Web Interface Help

PANOS
WebInterface
ReferenceGuide
Version8.0
ContactInformation
Corporate Headquarters:
PaloAltoNetworks
4401GreatAmericaParkway
SantaClara,CA95054
www.paloaltonetworks.com/company/contactsupport
AboutthisGuide
ThisguidedescribesthePaloAltoNetworksnextgenerationfirewallandPanoramawebinterfaces.Itprovides
referenceinformationonhowtopopulatefieldswithinthesewebinterface.Foradditionalinformation,refertothe
followingresources:
Forinformationontheadditionalcapabilitiesandforinstructionsonconfiguringthefeaturesonthefirewall,
refertohttps://www.paloaltonetworks.com/documentation.
Foraccesstotheknowledgebase,discussionforums,andvideos,refertohttps://live.paloaltonetworks.com.
Forcontactingsupport,forinformationonsupportprograms,tomanageyouraccountordevices,ortoopena
supportcase,refertohttps://www.paloaltonetworks.com/support/tabs/overview.html.
ForthemostcurrentPANOSandPanorama8.0releasenotes,see
https://www.paloaltonetworks.com/documentation/80/panos/panosreleasenotes.
Toprovidefeedbackonthedocumentation,pleasewritetousat:documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
2014-2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of
their respective companies.
RevisionDate:February6,2017
2 PANOS8.0WebInterfaceReferenceGuide PaloAltoNetworks,Inc.
TableofContents
WebInterfaceBasics ................................................. 13
FirewallOverview .................................................................14
FeaturesandBenefits..............................................................15
LastLoginTimeandFailedLoginAttempts ...........................................16
MessageoftheDay ...............................................................17
TaskManager.....................................................................18
Language.........................................................................20
Alarms...........................................................................20
CommitChanges ..................................................................21
SaveCandidateConfigurations......................................................25
RevertChanges...................................................................29
LockConfigurations ...............................................................33
GlobalFind.......................................................................34
ThreatDetails.....................................................................35
AutoFocusIntelligenceSummary ....................................................37
Dashboard.......................................................... 39
ACC ................................................................ 41
AFirstGlanceattheACC.......................................................42
ACCTabs .....................................................................43
ACCWidgets .................................................................44
ACCActions..................................................................45
Monitor............................................................. 49
Monitor>Logs....................................................................50
LogTypes ....................................................................50
LogActions...................................................................53
Monitor>ExternalLogs ............................................................55
Monitor>AutomatedCorrelationEngine.............................................56
Monitor>AutomatedCorrelationEngine>CorrelationObjects .........................57
Monitor>AutomatedCorrelationEngine>CorrelatedEvents ..........................58
Monitor>PacketCapture ..........................................................59
PacketCaptureOverview......................................................59
BuildingBlocksforaCustomPacketCapture......................................60
EnableThreatPacketCapture ...................................................63
PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 3
TableofContents
Monitor>AppScope .............................................................. 64
SummaryReport ............................................................... 65
ChangeMonitorReport......................................................... 66
ThreatMonitorReport.......................................................... 67
ThreatMapReport ............................................................. 68
NetworkMonitorReport........................................................ 69
TrafficMapReport ............................................................. 71
Monitor>SessionBrowser ......................................................... 72
Monitor>BlockIPList............................................................. 73
BlockIPListEntries............................................................ 73
VieworDeleteBlockIPListEntries .............................................. 74
Monitor>Botnet .................................................................. 75
ManagingBotnetReports ....................................................... 75
ConfiguringtheBotnetReport................................................... 76
Monitor>PDFReports............................................................. 77
Monitor>PDFReports>ManagePDFSummary ...................................... 78
Monitor>PDFReports>UserActivityReport........................................ 80
Monitor>PDFReports>SaaSApplicationUsage ..................................... 81
Monitor>PDFReports>ReportGroups ............................................. 83
Monitor>PDFReports>EmailScheduler............................................ 84
Monitor>ManageCustomReports .................................................. 85
Monitor>Reports................................................................. 86
Policies .............................................................87
PolicyTypes ...................................................................... 88
MoveorCloneaPolicyRule ........................................................ 89
Policies>Security ................................................................. 90
SecurityPolicyOverview ....................................................... 90
BuildingBlocksinaSecurityPolicyRule .......................................... 91
CreatingandManagingPolicies .................................................. 98
OverridingorRevertingaSecurityPolicyRule....................................100
Policies>NAT ...................................................................102
GeneralTab ..................................................................102
OriginalPacketTab ...........................................................103
TranslatedPacketTab.........................................................104
Active/ActiveHABindingTab ..................................................105
Policies>QoS....................................................................107
Policies>PolicyBasedForwarding..................................................111
GeneralTab ..................................................................111
SourceTab ...................................................................112
Destination/Application/ServiceTab............................................113
ForwardingTab ...............................................................113
Policies>Decryption..............................................................115
GeneralTab ..................................................................115
SourceTab ...................................................................116
TableofContents
DestinationTab .............................................................. 117

Service/URLCategoryTab ..................................................... 118
OptionsTab.................................................................. 118
Policies>TunnelInspection ....................................................... 119
BuildingBlocksinaTunnelInspectionPolicy ..................................... 119
Policies>ApplicationOverride..................................................... 122
GeneralTab.................................................................. 123
SourceTab................................................................... 123
DestinationTab .............................................................. 124
Protocol/ApplicationTab...................................................... 124
Policies>Authentication .......................................................... 125
BuildingBlocksofanAuthenticationPolicyRule .................................. 125
CreateandManageAuthenticationPolicy ....................................... 128
Policies>DoSProtection.......................................................... 129
DoSProtectionPolicyOverview ................................................ 129
BuildingBlocksofaDoSProtectionPolicy ....................................... 130
Objects ............................................................133
Move,Clone,Override,orRevertObjects........................................... 134
MoveorCloneanObject...................................................... 134
OverrideorRevertanObject................................................... 134
Objects>Addresses .............................................................. 136
Objects>AddressGroups ......................................................... 138
Objects>Regions................................................................ 140
Objects>Applications............................................................ 141
ApplicationsOverview ........................................................ 141
ActionsSupportedonApplications.............................................. 145
DefiningApplications ......................................................... 147
Objects>ApplicationGroups ...................................................... 150
Objects>ApplicationFilters ....................................................... 151
Objects>Services ................................................................ 152
Objects>ServiceGroups.......................................................... 153
Objects>Tags ................................................................... 154
CreateTags .................................................................. 154
UsetheTagBrowser .......................................................... 155
ManageTags ................................................................. 156
Objects>ExternalDynamicLists ................................................... 158
Objects>CustomObjects ......................................................... 161
Objects>CustomObjects>DataPatterns.......................................... 162
DataPatternSettings ......................................................... 162
SyntaxforRegularExpressionDataPatterns..................................... 163
RegularExpressionDataPatternExamples....................................... 164
Objects>CustomObjects>Spyware/Vulnerability................................... 165
Objects>CustomObjects>URLCategory .......................................... 169
Objects>SecurityProfiles......................................................... 170
TableofContents
ActionsinSecurityProfiles .....................................................170
Objects>SecurityProfiles>Antivirus...............................................173
Objects>SecurityProfiles>AntiSpywareProfile....................................175
Objects>SecurityProfiles>VulnerabilityProtection .................................178
Objects>SecurityProfiles>URLFiltering ...........................................181
GeneralSettings..............................................................181
Categories ...................................................................182
Overrides....................................................................183
URLFilteringSettings .........................................................185
UserCredentialDetection......................................................186
Objects>SecurityProfiles>FileBlocking ...........................................188
Objects>SecurityProfiles>WildFireAnalysis.......................................190
Objects>SecurityProfiles>DataFiltering ..........................................191
Objects>SecurityProfiles>DoSProtection .........................................193
Objects>SecurityProfileGroups...................................................196
Objects>LogForwarding .........................................................197
Objects>Authentication..........................................................200
Objects>DecryptionProfile .......................................................202
DecryptionProfileGeneralSettings .............................................202
SettingstoControlDecryptedSSLTraffic ........................................203
SettingstoControlTrafficthatisnotDecrypted..................................205
SettingstoControlDecryptedSSHTraffic .......................................205
Objects>Schedules ..............................................................207
Network.......................................................... 209
Network>VirtualWires...........................................................210
Network>Interfaces..............................................................211
FirewallInterfacesOverview ...................................................212
CommonBuildingBlocksforFirewallInterfaces...................................212
CommonBuildingBlocksforPA7000SeriesFirewallInterfaces....................213
Layer2Interface ..............................................................214
Layer2Subinterface ..........................................................215
Layer3Interface ..............................................................215
Layer3Subinterface ..........................................................226
VirtualWireInterface .........................................................235
VirtualWireSubinterface......................................................236
TapInterface .................................................................237
LogCardInterface ............................................................238
LogCardSubinterface.........................................................239
DecryptMirrorInterface .......................................................240
AggregateEthernet(AE)InterfaceGroup.........................................241
AggregateEthernet(AE)Interface...............................................244
HAInterface .................................................................249
Network>Interfaces>VLAN ......................................................250
Network>Interfaces>Loopback...................................................256
TableofContents
Network>Interfaces>Tunnel ..................................................... 258

Network>VirtualRouters......................................................... 260
GeneralSettingsofaVirtualRouter ............................................. 261
StaticRoutes ................................................................. 261
RouteRedistribution.......................................................... 264
RIP ......................................................................... 265
OSPF ....................................................................... 268
OSPFv3..................................................................... 274
BGP......................................................................... 281
IPMulticast .................................................................. 296
ECMP ....................................................................... 300
MoreRuntimeStatsforaVirtualRouter ......................................... 302
Network>Zones................................................................. 311
BuildingBlocksofSecurityZones ............................................... 311
Network>VLANs ................................................................ 314
Network>IPSecTunnels.......................................................... 315
IPSecVPNTunnelManagement ................................................ 315
IPSecTunnelGeneralTab...................................................... 316
IPSecTunnelProxyIDsTab .................................................... 318
IPSecTunnelStatusontheFirewall............................................. 319
IPSecTunnelRestartorRefresh................................................ 319
Network>DHCP ................................................................ 320
DHCPOverview.............................................................. 320
DHCPAddressing ............................................................ 321
DHCPServer................................................................. 321
DHCPRelay ................................................................. 324
DHCPClient................................................................. 324
Network>DNSProxy............................................................ 325
DNSProxyOverview ......................................................... 325
DNSProxySettings ........................................................... 326
AdditionalDNSProxyActions .................................................. 328
Network>QoS .................................................................. 329
QoSInterfaceSettings ........................................................ 329
QoSInterfaceStatistics........................................................ 331
Network>LLDP ................................................................. 332
BuildingBlocksofLLDP....................................................... 332
Network>NetworkProfiles ....................................................... 335
Network>NetworkProfiles>GlobalProtectIPSecCrypto ............................ 336
Network>NetworkProfiles>IKEGateways ........................................ 337
IKEGatewayManagement..................................................... 337
IKEGatewayGeneralTab...................................................... 338
IKEGatewayAdvancedOptionsTab............................................ 341
IKEGatewayRestartorRefresh................................................ 342
Network>NetworkProfiles>IPSecCrypto......................................... 343
Network>NetworkProfiles>IKECrypto ........................................... 344
Network>NetworkProfiles>InterfaceMgmt ....................................... 345
Network>NetworkProfiles>Monitor ............................................. 346
TableofContents
Network>NetworkProfiles>ZoneProtection.......................................347
BuildingBlocksofZoneProtectionProfiles.......................................348
FloodProtection ..............................................................349
ReconnaissanceProtection .....................................................352
PacketBasedAttackProtection.................................................353
ProtocolProtection ...........................................................360
Network>NetworkProfiles>LLDPProfile ..........................................361
Network>NetworkProfiles>BFDProfile...........................................362
BFDOverview................................................................362
BuildingBlocksofaBFDProfile ................................................363
Network>NetworkProfiles>QoS.................................................365
Device ............................................................ 367

Device>Setup ...................................................................368
Device>Setup>Management .....................................................369
Device>Setup>Operations .......................................................384
EnableSNMPMonitoring......................................................390
Device>Setup>HSM............................................................392
HardwareSecurityModuleProviderSettings .....................................392
HSMAuthentication...........................................................393
HardwareSecurityModuleProviderConfigurationandStatus ......................393
HardwareSecurityModuleStatus ...............................................394
Device>Setup>Services .........................................................395
DestinationServiceRoute......................................................399
Device>Setup>Interfaces ........................................................400
Device>Setup>Telemetry........................................................404
Device>Setup>ContentID.......................................................406
Device>Setup>WildFire.........................................................410
Device>Setup>Session ..........................................................412
SessionSettings ..............................................................412
SessionTimeouts .............................................................414
TCPSettings .................................................................416
DecryptionSettings:CertificateRevocationChecking .............................418
DecryptionSettings:ForwardProxyServerCertificateSettings .....................419
VPNSessionSettings ..........................................................420
Device>HighAvailability..........................................................421
HALite......................................................................421
ImportantConsiderationsforConfiguringHA.....................................421
ConfigureHASettings .........................................................422
Device>ConfigAudit .............................................................432
Device>PasswordProfiles ........................................................433
UsernameandPasswordRequirements ..........................................434
Device>Administrators ...........................................................435
Device>AdminRoles .............................................................437
Device>AccessDomain ..........................................................439
TableofContents
Device>AuthenticationProfile.................................................... 440
ConfigureanAuthenticationProfile ............................................. 440
ExportSAMLMetadatafromanAuthenticationProfile ............................ 445
Device>AuthenticationSequence ................................................. 447
Device>VMInformationSources .................................................. 448
Device>VirtualSystems .......................................................... 452
Device>SharedGateways ........................................................ 454
Device>CertificateManagement.................................................. 455
Device>CertificateManagement>Certificates...................................... 456
ManageFirewallandPanoramaCertificates ...................................... 456
ManageDefaultTrustedCertificateAuthorities .................................. 460
Device>CertificateManagement>CertificateProfile................................ 461
Device>CertificateManagement>OCSPResponder ................................ 463
Device>CertificateManagement>SSL/TLSServiceProfile ........................... 464
Device>CertificateManagement>SCEP........................................... 465
Device>CertificateManagement>SSLDecryptionExclusion......................... 468
Device>ResponsePages ......................................................... 470
Device>LogSettings ............................................................. 472
SelectLogForwardingDestinations ............................................. 472
DefineAlarmSettings ......................................................... 474
ClearLogs ................................................................... 475
Device>ServerProfiles ........................................................... 476
Device>ServerProfiles>SNMPTrap.............................................. 477
Device>ServerProfiles>Syslog ................................................... 479
Device>ServerProfiles>Email .................................................... 481
Device>ServerProfiles>HTTP ................................................... 482
Device>ServerProfiles>NetFlow ................................................. 484
Device>ServerProfiles>RADIUS................................................. 485
Device>ServerProfiles>TACACS+................................................ 486
Device>ServerProfiles>LDAP ................................................... 487
Device>ServerProfiles>Kerberos ................................................ 489
Device>ServerProfiles>SAMLIdentityProvider.................................... 490
Device>ServerProfiles>DNS .................................................... 493
Device>ServerProfiles>MultiFactorAuthentication ................................ 494
Device>LocalUserDatabase>Users.............................................. 496
Device>LocalUserDatabase>UserGroups........................................ 497
Device>ScheduledLogExport .................................................... 498
Device>Software................................................................ 499
Device>DynamicUpdates ........................................................ 501
Device>Licenses ................................................................ 505
BehavioronLicenseExpiry .................................................... 506
TableofContents
Device>Support .................................................................507
Device>MasterKeyandDiagnostics...............................................508
UserIdentification ................................................. 511

Device>UserIdentification>UserMapping .........................................512
EnableWMIAuthentication ....................................................513
EnableClientProbing..........................................................513
EnableServerMonitoring......................................................514
ConfigureCacheTimeoutsforUserMappingEntries..............................516
EnableNTLMAuthentication ...................................................516
EnableRedistributionofUserMappingsAmongFirewalls..........................517
ManageSyslogMessageFilters .................................................518
ManagetheUserIgnoreList....................................................519
MonitorServers ..............................................................520
IncludeorExcludeSubnetworksforUserMapping ................................522
Device>UserIdentification>ConnectionSecurity ...................................524
Device>UserIdentification>UserIDAgents........................................525
ConfigureAccesstoUserIDAgents.............................................525
ManageAccesstoUserIDAgents ..............................................527
Device>UserIdentification>TerminalServicesAgents ...............................528
Device>UserIdentification>GroupMappingSettings................................529
Device>UserIdentification>CaptivePortalSettings .................................533
GlobalProtect...................................................... 537
Network>GlobalProtect>Portals..................................................538
GeneralTab ..................................................................539
AuthenticationConfigurationTab ...............................................540
AgentConfigurationTab .......................................................542
ClientlessConfigurationTab....................................................556
SatelliteConfigurationTab.....................................................559
Network>GlobalProtect>Gateways...............................................562
GeneralTab ..................................................................563
AuthenticationTab ............................................................564
AgentTab....................................................................564
SatelliteConfigurationTab.....................................................572
Network>GlobalProtect>MDM...................................................574
Network>GlobalProtect>BlockList ...............................................575
Network>GlobalProtect>ClientlessApps..........................................576
Network>GlobalProtect>ClientlessAppGroups....................................577
Objects>GlobalProtect>HIPObjects..............................................578
GeneralTab ..................................................................579
MobileDeviceTab............................................................580
PatchManagementTab........................................................581
FirewallTab ..................................................................582
AntivirusTab .................................................................582
AntiSpywareTab .............................................................583
TableofContents
DiskBackupTab.............................................................. 583
DiskEncryptionTab........................................................... 584
DataLossPreventionTab...................................................... 584
CustomChecksTab ........................................................... 585
Objects>GlobalProtect>HIPProfiles .............................................. 586
Device>GlobalProtectClient...................................................... 588
ManagingtheGlobalProtectAgentSoftware ..................................... 588
SettingUptheGlobalProtectAgent ............................................. 589
UsingtheGlobalProtectAgent ................................................. 590
PanoramaWebInterface ............................................591
UsethePanoramaWebInterface .................................................. 593
ContextSwitch .................................................................. 597
PanoramaCommitOperations..................................................... 598
DefiningPoliciesonPanorama..................................................... 607
LogStoragePartitionsforaPanoramaVirtualApplianceinLegacyMode ................ 608
Panorama>Setup>Interfaces ..................................................... 609
Panorama>HighAvailability....................................................... 611
Panorama>ManagedWildFireClusters ............................................. 614
ManagedWildFireClusterTasks................................................ 614
ManagedWildFireApplianceTasks............................................. 615
ManagedWildFireInformation................................................. 616
ManagedWildFireClusterandApplianceAdministration .......................... 619
Panorama>Administrators ........................................................ 627
Panorama>AdminRoles .......................................................... 629
Panorama>AccessDomains ...................................................... 631
Panorama>ManagedDevices..................................................... 632
ManagedFirewallAdministration............................................... 632
ManagedFirewallInformation.................................................. 633
FirewallSoftwareandContentUpdates ......................................... 635
FirewallBackups.............................................................. 636
Panorama>Templates ............................................................ 638
Templates ................................................................... 638
TemplateStacks .............................................................. 640
Panorama>DeviceGroups ........................................................ 641
Panorama>ManagedCollectors................................................... 643
LogCollectorInformation...................................................... 643
LogCollectorConfiguration .................................................... 644
SoftwareUpdatesforDedicatedLogCollectors .................................. 652
Panorama>CollectorGroups ...................................................... 654
CollectorGroupConfiguration ................................................. 654
CollectorGroupInformation ................................................... 659
Panorama>Plugins............................................................... 660
TableofContents
Panorama>VMwareNSX.........................................................661
ConfigureaNotifyGroup......................................................662
CreateServiceDefinitions......................................................663
ConfigureAccesstotheNSXManager...........................................664
CreateSteeringRules..........................................................665
Panorama>LogIngestionProfile ...................................................667
Panorama>LogSettings ..........................................................668
Panorama>ScheduledConfigExport ...............................................670
Panorama>Software .............................................................671
ManagePanoramaSoftwareUpdates............................................672
DisplayPanoramaSoftwareUpdateInformation..................................673
Panorama>DeviceDeployment....................................................674
ManageSoftwareandContentUpdates .........................................674
DisplaySoftwareandContentUpdateInformation ................................676
ScheduleDynamicContentUpdates.............................................677
ManageFirewallLicenses......................................................678
WebInterfaceBasics
FirewallOverview
FeaturesandBenefits
LastLoginTimeandFailedLoginAttempts
MessageoftheDay
TaskManager
Language
Alarms
CommitChanges
SaveCandidateConfigurations
RevertChanges
LockConfigurations
GlobalFind
ThreatDetails
AutoFocusIntelligenceSummary
FirewallOverview WebInterfaceBasics
FirewallOverview
PaloAltoNetworksnextgenerationfirewallssafelyenableapplicationsandpreventmodernthreatsby
inspectingalltrafficapplications,threats,andcontentandtyingittotheuser,regardlessoflocationor
devicetype.Theapplication,content,andusertheelementsthatrunyourbusinessbecomeintegral
componentsofyourSecuritypolicy.Thisallowsyoutoalignsecuritywithyourkeybusinessinitiatives.With
ournextgenerationsecurityplatform,youreduceresponsetimestoincidents,discoverunknownthreats,
andstreamlinesecuritynetworkdeployment.
Safelyenableapplications,users,andcontentbyclassifyingalltraffic,determiningthebusinessusecase,
andassigningpoliciestoallowandprotectaccesstorelevantapplications.
Preventthreatsbyeliminatingunwantedapplicationstoreduceyourthreatfootprintandapplytargeted
Securitypolicyrulestoblockknownvulnerabilityexploits,viruses,spyware,botnets,andunknown
malware(APTs).
Protectyourdatacentersthroughthevalidationofapplications,isolationofdata,controloverrogue
applications,andhighspeedthreatprevention.
Securepublicandprivatecloudcomputingenvironmentswithincreasedvisibilityandcontrol;deploy,
enforce,andmaintainSecuritypolicyrulesatthesamepaceasyourvirtualmachines.
WebInterfaceBasics FeaturesandBenefits
FeaturesandBenefits
ThePaloAltoNetworksnextgenerationfirewallsprovidegranularcontroloverthetrafficallowedtoaccess
yournetwork.Theprimaryfeaturesandbenefitsinclude:
Applicationbasedpolicyenforcement(AppID)Accesscontrolaccordingtoapplicationtypeisfar
moreeffectivewhenapplicationidentificationisbasedonmorethanjustprotocolandportnumber.The
AppIDservicecanblockhighriskapplications,aswellashighriskbehavior,suchasfilesharing,and
trafficencryptedwiththeSecureSocketsLayer(SSL)protocolcanbedecryptedandinspected.
Useridentification(UserID)TheUserIDfeatureallowsadministratorstoconfigureandenforce
firewallpoliciesbasedonusersandusergroupsinsteadoforinadditiontonetworkzonesandaddresses.
Thefirewallcancommunicatewithmanydirectoryservers,suchasMicrosoftActiveDirectory,
eDirectory,SunOne,OpenLDAP,andmostotherLDAPbaseddirectoryserverstoprovideuserand
groupinformationtothefirewall.Youcanthenusethisinformationforsecureapplicationenablement
thatcanbedefinedperuserorgroup.Forexample,theadministratorcouldallowoneorganizationtouse
awebbasedapplicationbutnotallowanyotherorganizationsinthecompanytousethatsame
application.Youcanalsoconfiguregranularcontrolofcertaincomponentsofanapplicationbasedon
usersandgroups(seeUserIdentification).
ThreatpreventionThreatpreventionservicesthatprotectthenetworkfromviruses,worms,spyware,
andothermalicioustrafficcanbevariedbyapplicationandtrafficsource(seeObjects>SecurityProfiles).
URLfilteringOutboundconnectionscanbefilteredtopreventaccesstoinappropriatewebsites(see
Objects>SecurityProfiles>URLFiltering).
TrafficvisibilityExtensivereports,logs,andnotificationmechanismsprovidedetailedvisibilityinto
networkapplicationtrafficandsecurityevents.TheApplicationCommandCenter(ACC)intheweb
interfaceidentifiestheapplicationswiththemosttrafficandthehighestsecurityrisk(seeMonitor).
NetworkingversatilityandspeedThePaloAltoNetworksfirewallcanaugmentorreplaceyourexisting
firewallandcanbeinstalledtransparentlyinanynetworkorconfiguredtosupportaswitchedorrouted
environment.Multigigabitspeedsandasinglepassarchitectureprovidetheseservicestoyouwithlittle
ornoimpactonnetworklatency.
GlobalProtectTheGlobalProtectsoftwareprovidessecurityforclientsystems,suchaslaptopsthat
areusedinthefield,byallowingeasyandsecureloginfromanywhereintheworld.
FailsafeoperationHighavailability(HA)supportprovidesautomaticfailoverintheeventofany
hardwareorsoftwaredisruption(seeDevice>VirtualSystems).
MalwareanalysisandreportingTheWildFirecloudbasedanalysisserviceprovidesdetailedanalysis
andreportingonmalwarethatpassesthroughthefirewall.IntegrationwiththeAutoFocusthreat
intelligenceserviceallowsyoutoassesstheriskassociatedwithyournetworktrafficatorganization,
industry,andgloballevels.
VMSeriesfirewallAVMSeriesfirewallprovidesavirtualinstanceofPANOSpositionedforuseina
virtualizeddatacenterenvironmentandisidealforyourprivate,public,andhybridcloudcomputing
environments.
ManagementandPanoramaYoucanmanageeachfirewallthroughanintuitivewebinterfaceor
throughacommandlineinterface(CLI)oryoucancentrallymanageallfirewallsthroughthePanorama
centralizedmanagementsystem,whichhasawebinterfaceverysimilartothewebinterfaceonPaloAlto
Networksfirewalls.
LastLoginTimeandFailedLoginAttempts WebInterfaceBasics
LastLoginTimeandFailedLoginAttempts
Todetectmisuseandpreventexploitationofaprivilegedaccount,suchasanadministrativeaccountona
PaloAltoNetworksfirewallorPanorama,thewebinterfaceandthecommandlineinterface(CLI)displays
yourlastlogintimeandanyfailedloginattemptsforyourusernamewhenyoulogin.Thisinformationallows
youtoeasilyidentifywhethersomeoneisusingyouradministrativecredentialstolaunchanattack.
Afteryoulogintothewebinterface,thelastlogintime informationappearsatthebottomleftofthe
window.Ifoneormorefailedloginsoccurredsincethelastsuccessfullogin,acautioniconappearstothe
rightofthelastlogininformation.Hoveroverthecautionsymboltoviewthenumberoffailedloginattempts
orclicktoviewtheFailed Login Attempts Summarywindow,whichliststheadministrativeaccountname,the
sourceIPaddress,andthereasonfortheloginfailure.
Ifyouseemultiplefailedloginattemptsthatyoudonotrecognizeasyourown,youshouldworkwithyour
networkadministratortolocatethesystemthatisperformingthebruteforceattackandtheninvestigate
theuserandhostcomputertoidentifyanderadicateanymaliciousactivity.Ifyouseethatthelastlogindate
andtimeindicatesanaccountcompromise,youshouldimmediatelychangeyourpasswordandthenperform
aconfigurationaudittodetermineifsuspiciousconfigurationchangeswerecommitted.Revertthe
configurationtoaknowngoodconfigurationifyouseethatlogswereclearedorifyouhavedifficulty
determiningifimproperchangesweremadeusingyouraccount.
WebInterfaceBasics MessageoftheDay
MessageoftheDay
IfyouoranotheradministratorconfiguredamessageofthedayorPaloAltoNetworksembeddedoneas
partofasoftwareorcontentrelease,aMessageoftheDaydialogdisplaysautomaticallywhenuserslogin
tothewebinterface.Thisensuresthatusersseeimportantinformation,suchasanimpendingsystemrestart,
thatimpactsthetaskstheyintendtoperform.
Thedialogdisplaysonemessageperpage.IfthedialogincludestheoptiontoselectDo not show again,you
canselectitforeachmessagethatyoudontwantthedialogtodisplayaftersubsequentlogins.
AnytimetheMessage of the Daychanges,themessageappearsinyournextsessionevenifyouselectedDo

not show againduringapreviouslogin.Youmustthenreselectthisoptiontoavoidseeingthemodified
messageinsubsequentsessions.
Tonavigatethedialogpages,clicktheright( )andleft( )arrowsalongthesidesofthedialogorclicka

pageselector( )alongthebottomofthedialog.AfteryouClosethedialog,youcanmanuallyreopenit
byclickingmessages( )atthebottomofthewebinterface.
Toconfigureamessageoftheday,selectDevice > Setup > ManagementandedittheBannersandMessages
settings.
TaskManager WebInterfaceBasics
TaskManager
ClickTasksatthebottomofthewebinterfacetodisplaythetasksthatyou,otheradministrators,orPANOS
initiatedsincethelastfirewallreboot(forexample,manualcommitsorautomaticFQDNrefreshes).Foreach
task,theTaskManagerprovidestheinformationandactions describedinthetablebelow.
Somecolumnsarehiddenbydefault.Todisplayorhidespecificcolumns,openthedropdowninanycolumn
header,selectColumns,andselect(display)orclear(hide)thecolumnnames.
Field/Button Description
Tofilterthetasks,enteratextstringbasedonavalueinoneofthe
columnsandApplyFilter( ).Forexample,enteringedlwillfilterthe
listtodisplayonlyEDLFetch(fetchexternaldynamiclists)tasks.To
removefiltering,RemoveFilter( ).
Type Thetypeoftask,suchaslogrequest,licenserefresh,orcommit.Ifthe
informationrelatedtothetask(suchaswarnings)istoolongtofitin
theMessagescolumn,youcanclicktheTypevaluetoseeallthe
details.
Status Indicateswhetherthetaskispending(suchascommitswithQueued
status),inprogress(suchaslogrequestswithActivestatus),
completed,orfailed.Forcommitsinprogress,theStatusindicatesthe
percentageofcompletion.
JobID Anumberthatidentifiesthetask.FromtheCLI,youcanusetheJobID
toseeadditionaldetailsaboutatask.Forexample,youcanseethe
positionofacommittaskinthecommitqueuebyentering:
> show jobs id <job-id>
Thiscolumnishiddenbydefault.
EndTime Thedateandtimewhenthetaskfinished.Thiscolumnishiddenby
default.
StartTime Thedateandtimewhenthetaskstarted.Forcommittasks,theStart
Timeindicateswhenthecommitwasaddedtothecommitqueue.
Messages Displaysdetailsaboutthetask.Iftheentryindicatesthattherearetoo
manymessages,youcanclickthetaskTypetoseethemessages.
Forcommittasks,theMessagesincludethedequeuedtimetoindicate
whenPANOSstartedperformingthecommit.Toseethedescription
anadministratorenteredforacommit,clickCommit Description.For
details,seeCommitChanges.
Action Clickxtocancelapendingcommitinitiatedbyanadministratoror
PANOS.Thisbuttonisavailableonlytoadministratorswhohaveone
ofthefollowingpredefinedroles:superuser,deviceadministrator,
virtualsystemadministrator,orPanoramaadministrator.
WebInterfaceBasics TaskManager
Show Selectthetasksyouwanttodisplay:
All Tasks(default)
Alltasksofacertaintype(Jobs,Reports,orLog Requests)
AllRunningtasks(inprogress)
AllRunningtasksofacertaintype(Jobs,Reports,orLog Requests)
(Panoramaonly)Usetheseconddropdowntodisplaythetasksfor
Panorama(default)oraspecificmanagedfirewall.
ClearCommitQueue CancelallpendingcommitsinitiatedbyadministratorsorPANOS.This
buttonisavailableonlytoadministratorswhohaveoneofthe
followingpredefinedroles:superuser,deviceadministrator,virtual
systemadministrator,orPanoramaadministrator.
Language WebInterfaceBasics
Language
Bydefault,thelocale(suchasSpanish)ofthecomputerfromwhichyoulogintothefirewalldeterminesthe
languagethatthewebinterfacedisplays.TochangetheLanguage(bottomofthewebinterface),selecta
LanguagefromthedropdownandclickOK.Thewebinterfacethenrefreshesusingthenewlanguage.
Alarms
Analarmisafirewallgeneratedmessageindicatingthatthenumberofeventsofaparticulartype(for
example,encryptionanddecryptionfailures)hasexceededthethresholdconfiguredforthateventtype(see
DefineAlarmSettings).Whengeneratinganalarm,thefirewallcreatesanAlarmlogandopenstheSystem
Alarmsdialogtodisplaythealarm.Afterclosingthedialog,youcanreopenitanytimebyclickingAlarms
( )atthebottomofthewebinterface.Topreventthefirewallfromautomaticallyopeningthedialogfor
aparticularalarm,selectUnacknowledgedAlarmsandclickAcknowledgetomovethealarmstothe
AcknowledgedAlarmslist.
WebInterfaceBasics CommitChanges
CommitChanges
ClickCommitatthetoprightofthewebinterfaceandspecifyanoperationforpendingchangestothe
firewallconfiguration:commit(activate),validate,orpreview .Youcanfilterpendingchangesby
administratororlocationandthenpreview,validate,andcommitonlythosechanges.Thelocationcanbe
specificvirtualsystems,sharedpoliciesandobjects,orshareddeviceandnetworksettings.
Thefirewallqueuescommitrequestssothatyoucaninitiateanewcommitwhileapreviouscommitisin
progress.Thefirewallperformsthecommitsintheordertheyareinitiatedbutprioritizesautocommitsthat
areinitiatedbythefirewall(suchasFQDNrefreshes).However,ifthequeuealreadyhasthemaximum
numberofadministratorinitiatedcommits,youmustwaitforthefirewalltofinishprocessingapending
commitbeforeinitiatinganewone.
UsetheTaskManagertocancelcommitsorseedetailsaboutcommitsthatarepending,inprogress,
completed,orfailed.
TheCommitdialogdisplaystheoptionsdescribedinthefollowingtable.
CommitAllChanges Commitsallchangesforwhichyouhaveadministrativeprivileges
(default).Youcannotmanuallyfilterthescopeoftheconfiguration
changesthatthefirewallcommitswhenyouselectthisoption.Instead,
theadministratorroleassignedtotheaccountyouusedtologin
determinesthecommitscope:
SuperuserroleThefirewallcommitsthechangesofall
administrators.
CustomroleTheprivilegesoftheAdminRoleprofileassignedto
youraccountdeterminethecommitscope(seeDevice>Admin
Roles).IftheprofileincludestheprivilegetoCommit For Other
Admins,thefirewallcommitschangesconfiguredbyanyandall
administrators.IfyourAdminRoleprofiledoesnotincludethe
privilegetoCommit For Other Admins,thefirewallcommitsonly
yourchangesandnotthoseofotheradministrators.
Ifyouhaveimplementedaccessdomains,thefirewallautomatically
appliesthosedomainstofilterthecommitscope(seeDevice>Access
Domain).Regardlessofyouradministrativerole,thefirewallcommits
onlytheconfigurationchangesintheaccessdomainsassignedtoyour
account.
CommitChanges WebInterfaceBasics
CommitChangesMadeBy Filtersthescopeoftheconfigurationchangesthefirewallcommits.
Theadministrativeroleassignedtotheaccountyouusedtologin
determinesyourfilteringoptions:
SuperuserroleYoucanlimitthecommitscopetochangesthat
specificadministratorsmadeandtochangesinspecificlocations.
youraccountdetermineyourfilteringoptions(seeDevice>Admin
Admins,youcanlimitthecommitscopetochangesconfiguredby
specificadministratorsandtochangesinspecificlocations.Ifyour
AdminRoleprofiledoesnotincludetheprivilegetoCommit For
Other Admins,youcanlimitthecommitscopeonlytothechanges
youmadeinspecificlocations.
Filterthecommitscopeasfollows:
FilterbyadministratorEvenifyourroleallowscommittingthe
changesofotheradministrators,thecommitscopeincludesonly
yourchangesbydefault.Toaddotheradministratorstothecommit
scope,clickthe<usernames>link,selecttheadministrators,and
clickOK.
FilterbylocationSelectthespecificlocationsforchangesto
IncludeinCommit.
filtersthecommitscopebasedonthosedomains(seeDevice>Access
Domain).Regardlessofyouradministrativeroleandyourfiltering
choices,thecommitscopeincludesonlytheconfigurationchangesin
theaccessdomainsassignedtoyouraccount.
Afteryouloadaconfiguration(Device>Setup>Operations),
youmustCommit All Changes.
Whenyoucommitchangestoavirtualsystem,youmust
includethechangesofalladministratorswhoadded,deleted,
orrepositionedrulesforthesamerulebaseinthatvirtual
system.
CommitScope Liststhelocationsthathavechangestocommit.Whetherthelist
includesallchangesorasubsetofthechangesdependsonseveral
factors,asdescribedforCommitAllChangesandCommitChanges
MadeBy.Thelocationscanbeanyofthefollowing:
shared-objectSettingsthataredefinedintheSharedlocation.
policy-and-objectsPolicyrulesorobjectsthataredefinedona
firewallthatdoesnothavemultiplevirtualsystems.
device-and-networkNetworkanddevicesettingsthatareglobal
(suchasInterfaceManagementprofiles)andnotspecifictoavirtual
system.Thisalsoappliestonetworkanddevicesettingsonafirewall
thatdoesnothavemultiplevirtualsystems.
<virtual-system>Thenameofthevirtualsysteminwhichpolicy
rulesorobjectsaredefinedonafirewallthathasmultiplevirtual
systems.Thisalsoincludesnetworkanddevicesettingsthatare
specifictoavirtualsystem(suchaszones).
WebInterfaceBasics CommitChanges
LocationType Thiscolumncategorizesthelocationsofpendingchanges:
Virtual SystemsSettingsthataredefinedinaspecificvirtual
system.
Other ChangesSettingsthatarenotspecifictoavirtualsystem
(suchassharedobjects).
IncludeinCommit Enablesyoutoselectthechangesyouwanttocommit.Bydefault,all
(partialcommitonly) changeswithintheCommit Scopeareselected.Thiscolumndisplays
onlyafteryouchoosetoCommit Changes Made Byspecific
administrators.
Theremightbedependenciesthataffectthechangesyou
includeinacommit.Forexample,ifyouaddanobjectand
anotheradministratortheneditsthatobject,youcannot
committhechangefortheotheradministratorwithoutalso
committingyourownchange.
GroupbyLocationType GroupsthelistofconfigurationchangesintheCommit Scopeby

Location Type.
PreviewChanges EnablesyoutocomparetheconfigurationsyouselectedintheCommit
Scopetotherunningconfiguration.Thepreviewwindowusescolor
codingtoindicatewhichchangesareadditions(green),modifications
(yellow),ordeletions(red).
Tohelpyoumatchthechangestosectionsofthewebinterface,you
canconfigurethepreviewwindowtodisplayLines of Contextbefore
andaftereachchange.Theselinesarefromthefilesofthecandidate
andrunningconfigurationsthatyouarecomparing.
Becausethepreviewresultsdisplayinanewbrowserwindow,
yourbrowsermustallowpopups.Ifthepreviewwindowdoes
notopen,refertoyourbrowserdocumentationforthestepsto
allowpopups.
ChangeSummary Liststheindividualsettingsforwhichyouarecommittingchanges.The
Change Summarylistdisplaysthefollowinginformationforeach
setting:
Object NameThenamethatidentifiesthepolicy,object,network
setting,ordevicesetting.
TypeThetypeofsetting(suchasAddress,Securityrule,orZone).
Location TypeIndicateswhetherthesettingisdefinedinVirtual
Systems.
LocationThenameofthevirtualsystemwherethesettingis
defined.ThecolumndisplaysSharedforsettingsthatarenot
specifictoavirtualsystem.
OperationsIndicateseveryoperation(create,edit,ordelete)
performedonthesettingsincethelastcommit.
OwnerTheadministratorwhomadethelastchangetothesetting.
Will Be CommittedIndicateswhetherthecommitcurrently
includesthesetting.
Previous OwnersAdministratorswhomadechangestothesetting
beforethelastchange.
Optionally,youcanGroup Bycolumnname(suchasType).
CommitChanges WebInterfaceBasics
ValidateCommit Validateswhetherthefirewallconfigurationhascorrectsyntaxandis
semanticallycomplete.Theoutputincludesthesameerrorsand
warningsthatacommitwoulddisplay,includingruleshadowingand
applicationdependencywarnings.Thevalidationprocessenablesyou
tofindandfixerrorsbeforeyoucommit(itmakesnochangestothe
runningconfiguration).Thisisusefulifyouhaveafixedcommit
windowandwanttobesurethecommitwillsucceedwithouterrors.
Description Allowsyoutoenteradescription(upto512characters)tohelpother
administratorsunderstandwhatchangesyoumade.
TheSystemlogforacommiteventwilltruncatedescriptions
longerthan512characters.
Commit Startsthecommitor,ifothercommitsarepending,addsyourcommit
tothecommitqueue.
WebInterfaceBasics SaveCandidateConfigurations
SaveCandidateConfigurations
SelectConfig > Save ChangesatthetoprightofthefirewallorPanoramawebinterfacetosaveanewsnapshot

fileofthecandidateconfigurationortooverwriteanexistingconfigurationfile.IfthefirewallorPanorama
rebootsbeforeyoucommityourchanges,youcanthenrevertthecandidateconfigurationtothesaved
snapshottorestorechangesyoumadeafterthelastcommit.Toreverttothesnapshot,selectDevice > Setup
> OperationsandLoad named configuration snapshot.Ifyoudontreverttothesnapshotafterareboot,the
candidateconfigurationwillbethesameasthelastcommittedconfiguration(therunningconfiguration).
Youcanfilterwhichconfigurationchangestosavebasedonadministratororlocation.Thelocationcanbe
specificvirtualsystems,sharedpoliciesandobjects,orshareddeviceandnetworksettings.
Youshouldperiodicallysaveyourchangessothatyoudontlosethemifthefirewallor
Panoramareboots.
Savingyourchangestothecandidateconfigurationdoesnotactivatethosechanges;youmustCommitChanges
toactivatethem.
TheSaveChangesdialogdisplaystheoptionsdescribedinthefollowingtable:
SaveAllChanges Savesallchangesforwhichyouhaveadministrativeprivileges
changesthatthefirewallsaveswhenyouselectthisoption.Instead,
determinesthesavescope:
SuperuserroleThefirewallsavesthechangesofalladministrators.
youraccountdeterminethesavescope(seeDevice>AdminRoles).
IftheprofileincludestheprivilegetoSave For Other Admins,the
firewallsaveschangesconfiguredbyanyandalladministrators.If
yourAdminRoleprofiledoesnotincludetheprivilegetoSave For
Other Admins,thefirewallsavesonlyyourchangesandnotthose
ofotheradministrators.
appliesthosedomainstofilterthesavescope(seeDevice>Access
Domain).Regardlessofyouradministrativerole,thefirewallsavesonly
theconfigurationchangesintheaccessdomainsassignedtoyour
account.
SaveCandidateConfigurations WebInterfaceBasics
SaveChangesMadeBy Filtersthescopeoftheconfigurationchangesthefirewallsaves.The
administrativeroleassignedtotheaccountyouusedtologin
SuperuserroleYoucanlimitthesavescopetochangesthat
Roles).IftheprofileincludestheprivilegetoSave For Other
Admins,youcanlimitthesavescopetochangesconfiguredby
AdminRoleprofiledoesnotincludetheprivilegetoSave For Other
Admins,youcanlimitthesavescopeonlytothechangesyoumade
inspecificlocations.
Filterthesavescopeasfollows:
FilterbyadministratorEvenifyourroleallowssavingthechanges
ofotheradministrators,thesavescopeincludesonlyyourchanges
bydefault.Toaddotheradministratorstothesavescope,clickthe
<usernames>link,selecttheadministrators,andclickOK.
FilterbylocationSelectchangesinspecificlocationstoIncludein
Save.
filtersthesavescopebasedonthosedomains(seeDevice>Access
choices,thesavescopeincludesonlytheconfigurationchangesinthe
accessdomainsassignedtoyouraccount.
SaveScope Liststhelocationsthathavechangestosave.Whetherthelistincludes
allchangesorasubsetofthechangesdependsonseveralfactors,as
describedfortheSaveAllChangesandSaveChangesMadeBy
options.Thelocationscanbeanyofthefollowing:
policy-and-objects(firewallonly)Policyrulesorobjectsthatare
definedonafirewallthatdoesnothavemultiplevirtualsystems.
device-and-network(firewallonly)Networkanddevicesettings
thatareglobal(suchasInterfaceManagementprofiles)andnot
<virtual-system>(firewallonly)Thenameofthevirtualsystemin
whichpolicyrulesorobjectsaredefinedonafirewallthathas
multiplevirtualsystems.Thisalsoincludesnetworkanddevice
settingsthatarespecifictoavirtualsystem(suchaszones).
<device-group>(Panoramaonly)Thenameofthedevicegroupin
whichthepolicyrulesorobjectsaredefined.
<template>(Panoramaonly)Thenameofthetemplateor
templatestackinwhichthesettingsaredefined.
<log-collector-group>(Panoramaonly)ThenameoftheCollector
Groupinwhichthesettingsaredefined.
<log-collector>(Panoramaonly)ThenameoftheLogCollectorin
whichthesettingsaredefined.
WebInterfaceBasics SaveCandidateConfigurations
LocationType Thiscolumncategorizesthelocationswherethechangesweremade:
Virtual Systems(firewallonly)Settingsthataredefinedina
specificvirtualsystem.
Device Groups(Panoramaonly)Settingsthataredefinedina
specificdevicegroup.
Templates(Panoramaonly)Settingsthataredefinedinaspecific
templateortemplatestack.
Collector Groups(Panoramaonly)Settingsthatarespecifictoa
CollectorGroupconfiguration.
IncludeinSave Enablesyoutoselectthechangesyouwanttosave.Bydefault,all
(partialsaveonly) changeswithintheSave Scopeareselected.Thiscolumndisplaysonly
afteryouchoosetoSave Changes Made Byspecificadministrators.
Theremightdependenciesthataffectthechangesyouinclude
inasave.Forexample,ifyouaddanobjectandanother
administratortheneditsthatobject,youcannotsavethe
changefortheotheradministratorwithoutalsosavingyour
ownchange.
GroupbyLocationType GroupsthelistofconfigurationchangesintheSave ScopebyLocation

Type.
PreviewChanges EnablesyoutocomparetheconfigurationsyouselectedintheSave
Becausethepreviewresultsdisplayinanewwindow,your
browsermustallowpopupwindows.Ifthepreviewwindow
doesnotopen,refertoyourbrowserdocumentationforthe
stepstounblockpopupwindows.
SaveCandidateConfigurations WebInterfaceBasics
ChangeSummary Liststheindividualsettingsforwhichyouaresavingchanges.The
setting:
Systems.
Will Be SavedIndicateswhetherthesaveoperationwillinclude
thesetting.
Save Savestheselectedchangestoaconfigurationsnapshotfile:
IfyouselectedSave All Changes,thefirewalloverwritesthedefault
configurationsnapshotfile(.snapshot.xml).
IfyouselectedSave Changes Made By,specifytheNameofanew
orexistingconfigurationfile,andclickOK.
WebInterfaceBasics RevertChanges
RevertChanges
SelectConfig > Revert ChangesatthetoprightofthefirewallorPanoramawebinterfacetoundochanges

madetothecandidateconfigurationsincethelastcommit.Revertingchangesrestoresthesettingstothe
valuesoftherunningconfiguration.Youcanfilterwhichconfigurationchangestorevertbasedon
administratororlocation.Thelocationcanbespecificvirtualsystems,sharedpoliciesandobjects,orshared
deviceandnetworksettings.
YoucannotrevertchangesuntilthefirewallorPanoramafinishesprocessingallcommitsthatarependingor
inprogress.Afteryouinitiatetherevertprocess,thefirewallorPanoramaautomaticallylocksthecandidate
andrunningconfigurationssothatotheradministratorscannoteditsettingsorcommitchanges.After
completingtherevertprocess,thefirewallorPanoramaautomaticallyremovesthelock.
TheRevertChangesdialogdisplaystheoptionsdescribedinthefollowingtable:
RevertAllChanges Revertsallchangesforwhichyouhaveadministrativeprivileges
changesthatthefirewallrevertswhenyouselectthisoption.Instead,
determinestherevertscope:
SuperuserroleThefirewallrevertsthechangesofall
administrators.
youraccountdeterminetherevertscope(seeDevice>Admin
Admins,thefirewallrevertschangesconfiguredbyanyandall
administrators.IfyourAdminRoleprofiledoesnotincludethe
privilegetoCommit For Other Admins,thefirewallrevertsonly
yourchangesandnotthoseofotheradministrators.
InAdminRoleprofiles,theprivilegesforcommittingalso
applytoreverting.
Ifyouimplementedaccessdomains,thefirewallautomaticallyapplies
thosedomainstofiltertherevertscope(seeDevice>AccessDomain).
Regardlessofyouradministrativerole,thefirewallrevertsonlythe
configurationchangesintheaccessdomainsassignedtoyouraccount.
RevertChanges WebInterfaceBasics
RevertChangesMadeBy Filtersthescopeofconfigurationchangesthatthefirewallreverts.The
administrativeroleassignedtotheaccountyouusedtologin
SuperuserroleYoucanlimittherevertscopetochangesthat
Admins,youcanlimittherevertscopetochangesconfiguredby
AdminRoleprofiledoesnotincludetheprivilegetoCommit For
Other Admins,youcanlimittherevertscopeonlytothechanges
youmadeinspecificlocations.
Filtertherevertscopeasfollows:
FilterbyadministratorEvenifyourroleallowsrevertingthe
changesofotheradministrators,therevertscopeincludesonlyyour
changesbydefault.Toaddotheradministratorstotherevertscope,
clickthe<usernames>link,selecttheadministrators,andclickOK.
FilterbylocationSelectthechangesinspecificlocationstoInclude
inRevert.
filterstherevertscopebasedonthosedomains(seeDevice>Access
choices,therevertscopeincludesonlytheconfigurationchangesin
theaccessdomainsassignedtoyouraccount.
RevertScope Liststhelocationsthathavechangestorevert.Whetherthelist
includesallchangesorasubsetofthechangesdependsonseveral
factors,asdescribedfortheRevertAllChangesandRevertChanges
MadeByoptions.Thelocationscanbeanyofthefollowing:
policy-and-objects(firewallonly)Policyrulesorobjectsthatare
definedonafirewallthatdoesnothavemultiplevirtualsystems.
device-and-network(firewallonly)Networkanddevicesettings
thatareglobal(suchasInterfaceManagementprofiles)andnot
<virtual-system>(firewallonly)Thenameofthevirtualsystemin
whichpolicyrulesorobjectsaredefinedonafirewallthathas
multiplevirtualsystems.Thisalsoincludesnetworkanddevice
settingsthatarespecifictoavirtualsystem(suchaszones).
<device-group>(Panoramaonly)Thenameofthedevicegroupin
whichthepolicyrulesorobjectsaredefined.
<template>(Panoramaonly)Thenameofthetemplateor
templatestackinwhichthesettingsaredefined.
<log-collector-group>(Panoramaonly)ThenameoftheCollector
Groupinwhichthesettingsaredefined.
<log-collector>(Panoramaonly)ThenameoftheLogCollectorin
whichthesettingsaredefined.
WebInterfaceBasics RevertChanges
LocationType Thiscolumncategorizesthelocationswherethechangesweremade:
Virtual Systems(firewallonly)Settingsthataredefinedina
specificvirtualsystem.
Device Group(Panoramaonly)Settingsthataredefinedina
specificdevicegroup.
Template(Panoramaonly)Settingsthataredefinedinaspecific
templateortemplatestack.
Log Collector Group(Panoramaonly)Settingsthatarespecificto
aCollectorGroupconfiguration.
Log Collector(Panoramaonly)SettingsthatarespecifictoaLog
Collectorconfiguration.
Other ChangesSettingsthatarenotspecifictoanyofthe
precedingconfigurationareas(suchassharedobjects).
IncludeinRevert Enablesyoutoselectthechangesyouwanttorevert.Bydefault,all
(partialrevertonly) changeswithintheRevert Scopeareselected.Thiscolumndisplays
onlyafteryouchoosetoRevert Changes Made Byspecific
administrators.
Theremightdependenciesthataffectthechangesyouinclude
inarevert.Forexample,ifyouaddanobjectandanother
administratortheneditsthatobject,youcannotrevertyour
changewithoutalsorevertingthechangefortheother
administrator.
GroupbyLocationType ListstheconfigurationchangesintheRevert ScopebyLocation Type.
PreviewChanges EnablesyoutocomparetheconfigurationsyouselectedintheRevert
Becausethepreviewresultsdisplayinanewwindow,your
browsermustallowpopupwindows.Ifthepreviewwindow
doesnotopen,refertoyourbrowserdocumentationforthe
stepstounblockpopupwindows.
RevertChanges WebInterfaceBasics
ChangeSummary Liststheindividualsettingsforwhichyouarerevertingchanges.The
setting:
Systems.
Will Be RevertedIndicateswhethertherevertoperationwill
includethesetting.
Revert Revertstheselectedchanges.
WebInterfaceBasics LockConfigurations
LockConfigurations
Tohelpyoucoordinateconfigurationtaskswithotherfirewalladministratorsduringconcurrentlogin
sessions,thewebinterfaceenablesyoutoapplyaconfigurationorcommitlock sothatother
administratorscannotchangetheconfigurationorcommitchangesuntilthelockisremoved.
Atthetoprightofthewebinterface,alockedpadlock( )indicatesthatoneormorelocksareset(with
thenumberoflocksinparentheses);anunlockedpadlock( )indicatesthatnolocksareset.Clickingeither
padlockopenstheLocksdialog,whichprovidesthefollowingoptionsandfields.
Toconfigurethefirewalltoautomaticallysetacommitlockwheneveranadministratorchangesthecandidate
configuration,selectDevice > Setup > Management,edittheGeneralSettings,enableAutomatically
Acquire Commit Lock,andthenclickOKandCommit.
Whenyourevertchanges(Config > Revert Changes),thefirewallautomaticallylocksthecandidateand
runningconfigurationsothatotheradministratorscannoteditsettingsorcommitchanges.Aftercompletingthe
revertprocess,thefirewallautomaticallyremovesthelock.
Admin Theusernameoftheadministratorwhosetthelock.
Location Onafirewallwithmorethanonevirtualsystem(vsys),thescopeofthe
lockcanaspecificvsysortheSharedlocation.
Type Thelocktypecanbe:
ConfigLockBlocksotheradministratorsfromchangingthe
candidateconfiguration.Onlyasuperuserortheadministratorwho
setthelockcanremoveit.
CommitLockBlocksotheradministratorsfromcommitting
changesmadetothecandidateconfiguration.Thecommitqueue
doesnotacceptnewcommitsuntilalllocksarereleased.Thislock
preventscollisionsthatcanoccurwhenmultipleadministrators
makechangesduringconcurrentloginsessionsandone
administratorfinishesandinitiatesacommitbeforetheother
administratorshavefinished.Thefirewallautomaticallyremovesthe
lockaftercompletingthecommitforwhichtheadministratorsetthe
lock.Asuperuserortheadministratorwhosetthelockcanalso
manuallyremoveit.
Comment Enterupto256charactersoftext.Thisisusefulforother
administratorswhowanttoknowthereasonforthelock.
CreatedAt Thedateandtimewhenanadministratorsetthelock.
LoggedIn Indicateswhethertheadministratorwhosetthelockiscurrently
loggedin.
TakeaLock Tosetalock,Take a Lock,selecttheType,selecttheLocation(multiple

virtualsystemfirewallsonly),enteroptionalComments,clickOK,and
thenClose.
RemoveLock Toreleasealock,selectit,Remove Lock,clickOK,andthenClose.
GlobalFind WebInterfaceBasics
GlobalFind
GlobalFindenablesyoutosearchthecandidateconfigurationonafirewalloronPanoramaforaparticular
string,suchasanIPaddress,objectname,policyname,threatID,orapplicationname.Thesearchresultsare
groupedbycategoryandprovidelinkstotheconfigurationlocationinthewebinterfacesothatyoucan
easilyfindalloftheplaceswherethestringexistsorisreferenced.
Tolaunchglobalfind,clickthe Searchicon ontheupperrightsideofthewebinterface.GlobalFind
isavailablefromallwebinterfacepagesandlocations.ThefollowingisalistofGlobalFindfeaturestohelp
youperformsuccessfulsearches:
Ifyouinitiateasearchonafirewallthathasmultiplevirtualsystemsenabledorifadministrativerolesare
defined,GlobalFindwillreturnresultsonlyforareasofthefirewallforwhichyouhavepermissionto
access.ThesameappliestoPanoramadevicegroups;youwillseesearchresultsonlyfordevicegroups
towhichyouhaveadministrativeaccess.
SpacesinsearchtextarehandledasANDoperations.Forexample,ifyousearchoncorp policy,both
corpandpolicymustexistintheconfigurationitemforittobeincludedinthesearchresults.
Tofindanexactphrase,surroundthephraseinquotes.
Torerunaprevioussearch,clickGlobalFindandalistofthelast20searchesaredisplayed.Clickany
iteminthelisttorerunthatsearch.Thesearchhistorylistisuniquetoeachadministrativeaccount.
GlobalFindisavailableforeachfieldthatissearchable.Forexample,inthecaseofasecuritypolicy,youcan
searchonthefollowingfields:Name,Tags,Zone,Address,User,HIPProfile,Application,andService.To
performasearch,clickthedropdownnexttoanyofthesefieldsandclickGlobal Find.Forexample,ifyou
clickGlobal Findonazonenamedl3vlantrust,GlobalFindwillsearchtheentireconfigurationforthatzone
nameandreturnresultsforeachlocationwherethezoneisreferenced.Thesearchresultsaregroupedby
categoryandyoucanhoveroveranyitemtoviewdetailsoryoucanclickanitemtonavigatetothe
configurationpageforthatitem.
GlobalFinddoesnotsearchdynamiccontentthatthefirewallallocatestousers(suchaslogs,addressranges,
orindividualDHCPaddresses).InthecaseofDHCP,youcansearchonaDHCPserverattribute,suchasthe
DNSentry,butyoucannotsearchforindividualaddressesissuedtousers.Anotherexampleisusernames
thatthefirewallcollectswhenyouenabletheUserIDfeature.Inthiscase,ausernameorusergroupthat
existsintheUserIDdatabaseisonlysearchableifthenameorgroupexistsintheconfiguration,suchas
whenausergroupnameisdefinedinapolicy.Ingeneral,youcanonlysearchforcontentthatthefirewall
writestotheconfiguration.
Lookingformore?
LearnmoreaboutusingGlobalFindtosearchthefirewallorPanoramaconfiguration.
WebInterfaceBasics ThreatDetails
ThreatDetails
Monitor>Logs>Threat
ACC>ThreatActivity
Objects>SecurityProfiles>AntiSpyware/VulnerabilityProtection
UsetheThreatDetailsdialogtolearnmoreaboutthethreatsignatureswithwhichthefirewallisequipped
andtheeventsthattriggerthosesignatures.Threatdetailsareprovidedfor:
Threatlogsthatrecordthethreatsthatthefirewalldetects(Monitor > Logs > Threat)
Thetopthreatsfoundinyournetwork(ACC > Threat Activity)
Threatsignaturesthatyouwanttomodifyorexcludefromenforcement(Objects > Security Profiles >
Anti-Spyware/Vulnerability Protection)
Whenyoufindathreatsignatureyouwanttolearnmoreabout,hoverovertheThreat NameorthethreatID
andclickException toreviewthethreatdetails.Thethreatdetailsallowyoutoeasilycheckwhetherathreat
signatureisconfiguredasanexceptiontoyoursecuritypolicyandtofindthelatestThreatVaultinformation
aboutaspecificthreat.ThePaloAltoNetworksThreatVaultdatabaseisintegratedwiththefirewall,
allowingyoutoviewexpandeddetailsaboutthreatsignaturesinthefirewallcontextorlaunchaThreatVault
searchinanewbrowserwindowforaloggedthreat.
Dependingonthetypeofthreatyoureviewing,thedetailsincludeallorsomeofthethreatdetailsdescribed
inthefollowingtable.
ThreatDetails Description
Name Threatsignaturename.
ID UniquethreatsignatureID.SelectView in Threat VaulttoopenaThreatVaultsearch

inanewbrowserwindowandlookupthelatestinformationthatthePaloAlto
Networksthreatdatabasehasforthissignature.TheThreatVaultentryforthethreat
signaturemightincludeadditionaldetails,includingthefirstandlastcontentreleases
toincludeupdatestothesignatureandtheminimumPANOSversionrequiredto
supportthesignature.
Description Informationaboutthethreatthattriggersthesignature.
Severity Thethreatseveritylevel:informational,low,medium,high,orcritical.
CVE Publiclyknownsecurityvulnerabilitiesassociatedwiththethreat.TheCommon
VulnerabilitiesandExposures(CVE)identifieristhemostusefulidentifierforfinding
informationaboutuniquevulnerabilitiesasvendorspecificIDscommonly
encompassmultiplevulnerabilities.
Bugtraq ID TheBugtraqIDassociatedwiththethreat.
Vendor ID Thevendorspecificidentifierforavulnerability.Forexample,MS16148isthe
vendorIDforoneormoreMicrosoftvulnerabilitiesandAPBSB1639isthevendor
IDforoneormoreAdobevulnerabilities.
Reference Researchsourcesyoucanusetolearnmoreaboutthethreat.
ThreatDetails WebInterfaceBasics
ThreatDetails Description
Exempt Profiles Securityprofilesthatdefineadifferentenforcementactionforthethreatsignature

thanthedefaultsignatureaction.Thethreatexceptionisonlyactivewhenexempt
profilesareattachedtoasecuritypolicyrule(checkiftheexceptionisUsedincurrent
securityrule).
Used in current security ActivethreatexceptionsAcheckmarkinthiscolumnindicatesthatthefirewallis

rule activelyenforcingthethreatexception(theExemptProfilesthatdefinethethreat
exceptionareattachedtoasecuritypolicyrule).
Ifthiscolumnisclear,thefirewallisenforcingthethreatbasedonlyonthe
recommendeddefaultsignatureaction.
Exempt IP Addresses ExemptIPaddressesYoucanaddanIPaddressonwhichtofilterthethreat

exceptionorviewexistingExempt IP Addresses.Thisoptionenforcesathreat
exceptiononlywhentheassociatedsessionhaseitherasourceordestinationIP
addressthatmatchestheexemptIPaddress.Forallothersessions,thethreatis
enforcedbasedonthedefaultsignatureaction.
Ifyourehavingtroubleviewingthreatdetails,checkforthefollowingconditions:
ThefirewallThreatPreventionlicenseisactive(Device > Licenses).
ThelatestAntivirusandThreatsandApplicationscontentupdatesareinstalled.
ThreatVaultaccessisenabled(selectDevice > Setup > ManagementandedittheLogging and
ReportingsettingtoEnable Threat Vault Access).
Thedefault(orcustom)Antivirus,AntiSpyware,andVulnerabilityProtectionsecurityprofilesareappliedto
yoursecuritypolicy.
WebInterfaceBasics AutoFocusIntelligenceSummary
AutoFocusIntelligenceSummary
YoucanviewagraphicaloverviewofthreatintelligencethatAutoFocuscompilestohelpyouassessthe
pervasivenessandriskofthefollowingfirewallartifacts:
IPAddress
URL
Domain
Useragent(foundintheUserAgentcolumnofDataFilteringlogs)
Threatname(onlyforthreatsofthesubtypesvirusandwildfirevirus)
Filename
SHA256hash(foundintheFileDigestcolumnofWildFireSubmissionslogs)
ToviewtheAutoFocusIntelligenceSummarywindow,youmusthaveanactiveAutoFocussubscriptionand
enableAutoFocusthreatintelligence .Hoveroveranartifacttoopenthedropdown( )andthenclick
AutoFocus.TheAutoFocusIntelligenceSummaryisonlyavailablewhenyou:
ViewTraffic,Threat,URLFiltering,WildFireSubmissions,DataFiltering,andUnifiedlogs(Monitor > Logs).
Viewexternaldynamiclistentries .
SearchAutoFocusfor... ClicktolaunchanAutoFocussearchfortheartifact.
Analysis Information Tab
Sessions ThenumberofprivatesessionsinwhichWildFiredetectedtheartifact.Privatesessions
aresessionsrunningonlyonfirewallsassociatedwithyoursupportaccount.Hoverover
asessionbartoviewthenumberofsessionspermonth.
Samples Organizationandglobalsamples(filesandemaillinks)associatedwiththeartifactand
groupedbyWildFireverdict(benign,grayware,ormalware).Globalreferstosamples
fromallWildFiresubmissions,whileorganizationrefersonlytosamplessubmittedto
WildFirebyyourorganization.
ClickonaWildFireverdicttolaunchanAutoFocussearchfortheartifactfilteredby
scope(organizationorglobal)andWildFireverdict.
MatchingTags AutoFocustags matchedtotheartifact:

