Palo Alto Networks
The next generation of firewalls
What we will discuss today
What makes Palo Alto different
Palo Alto ‘mode’ configurations
Common methods Palo Alto firewalls are physically implemented
Policy based VPN vs. Route based VPN
SSL VPN
Helpful troubleshooting information
Where to obtain further knowledge for Palo Alto firewalls
Questions and Answers
What makes Palo Alto different?
Application Usage and Risk Report (7th Edition, May 2011)
The Palo Alto Networks' Application Usage and Risk Report summarizes application
traffic assessments performed between October 2010 and May 2011 on more than
1,253 networks worldwide. With a sample size of 1,253 participating organizations,
a number that is nearly double that of the previous report, and a view into more
than 28 exabytes (28,046,165,463,032,900,000) worth of data, the latest edition of
the Application Usage and Risk Report (May 2011) is, arguably, the largest
application analysis of its kind.
http://www.paloaltonetworks.com/literature/forms/aur-report.php
• Palo Alto embraces feedback, thriving on input from its user community. This
is EXTREMELY important. Do you remember Michael Lynn, Black Hat, and Cisco
in 2005? Instead of embracing this expert's input and truly supporting open disclosure,
Cisco sued Black Hat and Michael Lynn for disclosing a 0-day vulnerability in Cisco
IOS. The issue, you ask? Running unauthorized code on a Cisco router. Do you think it
is important for us to know this, as well as for Cisco to fix the issue?
• Palo Alto offers multiple methods to ensure the traffic traversing your network
is identified, utilizing a new approach to identifying assets. Here we go…
What makes Palo Alto different? (continued)
Based on patent-pending App-ID™ technology, Palo Alto Networks' next generation
firewalls accurately identify applications - regardless of port, protocol, evasive tactic
or SSL encryption - and scan content to stop threats and prevent data leakage.
Enterprises can for the first time embrace Web 2.0 and maintain complete visibility
and control, while significantly reducing total cost of ownership through device
consolidation.
Here are some of the unique capabilities available only in next generation firewalls
from Palo Alto Networks.
* The only firewall to classify traffic based on the accurate identification of the
application, not just port/protocol information.
* The only firewall to identify, control and inspect SSL encrypted traffic and
applications.
* The only firewall with real-time (line-rate, low latency) content scanning to protect
against viruses, spyware, data leakage and application vulnerabilities based on a
stream-based threat prevention engine.
* The only firewall to provide graphical visualization of applications on the network
with detailed user, group and network-level data categorized by sessions, bytes,
ports, threats and time.
* The only firewall with line-rate, low-latency performance for all services, even under load.
What makes Palo Alto different? (continued)
Palo Alto provides the following features
App-ID classifying traffic on all ports all the time – irrespective of
protocol, encryption, and/or any other evasion tactic
Accurate traffic classification is the heart of any firewall, with the result becoming the basis of the security policy. Traditional
firewalls classify traffic by port and protocol, which, at one point, was a satisfactory mechanism for securing the perimeter.
Today, applications can easily bypass a port-based firewall; hopping ports, using SSL and SSH, sneaking across port 80, or
using non-standard ports. App-ID™, a patent-pending traffic classification mechanism that is unique to Palo Alto Networks,
addresses the traffic classification limitations that plague traditional firewalls by applying multiple classification mechanisms to
the traffic stream, as soon as the device sees it, to determine the exact identity of applications traversing the network.
What makes Palo Alto different? (continued)
[Continued] App-ID
Classify traffic based on applications, not ports.
App-ID uses multiple identification mechanisms to determine the exact identity of
applications traversing the network. The identification mechanisms are applied in the
following manner:
• Traffic is first classified based on the IP address and port.
• Signatures are then applied to the allowed traffic to identify the application based on
unique application properties and related transaction characteristics.
• If App-ID determines that encryption (SSL or SSH) is in use and a decryption policy is in
place, the application is decrypted and application signatures are applied again on the
decrypted flow.
• Decoders for known protocols are then used to apply additional context-based signatures
to detect other applications that may be tunneling inside of the protocol (e.g., Yahoo! Instant
Messenger used across HTTP).
• For applications that are particularly evasive and cannot be identified through advanced
signature and protocol analysis, heuristics or behavioral analysis may be used to determine
the identity of the application.
As the applications are identified by the successive mechanisms, the policy check
determines how to treat the applications and associated functions: block them, or allow
them and scan for threats, inspect for unauthorized file transfer and data patterns, or shape
using QoS.
What makes Palo Alto different? (continued)
User-ID: securely enable applications on your network based on users
and groups – not just IP addresses
Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and applications
means that IP addresses alone have become ineffective as a mechanism for monitoring and controlling user activity. Palo Alto
Networks next-generation firewalls integrate with the widest range of user repositories on the firewall market, enabling organizations
to incorporate user and group information into their security policies. Through User-ID, organizations also get full visibility into user
activity on the network as well as user based.
Content-ID: real-time content scanning blocks threats, controls web
surfing, and limits data and file transfers
Content-ID combines a real-time threat prevention engine with a comprehensive URL database and elements of application
identification to limit unauthorized data and file transfers, detect and block a wide range of threats and control non-work related web
surfing. The application visibility and control delivered by App-ID, combined with the content inspection enabled by Content-ID means
that IT departments can regain control over application traffic and the related content.
The NSS-rated IPS blocks known and unknown vulnerability exploits, buffer overflows, DoS attacks and port scans from
compromising and damaging enterprise information resources. IPS mechanisms include:
* Protocol decoder-based analysis statefully decodes the protocol
* Protocol anomaly-based protection detects non-RFC-compliant protocol usage
* Stateful pattern matching detects attacks spread over multiple packets
* Statistical anomaly detection prevents rate-based DoS floods
* Heuristic-based analysis detects anomalous packet and traffic patterns such as port scans and port sweeps
* Custom vulnerability or spyware phone-home signatures that can be used in either the anti-spyware or vulnerability protection profiles
* Other attack protection capabilities such as blocking invalid or malformed packets, IP defragmentation, and TCP reassembly to protect
against evasion and obfuscation methods
• URL Filtering by Bright Cloud
Complementing the threat prevention and application control capabilities is a fully integrated, URL filtering database consisting of 20
million URLs across 76 categories that enables IT departments to monitor and control employee web surfing activities.
What makes Palo Alto different? (continued)
[Continued]: Content-ID
•File and Data Filtering
Data filtering features enable administrators to implement policies that will reduce the risks associated with the
transfer of unauthorized files and data.
* File blocking by type: Control the flow of a wide range of file types by looking deep within the payload to
identify the file type (as opposed to looking only at the file extension).
* Data filtering: Control the transfer of sensitive data patterns such as credit card and social security numbers
in application content or attachments.
* File transfer function control: Control the file transfer functionality within an individual application, allowing
application use yet preventing undesired inbound or outbound file transfer.
Palo Alto ‘mode’ configurations
Palo Alto firewalls offer three modes to utilize in your network
a. TAP Mode providing
By utilizing tap mode interfaces, the device can be connected to a core switch's
SPAN port to identify applications running on the network. This option requires no
changes to the existing network design. In this mode the device cannot block any
harmful traffic, nor can it decrypt SSL connections. This is also a method to analyze
your traffic and build rules based on facts rather than best guesses prior to go-live.
b. V-Wire Mode providing
Using V-Wire interfaces the device can be inserted into an existing topology
without requiring any reallocation of network addresses or redesign of the
network topology. In this mode all of the protection and decryption features of
the device can be used. The device will not participate in NAT or dynamic routing.
c. Layer 3 Mode providing
Using L3 interfaces the device can take the place of any current enterprise
firewall deployment. It can also participate in NAT and dynamic routing (RIP, OSPF,
and BGP).
Common methods Palo Alto firewalls are physically implemented
Typical methods of deployment
1. Full Mesh implementation where all devices are physically connected
with each other supporting a more resilient network architecture
Common methods Palo Alto firewalls are physically implemented (continued)
2. Hub and Spoke/Star, where multiple devices talk back to a datacenter
or headquarters and direct connectivity between nodes is not necessary. This
means all traffic must pass into and out of the data center or headquarters.
Policy based VPN vs. Route based VPN
In a policy-based VPN the tunnel is specified within the policy itself, with an action of
"IPSec", and only one policy is required. A route-based VPN is
created with two policies, one for inbound and another for outbound, each with a normal
"Accept" action.
Common Reasons to use a Policy-based VPN:
* The remote VPN device is different from the devices you administer
* Need to access only one subnet or one network at the remote site, across the VPN
Policy based VPN vs. Route based VPN (continued)
A Route Based VPN is a configuration in which the policy does not reference a
specific VPN tunnel. Instead, a VPN tunnel is indirectly referenced by a route
that points to a specific tunnel interface. The tunnel interface may be bound to
a VPN tunnel or to a tunnel zone. As traffic traverses the tunnel interface it is
encrypted and decrypted.
When a tunnel interface is in a security zone, a tunnel interface must be bound
to a VPN tunnel. This is necessary in order to create a route-based VPN
configuration. The tunnel interface can be numbered or unnumbered. If it is
unnumbered, the tunnel interface usually borrows the IP address from the security
zone interface.
Common Reasons to use a Route-based VPN:
* Source or Destination NAT (NAT-Src, NAT-Dst) needs to occur as it traverses the VPN
* Overlapping Subnets/IP Addresses between the two LANs
* Hub-and-spoke VPN topology
Policy based VPN vs. Route based VPN (continued)
[Continued]: Common Reasons to use a Route-based VPN:
* Design requires Primary and Backup VPN
* A Dynamic Routing Protocol (i.e. OSPF, RIP, BGP) is running across the VPN
* Need to access multiple subnets or networks at the remote site, across the VPN
SSL VPN
Palo Alto firewall devices can support SSL VPN connectivity. There are no differences
that stand out between the implementation of an SSL VPN with Palo Alto vs. Cisco,
Juniper, etc.
The Palo Alto disseminates a ‘thin client’ via the web browser to the requesting
workstation when connectivity is first established. If the ‘thin client’ is not installed,
the Palo Alto will attempt to send the software to the end user. The software is called
NetConnect and it supports IPSEC VPN vs. SSL VPN. This is important information
to know when troubleshooting with the customer. Note: the versions of software
distributed by the Palo Alto are all manageable and decided by the administrator.
If the thin client is not utilized to establish an IPSEC tunnel, then SSL is utilized by
the system as a ‘fall back’. SSL VPN must be configured in your policy to allow the
functionality desired.
Note: an SSL VPN implementation should also include an SSL [X.509] certificate from a
known and trusted certificate authority. This prevents end users from receiving a
certificate error; it assures the requesting browser of your identity and
also assures the end user that the session is encrypted.
Helpful troubleshooting information
IKE Debugging – Packet Captures
• Used when there are proposal mismatches in Phase 1 and/or Phase 2
• Can be used to see what proposals the peer is sending
• All debugging must be turned off when troubleshooting is complete
• IKE debugging writes to the ikemgr.pcap file, viewable by downloading
it and using a tool like Wireshark, or via the built-in web GUI
CLI commands for enabling IKE PCAPS
• debug ike pcap on
Activates a PCAP of all IKE traffic
• scp export debug-pcap
Copies PCAP off of the firewall
• view-pcap <options> debug-pcap ikemgr.pcap
Displays the PCAP in the CLI
Can be used to view it in real time with the ‘follow’ option
Helpful troubleshooting information (continued)
[Continued]: CLI commands for enabling IKE PCAPS
• debug ike pcap off
Turns off packet capture
• debug ike pcap delete
Removes the ikemgr.pcap file – do this prior to starting a new capture
so that data in the PCAP file is specifically for your troubleshooting
effort.
Troubleshooting VPN tunnel issues
• show vpn tunnel
Shows current tunnels – displays tunnel ID in first column {TnID}
• show vpn flow tunnel-id {TnID}
Shows detailed information on the tunnel ID specified
Will display packets and bytes through the tunnel
Helpful troubleshooting information (continued)
[Continued]: Troubleshooting VPN tunnel issues
• clear vpn ike-sa gateway all
Tears down all tunnels and gateway Security Associations
• test vpn ipsec-sa tunnel <tunnel_name>
Initiate Phase 1 and 2 Security Associations for specified tunnel
Helpful troubleshooting information (continued)
• show system info
Includes management interface settings, uptime, serial number,
software version, and threat/application version
• show jobs processed
Displays status of current and past jobs including:
• Install of PANOS, apps, and content
• Downloads of PANOS, apps, and content
• Validation of configuration
• Commit configuration
• AutoCommit on restart
• show job id <#>
Looks up a specific job, e.g. to help determine why a job
that was submitted failed.
Helpful troubleshooting information (continued)
• show system statistics
Provides current throughput and session counts [real time]
• show system statistics (view applications)
* Press “a” which will reflect application statistics [real time]
• show log
The show log command can be used for all logs
Logs can be filtered
Logs can be displayed with most current entries at the top
For example: show log traffic receive_time in last-60-seconds
For example: show log traffic receive_time in ? will display all
pre-defined intervals
For example: show log traffic app equal gmail will display any
traffic log entries matching the application ‘gmail’
Helpful troubleshooting information (continued)
• [Continued] show log
For example: show log system subtype equal vpn will display any
subtype category for ‘vpn’
For example: show log system opaque contains SA will display all
text within the description of a system log event with ‘SA’
• The direction keyword changes the sort order
Default is oldest log entries first, but this can be changed
For example: show log system subtype equal general receive_time
in last-15-minutes will display log entries with subtype ‘general’ received
in the last 15 minutes.
For example: show log system subtype equal general receive_time
in last-15-minutes direction equal backward will display the last 15
minutes of logs in backward (newest first) order.
• show system logdb-quota will display log space usage
Helpful troubleshooting information (continued)
• show counters global will display all system counters. You can refine this
command with the “match” and “filter delta yes” switches
• show counter interface will display logical interface counters read from the
CPU of the Palo Alto
Using Packet Filters with counters
Packet filters can be defined to highlight specific traffic
• debug dataplane packet-diag set filter match <data>
Counters can be viewed for traffic matching the packet filters
• show counter global filter packet-filter yes value non-zero
Reading Drop Counters
• show counter global filter severity drop value all will display all
possible drop counters. Most have a description as to why a packet was
dropped.
Helpful troubleshooting information (continued)
[Continued]: Reading Drop Counters
Examples of counters returned by the severity drop filter
flow_tcp_non_syn_drop – TCP traffic did not match any existing
session and was not a SYN packet
flow_parse_l4_tcpsynfin – Packet contained both the SYN and FIN flags.
Probably from a port scan such as Nmap
flow_fwd_l3_noroute – No route found in the FIB (forwarding information
base, i.e. the routing table) for the destination address
flow_policy_nat – Could not allocate a NAT address. Could be out of NAT
IP pool addresses
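Reading raw counter output is tedious, and what usually matters is which drop counters moved between two samples (the idea behind the "filter delta yes" switch). The script below is an added example, not part of the original slides or any Palo Alto tool: it parses two constructed counter samples (the column layout and numbers are assumed, not real device output), reports only the drop-severity counters that increased, and attaches the explanations given above.

```python
import re
# Constructed samples in the style of "show counter global filter severity drop value all",
# taken a few seconds apart; column layout and numbers are assumed, not real device output.
BEFORE = """\
name                      value  rate severity category aspect   description
--------------------------------------------------------------------------------
flow_tcp_non_syn_drop      1200     0 drop     flow     session  Packets dropped: non-SYN TCP without session match
flow_parse_l4_tcpsynfin     400     0 drop     flow     parse    Packets dropped: TCP SYN and FIN both set
flow_fwd_l3_noroute          30     0 drop     flow     forward  Packets dropped: no route to destination
flow_policy_nat               5     0 drop     flow     session  Packets dropped: NAT address allocation failed
pkt_recv                 983211   120 info     packet   pktproc  Packets received
"""
AFTER = """\
name                      value  rate severity category aspect   description
--------------------------------------------------------------------------------
flow_tcp_non_syn_drop      1200     0 drop     flow     session  Packets dropped: non-SYN TCP without session match
flow_parse_l4_tcpsynfin    1650   104 drop     flow     parse    Packets dropped: TCP SYN and FIN both set
flow_fwd_l3_noroute          31     0 drop     flow     forward  Packets dropped: no route to destination
flow_policy_nat               5     0 drop     flow     session  Packets dropped: NAT address allocation failed
pkt_recv                 992877   120 info     packet   pktproc  Packets received
"""

# One counter row: name, value, rate, severity, category, aspect, free-text description.
COUNTER_RE = re.compile(
    r"^(?P<name>\w+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\w+)\s+"
    r"(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<desc>.+)$"
)

# Meaning of the drop counters explained in the slides.
DROP_HINTS = {
    "flow_tcp_non_syn_drop": "TCP packet matched no session and was not a SYN (asymmetric path or stale session)",
    "flow_parse_l4_tcpsynfin": "SYN and FIN both set, typical of a port scan such as Nmap",
    "flow_fwd_l3_noroute": "no route in the FIB for the destination address",
    "flow_policy_nat": "could not allocate a NAT address; the NAT pool may be exhausted",
}

def parse_counters(text: str) -> dict:
    """Return {name: (value, severity)}; header and separator lines do not match the regex."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m["name"]] = (int(m["value"]), m["severity"])
    return counters

def drop_deltas(before: str, after: str) -> dict:
    """Emulate 'filter delta yes': drop-severity counters that increased between samples."""
    old, new = parse_counters(before), parse_counters(after)
    deltas = {}
    for name, (value, severity) in new.items():
        if severity != "drop":
            continue
        increase = value - old.get(name, (0, severity))[0]
        if increase > 0:
            deltas[name] = increase
    return deltas

def explain(deltas: dict) -> list:
    return [f"{name}: +{n} ({DROP_HINTS.get(name, 'see counter description')})"
            for name, n in sorted(deltas.items(), key=lambda kv: -kv[1])]

if __name__ == "__main__":
    for line in explain(drop_deltas(BEFORE, AFTER)):
        print(line)
```

In the constructed samples only the SYN+FIN and no-route counters grow, so the report points at a likely port scan first and a routing problem second.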
Helpful troubleshooting information (continued)
Checking Memory Usage
• debug dataplane pool statistics will display memory usage on the Palo
Alto device.
NOTE: Left column = FREE memory
Right column = UTILIZED memory
Showing session IDs
• show session id will display session IDs on the Palo Alto. This provides
information such as the timeout value, the security rule that allowed the
session, and QoS information.
There is a Session Browser usable in the GUI of the Palo Alto. The abilities of
this application are extremely powerful.
Test policy commands provide the ability to test policies on the Palo
Alto device to ensure they function as intended.
Helpful troubleshooting information (continued)
[Continued]: Test policy commands provide the ability to test policies
on the Palo Alto device to ensure they function as intended.
• test security-policy-match from Training to 2Corpnet source
10.30.11.50 destination 4.2.2.2 application dns will display the
policy allowing the source zone Training to the zone 2Corpnet with SRCIP
10.30.11.50 to DSTIP 4.2.2.2 for “DNS”
Rulebases you can utilize this test with:
security-policy-match, cp-policy-match, ssl-policy-match, and nat-policy-match
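To see why a policy-match test returns the rule it does, it helps to walk the rulebase the same way the firewall does: top down, first match wins, with "any" accepted in every field and an implicit deny if nothing matches. The following is an added example written for these notes (not Palo Alto code and not the real PAN-OS matcher); the rulebase, rule names and addresses other than the slide's zones and IPs are constructed, and the hit counters give a simple version of the unused-rule report mentioned later.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    """One security rule; 'any' is accepted in every field, as in the PAN-OS rulebase."""
    name: str
    from_zones: set
    to_zones: set
    sources: list        # CIDR strings or "any"
    destinations: list   # CIDR strings or "any"
    applications: set    # App-ID names or "any"
    action: str          # "allow" or "deny"
    hits: int = 0        # feeds the unused-rule report below

def _addr_match(addr: str, objects: list) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(o == "any" or ip in ipaddress.ip_network(o, strict=False) for o in objects)

def _set_match(value: str, objects: set) -> bool:
    return "any" in objects or value in objects

def policy_match(rulebase: list, from_zone: str, to_zone: str,
                 source: str, destination: str, application: str):
    """Top-down first match, like 'test security-policy-match'; None means
    no rule matched and the implicit interzone deny applies."""
    for rule in rulebase:
        if (_set_match(from_zone, rule.from_zones) and _set_match(to_zone, rule.to_zones)
                and _addr_match(source, rule.sources)
                and _addr_match(destination, rule.destinations)
                and _set_match(application, rule.applications)):
            rule.hits += 1
            return rule
    return None

def unused_rules(rulebase: list) -> list:
    """Rules with no hits, the idea behind 'show running rule-use type unused'."""
    return [r.name for r in rulebase if r.hits == 0]

# Constructed rulebase using the zones and addresses from the slide's example.
RULEBASE = [
    Rule("block-p2p", {"Training"}, {"any"}, ["any"], ["any"], {"bittorrent"}, "deny"),
    Rule("training-dns", {"Training"}, {"2Corpnet"}, ["10.30.11.0/24"], ["any"], {"dns"}, "allow"),
    Rule("training-web", {"Training"}, {"2Corpnet"}, ["10.30.11.0/24"], ["any"],
         {"web-browsing", "ssl"}, "allow"),
    Rule("legacy-ftp", {"Training"}, {"2Corpnet"}, ["10.30.12.0/24"], ["any"], {"ftp"}, "allow"),
]

if __name__ == "__main__":
    # Same query as the slide: from Training to 2Corpnet, 10.30.11.50 -> 4.2.2.2, application dns
    hit = policy_match(RULEBASE, "Training", "2Corpnet", "10.30.11.50", "4.2.2.2", "dns")
    print(hit.name if hit else "no rule matched (implicit deny)")
    print("unused so far:", unused_rules(RULEBASE))
```

Note that a deny rule is still a match: the test reports the first rule hit whatever its action, which is exactly what you want to see when a flow is blocked by a rule higher in the base than the one you expected.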
Utilizing PING
• ping host <IP address>
• ping source 10.1.1.1 host 4.2.2.2
Show system routing table
• show routing route
Helpful troubleshooting information (continued)
Verification of routing
• test routing fib-lookup will allow you to view the Forwarding
Information Base (FIB) for a particular virtual router. This will allow you to
determine which destination interface is used by a particular route.
Display current running configuration on Palo Alto
• show running will display what is in the ‘running-configuration’ much
like a Cisco router/switch. This can be used to view policy sets or get
statistics.
• show running resource-monitor will display CPU statistics for all CPUs
• show running nat-policy displays the installed NAT rulebase
• show running rule-use type unused rule-base security vsys vsys1 will
show unused security rules on Virtual System – VSYS1
Connectivity issues can be found with PING. You can look for “incomplete” in the
log and check the packet count: when packet count = 1, the traffic never came back. Check
routing and NAT. REMEMBER you can utilize the session browser via the GUI
(web) to look at traffic details as well.
Where to obtain further knowledge for Palo Alto firewalls
General information relative to Palo Alto networks
http://www.paloaltonetworks.com
Where to register your Palo Alto device
http://support.paloaltonetworks.com
KnowledgePoint
https://live.paloaltonetworks.com/community/knowledgepoint
Support Levels & Severity Definitions
• Standard Support is 24x5 (4 PM Sunday – 7 PM Friday)
• Premium Support is 24x7
Critical support cases – Phone support
• <1 hour response time
High, Medium, Low severity – Support portal
https://support.paloaltonetworks.com/pa-portal/index.php
Questions and Answers
Presentation by James Sommer, Shriram Ayyar, with help from
paloaltonetworks.com, Palo Alto Networks EDU-201 & EDU301 (advanced troubleshooting), and juniper.com
HAVE A NICE DAY!