1 Release
Introduction to Administering the New Features in PAN-OS 6.1
Agenda
Introducing PAN-OS 6.1
Dates and Details
Honorable Mentions
Resources for Installation, Upgrading, Training
[Diagram labels: Guests, Users, Data Center]
[Diagram, repeated three times: "From zone" matches "To zone", with ZoneA and ZoneB]
Authenticated NTP
NTP Autokey
The Autokey protocol exchanges cryptographic values in a manner
designed to resist clogging and replay attacks.
It uses time-stamped digital signatures to sign a session key, and
then a pseudo-random sequence to bind each session key to the
preceding one and eventually to the signature.
PAN-OS 6.0
PAN-OS 6.1
The current TCP close state depends on a single timer, the "TCP wait" timer,
to remove the session from the session table. This timer is triggered by the
first FIN/RST (default 30 seconds).
In some applications, there might be additional data following the FIN
packet, or some additional processing time, before the second FIN is sent. If
the second FIN arrives more than 30 seconds after the first, the session will
already have been removed. The late-arriving second FIN is then dropped,
possibly causing the client/server application to hang.
This new feature allows the first FIN to trigger the TCP half-close timer
enabling the additional traffic to successfully pass without timing out.
Once the second FIN is seen, it will then trigger the TCP time-wait timer.
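The timer change described above, as an added example: a simplified model of session teardown, not PAN-OS code and not part of the original slides. Only the 30-second single timer comes from the text; the 120-second half-closed value, the 15-second time-wait value and the packet trace are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Timeouts:
    single_wait: int = 30    # from the text: one TCP wait timer, default 30 s
    half_closed: int = 120   # assumed value for timeout-tcp-half-closed
    time_wait: int = 15      # assumed value for timeout-tcp-time-wait

def replay(events, timeouts, half_close_aware):
    """Replay (time_s, kind) packets of one session through the model.

    Returns (time_s, kind, verdict) tuples. A packet is "drop" when it
    arrives after the session was removed from the session table.
    """
    expires = None   # absolute time at which the session is removed
    fins_seen = 0
    results = []
    for t, kind in sorted(events):
        if expires is not None and t >= expires:
            results.append((t, kind, "drop"))
            continue
        results.append((t, kind, "pass"))
        if kind != "FIN":
            continue
        fins_seen += 1
        if not half_close_aware:
            if fins_seen == 1:               # old: first FIN starts the only timer
                expires = t + timeouts.single_wait
        elif fins_seen == 1:                 # new: first FIN starts half-closed timer
            expires = t + timeouts.half_closed
        else:                                # new: second FIN starts time-wait timer
            expires = t + timeouts.time_wait
    return results

def dropped(results):
    """Packets that arrived after the session had been removed."""
    return [(t, kind) for t, kind, verdict in results if verdict == "drop"]

# Constructed trace: the client closes at t=0, the server keeps sending
# data and sends its own FIN 45 seconds later.
TRACE = [(0, "FIN"), (10, "DATA"), (25, "DATA"), (40, "DATA"), (45, "FIN")]

if __name__ == "__main__":
    for label, aware in (("single timer", False), ("half-closed + time-wait", True)):
        print(label, "->", dropped(replay(TRACE, Timeouts(), aware)))
```

With the single timer, the data at 40 seconds and the second FIN at 45 seconds are dropped; with the two-timer model the same trace passes in full.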
> timeout-tcp-time-wait
> timeout-tcp-unverified-rst
Configure command:
set deviceconfig setting session timeout-tcp-half-closed <time>
set deviceconfig setting session timeout-tcp-unverified-rst <time>
Global Counters:
session_unverified_rst
session_pkt_in_closed_state
WildFire Enhancements
[Diagram labels: AV, DNS and URL; WildFire, mail server, exploit, BLOCK, compromised host; e-mail fields: sender/receiver, subject, URL/attachments]
[Diagram labels: physical servers, virtualized servers, corporate data center, web, AWS Management Console, app, DB, standard hardware]
42 | 2012, Palo Alto Networks. Confidential and Proprietary.
WildFire
Analysis of web-based Adobe Flash files
Windows 7 64-bit analysis VM
Analysis report enhancements
Severity
Coverage status
URL Filtering
Full path categorization
Networking
LACP support
Increased NAT capacity
GlobalProtect
Support for third-party Windows credential providers
Management
M-100 multiple interfaces
LACP Support
Public CAs and some popular browsers are dropping, or limiting, support for X.509
certificates using 1024-bit keys.
At various phases during packet processing, a session may be denied, bypassed, etc.
Online Resources
Support Resources