PrivateTagsVisibleonlytoAutoFocususersassociatedwithyoursupportaccount.
PublicTagsVisibletoallAutoFocususers.
Unit42TagsIdentifythreatsandcampaignsthatposeadirectsecurityrisk.These
tagsarecreatedbyUnit42(thePaloAltoNetworksthreatintelligenceandresearch
team).
InformationalTagsUnit42tagsthatidentifycommoditythreats.
Hoveroveratagtoviewthetagdescriptionandothertagdetails.
ClickatagtolaunchanAutoFocussearchforthattag.
Toviewmorematchingtagsforanartifact,clicktheellipsis(...)tolaunchanAutoFocus
searchforthatartifact.TheTagscolumnintheAutoFocussearchresultsdisplaysmore
matchingtagsfortheartifact.
AutoFocusIntelligenceSummary WebInterfaceBasics
Passive DNS Tab

ThePassiveDNStabdisplayspassiveDNShistoryassociatedwiththeartifact.Thistabonlydisplaysmatching
informationiftheartifactisanIPaddress,domain,orURL.
Request ThedomainthatsubmittedaDNSrequest.ClickthedomaintolaunchanAutoFocus
searchforit.
Type TheDNSrequesttype(example:A,NS,CNAME).
Response TheIPaddressordomaintowhichtheDNSrequestresolved.ClicktheIPaddressor
domaintolaunchanAutoFocussearch.
TheResponsecolumndoesnotdisplayprivateIPaddresses.
Count Thenumberoftimestherequestwasmade.
FirstSeen ThedateandtimethattheRequest,Response,andTypecombinationwasfirstseen
basedonpassiveDNShistory.
LastSeen ThedateandtimethattheRequest,Response,andTypecombinationwasmostrecently
seenbasedonpassiveDNShistory.
Matching Hashes Tab

TheMatchingHashestabdisplaysthefivemostrecentprivatesampleswhereWildFiredetectedtheartifact.Private
samplesaresamplesdetectedonlyonfirewallsassociatedwithyoursupportaccount.
SHA256 TheSHA256hashforasample.ClickthehashtolaunchanAutoFocussearchforthat
hash.
FileType Thefiletypeofthesample.
CreateDate ThedateandtimethatWildFireanalyzedasampleandassignedaWildFireverdicttoit.
UpdateDate ThedateandtimethatWildFireupdatedtheWildFireverdictforasample.
Verdict TheWildFireverdictforasample:benign,grayware,ormalware.
Dashboard
TheDashboardwidgetsshowgeneralfirewallorPanoramainformation,suchasthesoftwareversion,
statusofeachinterface,resourceutilization,andupto10entriesforeachofseverallogtypes;logwidgets
displayentriesfromthelasthour.Bydefault,theDashboarddisplayswidgetsinaLayoutof3 Columnsbutyou
cancustomizetheDashboardtodisplayonly2 Columns,instead.
Youcanalsodecidewhichwidgetstodisplayorhidesothatyouseeonlythoseyouwanttomonitor.To
displayawidget,selectawidgetcategoryfromtheWidgetsdropdownandselectawidgettoaddittothe
Dashboard(widgetnamesthatappearinfadedgrayedouttextarealreadydisplayed).Hide(stopdisplaying)
awidgetbyclosingthewidget( inthewidgetheader).ThefirewallsandPanoramasaveyourwidget
displaysettingsacrosslogins(separatelyforeachadministrator).
RefertotheLast updatedtimestamptodeterminewhentheDashboarddatawaslastrefreshed.Youcan
manuallyrefreshtheentireDashboard( inthetoprightcorneroftheDashboard)oryoucanrefresh
individualwidgets( withineachwidgetheader).Usetheunlabeleddropdownnexttothemanual
Dashboardrefreshoption( )toselecttheautomaticrefreshintervalfortheentireDashboard(inminutes):
1 min,2 mins,or5 mins;todisableautomaticrefreshfortheentireDashboard,selectManual.
DashboardWidgets Description
Application Widgets
TopApplications Displaystheapplicationswiththemostsessions.Theblocksizeindicatestherelative
numberofsessions(mouseovertheblocktoviewthenumber),andthecolorindicatesthe
securityriskfromgreen(lowest)tored(highest).Clickanapplicationtoviewits
applicationprofile.
TopHighRiskApplications SimilartoTopApplicationsexceptthatitdisplaysthehighestriskapplicationswiththe
mostsessions.
ACCRiskFactor Displaystheaverageriskfactor(15)forthenetworktrafficprocessedoverthepastweek.
Highervaluesindicatehigherrisk.
System Widgets
GeneralInformation DisplaysthefirewallorPanoramanameandmodel,thePANOSorPanoramasoftware
version,theapplication,threat,andURLfilteringdefinitionversions,thecurrentdateand
time,andthelengthoftimesincethelastrestart.
Interfaces Indicateswhethereachinterfaceisup(green),down(red),orinanunknownstate(gray).
(Firewallonly)
SystemResources DisplaystheManagementCPUusage,DataPlaneusage,andtheSessionCount(the
numberofsessionsestablishedthroughthefirewallorPanorama).
HighAvailability Indicateswhenhighavailability(HA)isenabledtheHAstatusofthelocalandpeer
firewall/Panoramagreen(active),yellow(passive),orblack(other).Formoreinformation
aboutHA,refertoDevice>VirtualSystemsorPanorama>HighAvailability.
Locks Showsconfigurationlocksthatadministratorshaveset.
LoggedInAdmins DisplaysthesourceIPaddress,sessiontype(webinterfaceorCLI),andsessionstarttime
foreachadministratorwhoiscurrentlyloggedin.
Dashboard
DashboardWidgets Description
Logs Widgets
ThreatLogs DisplaysthethreatID,application,anddateandtimeforthelast10entriesintheThreat
log.ThethreatIDisamalwaredescriptionorURLthatviolatestheURLfilteringprofile.
Displaysonlyentriesfromthelast60minutes.
URLFilteringLogs Displaysthedescriptionanddateandtimeforthelast60minutesintheURLFilteringlog.
DataFilteringLogs Displaysthedescriptionanddateandtimeforthelast60minutesintheDataFilteringlog.
ConfigLogs Displaystheadministratorusername,client(webinterfaceorCLI),anddateandtimefor
thelast10entriesintheConfigurationlog.Displaysonlyentriesfromthelast60minutes.
SystemLogs Displaysthedescriptionanddateandtimeforthelast10entriesintheSystemlog.
AConfiginstalledentryindicatesconfigurationchangeswerecommitted
successfully.Displaysonlyentriesfromthelast60minutes.
ACC
TheApplicationCommandCenter(ACC)isananalyticaltoolthatprovidesactionableintelligenceaboutthe
activitywithinyournetwork.TheACCusesthefirewalllogstographicallydepicttraffictrendsonyour
network.Thegraphicalrepresentationallowsyoutointeractwiththedataandvisualizetherelationships
betweeneventsonthenetworkincludingnetworkusagepatterns,trafficpatterns,andsuspiciousactivity
andanomalies.
Whatdoyouwanttoknow? See:
HowdoIusetheACC? AFirstGlanceattheACC
ACCTabs
ACCWidgets
HowdoIinteractwiththeACC? ACCActions
WorkingwithTabsandWidgets
WorkingwithFilters
Looking for more? UsetheApplicationCommandCenter
ACC
AFirstGlanceattheACC
1 Tabs TheACCincludespredefinedtabsthatprovidevisibilityintonetworktraffic,threatactivity,
blockedactivity,andtunnelactivity.Forinformationoneachtab,seeACCTabs.
2 Widgets Eachtabincludesadefaultsetofwidgetsthatbestrepresenttheeventsandtrends
associatedwiththetab.Thewidgetsallowyoutosurveythedatausingthefollowingfilters:
bytes(inandout),sessions,content(filesanddata),URLcategories,applications,users,
threats(malicious,benign,grayware,phishing),andcount.Forinformationoneachwidget,
seeACCWidgets.
3 Time Thechartsandgraphsineachwidgetprovidearealtimeandhistoricview.Youcanchoose
acustomrangeorusethepredefinedtimeperiodsthatrangefromthelast15minutesup
tothelast30daysorlast30calendardays.
Thetimeperiodusedtorenderdata,bydefault,isthelasthour.Thedateandtimeinterval
aredisplayedonscreen.Forexample:
11/11 10:30:00-01/12 11:29:59
4 GlobalFilters Theglobalfiltersallowyoutosetthefilteracrossalltabs.Thechartsandgraphsapplythe
selectedfiltersbeforerenderingthedata.Forinformationonusingthefilters,seeACC
Actions.
ACC
5 Application TheapplicationviewallowsyoufiltertheACCviewbyeitherthesanctionedand
View unsanctionedapplicationsinuseonyournetwork,orbytheriskleveloftheapplicationsin
useonyournetwork.Greenindicatessanctionedapplications,blueunsanctioned
applications,andyellowindicatesapplicationsthathavedifferentsanctionedstateacross
differentvirtualsystemsordevicegroups.
6 RiskMeter Theriskmeter(1=lowestto5=highest)indicatestherelativesecurityriskonyournetwork.
Theriskmeterusesavarietyoffactorssuchasthetypeofapplicationsseenonthenetwork
andtherisklevelsassociatedwiththeapplications,thethreatactivityandmalwareasseen
throughthenumberofblockedthreats,andcompromisedhostsortraffictomalwarehosts
anddomains.
7 Source ThedatausedforthedisplayvariesbetweenthefirewallandPanorama.Youhavethe
followingoptionstoselectwhatdataisusedtogeneratetheviewsontheACC:
VirtualSystem:Onafirewallthatisenabledformultiplevirtualsystems,youcanusethe
Virtual SystemdropdowntochangetheACCdisplaytoincludeallvirtualsystemsorjust
aselectedvirtualsystem.
DeviceGroup:OnPanorama,youcanusetheDevice GroupdropdowntochangetheACC
displaytoincludedatafromalldevicegroupsorjustaselecteddevicegroup.
DataSource:OnPanorama,youcanalsochangethedisplaytousePanoramaorRemote
Device Data(managedfirewalldata).WhenthedatasourceisPanorama,youcanfilterthe
displayforaspecificdevicegroup.
8 Export YoucanexportthewidgetsdisplayedinthecurrenttabasaPDF.
ACCTabs
Network ActivityDisplaysanoverviewoftrafficanduseractivityonyournetwork.Itfocusesonthetop
applicationsbeingused,thetopuserswhogeneratetrafficwithadrilldownintothebytes,content,
threatsorURLsaccessedbytheuser,andthemostusedsecurityrulesagainstwhichtrafficmatches
occur.Inaddition,youcanalsoviewnetworkactivitybysourceordestinationzone,region,orIPaddress,
byingressoregressinterfaces,andbyhostinformationsuchastheoperatingsystemsofthedevices
mostcommonlyusedonthenetwork.
Threat ActivityDisplaysanoverviewofthethreatsonthenetwork.Itfocusesonthetopthreats
vulnerabilities,spyware,viruses,hostsvisitingmaliciousdomainsorURLs,topWildFiresubmissionsby
filetypeandapplication,andapplicationsthatusenonstandardports.TheCompromisedHostswidget
supplementsdetectionwithbettervisualizationtechniques.Itusestheinformationfromthecorrelated
eventstab(Monitor>AutomatedCorrelationEngine>CorrelatedEvents)topresentanaggregatedview
ofcompromisedhostsonyournetworkbysourceusersorIPaddresses,sortedonseverity.
Blocked ActivityFocusesontrafficthatwaspreventedfromcomingintothenetwork.Thewidgetsinthis
taballowyoutoviewactivitydeniedbyapplicationname,username,threatname,content(filesand
data),andthetopsecurityruleswithadenyactionthatblockedtraffic.
Tunnel ActivityDisplaystheactivityoftunneltrafficthatthefirewallinspectedbasedonyourtunnel
inspectionpolicies.InformationincludestunnelusagebasedontunnelID,monitortag,user,andtunnel
protocolssuchasGenericRoutingEncapsulation(GRE),GeneralPacketRadioService(GPRS)Tunneling
ProtocolforUserData(GTPU),andnonencryptedIPSec.
ACC
ACCWidgets
Thewidgetsoneachtabareinteractive.Youcansetfiltersanddrilldownintothedisplaytocustomizethe
viewandfocusontheinformationyouneed.
Eachwidgetisstructuredtodisplaythefollowinginformation:
1 View Youcansortthedatabybytes,sessions,threats,count,users,content,
applications,URLs,malicious,benign,grayware,phishing,file(name)s,data,
profiles,objects.Theavailableoptionsvarybywidget.
2 Graph Thegraphicaldisplayoptionsaretreemap,linegraph,horizontalbargraph,
stackedareagraph,stackedbargraph,andmap.Theavailableoptionsvaryby
widgetandtheinteractionexperiencevarieswitheachgraphtype.Forexample,
thewidgetforApplicationsusingNonStandardPortsallowsyoutochoose
betweenatreemapandalinegraph.
Todrilldownintothedisplay,clickonthegraph.Theareayouclickonbecomes
afilterandallowsyoutozoominandviewmoregranularinformationaboutthat
selection.
3 Table Thedetailedviewofthedatausedtorenderthegraphdisplaysinatablebelow
thegraph.
Youcanclickandsetalocalfilteroraglobalfilterforelementsinthetable.With
alocalfilter,thegraphisupdatedandthetableissortedbythatfilter.
Withaglobalfilter,theviewacrosstheACCpivotstodisplayonlythe
informationspecifictoyourfilter.
ACC
4 Actions Thefollowingareactionsavailableinthetitlebarofawidget:
MaximizeviewAllowsyoutoenlargethewidgetandviewitinalarger
screenspace.Inthemaximizedview,youcanseemorethanthetoptenitems
thatdisplayinthedefaultwidgetview.
SetuplocalfiltersAllowsyoutoaddfiltersthatrefinethedisplaywithinthe
widget.SeeWorkingwithFiltersLocalFiltersandGlobalFilters.
JumptologsAllowsyoutodirectlynavigatetothelogs(Monitor > Logs >
<log-type>).Thelogsarefilteredusingthetimeperiodforwhichthegraphis
rendered.
Ifyousetlocalandglobalfilters,thelogqueryconcatenatesthetimeperiod
andfiltersanddisplaysonlylogsthatmatchyourfilterset.
ExportAllowsyoutoexportthegraphasaPDF.
Foradescriptionofeachwidget,seethedetailsonusingtheACC.
ACCActions
TocustomizeandrefinetheACCdisplay,youcanaddanddeletetabs,addanddeletewidgets,setlocaland
globalfilters,andinteractwiththewidgets.
WorkingwithFiltersLocalFiltersandGlobalFilters
Addacustomtab. 1. SelectAdd( )alongthelistoftabs.

2. AddaView Name.Thisnamewillbeusedasthe
nameforthetab.Youcanaddupto10customtabs.
Editatab. Selectthetabandclickeditnexttothetabnametoedit
thetab.
Example: .
Setatabasdefault 1. Editatab.
2. Select tosetthecurrenttabasthedefault.
Eachtimeyoulogintothefirewall,thistabwill
display.
Saveatabstate 1. Editatab.
2. Select tosaveyourpreferencesinthecurrent
tabasthedefault.
Thetabstateincludinganyfiltersthatyoumayhave
setaresynchronizedacrossHApeers.
ACC
WorkingwithTabsandWidgets(Continued)
Exportatab 1. Editatab.
2. Select toexportthecurrenttab.Thetab
downloadstoyourcomputerasa.txtfile.Youmust
enablepopupstodownloadthefile.
Importatab 1. Addacustomtab.
2. Select toimportatab.
3. Browsetothetext(.txt)fileandselectit.
Seewhichwidgetsareincludedinaview. 1. Selecttheviewandclickedit( ).
2. SelecttheAdd Widgetsdropdowntoreview
selectedwidgets.
Addawidgetorawidgetgroup. 1. Addanewtaboreditapredefinedtab.
2. SelectAdd Widgetandthenselectthewidgetyou
wanttoadd.Youcanselectamaximumof12
widgets.
3. (Optional)Tocreateatwocolumnlayout,selectAdd
Widget Group.Youcandraganddropwidgetsinto
thetwocolumndisplay.Asyoudragthewidgetinto
thelayout,aplaceholderwilldisplayforyoutodrop
thewidget.
Youcannotnameawidgetgroup.
Deleteatab,widget,orwidgetgroup. Todeleteacustomtab,selectthetabandclickdelete(
).
Youcannotdeleteapredefinedtab.
Todeleteawidgetorwidgetgroup,editthetaband
thenclickdelete([X]).Youcannotundoadeletion.
Resetthedefaultview. Onapredefinedview,suchastheBlocked Activityview,

youcandeleteoneormorewidgets.Ifyouwanttoreset
thelayouttoincludethedefaultsetofwidgetsforthetab,
editthetabandReset View.
WorkingwithFiltersLocalFiltersandGlobalFilters
TohonethedetailsandfinelycontrolwhattheACCdisplays,youcanusefilters:
LocalFiltersLocalfiltersareappliedonaspecificwidget.Alocalfilterallowsyoutointeractwiththe
graphandcustomizethedisplaysothatyoucandigintothedetailsandaccesstheinformationyouwant
tomonitoronaspecificwidget.Youcanapplyalocalfilterintwoways:clickintoanattributeinthegraph
ortable;orselectSet Filterwithinawidget.Set Filterallowsyoutosetalocalfilterthatispersistentacross
reboots.
ACC
GlobalfiltersGlobalfiltersareappliedacrosstheACC.Aglobalfilterallowsyoutopivotthedisplay
aroundthedetailsyoucaremostaboutandexcludetheunrelatedinformationfromthecurrentdisplay.
Forexample,toviewalleventsrelatedtoaspecificuserandapplication,youcanapplytheusersIP
addressandspecifytheapplicationtocreateaglobalfilterthatdisplaysonlyinformationpertainingto
thatuserandapplicationthroughallthetabsandwidgetsontheACC.Globalfiltersarenotpersistent
acrosslogins.
Globalfilterscanbeappliedinthreeways:
SetaglobalfilterfromatableSelectanattributefromatableinanywidgetandapplytheattribute
asaglobalfilter.
AddawidgetfiltertobeaglobalfilterHoverovertheattributeandclickthearrowicontotheright
oftheattribute.Thisoptionallowsyoutoelevatealocalfilterusedinawidgetandapplythe
attributegloballytoupdatethedisplayacrossalltabsontheACC.
DefineaglobalfilterDefineafilterusingtheGlobal FilterspaneontheACC.
WorkingwithFilters
Setalocalfilter. 1. SelectawidgetandclickFilter( ).
Youcanalsoclickanattributeinthe 2. Add( )filtersyouwanttoapply.
tablebelowthegraphtoapplyitas
3. ClickApply.Thesefiltersarepersistentacross
alocalfilter.
reboots.
Thenumberoflocalfiltersappliedonawidgetare
indicatednexttothewidgetname.
Setaglobalfilterfromatable. Hoveroveranattributeinatableandclickthearrowthat
appearstotherightoftheattribute.
SetaglobalfilterusingtheGlobalFilters Add( )filtersyouwanttoapply.

pane.
Promotealocalfiltertoasglobalfilter. 1. Onanytableinawidget,selectanattribute.Thissets
theattributeasalocalfilter.
2. Topromotethefiltertoaglobalfilter,hoveroverthe
attributeandclickthearrowtotherightofthe
attribute.
Removeafilter. ClickRemove( )toremoveafilter.

GlobalfiltersLocatedintheGlobalFilterspane.
LocalfiltersClickFilter( )tobringuptheSetLocal
Filtersdialogandthenselectthefilterandremoveit.
Clearallfilters GlobalfiltersClear AllGlobalFilters.

LocalfiltersSelectawidgetandclickFilter( ).Then
Clear AllintheSetLocalFilterswidget.
Negatefilters SelectanattributeandNegate( )afilter.

GlobalfiltersLocatedintheGlobalFilterspane.
LocalfiltersClickFilter( )tobringuptheSetLocal
Filtersdialogaddafilter,andthennegateit.
ACC
WorkingwithFilters(Continued)
Viewwhatfiltersareinuse. GlobalfiltersThenumberofglobalfiltersappliedare
displayedontheleftpaneunderGlobalFilters.
LocalfiltersThenumberoflocalfiltersappliedona
widgetaredisplayednexttothewidgetname.Toview
thefilters,clickSetLocalFilters.
Monitor
Thefollowingtopicsdescribethefirewallreportsandlogsyoucanusetomonitoractivityonyournetwork:
Monitor>Logs
Monitor>ExternalLogs
Monitor>AutomatedCorrelationEngine
Monitor>PacketCapture
Monitor>AppScope
Monitor>SessionBrowser
Monitor>BlockIPList
Monitor>Botnet
Monitor>PDFReports
Monitor>ManageCustomReports
Monitor>Reports
Monitor>Logs Monitor
Monitor>Logs
Tellmeaboutthedifferenttypesof LogTypes
logs.
Filterlogs. LogActions
Exportlogs.
Viewdetailsforindividuallog
entries.
Modifythelogdisplay.
Looking for more? Monitorandmanagelogs.
LogTypes
Thefirewalldisplaysalllogssothatrolebasedadministrationpermissionsarerespected.Onlythe
informationthatyouhavepermissiontoseeisincluded,andthismightvarydependingonthetypesoflogs
youareviewing.Forinformationonadministratorpermissions,refertoDevice>AdminRoles.
LogType Description
Traffic Displaysanentryforthestartandendofeachsession.Eachentryincludesthedate
andtime,sourceanddestinationzones,addressesandports,applicationname,
securityrulenameappliedtotheflow,ruleaction(allow,deny,ordrop),ingressand
egressinterface,numberofbytes,andsessionendreason.
TheTypecolumnindicateswhethertheentryisforthestartorendofthesession,
orwhetherthesessionwasdeniedordropped.Adropindicatesthatthesecurity
rulethatblockedthetrafficspecifiedanyapplication,whileadenyindicatesthe
ruleidentifiedaspecificapplication.
Iftrafficisdroppedbeforetheapplicationisidentified,suchaswhenaruledropsall
trafficforaspecificservice,theapplicationisshownasnotapplicable.
Drilldownintrafficlogsformoredetailsonindividualentriesandartifacts:
ClickDetails( )toviewadditionaldetailsaboutthesession,suchaswhether
anICMPentryaggregatesmultiplesessionsbetweenthesamesourceand
destination(theCountvaluewillbegreaterthanone).
OnafirewallwithanactiveAutoFocuslicense,hovernexttoanIPaddress,
filename,URL,useragent,threatname,orhashcontainedinalogentryandclick
thedropdown( )toopentheAutoFocusIntelligenceSummaryforthat
artifact.
Monitor Monitor>Logs
LogType Description
Threat Displaysanentryforeachsecurityalarmgeneratedbythefirewall.Eachentry
includesthedateandtime,athreatnameorURL,thesourceanddestinationzones,
addresses,andports,theapplicationname,andthealarmaction(alloworblock)and
severity.
TheTypecolumnindicatesthetypeofthreat,suchasvirusorspyware;the
NamecolumnisthethreatdescriptionorURL;andtheCategorycolumnisthe
threatcategory(suchaskeylogger)orURLcategory.
Drilldowninthreatlogsformoredetailsonindividualentriesandartifacts:
ClickDetails( )toviewadditionaldetailsaboutthethreat,suchaswhether
theentryaggregatesmultiplethreatsofthesametypebetweenthesamesource
anddestination(theCountvaluewillbegreaterthanone).
filename,URL,useragent,threatname,orhashcontainedinalogentryandclick
thedropdown( )toopentheAutoFocusIntelligenceSummaryforthat
artifact.
Iflocalpacketcapturesareenabled,clickDownload( )toaccesscaptured
packets.Toenablelocalpacketcaptures,refertothesubsectionsunderObjects
> Security Profiles.
Toviewmoredetailsaboutathreatortoquicklyconfigurethreatexemptions
directlyfromthethreatlogs,clickthethreatnameintheNamecolumn.The
ExemptProfileslistshowsallcustomAntivirus,Antispyware,andVulnerability
protectionprofiles.Toconfigureanexemptionforathreatsignature,selectthe
checkboxtotheleftofthesecurityprofilenameandsaveyourchange.Toadd
exemptionsforIPAddresses(upto100IPaddressespersignature),highlightthe
securityprofile,addtheIPaddress(es)intheExemptIPAddressessectionand
clickOKtosave.Toviewormodifytheexemption,gototheassociatedsecurity
profileandclicktheExceptionstab.Forexample,ifthethreattypeis
vulnerability,selectObjects > Security Profiles > Vulnerability Protection,click
theassociatedprofilethenclicktheExceptionstab.
URLFiltering DisplayslogsforURLfilters,whichcontrolaccesstowebsitesandwhetherusers
cansubmitcredentialstowebsites.
SelectObjects>SecurityProfiles>URLFilteringtodefineURLfilteringsettings,
includingwhichURLcategoriestoblockorallowandtowhichyouwanttograntor
disablecredentialsubmissions.YoucanalsoenableloggingoftheHTTPheader
optionsfortheURL.
filename,URL,useragent,threatname,orhashcontainedinalogentryandclickthe
dropdown( )toopentheAutoFocusIntelligenceSummaryforthatartifact.
WildFire DisplayslogsforfilesandemaillinksthatthefirewallforwardedforWildFire
Submissions analysis.TheWildFirecloudanalyzesthesampleandreturnsanalysisresults,which
includetheWildFireverdictassignedtothesample(benign,malware,grayware,or
phishing).YoucanconfirmifthefirewallallowedorblockedafilebasedonSecurity
policyrulesbyviewingtheActioncolumn.
filename,URL,useragent,threatname,orhash(intheFileDigestcolumn)contained
inalogentryandclickthedropdown( )toopentheAutoFocusIntelligence
Summaryfortheartifact.
LogType Description
DataFiltering DisplayslogsforthesecuritypolicieswithattachedDataFilteringprofiles,tohelp
preventsensitiveinformationsuchascreditcardorsocialsecuritynumbersfrom
leavingtheareaprotectedbythefirewall,andFileBlockingprofiles,thatprevent
certainfiletypesfrombeinguploadedordownloaded.
Toconfigurepasswordprotectionforaccessthedetailsforalogentry,click .
EnterthepasswordandclickOK.RefertoDevice>ResponsePagesforinstructions
onchangingordeletingthedataprotectionpassword.
Thesystempromptsyoutoenterthepasswordonlyoncepersession.
HIPMatch DisplaysallHIPmatchesthattheGlobalProtectgatewayidentifieswhen
comparingtherawHIPdatareportedbytheagenttothedefinedHIPobjectsand
HIPprofiles.Unlikeotherlogs,aHIPmatchisloggedevenwhenitdoesnotmatch
asecuritypolicy.Formoreinformation,refertoNetwork>GlobalProtect>Portals.
UserID DisplaysinformationaboutIPaddresstousernamemappings,suchasthesourceof
themappinginformation,whentheUserIDagentperformedthemapping,andthe
remainingtimebeforemappingsexpire.Youcanusethisinformationtohelp
troubleshootUserIDissues.Forexample,ifthefirewallisapplyingthewrongpolicy
ruleforauser,youcanviewthelogstoverifywhetherthatuserismappedtothe
correctIPaddressandwhetherthegroupassociationsarecorrect.
TunnelInspection Displaysanentryforthestartandendofeachinspectedtunnelsession.Thelog
includestheReceiveTime(dateandtimethefirstandlastpacketinthesession
arrived),TunnelID,MonitorTag,SessionID,Securityruleappliedtothetunnel
traffic,andmore.SeePolicies>TunnelInspectionformoreinformation.
Configuration Displaysanentryforeachconfigurationchange.Eachentryincludesthedateand
time,theadministratorusername,theIPaddressfromwherethechangewasmade,
thetypeofclient(webinterfaceorCLI),thetypeofcommandexecuted,whether
thecommandsucceededorfailed,theconfigurationpath,andthevaluesbeforeand
afterthechange.
System Displaysanentryforeachsystemevent.Eachentryincludesthedateandtime,the
eventseverity,andaneventdescription.
Alarms Thealarmslogrecordsdetailedinformationonalarmsthataregeneratedbythe
system.TheinformationinthislogisalsoreportedinAlarms.RefertoDefineAlarm
Settings.
Authentication Displaysinformationaboutauthenticationeventsthatoccurwhenenduserstryto
accessnetworkresourcesforwhichaccessiscontrolledbyAuthenticationpolicy
rules.Youcanusethisinformationtohelptroubleshootaccessissuesandtoadjust
yourAuthenticationpolicyasneeded.Inconjunctionwithcorrelationobjects,you
canalsouseAuthenticationlogstoidentifysuspiciousactivityonyournetwork,
suchasbruteforceattacks.
Optionally,youcanconfigureAuthenticationrulestoLogAuthenticationTimeouts.
Thesetimeoutsrelatetotheperiodoftimewhenauserneedauthenticatefora
resourceonlyoncebutcanaccessitrepeatedly.Seeinginformationaboutthe
timeoutshelpsyoudecideifandhowtoadjustthem.
SystemlogsrecordauthenticationeventsrelatingtoGlobalProtectandto
administratoraccesstothewebinterface.
Monitor Monitor>Logs
LogType Description
Unified DisplaysthelatestTraffic,Threat,URLFiltering,WildFireSubmissions,andData
Filteringlogentriesinasingleview.Thecollectivelogviewenablesyouto
investigateandfilterthesedifferenttypesoflogstogether(insteadofsearching
eachlogsetseparately).Or,youcanchoosewhichlogtypestodisplay:clickthe
arrowtotheleftofthefilterfieldandselecttraffic,threat,url,data,and/or
wildfiretodisplayonlytheselectedlogtypes.
filename,URL,useragent,threatname,orhashcontainedinalogentryandclickthe
dropdown( )toopentheAutoFocusIntelligenceSummaryforthatartifact.
Thefirewalldisplaysalllogssothatrolebasedadministrationpermissionsare
respected.WhenviewingUnifiedlogs,onlythelogsthatyouhavepermissiontosee
aredisplayed.Forexample,anadministratorwhodoesnothavepermissiontoview
WildFireSubmissionslogswillnotseeWildFireSubmissionslogentrieswhen
viewingUnifiedlogs.Forinformationonadministratorpermissions,refertoDevice
>AdminRoles.
YoucanusetheUnifiedlogsetwiththeAutoFocusthreatintelligence
portal.SetupanAutoFocussearch toaddAutoFocussearchfilters
directlytotheUnifiedlogfilterfield.
LogActions
Action Description
FilterLogs Eachlogpagehasafilterfieldatthetopofthepage.Youcanaddartifactstothefield,
suchasanIPaddressoratimerange,tofindmatchinglogentries.Theiconstotheright
ofthefieldenableyoutoapply,clear,create,save,andloadfilters.
Createafilter:
Clickanartifactinalogentrytoaddthatartifacttothefilter.
ClickAdd( )todefinenewsearchcriteria.Foreachcriterion,selectthe
Connectorthatdefinesthesearchtype(andoror),theAttributeonwhichto
basethesearch,anOperatortodefinethescopeofthesearch,andaValuefor
evaluationagainstlogentries.AddeachcriteriontothefilterfieldandClose
whenyoufinish.Youcanthenapply( )thefilter.
IftheValuestringmatchesanOperator(suchashasorin),enclosethestring
inquotationmarkstoavoidasyntaxerror.Forexample,ifyoufilterby
destinationcountryanduseINasaValuetospecifyINDIA,enterthefilteras
( dstloc eq "IN" ).
Thelogfilter(receive_time in last-60-seconds)causesthenumberof
logentries(andlogpages)displayedtogroworshrinkovertime.
ApplyfiltersClickApplyFilter( )todisplaylogentriesthatmatchthecurrent
filter.
DeletefiltersClickClearFilter( )toclearthefilterfield.
SaveafilterClickSaveFilter( ),enteranameforthefilter,andclickOK.
UseasavedfilterClickLoadFilter( )toaddasavedfiltertothefilterfield.
Action Description
ExportLogs ClickExporttoCSV( )toexportalllogsmatchedtothecurrentfiltertoa

CSVformattedreportandcontinuetoDownload file.Bydefault,thereportcontainsup
to2,000linesoflogs.TochangethelinelimitforgeneratedCSVreports,selectDevice
> Setup > Management > Logging and Reporting Settings > Log Export and Reporting
andenteranewMax Rows in CSV Exportvalue.
Highlight Selecttohighlightlogentriesthatmatchtheaction.Thefilteredlogsarehighlightedin
PolicyActions thefollowingcolors:
GreenAllow
YellowContinue,oroverride
RedDeny,drop,dropicmp,rstclient,resetserver,resetboth,blockcontinue,
blockoverride,blockurl,dropall,sinkhole
ChangeLog Tocustomizethelogdisplay:
Display ChangetheautomaticrefreshintervalSelectanintervalfromtheinterval
dropdown(60 seconds,30 seconds,10 seconds,orManual).
ChangethenumberandorderofentriesdisplayedperpageLogentriesare
retrievedinblocksof10pages.
Usethepagingcontrolsatthebottomofthepagetonavigatethroughthelog
list.
Tochangethenumberoflogentriesperpage,selectthenumberofrowsfrom
theperpagedropdown(20,30,40,50,75,or100).
Tosorttheresultsinascendingordescendingorder,usetheASCorDESC
dropdown.
ResolveIPaddressestodomainnamesSelectResolve Hostnametobeginresolving
externalIPaddressestodomainnames.
ChangetheorderinwhichlogsaredisplayedSelectDESCtodisplaylogsin
descendingorderbeginningwithlogentrieswiththemostrecentReceiveTime.
SelectASCtodisplaylogsinascendingorderbeginningwithlogentrieswiththe
oldestReceiveTime.
ViewDetails Toviewinformationaboutindividuallogentries:
forIndividual Todisplayadditionaldetails,clickDetails( )foranentry.Ifthesourceor
LogEntries destinationhasanIPaddresstodomainorusernamemappingdefinedinthe
Addressespage,thenameispresentedinsteadoftheIPaddress.Toviewthe
associatedIPaddress,moveyourcursoroverthename.
OnafirewallwithanactiveAutoFocuslicense,hovernexttoanIPaddress,filename,
URL,useragent,threatname,orhashcontainedinalogentryandclickthe
dropdown( )toopentheAutoFocusIntelligenceSummaryfortheartifact.
Monitor Monitor>ExternalLogs
Monitor>ExternalLogs
UsethispagetoviewlogsingestedfromtheTrapsEndpointSecurityManager(ESM)intoLogCollectors
thataremanagedbyPanorama.ToviewTrapsESMlogsonPanorama,dothefollowing:
OntheTrapsESMserver,configurePanoramaasaSyslogserverandselecttheloggingeventstoforward
toPanorama.Theeventscanincludesecurityevents,policychanges,agentandESMServerstatus
changes,andchangestoconfigurationsettings.
OnaPanoramathatisdeployedinPanoramamodewithoneormoreManagedLogCollectors,setupa
logingestionprofile(Panorama>LogIngestionProfile)andattachtheprofiletoaCollectorGroup
(Panorama>CollectorGroups)inwhichtostoretheTrapsESMlogs.
ExternallogsarenotassociatedwithadevicegroupandarevisibleonlywhenyouselectDevice Group:All
becausethelogsarenotforwardedfromfirewalls.
LogType Description
Monitor > External Logs > Thesethreateventsincludeallprevention,notification,provisional,and

Traps ESM >Threat postdetectioneventsthatarereportedbytheTrapsagents.
Monitor > External Logs > ESMServersystemeventsincludechangesrelatedtoESMstatus,licenses,ESMTech

Traps ESM > System Supportfiles,andcommunicationwithWildFire.
Monitor > External Logs > Policychangeeventsincludechangestorules,protectionlevels,contentupdates,

Traps ESM > Policy hashcontrollogs,andverdicts.
Monitor > External Logs > Agentchangeeventsoccurontheendpointandincludechangestocontentupdates,

Traps ESM > Agent licenses,software,connectionstatus,onetimeactionrules,processesandservices,
andquarantinedfiles.
Monitor > External Logs > ESMconfigurationchangeeventsincludesystemwidechangestolicensing,

Traps ESM > Config administrativeusersandroles,processes,restrictionsettings,andconditions.
Panoramacancorrelatediscretesecurityeventsontheendpointswitheventsonthenetworktotraceany
suspiciousormaliciousactivitybetweentheendpointsandthefirewall.Toviewcorrelatedeventsthat
Panoramaidentifies,seeMonitor>AutomatedCorrelationEngine>CorrelatedEvents.
Monitor>AutomatedCorrelationEngine Monitor
Monitor>AutomatedCorrelationEngine
Theautomatedcorrelationenginetrackspatternsonyournetworkandcorrelateseventsthatindicatean
escalationinsuspiciousbehaviororeventsthatamounttomaliciousactivity.Theenginefunctionsasyour
personalsecurityanalystwhoscrutinizesisolatedeventsacrossthedifferentsetsoflogsonthefirewall,
queriesthedataforspecificpatterns,andconnectsthedotssothatyouhaveactionableinformation.
Thecorrelationengineusescorrelationobjectsthatgeneratecorrelatedevents.Correlatedeventscollate
evidencetohelpyoutracecommonalityacrossseeminglyunrelatednetworkeventsandprovidethefocus
forincidentresponse.
Theautomatedcorrelationengineissupportedonthefollowingmodelsonly:
PanoramaMSeriesandthevirtualappliance
PA800Seriesfirewalls
Whatarecorrelationobjects? Monitor>AutomatedCorrelationEngine>Correlation
Objects
Whatisacorrelatedevent? Monitor>AutomatedCorrelationEngine>Correlated
WheredoIseethematchevidence Events
foracorrelationmatch?
HowcanIseeagraphicalviewof SeetheCompromisedHostswidgetinACC.
correlationmatches?
Looking for more? UsetheAutomatedCorrelationEngine
Monitor Monitor>AutomatedCorrelationEngine>CorrelationObjects
Monitor>AutomatedCorrelationEngine>Correlation
Objects
Tocountertheadvancesinexploitsandmalwaredistributionmethods,correlationobjectsextendthe
signaturebasedmalwaredetectioncapabilitiesonthefirewall.Theyprovidetheintelligenceforidentifying
suspiciousbehaviorpatternsacrossdifferentsetsoflogsandtheygathertheevidencerequiredto
investigateandpromptlyrespondtoanevent.
Acorrelationobjectisadefinitionfilethatspecifiespatternsformatching,thedatasourcestousefor
performingthelookups,andthetimeperiodwithinwhichtolookforthesepatterns.Apatternisaboolean
structureofconditionsthatquerythedatasources,andeachpatternisassignedaseverityandathreshold,
whichisnumberoftimethepatternmatchoccurswithinadefinedtimelimit.Whenapatternmatchoccurs,
acorrelationeventislogged.
Thedatasourcesusedforperforminglookupscanincludethefollowinglogs:applicationstatistics,traffic,
trafficsummary,threatsummary,threat,datafiltering,andURLfiltering.Forexample,thedefinitionfora
correlationobjectcanincludeasetofpatternsthatquerythelogsforevidenceofinfectedhosts,evidence
ofmalwarepatterns,orforlateralmovementofmalwareinthetraffic,urlfiltering,andthreatlogs.
CorrelationobjectsaredefinedbyPaloAltoNetworksandarepackagedwithcontentupdates.Youmust
haveavalidthreatpreventionlicensetogetcontentupdates.
Bydefault,allcorrelationobjectsareenabled.Todisableanobject,selecttheobjectandDisableit.
Correlation Description
ObjectFields
NameandTitle Thelabelindicatesthetypeofactivitythatthecorrelationobjectdetects.
ID Auniquenumberidentifiesthecorrelationobject.Thisnumberisinthe6000series.
Category Asummaryofthekindofthreatorharmposedtothenetwork,user,orhost.
State Thestateindicateswhetherthecorrelationobjectisenabled(active)ordisabled
(inactive).
Description ThedescriptionspecifiesthematchconditionsforwhichthefirewallorPanoramawill
analyzelogs.Itdescribestheescalationpatternorprogressionpaththatwillbeused
toidentifymaliciousactivityorsuspicioushostbehavior.
Monitor>AutomatedCorrelationEngine>CorrelatedEvents Monitor
Monitor>AutomatedCorrelationEngine>Correlated
Events
CorrelatedeventsexpandthethreatdetectioncapabilitiesonthefirewallandPanorama;thecorrelated
eventsgatherevidenceofsuspiciousorunusualbehaviorofusersorhostsonthenetwork.
Thecorrelationobjectmakesitpossibletopivotoncertainconditionsorbehaviorsandtracecommonalities
acrossmultiplelogsources.Whenthesetofconditionsspecifiedinacorrelationobjectareobservedonthe
network,eachmatchisloggedasacorrelatedevent.
Thecorrelatedeventincludesthedetailslistedinthefollowingtable.
Field Description
MatchTime Thetimethecorrelationobjecttriggeredamatch.
UpdateTime Thetimestampwhenthematchwaslastupdated.
ObjectName Thenameofthecorrelationobjectthattriggeredthematch.
SourceAddress TheIPaddressoftheuserfromwhomthetrafficoriginated
SourceUser Theuserandusergroupinformationfromthedirectoryserver,ifUserIDis
enabled.
Severity Aratingthatclassifiestheriskbasedontheextentofdamagecaused.
Summary Adescriptionthatsummarizestheevidencegatheredonthecorrelatedevent.
Toviewthedetailedlogview,clickDetails( )foranentry.Thedetailedlogviewincludesalltheevidence
foramatch:
Tab Description
Match ObjectDetailsPresentsinformationonthecorrelationobjectthattriggeredthe
Information match.Forinformationoncorrelationobjects,seeMonitor>AutomatedCorrelation
Engine>CorrelationObjects.
MatchDetailsAsummaryofthematchdetailsthatincludesthematchtime,last
updatetimeonthematchevidence,severityoftheevent,andaneventsummary.
Match Thistabincludesalltheevidencethatcorroboratesthecorrelatedevent.Itlists
Evidence detailedinformationontheevidencecollectedforeachsession.
SeeagraphicaldisplayoftheinformationintheCorrelated Eventstab,seetheCompromisedHostswidget
ontheACC > Threat Activitytab.IntheCompromisedHostswidget,thedisplayisaggregatedbysourceuser
andIPaddressandsortedbyseverity.
Toconfigurenotificationswhenacorrelatedeventislogged,gototheDevice > Log SettingsorPanorama >
Log Settingstab.
Monitor Monitor>PacketCapture
Monitor>PacketCapture
AllPaloAltoNetworksfirewallshaveabuiltinpacketcapture(pcap)featureyoucanusetocapturepackets
thattraversethenetworkinterfacesonthefirewall.Youcanthenusethecaptureddatafortroubleshooting
purposesortocreatecustomapplicationsignatures.
ThepacketcapturefeatureisCPUintensiveandcandegradefirewallperformance.Onlyuse
thisfeaturewhennecessaryandmakesuretoturnitoffafteryoucollecttherequiredpackets.
Whatarethedifferentmethods PacketCaptureOverview
thefirewallcanusetocapture
packets?
HowdoIgenerateacustompacket BuildingBlocksforaCustomPacketCapture
capture?
HowdoIgeneratepacketcaptures EnableThreatPacketCapture
whenthefirewalldetectsathreat?
WheredoIdownloadapacket PacketCaptureOverview
capture?
Looking for more?
Turnonextendedpacketcapture Device>Setup>ContentID
forsecurityprofiles.
Usepacketcapturetowrite SeeDoc2015.
customapplicationsignatures.
Thisexampleusesathirdpartyappbutyoucanusethe
firewalltocapturetherequiredpackets.
Preventafirewalladminfrom DefineWebInterfaceAdministratorAccess.
viewingpacketcaptures.
Seeanexample. SeeTakePacketCaptures.
PacketCaptureOverview
YoucanconfigureaPaloAltoNetworksfirewalltoperformacustompacketcaptureorathreatpacket
capture.
CustomPacketCaptureCapturepacketsforalltrafficortrafficbasedonfiltersyoudefine.Forexample,
youcanconfigurethefirewalltocaptureonlypacketstoandfromaspecificsourceanddestinationIP
addressorport.Usethesepacketcapturestotroubleshootnetworktrafficrelatedissuesortogather
applicationattributestowritecustomapplicationsignatures(Monitor > Packet Capture).Youdefinethefile
namebasedonthestage(Drop,Firewall,Receive,orTransmit)and,afterthepcapiscomplete,you
downloadthepcapintheCapturedFilessection.
Monitor>PacketCapture Monitor
ThreatPacketCaptureCapturepacketswhenthefirewalldetectsavirus,spyware,orvulnerability.You
enablethisfeatureinAntivirus,AntiSpyware,andVulnerabilityProtectionsecurityprofiles.These
packetcapturesprovidecontextaroundathreattohelpyoudetermineifanattackissuccessfulorto
learnmoreaboutthemethodsusedbyanattacker.Theactionforthethreatmustbesettoeitherallow
oralert;otherwise,thethreatisblockedandpacketscannotbecaptured.Youconfigurethistypeof
packetcaptureintheObjects > Security Profiles.Todownload( )pcaps,selectMonitor > Threat.
BuildingBlocksforaCustomPacketCapture
ThefollowingtabledescribesthecomponentsoftheMonitor > Packet Capturepagethatyouusetoconfigure

packetcaptures,enablepacketcapture,andtodownloadpacketcapturefiles.
CustomPacket ConfiguredIn Description

CaptureBuilding
Blocks
ManageFilters ConfigureFiltering Whenenablingcustompacketcaptures,youshoulddefine

filterssothatonlythepacketsthatmatchthefiltersare
captured.Thiswillmakeiteasiertolocatetheinformationyou
needinthepcapsandwillreducetheprocessingpowerrequired
bythefirewalltoperformthepacketcapture.
ClickAddtoaddanewfilterandconfigurethefollowingfields:
IdEnterorselectanidentifierforthefilter.
Ingress InterfaceSelecttheingressinterfaceonwhichyou
wanttocapturetraffic.
SourceSpecifythesourceIPaddressofthetrafficto
capture.
DestinationSpecifythedestinationIPaddressofthetraffic
tocapture.
Src PortSpecifythesourceportofthetraffictocapture.
Dest PortSpecifythedestinationportofthetrafficto
capture.
ProtoSpecifytheprotocolnumbertofilter(1255).For
example,ICMPisprotocolnumber1.
Non-IPChoosehowtotreatnonIPtraffic(excludeallIP
traffic,includeallIPtraffic,includeonlyIPtraffic,ordonot
includeanIPfilter).BroadcastandAppleTalkareexamplesof
NonIPtraffic.
IPv6SelectthisoptiontoincludeIPv6packetsinthefilter.
Filtering ConfigureFiltering Afterdefiningfilters,settheFilteringtoON.IffilteringisOFF,

thenalltrafficiscaptured.
PreParseMatch ConfigureFiltering Thisoptionisforadvancedtroubleshootingpurposes.Aftera

packetenterstheingressport,itproceedsthroughseveral
processingstepsbeforeitisparsedformatchesagainst
preconfiguredfilters.
Itispossibleforapacket,duetoafailure,tonotreachthe
filteringstage.Thiscanoccur,forexample,ifaroutelookupfails.
SetthePre-Parse MatchsettingtoONtoemulateapositive
matchforeverypacketenteringthesystem.Thisallowsthe
firewalltocapturepacketsthatdonotreachthefiltering
process.Ifapacketisabletoreachthefilteringstage,itisthen
processedaccordingtothefilterconfigurationanddiscardedif
itfailstomeetfilteringcriteria.
Monitor>PacketCapture Monitor
CustomPacket ConfiguredIn Description

CaptureBuilding
Blocks
PacketCapture ConfigureCapturing ClickthetoggleswitchtoturnpacketcaptureONorOFF.

Youmustselectatleastonecapturestage.ClickAddandspecify
thefollowing:
StageIndicatethepointatwhichtocapturepackets:
dropWhenpacketprocessingencountersanerrorand
thepacketisdropped.
firewallWhenthepackethasasessionmatchorafirst
packetwithasessionissuccessfullycreated.
receiveWhenthepacketisreceivedonthedataplane
processor.
transmitWhenthepacketistransmittedonthe
dataplaneprocessor.
FileSpecifythecapturefilename.Thefilenameshould
beginwithaletterandcanincludeletters,digits,periods,
underscores,orhyphens.
Packet CountSpecifythemaximumnumberofpackets,
afterwhichcapturingstops.
Byte CountSpecifythemaximumnumberofbytes,after
whichcapturingstops.
CapturedFiles CapturedFiles Containsalistofcustompacketcapturespreviouslygenerated

bythefirewall.Clickafiletodownloadittoyourcomputer.To
deleteapacketcapture,selectthepacketcaptureandthen
Deleteit.
File NameListsthepacketcapturefiles.Thefilenamesare
basedonthefilenameyouspecifyforthecapturestage
DateDatethefilewasgenerated.
Size (MB)Thesizeofthecapturefile.
Afteryouturnonpacketcaptureandthenturnitoff,youmust
clickRefresh( )beforeanynewpcapfilesdisplayinthislist.
ClearAllSettings Settings ClickClear All Settingstoturnoffpacketcaptureandtoclear

allpacketcapturesettings.
Thisdoesnotturnoffpacketcapturesetinasecurity
profile.Forinformationonenablingpacketcaptureona
securityprofile,seeEnableThreatPacketCapture.
EnableThreatPacketCapture
Objects>SecurityProfiles
Toenablethefirewalltocapturepacketswhenitdetectsathreat,enablethepacketcaptureoptioninthe
securityprofile.
FirstselectObjects > Security Profilesandthenmodifythedesiredprofileasdescribedinthefollowingtable:
PacketCapture Location
Optionsin
SecurityProfiles
Antivirus Selectacustomantivirusprofileand,intheAntivirustab,selectPacket Capture.
AntiSpyware SelectacustomAntiSpywareprofile,clicktheDNS Signaturestaband,inthe

Packet Capturedropdown,selectsingle-packetorextended-capture.
Vulnerability SelectacustomVulnerabilityProtectionprofileand,intheRulestab,clickAddto
Protection addanewruleorselectanexistingrule.ThenselectthePacket Capturedropdown
andselectsingle-packetorextended-capture.
InAntiSpywareandVulnerabilityProtectionprofiles,youcanalsoenablepacketcaptureonexceptions.Click
theExceptionstabandinthePacketCapturecolumnforasignature,clickthedropdownandselect
single-packetorextended-capture.
(Optional)Todefinethelengthofathreatpacketcapturebasedonthenumberofpacketscaptured(and
whichisbasedonaglobalsetting),selectDevice > Setup > Content-IDand,intheContentIDSettingssection,
modifytheExtended Packet Capture Length (packets)field(rangeis150;defaultis5).
Afteryouenablepacketcaptureonasecurityprofile,youneedtoverifythattheprofileispartofasecurity
rule.Forinformationonhowtoaddasecurityprofiletoasecurityrule,seeSecurityPolicyOverview.
Eachtimethefirewalldetectsathreatwhenpacketcaptureisenabledonthesecurityprofile,youcan
download( )orexportthepacketcapture.
Monitor>AppScope Monitor
Monitor>AppScope
TheAppScopereportsprovidegraphicalvisibilityintothefollowingaspectsofyournetwork:
Changesinapplicationusageanduseractivity
Usersandapplicationsthattakeupmostofthenetworkbandwidth
Networkthreats
WiththeAppScopereports,youcanquicklyseeifanybehaviorisunusualorunexpected,andhelpspinpoint
problematicbehavior;eachreportprovidesadynamic,usercustomizablewindowintothenetwork.The
reportsincludeoptionstoselectthedataandrangestodisplay.OnPanorama,youcanalsoselecttheData
Sourcefortheinformationthatisdisplayed.Thedefaultdatasource(onnewPanoramainstallations)uses
thelocaldatabaseonPanorama,whichstoreslogsforwardedbythemanagedfirewalls;onanupgrade,the
defaultdatasourceistheRemote Device Data(managedfirewalldata).Tofetchanddisplayanaggregated
viewofthedatadirectlyfromthemanagedfirewalls,younowhavetoswitchthesourcefromPanoramato
Remote Device Data.
HoveringthemouseoverandclickingeitherthelinesorbarsonthechartsswitchestotheACCandprovides
detailedinformationaboutthespecificapplication,applicationcategory,user,orsource.
ApplicationCommand Description
CenterCharts
Summary SummaryReport
ChangeMonitor ChangeMonitorReport
ThreatMonitor ThreatMonitorReport
ThreatMap ThreatMapReport
NetworkMonitor NetworkMonitorReport
TrafficMap TrafficMapReport
Monitor Monitor>AppScope
SummaryReport
TheSummaryreportdisplayschartsforthetopfivegainers,losers,andbandwidthconsumingapplications,
applicationcategories,users,andsources.
ToexportthechartsinthesummaryreportasaPDF,clickExport( ).Eachchartissavedasapage
inthePDFoutput.
AppScopeSummaryReport
ChangeMonitorReport
TheChangeMonitorreportdisplayschangesoveraspecifiedtimeperiod.Forexample,thefigurebelow
displaysthetopapplicationsthatgainedinuseoverthelasthourascomparedwiththelast24hourperiod.
Thetopapplicationsaredeterminedbysessioncountandsortedbypercentage.
AppScopeChangeMonitorReport
Thisreportcontainsthefollowingoptions.
ChangeMonitorReportOptions Description
Top Bar
Top10 Determinesthenumberofrecordswiththehighest
measurementincludedinthechart.
Application Determinesthetypeofitemreported:Application,
ApplicationCategory,Source,orDestination.
Gainers Displaysmeasurementsofitemsthathaveincreased
overthemeasuredperiod.
Losers Displaysmeasurementsofitemsthathavedecreased
overthemeasuredperiod.
New Displaysmeasurementsofitemsthatwereaddedover
themeasureperiod.
Dropped Displaysmeasurementsofitemsthatwere
discontinuedoverthemeasureperiod.
Filter Appliesafiltertodisplayonlytheselecteditem.None
displaysallentries.
ChangeMonitorReportOptions Description
CountSessionsandCountBytes Determineswhethertodisplaysessionorbyte
information.
Sort Determineswhethertosortentriesbypercentageor
rawgrowth.
Export Exportsthegraphasa.pngimageorasaPDF.
Bottom Bar
Compare(interval) Specifiestheperiodoverwhichthechange
measurementsaretaken.
ThreatMonitorReport
TheThreatMonitorreportdisplaysacountofthetopthreatsovertheselectedtimeperiod.Forexample,
thefigurebelowshowsthetop10threattypesforthepast6hours.
AppScopeThreatMonitorReport
Eachthreattypeiscolorcodedasindicatedinthelegendbelowthechart.Thisreportcontainsthefollowing
options.
ThreatMonitorReportOptions Description
Top Bar
Threat Determinesthetypeofitemmeasured:Threat,Threat
Category,Source,orDestination.
Filter Appliesafiltertodisplayonlytheselecteditem.
Determineswhethertheinformationispresentedinastacked
columnchartorastackedareachart.
Bottom Bar
Specifiestheperiodoverwhichthemeasurementsaretaken.
ThreatMapReport
TheThreatMapreportshowsageographicalviewofthreats,includingseverity.
AppScopeThreatMapReport
Eachthreattypeiscolorcodedasindicatedinthelegendbelowthechart.Clickacountryonthemapto
Zoom InandthenZoom Outasneeded.Thisreportcontainsthefollowingoptions.
ThreatMapReportOptions Description
Top Bar
Incomingthreats Displaysincomingthreats.
Outgoingthreats Displaysoutgoingthreats.
Filter Appliesafiltertodisplayonlytheselecteditem.
ZoomInandZoomOut Zoominandzoomoutofthemap.
Bottom Bar
Indicatestheperiodoverwhichthemeasurementsaretaken.
NetworkMonitorReport
TheNetworkMonitorreportdisplaysthebandwidthdedicatedtodifferentnetworkfunctionsoverthe
specifiedperiodoftime.Eachnetworkfunctioniscolorcodedasindicatedinthelegendbelowthechart.
Forexample,theimagebelowshowsapplicationbandwidthforthepast7daysbasedonsession
information.
AppScopeNetworkMonitorReport
Thereportcontainsthefollowingoptions.
NetworkMonitorReportOptions Description
Top Bar
Application Determinesthetypeofitemreported:Application,Application
Category,Source,orDestination.
Filter Appliesafiltertodisplayonlytheselecteditem.Nonedisplaysall
entries.
CountSessionsandCountBytes Determineswhethertodisplaysessionorbyteinformation.
Determineswhethertheinformationispresentedinastacked
columnchartorastackedareachart.
Bottom Bar
Indicatestheperiodoverwhichthechangemeasurementsare
taken.
TrafficMapReport
TheTrafficMapreportshowsageographicalviewoftrafficflowsaccordingtosessionsorflows.
AppScopeTrafficMapReport
Eachtraffictypeiscolorcodedasindicatedinthelegendbelowthechart.Thisreportcontainsthefollowing
options.
TrafficMapReportOptions Description
Top Bar
Top10 Determinesthenumberofrecordswiththe
highestmeasurementincludedinthechart.
Incomingtraffic Displaysincomingtraffic.
Outgoingtraffic Displaysoutgoingtraffic.
CountSessionsandCountBytes Determineswhethertodisplaysessionorbyte
information.
ZoomInandZoomOut Zoominandzoomoutofthemap.
Export Exportthegraphasa.pngimageorasaPDF.
Bottom Bar
Indicatestheperiodoverwhichthechange
measurementsaretaken.
Monitor>SessionBrowser Monitor
Monitor>SessionBrowser
SelectMonitor > Session Browsertobrowseandfiltercurrentrunningsessionsonthefirewall.Forinformation

onfilteringoptionsforthispage,seeLogActions.
Monitor Monitor>BlockIPList
Monitor>BlockIPList
YoucanconfigurethefirewalltoplaceIPaddressesontheblocklistinseveralways,includingthefollowing:
ConfigureaDoSProtectionpolicyrulewiththeActiontoProtectandapplyaClassifiedDoSProtection
profiletotherule.TheprofileincludestheBlockDuration.
ConfigureaSecuritypolicyrulewithaVulnerabilityProtectionprofilethatusesarulewiththeActionto
Block IPandapplytheruletoazone.
TheBlockIPListissupportedonPA3050,PA3060,PA5000Series,PA5200Series,andPA7000Series
firewalls.
WhatdotheBlockIPListfields BlockIPListEntries
indicate?
HowdoIfilter,navigate,ordelete VieworDeleteBlockIPListEntries
BlockIPListentries?
Looking for more? SetUpAntivirus,AntiSpyware,andVulnerabilityProtection

