
PAN-OS 6.1 Release
Introduction to Administering the New Features in PAN-OS 6.1

Agenda

- Introducing PAN-OS 6.1
  - Dates and Details
- Main Features and Functions of Focus
  - Security rulebase enhancement
  - Authenticated NTP
  - Half-closed TCP session handling
  - WildFire enhancements
- Honorable Mentions
- Resources for Installation, Upgrading, Training

2 | 2014, Palo Alto Networks. Confidential and Proprietary.

Key Dates and Availability

- Public Launch Date: October 21st
  - Press release
  - Website, collateral updates and launch page
  - Blog
- PAN-OS 6.1 Launch
  - What's New in 6.1
  - Two-minute video
- Overview of Palo Alto Networks Security Solutions for Cloud Computing
  - VM-Series datasheet
  - KVM datasheet
  - AWS datasheet
- Accompanying Updates to the Partner Portal
  - Customer and Partner Presentation: You Can Have it All
  - Benefits and success

Security Rulebase Enhancement

Security Zones and Policies

- Security Policies use Zones to regulate and log traffic
- Intra-zone traffic is allowed by default
- Inter-zone traffic is denied by default

[Diagram: zones DMZ, Internet, Guests, Users, Data Center]

Security Zone Rules: Three Types

- Intra-zone: traffic within the same zone
  - Allowed by default
- Inter-zone: traffic traversing from one zone to another
  - Denied by default
- Universal: traffic applying to both zones (Intra-zone & Inter-zone)
  - Behaves as normal: checks the rule and applies the action

Security Zone Rule Types: Benefits

- More efficient rulebase management
  - Create only a single rule to handle the Intra-zone traffic for a set of zones
    without affecting the Inter-zone traffic, and vice versa.
- Deny all Intra-zone traffic without having to create a number of explicit
  rules, or by creating a catch-all rule
  - No longer a need for an "any any any deny" rule.
- Enable logging on both Intra-zone and Inter-zone traffic
  - Logs associated with the "Intrazone-default" and "Interzone-default" rules are
    treated the same as logs from any other rule
  - This enables you to filter and see the traffic that is being blocked
  - No longer need to create explicit rules for every zone pair just to see logs
- May now enable Security Profiles on both Intra-zone and Inter-zone rules.

Rule Type Example: Intrazone

Intrazone Rule Type (from zones ZoneA and ZoneB):

From zone | To zone | Matches
ZoneA     | ZoneA   | yes
ZoneB     | ZoneB   | yes
ZoneA     | ZoneB   | no
ZoneB     | ZoneA   | no

Rule Type Example: Interzone

Interzone Rule Type (from zones ZoneA and ZoneB, to zones ZoneA and ZoneB):

From zone | To zone | Matches
ZoneA     | ZoneB   | yes
ZoneB     | ZoneA   | yes
ZoneA     | ZoneA   | no
ZoneB     | ZoneB   | no

Rule Type Example: Universal (The Default)

Universal Rule Type (from zones ZoneA and ZoneB, to zones ZoneA and ZoneB):

From zone | To zone | Matches
ZoneA     | ZoneA   | yes
ZoneA     | ZoneB   | yes
ZoneB     | ZoneA   | yes
ZoneB     | ZoneB   | yes
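The three rule types above, modelled as a first-match evaluator. This is an added example, not code from the deck or from PAN-OS: the zone names, rule names and the rulebase are constructed, and the two read-only defaults are modelled as ordinary rules that sit after every explicit rule. It also shows what "Override" on a default rule amounts to (same match, same action, logging switched on).

```python
"""Added example, not code from PAN-OS or the deck: a small model of how the
intrazone, interzone and universal rule types decide whether a rule matches a
(source zone, destination zone) pair, and how the read-only defaults
(intrazone-default allow, interzone-default deny) catch whatever no explicit
rule matches. Zone and rule names are constructed."""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str                # "intrazone", "interzone" or "universal"
    from_zones: Tuple[str, ...]   # "any" may be used
    to_zones: Tuple[str, ...]     # ignored for intrazone rules
    action: str                   # "allow" or "deny"
    log: bool = True

    @staticmethod
    def _in(zone: str, zones: Tuple[str, ...]) -> bool:
        return "any" in zones or zone in zones

    def matches(self, src_zone: str, dst_zone: str) -> bool:
        if self.rule_type == "intrazone":
            # only traffic that stays inside one of the listed zones
            return src_zone == dst_zone and self._in(src_zone, self.from_zones)
        if self.rule_type == "interzone":
            # only traffic crossing from a listed source zone to a listed destination zone
            return (src_zone != dst_zone and self._in(src_zone, self.from_zones)
                    and self._in(dst_zone, self.to_zones))
        if self.rule_type == "universal":
            # the pre-6.1 behaviour: both intra-zone and inter-zone pairs
            return self._in(src_zone, self.from_zones) and self._in(dst_zone, self.to_zones)
        raise ValueError(f"unknown rule type: {self.rule_type}")


# The two pre-defined defaults; read only unless overridden (e.g. to turn on logging).
INTRAZONE_DEFAULT = Rule("intrazone-default", "intrazone", ("any",), ("any",), "allow", log=False)
INTERZONE_DEFAULT = Rule("interzone-default", "interzone", ("any",), ("any",), "deny", log=False)


def override_default_logging(default_rule: Rule) -> Rule:
    """Model of 'Override' on a default rule: same match and action, logging enabled."""
    return replace(default_rule, log=True)


def evaluate(rulebase: List[Rule], src_zone: str, dst_zone: str,
             defaults=(INTRAZONE_DEFAULT, INTERZONE_DEFAULT)) -> Tuple[str, str, bool]:
    """First-match evaluation: explicit rules in order, then the defaults.
    Returns (rule name, action, whether the session is logged)."""
    for rule in list(rulebase) + list(defaults):
        if rule.matches(src_zone, dst_zone):
            return rule.name, rule.action, rule.log
    raise RuntimeError("the two defaults cover every zone pair")


# Constructed rulebase using the zone names shown on the slides.
RULEBASE = [
    Rule("users-to-dmz", "universal", ("Users",), ("DMZ",), "allow"),
    Rule("isolate-guests", "intrazone", ("Guests",), ("Guests",), "deny"),
]

if __name__ == "__main__":
    for pair in [("Users", "DMZ"), ("Guests", "Guests"), ("Users", "Users"), ("DMZ", "Users")]:
        print(pair, "->", evaluate(RULEBASE, *pair))
```

Note that the Guests-to-Guests deny needs only one intrazone rule and never touches Guests-to-DMZ traffic, which is exactly the rulebase-management point made on the benefits slide; the DMZ-to-Users pair falls through to interzone-default and is only visible in the logs once that default has been overridden.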

Security Zone Rule: Enable Logging

- Two pre-defined default rules; both are Read Only.
  - Intrazone-default
  - Interzone-default
- Override to configure additional settings, such as Logging
  - This will enable you to turn on logging.

Authenticated NTP

NTP Protocol: Unauthenticated vs. Authenticated NTP

- Without authenticating NTP messages, the possibility exists for the
  firewall to be compromised.
  - Tampering with the system clock to change the time.
- If the firewall uses schedule-based policies, this will adversely
  impact the application of the Security and QoS policies of the firewall.
- The firewall may be blocked from connecting to various SSL
  services related to management or SSL decryption if its time is tampered with.
- Threat and traffic logs can be hidden by temporarily tampering with
  the firewall's clock while malicious activity takes place.

Authenticated NTP Basics

- Supported from NTP version NTP-4.2.6
  - NTPv4 supports time-stamped digital signatures and X.509 certificates
    to verify the source as per common industry practices. It also supports
    several optional identity schemes based on cryptographic challenge-response algorithms.
- Two broad methods of authenticating: Symmetric key and Autokey
  - Symmetric Key Modes: Symmetric key MD5 hash, Symmetric key SHA1 hash
  - PKI: Autokey IFF scheme, Autokey GQ scheme

NTP Autokey

- The Autokey protocol exchanges cryptographic values in a manner
  designed to resist clogging and replay attacks.
- Uses time-stamped digital signatures to sign a session key and
  then a pseudo-random sequence to bind each session key to the
  preceding one and eventually to the signature.

NTP GUI Configuration

Device > Services > Edit icon > NTP

NTP CLI Configuration

set deviceconfig system ntp-servers primary-ntp-server authentication-type symmetric-key key-id <1-65534>

set deviceconfig system ntp-servers primary-ntp-server authentication-type symmetric-key algorithm md5 authentication-key <value>

set deviceconfig system ntp-servers primary-ntp-server authentication-type symmetric-key algorithm sha1 authentication-key <value>

set deviceconfig system ntp-servers primary-ntp-server authentication-type autokey
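What the symmetric-key MD5/SHA1 modes from the Basics slide, and the key-id and authentication-key values configured above, actually protect is the NTP packet's MAC field: a 4-byte key ID followed by a digest of the shared key concatenated with the 48-byte NTP header (RFC 5905 symmetric-key authentication). The block below is an added example, not firewall code: it builds such an authenticator, verifies it against a trusted keyring, and shows that shifting the transmit timestamp (the clock-tampering scenario on the earlier slide) makes the digest check fail. Keys, key IDs and the timestamp are constructed.

```python
"""Added example (not PAN-OS code): building and verifying the NTP symmetric-key
authenticator for the MD5 and SHA1 modes. Keys, key IDs and the packet below are
constructed for illustration."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
DIGEST_LEN = {"md5": 16, "sha1": 20}


def build_ntp_header(tx_unix_time: float) -> bytes:
    """48-byte NTPv4 client header (LI=0, VN=4, mode=3) with only the
    transmit timestamp filled in; enough to illustrate the MAC."""
    ntp_seconds = int(tx_unix_time) + 2208988800          # 1970 -> 1900 epoch offset
    fraction = int((tx_unix_time % 1) * (1 << 32))
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (4 << 3) | 3
    struct.pack_into("!II", header, 40, ntp_seconds, fraction)
    return bytes(header)


def ntp_mac(header: bytes, key_id: int, key: bytes, algorithm: str) -> bytes:
    """Symmetric-key authenticator: 4-byte key ID followed by H(key || header)."""
    digest = hashlib.new(algorithm, key + header).digest()
    return struct.pack("!I", key_id) + digest


def verify_ntp_packet(packet: bytes, keyring: dict) -> tuple:
    """Check a received packet against the trusted keyring {key_id: (algorithm, key)}.
    Returns (ok, reason). Unauthenticated packets are rejected outright."""
    if len(packet) < NTP_HEADER_LEN + 4 + DIGEST_LEN["md5"]:
        return False, "no authenticator present"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    received = packet[NTP_HEADER_LEN + 4:]
    if key_id not in keyring:
        return False, f"unknown key id {key_id}"
    algorithm, key = keyring[key_id]
    if len(received) != DIGEST_LEN[algorithm]:
        return False, "digest length does not match configured algorithm"
    expected = hashlib.new(algorithm, key + header).digest()
    if not hmac.compare_digest(expected, received):     # constant-time comparison
        return False, "digest mismatch (tampered packet or wrong key)"
    return True, f"authenticated with key id {key_id} ({algorithm})"


# Constructed keyring: key id 7 uses MD5, key id 8 uses SHA1.
KEYRING = {7: ("md5", b"constructed-md5-key"), 8: ("sha1", b"constructed-sha1-key")}


def demo() -> tuple:
    """Authenticate a good packet, then shift its transmit time by one hour
    while keeping the old MAC, as a clock-tampering attempt would."""
    header = build_ntp_header(1413849600.5)             # constructed timestamp
    packet = header + ntp_mac(header, 8, KEYRING[8][1], "sha1")
    ok, _ = verify_ntp_packet(packet, KEYRING)
    forged = bytearray(packet)
    seconds = struct.unpack_from("!I", forged, 40)[0]
    struct.pack_into("!I", forged, 40, seconds + 3600)
    tampered_ok, reason = verify_ntp_packet(bytes(forged), KEYRING)
    return ok, tampered_ok, reason


if __name__ == "__main__":
    print(demo())
```

The key ID in the packet is what the firewall's key-id setting has to agree with on both ends; the digest length check is why the configured algorithm (md5 or sha1) must also match, since a 16-byte MD5 digest under a SHA1 key ID is simply rejected.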

NTP Troubleshooting CLI


admin@PA-3060> show ntp
NTP state:
NTP synched to 10.4.6.22
NTP server: 10.4.6.21
status: available
reachable: yes
authentication-type: autokey
NTP server: 10.4.6.22
status: synched
reachable: yes
authentication-type: symmetric key
admin@PA-3060>


PAN-OS Upgrade / Downgrade

- When Upgrading to PAN-OS 6.1
  - NTP settings will be retained and authentication will be set to none.
  - NTP rpm will be upgraded to NTP-4.2.6
- During Downgrade to PAN-OS 6.0 or Below
  - NTP authentication settings will be cleared

TCP Half-Closed Session Handling

Introducing New TCP Wait Timers

- TCP Half-Closed Timer
  - May now increase or decrease the time the firewall will wait
    before closing a session
- Unverified RST Timer
  - Provides an additional security measure

[Diagram: timer behavior in PAN-OS 6.0 vs. PAN-OS 6.1]

TCP Half-Closed Session Handling

The current TCP close state depends on a single timer to remove the session
from the session table, a "TCP wait timer". This timer was triggered upon the
first FIN/RST (default 30 seconds).

In some applications, there might be some additional data following the FIN
packet, or some additional processing time, before the second FIN is sent. If
the second FIN exceeds 30 seconds the session will be removed. The late-arriving
second FIN will then be dropped, possibly causing the client/server
application to hang.

This new feature allows the first FIN to trigger the TCP half-closed timer,
enabling the additional traffic to pass successfully without timing out.

Once the second FIN is seen, it will then trigger the TCP time-wait timer.

TCP Half-Closed Session Handling: FIN

TCP half-closed session, client on the left, server on the right:

(1) Client ---------- FIN ----------> Server   Start the TCP half-closed timer: default 120 seconds
(2) Client <--------- ACK ----------- Server
(3) Client <--------- DATA ---------- Server
(4) Client ---------- ACK ----------> Server
    (Repeat (3) and (4)...)
(5) Client <--------- FIN ----------- Server   Start the TCP time-wait timer: default 15 seconds
(6) Client ---------- ACK ----------> Server

Unverified RST Timer

- If the RST packet has the correct sequence number, the firewall closes
  the TCP state as in earlier versions: the time-wait timer is started and
  the RST packet is subject to it (same behavior as before, using the
  time_wait timer).
- If the RST packet falls outside of the TCP window it is dropped
  (same behavior as earlier).
- If the RST packet's TCP sequence number cannot be verified (but is not
  outside the sequence-number window), the firewall uses the
  unverified-rst timer to help prevent DoS attacks.
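The FIN exchange and the three RST cases above, as one small state model. This is an added example, not PAN-OS code: the half-closed (120 s) and time-wait (15 s) defaults are the ones the slides give, while the unverified-RST default is not stated on the slides and is an assumed value here; sequence numbers, the window size and the counter names beyond the two the slides list are constructed. The in-window test ignores sequence-number wraparound for brevity.

```python
"""Added example, not PAN-OS code: a simplified model of the session-close
timers PAN-OS 6.1 introduces. Half-closed and time-wait defaults come from
the slides; the unverified-RST default is ASSUMED. Session values are constructed."""
from dataclasses import dataclass


@dataclass
class Timeouts:
    tcp_half_closed: int = 120     # started by the first FIN (slide default)
    tcp_time_wait: int = 15        # started by the second FIN or a verified RST (slide default)
    tcp_unverified_rst: int = 30   # ASSUMED default; set via timeout-tcp-unverified-rst


@dataclass
class Session:
    expected_seq: dict             # next sequence number expected from "client"/"server"
    window: int = 65535            # receive window used for the in-window check
    state: str = "active"
    timer_name: str = "tcp"        # which aging timer currently governs the session
    timer_secs: int = 3600
    fins_seen: int = 0


def new_counters() -> dict:
    """The two global counters the slides name, plus a constructed one for dropped RSTs."""
    return {"session_unverified_rst": 0, "session_pkt_in_closed_state": 0,
            "rst_out_of_window_dropped": 0}


def handle_fin(session: Session, t: Timeouts) -> str:
    """First FIN: half-closed, data may still flow. Second FIN: time-wait."""
    session.fins_seen += 1
    if session.fins_seen == 1:
        session.state = "half-closed"
        session.timer_name, session.timer_secs = "tcp-half-closed", t.tcp_half_closed
    else:
        session.state = "closed"
        session.timer_name, session.timer_secs = "tcp-time-wait", t.tcp_time_wait
    return session.timer_name


def handle_rst(session: Session, sender: str, seq: int, t: Timeouts, counters: dict) -> str:
    """Apply the three RST cases from the slide."""
    expected = session.expected_seq[sender]
    if not expected <= seq < expected + session.window:
        counters["rst_out_of_window_dropped"] += 1      # outside the window: dropped
        return "dropped"
    if seq == expected:                                  # exact match: verified RST
        session.state = "closed"
        session.timer_name, session.timer_secs = "tcp-time-wait", t.tcp_time_wait
        return session.timer_name
    counters["session_unverified_rst"] += 1              # in-window but unverified
    session.state = "closing-unverified"
    session.timer_name, session.timer_secs = "tcp-unverified-rst", t.tcp_unverified_rst
    return session.timer_name


def handle_data(session: Session, counters: dict) -> str:
    """Data after the first FIN still passes; after close it is counted and dropped."""
    if session.state in ("closed", "closing-unverified"):
        counters["session_pkt_in_closed_state"] += 1
        return "dropped"
    return "forwarded"


def fin_exchange(t: Timeouts = None) -> list:
    """Replays the slide's FIN diagram and returns (step, outcome, timer seconds)."""
    t = t or Timeouts()
    s = Session({"client": 1000, "server": 5000})
    c = new_counters()
    events = [("client FIN", handle_fin(s, t), s.timer_secs)]
    events.append(("server DATA", handle_data(s, c), s.timer_secs))
    events.append(("server FIN", handle_fin(s, t), s.timer_secs))
    return events


if __name__ == "__main__":
    for step, outcome, secs in fin_exchange():
        print(f"{step:12s} -> {outcome:16s} timer {secs}s")
```

The point of the third RST case is visible in the model: an in-window but unverified RST cannot tear the session down immediately, so a spoofed reset only moves the session onto a shorter aging timer and increments session_unverified_rst, which is the counter to watch when troubleshooting unexpected session closures.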

Configuration: TCP Session Timeout Settings

Device > Setup > Session > Session Settings > Timeouts

Session Timeout Settings: Application Specific

Objects > Applications > Search > lpd

TCP Half-Closed Session Handling: CLI Commands

TCP timer setting commands:

set session
> timeout-tcp-half-closed
    set session tcp half-closed timeout value in seconds
> timeout-tcp-time-wait
    set session tcp closed timeout value in seconds (RST with verified sequence number)
> timeout-tcp-unverified-rst
    set session tcp timeout value after receiving a RST with unverified sequence number, in seconds

Configure command:
set deviceconfig setting session timeout-tcp-half-closed <time>
set deviceconfig setting session timeout-tcp-unverified-rst <time>

Global Counters:
session_unverified_rst
    Session aging timer modified by unverified RST
session_pkt_in_closed_state
    Session is closing or closed and still receive TCP pkt

WildFire Enhancements

Introducing the Following to WildFire

- Signature Generation on the WF-500
- Email Link Analysis
- Email Header Information
- Content Updates

Extending Signature Generation Capabilities to WF-500

- Generate local malware and command-and-control signatures directly on the WildFire appliance
- Provides 3 types of protection:
  - Antivirus signatures prevent malware downloads
  - DNS signatures block command-and-control traffic
  - URL malware categorization blocks command-and-control traffic
- Distribute local WF-500 signatures to all PAN-OS firewalls across the network
  for consistent network protection
- Signatures are updated every 5 minutes

[Diagram: Local WildFire Appliance producing AV, DNS and URL signatures]

Identify and Protect Against Malicious Email Links

- PAN-OS firewalls detect and send web links in suspicious emails to WildFire
- WildFire visits the webpage and analyzes the traffic to detect exploits and malware
- Prevent patient-0 from getting compromised by quickly adding the URL to PAN-DB
- Quickly identify targeted users and machines via email headers and integration with User-ID
- Only available in the WildFire Cloud

[Diagram: Mail server, URL http://comp-intra.net/ref?d8ca2, WildFire, Exploit, BLOCK, Compromised host]

Email Header Information

- Configure the User-ID option to enable the firewall to match User-ID
  information with email header information identified in email links and
  email attachments that are forwarded to WildFire.
- When a match occurs, the user name in the WildFire log email header
  section will contain a link that, when clicked, will bring up the ACC
  filtered by the User or Group of users.
- Email Session or Email Protocol refers to SMTP and POP3 only.
  - If used over SSL, decryption will be required
  - IMAP is not supported at this time

[Diagram: Sender/Receiver and Subject fields, URL / Attachments, WildFire, Mail server, Exploit, BLOCK, Compromised host]

WildFire Analysis Report

Email Header Information: Panorama Configuration

- Used to populate Recipient User-ID
- Mail Attributes automatically based on LDAP Server Type
WildFire Cloud Updates

- WildFire Signature Updates
  - Are now every 15 minutes
- WildFire API Limits Increased
  - Are now 1,000 uploads a day (previously 100)
  - Are now 10,000 queries a day (previously 1,000)

Additional WildFire Enhancements

- New daily content updates for the WF-500 provide additional cloud intelligence
  - The content updates help improve WF-500 analysis accuracy by providing daily
    updates to trusted code-signing certificates, domains, file hashes, and other useful
    information
  - Just as with PAN-OS content, the WF-500 content packages can be automatically
    downloaded and installed, or manually downloaded and installed to the WF-500
- WildFire API on the WF-500 to support automation and 3rd-party integrations
- Support for Palo Alto Networks Traps advanced endpoint protection product

Extending Next-Generation Security to Public Clouds

Datacenters and Virtualization

- Hybrid approach safely enables private clouds
- Physical appliances secure North/South traffic
- Panorama and NSX for orchestration, policy management, and context sharing
- Virtual appliances with VMware NSX secure East/West traffic

[Diagram: corporate network/DMZ, physical servers, virtualized servers]

VM-Series for Amazon Web Services

- Perimeter security between Virtual Private Cloud (VPC) and Internet or
  enterprise data center
- Deployed through AWS console and as L3 edge gateway to Internet

VM Monitoring for AWS

- Extends existing VM Monitoring function in PAN-OS to poll VPC EC2 instances
- Tags include: IDs, state, subnet, type, placement, DNS names, and custom tags

[Diagram: corporate data center, AWS Management Console, Web / App / DB tiers]
VM-Series for KVM in private and public clouds

- Supports Linux bridges or Open vSwitch on RedHat, Ubuntu, and CentOS
- OpenStack plugin automates:
  - Deployment of VM-Series on KVM
  - Configuration of management IP, default gateway, and Panorama IP
  - Interface configuration and insertion as L3 router between subnets
  - Link to Panorama device groups
  - Population of Dynamic Address Group tags

[Diagram: VM-Series on standard hardware]

Additional 6.1 Features

- WildFire
  - Analysis of web-based Adobe Flash files
  - Windows 7 64-bit analysis VM
  - Analysis report enhancements: Severity, Coverage status
- URL Filtering
  - Full path categorization
- Networking
  - LACP support
  - Increased NAT capacity
- GlobalProtect
  - Support for third-party Windows credential providers
- Management
  - M-100 multiple interfaces

LACP Support

Link Aggregation Control Protocol (LACP) is a protocol designed to
automatically configure link bundles and uses a continuous messaging
protocol to identify and correct partial or full link failures.

SSL Forward Proxy: Support for 2048 bit keys

Public CAs and some popular browsers are dropping, or limiting, support for X.509
certificates using 1024 bit keys.


Management: Session End Reason Logging

Additional field to support your management, identification and troubleshooting efforts

Monitor > Logs > Traffic


Management: Session End Reason Logging

We look to provide precise reasons for mitigation actions we take on a particular
session.

At various phases during packet processing, a session may be denied, bypassed, etc.

BrightCloud Database https://support.paloaltonetworks.com

Download the BrightCloud database to a host that has Internet access.


Manual Upload of the BrightCloud Database

In deployments where Panorama or a firewall has no direct Internet access, you
can now manually upload a BrightCloud database and install it.

Network Address Translation Capacity Enhancements


PAN-OS NAT Capacity Limits v6.1 vs. v6.0


Online Resources

Support Resources


Installation, Upgrading, Tech Docs, & Training

