Use Dynamic User Groups in Policy

2023-04-13 06:27 | Source: compiled from the web | Views: 265

PAN-OS® Administrator’s Guide > Policy > Use Dynamic User Groups in Policy. Last Updated: Mar 8, 2023. Current Version: 10.1 (also published for versions 11.0, 10.2, 10.0 (EoL), and 9.1).
Configure Syslog Monitoring Syslog Field Descriptions Traffic Log Fields Threat Log Fields URL Filtering Log Fields Data Filtering Log Fields HIP Match Log Fields GlobalProtect Log Fields IP-Tag Log Fields User-ID Log Fields Decryption Log Fields Tunnel Inspection Log Fields SCTP Log Fields Authentication Log Fields Config Log Fields System Log Fields Correlated Events Log Fields GTP Log Fields Syslog Severity Custom Log/Event Format Escape Sequences SNMP Monitoring and Traps SNMP Support Use an SNMP Manager to Explore MIBs and Objects Identify a MIB Containing a Known OID Walk a MIB Identify the OID for a System Statistic or Trap Enable SNMP Services for Firewall-Secured Network Elements Monitor Statistics Using SNMP Forward Traps to an SNMP Manager Supported MIBs MIB-II IF-MIB HOST-RESOURCES-MIB ENTITY-MIB ENTITY-SENSOR-MIB ENTITY-STATE-MIB IEEE 802.3 LAG MIB LLDP-V2-MIB.my BFD-STD-MIB PAN-COMMON-MIB.my PAN-GLOBAL-REG-MIB.my PAN-GLOBAL-TC-MIB.my PAN-LC-MIB.my PAN-PRODUCT-MIB.my PAN-ENTITY-EXT-MIB.my PAN-TRAPS.my Forward Logs to an HTTP/S Destination NetFlow Monitoring Configure NetFlow Exports NetFlow Templates Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors Monitor Transceivers User-ID User-ID Overview User-ID Concepts Group Mapping User Mapping Server Monitoring Port Mapping XFF Headers Username Header Insertion Authentication Policy and Authentication Portal Syslog GlobalProtect XML API Client Probing Enable User-ID Map Users to Groups Map IP Addresses to Users Create a Dedicated Service Account for the User-ID Agent Configure User Mapping Using the Windows User-ID Agent Install the Windows-Based User-ID Agent Configure the Windows User-ID Agent for User Mapping Configure User Mapping Using the PAN-OS Integrated User-ID Agent Configure Server Monitoring Using WinRM Configure User-ID to Monitor Syslog Senders for User Mapping Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener Configure the Windows User-ID Agent as a Syslog 
Listener Map IP Addresses to Usernames Using Authentication Portal Authentication Portal Authentication Methods Authentication Portal Modes Configure Authentication Portal Configure User Mapping for Terminal Server Users Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API Send User Mappings to User-ID Using the XML API Enable User- and Group-Based Policy Enable Policy for Users with Multiple Accounts Verify the User-ID Configuration Deploy User-ID in a Large-Scale Network Deploy User-ID for Numerous Mapping Information Sources Windows Log Forwarding and Global Catalog Servers Plan a Large-Scale User-ID Deployment Configure Windows Log Forwarding Configure User-ID for Numerous Mapping Information Sources Insert Username in HTTP Headers Redistribute Data and Authentication Timestamps Firewall Deployment for Data Redistribution Configure Data Redistribution Share User-ID Mappings Across Virtual Systems App-ID App-ID Overview Streamlined App-ID Policy Rules Create an Application Filter Using Tags Create an Application Filter Based on Custom Tags App-ID and HTTP/2 Inspection Manage Custom or Unknown Applications Manage New and Modified App-IDs Workflow to Best Incorporate New and Modified App-IDs See the New and Modified App-IDs in a Content Release See How New and Modified App-IDs Impact Your Security Policy Ensure Critical New App-IDs are Allowed Monitor New App-IDs Disable and Enable App-IDs Use Application Objects in Policy Create an Application Group Create an Application Filter Create a Custom Application Resolve Application Dependencies Safely Enable Applications on Default Ports Applications with Implicit Support Security Policy Rule Optimization Policy Optimizer Concepts Sorting and Filtering Security Policy Rules Clear Application Usage Data Migrate Port-Based to App-ID Based Security Policy Rules Rule Cloning Migration Use Case: Web Browsing and SSL Traffic Add 
Applications to an Existing Rule Identify Security Policy Rules with Unused Applications High Availability for Application Usage Statistics How to Disable Policy Optimizer App-ID Cloud Engine Prepare to Deploy App-ID Cloud Engine Enable or Disable the App-ID Cloud Engine App-ID Cloud Engine Processing and Usage New App Viewer (Policy Optimizer) Add Apps to an Application Filter with Policy Optimizer Add Apps to an Application Group with Policy Optimizer Add Apps Directly to a Rule with Policy Optimizer Replace an RMA Firewall (ACE) Impact of License Expiration or Disabling ACE Commit Failure Due to Cloud Content Rollback Troubleshoot App-ID Cloud Engine SaaS App-ID Policy Recommendation Import SaaS Policy Recommendation Import Updated SaaS Policy Recommendation Remove Deleted SaaS Policy Recommendation Application Level Gateways Disable the SIP Application-level Gateway (ALG) Use HTTP Headers to Manage SaaS Application Access Understand SaaS Custom Headers Domains used by the Predefined SaaS Application Types Create HTTP Header Insertion Entries using Predefined Types Create Custom HTTP Header Insertion Entries Maintain Custom Timeouts for Data Center Applications Device-ID Device-ID Overview Prepare to Deploy Device-ID Configure Device-ID Manage Device-ID CLI Commands for Device-ID Threat Prevention Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions Set Up Antivirus, Anti-Spyware, and Vulnerability Protection DNS Security About DNS Security Cloud-Delivered DNS Signatures and Protections DNS Security Analytics Enable DNS Security DNS Security Data Collection and Logging Use DNS Queries to Identify Infected Hosts on the Network How DNS Sinkholing Works Configure DNS Sinkholing Configure DNS Sinkholing for a List of Custom Domains Configure the Sinkhole IP Address to a Local Server on Your Network See Infected Hosts that Attempted to Connect to a Malicious Domain Data Filtering Create a Data Filtering Profile Predefined Data Filtering Patterns 
WildFire Inline ML Configure WildFire Inline ML Set Up File Blocking Prevent Brute Force Attacks Customize the Action and Trigger Conditions for a Brute Force Signature Enable Evasion Signatures Monitor Blocked IP Addresses Threat Signature Categories Create Threat Exceptions Custom Signatures Monitor and Get Threat Reports Monitor Activity and Create Custom Reports Based on Threat Categories Learn More About Threat Signatures AutoFocus Threat Intelligence for Network Traffic AutoFocus Intelligence Summary Enable AutoFocus Threat Intelligence View and Act on AutoFocus Intelligence Summary Data Share Threat Intelligence with Palo Alto Networks Threat Prevention Resources Decryption Decryption Overview Decryption Concepts Keys and Certificates for Decryption Policies SSL Forward Proxy SSL Forward Proxy Decryption Profile SSL Inbound Inspection SSL Inbound Inspection Decryption Profile SSL Protocol Settings Decryption Profile SSH Proxy SSH Proxy Decryption Profile Profile for No Decryption SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates Perfect Forward Secrecy (PFS) Support for SSL Decryption SSL Decryption and Subject Alternative Names (SANs) TLSv1.3 Decryption High Availability Not Supported for Decrypted Sessions Decryption Mirroring Prepare to Deploy Decryption Work with Stakeholders to Develop a Decryption Deployment Strategy Develop a PKI Rollout Plan Size the Decryption Firewall Deployment Plan a Staged, Prioritized Deployment Define Traffic to Decrypt Create a Decryption Profile Create a Decryption Policy Rule Configure SSL Forward Proxy Configure SSL Inbound Inspection Configure SSH Proxy Configure Server Certificate Verification for Undecrypted Traffic Decryption Exclusions Palo Alto Networks Predefined Decryption Exclusions Exclude a Server from Decryption for Technical Reasons Local Decryption Exclusion Cache Create a Policy-Based Decryption Exclusion Block Private Key Export Generate a Private Key and Block It Import a Private Key and 
Block It Import a Private Key for IKE Gateway and Block It Verify Private Key Blocking Enable Users to Opt Out of SSL Decryption Temporarily Disable SSL Decryption Configure Decryption Port Mirroring Verify Decryption Troubleshoot and Monitor Decryption Decryption Application Command Center Widgets Decryption Log Configure Decryption Logging Decryption Log Errors, Error Indexes, and Bitmasks Repair Incomplete Certificate Chains Custom Report Templates for Decryption Unsupported Parameters by Proxy Type and TLS Version Decryption Troubleshooting Workflow Examples Investigate Decryption Failure Reasons Troubleshoot Unsupported Cipher Suites Identify Weak Protocols and Cipher Suites Identify Untrusted CA Certificates Troubleshoot Expired Certificates Troubleshoot Revoked Certificates Troubleshoot Pinned Certificates Activate Free Licenses for Decryption Features URL Filtering About Palo Alto Networks URL Filtering Solution How Advanced URL Filtering Works URL Filtering Inline ML URL Filtering Use Cases URL Categories Security-Focused URL Categories Malicious URL Categories Verified URL Categories Policy Actions You Can Take Based on URL Categories Plan Your URL Filtering Deployment URL Filtering Best Practices Activate The Advanced URL Filtering Subscription Configure URL Filtering Test URL Filtering Configuration Configure URL Filtering Inline ML Monitor Web Activity Monitor Web Activity of Network Users View the User Activity Report Configure Custom URL Filtering Reports Log Only the Page a User Visits Create a Custom URL Category URL Category Exceptions Use an External Dynamic List in a URL Filtering Profile Allow Password Access to Certain Sites Prevent Credential Phishing Methods to Check for Corporate Credential Submissions Configure Credential Detection with the Windows User-ID Agent Set Up Credential Phishing Prevention Safe Search Enforcement Safe Search Settings for Search Providers Block Search Results When Strict Safe Search Is Not Enabled Transparently 
Enable Safe Search for Users URL Filtering Response Pages Customize the URL Filtering Response Pages HTTP Header Logging Request to Change the Category for a URL Troubleshoot URL Filtering Problems Activating Advanced URL Filtering PAN-DB Cloud Connectivity Issues URLs Classified as Not-Resolved Incorrect Categorization PAN-DB Private Cloud M-600 Appliance for PAN-DB Private Cloud Set Up the PAN-DB Private Cloud Configure the PAN-DB Private Cloud Configure the Firewalls to Access the PAN-DB Private Cloud Configure Authentication with Custom Certificates on the PAN-DB Private Cloud Enable SSL/TLS Handshake Inspection Quality of Service QoS Overview QoS Concepts QoS for Applications and Users QoS Policy QoS Profile QoS Classes QoS Priority Queuing QoS Bandwidth Management QoS Egress Interface QoS for Clear Text and Tunneled Traffic Configure QoS Configure QoS for a Virtual System Enforce QoS Based on DSCP Classification QoS Use Cases Use Case: QoS for a Single User Use Case: QoS for Voice and Video Applications VPNs VPN Deployments Site-to-Site VPN Overview Site-to-Site VPN Concepts IKE Gateway Tunnel Interface Tunnel Monitoring Internet Key Exchange (IKE) for VPN IKE Phase 1 IKE Phase 2 Methods of Securing IPSec VPN Tunnels (IKE Phase 2) IKEv2 Liveness Check Cookie Activation Threshold and Strict Cookie Validation Traffic Selectors Hash and URL Certificate Exchange SA Key Lifetime and Re-Authentication Interval Set Up Site-to-Site VPN Set Up an IKE Gateway Export a Certificate for a Peer to Access Using Hash and URL Import a Certificate for IKEv2 Gateway Authentication Change the Key Lifetime or Authentication Interval for IKEv2 Change the Cookie Activation Threshold for IKEv2 Configure IKEv2 Traffic Selectors Define Cryptographic Profiles Define IKE Crypto Profiles Define IPSec Crypto Profiles Set Up an IPSec Tunnel Set Up Tunnel Monitoring Define a Tunnel Monitoring Profile View the Status of the Tunnels Enable/Disable, Refresh or Restart an IKE Gateway or IPSec 
Tunnel Enable or Disable an IKE Gateway or IPSec Tunnel Refresh and Restart Behaviors Refresh or Restart an IKE Gateway or IPSec Tunnel Test VPN Connectivity Interpret VPN Error Messages Site-to-Site VPN Quick Configs Site-to-Site VPN with Static Routing Site-to-Site VPN with OSPF Site-to-Site VPN with Static and Dynamic Routing Large Scale VPN (LSVPN) LSVPN Overview Create Interfaces and Zones for the LSVPN Enable SSL Between GlobalProtect LSVPN Components About Certificate Deployment Deploy Server Certificates to the GlobalProtect LSVPN Components Deploy Client Certificates to the GlobalProtect Satellites Using SCEP Configure the Portal to Authenticate Satellites Configure GlobalProtect Gateways for LSVPN Configure the GlobalProtect Portal for LSVPN GlobalProtect Portal for LSVPN Prerequisite Tasks Configure the Portal Define the Satellite Configurations Prepare the Satellite to Join the LSVPN Verify the LSVPN Configuration LSVPN Quick Configs Basic LSVPN Configuration with Static Routing Advanced LSVPN Configuration with Dynamic Routing Advanced LSVPN Configuration with iBGP Policy Policy Types Security Policy Components of a Security Policy Rule Security Policy Actions Create a Security Policy Rule Policy Objects Security Profiles Create a Security Profile Group Set Up or Override a Default Security Profile Group Track Rules Within a Rulebase Enforce Policy Rule Description, Tag, and Audit Comment Move or Clone a Policy Rule or Object to a Different Virtual System Use an Address Object to Represent IP Addresses Address Objects Create an Address Object Use Tags to Group and Visually Distinguish Objects Create and Apply Tags Modify Tags View Rules by Tag Group Use an External Dynamic List in Policy External Dynamic List Formatting Guidelines for an External Dynamic List IP Address List Domain List URL List Built-in External Dynamic Lists Configure the Firewall to Access an External Dynamic List Configure the Firewall to Access an External Dynamic List from the 
EDL Hosting Service Create an External Dynamic List Using the EDL Hosting Service Convert the GlobalSign Root R1 Certificate to PEM Format Retrieve an External Dynamic List from the Web Server View External Dynamic List Entries Exclude Entries from an External Dynamic List Enforce Policy on an External Dynamic List Find External Dynamic Lists That Failed Authentication Disable Authentication for an External Dynamic List Register IP Addresses and Tags Dynamically Use Dynamic User Groups in Policy Use Auto-Tagging to Automate Security Actions Monitor Changes in the Virtual Environment Enable VM Monitoring to Track Changes on the Virtual Network Attributes Monitored on Virtual Machines in Cloud Platforms Use Dynamic Address Groups in Policy CLI Commands for Dynamic IP Addresses and Tags Enforce Policy on Endpoints and Users Behind an Upstream Device Collect XFF Values for User-ID Use XFF IP Address Values in Security Policy and Logging Use the IP Address in the XFF Header to Troubleshoot Events Policy-Based Forwarding PBF Egress Path and Symmetric Return Path Monitoring for PBF Service Versus Applications in PBF Create a Policy-Based Forwarding Rule Use Case: PBF for Outbound Access with Dual ISPs Application Override Policy Test Policy Rules Virtual Systems Virtual Systems Overview Virtual System Components and Segmentation Benefits of Virtual Systems Use Cases for Virtual Systems Platform Support and Licensing for Virtual Systems Administrative Roles for Virtual Systems Shared Objects for Virtual Systems Communication Between Virtual Systems Inter-VSYS Traffic That Must Leave the Firewall Inter-VSYS Traffic That Remains Within the Firewall External Zone External Zones and Security Policies For Traffic Within a Firewall Inter-VSYS Communication Uses Two Sessions Shared Gateway External Zones and Shared Gateway Networking Considerations for a Shared Gateway Configure Virtual Systems Configure Inter-Virtual System Communication within the Firewall Configure a Shared 
Gateway Customize Service Routes for a Virtual System Customize Service Routes to Services for Virtual Systems Configure a PA-7000 Series Firewall for Logging Per Virtual System Configure a PA-7000 Series LPC for Logging per Virtual System Configure a PA-7000 Series LFC for Logging per Virtual System Configure Administrative Access Per Virtual System or Firewall Virtual System Functionality with Other Features Zone Protection and DoS Protection Network Segmentation Using Zones How Do Zones Protect the Network? Zone Defense Zone Defense Tools How Do the Zone Defense Tools Work? Firewall Placement for DoS Protection Baseline CPS Measurements for Setting Flood Thresholds CPS Measurements to Take How to Measure CPS Zone Protection Profiles Flood Protection Reconnaissance Protection Packet-Based Attack Protection Protocol Protection Ethernet SGT Protection Packet Buffer Protection DoS Protection Profiles and Policy Rules Classified Versus Aggregate DoS Protection DoS Protection Profiles DoS Protection Policy Rules Configure Zone Protection to Increase Network Security Configure Reconnaissance Protection Configure Packet Based Attack Protection Configure Protocol Protection Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces Configure Packet Buffer Protection Configure Packet Buffer Protection Based on Latency Configure Ethernet SGT Protection DoS Protection Against Flooding of New Sessions Multiple-Session DoS Attack Single-Session DoS Attack Configure DoS Protection Against Flooding of New Sessions End a Single Session DoS Attack Identify Sessions That Use Too Much of the On-Chip Packet Descriptor Discard a Session Without a Commit Certifications Enable FIPS and Common Criteria Support Access the Maintenance Recovery Tool (MRT) Change the Operational Mode to FIPS-CC Mode FIPS-CC Security Functions Scrub the Swap Memory on Firewalls or Appliances Running in 
FIPS-CC Mode
WildFire Inline ML Configure WildFire Inline ML Set Up File Blocking Prevent Brute Force Attacks Customize the Action and Trigger Conditions for a Brute Force Signature Enable Evasion Signatures Monitor Blocked IP Addresses Threat Signature Categories Create Threat Exceptions Custom Signatures Monitor and Get Threat Reports Monitor Activity and Create Custom Reports Based on Threat Categories Learn More About Threat Signatures AutoFocus Threat Intelligence for Network Traffic AutoFocus Intelligence Summary Enable AutoFocus Threat Intelligence View and Act on AutoFocus Intelligence Summary Data Share Threat Intelligence with Palo Alto Networks Threat Prevention Resources Decryption Decryption Overview Decryption Concepts Keys and Certificates for Decryption Policies SSL Forward Proxy SSL Forward Proxy Decryption Profile SSL Inbound Inspection SSL Inbound Inspection Decryption Profile SSL Protocol Settings Decryption Profile SSH Proxy SSH Proxy Decryption Profile Profile for No Decryption SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates Perfect Forward Secrecy (PFS) Support for SSL Decryption SSL Decryption and Subject Alternative Names (SANs) TLSv1.3 Decryption High Availability Not Supported for Decrypted Sessions Decryption Mirroring Prepare to Deploy Decryption Work with Stakeholders to Develop a Decryption Deployment Strategy Develop a PKI Rollout Plan Size the Decryption Firewall Deployment Plan a Staged, Prioritized Deployment Define Traffic to Decrypt Create a Decryption Profile Create a Decryption Policy Rule Configure SSL Forward Proxy Configure SSL Inbound Inspection Configure SSH Proxy Configure Server Certificate Verification for Undecrypted Traffic Decryption Exclusions Palo Alto Networks Predefined Decryption Exclusions Exclude a Server from Decryption for Technical Reasons Local Decryption Exclusion Cache Create a Policy-Based Decryption Exclusion Block Private Key Export Generate a Private Key and Block It Import a Private Key and 
Block It Import a Private Key for IKE Gateway and Block It Verify Private Key Blocking Enable Users to Opt Out of SSL Decryption Temporarily Disable SSL Decryption Configure Decryption Port Mirroring Verify Decryption Troubleshoot and Monitor Decryption Decryption Application Command Center Widgets Decryption Log Configure Decryption Logging Decryption Log Errors, Error Indexes, and Bitmasks Repair Incomplete Certificate Chains Custom Report Templates for Decryption Unsupported Parameters by Proxy Type and TLS Version Decryption Troubleshooting Workflow Examples Investigate Decryption Failure Reasons Troubleshoot Unsupported Cipher Suites Identify Weak Protocols and Cipher Suites Identify Untrusted CA Certificates Troubleshoot Expired Certificates Troubleshoot Revoked Certificates Troubleshoot Pinned Certificates Activate Free Licenses for Decryption Features URL Filtering About Palo Alto Networks URL Filtering Solution How Advanced URL Filtering Works URL Filtering Inline ML URL Filtering Use Cases URL Categories Security-Focused URL Categories Malicious URL Categories Verified URL Categories Policy Actions You Can Take Based on URL Categories Plan Your URL Filtering Deployment URL Filtering Best Practices Activate The Advanced URL Filtering Subscription Configure URL Filtering Test URL Filtering Configuration Configure URL Filtering Inline ML Monitor Web Activity Monitor Web Activity of Network Users View the User Activity Report Configure Custom URL Filtering Reports Log Only the Page a User Visits Create a Custom URL Category URL Category Exceptions Use an External Dynamic List in a URL Filtering Profile Allow Password Access to Certain Sites Prevent Credential Phishing Methods to Check for Corporate Credential Submissions Configure Credential Detection with the Windows User-ID Agent Set Up Credential Phishing Prevention Safe Search Enforcement Safe Search Settings for Search Providers Block Search Results When Strict Safe Search Is Not Enabled Transparently 
Enable Safe Search for Users URL Filtering Response Pages Customize the URL Filtering Response Pages HTTP Header Logging Request to Change the Category for a URL Troubleshoot URL Filtering Problems Activating Advanced URL Filtering PAN-DB Cloud Connectivity Issues URLs Classified as Not-Resolved Incorrect Categorization PAN-DB Private Cloud M-600 Appliance for PAN-DB Private Cloud Set Up the PAN-DB Private Cloud Configure the PAN-DB Private Cloud Configure the Firewalls to Access the PAN-DB Private Cloud Configure Authentication with Custom Certificates on the PAN-DB Private Cloud Enable SSL/TLS Handshake Inspection Quality of Service QoS Overview QoS Concepts QoS for Applications and Users QoS Policy QoS Profile QoS Classes QoS Priority Queuing QoS Bandwidth Management QoS Egress Interface QoS for Clear Text and Tunneled Traffic Configure QoS Configure QoS for a Virtual System Enforce QoS Based on DSCP Classification QoS Use Cases Use Case: QoS for a Single User Use Case: QoS for Voice and Video Applications VPNs VPN Deployments Site-to-Site VPN Overview Site-to-Site VPN Concepts IKE Gateway Tunnel Interface Tunnel Monitoring Internet Key Exchange (IKE) for VPN IKE Phase 1 IKE Phase 2 Methods of Securing IPSec VPN Tunnels (IKE Phase 2) IKEv2 Liveness Check Cookie Activation Threshold and Strict Cookie Validation Traffic Selectors Hash and URL Certificate Exchange SA Key Lifetime and Re-Authentication Interval Set Up Site-to-Site VPN Set Up an IKE Gateway Export a Certificate for a Peer to Access Using Hash and URL Import a Certificate for IKEv2 Gateway Authentication Change the Key Lifetime or Authentication Interval for IKEv2 Change the Cookie Activation Threshold for IKEv2 Configure IKEv2 Traffic Selectors Define Cryptographic Profiles Define IKE Crypto Profiles Define IPSec Crypto Profiles Set Up an IPSec Tunnel Set Up Tunnel Monitoring Define a Tunnel Monitoring Profile View the Status of the Tunnels Enable/Disable, Refresh or Restart an IKE Gateway or IPSec 
Tunnel Enable or Disable an IKE Gateway or IPSec Tunnel Refresh and Restart Behaviors Refresh or Restart an IKE Gateway or IPSec Tunnel Test VPN Connectivity Interpret VPN Error Messages Site-to-Site VPN Quick Configs Site-to-Site VPN with Static Routing Site-to-Site VPN with OSPF Site-to-Site VPN with Static and Dynamic Routing Large Scale VPN (LSVPN) LSVPN Overview Create Interfaces and Zones for the LSVPN Enable SSL Between GlobalProtect LSVPN Components About Certificate Deployment Deploy Server Certificates to the GlobalProtect LSVPN Components Deploy Client Certificates to the GlobalProtect Satellites Using SCEP Configure the Portal to Authenticate Satellites Configure GlobalProtect Gateways for LSVPN Configure the GlobalProtect Portal for LSVPN GlobalProtect Portal for LSVPN Prerequisite Tasks Configure the Portal Define the Satellite Configurations Prepare the Satellite to Join the LSVPN Verify the LSVPN Configuration LSVPN Quick Configs Basic LSVPN Configuration with Static Routing Advanced LSVPN Configuration with Dynamic Routing Advanced LSVPN Configuration with iBGP Policy Policy Types Security Policy Components of a Security Policy Rule Security Policy Actions Create a Security Policy Rule Policy Objects Security Profiles Create a Security Profile Group Set Up or Override a Default Security Profile Group Track Rules Within a Rulebase Enforce Policy Rule Description, Tag, and Audit Comment Move or Clone a Policy Rule or Object to a Different Virtual System Use an Address Object to Represent IP Addresses Address Objects Create an Address Object Use Tags to Group and Visually Distinguish Objects Create and Apply Tags Modify Tags View Rules by Tag Group Use an External Dynamic List in Policy External Dynamic List Formatting Guidelines for an External Dynamic List IP Address List Domain List URL List Built-in External Dynamic Lists Configure the Firewall to Access an External Dynamic List Configure the Firewall to Access an External Dynamic List from the 
EDL Hosting Service Create an External Dynamic List Using the EDL Hosting Service Convert the GlobalSign Root R1 Certificate to PEM Format Retrieve an External Dynamic List from the Web Server View External Dynamic List Entries Exclude Entries from an External Dynamic List Enforce Policy on an External Dynamic List Find External Dynamic Lists That Failed Authentication Disable Authentication for an External Dynamic List Register IP Addresses and Tags Dynamically Use Dynamic User Groups in Policy Use Auto-Tagging to Automate Security Actions Monitor Changes in the Virtual Environment Enable VM Monitoring to Track Changes on the Virtual Network Attributes Monitored on Virtual Machines in Cloud Platforms Use Dynamic Address Groups in Policy CLI Commands for Dynamic IP Addresses and Tags Enforce Policy on Endpoints and Users Behind an Upstream Device Collect XFF Values for User-ID Use XFF IP Address Values in Security Policy and Logging Use the IP Address in the XFF Header to Troubleshoot Events Policy-Based Forwarding PBF Egress Path and Symmetric Return Path Monitoring for PBF Service Versus Applications in PBF Create a Policy-Based Forwarding Rule Use Case: PBF for Outbound Access with Dual ISPs Application Override Policy Test Policy Rules Virtual Systems Virtual Systems Overview Virtual System Components and Segmentation Benefits of Virtual Systems Use Cases for Virtual Systems Platform Support and Licensing for Virtual Systems Administrative Roles for Virtual Systems Shared Objects for Virtual Systems Communication Between Virtual Systems Inter-VSYS Traffic That Must Leave the Firewall Inter-VSYS Traffic That Remains Within the Firewall External Zone External Zones and Security Policies For Traffic Within a Firewall Inter-VSYS Communication Uses Two Sessions Shared Gateway External Zones and Shared Gateway Networking Considerations for a Shared Gateway Configure Virtual Systems Configure Inter-Virtual System Communication within the Firewall Configure a Shared 
Gateway Customize Service Routes for a Virtual System Customize Service Routes to Services for Virtual Systems Configure a PA-7000 Series Firewall for Logging Per Virtual System Configure a PA-7000 Series LPC for Logging per Virtual System Configure a PA-7000 Series LFC for Logging per Virtual System Configure Administrative Access Per Virtual System or Firewall Virtual System Functionality with Other Features Zone Protection and DoS Protection Network Segmentation Using Zones How Do Zones Protect the Network? Zone Defense Zone Defense Tools How Do the Zone Defense Tools Work? Firewall Placement for DoS Protection Baseline CPS Measurements for Setting Flood Thresholds CPS Measurements to Take How to Measure CPS Zone Protection Profiles Flood Protection Reconnaissance Protection Packet-Based Attack Protection Protocol Protection Ethernet SGT Protection Packet Buffer Protection DoS Protection Profiles and Policy Rules Classified Versus Aggregate DoS Protection DoS Protection Profiles DoS Protection Policy Rules Configure Zone Protection to Increase Network Security Configure Reconnaissance Protection Configure Packet Based Attack Protection Configure Protocol Protection Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces Configure Packet Buffer Protection Configure Packet Buffer Protection Based on Latency Configure Ethernet SGT Protection DoS Protection Against Flooding of New Sessions Multiple-Session DoS Attack Single-Session DoS Attack Configure DoS Protection Against Flooding of New Sessions End a Single Session DoS Attack Identify Sessions That Use Too Much of the On-Chip Packet Descriptor Discard a Session Without a Commit Certifications Enable FIPS and Common Criteria Support Access the Maintenance Recovery Tool (MRT) Change the Operational Mode to FIPS-CC Mode FIPS-CC Security Functions Scrub the Swap Memory on Firewalls or Appliances Running in 
Tunnel Enable or Disable an IKE Gateway or IPSec Tunnel Refresh and Restart Behaviors Refresh or Restart an IKE Gateway or IPSec Tunnel Test VPN Connectivity Interpret VPN Error Messages Site-to-Site VPN Quick Configs Site-to-Site VPN with Static Routing Site-to-Site VPN with OSPF Site-to-Site VPN with Static and Dynamic Routing Large Scale VPN (LSVPN) LSVPN Overview Create Interfaces and Zones for the LSVPN Enable SSL Between GlobalProtect LSVPN Components About Certificate Deployment Deploy Server Certificates to the GlobalProtect LSVPN Components Deploy Client Certificates to the GlobalProtect Satellites Using SCEP Configure the Portal to Authenticate Satellites Configure GlobalProtect Gateways for LSVPN Configure the GlobalProtect Portal for LSVPN GlobalProtect Portal for LSVPN Prerequisite Tasks Configure the Portal Define the Satellite Configurations Prepare the Satellite to Join the LSVPN Verify the LSVPN Configuration LSVPN Quick Configs Basic LSVPN Configuration with Static Routing Advanced LSVPN Configuration with Dynamic Routing Advanced LSVPN Configuration with iBGP Policy Policy Types Security Policy Components of a Security Policy Rule Security Policy Actions Create a Security Policy Rule Policy Objects Security Profiles Create a Security Profile Group Set Up or Override a Default Security Profile Group Track Rules Within a Rulebase Enforce Policy Rule Description, Tag, and Audit Comment Move or Clone a Policy Rule or Object to a Different Virtual System Use an Address Object to Represent IP Addresses Address Objects Create an Address Object Use Tags to Group and Visually Distinguish Objects Create and Apply Tags Modify Tags View Rules by Tag Group Use an External Dynamic List in Policy External Dynamic List Formatting Guidelines for an External Dynamic List IP Address List Domain List URL List Built-in External Dynamic Lists Configure the Firewall to Access an External Dynamic List Configure the Firewall to Access an External Dynamic List from the 
EDL Hosting Service Create an External Dynamic List Using the EDL Hosting Service Convert the GlobalSign Root R1 Certificate to PEM Format Retrieve an External Dynamic List from the Web Server View External Dynamic List Entries Exclude Entries from an External Dynamic List Enforce Policy on an External Dynamic List Find External Dynamic Lists That Failed Authentication Disable Authentication for an External Dynamic List Register IP Addresses and Tags Dynamically Use Dynamic User Groups in Policy Use Auto-Tagging to Automate Security Actions Monitor Changes in the Virtual Environment Enable VM Monitoring to Track Changes on the Virtual Network Attributes Monitored on Virtual Machines in Cloud Platforms Use Dynamic Address Groups in Policy CLI Commands for Dynamic IP Addresses and Tags Enforce Policy on Endpoints and Users Behind an Upstream Device Collect XFF Values for User-ID Use XFF IP Address Values in Security Policy and Logging Use the IP Address in the XFF Header to Troubleshoot Events Policy-Based Forwarding PBF Egress Path and Symmetric Return Path Monitoring for PBF Service Versus Applications in PBF Create a Policy-Based Forwarding Rule Use Case: PBF for Outbound Access with Dual ISPs Application Override Policy Test Policy Rules Virtual Systems Virtual Systems Overview Virtual System Components and Segmentation Benefits of Virtual Systems Use Cases for Virtual Systems Platform Support and Licensing for Virtual Systems Administrative Roles for Virtual Systems Shared Objects for Virtual Systems Communication Between Virtual Systems Inter-VSYS Traffic That Must Leave the Firewall Inter-VSYS Traffic That Remains Within the Firewall External Zone External Zones and Security Policies For Traffic Within a Firewall Inter-VSYS Communication Uses Two Sessions Shared Gateway External Zones and Shared Gateway Networking Considerations for a Shared Gateway Configure Virtual Systems Configure Inter-Virtual System Communication within the Firewall Configure a Shared 
Gateway Customize Service Routes for a Virtual System Customize Service Routes to Services for Virtual Systems Configure a PA-7000 Series Firewall for Logging Per Virtual System Configure a PA-7000 Series LPC for Logging per Virtual System Configure a PA-7000 Series LFC for Logging per Virtual System Configure Administrative Access Per Virtual System or Firewall Virtual System Functionality with Other Features Zone Protection and DoS Protection Network Segmentation Using Zones How Do Zones Protect the Network? Zone Defense Zone Defense Tools How Do the Zone Defense Tools Work? Firewall Placement for DoS Protection Baseline CPS Measurements for Setting Flood Thresholds CPS Measurements to Take How to Measure CPS Zone Protection Profiles Flood Protection Reconnaissance Protection Packet-Based Attack Protection Protocol Protection Ethernet SGT Protection Packet Buffer Protection DoS Protection Profiles and Policy Rules Classified Versus Aggregate DoS Protection DoS Protection Profiles DoS Protection Policy Rules Configure Zone Protection to Increase Network Security Configure Reconnaissance Protection Configure Packet Based Attack Protection Configure Protocol Protection Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces Configure Packet Buffer Protection Configure Packet Buffer Protection Based on Latency Configure Ethernet SGT Protection DoS Protection Against Flooding of New Sessions Multiple-Session DoS Attack Single-Session DoS Attack Configure DoS Protection Against Flooding of New Sessions End a Single Session DoS Attack Identify Sessions That Use Too Much of the On-Chip Packet Descriptor Discard a Session Without a Commit Certifications Enable FIPS and Common Criteria Support Access the Maintenance Recovery Tool (MRT) Change the Operational Mode to FIPS-CC Mode FIPS-CC Security Functions Scrub the Swap Memory on Firewalls or Appliances Running in 
Use Dynamic User Groups in Policy

Learn how to configure dynamic user groups and use them for policy enforcement.

Dynamic user groups help you create policy that provides auto-remediation for anomalous user behavior and malicious activity while maintaining user visibility. After you create the group and commit the changes, the firewall registers the users and associated tags, then automatically updates the dynamic user group's membership. Because updates to dynamic user group membership are automatic, using dynamic user groups instead of static group objects allows you to respond to changes in user behavior or potential threats without manual policy changes.

To determine which users to include as members, a dynamic user group uses tags as filtering criteria. As soon as a user matches the filtering criteria, that user becomes a member of the dynamic user group. The tag-based filter uses the logical operators AND and OR. Each tag is a metadata element or attribute-value pair that you register on the source statically or dynamically. Static tags are part of the firewall configuration, while dynamic tags are part of the runtime configuration. As a result, you don't need to commit updates to dynamic tags if they are already associated with a policy that you have committed on the firewall. To dynamically register tags, you can use:

- the XML API
- the User-ID agent
- Panorama
- the web interface on the firewall

The firewall redistributes the tags for the dynamic user group to the next hop, that is, to the listening redistribution agents: other firewalls, Panorama or a Dedicated Log Collector, as well as Cortex applications. To support redistribution of dynamic user group tags, every firewall that receives the tags from the registration sources must run PAN-OS 9.1 or later, the release that introduced dynamic user groups. You can also configure log forwarding to send the logs to a specific server.
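The XML API is the registration method most often used from automation (a SIEM or SOAR playbook, for example). The following Python script is an added example, not code from the PAN-OS documentation: it builds the User-ID payload that registers and unregisters user-to-tag mappings, shows how the per-tag timeout is expressed, and checks the API response instead of assuming success. It assumes the firewall's XML API is reachable at https://<host>/api/ with an API key whose admin role may use the User-ID API, that the `<uid-message>` payload with `<register-user>` / `<unregister-user>` entries and a per-member `timeout` attribute in seconds is accepted by your PAN-OS release, and that the `X-PAN-KEY` header is accepted for the key. The sample responses are constructed for the offline checks.

```python
"""Register and unregister dynamic user group tags through the PAN-OS XML API.

Added example, not code from the PAN-OS documentation. Assumptions:
  - the firewall's XML API is reachable at https://<host>/api/ and an API key
    exists for an admin role that is allowed to use the User-ID API;
  - the User-ID payload shape (<uid-message> carrying <register-user> /
    <unregister-user> entries) and the per-member "timeout" attribute, which
    the API takes in seconds (the web interface's Timeout field is in minutes);
  - the X-PAN-KEY request header is accepted for the API key.
build_uid_message() and parse_response() run offline; send_uid_message() needs a firewall.
"""
from __future__ import annotations

import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(register: dict[str, list[str]] | None = None,
                      unregister: dict[str, list[str]] | None = None,
                      timeout: int | None = None) -> str:
    """Build a uid-message that registers and/or unregisters user-to-tag mappings.

    register / unregister map a user name as the firewall knows it (for example
    "acme\\alice") to the tags to add or remove. timeout is applied to every
    registered tag; None leaves the tag in place until it is unregistered,
    which is what the web interface's default Timeout of 0 means.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for element, mapping in (("register-user", register), ("unregister-user", unregister)):
        if not mapping:
            continue
        section = ET.SubElement(payload, element)
        for user, tags in mapping.items():
            entry = ET.SubElement(section, "entry", user=user)
            tag_list = ET.SubElement(entry, "tag")
            for tag in tags:
                member = ET.SubElement(tag_list, "member")
                member.text = tag
                if element == "register-user" and timeout is not None:
                    member.set("timeout", str(timeout))
    return ET.tostring(root, encoding="unicode")


def parse_response(body: str) -> tuple[bool, str]:
    """Return (ok, message) for an XML API response body.

    Only status="success" counts as success; a well-formed error document such
    as a rejected tag name or an unauthorized key is reported, not swallowed.
    """
    root = ET.fromstring(body)
    msg = root.find(".//msg")
    text = "".join(msg.itertext()).strip() if msg is not None else ""
    return root.get("status") == "success", text


def send_uid_message(host: str, api_key: str, uid_xml: str,
                     cafile: str | None = None) -> tuple[bool, str]:
    """POST the uid-message to the user-id API endpoint.

    The key travels in the X-PAN-KEY header instead of the query string so it
    is not written to proxy or web-server access logs, and certificate
    verification stays on: pass the CA that issued the management-interface
    certificate as cafile rather than disabling checks.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    data = urllib.parse.urlencode({"type": "user-id", "cmd": uid_xml}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=data, method="POST",
                                 headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_response(resp.read().decode())


# Constructed sample responses for the offline checks; real responses carry more detail.
SAMPLE_OK = '<response status="success"><result>ok</result></response>'
SAMPLE_ERR = ('<response status="error" code="403"><result><msg>Invalid Credential</msg>'
              '</result></response>')

if __name__ == "__main__":
    # Quarantine alice for one hour and drop a stale tag from bob in one update.
    print(build_uid_message(register={"acme\\alice": ["quarantine"]},
                            unregister={"acme\\bob": ["quarantine"]}, timeout=3600))
```

Because dynamic tags are runtime state, no commit follows the call; the user appears in the group as soon as the registration is processed, and disappears again when the timeout expires or an `<unregister-user>` entry removes the tag. Use the user name format the firewall already maps (domain\user), otherwise the tag lands on a name that never matches any session.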
Log forwarding also allows you to use auto-tagging to automatically add or remove members of dynamic user groups based on events in the logs.

Step 1. Select Objects > Dynamic User Groups and Add a new dynamic user group.

Step 2. Define the membership of the dynamic user group.
   a. Enter a Name for the group.
   b. (Optional) Enter a Description for the group.
   c. Add Match Criteria using dynamic tags to define the members of the dynamic user group. (Optional) Combine the tags with the And or Or operators to build the filter, then click OK.
   d. (Optional) Select the Tags you want to assign to the group itself. These tags display in the Tags column of the Dynamic User Group list and label the group object, not the members of the group.
   e. Click OK and Commit your changes. If you later change the group's match criteria, you must commit again to update the configuration; tag registrations themselves do not require a commit.

Step 3. Depending on the log information that you want to use as match criteria, configure auto-tagging by creating a log forwarding profile or configuring the log settings.
   - For Authentication, Data, Threat, Traffic, Tunnel Inspection, URL, and WildFire logs, create a log forwarding profile.
   - For User-ID, GlobalProtect, and IP-Tag logs, configure the log settings.
   - (Optional) To return dynamic user group members to their original groups after a specific duration of time, enter a Timeout value in minutes (default is 0, range is 0-43200; 0 keeps the tag until it is unregistered).

Step 4. Use the dynamic user group in a policy to regulate traffic for the members of the group. You need at least two rules: one that allows the initial traffic so that its logs populate the dynamic user group, and one that denies the activity you want to prevent. The firewall evaluates security rules top-down and applies the first match, so the deny rule must sit above the allow rule (that is, the allow rule must have a higher rule number in your rulebase than the deny rule); otherwise a user who has been tagged still matches the allow rule first and is never blocked.
   a. Create the rule that denies traffic: select the dynamic user group from Step 1 as the Source User and set the Action to deny the traffic.
   b. Create the rule that allows the traffic whose logs populate the dynamic user group.
   c. If you configured a Log Forwarding profile in Step 3, select it in the allow rule so that the logs generated by the allowed traffic trigger the auto-tagging.
   d. Commit your changes.

Step 5. (Optional) Refine the group's membership and define the registration source for the user-to-tag mapping updates. If the initial user-to-tag mapping retrieves users who should not be members, or omits users who should be, modify the members of the group to include the users for whom you want to enforce the policy and specify the source for the mappings.
   a. In the Users column, select more.
   b. Register Users to add them to the group and select the Registration Source for the tags and user-to-tag mappings:
      - Local (Default): Register the tags and mappings for the dynamic user group members locally on the firewall.
      - Panorama User-ID Agent: Register the tags and mappings for the dynamic user group members on a User-ID agent connected to Panorama. If the dynamic user group originates from Panorama, the row displays in yellow and the group name, description, match criteria, and tags are read-only; you can still register or unregister users from the group.
      - Remote device User-ID Agent: Register the tags and mappings for the dynamic user group members on a remote User-ID agent. To select this option, you must first configure an HTTP server profile.
   c. Select the Tags you want to register on the source, using the tag(s) you used to configure the group's match criteria.
   d. (Optional) To return dynamic user group members to their original groups after a specific duration of time, enter a Timeout value in minutes (default is 0, range is 0-43200).
   e. Add or Delete users as necessary.
   f. (Optional) Unregister Users to remove their tags and user-to-tag mappings.

Step 6. Verify that the firewall correctly populates the users in the dynamic user group.
   - Confirm that the Dynamic User Group column in the Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Tunnel Inspection logs displays the dynamic user groups correctly.
   - Use the show user group list dynamic command to display a list of all dynamic user groups and the total number of dynamic user groups.
   - Use the show object registered-user all command to display the users who are registered members of dynamic user groups.
   - Use the show user group name <group-name> command to display information about a specific dynamic user group, such as its source type.
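The rule-order requirement in Step 4 is the part of this procedure that most often goes wrong, because a rulebase with the allow rule above the deny rule commits cleanly and simply never blocks anyone. The following Python model is an added example, not code from the PAN-OS documentation: it reproduces the firewall's top-down, first-match evaluation together with the auto-tagging loop from Steps 3 and 4 (allowed session is logged, the log forwarding profile registers a tag, the tag satisfies the group's match criteria, the next session hits the deny rule) and includes a check you can run over an exported rulebase. The rule names, the group name dug-quarantine, the tag name quarantine and the profile name are assumptions.

```python
"""Rule order for a dynamic user group: the deny rule must precede the allow rule.

Added example, not code from the PAN-OS documentation. It models top-down,
first-match rule evaluation plus the auto-tagging loop: a session matching the
allow rule is logged, the rule's log forwarding profile registers a tag on the
user, the tag satisfies the dynamic user group's match criteria, and the user's
next session must then hit the deny rule. Rule, group, tag and profile names
are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Dynamic user group name -> the single tag its match criteria require (assumption).
GROUPS = {"dug-quarantine": "quarantine"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    source_user: str                   # "any", a user name or a dynamic user group
    log_forwarding: str | None = None  # log forwarding profile attached to the rule
    tag_on_match: str | None = None    # tag that the profile's auto-tag action registers


def matches(rule: Rule, user: str, user_tags: dict[str, set[str]]) -> bool:
    """Source User matches on 'any', the literal user, or dynamic group membership."""
    if rule.source_user in ("any", user):
        return True
    required_tag = GROUPS.get(rule.source_user)
    return required_tag is not None and required_tag in user_tags.get(user, set())


def evaluate_session(rulebase: list[Rule], user: str,
                     user_tags: dict[str, set[str]]) -> str:
    """Apply the first matching rule, then that rule's auto-tagging side effect."""
    for rule in rulebase:
        if matches(rule, user, user_tags):
            if rule.action == "allow" and rule.log_forwarding and rule.tag_on_match:
                # The session is logged; the profile's built-in action tags the user.
                user_tags.setdefault(user, set()).add(rule.tag_on_match)
            return rule.action
    return "deny"  # implicit interzone default rule


def simulate(rulebase: list[Rule], user: str = "acme\\alice", sessions: int = 3) -> list[str]:
    """Verdicts for consecutive sessions from one user who starts untagged."""
    user_tags: dict[str, set[str]] = {}
    return [evaluate_session(rulebase, user, user_tags) for _ in range(sessions)]


def deny_precedes_allow(rulebase: list[Rule], group: str) -> bool:
    """Rulebase check: every deny rule scoped to the group must sit above (have a
    lower rule number than) every allow rule whose auto-tagging feeds the group."""
    deny_idx = [i for i, r in enumerate(rulebase)
                if r.action == "deny" and r.source_user == group]
    allow_idx = [i for i, r in enumerate(rulebase)
                 if r.action == "allow" and r.tag_on_match == GROUPS.get(group)]
    return bool(deny_idx) and bool(allow_idx) and max(deny_idx) < min(allow_idx)


DENY_RULE = Rule("block-quarantined-users", "deny", "dug-quarantine")
ALLOW_RULE = Rule("allow-and-tag", "allow", "any",
                  log_forwarding="lfp-quarantine", tag_on_match="quarantine")
CORRECT_ORDER = [DENY_RULE, ALLOW_RULE]  # deny has the lower rule number
WRONG_ORDER = [ALLOW_RULE, DENY_RULE]    # the allow rule shadows the deny rule forever

if __name__ == "__main__":
    print("correct order:", simulate(CORRECT_ORDER))  # ['allow', 'deny', 'deny']
    print("wrong order:  ", simulate(WRONG_ORDER))    # ['allow', 'allow', 'allow']
```

On a real firewall the registration is asynchronous, so a user may get one or two more allowed sessions before the tag lands; the model collapses that delay into the same session. The check only covers the ordering: it does not know whether the deny rule's zones, applications and services actually overlap with the traffic the allow rule admits, which you still verify with the logs in Step 6.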

© 2023 Palo Alto Networks, Inc. All rights reserved.