DoSProtectionAgainstFloodingofNewSessions
MonitorBlockedIPAddresses
BlockIPListEntries
ThefollowingtableexplainstheblocklistentryforasourceIPaddressthatthefirewallisblocking.
Field Description
BlockTime Month/dayandhours:minutes:secondswhentheIPaddresswentontheBlock
IPList.
Type Typeofblockaction:whetherthehardware(hw)orsoftware(sw)blockedthe
IPaddress.
WhenyouconfigureaDoSProtectionpolicyoraSecuritypolicythatusesa
VulnerabilityProtectionprofiletoblockconnectionsfromsourceIPv4
addresses,thefirewallautomaticallyblocksthattrafficinhardwarebefore
thosepacketsuseCPUorpacketbufferresources.Ifattacktrafficexceedsthe
blockingcapacityofthehardware,thefirewallusessoftwaretoblockthe
traffic.
SourceIPAddress SourceIPaddressofthepacketthatthefirewallblocked.
IngressZone Securityzoneassignedtotheinterfacewherethepacketenteredthefirewall.
TimeRemaining NumberofsecondsremainingfortheIPaddresstobeontheBlockIPList.
BlockSource NameoftheclassifiedDoSProtectionprofileorVulnerabilityprotectionobject
namewhereyouspecifiedtheBlockIPaction.
Monitor>BlockIPList Monitor
Field Description
TotalBlockedIPs:xoutof CountofblockedIPaddresses(x)outofthenumberofblockedIPaddressesthe
y(z%used) firewallsupports(y),andthecorrespondingpercentageofblockedIPaddresses
used(z).
VieworDeleteBlockIPListEntries
NavigatetheBlockIPlistentries,viewdetailedinformation,anddeleteanentryifdesired.
VieworDeleteBlockIPListEntries
Searchforspecific Selectavalueinacolumn,whichentersafilterintheFiltersfield,andclicktheright
BlockIPList arrowtoinitiatethesearchforentrieswiththatvalue.
information ClicktheXtoremovethefilter.
ViewBlockIPList EnterapagenumberinthePagefieldorclickthesinglearrowstoseetheNextPage
entriesbeyondthe orPreviousPageofentries.ClickthedoublearrowstoviewtheLastPageorFirst
currentscreen Pageofentries.
Viewdetailed ClickonaSourceIPAddressofanentry,whichlinkstoNetworkSolutionsWhoIs
informationaboutanIP withinformationabouttheaddress.
addressontheBlockIP
List
DeleteBlockIPList SelectanentryandclickDelete.
entries
CleartheentireBlockIP ClickClear Alltopermanentlydeleteallentries,whichmeansthosepacketsareno

List longerblocked.
Monitor Monitor>Botnet
Monitor>Botnet
Thebotnetreportenablesyoutousebehaviorbasedmechanismstoidentifypotentialmalwareand
botnetinfectedhostsinyournetwork.Thereportassignseachhostaconfidencescoreof1to5toindicate
thelikelihoodofbotnetinfection,where5indicatesthehighestlikelihood.Beforeschedulingthereportor
runningitondemand,youmustconfigureittoidentifytypesoftrafficassuspicious.ThePANOS
AdministratorsGuideprovidesdetailsoninterpretingbotnetreportoutput.
ManagingBotnetReports
ConfiguringtheBotnetReport
ManagingBotnetReports
Monitor>Botnet>ReportSetting
Beforegeneratingthebotnetreport,youmustspecifythetypesoftrafficthatindicatepotentialbotnet
activity(seeConfiguringtheBotnetReport).Toscheduleadailyreportorrunitondemand,clickReport
Settingandcompletethefollowingfields.Toexportareport,selectitandExport to PDF,Export to CSV,or
Export to XML.
BotnetReportSettings Description
TestRunTimeFrame SelectthetimeintervalforthereportLast 24 Hours(default)orLast

Calendar Day.
RunNow ClickRun Nowtomanuallyandimmediatelygenerateareport.Thereport

displaysinanewtabwithintheBotnetReportdialog.
No.ofRows Specifythenumberofrowstodisplayinthereport(defaultis100).
Scheduled Selectthisoptiontoautomaticallygeneratethereportdaily.Bydefault,this
optionisenabled.
QueryBuilder (Optional)AddqueriestotheQueryBuildertofilterthereportoutputby
attributessuchassource/destinationIPaddresses,users,orzones.For
example,ifyouknowthattrafficinitiatedfromtheIPaddress192.0.2.0
containsnopotentialbotnetactivity,youcanadd
not (addr.src in 192.0.2.0)asaquerytoexcludethathostfromthe
reportoutput.
ConnectorSelectalogicalconnector(andoror).IfyouselectNegate,
thereportwillexcludethehoststhatthequeryspecifies.
AttributeSelectazone,address,oruserthatisassociatedwiththehosts
thatthefirewallevaluatesforbotnetactivity.
OperatorSelectanoperatortorelatetheAttributetoaValue.
ValueEnteravalueforthequerytomatch.
Monitor>Botnet Monitor
ConfiguringtheBotnetReport
Monitor>Botnet>Configuration
Tospecifythetypesoftrafficthatindicatepotentialbotnetactivity,clickConfigurationontherightsideof
theBotnetpageandcompletethefollowingfields.Afterconfiguringthereport,youcanrunitondemandor
scheduleittorundaily(seeMonitor>PDFReports>ManagePDFSummary).
BotnetConfiguration Description
Settings
HTTPTraffic EnableanddefinetheCountforeachtypeofHTTPTrafficthatthereport
willinclude.TheCountvaluesyouenteraretheminimumnumberofevents
ofeachtraffictypethatmustoccurforthereporttolisttheassociatedhost
withahigherconfidencescore(higherlikelihoodofbotnetinfection).Ifthe
numberofeventsislessthantheCount,thereportwilldisplaythelower
confidencescoreor(forcertaintraffictypes)wontdisplayanentryforthe
host.
Malware URL visit(rangeis21000;defaultis5)Identifiesusers
communicatingwithknownmalwareURLsbasedonmalwareandbotnet
URLfilteringcategories.
Use of dynamic DNS(rangeis21000;defaultis5)Looksfordynamic
DNSquerytrafficthatmightindicatemalware,botnetcommunications,
orexploitkits.Generally,usingdynamicDNSdomainsisveryrisky.
MalwareoftenusesdynamicDNStoavoidIPblacklisting.Considerusing
URLfilteringtoblocksuchtraffic.
Browsing to IP domains(rangeis21000;defaultis10)Identifiesusers
whobrowsetoIPdomainsinsteadofURLs.
Browsing to recently registered domains(rangeis21000;defaultis
5)Looksfortraffictodomainsthatwereregisteredwithinthepast30
days.Attackers,malware,andexploitkitsoftenusenewlyregistered
domains.
Executable files from unknown sites(rangeis21000;defaultis5)
IdentifiesexecutablefilesdownloadedfromunknownURLs.Executable
filesareapartofmanyinfectionsand,whencombinedwithothertypes
ofsuspicioustraffic,canhelpyouprioritizehostinvestigations.
UnknownApplications Definethethresholdsthatdeterminewhetherthereportwillincludetraffic
associatedwithsuspiciousUnknownTCPorUnknownUDPapplications.
Sessions Per Hour(rangeis13600;defaultis10)Thereportincludes
trafficthatinvolvesuptothespecifiednumberofapplicationsessionsper
hour.
Destinations Per Hour(rangeis13600;defaultis10)Thereport
includestrafficthatinvolvesuptothespecifiednumberofapplication
destinationsperhour.
Minimum Bytes(rangeis1200;defaultis50)Thereportincludes
trafficforwhichtheapplicationpayloadequalsorexceedsthespecified
size.
Maximum Bytes(rangeis1200;defaultis100)Thereportincludes
trafficforwhichtheapplicationpayloadisequaltoorlessthanthe
specifiedsize.
IRC SelectthisoptiontoincludetrafficinvolvingIRCservers.
Monitor Monitor>PDFReports
Monitor>PDFReports
Monitor>PDFReports>ManagePDFSummary
Monitor>PDFReports>UserActivityReport
Monitor>PDFReports>SaaSApplicationUsage
Monitor>PDFReports>ReportGroups
Monitor>PDFReports>EmailScheduler
Monitor>PDFReports>ManagePDFSummary Monitor
Monitor>PDFReports>ManagePDFSummary
PDFsummaryreportscontaininformationcompiledfromexistingreports,basedondataforthetop5in
eachcategory(insteadoftop50).Theyalsocontaintrendchartsthatarenotavailableinotherreports.
PDFSummaryReport
TocreatePDFsummaryreports,clickAdd.ThePDF Summary Reportpageopenstoshowalloftheavailable

reportelements.
ManagingPDFReports
Monitor Monitor>PDFReports>ManagePDFSummary
Useoneormoreoftheseoptionstodesignthereport:
Toremoveanelementfromthereport,clickdelete([X])orcleartheitemfromtheappropriate
dropdown.
Selectadditionalelementsbyselectingthemintheappropriatedropdown.
Draganddropanelementtomoveittoanotherareaofthereport.
Thereisamaximumof18reportelementsallowed.Ifyouhave18already,youmustdelete
existingelementsbeforeyoucanaddnewones.
ToSavethereport,enterareportname,andclickOK.
TodisplayPDFreports,selectMonitor > ReportsandclickPDF Summary Reportandclickareporttoopenor
savethatreport.Youcanalsoexportareportusingtheoptionsatthebottomofthepage(Export to PDF,
Export to CSV,orExport to XML)orclickadayinthecalendartodownloadareportforthatday.
NewPDFsummaryreportswillnotappearuntilafterthereportruns,whichwilloccur
automaticallyevery24hoursat2a.m.
Monitor>PDFReports>UserActivityReport Monitor
Monitor>PDFReports>UserActivityReport
Usethispagetocreatereportsthatsummarizetheactivityofindividualusersorusergroups.ClickAddand
specifythefollowinginformation.
User/GroupActivity Description
ReportSettings
Name Enteranametoidentifythereport(upto31characters).Thenameis
casesensitiveandmustbeunique.Useonlyletters,numbers,spaces,
hyphens,andunderscores.
Type ForUserActivityReport:SelectUserandentertheUsernameorIP address

(IPv4orIPv6)oftheuserwhowillbethesubjectofthereport.
ForGroupActivityReport:SelectGroupandentertheGroup Name.
TimePeriod Selectthetimeframeforthereportfromthedropdown.
IncludeDetailed (Optional)SelectthisoptiontoincludedetailedURLlogsinthereport.
Browsing Thedetailedbrowsinginformationcanincludealargevolumeoflogs
(thousands)fortheselecteduserorusergroupandcauseareportto
beverylarge.
TheGroupActivityReportdoesnotincludeBrowsingSummarybyURLCategory;allother
informationiscommonacrosstheUserActivityReportandtheGroupActivityReport.
Torunthereportondemand,clickRun Now.Tochangethemaximumnumberofrowsthatdisplayinthe
report,seeLoggingandReportingSettings.
Tosavethereport,clickOK.Youcanthenschedulethereportforemaildelivery(Monitor>PDFReports>
EmailScheduler).
Monitor Monitor>PDFReports>SaaSApplicationUsage
Monitor>PDFReports>SaaSApplicationUsage
UsethispagetocreateareportthatsummarizestheSaaSapplicationactivityonyournetwork.This
predefinedreportpresentsacomparisononthesanctionedversusunsanctionedSaaSapplicationusageon
yournetworkandyoucanusethisinformationtohelpsteeryouruserstowardsanctionedapplications.You
canthenenforcegranularcontextandapplicationbasedpoliciesforSaaSapplicationsthatyouwanttoallow
orblockonyournetwork.
Forgeneratinganaccurateandinformativereport,youmusttagthesanctionedapplicationsonyour
network(seeActionsSupportedonApplications).ThefirewallandPanoramaconsideranyapplication
withoutthispredefinedtagasunsanctionedforuseonthenetwork.Itisimportanttoknowaboutthe
sanctionedapplicationsandunsanctionedapplicationsthatareprevalentonyournetworkbecause
unsanctionedSaaSapplicationsareapotentialthreattoinformationsecurity;theyarenotapprovedforuse
onyournetworkandcancauseanexposuretothreatsandlossofprivateandsensitivedata.
.
Makesureyoutagapplicationsconsistentlyacrossallfirewallsordevicegroups.Ifthesameapplicationistagged
assanctionedinonevirtualsystemandisnotsanctionedinanotheroronPanorama,ifanapplicationis
unsanctionedinaparentdevicegroupbutistaggedassanctionedinachilddevicegroup(orviceversa)theSaaS
ApplicationUsagereportwillproduceoverlappingresults.
OntheACC,settheApplication ViewtoBy Sanctioned Statetovisuallyidentifyapplicationsthathave
differentsanctionedstateacrossvirtualsystemsordevicegroups.Greenindicatessanctionedapplications,blueis
forunsanctionedapplications,andyellowindicatesapplicationsthathaveadifferentsanctionedstateacross
differentvirtualsystemsordevicegroups.
Toconfigurethereport,clickAddandspecifythefollowinginformation:
SaaSApplicationUsage Description
ReportSettings
TimePeriod Selectthetimeframeforthereportfromthedropdown:Last 7 Days,Last 30

Days,orLast 90 Days.Thereportincludesdatafromthecurrentday(theday
onwhichthereportisgenerated).
Includelogsfrom Fromthedropdown,selectwhetheryouwanttogeneratethereportona
selectedusergroup,onaselectedzone,orforallusergroupsandzones
configuredonthefirewallorPanorama.
ForaselectedusergroupSelecttheUser Groupforwhichthefirewallor
Panoramawillfilterthelogs.
ForaselectedzoneSelecttheZoneforwhichthefirewallorPanorama
willfilterthelogs.
ForallusergroupsandzonesYoucanreportonallgroupsorchooseup
to25usergroupsforwhichyouwantvisibility.Ifyouhavemorethan25
groups,thefirewallorPanoramawilldisplaythetop25groupsinthereport
andassignallremainingusergroupstotheOthersgroup.
Monitor>PDFReports>SaaSApplicationUsage Monitor
SaaSApplicationUsage Description
ReportSettings
Includeusergroup Thisoptionfiltersthelogsfortheusergroupsyouwanttoincludeinthe
informationinthereport report.Selectthemanage groupsorthemanage groups for the selected
(Notavailableifyou zonelinktochooseupto25usergroupsforwhichyouwantvisibility.
choosetogeneratethe Whenyougenerateareportforspecificusergroupsonaselectedzone,users
reportonaSelected whoarenotamemberofanyoftheselectedgroupsareassignedtoauser
User Group.) groupcalledOthers.
Usergroup Selecttheusergroup(s)forwhichyouwanttogeneratethereport.Thisoption
displaysonlywhenyouchooseSelected User GroupintheInclude logs from
dropdown.
Zone Selectthezoneforwhichyouwanttogeneratethereport.Thisoption
displaysonlywhenyouchooseSelected ZoneintheInclude logs from
dropdown.
YoucanthenselectIncludeusergroupinformationinthereport.
Includedetailed TheSaaSApplicationUsagePDFreportisatwopartreport.Bydefault,both
applicationcategory partsofthereportaregenerated.Thefirstpartofthereport(tenpages)
informationinreport focusesontheSaaSapplicationsusedonyournetworkduringthereporting
period.
Clearthisoptionifyoudonotwantthesecondpartofthereportthatincludes
detailedinformationforSaaSandnonSaaSapplicationsforeachapplication
subcategorylistedinthefirstpartofthereport.Thissecondpartofthereport
includesthenamesofthetopapplicationsineachsubcategoryand
informationaboutusers,usergroups,files,bytestransferred,andthreats
generatedfromtheseapplications.
Withoutthedetailedinformation,thereportistenpageslong.
Limitmaxsubcategories SelectwhetheryouwanttouseallapplicationsubcategoriesintheSaaS
inthereportto ApplicationUsagereportorwhetheryouwanttolimitthemaximumnumber
to10,15,20,or25subcategories.
Whenyoureducethemaximumnumberofsubcategories,thedetailedreport
isshorterbecauseyoulimittheSaaSandnonSaaSapplicationactivity
informationincludedinthereport.
ClickRun Nowtogeneratethereportondemand.
Toschedulethereport,seeMonitor>PDFReports>EmailScheduler.
OnPA200andPA500firewalls,theSaaSApplicationUsagereportisnotsentasaPDFattachmentinthe
email.Instead,theemailincludesalinkyouusetoopenthereportinawebbrowser.
Formoreinformationonthereport,seeManageReporting .
Monitor Monitor>PDFReports>ReportGroups
Monitor>PDFReports>ReportGroups
Reportgroupsallowyoutocreatesetsofreportsthatthesystemcancompileandsendasasingleaggregate
PDFreportwithanoptionaltitlepageandalltheconstituentreportsincluded.
ReportGroupSettings Description
Name Enteranametoidentifythereportgroup(upto31characters).Thenameis
TitlePage Selectthisoptiontoincludeatitlepageinthereport.
Title Enterthenamethatwillappearasthereporttitle.
Reportselection/ Foreachreporttoincludeinthegroup,selectthereportintheleftcolumnand
Widgets Addittotherightcolumn.Youcanselectthefollowingreporttypes:
PredefinedReport
CustomReport
PDFSummaryReport
CSV
LogViewWheneveryoucreateacustomreport,thefirewall
automaticallycreatesaLogViewreportwiththesamename.TheLogView
reportshowsthelogsthatthefirewallusedtobuildthecontentsofthe
customreport.Toincludethelogviewdata,whencreatingareportgroup,
addyourCustom ReportsandthenaddthematchingLog Viewreports.
Theaggregatereportgeneratedforthereportgroupdisplaysthecustom
reportdatafollowedbythelogdata.
Afteryousavethereportgroup,theWidgetscolumnoftheReportGroups
pageliststhereportsyouaddedtothegroup.
Tousethereportgroup,refertoMonitor>PDFReports>EmailScheduler.
Monitor>PDFReports>EmailScheduler Monitor
Monitor>PDFReports>EmailScheduler
UsetheEmailschedulertoschedulereportsfordeliverybyemail.Beforeaddingaschedule,youmustdefine
reportgroupsandanemailprofile.RefertoMonitor>PDFReports>ReportGroupsandDevice>Server
Profiles>Email.
Scheduledreportsbeginrunningat2:00AM,andemailforwardingoccursafterallscheduledreportshave
finishedrunning.
EmailSchedulerSettings Description
Name Enteranametoidentifytheschedule(upto31characters).Thenameis
ReportGroup Selectthereportgroup(Monitor>PDFReports>ReportGroups)ortheSaaS
ApplicationUsagereport(Monitor>PDFReports>SaaSApplicationUsage)
youwanttoschedule.
EmailProfile Selecttheprofilethatdefinestheemailsettings.RefertoDevice>Server
Profiles>Emailforinformationondefiningemailprofiles.
Recurrence Selectthefrequencyatwhichtogenerateandsendthereport.
OverrideEmail Enteranoptionalemailaddresstouseinsteadoftherecipientspecifiedinthe
Addresses emailprofile.
Sendtestemail ClicktosendatestemailtotheemailaddressdefinedintheselectedEmail
Profile.
Monitor Monitor>ManageCustomReports
Monitor>ManageCustomReports
Youcancreatecustomreportstorunondemandoronschedule(eachnight).Forreportsthatarepredefined,
selectMonitor > Reports.
Addacustomreporttocreateanewone.Tobasethereportonanexistingtemplate,Load Templateandselect
thetemplate.Togenerateareportondemand,insteadoforinadditiontotheScheduledtime,clickRun Now.
Specifythefollowingsettingstodefinethereport.
CustomReportSettings Description
Description Enteradescriptionforthecustomreport.
Database Choosethedatabasetouseasthedatasourceforthereport.
Scheduled Selectthisoptiontorunthereporteachnight.Thereportthenbecomes
availablebyselectingMonitor > Reports.
TimeFrame ChooseafixedtimeframeorchooseCustomandspecifyadateandtime
range.
SortBy Choosesortingoptionstoorganizethereport,includingtheamountof
informationtoincludeinthereport.Theavailableoptionsdependonthe
choiceofdatabase.
GroupBy Choosegroupingoptionstoorganizethereport,includingtheamountof
informationtoincludeinthereport.Theavailableoptionsdependonthe
choiceofdatabase.
Columns SelectAvailableColumnstoincludeinthecustomreportandadd( )them

toSelectedColumns.SelectUp,Down,Top,andBottomtoreorderselected
columns.Asneeded,youcanalsoselectandremove( )previouslyselected
columns.
QueryBuilder Tobuildareportquery,specifythefollowingandclickAdd.Repeatas
neededtoconstructthefullquery.
ConnectorChoosetheconnector(andoror)toprecedetheexpression
youareadding.
NegateSelectthisoptiontointerpretthequeryasanegation.Inthe
previousexample,thenegateoptioncausesamatchonentriesthatare
notinthepast24hoursorarenotfromtheuntrustzone.
AttributeChooseadataelement.Theavailableoptionsdependonthe
choiceofdatabase.
OperatorChoosethecriteriontodeterminewhethertheattribute
applies(suchas=).Theavailableoptionsdependonthechoiceof
database.
ValueSpecifytheattributevaluetomatch.
Formoreinformation,seeGenerateCustomReports.
Monitor>Reports Monitor
Monitor>Reports
Thefirewallprovidesvarioustop50reportsofthetrafficstatisticsforthepreviousdayoraselectedday
inthepreviousweek.
Toviewareport,expandareportcategory(suchasCustomReports)ontherightsideofthepageandselect
areportname.Thepagelistsreportsinsections.Youcanviewtheinformationineachreportfortheselected
timeperiod.
Bydefault,thefirewalldisplaysallreportsforthepreviouscalendarday.Toviewreportsforotherdates,
selectareportgenerationdateinthecalendaratthebottomrightofthepage.
Toviewreportsonasystemotherthanthefirewall,selectanexportoption:
Export to PDF
Export to CSV
Export to XML
Policies
Thissectiondescribesthefirewallwebinterfacesyoucanusetoconfigurepolicies:
PolicyTypes
MoveorCloneaPolicyRule
Policies>Security
Policies>NAT
Policies>QoS
Policies>PolicyBasedForwarding
Policies>Decryption
Policies>TunnelInspection
Policies>ApplicationOverride
Policies>Authentication
Policies>DoSProtection
PolicyTypes Policies
PolicyTypes
Policiesenableyoutocontrolfirewalloperationbyenforcingrulesandautomatingactions.Thefirewall
supportsthefollowingpolicytypes:
Basicsecuritypoliciestoblockorallowanetworksessionbasedontheapplication,thesourceand
destinationzonesandaddresses,andoptionallybasedontheservice(portandprotocol).Zones
identifythephysicalorlogicalinterfacesthatsendorreceivethetraffic.SeePolicies>Security.
NetworkAddressTranslation(NAT)policiestotranslateaddressesandports.SeetoPolicies>NAT.
QualityofService(QoS)policiestodeterminehowtrafficisclassifiedfortreatmentwhenitpasses
throughaninterfacewithQoSenabled.SeePolicies>QoS.
Policybasedforwardingpoliciestooverridetheroutingtableandspecifyanegressinterfacefortraffic.
SeePolicies>PolicyBasedForwarding.
Decryptionpoliciestospecifytrafficdecryptionforsecuritypolicies.Eachpolicycanspecifythe
categoriesofURLsforthetrafficyouwanttodecrypt.SSHdecryptionisusedtoidentifyandcontrolSSH
tunnelinginadditiontoSSHshellaccess.SeePolicies>Decryption.
TunnelInspectionpoliciestoenforceSecurity,DoSProtection,andQoSpoliciesontunneledtraffic,and
toviewtunnelactivity.SeePolicies>TunnelInspection.
Overridepoliciestooverridetheapplicationdefinitionsprovidedbythefirewall.SeePolicies>
ApplicationOverride.
Authenticationpoliciestodefineauthenticationforenduserswhoaccessnetworkresources.See
Policies>Authentication.
Denialofservice(DoS)policiestoprotectagainstDoSattacksandtakeprotectiveactioninresponseto
rulematches.SeePolicies>DoSProtection.
SharedpolicespushedfromPanoramadisplayinorangeonthefirewallwebinterface.You
caneditthesesharedpoliciesonlyonPanorama;youcannoteditthemonthefirewall.
UsetheTagBrowsertoviewallthetagsusedinarulebase.Inrulebaseswithmanyrules,the
tagbrowsersimplifiesthedisplaybypresentingthetags,colorcode,andtherulenumbersin
whichtagsareused.
Policies MoveorCloneaPolicyRule
MoveorCloneaPolicyRule
Whenmovingorcloningpolicies ,youcanassignaDestination(avirtualsystemonafirewalloradevice
grouponPanorama)forwhichyouhaveaccesspermissions,includingtheSharedlocation.
Tomoveapolicyrule,selecttheruleinthePoliciestab,clickMove,selectMove to other vsys(firewallsonly)
orMove to other device group(Panoramaonly),specifythefieldsinthefollowingtable,andthenclickOK.
Tocloneapolicyrule,selecttheruleinthePoliciestab,clickClone,specifythefieldsinthefollowingtable,
andthenclickOK.
Move/CloneSettings Description
SelectedRules DisplaystheNameandcurrentLocation(virtualsystemordevice
group)ofthepolicyrulesyouselectedfortheoperation.
Destination Selectthenewlocationforthepolicyorobject:avirtualsystem,device
group,orShared.ThedefaultvalueistheVirtual SystemorDevice
GroupthatyouselectedinthePoliciesorObjectstab.
Ruleorder Selecttherulepositionrelativetootherrules:
Move topTherulewillprecedeallotherrules.
Move bottomTherulewillfollowallotherrules.
Before ruleIntheadjacentdropdown,selectthesubsequentrule.
After ruleIntheadjacentdropdown,selecttheprecedingrule.
Erroroutonfirstdetectederror Selectthisoption(selectedbydefault)tomakethefirewallor
invalidation Panoramadisplaythefirsterroritfindsandstopcheckingformore
errors.Forexample,anerroroccursiftheDestinationdoesntinclude
anobjectthatisreferencedinthepolicyruleyouaremoving.Ifyou
clearthisselection,thefirewallorPanoramawillfindallerrorsbefore
displayingthem.
Policies>Security Policies
Policies>Security
Securitypolicyrulesreferencesecurityzonesandenableyoutoallow,restrict,andtracktrafficonyour
networkbasedontheapplication,userorusergroup,andservice(portandprotocol).Bydefault,thefirewall
includesasecurityrulenamedrule1thatallowsalltrafficfromtheTrustzonetotheUntrustzone.
WhatisaSecuritypolicy? SecurityPolicyOverview
ForPanorama,seeMoveorCloneaPolicyRule
Whatarethefieldsavailableto BuildingBlocksinaSecurityPolicyRule
createaSecuritypolicyrule?
HowcanIusethewebinterfaceto CreatingandManagingPolicies
manageSecuritypolicyrules?
OverridingorRevertingaSecurityPolicyRule
Looking for more? SecurityPolicy
SecurityPolicyOverview
Securitypoliciesallowyoutoenforcerulesandtakeaction,andcanbeasgeneralorspecificasneeded.The
policyrulesarecomparedagainsttheincomingtrafficinsequence,andbecausethefirstrulethatmatches
thetrafficisapplied,themorespecificrulesmustprecedethemoregeneralones.Forexample,arulefora
singleapplicationmustprecedearuleforallapplicationsifallothertrafficrelatedsettingsarethesame.
Toensurethatendusersauthenticatewhentheytrytoaccessyournetworkresources,thefirewallevaluates
AuthenticationpolicybeforeSecuritypolicy.Fordetails,seePolicies>Authentication.
Fortrafficthatdoesntmatchanyuserdefinedrules,thedefaultrulesapply.Thedefaultrulesdisplayedat
thebottomofthesecurityrulebasearepredefinedtoallowallintrazonetraffic(withinthezone)anddeny
allinterzonetraffic(betweenzones).Althoughtheserulesarepartofthepredefinedconfigurationandare
readonlybydefault,youcanOverridethemandchangealimitednumberofsettings,includingthetags,
action(allowordeny),logsettings,andsecurityprofiles.
TheinterfaceincludesthefollowingtabsfordefiningSecuritypolicyrules.
GeneralSelecttheGeneraltabtoconfigureanameanddescriptionfortheSecuritypolicyrule.
SourceSelecttheSourcetabtodefinethesourcezoneorsourceaddressfromwhichthetraffic
originates.
UserSelecttheUsertabtoenforcepolicyforindividualusersoragroupofusers.Ifyouareusing
GlobalProtectwithhostinformationprofile(HIP)enabled,youcanalsobasethepolicyoninformation
collectedbyGlobalProtect.Forexample,theuseraccesslevelcanbedeterminedHIPthatnotifiesthe
firewallabouttheuser'slocalconfiguration.TheHIPinformationcanbeusedforgranularaccesscontrol
basedonthesecurityprogramsthatarerunningonthehost,registryvalues,andmanyothercheckssuch
aswhetherthehosthasantivirussoftwareinstalled.
DestinationSelecttheDestinationtabtodefinethedestinationzoneordestinationaddressforthetraffic.
Policies Policies>Security
ApplicationSelecttheApplicationtabtohavethepolicyactionoccurbasedonanapplicationor
applicationgroup.AnadministratorcanalsouseanexistingAppIDsignatureandcustomizeittodetect
proprietaryapplicationsortodetectspecificattributesofanexistingapplication.Customapplicationsare
definedinObjects > Applications.
Service/URL CategorySelecttheService/URL CategorytabtospecifyaspecificTCPand/orUDPport
numberoraURLcategoryasmatchcriteriainthepolicy.
ActionSelecttheActiontabtodeterminetheactionthatwillbetakenbasedontrafficthatmatchesthe
definedpolicyattributes.
BuildingBlocksinaSecurityPolicyRule
Thefollowingsectiondescribeseachcomponentinasecuritypolicyrule.Whenyouviewthedefault
securityrule,orcreateanewrule,youcanconfiguretheoptionsdescribedhere.
BuildingBlocksin ConfiguredIn Description

aSecurityRule
Rulenumber N/A Eachruleisautomaticallynumberedandtheorderchangesas

rulesaremoved.Whenyoufilterrulestomatchspecificfilter(s),
eachruleislistedwithitsnumberinthecontextofthecomplete
setofrulesintherulebaseanditsplaceintheevaluationorder.
InPanorama,prerulesandpostrulesareindependently
numbered.WhenrulesarepushedfromPanoramatoamanaged
firewall,therulenumberingincorporateshierarchyinprerules,
firewallrules,andpostruleswithinarulebaseandreflectsthe
rulesequenceanditsevaluationorder.

aSecurityRule
Name General Enteranametoidentifytherule.Thenameiscasesensitiveand

canhaveupto31characters,whichcanbeletters,numbers,
spaces,hyphens,andunderscores.Thenamemustbeuniqueon
afirewalland,onPanorama,uniquewithinitsdevicegroupand
anyancestorordescendantdevicegroups.
Tag Addandspecifythetagforthepolicy.
Apolicytagisakeywordorphrasethatallowsyoutosortor
filterpolicies.Thisisusefulwhenyouhavedefinedmany
policiesandwanttoviewthosethataretaggedwithaparticular
keyword.Forexample,youmaywanttotagcertainruleswith
specificwordslikeDecryptandNodecrypt,orusethenameof
aspecificdatacenterforpoliciesassociatedwiththatlocation.
Youcanalsoaddtagstothedefaultrules.
Type Specifieswhethertheruleappliestotrafficwithinazone,
betweenzones,orboth:
universal(default)Appliestheruletoallmatchinginterzone
andintrazonetrafficinthespecifiedsourceanddestination
zones.Forexample,ifyoucreateauniversalrulewithsource
zonesAandBanddestinationzonesAandB,therulewould
applytoalltrafficwithinzoneA,alltrafficwithinzoneB,and
alltrafficfromzoneAtozoneBandalltrafficfromzoneBto
zoneA.
intrazoneAppliestheruletoallmatchingtrafficwithinthe
specifiedsourcezones(youcannotspecifyadestinationzone
forintrazonerules).Forexample,ifyousetthesourcezone
toAandB,therulewouldapplytoalltrafficwithinzoneA
andalltrafficwithinzoneB,butnottotrafficbetweenzones
AandB.
interzoneAppliestheruletoallmatchingtrafficbetween
thespecifiedsourceanddestinationzones.Forexample,if
yousetthesourcezonetoA,B,andCandthedestination
zonetoAandB,therulewouldapplytotrafficfromzoneA
tozoneB,fromzoneBtozoneA,fromzoneCtozoneA,and
fromzoneCtozoneB,butnottrafficwithinzonesA,B,orC.
SourceZone Source ClickAddtochoosesourcezones(defaultisany).Zonesmustbe

ofthesametype(Layer2,Layer3,orvirtualwire).Todefinenew
zones,refertoNetwork>Zones.
Multiplezonescanbeusedtosimplifymanagement.For
example,ifyouhavethreedifferentinternalzones(Marketing,
Sales,andPublicRelations)thatarealldirectedtotheuntrusted
destinationzone,youcancreateonerulethatcoversallcases.
SourceAddress ClickAddtoaddsourceaddresses,addressgroups,orregions
(defaultisany).Selectfromthedropdown,orclickAddress,
Address Group,orRegionsatthebottomofthedropdown,
andspecifythesettings.

aSecurityRule
SourceUser User ClickAddtochoosethesourceusersorgroupsofuserssubject

tothepolicy.Thefollowingsourceusertypesaresupported:
anyIncludeanytrafficregardlessofuserdata.
pre-logonIncluderemoteusersthatareconnectedtothe
networkusingGlobalProtect,butarenotloggedintotheir
system.WhenthePrelogonoptionisconfiguredonthe
PortalforGlobalProtectclients,anyuserwhoisnotcurrently
loggedintotheirmachinewillbeidentifiedwiththeusername
prelogon.Youcanthencreatepoliciesforprelogonusers
andalthoughtheuserisnotloggedindirectly,theirmachines
areauthenticatedonthedomainasiftheywerefullylogged
in.
known-userIncludesallauthenticatedusers,whichmeans
anyIPwithuserdatamapped.Thisoptionisequivalenttothe
domainusersgrouponadomain.
unknownIncludesallunauthenticatedusers,whichmeans
IPaddressesthatarenotmappedtoauser.Forexample,you
coulduseunknownforguestlevelaccesstosomething
becausetheywillhaveanIPonyournetworkbutwillnotbe
authenticatedtothedomainandwillnothaveIPtouser
mappinginformationonthefirewall.
SelectIncludesselectedusersasdeterminedbythe
selectioninthiswindow.Forexample,youmaywanttoadd
oneuser,alistofindividuals,somegroups,ormanuallyadd
users.
IfthefirewallcollectsuserinformationfromaRADIUS,
TACACS+,orSAMLidentityproviderserverandnot
fromtheUserIDagent,thelistofusersdoesnot
display;youmustenteruserinformationmanually.
SourceHIPProfile ClickAddtochoosehostinformationprofiles(HIP)toidentify
users.AHIPenablesyoutocollectinformationaboutthe
securitystatusofyourendhosts,suchaswhethertheyhavethe
latestsecuritypatchesandantivirusdefinitionsinstalled.Using
hostinformationprofilesforpolicyenforcementenables
granularsecuritythatensuresthattheremotehostsaccessing
yourcriticalresourcesareadequatelymaintainedandin
adherencewithyoursecuritystandardsbeforetheyareallowed
accesstoyournetworkresources.ThefollowingsourceHIP
profilesaresupported:
anyIncludesanyendpoint,regardlessofHIPinformation.
selectIncludesselectedHIPprofilesasdeterminedbythe
selectioninthewindow.Forexample,youmaywanttoadd
oneHIPprofile,alistofHIPprofiles,ormanuallyaddHIP
profiles.
no-hipHIPinformationisnotrequired.Thissettingenables
accessfromthirdpartyclientsthatcannotcollectorsubmit
HIPinformation.

aSecurityRule
DestinationZone Destination ClickAddtochoosedestinationzones(defaultisany).Zones

mustbeofthesametype(Layer2,Layer3,orvirtualwire).To
definenewzones,refertoNetwork>Zones.
Multiplezonescanbeusedtosimplifymanagement.For
example,ifyouhavethreedifferentinternalzones(Marketing,
Sales,andPublicRelations)thatarealldirectedtotheuntrusted
destinationzone,youcancreateonerulethatcoversallcases.
Onintrazonerules,youcannotdefineaDestination
Zonebecausethesetypesofrulesonlymatchtraffic
withasourceandadestinationwithinthesamezone.To
specifythezonesthatmatchanintrazoneruleyouonly
needtosettheSourceZone.
Destination ClickAddtoadddestinationaddresses,addressgroups,or
Address regions(defaultisany).Selectfromthedropdown,orclick
Addressatthebottomofthedropdown,andspecifyaddress
settings.
Application Application Selectspecificapplicationsforthesecurityrule.Ifanapplication

hasmultiplefunctions,youcanselecttheoverallapplicationor
individualfunctions.Ifyouselecttheoverallapplication,all
functionsareincludedandtheapplicationdefinitionis
automaticallyupdatedasfuturefunctionsareadded.
Ifyouareusingapplicationgroups,filters,orcontainersinthe
securityrule,youcanviewdetailsoftheseobjectsbyholding
yourmouseovertheobjectintheApplicationcolumn,clickthe
dropdownarrowandselectValue.Thisallowsyoutoview
applicationmembersdirectlyfromthepolicywithouthavingto
navigatetotheObjecttab.

aSecurityRule
Service Service/URL Category SelectservicestolimittospecificTCPand/orUDPport

numbers.Chooseoneofthefollowingfromthedropdown:
anyTheselectedapplicationsareallowedordeniedonany
protocolorport.
application-defaultTheselectedapplicationsareallowed
ordeniedonlyontheirdefaultportsdefinedbyPaloAlto
Networks.Thisoptionisrecommendedforallowpolicies
becauseitpreventsapplicationsfromrunningonunusual
portsandprotocolwhich,ifnotintentional,canbeasignof
undesiredapplicationbehaviorandusage.
Whenyouusethisoption,thefirewallstillchecksfor
allapplicationsonallportsbut,withthis
configuration,applicationsareonlyallowedontheir
defaultportsandprotocols.
SelectClickAdd.Chooseanexistingserviceorchoose
ServiceorService Grouptospecifyanewentry.(Orselect
Objects>ServicesandObjects>ServiceGroups).
URLCategory SelectURLcategoriesforthesecurityrule.
Chooseanytoallowordenyallsessionsregardlessofthe
URLcategory.
Tospecifyacategory,clickAddandselectaspecificcategory
(includingacustomcategory)fromthedropdown.Youcan
addmultiplecategories.SelectObjects>ExternalDynamic
Liststodefinecustomcategories.

aSecurityRule
Action Actions Tospecifytheactionfortrafficthatmatchestheattributes

definedinarule,selectfromthefollowingactions:
Allow(default)Allowsthetraffic.
DenyBlockstraffic,andenforcesthedefaultDenyAction
definedfortheapplicationthatisbeingdenied.Toviewthe
denyactiondefinedbydefaultforanapplication,viewthe
applicationdetailsinObjects > Applications.
Becausethedefaultdenyactionvariesbyapplication,the
firewallcouldblockthesessionandsendaresetforone
application,whileitcoulddropthesessionsilentlyfor
anotherapplication.
DropSilentlydropstheapplication.ATCPresetisnotsent
tothehost/application,unlessyouselectSend ICMP
Unreachable.
Reset clientSendsaTCPresettotheclientsidedevice.
Reset serverSendsaTCPresettotheserversidedevice.
Reset bothSendsaTCPresettoboththeclientsideand
serversidedevices.
Send ICMP UnreachableOnlyavailableforLayer3
interfaces.WhenyouconfigureSecuritypolicyruletodrop
trafficortoresettheconnection,thetrafficdoesnotreach
thedestinationhost.Insuchcases,forallUDPtrafficandfor
TCPtrafficthatisdropped,youcanenablethefirewallto
sendanICMPUnreachableresponsetothesourceIPaddress
fromwherethetrafficoriginated.Enablingthissettingallows
thesourcetogracefullycloseorclearthesessionand
preventsapplicationsfrombreaking.
ToviewtheICMPUnreachablePacketRateconfiguredon
thefirewall,viewtheSessionSettingssectioninDevice >
Setup > Session.
Tooverridethedefaultactiondefinedonthepredefined
interzoneandintrazonerules:seeOverridingorRevertinga
SecurityPolicyRule
ProfileSetting Actions Tospecifythecheckingdonebythedefaultsecurityprofiles,

selectindividualAntivirus,AntiSpyware,Vulnerability
Protection,URLFiltering,FileBlocking,and/orDataFiltering
profiles.
Tospecifyaprofilegroupratherthanindividualprofiles,select
Profile Type Groupandthenselectaprofilegroupfromthe
Group Profiledropdown.
Todefinenewprofilesorprofilegroups,clickNewnexttothe
appropriateprofileorgroup(refertoObjects>SecurityProfile
Groups).
Youcanalsoattachsecurityprofiles(orprofilegroups)tothe
defaultrules.

aSecurityRule
Options Actions TheOptionstabincludestheloggingsettingsandacombination

ofotheroptionslistedbelow.
Togenerateentriesinthelocaltrafficlogfortrafficthatmatches
thisrule,selectthefollowingoptions:
Log At Session StartGeneratesatrafficlogentryforthe
startofasession(disabledbydefault).
Log At Session EndGeneratesatrafficlogentryfortheend
ofasession(enabledbydefault).
Ifthesessionstartorendentriesarelogged,dropand
denyentriesarealsologged.
Log Forwarding ProfileToforwardthelocaltrafficlogand

threatlogentriestoremotedestinations,suchasPanorama
andsyslogservers,selectalogprofilefromtheLog
Forwarding Profiledropdown.
Thegenerationofthreatlogentriesisdeterminedby
thesecurityprofiles.Todefinenewlogprofiles,click
New (refertoObjects>LogForwarding).
Youcanalsomodifythelogsettingsonthedefaultrules.Specify
anycombinationofthefollowingoptions:
ScheduleTolimitthedaysandtimeswhentheruleisin
effect,selectaschedulefromthedropdown.Todefinenew
schedules,clickNew(refertoSettingstoControlDecrypted
SSLTraffic).
QoS MarkingTochangetheQualityofService(QoS)setting
onpacketsmatchingtherule,selectIP DSCPorIP
PrecedenceandentertheQoSvalueinbinaryorselecta
predefinedvaluefromthedropdown.Formoreinformation
onQoS,refertoQualityofService .
Disable Server Response InspectionTodisablepacket
inspectionfromtheservertotheclient,selectthisoption.
Thisoptionmaybeusefulunderheavyserverloadconditions.
Description General Enteradescriptionforthepolicy(upto255characters).
CreatingandManagingPolicies
SelectthePolicies > Securitypagetoadd,andmodify,andmanagesecuritypolicies:
Task Description
Add Toaddanewpolicyrule,dooneofthefollowing:
ClickAddatthebottomofthepage.
SelectaruleonwhichtobasethenewruleandclickClone Ruleorselectarule
byclickingthewhitespaceoftheruleandselectClone Ruleatthebottomofthe
page(arulethatisselectedinthewebinterfacedisplayswithayellow
background).Thecopiedrule,rulenisinsertedbelowtheselectedrule,wheren
isthenextavailableintegerthatmakestherulenameunique.Fordetailson
cloning,seeMoveorCloneaPolicyRule.
Modify Tomodifyarule,clicktherule.
IftheruleispushedfromPanorama,theruleisreadonlyonthefirewallandcannot
beeditedlocally.
OverrideandRevertactionspertainonlytothedefaultrulesthataredisplayedatthe
bottomoftheSecurityrulebase.Thesepredefinedrulesallowallintrazonetraffic
anddenyallinterzonetrafficinstructthefirewallonhowtohandletrafficthatdoes
notmatchanyotherruleintherulebase.Becausetheyarepartofthepredefined
configuration,youmustOverridetheminordertoeditselectpolicysettings.Ifyou
areusingPanorama,youcanalsoOverridethedefaultrules,andthenpushthemto
firewallsinaDeviceGrouporSharedcontext.YoucanalsoRevertthedefaultrules,
whichrestoresthepredefinedsettingsorthesettingspushedfromPanorama.For
details,seeOverridingorRevertingaSecurityPolicyRule.
Move RulesareevaluatedtopdownandasenumeratedonthePoliciespage.Tochange
theorderinwhichtherulesareevaluatedagainstnetworktraffic,selectaruleand
clickMove Up,Move Down,Move Top,orMove Bottom.Fordetails,seeMoveor
CloneaPolicyRule.
Delete SelectaruleandclickDeletetoremovetheexistingrule.
Enable/Disable Todisablearule,selecttheruleandclickDisable.Toenablearulethatisdisabled,
selecttheruleandclickEnable.
ViewUnused Toidentifyrulesthathavenotbeenusedsincethelasttimethefirewallwas
rules restarted,selectHighlight Unused Rules.Youcanthendecidewhethertodisable
theruleordeleteit.Rulesnotcurrentlyinusearedisplayedwithadottedyellow
background.
Eachfirewallmaintainsaflagfortherulesthathaveamatch.Becausetheflag
isresetwhenadataplaneresetoccursonarebootorarestart,monitorthis
listperiodicallytodeterminewhethertherulehashadamatchsincethelast
checkbeforeyoudeleteordisableit.
Task Description
Show/Hide ToshoworhidethecolumnsthatdisplayinthePoliciespages,selectthisoption
columns nexttothecolumnnametotogglethedisplayofeachcolumn.
Applyfilters Toapplyafiltertothelist,selectfromtheFilter Rulesdropdown.Toaddavalueto

defineafilter,clickthedropdownfortheitemandchooseFilter.
Thedefaultrulesarenotpartofrulebasefilteringandalwaysshowupinthe
listoffilteredrules.
Toviewthenetworksessionsthatwereloggedasmatchesagainstthepolicy,click
thedropdownfortherulenameandchooseLog Viewer.
Todisplaythecurrentvaluebyclickingthedropdownfortheentryandchoosing
Value.Youcanalsoedit,filter,orremovecertainitemsdirectlyfromthecolumn
menu.Forexample,toviewaddressesincludedinanaddressgroup,holdyourmouse
overtheobjectintheAddresscolumn,clickthedropdownandselectValue.This
allowsyoutoquicklyviewthemembersandthecorrespondingIPaddressesforthe
addressgroupwithouthavingtonavigatetotheObjecttab.
TofindobjectsusedwithinapolicybasedontheirnameorIPaddress,usethefilter
option.Afteryouapplythefilter,youwillseeonlytheitemsthatmatchthefilter.The
filteralsoworkswithembeddedobjects.Example:whenyoufilteron10.1.4.8,only
thepolicythatcontainsthataddressisdisplayed:
Previewrules UsePreview Rulestoviewalistoftherulesbeforeyoupushtherulestothe

(Panorama managedfirewalls.Withineachrulebase,thehierarchyofrulesisvisually
only) demarcatedforeachdevicegroup(andmanagedfirewall)tomakeiteasiertoscan
throughalargenumbersofrules.
OverridingorRevertingaSecurityPolicyRule
Thedefaultsecurityrulesinterzonedefaultandintrazonedefaulthavepredefinedsettingsthatyoucan
overrideonafirewalloronPanorama.Ifafirewallreceivesthedefaultrulesfromadevicegroup,youcan
alsooverridethedevicegroupsettings.Thefirewallorvirtualsystemwhereyouperformtheoverridestores
alocalversionoftheruleinitsconfiguration.Thesettingsyoucanoverrideareasubsetofthefullset(the
followingtableliststhesubsetforsecurityrules).Fordetailsonthedefaultsecurityrules,seePolicies>
Security.
Tooverridearule,selectPolicies > SecurityonafirewallorPolicies > Security > Default RulesonPanorama.The
Namecolumndisplaystheinheritanceicon( )forrulesyoucanoverride.Selecttherule,clickOverride,
andeditthesettingsinthefollowingtable.
TorevertanoverriddenruletoitspredefinedsettingsortothesettingspushedfromaPanoramadevice
group,selectPolicies > SecurityonafirewallorPolicies > Security > Default RulesonPanorama.TheName
columndisplaystheoverrideicon( )forrulesthathaveoverriddenvalues.Selecttherule,clickRevert,
andclickYestoconfirmtheoperation.
FieldstoOverrideaDefault Description
SecurityRule
General Tab
Name TheNamethatidentifiestheruleisreadonly;youcannotoverrideit.
RuleType TheRule Typeisreadonly;youcannotoverrideit.
Description TheDescriptionisreadonly;youcannotoverrideit.
Tag SelectTagsfromthedropdown.
Apolicytagisakeywordorphrasethatenablesyoutosortorfilter
policies.Thisisusefulwhenyouhavedefinedmanypoliciesandwant
toviewthosethataretaggedwithaparticularkeyword.Forexample,
youmightwanttotagcertainsecuritypolicieswithInboundtoDMZ,
tagspecificdecryptionpolicieswiththewordsDecryptorNodecrypt,
orusethenameofaspecificdatacenterforpoliciesassociatedwith
thatlocation.
Actions Tab
ActionSetting SelecttheappropriateActionfortrafficthatmatchestherule.
Allow(default)Allowsthetraffic.
DenyBlockstrafficandenforcesthedefaultDenyActionthatis
definedfortheapplicationthatthefirewallisdenying.Toviewthe
denyactionthatisdefinedbydefaultforanapplication,viewthe
applicationdetailsinObjects > Applications.
DropSilentlydropstheapplication.Thefirewalldoesnotsenda
TCPresetmessagetothehostorapplication.
Reset clientSendsaTCPresetmessagetotheclientsidedevice.
Reset serverSendsaTCPresetmessagetotheserversidedevice.
Reset bothSendsaTCPresetmessagetoboththeclientsideand
serversidedevices.

FieldstoOverrideaDefault Description
SecurityRule
ProfileSetting Profile TypeAssignprofilesorprofilegroupstothesecurityrule:

Tospecifythecheckingthatthedefaultsecurityprofilesperform,
selectProfilesandthenselectoneormoreoftheindividual
Antivirus,Vulnerability Protection,Anti-Spyware,URL Filtering,
File Blocking,Data Filtering,andWildFire Analysisprofiles.
Toassignaprofilegroupratherthanindividualprofiles,selectGroup
andthenselectaGroup Profilefromthedropdown.
Todefinenewprofiles(Objects>SecurityProfiles)orprofilegroups
(Objects>SecurityProfileGroups),clickNewinthedropdownfor
thecorrespondingprofileorgroup.
LogSetting Specifyanycombinationofthefollowingoptions:
Log ForwardingToforwardthelocaltrafficlogandthreatlog
entriestoremotedestinations,suchasPanoramaandsyslog
servers,selectaLog Forwardingprofilefromthedropdown.
SecurityprofilesdeterminethegenerationofThreatlogentries.To
defineanewLog Forwardingprofile,selectProfileinthe
dropdown(seeObjects>LogForwarding).
Togenerateentriesinthelocaltrafficlogfortrafficthatmatches
thisrule,selectthefollowingoptions:
Log at Session StartGeneratesatrafficlogentryforthestart
ofasession(selectedbydefault).
Log at Session EndGeneratesatrafficlogentryfortheendof
asession(clearedbydefault).
Ifyouconfigurethefirewalltoincludesessionstartorsession
endentriesintheTrafficlog,itwillalsoincludedropanddeny
entries.

Policies>NAT Policies
Policies>NAT
IfyoudefineLayer3interfacesonthefirewall,youcanconfigureaNetworkAddressTranslation(NAT)
policy tospecifywhethersourceordestinationIPaddressesandportsareconvertedbetweenpublicand
privateaddressesandports.Forexample,privatesourceaddressescanbetranslatedtopublicaddresseson
trafficsentfromaninternal(trusted)zonetoapublic(untrusted)zone.NATisalsosupportedonvirtualwire
interfaces.
NATrulesarebasedonsourceanddestinationzones,sourceanddestinationaddresses,andapplication
service(suchasHTTP).Likesecuritypolicies,NATpolicyrulesarecomparedagainstincomingtrafficin
sequence,andthefirstrulethatmatchesthetrafficisapplied.
Asneeded,addstaticroutestothelocalroutersothattraffictoallpublicaddressesisroutedtothefirewall.
Youmayalsoneedtoaddstaticroutestothereceivinginterfaceonthefirewalltoroutetrafficbacktothe
privateaddress.
ThefollowingtablesdescribetheNATandNPTv6(IPv6toIPv6NetworkPrefixTranslation)settings:
GeneralTab
OriginalPacketTab
TranslatedPacketTab
Active/ActiveHABindingTab
Lookingformore?
SeeNAT
GeneralTab
Policies>NAT>General
SelecttheGeneraltabtoconfigureanameanddescriptionfortheNATorNPTv6policy.Youcanconfigure
atagtoallowyoutosortorfilterpolicieswhenmanypoliciesexist.SelectthetypeofNATpolicyyouare
creating,whichaffectswhichfieldsareavailableontheOriginal PacketandTranslated Packettabs.
NATRule Description
GeneralSettings
Name Enteranametoidentifytherule.Thenameiscasesensitiveandcanhaveup
to31characters,whichcanbeletters,numbers,spaces,hyphens,and
underscores.Thenamemustbeuniqueonafirewalland,onPanorama,
uniquewithinitsdevicegroupandanyancestorordescendantdevicegroups.
Description Enteradescriptionfortherule(upto255characters).
Tag Ifyouwanttotagthepolicy,Addandspecifythetag.
Apolicytagisakeywordorphrasethatallowsyoutosortorfilterpolicies.
Thisisusefulwhenyouhavedefinedmanypoliciesandwanttoviewthose
thataretaggedwithaparticularkeyword.

Policies Policies>NAT
NATRule Description
GeneralSettings
NATType Specifythetypeoftranslation:
ipv4translationbetweenIPv4addresses.
nat64translationbetweenIPv6andIPv4addresses.
nptv6translationbetweenIPv6prefixes.
YoucannotcombineIPv4andIPv6addressrangesinasingleNATrule.
OriginalPacketTab
Policies>NAT>OriginalPacket
SelecttheOriginal Packettabtodefinethesourceanddestinationzonesofpacketsthatthefirewallwill
translateand,optionally,specifythedestinationinterfaceandtypeofservice.Youcanconfiguremultiple
sourceanddestinationzonesofthesametypeandyoucanapplytheruletospecificnetworksorspecificIP
addresses.
NATRuleOriginal Description
PacketSettings
SourceZone/ Selectoneormoresourceanddestinationzonesfortheoriginal
DestinationZone (nonNAT)packet(defaultisAny).Zonesmustbeofthesametype
(Layer2,Layer3,orvirtualwire).Todefinenewzones,referto
Network>Zones.
Youcanspecifymultiplezonestosimplifymanagement.Forexample,
youcanconfiguresettingssothatmultipleinternalNATaddressesare
directedtothesameexternalIPaddress.
DestinationInterface Specifythedestinationinterfaceofpacketsthefirewalltranslates.You
canusethedestinationinterfacetotranslateIPaddressesdifferently
inthecasewherethenetworkisconnectedtotwoISPswithdifferent
IPaddresspools.
Service Specifytheserviceforwhichthefirewalltranslatesthesourceor
destinationaddress.Todefineanewservicegroup,selectObjects>
ServiceGroups.
SourceAddress/ Specifyacombinationofsourceanddestinationaddressesforthe
DestinationAddress firewalltotranslate.
ForNPTv6,theprefixesconfiguredforSource Addressand
Destination Addressmustbeintheformatxxxx:xxxx::/yy.Theaddress
cannothaveaninterfaceidentifier(host)portiondefined.Therangeof
supportedprefixlengthsis/32to/64.

TranslatedPacketTab
Policy>NAT>TranslatedPacket
SelecttheTranslated Packettabtodetermine,forSourceAddressTranslation,thetypeoftranslation to
performonthesource,andtheaddressand/orporttowhichthesourcewillbetranslated.
YoucanalsoenableDestinationAddressTranslationforaninternalhostthatneedstobeaccessedbya
publicIPaddress.Inthiscase,youdefineasourceaddress(public)anddestinationaddress(private)inthe
Original Packettabforaninternalhost,andintheTranslated PackettabyouenableDestination Address
TranslationandentertheTranslated Address.Whenthepublicaddressisaccessed,itwillbetranslatedtothe
internal(destination)addressoftheinternalhost.
NATRule Description
TranslatedPacket
Settings
SourceAddress SelecttheTranslationType(dynamicorstaticaddresspool),andenteranIPaddressor
Translation addressrange(address1address2)thatthesourceaddressistranslatedto(Translated
Address).Thesizeoftheaddressrangeislimitedbythetypeofaddresspool:
Dynamic IP And PortAddressselectionisbasedonahashofthesourceIPaddress.Fora
givensourceIPaddress,thefirewallusesthesametranslatedsourceaddressforall
sessions.DynamicIPandPortsourceNATsupportsapproximately64,000concurrent
sessionsoneachIPaddressintheNATpool.Onsomemodels,oversubscriptionis
supported,whichallowsasingleIPtohostmorethan64,000concurrentsessions.
PaloAltoNetworksDynamicIP/portNATsupportsmoreNATsessionsthanaresupported
bythenumberofavailableIPaddressesandports.ThefirewallcanuseIPaddressandport
combinationsuptotwotimes(simultaneously)onthePA200,PA500,andPA3000
Seriesfirewalls,fourtimesonthePA5020firewalls,andeighttimesonthePA5050and
PA5060firewallswhendestinationIPaddressesareunique.
Dynamic IPThenextavailableaddressinthespecifiedrangeisused,buttheportnumber
isunchanged.Upto32,000consecutiveIPaddressesaresupported.AdynamicIPpoolcan
containmultiplesubnets,soyoucantranslateyourinternalnetworkaddressestotwoor
moreseparatepublicsubnets.
Advanced (Dynamic IP/Port Fallback)Usethisoptiontocreateafallbackpoolthatwill
performIPandporttranslationandwillbeusediftheprimarypoolrunsoutofaddresses.
YoucandefineaddressesforthepoolbyusingtheTranslatedAddressoptionorthe
InterfaceAddressoption,whichisforinterfacesthatreceiveanIPaddressdynamically.
Whencreatingafallbackpool,makesureaddressesdonotoverlapwithaddressesinthe
primarypool.
Static IPThesameaddressisalwaysusedforthetranslationandtheportisunchanged.
Forexample,ifthesourcerangeis192.168.0.1192.168.0.10andthetranslationrangeis
10.0.0.110.0.0.10,address192.168.0.2isalwaystranslatedto10.0.0.2.Theaddressrange
isvirtuallyunlimited.
NPTv6mustuseStatic IPtranslationforSourceAddressTranslation.ForNPTv6,the
prefixesconfiguredforTranslated Addressmustbeintheformatxxxx:xxxx::/yy.The
addresscannothaveaninterfaceidentifier(host)portiondefined.Therangeofsupported
prefixlengthsis/32to/64.
NoneTranslationisnotperformed.

