Customer
Palo Alto Networks Deployment
Network Integration Low-Level Design Document
Month Year
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
© 2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our
trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned
herein may be trademarks of their respective companies.
©2019 Palo Alto Networks, Inc.
2
Proprietary and Confidential
Table of Contents
Introduction ..... 5
  Executive Summary ..... 5
Platform ..... 8
  Foundational Requirements ..... 8
    Procured Systems ..... 8
    Procured Licensing ..... 8
    Recommended PAN-OS Version ..... 8
    Panorama Systems ..... 9
  Network Integration Requirements ..... 9
    Virtual Systems ..... 9
    Virtual Router ..... 13
    High Availability ..... 22
    Operational Interfaces ..... 23
    Management Interface ..... 26
    Logging Interface ..... 27
    Security Zones ..... 28
    IPSec VPNs ..... 30
Panorama ..... 34
  Management Interface ..... 34
  Templates ..... 35
  Device Groups ..... 36
  Device Group Tree ..... 36
  Logging and Reporting Settings ..... 36
Security Profiles ..... 37
  Antivirus Profiles ..... 37
  Anti-Spyware Profiles ..... 37
  Vulnerability Protection Profiles ..... 38
  WildFire Profiles ..... 39
  File Blocking Profiles ..... 39
  Data Filtering Profiles ..... 40
  Denial of Service Protection Profiles ..... 41
  Security Profile Groups ..... 41
User-ID ..... 42
  User-ID Sources ..... 42
  Group Mapping Profiles ..... 42
  URL Filtering Profiles ..... 43
Reporting, Alerting, and Configuration Backup ..... 52
  Report and Alert Settings ..... 52
  Configuration Backup Settings ..... 52
  SNMP Settings ..... 53
    SNMPv2 Settings ..... 53
    SNMPv3 Settings ..... 53
Cloud Services / Integration Pieces ..... 54
  Cloud Logging Service ..... 54
  GlobalProtect Cloud Service ..... 54
  Application Framework ..... 54
  Traps ..... 54
  Azure ..... 54
  AWS ..... 54
  NSX Plugin ..... 54
Document Properties ..... 55
  Contributors ..... 55
  Revision History ..... 55
Palo Alto Networks Resources ..... 56
Customer Resources ..... 56
LLD Template Instructions
This template is designed as a tool to help Palo Alto Networks architects generate Low-Level Design documents. Each final LLD should be highly customized to meet the specific needs and requirements of the customer project. To maintain consistency and completeness, however, this template should be used as the starting point for the LLD.
This templated document contains notes for consultants to use while creating the document. These notes include items to check, best practices, and other information useful for completing the engagement. Add, remove, or change any sections of this template that you feel are appropriate to meet the objectives of the LLD when developing your final document. The more individual detail that can be added, the more useful the final document will be to the project.
The blue indented italic notes are instructions for each section. Remove all template instruction notes
before generating the final document. The black text in the template is suggested verbiage for the section,
but it is not required to keep any text as is. Replace all instances of [CUSTOMER] with the customer’s
name, and any other capitalized text in brackets with the correct information.
Introduction
Provide a high-level description of the project in 2-3 paragraphs at most. Name the customer and what
they plan to accomplish in the Palo Alto Networks project. Use “find and replace” to substitute
[CUSTOMER] with the value on the Title Page throughout this document. An example could be
something like the following:
The purpose of this document is to detail the specific low-level design criteria to integrate the Palo Alto Networks solution into the [CUSTOMER] environment. The High-Level Design document, previously developed and agreed to by both parties, will be the reference point for the additional discovery to identify and document the configuration details herein. Concurrent with this document, the buildsheet is used to capture the specific device settings by site.
Executive Summary
The Palo Alto Networks next-generation security platform is a flexible and extensible, natively integrated and automated platform for the detection and prevention of known and unknown cyber threats. A solid approach to securing the networks of [CUSTOMER] would be to control all activity across the network. This next-generation network security design can be achieved through a multi-phase methodology based on Palo Alto Networks technology.
Organizations must develop security policies (firewall rules) that whitelist sanctioned business applications at the network level, allowing only trusted applications to traverse the firewalls. Network segmentation, using subnets and VLANs, is desirable as it allows for the separation of resources based on application category, line-of-business function, and geographic location. Segmentation can help prevent the unintentional spread of malware. App-ID goes beyond basic port and protocol inspection and uniquely identifies applications based on digital fingerprints in the headers and payloads of traffic sessions.
Security profiles (next-generation features) should be deployed on all security policies that allow traffic. These enable the detection and prevention of known threats, exploits, and malware.
WildFire can be leveraged to identify unknown threats via cloud-based machine learning and sandboxing technologies to mitigate and prevent zero-day exploits.
Palo Alto Networks Professional Services will work closely with the [CUSTOMER] team to discover and document the specific configuration details. The resulting document will enable the [CUSTOMER] team to understand the configuration details and continue to perform the configuration of additional Palo Alto Networks systems based on the agreed-upon criteria.
Note: Site-specific parameters will be provided by the customer during configuration build-out in a supplemental document.
LLD OUTLINE: This section will never change and is contextually for the Low-Level Design template so you can get a "feel" for documentation flow.
Each bullet/sub-bullet represents a follow-on section with specific detailed configuration requirements as discussed and agreed to with the customer.
The bullets correspond to a H1, H2, and H3 in subsequent sections of this document. For example, in the following list: Platform will be a Head 1, Foundational Requirements will be a Head 2, Procured systems will be a Head 3.
This document will cover the baseline configuration requirements established through collaboration with [CUSTOMER] on these topics:
• Platform
  − Foundational Requirements:
    ▪ Procured systems
    ▪ Procured licensing
    ▪ PAN-OS version
  − Network Integration Requirements:
    ▪ Virtual System (vsys)
    ▪ Virtual Router
    ▪ High Availability
    ▪ Operational interfaces
    ▪ Management interface
    ▪ Logging interface
    ▪ Security Zones
    ▪ IPSec VPN
    ▪ GlobalProtect Configurations
  − Administration Requirements:
    ▪ Administrative protocols and security model
    ▪ Local Administrative roles
    ▪ Local Administrative password/authentication model
    ▪ Login banner
• Panorama
  − Foundational Requirements:
    ▪ Procured systems
    ▪ Procured licensing
    ▪ Confirm the production version of Panorama
  − Platform Management Requirements:
    ▪ Device Groups
    ▪ Templates
    ▪ Security Profiles
    ▪ Logging Profiles
    ▪ URL Filtering
    ▪ Configuration backups
  − Reporting and Alerting Requirements
    ▪ Reporting
    ▪ SNMP settings
    ▪ Alerting settings
  − Administration Requirements:
    ▪ Role Based Administration
    ▪ Administrative password/authentication model
• Cloud Services / Integration Pieces
  ▪ Logging Service
  ▪ GlobalProtect cloud service
  ▪ Application Framework
  ▪ Traps
  ▪ Azure
  ▪ AWS
  ▪ NSX Plugin
Platform
In this section, provide detail of the platform specific low-level design decisions/criteria as agreed
to by the customer.
This section should clearly and succinctly represent the objectives that have been communicated
by the customer. Provide as much detail about each as is appropriate for this customer, but this
section should be no longer than an executive summary.
This section of the document provides details of the specific low-level design criteria to integrate the Palo Alto Networks platform into the [CUSTOMER] environment. The information contained herein will be reviewed with [CUSTOMER] and become the basis for all platform configurations to facilitate adherence to Palo Alto Networks best practices, as well as consistency across the environment to simplify operational activities.
Foundational Requirements
All data in the following tables are examples. Fill in with appropriate customer level information.
This section describes the Palo Alto Networks platforms, physical and virtual, that have been procured and will be deployed at the [CUSTOMER] location identified.
Procured Systems
Table 1 shows the security appliances with their corresponding locations, high-availability pairing, and serial number information.
Table 1 – Procured Systems
Item ID | Platform Model | Location to be Deployed | High Availability | Serial Number(s)
1A | PA-5220 | Corporate datacenter – Phoenix, AZ | A/P with 1B | 01234567890123456
1B | PA-5220 | Corporate datacenter – Phoenix, AZ | A/P with 1A | 01234567890123457
2 | PA-3060 | Regional site – Denver, CO | N/A | 01234567890654321
N | <etc…> | <etc…> | <etc…> | <etc…>
Procured Licensing
Table 2 shows the security appliances with their corresponding licensing authorization codes.
Table 2 – Procured Licensing
Item ID | Platform Model | Threat Auth Code | URL Auth Code | WildFire Auth Code
1A | PA-5220 | abc0123456 | def654321 | ghi789012
1B | PA-5220 | abc0123457 | def654322 | ghi789013
2 | PA-3060 | abc0123458 | def654323 | ghi789014
N | <etc…>
Recommended PAN-OS Version
Table 3 shows the recommended version of PAN-OS to be deployed, based upon Palo Alto Networks experience and as recommended by ETAC at the time of install.
Table 3 – Recommended PAN-OS Version
Recommended Version | Recommendation Note(s)
PAN-OS 8.0.12 | ETAC recommended release; stability and field experience
Table 4 shows the version of PAN-OS to be deployed, based upon balancing the recommendation above and specific [CUSTOMER] feedback.
Table 4 – To Be Deployed PAN-OS Version
Version to be deployed | Specific Version Reason(s)
PAN-OS 8.1.3 | [CUSTOMER] requires Panorama Configuration Variables as part of the deployment. This feature is in 8.1.x only, and 8.1.3 is the current stable release of 8.1.x.
Panorama Systems
This section describes the Palo Alto Networks Panorama systems, physical and virtual, that have been procured and will be deployed at the [CUSTOMER] location identified.
Table 5 – Procured Systems
Item | Platform Model | Location to be Deployed | Role | Serial Number(s)
1 | M-500 | Corporate data center – City, State | Primary Mgt | 01234567890123456
2 | M-500 | Corporate data center – City, State | Secondary Mgt | 01234567890123654
3 | M-100 | Regional site – City, State | Log Collector | 01234567890654321
n | <etc…> | <etc…> | <etc…> | <etc…>
Network Integration Requirements
This section describes the specific low-level requirements to be used for standardization of the platform configuration. There will be a separate "build" document to annotate site-specific configuration information based on the requirements documented here.
Virtual Systems
A virtual system (vsys) is an independent (virtual) firewall instance that can be separately managed within a physical firewall. Each vsys can be an independent firewall with its own Security policy, interfaces, and administrators. A vsys enables segmentation of the administration of all policies, reporting, and visibility functions that the firewall provides. To optimize policy administration, you can maintain separate administrator accounts for overall firewall and network functions while creating vsys administrator accounts that allow access to individual vsys. This restricts the vsys administrator to their assigned vsys.
Networking functions, including static and dynamic routing, pertain to an entire firewall and all its vsys; vsys do not control firewall and network-level functions. Each vsys can have a defined collection of physical and logical firewall interfaces (including VLANs and virtual wires) and security zones. If you require routing segmentation for each vsys, you must create/assign additional virtual routers and assign interfaces, VLANs, and virtual wires as needed.
If you use a Panorama template to define vsys, you can set one vsys as the default. The default vsys and Multiple Virtual System Mode determine whether firewalls accept vsys-specific configurations during a template commit:
Firewalls that are in Multiple Virtual System Mode accept vsys-specific configurations for all vsys that are defined in the template. Firewalls that are not in Multiple Virtual System Mode accept vsys-specific configurations only for the default vsys. If you do not set a vsys as the default, these firewalls accept no vsys-specific configurations.
<High Level Design Defined VSYS Requirements>
Before enabling multiple vsys, consider the following:
• A vsys administrator creates and manages all items needed for policies.
• Zones, interfaces, virtual routers, and v-wires become vsys-specific when multi-vsys is enabled.
• Before defining a policy or policy object, select the Virtual System from the drop-down on the Policies or Objects tab.
• You can set remote logging destinations (SNMP, syslog, and email), applications, services, and profiles to be available to all vsys (shared) or to a single vsys.
• You can configure Global (to all vsys on a firewall) or vsys-specific service routes.
• Virtual systems are supported on the PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls. Multiple virtual systems are not supported on the PA-200, PA-220, PA-500, PA-800 Series, or VM-Series firewalls.
In this section are examples of VSYS settings. Delete prior to presenting to customer. Copy the table for multiple vsys as each will contain unique configuration settings.
Table 6 – VSYS
VSYS Settings | Setting Details | Requirements
ID | Enter an integer identifier for the vsys. Refer to the data sheet for your firewall model for information on the number of supported vsys. Note: If you use a Panorama template to configure the vsys, this field does not appear. | 1
Name | Enter a name (up to 31 characters) to identify the vsys. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. Note: If you use a Panorama template to push vsys configurations, the vsys name in the template must match the vsys name on the firewall. | PHXDC_CustA
Allow Forwarding of Decrypted Content | Select this option to allow the virtual system to forward decrypted content to an outside service when port mirroring or sending WildFire files for analysis. | No
Sessions Limit | Maximum number of sessions. | 600,000 – vsys can only limit session count at this time. No limits on CPU and memory. Always remember that vsys is administrative and logical traffic separation only.
Security Rules | Maximum number of security rules. | 3000
NAT Rules | Maximum number of NAT rules. | 500
Decryption Rules | Maximum number of decryption rules. | 500
QoS Rules | Maximum number of QoS rules. | 500
Application Override Rules | Maximum number of application override rules. | 500
Policy Based Forwarding Rules | Maximum number of policy based forwarding (PBF) rules. | 500
Captive Portal Rules | Maximum number of Captive Portal rules. | 100
DoS Protection Rules | Maximum number of denial of service (DoS) rules. | 100
Site to Site VPN Tunnels | Maximum number of site-to-site VPN tunnels. | 100
Concurrent GlobalProtect Tunnels | Maximum number of concurrent remote GlobalProtect users. | 100
Table 7 – VSYS (2)
VSYS Settings | Setting Details | Requirements
ID | Enter an integer identifier for the vsys. Refer to the data sheet for your firewall model for information on the number of supported vsys. Note: If you use a Panorama template to configure the vsys, this field does not appear. | 2
Name | Enter a name (up to 31 characters) to identify the vsys. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. Note: If you use a Panorama template to push vsys configurations, the vsys name in the template must match the vsys name on the firewall. | PHXDC_CustB
Allow Forwarding of Decrypted Content | Select this option to allow the virtual system to forward decrypted content to an outside service when port mirroring or sending WildFire files for analysis. | No
Sessions Limit | Maximum number of sessions. | 300,000
Security Rules | Maximum number of security rules. | 3000
NAT Rules | Maximum number of NAT rules. | 500
Decryption Rules | Maximum number of decryption rules. | 500
QoS Rules | Maximum number of QoS rules. | 500
Application Override Rules | Maximum number of application override rules. | 500
Policy Based Forwarding Rules | Maximum number of policy based forwarding (PBF) rules. | 500
Captive Portal Rules | Maximum number of Captive Portal rules. | 100
DoS Protection Rules | Maximum number of denial of service (DoS) rules. | 100
Site to Site VPN Tunnels | Maximum number of site-to-site VPN tunnels. | 100
Concurrent GlobalProtect Tunnels | Maximum number of concurrent remote GlobalProtect users. | 100
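The ID, Name and Sessions Limit rows above state constraints that are easy to violate when many vsys rows are copied between the build sheet and a Panorama template. The following Python lint is an added example written for this edit (it is not PAN-OS or Panorama code) that checks a set of vsys rows against those constraints: positive unique integer IDs, names of at most 31 characters drawn from letters, digits, spaces, hyphens and underscores, case-sensitive uniqueness, an exact match against the vsys names defined in the template (the Note in the Name row), and a positive session limit. The row dictionary layout, the template_names argument and the third, deliberately faulty sample row are this example's own assumptions.

```python
"""Lint for build-sheet vsys rows against the constraints in Tables 6 and 7.

Constructed example, not PAN-OS code. The row layout (dicts with id, name,
session_limit) and the template_names argument are this example's assumptions.
"""
import re

# Name rule from the Name row: up to 31 characters; letters, digits, spaces,
# hyphens and underscores only. Matching is case-sensitive, as the row states.
VSYS_NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,31}")


def validate_vsys_rows(rows, template_names=None):
    """Return a list of findings; an empty list means the rows satisfy the tables.

    rows: iterable of dicts with keys id, name, session_limit.
    template_names: optional set of vsys names defined in the Panorama template.
    When given, every firewall vsys name must appear there exactly (the Note in
    the Name row says the template name must match the name on the firewall).
    """
    findings = []
    seen_ids, seen_names = set(), set()
    for row in rows:
        vsys_id, name = row.get("id"), row.get("name")
        label = f"vsys {vsys_id!r}"

        # ID row: an integer identifier (bool is excluded because it subclasses int).
        if not isinstance(vsys_id, int) or isinstance(vsys_id, bool) or vsys_id < 1:
            findings.append(f"{label}: ID must be a positive integer")
        elif vsys_id in seen_ids:
            findings.append(f"{label}: duplicate ID")
        seen_ids.add(vsys_id)

        # Name row: character set, length, uniqueness, and template agreement.
        if not isinstance(name, str) or not VSYS_NAME_RE.fullmatch(name):
            findings.append(f"{label}: name {name!r} violates the 31-char/character-set rule")
        elif name in seen_names:  # case-sensitive: CustA and custa are different vsys
            findings.append(f"{label}: duplicate name {name!r}")
        elif template_names is not None and name not in template_names:
            findings.append(f"{label}: name {name!r} does not match any template vsys name")
        seen_names.add(name)

        # Sessions Limit row: the only resource a vsys can cap, so it must be set.
        limit = row.get("session_limit")
        if not isinstance(limit, int) or isinstance(limit, bool) or limit < 1:
            findings.append(f"{label}: session limit must be a positive integer")
    return findings


# Constructed sample: the two rows from Tables 6 and 7 plus one faulty row that
# reuses ID 2, contains a slash in its name, and has no usable session limit.
SAMPLE_ROWS = [
    {"id": 1, "name": "PHXDC_CustA", "session_limit": 600_000},
    {"id": 2, "name": "PHXDC_CustB", "session_limit": 300_000},
    {"id": 2, "name": "PHXDC/CustC", "session_limit": 0},
]
TEMPLATE_NAMES = {"PHXDC_CustA", "PHXDC_CustB"}  # constructed template contents

if __name__ == "__main__":
    for finding in validate_vsys_rows(SAMPLE_ROWS, TEMPLATE_NAMES):
        print(finding)
```

Run against the two documented rows the lint returns nothing; the third row produces three findings, one per violated constraint, which is the shape of report a consultant would want before a template commit rather than after it fails.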
Virtual Router
The firewall uses virtual routers to direct traffic. Virtual routers support static routes and the following dynamic routing protocols: RIP, OSPFv2, OSPFv3, and BGP. The routes that the firewall obtains through these methods populate the firewall's IP routing information base (RIB). When a packet is destined for a different subnet than the one it arrived on, the virtual router obtains the best route from the RIB, places it in the forwarding information base (FIB) and forwards the packet to the next hop router defined in the FIB. The firewall uses Ethernet switching to reach other devices on the same IP subnet.
The Ethernet, VLAN, and tunnel interfaces defined on the firewall receive and forward Layer 3 packets. The destination zone is derived from the outgoing interface based on the forwarding criteria, and the firewall consults the policy base to identify the action that it applies to each session. In addition to routing to other network devices, virtual routers can route to other virtual routers within the same firewall if a next hop is specified to point to another virtual router.
Firewalls configured with Layer 3 interfaces can support multiple virtual routers, each maintaining a separate set of routes that are not shared between virtual routers, supporting different routing behaviors for different interfaces assigned to the virtual router.
Each Layer 3 Ethernet, loopback, VLAN, and tunnel interface defined on the firewall must be associated with only one virtual router. A virtual router can be configured with any combination of static routes and dynamic routing protocols.
Set Administrative Distances for types of routes as required for your network. When the virtual router has two or more different routes to the same destination, it uses administrative distance to choose the best path from different routing protocols and static routes, by preferring a lower distance.
• OSPF Internal – Range is 10-240; default is 30.
• OSPF External – Range is 10-240; default is 110.
• IBGP – Range is 10-240; default is 200.
• EBGP – Range is 10-240; default is 20.
• RIP – Range is 10-240; default is 120.
• Static – Range is 10-240; default is 10.
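As an added illustration of the RIB-to-FIB selection and the administrative-distance rules just described (example code written for this edit, not PAN-OS or Palo Alto Networks code), the following Python models a RIB that holds several routes to the same destination, keeps one best route per prefix by administrative distance, applies the Reject Default Route behaviour that the general dynamic routing settings describe, and resolves a destination by longest-prefix match. The protocol keys, the Route type, the reject_default_route flag and the sample routes are this example's own assumptions; the default distances and the 10-240 range are the values listed above.

```python
"""Best-route selection modelled on the RIB/FIB and administrative-distance rules.

Constructed example, not PAN-OS code: the protocol keys, the Route type and the
sample routes are this example's own assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Default administrative distances exactly as the list above gives them.
DEFAULT_ADMIN_DISTANCE = {
    "ospf-int": 30,
    "ospf-ext": 110,
    "ibgp": 200,
    "ebgp": 20,
    "rip": 120,
    "static": 10,
}
AD_MIN, AD_MAX = 10, 240  # configurable range for every route type


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network, e.g. "10.1.0.0/16"
    next_hop: str    # next-hop router address
    protocol: str    # key into the administrative-distance table
    metric: int = 0  # protocol metric, used only to break ties within one protocol


def resolve_admin_distances(overrides=None):
    """Return the effective AD table, rejecting unknown types or out-of-range values."""
    table = dict(DEFAULT_ADMIN_DISTANCE)
    for proto, value in (overrides or {}).items():
        if proto not in table:
            raise ValueError(f"unknown route type {proto!r}")
        if not AD_MIN <= value <= AD_MAX:
            raise ValueError(f"administrative distance for {proto} must be {AD_MIN}-{AD_MAX}")
        table[proto] = value
    return table


def build_fib(rib, admin_distance, reject_default_route=True):
    """Keep one best route per prefix: lowest administrative distance wins, then lowest metric.

    reject_default_route models the Reject Default Route setting: dynamically learned
    default routes (0.0.0.0/0 or ::/0) are dropped, while a static default is kept.
    """
    best = {}
    for route in rib:
        network = ipaddress.ip_network(route.prefix, strict=True)
        if reject_default_route and network.prefixlen == 0 and route.protocol != "static":
            continue
        rank = (admin_distance[route.protocol], route.metric)
        current = best.get(network)
        if current is None or rank < (admin_distance[current.protocol], current.metric):
            best[network] = route
    return best


def lookup(fib, destination):
    """Longest-prefix match against the FIB; returns the chosen Route or None."""
    addr = ipaddress.ip_address(destination)
    candidates = [net for net in fib if addr.version == net.version and addr in net]
    if not candidates:
        return None
    return fib[max(candidates, key=lambda net: net.prefixlen)]


# Constructed sample RIB: three sources claim 10.1.0.0/16, RIP offers a more
# specific /24, and an eBGP peer offers a default route.
SAMPLE_RIB = [
    Route("10.1.0.0/16", "10.0.0.1", "ospf-int", metric=20),
    Route("10.1.0.0/16", "10.0.0.2", "ebgp"),
    Route("10.1.0.0/16", "10.0.0.3", "static"),
    Route("10.1.5.0/24", "10.0.0.4", "rip", metric=2),
    Route("0.0.0.0/0", "198.51.100.1", "ebgp"),
]

if __name__ == "__main__":
    fib = build_fib(SAMPLE_RIB, resolve_admin_distances(), reject_default_route=False)
    for dst in ("10.1.5.7", "10.1.9.9", "192.0.2.5"):
        route = lookup(fib, dst)
        print(dst, "->", (route.protocol, route.next_hop) if route else "no route")
```

With the default distances the static route wins 10.1.0.0/16, the RIP /24 still carries 10.1.5.7 because longest-prefix match runs before any distance comparison, and the eBGP default only reaches the FIB when Reject Default Route is off. Raising the static distance above eBGP's 20 flips the /16 decision, which is exactly the lever the administrative-distance rows of Table 8 control.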
General dynamic routing settings
• BFD - To enable Bidirectional Forwarding Detection (BFD) globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
  − Default (default BFD settings)
  − a BFD profile that you have created on the firewall
  − New BFD profile to create a new BFD profile
  − Select None (Disable BFD) to disable BFD for all OSPF interfaces on the virtual router; you cannot enable BFD for a single OSPF interface
• Reject Default Route – Default setting. Select this option if you do not want to learn any default routes.
• Router ID - Specify the router ID associated with the OSPF instance in this virtual router. The OSPF protocol uses the router ID to uniquely identify the OSPF or BGP instance.
• Passive Interface - (OSPF-only) Select this option if you do not want the virtual router interfaces to send or receive LSAs. The network associated with the passive interface will be advertised to the areas with Type 2 LSAs (native routes). This will prevent suppression in stubby areas and NSSAs.
• Auth Profiles – Create an authentication profile to ensure that peers must have a pre-shared key before establishing relationships. OSPF and BGP each have their own auth profiles. BGP supports MD5 pre-shared key while OSPF supports passphrase in addition to MD5.
  o (OSPF) If you select MD5, enter one or more password entries, including Key-ID (0-255), Key, and optional Preferred status. Click Add for each entry, and then click OK. To specify the key to be used to authenticate outgoing messages, select the Preferred option.
Each virtual router will have a set of general configuration settings to be applied to all routing configured within it. Table 8 identifies these settings and the design details to be applied.
Make one table per vsys if your customer is using multiple virtual systems. Each virtual router, and by extension each network interface and security zone, must belong to a vsys.
Table 8 – Virtual Routers General Settings
Virtual Router Settings | Requirements | Setting Details
General Virtual Router Config | Virtual router naming convention | PHXDC-CustAVR1
General Virtual Router Config | Vsys ID | 1
Routing Protocols to be Deployed | OSPF Internal | Area 0.0.0.0
Routing Protocols to be Deployed | OSPF External | N/A
Routing Protocols to be Deployed | iBGP | N/A
Routing Protocols to be Deployed | eBGP | N/A
Routing Protocols to be Deployed | RIP | N/A
Routing Protocols to be Deployed | Static | Yes, multiple
Administrative Distances | OSPF Internal | 30
Administrative Distances | OSPF External | 110
Administrative Distances | iBGP | 200
Administrative Distances | eBGP | 20
Administrative Distances | RIP | 120
Administrative Distances | Static | 10
OSPF
Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) that is most often used to dynamically manage network routes within a large enterprise network. It determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The information gathered from the LSAs is used to construct a topology map of the network. This topology map is shared across routers in the network and used to populate the IP routing table with available routes.
Changes in the network topology are detected dynamically and used to generate a new topology map within seconds. A shortest path tree is computed for each route. Metrics associated with each routing interface are used to calculate the best route. These can include distance, network throughput, link availability, etc. Additionally, these metrics can be configured statically to direct the outcome of the OSPF topology map.
The Palo Alto Networks implementation of OSPF fully supports the following RFCs:
• RFC 2328 (for IPv4)
• RFC 5340 (for IPv6)
OSPF Settings
• Enable - Select this option to enable the OSPF protocol.
• Area ID - Configure the area over which the OSPF parameters can be applied.
  Enter an identifier for the area in x.x.x.x format. This is the identifier that each neighbor must accept to be part of the same area. Area 0.0.0.0 is the Backbone, or core area necessary for all other areas to communicate.
• Type - Select one of the following options:
  − Normal – There are no restrictions; the area can carry all types of routes.
  − Stub – Stubs do not receive routes from externally advertised sources. Specifically, they reject LSA type 5. To reach a destination outside of the stub area it is necessary to go through the border. There are two options in a stub area.
    o Accept Summary – If this option is enabled, the stub area will accept LSAs from other areas in the OSPF Domain. If this option is disabled, the stub area will behave as a "Totally Stubby Area" and reject LSA type 3 packets (inter-area LSAs) and block the propagation of summary LSAs.
    o Advertise Default Route - Default route LSAs will be included in advertisements to the stub area along with the associated metric value (1-255).
  − NSSA (Not-So-Stubby Area) – In a NSSA, it is possible to leave the area directly but only by routes other than OSPF routes. Specifically, it advertises externally learned routes as LSA Type 7 instead of LSA type 5. NSSAs still block LSA type 5. If you select this option, configure Accept Summary and Advertise Default Route as if this were a stub area. In addition, configure the Type (Ext1 or Ext2) to advertise the default LSA. Also configure Ext-Ranges to enable or suppress the advertisement of specific external routes.
•
Link Type – The link type should be specif ic to the type of network that OSPF LSAs will need to
traverse. These are Broadcast, Point-to-Point, and Point-to-Multipoint.
−
Broadcast – LSAs are sent in broadcast mode out the interf ace. This means that if the router
is connected to a switch, the switch will multiply the LSA and send it out all ports. Any
listening devices attached to the switch will accept the LSA and in turn respond with their own
LSA’s to f orm adjacency. Broadcasting is ef f icient when you need to connect a large quantity
of devices. Broadcast mode elects a Designated Router and a Backup Designated Router
(DR/BDR)
−
Choose p2p (point-to-point) if the OSPF interf ace is directly connected to a single OSPF
neighbor. LSA’s are unicasted out the conf igured interf ace and a neighbor is automatically
added if conf igured in the same area.
−
Choose p2mp (point-to-multipoint) when multiple OSPF neighbors exist but you cannot use
broadcast mode. LSAs are sent via multi-cast, and theref ore neighbors must be def ined
manually. Manually def ining neighbors is allowed only f or p2mp mode. No DR/BDR are
necessary here since you are manually def ining the scope of the OSPF area.
•
Priority - Enter the OSPF priority f or this interf ace (0-255). It is the priority f or the router to be
elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol.
When the value is zero, the router will not be elected as a DR or BDR.
•
Hello Interval - Interval, in seconds, at which the OSPF process sends hello packets to its directly
connected neighbors (range is 0-3600; def ault is 10).
•
Dead Count - Number of times the hello interval can occur f or a neighbor without OSPF receiving
a hello packet f rom the neighbor, bef ore OSPF considers that neighbor down. The Hello Interval
multiplied by the Dead Counts equals the value of the dead timer (range is 3-20; def ault is 4).
•
Retransmit Interval - Length of time, in seconds, that OSPF waits to receive a link -state
advertisement (LSA) f rom a neighbor bef ore OSPF retransmits the LSA (range is 0-3600; def ault
is 10).
•
Transmit Delay - Length of time, in seconds, that an LSA is delayed bef ore it is sent out of an
interf ace (range is 0-3600; def ault is 1).
• Graceful Restart - Applies to an OSPF interface when active/passive high availability is configured.
  Graceful Restart Hello Delay is the length of time during which the firewall sends Grace LSA packets at
  1-second intervals; during this time no hello packets are sent from the restarting firewall. During the
  restart the dead timer (the Hello Interval multiplied by the Dead Counts) is also counting down. If the
  dead timer is too short, the adjacency will go down during the graceful restart because of the hello
  delay. Therefore it is recommended that the dead timer be at least four times the value of the Graceful
  Restart Hello Delay. For example, a Hello Interval of 10 seconds and a Dead Counts of 4 yield a dead
  timer of 40 seconds. If the Graceful Restart Hello Delay is set to 10 seconds, that 10-second delay of
  hello packets is comfortably within the 40-second dead timer, so the adjacency will not time out during
  a graceful restart (range is 1-10; default is 10).
Table 9 identifies the standardized OSPF configuration settings for this environment.
Table 9 – OSPF Settings
Setting                              Details
Enable                               Yes
Reject Default Route                 Yes
Router ID                            10.20.20.1 (typically the router's IP address)
BFD                                  No
Area ID                              0.0.0.0
Type                                 Normal
Range                                10.20.20.0/24 - Advertise
                                     10.20.30.0/24 - Advertise
                                     172.16.0.0/16 - Suppress
Interface                            Ethernet1/2
Passive                              No
Link Type                            Broadcast
Metric                               10
Priority                             1
Auth Profile                         Yes (see Auth Profile Name below)
Hello Interval (sec)                 10
Dead Counts                          4
Retransmit Interval (sec)            5
Transit Delay (sec)                  1
Graceful Restart Hello Delay (sec)   10
Virtual Link - Neighbor              N/A
Virtual Link - Transit Area          N/A
Virtual Link - Enable                N/A
Virtual Link - Timing                N/A
Virtual Link - Auth Profile          N/A
Auth Profile Name                    PHXDCAuth
Auth Profile Password                N/A - Store the password in a password manager rather than in plain
                                     text in this document, in case the document is ever compromised.
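The timer and area rules in the settings list above (dead timer versus Graceful Restart Hello Delay, the backbone area type, manual neighbors only on p2mp) are easy to get wrong when a template like Table 9 is copied between sites. The Python checker below is an added example written for this page, not PAN-OS code or a Palo Alto Networks tool. Its field names mirror the bullet list and the first interface uses the Table 9 values; the second interface (ethernet1/3 with a 3-second hello) is a constructed counter-example.

```python
"""Consistency checks for OSPF area and interface settings (added example)."""
from dataclasses import dataclass, field
from typing import List

BACKBONE = "0.0.0.0"


@dataclass
class OspfArea:
    area_id: str
    area_type: str               # "normal", "stub" or "nssa"
    accept_summary: bool = True  # False on a stub area makes it "totally stubby"
    advertise_default: bool = False
    default_metric: int = 10     # 1-255, used only when advertise_default is set


@dataclass
class OspfInterface:
    name: str
    area_id: str
    link_type: str               # "broadcast", "p2p" or "p2mp"
    priority: int = 1            # 0 = never elected DR/BDR
    hello_interval: int = 10     # seconds
    dead_counts: int = 4
    gr_hello_delay: int = 10     # Graceful Restart Hello Delay, seconds
    neighbors: List[str] = field(default_factory=list)  # manual neighbors (p2mp only)


def dead_timer(iface: OspfInterface) -> int:
    """Dead timer = Hello Interval x Dead Counts."""
    return iface.hello_interval * iface.dead_counts


def check_area(area: OspfArea) -> List[str]:
    found = []
    if area.area_type not in ("normal", "stub", "nssa"):
        found.append(f"{area.area_id}: unknown area type {area.area_type!r}")
    elif area.area_id == BACKBONE and area.area_type != "normal":
        # RFC 2328: the backbone cannot be configured as a stub or NSSA.
        found.append(f"{area.area_id}: backbone must be a normal area")
    if area.area_type == "normal" and not area.accept_summary:
        found.append(f"{area.area_id}: Accept Summary applies to stub/NSSA areas only")
    if area.advertise_default and not 1 <= area.default_metric <= 255:
        found.append(f"{area.area_id}: default route metric must be 1-255")
    return found


def check_interface(iface: OspfInterface) -> List[str]:
    found = []
    if not 0 <= iface.priority <= 255:
        found.append(f"{iface.name}: priority must be 0-255")
    if not 0 <= iface.hello_interval <= 3600:
        found.append(f"{iface.name}: hello interval must be 0-3600")
    if not 3 <= iface.dead_counts <= 20:
        found.append(f"{iface.name}: dead counts must be 3-20")
    if not 1 <= iface.gr_hello_delay <= 10:
        found.append(f"{iface.name}: graceful restart hello delay must be 1-10")
    # No hellos are sent while Grace LSAs go out, so the adjacency only survives
    # a restart if the dead timer outlasts the delay; the text asks for 4x.
    if dead_timer(iface) < 4 * iface.gr_hello_delay:
        found.append(f"{iface.name}: dead timer {dead_timer(iface)}s is below 4 x "
                     f"graceful restart hello delay ({4 * iface.gr_hello_delay}s)")
    if iface.link_type == "p2mp" and not iface.neighbors:
        found.append(f"{iface.name}: p2mp requires manually defined neighbors")
    if iface.link_type != "p2mp" and iface.neighbors:
        found.append(f"{iface.name}: manual neighbors are allowed only for p2mp")
    if iface.link_type == "broadcast" and iface.priority == 0:
        found.append(f"{iface.name}: priority 0, this router will never be DR/BDR")
    return found


def audit(areas: List[OspfArea], interfaces: List[OspfInterface]) -> List[str]:
    """Run every check and return the list of findings (empty means clean)."""
    known = {a.area_id for a in areas}
    findings = [line for a in areas for line in check_area(a)]
    for iface in interfaces:
        if iface.area_id not in known:
            findings.append(f"{iface.name}: references undefined area {iface.area_id}")
        findings.extend(check_interface(iface))
    return findings


# Values taken from Table 9: backbone area, ethernet1/2, hello 10 s, dead counts 4,
# graceful restart hello delay 10 s.
TABLE9_AREA = OspfArea(BACKBONE, "normal")
TABLE9_IFACE = OspfInterface("ethernet1/2", BACKBONE, "broadcast", priority=1)

# Constructed counter-example: aggressive timers that break graceful restart.
FAST_IFACE = OspfInterface("ethernet1/3", BACKBONE, "broadcast",
                           hello_interval=3, dead_counts=3, gr_hello_delay=10)

if __name__ == "__main__":
    for line in audit([TABLE9_AREA], [TABLE9_IFACE, FAST_IFACE]):
        print(line)
```

Run as a script it prints a single finding for ethernet1/3 (dead timer 9 s against a 40 s requirement); the Table 9 interface passes. The ranges are the ones quoted in the bullet list, so tightening them to an organization's own standard is a matter of editing the constants.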
BGP
BGP functions between Autonomous Systems (AS) via exterior BGP (eBGP) and within an AS via interior BGP
(iBGP) to exchange routing and reachability information with other BGP speakers. The firewall provides a
complete BGP implementation, which includes the following features:
• Specification of one BGP routing instance per virtual router.
• BGP settings per virtual router, which include basic parameters such as local router ID and local AS,
  and advanced options such as path selection, route reflector, AS confederation, route flap dampening,
  and graceful restart.
• Peer group and neighbor settings, which include neighbor address and remote AS, and advanced options
  such as neighbor attributes and connections.
• Route policies to control route import, export, and advertisement; prefix-based filtering; and address
  aggregation.
• IGP-BGP interaction to inject routes into BGP using redistribution profiles.
• Authentication profiles, which specify the MD5 authentication key for BGP connections. Authentication
  helps prevent a spoofed peer from injecting or leaking routes and from tearing down the session (a DoS
  attack).
• Multiprotocol BGP (MP-BGP) to allow BGP peers to carry IPv6 unicast routes and IPv4 multicast routes in
  Update packets, and to allow the firewall and a BGP peer to communicate with each other using IPv6
  addresses.
BGP Settings
• AS Number - Enter the number of the AS to which the virtual router belongs (range is 1-4294967295).
• Install Route - Select this option to install BGP routes in the global routing table.
• Aggregate MED - Select to enable route aggregation even when routes have different Multi-Exit
  Discriminator (MED) values.
• Default Local Preference - Specifies a value that can be used to determine preferences among different
  paths.
• AS Format - Select the 2-byte (default) or 4-byte format. This setting is configurable for
  interoperability purposes.
• Always Compare MED - Enable MED comparison for paths from neighbors in different autonomous systems.
• Deterministic MED Comparison - Enable MED comparison to choose between routes that are advertised by
  iBGP peers (BGP peers in the same autonomous system).
• Graceful Restart - Stale Route Time - Specify the length of time, in seconds, that a route can stay in
  the stale state (range is 1-3600; default is 120).
• Graceful Restart - Local Restart Time - Specify the length of time, in seconds, that the local device
  takes to restart; this value is advertised to peers (range is 1-3600; default is 120).
• Graceful Restart - Max Peer Restart Time - Specify the maximum length of time, in seconds, that the
  firewall accepts as a grace period restart time for peer devices (range is 1-3600; default is 120).
• Reflector Cluster ID - Specify an IPv4 identifier to represent the reflector cluster.
• Confederation ID - Specify the identifier for the AS confederation to be presented as a single AS to
  external BGP peers.
• Dampening Profile Information
  − Profile Name - Enter a name to identify the profile.
  − Cutoff - Specify a route withdrawal threshold above which a route advertisement is suppressed
    (range is 0.0-1000.0; default is 1.25).
  − Reuse - Specify a route withdrawal threshold below which a suppressed route is used again (range is
    0.0-1000.0; default is 5).
  − Max Hold Time - Specify the maximum length of time, in seconds, that a route can be suppressed,
    regardless of how unstable it has been (range is 0-3600; default is 900).
  − Decay Half Life Reachable - Specify the length of time, in seconds, after which a route's stability
    metric is halved if the route is considered reachable (range is 0-3600; default is 300).
  − Decay Half Life Unreachable - Specify the length of time, in seconds, after which a route's
    stability metric is halved if the route is considered unreachable (range is 0-3600; default is 300).
• Peer Group - Enter a name to identify the peer group.
• Aggregated Confed AS Path - Select this option to include a path to the configured aggregated
  confederation AS.
• Soft Reset with Stored Info - Select this option to perform a soft reset of the firewall after updating
  the peer settings.
• Type - Specify the type of peer or group and configure the associated settings (Import Next Hop and
  Export Next Hop are described below).
  − IBGP - Specify Export Next Hop.
  − EBGP Confed - Specify Export Next Hop.
  − IBGP Confed - Specify Export Next Hop.
  − EBGP - Specify Import Next Hop, Export Next Hop, and Remove Private AS (select if you want to force
    BGP to remove private AS numbers from the AS path before advertising to the peer).
• Import Next Hop
  − Original - Use the Next Hop address provided in the original route advertisement.
  − Use Peer - Use the peer's IP address as the Next Hop address.
• Export Next Hop
  − Resolve - Resolve the Next Hop address using the local forwarding table.
  − Use Self - Replace the Next Hop address with this router's IP address to ensure that it will be in the
    forwarding path.
Table 10 identifies the standardized BGP configuration settings for this environment.
Table 10 – BGP Settings
Setting                                   Details
Enable                                    Not enabled for this customer; example settings are filled in
                                          anyway
Router ID                                 PHXDC-VR1
AS Number                                 12345
BFD                                       N/A
Reject Default Route                      Yes
Install Route                             Yes
Aggregate MED                             Yes
Default Local Preference                  100
AS Format                                 4 Byte
Always Compare MED                        No
Deterministic MED Comparison              Yes
Auth Profiles                             Yes - store passwords in a password manager
Graceful Restart - Stale Route Time       120
Graceful Restart - Local Restart Time     120
Graceful Restart - Max Peer Restart Time  120
Reflector Cluster ID                      None
Confederation Member AS                   Yes
Dampening Profiles - Name                 N/A
Dampening Profiles - Cutoff               N/A
Dampening Profiles - Reuse                N/A
Dampening Profiles - Max Hold Time        N/A
Dampening Profiles - Decay Half Life Reachable    N/A
Dampening Profiles - Decay Half Life Unreachable  N/A
Peer Group Name                           N/A
Aggregated Confed AS Path                 N/A
Soft Reset with Stored Info               N/A
Type                                      N/A
Import Next Hop                           N/A
Export Next Hop                           N/A
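Two of the settings above interact on the wire: AS Format (2-byte versus 4-byte, which decides how an AS number such as the 4-byte values is written and what a 2-byte-only peer can see) and the per-peer Remove Private AS option for EBGP peers. The Python below is an added example written for this page, not PAN-OS code. The export policy it models (drop every private ASN, then prepend the local AS) is a deliberate simplification of what real routers do, and the AS numbers other than Table 10's 12345 are constructed.

```python
"""AS-number formats and a model of Remove Private AS on eBGP export (added example)."""
from typing import List

# RFC 6996 private-use ranges. 65535 and 4294967295 are reserved, not private.
PRIVATE_2BYTE = range(64512, 65535)
PRIVATE_4BYTE = range(4200000000, 4294967295)
AS_TRANS = 23456  # RFC 6793 placeholder that a 4-byte ASN becomes towards 2-byte-only peers


def is_private_as(asn: int) -> bool:
    return asn in PRIVATE_2BYTE or asn in PRIVATE_4BYTE


def asplain_to_asdot(asn: int) -> str:
    """asdot notation (RFC 5396): 'high.low' above 65535, plain decimal otherwise."""
    if not 1 <= asn <= 4294967295:
        raise ValueError("AS number must be 1-4294967295")
    return str(asn) if asn <= 65535 else f"{asn >> 16}.{asn & 0xFFFF}"


def asdot_to_asplain(text: str) -> int:
    if "." not in text:
        return int(text)
    high, low = (int(part) for part in text.split(".", 1))
    if not (0 <= high <= 65535 and 0 <= low <= 65535):
        raise ValueError(f"bad asdot value {text!r}")
    return (high << 16) | low


def export_as_path(local_as: int, path: List[int], remove_private: bool) -> List[int]:
    """Model an eBGP export: optionally strip private ASNs, then prepend the local AS.

    Simplification (assumption): every private ASN is removed wherever it appears,
    which is fine for the single-homed case but hides real transit hops if a private
    ASN sits between two public ones.
    """
    if remove_private:
        path = [asn for asn in path if not is_private_as(asn)]
    return [local_as] + path


def as_path_for_peer(path: List[int], peer_supports_4byte: bool) -> List[int]:
    """What a peer sees in AS_PATH: a 2-byte-only peer gets AS_TRANS for large ASNs."""
    if peer_supports_4byte:
        return list(path)
    return [asn if asn <= 65535 else AS_TRANS for asn in path]


if __name__ == "__main__":
    # Table 10 uses AS 12345 with the 4-byte AS Format selected.
    print(asplain_to_asdot(65536))                              # 1.0
    print(export_as_path(12345, [64512, 65001, 3356], True))    # [12345, 3356]
    print(as_path_for_peer([12345, 4200000000], False))         # [12345, 23456]
```

The last line is the interoperability point behind the AS Format setting: a peer that only understands 2-byte AS numbers cannot see 4200000000 in the path, only the AS_TRANS placeholder, so loop detection on that hop is lost.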
RIP
Routing Information Protocol (RIP) is an interior gateway protocol (IGP) that was designed for small IP
networks. RIP relies on hop count to determine routes; the best routes have the fewest number of hops.
RIP is based on UDP and uses port 520 for route updates. By limiting routes to a maximum of 15 hops, the
protocol helps prevent the development of routing loops, but also limits the supported network size. If
more than 15 hops are required, traffic is not routed. RIP can also take longer to converge than OSPF and
other routing protocols. Palo Alto Networks firewalls support only RIP v2.
RIP is an old dynamic routing protocol and is rarely seen in production environments; OSPF is far more
common. Most environments will not configure RIP, so N/A is pre-populated below.
RIP General Settings
• Advertise - Select to enable advertisement of a default route to RIP peers with the specified metric
  value.
• Metric - Specify a metric value for the router advertisement. This field is visible only if you enable
  Advertise.
• Mode - normal, passive, or send-only.
• Interval Seconds - Define the length of the timer interval in seconds. This duration is used for the
  remaining RIP timing fields (range is 1-60).
• Update Intervals - Enter the number of intervals between route update announcements (range is 1-3600).
• Expire Intervals - Enter the number of intervals between the time that the route was last updated and
  its expiration (range is 1-3600).
• Delete Intervals - Enter the number of intervals between the time that the route expires and its
  deletion (range is 1-3600).
Table 11 identifies the standardized RIP configuration settings for this environment.
Table 11 – RIP Settings
Setting                 Details
Reject Default Route    N/A
BFD                     N/A
Interface               N/A
Advertise               N/A
Metric                  N/A
Mode                    N/A
Interval Seconds        N/A
Update Intervals        N/A
Expire Intervals        N/A
Delete Intervals        N/A
Auth Profile Name       N/A
Auth Password Type      N/A
High Availability
A Palo Alto Networks best practice is to deploy all firewalls in pairs configured with active/passive high
availability. With active/passive, one firewall is the primary (active) firewall that passes all traffic.
The secondary (passive) firewall has a synchronized configuration and session table but does not pass
traffic. In the event of a firewall failover, the secondary firewall becomes active and begins passing
traffic. Because the session table has already been synchronized, existing traffic sessions are not
interrupted.
When the primary firewall comes back into operation, the firewalls can be configured to leave the
secondary as the active firewall with the primary staying in passive mode. HA can also be configured so
that the primary preempts ownership and becomes the active firewall again a short time after coming back
online.
Active/passive HA on Palo Alto Networks devices requires a minimum of two links for operation: HA1 for
control plane synchronization and HA2 for data plane synchronization. There are two dedicated hardware
links on each of the firewalls for this function (PA-3000 Series and larger). It is also a best practice to
configure backup links for each of those functions if there are available operational interfaces on the
X0Y0 Series firewalls (PA-3020, PA-5050, etc.). The X2Y0 Series firewalls (P A-3220, PA-5260, etc.) have
dedicated hardware interfaces for HA1, HA1 backup, and HA2; the HA2 backup still needs to be a dataplane
interface on these models.
Link and path monitoring are also available in the HA settings in PAN-OS to manage how the platform fails
over for reasons other than hardware failure. Link monitoring triggers a failover event if it detects
monitored link failures; a failover can be configured to trigger if a single link is down or if a
combination of links is down. Path monitoring monitors an upstream or downstream IP address or group of
addresses and triggers a failover if they are not reachable after a configurable threshold.
Requirements from HLD
<HLD defined HA requirements>
[CUSTOMER] will be deploying several Palo Alto Networks platforms in an active/passive configuration with
the remainder of the platforms deployed as standalone systems (see Table 12).
Table 12 – Active/Passive HA Firewall Deployment
Firewall Name   HA Mode          HA1 IP         HA1B IP        HA2 IP         HA2B IP
PHXDCEFW01      Active/Passive   10.254.250.1   10.254.251.1   10.254.252.1   10.254.253.1
PHXDCEFW02      Active/Passive   10.254.250.2   10.254.251.2   10.254.252.2   10.254.253.2
Customer Specific Requirements
<LLD specifics for this customer use case(s)>
Table 13 shows the recommended and agreed upon high availability (HA) settings to be standardized across
all HA active/passive and active/active deployments in the [CUSTOMER] environment.
Table 13 – Standardized HA Settings
A/P HA Settings                Recommendation               Override/Reason
Passive Link State             Shutdown
Monitor Fail Hold Down Time    1 min
Device Priority                50/100
Preemptive                     Disabled                     Enabled; the customer wants FW1 to always be
                                                            active when it is available for service on the
                                                            perimeter firewalls; default for the data
                                                            center firewalls.
Heartbeat Backup               Enabled
HA Timer Settings              Default
Backup Links                   Enabled
Link Monitoring                Enabled on all interfaces
Path Monitoring                Disabled

A/A HA Settings                Recommendation               Override/Reason
Device Priority                50/100
Preemptive                     Disabled
Heartbeat Backup               Enabled
HA Timer Settings              Recommended
Backup Links                   Enabled
Link Monitoring                Enabled on all interfaces
Path Monitoring                Disabled
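How Device Priority, Preemptive and Link Monitoring combine is the part of Table 13 that most often surprises operators: the lower priority value is the preferred device, and without Preemptive enabled on both peers the preferred device does not take the active role back after a failover. The Python below is an added example for this page, not PAN-OS code. It models only those three settings (no Monitor Fail Hold Down Time, heartbeat or HA timers), uses the firewall names from Table 12 and the 50/100 priorities from Table 13, and the link-state scenario it runs is constructed.

```python
"""Simplified model of active/passive election with link monitoring (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LinkState = Dict[str, bool]   # interface name -> True if the link is up


@dataclass
class LinkGroup:
    name: str
    links: List[str]
    failure_condition: str = "any"   # "any": one link down fails the group; "all": every link down


@dataclass
class Peer:
    name: str
    device_priority: int = 100       # lower value = preferred device
    preemptive: bool = False
    link_groups: List[LinkGroup] = field(default_factory=list)


def link_group_failed(group: LinkGroup, state: LinkState) -> bool:
    down = [not state.get(link, False) for link in group.links]
    return any(down) if group.failure_condition == "any" else all(down)


def is_functional(peer: Peer, state: LinkState) -> bool:
    """A peer whose monitored link group has failed leaves the functional state."""
    return not any(link_group_failed(g, state) for g in peer.link_groups)


def elect_active(peers: List[Peer], current: Optional[str],
                 functional: Dict[str, bool]) -> Optional[str]:
    candidates = [p for p in peers if functional.get(p.name, False)]
    if not candidates:
        return None
    preferred = min(candidates, key=lambda p: p.device_priority)
    if current in {p.name for p in candidates}:
        # Preemption only happens when it is enabled on both peers.
        if all(p.preemptive for p in peers) and preferred.name != current:
            return preferred.name
        return current
    return preferred.name


def run_scenario(preemptive: bool) -> List[Optional[str]]:
    """Constructed scenario for the Table 12 pair: FW01 (priority 50) loses a monitored
    uplink, fails over to FW02 (priority 100), then gets the link back."""
    def uplinks() -> List[LinkGroup]:
        return [LinkGroup("uplinks", ["ethernet1/1", "ethernet1/2"], "any")]

    peers = [Peer("PHXDCEFW01", 50, preemptive, uplinks()),
             Peer("PHXDCEFW02", 100, preemptive, uplinks())]
    both_up: LinkState = {"ethernet1/1": True, "ethernet1/2": True}
    fw01_lost_link: LinkState = {"ethernet1/1": False, "ethernet1/2": True}
    steps = [
        {"PHXDCEFW01": both_up, "PHXDCEFW02": both_up},         # steady state
        {"PHXDCEFW01": fw01_lost_link, "PHXDCEFW02": both_up},  # link monitor fires on FW01
        {"PHXDCEFW01": both_up, "PHXDCEFW02": both_up},         # FW01 recovers
    ]
    active: Optional[str] = None
    history: List[Optional[str]] = []
    for state in steps:
        functional = {p.name: is_functional(p, state[p.name]) for p in peers}
        active = elect_active(peers, active, functional)
        history.append(active)
    return history


if __name__ == "__main__":
    print(run_scenario(preemptive=False))  # FW01, FW02, FW02 stays active
    print(run_scenario(preemptive=True))   # FW01, FW02, FW01 preempts
```

With Preemptive disabled, as Table 13 recommends, the pair ends the scenario with FW02 active and stays that way until an operator intervenes; the perimeter override in the table changes exactly this last step.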
Operational Interfaces
Interfaces Overview
The interface configurations of firewall data ports enable traffic to enter and exit the firewall. The
firewall supports the following interface types on the dataplane:
• Physical Interfaces - Depending on the model, the firewall supports copper and fiber optic interfaces.
  Copper interfaces take standard RJ45-compatible CATx cable, while the fiber interfaces range from
  SFP/SFP+ for 1 to 10 Gbit Ethernet to QSFP+/QSFP28 for 40 to 100 Gbit Ethernet. Dataplane interfaces
  can be configured as the following types: tap, high availability (HA), log card*, decryption mirror,
  virtual wire*, Layer 2*, Layer 3*, and Aggregate Ethernet*. Interface types marked with * can carry
  logical sub-interfaces.
• Logical Interfaces - These include virtual local area network (VLAN) interfaces, loopback interfaces,
  and tunnel interfaces. You must set up the physical interface before defining a VLAN or a tunnel
  interface.
General Interface Settings
Interface names are predefined and cannot be changed. A description field can be used to "name" the
interface if desired. Interfaces that require a numeric suffix are: aggregate interfaces, logical
sub-interfaces, VLAN interfaces, loopback interfaces, and tunnel interfaces.
• Interface Types
  − Tap
  − HA
  − Decrypt Mirror (PA-3000 Series firewalls and above only)
  − Virtual Wire
  − Layer 2
  − Layer 3
  − Log Card (PA-7000 Series firewall only)
  − Aggregate Ethernet
All interfaces should be configured with the following settings. Settings marked with * are required for
the interface to pass traffic.
• Management Profile - Defines the management protocols allowed on the interface. Ping, SSH, HTTPS, SNMP,
  and more are available options. Ping must be enabled for the interface to respond directly to ICMP echo
  requests.
• IP Address - (Optional) Configure the IPv4 or IPv6 address of the Ethernet, VLAN, loopback, or tunnel
  interface. For an IPv4 address, you can also select the addressing mode (Type) for the interface:
  Static, DHCP Client, or PPPoE.
• Virtual Router* - Assign a virtual router to the interface (Layer 3 interfaces).
• Tag - Enter the VLAN tag (1-4,094) for the subinterface.
• VLAN - To enable switching between Layer 2 interfaces, or to enable routing through a VLAN interface,
  you must configure a VLAN object. To route through the VLAN, the VLAN interface must have an IP
  address.
• Vwire - Assign a vwire to the interface (vwire interfaces only).
• Virtual System - If the firewall supports multiple virtual systems and that capability is enabled,
  select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.
• Zone* - Define a security zone for the interface.
• Comment - A description of the interface function or purpose.
Table 14 – General Interface Settings
Interface     Type   Mgmt Profile   IP               Virtual Router   VLAN   vSys    Zone
Ethernet1/1   L3     Ping Only      123.125.22.15    PHXDCCustAVR1    N/A    Vsys1   Internet
Ethernet1/2   L3     Ping Only      192.168.15.1     PHXDCCustAVR1    N/A    Vsys1   UserLAN
<HLD defined operational interface requirements>
Use this section to outline operational interface requirements.
<LLD specifics for this customer use case(s)>
Use this section to outline customer-specific needs.
Tables for each of these are shown above with an example of the information required to configure them.
Management Interface
By default, the firewall is managed via the Management interface (MGT). The firewall also uses the MGT
interface to access remote services, such as DNS servers, content updates, and license retrieval. If you do
not want to allow external network access from your management network, you must set up a data port to
provide access to these required external services (service routes).
General Management Interface Settings
• Services - Defines the services permitted for management access:
  − HTTP (not recommended)
  − HTTP OCSP
  − HTTPS
  − Telnet (not recommended)
  − SSH
  − Ping
  − SNMP
  − User-ID
  − User-ID Syslog Listener - SSL
  − User-ID Syslog Listener - UDP
• Permitted IP - Defines the IP addresses or ranges allowed to access the firewall for management.
• Services - Defines the DNS and NTP configuration.
Table 15 – MGT Port Settings
MGT Port Settings   Settings                           Override/Reason
IP Address          192.168.25.200
Mask                255.255.255.0
Gateway             192.168.25.1
IPv6 Address        N/A
Speed               1 Gbps
MTU                 1500
Services            HTTPS, SSH, Ping, User-ID, SNMP
Permitted IPs       192.168.25.0/24
Update Server       updates.paloaltonetworks.com       Do not change the Update Server unless
                                                       instructed by Technical Support
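Both the Management Profile bullet under General Interface Settings and the MGT port's Services and Permitted IP settings above decide who can open a management session on the firewall, so they are worth reviewing with one tool. The Python below is an added example for this page, not PAN-OS code. It checks profile definitions for the two things this page flags (HTTP and Telnet as not recommended, and Permitted IP lists that do not actually restrict anything) and adds one check the page implies but does not state: interactive services should not be offered on an untrusted zone. The set of zone names treated as untrusted and the "Allow-HTTPS" profile are assumptions; the MGT and Ping Only entries are taken from Tables 14 and 15.

```python
"""Audit of management-access settings on data interfaces and the MGT port (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

CLEARTEXT = {"http", "telnet"}                    # flagged "not recommended" on this page
INTERACTIVE = {"http", "https", "telnet", "ssh"}  # services that open a management session
UNTRUSTED_ZONES = {"internet", "untrust"}         # assumption: zones treated as external


@dataclass
class MgmtProfile:
    name: str
    services: List[str]
    permitted_ips: List[str] = field(default_factory=list)  # empty = no restriction (model assumption)


@dataclass
class Interface:
    name: str
    zone: str
    profile: MgmtProfile


def _services(profile: MgmtProfile) -> set:
    return {s.lower() for s in profile.services}


def _networks(profile: MgmtProfile) -> list:
    return [ipaddress.ip_network(cidr, strict=False) for cidr in profile.permitted_ips]


def source_allowed(profile: MgmtProfile, service: str, src_ip: str) -> bool:
    """Would a request for `service` from `src_ip` be accepted under this profile?"""
    if service.lower() not in _services(profile):
        return False
    if not profile.permitted_ips:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in _networks(profile))


def audit_profile(profile: MgmtProfile, where: str) -> List[str]:
    found = []
    svcs = _services(profile)
    for svc in sorted(svcs & CLEARTEXT):
        found.append(f"{where}: cleartext service {svc} enabled in profile {profile.name}")
    if svcs & INTERACTIVE:
        if not profile.permitted_ips:
            found.append(f"{where}: {profile.name} accepts management sessions from any source")
        for net in _networks(profile):
            if net.prefixlen == 0:
                found.append(f"{where}: Permitted IP {net} is unrestricted")
    return found


def audit_interface(iface: Interface) -> List[str]:
    found = audit_profile(iface.profile, iface.name)
    exposed = _services(iface.profile) & INTERACTIVE
    if exposed and iface.zone.lower() in UNTRUSTED_ZONES:
        found.append(f"{iface.name}: {sorted(exposed)} offered on untrusted zone {iface.zone}")
    return found


# MGT port from Table 15 and ethernet1/1 from Table 14 (Ping Only on the Internet zone).
MGT_PORT = MgmtProfile("MGT", ["HTTPS", "SSH", "Ping", "User-ID", "SNMP"], ["192.168.25.0/24"])
ETH1_1 = Interface("ethernet1/1", "Internet", MgmtProfile("Ping Only", ["ping"]))
# Constructed bad case: an HTTPS/HTTP profile on the Internet-facing port with no Permitted IP.
BAD_ETH1_1 = Interface("ethernet1/1", "Internet",
                       MgmtProfile("Allow-HTTPS", ["https", "http", "ping"]))

if __name__ == "__main__":
    print(audit_profile(MGT_PORT, "MGT"))        # []
    print(audit_interface(ETH1_1))               # []
    for line in audit_interface(BAD_ETH1_1):     # three findings
        print(line)
```

The `source_allowed` helper is the quick way to answer the question a change request usually raises ("will the jump host still reach SSH after we tighten Permitted IPs?") before committing the change.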
<HLD defined operational interface requirements>
Use this section to outline Operation Interface requirements.
<LLD specifics for this customer use case(s)>
Use this section to outline customer specific needs.
Logging Interface
The log interface is specific to the PA-7000 Series firewall chassis. Supporting multiple NPC cards with
multiple 10 Gbps interfaces in a single unit creates a scenario where logs can be generated at a rate
greater than the default 1 Gbps RJ45 management interface can handle. Therefore, a dedicated logging
interface needs to be created to forward logs from the PA-7000 Series firewalls with enough bandwidth to
handle the aggregate log forwarding. Log data on the PA-7000 Series is stored on the LPC card. In PAN-OS
7.1 and earlier, logs could not be forwarded from the LPC to Panorama; this limitation was corrected in
PAN-OS 8.x and above. The logging interface is configured as a dataplane interface, selectable from the
Type drop-down menu at creation.
Table 16 – Log Interface Settings
Log Interface    Settings
Interface Name   Ethernet3/14
IP Address       IP goes here
Mask             Mask goes here
Gateway          Gateway goes here
IPv6 Address     N/A
Speed            10 Gbps
MTU              1500
Notes            10 Gbps GBIC slot
Configure Panorama to Use Multiple Interfaces
In a large-scale network, you can improve security and reduce congestion by implementing network
segmentation, which involves segregating the subnetworks based on resource usage, user roles, and security
requirements. Panorama supports network segmentation by enabling you to use multiple M-Series appliance
interfaces for managing devices (firewalls, Log Collectors, and WildFire appliances and appliance
clusters) and collecting logs; you can assign separate interfaces to the devices on separate subnetworks.
Using multiple interfaces to collect logs also provides the benefit of load balancing, which is
particularly useful in environments where the firewalls forward logs at high rates to the Log Collectors.
Because administrators access and manage Panorama over the MGT interface, securing that interface is
especially important. One method for improving the security of the MGT interface is to offload Panorama
services to other interfaces. In addition to device management and log collection, you can also offload
Collector Group communication and deployment of software and content updates to firewalls, Log Collectors,
and WildFire appliances and appliance clusters. By offloading these services, you can reserve the MGT
interface for administrative traffic and assign it to a secure subnetwork that is segregated from the
subnetworks where your firewalls, Log Collectors, and WildFire appliances and appliance clusters reside.
Multiple Interfaces for Network Segmentation
• Panorama management network - To protect the Panorama web interface, CLI, and XML API from
  unauthorized access, the MGT interface on Panorama should be connected to a subnetwork that only
  administrators can access.
• Internet - Panorama uses the MGT interface to communicate with external services such as the Palo Alto
  Networks Update Server.
• Perimeter Gateway and Data Center - Panorama can use separate interface(s) to manage firewalls and Log
  Collectors. Managing firewalls typically generates less traffic than querying Log Collectors for report
  information. Therefore, Panorama can use 1 Gbps interfaces (Eth1 and Eth2) for managing the firewalls
  and 10 Gbps interfaces (Eth4 and Eth5) for querying and managing the Log Collectors.
  − Each Log Collector then uses its MGT interface to respond to the queries but uses its Eth4 and Eth5
    interfaces for the heavier traffic associated with collecting logs from the firewalls.
• Software and content updates - The firewalls and Log Collectors can retrieve software and content
  updates over a dedicated interface on Panorama.
Security Zones
<description of security zone functionality>
Security zones are a logical way to group physical and virtual interfaces on the firewall to control and
log the traffic that traverses specific interfaces on your network. An interface on the firewall must be
assigned to a security zone before the interface can process traffic. A zone can have multiple interfaces
of the same type assigned to it (such as tap, Layer 2, or Layer 3 interfaces), but an interface can belong
to only one zone.
Policy rules on the firewall use security zones to identify where the traffic comes from and where it is
going. Traffic can flow freely within a zone, but traffic cannot flow between different zones until you
define a Security policy rule that allows it. To allow or deny interzone traffic, Security policy rules
must reference a source zone and destination zone (not interfaces), and the zones must be of the same type;
that is, a Security policy rule can allow or deny traffic from one Layer 2 zone only to another Layer 2
zone.
<HLD defined security zone requirements>
<LLD specifics for this customer use case(s)>
General Security Zone Settings
• Name - Enter a zone name (up to 31 characters). This name appears in the list of zones when defining
  security policies and configuring interfaces. The name is case-sensitive and must be unique within the
  virtual system. Use only letters, numbers, spaces, hyphens, periods, and underscores.
• Location - This field is present only if the firewall supports multiple virtual systems (vsys) and that
  capability is enabled. Select the vsys to which this zone applies.
• Type - Select the zone type. The External zone type is used to control traffic between multiple vsys on
  a single firewall; it is displayed only on firewalls that support multiple vsys and only if multi-vsys
  is enabled. An interface can belong to only one zone.
  − Tap
  − Virtual Wire
  − Layer 2
  − Layer 3
  − External
  − Tunnel
• Log Setting - Select a Log Forwarding profile for forwarding zone protection logs to an external
  system. If you have a Log Forwarding profile named default, that profile is automatically selected in
  this drop-down when defining a new security zone. You can override this default at any time by
  selecting a different Log Forwarding profile when setting up a new security zone.
• Interface - Add one or more interfaces. An interface can belong to only one zone.
• User-ID - Enable on trusted zones only, to allow user-to-IP mapping to be applied to the zone's
  traffic.
• User-ID ACL Include - By default the firewall applies all user mapping information discovered to all
  the traffic of this zone for use in logs, reports, and policies; the include list limits this to the
  listed subnetworks.
• User-ID ACL Exclude - Excludes user mapping information for subnetworks that fall inside the include
  list.
Table 17 – Security Zones
Zone Name     Type   Zone Protection   User-ID         Vsys    User Include          User Exclude
Ethernet1/1   L3     Ping Only         No              Vsys1   N/A                   N/A
Ethernet1/2   L3     Ping Only         192.168.15.1    Vsys1   Leave blank for all   N/A
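The rules stated above (an interface sits in exactly one zone, intrazone traffic is allowed by default, interzone traffic is denied until a rule allows it, and a rule's two zones must share a type) can be captured in a small evaluator that shows how a rulebase and a zone table interact. The Python below is an added example for this page, not PAN-OS code: the Internet and UserLAN zones and their interfaces come from Table 14, while the Layer 2 guest zone, the extra UserLAN interface and the rule names are constructed for illustration.

```python
"""Zone-based policy evaluation for the rules described above (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    type: str  # "tap", "virtual-wire", "layer2", "layer3", "external" or "tunnel"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str  # "allow" or "deny"


class ZoneTable:
    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {}
        self.iface_zone: Dict[str, str] = {}

    def add_zone(self, zone: Zone, interfaces: List[str]) -> None:
        if zone.name in self.zones:
            raise ValueError(f"zone {zone.name} already defined")
        for iface in interfaces:
            if iface in self.iface_zone:  # an interface can belong to only one zone
                raise ValueError(f"{iface} already belongs to zone {self.iface_zone[iface]}")
        self.zones[zone.name] = zone
        for iface in interfaces:
            self.iface_zone[iface] = zone.name

    def zone_of(self, interface: str) -> Optional[str]:
        return self.iface_zone.get(interface)


def validate_rules(table: ZoneTable, rules: List[Rule]) -> List[str]:
    """Reject rules that reference unknown zones or mix zone types."""
    errors = []
    for rule in rules:
        missing = [z for z in (rule.src_zone, rule.dst_zone) if z not in table.zones]
        if missing:
            errors.append(f"{rule.name}: unknown zone(s) {missing}")
            continue
        src, dst = table.zones[rule.src_zone], table.zones[rule.dst_zone]
        if src.type != dst.type:
            errors.append(f"{rule.name}: zone types differ ({src.type} -> {dst.type})")
    return errors


def evaluate(table: ZoneTable, rules: List[Rule], ingress: str, egress: str) -> str:
    """First matching rule wins; otherwise the intrazone/interzone defaults apply."""
    src, dst = table.zone_of(ingress), table.zone_of(egress)
    if src is None or dst is None:
        return "drop: interface not assigned to a zone"
    for rule in rules:
        if rule.src_zone == src and rule.dst_zone == dst:
            return f"{rule.action}: {rule.name}"
    return "allow: intrazone-default" if src == dst else "deny: interzone-default"


def build_example() -> Tuple[ZoneTable, List[Rule]]:
    table = ZoneTable()
    table.add_zone(Zone("Internet", "layer3"), ["ethernet1/1"])                # Table 14
    table.add_zone(Zone("UserLAN", "layer3"), ["ethernet1/2", "ethernet1/3"])  # ethernet1/3 constructed
    table.add_zone(Zone("Guest-L2", "layer2"), ["ethernet1/5"])                # constructed
    rules = [Rule("UserLAN-to-Internet", "UserLAN", "Internet", "allow")]
    return table, rules


if __name__ == "__main__":
    table, rules = build_example()
    print(evaluate(table, rules, "ethernet1/2", "ethernet1/1"))  # allow: UserLAN-to-Internet
    print(evaluate(table, rules, "ethernet1/1", "ethernet1/2"))  # deny: interzone-default
    print(evaluate(table, rules, "ethernet1/2", "ethernet1/3"))  # allow: intrazone-default
    print(validate_rules(table, [Rule("bad", "Guest-L2", "Internet", "allow")]))
```

The second evaluation is the one to remember when reviewing a rulebase: the allow rule is unidirectional at the policy-match level, so return traffic relies on session state rather than on a mirror rule, and a new Internet-initiated flow towards UserLAN still hits the interzone default deny.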
IPSec VPNs
IPSec tunnels facilitate encrypted business-to-business (site-to-site) connections over the public
internet. Two sites negotiate an IKE connection and, once it is established, negotiate an IPSec tunnel
between the two IKE gateways. Palo Alto Networks firewalls natively support route-based VPN, whereby a
route entry is made in the virtual router that is associated with the tunnel interface. These route entries
ensure that traffic sent to the specified destinations egresses through the configured IPSec tunnel
interface(s).
IPSec tunnels also support proxy IDs. Proxy IDs are necessary for third-party (Cisco, Juniper, etc.) IKE
peers that route traffic based on policy only. The local and remote networks configured in the Proxy IDs
tab are presented to the IKE peer as the traffic permitted through the tunnel, for both ingress and
egress. Be aware when configuring IPSec tunnels that if the peer is policy based and the IPSec tunnel(s)
are not configured with proxy IDs, the firewall will propose 0.0.0.0/0 over any protocol and port to the
peer, which the policy-based peer will not accept. This results in a failed IPSec tunnel establishment.
<HLD defined IPSec VPN requirements>
<LLD specifics for this customer use case(s)>
General IPSEC Settings
IKE Profile
• Name - Enter a name to identify the profile (up to 31 characters). The name is case-sensitive and must
  be unique. Use only letters, numbers, spaces, hyphens, and underscores.
• DH Group - Defines the Diffie-Hellman key exchange group used for IKE phase 1. For higher security,
  choose a higher-numbered group. The available groups are:
  − group1
  − group2
  − group5
  − group14
  − group19
  − group20
• Authentication - For highest security, order the options (top to bottom) as follows:
  − sha512
  − sha384
  − sha256
  − sha1
  − md5
• Encryption - For highest security, order the options (top to bottom) as follows:
  − aes-256-cbc
  − aes-192-cbc
  − aes-128-cbc
  − 3des
  − des
• Key Lifetime - Select the unit of time and enter the length of time that the negotiated IKE Phase 1 key
  will be effective (default is 8 hours).
  − IKEv2 - Before the key lifetime expires, the SA must be re-keyed; otherwise, upon expiration, the SA
    must begin a new Phase 1 key negotiation.
  − IKEv1 - Will not actively re-key Phase 1 before expiration. Only when the IKEv1 IPSec SA expires
    will an IKEv1 Phase 1 re-key be triggered.
•
IKEv2 Auth - Specif y a value (range is 0-50; def ault is 0) that is multiplied by the Key Lif etime to
determine the authentication count. The authentication count is the number of times that the
gateway can perf orm IKEv2 IKE SA re-key bef ore the gateway must start over with IKEv2
re-authentication. A value of 0 disables the re-authentication f eature.
IPSEC Profile
• ESP - Encapsulating Security Payload protocol encrypts the data, authenticates the source, and verifies data integrity.
• AH - Authentication Header protocol authenticates the source and verifies data integrity.
• Encryption (ESP protocol only)
  − aes-256-gcm
  − aes-256-cbc
  − aes-192-cbc
  − aes-128-gcm
  − aes-128-ccm (the VM-Series firewall does not support this option)
  − aes-128-cbc
  − 3des
  − des
  − Null (no encryption)
• DH Group - For highest security, choose the group with the highest number. If you do not want to renew the key that the firewall creates during IKE phase 1, select no-pfs (no perfect forward secrecy); the firewall then reuses the current key for the IPSec security association (SA) negotiations.
  − group1
  − group2
  − group5
  − group14
  − group19
  − group20
• Lifetime - Select units and enter the length of time (default is one hour) that the negotiated key will stay effective.
• Lifesize - Select optional units and enter the amount of data that the key can use for encryption.
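The ordering rules above (strongest algorithm first, highest-numbered DH group preferred, encryption only meaningful for ESP) can be checked mechanically. The following Python linter is an added example, not code from this document or from Palo Alto Networks; the BUSINESS_PEER and AES256_SHA256 dicts mirror Table 18 and Table 19, LEGACY_IKE is a constructed weak profile, and the WEAK set is editorial judgement rather than a statement from the document.

```python
"""Lint IKE / IPSec crypto profile settings against the design document's
ordering rules: strongest-first lists, highest DH group, ESP-only encryption.
Added example; profile dicts are constructed from Table 18 and Table 19."""
from typing import Dict, List

# Top-to-bottom orders the document prescribes (strongest first).
IKE_AUTH_ORDER = ["sha512", "sha384", "sha256", "sha1", "md5"]
IKE_ENC_ORDER = ["aes-256-cbc", "aes-192-cbc", "aes-128-cbc", "3des", "des"]
IPSEC_ENC_ORDER = ["aes-256-gcm", "aes-256-cbc", "aes-192-cbc", "aes-128-gcm",
                   "aes-128-ccm", "aes-128-cbc", "3des", "des", "null"]
# "Choose the group with the highest number"; no-pfs reuses the phase 1 key.
DH_ORDER = ["group20", "group19", "group14", "group5", "group2", "group1", "no-pfs"]

# Bottom-of-list options a new design should not negotiate at all
# (editorial judgement for this example, not a rule stated in the document).
WEAK = {"md5", "sha1", "3des", "des", "null", "group1", "group2", "group5", "no-pfs"}


def rank(name: str, order: List[str]) -> int:
    """Index in the strength order; names the order does not know sort last."""
    name = name.lower()
    return order.index(name) if name in order else len(order)


def check_list(label: str, members: List[str], order: List[str]) -> List[str]:
    """Findings for one algorithm list: wrong ordering and weak members."""
    findings = []
    ranks = [rank(m, order) for m in members]
    if ranks != sorted(ranks):
        findings.append(f"{label}: not ordered strongest-first: {members}")
    findings += [f"{label}: weak option {m}" for m in members if m.lower() in WEAK]
    return findings


def lint_ike_profile(profile: Dict) -> List[str]:
    """IKE crypto profile: DH group, authentication and encryption lists."""
    findings = check_list("dh-group", profile["dh_group"], DH_ORDER)
    findings += check_list("authentication", profile["authentication"], IKE_AUTH_ORDER)
    findings += check_list("encryption", profile["encryption"], IKE_ENC_ORDER)
    return findings


def lint_ipsec_profile(profile: Dict) -> List[str]:
    """IPSec crypto profile: encryption applies to ESP only, never to AH."""
    findings = []
    proto = profile["protocol"].upper()
    if proto == "AH" and profile.get("encryption"):
        findings.append("encryption listed on an AH profile (AH is integrity only)")
    if proto == "ESP":
        findings += check_list("encryption", profile["encryption"], IPSEC_ENC_ORDER)
    findings += check_list("authentication", profile["authentication"], IKE_AUTH_ORDER)
    findings += check_list("dh-group", profile["dh_group"], DH_ORDER)
    return findings


# Table 18 (BusinessPeer) and Table 19 (AES256_Sha256) as dicts.
BUSINESS_PEER = {"dh_group": ["group14"], "authentication": ["sha256"],
                 "encryption": ["aes-256-cbc"], "key_lifetime_hours": 8}
AES256_SHA256 = {"protocol": "ESP", "encryption": ["aes-256-gcm"],
                 "authentication": ["sha256"], "dh_group": ["group14"],
                 "lifetime_hours": 1}
# Constructed weak profile: lists ordered weakest-first plus legacy options.
LEGACY_IKE = {"dh_group": ["group2", "group14"], "authentication": ["sha1"],
              "encryption": ["3des", "aes-128-cbc"]}

if __name__ == "__main__":
    for name, findings in [("BusinessPeer", lint_ike_profile(BUSINESS_PEER)),
                           ("AES256_Sha256", lint_ipsec_profile(AES256_SHA256)),
                           ("LEGACY_IKE", lint_ike_profile(LEGACY_IKE))]:
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```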
Table 18 – IKE Profile

| IKE Settings | Settings | Override/Reason |
|---|---|---|
| Name | BusinessPeer | |
| DH Group | Group14 | |
| Authentication | Sha256 | |
| Encryption | AES-256-cbc | |
| Key Lifetime | 8 hours | |
| IKEv2 Authentication Multiple | 0 | |

Table 19 – IPSec Profile

| IPSec Settings | Settings | Override/Reason |
|---|---|---|
| Name | AES256_Sha256 | |
| IPSec Protocol | ESP | |
| Encryption (ESP protocol only) | Aes-256-gcm | |
| Authentication | Sha256 | |
| DH Group | Group14 | |
| Lifetime | 1 hour | |
| Lifesize | | |
GlobalProtect Configurations
GlobalProtect is the Palo Alto Networks VPN / baked-in User-ID solution. It can serve as a remote access VPN and/or as a source of User-ID and Host Information. Remote Access VPN extends the protections of the firewall rulebase to the clients connecting to the external gateways in tunnel mode, while internal gateways can transparently identify users on the local network. The firewall can use this User-ID / HIP data to enforce access in security policy.
Portals
Table 20 – GlobalProtect Portal Information

| Interface | Auth Profile | IP Address | FQDN | Gateways / Agent Profiles (per client OS) |
|---|---|---|---|---|
| Ethernet1/2 | LDAP | 120.111.15.7 | Portal.company.com | Windows: ExtGW1 / MSF; MacOS: ExtGW1 / MAC |

Gateways
Table 21 - GlobalProtect Gateway Information

| Interface | Auth Profile | IP Address | FQDN | Agent Profiles | Client DHCP Pool | Tunnel Mode? |
|---|---|---|---|---|---|---|
| Loopback.1 | LDAP | 192.168.254.254 | Extgw.company.com | Windows | 10.254.0.0/16 | Yes |
| | | | | MacOS | 10.253.0.0/16 | Yes |

HIP Profile Information
Table 22 - HIP Profile Information

| HIP Name | Parameters |
|---|---|
| AV_OS_CHECK | Palo Alto Networks Traps version X.Y, Windows 10 |
Panorama
This section of the document details the specific low-level design criteria to integrate the Palo Alto Networks Panorama, if procured, into the [CUSTOMER] environment. The information contained herein will be reviewed with [CUSTOMER] and become the basis for all platform configurations, to facilitate adherence to Palo Alto Networks best practices as well as consistency across the environment to simplify operational activities.
Management Interface
<description of management interface functionality>
By default, the firewall is managed via the Management interface (MGT). The firewall also uses the MGT interface to access remote services, such as DNS servers, content updates, and license retrieval. If you do not want to enable external network access to your management network, you must set up a data port to provide access to these required external services.
Table 23 – MGT Port Settings

| MGT Port Settings | Settings | Override/Reason |
|---|---|---|
| IP Address | 192.168.25.200 | |
| Mask | 255.255.255.0 | |
| Gateway | 192.168.25.1 | |
| IPv6 address | N/A | |
| Speed | 1Gbps | |
| MTU | 1500 | |
| Services | HTTPS, SSH, Ping, User-ID, SNMP | |
| Permitted IP | 192.168.25.0/24 | |
| Update Server | Updates.paloaltonetworks.com | Do not change the Update Server unless instructed by Technical Support |
Templates
A template defines the collection of all settings in the Device and Network tabs of the managed firewalls assigned to the template. Through the Device and Network tabs, Panorama can deploy a common base configuration to multiple firewalls that require similar settings using a template or a template stack (a combination of templates). Templates are "cookie-cutter" collections of configuration settings and do not exhibit any type of hierarchical behavior when combined in a stack. The stack has a configurable internal preference order that applies when two conflicting settings are detected: the template which is highest in the stack has priority in the config. For example, a stack consists of Template A and Template B. Both templates have ethernet1/1 configured with two different IP addresses. If Template A is above Template B in the stack, Template A's ethernet1/1 IP address will take precedence.
In addition to the settings available from the dialogs for creating Templates or Template Stacks:
• Type—Identifies the listed entries as templates or template stacks.
• Stack—Lists the templates assigned to a template stack.
Panorama supports up to 1,024 templates.
Table 24 - Panorama Templates

Templates: US-DeviceConfig, EastCoast-Network, WestCoast-Network, APAC-DeviceConfig, Japan-Network, Korea-Network

| Stack | Stack Members | Master Device |
|---|---|---|
| WestCoast | US-DeviceConfig, WestCoast-Network | WestFW1 |
| EastCoast | US-DeviceConfig, EastCoast-Network | EastFW1 |
| Japan | APAC-DeviceConfig, Japan-Network | Osaka-FW1 |
| Korea | APAC-DeviceConfig, Korea-Network | Seoul-FW1 |
Device Groups
A Device Group is a collection of all settings in the Policies and Objects tabs of a managed firewall. Device groups are hierarchical in nature, and objects created in a parent propagate down to its children. Panorama treats these groups as single units when applying policies. Firewalls can belong to only one device group. However, because virtual systems are distinct entities in Panorama, you can assign virtual systems within a firewall to different device groups.
You can nest device groups in a tree hierarchy of up to four levels under the Shared location to implement a layered approach for managing policies across your network of firewalls. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups at successively higher levels—collectively called ancestors—from which the bottom-level device group inherits policies and objects. At the top level, a device group can have child, grandchild, and great-grandchild device groups—collectively called descendants.
After adding, editing, or deleting a device group, perform a Panorama commit and a device group commit; Panorama then pushes the configuration changes to the firewalls that are assigned to the device group.
Panorama supports up to 1,024 device groups.
Device Group Tree
The following table represents the structure of the device groups.
Table 25 - Device Group Tree Structure (Shared, then 2nd, 3rd and 4th tier)

Shared
  Corporate Global (2nd tier)
    US (3rd tier)
      East Coast (4th tier)
      West Coast (4th tier)
    APAC (3rd tier)
      Japan (4th tier)
      Korea (4th tier)
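The two precedence rules described in the Templates and Device Groups sections (a flat stack where the highest template wins on conflict, and a hierarchy where a group inherits from every ancestor up to Shared, at most four levels deep) can be modelled directly. The Python below is an added example and not Panorama code; the stack and device group names come from Table 24 and Table 25, while the interface settings and object names are constructed.

```python
"""Model Panorama template-stack precedence and device-group inheritance as
described in this design document. Added example; names from Tables 24/25,
settings and object names constructed."""
from typing import Dict, List, Optional

Settings = Dict[str, str]


def resolve_stack(stack: List[Settings]) -> Settings:
    """Merge templates top-to-bottom: a key set by a higher template is kept,
    so stack[0] (the highest template) wins every conflict."""
    resolved: Settings = {}
    for template in stack:
        for key, value in template.items():
            resolved.setdefault(key, value)
    return resolved


class DeviceGroupTree:
    MAX_DEPTH = 4  # levels permitted below Shared

    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {"Shared": None}
        self.objects: Dict[str, List[str]] = {"Shared": []}

    def depth(self, name: str) -> int:
        """Shared is depth 0; each device group below it adds one."""
        d, p = 0, self.parent[name]
        while p is not None:
            d, p = d + 1, self.parent[p]
        return d

    def add(self, name: str, parent: str, objects: List[str]) -> None:
        if parent not in self.parent:
            raise KeyError(f"unknown parent device group {parent!r}")
        if self.depth(parent) + 1 > self.MAX_DEPTH:
            raise ValueError(f"{name!r} would nest deeper than {self.MAX_DEPTH} levels")
        self.parent[name] = parent
        self.objects[name] = list(objects)

    def ancestors(self, name: str) -> List[str]:
        """Parent, grandparent, ... up to and including Shared."""
        chain, p = [], self.parent[name]
        while p is not None:
            chain.append(p)
            p = self.parent[p]
        return chain

    def effective_objects(self, name: str) -> List[str]:
        """Objects inherited from Shared downwards plus the group's own."""
        out: List[str] = []
        for group in self.ancestors(name)[::-1] + [name]:
            out += self.objects[group]
        return out


# Table 24: stack WestCoast = US-DeviceConfig above WestCoast-Network.
# Both set ethernet1/1, like Template A / Template B in the text (values constructed).
US_DEVICECONFIG = {"dns-primary": "192.168.25.10", "ethernet1/1.ip": "10.1.1.1/24"}
WESTCOAST_NETWORK = {"ethernet1/1.ip": "10.2.2.1/24", "ethernet1/2.ip": "10.2.3.1/24"}
WESTCOAST_STACK = [US_DEVICECONFIG, WESTCOAST_NETWORK]


def build_table25_tree() -> DeviceGroupTree:
    """Shared > Corporate Global > US / APAC > East Coast, West Coast, Japan, Korea."""
    t = DeviceGroupTree()
    t.objects["Shared"] = ["addr-dns-servers"]          # constructed object names
    t.add("Corporate Global", "Shared", ["svc-corp-https"])
    t.add("US", "Corporate Global", ["addr-us-dc"])
    t.add("East Coast", "US", ["addr-east-fw1"])
    t.add("West Coast", "US", ["addr-west-fw1"])
    t.add("APAC", "Corporate Global", [])
    t.add("Japan", "APAC", ["addr-osaka-fw1"])
    t.add("Korea", "APAC", ["addr-seoul-fw1"])
    return t


if __name__ == "__main__":
    print("WestCoast ethernet1/1:", resolve_stack(WESTCOAST_STACK)["ethernet1/1.ip"])
    tree = build_table25_tree()
    print("East Coast inherits:", tree.effective_objects("East Coast"))
```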
Logging and Reporting Settings
Panorama can be configured to generate reports based on data observed in the traffic logs. These are device group level settings that can be configured to automatically email PDF reports to organization teams.
Security Profiles
Security policy rules allow or block traffic based on match criteria and are otherwise known as firewall rules. Security profiles, on the other hand, are objects attached to security policies that help define an "allow but scan" rule. Security profiles perform various types of deep content inspection on allowed applications, looking for CVE vulnerabilities, viruses, malware, spyware, and DDoS attacks. When traffic matches the allow rule defined in the security policy, the security profiles that are attached to the rule are applied for further content inspection. Security profiles are not used as match criteria; a security profile is only applied to permit rules after all match criteria are satisfied.
The firewall provides default security profiles that you can use out of the box to begin protecting your network from threats. You can add security profiles that are commonly applied together to a Security Profile Group. This set of profiles can be treated as a unit and added to security policies in one step, or included in security policies by default if you choose to set up a default security profile group.
The following topics provide more detailed information about each type of security profile and how to set up a security profile group.
Antivirus Profiles
Antivirus profiles protect against known viruses, worms, and trojans as well as spyware downloads. Using a stream-based malware prevention engine, which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients without significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript viruses, including support for scanning inside compressed files and data encoding schemes. If you have enabled decryption on the firewall, the profile also enables scanning of decrypted content.
The default profile inspects all the listed protocol decoders for viruses, and generates alerts for the SMTP, IMAP, and POP3 protocols while blocking for the FTP, HTTP, and SMB protocols. You can configure the action for a decoder or antivirus signature, specify how the firewall responds to a threat event, and make exceptions if the profile detects a false positive.
To protect against unknown threats, if there is a valid WildFire subscription licensed on the firewall, the Antivirus profiles can take action on WildFire signatures to protect against "zero-day" threats that are successfully identified as malware by the WildFire cloud. The recommended action is block on all decoders, as this profile is searching for known malware.
Table 26 - Antivirus Profile

Profile Name: AV-General

| Decoder | Action | WildFire-Action |
|---|---|---|
| smtp | Reset-both | Reset-both |
| smb | Reset-both | Reset-both |
| pop3 | Reset-both | Reset-both |
| imap | Reset-both | Reset-both |
| http | Reset-both | Reset-both |
| ftp | Reset-both | Reset-both |
Anti-Spyware Profiles
Anti-Spyware profiles block spyware on compromised hosts from trying to phone home or beacon out to external command-and-control (C2) servers, allowing the detection of malicious traffic leaving the network from infected clients. Various levels of protection can be applied between zones. Custom Anti-Spyware profiles can be created manually or chosen from predefined profiles.
Additionally, Anti-Spyware profiles support the DNS sinkhole action. This can be enabled to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define. This feature helps to identify infected hosts on the protected network using DNS traffic. Infected hosts can then be easily identified in the traffic and threat logs, because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
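The "look for hosts that connected to the sinkhole address" check described above, written out as an added Python example (not firewall code). The log lines are constructed in a simplified CSV layout, not the real PAN-OS traffic log field order, and SINKHOLE_IP is a placeholder for whatever address the Anti-Spyware profile defines; the source addresses come from the GlobalProtect client pools in Table 21.

```python
"""Report hosts that tried to reach the DNS sinkhole address in a traffic log
export. Added example; the log format and addresses are constructed."""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List

SINKHOLE_IP = "203.0.113.254"  # placeholder (TEST-NET-3); use the configured sinkhole IP

# Constructed sample in a simplified layout: time, src, dst, dport, app, action
SAMPLE_TRAFFIC_LOG = """\
2019-06-01 09:00:01,10.254.1.10,203.0.113.254,443,ssl,allow
2019-06-01 09:00:02,10.254.1.10,203.0.113.254,80,web-browsing,allow
2019-06-01 09:00:05,10.254.1.20,93.184.216.34,443,ssl,allow
2019-06-01 09:01:13,10.253.7.7,203.0.113.254,443,ssl,deny
2019-06-01 09:01:14,10.254.1.10,203.0.113.254,8080,unknown-tcp,deny
2019-06-01 09:02:00,10.254.1.30,192.168.10.45,88,kerberos,allow
"""


def sinkhole_contacts(log_text: str, sinkhole_ip: str = SINKHOLE_IP) -> Dict[str, int]:
    """Count connection attempts per source host towards the sinkhole IP.
    Allowed and denied sessions both count: the forged DNS answer has already
    fired, so the attempt itself is the indicator, whatever the session action."""
    hits: Counter = Counter()
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 6:
            continue  # skip malformed lines instead of aborting the report
        _ts, src, dst, _dport, _app, _action = row
        if dst == sinkhole_ip:
            hits[src] += 1
    return dict(hits)


def suspected_infected(log_text: str, sinkhole_ip: str = SINKHOLE_IP) -> List[str]:
    """Source hosts ordered by number of sinkhole contacts, busiest first."""
    hits = sinkhole_contacts(log_text, sinkhole_ip)
    return sorted(hits, key=lambda host: (-hits[host], host))


if __name__ == "__main__":
    for host in suspected_infected(SAMPLE_TRAFFIC_LOG):
        print(host, sinkhole_contacts(SAMPLE_TRAFFIC_LOG)[host])
```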
Note: Make a new table per profile.
Table 27 - Anti-Spyware Profile Details

Profile Name: AS-General

| Severity | Action |
|---|---|
| Critical / High / Medium | Reset-both |
| Low / Informational | Alert |

DNS Sinkhole? Yes, Palo Alto Networks IP
Vulnerability Protection Profiles
Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems. Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, brute force attempts and other attempts to exploit system vulnerabilities. It is recommended to make a Vulnerability Protection profile that takes the action of reset-both on all medium, high, and critical severity vulnerability detections for inbound and outbound flows. Inside to inside (network segmentation) flows should block critical and high. Exceptions can be made if any false positives are detected, or for true positives that cannot be fixed in a specific LAN segment. This recommendation does not apply to all levels of risk tolerance; environments that are averse to any interruption in service should follow their own best practice models. For lower severities such as Low and Informational, choose the action of default. You can also create exceptions, which allow you to change the response to a specific signature.
For more information on Vulnerability Protection profile recommendations, refer to the following link. Vulnerability profiles should be configured based on traffic direction.
https://iron-skillet.readthedocs.io/en/panos_v8.0/panos_template_guide.html#vulnerability-protection
Actions – The following actions can be configured in a profile:
• Default - For each threat signature and Antivirus signature that is defined by Palo Alto Networks, a default action is specified internally. Typically, the default action is an alert or a reset-both. The default action is displayed in parentheses, for example default (alert), in the threat or Antivirus signature.
• Allow - Permits the application traffic. Does not create a log entry.
• Alert - Generates an alert for each application traffic flow. The alert is saved in the threat log.
• Drop – Drops the application traffic.
• Reset Client – For TCP, resets the client-side connection. For UDP, drops the connection.
• Reset Server – For TCP, resets the server-side connection. For UDP, drops the connection.
• Reset Both - For TCP, resets the connection on both the client and server ends. For UDP, drops the connection.
Table 28 – Threat profiles

Profile Name: Threat-General

| Severity | Action |
|---|---|
| Critical / High / Medium | Reset-both |
| Low / Informational | Default |
WildFire Profiles
WildFire profiles control which file types get submitted to the WildFire public cloud or WildFire private security appliances when traffic matches a security policy with the profile attached. The default, out-of-the-box WildFire profile submits any and all file types to the public cloud. This might be acceptable for some customers, but for customers that must adhere to PCI, HIPAA, or other such industry regulations you must configure WildFire profiles that ignore file types that may contain financial transaction information or personally identifiable information (PII), such as office documents and PDF files, and apply them to the appropriate security policies. Most customers will have specific networks configured for systems governed by these regulations. There should therefore be security zones associated with the traffic of these network segments. Use zones as the primary guideline for enabling and disabling file types from being submitted to WildFire, but ensure that you have this discussion with your customer and put the onus on them for identifying any network segments outside the scope of easily identified systems.
Table 29 - WildFire Profile Details

| Profile Name | Applications | File Types | Direction | Analysis |
|---|---|---|---|---|
| WildFire-All | any | Any | Both | Public-cloud |
File Blocking Profiles
File blocking profiles block file transfers for configured file extensions on any security policies where they are attached. Beware that some file extensions may seem like a good idea to block but can impact line of business applications. A simple example is .exe files for the website category "internet-communications-and-telephony." If you block .exe files in a blanket fashion, you will prevent your users from being able to use WebEx, Zoom, and other remote conferencing applications.
Table 30 - File Blocking Profile Details

| Rule Name | Applications | File Types | Direction | Action |
|---|---|---|---|---|
| Block-Risky | Any | 7z, bat, chm, class, cpl, dll, hlp, hta, jar, ocx, pif, scr, torrent, vbe, wsf | Both | Block |
Data Filtering Profiles
Data filtering profiles look for specific data patterns. When a pattern is identified by firewall policy, the firewall starts generating alerts once the alert threshold is hit and starts blocking once the block threshold is hit. Data filtering profiles require the configuration of data pattern objects. The following tables contain the data patterns and the data filtering profiles.
Table 31 - Data Pattern Objects

| Profile Name | Pattern Type | Name | File Types | Pattern |
|---|---|---|---|---|
| CreditCards-SSN | Predefined | Credit Card | Any | 4444-4444-4444-4444 |
| | | SSN | | 123-45-1234 |
| | | SSN (No Dashes) | | 123451234 |
| AccountNumbers | Regex | AccountNums | Any | P\-[A-Z]{1,3}\-\d{8} |

Table 32 - Data Filtering Profile Details

| Rule Name | Apps | File Types | Pattern(s) | Direction | Alert Threshold | Block Threshold |
|---|---|---|---|---|---|---|
| BlockRiskyData | Any | Any | CreditCards-SSN, AccountNumbers | Both | 3 | 5 |
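To show how the patterns in Table 31 and the thresholds in Table 32 combine, here is an added Python example (not firewall code). The AccountNums regex is the one from the table; the credit card and SSN matchers are my approximations of the predefined patterns, since the firewall's own definitions are not on this page; the Luhn check and the rule that match counts are summed across the rule's patterns are assumptions of this example; the sample texts are constructed.

```python
"""Evaluate Table 31 data patterns against text and apply the Table 32
alert/block thresholds. Added example; matchers for the predefined patterns
are approximations and the sample texts are constructed."""
import re
from typing import Dict

ALERT_THRESHOLD = 3  # Table 32, BlockRiskyData
BLOCK_THRESHOLD = 5

ACCOUNT_NUMS = re.compile(r"P\-[A-Z]{1,3}\-\d{8}")            # Table 31, as written
CREDIT_CARD = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")        # assumption: 16 digits in 4-groups
SSN_DASHES = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")               # assumption
SSN_NO_DASHES = re.compile(r"\b\d{9}\b")                        # assumption


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so an arbitrary 16-digit string is not counted as a card."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_matches(text: str) -> Dict[str, int]:
    """Occurrences per data pattern object from Table 31."""
    cards = [m for m in CREDIT_CARD.findall(text) if luhn_ok(m)]
    ssns = SSN_DASHES.findall(text) + SSN_NO_DASHES.findall(text)
    return {"CreditCards-SSN": len(cards) + len(ssns),
            "AccountNumbers": len(ACCOUNT_NUMS.findall(text))}


def data_filtering_action(text: str) -> str:
    """allow / alert / block for the BlockRiskyData rule. Assumption: the
    rule's count is the sum over both of its pattern objects."""
    total = sum(count_matches(text).values())
    if total >= BLOCK_THRESHOLD:
        return "block"
    if total >= ALERT_THRESHOLD:
        return "alert"
    return "allow"


# Constructed samples (test card numbers, fictitious SSNs and account numbers).
SAMPLE_INVOICE = """\
Customer account P-US-00012345, backup account P-EU-00098765.
Card on file: 4111 1111 1111 1111 (exp 12/22). Contact SSN 123-45-1234.
"""
SAMPLE_EXPORT = """\
Bulk HR export: 123-45-1234, 987-65-4321, 123451234
Corporate cards: 4111 1111 1111 1111 and 5500 0000 0000 0004
"""

if __name__ == "__main__":
    for label, text in [("invoice", SAMPLE_INVOICE), ("export", SAMPLE_EXPORT)]:
        print(label, count_matches(text), "->", data_filtering_action(text))
```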
Denial of Service Protection Profiles
Denial of Service (DoS) protection profiles are designed to protect resources from packet-based attacks such as TCP non-SYN attacks, pings of death, UDP floods, etc. They extend the capabilities of, and should be more specific (strict) than, the Zone Protection profiles configured on security zones. These should typically be applied to servers that have known traffic metrics and a known baseline number of sessions.
Table 33 - DoS Profile Details

| DoS Profile Name | Type | SYN Flood | UDP Flood | ICMP Flood | ICMPv6 Flood | Other IP Flood | Resource Protection (Sessions) |
|---|---|---|---|---|---|---|---|
| SynFloodCookiesAggregate | Aggregate | Yes | Yes | No | No | No | 1000 |
Security Profile Groups
Security profile groups are designed to ease the configuration of many security policies by allowing the firewall administrator to group multiple security profiles together in one "all-in-one" object that can be associated with a security policy. DoS profiles are not included in profile groups.
Table 34 - Security Profile Group Details

| Group Name | Antivirus | Anti-Spyware | Vulnerability | File Blocking | Data Filtering | WildFire | URL |
|---|---|---|---|---|---|---|---|
| Baseline | Block-all | BlockCritHighMed | BlockCritHighMed | BlockRisky | None | SubmitAll | BlockBadURL |
User-ID
User identification is a cornerstone of effective security policy. It is important to be able to identify not only what systems are conducting activity on the network, but the user performing the activity. Palo Alto Networks next-generation firewalls can gather User-ID information from various sources including LDAP servers, Kerberos / SSO, RADIUS servers via Syslog Listeners, Terminal Server Agents, API calls, and GlobalProtect.
User-ID Sources
Table 35 - User-ID Source Details

| User-ID Source | Type | IP Address | Port | Configured Interface |
|---|---|---|---|---|
| LDAP | UID Agent | 192.168.10.45 | 5007 | Default (MGMT) |
| Kerberos | SSO | 192.168.10.45 | 88 | Default (MGMT) |
| Splunk | Syslog Listener | 192.168.10.77 | 514 | Default (MGMT) |
Group Mapping Profiles
Group mapping is necessary for being able to enumerate users and link them to AD groups. When creating group mapping profiles for Panorama Templates, it is necessary to specify a Master Device to serve as the firewall from which User-ID information is gathered. This setting is a checkbox in each configured template.
Table 36 - Group Mapping Profile Details

| Server Profile | Domain Setting | Group Object Class | User Object Class | User and Group Attributes | Group Include List |
|---|---|---|---|---|---|
| LDAP | Sample.com | group | person | sAMAccountName, mail, userPrincipalName | Sample\USUsers, sample\USAdmins, sample\GlobalAdmins |
URL Filtering Profiles
URL Filtering profiles enable control over how users access the web over HTTP and HTTPS. The firewall comes with a default profile that is configured to block websites such as known malware sites, phishing sites, and adult content sites. The default profile can be deployed in a security policy or be cloned to be used as a starting point for a new URL Filtering profile. URL profiles can be used in conjunction with User-ID to block specific categories of sites for specific categories of users. URL profiles that have all categories set to allow can be used for visibility into web-based traffic on the network. The newly added URL profiles can then be customized and added to lists of specific websites that should always be blocked or allowed, which provides more granular control over URL categories.
Table 37 – URL Filtering Profiles

| Category Name | Recommended Action | Description |
|---|---|---|
| Abortion | Alert | Sites that pertain to information or groups in favor of or against abortion, details regarding abortion procedures, help or support forums for or against abortion, or sites that provide information regarding the consequences/effects of pursuing (or not) an abortion. |
| Abused Drugs | Block | Sites that promote the abuse of both legal and illegal drugs, use and sale of drug related paraphernalia, manufacturing and/or selling of drugs. |
| Adult | Block | Sexually explicit material, media (including language), art, and/or products, online groups or forums that are sexually explicit in nature. Sites that promote adult services such as video/telephone conferencing, escort services, strip clubs, etc. |
| Alcohol and Tobacco | Alert | Sites that pertain to the sale, manufacturing, or use of alcohol and/or tobacco products and related paraphernalia. Includes sites related to electronic cigarettes. |
| Auctions | Alert | Sites that promote the sale of goods between individuals. |
| Business and Economy | Alert, Override | Marketing, management, economics, and sites relating to entrepreneurship or running a business. Note: Includes advertising and marketing firms. Should not include corporate websites as they should be categorized with their technology. Also shipping sites, such as fedex.com and ups.com. |
| Command and Control | Block | URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data. |
| Computer and Internet Info | Alert | General information regarding computers and the internet. Note: Should include sites about computer science, engineering, hardware, software, security, programming, etc. Programming may have some overlap with reference, but the main category should remain computer and internet info. |
| Content Delivery Networks | Alert | Sites whose primary focus is delivering content to 3rd parties such as advertisements, media, files, etc. Note: Includes image servers. |
| Copyright Infringement | Block | Web pages and services that are dedicated to illegally offering videos, movies or other media for download, infringing the copyrights of others. Note: Should not include sites that provide peer-to-peer file exchange services or general streaming media. |
| Dating | Alert | Websites offering online dating services, advice, and other personal ads. |
| Dynamic DNS | Block | Sites that provide and/or utilize dynamic DNS services to associate domain names to dynamic IP addresses. Dynamic DNS is often used by attackers for command-and-control communication and other malicious purposes. |
| Educational Institutions | Alert | Official websites for schools, colleges, universities, school districts, online classes, and other academic institutions. Note: These refer to larger, established educational institutions such as elementary schools, high schools, universities, etc. Tutoring academies can go here as well. |
| Entertainment and Arts | Alert | Sites for movies, television, radio, videos, programming guides/tools, comics, performing arts, museums, art galleries, or libraries. Includes sites for entertainment, celebrity and industry news. |
| Extremism | Block | Websites promoting terrorism, racism, fascism or other extremist views discriminating against people or groups of different ethnic backgrounds, religions or other beliefs. |
| Financial Services | Alert | Websites pertaining to personal financial information or advice, such as online banking, loans, mortgages, debt management, credit card companies, and insurance companies. Does not include sites relating to stock markets, brokerages or trading services. Note: Includes sites for foreign currency exchange. |
| Gambling | Alert | Lottery or gambling websites that facilitate the exchange of real and/or virtual money. Related websites that provide information, tutorials or advice regarding gambling, including betting odds and pools. Corporate websites for hotels and casinos that do not enable gambling are categorized under Travel. |
| Games | Alert | Sites that provide online play or download of video and/or computer games, game reviews, tips, or cheats, as well as instructional sites for non-electronic games, sale/trade of board games, or related publications/media. Includes sites that support or host online sweepstakes and/or giveaways. |
| Government | Alert | Official websites for local, state, and national governments, as well as related agencies, services, or laws. |
| Hacking | Block | Sites relating to the illegal or questionable access to or the use of communications equipment/software. Development and distribution of programs, how-to advice and/or tips that may result in the compromise of networks and systems. Also includes sites that facilitate the bypass of licensing and digital rights systems. |
| Health and Medicine | Alert | Sites containing information regarding general health information, issues, and traditional and non-traditional tips, remedies, and treatments. Also includes sites for various medical specialties, practices and facilities (such as gyms and fitness clubs) as well as professionals. Sites relating to medical insurance and cosmetic surgery are also included. |
| Home and Garden | Alert | Information, products, and services regarding home repair and maintenance, architecture, design, construction, décor, and gardening. |
| Hunting and Fishing | Alert | Hunting and fishing tips, instructions, sale of related equipment and paraphernalia. |
| Insufficient Content | Block | Websites and services that present test pages, no content, provide API access not intended for end-user display or require authentication without displaying any other content suggesting a different categorization. Note: Should not include websites providing remote access, such as web based VPN solutions, web based email services or identified credential phishing pages. |
| Internet Communications and Telephony | Alert | Sites that support or provide services for video chatting, instant messaging, or telephony capabilities. |
| Internet Portals | Alert | Sites that serve as a starting point for users, usually by aggregating a broad set of content and topics. |
| Job Search | Alert | Sites that provide job listings and employer reviews, interview advice and tips, or related services for both employers and prospective candidates. |
| Legal | Alert | Information, analysis or advice regarding the law, legal services, legal firms, or other legal related issues. |
| Malware | Block | Sites containing malicious content, executables, scripts, viruses, trojans, and code. |
| Military | Alert | Information or commentary regarding military branches, recruitment, current or past operations, or any related paraphernalia. |
| Motor Vehicles | Alert | Information relating to reviews, sales and trading, modifications, parts, and other related discussions for automobiles, motorcycles, boats, trucks and RVs. |
| Music | Alert | Music sales, distribution, or information. Includes websites for music artists, groups, labels, events, lyrics, and other information regarding the music business. Note: Does not include streaming music. |
| News | Alert | Online publications, newswire services, and other websites that aggregate current events, weather, or other contemporary issues. Includes newspapers, radio stations, magazines, and podcasts. |
| Not-Resolved | Alert | Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL; if no match is found, it then checks the management plane cache, and if no match is found there, it queries the URL database in the cloud. When deciding on what action to take for traffic that is categorized as not-resolved, be aware that setting the action to block may be very disruptive to users. |
| Nudity | Block | Sites that contain nude or seminude depictions of the human body, regardless of context or intent, such as artwork. Includes nudist or naturist sites containing images of participants. |
| Online Storage and Backup | Alert | Websites that provide online storage of files for free and as a service. |
| Parked | Block | URLs which host limited content or click-through ads which may generate revenue for the host entity but generally do not contain content that is useful to the end user. |
| Peer-to-Peer | Block | Sites that provide access to or clients for peer-to-peer sharing of torrents, download programs, media files, or other software applications. Note: Does not include shareware or freeware sites. This is primarily for those sites that provide bittorrent download capabilities. |
| Personal Sites and Blogs | Alert | Personal websites and blogs by individuals or groups. Note: Should try to first categorize based on content. For example, if someone has a blog just about cars, then the site should be categorized under "motor vehicles". However, if the site is a pure blog, then it should remain under "personal sites and blogs". |
| Philosophy and Political Advocacy | Alert | Sites containing information, viewpoints or campaigns regarding philosophical or political views. |
| Phishing | Block | Seemingly reputable sites that harvest personal information from their users via phishing or pharming. |
| Private IP Addresses | Block | This category includes IP addresses defined in RFC 1918, "Address Allocation for Private Internets", which are: 10.0.0.0 - 10.255.255.255 (10/8 prefix), 172.16.0.0 - 172.31.255.255 (172.16/12 prefix), 192.168.0.0 - 192.168.255.255 (192.168/16 prefix), 169.254.0.0 - 169.254.255.255 (169.254/16 prefix). It also includes domains not registered with the public DNS system (such as *.local). |
| Proxy Avoidance and Anonymizers | Block | Proxy servers and other methods that bypass URL filtering or monitoring. |
| Questionable | Block | Sites containing tasteless humor, offensive content targeting specific demographics of individuals or groups of people, criminal activity, illegal activity, and get rich quick sites. |
| Real Estate | Alert | Information on property rentals, sales and related tips or information. Includes sites for real estate agents, firms, rental services, listings (and aggregates), and property improvement. |
| Recreation and Hobbies | Alert | Information, forums, associations, groups, and publications on recreations and hobbies. |
| Reference and Research | Alert | Personal, professional, or academic reference portals, materials, or services. Includes online dictionaries, maps, almanacs, census information, libraries, genealogy and scientific information. |
| Religion | Alert | Information regarding various religions, related activities or events. Includes websites for religious organizations, officials and places of worship. |
| Search Engines | Alert | Sites that provide a search interface using keywords, phrases, or other parameters that may return information, websites, images or files as results. |
| Sex Education | Alert | Information on reproduction, sexual development, safe sex practices, sexually transmitted diseases, birth control, tips for better sex, as well as any related products or related paraphernalia. Includes websites for related groups, forums or organizations. |
| Shareware and Freeware | Alert | Sites that provide access to software, screensavers, icons, wallpapers, utilities, ringtones, themes or widgets for free and/or donations. Also includes open source projects. |
| Shopping | Alert | Sites that facilitate the purchase of goods and services. Includes online merchants, websites for department stores, retail stores, catalogs, as well as sites that aggregate and monitor prices. Note: Sites listed here should be online merchants that sell a variety of items (or whose main purpose is online sales). A webpage for a cosmetics company that also happens to allow online purchasing should be categorized with cosmetics and not shopping. |
| Social Networking | Alert | User communities and sites where users interact with each other, post messages, pictures, or otherwise communicate with groups of people. Does not include blogs or personal sites. |
| Society | Alert | Topics relating to the general population, issues that impact a large variety of people, such as fashion, beauty, philanthropic groups, societies, or children. Also includes restaurant websites. Note: Includes websites designed for children as well as restaurants. |
| Sports | Alert | Information about sporting events, athletes, coaches, officials, teams or organizations, sports scores, schedules and related news, and any related paraphernalia. Includes websites regarding fantasy sports and other virtual sports leagues. |
| Stock Advice and Tools | Alert | Information regarding the stock market, trading of stocks or options, portfolio management, investment strategies, quotes, or related news. |
| Streaming Media | Alert | Sites that stream audio or video content for free and/or purchase. Note: Includes online radio stations and other streaming music services. |
| Swimsuits and Intimate Apparel | Alert | Sites that include information or images concerning swimsuits, intimate apparel or other suggestive clothing. |
| Training and Tools | Alert | Sites that provide online education and training and related materials. Note: Can include driving/traffic schools, workplace training, etc. |
| Translation | Alert | Sites that provide translation services, including both user input and URL translations. These sites can also allow users to circumvent filtering as the target page's content is presented within the context of the translator's URL. |
| Travel | | Information regarding travel tips, deals, pricing information, destination information, tourism, and related services. Includes websites for hotels, local attractions, casinos, airlines, cruise lines, travel agencies, vehicle rentals and sites that provide booking tools such as price monitors. |
Note:
Includes websites f or local points of
interest/tourist attractions such as the
Eif f el Tower, the Grand Canyon, etc.
Alert
Unknown
The website has not yet been
categorized, so it does not exist in the
URL filtering database on the firewall
or in the URL cloud database. When
deciding on what action to take for
traffic categorized as unknown, be
aware that setting the action to block
may be very disruptive to users
because there could be a lot of valid
sites that are not in the URL database
yet. If you do want a very strict policy,
you could block this category, so
Alert
©2019 Palo Alto Networks, Inc.
50
Proprietary and Confidential
websites that do not exist in the URL
database cannot be accessed.
Weapons
Sales, reviews, descriptions of or
instructions regarding weapons and
their use.
Alert
Web
Advertisements
Advertisements, media, content, and
banners.
Alert
Free or paid f or hosting services f or
web pages, including inf ormation
regarding web development,
publication, promotion, and other
methods to increase traf f ic.
Alert
Any website that provides access to an
email inbox and the ability to send and
receive emails.
Alert
Web Hosting
Web-based
Email
©2019 Palo Alto Networks, Inc.
51
Proprietary and Confidential
Reporting, Alerting, and Configuration Backup
The following section centers around documenting the configured Report and Alerting settings.
Report and Alert Settings
Document the Report and Alert settings in this section. These are located at Panorama > Log Settings.
There is a lot of information here, so you may want to export it in text format using the CLI command:
show panorama log-settings
Figure 1 - Log Settings
Configuration Backup Settings
Document the Scheduled Config Export settings in the following table.
Table 38 - Scheduled Config Export Settings

| Setting | Value |
|---|---|
| Name | IS-LinuxBox |
| Description | Linux box used for backing up config text files |
| Enabled? | Yes |
| Scheduled Start Time | 03:15 |
| Protocol | SCP |
| Hostname | Isbox.sampleinc.com |
| Port | 22 |
| Path | /home/backupuser/paloalto/ |
| Username | Backupuser |
| Password | Always store in a password manager |
SNMP Settings
Document SNMP settings here.
Table 39 - SNMP Settings

| Setting | Value |
|---|---|
| Configured Interface | Aux1 |
| Configured IP | 192.168.10.1 |

SNMPv2 Settings
Table 40 - SNMPv2 Settings

| Setting | Value |
|---|---|
| Physical Location | Denver |
| Contact | ITAdmin@sampleinc.com |
| Version | V2 |
| Community String | C0MMun1TyStr1NG |
SNMPv3 Settings
For assistance on setting up SNMPv3, refer to the following document:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG6CAK
Table 41 - Views

| Name | OID | Option | Mask |
|---|---|---|---|
| TestView | panSysHwVersion (1.3.6.1.4.1.25461.2.1.2.1.2) | Include | 0x80 |

Table 42 - Users

| Users | View | Auth Password | Priv Password |
|---|---|---|---|
| Viewer | TestView | ******** | ******** |
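The view in Table 41 pairs an OID with a mask, and the mask decides how much of the MIB the SNMPv3 user can actually read. The following Python is an added example (not PAN-OS code) that applies the RFC 3415 VACM rule SNMPv3 view families follow: each mask bit, most significant first, says whether the matching sub-identifier must match exactly (1) or is a wildcard (0), and a mask shorter than the subtree OID is padded with 1s. The candidate OIDs are constructed for illustration.

```python
from __future__ import annotations

def parse_oid(oid: str) -> list[int]:
    """Split a dotted OID such as '1.3.6.1' into sub-identifiers."""
    return [int(part) for part in oid.strip(".").split(".")]

def mask_bits(mask_hex: str, length: int) -> list[bool]:
    """Expand a hex mask (e.g. '0x80') into one flag per sub-identifier.

    RFC 3415: bit i (MSB first) governs sub-identifier i; 1 means it must
    match exactly, 0 means wildcard. A mask shorter than the subtree OID
    is extended with 1s, so an empty mask means 'exact match throughout'.
    """
    digits = mask_hex[2:] if mask_hex.lower().startswith("0x") else mask_hex
    raw = bytes.fromhex(digits)
    bits = [bool((byte >> (7 - i)) & 1) for byte in raw for i in range(8)]
    bits = bits[:length]
    return bits + [True] * (length - len(bits))

def oid_in_view(oid: str, subtree: str, mask_hex: str = "") -> bool:
    """True if `oid` is inside the view family defined by (subtree, mask).

    The candidate must be at least as long as the subtree; subtree
    sub-identifiers are compared only where the mask bit is set.
    """
    cand, fam = parse_oid(oid), parse_oid(subtree)
    if len(cand) < len(fam):
        return False
    flags = mask_bits(mask_hex, len(fam))
    return all(not must or c == f for c, f, must in zip(cand, fam, flags))

def wildcard_positions(subtree: str, mask_hex: str) -> list[int]:
    """1-based sub-identifier positions the mask leaves as wildcards."""
    flags = mask_bits(mask_hex, len(parse_oid(subtree)))
    return [i + 1 for i, must in enumerate(flags) if not must]

# View from Table 41 (panSysHwVersion); candidate OIDs below are constructed.
TEST_VIEW_OID = "1.3.6.1.4.1.25461.2.1.2.1.2"
TEST_VIEW_MASK = "0x80"

if __name__ == "__main__":
    print(wildcard_positions(TEST_VIEW_OID, TEST_VIEW_MASK))  # [2, 3, 4, 5, 6, 7, 8]
    # An instance under the subtree matches with either mask.
    print(oid_in_view(TEST_VIEW_OID + ".0", TEST_VIEW_OID, TEST_VIEW_MASK))  # True
    # An OID sharing only sub-identifiers 1 and 9-12: 0x80 lets it in, 0xfff0 does not.
    stray = "1.0.0.0.0.0.0.0.1.2.1.2.0"
    print(oid_in_view(stray, TEST_VIEW_OID, TEST_VIEW_MASK))  # True
    print(oid_in_view(stray, TEST_VIEW_OID, "0xfff0"))        # False
```

Run against the sample in Table 41, the mask 0x80 leaves sub-identifiers 2 through 8 of the 12-part OID as wildcards, so the view admits far more than the panSysHwVersion subtree. A mask such as 0xfff0 pins every sub-identifier, which is the least-privilege reading of the view.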
Cloud Services / Integration Pieces
This section is devoted to the documentation of the configured Cloud Services and Plugin Integrations for Panorama.
Include details such as version of plugin, configured region, subscription model, etc.
Cloud Logging Service
The cloud logging service is a subscription-based service offered by Palo Alto Networks that provides a remote storage target for Panorama to forward its logs. Notable details here are region, plugin version, storage quantity, and retention.
< Enter details in an organized format. Could be a table, a bullet list, or a form. >
GlobalProtect Cloud Service
If GlobalProtect cloud service is configured, document the details here.
< Enter details in an organized format. Could be a table, a bullet list, or a form. >
Application Framework
If any custom applications are configured in the Palo Alto Networks Application Framework, document their details here.
< Enter details in an organized format. Could be a table, a bullet list, or a form. >
Traps
Document Traps details here. Notable details are version, Traps server, quantity of endpoint licenses, allowed application list, and any other details which are Traps oriented.
< Enter details in an organized format. Could be a table, a bullet list, or a form. >
Azure
Enter any Azure-specific details here such as region, account, devices, ACLs, etc.
< Enter details in an organized format. Could be a table, a bullet list, or a form. >
AWS
Enter any AWS-specific details here such as region, account, devices, ACLs, etc.
< Enter details in an organized format. Could be a table, a bullet list, or a form. >
NSX Plugin
Enter any NSX-specific details here such as plugin version, vCenter servers hosting the NSX plugin, etc.
< Enter details in an organized format. Could be a table, a bullet list, or a form. >
Document Properties
This document is prepared for the sole use by [CUSTOMER].
Contributors
Enter complete information for all people with their role; this could include customer resources:
Role types: Author/Contributor/Reviewer
Title example: Professional Services Consultant

| Name | Role | Title | Contact Information |
|---|---|---|---|
| Tom Addair | Pro-Serv | Sr. Professional Service Consultant | taddair@paloaltonetworks.com |

Revision History
Enter complete information for all revisions and be concise on comments:
Status types: Draft/In Review/Complete
Comments example: Initial draft/Added to Management and Routing sections/Draft complete – in review

| Date | Revision | Changes By | Status | Comments |
|---|---|---|---|---|
| dd MON yyyy | <x.y> | <your name> | <status> | <comments on version/changes> |
Palo Alto Networks Resources
Palo Alto Networks has a team of resources committed to making the [CUSTOMER] deployment successful. The following individuals are assigned to work on the [CUSTOMER] deployment.
Describe each member of the Palo Alto Networks team, their role, and contact information.
Professional Services Architect:
Engineer Name
engineer@paloaltonetworks.com
Professional Services PM:
Project Manager Name
pm@paloaltonetworks.com
Customer Resources
Describe each member of the customer team, their role, and contact information.
Customer Role Title 1:
Customer Name
customer@company.com
Customer Role Title 2:
Customer Name
customer@company.com