Palo alto firewall
Palo alto is next gen firewall with user-id and app-id. Dynamic lists/feeds (EDL) for blocking malicious traffic and allowing trusted traffic like azure and CDNs etc.
It can do its inspections on north/south traffic and east/west traffic.
It has IPS, URL, wildfire (unknown threats).
DNS sinkhole (DNS protection)
Advanced logging with cortex datalake (take in multiple log sources and apply machine learning)
Platforms
- Virtual machines for public and private cloud (you control the VM)
- Prisma access (hosted cloud based firewall as a service)
- Physical devices (physical boxes to install on site)
https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations
SP3
Single pass simultaneous traffic inspection, classification and enforcement in one pass
Traffic
Control plane
Data plane
- Signature matching
- security and network processing
Management options
- Web interface HTTPS over the network or MGMT port
- CLI via SSH over the network or via console cable
- Panorama - centralized platform for managing multiple firewalls. Good for MSP. 6+ devices.
- API - XML REST based API. Good for automation and network programming
The management GUI on box help
There is an onbox documentation, usually in the top right
ACC - Application Command Centre
Analytical tool to provide actionable intelligence about network activity. Shows trends etc.
Monitor tab
Policies
Objects- Setup objects for use in policies
Network
- data plane interfaces and zones
- VPN related items
Device
- General settings
- Management interface
- User accounts
- Licenses
- Config backup
Management port is part of the control plane
Default 192.168.1.1/24
HTTPS
default user: admin/admin
We can disable it if needed and use network interface
By default dataplane ports won't accept mgmt packets
Service routes
For all items we need to reach out of the firewall for eg radius / log forwarding etc.
By default it will use the mgmt port
Device > Setup > Services > Service Router Configuration > Customize
CLI modes
- Operational - basic network commands: ping traceroute, show, debug
- Configuration - configure command, now you can make changes
- Similar to cisco in that regard
CLI enhancements
- User find to figure out the command syntax
- use ? to get help
- User tab to autocomplete
- Use | pipe with match or except for output filtering
ping "tab"
We will sett options with symbols
+ count - plus means it needs a value
* host - * means its required
> - means you will have more options after
ping host 1.1.1.1
tail - useful for log messages
set is how we do some config
show is how we show the config
Find all the commands related to the network
find command keyword network
W can see ethernet is under interface under network. To change ethernet1/1 from cli we need to use:
set network interface ethernet1/1
CLI is good for checking and debugging but most config will be done via CLI now
Firewall maintenance
Config files
Running config (running-config.xml)
sits in the dataplane and this one controls the firewall behaviour
When the firewall reboots this config is loaded when it boots up
Candidate configuration (snapshot.xml)
Separate file/space in memory to store temporary configuration in the control plane
Its config we have configured but have not deployed yet.
When we do a commit its merged into running config.
Saving the candidate config doesn't commit the changes
Candidate config is the running config + the new changes
Commit command merges the changes from candidate config into running config
New updated running config has the new changes
We can revert to last saved conf
Replaces current candidate config with a saved candidate config file
We can revert to running config (probably will use this one most)
Get rid of un-commited changes
Load
over writes with a file saved earlier (usually from a backup, used when restoring)
Save
Can save a named config snapshot.
Export
Export a named config (backup)
Dynamic updates
- Make sure these are enabled and auto downloading / installing
- Antivirtus / Wildfire
- Apps and threats
- Global protect HIP
- PAN-DB URL filtering (may use umbrella instead)