Policies Policies>NAT
NATRule Description
TranslatedPacket
Settings
Bidirectional (Optional)Enablebidirectionaltranslationifyouwantthefirewalltocreateacorresponding
translation(NATorNPTv6)intheoppositedirectionofthetranslationyouconfigure.
Ifyouenablebidirectionaltranslation,youmustensurethatyouhavesecuritypolicies
inplacetocontrolthetrafficinbothdirections.Withoutsuchpolicies,thebidirectional
featureallowspacketstobetranslatedautomaticallyinbothdirections.
DestinationAddress EnteranIPaddressorrangeofIPaddressesandatranslatedportnumber(165535)towhich
Translation thedestinationaddressandportnumberaretranslated.IftheTranslated Portfieldisblank,
thedestinationportisnotchanged.Destinationtranslationistypicallyusedtoallowan
internalserver,suchasanemailserver,tobeaccessedfromthepublicnetwork.
ForNPTv6,theprefixesconfiguredforDestinationprefixTranslated Addressmustbeinthe
formatxxxx:xxxx::/yy.Theaddresscannothaveaninterfaceidentifier(host)portiondefined.
Therangeofsupportedprefixlengthsis/32to/64.
TranslatedPortisnotsupportedforNPTv6becauseNPTv6isstrictlyprefix
translation.ThePortandHostaddresssectionissimplyforwardedunchanged.
Active/ActiveHABindingTab
Policies>NAT>Active/ActiveHABinding
TheActive/ActiveHABindingtabisavailableonlyifthefirewallisinahighavailability(HA)active/active
configuration.Inthisconfiguration,youmustbindeachsourceNATrule(whetherstaticordynamicNAT)to
DeviceID0orDeviceID1;youmustbindeachdestinationNATruletoeitherDeviceID0,DeviceID1,both
(DeviceID0andDeviceID1),ortotheactiveprimaryfirewall.
SelectanActive/Active HA BindingsettingtobindtheNATruletoanHAfirewallasfollows:
0BindstheNATruletothefirewallthathasHADeviceID0.
1BindstheNATruletothefirewallthathasHADevice ID 1.
bothBindstheNATruletoboththefirewallthathasHADeviceID0andthefirewallthathasHADevice
ID1.ThissettingdoesnotsupportDynamicIPorDynamicIPandPortNAT.
primaryBindstheNATruletothefirewallthatisinHAactiveprimarystate.Thissettingdoesnot
supportDynamicIPorDynamicIPandPortNAT.
YoutypicallyconfiguredevicespecificNATruleswhenthetwoHApeershaveuniqueNATIPaddresspools.
Whenthefirewallcreatesanewsession,theHAbindingdetermineswhichNATrulesthesessioncanmatch.
Thebindingmustincludethesessionownerfortheruletomatch.Thesessionsetupfirewallperformsthe
NATrulematchingbutthesessioniscomparedtoNATrulesthatareboundtothesessionownerand
translatedaccordingtooneoftherules.Fordevicespecificrules,thefirewallskipsallNATrulesthatarenot
boundtothesessionowner.Forexample,supposethefirewallwithDeviceID1isthesessionownerand
thesessionsetupfirewall.WhenDeviceID1attemptstomatchasessiontoaNATrule,itignoresallrules
boundtoDeviceID0.
Ifonepeerfails,thesecondpeercontinuestoprocesstrafficforthesynchronizedsessionsfromthefailed
peer,includingNATtranslations.PaloAltoNetworksrecommendsyoucreateaduplicateNATrulethatis
boundtothesecondDeviceID.Therefore,therearetwoNATruleswiththesamesourcetranslation
addressesandthesamedestinationtranslationaddressesoneruleboundtoeachDeviceID.This

configurationallowstheHApeertoperformnewsessionsetuptasksandperformNATrulematchingfor
NATrulesthatareboundtoitsDeviceID.WithoutaduplicateNATrule,thefunctioningpeerwilltryto
performtheNATpolicymatchbutthesessionwontmatchthefirewallsowndevicespecificrulesandthe
firewallskipsallotherNATrulesthatarenotboundtoitsDeviceID.
Lookingformore?
SeeNATinActive/ActiveHAMode

Policies Policies>QoS
Policies>QoS
AddQoSpolicy rulestodefinethetrafficthatreceivesspecificQoStreatmentandassignaQoSclass
foreachQoSpolicyruletospecifythattheassignedclassofserviceappliestoalltrafficmatchedtothe
associatedruleasitexitsaQoSenabledinterface.
QoSpolicyrulespushedtoafirewallfromPanoramaareshowninorangeandcannotbeeditedatthefirewall
level.
Additionally,tofullyenablethefirewalltoprovideQoS:
SetbandwidthlimitsforeachQoSclassofservice(selectNetwork>NetworkProfiles>QoStoaddor
modifyaQoSprofile).
EnableQoSonaninterface(selectNetwork>QoS).
RefertoQualityofService forcompleteQoSworkflows,concepts,andusecases.
Addanewruleorcloneanexistingruleandthendefinethefollowingfields.
QoSPolicyRuleSettings
General Tab
Name Enteranametoidentifytherule(upto31characters).Thenameis
Description Enteranoptionaldescription.
Tag Ifyouneedtotagthepolicy,Addandspecifythetag.
thataretaggedwithaparticularkeyword.Forexample,youmaywanttotag
certainsecuritypolicieswithInboundtoDMZ,decryptionpolicieswiththe
wordsDecryptandNodecrypt,orusethenameofaspecificdatacenterfor
policiesassociatedwiththatlocation.
Source Tab
SourceZone Selectoneormoresourcezones(defaultisany).Zonesmustbeofthesame
type(Layer2,Layer3,orvirtualwire).

Policies>QoS Policies
SourceAddress SpecifyacombinationofsourceIPv4orIPv6addressesforwhichthe
identifiedapplicationcanbeoverridden.Toselectspecificaddresses,
chooseselectfromthedropdownanddoanyofthefollowing:
Selectthisoptionnexttotheappropriateaddresses and/oraddress
groups intheAvailablecolumn,andclickAddtoaddyourselections
totheSelectedcolumn.
Enterthefirstfewcharactersofanameinthesearchfieldtolistall
addressesandaddressgroupsthatstartwiththosecharacters.Selecting
aniteminthelistenablesthisoptionintheAvailablecolumn.Repeatthis
processasoftenasneeded,andthenclickAdd.
EnteroneormoreIPaddresses(oneperline),withorwithoutanetwork
mask.Thegeneralformatis:
<ip_address>/<mask>
Toremoveaddresses,selectthem(Selectedcolumn)andclickDeleteor
selectanytoclearalladdressesandaddressgroups.
Toaddnewaddressesthatcanbeusedinthisorotherpolicies,clickNew
Address.Todefinenewaddressgroups,selectObjects>AddressGroups.
SourceUser SpecifythesourceusersandgroupstowhichtheQoSpolicywillapply.
Negate Selectthisoptiontohavethepolicyapplyifthespecifiedinformationonthis
tabdoesNOTmatch.
Destination Tab
DestinationZone Selectoneormoredestinationzones(defaultisany).Zonesmustbeofthe
sametype(Layer2,Layer3,orvirtualwire).
DestinationAddress SpecifyacombinationofsourceIPv4orIPv6addressesforwhichthe
identifiedapplicationcanbeoverridden.Toselectspecificaddresses,
chooseselectfromthedropdownanddoanyofthefollowing:
Selectthisoptionnexttotheappropriateaddresses and/oraddress
groups intheAvailablecolumn,andAddyourselectionstothe
Selectedcolumn.
Enterthefirstfewcharactersofanameinthesearchfieldtolistall
addressesandaddressgroupsthatstartwiththosecharacters.Selecting
aniteminthelistenablesthisoptionintheAvailablecolumn.Repeatthis
processasoftenasneeded,andthenclickAdd.
EnteroneormoreIPaddresses(oneperline),withorwithoutanetwork
mask.Thegeneralformatis:
<ip_address>/<mask>
Toremoveaddresses,selectthem(Selectedcolumn)andclickDeleteor
selectanytoclearalladdressesandaddressgroups.
Toaddnewaddressesthatcanbeusedinthisorotherpolicies,clickNew
Address.
Negate Selectthisoptiontohavethepolicyapplyifthespecifiedinformationonthis
tabdoesnotmatch.

Policies Policies>QoS
Application Tab
Application SelectspecificapplicationsfortheQoSrule.Todefinenewapplicationsor
applicationgroups,selectObjects > Applications.
Ifanapplicationhasmultiplefunctions,youcanselecttheoverallapplication
orindividualfunctions.Ifyouselecttheoverallapplication,allfunctionsare
included,andtheapplicationdefinitionisautomaticallyupdatedasfuture
functionsareadded.
Ifyouareusingapplicationgroups,filters,orcontainerintheQoSrule,you
canviewdetailsontheseobjectsbyholdingyourmouseovertheobjectin
theApplicationcolumn,clickthedownarrowandselectValue.Thisenables
youtoeasilyviewapplicationmembersdirectlyfromthepolicywithout
havingtogototheObjectstab.
Service/URL Category Tab
Service SelectservicestolimittospecificTCPand/orUDPportnumbers.Choose
oneofthefollowingfromthedropdown:
anyTheselectedapplicationsareallowedordeniedonanyprotocolor
port.
application-defaultTheselectedapplicationsareallowedordenied
onlyontheirdefaultportsdefinedbyPaloAltoNetworks.Thisoptionis
recommendedforallowpolicies.
SelectClickAdd.ChooseanexistingserviceorchooseServiceor
Service Grouptospecifyanewentry.
URLCategory SelectURLcategoriesfortheQoSrule.
SelectAnytoensurethatasessioncanmatchthisQoSruleregardlessof
theURLcategory.
Tospecifyacategory,clickAddandselectaspecificcategory(includinga
customcategory)fromthedropdown.Youcanaddmultiplecategories.
RefertoObjects>ExternalDynamicListsforinformationondefining
customcategories.
DSCP/TOS Tab
Any SelectAny(default)toallowthepolicytomatchtotrafficregardlessofthe
DifferentiatedServicesCodePoint(DSCP)valueortheIPPrecedence/Type
ofService(ToS)definedforthetraffic.
Codepoints SelectCodepointstoenabletraffictoreceiveQoStreatmentbasedonthe
DSCPorToSvaluedefinedapacketsIPheader.TheDSCPandToSvalues
areusedtoindicatethelevelofservicerequestedfortraffic,suchashigh
priorityorbesteffortdelivery.Usingcodepointsasmatchingcriteriaina
QoSpolicyallowsasessiontoreceiveQoStreatmentbasedonthe
codepointdetectedatthebeginningofthesession.
ContinuetoAddcodepointstomatchtraffictotheQoSpolicy:
GivecodepointentriesadescriptiveName.
SelecttheTypeofcodepointyouwanttouseasmatchingcriteriaforthe
QoSpolicyandthenselectaspecificCodepointvalue.Youcanalsocreate
aCustom CodepointbyenteringaCodepoint NameandBinary Value.

Policies>QoS Policies
Other Settings Tab
Class ChoosetheQoSclasstoassigntotherule,andclickOK.Classcharacteristics
aredefinedintheQoSprofile.RefertoNetwork>NetworkProfiles>QoS
forinformationonconfiguringsettingsforQoSclasses.
Schedule SelectNoneforthepolicyruletoremainactiveatalltimes.
Fromthedropdown,selectSchedule(calendaricon)tosetasingletime
rangeorarecurringtimerangeduringwhichtheruleisactive.

Policies Policies>PolicyBasedForwarding
Policies>PolicyBasedForwarding
Normally,whentrafficentersthefirewall,theingressinterfacevirtualrouterdictatestheroutethat
determinestheoutgoinginterfaceanddestinationsecurityzonebasedondestinationIPaddress.Bycreating
apolicybasedforwarding(PBF)rule ,youcanspecifyotherinformationtodeterminetheoutgoing
interface,includingsourcezone,sourceaddress,sourceuser,destinationaddress,destinationapplication,
anddestinationservice.TheinitialsessiononagivendestinationIPaddressandportthatisassociatedwith
anapplicationwillnotmatchanapplicationspecificruleandwillbeforwardedaccordingtosubsequentPBF
rules(thatdonotspecifyanapplication)orthevirtualroutersforwardingtable.Allsubsequentsessionson
thatdestinationIPaddressandportforthesameapplicationwillmatchanapplicationspecificrule.To
ensureforwardingthroughPBFrules,applicationspecificrulesarenotrecommended.
Whennecessary,PBFrulescanbeusedtoforcetrafficthroughanadditionalvirtualsystemusingthe
ForwardtoVSYSforwardingaction.Inthiscase,itisnecessarytodefineanadditionalPBFrulethatwill
forwardthepacketfromthedestinationvirtualsystemoutthroughaparticularegressinterface onthe
firewall.
Thefollowingtablesdescribethepolicybasedforwardingsettings:
GeneralTab
SourceTab
Destination/Application/ServiceTab
ForwardingTab
Lookingformore?
RefertoPolicyBasedForwarding
GeneralTab
SelecttheGeneraltabtoconfigureanameanddescriptionforthePBFpolicy.Atagcanalsobeconfigured
toallowyoutosortorfilterpolicieswhenalargenumberofpoliciesexist.
Field Description
uniquewithinitsdevicegroupandanyancestorordescendantdevice
groups.
Description Enteradescriptionforthepolicy(upto255characters).

Policies>PolicyBasedForwarding Policies
SourceTab
Select the Source tab to define the source zone or source address that defines the incoming source traffic to
which the forwarding policy will be applied.
Field Description
SourceZone Tochoosesourcezones(defaultisany),clickAddandselectfromthe
dropdown.Todefinenewzones,refertoNetwork>Zones.
Multiplezonescanbeusedtosimplifymanagement.Forexample,ifyou
havethreedifferentinternalzones(Marketing,Sales,andPublicRelations)
thatarealldirectedtotheuntrusteddestinationzone,youcancreateone
rulethatcoversallcases.
OnlyLayer3typezonesaresupportedforpolicybasedforwarding.
SourceAddress ClickAddtoaddsourceaddresses,addressgroups,orregions(defaultisany).
Selectfromthedropdown,orclickAddress,Address Group,orRegionsat
thebottomofthedropdown,andspecifythesettings.
SourceUser ClickAddtochoosethesourceusersorgroupsofuserssubjecttothepolicy.
Thefollowingsourceusertypesaresupported:
pre-logonIncluderemoteusersthatareconnectedtothenetworkusing
GlobalProtect,butarenotloggedintotheirsystem.WhenthePrelogon
optionisconfiguredonthePortalforGlobalProtectclients,anyuserwho
isnotcurrentlyloggedintotheirmachinewillbeidentifiedwiththe
usernameprelogon.Youcanthencreatepoliciesforprelogonusersand
althoughtheuserisnotloggedindirectly,theirmachinesare
authenticatedonthedomainasiftheywerefullyloggedin.
known-userIncludesallauthenticatedusers,whichmeansanyIPwith
userdatamapped.Thisoptionisequivalenttothedomainusersgroup
onadomain.
unknownIncludesallunauthenticatedusers,whichmeansIPaddresses
thatarenotmappedtoauser.Forexample,youcoulduseunknownfor
guestlevelaccesstosomethingbecausetheywillhaveanIPonyour
network,butwillnotbeauthenticatedtothedomainandwillnothaveIP
addresstousermappinginformationonthefirewall.
SelectIncludesselectedusersasdeterminedbytheselectioninthis
window.Forexample,youmaywanttoaddoneuser,alistofindividuals,
somegroups,ormanuallyaddusers.
IfthefirewallcollectsuserinformationfromaRADIUS,TACACS+,or
SAMLidentityproviderserverandnotfromtheUserIDagent,the
listofusersdoesnotdisplay;youmustenteruserinformation
manually.

Policies Policies>PolicyBasedForwarding
Destination/Application/ServiceTab
SelecttheDestination/Application/Servicetabtodefinethedestinationsettingsthatwillbeappliedtotraffic
thatmatchestheforwardingrule.
Field Description
DestinationAddress ClickAddtoadddestinationaddresses,addressgroups,orregions(defaultisany).
Bydefault,theruleappliestoAnyIPaddress.Selectfromthedropdown,orclick
Address,Address Group,orRegionsatthebottomofthedropdown,andspecify
thesettings.
Application/Service SelectspecificapplicationsorservicesforthePBFrule.Todefinenew
applications,refertoDefiningApplications.Todefineapplicationgroups,referto
Objects>ApplicationGroups.
ApplicationspecificrulesarenotrecommendedforusewithPBF.
Wheneverpossible,useaserviceobject,whichistheLayer4port(TCPor
UDP)usedbytheprotocolorapplication.
Ifyouareusingapplicationgroups,filters,orcontainerinthePBFrule,youcan
viewdetailsontheseobjectsbyholdingyourmouseovertheobjectinthe
Applicationcolumn,clickingthedownarrowandselectingValue.Thisenablesyou
toeasilyviewapplicationmembersdirectlyfromthepolicywithouthavingtogo
totheObjecttabs.
ForwardingTab
SelecttheForwardingtabtodefinetheactionandnetworkinformationthatwillbeappliedtotrafficthat
matchestheforwardingpolicy.TrafficcanbeforwardedtoanexthopIPaddress,avirtualsystem,orthe
trafficcanbedropped.
Field Description
Action Selectoneofthefollowingoptions:
ForwardSpecifythenexthopIPaddressandegressinterface(the
interfacethatthepackettakestogettothespecifiednexthop).
Forward To VSYSChoosethevirtualsystemtoforwardtofromthe
dropdown.
DiscardDropthepacket.
No PBFDonotalterthepaththatthepacketwilltake.Thisoption,
excludesthepacketsthatmatchthecriteriafor
source/destination/application/servicedefinedintherule.Matching
packetsusetheroutetableinsteadofPBF;thefirewallusestheroute
tabletoexcludethematchedtrafficfromtheredirectedport.
EgressInterface DirectsthepackettoaspecificEgressInterface
NextHop Ifyoudirectthepackettoaspecificinterface,specifytheNextHopIP
addressforthepacket.
Monitor EnableMonitoringtoverifyconnectivitytoatargetIP Addressortothe

Next HopIPaddress.SelectMonitorandattachamonitoringProfile(default
orcustom)thatspecifiestheactionwhentheIPaddressisunreachable.

Policies>PolicyBasedForwarding Policies
Field Description
EnforceSymmetricReturn (Requiredforasymmetricroutingenvironments)SelectEnforce Symmetric

ReturnandenteroneormoreIPaddressesintheNext Hop AddressList.
Enablingsymmetricreturnensuresthatreturntraffic(say,fromtheTrust
zoneontheLANtotheInternet)isforwardedoutthroughthesameinterface
throughwhichtrafficingressesfromtheInternet.
Schedule Tolimitthedaysandtimeswhentheruleisineffect,selectaschedulefrom
thedropdown.Todefinenewschedules,refertoSettingstoControl
DecryptedSSLTraffic.

Policies Policies>Decryption
Policies>Decryption
Youcanconfigurethefirewalltodecrypttrafficforvisibility,control,andgranularsecurity.Decryption
policiescanapplytoSecureSocketsLayer(SSL)includingSSLencapsulatedprotocolssuchasIMAP(S),
POP3(S),SMTP(S),andFTP(S),andSecureShell(SSH)traffic.SSHdecryptioncanbeusedtodecrypt
outboundandinboundSSHtraffictoassurethatsecureprotocolsarenotbeingusedtotunneldisallowed
applicationsandcontent.
Addadecryptionpolicyruletodefinetrafficthatyouwanttodecrypt(forexample,youcandecrypttraffic
basedonURLcategorization).Decryptionpolicyrulesarecomparedagainstthetrafficinsequence,somore
specificrulesmustprecedethemoregeneralones.
SSLforwardproxydecryptionrequirestheconfigurationofatrustedcertificatethatwillbepresentedtothe
useriftheservertowhichtheuserisconnectingpossessesacertificatesignedbyaCAtrustedbythe
firewall.CreateacertificateontheDevice > Certificate Management > Certificatespageandthenclickthename
ofthecertificateandselectForward Trust Certificate.
Certainapplicationswillnotfunctioniftheyaredecryptedbythefirewall.Topreventthisfrom
occurring,PANOSwillnotdecrypttheSSLtrafficfortheseapplicationsandthedecryption
rulesettingswillnotapply.
RefertotheListofApplicationsExcludedfromSSLDecryption.
Thefollowingtablesdescribethedecryptionpolicysettings:
GeneralTab
SourceTab
DestinationTab
Service/URLCategoryTab
OptionsTab
Lookingformore?
SeeDecryption
GeneralTab
SelecttheGeneraltabtoconfigureanameanddescriptionforthedecryptionpolicy.Atagcanalsobe
configuredtoallowyoutosortorfilterpolicieswhenalargenumberofpoliciesexist.
Field Description
groups.

Policies>Decryption Policies
Field Description
SourceTab
SelecttheSourcetabtodefinethesourcezoneorsourceaddressthatdefinestheincomingsourcetraffictowhichthe
decryptionpolicywillbeapplied.
Field Description
SourceZone ClickAddtochoosesourcezones(defaultisany).Zonesmustbeofthesame
type(Layer2,Layer3,orvirtualwire).Todefinenewzones,refertoNetwork
>Zones.
SourceAddress ClickAddtoaddsourceaddresses,addressgroups,orregions(defaultisany).
Selectfromthedropdown,orclickAddress,Address Group,orRegionsat
thebottomofthedropdown,andspecifythesettings.SelectNegateto
chooseanyaddressexcepttheconfiguredones.

Policies Policies>Decryption
Field Description
SourceUser ClickAddtochoosethesourceusersorgroupsofuserssubjecttothepolicy.
Thefollowingsourceusertypesaresupported:
pre-logonIncluderemoteusersthatareconnectedtothenetworkusing
GlobalProtect,butarenotloggedintotheirsystem.WhenthePrelogon
optionisconfiguredonthePortalforGlobalProtectclients,anyuserwho
althoughtheuserisnotloggedindirectly,theirmachinesare
authenticatedonthedomainasiftheywerefullyloggedin.
known-userIncludesallauthenticatedusers,whichmeansanyIPwith
userdatamapped.Thisoptionisequivalenttothedomainusersgroup
onadomain.
guestlevelaccesstosomethingbecausetheywillhaveanIPonyour
tousermappinginformationonthefirewall.
SelectIncludesselectedusersasdeterminedbytheselectioninthis
window.Forexample,youmaywanttoaddoneuser,alistofindividuals,
somegroups,ormanuallyaddusers.
SAMLidentityproviderserverandnotfromtheUserIDagent,the
listofusersdoesnotdisplay;youmustenteruserinformation
manually.
DestinationTab
SelecttheDestinationtab todefinethedestinationzoneordestinationaddressthatdefinesthedestination
traffictowhichthepolicywillbeapplied.
Field Description
DestinationZone ClickAddtochoosedestinationzones(defaultisany).Zonesmustbeofthe
sametype(Layer2,Layer3,orvirtualwire).Todefinenewzones,referto
Network>Zones.
DestinationAddress ClickAddtoadddestinationaddresses,addressgroups,orregions(defaultis
any).Selectfromthedropdown,orclickAddress,Address Group,or
Regionsatthebottomofthedropdown,andspecifythesettings.Select
Negatetochooseanyaddressexcepttheconfiguredones.

Policies>Decryption Policies
Service/URLCategoryTab
SelecttheService/URL CategorytabtoapplythedecryptionpolicytotrafficbasedonTCPportnumberorto
anyURLcategory(oralistofcategories).
Field Description
Service ApplythedecryptionpolicytotrafficbasedonspecificTCPportnumbers.
Chooseoneofthefollowingfromthedropdown:
anyTheselectedapplicationsareallowedordeniedonanyprotocolor
port.
application-defaultTheselectedapplicationsaredecrypted(orare
exemptfromdecryption)onlyonthedefaultportsdefinedforthe
applicationsbyPaloAltoNetworks.
SelectClickAdd.ChooseanexistingserviceorspecifyanewServiceor
Service Group.(OrselectObjects>ServicesandObjects>Service
Groups).
URLCategoryTab SelectURLcategoriesforthedecryptionrule.
ChooseanytomatchanysessionsregardlessoftheURLcategory.
Tospecifyacategory,clickAddandselectaspecificcategory(includinga
customcategory)fromthedropdown.Youcanaddmultiplecategories.
Refertoforinformationondefiningcustomcategories.
OptionsTab
SelecttheOptionstabtodetermineifthematchedtrafficshouldbedecryptedornot.IfDecryptisset,specify
thedecryptiontype.Youcanalsoaddadditionaldecryptionfeaturesbyconfiguringorselectingadecryption
profile.
Field Description
Action Selectdecryptorno-decryptforthetraffic.
Type Selectthetypeoftraffictodecryptfromthedropdown:
SSL Forward ProxySpecifiesthatthepolicywilldecryptclienttraffic
destinedforanexternalserver.
SSH ProxySpecifiesthatthepolicywilldecryptSSHtraffic.Thisoption
allowsyoutocontrolSSHtunnelinginpoliciesbyspecifyingthe
sshtunnelAppID.
SSL Inbound InspectionSpecifiesthatthepolicywilldecryptSSL
inboundinspectiontraffic.
DecryptionProfile Attachadecryptionprofiletothepolicyruleinordertoblockandcontrol
certainaspectsofthetraffic.Fordetailsoncreatingadecryptionprofile,
selectObjects>DecryptionProfile.

Policies Policies>TunnelInspection
Policies>TunnelInspection
Youcanconfigurethefirewalltoinspectthetrafficcontentofthefollowingcleartexttunnelprotocols:
GenericRoutingEncapsulation(GRE)
NonencryptedIPSectraffic(NULLEncryptionAlgorithmforIPSecandtransportmodeAHIPSec)
GeneralPacketRadioService(GPRS)TunnelingProtocolforUserData(GTPU);supportedonlyon
PA5200SeriesandVMSeriesfirewalls.
YoucanusetunnelcontentinspectiontoenforceSecurity,DoSProtection,andQoSpoliciesontrafficin
thesetypesoftunnelsandontrafficnestedwithinanothercleartexttunnel(forexample,NullEncrypted
IPSecinsideaGREtunnel).
CreateaTunnelInspectionpolicythat,whenmatchinganincomingpacket,determineswhichtunnel
protocolsinthepacketthefirewallwillinspectandthatspecifiestheconditionsunderwhichthefirewall
dropsorcontinuestoprocessthepacket.YoucanviewtunnelinspectionlogsandtunnelactivityintheACC
toverifythattunneledtrafficcomplieswithyourcorporatesecurityandusagepolicies.
ThefirewallsupportstunnelcontentinspectiononEthernetinterfacesandsubinterfaces,AEinterfaces,
VLANinterfaces,andVPNandLSVPNtunnels.ThefeatureissupportedinLayer3,Layer2,virtualwire,and
tapdeployments.Tunnelcontentinspectionworksonsharedgatewaysandonvirtualsystemtovirtual
systemcommunications.
Whatarethefieldsavailableto BuildingBlocksinaTunnelInspectionPolicy
createaTunnelInspectionpolicy?
HowcanIviewtunnelinspection LogTypesandSeverityLevels
logs?
Lookingformore? TunnelContentInspection
BuildingBlocksinaTunnelInspectionPolicy
ThefollowingtabledescribesthefieldsyouconfigureforaTunnelInspectionpolicy.

aTunnel
InspectionPolicy
Name General EnteranamefortheTunnelInspectionpolicybeginningwithanalphanumeric

characterandcontainingzeroormorealphanumeric,underscore(_),hyphen(),
dot(.),andspacecharacters.
Description (Optional)EnteradescriptionfortheTunnelInspectionpolicy.
Tags (Optional)Enteroneormoretagsforreportingandloggingpurposesthat
identifythepacketsthataresubjecttotheTunnelInspectionpolicy.

Policies>TunnelInspection Policies

aTunnel
InspectionPolicy
SourceZone Source AddoneormoresourcezonesofpacketstowhichtheTunnelInspectionpolicy

applies(defaultisAny).
SourceAddress (Optional)AddsourceIPv4orIPv6addresses,addressgroups,orGeoRegion
addressobjectsofpacketstowhichtheTunnelInspectionpolicyapplies
(defaultisAny).
SourceUser (Optional)AddsourceusersofpacketstowhichtheTunnelInspectionpolicy
applies(defaultisany).
Negate (Optional)SelectNegatetochooseanyaddressesexceptthespecifiedones.
DestinationZone Destination AddoneormoredestinationzonesofpacketstowhichtheTunnelInspection

policyapplies(defaultisAny).
Destination (Optional)AdddestinationIPv4orIPv6addresses,addressgroups,orGeo
Address RegionaddressobjectsofpacketstowhichtheTunnelInspectionpolicyapplies
(defaultisAny).
Negate (Optional)SelectNegatetochooseanyaddressesexceptthespecifiedones.
TunnelProtocol Inspection AddoneormoretunnelProtocolsthatyouwantthefirewalltoinspect:

GREFirewallinspectspacketsthatuseGenericRouteEncapsulationinthe
tunnel.
GTP-UFirewallinspectspacketsthatuseGeneralPacketRadioService
(GPRS)TunnelingProtocolforUserData(GTPU)inthetunnel(supported
onlyonPA5200SeriesandVMSeriesfirewalls).
Non-encrypted IPSecFirewallinspectspacketsthatusenonencrypted
IPSec(NullEncryptedIPSecortransportmodeAHIPSec)inthetunnel.
Toremoveaprotocolfromyourlist,selectandDeleteit.
MaximumTunnel Inspection > Selectthemaximumleveloftunnelsthefirewallwillinspect:One Level(default)

InspectionLevels Inspect orTwo Levels (Tunnel In Tunnel).
Options
Droppacketif (Optional)Droppacketsthatcontainmorelevelsofencapsulationthan
overmaximum configuredforMaximumTunnelInspectionLevels.
tunnelinspection
level
Droppacketif (Optional)Droppacketsthatcontainatunnelprotocolthatusesaheaderthat
tunnelprotocol isnoncompliantwiththeRFCforthatprotocol.Noncompliantheaderscan
failsstrictheader indicatesuspiciouspackets.ThisoptioncausesthefirewalltoverifyGRE
check headersagainstRFC2890.
DontenablethisoptionifyourfirewallistunnelingGREwithadevicethat
implementsaversionofGREolderthanRFC2890.
Droppacketif (Optional)Droppacketsthatcontainaprotocolinsidethetunnelthatthe
unknownprotocol firewallcannotidentify.
insidetunnel

Policies Policies>TunnelInspection

aTunnel
InspectionPolicy
EnableSecurity Inspection > (Optional)Enable Security Optionstoassignsecurityzonesforseparate

Options Security Securitypolicytreatmentoftunnelcontent.Theinnercontentsourcewill
Options belongtotheTunnel Source Zoneyouspecifyandtheinnercontent
destinationwillbelongtotheTunnel Destination Zoneyouspecify.
IfyoudonotEnable Security Options,theinnercontentsourcebelongstothe
samesourcezoneastheoutertunnelsource,andtheinnercontentdestination
belongstothesamedestinationzoneastheoutertunneldestination.
Therefore,boththeinnercontentsourceanddestinationaresubjecttothe
sameSecuritypoliciesthatapplytothoseouterzones.
TunnelSource (Optional)Selectoneofthefollowing:
Zone DefaultTheinnercontentwillusethesamezonethatisusedintheouter
tunnelforpolicyenforcement.
AseparatetunnelzoneAtunnelzoneyoucreatesothattheSecurity
policiesassociatedwiththatzoneapplytothetunnelsourcezone.
Tunnel (Optional)Selectoneofthefollowing:
DestinationZone DefaultTheinnercontentwillusethesamezonethatisusedintheouter
tunnelforpolicyenforcement.
AseparatetunnelzoneAtunnelzoneyoucreatesothattheSecurity
policiesassociatedwiththatzoneapplytothetunneldestinationzone.
MonitorName Inspection > (Optional)Enteramonitornametogroupsimilartraffictogetherformonitoring

Monitor thetrafficinlogsandreports.
Options
MonitorTag (Optional)Enteramonitortagnumberthatcangroupsimilartraffictogetherfor
(number) loggingandreporting(rangeis1to16,777,215).Thetagnumberisglobally
defined.

Policies>ApplicationOverride Policies
Policies>ApplicationOverride
Tochangehowthefirewallclassifiesnetworktrafficintoapplications,youcanspecifyapplicationoverride
policies.Forexample,ifyouwanttocontroloneofyourcustomapplications,anapplicationoverridepolicy
canbeusedtoidentifytrafficforthatapplicationaccordingtozone,sourceanddestinationaddress,port,
andprotocol.Ifyouhavenetworkapplicationsthatareclassifiedasunknown,youcancreatenew
applicationdefinitionsforthem(refertoDefiningApplications).
Likesecuritypolicies,applicationoverridepoliciescanbeasgeneralorspecificasneeded.Thepolicyrules
arecomparedagainstthetrafficinsequence,sothemorespecificrulesmustprecedethemoregeneralones.
BecausetheAppIDengineinPANOSclassifiestrafficbyidentifyingtheapplicationspecificcontentin
networktraffic,thecustomapplicationdefinitioncannotsimplyuseaportnumbertoidentifyanapplication.
Theapplicationdefinitionmustalsoincludetraffic(restrictedbysourcezone,sourceIPaddress,destination
zone,anddestinationIPaddress).
Tocreateacustomapplicationwithapplicationoverride:
Createacustomapplication(seeDefiningApplications).Itisnotrequiredtospecifysignaturesforthe
applicationiftheapplicationisusedonlyforapplicationoverriderules.
Defineanapplicationoverridepolicythatspecifieswhenthecustomapplicationshouldbeinvoked.A
policytypicallyincludestheIPaddressoftheserverrunningthecustomapplicationandarestrictedset
ofsourceIPaddressesorasourcezone.
Usethefollowingtablestoconfigureanapplicationoverriderule.
GeneralTab
SourceTab
DestinationTab
Protocol/ApplicationTab
Lookingformore?
SeeUseApplicationObjectsinPolicy

Policies Policies>ApplicationOverride
GeneralTab
SelecttheGeneraltabtoconfigureanameanddescriptionfortheapplicationoverridepolicy.Atagcanalso
beconfiguredtoallowyoutosortorfilterpolicieswhenalargenumberofpoliciesexist.
Field Description
groups.
SourceTab
SelecttheSourcetabtodefinethesourcezoneorsourceaddressthatdefinestheincomingsourcetrafficto
whichtheapplicationoverridepolicywillbeapplied.
Field Description
SourceZone Addsourcezones(defaultisany).Zonesmustbeofthesametype(Layer2,
Layer3,orvirtualwire).Todefinenewzones,refertoNetwork>Zones.
SourceAddress Addsourceaddresses,addressgroups,orregions(defaultisany).Selectfrom
thedropdown,orclickAddress,Address Group,orRegionsatthebottom
ofthedropdown,andspecifythesettings.
SelectNegatetochooseanyaddressexcepttheconfiguredones.

Policies>ApplicationOverride Policies
DestinationTab
SelecttheDestinationtab todefinethedestinationzoneordestinationaddressthatdefinesthedestination
traffictowhichthepolicywillbeapplied.
Field Description
DestinationZone ClickAddtochoosedestinationzones(defaultisany).Zonesmustbeofthe
sametype(Layer2,Layer3,orvirtualwire).Todefinenewzones,referto
Network>Zones.
DestinationAddress ClickAddtoadddestinationaddresses,addressgroups,orregions(defaultis
any).Selectfromthedropdown,orclickAddress,Address Group,or
Regionsatthebottomofthedropdown,andspecifythesettings.
SelectNegatetochooseanyaddressexcepttheconfiguredones.
Protocol/ApplicationTab
SelecttheProtocol/Applicationtabtodefinetheprotocol(TCPorUDP),port,andapplicationthatfurther
definestheattributesoftheapplicationforthepolicymatch.
Field Description
Protocol Selecttheprotocol(TCPorUDP)forwhichtoallowanapplicationoverride.
Port Entertheportnumber(0to65535)orrangeofportnumbers(port1port2)
forthespecifieddestinationaddresses.Multipleportsorrangesmustbe
separatedbycommas.
Application Selecttheoverrideapplicationfortrafficflowsthatmatchtheaboverule
criteria.Whenoverridingtoacustomapplication,thereisnothreat
inspectionthatisperformed.Theexceptiontothisiswhenyouoverridetoa
predefinedapplicationthatsupportsthreatinspection.
Todefinenewapplications,refertoObjects>Applications).

Policies Policies>Authentication
Policies>Authentication
YourAuthenticationpolicyenablesyoutoauthenticateendusersbeforetheycanaccessnetworkresources.
Whatarethefieldsavailableto BuildingBlocksofanAuthenticationPolicyRule
createanAuthenticationrule?
HowcanIusethewebinterfaceto CreateandManageAuthenticationPolicy
manageAuthenticationpolicy?
ForPanorama,seeMoveorCloneaPolicyRule
Looking for more? AuthenticationPolicy
BuildingBlocksofanAuthenticationPolicyRule
Wheneverauserrequestsaresource(suchaswhenvisitingawebpage),thefirewallevaluates
Authenticationpolicy.Basedonthematchingpolicyrule,thefirewallthenpromptstheusertorespondto
oneormorechallengesofdifferentfactors(types),suchasloginandpassword,voice,SMS,push,or
onetimepassword(OTP)authentication.Aftertheuserrespondstoallthefactors,thefirewallevaluates
Securitypolicy(seePolicies>Security)todeterminewhethertoallowaccesstotheresource.
Thefirewalldoesnotpromptuserstoauthenticateiftheyaccessnonwebbasedresources(suchasaprinter)
throughaGlobalProtectgateway thatisinternalorintunnelmode.Instead,theuserswillseeconnection
failuremessages.Toensureuserscanaccesstheseresources,setupanauthenticationportalandtrainusersto
visititwhentheyseeconnectionfailures.ConsultyourITdepartmenttosetupanauthenticationportal.
ThefollowingtabledescribeseachbuildingblockorcomponentinanAuthenticationpolicyrule.Beforeyou
Addarule,completetheprerequisitesdescribedinCreateandManageAuthenticationPolicy.

anAuthentication
Rule
Rulenumber N/A Eachruleisautomaticallynumberedandtheorderchangesas

rulesaremoved.Whenyoufilterrulestomatchspecificfilters,
thePolicies > Authenticationpagelistseachrulewithits
numberinthecontextofthecompletesetofrulesinthe
rulebaseanditsplaceintheevaluationorder.Fordetails,see
rulesequenceanditsevaluationorder .
Name General Enteranametoidentifytherule.Thenameiscasesensitiveand

canhaveupto31characters,whichcanbeletters,numbers,
spaces,hyphens,andunderscores.Thenamemustbeuniqueon
afirewalland,onPanorama,uniquewithinitsdevicegroupand
anyancestorordescendantdevicegroups.
Tag Selectatagforsortingandfilteringrules(seeObjects>Tags).

Policies>Authentication Policies

anAuthentication
Rule
SourceZone Source Addzonestoapplytheruleonlytotrafficcomingfrom

interfacesinthezonesthatyouspecify(defaultisany).
Todefinenewzones,seeNetwork>Zones.
SourceAddress Addaddressesoraddressgroupstoapplytheruleonlytotraffic
originatingfromthesourcesthatyouspecify(defaultisany).
SelectNegatetochooseanyaddressexcepttheselectedones.
Todefinenewaddressoraddressgroups,seeObjects>
AddressesandObjects>AddressGroups.
SourceUser User Selectthesourceusersorusergroupstowhichtheruleapplies:

anyIncludesanytrafficregardlessofsourceuser.
pre-logonIncludesremoteuserswhoarenotloggedinto
theirclientsystemsbutwhoseclientsystemsconnecttothe
networkthroughtheGlobalProtectprelogonfeature .
known-userIncludesallusersforwhomthefirewallalready
hasIPaddresstousernamemappingsbeforetheruleevokes
authentication.
unknownIncludesallusersforwhomthefirewalldoesnot
haveIPaddresstousernamemappings.Aftertherule
evokesauthentication,thefirewallcreatesusermappingsfor
unknownusersbasedontheusernamestheyentered.
SelectIncludesonlytheusersandusergroupsthatyouAdd
totheSourceUserlist.
IfthefirewallcollectsuserinformationfromaRADIUS,
TACACS+,orSAMLidentityproviderserverandnot
fromtheUserIDagent,thelistofusersdoesnot
display;youmustenteruserinformationmanually.
SourceHIPProfile Addhostinformationprofiles(HIP)toidentifyusers.AHIP
enablesyoutocollectinformationaboutthesecuritystatusof
yourendhosts,suchaswhethertheyhavethelatestsecurity
patchesandantivirusdefinitions.Fordetailsandtodefinenew
HIPs,seeObjects>GlobalProtect>HIPProfiles.
DestinationZone Destination Addzonestoapplytheruleonlytotrafficgoingtointerfacesin

thezonesthatyouspecify(defaultisany).Todefinenewzones,
seeNetwork>Zones.
Destination Addaddressesoraddressgroupstoapplytheruleonlytothe
Address destinationsthatyouspecify(defaultisany).
SelectNegatetochooseanyaddressexcepttheselectedones.
Todefinenewaddressoraddressgroups,seeObjects>
AddressesandObjects>AddressGroups.

Policies Policies>Authentication

anAuthentication
Rule
Service Service/URL Category Selectfromthefollowingoptionstoapplytheruleonlyto

servicesonspecificTCPandUDPportnumbers:
anySpecifiesservicesonanyportandusinganyprotocol.
defaultSpecifiesservicesonlyonthedefaultportsthatPalo
AltoNetworksdefines.
SelectEnablesyoutoAddservicesorservicegroups.To
createnewservicesandservicegroups,seeObjects>
ServicesandObjects>ServiceGroups.
URLCategory SelecttheURLcategoriestowhichtheruleapplies:
SelectanytospecifyalltrafficregardlessoftheURL
category.
Addcategories.Todefinecustomcategories,seeObjects>
CustomObjects>URLCategory.
Authentication Actions Selecttheauthenticationenforcementobject(Objects>

Enforcement Authentication)thatspecifiesthemethod(suchasCaptive
Portalorbrowserchallenge)andauthenticationprofilethatthe
firewallusestoauthenticateusers.Theauthenticationprofile
defineswhetherusersrespondtoasinglechallengeorto
multifactorauthentication(seeDevice>Authentication
Profile).Youcanselectapredefinedorcustomauthentication
enforcementobject.
Timeout Toreducethefrequencyofauthenticationchallengesthat
interrupttheuserworkflow,youcanspecifytheintervalin
minutes(defaultis60)whenthefirewallpromptstheuserto
authenticateonlyonceforrepeatedaccesstoresources.
IftheAuthentication Enforcementobjectspecifiesmultifactor
authentication,theusermustauthenticateonceforeachfactor.
Thefirewallrecordsatimestampandreissuesachallengeonly
whenthetimeoutforafactorexpires.Redistributing the
timestampstootherfirewallsenablesyoutoapplythetimeout
evenifthefirewallthatinitiallyallowsaccessforauserisnotthe
samefirewallthatlatercontrolsaccessforthatuser.
Log Selectthisoption(disabledbydefault)ifyouwantthefirewallto
Authentication generateAuthenticationlogswhenevertheTimeoutassociated
Timeouts withanauthenticationfactorexpires.Enablingthisoption
providesmoredatatotroubleshootaccessissues.In
conjunctionwithcorrelationobjects,youcanalsouse
Authenticationlogstoidentifysuspiciousactivityonyour
network(suchasbruteforceattacks).
Enablingthisoptionincreaseslogtraffic.
LogForwarding SelectaLogForwardingprofileifyouwantthefirewallto
forwardAuthenticationlogstoPanoramaortoexternalservices
suchasasyslogserver(seeObjects>LogForwarding).

Policies>Authentication Policies
CreateandManageAuthenticationPolicy
SelectthePolicies > AuthenticationpagetocreateandmanageAuthenticationpolicyrules:
Task Description
Add PerformthefollowingprerequisitesbeforecreatingAuthenticationpolicyrules:
ConfiguretheUserIDCaptivePortalsettings(seeDevice>User
Identification>CaptivePortalSettings).ThefirewallusesCaptivePortalto
displaythefirstauthenticationfactorthattheAuthenticationrulerequires.
CaptivePortalalsoenablesthefirewalltorecordthetimestampsassociated
withauthenticationTimeoutperiodsandtoupdateusermappings.
Configureaserverprofilethatspecifieshowthefirewallcanaccesstheservice
thatwillauthenticateusers(seeDevice>ServerProfiles).
Assigntheserverprofiletoanauthenticationprofilethatspecifies
authenticationsettings(seeDevice>AuthenticationProfile).
Assigntheauthenticationprofiletoanauthenticationenforcementobjectthat
specifiestheauthenticationmethod(seeObjects>Authentication).
Tocreatearule,performoneofthefollowingstepsandthencompletethefields
describedinBuildingBlocksofanAuthenticationPolicyRule:
ClickAdd.
SelectaruleonwhichtobasethenewruleandclickClone Rule.Thefirewall
insertsthecopiedrule,named<rulename>#,belowtheselectedrule,where#is
thenextavailableintegerthatmakestherulenameunique.Fordetails,seeMove
orCloneaPolicyRule.
Modify Tomodifyarule,clicktheruleNameandeditthefieldsdescribedinBuildingBlocks
ofanAuthenticationPolicyRule.
IfthefirewallreceivedtherulefromPanorama,theruleisreadonly;youcan
edititonlyonPanorama.
Move Whenmatchingtraffic,thefirewallevaluatesrulesfromtoptobottomintheorder
thatthePolicies > Authenticationpageliststhem.Tochangetheevaluationorder,
selectaruleandMove Up,Move Down,Move Top,orMove Bottom.Fordetails,see
MoveorCloneaPolicyRule.
Delete Toremoveanexistingrule,selectandDeleteit.
Enable/Disable Todisablearule,selectandDisableit.Toreenableadisabledrule,selectandEnable
it.
Highlight Toidentifyrulesthathavenotmatchedtrafficsincethelasttimethefirewallwas
UnusedRules restarted,Highlight Unused Rules.Youcanthendecidewhethertodisableordelete
unusedrules.Thepagehighlightsunusedruleswithadottedyellowbackground.
Previewrules ClickPreview Rulestoviewalistoftherulesbeforeyoupushtherulestothe

(Panorama managedfirewalls.Withineachrulebase,thepagevisuallydemarcatestherule
only) hierarchyforeachdevicegroup(andmanagedfirewall)tofacilitatescanningof
numerousrules.

Policies Policies>DoSProtection
Policies>DoSProtection
WhatisaDoSProtectionpolicy? DoSProtectionPolicyOverview
Whatarethefieldsavailableto BuildingBlocksofaDoSProtectionPolicy
createaDoSProtectionpolicy?
HowdoIconfigureaDoS SeeObjects>SecurityProfiles>DoSProtection
Protectionprofile?
Lookingformore? SeeDosProtectionPolicies
DoSProtectionPolicyOverview
ADoSProtectionpolicyallowsyoutoprotectagainstDoSattacksbyspecifyingwhethertodenyorallow
packetsthatmatchasourceinterface,zone,addressoruserand/oradestinationinterface,zone,oruser.
Alternatively,youcanchoosetheProtectactionandspecifyaDoSprofilewhereyousetthethresholds
(sessionsorpacketspersecond)thattriggeranalarm,activateaprotectiveaction,andindicatethemaximum
rateabovewhichpacketsaredropped.Thus,youcancontrolthenumberofsessionsbetweeninterfaces,
zones,addresses,andcountriesbasedonaggregatesessionsorsourceand/ordestinationIPaddresses.For
example,youcancontroltraffictoandfromcertainaddressesoraddressgroups,orfromcertainusersand
forcertainservices.
ThefirewallenforcesDoSProtectionpolicyrulesbeforeSecuritypolicyrulestoensurethefirewallusesits
resourcesinthemostefficientmanner.IfaDoSProtectionpolicyruledeniesapacket,thatpacketnever
reachesaSecuritypolicyrule.

Policies>DoSProtection Policies
BuildingBlocksofaDoSProtectionPolicy

aDoSProtection
Policy
Name Policies > DoS EnteranametoidentifytheDoSProtectionpolicyrule.Thenameis

Protection > casesensitiveandcanhaveupto31characters,whichcanbeletters,numbers,
General spaces,hyphens,andunderscores.Thenamemustbeuniqueonafirewalland,
onPanorama,uniquewithinitsdevicegroupandanyancestorordescendant
devicegroups.
Tags Ifyouwanttotagthepolicy,Addandspecifythetag.
Apolicytagisakeywordorphrasethatallowsyoutosortorfilterpolicies.A
tagisusefulwhenyouhavedefinedmanypoliciesandwanttoviewthosethat
aretaggedwithaparticularkeyword.Forexample,youmaywanttotagcertain
securitypolicieswithInboundtoDMZ,decryptionpolicieswiththewords
DecryptorNodecrypt,orusethenameofaspecificdatacenterforpolicies
associatedwiththatlocation.

Policies Policies>DoSProtection

aDoSProtection
Policy
Type Policies > DoS SelectthetypeofsourcetowhichtheDoSProtectionpolicyruleapplies:

Protection > InterfaceApplytheruletotrafficcomingfromthespecifiedinterfaceor
Source groupofinterfaces.
ZoneApplytheruletotrafficcomingfromanyinterfaceinaspecifiedzone.
ClickAddtoselectmultipleinterfacesorzones.
SourceAddress SelectAnyorAddandspecifyoneormoresourceaddressestowhichtheDoS
Protectionpolicyruleapplies.
(Optional)SelectNegatetospecifythattheruleappliestoanyaddresses
exceptthosespecified.
SourceUser SpecifyoneormoresourceuserstowhichtheDoSProtectionpolicyrule
applies:
anyIncludespacketsregardlessofthesourceuser.
pre-logonIncludespacketsfromremoteusersthatareconnectedtothe
networkusingGlobalProtect,butarenotloggedintotheirsystem.When
pre-logonisconfiguredonthePortalforGlobalProtectclients,anyuserwho
althoughtheuserisnotdirectlyloggedin,theirmachinesareauthenticated
onthedomainasiftheywerefullyloggedin.
known-userIncludesallauthenticatedusers,whichmeansanyIPaddress
withuserdatamapped.Thisoptionisequivalenttothedomainusersgroup
onadomain.
guestlevelaccesstosomethingbecausetheywillhaveanIPaddressonyour
addresstousernamemappinginformationonthefirewall.
SelectIncludesusersspecifiedinthiswindow.Forexample,youcanselect
oneuser,alistofindividuals,somegroups,ormanuallyaddusers.
SAMLidentityproviderserverandnotfromtheUserIDagent,thelist
ofusersdoesnotdisplay;youmustenteruserinformationmanually.
Type Policies > DoS SelectthetypeofdestinationtowhichtheDoSProtectionpolicyruleapplies:

Protection > InterfaceApplytheruletopacketsgoingtothespecifiedinterfaceorgroup
Destination ofinterfaces.ClickAddandselectoneormoreinterfaces.
ZoneApplytheruletopacketsgoingtoanyinterfaceinthespecifiedzone.
ClickAddandselectoneormorezones.
Destination SelectAnyorAddandspecifyoneormoredestinationaddressestowhichthe
Address DoSProtectionpolicyruleapplies.
(Optional)SelectNegatetospecifythattheruleappliestoanyaddresses
exceptthosespecified.

Policies>DoSProtection Policies

aDoSProtection
Policy
Service Policies > DoS ClickAddandselectoneormoreservicestowhichtheDoSProtectionpolicy

Protection > applies.ThedefaultisAnyservice.
Option /
Action Protection SelecttheactionthatthefirewallperformsonpacketsthatmatchtheDoS
Protectionpolicyrule:
DenyDropallpacketsthatmatchtherule.
AllowPermitallpacketsthatmatchtherule.
ProtectEnforceprotections(onpacketsthatmatchtherule)specifiedin
theDoSProtectionprofileappliedtothisrule.Packetsthatmatchtherule
arecountedtowardthethresholdratesintheDoSProtectionprofile,which
inturntriggeranalarm,activateanotheraction,andtriggerpacketdrops
whenthemaximumrateisexceeded.
Schedule SpecifytheschedulewhentheDoSProtectionpolicyruleisineffect.The
defaultsettingofNoneindicatesnoschedule;thepolicyisalwaysineffect.
Alternatively,selectascheduleorcreateanewscheduletocontrolwhenthe
DoSProtectionpolicyruleisineffect.EnteraNamefortheschedule.Select
Sharedtosharethisschedulewitheveryvirtualsystemonamultiplevirtual
systemfirewall.SelectaRecurrence ofDaily,Weekly,orNon-recurring.Add
aStart TimeandEnd Timeinhours:minutes,basedona24hourclock.
LogForwarding Ifyouwanttotriggerforwardingofthreatlogentriesformatchedtraffictoan
externalservice,suchastoasyslogserverorPanorama,selectaLog
ForwardingprofileorclickProfiletocreateanewone.
Onlytrafficthatmatchesanactionintherulewillbeloggedand
forwarded.
Aggregate SelectanAggregateDoSProtectionprofilethatspecifiesthethresholdratesat
whichtheincomingconnectionspersecondtriggeranalarm,activateanaction,
andexceedamaximumrate.Allincomingconnections(theaggregate)count
towardthethresholdsspecifiedinanAggregateDoSProtectionprofile.
AnAggregateprofilesettingofNonemeanstherearenothresholdsettingsin
placefortheaggregatetraffic.SeeObjects>SecurityProfiles>DoS
Protection.
Classified Selectthisoptionandspecifythefollowing:
ProfileSelectaClassifiedDoSProtectionprofiletoapplytothisrule.
AddressSelectwhetherincomingconnectionscounttowardthe
thresholdsintheprofileiftheymatchthesource-ip-only,
destination-ip-only,orsrc-dest-ip-both.
IfyouspecifyaClassifiedDoSProtectionprofile,onlytheincoming
connectionsthatmatchasourceIPaddress,destinationIPaddress,orsource
anddestinationIPaddresspaircounttowardthethresholdsspecifiedinthe
profile.Forexample,youcanspecifyaClassifiedDoSProtectionprofilewitha
Max Rateof100cps,andspecifyanAddresssettingofsource-ip-onlyinthe
rule.Theresultwouldbealimitof100connectionspersecondforthat
particularsourceIPaddress.
SeeObjects>SecurityProfiles>DoSProtection.

Objects
Objectsaretheelementsthatenableyoutoconstruct,schedule,andsearchforpolicyrules,andSecurity
Profilesprovidethreatprotectioninpolicyrules.
ThissectiondescribeshowtoconfiguretheSecurityProfilesandobjectsthatyoucanusewithPolicies:
Move,Clone,Override,orRevertObjects
Objects>Addresses
Objects>AddressGroups
Objects>Regions
Objects>Applications
Objects>ApplicationGroups
Objects>ApplicationFilters
Objects>Services
Objects>ServiceGroups
Objects>Tags
Objects>GlobalProtect>HIPObjects
Objects>GlobalProtect>HIPProfiles
Objects>ExternalDynamicLists
Objects>CustomObjects
Objects>SecurityProfileGroups
Objects>LogForwarding
Objects>Authentication
Objects>DecryptionProfile
Objects>Schedules

Move,Clone,Override,orRevertObjects Objects
Move,Clone,Override,orRevertObjects
Seethefollowingtopicsforoptionstomodifyexistingobjects:
MoveorCloneanObject
OverrideorRevertanObject
MoveorCloneanObject
Whenmovingorcloningobjects,youcanassignaDestination(avirtualsystemonafirewalloradevicegroup
onPanorama)forwhichyouhaveaccesspermissions,includingtheSharedlocation.
Tomoveanobject,selecttheobjectintheObjectstab,clickMove,selectMove to other vsys(firewallonly)or
Move to other device group(Panoramaonly),completethefieldsinthefollowingtable,andthenclickOK.
Tocloneanobject,selecttheobjectintheObjectstab,clickClone,completethefieldsinthefollowingtable,
andthenclickOK.
Move/CloneSettings Description
SelectedObjects DisplaystheNameandcurrentLocation(virtualsystemordevice
group)ofthepoliciesorobjectsyouselectedfortheoperation.
Destination Selectthenewlocationforthepolicyorobject:avirtualsystem,device
group,orShared.ThedefaultvalueistheVirtual SystemorDevice
GroupthatyouselectedinthePoliciesorObjectstab.
Erroroutonfirstdetectederror Selectthisoption(selectedbydefault)tomakethefirewallor
invalidation Panoramadisplaythefirsterroritfindsandstopcheckingformore
errors.Forexample,anerroroccursiftheDestinationdoesntinclude
anobjectthatisreferencedinthepolicyruleyouaremoving.Ifyou
clearthisselection,thefirewallorPanoramawillfindallerrorsbefore
displayingthem.
OverrideorRevertanObject
InPanorama,youcannestdevicegroupsinatreehierarchyofuptofourlevels.Atthebottomlevel,adevice
groupcanhaveparent,grandparent,andgreatgrandparentdevicegroupsatsuccessivelyhigherlevels
collectivelycalledancestorsfromwhichthebottomleveldevicegroupinheritspoliciesandobjects.Atthe
toplevel,adevicegroupcanhavechild,grandchild,andgreatgrandchilddevicegroupscollectivelycalled
descendants.Youcanoverrideanobjectinadescendantsothatitsvaluesdifferfromthoseinanancestor.
Thisoverridecapabilityisenabledbydefault.However,youcannotoverridesharedordefault
(preconfigured)objects.Thewebinterfacedisplaysthe icontoindicateanobjecthasinheritedvalues
anddisplaysthe icontoindicateaninheritedobjecthasoverriddenvalues.
OverrideanobjectSelecttheObjectstab,selectthedescendantDevice Groupthatwillhavethe
overriddenversion,selecttheobject,clickOverride,andeditthesettings.YoucannotoverrideNameor
Sharedsettingsforanobject.

Objects Move,Clone,Override,orRevertObjects
RevertanoverriddenobjecttoitsinheritedvaluesSelecttheObjectstab,selecttheDevice Groupthat
hastheoverriddenversion,selecttheobject,clickRevert,andclickYestoconfirmtheoperation.
DisableoverridesforanobjectSelecttheObjectstab,selecttheDevice Groupwheretheobjectresides,
clicktheobjectNametoeditit,selectDisable override,andclickOK.Overridesforthatobjectarethen
disabledinalldevicegroupsthatinherittheobjectfromtheselectedDevice Group.
ReplaceallobjectoverridesacrossPanoramawiththevaluesinheritedfromtheSharedlocationor
ancestordevicegroupsSelectPanorama > Setup > Management,editthePanoramaSettings,select
Ancestor Objects Take Precedence,andclickOK.YoumustthencommittoPanoramaandtothedevice
groupscontainingoverridestopushtheinheritedvalues.

Objects>Addresses Objects
Objects>Addresses
AnaddressobjectcanincludeanIPv4orIPv6address(singleIP,range,subnet)oraFQDN.Itallowsyouto
reusethesameobjectasasourceordestinationaddressacrossallthepolicyrulebaseswithouthavingto
additmanuallyeachtime.ItisconfiguredusingthewebinterfaceortheCLIandacommitoperationis
requiredtomaketheobjectapartoftheconfiguration.
Todefineanaddressobject,clickAddandfillinthefollowingfields:
AddressObjectSettings Description
Name Enteranamethatdescribestheaddressestobedefined(upto63
characters).Thisnameappearsintheaddresslistwhendefiningsecurity
policies.Thenameiscasesensitiveandmustbeunique.Useonlyletters,
numbers,spaces,hyphens,andunderscores.
Shared Selectthisoptionifyouwanttheaddressobjecttobeavailableto:
Everyvirtualsystem(vsys)onamultivsysfirewall.Ifyouclearthis
selection,theaddressobjectwillbeavailableonlytotheVirtual System
selectedintheObjectstab.
EverydevicegrouponPanorama.Ifyouclearthisselection,theaddress
objectwillbeavailableonlytotheDevice GroupselectedintheObjects
tab.
Disableoverride Selectthisoptiontopreventadministratorsfromoverridingthesettingsof
(Panoramaonly) thisaddressobjectindevicegroupsthatinherittheobject.Thisselectionis
clearedbydefault,whichmeansadministratorscanoverridethesettingsfor
anydevicegroupthatinheritstheobject.
Description Enteradescriptionfortheobject(upto255characters).
Type SpecifyanIPv4orIPv6addressoraddressrange,oranFQDN.
IP Netmask:
EntertheIPv4orIPv6addressorIPaddressrangeusingthefollowing
notation:
ip_address/mask or ip_address
wherethemaskisthenumberofsignificantbinarydigitsusedforthe
networkportionoftheaddress.Ideally,forIPv6,youspecifyonlythe
networkportion,notthehostportion.
Examples:
192.168.80.150/32(indicatesoneaddress)
192.168.80.0/24(indicatesalladdressesfrom192.168.80.0through
192.168.80.255)
2001:db8::/32
2001:db8:123:1::/64
IP Range:
Enterarangeofaddressesusingthefollowingformat:
ip_addressip_address
wherebothaddressescanbeIPv4orbothcanbeIPv6.
Example:
2001:db8:123:1::12001:db8:123:1::22

Objects Objects>Addresses
AddressObjectSettings Description
Type(continued) FQDN:
TospecifyanaddressusingtheFQDN,selectFQDNandenterthedomain
name.
TheFQDNinitiallyresolvesatcommittime.Entriesaresubsequently
refreshedwhenthefirewallperformsacheckevery30minutes;allchanges
intheIPaddressfortheentriesarepickedupattherefreshcycle
TheFQDNisresolvedbythesystemDNSserveroraNetwork>DNSProxy
object,ifaproxyisconfigured.
Tags Selectorenterthetagsthatyouwishtoapplytothisaddressobject.
YoucandefineataghereorusetheObjects>Tagstabtocreatenewtags.
Forinformationontags,seeObjects>Tags.

