PCNSE
A Palo Alto Networks Certified Network Security Engineer (PCNSE) is capable of designing, deploying, configuring, maintaining, and troubleshooting the vast majority of Palo Alto Networks Operating Platform implementations.
Install the PA-VM-ESX-9.1.0 OVA file (the Palo Alto virtual appliance) in VMware Workstation.
The first network adapter is used for the management GUI.
Innovations of the Palo Alto Firewall are App-ID, User-ID, and Content-ID.
The only firewall to identify, control & inspect your SSL-encrypted traffic & applications.
It is also the only firewall with real-time content scanning to protect you against viruses.
CLI Access Modes
Operational Mode:
Use operational mode to view information about the firewall and the traffic running through it.
Use it to perform operations such as restarting, loading a configuration, or shutting down.
When you log in to the firewall, the Command Line Interface (CLI) opens in operational mode.
In Palo Alto firewall operational mode, the command prompt sign is the greater-than sign (>).
Configuration Mode:
Use configuration mode to view and modify the Palo Alto Firewall configuration.
You can switch between operational mode and configuration mode at any time.
The command prompt changes from > to #, indicating that you have successfully changed modes.
To switch from configuration mode back to operational mode, use either the quit or exit command.
To enter an operational mode command while in configuration mode, prefix it with the run command.
admin@PA-VM> show interface management | match gateway
Default gateway: 192.168.112.2
Ipv6 default gateway:
admin@PA-VM> configure
Entering configuration mode
[edit]
Lock Configurations
PA Firewall web interface supports multiple concurrent administrator sessions.
Lock the candidate or running configuration so that other administrators cannot make changes to it; they will not be able to change the candidate or running configuration until the lock is removed.
admin@PA-VM> request
> acknowledge Acknowledge alarm logs
> address-expansion address/address-group expansion handler.
> anti-virus Perform anti-virus upgrade operations
> api All API related operations
> authentication authentication
> certificate Manage certificates
> clear-commit-tasks Clear all commit tasks
> commit-lock commit-lock
> config-lock config-lock
> content Perform content upgrade operations
> data-filtering Perform data filtering related operations
> determine-new-applications Determine new applications in content
> device-block-list Manage Device Block Lists
> device-registration Device registration process
> dhcp Request to perform DHCP related actions
> disable-ztp Disable ztp
> dnsproxy Perform DNSproxy daemon functions
> get-application-status Get application status
> get-disabled-applications List disabled applications in content
> global-protect-client Perform GlobalProtect client package operations
> global-protect-clientless-vpn Perform Global protect VPN upgrade operations
> global-protect-gateway request to perform global-protect-gateway functions
> global-protect-portal request to perform global-protect-portal functions
> global-protect-satellite request to perform global-protect-satellite functions
> high-availability Perform HA operations
> hsm HSM operations
> last-acknowledge-time Last alarm acknowledgement time
> license Perform license related operations
> list-content-downloads List content downloads
> log-collector-forwarding log-collector-forwarding
> logging-service-forwarding logging-service-forwarding
> master-key Change masterkey
> panorama-connectivity-check check connectivity to panorama
> password-change-history Password History
> password-hash Generate password hash
> plugins Request information of plugins
> quota-enforcement Manually enforce disk quota enforcement for logs and pcaps
> resolve resolve address to ip address
> restart Restart the system or software modules
> set-application-status-recursive Set application status
> shutdown Shutdown the system or software modules
> stats Generate stats dump
> support Technical support information
> system Perform system-level operations
> tech-support Generate tech support dump
> telemetry-data Generate telemetry-data dump
> url-filtering Perform URL filtering related operations
> wf-private Perform WF-Private cloud upgrade operations
> wildfire Perform wildfire upgrade operations
DNS Server
DNS stands for Domain Name System (or Domain Name Server).
DNS resolves domain names to IP addresses and, through reverse lookups, IP addresses to domain names.
DNS names are assigned through Internet Registries by the IANA.
There are 13 root name servers, from a.root-servers.net to m.root-servers.net (https://root-servers.org).
DNS primarily uses User Datagram Protocol on port number 53 to serve requests.
DNS Records:
"A" Records are used for conversion of domain names to corresponding IP addresses.
AAAA record specifies the Internet Protocol (IPv6) address for a given host.
CNAME (Canonical Name) record: a nickname or secondary name for a host.
CNAME records in a DNS server are used to create aliases of domain names.
MX resource record specifies a Mail Exchange server for a DNS domain name.
SMTP servers use MX resource records to route email to the proper mail hosts.
PTR stands for Pointer Record; this is the opposite of an address record (A or AAAA).
Name Server (NS) The NS record specifies who the DNS servers are for the zone.
Start of Authority (SOA) The SOA record stores the settings for the DNS zone.
Update Server Represents the IP address or hostname of the server from which to download updates from Palo Alto Networks. The current value is updates.paloaltonetworks.com.
Verify Update Server Identity If you enable this option, the firewall will verify that the server from which the software or content package is downloaded has an SSL certificate signed by a trusted authority.
DNS Settings Choose the type of DNS service—Servers or DNS Proxy objects—for all DNS queries that the firewall initiates in support of FQDN address objects, logging, and firewall management.
Primary DNS Server Enter the IP address of the primary DNS server for DNS queries from the firewall.
Secondary DNS Server Enter the IP address of a secondary DNS server to use if the primary server is unavailable.
FQDN Refresh Time (sec) Enter the number of seconds after which the firewall refreshes an FQDN.
If the firewall needs to use a proxy server to reach Palo Alto Networks update services, enter the IP address or hostname of the proxy server and the port for the proxy server.
User: Enter the username used to authenticate to the proxy server. Password/Confirm Password: Enter and confirm the password that the firewall presents when accessing the proxy server.
NTP
NTP stands for Network Time Protocol. It allows network devices to synchronize clocks with central source clocks.
It makes sure logging information & timestamps have accurate times & dates.
NTP runs over User Datagram Protocol (UDP) port 123 and is used to maintain clock time.
A Network Time Protocol (NTP) server is also referred to as an NTP Master. Stratum defines the reliability and accuracy of the Network Time Protocol source.
NTP uses stratum levels 0 to 15 for NTP sources; stratum 1 is the most reliable and 15 is the worst.
Stratum 0 represents a reference clock (such as an atomic clock) and cannot be used as the stratum of any network device.
Strata 1 to 15 are valid levels; stratum 16 means the NTP client is not synchronized.
Syslog message timestamps use the device's own time.
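As an added example (not from the original notes or from Palo Alto Networks), the following Python decodes the NTP header fields the notes describe and applies the stratum rules above to decide whether a source is usable; the sample server reply is constructed inline, and the query function that talks to a real server over UDP/123 is only illustrative.

```python
import socket
import struct

NTP_PORT = 123                 # NTP runs over UDP port 123
NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def build_client_request() -> bytes:
    """48-byte NTPv4 request: LI=0, VN=4, Mode=3 (client); every other field zero."""
    return bytes([(0 << 6) | (4 << 3) | 3]) + bytes(47)


def parse_response(pkt: bytes) -> dict:
    """Decode leap indicator, version, mode, stratum and the transmit timestamp."""
    if len(pkt) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    li, vn, mode = pkt[0] >> 6, (pkt[0] >> 3) & 7, pkt[0] & 7
    stratum = pkt[1]
    tx_secs, tx_frac = struct.unpack("!II", pkt[40:48])   # transmit timestamp, 32.32 fixed point
    unix_time = tx_secs - NTP_UNIX_OFFSET + tx_frac / 2**32
    return {"li": li, "version": vn, "mode": mode, "stratum": stratum, "unix_time": unix_time}


def classify_source(stratum: int, li: int) -> str:
    """Apply the stratum rules from the notes (plus the RFC 5905 leap-indicator alarm, LI=3)."""
    if li == 3 or stratum == 16:
        return "reject: source is not synchronized"
    if stratum == 0:
        return "reject: stratum 0 is a reference clock, not a network NTP source"
    if 1 <= stratum <= 15:
        return f"usable: stratum {stratum} (1 is best, 15 is worst)"
    return "reject: invalid stratum"


def query(host: str, timeout: float = 2.0) -> dict:
    """Send one request to a real NTP server over UDP/123 (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_request(), (host, NTP_PORT))
        return parse_response(s.recvfrom(48)[0])


# Constructed server reply: LI=0, VN=4, Mode=4 (server), stratum 2, poll 6, precision -20,
# transmit timestamp = Unix time 1700000000.5 expressed in NTP seconds.
SAMPLE_RESPONSE = (
    bytes([0x24, 2, 6, 0xEC])
    + bytes(12)      # root delay, root dispersion, reference ID (zeroed in this sample)
    + bytes(24)      # reference, originate and receive timestamps (zeroed in this sample)
    + struct.pack("!II", 1700000000 + NTP_UNIX_OFFSET, 0x80000000)
)
```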
Licenses and Subscriptions:
Available licenses and subscriptions include the following:
Threat Prevention: Provides Antivirus, Anti-Spyware, and Vulnerability Protection.
Decryption Mirroring: Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures.
URL Filtering: Provides the ability to create a security policy that allows or blocks access to the web-based on dynamic URL categories.
Virtual Systems: This license is required to enable support for multiple virtual systems on PA-3000 Series firewalls. VM-Series firewalls do not support virtual systems.
WildFire: Although basic Wildfire support is included as part of the Threat Prevention license, the Wildfire subscription service provides enhanced services for organizations.
GlobalProtect: Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy Global Protect portals and gateways (without HIP checks) without a license.
If you want to use advanced Global Protect features (HIP checks and related content updates, the Global Protect Mobile App, IPv6 connections, or a Global Protect Clientless VPN) you will need a Global Protect license (subscription) for each gateway.
AutoFocus: Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the Autofocus portal.
STEP 1: Locate Activation Codes for Licenses Purchased.
When you purchased your subscriptions, you should have received an email from Palo Alto Networks customer service listing the activation code associated with each subscription. If you cannot locate this email, contact Customer Support to obtain your activation codes before you proceed.
STEP 2: Activate Support License.
You will not be able to update your PAN-OS software if you do not have a valid Support license.
1. Log in to the web interface and then select Device > Support.
2. Click Activate Support Using Authorization Code.
3. Enter your Authorization Code and then click OK.
STEP 3: Activate each License Purchased.
Select Device > Licenses and then activate your licenses and subscriptions in one of the following ways:
Retrieve License Keys from License Server—Use this option if you activated your license on the Customer Support portal.
Activate Feature using Authorization Code—Use this option to enable purchased subscriptions using an authorization code for licenses that have not been previously activated on the support portal. When prompted, enter the Authorization Code and then click OK.
Manually Upload License Key—Use this option if your firewall does not have connectivity to the Palo Alto Networks Customer Support Portal. In this case, you must download a license key file from the support site on an Internet connected computer and then upload it to the firewall.
STEP 4: Verify License Activation:
On the Device > Licenses page, verify that the license was successfully activated.
Dynamic Updates
Palo Alto Networks regularly posts updates for new & modified applications, threat protection, and Global Protect data files through dynamic updates. You can view the latest updates, read the release notes for each update, and then select the update you want to download and install.
Setting a schedule for dynamic updates allows you to define the frequency at which the firewall checks for and downloads or installs new updates.
Antivirus: Includes new and updated antivirus signatures, including Wildfire signatures.
Applications: Includes new and updated application signatures.
Global Protect Data File: Contains vendor-specific information for defining and evaluating host information profile (HIP) data returned by Global Protect apps.
Global Protect Clientless VPN: Contains new and updated application signatures to enable Clientless VPN access to common web applications from the Global Protect portal.
BrightCloud URL Filtering: Provides updates to the BrightCloud URL Filtering database only.
WildFire: Provides near real-time malware and antivirus signatures created as a result of the analysis done by the WildFire public cloud. WildFire signature updates are made available every 5 minutes.
In short, WildFire is Palo Alto's answer to the zero-day attack.
Say a user downloads a file or application for which the firewall has no App-ID or Content-ID signature. The firewall then forwards a sample of the file to the WildFire server (the public cloud or a locally hosted WildFire private cloud) for analysis.
After about 5-10 minutes the firewall receives a verdict for that file, which is one of the following:
Benign—The sample is safe.
Grayware—The sample does not pose a direct security threat but might display otherwise obtrusive behavior.
It includes adware, spyware, and Browser Helper Objects (BHOs).
Malicious—The sample is malware and poses a security threat.
Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets.
For files identified as malware, Wildfire generates and distributes a signature to prevent future exposure to the threat.
Note:
Phishing—The link directs users to a phishing site and poses a security threat.
Phishing sites are sites that attackers disguise as legitimate websites with the aim of stealing user information.
The Wildfire appliance does not support the phishing verdict and continues to classify these types of links as malicious.
Palo Alto is Next Generation Firewall
It works on OSI Layer 3 to 7
IP Header -- Layer 3
TCP/UDP Header -- Layer 4
Application Data -- Layer 7
Palo Alto Supports
1) App-ID: Signature, Protocol Decoder & Heuristics (application behavior)
2) HTTPS / SSH decryption Policy
3) Content Inspection (Data Filtering / data Leakage / Spyware/Virus)
4) URL Filtering: Can be done on the basis of web category or of a URL pattern such as www.rediff.com, www.rediff.x or x.rediff.com
5) Data Filtering
6) Zero Day Attack Protection
7) Antivirus, Anti spyware etc.
Features supported in Palo Alto
1) Stateful Firewall
2) Zone-Based Firewall: Logical grouping of physical & logical interfaces (sub-interface, loopback & tunnel)
3) Complete isolation between the Data Plane (data ports) and the Control Plane (management, i.e. only the console and management port), each with its own CPU, RAM & HDD.
Now resource utilization of one plane won't affect the other.
4) VPN Termination (IPsec Site2Site & Global Protect or Remote Access VPN)
5) Virtualization [Routing table Virtualization (Similar to VRF) through Virtual Router & Firewall Virtualization]
6) Advanced Routing (Static, Dynamic, BFD & PBF)
Policy-Based Forwarding (PBF)
Bidirectional Forwarding Detection (BFD) (RFC 5880), is a protocol that recognizes a failure in the bidirectional path between two routing peers.
7) High Availability
8) Logging, Monitoring, Reporting, Packet Capture
9) Centralized Management (PANORAMA)
10) Wild Fire Analysis
Telnet, SSH & Ping are all treated as applications by Palo Alto.
A TCP application needs the SYN (which carries only IP & port information), SYN-ACK & ACK before it sends any data, so the NGFW must wait for the first data packet to truly identify the application.
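To illustrate why the firewall cannot name the application from the handshake alone, here is an added Python example (not Palo Alto's code) that tracks one TCP flow and classifies it only once a data packet arrives; the signatures are constructed, simplified stand-ins for App-ID patterns, and the placeholder labels follow PAN-OS's incomplete and insufficient-data App-IDs.

```python
import re
from typing import List, Optional, Tuple

# Constructed, simplified signatures in the spirit of App-ID (not Palo Alto's real patterns).
SIGNATURES = {
    "ssh":          re.compile(rb"^SSH-\d\.\d-"),                      # SSH version banner
    "telnet":       re.compile(rb"^\xff[\xfb-\xfe]"),                  # IAC WILL/WONT/DO/DONT option negotiation
    "web-browsing": re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
}

HANDSHAKE = ["SYN", "SYN-ACK", "ACK"]


def match_signature(payload: bytes) -> Optional[str]:
    """Return the first signature that matches the start of the application data."""
    for app, pattern in SIGNATURES.items():
        if pattern.match(payload):
            return app
    return None


class Flow:
    """Tracks one TCP session: the 3-way handshake first, App-ID only on the first data packet."""
    def __init__(self) -> None:
        self.handshake: List[str] = []
        self.app = "incomplete"            # no decision possible until the handshake completes

    def observe(self, flags: str, payload: bytes = b"") -> str:
        if self.handshake != HANDSHAKE:
            self.handshake.append(flags)   # SYN / SYN-ACK / ACK carry only IP and port information
            if self.handshake == HANDSHAKE:
                self.app = "insufficient-data"   # handshake done, but nothing to inspect yet
            return self.app
        if payload and self.app == "insufficient-data":
            self.app = match_signature(payload) or "unknown-tcp"
        return self.app


def identify(packets: List[Tuple[str, bytes]]) -> List[str]:
    """Classification the firewall could give after each packet of a single flow."""
    flow = Flow()
    return [flow.observe(flags, payload) for flags, payload in packets]


# Constructed sample flows: three handshake packets with no payload, then the first data packet.
SSH_FLOW = [("SYN", b""), ("SYN-ACK", b""), ("ACK", b""), ("ACK", b"SSH-2.0-OpenSSH_8.9\r\n")]
TELNET_FLOW = [("SYN", b""), ("SYN-ACK", b""), ("ACK", b""), ("ACK", b"\xff\xfd\x18\xff\xfd\x20")]
HTTP_FLOW = [("SYN", b""), ("SYN-ACK", b""), ("ACK", b""), ("ACK", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")]
```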