Tuesday, September 30, 2025

PNCSE Study Notes: Platforms and Architecture

I'll be adding these as I complete my notes on each section. Here is the topic on Platforms and Architecture.

If I have any information wrong or incomplete on any topic, please let me know!

Here is the datasheet for the hardware platforms; it has some good information to look over!
https://www.paloaltonetworks.com/resources/datasheets/product-summary-specsheet

Security Platform Overview

  • Cyber attack lifecycle stages: Recon, Weaponize, Deliver, Exploitation, Installation, Command & Control, Act on Objective

NGFW:

  • Identifies and inspects all traffic

  • Blocks known threats

  • Sends unknown threats to the cloud for analysis

  • Extends to mobile and virtual networks

Threat Intel Cloud:

  • Gathers potential threats from network and endpoints

  • Analyzes and correlates threat intel

  • Disseminates threat intel to network and endpoints

Advanced Endpoint Protection

  • Inspects all Processes and files

  • Prevents known and unknown exploits

  • Integrates with cloud to prevent known and unknown malware

Other items available:

  • Panorama: Centralized management of all PAN firewall points.

  • AutoFocus: Hosted security service, provides aggregate info on threat intel from multiple sources

  • Aperture: protection for SaaS applications like Box, Salesforce, etc.; helps manage permissions and scans files. Focused on DLP, PCI and other sensitive personal data.

  • GlobalProtect: VPN that puts traffic back through the firewall to ensure traffic scanning, traffic visibility and security.

Next Gen Firewall Architecture

  • Single-Pass Architecture

    • Per-packet operations:

      • Traffic classification with App-ID

      • User/group mapping

      • Content scan (threats, URL, confidential data)

  • Parallel Processing

    • Function-specific parallel processing hardware engines

    • Separate data plane and control plane

  • PAN is a single-pass, parallel-processing system.

    • Data plane:

      • Signature matching

        • IPS, virus, spyware, CC#, SSN

      • Security processing

        • App-ID, User-ID, URL match, policy match, app decoding, SSL/IPSec, decompression

      • Network processing

        • Flow control, route lookup, MAC lookup, QoS, NAT

    • Control plane:

      • Management

        • Configuration, management UI, logging, reporting

  • Zero Trust Security Model

    • No trust provided by default

    • Never Trust, always verify

    • Need to establish trust boundaries

    • NGFWs offer several options to help approach the zero-trust model:

      • App-ID, User-ID, URL filtering, Vuln filtering, anti-spyware, anti-virus, Traps, file blocking, DOS protection, Zone Protection, Wildfire

Public Cloud Security

  • SaaS security is provided by Aperture

  • Can be spun up on demand

  • Can be managed through Panorama, same or different device groups

Firewall Offerings

  • Physical devices:

    • PA-220, PA-800, PA-5200 - Next Gen hardware.

    • PA-7050 and PA-7080 use a chassis architecture

  • Virtual devices:

    • VM-700, VM-500, VM-300, VM-100, VM-50, VM-50 Lite

    • Supported environment:

      • ESXi: All

      • KVM/Openstack: All

      • Hyper-V: All

      • VMware NSX: VM-100 to VM-500

      • AWS: VM-100 to VM-700

      • Azure: VM-100 to VM-700

    • New sessions, all models: 8,000 per second

    • IPSec throughput, all models: varies according to model (originally 250 Mbps per the training, however the documentation states otherwise; please see the hardware spec sheet linked at the top of this post for specifics)

  • Virtual Systems

    • Ability to have separate virtual firewalls in a single physical chassis

    • Each system has its own zones, policies, administrators.

    • Supported on the 3k/5k/7k models

PNCSE Study Guide: Initial Configuration

I'll try to format these the best I can. If anyone spots any incorrect or incomplete information, PLEASE let me know so I can correct it!

Initial Configuration

Administrative Controls

  • WebUI

  • Panorama

  • CLI

  • XML API

Initial Access to System

  • MGT is out of band and connected to the management plane; the default IP is 192.168.1.1/24 on physical appliances, while VM-Series uses DHCP.

  • Console port (RJ45) 9600,8,N,1

  • admin/admin default login (nag screen until changed)

  • MGT can be set for DHCP (although Static is highly recommended)

Initial config

  • Factory Reset instructions:

  • Hostname limited to 31 characters

  • Configure new IP if needed, hostname, domain name (if wanted), and Gateway

  • The MGT port is used for updates, DNS and NTP, unless these are moved to a data port.

  • Add Service route(s) if any are needed.

  • HTTPS, SSH and Ping are enabled by default on the MGT Interface

  • Minimum MGT Config are IP Address, Netmask and Default Gateway

  • MGT port is used by default to access external management services, such as:

    • PAN Update Servers

    • NTP

    • DNS

  • Service routes can be configured so that an in-band data port performs these services instead, if the MGT port is not able to reach them.

Configuration Management

  • Running config: active config running on the FW - running-config.xml

  • Candidate config: sandbox configuration; when a commit is done, candidate replaces the running config.

  • Previous configurations are saved. These can be reverted, exported, saved out, and imported.

  • Admin-Level commit will commit all changes made by anyone (if commit all changes is selected)

  • Config changes are logged under the admin logged in for change tracking

  • Commit locks stop other admins from committing changes

  • Config locks stop other admins from making any candidate config changes

  • Admin Locks can only be removed by the admin that put the lock in place, or by a super admin.

  • Candidate Configuration is stored on control plane memory

  • Running configuration is written to both control and dataplane memory

Licensing and Software Updates

  • Registering the device with PAN on the support page is the first step. Generally this will send an activation code to your email.

  • Retrieve License from PAN License server

  • VMs can be downloaded from the software page after registration

  • The support license must be activated before activating other optional licenses (URL/threat/WildFire, etc.)

  • (if licensed) Set the dynamic updates for update/install on specific intervals

  • Update the dynamic updates before upgrading the PAN-OS code. If there is no subscription, download and install them manually.

  • Update the PAN-OS software. Intermediate upgrade steps will likely be needed if upgrading between major versions (7.0 -> 8.0 for example)

Account Administration

  • Administrators can be created with specific access, using Admin Roles.

  • Supported external authentication servers are LDAP, Kerberos, RADIUS, TACACS+ and SAML; 2FA is also supported.

  • For non-local admins, create an admin role profile, a server profile and an authentication profile. An authentication sequence is optional.

  • Two types of admin role profiles:

    • Predefined dynamic profiles

      • Superuser, superuser (read-only), device administrator, device administrator (read-only), virtual system admin, virtual system admin (read-only).

    • Administrator-defined role-based profiles

      • These can be specified granularly: exactly what they have access to, and which functions they can change, update or view.

  • Predefined local admin accounts are:

    • Superuser, superuser (read-only), device administrator, device administrator (read-only)

  • Local admin accounts can be set for minimum password length, password aging and password complexity. Not enabled by default.

  • Non-local admins are created by creating an authentication profile.

    • Multiple servers can be used. LDAP, then RADIUS would be an example.

    • Create Server profile, then (optional) auth sequence, then authentication profile.

    • Allow list can be used for those that will be allowed to use certain auth profiles.

Viewing and Filtering Logs

  • Clicking any link in the Monitor > Traffic (or other entries) will filter the logs to only show entries with those

  • Filters can be saved and loaded for quick access

PNCSE Study Notes Chapter 3: Interface and Routing Configuration

Interface Configuration

Note: This section glosses over a lot of network 101 level information. I'm using the info from PAN's training documentation, with the assumption that anyone reading this has already drilled and learned the basics of Layers 1-4 of the OSI model. If this section is giving you a lot to contemplate, a refresh on network 101 would be a good thing to consider :)

Security Zones and interfaces

  • Security zones are used to group like-devices, user groups, locations or specific-use systems.

  • In-band interfaces are traffic-passing ports, ex: ethernet1/1, 1/2, etc

  • Each interface (or subinterface) can only be assigned to one zone

  • A zone can have multiple physical or logical interfaces

  • Traffic inside zones is allowed by default. Example: Trust to trust is permitted by default

  • Traffic between zones is denied by default. Example: Untrust to DMZ is NOT permitted by default

  • Each zone type supports specific interface types:

    • Tap zone: tap interfaces

    • Tunnel zone: no interface

    • Layer 2 Zone: Layer 2 interface

    • Virtual Wire: VWire interfaces

    • Layer 3 Zone: L3, Aggregate, VLAN, Loopback and Tunnel interfaces

  • Creating a zone is done by naming the zone, selecting the type of zone (from the list above). Interfaces can be added at this time, or later by editing the interface.

TAP Interfaces

  • Interface for receiving data from a mirror port on a switch. Generally used to gather data on the network in preparation for building security policies prior to cutover.

  • TAP cannot do anything with the traffic, be it control or shaping.

  • TAP must be assigned to a TAP security zone.

  • An Any/Any/Allow rule with source and destination zones set to the TAP zone the interface is in is needed to start this data gathering; otherwise the data is dropped by the firewall's default deny rule.

Virtual Wires Interfaces

  • This is used as a L2 firewall installation in-line. This way, the firewall can be 'dropped' in without any reconfiguration of the network.

  • Interfaces are L2: no IPs, L3 routing, firewall management or IPSec termination is available on them.

  • Create the VWire instance, and add the interfaces if they have already been set to VWire. If the interfaces are not set, save the VWire instance, then go to the interfaces and add them into the VWire under interface type. A VWire zone is also needed.

  • VWire fully supports 802.1q VLAN tagging, and will pass tagged and untagged traffic as long as there is a security policy to allow it.

  • Multiple VWire subinterfaces can also be created. Each sub-interface can be set in any zone, and set as L2 or L3 interfaces.

  • An L3 subinterface can be used for IP-routing, IPSec termination tunnels, and zone traffic routing and traffic control.

Layer 2 Interfaces

  • Layer 2 switches traffic between 2+ interfaces. This makes the networks into a single Ethernet broadcast domain.

  • Steps to create a Layer 2 interface:

    • create a vlan object under Network >

    • configure the L2 interfaces

  • L2 does not participate in STP, but forwards STP packets.

  • L2 can do SSL Decrypt, User-ID, App-ID, Content ID, QoS.

  • Cannot do FW management, as no IP address.

  • Subinterfaces can be added to an 802.1q vlan

  • More than one VLAN can be added to the same top level port (example: e1/1.1 in vlan1 and e1/1.2 in vlan2). However, as there is no routing function, an external router, and security policies would be needed to route the data between the vlans.

  • Best practice is to use L3 subinterfaces to provide inter-VLAN routing.

Layer 3 Interfaces

  • Layer 3 is able to route data between networks.

  • Each L3 interface needs an IP assigned.

  • App-ID, Content-ID, User-ID, SSL Decrypt, NAT, QoS are supported.

  • Can support management as it has an IP (further config would be needed).

  • Support both IPv4 and IPv6, and support dual stack. (IPv6 must be enabled before it is available).

  • When configuring interfaces you'll need:

    • Interface type (L3)

    • IP Address

    • Security Zone

    • Virtual Router (only if you want to route traffic to/from interface).

    • IPv6:

      • Interfaces can be set for Static, DHCP or PPPoE

      • Link-local address: the prefix is prepended to an EUI-64 interface ID (IPv6)

      • Duplicate address detection can be enabled (IPv6)

      • Can also be configured to send IPv6 router advertisements (IPv6)

      • Can also include DNS info in IPv6 router advertisements (IPv6)

    • Advanced Tab (interface)

      • Link speed, Duplex Settings, MTU setting

      • Altering the MTU will override the default jumbo frame and default MTU in session settings

      • TCP-MSS can be updated

      • Interface management profile can be set here

      • ARP entries can be manually added (ND entries can be added for IPv6)

      • LLDP can be enabled and configured from the LLDP tab

  • Management Profile

    • Profile can be applied to an L3 interface. Protocols that can be allowed or denied are:

      • Ping, Telnet, SSH, HTTP, HTTP-OCSP, HTTPS, SNMP, Response Pages, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP

    • Can be assigned to L3, loopback and tunnel interfaces (interfaces that have an IP address).

    • Security Policies are required to allow traffic to non-MGT interfaces

    • Can have a 'permitted IP' list that will only allow a specific source IP address or subnet access to that specific set of permitted services.

  • Layer 3 Sub-interfaces

    • Assigned to a Layer 2 802.1q vlan

    • Different L3 sub-interfaces can be added to the same physical interface, but traffic can only be routed at Layer 3 between them if the VR has a route (and there is a security policy for the traffic).

    • Configured under Network > Interfaces > Ethernet

    • The configuration is the same as a standard Layer 3 interface configuration, with the exception of adding a VLAN tag

    • Untagged L3 sub-ints can be used, but the 'untagged interface' must be selected on the main interface advanced tab.

Virtual Routers

  • Used for Layer 3 IP routing

  • Supports one or more static routes

  • Supports multiple dynamic routing protocols, including RIPv2, OSPFv2, OSPFv3, BGPv4

  • Supports the multicast routing protocols PIM-SM and PIM-SSM (both using PIMv2)

  • IGMP v1, v2, v3 are also supported on host-facing interfaces.

  • Configure under Network > Virtual Routers

    • Give Name

    • Add L3 main, sub ints or tunnel interfaces

      • When interfaces are added, the connected routes are automatically populated into the routing table for traffic forwarding

    • Administrative distance is used to determine routing decisions when identical destination routes are present.

  • To add a default static route, click: Network > Virtual Routers > Static Routes > Add

    • Give the VR a name

    • Add a default route of 0.0.0.0/0; specify the interface this route will forward packets on (a security policy will be needed to pass the traffic).

    • Set the next hop type from the list: IP Address, Next VR, Discard or None. Typically a default route is sent to a next hop IP address (upstream to an edge router or ISP link). Next VR sends it to the specified virtual router (not this one), Discard will discard the traffic (with no log). None is used if there is no next hop for the route.

    • Set any changes to the admin distance that are needed. Administrative distance defaults are specified by the type of route (static, connected, OSPF, BGP, etc.). Leaving this blank will set it to the default value.

    • Set any metric changes desired. This is useful if you have multiple links out and want to prefer one over the other. If the preferred link fails, the other route can be used to forward packets.

    • Select which routing table to install the route in: Unicast, Multicast, Both or no install. No install would stage the route, but would not be actively used.

    • Bidirectional Forwarding Detection (BFD) can be selected. Both endpoints must support BFD. (See the docs for more details.)

      • BFD is not supported on the PA-200 or the PA-500

  • Multiple Static Default Routes

    • Multiple SDRs can be configured

    • Route with lowest metric will be installed in the forwarding table

    • Path Monitoring can be used to determine if the route is usable.

    • if Path Monitoring detects a failure, FW will switch to the higher metric route until the lower metric path is restored.

    • Path Monitoring can be configured under: Network > Virtual Routers > Static Routes > Add

      • On the bottom of the static route configuration, click the check on Path Monitoring

      • Multiple failure conditions can be added. Single or multiple source/destination entries can be set as criteria. Select either 'any' or 'all' when configuring more than one condition.

      • On the source IP, a drop-down provides all IPs configured on the firewall. Generally the IP on the interface being configured for path monitoring is selected.

      • Add the destination IP to send ping requests to

      • Set the ping interval and ping count.

    • If the lowest metric link fails monitoring, and then is restored, the 'Preemptive hold time' setting will be the timeout that the firewall will wait before failing traffic back to the lower metric link. This is defaulted to 2 minutes, but can be changed.

  • Troubleshooting Routing

    • The 'More Runtime Stats' on the Network > Virtual Routers page will pull up a new screen to show the stats on the current VR.

    • Routing and Route table has all known routes (RIB)

    • Forwarding Table has all routes of where traffic will be forwarded to (FIB)

    • Static Route Monitoring tab will show the status of all Path Monitors configured.
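The route-selection and path-monitoring behaviour described in the Virtual Routers notes above, as an added Python model (not the notes' or PAN-OS's own code): routes carry the metric and admin distance from the notes, the monitor applies the 'any'/'all' failure condition and the 2-minute preemptive hold, and the class names, ISP names and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PathMonitor:
    """Pings one or more destinations from the route's interface. With 'any' the
    route fails when any destination stops answering; with 'all', every one must."""
    destinations: list[str]
    failure_condition: str = "any"    # 'any' or 'all'
    preemptive_hold: int = 120        # seconds; the notes give a 2-minute default
    _down: set = field(default_factory=set)
    _restored_at: Optional[float] = None

    def failed(self) -> bool:
        down = [d in self._down for d in self.destinations]
        return any(down) if self.failure_condition == "any" else all(down)

    def report(self, dest: str, reachable: bool, now: float) -> None:
        """Record one ping result; when the path recovers, start the hold timer."""
        was_failed = self.failed()
        if reachable:
            self._down.discard(dest)
        else:
            self._down.add(dest)
        if was_failed and not self.failed():
            self._restored_at = now       # recovered: wait before failing back
        elif self.failed():
            self._restored_at = None

    def route_usable(self, now: float) -> bool:
        if self.failed():
            return False
        if self._restored_at is not None and now - self._restored_at < self.preemptive_hold:
            return False                  # still inside the preemptive hold time
        return True


@dataclass
class StaticRoute:
    name: str
    prefix: str
    interface: str
    next_hop: str
    metric: int = 10                  # PAN-OS default metric for static routes
    admin_distance: int = 10          # PAN-OS default admin distance for static routes
    monitor: Optional[PathMonitor] = None

    def usable(self, now: float) -> bool:
        return self.monitor is None or self.monitor.route_usable(now)


class VirtualRouter:
    def __init__(self, routes: list[StaticRoute]):
        self.rib = routes                 # every configured route (the routing table)

    def fib(self, now: float) -> dict[str, StaticRoute]:
        """Forwarding table: per prefix, the usable route with the lowest
        (admin distance, metric); unusable routes stay in the RIB only."""
        installed: dict[str, StaticRoute] = {}
        for r in self.rib:
            if not r.usable(now):
                continue
            best = installed.get(r.prefix)
            if best is None or (r.admin_distance, r.metric) < (best.admin_distance, best.metric):
                installed[r.prefix] = r
        return installed

    def active_default(self, now: float) -> Optional[str]:
        route = self.fib(now).get("0.0.0.0/0")
        return route.name if route else None

    def monitor_result(self, route_name: str, dest: str, reachable: bool, now: float) -> None:
        for r in self.rib:
            if r.name == route_name and r.monitor is not None:
                r.monitor.report(dest, reachable, now)


def demo_router() -> VirtualRouter:
    """Constructed scenario: primary ISP (metric 10, monitored with 'all') and a
    backup ISP (metric 20). 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges."""
    return VirtualRouter([
        StaticRoute("isp-a", "0.0.0.0/0", "ethernet1/1", "203.0.113.1", metric=10,
                    monitor=PathMonitor(["203.0.113.1", "203.0.113.9"], "all")),
        StaticRoute("isp-b", "0.0.0.0/0", "ethernet1/2", "198.51.100.1", metric=20),
    ])


if __name__ == "__main__":
    vr = demo_router()
    print(vr.active_default(0))                                # isp-a
    vr.monitor_result("isp-a", "203.0.113.1", False, now=5)    # one target down, 'all' not met
    print(vr.active_default(5))                                # isp-a
    vr.monitor_result("isp-a", "203.0.113.9", False, now=6)    # both down: fail over
    print(vr.active_default(6))                                # isp-b
    vr.monitor_result("isp-a", "203.0.113.1", True, now=30)    # path recovers, hold starts
    print(vr.active_default(60))                               # isp-b, inside the 120 s hold
    print(vr.active_default(150))                              # isp-a
```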

VLAN Interfaces

  • VLANs are Layer 2 802.1q networks

  • VLAN objects can be assigned an IP address and connected to Layer 3 networks for Layer 3 routing

  • Configure under Network > Network > VLAN > Add

  • All vlan interfaces will start with 'vlan' - add the ID number (NOT a vlan ID, but matching them is recommended to avoid confusion).

  • Interface must be assigned to an existing VLAN

    • If one doesn't exist or a new VLAN interface is needed, selecting 'New VLAN' on the drop down can be done to create a new VLAN.

    • Select the virtual router to add the interface to

    • Select the Security Zone to add the interface to.

Loopback Interfaces

  • Loopbacks are logical interfaces that do not have a physical presence. They are assigned in a security zone and can be reached by their IP through another physical main or sub interface.

  • Typical uses include management UI access, GlobalProtect interface, or IPSec tunnel termination point.

  • Configure under Network > Interfaces > Loopback

    • Loopback interfaces always start with 'loopback', which cannot be changed. The ID number is set by the admin.

    • Configured the same as a Layer 3 interface; Only exception is a loopback IP must be a /32 host IP.

    • Set the VR and the Security Zone the LB will be added to.

Policy-Based Forwarding

  • PBF rules are used to send specific traffic to an interface that is not the default route the traffic would follow from the routing table.

    • Use cases would include a private leased line you want to use for unencrypted traffic or traffic that needs low latency (VoIP, etc), while letting non-critical encrypted traffic over a DIA (direct internet access) circuit using an IPSec Tunnel.

    • PBF can be set using specific criteria, including source zone or interface, source user, destination IP and/or port.

    • Includes a Path Monitoring feature; if the interface the PBF is sent out goes down, the traffic will be able to go out the other interface.

  • Configure under Policies > Policy Based Forwarding

    • Name the Policy

    • Enter the criteria: Source IP, Zone and/or User-ID

    • Specify destination/application/service. It is NOT recommended to use the application, as it may take several packets to identify the traffic, and it may not be forwarded based on the PBF.

    • Enter the details of where the traffic will be forwarded, including egress interface and optional next-hop. The Path Monitoring can also be configured.

    • Symmetric Return can also be set to be enforced here. For more information on this, google 'enforce sy

PNCSE Study Notes Chapter 4: Security Policies and NATs

Security and NAT Policies

Security Policy fundamental concepts

  • All traffic must match a session and security policy (stateful firewall)

  • Basics are a source and destination zone

  • Granular includes Source/Dest Address, ports, application, URL Categories, Source user and HIP profiles.

  • Sessions are established for bidirectional data flow.

  • Policies > Security has the current security rules

  • Columns on this page can be customized for your preferred information displayed.

  • Three types of security rules:

    • Intrazone - all traffic within a zone. This traffic is allowed by default.

    • Interzone - all traffic between zones. This traffic is blocked by default.

    • Universal - applies to all traffic between the source and destination zones; combines intra- and interzone traffic.

  • Any created rules have traffic logged by default; system created rules (intra/interzone at the end) are not logged.

  • Rules are evaluated from top to bottom; when a match is found, no further eval is done.

  • Rule Shadowing is when multiple rules match the same scope of traffic.

Security Policy Administration

  • Security policy must include:

    • Source zone, Destination zone, Action

  • Security policies can also include:

    • Source IP

    • Destination IP

    • User

    • Application

    • Service

    • URLs

    • Additional actions (logging, vuln/av/malware profiles, scheduling and QoS)

  • Scheduling can set times when a rule is allowed.

  • Rules can be reordered, disabled, deleted, added, cloned.

  • Unused rules can be shown by clicking the 'Highlight Unused Rules' checkbox at the bottom of the screen.

  • Address Objects are used to give a familiar name to a single IP, IP range or FQDN (working DNS resolution is needed for FQDN).

  • Address Groups are a group of Address Objects. Groups are used to help simplify firewall administration.

  • Tags are used to help organize and 'tag' rules that are in related policy groups. examples are: mail, web, DC, SQL, etc

  • Custom Services can be created to help provide simplification and identity to services. In services, you can specify a single port, multiple ports with commas, or a range of ports with a dash.

  • For the pre-defined intra/interzone allow/deny rules, choose override to set logging or other profile settings such as av/mal/vuln profiles.

Network Address Translation

  • NAT policy is evaluated after the destination zone route lookup

  • NAT policy is applied just before packet is forwarded.

  • NAT types are Source and Destination, and these are from the perspective of the firewall.

Source NAT configuration

  • Source NAT is generally used for traffic from private internal IPs to a publicly routable IP (user inside to server outside). Types of Source NAT include:

    • Static IP: fixed 1-to-1 translation; used when a NAT IP needs to remain the same IP and port. This can be done with an IP address range, but the translation is always static 1:1; in a 10-IP range, the .2 source will always translate to the .2 address of the translated range.

    • Dynamic IP: 1-to-1 IP address translation only (no port translation); can be used with a single IP or a pool of IPs. Generally used for a set number of internal hosts with a matching number of external IPs, but a static mapping isn't required.

    • Dynamic IP and Port (DIPP): used to translate many IPs to one or a few IPs by letting the connection use a source port other than the original. This is generally used for outbound internet access from home and business connections.

  • To use Source NAT:

    • Create a NAT policy rule: original packets (IPs of the client(s)) that will be using the NAT (source address), destination address (if needed), the type of source translation (Static, Dynamic IP, DIPP), and the IP to translate to.

    • A security policy will be needed to allow the traffic. The security policy will include:

      • Source Address (private/internal client IPs/subnet)

      • Source Zone where the client IPs reside

      • Destination Zone (where IP to NAT to exists)

      • Any application or services

      • Allow the traffic on the policy

  • Bidirectional NAT's can be configured (only available for static NAT).

    • To configure, check the 'bidirectional' checkbox in the NAT configuration source nat translated packet tab.

  • DIPP NAT oversubscription is when a DIPP source NAT supports more sessions than the 64,000 ports available per IP address. This works because a new outbound session to a different destination IP can reuse a translated port that is already active; the destination IP still keeps the sessions distinct.
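An added model of DIPP port allocation (not the notes' or PAN-OS's code) showing why oversubscription works and where it stops: a translated port can be reused only for a session whose destination differs. The pool size, ratio, class names and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DippPool:
    """One translated IP with a pool of source ports. A translated port may be
    handed to more than one session only when the destination differs, so that
    return traffic can still be matched to the right internal host."""

    def __init__(self, translated_ip: str, ports: range, oversubscription: int = 1):
        self.ip = translated_ip
        self.ports = list(ports)
        self.ratio = oversubscription          # sessions allowed per translated port
        # (translated port, dst_ip, dst_port) -> flow; the destination is part of the key
        self.table: dict[tuple[int, str, int], Flow] = {}
        self.uses: dict[int, int] = {}         # translated port -> active sessions

    def allocate(self, flow: Flow) -> Optional[tuple[str, int]]:
        """Return (translated IP, translated port), or None if the pool is exhausted."""
        for port in self.ports:
            key = (port, flow.dst_ip, flow.dst_port)
            if self.uses.get(port, 0) < self.ratio and key not in self.table:
                self.table[key] = flow
                self.uses[port] = self.uses.get(port, 0) + 1
                return self.ip, port
        return None

    def capacity(self) -> int:
        """Upper bound on concurrent sessions (ports x ratio); only reachable when
        the sessions are spread over distinct destinations."""
        return len(self.ports) * self.ratio


def sessions_allocated(ratio: int, flows: list[Flow], ports: range = range(1024, 1026)) -> int:
    """Constructed scenario: a deliberately tiny two-port pool so the limits are visible."""
    pool = DippPool("203.0.113.5", ports, oversubscription=ratio)
    return sum(1 for f in flows if pool.allocate(f) is not None)


# Constructed traffic: four internal hosts, each talking to a different web server
DISTINCT_DST = [Flow(f"10.1.0.{i}", 40000 + i, f"198.51.100.{i}", 443) for i in range(1, 5)]
# Four internal hosts all talking to the same server and port
SAME_DST = [Flow(f"10.1.0.{i}", 40000 + i, "198.51.100.1", 443) for i in range(1, 5)]

if __name__ == "__main__":
    print(sessions_allocated(1, DISTINCT_DST))   # 2: one session per port
    print(sessions_allocated(2, DISTINCT_DST))   # 4: each port reused for a second destination
    print(sessions_allocated(2, SAME_DST))       # 2: the same destination cannot share a port
```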

Destination NAT configuration

  • Destination NAT is used for external traffic coming into a private or secured location inside your network.

  • Types of Destination NAT:

    • Static IP: 1:1 translation of inbound traffic.

    • Optional port forwarding: can route to multiple internal servers based on port number (25 to mail, 80 to web, etc.)

  • Configuration:

    • Create a Destination NAT policy, defining the source and destination (pre-NAT on both)

      • Incoming: source (any or specific) to destination (the external routable IP), typically Untrust to Untrust, with a destination translation to the internal IP address

    • Create a security policy that permits the post-NAT zone (and IPs if needed) to the pre-NAT destination IP/app/service/action

    • The security policy matches on the pre-NAT source and destination IPs, but the post-NAT destination zone.

  • Destination NAT port forwarding configuration:

    • When configuring the destination NAT address under the 'Translated Packet' tab, enter the translated destination port

    • A destination NAT can be set with different destination translation IPs and ports from the same external-facing IP, as long as the service is specified.
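An added Python model (not the notes' or PAN-OS's code) that ties together the security-policy fundamentals above (top-to-bottom first match, the implicit intrazone-allow/interzone-deny rules, rule shadowing) with the NAT ordering in this chapter: route lookup on the original destination, destination NAT, then security policy matched on pre-NAT addresses and the post-NAT destination zone. Zones, rules, routes and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


def ip_in(cidrs: list[str], ip: str) -> bool:
    return ANY in cidrs or any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)


def covers(outer: list[str], inner: list[str]) -> bool:
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    nets = [ipaddress.ip_network(c) for c in outer]
    return all(any(ipaddress.ip_network(i).subnet_of(n) for n in nets) for i in inner)


@dataclass
class Rule:
    name: str
    src_zones: set[str]
    dst_zones: set[str]           # post-NAT destination zone
    src_ips: list[str]            # CIDRs or [ANY]; pre-NAT
    dst_ips: list[str]            # CIDRs or [ANY]; pre-NAT
    services: set[str]            # e.g. {"tcp/443"} or {ANY}
    action: str                   # "allow" or "deny"

    def matches(self, src_zone, dst_zone, src_ip, dst_ip, service) -> bool:
        return ((ANY in self.src_zones or src_zone in self.src_zones)
                and (ANY in self.dst_zones or dst_zone in self.dst_zones)
                and ip_in(self.src_ips, src_ip) and ip_in(self.dst_ips, dst_ip)
                and (ANY in self.services or service in self.services))

    def shadows(self, later: "Rule") -> bool:
        """An earlier rule shadows a later one when it matches everything the later rule would."""
        return ((ANY in self.src_zones or later.src_zones <= self.src_zones)
                and (ANY in self.dst_zones or later.dst_zones <= self.dst_zones)
                and (ANY in self.services or later.services <= self.services)
                and covers(self.src_ips, later.src_ips) and covers(self.dst_ips, later.dst_ips))


@dataclass
class DestNat:
    src_zone: str
    dst_zone: str                 # pre-NAT destination zone, from the route lookup
    original_dst: str
    translated_dst: str


class Firewall:
    def __init__(self, routes: dict[str, str], nat_rules: list[DestNat], rules: list[Rule]):
        self.routes = routes      # CIDR -> zone of the egress interface
        self.nat_rules = nat_rules
        self.rules = rules

    def zone_for(self, ip: str) -> str:
        """Route lookup (longest prefix match) gives the zone of the egress interface."""
        addr = ipaddress.ip_address(ip)
        best = max((n for n in map(ipaddress.ip_network, self.routes) if addr in n),
                   key=lambda n: n.prefixlen)
        return self.routes[str(best)]

    def evaluate(self, src_ip: str, dst_ip: str, service: str) -> tuple[str, str, str]:
        """Return (rule name, action, post-NAT destination) for one new session."""
        src_zone = self.zone_for(src_ip)
        pre_nat_dst_zone = self.zone_for(dst_ip)       # route lookup on the original destination
        post_dst = dst_ip
        for n in self.nat_rules:                        # NAT policy matches pre-NAT zones and IPs
            if (n.src_zone, n.dst_zone, n.original_dst) == (src_zone, pre_nat_dst_zone, dst_ip):
                post_dst = n.translated_dst
                break
        post_nat_dst_zone = self.zone_for(post_dst)
        # Security policy: pre-NAT source/destination IPs, but the post-NAT destination zone
        for r in self.rules:                            # top to bottom, first match wins
            if r.matches(src_zone, post_nat_dst_zone, src_ip, dst_ip, service):
                return r.name, r.action, post_dst
        if src_zone == post_nat_dst_zone:               # implicit rules at the end of the rulebase
            return "intrazone-default", "allow", post_dst
        return "interzone-default", "deny", post_dst

    def shadowed_rules(self) -> list[tuple[str, str]]:
        """(shadowed rule, shadowing rule) pairs; the shadowed rule can never match."""
        pairs = []
        for i, later in enumerate(self.rules):
            for earlier in self.rules[:i]:
                if earlier.shadows(later):
                    pairs.append((later.name, earlier.name))
                    break
        return pairs


def demo_firewall() -> Firewall:
    """Constructed rulebase; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges."""
    return Firewall(
        routes={"0.0.0.0/0": "untrust", "10.1.0.0/16": "trust", "10.2.0.0/24": "dmz"},
        nat_rules=[DestNat("untrust", "untrust", "203.0.113.10", "10.2.0.10")],
        rules=[
            Rule("inbound-web", {"untrust"}, {"dmz"}, [ANY], ["203.0.113.10/32"], {"tcp/443"}, "allow"),
            Rule("trust-out", {"trust"}, {"untrust"}, ["10.1.0.0/16"], [ANY], {ANY}, "allow"),
            Rule("trust-web", {"trust"}, {"untrust"}, ["10.1.5.0/24"], [ANY], {"tcp/443"}, "allow"),
        ],
    )
```

The `inbound-web` rule names the public (pre-NAT) address but the `dmz` (post-NAT) zone, which is the combination the NAT notes describe; `trust-web` is fully covered by `trust-out` and is reported as shadowed.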

PNCSE Study Notes: Chapter 5: Application ID

App-ID

Application ID Overview

  • An application is a specific program or feature whose communication can be labeled, monitored and controlled

  • App-ID does additional work beyond just port

  • Port-based rules use 'Service'

  • Application-based rules use 'application'

  • Application rules will allow only the application traffic that is allowed (ex: FTP) and not other traffic using that port.

  • Zero-day or unknown traffic trying to pass on an application policy is also blocked, because it doesn't match the application traffic.

  • App-ID for UDP can generally identify the application on the first packet

  • App-ID for TCP will take several packets to identify, as the 3-way handshake needs to be done, and then the app data will need to be examined, depending on the app data.

  • The application DB is updated weekly with new and updated application identifiers.

  • Unknown protocol decoder will attempt to identify unknown appid traffic

  • Known protocol decoder will match traffic with a known app

  • Decryption to ID traffic will check if decrypt is configured.

  • App-ID steps:

    • Packet comes in - IP/Port identified

    • Check if allowed by Security policy

    • If allowed, App-ID will attempt to identify - Known, Unknown or Decrypt (if configured).

    • Does it match?

    • Security policy applied to allow or block.

Using App-ID in a Security Policy

  • Traffic can shift from one app to another during a session lifetime

  • As more traffic is received, App-ID can also refine its identification of the traffic.

  • This is why several applications are sometimes needed; web browsing, Facebook base and facebook chat could all be in the same session.

  • Signatures contain data on several versions of applications

  • Application dependencies can be seen in the Applications section under Objects

  • Some objects have dependencies built in; for example, facebook has web-browsing as a required dependency

  • Under Objects > Applications, you can find what applications have what implicit use of other applications.

    • Search for an application

    • Click the application

    • Look for the 'implicitly uses' to see what apps it will implicitly use.

  • Application Filters can be used to allow access to a series of applications, such as Office application systems, or online streaming audio and video.

  • Application Groups can be used to group together several applications for easier deployment to firewall security policy rules. They also can be used for QoS and Policy Based Forwarding (PBF) Policies.

  • Applications, Filters and groups can be nested to several levels and added to policies.

  • Application groups are added to security policy rules just like single applications.

  • Objects > Services can be used to build custom services on specific ports. This can be used to narrow access on applications.

  • Application Block Page can be configured to block access to specific applications. If User ID is in use, it will use the name of the user. If not, it will use their IP address.

Identifying Unknown Application Traffic

  • Traffic known to the PAN FW will be shown in the traffic log with the app identified.

  • When it's not able to be identified, if it is http, it is identified as web browsing. if it is not http, it is 'unknown tcp' or 'unknown udp'.

  • In initial deployments in TAP mode, in the Policies > Security section, you can create policies for 'known good' and 'known bad' apps, and add known applications on your network to the appropriate rule. A third 'any/any/allow' rule will let you see the other, unidentified applications to help pinpoint what they are and their source/destination.

  • To control unknown applications:

    • Create a custom application after identifying the traffic via packet captures.

    • Configure an application override policy. This will disable the application ID for this traffic.

    • Block unknown-tcp and unknown-udp. Be cautious in production: this could block legitimate traffic, and it isn't recommended unless you are confident there will be no production impact.

Updating App-ID

  • App-ID DB is updated weekly, and can be added to the application/threat auto update. it can also be manually downloaded and installed.

  • A check can be done on the updated App-ID under Objects > Applications, by clicking 'Review Policies' at the bottom of the page.

  • On the Application > Review policies page, you can see what rules will be impacted by the new application matches.

PNCSE Study Notes: Chapter 6: Content ID

Content ID

Overview

  • Content-ID scans traffic for, and offers protection against:

    • Software Vulnerability exploits - detects attempts to exploit known software vulnerabilities

    • Viruses - detects infected files crossing the firewall

    • Spyware - detects spyware downloads and already infected system traffic

    • Malicious URLs - blocks URLs known to be locations that host or assist any of the content scanned for by these profiles.

    • Restricted Files and Data - tracks/blocks uploads/downloads based on application and/or file types

    • Data Filtering - identifies, logs and/or blocks specific data patterns

    • WildFire Analysis - uploads suspect files to WildFire for further analysis to determine whether they are a threat or benign.

  • Security profiles must be added to a security policy to be activated.

  • Security Profiles are applied to all packets for the life of a session

  • Security Profiles can be added to a group containing several security profiles for easier management, and applying specific types for specific rules.

  • Threat log keeps records of vuln, AV, Anti-SW that can be reviewed, and can be forwarded to an external log server.

Vulnerability Protection Security Profiles

  • Includes 2 predefined read-only profiles. These can be cloned to make a custom profile, or a new profile can be built from scratch.

    • Strict: Strict implementation of the profiles. Used for 'out of the box' protection.

    • Default: applies each signature's predefined default action to traffic. Generally used for PoC and initial deployments.

  • Each individual vuln signature has a predefined default action. The default action can be seen under:

    • Objects > Security Profiles > Vulnerability Protection > Add > Exceptions - then select 'show all signatures' checkbox

  • New updates are released weekly from PAN. *

  • Rules can be configured to take packet captures

  • Threat Name can be set to 'any' to match all signatures, or to a specific string to match only signatures with that name

  • Category can be set to Any, or to a specific category, CVE, or Vendor ID

  • Actions can include:

    • Allow: Permit without logging

    • Alert: Allow with Logging

    • Drop: drops and logs

    • Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session

    • Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session

    • Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the connection/session

    • Block IP: Blocks traffic/sessions from an IP, and a time to block can be set in seconds.

  • Exceptions override the action a rule would otherwise take for a given signature. Use them when a false detection is blocking legitimate traffic. A list of IPs can be added in the exemptions column, which is useful for servers whose traffic keeps being flagged as false positives.

AV Security Profiles

  • A Default profile is available out of the box. This is recommended for initial configurations and TAP gathering

  • A custom profile is recommended. Options are to clone the default or make a new one from scratch

  • The profile has predefined application decoders for common apps: FTP, HTTP, IMAP, POP3, SMB, SMTP

  • Virus signatures are released every 24 hours by PAN

  • Action is what will occur when a virus signature is detected.

  • Actions can include:

    • Allow: Permit without logging

    • Alert: Allow with Logging

    • Drop: drops and logs

    • Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session

    • Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session

    • Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the connection/session

  • Application Exceptions can be added to the Application Exception section in the profile config screen. Any application can be added, and the action specified.

  • Packet Capture can be set to run a capture when a suspected virus is detected. This can be useful to help troubleshoot and resolve false positives.

  • The Virus Exception tab is used to handle false-positive virus detections. Add the Threat ID to the list to exempt that pattern from the specified action.

Anti-Spyware Security Profiles

  • Includes 2 predefined read-only profiles. These can be cloned to make a custom profile, or a new profile can be built from scratch.

    • Strict: Strict implementation of the profiles. Used for 'out of the box' protection.

    • Default: applies each signature's predefined default action to traffic. Generally used for PoC and initial deployments.

  • Each individual Anti-Spyware signature has a predefined default action. The default action can be seen under:

    • Objects > Security Profiles > Anti-Spyware Protection > Add > Exceptions - then select 'show all signatures' checkbox

  • Virus signatures are released every 24 hours by PAN

  • Spyware is generally detected when it attempts to 'phone home' to a C2 server.

  • A custom profile is recommended. Options are to clone the default or make a new one from scratch. Best practice is to tailor it to your network design, deployment and company security policy.

  • Each profile can contain several rules to apply policy based on the severity or type of spyware.

  • Threat Name can be for 'any' for all, or a specific string to only scan for signatures matching that name

  • Actions can include:

    • Allow: Permit without logging

    • Alert: Allow with Logging

    • Drop: drops and logs

    • Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session

    • Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session

    • Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the connection/session

  • The Exceptions tab is used to handle false-positive anti-spyware detections. Add the item to the list to exempt that pattern from the specified action. The value in the 'Action' column here overrides the rule's action.

  • DNS Signatures are included in the anti-spyware definition updates from PAN, but additional custom DNS domains can be blacklisted manually.

  • Exceptions can also be added by Threat ID. Add the Threat ID and the threat name to the exceptions list.

  • Actions for DNS signatures are:

    • Allow - Permit without logging

    • Alert - Permit with logging

    • Block - Block with Logging

    • Sinkhole - sends DNS lookups for C2 servers to a specified dead-end IP. This can be a PAN-provided IP, a local loopback, or a custom IP address. It is recommended that the sinkhole address be in a different zone than the clients, unless intrazone traffic is logged, so that the traffic to the sinkhole gets logged.

  • Actions are also available with single packet or extended packet capture

  • Sinkhole traffic can be seen in the Monitor > Logs > Threat - action of 'sinkhole'
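The two notes above (sinkhole hits land in the Threat log with action 'sinkhole', and the sinkhole should sit in a zone where client traffic to it is logged) are easiest to see with a small log walk. The example below is added here and is not from the original notes or from Palo Alto Networks; the log lines are constructed with a made-up, simplified field order (not the real PAN-OS layout), and 198.18.0.1 is an assumed custom sinkhole address.

```python
import csv
import io
from collections import Counter

# Constructed, simplified log extracts for illustration. The field order is
# made up for this example and is NOT the real PAN-OS CSV/syslog layout.
# Threat log: the DNS query that matched a C2 domain signature is seen coming
# from the internal resolver, so 'src' only names the resolver, not the client.
THREAT_LOG = """type,src,dst,threat_name,action
THREAT,10.0.0.53,198.51.100.10,Suspicious DNS Query (c2.example.test),sinkhole
THREAT,10.0.0.53,198.51.100.10,Suspicious DNS Query (beacon.example.test),sinkhole
THREAT,10.0.1.23,203.0.113.5,Generic spyware signature,alert
"""

# Traffic log: the client received the sinkhole address in the DNS answer and
# then tried to connect to it, which exposes the real infected host.
TRAFFIC_LOG = """type,src,dst,dport,action
TRAFFIC,10.0.1.17,198.18.0.1,443,allow
TRAFFIC,10.0.1.17,198.18.0.1,80,allow
TRAFFIC,10.0.1.42,198.18.0.1,8080,allow
TRAFFIC,10.0.1.23,203.0.113.80,443,allow
"""

# Assumed custom sinkhole address (RFC 2544 test range, constructed for the example).
SINKHOLE_IP = "198.18.0.1"


def _rows(log_text):
    """Parse a constructed CSV log extract into dict rows."""
    return list(csv.DictReader(io.StringIO(log_text)))


def sinkhole_resolvers(threat_log):
    """Sources of sinkholed DNS queries. With a central resolver these are the
    resolver addresses, not the infected clients."""
    return {r["src"] for r in _rows(threat_log) if r["action"] == "sinkhole"}


def infected_hosts(traffic_log, sinkhole_ip):
    """Hosts that connected to the sinkhole address, with hit counts: these are
    the machines that actually asked for a C2 domain."""
    return Counter(r["src"] for r in _rows(traffic_log) if r["dst"] == sinkhole_ip)


def sinkhole_traffic_logged(client_zone, sinkhole_zone, log_intrazone):
    """The zone caveat: client-to-sinkhole flows only show up in the traffic log
    when they cross zones or intrazone logging is enabled."""
    return client_zone != sinkhole_zone or log_intrazone


if __name__ == "__main__":
    print("resolvers seen in threat log:", sorted(sinkhole_resolvers(THREAT_LOG)))
    for host, hits in infected_hosts(TRAFFIC_LOG, SINKHOLE_IP).most_common():
        print(f"infected host {host}: {hits} connection(s) to sinkhole")
    print("logged with sinkhole in client zone:", sinkhole_traffic_logged("trust", "trust", False))
```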

File Blocking Profiles

  • Allows blocking of prohibited, malicious and sensitive files

  • File blocking can be done by extension or examination of files

  • Granular control can be done by (example) blocking .exe files from gmail, but allowing .exe's from FTP

  • Profiles have these actions available:

    • Alert: Allow and Log

    • Continue: Log incident, send user to a browser response page for them to review/continue/stop.

    • Block: Block file and log

  • Monitor > Logs > Data Filtering can be used to see the actions taken and the file name/type

  • There is no predefined file block profile. One must be created manually.

  • Rules can be set for:

    • Specific applications

    • File Types

    • Direction (upload/download/both)

    • Action (alert/continue/block)

  • If a file matches multiple rules, the highest matching rule is applied.

  • If Continue is set, the transfer is halted to alert the user that a matched file is about to be downloaded. This helps prevent 'drive-by' downloads, i.e. downloads that happen without the user's knowledge or interaction.

    • Continue only functions with an application over http

  • File Blocking can decode up to 4 layers of encoding. Encoded files include containers such as .zip, .tar, .docx, .gzip, etc.

    • The 'Multi-Level Encoding' needs to be set under the 'File Types' in the file block rule

Attaching Security Profiles to Security Policy Rules

  • Security Groups can be used to group a set of Security profiles. This will simplify Security Policy rule maintenance and deployment by selecting one group that can contain AV, ASW, Vuln, URL Filtering, File Blocking, Wildfire and Data Filtering Profiles.

  • You can also assign individual Security Profiles to a rule

Telemetry and Threat Intelligence

  • Opt-in is required, and can be customized to the data you want to share

  • Information sent to PAN is sanitized before being sent to PAN, and is not shared with any 3rd parties.

  • Telemetry is configured under Device > Setup > Telemetry and Threat Intelligence. Select the check boxes for the data you want to upload. A download button in the corner provides a copy of the folder with the 100 most recent packet captures and threat data that have been sent to PAN.

Denial of Service Protection

  • DoS protection is packet based, not session based.

  • It uses packet header info rather than signature matching.

  • These are not linked to Security Policies.

  • Zone Protection:

    • Provides edge protection

    • First line of defense

    • Flood Protection:

      • Protects against the most common attack types, including UDP floods, SYN floods and ICMP floods.

      • All flood types use Random Early Drop (RED), except SYN, which offers a choice of RED or SYN Cookies.

    • Reconnaissance Protection

      • Protects against TCP/UDP/ICMP sweeps and port scans within the criteria set

      • Actions include:

        • Allow: Permits the scan

        • Alert: Generates an alert for each scan that matches within the time interval

        • Block: Blocks the attempts

        • Block IP: Can be specified to block traffic from the source, or for the source/destination combination.

    • Packet Based Attack Protection

      • Protects against specific types of packet attacks. Examples include spoofed IP, fragmented traffic, timestamp forging, etc.

    • Protocol Protection:

      • Applies to L2 or Vwire zones only

      • Used to allow or deny which non-IP protocols can move between zones.

      • Include list will allow specified protocols only; Exclude list will allow all but the specified protocols

    • Protection is enabled on a 'per-zone' basis

    • Only one Profile can be set per zone.

  • DoS Policy

    • Provide flexible rules and matching criteria

    • Can be used for specific hosts that are critical or have been hit previously

    • This can be based on match criteria such as source/destination zone/interface, IP address, user and services.

    • Rule actions include:

      • Protect:

        • Aggregate profile: applies limits to ALL incoming traffic

        • Classified profile: applies limits to a single IP address

      • Allow: Permit all packets

      • Deny: Drop all packets

    • Added under: Polices > DoS Protection > Add

      • Specify match for source/destination/option-protection tabs

      • You can specify the aggregate and/or classified profile if Protect is selected

      • Example setting is to protect a web server from attacks or floods.

      • The DoS Protection profile itself is added under: Objects > Security Profiles > DoS Protection > Add

      • This allows setting the profile options for flood protection: SYN, UDP, ICMP, ICMPv6 and Other IP.

      • Resource Protection can be set to limit sessions to a host to prevent port depletion or resource (CPU/memory) exhaustion
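The aggregate vs. classified distinction in the DoS policy notes above is worth seeing in action: an aggregate limit alone is first-come, first-served, so one noisy source can consume the protected host's whole budget and starve legitimate clients, while a classified profile confines each source to its own budget. The simulation below is an added example, not from the original notes or PAN-OS; it models only a hard max rate (real profiles use alarm/activate/max rates and RED) and uses constructed source addresses.

```python
from collections import Counter

# Constructed sample interval: one noisy source opens 50 sessions first, then
# 10 ordinary clients open 2 sessions each. Order matters because the
# aggregate budget is consumed first-come, first-served.
NOISY_SOURCE = "203.0.113.9"
ATTEMPTS = [NOISY_SOURCE] * 50 + [f"10.0.2.{i}" for i in range(1, 11) for _ in range(2)]


def apply_dos_limits(attempts, aggregate_max, classified_max=None):
    """Simplified model of one second of new-session attempts against a protected host.

    aggregate_max:  cap on new sessions per second across ALL sources (aggregate profile).
    classified_max: cap on new sessions per second per source IP (classified profile);
                    None means no classified profile is attached.
    Returns (allowed_per_source, dropped_by_classified, dropped_by_aggregate).
    Only a hard max rate is modelled, not the alarm/activate rates or RED of PAN-OS.
    """
    allowed = Counter()
    dropped_classified = Counter()
    dropped_aggregate = Counter()
    for src in attempts:
        if classified_max is not None and allowed[src] >= classified_max:
            dropped_classified[src] += 1   # this source exceeded its own per-IP budget
        elif sum(allowed.values()) >= aggregate_max:
            dropped_aggregate[src] += 1    # the host's shared budget is exhausted
        else:
            allowed[src] += 1
    return allowed, dropped_classified, dropped_aggregate


def starved_clients(attempts, allowed):
    """Sources that attempted at least one session but were never allowed one."""
    return sorted(set(attempts) - set(allowed))


if __name__ == "__main__":
    # Aggregate only: the noisy source eats the whole budget, legitimate clients are starved.
    allowed, _, agg_drops = apply_dos_limits(ATTEMPTS, aggregate_max=40)
    print("aggregate only -> noisy allowed:", allowed[NOISY_SOURCE],
          "starved clients:", len(starved_clients(ATTEMPTS, allowed)))
    # Aggregate + classified: the per-source cap confines the noisy source, the rest get through.
    allowed, cls_drops, agg_drops = apply_dos_limits(ATTEMPTS, aggregate_max=40, classified_max=5)
    print("with classified -> noisy allowed:", allowed[NOISY_SOURCE],
          "classified drops:", cls_drops[NOISY_SOURCE],
          "starved clients:", len(starved_clients(ATTEMPTS, allowed)))
```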