Objects>AddressGroups Objects
Objects>AddressGroups
Tosimplifythecreationofsecuritypolicies,addressesthatrequirethesamesecuritysettingscanbe
combinedintoaddressgroups.Anaddressgroupcanbestaticordynamic.
DynamicAddressGroups:Adynamicaddressgrouppopulatesitsmembersdynamicallyusinglooksups
fortagsandtagbasedfilters.Dynamicaddressgroupsareveryusefulifyouhaveanextensivevirtual
infrastructurewherechangesinvirtualmachinelocation/IPaddressarefrequent.Forexample,youhave
asophisticatedfailoversetuporprovisionnewvirtualmachinesfrequentlyandwouldliketoapplypolicy
totrafficfromortothenewmachinewithoutmodifyingtheconfiguration/rulesonthefirewall.
Touseadynamicaddressgroupinpolicyyoumustcompletethefollowingtasks:
Defineadynamicaddressgroupandreferenceitinapolicyrule.
NotifythefirewalloftheIPaddressesandthecorrespondingtags,sothatmembersofthedynamic
addressgroupcanbeformed.YoucandothisusingexternalscriptsthatusetheXMLAPIonthe
firewallor,foraVMwarebasedenvironment,youcanselectDevice > VM Information Sourcesto
configuresettingsonthefirewall.
Dynamicaddressgroupscanalsoincludestaticallydefinedaddressobjects.Ifyoucreateanaddress
objectandapplythesametagsthatyouhaveassignedtoadynamicaddressgroup,thatdynamicaddress
groupwillincludeallstaticanddynamicobjectsthatmatchthetags.Youcan,thereforeusetagstopull
togetherbothdynamicandstaticobjectsinthesameaddressgroup.
StaticAddressGroups:Astaticaddressgroupcanincludeaddressobjectsthatarestatic,dynamic
addressgroups,oritcanbeacombinationofbothaddressobjectsanddynamicaddressgroups.
Tocreateanaddressgroup,clickAddandfillinthefollowingfields:
AddressGroupSettings Description
Name Enteranamethatdescribestheaddressgroup(upto63characters).This
nameappearsintheaddresslistwhendefiningsecuritypolicies.Thename
iscasesensitiveandmustbeunique.Useonlyletters,numbers,spaces,
Shared Selectthisoptionifyouwanttheaddressgrouptobeavailableto:
selection,theaddressgroupwillbeavailableonlytotheVirtual System
EverydevicegrouponPanorama.Ifyouclearthisselection,theaddress
groupwillbeavailableonlytotheDevice GroupselectedintheObjects
tab.
(Panoramaonly) thisaddressgroupobjectindevicegroupsthatinherittheobject.This
selectionisclearedbydefault,whichmeansadministratorscanoverridethe
settingsforanydevicegroupthatinheritstheobject.
Description Enteradescriptionfortheobject(upto255characters).

Objects Objects>AddressGroups
AddressGroupSettings Description
Type SelectStaticorDynamic.
Tocreateadynamicaddressgroup,usethematchcriteriaisassemblethe
memberstobeincludedinthegroup.DefinetheMatchcriteriausingthe
ANDorORoperators.
Toviewthelistofattributesforthematchcriteria,youmusthave
configuredthefirewalltoaccessandretrievetheattributesfromthe
source/host.Eachvirtualmachineontheconfiguredinformation
source(s)isregisteredwiththefirewallandthefirewallcanpollthe
machinetoretrievechangesinIPaddressorconfigurationwithout
anymodificationsonthefirewall.
Forastaticaddressgroup,clickAddandselectoneormoreAddresses.Click
Addtoaddanobjectoranaddressgrouptotheaddressgroup.Thegroup
cancontainaddressobjects,andbothstaticanddynamicaddressgroups.
Tags Selectorenterthetagsthatyouwishtoapplytothisaddressgroup.For
informationontags,seeObjects>Tags.
MembersCountand Afteryouaddanaddressgroup,theMembersCountcolumnontheObjects
Address > Address Groupspageindicateswhethertheobjectsinthegroupare
populateddynamicallyorstatically.
Forastaticaddressgroup,youcanviewthecountofthemembersinthe
addressgroup.
Foranaddressgroupthatusestagstodynamicallypopulatemembersor
hasbothstaticanddynamicmembers,toviewthemembers,clickthe
More...linkintheAddresscolumn.YoucannowviewtheIPaddresses
thatareregisteredtotheaddressgroup.
TypeindicateswhethertheIPaddressisastaticaddressobjector
beingdynamicallyregisteredanddisplaystheIPaddress.
ActionallowsyoutoUnregister TagsfromanIPaddress.Clickthe
linktoAddtheregistrationsourceandspecifythetagstounregister.

Objects>Regions Objects
Objects>Regions
Thefirewallsupportscreationofpolicyrulesthatapplytospecifiedcountriesorotherregions.Theregionis
availableasanoptionwhenspecifyingsourceanddestinationforsecuritypolicies,decryptionpolicies,and
DoSpolicies.Youcanchoosefromastandardlistofcountriesorusetheregionsettingsdescribedinthis
sectiontodefinecustomregionstoincludeasoptionsforSecuritypolicyrules.
Thefollowingtablesdescribetheregionsettings:
RegionSettings Description
Name Enteranamethatdescribestheregion(upto31characters).Thisname
appearsintheaddresslistwhendefiningsecuritypolicies.Thenameis
GeoLocation Tospecifylatitudeandlongitude,selectthisoptionandspecifythevalues
(xxx.xxxxxxformat).Thisinformationisusedinthetrafficandthreatmapsfor
AppScope.RefertoMonitor>Logs.
Addresses SpecifyanIPaddress,rangeofIPaddresses,orsubnettoidentifytheregion,
usinganyofthefollowingformats:
x.x.x.x
x.x.x.xy.y.y.y
x.x.x.x/n

Objects Objects>Applications
Objects>Applications
Whatareyoulookingfor? See
Understandtheapplication ApplicationsOverview
settingsandattributesdisplayed
ontheApplicationspage. ActionsSupportedonApplications
Addanewapplicationormodifyan DefiningApplications
existingapplication.
ApplicationsOverview
TheApplicationspagelistsvariousattributesofeachapplicationdefinition,suchastheapplicationsrelative
securityrisk(1to5).Theriskvalueisbasedoncriteriasuchaswhethertheapplicationcansharefiles,is
pronetomisuse,ortriestoevadefirewalls.Highervaluesindicatehigherrisk.
Thetopapplicationbrowserareaofthepageliststheattributesthatyoucanusetofilterthedisplayas
follows.Thenumbertotheleftofeachentryrepresentsthetotalnumberofapplicationswiththatattribute.
Weeklycontentreleasesperiodicallyincludenewdecodersandcontextsforwhichyoucan
developsignatures.
ThefollowingtabledescribesapplicationdetailscustomapplicationsandPaloAltoNetworksapplications
mightdisplaysomeorallofthesefields.
ApplicationDetails Description
Name Nameoftheapplication.
Description Descriptionoftheapplication(upto255characters).
AdditionalInformation Linkstowebsources(Wikipedia,Google,andYahoo!)thatcontain
additionalinformationabouttheapplication.
StandardPorts Portsthattheapplicationusestocommunicatewiththenetwork.
Dependson Listofotherapplicationsthatarerequiredforthisapplicationtorun.
Whencreatingapolicyruletoallowtheselectedapplication,youmust
alsobesurethatyouareallowinganyotherapplicationsthatthe
applicationdependson.

Objects>Applications Objects
ImplicitlyUses Otherapplicationsthattheselectedapplicationdependsonbutthat
youdonotneedtoaddtoyourSecuritypolicyrulestoallowthe
selectedapplicationbecausethoseapplicationsaresupported
implicitly.
PreviouslyIdentifiedAs ForanewAppID,orAppIDsthatarechanged,thisindicateswhat
theapplicationwaspreviouslyidentifiedas.Thishelpsyouassess
whetherpolicychangesarerequiredbasedonchangesinthe
application.IfanAppIDisdisabled,sessionsassociatedwiththat
applicationwillmatchpolicyasthepreviouslyidentifiedasapplication.
Similarly,disabledAppIDswillappearinlogsastheapplicationthey
werepreviousidentifiedas.
DenyAction AppIDsaredevelopedwithadefaultdenyactionthatdictateshow
thefirewallrespondswhentheapplicationisincludedinaSecurity
policyrulewithadenyaction.Thedefaultdenyactioncanspecify
eitherasilentdroporaTCPreset.Youcanoverridethisdefaultaction
inSecuritypolicy.
Characteristics
Evasive Usesaportorprotocolforsomethingotherthanitsoriginallyintended
purposewiththehopethatitwilltraverseafirewall.
ExcessiveBandwidth Consumesatleast1Mbpsonaregularbasisthroughnormaluse.
PronetoMisuse Oftenusedfornefariouspurposesoriseasilysetuptoexposemore
thantheuserintended.
SaaS Onthefirewall,SoftwareasaService(SaaS)ischaracterizedasa
servicewherethesoftwareandinfrastructureareownedandmanaged
bytheapplicationserviceproviderbutwhereyouretainfullcontrolof
thedata,includingwhocancreate,access,share,andtransferthedata.
Keepinmindthatinthecontextofhowanapplicationischaracterized,
SaaSapplicationsdifferfromwebservices.Webservicesarehosted
applicationswhereeithertheuserdoesntownthedata(forexample,
Pandora)orwheretheserviceisprimarilycomprisedofsharingdata
fedbymanysubscribersforsocialpurposes(forexample,LinkedIn,
Twitter,orFacebook).
CapableofFileTransfer Hasthecapabilitytotransferafilefromonesystemtoanotherovera
network.
TunnelsOtherApplications Isabletotransportotherapplicationsinsideitsprotocol.
UsedbyMalware Malwarehasbeenknowntousetheapplicationforpropagation,
attack,ordatatheft,orisdistributedwithmalware.
HasKnownVulnerabilities Haspubliclyreportedvulnerabilities.
Widelyused Likelyhasmorethan1,000,000users.
ContinueScanningforOther Instructsthefirewalltocontinuetotryandmatchagainstother
Applications applicationsignatures.Ifyoudonotselectthisoption,thefirewall
stopslookingforadditionalapplicationmatchesafterthefirst
matchingsignature.

Classification
Category Theapplicationcategorywillbeoneofthefollowing:
businesssystems
collaboration
generalinternet
media
networking
unknown
Subcategory Thesubcategoryinwhichtheapplicationisclassified.Different
categorieshavedifferentsubcategoriesassociatedwiththem.For
example,subcategoriesinthecollaborationcategoryincludeemail,
filesharing,instantmessaging,Internetconferencing,socialbusiness,
socialnetworking,voipvideo,andwebposting.Whereas,
subcategoriesinthebusinesssystemscategoryincludeauthservice,
database,erpcrm,generalbusiness,management,officeprograms,
softwareupdate,andstoragebackup.
Technology Theapplicationtechnologywillbeoneofthefollowing:
clientserver:Anapplicationthatusesaclientservermodelwhere
oneormoreclientscommunicatewithaserverinthenetwork.
networkprotocol:Anapplicationthatisgenerallyusedfor
systemtosystemcommunicationthatfacilitatesnetwork
operation.ThisincludesmostoftheIPprotocols.
peertopeer:Anapplicationthatcommunicatesdirectlywithother
clientstotransferinformationinsteadofrelyingonacentralserver
tofacilitatethecommunication.
browserbased:Anapplicationthatreliesonawebbrowserto
function.
Risk Assignedriskoftheapplication.
Tocustomizethissetting,clicktheCustomizelink,enteravalue(15),
andclickOK.
Options
SessionTimeout Periodoftime,inseconds,requiredfortheapplicationtotimeoutdue
toinactivity(rangeis1604800seconds).Thistimeoutisforprotocols
otherthanTCPorUDP.ForTCPandUDP,refertothenextrowsin
thistable.
Tocustomizethissetting,clicktheCustomizelink,enteravalue,and
clickOK.
TCPTimeout(seconds) Timeout,inseconds,forterminatingaTCPapplicationflow(rangeis
1604800).
clickOK.
Avalueof0indicatesthattheglobalsessiontimerwillbeused,which
is3600secondsforTCP.

UDPTimeout(seconds): Timeout,inseconds,forterminatingaUDPapplicationflow(rangeis
1604800seconds).
clickOK.
TCPHalfClosed(seconds) Maximumlengthoftime,inseconds,thatasessionremainsinthe
sessiontablebetweenreceivingthefirstFINpacketandreceivingthe
secondFINpacketorRSTpacket.Ifthetimerexpires,thesessionis
closed(rangeis1604800).
Default:Ifthistimerisnotconfiguredattheapplicationlevel,the
globalsettingisused.
Ifthisvalueisconfiguredattheapplicationlevel,itoverridestheglobal
TCP Half Closedsetting.
TCPTimeWait(seconds) Maximumlengthoftime,inseconds,thatasessionremainsinthe
sessiontableafterreceivingthesecondFINpacketoraRSTpacket.If
thetimerexpires,thesessionisclosed(rangeis1600).
Default:Ifthistimerisnotconfiguredattheapplicationlevel,the
globalsettingisused.
Ifthisvalueisconfiguredattheapplicationlevel,itoverridestheglobal
TCP Time Waitsetting.
AppIDEnabled IndicateswhethertheAppIDisenabledordisabled.IfanAppIDis
disabled,trafficforthatapplicationwillbetreatedasthePreviously
Identified AsAppIDinbothSecuritypolicyandinlogs.For
applicationsaddedaftercontentreleaseversion490,youhavethe
abilitytodisablethemwhileyoureviewthepolicyimpactofthenew
app.Afterreviewingpolicy,youmaychoosetoenabletheAppID.You
alsohavetheabilitytodisableanapplicationthatyouhavepreviously
enabled.Onamultivsysfirewall,youcandisableAppIDsseparately
ineachvirtualsystem.
WhenthefirewallisnotabletoidentifyanapplicationusingtheAppID,thetrafficisclassifiedasunknown:
unknowntcporunknownudp.Thisbehaviorappliestoallunknownapplicationsexceptthosethatfully
emulateHTTP.Formoreinformation,refertoMonitor>Botnet.
Youcancreatenewdefinitionsforunknownapplicationsandthendefinesecuritypoliciesforthenew
applicationdefinitions.Inaddition,applicationsthatrequirethesamesecuritysettingscanbecombinedinto
applicationgroupstosimplifythecreationofsecuritypolicies.

ActionsSupportedonApplications
Youcanperformanyofthefollowingactionsonthispage:
ActionsSupportedfor Description
Applications
Filterbyapplication Tosearchforaspecificapplication,entertheapplicationnameordescription
intheSearchfieldandpressEnter.Thedropdowntotherightofthesearch
boxallowsyoutosearchorfilterforaspecificapplicationorviewAll
applications,Custom applications,Disabled applications,orTagged
applications.
Theapplicationislistedandthefiltercolumnsareupdatedtoshowstatistics
fortheapplicationsthatmatchedthesearch.Asearchwillmatchpartial
strings.Whenyoudefinesecuritypolicies,youcanwriterulesthatapplytoall
applicationsthatmatchasavedfilter.Suchrulesaredynamicallyupdated
whenanewapplicationisaddedthroughacontentupdatethatmatchesthe
filter.
Tofilterbyapplicationattributesdisplayedonthepage;clickanitemthatyou
wanttouseasabasisforfiltering.Forexample,torestrictthelisttothe
collaborationcategory,clickcollaborationandthelistwillonlyshow
applicationsinthiscategory.
Tofilteronadditionalcolumns,selectanentryintheothercolumns.The
filteringissuccessive:firstCategoryfiltersareapplied,thenSubcategory
filters,thenTechnologyfilters,thenRiskfilters,andfinallyCharacteristic
filters.Forexample,ifyouapplyaCategory,Subcategory,andRiskfilter,the
Technologycolumnisautomaticallyrestrictedtothetechnologiesthatare
consistentwiththeselectedCategoryandSubcategory,eventhougha
Technologyfilterhasnotbeenexplicitlyapplied.Eachtimeyouapplyafilter,
thelistofapplicationsinthelowerpartofthepageautomaticallyupdates.To
createanewapplicationfilter,seeObjects>ApplicationFilters.
Addanewapplication. Toaddanewapplication,seeDefiningApplications.
Viewand/orcustomize Clicktheapplicationnamelink,toviewtheapplicationdescriptionincludingthe
applicationdetails. standardportandcharacteristicsoftheapplication,riskamongotherdetails.For
detailsontheapplicationsettings,seeDefiningApplications.
Iftheicontotheleftoftheapplicationnamehasayellowpencil( ),the
applicationisacustomapplication.

ActionsSupportedfor Description
Applications
Disableanapplications YoucanDisableanapplication(orseveralapplications)sothattheapplication
signatureisnotmatchedagainsttraffic.Securityrulesdefinedtoblock,allow,or
enforceamatchingapplicationarenotappliedtotheapplicationtrafficwhen
theappisdisabled.Youmightchoosetodisableanapplicationthatisincluded
withanewcontentreleaseversionbecausepolicyenforcementforthe
applicationmightchangewhentheapplicationisuniquelyidentified.For
example,anapplicationthatisidentifiedaswebbrowsingtrafficisallowedby
thefirewallpriortoanewcontentversioninstallation;afterinstallingthe
contentupdate,theuniquelyidentifiedapplicationnolongermatchesthe
Securityrulethatallowswebbrowsingtraffic.Inthiscase,youcouldchooseto
disabletheapplicationsothattrafficmatchedtotheapplicationsignature
continuestobeclassifiedaswebbrowsingtrafficandisallowed.
Enableanapplication SelectadisabledapplicationandEnabletheapplicationsothatitcanbe
enforcedaccordingtoyourconfiguredsecuritypolicies.
Importanapplication Toimportanapplication,clickImport.Browsetoselectthefile,andselectthe
targetvirtualsystemfromtheDestinationdropdown.
Exportanapplication Toexportanapplication,selectthisoptionfortheapplicationandclickExport.
Followthepromptstosavethefile.
Assesspolicyimpactafter Review Policiestoassessthepolicybasedenforcementforapplicationsbefore

installinganewcontentrelease. andafterinstallingacontentreleaseversion.UsethePolicyReviewdialogto
reviewpolicyimpactfornewapplicationsincludedinadownloadedcontent
releaseversion.ThePolicyReviewdialogallowsyoutoaddorremoveapending
application(anapplicationthatisdownloadedwithacontentreleaseversionbut
isnotinstalledonthefirewall)toorfromanexistingSecuritypolicyrule;policy
changesforpendingapplicationsdonottakeeffectuntilthecorresponding
contentreleaseversionisinstalled.YoucanalsoaccessthePolicyReviewdialog
whendownloadingandinstallingcontentreleaseversionsontheDevice >
Dynamic Updatespage.
Taganapplication. ApredefinedtagnamedsanctionedisavailableforyoutotagSaaSapplications.
WhileaSaaSapplicationisanapplicationthatisidentifiedasSaas=yesinthe
detailsonapplicationcharacteristics,youcanusethesanctionedtagonany
application.
Selectanapplication,clickTag Application,and,fromthedropdown,selectthe
predefinedSanctionedtagtoidentifyanyapplicationthatyouwanttoexplicitly
allowonyournetwork.WhenyouthengeneratetheSaaSApplicationUsage
Report(seeMonitor>PDFReports>SaaSApplicationUsage),youcancompare
statisticsontheapplicationthatyouhavesanctionedversusunsanctionedSaaS
applicationsthatarebeingusedonyournetwork.
Whenyoutaganapplicationassanctioned,thefollowingrestrictionsapply:
Thesanctionedtagcannotbeappliedtoanapplicationgroup.
ThesanctionedtagcannotbeappliedattheSharedlevel;youcantagan
applicationonlyperdevicegrouporpervirtualsystem.
Thesanctionedtagcannotbeusedtotagapplicationsincludedinacontainer
app,suchasfacebookmail,whichispartofthefacebookcontainerapp.
YoucanalsoRemove tagorOverride tag.Theoverrideoptionisonlyavailable
onafirewallthathasinheritedsettingsfromadevicegrouppushedfrom
Panorama.

DefiningApplications
SelectObjects > ApplicationstoAddanewcustomapplicationforthefirewalltoevaluatewhenapplying

policies.
NewApplicationSettings Description
Configuration Tab
Name Entertheapplicationname(upto31characters).Thisnameappearsinthe
applicationslistwhendefiningsecuritypolicies.Thenameiscasesensitive
andmustbeunique.Useonlyletters,numbers,spaces,periods,hyphens,
andunderscores.Thefirstcharactermustbealetter.
Shared Selectthisoptionifyouwanttheapplicationtobeavailableto:
selection,theapplicationwillbeavailableonlytotheVirtual System
EverydevicegrouponPanorama.Ifyouclearthisselection,the
applicationwillbeavailableonlytotheDevice Groupselectedinthe
Objectstab.
(Panoramaonly) thisapplicationobjectindevicegroupsthatinherittheobject.Thisselection
isclearedbydefault,whichmeansadministratorscanoverridethesettings
foranydevicegroupthatinheritstheobject.
Description Enteradescriptionoftheapplicationforgeneralreference(upto255
characters).
Category Selecttheapplicationcategory,suchasemailordatabase.Thecategoryis
usedtogeneratetheTopTenApplicationCategorieschartandisavailable
forfiltering(refertoACC).
Subcategory Selecttheapplicationsubcategory,suchasemailordatabase.The
subcategoryisusedtogeneratetheTopTenApplicationCategorieschart
andisavailableforfiltering(refertoACC).
Technology Selectthetechnologyfortheapplication.
ParentApp Specifyaparentapplicationforthisapplication.Thissettingapplieswhena
sessionmatchesboththeparentandthecustomapplications;however,the
customapplicationisreportedbecauseitismorespecific.
Risk Selecttherisklevelassociatedwiththisapplication(1=lowestto5=highest).
Characteristics Selecttheapplicationcharacteristicsthatmayplacetheapplicationatrisk.
Foradescriptionofeachcharacteristic,refertoCharacteristics.

Advanced Tab
Port IftheprotocolusedbytheapplicationisTCPand/orUDP,selectPortand
enteroneormorecombinationsoftheprotocolandportnumber(oneentry
perline).Thegeneralformatis:
<protocol>/<port>
wherethe<port>isasingleportnumber,ordynamicfordynamicport
assignment.
Examples:TCP/dynamicorUDP/32.
Thissettingapplieswhenusingapp-defaultintheServicecolumnofa
Securityrule.
IPProtocol TospecifyanIPprotocolotherthanTCPorUDP,selectIP Protocol,and

entertheprotocolnumber(1to255).
ICMPType TospecifyanInternetControlMessageProtocolversion4(ICMP)type,
selectICMP Typeandenterthetypenumber(rangeis0255).
ICMP6Type TospecifyanInternetControlMessageProtocolversion6(ICMPv6)type,
selectICMP6 Typeandenterthetypenumber(rangeis0255).
None Tospecifysignaturesindependentofprotocol,selectNone.
Timeout Enterthenumberofsecondsbeforeanidleapplicationflowisterminated
(rangeis0604800seconds).Azeroindicatesthatthedefaulttimeoutofthe
applicationwillbeused.ThisvalueisusedforprotocolsotherthanTCPand
UDPinallcasesandforTCPandUDPtimeoutswhentheTCPtimeoutand
UDPtimeoutarenotspecified.
TCPTimeout EnterthenumberofsecondsbeforeanidleTCPapplicationflowis
terminated(rangeis0604800seconds).Azeroindicatesthatthedefault
timeoutoftheapplicationwillbeused.
UDPTimeout EnterthenumberofsecondsbeforeanidleUDPapplicationflowis
terminated(rangeis0604800seconds).Azeroindicatesthatthedefault
timeoutoftheapplicationwillbeused.
TCPHalfClosed Enterthemaximumlengthoftimethatasessionremainsinthesessiontable,
betweenreceivingthefirstFINandreceivingthesecondFINorRST.Ifthe
timerexpires,thesessionisclosed.
Default:Ifthistimerisnotconfiguredattheapplicationlevel,theglobal
settingisused(rangeis1604800seconds).
Ifthisvalueisconfiguredattheapplicationlevel,itoverridestheglobalTCP
HalfClosedsetting.
TCPTimeWait Enterthemaximumlengthoftimethatasessionremainsinthesessiontable
afterreceivingthesecondFINoraRST.Ifthetimerexpires,thesessionis
closed.
Default:Ifthistimerisnotconfiguredattheapplicationlevel,theglobal
settingisused(rangeis1600seconds).
Ifthisvalueisconfiguredattheapplicationlevel,itoverridestheglobalTCP
TimeWaitsetting.
Scanning SelectthescanningtypesthatyouwanttoallowbasedonSecurityProfiles
(filetypes,datapatterns,andviruses).

Signature Tab
Signatures ClickAddtoaddanewsignature,andspecifythefollowinginformation:
Signature NameEnteranametoidentifythesignature.
CommentEnteranoptionaldescription.
ScopeSelectwhethertoapplythissignatureonlytothecurrent
TransactionortothefulluserSession.
Ordered Condition MatchSelectiftheorderinwhichsignature
conditionsaredefinedisimportant.
Specifytheconditionsthatidentifythesignature.Theseconditionsareused
togeneratethesignaturethatthefirewallusestomatchtheapplication
patternsandcontroltraffic:
Toaddacondition,selectAdd AND ConditionorAdd OR Condition.To
addaconditionwithinagroup,selectthegroupandthenclickAdd
Condition.
SelectanOperatorfromthedropdown.TheoptionsarePattern Match,
Greater Than,Less Than,andEqual Toandspecifythefollowingoptions:
(ForPatternMatchonly)
ContextSelectfromtheavailablecontexts.Thesecontextsare
updatedusingdynamiccontentupdates.
PatternSpecifyaregularexpressiontospecifyuniquestring
contextvaluesthatapplytothecustomapplication.
Performapacketcapturetoidentifythecontext.SeePattern
RulesSyntaxforpatternrulesforregularexpressions.
(ForGreaterThan,LessThan)
ContextSelectfromtheavailablecontexts.Thesecontextsare
updatedusingdynamiccontentupdates
ValueSpecifyavaluetomatchon(rangeis04294967295).
Qualifier and Value(Optional)Addqualifier/valuepairs.
(ForEqualToonly)
ContextSelectfromunknownrequestsandresponsesforTCPor
UDP(forexample,unknownreqtcp)oradditionalcontextsthatare
availablethroughdynamiccontentupdates(forexample,
dnp3reqfunccode).
ForunknownrequestsandresponsesforTCPorUDP,specify
PositionSelectbetweenthefirstfourorsecondfourbytesinthe
payload.
MaskSpecifya4bytehexvalue,forexample,0xffffff00.
ValueSpecifya4bytehexvalue,forexample,0xaabbccdd.
Forallothercontexts,specifyaValuethatispertinenttotheapplication.
Tomoveaconditionwithinagroup,selecttheconditionandMove Upor
Move Down.Tomoveagroup,selectthegroupandMove UporMove Down.
Youcannotmoveconditionsfromonegrouptoanother.
Itisnotrequiredtospecifysignaturesfortheapplicationiftheapplicationisusedonlyfor
applicationoverriderules.

Objects>ApplicationGroups Objects
Objects>ApplicationGroups
Tosimplifythecreationofsecuritypolicies,applicationsrequiringthesamesecuritysettingscanbe
combinedbycreatinganapplicationgroup.(Todefineanewapplication,refertoDefiningApplications.)
NewApplicationGroup Description
Settings
Name Enteranamethatdescribestheapplicationgroup(upto31characters).This
nameappearsintheapplicationlistwhendefiningsecuritypolicies.The
nameiscasesensitiveandmustbeunique.Useonlyletters,numbers,
spaces,hyphens,andunderscores.
Shared Selectthisoptionifyouwanttheapplicationgrouptobeavailableto:
Everyvirtualsystem(vsys)onamultivsysfirewall.Ifyouclearthisselection,
theapplicationgroupwillbeavailableonlytotheVirtual Systemselectedin
theObjectstab.
EverydevicegrouponPanorama.Ifyouclearthisselection,theapplication
groupwillbeavailableonlytotheDevice GroupselectedintheObjectstab.
(Panoramaonly) thisapplicationgroupobjectindevicegroupsthatinherittheobject.This
Applications ClickAddandselectapplications,applicationfilters,and/orotherapplication
groupstobeincludedinthisgroup.

Objects Objects>ApplicationFilters
Objects>ApplicationFilters
Applicationfiltershelptosimplifyrepeatedsearches.Todefineanapplicationfilter,Addandenteraname
foryournewfilter.Intheupperareaofthewindow,clickanitemthatyouwanttouseasabasisforfiltering.
Forexample,torestrictthelisttotheCollaborationcategory,clickcollaboration.
Tofilteronadditionalcolumns,selectanentryinthecolumns.Thefilteringissuccessive:categoryfiltersare
appliedfirstfollowedbysubcategoryfilters,technologyfilters,riskfilters,andthencharacteristicfilters.
Asyouselectfilters,thelistofapplicationsthatdisplayonthepageisautomaticallyupdated.

Objects>Services Objects
Objects>Services
Whenyoudefinesecuritypoliciesforspecificapplications,youcanselectoneormoreservicestolimitthe
portnumberstheapplicationscanuse.Thedefaultserviceisany,whichallowsallTCPandUDPports.
TheHTTPandHTTPSservicesarepredefined,butyoucanaddadditionalservicedefinitions.Servicesthat
areoftenassignedtogethercanbecombinedintoservicegroupstosimplifythecreationofsecuritypolicies
(refertoObjects>ServiceGroups).
Thefollowingtabledescribestheservicesettings:
ServiceSettings Description
Name Entertheservicename(upto63characters).Thisnameappearsinthe
serviceslistwhendefiningsecuritypolicies.Thenameiscasesensitiveand
mustbeunique.Useonlyletters,numbers,spaces,hyphens,and
underscores.
Description Enteradescriptionfortheservice(upto255characters).
Shared Selectthisoptionifyouwanttheserviceobjecttobeavailableto:
selection,theserviceobjectwillbeavailableonlytotheVirtual System
EverydevicegrouponPanorama.Ifyouclearthisselection,theservice
objectwillbeavailableonlytotheDevice GroupselectedintheObjects
tab.
(Panoramaonly) thisserviceobjectindevicegroupsthatinherittheobject.Thisselectionis
anydevicegroupthatinheritstheobject.
Protocol Selecttheprotocolusedbytheservice(TCPorUDP).
DestinationPort Enterthedestinationportnumber(0to65535)orrangeofportnumbers
(port1port2)usedbytheservice.Multipleportsorrangesmustbe
separatedbycommas.Thedestinationportisrequired.
SourcePort Enterthesourceportnumber(0to65535)orrangeofportnumbers
(port1port2)usedbytheservice.Multipleportsorrangesmustbe
separatedbycommas.Thesourceportisoptional.

Objects Objects>ServiceGroups
Objects>ServiceGroups
Tosimplifythecreationofsecuritypolicies,youcancombineservicesthathavethesamesecuritysettings
intoservicegroups.Todefinenewservices,refertoObjects>Services.
Thefollowingtabledescribestheservicegroupsettings:
ServiceGroupSettings Description
Name Entertheservicegroupname(upto63characters).Thisnameappearsinthe
serviceslistwhendefiningsecuritypolicies.Thenameiscasesensitiveand
underscores.
Shared Selectthisoptionifyouwanttheservicegrouptobeavailableto:
selection,theservicegroupwillbeavailableonlytotheVirtual System
EverydevicegrouponPanorama.Ifyouclearthisselection,theservice
tab.
(Panoramaonly) thisservicegroupobjectindevicegroupsthatinherittheobject.This
Service ClickAddtoaddservicestothegroup.Selectfromthedropdownorclick
Serviceatthebottomofthedropdownandspecifythesettings.Referto
Objects>Servicesforadescriptionofthesettings.

Objects>Tags Objects
Objects>Tags
Tagsallowyoutogroupobjectsusingkeywordsorphrases.Tagscanbeappliedtoaddressobjects,address
groups(staticanddynamic),zones,services,servicegroups,andtopolicyrules.Youcanuseatagstosortor
filterobjects,andtovisuallydistinguishobjectsbecausetheycanhavecolor.Whenacolorisappliedtoa
tag,thePolicytabdisplaystheobjectwithabackgroundcolor.
ApredefinedtagnamedSanctionedisavailablefortaggingapplications(Objects > Applications).Thesetagsare
requiredforaccuratelyMonitor>PDFReports>SaaSApplicationUsage.
HowdoIcreatetags? CreateTags
Whatisthetagbrowser? UsetheTagBrowser
Searchforrulesthataretagged. ManageTags
Grouprulesusingtags.
Viewtagsusedinpolicy.
Applytagstopolicy.
Looking for more? SeePolicy.
CreateTags
SelectObjects > Tagstocreateatag,assignacolor,delete,rename,andclonetags.Eachobjectcanhaveup

to64tags;whenanobjecthasmultipletags,itdisplaysthecolorofthefirsttagappliedtoit.
Onthefirewall,theObjects >Tagstabdisplaysthetagsthatyoudefinelocallyonthefirewallorpushfrom
Panoramatothefirewall;onPanorama,itdisplaysthetagsthatyoudefineonPanorama.Thistabdoesnot
displaythetagsthataredynamicallyretrievedfromtheVMInformationsourcesdefinedonthefirewallfor
formingdynamicaddressgroups,ortagsthataredefinedusingtheXMLAPI.
Whenyoucreateanewtag,thetagisautomaticallycreatedintheVirtualSystemorDeviceGroupthatis
currentlyselectedonthefirewallorPanorama.
TagSettings Description
Name Enterauniquetagname(upto127characters).Thenameisnot
casesensitive.
Shared Selectthisoptionifyouwantthetagtobeavailableto:
thetagwillbeavailableonlytotheVirtual SystemselectedintheObjects
tab.
EverydevicegrouponPanorama.Ifyouclearthisselection,thetagwillbe
availableonlytotheDevice GroupselectedintheObjectstab.
(Panoramaonly) thistagindevicegroupsthatinheritthetag.Thisselectionisclearedby
default,whichmeansadministratorscanoverridethesettingsforanydevice
groupthatinheritsthetag.

Objects Objects>Tags
TagSettings Description
Color Selectacolorfromthecolorpaletteinthedropdown.Thedefaultvalueis
None.
Comments Addalabelordescriptiontoremindyouwhatthetagisusedfor.
Addatag:Toaddanewtag,clickAddandthenfillinthefollowingfields:
YoucanalsocreateanewtagwhenyoucreateoreditpolicyinthePoliciestab.Thetagisautomatically
createdintheDeviceGrouporVirtualSystemthatiscurrentlyselected.
Editatag:Toedit,rename,orassignacolortoatag,clickthetagnamethatdisplaysasalinkandmodify
thesettings.
Deleteatag:Todeleteatag,clickDeleteandselectthetaginthewindow.Youcannotdeleteapredefined
tag.
MoveorCloneatag:Theoptionstomoveorcloneatagallowsyoutocopyatagormoveatagtoa
differentDeviceGrouporVirtualSystemonfirewallswithmultiplevirtualsystemsenabled.
ClickCloneorMoveandselectthetaginthewindow.SelecttheDestinationlocationDeviceGroupor
VirtualSystemforthetag.ClearthisselectionforError out on first detected error in validationifyouwant
thevalidationprocesstodiscoveralltheerrorsfortheobjectbeforedisplayingtheerrors.Bydefault,this
optionisenabledandthevalidationprocessstopswhenthefirsterrorisdetectedandonlydisplaysthe
error.
OverrideorRevertatag(Panoramaonly):TheOverrideoptionisavailableifyouhavenotselectedthe
Disableoverrideoptionwhencreatingthetag.Itallowsyoutooverridethecolorassignedtothetagthat
wasinheritedfromasharedorancestordevicegroup.TheLocationfielddisplaysthecurrentdevice
group.YoucanalsoselecttheDisableoverridetodisablefurtheroverrides.
Toundothechangesonatag,clickRevert.Whenyourevertatag,theLocationfielddisplaysthedevice
grouporvirtualsystemfromwherethetagwasinherited.
UsetheTagBrowser
Policies>Rulebase(Security,NAT,QoS...)
Thetagbrowserpresentsasummaryofallthetagsusedwithinarulebase(policyset).Itallowsyoutoseea
listofallthetagsandtheorderinwhichtheyarelistedintherulebase.
Youcansort,browse,search,andfilterforaspecifictag,orviewonlythefirsttagappliedtoeachruleinthe
rulebase.
Thefollowingtabledescribestheoptionsinthetagbrowser:
UsetheTagBrowser Description
Tag(#) Displaysthelabelandtherulenumberorrangeofnumbersinwhichthetag
isusedcontiguously.
Hoveroverthelabeltoseethelocationwheretherulewasdefined.The
locationcanbeinheritedfromtheSharedlocation,adevicegroup,ora
virtualsystem.
Rule Liststherulenumberorrangeofnumbersassociatedwiththetags.

Objects>Tags Objects
UsetheTagBrowser Description
Filterbyfirsttaginrule Displaysonlythefirsttagappliedtoeachruleintherulebase,whenselected.
Thisviewisparticularlyusefulifyouwanttonarrowthelistandviewrelated
rulesthatmightbespreadaroundtherulebase.Forexample,ifthefirsttag
ineachruledenotesitsfunctionadministration,webaccess,datacenter
access,proxyyoucannarrowtheresultandscantherulesbasedon
function.
RuleOrder Sortsthetagsintheorderofappearancewithintheselectedrulebase.When
displayedinorderofappearance,tagsusedincontiguousrulesaregrouped
together.Therulenumberwithwhichthetagisassociatedisdisplayedalong
withthetagname.
Alphabetical Sortsthetagsinalphabeticalorderwithintheselectedrulebase.Thedisplay
liststhetagname,color(ifacolorisassigned),andthenumberoftimesitis
usedwithintherulebase.
ThelabelNonerepresentsruleswithoutanytags;itdoesnotdisplayrule
numbersforuntaggedrules.WhenyouselectNone,therightpaneisfiltered
todisplayrulesthathavenotagsassignedtothem.
Clear Clearsthefilteronthecurrentlyselectedtagsinthesearchbar.
Searchbar Allowsyoutosearchforatag,enterthetermandclickthegreenarrowto
applythefilter.
Italsodisplaysthetotalnumberoftagsintherulebaseandthenumberof
selectedtags.
Forotheractions,seeManageTags.
ManageTags
Thefollowingtableliststheactionsthatyoucanperformusingthetagbrowser.
ManageTags
Tagarule. 1. Selectaruleontherightpane.
2. Dooneofthefollowing:
Selectataginthetagbrowserand,fromthe
dropdown,selectApply the Tag to the
Selection(s).
Draganddroptagsfromthetagbrowserontothe
tagcolumnoftherule.Whenyoudropthetags,a
confirmationdialogdisplays.
Viewthecurrentlyselectedtags. 1. Selectoneormoretagsinthetagbrowser.Thetags
arefilteredusinganORoperator.
2. Therightpaneupdatestodisplaytherulesthathave
anyoftheselectedtags.
3. Toviewthecurrentlyselectedtags,hoveroverthe
Clearlabelinthetagbrowser.

Objects Objects>Tags
ManageTags(Continued)
Viewrulesthatmatchtheselectedtags. ORfilter:Toviewrulesthathavespecifictags,select
Youcanfilterrulesbasedontagswithan oneormoretagsinthetagbrowser.Therightpanewill
ANDoranORoperator. displayonlytherulesthatincludethecurrentlyselected
tags.
ANDfilter:Toviewrulesthathavealltheselectedtags,
hoveroverthenumberintheRulecolumnofthetag
browserandselectFilterinthedropdown.Repeatto
addmoretags.
Clickthe inthesearchbarontherightpane.The
resultsaredisplayedusinganANDoperator.
Untagarule. HoverovertherulenumberintheRulecolumnofthetag
browserandselectUntag Rule(s)inthedropdown.
Confirmthatyouwanttoremovetheselectedtagfrom
therule.
Reorderaruleusingtags. Selectoneormoretagsandhoverovertherulenumber
intheRulecolumnofthetagbrowserandselectMove
Rule(s)inthedropdown.
Selectatagfromthedropdowninthemoverulewindow
andselectwhetheryouwanttoMove BeforeorMove
Afterthetagselectedinthedropdown.
Addanewrulethatappliestheselected Selectoneormoretags,hoverovertherulenumberinthe
tags. Rulecolumnofthetagbrowser,andselectAdd New Rule
inthedropdown.
Thenumericalorderofthenewrulevariesbywhether
youselectedaruleontherightpane.Ifnorulewas
selectedontherightpane,thenewrulewillbeadded
aftertheruletowhichtheselectedtag(s)belongs.
Otherwise,thenewruleisaddedaftertheselectedrule.
Searchforatag. Inthetagbrowser,enterthefirstfewlettersofthetag
nameyouwanttosearchforandclick todisplaythe
tagsthatmatchyourinput.

Objects>ExternalDynamicLists Objects
Objects>ExternalDynamicLists
AnexternaldynamiclistisanaddressobjectbasedonanimportedlistofIPaddresses,URLs,ordomain
namesthatyoucanuseinpolicyrulestoblockorallowtraffic.Thislistmustbeatextfilesavedtoaweb
serverthatisaccessiblebythefirewall.Thefirewallusesthemanagement(MGT)interfacebydefaultto
retrievethislist.
WithanactiveThreatPreventionlicense,PaloAltoNetworksprovidestwoDynamicIPLists:PaloAlto
NetworksHighriskIPaddressesandPaloAltoNetworksKnownmaliciousIPaddresses.Thesefeedsboth
containmaliciousIPaddressentries,whichyoucanusetoblocktrafficfrommalicioushosts.Thefirewall
receivesdailyupdatesforthesefeedsthroughantiviruscontentupdates.
YoucanuseanIPaddresslistasanaddressobjectinthesourceanddestinationofyourpolicyrules;youcan
useaURLListinObjects>SecurityProfiles>URLFilteringorasamatchcriteriainSecuritypolicyrules;and
youcanuseadomainlistinObjects>SecurityProfiles>AntiSpywareProfileforsinkholingspecified
domainnames.
Oneachfirewallmodel,youcanuseupto30externaldynamiclistswithuniquesourcesacrossallSecurity
policyrules.Themaximumnumberofentriesthatthefirewallsupportsforeachlisttypevariesbasedonthe
firewallmodel(viewthedifferentfirewalllimitsforeachexternaldynamiclisttype).Listentriesonlycount
towardthemaximumlimitiftheexternaldynamiclistisusedinpolicy.Ifyouexceedthemaximumnumber
ofentriesthataresupportedonamodel,thefirewallgeneratesaSystemlogandskipstheentriesthat
exceedthelimit.TocheckthenumberofIPaddresses,domains,andURLscurrentlyusedinpolicyandthe
totalnumbersupportedonthefirewall,clickList Capacities(firewallonly).
Toretrievethelatestversionoftheexternaldynamiclistfromtheserverthathostsit,selectanexternal
dynamiclistandclickImport Now.
Youcannotdelete,clone,oreditthesettingsofthePaloAltoNetworksmaliciousIPaddressfeeds.
ClickAddtocreateanewexternaldynamiclistandconfigurethesettingsdescribedinthetablebelow.
ExternalDynamicListSettings Description
Name Enteranametoidentifytheexternaldynamiclist(upto32characters).Thisname
identifiesthelistwhenyouusethelisttoenforcepolicy.
Shared Selectthisoptionifyouwanttheexternaldynamiclisttobeavailableto:
theexternaldynamiclistwillbeavailableonlytotheVirtual Systemselectedin
theObjectstab.
EverydevicegrouponPanorama.Ifyouclearthisselection,theexternal
dynamiclistwillbeavailableonlytotheDevice GroupselectedintheObjects
tab.
Disableoverride(Panoramaonly) Selectthisoptiontopreventadministratorsfromoverridingthesettingsofthis
externaldynamiclistobjectindevicegroupsthatinherittheobject.Thisselection
isclearedbydefault,whichmeansadministratorscanoverridethesettingsforany
devicegroupthatinheritstheobject.

Objects Objects>ExternalDynamicLists
TestSourceURL(firewallonly) Clicktoverifythatthefirewallcanconnecttotheserverthathoststheexternal
dynamiclist.
Thistestdoesnotcheckwhethertheserverauthenticatessuccessfully.
Create List Tab
Type Selectfromthefollowingtypesofexternaldynamiclists:
Youcannotmix Predefined IP ListListsofthistypeuseaPaloAltoNetworksmaliciousor
IP addresses,URLs,and highriskIPaddressfeedasasourceoflistentries(activeThreatPrevention
domainnamesinasingle licenserequired).
list.Eachlistmustinclude IP ListEachlistcanincludeIPrangesandIPsubnetsintheIPv4andIPv6
entriesofonlyonetype. addressspace.ThelistmustcontainonlyoneIPaddress,range,orsubnetper
line.Example:
192.168.80.150/32
2001:db8:123:1::1 or 2001:db8:123:1::/64
192.168.80.0/24 (this indicates all addresses from 192.168.80.0 through
192.168.80.255)
2001:db8:123:1::1 - 2001:db8:123:1::22
AsubnetoranIPaddressrange,suchas92.168.20.0/24or
192.168.20.40192.168.20.50,countasoneIPaddressentryandnotas
multipleIPaddresses.
Domain ListEachlistcanhaveonlyonedomainnameentryperline.Example:
www.p301srv03.paloalonetworks.com
ftp.example.co.uk
test.domain.net
ForthelistofdomainsincludedintheExternalDynamicList,thefirewall
createsasetofcustomsignaturesoftypespywareandmediumseverity,so
thatyoucanusethesinkholeactionforacustomlistofdomains.
URL ListEachlistcanhaveonlyoneURLentryperline.Example:
financialtimes.co.in
www.wallaby.au/joey
www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
*.example.com/*
ForeachURLlist,thedefaultactionissettoallow.Toeditthedefaultaction,
seeObjects>SecurityProfiles>URLFiltering.
Description Enteradescriptionfortheexternaldynamiclist(upto255characters).
Source EnteranHTTPorHTTPSURLpaththatcontainsthetextfile.Forexample,
http://1.1.1.1/myfile.txt.
IftheexternaldynamiclistisaPredefinedIPList,selectPalo Alto
Networks - High risk IP addressesorPalo Alto Networks - Known
malicious IP addressesasthelistsource.

Objects>ExternalDynamicLists Objects
CertificateProfile IftheexternaldynamiclisthasanHTTPSURL,selectanexistingcertificateprofile
(firewallandPanorama)orcreateanewCertificate Profile(firewallonly)for
authenticatingthewebserverthathoststhelist.Formoreinformationon
configuringacertificateprofile,seeDevice>CertificateManagement>
CertificateProfile.
Default:None (Disable Cert profile)
Tomaximizethenumberofexternaldynamicliststhatyoucanuseto
enforcepolicy,usethesamecertificateprofiletoauthenticateexternal
dynamicliststhatusethesamesourceURLsothatthelistscountasonly
oneexternaldynamiclist.ExternaldynamiclistsfromthesamesourceURL
thatusedifferentcertificateprofilesarecountedasuniqueexternal
dynamiclists.
ClientAuthentication Selectthisoption(disabledbydefault)toaddausernameandpasswordforthe
firewalltousewhenaccessinganexternaldynamiclistsourcethatrequiresbasic
HTTPauthentication.Thissettingisavailableonlywhentheexternaldynamiclist
hasanHTTPSURL.
UsernameEnteravalidusernametoaccessthelist.
Password/Confirm PasswordEnterandconfirmthepasswordforthe
username.
Repeat Specifythefrequencyinwhichthefirewallretrievesthelistfromthewebserver.
YoucanchooseHourly,Five Minute,Daily,Weekly,orMonthly.Attheconfigured
interval,thefirewallretrievesthelistandautomaticallycommitsthechangesto
theconfiguration.Anypolicyrulesthatreferencethelistareupdatedsothatthe
firewallcansuccessfullyenforcepolicy.
YoudonothaveatoconfigureafrequencyforapredefinedIPlistbecause
thefirewalldynamicallyreceivescontentupdateswithanactiveThreat
Preventionlicense.
List Entries and Exceptions Tab
ListEntries Displaystheentriesintheexternaldynamiclist.
AddanentryasalistexceptionSelectupto100entriesandclickSubmit( ).
ViewanAutoFocusthreatintelligencesummaryforanitemHoveroveran
entry,clickthedropdown,andclickAutoFocus.YoumusthaveanAutoFocus
licenseandenableAutoFocusthreatintelligenceonthefirewall toviewan
itemsummary.
CheckifanIPaddress,domain,orURLisintheexternaldynamiclistEntera
valueinthefilterfieldandApplyFilter( ).ClearFilter([X])togobackto
viewingthecompletelist.
ManualExceptions Displaysexceptionstotheexternaldynamiclist.
EditanexceptionClickonanexceptionandmakeyourchanges.
ManuallyenteranexceptionAddanewexceptionmanually.
RemoveanexceptionfromtheManualExceptionslistSelectandDeletean
exception.
CheckifanIPaddress,domain,orURLisintheManualExceptionslistEntera
valueinthefilterfieldandApplyFilter( ).ClearFilter([X])togobackto
viewingthecompletelist.Youcannotsaveyourchangestotheexternal
dynamiclistifyouhaveduplicateentriesintheManualExceptionslist.

Objects Objects>CustomObjects
Objects>CustomObjects
Createcustomdatapatterns,vulnerabilityandspywaresignatures,andURLcategoriestousewithpolicies:
Objects>CustomObjects>DataPatterns
Objects>CustomObjects>Spyware/Vulnerability
Objects>CustomObjects>URLCategory

Objects>CustomObjects>DataPatterns Objects
Objects>CustomObjects>DataPatterns
Whatareyoulookingfor? See:
Create a data pattern. DataPatternSettings

Learn more about syntax for regular expression SyntaxforRegularExpressionDataPatterns
data patterns and see some examples.
RegularExpressionDataPatternExamples
DataPatternSettings
SelectObjects > Custom Objects > Data Patternstodefinethecategoriesofsensitiveinformationthatyoumay

wanttofilter.Forinformationondefiningdatafilteringprofiles,selectObjects>SecurityProfiles>Data
Filtering.
Youcancreatethreetypesofdatapatternsforthefirewalltousewhenscanningforsensitiveinformation:
PredefinedUsethepredefineddatapatternstoscanfilesforsocialsecurityandcreditcardnumbers.
Regular ExpressionCreatecustomdatapatternsusingregularexpressions.
File PropertiesScanfilesforspecificfilepropertiesandvalues.
DataPatternSettings Description
Name Enterthedatapatternname(upto31characters).Thenamecasesensitive
andmustbeunique.Useonlyletters,numbers,spaces,hyphens,and
underscores.
Description Enteradescriptionforthedatapattern(upto255characters).
Shared Selectthisoptionifyouwantthedatapatterntobeavailableto:
selection,thedatapatternwillbeavailableonlytotheVirtual System
EverydevicegrouponPanorama.Ifyouclearthisselection,thedata
patternwillbeavailableonlytotheDevice GroupselectedintheObjects
tab.
(Panoramaonly) thisdatapatternobjectindevicegroupsthatinherittheobject.This
PatternType Selectthetypeofdatapatternyouwanttocreate:
PredefinedPattern
RegularExpression
FileProperties

Objects Objects>CustomObjects>DataPatterns
DataPatternSettings Description
PredefinedPattern PaloAltoNetworksprovidespredefineddatapatternstoscanforcertain
typesofinformationinfiles,forexample,forcreditcardnumbersorsocial
securitynumbers.Toconfiguredatafilteringbasedonapredefinedpattern,
Addapatternandselectthefollowing:
NameSelectapredefinedpatterntousetofilterforsensitivedata.
Whenyoupickapredefinedpattern,theDescriptionpopulates
automatically.
SelecttheFile Typeinwhichyouwanttodetectthepredefinedpattern.
RegularExpression Addacustomdatapattern.GivethepatternadescriptiveName,settheFile
Typeyouwanttoscanforthedatapattern,andentertheregularexpression
thatdefinestheData Pattern.
Forregularexpressiondatapatternsyntaxdetailsandexamples,see:
SyntaxforRegularExpressionDataPatterns
FileProperties Buildadatapatterntoscanforfilepropertiesandtheassociatedvalues.For
example,AddadatapatterntofilterforMicrosoftWorddocumentsand
PDFswherethedocumenttitleincludesthewordssensitive,internal,or
confidential.
GivethedatapatternadescriptiveName.
SelecttheFile Typethatyouwanttoscan.
SelecttheFile Propertythatyouwanttoscanforaspecificvalue.
EntertheProperty Valueforwhichyouwanttoscan.
SyntaxforRegularExpressionDataPatterns
Whencreatingaregularexpressiondatapattern,thefollowinggeneralrequirementsapply:
Thepatternmusthavestringofatleastsevenbytestomatch.Itcancontainmorethansevenbytesbut
notfewer.
Thestringmatchmayormaynotbecasesensitive,dependingonwhichdecoderyouuse.Whenyou
needcasesensitivity,definepatternsforallpossiblestringstomatchallvariationsofaterm.Forexample,
tomatchanydocumentsdesignatedasconfidential,youmustcreateapatternthatincludes
confidential,Confidential,andCONFIDENTIAL.
TheregularexpressionsyntaxinPANOSissimilartotraditionalregularexpressionenginesbutevery
engineisunique.ThefollowingtabledescribesthesyntaxsupportedinPANOS.
Pattern Description
RulesSyntax
. Matchanysinglecharacter.
? Matchtheprecedingcharacterorexpression0or1time.ThegeneralexpressionMUST
beinsideapairofparentheses.
Example:(abc)?

Objects>CustomObjects>DataPatterns Objects
Pattern Description
RulesSyntax
* Matchtheprecedingcharacterorexpression0ormoretimes.Thegeneralexpression
MUSTbeinsideapairofparentheses.
Example:(abc)*
+ Matchtheprecedingcharacterorregularexpressiononeormoretimes.Thegeneral
expressionMUSTbeinsideapairofparentheses.
Example:(abc)+
| Equivalenttoor.
Example:((bif)|(scr)|(exe))matchesbif,scrorexe.
Thealternativesubstringsmustbeinparentheses.
Usedtocreaterangeexpressions.
Example:[cz]matchesanycharacterbetweencandz,inclusive.
[] Matchany.
Example:[abz]:matchesanyofthecharactersa,b,orz.
^ Matchanyexcept.
Example:[^abz]matchesanycharacterexcepta,b,orz.
{} Min/Maxnumberofbytes.
Example:{1020}matchesanystringthatisbetween10and20bytes.Thismustbe
directlyinfrontofafixedstring,andonlysupports.
\ Toperformaliteralmatchonanyoneofthespecialcharactersabove,itMUSTbeescaped
byprecedingthemwitha\(backslash).
&amp &isaspecialcharacter,sotolookforthe&inastringyoumustuse&ampinstead.
Thefollowingareexamplesofvalidcustompatterns:
.*((Confidential)|(CONFIDENTIAL))
LooksforthewordConfidentialorCONFIDENTIALanywhere
.*atthebeginningspecifiestolookanywhereinthestream
Dependingonthecasesensitivityrequirementsofthedecoder,thismaynotmatchconfidential
(alllowercase)
.*((Proprietary&ampConfidential)|(ProprietaryandConfidential))
LooksforeitherProprietary&ConfidentialorProprietaryandConfidential
MoreprecisethanlookingforConfidential
.*(PressRelease).*((Draft)|(DRAFT)|(draft))
LooksforPressReleasefollowedbyvariousformsoftheworddraft,whichmayindicatethatthe
pressreleaseisn'treadytobesentoutsidethecompany
.*(Trinidad)
Looksforaprojectcodename,suchasTrinidad

Objects Objects>CustomObjects>Spyware/Vulnerability
Objects>CustomObjects>Spyware/Vulnerability
Thefirewallsupportstheabilitytocreatecustomspywareandvulnerabilitysignaturesusingthefirewall
threatengine.Youcanwritecustomregularexpressionpatternstoidentifyspywarephonehome
communicationorvulnerabilityexploits.Theresultingspywareandvulnerabilitypatternsbecomeavailable
foruseinanycustomvulnerabilityprofiles.Thefirewalllooksforthecustomdefinedpatternsinnetwork
trafficandtakesthespecifiedactionforthevulnerabilityexploit.
Weeklycontentreleasesperiodicallyincludenewdecodersandcontextsforwhichyoucan
developsignatures.
Youcanoptionallyincludeatimeattributewhendefiningcustomsignaturesbyspecifyingathresholdper
intervalfortriggeringpossibleactionsinresponsetoanattack.Actionistakenonlyafterthethresholdis
reached.
UsetheCustom Spyware SignaturepagetodefinesignaturesforAntiSpywareprofiles.UsetheCustom
Vulnerability SignaturepagetodefinesignaturesforVulnerabilityProtectionprofiles.
CustomVulnerabilityand Description
SpywareSignature
Settings
Configuration Tab
ThreatID Enteranumericidentifierfortheconfiguration(spywaresignaturesrangeis
1500018000;vulnerabilitysignaturesrangeis4100045000).
Name Specifythethreatname.
Shared Selectthisoptionifyouwantthecustomsignaturetobeavailableto:
selection,thecustomsignaturewillbeavailableonlytotheVirtual
SystemselectedintheObjectstab.
EverydevicegrouponPanorama.Ifyouclearthisselection,thecustom
signaturewillbeavailableonlytotheDevice Groupselectedinthe
Objectstab.
(Panoramaonly) thissignatureindevicegroupsthatinheritthesignature.Thisselectionis
anydevicegroupthatinheritsthesignature.
Comment Enteranoptionalcomment.
Severity Assignalevelthatindicatestheseriousnessofthethreat.
DefaultAction Assignthedefaultactiontotakeifthethreatconditionsaremet.Foralistof
actions,seeActionsinSecurityProfiles.
Direction Indicatewhetherthethreatisassessedfromtheclienttoserver,serverto
client,orboth.
AffectedSystem Indicatewhetherthethreatinvolvestheclient,server,either,orboth.
Appliestovulnerabilitysignatures,butnotspywaresignatures.

Objects>CustomObjects>Spyware/Vulnerability Objects
SpywareSignature
Settings
CVE Specifythecommonvulnerabilityenumeration(CVE)asanexternal
referenceforadditionalbackgroundandanalysis.
Vendor Specifythevendoridentifierforthevulnerabilityasanexternalreference
foradditionalbackgroundandanalysis.
Bugtraq Specifythebugtraq(similartoCVE)asanexternalreferenceforadditional
backgroundandanalysis.
Reference Addanylinkstoadditionalanalysisorbackgroundinformation.The
informationisshownwhenauserclicksonthethreatfromtheACC,logs,or
vulnerabilityprofile.

Objects Objects>CustomObjects>Spyware/Vulnerability
SpywareSignature
Settings
Signatures Tab
StandardSignature SelectStandardandthenAddanewsignature.Specifythefollowing
information:
StandardEnteranametoidentifythesignature.
CommentEnteranoptionaldescription.
Ordered Condition MatchSelectiftheorderinwhichsignature
conditionsaredefinedisimportant.
ScopeSelectwhethertoapplythissignatureonlytothecurrent
transactionortothefullusersession.
AddaconditionbyclickingAdd Or ConditionorAdd And Condition.Toadd
aconditionwithinagroup,selectthegroupandthenclickAdd Condition.
Addaconditiontoasignaturesothatthesignatureisgeneratedfortraffic
whentheparametersyoudefinefortheconditionaretrue.Selectan
Operatorfromthedropdown.Theoperatordefinesthetypeofcondition
thatmustbetrueforthecustomsignaturetomatchtotraffic.Choosefrom
Less Than,Equal To,Greater Than,orPattern Matchoperators.
WhenchoosingaPattern Matchoperator,specifyforthefollowingtobe
trueforthesignaturetomatchtotraffic:
ContextSelectfromtheavailablecontexts.
PatternSpecifyaregularexpression.SeePatternRulesSyntaxfor
patternrulesforregularexpressions.
Qualifier and ValueOptionally,addqualifier/valuepairs.
NegateSelectNegatesothatthecustomsignaturematchesto
trafficonlywhenthedefinedPatternMatchconditionisnottrue.
Thisallowsyoutoensurethatthecustomsignatureisnottriggered
undercertainconditions.
AcustomsignaturecannotbecreatedwithonlyNegate
conditions;atleastonepositiveconditionmustbeincluded
inorderforanegateconditiontospecified.Also,ifthescope
ofthesignatureissettoSession,aNegateconditioncannot
beconfiguredasthelastconditiontomatchtotraffic.
Youcandefineexceptionsforcustomvulnerabilityorspyware
signaturesusingthenewoptiontonegatesignaturegeneration
whentrafficmatchesbothasignatureandtheexceptiontothe
signature.Usethisoptiontoallowcertaintrafficinyournetworkthat
mightotherwisebeclassifiedasspywareoravulnerabilityexploit.In
thiscase,thesignatureisgeneratedfortrafficthatmatchesthe
pattern;trafficthatmatchesthepatternbutalsomatchesthe
exceptiontothepatternisexcludedfromsignaturegenerationand
anyassociatedpolicyaction(suchasbeingblockedordropped).For
example,youcandefineasignaturetobegeneratedforredirected
URLs;however,youcannowalsocreateanexceptionwherethe
signatureisnotgeneratedforURLsthatredirecttoatrusteddomain.

Objects>CustomObjects>Spyware/Vulnerability Objects
SpywareSignature
Settings
WhenchoosinganEqual To,Less Than,orGreater Thanoperator,specify

forthefollowingtobetrueforthesignaturetomatchtotraffic:
ContextSelectfromunknownrequestsandresponsesforTCPor
UDP.
PositionSelectbetweenthefirstfourorsecondfourbytesinthe
payload.
MaskSpecifya4bytehexvalue,forexample,0xffffff00.
ValueSpecifya4bytehexvalue,forexample,0xaabbccdd.
CombinationSignature SelectCombinationandspecifythefollowinginformation:
SelectCombination Signaturestospecifyconditionsthatdefinesignatures:
AddaconditionbyclickingAdd AND ConditionorAdd OR Condition.To
addaconditionwithinagroup,selectthegroupandthenclickAdd
Condition.
Tomoveaconditionwithinagroup,selecttheconditionandclickMove
UporMove Down.Tomoveagroup,selectthegroupandclickMove Up
orMove Down.Youcannotmoveconditionsfromonegrouptoanother.
SelectTime Attributetospecifythefollowinginformation:
Number of HitsSpecifythethresholdthatwilltriggeranypolicybased
actionasanumberofhits(11000)inaspecifiednumberofseconds
(13600).
Aggregation CriteriaSpecifywhetherthehitsaretrackedbysourceIP
address,destinationIPaddress,oracombinationofsourceand
destinationIPaddresses.
Tomoveaconditionwithinagroup,selecttheconditionandclickMove
UporMove Down.Tomoveagroup,selectthegroupandclickMove Up
orMove Down.Youcannotmoveconditionsfromonegrouptoanother.

Objects Objects>CustomObjects>URLCategory
Objects>CustomObjects>URLCategory
UsethecustomURLcategorypagetocreateyourcustomlistofURLsanduseitinaURLfilteringprofileor
asmatchcriteriainpolicyrules.InacustomURLcategory,youcanaddURLentriesindividually,orimporta
textfilethatcontainsalistofURLs.
URLentriesaddedtocustomcategoriesarecaseinsensitive.
ThefollowingtabledescribesthecustomURLsettings:
CustomURLCategory Description
Settings
Name EnteranametoidentifythecustomURLcategory(upto31characters).This
namedisplaysinthecategorylistwhendefiningURLfilteringpoliciesandin
thematchcriteriaforURLcategoriesinpolicyrules.Thenameis
Description EnteradescriptionfortheURLcategory(upto255characters).
Shared SelectthisoptionifyouwanttheURLcategorytobeavailableto:
selection,theURLcategorywillbeavailableonlytotheVirtual System
EverydevicegrouponPanorama.Ifyouclearthisselection,theURL
categorywillbeavailableonlytotheDevice GroupselectedintheObjects
tab.
(Panoramaonly) thiscustomURLobjectindevicegroupsthatinherittheobject.This
Sites AddClickAddtoenterURLs,onlyoneineachrow.EachURLcanbein
theformatwww.example.comorcanincludewildcards,suchas
*.example.com.Foradditionalinformationonformatssupported,see
BlockListinObjects>SecurityProfiles>URLFiltering.
ImportClickImportandbrowsetoselectthetextfilethatcontainsthe
listofURLs.EnteronlyoneURLperrow.EachURLcanbeintheformat
www.example.comorcanincludewildcards,suchas*.example.com.
Foradditionalinformationonformatssupported,seeBlockListinObjects
>SecurityProfiles>URLFiltering.
ExportClickExporttoexportthecustomURLentriesincludedinthelist.
TheURLsareexportedasatextfile.
DeleteSelectanentryandclickDeletetoremovetheURLfromthelist.
TodeleteacustomcategorythatyouhaveusedinaURLfiltering
profile,youmustsettheactiontoNonebeforeyoucandeletethe
customcategory.SeeCategoryactionsinObjects>SecurityProfiles
>URLFiltering.

Objects>SecurityProfiles Objects
SecurityprofilesprovidethreatprotectioninSecurityPolicy.EachSecuritypolicyrulecanincludeoneor
moreSecurityProfiles.Thefollowingareavailableprofiletypes:
Antivirusprofilestoprotectagainstworms,viruses,andtrojansandtoblockspywaredownloads.See
Objects>SecurityProfiles>Antivirus.
AntiSpywareprofilestoblockattemptsfromspywareoncompromisedhoststryingtophonehomeor
beaconouttoexternalcommandandcontrol(C2)servers.SeeObjects>SecurityProfiles>
AntiSpywareProfile.
Vulnerabilityprotectionprofilestostopattemptstoexploitsystemflawsorgainunauthorizedaccessto
systems.SeeObjects>SecurityProfiles>VulnerabilityProtection.
URLfilteringprofilestorestrictusersaccesstospecificwebsitesand/orwebsitecategories,suchas
shoppingorgambling.SeeObjects>SecurityProfiles>URLFiltering.
Fileblockingprofilestoblockselectedfiletypes,andinthespecifiedsessionflowdirection
(inbound/outbound/both).SeeObjects>SecurityProfiles>FileBlocking.
WildFireanalysisprofilestospecifyforfileanalysistobeperformedlocallyontheWildFireappliance
orintheWildFirecloud.SeeObjects>SecurityProfiles>WildFireAnalysis.
Datafilteringprofilesthathelppreventsensitiveinformationsuchascreditcardorsocialsecurity
numbersfromleavingaprotectednetwork.SeeObjects>SecurityProfiles>DataFiltering.
DoSProtectionprofilesareusedwithDoSProtectionpolicyrulestoprotectthefirewallfrom
highvolumesinglesessionandmultiplesessionattacks.SeeObjects>SecurityProfiles>DoS
Protection.
Inadditionaltoindividualprofiles,youcancombineprofilesthatareoftenappliedtogether,andcreate
SecurityProfilegroups(Objects > Security Profile Groups).
ActionsinSecurityProfiles
Theactionspecifieshowthefirewallrespondstoathreatevent.Everythreatorvirussignaturethatis
definedbyPaloAltoNetworksincludesadefaultaction,whichistypicallyeithersettoAlert, whichinforms
youusingtheoptionyouhaveenabledfornotification,ortoReset Both,whichresetsbothsidesofthe
connection.However,youcandefineoroverridetheactiononthefirewall.Thefollowingactionsare
applicablewhendefiningAntivirusprofiles,AntiSpywareprofiles,VulnerabilityProtectionprofiles,custom
spywareobjects,customvulnerabilityobjects,orDoSProtectionprofiles.
Action Description Antivirus AntiSpywar Vulnerability Custom DoS

Profile eprofile Protection Object Protection
Profile Spywareand Profile
Vulnerability
Default Takesthedefaultaction RandomEarly

thatisspecifiedinternally Drop
foreachthreatsignature.
Forantivirusprofiles,it
takesthedefaultaction
forthevirussignature.

Objects Objects>SecurityProfiles

Vulnerability
Allow Permitstheapplication
traffic.
Alert Generatesanalertfor
eachapplicationtraffic Generatesan
flow.Thealertissavedin alertwhen
thethreatlog. attackvolume
(cps)reaches
theAlarm
thresholdset
intheprofile.
Drop Dropstheapplication
traffic.
Reset Client ForTCP,resetsthe

clientsideconnection.
ForUDP,theconnection
isdropped
Reset Server ForTCP,resetsthe

serversideconnection.
isdropped
Reset Both ForTCP,resetsthe

connectiononbothclient
andserverends.
isdropped
Block IP Blockstrafficfromeither
asourceora
sourcedestinationpair;
Configurablefora
specifiedperiodoftime.
Sinkhole ThisactiondirectsDNS
queriesformalicious
domainstoasinkholeIP
address.
Theactionisavailablefor
PaloAltoNetworksDNS
signaturesandforcustom
domainsincludedin
Objects>External
DynamicLists.

Objects>SecurityProfiles Objects

Vulnerability
Random Causesthefirewallto
Early Drop randomlydroppackets
whenconnectionsper
secondreachtheActivate
RatethresholdinaDoS
Protectionprofileapplied
toaDoSProtectionrule.
SYN Cookies Causesthefirewallto

generateSYNcookiesto
authenticateaSYNfroma
clientwhenconnections
persecondreachthe
ActivateRateThresholdin
aDoSProtectionprofile
appliedtoaDoS
Protectionrule.
Youcannotdeleteaprofilethatisusedinapolicyrule;youmustfirstremovetheprofilefrom
thepolicyrule.

Objects Objects>SecurityProfiles>Antivirus
Objects>SecurityProfiles>Antivirus
UsetheAntivirus Profilespagetoconfigureoptionstohavethefirewallscanforvirusesonthedefinedtraffic.
Settheapplicationsthatshouldbeinspectedforvirusesandtheactiontotakewhenavirusisdetected.The
defaultprofileinspectsallofthelistedprotocoldecodersforviruses,generatesalertsforSimpleMail
TransportProtocol(SMTP),InternetMessageAccessProtocol(IMAP),andPostOfficeProtocolVersion3
(POP3),andtakesthedefaultactionforotherapplications(alertordeny),dependingonthetypeofvirus
detected.TheprofilewillthenbeattachedtoaSecuritypolicyruletodeterminethetraffictraversing
specificzonesthatwillbeinspected.
Customizedprofilescanbeusedtominimizeantivirusinspectionfortrafficbetweentrustedsecurityzones,
andtomaximizetheinspectionoftrafficreceivedfromuntrustedzones,suchastheInternet,aswellasthe
trafficsenttohighlysensitivedestinations,suchasserverfarms.
ToaddanewAntivirusprofile,selectAddandenterthefollowingsettings:
Field Description
Name Enteraprofilename(upto31characters).Thisnameappearsinthelistofantivirus
profileswhendefiningsecuritypolicies.Thenameiscasesensitiveandmustbe
unique.Useonlyletters,numbers,spaces,hyphens,periods,andunderscores.
Description Enteradescriptionfortheprofile(upto255characters).
Shared Selectthisoptionifyouwanttheprofiletobeavailableto:
Everyvirtualsystem(vsys)onamultivsysfirewall.Ifyouclearthisselection,the
profilewillbeavailableonlytotheVirtual SystemselectedintheObjectstab.
EverydevicegrouponPanorama.Ifyouclearthisselection,theprofilewillbe
availableonlytotheDevice GroupselectedintheObjectstab.
Disableoverride Selectthisoptiontopreventadministratorsfromoverridingthesettingsofthis
(Panoramaonly) Antivirusprofileindevicegroupsthatinherittheprofile.Thisselectionisclearedby
default,whichmeansadministratorscanoverridethesettingsforanydevicegroup
thatinheritstheprofile.
The Antivirus tab allows you to specify the action for the different types of traffic, such as ftp, and http.
PacketCapture Selectthisoptionifyouwanttocaptureidentifiedpackets.
DecodersandActions Foreachtypeoftrafficthatyouwanttoinspectforviruses,selectanactionfrom
thedropdown.Youcandefinedifferentactionsforstandardantivirussignatures
(Actioncolumn)andsignaturesgeneratedbytheWildFiresystem(WildFireAction
column).
Someenvironmentsmayhaverequirementsforalongersoaktimeforantivirus
signatures,sothisoptionenablestheabilitytosetdifferentactionsforthetwo
antivirussignaturetypesprovidedbyPaloAltoNetworks.Forexample,the
standardantivirussignaturesgothroughalongersoakperiodbeforebeingreleased
(24hours),versusWildFiresignatures,whichcanbegeneratedandreleasedwithin
15minutesafterathreatisdetected.Becauseofthis,youmaywanttochoosethe
alertactiononWildFiresignaturesinsteadofblocking.

Objects>SecurityProfiles>Antivirus Objects
Field Description
ApplicationsExceptions TheApplications Exceptiontableallowsyoutodefineapplicationsthatwillnotbe

andActions inspected.Forexample,toblockallHTTPtrafficexceptforaspecificapplication,
youcandefineanantivirusprofileforwhichtheapplicationisanexception.Block
istheactionfortheHTTPdecoder,andAllowistheexceptionfortheapplication.
Foreachapplicationexception,selecttheactiontobetakenwhenthethreatis
detected.Foralistofactions,seeActionsinSecurityProfiles.
Tofindanapplication,starttypingtheapplicationnameinthetextbox.Amatching
listofapplicationsisdisplayed,andyoucanmakeaselection.
VirusException TheVirus Exceptionstabtodefinealistofthreatsthatwillbeignoredbythe

antivirusprofile.
ThreatID Toaddspecificthreatsthatyouwanttoignore,enteroneThreatIDatatimeand
clickAdd.ThreatIDsarepresentedaspartofthethreatloginformation.Referto
Monitor>Logs.

Objects Objects>SecurityProfiles>AntiSpywareProfile
Objects>SecurityProfiles>AntiSpywareProfile
YoucanattachanAntiSpywareprofiletoaSecuritypolicyrulefordetectingconnectionsinitiatedby
spywareandcommandandcontrol(C2)malwareinstalledonsystemsonyournetwork.Youcanchoose
betweentwopredefinedAntiSpywareprofilesinaSecuritypolicyrule.Eachoftheseprofileshasasetof
predefinedrules(withthreatsignatures)organizedbytheseverityofthethreat;eachthreatsignature
includesadefaultactionthatisspecifiedbyPaloAltoNetworks.
DefaultThedefaultprofileusesthedefaultactionforeverysignature,asspecifiedbyPaloAlto
Networkswhenthesignatureiscreated.
StrictThestrictprofileoverridestheactiondefinedinthesignaturefileforcritical,high,andmedium
severitythreats,andsetsittotheblockaction.Thedefaultactionistakenwithlowandinformational
severitythreats.
Youcanalsocreatecustomprofiles.Youcan,forexample,reducethestringencyforAntiSpyware
inspectionfortrafficbetweentrustedsecurityzones,andmaximizetheinspectionoftrafficreceived
fromtheInternet,ortrafficsenttoprotectedassetssuchasserverfarms.
ThefollowingtablesdescribetheAntiSpywareprofile settings:
AntiSpywareProfile Description
Settings
Name Enteraprofilename(upto31characters).Thisnameappearsinthelistof
AntiSpywareprofileswhendefiningsecuritypolicies.Thenameis
hyphens,periods,andunderscores.
selection,theprofilewillbeavailableonlytotheVirtual Systemselected
intheObjectstab.
EverydevicegrouponPanorama.Ifyouclearthisselection,theprofile
willbeavailableonlytotheDevice GroupselectedintheObjectstab.
(Panoramaonly) thisAntiSpywareprofileindevicegroupsthatinherittheprofile.This
settingsforanydevicegroupthatinheritstheprofile.
Rules
AntiSpywarerulesallowyoutodefineacustomseverityandactiontotakeonanythreat,aspecific
threatnamethatcontainsthetextthatyouenter,and/orbyathreatcategory,suchasadware.
Addanewrule,oryoucanselectanexistingruletoandselectFind Matching Signaturestofilterthreat
signaturesbasedonthatrule.
RuleName Specifytherulename.
ThreatName Enteranytomatchallsignatures,orentertexttomatchanysignature
containingtheenteredtextaspartofthesignaturename.
Severity Chooseaseveritylevel(critical,high,medium,low,orinformational).

Objects>SecurityProfiles>AntiSpywareProfile Objects
Settings
Action Chooseanactionforeachthreat.Foralistofactions,seeActionsinSecurity
Profiles.
Selectsingle-packettocaptureonepacketwhenathreatisdetected,or
selecttheextended-captureoptiontocapturefrom1to50packets.
Extendedcapturewillprovidesmuchmorecontexttothethreatwhen
analyzingthethreatlogs.Toviewthepacketcapture,selectMonitor > Logs
> Threatandlocatethelogentryyouareinterestedinandthenclickthe
greendownarrowinthesecondcolumn.Todefinethenumberofpackets
thatshouldbecaptured,selectDevice > Setup > Content-IDandthenedit
theContentIDSettings.
Packetcaptureswillonlyoccuriftheactionisalloworalert.Iftheblock
actionisset,thesessionisendedimmediately.
Exceptions Tab
Allowsyoutochangetheactionforaspecificsignature.Forexample,youcangeneratealertsfora
specificsetofsignaturesandblockallpacketsthatmatchallothersignatures.Threatexceptionsare
usuallyconfiguredwhenfalsepositivesoccur.Tomakemanagementofthreatexceptionseasier,youcan
addthreatexceptionsdirectlyfromtheMonitor > Logs > Threatlist.Ensurethatyouobtainthelatest
contentupdatessothatyouareprotectedagainstnewthreatsandhavenewsignaturesforany
falsepositives.
Exceptions SelectEnableforeachthreatforwhichyouwanttoassignanaction,or
selectAlltorespondtoalllistedthreats.Thelistdependsontheselected
host,category,andseverity.Ifthelistisempty,therearenothreatsforthe
currentselections.
UsetheIPAddressExemptionscolumntoaddIPaddressfilterstoathreat
exception.IfIPaddressesareaddedtoathreatexception,thethreat
exceptionactionforthatsignaturewillonlybetakenovertherule'saction
ifthesignatureistriggeredbyasessionhavingeitherthesourceor
destinationIPmatchinganIPintheexception.Youcanaddupto100IP
addressespersignature.Withthisoption,youdonothavetocreateanew
policyruleandnewvulnerabilityprofiletocreateanexceptionforaspecific
IPaddress.
DNS Signature Tab

TheDNS Signaturessettingsprovidesanadditionalmethodofidentifyinginfectedhostsonanetwork.
ThesesignaturesdetectspecificDNSlookupsforhostnamesthathavebeenassociatedwithmalware.
TheDNSsignaturescanbeconfiguredtoallow,alert,sinkhole,orblockwhenthesequeriesareobserved,
justaswithregularantivirussignatures.Additionally,hoststhatperformDNSqueriesformalware
domainswillappearinthebotnetreport.DNSsignaturesaredownloadedaspartoftheantivirusupdates.
ExternalDynamicList Allowsyoutoselectthelistsforwhichyouwanttoenforceanactionwhen
Domains aDNSqueryoccurs.Bydefault,thelistofDNSsignaturesprovidedthrough
contentupdates(PaloAltoNetworksDNSSignatureslist)issinkholed.The
defaultIPaddressusedforsinkholingbelongstoPaloAltoNetworks
(71.19.152.112).ThisIPaddressisnotstaticandcanbemodifiedthrough
contentupdatesonthefirewallorPanorama.
Toaddanewlist,clickAddandselecttheExternalDynamicListoftype
Domainthatyouhadcreated.Tocreateanewlist,seeObjects>External
DynamicLists.

Objects Objects>SecurityProfiles>AntiSpywareProfile
Settings
ActiononDNSqueries ChooseanactiontobetakenwhenDNSlookupsaremadetoknown
malwaresites.Theoptionsarealert,allow,block,orsinkhole.Thedefault
actionforPaloAltoNetworksDNSsignaturesissinkhole.
TheDNSsinkholeactionprovidesadministratorswithamethodof
identifyinginfectedhostsonthenetworkusingDNStraffic,evenwhenthe
firewallisnorthofalocalDNSserver(i.e.thefirewallcannotseethe
originatoroftheDNSquery).Whenathreatpreventionlicenseisinstalled
andanAntiSpywareprofileisenabledinaSecurityProfile,theDNSbased
signatureswilltriggeronDNSqueriesdirectedatmalwaredomains.Ina
typicaldeploymentwherethefirewallisnorthofthelocalDNSserver,the
threatlogwillidentifythelocalDNSresolverasthesourceofthetraffic
ratherthantheactualinfectedhost.SinkholingmalwareDNSqueriessolves
thisvisibilityproblembyforgingresponsestothequeriesdirectedat
maliciousdomains,sothatclientsattemptingtoconnecttomalicious
domains(forcommandandcontrol,forexample)insteadattempt
connectionstoanIPaddressspecifiedbytheadministrator.Infectedhosts
canthenbeeasilyidentifiedinthetrafficlogsbecauseanyhostthat
attemptstoconnecttothesinkholeIParemostlikelyinfectedwithmalware.
Afterselectingthesinkholeaction,specifyanIPv4and/orIPv6addressthat
willbeusedforsinkholing.Bydefault,thesinkholeIPaddressissettoaPalo
AltoNetworksserver.Youcanthenusethetrafficlogsorbuildacustom
reportthatfiltersonthesinkholeIPaddressandidentifyinfectedclients.
ThefollowingisthesequenceofeventsthatwilloccurwhenanDNSrequest
issinkholed:
MalicioussoftwareonaninfectedclientcomputersendsaDNSqueryto
resolveamalicioushostontheInternet.
Theclient'sDNSqueryissenttoaninternalDNSserver,whichthenqueries
apublicDNSserverontheothersideofthefirewall.
TheDNSquerymatchesaDNSentryintheDNSsignaturesdatabase,sothe
sinkholeactionwillbeperformedonthequery.
Theinfectedclientthenattemptstostartasessionwiththehost,butuses
theforgedIPaddressinstead.TheforgedIPaddressistheaddressdefined
intheAntiSpywareprofileDNSSignaturestabwhenthesinkholeactionis
selected.
TheadministratorisalertedofamaliciousDNSqueryinthethreatlog,and
canthensearchthetrafficlogsforthesinkholeIPaddressandcaneasily
locatetheclientIPaddressthatistryingtostartasessionwiththesinkhole
IPaddress.
ThreatID ManuallyenterDNSsignatureexceptions(rangeis
40000004999999).

Objects>SecurityProfiles>VulnerabilityProtection Objects
Objects>SecurityProfiles>VulnerabilityProtection
ASecuritypolicyrulecanincludespecificationofaVulnerabilityProtectionprofilethatdeterminesthelevel
ofprotectionagainstbufferoverflows,illegalcodeexecution,andotherattemptstoexploitsystem
vulnerabilities.TherearetwopredefinedprofilesavailablefortheVulnerabilityProtectionfeature:
Thedefaultprofileappliesthedefaultactiontoallclientandservercritical,high,andmediumseverity
vulnerabilities.Itdoesnotdetectlowandinformationalvulnerabilityprotectionevents.
Thestrictprofileappliestheblockresponsetoallclientandservercritical,highandmediumseverity
spywareeventsandusesthedefaultactionforlowandinformationalvulnerabilityprotectionevents.
Customizedprofilescanbeusedtominimizevulnerabilitycheckingfortrafficbetweentrustedsecurity
zones,andtomaximizeprotectionfortrafficreceivedfromuntrustedzones,suchastheInternet,aswellas
thetrafficsenttohighlysensitivedestinations,suchasserverfarms.ToapplyVulnerabilityProtection
profilestoSecuritypolicies,refertoPolicies>Security.
TheRulessettingsspecifycollectionsofsignaturestoenable,aswellasactionstobetakenwhenasignature
withinacollectionistriggered.
TheExceptionssettingsallowsyoutochangetheresponsetoaspecificsignature.Forexample,youcan
blockallpacketsthatmatchasignature,exceptfortheselectedone,whichgeneratesanalert.TheException
tabsupportsfilteringfunctions.
TheVulnerability Protectionpagepresentsadefaultsetofcolumns.Additionalcolumnsofinformationare
availablebyusingthecolumnchooser.Clickthearrowtotherightofacolumnheaderandselectthecolumns
fromtheColumnssubmenu.
ThefollowingtablesdescribetheVulnerabilityProtectionprofilesettings:
VulnerabilityProtection Description
ProfileSettings
VulnerabilityProtectionprofileswhendefiningsecuritypolicies.Thename
hyphens,periods,andunderscores.
intheObjectstab.
(Panoramaonly) thisVulnerabilityProtectionprofileindevicegroupsthatinherittheprofile.
Thisselectionisclearedbydefault,whichmeansadministratorscanoverride
thesettingsforanydevicegroupthatinheritstheprofile.
Rules Tab
RuleName Specifyanametoidentifytherule.
ThreatName Specifyatextstringtomatch.Thefirewallappliesacollectionofsignatures
totherulebysearchingsignaturenamesforthistextstring.

Objects Objects>SecurityProfiles>VulnerabilityProtection
ProfileSettings
Action Choosetheactiontotakewhentheruleistriggered.Foralistofactions,see
ActionsinSecurityProfiles.
TheDefaultactionisbasedonthepredefinedactionthatispartofeach
signatureprovidedbyPaloAltoNetworks.Toviewthedefaultactionfora
signature,selectObjects > Security Profiles > Vulnerability Protectionand
Addorselectanexistingprofile.ClicktheExceptionstabandthenclick
Show all signaturestoseealistofallsignaturesandtheassociatedAction.
HostType Specifywhethertolimitthesignaturesfortheruletothosethatareclient
side,serverside,oreither(any).
Selectsingle-packettocaptureonepacketwhenathreatisdetected,or
selecttheextended-captureoptiontocapturefrom1to50packets.
Extendedcapturewillprovidesmuchmorecontexttothethreatwhen
analyzingthethreatlogs.Toviewthepacketcapture,selectMonitor > Logs
> Threatandlocatethelogentryyouareinterestedinandthenclickthe
greendownarrowinthesecondcolumn.Todefinethenumberofpackets
thatshouldbecaptured,selectDevice > Setup > Content-IDandthenedit
theContentIDSettings.
Packetcaptureswillonlyoccuriftheactionisalloworalert.Iftheblock
actionisset,thesessionisendedimmediately.
Category Selectavulnerabilitycategoryifyouwanttolimitthesignaturestothose
thatmatchthatcategory.
CVEList Specifycommonvulnerabilitiesandexposures(CVEs)ifyouwanttolimitthe
signaturestothosethatalsomatchthespecifiedCVEs.
EachCVEisintheformatCVEyyyyxxxx,whereyyyyistheyearandxxxxis
theuniqueidentifier.Youcanperformastringmatchonthisfield.For
example,tofindvulnerabilitiesfortheyear2011,enter2011.
VendorID SpecifyvendorIDsifyouwanttolimitthesignaturestothosethatalso
matchthespecifiedvendorIDs.
Forexample,theMicrosoftvendorIDsareintheformMSyyxxx,whereyy
isthetwodigityearandxxxistheuniqueidentifier.Forexample,tomatch
Microsoftfortheyear2009,enterMS09.
Severity Selectseveritiestomatch(informational,low,medium,high,orcritical)if
youwanttolimitthesignaturestothosethatalsomatchthespecified
severities.

Objects>SecurityProfiles>VulnerabilityProtection Objects
ProfileSettings
Exceptions Tab
Threats SelectEnableforeachthreatforwhichyouwanttoassignanaction,or
selectAlltorespondtoalllistedthreats.Thelistdependsontheselected
host,category,andseverity.Ifthelistisempty,therearenothreatsforthe
currentselections.
Chooseanactionfromthedropdown,orchoosefromtheAction
dropdownatthetopofthelisttoapplythesameactiontoallthreats.Ifyou
selectedShow All,thenallsignaturesarelisted.Ifnot,onlythesignatures
thatareexceptionsarelisted.
SelectPacket Captureifyouwanttocaptureidentifiedpackets.
Thevulnerabilitysignaturedatabasecontainssignaturesthatindicatea
bruteforceattack;forexample,ThreatID40001triggersonanFTPbrute
forceattack.Bruteforcesignaturestriggerwhenaconditionoccursina
certaintimethreshold.Thethresholdsarepreconfiguredforbruteforce
signatures,andcanbechangedbyclickingedit( )nexttothethreat
nameontheVulnerabilitytab(withtheCustomoptionselected).Youcan
specifythenumberofhitsperunitoftimeandwhetherthethresholdapplies
tosource,destination,orsourceanddestination.
ThresholdscanbeappliedonasourceIP,destinationIPoracombinationof
sourceIPanddestinationIP.
Thedefaultactionisshowninparentheses.TheCVEcolumnshows
identifiersforcommonvulnerabilitiesandexposures(CVE).Theseunique,
commonidentifiersareforpubliclyknowninformationsecurity
vulnerabilities.
ClickintotheIPAddressExemptionscolumntoAddIPaddressfilterstoa
threatexception.WhenyouaddanIPaddresstoathreatexception,the
threatexceptionactionforthatsignaturewilltakeprecedenceoverthe
rule'sactiononlyifthesignatureistriggeredbyasessionwitheithera
sourceordestinationIPaddressmatchinganIPaddressintheexception.
Youcanaddupto100IPaddressespersignature.Youmustenteraunicast
IPaddress(thatis,anaddresswithoutanetmask),suchas10.1.7.8or
2001:db8:123:1::1.ByaddingIPaddressexemptions,youdonothaveto
createanewpolicyruleandnewvulnerabilityprofiletocreateanexception
foraspecificIPaddress.

Objects Objects>SecurityProfiles>URLFiltering
Objects>SecurityProfiles>URLFiltering
YoucanuseURLfiltering profilestocontrolaccesstowebcontent.
Control access to websites based on URL category. Categories

Enable the firewall to detect corporate credential UserCredentialDetection
submissions, and then control the URL categories
to which users can submit credentials. Categories
Enforce safe search settings. URLFilteringSettings

Enable logging of HTTP headers. URLFilteringSettings
Define website block and allow lists. Overrides
Allow password-based access to certain sites. Overrides
Looking for more? LearnmoreaboutandconfigureURLFiltering .
PreventCredentialPhishing basedonURLcategory.
TocreatecustomURLcategorieswithyourownlistsof
URLs,selectObjects>CustomObjects>URLCategory.
GeneralSettings
GeneralSettings Description
URLfilteringprofileswhendefiningsecuritypolicies.Thenameis
intheObjectstab.
(Panoramaonly) thisURLFilteringprofileindevicegroupsthatinherittheprofile.This

Objects>SecurityProfiles>URLFiltering Objects
Categories
Objects>SecurityProfiles>URLFiltering>Categories
CategoriesSettings Description
Category Inadditiontothepredefinedcategories,bothcustomURLcategoriesandexternal
dynamiclistsoftypeURLaredisplayedunderCategory.Bydefault,theSite Access
andUser Credential SubmissionpermissionsforallcategoriesaresettoAllow.
SiteAccess ForeachURLcategory,selecttheactiontotakewhenauserattemptstoaccessa
URLinthatcategory(Site Access):
alertAllowsaccesstothewebsitebutaddsanalerttotheURLlogeachtimea
useraccessestheURL.
allowAllowsaccesstothewebsite.
blockBlocksaccesstothewebsite.IftheSiteAccesstoaURLcategoryissetto
block,theUserCredentialSubmissionpermissionsisautomaticallyalsosetto
block.
continueDisplaysapagetousersthattowarnthemagainstcontinuingtoaccess
thepage.Toaccessthewebsite,theusermustclickContinue.
TheContinuepageswillnotbedisplayedproperlyonclientmachinesthat
areconfiguredtouseaproxyserver.
overrideDisplaysaresponsepagethatpromptstheusertoenteravalid
passwordinordertogainaccesstothesite.ConfigureURLAdminOverride
settings(Device > Setup > Content ID)tomanagepasswordandotheroverride
settings.(SeealsotheManagementSettingstableinDevice>Setup>
ContentID).
TheOverridepageswillnotbedisplayedproperlyonclientmachinesthat
areconfiguredtouseaproxyserver.
none(customURLcategoryonly)IfyouhavecreatedcustomURLcategories,set
theactiontononetoallowthefirewalltoinherittheURLfilteringcategory
assignmentfromyourURLdatabasevendor.Settingtheactiontononegivesyou
theflexibilitytoignorecustomcategoriesinaURLfilteringprofile,whileallowing
youtousethecustomURLcategoryasamatchcriteriainpolicyrules(Security,
Decryption,andQoS)tomakeexceptionsortoenforcedifferentactions.To
deleteacustomURLcategory,youmustsettheactiontononeinanyprofile
wherethecustomcategoryisused.ForinformationoncustomURLcategories,
seeObjects>CustomObjects>URLCategory.

CategoriesSettings Description
UserCredential ForeachURLcategory,selecttheUser Credential Submissionstoallowordisallow

Submission usersfromsubmittingvalidcorporatecredentialstoaURLinthatcategory.Before
youcancontrolusercredentialsubmissionsbasedonURLcategory,youmustenable
credentialsubmissiondetection(selecttheUser Credential Detectiontab).
URLcategorieswiththeSite Accesssettoblockareautomaticallysettoalsoblock
usercredentialsubmissions.
alertAllowuserstosubmitcredentialstothewebsite,butgenerateaURL
Filteringlogeachtimeausersubmitscredentialstositesinthiscategory.
allow(default)Allowuserstosubmitcredentialstothewebsite.
blockBlockusersfromsubmittingcredentialstothewebsite.Adefault
antiphishingresponsepageblocksusercredentialsubmissions.
continueDisplayaresponsepagetousersthatpromptsthemtoselectContinue
tosubmitcredentialstothesite.Bydefault,anantiphishingcontinuepage
displaystowarnuserswhentheyattempttosubmitcredentialstositestowhich
credentialsubmissionsarediscouraged.Youcanchoosetocreateacustom
responsepagetowarnusersagainstphishingattemptsortoeducatethemagainst
reusingvalidcorporatecredentialsonotherwebsites.
CheckURLCategory ClicktoaccessthePANDBURLFilteringdatabase,whereyoucanenteraURLorIP
addresstoviewcategorizationinformation.
DynamicURLFiltering SelecttoenablecloudlookupforcategorizingtheURL.Thisoptionisinvokedifthe
Default:Disabled localdatabaseisunabletocategorizetheURL.
(Configurablefor IftheURLisunresolvedaftera5secondtimeoutwindow,theresponseisdisplayed
BrightCloudonly) asNot resolved URL.
WithPANDB,this
optionisenabled
bydefaultandis
notconfigurable.
Overrides
Objects>SecurityProfiles>URLFiltering>Overrides

OverridesSettings Description
ActiononLicense WithBrightCloud:
Expiration IfyouareusingtheBrightClouddatabase,youcanconfiguretheactiontotakeifthe
URLfilteringlicenseexpires:
BlockBlocksaccesstoallwebsites.Uponlicenseexpiration,allURLsare
blocked,notjusttheURLcategoriespreviouslysettoblock.
AllowAllowsaccesstoallwebsites.Uponlicenseexpiration,allURLsare
allowed,notjusttheURLcategoriessettoallow.
WithPANDB:
IfthelicenseexpiresforPANDB,URLfilteringisnotenforced:
URLcategoriesthatarecurrentlyinthecachewillbeusedtoeitherblockorallow
contentbasedonyourconfiguration.Usingcachedresultsisasecurityrisk
becausethecategorizationinformationmightbestale.
URLsthatarenotinthecachewillbecategorizedasnotresolvedandwillbe
allowed.
Alwaysrenewyourlicenseintimetoensurenetworksecurity.
AllowList EntertheIPaddressesorURLpathnamesofthewebsitesthatyouwanttoallowor
Ifyouwouldliketo generatealertson.EntereachIPaddressorURLoneperline.
useanExternal YoumustomitthehttpandhttpsportionoftheURLswhenaddingweb
DynamicListto sitestothelist.
dynamicallyupdate
thelistofURLs Entriesintheallowlistareanexactmatchandarecaseinsensitive.Forexample,
thatyouwishto "www.paloaltonetworks.comisdifferentfrom"paloaltonetworks.com".Ifyouwant
allow(withouta toallowtheentiredomain,youshouldincludeboth"*.paloaltonetworks.com"and
commit),see "paloaltonetworks.com".
Objects>External Examples:
DynamicLists www.paloaltonetworks.com
198.133.219.25/en/US
Blockandallowlistssupportwildcardpatterns.Thefollowingcharactersare
consideredseparators:
.
/
?
&
=
;
+
Everysubstringthatisseparatedbythecharacterslistedaboveisconsideredatoken.
AtokencanbeanynumberofASCIIcharactersthatdoesnotcontainanyseparator
characteror*.Forexample,thefollowingpatternsarevalid:
*.yahoo.com
(Tokens are: "*", "yahoo" and "com")
www.*.com
(Tokens are: "www", "*" and "com")
www.yahoo.com/search=*
(Tokens are: "www", "yahoo", "com", "search", "*")
Thefollowingpatternsareinvalidbecausethecharacter*isnottheonlycharacter
inthetoken.
ww*.yahoo.com
www.y*.com
Thislisttakesprecedenceovertheselectedwebsitecategories.

OverridesSettings Description
BlockList EntertheIPaddressesorURLpathnamesofthewebsitesthatyouwanttoblockor
Ifyouwouldliketo generatealertson.EntereachURLoneperline.
useanExternal YoumustomitthehttpandhttpsportionoftheURLswhenaddingweb
DynamicListto sitestothelist.
dynamicallyupdate
thelistofURLs Entriesintheblocklistareanexactmatchandarecaseinsensitive.Forexample,
thatyouwishto "www.paloaltonetworks.comisdifferentfrom"paloaltonetworks.com".Ifyouwant
block(withouta toblocktheentiredomain,youshouldincludeboth"*.paloaltonetworks.com"and
commit),see "paloaltonetworks.com".
Objects>External Examples:
DynamicLists. www.paloaltonetworks.com
198.133.219.25/en/US
Blockandallowlistssupportwildcardpatterns.Thefollowingcharactersare
consideredseparators:
.
/
?
&
=
;
+
Everysubstringthatisseparatedbythecharacterslistedaboveisconsideredatoken.
AtokencanbeanynumberofASCIIcharactersthatdoesnotcontainanyseparator
characteror*.Forexample,thefollowingpatternsarevalid:
*.yahoo.com
(Tokens are: "*", "yahoo" and "com")
www.*.com
(Tokens are: "www", "*" and "com")
www.yahoo.com/search=*
(Tokens are: "www", "yahoo", "com", "search", "*")
Thefollowingpatternsareinvalidbecausethecharacter*isnottheonlycharacter
inthetoken.
ww*.yahoo.com
www.y*.com
Action Selecttheactiontotakewhenawebsiteintheblocklistisaccessed.
alertAllowtheusertoaccessthewebsite,butaddanalerttotheURLlog.
blockBlockaccesstothewebsite.
continueAllowtheusertoaccesstheblockedpagebyclickingContinueonthe
blockpage.
overrideAllowtheusertoaccesstheblockedpageafterenteringapassword.
ThepasswordandotheroverridesettingsarespecifiedintheURLAdminOverride
areaoftheSettingspage(refertotheManagementSettingstableinDevice>
Setup>Management).
URLFilteringSettings
Objects>SecurityProfiles>URLFiltering>URLFilteringSettings

URLFilteringSettings Descriptions
Logcontainerpageonly SelectthisoptiontologonlytheURLsthatmatchthecontenttypethatisspecified.
Default:Enabled
EnableSafeSearch Selectthisoptiontoenforcestrictsafesearchfiltering.
Enforcement Manysearchengineshaveasafesearchsettingthatfiltersoutadultimagesand
Default:Disabled videosinsearchqueryreturntraffic.WhenyouselectthesettingtoEnableSafe
AURLfilteringlicenseis SearchEnforcement,thefirewallblockssearchresultsiftheenduserisnotusingthe
notrequiredtousethis strictestsafesearchsettingsinthesearchquery.Thefirewallcanenforcesafesearch
feature. forthefollowingsearchproviders:Google,Yahoo,Bing,Yandex,andYouTube.This
isabesteffortsettingandisnotguaranteedbythesearchproviderstoworkwith
everywebsite.
TousesafesearchenforcementyoumustenablethissettingandthenattachtheURL
filteringprofileSecuritypolicyrule.Thefirewallwillthenblockanymatchingsearch
queryreturntrafficthatisnotusingthestrictestsafesearchsettings.
IfyouareperformingasearchonYahooJapan(yahoo.co.jp)whileloggedinto
yourYahooaccount,thelockoptionforthesearchsettingmustalsobe
enabled.
Topreventusersfrombypassingthisfeaturebyusingothersearchproviders,
configuretheURLfilteringprofiletoblockthesearchenginescategoryand
thenallowaccesstoBing,Google,Yahoo,Yandex,andYouTube.
HTTPHeaderLogging EnablingHTTPHeaderLoggingprovidesvisibilityintotheattributesincludedinthe
HTTPrequestsenttoaserver.Whenenabledoneormoreofthefollowing
attributevaluepairsarerecordedintheURLFilteringlog:
UserAgentThewebbrowserthattheuserusedtoaccesstheURL.This
informationissentintheHTTPrequesttotheserver.Forexample,theUserAgent
canbeInternetExplorerorFirefox.TheUserAgentvalueinthelogsupportsup
to1024characters.
RefererTheURLofthewebpagethatlinkedtheusertoanotherwebpage;itis
thesourcethatredirected(referred)theusertothewebpagethatisbeing
requested.Thereferervalueinthelogsupportsupto256characters.
XForwardedForTheheaderfieldoptionthatpreservestheIPaddressofthe
userwhorequestedthewebpage.ItallowsyoutoidentifytheIPaddressofthe
user,whichisparticularlyusefulifyouhaveaproxyserveronyournetworkoryou
haveimplementedSourceNAT,thatismaskingtheusersIPaddresssuchthatall
requestsseemtooriginatefromtheproxyserversIPaddressoracommonIP
address.Thexforwardedforvalueinthelogsupportsupto128characters.
UserCredentialDetection
Objects>SecurityProfiles>URLFiltering>UserCredentialDetection
Enablethefirewalltodetectwhenuserssubmitcorporatecredentials.Thefirewallusesoneofthree
methodstodetectvalidcredentialssubmittedtowebpages.EachmethodrequiresUserID,whichenables
thefirewalltocompareusernameandpasswordsubmissionstowebpagesagainstvalid,corporate
credentials.SelectoneofthesemethodstothencontinuetoPreventCredentialPhishing basedonURL
category.

UserCredentialDetection Description
Settings
IPUser Thiscredentialdetectionmethodchecksforvalidusernamesubmissions.Youcanuse
thismethodtodetectcredentialsubmissionsthatincludeavalidcorporateusername
(regardlessoftheaccompanyingpassword).Thefirewalldeterminesausername
matchbyverifyingthattheusernamematchestheuserloggedinthesourceIP
addressofthesession.Tousethismethod,thefirewallmatchesthesubmitted
usernameagainstitsIPaddresstousernamemappingtable.Tousethismethodyou
canuseanyoftheusermappingmethodsdescribedinMapIPAddressestoUsers.
GroupMapping Thefirewalldeterminesiftheusernameausersubmitstoarestrictedsitematches
anyvalidcorporateusername.Todothis,thefirewallmatchesthesubmitted
usernametothelistofusernamesinitsusertogroupmappingtabletodetectwhen
userssubmitacorporateusernamestoasiteinarestrictedcategory.
ThismethodonlychecksforcorporateusernamesubmissionsbasedonLDAPgroup
membership,whichmakesitsimpletoconfigure,butmorepronetofalsepositives.
Youmustenablegroupmapping tousethismethod.
DomainCredential Thiscredentialdetectionmethodenablesthefirewalltocheckforavalidcorporate
usernameandtheassociatedpassword.Thefirewalldeterminesiftheusernameand
passwordausersubmitsmatchesthesameuserscorporateusernameandpassword.
Todothis,thefirewallmustabletomatchcredentialsubmissionstovalidcorporate
usernamesandpasswordsandverifythattheusernamesubmittedmapstotheIP
addressoftheloggedinuser.ThismodeissupportedonlywiththeWindowsbased
UserIDagent,andrequiresthattheUserIDagentisinstalledonareadonlydomain
controller(RODC)andequippedwiththeUserIDCredentialServiceAddon.Touse
thismethod,youmustalsoenableUserIDtoMapIPAddressestoUsersusingany
ofthesupportedusermappingmethods,includingAuthenticationPolicyandCaptive
PortalandGlobalProtect.
SeePreventCredentialPhishing fordetailsoneachofthemethodsthefirewall
canusetocheckforvalidcorporatecredentialsubmissions,andforstepstoenable
phishingprevention.
ValidUsernameDetected Settheseverityforlogsthatindicatethefirewalldetectedavalidusername
LogSeverity submissiontoawebsite.
Thislogseverityisassociatedwitheventswhereavalidusernameissubmittedto
websiteswithcredentialsubmissionpermissionstoalert,blockorcontinue.Logsthat
recordwhenausersubmitsavalidusernametoawebsiteforwhichcredential
submissionsareallowedhaveaseverityofinformational.SelectCategoriestoreview
oradjusttheURLcategoriestowhichcredentialsubmissionsareallowedand
blocked.

Objects>SecurityProfiles>FileBlocking Objects
Objects>SecurityProfiles>FileBlocking
YoucanattachaFileBlockingprofiletoaSecuritypolicyrule(Policies>Security)toblockusersfrom
uploadingordownloadingspecifiedfiletypesortogenerateanalertwhenauserattemptstouploador
downloadspecifiedfiletypes.
Thefollowingtablesdescribethefileblockingprofilesettings.
FileBlockingProfile Description
Settings
fileblockingprofileswhendefiningsecuritypolicies.Thenameis
intheObjectstab.
(Panoramaonly) thisFileBlockingprofileindevicegroupsthatinherittheprofile.This

Objects Objects>SecurityProfiles>FileBlocking
FileBlockingProfile Description
Settings
Rules Defineoneormorerulestospecifytheactiontaken(ifany)fortheselected
filetypes.Toaddarule,specifythefollowingandclickAdd:
NameEnterarulename(upto31characters).
ApplicationsSelecttheapplicationstheruleappliestoorselectany.
File TypesClickinthefiletypesfieldandthenclickAddtoviewalistof
supportedfiletypes.Clickafiletypetoaddittotheprofileandcontinue
toaddadditionalfiletypesasneeded.IfyouselectAny,thedefinedaction
istakenonallsupportedfiletypes.
DirectionSelectthedirectionofthefiletransfer(Upload,Download,or
Both).
ActionSelecttheactiontakenwhentheselectedfiletypesaredetected:
alertAnentryisaddedtothethreatlog.
blockThefileisblocked.
continueAmessagetotheuserindicatesthatadownloadhasbeen
requestedandaskstheusertoconfirmwhethertocontinue.Thepurpose
istowarntheuserofapossibleunknowndownload(alsoknownasa
drivebydownload)andtogivetheusertheoptionofcontinuingor
stoppingthedownload.
Whenyoucreateafileblockingprofilewiththeactioncontinueor
continue-and-forward(usedforWildFireforwarding),youcanonly
choosetheapplicationweb-browsing.Ifyouchooseanyother
application,trafficthatmatchestheSecuritypolicyrulewillnotflow
throughthefirewallduetothefactthattheuserswillnotbeprompted
withacontinuepage.
forwardThefileisautomaticallysenttoWildFire.
continue-and-forwardAcontinuepageispresented,andthefileissent
toWildFire(combinesthecontinueandforwardactions).Thisactiononly
workswithwebbasedtraffic.Thisisduetothefactthatausermustclick
continuebeforethefilewillbeforwardandthecontinueresponsepage
optionisonlyavailablewithhttp/https.

Objects>SecurityProfiles>WildFireAnalysis Objects
Objects>SecurityProfiles>WildFireAnalysis
UseaWildFireAnalysisprofiletospecifyforWildFirefileanalysistobeperformedlocallyontheWildFire
applianceorintheWildFirecloud.Youcanspecifytraffictobeforwardedtothepubliccloudorprivatecloud
basedonfiletype,application,orthetransmissiondirectionofthefile(uploadordownload).Aftercreating
aWildFireanalysisprofile,addingtheprofiletoapolicy(Policies > Security)furtherallowsyouapplythe
profilesettingstoanytrafficmatchedtothatpolicy(forexample,aURLcategorydefinedinthepolicy).
WildFireAnalysisProfileSettings
Name EnteradescriptivenamefortheWildFireanalysisprofile(upto31
characters).ThisnameappearsinthelistofWildFireAnalysisprofilesthat
youcanchoosefromwhendefiningaSecuritypolicyrule.Thenameis
Description Optionallydescribetheprofilerulesortheintendedusefortheprofile(up
to255characters).
intheObjectstab.
Rules DefineoneormorerulestospecifytraffictoforwardtoeithertheWildFire
publiccloudortheWildFireappliance(privatecloud)foranalysis.
EnteradescriptiveNameforanyrulesyouaddtotheprofile(upto31
characters).
AddanApplicationsothatanyapplicationtrafficwillbematchedtothe
ruleandforwardedtothespecifiedanalysisdestination.
SelectaFile Typetobeanalyzedatthedefinedanalysisdestinationfor
therule.
AWildFireprivatecloud(hostedbyaWF500appliance)doesnot
supportanalysisforAPKfiles.
ApplytheruletotrafficdependingonthetransmissionDirection.Youcan
applytheruletouploadtraffic,downloadtraffic,orboth.
SelecttheDestinationfortraffictobeforwardedforanalysis:
Selectpubliccloudsothatalltrafficmatchedtotheruleisforwarded
totheWildFirepubliccloudforanalysis.
Selectprivatecloudsothatalltrafficmatchedtotheruleis
forwardedtotheWildFireapplianceforanalysis.

Objects Objects>SecurityProfiles>DataFiltering
Objects>SecurityProfiles>DataFiltering
Datafilteringenablesthefirewalltodetectsensitiveinformationsuchascreditcardorsocialsecurity
numbersorinternalcorporatedocumentsandpreventthisdatafromleavingasecurenetwork.Beforeyou
enabledatafiltering,selectObjects>CustomObjects>DataPatternstodefinethetypeofdatayouwant
tofilter(suchassocialsecuritynumbersordocumenttitlesthatcontainthewordconfidential).Youcan
addseveraldatapatternobjectstoasingleDataFilteringprofileand,whenattachedtoaSecuritypolicyrule,
thefirewallscansallowedtrafficforeachdatapatternandblocksmatchingtrafficbasedonthedatafiltering
profilesettings.
DataFilteringProfile Description
Settings
logforwardingprofileswhendefiningsecuritypolicies.Thenameis
intheObjectstab.
(Panoramaonly) thisDataFilteringprofileindevicegroupsthatinherittheprofile.This
DataCapture Selectthisoptiontoautomaticallycollectthedatathatisblockedbythe
filter.
SpecifyapasswordforManageDataProtectionontheSettingspagetoview
yourcaptureddata.RefertoDevice>Setup>Management.
DataPattern AddanexistingdatapatterntouseforfilteringorselectNewtoconfigurea
newdatapatternobject(Objects>CustomObjects>DataPatterns).
Applications Specifytheapplicationstoincludeinthefilteringrule:
Chooseanytoapplythefiltertoallofthelistedapplications.This
selectiondoesnotblockallpossibleapplications,justthelistedones.
ClickAddtospecifyindividualapplications.
FileTypes Specifythefiletypestoincludeinthefilteringrule:
Chooseanytoapplythefiltertoallofthelistedfiletypes.Thisselection
doesnotblockallpossiblefiletypes,justthelistedones.
ClickAddtospecifyindividualfiletypes.
Direction Specifywhethertoapplythefilterintheuploaddirection,download
direction,orboth.

Objects>SecurityProfiles>DataFiltering Objects
DataFilteringProfile Description
Settings
AlertThreshold Specifythenumberoftimesthedatapatternmustbedetectedinafileto
triggeranalert.
BlockThreshold Blockfilesthatcontainatleastthismanyinstancesofthedatapattern.
LogSeverity Definethelogseverityrecordedforeventsthatmatchthisdatafiltering
profilerule.

Objects Objects>SecurityProfiles>DoSProtection
Objects>SecurityProfiles>DoSProtection
DoSProtectionprofilesaredesignedforhighprecisiontargetingandtheyaugmentZoneProtection
profiles.ADoSProtectionprofilespecifiesthethresholdratesatwhichnewconnectionspersecond(cps)
triggeranalarmandanaction(specifiedintheDoSProtectionpolicy).TheDoSProtectionprofilealso
specifiesthemaximumrateofconnectionspersecondandhowlongablockedIPaddressremainsonthe
BlockIPlist.YouapplyaDoSprotectionprofiletoaDoSprotectionpolicyrulewhereyouspecifythecriteria
forpacketstomatchtherule.
ADoSProtectionprofileisconfiguredtobeanAggregateorClassifiedtype.YoucanapplyaClassifiedDoS
ProtectionprofiletoaClassifiedDoSProtectionrule.
AClassifiedDoSProtectionrulehasClassifiedselectedandspecifiesaClassifiedDoSProtectionprofile.
WhenaDoSProtectionruleactionisProtect,thefirewallcountsconnectionstowardthecpsthresholds
oftheDoSProtectionprofileifthepacketmeetsthespecifiedAddresstype:sourceiponly,
destinationiponly,orsrcdestipboth.
Bycomparison,aDoSProtectionruleisanAggregaterulewhenClassifiedisnotselected.WhenaDoS
ProtectionruleactionisProtect,anAggregaterulecausesthefirewalltocountallconnectionsthatmeet
thecriteriafortherule(theaggregate)towardthecpsthresholdsthatarespecifiedintheAggregateDoS
Protectionprofileidentifiedintherule.
ToapplyaDoSProtectionprofiletoaDoSProtectionpolicy,seePolicies>DoSProtection.
Ifyouhaveamultiplevirtualsystem(multivsys)environmentandhaveconfiguredthefollowing:
Externalzonestoenableintervirtualsystemcommunicationand
SharedgatewaystoallowvirtualsystemstoshareacommoninterfaceandasingleIPaddressforexternal
communications,then
ThefollowingZoneandDoSprotectionmechanismsaredisabledontheexternalzone:
SYNcookies
IPfragmentation
ICMPv6
ToenableIPfragmentationandICMPv6protection,createaseparatezoneprotectionprofilefortheshared
gateway.
ToprotectagainstSYNfloodsonasharedgateway,youcanapplyaSYNFloodprotectionprofilewitheither
RandomEarlyDroporSYNcookies.Onanexternalzone,onlyRandomEarlyDropisavailableforSYNFlood
protection.
DoSProtectionProfileSettings
logforwardingprofileswhendefiningsecuritypolicies.Thenameis
intheObjectstab.

Objects>SecurityProfiles>DoSProtection Objects
(Panoramaonly) thisDoSProtectionprofileindevicegroupsthatinherittheprofile.This
Description Enteradescriptionoftheprofile(upto255characters).
Type Selectoneofthefollowingprofiletypes:
aggregateApplytheDoSthresholdsconfiguredintheprofiletoall
connectionsthatmatchtherulecriteriaonwhichthisprofileisapplied.
Forexample,anaggregaterulewithaSYNfloodthresholdof10,000
connectionspersecond(cps)countsallconnectionsthathitthat
particularDoSrule.
classifiedApplytheDoSthresholdsconfiguredintheprofiletothe
connectionsthatmatchtheclassificationcriterion(sourceIPaddress,
destinationIPaddress,orsourceanddestinationIPaddresspair).
Flood Protection Tab
SYNFloodtab Selectthisoptiontoenablethetypeoffloodprotectionindicatedonthetab
UDPFloodtab andspecifythefollowingsettings:
ICMPFloodtab Action(SYN Floodonly)ActionthatthefirewallperformsiftheDoS
ICMPv6tab ProtectionpolicyactionisProtectandifincomingconnectionsper
second(cps)reachtheActivate Rate.Chooseoneofthefollowing:
OtherIPtab
Random Early DropDroppacketsrandomlywhenconnectionsper
secondreachtheActivate Ratethreshold.
SYN cookiesUseSYNcookiestogenerateacknowledgmentsso
thatitisnotnecessarytodropconnectionsduringaSYNflood
attack.
Alarm RateSpecifythethresholdrate(cps)atwhichaDoSalarmis
generated(rangeis0to2,000,000cps;defaultis10,000cps).
Activate RateSpecifythethresholdrate(cps)atwhichaDoSresponse
isactivated.TheDoSresponseisconfiguredintheActionfieldoftheDoS
Protectionprofile(RandomEarlyDroporSYNcookies).TheActivate
Raterangeis0to2,000,000cps;defaultis10,000cps.
IftheprofileActionisRandom Early Drop(RED),whenincoming
connectionspersecondreachtheActivate Ratethreshold,REDoccurs.If
thecpsrateincreases,theREDrateincreasesaccordingtoanalgorithm.
ThefirewallcontinueswithREDuntilthecpsratereachestheMax Rate
threshold.
Max RateSpecifythethresholdrateofincomingconnectionsper
secondthefirewallallows.AttheMax Ratethreshold,thefirewalldrops
100%ofnewconnections(rangeis2to2,000,000cps;defaultis
40,000 cps.)
Block DurationSpecifythelengthoftime(seconds)duringwhichthe
offendingIPaddressremainsontheBlockIPlistandconnectionswiththe
IPaddressareblocked.Thefirewalldoesntcountpacketsthatarrive
duringtheblockdurationtowardtheAlarmRate,ActivateRate,orMax
Ratethresholds(rangeis1to21,600seconds;defaultis300 seconds).
Resources Protection Tab
Sessions Selectthisoptiontoenableresourcesprotection.

Objects Objects>SecurityProfiles>DoSProtection
MaxConcurrentLimit Specifythemaximumnumberofconcurrentsessions.
FortheAggregateprofiletype,thislimitappliestoalltraffichittingthe
DoSProtectionruleonwhichtheDoSProtectionprofileisapplied.
FortheClassifiedprofiletype,thislimitappliestothetrafficona
classifiedbasis(sourceIP,destinationIPorsourceanddestinationIP)
hittingtheDoSProtectionruletowhichtheDoSProtectionprofileis
applied.

Objects>SecurityProfileGroups Objects
Objects>SecurityProfileGroups
ThefirewallsupportstheabilitytocreateSecurityProfilegroups,whichspecifysetsofSecurityProfilesthat
canbetreatedasaunitandthenaddedtosecuritypolicies.Forexample,youcancreateathreatsSecurity
ProfilegroupthatincludesprofilesforAntivirus,AntiSpyware,andVulnerabilityProtectionandthencreate
aSecuritypolicyrulethatincludesthethreatsprofile.
Antivirus,AntiSpyware,VulnerabilityProtection,URLfiltering,andfileblockingprofilesthatareoften
assignedtogethercanbecombinedintoprofilegroupstosimplifythecreationofsecuritypolicies.
TodefineanewSecurityProfile,selectObjects > Security Profiles.
ThefollowingtabledescribestheSecurityProfilesettings:
SecurityProfileGroup Description
Settings
Name Entertheprofilegroupname(upto31characters).Thisnameappearsinthe
profileslistwhendefiningsecuritypolicies.Thenameiscasesensitiveand
underscores.
Shared Selectthisoptionifyouwanttheprofilegrouptobeavailableto:
selection,theprofilegroupwillbeavailableonlytotheVirtual System
tab.
(Panoramaonly) thisSecurityProfilegroupobjectindevicegroupsthatinherittheobject.
Thisselectionisclearedbydefault,whichmeansadministratorscanoverride
thesettingsforanydevicegroupthatinheritstheobject.
Profiles SelectanAntivirus,AntiSpyware,VulnerabilityProtection,URLfiltering,
and/orfileblockingprofiletobeincludedinthisgroup.Datafilteringprofiles
canalsobespecifiedinSecurityProfilegroups.RefertoObjects>Security
Profiles>DataFiltering.

Objects Objects>LogForwarding
Objects>LogForwarding
Bydefault,thelogsthatthefirewallgeneratesresideonlyinitslocalstorage.However,ifyouwanttouse
Panoramaorexternalservices(suchasasyslogserver)tocentrallymonitorloginformation,youcandefine
aLogForwardingprofileandassignittoSecurity,Authentication,andDoSProtectionpolicyrules.Log
ForwardingprofilesdefineforwardingdestinationsforthefollowingLogTypes:Traffic,Threat,WildFire
Submissions,URLFiltering,DataFiltering,TunnelInspection,andAuthenticationlogs.
Toforwardotherlogtypes,seeDevice>LogSettings.
OnPA7000Seriesfirewalls,youmustconfigureaLogCardInterfaceforthefirewalltoforward
logstothefollowingloggingdestinations:Syslog,HTTP,Email,andSNMP.Thisisalsorequired
toforwardfilestoWildFire.Aftertheportisconfigured,logforwardingandWildFireforwarding
willautomaticallyusethisportandthereisnospecialconfigurationrequiredforthistooccur.
JustconfigureadataportononeofthePA7000SeriesNPCsasinterfacetypeLogCardand
ensurethatthenetworkthatwillbeusedcancommunicatewithyourlogservers.ForWildFire
forwarding,thenetworkmustcommunicatesuccessfullywiththeWildFirecloudand/or
WildFireappliance.
ThefollowingtabledescribestheLogForwardingprofilesettings:
LogForwardingProfile Description
Settings
Name Enteraname(upto64characters)toidentifytheprofile.Thisnameappears
inthelistofLogForwardingprofileswhendefiningSecuritypolicyrules.The
nameiscasesensitiveandmustbeunique.Useonlyletters,numbers,
spaces,hyphens,andunderscores.
intheObjectstab.
(Panoramaonly) thisLogForwardingprofileindevicegroupsthatinherittheprofile.This
Description EnteradescriptiontoexplainthepurposeofthisLogForwardingprofile.
MatchList(unlabeled) Addoneormorematchlistprofiles(upto64)thatspecifyforwarding
destinations,logattributebasedfilterstocontrolwhichlogsthefirewall
forwards,andactionstoperformonthelogs(suchasautomatictagging).
Completethefollowingtwofieldsforeachmatchlistprofile.
Name(matchlistprofile) Enteraname(upto31characters)toidentifythematchlistprofile.
Description(matchlist Enteradescription(upto1,023characters)toexplainthepurposeofthis
profile) matchlistprofile.
LogType Selectthetypeoflogstowhichthismatchlistprofileapplies:traffic,threat,
WildFire,URL,data,tunnel,orauthentication(auth).

Objects>LogForwarding Objects
Settings
Filter Bydefault,thefirewallforwardsAll LogsoftheselectedLog Type.To

forwardasubsetofthelogs,selectanexistingfilterfromthedropdownor
selectFilter Buildertoaddanewfilter.Foreachqueryinanewfilter,
specifythefollowingfieldsandAddthequery:
ConnectorSelecttheconnectorlogic(and/or)forthequery.Select
Negateifyouwanttoapplynegationtothelogic.Forexample,toavoid
forwardinglogsfromanuntrustedzone,selectNegate,selectZoneasthe
Attribute,selectequalastheOperator,andenterthenameofthe
untrustedZoneintheValuecolumn.
AttributeSelectalogattribute.Theavailableattributesdependonthe
Log Type.
OperatorSelectthecriteriontodeterminewhethertheattributeapplies
(suchasequal).TheavailablecriteriadependontheLog Type.
ValueSpecifytheattributevaluetomatch.
Todisplayorexport thelogsthatthefiltermatches,selectView Filtered
Logs.ThistabprovidesthesameoptionsastheMonitoringtabpages(such
asMonitoring > Logs > Traffic).
Panorama SelectPanoramaifyouwanttoforwardlogstoLogCollectorsorthe
Panoramamanagementserver.Ifyouenablethisoption,youmustconfigure
logforwardingtoPanorama .
SNMP AddoneormoreSNMPTrapserverprofilestoforwardlogsasSNMPtraps
(seeDevice>ServerProfiles>SNMPTrap).
Email AddoneormoreEmailserverprofilestoforwardlogsasemailnotifications
(seeDevice>ServerProfiles>Email).
Syslog AddoneormoreSyslogserverprofilestoforwardlogsassyslogmessages
(seeDevice>ServerProfiles>Syslog).
HTTP AddoneormoreHTTPserverprofilestoforwardlogsasHTTPrequests(see
Device>ServerProfiles>HTTP).

Objects Objects>LogForwarding
Settings
BuiltinActions Addtheactiontoperform.Addorremoveatagtothesourceordestination
IPaddressinalogentryautomaticallyandregistertheIPaddressandtag
mappingtoaUserIDagentonthefirewallorPanorama,ortoaremote
UserIDagentsothatyoucanrespondtoaneventanddynamicallyenforce
Securitypolicy.TheabilitytotaganIPaddressanddynamicallyenforce
policyusingdynamicaddressgroupsgivesyoubettervisibility,context,and
controlforconsistentlyenforcingSecuritypolicyirrespectiveofwherethe
IPaddressmovesacrossyournetwork.
Configurethefollowingsettings:
Addanactionandenteranametodescribeit.
SelectthetargetIPaddressyouwanttotagSource Addressor
Destination Address.
Youcantakeanactionforalllogtypesthatincludeasourceordestination
IPaddressinthelogentry.YoucantagthesourceIPaddressonly,in
CorrelationlogsandHIPMatchlogs;youcannotconfigureanactionfor
SystemlogsandConfigurationlogsbecausethelogtypedoesnotinclude
anIPaddressinthelogentry.
SelecttheactionAdd TagorRemove Tag.
SelectwhethertoregistertheIPaddressandtagmappingtotheLocal
User-IDagentonthisfirewallorPanorama,ortoaRemote User-ID
agent.
ToregistertheIPaddressandtagmappingtoaRemote User-IDagent,
selecttheHTTPserverprofile(Device>ServerProfiles>HTTP)thatwill
enableforwarding.
EnterorselecttheTagsyouwanttoapplyorremovefromthetarget
sourceordestinationIPaddress.

Objects>Authentication Objects
Objects>Authentication
Anauthenticationenforcementobjectspecifiesthemethodandservicetouseforauthenticatingendusers
whoaccessyournetworkresources.YouassigntheobjecttoAuthenticationpolicyrules,whichinvokethe
authenticationmethodandservicewhentrafficmatchesarule(seePolicies>Authentication).
Thefirewallhasthefollowingpredefined,readonlyauthenticationenforcementobjects:
default-browser-challengeThefirewalltransparentlyobtainsuserauthenticationcredentials.Ifyou
selectthisaction,youmustenableKerberosSingleSignOn(SSO)orNTLANManager(NTLM)
authenticationwhenyouconfigureCaptivePortal .IfKerberosSSOauthenticationfails,thefirewall
fallsbacktoNTLMauthentication.IfyoudidnotconfigureNTLM,orNTLMauthenticationfails,the
firewallfallsbacktotheauthenticationmethodspecifiedinthepredefineddefault-web-formobject.
default-web-formToauthenticateusers,thefirewallusesthecertificateprofileorauthenticationprofile
youspecifiedwhenconfiguringCaptivePortal .Ifyouspecifiedanauthenticationprofile,thefirewall
ignoresanyKerberosSSOsettingsintheprofileandpresentsaCaptivePortalpagefortheusertoenter
authenticationcredentials.
default-no-captive-portalThefirewallevaluatesSecuritypolicywithoutauthenticatingusers.
Beforecreatingacustomauthenticationenforcementobject:
Configureaserverprofilethatspecifieshowtoconnecttotheauthenticationservice(seeDevice>
ServerProfiles).
Assigntheserverprofiletoanauthenticationprofilethatspecifiesauthenticationsettingssuchas
Kerberossinglesignonparameters(seeDevice>AuthenticationProfile).
Tocreateacustomauthenticationenforcementobject,clickAddandcompletethefollowingfields:
Authentication Description
EnforcementSettings
Name Enteradescriptivename(upto31characters)tohelpyouidentifytheobjectwhen
definingAuthenticationrules.Thenameiscasesensitiveandmustbeunique.Useonly
letters,numbers,spaces,hyphens,andunderscores.
Shared Selectthisoptionifyouwanttheobjecttobeavailableto:
objectwillbeavailableonlytotheVirtual SystemselectedintheObjectstab.
EverydevicegrouponPanorama.Ifyouclearthisselection,theobjectwillbeavailable
onlytotheDevice GroupselectedintheObjectstab.
(Panoramaonly) authenticationenforcementobjectindevicegroupsthatinherittheobject.Thisselection
isclearedbydefault,whichmeansadministratorscanoverridethesettingsforanydevice
groupthatinheritstheobject.

Objects Objects>Authentication
Authentication Description
EnforcementSettings
AuthenticationMethod Selectamethod:
browser-challengeThefirewalltransparentlyobtainsuserauthentication
credentials.Ifyouselectthisaction,theAuthentication Profileyouselectmusthave
KerberosSSOenabledorelseyoumusthaveconfiguredNTLMintheCaptivePortal
settings .IfKerberosSSOauthenticationfails,thefirewallfallsbacktoNTLM
authentication.IfyoudidnotconfigureNTLM,orNTLMauthenticationfails,the
firewallfallsbacktoweb-formauthentication.
web-formToauthenticateusers,thefirewallusesthecertificateprofileyou
specifiedwhenconfiguringCaptivePortal ortheAuthentication Profileyouselect
intheauthenticationenforcementobject.IfyouselectanAuthentication Profile,the
firewallignoresanyKerberosSSOsettingsintheprofileandpresentsaCaptivePortal
pagefortheusertoenterauthenticationcredentials.
no-captive-portalThefirewallevaluatesSecuritypolicywithoutauthenticating
users.
AuthenticationProfile Selecttheauthenticationprofilethatspecifiestheservicetouseforvalidatingthe
identitiesofusers.
Message Enterinstructionsthattellusershowtorespondtothefirstauthenticationchallengethat
theyseewhentheirtraffictriggerstheAuthenticationrule.Themessagedisplaysinthe
Captive Portal Comfort Page.Ifyoudontenteramessage,thedefaultCaptive Portal
Comfort Pagedisplays(seeDevice>ResponsePages).
ThefirewalldisplaystheCaptive Portal Comfort Pageonlyforthefirst
authenticationchallenge(factor),whichyoudefineintheAuthenticationtabof
theAuthentication Profile(seeDevice>AuthenticationProfile).Formultifactor
authentication(MFA)challengesthatyoudefineintheFactorstaboftheprofile,
thefirewalldisplaystheMFA Login Page.

Objects>DecryptionProfile Objects
Objects>DecryptionProfile
DecryptionprofilesenableyoutoblockandcontrolspecificaspectsoftheSSLforwardproxy,SSLinbound
inspection,andSSHtraffic.Afteryoucreateadecryptionprofile,youcanthenaddthatprofiletoa
decryptionpolicy;anytrafficmatchedtothedecryptionpolicywillbeenforcedaccordingtotheprofile
settings.
YoucanalsocontroltheCAsthatyourfirewalltrusts.Formoreinformation,refertoManageDefaultTrusted
CertificateAuthorities.
Adefaultdecryptionprofileisconfiguredonthefirewall,andisautomaticallyincludedinnewdecryption
policies(youcannotmodifythedefaultdecryptionprofile).ClickAddtocreateanewdecryptionprofile,or
selectanexistingprofiletoCloneormodifyit.
Addanewdecryptionprofile. DecryptionProfileGeneralSettings
Enableportmirroringfordecryptedtraffic.
BlockandcontrolSSLdecryptedtraffic. SettingstoControlDecryptedSSLTraffic
Blockandcontroltrafficthatyouhaveexcluded SettingstoControlTrafficthatisnotDecrypted
fromdecryption(forexample,trafficclassified
ashealthandmedicineorfinancialservices).
BlockandcontroldecryptedSSHtraffic. SettingstoControlDecryptedSSHTraffic
DecryptionProfileGeneralSettings
DecryptionProfile Description
GeneralSettings
Name Enteraprofilename(upto31characters).Thisnameappearsinthelistofdecryption
profileswhendefiningdecryptionpolicies.Thenameiscasesensitiveandmustbe
unique.Useonlyletters,numbers,spaces,hyphens,andunderscores.
profilewillbeavailableonlytotheVirtual SystemselectedintheObjectstab.
EverydevicegrouponPanorama.Ifyouclearthisselection,theprofilewillbeavailable
onlytotheDevice GroupselectedintheObjectstab.
(Panoramaonly) Decryptionprofileindevicegroupsthatinherittheprofile.Thisselectionisclearedby
default,whichmeansadministratorscanoverridethesettingsforanydevicegroupthat
inheritstheprofile.

Objects Objects>DecryptionProfile
DecryptionProfile Description
GeneralSettings
DecryptionMirroring SelectanInterfacetousefordecryptionportmirroring.
Interface Beforeyoucanenabledecryptionportmirroring,youmustobtainaDecryption
(PA3000Series, PortMirrorlicense,installthelicense,andrebootthefirewall.
PA5000Series,and
PA7000Series
firewallsonly)
ForwardedOnly SelectForwarded OnlyifyouwanttomirrordecryptedtrafficonlyafterSecuritypolicy

(PA3000Series, enforcement.Withthisoption,onlytrafficthatisforwardedthroughthefirewallis
PA5000Series,and mirrored.Thisoptionisusefulifyouareforwardingthedecryptedtraffictootherthreat
PA7000Series detectiondevices,suchasaDLPdeviceoranotherintrusionpreventionsystem(IPS).If
firewallsonly) youclearthisselection(thedefaultsetting),thefirewallwillmirroralldecryptedtraffic
totheinterfacebeforesecuritypolicieslookup,whichallowsyoutoreplayeventsand
analyzetrafficthatgeneratesathreatortriggersadropaction.
SettingstoControlDecryptedSSLTraffic
ThefollowingtabledescribesthesettingsyoucanusetocontrolSSLtrafficthathasbeendecryptedusing
eitherSSLForwardProxydecryptionorSSLInboundInspection.Youcanusethesesettingstolimitorblock
SSLsessionsbasedoncriteriaincludingthestatusoftheexternalservercertificate,theuseofunsupported
ciphersuitesorprotocolversions,ortheavailabilityofsystemresourcestoprocessdecryption.
SSLDecryptionTab Description
Settings
SSLForwardProxyTabSelectoptionstolimitorblockSSLtrafficdecryptedusingSSLForwardProxy.
ServerCertificateValidationSelectoptionstocontrolservercertificatesfordecryptedSSLtraffic.
Blocksessionswith TerminatetheSSLconnectioniftheservercertificateisexpired.Thiswill
expiredcertificates preventauserfrombeingabletoacceptanexpiredcertificateand
continuingwithanSSLsession.
Blocksessionswith TerminatetheSSLsessioniftheservercertificateissuerisuntrusted.
untrustedissuers
Blocksessionswith TerminatetheSSLsessionifaserverreturnsacertificaterevocationstatus
unknowncertificatestatus ofunknown.Certificaterevocationstatusindicatesiftrustforthe
certificatehasbeenorhasnotbeenrevoked.
Blocksessionsonthe TerminatetheSSLsessionifthecertificatestatuscannotberetrievedwithin
certificatestatuscheck theamountoftimethatthefirewallisconfiguredtostopwaitingfora
timeout responsefromacertificatestatusservice.YoucanconfigureCertificate
Status Timeoutvaluewhencreatingormodifyingacertificateprofile
(Device > Certificate Management > Certificate Profile).
Restrictcertificate Limitsthecertificateextensionsusedinthedynamicservercertificatetokey
extensions usageandextendedkeyusage.

Settings
UnsupportedModeChecksSelectoptionstocontrolunsupportedSSLapplications.
Blocksessionswith TerminatesessionsifPANOSdoesnotsupporttheclienthellomessage.
unsupportedversion PANOSsupportsSSLv3,TLS1.0,TLS1.1,andTLS1.2.
Blocksessionswith TerminatethesessioniftheciphersuitespecifiedintheSSLhandshakeifit
unsupportedciphersuites isnotsupportedbyPANOS.
Blocksessionswithclient TerminatesessionswithclientauthenticationforSSLforwardproxytraffic.
authentication
FailureChecksSelecttheactiontotakeifsystemresourcesarenotavailabletoprocessdecryption.
Blocksessionsifresources Terminatesessionsifsystemresourcesarenotavailabletoprocess
notavailable decryption.
BlocksessionsifHSMnot Terminatesessionsifahardwaresecuritymodule(HSM)isnotavailableto
available signcertificates.
Forunsupportedmodesandfailuremodes,thesessioninformationiscachedfor12hours,so
futuresessionsbetweenthesamehostsandserverpairarenotdecrypted.Enabletheoptionsto
blockthosesessionsinstead.
SSLInboundInspectionTabSelectoptionstolimitorblockSSLtrafficdecryptedusingSSLInbound
Inspection.
UnsupportedModeChecksSelectoptionstocontrolsessionsifunsupportedmodesaredetectedin
SSLtraffic.
Blocksessionswith TerminatesessionsifPANOSdoesnotsupporttheclienthellomessage.
unsupportedversions PANOSsupportsSSLv3,TLS1.0,TLS1.1,andTLS1.2.
Blocksessionswith TerminatethesessioniftheciphersuiteusedisnotsupportedbyPANOS.
unsupportedciphersuites
FailureChecksSelecttheactiontotakeifsystemresourcesarenotavailable.
Blocksessionsifresources Terminatesessionsifsystemresourcesarenotavailabletoprocess
notavailable decryption.
BlocksessionsifHSMnot Terminatesessionsifahardwaresecuritymodule(HSM)isnotavailableto
available decryptthesessionkey.
SSLProtocolSettingsTabSelectthefollowingsettingstoenforceprotocolversionsandciphersuites
forSSLsessiontraffic.
ProtocolVersions EnforcetheuseofminimumandmaximumprotocolversionsfortheSSL
session.
MinVersion SettheminimumprotocolversionthatcanbeusedtoestablishtheSSL
connection.
MaxVersion SetthemaximumprotocolversionthatcanbeusedtoestablishtheSSL
connection.YoucanchoosetheoptionMaxsothatnomaximumversionis
specified;inthiscase,protocolversionsthatareequivalenttoorarealater
versionthantheselectedminimumversionaresupported.

Objects Objects>DecryptionProfile
Settings
KeyExchangeAlgorithms EnforcetheuseoftheselectedkeyexchangealgorithmsfortheSSLsession.
ToimplementPerfectForwardSecrecy(PFS)forSSLForwardProxy
decryptedtraffic,youcanselectDHEtoenableDiffieHellmankeyexchange
basedPFSorECDHEtoenableellipticcurveDiffieHellmanbasedPFS.
EncryptionAlgorithms EnforcetheuseoftheselectedencryptionalgorithmsfortheSSLsession.
AuthenticationAlgorithms EnforcetheuseoftheselectedauthenticationalgorithmsfortheSSL
session.
SettingstoControlTrafficthatisnotDecrypted
YoucanusetheNo Decryptiontabtoenablesettingstoblocktrafficthatismatchedtoadecryptionpolicy
configuredwiththeNo Decryptaction(Policies > Decryption > Action).Usetheseoptionstocontrolserver
certificatesforthesession,thoughthefirewalldoesnotdecryptandinspectthesessiontraffic.
NoDecryptionTab Description
Settings
Blocksessionswith TerminatetheSSLconnectioniftheservercertificateisexpired.Thiswill
expiredcertificates preventauserfrombeingabletoacceptanexpiredcertificateand
continuingwithanSSLsession.
Blocksessionswith TerminatetheSSLsessioniftheservercertificateissuerisuntrusted.
untrustedissuers
SettingstoControlDecryptedSSHTraffic
ThefollowingtabledescribesthesettingsyoucanusetocontroldecryptedinboundandoutboundSSH
traffic.ThesesettingsallowyoutolimitorblockSSHtunneledtrafficbasedoncriteriaincludingtheuseof
unsupportedalgorithms,thedetectionofSSHerrors,ortheavailabilityofresourcestoprocessSSHProxy
decryption.
SSHProxyTab Description
Settings
UnsupportedModeChecksUsetheseoptionstocontrolsessionsifunsupportedmodesaredetected
inSSHtraffic.SupportedSSHversionisSSHversion2.
Blocksessionswith TerminatesessionsiftheclienthellomessageisnotsupportedbyPANOS.
unsupportedversions
Blocksessionswith Terminatesessionsifthealgorithmspecifiedbytheclientorserverisnot
unsupported supportedbyPANOS.
algorithms

SSHProxyTab Description
Settings
FailureChecksSelectactionstotakeifSSHapplicationerrorsoccurandifsystemresourcesarenot
available.
Blocksessionson TerminatesessionsifSSHerrorsoccur.
SSHerrors
Blocksessionsif Terminatesessionsifsystemresourcesarenotavailabletoprocessdecryption.
resourcesnot
available

Objects Objects>Schedules
Objects>Schedules
Objects>Schedules
Bydefault,Securitypolicyrulesarealwaysineffect(alldatesandtimes).TolimitaSecuritypolicyruleto
specifictimes,youcandefineschedules,andthenapplythemtotheappropriatepolicies.Foreachschedule,
youcanspecifyafixeddateandtimerangeorarecurringdailyorweeklyschedule.Toapplyschedulesto
securitypolicies,refertoPolicies>Security.
WhenaSecuritypolicyruleisinvokedbyadefinedschedule,onlynewsessionsareaffectedby
theappliedSecuritypolicyrule.Existingsessionsarenotaffectedbythescheduledpolicy.
ScheduleSettings Description
Name Enteraschedulename(upto31characters).Thisnameappearsinthe
schedulelistwhendefiningsecuritypolicies.Thenameiscasesensitiveand
underscores.
Shared Selectthisoptionifyouwantthescheduletobeavailableto:
selection,theschedulewillbeavailableonlytotheVirtual System
EverydevicegrouponPanorama.Ifyouclearthisselection,theschedule
(Panoramaonly) thisscheduleindevicegroupsthatinherittheschedule.Thisselectionis
anydevicegroupthatinheritstheschedule.
Recurrence Selectthetypeofschedule(Daily,Weekly,orNon-Recurring).
Daily ClickAddandspecifyaStart TimeandEnd Timein24hourformat

(HH:MM).
Weekly ClickAdd,selectaDay of Week,andspecifytheStart TimeandEnd Timein

24hourformat(HH:MM).
Nonrecurring ClickAddandspecifyaStart Date,Start Time,End Date,andEnd Time.

Objects>Schedules Objects

Network
Network>VirtualWires
Network>Interfaces
Network>VirtualRouters
Network>Zones
Network>VLANs
Network>IPSecTunnels
Network>DHCP
Network>DNSProxy
Network>QoS
Network>LLDP
Network>NetworkProfiles

Network>VirtualWires Network
Network>VirtualWires
SelectNetwork > Virtual Wirestodefinevirtualwiresafteryouhavespecifiedtwovirtualwireinterfaceson

thefirewall(Network>Interfaces).
VirtualWireSettings Description
VirtualWireName Enteravirtualwirename(upto31characters).Thisnameappearsinthelist
ofvirtualwireswhenconfiguringinterfaces.Thenameiscasesensitiveand
underscores.
Interfaces SelecttwoEthernetinterfacesfromthedisplayedlistforthevirtualwire
configuration.Interfacesarelistedhereonlyiftheyhavethevirtualwire
interfacetypeandhavenotbeenassignedtoanothervirtualwire.
Forinformationonvirtualwireinterfaces,seeVirtualWireInterface.
TagAllowed Enterthetagnumber(04094)orrangeoftagnumbers(tag1tag2)forthe
trafficallowedonthevirtualwire.Atagvalueofzeroindicatesuntagged
traffic(thedefault).Multipletagsorrangesmustbeseparatedbycommas.
Trafficthathasanexcludedtagvalueisdropped.
Tagvaluesarenotchangedonincomingoroutgoingpackets.
Whenutilizingvirtualwiresubinterfaces,theTag Allowedlistwillcauseall
trafficwiththelistedtagstobeclassifiedtotheparentvirtualwire.Virtual
wiresubinterfacesmustutilizetagsthatdonotexistintheparent'sTag
Allowedlist.
MulticastFirewalling Selectifyouwanttobeabletoapplysecurityrulestomulticasttraffic.Ifthis
settingisnotenabled,multicasttrafficisforwardedacrossthevirtualwire.
LinkStatePassThrough Selectifyouwanttobringdowntheotherinterfaceinavirtualwirepair
whenadownlinkstateisdetected.Ifyoudonotselectoryoudisablethis
option,linkstatusisnotpropagatedacrossthevirtualwire.

Network Network>Interfaces
Network>Interfaces
Firewallinterfaces(ports)enableafirewalltoconnectwithothernetworkdevicesandwithotherinterfaces
withinthefirewall.Thefollowingtopicsdescribetheinterfacetypesandhowtoconfigurethem:
Whatarefirewallinterfaces? FirewallInterfacesOverview
Iamnewtofirewallinterfaces; CommonBuildingBlocksforFirewallInterfaces
whatarethecomponentsofa
firewallinterface? CommonBuildingBlocksforPA7000SeriesFirewall
Interfaces
Ialreadyunderstandfirewall Physical Interfaces (Ethernet)
interfaces;howcanIfind
Layer2Interface
informationonconfiguringa
specificinterfacetype? Layer2Subinterface
Layer3Interface
Layer3Subinterface
VirtualWireInterface
VirtualWireSubinterface
TapInterface
LogCardInterface
LogCardSubinterface
DecryptMirrorInterface
AggregateEthernet(AE)InterfaceGroup
AggregateEthernet(AE)Interface
HAInterface
Logical Interfaces
Network>Interfaces>VLAN
Network>Interfaces>Loopback
Network>Interfaces>Tunnel
Looking for more? Networking

Network>Interfaces Network
FirewallInterfacesOverview
Theinterfaceconfigurationsoffirewalldataportsenabletraffictoenterandexitthefirewall.APaloAlto
Networksfirewallcanoperateinmultipledeploymentssimultaneouslybecauseyoucanconfigurethe
interfacestosupportdifferentdeployments.Forexample,youcanconfiguretheEthernetinterfacesona
firewallforvirtualwire,Layer2,Layer3,andtapmodedeployments.Theinterfacesthatthefirewall
supportsare:
PhysicalInterfacesThefirewallsupportstwokindsofEthernetcopperandfiberopticthatcansend
andreceivetrafficatdifferenttransmissionrates.YoucanconfigureEthernetinterfacesasthefollowing
types:tap,highavailability(HA),logcard(interfaceandsubinterface),decryptmirror,virtualwire
(interfaceandsubinterface),Layer2(interfaceandsubinterface),Layer3(interfaceandsubinterface),and
aggregateEthernet.Theavailableinterfacetypesandtransmissionspeedsvarybyhardwaremodel.
LogicalInterfacesTheseincludevirtuallocalareanetwork(VLAN)interfaces,loopbackinterfaces,and
tunnelinterfaces.YoumustsetupthephysicalinterfacebeforedefiningaVLANoratunnelinterface.
CommonBuildingBlocksforFirewallInterfaces
SelectNetwork > Interfacestodisplayandconfigurethecomponentsthatarecommontomostinterface

types.
ForadescriptionofcomponentsthatareuniqueordifferentwhenyouconfigureinterfacesonaPA7000Series
firewall,orwhenyouusePanoramatoconfigureinterfacesonanyfirewall,seeCommonBuildingBlocksfor
PA7000SeriesFirewallInterfaces.
FirewallInterface Description
Building Blocks
Interface(Interface Theinterfacenameispredefinedandyoucannotchangeit.However,youcan
Name) appendanumericsuffixforsubinterfaces,aggregateinterfaces,VLANinterfaces,
loopbackinterfaces,andtunnelinterfaces.
InterfaceType ForEthernetinterfaces(Network > Interfaces > Ethernet),youcanselectthe

interfacetype:
Tap
HA
Decrypt Mirror(PA7000Series,PA5000Series,andPA3000Seriesfirewalls
only)
Virtual Wire
Layer 2
Layer 3
Log Card(PA7000Seriesfirewallonly)
Aggregate Ethernet
ManagementProfile SelectaManagement Profile(Network > Interfaces > <if-config > Advanced > Other
Info)thatdefinestheprotocols(suchasSSH,Telnet,andHTTP)youcanuseto
managethefirewalloverthisinterface.

FirewallInterface Description
Building Blocks
(Continued)
LinkState ForEthernetinterfaces,LinkStateindicateswhethertheinterfaceiscurrently
accessibleandcanreceivetrafficoverthenetwork:
GreenConfiguredandup
RedConfiguredbutdownordisabled
GrayNotconfigured
Hoveroverthelinkstatetodisplayatooltipthatindicatesthelinkspeedandduplex
settingsforthatinterface.
IPAddress (Optional)ConfiguretheIPv4orIPv6addressoftheEthernet,VLAN,loopback,or
tunnelinterface.ForanIPv4address,youcanalsoselecttheaddressingmode(Type)
fortheinterface:Static,DHCP Client,orPPPoE.
VirtualRouter AssignavirtualroutertotheinterfaceorclickVirtual Routertodefineanewone

(seeNetwork>VirtualRouters).SelectNonetoremovethecurrentvirtualrouter
assignmentfromtheinterface.
Tag(Subinterfaceonly) EntertheVLANtag(14,094)forthesubinterface.
VLAN SelectNetwork > Interfaces > VLANandmodifyanexistingVLANorAddanewone

(seeNetwork>VLANs).SelectNonetoremovethecurrentVLANassignmentfrom
theinterface.ToenableswitchingbetweenLayer2interfaces,ortoenablerouting
throughaVLANinterface,youmustconfigureaVLANobject.
VirtualSystem Ifthefirewallsupportsmultiplevirtualsystemsandthatcapabilityisenabled,select
avirtualsystem(vsys)fortheinterfaceorclickVirtual Systemtodefineanewvsys.
SecurityZone SelectaSecurity Zone(Network > Interfaces > <if-config> Config)fortheinterface,

orselectZonetodefineanewone.SelectNonetoremovethecurrentzone
assignmentfromtheinterface.
Features ForEthernetinterfaces,thiscolumnindicateswhetherthefollowingfeaturesare
enabled:
DHCPClient
DNSProxy
GlobalProtectgatewayenabled
LinkAggregationControlProtocol(LACP)
LinkLayerDiscoveryProtocol(LLDP)
NDPMonitor
NetFlowprofile
QualityofService(QoS)profile
Comment Adescriptionoftheinterfacefunctionorpurpose.
CommonBuildingBlocksforPA7000SeriesFirewallInterfaces
ThefollowingtabledescribesthecomponentsoftheNetwork > Interfaces > Ethernetpagethatareuniqueor

differentwhenyouconfigureinterfacesonaPA7000Seriesfirewall,orwhenyouusePanoramato
configureinterfacesonanyfirewall.ClickAdd Interfacetocreateanewinterfaceorselectanexisting
interface(ethernet1/1,forexample)toeditit.

OnPA7000Seriesfirewalls,youmustconfigureaLogCardInterfaceononedataport.
PA7000SeriesFirewall Description
InterfaceBuildingBlocks
Slot Selecttheslotnumber(112)oftheinterface.OnlyPA7000Seriesfirewallshave
multipleslots.IfyouusePanoramatoconfigureaninterfaceforanyotherfirewall
model,selectSlot 1.
Interface(InterfaceName) SelectthenameofaninterfacethatisassociatedwiththeselectedSlot.
Layer2Interface
Network>Interfaces>Ethernet
SelectNetwork > Interfaces > EthernettoconfigureaLayer2interface.clickthenameofanInterface
(ethernet1/1,forexample)thatisnotconfiguredandspecifythefollowinginformation.
Layer2Interface ConfiguredIn Description

Settings
InterfaceName Ethernet Theinterfacenameispredefinedandyoucannotchangeit.

Interface
Comment Enteranoptionaldescriptionfortheinterface.
InterfaceType SelectLayer2.
NetflowProfile IfyouwanttoexportunidirectionalIPtrafficthattraversesaningressinterface
toaNetFlowserver,selecttheserverprofileorclickNetflow Profiletodefine
anewprofile(seeDevice>ServerProfiles>NetFlow).SelectNonetoremove
thecurrentNetFlowserverassignmentfromtheinterface.
VLAN Ethernet ToenableswitchingbetweenLayer2interfacesortoenableroutingthrougha

Interface > Config VLANinterface,selectanexistingVLANorclickVLANtodefineanewVLAN
(seeNetwork>VLANs).SelectNonetoremovethecurrentVLANassignment
fromtheinterface.
VirtualSystem Ifthefirewallsupportsmultiplevirtualsystemsandthatcapabilityisenabled,
selectavirtualsystemfortheinterfaceorclickVirtual Systemtodefineanew
vsys.
SecurityZone SelectaSecurity ZonefortheinterfaceorclickZonetodefineanewzone.

SelectNonetoremovethecurrentzoneassignmentfromtheinterface.
LinkSpeed Ethernet SelecttheinterfacespeedinMbps(10,100,or1000)orselectautotohavethe

Interface > firewallautomaticallydeterminethespeed.
Advanced
LinkDuplex Selectwhethertheinterfacetransmissionmodeisfullduplex(full),halfduplex
(half),ornegotiatedautomatically(auto).
LinkState Selectwhethertheinterfacestatusisenabled(up),disabled(down),or
determinedautomatically(auto).


Settings
EnableLLDP Ethernet SelecttoenableLinkLayerDiscoveryProtocol(LLDP)ontheinterface.LLDP

Interface > functionsatthelinklayertodiscoverneighboringdevicesandtheircapabilities.
Advanced > LLDP
Profile IfLLDPisenabled,selectanLLDPprofiletoassigntotheinterfaceorclick
LLDP Profiletocreateanewprofile(seeNetwork>NetworkProfiles>LLDP
Profile).SelectNonetoconfigurethefirewalltouseglobaldefaults.
EnableinHA IfLLDPisenabled,selecttoallowanHApassivefirewalltoprenegotiateLLDP
PassiveState withitspeerbeforethefirewallbecomesactive.
Layer2Subinterface
ForeachEthernetportconfiguredasaphysicalLayer2interface,youcandefineanadditionallogicalLayer
2interface(subinterface)foreachVLANtagassignedtothetrafficthattheportreceives.Toenable
switchingbetweenLayer2subinterfaces,assignthesameVLANobjecttothesubinterfaces.
ToconfigureaLayer2Interface,selecttherowofthatphysicalInterface,clickAdd Subinterface,andspecify
thefollowinginformation.
Layer2SubinterfaceSettings
InterfaceName ThereadonlyInterfaceNamedisplaysthenameofthephysicalinterfaceyouselected.Inthe
adjacentfield,enteranumericsuffix(19,999)toidentifythesubinterface.
Comment Enteranoptionaldescriptionforthesubinterface.
Tag EntertheVLANtag(14,094)forthesubinterface.
NetflowProfile IfyouwanttoexportunidirectionalIPtrafficthattraversesaningresssubinterfacetoaNetFlow
server,selecttheserverprofileorclickNetflow Profiletodefineanewprofile(seeDevice>Server
Profiles>NetFlow).SelectNonetoremovethecurrentNetFlowserverassignmentfromthe
subinterface.
VLAN ToenableswitchingbetweenLayer2interfacesortoenableroutingthroughaVLANinterface,
selectaVLAN,orclickVLANtodefineanewVLAN(seeNetwork>VLANs).SelectNonetoremove
thecurrentVLANassignmentfromthesubinterface.
VirtualSystem Ifthefirewallsupportsmultiplevirtualsystemsandthatcapabilityisenabled,selectavirtualsystem
(vsys)forthesubinterfaceorclickVirtual Systemtodefineanewvsys.
SecurityZone SelectasecurityzoneforthesubinterfaceorclickZonetodefineanewzone.SelectNoneto
removethecurrentzoneassignmentfromthesubinterface.
Layer3Interface

ToconfigureaLayer3interface,clickthenameofanInterface(ethernet1/1,forexample)thatisnot
configuredandspecifythefollowinginformation.

Settings

Interface
InterfaceType SelectLayer3.
NetflowProfile IfyouwanttoexportunidirectionalIPtrafficthattraversesaningress
interfacetoaNetFlowserver,selecttheserverprofileorclickNetflow
Profiletodefineanewprofile(seeDevice>ServerProfiles>NetFlow).
SelectNonetoremovethecurrentNetFlowserverassignmentfromthe
interface.
VirtualRouter Ethernet Selectavirtualrouter,orclickVirtual Routertodefineanewone(see

Interface > Network>VirtualRouters).SelectNonetoremovethecurrentvirtual
Config routerassignmentfromtheinterface.
VirtualSystem Ifthefirewallsupportsmultiplevirtualsystemsandthatcapabilityis
enabled,selectavirtualsystem(vsys)fortheinterfaceorclickVirtual
Systemtodefineanewvsys.
SecurityZone SelectasecurityzonefortheinterfaceorclickZonetodefineanewzone.
LinkSpeed Ethernet SelecttheinterfacespeedinMbps(10,100,or1000)orselectauto.

Interface >
LinkDuplex Advanced Selectwhethertheinterfacetransmissionmodeisfullduplex(full),
halfduplex(half),ornegotiatedautomatically(auto).


Settings
ManagementProfile Ethernet Selectaprofilethatdefinestheprotocols(forexample,SSH,Telnet,and

Interface > HTTP)youcanusetomanagethefirewalloverthisinterface.SelectNone
Advanced > Other toremovethecurrentprofileassignmentfromtheinterface.
Info
MTU Enterthemaximumtransmissionunit(MTU)inbytesforpacketssenton
thisinterface(5769,192;defaultis1,500).Ifmachinesoneithersideof
thefirewallperformPathMTUDiscovery(PMTUD)andtheinterface
receivesapacketexceedingtheMTU,thefirewallreturnsanICMP
fragmentationneededmessagetothesourceindicatingthepacketistoo
large.
AdjustTCPMSS Selecttoadjustthemaximumsegmentsize(MSS)toaccommodatebytes
foranyheaderswithintheinterfaceMTUbytesize.TheMTUbytesize
minustheMSSAdjustmentSizeequalstheMSSbytesize,whichvariesby
IPprotocol:
IPv4 MSS Adjustment SizeRangeis40300;defaultis40.
Usethesesettingstoaddressthecasewhereatunnelthroughthe
networkrequiresasmallerMSS.IfapackethasmorebytesthantheMSS
withoutfragmentation,thissettingenablestheadjustment.
EncapsulationaddslengthtoheaderssoitishelpfultoconfiguretheMSS
adjustmentsizetoallowbytesforsuchthingsasanMPLSheaderor
tunneledtrafficthathasaVLANtag.
UntaggedSubinterface SpecifiesthatallsubinterfacesbelongingtothisLayer3interfaceare
untagged.PANOSselectsanuntaggedsubinterfaceastheingress
interfacebasedonthepacketdestination.IfthedestinationistheIP
addressofanuntaggedsubinterface,itmapstothesubinterface.Thisalso
meansthatpacketsinthereversedirectionmusthavetheirsource
addresstranslatedtotheIPaddressoftheuntaggedsubinterface.A
byproductofthisclassificationmechanismisthatallmulticastand
broadcastpacketsareassignedtothebaseinterface,notany
subinterfaces.BecauseOpenShortestPathFirst(OSPF)usesmulticast,
thefirewalldoesnotsupportitonuntaggedsubinterfaces.
IPAddress Ethernet ToaddoneormorestaticAddressResolutionProtocol(ARP)entries,click

MACAddress Interface > AddandenteranIPaddressanditsassociatedhardware(MAC)address.
Advanced > ARP Todeleteanentry,selecttheentryandclickDelete.StaticARPentries
Entries reduceARPprocessingandprecludemaninthemiddleattacksforthe
specifiedaddresses.
IPv6Address Ethernet ToprovideneighborinformationforNeighborDiscoveryProtocol(NDP),

MACAddress Interface > clickAddandentertheIPaddressandMACaddressoftheneighbor.
Advanced > ND
Entries


Settings
EnableNDPProxy Ethernet SelecttoenabletheNeighborDiscoveryProtocol(NDP)proxyforthe

Interface > interface.ThefirewallwillrespondtoNDpacketsrequestingMAC
Advanced > NDP addressesforIPv6addressesinthislist.IntheNDresponse,thefirewall
Proxy sendsitsownMACaddressfortheinterfacetoindicateitwillactasproxy
byrespondingtopacketsdestinedforthoseaddresses.
ItisrecommendedthatyouselectEnable NDP ProxyifyouuseNetwork
PrefixTranslationIPv6(NPTv6).
IfEnable NDP Proxyisselected,youcanfilternumerousAddressentries
byenteringasearchstringandclickingApplyFilter( ).
Address ClickAddtoenteroneormoreIPv6addresses,IPranges,IPv6subnets,or
addressobjectsforwhichthefirewallwillactastheNDPproxy.Ideally,
oneoftheseaddressesisthesameaddressasthatofthesource
translationinNPTv6.Theorderofaddressesdoesnotmatter.
Iftheaddressisasubnetwork,thefirewallwillsendanNDresponsefor
alladdressesinthesubnet,sowerecommendthatyoualsoaddtheIPv6
neighborsofthefirewallandthenselectNegatetoinstructthefirewall
nottorespondtotheseIPaddresses.
Negate SelectNegateforanaddresstopreventNDPproxyforthataddress.You
cannegateasubsetofthespecifiedIPaddressrangeorIPsubnet.
EnableLLDP Ethernet SelecttoenableLinkLayerDiscoveryProtocol(LLDP)ontheinterface.

Interface > LLDPfunctionsatthelinklayertodiscoverneighboringdevicesandtheir
Advanced > LLDP capabilities.
LLDPProfile IfLLDPisenabled,selectanLLDPprofiletoassigntotheinterfaceorclick
LLDP Profiletocreateanewprofile(seeNetwork>NetworkProfiles>
LLDPProfile).SelectNonetoconfigurethefirewalltouseglobaldefaults.
EnableinHAPassive IfLLDPisenabled,selecttoallowthefirewallasanHApassivefirewallto
State prenegotiateLLDPwithitspeerbeforethefirewallbecomesactive.
Type Ethernet SelectthemethodforassigninganIPv4addresstypetotheinterface:

Interface > IPv4 StaticYoumustmanuallyspecifytheIPaddress.
PPPoEThefirewallwillusetheinterfaceforPointtoPointProtocol
overEthernet(PPPoE).
DHCP ClientEnablestheinterfacetoactasaDynamicHost
ConfigurationProtocol(DHCP)clientandreceiveadynamically
assignedIPaddress.
Firewallsthatareinactive/activehighavailability(HA)modedo
notsupportPPPoEorDHCPClient.
BasedonyourIPaddressmethodselection,theoptionsdisplayedinthe
tabwillvary.


Settings
IPv4 address Type = Static
IP Ethernet ClickAdd,thenperformoneofthefollowingstepstospecifyastaticIP
Interface > IPv4 addressandnetworkmaskfortheinterface.
TypetheentryinClasslessInterdomainRouting(CIDR)notation:
ip_address/mask(forexample,192.168.2.0/24).
SelectanexistingaddressobjectoftypeIP netmask.
ClickAddresstocreateanaddressobjectoftypeIP netmask.
YoucanentermultipleIPaddressesfortheinterface.Theforwarding
informationbase(FIB)yourfirewallusesdeterminesthemaximum
numberofIPaddresses.
TodeleteanIPaddress,selecttheaddressandclickDelete.
IPv4 address Type = PPPoE
Enable Ethernet SelecttoactivatetheinterfaceforPPPoEtermination.

Interface > IPv4 >
Username PPPoE > General Entertheusernameforthepointtopointconnection.
Password/Confirm Enterandthenconfirmthepasswordfortheusername.
Password
ShowPPPoEClient (Optional)Opensadialogthatdisplaysparametersthatthefirewall
RuntimeInfo negotiatedwiththeInternetserviceprovider(ISP)toestablisha
connection.ThespecificinformationdependsontheISP.


Settings
Authentication Ethernet SelecttheauthenticationprotocolforPPPoEcommunications:CHAP

Interface > IPv4 > (ChallengeHandshakeAuthenticationProtocol),PAP(Password
PPPoE > AuthenticationProtocol),orthedefaultAuto(thefirewalldeterminesthe
Advanced protocol).SelectNonetoremovethecurrentprotocolassignmentfrom
theinterface.
StaticAddress PerformoneofthefollowingstepstospecifytheIPaddressthatthe
Internetserviceproviderassigned(nodefaultvalue):
TypetheentryinClasslessInterDomainRouting(CIDR)notation:
SelectNonetoremovethecurrentaddressassignmentfromthe
interface.
Automaticallycreate SelecttoautomaticallycreateadefaultroutethatpointstothePPPoE
defaultroutepointing peerwhenconnected.
topeer
DefaultRouteMetric (Optional)FortheroutebetweenthefirewallandInternetservice
provider,enteraroutemetric(prioritylevel)toassociatewiththedefault
routeandtouseforpathselection(rangeis165,535).Theprioritylevel
increasesasthenumericvaluedecreases.
AccessConcentrator (Optional)EnterthenameoftheaccessconcentratorontheInternet
serviceproviderendtowhichthefirewallconnects(nodefault).
Service (Optional)Entertheservicestring(nodefault).
Passive Selecttousepassivemode.Inpassivemode,aPPPoEendpointwaitsfor
theaccessconcentratortosendthefirstframe.
IPv4 address Type = DHCP
Enable Ethernet SelecttoactivatetheDHCPclientontheinterface.

Interface > IPv4
Automaticallycreate Selecttoautomaticallycreateadefaultroutethatpointstothedefault
defaultroutepointing gatewaythattheDHCPserverprovides.
todefaultgateway
providedbyserver
DefaultRouteMetric FortheroutebetweenthefirewallandDHCPserver,optionallyentera
routemetric(prioritylevel)toassociatewiththedefaultrouteandtouse
forpathselection(rangeis165,535,nodefault).Theprioritylevel
increasesasthenumericvaluedecreases.
ShowDHCPClient SelecttodisplayallsettingsreceivedfromtheDHCPserver,including
RuntimeInfo DHCPleasestatus,dynamicIPaddressassignment,subnetmask,
gateway,andserversettings(DNS,NTP,domain,WINS,NIS,POP3,and
SMTP).


Settings
EnableIPv6onthe Ethernet SelecttoenableIPv6addressingonthisinterface.

interface Interface > IPv6
InterfaceID Enterthe64bitextendeduniqueidentifier(EUI64)inhexadecimal
format(forexample,00:26:08:FF:FE:DE:4E:29).Ifyouleavethisfield
blank,thefirewallusestheEUI64generatedfromtheMACaddressof
thephysicalinterface.IfyouenabletheUse interface ID as host portion
optionwhenaddinganaddress,thefirewallusestheinterfaceIDasthe
hostportionofthataddress.
Address ClickAddandconfigurethefollowingparametersforeachIPv6address:
AddressEnteranIPv6addressandprefixlength(forexample,
2001:400:f00::1/64).YoucanalsoselectanexistingIPv6address
objectorclickAddresstocreateanaddressobject.
Enable address on interfaceSelecttoenabletheIPv6addressonthe
interface.
Use interface ID as host portionSelecttousetheInterface IDasthe
hostportionoftheIPv6address.
AnycastSelecttoincluderoutingthroughthenearestnode.
Send Router AdvertisementSelecttoenablerouteradvertisement
(RA)forthisIPaddress.(YoumustalsoenabletheglobalEnable Router
Advertisementoptionontheinterface.)FordetailsonRA,seeEnable
RouterAdvertisement.
TheremainingfieldsapplyonlyifyouenableRA.
Valid LifetimeThelengthoftime,inseconds,thatthefirewall
considerstheaddressasvalid.Thevalidlifetimemustequalor
exceedthePreferred Lifetime(defaultis2,592,000).
Preferred LifetimeThelengthoftime,inseconds,thatthevalid
addressispreferred,whichmeansthefirewallcanuseittosend
andreceivetraffic.Afterthepreferredlifetimeexpires,thefirewall
cannotusetheaddresstoestablishnewconnectionsbutany
existingconnectionsarevaliduntiltheValid Lifetimeexpires
(defaultis604,800).
On-linkSelectifsystemsthathaveaddresseswithintheprefix
arereachablewithoutarouter.
AutonomousSelectifsystemscanindependentlycreateanIP
addressbycombiningtheadvertisedprefixwithaninterfaceID.


Settings
EnableDuplication Ethernet Selecttoenableduplicateaddressdetection(DAD),thenconfigurethe

AddressDetection Interface > IPv6 > otherfieldsinthissection.
Address
DADAttempts Resolution SpecifythenumberofDADattemptswithintheneighborsolicitation
interval(NS Interval)beforetheattempttoidentifyneighborsfails(range
is110;defaultis1).
ReachableTime Specifythelengthoftime,inseconds,thataneighborremainsreachable
afterasuccessfulqueryandresponse(rangeis1036,000;defaultis30).
NSInterval(neighbor SpecifythenumberofsecondsforDADattemptsbeforefailureis
solicitationinterval) indicated(rangeis110;defaultis1).
EnableNDP SelecttoenableNeighborDiscoveryProtocol(NDP)monitoring.When
Monitoring enabled,youcanselectNDPMonitor( inFeaturescolumn)andview
informationaboutaneighborthatthefirewalldiscovered,suchasthe
IPv6address,thecorrespondingMACaddress,andtheUserID(ona
bestcasebasis).


Settings
EnableRouter Ethernet Toprovidestatelessaddressautoconfiguration(SLAAC)onIPv6

Advertisement Interface > IPv6 > interfaces,selectandconfiguretheotherfieldsinthissection.IPv6DNS
Router clientsthatreceivetherouteradvertisement(RA)messagesusethis
Advertisement information.
RAenablesthefirewalltoactasadefaultgatewayforIPv6hoststhatare
notstaticallyconfiguredandtoprovidethehostwithanIPv6prefixfor
addressconfiguration.YoucanuseaseparateDHCPv6serverin
conjunctionwiththisfeaturetoprovideDNSandothersettingstoclients.
Thisisaglobalsettingfortheinterface.IfyouwanttosetRAoptionsfor
individualIPaddresses,clickAddintheIPaddresstableandconfigurethe
Address.IfyousetRAoptionsforanyIPaddress,youmustselectthe
Enable Router Advertisementoptionfortheinterface.
MinInterval(sec) Specifytheminimuminterval,inseconds,betweenRAsthatthefirewall
willsend(rangeis31,350;defaultis200).ThefirewallwillsendRAsat
randomintervalsbetweentheminimumandmaximumvaluesyou
configure.
MaxInterval(sec) Specifythemaximuminterval,inseconds,betweenRAsthatthefirewall
configure.
HopLimit Specifythehoplimittoapplytoclientsforoutgoingpackets(rangeis
1255;defaultis64).Enter0fornohoplimit.
LinkMTU Specifythelinkmaximumtransmissionunit(MTU)toapplytoclients.
SelectunspecifiedfornolinkMTU(rangeis1,2809,192;defaultis
unspecified).
ReachableTime(ms) Specifythereachabletime(inmilliseconds)thattheclientwilluseto
assumeaneighborisreachableafterreceivingareachabilityconfirmation
message.Selectunspecifiedfornoreachabletimevalue(rangeis
03,600,000;defaultisunspecified).
RetransTime(ms) Specifytheretransmissiontimerthatdetermineshowlongtheclientwill
wait(inmilliseconds)beforeretransmittingneighborsolicitation
messages.Selectunspecifiedfornoretransmissiontime(rangeis
04,294,967,295;defaultisunspecified).
RouterLifetime(sec) Specifyhowlong,insecond,theclientwillusethefirewallasthedefault
gateway(rangeis09,000;defaultis1,800).Zerospecifiesthatthe
firewallisnotthedefaultgateway.Whenthelifetimeexpires,theclient
removesthefirewallentryfromitsDefaultRouterListandusesanother
routerasthedefaultgateway.
RouterPreference IfthenetworksegmenthasmultipleIPv6routers,theclientusesthisfield
toselectapreferredrouter.SelectwhethertheRAadvertisesthefirewall
routerashavingaHigh,Medium(default),orLowpriorityrelativetoother
routersonthesegment.
Managed SelecttoindicatetotheclientthataddressesareavailableviaDHCPv6.
Configuration


Settings
ConsistencyCheck Ethernet SelectifyouwantthefirewalltoverifythatRAssentfromotherrouters

Interface > IPv6 > areadvertisingconsistentinformationonthelink.Thefirewalllogsany
Router inconsistenciesinasystemlog;thetypeisipv6nd.
Advertisement
OtherConfiguration (cont) Selecttoindicatetotheclientthatotheraddressinformation(for
example,DNSrelatedsettings)isavailableviaDHCPv6.


Settings
IncludeDNS Ethernet SelecttoenablethefirewalltosendDNSinformationinNDProuter

informationinRouter Interface > IPv6 > advertisement(RA)messagesfromthisIPv6Ethernetinterface.Theother
Advertisement DNS Support DNSSupportfieldsinthistablearevisibleonlyafteryouselectthis
option.
Server AddoneormorerecursiveDNS(RDNS)serveraddressesforthefirewall
tosendinNDProuteradvertisementsfromthisIPv6Ethernetinterface.
RDNSserverssendaseriesofDNSlookuprequeststorootDNSservers
andauthoritativeDNSserverstoultimatelyprovideanIPaddresstothe
DNSclient.
YoucanconfigureamaximumofeightRDNSserversthatthefirewall
sendsintheorderlistedfromtoptobottominanNDProuter
advertisementtotherecipient,whichthenusesthoseaddressesinthe
sameorder.SelectaserverandMove UporMove Downtochangethe
orderoftheserversorDeleteaserverfromthelistwhenyounolonger
needit.
Lifetime EnterthemaximumnumberofsecondsaftertheIPv6DNSclientreceives
therouteradvertisementthatitcanusetheRDNSserverstoresolve
domainnames(rangeisthevalueofMaxInterval(sec)totwicetheMax
Interval;defaultis1,200).
Suffix Addandconfigureoneormoredomainnames(suffixes)fortheDNS
searchlist(DNSSL).Themaximumsuffixlengthis255bytes.
ADNSsearchlistisalistofdomainsuffixesthataDNSclientrouter
appends(oneatatime)toanunqualifieddomainnamebeforeitentersthe
nameintoaDNSquery,therebyusingafullyqualifieddomainnameinthe
DNSquery.Forexample,ifaDNSclienttriestosubmitaDNSqueryfor
thenamequalitywithoutasuffix,therouterappendsaperiodandthe
firstDNSsuffixfromtheDNSsearchlisttothatnameandthentransmits
theDNSquery.IfthefirstDNSsuffixonthelistiscompany.com,the
resultingDNSqueryfromtherouterisforthefullyqualifieddomainname
quality.company.com.
IftheDNSqueryfails,therouterappendsthesecondDNSsuffixfromthe
listtotheunqualifiednameandtransmitsanewDNSquery.Therouter
triesDNSsuffixesuntilaDNSlookupissuccessful(ignorestheremaining
suffixes)oruntiltherouterhastriedallsuffixesonthelist.
ConfigurethefirewallwiththesuffixesyouwanttoprovidetotheDNS
clientrouterinaNeighborDiscoveryDNSSLoption;theDNSclient
receivingtheDNSSLoptionusesthesuffixesinitsunqualifiedDNS
queries.
Youcanconfigureamaximumofeightdomainnames(suffixes)foraDNS
searchlistthatthefirewallsendsintheorderlistedfromtoptobottom
inanNDProuteradvertisementtotherecipient,whichusesthose
addressesinthesameorder.SelectasuffixandMove UporMove Down
tochangetheorderofthesuffixesorDeleteasuffixfromthelistwhen
younolongerneedit.
therouteradvertisementthatitcanuseadomainname(suffix)onthe
DNSSearchList(rangeisthevalueofMaxInterval(sec)totwicetheMax

Layer3Subinterface
ForeachEthernetportconfiguredasaphysicalLayer3interface,youcandefineadditionallogicalLayer3
interfaces(subinterfaces).
ToconfigureaLayer3Interface,selecttherowofthatphysicalInterface,clickAdd Subinterface,andspecify
Layer3Subinterface ConfiguredIn Description

Settings
InterfaceName Layer3 ThereadonlyInterface Namefielddisplaysthenameofthephysical

Subinterface interfaceyouselected.Intheadjacentfield,enteranumericsuffix
(19,999)toidentifythesubinterface.
NetflowProfile IfyouwanttoexportunidirectionalIPtrafficthattraversesaningress
subinterfacetoaNetFlowserver,selecttheserverprofileorclickNetflow
Profiletodefineanewprofile(seeDevice>ServerProfiles>NetFlow).
SelectNonetoremovethecurrentNetFlowserverassignmentfromthe
subinterface.
VirtualRouter Layer3 Assignavirtualroutertotheinterface,orclickVirtual Routertodefinea

Subinterface > newone(seeNetwork>VirtualRouters).SelectNonetoremovethe
Config currentvirtualrouterassignmentfromtheinterface.
VirtualSystem Ifthefirewallsupportsmultiplevirtualsystemsandthatcapabilityis
enabled,selectavirtualsystem(vsys)forthesubinterfaceorclickVirtual
Systemtodefineanewvsys.
SecurityZone Selectasecurityzoneforthesubinterface,orclickZonetodefineanew
zone.SelectNonetoremovethecurrentzoneassignmentfromthe
subinterface.


Settings
ManagementProfile Layer3 Management ProfileSelectaprofilethatdefinestheprotocols(for

Subinterface > example,SSH,Telnet,andHTTP)youcanusetomanagethefirewallover
Advanced > Other thisinterface.SelectNonetoremovethecurrentprofileassignmentfrom
Info theinterface.
MTU Enterthemaximumtransmissionunit(MTU)inbytesforpacketssenton
thisinterface(rangeis5769,192;defaultis1,500).Ifmachinesoneither
sideofthefirewallperformPathMTUDiscovery(PMTUD)andthe
interfacereceivesapacketexceedingtheMTU,thefirewallreturnsan
ICMPfragmentationneededmessagetothesourceindicatingthepacketis
toolarge.
AdjustTCPMSS Selecttoadjustthemaximumsegmentsize(MSS)toaccommodatebytes
foranyheaderswithintheinterfaceMTUbytesize.TheMTUbytesize
minustheMSSAdjustmentSizeequalstheMSSbytesize,whichvariesby
IPprotocol:
Usethesesettingstoaddressthecasewhereatunnelthroughthe
networkrequiresasmallerMSS.IfapackethasmorebytesthantheMSS
withoutfragmentation,thissettingenablestheadjustment.
EncapsulationaddslengthtoheaderssoithelpstoconfiguretheMSS
adjustmentsizetoallowbytesforsuchthingsasanMPLSheaderor
tunneledtrafficthathasaVLANtag.
IPAddress Layer3 ToaddoneormorestaticAddressResolutionProtocol(ARP)entries,Add

MACAddress Subinterface > anIPaddressanditsassociatedhardware[mediaaccesscontrol(MAC)]
Advanced > ARP address.Todeleteanentry,selecttheentryandclickDelete.StaticARP
Entries entriesreduceARPprocessingandprecludemaninthemiddleattacks
forthespecifiedaddresses.
IPv6Address Layer3 ToprovideneighborinformationforNeighborDiscoveryProtocol(NDP),

MACAddress Subinterface > AddtheIPaddressandMACaddressoftheneighbor.
Advanced > ND
Entries


Settings
EnableNDPProxy Layer3 EnableNeighborDiscoveryProtocol(NDP)proxyfortheinterface.The

Subinterface > firewallwillrespondtoNDpacketsrequestingMACaddressesforIPv6
Advanced > NDP addressesinthislist.IntheNDresponse,thefirewallsendsitsownMAC
Proxy addressfortheinterfacesothatthefirewallwillreceivethepackets
meantfortheaddressesinthelist.
ItisrecommendedthatyouenableNDPproxyifyouareusingNetwork
PrefixTranslationIPv6(NPTv6).
IfyouselectedEnable NDP Proxy,youcanfilternumerousAddress
entriesbyenteringafilterandclickingApplyFilter(grayarrow).
Address AddoneormoreIPv6addresses,IPranges,IPv6subnets,oraddress
objectsforwhichthefirewallwillactasNDPproxy.Ideally,oneofthese
addressesisthesameaddressasthatofthesourcetranslationinNPTv6.
Theorderofaddressesdoesnotmatter.
Iftheaddressisasubnetwork,thefirewallwillsendanNDresponsefor
alladdressesinthesubnet,sowerecommendyoualsoaddtheIPv6
neighborsofthefirewallandthenclickNegatetoinstructthefirewallnot
torespondtotheseIPaddresses.
Negate NegateanaddresstopreventNDPproxyforthataddress.Youcannegate
asubsetofthespecifiedIPaddressrangeorIPsubnet.
Type Layer3 SelectthemethodforassigninganIPv4addresstypetothesubinterface:

Subinterface > StaticYoumustmanuallyspecifytheIPaddress.
IPv4 DHCP ClientEnablesthesubinterfacetoactasaDynamicHost
ConfigurationProtocol(DHCP)clientandreceiveadynamically
assignedIPaddress.
Firewallsthatareinactive/activehighavailability(HA)mode
dontsupportDHCPClient.
BasedonyourIPaddressmethodselection,theoptionsdisplayedinthe
tabwillvary.
IP Layer3 AddandperformoneofthefollowingstepstospecifyastaticIPaddress
Subinterface > andnetworkmaskfortheinterface.
IPv4, Type = TypetheentryinClasslessInterDomainRouting(CIDR)notation:
Static ip_address/mask(forexample,192.168.2.0/24).
CreateanAddressobjectoftypeIP netmask.
informationbase(FIB)yoursystemusesdeterminesthemaximum
numberofIPaddresses.
DeleteanIPaddresswhenyounolongerneedit.


Settings
Enable Layer3 SelecttoactivatetheDHCPclientontheinterface.

Subinterface >
Automaticallycreate IPv4, Type = Selecttoautomaticallycreateadefaultroutethatpointstothedefault
defaultroutepointing DHCP gatewaythattheDHCPserverprovides.
todefaultgateway
providedbyserver
DefaultRouteMetric (Optional)FortheroutebetweenthefirewallandDHCPserver,youcan
enteraroutemetric(prioritylevel)toassociatewiththedefaultrouteand
touseforpathselection(rangeis165535;thereisnodefault).The
prioritylevelincreasesasthenumericvaluedecreases.
ShowDHCPClient SelectShow DHCP Client Runtime Infotodisplayallsettingsreceived

RuntimeInfo fromtheDHCPserver,includingDHCPleasestatus,dynamicIPaddress
assignment,subnetmask,gateway,andserversettings(DNS,NTP,
domain,WINS,NIS,POP3,andSMTP).


Settings
EnableIPv6onthe Layer3 SelecttoenableIPv6addressingonthisinterface.

interface Subinterface >
IPv6
InterfaceID Enterthe64bitextendeduniqueidentifier(EUI64)inhexadecimal
format(forexample,00:26:08:FF:FE:DE:4E:29).Ifyouleavethisfield
blank,thefirewallusestheEUI64generatedfromtheMACaddressof
thephysicalinterface.IfyouenabletheUse interface ID as host portion
optionwhenaddinganaddress,thefirewallusestheinterfaceIDasthe
hostportionofthataddress.
AddressEnteranIPv6addressandprefixlength(forexample,
2001:400:f00::1/64).YoucanalsoselectanexistingIPv6address
objectorclickAddresstocreateanaddressobject.
interface.
Use interface ID as host portionSelecttousetheInterface IDasthe
hostportionoftheIPv6address.
Send Router AdvertisementSelecttoenablerouteradvertisement
(RA)forthisIPaddress.(YoumustalsoenabletheglobalEnable Router
Advertisementoptionontheinterface.)FordetailsonRA,seeEnable
RouterAdvertisementinthistable.
considerstheaddressasvalid.Thevalidlifetimemustequalor
exceedthePreferred Lifetime.Thedefaultis2,592,000.
addressispreferred,whichmeansthefirewallcanuseittosend
andreceivetraffic.Afterthepreferredlifetimeexpires,thefirewall
cannotusetheaddresstoestablishnewconnectionsbutany
existingconnectionsarevaliduntiltheValid Lifetimeexpires.The
defaultis604,800.
On-linkSelectifsystemsthathaveaddresseswithintheprefix
arereachablewithoutarouter.
AutonomousSelectifsystemscanindependentlycreateanIP
addressbycombiningtheadvertisedprefixwithaninterfaceID.


Settings
EnableDuplication Layer3 Selecttoenableduplicateaddressdetection(DAD),thenconfigurethe

AddressDetection Subinterface> otherfieldsinthissection.
IPv6 > Address
DADAttempts Resolution SpecifythenumberofDADattemptswithintheneighborsolicitation
interval(NS Interval)beforetheattempttoidentifyneighborsfails(range
is110;defaultis1).
ReachableTime Specifythelengthoftime,inseconds,thataneighborremainsreachable
afterasuccessfulqueryandresponse(rangeis136,000;defaultis30).
NSInterval(neighbor SpecifythenumberofsecondsforDADattemptsbeforefailureis
solicitationinterval) indicated(rangeis110;defaultis1).
EnableNDP SelecttoenableNeighborDiscoveryProtocol(NDP)monitoring.When
Monitoring enabled,youcanselectNDP( inFeaturescolumn)toviewinformation
aboutaneighborthefirewalldiscovered,suchastheIPv6address,the
correspondingMACaddress,andtheUserID(onabestcasebasis).


Settings
EnableRouter Layer3 ToprovideNeighborDiscoveryonIPv6interfaces,selectandconfigure

Advertisement Subinterface > theotherfieldsinthissection.IPv6DNSclientsthatreceivetherouter
IPv6 > Router advertisement(RA)messagesusethisinformation.
Advertisement RAenablesthefirewalltoactasadefaultgatewayforIPv6hoststhatare
notstaticallyconfiguredandtoprovidethehostwithanIPv6prefixfor
addressconfiguration.YoucanuseaseparateDHCPv6serverin
conjunctionwiththisfeaturetoprovideDNSandothersettingstoclients.
individualIPaddresses,AddandconfigureanAddressintheIPaddress
table.IfyousetRAoptionsforanyIPaddress,youmustEnable Router
Advertisementfortheinterface.
MinInterval(sec) Specifytheminimuminterval,inseconds,betweenRAsthatthefirewall
configure.
MaxInterval(sec) Specifythemaximuminterval,inseconds,betweenRAsthatthefirewall
configure.
HopLimit Specifythehoplimittoapplytoclientsforoutgoingpackets(rangeis
1255;defaultis64).Enter0fornohoplimit.
LinkMTU Specifythelinkmaximumtransmissionunit(MTU)toapplytoclients.
SelectunspecifiedfornolinkMTU(rangeis1,2809,192;defaultis
unspecified).
ReachableTime(ms) Specifythereachabletime(inmilliseconds)thattheclientwilluseto
assumeaneighborisreachableafterreceivingareachabilityconfirmation
message.Selectunspecifiedfornoreachabletimevalue(rangeis
03,600,000;defaultisunspecified).
RetransTime(ms) Specifytheretransmissiontimerthatdetermineshowlongtheclientwill
wait(inmilliseconds)beforeretransmittingneighborsolicitation
messages.Selectunspecifiedfornoretransmissiontime(rangeis
04,294,967,295;defaultisunspecified).
RouterLifetime(sec) Specifyhowlong,inseconds,theclientwillusethefirewallasthedefault
gateway(rangeis09,000;defaultis1,800).Zerospecifiesthatthe
firewallisnotthedefaultgateway.Whenthelifetimeexpires,theclient
removesthefirewallentryfromitsDefaultRouterListandusesanother
routerasthedefaultgateway.
RouterPreference IfthenetworksegmenthasmultipleIPv6routers,theclientusesthisfield
toselectapreferredrouter.SelectwhethertheRAadvertisesthefirewall
routerashavingaHigh,Medium(default),orLowpriorityrelativetoother
routersonthesegment.
Configuration
OtherConfiguration Selecttoindicatetotheclientthatotheraddressinformation(for
example,DNSrelatedsettings)isavailableviaDHCPv6.


Settings
ConsistencyCheck Layer3 SelectifyouwantthefirewalltoverifythatRAssentfromotherrouters

Subinterface > areadvertisingconsistentinformationonthelink.Thefirewalllogsany
IPv6 > Router inconsistenciesinasystemlog;thetypeisipv6nd.
Advertisement
(cont)


Settings
IncludeDNS Layer3 SelectforthefirewalltosendDNSinformationinNDProuter

informationinRouter Subinterface > advertisementsfromthisIPv6Ethernetsubinterface.TheotherDNS
Advertisement IPv6 > DNS Supportfieldsinthistablearevisibleonlyafteryouselectthisoption.
Support
Server AddoneormorerecursiveDNS(RDNS)serveraddressesforthefirewall
tosendinNDProuteradvertisementsfromthisIPv6Ethernetinterface.
RDNSserverssendaseriesofDNSlookuprequeststorootDNSservers
andauthoritativeDNSserverstoultimatelyprovideanIPaddresstothe
DNSclient.
YoucanconfigureamaximumofeightRDNSServersthatthefirewall
sendsinorderlistedfromtoptobottominanNDProuter
advertisementtotherecipient,whichthenusestheminthesameorder.
SelectaserverandMove UporMove Downtochangetheorderofthe
serversorDeleteaserverfromthelistwhenyounolongerneedit.
therouteradvertisementthatitcanuseanRDNSservertoresolve
domainnames(rangeisthevalueofMaxInterval(sec)totwicetheMax
Suffix Addoneormoredomainnames(suffixes)fortheDNSsearchlist(DNSSL).
Themaximumsuffixlengthis255bytes.
ADNSsearchlistisalistofdomainsuffixesthataDNSclientrouter
appends(oneatatime)toanunqualifieddomainnamebeforeitentersthe
nameintoaDNSquery,therebyusingafullyqualifieddomainnameinthe
DNSquery.Forexample,ifaDNSclienttriestosubmitaDNSqueryfor
thenamequalitywithoutasuffix,therouterappendsaperiodandthe
firstDNSsuffixfromtheDNSsearchlisttothenameandtransmitsthe
DNSquery.IfthefirstDNSsuffixonthelistiscompany.com,the
resultingDNSqueryfromtherouterisforthefullyqualifieddomainname
quality.company.com.
IftheDNSqueryfails,therouterappendsthesecondDNSsuffixfromthe
listtotheunqualifiednameandtransmitsanewDNSquery.Therouter
usestheDNSsuffixesuntilaDNSlookupissuccessful(ignoresthe
remainingsuffixes)oruntiltherouterhastriedallofsuffixesonthelist.
Configurethefirewallwiththesuffixesthatyouwanttoprovidetothe
DNSclientrouterinaNeighborDiscoveryDNSSLoption;theDNSclient
receivingtheDNSSLoptionusesthesuffixesinitsunqualifiedDNS
queries.
searchlistoptionthatthefirewallsendsinorderlistedfromtopto
bottominanNDProuteradvertisementtotherecipient,whichuses
theminthesameorder.SelectasuffixandMove UporMove Downto
changetheorderofthesuffixesorDeleteasuffixwhenyounolonger
needit.
therouteradvertisementthatitcanuseadomainname(suffix)onthe
DNSsearchlist(rangeisthevalueofMaxInterval(sec)totwicetheMax

VirtualWireInterface
AvirtualwireinterfacebindstwoEthernetportstogether,allowingforalltraffictopassbetweentheports,
orjusttrafficwithselectedVLANtags(nootherswitchingorroutingservicesareavailable).Youcanalso
createVirtualWiresubinterfacesandclassifytrafficaccordingtoanIPaddress,IPrange,orsubnet.Avirtual
wirerequiresnochangestoadjacentnetworkdevices.
Tosetupavirtualwirethroughthefirewall,identifytheinterfacetouseforthevirtualwire(Network >
Interfaces > Ethernet),specifythevirtualwireinterfacesettingsasdescribedinthefollowingtable,andthen
Addthevirtualwire(Network > Virtual Wires).
Ifyouareusinganexistinginterfaceforthevirtualwire,firstremovetheinterfacefromanyassociatedsecurity
zone.
VirtualWire ConfiguredIn Description

InterfaceSetting

Interface
InterfaceType SelectVirtual Wire.
VirtualWire Ethernet Selectavirtualwire,orclickVirtual WiretodefinenewNetwork>Virtual

Interface > Config Wires.SelectNonetoremovethecurrentvirtualwireassignmentfromthe
interface.
selectavirtualsystemfortheinterfaceorclickVirtual Systemtodefineanew
vsys.
SecurityZone Selectasecurityzonefortheinterface,orclickZonetodefineanewzone.
LinkSpeed Ethernet SelecttheinterfacespeedinMbps(10,100,or1000),orselectautotohavethe

Advanced
EnableLLDP Ethernet SelecttoenableLinkLayerDiscoveryProtocol(LLDP)ontheinterface.LLDP

Interface > functionsatthelinklayertodiscoverneighboringdevicesandtheircapabilities.
Advanced > LLDP
Profile IfLLDPisenabled,selectanLLDPprofiletoassigntotheinterfaceorclick
LLDP Profiletocreateanewprofile(seeNetwork>NetworkProfiles>LLDP
Profile).SelectNonetoconfigurethefirewalltouseglobaldefaults.
EnableinHA IfLLDPisenabled,selecttoconfigureanHApassivefirewalltoprenegotiate
PassiveState LLDPwithitspeerbeforethefirewallbecomesactive.
IfLLDPisnotenabled,selecttoconfigureanHApassivefirewalltosimplypass
LLDPpacketsthroughthefirewall.

VirtualWireSubinterface
Virtualwire(vwire)subinterfacesallowyoutoseparatetrafficbyVLANtagsoraVLANtagandIPclassifier
combination,assignthetaggedtraffictoadifferentzoneandvirtualsystem,andthenenforcesecurity
policiesforthetrafficthatmatchesthedefinedcriteria.
ToaddaVirtualWireInterfaceselecttherowforthatinterface,clickAdd Subinterface,andspecifythe
followinginformation.
VirtualWire Description
Subinterface
Settings
InterfaceName ThereadonlyInterface Namedisplaysthenameofthevwireinterfaceyouselected.Inthe

adjacentfield,enteranumericsuffix(19,999)toidentifythesubinterface.
NetflowProfile IfyouwanttoexportunidirectionalIPtrafficthattraversesaningresssubinterfacetoaNetFlow
server,selecttheserverprofileorclickNetflow Profiletodefineanewprofile(seeDevice>Server
Profiles>NetFlow).SelectingNoneremovesthecurrentNetFlowserverassignmentfromthe
subinterface.
IPClassifier ClickAddandenteranIPaddress,IPrange,orsubnettoclassifythetrafficonthisvwire
subinterface.
VirtualWire Selectavirtualwire,orclickVirtual Wiretodefineanewone(seeNetwork>VirtualWires).Select

Nonetoremovethecurrentvirtualwireassignmentfromthesubinterface.
VirtualSystem Ifthefirewallsupportsmultiplevirtualsystemsandthatcapabilityisenabled,selectavirtualsystem
(vsys)forthesubinterfaceorclickVirtual Systemtodefineanewvsys.
SecurityZone Selectasecurityzoneforthesubinterface,orclickZonetodefineanewzone.SelectNoneto
removethecurrentzoneassignmentfromthesubinterface.

TapInterface
Youcanuseatapinterfacetomonitortrafficonaport.
Toconfigureatapinterface,clickthenameofanInterface(ethernet1/1,forexample)thatisnotconfiguredandspecify
TapInterface ConfiguredIn Description

Settings

Interface
InterfaceType SelectTap.
VirtualSystem Ethernet Ifthefirewallsupportsmultiplevirtualsystemsandthatcapabilityisenabled,

Interface > Config selectavirtualsystemfortheinterfaceorclickVirtual Systemtodefineanew
vsys.
SecurityZone SelectasecurityzonefortheinterfaceorclickZonetodefineanewzone.
LinkSpeed Ethernet SelecttheinterfacespeedinMbps(10,100,or1000),orselectautotohavethe

Advanced

LogCardInterface
IfyouconfigurelogforwardingonaPA7000Seriesfirewall,youmustconfigureonedataportastypeLog
Card.Thisisbecausethetrafficandloggingcapabilitiesofthisfirewallmodelexceedthecapabilitiesofthe
management(MGT)interface.Alogcarddataportperformslogforwardingforsyslog,email,Simple
NetworkManagementProtocol(SNMP),Panoramalogforwarding,andWildFirefileforwarding.
YoucanconfigureonlyoneportonthefirewallastypeLog Card.Ifyouenablelogforwardingbutdonot
configureaninterfacewiththeLog Cardtype,yougetanerrorwhenyouattempttocommityourchanges.
Toconfigurealogcardinterface,selectanInterfacethatisnotconfigured(ethernet1/16,forexample)and
configurethesettingsdescribedinthefollowingtable.
LogCard ConfiguredIn Description

InterfaceSettings
Slot Ethernet Selecttheslotnumber(112)oftheinterface.

Interface
InterfaceName Theinterfacenameispredefinedandyoucannotchangeit.
InterfaceType SelectLog Card.
IPv4 Ethernet IfyournetworkusesIPv4,definethefollowing:

Interface > Log IP addressTheIPv4addressoftheport.
Card Forwarding NetmaskThenetworkmaskfortheIPv4addressoftheport.
Default GatewayTheIPv4addressofthedefaultgatewayfortheport.
IPv6 IfyournetworkusesIPv6,definethefollowing:
IP addressTheIPv6addressoftheport.
LinkSpeed Ethernet SelecttheinterfacespeedinMbps(10,100,or1000)orselectauto(default)to

Interface > havethefirewallautomaticallydeterminethespeedbasedontheconnection.
Advanced Forinterfacesthathaveanonconfigurablespeed,autoistheonlyoption.
Theminimumrecommendedspeedfortheconnectionis1000(Mbps).
(half),ornegotiatedautomaticallybasedontheconnection(auto).Thedefault
isauto.
determinedautomaticallybasedontheconnection(auto).Thedefaultisauto.

LogCardSubinterface
ToaddaLogCardInterface,selecttherowforthatinterface,Add Subinterface,andspecifythefollowing
information.
LogCard ConfiguredIn Description

Subinterface
Settings
InterfaceName LPC Subinterface Interface Name(readonly)displaysthenameofthelogcardinterfaceyou

selected.Intheadjacentfield,enteranumericsuffix(19,999)toidentifythe
subinterface.
Tag EntertheVLANTag(04,094)forthesubinterface.
Makethetagthesameasthesubinterfacenumberforeaseofuse.
VirtualSystem LPC Subinterface Selectthevirtualsystem(vsys)towhichtheLogProcessingCard(LPC)

> Config subinterfaceisassigned.Alternatively,youcanclickVirtual Systemstoadda
newvsys.OnceanLPCsubinterfaceisassignedtoavsys,thatinterfaceisused
asthesourceinterfaceforallservicesthatforwardlogs(syslog,email,SNMP)
fromthelogcard.
IPv4 Ethernet IfyournetworkusesIPv4,definethefollowing:

Interface > Log IP addressTheIPv4addressoftheport.
Card Forwarding NetmaskThenetworkmaskfortheIPv4addressoftheport.
IPv6 IfyournetworkusesIPv6,definethefollowing:
IP addressTheIPv6addressoftheport.

DecryptMirrorInterface
TousetheDecryptionPortMirrorfeature,youmustselecttheDecrypt Mirrorinterfacetype.Thisfeatureenables
creatingacopyofdecryptedtrafficfromafirewallandsendingittoatrafficcollectiontoolthatcanreceiverawpacket
capturessuchasNetWitnessorSoleraforarchivingandanalysis.Organizationsthatrequirecomprehensivedata
captureforforensicandhistoricalpurposesordataleakprevention(DLP)functionalityrequirethisfeature.Decryption
portmirroringisonlyavailableonPA7000Seriesfirewalls,PA5000Seriesfirewalls,andPA3000Seriesfirewalls.To
enablethefeature,youmustacquireandinstallthefreelicense.
Toconfigureadecryptmirrorinterface,clickthenameofanInterface(ethernet1/1,forexample)thatisnotconfigured
andspecifythefollowinginformation.
DecryptMirrorInterfaceSettings
InterfaceType SelectDecrypt Mirror.
LinkSpeed SelecttheinterfacespeedinMbps(10,100,or1000),orselectautotohavethe
firewallautomaticallydeterminethespeed.
LinkDuplex Selectwhethertheinterfacetransmissionmodeisfullduplex(full),halfduplex(half),
ornegotiatedautomatically(auto).
LinkState Selectwhethertheinterfacestatusisenabled(up),disabled(down),ordetermined
automatically(auto).

AggregateEthernet(AE)InterfaceGroup
AnAEinterfacegroupusesIEEE802.1AXlinkaggregationtocombinemultipleEthernetinterfacesintoa
singlevirtualinterfacethatconnectsthefirewalltoanothernetworkdeviceoranotherfirewall.AnAE
interfacegroupincreasesthebandwidthbetweenpeersbyloadbalancingtrafficacrossthecombined
interfaces.Italsoprovidesredundancy;whenoneinterfacefails,theremaininginterfacescontinueto
supporttraffic.
BeforeconfiguringanAEinterfacegroup,youmustconfigureitsinterfaces.Alltheinterfacesinanaggregate
groupmustbethesamewithrespecttobandwidth(1Gbpsor10Gbps)andinterfacetype(HA3,virtualwire,
Layer2,orLayer3).YoucanadduptoeightAEinterfacegroupsperfirewallandeachgroupcanhaveupto
eightinterfaces.
AllPaloAltoNetworksfirewallsexceptthePA200andVMSeriesmodelssupportAEinterfacegroups.
YoucanaggregatetheHA3(packetforwarding)interfacesinahighavailability(HA)active/activeconfigurationbut
onlyonthefollowingfirewallmodels:
PA220
PA500
PA800Series
PA3000Series
PA5000Series
PA5200Series
ToconfigureanAEinterfacegroup,Add Aggregate Group,configurethesettingsdescribedinthefollowing

table,andthenassigninterfacestothegroup(seeAggregateEthernet(AE)Interface).
Aggregate ConfiguredIn Description

InterfaceGroup
Settings
InterfaceName Aggregate ThereadonlyInterface Nameissettoae.Intheadjacentfield,enteranumeric

Ethernet suffix(1to8)toidentifytheAEinterfacegroup.
Interface
InterfaceType Selecttheinterfacetype,whichcontrolstheremainingconfiguration
requirementsandoptions:
HAOnlyselectiftheinterfaceisanHA3linkbetweentwofirewallsinan
active/activedeployment.OptionallyselectaNetflow Profileandconfigure
theLACPtab(seeEnableLACP).
Virtual WireOptionallyselectaNetflow Profile,andconfiguretheConfig
andAdvancedtabsasdescribedinVirtualWireSettings.
Layer 2OptionallyselectaNetflow Profile;configuretheConfigand
AdvancedtabsasdescribedinLayer2InterfaceSettings;andoptionally
configuretheLACPtab(seeEnableLACP).
Layer 3OptionallyselectaNetflow Profile;configuretheConfig,IPv4or
IPv6,andAdvancedtabsasdescribedinLayer3InterfaceSettings;and
optionallyconfiguretheLACPtab(seeEnableLACP).
thecurrentNetFlowserverassignmentfromtheAEinterfacegroup.


InterfaceGroup
Settings
EnableLACP Aggregate SelectifyouwanttoenableLinkAggregationControlProtocol(LACP)forthe

Ethernet AEinterfacegroup.LACPisdisabledbydefault.
Interface > LACP IfyouenableLACP,interfacefailuredetectionisautomaticatthephysicaland
datalinklayersregardlessofwhetherthefirewallanditsLACPpeeraredirectly
connected.(WithoutLACP,interfacefailuredetectionisautomaticonlyatthe
physicallayerbetweendirectlyconnectedpeers).LACPalsoenablesautomatic
failovertostandbyinterfacesifyouconfigurehotspares(seeMaxPorts).
Mode SelecttheLACPmodeofthefirewall.BetweenanytwoLACPpeers,itis
recommendedthatoneisactiveandtheotherispassive.LACPcannotfunction
ifbothpeersarepassive.
ActiveThefirewallactivelyqueriestheLACPstatus(availableor
unresponsive)ofpeerdevices.
Passive(default)ThefirewallpassivelyrespondstoLACPstatusqueries
frompeerdevices.
Transmission Selecttherateatwhichthefirewallexchangesqueriesandresponseswithpeer
Rate devices:
FastEverysecond
SlowEvery30seconds(thisisthedefaultsetting)
FastFailover Selectif,whenaninterfacegoesdown,youwantthefirewalltofailovertoan
operationalinterfacewithinonesecond.Otherwise,failoveroccursatthe
standardIEEE802.1AXdefinedspeed(atleastthreeseconds).


InterfaceGroup
Settings
SystemPriority Aggregate Thenumberthatdetermineswhetherthefirewalloritspeeroverridesthe

Ethernet otherwithrespecttoportpriorities(seetheMax Portsfielddescriptionbelow).
Interface > LACP Thelowerthenumber,thehigherthepriority(rangeis165,535;
(cont) defaultis32,768).
MaxPorts Thenumberofinterfaces(18)thatcanbeactiveatanygiventimeinanLACP
aggregategroup.Thevaluecannotexceedthenumberofinterfacesyouassign
tothegroup.Ifthenumberofassignedinterfacesexceedsthenumberofactive
interfaces,thefirewallusestheLACPportprioritiesoftheinterfacesto
determinewhichareinstandbymode.YousettheLACPportprioritieswhen
configuringindividualinterfacesforthegroup(seeAggregateEthernet(AE)
Interface).
EnableinHA Forfirewallsdeployedinahighavailability(HA)active/passiveconfiguration,
PassiveState selecttoallowthepassivefirewalltoprenegotiateLACPwithitsactivepeer
beforeafailoveroccurs.Prenegotiationspeedsupfailoverbecausethe
passivefirewalldoesnothavetonegotiateLACPbeforebecomingactive.
SameSystem Thisappliesonlytofirewallsdeployedinahighavailability(HA)active/passive
MACAddressfor configuration;firewallsinanactive/activeconfigurationrequireuniqueMAC
ActivePassive addresses.
HA HAfirewallpeershavethesamesystempriorityvalue.However,inan
active/passivedeployment,thesystemIDforeachcanbethesameor
different,dependingonwhetheryouassignthesameMACaddress.
hentheLACPpeers(alsoinHAmode)arevirtualized(appearingtothe
networkasasingledevice),usingthesamesystemMACaddressforthe
firewallsminimizeslatencyduringfailover.WhentheLACPpeersare
notvirtualized,usingtheuniqueMACaddressofeachfirewall
minimizesfailoverlatency.
LACPusestheMACaddresstoderiveasystemIDforeachLACPpeer.Ifthe
firewallpairandpeerpairhaveidenticalsystempriorityvalues,LACPusesthe
systemIDvaluestodeterminewhichoverridestheotherwithrespecttoport
priorities.IfbothfirewallshavethesameMACaddress,bothwillhavethesame
systemID,whichwillbehigherorlowerthanthesystemIDoftheLACPpeers.
IftheHAfirewallshaveuniqueMACaddresses,itispossibleforonetohavea
highersystemIDthantheLACPpeerswhiletheotherhasalowersystemID.
Inthelattercase,whenfailoveroccursonthefirewalls,portprioritization
switchesbetweentheLACPpeersandthefirewallthatbecomesactive.
MACAddress IfyouenabledUse Same System MAC Address,selectasystemgenerated

MACaddress,orenteryourown,forbothfirewallsintheactive/passivehigh
availability(HA)pair.Youmustverifytheaddressisgloballyunique.

AggregateEthernet(AE)Interface
ToconfigureanAggregateEthernet(AE)Interface,firstconfigureanAggregateEthernet(AE)Interface
Groupandclickthenameoftheinterfaceyouwillassigntothatgroup.Theinterfaceyouselectmustbethe
sametypeasthatdefinedfortheAEinterfacegroup(forexample,Layer3);youwillchangethetypeto
Aggregate Ethernetwhenyouconfiguretheinterface.Specifythefollowinginformationfortheinterface.
IfyouenabledLinkAggregationControlProtocol(LACP)fortheAEinterfacegroup,selectthesame
Link SpeedandLink Duplexforeveryinterfaceinthatgroup.Fornonmatchingvalues,thecommit
operationdisplaysawarningandPANOSdefaultstothehigherspeedandfullduplex.

InterfaceSettings
InterfaceName Aggregate Theinterfacenameispredefinedandyoucannotchangeit.

Ethernet
Comment Interface (Optional)Enteradescriptionfortheinterface.
InterfaceType SelectAggregate Ethernet.
AggregateGroup Assigntheinterfacetoanaggregategroup.
LACPPort ThefirewallonlyusesthisfieldifyouenabledLinkAggregationControl
Priority Protocol(LACP)fortheaggregategroup.Ifthenumberofinterfacesyouassign
tothegroupexceedsthenumberofactiveinterfaces(theMaxPortsfield),the
firewallusestheLACPportprioritiesoftheinterfacestodeterminewhichare
instandbymode.Thelowerthenumericvalue,thehigherthepriority(rangeis
165,535;defaultis32,768).
VirtualRouter Aggregate SelectthevirtualroutertowhichyouassigntheAggregateEthernetinterface.

Ethernet
SecurityZone Interface > SelectthesecurityzonetowhichyouassigntheAggregateEthernetinterface.
Config


InterfaceSettings
EnableIPv6on Aggregate SelecttoenableIPv6onthisinterface.

theinterface Ethernet
Interface > IPv6
InterfaceID Enterthe64bitextendeduniqueidentifier(EUI64)inhexadecimalformat(for
example,00:26:08:FF:FE:DE:4E:29).Ifyouleavethisfieldblank,thefirewall
usestheEUI64generatedfromtheMACaddressofthephysicalinterface.If
youUse interface ID as host portionwhenaddinganaddress,thefirewalluses
theinterfaceIDasthehostportionofthataddress.
Address AddanIPv6addressandconfigurethefollowingparameters:
AddressEnteranIPv6addressandprefixlength(e.g.2001:400:f00::1/64).
YoucanalsoselectanexistingIPv6addressobjectorclickAddresstocreate
one.
interface.
Use interface ID as host portionSelecttousetheInterface IDasthehost
portionoftheIPv6address.
Send RASelecttoenablerouteradvertisement(RA)forthisIPaddress.
Whenyouselectthisoption,youmustalsogloballyEnable Router
Advertisementontheinterface.FordetailsonRA,seeEnableRouter
Advertisement.
TheremainingfieldsapplyarevisibleonlyafteryouenableRA:
considerstheaddressasvalid.Thevalidlifetimemustequalorexceed
thePreferred Lifetime.Thedefaultis2,592,000.
addressispreferred,whichmeansthefirewallcanuseittosendand
receivetraffic.Afterthepreferredlifetimeexpires,thefirewallcannot
usetheaddresstoestablishnewconnectionsbutanyexisting
connectionsarevaliduntiltheyexceedtheValid Lifetime.Thedefault
is604,800.
On-linkSelectifsystemswithIPaddresseswithintheadvertised
prefixarereachablewithoutarouter.
AutonomousSelectifsystemscanindependentlycreateanIPaddress
bycombiningtheadvertisedprefixwithaninterfaceID.


InterfaceSettings
Enable Aggregate Selecttoenableduplicateaddressdetection(DAD),whichthenallowsyouto

Duplication Ethernet specifythenumberofDADAttempts.
Address Interface > IPv6 >
Detection Address
Resolution
DADAttempts SpecifythenumberofDADattemptswithintheneighborsolicitationinterval
(NS Interval)beforetheattempttoidentifyneighborsfails(rangeis110;
defaultis1).
ReachableTime Specifythelengthoftime,inseconds,thataneighborremainsreachableafter
asuccessfulqueryandresponse(rangeis136,000;defaultis30).
NSInterval Specifythelengthoftime,inseconds,beforeaDADattemptfailureisindicated
(neighbor (rangeis110;defaultis1).
solicitation
interval)
EnableNDP SelecttoenableNeighborDiscoveryProtocolmonitoring.Whenenabled,you
Monitoring canselecttheNDP( inFeaturescolumn)andviewinformationsuchasthe
IPv6addressofaneighborthefirewallhasdiscovered,thecorrespondingMAC
addressandUserID(onabestcasebasis).


InterfaceSettings
EnableRouter Aggregated SelecttoprovideNeighborDiscoveryonIPv6interfacesandconfigurethe

Advertisement Ethernet otherfieldsinthissection.IPv6DNSclientsthatreceivetherouter
Interface > IPv6 > advertisement(RA)messagesusethisinformation.
Router RAenablesthefirewalltoactasadefaultgatewayforIPv6hoststhatarenot
Advertisement staticallyconfiguredandtoprovidethehostwithanIPv6prefixforaddress
configuration.YoucanuseaseparateDHCPv6serverinconjunctionwiththis
featuretoprovideDNSandothersettingstoclients.
individualIPaddresses,AddandconfigureanAddressintheIPaddresstable.
IfyousetRAoptionsforanyIPaddress,youmustEnable Router
MinInterval(sec) Specifytheminimuminterval,inseconds,betweenRAsthatthefirewallwill
send(rangeis31,350;defaultis200).ThefirewallwillsendRAsatrandom
intervalsbetweentheminimumandmaximumvaluesyouconfigure.
MaxInterval(sec) Specifythemaximuminterval,inseconds,betweenRAsthatthefirewallwill
HopLimit Specifythehoplimittoapplytoclientsforoutgoingpackets(rangeis1255;
defaultis64).Enter0fornohoplimit.
LinkMTU Specifythelinkmaximumtransmissionunit(MTU)toapplytoclients.Select
unspecifiedfornolinkMTU(rangeis1,2809,192;defaultisunspecified).
ReachableTime Specifythereachabletime,inmilliseconds,thattheclientwillusetoassumea
(ms) neighborisreachableafterreceivingareachabilityconfirmationmessage.
Selectunspecifiedfornoreachabletimevalue(rangeis03,600,000;defaultis
unspecified).
RetransTime(ms) Specifytheretransmissiontimerthatdetermineshowlongtheclientwillwait,
inmilliseconds,beforeretransmittingneighborsolicitationmessages.Select
unspecifiedfornoretransmissiontime(rangeis04,294,967,295;defaultis
unspecified).
RouterLifetime Specifyhowlong,inseconds,theclientwillusethefirewallasthedefault
(sec) gateway(rangeis09,000;defaultis1,800).Zerospecifiesthatthefirewallis
notthedefaultgateway.Whenthelifetimeexpires,theclientremovesthe
firewallentryfromitsDefaultRouterListandusesanotherrouterasthe
defaultgateway.
Router IfthenetworksegmenthasmultipleIPv6routers,theclientusesthisfieldto
Preference selectapreferredrouter.SelectwhethertheRAadvertisesthefirewallrouter
ashavingaHigh,Medium(default),orLowpriorityrelativetootherrouterson
thesegment.
Configuration
Other Selecttoindicatetotheclientthatotheraddressinformation(suchas
Configuration DNSrelatedsettings)isavailableviaDHCPv6.


InterfaceSettings
Consistency Aggregated SelectifyouwantthefirewalltoverifythatRAssentfromotherroutersare

Check Ethernet advertisingconsistentinformationonthelink.Thefirewalllogsany
Interface > IPv6 > inconsistenciesinasystemlog;thetypeisipv6nd.
Router
Advertisement
(cont)
IncludeDNS Aggregated SelectforthefirewalltosendDNSinformationinNDProuteradvertisement

informationin Ethernet (RA)messagesfromthisIPv6AggregatedEthernetinterface.TheotherDNS
Router Interface > IPv6 > Supportfieldsinthistablearevisibleonlyafteryouselectthisoption.
Advertisement DNS Support
Server AddoneormorerecursiveDNS(RDNS)serveraddressesforthefirewallto
sendinNDProuteradvertisementsfromthisIPv6AggregatedEthernet
interface.RDNSserverssendaseriesofDNSlookuprequeststorootDNS
serversandauthoritativeDNSserverstoultimatelyprovideanIPaddressto
theDNSclient.
YoucanconfigureamaximumofeightRDNSServersthatthefirewallsends
intheorderlistedfromtoptobottominanNDProuteradvertisementtothe
recipient,whichthenusesthoseaddressesinthesameorder.Selectaserver
andMove UporMove DowntochangetheorderoftheserversorDeletea
serverwhenyounolongerneedit.
Lifetime EnterthemaximumnumberofsecondsaftertheIPv6DNSclientreceivesthe
routeradvertisementthatitcanusetheRDNSServerstoresolvedomain
names(rangeisthevalueofMaxInterval(sec)totwicetheMaxInterval;
defaultis1,200).
Suffix Addandconfigureoneormoredomainnames(suffixes)fortheDNSsearchlist
(DNSSL).Themaximumsuffixlengthis255bytes.
ADNSsearchlistisalistofdomainsuffixesthataDNSclientrouterappends
(oneatatime)toanunqualifieddomainnamebeforeitentersthenameintoa
DNSquery,therebyusingafullyqualifieddomainnameintheDNSquery.For
example,ifaDNSclienttriestosubmitaDNSqueryforthenamequality
withoutasuffix,therouterappendsaperiodandthefirstDNSsuffixfromthe
DNSsearchlisttothenameandtransmitstheDNSquery.IfthefirstDNSsuffix
onthelistiscompany.com,theresultingDNSqueryfromtherouterisforthe
fullyqualifieddomainnamequality.company.com.
IftheDNSqueryfails,therouterappendsthesecondDNSsuffixfromthelist
totheunqualifiednameandtransmitsanewDNSquery.TheroutertriesDNS
suffixesuntilaDNSlookupissuccessful(ignorestheremainingsuffixes)oruntil
therouterhastriedallofsuffixesonthelist.
ConfigurethefirewallwiththesuffixesyouwanttoprovidetotheDNSclient
routerinaNeighborDiscoveryDNSSLoption;theDNSclientreceivingthe
DNSSLoptionusesthesuffixesinitsunqualifiedDNSqueries.
searchlistthatthefirewallsendsinorderlistedfromtoptobottominan
NDProuteradvertisementtotherecipient,whichusestheminthesameorder.
SelectasuffixandMove UporMove Downtochangetheorderofthesuffixes
orDeleteasuffixfromthelistwhenyounolongerneedit.


InterfaceSettings
Lifetime Aggregated EnterthemaximumnumberofsecondsaftertheIPv6DNSclientreceivesthe

Ethernet routeradvertisementthatitcanuseadomainname(suffix)ontheDNSsearch
Interface > IPv6 > list(rangeisthevalueofMaxInterval(sec)totwicetheMaxInterval;defaultis
DNS Support 1,200).
(cont)
HAInterface
Eachhighavailability(HA)interfacehasaspecificfunction:oneinterfaceisforconfigurationsynchronization
andheartbeats,andtheotherinterfaceisforstatesynchronization.Ifactive/activehighavailabilityis
enabled,thefirewallcanuseathirdHAinterfacetoforwardpackets.
SomePaloAltoNetworksfirewallsincludededicatedphysicalportsforuseinHAdeployments(oneforthecontrol
linkandoneforthedatalink).Forfirewallsthatdonotincludededicatedports,youmustspecifythedataportsthat
willbeusedforHA.ForadditionalinformationonHA,refertoDevice>VirtualSystems.
ToconfigureanHAinterface,clickthenameofanInterface(ethernet1/1,forexample)thatisnotconfigured
andspecifythefollowinginformation.
HAInterface Description
Settings
InterfaceType SelectHA.
LinkDuplex Selectwhethertheinterfacetransmissionmodeisfullduplex(full),halfduplex(half),
ornegotiatedautomatically(auto).
LinkState Selectwhethertheinterfacestatusisenabled(up),disabled(down),ordetermined
automatically(auto).

Network>Interfaces>VLAN Network
Network>Interfaces>VLAN
AVLANinterfacecanprovideroutingintoaLayer3network(IPv4andIPv6).YoucanaddoneormoreLayer
2Ethernetports(seeLayer2Interface)toaVLANinterface.
VLANInterface ConfigureIn Description

Settings
InterfaceName VLAN Interface ThereadonlyInterface Nameissettovlan.Intheadjacentfield,entera

numericsuffix(19999)toidentifytheinterface.
VLAN VLAN Interface > SelectaVLANorclickVLANtodefineanewone(seeNetwork>VLANs).

Config SelectNonetoremovethecurrentVLANassignmentfromtheinterface.
VirtualRouter Assignavirtualroutertotheinterface,orclickVirtual Routertodefineanew

one(seeNetwork>VirtualRouters).SelectNonetoremovethecurrentvirtual
routerassignmentfromtheinterface.
selectavirtualsystem(vsys)fortheinterfaceorclickVirtual Systemtodefine
anewvsys.
Management VLAN Interface > Management ProfileSelectaprofilethatdefinestheprotocols(forexample,

Profile Advanced > Other SSH,Telnet,andHTTP)youcanusetomanagethefirewalloverthisinterface.
Info SelectNonetoremovethecurrentprofileassignmentfromtheinterface.
MTU Enterthemaximumtransmissionunit(MTU)inbytesforpacketssentonthis
interface(rangeis5769,192;defaultis1,500).Ifmachinesoneithersideofthe
firewallperformPathMTUDiscovery(PMTUD)andtheinterfacereceivesa
packetexceedingtheMTU,thefirewallreturnsanICMPfragmentationneeded
messagetothesourceindicatingthepacketistoolarge.
AdjustTCPMSS Selecttoadjustthemaximumsegmentsize(MSS)toaccommodatebytesfor
anyheaderswithintheinterfaceMTUbytesize.TheMTUbytesizeminusthe
MSSAdjustmentSizeequalstheMSSbytesize,whichvariesbyIPprotocol:
Usethesesettingstoaddressthecasewhereatunnelthroughthenetwork
requiresasmallerMSS.IfapackethasmorebytesthantheMSSwithout
fragmentation,thissettingenablestheadjustment.
Encapsulationaddslengthtoheaders,soithelpstoconfiguretheMSS
adjustmentsizetoallowbytesforsuchthingsasanMPLSheaderortunneled
trafficthathasaVLANtag.

Network Network>Interfaces>VLAN

Settings
IPAddress VLAN Interface > ToaddoneormorestaticAddressResolutionProtocol(ARP)entries,clickAdd

MACAddress Advanced > ARP andenteranIPaddress,enteritsassociatedhardware[mediaaccesscontrol
Interface Entries (MAC)]address,andselectaLayer3interfacethatcanaccessthehardware
address.Todeleteanentry,selecttheentryandclickDelete.StaticARPentries
reduceARPprocessingandprecludemaninthemiddleattacksforthe
specifiedaddresses.
IPv6Address VLAN Interface > ToprovideneighborinformationforNeighborDiscoveryProtocol(NDP),click

MACAddress Advanced > ND Add andentertheIPv6addressandMACaddressoftheneighbor.
Entries
EnableNDP VLAN Interface > SelecttoenableNeighborDiscoveryProtocol(NDP)Proxyfortheinterface.

Proxy Advanced > NDP ThefirewallwillrespondtoNDpacketsrequestingMACaddressesforIPv6
Proxy addressesinthislist.IntheNDresponse,thefirewallsendsitsownMAC
addressfortheinterface,andisbasicallysaying,sendmethepacketsmeant
fortheseaddresses.
(Recommended)EnableNDPProxyifyouareusingNetworkPrefixTranslation
IPv6(NPTv6).
IfyouEnable NDP Proxy,youcanfilternumerousAddressentries:firstenter
afilterandthenapplyit(greenarrow).
Address AddoneormoreIPv6addresses,IPranges,IPv6subnets,oraddressobjectsfor
whichthefirewallwillactasNDPProxy.Ideally,oneoftheseaddressesisthe
sameaddressasthatofthesourcetranslationinNPTv6.Theorderof
addressesdoesnotmatter.
Iftheaddressisasubnetwork,thefirewallwillsendanNDresponseforall
addressesinthesubnet,sowerecommendyoualsoaddthefirewallsIPv6
neighborsandthenclickNegatetoinstructthefirewallnottorespondtothese
IPaddresses.
Negate SelectNegateforanaddresstopreventNDPproxyforthataddress.Youcan
negateasubsetofthespecifiedIPaddressrangeorIPsubnet.
For an IPv4 address
Type VLAN Interface > SelectthemethodforassigninganIPv4addresstypetotheinterface:

IPv4 StaticYoumustmanuallyspecifytheIPaddress.
DHCP ClientEnablestheinterfacetoactasaDynamicHostConfiguration
Protocol(DHCP)clientandreceiveadynamicallyassignedIPaddress.
Firewallsthatareinactive/activehighavailability(HA)modedont
supportDHCPClient.
BasedonyourIPaddressmethodselection,theoptionsdisplayedinthetabwill
vary.


Settings
IPv4addressType=Static
IP VLAN Interface > ClickAdd,thenperformoneofthefollowingstepstospecifyastaticIPaddress

IPv4 andnetworkmaskfortheinterface.
CreateanAddressobjectoftypeIP netmask.
informationbase(FIB)yoursystemusesdeterminesthemaximumnumberof
IPaddresses.
DeleteanIPaddresswhenyounolongerneedit.
IPv4 address Type = DHCP
Enable VLAN Interface > SelecttoactivatetheDHCPclientontheinterface.

IPv4
Automatically Selecttoautomaticallycreateadefaultroutethatpointstothedefaultgateway
createdefault thattheDHCPserverprovides.
routepointingto
defaultgateway
providedby
server
DefaultRoute FortheroutebetweenthefirewallandDHCPserver,optionallyenteraroute
Metric metric(prioritylevel)toassociatewiththedefaultrouteandtouseforpath
selection(rangeis165,535;thereisnodefault).Theprioritylevelincreasesas
thenumericvaluedecreases.
ShowDHCP SelecttodisplayallsettingsreceivedfromtheDHCPserver,includingDHCP
ClientRuntime leasestatus,dynamicIPaddressassignment,subnetmask,gateway,andserver
Info settings(DNS,NTP,domain,WINS,NIS,POP3,andSMTP).
For an IPv6 address
EnableIPv6on VLAN Interface > SelecttoenableIPv6addressingonthisinterface.

theinterface IPv6
youenabletheUse interface ID as host portionoptionwhenaddingan
address,thefirewallusestheinterfaceIDasthehostportionofthataddress.


Settings
Address VLAN Interface > ClickAddandconfigurethefollowingparametersforeachIPv6address:

IPv6 (cont) AddressEnteranIPv6addressandprefixlength(e.g.2001:400:f00::1/64).
anaddressobject.
interface.
Send RASelecttoenablerouteradvertisement(RA)forthisIPaddress.
Whenyouselectthisoption,youmustalsogloballyEnable Router
Advertisementontheinterface.FordetailsonRA,seeEnableRouter
Advertisement.
considerstheaddressasvalid.Thevalidlifetimemustequalorexceed
thePreferred Lifetime.Thedefaultis2,592,000.
addressispreferred,whichmeansthefirewallcanuseittosendand
receivetraffic.Afterthepreferredlifetimeexpires,thefirewallcannot
usetheaddresstoestablishnewconnectionsbutanyexisting
connectionsarevaliduntiltheyexceedtheValid Lifetime.Thedefault
is604,800.
On-linkSelectifsystemswithIPaddresseswithintheadvertised
prefixarereachablewithoutarouter.
AutonomousSelectifsystemscanindependentlycreateanIPaddress
bycombiningtheadvertisedprefixwithaninterfaceID.
Enable VLAN Interface > Selecttoenableduplicateaddressdetection(DAD),whichallowsyoutospecify

Duplication IPv6 > Address thenumberofDADAttempts.
Address Resolution
Detection
DADAttempts SpecifythenumberofDADattemptswithintheneighborsolicitationinterval
(NS Interval)beforetheattempttoidentifyneighborsfails(rangeis110;
defaultis1).
ReachableTime Specifythelengthoftime,inseconds,thataneighborremainsreachableafter
asuccessfulqueryandresponse(rangeis136,000;defaultis30).
NSInterval SpecifythenumberofsecondsforDADattemptsbeforefailureisindicated
(neighbor (rangeis110;defaultis1).
solicitation
interval)
EnableNDP SelecttoenableNeighborDiscoveryProtocolmonitoring.Whenenabled,you
Monitoring canselecttheNDP( inFeaturescolumn)andviewinformationsuchasthe
IPv6addressofaneighborthefirewallhasdiscovered,thecorrespondingMAC
addressandUserID(onabestcasebasis).


Settings
EnableRouter VLAN Interface > SelecttoprovideNeighborDiscoveryonIPv6interfacesandconfigurethe

Advertisement IPv6 > Router otherfieldsinthissection.IPv6DNSclientsthatreceivetherouter
Advertisement advertisement(RA)messagesusethisinformation.
RAenablesthefirewalltoactasadefaultgatewayforIPv6hoststhatarenot
staticallyconfiguredandtoprovidethehostwithanIPv6prefixforaddress
configuration.YoucanuseaseparateDHCPv6serverinconjunctionwiththis
featuretoprovideDNSandothersettingstoclients.
individualIPaddresses,AddanAddresstotheIPaddresstableandconfigure
it.IfyousetRAoptionsforanyIPaddress,youmustEnable Router
MinInterval(sec) Specifytheminimuminterval,inseconds,betweenRAsthatthefirewallwill
MaxInterval(sec) Specifythemaximuminterval,inseconds,betweenRAsthatthefirewallwill
HopLimit Specifythehoplimittoapplytoclientsforoutgoingpackets(rangeis1255;
defaultis64).Enter0fornohoplimit.
LinkMTU Specifythelinkmaximumtransmissionunit(MTU)toapplytoclients.Select
unspecifiedfornolinkMTU(rangeis12809192;defaultisunspecified).
ReachableTime Specifythereachabletime,inmilliseconds,thattheclientwillusetoassumea
(ms) neighborisreachableafterreceivingareachabilityconfirmationmessage.
Selectunspecifiedfornoreachabletimevalue(rangeis03,600,000;defaultis
unspecified).
RetransTime(ms) Specifytheretransmissiontimerthatdetermineshowlongtheclientwillwait
(inmilliseconds)beforeretransmittingneighborsolicitationmessages.Select
unspecifiedfornoretransmissiontime(rangeis04,294,967,295;defaultis
unspecified).
RouterLifetime Specifyhowlong,inseconds,theclientwillusethefirewallasthedefault
(sec) gateway(rangeis09,000;defaultis1,800).Zerospecifiesthatthefirewallis
notthedefaultgateway.Whenthelifetimeexpires,theclientremovesthe
firewallentryfromitsDefaultRouterListandusesanotherrouterasthe
defaultgateway.
Router IfthenetworksegmenthasmultipleIPv6routers,theclientusesthisfieldto
Preference selectapreferredrouter.SelectwhethertheRAadvertisesthefirewallrouter
ashavingaHigh,Medium(default),orLowpriorityrelativetootherrouterson
thesegment.
Configuration
Other Selecttoindicatetotheclientthatotheraddressinformation(forexample,
Configuration DNSrelatedsettings)isavailableviaDHCPv6.


Settings
Consistency VLAN Interface > SelectifyouwantthefirewalltoverifythatRAssentfromotherroutersare

Check IPv6 > Router advertisingconsistentinformationonthelink.Thefirewalllogsany
Advertisement inconsistenciesinasystemlog;thetypeisipv6nd.
(cont)
IncludeDNS VLAN Interface > SelectforthefirewalltosendDNSinformationinNDProuteradvertisements

informationin IPv6 > DNS fromthisIPv6VLANinterface.TheotherDNSSupportfieldsinthistableare
Router Support visibleonlyafteryouselectthisoption.
Advertisement
Server AddoneormorerecursiveDNS(RDNS)serveraddressesforthefirewallto
sendinNDProuteradvertisementsfromthisIPv6VLANinterface.RDNS
serverssendaseriesofDNSlookuprequeststorootDNSserversand
authoritativeDNSserverstoultimatelyprovideanIPaddresstotheDNSclient.
YoucanconfigureamaximumofeightRDNSserversthatthefirewallsends
intheorderlistedfromtoptobottominanNDProuteradvertisementtothe
recipient,whichthenusestheminthesameorder.SelectaserverandMove Up
orMove DowntochangetheorderoftheserversorDeleteaserverfromthe
listwhenyounolongerneedit.
routeradvertisementthatitcanusetheRDNSserverstoresolvedomain
names(rangeisthevalueofMaxInterval(sec)totwicetheMaxInterval;
defaultis1,200).
Suffix Addandconfigureoneormoredomainnames(suffixes)fortheDNSsearchlist
(DNSSL).Themaximumsuffixlengthis255bytes.
ADNSsearchlistisalistofdomainsuffixesthataDNSclientrouterappends
(oneatatime)toanunqualifieddomainnamebeforeitentersthenameintoa
DNSquery,therebyusingafullyqualifieddomainnameintheDNSquery.For
example,ifaDNSclienttriestosubmitaDNSqueryforthenamequality
withoutasuffix,therouterappendsaperiodandthefirstDNSsuffixfromthe
DNSsearchlisttothenameandthentransmitstheDNSquery.IfthefirstDNS
suffixonthelistiscompany.com,theresultingDNSqueryfromtherouteris
forthefullyqualifieddomainnamequality.company.com.
IftheDNSqueryfails,therouterappendsthesecondDNSsuffixfromthelist
totheunqualifiednameandtransmitsanewDNSquery.TheroutertriesDNS
suffixesuntilaDNSlookupissuccessful(ignorestheremainingsuffixes)oruntil
therouterhastriedallofsuffixesonthelist.
ConfigurethefirewallwiththesuffixesthatyouwanttoprovidetotheDNS
clientrouterinaNeighborDiscoveryDNSSLoption;theDNSclientreceiving
theDNSSLoptionusesthesuffixesinitsunqualifiedDNSqueries.
searchlistthatthefirewallsendsinorderlistedfromtoptobottominan
NDProuteradvertisementtotherecipient,whichusesthoseaddressesinthe
sameorder.SelectasuffixandMove UporMove Downtochangetheorderof
thesuffixesorDeleteasuffixfromthelistwhenyounolongerneedit.
routeradvertisementthatitcanuseadomainname(suffix)ontheDNSsearch
list(rangeisthevalueofMaxInterval(sec)totwicetheMaxInterval;defaultis
1,200).

Network>Interfaces>Loopback Network
Network>Interfaces>Loopback
Usethefollowingfieldstoconfigurealoopbackinterface:
Loopback ConfigureIn Description

InterfaceSettings
InterfaceName Loopback ThereadonlyInterface Nameissettoloopback.Intheadjacentfield,entera

Interface numericsuffix(19999)toidentifytheinterface.
VirtualRouter Loopback Assignavirtualroutertotheinterface,orclickVirtual Routertodefineanew

Interface > Config one(seeNetwork>VirtualRouters).SelectNonetoremovethecurrentvirtual
anewvsys.
Management Tunnel Interface Management ProfileSelectaprofilethatdefinestheprotocols(forexample,

Profile > Advanced > SSH,Telnet,andHTTP)youcanusetomanagethefirewalloverthisinterface.
Other Info SelectNonetoremovethecurrentprofileassignmentfromtheinterface.
interface(5769,192;defaultis1,500).Ifmachinesoneithersideofthefirewall
performPathMTUDiscovery(PMTUD)andtheinterfacereceivesapacket
exceedingtheMTU,thefirewallreturnsanICMPfragmentationneeded
AdjustTCPMSS Selecttoadjustthemaximumsegmentsize(MSS)toaccommodatebytesfor
anyheaderswithintheinterfaceMTUbytesize.TheMTUbytesizeminusthe
MSSAdjustmentSizeequalstheMSSbytesize,whichvariesbyIPprotocol:
Usethesesettingstoaddressthecasewhereatunnelthroughthenetwork
requiresasmallerMSS.IfapackethasmorebytesthantheMSSwithout
fragmentation,thissettingenablestheadjustment.
Encapsulationaddslengthtoheaders,soithelpstoconfiguretheMSS
adjustmentsizetoallowbytesforsuchthingsasanMPLSheaderortunneled
trafficthathasaVLANtag.

Network Network>Interfaces>Loopback
Loopback ConfigureIn Description

InterfaceSettings
For an IPv4 address
IP Loopback ClickAdd,thenperformoneofthefollowingstepstospecifyastaticIPaddress
Interface > IPv4 andnetworkmaskfortheinterface.
IPaddresses.
For an IPv6 address
EnableIPv6on Loopback SelecttoenableIPv6addressingonthisinterface.

theinterface Interface > IPv6
anaddressobject.
interface.

Network>Interfaces>Tunnel Network
Network>Interfaces>Tunnel
Usethefollowingfieldstoconfigureatunnelinterface:
TunnelInterface ConfigureIn Description

Settings
InterfaceName Tunnel Interface ThereadonlyInterface Nameissettotunnel.Intheadjacentfield,entera

numericsuffix(19,999)toidentifytheinterface.
VirtualRouter Tunnel Interface Assignavirtualroutertotheinterface,orclickVirtual Routertodefineanew

> Config one(seeNetwork>VirtualRouters).SelectNonetoremovethecurrentvirtual
anewvsys.
Management Tunnel Interface Management ProfileSelectaprofilethatdefinestheprotocols(forexample,

Profile > Advanced > SSH,Telnet,andHTTP)youcanusetomanagethefirewalloverthisinterface.
Other Info SelectNonetoremovethecurrentprofileassignmentfromtheinterface.
interface(5769,192;defaultis1,500).Ifmachinesoneithersideofthefirewall
performPathMTUDiscovery(PMTUD)andtheinterfacereceivesapacket
exceedingtheMTU,thefirewallreturnsanICMPfragmentationneeded
For an IPv4 address
IP Tunnel Interface ClickAdd,thenperformoneofthefollowingstepstospecifyastaticIPaddress

> IPv4 andnetworkmaskfortheinterface.
IPaddresses.
For an IPv6 address
EnableIPv6on Tunnel Interface SelecttoenableIPv6addressingonthisinterface.

theinterface > IPv6

Network Network>Interfaces>Tunnel
TunnelInterface ConfigureIn Description

Settings
InterfaceID Tunnel Interface Enterthe64bitextendeduniqueidentifier(EUI64)inhexadecimalformat(for

> IPv6 example,00:26:08:FF:FE:DE:4E:29).Ifyouleavethisfieldblank,thefirewall
anaddressobject.
interface.

Network>VirtualRouters Network
Network>VirtualRouters
Thefirewallrequiresavirtualroutertoobtainroutestoothersubnetseitherusingstaticroutesthatyou
manuallydefine,orthroughparticipationinLayer3routingprotocols(dynamicroutes).EachLayer3
interface,loopbackinterface,andVLANinterfacedefinedonthefirewallmustbeassociatedwithavirtual
router.Eachinterfacecanbelongtoonlyonevirtualrouter.
Definingavirtualrouterrequiresgeneralsettingsandanycombinationofstaticroutesordynamicrouting
protocols,asrequiredbyyournetwork.Youcanalsoconfigureotherfeaturessuchasrouteredistribution
andECMP.
Whataretherequiredelementsof GeneralSettingsofaVirtualRouter
avirtualrouter?
Configure:
StaticRoutes
RouteRedistribution
RIP
OSPF
OSPFv3
BGP
IPMulticast
ECMP
Viewinformationaboutavirtual MoreRuntimeStatsforaVirtualRouter
router.
Looking for more? Networking

Network Network>VirtualRouters
GeneralSettingsofaVirtualRouter
Network>VirtualRouters>RouterSettings>General
AllvirtualroutersrequirethatyouassignLayer3interfacesandadministrativedistancemetricsasdescribed
inthefollowingtable.
VirtualRouterGeneral Description
Settings
Name Specifyanametodescribethevirtualrouter(upto31characters).Thename
Interfaces Selecttheinterfacesthatyouwanttoincludeinthevirtualrouter.Thus,they
canbeusedasoutgoinginterfacesinthevirtualroutersroutingtable.
Tospecifytheinterfacetype,refertoNetwork>Interfaces.
Whenyouaddaninterface,itsconnectedroutesareaddedautomatically.
AdministrativeDistances Specifythefollowingadministrativedistances:
Static routesRangeis10240;defaultis10.
OSPF IntRangeis10240;defaultis30.
OSPF ExtRangeis10240;defaultis110.
IBGPRangeis10240;defaultis200.
EBGPRangeis10240;defaultis20.
RIPRangeis10240;defaultis120.
StaticRoutes
Network>VirtualRouters>StaticRoutes
Optionallyaddoneormorestaticroutes.ClicktheIPorIPv6tabtospecifytherouteusinganPv4orIPv6
address.Itisusuallynecessarytoconfiguredefaultroutes(0.0.0.0/0)here.Defaultroutesareappliedfor
destinationsthatareotherwisenotfoundinthevirtualroutersroutingtable.
StaticRouteSettings Description
Name Enteranametoidentifythestaticroute(upto31characters).Thenameis
Destination EnteranIPaddressandnetworkmaskinClasslessInterdomainRouting
(CIDR)notation:ip_address/mask(forexample,192.168.2.0/24forIPv4or
2001:db8::/32forIPv6).
Interface Selecttheinterfacetoforwardpacketstothedestination,orconfigurethe
nexthopsettings,orboth.

Network>VirtualRouters Network
StaticRouteSettings Description
NextHop Selectoneofthefollowing:
IP AddressSelecttoentertheIPaddressofthenexthoprouter.
Next VRSelecttoselectavirtualrouterinthefirewallasthenexthop.
Thisallowsyoutorouteinternallybetweenvirtualrouterswithinasingle
firewall.
DiscardSelectifyouwanttodroptrafficthatisaddressedtothis
destination.
NoneSelectifthereisnonexthopfortheroute.
AdminDistance Specifytheadministrativedistanceforthestaticroute(10240;defaultis
10).
Metric Specifyavalidmetricforthestaticroute(165535).
RouteTable Selecttheroutetableintowhichthefirewallinstallsthestaticroute:
UnicastInstallstherou

Sprache

Willkommen bei Scribd!

Web Interface Help

Hochgeladen von

Dokumentinformationen

Beschreibung:

Datum des Uploads

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Beschreibung:

Copyright:

Verfügbare Formate

Web Interface Help

Hochgeladen von

Beschreibung:

Copyright:

Verfügbare Formate

Verwandte Titel

PANOS

Palo Alto Networks, Inc.

DestinationTab .............................................................. 117

Network>Interfaces>Tunnel ..................................................... 258

Device ............................................................ 367

UserIdentification ................................................. 511

AnytimetheMessage of the Daychanges,themessageappearsinyournextsessionevenifyouselectedDo

Tonavigatethedialogpages,clicktheright( )andleft( )arrowsalongthesidesofthedialogorclicka

GroupbyLocationType GroupsthelistofconfigurationchangesintheCommit Scopeby

SelectConfig > Save ChangesatthetoprightofthefirewallorPanoramawebinterfacetosaveanewsnapshot

GroupbyLocationType GroupsthelistofconfigurationchangesintheSave ScopebyLocation

SelectConfig > Revert ChangesatthetoprightofthefirewallorPanoramawebinterfacetoundochanges

GroupbyLocationType ListstheconfigurationchangesintheRevert ScopebyLocation Type.

TakeaLock Tosetalock,Take a Lock,selecttheType,selecttheLocation(multiple

RemoveLock Toreleasealock,selectit,Remove Lock,clickOK,andthenClose.

ID UniquethreatsignatureID.SelectView in Threat VaulttoopenaThreatVaultsearch

Exempt Profiles Securityprofilesthatdefineadifferentenforcementactionforthethreatsignature

Used in current security ActivethreatexceptionsAcheckmarkinthiscolumnindicatesthatthefirewallis

Exempt IP Addresses ExemptIPaddressesYoucanaddanIPaddressonwhichtofilterthethreat

Analysis Information Tab

MatchingTags AutoFocustags matchedtotheartifact:

Passive DNS Tab

Matching Hashes Tab

Addacustomtab. 1. SelectAdd( )alongthelistoftabs.

Resetthedefaultview. Onapredefinedview,suchastheBlocked Activityview,

SetaglobalfilterusingtheGlobalFilters Add( )filtersyouwanttoapply.

Removeafilter. ClickRemove( )toremoveafilter.

Clearallfilters GlobalfiltersClear AllGlobalFilters.

Negatefilters SelectanattributeandNegate( )afilter.

Looking for more? Monitorandmanagelogs.

ExportLogs ClickExporttoCSV( )toexportalllogsmatchedtothecurrentfiltertoa

Monitor > External Logs > Thesethreateventsincludeallprevention,notification,provisional,and

Monitor > External Logs > ESMServersystemeventsincludechangesrelatedtoESMstatus,licenses,ESMTech

Monitor > External Logs > Policychangeeventsincludechangestorules,protectionlevels,contentupdates,

Monitor > External Logs > Agentchangeeventsoccurontheendpointandincludechangestocontentupdates,

Monitor > External Logs > ESMconfigurationchangeeventsincludesystemwidechangestolicensing,

Looking for more? UsetheAutomatedCorrelationEngine

Looking for more?

ThefollowingtabledescribesthecomponentsoftheMonitor > Packet Capturepagethatyouusetoconfigure

CustomPacket ConfiguredIn Description

ManageFilters ConfigureFiltering Whenenablingcustompacketcaptures,youshoulddefine

Filtering ConfigureFiltering Afterdefiningfilters,settheFilteringtoON.IffilteringisOFF,

PreParseMatch ConfigureFiltering Thisoptionisforadvancedtroubleshootingpurposes.Aftera

CustomPacket ConfiguredIn Description

PacketCapture ConfigureCapturing ClickthetoggleswitchtoturnpacketcaptureONorOFF.

CapturedFiles CapturedFiles Containsalistofcustompacketcapturespreviouslygenerated

ClearAllSettings Settings ClickClear All Settingstoturnoffpacketcaptureandtoclear

Antivirus Selectacustomantivirusprofileand,intheAntivirustab,selectPacket Capture.

AntiSpyware SelectacustomAntiSpywareprofile,clicktheDNS Signaturestaband,inthe

SelectMonitor > Session Browsertobrowseandfiltercurrentrunningsessionsonthefirewall.Forinformation

Looking for more? SetUpAntivirus,AntiSpyware,andVulnerabilityProtection

CleartheentireBlockIP ClickClear Alltopermanentlydeleteallentries,whichmeansthosepacketsareno

TestRunTimeFrame SelectthetimeintervalforthereportLast 24 Hours(default)orLast

RunNow ClickRun Nowtomanuallyandimmediatelygenerateareport.Thereport

TocreatePDFsummaryreports,clickAdd.ThePDF Summary Reportpageopenstoshowalloftheavailable

Type ForUserActivityReport:SelectUserandentertheUsernameorIP address

TimePeriod Selectthetimeframeforthereportfromthedropdown:Last 7 Days,Last 30