PAN-OS Web Interface Help
Version 10.1
paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2021-2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
October 6, 2021
Dashboard...........................................................................................................45
Dashboard Widgets..................................................................................................................................47
ACC.......................................................................................................................49
A First Glance at the ACC......................................................................................................................51
ACC Tabs.................................................................................................................................................... 53
ACC Widgets..............................................................................................................................................54
ACC Actions............................................................................................................................................... 56
Working with Tabs and Widgets............................................................................................. 56
Working with Filters—Local Filters and Global Filters........................................................ 57
Monitor................................................................................................................59
Monitor > Logs.......................................................................................................................................... 61
Log Types....................................................................................................................................... 61
Log Actions.................................................................................................................................... 66
Monitor > External Logs......................................................................................................................... 69
Monitor > Automated Correlation Engine..........................................................................................70
Monitor > Automated Correlation Engine > Correlation Objects.................................... 70
Monitor > Automated Correlation Engine > Correlated Events....................................... 71
Monitor > Packet Capture......................................................................................................................73
Packet Capture Overview.......................................................................................................... 73
Building Blocks for a Custom Packet Capture...................................................................... 74
Enable Threat Packet Capture.................................................................................................. 76
Monitor > App Scope.............................................................................................................................. 78
App Scope Overview...................................................................................................................78
App Scope Summary Report..................................................................................................... 78
App Scope Change Monitor Report........................................................................................ 79
App Scope Threat Monitor Report.......................................................................................... 81
App Scope Threat Map Report.................................................................................................83
Policies...............................................................................................................105
Policy Types............................................................................................................................................. 107
Move or Clone a Policy Rule...............................................................................................................108
Audit Comment Archive....................................................................................................................... 109
Audit Comments........................................................................................................................ 109
Config Logs (between commits).............................................................................................109
Rule Changes.............................................................................................................................. 110
Rule Usage Hit Count Query.............................................................................................................. 111
Device Rule Usage for Rule Hit Count Query....................................................................112
Policies > Security.................................................................................................................................. 113
Security Policy Overview.........................................................................................................113
Building Blocks in a Security Policy Rule.............................................................................114
Creating and Managing Policies.............................................................................................123
Overriding or Reverting a Security Policy Rule..................................................................126
Applications and Usage............................................................................................................ 128
Security Policy Optimizer........................................................................................................ 132
Policies > NAT.........................................................................................................................................135
NAT Policies General Tab........................................................................................................135
NAT Original Packet Tab......................................................................................................... 136
NAT Translated Packet Tab.................................................................................................... 137
NAT Active/Active HA Binding Tab..................................................................................... 139
NAT Target Tab......................................................................................................................... 140
Policies > QoS......................................................................................................................................... 141
Policies > Policy Based Forwarding................................................................................................... 145
Policy Based Forwarding General Tab................................................................................. 145
Policy Based Forwarding Source Tab................................................................................... 146
Policy Based Forwarding Destination/Application/Service Tab.....................................147
Policy Based Forwarding Forwarding Tab...........................................................................147
Policy Based Forwarding Target Tab....................................................................................149
Policies > Decryption............................................................................................................................ 150
Decryption General Tab...........................................................................................................150
Decryption Source Tab.............................................................................................................151
Decryption Destination Tab....................................................................................................152
Decryption Service/URL Category Tab................................................................................152
Decryption Options Tab.......................................................................................................... 153
Decryption Target Tab............................................................................................................. 154
iv TABLE OF CONTENTS
Policies > Network Packet Broker..................................................................................................... 155
Network Packet Broker General Tab....................................................................................155
Network Packet Broker Source Tab..................................................................................... 156
Network Packet Broker Destination Tab.............................................................................157
Network Packet Broker Application/Service/Traffic Tab................................................ 157
Network Packet Broker Path Selection Tab....................................................................... 158
Network Packet Broker Policy Optimizer Rule Usage......................................................158
Policies > Tunnel Inspection................................................................................................................160
Building Blocks in a Tunnel Inspection Policy.................................................................... 160
Policies > Application Override.......................................................................................................... 166
Application Override General Tab.........................................................................................166
Application Override Source Tab...........................................................................................167
Application Override Destination Tab..................................................................................168
Application Override Protocol/Application Tab.................................................................168
Application Override Target Tab........................................................................................... 168
Policies > Authentication......................................................................................................................170
Building Blocks of an Authentication Policy Rule..............................................................170
Create and Manage Authentication Policy..........................................................................175
Policies > DoS Protection.................................................................................................................... 176
DoS Protection General Tab...................................................................................................176
DoS Protection Source Tab.....................................................................................................177
DoS Protection Destination Tab............................................................................................178
DoS Protection Option/Protection Tab............................................................................... 178
DoS Protection Target Tab..................................................................................................... 180
Policies > SD-WAN................................................................................................................................181
SD-WAN General Tab.............................................................................................................. 181
SD-WAN Source Tab................................................................................................................182
SD-WAN Destination Tab....................................................................................................... 183
SD-WAN Application/Service Tab........................................................................................ 183
SD-WAN Path Selection Tab..................................................................................................184
SD-WAN Target Tab.................................................................................................................185
Objects.............................................................................................................. 187
Move, Clone, Override, or Revert Objects...................................................................................... 189
Move or Clone an Object........................................................................................................189
Override or Revert an Object.................................................................................................189
Objects > Addresses..............................................................................................................................191
Objects > Address Groups................................................................................................................... 193
Objects > Regions.................................................................................................................................. 195
Objects > Dynamic User Groups........................................................................................................196
Objects > Applications.......................................................................................................................... 198
Applications Overview..............................................................................................................198
Actions Supported on Applications.......................................................................................202
Defining Applications................................................................................................................205
Objects > Application Groups............................................................................................................. 209
Objects > Application Filters............................................................................................................... 210
Objects > Services..................................................................................................................................211
Objects > Service Groups.....................................................................................................................213
Objects > Tags........................................................................................................................................ 214
Create Tags................................................................................................................................. 214
View Rulebase as Groups........................................................................................................ 215
Manage Tags............................................................................................................................... 218
Objects > Devices.................................................................................................................................. 221
Objects > External Dynamic Lists...................................................................................................... 222
Objects > Custom Objects...................................................................................................................227
Objects > Custom Objects > Data Patterns....................................................................... 227
Objects > Custom Objects > Spyware/Vulnerability.....................................................................233
Objects > Custom Objects > URL Category....................................................................................237
Objects > Security Profiles.................................................................................................................. 239
Actions in Security Profiles..................................................................................................... 239
Objects > Security Profiles > Antivirus.............................................................................................243
Objects > Security Profiles > Anti-Spyware Profile.......................................................................246
Objects > Security Profiles > Vulnerability Protection................................................................. 251
Objects > Security Profiles > URL Filtering..................................................................................... 255
URL Filtering General Settings............................................................................................... 255
URL Filtering Categories.......................................................................................................... 256
URL Filtering Settings............................................................................................................... 258
User Credential Detection.......................................................................................................259
HTTP Header Insertion............................................................................................................ 261
URL Filtering Inline ML............................................................................................................ 262
Objects > Security Profiles > File Blocking......................................................................................264
Objects > Security Profiles > WildFire Analysis............................................................................. 266
Objects > Security Profiles > Data Filtering.................................................................................... 268
Objects > Security Profiles > DoS Protection.................................................................................270
Objects > Security Profiles > Mobile Network Protection...........................................................274
Objects > Security Profiles > SCTP Protection...............................................................................280
Objects > Security Profile Groups..................................................................................................... 285
Objects > Log Forwarding....................................................................................................................286
Objects > Authentication..................................................................................................................... 289
Objects > Decryption Profile...............................................................................................................291
Decryption Profile General Settings..................................................................................... 291
Settings to Control Decrypted Traffic..................................................................................292
Settings to Control Traffic that is not Decrypted..............................................................297
Settings to Control Decrypted SSH Traffic.........................................................................298
Objects > Packet Broker Profile......................................................................................................... 300
Objects > SD-WAN Link Management.............................................................................................303
Objects > SD-WAN Link Management > Path Quality Profile....................................... 303
Objects > SD-WAN Link Management > SaaS Quality Profile.......................................304
Objects > SD-WAN Link Management > Traffic Distribution Profile...........................305
Objects > SD-WAN Link Management > Error Correction Profile................................ 306
Objects > Schedules.............................................................................................................................. 308
Network............................................................................................................ 309
Network > Interfaces.............................................................................................................................311
Firewall Interfaces Overview.................................................................................................. 311
Common Building Blocks for Firewall Interfaces...............................................................312
Common Building Blocks for PA-7000 Series Firewall Interfaces................................. 313
Tap Interface............................................................................................................................... 314
HA Interface................................................................................................................................315
Virtual Wire Interface............................................................................................................... 315
Virtual Wire Subinterface........................................................................................................ 317
PA-7000 Series Layer 2 Interface......................................................................................... 317
PA-7000 Series Layer 2 Subinterface.................................................................................. 319
PA-7000 Series Layer 3 Interface......................................................................................... 319
Layer 3 Interface........................................................................................................................330
Layer 3 Subinterface................................................................................................................. 339
Log Card Interface.....................................................................................................................348
Log Card Subinterface.............................................................................................................. 349
Decrypt Mirror Interface......................................................................................................... 350
Aggregate Ethernet (AE) Interface Group........................................................................... 351
Aggregate Ethernet (AE) Interface........................................................................................ 354
Network > Interfaces > VLAN............................................................................................................ 360
Network > Interfaces > Loopback..................................................................................................... 368
Network > Interfaces > Tunnel...........................................................................................................370
Network > Interfaces > SD-WAN......................................................................................................372
Network > Zones....................................................................................................................................373
Security Zone Overview.......................................................................................................... 373
Building Blocks of Security Zones......................................................................................... 373
Network > VLANs.................................................................................................................................. 376
Network > Virtual Wires...................................................................................................................... 377
Network > Virtual Routers...................................................................................................................378
General Settings of a Virtual Router.....................................................................................378
Static Routes............................................................................................................................... 379
Route Redistribution................................................................................................................. 381
RIP..................................................................................................................................................383
OSPF..............................................................................................................................................385
OSPFv3.........................................................................................................................................390
BGP................................................................................................................................................395
IP Multicast..................................................................................................................................408
ECMP............................................................................................................................................ 412
More Runtime Stats for a Virtual Router............................................................................ 414
More Runtime Stats for a Logical Router............................................................................ 424
Network > Routing > Logical Routers...............................................................................................429
General Settings of a Logical Router.................................................................................... 429
Static Routes for a Logical Router.........................................................................................432
BGP Routing for a Logical Router......................................................................................... 434
Network > Routing > Routing Profiles > BGP....................................................................437
Network > IPSec Tunnels.....................................................................................................................441
IPSec VPN Tunnel Management............................................................................................441
IPSec Tunnel General Tab....................................................................................................... 441
IPSec Tunnel Proxy IDs Tab................................................................................................... 444
IPSec Tunnel Status on the Firewall..................................................................................... 445
IPSec Tunnel Restart or Refresh............................................................................................445
Network > GRE Tunnels.......................................................................................................................446
GRE Tunnels................................................................................................................................446
Network > DHCP................................................................................................................................... 448
DHCP Overview.........................................................................................................................448
DHCP Addressing...................................................................................................................... 448
DHCP Server...............................................................................................................................449
DHCP Relay.................................................................................................................................452
DHCP Client................................................................................................................................452
Network > DNS Proxy.......................................................................................................................... 454
DNS Proxy Overview................................................................................................................454
DNS Proxy Settings...................................................................................................................455
Additional DNS Proxy Actions............................................................................................... 457
Network > QoS.......................................................................................................................................458
QoS Interface Settings............................................................................................................. 458
QoS Interface Statistics............................................................................................................460
Network > LLDP.....................................................................................................................................461
LLDP Overview.......................................................................................................................... 461
Building Blocks of LLDP...........................................................................................................461
Network > Network Profiles............................................................................................................... 464
Network > Network Profiles > GlobalProtect IPSec Crypto...........................................464
Device................................................................................................................501
Device > Setup........................................................................................................................................503
Device > Setup > Management.......................................................................................................... 504
Device > Setup > Operations..............................................................................................................529
Enable SNMP Monitoring........................................................................................................ 535
Device > Setup > HSM.........................................................................................................................538
Hardware Security Module Provider Settings.................................................................... 538
HSM Authentication..................................................................................................................539
Hardware Security Operations...............................................................................................539
Hardware Security Module Provider Configuration and Status..................................... 540
Hardware Security Module Status........................................................................................ 541
Device > Setup > Services................................................................................................................... 542
Configure Services for Global and Virtual Systems...........................................................542
Global Services Settings...........................................................................................................542
IPv4 and IPv6 Support for Service Route Configuration................................................. 545
Destination Service Route....................................................................................................... 548
Device > Setup > Interfaces................................................................................................................ 549
Device > Setup > Telemetry................................................................................................................552
Device > Setup > Content-ID............................................................................................................. 553
Device > Setup > WildFire.................................................................................................................. 559
Device > Setup > Session.................................................................................................................... 562
Session Settings..........................................................................................................................562
Session Timeouts....................................................................................................................... 566
TCP Settings................................................................................................................................568
Decryption Settings: Certificate Revocation Checking.....................................................570
Decryption Settings: Forward Proxy Server Certificate Settings................................... 571
Decryption Settings: SSL Decryption Settings................................................................... 572
VPN Session Settings................................................................................................................573
Device Setup Ace................................................................................................................................... 574
Device > Setup > DLP.......................................................................................................................... 575
Device > High Availability.................................................................................................................... 576
Important Considerations for Configuring HA................................................................... 576
HA General Settings..................................................................................................................577
HA Communications................................................................................................................. 580
HA Link and Path Monitoring.................................................................................................583
HA Active/Active Config......................................................................................................... 585
Cluster Config............................................................................................................................. 587
Device > Log Forwarding Card...........................................................................................................589
Device > Config Audit...........................................................................................................................591
Device > Password Profiles................................................................................................................. 592
Username and Password Requirements...............................................................................592
Device > Administrators....................................................................................................................... 594
Device > Admin Roles...........................................................................................................................597
TABLE OF CONTENTS ix
Device > Server Profiles > HTTP....................................................................................................... 676
Device > Server Profiles > NetFlow..................................................................................................679
Device > Server Profiles > RADIUS...................................................................................................681
Device > Server Profiles > TACACS+............................................................................................... 683
Device > Server Profiles > LDAP....................................................................................................... 684
Device > Server Profiles > Kerberos................................................................................................. 686
Device > Server Profiles > SAML Identity Provider...................................................................... 687
Device > Server Profiles > DNS......................................................................................................... 690
Device > Server Profiles > Multi Factor Authentication...............................................................691
Device > Local User Database > Users............................................................................................ 693
Device > Local User Database > User Groups............................................................................... 694
Device > Scheduled Log Export......................................................................................................... 695
Device > Software..................................................................................................................................697
Device > Dynamic Updates................................................................................................................. 699
Device > Licenses...................................................................................................................................702
Device > Support....................................................................................................................................704
Device > Master Key and Diagnostics..............................................................................................705
Deploy Master Key................................................................................................................... 707
Device > Policy Recommendation > IoT.......................................................................................... 709
Device > Policy > Recommendation SaaS........................................................................................711
User Identification..........................................................................................713
Device > User Identification > User Mapping.................................................................................715
Palo Alto Networks User-ID Agent Setup...........................................................................715
Monitor Servers..........................................................................................................................723
Include or Exclude Subnetworks for User Mapping..........................................................725
Device > User Identification > Connection Security..................................................................... 727
Device > User Identification > Terminal Server Agents............................................................... 728
Device > User Identification > Group Mapping Settings Tab......................................................730
Device > User Identification > Cloud Identity Engine...................................................................734
Device > User Identification > Authentication Portal................................................................... 736
GlobalProtect...................................................................................................739
Network > GlobalProtect > Portals................................................................................................... 741
GlobalProtect Portals General Tab........................................................................................742
GlobalProtect Portals Authentication Configuration Tab................................................ 744
GlobalProtect Portals Portal Data Collection Tab............................................................. 746
GlobalProtect Portals Agent Tab........................................................................................... 746
GlobalProtect Portals Clientless VPN Tab...........................................................................767
GlobalProtect Portal Satellite Tab......................................................................................... 770
Network > GlobalProtect > Gateways..............................................................................................774
GlobalProtect Gateways General Tab.................................................................................. 774
GlobalProtect Gateway Authentication Tab....................................................................... 776
GlobalProtect Gateways Agent Tab......................................................................................777
GlobalProtect Gateway Satellite Tab....................................................................................787
Network > GlobalProtect > MDM..................................................................................................... 790
Network > GlobalProtect > Device Block List................................................................................ 791
Network > GlobalProtect > Clientless Apps....................................................................................792
Network > GlobalProtect > Clientless App Groups.......................................................................793
Objects > GlobalProtect > HIP Objects............................................................................................794
HIP Objects General Tab.........................................................................................................794
HIP Objects Mobile Device Tab............................................................................................ 796
HIP Objects Patch Management Tab................................................................................... 797
HIP Objects Firewall Tab.........................................................................................................798
HIP Objects Anti-Malware Tab.............................................................................................. 798
HIP Objects Disk Backup Tab................................................................................................ 799
HIP Objects Disk Encryption Tab..........................................................................................799
HIP Objects Data Loss Prevention Tab............................................................................... 800
HIP Objects Certificate Tab.................................................................................................... 800
HIP Objects Custom Checks Tab.......................................................................................... 801
Objects > GlobalProtect > HIP Profiles............................................................................................ 802
Device > GlobalProtect Client............................................................................................................ 804
Managing the GlobalProtect App Software........................................................................ 804
Setting Up the GlobalProtect App........................................................................................ 805
Using the GlobalProtect App..................................................................................................805
SD-WAN Devices...................................................................................................................... 897
SD-WAN VPN Clusters............................................................................................................898
SD-WAN Monitoring................................................................................................................ 899
SD-WAN Reports.......................................................................................................................900
Panorama > VMware NSX................................................................................................................... 902
Configure a Notify Group........................................................................................................902
Create Service Definitions.......................................................................................................903
Configure Access to the NSX Manager............................................................................... 904
Create Steering Rules............................................................................................................... 905
Panorama > Log Ingestion Profile...................................................................................................... 907
Panorama > Log Settings......................................................................................................................908
Panorama > Server Profiles > SCP.....................................................................................................910
Panorama > Scheduled Config Export.............................................................................................. 911
Panorama > Software............................................................................................................................913
Manage Panorama Software Updates.................................................................................. 913
Display Panorama Software Update Information.............................................................. 914
Panorama > Device Deployment........................................................................................................915
Manage Software and Content Updates............................................................................. 915
Display Software and Content Update Information......................................................... 917
Schedule Dynamic Content Updates.................................................................................... 918
Revert Content Versions from Panorama............................................................................919
Manage Firewall Licenses........................................................................................................ 920
Panorama > Device Registration Auth Key..................................................................................... 922
Add a Device Registration Auth Key.................................................................................... 922
PAN-OS WEB INTERFACE HELP | Web Interface Basics
Firewall Overview
Palo Alto Networks® next-generation firewalls inspect all traffic (including applications, threats, and
content), and tie that traffic to the user, regardless of location or device type. The user, application, and
content—the elements that run your business—become integral components of your enterprise security
policy. This allows you to align security with your business policies, as well as write rules that are easy to
understand and maintain.
As part of our Security Operating Platform, our next-generation firewalls provide your organization with the
ability to:
• Securely enable applications (including software-as-a-service applications), users, and content by
classifying all traffic (regardless of port).
• Reduce risk of an attack using a positive enforcement model, by allowing all desired applications and
blocking everything else.
• Apply security policies to block known vulnerability exploits, viruses, ransomware, spyware, botnets, and
other unknown malware, such as advanced persistent threats.
• Protect your data centers (including virtualized data centers) by segmenting data and applications, as
well as enforcing the Zero Trust principle.
• Apply consistent security across your on-premises and cloud environments.
• Embrace secure mobile computing by extending the Security Operating Platform to users and devices,
no matter where they are located.
• Get centralized visibility and streamline network security, making your data actionable so you can
prevent successful cyberattacks.
• Identify and prevent attempts to steal credentials by stopping the submission of valid corporate
credentials to illegitimate websites, and neutralizing an attacker’s ability to use stolen credentials for
lateral movement or network compromise by enforcing authentication policies at the network layer.
After you log in to the web interface, the last login time information appears at the bottom left of the
window. If one or more failed logins occurred since the last successful login, a caution icon appears to
the right of the last login information. Hover over the caution symbol to view the number of failed login
attempts or click to view the Failed Login Attempts Summary window, which lists the administrative
account name, the source IP address, and the reason for the login failure.
If you see multiple failed login attempts that you do not recognize as your own, you should work with your
network administrator to locate the system that is performing the brute-force attack and then investigate
the user and host computer to identify and eradicate any malicious activity. If you see that the last login
date and time indicates an account compromise, you should immediately change your password and then
perform a configuration audit to determine if suspicious configuration changes were committed. Revert
the configuration to a known good configuration if you see that logs were cleared or if you have difficulty
determining if improper changes were made using your account.
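The triage the paragraph above describes, as an added example that is not PAN-OS code: constructed failed-login records carry the three fields the Failed Login Attempts Summary window lists (account name, source IP address, reason), and the functions separate ordinary typos from the repeated attempts against one or many accounts that warrant escalation. The record layout, timestamps, addresses and reason strings are all constructed for the example.

```python
"""Triage helpers for the Failed Login Attempts Summary (added example, not
PAN-OS code).  The record layout and every value below are constructed; the
reason strings are not real PAN-OS log text."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FailedLogin:
    when: datetime      # time of the failed attempt
    admin: str          # administrative account name that was tried
    source_ip: str      # source IP address of the attempt
    reason: str         # reason for the login failure


T0 = datetime(2021, 10, 6, 9, 0)
LAST_SUCCESS = T0 - timedelta(minutes=15)   # last successful login shown at bottom left

# Constructed sample: six rapid failures from one external address across
# three accounts, two slow typos from the administrator's own workstation,
# and one stray failure from a third address an hour earlier.
SAMPLE = [
    FailedLogin(T0 - timedelta(minutes=60), "admin", "203.0.113.8", "invalid password"),
    FailedLogin(T0 - timedelta(minutes=30), "jsmith", "10.1.1.50", "invalid password"),
    FailedLogin(T0 - timedelta(minutes=29), "jsmith", "10.1.1.50", "invalid password"),
    FailedLogin(T0 + timedelta(minutes=0), "admin", "198.51.100.23", "invalid password"),
    FailedLogin(T0 + timedelta(minutes=1), "admin", "198.51.100.23", "invalid password"),
    FailedLogin(T0 + timedelta(minutes=2), "admin", "198.51.100.23", "invalid password"),
    FailedLogin(T0 + timedelta(minutes=3), "admin", "198.51.100.23", "invalid password"),
    FailedLogin(T0 + timedelta(minutes=4), "operator", "198.51.100.23", "unknown user"),
    FailedLogin(T0 + timedelta(minutes=5), "auditor", "198.51.100.23", "unknown user"),
]


def unrecognized_since(records, last_success, own_sources):
    """Failures after the last successful login that did not come from hosts the
    administrator recognises as their own: the ones the text says to escalate."""
    return [r for r in records
            if r.when > last_success and r.source_ip not in own_sources]


def brute_force_sources(records, threshold=5, window=timedelta(minutes=10)):
    """Source addresses with at least `threshold` failures inside any sliding
    window of length `window`, mapped to the peak count observed."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.source_ip].append(r.when)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def spraying_sources(records, min_accounts=3):
    """Sources that failed against at least `min_accounts` distinct accounts,
    which a single-account lockout threshold would not catch."""
    accounts = defaultdict(set)
    for r in records:
        accounts[r.source_ip].add(r.admin)
    return {src: len(a) for src, a in accounts.items() if len(a) >= min_accounts}


def summary(records):
    """Roll-up in the shape of the summary window: (account, source, reason) -> count."""
    return Counter((r.admin, r.source_ip, r.reason) for r in records)


if __name__ == "__main__":
    suspicious = unrecognized_since(SAMPLE, LAST_SUCCESS, {"10.1.1.50"})
    for (account, source, reason), n in summary(suspicious).items():
        print(f"{n:2d}x account={account} source={source} reason={reason}")
    print("brute force:", brute_force_sources(SAMPLE))
    print("spraying:", spraying_sources(SAMPLE))
```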
Anytime the Message of the Day changes, the message appears in your next session even
if you selected Do not show again during a previous login. You must then reselect this option
to avoid seeing the modified message in subsequent sessions.
To navigate the dialog pages, click the right and left arrows along the sides of the dialog or click a
page selector along the bottom of the dialog. After you Close the dialog, you can manually reopen it
by clicking messages at the bottom of the web interface.
To configure a message of the day, select Device > Setup > Management and edit the Banners and
Messages settings.
Some columns are hidden by default. To display or hide specific columns, open the drop-down
in any column header, select Columns, and select (display) or clear (hide) the column
names.
Field/Button Description
To filter the tasks, enter a text string based on a value in one of the
columns and Apply Filter. For example, entering edl will filter
the list to display only EDLFetch (fetch external dynamic lists) tasks.
To remove filtering, Remove Filter.
Type The type of task, such as log request, license refresh, or commit. If
the information related to the task (such as warnings) is too long to
fit in the Messages column, you can click the Type value to see all the
details.
Job ID A number that identifies the task. From the CLI, you can use the Job
ID to see additional details about a task. For example, you can see the
position of a commit task in the commit queue by entering:
End Time The date and time when the task finished. This column is hidden by
default.
Start Time The date and time when the task started. For commit tasks, the Start
Time indicates when the commit was added to the commit queue.
Messages Displays details about the task. If the entry indicates that there are too
many messages, you can click the task Type to see the messages.
For commit tasks, the Messages include the dequeued time to indicate
when PAN-OS started performing the commit. To see the description
an administrator entered for a commit, click Commit Description. For
details, see Commit Changes.
Clear Commit Queue Cancel all pending commits initiated by administrators or PAN-OS.
This button is available only to administrators who have one of the
following predefined roles: superuser, device administrator, virtual
system administrator, or Panorama administrator.
Field/Button Description
Commit All Changes Commits all changes for which you have administrative privileges
(default). You cannot manually filter the scope of the configuration
changes that the firewall commits when you select this option.
Instead, the administrator role assigned to the account you used to log
in determines the commit scope:
• Superuser role—The firewall commits the changes of all
administrators.
• Custom role—The privileges of the Admin Role profile assigned to
your account determine the commit scope (see Device > Admin
Roles). If the profile includes the privilege to Commit For Other
Admins, the firewall commits changes configured by any and all
administrators. If your Admin Role profile does not include the
privilege to Commit For Other Admins, the firewall commits only
your changes and not those of other administrators.
If you have implemented access domains, the firewall automatically
applies those domains to filter the commit scope (see Device > Access
Domain). Regardless of your administrative role, the firewall commits
only the configuration changes in the access domains assigned to your
account.
Commit Changes Made By Filters the scope of the configuration changes the firewall commits.
The administrative role assigned to the account you used to log in
determines your filtering options:
• Superuser role—You can limit the commit scope to changes that
specific administrators made and to changes in specific locations.
• Custom role—The privileges of the Admin Role profile assigned to
your account determine your filtering options (see Device > Admin
Roles). If the profile includes the privilege to Commit For Other
Admins, you can limit the commit scope to changes configured by
specific administrators and to changes in specific locations. If your
Admin Role profile does not include the privilege to Commit For
When you commit changes to a virtual system, you must include the
changes of all administrators who added, deleted, or repositioned
rules for the same rulebase in that virtual system.
Commit Scope Lists the locations that have changes to commit. Whether the list
includes all changes or a subset of the changes depends on several
factors, as described for Commit All Changes and Commit Changes
Made By. The locations can be any of the following:
• shared-object—Settings that are defined in the Shared location.
• policy-and-objects—Policy rules or objects that are defined on a
firewall that does not have multiple virtual systems.
• device-and-network—Network and device settings that are global
(such as Interface Management profiles) and not specific to a
virtual system. This also applies to network and device settings on
a firewall that does not have multiple virtual systems.
• <virtual-system>—The name of the virtual system in which policy
rules or objects are defined on a firewall that has multiple virtual
systems. This also includes network and device settings that are
specific to a virtual system (such as zones).
Include in Commit (Partial commit only) Enables you to select the changes you want to commit. By default,
all changes within the Commit Scope are selected. This column
displays only after you choose to Commit Changes Made By specific
administrators.
Group by Location Type Groups the list of configuration changes in the Commit Scope by
Location Type.
Preview Changes Enables you to compare the configurations you selected in the
Commit Scope to the running configuration. The preview window
uses color coding to indicate which changes are additions (green),
modifications (yellow), or deletions (red).
To help you match the changes to sections of the web interface, you
can configure the preview window to display Lines of Context before
and after each change. These lines are from the files of the candidate
and running configurations that you are comparing.
Change Summary Lists the individual settings for which you are committing changes.
The Change Summary list displays the following information for each
setting:
• Object Name—The name that identifies the policy, object, network
setting, or device setting.
• Type—The type of setting (such as Address, Security rule, or Zone).
• Location Type—Indicates whether the setting is defined in Virtual
Systems.
• Location—The name of the virtual system where the setting is
defined. The column displays Shared for settings that are not
specific to a virtual system.
• Operations—Indicates every operation (create, edit, or delete)
performed on the setting since the last commit.
• Owner—The administrator who made the last change to the
setting.
• Will Be Committed—Indicates whether the commit currently
includes the setting.
• Previous Owners—Administrators who made changes to the
setting before the last change.
Optionally, you can Group By column name (such as Type).
Select an object in the change list to view the Object Level
Difference.
Validate Commit Validates whether the firewall configuration has correct syntax and
is semantically complete. The output includes the same errors and
Description Allows you to enter a description (up to 512 characters) to help other
administrators understand what changes you made.
Commit Starts the commit or, if other commits are pending, adds your commit
to the commit queue.
Commit Status Provides progress during the commit, then provides results after the
commit. Commit results include success or failure, details of commit
changes, and commit warnings. Warnings include:
• Commit—Lists general commit warnings.
• App Dependency—Lists any app dependencies required for
existing rules.
• Rule Shadow—Lists any shadow rules.
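A model of how the Commit dialog decides the commit scope, as an added example that is not PAN-OS code: it encodes the rules in the Commit All Changes and Commit Changes Made By rows (role, the Commit For Other Admins privilege, access domains, and the requirement that a partial commit to a virtual system carry every administrator's changes to the same rulebase). The same rules govern the Save Changes dialog (with Save For Other Admins) and the Revert dialog (which the page says reuses Commit For Other Admins) described in the tables that follow. Treating an access domain as a set of permitted locations, and collapsing Commit Changes Made By to the admin's own changes when the privilege is absent, are assumptions made here.

```python
"""Commit scope model (added example, not PAN-OS code).  All administrators,
change names and virtual systems below are constructed."""
from dataclasses import dataclass
from typing import Optional

GLOBAL_LOCATIONS = {"shared-object", "policy-and-objects", "device-and-network"}


@dataclass(frozen=True)
class Change:
    object_name: str
    location: str                   # a GLOBAL_LOCATIONS entry or a virtual system name
    owner: str                      # administrator who made the change
    rulebase: Optional[str] = None  # set when a rule was added, deleted or repositioned


@dataclass(frozen=True)
class Admin:
    name: str
    superuser: bool = False
    commit_for_other_admins: bool = False       # Admin Role profile privilege
    access_domains: Optional[frozenset] = None  # None: access domains not implemented


# Constructed pending changes for three administrators across two virtual systems.
PENDING = [
    Change("web-servers", "shared-object", "alice"),
    Change("mgmt-profile", "device-and-network", "bob"),
    Change("allow-web", "vsys1", "alice", rulebase="security"),
    Change("deny-ftp", "vsys1", "carol", rulebase="security"),
    Change("dmz-zone", "vsys2", "carol"),
    Change("nat-out", "vsys2", "bob", rulebase="nat"),
]


def _may_commit_for_others(admin):
    return admin.superuser or admin.commit_for_other_admins


def _within_access_domains(admin, changes):
    """Regardless of role, only changes inside the admin's access domains are
    committed (assumption: an access domain is a set of permitted locations)."""
    if admin.access_domains is None:
        return list(changes)
    return [c for c in changes if c.location in admin.access_domains]


def commit_all_scope(admin, pending):
    """Commit All Changes: everyone's changes for superusers and for custom roles
    holding Commit For Other Admins, otherwise only the admin's own changes."""
    if _may_commit_for_others(admin):
        scope = list(pending)
    else:
        scope = [c for c in pending if c.owner == admin.name]
    return _within_access_domains(admin, scope)


def include_rulebase_peers(selected, pending):
    """A partial commit that touches a rulebase in a virtual system must also carry
    every other administrator's rule changes to that same rulebase."""
    keys = {(c.location, c.rulebase) for c in selected
            if c.rulebase and c.location not in GLOBAL_LOCATIONS}
    chosen = set(selected)
    extra = [c for c in pending if (c.location, c.rulebase) in keys and c not in chosen]
    return list(selected) + extra


def commit_made_by_scope(admin, pending, admins, locations=None):
    """Commit Changes Made By: limit the scope to the given administrators and,
    optionally, locations.  Without the privilege the filter collapses to the
    admin's own changes (assumption; the page's text for that case is cut off)."""
    if not _may_commit_for_others(admin):
        admins = {admin.name}
    scope = [c for c in pending
             if c.owner in admins and (locations is None or c.location in locations)]
    scope = _within_access_domains(admin, scope)
    return include_rulebase_peers(scope, pending)


def names(changes):
    return [c.object_name for c in changes]


if __name__ == "__main__":
    root = Admin("root", superuser=True)
    bob = Admin("bob")                                   # custom role, no privilege
    carol = Admin("carol", commit_for_other_admins=True,
                  access_domains=frozenset({"vsys1"}))  # privilege, but one access domain
    print("root commits all:", names(commit_all_scope(root, PENDING)))
    print("bob commits all:", names(commit_all_scope(bob, PENDING)))
    print("carol commits all:", names(commit_all_scope(carol, PENDING)))
    print("root, alice in vsys1:",
          names(commit_made_by_scope(root, PENDING, {"alice"}, {"vsys1"})))
```

Note in the last case that carol's deny-ftp rule is pulled into root's partial commit of alice's vsys1 changes because both rules live in the same vsys1 security rulebase.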
You should periodically save your changes so that you don’t lose them if the firewall or
Panorama reboots.
Saving your changes to the candidate configuration does not activate those changes; you
must Commit Changes to activate them.
The Save Changes dialog displays the options described in the following table:
Field/Button Description
Save All Changes Saves all changes for which you have administrative privileges
(default). You cannot manually filter the scope of the configuration
changes that the firewall saves when you select this option. Instead,
the administrator role assigned to the account you used to log in
determines the save scope:
• Superuser role—The firewall saves the changes of all
administrators.
• Custom role—The privileges of the Admin Role profile assigned
to your account determine the save scope (see Device > Admin
Roles). If the profile includes the privilege to Save For Other
Admins, the firewall saves changes configured by any and all
administrators. If your Admin Role profile does not include the
privilege to Save For Other Admins, the firewall saves only your
changes and not those of other administrators.
If you have implemented access domains, the firewall automatically
applies those domains to filter the save scope (see Device > Access
Domain). Regardless of your administrative role, the firewall saves
only the configuration changes in the access domains assigned to your
account.
Save Changes Made By Filters the scope of the configuration changes the firewall saves.
The administrative role assigned to the account you used to log in
determines your filtering options:
• Superuser role—You can limit the save scope to changes that
specific administrators made and to changes in specific locations.
• Custom role—The privileges of the Admin Role profile assigned
to your account determine your filtering options (see Device >
Save Scope Lists the locations that have changes to save. Whether the list
includes all changes or a subset of the changes depends on several
factors, as described for the Save All Changes and Save Changes
Made By options. The locations can be any of the following:
• shared-object—Settings that are defined in the Shared location.
• policy-and-objects—(Firewall only) Policy rules or objects that are
defined on a firewall that does not have multiple virtual systems.
• device-and-network—(Firewall only) Network and device settings
that are global (such as Interface Management profiles) and not
specific to a virtual system.
• <virtual-system>—(Firewall only) The name of the virtual system
in which policy rules or objects are defined on a firewall that has
multiple virtual systems. This also includes network and device
settings that are specific to a virtual system (such as zones).
• <device-group>—(Panorama only) The name of the device group in
which the policy rules or objects are defined.
• <template>—(Panorama only) The name of the template or
template stack in which the settings are defined.
• <log-collector-group>—(Panorama only) The name of the Collector
Group in which the settings are defined.
• <log-collector>—(Panorama only) The name of the Log Collector in
which the settings are defined.
Location Type This column categorizes the locations where the changes were made:
• Virtual Systems—(Firewall only) Settings that are defined in a
specific virtual system.
• Device Groups—(Panorama only) Settings that are defined in a
specific device group.
• Templates—(Panorama only) Settings that are defined in a specific
template or template stack.
Include in Save (Partial save only) Enables you to select the changes you want to save. By default, all
changes within the Save Scope are selected. This column displays only
after you choose to Save Changes Made By specific administrators.
Group by Location Type Groups the list of configuration changes in the Save Scope by
Location Type.
Preview Changes Enables you to compare the configurations you selected in the Save
Scope to the running configuration. The preview window uses color
coding to indicate which changes are additions (green), modifications
(yellow), or deletions (red).
To help you match the changes to sections of the web interface, you
can configure the preview window to display Lines of Context before
and after each change. These lines are from the files of the candidate
and running configurations that you are comparing.
Change Summary Lists the individual settings for which you are saving changes. The
Change Summary list displays the following information for each
setting:
• Object Name—The name that identifies the policy, object, network
setting, or device setting.
• Type—The type of setting (such as Address, Security rule, or Zone).
• Location Type—Indicates whether the setting is defined in Virtual
Systems.
• Location—The name of the virtual system where the setting is
defined. The column displays Shared for settings that are not
specific to a virtual system.
• Operations—Indicates every operation (create, edit, or delete)
performed on the setting since the last commit.
• Owner—The administrator who made the last change to the
setting.
• Will Be Saved—Indicates whether the save operation will include
the setting.
• Previous Owners—Administrators who made changes to the
setting before the last change.
Field/Button Description
Revert All Changes Reverts all changes for which you have administrative privileges
(default). You cannot manually filter the scope of the configuration
changes that the firewall reverts when you select this option. Instead,
the administrator role assigned to the account you used to log in
determines the revert scope:
• Superuser role—The firewall reverts the changes of all
administrators.
• Custom role—The privileges of the Admin Role profile assigned
to your account determine the revert scope (see Device > Admin
Roles). If the profile includes the privilege to Commit For Other
Admins, the firewall reverts changes configured by any and all
administrators. If your Admin Role profile does not include the
privilege to Commit For Other Admins, the firewall reverts only
your changes and not those of other administrators.
Revert Changes Made By Filters the scope of configuration changes that the firewall reverts.
The administrative role assigned to the account you used to log in
determines your filtering options:
• Superuser role—You can limit the revert scope to changes that
specific administrators made and to changes in specific locations.
• Custom role—The privileges of the Admin Role profile assigned to
your account determine your filtering options (see Device > Admin
Roles). If the profile includes the privilege to Commit For Other
Admins, you can limit the revert scope to changes configured by
specific administrators and to changes in specific locations. If your
Admin Role profile does not include the privilege to Commit For
Revert Scope Lists the locations that have changes to revert. Whether the list
includes all changes or a subset of the changes depends on several
factors, as described for the Revert All Changes and Revert Changes
Made By options. The locations can be any of the following:
• shared-object—Settings that are defined in the Shared location.
• policy-and-objects—(Firewall only) Policy rules or objects that are
defined on a firewall that does not have multiple virtual systems.
• device-and-network—(Firewall only) Network and device settings
that are global (such as Interface Management profiles) and not
specific to a virtual system.
• <virtual-system>—(Firewall only) The name of the virtual system
in which policy rules or objects are defined on a firewall that has
multiple virtual systems. This also includes network and device
settings that are specific to a virtual system (such as zones).
• <device-group>—(Panorama only) The name of the device group in
which the policy rules or objects are defined.
• <template>—(Panorama only) The name of the template or
template stack in which the settings are defined.
• <log-collector-group>—(Panorama only) The name of the Collector
Group in which the settings are defined.
• <log-collector>—(Panorama only) The name of the Log Collector in
which the settings are defined.
Location Type This column categorizes the locations where the changes were made:
• Virtual Systems—(Firewall only) Settings that are defined in a
specific virtual system.
• Device Group—(Panorama only) Settings that are defined in a
specific device group.
• Template—(Panorama only) Settings that are defined in a specific
template or template stack.
• Log Collector Group—(Panorama only) Settings that are specific to
a Collector Group configuration.
Include in Revert (Partial revert only) Enables you to select the changes you want to revert. By default,
all changes within the Revert Scope are selected. This column displays only after you choose to
Revert Changes Made By specific administrators.
Group by Location Type Lists the configuration changes in the Revert Scope by Location Type.
Preview Changes Enables you to compare the configurations you selected in the Revert
Scope to the running configuration. The preview window uses color
coding to indicate which changes are additions (green), modifications
(yellow), or deletions (red).
To help you match the changes to sections of the web interface, you
can configure the preview window to display Lines of Context before
and after each change. These lines are from the files of the candidate
and running configurations that you are comparing.
Change Summary Lists the individual settings for which you are reverting changes. The
Change Summary list displays the following information for each
setting:
• Object Name—The name that identifies the policy, object, network
setting, or device setting.
• Type—The type of setting (such as Address, Security rule, or Zone).
• Location Type—Indicates whether the setting is defined in Virtual
Systems.
• Location—The name of the virtual system where the setting is
defined. The column displays Shared for settings that are not
specific to a virtual system.
• Operations—Indicates every operation (create, edit, or delete)
performed on the setting since the last commit.
• Owner—The administrator who made the last change to the
setting.
• Will Be Reverted—Indicates whether the revert operation will
include the setting.
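The next block is a Python example added to this help text (it is not PAN-OS code) that models two rules from the Save and Revert tables above: the Preview Changes diff of the candidate configuration against the running configuration with configurable Lines of Context and its addition (green), modification (yellow) and deletion (red) colour coding, and the revert scope decision driven by the Superuser role or the Commit For Other Admins privilege. The configuration fragments, administrators, change records and the privilege key name are constructed for the example.

```python
"""Preview Changes and Revert Scope, as an added example (not PAN-OS code).

classify_changes() diffs running vs candidate and labels every changed line
as addition / modification / deletion with the preview window's colour;
preview() renders the same diff with a chosen number of Lines of Context.
revert_scope() applies the rule from the table: a superuser, or a custom role
whose Admin Role profile includes Commit For Other Admins, reverts every
administrator's changes; any other custom role reverts only its own.
All data below is constructed for the example.
"""
import difflib
from dataclasses import dataclass, field

# Constructed configuration fragments (XML-like text, not real PAN-OS output).
# The candidate modifies db-srv, deletes the legacy zone and adds a service.
RUNNING_CONFIG = """\
<address>
  <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  <entry name="db-srv"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
</address>
<zone>
  <entry name="trust"/>
  <entry name="untrust"/>
  <entry name="legacy"/>
</zone>
<service>
</service>
"""

CANDIDATE_CONFIG = """\
<address>
  <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  <entry name="db-srv"><ip-netmask>10.1.2.21/32</ip-netmask></entry>
</address>
<zone>
  <entry name="trust"/>
  <entry name="untrust"/>
</zone>
<service>
  <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
</service>
"""

COLOR = {"addition": "green", "modification": "yellow", "deletion": "red"}

def classify_changes(running, candidate):
    """Return (kind, color, line) for every changed line, in file order.
    A 'replace' opcode is a modification, 'insert' an addition, 'delete' a
    deletion; equal blocks are not reported."""
    a, b = running.splitlines(), candidate.splitlines()
    changes = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag == "replace":
            changes += [("modification", COLOR["modification"], ln) for ln in b[j1:j2]]
        elif tag == "insert":
            changes += [("addition", COLOR["addition"], ln) for ln in b[j1:j2]]
        elif tag == "delete":
            changes += [("deletion", COLOR["deletion"], ln) for ln in a[i1:i2]]
    return changes

def preview(running, candidate, lines_of_context=2):
    """Unified diff with the requested Lines of Context before and after each
    change, i.e. the text behind the colour-coded preview window."""
    return "\n".join(difflib.unified_diff(
        running.splitlines(), candidate.splitlines(),
        fromfile="running-config", tofile="candidate-config",
        n=lines_of_context, lineterm=""))

@dataclass
class Change:
    object_name: str
    location: str
    owner: str                      # administrator who made the last change

@dataclass
class Admin:
    name: str
    role: str                       # "superuser" or "custom"
    privileges: set = field(default_factory=set)

COMMIT_FOR_OTHERS = "commit-for-other-admins"   # constructed privilege key

def revert_scope(admin, changes):
    """Changes that Revert All Changes would include for this administrator."""
    if admin.role == "superuser" or COMMIT_FOR_OTHERS in admin.privileges:
        return list(changes)
    return [c for c in changes if c.owner == admin.name]

if __name__ == "__main__":
    for kind, color, line in classify_changes(RUNNING_CONFIG, CANDIDATE_CONFIG):
        print(f"{color:6} {kind:12} {line.strip()}")
    print(preview(RUNNING_CONFIG, CANDIDATE_CONFIG, lines_of_context=1))
    pending = [Change("db-srv", "vsys1", "alice"), Change("legacy", "vsys1", "bob"),
               Change("tcp-8443", "shared", "bob")]
    print([c.object_name for c in revert_scope(Admin("bob", "custom"), pending)])
```

The classification works line by line, as the preview window does: a setting whose value changed shows as a modification, while a removed and an added object in different places show as a deletion and an addition. Raising lines_of_context is what lets you see which parent element (address, zone, service) a changed line belongs to.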
Field/Button Description
Location On a firewall with more than one virtual system (vsys), the scope of
the lock can be a specific vsys or the Shared location.
Created At The date and time when an administrator set the lock.
Logged In Indicates whether the administrator who set the lock is currently
logged in.
Take a Lock To set a lock, Take a Lock, select the Type, select the Location
(multiple virtual system firewalls only), enter optional Comments, click
OK, and then Close.
Remove Lock To release a lock, select it, Remove Lock, click OK, and then Close.
To launch global find, click the Search icon on the upper right side of the web interface. Global Find is
available from all web interface pages and locations. The following is a list of Global Find features to help
you perform successful searches:
• If you initiate a search on a firewall that has multiple virtual systems enabled or if administrative roles
are defined, Global Find will return results only for areas of the firewall for which you have permission to
access. The same applies to Panorama device groups; you will see search results only for device groups
to which you have administrative access.
• Spaces in search text are handled as AND operations. For example, if you search on corp policy, both
corp and policy must exist in the configuration item for it to be included in the search results.
• To find an exact phrase, surround the phrase in quotes.
• To re-run a previous search, click Global Find and a list of the last 20 searches are displayed. Click any
item in the list to re-run that search. The search history list is unique to each administrative account.
Global Find is available for each field that is searchable. For example, in the case of a Security policy,
you can search on the following fields: Name, Tags, Zone, Address, User, HIP Profile, Application, UUID,
and Service. To perform a search, click the drop-down next to any of these fields and click Global Find.
For example, if you click Global Find on a zone named l3-vlan-trust, Global Find will search the entire
configuration for that zone name and return results for each location where the zone is referenced. The
search results are grouped by category and you can hover over any item to view details or you can click an
item to navigate to the configuration page for that item.
Global Find does not search dynamic content that the firewall allocates to users (such as logs, address
ranges, or individual DHCP addresses). In the case of DHCP, you can search on a DHCP server attribute,
such as the DNS entry, but you cannot search for individual addresses issued to users. Another example is
usernames that the firewall collects when you enable the User-ID™ feature. In this case, a username or user
group that exists in the User-ID database is only searchable if the name or group exists in the configuration,
such as when a user group name is defined in a policy. In general, you can only search for content that the
firewall writes to the configuration.
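The following Python example, added here and not part of the PAN-OS help, implements the Global Find rules listed above over a small constructed configuration: whitespace-separated terms are ANDed, a quoted phrase must match exactly, results are limited to the locations the administrator may access and are grouped by category, only content written to the configuration is searchable, and each administrator's last 20 searches are kept. The items, locations and field names are constructed; case-insensitive substring matching is an assumption the page does not state.

```python
"""Global Find search semantics, as an added example (not PAN-OS code).

parse_query() splits a query into terms (quoted phrases stay whole),
global_find() returns matching configuration items grouped by category and
limited to the administrator's locations, and SearchHistory keeps the last
20 searches per administrator. Items and permissions are constructed.
"""
import re
from collections import defaultdict, deque

# A term is either a double-quoted phrase (kept whole) or a run of non-space.
TERM_RE = re.compile(r'"([^"]*)"|(\S+)')

def parse_query(query):
    """Split a query into lower-cased terms; every term must match (AND)."""
    terms = []
    for phrase, word in TERM_RE.findall(query):
        term = phrase if phrase else word
        if term.strip():
            terms.append(term.lower())
    return terms

# Constructed configuration items: category, name, location, searchable fields.
CONFIG_ITEMS = [
    {"category": "Zone", "name": "l3-vlan-trust", "location": "vsys1",
     "fields": {"name": "l3-vlan-trust", "type": "layer3"}},
    {"category": "Security rule", "name": "corp policy allow", "location": "vsys1",
     "fields": {"name": "corp policy allow", "from": "l3-vlan-trust", "to": "untrust"}},
    {"category": "Security rule", "name": "corp-policy-deny", "location": "vsys2",
     "fields": {"name": "corp-policy-deny", "from": "l3-vlan-trust", "to": "untrust"}},
    {"category": "Address", "name": "corp-dns", "location": "shared",
     "fields": {"name": "corp-dns", "ip-netmask": "10.0.0.53/32"}},
]

def searchable_text(item):
    """Only what is written to the configuration is searchable, so the text
    comes from the item's configured fields (never from logs or DHCP leases)."""
    return " ".join(str(v) for v in item["fields"].values()).lower()

def global_find(query, admin_locations, items=CONFIG_ITEMS):
    """Return {category: [object names]} for items matching every term,
    restricted to the locations the administrator is permitted to access."""
    terms = parse_query(query)
    if not terms:
        return {}
    results = defaultdict(list)
    for item in items:
        if item["location"] not in admin_locations:
            continue            # vsys or device group the admin cannot see
        text = searchable_text(item)
        if all(term in text for term in terms):
            results[item["category"]].append(item["name"])
    return dict(results)

class SearchHistory:
    """Per-administrator list of the last 20 searches, most recent first."""
    def __init__(self, limit=20):
        self._by_admin = defaultdict(lambda: deque(maxlen=limit))

    def record(self, admin, query):
        history = self._by_admin[admin]
        if query in history:        # re-running a search moves it to the front
            history.remove(query)
        history.appendleft(query)   # oldest entry falls off once 20 are stored

    def recent(self, admin):
        return list(self._by_admin[admin])
```

Compare global_find('corp policy', ...) with global_find('"corp policy"', ...): the first returns every rule containing both words, including corp-policy-deny, while the quoted form returns only the rule whose name contains the phrase. A vsys1 administrator never sees the vsys2 rule at all.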
Looking for more?
Learn more about using Global Find to search the firewall or Panorama configuration.
ID Unique threat signature ID. Select View in Threat Vault to open a Threat Vault
search in a new browser window and look up the latest information that the Palo
Alto Networks threat database has for this signature. The Threat Vault entry for
the threat signature might include additional details, including the first and last
content releases to include updates to the signature and the minimum PAN-OS
version required to support the signature.
Severity The threat severity level: informational, low, medium, high, or critical.
CVE Publicly known security vulnerabilities associated with the threat. The Common
Vulnerabilities and Exposures (CVE) identifier is the most useful identifier for
finding information about unique vulnerabilities as vendor-specific IDs commonly
encompass multiple vulnerabilities.
Vendor ID The vendor-specific identifier for a vulnerability. For example, MS16-148 is the
vendor ID for one or more Microsoft vulnerabilities and APBSB16-39 is the vendor
ID for one or more Adobe vulnerabilities.
Reference Research sources you can use to learn more about the threat.
Exempt Profiles Security profiles that define a different enforcement action for the threat signature
than the default signature action. The threat exception is only active when exempt
profiles are attached to a security policy rule (check if the exception is Used in
current security rule).
Used in current security rule Active threat exceptions—A check mark in this column indicates that the
firewall is actively enforcing the threat exception (the Exempt Profiles that define the threat
exception are attached to a security policy rule).
If this column is clear, the firewall is enforcing the threat based only on the
recommended default signature action.
Exempt IP Addresses Exempt IP addresses—You can add an IP address on which to filter the threat
exception or view existing Exempt IP Addresses. This option enforces a threat
exception only when the associated session has either a source or destination IP
address that matches the exempt IP address. For all other sessions, the threat is
enforced based on the default signature action.
If you’re having trouble viewing threat details, check for the following conditions:
• The firewall Threat Prevention license is active (Device > Licenses).
• The latest Antivirus and Threats and Applications content updates are installed.
• Threat Vault access is enabled (select Device > Setup > Management and edit the
Logging and Reporting setting to Enable Threat Vault Access).
• The default (or custom) Antivirus, Anti-Spyware, and Vulnerability Protection security
profiles are applied to your security policy.
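The following Python example, added here and not part of the PAN-OS help, applies the enforcement conditions the table above describes: an exception is active only while the exempt profile that defines it is attached to a security policy rule, Exempt IP Addresses narrow the exception to sessions whose source or destination matches one of them, and in every other case the default signature action applies. It also enforces the limit of 100 exempt IP addresses per signature stated in the threat-log description. The signature ID, actions, profile and rule names and addresses are constructed values.

```python
"""Threat exception enforcement, as an added example (not PAN-OS code).

used_in_current_rule() reproduces the 'Used in current security rule' check
mark, effective_action() decides which action a session hit receives, and
exempt_profiles_report() mirrors the Exempt Profiles column. All policy
objects below are constructed.
"""
from dataclasses import dataclass, field

MAX_EXEMPT_IPS = 100   # per signature, as stated in the threat-log description

@dataclass
class ThreatException:
    threat_id: int
    action: str                                    # replaces the default action
    exempt_ips: set = field(default_factory=set)   # empty = every session

    def __post_init__(self):
        if len(self.exempt_ips) > MAX_EXEMPT_IPS:
            raise ValueError(f"signature {self.threat_id}: more than "
                             f"{MAX_EXEMPT_IPS} exempt IP addresses")

@dataclass
class Profile:
    name: str
    exceptions: dict = field(default_factory=dict)   # threat_id -> ThreatException

@dataclass
class Rule:
    name: str
    profiles: list = field(default_factory=list)     # profiles attached to the rule

def used_in_current_rule(profile, rules):
    """True if some security policy rule has the profile attached; an
    exception in an unattached profile is defined but not enforced."""
    return any(profile.name == p.name for r in rules for p in r.profiles)

def effective_action(threat_id, default_action, src, dst, matched_rule):
    """Return (action, reason) for a threat hit on a session that matched
    matched_rule. Only profiles attached to that rule can supply an exception."""
    for profile in matched_rule.profiles:
        exc = profile.exceptions.get(threat_id)
        if exc is None:
            continue
        if exc.exempt_ips and src not in exc.exempt_ips and dst not in exc.exempt_ips:
            return default_action, (f"exception in {profile.name} is limited to exempt "
                                    f"IPs and neither {src} nor {dst} matches")
        return exc.action, f"exception in {profile.name} active via rule {matched_rule.name}"
    return default_action, "no active exception; default signature action applies"

def exempt_profiles_report(threat_id, profiles, rules):
    """Profiles that define an exception for the signature, with whether each
    is currently enforced (the check mark) or merely configured."""
    return {p.name: used_in_current_rule(p, rules)
            for p in profiles if threat_id in p.exceptions}

# Constructed policy: vp-web is attached to allow-web; vp-staging is attached to
# nothing, so its exception changes no enforcement.
SIG = 12345                                   # constructed signature ID
DEFAULT_ACTION = "reset-both"                 # constructed default signature action
VP_WEB = Profile("vp-web", {SIG: ThreatException(SIG, "alert", {"10.1.1.5"})})
VP_STAGING = Profile("vp-staging", {SIG: ThreatException(SIG, "allow")})
VP_DEFAULT = Profile("vp-default")
RULES = [Rule("allow-web", [VP_WEB]), Rule("allow-db", [VP_DEFAULT])]
```

The report shows the practitioner's check: vp-staging lists an exception for the signature, but the check mark is absent because no rule uses it, so traffic is still handled by the default action. The same session from a non-exempt source (10.1.1.6 here) through allow-web is reset even though vp-web contains the exception.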
Field/Button Description
Search AutoFocus for... Click to launch an AutoFocus search for the artifact.
Sessions The number of private sessions in which WildFire detected the artifact. Private
sessions are sessions running only on firewalls associated with your support
account. Hover over a session bar to view the number of sessions per month.
Samples Organization and global samples (files and email links) associated with the artifact
and grouped by WildFire verdict (benign, grayware, malware, phishing). Global
refers to samples from all WildFire submissions, while organization refers only to
samples submitted to WildFire by your organization.
Click on a WildFire verdict to launch an AutoFocus search for the artifact filtered
by scope (organization or global) and WildFire verdict.
Request The domain that submitted a DNS request. Click the domain to launch an
AutoFocus search for it.
Response The IP address or domain to which the DNS request resolved. Click the IP address
or domain to launch an AutoFocus search.
First Seen The date and time that the Request, Response, and Type combination was first
seen based on passive DNS history.
Last Seen The date and time that the Request, Response, and Type combination was most
recently seen based on passive DNS history.
SHA256 The SHA-256 hash for a sample. Click the hash to launch an AutoFocus search for
that hash.
Create Date The date and time that WildFire analyzed a sample and assigned a WildFire verdict
to it.
Update Date The date and time that WildFire updated the WildFire verdict for a sample.
Verdict The WildFire verdict for a sample: benign, grayware, malware, or phishing.
File Name Enter a name (maximum of 200 characters) to identify the exported data. This name
becomes the name of the downloaded file that is generated by the export.
File Type Select the type of export output to generate. You can choose either PDF or CSV
format.
Page Size The default page size is Letter (8.5 by 11.0 inches). You cannot change the page size.
By default, the PDF is generated in portrait orientation and changes to landscape
orientation to accommodate the maximum number of columns.
Description (PDF only) Enter a description (maximum of 255 characters) to provide context and
additional information about the export.
Table Data Shows the table data that will be exported. If you need to clear the filtering settings
that you set previously, click Show All Columns to show all policy rules under the
selected policy type. Then you can add or remove columns and apply filters as
needed.
Show All Columns Remove all filters and show all table columns.
You must have the ZTP plugin installed on your Panorama management server to access
ZTP functionality.
STEP 1 | After powering on the firewall, use a terminal emulator such as PuTTY to watch for the
following CLI prompt:
Do you want to exit ZTP mode and configure your firewall in standard mode
(yes/no)[no]?
Enter yes. The system then asks you to confirm. Enter yes again to boot the firewall in standard mode.
STEP 2 | (If you miss the above CLI prompt) You can also change your boot mode using the web interface.
Go to the firewall login screen at any point before or during the startup process. A prompt asks
if you want to continue booting in ZTP mode or if you want to switch to standard mode. Select
Standard Mode and the firewall begins rebooting in standard mode.
STEP 3 | Set up the firewall manually if using standard mode. If using ZTP mode, the device group and
template configuration defined on the Panorama management server are automatically pushed
to the firewall by the ZTP service.
• (Standard mode) Change the IP address on your computer to an address in the 192.168.1.0/24
network, such as 192.168.1.2. From a web browser, go to https://192.168.1.1. When prompted, log
in to the web interface using the default username and password (admin/admin).
• (ZTP mode) Follow the instructions provided by your Panorama administrator to register your ZTP
firewall. You must enter the serial number (12-digit number identified as S/N) and claim key (8-digit
number). These numbers are on stickers attached to the back of the device.
PAN-OS WEB INTERFACE HELP | Dashboard
© 2021 Palo Alto Networks, Inc.
Dashboard Widgets
By default, the Dashboard displays widgets in a Layout of 3 Columns but you can customize the Dashboard
to display only 2 Columns, instead.
You can also decide which widgets to display or hide so that you see only those you want to monitor. To
display a widget, select a widget category from the Widgets drop-down and select a widget to add it to the
Dashboard (widget names that appear in faded grayed-out text are already displayed). Hide (stop displaying)
a widget by closing the widget (close icon in the widget header). The firewalls and Panorama save your
widget display settings across logins (separately for each administrator).
Refer to the Last updated timestamp to determine when the Dashboard data was last refreshed. You can
manually refresh the entire Dashboard (refresh icon in the top right corner of the Dashboard) or you can
refresh individual widgets (refresh icon within each widget header). Use the unlabeled drop-down next
to the manual Dashboard refresh option to select the automatic refresh interval for the entire Dashboard
(in minutes): 1 min, 2 mins, or 5 mins; to disable automatic refresh for the entire Dashboard, select
Manual.
Application Widgets
Top Applications Displays the applications with the most sessions. The block size indicates the
relative number of sessions (mouse over the block to view the number), and
the color indicates the security risk—from green (lowest) to red (highest). Click
an application to view its application profile.
Top High Risk Applications Similar to Top Applications except that it displays the highest-risk
applications with the most sessions.
ACC Risk Factor Displays the average risk factor (1-5) for the network traffic processed over
the past week. Higher values indicate higher risk.
System Widgets
General Information Displays the firewall or Panorama name and model, the Panorama CPU and
RAM, the Panorama system mode, the PAN-OS® or Panorama software
version, the IPv4 and IPv6 management IP information, the serial number, the
CPU ID and UUID, the application, threat, and URL filtering definition versions,
the current date and time, and the length of time since the last restart.
System Resources Displays the Management CPU usage, Data Plane usage, and the Session
Count (the number of sessions established through the firewall or Panorama).
Logged In Admins Displays the source IP address, session type (web interface or CLI), and session
start time for each administrator who is currently logged in.
Logs Widgets
Threat Logs Displays the threat ID, application, and date and time for the last 10 entries in
the Threat log. The threat ID is a malware description or URL that violates the
URL filtering profile. Displays only entries from the last 60 minutes.
URL Filtering Logs Displays the description and date and time for the last 60 minutes in the URL
Filtering log.
Data Filtering Logs Displays the description and date and time for the last 60 minutes in the Data
Filtering log.
Config Logs Displays the administrator username, client (web interface or CLI), and date
and time for the last 10 entries in the Configuration log. Displays only entries
from the last 60 minutes.
System Logs Displays the description and date and time for the last 10 entries in the System
log.
A First Glance at the ACC
The following table shows the ACC tab and describes each component.
1 Tabs The ACC includes predefined tabs that provide visibility into network traffic,
threat activity, blocked activity, tunnel activity, and mobile network activity (if
GTP security is enabled). For information on each tab, see ACC Tabs.
2 Widgets Each tab includes a default set of widgets that best represent the events and
trends associated with the tab. The widgets allow you to survey the data using
the following filters: bytes (in and out), sessions, content (files and data), URL
categories, applications, users, threats (malicious, benign, grayware, phishing), and
count. For information on each widget, see ACC Widgets.
3 Time The charts and graphs in each widget provide a real-time and historic view. You
can choose a custom range or use the predefined time periods that range from the
last 15 minutes up to the last 90 days or last 30 calendar days.
The time period used to render data, by default, is the last hour. The date and time
interval are displayed on screen. For example:
4 Global Filters The global filters allow you to set the filter across all tabs. The charts and graphs
apply the selected filters before rendering the data. For information on using the
filters, see ACC Actions.
5 Application View The application view allows you to filter the ACC view by either the sanctioned
and unsanctioned applications in use on your network, or by the risk level of the
applications in use on your network. Green indicates sanctioned applications, blue
6 Risk Meter The risk meter (1=lowest to 5=highest) indicates the relative security risk on your
network. The risk meter uses a variety of factors such as the type of applications
seen on the network and the risk levels associated with the applications, the
threat activity and malware as seen through the number of blocked threats, and
compromised hosts or traffic to malware hosts and domains.
7 Source The data used for the display varies between the firewall and Panorama™. You
have the following options to select what data is used to generate the views on
the ACC:
Virtual System: On a firewall that is enabled for multiple virtual systems, you can
use the Virtual System drop-down to change the ACC display to include all virtual
systems or just a selected virtual system.
Device Group: On Panorama, you can use the Device Group drop-down to
change the ACC display to include data from all device groups or just a selected
device group.
Data Source: On Panorama, you can also change the display to use Panorama or
Remote Device Data (managed firewall data). When the data source is Panorama,
you can filter the display for a specific device group.
8 Export You can export the widgets displayed in the current tab as a PDF.
You can also customize tabs and widgets as described in Working with Tabs and Widgets.
1 View You can sort the data by bytes, sessions, threats, count, users, content,
applications, URLs, malicious, benign, grayware, phishing, file(name)s, data,
profiles, objects, portals, gateways, and profiles. The available options vary by
widget.
2 Graph The graphical display options are treemap, line graph, horizontal bar graph,
stacked area graph, stacked bar graph, pie chart, and map. The available options
vary by widget and the interaction experience varies with each graph type. For
example, the widget for Applications using Non-Standard Ports allows you to
choose between a treemap and a line graph.
To drill down into the display, click on the graph. The area you click on becomes
a filter and allows you to zoom in and view more granular information about that
selection.
3 Table The detailed view of the data used to render the graph displays in a table below
the graph.
You can click and set a local filter or a global filter for elements in the table. With a
local filter, the graph is updated and the table is sorted by that filter.
With a global filter, the view across the ACC pivots to display only the information
specific to your filter.
4 Actions The following are actions available in the title bar of a widget:
For a description of each widget, see the details on using the ACC.
• Edit a tab.
Select the tab and click edit next to the tab name to edit the tab.
• Export a tab
1. Edit a tab.
2. Select the export icon to export the current tab. The tab downloads to your computer as a .txt file.
You must enable pop-ups to download the file.
• Import a tab
1. Add a custom tab.
2. Select the import icon to import a tab.
3. Browse to the text (.txt) file and select it.
• To delete a widget or widget group, edit the tab and then click delete ( [X] ). You cannot undo a
deletion.
1. Select a widget and click Filter.
2. Add the filters you want to apply.
3. Click Apply. These filters are persistent across reboots.
The number of local filters applied on a widget is indicated next to the widget name.
• Remove a filter.
• Negate filters.
Monitor > Logs
The following topics provide additional information about monitoring logs.
Log Types
• Monitor > Logs
The firewall displays all logs so that role-based administration permissions are respected. Only the
information that you are permitted to see is visible, which varies depending on the types of logs you are
viewing. For information on administrator permissions, see Device > Admin Roles.
Traffic Displays an entry for the start and end of each session. Each
entry includes the date and time, source and destination zones,
addresses and ports, application name, security rule name applied
to the flow, rule action (allow, deny, or drop), ingress and egress
interface, number of bytes, and session end reason.
The Type column indicates whether the entry is for the start or
end of the session, or whether the session was denied or dropped.
A “drop” indicates that the security rule that blocked the traffic
specified “any” application, while a “deny” indicates the rule
identified a specific application.
If traffic is dropped before the application is identified, such as
when a rule drops all traffic for a specific service, the application is
shown as “not-applicable”.
Drill down in traffic logs for more details on individual entries,
artifacts, and actions:
• Click Details to view additional details about the session,
such as whether an ICMP entry aggregates multiple sessions
between the same source and destination (the Count value will
be greater than one).
• On a firewall with an active AutoFocus™ license, hover next to
an IP address, filename, URL, user agent, threat name, or hash
Threat Displays an entry for each security alarm generated by the firewall.
Each entry includes the date and time, a threat name or URL, the
source and destination zones, addresses, and ports, the application
name, security rule name applied to the flow, and the alarm action
(allow or block) and severity.
The Type column indicates the type of threat, such as “virus” or
“spyware;” the Name column is the threat description or URL; and
the Category column is the threat category (such as “keylogger”) or
URL category.
Drill down in threat logs for more details on individual entries,
artifacts, and actions:
• Click Details to view additional details about the threat,
such as whether the entry aggregates multiple threats of the
same type between the same source and destination (the Count
value will be greater than one).
• On a firewall with an active AutoFocus license, hover next to
an IP address, filename, URL, user agent, threat name, or hash
contained in a log entry and click the drop-down to open
the AutoFocus Intelligence Summary for that artifact.
• If local packet captures are enabled, click Download to
access captured packets. To enable local packet captures, refer
to the subsections under Objects > Security Profiles.
• To view more details about a threat or to quickly configure
threat exemptions directly from the threat logs, click the threat
name in the Name column. The Exempt Profiles list shows all
custom Antivirus, Anti-spyware, and Vulnerability protection
profiles. To configure an exemption for a threat signature,
select the check box to the left of the security profile name and
save your change. To add exemptions for IP Addresses (up to
100 IP addresses per signature), highlight the security profile,
add the IP address(es) in the Exempt IP Addresses section and
click OK to save. To view or modify the exemption, go to the
associated security profile and click the Exceptions tab. For
example, if the threat type is vulnerability, select Objects >
Security Profiles > Vulnerability Protection, click the associated
profile then click the Exceptions tab.
• To add a device to the quarantine list (Device > Device
Quarantine), open the Host ID drop-down for the device and
Block Device (in the pop-up dialog).
URL Filtering Displays logs for URL filters, which control access to websites and
whether users can submit credentials to websites.
WildFire Submissions Displays logs for files and email links that the firewall forwarded
for WildFire™ analysis. The WildFire cloud analyzes the sample
and returns analysis results, which include the WildFire verdict
assigned to the sample (benign, malware, grayware, or phishing).
You can confirm if the firewall allowed or blocked a file based on
Security policy rules by viewing the Action column.
On a firewall with an active AutoFocus license, hover next to an IP
address, filename, URL, user agent, threat name, or hash (in the File
Digest column) contained in a log entry and click the drop-down
to open the AutoFocus Intelligence Summary for the artifact.
Data Filtering Displays logs for the security policies with attached Data Filtering
profiles, to help prevent sensitive information such as credit card
or social security numbers from leaving the area protected by the
firewall, and File Blocking profiles, that prevent certain file types
from being uploaded or downloaded.
To configure password protection for access to the details of a log
entry, click the icon, enter the password, and click OK. Refer to Device >
Response Pages for instructions on changing or deleting the data
protection password.
HIP Match Displays all HIP matches that the GlobalProtect™ gateway
identifies when comparing the raw HIP data reported by the agent
to the defined HIP objects and HIP profiles. Unlike other logs, a
HIP match is logged even when it does not match a security policy.
For more information, refer to Network > GlobalProtect > Portals.
To add a device to the quarantine list (Device > Device
Quarantine), open the Host ID drop-down for the device and
Block Device (in the pop-up dialog).
IP-Tag Displays information about how and when a tag was applied to a
particular IP address. Use this information to determine when and
why a particular IP address was placed in an address group and
what policy rules impact that address. The log includes Receive
Time (the date and time when the first and last packet of the
session arrived), Virtual System, Source IP-Address, Tag, Event,
Timeout, Source Name, and Source Type.
Tunnel Inspection Displays an entry for the start and end of each inspected tunnel
session. The log includes the Receive Time (date and time the first
and last packet in the session arrived), Tunnel ID, Monitor Tag,
Session ID, Security rule applied to the tunnel traffic, and more.
See Policies > Tunnel Inspection for more information.
System Displays an entry for each system event. Each entry includes the
date and time, the event severity, and an event description.
Alarms The alarms log records detailed information on alarms that are
generated by the system. The information in this log is also
reported in Alarms. Refer to Define Alarm Settings.
You can use the Unified log set with the AutoFocus threat intelligence portal. Set up an AutoFocus
search to add AutoFocus search filters directly to the Unified log filter field.
Log Actions
The following table describes log actions.
Action Description
Filter Logs Each log page has a filter field at the top of the page. You can add artifacts to the field,
such as an IP address or a time range, to find matching log entries. The icons to the
right of the field enable you to apply, clear, create, save, and load filters.
• Create a filter:
• Click an artifact in a log entry to add that artifact to the filter.
• Click Add to define new search criteria. For each criterion, select the
Connector that defines the search type (and or or), the Attribute on which to
base the search, an Operator to define the scope of the search, and a Value for
evaluation against log entries. Add each criterion to the filter field and Close
when you finish. You can then apply the filter.
Export Logs Click Export to CSV to export all logs matched to the current filter to a CSV-formatted
report and continue to Download file. By default, the report contains up to 2,000 lines of logs.
To change the line limit for generated CSV reports, select Device > Setup > Management >
Logging and Reporting Settings > Log Export and Reporting and enter a new Max Rows in CSV
Export value.
Highlight Policy Actions Select to highlight log entries that match the action. The filtered logs are
highlighted in the following colors:
• Green—Allow
• Yellow—Continue, or override
• Red—Deny, drop, drop-icmp, rst-client, reset-server, reset-both, block-continue,
block-override, block-url, drop-all, sinkhole
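The following Python example, added here and not part of the PAN-OS help, illustrates two passages at once: the Type column semantics described under Traffic in the log types table above (start, end, deny, drop, and the not-applicable application), and the Log Actions table (a filter built from connector, attribute, operator and value; policy-action highlighting; CSV export capped at Max Rows). The log entries, attribute names and filter records are constructed; the operator names mirror the PAN-OS filter syntax (eq, neq, contains) but the evaluator is this example's own, not the firewall's filter engine.

```python
"""Traffic-log Type column and log actions, as an added example (not PAN-OS code).

explain_type() states what the Type column means for an entry, eval_filter()
evaluates a filter built the way the Log Actions table describes,
highlight_color() applies the policy-action colours, and export_csv() enforces
the Max Rows in CSV Export cap and reports whether the report was truncated.
"""
import csv
import io

# Constructed traffic-log entries; public addresses are from documentation ranges.
TRAFFIC_LOG = [
    {"type": "start", "src": "10.1.1.5", "dst": "203.0.113.10", "app": "web-browsing",
     "rule": "allow-web", "action": "allow"},
    {"type": "end", "src": "10.1.1.5", "dst": "203.0.113.10", "app": "web-browsing",
     "rule": "allow-web", "action": "allow"},
    {"type": "deny", "src": "10.1.1.7", "dst": "10.2.0.9", "app": "ssh",
     "rule": "deny-ssh", "action": "deny"},
    {"type": "drop", "src": "10.1.1.7", "dst": "10.2.0.9", "app": "not-applicable",
     "rule": "block-telnet", "action": "drop"},
    {"type": "drop", "src": "10.1.1.9", "dst": "10.2.0.9", "app": "not-applicable",
     "rule": "block-telnet", "action": "drop"},
]

def explain_type(entry):
    """Explain the Type column: deny means the rule identified a specific
    application, drop means the rule matched application any, and a drop with
    application not-applicable happened before the application was identified."""
    kind, app, rule = entry["type"], entry["app"], entry["rule"]
    if kind in ("start", "end"):
        return f"{kind} of a session allowed by rule {rule} (application {app})"
    if kind == "deny":
        return f"denied by rule {rule}, which identified application {app}"
    if kind == "drop":
        if app == "not-applicable":
            return f"dropped by rule {rule} before the application was identified"
        return f"dropped by rule {rule}, which matched application any"
    raise ValueError(f"unknown traffic-log type {kind!r}")

OPERATORS = {
    "eq": lambda actual, value: actual == value,
    "neq": lambda actual, value: actual != value,
    "contains": lambda actual, value: value in actual,
}

def eval_filter(entry, criteria):
    """Combine criteria left to right using each criterion's connector
    ('and' / 'or'); the first connector is ignored and an empty filter matches all."""
    result = None
    for c in criteria:
        matched = OPERATORS[c["operator"]](entry.get(c["attribute"], ""), c["value"])
        if result is None:
            result = matched
        elif c["connector"] == "and":
            result = result and matched
        elif c["connector"] == "or":
            result = result or matched
        else:
            raise ValueError(f"unknown connector {c['connector']!r}")
    return True if result is None else result

def filter_logs(entries, criteria):
    return [e for e in entries if eval_filter(e, criteria)]

HIGHLIGHT = {   # colours from the Highlight Policy Actions row
    "green": {"allow"},
    "yellow": {"continue", "override"},
    "red": {"deny", "drop", "drop-icmp", "rst-client", "reset-server", "reset-both",
            "block-continue", "block-override", "block-url", "drop-all", "sinkhole"},
}

def highlight_color(action):
    return next((color for color, acts in HIGHLIGHT.items() if action in acts), None)

def export_csv(entries, max_rows=2000):
    """Return (csv_text, truncated). The firewall caps the export at Max Rows in
    CSV Export (2,000 by default); a capped report is missing entries."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(entries[0]) if entries else [])
    writer.writeheader()
    writer.writerows(entries[:max_rows])
    return buf.getvalue(), len(entries) > max_rows
```

When exporting filtered logs for an investigation, check the truncated flag (or compare the row count against Max Rows in CSV Export) before drawing conclusions from the file: a report that exactly hits the cap is almost certainly incomplete.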
Monitor > External Logs > Traps ESM > Threat These threat events include all prevention, notification,
provisional, and post-detection events that are reported by the Traps agents.
Monitor > External Logs > Traps ESM > System ESM Server system events include changes related to ESM
status, licenses, ESM Tech Support files, and communication with WildFire.
Monitor > External Logs > Traps ESM > Policy Policy change events include changes to rules, protection
levels, content updates, hash control logs, and verdicts.
Monitor > External Logs > Traps ESM > Agent Agent change events occur on the endpoint and include
changes to content updates, licenses, software, connection status, one-time action rules, processes
and services, and quarantined files.
Monitor > External Logs > Traps ESM > Config ESM configuration change events include system-wide
changes to licensing, administrative users and roles, processes, restriction settings, and conditions.
Panorama can correlate discrete security events on the endpoints with events on the network to trace any
suspicious or malicious activity between the endpoints and the firewall. To view correlated events that
Panorama identifies, see Monitor > Automated Correlation Engine > Correlated Events.
What are correlation objects? See Monitor > Automated Correlation Engine > Correlation Objects.
What is a correlated event? See Monitor > Automated Correlation Engine > Correlated Events.
Where do I see the match evidence for a correlation match? Open the detailed log view (Details) of an entry in Monitor > Automated Correlation Engine > Correlated Events.
How can I see a graphical view of correlation matches? See the Compromised Hosts widget in ACC.
Name and Title: The label indicates the type of activity that the correlation object detects.
ID: A unique number identifies the correlation object. This number is in the 6000 series.
Category: A summary of the kind of threat or harm posed to the network, user, or host.
State: The state indicates whether the correlation object is enabled (active) or disabled (inactive).
Description: The description specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the escalation pattern or progression path that will be used to identify malicious activity or suspicious host behavior.
Field Description
Update Time: The timestamp when the match was last updated.
Object Name: The name of the correlation object that triggered the match.
Source Address: The IP address of the user from whom the traffic originated.
Source User: The user and user group information from the directory server, if User-ID™ is enabled.
Severity: A rating that classifies the risk based on the extent of damage caused.
Summary: A description that summarizes the evidence gathered on the correlated event.
To view the detailed log view, click Details for an entry. The detailed log view includes all the evidence for a match:
Match Information: Object Details presents information on the correlation object that triggered the match. For information on correlation objects, see Monitor > Automated Correlation Engine > Correlation Objects. Match Details is a summary of the match that includes the match time, the last update time on the match evidence, the severity of the event, and an event summary.
Match Evidence: This tab includes all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.
For a graphical display of the information in the Correlated Events tab, see the Compromised Hosts widget on the ACC > Threat Activity tab. In the Compromised Hosts widget, the display is aggregated by source user and IP address and sorted by severity.
To configure notifications when a correlated event is logged, go to the Device > Log Settings or
Panorama > Log Settings tab.
The packet capture feature is CPU-intensive and can degrade firewall performance. Only
use this feature when necessary and make sure to turn it off after you collect the required
packets.
Manage Filters (Configure Filtering): When enabling custom packet captures, define filters so that only the packets that match the filters are captured. This makes it easier to locate the information you need in the pcaps and reduces the processing power the firewall needs to perform the packet capture.
Click Add to add a new filter and configure the following fields:
• Id—Enter or select an identifier for the filter.
• Ingress Interface—Select the ingress interface on which you want to capture traffic.
• Source—Specify the source IP address of the traffic to capture.
• Destination—Specify the destination IP address of the traffic to capture.
Filtering (Configure Filtering): After defining filters, set Filtering to ON. If filtering is OFF, all traffic is captured.
Packet Capture (Configure Capturing): Click the toggle switch to turn packet capture ON or OFF. You must select at least one capture stage. Click Add and specify the following:
• Stage—Indicate the point at which to capture packets:
  • drop—When packet processing encounters an error and the packet is dropped.
  • firewall—When the packet has a session match or a first packet with a session is successfully created.
  • receive—When the packet is received on the dataplane processor.
  • transmit—When the packet is transmitted on the dataplane processor.
Captured Files (Captured Files): Contains a list of custom packet captures previously generated by the firewall. Click a file to download it to your computer. To delete a packet capture, select it and then Delete it.
• File Name—Lists the packet capture files. The file names are based on the file name you specify for the capture stage.
• Date—Date the file was generated.
• Size (MB)—The size of the capture file.
After you turn on packet capture and then turn it off, you must click Refresh before any new PCAP files display in this list.
Clear All Settings (Settings): Click Clear All Settings to turn off packet capture and clear all packet capture settings.
Antivirus: Select a custom Antivirus profile and, in the Antivirus tab, select Packet Capture.
Anti-Spyware: Select a custom Anti-Spyware profile, click the DNS Signatures tab and, in the Packet Capture drop-down, select single-packet or extended-capture.
Vulnerability Protection: Select a custom Vulnerability Protection profile and, in the Rules tab, click Add to add a new rule or select an existing rule. Then select the Packet Capture drop-down and select single-packet or extended-capture.
In Anti-Spyware and Vulnerability Protection profiles, you can also enable packet capture on
exceptions. Click the Exceptions tab and in the Packet Capture column for a signature, click
the drop-down and select single-packet or extended-capture.
(Optional) To set how many packets an extended threat packet capture collects (a global setting), select Device > Setup > Content-ID and, in the Content-ID™ Settings section, modify the Extended Packet Capture Length (packets) field (range is 1-50; default is 5).
After you enable packet capture on a security profile, you need to verify that the profile is part of a security
rule. For information on how to add a security profile to a security rule, see Security Policy Overview.
Each time the firewall detects a threat when packet capture is enabled on the security profile, you can download or export the packet capture.
Each threat type is color-coded as indicated in the legend below the chart. Click a country on the map to Zoom In and then Zoom Out as needed. These report pages offer the following top-bar options:
Filter: Applies a filter to display only the selected item. None displays all entries.
Count Sessions and Count Bytes: Determines whether to display session or byte information.
Zoom In and Zoom Out: Zoom in and zoom out of the map.
Field Description
Block Time: Month/day and hours:minutes:seconds when the IP address went on the Block IP List.
Type: Type of block action: whether the hardware (hw) or software (sw) blocked the IP address. When you configure a DoS Protection policy or a Security policy that uses a Vulnerability Protection profile to block connections from source IPv4 addresses, the firewall automatically blocks that traffic in hardware before those packets use CPU or packet buffer resources. If attack traffic exceeds the blocking capacity of the hardware, the firewall uses software to block the traffic.
Source IP Address: Source IP address of the packet that the firewall blocked.
Ingress Zone: Security zone assigned to the interface where the packet entered the firewall.
Time Remaining: Number of seconds remaining for the IP address to be on the Block IP List.
Block Source: Name of the classified DoS Protection profile or Vulnerability Protection object where you specified the Block IP action.
Total Blocked IPs: x out of y (z% used): Count of blocked IP addresses (x) out of the number of blocked IP addresses the firewall supports (y), and the corresponding percentage of blocked IP addresses used (z).
Search for specific Block IP List information: Select a value in a column, which enters a filter in the Filters field, and click the right arrow to initiate the search for entries with that value. Click the X to remove the filter.
View Block IP List entries beyond the current screen: Enter a page number in the Page field or click the single arrows to see the Next Page or Previous Page of entries. Click the double arrows to view the Last Page or First Page of entries.
View detailed information about an IP address on the Block IP List: Click the Source IP Address of an entry, which links to Network Solutions WhoIs with information about the address.
Clear the entire Block IP List: Click Clear All to permanently delete all entries, which means those packets are no longer blocked.
Test Run Time Frame: Select the time interval for the report—Last 24 Hours (default) or Last Calendar Day.
Run Now: Click Run Now to manually and immediately generate a report. The report displays in a new tab within the Botnet Report dialog.
No. of Rows: Specify the number of rows to display in the report (default is 100).
Scheduled: Select this option to automatically generate the report daily. By default, this option is enabled.
Query Builder: (Optional) Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones. For example, if you know that traffic initiated from the IP address 192.0.2.0 contains no potential botnet activity, you can add not (addr.src in 192.0.2.0) as a query to exclude that host from the report output.
• Connector—Select a logical connector (and or or). If you select Negate, the report will exclude the hosts that the query specifies.
• Attribute—Select a zone, address, or user that is associated with the hosts that the firewall evaluates for botnet activity.
• Operator—Select an operator to relate the Attribute to a Value.
• Value—Enter a value for the query to match.
The default Botnet report configuration is optimal. If you believe the default values identify
false positives, create a support ticket so Palo Alto Networks can reevaluate the values.
HTTP Traffic: Enable and define the Count for each type of HTTP traffic that the report will include. The Count values you enter are the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report displays the lower confidence score or (for certain traffic types) does not display an entry for the host.
• Malware URL visit (range is 2–1000; default is 5)—Identifies users
communicating with known malware URLs based on malware and
botnet URL filtering categories.
• Use of dynamic DNS (range is 2–1000; default is 5)—Looks for dynamic
DNS query traffic that might indicate malware, botnet communications,
or exploit kits. Generally, using dynamic DNS domains is very risky.
Malware often uses dynamic DNS to avoid IP address block lists.
Consider using URL filtering to block such traffic.
• Browsing to IP domains (range is 2–1000; default is 10)—Identifies users
who browse to IP domains instead of URLs.
• Browsing to recently registered domains (range is 2–1000; default is 5)
—Looks for traffic to domains that were registered within the past 30
days. Attackers, malware, and exploit kits often use newly registered
domains.
• Executable files from unknown sites (range is 2–1000; default is 5)—
Identifies executable files downloaded from unknown URLs. Executable
files are a part of many infections and, when combined with other types
of suspicious traffic, can help you prioritize host investigations.
Unknown Applications: Define the thresholds that determine whether the report will include traffic associated with suspicious Unknown TCP or Unknown UDP applications.
• Sessions Per Hour (range is 1–3600; default is 10)—The report includes
traffic that involves up to the specified number of application sessions
per hour.
• Destinations Per Hour (range is 1–3600; default is 10)—The report
includes traffic that involves up to the specified number of application
destinations per hour.
• Minimum Bytes (range is 1–200; default is 50)—The report includes
traffic for which the application payload equals or exceeds the specified
size.
• Maximum Bytes (range is 1–200; default is 100)—The report includes
traffic for which the application payload is equal to or less than the
specified size.
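The Query Builder syntax and the Count thresholds of the HTTP Traffic section are easier to reason about in code. The following Python script is an added example written for this page, not part of the PAN-OS help and not Palo Alto Networks code. It parses filters in the (attribute operator value) form that both the log filter field (Log Actions > Filter Logs) and the Botnet report Query Builder use, evaluates them over constructed URL-log-like entries, tallies suspicious events per source host, and applies the page's default Count values. The grammar (connectors evaluated left to right, not for negation), the operators eq, neq and in, the mapping from URL categories and file type to traffic types, and the sample entries are all assumptions for illustration; the firewall's own classification and scoring are not described on the page.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed filter grammar shared by the log filter field and the Botnet report Query
# Builder: "(attribute operator value)" comparisons joined by "and"/"or" (evaluated
# left to right, no precedence), "not" for negation, parentheses for grouping.
TOKEN = re.compile(r"\(|\)|[^\s()]+")

def parse_query(text):
    """Parse e.g. 'not (addr.src in 192.0.2.0)' into a nested tuple tree."""
    toks = TOKEN.findall(text)
    def peek():
        return toks[0] if toks else None
    def take():
        if not toks:
            raise ValueError("unexpected end of filter")
        return toks.pop(0)
    def expr():
        node = term()
        while peek() in ("and", "or"):
            node = (take(), node, term())
        return node
    def term():
        tok = take()
        if tok == "not":
            return ("not", term())
        if tok == "(":
            if peek() in ("(", "not"):       # grouped sub-expression
                node = expr()
            else:                            # (attribute operator value)
                node = ("cmp", take(), take(), take())
            if take() != ")":
                raise ValueError("missing ')' in filter")
            return node
        raise ValueError(f"unexpected token {tok!r}")
    node = expr()
    if toks:
        raise ValueError("trailing tokens in filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one log entry (dict of attribute -> value)."""
    kind = node[0]
    if kind == "cmp":
        _, attr, op, value = node
        field = entry.get(attr)
        if field is None:
            return False
        if op == "in":  # address or subnet membership, e.g. addr.src in 10.0.0.0/8
            return ipaddress.ip_address(field) in ipaddress.ip_network(value, strict=False)
        if op in ("eq", "neq"):
            return (str(field) == value) == (op == "eq")
        raise ValueError(f"unsupported operator {op!r}")
    if kind == "not":
        return not matches(node[1], entry)
    left, right = matches(node[1], entry), matches(node[2], entry)
    return (left and right) if kind == "and" else (left or right)

# Default Count per HTTP traffic type from the page: at or above the Count a host
# gets the higher confidence score, below it the lower one.
DEFAULT_COUNTS = {"malware-url-visit": 5, "dynamic-dns": 5, "ip-domain-browsing": 10,
                  "recently-registered-domain": 5, "exe-from-unknown-site": 5}
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def classify(entry):
    """Assumed mapping from URL category / file type to a report traffic type."""
    cat, host = entry["category"], entry["host"]
    if cat in ("malware", "command-and-control"):
        return "malware-url-visit"
    if cat == "dynamic-dns":
        return "dynamic-dns"
    if cat == "newly-registered-domain":
        return "recently-registered-domain"
    if entry.get("file_type") == "pe" and cat == "unknown":
        return "exe-from-unknown-site"
    return "ip-domain-browsing" if IPV4_LITERAL.match(host) else None

def botnet_candidates(entries, query=None, counts=DEFAULT_COUNTS):
    """Keep entries matching the optional Query Builder filter, tally suspicious
    events per source host, and score each traffic type against its Count."""
    node = parse_query(query) if query else None
    tally = defaultdict(Counter)
    for entry in entries:
        if node is None or matches(node, entry):
            kind = classify(entry)
            if kind:
                tally[entry["addr.src"]][kind] += 1
    return {host: {k: {"count": n, "confidence": "high" if n >= counts[k] else "low"}
                   for k, n in per_type.items()} for host, per_type in tally.items()}

def _entry(src, host, category="unknown", file_type=None):
    return {"addr.src": src, "host": host, "category": category, "file_type": file_type}

# Constructed sample entries (not real firewall logs)
SAMPLE_LOGS = ([_entry("10.1.1.5", "evil-cdn.example", "malware")] * 6      # 6 >= 5 -> high
               + [_entry("10.1.1.5", "dyn.example", "dynamic-dns")] * 3      # 3 < 5 -> low
               + [_entry("10.1.1.5", "files.example", "unknown", "pe")] * 5  # 5 >= 5 -> high
               + [_entry("10.1.1.9", "203.0.113.7")] * 10                    # 10 >= 10 -> high
               + [_entry("192.0.2.0", "198.51.100.4")] * 12)                 # removed by the query
```

Calling botnet_candidates(SAMPLE_LOGS, "not (addr.src in 192.0.2.0)") returns only 10.1.1.5 and 10.1.1.9, each with a count and confidence per traffic type; without the query the 192.0.2.0 host appears with twelve IP-domain visits. Because the toy grammar has no operator precedence, group mixed and/or expressions with parentheses, as the firewall's own filter field also expects.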
To create PDF summary reports, click Add. The PDF Summary Report page opens to show all of the
available report elements.
Managing PDF Reports
There is a maximum of 18 report elements allowed. If you have 18 already, you must
delete existing elements before you can add new ones.
To Save the report, enter a report name, and click OK.
To display PDF reports, select Monitor > Reports, click PDF Summary Report to select a report, and click a
day in the calendar to download a report for that day.
New PDF summary reports will not appear until after the report runs, which will occur
automatically every 24 hours at 2 a.m.
Name: Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Type: For a User Activity Report, select User and enter the Username or IP address (IPv4 or IPv6) of the user who will be the subject of the report. For a Group Activity Report, select Group and enter the Group Name.
Additional Filters: Select Filter Builder to create filters for the User/Group Activity Report.
Time Period: Select the time frame for the report from the drop-down.
Include Detailed Browsing: (Optional) Select this option to include detailed URL logs in the report. The detailed browsing information can include a large volume of logs (thousands) for the selected user or user group and cause a report to be very large.
The Group Activity Report does not include Browsing Summary by URL Category; all other
information is common across the User Activity Report and the Group Activity Report.
To run the report on demand, click Run Now. To change the maximum number of rows that display in the
report, see Logging and Reporting Settings.
To save the report, click OK. You can then schedule the report for email delivery (Monitor > PDF Reports >
Email Scheduler).
Log Filter Text Box: Write the filter you would like to apply to the log. You can write multiple filters. Select Apply to apply the built filter to the User Activity or Group Activity Report.
Make sure you tag applications consistently across all firewalls or device groups. If the same
application is tagged as sanctioned in one virtual system and is not sanctioned in another—
or on Panorama, if an application is unsanctioned in a parent device group but is tagged as
sanctioned in a child device group (or vice versa)—the SaaS Application Usage report will
produce overlapping results.
On the ACC, set the Application View to By Sanctioned State to visually identify applications
that have different sanctioned state across virtual systems or device groups. Green
indicates sanctioned applications, blue is for unsanctioned applications, and yellow indicates
applications that have a different sanctioned state across different virtual systems or device
groups.
To configure the report, click Add and specify the following information:
Name: Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Time Period: Select the time frame for the report from the drop-down. The report includes data from the current day (the day on which the report is generated).
Include logs from: From the drop-down, select whether you want to generate the report on a selected user group, on a selected zone, or for all user groups and zones configured on the firewall or Panorama.
• For a selected user group—Select the User Group for which the firewall or Panorama will filter the logs.
• For a selected zone—Select the Zone for which the firewall or Panorama will filter the logs.
• For all user groups and zones—You can report on all groups or choose up to 25 user groups for which you want visibility. If you have more than 25 groups, the firewall or Panorama will display the top 25 groups in the report and assign all remaining user groups to the Others group.
Include user group information in the report (not available if you choose to generate the report on a Selected User Group): This option filters the logs for the user groups you want to include in the report. Select the manage groups or the manage groups for the selected zone link to choose up to 25 user groups for which you want visibility. When you generate a report for specific user groups on a selected zone, users who are not a member of any of the selected groups are assigned to a user group called Others.
User group: Select the user group(s) for which you want to generate the report. This option displays only when you choose Selected User Group in the Include logs from drop-down.
Zone: Select the zone for which you want to generate the report. This option displays only when you choose Selected Zone in the Include logs from drop-down. You can then select include user group information in the report.
Include detailed application category information in report: The SaaS Application Usage PDF report is a two-part report. By default, both parts of the report are generated. The first part of the report (ten pages) focuses on the SaaS applications used on your network during the reporting period. Clear this option if you do not want the second part of the report, which includes detailed information for SaaS and non-SaaS applications for each application subcategory listed in the first part of the report. This second part includes the names of the top applications in each subcategory and information about users, user groups, files, bytes transferred, and threats generated from these applications. Without the detailed information, the report is ten pages long.
Limit max subcategories in the report to: Select whether you want to use all application subcategories in the SaaS Application Usage report or whether you want to limit the maximum number to 10, 15, 20, or 25 subcategories. When you reduce the maximum number of subcategories, the detailed report is shorter because you limit the SaaS and non-SaaS application activity information included in the report.
Name: Enter a name to identify the report group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Title Page: Select this option to include a title page in the report.
Title: Enter the name that will appear as the report title.
Report selection / Widgets: For each report to include in the group, select the report in the left column and Add it to the right column. You can select the following report types:
• Predefined Report
• Custom Report
• PDF Summary Report
• CSV
• Log View—Whenever you create a custom report, the firewall automatically creates a Log View report with the same name. The Log View report shows the logs that the firewall used to build the contents of the custom report. To include the log view data when creating a report group, add your Custom Reports and then add the matching Log View reports. The aggregate report generated for the report group displays the custom report data followed by the log data.
After you save the report group, the Widgets column of the Report Groups
page lists the reports you added to the group.
To use the report group, refer to Monitor > PDF Reports > Email Scheduler.
Name: Enter a name to identify the schedule (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Report Group: Select the report group (Monitor > PDF Reports > Report Groups) or the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage) you want to schedule.
Email Profile: Select the profile that defines the email settings. Refer to Device > Server Profiles > Email for information on defining email profiles.
Recurrence: Select the frequency at which to generate and send the report.
Override Email Addresses: Enter an optional email address to use instead of the recipient specified in the email profile.
Send test email: Click to send a test email to the email address defined in the selected Email Profile.
After the firewall has generated a scheduled custom report, you risk invalidating the past
results of that report if you modify its configuration to change its future output. If you need to
modify a scheduled report configuration, the best practice is to create a new report.
Add a custom report to create a new one. To base the report on an existing template, Load Template and
select the template. To generate a report on demand, instead of or in addition to the Scheduled time, click
Run Now. Specify the following settings to define the report.
Name: Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Database: Choose the database to use as the data source for the report.
Scheduled: Select this option to run the report each night. The report then becomes available by selecting Monitor > Reports.
Time Frame: Choose a fixed time frame or choose Custom and specify a date and time range.
Sort By: Choose sorting options to organize the report, including the amount of information to include in the report. The available options depend on the choice of database.
Group By: Choose grouping options to organize the report, including the amount of information to include in the report. The available options depend on the choice of database.
Columns: Select Available Columns to include in the custom report and add them to Selected Columns. Select Up, Down, Top, and Bottom to reorder selected columns. As needed, you can also select and remove previously selected columns.
Query Builder: To build a report query, specify the following and click Add. Repeat as needed to construct the full query.
• Connector—Choose the connector (and or or) to precede the expression you are adding.
• Negate—Select this option to interpret the query as a negation. For example, negating a query for entries from the past 24 hours that originated in the untrust zone matches entries that are not from the past 24 hours or are not from the untrust zone.
• Attribute—Choose a data element. The available options depend on the choice of database.
Policy Types
Policies enable you to control firewall operation by enforcing rules and automating actions. The firewall
supports the following policy types:
• Basic security policies to block or allow a network session based on the application, the source and
destination zones and addresses, and—optionally—based on the service (port and protocol). Zones
identify the physical or logical interfaces that send or receive the traffic. See Policies > Security.
• Network Address Translation (NAT) policies to translate addresses and ports. See Policies > NAT.
• Quality of Service (QoS) policies to determine how traffic is classified for treatment when it passes
through an interface with QoS enabled. See Policies > QoS.
• Policy-based forwarding policies to override the routing table and specify an egress interface for traffic.
See Policies > Policy Based Forwarding.
• Decryption policies to specify traffic decryption for security policies. Each policy can specify the
categories of URLs for the traffic you want to decrypt. SSH decryption is used to identify and control
SSH tunneling in addition to SSH shell access. See Policies > Decryption.
• Tunnel Inspection policies to enforce Security, DoS Protection, and QoS policies on tunneled traffic, and
to view tunnel activity. See Policies > Tunnel Inspection.
• Override policies to override the application definitions provided by the firewall. See Policies >
Application Override.
• Authentication policies to define authentication for end users who access network resources. See
Policies > Authentication.
• Denial of service (DoS) policies to protect against DoS attacks and take protective action in response to
rule matches. See Policies > DoS Protection.
• SD-WAN policies to determine link path management between the source and destination zones when
link path health degrades below the approved, configured health metrics. See Policies > SD-WAN.
Shared policies pushed from Panorama™ display in orange on the firewall web interface. You can edit these shared policies only on Panorama; you cannot edit them on the firewall.
View Rulebase as Groups to view all the tag groups used in a rulebase. In rule bases with many rules,
viewing the rulebase as groups simplifies the display by presenting the tags, color code, and the number of
rules in each group while preserving the established rule hierarchy.
Selected Rules: Displays the Name and current Location (virtual system or device group) of the policy rules you selected for the operation.
Destination: Select the new location for the policy or object: a virtual system, device group, or Shared. The default value is the Virtual System or Device Group that you selected in the Policies or Objects tab.
Error out on first detected error in validation: Select this option (selected by default) to make the firewall or Panorama display the first error it finds and stop checking for more errors. For example, an error occurs if the Destination doesn't include an object that is referenced in the policy rule you are moving. If you clear this selection, the firewall or Panorama will find all errors before displaying them.
• Audit Comments
• Config Logs (between commits)
• Rule Changes
Audit Comments
View the Audit Comment history for a selected policy rule. Apply and save filters to quickly identify specific
audit comments and to export the displayed audit comments in CSV format.
Field Description
Config Version: Configuration revision version. 0 indicates the first time the policy rule was created and committed to Panorama.
Field Description
Before Change: Rule information before the change occurred. For example, if you rename a rule, the previous name is displayed.
After Change: Rule information after the change occurred. For example, if you rename a rule, the new name is displayed.
Rule Changes
View and compare configuration versions of the selected policy rule to analyze what changes occurred. In the drop-down, select the two policy rule config versions you want to compare.
Task Description
Hit Count
Timeframe: Indicate the time frame to query the selected rulebase. Select from the predetermined time frames or set a Custom time frame.
Usage: Select the rule usage to query: Any, Unused, Used, or Partially Used (Panorama only).
Since: (Custom Timeframe only) Select the date and time from which to query the policy rulebase.
Exclude rules reset during the last _ days: Select this option to exclude any rules that were manually reset by a user within the specified number of days.
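As an added example (written for this page, not PAN-OS code), the following Python function applies the Hit Count query options above to constructed rule-usage records. It shows why Exclude rules reset during the last _ days matters: after a manual reset, a rule that was busy yesterday looks identical to one that was never hit. The record layout follows the rule-usage columns on the page (hit count, first hit, last hit, modified); the reset_at field, the field names, and the sample rules are assumptions.

```python
from datetime import datetime, timedelta, timezone


def rule_usage_query(rules, now, usage="Unused", timeframe_days=30, since=None,
                     exclude_reset_days=None):
    """Names of the rules selected by a Hit Count query.

    rules: dicts with name, hit_count, first_hit, last_hit, modified, reset_at
    (datetimes or None; reset_at is an assumed field recording a manual counter reset).
    usage: "Any", "Used" or "Unused" within the timeframe.
    since: custom timeframe start; when None the last timeframe_days are used.
    exclude_reset_days: skip rules reset within that many days, because a reset
    erases the hits that would otherwise prove the rule is in use.
    """
    start = since if since is not None else now - timedelta(days=timeframe_days)
    cutoff = None if exclude_reset_days is None else now - timedelta(days=exclude_reset_days)
    selected = []
    for rule in rules:
        used = rule["last_hit"] is not None and rule["last_hit"] >= start
        if (usage == "Used" and not used) or (usage == "Unused" and used):
            continue
        if cutoff is not None and rule["reset_at"] is not None and rule["reset_at"] >= cutoff:
            continue
        selected.append(rule["name"])
    return selected


NOW = datetime(2021, 10, 6, tzinfo=timezone.utc)   # fixed clock for the sample


def days_ago(n):
    return NOW - timedelta(days=n)


def _rec(name, hits, first, last, modified=None, reset=None):
    return {"name": name, "hit_count": hits, "first_hit": first, "last_hit": last,
            "modified": modified, "reset_at": reset}


# Constructed rule-usage records (not from a real firewall)
SAMPLE_RULES = [
    _rec("allow-web", 48210, days_ago(400), days_ago(0)),
    _rec("legacy-ftp", 3, days_ago(390), days_ago(200)),
    _rec("temp-vendor", 0, None, None, modified=days_ago(45)),
    _rec("dmz-smtp", 0, None, None, reset=days_ago(3)),   # counter reset three days ago
]
```

With a 90-day timeframe and Usage set to Unused, dmz-smtp is listed alongside the genuinely idle rules unless exclude_reset_days covers the recent reset; a custom Since of one year brings legacy-ftp back into the Used set. Treat a rule as a removal candidate only when the Unused result holds across a timeframe longer than any counter reset.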
Actions
PDF/CSV: Export the filtered policy rules currently displayed in PDF or CSV format.
Reset Rule Hit Counter: Reset the rule usage data for the Selected rules or for All rules that have been filtered and are currently displayed.
Tag: Apply one or more group tags to one or more selected policy rules. The group tag must already exist in order to tag the policy rule(s).
Untag: Remove one or more group tags from one or more selected policy rules.
Field Description
Device Group: Device group that the device or virtual system belongs to.
Hit Count: Total number of traffic matches for the policy rule.
Last Hit: Date and time of the latest traffic match for the policy rule.
First Hit: Date and time of the first traffic match for the policy rule.
Last Update Received: Date and time of the last rule usage information the Panorama management server received from the device.
Modified: Date and time the policy rule was last modified. The column is blank if the policy rule has not been modified.
What are the fields available to create a Security policy rule? See Building Blocks in a Security Policy Rule.
How can I use the web interface to manage Security policy rules? See Creating and Managing Policies, Overriding or Reverting a Security Policy Rule, Applications and Usage, and Security Policy Optimizer.
To ensure that end users authenticate when they try to access your network resources, the
firewall evaluates Authentication policy before Security policy. For details, see Policies >
Authentication.
For traffic that doesn’t match any user-defined rules, the default rules apply. The default rules—displayed at
the bottom of the security rulebase—are predefined to allow all intrazone traffic (within the zone) and deny
all interzone traffic (between zones). Although these rules are part of the predefined configuration and are
read-only by default, you can Override them and change a limited number of settings, including the tags,
action (allow or deny), log settings, and security profiles.
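To see how the two default rules combine with first-match evaluation and with the Rule Type setting (universal, intrazone, interzone, described under the Building Blocks below), here is an added Python model of a Security rulebase. It is illustrative code written for this page, not PAN-OS code. It models only zones, source addresses with the Negate option, applications, and the predefined intrazone-allow and interzone-deny defaults; the rule names, zones, addresses, and the exact interzone semantics (traffic between two different listed zones) are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    rule_type: str = "universal"                 # universal | intrazone | interzone
    src_zones: frozenset = frozenset({"any"})
    dst_zones: frozenset = frozenset({"any"})
    src_addrs: frozenset = frozenset({"any"})    # CIDR strings, or "any"
    negate_src: bool = False                     # the Negate option on Source Address
    apps: frozenset = frozenset({"any"})


def _in_set(allowed, value):
    return "any" in allowed or value in allowed


def _addr_in(cidrs, ip):
    if "any" in cidrs:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def rule_matches(rule, s):
    """True if session dict s (src_zone, dst_zone, src_ip, app) hits the rule."""
    same_zone = s["src_zone"] == s["dst_zone"]
    src_ok = _in_set(rule.src_zones, s["src_zone"])
    dst_ok = _in_set(rule.dst_zones, s["dst_zone"])
    if rule.rule_type == "intrazone":
        zone_ok = same_zone and src_ok           # destination zone is implied
    elif rule.rule_type == "interzone":
        zone_ok = (not same_zone) and src_ok and dst_ok
    else:                                        # universal: both kinds of traffic
        zone_ok = src_ok and dst_ok
    if not zone_ok:
        return False
    addr_hit = _addr_in(rule.src_addrs, s["src_ip"])
    if rule.negate_src and "any" not in rule.src_addrs:
        addr_hit = not addr_hit                  # everything in the zone EXCEPT these
    return addr_hit and _in_set(rule.apps, s["app"])


# The read-only defaults at the bottom of the rulebase: intrazone allow, interzone deny.
DEFAULT_RULES = (
    Rule("intrazone-default", "allow", "intrazone"),
    Rule("interzone-default", "deny", "interzone"),
)


def evaluate(rules, session):
    """First match wins, top to bottom, with the default rules evaluated last."""
    for rule in (*rules, *DEFAULT_RULES):
        if rule_matches(rule, session):
            return rule.name, rule.action
    raise RuntimeError("unreachable: one default rule always matches")


def session(src_zone, dst_zone, src_ip="10.10.1.1", app="ssl"):
    return {"src_zone": src_zone, "dst_zone": dst_zone, "src_ip": src_ip, "app": app}


# Constructed rulebase (made-up names, zones and addresses)
RULES = [
    # the page's universal example: zones A and B on both sides
    Rule("ab-universal", "allow", "universal", frozenset({"A", "B"}), frozenset({"A", "B"}),
         apps=frozenset({"ping"})),
    # intrazone: only traffic that starts and ends inside "lab"
    Rule("lab-intrazone", "allow", "intrazone", frozenset({"lab"})),
    # Negate: deny every trust host reaching dc EXCEPT the managed 10.10.0.0/16
    Rule("deny-unmanaged-to-dc", "deny", "universal", frozenset({"trust"}), frozenset({"dc"}),
         frozenset({"10.10.0.0/16"}), negate_src=True),
    Rule("allow-trust-to-dc", "allow", "universal", frozenset({"trust"}), frozenset({"dc"}),
         apps=frozenset({"ssl", "ssh"})),
]
```

evaluate(RULES, session("A", "B", app="ping")) hits ab-universal, as do A to A, B to B and B to A, which is the page's universal example; the same session with app ssh falls through every rule to interzone-default and is denied, while trust-to-trust traffic that nothing matches lands on intrazone-default and is allowed. The negated rule shows the order dependence practitioners trip over: the deny with Negate must sit above the allow, or the managed-subnet exception never takes effect.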
The interface includes the following tabs for defining Security policy rules.
• General—Select the General tab to configure a name and description for the Security policy rule.
• Source—Select the Source tab to define the source zone or source address from which the traffic
originates.
• User—Select the User tab to enforce policy for individual users or a group of users. If you are using GlobalProtect™ with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user's access level can be determined by the HIP, which notifies the firewall about the user's local configuration. The HIP information can be used for granular access control based on the security programs that are running on the host, registry values, and many other checks such as whether the host has antivirus software installed.
Rule number (N/A): The firewall automatically numbers each rule and the order of the rules will change as rules are moved. When you filter rules to match specific filters, each rule displays with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order. Panorama independently numbers pre-rules and post-rules. When Panorama pushes rules to a managed firewall, the rule numbering incorporates hierarchy in pre-rules, firewall rules, and post-rules within a rulebase and reflects the rule sequence and its evaluation order.
Name (General tab): Enter a name to identify the rule. The name is case-sensitive and can have up to 63 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Rule Type (General tab): Specifies whether the rule applies to traffic within a zone, between zones, or both:
• universal (default)—Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, and all traffic from zone A to zone B and all traffic from zone B to zone A.
• intrazone—Applies the rule to all matching traffic within the specified source zones (you cannot specify a
Source Zone (Source): Add source zones (default is Any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Source Address (Source): Add source addresses, address groups, or regions (default is Any). Select from the drop-down or select Address object, Address Group, or Regions (bottom of the drop-down) to specify the settings. Objects > Addresses and Objects > Address Groups describe the types of address objects and address groups, respectively, that a Security policy rule supports.
Selecting the Negate option will apply the rule to source addresses from the specified zone except for the addresses specified.
Source User (Source): Add the source users or groups of users subject to the policy:
• any—Includes any traffic regardless of user data.
• pre-logon—Includes remote users that are connected to the network using GlobalProtect, but are not logged into
Source Device (Source): Add the host devices subject to the policy:
• any—Includes any device.
• no-hip—HIP information is not required. This setting enables access from third-party devices that cannot collect or submit HIP information.
• quarantine—Includes any device that is in the quarantine list (Device > Device Quarantine).
• select—Includes selected devices as determined by your configuration. For example, you can add a device object based on model, OS, OS family, or vendor.
Source HIP Profile (Source): Add host information profiles (HIP) to enable you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions installed. Using host information profiles for policy enforcement enables granular security that ensures that the remote hosts accessing your critical resources are adequately maintained and in adherence with your security standards before they are allowed to access your network resources. The following source HIP profiles are supported:
Network Slice (Source): Add one or more source network slices based on network slice service type (SST) in a 5G network, as follows:
• Standardized (predefined) SST
  • eMBB (enhanced Mobile Broadband)—For faster speeds and high data rates, such as video streaming.
  • URLLC (Ultra-Reliable Low-Latency Communications)—For mission-critical applications that are sensitive to latency, such as critical IoT (healthcare, wireless payments, home control, and vehicle communication).
  • MIoT (Massive Internet of Things)—For example, smart metering, smart waste management, anti-theft, asset management, and location tracking.
• Network Slice SST - Operator-Specific—You name and specify the slice. The format of the slice name is text followed by a comma (,) and a number (range is 128 to 255). For example, Enterprise Oil2,145.
Destination Zone (Destination): Add destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
Application (Application): Add specific applications for the Security policy rule. If an application has multiple functions, you can select the overall application or individual functions. If you select the overall application, all functions are included and the application definition is automatically updated as future functions are added.
If you are using application groups, filters, or containers in the Security policy rule, you can view details of these objects by hovering over the object in the Application column, opening the drop-down, and selecting Value. This allows you to view application members directly from the policy without having to navigate to the Object tab.
Service (Service/URL Category): Select the services that you want to limit to specific TCP or UDP port numbers. Choose one of the following from the drop-down:
• any—The selected applications are allowed or denied on any protocol or port.
• application-default—The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks®. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocols which, if unintentional, can be a sign of undesired application behavior and usage.
Action Setting (Actions): Select the Action the firewall takes on traffic that matches the attributes defined in a rule:
• Allow (default)—Allows the matched traffic.
• Deny—Blocks matched traffic and enforces the default Deny Action defined for the application that is denied. To view the deny action defined by default for an application, view the application details (Objects > Applications).
Because the default deny action varies by application, the firewall could block the session and send a reset for one application while it silently drops the session for another application.
• Drop—Silently drops the application. A TCP reset is not sent to the host or application unless you select Send ICMP Unreachable.
• Reset client—Sends a TCP reset to the client-side device.
• Reset server—Sends a TCP reset to the server-side device.
• Reset both client and server—Sends a TCP reset to both the client-side and server-side devices.
• Send ICMP Unreachable—Available only for Layer 3 interfaces. When you configure a Security policy rule to drop traffic or to reset the connection, the traffic does not reach the destination host. In such cases, for all UDP traffic and for TCP traffic that is dropped, you can enable the firewall to send an ICMP Unreachable response to the source IP address from where the traffic originated. Enabling this setting allows the source to gracefully close or clear the session and prevents applications from breaking.
To view the ICMP Unreachable Packet Rate configured on the firewall, view Session Settings (Device > Setup > Session).
To override the default action defined on the predefined interzone and intrazone rules, see Overriding or Reverting a Security Policy Rule.
Profile Setting (Actions): To specify the additional checking that the firewall performs on packets that match the Security policy rule, select individual Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, File Blocking, Data Filtering, WildFire Analysis, Mobile Network Protection, and SCTP Protection profiles. To specify a profile group rather than individual profiles, select the Profile Type to be Group and then select a Group Profile.
Log Setting and Other Settings (Actions): To generate entries in the local traffic log for traffic that matches this rule, select the following options:
• Log At Session Start (disabled by default)—Generates a traffic log entry for the start of a session.
You can also modify the log settings on the default rules.
Specify any combination of the following options:
• Schedule—To limit the days and times when the rule is in effect, select a schedule from the drop-down. Define New schedules as needed (refer to Settings to Control Decrypted SSL Traffic).
• QoS Marking—To change the Quality of Service (QoS) setting on packets matching the rule, select IP DSCP or
Basics (Rule Usage):
• Rule Created—Creation date and time of the rule.
• Last Edited—The last date and time the rule was edited.
Activity (Rule Usage):
• Hit Count—The total number of times traffic matched (hit) the rule.
• First Hit—Time of the first rule match.
• Last Hit—Time of the last rule match.
Traffic (past 30 days) (Rule Usage):
• Bytes—The amount of traffic on the rule over the past 30 days in bytes.
Any (target all devices) (Target, Panorama only): Enable (check) to push the policy rule to all managed firewalls in the device group.
Tags (Panorama only): Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag.
Target to all but these specified devices and tags (Panorama only): Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).
Task Description
Add: Add a new policy rule or select a rule on which to base a new rule and Clone Rule. The copied rule, “rulen”, is inserted below the selected rule, where n is the next available integer that makes the rule name unique. For details on cloning, see Move or Clone a Policy Rule.
Override and Revert actions pertain only to the default rules displayed at the bottom of the Security rulebase. These predefined rules—allow all intrazone traffic and deny all interzone traffic—instruct the firewall about how to handle traffic that does not match any other rule in the rulebase. Because they are part of the predefined configuration, you must Override them to edit select policy settings. If you are using Panorama, you can also Override the default rules and then push them to firewalls in a Device Group or Shared context. You can also Revert the default rules, which restores the predefined settings or the settings pushed from Panorama. For details, see Overriding or Reverting a Security Policy Rule.
Move: Rules are evaluated from the top down and as they are enumerated on the Policies page. To change the order in which the rules are evaluated against network traffic, select a rule and Move Up, Move Down, Move Top, Move Bottom, or Move to a different rulebase or device group. For details, see Move or Clone a Policy Rule.
Copy UUID: Copy the UUID of the rule to the clipboard for use when searching the configuration or the logs.
Enable/Disable: To disable a rule, select and Disable it; to enable a rule that is disabled, select and Enable it.
Monitor Rule Usage: To identify rules that have not been used since the last time the firewall was restarted, Highlight Unused Rules. Unused rules have a dotted background. You can then decide whether to Disable a rule or Delete it. Rules not currently in use are displayed with a dotted yellow background. When policy rule hit count is enabled, the Hit Count data is used to determine whether a rule is unused.
Each firewall maintains a traffic flag for the rules that have a match. Because the flag is reset when a dataplane reset occurs on a reboot or a restart, it is best practice to monitor this list periodically to determine whether the rule had a match since the last check before you delete or disable it.
Reset rule Hit count: The Hit Count tracks the total traffic hits for the policy rule. The total traffic hit count persists through reboot, upgrade, and data plane restart.
Alternatively, Reset Rule Hit Counter (bottom menu). To clear the hit count statistics, select All Rules or select specific rules and reset hit count statistics only for the Selected rules.
View the First Hit to identify when the Security policy was first hit. The date is formatted as date hh:mm:ss year. You cannot reset this value.
View the Last Hit to identify when the Security policy was last used. The date is formatted as date hh:mm:ss year. You cannot reset this value.
Show/Hide columns: Show or hide the columns that display under Policies. Select the column name to toggle the display.
Apply filters: To apply a filter to the list, select from the Filter Rules drop-down. To define a filter, choose Filter from the item drop-down.
The default rules are not part of rulebase filtering and always show up in the list of filtered rules.
To view the network sessions that were logged as matches against the policy, choose Log Viewer from the rule name drop-down.
To display the current value, choose Value from the entry drop-down. You can also edit, filter, or remove items directly from the column menu. For example, to view addresses included in an address group, hover over the object in the Address column and select Value from the drop-down. This allows you to quickly view the members and the corresponding IP addresses for the address group without having to navigate to the Object tab.
To find objects used within a policy based on their name or IP address, use the filter. After you apply the filter, you will see only the items that match the filter. The filter also works with embedded objects. For example, when you filter on 10.1.4.8, only the policy that contains that address is displayed:
Preview rules (Panorama only): Preview Rules to view a list of the rules before you push the rules to the managed firewalls. Within each rulebase, the hierarchy of rules is visually demarcated for each device group (and managed firewall) to make it easier to scan through a large number of rules.
Export Configuration Table: Administrative roles with a minimum of read-only access can export the policy rulebase as PDF/CSV. You can apply filters to create more specific table configuration
Highlight Unused Rule: Highlight any policy rule with no traffic matches in the Rule Usage column.
Group: Manage tag groups when you have the View Rulebase as Groups box checked. You can perform the following actions:
• Move rules in group to different rulebase or device group—Move the selected tag group to a different device group.
• Change group of all rules—Move the rules in the selected tag group to a different tag group in the rulebase.
• Delete all rules in group—Deletes all rules in the selected tag group.
• Clone all rules in group—Clones the rules in the selected tag group to a device group.
View Rulebase as Groups: View Rulebase as Groups to view the policy rulebase using the tag used in Group Rules by Tag. The visible policy rules are those which belong to the selected tag group.
Test Policy Match: Perform a test of the protection policies for the selected policy rulebase to verify that the correct traffic is denied and allowed.
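The rulebase behaviour described in this section (top-down first match, the universal, intrazone and interzone rule types, the predefined intrazone-allow and interzone-deny rules at the bottom, and the Hit Count, First Hit and Last Hit usage data), as an added example that is not part of the PAN-OS documentation or product code. Zone and rule names are constructed, and the zone-matching logic is a reading of the text above, not the firewall's implementation.

```python
"""Added example (not Palo Alto Networks code): a simulator of the Security
rulebase behaviour documented above. It models top-down first-match
evaluation, the universal / intrazone / interzone rule types, the predefined
default rules at the bottom of the rulebase, and per-rule usage data
(Hit Count, First Hit, Last Hit). Rule and zone names are constructed; the
zone-match logic is derived from the text, not from the firewall."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set, Tuple

ANY = "any"
# Rule names: case-sensitive, up to 63 characters, letters, numbers, spaces,
# hyphens and underscores only (as documented for the Name field).
_NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,63}$")


def valid_rule_name(name: str) -> bool:
    return bool(_NAME_RE.match(name))


@dataclass
class Rule:
    name: str
    rule_type: str = "universal"      # universal | intrazone | interzone
    src_zones: Set[str] = field(default_factory=lambda: {ANY})
    dst_zones: Set[str] = field(default_factory=lambda: {ANY})
    action: str = "allow"             # allow | deny | drop | reset-client ...
    disabled: bool = False
    hit_count: int = 0
    first_hit: Optional[datetime] = None
    last_hit: Optional[datetime] = None

    def matches(self, src: str, dst: str) -> bool:
        """Zone match according to the rule type."""
        src_ok = ANY in self.src_zones or src in self.src_zones
        if self.rule_type == "intrazone":
            # Intrazone rules carry no destination zone: the traffic must start
            # and end in one of the listed source zones (assumption from text).
            return src_ok and src == dst
        dst_ok = ANY in self.dst_zones or dst in self.dst_zones
        if self.rule_type == "interzone":
            return src_ok and dst_ok and src != dst
        return src_ok and dst_ok      # universal: intrazone and interzone alike

    def record_hit(self, when: datetime) -> None:
        self.hit_count += 1
        if self.first_hit is None:
            self.first_hit = when
        self.last_hit = when

    def reset_hit_counter(self) -> None:
        """Reset Rule Hit Counter clears the count; First/Last Hit cannot be reset."""
        self.hit_count = 0


class Rulebase:
    def __init__(self, rules: List[Rule]):
        for r in rules:
            if not valid_rule_name(r.name):
                raise ValueError(f"invalid rule name: {r.name!r}")
        # The predefined rules always sit last: allow all intrazone traffic,
        # deny all interzone traffic (named here as PAN-OS names them).
        self.rules = list(rules) + [
            Rule("intrazone-default", "intrazone", action="allow"),
            Rule("interzone-default", "interzone", action="deny"),
        ]

    def evaluate(self, src_zone: str, dst_zone: str,
                 when: Optional[datetime] = None) -> Tuple[str, str]:
        """First enabled rule, top down, whose zones match decides the action."""
        when = when or datetime.now()
        for rule in self.rules:
            if rule.disabled:
                continue
            if rule.matches(src_zone, dst_zone):
                rule.record_hit(when)
                return rule.name, rule.action
        raise RuntimeError("unreachable: the default rules match every flow")

    def unused_rules(self) -> List[str]:
        """Equivalent of Highlight Unused Rules: rules with no traffic matches."""
        return [r.name for r in self.rules if r.hit_count == 0]


if __name__ == "__main__":
    rb = Rulebase([
        Rule("allow-web", src_zones={"trust"}, dst_zones={"untrust"}),
        Rule("dmz-to-trust-drop", "interzone", {"dmz"}, {"trust"}, "drop"),
        Rule("old-rule", src_zones={"guest"}, dst_zones={"untrust"}),
    ])
    print(rb.evaluate("trust", "untrust"))   # ('allow-web', 'allow')
    print(rb.evaluate("trust", "trust"))     # ('intrazone-default', 'allow')
    print(rb.evaluate("untrust", "trust"))   # ('interzone-default', 'deny')
    print(rb.unused_rules())                 # ['dmz-to-trust-drop', 'old-rule']
```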
General Tab
Name: The Name that identifies the rule is read-only; you cannot override it.
Rule Type: The Rule Type is read-only; you cannot override it.
Actions Tab
Action Setting: Select the appropriate Action for traffic that matches the rule.
• Allow—(default) Allows the traffic.
• Deny—Blocks traffic and enforces the default Deny Action that is
defined for the application that the firewall is denying. To view the
deny action that is defined by default for an application, view the
application details in Objects > Applications.
• Drop—Silently drops the application. The firewall does not send a
TCP reset message to the host or application.
• Reset client—Sends a TCP reset message to the client-side device.
• Reset server—Sends a TCP reset message to the server-side
device.
• Reset both—Sends a TCP reset message to both the client-side and
server-side devices.
Profile Setting: Profile Type—Assign profiles or profile groups to the security rule:
• To specify the checking that the default security profiles perform,
select Profiles and then select one or more of the individual
Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering,
File Blocking, Data Filtering, WildFire Analysis, SCTP Protection,
and Mobile Network Protection profiles.
• To assign a profile group rather than individual profiles, select
Group and then select a Group Profile from the drop-down.
• To define new profiles ( Objects > Security Profiles) or profile
groups, click New in the drop-down for the corresponding profile
or group profile.
You must have a SaaS Inline Security subscription to see the New App Viewer in the
interface. The New App Viewer includes cloud-delivered applications in addition to
content-delivered applications and if you don’t have a SaaS Inline Security subscription,
you don’t receive cloud-delivered applications.
• Policies > Security > Policy Optimizer > Rules Without App Controls and then click the number in Apps
Seen or click Compare.
• Policies > Security > Policy Optimizer > Unused Apps and then click the number in Apps Seen or click
Compare.
• Policies > Security and then click the number in Apps Seen.
On the Usage tab of the Security policy rule, you can also Compare Applications & Applications Seen to
access tools that help you to migrate from port-based Security policy rules to application-based Security
policy rules and to eliminate unused applications from rules in Applications & Usage.
Field Description
Apps Seen: All applications seen and allowed on the firewall that matched the rule. The number next to Apps Seen indicates how many applications were seen on the rule.
• Applications—The applications seen on the rule. For example, if a rule allows web-browsing traffic (as seen in Apps on Rule), you may see many applications in the Apps Seen list because there are many applications identified as web-browsing.
• Subcategory—The subcategory of the application.
• Risk—The risk rating of the application.
• First Seen—The first day the application was seen on the network.
• Last Seen—The most recent day the application was seen on the network.
Create Cloned Rule > Applications / Add to This Rule / Add to Existing Rule > Applications: Select applications and then clone or add individual applications to a rule:
• Name (Clone and Add Apps to Existing Rule dialogs only).
  • Clone: Enter the name of the new cloned rule.
  • Add Apps to Existing Rule: Select the rule to which to add applications or enter the name of the rule.
• Applications:
  • Add container app (default): Selects all apps in the container, apps seen on the rule, and container apps that have not been seen on the rule. Future apps seen for the
Create Cloned Rule > Application Group / Add to Existing Rule > Application Group: Select applications and then clone or add applications to a rule in an Application Group in the Create Cloned Rule or Add Apps to Existing Rule dialog box:
• Cloned Rule Name or Name:
  • Cloned Rule Name: Enter the name of the new cloned rule.
  • Name: Select the rule to which to add the Application Group or enter the name of the rule.
• Policy Action (Cloned rule only)—Select whether to allow or deny the traffic in the cloned rule.
• Add to Application Group—Select an existing group or type a new name to create a new Application Group.
• Applications:
  • Add container app (default): Selects all apps in the container, apps seen on the rule, and container apps that have not been seen on the rule. Future apps seen for the container will match the rule, thus future-proofing it as the app changes.
  • Add specific apps seen: Selects only apps that have actually been seen on the rule. (You can also manually select container apps and functional apps.)
• Application:
  • The selected applications seen on the rule, highlighted green.
Create Cloned Rule > Application Filter / Add to Existing Rule > Application Filter: Select applications and then clone or add applications to a rule in an Application Filter in the Create Cloned Rule or Add Apps to Existing Rule dialog box:
• Cloned Rule Name or Existing Rule Name:
  • Cloned Rule Name: Enter the name of the new cloned rule.
  • Existing Rule Name: Select the rule to which to add the Application Filter or enter the name of the rule.
• Policy Action (Cloned rule only)—Select whether to allow or deny the traffic in the cloned rule.
• Application Filter Name—Select an existing filter or type a new name to create a new Application Filter.
The Application Filter works the same way as Objects > Application Filters (see Create an Application Filter). You can filter cloud-based (with a SaaS Inline Security subscription) and content-based applications and add them to existing or new filters.
Traffic (Bytes, 30 days): Traffic (30 days)—The amount of traffic in bytes seen during the last 30-day period.
Apps Allowed: The applications that the rule allows. Open the Application dialog, from which you can add and delete applications on the rule.
Application: (New App Viewer only) The applications that the rule allows.
Apps Seen: The number of applications seen on the rule. Click the number to open the Applications & Usage dialog, which enables you to compare the applications configured on the rule against the applications seen on the rule and to modify the applications.
Day with No New Apps: The number of days since the last new application was seen on the rule.
(Rule Usage) Last Hit: The most recent time that traffic matched the rule.
(Rule Usage) First Hit: The first time that traffic matched the rule.
(Rule Usage) Hit Count: The number of times that traffic matched the rule.
Modified: The date and time that the rule was last modified.
Created: The date and time that the rule was created.
Timeframe: The time period (number of days) for which data is displayed.
Usage: Displays:
• Any (all) rules on the firewall over the specified Timeframe, regardless of whether traffic matched the rules (used rules) or not (unused rules).
• Unused rules that traffic has not matched over the specified Timeframe.
• Used rules that traffic has matched over the specified Timeframe.
Exclude rules reset during the last xx days: Does not display rules for which you Reset Rule Hit Counter within the specified number of days (from 1-5,000 days). For example, this enables you to examine older rules that have not matched traffic over a Timeframe while excluding newer rules that may not have had time to match traffic.
Reset Date: The last date on which the rule’s hit counter was reset.
Name: Enter a name to identify the rule. The name is case-sensitive and can have up to 63 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Tag: If you want to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword.
Group Rules by Tag: Enter a tag with which to group similar policy rules. The group tag allows you to view your policy rule base based on these tags. You can group rules based on a Tag.
Audit Comment: Enter a comment to audit the creation or editing of the policy rule. The audit comment is case-sensitive and can have up to 256 characters, which can be letters, numbers, spaces, hyphens, and underscores.
Audit Comment Archive: View previous Audit Comments for the policy rule. You can export the Audit Comment Archive in CSV format.
Source Zone / Destination Zone: Select one or more source and destination zones for the original (non-NAT) packet (default is Any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
You can specify multiple zones to simplify management. For example, you can configure settings so that multiple internal NAT addresses are directed to the same external IP address.
Destination Interface: Specify the destination interface of packets the firewall translates. You can use the destination interface to translate IP addresses differently in the case where the network is connected to two ISPs with different IP address pools.
Service: Specify the service for which the firewall translates the source or destination address. To define a new service group, select Objects > Service Groups.
Source Address / Destination Address: Specify a combination of source and destination addresses for the firewall to translate.
For NPTv6, the prefixes configured for Source Address and Destination Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
Source Address Translation: Select the Translation Type (dynamic or static address pool) and enter an IP address or address range (address1—address2) to which the source address is translated (Translated Address). The size of the address range is limited by the type of address pool:
• Dynamic IP and Port—Address selection is based on a hash of the source IP address. For a given source IP address, the firewall uses the same translated source address for all sessions. Dynamic IP and Port (DIPP) source NAT supports approximately 64,000 concurrent sessions on each IP address in the NAT pool. Some models support oversubscription, which allows a single IP to host more than 64,000 concurrent sessions.
Palo Alto Networks® DIPP NAT supports more NAT sessions than are supported by the number of available IP addresses and ports. With oversubscription, the firewall can use IP address and port combinations two times simultaneously on PA-220, PA-820, PA-850, VM-50, VM-300, and VM-1000-HV firewalls, four times simultaneously on PA-5220 firewall and PA-3200 Series firewalls, and eight times simultaneously on PA-5250, PA-5260, PA-5280, PA-7050, PA-7080, VM-500, and VM-700 firewalls when destination IP addresses are unique.
• Dynamic IP—Translates to the next available address in the specified range but the port number remains unchanged. Up to 32,000 consecutive IP addresses are supported. A dynamic IP pool can contain multiple subnets, so you can translate your internal network addresses to two or more separate public subnets.
• Advanced (Dynamic IP/Port Fallback)—Use this option to create a fallback pool that performs IP and port translation and is used if the primary pool runs out of addresses. You can define addresses for the pool by using the Translated Address option or the Interface Address option; the latter option is for interfaces that receive an IP address dynamically. When creating a fallback pool, make sure addresses do not overlap with addresses in the primary pool.
• Static IP—The same address is always used for the translation and the port is unchanged. For example, if the source range is 192.168.0.1—192.168.0.10 and the translation range is 10.0.0.1—10.0.0.10, address 192.168.0.2 is always translated to 10.0.0.2. The address range is virtually unlimited.
You must use Static IP translation for NPTv6 Source Address Translation. For NPTv6, the prefixes configured for Translated Address must be in the format xxxx:xxxx::/yy and the address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
Bi-directional: (Optional) Enable bidirectional translation for a Static IP source address translation if you want the firewall to create a corresponding translation (NAT or NPTv6) in the opposite direction of the translation you configure.
Destination Address Translation: Configure the following options to have the firewall perform destination NAT. You typically use Destination NAT to allow an internal server, such as an email server, to be accessible from the public network.
Translation Type and Translated Address: Select the type of translation the firewall performs on the destination address:
• None (default)
• Static IP—Enter a Translated Address as an IP address or range of IP addresses and a Translated Port number (1 to 65535) to which the original destination address and port number are translated. If the Translated Port field is blank, the destination port is not changed.
For NPTv6, the prefixes configured for the Destination prefix Translated Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
Session Distribution Method: If you select the destination NAT translation to be to Dynamic IP (with session distribution), it’s possible that the destination translated address (to an FQDN, address object, or address group) can resolve to more than one address. You can choose how the firewall distributes (assigns) sessions among those addresses to provide more balanced session distribution:
• Round Robin—(default) Assigns new sessions to IP addresses in rotating order. Unless your environment dictates that you choose one of the other distribution methods, use this method.
Enable DNS Rewrite: In PAN-OS 9.0.2 and later 9.0 releases, if the destination NAT policy rule type is ipv4 and the destination address translation type is Static IP, the Enable DNS Rewrite option is available. You can enable DNS rewrite if you use destination NAT and also use DNS services on one side of the firewall to resolve FQDNs for a client on the other side of the firewall. When the DNS response traverses the firewall, the firewall rewrites the IP address in the DNS response, relative to the original destination address or translated destination address that the DNS response matches in the NAT policy rule. A single NAT policy rule has the firewall perform NAT on packets that match the rule and perform NAT on IP addresses in DNS responses that match the rule. You must specify how the firewall performs NAT on an IP address in a DNS response relative to the NAT rule—reverse or forward:
• reverse—(default) If the packet is a DNS response that matches the translated destination address in the rule, translate the DNS response using the reverse translation that the rule uses. For example, if the rule translates 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
• forward—If the packet is a DNS response that matches the original destination address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
Any (target all devices): Enable (check) to push the policy rule to all managed firewalls in the device group.
Devices: Select one or more managed firewalls associated with the device group to push the policy rule to.
Tags: Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag.
Target to all but these specified devices and tags: Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).
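The translation behaviours described in the NAT rows above, worked through with Python's ipaddress module as an added example that is not Palo Alto Networks code: positional Static IP range mapping, the NPTv6 prefix constraints (no host bits, /32 to /64), hash-based DIPP address selection, and the reverse and forward DNS rewrite cases. All addresses, ranges and the pool are constructed, and the SHA-256 hash is an illustrative stand-in for the firewall's own selection function.

```python
"""Added example (not Palo Alto Networks code): worked versions of the NAT
translation behaviours documented above. Addresses, ranges and the pool are
constructed; the DIPP hash is an illustrative stand-in, not the firewall's."""
import hashlib
import ipaddress
from typing import List


def _parse_range(rng: str):
    """'a-b' (or the document's 'a—b' notation) to (first, last) addresses."""
    parts = rng.replace("\u2014", "-").split("-")
    first, last = (ipaddress.ip_address(p.strip()) for p in parts)
    return first, last


def static_ip_translate(addr: str, original_range: str, translated_range: str) -> str:
    """Static IP: position N of the original range always maps to position N of
    the translated range (192.168.0.2 -> 10.0.0.2 in the documented example).
    The port is left unchanged and is not modelled here."""
    ip = ipaddress.ip_address(addr)
    o_first, o_last = _parse_range(original_range)
    t_first, t_last = _parse_range(translated_range)
    if not (o_first <= ip <= o_last):
        raise ValueError(f"{addr} is outside the original range")
    if int(o_last) - int(o_first) != int(t_last) - int(t_first):
        raise ValueError("original and translated ranges differ in size")
    return str(t_first + (int(ip) - int(o_first)))


def nptv6_prefix_ok(prefix: str) -> bool:
    """NPTv6 prefixes must be xxxx:xxxx::/yy with no interface-identifier
    (host) bits set and a prefix length between /32 and /64."""
    try:
        # strict=True rejects any prefix whose host bits are non-zero.
        net = ipaddress.IPv6Network(prefix, strict=True)
    except ValueError:
        return False
    return 32 <= net.prefixlen <= 64


def dipp_translated_address(src_ip: str, pool: List[str]) -> str:
    """Dynamic IP and Port: the translated address is chosen by a hash of the
    source IP, so a given source always lands on the same pool address.
    (Illustrative hash; the firewall's own function is not documented here.)"""
    digest = hashlib.sha256(ipaddress.ip_address(src_ip).packed).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def dns_rewrite(answer_ip: str, original_dst: str, translated_dst: str,
                direction: str = "reverse") -> str:
    """Enable DNS Rewrite for a destination NAT rule original_dst -> translated_dst.
    reverse: an answer equal to the translated address is rewritten back to
             the original address (the rule's translation applied in reverse).
    forward: an answer equal to the original address is rewritten to the
             translated address (the rule's translation applied as-is).
    Any other answer passes through unchanged."""
    if direction not in ("reverse", "forward"):
        raise ValueError("direction must be 'reverse' or 'forward'")
    if direction == "reverse" and answer_ip == translated_dst:
        return original_dst
    if direction == "forward" and answer_ip == original_dst:
        return translated_dst
    return answer_ip


if __name__ == "__main__":
    print(static_ip_translate("192.168.0.2", "192.168.0.1-192.168.0.10",
                              "10.0.0.1-10.0.0.10"))                 # 10.0.0.2
    print(nptv6_prefix_ok("2001:db8:1::/48"), nptv6_prefix_ok("2001:db8::1/48"))
    print(dns_rewrite("192.168.1.10", "1.1.1.10", "192.168.1.10"))   # 1.1.1.10
    print(dns_rewrite("1.1.1.10", "1.1.1.10", "192.168.1.10", "forward"))
```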
General Tab
Name: Enter a name to identify the rule (up to 63 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Tag: If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
Group Rules by Tag: Enter a tag with which to group similar policy rules. The group tag allows you to view your policy rule base based on these tags. You can group rules based on a Tag.
Audit Comment: Enter a comment to audit the creation or editing of the policy rule. The audit comment is case-sensitive and can have up to 256 characters, which can be letters, numbers, spaces, hyphens, and underscores.
Audit Comment Archive: View previous Audit Comments for the policy rule. You can export the Audit Comment Archive in CSV format.
Source Tab
Source Zone Select one or more source zones (default is any). Zones must be of the same
type (Layer 2, Layer 3, or virtual wire).
Source Address Specify the source IPv4 or IPv6 addresses to which the QoS rule applies (default is any). To select specific addresses, choose select from the drop-down and do any of the following:
• Select the check box next to the appropriate addresses and/or address groups in the Available column, and click Add to add your selections to the Selected column.
• Enter the first few characters of a name in the search field to list all addresses and address groups that start with those characters. Selecting an item in the list selects its check box in the Available column. Repeat this process as often as needed, and then click Add.
• Enter one or more IP addresses (one per line), with or without a network
mask. The general format is: <ip_address>/<mask>
• To remove addresses, select them (Selected column) and click Delete or
select any to clear all addresses and address groups.
To add new addresses that can be used in this or other policies, click New
Address. To define new address groups, select Objects > Address Groups.
Source User Specify the source users and groups to which the QoS policy will apply.
Negate Select this option to have the policy apply if the specified information on
this tab does NOT match.
Destination Tab
Destination Zone Select one or more destination zones (default is any). Zones must be of the
same type (Layer 2, Layer 3, or virtual wire).
Destination Address Specify the destination IPv4 or IPv6 addresses to which the QoS rule applies (default is any). To select specific addresses, choose select from the drop-down and do any of the following:
• Select the check box next to the appropriate addresses and/or address groups in the Available column, and click Add to add your selections to the Selected column.
• Enter the first few characters of a name in the search field to list all addresses and address groups that start with those characters. Selecting an item in the list selects its check box in the Available column. Repeat this process as often as needed, and then click Add.
• Enter one or more IP addresses (one per line), with or without a network
mask. The general format is: <ip_address>/<mask>.
• To remove addresses, select them (Selected column) and click Delete or
select any to clear all addresses and address groups.
To add new addresses that can be used in this or other policies, click New
Address.
Negate Select this option to have the policy apply if the specified information on
this tab does not match.
Application Tab
Application Select specific applications for the QoS rule. To define new applications or
application groups, select Objects > Applications.
If an application has multiple functions, you can select the overall
application or individual functions. If you select the overall application,
all functions are included, and the application definition is automatically
updated as future functions are added.
If you are using application groups, filters, or containers in the QoS rule, you can view details on these objects by holding your mouse over the object in the Application column, clicking the down arrow, and selecting Value. This lets you view application members directly from the policy without going to the Objects tab.
Service Select services to limit the rule to specific TCP and/or UDP port numbers. Choose one of the following from the drop-down:
• any—The rule matches the selected applications on any protocol or port.
• application-default—The rule matches the selected applications only on their default ports as defined by Palo Alto Networks, so traffic on non-standard ports is not placed in the QoS class unintentionally.
• Select—Click Add. Choose an existing service or choose Service or Service Group to specify a new entry.
DSCP/TOS Tab
Any Select Any (default) to allow the policy to match to traffic regardless of the
Differentiated Services Code Point (DSCP) value or the IP Precedence/Type
of Service (ToS) defined for the traffic.
Class Choose the QoS class to assign to the rule, and click OK. Class
characteristics are defined in the QoS profile. Refer to Network > Network
Profiles > QoS for information on configuring settings for QoS classes.
Schedule • Select None for the policy rule to remain active at all times.
• From the drop-down, select Schedule (calendar icon) to set a single time
range or a recurring time range during which the rule is active.
Any (target all devices) Enable (check) to push the policy rule to all managed firewalls in the device group.
Devices Select one or more managed firewalls associated with the device group to push the policy rule to.
Tags Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag.
Target to all but these specified devices and tags Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).
Field Description
Name Enter a name to identify the rule. The name is case-sensitive and can have
up to 63 characters, which can be letters, numbers, spaces, hyphens, and
underscores. The name must be unique on a firewall and, on Panorama,
unique within its device group and any ancestor or descendant device
groups.
Tag If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies.
This is useful when you have defined many policies and want to view those
that are tagged with a particular keyword. For example, you may want
to tag certain security policies with Inbound to DMZ, decryption policies
with the words Decrypt and No-decrypt, or use the name of a specific data
center for policies associated with that location.
Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag allows
you to view your policy rule base based on these tags. You can group rules
based on a Tag.
Audit Comment Enter a comment to audit the creation or editing of the policy rule. The
audit comment is case-sensitive and can have up to 256 characters, which
can be letters, numbers, spaces, hyphens, and underscores.
Audit Comment Archive View previous Audit Comments for the policy rule. You can export the
Audit Comment Archive in CSV format.
Field Description
Source Zone To choose source zones (default is any), click Add and select from the drop-
down. To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you
have three different internal zones (Marketing, Sales, and Public Relations)
that are all directed to the untrusted destination zone, you can create one
rule that covers all cases.
Source Address Click Add to add source addresses, address groups, or regions (default
is any). Select from the drop-down, or click Address, Address Group, or
Regions at the bottom of the drop-down, and specify the settings.
Source User Click Add to choose the source users or groups of users subject to the
policy. The following source user types are supported:
• any—Include any traffic regardless of user data.
• pre-logon—Include remote users that are connected to the network
using GlobalProtect™, but are not logged into their system. When the
Pre-logon option is configured on the Portal for GlobalProtect apps, any
user who is not currently logged into their machine will be identified
with the username pre-logon. You can then create policies for pre-logon
users and although the user is not logged in directly, their machines are
authenticated on the domain as if they were fully logged in.
• known-user—Includes all authenticated users, which means any IP with
user data mapped. This option is equivalent to the “domain users” group
on a domain.
• unknown—Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest level access because guests will have an IP on your network, but are not authenticated to the domain and do not have IP address-to-user mapping information on the firewall.
Field Description
Destination Address Click Add to add destination addresses or address groups (default is any).
By default, the rule applies to Any IP address. Select from the drop-down,
or click Address or Address Group at the bottom of the drop-down, and
specify the settings.
Application/Service Select specific applications or services for the PBF rule. To define new
applications, refer to Defining Applications. To define application groups,
refer to Objects > Application Groups.
You can view details on these applications by holding your mouse over the
object in the Application column, clicking the down arrow, and selecting
Value. This enables you to easily view application information directly from
the policy without having to go to the Object tabs.
Next Hop If you direct the packet to a specific interface, specify the Next Hop for the
packet in one of the following ways:
• IP Address—Select IP Address and select an address object (or create a
new address object) that uses an IPv4 or IPv6 address.
• FQDN—Select FQDN and select an address object (or create a new
address object) that uses an FQDN.
• None—There is no next hop; the packet is dropped.
Enforce Symmetric Return (Required for asymmetric routing environments) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List. Enabling symmetric return ensures that return traffic (such as from the Trust zone on the LAN to the Internet) is forwarded out through the same interface through which traffic ingresses from the internet.
Schedule To limit the days and times when the rule is in effect, select a schedule from the drop-down. To define new schedules, refer to Objects > Schedules.
Any (target all devices) Enable (check) to push the policy rule to all managed firewalls in the device group.
Devices Select one or more managed firewalls associated with the device group to push the policy rule to.
Tags Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag.
Target to all but these specified devices and tags Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).
The firewall doesn’t decrypt applications that break decryption technically, for example
because they use pinned certificates or client authentication.
Refer to the List of Applications Excluded from SSL Decryption.
Field Description
Name Enter a name to identify the rule. The name is case-sensitive and
can have up to 63 characters, which can be letters, numbers, spaces,
hyphens, and underscores. The name must be unique on a firewall
and, on Panorama, unique within its device group and any ancestor or
descendant device groups.
Tag If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword.
Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag
allows you to view your policy rule base based on these tags. You can
group rules based on a Tag.
Audit Comment Enter a comment to audit the creation or editing of the policy rule. The
audit comment is case-sensitive and can have up to 256 characters,
which can be letters, numbers, spaces, hyphens, and underscores.
Audit Comment Archive View previous Audit Comments for the policy rule. You can export the
Audit Comment Archive in CSV format.
Field Description
Source Zone Click Add to choose source zones (default is any). Zones must be of the
same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to
Network > Zones.
Multiple zones can be used to simplify management. For example, if you
have three different internal zones (Marketing, Sales, and Public Relations)
that are all directed to the untrusted destination zone, you can create one
rule that covers all cases.
Source Address Click Add to add source addresses, address groups, or regions (default
is any). Select from the drop-down, or click Address, Address Group, or
Regions at the bottom of the drop-down, and specify the settings. Select
Negate to choose any address except the configured ones.
Source User Click Add to choose the source users or groups of users subject to the
policy. The following source user types are supported:
• any—Include any traffic regardless of user data.
• pre-logon—Include remote users that are connected to the network
using GlobalProtect, but are not logged into their system. When the
Pre-logon option is configured on the Portal for GlobalProtect apps, any
user who is not currently logged into their machine will be identified
with the username pre-logon. You can then create policies for pre-logon
users and although the user is not logged in directly, their machines are
authenticated on the domain as if they were fully logged in.
• known-user—Includes all authenticated users, which means any IP with
user data mapped. This option is equivalent to the “domain users” group
on a domain.
Field Description
Destination Zone Click Add to choose destination zones (default is any). Zones must
be of the same type (Layer 2, Layer 3, or virtual wire). To define
new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example,
if you have three different internal zones (Marketing, Sales, and
Public Relations) that are all directed to the untrusted destination
zone, you can create one rule that covers all cases.
Destination Address Click Add to add destination addresses, address groups, or regions
(default is any). Select from the drop-down, or click Address,
Address Group, or Regions at the bottom of the drop-down, and
specify the settings. Select Negate to choose any address except
the configured ones.
Field Description
Service Apply the decryption policy to traffic based on specific TCP port numbers. Choose one of the following from the drop-down:
• any—The rule matches the selected applications on any protocol or port.
URL Category Tab Select URL categories for the decryption rule.
• Choose any to match any sessions regardless of the URL category.
• To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories. Custom categories are defined under Objects > Custom Objects > URL Category.
Field Description
Decryption Profile Attach a decryption profile to the policy rule in order to block
and control certain aspects of the traffic. For details on creating a
decryption profile, select Objects > Decryption Profile.
Log Settings
Log Successful SSL Handshake (Optional) Creates detailed logs of successful SSL Decryption handshakes. Disabled by default.
Log Unsuccessful SSL Handshake Creates detailed logs of unsuccessful SSL Decryption handshakes so you can find the cause of decryption issues. Enabled by default.
Log Forwarding Specify the method and location to forward SSL handshake (decryption) logs.
Any (target all devices) Enable (check) to push the policy rule to all managed firewalls in the device group.
Devices Select one or more managed firewalls associated with the device group to push the policy rule to.
Tags Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag.
Target to all but these specified devices and tags Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).
Field Description
Name Enter a name to identify the rule. The name is case-sensitive and can have
up to 63 characters, which can be letters, numbers, spaces, hyphens, and
underscores. The name must be unique on a firewall and, on Panorama,
unique within its device group and any ancestor or descendant device
groups.
Tag If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies.
This is useful when you have defined many policies and want to view
policies that are tagged with a particular keyword. For example, the tag
could indicate network location, Layer 3 security chains, or Layer 1 security
chains.
Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag allows you to view your policy rule base grouped by these tags.
Audit Comment Enter a comment to audit the creation or editing of the policy rule. The
audit comment is case-sensitive and can have up to 256 characters, which
can be letters, numbers, spaces, hyphens, and underscores.
Audit Comment Archive View previous Audit Comments for the policy rule. You can export the
Audit Comment Archive in CSV format.
Field Description
Source Zone To choose source zones (default is any), click Add and select from the drop-
down. To define new zones, refer to Network > Zones.
You can add multiple zones to simplify management.
Source Address Add source addresses, address groups, or regions (default is Any). Select
from the drop-down or select Address object, Address Group, or Regions
(bottom of the drop-down) to specify the settings. Objects > Addresses
and Objects > Address Groups describe the types of address objects and
address groups, respectively, that a policy rule supports.
Selecting the Negate option applies the rule to source addresses from the
specified zone except for the addresses specified.
Source User Click Add to choose the source users or groups of users subject to the
policy. The following source user types are supported:
• any—Include any traffic regardless of user data.
• pre-logon—Include remote users that are connected to the network
using GlobalProtect™, but are not logged into their system. When the
Pre-logon option is configured on the Portal for GlobalProtect apps,
any user who is not currently logged into their machine is identified
with the username pre-logon. You can then create policies for pre-logon
users and although the user is not logged in directly, their machines are
authenticated on the domain as if they were fully logged in.
• known-user—Includes all authenticated users, which means any IP with
user data mapped. This option is equivalent to the “domain users” group
on a domain.
• unknown—Includes all unauthenticated users, which means IP addresses
that are not mapped to a user. For example, you could use unknown for
guest level access to something because they will have an IP on your
network, but are not authenticated to the domain and do not have IP
address-to-user mapping information on the firewall.
• Select—Includes selected users as determined by the selection in
this window. For example, you may want to add one user, a list of
individuals, some groups, or manually add users.
Field Description
Destination Zone To choose destination zones (default is any), click Add and select from the drop-down. To define new zones, refer to Network > Zones.
You can add multiple zones to simplify management.
Destination Address Add destination addresses, address groups, or regions (default is Any).
Select from the drop-down or click Address object, Address Group, or
Regions (bottom of the drop-down) to specify address settings. Objects
> Addresses and Objects > Address Groups describe the types of address
objects and address groups, respectively, that a policy rule supports.
Selecting the Negate option applies the rule to destination addresses in the
specified zone except for the addresses specified.
Destination Device Add the host devices subject to the policy individually or select Any to
include all devices.
Field Description
Traffic Type Select the traffic type or traffic types to forward to the security chain. You
can select one, some, or all of the traffic types in one rule:
• Forward TLS(Decrypted) Traffic—(Default) Forwards decrypted TLS
traffic to the security chain specified by the Packet Broker profile
attached to the Network Packet Broker policy.
• Forward TLS(Non-Decrypted) Traffic—Forwards undecrypted TLS
traffic to the security chain specified by the Packet Broker profile
attached to the Network Packet Broker policy.
• Forward Non-TLS Traffic—Forwards cleartext (non-TLS) traffic to the
security chain specified by the Packet Broker profile attached to the
Network Packet Broker policy.
Application Add specific applications for the Network Packet Broker policy rule. If an
application has multiple functions, you can select the container application
or individual functional applications. If you select the container application,
all functional applications are included and the application definition is
automatically updated as future functional apps are added to the container
app.
Service Select the services that you want to limit to specific TCP or UDP port
numbers. Choose one of the following from the drop-down:
• any—(Default) The selected applications are forwarded on any protocol
or port.
• application-default—The selected applications are forwarded only if
they are on their default ports as defined by Palo Alto Networks®.
(Applications that run on non-standard ports and protocols, if
unintentional, can be a sign of undesired application behavior and
usage, and if intentional, can be a sign of malicious behavior. However,
internal custom applications may use non-standard ports and require
exceptions.)
• Select—Add an existing service or choose Service or Service Group to
specify a new entry. (Or select Objects > Services and Objects > Service
Groups).
Field Description
Timeframe The time period (number of days) for which data is displayed.
Usage Select which rules to display:
• Any—All Network Packet Broker policy rules on the firewall over the specified Timeframe, regardless of whether traffic matched the rules (used rules) or not (unused rules).
• Unused—Rules that traffic has not matched over the specified Timeframe.
• Used—Rules that traffic has matched over the specified Timeframe.
Exclude rules reset during the last “n” days Omits rules for which you Reset Rule Hit Counter within the specified number of days (1-5,000). For example, this enables you to examine older rules that have not matched traffic over a particular Timeframe while excluding newer rules that may not have had time to match traffic.
Packet Broker • Profile—The name of the Packet Broker profile associated with the
policy rule.
• Traffic Type—The type or types of traffic the rule controls (one or more
of decrypted TLS, non-decrypted TLS, and non-TLS traffic).
Rule Usage • Hit Count—The number of times that traffic matched the rule.
• Last Hit—The most recent time that traffic matched the rule.
• First Hit—The first time that traffic matched the rule.
• Reset Date—The last date on which the rule’s hit counter was reset.
Modified The date and time that the rule was last modified.
Created The date and time that the rule was created.
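The following Python script is an added example, not PAN-OS code, that applies the Timeframe, Usage and "Exclude rules reset during the last n days" filters described in this table to an exported rule usage list. The CSV column names and every row are constructed for illustration (the real export's columns may differ, so adjust the keys in load_usage()), and the fixed NOW value exists only so the result is reproducible. It also drops rules created inside the timeframe from the cleanup list, for the same reason the table gives for excluding recently reset rules.

```python
"""Rule-usage hygiene report built from an exported rule usage table.

Added example, not PAN-OS code. It applies the Timeframe, Usage and "Exclude rules
reset during the last n days" filters described above to a constructed CSV. The column
names below are an assumption for illustration, not the firewall's export format;
adjust the keys in load_usage() to match a real export.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows (not from a real firewall). An empty Last Hit means never matched.
SAMPLE_CSV = """\
Name,Hit Count,First Hit,Last Hit,Reset Date,Modified,Created
npb-prod-tls,120430,2021-01-04 09:12:00,2021-10-05 23:58:10,,2021-06-01 10:00:00,2020-11-20 08:00:00
npb-legacy-cleartext,0,,,,2021-02-14 15:30:00,2020-11-20 08:05:00
npb-pilot-nontls,3,2021-09-29 11:00:00,2021-09-30 16:20:00,2021-09-28 09:00:00,2021-09-28 09:00:00,2021-03-02 12:00:00
npb-new-branch,0,,,,2021-10-01 08:00:00,2021-10-01 08:00:00
"""
NOW = datetime(2021, 10, 6, 12, 0, 0)   # fixed "now" so the report is reproducible
FMT = "%Y-%m-%d %H:%M:%S"


def _ts(value):
    return datetime.strptime(value, FMT) if value else None


def load_usage(text):
    """Parse the export into dicts with datetime fields (None when the cell is empty)."""
    return [{"name": r["Name"], "hit_count": int(r["Hit Count"]),
             "first_hit": _ts(r["First Hit"]), "last_hit": _ts(r["Last Hit"]),
             "reset_date": _ts(r["Reset Date"]), "created": _ts(r["Created"])}
            for r in csv.DictReader(io.StringIO(text))]


def filter_usage(rows, now, timeframe_days, usage="any", exclude_reset_days=None):
    """Mirror the filter bar: usage is 'any', 'used' or 'unused' over the last
    timeframe_days (a rule counts as used when its Last Hit falls inside that window);
    rules whose hit counter was reset within exclude_reset_days (1-5,000) are omitted."""
    if usage not in ("any", "used", "unused"):
        raise ValueError("usage must be any, used or unused")
    if exclude_reset_days is not None and not 1 <= exclude_reset_days <= 5000:
        raise ValueError("exclude_reset_days must be between 1 and 5,000")
    window = now - timedelta(days=timeframe_days)
    names = []
    for r in rows:
        if (exclude_reset_days is not None and r["reset_date"] is not None
                and r["reset_date"] >= now - timedelta(days=exclude_reset_days)):
            continue
        used = r["last_hit"] is not None and r["last_hit"] >= window
        if usage == "any" or (usage == "used") == used:
            names.append(r["name"])
    return names


def cleanup_candidates(rows, now, timeframe_days, exclude_reset_days):
    """Unused rules worth reviewing for removal. Rules created inside the timeframe are
    dropped as well: like recently reset rules, they have not had a full window to match."""
    window = now - timedelta(days=timeframe_days)
    created = {r["name"]: r["created"] for r in rows}
    return [n for n in filter_usage(rows, now, timeframe_days, "unused", exclude_reset_days)
            if created[n] < window]


ROWS = load_usage(SAMPLE_CSV)
```

With a 30-day Timeframe and a 14-day reset exclusion, the script reports npb-pilot-nontls as used but filters it out because its counter was reset inside the exclusion window, and lists only npb-legacy-cleartext as a cleanup candidate: npb-new-branch is also unused, but it was created four days before NOW and has not had a full window to attract traffic.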
What are the fields available to create a Tunnel Inspection policy? See Building Blocks in a Tunnel Inspection Policy.
How can I view tunnel inspection logs? See Log Types and Severity Levels.
Name (General) Enter a name for the Tunnel Inspection policy beginning with an alphanumeric character and containing zero or more alphanumeric, underscore, hyphen, period, or space characters.
Group Rules by Tag (General) Enter a tag with which to group similar policy rules. The group tag allows you to view your policy rule base based on these tags.
Audit Comment Archive (General) View previous Audit Comments for the policy rule. You can export the Audit Comment Archive in CSV format.
Source Zone (Source) Add one or more source zones of packets to which the Tunnel Inspection policy applies (default is Any).
Destination Zone (Destination) Add one or more destination zones of packets to which the Tunnel Inspection policy applies (default is Any).
Tunnel Protocol (Inspection) Add one or more tunnel protocols that you want the firewall to inspect:
• GRE—The firewall inspects packets that use Generic Routing Encapsulation in the tunnel.
Maximum Tunnel Inspection Levels (Inspection > Inspect Options) Specify whether the firewall inspects One Level (default) or Two Levels (Tunnel In Tunnel) of encapsulation. For VXLAN, select One Level, as inspection only occurs on the outer layer.
Drop packet if over maximum tunnel inspection level (Inspection > Inspect Options) (Optional) Drop packets that contain more levels of encapsulation than you specified for Maximum Tunnel Inspection Levels.
Drop packet if unknown protocol inside tunnel (Inspection > Inspect Options) (Optional) Drop packets that contain a protocol inside the tunnel that the firewall cannot identify.
Return Scanned VXLAN Tunnel to Source (Inspection > Inspect Options) (Optional) Enable this option to return the traffic to the originating VXLAN tunnel endpoint (VTEP). For example, use this option to return the encapsulated packet to the source VTEP. Supported only on Layer 3, Layer 3 subinterface, aggregate-interface Layer 3, and VLAN.
Enable Security Options (Inspection > Security Options) (Optional) Enable Security Options to assign security zones for separate Security policy treatment of tunnel content. The inner content source will belong to the Tunnel Source Zone you specify and the inner content destination will belong to the Tunnel Destination Zone you specify.
Tunnel Source Zone (Inspection > Security Options) If you Enable Security Options, select a tunnel zone that you created; the inner content will use this source zone for the purpose of policy enforcement. Otherwise, by default the inner content source belongs to the same zone as the outer tunnel source, and the policies of the outer tunnel source zone also apply to the inner content source zone.
Monitor Name (Inspection > Monitor Options) (Optional) Enter a monitor name to group similar traffic together for monitoring the traffic in logs and reports.
Monitor Tag (number) (Inspection > Monitor Options) (Optional) Enter a monitor tag number that can group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined.
Log at Session Start (Optional) Select this option to generate a log at the
start of a cleartext tunnel session that matches the
Tunnel Inspection policy. This setting overrides the Log
at Session Start setting in the Security Policy rule that
applies to the session.
Tunnel logs are stored separately from traffic logs. The
information with the outer tunnel session (GRE, non-
encrypted IPSec, or GTP-U) is stored in the Tunnel logs
and the inner traffic flows are stored in the Traffic logs.
This separation allows you to easily report on tunnel
activity (as opposed to inner content activity) with the
ACC and reporting features.
Log at Session End (Optional) Select this option to capture a log at the end
of a cleartext tunnel session that matches the Tunnel
Inspection policy. This setting overrides the Log at
Session End setting in the Security Policy rule that
applies to the session.
Log Forwarding (Optional) Select a Log Forwarding profile from the drop-
down to specify where to forward tunnel inspection logs.
(This setting is separate from the Log Forwarding setting
in a Security policy rule, which applies to traffic logs.)
Any (target all devices) (Target; Panorama only) Enable (check) to push the policy rule to all managed firewalls in the device group.
Tags (Target; Panorama only) Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag.
Target to all but these specified devices and tags (Target; Panorama only) Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).
If possible, avoid using application override policies because they prevent the firewall from
using App-ID to identify applications and from performing layer 7 inspection for threats. To
support internal proprietary applications, it’s better to create custom applications that include
the application signature so the firewall performs layer 7 inspection and scans the application
traffic for threats. If a commercial application doesn’t have an App-ID, submit a request for
a new App-ID. If a public application definition (default ports or signature) changes so the
firewall no longer identifies the application correctly, create a support ticket so Palo Alto
Networks can update the definition. In the meantime, create a custom application so the
firewall continues to perform layer 7 inspection of the traffic.
Like security policies, application override policies can be as general or specific as needed. The policy rules
are compared against the traffic in sequence, so the more specific rules must precede the more general
ones.
Because the App-ID engine in PAN-OS classifies traffic by identifying application-specific content in network traffic, an application override rule cannot rely on a port number alone to identify an application. The rule must also restrict the traffic it matches by source zone, source IP address, destination zone, and destination IP address.
To create a custom application with application override:
• Create a custom application (see Defining Applications). It is not required to specify signatures for the
application if the application is used only for application override rules.
• Define an application override policy that specifies when the custom application should be invoked. A
policy typically includes the IP address of the server running the custom application and a restricted set
of source IP addresses or a source zone.
Use the following tables to configure an application override rule.
• Application Override General Tab
• Application Override Source Tab
• Application Override Destination Tab
• Application Override Protocol/Application Tab
• (Panorama only) Application Override Target Tab
Looking for more?
See Use Application Objects in Policy
Name Enter a name to identify the rule. The name is case-sensitive and
can have up to 63 characters, which can be letters, numbers, spaces,
hyphens, and underscores. The name must be unique on a firewall
and, on Panorama, unique within its device group and any ancestor or
descendant device groups.
Tag If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter
policies. This is useful when you have defined many policies and want
to view those that are tagged with a particular keyword. For example,
you may want to tag certain security policies with Inbound to DMZ,
decryption policies with the words Decrypt and No-decrypt, or use the
name of a specific data center for policies associated with that location.
Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag
allows you to view your policy rule base based on these tags. You can
select to group rules based on a Tag.
Audit Comment Enter a comment to audit the creation or editing of the policy rule. The audit comment is case-sensitive and can have up to 256 characters, which can be letters, numbers, spaces, hyphens, and underscores.
Audit Comment Archive View previous Audit Comments for the policy rule. Audit Comment
Archive can be exported in CSV format.
Field Description
Source Zone Add source zones (default is any). Zones must be of the same type
(Layer 2, Layer 3, or virtual wire). To define new zones, refer to
Network > Zones.
Multiple zones can be used to simplify management. For example,
if you have three different internal zones (Marketing, Sales, and
Public Relations) that are all directed to the untrusted destination
zone, you can create one rule that covers all cases.
Source Address Add source addresses, address groups, or regions (default is any).
Select from the drop-down, or click Address, Address Group, or
Regions at the bottom of the drop-down, and specify the settings.
Select Negate to choose any address except the configured ones.
Field Description
Destination Zone Click Add to choose destination zones (default is any). Zones must
be of the same type (Layer 2, Layer 3, or virtual wire). To define
new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example,
if you have three different internal zones (Marketing, Sales, and
Public Relations) that are all directed to the untrusted destination
zone, you can create one rule that covers all cases.
Destination Address Click Add to add destination addresses, address groups, or regions
(default is any). Select from the drop-down, or click Address,
Address Group, or Regions at the bottom of the drop-down, and
specify the settings.
Select Negate to choose any address except the configured ones.
Field Description
Protocol Select the protocol (TCP or UDP) for which to allow an application override.
Port Enter the port number (0 to 65535) or range of port numbers (port1-port2)
for the specified destination addresses. Multiple ports or ranges must be
separated by commas.
Application Select the override application for traffic flows that match the above
rule criteria. When overriding to a custom application, there is no threat
inspection that is performed. The exception to this is when you override to
a pre-defined application that supports threat inspection.
To define new applications, refer to Objects > Applications.
Any (target all Enable (check) to push the policy rule to all managed firewalls in the device group.
devices)
Devices Select one or more managed firewalls associated with the device group to push the
policy rule to.
Tags Add one or more tags to push the policy rule to managed firewalls in the device
group with the specified tag.
Target to all but Enable (check) to push the policy rule to all managed firewalls associated with the
these specified device group except for the selected device(s) and tag(s).
devices and tags
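The Port field above accepts a single port, a port1-port2 range, or several of either separated by commas, all within 0 to 65535. The following Python is an added example, not PAN-OS code: it parses that format, rejects malformed specs, and checks two specs for overlapping ports, which is the review you want before adding a second override rule for the same protocol and addresses, since the earlier rule wins and an override to a custom application removes threat inspection for the flows it catches. The sample specs are constructed.

```python
"""Parser and overlap check for the Port field of an application override rule.
Added example; not PAN-OS code. The grammar follows the page: single ports,
port1-port2 ranges, several items separated by commas, values 0 to 65535."""
import re
from typing import List, Tuple

PORT_MIN, PORT_MAX = 0, 65535
_RANGE_RE = re.compile(r"^(\d{1,5})-(\d{1,5})$")
_SINGLE_RE = re.compile(r"^\d{1,5}$")

PortRange = Tuple[int, int]


def parse_port_spec(spec: str) -> List[PortRange]:
    """Turn '80,443,8000-8100' into [(80, 80), (443, 443), (8000, 8100)].
    Rejects empty items, non-numeric items, out-of-range ports and inverted ranges."""
    ranges: List[PortRange] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty port item in {spec!r}")
        m = _RANGE_RE.match(item)
        if m:
            low, high = int(m.group(1)), int(m.group(2))
        elif _SINGLE_RE.match(item):
            low = high = int(item)
        else:
            raise ValueError(f"malformed port item {item!r}")
        if not (PORT_MIN <= low <= PORT_MAX and PORT_MIN <= high <= PORT_MAX):
            raise ValueError(f"port outside {PORT_MIN}-{PORT_MAX} in {item!r}")
        if low > high:
            raise ValueError(f"inverted range {item!r}")
        ranges.append((low, high))
    return ranges


def port_matches(spec: str, port: int) -> bool:
    """True if a destination port falls inside any item of the spec."""
    return any(low <= port <= high for low, high in parse_port_spec(spec))


def specs_overlap(spec_a: str, spec_b: str) -> bool:
    """True if two specs share at least one port. Two override rules for the same
    protocol, zones and addresses with overlapping ports compete: the earlier
    rule wins, and an override to a custom application silently removes threat
    inspection for the flows it matches."""
    return any(
        max(a_lo, b_lo) <= min(a_hi, b_hi)
        for a_lo, a_hi in parse_port_spec(spec_a)
        for b_lo, b_hi in parse_port_spec(spec_b)
    )


def shadowed_ports(spec_a: str, spec_b: str) -> List[PortRange]:
    """The intersecting (low, high) ranges, for a rule-review report."""
    hits: List[PortRange] = []
    for a_lo, a_hi in parse_port_spec(spec_a):
        for b_lo, b_hi in parse_port_spec(spec_b):
            lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
            if lo <= hi:
                hits.append((lo, hi))
    return hits
```

Run `shadowed_ports` over every pair of override rules that share protocol, zones and addresses to list the ports on which a later rule can never match.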
What are the fields available to create an Authentication rule? See Building Blocks of an Authentication Policy Rule.
How can I use the web interface to manage Authentication policy? See Create and Manage Authentication Policy.
For Panorama, see Move or Clone a Policy Rule.
The firewall does not prompt users to authenticate if they access non-web-based resources
(such as a printer) through a GlobalProtect™ gateway that is internal or in tunnel mode.
Instead, the users will see connection failure messages. To ensure users can access these
resources, set up an authentication portal and train users to visit it when they see connection
failures. Consult your IT department to set up an authentication portal.
The following table describes each building block or component in an Authentication policy rule. Before you
Add a rule, complete the prerequisites described in Create and Manage Authentication Policy.
Rule number (N/A) Each rule is automatically numbered and the order changes as rules are
moved. When you apply a filter, the Policies > Authentication page lists each matching
rule with its number in the context of the complete set of rules in the rulebase and its
place in the evaluation order. For details, see rule sequence and its evaluation order.
Name (General) Enter a name to identify the rule. The name is case-sensitive and can have
up to 63 characters, which can be letters, numbers, spaces, hyphens, and underscores.
The name must be unique on a firewall and, on Panorama, unique within its device group
and any ancestor or descendant device groups.
Tag Select a tag for sorting and filtering rules (see Objects >
Tags).
Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag
allows you to view your policy rule base based on these tags. You can group rules based
on a Tag.
Audit Comment Archive View previous Audit Comments for the policy rule. You can export
the Audit Comment Archive in CSV format.
Source Zone (Source) Add zones to apply the rule only to traffic coming from
interfaces in the zones that you specify (default is any).
To define new zones, see Network > Zones.
Source User (User) Select the source users or user groups to which the rule
applies:
• any—Includes any traffic regardless of source user.
• pre-logon—Includes remote users who are not logged into their client systems
but whose client systems connect to the network through the GlobalProtect
pre-logon feature.
• known-user—Includes all users for whom the firewall already has IP
address-to-username mappings before the rule invokes authentication.
• unknown—Includes all users for whom the firewall does not have IP
address-to-username mappings. After the rule invokes authentication, the firewall
Destination Zone (Destination) Add zones to apply the rule only to traffic going to
interfaces in the zones that you specify (default is any).
To define new zones, see Network > Zones.
Service (Service/URL Category) Select from the following options to apply the rule only
to services on specific TCP and UDP port numbers:
• any—Specifies services on any port and using any
protocol.
• default—Specifies services only on the default ports
that Palo Alto Networks defines.
• Select—Enables you to Add services or service
groups. To create new services and service groups,
see Objects > Services and Objects > Service
Groups.
URL Category Select the URL categories to which the rule applies:
• Select any to specify all traffic regardless of the URL
category.
• Add categories. To define custom categories, see
Objects > Custom Objects > URL Category.
Any (target all devices) (Target; Panorama only) Enable (check) to push the policy rule
to all managed firewalls in the device group.
Target to all but these specified devices and tags (Target; Panorama only) Enable (check)
to push the policy rule to all managed firewalls associated with the device group except
for the selected device(s) and tag(s).
Task Description
Add Perform the following prerequisites before creating Authentication policy rules:
Configure the User-ID™ Authentication Portal settings (see Device > User
Identification > Authentication Portal Settings). The firewall uses Authentication
Portal to display the first authentication factor that the Authentication rule
requires. Authentication Portal also enables the firewall to record the timestamps
associated with authentication Timeout periods and to update user mappings.
Configure a server profile that specifies how the firewall can access the service that
will authenticate users (see Device > Server Profiles).
Assign the server profile to an authentication profile that specifies authentication
settings (see Device > Authentication Profile).
Assign the authentication profile to an authentication enforcement object that
specifies the authentication method (see Objects > Authentication).
To create a rule, perform one of the following steps and then complete the fields
described in Building Blocks of an Authentication Policy Rule:
• Click Add.
• Select a rule on which to base the new rule and click Clone Rule. The firewall
inserts the copied rule, named <rulename>#, below the selected rule, where # is
the next available integer that makes the rule name unique, and generates a new
UUID for the cloned rule. For details, see Move or Clone a Policy Rule.
Modify To modify a rule, click the rule Name and edit the fields described in Building Blocks of
an Authentication Policy Rule.
If the firewall received the rule from Panorama, the rule is read-only;
you can edit it only on Panorama.
Move When matching traffic, the firewall evaluates rules from top to bottom in the order
that the Policies > Authentication page lists them. To change the evaluation order,
select a rule and Move Up, Move Down, Move Top, or Move Bottom. For details, see
Move or Clone a Policy Rule.
Enable/Disable To disable a rule, select and Disable it. To re-enable a disabled rule, select and Enable
it.
Highlight Unused Rules To identify rules that have not matched traffic since the last time
the firewall was restarted, Highlight Unused Rules. You can then decide whether to disable
or delete unused rules. The page highlights unused rules with a dotted yellow background.
Preview rules (Panorama only) Click Preview Rules to view a list of the rules before you
push the rules to the managed firewalls. Within each rulebase, the page visually
demarcates the rule hierarchy for each device group (and managed firewall) to facilitate
scanning of numerous rules.
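The Source User categories, the top-to-bottom first-match evaluation, the position-based rule numbers, the Move actions and Highlight Unused Rules described above fit in a small model. The following Python is an added example, not PAN-OS code: the rules, the IP-address-to-username table and the traffic samples are constructed, and treating the GlobalProtect pre-logon pseudo-user as a category separate from known-user and unknown is an assumption of the model.

```python
"""First-match evaluation of an Authentication rulebase with Source User categories,
rule numbering, move operations and unused-rule detection. Added example, not PAN-OS code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed User-ID IP-address-to-username table (example data, not from the page).
# The pre-logon pseudo-user is modelled as its own category (assumption).
IP_USER_MAP: Dict[str, str] = {
    "10.1.1.10": "alice",
    "10.1.1.11": "pre-logon",
}


@dataclass
class Rule:
    name: str
    from_zones: Set[str]   # {"any"} matches every source zone
    users: Set[str]        # any | pre-logon | known-user | unknown | explicit usernames
    to_zones: Set[str]
    enabled: bool = True
    hits: int = 0          # matches since the last restart


def user_matches(criterion: Set[str], src_ip: str) -> bool:
    """known-user needs an existing mapping, unknown needs the absence of one,
    explicit names need an exact mapping, pre-logon needs the pre-logon pseudo-user."""
    mapped = IP_USER_MAP.get(src_ip)
    if "any" in criterion:
        return True
    if mapped is None:
        return "unknown" in criterion
    if mapped == "pre-logon":
        return "pre-logon" in criterion
    return "known-user" in criterion or mapped in criterion


@dataclass
class Rulebase:
    rules: List[Rule] = field(default_factory=list)

    def numbered(self) -> List[str]:
        """Rule numbers follow the current position, so they change on every move."""
        return [f"{i}. {r.name}" for i, r in enumerate(self.rules, start=1)]

    def evaluate(self, src_zone: str, src_ip: str, dst_zone: str) -> Optional[str]:
        """Top to bottom; the first enabled match wins and gets a hit."""
        for rule in self.rules:
            if not rule.enabled:
                continue
            if "any" not in rule.from_zones and src_zone not in rule.from_zones:
                continue
            if "any" not in rule.to_zones and dst_zone not in rule.to_zones:
                continue
            if not user_matches(rule.users, src_ip):
                continue
            rule.hits += 1
            return rule.name
        return None

    def _index(self, name: str) -> int:
        return next(i for i, r in enumerate(self.rules) if r.name == name)

    def move_top(self, name: str) -> None:
        self.rules.insert(0, self.rules.pop(self._index(name)))

    def move_up(self, name: str) -> None:
        i = self._index(name)
        if i > 0:
            self.rules[i - 1], self.rules[i] = self.rules[i], self.rules[i - 1]

    def unused(self) -> List[str]:
        """Equivalent of Highlight Unused Rules: enabled rules with no hits."""
        return [r.name for r in self.rules if r.enabled and r.hits == 0]


def demo() -> Rulebase:
    """Constructed rulebase and traffic; returns the rulebase with hit counts filled in."""
    rb = Rulebase([
        Rule("auth-unknown", {"trust"}, {"unknown"}, {"dmz"}),
        Rule("auth-known", {"trust"}, {"known-user"}, {"dmz"}),
        Rule("disabled-rule", {"any"}, {"any"}, {"any"}, enabled=False),
        Rule("catch-all", {"any"}, {"any"}, {"any"}),
    ])
    rb.evaluate("trust", "10.1.1.10", "dmz")   # alice is mapped: auth-known
    rb.evaluate("trust", "10.1.1.99", "dmz")   # no mapping: auth-unknown
    rb.evaluate("trust", "10.1.1.11", "dmz")   # pre-logon: neither category, catch-all
    return rb
```

Moving catch-all to the top shadows both authentication rules, which is exactly the kind of change the rule numbers and hit counts make visible after a Move.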
Field Description
Name Enter a name to identify the DoS Protection policy rule. The name is case-sensitive
and can have up to 63 characters, which can be letters, numbers, spaces, hyphens, and
underscores. The name must be unique on a firewall and, on Panorama, unique within
its device group and any ancestor or descendant device groups.
Tags If you want to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. A tag is
useful when you have defined many policies and want to view those that are tagged
with a particular keyword. For example, you may want to tag certain security policies
with Inbound to DMZ, decryption policies with the words Decrypt or No-decrypt, or
use the name of a specific data center for policies associated with that location.
Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag allows
you to view your policy rule base based on these tags. You can group rules based on a Tag.
Audit Comment Enter a comment to audit the creation or editing of the policy rule. The audit
comment is case-sensitive and can have up to 256 characters, which can be letters, numbers,
spaces, hyphens, and underscores.
Audit Comment Archive View previous Audit Comments for the policy rule. You can export the
Audit Comment Archive in CSV format.
Field Description
Type Select the type of source to which the DoS Protection policy rule applies:
• Interface —Apply the rule to traffic coming from the specified interface or group of
interfaces.
• Zone—Apply the rule to traffic coming from any interface in a specified zone.
Click Add to select multiple interfaces or zones.
Source Address Select Any or Add and specify one or more source addresses to which the DoS
Protection policy rule applies.
(Optional) Select Negate to specify that the rule applies to any addresses except those
specified.
Source User Specify one or more source users to which the DoS Protection policy rule applies:
• any—Includes packets regardless of the source user.
• pre-logon—Includes packets from remote users that are connected to the network
using GlobalProtect, but are not logged into their system. When pre-logon is
configured on the Portal for GlobalProtect apps, any user who is not currently
logged into their machine will be identified with the username pre-logon. You can
then create policies for pre-logon users and although the user is not directly logged
in, their machines are authenticated on the domain as if they were fully logged in.
• known-user—Includes all authenticated users, which means any IP address with
user data mapped. This option is equivalent to the “domain users” group on a
domain.
• unknown—Includes all unauthenticated users, which means IP addresses that are
not mapped to a user. For example, you could use unknown for guest level access
to something because they will have an IP address on your network, but will not
be authenticated to the domain and will not have IP address-to-username mapping
information on the firewall.
• Select—Includes users specified in this window. For example, you can select one
user, a list of individuals, some groups, or manually add users.
Field Description
Type Select the type of destination to which the DoS Protection policy rule applies:
• Interface—Apply the rule to packets going to the specified interface or group of
interfaces. Click Add and select one or more interfaces.
• Zone—Apply the rule to packets going to any interface in the specified zone. Click
Add and select one or more zones.
Destination Address Select Any or Add and specify one or more destination addresses to which
the DoS Protection policy rule applies.
(Optional) Select Negate to specify that the rule applies to any addresses except those
specified.
Field Description
Service Click Add and select one or more services to which the DoS Protection policy applies.
The default is Any service. For example, if the DoS policy protects web servers, specify
HTTP, HTTPS, and any other appropriate service ports for the web applications.
Action Select the action the firewall performs on packets that match the DoS Protection
policy rule:
• Deny—Drop all packets that match the rule.
• Allow—Permit all packets that match the rule.
Schedule Specify the schedule when the DoS Protection policy rule is in effect. The default
setting of None indicates no schedule; the policy is always in effect.
Alternatively, select a schedule or create a new schedule to control when the DoS
Protection policy rule is in effect. Enter a Name for the schedule. Select Shared to
share this schedule with every virtual system on a multiple virtual system firewall.
Select a Recurrence of Daily, Weekly, or Non-recurring. Add a Start Time and End
Time in hours:minutes, based on a 24-hour clock.
Log Forwarding If you want to trigger forwarding of threat log entries for matched traffic to
an external service, such as to a syslog server or Panorama, select a Log Forwarding profile
or click Profile to create a new one.
The firewall logs and forwards only traffic that matches an action in the
rule.
Aggregate Aggregate DoS Protection profiles set thresholds that apply to the combined group
of devices specified in the DoS Protection rule to protect those server groups. For
example, an Alarm Rate threshold of 10,000 CPS means that when the total new CPS
to the entire group exceeds 10,000 CPS, the firewall triggers an alarm message.
Select an Aggregate DoS Protection profile that specifies the threshold rates at which
the incoming connections per second trigger an alarm, activate an action, and exceed a
maximum rate. All incoming connections (the aggregate) count toward the thresholds
specified in an Aggregate DoS Protection profile.
An Aggregate profile setting of None means there are no threshold settings in place
for the aggregate traffic. See Objects > Security Profiles > DoS Protection.
Classified Classified DoS Protection profiles set thresholds that apply to each individual device
specified in the DoS Protection rule to protect individual or small groups of critical
servers. For example, an Alarm Rate threshold of 10,000 CPS means that when the
total new CPS to any individual server specified in the rule exceeds 10,000 CPS, the
firewall triggers an alarm message.
Any (target all Enable (check) to push the policy rule to all managed firewalls in the device group.
devices)
Devices Select one or more managed firewalls associated with the device group to push the
policy rule to.
Tags Add one or more tags to push the policy rule to managed firewalls in the device
group with the specified tag.
Target to all but Enable (check) to push the policy rule to all managed firewalls associated with the
these specified device group except for the selected device(s) and tag(s).
devices and tags
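The difference between the Aggregate and Classified profiles above is easiest to see on a stream of new connections: the aggregate count can cross a threshold while no single server does. The following Python is an added example, not PAN-OS code: it buckets constructed new-connection events per second, applies alarm, activate and maximum rates to the aggregate and to each destination server, and reports every crossing. Classification by destination server only, and the scaled-down thresholds, are choices of the example; the page's figure is 10,000 CPS.

```python
"""Aggregate versus classified DoS Protection thresholds, evaluated over a constructed
stream of new-connection events. Added example, not PAN-OS code; classification is by
destination server only, and the thresholds are scaled down from the page's 10,000 CPS."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Event = Tuple[int, str]               # (second, destination server IP)
Finding = Tuple[int, str, str, str]   # (second, profile kind, server or '*', level)


@dataclass(frozen=True)
class DosProfile:
    alarm_rate: int      # new CPS above which the firewall logs an alarm
    activate_rate: int   # new CPS above which the profile's action starts
    max_rate: int        # new CPS above which excess new connections are dropped

    def level(self, cps: int) -> Optional[str]:
        """Highest threshold strictly exceeded by this second's new-connection rate."""
        if cps > self.max_rate:
            return "max"
        if cps > self.activate_rate:
            return "activate"
        if cps > self.alarm_rate:
            return "alarm"
        return None


def cps_per_second(events: List[Event]) -> Dict[int, Counter]:
    """Bucket new connections by second and by destination server."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for second, dst in events:
        buckets[second][dst] += 1
    return buckets


def evaluate_rule(events: List[Event], aggregate: Optional[DosProfile],
                  classified: Optional[DosProfile]) -> List[Finding]:
    """Aggregate sums every destination the rule protects; classified judges each
    destination on its own. Both can fire in the same second."""
    findings: List[Finding] = []
    buckets = cps_per_second(events)
    for second in sorted(buckets):
        counts = buckets[second]
        if aggregate is not None:
            level = aggregate.level(sum(counts.values()))
            if level:
                findings.append((second, "aggregate", "*", level))
        if classified is not None:
            for dst, n in sorted(counts.items()):
                level = classified.level(n)
                if level:
                    findings.append((second, "classified", dst, level))
    return findings


# Constructed sample (not from the page): three protected servers, three seconds.
# Second 1: one server is hot (6 new connections); second 2: load is spread (3 each).
SAMPLE_EVENTS: List[Event] = (
    [(1, "10.0.0.1")] * 6 + [(1, "10.0.0.2")] * 2 + [(1, "10.0.0.3")]
    + [(2, "10.0.0.1")] * 3 + [(2, "10.0.0.2")] * 3 + [(2, "10.0.0.3")] * 3
    + [(3, "10.0.0.1")] * 2
)
PROFILE = DosProfile(alarm_rate=5, activate_rate=8, max_rate=10)


def demo() -> List[Finding]:
    """Same thresholds used as both the aggregate and the classified profile."""
    return evaluate_rule(SAMPLE_EVENTS, aggregate=PROFILE, classified=PROFILE)
```

In second 2 the aggregate profile activates on 9 total new connections while the classified profile stays silent, because no single server exceeds 5; that is the case the Classified row above is meant to cover separately.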
Field Description
Name Enter a name to identify the rule. The name is case-sensitive and
can have up to 63 characters, which can be letters, numbers, spaces,
hyphens, and underscores. The name must be unique on a firewall
and, on Panorama, unique within its device group and any ancestor or
descendant device groups.
Tag If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter
policies. This is useful when you have defined many policies and want
to view those that are tagged with a particular keyword. For example,
you may want to tag certain SD-WAN policies with unique tags that
identify specific hubs or branches that the rules applies to.
Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag
allows you to view your policy rule base based on these tags. You can
select to group rules based on a Tag.
Audit Comment Enter a comment to audit the creation or editing of the policy rule. The
audit comment is case-sensitive and can have up to 256 characters,
which can be letters, numbers, spaces, hyphens, and underscores.
Audit Comment Archive View previous Audit Comments for the policy rule. Audit Comment
Archive can be exported in CSV format.
Field Description
Source Zone To specify a source zone, select Add and select one or more zones, or select
Any zone.
Specifying multiple zones can simplify management. For example, if you
have three branches in different zones and you want the remaining match
criteria and path selection to be the same for the three branches, you can
create one SD-WAN rule and specify the three source zones to cover the
three branches.
Source Address To specify source addresses, Add source addresses or external dynamic
lists (EDL), select from the drop-down, or select Address and create a new
address object. Alternatively, select Any source address (default).
Source User To specify certain users, select Add (the type then indicates select) and
enter a user, list of users, or groups of users. Alternatively, select a type of
user:
• any—(default) Include any user, regardless of user data.
• pre-logon—Include remote users who are connected to the network
using GlobalProtect™, but are not logged into their system. When the
Pre-logon option is configured on the Portal for GlobalProtect apps, any
user who is not currently logged into their machine will be identified
with the username pre-logon. You can then create policies for pre-logon
users and although the user is not logged in directly, their machines are
authenticated on the domain as if they were fully logged in.
• known-user—Includes all authenticated users, which means any IP
address with user data mapped. This option is equivalent to the “domain
users” group on a domain.
• unknown—Includes all unauthenticated users, which means IP addresses
that are not mapped to a user. For example, you could select unknown
for guest-level access to something because they will have an IP address
on your network, but will not be authenticated to the domain and will
not have IP address-to-user mapping information on the firewall.
Field Description
Destination Zone Add destination zones (default is any). Zones must be Layer 3. To
define new zones, refer to Network > Zones.
Add Multiple zones to simplify management. For example, if you have
three different internal zones (Marketing, Sales, and Public Relations)
that are all directed to the untrusted destination zone, you can create
one rule that covers all cases.
Destination Address Add destination addresses, address groups, External Dynamic Lists
(EDL), or regions (default is Any). Select from the drop-down, or click
Address or Address Group at the bottom of the drop-down, and
specify the settings.
Select Negate to choose any address except the configured ones.
Field Description
Path Quality Profile Select a path quality profile that determines the maximum jitter,
latency and packet loss percentage thresholds you want to apply to the
specified applications and services. If a path quality profile has not yet
been created, you can create a New SD-WAN Path Quality Profile.
SaaS Quality Profile Select a SaaS quality profile to specify the path quality thresholds for
latency, jitter, and packet loss for a hub or branch firewall that has
Direct Internet Access (DIA) link to a Software-as-a-Service (SaaS)
application. If a SaaS quality profile has not yet been created, you can
create a New SaaS Quality Profile. Default is None (disabled).
Error Correction Profile Select an Error Correction Profile or create a new Error Correction
Profile, which specifies the parameters to control forward error
correction (FEC) or path duplication for the applications or services
specified in the rule. This profile can be used by either hub or branch
firewall. Default is None (disabled).
Applications Add specific applications for the SD-WAN policy rule, or select Any. If
an application has multiple functions, select the overall application or
individual functions. If you select the overall application, all functions
Service Add specific services for the SD-WAN policy rule and select on which
ports packets from these services are allowed or denied:
• any—The selected services are allowed or denied on any protocol or
port.
• application-default—The selected services are allowed or denied
only on their default ports defined by Palo Alto Networks®. This
option is recommended for policies that specify the allow action
because it prevents services from running on unusual ports and
protocols which, if unintentional, can be a sign of undesired service
behavior and usage.
Traffic Distribution Profile From the drop-down select a traffic distribution profile, which
determines how the firewall selects an alternate path for the
application or service traffic when one of the path health metrics for
the preferred path exceeds the threshold configured in the path quality
profile for the rule.
Field Description
Any (target all devices) Enable (check) to push the SD-WAN policy rule to all devices by the
Panorama management server.
Devices Select one or more devices to which to push the SD-WAN policy rule.
You can filter devices based on device state, platform, device group,
templates, tags, or HA status.
Target to all but these Enable (check) to target and push the policy rule to all devices except
specified devices and tags for the selected Devices and Tags.
Move, Clone, Override, or Revert Objects
See the following topics for options to modify existing objects:
• Move or Clone an Object
• Override or Revert an Object
Selected Objects Displays the Name and current Location (virtual system or device
group) of the policies or objects you selected for the operation.
Destination Select the new location for the policy or object: a virtual system,
device group, or Shared. The default value is the Virtual System or
Device Group that you selected in the Policies or Objects tab.
Error out on first detected error in validation Select this option (selected by default)
to make the firewall or Panorama display the first error it finds and stop checking for
more errors. For example, an error occurs if the Destination doesn't include an object
that is referenced in the policy rule you are moving. If you clear this selection, the
firewall or Panorama will find all errors before displaying them.
Name Enter a name (up to 63 characters) that describes the addresses you will
include as part of this object. This name appears in the address list when
defining security policy rules. The name is case-sensitive, must be unique,
and can contain only letters, numbers, spaces, hyphens, and underscores.
Shared Select this option if you want to share this address object with:
• Every virtual system (vsys) on a multi-vsys firewall—If you do not
select this option, the address object will be available only to the Virtual
System selected in the Objects tab.
• Every device group on Panorama—If you do not select this option, the
address object will be available only to the Device Group selected in the
Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from
overriding the settings of this address object in device groups that inherit this object.
By default, this selection is disabled, which means administrators can override the
settings for any device group that inherits the object.
Resolve After selecting the address type and entering an IP address or FQDN, click
Resolve to see the associated FQDN or IP addresses, respectively (based on
the DNS configuration of the firewall or Panorama).
You can change an address object from an FQDN to an IP Netmask or vice
versa. To change from an FQDN to an IP Netmask, click Resolve to see
the IP addresses that the FQDN resolves to, then select one and Use this
address. The address object Type dynamically changes to IP Netmask and
the IP address you selected appears in the text field.
Alternatively, to change an address object from an IP Netmask to an FQDN,
click Resolve to see the DNS name that the IP Netmask resolves to, then
select the FQDN and Use this FQDN. The Type changes to FQDN and the
FQDN appears in the text field.
Tags Select or enter the tags that you want to apply to this address object. You
can define a tag here or use the Objects > Tags tab to create new tags.
Name Enter a name that describes the address group (up to 63 characters). This
name appears in the address list when defining security policies. The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Shared Select this option if you want the address group to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the address group will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the address
group will be available only to the Device Group selected in the Objects
tab.
Disable override (Panorama only) Select this option to prevent administrators from
overriding the settings of this address group object in device groups that inherit the
object. This selection is cleared by default, which means administrators can override
the settings for any device group that inherits the object.
For a static address group, click Add and select one or more Addresses.
Click Add to add an object or an address group to the address group. The
group can contain address objects, and both static and dynamic address
groups.
Tags Select or enter the tags that you wish to apply to this address group. For
information on tags, see Objects > Tags.
Members Count and Address After you add an address group, the Members Count column on
the Objects > Address Groups page indicates whether the objects in the group are
populated dynamically or statically.
• For a static address group, you can view the count of the members in
the address group.
• For an address group that uses tags to dynamically populate members
or has both static and dynamic members, to view the members, click the
More... link in the Address column. You can now view the IP addresses
that are registered to the address group.
• Type indicates whether the IP address is a static address object or
being dynamically registered and displays the IP address.
• Action allows you to Unregister Tags from an IP address. Click the
link to Add the registration source and specify the tags to unregister.
Name Select a name that describes the region. This name appears in the address
list when defining security policies.
Geo Location To specify latitude and longitude, select this option and specify the values
(xxx.xxxxxx format). This information is used in the traffic and threat maps
for App-Scope. Refer to Monitor > Logs.
Name Enter a Name that describes the dynamic user group (up to 63 characters).
This name appears in the source user list when defining Security policy
rules. The name must be unique and use only alphanumeric characters,
spaces, hyphens, and underscores.
Shared (Panorama only) Select this option if you want the match criteria of the dynamic
user group to be available to every device group on Panorama.
Panorama does not share the members of the group with
device groups.
If you clear this option, the match criteria of the dynamic user group are
available only to the Device Group selected in the Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from
overriding the settings of this dynamic user group in device groups that inherit the
object. This selection is cleared by default, which means administrators can override
the settings for any device group that inherits the object.
Match Add Match Criteria to define the members in the dynamic user group using
the AND or OR operators to include multiple tags.
Tags (Optional) Select or enter the static object tags that you want to apply to
the dynamic user group object. This tags the dynamic user group object
itself, not the members in the group. The tags you select allow you to group
related items and are not related to the match criteria. For information on
tags, see Objects > Tags.
After you add a dynamic user group, you can view the following information for the group:
Location (Panorama only) Identifies whether the match criteria for the dynamic user
group is available to every device group on Panorama (Shared) or to the selected
device group.
Users Select more to see the list of users in the dynamic user group.
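Both the dynamic address group (members registered by tag, with Unregister Tags to remove them) and the dynamic user group (Match Criteria combining tags with AND and OR) above are driven by a match expression evaluated against the tags currently registered to each address or user. The following Python is an added example, not PAN-OS code: a small recursive-descent parser for expressions such as 'web' and ('prod' or 'staging'), applied to a constructed tag registry. The quoted-tag syntax with and, or, not and parentheses is an assumption about the match criteria format, and the registry data is constructed.

```python
"""Evaluator for dynamic group match criteria. Added example, not PAN-OS code; the
quoted-tag syntax with and/or/not and parentheses is an assumption about the format."""
import re
from typing import Dict, List, Set, Tuple

Token = Tuple[str, str]   # (kind, value); kind is TAG, (, ), and, or, not


def tokenize(expr: str) -> List[Token]:
    tokens: List[Token] = []
    pos = 0
    while pos < len(expr):
        ch = expr[pos]
        if ch.isspace():
            pos += 1
        elif ch == "'":                       # quoted tag name
            end = expr.find("'", pos + 1)
            if end < 0:
                raise ValueError("unterminated tag quote")
            tokens.append(("TAG", expr[pos + 1:end]))
            pos = end + 1
        elif ch in "()":
            tokens.append((ch, ch))
            pos += 1
        else:                                 # keyword operators only
            m = re.match(r"(and|or|not)\b", expr[pos:], re.IGNORECASE)
            if not m:
                raise ValueError(f"unexpected input at {pos}: {expr[pos:pos + 10]!r}")
            tokens.append((m.group(1).lower(), m.group(1).lower()))
            pos += m.end()
    return tokens


class _Parser:
    """expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | TAG.  'and' binds tighter than 'or'."""
    def __init__(self, tokens: List[Token]) -> None:
        self.toks, self.i = tokens, 0

    def _peek(self) -> str:
        return self.toks[self.i][0] if self.i < len(self.toks) else ""

    def _take(self) -> Token:
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of expression")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self._expr()
        if self._peek():
            raise ValueError(f"trailing token {self._peek()!r}")
        return node

    def _expr(self):
        node = self._term()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._factor())
        return node

    def _factor(self):
        kind, value = self._take()
        if kind == "not":
            return ("not", self._factor())
        if kind == "(":
            node = self._expr()
            if self._take()[0] != ")":
                raise ValueError("expected ')'")
            return node
        if kind == "TAG":
            return ("tag", value)
        raise ValueError(f"unexpected token {kind!r}")


def _eval(node, tags: Set[str]) -> bool:
    op = node[0]
    if op == "tag":
        return node[1] in tags
    if op == "not":
        return not _eval(node[1], tags)
    if op == "and":
        return _eval(node[1], tags) and _eval(node[2], tags)
    return _eval(node[1], tags) or _eval(node[2], tags)


def members(match_criteria: str, registry: Dict[str, Set[str]]) -> List[str]:
    """Addresses (or users) whose registered tags satisfy the match criteria."""
    tree = _Parser(tokenize(match_criteria)).parse()
    return sorted(key for key, tags in registry.items() if _eval(tree, tags))


def unregister_tags(registry: Dict[str, Set[str]], key: str, tags: Set[str]) -> None:
    """Mirror of the Unregister Tags action; membership follows on the next members() call."""
    registry.get(key, set()).difference_update(tags)


# Constructed registrations (example data, not from the page).
REGISTRY: Dict[str, Set[str]] = {
    "10.0.0.5": {"web", "prod"},
    "10.0.0.6": {"web", "dev"},
    "10.0.0.7": {"db", "prod"},
}
```

Because membership is recomputed from the registry on every call, unregistering a tag from an address removes it from every group whose criteria depended on that tag, with no change to the policy rules that reference the group.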
Applications Overview
The Applications page lists various attributes of each application definition, such as the application’s relative
security risk (1 to 5). The risk value is based on criteria such as whether the application can share files, is
prone to misuse, or tries to evade firewalls. Higher values indicate higher risk.
The top application browser area of the page lists the attributes that you can use to filter the display
as follows. The number to the left of each entry represents the total number of applications with that
attribute.
Weekly content releases periodically include new decoders and contexts for which you can
develop signatures.
The following table describes application details—custom applications and Palo Alto® Networks applications
might display some or all of these fields.
Additional Information Links to web sources (Wikipedia, Google, and Yahoo!) that contain
additional information about the application.
Standard Ports Ports that the application uses to communicate with the network.
Depends on List of other applications that are required for this application to run.
When creating a policy rule to allow the selected application, you
Implicitly Uses Other applications that the selected application depends on but
that you do not need to add to your Security policy rules to allow
the selected application because those applications are supported
implicitly.
Previously Identified As For a new App-ID™, or App-IDs that are changed, this indicates
what the application was previously identified as. This helps you
assess whether policy changes are required based on changes in the
application. If an App-ID is disabled, sessions associated with that
application match policy as the application they were previously identified as.
Similarly, disabled App-IDs appear in logs as the application they
were previously identified as.
Deny Action App-IDs are developed with a default deny action that dictates how
the firewall responds when the application is included in a Security
policy rule with a deny action. The default deny action can specify
either a silent drop or a TCP reset. You can override this default action
in Security policy.
Characteristics
Evasive Uses a port or protocol for something other than its originally
intended purpose with the hope that it will traverse a firewall.
Excessive Bandwidth Consumes at least 1 Mbps on a regular basis through normal use.
Prone to Misuse Often used for nefarious purposes or is easily set up to expose more
than the user intended.
Capable of File Transfer Has the capability to transfer a file from one system to another over a
network.
Tunnels Other Applications Is able to transport other applications inside its protocol.
Used by Malware Malware has been known to use the application for propagation,
attack, or data theft, or is distributed with malware.
Continue Scanning for Other Instructs the firewall to continue to try and match against other
Applications application signatures. If you do not select this option, the firewall
stops looking for additional application matches after the first
matching signature.
SaaS Characteristics
Poor Terms of Service Applications with unfavorable terms of service that can compromise
enterprise data.
Poor Financial Viability Applications with the potential to be out of business within the next
18 to 24 months.
Classification
Options
Session Timeout Period of time, in seconds, required for the application to time out due
to inactivity (range is 1-604800 seconds). This timeout is for protocols
other than TCP or UDP. For TCP and UDP, refer to the next rows in
this table.
To customize this setting, click the Customize link, enter a value, and
click OK.
TCP Timeout (seconds) Timeout, in seconds, for terminating a TCP application flow (range is
1-604800).
To customize this setting, click the Customize link, enter a value, and
click OK.
A value of 0 indicates that the global session timer will be used, which
is 3600 seconds for TCP.
UDP Timeout (seconds) Timeout, in seconds, for terminating a UDP application flow (range is
1-604800 seconds).
To customize this setting, click the Customize link, enter a value, and
click OK.
TCP Half Closed (seconds) Maximum length of time, in seconds, that a session remains in the
session table between receiving the first FIN packet and receiving the
second FIN packet or RST packet. If the timer expires, the session is
closed (range is 1-604800).
Default: If this timer is not configured at the application level, the
global setting is used.
If this value is configured at the application level, it overrides the
global TCP Half Closed setting.
TCP Time Wait (seconds) Maximum length of time, in seconds, that a session remains in the
session table after receiving the second FIN packet or a RST packet. If
the timer expires, the session is closed (range is 1-600).
Default: If this timer is not configured at the application level, the
global setting is used.
If this value is configured at the application level, it overrides the
global TCP Time Wait setting.
When the firewall is not able to identify an application using the App-ID, the traffic is classified as unknown:
unknown-tcp or unknown-udp. This behavior applies to all unknown applications except those that fully
emulate HTTP. For more information, refer to Monitor > Botnet.
You can create new definitions for unknown applications and then define security policies for the new
application definitions. In addition, applications that require the same security settings can be combined into
application groups to simplify the creation of security policies.
Filter by application • To search for a specific application, enter the application name or
description in the Search field and press Enter. The drop-down
allows you to search or filter for a specific application or view All
applications, Custom applications, Disabled applications, or Tagged
applications.
The application is listed and the filter columns are updated to show
statistics for the applications that matched the search. A search will
match partial strings. When you define security policies, you can write
rules that apply to all applications that match a saved filter. Such rules
are dynamically updated when a new application is added through a
content update that matches the filter.
• To filter by application attributes displayed on the page, click an item
to use as a basis for filtering. For example, to restrict the list to the
collaboration category, click collaboration and the list will display only
applications in this category.
View and/or customize application details Click the application name link to view the application description,
including the standard port and characteristics of the application and its
risk level, among other details. For details on the application settings, see
Defining Applications.
If the icon to the left of the application name is a yellow pencil, the
application is a custom application.
Disable an application You can Disable an application (or several applications) so that the
application signature is not matched against traffic. Security rules defined
to block, allow, or enforce a matching application are not applied to
the application traffic when the app is disabled. You might choose to
disable an application that is included with a new content release version
because policy enforcement for the application might change when the
application is uniquely identified. For example, an application that is
identified as web-browsing traffic is allowed by the firewall prior to a
new content version installation; after installing the content update, the
uniquely identified application no longer matches the Security rule that
allows web-browsing traffic. In this case, you could choose to disable the
application so that traffic matched to the application signature continues
to be classified as web-browsing traffic and is allowed.
Enable an application Select a disabled application and Enable it so that the firewall can manage
the application according to your configured security policies.
Import an application To import an application, click Import. Browse to select the file, and
select the target virtual system from the Destination drop-down.
Export an application To export an application, select this option for the application and click
Export. Follow the prompts to save the file.
Assess policy impact after installing a new content release Review Policies to assess the policy-based
enforcement for applications before and after installing a content release version. Use the Policy
Review dialog to review policy impact for new applications included
in a downloaded content release version. The Policy Review dialog
allows you to add or remove a pending application (an application that
is downloaded with a content release version but is not installed on
the firewall) to or from an existing Security policy rule; policy changes
for pending applications do not take effect until the corresponding
content release version is installed. You can also access the Policy Review
dialog when downloading and installing content release versions on the
Device > Dynamic Updates page.
Tag an application A predefined tag named sanctioned is available for you to tag SaaS
applications. While a SaaS application is an application that is identified
as SaaS=yes in the details on application characteristics, you can use the
sanctioned tag on any application.
Select an application, click Edit Tags and from the drop-down, select
the predefined Sanctioned tag to identify any application that you want
to explicitly allow on your network. When you then generate the SaaS
Application Usage Report (see Monitor > PDF Reports > SaaS Application
Usage), you can compare statistics on the application that you have
sanctioned versus unsanctioned SaaS applications that are being used on
your network.
When you tag an application as sanctioned, the following restrictions
apply:
• The sanctioned tag cannot be applied to an application group.
• The sanctioned tag cannot be applied at the Shared level; you can tag
an application only per device group or per virtual system.
• The sanctioned tag cannot be used to tag applications included in a
container app, such as facebook-mail, which is part of the facebook
container app.
Defining Applications
Select Objects > Applications to Add a new custom application for the firewall to evaluate when applying
policies.
Configuration Tab
Name Enter the application name (up to 31 characters). This name appears in the
applications list when defining security policies. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, periods, hyphens,
and underscores. The first character must be a letter.
Shared Select this option if you want the application to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the application will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the
application will be available only to the Device Group selected in the
Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings
of this application object in device groups that inherit the object. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the object.
Description Enter a description of the application for general reference (up to 255
characters).
Category Select the application category, such as email or database. The category is
used to generate the Top Ten Application Categories chart and is available
for filtering (refer to ACC).
Parent App Specify a parent application for this application. This setting applies when a
session matches both the parent and the custom applications; however, the
custom application is reported because it is more specific.
Risk Select the risk level associated with this application (1=lowest to 5=highest).
Characteristics Select the application characteristics that may place the application at risk.
For a description of each characteristic, refer to Characteristics.
Advanced Tab
Port If the protocol used by the application is TCP and/or UDP, select Port and
enter one or more combinations of the protocol and port number (one
entry per line). The general format is:
<protocol>/<port>
where the <port> is a single port number, or dynamic for dynamic port
assignment.
Examples: TCP/dynamic or UDP/32.
This setting applies when using app-default in the Service column of a
Security rule.
IP Protocol To specify an IP protocol other than TCP or UDP, select IP Protocol, and
enter the protocol number (1 to 255).
ICMP Type To specify an Internet Control Message Protocol version 4 (ICMP) type,
select ICMP Type and enter the type number (range is 0-255).
ICMP6 Type To specify an Internet Control Message Protocol version 6 (ICMPv6) type,
select ICMP6 Type and enter the type number (range is 0-255).
Timeout Enter the number of seconds before an idle application flow is terminated
(range is 0-604800 seconds). A zero indicates that the default timeout of
the application will be used. This value is used for protocols other than TCP
and UDP in all cases and for TCP and UDP timeouts when the TCP timeout
and UDP timeout are not specified.
TCP Timeout Enter the number of seconds before an idle TCP application flow is
terminated (range is 0-604800 seconds). A zero indicates that the default
timeout of the application will be used.
UDP Timeout Enter the number of seconds before an idle UDP application flow is
terminated (range is 0-604800 seconds). A zero indicates that the default
timeout of the application will be used.
TCP Half Closed Enter the maximum length of time that a session remains in the session
table, between receiving the first FIN and receiving the second FIN or RST.
If the timer expires, the session is closed.
Default: If this timer is not configured at the application level, the global
setting is used (range is 1-604800 seconds).
TCP Time Wait Enter the maximum length of time that a session remains in the session
table after receiving the second FIN or a RST. If the timer expires, the
session is closed.
Default: If this timer is not configured at the application level, the global
setting is used (range is 1-600 seconds).
If this value is configured at the application level, it overrides the global TCP
Time Wait setting.
Scanning Select the scanning types that you want to allow based on Security Profiles
(file types, data patterns, and viruses).
Signatures Tab
Signatures Click Add to add a new signature, and specify the following information:
• Signature Name—Enter a name to identify the signature.
• Comment—Enter an optional description.
• Ordered Condition Match—Select if the order in which signature
conditions are defined is important.
• Scope—Select whether to apply this signature only to the current
Transaction or to the full user Session.
Specify the conditions that identify the signature. These conditions are used
to generate the signature that the firewall uses to match the application
patterns and control traffic:
• To add a condition, select Add And Condition or Add Or Condition.
To add a condition within a group, select the group and then click Add
Condition.
• Select an Operator from the drop-down. The options are Pattern
Match, Greater Than, Less Than, and Equal To and specify the following
options:
(For Pattern Match only)
• Context—Select from the available contexts. These contexts are
updated using dynamic content updates.
• Pattern— Specify a regular expression to specify unique string
context values that apply to the custom application.
It is not required to specify signatures for the application if the application is used only for
application override rules.
Name Enter a name that describes the application group (up to 31 characters).
This name appears in the application list when defining security policies.
The name is case-sensitive and must be unique. Use only letters, numbers,
spaces, hyphens, and underscores.
Shared Select this option if you want the application group to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the application group will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the application
group will be available only to the Device Group selected in the Objects
tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings of
this application group object in device groups that inherit the object. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the object.
Applications Click Add and select applications, application filters, and/or other
application groups to be included in this group.
To filter on additional columns, select an entry in the columns. The filtering is successive: category filters
are applied first followed by subcategory filters, technology filters, risk filters, tags, and then characteristic
filters.
As you select filters, the list of applications that display on the page is automatically updated.
Name Enter the service name (up to 63 characters). This name appears in the
services list when defining Security policies. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Shared Select this option if you want the service object to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the service object will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the service
object will be available only to the Device Group selected in the Objects
tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings of
this service object in device groups that inherit the object. This selection is
cleared by default, which means administrators can override the settings for
any device group that inherits the object.
Destination Port Enter the destination port number (0 to 65535) or range of port numbers
(port1-port2) used by the service. Multiple ports or ranges must be
separated by commas. The destination port is required.
Source Port Enter the source port number (0 to 65535) or range of port numbers
(port1-port2) used by the service. Multiple ports or ranges must be
separated by commas. The source port is optional.
The following settings display only if you choose to override application timeouts and create custom
session timeouts for a service:
TCP Timeout Set the maximum length of time in seconds that a TCP session can remain
open after data transmission has started. When this time expires, the
session closes.
Range is 1 - 604800. Default value is 3600 seconds.
TCP Half Closed Set the maximum length of time in seconds that a session remains
open when only one side of the connection has attempted to close the
connection.
This setting applies to:
• The time period after the firewall receives the first FIN packet (indicates
that one side of the connection is attempting to close the session) but
before it receives the second FIN packet (indicates that the other side of
the connection is closing the session).
• The time period before receiving an RST packet (indicating an attempt to
reset the connection).
If the timer expires, the session closes.
Range is 1 - 604800. Default value is 120 seconds.
TCP Wait Time Set the maximum length of time in seconds that a session remains open
after receiving the second of the two FIN packets required to terminate a
session, or after receiving an RST packet to reset a connection.
When the timer expires, the session closes.
Range is 1 - 600. Default value is 15 seconds.
Name Enter the service group name (up to 63 characters). This name appears in
the services list when defining security policies. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Shared Select this option if you want the service group to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the service group will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the service
group will be available only to the Device Group selected in the Objects
tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings
of this service group object in device groups that inherit the object. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the object.
Service Click Add to add services to the group. Select from the drop-down or click
Service at the bottom of the drop-down and specify the settings. Refer to
Objects > Services for a description of the settings.
Looking for more?
• Use Tags to Group and Visually Distinguish Objects
• SD-WAN Link Tag
• Create Tags
• Objects > Tags
Select Tags to create a tag, assign a color or to delete, rename, and clone tags. Each object can have up to
64 tags; when an object has multiple tags, it displays the color of the first tag applied.
On the firewall, the Tags tab displays the tags that you define locally on the firewall or push from Panorama
to the firewall. On Panorama, the Tags tab displays the tags that you define on Panorama. This tab does not
display the tags that are dynamically retrieved from the VM Information sources defined on the firewall for
forming dynamic address groups nor does it display tags that are defined using the XML or REST API.
When you create a new tag, the tag is automatically created in the Virtual System or Device Group that is
currently selected on the firewall or Panorama.
Name Enter a unique tag name (up to 127 characters). The name is not case-
sensitive.
Shared Select this option if you want the tag to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the tag is available only to the Virtual System selected in the
Objects tab.
• Every device group on Panorama. If you disable (clear) this option, the
tag will be available only to the Device Group selected in the Objects
tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings
of this tag in device groups that inherit the tag. This selection is cleared
by default, which means administrators can override the settings for any
device group that inherits the tag.
Color Select a color from the color palette in the drop-down (default is None).
Comments Add a label or description that describes what the tag is used for.
• Add a tag: Add a tag and then fill in the following fields:
You can also create a new tag when you create or edit policy in the Policies tab. The tag is automatically
created in the Device Group or Virtual System that is currently selected.
• Edit a tag: Click a tag to edit, rename, or assign a color to a tag.
• Delete a tag: Click Delete and select the tag. You cannot delete a predefined tag.
• Move or Clone a tag: The options to move or clone a tag allow you to copy a tag or move a tag to a
different Device Group or Virtual System on firewalls with multiple virtual systems enabled.
Move or Clone and select the tag. Select the Destination location—Device Group or Virtual System.
Disable (clear) this option to Error out on first detected error in validation if you want the validation
process to discover all errors for the object before displaying the errors. This option is enabled by default
and the validation process stops when the first error is detected and only displays the error.
• Override or Revert a tag (Panorama only): The Override option is available only if you did not select
the Disable override option when you created the tag. The Override option allows you to override the
color assigned to the tag that was inherited from a shared or ancestor device group. The Location is the
current device group. You can also Disable override to prevent future override attempts.
Revert changes to undo recent modifications of a tag. When you revert a tag, the Location field displays
the device group or virtual system from where the tag was inherited.
Move Rules in Group to Different Rulebase or Device Group Move all policy rules in the selected tag group
to a different rulebase or device group.
Change Group of All Rules Move all rules in the selected tag group to a different tag group.
Move All Rules in Group Move all rules in the selected tag group within the rulebase.
Delete All Rules in Group Delete all rules in the selected tag group.
Clone All Rules in Group Clone all rules in the selected tag group.
Field Description
Destination Type (Panorama only) Select whether to move the rules to the Pre-Rulebase or Post-Rulebase of
the destination device group.
Rule Order Select where in the rulebase to move the rules. You can choose:
• Move Top—Move rules to the top of the rulebase of the destination
device group.
• Move Bottom—Move rules to the end of the rulebase of the destination
device group.
• Before Rule—Move rules before the selected rule in the rulebase of the
destination device group.
• After Rule—Move rules after the selected rule in the rulebase of the
destination device group.
Error out on first detected error in validation Check this box to determine how errors are displayed if
encountered during validation. If checked, each error is displayed individually. If unchecked, the
errors are aggregated and displayed as a single error.
Errors detected during validation cause the rule move job to fail, and no
rules are moved to the destination device group.
Field Description
Move Top Move Top inserts the rules at the top of the destination tag group.
Move Bottom Move Bottom inserts the rules at the bottom of the destination tag group.
Field Description
Move Top Move Top inserts the rules before the destination tag group.
Move Bottom Move Bottom inserts the rules after the destination tag group.
Destination Type (Panorama only) Select whether to clone the rules to the Pre-Rulebase or Post-Rulebase of
the destination device group.
Rule Order Select where in the rulebase to clone the rules. You can choose:
• Move Top—Insert cloned rules at the top of the rulebase of the
destination device group.
• Move Bottom—Insert cloned rules at the end of the rulebase of the
destination device group.
• Before Rule—Insert cloned rules before the selected rule in the rulebase
of the destination device group.
• After Rule—Insert cloned rules after the selected rule in the rulebase
of the destination device group.
Error out on first detected error in validation Select this option to determine how errors are displayed if
encountered during validation. If enabled, each error is displayed individually. If disabled
(cleared), the errors are aggregated and displayed as a single error.
Errors detected during validation cause the rule clone job to fail, and no
rules are cloned to the destination device group.
Manage Tags
The following table lists the actions that you can perform when grouping rules by group tags.
• Tag a rule.
1. Select View Rules as Groups.
2. Select one or more rules on the right pane.
3. From the group tag drop-down, Apply Tag to the Selected Rules.
• Untag a rule.
1. View Rulebase as Groups to view the group tags your rules are assigned to.
2. Select one or more rules on the right pane.
3. From the group tag drop-down, Apply Tag to the Selected Rules.
4. Remove tags from the selected rules. Additionally, you may Delete All tags assigned to the rule.
Select a group tag from the drop-down in the move rule window and select whether you want to Move
Before or Move After the tag selected in the drop-down.
Button/Field Description
Location The location of the device group for the device object.
Add Click Add to add a new device object. Enter a Name and
optionally, a Description. Select additional metadata for
the device, such as Category, OS, and Model. You can also
Browse the list of devices to select the device you want to
add. Click OK to confirm your changes.
Delete Select a device object you no longer need then Delete it.
Move Select the device object you want to move then Move it.
Clone Select the device object on which to base the new device
profile and Clone it.
You cannot change the external dynamic list order when lists are grouped by type.
To retrieve the latest version of the external dynamic list from the server that hosts it, select an external
dynamic list and Import Now.
You cannot delete, clone, or edit the settings of the Palo Alto Networks malicious IP address
feeds.
Add a new external dynamic list and configure the settings described in the table below.
Name Enter a name to identify the external dynamic list (up to 32 characters).
This name identifies the list for policy rule enforcement.
Shared (Multiple virtual systems (multi-vsys) and Panorama only) Enable this option if you want the
external dynamic list to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you disable (clear) this option, then the
external dynamic list is available only to the Virtual System selected in the Objects tab.
• Every device group on Panorama.
Disable override (Panorama only) Enable this option to prevent administrators from overriding the
settings of this external dynamic list object in device groups that inherit
the object. This option is disabled (cleared) by default, which means
administrators can override the settings for any device group that
inherits the object.
Test Source URL (Firewall only) Test Source URL to verify that the firewall can connect to the server
that hosts the external dynamic list.
192.168.80.150/32
2001:db8:123:1::1 or 2001:db8:123:1::/64
192.168.80.0/24
2001:db8:123:1::1 - 2001:db8:123:1::22
In the example above, the first line indicates all addresses from
192.168.80.0 through 192.168.80.255. A subnet or an IP address
range, such as 192.168.20.0/24 or 192.168.20.40 – 192.168.20.50,
counts as one IP address entry and not as multiple IP addresses.
• Domain List—Each list can contain only one domain name entry per
line. For example:
www.p301srv03.paloalonetworks.com
ftp.example.co.uk
test.domain.net
For the list of domains included in the external dynamic list, the
firewall creates a set of custom signatures of the spyware type
with medium severity so that you can use the sinkhole action for a
custom list of domains.
financialtimes.co.in
www.wallaby.au/joey
www.exyang.com/auto-tutorials/How-to-enter-Data-
for-Success.aspx
*.example.com/*
For each URL list, the default action is set to Allow. To edit the
default action, see Objects > Security Profiles > URL Filtering.
Type (cont) • Subscriber Identity List—Each list contains subscriber IDs for a 3G,
4G, or 5G network. In the Source field, enter a URL for the firewall
to access the list.
• Equipment Identity List—Each list contains equipment IDs for a 3G,
4G, or 5G network. In the Source field, enter a URL for the firewall
to access the list.
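The following added example (not PAN-OS code; written here to illustrate the IP List format described above) parses a list file line by line, collects malformed entries instead of aborting, counts entries the way the page describes (a subnet or range is one entry) and reports whether a given address would be matched. It assumes one entry per line with blank lines ignored, and, as an assumption of this example only, that a prefix with host bits set (such as 10.0.0.1/24) is rejected as ambiguous.

```python
"""Parser for the line-oriented IP List format of an External Dynamic
List (EDL) source file. Added example, not PAN-OS code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EdlEntry:
    line_no: int
    kind: str      # "host", "subnet" or "range"
    text: str      # the entry as written in the file
    first: int     # lowest address covered, as an integer
    last: int      # highest address covered, as an integer
    version: int   # 4 or 6

    @property
    def address_count(self) -> int:
        return self.last - self.first + 1


@dataclass
class EdlParseResult:
    entries: list = field(default_factory=list)
    errors: list = field(default_factory=list)  # (line_no, text, reason)

    @property
    def entry_count(self) -> int:
        # Entries as the firewall counts them: one per line, however
        # many addresses the line covers.
        return len(self.entries)

    @property
    def address_count(self) -> int:
        # Individual addresses covered, summed over all entries.
        return sum(e.address_count for e in self.entries)

    def contains(self, address: str) -> bool:
        """Would this list match the given address? Useful for checking
        which hosts a policy rule that references the list would hit."""
        ip = ipaddress.ip_address(address)
        return any(e.version == ip.version and e.first <= int(ip) <= e.last
                   for e in self.entries)


def _parse_entry(line_no: int, text: str) -> EdlEntry:
    if "-" in text:  # neither IPv4 nor IPv6 literals contain a dash
        start_s, _, end_s = text.partition("-")
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start.version != end.version:
            raise ValueError("range endpoints mix IPv4 and IPv6")
        if end < start:
            raise ValueError("range end precedes range start")
        return EdlEntry(line_no, "range", text, int(start), int(end),
                        start.version)
    if "/" in text:
        # strict=True rejects a prefix with host bits set (e.g. 10.0.0.1/24)
        # as ambiguous; an assumption of this example, not documented
        # firewall behaviour.
        net = ipaddress.ip_network(text, strict=True)
        kind = "host" if net.num_addresses == 1 else "subnet"
        return EdlEntry(line_no, kind, text, int(net.network_address),
                        int(net.broadcast_address), net.version)
    ip = ipaddress.ip_address(text)
    return EdlEntry(line_no, "host", text, int(ip), int(ip), ip.version)


def parse_ip_list(content: str) -> EdlParseResult:
    """Parse the text of an EDL IP List. Malformed lines are collected as
    errors instead of aborting, so a whole file can be reviewed at once."""
    result = EdlParseResult()
    for line_no, raw in enumerate(content.splitlines(), start=1):
        text = raw.strip()
        if not text:
            continue  # blank lines carry no entry
        try:
            result.entries.append(_parse_entry(line_no, text))
        except ValueError as exc:
            result.errors.append((line_no, text, str(exc)))
    return result


# Constructed sample file modelled on the entry forms shown above, with
# two deliberately malformed lines at the end.
SAMPLE_IP_LIST = """\
192.168.80.150/32
2001:db8:123:1::1
2001:db8:123:1::/64
192.168.80.0/24
2001:db8:123:1::1 - 2001:db8:123:1::22
192.168.20.40-192.168.20.50
10.0.0.1/24
not-an-address
"""

if __name__ == "__main__":
    res = parse_ip_list(SAMPLE_IP_LIST)
    print(f"{res.entry_count} entries covering {res.address_count} addresses")
    for line_no, text, reason in res.errors:
        print(f"line {line_no}: {text!r} rejected: {reason}")
    print("192.168.20.45 matched:", res.contains("192.168.20.45"))
```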
Description Enter a description for the external dynamic list (up to 255 characters).
Source • If the external dynamic list is a Predefined IP List, select Palo Alto
Networks - Bulletproof IP addresses, Palo Alto Networks - High
risk IP addresses, or Palo Alto Networks - Known malicious IP
addresses as the list source.
• If the external dynamic list is a Predefined URL List, the default
setting is panw-auth-portal-exclude-list.
• If the external dynamic list is an IP List, a Domain List, or a URL List,
enter an HTTP or HTTPS URL path that contains the text file (for
example, http://192.0.2.20/myfile.txt).
• If the external dynamic list is a Domain List, you can Automatically
expand to include subdomains. This option enables the PAN-OS
software to evaluate all lower-level components of the domain
names listed in the external dynamic list file. This option is disabled
by default.
• If the external dynamic list is a Subscriber Identity List or Equipment
Identity List, enter a URL path that contains the list.
Certificate Profile (IP List, Domain List, or URL List only) If the external dynamic list has an HTTPS URL,
select an existing certificate profile (firewall and Panorama) or create a new Certificate
Profile (firewall only) for authenticating the web server that hosts
the list. For more information on configuring a certificate profile, see
Device > Certificate Management > Certificate Profile.
Default: None (Disable Cert profile)
Client Authentication Enable this option (disabled by default) to add a username and
password that the firewall will use when accessing an external dynamic
list source that requires basic HTTP authentication. This setting is
available only when the external dynamic list has an HTTPS URL.
• Username—Enter a valid username to access the list.
• Password/Confirm Password—Enter and confirm the password for
the username.
Check for updates Specify the frequency at which the firewall retrieves the list from
the web server. You can set the interval to Every Five Minutes
(default), Hourly, Daily, Weekly, or Monthly. The interval is relative
to the last commit. So, for the five-minute interval, the commit occurs
in 5 minutes if the last commit was an hour ago. The commit updates
all policy rules that reference the list so that the firewall can
successfully enforce policy rules.
Learn more about syntax for regular expression data patterns and see some examples:
• Syntax for Regular Expression Data Patterns
• Regular Expression Data Pattern Examples
Name Enter the data pattern name (up to 31 characters). The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Description Enter a description for the data pattern (up to 255 characters).
Shared Select this option if you want the data pattern to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the data pattern will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the data
pattern will be available only to the Device Group selected in the
Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings
of this data pattern object in device groups that inherit the object. This
Pattern Type Select the type of data pattern you want to create:
• Predefined Pattern
• Regular Expression
• File Properties
Predefined Pattern Palo Alto Networks provides predefined data patterns to scan for certain
types of information in files, for example, for credit card numbers or social
security numbers. To configure data filtering based on a predefined pattern,
Add a pattern and select the following:
• Name—Select a predefined pattern to use to filter for sensitive data.
When you pick a predefined pattern, the Description populates
automatically.
• Select the File Type in which you want to detect the predefined pattern.
Regular Expression Add a custom data pattern. Give the pattern a descriptive Name, set the
File Type you want to scan for the data pattern, and enter the regular
expression that defines the Data Pattern.
For regular expression data pattern syntax details and examples, see:
• Syntax for Regular Expression Data Patterns
• Regular Expression Data Pattern Examples
File Properties Build a data pattern to scan for file properties and the associated values.
For example, Add a data pattern to filter for Microsoft Word documents
and PDFs where the document title includes the words “sensitive”,
“internal”, or “confidential”.
• Give the data pattern a descriptive Name.
• Select the File Type that you want to scan.
• Select the File Property that you want to scan for a specific value.
• Enter the Property Value for which you want to scan.
Pattern length
  Classic syntax: Requires 7 literal characters, which cannot include a period (.), an
  asterisk (*), a plus sign (+), or a range ([a-z]).
  Enhanced syntax: Requires two literal characters.
Case-insensitivity
  Classic syntax: Requires you to define patterns for all possible strings to match all
  variations of a term.
  Enhanced syntax: Allows you to use the i option on a sub-pattern.
The regular expression syntax in PAN-OS is similar to traditional regular expression engines but every
engine is unique. The Classic Syntax and Enhanced Syntax tables describe the syntax supported in the PAN-
OS pattern-matching engines.
Classic Syntax
- Specify a range.
Example: [c-z] matches any character between c and z inclusive.
& The ampersand (&) is a special character so, to look for & in a string,
you must use \&.
Enhanced Syntax
The enhanced pattern-matching engine supports all of the Classic Syntax as well as the following syntax:
Anchor characters
Specify where to match an expression.
Option modifiers
Change the behavior of a sub-pattern. Enter (?<option>) to enable or (?-<option>) to disable.
i Enable case-insensitivity.
Example: ((?i)\bconfidential\b) matches
ConfiDential.
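As an added example (not Palo Alto Networks code), the following Python lint applies the pattern-length and case-insensitivity rules from the tables above to candidate data patterns before they are committed. It assumes that "literal characters" means the longest run of consecutive plain characters, and the sample patterns are constructed.

```python
"""Added example, not Palo Alto Networks code: a lint for PAN-OS regular
expression data patterns that applies the pattern-length and case rules
described above.  It is a simplified model: "literal characters" are taken
to mean the longest run of consecutive plain characters (an assumption), a
character class, option modifier or escape ends a run, and '&' is treated
as a metacharacter because PAN-OS reserves it."""
from __future__ import annotations

# Characters that end a literal run: the ones the page names (. * + and the
# [a-z] range) plus the remaining regex metacharacters and the PAN-OS '&'.
META = set(".*+?|()[]{}\\&^$")

# Minimum literal run per engine, from the Pattern length row above.
MIN_LITERALS = {"classic": 7, "enhanced": 2}


def _flush(runs: list[str], current: str) -> str:
    """Append a finished run (if any) and return an empty accumulator."""
    if current:
        runs.append(current)
    return ""


def literal_runs(pattern: str) -> list[str]:
    """Split a pattern into runs of consecutive literal characters."""
    runs: list[str] = []
    current, i = "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "[":                                   # range such as [a-z]
            end = pattern.find("]", i + 1)
            i = len(pattern) if end < 0 else end + 1
            current = _flush(runs, current)
        elif pattern.startswith("(?", i):               # option modifier (?i) / (?-i)
            end = pattern.find(")", i)
            i = len(pattern) if end < 0 else end + 1
            current = _flush(runs, current)
        elif ch == "\\":                                # escape: \b, \d, \&
            i += 2
            current = _flush(runs, current)
        elif ch in META:
            i += 1
            current = _flush(runs, current)
        else:
            current += ch
            i += 1
    _flush(runs, current)
    return runs


def check_pattern(pattern: str, engine: str = "classic") -> tuple[bool, int]:
    """Return (accepted, longest_literal_run) for the chosen engine.

    The classic engine also rejects option modifiers, which the page lists
    only under Enhanced Syntax.
    """
    longest = max((len(r) for r in literal_runs(pattern)), default=0)
    if engine == "classic" and "(?" in pattern:
        return False, longest
    return longest >= MIN_LITERALS[engine], longest


def classic_variants(term: str) -> str:
    """Classic syntax has no (?i), so every spelling to be matched must be
    written out; this builds an alternation of the common capitalisations."""
    return "|".join(dict.fromkeys([term.lower(), term.upper(), term.title()]))


if __name__ == "__main__":
    # Constructed sample patterns, including the page's own (?i) example.
    for pat, engine in [("confidential", "classic"),
                        ("bank.*account", "classic"),
                        ("ssn[0-9]+", "classic"),
                        ("ssn[0-9]+", "enhanced"),
                        (r"((?i)\bconfidential\b)", "classic"),
                        (r"((?i)\bconfidential\b)", "enhanced"),
                        (classic_variants("confidential"), "classic")]:
        print(f"{engine:8} {pat!r:42} -> {check_pattern(pat, engine)}")
```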
Weekly content releases periodically include new decoders and contexts for which you can
develop signatures.
You can optionally include a time attribute when defining custom signatures by specifying a threshold per
interval for triggering possible actions in response to an attack. Action is taken only after the threshold is
reached.
Use the Custom Spyware Signature page to define signatures for Anti-Spyware profiles. Use the Custom
Vulnerability Signature page to define signatures for Vulnerability Protection profiles.
Configuration Tab
Threat ID Enter a numeric identifier for the configuration (spyware signatures range
is 15000-18000 and 6900001-7000000; vulnerability signatures range is
41000-45000 and 6800001-6900000).
Shared Select this option if you want the custom signature to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the custom signature will be available only to the Virtual
System selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the custom
signature will be available only to the Device Group selected in the
Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding
the settings of this signature in device groups that inherit the signature. This selection is
cleared by default, which means administrators can override the settings for
any device group that inherits the signature.
Default Action Assign the default action to take if the threat conditions are met. For a list
of actions, see Actions in Security Profiles.
Direction Indicate whether the threat is assessed from the client to server, server to
client, or both.
Affected System Indicate whether the threat involves the client, server, either, or both.
Applies to vulnerability signatures, but not spyware signatures.
Vendor Specify the vendor identifier for the vulnerability as an external reference
for additional background and analysis.
Bugtraq Specify the bugtraq (similar to CVE) as an external reference for additional
background and analysis.
Signatures Tab
Standard Signature Select Standard and then Add a new signature. Specify the following
information:
• Standard—Enter a name to identify the signature.
• Comment—Enter an optional description.
• Ordered Condition Match—Select if the order in which signature
conditions are defined is important.
• Scope—Select whether to apply this signature only to the current
transaction or to the full user session.
Add a condition by clicking Add Or Condition or Add And Condition.
To add a condition within a group, select the group and then click Add
Condition. Add a condition to a signature so that the signature is generated
for traffic when the parameters you define for the condition are true.
Select an Operator from the drop-down. The operator defines the type
of condition that must be true for the custom signature to match to
traffic. Choose from Less Than, Equal To, Greater Than, or Pattern Match
operators.
• When choosing a Pattern Match operator, specify for the following to
be true for the signature to match to traffic:
• Context—Select from the available contexts.
• Pattern—Specify a regular expression. See Pattern Rules Syntax for
pattern rules for regular expressions.
• Qualifier and Value—Optionally, add qualifier/value pairs.
• Negate—Select Negate so that the custom signature matches to
traffic only when the defined Pattern Match condition is not true.
This allows you to ensure that the custom signature is not triggered
under certain conditions.
Description Enter a description for the URL category (up to 255 characters).
Shared Select this option if you want the URL category to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you disable
(clear) this option, the URL category is available only to the Virtual
System selected in the Objects tab.
• Every device group on Panorama. If you disable (clear) this option,
the URL category is available only to the Device Group selected in
the Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding
the settings of this custom URL object in device groups that inherit
the object. This selection is disabled by default, which means
administrators can override the settings for any device group that
inherits the object.
Sites Manage sites for the custom URL category (each URL added or
imported can have a maximum of 255 characters).
• Add—Add URLs, only one per row. Each URL can be in the
format “www.example.com” or can include wildcards, such as
“*.example.com”. For additional information on supported formats,
see Block List in Objects > Security Profiles > URL Filtering.
The Allow action does not generate logs related to the signatures or profiles.
You cannot delete a profile that is used in a policy rule; you must first remove the profile from
the policy rule.
Field Description
Name Enter a profile name (up to 31 characters). This name appears in the list of
antivirus profiles when defining security policies. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, periods, and
underscores.
Shared (Panorama only) Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the profile will be available only to the Virtual System selected
in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile will
be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding
the settings of this Antivirus profile in device groups that inherit the profile. This selection is
cleared by default, which means administrators can override the settings for
any device group that inherits the profile.
Action Tab
Specify the action for the different types of traffic, such as FTP and HTTP.
Enable Packet Capture Select this option if you want to capture identified packets.
Decoders and Actions For each type of traffic that you want to inspect for viruses, select an action
from the drop-down. You can define different actions for standard antivirus
signatures (Signature Action column), signatures generated by the WildFire
system (WildFire Signature Action column), and malicious threats detected
in real-time by the WildFire Inline ML models (WildFire Inline ML Action
column).
Some environments may have requirements for a longer soak time for
antivirus signatures, so this option enables the ability to set different actions
for the two antivirus signature types provided by Palo Alto Networks. For
For the best security, clone the default Antivirus profile and
set the Action and WildFire Action for all the decoders to
reset-both and attach the profile to all Security policy rules
that allow traffic.
Application Exceptions and Actions The Applications Exceptions table allows you to define
applications that will not be inspected. For example, to block all HTTP traffic except for a specific
application, you can define an antivirus profile for which the application is
an exception. Block is the action for the HTTP decoder, and Allow is the
exception for the application. For each application exception, select the action
to be taken when the threat is detected. For a list of actions, see Actions in
Security Profiles.
To find an application, start typing the application name in the text box. A
matching list of applications is displayed, and you can make a selection.
Only create an exception if you are sure an identified virus is not a threat (false positive).
If you believe you have discovered a false positive, open a support case with TAC so
Palo Alto Networks can analyze and fix the incorrectly identified virus signature. When
the issue is resolved, remove the exception from the profile immediately.
Threat ID To add specific threats that you want to ignore, enter one Threat ID at a time
and click Add. Threat IDs are presented as part of the threat log information.
Refer to Monitor > Logs.
Palo Alto Networks recommends forwarding samples to the WildFire cloud when WildFire
inline ML is enabled. This allows samples that trigger a false positive to be automatically
corrected upon secondary analysis. Additionally, it provides data for improving ML
models for future updates.
Available Models For each available WildFire inline ML Model, you can select one of the
following action settings:
• enable (inherit per-protocol actions)—Traffic is inspected according to
your selections in the WildFire Inline ML Action column in the decoders
section of the Action tab.
• alert-only (override more strict actions to alert)—Traffic is inspected
according to your selections in the WildFire Inline ML Action column
in the decoders section of the Action tab. Any action with a severity
level higher than alert (drop, reset-client, reset-server, reset-both) will be
overridden to alert, allowing traffic to pass while generating and saving an
alert in the threat logs.
• disable (for all protocols)—Traffic is allowed to pass without any policy
action.
File Exceptions The File Exceptions table allows you to define specific files that you do not
want analyzed, such as false-positives.
To create a new file exception entry, Add a new entry and provide the partial
hash, filename, and description of the file that you want to exclude from
enforcement.
To find an existing file exception, start typing the partial hash value, file name,
or description in the text box. A list of file exceptions matching any of those
values is displayed.
You can find partial hashes in the threat logs (Monitor > Logs
> Threat).
Name Enter a profile name (up to 31 characters). This name appears in the list of
Anti-Spyware profiles when defining security policies. The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
periods, and underscores.
Shared (Panorama only) Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the profile will be available only to the Virtual System selected
in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile
will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding
the settings of this Anti-Spyware profile in device groups that inherit the profile. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the profile.
Threat Name Enter any to match all signatures, or enter text to match any signature
containing the entered text as part of the signature name.
Action Choose an action for each threat. For a list of actions, see Actions in
Security Profiles.
The Default action is based on the pre-defined action that is part of each
signature provided by Palo Alto Networks. To view the default action for
a signature, select Objects > Security Profiles > Anti-Spyware and Add or
select an existing profile. Click the Exceptions tab and then click Show all
signatures to see a list of all signatures and the associated Action.
Packet Capture Select this option if you want to capture identified packets.
Select single-packet to capture one packet when a threat is detected,
or select the extended-capture option to capture from 1 to 50 packets
(default is 5 packets). Extended-capture provides more context about the
threat when analyzing the threat logs. To view the packet capture, select
Monitor > Logs > Threat, locate the log entry you are interested in, and
then click the green down arrow in the second column. To define the
number of packets to capture, select Device > Setup > Content-ID and
then edit the Content-ID™ Settings.
If the action for a given threat is allow, the firewall does not trigger a
Threat log and does not capture packets. If the action is alert, you can
set the packet capture to single-packet or extended-capture. All blocking
actions (drop, block, and reset actions) capture a single packet. The content
package on the device determines the default action.
Exceptions Enable each threat for which you want to assign an action or select All
to respond to all listed threats. The list depends on the selected host,
category, and severity. If the list is empty, there are no threats for the
current selections.
Use IP Address Exemptions to add IP address filters to a threat exception.
If IP addresses are added to a threat exception, the threat exception action
for that signature overrides the action for a rule only when the signature is
triggered by a session with a source or destination IP address that matches
an IP address in the exception. You can add up to 100 IP addresses per
signature. With this option, you do not have to create a new policy rule and
new vulnerability profile to create an exception for a specific IP address.
You can configure specific DNS signature sources with separate policy actions, log severity level, and
packet capture settings. Hosts that perform DNS queries for malware domains will appear in the botnet
report. Additionally, you can specify sinkhole IPs in the DNS Sinkhole Settings if you are sinkholing
malware DNS queries.
DNS Signature Source Allows you to select the lists for which you want to enforce an action when
a DNS query occurs. There are two default DNS signature policy options:
• Palo Alto Networks Content—A local downloadable signature list that is
updated through dynamic content updates.
• DNS Security—A cloud-based DNS security service that performs
pro-active analysis of DNS data and provides real-time access to the
complete Palo Alto Networks DNS signature database.
Log Severity Allows you to specify the log severity level that is recorded when the
firewall detects a domain matching a DNS signature.
Policy Action Choose an action to take when DNS lookups are made to known malware
sites. The options are alert, allow, block, or sinkhole. The default action for
Palo Alto Networks DNS signatures is sinkhole.
The DNS sinkhole action provides administrators with a method of
identifying infected hosts on the network using DNS traffic, even when
the firewall is north of a local DNS server (for example, the firewall cannot
see the originator of the DNS query). When a threat prevention license
is installed and an Anti-Spyware profile is enabled in a Security Profile,
the DNS-based signatures trigger on DNS queries directed at malware
domains. In a typical deployment where the firewall is north of the local
DNS server, the threat log identifies the local DNS resolver as the source
of the traffic rather than the actual infected host. Sinkholing malware DNS
queries solves this visibility problem by forging responses to the queries
directed at malicious domains, so that clients attempting to connect to
malicious domains (for command-and-control, for example) instead attempt
connections to an IP address specified by the administrator. Infected
hosts can then be easily identified in the traffic logs because any host
that attempts to connect to the sinkhole IP is most likely infected with
malware.
Packet Capture Select this option for a given source if you want to capture identified
packets.
DNS Sinkhole Settings After sinkhole action is defined for a DNS signature source, specify an
IPv4 and/or IPv6 address that will be used for sinkholing. By default, the
sinkhole IP address is set to a Palo Alto Networks server. You can then
use the traffic logs or build a custom report that filters on the sinkhole IP
address and identify infected clients.
The following is the sequence of events that will occur when a DNS
request is sinkholed:
1. Malicious software on an infected client computer sends a DNS query to
resolve a malicious host on the Internet.
2. The client's DNS query is sent to an internal DNS server, which then
queries a public DNS server on the other side of the firewall.
3. The DNS query matches a DNS entry in the specified DNS signature
database source, so the sinkhole action will be performed on the query.
4. The infected client then attempts to start a session with the host, but uses
the forged IP address instead. The forged IP address is the address defined
in the Anti-Spyware profile DNS Signatures tab when the sinkhole action is
selected.
5. The administrator is alerted of a malicious DNS query in the threat log, and
can then search the traffic logs for the sinkhole IP address and can easily
locate the client IP address that is trying to start a session with the sinkhole
IP address.
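The sequence above, worked as an added Python example (not Palo Alto Networks code): constructed threat and traffic log lines show why the threat log names the internal resolver while the traffic log reveals the infected client. The sinkhole addresses, the resolver address 10.0.0.53, the client addresses and the CSV layout are all assumptions made for the example.

```python
"""Added example (not Palo Alto Networks code): correlate a sinkhole hit in
the threat log with the traffic log to find the infected client, following
the five-step sequence above.  Every log line below is constructed, and the
CSV field layout is an assumption rather than the real PAN-OS export format."""
from __future__ import annotations

import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sinkhole addresses (documentation ranges), standing in for the
# IPv4 and IPv6 addresses configured under DNS Sinkhole Settings.
SINKHOLE_IPS = {"192.0.2.250", "2001:db8:cafe::250"}

# Constructed threat log: the firewall sits north of the internal resolver,
# so the source it records is the resolver (10.0.0.53), not the real client.
THREAT_LOG = """\
time,type,src,dst,threat,action
2021-10-06T09:00:01,spyware,10.0.0.53,198.51.100.7,Suspicious DNS Query (generic:evil.example),sinkhole
"""

# Constructed traffic log: the infected clients, given the forged answer,
# try to open sessions to the sinkhole address instead of the real host.
TRAFFIC_LOG = """\
time,src,dst,dport,app,action
2021-10-06T09:00:02,10.0.1.23,192.0.2.250,443,ssl,allow
2021-10-06T09:00:02,10.0.1.23,192.0.2.250,80,web-browsing,allow
2021-10-06T09:00:05,10.0.1.77,203.0.113.9,443,ssl,allow
2021-10-06T09:00:09,10.0.2.8,2001:db8:cafe::250,443,ssl,allow
"""


def _norm(ip: str):
    """Parse an address so that IPv6 spelling differences compare equal."""
    return ipaddress.ip_address(ip)


def sinkhole_clients(traffic_csv: str, sinkhole_ips: set[str]) -> dict[str, list[dict]]:
    """Map each client IP to the traffic rows it sent to a sinkhole address."""
    targets = {_norm(ip) for ip in sinkhole_ips}
    hits: dict[str, list[dict]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(traffic_csv)):
        try:
            dst = _norm(row["dst"])
        except ValueError:          # malformed address: skip, do not abort triage
            continue
        if dst in targets:
            hits[row["src"]].append(row)
    return dict(hits)


def sinkhole_events(threat_csv: str) -> list[dict]:
    """Threat-log rows whose action was sinkhole (the alert in step 5)."""
    return [r for r in csv.DictReader(io.StringIO(threat_csv))
            if r["action"] == "sinkhole"]


def triage(threat_csv: str, traffic_csv: str, sinkhole_ips: set[str]) -> dict:
    """Contrast the threat-log source (the resolver) with the real clients."""
    resolvers = {e["src"] for e in sinkhole_events(threat_csv)}
    clients = sinkhole_clients(traffic_csv, sinkhole_ips)
    return {"threat_log_sources": sorted(resolvers),
            "infected_clients": sorted(clients)}


if __name__ == "__main__":
    print(triage(THREAT_LOG, TRAFFIC_LOG, SINKHOLE_IPS))
```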
Apply a Vulnerability Protection profile to every Security Policy rule that allows traffic to
protect against buffer overflows, illegal code execution, and other attempts to exploit client-
and server-side vulnerabilities.
The Rules settings specify collections of signatures to enable, as well as actions to be taken when a
signature within a collection is triggered.
The Exceptions settings allow you to change the response to a specific signature. For example, you
can block all packets that match a signature, except for the selected one, which generates an alert. The
Exception tab supports filtering functions.
The Vulnerability Protection page presents a default set of columns. Additional columns of information
are available by using the column chooser. Click the arrow to the right of a column header and select the
columns from the Columns sub-menu.
The following tables describe the Vulnerability Protection profile settings:
Name Enter a profile name (up to 31 characters). This name appears in the list of
Vulnerability Protection profiles when defining security policies. The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, periods, and underscores.
Shared (Panorama only) Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the profile will be available only to the Virtual System selected
in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile
will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding
the settings of this Vulnerability Protection profile in device groups that inherit the
profile. This selection is cleared by default, which means administrators can
override the settings for any device group that inherits the profile.
Rules Tab
Threat Name Specify a text string to match. The firewall applies a collection of signatures
to the rule by searching signature names for this text string.
CVE Specify common vulnerabilities and exposures (CVEs) if you want to limit
the signatures to those that also match the specified CVEs.
Each CVE is in the format CVE-yyyy-xxxx, where yyyy is the year and xxxx
is the unique identifier. You can perform a string match on this field. For
example, to find vulnerabilities for the year 2011, enter “2011”.
Host Type Specify whether to limit the signatures for the rule to those that are client
side, server side, or either (any).
Action Choose the action to take when the rule is triggered. For a list of actions,
see Actions in Security Profiles.
The Default action is based on the pre-defined action that is part of each
signature provided by Palo Alto Networks. To view the default action for
a signature, select Objects > Security Profiles > Vulnerability Protection
and Add or select an existing profile. Click the Exceptions tab and then click
Show all signatures to see a list of all signatures and the associated Action.
For the best security, set the Action for both client and
server critical, high, and medium severity events to reset-both
and use the default action for Informational and Low
severity events.
Packet Capture Select this option if you want to capture identified packets.
Select single-packet to capture one packet when a threat is detected,
or select the extended-capture option to capture from 1 to 50 packets
(default is 5 packets). Extended-capture provides more context to the
threat when analyzing the threat logs. To view the packet capture, select
Monitor > Logs > Threat and locate the log entry you are interested in
and then click the green down arrow in the second column. To define
the number of packets that should be captured, select Device > Setup >
Content-ID and then edit the Content-ID Settings.
Exceptions Tab
Enable Select Enable for each threat for which you want to assign an action, or
select All to respond to all listed threats. The list depends on the selected
host, category, and severity. If the list is empty, there are no threats for the
current selections.
ID
Vendor ID Specify vendor IDs if you want to limit the signatures to those that also
match the specified vendor IDs.
For example, the Microsoft vendor IDs are in the form MSyy-xxx, where yy
is the two-digit year and xxx is the unique identifier. For example, to match
Microsoft for the year 2009, enter “MS09” in the Search field.
Threat Name
Only create a threat exception if you are sure an identified
threat is not a threat (false positive). If you believe you
have discovered a false positive, open a support case with
TAC so Palo Alto Networks can investigate the incorrectly
identified threat. When the issue is resolved, remove the
exception from the profile immediately.
IP Address Exemptions Click into the IP Address Exemptions column to Add IP address filters to
a threat exception. When you add an IP address to a threat exception, the
threat exception action for that signature will take precedence over the
rule's action only if the signature is triggered by a session with either a
source or destination IP address matching an IP address in the exception.
You can add up to 100 IP addresses per signature. You must enter a unicast
IP address (that is, an address without a netmask), such as 10.1.7.8 or
2001:db8:123:1::1. By adding IP address exemptions, you do not have to
create a new policy rule and new vulnerability profile to create an exception
for a specific IP address.
Rule
CVE The CVE column shows identifiers for common vulnerabilities and
exposures (CVE). These unique, common identifiers are for publicly known
information security vulnerabilities.
Host
Category Select a vulnerability category if you want to limit the signatures to those
that match that category.
Severity
Action Choose an action from the drop-down, or choose from the Action drop-
down at the top of the list to apply the same action to all threats.
Packet Capture Select Packet Capture if you want to capture identified packets.
Show all signatures Enable Show all signatures to list all signatures. If Show all signatures is
disabled, only the signatures that are exceptions are listed.
Block search results if the end user is not using the strictest safe search settings.
URL Filtering Settings
Looking for more? • Learn more about how to configure URL Filtering.
• Use URL categories to prevent credential phishing.
• To create custom URL categories, select Objects >
Custom Objects > URL Category.
• To import a list of URLs that you want to enforce,
select Objects > External Dynamic Lists.
Name Enter a profile name (up to 31 characters). This name appears in the list
of URL filtering profiles when defining security policies. The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.
Shared Select this option if you want the profile to be available to:
Disable override (Panorama only) Select this option to prevent administrators from overriding
the settings of this URL Filtering profile in device groups that inherit the profile. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the profile.
Category Displays the URL categories and lists for which you can define web access
and usage policy. By default, the Site Access and User Credential Submission
permissions for all categories are set to Allow.
URL categories and lists are grouped into three drop-downs:
• Custom URL Categories—Select Objects > Custom Objects > URL
Category to define a custom URL category. You can base custom URL
categories on a list of URLs or on multiple predefined categories.
• External Dynamic URL Lists—Select Objects > External Dynamic Lists to
enable the firewall to import a list of URLs from a web server.
• Pre-defined Categories—Lists all URL categories defined by PAN-DB, the
Palo Alto Networks URL, and the IP cloud database.
Site Access For each URL category, select the action to take when a user attempts to
access a URL in that category:
• alert—Allows access to the web site but adds an alert to the URL log each
time a user accesses the URL.
• none (custom URL category only)—If you created custom URL categories,
set the action to none to allow the firewall to inherit the URL filtering
category assignment from your URL database vendor. Setting the action to
none gives you the flexibility to ignore custom categories in a URL filtering
profile while allowing you to use the custom URL category as a match
criterion in policy rules (Security, Decryption, and QoS) to make exceptions
or to enforce different actions. To delete a custom URL category, you
must set the action to none in any profile where the custom category is
used. For information on custom URL categories, see Objects > Custom
Objects > URL Category.
User Credential Submission For each URL category, select User Credential Submissions to allow or
disallow users from submitting valid corporate credentials to a URL in that
category. Before you can control user credential submissions based on URL
category, you must enable credential submission detection (select the User
Credential Detection tab).
URL categories with the Site Access set to block are set to automatically also
block user credential submissions.
• alert—Allows users to submit credentials to the website, but generate
a URL Filtering log each time a user submits credentials to sites in this
category.
• allow (default)—Allows users to submit credentials to the website.
Check URL Category Click to access the PAN-DB URL Filtering database, where you can enter a
URL or IP address to view categorization information.
Dynamic URL Filtering (disabled by default; configurable for BrightCloud only) Select to enable
cloud lookup for categorizing the URL. This option is invoked if the local database is unable to
categorize the URL. If the URL is unresolved after a 5 second timeout, the response is displayed as
Not resolved URL.
Log container page only (Default: Enabled) Select this option to log only the URLs that match the
content type that is specified. The firewall doesn’t log related web links during the session, such
as advertisements and content links, which reduces the logging and memory
load while still logging relevant URLs.
Enable Safe Search Enforcement (Default: Disabled) Select this option to enforce strict safe search
filtering.
Many search engines have a safe search setting that filters out adult images
and videos in search query return traffic. When you select the setting to
Enable Safe Search Enforcement, the firewall blocks search results if the end
user is not using the strictest safe search settings in the search query. The
firewall can enforce safe search for the following search providers: Google,
Yahoo, Bing, Yandex, and YouTube. This is a best-effort setting and is not
guaranteed by the search providers to work with every website.
A URL filtering license is not required to use this feature.
To use safe search enforcement you must enable this setting and then attach
the URL filtering profile Security policy rule. The firewall will then block any
HTTP Header Logging Enabling HTTP Header Logging provides visibility into the attributes included
in the HTTP request sent to a server. When enabled, one or more of the
following attribute-value pairs are recorded in the URL Filtering log:
• User-Agent—The web browser that the user used to access the URL. This
information is sent in the HTTP request to the server. For example, the
User-Agent can be Internet Explorer or Firefox. The User-Agent value in
the log supports up to 1024 characters.
• Referer—The URL of the web page that linked the user to another web
page; it is the source that redirected (referred) the user to the web page
that is being requested. The referer value in the log supports up to 256
characters.
• X-Forwarded-For—The header field option that preserves the IP address
of the user who requested the web page. It allows you to identify the IP
address of the user, which is particularly useful if you have a proxy server
on your network or you have implemented Source NAT, that is masking
the user’s IP address such that all requests seem to originate from the
proxy server’s IP address or a common IP address. The x-forwarded-for
value in the log supports up to 128 characters.
Configure user credential detection so that users can submit credentials only to sites
in specified URL categories, which reduces the attack surface by preventing credential
submission to sites in untrusted categories. If you block all the URL categories in a URL
Filtering profile for user credential submission, you don’t need to check credentials.
The firewall uses one of three methods to detect valid credentials submitted to web pages. Each method
requires User-ID™, which enables the firewall to compare username and password submissions to web
pages against valid, corporate credentials. Select one of these methods to then continue to prevent
credential phishing based on URL category.
You must configure the firewall to decrypt traffic that you want to monitor for user credentials.
IP User This credential detection method checks for valid username submissions.
You can use this method to detect credential submissions that include a valid
corporate username (regardless of the accompanying password). The firewall
determines a username match by verifying that the username matches the
user logged in at the source IP address of the session. To use this method, the
firewall matches the submitted username against its IP-address-to-username
mapping table. To use this method you can use any of the user mapping
methods described in Map IP Addresses to Users.
Group Mapping The firewall determines if the username a user submits to a restricted site
matches any valid corporate username. To do this, the firewall matches the
submitted username to the list of usernames in its user-to-group mapping
table to detect when users submit a corporate username to a site in a
restricted category.
This method only checks for corporate username submissions based on LDAP
group membership, which makes it simple to configure, but more prone to
false positives. You must enable group mapping to use this method.
Domain Credential This credential detection method enables the firewall to check for a valid
corporate username and the associated password. The firewall determines
if the username and password a user submits matches the same user’s
corporate username and password.
To do this, the firewall must be able to match credential submissions to valid
corporate usernames and passwords and verify that the username submitted
maps to the IP address of the logged in user. This mode is supported only
with the Windows-based User-ID agent, and requires that the User-ID agent
is installed on a read-only domain controller (RODC) and equipped with
the User-ID Credential Service Add-on. To use this method, you must also
enable User-ID to map IP addresses to users using any of the supported user
mapping methods, including Authentication Policy, Authentication Portal, and
GlobalProtect™.
See Prevent Credential Phishing for details on each of the methods the
firewall can use to check for valid corporate credential submissions, and for
steps to enable phishing prevention.
Valid Username Detected Log Severity Set the severity for logs that indicate the firewall detected a valid
username submission to a website.
This log severity is associated with events where a valid username is
submitted to websites with credential submission permissions to alert, block
or continue. Logs that record when a user submits a valid username to a
website for which credential submissions are allowed have a severity of
informational. Select Categories to review or adjust the URL categories to
which credential submissions are allowed and blocked.
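The three detection methods above differ in what they compare a submission against. The following added example (not PAN-OS code) models them over constructed User-ID tables; the salted-hash credential store is a hypothetical stand-in for what the User-ID Credential Service Add-on consults on the RODC, and the sample users, IPs and passwords are constructed.

```python
"""Added example (not PAN-OS code): models the IP User, Group Mapping and
Domain Credential detection methods over constructed User-ID tables."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for User-ID's mapping tables.
IP_USER_MAP = {                      # IP-address-to-username mapping
    "10.1.1.5": "corp\\alice",
    "10.1.1.6": "corp\\bob",
}
GROUP_MAP = {                        # user-to-group mapping
    "corp\\alice": {"finance", "all-staff"},
    "corp\\bob": {"engineering", "all-staff"},
    "corp\\carol": {"all-staff"},
}

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Hypothetical stand-in for the credential store the User-ID Credential
# Service Add-on consults on the read-only domain controller; it holds
# salted one-way hashes only, never plaintext passwords.
_SALT = b"constructed-salt"
CREDENTIAL_STORE = {
    "corp\\alice": _pbkdf2("S3cret-Alice", _SALT),
    "corp\\bob": _pbkdf2("S3cret-Bob", _SALT),
}

@dataclass
class Submission:
    src_ip: str                      # source IP of the decrypted session
    username: str                    # username posted to the web form
    password: Optional[str] = None   # password posted to the web form, if any

def ip_user_match(sub: Submission) -> bool:
    """IP User: the username must equal the user mapped to the session's
    source IP; the password is not examined."""
    return IP_USER_MAP.get(sub.src_ip) == sub.username.lower()

def group_mapping_match(sub: Submission) -> bool:
    """Group Mapping: any corporate username in the group-mapping table
    matches, whatever IP it was submitted from (hence more false positives)."""
    return sub.username.lower() in GROUP_MAP

def domain_credential_match(sub: Submission) -> bool:
    """Domain Credential: the username must map to the source IP *and* the
    password must verify against the corporate credential store."""
    if not ip_user_match(sub) or sub.password is None:
        return False
    stored = CREDENTIAL_STORE.get(sub.username.lower())
    if stored is None:
        return False
    # Constant-time comparison of the two hashes.
    return hmac.compare_digest(stored, _pbkdf2(sub.password, _SALT))

def detect(sub: Submission, method: str) -> bool:
    """True when the submission counts as a valid corporate credential under
    the named method: 'ip-user', 'group-mapping' or 'domain-credential'."""
    return {
        "ip-user": ip_user_match,
        "group-mapping": group_mapping_match,
        "domain-credential": domain_credential_match,
    }[method](sub)
```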
The firewall supports header insertion for HTTP/1.x traffic only; the firewall does not support
header insertion for HTTP/2 traffic.
You can create insertion entries based on a predefined HTTP header insertion type or you can create your
own custom type. Header insertion is typically performed for custom HTTP headers but you can also insert
standard HTTP headers.
Header insertion occurs when:
1. An HTTP request matches a Security policy rule with one or more configured HTTP header insertion
entries.
2. A specified domain matches the domain found in the HTTP Host header.
3. The action is anything other than block.
The firewall can perform HTTP header insertion only for the GET, POST, PUT, and HEAD
methods.
If you enable HTTP header insertion and the identified header is missing from a request, the firewall inserts
the header. If the identified header already exists in the request, then the firewall overwrites the header
values with the values that you specify.
Add an insertion entry or select an existing insertion entry to modify it. When needed, you can also select
an insertion entry and Delete it.
The default block list action for a new HTTP header insertion entry is block. If you
want a different action, go to URL Filtering Categories and select the appropriate action.
Alternatively, add the insertion entry to a profile that is configured with the desired action.
Type The Type of entry you want to create. Entries can be either predefined
or custom. The firewall uses content updates to populate and maintain
predefined entries.
To include the username in the HTTP header, select Dynamic Fields.
Domains Header insertion occurs when a domain in this list matches the Host header
of the HTTP request.
If you are creating a predefined entry, the domain list is predefined in a
content update. This is sufficient for most use cases but you can add or delete
domains as needed.
To create a custom entry, Add at least one domain to this list.
Each domain name can be up to 256 characters and you can identify a
maximum of 50 domains for each entry. You can use an asterisk (*) as a
Header When you create a predefined entry, the Header list is pre-populated by a
content update. This is sufficient for most use cases but you can add or delete
headers as needed.
When you create a custom entry, add one or more headers (up to a total of
five) to this list.
Header names can have up to 100 characters but cannot include spaces.
To include the username in the HTTP header, select X-Authenticated-User
then select the Value, or Add a new header.
Value Configure the Value using a maximum of 512 characters. The header value
varies depending on what information you want to include in the HTTP
header for the specified domains. For example, manage user access to SaaS
applications by selecting predefined types or by using custom entries.
To include the username in the HTTP header, select the domain and
username format that the security device requires:
• ($domain)\($user)
• WinNT://($domain)/($user)
Alternatively, enter a custom format using the ($user) and ($domain)
dynamic tokens (for example, ($user)@($domain)).
The firewall populates the user and domain dynamic tokens using the primary
username in the group mapping profile.
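The insertion conditions and field limits above can be expressed as a small rule engine. The following added example (not PAN-OS code) applies one insertion entry to a parsed HTTP/1.x request. Assumptions not stated on the page: the asterisk in a domain is treated as a glob matching any run of characters, a header of the same name is matched case-insensitively when overwritten, and the request's `domain` and `user` fields stand in for the primary username from the group mapping profile.

```python
"""Added example (not PAN-OS code): applies an HTTP header insertion entry
to a parsed HTTP/1.x request under the conditions the page lists."""
import fnmatch
from dataclasses import dataclass, field

INSERT_METHODS = {"GET", "POST", "PUT", "HEAD"}   # the only methods eligible

@dataclass
class InsertionEntry:
    domains: list[str]        # matched against the Host header; '*' is a wildcard
    headers: dict[str, str]   # header name -> value template with ($user)/($domain)
    action: str = "alert"     # any action other than 'block' permits insertion

    def __post_init__(self):
        # Limits the page states for custom entries.
        if not 1 <= len(self.domains) <= 50:
            raise ValueError("an entry needs 1 to 50 domains")
        if any(len(d) > 256 for d in self.domains):
            raise ValueError("domain names are limited to 256 characters")
        if len(self.headers) > 5:
            raise ValueError("at most five headers per entry")
        for name, value in self.headers.items():
            if len(name) > 100 or " " in name:
                raise ValueError(f"invalid header name: {name!r}")
            if len(value) > 512:
                raise ValueError("header values are limited to 512 characters")

@dataclass
class Request:
    method: str
    target: str
    headers: dict[str, str] = field(default_factory=dict)
    # Stand-ins for the primary username from group mapping (assumption).
    domain: str = ""
    user: str = ""

def parse_request(raw: bytes) -> Request:
    """Minimal HTTP/1.x request-head parser (request line and headers only)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    if not version.startswith("HTTP/1."):
        raise ValueError("header insertion is supported for HTTP/1.x only")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return Request(method, target, headers)

def _host_matches(host: str, domains: list[str]) -> bool:
    host = host.split(":")[0].lower()          # ignore an explicit port
    return any(fnmatch.fnmatchcase(host, d.lower()) for d in domains)

def _expand(template: str, req: Request) -> str:
    """Fill the ($user) and ($domain) dynamic tokens."""
    return template.replace("($user)", req.user).replace("($domain)", req.domain)

def apply_insertion(req: Request, entry: InsertionEntry) -> bool:
    """Insert the entry's headers, overwriting any existing header of the same
    name, when every condition holds. Returns True if the request changed."""
    if entry.action == "block" or req.method not in INSERT_METHODS:
        return False
    if not _host_matches(req.headers.get("Host", ""), entry.domains):
        return False
    for name, template in entry.headers.items():
        for existing in [h for h in req.headers if h.lower() == name.lower()]:
            del req.headers[existing]          # existing values are replaced
        req.headers[name] = _expand(template, req)
    return True
```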
Field Description
Available Models For each available inline ML model, you can select one of the following
actions:
• Alert—The website is allowed and a log entry is generated in the URL
filtering log.
• Allow—The website is allowed and no log entry is generated.
Exceptions You can define URL Exceptions for specific web sites that you do not want
analyzed, such as those that might trigger false-positives.
To add URL exceptions, you must first define a valid EDL (external dynamic
list) or custom URL category. Click Add to view and select from the available
options.
For the best security, apply the predefined strict profile. If you need to support critical
applications that use a file type which the strict profile blocks, clone the strict profile and
make only the file type exceptions you need. Apply the cloned profile to a Security Policy rule
that restricts the exception to only the sources, destinations, and users that need to use the
file type. You can also use Direction to restrict the exception to uploading or downloading.
If you don’t block all Windows PE files, send all unknown files to WildFire for analysis.
For user accounts, set the Action to continue to help prevent drive-by downloads where
malicious web sites, emails, or pop-ups cause users to inadvertently download malicious
files. Educate users that a Continue prompt for a file transfer they didn’t knowingly initiate
may mean they are subject to a malicious download.
Name Enter a profile name (up to 31 characters). This name appears in the list
of file blocking profiles when defining security policies. The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.
Shared (Panorama only) Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the profile will be available only to the Virtual System selected
in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile
will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings
of this File Blocking profile in device groups that inherit the profile. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the profile.
Rules Define one or more rules to specify the action taken (if any) for the selected
file types. To add a rule, specify the following and click Add:
• Name—Enter a rule name (up to 31 characters).
• Applications—Select the applications the rule applies to or select any.
• File Types—Click in the file types field and then click Add to view a
list of supported file types. Click a file type to add it to the profile and
continue to add additional file types as needed. If you select Any, the
defined action is taken on all supported file types.
Use the predefined default profile to forward all unknown files to WildFire for analysis. In
addition, set up WildFire appliance content updates to download and install every minute so
you always have the most recent support.
Name Enter a descriptive name for the WildFire analysis profile (up to 31
characters). This name appears in the list of WildFire Analysis profiles
that you can choose from when defining a Security policy rule. The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Description Optionally describe the profile rules or the intended use for the profile (up
to 255 characters).
Shared (Panorama only) Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the profile will be available only to the Virtual System selected
in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile
will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings
of this Vulnerability Protection profile in device groups that inherit the
profile. This selection is cleared by default, which means administrators can
override the settings for any device group that inherits the profile.
Rules Define one or more rules to specify traffic to forward to either the WildFire
public cloud or the WildFire appliance (private cloud) for analysis.
• Enter a descriptive Name for any rules you add to the profile (up to 31
characters).
• Add an Application so that any application traffic will be matched to the
rule and forwarded to the specified analysis destination.
• Select a File Type to be analyzed at the defined analysis destination for
the rule.
Name Enter a profile name (up to 31 characters). This name appears in the list of
log forwarding profiles when defining security policies. The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.
Shared (Panorama only) Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the profile will be available only to the Virtual System selected
in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile
will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings
of this Data Filtering profile in device groups that inherit the profile. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the profile.
Data Capture Select this option to automatically collect the data that is blocked by the
filter.
Data Pattern Add an existing data pattern to use for filtering or select New to configure a
new data pattern object (Objects > Custom Objects > Data Patterns).
File Types Specify the file types to include in the filtering rule:
Direction Specify whether to apply the filter in the upload direction, download
direction, or both.
Alert Threshold Specify the number of times the data pattern must be detected in a file to
trigger an alert.
Block Threshold Block files that contain at least this many instances of the data pattern.
Log Severity Define the log severity recorded for events that match this data filtering
profile rule.
Create DoS Protection profiles and policies to protect critical individual devices or small
groups of devices, especially internet-facing devices such as web servers and database
servers.
You can configure Aggregate and Classified DoS Protection profiles. You can apply an Aggregate profile, a
Classified profile, or one of each type to a DoS Protection policy rule. If you apply both profile types to a
rule, the firewall applies the Aggregate profile first and then applies the Classified profile if needed.
• A Classified DoS Protection profile has Classified selected as the Type. When you apply a Classified
DoS Protection profile to a DoS Protection rule whose action is Protect, the firewall counts connections
toward the profile’s CPS thresholds if the packet meets the specified Address type: source-ip-only,
destination-ip-only, or src-dest-ip-both.
• An Aggregate DoS Protection profile has Aggregate selected as the Type. When you apply an Aggregate
DoS Protection profile to a DoS Protection rule whose action is Protect, the firewall counts all connections
(the combined number of connections for the group of devices specified in the rule) that meet the
criteria for the rule toward the profile’s CPS thresholds.
To apply a DoS Protection profile to a DoS Protection policy, see Policies > DoS Protection.
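The ordering and counting rules above (Aggregate first, then Classified keyed by the Address type) are easy to get wrong when reasoning about thresholds. The following added example (not PAN-OS code) is a simplified model: it counts connections per second against an Activate Rate and drops every connection beyond it deterministically, whereas the firewall's actual behaviour at the threshold depends on the configured action (for example Random Early Drop). The connections and addresses are constructed sample data.

```python
"""Added example (not PAN-OS code): simplified model of how connections are
counted toward Aggregate and Classified DoS Protection profile thresholds."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    ts: int      # arrival second (constructed sample data)
    src: str
    dst: str

def classify_key(c: Conn, address_type: str) -> tuple:
    """Build the counting key for a Classified profile's Address type."""
    if address_type == "source-ip-only":
        return (c.src,)
    if address_type == "destination-ip-only":
        return (c.dst,)
    if address_type == "src-dest-ip-both":
        return (c.src, c.dst)
    raise ValueError(f"unknown address type: {address_type}")

def evaluate(conns, aggregate_activate=None, classified_activate=None,
             address_type="src-dest-ip-both"):
    """Return one bool per connection, in arrival order: True means dropped.

    aggregate_activate: CPS Activate Rate of the Aggregate profile, counting
        every connection that matches the rule.
    classified_activate: CPS Activate Rate of the Classified profile, counted
        separately for each classification key.
    A connection the Aggregate profile drops is never counted toward the
    Classified profile, which is consulted only if the Aggregate one passes.
    """
    agg = Counter()   # second -> connections seen for the whole rule
    cls = Counter()   # (second, *key) -> connections seen for that key
    decisions = []
    for c in conns:
        if aggregate_activate is not None:
            agg[c.ts] += 1
            if agg[c.ts] > aggregate_activate:
                decisions.append(True)
                continue
        if classified_activate is not None:
            k = (c.ts,) + classify_key(c, address_type)
            cls[k] += 1
            if cls[k] > classified_activate:
                decisions.append(True)
                continue
        decisions.append(False)
    return decisions

# Constructed sample: five connections in the same second, three sources,
# two protected destinations.
SAMPLE = [
    Conn(1, "198.51.100.10", "203.0.113.5"),
    Conn(1, "198.51.100.11", "203.0.113.5"),
    Conn(1, "198.51.100.10", "203.0.113.5"),
    Conn(1, "198.51.100.12", "203.0.113.5"),
    Conn(1, "198.51.100.10", "203.0.113.6"),
]
```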
If you have a multiple virtual system (multi-vsys) environment and have configured both of the
following:
• External zones to enable inter-virtual system communication
• Shared gateways to allow virtual systems to share a common interface and a single IP
address for external communications
then the following Zone and DoS protection mechanisms are disabled on the external zone:
• SYN cookies
• IP fragmentation
• ICMPv6
To enable IP fragmentation and ICMPv6 protection, create a separate zone protection profile
for the shared gateway.
To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection
profile with either Random Early Drop or SYN cookies. On an external zone, only Random
Early Drop is available for SYN Flood protection.
Name Enter a profile name (up to 31 characters). This name appears in the list of
log forwarding profiles when defining security policies. The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.
Shared (Panorama only) Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the profile will be available only to the Virtual System selected
in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile
will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings
of this DoS Protection profile in device groups that inherit the profile. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the profile.
SYN Flood tab
UDP Flood tab
ICMP Flood tab
ICMPv6 Flood tab
Other IP Flood tab Select this option to enable the type of flood protection indicated on the
tab and specify the following settings:
• Action—(SYN Flood only) Action that the firewall performs if the DoS
Protection policy action is Protect and if incoming CPS reach the
Activate Rate. Choose one of the following:
• Random Early Drop—Drop packets randomly when connections per
second reach the Activate Rate threshold.
• SYN cookies—Use SYN cookies to generate acknowledgments so
that it is not necessary to drop connections during a SYN flood
attack.
GTP Inspection
PFCP For Packet Forwarding Control Protocol (PFCP), enable Stateful Inspection
to inspect PFCP traffic. When you enable stateful inspection for PFCP
traffic, the firewall inspects the traffic between the MEC and the remote
or central site to help prevent attacks such as Denial of Service (DoS) or
spoofing.
Filtering Options
RAT Filtering All Radio Access Technologies (RAT) are allowed by default. GTP-C Create-
PDP-Request and Create-Session-Request messages are filtered or allowed
based on the RAT filter. You can specify whether to allow, block or alert on
the following RAT that the user equipment uses to access the mobile core
network:
• UTRAN
• GERAN
• WLAN
• GAN
• HSPA Evolution
• EUTRAN
• Virtual
• EUTRAN-NB-IoT
• LTE-M
• NR
The following RAT are available when enabling 5G-HTTP2:
• WLAN
• EUTRAN
• Virtual
• NR
APN Filtering The Access Point Name (APN) is a reference to a GGSN/PGW that user
equipment requires to connect to the internet. In 5G, one format of Data
Network Name (DNN) is the APN. The APN is composed of one or two
identifiers:
• APN Network Identifier that defines the external network to which the
GGSN/PGW is connected and optionally a requested service by the
mobile station. This part of the APN is mandatory.
• APN Operator Identifier that defines in which PLMN GPRS/EPS
backbone the GGSN/PGW is located. This part of the APN is optional.
All APNs are allowed by default. The APN filter enables you to allow, block,
or alert GTP traffic based on the APN value. GTP-C Create-PDP-Request
and Create-Session-Request messages are filtered or allowed based on the
rules defined for APN filtering.
You can manually add or import an APN filtering list into the firewall. The
value for the APN must include the network ID or the domain name of the
network (for example, example.com) and, optionally, the operator ID.
For APN filtering, the wildcard '*' on its own matches all APNs. A
combination of '*' and other characters is not supported as a wildcard. For
example, "internet.mnc*" is treated as a regular APN and does not filter all
entries that start with internet.mnc.
The firewall supports a maximum of 1,000 APN filters.
Max Concurrent Tunnels Allowed per Destination Allows you to limit the maximum number of GTP-U tunnels to a destination
IP address, for example to the GGSN (range is 0 to 100,000,000 tunnels).
Alert at Max Concurrent Tunnels per Destination Specify the threshold at which the firewall triggers an alert when the
specified number of GTP-U tunnels to a destination has been established.
A GTP log message of high severity is generated when the configured
tunnel limit is reached.
Logging frequency The number of events that the firewall counts before it generates a log
when the configured GTP tunnel limits are exceeded. This setting allows
you to reduce the volume of messages logged (range is 0 to 100,000,000;
default is 100).
Overbilling Protection Select the virtual system that serves as the Gi/SGi firewall on your firewall.
The Gi/SGi firewall inspects the mobile subscriber IP traffic traversing
the Gi/SGi interface from the PGW/GGSN to the external PDN (packet
data network), such as the internet, and secures internet access for mobile
subscribers.
Overbilling can occur when a GGSN assigns a previously used IP address
from the End User IP address pool to a mobile subscriber while a malicious
server on the internet continues to send packets to that IP address: the
server did not close the session initiated for the previous subscriber, and
the session is still open on the Gi firewall. To disallow data from being
delivered, whenever a GTP tunnel is deleted (detected by delete-PDP or
GTPv1-C Allowed Messages Allows you to selectively enable logging of the allowed GTPv1-C messages
if you have enabled stateful inspection for GTPv1-C. These messages
generate logs to help you troubleshoot issues as needed.
By default, the firewall does not log allowed messages. The logging options
for allowed GTPv1-C messages are:
• Tunnel Management—These GTPv1-C messages are used to manage
the GTP-U tunnels, which carry encapsulated IP packets and signaling
messages between a given pair of network nodes like SGSN and GGSN.
It includes messages such as Create PDP Context Request, Create PDP
Context Response, Update PDP Context Request, Update PDP Context
Response, Delete PDP Context Request, Delete PDP Context Response.
• Path Management—These GTPv1-C messages are typically sent by the
GSN or Radio Network Controller (RNC) to the other GSN or RNC to
find out if the peer is alive. It includes messages such as Echo Request
and Echo Response.
• Others—These messages include location management, mobility
management, RAN information management, and Multimedia Broadcast
Multicast Service (MBMS) messages.
Log User Location Enables you to include the user location information, such as area code and
Cell ID, in GTP logs.
GTPv2-C Allowed Messages Enables you to selectively enable logging of the allowed GTPv2-C messages
if you enabled stateful inspection for GTPv2-C. These messages generate
logs to help you troubleshoot issues as needed.
By default, the firewall does not log allowed messages. The logging options
for allowed GTPv2-C messages are:
• Tunnel Management—These GTPv2-C messages are used to manage
the GTP-U tunnels, which carry encapsulated IP packets and signaling
messages between a given pair of network nodes such as the SGW
and PGW. It includes the following types of messages: Create Session
Request, Create Session Response, Create Bearer Request, Create
GTP-U Allowed Messages Enables you to selectively enable logging of the allowed GTP-U messages if
you enabled stateful inspection for GTPv2-C or GTPv1-C. These messages
generate logs to help you troubleshoot issues as needed.
The logging options for allowed GTP-U messages are:
• Tunnel Management—These are GTP-U signaling messages such as
Error Indication.
• Path Management—These GTP-U messages are sent by a network node
(such as eNodeB) to another network node (such as SGW) to find out if
the peer is alive. It includes messages such as Echo Request/Response.
• G-PDU—G-PDU (GTP-U PDU) is used for carrying user data packets
within the network nodes in the mobile core network; it consists of a
GTP header plus a T-PDU.
G-PDU Packets Logged per New GTP-U Tunnel Enable this option to verify that the firewall is inspecting GTP-U PDUs. The
firewall generates a log for the specified number of G-PDU packets in each
new GTP-U tunnel (range is 1 to 10; default is 1).
5G-C Allowed Messages Select N11 to selectively enable logging of allowed N11 messages. N11
messages help you with troubleshooting and provide deeper visibility
into the HTTP/2 messages exchanged over an N11 interface for different
procedures. This field is available only if you enabled 5G-HTTP2 on the 5G-
C tab in the Mobile Network Protection profile.
PFCP Allowed Messages Allows you to selectively enable logging of the allowed PFCP messages if
you enabled stateful inspection for PFCP. These messages generate logs to
help you troubleshoot issues as needed.
The logging options for allowed PFCP messages are:
• Session Establishment—These PFCP messages set up the session,
including establishing the GTP-U tunnel.
• Session Modification—These PFCP messages are sent if the session ID
or PDR ID changes (for example, as a result of moving from a 4G to a
5G network). It includes messages such as PFCP Session Modification
Request and PFCP Session Modification Response.
• Session Deletion—These PFCP messages terminate the PFCP session,
including releasing associated resources.
SCTP Inspection
Unknown Chunk Select the firewall action when it receives an SCTP packet with an
unknown chunk (the chunk is not defined in RFC3758, RFC4820,
RFC4895, RFC4960, RFC5061, or RFC6525):
• allow (default)—Allow the packet to pass without modification.
• alert—Allow the packet to pass without modification and generate
an SCTP log (you need to allocate log storage for these logs—see
Log Storage tab under Logging and Reporting Settings: Device >
Setup > Management).
• block—Nullify the chunk before passing the packet and generate
an SCTP log.
Chunk Flags Select the firewall action when it receives an SCTP packet with a
chunk flag inconsistent with RFC4960:
• allow (default)—Allow the packet to pass without modification.
• alert—Allow the packet to pass without modification and generate
an SCTP log (you need to allocate log storage for these logs—see
Log Storage tab under Logging and Reporting Settings: Device >
Setup > Management).
• block—Drop the packet and generate an SCTP log.
Invalid Length Select the firewall action when it receives an SCTP chunk with an
invalid length:
• allow (default)—Allow the packet or chunk to pass without
modification.
• block—Drop the packet and generate an SCTP log (you need to
allocate log storage for these logs—see Log Storage tab).
IP address limit for multihoming Enter the maximum number of IP addresses you can configure for an
SCTP endpoint before the firewall generates an alert message (range
is 1 to 8; default is 4).
SCTP multihoming is the ability of an endpoint to support more
than one IP address for an association with a peer. If one path to an
endpoint fails, SCTP selects one of the other destination IP addresses
provided for that association.
Log Settings Select any combination of settings to generate SCTP logs for allowed
chunks, association start and end, and state failure events:
• Log at Association Start
• Log at Association End
• Log Allowed Association Initialization Chunks
• Log Allowed Heartbeat Chunks
• Log Allowed Association Termination Chunks
• Log All Control Chunks
• Log State Failure Events
For the firewall to store SCTP logs, you need to allocate SCTP log
storage (see Log Storage tab under Logging and Reporting Settings:
Device > Setup > Management).
Filtering Options
SCTP Filtering
Action Specify the action the firewall takes on data chunks containing the
specified PPID:
• allow (default)—Allow the chunk to pass without modification.
• alert—Allow the chunk to pass without modification and generate
an SCTP log (you need to allocate log storage for these logs—see
Log Storage tab under Logging and Reporting Settings: Device >
Setup > Management).
• block—Nullify the chunk before passing the packet and generate
an SCTP log (you need to allocate log storage for these logs—see
Log Storage tab under Logging and Reporting Settings: Device >
Setup > Management).
SCTP packets are matched to filters in the list from top to bottom. If you create more than one SCTP
filter for a profile, the order of SCTP filters makes a difference. Select a filter and Move Up or Move
Down to change its relative priority in the SCTP Filtering list.
Diameter Filtering
Action Specify the action the firewall takes on Diameter chunks containing
the specified Diameter Application IDs, Command Code, and AVPs.
If the inspected chunk includes the specified Diameter Application ID
and any of the specified Diameter Command Codes and any of the
specified Diameter AVPs, then:
• allow (default)—Allow the chunk to pass without modification.
• alert—Allow the chunk to pass without modification and generate
an SCTP log (you need to allocate log storage for these logs—see
Log Storage tab under Logging and Reporting Settings: Device >
Setup > Management).
• block—Nullify the chunk before passing the packet and generate
an SCTP log (you need to allocate log storage for these logs—see
Log Storage tab under Logging and Reporting Settings: Device >
Setup > Management).
Diameter Application ID Specify the Diameter Application ID for a chunk on which the firewall
takes the specified action.
• any
• 3GPP-Rx
• 3GPP-S6a/S6d
• 3GPP-S6c
• 3GPP-S9
• 3GPP-S13/S13
• 3GPP-Sh
• Diameter Base Accounting
• Diameter Common Messages
• Diameter Credit Control
Diameter Command Code Specify the Diameter Command Codes for a chunk on which the
firewall takes the specified action. Select any, select one of the
Diameter Command Codes from the drop-down, or enter a specific
value (the range is from 0 to 16,777,215). The drop-down includes
only those command codes that apply to the Diameter Application
ID selected. You can add multiple Diameter Command Codes in a
Diameter filter.
Diameter AVP Specify the Diameter Attribute-Value Pair (AVP) codes for a chunk
on which the firewall takes the specified action. Enter one or more
AVP codes or values (the range is from 1 to 16,777,215).
If you create more than one Diameter filter for a profile, the order of Diameter filters makes a difference.
Select a filter and Move Up or Move Down to adjust its relative priority in the Diameter Filtering list.
SS7 Filtering
Action Specify the action the firewall takes on SS7 chunks containing the
specified SS7 filter elements. If the chunk being inspected contains
the SCCP Calling Party SSN and any of the specified SCCP Calling
Party Global Title (GT) values and any of the specified Operation
Codes, then:
• allow (default)—Allow the chunk to pass without modification.
• alert—Allow the chunk to pass without modification and generate
an SCTP log (you need to allocate log storage for these logs—see
Log Storage tab under Logging and Reporting Settings: Device >
Setup > Management).
• block—Nullify the chunk before passing the packet and generate
an SCTP log (you need to allocate log storage for these logs—see
Log Storage tab under Logging and Reporting Settings: Device >
Setup > Management).
SCCP Calling Party SSN Specify the SCCP Calling Party SSN for a chunk on which the firewall
takes the specified action. Select any-map or Add one of the SCCP
Calling Party SSNs from the drop-down:
• HLR(MAP)
• VLR(MAP)
• MSC(MAP)
• EIR(MAP)
• GMLC(MAP)
• gsmSCF(MAP)
• SIWF(MAP)
• SGSN(MAP)
• GGSN(MAP)
• CSS(MAP)
SCCP Calling Party GT Specify the SCCP Calling Party GT value for a chunk on which the
firewall takes the specified action. Select Any or Add a numerical
value up to 15 digits. You can also enter a group of SCCP Calling
Party GT values using a prefix. For example: 876534*. You can add
multiple SCCP Calling Party GT values in an SS7 filter.
For SCCP Calling Party SSN: INAP and SCCP Management, this
option is disabled.
Operation Code Specify the operation code for a chunk on which the firewall takes
the specified action:
For the following SCCP Calling Party SSNs, select any, or an
operation code from the drop-down, or enter a specific value (range
is 1 to 255):
• HLR(MAP)
• VLR(MAP)
• MSC(MAP)
• EIR(MAP)
• GMLC(MAP)
• gsmSCF(MAP)
• SIWF(MAP)
• SGSN(MAP)
• GGSN(MAP)
• CSS(MAP)
For SCCP Calling Party SSN: CAP, enter a value (range is 1 to 255).
For SCCP Calling Party SSN: INAP and SCCP Management, this
option is disabled.
You can add multiple operation codes in an SS7 filter.
If you create more than one SS7 filter for a profile, the order of SS7 filters makes a difference. Select a
filter and Move Up or Move Down to adjust its relative priority in the SS7 Filtering list.
Name Enter the profile group name (up to 31 characters). This name appears in
the profiles list when defining security policies. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Shared (Panorama only) Select this option if you want the profile group to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the profile group will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile
group will be available only to the Device Group selected in the Objects
tab.
Disable override Select this option to prevent administrators from overriding the settings
(Panorama only) of this Security Profile group object in device groups that inherit the
object. This selection is cleared by default, which means administrators can
override the settings for any device group that inherits the object.
You should forward logs to Panorama or to external storage for many reasons, including
compliance, redundancy, running analytics, centralized monitoring, and reviewing threat
behaviors and long-term patterns. In addition, the firewall has limited log storage capacity
and deletes the oldest logs when the storage space fills up. Be sure to forward Threat
logs and WildFire logs.
To enable a PA-7000 Series firewall to forward logs or forward files to WildFire®, you must
first configure a Log Card Interface on the PA-7000 Series firewall. As soon as you configure
this interface, the firewall will automatically use this port—there is no special configuration
required. Just configure a data port on one of the PA-7000 Series Network Processing
Cards (NPCs) as a Log Card interface type and ensure that the network that you use can
communicate with your log servers. For WildFire forwarding, the network must communicate
successfully with the WildFire cloud or WildFire appliance (or both).
Name Enter a name (up to 64 characters) to identify the profile. This name
appears in the list of Log Forwarding profiles when defining Security policy
rules. The name is case-sensitive, must be unique, and can contain only
letters, numbers, spaces, hyphens, and underscores.
Shared (Panorama only) Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall—If you disable (clear)
this option, the profile is available only to the Virtual System selected in
the Objects tab.
• Every device group on Panorama—If you disable (clear) this option, the
profile is available only to the Device Group selected in the Objects tab.
Enable enhanced application logging to Cortex Data Lake (including traffic and url logs) (Panorama only) Enhanced Application Logs for Palo Alto Networks Cloud Services is available with a Cortex Data Lake subscription. Enhanced application logging allows the firewall to collect data specifically intended to increase visibility into network activity for apps running in the Palo Alto Networks Cloud Services environment.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings of this Log Forwarding profile in device groups that inherit the profile. This
Description Enter a description to explain the purpose of this Log Forwarding profile.
Match List (unlabeled) Add one or more match list profiles (up to 64) that specify forwarding
destinations, log attribute-based filters to control which logs the firewall
forwards, and actions to perform on the logs (such as automatic tagging).
Complete the following two fields (Name and Description) for each match
list profile.
Name (match list profile) Enter a name (up to 31 characters) to identify the match list profile.
Description (match list profile) Enter a description (up to 1,023 characters) to explain the purpose of this match list profile.
Log Type Select the type of logs to which this match list profile applies:
authentication (auth), data, gtp, sctp, threat, traffic, tunnel, URL, or
WildFire.
Filter By default, the firewall forwards All Logs of the selected Log Type. To
forward a subset of the logs, select an existing filter from the drop-down
or select Filter Builder to add a new filter. For each query in a new filter,
specify the following fields and Add the query:
• Connector—Select the connector logic (and/or) for the query. Select
Negate if you want to apply negation to the logic. For example, to avoid
forwarding logs from an untrusted zone, select Negate, select Zone as
the Attribute, select equal as the Operator, and enter the name of the
untrusted Zone in the Value column.
• Attribute—Select a log attribute. The available attributes depend on the
Log Type.
• Operator—Select the criterion to determine whether the attribute
applies (such as equal). The available criteria depend on the Log Type.
• Value—Specify the attribute value to match.
To display or export the logs that the filter matches, View Filtered Logs,
which provides the same options as the Monitoring tab pages (such as
Monitoring > Logs > Traffic).
Panorama or Panorama/Logging Service (Panorama only) Select Panorama if you want to forward logs to Log Collectors or the Panorama management server, or to forward logs to the Logging Service. If you enable this option, you must configure log forwarding to Panorama. To use the Logging Service, you must also Enable the Logging Service in Device > Setup > Management.
SNMP Add one or more SNMP Trap server profiles to forward logs as SNMP traps
(see Device > Server Profiles > SNMP Trap).
Email Add one or more Email server profiles to forward logs as email notifications
(see Device > Server Profiles > Email).
Syslog Add one or more Syslog server profiles to forward logs as syslog messages
(see Device > Server Profiles > Syslog).
HTTP Add one or more HTTP server profiles to forward logs as HTTP requests
(see Device > Server Profiles > HTTP).
Built-in Actions You can select from two types of built-in actions when you Add an action
to perform—Tagging and Integration.
• Tagging—Add or remove a tag to the source or destination IP address
in a log entry automatically and register the IP address and tag mapping
to a User-ID agent on the firewall or Panorama, or to a remote User-
ID agent so that you can respond to an event and dynamically enforce
Security policy. The ability to tag an IP address and dynamically enforce
policy using dynamic address groups gives you better visibility, context,
and control for consistently enforcing Security policy irrespective of
where the IP address moves across your network.
Configure the following settings:
• Add an action and enter a name to describe it.
• Select the target IP address you want to tag—Source Address or
Destination Address.
You can take an action for all log types that include a source or destination IP address in the log entry. In Correlation logs and HIP Match logs, you can tag only the source IP address; you cannot configure an action for System logs and Configuration logs because those log types do not include an IP address in the log entry.
• Select the action—Add Tag or Remove Tag.
• Select whether to register the IP address and tag mapping to the
Local User-ID agent on this firewall or Panorama, or to a Remote
User-ID agent.
• To register the IP address and tag mapping to a Remote User-ID
agent, select the HTTP server profile (Device > Server Profiles >
HTTP) that will enable forwarding.
• Configure the IP-Tag Timeout to set, in minutes, the amount of time that the IP address-to-tag mapping is maintained. Setting the timeout to 0 means that the IP-Tag mapping does not time out (range is 0 to 43200 (30 days); default is 0).
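As an added illustration (not code from the PAN-OS help or the product), the following Python models how a Filter Builder query list (Connector, Negate, Attribute, Operator, Value) selects which logs a match list profile forwards; the log records, field names, the extra operators beyond "equal" and the left-to-right combination of connectors are constructed assumptions.

```python
"""Evaluate Log Forwarding match-list filters of the kind the Filter Builder
produces (Connector / Negate / Attribute / Operator / Value) against logs.
Added example; the sample log records and field names are constructed."""
from dataclasses import dataclass
from typing import Any, Callable

# Only "equal" appears on the help page; the others are hypothetical extras
# so the evaluator is also usable on numeric attributes.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equal": lambda a, b: a == b,
    "not equal": lambda a, b: a != b,
    "greater than": lambda a, b: a > b,
    "less than": lambda a, b: a < b,
}


@dataclass(frozen=True)
class Query:
    connector: str      # "and" / "or"; ignored for the first query of a filter
    negate: bool        # the Negate checkbox
    attribute: str      # a log attribute of the selected Log Type
    operator: str       # key of OPERATORS
    value: Any

    def matches(self, log: dict[str, Any]) -> bool:
        if self.attribute not in log:
            return False            # attribute absent from this log type: no match
        hit = OPERATORS[self.operator](log[self.attribute], self.value)
        return not hit if self.negate else hit


def filter_matches(queries: list[Query], log: dict[str, Any]) -> bool:
    """An empty query list corresponds to 'All Logs'.  Queries are combined
    left to right in the order they were added (assumption: the page does
    not state operator precedence)."""
    if not queries:
        return True
    result = queries[0].matches(log)
    for q in queries[1:]:
        hit = q.matches(log)
        result = (result and hit) if q.connector == "and" else (result or hit)
    return result


def select_for_forwarding(queries: list[Query], logs: list[dict]) -> list[dict]:
    """Return the subset of logs the profile would forward."""
    return [log for log in logs if filter_matches(queries, log)]


# Constructed sample traffic logs (field names chosen for this example).
SAMPLE_TRAFFIC_LOGS = [
    {"id": 1, "zone": "untrust", "action": "allow", "bytes": 1200},
    {"id": 2, "zone": "trust", "action": "deny", "bytes": 300},
    {"id": 3, "zone": "dmz", "action": "allow", "bytes": 99000},
    {"id": 4, "zone": "untrust", "action": "deny", "bytes": 10},
]

# The page's own example: Negate + Zone equal <untrusted zone> forwards
# every log except those from the untrust zone.
NOT_UNTRUST = [Query("and", True, "zone", "equal", "untrust")]
# Extended: additionally require denied sessions.
NOT_UNTRUST_DENIED = NOT_UNTRUST + [Query("and", False, "action", "equal", "deny")]

if __name__ == "__main__":
    for name, f in (("not untrust", NOT_UNTRUST),
                    ("not untrust and denied", NOT_UNTRUST_DENIED)):
        ids = [log["id"] for log in select_for_forwarding(f, SAMPLE_TRAFFIC_LOGS)]
        print(f"{name}: forwards log ids {ids}")
```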
Authentication Enforcement Settings Description
Name Enter a descriptive name (up to 31 characters) to help you identify the object
when defining Authentication rules. The name is case-sensitive and must be
unique. Use only letters, numbers, spaces, hyphens, and underscores.
Shared (Panorama only) Select this option if you want the object to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the object will be available only to the Virtual System selected in
the Objects tab.
• Every device group on Panorama. If you clear this selection, the object will
be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings of this authentication enforcement object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Authentication Profile Select the authentication profile that specifies the service to use for validating
the identities of users.
Message Enter instructions that tell users how to respond to the first authentication
challenge that they see when their traffic triggers the Authentication rule.
The message displays in the Authentication Portal Comfort Page. If you don’t
enter a message, the default Authentication Portal Comfort Page displays
(see Device > Response Pages).
To block and control SSL decrypted traffic, see Settings to Control Decrypted SSL Traffic.
To block and control traffic that you have excluded from decryption (for example, traffic classified as health and medicine or financial services), see Settings to Control Traffic that is not Decrypted.
To block and control decrypted SSH traffic, see Settings to Control Decrypted SSH Traffic.
Name Enter a profile name (up to 31 characters). This name appears in the list of
decryption profiles when defining decryption policies. The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Shared (Panorama only) Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection,
the profile will be available only to the Virtual System selected in the Objects
tab.
• Every device group on Panorama. If you clear this selection, the profile will be
available only to the Device Group selected in the Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings of this Decryption profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
Forwarded Only (Supported on all models except the VM-Series firewall on AWS, Azure, NSX edition, and Citrix SDX.) Select Forwarded Only if you want to mirror decrypted traffic only after Security policy enforcement. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS). If you clear this selection (the default setting), the firewall will mirror all decrypted traffic to the interface before security policies lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action.
Server Certificate Validation—Select options to control server certificates for decrypted traffic.
Block sessions with expired certificates Terminate the TLS connection if the server certificate is expired. This prevents users from accepting expired certificates and continuing with a TLS session.
Block sessions with untrusted issuers Terminate the TLS session if the server certificate issuer is untrusted.
Block sessions with untrusted issuers because an untrusted issuer may indicate a man-in-the-middle attack, a replay attack, or another attack.
Block sessions with unknown certificate status Terminate the TLS session if a server returns a certificate revocation status of “unknown”. Certificate revocation status indicates if trust for the certificate has been or has not been revoked.
Block sessions on the certificate status check timeout Terminate the TLS session if the certificate status cannot be retrieved within the amount of time that the firewall is configured to stop waiting for a response from a certificate status service. You can configure the Certificate Status Timeout value when creating or modifying a certificate profile (Device > Certificate Management > Certificate Profile).
Blocking sessions when the status check times out is a tradeoff between
tighter security and a better user experience. If certificate revocation
servers respond slowly, blocking on a timeout may block sites that have
valid certificates. You can increase the timeout value for Certificate
Revocation Checking (CRL) and Online Certificate Status Protocol (OCSP) if
you are concerned about timing out valid certificates.
Restrict certificate extensions Limits the certificate extensions used in the dynamic server certificate to key usage and extended key usage.
Append certificate's CN value to SAN extension Enable the firewall to add a Subject Alternative Name (SAN) extension to the impersonation certificate it presents to clients as part of Forward Proxy decryption. When a server certificate contains only a Common Name (CN), the firewall adds a SAN extension to the impersonation certificate based on the server certificate CN.
This option is useful in cases where browsers require server certificates
to use a SAN and no longer support certificate matching based on CNs;
it ensures that end users can continue to access their requested web
resources and that the firewall can continue to decrypt sessions even if a
server certificate contains only a CN.
Block sessions with unsupported versions Terminate sessions if PAN-OS does not support the “client hello” message. PAN-OS supports SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.
Block sessions with unsupported cipher suites Terminate the session if the cipher suite specified in the TLS handshake is not supported by PAN-OS.
Block sessions with client authentication Terminate sessions with client authentication for Forward Proxy traffic.
Block sessions with client authentication unless an important application requires it, in which case you should create a separate Decryption profile and apply it only to traffic that requires client authentication.
Failure Checks—Select the action to take if system resources are not available to process decryption.
Block sessions if resources not available Terminate sessions if system resources are not available to process decryption.
Whether to block sessions when resources aren’t available is a tradeoff between tighter security and a better user experience. If you don’t block sessions when resources aren’t available, the firewall won’t be able to decrypt traffic that you want to decrypt when resources are impacted. However, blocking sessions when resources aren’t available may affect the user experience because sites that are normally reachable may become temporarily unreachable.
Block sessions if HSM not available Terminate sessions if a hardware security module (HSM) is not available to sign certificates.
Whether to block sessions if the HSM isn’t available depends on your compliance rules about where private keys must come from and how you want to handle encrypted traffic if the HSM isn’t available.
Block downgrade on no resources Terminate the session if system resources are not available to process the TLSv1.3 handshake (instead of downgrading to TLSv1.2).
Whether to block sessions when resources aren’t available is a tradeoff
between tighter security and a better user experience. If you block
downgrading the handshake to TLSv1.2 when TLSv1.3 resources
aren’t available, the firewall drops the session. If you do not block
Client Extension
Strip ALPN The firewall processes and inspects HTTP/2 traffic by default. However, you can disable HTTP/2 inspection by selecting Strip ALPN. With this option selected, the firewall removes any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension.
Because ALPN is used to secure HTTP/2 connections, when there is no
value specified for this TLS extension, the firewall either downgrades
HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
For unsupported modes and failure modes, the session information is cached for 12
hours, so future sessions between the same hosts and server pair are not decrypted.
Enable the options to block those sessions instead.
Unsupported Mode Checks—Select options to control sessions if unsupported modes are detected in
TLS traffic.
Block sessions with unsupported versions Terminate sessions if PAN-OS does not support the “client hello” message. PAN-OS supports SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.
Block sessions with unsupported cipher suites Terminate the session if the cipher suite used is not supported by PAN-OS.
Block sessions that use cipher suites you don’t support.
You configure which cipher suites (encryption algorithms) to
allow on the SSL Protocol Settings tab. Don’t allow users to
connect to sites with weak cipher suites.
Failure Checks—Select the action to take if system resources are not available.
Block sessions if resources not available Terminate sessions if system resources are not available to process decryption.
Block sessions if HSM not available Terminate sessions if a hardware security module (HSM) is not available to decrypt the session key.
Whether to block sessions if the HSM isn’t available depends on your compliance rules about where private keys must come from and how you want to handle encrypted traffic if the HSM isn’t available.
Block downgrade on no resources Terminate the session if system resources are not available to process the TLSv1.3 handshake (instead of downgrading to TLSv1.2).
Whether to block sessions when resources aren’t available is a tradeoff
between tighter security and a better user experience. If you block
downgrading the handshake to TLSv1.2 when TLSv1.3 resources
aren’t available, the firewall drops the session. If you do not block
downgrading the handshake, then if resources aren’t available for the
TLSv1.3 handshake, the firewall downgrades to TLSv1.2.
Protocol Versions Enforce the use of minimum and maximum protocol versions for the TLS
session.
Min Version Set the minimum protocol version that can be used to establish the TLS
connection.
Max Version Set the maximum protocol version that can be used to establish the TLS
connection. You can choose the option Max so that no maximum version is
specified; in this case, protocol versions that are equivalent to or are a later
version than the selected minimum version are supported.
Key Exchange Algorithms Enforce the use of the selected key exchange algorithms for the TLS
session.
All three algorithms (RSA, DHE, and ECDHE) are enabled by default. The
DHE (Diffie-Hellman) and ECDHE (elliptic curve Diffie-Hellman) enable
Perfect Forward Secrecy (PFS) for Forward Proxy or Inbound Inspection
decryption.
Encryption Algorithms Enforce the use of the selected encryption algorithms for the TLS session.
Authentication Algorithms Enforce the use of the selected authentication algorithms for the TLS session.
Block sessions with expired certificates Terminate the SSL connection if the server certificate is expired. This prevents users from accepting expired certificates and continuing with an SSL session.
Block sessions with untrusted issuers Terminate the SSL session if the server certificate issuer is untrusted.
Block sessions with untrusted issuers because an untrusted
issuer may indicate a man-in-the-middle attack, a replay
attack, or another attack.
Unsupported Mode Checks—Use these options to control sessions if unsupported modes are detected in
SSH traffic. Supported SSH version is SSH version 2.
Block sessions with unsupported versions Terminate sessions if the “client hello” message is not supported by PAN-OS.
Always block sessions with unsupported versions to prevent access to sites with weak protocols. On the SSL Protocol Settings tab, set the minimum Protocol Version to TLSv1.2 to block sites with weak protocol versions. If a site you need to access for business purposes uses a weaker protocol, create a separate Decryption profile that allows the weaker protocol and specify it in a Decryption policy rule that applies only to the sites for which you must allow the weaker protocol.
Block sessions with unsupported algorithms Terminate sessions if the algorithm specified by the client or server is not supported by PAN-OS.
Always block sessions with unsupported algorithms to prevent
access to sites that use weak algorithms.
Failure Checks—Select actions to take if SSH application errors occur and if system resources are not
available.
Block sessions if resources not available Terminate sessions if system resources are not available to process decryption.
Whether to block sessions when resources aren’t available is a tradeoff between tighter security and a better user experience. If you don’t block sessions when resources aren’t available, the firewall won’t be able to decrypt traffic that you want to decrypt when resources are impacted. However, blocking sessions when resources aren’t available may affect the user experience because sites that are normally reachable may become temporarily unreachable.
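To show how the Server Certificate Validation, Unsupported Mode Checks and SSL Protocol Settings described above combine on a single Forward Proxy session, here is an added Python model; it is not PAN-OS code, and the field names, the constructed list of supported cipher suites, the treatment of a disallowed key exchange as a block, and the evaluation order are assumptions.

```python
"""Decide whether a Forward Proxy session is blocked by a Decryption profile's
Server Certificate Validation, Unsupported Mode Checks and SSL Protocol
Settings.  Added example, not PAN-OS code: field names, the supported cipher
list and the evaluation order are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Protocol versions PAN-OS supports, lowest to highest (from the help page).
VERSION_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Constructed stand-in for the cipher suites the firewall can decrypt.
SUPPORTED_CIPHERS = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                     "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA256"}


@dataclass(frozen=True)
class DecryptionProfile:
    block_expired_certs: bool = True
    block_untrusted_issuers: bool = True
    block_unknown_cert_status: bool = False
    block_on_status_check_timeout: bool = False
    block_unsupported_versions: bool = True
    block_unsupported_cipher_suites: bool = True
    block_client_authentication: bool = True
    min_version: str = "TLSv1.2"
    max_version: Optional[str] = None       # None models the "Max" choice (no maximum)
    key_exchange: frozenset = frozenset({"RSA", "DHE", "ECDHE"})


@dataclass(frozen=True)
class SessionFacts:
    """What the firewall observed in the handshake and the server certificate."""
    version: str
    cipher_suite: str
    key_exchange: str
    cert_expired: bool = False
    issuer_trusted: bool = True
    revocation_status: str = "good"         # "good", "unknown" or "timeout"
    client_auth_requested: bool = False


def version_in_range(version: str, lo: str, hi: Optional[str]) -> bool:
    """Min Version / Max Version check; hi=None means no maximum."""
    i = VERSION_ORDER.index(version)
    return VERSION_ORDER.index(lo) <= i and (hi is None or i <= VERSION_ORDER.index(hi))


def block_reasons(p: DecryptionProfile, s: SessionFacts) -> list[str]:
    """Return every enabled check the session trips; an empty list means no block."""
    reasons = []
    if s.version not in VERSION_ORDER:
        if p.block_unsupported_versions:
            reasons.append(f"unsupported protocol version {s.version}")
    elif not version_in_range(s.version, p.min_version, p.max_version):
        reasons.append(f"{s.version} outside Min/Max Version range")
    if p.block_unsupported_cipher_suites and s.cipher_suite not in SUPPORTED_CIPHERS:
        reasons.append(f"unsupported cipher suite {s.cipher_suite}")
    if s.key_exchange not in p.key_exchange:      # assumption: enforcement blocks
        reasons.append(f"key exchange {s.key_exchange} not allowed")
    if p.block_expired_certs and s.cert_expired:
        reasons.append("server certificate expired")
    if p.block_untrusted_issuers and not s.issuer_trusted:
        reasons.append("untrusted issuer")
    if p.block_unknown_cert_status and s.revocation_status == "unknown":
        reasons.append("certificate status unknown")
    if p.block_on_status_check_timeout and s.revocation_status == "timeout":
        reasons.append("certificate status check timed out")
    if p.block_client_authentication and s.client_auth_requested:
        reasons.append("server requested client authentication")
    return reasons


def decide(p: DecryptionProfile, s: SessionFacts) -> tuple[str, list[str]]:
    """'block' if any enabled check trips; otherwise 'no-decrypt' when the
    session used an unsupported mode the profile lets through (the help page
    notes such sessions are cached for 12 hours), else 'decrypt'."""
    reasons = block_reasons(p, s)
    if reasons:
        return "block", reasons
    unsupported = s.version not in VERSION_ORDER or s.cipher_suite not in SUPPORTED_CIPHERS
    return ("no-decrypt" if unsupported else "decrypt"), []


if __name__ == "__main__":
    profile = DecryptionProfile(block_on_status_check_timeout=True)
    slow_ocsp = SessionFacts("TLSv1.3", "TLS_AES_128_GCM_SHA256", "ECDHE",
                             revocation_status="timeout")
    print(decide(profile, slow_ocsp))
```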
General Tab
Security Chain Type Select the type of security chain to which the firewall forwards decrypted
traffic:
• Routed (Layer 3): The devices in this type of security chain use Layer 3
interfaces to connect to the security-chain network. Each interface must
have an assigned IP address and subnet mask. You configure security-
chain devices with static routes or use dynamic routing to direct inbound
and outbound traffic to the next device in the security chain and then
back to the firewall.
• Transparent Bridge: In a transparent-bridge security-chain network, all
security-chain devices have two Transparent Bridge mode interfaces
connected to the security-chain network. Transparent Bridge interfaces
do not have IP addresses, subnet masks, default gateways, or local
routing tables. Security-chain appliances receive traffic on one interface,
analyze the traffic and enforce security, and then the traffic egresses the
other interface to the next security-chain device.
Enable IPv6 (Transparent Bridge mode only) Enable IPv6 traffic forwarding.
Flow Direction Select whether traffic enters the security chain from one firewall interface and exits the security chain to the other firewall interface, or if traffic can enter and exit the security chain from both firewall interfaces.
• Unidirectional—The firewall forwards all traffic to the security chain
through Interface #1 and receives the traffic back from the security
chain on Interface #2.
Interface #1, Interface #2 The Network Packet Broker interfaces that the firewall uses to forward traffic to and receive traffic from a security chain. You must configure each interface as a Network Packet Broker interface, as described at the beginning of this help topic.
The options on this tab are only available for Layer 3 (routed) security chains.
First Device, Last Device Enter the IPv4 address of the first and last devices in the security chain or define a new Address Object to easily reference the device.
Session Distribution Method When forwarding to multiple Routed (Layer 3) security chains, choose the method that the firewall uses to distribute sessions among multiple security chains:
• IP Modulo—The firewall assigns sessions based on the IP modulo hash
of the source and destination IP addresses.
On Health Check Failure When you enable health checks (Path Monitoring, HTTP Monitoring, or HTTP Monitoring Latency), you also decide what happens if a chain (or all chains if there are multiple chains) fails. If there are multiple chains and one or more chains fail a health check but at least one chain is still healthy, the firewall distributes traffic to the remaining chains based on the Session Distribution Method. If all of the chains associated with a pair of firewall Network Packet Broker interfaces fail, you can:
• Bypass Security Chain—The firewall forwards the traffic to its
destination instead of to the failed chain(s). The firewall still applies
configured security profiles and protections to the traffic.
• Block Session—The firewall blocks the session.
Health Check Failed Condition If you configure more than one health check (you can configure all three health checks on a chain), configure how the firewall defines a failure:
• OR Condition—If any selected health check fails, the On Health Check Failure action occurs.
• AND Condition—If all of the selected health checks fail, the On Health Check Failure action occurs.
Path Monitoring, Latency Monitoring, HTTP Monitoring Enable path, HTTP latency, or HTTP monitoring, or a combination of the three health checks to identify when security chains experience a failure, and configure the metrics that determine when a failure has occurred:
• Path Monitoring—Checks device connectivity; set the ping count, ping interval in seconds, and recovery hold time in seconds.
• HTTP Monitoring—Checks device availability and response time; set the HTTP count and HTTP interval in seconds.
• HTTP Monitoring Latency—Checks device processing speed and efficiency; set the maximum latency in milliseconds, the latency duration in seconds, and log latency that exceeds the duration. When you select HTTP Monitoring Latency, HTTP Monitoring is automatically selected. Both must be selected to enable latency monitoring.
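The interplay of the Session Distribution Method, the Health Check Failed Condition and the On Health Check Failure action above, as an added Python example that is not PAN-OS code; the exact IP Modulo hash, the chain names and the health-check results are constructed assumptions.

```python
"""Session distribution across Network Packet Broker security chains with
health checks.  Added example, not PAN-OS code: the IP Modulo hash below and
the sample chain states are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address

HEALTH_CHECKS = ("path", "http", "latency")   # Path / HTTP / HTTP Latency monitoring


@dataclass(frozen=True)
class ChainHealth:
    """Latest result of each health check for one security chain."""
    name: str
    path_ok: bool = True
    http_ok: bool = True
    latency_ok: bool = True


def validate_health_checks(enabled: frozenset) -> None:
    unknown = enabled - set(HEALTH_CHECKS)
    if unknown:
        raise ValueError(f"unknown health check(s): {sorted(unknown)}")
    # HTTP Monitoring Latency only works together with HTTP Monitoring.
    if "latency" in enabled and "http" not in enabled:
        raise ValueError("HTTP Monitoring Latency requires HTTP Monitoring")


def chain_failed(chain: ChainHealth, enabled: frozenset, condition: str) -> bool:
    """Apply the Health Check Failed Condition (OR / AND) to the enabled checks."""
    results = {"path": chain.path_ok, "http": chain.http_ok, "latency": chain.latency_ok}
    failures = [not results[check] for check in enabled]
    if not failures:
        return False              # no health checks enabled: a chain never fails
    return any(failures) if condition == "OR" else all(failures)


def ip_modulo_index(src: str, dst: str, n: int) -> int:
    """Assumed IP Modulo hash: integer forms of both addresses, summed, mod n."""
    return (int(ip_address(src)) + int(ip_address(dst))) % n


def choose_chain(chains, enabled, condition, on_failure, src, dst):
    """Return ('forward', chain name), ('bypass', None) or ('block', None).

    Healthy chains share sessions by IP Modulo; when every chain on the pair
    of Network Packet Broker interfaces has failed, the On Health Check
    Failure action decides between Bypass Security Chain and Block Session."""
    enabled = frozenset(enabled)
    validate_health_checks(enabled)
    healthy = [c for c in chains if not chain_failed(c, enabled, condition)]
    if healthy:
        return "forward", healthy[ip_modulo_index(src, dst, len(healthy))].name
    return ("bypass" if on_failure == "bypass" else "block"), None


# Constructed sample: three chains, chain-B failing only its ping check.
SAMPLE_CHAINS = (
    ChainHealth("chain-A"),
    ChainHealth("chain-B", path_ok=False),
    ChainHealth("chain-C"),
)

if __name__ == "__main__":
    # With the OR condition chain-B is out; with AND it still counts as healthy.
    print(choose_chain(SAMPLE_CHAINS, {"path"}, "OR", "bypass", "10.0.0.1", "10.0.0.4"))
    print(choose_chain(SAMPLE_CHAINS, {"path", "http"}, "AND", "bypass", "10.0.0.1", "10.0.0.4"))
```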
Name Enter a name for the path quality profile using a maximum of 31
alphanumeric characters, underscore, hyphen, space, and period.
Packet Loss (%) Threshold—Enter the percentage of packets lost on the link before the
threshold is exceeded (range is 1 to 100.0; default is 1).
Name Enter a name for the path quality profile using alphanumeric characters,
underscore, hyphen, space, and period.
Shared (Panorama only) Check (enable) to make the SaaS Quality profile shared across all device
groups.
Disable Override (Panorama only) Check (enable) to disable the ability to override the SaaS Quality profile settings locally on the managed firewall.
Adaptive The SaaS application session activity is monitored for send and receive
activity and the path health status is derived automatically without any
additional health checks on the SD-WAN interface. This option is selected by
default.
HTTP/HTTPS Specify the SaaS application to monitor using the HTTP or HTTPS URL.
• Monitored URL—The HTTP or HTTPS URL of the SaaS application.
• Probe Interval (sec)—Specify, in seconds, the interval the firewall probes
the path quality health between the firewall and the SaaS application.
Default is 3 seconds.
Name Enter a name for the Traffic Distribution Profile using a maximum of 31
alphanumeric characters, hyphen, space, underscore, and period.
Best Available Path If cost is not a factor and you will allow applications to use any path out of the branch, select Best Available Path. The firewall distributes traffic and fails over to a link from among the links belonging to all the Link Tags in the list based on path quality metrics to provide the best application experience to users.
Top Down Priority If you have expensive or low capacity links that you want to use only as a last resort or as a backup link, select the Top Down Priority method and place the tags that include those links last in the list of Link Tags for this profile. The firewall uses the
top Link Tag in the list first to determine the links on which to session load traffic
and on which to fail over. If none of the links in the top Link Tag are qualified, the
firewall selects a link from the second Link Tag in the list. If none of the links in the
second Link Tag are qualified, the process continues as necessary until the firewall
finds a qualified link in the last Link Tag. If all associated links are overloaded and no
link meets quality thresholds, the firewall uses the Best Available Path method to
select a link on which to forward traffic.
If the application’s jitter, latency, or packet loss exceeds its configured threshold, the
firewall starts at the top of the Top Down list of Link Tags to find a link to which it
fails over.
Weighted Session Distribution Select Weighted Session Distribution if you want to manually load traffic (that matches the rule) onto your ISP and WAN links and you don’t require failover during brownout conditions. You manually specify the link’s load when you apply a static percentage of new sessions that the interfaces grouped with a single tag will get.
You might select this method for applications that aren’t sensitive to latency and
that require a lot of the link’s bandwidth capacity, such as large branch backups and
Link Tags Add the Link Tags you want the firewall to consider during the link selection process
you chose for this profile. The order of tags matters if you chose the Top Down
Priority method; use Move Up or Move Down to change the order of tags.
Weight If you chose the Weighted Session Distribution method, enter a percentage for each
Link Tag you added. The sum of the percentage values must equal 100%.
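The three Traffic Distribution Profile methods above, as an added Python example that is not PAN-OS code: it walks the ordered Link Tags for Top Down Priority, falls back to Best Available Path when no tag has a qualified link, and enforces the 100% weight rule for Weighted Session Distribution. The ranking used for "best", the session hash and the sample links and thresholds are constructed assumptions.

```python
"""Link selection for an SD-WAN Traffic Distribution Profile: Best Available
Path, Top Down Priority (falling back to Best Available Path) and Weighted
Session Distribution.  Added example, not PAN-OS code: the ranking used for
"best", the session hash and the sample links are constructed assumptions."""
from dataclasses import dataclass, replace
import hashlib


@dataclass(frozen=True)
class Link:
    name: str
    tag: str                 # the Link Tag the interface belongs to
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    overloaded: bool = False


@dataclass(frozen=True)
class Thresholds:
    """Path quality thresholds an application must stay within."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def qualified(link: Link, t: Thresholds) -> bool:
    return (not link.overloaded and link.latency_ms <= t.latency_ms
            and link.jitter_ms <= t.jitter_ms and link.loss_pct <= t.loss_pct)


def best_available_path(links, t: Thresholds) -> Link:
    """Assumed ranking: least loss, then least jitter, then least latency,
    preferring links that are not overloaded."""
    candidates = [l for l in links if not l.overloaded] or list(links)
    return min(candidates, key=lambda l: (l.loss_pct, l.jitter_ms, l.latency_ms))


def top_down_priority(link_tags, links, t: Thresholds) -> Link:
    """Walk the ordered Link Tags; the first tag with a qualified link wins.
    A brownout (threshold exceeded) is handled by calling this again, which
    restarts at the top of the list.  If no tag has a qualified link, fall
    back to Best Available Path as the help text describes."""
    for tag in link_tags:
        ok = [l for l in links if l.tag == tag and qualified(l, t)]
        if ok:
            return best_available_path(ok, t)    # assumption: best link of the tag
    return best_available_path(links, t)


def pick_by_bucket(weights: dict, links, bucket: int) -> Link:
    """weights maps Link Tag -> percent of new sessions (must total 100);
    bucket is a number in 0..99 derived from the session."""
    if sum(weights.values()) != 100:
        raise ValueError("Weight percentages must add up to 100%")
    upper = 0
    for tag, pct in weights.items():
        upper += pct
        if bucket < upper:
            tag_links = [l for l in links if l.tag == tag]
            return tag_links[bucket % len(tag_links)]   # spread within the tag
    raise AssertionError("unreachable: weights total 100")


def weighted_session_distribution(weights, links, session_key: str) -> Link:
    """Static load split: hash the session (here a string) into a bucket."""
    bucket = int(hashlib.sha256(session_key.encode()).hexdigest(), 16) % 100
    return pick_by_bucket(weights, links, bucket)


# Constructed branch with two broadband circuits, one LTE and one MPLS link.
SAMPLE_LINKS = (
    Link("isp1", "broadband", latency_ms=40, jitter_ms=5, loss_pct=0.5),
    Link("isp2", "broadband", latency_ms=30, jitter_ms=3, loss_pct=0.2),
    Link("lte1", "lte", latency_ms=80, jitter_ms=20, loss_pct=1.0),
    Link("mpls1", "mpls", latency_ms=20, jitter_ms=1, loss_pct=0.0),
)
# Same branch during a brownout on both broadband circuits.
BUSY_BROADBAND_LINKS = tuple(replace(l, overloaded=True) if l.tag == "broadband" else l
                             for l in SAMPLE_LINKS)
VOIP = Thresholds(latency_ms=100, jitter_ms=10, loss_pct=1.0)

if __name__ == "__main__":
    order = ["broadband", "mpls", "lte"]          # expensive LTE last
    print("top-down:", top_down_priority(order, SAMPLE_LINKS, VOIP).name)
    print("top-down, broadband overloaded:",
          top_down_priority(order, BUSY_BROADBAND_LINKS, VOIP).name)
    print("weighted:", weighted_session_distribution(
        {"broadband": 70, "mpls": 30}, SAMPLE_LINKS, "10.1.1.5:51000->8.8.8.8:443/tcp").name)
```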
Name Add a descriptive name for the Error Correction Profile using a
maximum of 31 alphanumeric characters.
Shared Select to make the Error Correction Profile available to all device groups
on Panorama and to every virtual system on a multi-vsys hub or branch
to which you push the configuration.
Panorama can access an Error Correction Profile that is Shared during firewall configuration validation and can successfully commit and push the configuration to branches and hubs. The commit fails if Panorama cannot reference an Error Correction Profile.
Disable override Select to prevent administrators from overriding the settings of this
Error Correction Profile in device groups that inherit the profile. (Disable
override is unavailable if Shared is selected.)
Activation Threshold (Packet Loss %) When packet loss exceeds this percentage, FEC or packet duplication is activated for the configured applications in the SD-WAN policy rule where the Error Correction Profile is applied. Range is 1 to 99; default is 2.
Forward Error Correction / Packet Duplication Select whether to employ forward error correction (FEC) or packet duplication. Packet duplication requires even more resources than FEC.
Packet Loss Correction Ratio (Forward Error Correction only) Ratio of parity bits to data packets. The
higher the ratio of parity bits to data packets that the encoder sends
to the decoder, the higher the probability that the decoder can repair
packet loss. However, a higher ratio requires more redundancy and
therefore more bandwidth overhead, which is a trade-off for achieving
error correction. Select one of the predefined ratios:
• 10% (20:2) (Default)
• 20% (20:4)
• 30% (20:6)
• 40% (20:8)
• 50% (20:10)
The parity ratio applies to the encoding firewall’s outgoing traffic. For
example, if the hub parity ratio is 50% and the branch parity ratio is 20%,
the hub will receive a ratio of 20% and the branch will receive a ratio of
50%.
Recovery Duration (ms) Maximum number of milliseconds that the receiving firewall (decoder)
can spend performing packet recovery on lost data packets using the
parity packets it received; range is 1 to 5,000; default is 1,000.
The firewall immediately sends data packets it receives to the
destination. During the recovery duration for a block of data, the firewall
performs packet recovery for any lost data packets. When the recovery
duration expires, the associated parity bits for that block are discarded.
The encoder sends the Recovery Duration value to the decoder; the
Recovery Duration setting on the decoder has no impact.
When a Security policy rule is invoked by a defined schedule, only new sessions are affected
by the applied Security policy rule. Existing sessions are not affected by the scheduled
policy.
Name Enter a schedule name (up to 31 characters). This name appears in the
schedule list when defining security policies. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Shared (Panorama only) Select this option if you want the schedule to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the schedule will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the
schedule will be available only to the Device Group selected in the
Objects tab.
Disable override (Panorama only) Select this option to prevent administrators from overriding the settings of this schedule in device groups that inherit the schedule. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the schedule.
Daily Click Add and specify a Start Time and End Time in 24-hour format
(HH:MM).
Weekly Click Add, select a Day of Week, and specify the Start Time and End Time
in 24-hour format (HH:MM).
Non-recurring Click Add and specify a Start Date, Start Time, End Date, and End Time.
Network > Interfaces
Firewall interfaces (ports) enable a firewall to connect with other network devices and with other interfaces
within the firewall. The following topics describe the interface types and how to configure them:
For a description of components that are unique or different when you configure interfaces
on a PA-7000 Series firewall, or when you use Panorama™ to configure interfaces on any
firewall, see Common Building Blocks for PA-7000 Series Firewall Interfaces.
Interface (Interface Name): The interface name is predefined and you cannot change it. However, you
can append a numeric suffix for subinterfaces, aggregate interfaces, VLAN interfaces, loopback
interfaces, tunnel interfaces, and SD-WAN interfaces.
Interface Type: For Ethernet interfaces (Network > Interfaces > Ethernet), you can select the
interface type:
• Tap
• HA
• Decrypt Mirror (Supported on all firewalls except on the VM-Series NSX, Citrix SDX, AWS, and
Azure.)
• Virtual Wire
• Layer 2
• Layer 3
• Log Card (PA-7000 Series firewall only)
• Aggregate Ethernet
Management Profile: Select a Management Profile (Network > Interfaces > <if-config> > Advanced >
Other Info) that defines the protocols (such as SSH, Telnet, and HTTP) you can use to manage the
firewall over this interface.
Link State: For Ethernet interfaces, Link State indicates whether the interface is currently
accessible and can receive traffic over the network:
• Green—Configured and up
• Red—Configured but down or disabled
• Gray—Not configured
Hover over the link state to display a tool tip that indicates the link speed and duplex settings
for that interface.
IP Address: (Optional) Configure the IPv4 or IPv6 address of the Ethernet, VLAN, loopback, or
tunnel interface. For an IPv4 address, you can also select the addressing mode (Type) for the
interface: Static, DHCP Client, or PPPoE.
Virtual Router: Assign a virtual router to the interface or click Virtual Router to define a new
one (see Network > Virtual Routers). Select None to remove the current virtual router assignment
from the interface.
Tag: (Subinterface only) Enter the VLAN tag (1-4,094) for the subinterface.
VLAN: Select Network > Interfaces > VLAN and modify an existing VLAN or Add a new one (see Network
> VLANs). Select None to remove the current VLAN assignment from the interface. To enable switching
between Layer 2 interfaces, or to enable routing through a VLAN interface, you must configure a
VLAN object.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled,
select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.
Security Zone: Select a Security Zone (Network > Interfaces > <if-config> > Config) for the
interface, or select Zone to define a new one. Select None to remove the current zone assignment
from the interface.
Features: For Ethernet interfaces, this column indicates whether the following features are
enabled:
• DHCP Client
• DNS Proxy
• NDP Monitor
• NetFlow profile
• SD-WAN
On PA-7000 Series firewalls, you must configure a Log Card Interface on one data port.
Slot: Select the slot number (1-12) of the interface. Only PA-7000 Series firewalls have multiple
slots. If you use Panorama to configure an interface for any other firewall model, select Slot 1.
Interface (Interface Name): Select the name of an interface that is associated with the selected
Slot.
Tap Interface
• Network > Interfaces > Ethernet
You can use a tap interface to monitor traffic on a port.
To configure a tap interface, click the name of an Interface (ethernet1/1, for example) that is not configured
and specify the following information.
Interface Name (Ethernet Interface): The interface name is predefined and you cannot change it.
Virtual System (Ethernet Interface > Config): If the firewall supports multiple virtual systems and
that capability is enabled, select a virtual system for the interface or click Virtual System to
define a new vsys.
Security Zone (Ethernet Interface > Config): Select a security zone for the interface or click Zone
to define a new zone. Select None to remove the current zone assignment from the interface.
Link Speed (Ethernet Interface > Advanced): Select the interface speed in Mbps (10, 100, or 1000),
or select auto to have the firewall automatically determine the speed.
Link Duplex (Ethernet Interface > Advanced): Select whether the interface transmission mode is
full-duplex (full), half-duplex (half), or negotiated automatically (auto).
Link State (Ethernet Interface > Advanced): Select whether the interface status is enabled (up),
disabled (down), or determined automatically (auto).
HA Interface
• Network > Interfaces > Ethernet
Each high availability (HA) interface has a specific function: one interface is for configuration
synchronization and heartbeats, and the other interface is for state synchronization. If active/active high
availability is enabled, the firewall can use a third HA interface to forward packets.
Some Palo Alto Networks firewalls include dedicated physical ports for use in HA
deployments (one for the control link and one for the data link). For firewalls that do not
include dedicated ports, you must specify the data ports that will be used for HA. For
additional information on HA, refer to “Device > Virtual Systems”.
To configure an HA interface, click the name of an Interface (ethernet1/1, for example) that is not
configured and specify the following information.
HA Interface Settings
Interface Name: The interface name is predefined and you cannot change it.
Link Speed: Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the
firewall automatically determine the speed.
Link Duplex: Select whether the interface transmission mode is full-duplex (full), half-duplex
(half), or negotiated automatically (auto).
Link State: Select whether the interface status is enabled (up), disabled (down), or determined
automatically (auto).
If you are using an existing interface for the virtual wire, first remove the interface from any
associated security zone.
Interface Name (Ethernet Interface): The interface name is predefined and you cannot change it.
Virtual Wire (Ethernet Interface > Config): Select a virtual wire, or click Virtual Wire to define
a new one (Network > Virtual Wires). Select None to remove the current virtual wire assignment from
the interface.
Virtual System (Ethernet Interface > Config): If the firewall supports multiple virtual systems and
that capability is enabled, select a virtual system for the interface or click Virtual System to
define a new vsys.
Security Zone (Ethernet Interface > Config): Select a security zone for the interface, or click
Zone to define a new zone. Select None to remove the current zone assignment from the interface.
Link Speed (Ethernet Interface > Advanced): Select a specific interface speed in Mbps or select
auto to have the firewall automatically determine the speed. Both interfaces in the virtual wire
must have the same speed.
Link Duplex (Ethernet Interface > Advanced): Select whether the interface transmission mode is
full-duplex (full), half-duplex (half), or negotiated automatically (auto). Both interfaces in the
virtual wire must have the same transmission mode.
Link State (Ethernet Interface > Advanced): Select whether the interface status is enabled (up),
disabled (down), or determined automatically (auto).
Enable LLDP (Ethernet Interface > Advanced > LLDP): Select to enable Link Layer Discovery Protocol
(LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their
capabilities.
Profile (Ethernet Interface > Advanced > LLDP): If LLDP is enabled, select an LLDP profile to
assign to the interface or click LLDP Profile to create a new profile (see Network > Network
Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.
Interface Name: The read-only Interface Name displays the name of the vwire interface you selected.
In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.
Netflow Profile: If you want to export unidirectional IP traffic that traverses an ingress
subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a
new profile (see Device > Server Profiles > NetFlow). Selecting None removes the current NetFlow
server assignment from the subinterface.
IP Classifier: Click Add and enter an IP address, IP range, or subnet to classify the traffic on
this vwire subinterface.
Virtual Wire: Select a virtual wire, or click Virtual Wire to define a new one (see Network >
Virtual Wires). Select None to remove the current virtual wire assignment from the subinterface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled,
select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.
Security Zone: Select a security zone for the subinterface, or click Zone to define a new zone.
Select None to remove the current zone assignment from the subinterface.
Interface Name (Ethernet Interface): The interface name is predefined and you cannot change it.
Virtual System (Ethernet Interface > Config): If the firewall supports multiple virtual systems and
that capability is enabled, select a virtual system for the interface or click Virtual System to
define a new vsys.
Security Zone (Ethernet Interface > Config): Select a Security Zone for the interface or click Zone
to define a new zone. Select None to remove the current zone assignment from the interface.
Link Speed (Ethernet Interface > Advanced): Select the interface speed in Mbps (10, 100, or 1000)
or select auto to have the firewall automatically determine the speed.
Link Duplex (Ethernet Interface > Advanced): Select whether the interface transmission mode is
full-duplex (full), half-duplex (half), or negotiated automatically (auto).
Link State (Ethernet Interface > Advanced): Select whether the interface status is enabled (up),
disabled (down), or determined automatically (auto).
Enable LLDP (Ethernet Interface > Advanced > LLDP): Select to enable Link Layer Discovery Protocol
(LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their
capabilities.
LLDP Profile (Ethernet Interface > Advanced > LLDP): If LLDP is enabled, select an LLDP profile to
assign to the interface or click LLDP Profile to create a new profile (see Network > Network
Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.
Layer 2 Subinterface Settings
Interface Name: The read-only Interface Name displays the name of the physical interface you
selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.
Netflow Profile: If you want to export unidirectional IP traffic that traverses an ingress
subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a
new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow
server assignment from the subinterface.
VLAN: To enable switching between Layer 2 interfaces or to enable routing through a VLAN
interface, select a VLAN, or click VLAN to define a new VLAN (see Network > VLANs). Select None to
remove the current VLAN assignment from the subinterface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled,
select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.
Security Zone: Select a security zone for the subinterface or click Zone to define a new zone.
Select None to remove the current zone assignment from the subinterface.
Interface Name (Ethernet Interface): The interface name is predefined and you cannot change it.
Comment: Enter an optional description for the interface.
Virtual Router (Ethernet Interface > Config): Select a virtual router, or click Virtual Router to
define a new one (see Network > Virtual Routers). Select None to remove the current virtual router
assignment from the interface.
Virtual System (Ethernet Interface > Config): If the firewall supports multiple virtual systems and
that capability is enabled, select a virtual system (vsys) for the interface or click Virtual
System to define a new vsys.
Security Zone (Ethernet Interface > Config): Select a security zone for the interface or click Zone
to define a new zone. Select None to remove the current zone assignment from the interface.
Enable SD-WAN (Ethernet Interface > IPv4): Select Enable SD-WAN to enable SD-WAN functionality for
the Ethernet interface.
Type (Ethernet Interface > IPv4): Select the method for assigning an IPv4 address type to the
interface:
• Static—You must manually specify the IP address.
• PPPoE—The firewall will use the interface for Point-to-Point Protocol over Ethernet (PPPoE).
• DHCP Client—Enables the interface to act as a Dynamic Host Configuration Protocol (DHCP) client
and receive a dynamically assigned IP address.
IP (Ethernet Interface > IPv4): Click Add, then perform one of the following steps to specify a
static IP address and network mask for the interface.
• Type the entry in Classless Inter-domain Routing (CIDR) notation: ip_address/mask (for example,
192.168.2.0/24).
• Select an existing address object of type IP netmask.
• Click Address to create an address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your
firewall uses determines the maximum number of IP addresses.
Show PPPoE Client Runtime Info: (Optional) Opens a dialog that displays parameters that the
firewall negotiated with the Internet service provider (ISP) to establish a connection. The
specific information depends on the ISP.
Static Address: Perform one of the following steps to specify the IP address that the Internet
service provider assigned (no default value):
• Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example,
192.168.2.0/24).
• Select an existing address object of type IP netmask.
• Click Address to create an address object of type IP netmask.
• Select None to remove the current address assignment from the interface.
Default Route Metric: (Optional) For the route between the firewall and Internet service
provider, enter a route metric (priority level) to associate with the default route and to use for
path selection (range is 1 to 65,535). The priority level increases as the numeric value
decreases.
Passive: Select to use passive mode. In passive mode, a PPPoE end point waits for the access
concentrator to send the first frame.
Send Hostname: Select to have the firewall (as a DHCP client) send the hostname of the interface
(Option 12) to the DHCP server. If you Send Hostname, the hostname of the firewall is the default
choice in the hostname field. You can send that name or enter a custom hostname (64 characters
maximum, including uppercase and lowercase letters, numbers, periods, hyphens, and underscores).
Default Route Metric: For the route between the firewall and DHCP server, optionally enter a
route metric (priority level) to associate with the default route and to use for path selection
(range is 1 to 65,535, no default). The priority level increases as the numeric value decreases.
Show DHCP Client Runtime Info: Select to display all settings received from the DHCP server,
including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server
settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).
Enable IPv6 on the interface (Ethernet Interface > IPv6): Select to enable IPv6 addressing on this
interface.
Interface ID (Ethernet Interface > IPv6): Enter the 64-bit extended unique identifier (EUI-64) in
hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the
firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable
the Use interface ID as host portion option when adding an address, the firewall uses the interface
ID as the host portion of that address.
Address (Ethernet Interface > IPv6): Click Add and configure the following parameters for each
IPv6 address:
• Address—Enter an IPv6 address and prefix length (for example, 2001:400:f00::1/64). You can also
select an existing IPv6 address object or click Address to create an address object.
• Enable address on interface—Select to enable the IPv6 address on the interface.
• Use interface ID as host portion—Select to use the Interface ID as the host portion of the IPv6
address.
Enable Duplicate Address Detection (Ethernet Interface > IPv6 > Address Resolution): Select to
enable duplicate address detection (DAD), then configure the other fields in this section.
DAD Attempts: Specify the number of DAD attempts within the neighbor solicitation interval (NS
Interval) before the attempt to identify neighbors fails (range is 1 to 10; default is 1).
Reachable Time: Specify the length of time, in seconds, that a neighbor remains reachable after a
successful query and response (range is 10 to 36,000; default is 30).
NS Interval (neighbor solicitation interval): Specify the number of seconds for DAD attempts
before failure is indicated (range is 1 to 10; default is 1).
Min Interval (sec): Specify the minimum interval, in seconds, between RAs that the firewall will
send (range is 3 to 1,350; default is 200). The firewall will send RAs at random intervals between
the minimum and maximum values you configure.
Max Interval (sec): Specify the maximum interval, in seconds, between RAs that the firewall will
send (range is 4 to 1,800; default is 600). The firewall will send RAs at random intervals between
the minimum and maximum values you configure.
Hop Limit: Specify the hop limit to apply to clients for outgoing packets (range is 1 to 255;
default is 64). Enter 0 for no hop limit.
Link MTU: Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified
for no link MTU (range is 1,280 to 9,192; default is unspecified).
Reachable Time (ms): Specify the reachable time (in milliseconds) that the client will use to
assume a neighbor is reachable after receiving a reachability confirmation message. Select
unspecified for no reachable time value (range is 0 to 3,600,000; default is unspecified).
Retrans Time (ms): Specify the retransmission timer that determines how long the client will wait
(in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no
retransmission time (range is 0 to 4,294,967,295; default is unspecified).
Router Lifetime (sec): Specify how long the client will use the firewall as the default gateway
(range is 0 to 9,000; default is 1,800). Zero specifies that the firewall is not the default
gateway. When the lifetime expires, the client removes the firewall entry from its Default Router
List and uses another router as the default gateway.
Router Preference: If the network segment has multiple IPv6 routers, the client uses this field to
select a preferred router. Select whether the RA
Managed Configuration: Select to indicate to the client that addresses are available via DHCPv6.
Consistency Check (Ethernet Interface > IPv6 > Router Advertisement (cont)): Select if you want
the firewall to verify that RAs sent from other routers are advertising consistent information on
the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd.
Other Configuration: Select to indicate to the client that other address information (for example,
DNS-related settings) is available via DHCPv6.
Include DNS information in Router Advertisement (Ethernet Interface > IPv6 > DNS Support): Select
to enable the firewall to send DNS information in NDP router advertisement (RA) messages from this
IPv6 Ethernet interface. The other DNS Support fields in this table are visible only after you
select this option.
Server: Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP
router advertisements from this IPv6 Ethernet interface. RDNS servers send a series of DNS lookup
requests to root DNS and authoritative DNS servers to ultimately provide an IP address to the DNS
client.
You can configure a maximum of eight RDNS servers that the firewall sends—in the order listed from
top to bottom—in an NDP router advertisement to the recipient, which then uses those addresses in
the same order. Select a server and Move Up or Move Down to change the order of the servers or
Delete a server from the list when you no longer need it.
Lifetime: Enter the maximum number of seconds after the IPv6 DNS client receives the router
advertisement before the client can use the RDNS servers to resolve domain names (range is Max
Interval (sec) to twice Max Interval; default is 1,200).
Suffix: Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL).
Maximum length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time)
to an unqualified domain name before it enters the name into a DNS query, thereby using a fully
qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query
for “quality” without a suffix, the router appends a period and the first DNS suffix from the DNS
search list to that name and then transmits the DNS query. If the first DNS suffix on the list is
“company.com”, the resulting DNS query from the router is for the FQDN “quality.company.com”.
If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified
name and transmits a new
Lifetime: Enter the maximum number of seconds after the IPv6 DNS client receives the router
advertisement that it can use a domain name (suffix) on the DNS Search List (range is the value of
Max Interval (sec) to twice the Max Interval; default is 1,200).
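The following is an added example, not code from the PAN-OS help or from Palo Alto Networks. It models what a client does with the DNS search list and RDNS server list described above: each suffix is appended in list order to an unqualified name until a query succeeds, and the limits the page states (eight RDNS servers, 255-byte suffix) are checked before the options are built. The function names, the sample suffixes and the constructed lookup table are assumptions for this example; the choice to try the bare name last is common resolver behaviour, not something the page states.

```python
"""Added example (not PAN-OS code): DNS search list (DNSSL) expansion and the
RDNSS / DNSSL limits stated on the page.  Names, sample suffixes and the
constructed zone are assumptions."""

MAX_RDNS_SERVERS = 8    # limit stated on the page
MAX_SUFFIX_BYTES = 255  # limit stated on the page


def validate_dns_support(servers: list, suffixes: list) -> list:
    """Return the problems the page's limits would flag; empty list if none."""
    problems = []
    if len(servers) > MAX_RDNS_SERVERS:
        problems.append(f"{len(servers)} RDNS servers; maximum is {MAX_RDNS_SERVERS}")
    for suffix in suffixes:
        if len(suffix.encode("utf-8")) > MAX_SUFFIX_BYTES:
            problems.append(f"suffix {suffix[:20]}... exceeds {MAX_SUFFIX_BYTES} bytes")
    return problems


def candidate_names(name: str, suffixes: list) -> list:
    """Names a DNSSL-aware client queries, in order.  A name ending in '.' is
    fully qualified and is queried as-is; an unqualified name gets each suffix
    appended in list order, then (assumption) the bare name is tried last."""
    if name.endswith("."):
        return [name.rstrip(".")]
    return [f"{name}.{suffix}" for suffix in suffixes] + [name]


def resolve_with_search_list(name: str, suffixes: list, lookup) -> tuple:
    """Walk the candidates until `lookup(fqdn)` returns an address.
    Returns (fqdn, address), or (None, None) when every candidate fails."""
    for fqdn in candidate_names(name, suffixes):
        address = lookup(fqdn)
        if address is not None:
            return fqdn, address
    return None, None


# Constructed sample zone standing in for the recursive DNS servers.
SAMPLE_ZONE = {
    "quality.company.com": "2001:db8::10",
    "intranet.corp.example": "2001:db8::20",
}


def sample_lookup(fqdn: str):
    """Stand-in for a DNS query against the constructed zone."""
    return SAMPLE_ZONE.get(fqdn)


if __name__ == "__main__":
    suffixes = ["company.com", "corp.example"]
    print(resolve_with_search_list("quality", suffixes, sample_lookup))
    # -> ('quality.company.com', '2001:db8::10')
```

Because the client trusts the suffix order it received in the RA, a search list advertised by another router on the link would silently steer every unqualified lookup; inconsistent RA contents between routers are what the Consistency Check option described above records in the system log (type ipv6nd).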
SD-WAN Interface Status (Ethernet Interface > SD-WAN): If you selected Enable SD-WAN on the IPv4
tab, the firewall indicates SD-WAN Interface Status: Enabled. If you didn’t Enable SD-WAN, it
indicates Disabled.
SD-WAN Interface Profile: Select the SD-WAN Interface Profile to apply to this Ethernet interface
or add a new SD-WAN Interface Profile.
NAT IP Address Type: Select the type of IP address assignment and specify the IP address or FQDN
of the public-facing interface on that NAT-performing device, or specify that DDNS derives the
address. Thus, Auto VPN can use the address as the tunnel endpoint of the hub or branch.
• Static IP—Select the Type to be IP Address or FQDN and enter the IPv4 address or FQDN.
• DDNS—Dynamic DNS (DDNS) derives the IP address of the upstream NAT device.
Link Speed (Ethernet Interface > Advanced): Select the interface speed in Mbps (10, 100, or 1000)
or select auto.
Link Duplex (Ethernet Interface > Advanced): Select whether the interface transmission mode is
full-duplex (full), half-duplex (half), or negotiated automatically (auto).
Link State (Ethernet Interface > Advanced): Select whether the interface status is enabled (up),
disabled (down), or determined automatically (auto).
Management Profile (Ethernet Interface > Advanced > Other Info): Select a profile that defines the
protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this
interface. Select None to remove the current profile assignment from the interface.
Adjust TCP MSS (Ethernet Interface > Advanced > Other Info): Select to adjust the maximum segment
size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte
size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
• IPv4 MSS Adjustment Size—Range is 40 to 300; default is 40.
• IPv6 MSS Adjustment Size—Range is 60 to 300; default is 60.
Use these settings to address the case where a tunnel through the network requires a smaller MSS.
If a packet has more bytes than the MSS without fragmentation, this setting enables the
adjustment.
Encapsulation adds length to headers, so it is helpful to configure the MSS adjustment size to
allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.
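The following is an added example, not code from the PAN-OS help or from Palo Alto Networks. It carries the Adjust TCP MSS arithmetic through: the advertised MSS is the interface MTU minus the adjustment size, the defaults of 40 (IPv4) and 60 (IPv6) bytes are exactly the base IP plus TCP headers, and any encapsulation added on the path has to come out of the adjustment or a full-size segment no longer fits the MTU. The function names and the per-encapsulation overheads used in the sample (4 bytes per MPLS label, 4 bytes for an 802.1Q tag) are assumptions for this example.

```python
"""Added example (not PAN-OS code): arithmetic behind the Adjust TCP MSS
setting.  Function names and the sample encapsulation overheads are
assumptions."""

# Ranges and defaults as stated on the page.
MSS_ADJ_RANGE = {4: (40, 300), 6: (60, 300)}
# 20-byte IPv4 + 20-byte TCP header; 40-byte IPv6 + 20-byte TCP header.
MSS_ADJ_DEFAULT = {4: 40, 6: 60}


def valid_adjustment(ip_version: int, adjustment: int) -> bool:
    """True if `adjustment` is inside the configurable range for that IP version."""
    low, high = MSS_ADJ_RANGE[ip_version]
    return low <= adjustment <= high


def effective_mss(mtu: int, ip_version: int, adjustment: int = None) -> int:
    """MSS the interface advertises: interface MTU minus the MSS adjustment size."""
    if adjustment is None:
        adjustment = MSS_ADJ_DEFAULT[ip_version]
    if not valid_adjustment(ip_version, adjustment):
        low, high = MSS_ADJ_RANGE[ip_version]
        raise ValueError(f"IPv{ip_version} MSS adjustment size must be {low}-{high}")
    return mtu - adjustment


def fits_without_fragmentation(mtu: int, ip_version: int, adjustment: int,
                               extra_header_bytes: int) -> bool:
    """A full-size segment (payload == MSS) plus the base IP/TCP headers plus
    `extra_header_bytes` of encapsulation (MPLS labels, a VLAN tag, a tunnel
    header) must still fit inside the MTU; otherwise it is fragmented or dropped."""
    wire_size = (effective_mss(mtu, ip_version, adjustment)
                 + MSS_ADJ_DEFAULT[ip_version] + extra_header_bytes)
    return wire_size <= mtu


def required_adjustment(ip_version: int, extra_header_bytes: int) -> int:
    """Smallest MSS adjustment size that covers the base headers plus the given
    encapsulation overhead, clamped to the configurable range."""
    needed = MSS_ADJ_DEFAULT[ip_version] + extra_header_bytes
    low, high = MSS_ADJ_RANGE[ip_version]
    if needed > high:
        raise ValueError("encapsulation overhead exceeds the configurable range")
    return max(low, needed)


if __name__ == "__main__":
    # Constructed scenario: 1500-byte MTU, traffic carried over two MPLS labels.
    two_labels = 2 * 4
    print(effective_mss(1500, 4))                                  # 1460
    print(fits_without_fragmentation(1500, 4, 40, two_labels))     # False: default is not enough
    print(required_adjustment(4, two_labels))                      # 48
    print(fits_without_fragmentation(1500, 4, 48, two_labels))     # True
```

The default adjustment leaves no room for anything beyond the plain IP and TCP headers, which is why the page recommends raising it wherever an MPLS label or a VLAN tag is added along the tunnel path.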
IP Address / MAC Address (Ethernet Interface > Advanced > ARP Entries): To add one or more static
Address Resolution Protocol (ARP) entries, click Add and enter an IP address and its associated
hardware (MAC) address. To delete an entry, select the entry and click Delete. Static ARP entries
reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses.
Enable NDP Proxy (Ethernet Interface > Advanced > NDP Proxy): Select to enable the Neighbor
Discovery Protocol (NDP) proxy for the interface. The firewall will respond to ND packets
requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends
its own MAC address for the interface to indicate it will act as proxy by responding to packets
destined for those addresses.
It is recommended that you select Enable NDP Proxy if you use Network Prefix Translation IPv6
(NPTv6).
If Enable NDP Proxy is selected, you can filter numerous Address entries by entering a search
string and clicking Apply Filter.
Address (Ethernet Interface > Advanced > NDP Proxy): Click Add to enter one or more IPv6
addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as the NDP
proxy. Ideally, one of these addresses is the same address as that of the source translation in
NPTv6. The order of addresses does not matter.
If the address is a subnetwork, the firewall will send an ND response for all addresses in the
subnet, so we recommend that you also add the IPv6 neighbors of the firewall and then select
Negate to instruct the firewall not to respond to these IP addresses.
Negate (Ethernet Interface > Advanced > NDP Proxy): Select Negate for an address to prevent NDP
proxy for that address. You can negate a subset of the specified IP address range or IP subnet.
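The following is an added example, not code from the PAN-OS help or from Palo Alto Networks. It models the NDP proxy address list described above and decides, for a neighbor solicitation target, whether the firewall should answer with its own MAC. It reproduces the recommended pattern of proxying a whole subnet while carving the firewall's real neighbors out with Negate. The function names, the sample addresses and the precedence rule (a covering negated entry always wins, which is the only reading under which order does not matter and the carve-out works) are assumptions for this example.

```python
"""Added example (not PAN-OS code): a model of the NDP proxy Address list with
Negate entries.  Names, precedence rule and sample addresses are assumptions."""
import ipaddress


def parse_entry(text: str):
    """Accept a single IPv6 address, an IPv6 subnet in CIDR form, or a
    'first-last' range: the entry kinds the Address list takes."""
    if "-" in text:
        first, last = (ipaddress.IPv6Address(p) for p in text.split("-", 1))
        if last < first:
            raise ValueError(f"range {text} is reversed")
        return ("range", first, last)
    return ("net", ipaddress.IPv6Network(text, strict=False))


def entry_covers(entry, target: ipaddress.IPv6Address) -> bool:
    """True if the parsed entry contains `target`."""
    if entry[0] == "range":
        return entry[1] <= target <= entry[2]
    return target in entry[1]


def should_proxy(address_list, target: str) -> bool:
    """address_list: [(entry_text, negate), ...].  Any negated entry covering
    the target takes priority over any positive entry, so a proxied subnet can
    exclude the firewall's own neighbors regardless of list order."""
    addr = ipaddress.IPv6Address(target)
    parsed = [(parse_entry(text), negate) for text, negate in address_list]
    if any(entry_covers(entry, addr) for entry, negate in parsed if negate):
        return False
    return any(entry_covers(entry, addr) for entry, negate in parsed if not negate)


def proxy_decisions(address_list, targets) -> dict:
    """Decisions for a batch of neighbor solicitation targets, keyed by target."""
    return {t: should_proxy(address_list, t) for t in targets}


def sample_address_list():
    """Constructed list: proxy the whole NPTv6 source-translation prefix, but
    not the firewall's neighbors (one host and one small range) inside it."""
    return [
        ("2001:db8:1::/64", False),
        ("2001:db8:1::5", True),
        ("2001:db8:1::10-2001:db8:1::1f", True),
    ]


if __name__ == "__main__":
    # Constructed NS targets: a proxied host, a negated neighbor, a host in
    # the negated range, and an address outside the list entirely.
    for target, answer in proxy_decisions(
            sample_address_list(),
            ["2001:db8:1::7", "2001:db8:1::5", "2001:db8:1::15", "2001:db8:2::1"]).items():
        print(f"{target:<16} proxy={answer}")
```

Without the negated entries, the firewall would answer solicitations for its own neighbors' addresses with its own MAC and pull their traffic onto itself, which is the failure mode the recommendation above is guarding against.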
Enable LLDP (Ethernet Interface > Advanced > LLDP): Select to enable Link Layer Discovery Protocol
(LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their
capabilities.
LLDP Profile (Ethernet Interface > Advanced > LLDP): If LLDP is enabled, select an LLDP profile to
assign to the interface or click LLDP Profile to create a new profile (see Network > Network
Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.
Settings (Ethernet Interface > Advanced > DDNS): Select Settings to make the DDNS fields available
to configure.
Enable (Ethernet Interface > Advanced > DDNS): Enable DDNS on the interface. You must initially
enable DDNS to configure it. (If your DDNS configuration is unfinished, you
Update Interval (days): Enter the interval (in days) between updates that the firewall sends to
the DDNS server to update IP addresses mapped to FQDNs (range is 1 to 30; default is 1).
Certificate Profile: Create a Certificate Profile to verify the DDNS service. The DDNS service
presents the firewall with a certificate signed by the certificate authority (CA).
Vendor: Select the DDNS vendor (and version) that provides DDNS service to this interface:
• DuckDNS v1
• DynDNS v1
• FreeDNS Afraid.org Dynamic API v1
• FreeDNS Afraid.org v1
• No-IP v1
• Palo Alto Networks DDNS—You must use this for SD-WAN AE interfaces and SD-WAN Layer 3
subinterfaces.
The Name and Value fields that follow the vendor name are vendor-specific. The read-only fields
notify you of parameters that the firewall uses to connect to the DDNS service. Configure the
other fields, such as a password that the DDNS service provides to you and a timeout that the
firewall uses if it doesn’t receive a response from the DDNS server.
IPv4 tab - IP: Add the IPv4 addresses configured on the interface and select them. All selected IP
addresses are registered with the DDNS provider (Vendor).
IPv6 tab - IPv6: Add the IPv6 addresses configured on the interface and select them. All selected
IP addresses are registered with the DDNS provider (Vendor).
Show Runtime Info: Displays the DDNS registration: DDNS provider, resolved FQDN, and the mapped
IP address(es) with an asterisk (*) indicating the primary IP address. Each DDNS provider has its
own return codes to indicate the status of the hostname update, and a return date, for
troubleshooting purposes.
Layer 3 Interface
• Network > Interfaces > Ethernet
Configure an Ethernet Layer 3 interface to which you can route traffic.
Interface Name: The read-only Interface Name field displays the name of the physical interface you
selected.
NetFlow Profile: If you want to export unidirectional IP traffic that traverses an ingress
interface to a NetFlow server, select the NetFlow profile or select NetFlow Profile to create a
new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow
server assignment from the interface.
Config Tab
Virtual Router: Assign a virtual router to the interface, or click Virtual Router to define a new
one (see Network > Virtual Routers). Select None to remove the current virtual router assignment
from the interface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled,
select a virtual system (vsys) for the interface or select Virtual System to define a new vsys.
Security Zone: Select a security zone for the interface or select Zone to define a new zone.
Select None to remove the current zone assignment from the interface.
IPv4 Tab
Enable SD-WAN: Select Enable SD-WAN to enable SD-WAN functionality for the Ethernet interface.
Enable Bonjour Reflector: (PA-220, PA-800, and PA-3200 series only) When you enable this option,
the firewall forwards Bonjour multicast advertisements and queries received on and forwarded to
this interface to all other L3 and AE interfaces and subinterfaces where you enable this option.
This helps ensure user access and device discoverability in network environments that use
segmentation to route
IP: Add and perform one of the following steps to specify a static IP address and network mask
for the interface or AE interface.
• Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example,
192.168.2.0/24).
• Select an existing address object of type IP netmask.
• Create an Address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your
system uses determines the maximum number of IP addresses. Delete an IP address when you no
longer need it.
SD-WAN Gateway: If you selected Enable SD-WAN, enter the IPv4 address of the SD-WAN gateway.
Enable: Select Enable to activate the interface for Point-to-Point Protocol over Ethernet (PPPoE)
termination. The interface is a PPPoE termination point to support connectivity in a Digital
Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to
terminate the connection.
Username: Enter the username your ISP provided for the point-to-point connection.
Show PPPoE Client Runtime Info: Select to view information about the PPPoE interface.
Static Address: Request a desired IPv4 address from the PPPoE server. The PPPoE server may assign
that address or another address.
automatically create default route pointing to peer: Select this option to automatically create a
default route that points to the default gateway that the PPPoE server provides.
Default Route Metric: Enter the default route metric (priority level) for the PPPoE connection
(default is 10). A route with a lower number has higher priority during route selection. For
example, a route with a metric of 10 is used before a route with a metric of 100.
Access Concentrator: If your ISP provided the name of an Access Concentrator, enter it. The
firewall connects with this Access Concentrator on the ISP end. This is a string value of 0 to
255 characters.
Service: The firewall (PPPoE client) can provide the desired service request to the PPPoE server.
It is a string value of 0 to 255 characters.
Passive: The firewall (PPPoE client) waits for the PPPoE server to initiate a connection. If this
is not enabled, the firewall initiates a connection.
Enable: Enable the interface to act as a Dynamic Host Configuration Protocol (DHCP) client and
receive a dynamically assigned IP address.
Automatically create default route pointing to default gateway provided by server: Select this
option to cause the firewall to create a static route to a default gateway. The default gateway is
useful when clients are trying to access many destinations that don’t need to have routes
maintained in a routing table on the firewall.
Send Hostname: Select this option to assign a hostname to the DHCP client interface and send that
hostname (Option 12) to a DHCP server, which can register the hostname with the DNS server. The
DNS server can then automatically manage hostname-to-dynamic IP address resolutions. External
hosts can identify the interface by its hostname. The default value indicates system-hostname,
which is the firewall hostname that you set in Device > Setup > Management > General Settings.
Alternatively, enter a hostname for the interface, which can be a maximum of 64 characters,
including uppercase and lowercase letters, numbers, period, hyphen, and underscore.
Default Route Metric: Enter a default route metric (priority level) for the route between the
firewall and the DHCP server (range is 1 to 65,535; there is no default metric). A route with a
lower number has higher priority during route selection. For example, a route with a metric of 10
is used before a route with a metric of 100.
Show DHCP Client Runtime Info: Select this option to see all of the settings the client has
inherited from its DHCP server, including DHCP lease status, dynamic IP address assignment, subnet
mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).
IPv6 Tab
Interface ID: Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.
Address: Add an IPv6 address and prefix length (for example, 2001:400:f00::1/64). Alternatively, select an existing IPv6 address object or create a new IPv6 address object.
Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
Send Router Advertisement: Select to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details on RA, see Enable Router Advertisement in this table. The following fields apply only if you Enable Router Advertisement:
• Valid Lifetime—Length of time, in seconds, that the firewall considers the address valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000.
• Preferred Lifetime—Length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections, but any existing connections are valid until the Valid Lifetime expires. The default is 604,800.
• On-link—Select if systems that have addresses within the prefix are reachable without a router.
• Autonomous—Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.
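The Interface ID and Autonomous fields above describe how a host portion is derived from a MAC and joined to an advertised prefix. The following is an added example, not part of the PAN-OS help, that performs that derivation (modified EUI-64 per RFC 4291, which inverts the universal/local bit, so the generated ID differs in its first octet from a plain EUI-64) using a constructed MAC address and the page's sample prefix; the function names are this example's own.

```python
"""Added example, not from the PAN-OS help: derive the interface ID that a host
forms from its MAC address (modified EUI-64, RFC 4291 Appendix A) and combine it
with an advertised /64 prefix, which is what a SLAAC client does when the RA
prefix carries the Autonomous flag. The MAC and prefix used below are constructed."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC.

    The MAC is split in half, 0xFFFE is inserted in the middle, and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = octets[0] ^ 0x02          # invert the U/L bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def format_interface_id(iid: bytes) -> str:
    """Render an interface ID the way the Interface ID field shows it (colon-separated hex)."""
    return ":".join(f"{b:02X}" for b in iid)


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with an interface ID into a host address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def is_eui64_derived(address: str) -> bool:
    """True if the host portion of `address` carries the FF:FE marker of a MAC-derived ID.

    Defensive use: such addresses reveal the interface's MAC address to anyone
    who sees them; address privacy extensions avoid that exposure.
    """
    host = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    return (host >> 24) & 0xFFFF == 0xFFFE


if __name__ == "__main__":
    mac = "00:26:08:DE:4E:29"                       # constructed sample MAC
    iid = eui64_interface_id(mac)
    print(format_interface_id(iid))                  # 02:26:08:FF:FE:DE:4E:29
    print(slaac_address("2001:400:f00::/64", iid))   # 2001:400:f00:0:226:8ff:fede:4e29
```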
Enable Duplicate Address Detection: Select to enable duplicate address detection (DAD), then configure the DAD Attempts, Reachable Time (sec), and NS Interval.
DAD Attempts: Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1 to 10; default is 1).
Reachable Time (sec): Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1 to 36,000; default is 30).
NS Interval (sec): Specify the number of seconds for DAD attempts before failure is indicated (range is 1 to 10; default is 1).
Enable NDP Monitoring: Select to enable Neighbor Discovery Protocol (NDP) monitoring. When enabled, you can select NDP (in the Features column) to view information about a neighbor the firewall discovered, such as the IPv6 address, the corresponding MAC address, and the User-ID (on a best-case basis).
Enable Router Advertisement: To provide Neighbor Discovery on IPv6 interfaces, select and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure an IPv6 address in the IP address table. If you set RA options for any IPv6 address, you must Enable Router Advertisement for the interface.
Min Interval (sec): Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3 to 1,350; default is 200). The firewall sends RAs at random intervals between the minimum and maximum values you configure.
Max Interval (sec): Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4 to 1,800; default is 600). The firewall sends RAs at random intervals between the minimum and maximum values you configure.
Hop Limit: Specify the hop limit to apply to clients for outgoing packets (range is 1 to 255; default is 64) or select unspecified, which maps to a system default.
Link MTU: Specify the link maximum transmission unit (MTU) to apply to clients (range is 1,280 to 1,500) or default to unspecified, which maps to a system default.
Reachable Time (ms): Specify the reachable time (in milliseconds) that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message (range is 0 to 3,600,000) or default to unspecified, which maps to a system default.
Retrans Time (ms): Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages (range is 0 to 4,294,967,295) or default to unspecified, which maps to a system default.
Router Lifetime (sec): Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0 to 9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
Router Preference: If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.
Managed Configuration: Select to indicate to the client that addresses are available via DHCPv6.
Other Configuration: Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.
Consistency Check: Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd.
DNS Support Tab (Available if you Enable Router Advertisement on the Router Advertisement Tab)
Include DNS information in Router Advertisement: Select for the firewall to send DNS information in NDP router advertisements from this IPv6 Ethernet interface. The other DNS Support fields (Server, Lifetime, Suffix, and Lifetime) are visible only after you select this option.
Server: Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of eight RDNS Servers that the firewall sends—in order listed from top to bottom—in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.
Lifetime: Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement before the client can use an RDNS server to resolve domain names (range is Max Interval (sec) to twice Max Interval (sec); default is 1,200).
Suffix: Add one or more domain names (suffixes) for the DNS search list (DNSSL). Maximum length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the query. For example,
Lifetime: Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice Max Interval (sec); default is 1,200).
SD-WAN Tab
SD-WAN Interface Status: If you selected Enable SD-WAN on the IPv4 tab, the firewall indicates SD-WAN Interface Status: Enabled. If you didn’t Enable SD-WAN, it indicates Disabled.
SD-WAN Interface Profile: Select the SD-WAN Interface Profile to apply to this Ethernet interface or add a new SD-WAN Interface Profile. You must Enable SD-WAN for the interface before you can apply an SD-WAN Interface Profile.
Upstream NAT: If your SD-WAN hub or branch is behind a device that is performing NAT, Enable upstream NAT for the hub or branch.
NAT IP Address Type: Select the type of IP address assignment and specify the IP address or FQDN of the public-facing interface on that NAT-performing device, or specify that DDNS derives the address. Thus, Auto VPN can use the address as the tunnel endpoint of the hub or branch.
• Static IP—Select the Type to be IP Address or FQDN and enter the IPv4 address or FQDN.
• DDNS—Dynamic DNS (DDNS) derives the IP address of the upstream NAT device.
Advanced Tab
Link Speed: Select the interface speed in Mbps (10, 100, or 1000) or select auto.
Link Duplex: Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).
Link State: Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).
Management Profile: Select a Management profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.
MTU: Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.
Adjust TCP MSS: Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
• IPv4 MSS Adjustment Size—Range is 40 to 300; default is 40.
• IPv6 MSS Adjustment Size—Range is 60 to 300; default is 60.
Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment.
Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.
Untagged Subinterface: Select this option if the corresponding subinterfaces for this interface aren’t tagged.
IP Address / MAC Address: To add one or more static Address Resolution Protocol (ARP) entries, Add an IP address and its associated hardware [media access control (MAC)] address. To delete an entry, select the entry and click Delete. Static ARP entries reduce ARP processing.
IPv6 Address / MAC Address: To provide neighbor information for Neighbor Discovery Protocol (NDP), Add the IPv6 address and MAC address of the neighbor.
Enable NDP Proxy: Enable Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface so that the firewall will receive the packets meant for the addresses in the list.
It is recommended that you enable NDP proxy if you are using Network Prefix Translation IPv6 (NPTv6).
If you selected Enable NDP Proxy, you can filter numerous Address entries by entering a filter and clicking Apply Filter (gray arrow).
Address: Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.
If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the IPv6 neighbors of the firewall and then click Negate to instruct the firewall not to respond to these IP addresses.
Negate: Negate an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.
Enable LLDP: Enable Link Layer Discovery Protocol (LLDP) for the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities by sending and receiving LLDP data units to and from neighbors.
LLDP Profile: Select an LLDP Profile or create a new LLDP Profile. The profile is the way in which you configure the LLDP mode, enable syslog and SNMP notifications, and configure the optional Type-Length-Values (TLVs) you want transmitted to LLDP peers.
Enable: Enable DDNS on the interface. You must initially enable DDNS to configure it. (If your DDNS configuration is unfinished, you can save it without enabling it so that you don’t lose your partial configuration.)
Update Interval (days): Enter the interval (in days) between updates that the firewall sends to the DDNS server to update IP addresses mapped to FQDNs (range is 1 to 30; default is 1).
Certificate Profile: Create a Certificate Profile to verify the DDNS service. The DDNS service presents the firewall with a certificate signed by the certificate authority (CA).
Hostname: Enter a hostname for the interface, which is registered with the DDNS Server (for example, host123.domain123.com, or host123). The firewall does not validate the hostname except to confirm that the syntax uses valid characters allowed by DNS for a domain name.
Vendor: Select the DDNS vendor (and version) that provides DDNS service to this interface:
• DuckDNS v1
• DynDNS v1
• FreeDNS Afraid.org Dynamic API v1
• FreeDNS Afraid.org v1
• No-IP v1
• Palo Alto Networks DDNS (applies to SD-WAN Full Mesh with DDNS, SD-WAN AE subinterfaces and SD-WAN Layer 3 subinterfaces)
The Name and Value fields that follow the vendor name are vendor-specific. The read-only fields notify you of parameters that the firewall uses to connect to the DDNS service. Configure the other fields, such as a password that the DDNS service provides to you and a timeout that the firewall uses if it doesn’t receive a response from the DDNS server.
IPv4 Tab: Add the IPv4 addresses configured on the interface and then select them. You can select only as many IPv4 addresses as the DDNS provider allows. All selected IP addresses are registered with the DDNS provider (Vendor).
IPv6 Tab: Add the IPv6 addresses configured on the interface and then select them. You can select only as many IPv6 addresses as the DDNS provider allows. All selected IP addresses are registered with the DDNS provider (Vendor).
Show Runtime Info: Displays the DDNS registration: DDNS provider, resolved FQDN, and the mapped IP address(es) with an asterisk (*) indicating the primary IP address. Each DDNS provider has its own return codes to indicate the status of the hostname update, and a return date, for troubleshooting purposes.
Layer 3 Subinterface
• Network > Interfaces > Ethernet
For each Ethernet port configured as a physical Layer 3 interface, you can define additional logical Layer 3 interfaces (subinterfaces). You can also configure Layer 3 subinterfaces for an SD-WAN AE interface. Create an SD-WAN AE interface group, select the group and Add Subinterface, and specify the following information.
To configure a PA-7000 Series Layer 3 Interface, select a physical interface, Add Subinterface, and specify the following information.
Interface Name (Layer3 Subinterface): The read-only Interface Name field displays the name of the physical interface you selected. In the adjacent field, enter a numeric suffix (1 to 9,999) to identify the subinterface.
Tag: Enter the VLAN tag (1 to 4,094) for the subinterface. For ease of use, use the same number as the numeric suffix for the Interface Name.
Virtual Router (Layer3 Subinterface > Config): Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.
Virtual System: If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.
Security Zone: Select a security zone for the subinterface, or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.
Enable SD-WAN (Layer3 Subinterface > IPv4): Select to enable SD-WAN on the Layer3 subinterface for a Layer 3 interface or an SD-WAN AE interface group.
Enable Bonjour Reflector: (PA-220, PA-800, and PA-3200 series only) When you enable this option, the firewall forwards Bonjour multicast advertisements and queries received on and forwarded to this interface to all other L3 and AE interfaces and subinterfaces where you enable this option. This helps ensure user access and device discoverability in network environments that use segmentation to route traffic for security or administrative purposes. You can enable this option on up to 16 interfaces.
IP (Layer3 Subinterface > IPv4, Type = Static): Add and perform one of the following steps to specify a static IP address and network mask for the interface.
• Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
• Select an existing address object of type IP netmask.
• Create an Address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
Delete an IP address when you no longer need it.
Send Hostname: Select to have the firewall (as a DHCP client) send the hostname of the interface (Option 12) to the DHCP server. If you select Send Hostname, the firewall hostname appears in the hostname field by default. You can send that name or enter a custom hostname (64 characters maximum, including uppercase and lowercase letters, numbers, periods, hyphens, and underscores).
Default Route Metric: (Optional) For the route between the firewall and DHCP server, you can enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1 to 65,535; there is no default). The priority level increases as the numeric value decreases.
Show DHCP Client Runtime Info: Select Show DHCP Client Runtime Info to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).
Enable IPv6 on the interface (Layer3 Subinterface > IPv6): Select to enable IPv6 addressing on this interface.
Address: Click Add and configure the following parameters for each IPv6 address:
• Address—Enter an IPv6 address and prefix length (for
example, 2001:400:f00::1/64). You can also select an existing
IPv6 address object or click Address to create an address
object.
• Enable address on interface—Select to enable the IPv6
address on the interface.
• Use interface ID as host portion—Select to use the Interface
ID as the host portion of the IPv6 address.
• Anycast—Select to include routing through the nearest node.
• Send Router Advertisement—Select to enable router
advertisement (RA) for this IP address. (You must also
enable the global Enable Router Advertisement option
on the interface.) For details on RA, see Enable Router
Advertisement in this table.
The remaining fields apply only if you enable RA.
• Valid Lifetime—The length of time, in seconds, that the
firewall considers the address as valid. The valid lifetime
must equal or exceed the Preferred Lifetime. The default
is 2,592,000.
• Preferred Lifetime—The length of time, in seconds, that
the valid address is preferred, which means the firewall
can use it to send and receive traffic. After the preferred
lifetime expires, the firewall cannot use the address to
establish new connections but any existing connections
are valid until the Valid Lifetime expires. The default is
604,800.
• On-link—Select if systems that have addresses within the
prefix are reachable without a router.
• Autonomous—Select if systems can independently create
an IP address by combining the advertised prefix with an
interface ID.
Enable Duplicate Address Detection (Layer3 Subinterface > IPv6 > Address Resolution): Select to enable duplicate address detection (DAD), then configure the other fields in this section.
DAD Attempts: Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1 to 10; default is 1).
Reachable Time: Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1 to 36,000; default is 30).
NS Interval (neighbor solicitation interval): Specify the number of seconds for DAD attempts before failure is indicated (range is 1 to 10; default is 1).
Enable Router Advertisement (Layer3 Subinterface > IPv6 > Router Advertisement): To provide Neighbor Discovery on IPv6 interfaces, select and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure an Address in the IP address table. If you set RA options for any IP address, you must Enable Router Advertisement for the interface.
Min Interval (sec): Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3 to 1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
Max Interval (sec): Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4 to 1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
Hop Limit: Specify the hop limit to apply to clients for outgoing packets (range is 1 to 255; default is 64). Enter 0 for no hop limit.
Link MTU: Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280 to 9,192; default is unspecified).
Reachable Time (ms): Specify the reachable time (in milliseconds) that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for
Retrans Time (ms): Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0 to 4,294,967,295; default is unspecified).
Router Lifetime (sec): Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0 to 9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
Router Preference: If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.
Managed Configuration: Select to indicate to the client that addresses are available via DHCPv6.
Consistency Check: Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd.
Include DNS information in Router Advertisement (Layer3 Subinterface > IPv6 > DNS Support): Select for the firewall to send DNS information in NDP router advertisements from this IPv6 Ethernet subinterface. The other DNS Support fields in this table are visible only after you select this option.
Server: Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of 8 RDNS Servers that the firewall sends—in order listed from top to bottom—in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.
Lifetime: Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement before the client can use an
Suffix (Layer3 Subinterface > IPv6 > DNS Support): Add one or more domain names (suffixes) for the DNS search list (DNSSL). Maximum length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the query. For example, if a DNS client tries to submit a DNS query for the name “quality” without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and transmits the DNS query. If the first DNS suffix on the list is “company.com”, the resulting query from the router is for the fully qualified domain name “quality.company.com”.
If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router uses the DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all of the suffixes on the list.
Configure the firewall with the suffixes that you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
You can configure a maximum of 8 domain names (suffixes) for a DNS search list option that the firewall sends—in order listed from top to bottom—in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order or Delete a suffix when you no longer need it.
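The search-list behaviour described above (append the suffixes one at a time, in advertised order, stop at the first successful lookup) as an added example that is not part of the PAN-OS help. The zone data and the `constructed_lookup` stand-in resolver are constructed for this example; handling of a name that already ends in "." is an assumption beyond the help text.

```python
"""Added example, not from the PAN-OS help: simulate how an IPv6 DNS client uses the
DNS search list (DNSSL) it received in an NDP router advertisement to qualify an
unqualified name, trying the suffixes in the advertised order and stopping at the
first successful lookup. The zone data below is constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed stand-in for the answers the client's DNS servers would return.
CONSTRUCTED_ZONE = {
    "quality.company.com": "2001:400:f00::10",
    "wiki.lab.company.com": "2001:400:f00::20",
}


def constructed_lookup(fqdn: str) -> Optional[str]:
    """Stand-in resolver: address for a fully qualified name, or None when the query fails."""
    return CONSTRUCTED_ZONE.get(fqdn.rstrip("."))


@dataclass
class SearchResult:
    queried: list = field(default_factory=list)   # FQDNs sent, in order
    fqdn: Optional[str] = None                    # the name that answered
    address: Optional[str] = None


def resolve_with_search_list(name: str, dnssl: list,
                             lookup: Callable[[str], Optional[str]]) -> SearchResult:
    """Qualify `name` with each DNSSL suffix in turn until a lookup succeeds.

    A name already ending in "." is fully qualified and is queried as-is
    (an assumption beyond the help text, which only covers unqualified names).
    """
    result = SearchResult()
    if name.endswith("."):
        candidates = [name]
    else:
        candidates = [f"{name}.{suffix}" for suffix in dnssl]
    for fqdn in candidates:
        result.queried.append(fqdn)
        address = lookup(fqdn)
        if address is not None:           # first hit wins; remaining suffixes are ignored
            result.fqdn, result.address = fqdn, address
            break
    return result


if __name__ == "__main__":
    dnssl = ["lab.company.com", "company.com"]     # constructed search list, advertised order
    print(resolve_with_search_list("quality", dnssl, constructed_lookup))
    print(resolve_with_search_list("missing", dnssl, constructed_lookup))
```

Because the first suffix that produces an answer wins, the order of the advertised list decides which zone an unqualified name resolves in, so the list should contain only zones you control.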
Lifetime (Layer3 Subinterface > IPv6 > DNS Support): Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
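The Router Advertisement and DNS Support fields of both the Ethernet interface IPv6 tab and the Layer 3 subinterface IPv6 tab carry cross-field rules (Valid Lifetime at least the Preferred Lifetime, per-address RA only with the interface-level Enable Router Advertisement, DNS lifetimes between Max Interval and twice Max Interval, at most 8 RDNS servers and 8 suffixes of up to 255 bytes). The following is an added example, not the help's or PAN-OS's own code, that checks a configuration against those rules; the dict layout, key names, the requirement that Min Interval not exceed Max Interval, and the sample configurations are this example's assumptions.

```python
"""Added example, not from the PAN-OS help: check an IPv6 router advertisement (RA)
configuration against the ranges and cross-field rules the help states for the
Ethernet interface IPv6 tab and the Layer 3 subinterface IPv6 tab (lifetimes,
intervals, DAD settings, and the DNS Support limits). The dict layout, key names
and sample configurations are this example's own assumptions, not a PAN-OS API."""
from typing import Any

# Field ranges as the help lists them; None (left unspecified) is always accepted.
RA_RANGES = {
    "min_interval": (3, 1_350),
    "max_interval": (4, 1_800),
    "hop_limit": (1, 255),
    "router_lifetime": (0, 9_000),
    "reachable_time_ms": (0, 3_600_000),
    "retrans_time_ms": (0, 4_294_967_295),
}
DAD_RANGES = {"dad_attempts": (1, 10), "reachable_time_sec": (1, 36_000), "ns_interval": (1, 10)}
MAX_RDNS_SERVERS = 8          # RDNS servers per RA
MAX_DNSSL_SUFFIXES = 8        # suffixes per DNS search list
MAX_SUFFIX_BYTES = 255
DEFAULT_MIN_INTERVAL, DEFAULT_MAX_INTERVAL = 200, 600
DEFAULT_VALID, DEFAULT_PREFERRED, DEFAULT_DNS_LIFETIME = 2_592_000, 604_800, 1_200


def _check_range(name: str, value: Any, lo: int, hi: int, problems: list) -> None:
    if value is None:
        return
    if not isinstance(value, int) or not lo <= value <= hi:
        problems.append(f"{name}={value!r} is outside {lo} to {hi}")


def validate_ra_config(cfg: dict) -> list:
    """Return the problems found; an empty list means the RA settings are consistent."""
    problems: list = []
    ra = cfg.get("router_advertisement", {})
    for name, (lo, hi) in RA_RANGES.items():
        _check_range(name, ra.get(name), lo, hi, problems)
    min_i = ra.get("min_interval", DEFAULT_MIN_INTERVAL)
    max_i = ra.get("max_interval", DEFAULT_MAX_INTERVAL)
    # RAs go out at random intervals between the two, so Min cannot exceed Max (assumption).
    if min_i > max_i:
        problems.append(f"min_interval {min_i} exceeds max_interval {max_i}")
    for name, (lo, hi) in DAD_RANGES.items():
        _check_range(name, cfg.get("dad", {}).get(name), lo, hi, problems)
    for addr in cfg.get("addresses", []):
        label = addr.get("address", "?")
        if addr.get("send_ra") and not ra.get("enabled"):
            problems.append(f"{label}: Send Router Advertisement needs Enable Router Advertisement on the interface")
        valid = addr.get("valid_lifetime", DEFAULT_VALID)
        preferred = addr.get("preferred_lifetime", DEFAULT_PREFERRED)
        if valid < preferred:
            problems.append(f"{label}: valid lifetime {valid} is below preferred lifetime {preferred}")
    dns = cfg.get("dns_support")
    if dns is not None:
        if not ra.get("enabled"):
            problems.append("DNS Support requires Enable Router Advertisement")
        servers = dns.get("rdns_servers", [])
        if len(servers) > MAX_RDNS_SERVERS:
            problems.append(f"{len(servers)} RDNS servers exceeds the maximum of {MAX_RDNS_SERVERS}")
        suffixes = dns.get("suffixes", [])
        if len(suffixes) > MAX_DNSSL_SUFFIXES:
            problems.append(f"{len(suffixes)} DNSSL suffixes exceeds the maximum of {MAX_DNSSL_SUFFIXES}")
        for suffix in suffixes:
            if len(suffix.encode()) > MAX_SUFFIX_BYTES:
                problems.append(f"suffix {suffix[:20]!r}... is longer than {MAX_SUFFIX_BYTES} bytes")
        # Both DNS lifetimes must lie between Max Interval and twice Max Interval.
        for key in ("rdns_lifetime", "dnssl_lifetime"):
            lifetime = dns.get(key, DEFAULT_DNS_LIFETIME)
            if not max_i <= lifetime <= 2 * max_i:
                problems.append(f"{key}={lifetime} is outside {max_i} to {2 * max_i}")
    return problems


# Constructed samples: one that follows the help's rules and one that breaks several of them.
SAMPLE_OK = {
    "router_advertisement": {"enabled": True, "min_interval": 200, "max_interval": 600,
                             "router_lifetime": 1800, "hop_limit": 64},
    "dad": {"dad_attempts": 1, "reachable_time_sec": 30, "ns_interval": 1},
    "addresses": [{"address": "2001:400:f00::1/64", "send_ra": True,
                   "valid_lifetime": 2_592_000, "preferred_lifetime": 604_800}],
    "dns_support": {"rdns_servers": ["2001:400:f00::53"], "suffixes": ["company.com"],
                    "rdns_lifetime": 1200, "dnssl_lifetime": 900},
}
SAMPLE_BAD = {
    "router_advertisement": {"enabled": False, "min_interval": 700, "max_interval": 600},
    "addresses": [{"address": "2001:db8::1/64", "send_ra": True,
                   "valid_lifetime": 1000, "preferred_lifetime": 2000}],
    "dns_support": {"rdns_servers": [f"2001:db8::{i}" for i in range(1, 10)],
                    "suffixes": ["x" * 300], "rdns_lifetime": 100},
}

if __name__ == "__main__":
    for line in validate_ra_config(SAMPLE_BAD):
        print(line)
```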
Adjust TCP MSS (Layer3 Subinterface > Advanced > Other Info): Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
• IPv4 MSS Adjustment Size—Range is 40 to 300; default is 40.
• IPv6 MSS Adjustment Size—Range is 60 to 300; default is 60.
Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment.
Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.
IP Address / MAC Address (Layer3 Subinterface > Advanced > ARP Entries): To add one or more static Address Resolution Protocol (ARP) entries, Add an IP address and its associated hardware [media access control (MAC)] address. To delete an entry, select the entry and click Delete. Static ARP entries reduce ARP processing.
Enable NDP Proxy (Layer3 Subinterface > Advanced > NDP Proxy): Enable Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface so that the firewall will receive the packets meant for the addresses in the list.
It is recommended that you enable NDP proxy if you are using Network Prefix Translation IPv6 (NPTv6).
If you selected Enable NDP Proxy, you can filter numerous Address entries by entering a filter and clicking Apply Filter (gray arrow).
Settings (Layer3 Subinterface > Advanced > DDNS): Select Settings to make the DDNS fields available to configure.
Enable: Enable DDNS on the interface. You must initially enable DDNS to configure it. (If your DDNS configuration is unfinished, you can save it without enabling it so that you don’t lose your partial configuration.)
Update Interval (days): Enter the interval (in days) between updates that the firewall sends to the DDNS server to update IP addresses mapped to FQDNs (range is 1 to 30; default is 1).
The firewall also updates DDNS upon receiving a new IP address for the interface from the DHCP server.
Certificate Profile: Create a Certificate Profile to verify the DDNS service. The DDNS service presents the firewall with a certificate signed by the certificate authority (CA).
Vendor: Select the DDNS vendor (and version) that provides DDNS service to this interface:
• DuckDNS v1
• DynDNS v1
• FreeDNS Afraid.org Dynamic API v1
• FreeDNS Afraid.org v1
• No-IP v1
• Palo Alto Networks DDNS—You must choose this vendor for SD-WAN AE subinterfaces or SD-WAN Layer 3 subinterfaces.
The Name and Value fields that follow the vendor name are vendor-specific. The read-only fields notify you of parameters that the firewall uses to connect to the DDNS service. Configure
IPv4 tab - IP: Add the IPv4 addresses configured on the interface and then select them. You can select only as many IPv4 addresses as the DDNS provider allows. All selected IP addresses are registered with the DDNS provider (Vendor).
IPv6 tab - IPv6: Add the IPv6 addresses configured on the interface and then select them. You can select only as many IPv6 addresses as the DDNS provider allows. All selected IP addresses are registered with the DDNS provider (Vendor).
Show Runtime Info (Layer3 Subinterface > Advanced > DDNS): Displays the DDNS registration: DDNS provider, resolved FQDN, and the mapped IP address(es) with an asterisk (*) indicating the primary IP address. Each DDNS provider has its own return codes to indicate the status of the hostname update, and a return date, for troubleshooting purposes.
You can configure only one port on the firewall as type Log Card. If you enable log forwarding but do not configure an interface with the Log Card type, you get an error when you attempt to commit your changes.

This information pertains to configuring a Log Processing Card (LPC). To learn how to configure a Log Forwarding Card (LFC), see Device > Log Forwarding Card.

To configure a log card interface, select an Interface that is not configured (ethernet1/16, for example) and configure the settings described in the following table.

Link Speed [Ethernet Interface > Advanced]
Select the interface speed in Mbps (10, 100, or 1000) or select auto (default) to have the firewall automatically determine the speed based on the connection. For interfaces that have a non-configurable speed, auto is the only option.

Link State
Select whether the interface status is enabled (up), disabled (down), or determined automatically based on the connection (auto). The default is auto.

Interface Name [LPC Subinterface]
Interface Name (read-only) displays the name of the log card interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.

Virtual System [LPC Subinterface > Config]
Select the virtual system (vsys) to which the Log Processing Card (LPC) subinterface is assigned. Alternatively, you can click Virtual Systems to add a new vsys. Once an LPC subinterface is assigned to a vsys, that interface is used as the source interface for all services that forward logs (syslog, email, SNMP) from the log card.
Decryption port mirroring is not available on the VM-Series for public cloud platforms (AWS, Azure, Google Cloud Platform), VMware NSX, and Citrix SDX.

To configure a decrypt mirror interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.

Interface Name
The interface name is predefined and you cannot change it.

Link Speed
Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.

Link Duplex
Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).

Link State
Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).
All Palo Alto Networks firewalls except the VM-Series models support AE interface groups. You can aggregate the HA3 (packet forwarding) interfaces in a high availability (HA) active/active configuration but only on the following firewall models:
• PA-220
• PA-800 Series
• PA-3200 Series
• PA-5200 Series

To configure an AE interface group, Add Aggregate Group, configure the settings described in the following table, and then assign interfaces to the group (see Aggregate Ethernet (AE) Interface).

Interface Name [Aggregate Ethernet Interface]
The read-only Interface Name is set to ae. In the adjacent field, enter a numeric suffix to identify the AE interface group. The range of the numeric suffix depends on how many AE groups the firewall

Interface Type
Select the interface type, which controls the remaining configuration requirements and options:
• HA—Select only if the interface is an HA3 link between two firewalls in an active/active deployment. Optionally, select a NetFlow Profile and configure the settings on the LACP tab (see Enable LACP).
• Virtual Wire—(Optional) Select a NetFlow Profile and configure the settings on the Config and Advanced tabs as described in Virtual Wire Settings.
• Layer 2—(Optional) Select a NetFlow Profile; configure the settings on the Config and Advanced tabs as described in Layer 2 Interface Settings; and, optionally, configure the LACP tab (see Enable LACP).
• Layer 3—(Optional) Select a NetFlow Profile; configure the settings on the Config tab, the IPv4 or IPv6 tab, and the Advanced tab as described in Layer 3 Interface Settings; and, optionally, configure the LACP tab (see Enable LACP). SD-WAN supports AE interface groups of Layer 3 interfaces and subinterfaces.

Enable LACP [Aggregate Ethernet Interface > LACP]
Select if you want to enable Link Aggregation Control Protocol (LACP) for the AE interface group. LACP is disabled by default.
If you enable LACP, interface failure detection is automatic at the physical and data link layers regardless of whether the firewall and its LACP peer are directly connected. (Without LACP, interface failure detection is automatic only at the physical layer between directly connected peers.) LACP also enables automatic failover to standby interfaces if you configure hot spares (see Max Ports).

Mode
Select the LACP mode of the firewall. Between any two LACP peers, we recommend that you configure one as active and the other as passive. LACP cannot function if both peers are passive.
• Passive (default)—The firewall passively responds to LACP status queries from peer devices.
• Active—The firewall actively queries the LACP status (available or unresponsive) of peer devices.

Transmission Rate
Select the rate at which the firewall exchanges queries and responses with peer devices:
• Fast—Every second
• Slow (default)—Every 30 seconds

Fast Failover
Select if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds).

System Priority [Aggregate Ethernet Interface > LACP (cont)]
The number that determines whether the firewall or its peer overrides the other with respect to port priorities (see Max Ports below). The lower the number, the higher the priority (range is 1 to 65,535; default is 32,768).

Max Interfaces
The number of interfaces (1 to 8) that can be active at any given time in an LACP aggregate group. This value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface).

MAC Address [Aggregate Ethernet Interface > LACP (cont)]
If you Use Same System MAC Address, select a system-generated MAC address or enter your own MAC address for both firewalls in the active/passive HA pair. You must verify that the address is globally unique.
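The interaction between System Priority, Max Ports and the per-interface LACP Port Priority is easier to see in code. The following is an added example, not part of the PAN-OS help text or of any Palo Alto Networks software: it models how the side with the lower System Priority decides, by its own port priorities, which assigned links are active and which go to standby. The peer-side priorities are constructed sample values, and the two tie-break rules (lower system MAC wins when System Priority is equal, lower port number wins when port priority is equal) are IEEE 802.1AX behaviour assumed here rather than stated on the page.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AeMember:
    """One physical interface assigned to an AE group.

    local_port_priority is the LACP Port Priority configured on the firewall's
    interface; peer_port_priority is the value the LACP peer advertises for the
    same link (constructed for this example, the page only documents the local field).
    """
    name: str                  # e.g. "ethernet1/3"
    local_port_priority: int   # 1-65,535; lower value = higher priority
    peer_port_priority: int    # 1-65,535; lower value = higher priority


def _port_index(name):
    """Sort key for an interface name such as 'ethernet1/3' -> (1, 3)."""
    m = re.fullmatch(r"ethernet(\d+)/(\d+)", name)
    if not m:
        raise ValueError(f"unexpected interface name: {name}")
    return (int(m.group(1)), int(m.group(2)))


def _mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def _check_priority(value, label):
    if not 1 <= value <= 65535:
        raise ValueError(f"{label} out of range 1-65,535: {value}")


def select_active_members(members, max_ports, local_system_priority, peer_system_priority,
                          local_system_mac="00:00:00:00:00:01", peer_system_mac="00:00:00:00:00:02"):
    """Return (active, standby) lists of interface names.

    The system with the lower System Priority overrides the other, so its port
    priorities decide which links are active (tie on System Priority: lower system
    MAC wins, assumed 802.1AX behaviour). Within the winning side, lower port
    priority wins; equal priorities fall back to the lower port number (assumed).
    """
    if not 1 <= max_ports <= 8:
        raise ValueError("Max Ports must be between 1 and 8")
    if max_ports > len(members):
        raise ValueError("Max Ports cannot exceed the number of assigned interfaces")
    _check_priority(local_system_priority, "local System Priority")
    _check_priority(peer_system_priority, "peer System Priority")
    for m in members:
        _check_priority(m.local_port_priority, f"{m.name} local port priority")
        _check_priority(m.peer_port_priority, f"{m.name} peer port priority")

    local_overrides = (local_system_priority, _mac_to_int(local_system_mac)) < \
                      (peer_system_priority, _mac_to_int(peer_system_mac))

    def key(m):
        prio = m.local_port_priority if local_overrides else m.peer_port_priority
        return (prio, _port_index(m.name))

    ordered = sorted(members, key=key)
    active = [m.name for m in ordered[:max_ports]]
    standby = [m.name for m in ordered[max_ports:]]
    return active, standby


# Constructed sample group: three assigned links, Max Ports = 2, so one link
# must end up in standby. Local and peer disagree about which link is least preferred.
SAMPLE_MEMBERS = [
    AeMember("ethernet1/1", local_port_priority=32768, peer_port_priority=100),
    AeMember("ethernet1/2", local_port_priority=100, peer_port_priority=32768),
    AeMember("ethernet1/3", local_port_priority=200, peer_port_priority=200),
]

if __name__ == "__main__":
    # Firewall has the lower (better) System Priority: its priorities win.
    print(select_active_members(SAMPLE_MEMBERS, 2, 100, 32768))
    # Peer has the lower System Priority: the peer's priorities win instead.
    print(select_active_members(SAMPLE_MEMBERS, 2, 32768, 100))
```

Running the two calls shows the point of the System Priority field: with the same three links and the same Max Ports, changing which side has the lower System Priority changes which link is placed in standby.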
If you enabled Link Aggregation Control Protocol (LACP) for the AE interface group, select the same Link Speed and Link Duplex for every interface in that group. For non-matching values, the commit operation displays a warning and PAN-OS defaults to the higher speed and full duplex.

Interface Name [Aggregate Ethernet Interface]
The interface name is predefined and you cannot change it.

Comment
(Optional) Enter a description for the interface.

Link Speed
Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.

Link Duplex
Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).

Link State
Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).

LACP Port Priority
The firewall only uses this field if you enabled Link Aggregation Control Protocol (LACP) for the aggregate group. If the number of interfaces you assign to the group exceeds the number of active interfaces (the Max Ports field), the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. The lower the numeric value, the higher the priority (range is 1-65,535; default is 32,768).

Virtual Router [Aggregate Ethernet Interface > Config]
Select the virtual router to which you assign the Aggregate Ethernet interface.

Security Zone
Select the security zone to which you assign the Aggregate Ethernet interface.

Enable Bonjour Reflector [Aggregate Ethernet Interface > IPv4]
(PA-220, PA-800, and PA-3200 series only) When you enable this option, the firewall forwards Bonjour multicast advertisements and queries received on and forwarded to this interface to all other L3 and AE interfaces and subinterfaces where you enable this option. This helps ensure user access and device discoverability in network environments that use segmentation to route traffic for security or administrative purposes. You can enable this option on up to 16 interfaces.

Enable Duplication Address Detection [Aggregate Ethernet Interface > IPv6 > Address Resolution]
Select to enable duplicate address detection (DAD), which then allows you to specify the number of DAD Attempts.

DAD Attempts
Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).

NS Interval (neighbor solicitation interval)
Specify the length of time, in seconds, before a DAD attempt failure is indicated (range is 1-10; default is 1).

Enable Router Advertisement [Aggregated Ethernet Interface > IPv6 > Router Advertisement]
Select to provide Neighbor Discovery on IPv6 interfaces and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure an Address in the IP address table. If you set RA options for any IP address, you must Enable Router Advertisement for the interface.

Min Interval (sec)
Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Max Interval (sec)
Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Hop Limit
Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.

Link MTU
Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).

Reachable Time (ms)
Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).

Retrans Time (ms)
Specify the retransmission timer that determines how long the client will wait, in milliseconds, before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).

Router Lifetime (sec)
Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.

Router Preference
If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.

Managed Configuration
Select to indicate to the client that addresses are available via DHCPv6.

Other Configuration
Select to indicate to the client that other address information (such as DNS-related settings) is available via DHCPv6.

Consistency Check [Aggregated Ethernet Interface > IPv6 > Router Advertisement (cont)]
Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd.

Include DNS information in Router Advertisement [Aggregated Ethernet Interface > IPv6 > DNS Support]
Select for the firewall to send DNS information in NDP router advertisement (RA) messages from this IPv6 Aggregated Ethernet interface. The other DNS Support fields in this table are visible only after you select this option.

Server
Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Aggregated Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of eight RDNS Servers that the firewall sends—in the order listed from top to bottom—in an NDP router advertisement to the recipient, which then uses those addresses in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server when you no longer need it.

Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS Servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Suffix
Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name “quality” without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and transmits the DNS query.

Lifetime [Aggregated Ethernet Interface > IPv6 > DNS Support (cont)]
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
Interface Name [VLAN Interface]
The read-only Interface Name is set to vlan. In the adjacent field, enter a numeric suffix (1 to 9,999) to identify the interface.

VLAN [VLAN Interface > Config]
Select a VLAN or click VLAN to define a new one (see Network > VLANs). Select None to remove the current VLAN assignment from the interface.

Virtual Router
Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.

Virtual System
If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.

Security Zone
Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Type [VLAN Interface > IPv4]
Select the method for assigning an IPv4 address type to the interface:
• Static—You must manually specify the IP address.
• DHCP Client—Enables the interface to act as a Dynamic Host Configuration Protocol (DHCP) client and receive a dynamically assigned IP address.

IP [VLAN Interface > IPv4]
Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface.
• Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
• Select an existing address object of type IP netmask.
• Create an Address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
Delete an IP address when you no longer need it.

Send Hostname
Select to configure the firewall (as a DHCP client) to send the hostname of the interface (Option 12) to the DHCP server. If you Send Hostname, then by default, the hostname of the firewall is the choice in the hostname field. You can send that name or enter a custom hostname (64 characters maximum including uppercase and lowercase letters, numbers, periods, hyphens, and underscores).

Default Route Metric
For the route between the firewall and DHCP server, optionally enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1 to 65,535; there is no default). The priority level increases as the numeric value decreases.

Show DHCP Client Runtime Info
Select to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).

Address [VLAN Interface > IPv6 (cont)]
Click Add and configure the following parameters for each IPv6 address:
• Address—Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
• Enable address on interface—Select to enable the IPv6 address on the interface.
• Use interface ID as host portion—Select to use the Interface ID as the host portion of the IPv6 address.
• Anycast—Select to include routing through the nearest node.
• Send RA—Select to enable router advertisement (RA) for this IP address. When you select this option, you must also globally Enable Router Advertisement on the interface. For details on RA, see Enable Router Advertisement.
The remaining fields apply only if you enable RA.
• Valid Lifetime—The length of time, in seconds, that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000.
• Preferred Lifetime—The length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until they exceed the Valid Lifetime. The default is 604,800.
• On-link—Select if systems with IP addresses within the advertised prefix are reachable without a router.
• Autonomous—Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.

Enable Duplication Address Detection [VLAN Interface > IPv6 > Address Resolution]
Select to enable duplicate address detection (DAD), which allows you to specify the number of DAD Attempts.

DAD Attempts
Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1 to 10; default is 1).

NS Interval (neighbor solicitation interval)
Specify the number of seconds for DAD attempts before failure is indicated (range is 1 to 10; default is 1).

Enable Router Advertisement [VLAN Interface > IPv6 > Router Advertisement]
Select to provide Neighbor Discovery on IPv6 interfaces and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add an Address to the IP address table and configure it. If you set RA options for any IP address, you must Enable Router Advertisement for the interface.

Min Interval (sec)
Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3 to 1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Max Interval (sec)
Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4 to 1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Hop Limit
Specify the hop limit to apply to clients for outgoing packets (range is 1 to 255; default is 64). Enter 0 for no hop limit.

Link MTU
Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280 to 9,192; default is unspecified).

Reachable Time (ms)
Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0 to 3,600,000; default is unspecified).

Retrans Time (ms)
Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor

Router Lifetime (sec)
Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0 to 9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.

Router Preference
If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.

Managed Configuration
Select to indicate to the client that addresses are available via DHCPv6.

Other Configuration
Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.

Consistency Check [VLAN Interface > IPv6 > Router Advertisement (cont)]
Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd.

Include DNS information in Router Advertisement [VLAN Interface > IPv6 > DNS Support]
Select for the firewall to send DNS information in NDP router advertisements from this IPv6 VLAN interface. The other DNS Support fields in this table are visible only after you select this option.

Server
Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 VLAN interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of eight RDNS servers that the firewall sends—in the order listed from top to bottom—in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.

Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Suffix
Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.

Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

MTU
Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.

Adjust TCP MSS
Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
• IPv4 MSS Adjustment Size—Range is 40 to 300; default is 40.
• IPv6 MSS Adjustment Size—Range is 60 to 300; default is 60.

IP Address, MAC Address, Interface [VLAN Interface > Advanced > ARP Entries]
To add one or more static Address Resolution Protocol (ARP) entries, click Add and enter an IP address, enter its associated hardware [media access control (MAC)] address, and select a Layer 3 interface that can access the hardware address. To delete an entry, select the entry and click Delete. Static ARP entries reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses.

IPv6 Address, MAC Address [VLAN Interface > Advanced > ND Entries]
To provide neighbor information for Neighbor Discovery Protocol (NDP), click Add and enter the IPv6 address and MAC address of the neighbor.

Enable NDP Proxy [VLAN Interface > Advanced > NDP Proxy]
Select to enable Neighbor Discovery Protocol (NDP) Proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface, and is basically saying, “send me the packets meant for these addresses.”
(Recommended) Enable NDP Proxy if you are using Network Prefix Translation IPv6 (NPTv6).
If you Enable NDP Proxy, you can filter numerous Address entries: first enter a filter and then apply it (green arrow).

Negate
Select Negate for an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.

Settings [VLAN Interface > Advanced > DDNS]
Select Settings to make the DDNS fields available to configure.

Enable DDNS
Enable DDNS on the interface. You must initially enable DDNS to configure it. (If your DDNS configuration is unfinished, you can save it without enabling it so that you don’t lose your partial configuration.)

Update Interval (days)
Enter the interval (in days) between updates that the firewall sends to the DDNS server to update IP addresses mapped to FQDNs (range is 1 to 30; default is 1).

Certificate Profile
Select a Certificate Profile that you created (or create a new one) to verify the DDNS service. The DDNS service presents the firewall with a certificate signed by the certificate authority (CA).

Hostname
Enter a hostname for the interface, which is registered with the DDNS Server (for example, host123.domain123.com, or host123). The firewall does not validate the hostname except to confirm that the syntax uses valid characters allowed by DNS for a domain name.

Vendor
Select the DDNS vendor (and version number) that provides DDNS service to this interface:
• DuckDNS v1
• DynDNS v1
• FreeDNS Afraid.org Dynamic API v1
• FreeDNS Afraid.org v1
• No-IP v1
The Name and Value fields that follow the vendor name are vendor-specific. Some fields are read-only to notify you of the parameters that the firewall uses to connect to the DDNS service. Configure the other fields, such as a password that the DDNS service provides to you and a timeout the firewall uses if it doesn’t receive a response from the DDNS server.

IPv4 tab - IP
Add the IPv4 addresses configured on the interface and select them. All selected IP addresses are registered with the DDNS provider (Vendor).

IPv6 tab - IPv6 [VLAN Interface > Advanced > DDNS (cont)]
Add the IPv6 addresses configured on the interface and select them. All selected IP addresses are registered with the DDNS provider (Vendor).

Show Runtime Info
Displays the DDNS registration: DDNS provider, resolved FQDN, and the mapped IP address(es) with an asterisk (*) indicating the primary IP address. Each DDNS provider has its own return codes to indicate the status of the hostname update, and a return date, for troubleshooting purposes.
Interface Name [Loopback Interface]
The read-only Interface Name is set to loopback. In the adjacent field, enter a numeric suffix (1-9999) to identify the interface.

Virtual Router [Loopback Interface > Config]
Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.

Virtual System
If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.

Security Zone
Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

MTU
Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.

Adjust TCP MSS
Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
• IPv4 MSS Adjustment Size—Range is 40-300; default is 40.
• IPv6 MSS Adjustment Size—Range is 60-300; default is 60.

IP [Loopback Interface > IPv4]
Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface.
• Enter an IPv4 address with a subnet mask of /32; for example, 192.168.2.1/32. Only a /32 subnet mask is supported.
• Select an existing address object of type IP netmask.
• Click Address to create an address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
To delete an IP address, select the address and click Delete.

Address
Click Add and configure the following parameters for each IPv6 address:
• Address—Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
• Enable address on interface—Select to enable the IPv6 address on the interface.
• Use interface ID as host portion—Select to use the Interface ID as the host portion of the IPv6 address.
• Anycast—Select to include routing through the nearest node.
Interface Tunnel The read-only Interface Name is set to tunnel. In the adjacent field,
Name Interface enter a numeric suffix (1-9,999) to identify the interface.
Virtual Router Tunnel Assign a virtual router to the interface, or click Virtual Router to
Interface > define a new one (see Network > Virtual Routers). Select None to
Config remove the current virtual router assignment from the interface.
Virtual System If the firewall supports multiple virtual systems and that capability
is enabled, select a virtual system (vsys) for the interface or click
Virtual System to define a new vsys.
Security Zone Select a security zone for the interface, or click Zone to define a
new zone. Select None to remove the current zone assignment from
the interface.
MTU Enter the maximum transmission unit (MTU) in bytes for packets
sent on this interface (576-9,192; default is 1,500). If machines on
either side of the firewall perform Path MTU Discovery (PMTUD)
and the interface receives a packet exceeding the MTU, the firewall
returns an ICMP fragmentation needed message to the source
indicating the packet is too large.
IP (Tunnel Interface > IPv4) Click Add, then perform one of the following steps to specify a
static IP address and network mask for the interface.
• Type the entry in Classless Inter-Domain Routing (CIDR)
notation: ip_address/mask (for example, 192.168.2.0/24).
• Select an existing address object of type IP netmask.
• Click Address to create an address object of type IP netmask.
Interface ID (Tunnel Interface > IPv6) Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal
format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this
field blank, the firewall uses the EUI-64 generated from the MAC
address of the physical interface. If you enable the Use interface ID
as host portion option when adding an address, the firewall uses the
interface ID as the host portion of that address.
Address Click Add and configure the following parameters for each IPv6
address:
• Address—Enter an IPv6 address and prefix length (e.g.
2001:400:f00::1/64). You can also select an existing IPv6
address object or click Address to create an address object.
• Enable address on interface—Select to enable the IPv6 address
on the interface.
• Use interface ID as host portion—Select to use the Interface ID
as the host portion of the IPv6 address.
• Anycast—Select to include routing through the nearest node.
Interface Name The read-only Interface Name is set to sdwan. In the adjacent field, enter a numeric
suffix (1 to 9,999) to identify the virtual SD-WAN interface.
Comment The best practice is to enter a user-friendly description for the interface, such as
to internet or to Western USA hub. Your comments will make it easier to
identify interfaces rather than trying to decipher auto-generated names in logs and
reports.
Link Tag Tag on an SD-WAN link; for example, Cheap Broadband or Backup.
Config Tab
Virtual Router Assign a virtual router to the interface, or select Virtual Router to define a new one
(see Network > Virtual Routers). Select None to remove the current virtual router
assignment from the interface.
Virtual System If the firewall supports multiple virtual systems and that capability is enabled, you
must select vsys1 for the interface.
Security Zone Select a security zone for the interface, or select Zone to define a new zone. Select
None to remove the current zone assignment from the interface. The virtual SD-
WAN interface and all of its interface members must be in the same security zone,
thus ensuring the same security policy rules apply to all paths from the branch to the
same destination.
Advanced Tab
Interfaces Select the Layer 3 Ethernet interfaces (for Direct Internet Access [DIA]) or virtual
VPN tunnel interfaces (for hub) that constitute this virtual SD-WAN interface. The
firewall virtual router uses this virtual SD-WAN interface to route SD-WAN traffic
to a DIA or a hub location. The interfaces can have different tags. If you enter more
than one interface, they must all be the same type (either VPN tunnel or DIA).
Looking for more? Segment Your Network Using Interfaces and Zones
Name Enter a zone name (up to 31 characters). This name appears in the list of
zones when defining security policies and configuring interfaces. The name
is case-sensitive and must be unique within the virtual system (vsys). Use only
letters, numbers, spaces, hyphens, periods, and underscores.
Location This field is present only if the firewall supports multiple virtual systems
(vsys) and that capability is enabled. Select the vsys to which this zone
applies.
Type Select a zone type (Tap, Virtual Wire, Layer2, Layer3, External, or Tunnel)
to view all the Interfaces of that type that have not been assigned to a
zone. The Layer 2 and Layer 3 zone types list all Ethernet interfaces and
subinterfaces of that type. Add the interfaces that you want to assign to the
zone.
Zone Protection Profiles Select a profile that specifies how the firewall responds to attacks from
this zone. To create a new profile, see Network > Network Profiles > Zone
Protection. The best practice is to defend each zone with a Zone Protection
profile.
Enable Packet Buffer Protection Configure Packet Buffer Protection (Device > Setup > Session) globally
and apply it to each zone. The firewall applies Packet Buffer Protection to
the ingress zone only. Packet Buffer Protection based on buffer utilization
percentage is enabled by default. An alternative is to configure Packet
Buffer Protection based on latency. It is a best practice to enable Packet
Buffer Protection on each zone to protect the firewall buffers.
Log Setting Select a Log Forwarding profile for forwarding zone protection logs to an
external system.
If you have a Log Forwarding profile named default, that profile will be
automatically selected for this drop-down when defining a new security
zone. You can override this default setting at any time by continuing to
select a different Log Forwarding profile when setting up a new security
zone. To define or add a new Log Forwarding profile (and to name a profile
default so that this drop-down is populated automatically), click New (refer
to Objects > Log Forwarding).
User Identification ACL Include List By default, if you do not specify subnetworks in this list, the firewall applies
the user mapping information it discovers to all the traffic of this zone for
use in logs, reports, and policies.
To limit the application of user mapping information to specific
subnetworks within the zone, click Add for each subnetwork and
select an address (or address group) object or type the IP address range (for
example, 10.1.1.1/24). The exclusion of all other subnetworks is implicit
because the Include List is an allow list, so you do not need to add them to
the Exclude List.
Add entries to the Exclude List only to exclude user mapping information
for a subset of the subnetworks in the Include List. For example, if you add
10.0.0.0/8 to the Include List and add 10.2.50.0/22 to the Exclude List,
the firewall includes user mapping information for all the zone subnetworks
of 10.0.0.0/8 except 10.2.50.0/22, and excludes information for all zone
subnetworks outside of 10.0.0.0/8.
User Identification ACL Exclude List To exclude user mapping information for a subset of the subnetworks in
the Include List, Add an address (or address group) object or type the IP
address range for each subnetwork to exclude.
If you add entries to the Exclude List but not the Include
List, the firewall excludes user mapping information for all
subnetworks within the zone, not just the subnetworks you
added.
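The Include List and Exclude List semantics described above, including the edge case in the note, written out as a Python check. This is an added illustration and not firewall code; the list entries and the IP addresses it evaluates are constructed sample values that reuse the 10.0.0.0/8 and 10.2.50.0/22 pairing from the table.

```python
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_acl(entries: Iterable[str]) -> List[Network]:
    """Turn list entries such as '10.1.1.1/24' into network objects.

    strict=False mirrors the form the web interface accepts, where host
    bits may be set in the entry (10.1.1.1/24 means 10.1.1.0/24).
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def user_mapping_applies(ip: str, include: List[Network], exclude: List[Network]) -> bool:
    """Decide whether User-ID mapping is applied to traffic from this address.

    Rules as described for the zone's User Identification ACL:
      * Both lists empty: mapping applies to the whole zone.
      * Include List populated: only addresses inside an Include entry get
        mapping, minus anything inside an Exclude entry.
      * Exclude List populated but Include List empty: mapping is excluded
        for every subnetwork in the zone, not just the listed ones.
    """
    addr = ipaddress.ip_address(ip)
    if exclude and not include:
        return False
    if any(addr in net for net in exclude):
        return False
    if not include:
        return True
    return any(addr in net for net in include)


def evaluate(ips: Iterable[str], include_entries: Iterable[str],
             exclude_entries: Iterable[str]) -> Dict[str, bool]:
    """Evaluate several addresses against one zone's Include/Exclude lists."""
    include, exclude = parse_acl(include_entries), parse_acl(exclude_entries)
    return {ip: user_mapping_applies(ip, include, exclude) for ip in ips}


if __name__ == "__main__":
    # Constructed sample: the table's own Include/Exclude pairing.
    result = evaluate(["10.1.1.1", "10.2.51.7", "192.168.1.1"],
                      ["10.0.0.0/8"], ["10.2.50.0/22"])
    for ip, mapped in result.items():
        print(f"{ip:>14}  user mapping {'applied' if mapped else 'not applied'}")
```

The second branch is the one worth testing in a lab before commit: an Exclude List with an empty Include List silently turns off user mapping for the entire zone, which makes user-based policy rules stop matching.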
Name Enter a VLAN name (up to 31 characters). This name appears in the list of
VLANs when configuring interfaces. The name is case-sensitive and must
be unique. Use only letters, numbers, spaces, hyphens, and underscores.
VLAN Interface Select a Network > Interfaces > VLAN to allow traffic to be routed outside
the VLAN.
Static MAC Configuration Specify the interface through which a MAC address is reachable. This will
override any learned interface-to-MAC mappings.
Virtual Wire Name Enter a virtual wire name (up to 31 characters). This name appears in the
list of virtual wires when configuring interfaces. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Interfaces Select two Ethernet interfaces from the displayed list for the virtual wire
configuration. Interfaces are listed here only if they have the virtual wire
interface type and have not been assigned to another virtual wire.
For information on virtual wire interfaces, see Virtual Wire Interface.
Tag Allowed Enter the tag number (0-4094) or range of tag numbers (tag1-tag2) for the
traffic allowed on the virtual wire. A tag value of zero (default) indicates
untagged traffic. Multiple tags or ranges must be separated by commas.
Traffic that has an excluded tag value is dropped.
When utilizing virtual wire subinterfaces, the Tag Allowed list will cause all
traffic with the listed tags to be classified to the parent virtual wire. Virtual
wire subinterfaces must utilize tags that do not exist in the parent's Tag
Allowed list.
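An added Python example, not PAN-OS code, that parses a Tag Allowed string in the format the field accepts and shows how a tagged frame is classified between a parent virtual wire and its subinterfaces. The tag lists and the subinterface name ethernet1/1.200 are constructed. It also enforces the rule that subinterface tags must not appear in the parent's Tag Allowed list, since such traffic would be claimed by the parent.

```python
from typing import Dict, Set


def parse_tag_allowed(spec: str) -> Set[int]:
    """Parse a Tag Allowed string such as '0,100-110,200' into a set of tags.

    Tags run 0-4094; 0 stands for untagged traffic. Ranges are written
    tag1-tag2 and entries are separated by commas, as the field accepts them.
    """
    tags: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo_s, sep, hi_s = item.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if sep else lo
        if not 0 <= lo <= hi <= 4094:
            raise ValueError(f"tag entry out of range: {item!r}")
        tags.update(range(lo, hi + 1))
    return tags


def validate_subinterfaces(parent_allowed: Set[int], subinterfaces: Dict[str, Set[int]]) -> None:
    """Reject a subinterface tag that is also in the parent's Tag Allowed list."""
    for name, subtags in subinterfaces.items():
        overlap = subtags & parent_allowed
        if overlap:
            raise ValueError(f"{name}: tags {sorted(overlap)} already allowed on the parent virtual wire")


def classify_frame(tag: int, parent_allowed: Set[int], subinterfaces: Dict[str, Set[int]]) -> str:
    """Return 'parent', the matching subinterface name, or 'drop' for a frame's 802.1Q tag."""
    validate_subinterfaces(parent_allowed, subinterfaces)
    if tag in parent_allowed:
        return "parent"
    for name, subtags in subinterfaces.items():
        if tag in subtags:
            return name
    return "drop"


if __name__ == "__main__":
    parent = parse_tag_allowed("0,100-110")                  # constructed configuration
    subs = {"ethernet1/1.200": parse_tag_allowed("200")}     # constructed subinterface
    for t in (0, 105, 200, 300):
        print(t, classify_frame(t, parent, subs))
```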
Multicast Firewalling Select if you want to be able to apply security rules to multicast traffic. If
this setting is not enabled, multicast traffic is forwarded across the virtual
wire.
Link State Pass Through Select if you want to bring down the other interface in a virtual wire pair
when a down link state is detected. If you do not select or you disable this
option, link status is not propagated across the virtual wire.
More Runtime Stats for a Virtual Router View information about a virtual router.
Name Specify a name to describe the virtual router (up to 31 characters). The
name is case-sensitive and must be unique. Use only letters, numbers,
spaces, hyphens, and underscores.
Interfaces Select the interfaces that you want to include in the virtual router so that
they can be used as outgoing interfaces in the virtual router’s routing table.
To specify the interface type, refer to Network > Interfaces.
Static Routes
• Network > Virtual Routers > Static Routes
Optionally add one or more static routes. Click the IP or IPv6 tab to specify the route using an IPv4 or IPv6
address. It is usually necessary to configure default routes (0.0.0.0/0) here. Default routes are applied for
destinations that are otherwise not found in the virtual router’s routing table.
Name Enter a name to identify the static route (up to 31 characters). The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Interface Select the interface to forward packets to the destination, or configure the
next hop settings, or both.
Admin Distance Specify the administrative distance for the static route (10-240; default is
10).
Route Table Select the route table into which the firewall installs the static route:
• Unicast—Installs the route into the unicast route table.
• Multicast—Installs the route into the multicast route table.
• Both—Installs the route into the unicast and multicast route tables.
• No Install—Does not install the route in the route table (RIB); the firewall
retains the static route for future reference until you delete the route.
BFD Profile To enable Bidirectional Forwarding Detection (BFD) for a static route on
a PA-3200 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall,
select one of the following:
• default (default BFD settings)
• a BFD profile that you have created on the firewall
• New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for the static route.
To use BFD on a static route:
• Both the firewall and the peer at the opposite end of the static route
must support BFD sessions.
• The static route Next Hop type must be IP Address and you must enter
a valid IP address.
• The Interface setting cannot be None; you must select an interface
(even if you are using a DHCP address).
Path Monitoring Select to enable path monitoring for the static route.
Failure Condition Select the condition under which the firewall considers the monitored path
down and thus the static route down:
• Any—If any one of the monitored destinations for the static route is
unreachable by ICMP, the firewall removes the static route from the RIB
and FIB and adds the dynamic or static route that has the next lowest
metric going to the same destination to the FIB.
• All—If all of the monitored destinations for the static route are
unreachable by ICMP, the firewall removes the static route from the RIB
and FIB and adds the dynamic or static route that has the next lowest
metric going to the same destination to the FIB.
Select All to avoid the possibility of a single monitored destination signaling
a static route failure when that monitored destination is simply offline for
maintenance, for example.
Preemptive Hold Time (min) Enter the number of minutes a downed path monitor must remain in Up
state (the path monitor evaluates all of its member monitored destinations)
before the firewall reinstalls the static route into the RIB. If the timer
expires without the link going down or flapping, the link is deemed stable,
the path monitor can remain Up, and the firewall can add the static route
back into the RIB.
Enable Select to enable path monitoring of this specific destination for the static
route; the firewall sends ICMP pings to this destination.
Source IP Select the IP address that the firewall will use as the source in the ICMP
ping to the monitored destination:
• If the interface has multiple IP addresses, select one.
• If you select an interface, the firewall uses the first IP address assigned
to the interface by default.
• If you select DHCP (Use DHCP Client address), the firewall uses the
address that DHCP assigned to the interface. To see the DHCP address,
select Network > Interfaces > Ethernet and in the row for the Ethernet
interface, click on Dynamic DHCP Client. The IP Address appears in the
Dynamic IP Interface Status window.
Destination IP Enter a robust, stable IP address or address object for which the firewall
will monitor the path. The monitored destination and the static route
destination must use the same address family (IPv4 or IPv6).
Ping Interval (sec) Specify the ICMP ping interval in seconds to determine how frequently the
firewall monitors the path (pings the monitored destination; range is 1-60;
default is 3).
Ping Count Specify the number of consecutive ICMP ping packets that do not return
from the monitored destination before the firewall considers the link down.
Based on the Any or All failure condition, if path monitoring is in failed
state, the firewall removes the static route from the RIB (range is 3-10;
default is 5).
For example, a Ping Interval of 3 seconds and Ping Count of 5 missed pings
(the firewall receives no ping in the last 15 seconds) means path monitoring
detects a link failure. If path monitoring is in failed state and the firewall
receives a ping after 15 seconds, the link is deemed up; based on the Any or
All failure condition, path monitoring to Any or All monitored destinations
can be deemed up, and the Preemptive Hold Time starts.
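A worked simulation of the path-monitoring rules described above (Ping Interval, Ping Count, the Any/All failure condition, and Preemptive Hold Time), written as an added Python example rather than taken from the firewall. The destinations 203.0.113.1 and 203.0.113.2 and the ping results are constructed. It assumes each ping round takes one Ping Interval and that the hold timer restarts from zero whenever the path fails again.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class MonitoredDestination:
    address: str
    ping_interval: int = 3    # seconds between ICMP pings (range 1-60)
    ping_count: int = 5       # consecutive missed pings before the destination is down (3-10)
    missed: int = 0

    def record(self, replied: bool) -> None:
        self.missed = 0 if replied else self.missed + 1

    @property
    def down(self) -> bool:
        return self.missed >= self.ping_count

    @property
    def detection_seconds(self) -> int:
        """Silence needed before this destination counts as unreachable."""
        return self.ping_interval * self.ping_count


@dataclass
class StaticRoutePathMonitor:
    destinations: List[MonitoredDestination]
    failure_condition: str = "all"      # "any" or "all"
    preemptive_hold_min: int = 2
    route_in_rib: bool = True
    hold_elapsed_sec: int = 0

    def path_failed(self) -> bool:
        states = [d.down for d in self.destinations]
        if self.failure_condition == "any":
            return any(states)
        if self.failure_condition == "all":
            return all(states)
        raise ValueError("failure_condition must be 'any' or 'all'")

    def observe(self, replies: Dict[str, bool], elapsed_sec: int) -> bool:
        """Feed one ping round (address -> reply received) and return whether
        the static route is installed in the RIB afterwards."""
        for d in self.destinations:
            d.record(replies.get(d.address, False))
        if self.path_failed():
            self.route_in_rib = False
            self.hold_elapsed_sec = 0          # a new failure restarts the hold
        elif not self.route_in_rib:
            self.hold_elapsed_sec += elapsed_sec
            if self.hold_elapsed_sec >= self.preemptive_hold_min * 60:
                self.route_in_rib = True       # stable for the whole hold time
        return self.route_in_rib


def simulate(failure_condition: str, rounds: List[Dict[str, bool]],
             interval: int = 3, count: int = 5, hold_min: int = 2) -> List[bool]:
    """Constructed scenario: two monitored destinations, fed one round at a time."""
    monitor = StaticRoutePathMonitor(
        destinations=[MonitoredDestination("203.0.113.1", interval, count),
                      MonitoredDestination("203.0.113.2", interval, count)],
        failure_condition=failure_condition,
        preemptive_hold_min=hold_min,
    )
    return [monitor.observe(r, interval) for r in rounds]


if __name__ == "__main__":
    silent = [{"203.0.113.1": False, "203.0.113.2": True}] * 5    # one destination offline
    healthy = [{"203.0.113.1": True, "203.0.113.2": True}] * 40   # both reply again
    for cond in ("any", "all"):
        installed = simulate(cond, silent + healthy)
        print(cond, "route removed at round", installed.index(False) + 1 if False in installed else "never")
```

With Any, the route leaves the RIB after the fifth missed ping (15 seconds of silence at the defaults) and returns only after a further two minutes of stable replies; with All, the same single-destination outage never removes the route, which is why the table recommends All for destinations that may be taken down for maintenance.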
Route Redistribution
• Network > Virtual Router > Redistribution Profiles
Redistribution profiles direct the firewall to filter, set priority, and perform actions based on desired
network behavior. Route redistribution allows static routes and routes that are acquired by other protocols
to be advertised through specified routing protocols.
Priority Enter a priority (range is 1-255) for this profile. Profiles are matched in
order (lowest number first).
Interface Select the interfaces to specify the forwarding interfaces of the candidate
route.
Destination To specify the destination of the candidate route, enter the destination IP
address or subnet (format x.x.x.x or x.x.x.x/n) and click Add. To remove an
entry, click Remove.
Next Hop To specify the gateway of the candidate route, enter the IP address or
subnet (format x.x.x.x or x.x.x.x/n) that represents the next hop and click
Add. To remove an entry, click Remove.
Path Type Select the route types of the candidate OSPF route.
Area Specify the area identifier for the candidate OSPF route. Enter the OSPF
area ID (format x.x.x.x), and click Add.
To remove an entry, click Remove.
Tag Specify OSPF tag values. Enter a numeric tag value (1-255), and click Add.
To remove an entry, click Remove.
RIP
• Network > Virtual Routers > RIP
Configuring the Routing Information Protocol (RIP) includes the following general settings:
Reject Default Route (Recommended) Select if you do not want to learn any default routes
through RIP.
BFD To enable Bidirectional Forwarding Detection (BFD) for RIP globally for the
virtual router on a PA-5200 Series, PA-7000 Series, and VM-Series firewall,
select one of the following:
• default (profile with the default BFD settings)
• a BFD profile that you have created on the firewall
• New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for all RIP interfaces on the
virtual router; you cannot enable BFD for a single RIP interface.
Advertise Select to enable advertisement of a default route to RIP peers with the
specified metric value.
Metric Specify a metric value for the router advertisement. This field is visible only
if you enable Advertise.
BFD To enable BFD for a RIP interface (and thereby override the BFD setting for
RIP, as long as BFD is not disabled for RIP at the virtual router level), select
one of the following:
• default (profile with the default BFD settings)
• a BFD profile that you created on the firewall
• New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for the RIP interface.
RIP Timing
Interval Seconds (sec) Define the length of the timer interval in seconds. This duration is used for
the remaining RIP timing fields (range is 1-60).
Update Intervals Enter the number of intervals between route update announcements (range
is 1-3,600).
Expire Intervals Enter the number of intervals between the time that the route was last
updated to its expiration (range is 1-3,600).
Delete Intervals Enter the number of intervals between the time that the route expires to its
deletion (range is 1-3,600).
Profile Name Enter a name for the authentication profile to authenticate RIP messages.
Allow Redistribute Default Route Select to permit the firewall to redistribute its default route to peers.
Redistribution Profile Click Add and select or create a redistribution profile that allows you to
modify route redistribution, filter, priority, and action based on the desired
network behavior. Refer to Route Redistribution.
OSPF
• Network > Virtual Router > OSPF
Configuring the Open Shortest Path First (OSPF) protocol requires you to configure the following general
settings (except BFD, which is optional):
Reject Default Route (Recommended) Select if you do not want to learn any default routes
through OSPF.
Router ID Specify the router ID associated with the OSPF instance in this virtual
router. The OSPF protocol uses the router ID to uniquely identify the OSPF
instance.
Areas
Area ID Configure the area over which the OSPF parameters can be applied.
Enter an identifier for the area in x.x.x.x format. This is the identifier that
each neighbor must accept to be part of the same area.
Range Click Add to aggregate LSA destination addresses in the area into subnets.
Enable or suppress advertising LSAs that match the subnet, and click OK.
Repeat to add additional ranges.
Interface Add an interface to be included in the area and enter the following
information:
• Interface—Choose the interface.
• Enable—Cause the OSPF interface settings to take effect.
• Passive—Select if you do not want the OSPF interface to send or receive
OSPF packets. Although OSPF packets are not sent or received if you
choose this option, the interface is included in the LSA database.
• Link type—Choose Broadcast if you want all neighbors that are
accessible through the interface to be discovered automatically by
multicasting OSPF hello messages, such as an Ethernet interface.
Choose p2p (point-to-point) to automatically discover the neighbor.
Choose p2mp (point-to-multipoint) when neighbors must be defined
manually. Defining neighbors manually is allowed only for p2mp mode.
• Metric—Enter the OSPF metric for this interface (0-65,535).
• Priority—Enter the OSPF priority for this interface (0-255). It is the
priority for the router to be elected as a designated router (DR) or as a
backup DR (BDR) according to the OSPF protocol. When the value is
zero, the router will not be elected as a DR or BDR.
• Auth Profile—Select a previously-defined authentication profile.
• BFD—To enable Bidirectional Forwarding Detection (BFD) for an OSPF
peer interface (and thereby override the BFD setting for OSPF, as long
as BFD is not disabled for OSPF at the virtual router level), select one of
the following:
• default (default BFD settings)
• a BFD profile that you have created on the firewall
• New BFD Profile to create a new BFD profile
• Select None (Disable BFD) to disable BFD for the OSPF peer
interface.
• Hello Interval (sec)—Interval, in seconds, at which the OSPF process
sends hello packets to its directly connected neighbors (range is 0-3600;
default is 10).
• Dead Counts—Number of times the hello interval can occur for a
neighbor without OSPF receiving a hello packet from the neighbor,
before OSPF considers that neighbor down. The Hello Interval
multiplied by the Dead Counts equals the value of the dead timer (range
is 3-20; default is 4).
• Retransmit Interval (sec)—Length of time, in seconds, that OSPF waits
to receive a link-state advertisement (LSA) from a neighbor before OSPF
retransmits the LSA (range is 0-3,600; default is 10).
• Transit Delay (sec)—Length of time, in seconds, that an LSA is delayed
before it is sent out of an interface (range is 0-3,600; default is 1).
Interface (cont) • Graceful Restart Hello Delay (sec)—Applies to an OSPF interface when
Active/Passive High Availability is configured. Graceful Restart Hello
Delay is the length of time during which the firewall sends Grace LSA
packets at 1-second intervals. During this time, no hello packets are
sent from the restarting firewall. During the restart, the dead timer
(which is the Hello Interval multiplied by the Dead Counts) is also
counting down. If the dead timer is too short, the adjacency will go
Virtual Link Configure the virtual link settings to maintain or enhance backbone area
connectivity. The settings must be defined for area border routers, and
must be defined within the backbone area (0.0.0.0). Click Add, enter the
following information for each virtual link to be included in the backbone
area, and click OK.
• Name—Enter a name for the virtual link.
• Neighbor ID—Enter the router ID of the router (neighbor) on the other
side of the virtual link.
• Transit Area—Enter the area ID of the transit area that physically
contains the virtual link.
• Enable—Select to enable the virtual link.
• Timing—It is recommended that you keep the default timing settings.
• Auth Profile—Select a previously-defined authentication profile.
Profile Name Enter a name for the authentication profile. To authenticate the OSPF
messages, first define the authentication profiles and then apply them to
interfaces on the OSPF tab.
Name Select the name of a redistribution profile. The value must be an IP subnet
or valid redistribution profile name.
New Tag Specify a tag for the matched route that has a 32-bit value.
Metric (Optional) Specify the route metric to be associated with the exported
route and used for path selection (range is 1-65,535).
RFC 1583 Compatibility Select to ensure compatibility with RFC 1583 (OSPF Version 2).
Timers • SPF Calculation Delay (sec)—Allows you to tune the delay time between
receiving new topology information and performing an SPF calculation.
Lower values enable faster OSPF re-convergence. Routers peering with
the firewall should be tuned in a similar manner to optimize convergence
times.
• LSA Interval (sec)—Specifies the minimum time between transmissions
of two instances of the same LSA (same router, same type, same LSA
ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can
be used to reduce re-convergence times when topology changes occur.
OSPFv3
• Network > Virtual Router > OSPFv3
Configuring the Open Shortest Path First v3 (OSPFv3) protocol requires configuring the first three settings
in the following table (BFD is optional):
Reject Default Route Select if you do not want to learn any default routes through OSPF.
Router ID Specify the router ID associated with the OSPF instance in this virtual
router. The OSPF protocol uses the router ID to uniquely identify the OSPF
instance.
Authentication Select the name of the Authentication profile that you want to
specify for this OSPF area.
Range Click Add to aggregate LSA destination IPv6 addresses in the area
by subnet. Enable or suppress advertising LSAs that match the
subnet, and click OK. Repeat to add additional ranges.
Interface Click Add and enter the following information for each interface
to be included in the area, and click OK.
• Interface—Choose the interface.
• Enable—Cause the OSPF interface settings to take effect.
• Instance ID—Enter an OSPFv3 instance ID number.
• Passive—Select if you do not want the OSPF interface to
send or receive OSPF packets. Although OSPF packets are
not sent or received if you choose this option, the interface is
included in the LSA database.
• Link type—Choose Broadcast if you want all neighbors that are
accessible through the interface to be discovered automatically
by multicasting OSPF hello messages, such as an Ethernet
interface. Choose p2p (point-to-point) to automatically
discover the neighbor. Choose p2mp (point-to-multipoint)
when neighbors must be defined manually. Defining neighbors
manually is allowed only for p2mp mode.
• Metric—Enter the OSPF metric for this interface (0-65,535).
• Priority—Enter the OSPF priority for this interface (0-255). It is
the priority for the router to be elected as a designated router
(DR) or as a backup DR (BDR) according to the OSPF protocol.
When the value is zero, the router will not be elected as a DR
or BDR.
Profile Name Enter a name for the authentication profile. To authenticate the
OSPF messages, first define the authentication profiles and then
apply them to interfaces on the OSPF tab.
SPI Specify the security parameter index (SPI) for packet traversal
from the remote firewall to the peer.
New Tag Specify a tag for the matched route that has a 32-bit value.
Disable Transit Routing for SPF Calculation Select if you want to clear the R-bit in router LSAs sent from this
firewall to indicate that the firewall is not active for transit. When in this
state, the firewall participates in OSPFv3 but other routers do not
send transit traffic through it. In this state, local traffic will still be forwarded
to the firewall. This is useful while performing maintenance with a
dual-homed network because traffic can be re-routed around the
firewall while it can still be reached.
BGP
• Network > Virtual Router > BGP
Configuring Border Gateway Protocol (BGP) requires you to configure Basic BGP Settings to enable BGP
and configure the Router ID and AS Number as described in the following table. In addition, you must
configure a BGP peer as part of a BGP peer group.
Configure the remaining BGP settings on the following tabs as needed for your network:
• General: See BGP General Tab.
AS Number Enter the number of the AS to which the virtual router belongs,
based on the router ID (range is 1 to 4,294,967,295).
Reject Default Route (BGP > General) Select to ignore any default routes that are advertised by BGP peers.
Install Route Select to install BGP routes in the global routing table.
Aggregate MED Select to enable route aggregation even when routes have different
Multi-Exit Discriminator (MED) values.
Default Local Preference Specifies a value that the firewall can use to determine preferences
among different paths.
Auth Profiles Add a new auth profile and configure the following settings:
• Profile Name—Enter a name to identify the profile.
• Secret/Confirm Secret—Enter and confirm a passphrase for BGP
peer communications.
Delete profiles when you no longer need them.
ECMP Multiple AS Support (BGP > Advanced) Select if you enable ECMP for a virtual router and you want to run
ECMP over multiple BGP autonomous systems.
Enforce First AS for EBGP Causes the firewall to drop an incoming Update packet from an
eBGP peer that doesn’t list the eBGP peer’s own AS number as
the first AS number in the AS_PATH attribute. This prevents BGP
from further processing a spoofed or erroneous Update packet that
arrives from an AS other than a neighboring AS. Default is enabled.
Confederation Member AS Specify the autonomous system number identifier that is visible only
within the BGP confederation (also called a sub-autonomous system
number). Use a BGP confederation to divide autonomous systems
into sub-autonomous systems and reduce full mesh peering.
Dampening Profiles (BGP > Advanced) Route dampening is a method that determines whether a route is
suppressed from being advertised because it is flapping. Route
dampening can reduce the number of times routers are forced to
reconverge due to routes flapping. Settings include:
• Profile Name—Enter a name to identify the profile.
• Enable—Activate the profile.
• Cutoff—Specify a route withdrawal threshold above which a
route advertisement is suppressed (range is 0.0-1,000.0; default
is 1.25).
• Reuse—Specify a route withdrawal threshold below which a
suppressed route is used again (range is 0.0-1,000.0; default is
5).
• Max. Hold Time—Specify the maximum length of time, in
seconds, that a route can be suppressed, regardless of how
unstable it has been (range is 0-3,600; default is 900).
• Decay Half Life Reachable—Specify the length of time, in
seconds, after which a route’s stability metric is halved if the
firewall considers the route is reachable (range is 0-3,600;
default is 300).
• Decay Half Life Unreachable—Specify the length of time, in
seconds, after which a route’s stability metric is halved if the
firewall considers the route is unreachable (range is 0-3,600;
default is 300).
Delete profiles when you no longer need them.
Name (BGP > Peer Group) Enter a name to identify the peer group.
Enable Select to activate the peer group.
Soft Reset with Stored Info Select to perform a soft reset of the firewall after updating the peer
settings.
Type Specify the type of peer or group and configure the associated
settings (see below in this table for descriptions of Import Next Hop
and Export Next Hop).
• IBGP—Specify the following:
• Export Next Hop
• EBGP Confed—Specify the following:
• Export Next Hop
• IBGP Confed—Specify the following:
• Export Next Hop
• EBGP—Specify the following:
• Import Next Hop
• Export Next Hop
• Remove Private AS (select if you want to force BGP to
remove private AS numbers from the AS_PATH attribute).
Name (BGP > Peer Group > Peer) Add a New BGP peer and enter a name to identify it.
Enable Select to activate the peer.
Enable MP-BGP Extensions (BGP > Peer Group > Peer > Addressing) Enables the firewall to support the Multiprotocol BGP Address
Family Identifier for IPv4 and IPv6 and Subsequent Address Family
Identifier options per RFC 4760.
Address Family Type Select either the IPv4 or IPv6 address family that BGP sessions with
this peer will support.
Peer Address—Type and Address Select the type of address that identifies the peer:
• IP—Select IP and select an address object that uses an IP address
(or create a new address object that uses an IP address).
• FQDN—Select FQDN and select an address object that uses an
FQDN (or create a new address object that uses an FQDN).
Auth Profile (BGP > Peer Group > Peer > Connection Options) Select a profile or select New Auth Profile from the drop down.
Enter a Profile Name and the Secret, and Confirm Secret.
Keep Alive Interval Specify an interval after which routes from a peer are suppressed
according to the hold time setting (range is 0-1,200 seconds; default
is 30 seconds).
Multi Hop Set the time-to-live (TTL) value in the IP header (range is 0 to 255;
default is 0). The default value of 0 means 1 for eBGP. The default
value of 0 means 255 for iBGP.
Open Delay Time Specify the delay time between opening the peer TCP connection
and sending the first BGP open message (range is 0-240 seconds;
default is 0 seconds).
Hold Time Specify the period of time that may elapse between successive
KEEPALIVE or UPDATE messages from a peer before the peer
Idle Hold Time Specify the time to wait in the idle state before retrying connection
to the peer (range is 1-3,600 seconds; default is 15 seconds).
Incoming Connections—Remote Port Specify the incoming port number and Allow traffic to this port.
Outgoing Connections—Local Port Specify the outgoing port number and Allow traffic from this port.
Reflector Client (BGP > Peer Group > Peer > Advanced): Select the type of reflector client (Non-Client, Client, or Meshed Client). Routes that are received from reflector clients are shared with all internal and external BGP peers.
Enable Sender Side Loop Detection: Enable to cause the firewall to check the AS_PATH attribute of a route in its FIB before it sends the route in an update, to ensure that the peer's AS number is not already on the AS_PATH list. If it is, the firewall withholds the route from that peer to prevent a loop. Usually the receiver does loop detection; this optimization has the sender do it as well, which avoids sending updates the peer would only discard.
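The Keep Alive Interval, Hold Time and Multi Hop fields above interact in ways the field descriptions do not spell out. The following Python example, added here and not part of the PAN-OS documentation or product code, shows how a BGP speaker derives the timers a session actually runs with (per RFC 4271: the negotiated hold time is the smaller of the two sides' proposals, a hold time of 0 disables the hold timer and any other value must be at least 3 seconds, and the keepalive interval should not exceed one third of the hold time) and how the Multi Hop default of 0 resolves to a TTL of 1 for eBGP and 255 for iBGP. The function names and the sample values are assumptions of the example; "keepalive 0 means send none" is also an assumption, since the page only gives the field's range.

```python
from dataclasses import dataclass

# RFC 4271, section 4.2: a Hold Time of 0 disables the hold timer; any other
# value must be at least 3 seconds. All values below are in seconds.
MIN_NONZERO_HOLD_TIME = 3


@dataclass(frozen=True)
class SessionTimers:
    hold_time: int   # negotiated hold time; 0 means the session never times out
    keepalive: int   # interval at which this side sends KEEPALIVE; 0 means none


def negotiate_timers(local_hold: int, local_keepalive: int, peer_hold: int) -> SessionTimers:
    """Derive the timers a session actually runs with.

    local_hold and local_keepalive are the firewall's Hold Time and Keep Alive
    Interval fields; peer_hold is the Hold Time the peer proposed in its OPEN.
    """
    for value in (local_hold, peer_hold):
        if value != 0 and value < MIN_NONZERO_HOLD_TIME:
            raise ValueError(f"hold time {value}: must be 0 or >= {MIN_NONZERO_HOLD_TIME}")
    # Both speakers use the smaller of the two proposed hold times.
    hold = min(local_hold, peer_hold)
    if hold == 0 or local_keepalive == 0:
        # No hold timer on the session, or keepalives disabled locally (assumed
        # meaning of a 0 interval): nothing is sent.
        return SessionTimers(hold_time=hold, keepalive=0)
    # One third of the hold time is the conventional maximum, so a configured
    # interval above that is clamped; otherwise the peer could expire us.
    return SessionTimers(hold_time=hold, keepalive=min(local_keepalive, hold // 3))


def hold_timer_expired(seconds_since_last_message: float, timers: SessionTimers) -> bool:
    """True once the peer has been silent (no KEEPALIVE or UPDATE) for longer
    than the negotiated hold time. A hold time of 0 never expires."""
    if timers.hold_time == 0:
        return False
    return seconds_since_last_message > timers.hold_time


def effective_ttl(multi_hop: int, ebgp: bool) -> int:
    """Resolve the Multi Hop field to the TTL written into the IP header.

    0 keeps the protocol default: 1 for eBGP, so the packets cannot cross a
    router and the peer must be directly connected, and 255 for iBGP.
    """
    if not 0 <= multi_hop <= 255:
        raise ValueError(f"multi hop {multi_hop} outside 0-255")
    if multi_hop != 0:
        return multi_hop
    return 1 if ebgp else 255


if __name__ == "__main__":
    timers = negotiate_timers(local_hold=90, local_keepalive=30, peer_hold=180)
    print(timers)                       # SessionTimers(hold_time=90, keepalive=30)
    print(effective_ttl(0, ebgp=True))  # 1
```

A practical consequence of the TTL rule: an eBGP peer that is one router hop away will cycle between Idle, Connect and Active with Multi Hop left at 0, because the TCP segments expire before they arrive. Raise Multi Hop only as far as the topology needs, since a larger TTL also accepts sessions from farther away.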
Used By: Select the peer groups that will use this rule.
AS-Path Regular Expression (BGP > Import or Export > Match): Specify a regular expression for filtering of AS paths.
Route Table: For an Import Rule, specify which route table the matching routes will be imported into: unicast, multicast, or both. For an Export Rule, specify which route table the matching routes will be exported from: unicast, multicast, or both.
Next Hop: Specify next hop routers or subnets for route filtering.
Action (BGP > Import or Export > Action): Specify an action (Allow or Deny) to take when the match conditions are met.
Dampening: Specify the dampening parameter, only if the action is Allow.
MED: Specify a MED value, only if the action is Allow (0-65,535).
Weight: Specify a weight value, only if the action is Allow (0-65,535).
Next Hop: Specify a next hop router, only if the action is Allow.
Origin: Specify the path type of the originating route (IGP, EGP, or incomplete), only if the action is Allow.
Delete rules when you no longer need them or Clone a rule when appropriate. You can also select rules and Move Up or Move Down to change their order.
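The Remove Private AS option on the peer group, the Enable Sender Side Loop Detection option on the peer, and the AS-Path Regular Expression match in the import and export rules all operate on a route's AS_PATH. The following Python example, added here and not taken from the PAN-OS documentation or product code, shows those three operations on a constructed AS_PATH and an ordered rule list. The private-AS ranges are those of RFC 6996; the space-separated text form the regular expression is matched against, the first-match evaluation of ordered rules, and the function names are assumptions of the example.

```python
from __future__ import annotations

import re
from typing import Iterable, Optional, Sequence, Tuple

# RFC 6996 private-use AS number ranges (16-bit and 32-bit).
PRIVATE_AS_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_as(asn: int) -> bool:
    return any(low <= asn <= high for low, high in PRIVATE_AS_RANGES)


def remove_private_as(as_path: Sequence[int]) -> list[int]:
    """The Remove Private AS option: strip private ASNs from the AS_PATH.

    This strips every private ASN wherever it appears. Some implementations
    only strip leading private ASNs; the page does not say which rule the
    firewall applies, so this is the simplest reading (an assumption).
    """
    return [asn for asn in as_path if not is_private_as(asn)]


def sender_side_loop_detected(as_path: Sequence[int], peer_as: int) -> bool:
    """Sender Side Loop Detection: a route whose AS_PATH already contains the
    peer's AS must not be sent to that peer, which would only discard it."""
    return peer_as in as_path


def as_path_text(as_path: Sequence[int]) -> str:
    # Assumed representation for regex matching: ASNs separated by single
    # spaces, leftmost first (the AS the route was received from).
    return " ".join(str(asn) for asn in as_path)


def as_path_matches(as_path: Sequence[int], pattern: str) -> bool:
    """AS-Path Regular Expression match as used by the import/export,
    aggregate suppress/advertise and conditional advertisement filters."""
    return re.search(pattern, as_path_text(as_path)) is not None


def build_outbound_as_path(as_path: Sequence[int], local_as: int, peer_as: int, *,
                           ebgp: bool, remove_private: bool, loop_detection: bool) -> Optional[list[int]]:
    """AS_PATH the firewall would send to peer_as, or None when sender-side
    loop detection withholds the route from that peer."""
    if loop_detection and sender_side_loop_detected(as_path, peer_as):
        return None
    path = list(as_path)
    if remove_private:
        path = remove_private_as(path)
    if ebgp:
        path.insert(0, local_as)  # a speaker prepends its own AS on eBGP sessions
    return path


def evaluate_rules(as_path: Sequence[int], rules: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Ordered import/export rules as (as_path_regex, action) pairs. The first
    rule whose regex matches decides (assumed; the page only says that rules
    can be reordered). Returns None when nothing matches, so the caller
    applies its own default rather than one invented here."""
    for pattern, action in rules:
        if as_path_matches(as_path, pattern):
            return action
    return None


if __name__ == "__main__":
    # Constructed sample: a route learned with AS_PATH "65010 3356", to be sent to AS 174.
    print(build_outbound_as_path([65010, 3356], 65000, 174,
                                 ebgp=True, remove_private=True, loop_detection=True))  # [65000, 3356]
    # A bare ^5000 also matches AS 50001; anchor the ASN to avoid that.
    print(as_path_matches([50001, 3356], r"^5000"), as_path_matches([50001, 3356], r"^5000(\s|$)"))  # True False
```

The regular-expression caveat matters when writing Suppress or Advertise filters: on a space-separated AS_PATH, `^5000` matches any path that starts with an ASN whose decimal form begins with 5000, so terminate the pattern (`^5000(\s|$)`) when you mean exactly AS 5000.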
Policy (BGP > Conditional Adv): Specify a name for this conditional advertisement policy rule.
Enable: Select to enable this conditional advertisement policy rule.
Used By: Add the peer groups that will use this conditional advertisement policy rule.
Non Exist Filter (BGP > Conditional Adv > Non Exist Filters): Use this tab to specify the prefix(es) of the preferred route, that is, the route whose absence from the local BGP routing table triggers advertisement of the alternate route. If a prefix matching a Non Exist filter is present in the local routing table, advertisement of the alternate route is suppressed. Add a Non Exist Filter and specify a name to identify this filter.
Route Table: Specify which route table (unicast, multicast, or both) the firewall will search to see if the matched route is present. Only if the matched route is not present in that route table will the firewall allow the advertisement of the alternate route.
Address Prefix: Add the exact Network Layer Reachability Information (NLRI) prefix for the preferred route(s).
Next Hop: Specify next hop routers or subnets for filtering the route.
Advertise Filter (BGP > Conditional Adv > Advertise Filters): Use this tab to specify the prefix(es) of the route in the Local-RIB routing table to advertise if the route in the Non Exist filter is not available in the local routing table. If a prefix is to be advertised and does not match a Non Exist filter, the advertisement will occur. Add an Advertise Filter and specify a name to identify this filter.
Route Table: Specify which route table the firewall uses when a matched route is to be conditionally advertised: unicast, multicast, or both.
Address Prefix: Add the exact Network Layer Reachability Information (NLRI) prefix for the route to be advertised if the preferred route is not available.
Next Hop: Specify next hop routers or subnets for route filtering.
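Conditional advertisement is easiest to reason about as a function over the local routing table. The following Python example, added here and not part of the PAN-OS documentation or product code, evaluates a policy with one Non Exist filter and one Advertise filter against a constructed Local-RIB, applying the exact-NLRI match and the unicast/multicast route table selection described above. The dictionary representation of the Local-RIB and the function names are assumptions of the example.

```python
from ipaddress import ip_network
from typing import Dict, Iterable, List, Set

# Constructed representation of the Local-RIB: route table name -> set of prefixes.
Rib = Dict[str, Set[str]]


def _norm(prefix: str) -> str:
    """Canonical CIDR text so that '203.0.113.1/24' and '203.0.113.0/24' compare equal."""
    return str(ip_network(prefix, strict=False))


def _tables(route_table: str) -> List[str]:
    """Expand the Route Table selector (unicast, multicast, or both)."""
    if route_table == "both":
        return ["unicast", "multicast"]
    if route_table in ("unicast", "multicast"):
        return [route_table]
    raise ValueError(f"unknown route table {route_table!r}")


def _present(rib: Rib, route_table: str) -> Set[str]:
    """All prefixes currently in the selected table(s), in canonical form."""
    present: Set[str] = set()
    for table in _tables(route_table):
        present.update(_norm(p) for p in rib.get(table, ()))
    return present


def preferred_route_present(rib: Rib, non_exist_prefixes: Iterable[str], route_table: str) -> bool:
    """True when any Non Exist Filter prefix is in the selected table(s).
    The match is on the exact NLRI: a more specific route does not count."""
    wanted = {_norm(p) for p in non_exist_prefixes}
    return bool(wanted & _present(rib, route_table))


def conditional_advertisements(rib: Rib, non_exist_prefixes: Iterable[str],
                               advertise_prefixes: Iterable[str], route_table: str) -> List[str]:
    """Prefixes from the Advertise Filter that the policy lets BGP advertise:
    none while the preferred route exists, otherwise those Advertise Filter
    prefixes that are actually present in the Local-RIB."""
    if preferred_route_present(rib, non_exist_prefixes, route_table):
        return []
    wanted = {_norm(p) for p in advertise_prefixes}
    return sorted(wanted & _present(rib, route_table))


if __name__ == "__main__":
    # Constructed Local-RIB: the preferred 203.0.113.0/24 has disappeared and only
    # the alternate 198.51.100.0/24 remains, so the alternate is advertised.
    rib: Rib = {"unicast": {"198.51.100.0/24"}, "multicast": set()}
    print(conditional_advertisements(rib, ["203.0.113.0/24"], ["198.51.100.0/24"], "unicast"))  # ['198.51.100.0/24']
```

Two cases in the test below are worth checking on a real policy: a more specific route (203.0.113.0/25) does not satisfy a Non Exist filter for 203.0.113.0/24, and a preferred route that exists only in the multicast table does not suppress advertisement when the filter's Route Table is set to unicast.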
AS Set: Select to cause the firewall, for this aggregation rule, to include the set of AS numbers (AS set) in the AS path of the aggregate route.
Name (BGP > Aggregate > Suppress Filters): Define the attributes that will cause the matched routes to be suppressed. Add and enter a name for a Suppress Filter.
Enable: Select to enable the Suppress Filter.
AS Path Regular Expression: Specify a regular expression for AS_PATH to filter which routes will be aggregated; for example, ^5000 matches routes whose AS_PATH begins with 5000, that is, routes learned from a peer in AS 5000.
MED: Specify the MED that filters which routes will be aggregated.
Route Table: Specify which route table to use for aggregated routes that should be suppressed (not advertised): unicast, multicast, or both.
Address Prefix: Enter the IP address that you want to suppress from advertisement.
Next Hop: Enter the next hop address of the BGP prefix that you want to suppress.
From Peer: Enter the IP address of the peer from which the BGP prefix (that you want to suppress) was received.
Name (BGP > Aggregate > Advertise Filters): Define the attributes for an Advertise Filter that causes the firewall to advertise to peers any route that matches the filter. Click Add and enter a name for the Advertise Filter.
Enable: Select to enable this Advertise Filter.
AS Path Regular Expression: Specify a regular expression for AS_PATH to filter which routes will be advertised.
Route Table: Specify which route table to use for an Advertise Filter of aggregate routes: unicast, multicast, or both.
Next Hop: Enter the Next Hop address of the IP address you want BGP to advertise.
From Peer: Enter the IP address of the peer from which the prefix was received, that you want BGP to advertise.
Allow Redistribute Default Route (BGP > Redist Rules): Permits the firewall to redistribute its default route to BGP peers.
Route Table: Specify which route table the route will be redistributed into: unicast, multicast, or both.
Set Origin: Select the origin for the redistributed route (igp, egp, or incomplete). The value incomplete indicates a connected route.
Set MED: Enter a MED for the redistributed route in the range 0-4,294,967,295.
Set Local Preference: Enter a local preference for the redistributed route in the range 0-4,294,967,295.
Set AS Path Limit: Enter an AS path limit for the redistributed route in the range 1-255.
IP Multicast
• Network > Virtual Router > Multicast
Configuring Multicast protocols requires configuring the following standard setting:
RP Type Choose the type of Rendezvous Point (RP) that will run on this virtual
router. A static RP must be explicitly configured on other PIM routers
whereas a candidate RP is elected automatically.
• None—Choose if there is no RP running on this virtual router.
• Static—Specify a static IP address for the RP and choose options for RP
Interface and RP Address from the drop-down. Select Override learned
RP for the same group if you want to use the specified RP instead of the
RP elected for this group.
• Candidate—Specify the following information for the candidate RP
running on this virtual router:
• RP Interface—Select an interface for the RP. Valid interface types
include loopback, L3, VLAN, aggregate Ethernet, and tunnel.
• RP Address—Select an IP address for the RP.
• Priority—Specify a priority for candidate RP messages (default 192).
• Advertisement interval—Specify an interval between advertisements
for candidate RP messages.
• Group list—If you choose Static or Candidate, click Add to specify a list
of groups for which this candidate RP is proposing to be the RP.
Interface Add one or more firewall interfaces that belong to the interface group
and therefore share multicast group permissions, IGMP settings and PIM
settings.
Group Permissions Specify multicast groups that participate in PIM Any-Source Multicast
(ASM) or PIM Source-Specific Multicast (SSM):
• Any Source—Add a Name to identify a multicast Group that is allowed
to receive multicast traffic from any source on the interfaces in the
interface group. By default the group is Included in the Any Source list.
Deselect Included to easily exclude a group without deleting the group
configuration.
• Source Specific—Add a Name for a multicast Group and Source IP
address pair for which multicast traffic is allowed on the interfaces in
the interface group. By default the Group and Source pair is Included in
the Source Specific list. Deselect Included to easily exclude a Group and
Source pair without deleting the configuration.
IGMP Specify settings for IGMP traffic. IGMP must be enabled for multicast
receiver-facing interfaces.
• Enable—Select to enable the IGMP configuration.
• IGMP Version—Choose version 1, 2, or 3 to run on the interface.
• Enforce Router-Alert IP Option—Select to require the router-alert IP
option when speaking IGMPv2 or IGMPv3. This must be disabled for
compatibility with IGMPv1.
• Robustness—Choose an integer value to account for packet loss on a
network (range is 1 to 7; default is 2). If packet loss is common, choose a
higher value.
• Max Sources—Specify the maximum number of source-specific
memberships allowed for the interface group (range is 1 to 65,535 or
unlimited).
• Max Groups—Specify the maximum number of multicast groups allowed
for this interface group (range is 1 to 65,535 or unlimited).
• Query Configuration—Specify the following:
• Query Interval—Specify the interval at which general queries are sent
to all receivers.
• Max Query Response Time—Specify the maximum time between a
general query and a response from a receiver.
• Last Member Query Interval—Specify the interval between group or
source-specific query messages (including those sent in response to
leave-group messages).
• Immediate Leave—Select to leave the group immediately when a
leave message is received.
Multicast Group/Prefix Specify the multicast address or prefix for which multicast routing switches
to SPT distribution when throughput to the group or prefix reaches the
threshold setting.
Threshold (kbps) Select a setting to specify the point at which multicast routing switches to
SPT distribution for the corresponding multicast group or prefix:
• 0 (switch on first data packet)—(default) When a multicast packet
for the group or prefix arrives, the virtual router switches to SPT
distribution.
• never (do not switch to spt)—The virtual router continues to forward
multicast traffic to this group or prefix down the shared tree.
• Enter the total number of kilobits from multicast packets that can arrive
for the corresponding multicast group or prefix at any interface and over
any time period (range is 1 to 4,294,967,295). When throughput reaches
this number, the virtual router switches to SPT distribution.
Name Identify a multicast group for which the firewall provides source-specific
multicast (SSM) services.
Group Specify a multicast group address that can accept multicast packets from a
specific source only.
Included Select to include the multicast group in the SSM address space.
Route Age Out Time (sec) Allows you to tune the duration, in seconds, for which a multicast route
remains in the routing table on the firewall after the session ends (range is
210-7200; default is 210).
ECMP
• Network > Virtual Routers > Router Settings > ECMP
Equal Cost Multiple Path (ECMP) processing is a networking feature that enables the firewall to use up to
four equal-cost routes to the same destination. Without this feature, if there are multiple equal-cost routes
to the same destination, the virtual router chooses one of those routes from the routing table and adds it
to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route.
Enabling ECMP functionality on a virtual router allows the firewall to have up to four equal-cost paths to a
destination in its forwarding table, allowing the firewall to:
• Load balance flows (sessions) to the same destination over multiple equal-cost links.
• Make use of the available bandwidth on all links to the same destination rather than leave some links
unused.
• Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than
waiting for the routing protocol or RIB table to elect an alternative path, which can help reduce down
time when links fail.
ECMP load balancing is done at the session level, not at the packet level. This means the firewall chooses an
equal-cost path at the start of a new session, not each time the firewall receives a packet.
Enabling, disabling, or changing ECMP on an existing virtual router causes the system to
restart the virtual router, which might cause existing sessions to be terminated.
To configure ECMP for a virtual router, select a virtual router and, for Router Settings, select the ECMP tab
and configure the ECMP Settings as described.
ECMP Settings
• Network > Virtual Routers > Router Settings > ECMP
Use the following fields to configure equal-cost multi-path (ECMP) settings.
Symmetric Return (Optional) Select Symmetric Return to cause return packets to egress out
the same interface on which the associated ingress packets arrived. This
configures the firewall to use the ingress interface when sending return
packets instead of the ECMP interface, which means that the Symmetric
Return setting overrides load balancing. This behavior occurs only for traffic
flows from the server to the client.
Strict Source Path By default, IKE and IPSec traffic originating at the firewall egresses an
interface that the ECMP load-balancing method determines. Select Strict
Source Path to ensure that IKE and IPSec traffic originating at the firewall
always egresses the physical interface to which the source IP address of
the IPSec tunnel belongs. Enable Strict Source Path when the firewall has
more than one ISP providing equal-cost paths to the same destination. The
ISPs typically perform a Reverse Path Forwarding (RPF) check (or a different
check to prevent IP address spoofing) to confirm that the traffic is egressing
the same interface on which it arrived. Because ECMP by default chooses an
egress interface based on the configured ECMP method (instead of choosing
the source interface as the egress interface), that will not be what the ISP
expects and the ISP can block legitimate return traffic. In this use case,
enable Strict Source Path so that the firewall uses the egress interface that is
the interface to which the source IP address of the IPSec tunnel belongs.
Max Path Select the maximum number of equal-cost paths (2, 3, or 4) to a destination
network that can be copied from the RIB to the FIB (default is 2).
Method Choose one of the following ECMP load-balancing algorithms to use on the
virtual router. ECMP load balancing is done at the session level, not at the
packet level. This means that the firewall (ECMP) chooses an equal-cost path
at the start of a new session, not each time a packet is received.
Routing Tab
The following table describes the virtual router’s runtime stats for the Route Table, Forwarding Table, and
the Static Route Monitoring table.
Route Table
Route Table Select Unicast or Multicast to display either the unicast or multicast route table.
Display Address Select IPv4 Only, IPv6 Only, or IPv4 and IPv6 (default) to control which group of
Family addresses to display in the table.
Destination IPv4 address and netmask or IPv6 address and prefix length of networks the
virtual router can reach.
Next Hop IP address of the device at the next hop toward the Destination network. A next
hop of 0.0.0.0 indicates the default route.
Metric Metric for the route. When a routing protocol has more than one route to the
same destination network, it prefers the route with the lowest metric value. Each
routing protocol uses a different type of metric; for example, RIP uses hop count.
Weight Weight for the route. For example, when BGP has more than one route to the
same destination, it will prefer the route with the highest weight.
Age Age of the route entry in the routing table. Static routes have no age.
Interface Egress interface of the virtual router that will be used to reach the next hop.
Forwarding Table
The firewall chooses the best route—from the route table (RIB) toward a destination
network—to place in the FIB.
Display Address Select IPv4 Only, IPv6 Only, or IPv4 and IPv6 (default) to control which group of
Family addresses to display in the table.
Destination Best IPv4 address and netmask or IPv6 address and prefix length to a network
the virtual router can reach, selected from the Route Table.
Next Hop IP address of the device at the next hop toward the Destination network. A next
hop of 0.0.0.0 indicates the default route.
Interface Egress interface the virtual router will use to reach the next hop.
MTU Maximum transmission unit (MTU); the largest IP packet, in bytes, that the firewall
will transmit toward this destination without fragmenting it.
Static Route Monitoring
Destination IPv4 address and netmask or IPv6 address and prefix length of a network the
virtual router can reach.
Next Hop IP address of the device at the next hop toward the Destination network. A next
hop of 0.0.0.0 indicates the default route.
Metric Metric for the route. When there is more than one static route to the same
destination network, the firewall prefers the route with the lowest metric value.
Interface Egress interface of the virtual router that will be used to reach the next hop.
Path Monitoring If path monitoring is enabled for this static route, Fail On indicates:
(Fail On)
• All—Firewall considers the static route down and will fail over if all of the
monitored destinations for the static route are down.
• Any—Firewall considers the static route down and will fail over if any one of
the monitored destinations for the static route is down.
If static route path monitoring is disabled, Fail On indicates Disabled.
Status Status of the static route based on ICMP pings to the monitored destinations:
Up, Down, or path monitoring for the static route is Disabled.
RIP Tab
The following table describes the virtual router’s Runtime Stats for RIP.
Summary Tab
Interval Seconds Number of seconds in an interval. RIP uses this value (a length of time) to control
its Update, Expire, and Delete Intervals.
Update Intervals Number of intervals between RIP route advertisement updates that the virtual
router sends to peers.
Expire Intervals Number of intervals since the last update the virtual router received from a peer,
after which the virtual router marks the routes from the peer as unusable.
Delete Intervals Number of intervals after a route has been marked as unusable that, if no update
is received, the firewall deletes the route from the routing table.
Interface Tab
Send Allowed Check mark indicates this interface is allowed to send RIP packets.
Receive Allowed Check mark indicates this interface is allowed to receive RIP packets.
Advertise Default Check mark indicates that RIP will advertise its default route to its peers.
Route
Default Route Metric (hop count) assigned to the default route. The lower the metric value, the
Metric higher priority it has in the route table to be selected as the preferred path.
Peer Tab
Last Update Date and time that the last update was received from this peer.
Invalid Packets Count of invalid packets received from this peer. Possible reasons the firewall
cannot parse a RIP packet: x bytes over a route boundary, too many routes in the
packet, bad subnet, illegal address, authentication failed, or not enough memory.
Invalid Routes Count of invalid routes received from this peer. Possible causes: route is invalid,
import fails, or not enough memory.
BGP Tab
The following table describes the virtual router’s Runtime Stats for BGP.
Summary Tab
Reject Default Indicates whether the Reject Default Route option is configured, which causes
Route the VR to ignore any default routes that are advertised by BGP peers.
Redistribute Default Indicates whether the Allow Redistribute Default Route option is configured.
Route
Install Route Indicates whether the Install Route option is configured, which causes the VR to
install BGP routes in the global routing table.
Local Member AS Local Member AS number (valid only if the VR is in a confederation). The field is
0 if the VR is not in a confederation.
Default Local Displays the Default Local Preference configured for the VR.
Preference
Always Compare Indicates whether the Always Compare MED option is configured, which enables
MED a comparison to choose between routes from neighbors in different autonomous
systems.
Aggregate Indicates whether the Aggregate MED option is configured, which enables route
Regardless MED aggregation even when routes have different MED values.
Deterministic MED Indicates whether the Deterministic MED comparison option is configured,
Processing which enables a comparison to choose between routes that are advertised by
IBGP peers (BGP peers in the same AS).
Peak RIB Out Peak number of Adj-RIB-Out routes that have been allocated at any one time.
Entries
Peer Tab
Status Status of the peer, such as Active, Connect, Established, Idle, OpenConfirm, or
OpenSent.
Soft Reset Support Yes or no indicates whether the peer group supports soft reset. When routing
policies to a BGP peer change, routing table updates might be affected. A soft
reset of BGP sessions is preferred over a hard reset because a soft reset allows
routing tables to be updated without clearing the BGP sessions.
Remove Private AS Indicates whether updates will have private AS numbers removed from the
AS_PATH attribute before the update is sent.
Local RIB Tab
Prefix Network prefix and subnet mask in the Local Routing Information Base.
Flag * indicates the route was chosen as the best BGP route.
Weight Weight attribute assigned to the Prefix. If the firewall has more than one route
to the same Prefix, the route with the highest weight is installed in the IP routing
table.
Local Pref. Local preference attribute for the route, which is used to choose the exit point
toward the prefix if there are multiple exit points. A higher local preference is
preferred over a lower local preference.
AS Path List of autonomous systems in the path to the Prefix network; the list is
advertised in BGP updates.
Origin Origin attribute for the Prefix; how BGP learned of the route.
MED Multi-Exit Discriminator (MED) attribute of the route. The MED is a metric
attribute for a route, which the AS advertising the route suggests to an external
AS. A lower MED is preferred over a higher MED.
RIB Out Tab
Local Pref. Local preference attribute to access the prefix, which is used to choose the exit
point toward the prefix if there are multiple exit points. A higher local preference
is preferred over a lower local preference.
Origin Origin attribute for the Prefix; how BGP learned of the route.
MED Multi-Exit Discriminator (MED) attribute to the Prefix. The MED is a metric
attribute for a route, which the AS that is advertising the route suggests to an
external AS. A lower MED is preferred over a higher MED.
Aggr. Status Indicates whether this route is aggregated with other routes.
Multicast Tab
The following table describes the virtual router’s Runtime Stats for IP multicast.
FIB Tab
Group Route entry in the forwarding information base (FIB); multicast group address to
which the virtual router will forward packets.
Incoming Interfaces Interfaces where multicast packets for the group arrive.
Outgoing Interfaces Interfaces out which the virtual router forwards multicast packets for the group.
IGMP Interface Tab
Querier IP address of the IGMP querier on the multiaccess segment connected to the
interface.
Querier Up Time Number of seconds that the IGMP querier has been up.
Querier Expiry Time Number of seconds remaining before the Other Querier Present timer expires.
Groups Limit Maximum number of groups per interface that IGMP can process simultaneously.
Sources Limit Maximum number of sources per interface that IGMP can process
simultaneously.
Immediate Leave Yes or no indicates whether Immediate Leave is configured. Immediate leave
indicates that the virtual router will remove an interface from the forwarding
table entry without sending the interface IGMP group-specific queries.
IGMP Membership Tab
Filter Mode Include or exclude the source. The virtual router is configured to include all
traffic, or only traffic from this source (include), or traffic from any source except
this one (exclude).
Exclude Expiry Number of seconds remaining before the interface Exclude state expires.
V1 Host Timer Time remaining until the local router assumes that there are no longer any IGMP
Version 1 members on the IP subnet attached to the interface.
V2 Host Timer Time remaining until the local router assumes that there are no longer any IGMP
Version 2 members on the IP subnet attached to the interface.
PIM Interface Tab
Join/Prune Interval Interval configured for Join and Prune messages (in seconds).
Assert Interval PIM Assert interval configured (in seconds) for the virtual router to send Assert
messages. PIM uses the Assert mechanism to initiate the election of the PIM
forwarder for the multiaccess network.
DR Priority Priority configured for the Designated Router on the multiaccess segment
connected to the interface.
BSR Border Yes or no indicates whether the interface is on a virtual router that is a bootstrap
router (BSR) located at the border of an enterprise LAN.
PIM Neighbor Tab
Secondary Address Secondary IP address of the PIM neighbor reachable from the interface.
Expiry Time Length of time remaining before the neighbor expires because the virtual router
is not receiving hello packets from the neighbor.
Generation ID Randomly generated 32-bit value that is regenerated every time PIM forwarding
is started or restarted on the interface (includes when the router itself restarts).
DR Priority Designated Router priority that the virtual router received in the last PIM hello
message from this neighbor.
BFD Summary Information Tab
Protocol Static route (IP address family of static route) or dynamic routing protocol that is
running BFD on the interface.
State BFD states of the local and remote BFD peers: admin down, down, init, or up.
Uptime Length of time BFD has been up (hours, minutes, seconds, and milliseconds).
Discriminator (local) Discriminator for local BFD peer. A discriminator is a unique, nonzero value the
peers use to distinguish multiple BFD sessions between them.
Session Details Click Details to see BFD information for a session such as the IP addresses of the
local and remote neighbors, the last received remote diagnostic code, number of
transmitted and received control packets, number of errors, information about
the last packet causing state change, and more.
Route Table
Display Address Family Select IPv4 Only, IPv6 Only, or IPv4 and IPv6 (default) to
control which group of addresses to display in the table.
Destination IPv4 address and netmask or IPv6 address and prefix length of
networks the logical router can reach.
Next Hop IP address of the device at the next hop toward the
Destination network. A next hop of 0.0.0.0 indicates the
default route.
Metric Metric for the route. When a routing protocol has more than
one route to the same destination network, it prefers the route
with the lowest metric value. Each routing protocol uses a
different type of metric; for example, RIP uses hop count.
Interface Egress interface of the logical router that will be used to reach
the next hop.
Forwarding Table
The firewall chooses the best route—from the route table (RIB) toward a destination
network—to place in the FIB.
Destination Best IPv4 address and netmask or IPv6 address and prefix
length to a network the logical router can reach, selected from
the Route Table.
Next Hop IP address of the device at the next hop toward the
Destination network. A next hop of 0.0.0.0 indicates the
default route.
Interface Egress interface the logical router will use to reach the next
hop.
Static Route Monitoring
Destination IPv4 address and netmask or IPv6 address and prefix length of
a network the logical router can reach.
Next Hop IP address of the device at the next hop toward the
Destination network. A next hop of 0.0.0.0 indicates the
default route.
Metric Metric for the route. When there is more than one static route
to the same destination network, the firewall prefers the route
with the lowest metric value.
Interface Egress interface of the logical router that will be used to reach
the next hop.
Path Monitoring (Fail On) If path monitoring is enabled for this static route, Fail On
indicates:
• All—Firewall considers the static route down and will fail
over if all of the monitored destinations for the static route
are down.
• Any—Firewall considers the static route down and will fail
over if any one of the monitored destinations for the static
route is down.
If static route path monitoring is disabled, Fail On indicates
Disabled.
Summary Tab
Max Peer Restart Time (sec) Number of seconds configured for Graceful Restart max peer
restart time.
Stale Route Time (sec) Number of seconds configured for Graceful Restart stale route
time.
Peer Tab
Peer Group Name of the peer group to which this peer belongs.
State Established
Route
Name IPv4 or IPv6 route in the routing table: an IPv4 or IPv6 address
and prefix length.
MED 0 or blank
Metric 0 or blank
Network
Next Hop IP address of the next hop to reach the network identified as the
route (Name).
Peer Name
Prefix
Prefix Length
The Advanced Route Engine is currently in preview mode only and provides a limited feature
set.
Defining a logical router requires that you add Layer 3 interfaces to the logical router and configure any
combination of static routes and BGP routing, as required by your network. You can also configure other
features, such as ECMP.
View information about a logical router. More Runtime Stats for a Logical Router
Name Specify a name to describe the logical router (up to 31 characters). The
name is case-sensitive and must be unique. Use only letters, numbers,
spaces, hyphens, and underscores.
Interface
Interface Add the Layer 3 interfaces that you want to include in the logical
router. These interfaces can be used as outgoing interfaces in the
logical router’s routing table.
To specify the interface type, refer to Network > Interfaces.
When you add an interface, its connected routes are added
automatically.
Administrative Distances
ECMP
Enable Enables Equal-Cost Multiple Path (ECMP) for the logical router.
Symmetric Return (Optional) Select Symmetric Return to cause return packets to egress
out the same interface on which the associated ingress packets arrived.
That is, the firewall will use the ingress interface on which to send
return packets, rather than use the ECMP interface, so the Symmetric
Return setting overrides load balancing. This behavior occurs only for
traffic flows from the server to the client.
Strict Source Path By default, IKE and IPSec traffic originating at the firewall egresses an
interface that the ECMP load-balancing method determines. Select
Strict Source Path to ensure that IKE and IPSec traffic originating at
the firewall always egresses the physical interface to which the source
IP address of the IPSec tunnel belongs. You would enable Strict Source
Path when the firewall has more than one ISP providing equal-cost
paths to the same destination. The ISPs typically perform a Reverse
Path Forwarding (RPF) check (or a different check to prevent IP address
spoofing) to confirm that the traffic is egressing the same interface on
which it arrived. Because ECMP by default would choose an egress
interface based on the configured ECMP method (instead of choosing
the source interface as the egress interface), that would not be what
the ISP expects and the ISP could block legitimate return traffic. In this
use case, enable Strict Source Path so that the firewall uses the egress
interface that is the interface to which the source IP address of the
IPSec tunnel belongs.
Load-Balancing Method Choose one of the following ECMP load-balancing algorithms to use
on the logical router. ECMP load balancing is done at the session level,
not at the packet level. This means that the firewall (ECMP) chooses an
equal-cost path at the start of a new session, not each time a packet is
received.
• IP Modulo—By default, the logical router load balances sessions
using this option, which uses a hash of the source and destination IP
addresses in the packet header to determine which ECMP route to
use.
• IP Hash—There are two IP hash methods that determine which
ECMP route to use:
• If you select IP Hash, by default the firewall uses a hash of the
source and destination IP addresses.
• Alternatively, you can select Use Source Address Only (available
in PAN-OS 8.0.3 and later releases). This IP hash method ensures
that all sessions belonging to the same source IP address always
take the same path.
• Optionally select Use Source/Destination Ports to include the
ports in either hash calculation. You can also enter a Hash Seed
value (an integer) to further randomize load balancing.
• Weighted Round Robin—This algorithm can be used to take into
consideration different link capacities and speeds. Upon choosing
this algorithm, the Interface window opens. Click Add and select
an Interface to be included in the weighted round robin group.
For each interface, enter the Weight to be used for that interface.
Weight defaults to 100; range is 1-255. The higher the weight for
a specific equal-cost path, the more often that equal-cost path will
be selected for a new session. A higher speed link should be given
a higher weight than a slower link, so that more of the ECMP traffic
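The three load-balancing methods above decide the egress path once per session, and the knobs (Use Source Address Only, Use Source/Destination Ports, Hash Seed, interface Weight) change what goes into that decision. The following Python model is an added illustration and not PAN-OS code; the hash function (SHA-256 here, the firewall's actual hash is not given on this page), the smooth weighted-round-robin bookkeeping, the interface names and the sample sessions are all assumptions.

```python
"""Session-level ECMP path selection modelled on the methods described above:
IP Modulo, IP Hash (source-only / ports / seed options) and Weighted Round Robin.
Added illustration, not PAN-OS code; hash function, WRR bookkeeping, interface
names and sessions are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Session:
    """Session key; ports default to 0 so IP-only hashing can ignore them."""
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _hash(*parts) -> int:
    # Assumed stable hash over the selected header fields (not the firewall's real hash).
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def ip_modulo(s: Session, paths: list[str]) -> str:
    """Default method: hash of source and destination IP, modulo the number of equal-cost paths."""
    return paths[_hash(s.src, s.dst) % len(paths)]


def ip_hash(s: Session, paths: list[str], *, source_only: bool = False,
            use_ports: bool = False, seed: int = 0) -> str:
    """IP Hash method with the Use Source Address Only, Use Source/Destination Ports and Hash Seed knobs."""
    parts = [s.src] if source_only else [s.src, s.dst]
    if use_ports:
        parts += [s.sport, s.dport]
    return paths[_hash(*parts, seed) % len(paths)]


class WeightedRoundRobin:
    """Chooses a path for each new session in proportion to its Weight (1-255, default 100)."""

    def __init__(self, weights: dict[str, int]):
        for name, w in weights.items():
            if not 1 <= w <= 255:
                raise ValueError(f"weight for {name} must be in 1-255")
        self.weights = weights
        self.credit = {name: 0 for name in weights}

    def next_path(self) -> str:
        # Smooth weighted round robin: every path gains its weight, the richest path is
        # chosen and pays the total, so over sum(weights) picks each path is chosen weight times.
        total = sum(self.weights.values())
        for name, w in self.weights.items():
            self.credit[name] += w
        chosen = max(self.credit, key=self.credit.__getitem__)
        self.credit[chosen] -= total
        return chosen


def wrr_distribution(weights: dict[str, int], sessions: int) -> dict[str, int]:
    """How many of `sessions` new sessions land on each path under Weighted Round Robin."""
    wrr = WeightedRoundRobin(weights)
    counts = {name: 0 for name in weights}
    for _ in range(sessions):
        counts[wrr.next_path()] += 1
    return counts


class SessionTable:
    """ECMP decides once per session: the path chosen at setup is reused for every later packet."""

    def __init__(self, chooser: Callable[[Session], str]):
        self.chooser = chooser
        self.table: dict[Session, str] = {}

    def path_for(self, s: Session) -> str:
        if s not in self.table:          # only a new session triggers a load-balancing decision
            self.table[s] = self.chooser(s)
        return self.table[s]


if __name__ == "__main__":
    paths = ["ethernet1/1", "ethernet1/2"]        # assumed equal-cost egress interfaces
    a = Session("192.0.2.10", "198.51.100.7", 40001, 443)   # constructed sessions
    b = Session("192.0.2.10", "198.51.100.9", 40002, 443)
    print("ip-modulo:", ip_modulo(a, paths), ip_modulo(b, paths))
    print("source-only:", ip_hash(a, paths, source_only=True), ip_hash(b, paths, source_only=True))
    print("wrr 100:50 over 150 sessions:", wrr_distribution({"ethernet1/1": 100, "ethernet1/2": 50}, 150))
```

Two sessions from the same source always share a path under the source-only hash, which is the behaviour the page describes for Use Source Address Only, and the session table shows why a later packet of an existing session never re-runs the round-robin counter.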
RIB Filter
IPv4 - BGP Route Map Select a route map to control the IPv4 BGP routes being added to the
global RIB. Default is None.
IPv4 - OSPFv2 Route Map Select a route map to control the IPv4 OSPFv2 routes being added to
the global RIB. Default is None.
IPv4 - Static Route Map Select a route map to control the IPv4 static routes being added to the
global RIB. Default is None.
IPv4 - Connected Route Map Select a route map to control the IPv4 connected routes being added
to the global RIB. Default is None.
IPv6 - BGP Route Map Select a route map to control the IPv6 BGP routes being added to the
global RIB. Default is None.
IPv6 - OSPFv3 Route Map Select a route map to control the IPv6 OSPFv3 routes being added to
the global RIB. Default is None.
IPv6 - Static Route Map Select a route map to control the IPv6 static routes being added to the
global RIB. Default is None.
IPv6 - Connected Route Map Select a route map to control the IPv6 connected routes being added
to the global RIB. Default is None.
Name Enter a name to identify the static route (up to 31 characters). The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Admin Dist Specify the administrative distance for the static route (range is 10 to 240;
default is 10).
Metric Specify a valid metric for the static route (range is 1 to 65,535; default is
10).
Profile Select a BFD profile to apply to the static route. Default is None (Disable
BFD).
Failure Condition Select the condition under which the firewall considers the monitored path
down and thus the static route down:
• Any—If any one of the monitored destinations for the static route is
unreachable by ICMP, the firewall removes the static route from the
RIB and FIB and adds the dynamic or static route that has the next
lowest metric going to the same destination to the FIB.
• All—If all of the monitored destinations for the static route are
unreachable by ICMP, the firewall removes the static route from the
RIB and FIB and adds the dynamic or static route that has the next
lowest metric going to the same destination to the FIB.
Select All to avoid the possibility of a single monitored destination
signaling a static route failure when that monitored destination is simply
offline for maintenance, for example.
Preemptive Hold Time (min) Enter the number of minutes a downed path monitor must remain in Up
state—the path monitor evaluates all of its member monitored destinations
and must remain Up before the firewall reinstalls the static route into the
RIB. If the timer expires without the link going down or flapping, the link is
deemed stable, path monitor can remain Up, and the firewall can add the
static route back into the RIB.
Name Add a name for the monitored destination (up to 31 characters). The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Enable Select to enable path monitoring of this specific destination for the static
route; the firewall sends ICMP pings to this destination.
Source IP Select the IP address that the firewall will use as the source in the ICMP
ping to the monitored destination:
• If the interface has multiple IP addresses, select one.
• If you select an interface, the firewall uses the first IP address assigned
to the interface by default.
• If you select DHCP (Use DHCP Client Address), the firewall uses
the address that DHCP assigned to the interface. To see the DHCP
address, select Network > Interfaces > Ethernet and in the row for
the Ethernet interface, click on Dynamic DHCP Client. The IP Address
appears in the Dynamic IP Interface Status window.
• PPPOE (Use PPPoE Client Address)
Destination IP Enter a robust, stable IP address or address object for which the firewall
will monitor the path. The monitored destination and the static route
destination must use the same address family (IPv4 or IPv6).
Ping Interval (sec) Specify the ICMP ping interval in seconds to determine how frequently the
firewall monitors the path (pings the monitored destination; range is 1 to
60; default is 3).
Ping Count Specify the number of consecutive ICMP ping packets that do not return
from the monitored destination before the firewall considers the link
down. Based on the Any or All failure condition, if path monitoring is in
failed state, the firewall removes the static route from the RIB (range is 3
to 10; default is 5).
For example, a Ping Interval of 3 seconds and Ping Count of 5 missed
pings (the firewall receives no ping in the last 15 seconds) means path
monitoring detects a link failure. If path monitoring is in failed state
and the firewall receives a ping after 15 seconds, the link is deemed up;
based on the Any or All failure condition, path monitoring to Any or All
monitored destinations can be deemed up, and the Preemptive Hold Time
starts.
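The Ping Interval, Ping Count, Any/All failure condition and Preemptive Hold Time above form one small state machine, and the worked 3-second/5-ping example is easiest to check by running it. The following Python simulation is an added illustration and not PAN-OS code; the destination addresses, the ping outcomes and the use of a counter that advances by one Ping Interval per probe round are constructed assumptions.

```python
"""Static-route path monitoring as described above: per-destination ICMP probes
at Ping Interval, a destination is down after Ping Count consecutive misses,
the Any/All condition decides when the route leaves the RIB, and the
Preemptive Hold Time must elapse with the monitor Up before reinstallation.
Added illustration, not PAN-OS code; addresses and ping outcomes are constructed."""
from collections import deque


class PathMonitor:
    def __init__(self, destinations, *, condition="Any", interval=3, count=5, hold_min=2):
        if condition not in ("Any", "All"):
            raise ValueError("failure condition must be Any or All")
        if not 1 <= interval <= 60 or not 3 <= count <= 10:
            raise ValueError("Ping Interval is 1-60 s, Ping Count is 3-10")
        self.condition = condition
        self.interval = interval
        self.count = count
        self.hold_sec = hold_min * 60
        # Sliding window of the last `count` probe results per monitored destination.
        self.history = {d: deque(maxlen=count) for d in destinations}
        self.route_installed = True
        self.up_since = None   # clock value at which the monitor last returned to Up
        self.clock = 0         # simulated seconds elapsed

    def destination_down(self, dest: str) -> bool:
        h = self.history[dest]
        return len(h) == self.count and not any(h)   # `count` consecutive misses

    def monitor_down(self) -> bool:
        downs = [self.destination_down(d) for d in self.history]
        return any(downs) if self.condition == "Any" else all(downs)

    def step(self, replies: dict[str, bool]) -> bool:
        """One probe round: `replies` maps destination -> whether its ICMP reply arrived.
        Returns whether the static route is currently installed in the RIB."""
        self.clock += self.interval
        for dest, ok in replies.items():
            self.history[dest].append(ok)
        if self.monitor_down():
            self.route_installed = False      # route removed; next-lowest-metric route takes over
            self.up_since = None
        elif not self.route_installed:
            if self.up_since is None:
                self.up_since = self.clock    # Preemptive Hold Time starts
            elif self.clock - self.up_since >= self.hold_sec:
                self.route_installed = True   # hold expired without a flap: reinstall
        return self.route_installed


def run_scenario(condition: str = "Any") -> list[tuple[int, bool]]:
    """Constructed scenario: 10.0.0.1 misses its first five probes and then answers,
    10.0.0.2 answers throughout. Interval 3 s, count 5, hold 1 min."""
    pm = PathMonitor(["10.0.0.1", "10.0.0.2"], condition=condition, interval=3, count=5, hold_min=1)
    events = []
    for i in range(30):
        installed = pm.step({"10.0.0.1": i >= 5, "10.0.0.2": True})
        events.append((pm.clock, installed))
    return events


def removal_time(events):
    """Clock at which the route was first withdrawn, or None if it never was."""
    return next((t for t, up in events if not up), None)


def reinstall_time(events):
    """Clock at which the route came back after a withdrawal, or None."""
    seen_down = False
    for t, up in events:
        if not up:
            seen_down = True
        elif seen_down:
            return t
    return None


if __name__ == "__main__":
    ev = run_scenario("Any")
    print("Any: withdrawn at", removal_time(ev), "s, reinstalled at", reinstall_time(ev), "s")
    print("All: withdrawn at", removal_time(run_scenario("All")))
```

With Any, the route is withdrawn at 15 seconds (five missed 3-second pings) and comes back 60 seconds after the first reply; with All, the healthy second destination keeps the route installed throughout, which is the maintenance-window case the page recommends All for.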
General
Router ID Assign a Router ID to BGP for the logical router, which is typically an IPv4
address to ensure the Router ID is unique.
Local AS Assign the local autonomous system (AS) to which the logical router belongs
based on the Router ID (range for a 2-byte or 4-byte AS number is 1 to
4,294,967,295).
ECMP Multiple AS Support Enable if you configured ECMP and you want to run ECMP over multiple
BGP autonomous systems.
Enforce First AS Select to cause the firewall to drop an incoming Update message from an
EBGP peer that does not list the EBGP peer’s own AS number as the first AS
number in the AS_PATH attribute. (Enabled by default.)
Fast Failover Fast failover of EBGP is enabled by default. Disable EBGP fast failover if it
causes the firewall to unnecessarily withdraw BGP routes.
Default Local Preference Specify the default local preference that can be used to determine
preferences among different paths; range is 0 to 4,294,967,295; default is
100.
Graceful Restart—Enable Enables graceful restart for BGP so that packet forwarding is not disrupted
during a BGP restart (enabled by default).
Stale Route Time Specify the length of time, in seconds, that a route can stay in the stale state
(range is 1 to 3,600; default is 120).
Max Peer Restart Time Specify the maximum length of time, in seconds, that the local device
accepts as a grace period restart time for peer devices (range is 1 to 3,600;
default is 120).
Path Selection—Always Compare MED Select to choose paths from neighbors in different autonomous systems;
default is disabled. The Multi-Exit Discriminator (MED) is an external metric
that lets neighbors know about the preferred path into an AS. A lower value
is preferred over a higher value.
Deterministic MED Comparison Select to choose between routes that are advertised by IBGP peers (BGP
peers in the same AS). Default is enabled.
Peer Group
Type Select the type of peer group as IBGP (Internal BGP, peering within an AS) or
EBGP (External BGP—peering between two autonomous systems).
AFI IP Unicast Select or create an AFI IPv4 profile to apply the settings in the profile to the
peer group; default is None.
AFI IPv6 Unicast Select or create an AFI IPv6 profile to apply the settings in the profile to the
peer group; default is None.
Timer Profile Select or create a Timers profile to apply to the peer group; default is None.
Multi Hop Set the time-to-live (TTL) value in the IP header. Range is 1 to 255; a setting
of 0 means use the default value: 1 for EBGP; 255 for IBGP.
Peer
Peer—Addressing
Inherit AFI/SAFI config from peer-group Select for the peer to inherit the AFI and Subsequent AFI (SAFI) from the
peer group.
AFI IP Unicast (Available if Inherit AFI/SAFI config from peer is disabled) Select or create
an AFI IPv4 profile to apply the settings in the profile to the peer; default is
None.
AFI IPv6 Unicast (Available if Inherit AFI/SAFI config from peer is disabled) Select or create
an AFI IPv6 profile to apply the settings in the profile to the peer; default is
None.
Local Address - Interface Select the Layer 3 interface for which you are configuring BGP. Interfaces
configured with a static IP address and interfaces configured as a DHCP
client are available to select. If you select an interface where DHCP assigns
the address, the IP address will indicate None. DHCP will later assign an
IP address to the interface; you can see the address when you view More
Runtime Stats for the logical router.
IP If the interface has more than one IP address, enter the IP address and
netmask you want to use.
Peer—Connection Options These settings override the same option you have set for the peer group to
which the peer belongs.
Timer Profile Select or create a Timers profile. Alternatively, select inherit (Inherit from
Peer-Group) or None, both of which cause the peer to use the Timers profile
specified for the peer group.
Multi Hop Select inherit (Inherit from Peer-Group) or None, both of which cause the
peer to use the value specified for the peer group.
Peer—Advanced
Enable Sender Side Loop Detection Select to cause the firewall to check the AS_PATH attribute of a route in its
forwarding information base (FIB) before it sends the route in an Update,
to ensure that the peer AS number is not on the AS_PATH list. If it is, the
firewall removes it to prevent a loop. Default is enabled.
BGP Redistribution
Redistribution Rules
IPv4 Unicast Select or create a Redistribution profile to specify which static or connected
IPv4 routes to redistribute to the IPv4 unicast route table. Default is None.
IPv6 Unicast Select or create a Redistribution profile to specify which static or connected
IPv6 routes to redistribute to the IPv6 unicast route table. Default is None.
Network
Network Add a corresponding IPv4 or IPv6 network address; subnets with matching
network addresses are advertised to BGP peers of the logical router.
Unicast Select to install the matching routes into the Unicast routing table of all BGP
peers.
Secret Enter the Secret and Confirm Secret. The Secret is used as a key in MD5
authentication.
Keep Alive Interval (sec) Enter the interval, in seconds, after which routes from the peer are
suppressed according to the Hold Time setting (range is 0 to 1,200; default
is 30).
Hold Time (sec) Enter the length of time, in seconds, that may elapse between successive
Keepalive or Update messages from the peer before the peer connection
is closed (range is 3 to 3,600; default is 90).
Minimum Route Advertise Interval (sec) Enter the minimum amount of time, in seconds, that must elapse between
two successive Update messages (that a BGP speaker [the firewall] sends
to a BGP peer) that advertise routes or withdrawal of routes (range is 1 to
600; default is 30).
Name Enter a name for the Address Family Identifier (AFI) profile (maximum of
31 characters).
Advertise all paths to a peer Advertise all routes in the BGP routing information base (RIB).
Advertise the best path per neighboring AS Enable to ensure that BGP advertises the best path for each neighboring
AS, and not a generic path for all autonomous systems. Disable this if you
want to advertise the same path to all autonomous systems.
Allow AS in Specify whether to allow routes that include the firewall’s own
autonomous system (AS) number:
• Origin—Accept routes even if the firewall’s own AS is present in the
AS_PATH.
• Occurrence—Number of times the firewall’s own AS can be in an
AS_PATH.
• None—(default setting) No action taken.
Override ASNs in outbound updates if AS-Path equals Remote-AS You might use the BGP AS override feature if you have multiple sites
belonging to the same AS (AS 64512, for example) and there is another
AS between them. A router between the two sites receives an Update
advertising a route that can access AS 64512. To avoid the second site
dropping the Update because it is also in AS 64512, the intermediate
router replaces AS 64512 with its own ASN, AS 64522, for example.
Originate Default Route Select to advertise a default route. Disable if you want to advertise only
routes that go to specific destinations.
Threshold (%) Enter the threshold percentage of the maximum number of prefixes. If the
peer advertises more than the threshold, the firewall takes the specified
Action (warning or restart). Range is 1 to 100%.
Action Specify the action the firewall takes on the BGP connection after the
maximum number of prefixes is exceeded: Warning Only message in logs
or Restart the BGP peer connection.
Remove Private AS To have BGP remove private AS numbers from the AS_PATH attribute in
Updates that the firewall sends to a peer in another AS, select one of the
following:
• All—Remove all private AS numbers.
• Replace AS—Replace all private AS numbers with the firewall’s AS
number.
• None—(default setting) No action taken.
Route Reflector Client Enable the firewall as a BGP Route Reflector Client.
Send Community Select the type of BGP community attribute to send in outbound Update
messages:
• All—Send all communities.
• Both—Send standard and extended communities.
• Extended—Send extended communities.
• Large—Send large communities.
• Standard—Send standard communities.
• None—Do not send any communities.
IPv4 or IPv6 Select IPv4 or IPv6 Address Family Identifier (AFI) to specify which type of
route is redistributed.
Static Select Static and Enable to redistribute IPv4 or IPv6 static routes (that
match the AFI you selected) into the BGP routing information base (RIB) of
the BGP peers.
Metric Enter the metric to apply to the static routes being redistributed into BGP
(range is 1 to 65,535).
Metric Enter the metric to apply to the connected routes being redistributed into
BGP (range is 1 to 65,535).
Add Add a new IPSec VPN tunnel. See IPSec Tunnel General Tab for instructions
on configuring the new tunnel.
Enable Enable a tunnel that has been disabled (tunnels are enabled by default).
Disable Disable a tunnel that you don’t want to use but are not, yet, ready to delete.
PDF/CSV Export the IPSec Tunnel configuration in PDF/CSV format. You can apply
filters to customize the table output and include only the columns you need.
Only the columns visible in the Export dialog are exported. See Export
Configuration Table Data.
Name Enter a Name to identify the tunnel (up to 63 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.
The 63-character limit for this field includes the tunnel name in addition to
the Proxy ID, which is separated by a colon character.
Tunnel Interface Select an existing tunnel interface, or click New Tunnel Interface. For
information on creating a tunnel interface, refer to Network > Interfaces >
Tunnel.
IPv4 or IPv6 Select IPv4 or IPv6 to configure the tunnel to have endpoints with that IP
type of address.
Local For IPv4: Enter an IP address or subnet in the format x.x.x.x/mask (for
example, 10.1.2.0/24).
For IPv6: Enter an IP address and prefix length in the format
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/prefix-length (or per IPv6
convention, for example, 2001:DB8:0::/48).
IPv6 addressing does not require that all zeros be written; leading zeros can
be omitted and one grouping of consecutive zeros can be replaced by two
adjacent colons (::).
For an IKEv2 traffic selector, this field is converted to Source IP Address.
Protocol Specify the protocol and port numbers for the local and remote ports:
• Number—Specify the protocol number (used for interoperability with third-
party devices).
• Any—Allow TCP and/or UDP traffic.
• TCP—Specify the local and remote TCP port numbers.
• UDP—Specify the local and remote UDP port numbers.
Each configured proxy ID will count towards the IPSec VPN tunnel capacity
of the firewall.
This field is also used as an IKEv2 traffic selector.
How to provide interoperability with another vendor’s tunnel endpoint Select Add GRE Encapsulation when you create an
IPSec tunnel.
GRE Tunnels
• Network > GRE Tunnels
First configure a tunnel interface (Network > Interfaces > Tunnel). Then add a generic routing encapsulation
(GRE) Tunnel and provide the following information, referencing the tunnel interface you created:
Copy ToS Header Select to copy the Type of Service (ToS) field from
the inner IP header to the outer IP header of the
encapsulated packets to preserve the original ToS
information.
Keep Alive Select to enable the Keep Alive function for the
GRE tunnel (disabled by default). If you enable
Keep Alive, by default it takes three unreturned
keepalive packets (Retries) at 10-second intervals
for the GRE tunnel to go down, and it takes five
Hold Timer intervals at 10-second intervals for the
GRE tunnel to come back up.
DHCP Server
DHCP Relay
DHCP Overview
• Network > DHCP
DHCP uses a client-server model of communication. This model consists of three roles that the firewall can
fulfill: DHCP client, DHCP server, and DHCP relay agent.
• A firewall acting as a DHCP client (host) can request an IP address and other configuration settings from
a DHCP server. Users on client firewalls save configuration time and effort, and need not know the
addressing plan of the network or other network resources and options inherited from the DHCP server.
• A firewall acting as a DHCP server can service clients. By using one of the DHCP addressing
mechanisms, the administrator saves configuration time and has the benefit of reusing a limited number
of IP addresses when clients no longer need network connectivity. The server can also deliver IP
addressing and DHCP options to multiple clients.
• A firewall acting as a DHCP relay agent listens for broadcast and unicast DHCP messages and relays
them between DHCP clients and servers.
DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages that a client
sends to a server are sent to well-known port 67 (UDP—Bootstrap Protocol and DHCP). DHCP messages
that a server sends to a client are sent to port 68.
DHCP Addressing
There are three ways that a DHCP server either assigns or sends an IP address to a client:
• Automatic allocation—The DHCP server assigns a permanent IP address to a client from its IP Pools. On
the firewall, a Lease specified as Unlimited means the allocation is permanent.
DHCP Server
• Network > DHCP > DHCP Server
The following section describes each component of the DHCP server. Before you configure a DHCP server,
you should already have configured a Layer 3 Ethernet or Layer 3 VLAN interface that is assigned to a
virtual router and a zone. You should also know a valid pool of IP addresses from your network plan that
can be designated to be assigned by your DHCP server to clients.
When you add a DHCP server, you configure the settings described in the table below.
Interface DHCP Server Name of the interface that will serve as the DHCP
server.
Ping IP when allocating new IP DHCP Server > Lease If you click Ping IP when allocating new IP, the server
will ping the IP address before it assigns that address
to its client. If the ping receives a response, that means
a different firewall already has that address, so it is not
available for assignment. The server assigns the next
address from the pool instead. If you select this option,
Inheritance Source DHCP Server > Options Select None (default) or select a source DHCP client
interface or PPPoE client interface to propagate
various server settings to the DHCP server. If you
specify an Inheritance Source, select one or more
options below that you want inherited from this
source.
One benefit of specifying an inheritance source is
that DHCP options are quickly transferred from the
server that is upstream of the source DHCP client. It
also keeps the client’s options updated if an option
on the inheritance source is changed. For example, if
the inheritance source firewall replaces its NTP server
(which had been identified as the Primary NTP server),
the client will automatically inherit the new address as
its Primary NTP server.
Gateway DHCP Server > Options (cont) Specify the IP address of the network gateway (an
interface on the firewall) that is used to reach any
device not on the same LAN as this DHCP server.
Subnet Mask Specify the network mask that applies to the addresses
in the IP Pools.
Custom DHCP options Click Add and enter the Name of the custom option
you want the DHCP Server to send to clients.
Enter an Option Code (range is 1-254).
If Option Code 43 is entered, the Vendor Class
Identifier (VCI) field appears. Enter a match criterion
that will be compared to the incoming VCI from the
client’s Option 60. The firewall looks at the incoming
VCI from the client’s Option 60, finds the matching
VCI in its own DHCP server table, and returns the
corresponding value to the client in Option 43. The
VCI match criterion is a string or hex value. A hex value
must have a “0x” prefix.
Select Inherited from DHCP server inheritance source
to have the server inherit the value for that option
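The Option 43 behaviour described for custom DHCP options above (compare the client's Option 60 with the VCI match criteria, string or 0x-prefixed hex, and return the matching value in Option 43) can be shown end to end on the wire encoding. The following Python code is an added illustration and not PAN-OS code. The option wire format (code, length, data; 0 = pad, 255 = end) is standard DHCP; exact-match comparison, the sample server table and the constructed client message are assumptions.

```python
"""DHCP Option 43 selection by Vendor Class Identifier, as described for custom
DHCP options above. Added illustration, not PAN-OS code; exact-match
comparison, the server table and the client message are constructed
assumptions, the TLV wire format is standard DHCP."""
from typing import Optional

OPTION_VENDOR_CLASS = 60
OPTION_VENDOR_SPECIFIC = 43


def parse_criterion(text: str) -> bytes:
    """A VCI match criterion is a string, or raw bytes given as hex with a "0x" prefix."""
    if text.startswith("0x"):
        return bytes.fromhex(text[2:])
    return text.encode()


def parse_options(blob: bytes) -> dict[int, bytes]:
    """Parse the DHCP options field into {code: data}; rejects truncated encodings."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:                 # end option
            break
        if code == 0:                   # pad
            i += 1
            continue
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError(f"truncated option {code} at offset {i}")
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_option(code: int, data: bytes) -> bytes:
    """Encode one option; codes are 1-254 and the data must fit a one-byte length."""
    if not 1 <= code <= 254 or len(data) > 255:
        raise ValueError("option code 1-254, data at most 255 bytes")
    return bytes([code, len(data)]) + data


def option43_for_client(client_options: bytes, vci_table: dict[str, bytes]) -> Optional[bytes]:
    """Return the encoded Option 43 for the client's Option 60, or None if no VCI matches."""
    client_vci = parse_options(client_options).get(OPTION_VENDOR_CLASS)
    if client_vci is None:
        return None
    for criterion, value in vci_table.items():
        if parse_criterion(criterion) == client_vci:   # assumed exact match
            return build_option(OPTION_VENDOR_SPECIFIC, value)
    return None


# Constructed server table: VCI criterion -> Option 43 payload (vendor sub-options).
VCI_TABLE = {
    "PXEClient": bytes.fromhex("0104c0a80105"),   # sub-option 1, length 4, 192.168.1.5
    "0x4d5346": bytes.fromhex("0201ff"),          # hex criterion for the bytes "MSF"
}

# Constructed DHCPDISCOVER options: message type (53) = 1, Option 60 = vendor class, end.
DISCOVER_PXE = build_option(53, b"\x01") + build_option(60, b"PXEClient") + b"\xff"
DISCOVER_OTHER = build_option(53, b"\x01") + build_option(60, b"Printer") + b"\xff"

if __name__ == "__main__":
    print("PXE client gets:", option43_for_client(DISCOVER_PXE, VCI_TABLE))
    print("unknown vendor gets:", option43_for_client(DISCOVER_OTHER, VCI_TABLE))
```

A client whose Option 60 matches no criterion simply receives no Option 43, and the parser refuses an option whose declared length runs past the end of the message rather than reading beyond the buffer.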
DHCP Relay
• Network > DHCP > DHCP Relay
Before configuring a firewall interface as a DHCP relay agent, make sure you have configured a Layer 3
Ethernet or Layer 3 VLAN interface and that you assigned the interface to a virtual router and a zone.
You want that interface to be able to pass DHCP messages between clients and servers. Each interface
can forward messages to a maximum of eight external IPv4 DHCP servers and eight external IPv6 DHCP
servers. A client sends a DHCPDISCOVER message to all configured servers, and the firewall relays the
DHCPOFFER message of the first server that responds back to the requesting client.
Interface Name of the interface that will be the DHCP relay agent.
IPv4 / IPv6 Select the type of DHCP server and IP address you will specify.
DHCP Server IP Enter the IP address of the DHCP server to and from which you will relay
Address DHCP messages.
Interface If you selected IPv6 as the IP address protocol for the DHCP server and
specified a multicast address, you must also specify an outgoing interface.
DHCP Client
• Network > Interfaces > Ethernet > IPv4
• Network > Interfaces > VLAN > IPv4
Before configuring a firewall interface as a DHCP client, make sure you have configured a Layer 3 Ethernet
or Layer 3 VLAN interface and that you assigned the interface to a virtual router and a zone. Perform this
task if you need to use DHCP to request an IPv4 address for an interface on your firewall.
Type Select DHCP Client and then Enable to configure the interface as a DHCP
client.
Automatically create default route pointing to default gateway provided by server Causes the firewall to create a static route to a default gateway that will
be useful when clients are trying to access many destinations that do not
need to have routes maintained in a routing table on the firewall.
Default Route Metric Optionally, enter a Default Route Metric (priority level) for the route
between the firewall and the DHCP server. A route with a lower number
has higher priority during route selection. For example, a route with a
metric of 10 is used before a route with a metric of 100 (range is 1-65535;
no default).
Show DHCP Client Runtime Info Displays all settings received from the DHCP server, including DHCP lease
status, dynamic IP assignment, subnet mask, gateway, and server settings
(DNS, NTP, domain, WINS, NIS, POP3, and SMTP).
Location Specify the virtual system to which the DNS proxy object
applies:
• Shared: Proxy applies to all virtual systems. If you
choose Shared, the Server Profile field is not available.
Instead, enter the Primary and Secondary DNS server IP
addresses or address objects.
• Select a virtual system to use this DNS proxy; you must
configure a virtual system first. Select Device > Virtual
Systems, select a virtual system, and select a DNS
Proxy.
Check inheritance source status (Shared location only) Select to see the server settings that are currently assigned
to the DHCP client and PPPoE client interfaces. These may
include DNS, WINS, NTP, POP3, SMTP, or DNS suffix.
Server Profile (Virtual System location only) Select or create a new DNS server profile. This field does
not appear if the Location was specified as Shared.
Name DNS Proxy > DNS Proxy Rules A name is required so that an entry can be referenced and
modified via the CLI.
Turn on caching of domains resolved by this mapping Select to enable caching of domains that are resolved by
this mapping.
Domain Name Add one or more domain names to which the firewall
compares incoming FQDNs. If the FQDN matches one of
the domains in the rule, the firewall forwards the query to
the Primary/Secondary DNS server specified for this proxy.
To delete a domain name from the rule, select it and click
Delete.
DNS Server Profile (Shared location only) Select or add a DNS server profile to define DNS settings
for the virtual system, including the primary and secondary
DNS server to which the firewall sends domain name
queries.
Name DNS Proxy > Static Entries Enter a name for the static entry.
FQDN Enter the Fully Qualified Domain Name (FQDN) to map to
the static IP addresses defined in the Address field.
Address Add one or more IP addresses that map to this domain. The
firewall includes all of these addresses in its DNS response,
and the client chooses which IP address to use. To delete
an address, select the address and click Delete.
TCP Queries DNS Proxy > Advanced Select to enable DNS queries using TCP. Specify the
maximum number of concurrent pending TCP DNS
requests (Max Pending Requests) that the firewall will
support (range is 64 to 256; default is 64).
UDP Queries Retries DNS Proxy > Advanced Specify settings for UDP query retries:
• Interval—Time, in seconds, after which the DNS proxy
sends another request if it hasn’t received a response
(range is 1 to 30; default is 2).
• Attempts—Maximum number of attempts (excluding the
first attempt) after which the DNSP tries the next DNS
server (range is 1 to 30; default is 5).
Cache DNS Proxy > Advanced You must have Cache enabled (enabled by default) if this
DNS proxy object is used for queries that the firewall
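The DNS proxy pieces above (static entries answered locally with every configured address, DNS Proxy Rules that send matching domains to the rule's server profile with per-rule caching, the default primary/secondary servers for everything else, and UDP retries with Attempts excluding the first before moving to the next server) fit together as one dispatch routine. The following Python model is an added illustration and not PAN-OS code. Assumptions: static entries are consulted before rules and the cache, a rule matches the FQDN itself or any name beneath it, the send function is a stand-in for the real UDP query, and all names and addresses are constructed.

```python
"""DNS proxy dispatch as described above: static entries, domain rules with
their own server profile and cache flag, default servers, and the UDP retry
policy. Added illustration, not PAN-OS code; lookup order, suffix matching,
the fake upstream and all names/addresses are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Rule:
    name: str
    domains: list[str]
    servers: list[str]          # primary, secondary from the rule's DNS server profile
    cache: bool = True          # "Turn on caching of domains resolved by this mapping"


@dataclass
class DnsProxy:
    default_servers: list[str]
    rules: list[Rule] = field(default_factory=list)
    static_entries: dict[str, list[str]] = field(default_factory=dict)
    cache_enabled: bool = True  # Advanced > Cache (enabled by default)
    udp_interval: int = 2       # seconds between retries (1-30); informational here
    udp_attempts: int = 5       # retries after the first attempt (1-30)
    answers_cache: dict[str, list[str]] = field(default_factory=dict)

    def matching_rule(self, fqdn: str) -> Optional[Rule]:
        name = fqdn.rstrip(".").lower()
        for rule in self.rules:
            for domain in rule.domains:
                d = domain.rstrip(".").lower()
                if name == d or name.endswith("." + d):   # assumed suffix match
                    return rule
        return None

    def forward(self, fqdn: str, servers: list[str],
                send: Callable[[str, str], Optional[list[str]]]) -> Optional[list[str]]:
        """Try each server 1 + udp_attempts times before moving on to the next one."""
        for server in servers:
            for _ in range(1 + self.udp_attempts):
                answer = send(server, fqdn)
                if answer is not None:
                    return answer
        return None

    def resolve(self, fqdn: str, send) -> tuple[str, Optional[list[str]]]:
        """Returns (how the answer was produced, addresses or None)."""
        key = fqdn.rstrip(".").lower()
        if key in self.static_entries:                 # every configured address is returned
            return "static", list(self.static_entries[key])
        if key in self.answers_cache:
            return "cache", list(self.answers_cache[key])
        rule = self.matching_rule(key)
        servers = rule.servers if rule else self.default_servers
        answer = self.forward(key, servers, send)
        if answer is not None and self.cache_enabled and (rule is None or rule.cache):
            self.answers_cache[key] = answer
        return ("rule:" + rule.name if rule else "default"), answer


class FakeUpstream:
    """Constructed stand-in for sending a UDP query: servers in `dead` never answer."""

    def __init__(self, answers: dict[str, list[str]], dead: set[str]):
        self.answers, self.dead, self.calls = answers, dead, []

    def __call__(self, server: str, fqdn: str) -> Optional[list[str]]:
        self.calls.append((server, fqdn))
        return None if server in self.dead else self.answers.get(fqdn)


if __name__ == "__main__":
    proxy = DnsProxy(default_servers=["203.0.113.53", "203.0.113.54"],
                     rules=[Rule("corp", ["corp.example"], ["10.0.0.53", "10.0.0.54"])],
                     static_entries={"intranet.corp.example": ["10.1.1.10", "10.1.1.11"]})
    up = FakeUpstream({"fileserver.corp.example": ["10.2.2.2"]}, dead={"10.0.0.53"})
    print(proxy.resolve("fileserver.corp.example", up), "after", len(up.calls), "sends")
```

With Attempts set to 5, a dead primary in the rule's profile absorbs six sends before the secondary is tried, and the second lookup of the same name is served from the cache without any send.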
Looking for more? See Quality of Service for complete QoS workflows, concepts and
use cases.
Clear Text / Tunnel Interface QoS Interface > Physical Interface > Default Profile Select the default QoS profiles for clear text and for tunneled traffic.
You must specify a default profile for each. For clear text traffic,
the default profile applies to all clear text traffic as an aggregate.
For tunneled traffic, the default profile is applied individually to
each tunnel that does not have a specific profile assignment in the
detailed configuration section. For instructions on defining QoS
profiles, refer to Network > Network Profiles > QoS.
Egress Guaranteed (Mbps) QoS Interface > Clear Text Traffic/Tunneled Traffic Enter the bandwidth that is guaranteed for clear text or tunneled
traffic from this interface.
Egress Max (Mbps) Enter the maximum throughput (in Mbps) for clear text or tunneled
traffic leaving the firewall through this interface. The value is 0 by
default, which specifies the firewall limit (60,000 Mbps in PAN-
OS 7.1.16 and later releases; 16,000 in PAN-OS 7.1.15 and earlier
releases). The Egress Max for clear text or tunneled traffic must be
less than or equal to the Egress Max for the physical interface.
Add • Click Add on the Clear Text Traffic tab to define additional
granularity to the treatment of clear text traffic. Click individual
entries to configure the following settings:
• Name—Enter a name to identify these settings.
• QoS Profile—Select the QoS profile to apply to the specified
interface and subnet. For instructions on defining QoS
profiles, refer to Network > Network Profiles > QoS.
• Source Interface—Select the firewall interface.
• Destination interface—(PA-3200 Series, PA-5200 Series,
PA-5400 Series, PA-7000 Series only) Select the destination
interface for which the traffic is intended.
• Source Subnet—Select a subnet to restrict the settings to
traffic coming from that source, or keep the default any to
apply the settings to any traffic from the specified interface.
• Click Add from the Tunneled Traffic tab to override the default
profile assignment for specific tunnels and configure the
following settings:
• Tunnel Interface—Select the tunnel interface on the firewall.
• QoS Profile—Select the QoS profile to apply to the specified
tunnel interface.
For example, assume a configuration with two sites, one of which
has a 45 Mbps connection and the other a T1 connection to the
firewall. You can apply restrictive QoS settings to the T1 site so that
the connection is not overloaded while also allowing more flexible
settings for the site with the 45 Mbps connection.
To remove a clear text or tunneled traffic entry, clear the entry and
click Delete.
Bandwidth Shows the real time bandwidth charts for the selected node and classes. This
information is updated every two seconds.
Applications Lists all active applications for the selected QoS node and/or class.
Source Users Lists all the active source users for the selected QoS node and/or class.
Destination Users Lists all the active destination users for the selected QoS node and/or class.
Security Rules Lists the security rules matched to and enforcing the selected QoS node and/or
class.
QoS Rules Lists the QoS rules matched to and enforcing the selected QoS node and/or class.
Configure an LLDP profile. Network > Network Profiles > LLDP Profile
LLDP Overview
LLDP allows the firewall to send and receive Ethernet frames containing LLDP data units (LLDPDUs) to and
from neighbors. The receiving device stores the information in a MIB, which can be accessed by the Simple
Network Management Protocol (SNMP). LLDP enables network devices to map their network topology and
learn capabilities of the connected devices, which makes troubleshooting easier—especially for virtual wire
deployments where the firewall would typically go undetected in a network topology.
Transmit Interval (sec) LLDP General Specify the interval, in seconds, at which LLDPDUs are
transmitted (range is 1-3,600; default is 30).
Transmit Delay (sec) Specify the delay time, in seconds, between LLDP
transmissions sent after a change is made in a Type-
Length-Value (TLV) element. The delay helps to prevent
flooding the segment with LLDPDUs if many network
changes spike the number of LLDP changes or if the
interface flaps. The Transmit Delay must be less than the
Transmit Interval (range is 1-600; default is 2).
Hold Time Multiple Specify a value that is multiplied by the Transmit Interval
to determine the total TTL hold time (range is 1-100;
default is 4).
The TTL hold time is the length of time the firewall
will retain the information from the peer as valid. The
maximum TTL hold time is 65,535 seconds, regardless of
the multiplier value.
Notification Interval Specify the interval, in seconds, at which syslog and SNMP
Trap notifications are transmitted when MIB changes
occur (range is 1-3,600; default is 5).
• LLDP > Status
Filter (spyglass icon): Optionally enter a data value in the filter row and click the gray arrow, which causes only the rows that include that data value to be displayed. Click the red X to Clear Filter.
Dropped Transmit: Count of LLDPDUs that were not transmitted out the interface because of an error, for example, a length error when the system is constructing an LLDPDU for transmission.
Aged Out: Count of items deleted from the Receive MIB due to proper TTL expiration.
• LLDP > Peers
Filter (spyglass icon): Optionally enter a data value in the filter row and click the gray arrow, which causes only the rows that include that data value to be displayed. Click the red X to Clear Filter.
More Info: Click More Info to see Remote Peer Details, which are based on the Mandatory and Optional TLVs.
For VPN tunnels between GlobalProtect gateways and satellites (firewalls), see Network > Network Profiles > IPSec Crypto.
Name: Enter a name to identify the profile. The name is case-sensitive, must be unique, and can have up to 31 characters. Use only letters, numbers, spaces, hyphens, and underscores.
Encryption: Click Add and select the desired encryption algorithms. For highest security, change the order (top to bottom) to: aes-256-gcm, aes-128-gcm, aes-128-cbc.
Authentication: Click Add and select the authentication algorithm. Currently, the only option is sha1.
Add: To create a new IKE gateway, click Add. See IKE Gateway General Tab and IKE Gateway Advanced Options Tab for instructions on configuring the new gateway.
Enable: To enable a gateway that has been disabled, select the gateway and click Enable, which is the default setting for a gateway.
PDF/CSV: Administrative roles with a minimum of read-only access can export the object configuration table as PDF/CSV. You can apply filters to create more specific table configuration outputs for things such as audits. Only visible columns in the web interface will be exported. See Configuration Table Export.
Name: Enter a Name to identify the gateway (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Version: Select the IKE version that the gateway supports and must agree to use with the peer gateway: IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode. In IKEv2 preferred mode, the gateway negotiates for IKEv2 and uses it if the peer also supports IKEv2; otherwise, the gateway falls back to IKEv1.
Address Type: Select the type of IP address the gateway uses: IPv4 or IPv6.
Local IP Address: Select or enter the IP address for the local interface that is the endpoint of the tunnel.
Peer IP Address Type: Select one of the following settings and enter the corresponding information for the peer:
• Dynamic—Select this option if the peer IP address or FQDN value is unknown. When the peer IP address type is Dynamic, it is up to the peer to initiate the IKE gateway negotiation.
• IP—Enter Peer Address as an IPv4 or IPv6 address or an address object that is an IPv4 or IPv6 address.
• FQDN—Enter Peer Address as an FQDN or an address object that uses an FQDN.
If you enter an FQDN or FQDN address object that resolves to more than one IP address, the firewall selects the preferred address from the set of addresses that match the Address Type (IPv4 or IPv6) of the IKE gateway as follows:
• If no IKE security association (SA) has been negotiated, the preferred address is the IP address with the smallest value.
• If an address is used by the IKE gateway and is in the set of returned addresses, it is used (whether or not it is smallest).
• If an address is used by the IKE gateway but isn’t in the set of returned addresses, a new address is selected: the smallest address in the set.
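The three selection rules above, as an added example that is not PAN-OS code: a small Python model of how the preferred peer address is chosen when an FQDN resolves to several addresses. The DNS answer and the in-use address are constructed sample values.

```python
import ipaddress
from typing import Iterable, Optional


def select_peer_address(resolved: Iterable[str], address_type: str,
                        current: Optional[str] = None) -> Optional[str]:
    """Pick the peer address for an FQDN that resolves to several addresses.

    resolved     -- addresses returned for the FQDN (constructed sample input)
    address_type -- the gateway's Address Type, "IPv4" or "IPv6"
    current      -- the address the existing IKE SA uses, or None if no SA yet
    """
    version = 4 if address_type == "IPv4" else 6
    # Only addresses matching the gateway's Address Type are candidates, ordered
    # by numeric value so index 0 is "the IP address with the smallest value".
    candidates = sorted(
        (a for a in map(ipaddress.ip_address, resolved) if a.version == version),
        key=int,
    )
    if not candidates:
        return None  # nothing usable was returned for this Address Type
    if current is not None:
        in_use = ipaddress.ip_address(current)
        # Rule 2: the address already in use stays selected while DNS still
        # returns it, even if it is not the smallest.
        if in_use in candidates:
            return str(in_use)
    # Rule 1 (no SA yet) and rule 3 (in-use address no longer returned):
    # fall back to the smallest address in the set.
    return str(candidates[0])


def demo() -> dict:
    """Runs the three rules on one constructed DNS answer; returns the choices."""
    answer = ["203.0.113.20", "203.0.113.5", "2001:db8::1"]
    return {
        "no_sa": select_peer_address(answer, "IPv4"),
        "keep_in_use": select_peer_address(answer, "IPv4", "203.0.113.20"),
        "in_use_gone": select_peer_address(answer, "IPv4", "203.0.113.9"),
        "v6_only": select_peer_address(answer, "IPv6"),
    }
```

The point worth noticing when troubleshooting is rule 2: once an SA exists, a DNS change that adds a smaller address does not move the tunnel; only the disappearance of the in-use address does.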
Authentication: Select the type of authentication that will occur with the peer gateway: Pre-Shared Key or Certificate. Depending on the selection, see Pre-Shared Key Fields or Certificate Fields.
Pre-Shared Key Fields
Pre-Shared Key / Confirm Pre-Shared Key: If you select Pre-Shared Key, enter a single security key to use for symmetric authentication across the tunnel. The Pre-Shared Key value is a string that the administrator creates using a maximum of 255 ASCII or non-ASCII characters. Generate a key that is difficult to crack with dictionary attacks; use a pre-shared key generator, if necessary.
Local Identification: Defines the format and identification of the local gateway, which are used with the pre-shared key for both IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one of the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), or User FQDN (email address). If you don’t specify a value, the gateway will use the local IP address as the Local Identification value.
Peer Identification: Defines the type and identification of the peer gateway, which are used with the pre-shared key during IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one of the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), or User FQDN (email address). If you don’t specify a value, the gateway will use the IP address of the peer as the Peer Identification value.
Certificate Fields
Local Certificate: If Certificate is selected as the Authentication type, from the drop-down, select a certificate that is already on the firewall. Alternatively, you could Import a certificate, or Generate a new certificate, as follows:
Import:
• Certificate Name—Enter a name for the certificate you are importing.
• Shared—Click if this certificate is to be shared among multiple virtual systems.
• Certificate File—Click Browse to navigate to the location where the certificate file is located. Click on the file and select Open.
• File Format—Select one of the following:
  • Base64 Encoded Certificate (PEM)—Contains the certificate, but not the key. Cleartext.
  • Encrypted Private Key and Certificate (PKCS12)—Contains both the certificate and the key.
• Private key resides on Hardware Security Module—Click if the firewall is a client of an HSM server where the key resides.
• Import Private Key—Click if a private key is to be imported because it is in a different file from the certificate file.
• Block Private Key Export—When you select Import Private Key, prevents any administrators, including Superusers, from exporting the private key.
• Key File—Browse and navigate to the key file to import. This entry is available if you chose PEM as the File Format.
• Passphrase and Confirm Passphrase—Enter to access the key.
HTTP Certificate Exchange: Click HTTP Certificate Exchange and enter the Certificate URL to use the Hash-and-URL method to tell the peer where to fetch the certificate. The Certificate URL is the URL of the remote server where you store your certificate. If the peer indicates that it also supports Hash and URL, then certificates are exchanged through the SHA1 Hash-and-URL exchange. When the peer receives the IKE certificate payload, it sees the HTTP URL and fetches the certificate from that server. Then the peer uses the hash specified in the certificate payload to check the certificates downloaded from the HTTP server.
Local Identification: Identifies how the local peer is identified in the certificate. Choose one of the following types and enter the value: Distinguished Name (Subject), FQDN (hostname), IP address, or User FQDN (email address).
Peer Identification: Identifies how the remote peer is identified in the certificate. Choose one of the following types and enter the value: Distinguished Name (Subject), FQDN (hostname), IP address, or User FQDN (email address).
Peer ID Check: Select Exact or Wildcard. This setting applies to the Peer Identification being examined to validate the certificate. For example, if the Peer Identification is a Name equal to domain.com, you select Exact, and the name of the certificate in the IKE ID payload is mail.domain2.com, the IKE negotiation will fail. But if you selected Wildcard, then only characters in the Name string before the wildcard asterisk (*) must match and any character after the wildcard can be different.
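The Exact and Wildcard comparison described for Peer ID Check, as an added example that is not PAN-OS code. The function applies the rule as the text states it (characters before the asterisk must match, anything after may differ); the helper that reports how broad a wildcard value is, and the sample identities, are this example's own.

```python
def peer_id_matches(configured: str, presented: str, check: str = "Exact") -> bool:
    """Compare the configured Peer Identification with the identity the peer
    sends in the IKE ID payload.

    check == "Exact":    the two strings must be identical.
    check == "Wildcard": only the characters before the asterisk (*) in the
                         configured value must match; whatever follows may differ.
    """
    if check == "Exact":
        return configured == presented
    if check == "Wildcard":
        prefix, star, _ = configured.partition("*")
        if not star:
            return configured == presented  # no asterisk configured: behaves like Exact
        return presented.startswith(prefix)
    raise ValueError(f"unknown Peer ID Check mode: {check!r}")


def wildcard_scope(configured: str) -> str:
    """Describe how broad a Wildcard value is (example helper). A value that
    starts with '*' has an empty prefix and therefore matches every identity
    the peer could present, which is worth checking before committing."""
    prefix, star, _ = configured.partition("*")
    if not star:
        return "exact"
    return "any identity" if prefix == "" else f"identities starting with {prefix!r}"
```

With the text's own example, `peer_id_matches("domain.com", "mail.domain2.com", "Exact")` is false, while a Wildcard value such as `mail.*` accepts `mail.domain2.com`; `wildcard_scope` makes the cost of a leading asterisk visible.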
Permit peer identification and certificate payload identification mismatch: Select if you want the flexibility of having a successful IKE SA even though the peer identification does not match the certificate payload.
Certificate Profile: Select a profile or create a new Certificate Profile that configures the certificate options that apply to the certificate that the local gateway sends
Enable strict validation of peer’s extended key use: Select if you want to strictly control how the key is used.
Enable Passive Mode: Click to have the firewall only respond to IKE connections and never initiate them.
Enable NAT Traversal: Click to have UDP encapsulation used on IKE and UDP protocols, enabling them to pass through intermediate NAT devices. Enable NAT Traversal if Network Address Translation (NAT) is configured on a device between the IPSec VPN terminating points.
IKEv1 Tab
Exchange Mode: Choose auto, aggressive, or main. In auto mode (default), the device can accept both main mode and aggressive mode negotiation requests; however, whenever possible, it initiates negotiation and allows exchanges in main mode. You must configure the peer device with the same exchange mode to allow it to accept negotiation requests initiated from the first device.
IKE Crypto Profile: Select an existing profile, keep the default profile, or create a new profile. The profiles selected for IKEv1 and IKEv2 can differ. For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto.
Enable Fragmentation: Click to allow the local gateway to receive fragmented IKE packets. The maximum fragmented packet size is 576 bytes.
Dead Peer Detection: Click to enable and enter an interval (2 - 100 seconds) and delay before retrying (2 - 100 seconds). Dead peer detection identifies inactive or unavailable IKE peers and can help restore resources that are lost when a peer is unavailable.
IKEv2 Tab
IKE Crypto Profile: Select an existing profile, keep the default profile, or create a new profile. The profiles selected for IKEv1 and IKEv2 can differ. For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto.
Strict Cookie Validation: Click to enable Strict Cookie Validation on the IKE gateway.
• When you enable Strict Cookie Validation, IKEv2 cookie validation is always enforced; the initiator must send an IKE_SA_INIT containing a cookie.
• When you disable Strict Cookie Validation (default), the system will check the number of half-open SAs against the global Cookie Activation Threshold, which is a VPN Sessions setting. If the number of half-open SAs exceeds the Cookie Activation Threshold, the initiator must send an IKE_SA_INIT containing a cookie.
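The two cookie behaviours above, as an added example that is not PAN-OS code: a responder-side model of the IKEv2 cookie check. Whether a cookie is demanded follows the text (always with Strict Cookie Validation, otherwise only while half-open SAs exceed the Cookie Activation Threshold); the cookie itself is built the way RFC 7296 suggests, as an HMAC over what the initiator already sent, so the responder keeps no state until a valid cookie returns. The threshold value, SPIs and addresses are constructed.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Set, Tuple


class IkeResponder:
    """Responder-side model of IKEv2 cookie validation."""

    def __init__(self, strict: bool, threshold: int) -> None:
        self.strict = strict              # Strict Cookie Validation on/off
        self.threshold = threshold        # Cookie Activation Threshold (constructed)
        self.half_open: Set[bytes] = set()  # initiator SPIs still awaiting IKE_AUTH
        self.secret = os.urandom(16)      # a real responder rotates this periodically

    def _cookie(self, spi_i: bytes, src_ip: str) -> bytes:
        # Stateless cookie: an HMAC over fields the initiator already sent.
        return hmac.new(self.secret, spi_i + src_ip.encode(), hashlib.sha256).digest()[:16]

    def cookie_required(self) -> bool:
        return self.strict or len(self.half_open) > self.threshold

    def handle_sa_init(self, spi_i: bytes, src_ip: str,
                       cookie: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Process one IKE_SA_INIT.

        Returns ("cookie", value)  to challenge the initiator to resend with the cookie,
                ("accept", None)   when the exchange may continue and state is allocated,
                ("reject", None)   when the presented cookie does not verify.
        """
        if self.cookie_required():
            expected = self._cookie(spi_i, src_ip)
            if cookie is None:
                return ("cookie", expected)
            if not hmac.compare_digest(cookie, expected):
                return ("reject", None)
        self.half_open.add(spi_i)         # state is created only past the check
        return ("accept", None)

    def complete(self, spi_i: bytes) -> None:
        """IKE_AUTH finished (or the half-open SA timed out)."""
        self.half_open.discard(spi_i)


def demo() -> List[str]:
    """Constructed run with Strict off and threshold 2: the fourth SA_INIT that
    arrives while three SAs are half-open is challenged, and it is accepted once
    resent with the cookie."""
    r = IkeResponder(strict=False, threshold=2)
    outcomes = []
    for i in range(3):
        outcomes.append(r.handle_sa_init(bytes([i]) * 8, "198.51.100.7")[0])
    kind, cookie = r.handle_sa_init(b"\x09" * 8, "198.51.100.8")
    outcomes.append(kind)
    outcomes.append(r.handle_sa_init(b"\x09" * 8, "198.51.100.8", cookie)[0])
    return outcomes
```

The design point is that the responder allocates nothing for an initiator it has not yet seen twice once the threshold is crossed, which is what keeps a flood of spoofed IKE_SA_INIT packets from exhausting half-open SA capacity.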
Liveness Check: The IKEv2 Liveness Check is always on; all IKEv2 packets serve the purpose of a liveness check. Click this box to have the system send empty informational packets after the peer has been idle for a specified number of seconds. Range: 2-100. Default: 5. If necessary, the side that is trying to send IKEv2 packets attempts the liveness check up to 10 times (all IKEv2 packets count toward the retransmission setting). If it gets no response, the sender closes and deletes the IKE_SA and CHILD_SA. The sender starts over by sending out another IKE_SA_INIT.
Name: Enter a Name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
IPSec Protocol: Select a protocol for securing data that traverses the VPN tunnel:
• ESP—Encapsulating Security Payload protocol encrypts the data, authenticates the source, and verifies data integrity.
• AH—Authentication Header protocol authenticates the source and verifies data integrity.
Encryption (ESP protocol only): Click Add and select the desired encryption algorithms. For highest security, use Move Up and Move Down to change the order (top to bottom) to the following: aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the VM-Series firewall doesn’t support this option), aes-128-cbc, 3des, and des. You can also select null (no encryption).
Authentication: Click Add and select the desired authentication algorithms. For highest security, use Move Up and Move Down to change the order (top to bottom) to the following: sha512, sha384, sha256, sha1, md5. If the IPSec Protocol is ESP, you can also select none (no authentication).
DH Group: Select the Diffie-Hellman (DH) group for Internet Key Exchange (IKE): group1, group2, group5, group14, group19, or group20. For highest security, choose the group with the highest number. If you don’t want to renew the key that the firewall creates during IKE phase 1, select no-pfs (no perfect forward secrecy): the firewall reuses the current key for the IPSec security association (SA) negotiations.
Lifetime: Select units and enter the length of time (default is one hour) that the negotiated key will stay effective.
Lifesize: Select optional units and enter the amount of data that the key can use for encryption.
DH Group: Specify the priority for Diffie-Hellman (DH) groups. Click Add and select groups: group1, group2, group5, group14, group19, or group20. For highest security, select an item and then click Move Up or Move Down to move the groups with higher numeric identifiers to the top of the list. For example, move group14 above group2.
Authentication: Specify the priority for hash algorithms. Click Add and select algorithms. For highest security, select an item and then click Move Up or Move Down to change the order (top to bottom) to the following:
• sha512
• sha384
• sha256
• sha1
• md5
• none
Key Lifetime: Select unit of time and enter the length of time that the negotiated IKE Phase 1 key will be effective (default is 8 hours).
• IKEv2—Before the key lifetime expires, the SA must be re-keyed or else, upon expiration, the SA must begin a new Phase 1 key negotiation.
• IKEv1—Will not actively do a Phase-1 re-key before expiration. Only when the IKEv1 IPSec SA expires will it trigger IKEv1 Phase 1 re-key.
IKEv2 Authentication Multiple: Specify a value (range is 0-50; default is 0) that is multiplied by the Key Lifetime to determine the authentication count. The authentication count is the number of times that the gateway can perform IKEv2 IKE SA re-key before the gateway must start over with IKEv2 re-authentication. A value of 0 disables the re-authentication feature.
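The strongest-first ordering that both the IPSec Crypto table and the IKE Crypto table above recommend, as an added example that is not PAN-OS code: a Python audit that takes a profile's algorithm lists, reports entries that are out of order, and produces the corrected lists. The orderings come from the tables; the set of options the audit treats as unacceptable (null/none/no-pfs, des, 3des, md5, and DH groups below group14) is this example's assessment, and the sample profile is constructed.

```python
from typing import Dict, List

Profile = Dict[str, List[str]]

# Strongest-first orderings, as the IPSec Crypto and IKE Crypto tables list them.
ORDER: Dict[str, List[str]] = {
    "encryption": ["aes-256-gcm", "aes-256-cbc", "aes-192-cbc", "aes-128-gcm",
                   "aes-128-ccm", "aes-128-cbc", "3des", "des", "null"],
    "authentication": ["sha512", "sha384", "sha256", "sha1", "md5", "none"],
    "dh-group": ["group20", "group19", "group14", "group5", "group2", "group1", "no-pfs"],
}

# Options this example refuses for a new deployment: no protection (null, none,
# no-pfs), obsolete primitives (des, 3des, md5) and DH groups below 2048 bits.
# This is the example's own assessment, not a statement in the help text.
WEAK = {"null", "none", "no-pfs", "des", "3des", "md5", "group1", "group2", "group5"}


def _rank(field: str, alg: str) -> int:
    order = ORDER[field]
    return order.index(alg) if alg in order else len(order)


def strongest_first(field: str, algs: List[str]) -> List[str]:
    """The list as it should read top-to-bottom after Move Up / Move Down."""
    return sorted(algs, key=lambda a: _rank(field, a))


def audit_profile(profile: Profile) -> List[str]:
    """Findings for a profile of the form
    {"encryption": [...], "authentication": [...], "dh-group": [...]}."""
    findings = []
    for field, algs in profile.items():
        for alg in algs:
            if alg in WEAK:
                findings.append(f"{field}: remove {alg}")
        ranks = [_rank(field, a) for a in algs]
        if ranks != sorted(ranks):
            findings.append(f"{field}: reorder to {', '.join(strongest_first(field, algs))}")
    return findings


def harden_profile(profile: Profile) -> Profile:
    """The corrected profile: weak options dropped, strongest first."""
    return {field: strongest_first(field, [a for a in algs if a not in WEAK])
            for field, algs in profile.items()}


# Constructed sample: an IPSec Crypto profile an admin might have left behind.
WEAK_PROFILE: Profile = {
    "encryption": ["3des", "aes-128-cbc", "aes-256-gcm"],
    "authentication": ["md5", "sha1", "sha256"],
    "dh-group": ["group2", "group14"],
}
```

Running `audit_profile(WEAK_PROFILE)` lists the removals and the reorder for each field, and `harden_profile(WEAK_PROFILE)` yields the profile with aes-256-gcm, sha256 and group14 at the top of their lists; auditing the hardened profile returns no findings.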
Field Description
Name: Enter a name to identify the monitor profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Action: Specify an action to take if the tunnel is not available. If the threshold number of heartbeats is lost, the firewall takes the specified action.
• wait-recover—Wait for the tunnel to recover; do not take additional action. Packets will continue to be sent according to the PBF rule.
• fail-over—Traffic will fail over to a backup path, if one is available. The firewall uses routing table lookup to determine routing for the duration of this session.
In both cases, the firewall tries to negotiate new IPSec keys to accelerate the recovery.
Interval: Specify the time between heartbeats (range is 2 to 10; default is 3).
Threshold: Specify the number of heartbeats to be lost before the firewall takes the specified action (range is 2 to 10; default is 5).
Field Description
Name: Enter a profile name (up to 31 characters). This name appears in the list of Interface Management profiles when configuring interfaces. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Administrative Management Services:
• Telnet—Use to access the firewall CLI. Telnet uses plaintext, which is not as secure as SSH.
Network Services:
• Ping—Use to test connectivity with external services. For example, you can ping the interface to verify it can receive PAN-OS software and content updates from the Palo Alto Networks Update Server.
• HTTP OCSP—Use to configure the firewall as an Online Certificate Status Protocol (OCSP) responder. For details, see Device > Certificate Management > OCSP Responder.
• SNMP—Use to process firewall statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
• Response Pages—Use to enable response pages for:
  • Authentication Portal—The ports used to serve Authentication Portal response pages are left open on Layer 3 interfaces: port 6080 for NTLM, 6081 for Authentication Portal without an SSL/TLS Server Profile, and 6082 for Authentication Portal with an SSL/TLS Server Profile. For details, see Device > User Identification > Authentication Portal Settings.
  • URL Admin Override—For details, see Device > Setup > Content-ID.
• User-ID—Use to enable Redistribution of user mappings among firewalls.
• User-ID Syslog Listener-SSL—Use to allow the PAN-OS integrated User-ID agent to collect syslog messages over SSL. For details, see Configure Access to Monitored Servers.
Permitted IP Addresses: Enter the list of IPv4 or IPv6 addresses from which the interface allows access.
Apply a Zone Protection profile to each zone to layer in extra protection against IP floods, reconnaissance, packet-based attacks, and non-IP protocol attacks. Zone Protection on the firewall should be a second layer of protection after a dedicated DDoS device at the internet perimeter.
To augment zone protection capabilities on the firewall, configure a DoS Protection policy (Policies > DoS Protection) to match on a specific zone, interface, IP address, or user.
Zone protection is enforced only when there is no session match for the packet because zone protection is based on new connections per second (cps), not on packets per second (pps). If the packet matches an existing session, it will bypass the zone protection setting.
• Network > Network Profiles > Zone Protection
Name: Enter a profile name (up to 31 characters). This name appears in the list of Zone Protection profiles when configuring zones. The name
Continue to create the Zone Protection profile by configuring any combination of settings based on what types of protection your zone needs:
• Flood Protection
• Reconnaissance Protection
• Packet Based Attack Protection
• Protocol Protection
• Ethernet SGT Protection
If you have a multi virtual system environment, and have enabled the following:
• External zones to enable inter virtual system communication
• Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications
the following Zone and DoS protection mechanisms will be disabled on the external zone:
• SYN cookies
• IP fragmentation
• ICMPv6
To enable IP fragmentation and ICMPv6 protection for the shared gateway, you must create a separate Zone Protection profile for the shared gateway.
To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Drop or SYN cookies; on an external zone, only Random Early Drop is available for SYN Flood protection.
Flood Protection
• Network > Network Profiles > Zone Protection > Flood Protection
Configure a profile that provides flood protection against SYN, ICMP, ICMPv6, SCTP INIT, and UDP packets, as well as protection against flooding from other types of IP packets. The rates are in connections per second; for example, an incoming SYN packet that doesn’t match an existing session is considered a new connection.
SYN: Select to enable protection against SYN floods.
Action: Select the action to take in response to a SYN flood attack.
Alarm Rate (connections/sec): Enter the number of SYN packets (not matching an existing session) the zone receives per second that triggers an alarm. You can view alarms on the Dashboard and in the threat log (Monitor > Packet Capture). Range is 0 to 2,000,000; default is 10,000.
ICMP: Select to enable protection against ICMP floods.
Alarm Rate (connections/sec): Enter the number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm. Range is 0-2,000,000; default is 10,000.
SCTP INIT: Select to enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk. An INIT chunk cannot be bundled with other chunks, so the packet is referred to as an SCTP INIT packet.
Alarm Rate (connections/sec): Enter the number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm. Range is 0-2,000,000. Default per firewall model is:
• PA-5280—10,000
• PA-5260—7,000
• PA-5250—5,000
• PA-5220—3,000
• VM-700—1,000
• VM-500—500
• VM-300—250
• VM-100—200
• VM-50—100
Maximum (connections/sec): Enter the maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped. Range is 1 to 2,000,000. Default per firewall model is:
• PA-5280—20,000
• PA-5260—14,000
• PA-5250—10,000
• PA-5220—6,000
• VM-700—2,000
• VM-500—1,000
• VM-300—500
• VM-100—400
• VM-50—200
UDP: Select to enable protection against UDP floods.
Alarm Rate (connections/sec): Enter the number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm. Range is 0-2,000,000; default is 10,000.
ICMPv6: Select to enable protection against ICMPv6 floods.
Alarm Rate (connections/sec): Enter the number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm. Range is 0-2,000,000; default is 10,000.
Other IP: Select to enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods.
Alarm Rate (connections/sec): Enter the number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP packets) (not matching an existing session) the zone receives per second that triggers an attack alarm. Range is 0-2,000,000; default is 10,000.
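The counting rule behind the Alarm Rate and Maximum fields above (connections per second, counted only for packets that match no existing session), as an added example that is not PAN-OS code. The Python class buckets new connections per zone, protocol and second, raises an alarm when the Alarm Rate is exceeded and drops once the Maximum is exceeded; the thresholds, addresses and packet burst in `demo()` are constructed, much smaller than the defaults in the table so the behaviour is visible.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, int]  # (src, dst, sport, dport)


class FloodMonitor:
    """Per-zone, per-protocol, per-second new-connection counter."""

    def __init__(self, alarm_rate: int, maximum: int) -> None:
        self.alarm_rate = alarm_rate    # Alarm Rate (connections/sec), constructed
        self.maximum = maximum          # Maximum (connections/sec), constructed
        self.sessions: Set[Tuple[str, str, Flow]] = set()
        self.cps: Dict[Tuple[str, str, int], int] = defaultdict(int)
        self.alarms: List[Tuple[str, str, int]] = []

    def process(self, ts: int, zone: str, proto: str, flow: Flow) -> str:
        """Classify one packet: 'session' (matches a session, so zone protection
        is bypassed), 'new', 'alarm' (over Alarm Rate) or 'drop' (over Maximum)."""
        key = (zone, proto, flow)
        if key in self.sessions:
            return "session"
        bucket = (zone, proto, ts)
        self.cps[bucket] += 1
        count = self.cps[bucket]
        if count > self.maximum:
            return "drop"               # beyond Maximum: discarded, no session
        self.sessions.add(key)          # a session now exists for this flow
        if count > self.alarm_rate:
            if bucket not in self.alarms:
                self.alarms.append(bucket)  # one alarm per zone/proto/second
            return "alarm"
        return "new"


def demo() -> List[str]:
    """Constructed burst: seven distinct SYNs plus one repeat within one second,
    then one more SYN a second later, against Alarm Rate 3 and Maximum 5."""
    mon = FloodMonitor(alarm_rate=3, maximum=5)
    results = []
    for n in range(7):
        results.append(mon.process(100, "untrust", "syn",
                                   ("198.51.100.9", "203.0.113.10", 40000 + n, 443)))
    # Same flow as the first packet: it matched a session, so it is not counted.
    results.append(mon.process(100, "untrust", "syn",
                               ("198.51.100.9", "203.0.113.10", 40000, 443)))
    # Next second starts a fresh bucket.
    results.append(mon.process(101, "untrust", "syn",
                               ("198.51.100.9", "203.0.113.10", 40100, 443)))
    return results
```

The repeat packet returning `session` is the detail the note above the Name field makes: rates are new connections per second, so retransmissions inside an established session never contribute to a flood count.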
Reconnaissance Protection
• Network > Network Profiles > Zone Protection > Reconnaissance Protection
The following settings define reconnaissance protection:
TCP Port Scan: Enable configures the profile to enable protection against TCP port scans.
UDP Port Scan: Enable configures the profile to enable protection against UDP port scans.
Action: Action that the system will take in response to the corresponding reconnaissance attempt:
• Allow—Permits the port scan or host sweep reconnaissance.
• Alert—Generates an alert for each port scan or host sweep that matches the threshold within the specified time interval (the default action).
• Block—Drops all subsequent packets from the source to the destination for the remainder of the specified time interval.
• Block IP—Drops all subsequent packets for the specified Duration, in seconds (range is 1-3,600). Track By determines whether to block source or source-and-destination traffic. For example, block attempts above the threshold number per interval that are from a single source (more stringent), or block attempts that have a source and destination pair (less stringent).
Interval (sec): Time interval, in seconds, for TCP or UDP port scan detection (range is 2-65,535; default is 2). Time interval, in seconds, for host sweep detection (range is 2-65,535; default is 10).
Threshold (events): Number of scanned port events or host sweep events within the specified time interval that triggers the Action (range is 2-65,535; default is 100).
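The Interval, Threshold and Track By semantics above, as an added example that is not PAN-OS code: a sliding-window port scan detector in Python that counts distinct destination ports per tracked key within the Interval, fires the Action at the Threshold, and for Block IP drops the key's traffic for the Duration. The window, threshold, duration and the packet sequences in the usage note are constructed and far below the profile defaults so the difference between tracking by source and by source-and-destination is visible.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable, Tuple


class PortScanDetector:
    """Sliding-window port scan detection (example values are constructed)."""

    def __init__(self, interval_sec: int, threshold: int,
                 track_by: str = "source", duration_sec: int = 60) -> None:
        self.interval = interval_sec      # Interval (sec)
        self.threshold = threshold        # Threshold (events)
        self.track_by = track_by          # "source" or "source-and-destination"
        self.duration = duration_sec      # Block IP Duration (sec)
        # tracked key -> (timestamp, dst, dport) events still inside the interval
        self.events: Dict[Hashable, Deque[Tuple[int, str, int]]] = defaultdict(deque)
        self.blocked_until: Dict[Hashable, int] = {}

    def _key(self, src: str, dst: str) -> Hashable:
        return src if self.track_by == "source" else (src, dst)

    def observe(self, ts: int, src: str, dst: str, dport: int,
                action: str = "alert") -> str:
        """Classify one packet that started no session: 'blocked', 'alert',
        'block-ip' (threshold reached and the block just started) or 'ok'."""
        key = self._key(src, dst)
        if ts < self.blocked_until.get(key, -1):
            return "blocked"              # Block IP in force for this key
        window = self.events[key]
        while window and window[0][0] <= ts - self.interval:
            window.popleft()              # events older than Interval expire
        window.append((ts, dst, dport))
        distinct_ports = {(d, p) for _, d, p in window}
        if len(distinct_ports) >= self.threshold:
            window.clear()                # count afresh after acting
            if action == "block-ip":
                self.blocked_until[key] = ts + self.duration
                return "block-ip"
            return "alert"
        return "ok"
```

With Threshold 5 and Interval 2, one source probing three ports on one host and two ports on another within a second reaches the threshold when tracked by source but not when tracked by source-and-destination, which is the "more stringent" versus "less stringent" distinction in the Block IP description.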
IP Drop
• Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop
Spoofed IP address: Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
The firewall does not consider Policy Based Forwarding (PBF) rules during this check; it considers only routes listed in the routing table (RIB), that is, routes listed under the CLI output for show routing route.
For a firewall in Common Criteria (CC) mode, you can enable logging for discarded packets. On the firewall web interface, select Device > Log Settings. In the Manage Logs section, select Selective Audit and enable Packet Drop Logging.
IP Option Drop: Select the settings in this group to enable the firewall to drop packets containing these IP Options.
Strict Source Routing: Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
Loose Source Routing: Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
Record Route: Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
TCP Drop
• Network > Network Profiles > Zone Protection > Packet Based Attack Protection > TCP Drop
To instruct the firewall what to do with certain TCP packets it receives in the zone, specify the following settings.
Mismatched overlapping TCP segment: Attackers can construct connections with overlapping but different data in them to cause misinterpretation of the connection. Attackers can use IP spoofing and sequence number prediction to intercept a user’s connection and inject their own data. Use this setting to report an overlap mismatch and drop the packet when segment data does not match in these scenarios:
• The segment is within another segment.
• The segment overlaps with part of another segment.
• The segment covers another segment.
This protection mechanism uses sequence numbers to determine where packets reside within the TCP data stream.
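The overlap check just described, as an added example that is not PAN-OS code: a Python reassembly tracker that records the byte seen at each sequence number in one direction of a stream, classifies a new segment as within, partially overlapping or covering an earlier one, and drops it when the overlapping bytes differ from what was already seen. Sequence numbers and payloads are constructed.

```python
from typing import Dict, List, Tuple


class TcpOverlapCheck:
    """Detects mismatched overlapping segments in one direction of a TCP stream."""

    def __init__(self, isn: int) -> None:
        self.isn = isn
        self.bytes_at: Dict[int, int] = {}         # absolute seq -> byte value
        self.segments: List[Tuple[int, int]] = []  # (seq, end) of accepted segments

    def overlap_kind(self, seq: int, end: int) -> str:
        """'within', 'partial', 'covers' (the table's three cases) or 'none'."""
        kinds = set()
        for s, e in self.segments:
            if end <= s or seq >= e:
                continue                            # disjoint ranges
            if seq >= s and end <= e:
                kinds.add("within")
            elif seq <= s and end >= e:
                kinds.add("covers")
            else:
                kinds.add("partial")
        for k in ("within", "partial", "covers"):   # report in the table's order
            if k in kinds:
                return k
        return "none"

    def add(self, seq: int, data: bytes) -> Tuple[str, str]:
        """Return (verdict, overlap_kind): 'drop' when any overlapping byte
        differs from the data already seen, otherwise 'accept'."""
        end = seq + len(data)
        kind = self.overlap_kind(seq, end)
        for i, b in enumerate(data):
            prev = self.bytes_at.get(seq + i)
            if prev is not None and prev != b:
                return ("drop", kind)               # mismatched overlapping segment
        for i, b in enumerate(data):
            self.bytes_at[seq + i] = b
        self.segments.append((seq, end))
        return ("accept", kind)

    def stream(self) -> bytes:
        """Contiguous reassembled data from the ISN, for inspection."""
        out = bytearray()
        pos = self.isn
        while pos in self.bytes_at:
            out.append(self.bytes_at[pos])
            pos += 1
        return bytes(out)
```

Retransmissions that carry the same bytes are accepted in all three overlap cases, so the check costs nothing for well-behaved stacks; only a segment that tries to rewrite bytes already in the stream is dropped and reported.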
TCP SYN with Data: Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake. Enabled by default.
TCP SYNACK with Data: Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake. Enabled by default.
Reject Non-SYN TCP: Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:
• global—Use system-wide setting that is assigned through TCP Settings or the CLI.
• yes—Reject non-SYN TCP.
• no—Accept non-SYN TCP.
Strip TCP Options: Determine whether to strip the TCP Timestamp or TCP Fast Open option from TCP packets.
TCP Timestamp: Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header. Strip the TCP timestamp from packets that have it to prevent a timestamp DoS attack.
TCP Fast Open: Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake. When this is cleared (disabled), the TCP Fast Open option is allowed, which preserves the speed of a connection setup by including data delivery. This functions independently of the TCP SYN with Data and TCP SYN-ACK with Data. Disabled by default.
A related CLI command strips the Multipath TCP (MPTCP) option:
    # set deviceconfig setting tcp strip-mptcp-option <yes|no>
ICMP Drop
• Network > Network Profiles > Zone Protection > Packet Based Attack Protection > ICMP Drop
ICMP Ping ID 0: Discard packets if the ICMP ping packet has an identifier value of 0.
ICMP Fragment: Discard packets that consist of ICMP fragments.
ICMP Large Packet (>1024): Discard ICMP packets that are larger than 1024 bytes.
Discard ICMP embedded with error message: Discard ICMP packets that are embedded with an error message.
IPv6 Drop
• Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IPv6 Drop
To instruct the firewall to drop certain IPv6 packets it receives in the zone, select the following settings to enable them.
Type 0 Routing Header: Discard IPv6 packets containing a Type 0 routing header. See RFC 5095 for Type 0 routing header information.
IPv4 compatible address: Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
Needless fragment header: Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
MTU in ICMP ‘Packet Too Big’ less than 1280 bytes: Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
Routing extension: Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.
Invalid IPv6 options in extension header: Discard IPv6 packets that contain invalid IPv6 options in an extension header.
Non-zero reserved field: Discard IPv6 packets that have a header with a reserved field not set to zero.
ICMPv6 Drop
• Network > Network Profiles > Zone Protection > Packet Based Attack Protection > ICMPv6 Drop
To instruct the firewall what to do with certain ICMPv6 packets it receives in the zone, select the following settings to enable them.
ICMPv6 destination unreachable - require explicit security rule match: Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
ICMPv6 time exceeded - require explicit security rule match: Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.
Protocol Protection
• Network > Network Profiles > Zone Protection > Protocol Protection
The firewall normally allows non-IP protocols between Layer 2 zones and between virtual wire zones.
Protocol protection allows you to control which non-IP protocols are allowed (include) or denied (exclude)
between or within security zones on a Layer 2 VLAN or virtual wire. Examples of non-IP protocols include
AppleTalk, Banyan VINES, Novell, NetBEUI, and Supervisory Control and Data Acquisition (SCADA) systems
such as Generic Object Oriented Substation Event (GOOSE).
After you configure protocol protection in a Zone Protection profile, apply the profile to an ingress security
zone on a Layer 2 VLAN or virtual wire.
Enable Protocol Protection on internet-facing zones to prevent layer 2 traffic from protocols
you don’t use from getting on your network.
Rule Type Network > Specify the type of list you are creating for protocol protection:
Network
• Include List—Only the protocols on the list are allowed—in
Profiles > Zone
addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and
Protection >
VLAN tagged frames (0x8100). All other protocols are implicitly
Protocol
denied (blocked).
Protection
• Exclude List—Only the protocols on the list are denied; all
other protocols are implicitly allowed. You cannot exclude IPv4
(0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames
(0x8100).
Protocol Name Enter the protocol name that corresponds to the Ethertype code
you are adding to the list. The firewall does not verify that the
protocol name matches the Ethertype code but the Ethertype code
does determine the protocol filter.
Enable Enable the Ethertype code on the list. If you want to disable a
protocol for testing purposes but not delete it, disable it, instead.
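The include and exclude list semantics above, worked through as an added example (not Palo Alto Networks code): the four always-allowed Ethertypes, the validation that an exclude list cannot contain them, disabled entries that stay configured but are ignored, and a small constructed-frame parser. The GOOSE and AppleTalk Ethertype values are standard assignments; how the firewall treats the encapsulated Ethertype of an 802.1Q tagged frame is not described on this page, so that part is an assumption.

```python
"""Model of Zone Protection > Protocol Protection list semantics (added example)."""
import struct

# Ethertypes the firewall always passes and that cannot be excluded (from the help text).
ALWAYS_ALLOWED = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x8100: "VLAN tagged"}

# Standard Ethertype assignments for two non-IP protocols named in the text.
ETHERTYPE_GOOSE = 0x88B8      # IEC 61850 GOOSE
ETHERTYPE_APPLETALK = 0x809B  # AppleTalk


class ProtocolProtection:
    """One protocol protection rule set: an include list or an exclude list."""

    def __init__(self, rule_type, entries):
        # entries: {ethertype: enabled}; a disabled entry stays configured but is ignored
        if rule_type not in ("include", "exclude"):
            raise ValueError("rule_type must be 'include' or 'exclude'")
        if rule_type == "exclude":
            bad = sorted(e for e in entries if e in ALWAYS_ALLOWED)
            if bad:
                names = ", ".join(f"{ALWAYS_ALLOWED[e]} (0x{e:04X})" for e in bad)
                raise ValueError(f"cannot exclude {names}")
        self.rule_type = rule_type
        self.entries = dict(entries)

    def active(self):
        """Ethertypes on the list whose Enable flag is set."""
        return {e for e, on in self.entries.items() if on}

    def allows(self, ethertype):
        """Return True if a frame with this Ethertype is allowed through the zone."""
        if ethertype in ALWAYS_ALLOWED:
            return True
        if self.rule_type == "include":
            return ethertype in self.active()    # everything else is implicitly denied
        return ethertype not in self.active()    # exclude: everything else implicitly allowed


def ethertype_of(frame):
    """Extract the Ethertype from an Ethernet II frame.

    Assumption (not stated in the help text): for an 802.1Q tagged frame the
    filter is applied to the encapsulated Ethertype that follows the 4-byte tag.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == 0x8100:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (etype,) = struct.unpack("!H", frame[16:18])
    return etype


def build_frame(ethertype, vlan=None):
    """Constructed sample frame: broadcast destination, dummy source, optional 802.1Q tag."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46


def evaluate(rule, frames):
    """Classify each frame under the given protocol protection list."""
    return [(f"0x{ethertype_of(f):04X}", rule.allows(ethertype_of(f))) for f in frames]


if __name__ == "__main__":
    # An include list for a substation VLAN: only GOOSE may pass besides IP, ARP and VLAN frames.
    scada = ProtocolProtection("include", {ETHERTYPE_GOOSE: True})
    samples = [build_frame(ETHERTYPE_GOOSE), build_frame(ETHERTYPE_APPLETALK),
               build_frame(0x0800), build_frame(ETHERTYPE_GOOSE, vlan=10)]
    for etype, ok in evaluate(scada, samples):
        print(etype, "allow" if ok else "deny")
```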
Layer 2 SGT Exclude List (Network > Network Profiles > Zone Protection > Ethernet SGT Protection) Enter a name for the list of Security Group Tags (SGTs).
Tag Enter the Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).
Profile Name Enter a name to identify the profile (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.
Egress Max Enter the maximum throughput (in Mbps) for traffic leaving the firewall
through this interface. The value is 0 by default, which specifies the firewall
limit (60,000 Mbps in PAN-OS 7.1.16 and later releases; 16,000 in PAN-OS
7.1.15 and earlier releases).
The Egress Max for a QoS profile must be less than or equal to the Egress
Max for the physical interface enabled with QoS. See Network > QoS.
Egress Guaranteed Enter the bandwidth that is guaranteed for this profile (Mbps). When the
egress guaranteed bandwidth is exceeded, the firewall passes traffic on a
best-effort basis.
Classes Add and specify how to treat individual QoS classes. You can select one or
more classes to configure:
• Class—If you do not configure a class, you can still include it in a QoS
policy. In this case, the traffic is subject to overall QoS limits. Traffic that
does not match a QoS policy will be assigned to class 4.
• Priority—Click and select a priority to assign it to a class:
• real-time
• high
• medium
• low
When contention occurs, traffic that is assigned a lower priority is dropped.
Real-time priority uses its own separate queue.
• Egress Max—Click and enter the maximum throughput (in Mbps) for this
class. The value is 0 by default, which specifies the firewall limit (60,000
Mbps in PAN-OS 7.1.16 and later releases; 16,000 in PAN-OS 7.1.15
and earlier releases). The Egress Max for a QoS class must be less than
or equal to the Egress Max for the QoS profile.
Mode Select the mode in which LLDP will function: transmit-receive, transmit-only,
or receive-only.
SNMP Syslog Notification Enables SNMP trap and syslog notifications, which will occur at the global Notification Interval. If enabled, the firewall will send both an SNMP trap and a syslog event as configured in the Device > Log Settings > System > SNMP Trap Profile and Syslog Profile.
Port Description Enables the ifAlias object of the firewall to be sent in the Port Description TLV.
System Name Enables the sysName object of the firewall to be sent in the System Name TLV.
System Description Enables the sysDescr object of the firewall to be sent in the System
Description TLV.
System Capabilities Enables the deployment mode (L3, L2, or virtual wire) of the interface to be
sent, via the following mapping, in the System Capabilities TLV.
• If L3, the firewall advertises router (bit 6) capability and the Other bit (bit 1).
• If L2, the firewall advertises MAC Bridge (bit 3) capability and the Other bit
(bit 1).
• If virtual wire, the firewall advertises Repeater (bit 2) capability and the
Other bit (bit 1).
SNMP MIB will combine capabilities configured on interfaces into a single
entry.
Management Address Enables the Management Address to be sent in the Management Address TLV.
You can enter up to four management addresses, which are sent in the order
they are specified. To change the order, click Move Up or Move Down.
Interface Select an interface whose IP address will be the Management Address. If you
select None, you can enter an IP address in the field next to the IPv4 or IPv6
selection.
IP Choice Select IPv4 or IPv6, and in the adjacent field, select or enter the IP address
to be transmitted as the Management Address. At least one management
address is required if Management Address TLV is enabled. If no management
IP address is configured, the system uses the MAC address of the transmitting
interface as the management address transmitted.
What fields are available to create a BFD profile? See Building Blocks of a BFD Profile.
View BFD status for a virtual router. See View BFD Summary and Details.
BFD Overview
BFD is a protocol that recognizes a failure in the bidirectional path between two forwarding engines,
such as interfaces, data links, or the actual forwarding engines. In the PAN-OS implementation, one of
the forwarding engines is an interface on the firewall and the other is an adjacent configured BFD peer.
The BFD failure detection between two engines is extremely fast, providing faster failover than could be
achieved by link monitoring or frequent dynamic routing health checks, such as Hello packets or heartbeats.
After BFD detects a failure, it notifies the routing protocol to switch to an alternate path to the peer. If BFD
is configured for a static route, the firewall removes the affected routes from the RIB and FIB tables.
BFD is supported on the following interface types: physical Ethernet, AE, VLAN, tunnel (Site-to-Site VPN
and LSVPN), and subinterfaces of Layer 3 interfaces. For each static route or dynamic routing protocol, you
can enable or disable BFD, select the default BFD profile, or configure a BFD profile.
Name Name of the BFD profile (up to 31 characters). The name is case-sensitive and
must be unique on the firewall. Use only letters, numbers, spaces, hyphens, and
underscores.
Desired Minimum Tx Interval (ms) Minimum interval (in milliseconds) at which you want the BFD protocol to send BFD control packets. Minimum value on PA-7000 Series is 50; minimum on PA-3200 Series is 100; minimum on VM-Series is 200 (maximum value is 2000; default is 1000).
Required Minimum Rx Interval (ms) Minimum interval (in milliseconds) at which BFD can receive BFD control packets. Minimum value on PA-7000 Series is 50; minimum on PA-3200 Series is 100; minimum on VM-Series is 200 (maximum value is 2000; default is 1000).
Detection Time Multiplier The local system calculates the detection time as the Detection Time Multiplier received from the remote system multiplied by the agreed transmit interval of the remote system (the greater of the Required Minimum Rx Interval and the last received Desired Minimum Tx Interval). If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred (range is 2 to 50; default is 3).
Hold Time (ms) Delay (in milliseconds) after a link comes up before the firewall transmits BFD
control packets. Hold Time applies to BFD Active mode only. If the firewall receives
BFD control packets during the Hold Time, it ignores them (range is 0-120000;
default is 0). The default setting of 0 means no transmit Hold Time is used; the
firewall sends and receives BFD control packets immediately after the link is
established.
Enable Multihop Enables BFD over multiple hops. Applies to BGP implementation only.
Minimum Rx TTL Minimum Time-to-Live value (number of hops) BFD will accept (receive) when it
supports multihop BFD. Applies to BGP implementation only (range is 1-254; there
is no default).
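The detection time rule and the per-platform timer ranges from the rows above, carried through as an added example (not Palo Alto Networks code): it validates a profile against the documented ranges, computes the remote side's agreed transmit interval and the resulting detection time, and replays constructed control-packet timestamps to find when a failure would be declared.

```python
"""BFD timer calculation as described for a PAN-OS BFD profile (added example)."""
from dataclasses import dataclass

# Per-platform floor for the Tx and Rx intervals in ms (from the help text).
PLATFORM_MIN_INTERVAL_MS = {"PA-7000": 50, "PA-3200": 100, "VM-Series": 200}
MAX_INTERVAL_MS = 2000
MULTIPLIER_RANGE = (2, 50)
HOLD_TIME_RANGE_MS = (0, 120000)


@dataclass(frozen=True)
class BfdProfile:
    # Defaults match the help text: 1000 ms intervals, multiplier 3, no hold time.
    desired_min_tx_ms: int = 1000
    required_min_rx_ms: int = 1000
    detection_multiplier: int = 3
    hold_time_ms: int = 0

    def validate(self, platform):
        """Raise ValueError if any timer is outside the documented range for the platform."""
        floor = PLATFORM_MIN_INTERVAL_MS[platform]
        for name, val in (("desired_min_tx_ms", self.desired_min_tx_ms),
                          ("required_min_rx_ms", self.required_min_rx_ms)):
            if not floor <= val <= MAX_INTERVAL_MS:
                raise ValueError(f"{name}={val} outside {floor}-{MAX_INTERVAL_MS} on {platform}")
        lo, hi = MULTIPLIER_RANGE
        if not lo <= self.detection_multiplier <= hi:
            raise ValueError(f"detection_multiplier={self.detection_multiplier} outside {lo}-{hi}")
        lo, hi = HOLD_TIME_RANGE_MS
        if not lo <= self.hold_time_ms <= hi:
            raise ValueError(f"hold_time_ms={self.hold_time_ms} outside {lo}-{hi}")


def remote_tx_interval_ms(local, remote):
    """Interval at which the remote system actually transmits toward the local system:
    the greater of our Required Minimum Rx Interval and its Desired Minimum Tx Interval."""
    return max(local.required_min_rx_ms, remote.desired_min_tx_ms)


def detection_time_ms(local, remote):
    """Time without a control packet from the remote before the local side declares failure."""
    return remote.detection_multiplier * remote_tx_interval_ms(local, remote)


def session_down_at(local, remote, rx_times_ms, now_ms):
    """Return the time (ms) at which the session was declared down, or None if still up.

    rx_times_ms: constructed timestamps of control packets received from the remote.
    """
    dt = detection_time_ms(local, remote)
    last = None
    for t in sorted(rx_times_ms):
        if last is not None and t - last > dt:
            return last + dt            # the gap between two packets exceeded the detection time
        last = t
    if last is not None and now_ms - last > dt:
        return last + dt                # nothing received since the last packet
    return None


if __name__ == "__main__":
    # Constructed pair: a VM-Series firewall with 200 ms timers and a slower peer.
    local = BfdProfile(desired_min_tx_ms=200, required_min_rx_ms=200, detection_multiplier=3)
    remote = BfdProfile(desired_min_tx_ms=500, required_min_rx_ms=200, detection_multiplier=4)
    local.validate("VM-Series")
    print("remote transmits every", remote_tx_interval_ms(local, remote), "ms")
    print("local detection time", detection_time_ms(local, remote), "ms")
    print("down at", session_down_at(local, remote, [0, 500, 1000, 1500, 4000], 4500))
```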
View a BFD summary. Select Network > Virtual Routers and in the row of the virtual router you are interested in, click More Runtime Stats. Select the BFD Summary Information tab.
View BFD details. Select details in the row of the interface you are interested in to view BFD Details.
Name Enter the name of the SD-WAN Interface Profile using a maximum of 31
alphanumeric characters. The name must begin with an alphanumeric character
and can contain letters, numbers, underscores (_), hyphens (-), periods (.), and
spaces.
Link Tag Select the Link Tag that this profile will assign to the interface or add a new tag. A
link tag bundles physical links (different ISPs) for the firewall to select from during
path selection and failover.
Link Type Select the physical link type from the predefined list (ADSL/DSL, Cable Modem,
Ethernet, Fiber, LTE/3G/4G/5G, MPLS, Microwave/Radio, Satellite, WiFi, or
Other). The firewall can support any CPE device that terminates and hands off
as an Ethernet connection to the firewall; for example, WiFi access points, LTE
modems, laser-microwave CPEs all can terminate with an Ethernet hand-off.
Maximum Download (Mbps) Enter the maximum download speed from the ISP in megabits per second; range is 1 to 100,000, there is no default value. Ask your ISP for the link speed or sample the link’s maximum speeds with a tool such as speedtest.net and take an average of the maximums over a good length of time.
Maximum Upload (Mbps) Enter the maximum upload speed from the ISP in megabits per second; range is 1 to 100,000, there is no default value. Ask your ISP for the link speed or sample the link’s maximum speeds with a tool such as speedtest.net and take an average of the maximums over a good length of time.
Eligible for Error Correction Profile interface selection Select this setting to make interfaces (where you apply this profile) eligible for the encoding firewall to select them for Forward Error Correction (FEC) or packet duplication. You can deselect this setting so that expensive FEC or packet duplication is never used on an expensive link (interface) where you apply the profile. The Link Type specified for the profile determines whether the default setting of Eligible for Error Correction Profile interface selection is selected or not.
To configure FEC or packet duplication, create an SD-WAN Error Correction
Profile.
VPN Data Tunnel Support Determines whether the branch-to-hub traffic and the return traffic flows through a VPN tunnel for added security (enabled by default) or flows outside of the VPN tunnel to avoid encryption overhead.
• Leave VPN Data Tunnel Support enabled for public link types that have direct
internet connections or internet breakout capability, such as cable modem,
ADSL, and other internet connections.
• You can disable VPN Data Tunnel Support for private link types such as MPLS,
satellite, or microwave that do not have internet breakout capability. However,
you must first ensure the traffic cannot be intercepted because it will be sent
outside of the VPN tunnel.
• The branch may have DIA traffic that needs to fail over to the private MPLS link connecting to the hub, and reach the internet from the hub. The VPN Data
VPN Failover Metric (PAN-OS 10.0.3 and later releases) When you configure DIA AnyPath, you need a way to specify the failover order of individual VPN tunnels bundled in a hub virtual interface or branch virtual interface to which DIA fails over. Specify the VPN Failover Metric for the VPN tunnel (link); range is 1 to 65,535; default is 10. The lower the metric value, the higher the priority of the tunnel (link where you apply this profile) to be chosen during failover.
For example, set the metric to a low value and apply the profile to a broadband
interface; then create a different profile that sets a high metric to apply to an
expensive LTE interface to ensure it is used only after broadband has failed over.
If you have only one link at the hub, that link supports all of the
virtual interfaces and DIA traffic. If you want to use the link types
in a specific order, you must apply a Traffic Distribution profile
to the hub that specifies Top Down Priority, and then order the
Link Tags to specify the preferred order. (If you apply a Traffic
Distribution profile that instead specifies Best Available Path, the
firewall will use the link, regardless of cost, to choose the best
performing path to the branch.) In summary, Link Tags in a Traffic
Distribution Profile, the Link Tag applied to a hub virtual interface,
and a VPN Failover Metric work only when the Traffic Distribution
profile specifies Top Down Priority.
Path Monitoring Select the path monitoring mode in which the firewall monitors the interfaces
where you apply this SD-WAN Interface Profile.
• Aggressive—(default for all link types except LTE and Satellite) Firewall
sends probe packets to the opposite end of the SD-WAN link at a constant
frequency.
Use Relaxed mode when you have low bandwidth links, links
that charge by usage (such as LTE), or when fast detection
isn’t as important as preserving cost and bandwidth.
Probe Frequency (per second) Enter the probe frequency, which is the number of times per second that the firewall sends a probe packet to the opposite end of the SD-WAN link (range is 1 to 5; default is 5).
Probe Idle Time (seconds) If you select Relaxed path monitoring, you can set the probe idle time (in seconds) that the firewall waits between sets of probe packets (range is 1 to 60; default is 60).
Failback Hold Time (seconds) Enter the length of time (in seconds) that the firewall waits for a recovered link to remain qualified before the firewall reinstates that link as the preferred link after it has failed over (range is 20 to 120; default is 120). The failback hold time prevents a recovered link from being reinstated as the preferred link too quickly and having it fail again right away.
Device > Setup
• Device > Setup > Management
• Device > Setup > Operations
• Device > Setup > HSM
• Device > Setup > Services
• Device > Setup > Interfaces
• Device > Setup > Telemetry
• Device > Setup > Content-ID
• Device > Setup > WildFire
• Device > Setup > Session
• Device > Setup > DLP
Item Description
General Settings
Domain Enter the name of the network domain for the firewall (up to 31
characters).
Optionally, you can configure the firewalls and Panorama to use
a domain that a DHCP server provides. See Accept DHCP server-
provided Domain (Firewall only).
Accept DHCP server-provided Hostname (Firewall only) (Applies only when the Management Interface IP Type is DHCP Client) Select this option to have the management interface accept the hostname it receives from the DHCP server. The hostname from the server (if valid) overwrites any value specified in the Hostname field.
Accept DHCP server-provided Domain (Firewall only) (Applies only when the Management Interface IP Type is DHCP Client) Select this option to have the management interface accept the domain (DNS suffix) it receives from the DHCP server. The domain from the server overwrites any value specified in the Domain field.
Login Banner Enter text (up to 3,200 characters) to display on the web interface
login page below the Name and Password fields.
Force Admins to Acknowledge Login Banner Select this option to display and force administrators to select I Accept and Acknowledge the Statement Below (above the login banner on the login page), which forces administrators to acknowledge that they understand and accept the contents of the message before they can Login.
SSL/TLS Service Profile Assign an existing SSL/TLS Service profile or create a new one to
specify a certificate and the SSL/TLS protocol settings allowed on
the management interface (see Device > Certificate Management
> SSL/TLS Service Profile). The firewall or Panorama uses this
certificate to authenticate to administrators who access the web
interface through the management (MGT) interface or through
any other interface that supports HTTP/HTTPS management
traffic (see Network > Network Profiles > Interface Mgmt). If you
select none (default), the firewall or Panorama uses a predefined
certificate.
Locale Select a language for PDF reports from the drop-down. See
Monitor > PDF Reports > Manage PDF Summary.
Even if you have a specific language preference set for the web
interface, PDF reports will use the language specified for Locale.
Date Set the date on the firewall; enter the current date (in YYYY/MM/DD format) or select the date from the drop-down.
Time Set the time on the firewall; enter the current time (in 24-hour format) or select the time from the drop-down.
Serial Number (Panorama virtual appliances only) Enter the serial number for Panorama. You can find the serial number in the order fulfillment email you received from Palo Alto Networks®.
Automatically acquire commit lock Select this option to automatically apply a commit lock when you
change the candidate configuration. For more information, see
Lock Configurations.
Certificate Expiration Check Instruct the firewall to create warning messages when on-box
certificates approach their expiration date.
Multiple Virtual System Capability Enables the use of multiple virtual systems on firewalls that
support this feature (see Device > Virtual Systems).
URL Filtering Database (Panorama only) Select a URL Filtering vendor for use with Panorama: brightcloud or paloaltonetworks (PAN-DB).
Use Hypervisor Assigned MAC Addresses (VM-Series firewalls only) Select this option to have the VM-Series firewall use the MAC address that the hypervisor assigned, instead of generating a MAC address using the PAN-OS custom schema.
If you enable this option and use an IPv6 address for the
interface, the interface ID cannot use the EUI-64 format, which
derives the IPv6 address from the interface MAC address. In a
high availability (HA) active/passive configuration, a commit error
occurs if you use the EUI-64 format.
GTP Security Select this option to enable the ability to inspect the control plane
and user dataplane messages in the GPRS Tunneling Protocol
(GTP) traffic. See Objects > Security Profiles > Mobile Network
Protection to configure a Mobile Network Protection profile so
that you can enforce policy on GTP traffic.
SCTP Security Select this option to enable the ability to inspect and filter Stream
Control Transmission Protocol (SCTP) packets and chunks, and
to apply SCTP initiation (INIT) flood protection. See Objects
> Security Profiles > SCTP Protection. For SCTP INIT flood
protection, see Configure SCTP INIT Flood Protection.
Advanced Routing Select this option to enable the advanced routing engine, which
supports BGP and static routes. You must commit and reboot the
firewall for the change to the new routing engine to take effect
(or to change back to the legacy route engine).
Tunnel Acceleration Select this option to improve performance and throughput for traffic going through GRE tunnels, VXLAN tunnels, and GTP-U tunnels. This option is enabled by default.
• GRE and VXLAN tunnel acceleration—Supported on PA-3200
Series firewalls and PA-7000 Series firewalls with PA-7000-
NPC and SMC-B.
• GTP-U tunnel acceleration—Supported on PA-7000 Series
firewalls with PA-7000-NPC and SMC-B. For GTP-U tunnel
traffic to have tunnel acceleration, Tunnel Acceleration
must be enabled, GTP must be enabled, no tunnel content
inspection (TCI) policy rules for GTP-U protocol can be
configured, and a Security policy rule with a Mobile Network
Protection profile attached must allow the GTP traffic.
Device Certificate
Get certificate Click to enter the One Time Password (OTP) generated from
the Palo Alto Networks Customer Support Portal. The device
Authentication Settings
Authentication Profile Select the authentication profile (or sequence) the firewall uses
to authenticate administrative accounts that you define on an
external server instead of locally on the firewall (see Device >
Authentication Profile). When external administrators log in, the
firewall requests authentication and authorization information
(such as the administrative role) from the external server.
Enabling authentication for external administrators requires
additional steps based on the server type that the authentication
profile specifies, which must be one of the following:
• RADIUS
• TACACS+
• SAML
Idle Timeout Enter the maximum time (in minutes) without any activity on the
web interface or CLI before an administrator is automatically
logged out (range is 0 to 1,440; default is 60). A value of 0 means
that inactivity does not trigger an automatic logout.
API Key Lifetime Enter the length of time (in minutes) for which the API key is valid
(range is 0 to 525,600; default is 0). A value of 0 means that the
API key never expires.
Expire All API Keys Click to invalidate all previously generated API keys. Use this option with caution because all existing keys are rendered useless and any operation where you are currently using those API keys will stop functioning.
API Keys Last Expired Displays the timestamp of when the API key last expired. This
field has no value if you have never reset your keys.
Failed Attempts Enter the number of failed login attempts (0 to 10) that the
firewall allows for the web interface and CLI before locking
out the administrator account. A value of 0 specifies unlimited
login attempts. The default value is 0 for firewalls in normal
operational mode and 10 for firewalls in FIPS-CC mode. Limiting
login attempts can help protect the firewall from brute force
attacks.
Lockout Time Enter the number of minutes (range is 0 to 60) for which the
firewall locks out an administrator from access to the web
interface and CLI after reaching the Failed Attempts limit. A
value of 0 (default) means the lockout applies until another
administrator manually unlocks the account.
Max Session Count Enter the number of concurrent sessions allowed for all administrator and user accounts (range is 0 to 4). A value of 0 (default) means that an unlimited number of concurrent sessions is allowed.
Max Session Time Enter the number of minutes (range is 60 to 1,499) that an active,
non-idle administrator can remain logged in. Once this max
session time is reached, the session is terminated and requires re-
authentication to begin another session. The default value is set
to 0 (30 days), which cannot be manually entered. If no value is
entered, the Max Session Time defaults to 0.
Require Tag on Policies Requires at least one tag when creating a new policy rule. If a
policy rule already exists when you enable this option, you must
add at least one tag the next time you edit the rule.
Require Description on Policies Requires that you add a Description when you create a new
policy rule. If a policy rule already exists when you enable this
option, you must add a Description the next time you edit the
rule.
Fail Commit if Policies Have No Tags or Descriptions Forces your commit to fail if you do not add any tags or a description to the policy rule. If a policy rule already exists when you enable this option, the commit will fail if no tag or description is added the next time you edit the rule.
To fail the commit, you must Require tag on policies or Require description on policies.
Require Audit Comment on Policies Requires Audit Comment when creating a new policy rule. If a
policy rule already exists when you enable this option, you must
add Audit Comment the next time you edit the rule.
Audit Comment Regular Expression Specify requirements for the comment format parameters in audit
comments.
Policy Rule Hit Count Tracks how often traffic matches the policy rules you configured
on the firewall. When enabled, you can view the total Hit Count
for total traffic matches against each rule along with the date and
time when the rule was Created, Modified, was First Hit and Last
Hit.
The firewall uses an SSL connection with AES256 encryption to register with Panorama.
By default, Panorama and the firewall authenticate each other using predefined 2,048-
bit certificates and they use the SSL connection for configuration management and log
collection. To further secure the SSL connections between Panorama, firewalls, and log
collectors, see Secure Client Communication to configure custom certificates between
the firewall and Panorama or a log collector.
Auth Key Enter the device registration auth key generated on Panorama.
Receive Timeout for Connection to Panorama Enter the timeout (in seconds) for receiving TCP messages from Panorama (range is 1 to 240; default is 240).
Send Timeout for Connection to Panorama Enter the timeout (in seconds) for sending TCP messages to Panorama (range is 1 to 240; default is 240).
Retry Count for SSL Send to Panorama Enter the number of retry attempts allowed when sending Secure Socket Layer (SSL) messages to Panorama (range is 1 to 64; default is 25).
Enable Automated Commit Recovery Enable this option to have the firewall automatically verify its connection to the Panorama management server when a configuration is committed and pushed to the firewall, and at configured intervals after a configuration is successfully pushed.
When enabled, and the firewall fails to verify its connection to the Panorama management server, the firewall and Panorama management server automatically revert their configuration to the previous running configuration to restore connectivity.
Number of attempts to check for Panorama connectivity When Enable Automated Commit Recovery is enabled, configure the number of times the firewall tests its connection to the Panorama management server.
Interval between retries (sec) When Enable Automated Commit Recovery is enabled, configure the time in seconds between the attempts the firewall makes to test its connection to the Panorama management server.
Secure Client Communication Enable Secure Client Communication to ensure that the firewall
uses configured custom certificates (instead of the default
certificate) to authenticate SSL connections with Panorama or log
collectors.
• None (default)—No device certificate is configured and the
default predefined certificate is used.
• Local—The firewall uses a local device certificate and the
corresponding private key generated on the firewall or
imported from an existing enterprise PKI server.
• Certificate—Select the local device certificate you
generated or imported. This certificate can be unique to
the firewall (based on a hash of the serial number of that
firewall) or it can be a common device certificate used by all
firewalls that connect to Panorama.
• Certificate Profile—Select the Certificate Profile from
the drop-down. The Certificate Profile defines the CA
certificate for verifying client certificates and how to verify
certificate revocation status.
• SCEP—The firewall uses a device certificate and private key
generated by a Simple Certificate Enrollment Protocol (SCEP)
server.
• SCEP Profile—Select a Device > Certificate Management
> SCEP from the drop-down. The SCEP Profile provides
Panorama with the necessary information to authenticate
client devices against a SCEP server in your enterprise PKI.
Disable/Enable Panorama Policy and Objects This option displays only when you edit the Panorama Settings on a firewall (not in a template on Panorama).
Disable Panorama Policy and Objects to disable the propagation
of device group policies and objects to the firewall. By default,
this action also removes those policies and objects from the
firewall. To keep a local copy of the device group policies and
objects on the firewall, in the dialog that opens when you click
this option, select Import Panorama Policy and Objects before
disabling. After you perform a commit, these policies and objects
become part of the firewall configuration and Panorama no longer
manages them.
Disable/Enable Device and Network Template This option displays only when you edit the Panorama Settings on a firewall (not in a template on Panorama).
Disable Device and Network Template to disable the propagation
of template information (device and network configurations) to
the firewall. By default, this action also removes the template
information from the firewall. To keep a local copy of the
template information on the firewall, in the dialog that opens
when you select this option, select Import Device and Network
Templates before disabling. After you perform a commit, the
template information becomes part of the firewall configuration
and Panorama no longer manages that information.
The firewall uses an SSL connection with AES256 encryption to register with Panorama.
By default, Panorama and the firewall authenticate each other using predefined 2,048-
bit certificates and they use the SSL connection for configuration management and
log collection. To further secure these SSL connections, see Customize Secure Server
Communication to configure custom certificates between Panorama and its clients.
Receive Timeout for Connection to Device Enter the timeout (in seconds) for receiving TCP messages from all managed firewalls (range is 1 to 240; default is 240).
Send Timeout for Connection to Device Enter the timeout (in seconds) for sending TCP messages to all managed firewalls (range is 1 to 240; default is 240).
Retry Count for SSL Send to Device Enter the number of allowed retry attempts when sending Secure Socket Layer (SSL) messages to managed firewalls (range is 1 to 64; default is 25).
Share Unused Address and Service Objects with Devices Select this option (enabled by default) to share all Panorama shared objects and device-group-specific objects with managed firewalls.
If you disable this option, the appliance checks Panorama policies
for references to address, address group, service, and service
group objects, and does not share any unreferenced objects.
This option reduces the total object count by ensuring that the
appliance sends only necessary objects to managed firewalls.
If you have a policy rule that targets specific devices in a device
group, then the objects used in that policy are considered used in
that device group.
Objects defined in ancestors will take higher precedence Select this option (disabled by default) to specify that the object values in ancestor groups take precedence over those
in descendant groups when device groups at different levels in
the hierarchy have objects of the same type and name but with
different values. This means that when you perform a device
group commit, the ancestor values replace any override values.
Likewise, this option causes the value of a shared object to
override the values of objects of the same type and name in
device groups.
Selecting this option displays the Find Overridden Objects link.
Find Overridden Objects Select this option (bottom of the Panorama Settings dialog) to
list any shadowed objects. A shadowed object is an object in the
Shared location that has the same name but a different value in
a device group. The link displays only if you specify that Objects
defined in ancestors will take higher precedence.
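The object-resolution behaviour described in the Share Unused Address and Service Objects, Objects defined in ancestors will take higher precedence, and Find Overridden Objects rows, modelled as an added example (not Panorama's own code) over a constructed three-level hierarchy: default descendant-wins lookup, ancestor-wins lookup when the option is set, the shadowed-object report, and pruning of unreferenced objects when sharing of unused objects is disabled. Group names, object values and rule references are all constructed.

```python
"""Object resolution across a constructed Panorama device-group hierarchy (added example)."""

# Constructed hierarchy: Shared -> Corp -> Branches (group name -> parent group).
PARENTS = {"Shared": None, "Corp": "Shared", "Branches": "Corp"}

# Constructed objects: group -> {(object type, name): value}
OBJECTS = {
    "Shared":   {("address", "dns-server"): "10.0.0.53", ("service", "web"): "tcp/443"},
    "Corp":     {("address", "dns-server"): "10.1.0.53"},
    "Branches": {("address", "dns-server"): "192.168.1.53", ("address", "proxy"): "192.168.1.8"},
}


def lineage(group, parents=PARENTS):
    """Return [group, parent, ..., Shared]; raises KeyError on an unknown group."""
    chain = []
    while group is not None:
        if group not in parents:
            raise KeyError(f"unknown device group {group!r}")
        chain.append(group)
        group = parents[group]
    return chain


def resolve(group, obj_type, name, ancestors_take_precedence=False, objects=OBJECTS):
    """Value of the object as seen by firewalls in `group`, or None if it is not defined.

    Default: the nearest definition wins, so a device-group override replaces the
    Shared value. With the option set, the search runs from Shared downwards, so
    the ancestor (or Shared) value replaces any override.
    """
    chain = lineage(group)
    if ancestors_take_precedence:
        chain = list(reversed(chain))
    for g in chain:
        val = objects.get(g, {}).get((obj_type, name))
        if val is not None:
            return val
    return None


def find_overridden_objects(objects=OBJECTS, parents=PARENTS):
    """Shadowed objects: same type and name as a Shared object but a different value in a device group.

    Returns sorted (group, type, name, shared value, group value) tuples.
    """
    shared = objects.get("Shared", {})
    hits = []
    for g in parents:
        if g == "Shared":
            continue
        for key, val in objects.get(g, {}).items():
            if key in shared and shared[key] != val:
                hits.append((g, key[0], key[1], shared[key], val))
    return sorted(hits)


def objects_to_push(group, rule_refs, share_unused=True, objects=OBJECTS):
    """Object keys Panorama sends to firewalls in `group`.

    rule_refs: constructed set of (type, name) pairs referenced by Panorama policy
    rules that apply to the group. With Share Unused Address and Service Objects
    disabled, only referenced objects are sent.
    """
    visible = set()
    for g in lineage(group):
        visible.update(objects.get(g, {}).keys())
    if share_unused:
        return visible
    return {k for k in visible if k in rule_refs}


if __name__ == "__main__":
    print("Branches dns-server (default):", resolve("Branches", "address", "dns-server"))
    print("Branches dns-server (ancestors win):",
          resolve("Branches", "address", "dns-server", ancestors_take_precedence=True))
    for hit in find_overridden_objects():
        print("shadowed:", hit)
    print("pushed without unused sharing:",
          objects_to_push("Branches", {("address", "proxy")}, share_unused=False))
```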
Enable reporting and filtering on groups Select this option (disabled by default) to enable Panorama to locally store usernames, user group names, and username-to-
group mapping information that it receives from firewalls. This
option is global to all device groups in Panorama. However, you
must also enable local storage at the level of each device group by
specifying a Master Device and configuring the firewall to Store
users and groups from Master Device.
Secure Client Communications Using Secure Client Communication ensures that the client
Panorama uses configured custom certificates (instead of the
default predefined certificate) to authenticate SSL connections
with another Panorama appliance in an HA pair or WildFire
appliance.
• Predefined (default)—No device certificate is configured and
Panorama uses the default predefined certificate.
• Local—Panorama uses a local device certificate and the
corresponding private key generated on the firewall or
imported from an existing enterprise PKI server.
• Certificate—Select the local device certificate.
• Certificate Profile—Select the Certificate Profile from the
drop-down.
• SCEP—Panorama uses a device certificate and private key
generated by a Simple Certificate Enrollment Protocol (SCEP)
server.
For the logs that firewalls send to Panorama Log Collectors, you set storage
quotas and expiration periods in each Collector Group (see Panorama > Collector
Groups).
• Attributes for calculating and exporting user activity reports.
• Predefined reports created on the firewall or Panorama.
You must use SCP from operational mode to export the core file:
Session Log Storage and Management Log Storage tabs PA-5200 Series and PA-7000 Series firewalls store management logs and session logs on separate disks. Select the tab for each set of logs and configure the settings described in Log Storage tab.
Single Disk Storage and Multi Disk Storage tabs (Panorama template only) If you use a Panorama template to configure log quotas and expiration periods, configure the settings in one or both of the following tabs based on the firewalls assigned to the template:
• PA-5200 Series and PA-7000 Series firewalls—Select Multi
Disk Storage and configure the settings in the Session Log
Storage and Management Log Storage tabs.
Log Export and Reporting tab: Configure the following log export and reporting settings as needed:
• Number of Versions for Config Audit—Enter the number of configuration versions to save before discarding the oldest ones (default is 100). You can use these saved versions to audit and compare changes in configuration.
• Number of Versions for Config Backups—(Panorama only) Enter the number of configuration backups to save before discarding the oldest ones (default is 100).
• Max Rows in CSV Export—Enter the maximum number of rows that will appear in the CSV reports generated when you Export to CSV from the traffic logs view (range is 1 to 1,048,576; default is 65,535).
• Max Rows in User Activity Report—Enter the maximum number of rows that is supported for the detailed user activity reports (range is 1 to 1,048,576; default is 5,000).
• Average Browse Time (sec)—Configure this variable to adjust how the browse time is calculated in seconds for the Monitor > PDF Reports > User Activity Report (range is 0 to 300 seconds; default is 60).
  The calculation ignores sites categorized as web advertisements and content delivery networks. The browse time calculation is based on container pages logged in the URL filtering logs. Container pages are used as the basis for this
After you configure the Message of the Day and click OK, administrators who
subsequently log in and active administrators who refresh their browsers will see the
new or updated message immediately; a commit is not required. This enables you to
warn other administrators of an impending commit before you perform that commit.
Message of the Day (check box): Select this option to enable the Message of the Day dialog to display when an administrator logs in to the web interface.
Message of the Day (text-entry field): Enter the text (up to 3,200 characters) for the Message of the Day dialog.
Allow Do Not Display Again: Select this option (disabled by default) to include a Do not show again option in the Message of the Day dialog. This gives administrators the option to avoid seeing the same message in subsequent logins.
Title: Enter text for the Message of the Day header (default is Message of the Day).
Background Color: Select a background color for the Message of the Day dialog. The default (None) is a light gray background.
Icon: Select a predefined icon to appear above the text in the Message of the Day dialog:
• None (default)
• Error
• Help
• Information
• Warning
Header Banner: Enter the text that the header banner displays (up to 3,200 characters).
Header Color: Select a color for the header background. The default (None) is a transparent background.
Header Text Color: Select a color for the header text. The default (None) is black.
Same banner for header and footer: Select this option (enabled by default) if you want the footer banner to have the same text and colors as the header banner. When enabled, the fields for the footer banner text and colors are grayed out.
Footer Banner: Enter the text that the footer banner displays (up to 3,200 characters).
Footer Color: Select a color for the footer background. The default (None) is a transparent background.
Footer Text Color: Select a color for the footer text. The default (None) is black.
Block Repeated Characters: Specify the number of sequential duplicate characters permitted in a password (range is 3 to 15). If you set the value to 3, the password can contain the same character in sequence three times, but if the same character is used four or more times in sequence, the password is not permitted. For example, if the value is set to 3, the system will accept the password test111 or 111test111, but not test1111, because the number 1 appears four times in sequence.
Block Username Inclusion (including reversed): Select this option to prevent the account username (or the reversed version of the name) from being used in the password.
New Password Differs By Characters: When administrators change their passwords, the characters must differ by the specified value.
Require Password Change on First Login: Select this option to prompt administrators to change their passwords the first time they log in to the firewall.
Prevent Password Reuse Limit: Require that a previous password is not reused based on the specified count. For example, if the value is set to 4, you could not reuse any of your last 4 passwords (range is 0 to 50).
Block Password Change Period (days): Users cannot change their passwords until the specified number of days is reached (range is 0 to 365 days).
Required Password Change Period (days): Require that administrators change their password on a regular basis (in days) (range is 0 to 365). For example, if the value is set to 90, administrators are prompted to change their password every 90 days. You can also set an expiration warning from 0 to 30 days and specify a grace period.
Expiration Warning Period (days): If a Required Password Change Period is set, you can use this Expiration Warning Period to prompt users at each log in to
Post Expiration Admin Login Count (count): Allow the administrator to log in a specified number of times after the required change date (range is 0 to 3). For example, if you set this value to 3 and their account has expired, they can log in 3 more times without changing their password before their account is locked out.
Post Expiration Grace Period (days): Allow the administrator to log in for a specified number of days after the account has expired (range is 0 to 30).
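As an added example that is not part of this help page or of PAN-OS, the following Python models the password rules above (repeated characters, username inclusion including the reversed name, differs-by, and reuse limit) so that a candidate password can be checked the way the table describes. The `PasswordPolicy` class, the rule names it returns, and the reading of "differs by" as edit distance are assumptions, not PAN-OS internals.

```python
# Added example (not PAN-OS code): a model of the password-complexity checks
# described in the help text. The exact PAN-OS meaning of "differs by" is not
# public, so Levenshtein distance is used here and labelled as an assumption.
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class PasswordPolicy:
    block_repeated_characters: int = 3     # max identical characters in a row (3 to 15)
    block_username_inclusion: bool = True  # also blocks the reversed username
    new_password_differs_by: int = 3       # assumed: edit distance from the old password
    prevent_password_reuse_limit: int = 4  # 0 disables the history check (0 to 50)


def longest_run(password: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def contains_username(password: str, username: str) -> bool:
    """True if the username, or the username reversed, appears in the password.
    Case-insensitive comparison is an assumption; the help text does not say."""
    pw, user = password.lower(), username.lower()
    return bool(user) and (user in pw or user[::-1] in pw)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used here as the meaning of 'must differ by N characters'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_password(policy: PasswordPolicy, username: str, new_password: str,
                   history: Sequence[str] = ()) -> List[str]:
    """Return the names of the rules the new password violates (empty = accepted).
    `history` lists the administrator's previous passwords, most recent first
    (plaintext only for this illustration; a real system compares hashes)."""
    problems = []
    if longest_run(new_password) > policy.block_repeated_characters:
        problems.append("repeated-characters")
    if policy.block_username_inclusion and contains_username(new_password, username):
        problems.append("username-inclusion")
    if history and edit_distance(history[0], new_password) < policy.new_password_differs_by:
        problems.append("differs-by")
    if policy.prevent_password_reuse_limit and \
            new_password in history[:policy.prevent_password_reuse_limit]:
        problems.append("password-reuse")
    return problems


if __name__ == "__main__":
    # The help text's own example with Block Repeated Characters set to 3.
    policy = PasswordPolicy()
    for candidate in ("test111", "111test111", "test1111"):
        print(candidate, check_password(policy, "admin", candidate) or "accepted")
```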
AutoFocus™
Query Timeout (sec): Set the duration of time (in seconds) for the firewall to attempt to query AutoFocus for threat intelligence data. If the AutoFocus portal does not respond before the end of the specified period, the firewall closes the connection.
The Logging Service is now called Cortex Data Lake; however, some firewall features
and buttons still display the Logging Service name.
Enable Cortex Data Lake: Select this option to enable the firewall (or, if you’re using Panorama, firewalls that belong to the selected Template) to forward logs to Cortex Data Lake (Cortex Data Lake was previously called the Logging Service). After you configure Log Forwarding (Objects > Log Forwarding), the firewall forwards logs directly to Cortex Data Lake—this is true even for Panorama-managed firewalls.
Enable Duplicate Logging (for Panorama-managed firewalls only): Enable Duplicate Logging to continue to send logs to Panorama and distributed Log Collectors, in addition to sending logs to Cortex Data Lake. This is a helpful option if you’re evaluating Cortex Data Lake—when enabled, the firewalls that belong to the selected Template will save a copy of the logs to Cortex Data Lake and to your Panorama or Distributed Log Collection architecture.
Enable Enhanced Application Logging: Enable Enhanced Application Logging if you want the firewall to collect data that increases network visibility for Palo Alto Networks applications. For example, this increased network visibility enables Palo Alto Networks Cortex XDR apps to better categorize and establish a baseline for normal network activity so that the firewall can detect unusual behavior that might indicate an attack. Enhanced Application Logging requires a Logging Service (Cortex Data Lake) license. You cannot view these logs—they are designed to be consumed only by Palo Alto Networks applications.
Region: Select the geographic region of the Cortex Data Lake (Logging Service) instance to which the firewall will forward logs. Log in to the Cortex hub to confirm the region in which a Cortex Data Lake instance is deployed (in the hub, select the settings gear on the top menu bar and Manage Apps).
Connection count to Cortex Data Lake for PA-7000 Series and PA-5200 Series Firewalls: (PA-7000 Series and PA-5200 Series firewalls only) Specify the number of connections for sending logs from the firewalls to Cortex Data Lake (range is 1 to 20; default is 5). You can use the request logging-service-forwarding status CLI command on the firewall to verify the number of active connections between the firewall and Cortex Data Lake.
Onboard without Panorama (for firewalls that are not managed by Panorama): You can enable firewalls that are not managed by Panorama to send logs to Cortex Data Lake. To do this, you need to first generate a key in the Cortex Data Lake app. This key enables the firewall to authenticate and securely connect to Cortex Data Lake. After you generate the key, enter it and enable the firewall to start forwarding logs to Cortex Data Lake.
Logging Service Status: View the status of the connection to Cortex Data Lake. Show Status to view the details for the following checks:
Server Profile: A type of SSH service profile that applies to the SSH sessions for the CLI management connections on your network. To apply an existing server profile, select a profile, click OK, and Commit your change.
You must Commit Changes you make in the candidate configuration to activate those
changes at which point they become part of the running configuration. As a best practice,
periodically Save Candidate Configurations.
You can use Secure Copy (SCP) commands from the CLI to export configuration files, logs,
reports, and other files to an SCP server and import the files to another firewall or Panorama
M-Series or virtual appliance. However, because the log database is too large for an export
or import to be practical, the following models do not support export or import of the entire
log database: PA-7000 Series firewalls (all PAN-OS® releases), Panorama virtual appliances
running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama
releases).
Function Description
Configuration Management
Revert to last saved configuration: Restores the default snapshot (.snapshot.xml) of the candidate configuration (the snapshot that you create or overwrite when you select Config > Save Changes at the top right of the web interface).
(Panorama only) Select Device Groups & Templates to select specific device groups, templates, or template stacks configurations to revert. Device Group and Template Admins can only select the device groups, templates, or template stacks designated in their assigned access domain.
Revert to running config: Restores the current running configuration. This operation undoes all changes that every administrator made to the candidate configuration since the last commit. To revert only the changes of specific administrators, see Revert Changes.
(Panorama only) Select Device Groups & Templates to select specific device groups, templates, or template stacks configurations to revert. Device Group and Template Admins can only select the device groups, templates, or template stacks designated in their assigned access domain.
Save named configuration snapshot: Creates a candidate configuration snapshot that does not overwrite the default snapshot (.snapshot.xml). Enter a Name for the snapshot or select an existing named snapshot to overwrite.
(Panorama only) Select Device Groups & Templates to select specific device groups, templates, or template stacks configurations to save. Device Group and Template Admins can only select the device groups, templates, or template stacks designated in their assigned access domain.
Save candidate config: Creates or overwrites the default snapshot of the candidate configuration (.snapshot.xml) with the current candidate configuration. This is the same action as when you select Config > Save Changes at the top right of the
Load named configuration snapshot (firewall) or Load named Panorama configuration snapshot: Overwrites the current candidate configuration with one of the following:
• Custom-named candidate configuration snapshot (instead of the default snapshot).
• Custom-named running configuration that you imported.
• Current running configuration.
The configuration must reside on the firewall or Panorama onto which you are loading it.
Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. If you are loading an imported configuration, you must enter the master key of the firewall or Panorama from which you imported. After the load operation finishes, the master key of the firewall or Panorama onto which you loaded the configuration re-encrypts the passwords and private keys.
To generate new UUIDs for all rules in the configuration (for example, if you are loading a configuration from another firewall but you want to maintain unique rules when you load that configuration), the superuser must Regenerate Rule UUIDs for selected named configuration to generate new UUIDs for all rules.
(Panorama only) Specify object, policy, device group, or template configurations to partially load configurations from the named configuration by selecting from the following:
• Load Shared Objects—Load only the Shared objects, along with all device group and template configurations.
• Load Shared Policies—Load only the Shared policies, along with all device group and template configurations.
• Select Device Groups & Templates—Specify device groups, templates, or template stacks configurations to load. Device Group and Template Admins can only select the device groups, templates, or template stacks designated in their assigned access domain.
• Retain Rule UUIDs—Keep the UUIDs in the current running configuration.
Load configuration version (firewall) or Load Panorama configuration version: Overwrites the current candidate configuration with a previous version of the running configuration that is stored on the firewall or Panorama. Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. After the load operation finishes, the master key re-encrypts the passwords and private keys.
Export Panorama and devices config bundle (Panorama only): Generates and exports the latest versions of the Panorama running configuration backup and of each managed firewall. To automate the process of creating and exporting the configuration bundle daily to an SCP or FTP server, see Panorama > Device Deployment.
Export or push device config bundle (Panorama only): Prompts you to select a firewall and perform one of the following actions on the firewall configuration stored on Panorama:
• Push & Commit the configuration to the firewall. This action cleans the firewall (removes any local configuration from it) and pushes the firewall configuration stored on Panorama. After you import a firewall configuration, use this option to clean that firewall so you can manage it using Panorama.
• Export the configuration to the firewall without loading it. To load the configuration, you must access the firewall CLI and run the configuration mode command load device-state. This command cleans the firewall in the same way as the Push & Commit option.
• Use FW Master Key to encrypt the exported device configuration bundle with the master key deployed on the managed firewall. Enter the FW Master Key and then Confirm FW Master Key.
Export device state (Firewall only): Exports the firewall state information as a bundle. In addition to the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect™ portal,
Import named config snapshot: Imports a running or candidate configuration from any network location. Click Browse and select the configuration file to be imported.
Import device state (Firewall only): Imports the state information bundle you exported from a firewall when you chose to Export device state. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.
• If a shared firewall object has the same name and value as an existing
shared Panorama object, the import excludes that firewall object.
• If the name or value of the shared firewall object differs from the
shared Panorama object, Panorama imports the firewall object into
each device group.
• If a configuration imported into a template references a shared
firewall object, Panorama imports that object into Shared regardless
of whether you select this option.
• If a shared firewall object references a configuration imported into a
template, Panorama imports the object into a device group regardless
of whether you select this option.
• Rule Import Location—Select whether Panorama will import policies as
pre-rules or post-rules. Regardless of your selection, Panorama imports
default security rules (intrazone-default and interzone-default) into the
post-rulebase.
Device Operations
Restart Dataplane: Restart Dataplane to restart the data functions of the firewall without rebooting. This option is not available on Panorama or on PA-220, PA-800 Series, or VM-Series firewalls.
On a PA-7000 Series firewall, each NPC has a dataplane, so you can restart the NPC to perform this operation by running the command request chassis restart slot.
Miscellaneous
For the Login Screen and Main UI, you can preview the image as it will appear; if necessary, the firewall crops the image to fit. For PDF reports, the firewall automatically resizes the images to fit without cropping. In all cases, the preview displays the recommended image dimensions.
The maximum image size for any logo is 128KB. The supported file
types are png and jpg. The firewall does not support image files that are
interlaced, images that contain alpha channels, and gif file types because
such files interfere with PDF report generation. You might need to contact
the illustrator who created an image to remove alpha channels or make
sure the graphics software you are using does not save files with the alpha
channel feature.
For information on generating PDF reports, see Monitor > PDF Reports >
Manage PDF Summary.
Storage Partition (Panorama only): Setup Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode.
Field Description
Physical Location: Specify the physical location of the firewall. When a log or trap is generated, this information allows you to identify (in an SNMP manager) the firewall that generated the notification.
Contact: Enter the name or email address of the person responsible for maintaining the firewall. This setting is reported in the standard system information MIB.
Use Specific Trap Definitions: This option is selected by default, which means the firewall uses a unique OID for each SNMP trap based on the event type. If you clear this option, every trap will have the same OID.
Version: Select the SNMP version: V2c (default) or V3. Your selection controls the remaining fields that the dialog displays.
SNMP Community String: Enter the community string, which identifies an SNMP community of SNMP managers and monitored devices and also serves as a password to authenticate the community members to each other when they exchange SNMP get (statistics request) and trap messages. The string can have up to 127 characters, accepts all characters, and is case-sensitive.
For SNMP V3
Name / View: You can assign a group of one or more views to the user of an SNMP manager to control which MIB objects (statistics) the user can get from the firewall. Each view is a paired OID and bitwise mask: the OID specifies a MIB and the mask (in hexadecimal format) specifies which objects are accessible within (include matching) or outside (exclude matching) that MIB.
For example, if the OID is 1.3.6.1, the matching Option is set to include and the Mask is 0xf0, then the objects that the user requests must have OIDs that match the first four nodes (f = 1111) of 1.3.6.1. The objects don’t need to match the remaining nodes. In this example, 1.3.6.1.2 matches the mask and 1.4.6.1.2 doesn’t.
For each group of views, click Add, enter a Name for the group, and then configure the following for each view you Add to the group:
• View—Specify a name for the view. The name can have up to 31 characters that are alphanumeric, periods, underscores, or hyphens.
• OID—Specify the OID of the MIB.
• Option—Select the matching logic to apply to the MIB.
• Mask—Specify the mask in hexadecimal format.
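An added example, not code from PAN-OS or from this help page, that implements the OID-and-mask matching rule just described and reproduces the 1.3.6.1 / 0xf0 case; it also generalizes to masks that wildcard individual nodes and to applying several include and exclude views together. The function names and the exclude-wins rule in `is_accessible` are assumptions, since the help text does not state how overlapping views are resolved.

```python
# Added example (not PAN-OS code): SNMPv3 view matching as described in the
# help text. All OIDs, masks and views below are constructed sample values.
from typing import List, Tuple


def mask_bits(mask_hex: str) -> str:
    """Expand a hexadecimal mask into its bit string, most-significant bit first.
    mask_bits("0xf0") -> "11110000"."""
    digits = mask_hex.lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    return bin(int(digits, 16))[2:].zfill(len(digits) * 4)


def oid_matches_view(requested_oid: str, view_oid: str, mask_hex: str) -> bool:
    """True if requested_oid lies in the subtree selected by view_oid and the mask.
    Mask bit i (MSB first) governs node i of view_oid: 1 means the requested OID
    must carry the same value at that node, 0 makes the node a wildcard. Nodes past
    the end of the mask are treated as 1 (the VACM convention of RFC 3415), and the
    requested OID must be at least as long as the view OID to be inside its subtree."""
    req = requested_oid.strip(".").split(".")
    view = view_oid.strip(".").split(".")
    if len(req) < len(view):
        return False
    bits = mask_bits(mask_hex)
    for i, node in enumerate(view):
        must_match = bits[i] == "1" if i < len(bits) else True
        if must_match and req[i] != node:
            return False
    return True


# One view as configured in a group: (OID, Option, Mask).
View = Tuple[str, str, str]


def is_accessible(requested_oid: str, views: List[View]) -> bool:
    """Apply a group of views: the object is accessible when it matches at least one
    'include' view and no 'exclude' view. (Assumption: an exclude view always wins
    over an include view it overlaps; PAN-OS precedence is not documented here.)"""
    included = excluded = False
    for view_oid, option, mask in views:
        if oid_matches_view(requested_oid, view_oid, mask):
            if option.lower() == "include":
                included = True
            elif option.lower() == "exclude":
                excluded = True
            else:
                raise ValueError(f"unknown Option {option!r}")
    return included and not excluded


if __name__ == "__main__":
    # The help text's example: OID 1.3.6.1, Option include, Mask 0xf0.
    for oid in ("1.3.6.1.2", "1.4.6.1.2"):
        verdict = "matches" if oid_matches_view(oid, "1.3.6.1", "0xf0") else "does not match"
        print(oid, verdict)
```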
Users: SNMP user accounts provide authentication, privacy, and access control when firewalls forward traps and SNMP managers get firewall statistics. For each user, click Add and configure the following settings:
• Users—Specify a username to identify the SNMP user account. The username you configure on the firewall must match the username configured on the SNMP manager. The username can have up to 31 characters.
• View—Assign a group of views to the user.
• Auth Password—Specify the authentication password of the user. The firewall uses the password to authenticate to the SNMP manager when
Hardware Security Module Provider Configuration and Status
Module Name: Add a module name for the HSM. This can be any ASCII string up to 31 characters long. Add up to 16 module names if you are configuring independent or high availability SafeNet HSM configurations.
Server Address: Specify an IPv4 address for any HSM module you are configuring.
High Availability (SafeNet Network only): (Optional) Select this option if you are configuring the SafeNet HSM modules in a high availability configuration. You must configure the module name and server address of each HSM module.
Auto Recovery Retry (SafeNet Network only): Specify the number of times that the firewall will try to recover its connection to an HSM before failing over to another HSM in an HSM HA configuration (range is 0 to 500; default is 0).
High Availability Group Name (SafeNet Network only): Specify a group name to be used for the HSM HA group. This name is used internally by the firewall. It can be any ASCII string up to 31 characters long.
Remote Filesystem Address (nCipher nShield Connect only): Configure the IPv4 address of the remote file system used in the nShield Connect HSM configuration.
HSM Authentication
Select Setup Hardware Security Module and configure the following settings to authenticate the firewall to
the HSM.
Server Name: Select an HSM server name from the drop-down, then select whether to authenticate and establish trust using automatic or manually generated certificates:
• Automatic
• Manual
If you select Manual, you need to import and install the manually generated HSM server certificate. Export the HSM client certificate to install on the HSM server.
Administrator Password: Enter the administrator password of the HSM to authenticate the firewall to the HSM.
Setup Hardware Security Module: Configures the firewall to authenticate with an HSM.
Show Detailed Information: Displays information about HSM servers, HSM high availability status, and HSM hardware.
Synchronize with Remote Filesystem (nCipher nShield Connect only): Synchronizes the key data from the nShield Connect remote file system to the firewall.
Reset Configuration: Removes all HSM connections to the firewall. You must repeat all authentication procedures after resetting the HSM configuration.
Select HSM Client Version (SafeNet Network only): Allows you to choose the version of software running on the HSM client (the firewall). The HSM client version must be compatible with the HSM server version. See the HSM vendor documentation for a matrix of client-server version compatibility.
High Availability (SafeNet Network only): HSM high availability is configured if checked.
High Availability Group Name (SafeNet Network only): The group name configured on the firewall for HSM high availability.
Remote Filesystem Address (nShield Connect only): The address of the remote filesystem.
Firewall Source Address: The address of the port used for the HSM service. By default this is the management port address. You can specify a different port, however, through the Service Route Configuration in Device > Setup > Services.
Master Key Secured by HSM: If checked, the master key is secured on the HSM.
Status: Shows green if the firewall is connected and authenticated to the HSM and shows red if the firewall is not authenticated or if network connectivity to the HSM is down. You can also view Hardware Security Module Status for more details on the HSM connection.
SafeNet Network HSM:
• Serial Number—The serial number of the HSM partition is displayed if the HSM partition has successfully authenticated.
• Partition—The partition name on the HSM that was assigned on the firewall.
• Module State—The current operating state of the HSM connection. This field shows Authenticated if the HSM is displayed in this table.
Services
Update Server: Represents the IP address or host name of the server from which to download updates from Palo Alto Networks. The current value is updates.paloaltonetworks.com. Do not change this setting unless instructed by technical support.
Verify Update Server Identity: If you enable this option, the firewall or Panorama verifies that the server from which the software or content package is downloaded has an SSL certificate signed by a trusted authority. This adds an additional level of security for the communication between firewalls or Panorama servers and the update server.
Verify the update server identity to validate that the server has an SSL certificate signed by a trusted authority.
DNS Settings: Choose the type of DNS service—Servers or DNS Proxy Object—for all DNS queries that the firewall initiates in support of FQDN address objects, logging, and firewall management. Options include:
• Primary and secondary DNS servers to provide domain name resolution.
• A DNS proxy configured on the firewall as an alternative to configuring DNS servers. If you enable a DNS proxy, you must enable Cache and EDNS Cache Responses (Network > DNS Proxy > Advanced).
Primary DNS Server: Enter the IP address of the primary DNS server for DNS queries from the firewall (for example, to find the update server, to resolve DNS entries in logs, or to resolve FQDN-based address objects).
Secondary DNS Server: (Optional) Enter the IP address of a secondary DNS server to use if the primary server is unavailable.
Minimum FQDN Refresh Time (sec): Set a limit on how fast the firewall refreshes FQDNs that it receives from a DNS. The firewall refreshes an FQDN based on the TTL of the FQDN as long as the TTL is greater than or equal to this Minimum FQDN Refresh Time (in seconds). If the TTL is less than this Minimum FQDN Refresh Time, the firewall refreshes the FQDN based on this Minimum FQDN Refresh Time (that is, the firewall does not honor TTLs faster than this setting). The timer starts when the firewall receives a DNS response from the DNS server or DNS proxy object resolving the FQDN (range is 0 to 14,400; default is 30). A setting of 0 means the firewall refreshes the FQDN based on the TTL value in the DNS and does not enforce a minimum FQDN refresh time.
If the TTL for the FQDN in the DNS is short, but FQDN resolutions don’t change as frequently as the TTL timeframe and so don’t require a faster refresh, set a Minimum FQDN Refresh Time to avoid unnecessary FQDN refresh attempts.
FQDN Stale Entry Timeout (min): Specify the length of time (in minutes) that the firewall continues to use stale FQDN resolutions in the event of a network failure or unreachable DNS server, that is, when an FQDN is not getting refreshed (range is 0 to 10,080; default is 1,440). A value of 0 means the firewall does not continue to use a stale entry. If the DNS server is still unreachable at the end of the stale entry timeout, the FQDN entry becomes unresolved (stale resolutions are removed).
Make sure the FQDN Stale Entry Timeout value is short enough not to allow incorrect traffic forwarding (which poses a security risk), but long enough to allow traffic continuity without causing an unplanned network outage.
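An added example, not PAN-OS code, that models how these two timers govern one cached FQDN resolution: the refresh interval is the larger of the TTL and the Minimum FQDN Refresh Time (or the TTL alone when the minimum is 0), and once a refresh is due but no answer arrives the old resolution is served only until the FQDN Stale Entry Timeout elapses. The `FqdnEntry` class, the constructed host name and addresses, and the clock convention are assumptions.

```python
# Added example (not PAN-OS code): a model of Minimum FQDN Refresh Time and
# FQDN Stale Entry Timeout as described in the help text. Times are seconds on a
# monotonic clock; host names and addresses used in tests are constructed samples.
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


def next_refresh_seconds(ttl_seconds: int, min_refresh_seconds: int) -> int:
    """Seconds until the firewall refreshes an FQDN whose DNS answer carried ttl_seconds.
    A minimum of 0 means honor the TTL as-is; otherwise never refresh faster than it."""
    if min_refresh_seconds == 0:
        return ttl_seconds
    return max(ttl_seconds, min_refresh_seconds)


@dataclass
class FqdnEntry:
    name: str
    min_refresh_seconds: int = 30        # Minimum FQDN Refresh Time (sec), default 30
    stale_timeout_minutes: int = 1440    # FQDN Stale Entry Timeout (min), default 1,440
    addresses: List[str] = field(default_factory=list)
    fresh_until: Optional[float] = None  # when the next refresh is due; None = never resolved

    def on_response(self, now: float, addresses: Sequence[str], ttl_seconds: int) -> float:
        """Record a successful DNS answer and schedule the next refresh.
        Returns the time at which the next refresh is due."""
        self.addresses = list(addresses)
        self.fresh_until = now + next_refresh_seconds(ttl_seconds, self.min_refresh_seconds)
        return self.fresh_until

    def state(self, now: float) -> str:
        """'resolved' while the last answer is fresh; 'stale' while a due refresh has not
        succeeded but the old resolution may still be used; 'unresolved' otherwise."""
        if self.fresh_until is None:
            return "unresolved"
        if now <= self.fresh_until:
            return "resolved"
        # The stale timer starts when the refresh fell due and no answer has arrived.
        seconds_stale = now - self.fresh_until
        if seconds_stale < self.stale_timeout_minutes * 60:
            return "stale"
        return "unresolved"  # stale resolutions are removed

    def usable_addresses(self, now: float) -> List[str]:
        """Addresses that policy may still match on; empty once the entry is unresolved.
        A long stale timeout keeps traffic flowing through an outage, but also keeps
        forwarding to addresses that may no longer belong to the FQDN."""
        return list(self.addresses) if self.state(now) != "unresolved" else []


if __name__ == "__main__":
    entry = FqdnEntry("host.example.invalid")          # constructed sample name
    entry.on_response(0, ["192.0.2.10"], ttl_seconds=10)  # TTL 10s is raised to the 30s minimum
    for t in (0, 30, 31, 30 + 1440 * 60):
        print(t, entry.state(t), entry.usable_addresses(t))
```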
Server: If the firewall needs to use a proxy server to reach Palo Alto Networks update services, enter the IP address or host name of the proxy server.
User: Enter the username for the administrator to enter when accessing the proxy server.
Password/Confirm Password: Enter and confirm the password for the administrator to enter when accessing the proxy server.
Use proxy to send logs to Cortex Data Lake: Enable the firewall to send logs to Cortex Data Lake through the proxy server.
NTP
NTP Server Address: Enter the IP address or hostname of an NTP server that you will use to synchronize the clock on the firewall. Optionally, you can enter the IP address or hostname of a second NTP server to synchronize the clock on the firewall if the primary server becomes unavailable.
Authentication Type: You can enable the firewall to authenticate time updates from an NTP server. For each NTP server, select the type of authentication for the firewall to use:
• None (default)—Select this option to disable NTP Authentication.
• Symmetric Key—Select this option for the firewall to use symmetric key exchange (shared secrets) to authenticate time updates from the NTP server. If you select Symmetric Key, continue by specifying the following values:
  • Key ID—Enter the Key ID (1–65534).
AutoFocus—AutoFocus™ server.
Email—Email server.
HTTP—HTTP forwarding.
Multi-Factor Authentication—Multi-factor authentication (MFA) server.
When customizing a Global service route, select Service Route Configuration and, on the IPv4 or IPv6
tab, select a service from the list of available services; you can also select multiple services and Set
Selected Service Routes to configure multiple service routes at once. To limit the selections in the Source
Address drop-down, select a Source Interface and then a Source Address (from that interface). A Source
Interface that is set to Any allows you to select a Source Address from any of the available interfaces. The
Source Address displays the IPv4 or IPv6 address assigned to the selected interface and the selected IP
address will be the source for the service traffic. You can Use default if you want the firewall to use the
management interface for the service route; however, if the packet destination IP address matches the
configured Destination IP address, the source IP address will be set to the Source Address configured for
the Destination. You do not have to define a destination address because the destination is configured
when you configure each service. For example, when you define your DNS servers (Device > Setup >
Services), you will set the destination for DNS queries. You can specify both an IPv4 and an IPv6 address
for a service.
An alternative way to customize a Global service route is to select Service Route Configuration and select
Destination. Specify a Destination IP address to which an incoming packet is compared. If the packet
destination address matches the configured Destination IP address, the source IP address is set to the
Source Address configured for the Destination. To limit the selections in the Source Address drop-down,
select a Source Interface and then select a Source Address (from that interface). A Source Interface that
is set to Any allows you to select a Source Address from any of the interfaces available. The MGT Source
Interface causes the firewall to use the management interface for the service route.
When you configure service routes for a Virtual System, choosing to Inherit Global Service Route
Configuration means that all services for the virtual system will inherit the global service route settings.
You can, instead, choose Customize, select IPv4 or IPv6, and select a service; you can also select multiple
services and Set Selected Service Routes. The Source Interface has the following three choices:
• Inherit Global Setting—The selected services inherit the global settings for those services.
Source Interface To limit the drop-down for Source Address, select a Source Interface. Selecting Any causes all IP addresses on all interfaces to be available in the Source Address drop-down. Selecting MGT causes the firewall to use the MGT interface for the service route.
Source Address Select the Source Address for the service route; this address will be used for packets returning from the destination. You do not need to enter the subnet for the destination address.
To configure the MGT interface on the M-500 appliance or the Panorama virtual appliance,
see Panorama > Setup > Interfaces.
You can use a loopback interface as an alternative to the MGT interface for firewall
management (Network > Interfaces > Loopback).
Item Description
Aux 1 / Aux 2 (PA-5200 Series firewalls only) Select any of the following options to enable an auxiliary interface. These interfaces provide 10Gbps (SFP+) throughput for:
• Firewall management traffic—You must enable the Network Services (protocols) that administrators will use when accessing the web interface and CLI to manage the firewall.
IP Address (IPv4) If your network uses IPv4, assign an IPv4 address to the interface.
Alternatively, you can assign the IP address of a loopback interface for
firewall management (see Network > Interfaces > Loopback). By default, the
IP address you enter is the source address for log forwarding.
Netmask (IPv4) If you assigned an IPv4 address to the interface, you must also enter a
network mask (for example, 255.255.255.0).
Default Gateway If you assigned an IPv4 address to the interface, you must also assign an IPv4
address to the default gateway (the gateway must be on the same subnet as
the interface).
IPv6 Address/Prefix Length If your network uses IPv6, assign an IPv6 address to the interface. To indicate the netmask, enter an IPv6 prefix length (for example, 2001:db8:300::1/64).
Default IPv6 Gateway If you assigned an IPv6 address to the interface, you must also assign an IPv6
address to the default gateway (the gateway must be on the same subnet as
the interface); for example, 2001:db8:300::5.
Speed Configure a data rate and duplex option for the interface. The choices include
10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the default auto-
negotiate setting to have the firewall determine the interface speed.
MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this
interface (range is 576 to 1,500; default is 1,500).
Network Services Select the services you want to enable on the interface:
• HTTP OCSP—Use this service to configure the firewall as an Online
Certificate Status Protocol (OCSP) responder. For details, see Device >
Certificate Management > OCSP Responder.
• Ping—Use this service to test connectivity with external services. For
example, you can ping the interface to verify it can receive PAN-OS
software and content updates from the Palo Alto Networks Update
Server. In a high availability (HA) deployment, HA peers use ping to
exchange heartbeat backup information.
• SNMP—Use this service to process firewall statistics queries from an
SNMP manager. For details, see Enable SNMP Monitoring.
• User-ID—Use this service to enable Redistribution of user mappings
among firewalls.
• User-ID Syslog Listener-SSL—Use this service to enable the PAN-OS
integrated User-ID™ agent to collect syslog messages over SSL. For
details, see Configure Access to Monitored Servers.
• User-ID Syslog Listener-UDP—Use this service to enable the PAN-OS
integrated User-ID agent to collect syslog messages over UDP. For details,
see Configure Access to Monitored Servers.
Permitted IP Addresses Enter the IP addresses from which administrators can access the firewall
through the interface. An empty list (default) specifies that access is available
from any IP address.
URL Filtering
Dynamic URL Cache Timeout Click Edit and enter the timeout in hours. This value is used in dynamic URL filtering to determine the length of time an entry remains in the cache after it is returned from the URL filtering service. This option is applicable to URL filtering using the BrightCloud database only. For more on URL filtering, select Objects > Security Profiles > URL Filtering.
URL Continue Timeout Specify the interval following a user's Continue action before the user must
press continue again for URLs in the same category (range is 1 to 86,400
minutes; default is 15).
URL Admin Override Timeout Specify the interval after the user enters the Admin Override password before the user must re-enter that password for URLs in the same category (range is 1 to 86,400 minutes; default is 15).
Hold Client Request for Category Lookup Enable this option to specify that when the firewall cannot find category information for a URL in its local cache, it holds the web request as it queries PAN-DB.
Category Lookup Timeout (sec) Specify the amount of time, in seconds, that the firewall will try to look up the category for a URL before determining that the category is not-resolved (range is 1 to 60 seconds; default is 2).
URL Admin Lockout Timeout Specify the period of time that a user is locked out from attempting to use the URL Admin Override password after three unsuccessful attempts (range is 1 to 86,400 minutes; default is 30).
PAN-DB Server (Required for connecting to a private PAN-DB server) Specify the IPv4 address, IPv6 address, or FQDN for the private PAN-DB servers on your network. You can add up to 20 entries.
The firewall connects to the public PAN-DB cloud by default. The private PAN-DB solution is for enterprises that do not allow firewalls to directly access the PAN-DB servers in the public cloud. The firewalls access the servers included in this PAN-DB server list for the URL database, URL updates, and URL lookups for categorizing web pages.
Settings for URL Admin For each virtual system that you want to configure for URL admin override,
Override Add and specify the settings that apply when a URL filtering profile blocks a
Service URL The Cloud Services server URL to scan Enterprise Data Loss Prevention
(DLP) files.
• APAC—apac.hawkeye.services-edge.paloaltonetworks.com
• Europe—eu.hawkeye.services-edge.paloaltonetworks.com
• United States—us.hawkeye.services-edge.paloaltonetworks.com
Content-ID Settings
Allow Forwarding of Decrypted Content Enable this option to configure the firewall to forward decrypted content to an outside service when port mirroring or sending WildFire® files for analysis.
Extended Packet Capture Length Set the number of packets to capture when the extended-capture option is enabled in Anti-Spyware and Vulnerability Protection profiles (range is 1 to 50; default is 5).
Forward Segments Exceeding TCP App-ID™ Inspection Queue Enable this option to forward segments and classify the application as unknown-tcp when the App-ID queue exceeds the 64-segment limit. Use the following global counter to view the number of segments in excess of this queue regardless of whether you enabled or disabled this option:
appid_exceed_queue_limit
Disable this option to prevent the firewall from forwarding TCP segments and skipping App-ID inspection when the App-ID inspection queue is full.
Forward Segments Exceeding TCP Content Inspection Queue Enable this option to forward TCP segments and skip content inspection when the TCP content inspection queue is full. The firewall can queue up to 64 segments while waiting for the content engine. When the firewall forwards a segment and skips content inspection due to a full content inspection queue, it increments the following global counter:
ctd_exceed_queue_limit
Disable this option to prevent the firewall from forwarding TCP segments and skipping content inspection when the content inspection queue is full. When you disable this option, the firewall drops any segments that exceed the queue limit and increments the following global counter:
ctd_exceed_queue_limit_drop
This pair of global counters applies to both TCP and UDP packets. If, after viewing the global counters, you decide to change the setting, you can modify it from within the CLI using the following CLI command:
set deviceconfig setting ctd tcp-bypass-exceed-queue
Forward Datagrams Exceeding UDP Content Inspection Queue Enable this option to forward UDP datagrams and skip content inspection when the UDP content inspection queue is full. The firewall can queue up to 64 datagrams while waiting for a response from the content engine. When the firewall forwards a datagram and skips content inspection due to a UDP content inspection queue overflow, it increments the following global counter:
ctd_exceed_queue_limit
Disable this option to prevent the firewall from forwarding datagrams and skipping content inspection when the UDP content inspection queue is full. With this option disabled, the firewall drops any datagrams that exceed the queue limit and increments the following global counter:
ctd_exceed_queue_limit_drop
This pair of global counters applies to both TCP and UDP packets. If, after viewing the global counters, you decide to change the setting, you can modify it from within the CLI using the following command:
set deviceconfig setting ctd udp-bypass-exceed-queue
Allow HTTP partial response Enable this HTTP partial response option to enable a client to fetch only part of a file. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with an RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. This prevents the firewall from triggering the same signature again, because it lacks the context of the initial session, while allowing the web browser to reassemble the file and deliver the malicious content; to prevent this, make sure to disable this option.
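The following Python model is added here to show why the Range-based resume defeats a per-session signature; it is an illustration and not part of the PAN-OS documentation or product code. The file bytes, the signature string, and the 16-byte segment size are constructed for the example, and the firewall is reduced to a stream matcher that only sees the current session, drops the segment that completes a match, and resets the connection.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample data (not from the PAN-OS documentation): the signature
# is placed so that it straddles a segment boundary.
SIGNATURE = b"EVIL_MARKER_ABC"
FILE_BODY = b"0123456789" + SIGNATURE + b"-benign-trailer-bytes-"
SEGMENT = 16  # bytes delivered per TCP segment in this toy model


def parse_range_start(headers: Dict[str, str]) -> Optional[int]:
    """Return N from a 'Range: bytes=N-' request header, or None if absent."""
    value = headers.get("Range")
    if value is None:
        return None
    match = re.fullmatch(r"bytes=(\d+)-", value.strip())
    return int(match.group(1)) if match else None


def serve_through_firewall(headers: Dict[str, str], allow_partial: bool) -> Tuple[str, bytes]:
    """
    One HTTP session as seen by an in-path firewall that inspects the stream
    segment by segment and has context for *this* session only.
    Returns (verdict, bytes_the_client_received):
      'reset'           - signature matched; offending segment dropped, session RST
      'blocked-partial' - Range request refused because partial response is disallowed
      'allow'           - whole response delivered
    """
    start = parse_range_start(headers)
    if start is None:
        start = 0
    elif not allow_partial:
        return "blocked-partial", b""
    body = FILE_BODY[start:]
    seen = b""       # what the firewall has inspected in this session
    delivered = b""  # what has already reached the client
    for offset in range(0, len(body), SEGMENT):
        segment = body[offset:offset + SEGMENT]
        seen += segment
        if SIGNATURE in seen:
            # The match completes on this segment: it is dropped and the session
            # is torn down, but everything before it was already delivered.
            return "reset", delivered
        delivered += segment
    return "allow", delivered


def resume_after_reset(allow_partial: bool) -> Tuple[str, bytes]:
    """Browser behaviour: download, receive RST, then re-request the rest with Range."""
    verdict, received = serve_through_firewall({}, allow_partial)
    if verdict != "reset":
        return verdict, received
    resume = {"Range": "bytes=%d-" % len(received)}
    verdict, rest = serve_through_firewall(resume, allow_partial)
    return verdict, received + rest
```

With partial responses allowed, the second session starts in the middle of the signature, so the matcher never sees it and the client ends up with the complete file; with the option disabled the resume request is refused and the client keeps only the bytes delivered before the RST.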
DNS Signature Lookup Timeout (ms) Specify the duration of time, in milliseconds, for the firewall to query the DNS Security service. If the cloud does not respond before the end of the specified period, the firewall releases the associated DNS response to the requesting client (range is 0 to 60,000; default is 100).
X-Forwarded-For Headers
Use X-Forwarded-For Header You cannot enable X-Forwarded-For for User-ID and Security Policy at the same time.
Strip-X-Forwarded-For Header Enable this option to remove the X-Forwarded-For (XFF) header, which contains the IP address of a client requesting a web service when the firewall is deployed between the internet and a proxy server. The firewall zeroes out the header value before forwarding the request: the forwarded packets don’t contain internal source IP information.
Content-ID Features
Manage Data Protection Add additional protection for access to logs that may contain sensitive
information, such as credit card or social security numbers.
Click Manage Data Protection to perform the following tasks:
• Set Password—If one is not already configured, enter and confirm a new
password.
• Change Password—Enter the old password and enter and confirm the
new password.
• Delete Password—Deletes the password and the data that was
protected.
Container Pages Use these settings to specify the types of URLs that the firewall will track or
log based on content type, such as application/pdf, application/soap+xml,
application/xhtml+xml, text/html, text/plain, and text/xml. Container pages are
set per virtual system, which you select from the Location drop-down. If a
virtual system does not have an explicit container page defined, the firewall
uses the default content types.
Add and enter a content type or select an existing content type.
Adding new content types for a virtual system overrides the default list
of content types. If there are no content types associated with a virtual
system, the default list of content types is used.
To forward decrypted content to WildFire, refer to Forward Decrypted SSL Traffic for
WildFire Analysis.
General Settings
WildFire Private Cloud Specify the IPv4/IPv6 address or FQDN of the WildFire appliance.
The firewall sends files for analysis to the specified WildFire appliance.
Panorama collects threat IDs from the WildFire appliance to enable the
addition of threat exceptions in Anti-Spyware profiles (for DNS signatures
only) and Antivirus profiles that you configure in device groups. Panorama
also collects information from the WildFire appliance to populate fields that
are missing in the WildFire Submissions logs received from firewalls running
software versions earlier than PAN-OS 7.0.
File Size Limits Specify the maximum file size that will be forwarded to the WildFire server.
For all best practice recommendations about file size limits, if the limit is too
large and prevents the firewall from forwarding multiple large zero-day files
at the same time, lower and tune the maximum limit based on the amount
of available firewall buffer space. If more buffer space is available, you can
increase the file size limit above the best practice recommendation. The best
practice recommendations are a good starting place for setting effective limits
that don’t overtax firewall resources. Available ranges are:
• pe (Portable Executable)—Range is 1 to 50MB; default is 16MB.
Report Benign Files When this option is enabled (disabled by default), files analyzed by WildFire
that are determined to be benign will appear in the Monitor > WildFire
Submissions log.
Even if this option is enabled on the firewall, email links that WildFire deems
benign will not be logged because of the potential quantity of links processed.
Report Grayware Files When this option is enabled (disabled by default), files analyzed by WildFire
that are determined to be grayware will appear in the Monitor > WildFire
Submissions log.
Session Settings
The following table describes session settings.
Rematch Sessions Click Edit and select Rematch Sessions to cause the firewall to apply newly
configured security policy rules to sessions that are already in progress.
This capability is enabled by default. If this setting is disabled, any policy
rule change applies to only those sessions initiated after the change was
committed.
For example, if a Telnet session started while an associated policy rule was
configured that allowed Telnet, and you subsequently committed a policy
rule change to deny Telnet, the firewall applies the revised policy rule to the
current session and blocks it.
ICMPv6 Token Bucket Size Enter the bucket size for rate limiting of ICMPv6 error messages. The token bucket size is a parameter of the token bucket algorithm that controls how bursty the ICMPv6 error packets can be (range is 10 to 65,535 packets; default is 100).
ICMPv6 Error Packet Rate Enter the average number of ICMPv6 error packets per second allowed globally through the firewall (range is 10 to 65,535; default is 100). This value applies to all interfaces. If the firewall reaches the ICMPv6 error packet rate, the ICMPv6 token bucket is used to enable throttling of ICMPv6 error messages.
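The token bucket algorithm that the two settings above parameterize, as an added Python example (not from the PAN-OS documentation or product code). The bucket size bounds how many ICMPv6 error packets can pass in a burst; the rate bounds the long-term average. The send timestamps fed to it are constructed for the example.

```python
class TokenBucket:
    """Classic token bucket: 'rate' tokens are added per second up to
    'bucket_size'; each forwarded packet costs one token. The bucket size
    therefore bounds the burst and the rate bounds the average."""

    def __init__(self, rate: float, bucket_size: int, start_time: float = 0.0):
        self.rate = float(rate)
        self.capacity = float(bucket_size)
        self.tokens = float(bucket_size)  # bucket starts full
        self.last = start_time

    def allow(self, now: float) -> bool:
        if now < self.last:
            raise ValueError("timestamps must be non-decreasing")
        # Refill for the time elapsed since the previous packet, capped at capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def throttle_icmpv6_errors(timestamps, rate=100, bucket_size=100):
    """Run a sequence of ICMPv6 error-packet send times (seconds) through the
    limiter with the table's defaults. Returns (forwarded, dropped)."""
    start = timestamps[0] if timestamps else 0.0
    bucket = TokenBucket(rate, bucket_size, start_time=start)
    forwarded = dropped = 0
    for t in timestamps:
        if bucket.allow(t):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped
```

A burst of 150 error packets at the same instant passes exactly the bucket size (100) and drops the rest; half a second later 50 tokens have been refilled at the 100/s rate, so traffic at or below the average rate is never dropped.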
Enable IPv6 Firewalling To enable firewall capabilities for IPv6 traffic, Edit and select IPv6 Firewalling.
The firewall ignores all IPv6-based configurations if you do not enable IPv6
firewalling. Even if you enable IPv6 traffic on an interface, you must also
enable the IPv6 Firewalling option for IPv6 firewalling to function.
Enable Jumbo Frame Select to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9,192 bytes and are available only on certain models.
Global MTU • If you do not Enable Jumbo Frame, the Global MTU defaults to 1,500 bytes (range is 576 to 1,500).
• If you Enable Jumbo Frame, the Global MTU defaults to 9,192 bytes (range is 9,192 to 9,216 bytes).
DHCP Broadcast Session If your firewall is acting as a DHCP server, select this option to enable session logs for DHCP broadcast packets. The DHCP Broadcast Session option enables generation of Enhanced Application Logs (EAL logs) for DHCP for use by IoT Security and other services. If you do not enable this option, the firewall forwards the packets without creating logs for the DHCP broadcast packets.
NAT64 IPv6 Minimum Network MTU Enter the global MTU for IPv6 translated traffic. The default of 1,280 bytes is based on the standard minimum MTU for IPv6 traffic (range is 1,280 to 9,216).
NAT Oversubscription Rate Select the DIPP NAT oversubscription rate, which is the number of times that the firewall can use the same translated IP address and port pair concurrently. Reducing the oversubscription rate decreases the number of source device translations but will provide higher NAT rule capacities.
• Platform Default—Explicit configuration of the oversubscription rate is
turned off and the default oversubscription rate for the model applies. (See
default rates of firewall models at https://www.paloaltonetworks.com/
products/product-selection.html).
• 1x—1 time. This means no oversubscription; the firewall cannot use the
same translated IP address and port pair more than once concurrently.
• 2x—2 times
• 4x—4 times
• 8x—8 times
ICMP Unreachable Packet Rate (per sec) Define the maximum number of ICMP Unreachable responses that the firewall can send per second. This limit is shared by IPv4 and IPv6 packets. Default value is 200 messages per second (range is 1 to 65,535).
Packet Buffer Protection Beginning in PAN-OS 10.0, Packet Buffer Protection is enabled by default globally and on each zone. As a best practice, keep packet buffer protection
enabled globally and on each zone to protect the firewall buffers from DoS
attacks and aggressive sessions and sources. This option protects the receive
buffers on the firewall from attacks or abusive traffic that causes system
resources to back up and legitimate traffic to get dropped. Packet buffer
protection identifies offending sessions, uses Random Early Detection (RED)
as a first line of defense, and discards the session or blocks the offending
IP address if abuse continues. If the firewall detects many small sessions or
rapid session creation (or both) from a particular IP address, it blocks that IP
address.
Take baseline measurements of firewall packet buffer utilization to
understand the firewall capacity and ensure that the firewall is properly
configured so that only an attack causes a large spike in buffer usage.
• Alert (%)—When packet buffer utilization exceeds this threshold for more
than 10 seconds, the firewall creates a log event every minute. The firewall
generates log events when packet buffer protection is enabled globally
(range is 0% to 99%; default is 50%). If the value is 0%, the firewall does
not create a log event. Start with the default threshold value and adjust as
necessary.
• Activate (%)—When this threshold is reached, the firewall begins to
mitigate the most abusive sessions (range is 0% to 99%; default is 80%).
If the value is 0%, the firewall does not apply RED. Start with the default
threshold value and adjust as necessary.
• Block Hold Time (sec)—The amount of time, in seconds, that the session is allowed to continue before the session is discarded or the source IP address is blocked (range is 0 to 65,535; default is 60). This timer monitors
RED-mitigated sessions to see if they are still pushing buffer utilization or
latency above the configured threshold. If the abusive behavior continues
past the block hold time, the session is discarded. If the value is 0, the
firewall does not discard sessions based on packet buffer protection. Start
with the default value, monitor packet buffer utilization or latency, and
adjust the time value as necessary.
• Block Duration (sec)—The amount of time, in seconds, that a discarded
session remains discarded or a blocked IP address remains blocked (range
is 1 to 15,999,999; default is 3,600). Use the default value unless blocking
an IP address for one hour is too severe a penalty for your business
conditions, in which case you can reduce the duration. Monitor packet
buffer utilization or latency and adjust the duration as necessary.
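The escalation described by the four thresholds above (alert logging, RED at the activate threshold, discard or block after the hold time, release after the block duration), as an added Python model. It is not part of the PAN-OS documentation or product code: the firewall's real RED and session-selection logic is not public, so the model tracks one offending source against per-second utilization samples. The scenario values (5 s hold time, 10 s block duration, and the utilization series) are constructed to keep the run short; in a real deployment blocking the source would itself lower utilization.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PbpConfig:
    alert_pct: int = 50            # 0 disables alert logging
    activate_pct: int = 80         # 0 disables RED
    block_hold_sec: int = 60       # 0 disables discard/block
    block_duration_sec: int = 3600


@dataclass
class PbpState:
    over_alert_since: Optional[int] = None
    last_alert_log: Optional[int] = None
    red_since: Optional[int] = None        # RED applied to the offender since t
    blocked_until: Optional[int] = None
    events: List[Tuple[int, str]] = field(default_factory=list)


def pbp_step(cfg: PbpConfig, st: PbpState, t: int, util_pct: int, offender_active: bool) -> str:
    """Advance the model by one second. util_pct is the buffer-utilization sample,
    offender_active says whether the abusive source is still sending. Returns
    the action in force for that source: 'normal', 'red' or 'blocked'."""
    # Alert: utilization above the alert threshold for more than 10 s produces
    # one log event per minute while the condition persists.
    if cfg.alert_pct and util_pct > cfg.alert_pct:
        if st.over_alert_since is None:
            st.over_alert_since = t
        elif t - st.over_alert_since > 10 and (
                st.last_alert_log is None or t - st.last_alert_log >= 60):
            st.events.append((t, "alert-log"))
            st.last_alert_log = t
    else:
        st.over_alert_since = st.last_alert_log = None

    # Block duration: release the source once it has elapsed.
    if st.blocked_until is not None:
        if t < st.blocked_until:
            return "blocked"
        st.blocked_until = None
        st.events.append((t, "unblock"))

    # Activate: apply RED; if abuse outlasts the hold time, discard/block.
    if cfg.activate_pct and util_pct >= cfg.activate_pct and offender_active:
        if st.red_since is None:
            st.red_since = t
            st.events.append((t, "red"))
        elif cfg.block_hold_sec and t - st.red_since >= cfg.block_hold_sec:
            st.red_since = None
            st.blocked_until = t + cfg.block_duration_sec
            st.events.append((t, "block"))
            return "blocked"
        return "red"
    st.red_since = None
    return "normal"


def run_pbp(cfg: PbpConfig, samples: List[Tuple[int, bool]]):
    """samples[t] = (utilization %, offender still active) for second t.
    Returns (per-second actions, list of (t, event))."""
    st = PbpState()
    actions = [pbp_step(cfg, st, t, util, active) for t, (util, active) in enumerate(samples)]
    return actions, st.events


# Constructed scenario (assumption for the example): 3 s quiet, 20 s at 90 %
# with the offender active, 10 s quiet.
DEMO_CFG = PbpConfig(block_hold_sec=5, block_duration_sec=10)
DEMO_SAMPLES = [(30, False)] * 3 + [(90, True)] * 20 + [(30, False)] * 10
```

Running the scenario shows RED starting at t=3, the block at t=8 once the hold time has passed, the first alert log at t=14 (more than 10 s over the alert threshold), the release at t=18, and RED resuming because the source is still abusive. Setting Alert or Activate to 0% switches the respective stage off.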
Multicast Route Setup Buffering Select this option (disabled by default) to enable multicast route setup buffering, which allows the firewall to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the
Multicast Route Setup Buffer Size If you enable Multicast Route Setup Buffering, you can tune the buffer size, which specifies the buffer size per flow (range is 1 to 2,000; default is 1,000). The firewall can buffer a maximum of 5,000 packets.
Session Timeouts
Some session timeouts define the duration for which PAN-OS maintains a session on the firewall after
inactivity in the session. By default, when the session timeout for the protocol expires, PAN-OS closes the
session. The Discard session timeouts define the maximum time that a session remains open after PAN-OS
denies the session based on Security policy rules.
On the firewall, you can define a number of timeouts for TCP, UDP, ICMP, and SCTP sessions in particular.
The Default timeout applies to any other type of session. All of these timeouts are global, meaning they
apply to all of the sessions of that type on the firewall.
In addition to the global settings, you have the flexibility to define timeouts for an individual application in
the Objects > Applications tab. The timeouts available for that application appear in the Options window.
The firewall applies application timeouts to an application that is in Established state. When configured,
timeouts for an application override the global TCP, UDP, or SCTP session timeouts.
Use the options in this section to configure global session timeout settings—specifically for TCP, UDP,
ICMP, SCTP, and for all other types of sessions.
The defaults are optimal values and the best practice is to use the default values. However, you can modify
these according to your network needs. Setting a value too low could cause sensitivity to minor network
delays and could result in a failure to establish connections with the firewall. Setting a value too high could
delay failure detection.
Discard Default Maximum length of time (in seconds) that a non-TCP/UDP/SCTP session
remains open after PAN-OS denies the session based on Security policy
rules configured on the firewall (range is 1 to 15,999,999; default is 60).
Discard TCP Maximum length of time (in seconds) that a TCP session remains open after
PAN-OS denies the session based on Security policy rules configured on the
firewall (range is 1 to 15,999,999; default is 90).
Discard UDP Maximum length of time (in seconds) that a UDP session remains open after
PAN-OS denies the session based on Security policy rules configured on the
firewall (range is 1 to 15,999,999; default is 60).
ICMP Maximum length of time that an ICMP session can be open without an ICMP
response (range is 1 to 15,999,999; default is 6).
Scan Maximum length of time, in seconds, that a session can be inactive before
the firewall clears the session and recovers the buffer resources the session
was using. The inactive time is the length of time that has passed since the
session was last refreshed by a packet or an event. Range is 5 to 30; default
is 10.
TCP Maximum length of time that a TCP session remains open without a
response, after a TCP session is in the Established state (after the handshake
is complete and/or data transmission has started); (range is 1 to 15,999,999;
default is 3,600).
TCP handshake Maximum length of time, in seconds, between receiving the SYN-ACK and
the subsequent ACK to fully establish the session (range is 1 to 60; default
is 10).
TCP init Maximum length of time, in seconds, between receiving the SYN and SYN-
ACK before starting the TCP handshake timer (range is 1 to 60; default is 5).
TCP Half Closed Maximum length of time, in seconds, between receiving the first FIN and
receiving the second FIN or a RST (range is 1 to 604,800; default is 120).
TCP Time Wait Maximum length of time, in seconds, after receiving the second FIN or a RST
(range is 1 to 600; default is 15).
Unverified RST Maximum length of time, in seconds, after receiving a RST that cannot be
verified (the RST is within the TCP window but has an unexpected sequence
number, or the RST is from an asymmetric path); (range is 1 to 600; default
is 30).
UDP Maximum length of time, in seconds, that a UDP session remains open
without a UDP response (range is 1 to 1,599,999; default is 30).
Authentication Portal The authentication session timeout in seconds for the Authentication Portal
web form (default is 30, range is 1 to 1,599,999). To access the requested
content, the user must enter the authentication credentials in this form and
be successfully authenticated.
SCTP INIT Maximum length of time, in seconds, from receiving an SCTP INIT chunk that
the firewall must receive the INIT ACK chunk before the firewall stops the
SCTP association initiation (range is 1 to 60; default is 5).
SCTP COOKIE Maximum length of time, in seconds, from receiving an SCTP INIT ACK
chunk with the state COOKIE parameter that the firewall must receive the
Discard SCTP Maximum length of time, in seconds, that an SCTP association remains open
after PAN-OS denies the session based on Security policy rules configured
on the firewall (range is 1 to 604,800; default is 30).
SCTP Maximum length of time, in seconds, that can elapse without SCTP traffic for
an association before all sessions in the association time out (range is 1 to
604,800; default is 3,600).
SCTP Shutdown Maximum length of time, in seconds, that the firewall waits after an SCTP
SHUTDOWN chunk to receive a SHUTDOWN ACK chunk before the
firewall disregards the SHUTDOWN chunk (range is 1 to 600; default is 30).
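The TCP rows of the table above describe a sequence of timers, each governing one session state. The following Python model is added to make that sequence concrete; it is not part of the PAN-OS documentation or product code, and the transitions (in particular treating further data after an unverified RST as proof the RST was spurious) are a modeling choice, not a statement of the firewall's implementation. Default values are those in the table; the packet timings are constructed.

```python
from typing import Dict, Optional

# Global defaults from the Session Timeouts table (seconds).
DEFAULT_TIMEOUTS: Dict[str, int] = {
    "discard-tcp": 90, "tcp-init": 5, "tcp-handshake": 10, "tcp": 3600,
    "tcp-half-closed": 120, "tcp-time-wait": 15, "unverified-rst": 30,
}

# Which timer governs each session state.
STATE_TIMER = {
    "discard": "discard-tcp", "init": "tcp-init", "handshake": "tcp-handshake",
    "established": "tcp", "half-closed": "tcp-half-closed",
    "time-wait": "tcp-time-wait", "unverified-rst": "unverified-rst",
}


class TcpSessionTimer:
    """Tracks which idle timer applies to a TCP session as it moves through
    the states named in the table, and whether the session has aged out."""

    def __init__(self, first_syn_at: float, denied: bool = False,
                 app_timeout: Optional[int] = None, timeouts: Optional[Dict[str, int]] = None):
        self.timeouts = {**DEFAULT_TIMEOUTS, **(timeouts or {})}
        self.app_timeout = app_timeout  # per-application override, Established state only
        self.state = "discard" if denied else "init"
        self.last_refresh = first_syn_at

    def current_timeout(self) -> int:
        if self.state == "established" and self.app_timeout is not None:
            return self.app_timeout
        return self.timeouts[STATE_TIMER[self.state]]

    def expired(self, now: float) -> bool:
        if self.state == "expired":
            return True
        return now - self.last_refresh > self.current_timeout()

    def packet(self, now: float, kind: str, rst_verified: bool = True) -> str:
        """kind: 'SYN-ACK', 'ACK', 'DATA', 'FIN' or 'RST'. Returns the resulting state."""
        if self.expired(now):
            self.state = "expired"  # already cleared; a new SYN would be needed
            return self.state
        if self.state == "discard":
            return self.state       # denied by policy: the discard timer runs from the denial
        if kind == "RST":
            self.state = "time-wait" if rst_verified else "unverified-rst"
        elif self.state == "init" and kind == "SYN-ACK":
            self.state = "handshake"
        elif self.state == "handshake" and kind == "ACK":
            self.state = "established"
        elif self.state == "established" and kind == "FIN":
            self.state = "half-closed"
        elif self.state == "half-closed" and kind == "FIN":
            self.state = "time-wait"
        elif self.state == "unverified-rst" and kind == "DATA":
            self.state = "established"  # modeling choice: data after the RST means it was spurious
        self.last_refresh = now
        return self.state
```

The model reproduces the points the table makes: a SYN-ACK arriving more than 5 s after the SYN finds no session, an application timeout replaces the global 3,600 s value only once the session is Established, and a session denied by policy is held for the Discard TCP period regardless of what else arrives.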
TCP Settings
The following table describes TCP settings.
Forward segments exceeding TCP out-of-order queue Select this option if you want the firewall to forward segments that exceed the TCP out-of-order queue limit of 64 per session. If you disable this option, the firewall drops segments that exceed the out-of-order queue limit. To see a count of the number of segments that the firewall dropped as a result of enabling this option, run the following CLI command:
show counter global tcp_exceed_flow_seg_limit
Allow arbitrary ACK in response to SYN Enable to globally reject the packet if the first packet for the TCP session setup is not a SYN packet.
Drop segments with null timestamp option The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session, preventing TCP sequence number wrapping. The TCP timestamp is also used to calculate round trip time. With this option enabled, the firewall drops packets with
show counter global tcp_invalid_ts_option
Asymmetric Path Set globally whether to drop or bypass packets that contain out-of-sync ACKs
or out-of-window sequence numbers.
• Drop—Drop packets that contain an asymmetric path.
• Bypass—Bypass scanning on packets that contain an asymmetric path.
Urgent Data Flag Use this option to configure whether the firewall allows the urgent pointer
(URG bit flag) in the TCP header. The urgent pointer in the TCP header is used
to promote a packet for immediate processing—the firewall removes it from
the processing queue and expedites it through the TCP/IP stack on the host.
This process is called out-of-band processing.
Because the implementation of the urgent pointer varies by host, setting
this option to Clear (the default and recommended setting) eliminates any
ambiguity by disallowing out-of-band processing so that the out-of-band
byte in the payload becomes part of the payload and the packet is not
processed urgently. Additionally, the Clear setting ensures that the firewall
sees the exact stream in the protocol stack as the host for whom the packet
is destined. To see a count of the number of segments in which the firewall
cleared the URG flag when this option is set to Clear, run the following CLI
command:
show counter global tcp_clear_urg
Drop segments without flag Illegal TCP segments without any flags set can be used to evade content inspection. With this option enabled (the default) the firewall drops packets that have no flags set in the TCP header. To see a count of the number of segments that the firewall dropped as a result of this option, run the following CLI command:
show counter global tcp_flag_zero
Strip MPTCP option Enabled globally by default to convert Multipath TCP (MPTCP) connections to standard TCP connections.
SIP TCP cleartext Select one of the following options to set the cleartext proxy behavior for SIP
TCP sessions when a segmented SIP header is detected.
• Always Off—Disables the cleartext proxy. Disable the proxy when the SIP
message size is generally smaller than the MSS and when the SIP messages
fit within a single segment, or if you need to ensure TCP proxy resources
are reserved for SSL forward proxy or HTTP/2.
• Always enabled—Default. Uses TCP proxy for all SIP over TCP sessions to
help with the correct reassembly and ordering of TCP segments for proper
ALG operation.
• Automatically enable proxy when needed—When selected, the cleartext
proxy is automatically enabled for sessions where the ALG detects SIP
message fragmentation. Helps optimize the proxy when it is also used for
SSL forward proxy or HTTP/2.
TCP Retransmit Scan (PAN-OS 10.0.2 or later) If enabled, the checksum for the original packet is scanned when a retransmitted packet is seen. If the checksums differ between the original and retransmitted packet, the retransmitted packet is assumed to be malicious and dropped.
Enable: CRL Select this option to use the certificate revocation list (CRL) method to
verify the revocation status of certificates.
If you also enable Online Certificate Status Protocol (OCSP), the firewall
first tries OCSP; if the OCSP server is unavailable, the firewall then tries
the CRL method.
For more information on decryption certificates, see Keys and
Certificates for Decryption.
Receive Timeout: CRL If you enabled the CRL method for verifying certificate revocation
status, specify the interval in seconds (1 to 60; default is 5) after which
the firewall stops waiting for a response from the CRL service.
Enable: OCSP Select this option to use OCSP to verify the revocation status of
certificates.
Receive Timeout: OCSP If you enabled the OCSP method for verifying certificate revocation
status, specify the interval in seconds (1 to 60; default is 5) after which
the firewall stops waiting for a response from the OCSP responder.
Block Session With Unknown Certificate Status Select this option to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall proceeds with the session.
Block Session On Certificate Status Check Timeout Select this option to block SSL/TLS sessions after the firewall registers a CRL or OCSP request timeout. Otherwise, the firewall proceeds with the session.
Certificate Status Timeout Specify the interval in seconds (1 to 60; default is 5) after which the
firewall stops waiting for a response from any certificate status service
and applies any session blocking logic you optionally define. The
Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as
follows:
• If you enable both OCSP and CRL—The firewall registers a request
timeout after the lesser of two intervals passes: the Certificate
Status Timeout value or the aggregate of the two Receive Timeout
values.
• If you enable only OCSP—The firewall registers a request timeout
after the lesser of two intervals passes: the Certificate Status
Timeout value or the OCSP Receive Timeout value.
• If you enable only CRL—The firewall registers a request timeout after
the lesser of two intervals passes: the Certificate Status Timeout
value or the CRL Receive Timeout value.
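The following is an added example, not PAN-OS code, that models the revocation-check rules described in the rows above: OCSP is tried first and CRL is the fallback when the OCSP server is unavailable, the two Block Session options decide the outcome on an unknown status or a timeout, and the Certificate Status Timeout combines with the per-method Receive Timeouts exactly as the three bullets state. The service results passed in are constructed inputs; the one assumption not on the page is that a status of revoked blocks the session.

```python
"""Model of the decryption certificate-revocation checks (added example, not PAN-OS code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed vocabulary for what a revocation service returns.
GOOD, REVOKED, UNKNOWN, UNAVAILABLE = "good", "revoked", "unknown", "unavailable"


@dataclass
class RevocationSettings:
    enable_crl: bool = False
    enable_ocsp: bool = False
    crl_receive_timeout: int = 5           # seconds, 1 to 60
    ocsp_receive_timeout: int = 5          # seconds, 1 to 60
    certificate_status_timeout: int = 5    # seconds, 1 to 60
    block_on_unknown_status: bool = False
    block_on_status_check_timeout: bool = False

    def __post_init__(self) -> None:
        for name in ("crl_receive_timeout", "ocsp_receive_timeout",
                     "certificate_status_timeout"):
            value = getattr(self, name)
            if not 1 <= value <= 60:
                raise ValueError(f"{name} must be 1 to 60 seconds, got {value}")


def effective_timeout(s: RevocationSettings) -> Optional[int]:
    """Seconds after which the firewall registers a request timeout.

    The lesser of the Certificate Status Timeout and the Receive Timeout(s) of
    the enabled method(s); None when no revocation method is enabled.
    """
    if s.enable_ocsp and s.enable_crl:
        return min(s.certificate_status_timeout,
                   s.ocsp_receive_timeout + s.crl_receive_timeout)
    if s.enable_ocsp:
        return min(s.certificate_status_timeout, s.ocsp_receive_timeout)
    if s.enable_crl:
        return min(s.certificate_status_timeout, s.crl_receive_timeout)
    return None


def session_decision(s: RevocationSettings, ocsp_result: str, crl_result: str,
                     elapsed_seconds: int) -> str:
    """Return "allow" or "block" for one SSL/TLS session.

    ocsp_result and crl_result are what each service would answer if queried;
    elapsed_seconds is how long the status lookups took.
    """
    limit = effective_timeout(s)
    if limit is None:
        return "allow"                       # no revocation checking configured
    if elapsed_seconds >= limit:             # request timeout registered
        return "block" if s.block_on_status_check_timeout else "allow"

    status = ocsp_result if s.enable_ocsp else UNAVAILABLE
    if status == UNAVAILABLE and s.enable_crl:
        status = crl_result                  # fall back to the CRL method
    if status == REVOKED:
        return "block"                       # assumption: revoked always blocks
    if status == GOOD:
        return "allow"
    # Unknown status. The case where every enabled service was unavailable is
    # also treated as unknown here; the page does not spell that case out.
    return "block" if s.block_on_unknown_status else "allow"
```

With both methods enabled and the defaults (5 s each), the effective timeout is min(5, 5 + 5) = 5 s, so the Certificate Status Timeout is what actually bounds the lookup unless you raise it above the sum of the two Receive Timeouts.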
Send handshake messages to CTD for inspection Select to enable CTD to inspect SSL/TLS
handshakes during decrypted web sessions.
Cookie Activation Threshold Specify a maximum number of IKEv2 half-open IKE SAs allowed per
firewall, above which cookie validation is triggered. When the number of half-open IKE SAs
exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator
must respond with an IKE_SA_INIT containing a cookie. If the cookie validation is successful,
another SA session can be initiated.
A value of 0 means that cookie validation is always on.
The Cookie Activation Threshold is a global firewall setting and should be lower than the
Maximum Half Opened SA setting, which is also global (range is 0 to 65535; default is 500).
Maximum Half Opened SA Specify the maximum number of IKEv2 half-open IKE SAs that Initiators
can send to the firewall without getting a response. Once the maximum is reached, the firewall
will not respond to new IKE_SA_INIT packets (range is 1 to 65535; default is 65535).
Maximum Cached Certificates Specify the maximum number of peer certificate authority (CA)
certificates retrieved via HTTP that the firewall can cache. This value is used only by the
IKEv2 Hash and URL feature (range is 1 to 4000; default is 500).
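The following added example (not PAN-OS code) is a responder-side model of how the Cookie Activation Threshold and Maximum Half Opened SA settings above interact as IKE_SA_INIT requests arrive: below the threshold requests are accepted outright, above it the responder answers with a cookie the initiator must echo back, and at the maximum the responder stops answering altogether. The cookie construction (a keyed hash over the initiator identity) is an assumption for illustration; the page does not describe the cookie algorithm.

```python
"""Responder-side model of the IKEv2 half-open SA limits (added example, not PAN-OS code)."""
import hashlib
import hmac
import secrets
from typing import Optional


class IkeV2Responder:
    def __init__(self, cookie_activation_threshold: int = 500,
                 maximum_half_opened_sa: int = 65535) -> None:
        if not 0 <= cookie_activation_threshold <= 65535:
            raise ValueError("Cookie Activation Threshold range is 0 to 65535")
        if not 1 <= maximum_half_opened_sa <= 65535:
            raise ValueError("Maximum Half Opened SA range is 1 to 65535")
        if cookie_activation_threshold >= maximum_half_opened_sa:
            # The page says the threshold should be lower than the maximum.
            raise ValueError("threshold must be lower than Maximum Half Opened SA")
        self.threshold = cookie_activation_threshold
        self.maximum = maximum_half_opened_sa
        self.half_open = 0
        self._secret = secrets.token_bytes(16)   # constructed per-responder secret

    def cookie_for(self, initiator: str) -> bytes:
        """Stateless cookie (assumed construction): verifiable without per-peer state."""
        return hmac.new(self._secret, initiator.encode(), hashlib.sha256).digest()[:8]

    def cookie_required(self) -> bool:
        # A threshold of 0 means cookie validation is always on; otherwise it
        # starts once the half-open count exceeds the threshold.
        return self.threshold == 0 or self.half_open > self.threshold

    def on_ike_sa_init(self, initiator: str, cookie: Optional[bytes] = None) -> str:
        """Return "dropped", "cookie-requested" or "accepted" for one IKE_SA_INIT."""
        if self.half_open >= self.maximum:
            return "dropped"                 # firewall does not respond at all
        if self.cookie_required():
            if cookie is None or not hmac.compare_digest(cookie, self.cookie_for(initiator)):
                return "cookie-requested"    # initiator must retry with the cookie
        self.half_open += 1                  # a new half-open SA now exists
        return "accepted"

    def sa_established(self) -> None:
        """An IKE SA completed (or timed out), so it is no longer half-open."""
        if self.half_open > 0:
            self.half_open -= 1
```

The cookie exchange only costs a spoofing initiator one extra round trip per SA, which is why the threshold is a rate limiter rather than a hard ceiling; the Maximum Half Opened SA value is the ceiling that protects the responder's state table.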
You must have a valid SaaS Security Inline license on the firewall to use ACE. If you do not
have a SaaS Security Inline license on a firewall, that firewall cannot install ACE App-IDs or
use them in Security policy. Panorama does not require a license to manage firewalls that
use ACE.
Field Description
Max Latency (sec) Specify the maximum latency in seconds (between 1 and
240) for a file upload before an action is taken by the
firewall. Default is 60.
Action on Max Latency Specify the action the firewall takes when a file upload
latency reaches the configured Max Latency.
• Allow (default)—The firewall allows a file upload to continue to the DLP
cloud service when the maximum latency is reached.
• Block—The firewall blocks a file upload to the DLP cloud service that
reaches the configured maximum latency.
Max File Size (MB) Enforce a maximum file size (between 1 and 20) for upload
to the DLP cloud service. Default is 20.
Action on Max File Size Specify the action the firewall takes when a file upload
reaches the configured Max File Size.
• Allow (default)—The firewall allows a file upload to continue to the DLP
cloud service if the file reaches the configured maximum file size.
• Block—The firewall blocks a file upload to the DLP cloud service if the
file reaches the configured maximum file size.
Log Files Not Scanned Check (enable) to generate an alert in the data filtering log
when a file could not be uploaded to the DLP cloud service.
Action on any Error Specify the action the firewall takes when an error is
encountered during a file upload to the DLP cloud service.
• Allow (default)—The firewall allows a file upload to continue to the DLP
cloud service if an error is encountered during upload.
• Block—The firewall blocks a file upload to the DLP cloud service if an
error is encountered during upload.
In an HA pair, both peers must be of the same model, must be running the same PAN-OS
and Content Release version, and must have the same set of licenses.
In addition, for the VM-Series firewalls, both peers must be on the same hypervisor and
must have the same number of CPU cores allocated on each peer.
On supported firewall models, you can create a cluster of HA firewalls for session survivability within and
between data centers. If a link goes down, the sessions fail over to a different firewall in the cluster. Such
synchronization is helpful in use cases where HA peers are spread across multiple data centers or they are
spread between an active data center and a standby data center. Another use case is horizontal scaling,
where you add HA cluster members to a single data center to scale security and ensure session survivability.
HA pairs can belong to an HA cluster and they count as two firewalls in the cluster. The number of firewalls
supported in an HA cluster depends on the firewall model.
• Important Considerations for Configuring HA
• HA General Settings
• HA Communications
• HA Link and Path Monitoring
• HA Active/Active Config
• Cluster Config
In a High Availability (HA) active/passive configuration with firewalls that use 10 gigabit
SFP+ ports, when a failover occurs and the active firewall changes to a passive state, the
10 gigabit Ethernet port is taken down and then brought back up to refresh the port, but
does not enable transmit until the firewall becomes active again. If you have monitoring
software on the neighboring device, it will see the port as flapping because it is going
down and then up again. This is different behavior than the action with other ports, such
as the 1 gigabit Ethernet port, which is disabled and still allows transmit, so flapping is not
detected by the neighboring device.
HA General Settings
• Device > High Availability > General
To configure high availability (HA) pairs or HA cluster members, begin by selecting Device > High
Availability > General and configuring the general settings.
HA Settings Description
General Tab
HA Pair Settings—Setup Enable HA Pair to activate HA pair functionality and to access the
following settings:
• Group ID—Enter a number to identify the HA pair (1 to 63). This field is
required (and must be unique) if multiple HA pairs reside on the same
broadcast domain.
• Description—(Optional) Enter a description for the HA pair.
• Mode—Set the type of HA deployment: Active Passive or Active Active.
• Device ID—In active/active configuration, set the Device ID to determine
which peer will be active-primary (set Device ID to 0) and which will be
active-secondary (set the Device ID to 1).
• Enable Config Sync—Select this option to enable synchronization of
configuration settings between the peers.
Enable config sync so that both devices always have the same
configuration and process traffic the same way.
Active/Passive Settings • Passive Link State—Select one of the following options to specify
whether the data links on the passive firewall should remain up. This option is not available
in the VM-Series firewall in AWS.
• Flap Max—A flap is counted when the firewall leaves the active state
within 15 minutes after it last left the active state. Specify the maximum
number of flaps that are permitted before the firewall is determined to be
suspended and the passive firewall takes over (range is 0 to 16; default is
3). The value 0 means there is no maximum (an infinite number of flaps is
required before the passive firewall takes over).
• Preemption Hold Time (min)—Number of minutes that a passive or active-
secondary peer waits before taking over as the active or active-primary
peer (range is 1 to 60; default is 1).
• Monitor Fail Hold Up Time (ms)—Time interval, in milliseconds, during
which the firewall will remain active following a path monitor or link
monitor failure. This setting is recommended to avoid an HA failover due to
the occasional flapping of neighboring devices (range is 0 to 60,000; default
is 0).
• Additional Master Hold Up Time (ms)—Additional time, in milliseconds,
applied to the same event as the Monitor Fail Hold Up Time (range is 0 to
60,000; default is 500). The additional time interval is applied only to the
active peer in active/passive mode and to the active-primary peer in active/
active mode. This timer is recommended to avoid a failover when both
peers experience the same link or path monitor failure simultaneously.
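The following added example (not PAN-OS code) models two of the Active/Passive settings above: Flap Max, where a flap is a departure from the active state within 15 minutes of the previous departure and 0 means no maximum, and the hold-up timers, where the Additional Master Hold Up Time is added only for the active peer (active/passive) or the active-primary peer (active/active). Two details are assumptions not stated on the page: the flap count restarts when a departure falls outside the 15-minute window, and the departure that exceeds Flap Max is the one that triggers the suspension.

```python
"""Flap Max and hold-up timer model for HA peers (added example, not PAN-OS code)."""
from typing import Optional

FLAP_WINDOW_SECONDS = 15 * 60   # a flap: leaving active within 15 min of the last time


class FlapMonitor:
    def __init__(self, flap_max: int = 3) -> None:
        if not 0 <= flap_max <= 16:
            raise ValueError("Flap Max range is 0 to 16")
        self.flap_max = flap_max
        self.flaps = 0
        self.last_left_active: Optional[float] = None
        self.suspended = False

    def left_active(self, at: float) -> str:
        """Record that the firewall left the active state at time `at` (seconds).

        Returns "suspended" once the permitted number of flaps is exceeded,
        otherwise "ok".
        """
        if self.suspended:
            return "suspended"
        if (self.last_left_active is not None
                and at - self.last_left_active <= FLAP_WINDOW_SECONDS):
            self.flaps += 1      # within 15 minutes of the previous departure
        else:
            self.flaps = 0       # assumption: outside the window the count restarts
        self.last_left_active = at
        # Flap Max of 0 means there is no maximum, so the peer is never suspended.
        if self.flap_max and self.flaps > self.flap_max:
            self.suspended = True
            return "suspended"
        return "ok"


def failover_hold_up_ms(mode: str, role: str, monitor_fail_hold_up_ms: int = 0,
                        additional_master_hold_up_ms: int = 500) -> int:
    """Milliseconds a peer keeps its state after a link or path monitor failure.

    mode is "active/passive" or "active/active"; role is the peer's current
    HA state. The additional interval applies only to the active peer in
    active/passive mode and to the active-primary peer in active/active mode.
    """
    for value in (monitor_fail_hold_up_ms, additional_master_hold_up_ms):
        if not 0 <= value <= 60_000:
            raise ValueError("hold up times range from 0 to 60,000 ms")
    master = (mode, role) in {("active/passive", "active"),
                              ("active/active", "active-primary")}
    return monitor_fail_hold_up_ms + (additional_master_hold_up_ms if master else 0)
```

The asymmetric hold-up is what prevents a simultaneous failure on both peers from producing a failover: the non-master peer gives up first, so the master still has the extra 500 ms (by default) in which the shared failure can clear.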
SSH HA Profile Setting A type of SSH service profile that applies to the SSH sessions for the high
availability (HA) appliances on your network. To apply an existing HA profile,
select a profile, click OK, and Commit your change.
Clustering Settings Enable Cluster Participation to access the clustering settings. Firewalls that
support HA clustering allow clusters of member firewalls (individuals or HA
pairs where each firewall in a pair counts toward the total). The number of
members per cluster that a firewall model supports is as follows:
• PA-3200 Series: 6 members
• PA-5200 Series: 16 members
• PA-7080 Series: 4 members
• PA-7050 Series: 6 members
Configure the cluster:
• Cluster ID—A unique numeric ID for an HA cluster in which all members
can share session state (range is 1 to 99; there is no default).
• Cluster Description—Short helpful description for the cluster.
• Cluster Synchronization Timeout (min)—Maximum number of minutes that
the local firewall waits before going to Active state when another cluster
member (for example, in unknown state) is preventing the cluster from fully
synchronizing (range is 0 to 30; default is 0).
• Monitor Fail Hold Down Time (min)—Number of minutes after which a
down link is retested to see if it is back up (range is 1 to 60; default is 1).
Operational Commands
Suspend local device (or Make local device functional) To place the local HA peer into a
suspended state and temporarily disable HA functionality on it, use the following CLI
operational command:
• request high-availability state suspend
To place the suspended local HA peer back into a functional state, use the CLI operational
command:
• request high-availability state functional
To test failover, you can uncable the active (or active-primary) firewall.
HA Communications
• Device > High Availability > HA Communications
To configure HA links for HA pairs or HA clustering, select Device > High Availability > HA
Communications.
HA Links Description
Control Link (HA1)/Control Link (HA1 Backup) The firewalls in an HA pair use HA links to
synchronize data and maintain state information. Some firewall models have a dedicated Control
Link and dedicated backup Control Link; for example, PA-5200 Series firewalls have HA1-A and
HA1-B. In this case, you should enable the Heartbeat Backup option in the Elections Settings.
If you are using a dedicated HA1 port for the Control Link HA
When using a data port for the HA control link, keep in mind
that because the control messages have to communicate
from the dataplane to the management plane, if a failure
occurs in the dataplane, peers cannot communicate HA control
link information and a failover will occur. It is best to use the
dedicated HA ports, or on firewalls that do not have a dedicated
HA port, use the management port.
Control Link (HA1)/Control Link (HA1 Backup) Specify the following settings for the primary
and backup HA control links:
• Port—Select the HA port for the primary and backup HA1 interfaces. The backup setting is
optional.
• IPv4/IPv6 Address—Enter the IPv4 or IPv6 address of the HA1 interface for the primary and
backup HA1 interfaces. The backup setting is optional.
Data Link (HA2) Specify the following settings for the primary and backup data link:
Clustering Links Configure settings for HA4 links, which are dedicated HA cluster links that
synchronize session state among all cluster members having the same cluster ID.
The HA4 link between cluster members detects connectivity failures between
cluster members.
• Port—Select an HA interface to be the HA4 link (for example, ethernet1/1).
• IPv4/IPv6 Address—Enter the IP address of the local HA4 interface.
• Netmask—Enter the netmask.
• HA4 Keep-alive Threshold (ms)—Length of time within which the firewall
must receive keepalives from a cluster member to know that the cluster
member is functional (range is 5,000 to 60,000; default is 10,000).
Configure HA4 Backup settings:
• Port—Select an HA interface to be the HA4 backup link.
• IPv4/IPv6 Address—Enter the address of the local HA4 backup link.
• Netmask—Enter the netmask.
Link Groups Define one or more link groups to monitor specific Ethernet links. To add a link
group, specify the following and click Add:
• Name—Enter a link group name.
• Enabled—Enable the link group.
• Failure Condition—Select whether a failure occurs when any or all of the
selected links fail.
• Interfaces—Select one or more Ethernet interfaces to be monitored.
Path Group Define one or more path groups to monitor specific destination addresses for the
interface type. Add Virtual Wire Path, and Add VLAN Path, and Add Virtual
Destination IP for Path Group • Destination IP—Add one or more destination IP address groups to
monitor for the path group.
• Destination IP Group—Enter a name for the group.
• Add one or more Destination IP addresses to monitor for the group.
• Enabled—Select to enable the Destination IP group.
• Failure Condition—Select Any (to specify that if a ping failure occurs for any IP address in
the group, the destination group is considered to have failed) or All (to specify that if a
ping failure occurs for all IP addresses in the group, the destination group is considered to
have failed).
HA Active/Active Config
• Device > High Availability > Active/Active Config
To configure settings for an Active/Active HA pair, select Device > High Availability > Active/Active
Config.
Packet Forwarding Enable peers to forward packets over the HA3 link for session setup and for
Layer 7 inspection (App-ID, Content-ID, and threat inspection) of asymmetrically
routed sessions.
HA3 Interface Select the data interface you plan to use to forward packets between active/
active HA peers. The interface you use must be a dedicated Layer 2 interface set
to Interface Type HA.
QoS Sync Synchronize the QoS profile selection on all physical interfaces. Use this option
when both peers have similar link speeds and require the same QoS profiles on
all physical interfaces. This setting affects the synchronization of QoS settings on
the Network tab. QoS policy is synchronized regardless of this setting.
Tentative Hold Time (sec) When a firewall in an HA active/active configuration fails, it will go
into a tentative state. The transition from tentative state to active-secondary state
triggers the Tentative Hold Time, during which the firewall attempts to build
routing adjacencies and populate its route table before it will process any
packets. Without this timer, the recovering firewall would enter the active-
secondary state immediately and would silently discard packets because it would
not have the necessary routes (default is 60 seconds).
Session Owner Selection The session owner is responsible for all Layer 7 inspection (App-ID and
Content-ID) for the session and for generating all Traffic logs for the session. Select one of
the following options to specify how to determine the session owner for a packet:
• First packet—Select this option to designate the firewall that receives the
first packet in a session as the session owner. This is the best practice
configuration to minimize traffic across HA3 and distribute the dataplane load
across peers.
• Primary Device—Select this option if you want the active-primary firewall to
own all sessions. In this case, if the active-secondary firewall receives the first
packet, it will forward all packets requiring Layer 7 inspection to the active-
primary firewall over the HA3 link.
Virtual Address Click Add, select the IPv4 or IPv6 tab and then click Add again to enter options
to specify the type of HA virtual address to use: Floating or ARP Load Sharing.
You can also mix the type of virtual address types in the pair. For example, you
could use ARP load sharing on the LAN interface and a Floating IP on the WAN
interface.
• Floating—Enter an IP address that will move between HA peers in the
event of a link or system failure. Configure two floating IP addresses on the
interface, so that each firewall will own one and then set the priority. If either
firewall fails, the floating IP address transitions to the HA peer.
• Device 0 Priority—Set the priority for the firewall with Device ID 0 to
determine which firewall will own the floating IP address. A firewall with
the lowest value will have the highest priority.
• Device 1 Priority—Set the priority for the firewall with Device ID 1 to
determine which firewall will own the floating IP address. A firewall with
the lowest value will have the highest priority.
• Failover address if link state is down—Use the failover address when the
link state is down on the interface.
• Floating IP bound to the Active-Primary HA device—Select this option to
bind the floating IP address to the active-primary peer. In the event one
peer fails, traffic is sent continuously to the active-primary peer even after
the failed firewall recovers and becomes the active-secondary peer.
• ARP Load Sharing—Enter an IP address that will be shared by the HA pair and provide gateway
services for hosts. This option is only required if the firewall is on the same broadcast
domain as the hosts. Select the Device Selection Algorithm:
• IP Modulo—Select the firewall that will respond to ARP requests based on the parity of the
ARP requester's IP address.
• IP Hash—Select the firewall that will respond to ARP requests based on a hash of the ARP
requester's IP address.
Cluster Config
• Device > High Availability > Cluster Config
Add members to an HA cluster by selecting Device > High Availability > Cluster Config.
Add Add a cluster member. You must add the local firewall and if you are using HA
pairs, you must add both HA peers of the pair as cluster members.
• (Supported firewalls) Device Serial Number—Enter the unique serial number of
the cluster member.
• (Panorama) Device—Select a device from the dropdown and enter a Device
Name.
• HA4 IP Address—Enter the IP address of the HA4 link for the cluster member.
Delete Select one or more cluster members and Delete them from the cluster.
Enable (Supported firewalls) You can determine whether or not a cluster member
synchronizes sessions with other members. By default, all members are allowed
to synchronize sessions. If you disable synchronization for one or more members,
select Enable to re-enable synchronization for one or more members.
Disable (Supported firewalls) Select one or more members and Disable synchronization
with other members.
Refresh (Panorama) Select Refresh to refresh the list of HA devices in the HA cluster.
Configure the ports in Device Card > Log Forwarding. The firewall uses these ports to forward all dataplane
logs to an external system, such as Panorama or a syslog server.
See the PA-7000 Series Hardware Reference Guide for information about the LFC requirements and
components.
For an LFC interface, configure the settings described in the following table.
Name Enter an interface name. For an LFC, you must select lfc1/1 or lfc1/9 from the
drop-down menu.
Link Speed Select the interface speed in Mbps (10000 or 40000), or select auto (default) to
have the firewall automatically determine the speed based on the connection.
The interface speed available is dependent on the Name used (lfc1/1 or lfc1/9).
For interfaces that have a non-configurable speed, auto is the only option.
Link State Select whether the interface status is enabled (up), disabled (down), or
determined automatically based on the connection (auto). The default is auto.
Subinterfaces are available if you have multi-vsys enabled. To configure an LFC subinterface, add a
subinterface and use the setting described in the following table.
Interface Name Interface Name (read-only) displays the name of the log card interface you
selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the
subinterface.
Make the tag the same as the subinterface number for ease of
use.
Virtual System Select the virtual system (vsys) to which the Log Forwarding Card (LFC)
subinterface is assigned. Alternatively, you can click Virtual Systems to add a
new vsys. Once an LFC subinterface is assigned to a vsys, that interface is used
as the source interface for all services that forward logs (syslog, email, SNMP)
from the log card.
Configuration name drop-downs (unlabeled) Select two configurations to compare in the
(unlabeled) configuration name drop-downs (the defaults are Running config and Candidate
config).
Context drop-down Use the Context drop-down to specify the number of lines to display before and
after the highlighted differences in each file. Specifying more lines can help you correlate the
audit results to settings in the web interface. If you set the Context to All, the results
include the entire configuration files.
Previous and Next These navigation arrows are enabled when consecutive configuration versions
are selected in the configuration name drop-downs. Click Previous to compare the previous pair
of configurations in the drop-downs or click Next to compare the next pair of configurations.
You cannot assign password profiles to administrative accounts that use local database
authentication (see Device > Local User Database > Users).
To create a password profile, Add and specify the information in the following table.
Name Enter a name to identify the password profile (up to 31 characters). The name is
case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.
Required Password Change Period (days) Require that administrators change their password on a
regular basis, specified by a number of days (range is 0 to 365). For example, if the value is
set to 90, administrators will be prompted to change their password every 90 days. You can also
set an expiration warning from 0 to 30 days and specify a grace period.
Expiration Warning Period (days) If a required password change period is set, this setting can
be used to prompt the user to change their password at each log in as the forced password
change date approaches (range is 0 to 30).
Post Expiration Admin Login Count Allow the administrator to log in a specified number of times
after their account has expired. For example, if the value is set to 3 and their account has
expired, they can log in 3 more times before their account is locked out (range is 0 to 3).
Post Expiration Grace Period (days) Allow the administrator to log in the specified number of
days after their account has expired (range is 0 to 30).
Password Character Set There are no restrictions on any password field character sets.
Remote Admin, SSL-VPN, or Authentication Portal The following characters are not allowed for
the username:
• Backtick (`)
• Angular brackets (< and >)
• Ampersand (&)
• Asterisk (*)
• At sign (@)
• Question mark (?)
• Pipe (|)
• Single-Quote (')
• Semicolon (;)
• Double-Quote (")
• Dollar ($)
• Parentheses ( '(' and ')' )
• Colon (:)
Local Administrator Accounts The following are the allowed characters for local usernames:
• Lowercase (a-z)
• Uppercase (A-Z)
• Numeric (0-9)
• Underscore (_)
• Period (.)
• Hyphen (-)
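The following added example (not PAN-OS code) turns the two character rules above into validators: a deny-list check for Remote Admin, SSL-VPN and Authentication Portal usernames using exactly the characters the page lists, and an allow-list check for local administrator usernames. The character sets come from the page; the sample names in the test are constructed.

```python
"""Username character-rule validators (added example, not PAN-OS code)."""
import re
from typing import List

# Characters the page disallows in Remote Admin / SSL-VPN / Authentication
# Portal usernames: backtick, angle brackets, ampersand, asterisk, at sign,
# question mark, pipe, single and double quotes, semicolon, dollar,
# parentheses and colon.
FORBIDDEN_REMOTE_USERNAME_CHARS = frozenset("`<>&*@?|'\";$():")

# Local administrator usernames: lowercase, uppercase, digits, underscore,
# period and hyphen only (allow-list, so anything else is rejected).
LOCAL_ADMIN_USERNAME_RE = re.compile(r"^[a-zA-Z0-9_.\-]+$")


def forbidden_chars(username: str) -> List[str]:
    """Return the disallowed characters present in a remote username, in order
    of first appearance. An empty list means the name passes this check."""
    found: List[str] = []
    for ch in username:
        if ch in FORBIDDEN_REMOTE_USERNAME_CHARS and ch not in found:
            found.append(ch)
    return found


def is_valid_remote_username(username: str) -> bool:
    """Non-empty and free of the characters the page lists as not allowed."""
    return bool(username) and not forbidden_chars(username)


def is_valid_local_admin_username(username: str) -> bool:
    """True when the name uses only the allowed local administrator characters."""
    return LOCAL_ADMIN_USERNAME_RE.fullmatch(username) is not None
```

Every character on the deny list is a metacharacter for some downstream consumer (shell, HTML, LDAP or SQL filters, log pipelines), which is the usual reason a management plane rejects them at the boundary; the local-account rule is the stricter allow-list form of the same idea.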
Local Administrator Passwords Commonly used words and phrases are not allowed as passwords,
regardless of any combination of upper and lower case letters.
To define Panorama administrators, see Panorama > Managed Devices > Summary.
Use only client certificate authentication (web) Select this option to use client certificate
authentication for web access. If you select this option, a username and password are not
required; the certificate is sufficient to authenticate access to the firewall.
Use Public Key Authentication (SSH) Select this option to use SSH public key authentication. Click
Import Key and browse to select the public key file. The
uploaded key appears in the read-only text area.
Supported key file formats are IETF SECSH and OpenSSH.
Supported key algorithms are DSA (1,024 bits) and RSA (768 to
4,096 bits).
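The following added example (not PAN-OS code) checks an administrator's public key against the formats and sizes listed above. It parses an OpenSSH-format public key line (the IETF SECSH format the page also mentions is not handled here), reads the algorithm and key size out of the key blob, and reports whether they fall inside the documented limits: DSA at 1,024 bits and RSA from 768 to 4,096 bits. The sample keys are assembled in code from synthetic public values so the check runs offline; they are not real keys.

```python
"""OpenSSH public key format and size check (added example, not PAN-OS code)."""
import base64
import struct
from typing import Tuple

# (minimum bits, maximum bits) per algorithm, as listed on the page.
SUPPORTED_KEY_SIZES = {"ssh-rsa": (768, 4096), "ssh-dss": (1024, 1024)}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint: big-endian two's complement with a length prefix."""
    if value == 0:
        return ssh_string(b"")
    data = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if data[0] & 0x80:
        data = b"\x00" + data        # leading zero keeps the value positive
    return ssh_string(data)


def read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one length-prefixed field; return (field, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def build_key_line(algorithm: str, *fields: bytes, comment: str = "constructed") -> str:
    """Assemble an OpenSSH public key line from already-encoded blob fields."""
    blob = ssh_string(algorithm.encode("ascii")) + b"".join(fields)
    return f"{algorithm} {base64.b64encode(blob).decode()} {comment}"


def build_rsa_line(e: int, n: int) -> str:
    return build_key_line("ssh-rsa", ssh_mpint(e), ssh_mpint(n))


def build_dss_line(p: int, q: int, g: int, y: int) -> str:
    return build_key_line("ssh-dss", *(ssh_mpint(v) for v in (p, q, g, y)))


def key_info(line: str) -> Tuple[str, int]:
    """Return (algorithm, key size in bits) for an OpenSSH public key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<algorithm> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    alg_bytes, offset = read_string(blob, 0)
    algorithm = alg_bytes.decode("ascii")
    if algorithm != parts[0]:
        raise ValueError("algorithm prefix does not match key blob")
    if algorithm == "ssh-rsa":
        _e, offset = read_string(blob, offset)
        n, _ = read_string(blob, offset)        # key size is the size of n
        return algorithm, int.from_bytes(n, "big").bit_length()
    if algorithm == "ssh-dss":
        p, _ = read_string(blob, offset)        # key size is the size of p
        return algorithm, int.from_bytes(p, "big").bit_length()
    return algorithm, 0                          # size not evaluated for other types


def is_supported_key(line: str) -> bool:
    """True when the key type and size are within the documented limits."""
    algorithm, bits = key_info(line)
    limits = SUPPORTED_KEY_SIZES.get(algorithm)
    return limits is not None and limits[0] <= bits <= limits[1]
```

Keys of other types (ssh-ed25519, ecdsa-sha2-*) are reported as unsupported because the page lists only DSA and RSA; within the RSA range, the larger sizes are the ones a practitioner would actually issue for administrator access.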
Administrator Type Assign a role to this administrator. The role determines what the
administrator can view and modify.
If you select Role Based, select a custom role profile from the
drop-down. For details, see Device > Admin Roles.
If you select Dynamic, you can select one of the following
predefined roles:
• Superuser—Has full access to the firewall and can define new
administrator accounts and virtual systems. You must have
superuser privileges to create an administrative user with
superuser privileges.
• Superuser (read-only)—Has read-only access to the firewall.
• Device administrator—Has full access to all firewall settings
except for defining new accounts or virtual systems.
• Device administrator (read-only)—Has read-only access to
all firewall settings except password profiles (no access) and
administrator accounts (only the logged in account is visible).
• Virtual system administrator—Has access to specific virtual
systems on the firewall to create and manage specific aspects
of virtual systems (if Multi Virtual System Capability is
enabled). A virtual system administrator doesn’t have access
to network interfaces, virtual routers, IPSec tunnels, VLANs,
virtual wires, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or
network profiles.
• Virtual system administrator (read-only)—Has read-only
access to specific virtual systems on the firewall to view
specific aspects of virtual systems (if Multi Virtual System
Capability is enabled). A virtual system administrator with
read-only access doesn’t have access to network interfaces,
virtual routers, IPSec tunnels, VLANs, virtual wires, GRE
tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
Virtual System (Virtual system administrator role only) Click Add to select the virtual systems
that the administrator can manage.
To define Admin Role profiles for Panorama administrators, see Panorama > Admin Roles.
The firewall has three predefined roles you can use for Common Criteria purposes. You first use the
superuser role for initial firewall configuration and to create the administrator accounts for the Security
Administrator, Audit Administrator, and Cryptographic Administrator. After you create these accounts and
apply the proper Common Criteria Admin Roles, you then log in using those accounts. The default superuser
account in Federal Information Processing Standard (FIPS)/Common Criteria (CC) mode (FIPS-CC mode) is
admin and the default password is paloalto. In standard operating mode, the default admin password is admin.
The predefined Admin Roles were created so that there is no overlap in capabilities, except that all have
read-only access to the audit trail (the Audit Administrator has full read/delete access). These admin roles
cannot be modified and are defined as follows:
• auditadmin—The Audit Administrator is responsible for the regular review of the firewall’s audit data.
• cryptoadmin—The Cryptographic Administrator is responsible for the configuration and maintenance of
cryptographic elements related to the establishment of secure connections to the firewall.
• securityadmin—The Security Administrator is responsible for all other administrative tasks (such as
creating Security policy) not addressed by the other two administrative roles.
To add an Admin Role profile, click Add and specify the settings described in the following table.
Create custom roles to limit administrator access to only what each type of administrator
needs. For each type of administrator, enable, disable, or set read-only access for Web UI,
XML API, Command Line, and REST API access.
Name Enter a name to identify this administrator role (up to 31 characters). The
name is case-sensitive and must be unique. Use only letters, numbers,
spaces, hyphens, and underscores.
Description (Optional) Enter a description for the role (up to 255 characters).
WebUI Click the icons for specific web interface features to set the permitted
access privileges:
XML API Click the icons for specific XML API features to set the permitted access
privileges (Enable or Disable).
Command Line Select the type of role for CLI access. The default is None, which means
access to the CLI is not permitted. The other options vary by Role scope:
• Device
• superuser—Has full access to the firewall and can define new
administrator accounts and virtual systems. You must have superuser
privileges to create an administrative user with superuser privileges.
• superreader—Has read-only access to the firewall.
• deviceadmin—Has full access to all firewall settings except for
defining new accounts or virtual systems.
• devicereader—Has read-only access to all firewall settings except
password profiles (no access) and administrator accounts (only the
logged in account is visible).
• Virtual System
• vsysadmin—Has access to specific virtual systems on the firewall
to create and manage specific aspects of virtual systems. The
vsysadmin setting doesn’t control firewall-level or network-level
functions (such as static and dynamic routing, IP addresses of
interfaces, IPSec tunnels, VLANs, virtual wires, virtual routers, GRE
tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles).
• vsysreader—Has read-only access to specific virtual systems on
the firewall and specific aspects of a virtual system. The vsysreader
setting doesn’t have access to firewall-level or network-level
functions (such as static and dynamic routing, IP addresses of
interfaces, IPSec tunnels, VLANs, virtual wires, virtual routers, GRE
tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles).
REST API Click the icons for specific REST API features to set the permitted access
privileges (Enable, Read Only, or Disable).
On Panorama, you can manage access domains locally or by using RADIUS VSAs,
TACACS+ VSAs, or SAML attributes (see Panorama > Access Domains).
Name Enter a name for the access domain (up to 31 characters). The name
is case-sensitive and must be unique. Use only letters, numbers,
hyphens, underscores, and periods.
Virtual Systems Select virtual systems in the Available column and Add them.
Access Domains are only supported on firewalls that support virtual
systems.
Create at least one Authentication profile to provide external authentication, which keeps
all authentication requests in one place for easier management and uses a standard
authentication process that includes services such as tracking. It is best to create and
prioritize (Device > Authentication Sequence) multiple Authentication profiles that use
different methods in case of authentication failure, and to create at least one local login
account to fall back on if all external methods fail.
You can also use this page to register a firewall or Panorama service (such as administrative access to the
web interface) with a SAML identity provider (IdP). Registering the service enables the firewall or Panorama
to use the IdP for authenticating users who request the service. You register a service by entering its SAML
metadata on the IdP. The firewall and Panorama make registration easy by automatically generating a SAML
metadata file based on the authentication profile that you assigned to the service; you can export this
metadata file to the IdP.
• Authentication Profile
• SAML Metadata Export from an Authentication Profile
Authentication Profile
• Device > Authentication Profile
Select Device > Authentication Profile or Panorama > Authentication Profile to manage authentication
profiles. To create a new profile, Add one and complete the following fields.
After configuring an authentication profile, use the test authentication CLI command
to determine whether the firewall or Panorama management server can communicate with
the back-end authentication server and whether the authentication request succeeded. You
can perform authentication tests on the candidate configuration to determine whether the
configuration is correct before you commit.
Name Enter a name to identify the profile. The name is case-sensitive, can have
up to 31 characters, and can include only letters, numbers, spaces, hyphens,
underscores, and periods. The name must be unique in the current Location
(firewall or virtual system) relative to other authentication profiles and to
authentication sequences.
Location Select the scope in which the profile is available. In the context of a firewall
that has more than one virtual system (vsys), select a vsys or select Shared (all
virtual systems). In any other context, you can’t select the Location; its value is
predefined as Shared (firewalls) or as Panorama. After you save the profile, you
can’t change its Location.
Authentication Tab
The firewall invokes the authentication service that you configure in this tab before invoking any multi-
factor authentication (MFA) services that you add in the Factors Tab.
If the firewall integrates with an MFA vendor through RADIUS instead of the vendor API,
you must configure a RADIUS server profile for that vendor, not an MFA server profile.
Type Select the type of service that provides the first (and optionally the only)
authentication challenge that users see. Based on your selection, the dialog
displays other settings that you define for the service. The options are:
• None—Do not use any authentication.
• Cloud Authentication Service—Use the cloud-based authentication service
that the Cloud Identity Engine provides.
• Local Database—Use the local authentication database on the firewall. This
option is not available on Panorama.
• RADIUS—Use a Remote Authentication Dial-In User Service (RADIUS)
server.
• TACACS+—Use a Terminal Access Controller Access-Control System Plus
(TACACS+) server.
• LDAP—Use a Lightweight Directory Access Protocol (LDAP) server.
• Kerberos—Use a Kerberos server.
• SAML—Use a Security Assertion Markup Language 2.0 (SAML 2.0) identity
provider (IdP).
Server Profile (RADIUS, TACACS+, LDAP, or Kerberos only) Select the authentication server
profile from the drop-down. See Device > Server Profiles > RADIUS, Device > Server Profiles >
TACACS+, Device > Server Profiles > LDAP, or Device > Server Profiles > Kerberos.
IdP Server Profile (SAML only) Select the SAML Identity Provider server profile from the
drop-down. See Device > Server Profiles > SAML Identity Provider.
Retrieve user group from RADIUS (RADIUS only) Select this option to collect user group
information from Vendor-Specific Attributes (VSAs) defined on the RADIUS server. The firewall
uses the information to match authenticating users against Allow List entries, not for
enforcing policies or generating reports.
Retrieve user group from TACACS+ (TACACS+ only) Select this option to collect user group
information from Vendor-Specific Attributes (VSAs) defined on the TACACS+ server. The firewall
uses the information to match authenticating users against Allow List entries, not for
enforcing policies or generating reports.
Login Attribute (LDAP only) Enter an LDAP directory attribute that uniquely identifies the
user and functions as the login ID for that user.
Password Expiry Warning (LDAP only) If the authentication profile is for GlobalProtect users,
enter the number of days before password expiration to start displaying notification messages
to users to alert them that their passwords are expiring in x number of days. By default,
notification messages will display seven days before password expiry (range is 1 to 255).
Users will not be able to access the VPN if their passwords expire.
Certificate for Signing Requests (SAML only) Select the certificate that the firewall will
use to sign SAML messages that it sends to the identity provider (IdP). This field is required
if you enable the Sign SAML Message to IdP option in the IdP Server Profile (see Device >
Server Profiles > SAML Identity Provider). Otherwise, selecting a certificate to sign SAML
messages is optional.
When generating or importing a certificate and its associated private key, the
key usage attributes specified in the certificate control how you can use the
key:
• If the certificate explicitly lists key usage attributes, one of the attributes
must be Digital Signature, which is not available in certificates that you
generate on the firewall. In this case, you must Import the certificate and key
from your enterprise certificate authority (CA) or a third-party CA.
• If the certificate doesn’t specify key usage attributes, you can use the key
for any purpose, including signing messages. In this case, you can use any
method to obtain the certificate and key for signing SAML messages.
Enable Single Logout (SAML only) Select this option to enable users to log out of every
authenticated service by logging out of any single service. Single logout (SLO) applies only
to services that users accessed through SAML authentication. The services can be external
Certificate Profile (SAML only) Select the Certificate Profile that the firewall will use to
validate:
• The Identity Provider Certificate specified in the IdP Server Profile. The IdP uses this
certificate to authenticate to the firewall. The firewall validates the certificate when you
Commit the authentication profile configuration.
• SAML messages that the IdP sends to the firewall for single sign-on (SSO)
and single logout (SLO) authentication. The IdP uses the Identity Provider
Certificate specified in the IdP Server Profile to sign the messages.
See Device > Certificate Management > Certificate Profile.
User Domain and Username Modifier (All authentication types except SAML and Cloud
Authentication Service) The firewall uses the User Domain for matching authenticating users
against Allow List entries and for User-ID group mapping.
You can specify a Username Modifier to modify the format of the domain and username that a
user enters during login. The firewall uses the modified string for authentication. Select
from the following options:
• To send only the unmodified user input, leave the User Domain blank (default) and set the
Username Modifier to the variable %USERINPUT% (default).
• To prepend a domain to the user input, enter a User Domain, and set the Username Modifier
to %USERDOMAIN%\%USERINPUT%.
• To append a domain to the user input, enter a User Domain and set the Username Modifier to
%USERINPUT%@%USERDOMAIN%.
Kerberos Realm (All authentication types except SAML and Cloud Authentication Service) If
your network supports Kerberos single sign-on (SSO), enter the Kerberos Realm (up to 127
characters). This is the hostname portion of the user login name. For example, the user
account name user@EXAMPLE.LOCAL has realm EXAMPLE.LOCAL.
Kerberos Keytab (All authentication types except SAML and Cloud Authentication Service) If
your network supports Kerberos single sign-on (SSO), click Import, click Browse to locate the
keytab file, and then click OK. A keytab contains Kerberos account information (principal
name and hashed password) for the firewall, which is required for SSO authentication. Each
authentication profile can have one keytab. During authentication, the firewall first tries
to use the keytab to establish SSO. If it succeeds and the user attempting access is in the
Allow List, authentication succeeds immediately. Otherwise, the authentication process falls
back to manual authentication (username/password) of the specified Type, which doesn’t have
to be Kerberos.
Username Attribute (SAML only) Enter the SAML attribute that identifies the username of an
authenticating user in messages from the IdP (default is username). If the IdP Server Profile
contains metadata that specifies a username attribute, the firewall automatically populates
this field with that attribute. The firewall matches usernames retrieved from SAML messages
with users and user groups in the Allow List of the authentication profile. Because you
cannot configure the firewall to modify the domain/username string that a user enters during
SAML logins, the login username must exactly match an Allow List entry. This is the only SAML
attribute that is mandatory.
User Group Attribute (SAML only) Enter the SAML attribute that identifies the user group of
an authenticating user in messages from the IdP (default is usergroup). If the IdP Server
Profile contains metadata that specifies a user group attribute, the field automatically uses
that attribute. The firewall uses the group information to match authenticating users against
Allow List entries, not for policies or reports.
Admin Role Attribute (SAML only) Enter the SAML attribute that identifies the administrator
role of an authenticating user in messages from the IdP (default is admin-role). This
attribute applies only to firewall administrators, not to end users. If the IdP Server
Profile contains metadata that specifies an admin-role attribute, the firewall automatically
populates this field with that attribute. The firewall matches its predefined (dynamic) roles
or Admin Role profiles with the roles retrieved from SAML messages to enforce role-based
access control. If a SAML message has multiple admin-role values for an administrator with only
Access Domain Attribute (SAML only) Enter the SAML attribute that identifies the access domain
of an authenticating user in messages from the IdP (default is access-domain). This attribute
applies only to firewall administrators, not to end users. If the IdP Server Profile contains
metadata that specifies an access-domain attribute, the firewall automatically populates this
field with that attribute. The firewall matches its locally configured access domains with
those retrieved from SAML messages to enforce access control. If a SAML message has multiple
access-domain values for an administrator with only one access domain, matching applies only
to the first (left-most) value in the access-domain attribute. For an administrator with more
than one access domain, the matching can apply to multiple values in the attribute.
Region (Cloud Authentication Service only) Select the regional endpoint for your Cloud
Identity Engine instance. The region you select must match the region you select when you
activate your Cloud Identity Engine instance.
Instance (Cloud Authentication Service only) If you have more than one instance, select the
Cloud Identity Engine instance you want to use.
Profile (Cloud Authentication Service only) If you have more than one Cloud Identity Engine
identity provider profile (IdP profile), select the Cloud Identity Engine IdP profile you
want to use.
Maximum Clock Skew (seconds) (Cloud Authentication Service only) Enter the maximum acceptable
time difference in seconds between the IdP and firewall system times at the moment when the
firewall validates a message that it receives from the IdP (range is 1 to 900; default is
60). If the time difference exceeds this value, the validation (and thus authentication)
fails.
force multi-factor authentication in cloud (Cloud Authentication Service only) Enable force
multi-factor authentication in cloud if your IdP is configured to require users to log in
using multi-factor authentication.
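The clock-skew check and the access-domain matching rule described above, worked through in an added Python example that is not part of this help page or of PAN-OS; the assertion fragment, timestamps and domain names are constructed, and reading the compared timestamp from the assertion's IssueInstant is an assumption.

```python
"""Added example (not PAN-OS code): applies two checks the page describes to a message
from the IdP, using a constructed SAML assertion fragment:
  * Maximum Clock Skew (seconds): the difference between the firewall's clock and the
    message time may not exceed the setting (range 1 to 900, default 60) or validation fails;
  * access-domain attribute: an administrator with one configured access domain matches
    only the first (left-most) value; one with several access domains may match several.
Taking IssueInstant as the compared timestamp is an assumption. Signature validation
(Certificate Profile) is assumed to have passed before these checks run."""
from __future__ import annotations
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for messages from untrusted peers, prefer defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: an administrator assertion carrying a username and two access-domain values.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" IssueInstant="2021-10-06T12:00:00Z">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>admin1</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="access-domain">
      <saml:AttributeValue>branch-east</saml:AttributeValue>
      <saml:AttributeValue>branch-west</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def utc(stamp: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2021-10-06T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def within_clock_skew(issue_instant: str, firewall_now: datetime,
                      max_skew_seconds: int = 60) -> bool:
    """Validation passes only if |firewall time - IdP time| <= Maximum Clock Skew."""
    if not 1 <= max_skew_seconds <= 900:
        raise ValueError("Maximum Clock Skew (seconds) must be in the range 1 to 900")
    return abs((firewall_now - utc(issue_instant)).total_seconds()) <= max_skew_seconds


def attribute_values(assertion_xml: str, name: str) -> list[str]:
    """All values of the named SAML attribute, in document order (empty if absent)."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    return []


def match_access_domains(values: list[str], configured: set[str]) -> list[str]:
    """Page rule: an admin with exactly one local access domain is matched only against
    the first value; with more than one access domain, every value may match."""
    candidates = values[:1] if len(configured) == 1 else values
    return [v for v in candidates if v in configured]


def validate_admin_message(assertion_xml: str, firewall_now: datetime,
                           configured_domains: set[str], max_skew_seconds: int = 60) -> dict:
    """Run both checks. No access domains are granted when the skew check fails."""
    root = ET.fromstring(assertion_xml)
    skew_ok = within_clock_skew(root.get("IssueInstant", ""), firewall_now, max_skew_seconds)
    domains = []
    if skew_ok:
        domains = match_access_domains(attribute_values(assertion_xml, "access-domain"),
                                       configured_domains)
    return {"username": attribute_values(assertion_xml, "username"),
            "clock_skew_ok": skew_ok,
            "access_domains": domains}


if __name__ == "__main__":
    print(validate_admin_message(SAMPLE_ASSERTION, utc("2021-10-06T12:00:10Z"),
                                 {"branch-west", "hq"}))
```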
Factors Tab
Enable Additional Authentication Factors Select this option if you want the firewall to
invoke additional authentication factors (challenges) after users successfully respond to
the first factor (specified in the Type field on the Authentication tab).
Advanced Tab
Allow List Click Add and select all or select the specific users and groups that can
authenticate with this profile. When a user authenticates, the firewall matches
the associated username or group against the entries in this list. If you don’t add
entries, no users can authenticate.
Failed Attempts (All authentication types except SAML) Enter the number of failed successive
login attempts (0 to 10) that the firewall allows before locking out the user account. A value
of 0 specifies unlimited login attempts. The default value is 0 for firewalls in normal
operational mode and 10 for firewalls in FIPS-CC mode.
If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the
Failed Attempts is ignored and the user is never locked out.
Lockout Time (All authentication types except SAML) Enter the number of minutes (range is 0 to
60; default is 0) for which the firewall locks out a user account after the user reaches the
number of Failed Attempts. A value of 0 means the lockout applies until an administrator
manually unlocks the user account.
If you set the Lockout Time to a value other than 0 but leave the Failed Attempts at 0, the
Lockout Time is ignored and the user is never locked out.
Some of the metadata in the exported file derives from the SAML IdP server profile assigned
to the authentication profile (Device > Server Profiles > SAML Identity Provider). However,
the exported file always specifies POST as the HTTP binding method, regardless of the
method specified in the SAML IdP server profile. The IdP will use the POST method to send
SAML messages to the firewall or Panorama.
To export SAML metadata from an authentication profile, click the SAML Metadata link in the
Authentication column and complete the following fields. To import the metadata file into an IdP, refer to
your IdP documentation.
Commands Select the service for which you want to export SAML metadata:
• management (default)—Provides administrator access to the web
interface.
• authentication-portal—Provides end user access to network resources
through Authentication Portal.
• global-protect—Provides end user access to network resources through
GlobalProtect.
Your selection determines which other fields the dialog displays.
[Management | Authentication Portal | GlobalProtect] Auth Profile Enter the name of the
authentication profile from which you are exporting metadata. The default value is the profile
from which you opened the dialog by clicking the Metadata link.
Management Choice (Management only) Select an option for specifying an interface that is
enabled for management traffic (such as the MGT interface):
• Interface—Select the interface from the list of interfaces on the firewall.
• IP Hostname—Enter the IP address or hostname of the interface. If you enter a hostname, the
DNS server must have an address (A) record that maps to the IP address.
[Authentication Portal | GlobalProtect] Virtual System (Authentication Portal or GlobalProtect
only) Select the virtual system for which the Authentication Portal settings or GlobalProtect
portal are defined.
Configure an authentication sequence with multiple authentication profiles that use different
authentication methods. Configure at least two external authentication methods and one
local (internal) method so connectivity issues don’t prevent authentication. Make the
local authentication profile the last profile in the sequence so it’s only used if all external
authentication methods fail. (External authentication provides dedicated, reliable, centralized
authentication services, including logging and troubleshooting features.)
Name Enter a name to identify the sequence. The name is case-sensitive, can have
up to 31 characters, and can include only letters, numbers, spaces, hyphens,
underscores, and periods. The name must be unique in the current Location
(firewall or virtual system) relative to other authentication sequences and to
authentication profiles.
Location Select the scope in which the sequence is available. In the context of a
firewall that has more than one virtual system (vsys), select a vsys or select
Shared (all virtual systems). In any other context, you can’t select the
Location; its value is predefined as Shared (firewalls) or as Panorama. After
you save the sequence, you can’t change its Location.
Use domain to determine authentication profile Select this option (selected by default) if
you want the firewall to match the domain name that a user enters during login with the User
Domain or Kerberos Realm of an authentication profile associated with the sequence and then
use that profile to authenticate the user. The user input that the firewall uses for matching
can be the text preceding the username (with a backslash separator) or the text following the
username (with a @ separator). If the firewall does not find a match, it tries the
authentication profiles in the sequence in top-to-bottom order.
Authentication Profiles Click Add and select from the drop-down for each authentication profile you
want to add to the sequence. To change the list order, select a profile and
click Move Up or Move Down. To remove a profile, select it and click Delete.
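The domain matching in this sequence table and the User Domain / Username Modifier variables from the Authentication tab, modelled in an added Python example that is not part of this help page or of PAN-OS; the profile names, domains and logins are constructed, and case-insensitive domain comparison is an assumption of the model.

```python
"""Added example (not PAN-OS code): models how an authentication sequence selects an
authentication profile from the domain a user typed, and how that profile's User Domain
and Username Modifier rewrite the login string before it is sent to the server.
All profile names, domains and logins below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

USERINPUT = "%USERINPUT%"
USERDOMAIN = "%USERDOMAIN%"


@dataclass(frozen=True)
class AuthProfile:
    name: str
    auth_type: str                      # RADIUS, TACACS+, LDAP, Kerberos, Local Database, ...
    user_domain: str = ""               # User Domain field (blank by default)
    kerberos_realm: str = ""            # Kerberos Realm field (blank without Kerberos SSO)
    username_modifier: str = USERINPUT  # %USERINPUT% alone sends the input unmodified

    def modified_username(self, user_input: str) -> str:
        """Expand the Username Modifier variables exactly as the page lists them:
        %USERINPUT% (unmodified), %USERDOMAIN%\\%USERINPUT% (prepend the User Domain),
        %USERINPUT%@%USERDOMAIN% (append the User Domain)."""
        return (self.username_modifier
                .replace(USERDOMAIN, self.user_domain)
                .replace(USERINPUT, user_input))


def split_domain(user_input: str) -> tuple[Optional[str], str]:
    """Split the typed login into (domain, user): the domain is the text before a
    backslash or after an @, or None when the user typed no domain."""
    if "\\" in user_input:
        domain, user = user_input.split("\\", 1)
        return domain, user
    if "@" in user_input:
        user, domain = user_input.rsplit("@", 1)
        return domain, user
    return None, user_input


def select_profiles(sequence: list[AuthProfile], user_input: str,
                    use_domain: bool = True) -> list[AuthProfile]:
    """Return the profiles to try, in order.
    With 'Use domain to determine authentication profile' enabled, the typed domain is
    compared with each profile's User Domain or Kerberos Realm and the first profile
    that matches is the only one used. With no match (or no typed domain) the whole
    sequence is tried top to bottom. Case-insensitive comparison is an assumption."""
    domain, _ = split_domain(user_input)
    if use_domain and domain:
        for profile in sequence:
            candidates = {profile.user_domain.lower(), profile.kerberos_realm.lower()} - {""}
            if domain.lower() in candidates:
                return [profile]
    return list(sequence)


def resolve_login(sequence: list[AuthProfile], user_input: str,
                  use_domain: bool = True) -> list[tuple[str, str]]:
    """Pair each profile that will be tried with the username string it would send."""
    return [(p.name, p.modified_username(user_input))
            for p in select_profiles(sequence, user_input, use_domain)]


# Constructed sequence: two external methods first, the local database last as fallback.
SEQUENCE = [
    AuthProfile("corp-ldap", "LDAP", user_domain="corp",
                username_modifier="%USERINPUT%@%USERDOMAIN%"),
    AuthProfile("corp-krb", "Kerberos", user_domain="corp", kerberos_realm="EXAMPLE.LOCAL",
                username_modifier="%USERDOMAIN%\\%USERINPUT%"),
    AuthProfile("local-fallback", "Local Database"),
]

if __name__ == "__main__":
    for login in ("alice@EXAMPLE.LOCAL", "corp\\bob", "carol"):
        print(login, "->", resolve_login(SEQUENCE, login))
```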
Add or delete data redistribution agents. Device > Data Redistribution > Agents
View information on data redistribution clients. Device > Data Redistribution > Clients
Configure the data redistribution agent collector name and pre-shared key. Device > Data
Redistribution > Collector Settings
Define the subnetworks that the data redistribution agent includes or excludes when
redistributing data. Device > Data Redistribution > Include/Exclude Networks
Add an Agent Using Select how you want to add the data redistribution agent:
• Serial Number—Select this option and then select the Serial Number.
• Host and Port—Select this option and enter the following
host and port information:
• Host—Enter the hostname.
• LDAP Proxy—Select this option to use the host as an
LDAP proxy.
• Port—Enter the port number where the agent listens for
requests.
• Collector Name—Enter the Collector Name and Pre-
Shared Key that identify the firewall or virtual system as
a User-ID agent.
Data type Select the type of data that you want to redistribute (IP User
Mappings, IP Tags, User Tags, HIP, or Quarantine List).
After you configure a data redistribution agent, you can view the following information for the
redistribution agent:
Collector Pre-Shared Key / Confirm Collector Pre-Shared Key Enter and confirm the Pre-Shared
Key (up to 255 alphanumeric characters) for the collector.
Task Description
Add To limit discovery to a specific subnetwork, Add a subnetwork profile and complete
the following fields:
• Name—Enter a name to identify the subnetwork.
• Enabled—Select this option to enable inclusion or exclusion of the subnetwork for
server monitoring.
• Discovery—Select whether the User-ID agent will Include or Exclude the
subnetwork.
• Network Address—Enter the IP address range of the subnetwork.
The agent applies an implicit exclude all rule to the list. For example, if you add
subnetwork 10.0.0.0/8 with the Include option, the agent excludes all other
subnetworks even if you don’t add them to the list. Add entries with the Exclude
option only if you want the agent to exclude a subset of the subnetworks you
explicitly included. For example, if you add 10.0.0.0/8 with the Include option and add
10.2.50.0/22 with the Exclude option, the User-ID agent will perform discovery on all
the subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and will exclude all subnetworks
outside of 10.0.0.0/8. If you add Exclude profiles without adding any Include profiles,
the agent excludes all subnetworks, not just the ones you added.
Delete To remove a subnetwork from the list, select and Delete it.
Tip: To remove a subnetwork from the Include/Exclude Networks list without deleting
its configuration, edit the subnetwork profile and clear Enabled.
Custom Include/Exclude Network Sequence By default, the agent evaluates the subnetworks in the
order you add them, from top-first to bottom-last. To change the evaluation order, click
Custom Include/Exclude Network Sequence. You can then Add, Delete, Move Up, or Move Down the
subnetworks to create a custom evaluation order.
The Host ID displays in the GlobalProtect logs automatically. For the Host ID to display
in the Traffic, Threat, or Unified logs, the firewall must have at least one security policy
rule with the Source Device set to Quarantine. Without this setting in the security policy,
Traffic, Threat or Unified logs will not have the Host ID, and the log forwarding profile will
not take effect.
• The device was added to the quarantine list using an API.
• The firewall received the quarantine list as a part of redistributed entry (the quarantine list was
redistributed from another Panorama appliance or firewall).
The Device Quarantine table includes the following fields.
Field Description
Reason The reason that the device is quarantined. A reason of Admin Add means
that an administrator manually added the device to the table.
Time Stamp The time that the administrator or Security policy rule added the device
to the quarantine list.
Source Device/App The IP address of the Panorama, firewall, or third-party app that added
the device to the quarantine list.
Serial Number (Optional) The serial number of the quarantined device (if available).
User Name (Optional) The username of the GlobalProtect client user who was logged
in to the device when it was quarantined.
When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use
Dynamic Address Groups instead of using VM Information Sources to learn about changes
in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager
provides Panorama with information on the NSX security group to which an IP address
belongs. The information from the NSX Manager provides the full context for defining the
match criteria in a Dynamic Address Group because it uses the service profile ID as a
distinguishing attribute and allows you to properly enforce policy when you have overlapping
IP addresses across different NSX security groups.
You can register up to a maximum of 32 tags to an IP address.
Each VM on a monitored ESXi or vCenter server must have VMware Tools installed and
running. VMware Tools provide the ability to collect the IP address and other values
assigned to each VM.
To collect the values assigned to the monitored VMs, the firewall monitors the attributes in the following
tables.
VMware ESXi and vCenter Server
• UUID
• Name
• Guest OS
• Annotation
• VM State—the power state can be poweredOff, poweredOn, standBy, or unknown.
AWS-VPC
• Architecture
• Guest OS
• Image ID
• Instance ID
• Instance State
• Instance Type
• Key Name
• Placement—Tenancy, Group Name, and Availability Zone
• Private DNS Name
• Public DNS Name
• Subnet ID
• Tag (key, value); up to 18 tags supported per instance
• VPC ID
Google Compute Engine
• Hostname of the VM
• Machine type
• Project ID
• Source (OS type)
• Status
• Subnetwork
• VPC Network
• Zone
Add—Add a new source for VM Monitoring and fill in the details based on the source you are monitoring:
• For VMware ESXi or vCenter Server, see Settings to Enable VM Information Sources for VMware ESXi
and vCenter Servers.
• For AWS-VPC, see Settings to Enable VM Information Sources for AWS VPC.
• For Google Compute Engine (GCE), see Settings to Enable VM Information Sources for Google Compute
Engine.
Refresh Connected—Refreshes the connection status in the on-screen display; this does not refresh the
connection between the firewall and the monitored sources.
Delete—Deletes any configured VM Information source that you select.
PDF/CSV—Exports the VM Information source configuration table as a PDF or comma-separated values
(CSV) file. See Configuration Table Export.
To retrieve the tags for the virtual machines, the firewall requires an account with read-only
access on the VMware ESXi and vCenter servers.
Name Enter a name to identify the monitored source (up to 31 characters). The
name is case-sensitive and must be unique. Use only letters, numbers,
spaces, hyphens, and underscores.
Description (Optional) Add a label to identify the location or function of the source.
Port Specify the port on which the host/source is listening (default port 443).
Enabled By default the communication between the firewall and the configured
source is enabled.
The connection status between the monitored source and the firewall
displays in the interface as follows:
• Connected
• Disconnected
• Pending; the connection status also displays as yellow when the
monitored source is disabled.
Clear the Enabled option to disable communication between the host and
the firewall.
Timeout Enter the interval in hours after which the connection to the monitored
source is closed, if the host does not respond (range is 2–10; default is 2).
(Optional) To change the default value, Enable timeout when the source is
disconnected and specify a value. When the specified limit is reached, if the
host is inaccessible, or if the host does not respond, the firewall will close
the connection to the source.
Source Enter the FQDN or the IP address of the host/source being monitored.
Update Interval Specify the interval, in seconds, at which the firewall retrieves information
from the source (range is 5–600; default is 5).
Name Enter a name to identify the monitored source (up to 31 characters). The
name is case-sensitive and must be unique. Use only letters, numbers,
spaces, hyphens, and underscores.
Description (Optional) Add a label to identify the location or function of the source.
Enabled By default the communication between the firewall and the configured
source is enabled.
The connection status between the monitored source and the firewall
displays in the interface as follows:
• Connected
• Disconnected
• Pending; the connection status also displays as yellow when the
monitored source is disabled.
Clear the Enabled option to disable communication between the host and
the firewall.
Source Add the URI in which the Virtual Private Cloud resides. For example,
ec2.us-west-1.amazonaws.com
The syntax is: ec2.<your_AWS_region>.amazonaws.com; for AWS China
it is: ec2.<AWS_region>.amazonaws.com.cn
Access Key ID Enter the alphanumeric text string that uniquely identifies the user who
owns or is authorized to access the AWS account.
This information is a part of the AWS Security Credentials. The firewall
requires the credentials—Access Key ID and the Secret Access Key—to
digitally sign API calls made to the AWS services.
Secret Access Key Enter the password and confirm your entry.
Update Interval Specify the interval, in seconds, at which the firewall retrieves
information from the source (range is 60 to 1,200; default is 60).
Timeout The interval in hours after which the connection to the monitored source
is closed if the host does not respond (default is 2).
(Optional) Enable timeout when the source is disconnected. When the
specified limit is reached, if the source is inaccessible, or if the source
does not respond, the firewall will close the connection to the source.
Enabled The communication between the firewall and the configured source
is enabled by default.
The connection status between the monitored source and the
firewall displays in the interface as follows:
• Connected
• Disconnected
• Pending, or the monitored source is disabled.
Clear the Enabled option to disable communication between the
configured source and the firewall.
When you disable communication, all the registered IP addresses and
tags are removed from the associated dynamic address group. This
means that policy rules will no longer apply to the GCE instances from
this Google Cloud Project.
Service Account Credential (Only for Service Account) Upload the JSON file with the credentials
for the service account. This file allows the firewall to authenticate to
the instance and authorizes access to the metadata.
You can create an account on the Google Cloud console (IAM &
admin > Service Accounts). Refer to the Google documentation
for information on how to create an account, add a key to it, and
download the JSON file that you need to upload to the firewall.
Project ID Enter the alphanumeric text string that uniquely identifies the Google
Cloud Project that you want to monitor.
Update Interval Specify the interval (in seconds) at which the firewall retrieves
information from the source (range is 60 to 1,200; default is 60).
Timeout The interval (in hours) after which the connection to the monitored
source is closed if the host does not respond (default is 2).
(Optional) Enable timeout when the source is disconnected. When
the specified limit is reached, if the source is inaccessible or does not
respond, the firewall will close the connection to the source. When
the source is disconnected, all the IP addresses and tags that were
registered from this project are removed from the dynamic address
group.
Field Description
Test Configuration
(Panorama only) Select device Select device/VSYS to specify the devices and virtual systems
on which to test the policy functionality. Admin and device group & Template users are
presented with the devices and virtual systems based on their access domain. Additionally,
you can select the Panorama management server as a device.
(Panorama only) Selected Devices Lists the devices and virtual systems selected for testing.
Destination Port Enter the specific destination port for which traffic is intended.
Source User Enter the user from which the traffic originated.
Show all potential match rules until first allow rule Enable this option to show all potential
rule matches until the first matched rule result. Disable (clear) to return only the first
matched rule in the test results.
(Firewall only) Check HIP mask Select to check the security status of the end device that is accessing
your network.
Field Description
Test Configuration
(Panorama only) Select device Select device/VSYS to specify the devices and virtual systems
on which to test the policy functionality. Admin and device group & Template users are
presented with the devices and virtual systems based on their access domain. Additionally,
you can select the Panorama management server as a device.
(Panorama only) Selected Devices Lists the devices and virtual systems selected for testing.
Destination Port Enter the specific destination port for which traffic is intended.
Source User Select the user from which the traffic originated.
Codepoint Type Select the type of codepoint encoding you want to test.
Field Description
Test Configuration
(Panorama only) Select device Select device/VSYS to specify the devices and virtual systems
on which to test the policy functionality. Admin and device group & Template users are
presented with the devices and virtual systems based on their access domain. Additionally,
you can select the Panorama management server as a device.
(Panorama only) Selected Devices Lists the devices and virtual systems selected for testing.
Source Port Enter the specific port the traffic originated from.
Destination Port Enter the specific destination port for which traffic is intended.
To Interface Enter the destination interface on the device for which the traffic is
intended.
Field Description
Test Configuration
(Panorama only) Select device Select device/VSYS to specify which devices and virtual systems
for which to test the policy functionality. Admin and device group &
Template users are presented with the devices and virtual systems
based on their access domain. Additionally, you can select the
Panorama management server as a device.
(Panorama only) Selected Devices Lists the devices and virtual systems selected for testing.
From Interface Enter the interface on the device from which the traffic originated.
Destination Port Enter the specific destination port for which traffic is intended.
Source User Enter the user from which the traffic originated.
Field Description
Test Configuration
(Panorama only) Select device Select device/VSYS to specify which devices and virtual systems
for which to test the policy functionality. Admin and device group &
Template users are presented with the devices and virtual systems
based on their access domain. Additionally, you can select the
Panorama management server as a device.
(Panorama only) Selected Devices Lists the devices and virtual systems selected for testing.
From Interface Enter the interface on the device from which the traffic originated.
To Interface Enter the destination interface on the device for which the traffic is
intended.
Destination Port Enter the specific destination port for which traffic is intended.
Source User Enter the user from which the traffic originated.
Routing
Field Description
(Panorama only) Select device Select device/VSYS to specify which devices and virtual systems
for which to test the policy functionality. Admin and device group &
Template users are presented with the devices and virtual systems
based on their access domain. Additionally, you can select the
Panorama management server as a device.
(Panorama only) Selected Devices Lists the devices and virtual systems selected for testing.
FIB Lookup, MFIB Lookup Select one of the following for Lookup:
• FIB—Perform a unicast route lookup in the active route table.
• MFIB—Perform a multicast route lookup in the active route table.
Virtual Router Select from the drop-down the specific virtual router within which the
routing test is performed.
ECMP
Source IP Enter the specific IP address from which the traffic originated.
Source Port Enter the specific port from which the traffic originated.
Destination IP Enter the specific IP address for which the traffic is intended.
Destination Port Enter the specific destination port for which the traffic is intended.
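What the FIB Lookup test does with the 5-tuple you enter, as an added Python illustration (not PAN-OS code): a longest-prefix match against a constructed route table for one virtual router, followed, when ECMP is enabled, by selecting one of the equal-cost next hops from the flow tuple. The route table, next-hop addresses, interface names and the hash used to pick an ECMP path are all assumptions made for the example.

```python
"""Longest-prefix FIB lookup with ECMP path selection, modelling what the
Routing troubleshooting test (FIB Lookup with the ECMP option) reports for a
virtual router and a 5-tuple. Added illustration, not PAN-OS code: the route
table below is constructed, and the flow hash is a stand-in for the firewall's
own ECMP algorithm."""
import hashlib
import ipaddress
from typing import Dict, List, Tuple

# (prefix, next hop, egress interface)
Route = Tuple[ipaddress.IPv4Network, str, str]

# Constructed route table for one virtual router: two equal-cost default
# routes plus two more-specific internal prefixes.
VR_DEFAULT: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "ethernet1/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.129", "ethernet1/2"),
    (ipaddress.ip_network("10.0.0.0/8"), "10.255.0.1", "ethernet1/3"),
    (ipaddress.ip_network("10.1.0.0/16"), "10.255.0.2", "ethernet1/4"),
]


def fib_lookup(table: List[Route], dst_ip: str) -> List[Route]:
    """Return every route that shares the longest prefix containing dst_ip.
    More than one entry means the destination is reachable over equal-cost paths."""
    addr = ipaddress.ip_address(dst_ip)
    best: List[Route] = []
    best_len = -1
    for route in table:
        prefix = route[0]
        if addr not in prefix:
            continue
        if prefix.prefixlen > best_len:
            best_len, best = prefix.prefixlen, [route]
        elif prefix.prefixlen == best_len:
            best.append(route)
    return best


def ecmp_select(candidates: List[Route], src_ip: str, src_port: int,
                dst_ip: str, dst_port: int, protocol: str = "tcp") -> Route:
    """Pick one equal-cost path from the flow tuple so every packet of a session
    takes the same path. The hash of the tuple is constructed for this example."""
    key = f"{protocol}:{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
    digest = hashlib.sha256(key).digest()
    return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]


def routing_test(table: List[Route], src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int, ecmp: bool = True) -> Dict[str, object]:
    """What the test reports: the matched prefix, the chosen next hop and egress
    interface, and how many equal-cost paths the destination has."""
    candidates = fib_lookup(table, dst_ip)
    if not candidates:
        return {"result": "no route", "ecmp_paths": 0}
    if ecmp:
        chosen = ecmp_select(candidates, src_ip, src_port, dst_ip, dst_port)
    else:
        chosen = candidates[0]
    return {
        "result": "ok",
        "prefix": str(chosen[0]),
        "next_hop": chosen[1],
        "interface": chosen[2],
        "ecmp_paths": len(candidates),
    }


if __name__ == "__main__":
    print(routing_test(VR_DEFAULT, "10.1.2.3", 40000, "10.1.9.9", 443))
    print(routing_test(VR_DEFAULT, "10.1.2.3", 40000, "198.51.100.7", 443))
```

The second call in the usage above hits the two default routes; with ECMP the path chosen depends only on the flow tuple, so repeating the test for the same source and destination ports returns the same next hop.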
Test Wildfire
Field Description
(Panorama only) Select device Select device/VSYS to specify which devices and virtual systems
for which to test the policy functionality. Admin and device group &
Template users are presented with the devices and virtual systems
based on their access domain. Additionally, you can select the
Panorama management server as a device.
(Panorama only) Selected Devices Lists the devices and virtual systems selected for testing.
Threat Vault
Field Description
(Panorama only) Select device Select device/VSYS to specify which devices and virtual systems
for which to test the policy functionality. Admin and device group &
Template users are presented with the devices and virtual systems
based on their access domain.
(Panorama only) Selected Devices Lists the devices and virtual systems selected for testing.
Ping
The ping troubleshooting test is only supported on firewalls running PAN-OS 9.0 or later releases.
Field Description
(Panorama only) Select device Select device/VSYS to specify which devices and virtual systems
for which to test the policy functionality. Admin and device group &
Template users are presented with the devices and virtual systems
based on their access domain. Additionally, you can select the
Panorama management server as a device.
(Panorama only) Selected Devices Lists the devices and virtual systems selected for testing.
Bypass routing table, use specified interface Enable this option to bypass the routing table
and send the echo requests out of the interface you specify. Disable (clear) this option to
test the configured routing table.
Don’t fragment echo request packets (IPv4) Enable this option to set the “don’t fragment” bit
so that the echo request packets are not fragmented for the test. Disable
Don’t attempt to print addresses symbolically Enable this option to display IP addresses in
the test results instead of resolving them to hostnames. Disable (clear) to resolve IP
addresses to hostnames.
Size Enter the size, in bytes, of the request packets (range is 0 to 65468).
Display detailed output Enable to display detailed output of the test results.
Trace Route
Field Description
(Panorama only) Select device Select device/VSYS to specify which devices and virtual systems
for which to test the policy functionality. Admin and device group &
Template users are presented with the devices and virtual systems
based on their access domain. Additionally, you can select the
Panorama management server as a device.
(Panorama only) Selected Devices Lists the devices and virtual systems selected for testing.
Use IPv4 Enable to use the IPv4 address of the selected devices.
Use IPv6 Enable to use the IPv6 address of the selected devices.
First TTL Enter the time-to-live used in the first outgoing probe packet (range is
1 to 255).
Set the “don’t fragment” bit Enable this option to set the DF bit on the probe packets so
that a hop that cannot support the configured maximum transmission unit (MTU) drops them
and returns an ICMP error instead of fragmenting them into multiple packets.
Enable socket level debugging Enable this option to debug at the socket level.
Don’t attempt to print addresses symbolically Enable this option to display IP addresses in
the test results instead of resolving them to hostnames. Disable (clear) to resolve IP
addresses to hostnames.
Bypass routing tables and send directly to a host Enable this option to bypass any
configured routing tables and send the probes directly to the host.
Field Description
(Panorama only) Select device Select device/VSYS to specify which devices and virtual systems
for which to test the policy functionality. Admin and device group &
Template users are presented with the devices and virtual systems
based on their access domain. Additionally, you can select the
Panorama management server as a device.
(Panorama only) Selected Devices Lists the devices and virtual systems that have been selected
for testing.
Update Server
Field Description
PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls support multiple virtual
systems. However, PA-3200 Series firewalls require a license for enabling multiple virtual
systems. The PA-220 and PA-800 Series firewalls do not support multiple virtual systems.
Before enabling multiple virtual systems, consider the following:
• A vsys administrator creates and manages all items needed for Security policy per assigned virtual
system.
• Zones are objects within a vsys. Before defining a policy or policy object, select the appropriate Virtual
System from the drop-down on the Policies or Objects tab.
• You can set remote logging destinations (SNMP, syslog, and email), applications, services, and profiles to
be available to all virtual systems (shared) or to a single vsys.
• If you have multiple virtual systems, you can select a vsys as a User-ID hub to share the IP address-to-
username mapping information between virtual systems.
• You can configure globally (to all virtual systems on a firewall) or vsys-specific service routes (Device >
Setup > Services).
• You can rename a vsys only on the local firewall. On Panorama, renaming a vsys is not supported. If you
rename a vsys on Panorama, the result is an entirely new vsys or the new vsys name gets mapped to the
wrong vsys on the firewall.
Before defining a vsys, you must first enable the multi-vsys functionality on the firewall. Select Device >
Setup > Management, edit the General Settings, select Multi Virtual System Capability, and click OK. This
adds a Device > Virtual Systems page. Select the page, Add a vsys, and specify the following information.
ID Enter an integer identifier for the vsys. Refer to the data sheet for your firewall
model for information on the number of supported virtual systems.
Name Enter a name (up to 31 characters) to identify the vsys. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Allow Forwarding of Decrypted Content Select this option to allow the virtual system to
forward decrypted content to an outside service when port mirroring or sending WildFire
files for analysis. See also Decryption Port Mirroring.
General Tab Select a DNS Proxy object if you want to apply DNS proxy rules to this vsys.
(Network > DNS Proxy).
To include objects of a particular type, select that type (interface, VLAN, virtual wire,
virtual router, or visible virtual system), Add an object, and select the object from
the drop-down. You can add one or more objects of any type. To remove an object,
select and Delete it.
Resource Tab Specify the following resource limits allowed for this vsys. Each field displays the
valid range of values, which varies per firewall model. The default setting is 0, which
means the limit for the vsys is the limit for the firewall model. However, the limit
for a specific setting isn’t replicated for each vsys. For example, if a firewall has four
virtual systems, each virtual system can’t have the total number of Decryption Rules
allowed per firewall. After the total number of Decryption Rules for all of the virtual
systems reaches the firewall limit, you cannot add more.
• Sessions Limit—Maximum number of sessions.
Name Enter a name for the shared gateway (up to 31 characters). The name is
case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores. Only the name is required.
DNS Proxy (Optional) If a DNS proxy is configured, select which DNS server(s) to use
for domain name queries.
For more information on how to implement certificates on the firewall and Panorama, refer to
Certificate Management .
After a certificate is generated, the page displays Other Supported Actions to Manage
Certificates.
SCEP Profile (SCEP certificates only) Select a SCEP Profile to define how the firewall or
Panorama communicates with a SCEP server and to define settings for the
SCEP certificate. For details, see Device > Certificate Management > SCEP.
You can configure a firewall that serves as a GlobalProtect portal to request
SCEP certificates on demand and automatically deploy the certificates to
endpoints.
The remaining fields in the Generate Certificate dialog do not apply to SCEP
certificates. After specifying the Certificate Name and SCEP Profile, click
Generate.
Common Name (Required) Enter the IP address or FQDN that will appear on the certificate.
Shared On a firewall that has more than one virtual system (vsys), select Shared if
you want the certificate to be available to every vsys.
Signed By To sign the certificate, you can use a certificate authority (CA) certificate
that you imported into the firewall. The certificate can also be self-signed,
in which case the firewall is the CA. If you are using Panorama, you also
have the option of generating a self-signed certificate for Panorama.
If you imported CA certificates or issued any on the firewall (self-signed),
the drop-down includes the CAs available to sign the certificate that you
are creating.
To generate a certificate signing request (CSR), select External Authority
(CSR). After the firewall generates the certificate and the key pair, you can
export the CSR and send it to the CA for signing.
Certificate Authority Select this option if you want the firewall to issue the certificate.
Marking this certificate as a CA allows you to use this certificate to sign
other certificates on the firewall.
Block Private Key Export When you generate a certificate, select this option to block all
administrators, including Superusers, from exporting the private key.
OCSP Responder Select an OCSP responder profile from the drop-down (see Device >
Certificate Management > OCSP Responder). The corresponding host name
appears in the certificate.
Algorithm Select a key generation algorithm for the certificate: RSA or Elliptic Curve
DSA (ECDSA).
ECDSA uses much smaller keys than RSA for the same security level (a P-256
key is roughly comparable to a 3072-bit RSA key), so it reduces the cost of
processing SSL/TLS connections while providing equal or greater security.
ECDSA is recommended for client browsers and operating systems that
support it, but you may be required to select RSA for compatibility with
legacy browsers and operating systems.
You cannot use a hardware security module (HSM) to store private ECDSA
keys used for SSL Forward Proxy or Inbound Inspection decryption.
Digest Select the Digest algorithm for the certificate. The available options depend
on the key generation Algorithm:
• RSA—MD5, SHA1, SHA256, SHA384, or SHA512
• Elliptic Curve DSA—SHA256 or SHA384
MD5 and SHA1 are listed only for legacy compatibility: both are broken
against collision attacks, and modern browsers and operating systems reject
certificates signed with them, so select SHA256 or stronger for any new
certificate.
If the firewall is in FIPS-CC mode and the key generation Algorithm is RSA,
you must select SHA256, SHA384, or SHA512 as the Digest algorithm. If
the Algorithm is Elliptic Curve DSA, both Digest algorithms (SHA256 and
SHA384) work.
Expiration (days) Specify the number of days (default is 365) that the certificate will be valid.
Certificate Attributes Add additional Certificate Attributes to identify the entity to which you
are issuing the certificate. You can add any of the following attributes:
If you configured a hardware security module (HSM), the private keys are stored on the
external HSM storage, not on the firewall.
Revoke Select the certificate that you want to revoke, and click Revoke. The
certificate will be instantly set to revoked status. No commit is required.
Export Select the certificate you want to export, click Export, and select a File
Format:
• Encrypted Private Key and Certificate (PKCS12)—The exported file will
contain both the certificate and private key.
• Base64 Encoded Certificate (PEM)—If you want to export the private
key also, select Export Private Key and enter a Passphrase and Confirm
Passphrase.
• Binary Encoded Certificate (DER)—You can export only the certificate,
not the key: ignore Export Private Key and passphrase fields.
Import HA Key, Export HA Key The HA keys must be swapped across both firewall peers; that is,
the key from firewall 1 must be exported and then imported into firewall 2,
and vice versa.
To import keys for high availability (HA), click Import HA Key and Browse
to specify the key file for import.
To export keys for HA, click Export HA Key and specify a location to save
the file.
Define the usage of the certificate In the Name column, select the certificate and then
select options appropriate for how you plan to use the certificate.
PDF/CSV Administrative roles with a minimum of read-only access can export the
managed certificate configuration table as PDF/CSV. You can apply filters
to create more specific table configuration outputs for things such as
Disable Select the CA and Disable it. You might use this option to trust only
specific CAs or to disable all other CAs and trust only your local CA.
Export Select and Export the CA certificate. You can import into another system
or view the certificate offline.
Location Select the scope in which the profile is available. In the context of
a firewall that has more than one virtual system (vsys), select a vsys
or select Shared (all virtual systems). In any other context, you can’t
select the Location; its value is predefined as Shared (firewalls) or as
Panorama. After you save the profile, you can’t change its Location.
Username Field If GlobalProtect only uses certificates for portal and gateway
authentication, the PAN-OS software uses the certificate field you
select in the Username Field drop-down as the username and matches
it to the IP address for the User-ID service:
• Subject—The common name.
• Subject Alt—The Email or Principal Name.
• None—Typically for GlobalProtect device or pre-login
authentication.
Domain Enter the NetBIOS domain so the PAN-OS software can map users
through User-ID.
Use CRL Select this option to use a certificate revocation list (CRL) to verify the
revocation status of certificates.
Use OCSP Select this option to use OCSP to verify the revocation status of
certificates.
CRL Receive Timeout Specify the interval (1 to 60 seconds) after which the firewall stops
waiting for a response from the CRL service.
OCSP Receive Timeout Specify the interval (1 to 60 seconds) after which the firewall stops
waiting for a response from the OCSP responder.
Certificate Status Timeout Specify the interval (1 to 60 seconds) after which the firewall stops
waiting for a response from any certificate status service and applies
any session blocking logic you define.
Block session if certificate status is unknown Select this option if you want the firewall
to block sessions when the OCSP or CRL service returns a certificate revocation status of
unknown. Otherwise, the firewall proceeds with the sessions.
Block sessions if certificate status cannot be retrieved within timeout Select this option if
you want the firewall to block sessions after it registers an OCSP or CRL request timeout.
Otherwise, the firewall proceeds with the sessions.
With both Block options cleared, a revocation check that fails or times out is treated as
if the certificate were valid (fail open); enable them for profiles that protect
administrative or GlobalProtect access, and size the timeouts so that a slow responder
does not become a denial of service.
Block sessions if the certificate was not issued to the authenticating device (GlobalProtect
only) Select this option if you want the firewall to block sessions when the serial number
attribute in the subject of the client certificate does not match the host ID that the
GlobalProtect app reports for the endpoint. Otherwise, the firewall allows the sessions.
This option applies only to GlobalProtect certificate authentication.
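How the timeouts and the Block options of a certificate profile combine, as an added Python model (not Palo Alto Networks code): the CRL and OCSP services are simulated by callables that return a revocation status and how long the reply took, querying OCSP before falling back to CRL is an assumption about the firewall's order, and the result is the allow or block decision the profile would produce for the session.

```python
"""Model of the session decision that a PAN-OS certificate profile's revocation
settings (Use CRL, Use OCSP, the receive/status timeouts and the two Block
options) produce. Added illustration, not Palo Alto Networks code: the CRL and
OCSP services are simulated by callables, and querying OCSP before falling back
to CRL is an assumption about order."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

GOOD, REVOKED, UNKNOWN, TIMEOUT, NOT_CHECKED = (
    "good", "revoked", "unknown", "timeout", "not-checked")

# A simulated revocation service: serial number -> (status, seconds it took).
Lookup = Callable[[str], Tuple[str, float]]


@dataclass
class CertificateProfile:
    use_crl: bool = True
    use_ocsp: bool = True
    crl_receive_timeout: int = 5            # seconds, 1-60
    ocsp_receive_timeout: int = 5           # seconds, 1-60
    certificate_status_timeout: int = 5     # seconds, 1-60, overall budget
    block_if_status_unknown: bool = False
    block_if_not_retrieved_in_time: bool = False

    def __post_init__(self) -> None:
        for name in ("crl_receive_timeout", "ocsp_receive_timeout",
                     "certificate_status_timeout"):
            if not 1 <= getattr(self, name) <= 60:
                raise ValueError(f"{name} must be between 1 and 60 seconds")


def check_revocation(profile: CertificateProfile, serial: str,
                     ocsp: Optional[Lookup] = None,
                     crl: Optional[Lookup] = None) -> str:
    """Ask the enabled services in turn and return GOOD, REVOKED, UNKNOWN or
    TIMEOUT; NOT_CHECKED when the profile enables neither service."""
    services: List[Tuple[Lookup, int]] = []
    if profile.use_ocsp and ocsp is not None:
        services.append((ocsp, profile.ocsp_receive_timeout))
    if profile.use_crl and crl is not None:
        services.append((crl, profile.crl_receive_timeout))
    if not services:
        return NOT_CHECKED

    budget = float(profile.certificate_status_timeout)
    seen: List[str] = []
    for lookup, receive_timeout in services:
        if budget <= 0:                       # status timeout already spent
            seen.append(TIMEOUT)
            break
        status, took = lookup(serial)
        # A reply slower than the service's own timeout, or than what is left
        # of the overall status budget, counts as not retrieved.
        if took > min(receive_timeout, budget):
            status = TIMEOUT
        budget -= min(took, budget)
        if status in (GOOD, REVOKED):
            return status                     # definitive answer, stop here
        seen.append(status)                   # UNKNOWN or TIMEOUT: try the next
    return UNKNOWN if UNKNOWN in seen else TIMEOUT


def session_decision(profile: CertificateProfile, status: str) -> str:
    """Apply the profile's Block options to a revocation status."""
    if status == REVOKED:
        return "block"
    if status == UNKNOWN:
        return "block" if profile.block_if_status_unknown else "allow"
    if status == TIMEOUT:
        return "block" if profile.block_if_not_retrieved_in_time else "allow"
    return "allow"                            # GOOD or NOT_CHECKED


if __name__ == "__main__":
    strict = CertificateProfile(block_if_status_unknown=True,
                                block_if_not_retrieved_in_time=True)
    slow = lambda serial: (GOOD, 30.0)        # responder answers far too late
    status = check_revocation(strict, "1A2B", ocsp=slow, crl=slow)
    print(status, session_decision(strict, status))
```

With the default profile the same slow responder produces an allow, which is the fail-open behaviour the two Block options exist to turn off.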
Enable an OCSP responder so that if a certificate was revoked, you are notified and can take
appropriate action to establish a secure connection to the portal and gateways.
Location Select the scope in which the responder is available. In the context
of a firewall that has more than one virtual system (vsys), select a
vsys or select Shared (all virtual systems). In any other context, you
can’t select the Location; its value is predefined as Shared. After
you save the responder, you can’t change its Location.
Host Name Enter the host name (recommended) or IP address of the OCSP
responder. From this value, PAN-OS automatically derives a URL
and adds it to the certificate being verified. If you configure the
firewall as an OCSP responder, the host name must resolve to an
IP address in the interface that the firewall uses for OCSP services.
In the client systems that request firewall or Panorama services, the certificate trust list (CTL)
must include the certificate authority (CA) certificate that issued the certificate specified in
the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting
the services. Most third-party CA certificates are present by default in client browsers. If
an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA
certificate to the CTL in client browsers.
To add a profile, click Add and complete the fields in the following table.
Shared If the firewall has more than one virtual system (vsys), selecting this
option makes the profile available on all virtual systems. By default,
this option is cleared and the profile is available only for the vsys
selected in the Device tab, Location drop-down.
Min Version, Max Version Select the earliest (Min Version) and latest (Max Version) version
of TLS that services can use: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3, or Max (the latest
available version). TLSv1.0 and TLSv1.1 are deprecated (RFC 8996), so set Min Version to
TLSv1.2 unless a legacy client you must support cannot negotiate it.
On firewalls in FIPS/CC mode running PAN-OS 8.0 or
a later release, TLSv1.1 is the earliest supported TLS
version; do not select TLSv1.0.
Client certificates that are used when requesting firewall
services that rely on TLSv1.2 cannot have SHA512 as a
digest algorithm. The client certificates must use a lower
digest algorithm (such as SHA384) or you must limit the
Max Version to TLSv1.1 for the services.
For more information on how to create a SCEP profile, refer to Deploying Certificates Using
SCEP.
To start a new SCEP configuration, click Add and then complete the following fields.
Location Select a Location for the profile if the system has multiple virtual systems.
The location identifies where the SCEP configuration is available.
SCEP Challenge (Optional) To make SCEP-based certificate generation more secure, you
can configure a SCEP challenge-response mechanism (a one-time password
(OTP)) between the public key infrastructure (PKI) and the portal for each
certificate request.
The challenge mechanism that you select determines the source of the
OTP. If you select Fixed, copy the enrollment challenge password from the
SCEP server for the PKI and enter the string in the portal’s Password dialog
that displays when configured as Fixed. Each time the portal requests a
certificate, it uses this password to authenticate with the PKI. If you select
Dynamic, you enter the username and password of your choice (possibly
the credentials of the PKI administrator) and the SCEP Server URL where
the portal-client submits these credentials. This username and password
remains the same while the SCEP server transparently generates an OTP
password for the portal upon each certificate request. (You can see this
OTP change after a screen refresh in “The enrollment challenge password
is” field upon each certificate request.) The PKI transparently passes each
new password to the portal, which then uses the password for its certificate
request.
Configuration
Server URL Enter the URL at which the portal requests and receives client certificates
from the SCEP server. Example:
http://<hostname or IP>/certsrv/mscep/.
CA-IDENT Name Enter a string to identify the SCEP server. Maximum length is 255
characters.
Subject Configure the Subject to include identifying information about the device
and optionally user and provide this information in the certificate signing
request (CSR) to the SCEP server.
When used to request client certificates for endpoints, the endpoint sends
identifying information about the device that includes its host ID value.
The host ID value varies by device type: the GUID (Windows), the MAC
address of the interface (Mac), the Android ID (Android devices), the UDID
(iOS devices), or a unique name that GlobalProtect assigns (Chrome). When
used to request certificates for satellite devices, the host ID value is the
device serial number.
To specify additional information in the CSR, enter the Subject name. The
subject must be a distinguished name in the <attribute>=<value> format
and must include the common name (CN) key. For example:
O=acme,CN=acmescep
O=acme,CN=$HOSTID
• Static CN—The CN you specify will be used as the subject for all
certificates issued by the SCEP server. For example:
O=acme,CN=acmescep
Subject Alternative Name Type After you select a type other than None, a dialog displays for
you to enter the appropriate value:
Cryptographic Settings • Number of Bits—Select the key’s Number of Bits for the certificate. If
the firewall is in FIPS-CC mode, the generated keys must be at least
2,048 bits. (FIPS-CC operation is indicated on the firewall login page and
the firewall status bar.)
• Digest—Select the Digest algorithm for the certificate: SHA1, SHA256,
SHA384, or SHA512. If the firewall is in FIPS-CC mode, you must select
SHA256, SHA384, or SHA512 as the Digest algorithm.
Use as digital signature Select this option to set the digitalSignature key usage on the
certificate so that the endpoint can sign with its private key (for example, to prove
possession of the key during TLS client authentication); the portal or gateway validates
that signature with the public key in the certificate.
Use for key encipherment Select this option to set the keyEncipherment key usage so that
the key pair can be used for key transport on the HTTPS connection established with the
certificates issued by the SCEP server: the peer encrypts the session key to the public key
in the certificate and the client endpoint decrypts it with its private key.
CA Certificate Fingerprint (Optional) To ensure that the portal connects to the correct SCEP server,
enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP
server interface in the Thumbprint field.
Log in to the SCEP server’s administrative user interface (for example, at
http://<hostname or IP>/CertSrv/mscep_admin/). Copy the thumbprint and
enter it in CA Certificate Fingerprint.
SCEP Server SSL Authentication To enable SSL, select the root CA Certificate for the SCEP
server. Optionally, you can enable mutual SSL authentication between the SCEP server and
the GlobalProtect portal by selecting a Client Certificate.
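The two checks the Subject and CA Certificate Fingerprint fields describe, as an added Python illustration (not Palo Alto Networks or GlobalProtect code): rendering the CSR subject from a template such as O=acme,CN=$HOSTID with the endpoint's host ID, rejecting a subject that is not in attribute=value form or lacks a CN, and comparing the SCEP server's CA certificate against the thumbprint copied from the server console in constant time. The host ID values, the CA_DER stand-in for the server's DER certificate and the helper names are assumptions made for the example.

```python
"""Build the CSR Subject that a SCEP profile sends for an endpoint and verify
the SCEP server's CA Certificate Fingerprint before trusting it. Added
illustration, not Palo Alto Networks or GlobalProtect code: the host IDs and the
CA_DER stand-in for the server's DER certificate are constructed."""
import hashlib
import hmac
import re
from typing import List, Tuple

# Constructed host ID values of the kinds the page lists per platform.
HOST_IDS = {
    "windows": "7c0f4a2e-5b1d-4f3a-9c8e-2d6b1a0f5e33",      # GUID
    "mac": "3c:22:fb:12:34:56",                             # interface MAC address
    "android": "9774d56d682e549c",                           # Android ID
    "ios": "00008030-001C2D3E4F5A6B7C",                      # UDID
    "satellite": "012345678901",                             # device serial number
}

# Stand-in bytes for the SCEP server's CA certificate in DER form (constructed).
CA_DER = b"constructed stand-in for the SCEP CA certificate DER bytes"

_ATTR = re.compile(r"^([A-Za-z][A-Za-z0-9]*)=(\S.*)$")


def parse_subject(template: str) -> List[Tuple[str, str]]:
    """Split 'O=acme,CN=$HOSTID' into (attribute, value) pairs; the subject must be
    a distinguished name in <attribute>=<value> form and must include CN."""
    pairs = []
    for part in template.split(","):
        match = _ATTR.match(part.strip())
        if match is None:
            raise ValueError(f"not in <attribute>=<value> form: {part!r}")
        pairs.append((match.group(1).upper(), match.group(2)))
    if not any(attr == "CN" for attr, _ in pairs):
        raise ValueError("subject must include the common name (CN) key")
    return pairs


def render_subject(template: str, host_id: str) -> str:
    """Fill $HOSTID with the endpoint's host ID (a dynamic CN); a template
    without the variable is a static CN and is used unchanged."""
    return ",".join(f"{attr}={value.replace('$HOSTID', host_id)}"
                    for attr, value in parse_subject(template))


def normalize_fingerprint(thumbprint: str) -> str:
    """Thumbprints copied from a CA console often carry spaces, colons or
    upper-case hex; reduce them to lower-case hex digits for comparison."""
    return re.sub(r"[^0-9a-f]", "", thumbprint.lower())


def ca_fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Fingerprint of a DER certificate: the hash of its raw DER bytes."""
    return hashlib.new(algorithm, der).hexdigest()


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Compare the presented CA certificate with the configured fingerprint.
    A 40-hex-digit value is treated as SHA-1 (what the Microsoft SCEP admin page
    shows), 64 as SHA-256; anything else is rejected rather than guessed."""
    wanted = normalize_fingerprint(expected)
    algorithm = {40: "sha1", 64: "sha256"}.get(len(wanted))
    if algorithm is None:
        raise ValueError("expected a SHA-1 (40 hex) or SHA-256 (64 hex) fingerprint")
    return hmac.compare_digest(ca_fingerprint(der, algorithm), wanted)


if __name__ == "__main__":
    print(render_subject("O=acme,CN=$HOSTID", HOST_IDS["windows"]))
    print(fingerprint_matches(CA_DER, ca_fingerprint(CA_DER).upper()))
```

A real deployment hashes the DER bytes of the certificate the SCEP server presents during the TLS handshake; a mismatch there means the portal is talking to the wrong PKI and must not submit the enrollment challenge password.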
You can also exclude traffic from decryption based on application, source, destination,
URL category, and service.
Use the settings on this page to Modify or Add a Decryption Exclusion and to Manage Decryption
Exclusions.
Shared Select Shared to share a decryption exclusion across all virtual systems in a
multiple virtual system firewall.
While predefined decryption exclusions are shared by default, you can enable
and disable both predefined and custom entries for a specific virtual system.
Description (Optional) Describe the application that you are excluding from decryption,
including why the application breaks when decrypted.
Exclude Exclude the application from decryption. Disable this option to start
decrypting an application that was previously excluded from decryption.
Show obsoletes Show obsoletes to view predefined entries that Palo Alto Networks no longer
defines as decryption exclusions.
More about obsolete entries:
Updates to predefined decryption exclusions (including the removal of a
predefined entry) are delivered to the firewall as part of Applications and
Threats content updates. Predefined entries with Exclude from decryption
enabled are automatically removed from the list of SSL decryption exclusions
when the firewall receives a content update that no longer includes that
entry.
However, predefined entries with Exclude from decryption disabled remain
on the SSL decryption list even after the firewall receives a content update
Show Local Exclusion Cache Show Local Exclusion Cache displays the sites that the firewall
automatically excluded from decryption because of technical circumstances that prevent
decryption, such as pinned certificates, client authentication, or unsupported ciphers. The
Local SSL Decryption Cache differs from the SSL Decryption Exclusion List (Device >
Certificate Management > SSL Decryption Exclusion), which contains the sites that prevent
decryption that Palo Alto Networks has identified and to which you can add permanent
decryption exclusions that you choose to make. The firewall populates the Local SSL
Decryption Cache with locally discovered decryption exceptions, based on the settings of
the Decryption profile associated with the Decryption policy rule that controls the traffic.
Excluded sites remain in the local cache for 12 hours and then age out. Each
exclusion entry includes information about the application, the server, the
reason why the firewall automatically excluded the site from decryption, the
Decryption profile applied to the traffic, and the Vsys.
After applying a profile, you must restart the SSH service from the CLI (for example, with the
operational command set ssh service-restart mgmt for the management interface) to activate
the profile.
Application Block Page Access blocked because the application is blocked by a Security policy
rule.
Authentication Portal Comfort Page The firewall displays this page so that users can enter
login credentials to access services that are subject to Authentication policy rules (see
Policies > Authentication). Enter a message that tells users how to respond to this
authentication challenge. The firewall authenticates users based on the Authentication
Profile specified in the authentication enforcement object assigned to an Authentication
rule (see Objects > Authentication).
Data Filtering Block Page Content was matched against a data filtering profile and blocked
because sensitive information was detected.
File Blocking Continue Page Page for users to confirm that downloading should continue. This
option is available only if Continue functionality is enabled in the
security profile. Select Objects > Security Profiles > File Blocking.
File Blocking Block Page Access blocked because access to the file is blocked.
GlobalProtect App Help Page Custom help page for GlobalProtect users (accessible from the
settings menu on the GlobalProtect status panel).
GlobalProtect Portal Login Page Login page for users who attempt to authenticate to the
GlobalProtect portal webpage.
GlobalProtect Portal Home Page Home page for users who successfully authenticate to the
GlobalProtect portal webpage.
GlobalProtect App Welcome Page Welcome page for users who successfully connect to
GlobalProtect.
MFA Login Page The firewall displays this page so that users can respond to multi-
factor authentication (MFA) challenges when accessing services
SAML Auth Internal Error Page Page to inform users that SAML authentication failed. The page
includes a link for the user to retry authentication.
SSL Certificate Errors Notify Page Notification that an SSL certificate has been revoked.
SSL Decryption Opt-out Page User warning page indicating that the firewall will decrypt SSL
sessions for inspection.
URL Filtering and Category Match Block Page Access blocked by a URL filtering profile or
because the URL category is blocked by a Security policy rule.
URL Filtering Continue and Override Page Page with initial block policy that allows users to
bypass the block. For example, a user who thinks the page was blocked inappropriately can
click Continue to proceed to the page.
With the override page, a password is required for the user to
override the policy that blocks this URL. See the URL Admin Override
section for instructions on setting the override password.
URL Filtering Safe Search Enforcement Block Page Access blocked by a Security policy rule
with a URL filtering profile that has the Safe Search Enforcement option enabled.
The user sees this page if a search is performed using Bing, Google,
Yahoo, Yandex, or YouTube and their browser or search engine
account setting for Safe Search is not set to strict. The block page will
instruct the user to set the Safe Search setting to strict.
Anti Phishing Block Page Displays to users when they attempt to enter valid corporate
credentials (usernames or passwords) on a web page for which
credential submissions are blocked. The user can continue to access
the site but remains unable to submit valid corporate credentials to
any associated web forms.
Select Objects > Security Profiles > URL Filtering to enable credential
detection and control credential submissions to web pages based on
URL category.
Anti Phishing Continue Page This page warns users against submitting corporate credentials
(usernames and passwords) to a web site. Warning users against
submitting credentials can help to discourage them from reusing
corporate credentials and to educate them about possible phishing
attempts. Users see this page when they attempt to submit credentials
to a site for which the User Credential Submission permissions are
set to continue (see Objects > Security Profiles > URL Filtering). They
must select Continue to enter credentials on the site.
You can perform any of the following functions for Response Pages.
The free tier of Security Center is automatically enabled on your Azure subscription.
You can forward the following log types: System, Configuration, User-ID, HIP Match, and Correlation
logs. To specify destinations for each log type, Add one or more match list profiles (up to 64) and complete
the fields described in the following table.
To forward Traffic, Threat, WildFire Submissions, URL Filtering, Data Filtering, Tunnel
Inspection, GTP, and Authentication logs, you must configure a Log Forwarding profile (see
Objects > Log Forwarding).
Name Enter a name (up to 31 characters) to identify the match list profile. A valid
name must start with an alphanumeric character and can contain alphanumeric
characters, underscores, hyphens, periods, or spaces.
Filter By default, the firewall forwards All Logs of the type for which you add the
match list profile. To forward a subset of the logs, open the drop-down and
select an existing filter or select Filter Builder to add a new filter. For each
query in a new filter, specify the following fields and Add the query:
Set the filter to forward logs for all event severity levels (the
default filter is All Logs). To create separate log forwarding
methods for different severity levels, specify one or more
severity levels in the Filter, configure a Forward Method,
and then repeat the process for the rest of the severity
levels.
Description Enter a description (up to 1,023 characters) to explain the purpose of this
match list profile.
SNMP Add one or more SNMP Trap server profiles to forward logs as SNMP traps
(see Device > Server Profiles > SNMP Trap).
Email Add one or more Email server profiles to forward logs as email notifications
(see Device > Server Profiles > Email).
Syslog Add one or more Syslog server profiles to forward logs as syslog messages
(see Device > Server Profiles > Syslog).
HTTP Add one or more HTTP server profiles to forward logs as HTTP requests
(see Device > Server Profiles > HTTP).
Built-in Actions You can select from two types of built-in actions when you Add an action
to perform—Tagging and Integration.
• Tagging—You can add an action for all log types that include a source
or destination IP address in the log entry by configuring the following
settings as needed.
When you enable alarms, you can view the current list by clicking Alarms ( ) in the bottom of the
web interface.
To add an alarm, edit the Alarm Settings described in the following table.
Enable CLI Alarm Notifications Enable CLI alarm notifications whenever alarms occur.
Enable Web Alarm Notifications Open a window to display alarms on user sessions, including when they
occur and when they are acknowledged.
Enable Audible Alarms An audible alarm tone will play every 15 seconds on the administrator's
computer when the administrator is logged into the web interface
and unacknowledged alarms exist. The alarm tone will play until the
administrator acknowledges all alarms.
To view and acknowledge alarms, click Alarms.
This feature is only available when the firewall is in FIPS-CC mode.
<Log-type> Log DB Generate an alarm when a log database reaches the indicated percentage of
the maximum size.
Security Violations Threshold / Security Violations Time Period An alarm is generated if a particular IP
address or port hits a deny rule the number of times specified in Security Violations Threshold within the
period (in seconds) specified in Security Violations Time Period.
Violations Threshold / Violations Time Period / Security Policy Tags An alarm is generated if the collection
of rules reaches the number of rule-limit violations specified in Violations Threshold during the period
specified in Violations Time Period. Violations are counted when a session matches an explicit deny policy.
Use Security Policy Tags to specify the tags for which the rule-limit thresholds generate alarms. These tags
become available for selection when you define security policy rules.
Selective Audit The selective audit options are only available when the firewall is in FIPS-CC mode.
Specify the following settings:
• FIPS-CC Specific Logging—Enables verbose logging required for
Common Criteria (CC) compliance.
• Packet Drop Logging—Logs packets dropped by the firewall.
• Suppress Login Success Logging—Stops logging of successful
administrator logins to the firewall.
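The two alarm thresholds above are sliding-window counters: one keyed by the source IP address (or port) that hits a deny rule, one keyed by the Security Policy Tags of the explicit deny rules that sessions match. The following Python is an added example, not code from the PAN-OS documentation or from Palo Alto Networks, that runs both counters over a constructed list of deny-rule hits. The hit tuples, the rule names, the tag mapping and the choice to reset a key's window after it alarms (so one burst raises one alarm) are assumptions made for the illustration; the page does not describe how the firewall de-duplicates repeated alarms.

```python
from collections import defaultdict, deque

# Constructed deny-rule hits: (epoch seconds, source IP, matched explicit deny rule).
# These are not real firewall log entries.
SAMPLE_DENY_HITS = [
    (1000, "10.1.1.5", "deny-rdp"),
    (1002, "10.1.1.5", "deny-rdp"),
    (1003, "10.1.1.9", "deny-smb"),
    (1004, "10.1.1.5", "deny-misc"),
    (1130, "10.1.1.5", "deny-rdp"),   # more than 60 s after the first burst
    (1131, "10.1.1.5", "deny-smb"),
    (1132, "10.1.1.5", "deny-smb"),
]

# Security Policy Tags attached to each deny rule (constructed mapping).
RULE_TAGS = {
    "deny-rdp": {"critical"},
    "deny-smb": {"critical", "lateral"},
    "deny-misc": set(),
}


def sliding_window_alarms(events, threshold, time_period):
    """Generic threshold-within-period counter.

    events: time-ordered (timestamp, key) pairs.
    An alarm fires for a key when it accumulates `threshold` events whose
    timestamps lie within `time_period` seconds of each other. The key's
    window is cleared after an alarm (assumption) so a single burst does
    not alarm on every further hit.
    Returns the list of (timestamp, key) at which alarms fired.
    """
    windows = defaultdict(deque)
    alarms = []
    for ts, key in events:
        q = windows[key]
        q.append(ts)
        # Drop hits that have fallen out of the trailing window.
        while ts - q[0] > time_period:
            q.popleft()
        if len(q) >= threshold:
            alarms.append((ts, key))
            q.clear()
    return alarms


def security_violation_alarms(hits, threshold, time_period):
    """Security Violations Threshold / Time Period: count deny hits per source IP."""
    return sliding_window_alarms(((ts, ip) for ts, ip, _rule in hits), threshold, time_period)


def rule_limit_alarms(hits, rule_tags, alarm_tags, threshold, time_period):
    """Violations Threshold / Time Period / Security Policy Tags: count deny matches
    per tag, but only for the tags selected under Security Policy Tags."""
    keyed = (
        (ts, tag)
        for ts, _ip, rule in hits
        for tag in sorted(rule_tags.get(rule, ()))
        if tag in alarm_tags
    )
    return sliding_window_alarms(keyed, threshold, time_period)


if __name__ == "__main__":
    print(security_violation_alarms(SAMPLE_DENY_HITS, 3, 60))
    print(rule_limit_alarms(SAMPLE_DENY_HITS, RULE_TAGS, {"critical"}, 3, 60))
```

With a threshold of 3 hits in 60 seconds, 10.1.1.5 alarms twice (once per burst), while the "lateral" tag never reaches the threshold because its three matches are spread across both bursts.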
Clear Logs
• Device > Log Settings
You can clear logs on the firewall when you Manage Logs on the Log Settings page. Click the log type you
want to clear and click Yes to confirm the request.
To automatically delete logs and reports, you can configure expiration periods. For details,
see Logging and Reporting Settings.
Don’t delete a server profile that any system log setting or logging profile uses.
Name Enter a name for the SNMP profile (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.
Location Select the scope in which the profile is available. In the context of a firewall
that has more than one virtual system (vsys), select a vsys or select Shared
(all virtual systems). In any other context, you can’t select the Location; its
value is predefined as Shared (firewalls) or as Panorama. After you save the
profile, you can’t change its Location.
Version Select the SNMP version: V2c (default) or V3. Your selection controls the
remaining fields that the dialog displays. For either version, you can add up
to four SNMP managers.
Name Specify a name for the SNMP manager. The name can have up to 31
characters that are alphanumeric, periods, underscores, or hyphens.
For SNMP V3
Name Specify a name for the SNMP manager. The name can have up to 31
characters that are alphanumeric, periods, underscores, or hyphens.
EngineID Specify the engine ID of the firewall. When an SNMP manager and the
firewall authenticate to each other, trap messages use this value to uniquely
identify the firewall. If you leave the field blank, the messages use the
firewall serial number as the EngineID. If you enter a value, it must be in
hexadecimal format, prefixed with 0x, and with another 10-128 characters
to represent any number of 5-64 bytes (2 characters per byte). For firewalls
in a high availability (HA) configuration, leave the field blank so that the
SNMP manager can identify which HA peer sent the traps; otherwise, the
value is synchronized and both peers will use the same EngineID.
Auth Password Specify the authentication password of the SNMP user. The firewall uses
the password to authenticate to the SNMP manager. The password must be
8–256 characters and all characters are allowed.
Priv Password Specify the privacy password of the SNMP user. The password must be 8–
256 characters and all characters are allowed.
Authentication Protocol Select the Secure Hash Algorithm (SHA) used to authenticate SNMP messages. You
can select SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.
Privacy Protocol Select the Advanced Encryption Standard (AES) for SNMP traps and
responses to statistics requests. You can select AES-128, AES-192, or
AES-256.
• To select the Syslog Server profile for System, Config, User-ID, HIP Match, and
Correlation logs, see Device > Log Settings.
• To select the Syslog Server Profile For Traffic, Threat, Wildfire, URL Filtering, Data
Filtering, Tunnel Inspection, Authentication, and GTP logs, see Objects > Log Forwarding.
• You cannot delete a server profile that the firewall uses in any System or Config log
settings or Log Forwarding profile.
Name Enter a name for the syslog profile (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.
Location Select the scope in which the profile is available. In the context of a firewall
that has more than one virtual system (vsys), select a vsys or select Shared
(all virtual systems). In any other context, you can’t select the Location; its
value is predefined as Shared (firewalls) or as Panorama. After you save the
profile, you can’t change its Location.
Servers Tab
Name Click Add and enter a name for the syslog server (up to 31 characters).
The name is case-sensitive and must be unique. Use only letters, numbers,
spaces, hyphens, and underscores.
Transport Select whether to transport the syslog messages over UDP, TCP, or SSL.
Port Enter the port number of the syslog server (the standard port for UDP is
514; the standard port for SSL is 6514; for TCP you must specify a port
number).
Format Specify the syslog format to use: BSD (the default) or IETF.
Facility Select one of the Syslog standard values. Select the value that maps to how
your Syslog server uses the facility field to manage messages. For details on
the facility field, see RFC 3164 (BSD format) or RFC 5424 (IETF format).
Log Type Click the log type to open a dialog box that allows you to specify a custom
log format. In the dialog box, click a field to add it to the Log Format area.
Other text strings can be edited directly in the Log Format area. Click OK
to save the settings. For details on the fields that can be used for custom
logs, see Device > Server Profiles > Email.
Escaping Specify escape sequences. Escaped Characters is the list, entered without spaces, of all the
characters to be escaped.
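The Format and Facility fields decide what the header of each forwarded message looks like: a BSD (RFC 3164) header is `<PRI>Mmm dd hh:mm:ss host msg`, an IETF (RFC 5424) header is `<PRI>1 timestamp host app procid msgid structured-data msg`, and in both cases PRI is facility × 8 + severity. The following Python is an added example, not code from the PAN-OS documentation or from Palo Alto Networks, that parses both header styles and recovers the facility and severity, which is what a collector or a detection pipeline must do before it can route the message. The two sample lines are constructed; the CSV text after the header is illustrative only and does not reproduce the real PAN-OS log field order.

```python
import re

# Facility numbers defined in RFC 3164 / RFC 5424 (the Facility drop-down in the profile).
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines (not captured from a firewall). PRI 134 = local0 (16) * 8 + info (6).
BSD_SAMPLE = (
    "<134>Oct  6 12:00:01 fw-edge-01 "
    "1,2021/10/06 12:00:01,TRAFFIC,end,10.1.1.5,203.0.113.7"
)
IETF_SAMPLE = (
    "<134>1 2021-10-06T12:00:01.000Z fw-edge-01 - - - - "
    "1,2021/10/06 12:00:01,TRAFFIC,end,10.1.1.5,203.0.113.7"
)

# RFC 3164: <PRI>TIMESTAMP HOSTNAME MSG; the day of month is space-padded ("Oct  6").
BSD_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S
)
# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
IETF_RE = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[.*?\])+)(?: (.*))?$", re.S
)


def pri_value(facility, severity):
    """PRI as sent on the wire: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def parse_syslog(line):
    """Parse one BSD- or IETF-formatted syslog line into its header fields.

    Returns a dict with the detected format, numeric and named facility and
    severity, timestamp, host and message body (plus app/procid/msgid/
    structured_data for IETF). Raises ValueError for malformed input or PRI > 191.
    """
    m = IETF_RE.match(line)
    if m:
        pri, ts, host, app, procid, msgid, sd, msg = m.groups()
        extra = {"app": app, "procid": procid, "msgid": msgid, "structured_data": sd}
        fmt = "IETF"
    else:
        m = BSD_RE.match(line)
        if not m:
            raise ValueError("not a recognizable BSD or IETF syslog line")
        pri, ts, host, msg = m.groups()
        extra = {}
        fmt = "BSD"
    pri = int(pri)
    if pri > 191:  # highest legal value: local7 (23) * 8 + debug (7)
        raise ValueError("PRI out of range")
    facility, severity = pri >> 3, pri & 7
    return {
        "format": fmt,
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, str(facility)),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "timestamp": ts,
        "host": host,
        "message": msg or "",
        **extra,
    }


if __name__ == "__main__":
    for sample in (BSD_SAMPLE, IETF_SAMPLE):
        print(parse_syslog(sample))
```

Note that the BSD timestamp carries no year or time zone, so a collector that receives BSD-format messages must supply both itself; the IETF format carries a full RFC 3339 timestamp, which is one reason to prefer it when log times matter for forensics.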
• To select the Email Server profile for System, Config, User-ID, HIP Match, and
Correlation logs, see Device > Log Settings.
• To select the Email Server Profile For Traffic, Threat, Wildfire, URL Filtering, Data
Filtering, Tunnel Inspection, Authentication, and GTP logs, see Objects > Log Forwarding.
• You can also schedule email reports (Monitor > PDF Reports > Email Scheduler).
• You cannot delete a server profile that the firewall uses in any System or Config log
settings or Log Forwarding profile.
Name Enter a name for the server profile (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.
Location (Virtual systems only) Select the scope in which the profile is available. In the context of a firewall
that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other
context, you can’t select the Location; its value is predefined as Shared (firewalls) or as Panorama. After you
save the profile, you can’t change its Location.
Servers Tab
Name Enter a name to identify the server (up to 31 characters). This field is just a
label and does not have to be the host name of an existing email server.
Email Display Name Enter the name shown in the From field of the email.
Additional Recipient Optionally, enter the email address of another recipient. You can only add
one additional recipient. To add multiple recipients, add the email address
of a distribution list.
Email Gateway Enter the IP address or host name of the server that sends the email.
Protocol Select the protocol you want to use to send the email (Unauthenticated
SMTP or SMTP over TLS).
Port Enter the port number you want to use to send the email if it differs from
the default (25 for SMTP or 587 for TLS).
TLS Version Select the TLS version you want to use (1.2 or 1.1).
Certificate Profile (SMTP over TLS only) Select the certificate profile for the firewall to use to authenticate
the email server.
Username (SMTP over TLS only) Enter the username of the account that sends the email.
Password (SMTP over TLS only) Enter the password of the account that sends the email.
Confirm Password (SMTP over TLS only) Confirm the password of the account that sends the email.
Test Connection (SMTP over TLS only) Confirm the connection between the email server and the firewall.
Log Type Click the log type to open a dialog box that allows you to specify a custom
log format. In the dialog box, click a field to add it to the Log Format area.
Click OK to save your changes.
Escaping Specify the Escaped Characters (the characters that are not to be interpreted literally), entered
without spaces, and specify the Escape Character that the firewall uses for the escape sequence.
To define an HTTP server profile, Add a new profile and configure the settings in the following table.
Name Enter a name for the server profile (up to 31 characters). The name is case-
sensitive and must be unique. A valid name must start with an alphanumeric
character and can contain zeros, alphanumeric characters, underscores,
hyphens, dots, or spaces.
Location Select the scope in which the server profile is available. In the context of
a firewall that has more than one virtual system (vsys), select a vsys or
select Shared (all virtual systems). In any other context, you can’t select the
Location; its value is predefined as Shared (firewalls) or as Panorama. After
you save the profile, you can’t change the Location.
Tag Registration Tag registration allows you to add or remove a tag on a source or
destination IP address in a log entry and register the IP address and tag
mapping to the User-ID agent on a firewall using HTTP(S). You can then
define dynamic address groups that use these tags as a filtering criteria to
determine its members, and enforce policy rules to an IP address based on
tags.
Add the connection details to enable HTTP(S) access to the User-ID agent
on a firewall.
To register tags to the User-ID agent on Panorama, you do not need a
server profile. Additionally, you cannot use the HTTP server profile to
register tags to a User-ID agent running on a Windows server.
Servers Tab
Name Add an HTTP(S) server or remote User-ID agent and enter a name (up to 31 characters). A valid
name must be unique and start with an alphanumeric character; the name can contain zeros, alphanumeric
characters, underscores, hyphens, dots, or spaces.
Port Enter the port number on which to access the server or firewall. The default
port for HTTP is 80 and for HTTPS is 443.
For tag registration, the firewall uses HTTP or HTTPS to connect to the
web server on the firewalls that are configured as User-ID agents.
TLS Version Select the TLS version supported for SSL on the server. The default is 1.2.
Certificate Profile Select the certificate profile to use for the TLS connection with the server.
The firewall uses the specified certificate profile to validate the server
certificate when establishing a secure connection to the server.
HTTP Method Select the HTTP method that the server supports. The options are GET,
PUT, POST (default), and DELETE.
For the User-ID agent, use the GET method.
Username Enter the username that has access privileges to complete the HTTP
method you selected.
If you are registering tags to the User-ID agent on a firewall, the username
must be that of an administrator with a superuser role.
Test Server Connection Select a server and Test Server Connection to test network connectivity to
the server.
This test does not test connectivity to a server that is running the User-ID
agent.
Log Type The log type available for HTTP forwarding displays. Click the log type to
open a dialog box that allows you to specify a custom log format.
Format Displays whether the log type uses the default format, a predefined format,
or a custom payload format that you defined.
Pre-defined Formats Select the format for your service or vendor for sending logs. Predefined
formats are pushed through content updates and can change each time you
install a new content update on the firewall or Panorama.
URI Format Specify the resource to which you want to send logs using HTTP(S).
If you create a custom format, the URI is the resource endpoint on the
HTTP service. The firewall appends the URI to the IP address you defined
earlier to construct the URL for the HTTP request. Ensure that the URI and
payload format matches the syntax that your third-party vendor requires.
You can use any attribute supported on the selected log type within the
HTTP Header, Parameter, and Value pairs, and the request payload.
Payload Select the log attributes you want to include as the payload in the HTTP
message to the external web server.
Send Test Log Click this button to validate that the external web server receives the
request and in the correct payload format.
Name Enter a name for the Netflow server profile (up to 31 characters). The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Template Refresh Rate The firewall periodically refreshes NetFlow templates to re-evaluate which
one to use (in case the type of exported data changes) and to apply any
changes to the fields in the selected template. Specify the rate at which
the firewall refreshes NetFlow templates in Minutes (range is 1 to 3,600;
default is 30) and Packets (exported records—range is 1 to 600; default is
20), according to the requirements of your NetFlow collector. The firewall
refreshes the template after either threshold is passed. The required
refresh rate depends on the NetFlow collector. If you add multiple NetFlow
collectors to the server profile, use the value of the collector with the
fastest refresh rate.
Active Timeout Specify the frequency (in minutes) at which the firewall exports data
records for each session (range is 1 to 60; default is 5). Set the frequency
based on how often you want the NetFlow collector to update traffic
statistics.
PAN-OS Field Types Export PAN-OS specific fields for App-ID and the User-ID service in
Netflow records.
Servers
Name Specify a name to identify the server (up to 31 characters). The name is
case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Server Specify the hostname or IP address of the server. You can add a maximum
of two servers per profile.
Port Specify the port number for server access (default is 2055).
Profile Name Enter a name to identify the server profile (up to 31 characters). The
name is case-sensitive and must be unique. Use only letters, numbers,
spaces, hyphens, and underscores.
Location Select the scope in which the profile is available. In the context of a
firewall that has more than one virtual system (vsys), select a vsys or
select Shared (all virtual systems). In any other context, you can’t select
the Location; its value is predefined as Shared (firewalls) or as Panorama.
After you save the profile, you can’t change its Location.
Administrator Use Only Select this option to specify that only administrator accounts can use the
profile for authentication. For firewalls that have multiple virtual systems,
this option appears only if the Location is Shared.
Authentication Protocol Select the Authentication Protocol that the firewall uses to secure a
connection to the RADIUS server:
• PEAP-MSCHAPv2— (Default) Protected EAP (PEAP) with Microsoft
Challenge-Handshake Authentication Protocol (MSCHAPv2) provides
improved security over PAP or CHAP by transmitting both the
username and password in an encrypted tunnel.
• PEAP with GTC—Select Protected EAP (PEAP) with Generic Token
Card (GTC) to use one-time tokens in an encrypted tunnel.
• EAP-TTLS with PAP—Select EAP with Tunneled Transport Layer
Security (TTLS) and PAP to transport plaintext credentials for PAP in
an encrypted tunnel.
• CHAP—Select Challenge-Handshake Authentication Protocol
(CHAP) if the RADIUS server does not support EAP or PAP or is not
configured for it.
Allow users to change passwords after expiry (PEAP-MSCHAPv2 with GlobalProtect 4.1 or later) Select this
option to allow GlobalProtect users to change expired passwords.
Make Outer Identity Anonymous (PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP) This option is
enabled by default to anonymize the user’s identity in the outer tunnel that the firewall creates after
authenticating with the server.
Certificate Profile (PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP) Select or configure a
Certificate Profile to associate with the RADIUS server profile. The firewall uses the Certificate Profile to
authenticate with the RADIUS server.
Retries Specify the number of times to retry after a timeout (range is 1–5, default
is 3).
Profile Name Enter a name to identify the server profile (up to 31 characters). The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Location Select the scope in which the profile is available. In the context of a firewall
that has more than one virtual system (vsys), select a vsys or select Shared (all
virtual systems). In any other context, you can’t select the Location; its value
is predefined as Shared (firewalls) or as Panorama. After you save the profile,
you can’t change its Location.
Administrator Use Only Select this option to specify that only administrator accounts can use the
profile for authentication. For multi-vsys firewalls, this option appears only if
the Location is Shared.
Timeout Enter an interval in seconds after which an authentication request times out
(range is 1–20; default is 3).
Authentication Protocol Select the Authentication Protocol that the firewall uses to secure a
connection to the TACACS+ server:
• CHAP—Challenge-Handshake Authentication Protocol (CHAP) is the
default and preferred protocol because it is more secure than PAP.
• PAP—Select Password Authentication Protocol (PAP) if the TACACS+
server does not support CHAP or is not configured for it.
• Auto—The firewall first tries to authenticate using CHAP. If the TACACS+
server doesn’t respond, the firewall falls back to PAP.
Use single connection for all authentication Select this option to use the same TCP session for all
authentications. This option improves performance by avoiding the processing required to initiate and tear
down a separate TCP session for each authentication event.
Servers Click Add and specify the following settings for each TACACS+ server:
• Name—Enter a name to identify the server.
• TACACS+ Server—Enter the IP address or FQDN of the TACACS+ server.
• Secret/Confirm Secret—Enter and confirm a key to verify and encrypt the
connection between the firewall and the TACACS+ server.
• Port—Enter the server port (default is 49) for authentication requests.
Profile Name Enter a name to identify the profile (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Location Select the scope in which the profile is available. In the context of a firewall
that has more than one virtual system (vsys), select a vsys or select Shared (all
virtual systems). In any other context, you can’t select the Location; its value
is predefined as Shared (firewalls) or as Panorama. After you save the profile,
you can’t change its Location.
Administrator Use Only Select this option to specify that only administrator accounts can use the
profile for authentication. For firewalls that have multiple virtual systems, this
option appears only if the Location is Shared.
Server List For each LDAP server, Add a host Name, IP address or FQDN (LDAP Server),
and Port (default is 389).
Base DN Specify the root context in the directory server to narrow the search for user
or group information.
Bind DN Specify the login name (Distinguished Name) for the directory server.
Password/Confirm Password Specify the bind account password. The firewall stores the password in
encrypted form in the configuration.
Bind Timeout Specify the time limit (in seconds) imposed when connecting to the directory
server (range is 1 to 30; default is 30).
Search Timeout Specify the time limit (in seconds) imposed when performing directory
searches (range is 1 to 30; default is 30).
Retry Interval Specify the interval (in seconds) after which the system will try to connect to
the LDAP server after a previous failed attempt (range is 1 to 3,600; default is
60).
Require SSL/TLS secured connection Select this option if you want the firewall to use SSL or TLS for
communications with the directory server. The protocol depends on the server port:
• 389 (default)—TLS (Specifically, the firewall uses the Start TLS operation, which upgrades the initial
plaintext connection to TLS.)
• 636—SSL (LDAPS, in which the connection is encrypted from the first byte.)
• Any other port—The firewall first attempts to use TLS. If the directory server doesn’t support TLS, the
firewall falls back to SSL.
Verify Server Certificate for SSL sessions Select this option (cleared by default) if you want the firewall to
verify the certificate that the directory server presents for SSL/TLS connections. The firewall verifies the
certificate in two respects:
• The certificate is trusted and valid. For the firewall to trust the certificate,
its root certificate authority (CA) and any intermediate certificates must
be in the certificate store under Device > Certificate Management >
Certificates > Device Certificates.
• The certificate name must match the host Name of the LDAP server. The
firewall first checks the certificate attribute Subject AltName for matching,
then tries the attribute Subject DN. If the certificate uses the FQDN of the
directory server, you must use the FQDN in the LDAP Server field for the
name matching to succeed.
If the verification fails, the connection fails. To enable this verification, you
must also select Require SSL/TLS secured connection.
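The name-matching rule above is the part of this profile that most often fails silently in practice: a certificate issued to the server's FQDN never matches an LDAP Server field that holds an IP address. The following Python is an added example, not code from the PAN-OS documentation or from Palo Alto Networks, that models the checks the page describes: the port-to-protection mapping, the Subject AltName-then-Subject DN name comparison, and the dependency between Verify Server Certificate and Require SSL/TLS. The sample certificate is constructed (in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns); the treatment of wildcard names and of IP literals (which match only a SAN IP Address entry) is an assumption, because the page does not discuss either. It also follows the page in falling back to the Subject CN when no SAN entry matches; RFC 6125 is stricter and ignores the CN once a SAN is present.

```python
import ipaddress


def ldap_protection_for_port(port):
    """How the page says the firewall protects the session for a given port
    when Require SSL/TLS secured connection is selected."""
    if port == 389:
        return "starttls"            # plaintext LDAP upgraded with the StartTLS operation
    if port == 636:
        return "ldaps"               # encrypted from the first byte
    return "starttls-then-ldaps"     # try TLS (StartTLS) first, fall back to SSL (LDAPS)


# Constructed server certificate; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.com"),
        ("DNS", "*.corp.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_name_matches(pattern, host):
    """Case-insensitive comparison; one wildcard in the left-most label only (assumption)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def _subject_cn(cert):
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def server_cert_matches(cert, ldap_server_field):
    """Name check in the order the page gives: Subject AltName first, then Subject DN.

    An IP literal in the LDAP Server field matches only a SAN IP Address entry
    (assumption), so a certificate that names the FQDN fails unless the profile
    also uses that FQDN, which is the caveat the page states.
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(ldap_server_field)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in san)
    if any(kind == "DNS" and _dns_name_matches(val, ldap_server_field)
           for kind, val in san):
        return True
    cn = _subject_cn(cert)
    return cn is not None and _dns_name_matches(cn, ldap_server_field)


def ldap_profile_outcome(port, require_tls, verify_cert, cert, ldap_server_field):
    """Outcome of the two check boxes taken together, as the page describes them."""
    if verify_cert and not require_tls:
        return "invalid: Verify Server Certificate requires Require SSL/TLS secured connection"
    if not require_tls:
        return "plaintext"
    mode = ldap_protection_for_port(port)
    if verify_cert and not server_cert_matches(cert, ldap_server_field):
        return f"{mode}: connection fails, certificate name mismatch"
    return f"{mode}: ok"


if __name__ == "__main__":
    print(ldap_profile_outcome(636, True, True, SAMPLE_CERT, "ldap.example.com"))
    print(ldap_profile_outcome(636, True, True, SAMPLE_CERT, "192.0.2.11"))
```

The chain-of-trust half of the verification (root and intermediate CAs present under Device Certificates) is not modelled here; in a real client it is performed by the TLS library before any name comparison takes place.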
To use Kerberos authentication, your back-end Kerberos server must be accessible over an
IPv4 address. IPv6 addresses are not supported.
Profile Name Enter a name to identify the server (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Location Select the scope in which the profile is available. In the context of a firewall
that has more than one virtual system (vsys), select a vsys or select Shared (all
virtual systems). In any other context, you can’t select the Location; its value
is predefined as Shared (firewalls) or as Panorama. After you save the profile,
you can’t change its Location.
Administrator Use Only Select this option to specify that only administrator accounts can use the
profile for authentication. For firewalls that have multiple virtual systems, this
option appears only if the Location is Shared.
Servers For each Kerberos server, click Add and specify the following settings:
• Name—Enter a name for the server.
• Kerberos Server—Enter the server IPv4 address or FQDN.
• Port—Enter an optional port (range is 1 to 65,535; default is 88) for
communication with the server.
Authentication sequences don’t support authentication profiles that specify SAML IdP server
profiles.
In most cases, you cannot use SSO to access multiple apps on the same mobile device.
You cannot enable SLO for Authentication Portal users.
The easiest way to create a SAML IdP server profile is to Import a metadata file containing the registration
information from the IdP. After saving a server profile with imported values, you can edit the profile to
modify the values. If the IdP doesn’t provide a metadata file, you can Add the server profile and manually
enter the information. After creating a server profile, assign it to an authentication profile (see Device >
Authentication Profile) for specific firewall or Panorama services.
Profile Name Enter a name to identify the server (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Location Select the scope in which the profile is available. In the context of a firewall
that has multiple virtual systems, select a virtual system or select Shared (all
virtual systems). In any other context, you can’t select the Location; its value
is predefined as Shared (firewalls) or as Panorama. After you save the profile,
you can’t change its Location.
Administrator Use Only Select this option to specify that only administrator accounts can use the
profile for authentication. For firewalls that have multiple virtual systems, this
option appears only if the Location is Shared.
Identity Provider ID Enter an identifier for the IdP. Your IdP provides this information.
Identity Provider Certificate Select the certificate that the IdP uses to sign SAML messages that it sends to
the firewall. You must select an IdP certificate to ensure the integrity of messages that the IdP sends to
the firewall. To validate the IdP certificate against the issuing Certificate Authority (CA), you must specify
a Certificate Profile in any authentication profile that references the IdP server profile (see Device >
Authentication Profile).
Identity Provider SSO URL Enter the URL that the IdP advertises for its single sign-on (SSO) service.
If you create the server profile by importing a metadata file and the file
specifies multiple SSO URLs, the firewall uses the first URL that specifies a
POST or redirect binding method.
Identity Provider SLO URL Enter the URL that the IdP advertises for its single logout (SLO) service.
If you create the server profile by importing a metadata file and the file
specifies multiple SLO URLs, the firewall uses the first URL that specifies a
POST or redirect binding method.
SSO SAML HTTP Binding Select the HTTP binding associated with the Identity Provider SSO URL. The
firewall uses the binding to send SAML messages to the IdP. The options are:
• POST—The firewall sends messages using base64-encoded HTML forms.
• Redirect—The firewall sends base64-encoded and URL-encoded SSO
messages within URL parameters.
SLO SAML HTTP Binding Select the HTTP binding associated with the Identity Provider SLO URL. The
firewall uses the binding to send SAML messages to the IdP. The options are POST and Redirect, as for the
SSO binding.
Identity Provider Metadata This field displays only if you Import an IdP metadata file that you uploaded
to the firewall from the IdP. The file specifies the values and signing certificate for a new SAML IdP server
profile. Browse to the file, specify the Profile Name and Maximum Clock Skew, and then click OK to create
the profile. Optionally, you can edit the profile to change the imported values.
Validate Identity Provider Certificate Select this option to validate the chain of trust and optionally the
revocation status of the IdP signing certificate.
To enable this option, a Certificate Authority (CA) must issue your IdP’s
signing certificate. You must create a Certificate Profile that has the CA that
issued the IdP’s signing certificate. In the Authentication Profile, select the
SAML Server profile and Certificate Profile to validate the IdP certificate (see
Device > Authentication Profile).
If your IdP signing certificate is self-signed, there is no chain of trust and you cannot enable this
option. Whether or not you enable Validate Identity Provider Certificate, the firewall always validates
the signature of SAML Responses and Assertions against the Identity Provider Certificate that you
configure. If your IdP provides a self-signed certificate, ensure that you are running PAN-OS 10.1 to
mitigate exposure to CVE-2020-2021, a SAML authentication bypass in earlier PAN-OS releases that was
reachable when this option was disabled.
Sign SAML Message to IdP Select this option to specify that the firewall sign messages it sends to the
IdP. The firewall uses the Certificate for Signing Requests that you specify in an authentication profile
(see Device > Authentication Profile).
Maximum Clock Skew Enter the maximum acceptable time difference in seconds between the
IdP and firewall system times at the moment when the firewall validates a
message that it receives from the IdP (range is 1 to 900; default is 60). If the
time difference exceeds this value, the validation (and thus authentication)
fails.
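Two of the fields above have a precise mechanical meaning: the SAML HTTP Binding decides how the firewall encodes the message it sends to the IdP, and Maximum Clock Skew decides how far the IdP's timestamps may drift from the firewall clock before a message is rejected. The following Python is an added example, not code from the PAN-OS documentation or from Palo Alto Networks, that shows both. The POST encoding is base64 as the page says; for Redirect the page mentions base64 and URL-encoding, and the SAML 2.0 bindings specification additionally DEFLATE-compresses the message first, which the example does. Which timestamps the firewall compares against the skew (IssueInstant, NotBefore, NotOnOrAfter) is an assumption drawn from the SAML core specification, as is the sample AuthnRequest.

```python
import base64
import urllib.parse
import zlib
from datetime import datetime, timedelta, timezone


def encode_for_binding(saml_xml, binding):
    """Encode a SAML message for the SSO/SLO SAML HTTP Binding chosen in the profile."""
    raw = saml_xml.encode("utf-8")
    if binding == "POST":
        # Carried in a base64-encoded HTML form field.
        return base64.b64encode(raw).decode("ascii")
    if binding == "Redirect":
        # SAML 2.0 HTTP-Redirect: raw DEFLATE (no zlib header), base64, then URL-encode
        # so the result is safe inside a query-string parameter.
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        deflated = comp.compress(raw) + comp.flush()
        return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")
    raise ValueError(f"unknown binding {binding!r}")


def decode_redirect_param(param):
    """Reverse encode_for_binding(..., 'Redirect'), as the receiving side would."""
    data = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(data, -15).decode("utf-8")


def saml_times_acceptable(now, issue_instant, not_before, not_on_or_after, max_clock_skew):
    """Apply Maximum Clock Skew (1-900 s, default 60) to a message's timestamps.

    now: firewall clock at validation time (timezone-aware datetime).
    issue_instant: IssueInstant of the Response/Assertion.
    not_before / not_on_or_after: Conditions (NotBefore inclusive, NotOnOrAfter
    exclusive), or None when absent.
    Returns (ok, reason). Signature validation is a separate, mandatory step that
    this function does not perform.
    """
    if not 1 <= max_clock_skew <= 900:
        raise ValueError("Maximum Clock Skew must be 1-900 seconds")
    skew = timedelta(seconds=max_clock_skew)
    if issue_instant - now > skew:
        return False, "IssueInstant is further in the future than the allowed skew"
    if not_before is not None and now < not_before - skew:
        return False, "NotBefore not yet reached even allowing for skew"
    if not_on_or_after is not None and now >= not_on_or_after + skew:
        return False, "NotOnOrAfter has passed even allowing for skew"
    return True, "ok"


# Constructed sample request (not a real message).
SAMPLE_AUTHN_REQUEST = '<samlp:AuthnRequest ID="_abc123" Version="2.0"/>'

if __name__ == "__main__":
    print(encode_for_binding(SAMPLE_AUTHN_REQUEST, "POST"))
    print(encode_for_binding(SAMPLE_AUTHN_REQUEST, "Redirect"))
    now = datetime(2021, 10, 6, 12, 0, 0, tzinfo=timezone.utc)
    print(saml_times_acceptable(now, now + timedelta(seconds=30), None, None, 60))
```

A large Maximum Clock Skew widens the window in which a captured assertion can be replayed, so the right fix for an IdP whose clock drifts is NTP on both sides, not a skew of several hundred seconds.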
Inheritance Source Select None if the DNS server addresses are not inherited. Otherwise,
specify the DNS server from which the profile should inherit settings.
Service Route IPv4 Select this option if you want to specify that packets going to the DNS
server are sourced from an IPv4 address.
Source Interface Specify the source interface that packets going to the DNS server will use.
Source Address Specify the IPv4 source address from which packets going to the DNS
server are sourced.
Service Route IPv6 Select this option if you want to specify that packets going to the DNS
server are sourced from an IPv6 address.
Source Interface Specify the source interface that packets going to the DNS server will use.
Source Address Specify the IPv6 source address from which packets going to the DNS
server are sourced.
The complete procedure to configure MFA requires additional tasks besides creating a
server profile.
Authentication sequences do not support authentication profiles that specify MFA server
profiles.
If the firewall integrates with your MFA vendor through RADIUS, configure a RADIUS server
profile (see Device > Server Profiles > RADIUS). The firewall supports all MFA vendors
through RADIUS.
Profile Name Enter a name to identify the server (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Location On a firewall that has more than one virtual system (vsys), select a vsys or the
Shared location. After you save the profile, you cannot change its Location.
Certificate Profile Select the Certificate Profile that specifies the certificate authority (CA)
certificate that the firewall will use to validate the MFA server certificate
when setting up a secure connection to the server. For details, see Device >
Certificate Management > Certificate Profile.
MFA Vendor / Value Select an MFA Vendor and enter a Value for each vendor attribute. The
attributes vary by vendor. Refer to your vendor documentation for the correct
values.
• Duo v2:
• API Host—The hostname of the Duo v2 server.
• Integration Key and Secret Key—The firewall uses these keys to
authenticate to the Duo v2 server and to sign authentication requests
You cannot configure Device > Password Profiles for administrative accounts that use local
database authentication.
To Add a local user to the database, configure the settings described in the following table.
Name Enter a name to identify the user (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Location Select the scope in which the user account is available. In the context of
a firewall that has more than one virtual system (vsys), select a vsys or
select Shared (all virtual systems). In any other context, you can’t select the
Location; its value is predefined as Shared (firewalls) or as Panorama. After
you save the user account, you can’t change its Location.
Name Enter a name to identify the group (up to 31 characters). The name is
case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Location Select the scope in which the user group is available. In the context of
a firewall that has more than one virtual system (vsys), select a vsys or
select Shared (all virtual systems). In any other context, you can’t select
the Location; its value is predefined as Shared (firewalls) or as Panorama.
After you save the user group, you can’t change its Location.
All Local Users Click Add to select the users you want to add to the group.
Name Enter a name to identify the profile (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
You cannot change the name after the profile is created.
Log Type Select the type of log (traffic, threat, gtp, sctp, tunnel, userid, auth, url, data,
hipmatch, or wildfire). Default is traffic.
Scheduled Export Start Time (Daily) Enter the time of day (hh:mm) to start the export using a
24-hour clock (00:00 - 23:59).
Protocol Select the protocol to use to export logs from the firewall to a remote host:
• FTP—This protocol is not secure.
• SCP—This protocol is secure. After completing the remaining fields, you
must click Test SCP server connection to test connectivity between the
firewall and the SCP server and you must verify and accept the host key of
the SCP server.
Hostname Enter the host name or IP address of the FTP server that will be used for the
export.
Port Enter the port number that the FTP server will use. Default is 21.
Path Specify the path located on the FTP server that will be used to store the
exported information.
Enable FTP Passive Mode Select this option to use passive mode for the export. By default, this
option is selected.
Username Enter the user name for access to the FTP server. Default is anonymous.
Password / Confirm Password Enter the password for access to the FTP server. A password is not
required if the user is anonymous.
Test SCP server connection (SCP protocol only) If you set the Protocol to SCP, you must click this
button to test connectivity between the firewall and the SCP server and then
verify and accept the host key of the SCP server.
If you use a Panorama template to configure the log export
schedule, you must perform this step after committing the
template configuration to the firewalls. After the template
commit, log in to each firewall, open the log export schedule,
and click Test SCP server connection.
Decrypt failed: GnuPG edit non-zero, with code 171072 Failed to load into
PAN software manager.
The following table provides help for using the Software page.
Version Lists the software versions that are currently available on the Palo Alto
Networks Update Server. To check if a new software release is available
from Palo Alto Networks, click Check Now. The firewall uses the service
route to connect to the Update Server, checks for new versions and, if
updates are available, displays them at the top of the list.
Release Date Indicates the date and time Palo Alto Networks made the release available.
Available Indicates that the corresponding version of the software image is uploaded
or downloaded to the firewall.
Currently Installed Indicates whether the corresponding version of the software image is
activated and is currently running on the firewall.
Action Indicates the current action you can take for the corresponding software
image as follows:
• Download—The corresponding software version is available on the Palo
Alto Networks Update Server; click to Download an available software
version.
• Install—The corresponding software version has been downloaded
or uploaded to the firewall; click to Install the software. A reboot is
required to complete the upgrade process.
• Reinstall—The corresponding software version was installed previously;
click to Reinstall the same version.
Release Notes Provides a link to the release notes for the corresponding software update.
This link is only available for updates that you download from the Palo Alto
Networks Update Server: it is not available for uploaded updates.
Check Now Checks whether a new software update is available from Palo Alto
Networks.
Upload Imports a software update image from a computer that the firewall can
access. Typically, you perform this action if the firewall doesn’t have
Internet access, which is required when downloading updates from the
Palo Alto Networks Update Server. For uploads, use an Internet-connected
computer to visit the Palo Alto Networks website, download the software
image from the Support site (Software Updates), download the update to
your computer, select Device > Software on the firewall and Upload the
software image. In a high availability (HA) configuration, you can select
Sync To Peer to push the imported software image to the HA peer. After
the upload, the Software page displays the same information (for example,
version and size) and Install/Reinstall options for uploaded and downloaded
software. Release Notes option is not active for uploaded software.
Version Lists the versions that are currently available on the Palo Alto Networks
Update Server. To check if a new software release is available from Palo
Alto Networks, click Check Now. The firewall uses the service route
to connect to the Update Server and checks for new content release
versions and, if there are updates available, displays them at the top of
the list.
Last checked Displays the date and time that the firewall last connected to the update
server and checked if an update was available.
File Name Lists the filename; it includes the content version information.
Features Lists what type of signatures the content version might include.
For Applications and Threats content release versions, this field might
display an option to review Apps, Threats. Click this option to view
new application signatures made available since the last content release
version installed on the firewall. You can also use the New Applications
dialog to Enable/Disable new applications. You might choose to disable
a new application included in a content release if you want to avoid any
policy impact from an application being uniquely identified (an application
might be treated differently before and after a content installation if a
previously unknown application is identified and categorized differently).
Release Date The date and time Palo Alto Networks made the content release
available.
Downloaded A check mark in this column indicates that the corresponding content
release version has been downloaded to the firewall.
Currently Installed A check mark in this column indicates that the corresponding content
release version is currently running on the firewall.
Action Indicates the current action you can take for the corresponding software
image as follows:
• Download—The corresponding content release version is available
on the Palo Alto Networks Update Server; click to Download the
content release version. If the firewall does not have access to the
Internet, use an Internet-connected computer to go to the Customer
Support Portal and select Dynamic Updates. Find the content release
version you want and click Download to save the update package to
your local computer. Then manually Upload the software image to the
firewall. Additionally, downloading an Application and Threat content
release version enables the option to Review Policies that are affected
by new application signatures included with the release.
Documentation Provides a link to the release notes for the corresponding version.
Upload If the firewall does not have access to the Palo Alto Networks Update
Server, you can manually download dynamic updates from the Palo
Alto Networks Support site in the Dynamic Updates section. After you
download an update to your computer, Upload the update to the firewall.
You then select Install From File and select the file you downloaded.
Install From File After you manually upload an update file to the firewall, use this option to
install the file. In the Package Type drop-down, select the type of update
you are installing (Application and Threats, Antivirus, or WildFire), click
OK, select the file you want to install and then click OK again to start the
installation.
To enable licenses for URL filtering, you must install the license, download the database,
and click Activate. If you are using PAN-DB for URL Filtering, you will need to Download
the initial seed database first and then Activate.
You can also run the CLI command request url-filtering download
paloaltonetworks region <regionname>.
• Deactivate VM: This option is available on the VM-Series firewall with the Bring Your Own License
model that supports perpetual and term-based licenses; the on-demand license model does not support
this functionality. Click Deactivate VM when you no longer need an instance of the VM-Series firewall.
It allows you to free up all active licenses—subscription licenses, VM-Capacity licenses, and support
entitlements—using this option. The licenses are credited back to your account and you can then
apply the licenses on a new instance of a VM-Series firewall, when you need it. When the license is
deactivated, the VM-Series firewall functionality is disabled and the firewall is in an unlicensed state.
However, the configuration remains intact.
• Click Continue Manually if the VM-Series firewall does not have direct internet access. The firewall
generates a token file. Click Export license token to save the token file to your local computer and
then reboot the firewall. Log in to the Palo Alto Networks Support portal, select Assets > Devices,
and Deactivate VM to use this token file and complete the deactivation process.
• Click Continue to deactivate the licenses on the VM-Series firewall. Click Reboot Now to complete
the license deactivation process.
• Click Cancel if you want to cancel and close the Deactivate VM window.
• Upgrade VM Capacity: This option allows you to upgrade the capacity of your currently licensed
VM-Series firewall. Upon upgrading the capacity, the VM-Series firewall retains all configuration and
subscriptions it had prior to the upgrade.
• If your firewall has connectivity to the license server—Select Authorization Code, enter your
authorization code in the Authorization Code field, and click Continue to initiate the capacity
upgrade.
• If your firewall does not have connectivity to the license server—Select License Key, click Complete
Manually to generate a token file, and save the token file to your local computer. Then log in to the
Palo Alto Networks Support portal, select Assets > Devices, and Deactivate License(s) to use the
token file. Download the license key for your VM-Series firewall to your local computer, add the
license key to the firewall, and click Continue to complete the capacity upgrade.
• If your firewall has connectivity to the license server but you do not have an Authorization Code—
Select Fetch from license server, upgrade the firewall’s capacity license on the license server before
If your browser is configured to automatically open files after download, you should turn
off that option so the browser downloads the support file instead of attempting to open
and extract it.
• Stats Dump File—Click Generate Stats Dump File to generate a set of XML reports that summarizes
network traffic over the last 7 days. After the report is generated, you can Download Stats Dump File.
The Palo Alto Networks or Authorized Partner systems engineer uses the report to generate a Security
Lifecycle Review (SLR). The SLR highlights what has been found on the network and the associated
business or security risks that may be present and is typically used as part of the evaluation process. For
more information on the SLR, contact your Palo Alto Networks or Authorized Partner systems engineer.
For firewalls managed by a Panorama™ management server, you can generate a stats dump file for
a single managed firewall at a time or generate a single stats dump file for all firewalls managed by
Panorama.
• Core Files—If your firewall experiences a system process failure it will generate a core file that contains
details about the process and why it failed. Click the Download Core Files link to view a list of available
core files and then click a core file name to download it. After you download the file, upload it to a Palo
Alto Networks support case to obtain assistance in resolving the issue.
The contents of the core files can be interpreted only by a Palo Alto Networks support
engineer.
The only way to restore the default master key is to perform a factory reset.
Palo Alto Networks recommends you configure a new master key instead of using the default key, store the
key in a safe location, and periodically change it. For extra privacy, you can use a hardware security module
to encrypt the master key (see Device > Setup > HSM). Configuring a unique master key on each firewall or
Panorama management server ensures that an attacker who learns the master key for one appliance cannot
access the passwords and private keys on any of your other appliances. However, you must use the same
master key across multiple appliances in the following cases:
• High availability (HA) configurations—If you deploy firewalls or Panorama in an HA configuration, use
the same master key on both firewalls or Panorama management servers in the pair. Otherwise, HA
synchronization does not work.
• Panorama managing WildFire appliances and Log Collectors—You must configure the same master key
on Panorama, WildFire appliances, and managed collectors. Otherwise, push operations from Panorama
will fail.
To configure a master key, edit the Master Key settings and use the following table to determine the
appropriate values:
Master Key Enable to configure a unique master key. Disable (clear) to use the default
master key.
Current Master Key Specify the key that is currently used to encrypt all of the private keys and
passwords on the firewall.
New Master Key / Confirm Master Key To change the master key, enter a 16-character string and
confirm the new key.
Life Time Specify the number of Days and Hours after which the master key expires.
Range is 1 to 438,000 days (50 years).
You must configure a new master key before the current key expires. If
the master key expires, the firewall or Panorama automatically reboots in
Maintenance mode. You must then perform a factory reset.
Time for Reminder Enter the number of Days and Hours before the master key expires when
the firewall generates an expiration alarm. The firewall automatically opens
the System Alarms dialog to display the alarm.
Stored on HSM Enable this option only if the master key is encrypted on a Hardware
Security Module (HSM). You cannot use HSM on a dynamic interface such
as a DHCP client or PPPoE.
The HSM configuration is not synchronized between peer firewalls in
HA mode. Therefore, each peer in an HA pair can connect to a different
HSM source. If you are using Panorama and need to keep both peer
configurations in sync, use Panorama templates to configure the HSM
source on the managed firewalls.
The PA-220 does not support HSM.
Auto Renew Master Key Enable to automatically renew the master key for a specified number of
days and hours. Disable (clear) to allow the master key to expire after the
configured key life time.
Auto Renew with Same Master Key by specifying the number of Days and
Hours by which to extend the master key encryption (range is 1 hour to
730 days).
Common Criteria In Common Criteria mode, additional options are available to run a
cryptographic algorithm self-test and software integrity self-test. A
scheduler is also included to specify the times at which the two self-tests
will run.
Field Description
Filter Filter for which managed devices to display based on Platform, Device Groups,
Templates, Tags, HA Status, or Software Version.
Details Details about the master key deployment job. If the job failed, details describing the
reasons for failing are displayed here.
Summary
Progress Displays a progress bar indicating the progress of the master key deployment job. The
following information is displayed:
• Results Succeeded—Number of devices the master key was successfully deployed
to.
Button/Field Description
Policy Import Details View detailed information about the policy rule
recommendation, such as device group Location,
rule name, the user who imported the policy,
whether the policy rule recommendation Is
Updated, when the policy rule recommendation
was imported, and when the policy rule
recommendation was last updated.
Device Profile The device profile for the source device in the
policy rule recommendation.
Destination Device Profile The destination device profile that the firewall
allows for the policy rule recommendation.
Services The services (for example, ssl) that the policy rule
recommendation allows.
URL Category The URL filtering categories that the policy rule
recommendation allows.
Tags The tags that identify the policy rule for the policy
rule recommendation.
New Update Available Identifies that there is a new update for this
policy rule recommendation that you must import
from the IoT Security app. When you import the
policy rule recommendation update, the firewall
dynamically updates the security policy rule. If
you have more than one device group, the value
remains Yes until you import the policy rule
recommendation update to all device groups.
Import Policy After using the IoT Security app to Activate your
policy rule recommendations, Import Policy to
import the policy rule recommendations to use in
your security policy rules.
Rebuild All Mappings If the mappings become out of sync (for example,
if you restore a previous configuration) you can
Rebuild All Mappings to restore the policy rule
recommendation mappings.
Field Description
Tags The tags that identify the policy rule for the policy
rule recommendation.
New Update Available Identifies that there is a new update for the policy
rule recommendation. Check the Applications
Device > User Identification > User Mapping
Configure the PAN-OS integrated User-ID agent that runs on the firewall to map IP addresses to
usernames.
Looking for more? Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
Cache Ensure that the firewall has the most current user mapping information as
users roam and obtain new IP addresses.
Because WMI probing trusts data that is reported back from an endpoint, Palo Alto Networks
recommends that you do not use this method to obtain User-ID mapping information in a
high-security network. If you configure the User-ID agent to obtain mapping information by
parsing Active Directory (AD) security event logs or syslog messages, or using the XML API,
Palo Alto Networks recommends you disable WMI probing.
If you do use WMI probing, do not enable it on external, untrusted interfaces. Doing so
causes the agent to send WMI probes containing sensitive information—such as the
username, domain name, and password hash of the User-ID agent service account—outside
of your network. An attacker could potentially exploit this information to penetrate and gain
further access to your network.
User Name Enter the domain credentials (User Name and Password) for the
account that the firewall will use to access Windows resources. The
account requires permissions to perform WMI queries on client
computers and to monitor Microsoft Exchange servers and domain
controllers. Use domain\username syntax for the User Name. If you
Configure Access to Monitored Servers using Kerberos for server
authentication, enter the Kerberos User Principal Name (UPN).
Domain’s DNS Name Enter the DNS name of the monitored server. If you Configure Access
to Monitored Servers using Kerberos for server authentication, enter
the Kerberos Realm domain. You must configure this setting if you are
using WinRM-HTTP as the transport protocol when you Configure
Access to Monitored Servers.
Password/Confirm Password Enter and confirm the password for the account that the firewall uses
to access Windows resources.
Kerberos Server Profile Select the Kerberos Server Profile for the Kerberos server that
controls access to the Realm to retrieve security logs and session
The complete procedure to configure the PAN-OS integrated User-ID agent to monitor
servers and probe clients requires additional tasks besides defining the Active Directory
authentication settings.
Server Monitoring
• Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Server
Monitor
To enable the User-ID agent to map IP addresses to usernames by searching for logon events in the security
event logs of servers, configure the settings described in the following table.
If the query load is high for Windows server logs, Windows server sessions, or eDirectory
servers, the observed delay between queries might significantly exceed the specified
frequency or interval.
The complete procedure to configure the PAN-OS integrated User-ID agent to monitor
servers requires additional tasks besides configuring the server monitoring settings.
Enable Security Log Select this option to enable security log monitoring on Windows
servers.
Server Log Monitor Frequency (sec) Specify the frequency in seconds at which the firewall will
query Windows server security logs for user mapping information (range is
1-3600; default is 2). This is the interval between when the firewall
finishes processing the last query and when the firewall sends the
next query.
Enable Session Select this option to enable monitoring of user sessions on the
monitored servers. Each time a user connects to a server, a session is
created; the firewall can use this information to identify the user IP
address.
Server Session Read Frequency (sec) Specify the frequency in seconds at which the firewall will
query Windows server user sessions for user mapping information (range is
1-3600; default is 10). This is the interval between when the firewall
finishes processing the last query and when it starts the next query.
Novell eDirectory Query Interval (sec) Specify the frequency in seconds at which the firewall will
query Novell eDirectory servers for user mapping information (range is
1-3600; default is 30). This is the interval between when the firewall
finishes processing the last query and when it starts the next query.
Syslog Service Profile Select an SSL/TLS service profile that specifies the certificate and
allowed SSL/TLS versions for communications between the firewall
and any syslog senders that the User-ID agent monitors. For details,
see Device > Certificate Management > SSL/TLS Service Profile and
Syslog Filters. If you select none, the firewall uses its predefined, self-
signed certificate.
Client Probing
• Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Client
Probing
You can configure the PAN-OS integrated User-ID agent to perform Windows Management
Instrumentation (WMI) client probing for each client system that the user mapping process identifies.
The User-ID agent periodically probes each learned IP address to verify that the same user is still logged in.
When the firewall encounters an IP address for which it has no user mapping, it sends the address to the
User-ID agent for an immediate probe. To configure client probing settings, complete the following fields.
The complete procedure to configure the PAN-OS integrated User-ID agent to probe clients requires
additional tasks besides configuring the WMI client probing settings.
Probe Interval (min) Enter the probe interval in minutes (range is 1-1440; default is 20).
This is the interval between when the firewall finishes processing the
last request and when it starts the next request.
In large deployments, it is important to set the interval properly
to allow time to probe each client that the user mapping process
identified. For example, if you have 6,000 users and an interval of 10
minutes, it would require 10 WMI requests per second from each
client.
Cache
• Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Cache
To ensure that the firewall has the most current user mapping information as users roam and obtain new
IP addresses, configure timeouts for clearing user mappings from the firewall cache. This timeout applies
to user mappings learned through any method except Authentication Portal. For mappings learned through
Authentication Portal, set the timeout in the Authentication Portal Settings (Device > User Identification >
Authentication Portal Settings, Timer and Idle Timer fields).
To match usernames collected from User-ID sources even if a domain is not included, configure the firewall
to allow matching usernames without domains. You should only use this option if the usernames in your
organization are not duplicated across domains.
Enable User Identification Timeout Select this option to enable a timeout value for user mapping
entries. When the timeout value is reached for an entry, the firewall clears
it and collects a new mapping. This ensures that the firewall has the
most current information as users roam and obtain new IP addresses.
User Identification Timeout (min) Set the timeout value in minutes for user mapping entries
(range is 1 to 3,600; default is 45).
Allow matching usernames without domains Select this option to allow the firewall to match users
if the domain is not provided by the User-ID source. To prevent users from
being misidentified, only select this option if your usernames are not
duplicated across domains.
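The timeout and domain-matching behaviour in the table above, as an added Python illustration (not PAN-OS code and not the project's own): an IP-to-username cache that expires entries after the User Identification Timeout and that resolves a domain-less username only when it matches exactly one known account. The class and method names, the constructed list of known users, and the decision to refuse an ambiguous match rather than guess are assumptions for the example.

```python
"""Added example (not PAN-OS code): an IP-to-username mapping cache with a
User Identification Timeout and optional matching of usernames that arrive
without a domain. Names and the known-user list are constructed."""


class UserMappingCache:
    def __init__(self, timeout_min=45, allow_without_domain=False, known_users=()):
        if not 1 <= timeout_min <= 3600:          # page range: 1 to 3,600 minutes
            raise ValueError("timeout must be 1-3600 minutes")
        self.timeout = timeout_min * 60           # seconds
        self.allow_without_domain = allow_without_domain
        # Constructed directory of "domain\\user" names already known to the firewall.
        self.known_users = set(known_users)
        self._entries = {}                        # ip -> (username, learned_at)

    def resolve_username(self, name):
        """Return the domain-qualified name, or None if it cannot be matched safely."""
        if "\\" in name:
            return name                           # already carries a domain
        if not self.allow_without_domain:
            return None                           # option disabled: domain required
        candidates = {u for u in self.known_users
                      if u.split("\\", 1)[1].lower() == name.lower()}
        # Assumption: refuse an ambiguous match instead of picking one; the page
        # warns that usernames duplicated across domains lead to misidentification.
        return candidates.pop() if len(candidates) == 1 else None

    def learn(self, ip, name, now):
        """Add a mapping (for example from a login event); `now` is a Unix timestamp."""
        full = self.resolve_username(name)
        if full is None:
            return False
        self._entries[ip] = (full, now)
        return True

    def forget(self, ip):
        """Drop a mapping (for example from a logout event)."""
        self._entries.pop(ip, None)

    def lookup(self, ip, now):
        """Return the username mapped to ip, clearing the entry once it has timed out."""
        entry = self._entries.get(ip)
        if entry is None:
            return None
        user, learned_at = entry
        if now - learned_at >= self.timeout:
            del self._entries[ip]                 # stale: the user may have roamed
            return None
        return user
```

With "alice" present in two domains the cache refuses the bare name and accepts only the qualified one, which is the failure mode the option's warning is about; a lookup one second past the 45-minute default returns nothing until a fresh mapping is learned.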
Redistribution
• Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup >
Redistribution
To enable a firewall or virtual system to serve as a User-ID agent that redistributes user mapping
information along with the timestamps associated with authentication challenges, configure the settings
described in the following table. When you later connect this firewall to an appliance (such as Panorama)
that will receive the mapping information and timestamps, the appliance uses these fields to identify the
firewall or virtual system as a User-ID agent.
Collector Name Enter a collector name (up to 255 alphanumeric characters) to identify
the firewall or virtual system as a User-ID agent.
Pre-Shared Key/Confirm Pre-Shared Key Enter a pre-shared key (up to 255 alphanumeric characters)
to identify the firewall or virtual system as a User-ID agent.
Syslog Filters
• Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog
Filters
The User-ID agent uses Syslog Parse profiles to filter syslog messages sent from the syslog senders that
the agent monitors for IP address-to-username mapping information (see Configure Access to Monitored
Servers). Each profile can parse syslog messages for either of the following event types, but not both:
• Authentication (login) events—Used to add user mappings to the firewall.
• Logout events—Used to delete user mappings that are no longer current. Deleting outdated mappings is
useful in environments where IP address assignments change often.
Palo Alto Networks provides the firewall with predefined Syslog Parse profiles through Applications content
updates. To dynamically update the list of profiles as vendors develop new filters, schedule these dynamic
content updates (see Device > Dynamic Updates). The predefined profiles are global to the firewall,
The complete procedure to configure the User-ID agent to parse a syslog sender for user
mapping information requires additional tasks besides creating a Syslog Parse profile.
Field Description
Syslog Parse Profile Enter a name for the profile (up to 63 alphanumeric characters).
Description Enter a description for the profile (up to 255 alphanumeric characters).
Type Specify the type of parsing for filtering the user mapping information:
• Regex Identifier—Use Event Regex, Username Regex, and Address
Regex to specify regular expressions (regex) that describe search
patterns for identifying and extracting user mapping information
from syslog messages. The firewall uses the regex to match
authentication or logout events in syslog messages and to match
the usernames and IP addresses within matching messages.
• Field Identifier—Use the Event String, Username Prefix, Username
Delimiter, Address Prefix, Address Delimiter, and Addresses Per
Log fields to specify strings for matching the authentication or
logout event and for identifying the user mapping information in
syslog messages.
The remaining fields in the dialog vary based on your selection.
Configure the fields as described in the following rows.
Event Regex Enter the regex for identifying successful authentication or logout
events. For the example message used with this table, the regex
(authentication\ success) {1} extracts the first {1} instance
of the string authentication success. The backslash before the
space is a standard regex escape character that instructs the regex
engine not to treat the space as a special character.
Username Regex Enter the regex for identifying the username field in authentication
success or logout messages. For the example message used with
this table, the regex User:([a-zA-Z0-9\\\._]+) would match
Address Regex Enter the regex to identify the IP address portion of authentication
success or logout messages. In the example message used with this
table, the regular expression
Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address
Source:192.168.0.212 and adds 192.168.0.212 as the IP address
in the username mapping.
Username Prefix Enter the matching string to identify the beginning of the username
field within authentication or logout syslog messages. The field does
not support regex expressions such as \s (for a space) or \t (for a
tab). In the example message used with this table, User: identifies
the start of the username field.
Username Delimiter Enter the delimiter that marks the end of the username field within
an authentication or logout message. Use \s to indicate a standalone
space (as in the example message) and \t to indicate a tab.
Address Prefix Enter a matching string to identify the start of the IP address field in
syslog messages. The field does not support regex expressions such
as \s (for a space) or \t (for a tab). In the example message used with
this table, Source: identifies the start of the address field.
Address Delimiter Enter the matching string that marks the end of the IP address field
within authentication success or logout messages. For example, enter
\n to indicate the delimiter is a line break.
Addresses Per Log Enter the maximum number of IP addresses that you want the firewall
to parse (default is 1; range is 1—3).
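The two Syslog Parse profile modes described in this table (Regex and Field Identifier), run over constructed syslog lines as an added Python example; this is not PAN-OS code. The sample messages are constructed, and the IPv4 sanity check and the treatment of end-of-message as a final delimiter are assumptions beyond what the page states.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not from the original document).
SAMPLE_LOGIN = "Jan 10 12:00:01 vpn1 auth[2001]: authentication success User:jdoe Source:192.168.0.212\n"
SAMPLE_MULTI = "Jan 10 12:00:02 vpn1 auth[2001]: authentication success User:j.doe Source:10.0.0.5\nSource:10.0.0.6\n"
SAMPLE_BAD_IP = "Jan 10 12:00:03 vpn1 auth[2001]: authentication success User:eve Source:999.1.2.3\n"
SAMPLE_FAILURE = "Jan 10 12:00:04 vpn1 auth[2001]: authentication failure User:eve Source:192.168.0.9\n"


@dataclass
class RegexProfile:
    """Syslog Parse profile in Regex mode (Event, Username and Address regexes)."""
    event_regex: str
    username_regex: str
    address_regex: str


@dataclass
class FieldProfile:
    """Syslog Parse profile in Field Identifier mode (prefix/delimiter strings)."""
    event_string: str
    username_prefix: str
    username_delimiter: str      # literal text, or \s / \t / \n as typed in the UI
    address_prefix: str
    address_delimiter: str
    addresses_per_log: int = 1   # UI range is 1 to 3


# The three regexes quoted in the table above.
PAGE_REGEX_PROFILE = RegexProfile(
    event_regex=r"(authentication\ success) {1}",
    username_regex=r"User:([a-zA-Z0-9\\\._]+)",
    address_regex=r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",
)
# The prefix/delimiter values quoted in the table above.
PAGE_FIELD_PROFILE = FieldProfile("authentication success", "User:", r"\s", "Source:", r"\n")

_DELIMS = {r"\s": " ", r"\t": "\t", r"\n": "\n"}


def _valid_ipv4(values):
    """Keep only well-formed IPv4 literals: [0-9]{1,3} alone also accepts 999.1.2.3.
    (Added sanity check; the page does not say how the firewall treats such values.)"""
    good = []
    for v in values:
        try:
            good.append(str(ipaddress.IPv4Address(v)))
        except ValueError:
            pass
    return good


def _fields_after(message, prefix, delimiter, limit):
    """Return up to `limit` values that follow `prefix` and end at `delimiter`."""
    delim = _DELIMS.get(delimiter, delimiter)
    values, pos = [], 0
    while len(values) < limit:
        start = message.find(prefix, pos)
        if start < 0:
            break
        start += len(prefix)
        end = message.find(delim, start)
        if end < 0:                      # assumption: end of message closes the last field
            end = len(message)
        values.append(message[start:end])
        pos = end
    return values


def parse_with_regex(message, profile):
    """Regex mode: event regex gates the message, capture groups pull user and address."""
    if re.search(profile.event_regex, message) is None:
        return None
    user = re.search(profile.username_regex, message)
    addrs = _valid_ipv4(re.findall(profile.address_regex, message))
    if user is None or not addrs:
        return None
    return {"user": user.group(1), "addresses": addrs}


def parse_with_fields(message, profile):
    """Field Identifier mode: literal event string, then prefix/delimiter extraction."""
    if profile.event_string not in message:
        return None
    users = _fields_after(message, profile.username_prefix, profile.username_delimiter, 1)
    addrs = _valid_ipv4(_fields_after(message, profile.address_prefix,
                                      profile.address_delimiter, profile.addresses_per_log))
    if not users or not addrs:
        return None
    return {"user": users[0], "addresses": addrs}


if __name__ == "__main__":
    for line in (SAMPLE_LOGIN, SAMPLE_MULTI, SAMPLE_BAD_IP, SAMPLE_FAILURE):
        print(parse_with_regex(line, PAGE_REGEX_PROFILE), parse_with_fields(line, PAGE_FIELD_PROFILE))
```

Both modes map jdoe to 192.168.0.212 from the first line, and both ignore the failure line; only the Field Identifier mode honours Addresses Per Log, so the second line yields one address there but two in Regex mode.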
Define the ignore user list on the firewall that is the User-ID agent, not the client. If you
define the ignore user list on the client firewall, the users in the list are still mapped during
redistribution.
Configure at least two User-ID monitored servers so if a server goes down, the firewall can
still learn IP-address-to-username mappings.
The complete procedure to configure the PAN-OS integrated User-ID agent to monitor
servers requires additional tasks besides creating server profiles.
Enabled Select this option to enable log monitoring for this server.
Type Select the server type. Your selection determines which other fields this dialog
displays.
• Microsoft Active Directory
• Microsoft Exchange
• Novell eDirectory
• Syslog Sender
Network Address Enter the server IP address or FQDN for the monitored server. If you use Kerberos
for server authentication, you must enter an FQDN. This option is not supported
when the Type is Novell eDirectory.
Server Profile (Novell eDirectory only) Select an LDAP server profile for connecting to the Novell eDirectory server (Device > Server Profiles > LDAP).
Connection Type (Syslog Sender only) Select whether the User-ID agent listens for syslog messages on the UDP port (514) or the SSL port (6514). If you select SSL, the Syslog Service Profile you select when you enable Server Monitoring determines which SSL/TLS versions are allowed and the certificate that the firewall uses to secure a connection to the syslog sender.
Filter (Syslog Sender only) If the server Type is Syslog Sender, then Add one or more Syslog Parse profiles to use for extracting usernames and IP addresses from the syslog messages received from this server. You can add a custom profile (see Syslog Filters) or a predefined profile. For each profile, set the Event Type:
• login—The User-ID agent parses syslog messages for login events to create user
mappings.
• logout—The User-ID agent parses syslog messages for logout events to delete
user mappings that are no longer current. In networks where IP address
assignment is dynamic, automatic deletion improves the accuracy of user
mappings by ensuring that the agent maps each IP address only to the currently
associated user.
Default Domain Name (Syslog Sender only) (Optional) If the server Type is Syslog Sender, enter a domain name to override the current domain name in the username of your syslog message or prepend the domain to the username if your syslog message doesn’t contain a domain.
Display server information For each monitored server, the User Mapping page displays the Status of the connection from the User-ID agent to the server. After you Add a server, the firewall tries to connect to it. If the connection attempt is successful, the Server Monitoring section displays Connected in the Status column. If the firewall cannot connect, the Status column displays an error condition, such as Connection refused or Connection timeout.
For details on the other fields that the Server Monitoring section displays, see
Configure Access to Monitored Servers.
Add To Configure Access to Monitored Servers, Add each server that the User-ID agent will
monitor for user mapping information.
Delete To remove a server from the user mapping process (discovery), select the server and
Delete it.
Tip: To remove a server from discovery without deleting its configuration, edit the
server entry and clear Enabled.
Discover You can automatically Discover Microsoft Active Directory domain controllers using
DNS. The firewall will discover domain controllers based on the domain name entered
in the Device > Setup > Management page, General Settings section, Domain field.
After discovering a domain controller, the firewall creates an entry for it in the Server
Monitoring list; you can then enable the server for monitoring.
The Discover feature works for domain controllers only, not Exchange
servers or eDirectory servers.
Use the include and exclude lists to define the subnets in which the firewall performs user
mapping.
You can perform the following tasks on the Include/Exclude Networks list:
Task Description
Add To limit discovery to a specific subnetwork, Add a subnetwork profile and complete
the following fields:
Delete To remove a subnetwork from the list, select and Delete it.
Tip: To remove a subnetwork from the Include/Exclude Networks list without deleting
its configuration, edit the subnetwork profile and clear Enabled.
Custom Include/Exclude Network By default, the User-ID agent evaluates the subnetworks in the order you add them, from top-first to bottom-last. To change the evaluation order, click Custom Include/Exclude Network Sequence. You can then Add, Delete, Move Up, or Move Down the subnetworks to create a custom evaluation order.
Task Description
User-ID Certificate Profile From the drop-down, select the certificate profile to use when authenticating Windows User-ID agents or select New Certificate Profile to create a new certificate profile. Select None to remove the certificate profile and use default authentication instead.
To require server certificate validation with the Windows server when you Configure Access to Monitored Servers using Kerberos for server authentication, make sure you configure NTP in the Global Services Settings and select the Root CA as the certificate profile.
Remove All (Template Configuration Only) Removes the certificate profile attached to the User-ID Connection Security configuration for the selected template.
You must install and configure the TS agents before configuring access to them. The
complete procedure to configure user mapping for terminal server users requires additional
tasks besides configuring connections to TS agents.
Task Description
Display information / Refresh Connected In the Terminal Server Agents page, the Connected column displays the status of the connections from the firewall to the TS agents. A green icon indicates a successful connection, a yellow icon indicates a disabled connection, and a red icon indicates a failed connection. If you think the connection status might have changed since you first opened the page, click Refresh Connected to update the status display.
Add To configure access to a TS agent, Add an agent and configure the following fields:
• Name—Enter a name to identify the TS agent (up to 31 characters). The name is
case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
• Host—Enter the static IP address or hostname of the terminal server where the TS
agent is installed.
• Port—Enter the port number (default is 5009) that the TS agent service uses to
communicate with the firewall.
• Alternative Hosts—If the terminal server where the TS agent is installed has multiple
IP addresses that can appear as the source IP address for the outgoing traffic, Add
and enter up to eight additional static IP addresses or hostnames.
• Enabled—Select this option to enable the firewall to communicate with this TS
agent.
Delete To remove the configuration that enables access to a TS agent, select the agent and
click Delete.
PDF/CSV Administrative roles with a minimum of read-only access can export the device
configuration table as PDF/CSV. You can apply filters to create more specific table
The complete procedure for mapping usernames to groups requires additional tasks besides
creating group mapping configurations.
Add and configure the following fields as needed to create a group mapping configuration. To remove a
group mapping configuration, select and Delete it. If you want to disable a group mapping configuration
without deleting it, edit the configuration and clear the Enabled option.
If you create multiple group mapping configurations that use the same base distinguished
name (DN) or LDAP server, the group mapping configurations cannot contain overlapping
groups (for example, the Include list for one group mapping configuration cannot contain a
group that is also in a different group mapping configuration).
Name (Device > User Identification > Group Mapping Settings) Enter a name to identify the group mapping configuration (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Server Profile (Device > User Identification > Group Mapping Settings > Server Profile) Select the LDAP server profile to use for group mapping on this firewall.
Update Interval Specify the interval in seconds after which the firewall will initiate a connection with the LDAP directory server to obtain any updates that were made to the groups that firewall policies use (range is 60 to 86,400).
User Attributes (Device > User Identification > Group Mapping Settings > User and Group Attributes) Specify the directory attributes to identify users:
• Primary Username—Specify the attribute the User-ID source provides for the username (for example, userPrincipalName or sAMAccountName)
Available Groups / Included Groups (Device > User Identification > Group Mapping Settings > Group Include List) Use these fields to limit the number of groups that the firewall displays when you create a security rule. Browse the LDAP tree to find the groups you want to use in rules. To include a group, select and add it in the Available Groups list. To remove a group from the list, select and delete it from the Included Groups list.
Name / LDAP Filter (Device > User Identification > Group Mapping Settings > Custom Group) Create custom groups based on LDAP filters so that you can base firewall policies on user attributes that don’t match existing user groups in the LDAP directory.
The User-ID service maps all the LDAP directory users who match the filter to the custom group. If you create a custom group with the same Distinguished Name (DN) as an existing Active Directory group domain name, the firewall uses the custom group in all references to that name (for example, in policies and logs). To create a custom group, Add and configure the following fields:
• Name—Enter a custom group name that is unique in the group mapping configuration for the current firewall or virtual system.
• LDAP Filter—Enter a filter of up to 2,048 characters.
Before you can configure a Cloud Identity Engine profile on the firewall, you must install a
device certificate and activate a Cloud Identity Engine instance on the hub.
To search the profiles, enter a keyword as the filter and Apply Filter.
User Attributes Select a Directory Attribute for each user attribute Name.
You must select a Primary Username; all other fields are
optional.
Group Attributes Select a Directory Attribute for each group attribute Name.
You must select a Group Name; the remaining field is
optional.
Device Attributes (GlobalProtect only) If you are using GlobalProtect and you
have enabled Serial Number Check, select the Endpoint
Serial Number to allow the Cloud Identity Engine to collect
serial numbers from managed endpoints. This information
is used by the GlobalProtect portal to check if the serial
number exists in the directory for verification that the
endpoint is managed by GlobalProtect.
If Authentication Portal uses an SSL/TLS Service profile (Device > Certificate Management
> SSL/TLS Service Profile), authentication profile (Device > Authentication Profile), or
Certificate Profile (Device > Certificate Management > Certificate Profile), then configure
the profile before you begin. The complete procedure to configure Authentication Portal
requires additional tasks in addition to configuring these profiles.
You must Enable Authentication Portal to enforce Authentication policy (see Policies >
Authentication).
Field Description
Idle Timer (min) Enter the user time-to-live (TTL) value in minutes for an Authentication Portal session
(range is 1 to 1,440; default is 15). This timer resets every time there is activity from
an Authentication Portal user. If idle time for a user exceeds the Idle Timer value,
PAN-OS removes the Authentication Portal user mapping and the user must log in
again.
Timer (min) This is the maximum TTL in minutes, which is the maximum time that any
Authentication Portal session can remain mapped (range is 1 to 1,440; default is
60). After this duration elapses, PAN-OS removes the mapping and users must re-
authenticate even if the session is active. This timer prevents stale mappings and
overrides the Idle Timer value.
You should always set the expiration Timer higher than the Idle
Timer.
SSL/TLS Service Profile To specify a firewall server certificate and the allowed protocols for securing redirect requests, select an SSL/TLS service profile (Device > Certificate Management > SSL/TLS Service Profile). If you select None, the firewall uses its local default certificate for SSL/TLS connections.
In the SSL/TLS Service Profile, set the Min Version to TLSv1.2 and
set the Max Version to Max to provide the strongest security against
SSL/TLS protocol vulnerabilities. Setting the Max Version to Max
ensures that as stronger protocols become available, the firewall
always uses the latest version.
Authentication Profile You can select an authentication profile (Device > Authentication Profile) to authenticate users when their traffic matches an Authentication policy rule (Policies > Authentication). However, the authentication profile you select in the Authentication Portal Settings applies only to rules that reference one of the default authentication enforcement objects (Objects > Authentication). This is typically the case right after an upgrade to PAN-OS 8.0 because all Authentication rules initially reference the default objects. For rules that reference custom authentication enforcement objects, select the authentication profile when you create the object.
GlobalProtect Network Port for Inbound Authentication Prompts (UDP) Specify the port that GlobalProtect™ uses to receive inbound authentication prompts from multi-factor (MFA) gateways (range is 1 to 65,536; default is 4,501). To support multi-factor authentication, a GlobalProtect endpoint must receive and acknowledge UDP prompts that are inbound from the MFA gateway. When a GlobalProtect endpoint receives a UDP message on the specified network port and the UDP message comes from a trusted firewall or gateway, GlobalProtect displays the authentication message (see Customize the GlobalProtect App).
Mode Select how the firewall captures web requests for authentication:
• Transparent—The firewall intercepts web requests according to the
Authentication rule and impersonates the original destination URL, issuing an
HTTP 401 message to prompt the user to authenticate. However, because the
firewall does not have the real certificate for the destination URL, the browser
displays a certificate error to users attempting to access a secure site. Therefore,
only use this mode when absolutely necessary, such as in Layer 2 or virtual wire
deployments.
• Redirect—The firewall intercepts web requests according to the Authentication
rule and redirects them to the specified Redirect Host. The firewall uses an HTTP
302 redirect to prompt the user to authenticate. The best practice is to use
Redirect because it provides a better end-user experience (displays no certificate
errors and allows session cookies that make browsing seamless because Redirect
doesn’t remap when timeouts expire). However, it requires that you enable
response pages on the Interface Management profile assigned to the ingress
Layer 3 interface (for details, see Network > Network Profiles > Interface Mgmt
and PA-7000 Series Layer 3 Interface).
Another benefit of the Redirect mode is that it allows for session cookies, which
enable the user to continue browsing to authenticated sites without requiring re-
mapping each time the timeouts expire. This is especially useful for users who
roam from one IP address to another (for example, from the corporate LAN to the
wireless network) because they don’t need to re-authenticate when their IP address
changes as long as the session stays open.
Set the timeout value short enough so that it doesn’t lead to stale
user mapping entries in cookies but long enough to promote a
good user experience by not prompting users to log in multiple
times during a session. Start with a value less than or equal to
480 minutes (8 hours) and adjust the value as necessary.
• Roaming—Select this option to retain the cookie if the IP address changes
while the session is active (such as when the endpoint moves from a wired to a
wireless network). The user must re-authenticate only if the cookie times out or
the user closes the browser.
Redirect Host (Redirect mode only) Specify the intranet hostname that resolves to the IP address of the Layer 3 interface to which the firewall redirects web requests.
If users authenticate through Kerberos single sign-on (SSO), the
Redirect Host must be the same as the hostname specified in the
Kerberos keytab.
Certificate Profile You can select a Certificate Profile (Device > Certificate Management > Certificate Profile) to authenticate users when their traffic matches any Authentication policy rule (Policies > Authentication).
For this authentication type, Authentication Portal prompts the endpoint browser of
the user to present a client certificate. Therefore, you must deploy client certificates
to each user system. Furthermore, on the firewall, you must install the certificate
authority (CA) certificate that issued the client certificates and assign the CA
certificate to the Certificate Profile. This is the only authentication method that
enables Transparent authentication for macOS and Linux endpoints.
Network > GlobalProtect > Portals
Select Network > GlobalProtect > Portals to set up and manage a GlobalProtect™ portal. The portal
provides the management functions for the GlobalProtect infrastructure. Every endpoint that participates
in the GlobalProtect network receives its configuration from the portal, including information about the
available gateways and any client certificates that are necessary for the app to connect to a gateway. In
addition, the portal controls the behavior and distribution of the GlobalProtect app software to macOS and
Windows endpoints. For Linux endpoints, you must obtain the software from the Support Site; for mobile
devices, the GlobalProtect app is distributed through the Apple App Store (for iOS devices), through Google
Play (for Android devices), and through the Microsoft Store (for Windows Phone and other Windows UWP
devices), and, for Chromebooks, the GlobalProtect app is distributed by the Chromebook Management
Console or through Google Play.
To add a portal configuration, click Add to open the GlobalProtect Portal dialog.
How can I define the data that the GlobalProtect app collects from endpoints? See GlobalProtect Portals Portal Data Collection Tab.
What client authentication options can I configure? See GlobalProtect Portals Agent Authentication Tab.
How can I assign a configuration to a specific group of devices based on operating system, user, and/or user group? See GlobalProtect Portals Agent Config Selection Criteria Tab.
How can I configure the settings and priority of the internal gateways? See GlobalProtect Portals Agent Internal Tab.
How can I configure the settings and priority of the external gateways? See GlobalProtect Portals Agent External Tab.
What settings can I customize on the look and behavior of the GlobalProtect app? See GlobalProtect Portals Agent App Tab.
How can I configure data collection options? See GlobalProtect Portals Agent Data Collection Tab.
How can I configure the GlobalProtect portal to allow access to web applications without installing the GlobalProtect app? See GlobalProtect Portals Clientless VPN Tab.
Name Type a name for the portal (up to 31 characters). The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Location For a firewall that is in multiple virtual system mode, the Location is the
virtual system (vsys) where the GlobalProtect portal is available. For a
firewall that is not in multi-vsys mode, Location selection is not available.
After you save the portal, you cannot change Location.
Network Settings
Interface Select the name of the firewall interface that will be the ingress for
communications from remote endpoints and firewalls.
IP Address Specify the IP address on which to run the GlobalProtect portal web
service. Select the IP Address Type and then enter the IP Address.
• The IP address type can be IPv4 (for IPv4 traffic only), IPv6 (for IPv6
traffic only), or IPv4 and IPv6. Use IPv4 and IPv6 if your network
Log Settings
Log Successful SSL Handshake (Optional) Creates detailed logs of successful SSL Decryption handshakes. Disabled by default.
Log Unsuccessful SSL Handshake Creates detailed logs of unsuccessful SSL Decryption handshakes so you can find the cause of decryption issues. Enabled by default.
Log Forwarding Specify the method and location to forward GlobalProtect SSL handshake
(decryption) logs.
Appearance
Portal Login Page (Optional) Choose a custom login page for user access to the portal. You
can select the factory-default page or Import a custom page. The default
is None. To prevent access to this page from a web browser, Disable this
page.
Portal Landing Page (Optional) Choose a custom landing page for the portal. You can select the
factory-default page or Import a custom page. The default is None.
App Help Page (Optional) Choose a custom help page to assist the user with GlobalProtect.
You can select the factory-default page or Import a custom page. The
factory-default help page is provided with the GlobalProtect app software.
If you select a custom help page, the GlobalProtect portal provides the
help page with the GlobalProtect portal configuration. When you leave
the default value of None, the GlobalProtect app suppresses the page and
removes the option from the menu.
Server Authentication
SSL/TLS Service Profile Select an existing SSL/TLS Service profile. The profile specifies a certificate and the allowed protocols for securing traffic on the management interface.
The Common Name (CN) and, if applicable, the Subject Alternative Name
(SAN) fields of the certificate associated with the profile must match the IP
address or FQDN of the Interface selected in the General tab.
Client Authentication
Name Enter a name to identify the client authentication configuration. (The client
authentication configuration is independent of the SSL/TLS service profile.)
You can create multiple client authentication configurations and differentiate
them by operating system. For example, you can add one unique
authentication profile for Windows endpoints and another authentication
profile for macOS endpoints.
You can also create configurations that GlobalProtect deploys to apps in Pre-
logon mode (before the user has logged in to the system) or that it applies
to any user. (Pre-logon establishes a VPN tunnel to a GlobalProtect gateway
before the user logs in to GlobalProtect.)
Username Label Specify a custom username label for GlobalProtect portal login. For example,
Username (only) or Email Address (username@domain).
Password Label Specify a custom password label for GlobalProtect portal login. For example,
Password (Turkish) or Passcode (for two-factor, token-based authentication).
Authentication To help end users know the type of credentials they need for logging in, enter
Message a message or keep the default message. The maximum length of the message is
256 characters.
Allow Authentication with User Credentials OR Client Certificate If you select No, users must authenticate to the gateway using both user credentials and client certificates. If you select Yes, users can authenticate to the gateway using either user credentials or client certificates.
Certificate Profile
Certificate Profile (Optional) Select the Certificate Profile the portal uses to match those client
certificates that come from user endpoints. With a Certificate Profile, the
portal authenticates the user only if the certificate from the client matches this
profile.
If you set the Allow Authentication with User Credentials OR Client
Certificate option to No, you must select a Certificate Profile. If you set the
Allow Authentication with User Credentials OR Client Certificate option to
Yes, the Certificate Profile is optional.
The certificate profile is independent of the OS. Also, this profile is active even
if you enable Authentication Override, which overrides the Authentication
Profile to allow authentication using encrypted cookies.
Custom Checks Define custom host information that you want the
app to collect:
• Windows—Add a check for a particular registry
key or key value.
• Mac—Add a check for a particular plist key or
key value.
Specify the trusted root CA certificate that the GlobalProtect app uses to verify the identity of
the GlobalProtect portal and gateways. If the portal or gateway presents a certificate that has
not been signed or issued by the same certificate authority that issued the trusted root CA,
the GlobalProtect app cannot establish a connection with the portal or gateway.
If you have different types of users that require different configurations, you can create separate agent
configurations to support them. The portal subsequently uses the user or group name and OS of the client
to determine the agent configuration to deploy. As with security rule evaluations, the portal looks for
a match, starting from the top of the list. When the portal finds a match, it delivers the corresponding
configuration to the app. Therefore, if you have multiple agent configurations, it is important to order them
so that more specific configurations (configurations for specific users or operating systems) are above the
more generic configurations. Use Move Up and Move Down to reorder the configurations. As needed,
Add a new agent configuration. For detailed information on configuring the portal and creating agent
configurations, refer to GlobalProtect Portals in the GlobalProtect Administrator’s Guide. When you Add a
new agent configuration or modify an existing one, the Configs window opens and displays five tabs, which
are described in the following tables:
• GlobalProtect Portals Agent Authentication Tab
Authentication Tab
Client Certificate (Optional) Select the source that distributes the client
certificate to an endpoint, which then presents the certificate
to the gateways. A client certificate is required if you are
configuring mutual SSL authentication.
Save User Credentials Select Yes to save the username and password on the app or
select No to force the users to provide the password—either
transparently via the endpoint or by manually entering one—
each time they connect. Select Save Username Only to save
only the username each time a user connects. Select Only with
User Fingerprint to allow biometric sign-in. When biometric
sign-on is enabled on an endpoint, GlobalProtect uses the
Authentication Override
Generate cookie for authentication override Select this option to configure the portal to generate encrypted, endpoint-specific cookies. The portal sends this cookie to the endpoint after the user first authenticates with the portal.
Accept cookie for authentication override Select this option to configure the portal to authenticate endpoints through a valid, encrypted cookie. When the endpoint presents a valid cookie, the portal verifies that the cookie was encrypted by the portal, decrypts the cookie, and then authenticates the user.
Cookie Lifetime Specify the hours, days, or weeks that the cookie is valid. The
typical lifetime is 24 hours. The ranges are 1–72 hours, 1–52
weeks, or 1–365 days. After the cookie expires, the user must
enter login credentials and the portal subsequently encrypts a
new cookie to send to the user endpoint.
Certificate to Encrypt/Decrypt Cookie Select the certificate to use for encrypting and decrypting the
cookie.
Internal gateways - all Select this option to use dynamic passwords to connect to
internal gateways.
External gateways - manual only Select this option to use dynamic passwords to connect to
external gateways that are configured as Manual gateways.
External gateways-auto discovery Select this option to use dynamic passwords to connect to any
remaining external gateways that the app can automatically
discover (gateways which are not configured as Manual).
User/User Group Add the specific users or user groups to which this
configuration applies.
Device Checks
Machine account exists with device serial number Configure matching criteria based on whether
the endpoint serial number exists in the Active
Directory.
Custom Checks
Internal Host Detection Select this option to allow the GlobalProtect app to determine if it is inside
the enterprise network. This option applies only to endpoints that are
Hostname Enter the Hostname that resolves to the IP address within the internal
network.
Internal Gateways
Specify the internal gateways to which an app can request access and also provide HIP reports (if HIP is enabled in the GlobalProtect Portals Agent Data Collection Tab). Add internal gateways that include the following information for each:
• Name—A label of up to 31 characters to identify the gateway. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
• Address—The IP address or FQDN of the firewall interface for the gateway. This value must match the Common Name (CN) and SAN (if specified) in the gateway server certificate. For example, if you used an FQDN to generate the certificate, you must enter the FQDN here.
• Source Address—A source address or address pool for endpoints. When
users connect, GlobalProtect recognizes the source address of the
device. Only the GlobalProtect apps with IP addresses that are included
in the source address pool can authenticate with this gateway and send
HIP reports.
• DHCP Option 43 Code (Windows and Mac only)—DHCP sub-option
codes for gateway selection. Specify one or more sub-option codes (in
decimal). The GlobalProtect app reads the gateway address from values
defined by the sub-option codes.
Cutoff Time (sec) Specify the number of seconds that an app waits for all of the available
gateways to respond before it selects the best gateway. For subsequent
connection requests, the app tries to connect to only those gateways that
responded before the cutoff. A value of 0 means the app uses the TCP
Connection Timeout in AppConfigurations in the App tab (range is 0 to 10;
default is 5).
External Gateways
Specify the list of firewalls to which apps can try to connect when establishing a tunnel while not on the corporate network. Add external gateways that include the following information for each:
• Name—A label of up to 31 characters to identify the gateway. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
• Address—The IP address or FQDN of the firewall interface where the gateway is configured. The value must match the CN (and SAN if specified) in the gateway server certificate. For example, if you used a FQDN to generate the certificate, you must also enter the FQDN here.
• Source Region—Source region for endpoints. When users connect,
GlobalProtect recognizes the endpoint region and only allows users to
connect to gateways that are configured for that region. For gateway
choices, source region is considered first, then gateway priority.
• Priority—Select a value (Highest, High, Medium, Low, Lowest, or
Manual only) to help the app determine which gateway to use. Manual
only prevents the GlobalProtect app from attempting to connect to this
gateway when Auto Discovery is enabled on the endpoint. The app will
first contact all specified gateways with a Highest, High, or Medium
priority and establish a tunnel with the gateway that provides the fastest
response. If the higher priority gateways are unreachable, the app next
contacts any additional gateways with lower priority values (excludes
Manual only gateways).
• Manual—Select this option to let users manually select (or switch to) a gateway. The GlobalProtect app can connect to any external gateway that is configured as Manual. When the app connects to another gateway, the existing tunnel is disconnected and a new tunnel is established. The manual gateways can also have a different authentication mechanism than the primary gateway. If an endpoint is restarted or if a rediscovery is performed, the GlobalProtect app connects to the primary gateway. This feature is useful if a group of users needs to connect temporarily to a specific gateway to access a secure segment of your network.
Third Party VPN To direct the GlobalProtect app to ignore selected, third-party VPN clients
so that GlobalProtect does not conflict with them, Add the name of the
VPN client: Select the name from the list, or enter the name in the field
provided. GlobalProtect ignores the route settings for the specified VPN
clients if you configure this feature.
App Configurations
GlobalProtect App Config Refresh Interval (hours)
Specify the number of hours the GlobalProtect portal waits before it initiates the next refresh of an app's configuration (range is 1 to 168; default is 24).
Allow User to Disable GlobalProtect App
Specifies whether users are allowed to disable the GlobalProtect app and, if so, what—if anything—they must do before they can disable the app:
• Allow—Allow any user to disable the GlobalProtect app as
needed.
• Disallow—Do not allow end users to disable the
GlobalProtect app.
• Allow with Comment—Allow users to disable the
GlobalProtect app on their endpoint but require that they
submit their reason for disabling the app.
• Allow with Passcode—Allow users to enter a passcode
to disable the GlobalProtect app. This option requires
the user to enter and confirm a Passcode value that,
like a password, does not display when typed. Typically,
administrators provide a passcode to users before
unplanned or unanticipated events prevent users from
connecting to the network by using the GlobalProtect VPN.
You can provide the passcode through email or as a posting
on your organization’s website.
• Allow with Ticket—This option enables a challenge-
response mechanism where, after a user attempts to
disable GlobalProtect, the endpoint displays an 8-character
hexadecimal ticket request number. The user must contact
the firewall administrator or support team (preferably
by phone for security purposes) to provide this number.
From the firewall (Network > GlobalProtect > Portals), the
administrator or support person can then click Generate
Ticket and enter the ticket Request number to obtain the
Ticket number (also an 8-character hexadecimal number).
The administrator or support person provides this ticket
number to the user, who then enters it into the challenge
field to disable the app.
Allow User to Uninstall GlobalProtect App
Specifies whether users are allowed to uninstall the GlobalProtect app and, if so, what—if anything—they must do before they can uninstall the app:
• Allow—Allow any user to uninstall the GlobalProtect app as
needed.
• Disallow—Do not allow end users to uninstall the
GlobalProtect app.
• Allow with Password—Enforce a password to uninstall the
GlobalProtect app. This option requires the user to enter
and confirm a password before they can proceed with
uninstallation. You can provide the password through email
or as a posting on your organization’s website.
This option requires Content Release version 8196-5685 and
later.
Allow User to Upgrade GlobalProtect App
Specifies whether end-users can upgrade the GlobalProtect app software and, if they can, whether they can choose when to upgrade:
• Disallow—Prevent users from upgrading the app software.
• Allow Manually—Allow users to manually check for
and initiate upgrades by selecting Check Version in the
GlobalProtect app.
• Allow with Prompt (default)—Prompt users when a new
version is activated on the firewall and allow users to
upgrade their software when it is convenient.
• Allow Transparently—Automatically upgrade the app
software whenever a new version becomes available on the
portal.
• Internal—Automatically upgrade the app software
whenever a new version becomes available on the portal,
but wait until the endpoint is connected internally to
the corporate network. This prevents delays caused by
upgrades over low-bandwidth connections.
Allow User to Sign Out from GlobalProtect App (Windows, macOS, iOS, Android, and Chrome Only)
Specifies whether users are permitted to manually sign out of the GlobalProtect app:
• Yes (default)—Allow any user to sign out from the GlobalProtect app as needed.
• No—Do not allow end users to sign out from the GlobalProtect app.
This option requires Content Release version 8196-5685 and later.
Use Single Sign-on (Windows) Select No to disable single sign-on (SSO). With SSO enabled
(default), the GlobalProtect app automatically uses the
Windows login credentials to authenticate and then connect
to the GlobalProtect portal and gateway. GlobalProtect can
also wrap third-party credentials to ensure that Windows
Use Single Sign-on (macOS) Select No to disable single sign-on (SSO). With SSO enabled
(default), the GlobalProtect app automatically uses the macOS
login credentials to authenticate and then connect to the
GlobalProtect portal and gateway.
This option requires Content Release version 8196-5685 and
later.
Clear Single Sign-On Credentials on Logout (Windows Only)
Select No to keep single sign-on credentials when the user logs out. Select Yes (default) to clear them and force the user to enter credentials upon the next login.
Automatic Restoration of VPN Connection Timeout
Enter a timeout value, in minutes, from 0 to 180 (default is 30) to specify the action the GlobalProtect app takes when the tunnel is disconnected due to network instability or endpoint state changes:
• 0—Disable this feature so that GlobalProtect does not
attempt to reestablish the tunnel after the tunnel is
disconnected.
• 1-180—Enable this feature so that GlobalProtect attempts
to reestablish the tunnel connection if the tunnel is down
for a period of time which does not exceed the timeout
value you specify here. For example, with a timeout
value of 30 minutes, GlobalProtect does not attempt to
reestablish the tunnel if the tunnel is disconnected for 45
minutes. However, if the tunnel is disconnected for 15
minutes, GlobalProtect attempts to reconnect because the
number of minutes has not exceeded the timeout value.
Wait Time Between VPN Connection Restore Attempts
Enter the amount of time, in seconds, the GlobalProtect app waits between attempts to reestablish the connection with
the last-connected gateway when you enable Automatic
Restoration of VPN Connection Timeout. Specify a longer
or shorter wait time depending on your network conditions.
Range is 1 to 60 seconds; the default is 5.
Enforce GlobalProtect Connection for Network Access
Select Yes to force all network traffic to traverse a GlobalProtect tunnel. Select No (default) if GlobalProtect is
not required for network access and users can still access the
internet even when GlobalProtect is disabled or disconnected.
To provide instructions to users before traffic is blocked,
configure a Traffic Blocking Notification Message and
optionally specify when to display the message (Traffic
Blocking Notification Delay).
To permit traffic required to establish a connection with a
captive portal, specify a Captive Portal Exception Timeout.
The user must authenticate with the portal before the timeout
expires. To provide additional instructions, configure a Captive
Portal Detection Message and optionally specify when to
display the message (Captive Portal Notification Delay).
Allow traffic to specified hosts/networks when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established
If desired, you can configure up to ten IP addresses or network segments for which you want to allow access when you enforce GlobalProtect for network access but the connection is not established. Separate multiple values with commas. Exclusions can improve the user experience by allowing users to access local resources when GlobalProtect is disconnected. For example, when GlobalProtect is not connected, GlobalProtect can exclude link-local addresses to allow access to a local network segment or broadcast domain.
Captive Portal Exception Timeout (sec) To enforce GlobalProtect for network access but provide
a grace period to allow users enough time to connect to a
captive portal, specify the timeout in seconds (range is 0 to
3600). For example, a value of 60 means the user must log in
to the captive portal within one minute after GlobalProtect
detects the captive portal. A value of 0 means GlobalProtect
does not allow users to connect to a captive portal and
immediately blocks access.
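The following Python model is an added example, not GlobalProtect code, that encodes the rules described in the three rows above (Enforce GlobalProtect Connection for Network Access, the ten-entry exclusion list, and the Captive Portal Exception Timeout) so that you can check what a given configuration lets through while the tunnel is down. It assumes that all traffic is permitted during the captive-portal grace window, and uses a constructed exclusion list and constructed flows; times are plain seconds.

```python
"""Decision model for "Enforce GlobalProtect Connection for Network Access".

Added illustration, not GlobalProtect's own code. With enforcement on and no
tunnel, traffic is blocked except to the excluded hosts/networks (at most ten),
and everything is allowed during the captive-portal grace window (assumption:
the grace window applies to all traffic, not only the portal itself).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_EXCLUSIONS = 10   # limit stated for "Allow traffic to specified hosts/networks"


def parse_exclusions(field: str) -> list:
    """Parse the comma-separated exclusion field; a bare host becomes a /32 or /128."""
    entries = [e.strip() for e in field.split(",") if e.strip()]
    if len(entries) > MAX_EXCLUSIONS:
        raise ValueError(f"at most {MAX_EXCLUSIONS} entries allowed, got {len(entries)}")
    return [ipaddress.ip_network(e, strict=False) for e in entries]


@dataclass
class Enforcement:
    enabled: bool                      # Enforce GlobalProtect Connection for Network Access
    tunnel_up: bool
    exclusions: list                   # output of parse_exclusions()
    captive_portal_timeout: int = 0    # Captive Portal Exception Timeout (sec); 0 = block at once
    captive_portal_detected_at: Optional[float] = None   # seconds; None = no portal seen


def decide(state: Enforcement, dst_ip: str, now: float) -> str:
    """Return "allow" or "block" for a flow to dst_ip at time `now`."""
    if not state.enabled or state.tunnel_up:
        return "allow"                 # enforcement off, or tunnel established
    dst = ipaddress.ip_address(dst_ip)
    # Mixed IPv4/IPv6 comparisons are simply False in ipaddress, so v4 and v6
    # exclusions can live in one list.
    if any(dst in net for net in state.exclusions):
        return "allow"                 # excluded host/network (e.g. link-local)
    if state.captive_portal_detected_at is not None:
        elapsed = now - state.captive_portal_detected_at
        if 0 <= elapsed < state.captive_portal_timeout:
            return "allow"             # grace window for the captive-portal login
    return "block"


def walk_through() -> list:
    """Constructed scenario; returns (label, decision) pairs in order."""
    state = Enforcement(
        enabled=True, tunnel_up=False,
        exclusions=parse_exclusions("169.254.0.0/16, fe80::/10, 10.1.2.3"),
        captive_portal_timeout=60,
    )
    steps = [
        ("link-local host, tunnel down", decide(state, "169.254.7.7", 0.0)),
        ("internet host, tunnel down", decide(state, "203.0.113.5", 0.0)),
    ]
    state.captive_portal_detected_at = 100.0
    steps.append(("internet host, 30 s after portal detected", decide(state, "203.0.113.5", 130.0)))
    steps.append(("internet host, 61 s after portal detected", decide(state, "203.0.113.5", 161.0)))
    state.tunnel_up = True
    steps.append(("internet host, tunnel up", decide(state, "203.0.113.5", 200.0)))
    return steps


if __name__ == "__main__":
    for label, verdict in walk_through():
        print(f"{label:45s} -> {verdict}")
```

A timeout of 0 produces an empty grace window, which is the documented "immediately blocks access" behaviour; an eleventh exclusion entry is rejected by the parser just as the field limit would reject it.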
Automatically Launch Webpage in Default Browser Upon Captive Portal Detection
To automatically launch your default web browser upon captive portal detection so that users can log in to the captive portal seamlessly, enter the fully qualified domain name
(FQDN) or IP address of the website that you want to use for
the initial connection attempt that initiates web traffic when
the default web browser launches (maximum length is 256
characters). The captive portal then intercepts this website
connection attempt and redirects the default web browser to
the captive portal login page. If this field is empty (default),
GlobalProtect does not launch the default web browser
automatically upon captive portal detection.
Traffic Blocking Notification Delay (sec)
Specify a value, in seconds, to determine when to display the notification message. GlobalProtect starts the countdown to
display the notification after the network is reachable (range is
5 to 120; default is 15).
Display Traffic Blocking Notification Message
Specifies whether a message appears when GlobalProtect is required for network access. Select No to disable the message.
Select Yes to enable the message (GlobalProtect displays the
message when GlobalProtect is disconnected but detects that
the network is reachable.)
Traffic Blocking Notification Message Customize a notification message to display to users when
GlobalProtect is required for network access. GlobalProtect
displays the message when GlobalProtect is disconnected but
detects the network is reachable. The message can indicate
the reason for blocking the traffic and provide instructions on
how to connect. For example:
Allow User to Dismiss Traffic Blocking Notifications
Select No to always display traffic blocking notifications. By default the value is set to Yes, meaning users are permitted to
dismiss the notifications.
Display Captive Portal Detection Message
Specifies whether a message appears when GlobalProtect detects a captive portal. Select Yes to display the message.
Select No (default) to suppress the message (GlobalProtect
does not display a message when GlobalProtect detects a
captive portal).
Captive Portal Detection Message
Customize a notification message to display to users when GlobalProtect detects a captive portal. The message can provide additional instructions for connecting to the captive portal. For example:
Captive Portal Detection Delay If you enable a Captive Portal Detection Message, you can
specify the delay in seconds after captive portal detection at
which GlobalProtect displays the detection message (range is 1
to 120; default is 5).
Client Certificate Store Lookup Select the type of certificate or certificates that an app looks
up in its personal certificate store. The GlobalProtect app uses
the certificate to authenticate to the portal or a gateway and
then establish a VPN tunnel to the GlobalProtect gateway.
• User—Authenticate by using the certificate that is local to
the user’s account.
• Machine—Authenticate by using the certificate that is
local to the endpoint. This certificate applies to all the user
accounts permitted to use the endpoint.
• User and machine (default)—Authenticate by using the user
certificate and the machine certificate.
SCEP Certificate Renewal Period (days) This mechanism is for renewing a SCEP-generated certificate
before the certificate actually expires. You specify the
maximum number of days before certificate expiry that the
portal can request a new certificate from the SCEP server in
your PKI system (range is 0 to 30; default is 7). A value of 0
means that the portal does not automatically renew the client
certificate when it refreshes a client configuration.
For an app to get the new certificate, the user must log in
during the renewal period (the portal does not request the
new certificate for a user during this renewal period unless the
user logs in).
For example, suppose that a client certificate has a lifespan of
90 days and this certificate renewal period is 7 days. If a user
logs in during the final 7 days of the certificate lifespan, the
portal generates the certificate and downloads it along with a
Extended Key Usage OID for Client Certificate
Enter the extended key usage of a client certificate by specifying its object identifier (OID). This setting ensures that
the GlobalProtect app selects only a certificate that is intended
for client authentication and enables GlobalProtect to save the
certificate for future use.
Retain Connection on Smart Card Removal (Windows Only)
Select Yes to retain the connection when a user removes a smart card containing a client certificate. Select No (default) to terminate the connection when a user removes a smart card.
Allow Overriding Username from Client Certificate
Select No to force GlobalProtect to use the username of the client certificate and prevent GlobalProtect from overriding it (enabled by default).
Enable Advanced View Select No to restrict the user interface on the app to the basic,
minimum view (enabled by default).
Allow User to Dismiss Welcome Page Select No to force the Welcome Page to appear each time a
user initiates a connection. This restriction prevents a user
from dismissing important information, such as terms and
conditions that may be required by your organization to
maintain compliance.
Enable Rediscover Network Option Select No to prevent users from manually initiating a network
rediscovery.
Enable Resubmit Host Profile Option Select No to prevent users from manually triggering
resubmission of the latest HIP.
Allow User to Change Portal Address Select No to disable the Portal field on the Home tab in the
GlobalProtect app. However, because the user will then be
unable to specify a portal to which to connect, you must
supply the default portal address in the Windows registry or
Mac plist:
• Windows registry—HKEY_LOCAL_MACHINE\SOFTWARE\PaloAlto Networks\GlobalProtect\PanSetup with key Portal
• Mac plist—/Library/Preferences/com.paloaltonetworks.GlobalProtect.pansetup.plist with key Portal
For more information about pre-deploying the portal
address, see Customizable App Settings in the GlobalProtect
Administrator’s Guide.
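The following Python helper is an added example, not material from the GlobalProtect Administrator's Guide, that writes the Portal key to the two locations named in this row. The portal hostname gp.example.com and the use of XML plist format are assumptions; the plist path and registry path are the ones listed above. It must run with administrative (Windows) or root (macOS) rights on the target endpoint.

```python
"""Pre-deploy the GlobalProtect portal address for endpoints where
"Allow User to Change Portal Address" is set to No.

Added example, not Palo Alto Networks code. PORTAL is an assumption; the
registry and plist locations are the documented ones.
"""
import platform
import plistlib

PORTAL = "gp.example.com"   # assumption: replace with your portal FQDN or IP address
# Documented locations (the registry path is relative to HKEY_LOCAL_MACHINE).
REG_SUBKEY = r"SOFTWARE\PaloAlto Networks\GlobalProtect\PanSetup"
PLIST_PATH = "/Library/Preferences/com.paloaltonetworks.GlobalProtect.pansetup.plist"


def build_pansetup_plist(portal: str) -> bytes:
    """Serialise the Portal key as an XML plist (assumed format; plistlib reads both)."""
    return plistlib.dumps({"Portal": portal}, fmt=plistlib.FMT_XML)


def portal_from_plist(data: bytes) -> str:
    """Read the Portal key back, e.g. to verify a file an MDM has pushed."""
    return plistlib.loads(data)["Portal"]


def write_macos_plist(portal: str, path: str = PLIST_PATH) -> None:
    with open(path, "wb") as fh:
        fh.write(build_pansetup_plist(portal))


def write_windows_registry(portal: str) -> None:
    """Create the PanSetup key if needed and set the Portal string value."""
    import winreg  # Windows-only module, imported lazily
    # KEY_WOW64_64KEY keeps a 32-bit interpreter out of the WOW6432Node view.
    access = winreg.KEY_SET_VALUE | winreg.KEY_WOW64_64KEY
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, REG_SUBKEY, 0, access) as key:
        winreg.SetValueEx(key, "Portal", 0, winreg.REG_SZ, portal)


def read_windows_registry() -> str:
    import winreg
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_SUBKEY, 0, access) as key:
        value, _ = winreg.QueryValueEx(key, "Portal")
        return value


if __name__ == "__main__":
    system = platform.system()
    if system == "Windows":
        write_windows_registry(PORTAL)
        print("Portal =", read_windows_registry())
    elif system == "Darwin":
        write_macos_plist(PORTAL)
        with open(PLIST_PATH, "rb") as fh:
            print("Portal =", portal_from_plist(fh.read()))
    else:
        # Other platforms: only show the plist that would be deployed.
        print(build_pansetup_plist(PORTAL).decode())
```

Because the app reads these locations at startup, deploy them before the first launch (or restart the app afterwards); the value is the portal hostname or IP address, not a URL.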
Allow User to Continue with Invalid Portal Server Certificate
Select No to prevent the app from establishing a connection with the portal if the portal certificate is not valid.
Display GlobalProtect Icon Select No to hide the GlobalProtect icon on the endpoint.
If the icon is hidden, users cannot perform certain tasks,
such as viewing troubleshooting information, changing
passwords, rediscovering the network, or performing an on-
demand connection. However, HIP notification messages,
login prompts, and certificate dialogs do display when user
interaction is necessary.
User Switch Tunnel Rename Timeout (sec) (Windows only)
Specify the number of seconds that a remote user has to be authenticated by a GlobalProtect gateway after logging into an endpoint by using Microsoft's Remote Desktop Protocol (RDP) (range is 0 to 600; default is 0). Requiring the remote user to authenticate within a limited amount of time maintains security.
After authenticating the new user and switching the tunnel to
the user, the gateway renames the tunnel.
A value of 0 means that the current user’s tunnel is not
renamed but, instead, is immediately terminated. In this case,
the remote user gets a new tunnel and has no time limit for
authenticating to a gateway (other than the configured TCP
timeout).
Pre-Logon Tunnel Rename Timeout (sec) (Windows Only)
This setting controls how GlobalProtect handles the pre-logon tunnel that connects an endpoint to the gateway.
A value of -1 means the pre-logon tunnel does not time out
after a user logs on to the endpoint; GlobalProtect renames
the tunnel to reassign it to the user. However, the tunnel
persists even if the renaming fails or if the user does not log in
to the GlobalProtect gateway.
A value of 0 means when the user logs on to the endpoint,
GlobalProtect immediately terminates the pre-logon tunnel
instead of renaming it. In this case, GlobalProtect initiates
a new tunnel for the user instead of allowing the user to
connect over the pre-logon tunnel. Typically, this setting is
most useful when you set the Connect Method to Pre-logon
then On-demand, which forces the user to manually initiate
the connection after the initial logon.
A value of 1 to 600 indicates the number of seconds in which
the pre-logon tunnel can remain active after a user logs on
to the endpoint. During this time, GlobalProtect enforces
policies on the pre-logon tunnel. If the user authenticates
with the GlobalProtect gateway within the timeout period,
GlobalProtect reassigns the tunnel to the user. If the user does
not authenticate with the GlobalProtect gateway before the
timeout, GlobalProtect terminates the pre-logon tunnel.
Preserve Tunnel on User Logoff Timeout (sec)
To enable GlobalProtect to preserve the existing VPN tunnel after users log out of their endpoint, specify a Preserve Tunnel on User Logoff Timeout value (range is 0 to 600 seconds;
Show System Tray Notifications (Windows only)
Select No to hide notifications from the user. Select Yes (default) to display notifications in the system tray area.
Custom Password Expiration Message (LDAP Authentication Only)
Create a custom message to display to users when their password is about to expire. The maximum message length is 200 characters.
Automatically Use SSL When IPSec Is Unreliable (hours)
Specify the amount of time (in hours) during which you want the GlobalProtect app to Automatically Use SSL When IPSec Is Unreliable (range is 0-168 hours). If you configure this
option, the GlobalProtect app does not attempt to establish
an IPSec tunnel during the specified time period. This timer
initiates each time an IPSec tunnel goes down due to a tunnel
keepalive timeout.
If you accept the default value of 0, the app does not fall back
to establishing an SSL tunnel if it can establish an IPSec tunnel
successfully. It falls back to establishing an SSL tunnel only
when the IPSec tunnel cannot be established.
GlobalProtect Connection MTU (bytes)
Enter the GlobalProtect connection maximum transmission unit (MTU) value, between 1000 and 1420 bytes, that is used
by the GlobalProtect app to connect to the gateway. The
default value is 1400 bytes. You can optimize the connection
experience for end users connecting over networks that
require MTU values lower than the standard of 1500 bytes.
By reducing the MTU size, you can eliminate performance and
connectivity issues that occur due to fragmentation when the
VPN tunnel connections go through multiple Internet Service
Providers (ISPs) and network paths with MTU lower than 1500
bytes.
Maximum Internal Gateway Connection Attempts
Enter the maximum number of times the GlobalProtect agent should retry the connection to an internal gateway after the
first attempt fails (range is 0 to 100; default is 0, which means
the GlobalProtect app does not retry the connection). By
increasing the value, you enable the app to automatically
connect to an internal gateway that is temporarily down or
unreachable during the first connection attempt but comes
back up before the specified number of retries are exhausted.
Increasing the value also ensures that the internal gateway
receives the most up-to-date user and host information.
Portal Connection Timeout (sec) The number of seconds (between 1 and 600) before a
connection request to the portal times out due to no response
from the portal. When your firewall is running Applications
and Threats content versions earlier than 777-4484, the
default is 30. Starting with Content Release version 777-4484,
the default is 5.
TCP Connection Timeout (sec) The number of seconds (between 1 and 600) before a TCP
connection request times out due to unresponsiveness
from either end of the connection. When your firewall is
running Applications and Threats content versions earlier than
777-4484, the default is 60. Starting with Content Release
version 777-4484, the default is 5.
TCP Receive Timeout (sec) The number of seconds before a TCP connection times out
due to the absence of some partial response of a TCP request
(range is 1 to 600; default is 30).
Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows Only)
(GlobalProtect 4.0.3 and later releases) Configure the DNS resolution preferences when the GlobalProtect tunnel is connected on Windows endpoints:
• Select Yes (default) to enable the GlobalProtect app to
allow Windows endpoints to resolve all DNS queries with
the DNS servers you configure on the gateway instead of
allowing the endpoint to send some DNS queries to the
DNS servers set on the physical adapter.
• Select No to allow Windows endpoints to send DNS
queries to the DNS server set on the physical adapter
if the initial query to the DNS server configured on the
gateway is not resolved. This option retains the native
Windows behavior to query all DNS servers on all adapters
recursively but can result in long wait times to resolve some
DNS queries.
To configure DNS settings for GlobalProtect app 4.0.2 and
earlier releases, use the Update DNS Settings at Connect
option.
Update DNS Settings at Connect (Windows Only) (Deprecated)
(GlobalProtect 4.0.2 and earlier releases) Configure the DNS server preferences for the GlobalProtect tunnel:
• Select No (default) to allow Windows endpoints to send
DNS queries to the DNS server set on the physical adapter
if the initial query to the DNS server configured on the
gateway is not resolved. This option retains the native
Windows behavior to query all DNS servers on all adapters
recursively but can result in long wait times to resolve some
DNS queries.
• Select Yes to enable Windows endpoints to resolve all
DNS queries with the DNS servers you configure on the
gateway instead of the DNS servers set on the physical
Detect Proxy for Each Connection (Windows only)
Select No to auto-detect the proxy for the portal connection and use that proxy for subsequent connections. Select Yes (default) to auto-detect the proxy at every connection.
Set Up Tunnel Over Proxy (Windows & Mac Only)
Specify whether GlobalProtect must use or bypass proxies. Select No to require GlobalProtect to bypass proxies. Select
Yes to require GlobalProtect to use proxies. Based on the
GlobalProtect proxy use, endpoint OS, and tunnel type,
network traffic will behave differently.
Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)
Select No to prevent the GlobalProtect app from sending HIP data when the status of the Windows Security Center (WSC) changes. Select Yes (default) to immediately send HIP data when the status of the WSC changes.
Network Port for Inbound Authentication Prompts (UDP)
Specifies the port number a GlobalProtect endpoint uses to receive inbound authentication prompts from MFA gateways.
The default port is 4501. To change the port, specify a number
from 1 to 65535.
Inbound Authentication Message Customize a notification message to display when users try
to access a resource that requires additional authentication.
When users try to access a resource that requires additional
authentication, GlobalProtect receives a UDP packet
containing the inbound authentication prompt and displays
this message. The UDP packet also contains the URL for the
Authentication Portal page you specify when you Configure
Multi-Factor Authentication. GlobalProtect automatically
appends the URL to the message. For example:
Log Gateway Selection Criteria Select Yes to enable the GlobalProtect app to send the
gateway selection criteria logs to the firewall. The default is
No. The app does not send the enhanced logs for the gateway
selection criteria to the firewall.
Display Status Panel at Startup (Windows Only)
Select Yes to automatically display the GlobalProtect status panel when users establish a connection for the first time.
Select No to suppress the GlobalProtect status panel when
users establish a connection for the first time.
Passcode/Confirm Passcode Enter and then confirm a passcode if the setting for Allow
User to Disable GlobalProtect App is Allow with Passcode.
Treat this passcode like a password—record it and store it
in a secure place. You can distribute the passcode to new
Max Times User Can Disable
Specify the maximum number of times that a user can disable GlobalProtect before the user must connect to a firewall. The
default value of 0 means users have no limit to the number of
times they can disable the app.
Disable Timeout (min) Specify the maximum number of minutes the GlobalProtect
app can be disabled. After the specified time passes, the app
tries to connect to the firewall. The default of 0 indicates that
the disable period is unlimited.
Mobile Security Manager
If you are using the GlobalProtect Mobile Security Manager for mobile device management (MDM), enter the IP address or FQDN of the device check-in (enrollment) interface on the GP-100 appliance.
Enrollment Port The port number the mobile endpoint should use when
connecting to the GlobalProtect Mobile Security Manager for
enrollment. The Mobile Security Manager listens on port 443
by default.
Collect HIP Data Clear this option to prevent the app from collecting and sending HIP data.
Max Wait Time (sec) Specify how many seconds the app should search for HIP data before
submitting the available data (range is 10-60; default is 20).
Certificate Profile Select the certificate profile that the GlobalProtect portal uses to match the
machine certificate sent by the GlobalProtect app.
Exclude Categories Select Exclude Categories to specify the host information categories for
which you do not want the app to collect HIP data. Select a Category (such
as data-loss-prevention) to exclude from HIP collection. After selecting a
category, you can Add a particular Vendor and, then, you can Add specific
products from the vendor to further refine the exclusion as needed. Click
OK to save settings in each dialog.
Custom Checks Select Custom Checks to define custom host information you want the app
to collect. For example, if you have any required applications that are not
included in the Vendor or Product lists for creating HIP objects, you can
create a custom check to determine whether that application is installed
(it has a corresponding Windows registry or Mac plist key) or is currently
running (has a corresponding running process):
• Windows—Add a check for a particular registry key or key value.
• Mac—Add a check for particular plist key or key value.
• Process List—Add the processes you want to check for on user
endpoints to see if they are running. For example, to determine whether
a software application is running, add the name of the executable file
to the process list. You can add a process to the Windows tab, the Mac
tab, or both.
General tab
Clientless VPN Select Clientless VPN to specify general information about the Clientless VPN
session:
Hostname The IP address or FQDN for the GlobalProtect portal that hosts the web
applications landing page. The GlobalProtect Clientless VPN rewrites
application URLs with this hostname.
Security Zone The zone for the Clientless VPN configuration. Security rules defined in this
zone control which applications users can access.
DNS Proxy The DNS server that resolves application names. Select a DNS proxy server or
configure a New DNS Proxy (Network > DNS Proxy).
Login Lifetime The number of Minutes (range is 60 to 1,440) or Hours (range is 1 to 24;
default is 3) that a clientless SSL VPN session is valid. After the specified time,
users must re-authenticate and start a new clientless VPN session.
Inactivity Timeout The number of Minutes (range is 5 to 1,440; default is 30) or Hours (range is
1 to 24) that a clientless SSL VPN session can remain idle. If there is no user
activity during the specified amount of time, the user must re-authenticate
and start a new clientless VPN session.
Max User The maximum number of users that can be logged into the portal at the same time (default is 10; range is 1 to no maximum). When the maximum number of users is reached, additional clientless VPN users cannot log in to the portal.
Applications tab
Applications to User Mapping
Add one or more Applications to User Mapping to match users with published applications. This mapping controls which users or user groups
can use a clientless VPN to access applications. You must define the
applications and application groups before mapping them to users (Network
> GlobalProtect > Clientless Apps and Network > GlobalProtect > Clientless
App Groups).
• Name—Enter a name for the mapping (up to 31 characters). The name
is case-sensitive, must be unique, and can contain only letters, numbers,
spaces, hyphens, and underscores.
• Display application URL address bar—Select this option to display an application URL address bar from which users can launch applications that are not published on the applications landing page. When enabled, users can click the Application URL link on the page and specify a URL.
User/User Group You can Add individual users or user groups to which the current application
configuration applies. These users have permission to launch the configured
applications using a GlobalProtect clientless VPN.
In addition to users and groups, you can specify when these settings apply to
the users or groups:
• any—The application configuration applies to all users (no need to Add
users or user groups).
• select—The application configuration applies only to users and user groups
you Add to this list.
Applications You can Add individual applications or application groups to the mapping.
The Source Users you included in the configuration can use GlobalProtect
clientless VPN to launch the applications you add.
Protocol Versions Select the required minimum and maximum TLS/SSL versions. The higher the TLS version, the more secure the connection. Choices include SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2. SSLv3, TLSv1.0, and TLSv1.1 are deprecated protocols; set the minimum to TLSv1.2 unless a published application cannot negotiate it.
Key Exchange Algorithms
Select the supported algorithm types for key exchange. Choices include RSA, Diffie-Hellman (DHE), or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). RSA key exchange provides no forward secrecy; prefer ECDHE (or DHE) where the published applications support it.
Authentication Algorithms
Select the supported authentication algorithms. Choices are: MD5, SHA1, SHA256, or SHA384. SHA256 or higher is recommended.
Server Certificate Enable which actions to take for the following issues that can occur when an
Verification application presents a server certificate:
• Block sessions with expired certificate—If the server certificate has
expired, block access to the application.
• Block sessions with untrusted issuers—If the server certificate is issued
from an untrusted certificate authority, block access to the application.
• Block sessions with unknown certificate status—If the OCSP or CRL
service returns a certificate revocation status of unknown, block access to
the application.
• Block sessions on certificate status check timeout—If the certificate status
check times out before receiving a response from any certificate status
service, block access to the application.
Proxy tab
Use Proxy
Select to allow the GlobalProtect portal to use the proxy server to access the
published applications.
Server, Port
Specify the hostname (or IP address) and port number of the proxy server.
User, Password
Specify the username and password needed to log in to the proxy server.
Enter the password again for verification.
Rewrite Exclude Domain List
(Optional) Add domain names, host names, or IP addresses to the Rewrite
Exclude Domain List. The clientless VPN acts as a reverse proxy and modifies
pages returned by the published applications. When a remote user accesses
the URL, the requests go through the GlobalProtect portal. In some cases,
the application may have pages that do not need to be accessed through
the portal. Specify domains that should be excluded from rewrite rules and
cannot be rewritten.
Paths are not supported in host and domain names. The wildcard character (*)
for host and domain names can only appear at the beginning of the name (for
example, *.etrade.com).
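The following is an added example (not PAN-OS code) that applies the two list rules above, no paths and a leading-only wildcard, to decide whether a URL's host is on the exclude list. It assumes that an entry such as *.etrade.com matches any host ending in .etrade.com (not the bare etrade.com), and it matches on the parsed host rather than on the URL string so that a host name hidden in a query string cannot trigger an exclusion.

```python
"""Rewrite Exclude Domain List matcher (added example, not PAN-OS code).

Applies the two rules stated above: entries are host names, domain names or
IP addresses without a path, and the wildcard '*' may only appear at the
beginning (for example *.etrade.com). Assumption: '*suffix' matches any host
that ends with suffix, so *.etrade.com covers www.etrade.com but not the bare
etrade.com. Matching is done on the parsed URL host, not on the URL string.
"""
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit


def validate_entry(entry: str) -> str:
    """Normalize an entry or raise ValueError if it violates the list rules."""
    e = entry.strip().lower().rstrip(".")
    if not e:
        raise ValueError("empty entry")
    if any(ch in e for ch in "/?#"):
        raise ValueError(f"paths are not supported in host and domain names: {entry!r}")
    if "*" in e:
        if not e.startswith("*") or "*" in e[1:]:
            raise ValueError(f"wildcard may only appear at the beginning: {entry!r}")
        name = e[1:].lstrip(".")
    else:
        name = e
    try:
        ipaddress.ip_address(name)  # IP address entries are accepted as-is
        return e
    except ValueError:
        pass
    labels = name.split(".") if name else []
    if not labels or not all(lbl and lbl.replace("-", "").isalnum() for lbl in labels):
        raise ValueError(f"invalid host or domain name: {entry!r}")
    return e


def host_is_excluded(url: str, entries: Iterable[str]) -> bool:
    """True if the URL's host matches an entry and must not be rewritten."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for raw in entries:
        e = validate_entry(raw)
        if e.startswith("*"):
            if host.endswith(e[1:]):
                return True
        elif host == e:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample list and URLs.
    exclude_list = ["*.etrade.com", "10.0.0.5"]
    for url in ("https://www.etrade.com/account", "https://etrade.com/",
                "http://10.0.0.5:8080/app", "https://evil.example/?q=www.etrade.com"):
        print(url, "excluded" if host_is_excluded(url, exclude_list) else "rewritten")
```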
Devices Add a satellite using the firewall Serial Number. The portal can accept
a serial number or login credentials to identify who is requesting a
connection; if the portal does not receive a serial number, it requests login
credentials. If you identify the satellite by its firewall serial number, you do
not need to provide user login credentials when the satellite first connects
to acquire the authentication certificate and its initial configuration.
After the satellite authenticates by either a serial number or login
credentials, the Satellite Hostname is automatically added to the portal.
Enrollment User/User Group
The portal can use Enrollment User/User Group settings with or without
serial numbers to match a satellite to this configuration. Satellites that do
not match on a serial number are required to authenticate either as an
individual user or group member.
Add the user or group you want to control with this configuration.
Gateways Click Add to enter the IP address or hostname of the gateway(s) with
which satellites using this configuration can establish IPSec tunnels. Enter the
FQDN or IP address of the interface where the gateway is configured in the
Gateways field. IP addresses can be specified as IPv6, IPv4, or both. Select
IPv6 Preferred to prefer IPv6 connections in a dual-stack environment.
(Optional) If you are adding two or more gateways to the configuration, the
Routing Priority helps the satellite pick the preferred gateway (range is 1 to
25). Lower numbers have higher priority (for gateways that are available).
The satellite multiplies the routing priority by 10 to determine the routing
metric.
Trusted Root CA Click Add and then select the CA certificate for issuing gateway server
certificates. Satellite Trusted Root CA certificates are pushed to endpoints
at the same time as the portal agent configuration.
Client Certificate
Local • Issuing Certificate—Select the root CA issuing certificate the portal uses
to issue certificates to a satellite after it successfully authenticates. If the
needed certificate does not already exist on the firewall, you can Import
or Generate it.
Name Enter a name for the gateway (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.
Location For a firewall that is in multiple virtual system mode, the Location is the
virtual system (vsys) where the GlobalProtect gateway is available. For a
firewall that is not in multi-vsys mode, the Location field does not appear in
the GlobalProtect Gateway dialog.
Interface Select the name of the firewall interface that will serve as the ingress
interface for remote endpoints. (These interfaces must already exist.)
IP Address (Optional) Specify the IP address for gateway access. Select the IP Address
Type, then enter the IP Address.
• The IP address type can be IPv4 (IPv4 traffic only), IPv6 (IPv6 traffic
only), or IPv4 and IPv6. Use IPv4 and IPv6 if your network supports
dual-stack configurations, where IPv4 and IPv6 run at the same time.
The IP address must be compatible with the IP address type. For example,
172.16.1.0 for IPv4 or 21DA:D3:0:2F3b for IPv6. If you choose IPv4 and
IPv6, enter the appropriate address type for each.
Log Settings
Log Successful SSL Handshake
(Optional) Creates detailed logs of successful SSL Decryption handshakes.
Disabled by default.
Log Unsuccessful SSL Handshake
Creates detailed logs of unsuccessful SSL Decryption handshakes so you
can find the cause of decryption issues. Enabled by default.
Log Forwarding Specify the method and location to forward GlobalProtect SSL handshake
(decryption) logs.
SSL/TLS Service Profile Select an SSL/TLS service profile for securing this
GlobalProtect gateway. For details about the contents of a
service profile, see Device > Certificate Management > SSL/
TLS Service Profile.
Authentication Message To help end users know what credentials they should use for
logging into this gateway, you can enter a message or keep the
Allow Authentication with User Credentials OR Client Certificate
If you select No, users must authenticate to the gateway using both user
credentials and client certificates. If you select Yes, users can authenticate
to the gateway using either user credentials or client certificates.
Certificate Profile
Certificate Profile (Optional) Select the Certificate Profile the gateway uses to
match those client certificates that come from user endpoints.
With a Certificate Profile, the gateway authenticates the user
only if the certificate from the client matches this profile.
If you set the Allow Authentication with User Credentials
OR Client Certificate option to No, you must select a
Certificate Profile. If you set the Allow Authentication with
User Credentials OR Client Certificate option to Yes, the
Certificate Profile is optional.
The certificate profile is independent of the OS.
Block login for quarantined devices Specify whether to block gateway login for GlobalProtect
client devices that are in the quarantine list (Device > Device
Quarantine).
Tunnel Mode Select Tunnel Mode to enable tunnel mode and then specify the following
settings:
• Tunnel Interface—Choose a tunnel interface for access to this gateway.
• Max User—Specify the maximum number of users that can
simultaneously access the gateway for authentication, HIP updates, and
GlobalProtect app updates. If the maximum number of users is reached,
subsequent users are denied access with a message that indicates the
maximum number of users has been reached (range varies by platform
and is displayed when the field is empty).
• Enable IPSec—Select this option to enable IPSec mode for endpoint
traffic, making IPSec the primary method and SSL-VPN the fallback
method. The remaining options are not available until IPSec is enabled.
• GlobalProtect IPSec Crypto—Select a GlobalProtect IPSec Crypto
profile that specifies authentication and encryption algorithms for the
VPN tunnels. The default profile uses AES-128-CBC encryption and
SHA1 authentication. For details, see Network > Network Profiles >
GlobalProtect IPSec Crypto.
• Enable X-Auth Support—Select this option to enable Extended
Authentication (X-Auth) support in the GlobalProtect gateway when
IPSec is enabled. With X-Auth support, third party IPSec VPN clients
that support X-Auth (such as the IPSec VPN client on Apple iOS and
Android devices and the VPNC client on Linux) can establish a VPN
tunnel with the GlobalProtect gateway. The X-Auth option provides
remote access from the VPN client to a specific GlobalProtect gateway.
Because X-Auth access provides limited GlobalProtect functionality,
consider using the GlobalProtect App for simplified access to the full
security feature set GlobalProtect provides on iOS and Android devices.
Selecting X-Auth Support activates the Group Name and Group
Password options:
• If the group name and group password are specified, the first
authentication phase requires both parties to use this credential
to authenticate. The second phase requires a valid username and
password, which is verified through the authentication profile
configured in the Authentication section.
• If no group name and group password are defined, the first
authentication phase is based on a valid certificate presented by the
third-party VPN client. This certificate is then validated through the
certificate profile configured in the authentication section.
• By default, the user is not required to re-authenticate when the key
used to establish the IPSec tunnel expires. To require the user to re-
authenticate, clear the Skip Auth on IKE Rekey option.
Source User Add the specific users or user groups to which this
configuration applies.
IP Pools tab
Retrieve Framed-IP-Address attribute from authentication server
Select this option to enable the GlobalProtect gateway to assign fixed IP
addresses by using an external authentication server. When this option is
enabled, the GlobalProtect gateway allocates the IP address for each
connecting device using the Framed-IP-Address attribute returned by the
authentication server.
No direct access to local network Select this option to disable split tunneling, including direct
access to local networks on Windows and macOS endpoints.
This function prevents a user from sending traffic to proxies
or local resources, such as a home printer. When the tunnel
is established, all traffic is routed through the tunnel and is
subject to policy enforcement by the firewall.
Include Add routes to include in the VPN tunnel. These are the routes
the gateway pushes to the remote users’ endpoint to specify
what user endpoints can send through the VPN connection.
Exclude Add routes to exclude from the VPN tunnel. These routes are
sent through the physical adapter on endpoints rather than
through the virtual adapter (the tunnel).
You can define the routes you send through the VPN tunnel
as routes you include in the tunnel, routes you exclude from
the tunnel, or a combination of both. For example, you can set
up split tunneling to allow remote users to access the internet
without going through the VPN tunnel. Excluded routes should
be more specific than the included routes to avoid excluding
more traffic than you intend to exclude.
If you don’t include or exclude routes, every request is routed
through the tunnel (no split tunneling). In this case, each
internet request passes through the firewall and then out to
the network. This method can prevent the possibility of an
external party accessing user endpoints and gaining access to
the internal network (with a user endpoint acting as a bridge).
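As an added example (not Palo Alto Networks code), the following models how an endpoint would choose between the tunnel and the physical adapter from the Include and Exclude routes described above, and flags the caveat that an exclude should be more specific than the include it overlaps. It assumes longest-prefix-match semantics and that, once any include route exists, destinations matching no route go direct.

```python
"""Split-tunnel route decision (added example, not Palo Alto Networks code).

The gateway pushes Include and Exclude routes to the endpoint. This model
assumes the endpoint picks the adapter by the most specific (longest-prefix)
route that covers the destination; with neither list set, everything goes
through the tunnel. It also flags the caveat above: an exclude that is not
more specific than an include it overlaps will remove more traffic than
intended.
"""
import ipaddress
from typing import Iterable, List, Tuple


def _nets(routes: Iterable[str]):
    return [ipaddress.ip_network(r, strict=False) for r in routes]


def route_via_tunnel(dest: str, include: Iterable[str], exclude: Iterable[str]) -> bool:
    """Return True if traffic to dest uses the virtual adapter (the tunnel)."""
    addr = ipaddress.ip_address(dest)
    inc, exc = _nets(include), _nets(exclude)
    if not inc and not exc:
        return True  # no split tunneling: every request is routed through the tunnel
    best_len, via_tunnel = -1, False
    candidates = [(n, True) for n in inc] + [(n, False) for n in exc]
    for net, tunneled in candidates:
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best_len, via_tunnel = net.prefixlen, tunneled
    if best_len < 0:
        # Unmatched destination: with only excludes the default is the tunnel;
        # once includes exist, only included prefixes are tunneled (assumption).
        return not inc
    return via_tunnel


def exclude_specificity_warnings(include: Iterable[str],
                                 exclude: Iterable[str]) -> List[Tuple[str, str]]:
    """Pairs (exclude, include) where the exclude is not more specific than an
    include it overlaps, i.e. it would swallow the included route."""
    warnings = []
    for exc in _nets(exclude):
        for inc in _nets(include):
            if exc.version == inc.version and exc.overlaps(inc) and exc.prefixlen <= inc.prefixlen:
                warnings.append((str(exc), str(inc)))
    return warnings


if __name__ == "__main__":
    # Constructed sample: corporate 10/8 through the tunnel, lab 10.1/16 direct.
    include, exclude = ["10.0.0.0/8"], ["10.1.0.0/16"]
    for dest in ("10.2.2.3", "10.1.2.3", "8.8.8.8"):
        print(dest, "tunnel" if route_via_tunnel(dest, include, exclude) else "direct")
    # Reversed specificity: the exclude would swallow the include.
    print(exclude_specificity_warnings(["10.1.0.0/16"], ["10.0.0.0/8"]))
```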
Include Client Application Process Name
Add the software as a service (SaaS) or public cloud applications that you
want to include in the VPN tunnel using the application process name. These
are the applications the gateway pushes to the endpoints of remote users to
specify what those user endpoints can send through the VPN connection.
Exclude Client Application Process Name
Add the software as a service (SaaS) or public cloud applications that you
want to exclude from the VPN tunnel using the application process name.
These applications are sent through the physical adapter on endpoints rather
than the virtual adapter (the tunnel).
If you do not include or exclude any applications, every
request is routed through the tunnel (no split tunneling). In this
case, each Internet request passes through the firewall and
out to the network. This method can prevent external parties
from accessing user endpoints to gain access to the internal
network.
DNS Server Specify the IP address of the DNS server to which the
GlobalProtect app with this client setting configuration sends
DNS queries. You can add multiple DNS servers by separating
each IP address with a comma.
DNS Suffix Specify the DNS suffix that the endpoint should use locally
when an unqualified hostname is entered that the endpoint
cannot resolve. You can enter multiple DNS suffixes (up to
100) by separating each suffix with a comma.
Network Services options are available only if you have enabled tunnel mode and defined a
tunnel interface on the Tunnel Settings Tab.
Inheritance Source Select a source to propagate DNS server and other settings from the
selected DHCP client or PPPoE client interface into the GlobalProtect apps’
configuration. With this setting, all client network configurations, such as
DNS servers and WINS servers, are inherited from the configuration of the
interface selected in the Inheritance Source.
Check inheritance source status
Click Inheritance Source to see the server settings that are currently
assigned to the client interfaces.
Primary DNS, Secondary DNS
Enter the IP addresses of the primary and secondary servers that provide
DNS to the clients.
Primary WINS, Secondary WINS
Enter the IP addresses of the primary and secondary servers that provide
Windows Internet Naming Service (WINS) to the endpoints.
Inherit DNS Suffixes Select this option to inherit the DNS suffixes from the inheritance source.
DNS Suffix Add a suffix that the endpoint should use locally when an unqualified
hostname, which it cannot resolve, is entered. You can enter multiple
suffixes (up to 100) by separating each suffix with a comma.
Timeout Configuration
Login Lifetime Specify the number of days, hours, or minutes allowed for a single gateway
login session.
Inactivity Logout Specify the amount of time (in minutes) after which an inactive session
is automatically logged out. Users are logged out of GlobalProtect if the
GlobalProtect app has not routed traffic through the VPN tunnel or if
the gateway does not receive a HIP check from the endpoint within the
configured time period.
Disable Automatic Restoration of SSL VPN
Enable this option to prevent automatic restoration of SSL VPN tunnels.
If you enable this option, GlobalProtect will not support
Resilient VPN.
Restrict Authentication Cookie Usage (for Automatic Restoration of VPN tunnel or Authentication Override) to
Enable this option to restrict authentication cookie usage based on one of
the following conditions:
• The original Source IP for which the authentication cookie was issued—
Restricts authentication cookie usage to endpoints with the same public
source IP address as the endpoint to which the cookie was originally
issued.
• The original Source IP network range—Restricts authentication
cookie usage to endpoints with public source IP addresses within the
designated network IP address range. Enter a Source IPv4 Netmask to
specify a range of IPv4 addresses or enter a Source IPv6 Netmask to
specify a range of IPv6 addresses.
If you set either netmask to 0, this option is disabled for the specified IP
address type. For example, you can set a netmask to 0 if your portal or
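The following is an added example (not PAN-OS code) that models the two cookie-restriction conditions above as a reuse check a gateway could log: exact original source IP, or original network range derived from an IPv4/IPv6 netmask, with netmask 0 switching the check off for that address family. It assumes netmasks are expressed as prefix lengths and that the cookie record carries the source IP it was issued to.

```python
"""Authentication cookie source-IP restriction (added example, not PAN-OS code).

Models the two conditions described above for reusing a GlobalProtect
authentication cookie: the same public source IP it was issued to, or a
source IP within the original network range given by an IPv4/IPv6 netmask.
Assumptions: netmasks are given as prefix lengths, and a netmask of 0 turns
the check off for that address family (the cookie is then not restricted
by source IP for that family).
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class AuthCookie:
    """Constructed stand-in for the portal-issued cookie."""
    user: str
    issued_to: str  # public source IP of the endpoint when the cookie was issued


def cookie_reuse_allowed(cookie: AuthCookie, presenting_ip: str, mode: str,
                         ipv4_netmask: int = 0, ipv6_netmask: int = 0) -> Tuple[bool, str]:
    """mode is 'exact' (original Source IP) or 'range' (original network range).
    Returns (allowed, reason) so the decision can be logged."""
    issued = ipaddress.ip_address(cookie.issued_to)
    now = ipaddress.ip_address(presenting_ip)
    if issued.version != now.version:
        return False, f"cookie issued to IPv{issued.version}, presented from IPv{now.version}"
    if mode == "exact":
        ok = issued == now
        return ok, "same source IP" if ok else f"issued to {issued}, presented from {now}"
    if mode != "range":
        raise ValueError("mode must be 'exact' or 'range'")
    prefix = ipv4_netmask if now.version == 4 else ipv6_netmask
    if prefix == 0:
        return True, f"netmask 0: restriction disabled for IPv{now.version}"
    allowed_net = ipaddress.ip_network(f"{issued}/{prefix}", strict=False)
    ok = now in allowed_net
    return ok, f"{now} {'in' if ok else 'not in'} {allowed_net}"


if __name__ == "__main__":
    # Constructed cookie and presenting addresses.
    cookie = AuthCookie("alice", "198.51.100.7")
    for ip in ("198.51.100.7", "198.51.100.200", "198.51.101.1"):
        print(ip, cookie_reuse_allowed(cookie, ip, "range", ipv4_netmask=24))
```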
Exclude video applications from the tunnel
Select this option to allow video streaming traffic to be excluded from the
VPN tunnel.
Applications Add or Browse for the video streaming applications that you want to
exclude from the VPN tunnel.
This video redirect is applicable to any video traffic type from the following
applications:
• Youtube
• Dailymotion
• Netflix
For other video streaming applications, only the following video types can
be redirected:
• MP4
• WebM
• MPEG
Video streaming traffic can only be excluded from the VPN tunnel. If you
do not exclude any video streaming applications, all requests are routed
through the tunnel (no split tunneling). In this case, each Internet request
passes through the firewall and out to the network. This method can
prevent external parties from accessing user endpoints to gain access to the
internal network.
HIP Notification Add HIP Notifications and configure the options. You can Enable
notifications for the Match Message, the Not Match Message, or both and
then specify whether to Show Notification As a System Tray Balloon or a
Pop Up Message. Then specify the message to match or not match.
Use these settings to notify the end user about the state of the machine,
such as a warning message that the host system does not have a required
application installed. For the Match Message, you can also enable the option
to Include Mobile App List to indicate what applications triggered the HIP
match.
Tunnel Configuration Select Tunnel Configuration and select an existing Tunnel Interface,
or select New Tunnel Interface from the drop-down. See Network >
Interfaces > Tunnel for more information.
• Replay attack detection—Protect against replay attacks.
Tunnel Monitoring Select Tunnel Monitoring to enable the satellites to monitor gateway
tunnel connections, allowing them to failover to a backup gateway if the
connection fails.
• Destination Address—Specify an IPv4 or IPv6 address that the tunnel
monitor will use to determine if there is connectivity to the gateway
(for example, an IP address on the network protected by the gateway).
Alternatively, if you configured an IP address for the tunnel interface,
you can leave this field blank and the tunnel monitor will instead use the
tunnel interface to determine if the connection is active.
• Tunnel Monitor Profile—Failover to another gateway is the only type of
tunnel monitoring profile supported with LSVPN.
Crypto Profiles Select an IPSec Crypto Profile or create a new one. A crypto profile
determines the protocols and algorithms for identification, authentication,
and encryption for the VPN tunnels. Because both tunnel endpoints in
an LSVPN are trusted firewalls within your organization, you typically use
the default profile, which uses ESP protocol, DH group2, AES-128-CBC
encryption, and SHA-1 authentication. See Network > Network Profiles >
GlobalProtect IPSec Crypto for more details.
Inheritance Source Select a source to propagate DNS server and other settings from the
selected DHCP client or PPPoE client interface into the GlobalProtect
satellite configuration. With this setting, all network configuration, such as
DNS servers, are inherited from the configuration of the interface selected
in the Inheritance Source.
Primary DNS Enter the IP addresses of the primary and secondary servers that provide
DNS to the satellites.
Secondary DNS
DNS Suffix Click Add to enter a suffix that the satellite should use locally when an
unqualified hostname is entered that it cannot resolve. You can enter
multiple suffixes by separating them with commas.
Inherit DNS Suffix Select this option to send the DNS suffix to the satellites to use locally
when an unqualified hostname is entered that it cannot resolve.
The servers and routers in the networks must route the traffic for this
IP pool to the firewall. For example, for the 192.168.0.0/16 network, a
satellite can be assigned the address 192.168.0.10.
If you are using dynamic routing, make sure that the IP address pool you
designate for satellites does not overlap with the IP addresses you manually
assigned to the tunnel interfaces on your gateways and satellites.
Accept published routes Enable Accept published routes to accept routes advertised by the satellite
into the gateway’s routing table. If you do not select this option, the
gateway does not accept any routes advertised by the satellites.
Permitted Subnets If you want to be more restrictive about accepting the routes advertised by
the satellites, Add Permitted subnets and define the subnets from which
the gateway may accept routes; subnets advertised by the satellites that
are not part of the list are filtered out. For example, if all the satellites are
configured with 192.168.x.0/24 subnet on the LAN side, you can configure
a permitted route of 192.168.0.0/16 on the gateway. This configuration
causes the gateway to accept the routes from the satellite only if it is in the
192.168.0.0/16 subnet.
Name Enter a name for the Mobile Security Manager (up to 31 characters). The
name is case-sensitive and must be unique. Use only letters, numbers,
spaces, hyphens, and underscores.
If the firewall is in multiple virtual system mode, the MDM settings displays
the virtual system (vsys) where the Mobile Security Manager is available.
For a firewall that is not in multi-vsys mode, this field does not appear in
the MDM dialog. After you save the Mobile Security Manager, you cannot
change its location.
Connection Settings
Server Enter the IP address or FQDN of the interface on the Mobile Security
Manager where the gateway connects to retrieve HIP reports. Ensure that
you have a service route to this interface.
Connection Port The connection port is where the Mobile Security Manager listens for HIP
report requests. The default port is 5008, which is the same port on which
the GlobalProtect Mobile Security Manager listens. If you are using a third-
party Mobile Security Manager, enter the port number on which that server
listens for HIP report requests.
Client Certificate Choose the client certificate for the gateway to present to the Mobile
Security Manager when it establishes an HTTPS connection. This certificate
is required only if the Mobile Security Manager is configured to use mutual
authentication.
Trusted Root CA Click Add and then select the root CA certificate that was used to issue the
certificate for the interface where the gateway connects to retrieve HIP
reports. (This server certificate can be different from the certificate issued
for the endpoint check-in interface on the Mobile Security Manager). You
must import the root CA certificate and add it to this list.
Name Enter a name for the device block list (up to 31 characters). The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Location For a firewall that is in multiple virtual system mode, the Location is
the virtual system (vsys) where the GlobalProtect gateway is available.
For a firewall that is not in multi-vsys mode, the Location field does not
appear in the GlobalProtect Gateway dialog. After you save the gateway
configuration, you cannot change the Location.
Host ID Enter the unique ID that identifies the endpoint, a combination of host
name and unique device ID. For each Host ID, specify the corresponding
Hostname.
Hostname Enter a hostname to identify the device (up to 31 characters). The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Name Enter a descriptive name for the application (up to 31 characters). The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Location For a firewall that is in multiple virtual system mode, the Location is
the virtual system (vsys) where the GlobalProtect gateway is available.
For a firewall that is not in multi-vsys mode, the Location field does not
appear in the GlobalProtect Gateway dialog. After you save the gateway
configuration, you cannot change the Location.
Application Home URL Enter the URL where the application is located (up to 4095 characters).
Application Description (Optional) Enter a description of the application (up to 255 characters). Use
only letters, numbers, spaces, hyphens, and underscores.
Application Icon (Optional) Upload an icon to identify the application on the published
application page. You can browse to upload the icon.
Name Enter a descriptive name for the application group (up to 31 characters). The
name is case-sensitive, must be unique, and can contain only letters, numbers,
spaces, hyphens, and underscores.
Location For a firewall that is in multiple virtual system mode, the Location is the virtual
system (vsys) where the GlobalProtect gateway is available. For a firewall
that is not in multi-vsys mode, the Location field does not appear in the
GlobalProtect Gateway dialog. After you save the gateway configuration, you
cannot change the Location.
Name Enter a name for the HIP object (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.
Shared If you select Shared, the current HIP objects become available to:
Every virtual system (vsys) on the firewall, if you are logged in to a firewall
that is in multiple virtual system mode. If you clear this selection, the object
will be available to only the vsys selected in the Virtual System drop-down of
the Objects tab. For a firewall that is not in multi-vsys mode, this option is not
available in the HIP Object dialog.
Host Info Select this option to activate the options for configuring the host information.
Managed Filter based on whether the endpoint is managed or not managed. To match
endpoints that are managed, select Yes. To match endpoints that are not
managed, select No.
Disable override (Panorama only)
Controls override access to the HIP object in the device groups that are
descendants of the Device Group selected in the Objects tab. Select this
option to prevent administrators from creating local copies of the object in
descendant device groups by overriding its inherited values. This option is
cleared by default (override is enabled).
Domain To match on a domain name, choose an operator from the drop-down and
enter a string to match.
OS To match on a host OS, choose Contains from the first drop-down, select a
vendor from the second drop-down, and then select an OS version from the
third drop-down; or you can select All to match on any OS version from the
selected vendor.
Client Version To match on a specific version number, select an operator from the drop-down
and then enter a string to match (or not match) in the text box.
Host Name To match on a specific host name or part of a host name, select an operator
from the drop-down and then enter a string to match (or not match, depending
on what operator you selected) in the text box.
Host ID The host ID is a unique ID that GlobalProtect assigns to identify the host. The
host ID value varies by device type:
• Windows—Machine GUID stored in the Windows registry
(HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid)
• macOS—MAC address of the first built-in physical network interface
• Android—Android ID
• iOS—UDID
• Linux—Product UUID retrieved from the system DMI table
• Chrome—GlobalProtect-assigned unique alphanumeric string with length of
32 characters
To match on a specific host ID, select the operator from the drop-down and
then enter a string to match (or not match, depending on what operator you
selected) in the text box.
Serial Number To match on all or part of an endpoint serial number, choose an operator from
the drop-down and then enter a string to match.
Network Use this field to enable filtering on a specific mobile device network
configuration. This match criteria applies to mobile devices only.
Select an operator from the drop-down and then select the type of network
connection to filter on from the second drop-down: Wifi, Mobile, Ethernet
(available only for Is Not filters), or Unknown. After you select a network type,
enter any additional strings to match on, if available, such as the Mobile Carrier
or Wifi SSID.
To collect mobile device attributes and utilize them in HIP enforcement policies,
GlobalProtect requires an MDM server. GlobalProtect currently supports HIP integration with
the AirWatch MDM server.
Mobile Device Select this option to enable filtering on host data collected from mobile
devices that are running the GlobalProtect app and to enable the Device,
Settings, and Apps tabs.
Device tab • Model—To match on a particular device model, choose an operator from
the drop-down and enter a string to match.
• Tag—To match on tag value defined on the GlobalProtect Mobile
Security Manager, choose an operator from the first drop-down and
then select a tag from the second drop-down.
• Phone Number—To match on all or part of a device phone number,
choose an operator from the drop-down and enter a string to match.
• IMEI—To match on all or part of a device International Mobile
Equipment Identity (IMEI) number, choose an operator from the drop-
down and enter a string to match.
Settings tab • Passcode—Filter based on whether the device has a passcode set. To
match devices that have a passcode set, select Yes. To match devices
that do not have a passcode set, select No.
• Rooted/Jailbroken—Filter based on whether the device has been rooted
or jailbroken. To match devices that have been rooted or jailbroken,
select Yes. To match devices that have not been rooted or jailbroken,
select No.
• Disk Encryption—Filter based on whether the device data has been
encrypted. To match devices that have disk encryption enabled, select
Apps tab • Apps—(Android devices only) Select this option to enable filtering based
on the apps that are installed on the device and whether or not the
device has any malware-infected apps installed.
• Criteria tab
• Has Malware—Select Yes to match devices that have malware-
infected apps installed. Select No to match devices that do not
have malware-infected apps installed. Select None to not use Has
Malware as match criteria.
• Include tab
• Package—To match devices that have specific apps installed, Add
an app and enter the unique app name in reverse DNS format. For
example, com.netflix.mediaclient and then enter the corresponding
app Hash, which the GlobalProtect app calculates and submits with
the device HIP report.
Patch Management Select this option to enable matching on the patch management status of
the host and enable the Criteria and Vendor tabs.
Vendor tab Define specific vendors of patch management software and products to
look for on the endpoint to determine a match. Click Add and then choose
a Vendor from the drop-down. Optionally, click Add to choose a specific
Product. Click OK to save the settings.
Select Firewall to enable matching on the firewall software status of the host:
• Is Installed—Match on whether firewall software is installed on the host.
• Is Enabled—Match on whether firewall software is enabled on the host. If the Is Installed selection is
cleared, this field is automatically set to none and is disabled for editing.
• Vendor and Product—Define specific firewall software vendors and/or products to look for on the
host to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally,
click Add to choose a specific Product. Click OK to save the settings.
• Exclude Vendor—Select this option to match hosts that do not have software from the specified
vendor.
Select Anti-Malware to enable matching based on the antivirus or anti-spyware coverage on the host.
Define additional matching criteria for the match as follows:
• Is Installed—Match on whether antivirus or anti-spyware software is installed on the host.
Select Disk Backup to enable matching on the disk backup status on the host and then define additional
matching criteria for the match as follows:
• Is Installed—Match on whether disk backup software is installed on the host.
• Last Backup Time—Specify whether to match based on the time that the last disk backup was run.
Select an operator from the drop-down and then specify a number of Days or Hours to match
against.
• Vendor and Product—Define specific disk backup software vendors and products to match on the
host. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a
specific Product. Click OK to save the settings.
• Exclude Vendor—Select this option to match hosts that do not have software from the specified
vendor.
Disk Encryption Select Disk Encryption to enable matching on the disk encryption status on
the host.
Vendor Define specific disk encryption software vendors and products to match on
the endpoint. Click Add and then choose a Vendor from the drop-down.
Optionally, click Add to choose a specific Product. Click OK to save the
settings and return to the Disk Encryption tab.
Select Data Loss Prevention to enable matching on the data loss prevention (DLP) status on the host
(Windows hosts only) and then define additional matching criteria for the match as follows:
• Is Installed—Match on whether DLP software is installed on the host.
• Is Enabled—Match on whether DLP software is enabled on the host. If the Is Installed selection is
cleared, this field is automatically set to none and is disabled for editing.
• Vendor and Product—Define specific DLP software vendors and/or products to look for on the host
to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click
Add to choose a specific Product. Click OK to save the settings.
• Exclude Vendor—Select this option to match hosts that do not have software from the specified
vendor.
Select Validate Certificate to enable matching based on certificate profiles and certificate attributes.
Then define the matching criteria as follows:
• Certificate Profile—Select the certificate profile that the GlobalProtect gateway will use to validate
the machine certificate sent in the HIP report.
• Certificate Field—Select a certificate attribute used for matching against the machine certificate.
• Value—Set the value for the attribute.
Custom Checks Select Custom Checks to enable matching on custom checks you defined
on the GlobalProtect portal.
Process List To check the host system for a specific process, click Add and then enter
the process name. By default, the app checks for running processes; if
you want to see if a specific process is not running, clear the Running
selection. Processes can be operating system level processes or user-space
application processes.
Registry Key To check Windows hosts for a specific registry key, click Add and enter
the Registry Key to match. To match only the hosts that lack the specified
registry key or the key’s value, mark the Key does not exist or match the
specified value data box.
To match on specific values, click Add and then enter the Registry Value
and Value Data. To match hosts that explicitly do not have the specified
value or value data, select Negate.
Click OK to save the settings.
Plist To check Mac hosts for a specific entry in the property list (plist), click Add
and enter the Plist name. To match only the hosts that do not have the
specified plist, select Plist does not exist.
To match on specific key-value pair within the plist, click Add and then
enter the Key and the corresponding Value to match. To match hosts that
explicitly do not have the specified key or value, select Negate.
Click OK to save the settings.
Name Enter a name for the profile (up to 31 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.
Shared Select Shared to make the current HIP profile available to:
• Every virtual system (vsys) on the firewall, if you are logged in to a
firewall that is in multiple virtual system mode. If you clear this selection,
the profile is available only to the vsys selected in the Virtual System
drop-down on the Objects tab. For a firewall that is not in multi-vsys
mode, this option does not appear in the HIP Profile dialog.
• All device groups on Panorama. If you clear this selection, the profile is
available only to the device group selected in the Device Group drop-
down on the Objects tab.
After you save the profile, you cannot change its Shared setting. Select
Objects > GlobalProtect > HIP Profiles to view the current Location.
Disable override (Panorama only) Controls override access to the HIP profile in device groups that are
descendants of the Device Group selected in the Objects tab. Select this
option if you want to prevent administrators from creating local copies of
the profile in descendant device groups by overriding its inherited values.
This option is cleared by default (override is enabled).
Match Click Add Match Criteria to open the HIP Objects/Profiles Builder.
Select the first HIP object or profile you want to use as match criteria and
then add it to the Match text box on the HIP Objects/Profiles Builder
dialog. Keep in mind that if you want the HIP profile to evaluate the object
as a match only when the criteria in the object is not true for a flow, select
NOT before adding the object.
Continue adding match criteria as appropriate for the profile you are
building, and ensure you select the appropriate Boolean operator (AND
When you have finished adding the objects and profiles to the new HIP
profile, click OK.
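To make the HIP object criteria above (Is Installed, Is Enabled, Vendor/Product, Exclude Vendor, Last Backup Time, Process List) and the NOT/AND/OR combination in the HIP Objects/Profiles Builder concrete, here is an added Python model; it is not Palo Alto Networks code, the firewall's real evaluation is internal, and the report layout, field names and the within/not_within operator names are assumptions.

```python
"""Added model of how a GlobalProtect HIP profile evaluates a HIP report (not Palo Alto
Networks code): per-category criteria live in HIP objects, the profile combines them."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed HIP report, simplified; the key names are assumptions, not the real schema.
SAMPLE_REPORT = {
    "firewall": {"installed": True, "enabled": True, "vendor": "ExampleVendor", "product": "ExampleFW"},
    "disk_backup": {"installed": True, "last_backup": datetime(2021, 10, 1, 8, 0)},
    "disk_encryption": {"installed": True, "vendor": "OldCrypt", "product": "OldCrypt"},
    "processes": {"edr-agent", "explorer"},
}
NOW = datetime(2021, 10, 6, 12, 0)  # fixed clock so Last Backup Time evaluates reproducibly

@dataclass
class SoftwareCriteria:
    """Criteria shared by the Firewall, Anti-Malware, Disk Backup, Disk Encryption and
    DLP tabs of a HIP object. Operator names 'within'/'not_within' are assumptions."""
    is_installed: bool = True
    is_enabled: Optional[bool] = None              # None == the UI's 'none' (not evaluated)
    vendors: dict = field(default_factory=dict)    # vendor -> set of products (empty = any)
    exclude_vendor: bool = False
    last_backup_op: Optional[str] = None           # Disk Backup tab only
    last_backup_window: Optional[timedelta] = None

    def __post_init__(self):
        if not self.is_installed:   # the UI forces Is Enabled to 'none' when Is Installed is cleared
            self.is_enabled = None

    def matches(self, entry: dict, now: datetime) -> bool:
        if entry.get("installed", False) != self.is_installed:
            return False
        if self.is_enabled is not None and entry.get("enabled", False) != self.is_enabled:
            return False
        if self.vendors:
            products = self.vendors.get(entry.get("vendor"))
            found = products is not None and (not products or entry.get("product") in products)
            if found == self.exclude_vendor:   # Exclude Vendor inverts the vendor/product test
                return False
        if self.last_backup_op:
            last = entry.get("last_backup")
            recent = last is not None and now - last <= self.last_backup_window
            if recent != (self.last_backup_op == "within"):
                return False
        return True

@dataclass
class ProcessCheck:
    """Custom Checks > Process List entry; Running cleared means 'match when NOT running'."""
    name: str
    running: bool = True

    def matches(self, report: dict) -> bool:
        return (self.name in report.get("processes", set())) == self.running

@dataclass
class HipObject:
    software: dict = field(default_factory=dict)   # category -> SoftwareCriteria
    processes: list = field(default_factory=list)  # ProcessCheck entries

    def matches(self, report: dict, now: datetime) -> bool:
        # Every category enabled on the object must match: categories are ANDed.
        categories_ok = all(c.matches(report.get(cat, {}), now) for cat, c in self.software.items())
        return categories_ok and all(p.matches(report) for p in self.processes)

def evaluate_profile(expr, objects: dict, report: dict, now: datetime) -> bool:
    """expr is ('obj', name), ('not', e), ('and', e1, e2, ...) or ('or', e1, e2, ...),
    mirroring the NOT / AND / OR choices in the HIP Objects/Profiles Builder."""
    kind = expr[0]
    if kind == "obj":
        return objects[expr[1]].matches(report, now)
    if kind == "not":
        return not evaluate_profile(expr[1], objects, report, now)
    if kind == "and":
        return all(evaluate_profile(e, objects, report, now) for e in expr[1:])
    if kind == "or":
        return any(evaluate_profile(e, objects, report, now) for e in expr[1:])
    raise ValueError(f"unknown operator {kind!r}")

# Constructed HIP objects: a baseline object and one that flags a legacy encryption product.
OBJECTS = {
    "baseline": HipObject(
        software={"firewall": SoftwareCriteria(is_enabled=True, vendors={"ExampleVendor": set()}),
                  "disk_backup": SoftwareCriteria(last_backup_op="within",
                                                  last_backup_window=timedelta(days=7))},
        processes=[ProcessCheck("edr-agent", running=True)]),
    "legacy-encryption": HipObject(
        software={"disk_encryption": SoftwareCriteria(vendors={"OldCrypt": set()})}),
}

def compliant(report: dict = SAMPLE_REPORT, now: datetime = NOW) -> bool:
    """HIP profile 'baseline AND NOT legacy-encryption' applied to one report."""
    expr = ("and", ("obj", "baseline"), ("not", ("obj", "legacy-encryption")))
    return evaluate_profile(expr, OBJECTS, report, now)
```

With the constructed report the profile does not match: the baseline object is satisfied, but the NOT clause fails because the host runs the legacy encryption product.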
Managing the GlobalProtect Agent Software
View more information about the GlobalProtect software releases.
For the initial download and installation of the GlobalProtect app, the user of the endpoint
must be logged in with administrator rights. For subsequent upgrades, administrator rights
are not required.
Version This version number is of the GlobalProtect app software that is available
on the Palo Alto Networks Update Server. To see if a new app software
release is available from Palo Alto Networks, click Check Now. The firewall
uses its service route to connect to the Update Server to determine if new
versions are available and displays them at the top of the list.
Release Date The date and time Palo Alto Networks made the release available.
Downloaded A check mark in this column indicates that the corresponding version of the
app software package has been downloaded to the firewall.
Currently Activated A check mark in this column indicates that the corresponding version of the
app software package has been activated on the firewall and can be
Action Indicates the current action you can take for the corresponding app
software package as follows:
• Download—The corresponding app software version is available on
the Palo Alto Networks Update Server. Click Download to initiate the
download. If the firewall does not have access to the Internet, use an
Internet-connected computer to go to the Customer Support site, and
then select Updates > Software Updates to look for and Download new
app software versions to your local computer. Then manually Upload
the app software to the firewall.
• Activate—The corresponding app software version has been
downloaded to the firewall, but apps cannot yet download it. Click
Activate to activate the software and enable app upgrade. To activate
a software update you manually uploaded to the firewall, click Activate
From File and select the version you want to activate from the drop-
down (you may need to refresh the screen for it to show as Currently
Activated).
• Reactivate—The corresponding app software has been activated and is
ready for the endpoint to download. Because only one version of the
GlobalProtect app software can be active on the firewall at one time,
if your end users require access to a different version than is currently
active, you have to Activate the other version to make it the Currently
Active version.
Release Note Provides a link to the GlobalProtect release notes for the corresponding
app version.
Remove the previously downloaded app software image from the firewall.
Make sure you select the correct installation option for your host operating system (32-bit or
64-bit). If you are installing on a 64-bit host, use the 64-bit browser and Java combination for
the initial installation.
To install the app, open the installer file and follow the on-screen instructions.
For internal mode, the Connection tab displays the entire list of available gateways. For
external mode, the Connection tab displays the gateway to which you are connected and
additional details about the gateway (such as gateway IP address and uptime).
• Host Profile tab—Displays the endpoint data that GlobalProtect uses to monitor and enforce security
policies through the Host Information Profile (HIP). Click Resubmit Host Profile to manually resubmit
HIP data to the gateway.
• Troubleshooting tab—On macOS endpoints, this tab allows you to Collect Logs and set the Logging
Level. On Windows endpoints, this tab allows you to Collect Logs, set the Logging Level, and view the
following information to assist in troubleshooting:
• Network Configurations—Displays the current system configuration.
• Routing Table—Displays information on how the GlobalProtect connection is currently routed.
• Sockets—Displays socket information for the current active connections.
• Logs—Allows the user to display logs for the GlobalProtect app and service. Choose the log type and
debugging level. Click Start to begin logging and Stop to terminate logging.
• Notification tab—Displays the list of notifications triggered on the GlobalProtect app. To view more
details about a specific notification, double-click the notification.
Use the Panorama Web Interface
The web interface on both Panorama and the firewall has the same look and feel. However, the Panorama
web interface includes additional options and a Panorama-specific tab for managing Panorama and for using
Panorama to manage firewalls and Log Collectors.
The following common fields appear in the header or footer of several Panorama web interface pages.
Context You can use the Context drop-down above the left-side menu to switch
between the Panorama web interface and a firewall web interface (see
Context Switch).
In the Dashboard and Monitor tabs, click refresh in the tab header to
manually refresh data in those tabs. You can also use the unlabeled drop-
down on the right side of the tab header to select an automatic refresh
interval in minutes (1 min, 2 mins, or 5 mins); to disable automatic refreshing,
select Manual.
Access Domain An access domain defines access to specific device groups, templates, and
individual firewalls (through the Context drop-down). If you log in as an
administrator with multiple access domains assigned to your account, the
Dashboard, ACC, and Monitor tabs display information (such as log data) only
for the Access Domain you select in the footer of the web interface.
Device Group A device group comprises firewalls and virtual systems that you manage as a
group (see Panorama > Device Groups). The Dashboard, ACC, and Monitor
tabs display information (such as log data) only for the Device Group you
select in the tab header. In the Policies and Objects tabs, you can configure
settings for a specific Device Group or for all device groups (select Shared).
Template A template is a group of firewalls with common network and device settings,
and a template stack is a combination of templates (see Panorama >
Templates). In the Network and Device tabs, you configure settings for a
specific Template or template stack. Because you can edit settings only within
individual templates, the settings in these tabs are read-only if you select a
template stack.
View by: Device Mode By default, the Network and Device tabs display the settings and values
available to firewalls that are in normal operational mode and that support
multiple virtual systems and VPNs. However, you can use the following
options to filter the tabs to display only the mode-specific settings you want
to edit:
• In the Mode drop-down, select or clear the Multi VSYS, Operational
Mode, and VPN Mode options.
The Panorama tab provides the following pages for managing Panorama and Log Collectors.
High Availability Enables you to configure high availability (HA) for a pair of Panorama
management servers. Select Panorama > High Availability.
Config Audit Enables you to see the differences between configuration files. Select Device >
Config Audit.
Password Profiles Enables you to define password profiles for Panorama administrators. Select
Device > Password Profiles.
Administrators Enables you to configure Panorama administrator accounts. Select Panorama >
Administrators.
Admin Roles Enables you to define administrative roles, which control the privileges and
responsibilities of administrators who access Panorama. Select Panorama >
Admin Roles.
Access Domain Enables you to control administrator access to device groups, templates,
template stacks, and the web interface of firewalls. Select Panorama > Access
Domains.
Authentication Profile Enables you to specify a profile for authenticating access to Panorama. Select
Device > Authentication Profile.
Authentication Sequence Enables you to specify a series of authentication profiles to use for permitting
access to Panorama. Select Device > Authentication Sequence.
User Identification Enables you to configure a custom certificate profile for mutual authentication
with User-ID agents. Select Device > User Identification > Connection Security.
Data Redistribution Enables you to selectively redistribute data to other firewalls or Panorama
management systems. Select Device > Data Redistribution.
Managed Devices Enables you to manage firewalls, which includes adding firewalls to Panorama
as managed devices, displaying firewall connection and license status, tagging
firewalls, updating firewall software and content, and loading configuration
backups. Select Panorama > Managed Devices > Summary.
Templates Enables you to manage configuration options in the Device and Network tabs.
Templates and template stacks enable you to reduce the administrative effort
of deploying multiple firewalls with the same or similar configurations. Select
Panorama > Templates.
Device Groups Enables you to configure device groups, which group firewalls based on function,
network segmentation, or geographic location. Device groups can include
physical firewalls, virtual firewalls, and virtual systems.
Typically, firewalls in a device group need similar policy configurations. Using
the Policies and Objects tab on Panorama, device groups provide a way to
implement a layered approach for managing policies across a network of
managed firewalls. You can nest device groups in a tree hierarchy of up to four
levels. Descendant groups automatically inherit the policies and objects of
ancestor groups and of the Shared location. Select Panorama > Device Groups.
Managed Collectors Enables you to manage Log Collectors. Because you use Panorama to configure
Log Collectors, they are also called managed collectors. A managed collector can
be local to the Panorama management server (M-Series appliance or Panorama
virtual appliance in Panorama mode) or a Dedicated Log Collector (M-Series
appliance in Log Collector mode). Select Panorama > Managed Collectors.
You can also install Software Updates for Dedicated Log Collectors.
Collector Groups Enables you to manage Collector Groups. A Collector Group logically groups Log
Collectors so you can apply the same configuration settings and assign firewalls
to them. Panorama uniformly distributes the logs among all the disks in a Log
Collector and across all members in the Collector Group. Select Panorama >
Collector Groups.
Plugins Enables you to manage plugins for third-party integration, such as VMware NSX.
Select Panorama > VMware NSX.
Certificate Management Enables you to configure and manage certificates, certificate profiles, and keys.
Select Manage Firewall and Panorama Certificates.
Log Settings Enables you to forward logs to Simple Network Management Protocol (SNMP)
trap receivers, syslog servers, email servers, and HTTP servers. Select Device >
Log Settings.
Server Profiles Enables you to configure profiles for the different server types that provide
services to Panorama. Select any of the following to configure a specific server
type:
• Device > Server Profiles > Email
• Device > Server Profiles > HTTP
• Device > Server Profiles > SNMP Trap
• Device > Server Profiles > Syslog
• Device > Server Profiles > RADIUS
• Device > Server Profiles > TACACS+
• Device > Server Profiles > LDAP
• Device > Server Profiles > Kerberos
• Device > Server Profiles > SAML Identity Provider
Scheduled Config Export Enables you to export Panorama and firewall configurations to an FTP server or
Secure Copy (SCP) server on a daily basis. Select Panorama > Scheduled Config
Export.
Software Enables you to update Panorama software. Select Panorama > Software.
Dynamic Updates Enables you to view the latest application definitions and information for new
security threats, such as Antivirus signatures (threat prevention license required)
and then update Panorama with the new definitions. Select Device > Dynamic
Updates.
Support Enables you to access product and security alerts from Palo Alto Networks.
Select Device > Support.
Device Deployment Enables you to deploy software and content updates to firewalls and Log
Collectors. Select Panorama > Device Deployment.
Master Key and Diagnostics Enables you to specify a master key to encrypt private keys on Panorama. By
default, Panorama stores private keys in encrypted form even if you don’t specify
a new master key. Select Device > Master Key and Diagnostics.
When pushing configurations to managed devices, Panorama 8.0 and later releases
push the running configuration, which is the configuration that is committed to Panorama.
Panorama 7.1 and earlier releases push the candidate configuration, which includes
uncommitted changes. Therefore, Panorama 8.0 and later releases do not let you push
changes to managed devices until you first commit the changes to Panorama.
• Commit > Push to Devices—Pushes the Panorama running configuration to device groups, templates,
Collector Groups, and WildFire clusters and appliances.
• Commit > Commit and Push—Commits all configuration changes to the local Panorama configuration
and then pushes the Panorama running configuration to device groups, templates, Collector Groups, and
WildFire clusters and appliances.
You can filter pending changes by administrator or location and then commit, push, validate, or preview
only those changes. The location can be specific device groups, templates, Collector Groups, Log Collectors,
WildFire appliances and clusters, shared settings, or the Panorama management server.
When you commit changes, they become part of the running configuration. Changes that you haven’t
committed are part of the candidate configuration. Panorama queues commit requests so that you can
initiate a new commit while a previous commit is in progress. Panorama performs the commits in the order
they are initiated but prioritizes auto-commits that are initiated by Panorama (such as FQDN refreshes).
However, if the queue already has the maximum number of administrator-initiated commits, you must
wait for Panorama to finish processing a pending commit before initiating a new one. You can use the
Task Manager to clear the commit queue or see details about commits. For more information on
configuration changes, commit processes, commit validations, and the commit queue, refer to Panorama
Commit and Validation Operations. You can also Save Candidate Configurations, Revert Changes, and
import, export, or load configurations (Device > Setup > Operations).
The following options are available for committing, validating, or previewing configuration changes.
Field/Button Description
The following options apply when you commit to Panorama by selecting Commit > Commit to Panorama
or Commit > Commit and Push.
Commit All Changes Commits all changes for which you have administrative privileges
(default). You cannot manually filter the scope of the configuration
changes that Panorama commits when you select this option. Instead,
the administrator role assigned to the account you used to log in
determines the commit scope:
• Superuser role—Panorama commits the changes of all
administrators.
Commit Changes Made By Filters the scope of the configuration changes Panorama commits.
The administrative role assigned to the account you used to log in
determines your filtering options:
• Superuser role—You can limit the commit scope to changes that
specific administrators made and to changes in specific locations.
• Custom role—The privileges of the Admin Role profile assigned
to your account determine your filtering options (see Panorama
> Admin Roles). If the profile includes the privilege to Commit
For Other Admins, you can limit the commit scope to changes
configured by specific administrators and to changes in specific
locations. If your Admin Role profile does not include the privilege
to Commit For Other Admins, you can limit the commit scope only
to the changes you made in specific locations.
Filter the commit scope as follows:
• Filter by administrator—Even if your role allows committing
the changes of other administrators, the commit scope includes
only your changes by default. To add other administrators
to the commit scope, click the <usernames> link, select the
administrators, and click OK.
• Filter by location—Select the specific locations for changes to
Include in Commit.
If you have implemented access domains, Panorama automatically
filters the commit scope based on those domains (see Panorama >
Access Domains). Regardless of your administrative role and your
filtering choices, the commit scope includes only the configuration
changes in the access domains assigned to your account.
When you commit changes to a device group, you must include the
changes of all administrators who added, deleted, or repositioned
rules for the same rulebase in that device group.
Commit Scope Lists the locations that have changes to commit. Whether the list
includes all changes or a subset of the changes depends on several
Include in Commit (Partial commit only) Enables you to select the changes you want to commit. By default,
all changes within the Commit Scope are selected. This column
displays only after you choose to Commit Changes Made By specific
administrators.
Group by Type Groups the list of configuration changes in the Commit Scope by
Location Type.
Preview Changes Enables you to compare the configurations you selected in the
Commit Scope to the running configuration. The preview window
uses color coding to indicate which changes are additions (green),
modifications (yellow), or deletions (red).
To help you match the changes to sections of the web interface, you
can configure the preview window to display Lines of Context before
and after each change. These lines are from the files of the candidate
and running configurations that you are comparing.
Change Summary Lists the individual settings for which you are committing changes.
The Change Summary list displays the following information for each
setting:
• Object Name—The name that identifies the policy, object, network
setting, or device setting.
• Type—The type of setting (such as Address, Security rule, or Zone).
• Location Type—Indicates whether the setting is defined in Device
Groups, Templates, Collector Groups, WildFire Appliances, or
Wildfire Appliance Clusters.
• Location—The name of the device group, template, Collector
Group, WildFire cluster, or WildFire appliance where the setting
is defined. The column displays Shared for settings that are not
defined in these locations.
• Operations—Indicates every operation (create, edit, or delete)
performed on the setting since the last commit.
• Owner—The administrator who made the last change to the
setting.
• Will Be Committed—Indicates whether the commit will include the
setting.
• Previous Owners—Administrators who made changes to the
setting before the last change.
Optionally, you can Group By column name (such as Type).
Validate Commit Validates whether the Panorama configuration has correct syntax
and is semantically complete. The output includes the same errors
and warnings that a commit would display, including rule shadowing
and application dependency warnings. The validation process enables
you to find and fix errors before you commit (it makes no changes to
the running configuration). This is useful if you have a fixed commit
window and want to be sure the commit will succeed without errors.
The following options apply when you push configuration changes to managed devices by selecting
Commit > Push to Devices or Commit > Commit and Push.
Push Scope Lists the locations that have changes to push. The locations that the
scope includes by default depend on which of the following options
you select:
• Commit > Commit and Push—The scope includes all locations with
changes that require a Panorama commit.
• Commit > Push to Devices—The scope includes all locations
associated with entities (firewalls, virtual systems, Log Collectors,
WildFire clusters, WildFire appliances) that are Out of Sync with
the Panorama running configuration (see Panorama > Managed
Devices > Summary and Panorama > Managed Collectors for the
synchronization status).
For both selections, Panorama filters the Push Scope by:
• Administrators—Panorama applies the same filters as for the
Commit Scope (see Commit All Changes or Commit Changes Made
By).
• Access domains—If you implemented access domains, Panorama
automatically filters the Push Scope based on those domains (see
Panorama > Access Domains). Regardless of your administrative
role and your filtering choices, the scope includes the configuration
changes only in access domains assigned to your account.
You can Edit Selections for the Push Scope instead of accepting the
default locations.
Entities For each device group or template, this column lists the firewalls (by
device name or serial number) or virtual systems (by name) included in
the push operation.
Edit Selections Click to select the entities to include in the push operation:
• Device Groups and Templates
• Log Collector Groups
Panorama won’t let you push changes that you did not
yet commit to the Panorama configuration.
Device Groups and Templates Edit Selections and select Device Groups or Templates to display the
options in the following rows.
Filters Filter the list of templates, template stacks, or device groups and the
associated firewalls and virtual systems.
You can also filter managed firewalls according to their commit state,
device state, tags, and high availability (HA) status.
Last Commit State Indicates whether the firewall and virtual system configurations are
synchronized with the template or device group configurations in
Panorama.
HA Status Indicates the high availability (HA) state of the listed firewalls:
• Active—Normal traffic-handling operational state.
• Passive—Normal backup state.
• Initiating—The firewall is in this state for up to 60 seconds after
bootup.
• Non-functional—Error state.
• Suspended—An administrator disabled the firewall.
• Tentative—For a link or path monitoring event in an active/active
configuration.
Changes Pending (Panorama) Commit Indicates whether a Panorama commit is (yes) or is not (no) required
before you push changes to the selected firewalls and virtual systems.
Preview Changes column Preview Changes to compare the configurations you selected in the
Push Scope to the Panorama running configuration. Panorama filters
the output to show results only for the firewalls and virtual systems
you selected in the Device Groups or Templates tab. The preview
window uses color coding to indicate which changes are additions
(green), modifications (yellow), or deletions (red).
Expand All Displays the firewalls and virtual systems assigned to templates,
template stacks, or device groups.
Collapse All Displays only the templates, template stacks, or device groups, not the
firewalls or virtual systems assigned to them.
Group HA Peers Groups firewalls that are peers in a high availability (HA) configuration.
The resulting list displays the active firewall (or active-primary
firewall in an active/active configuration) first and the passive firewall
(or active-secondary firewall in an active/active configuration) in
parentheses. This enables you to easily identify firewalls that are in
HA mode. When pushing shared policies, you can push to the grouped
pair instead of individual peers.
Validate Click to validate the configurations you are pushing to the selected
firewalls and virtual systems. The Task Manager automatically opens
to display the validation status.
Filter Selected If you want the list to display only specific firewalls or virtual systems,
select them and then select Filter Selected.
Merge with Candidate Config (Selected by default) Merges the configuration changes pushed from
Panorama with any pending configuration changes that administrators
implemented locally on the target firewall. The push operation triggers
PAN-OS® to commit the merged changes. If you clear this selection,
the commit excludes the candidate configuration on the firewall.
Include Device and Network Templates (Device Groups tab only) (Selected by default) Pushes both the device group changes and the
associated template changes to the selected firewalls and virtual
systems in a single operation. To push these changes as separate
operations, clear this option.
Force Template Values Overrides all local settings with objects defined in the templates or
template stacks. This includes locally configured objects as well as
objects pushed from Panorama that were locally overwritten. If an
object is locally configured on the firewall, but is not configured in a
Log Collector Groups Edit Selections and select Log Collector Groups to include in the push
operation. This tab displays the following options:
• Select All—Selects every Collector Group in the list.
• Deselect All—Deselects every Collector Group in the list.
WildFire Appliances and Clusters Edit Selections and select WildFire Appliances and Clusters to display
the following options.
Name Select the WildFire appliances and clusters to which Panorama will
push changes.
Last Commit State Indicates whether the WildFire appliance and cluster configurations
are synchronized with Panorama.
No Default Selections Enable (check) to remove the devices selected by default to manually
select specific devices to push to. The default devices Panorama
pushes to are based on the impacted device group and template
configuration changes.
Validate Device Group Push Validates the configurations you are pushing to the device groups in
the Push Scope list. The Task Manager automatically opens to display
the validation status.
Validate Template Push Validates the configurations you are pushing to the templates in the
Push Scope list. The Task Manager automatically opens to display the
validation status.
Group by Location Type Select to use Location Type to group the Push Scope list.
The following options apply when you commit the Panorama configuration or push changes to devices.
Commit / Push / Commit and Push Starts the commit or, if other commits are pending, adds the commit
request to the commit queue.
You must reboot Panorama after changing the storage partition settings: select
Panorama > Setup > Operations and Reboot Panorama.
NFS storage is not available to the Panorama virtual appliance in Panorama mode or to
M-Series appliances.
Log Directory Specify the full path name of the directory where the logs will reside.
Protocol Specify the protocol (UDP or TCP) for communication with the NFS server.
Port Specify the port for communication with the NFS server.
Read Size Specify the maximum size in bytes (range is 256 to 32,768) for NFS read operations.
Write Size Specify the maximum size in bytes (range is 256 to 32,768) for NFS write
operations.
Copy on Setup Select to mount the NFS partition and copy any existing logs to the destination
directory on the server when Panorama boots.
Test Logging Partitions Select to perform a test that mounts the NFS partition and presents a
success or failure message.
To reduce traffic on the MGT interface, configure other interfaces to deploy updates, collect
logs, and communicate with Collector Groups. In an environment with heavy log traffic, you
can configure several interfaces for log collection. Additionally, to improve the security of
management traffic, you can define a separate subnet (IPv4 Netmask or IPv6 Prefix Length)
for the MGT interface that is more private than the subnets for the other interfaces.
To configure an interface, click the Interface Name and configure the settings described in the following
table.
Always specify the IP address, the netmask (for IPv4) or prefix length (for IPv6), and
the default gateway for the MGT interface. If you omit values for some settings (such as
the default gateway), you can access Panorama only through the console port for future
configuration changes. You cannot commit the configurations for other interfaces unless you
specify all three settings. This requirement does not apply to a Panorama virtual appliance
on supported cloud hypervisors because only DHCP is supported for interfaces.
Eth1 / Eth2 / Eth3 / Eth4 / Eth5 You must enable an interface to configure it. The exception is the
MGT interface, which is enabled by default.
IP Address (IPv4) If your network uses IPv4 addresses, assign an IPv4 address to the interface.
Netmask (IPv4) If you assigned an IPv4 address to the interface, you must also enter a network
mask (such as 255.255.255.0).
Default Gateway (IPv4) If you assigned an IPv4 address to the interface, you must also assign an
IPv4 address to the default gateway (the gateway must be on the same subnet as the interface).
IPv6 Address/Prefix Length If your network uses IPv6 addresses, assign an IPv6 address to the
interface. To indicate the netmask, enter an IPv6 prefix length (such as 2001:400:f00::1/64).
Default IPv6 Gateway If you assigned an IPv6 address to the interface, you must also assign an IPv6
address to the default gateway (the gateway must be on the same subnet as
the interface).
Speed Set the speed for the interface to 10Mbps, 100Mbps, 1Gbps, or 10Gbps (Eth4
and Eth5 only) at full or half duplex. Use the default auto-negotiate setting to
have Panorama determine the interface speed.
MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this
interface (range is 576 to 1,500; default is 1,500).
Device Management and Device Log Collection Enable the interface (enabled by default on the
MGT interface) for managing firewalls and Log Collectors and collecting their logs. You can enable
multiple interfaces to perform these functions.
Collector Group Communication Enable the interface for Collector Group communication (the
default is the MGT interface). Only one interface can perform this function.
Syslog Forwarding Enable the interface for forwarding syslogs (the default is the MGT interface).
Only one interface can perform this function.
Device Deployment Enable the interface for deploying software and content updates to firewalls
and Log Collectors (the default is the MGT interface). Only one interface can
perform this function.
Administrative Management Services • HTTP—Enables access to the Panorama web interface. HTTP
uses plaintext, which is not as secure as HTTPS.
Network Connectivity Services The Ping service is available on any interface. You can use ping to
test connectivity between the Panorama interface and external services. In a high availability (HA)
deployment, HA peers use ping to exchange heartbeat backup information.
The following services are available only on the MGT interface:
• SNMP—Enables Panorama to process statistics queries from an SNMP
manager. For details, see Enable SNMP Monitoring.
• User-ID—Enables Panorama to redistribute user mapping information
received from User-ID agents.
Permitted IP Addresses Enter the IP addresses from which administrators can access Panorama on
this interface. An empty list (default) specifies that access is available from any IP address.
Setup
Click Edit to configure the following settings.
Peer HA IP Address Enter the IP address of the MGT interface on the peer.
Enable Encryption When enabled, the MGT interface encrypts communication between the HA
peers. Before enabling encryption, export the HA key from each HA peer and
import the key into the other peer. You import and export the HA key on the
Panorama > Certificate Management > Certificates page (see Manage Firewall
and Panorama Certificates).
Monitor Hold Time (ms) Enter the number of milliseconds that the system will wait before acting on
a control link failure (range is 1,000 to 60,000; default is 3,000).
Election Settings
Click Edit to configure the following settings.
Priority (Required on the Panorama virtual appliance) This setting determines which peer is the
primary recipient for firewall logs. Assign one peer as Primary and the other as Secondary in the
HA pair.
When you configure Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode, you
can use its internal disk (default) or a Network File System (NFS) for log storage. If you configure
an NFS, only the primary recipient receives the firewall logs. If you configure internal disk storage,
the firewalls send logs to both the primary and the secondary peer by default but you can change
this by enabling Only Active Primary Logs to Local Disk in the Logging and Reporting Settings.
Preemptive Select to enable the primary Panorama to resume active operation after
recovering from a failure. When disabled, the secondary Panorama remains
active even after the primary Panorama recovers from a failure.
HA Timer Settings Your selection determines the values for the remaining HA election settings,
which control the failover speed:
• Recommended—Select for typical (default) failover timer settings. To see
the associated values, select Advanced and Load Recommended.
• Aggressive—Select for faster failover timer settings. To see the associated
values, select Advanced and Load Aggressive.
Promotion Hold Time (ms) Enter the number of milliseconds (range is 0 to 60,000) the secondary
Panorama peer waits before taking over after the primary peer goes down. The recommended
(default) value is 2,000; the aggressive value is 500.
Hello Interval (ms) Enter the number of milliseconds (range is 8,000 to 60,000) between
hello packets that are sent to verify that the other peer is operational. The
recommended (default) and aggressive value is 8,000.
Heartbeat Interval (ms) Specify the frequency in milliseconds (range is 1,000 to 60,000) at which
Panorama sends ICMP pings to the HA peer. The recommended (default) value
is 2,000; the aggressive value is 1,000.
Preemption Hold Time (min) This field applies only if you also select Preemptive. Enter the number
of minutes (range is 1 to 60) the passive Panorama peer will wait before falling back to active status
after it recovers from an event that caused failover. The recommended (default) and aggressive
value is 1.
Monitor Fail Hold Up Time (ms) Specify the number of milliseconds (range is 0 to 60,000) Panorama
waits after a path monitor failure before attempting to re-enter the passive state. During this period,
the passive peer is not available to take over for the active peer in the event of failure. This interval
enables Panorama to avoid a failover due to the occasional flapping of neighboring devices. The
recommended (default) and aggressive value is 0.
Additional Master Hold Up Time (ms) Specify the number of milliseconds (range is 0 to 60,000)
during which the preempting peer remains in the passive state before taking over as the active peer.
The recommended (default) value is 7,000; the aggressive value is 5,000.
Path Monitoring
Click Edit to configure HA path monitoring.
Failure Condition Select whether a failover occurs when Any or All of the monitored path groups
fail to respond.
Path Group
To create a path group for HA path monitoring, click Add and complete the following fields.
Failure Condition Select whether a failure occurs when Any or All of the specified destination
addresses fails to respond.
Ping Interval Specify the number of milliseconds between the ICMP echo messages that
verify that the path to the destination IP address is up (range is 1,000 to
60,000; default is 5,000).
Ping Count Specify the number of failed pings before declaring a failure (range is 3 to 10;
default is 3).
Destination IPs Enter one or more destination IP addresses to monitor. Use commas to
separate multiple addresses.
Task Description
Create Cluster As needed, Create Cluster, enter a name for the new cluster, and then click
OK.
Existing clusters that you configured locally and added to Panorama by adding
the individual WildFire appliance nodes are listed along with their WildFire
nodes and node roles (Panorama > Managed WildFire Appliances).
The cluster name must be a valid subdomain name that begins with a
lowercase character or number and that can contain hyphens only when
they are not the first or last character in the cluster name—no spaces or
other characters are allowed. The maximum length of a cluster name is 63
characters.
After you create a cluster, you can add managed WildFire appliances to the
cluster and manage them on Panorama. When you add a WildFire appliance
to Panorama, you automatically register the appliance with Panorama.
You can create a maximum of 10 managed WildFire clusters on Panorama
and each cluster can have up to 20 WildFire appliance nodes. Panorama can
manage up to an aggregate total of 200 standalone appliances and cluster
nodes.
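The cluster-name rule and the capacity limits stated above, written as checks you can run before creating a cluster. This is an added example, not Panorama code. It assumes that, apart from the first character, a name is limited to lowercase letters, digits and hyphens (the text allows "no spaces or other characters"); the limits of 10 clusters, 20 nodes per cluster and 200 managed appliances are taken from the text.

```python
import re

# Added example, not Panorama code: the cluster-name rule as a regular
# expression. Assumption: only lowercase letters, digits and hyphens are
# allowed anywhere in the name.
CLUSTER_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Limits taken from the text above.
MAX_CLUSTERS = 10
MAX_NODES_PER_CLUSTER = 20
MAX_MANAGED_APPLIANCES = 200


def validate_cluster_name(name: str) -> list[str]:
    """Return the rule violations for a proposed cluster name (empty list = valid)."""
    problems: list[str] = []
    if not name:
        return ["name is empty"]
    if len(name) > 63:
        problems.append("longer than 63 characters")
    if name[0] == "-" or name[-1] == "-":
        problems.append("hyphen as first or last character")
    if re.search(r"[^a-z0-9-]", name):
        problems.append("contains characters other than lowercase letters, digits and hyphens")
    # The regex restates the same rule in one place; it only fires if one of
    # the explicit checks above missed a case.
    if not problems and not CLUSTER_NAME_RE.match(name):
        problems.append("does not match the subdomain-label rule")
    return problems


def check_capacity(cluster_sizes: dict[str, int], standalone_count: int) -> list[str]:
    """Check a planned inventory (cluster name -> node count, plus standalone
    appliances) against the Panorama limits stated above."""
    problems: list[str] = []
    if len(cluster_sizes) > MAX_CLUSTERS:
        problems.append(f"{len(cluster_sizes)} clusters exceeds the limit of {MAX_CLUSTERS}")
    for cname, size in cluster_sizes.items():
        if size > MAX_NODES_PER_CLUSTER:
            problems.append(f"cluster {cname!r} has {size} nodes; the limit is {MAX_NODES_PER_CLUSTER}")
    total = sum(cluster_sizes.values()) + standalone_count
    if total > MAX_MANAGED_APPLIANCES:
        problems.append(f"{total} managed appliances exceeds the limit of {MAX_MANAGED_APPLIANCES}")
    return problems


if __name__ == "__main__":
    for candidate in ("wf-cluster-1", "-wf", "Wf_Cluster", "a" * 64):
        print(candidate[:20], validate_cluster_name(candidate) or "ok")
    # Ten full clusters plus one standalone appliance is one over the total.
    print(check_capacity({f"c{i}": 20 for i in range(10)}, 1))
```

Run the file directly to see the four sample names checked and the capacity check for a full inventory.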
Import Cluster Config Import Cluster Config to import an existing cluster configuration. If you select
a cluster before you Import Cluster Config, the Controller and Cluster are
automatically populated with the appropriate information for the selected
cluster. If you do not select a cluster before you Import Cluster Config, then
you must select the Controller and the Cluster populates automatically based
on the Controller node you select.
Remove From Panorama If you no longer need to manage a WildFire cluster from Panorama, Remove
From Panorama and select Yes to confirm your action. After you remove a cluster from Panorama
management, you can manage the cluster locally from a Controller node. You can add the cluster
back in to the Panorama appliance at any time if you want to again manage the cluster centrally
instead of locally.
Task Description
Add Appliance Add Appliance to add one or more WildFire appliances to a Panorama
appliance for centralized management. Enter the serial number of each
WildFire appliance on a separate row (new line). Panorama can manage up
to an aggregate total of 200 WildFire cluster nodes and standalone WildFire
appliances.
On each WildFire appliance you want to manage on Panorama, configure
the IP address or FQDN of the Panorama appliance (Panorama server) and,
optionally, the backup Panorama server using the following WildFire appliance
CLI commands:
set deviceconfig system panorama-server <ip-address | FQDN>
set deviceconfig system panorama-server-2 <ip-address | FQDN>
Import Config Select a WildFire appliance and Import Config to import (only) the running
configuration for that appliance to Panorama.
Remove If you no longer need to manage a WildFire appliance from Panorama, Remove
the appliance and select Yes to confirm your action. After you remove an
appliance from Panorama management, you can manage the appliance locally
using its CLI. If needed, you can add the appliance back into the Panorama
appliance at any time if you want to again manage the appliance centrally
instead of locally.
Serial Number (Managed WildFire Appliances view only) The serial number of the appliance. The
Managed WildFire Clusters view displays the serial number in the same column as the appliance
name (the serial number is not part of the name).
Software Version The software version installed and running on the appliance.
Cluster Name The name of the cluster in which the appliance is included as a node; nothing
displays here for a standalone appliance.
Analysis Environment The analysis environment (vm1, vm2, vm3, vm4, or vm5). Each analysis
environment represents a set of operating systems and applications:
• vm-1 supports Windows XP, Adobe Reader 9.3.3, Flash 9, PE, PDF, and
Office 2003 and earlier Office releases.
• vm-2 supports Windows XP, Adobe Reader 9.4.0, Flash 10n, PE, PDF, and
Office 2007 and earlier Office releases.
Config Status The configuration synchronization status of the appliance. The Panorama
appliance checks for WildFire appliance settings and reports configuration
differences between the appliance configuration and the configuration saved
for that appliance on Panorama.
• In Sync—The appliance configuration is in sync with its saved configuration
on Panorama.
• Out of Sync—The appliance configuration is not in sync with its saved
configuration on Panorama. You can mouse over the eyeglass to display
the cause of the sync failure.
Cluster Status (Managed WildFire Clusters page only) Cluster Status displays three types of
information for each cluster node:
• Services available (normal operating conditions):
  • wfpc (WildFire Private Cloud)—The malware sample analysis and reporting service.
  • signature—The local signature generation service.
• Progress of operations—the operation name followed by a colon (:) and the status:
  • Operations—Status for decommission, suspend, and reboot operations.
  • Progress status—Operation status notifications are the same for each operation: requested,
    ongoing, denied, success, or fail.
  For example, if you suspend a node and the operation is ongoing, Cluster Status displays
  suspend:ongoing, or if you reboot a node and the operation has been requested but has not yet
  begun, Cluster Status displays reboot:requested.
• Error conditions—Cluster Status displays the following error conditions:
  • Cluster—cluster:offline or cluster:splitbrain.
  • Service—service:suspended or service:none.
Last Commit State Commit succeeded if the most recent commit succeeded or commit
failed if the most recent commit failed. View details about the last commit
by selecting the state.
View View cluster or appliance utilization statistics. You can view only individual
appliances (Panorama > Managed WildFire Appliances) or you can view only
cluster statistics (Panorama > Managed WildFire Clusters).
• Appliance—(Standalone appliance view only) The appliance serial number.
• Cluster—(Cluster view only) The cluster name. You can also select a
different cluster to view.
• Duration—Displays the time period for which statistics are collected and
displayed. You can select different durations:
• 15 Min
• Last Hour
• Last 24 Hours (default)
• Last 7 Days
• All
The Utilization View has four tabs and, on each tab, you determine what is
displayed based on your configured Duration.
General Tab The General tab displays aggregated resource utilization statistics for a cluster
or an appliance. The other tabs display more granular information about
resource utilization by file type:
• Total Disk Usage—The total cluster or appliance disk usage.
• Verdict—The Total number of verdicts, the number of each verdict type
assigned to files—Malware, Grayware, and Benign; and how many verdicts
were Error verdicts.
• Sample Statistics—The total number of samples Submitted and Analyzed
and how many samples are Pending analysis.
• Analysis Environment & System Utilization:
• File Type Analyzed—The type of file that was analyzed—Executable,
Non-Executable, or Links.
• Virtual Machine Usage—The number of virtual machines used for
each file type analyzed and how many virtual machines are available
to analyze each file type. For example, for Executable files, VM usage
could be 6/10 (six VMs used and ten VMs available).
• Files Analyzed—The number of files of each type that were analyzed.
Executable, Non-Executable, and Links Tabs The Executable, Non-Executable, and Links tabs display
similar information about each type of file:
• Verdict—Details about verdicts by file type. You can filter the results:
• Search box—Enter search terms to filter the verdicts. The search box
indicates the number of file types (items) in the list. After you enter
search terms, apply the filter or clear the filter and enter a
different set of terms.
• File Type—List files by type. For example, the Executable
tab displays .exe and .dll file types; the Non-Executable tab
displays .pdf, .jar, .doc, .ppt, .xls, .docx, .pptx, .xlsx, .rtf, class, and .swf
file types; and the Links tab displays elink file type information.
• For each File Type, the total number of verdicts for Malware,
Grayware, and Benign files, the number of Error verdicts, and the Total
number of verdicts are displayed on each tab.
• Sample Statistics—Details about sample analysis by file type.
• Search box—Same as the Verdict search box.
• File Type—Same as the Verdict File Type.
• For each File Type, the total number of files Submitted for analysis, the
total number Analyzed, and the number Pending analysis are displayed
on each tab.
View View information about the firewalls connected to the cluster or the
appliance. You can view only individual appliances (Panorama > Managed
WildFire Appliances) or you can view only cluster statistics (Panorama >
Managed WildFire Clusters).
• Appliance—(Standalone appliance view only) The appliance serial number.
• Cluster—(Cluster view only) The cluster name. You can also select a
different cluster to view.
• Refresh—Refresh the display.
Registered and Submitting Samples Tabs The Registered tab displays information about firewalls
registered to the cluster or appliance, regardless of whether the firewalls are submitting samples.
The Submitting Samples tab displays information about firewalls that are
actively submitting samples to the WildFire cluster or appliance.
The type of information displayed on these tabs and how to filter the
information is similar for both:
• Search box—Enter search terms to filter the list of firewalls. The search
box indicates the number of firewalls (items) in the list. After you enter
search terms, apply the filter or clear the filter and enter a
different set of terms.
• S/N—The serial number of the firewall.
• IP Address—The IP address of the firewall.
• Model—The model number of the firewall.
• Software Version—The software version installed and running on the
firewall.
Setting Description
General tab
Register Firewall To The domain name to which you register firewalls. Format must be
wfpc.service.<cluster-name>.<domain>. For example, the default
domain name is wfpc.service.mycluster.paloaltonetworks.com.
Content Update Server Enter the Content Update Server location or use the default
wildfire.paloaltonetworks.com so that the cluster or appliance
receives content updates from the closest server in the Content Delivery
Network infrastructure. Connecting to the global cloud gives you the benefit
of accessing signatures and updates based on threat analysis from all sources
connected to the cloud, instead of relying only on the analysis of local threats.
Check Server Identity Check Server Identity to confirm the identity of the update server by
matching the common name (CN) in the certificate with the IP address or
FQDN of the server.
WildFire Cloud Server Enter the global WildFire Cloud Server location or use the default
wildfire.paloaltonetworks.com so that the cluster or appliance
can send information to the closest server. You can choose whether to
send information and what types of information to send to the global cloud
(WildFire Cloud Services).
Sample Analysis Image Select the VM image for the cluster or appliance to use for sample analysis
(default is vm-5). You can Get a Malware Test File (WildFire API) to see the
result of the sample analysis.
WildFire Cloud Services If the cluster or appliance is connected to the global WildFire Cloud Server,
you can choose whether to Send Analysis Data, Send Malicious Samples,
Send Diagnostics to the global cloud or any combination of the three. You can
also choose whether to perform a Verdict Lookup in the global cloud. Sending
information to the global cloud benefits the entire community of WildFire
Sample Data Retention The number of days to retain benign or grayware samples and malicious
samples:
• Benign/Grayware samples—Range is 1 to 90; default is 14.
• Malicious samples—Minimum is 1 and there is no maximum (indefinite);
default is indefinite.
Signature Generation Select whether you want the cluster or appliance to generate signatures for
AV, DNS, URLs, or any combination of the three.
Appliance tab
Panorama Server Enter the IP address or FQDN of the appliance or of the primary Panorama
managing the cluster.
Panorama Server 2 Enter the IP address or FQDN of the appliance or of the backup Panorama
managing the cluster.
Primary DNS Server Enter the IP address of the primary DNS Server.
Secondary DNS Server Enter the IP address of the secondary DNS Server.
Timezone Select the time zone to use for the cluster or appliance.
Primary NTP Server Enter the IP address of the primary NTP Server and set the Authentication
Type to None (default), Symmetric Key, or Autokey.
Setting the Authentication Type to Symmetric Key reveals four more fields:
• Key ID—Enter the authentication key ID.
• Algorithm—Set the authentication algorithm to SHA1 or MD5.
• Authentication Key—Enter the authentication key.
• Confirm Authentication Key—Enter the authentication key again to
confirm it.
Secondary NTP Server Enter the IP address of the secondary NTP Server and set the Authentication
Type to None (default), Symmetric Key, or Autokey.
Setting the Authentication Type to Symmetric Key reveals four more fields:
• Key ID—Enter the authentication key ID.
• Algorithm—Set the authentication algorithm to SHA1 or MD5.
• Authentication Key—Enter the authentication key.
• Confirm Authentication Key—Enter the authentication key again to
confirm it.
Login Banner Enter a banner message that displays when users log in to the cluster or
appliance.
Add Add log forwarding profiles (Panorama > Managed WildFire Clusters >
<cluster> > Logging > System or Panorama > Managed WildFire Clusters >
<cluster> > Logging > Configuration) to forward:
• system or configuration logs as SNMP traps to SNMP trap receivers.
• syslog messages to syslog servers.
• email notifications to email servers.
• HTTP requests to HTTP servers.
No other log types are supported (see Device > Log Settings).
The Log Forwarding profiles specify which logs to forward and to which
destination servers. For each profile, complete the following:
• Name—A name that identifies the log settings (up to 31 characters) that
consists of alphanumeric characters and underscores only—spaces and
special characters are not allowed.
• Filter—By default, the Panorama appliance forwards All Logs of the
specified profile. To forward a subset of the logs, select a filter (severity
eq critical, severity eq high, severity eq informational, severity eq low, or
severity eq medium) or select Filter Builder to create a new filter.
• Description—Enter a description (up to 1,023 characters) to explain the
purpose of the profile.
Add > Filter > Filter Builder Use Filter Builder to create new log filters. Select Create Filter to
construct filters and, for each query in a new filter, specify the following settings and then Add the
query:
• Connector—Select the connector logic (and or or). Select Negate if you
want to apply negation. For example, to avoid forwarding a subset of log
descriptions, select Description as the Attribute, select contains as the
Operator, and enter the description string as the Value to identify the
description or descriptions that you don’t want to forward.
• Attribute—Select a log attribute. The options vary by log type.
• Operator—Select the criterion that determines how the attribute applies
(such as contains). The options vary by log type.
• Value—Specify the attribute value to match.
• Add—Add the new filter.
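The forwarding decision that a profile's Filter (the predefined severity filters listed under Add, or a filter built from Connector, Negate, Attribute, Operator and Value queries as described above) makes for each system log entry, as an added example. This is not Panorama or PAN-OS code; the log entries are constructed sample data, only the eq, neq and contains operators are implemented, and the evaluation order (and binds tighter than or) is an assumption rather than documented PAN-OS behaviour.

```python
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Query:
    """One Filter Builder query: Connector, Negate, Attribute, Operator, Value."""
    attribute: str
    operator: str           # "eq", "neq" or "contains" in this example
    value: Any
    negate: bool = False
    connector: str = "and"  # joins this query to the one before it: "and" or "or"


# Constructed system-log entries (sample data, not real Panorama logs).
SAMPLE_SYSTEM_LOGS = [
    {"severity": "critical", "eventid": "ha-peer-down", "description": "HA peer connection lost"},
    {"severity": "high", "eventid": "ntp-sync-fail", "description": "Failed to synchronize with NTP server"},
    {"severity": "informational", "eventid": "commit-success", "description": "Commit job succeeded"},
    {"severity": "medium", "eventid": "content-update", "description": "Scheduled content update completed"},
]


def match_query(query: Query, entry: dict) -> bool:
    """Apply a single query to one log entry, honouring Negate.

    A missing attribute never matches, so a negated query on it matches."""
    actual = entry.get(query.attribute)
    if actual is None:
        matched = False
    elif query.operator == "eq":
        matched = actual == query.value
    elif query.operator == "neq":
        matched = actual != query.value
    elif query.operator == "contains":
        matched = str(query.value).lower() in str(actual).lower()
    else:
        raise ValueError(f"unsupported operator {query.operator!r}")
    return not matched if query.negate else matched


def match_filter(queries: list[Query], entry: dict) -> bool:
    """Evaluate the whole filter. An empty filter means All Logs.

    Assumption: "and" binds tighter than "or", so the query list is split at
    each "or" connector into groups that are each ANDed together."""
    if not queries:
        return True
    groups: list[list[Query]] = [[]]
    for index, query in enumerate(queries):
        if index > 0 and query.connector == "or":
            groups.append([])
        groups[-1].append(query)
    return any(all(match_query(q, entry) for q in group) for group in groups)


def select_logs_to_forward(queries: list[Query], entries: list[dict]) -> list[dict]:
    """Return the entries a profile with this filter would forward."""
    return [entry for entry in entries if match_filter(queries, entry)]


if __name__ == "__main__":
    # severity eq critical OR (severity eq high AND NOT description contains "commit")
    profile_filter = [
        Query("severity", "eq", "critical"),
        Query("severity", "eq", "high", connector="or"),
        Query("description", "contains", "commit", negate=True),
    ]
    for entry in select_logs_to_forward(profile_filter, SAMPLE_SYSTEM_LOGS):
        print(entry["severity"], entry["description"])
```

The negated contains query is the pattern the Connector description above gives for keeping a subset of log descriptions out of the forwarded stream; running the sample filter shows the critical and high entries forwarded and the commit entry dropped.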
To display or export logs that the filter matches, select View Filtered Logs.
• To find matching log entries, you can add artifacts to the search field, such
as an IP address or a time range.
• Select the time period for which you want to see logs: Last 15 Minutes,
Last Hour, Last 6 Hrs, Last 12 Hrs, Last 24 Hrs, Last 7 Days, Last 30 Days,
or All (default).
• Use the options to the right of the time period drop-down to apply, clear,
add, save, and load filters:
• Apply filters—Display log entries that match the terms in the search field.
• Clear filters—Clear the filter field.
• Add a new filter—Define new search criteria (takes you to Add Log Filter, which is similar to
create filters).
• Save a filter—Enter a name for the filter and then click OK.
• Use a saved filter—Add a saved filter to the filter field.
• Export to CSV—Export logs to a CSV-formatted report and then Download file. By default, the
report contains up to 2,000 lines of logs.
To change the line limit for generated CSV reports, select Device >
Setup > Management > Logging and Reporting Settings > Log Export
and Reporting and enter a new Max Rows in CSV Export value.
You can change the number and order of entries displayed per page and you
can use the paging controls at the bottom left of the page to navigate through
the log list. Log entries are retrieved in blocks of 10 pages.
• per page—Use the drop-down to change the number of log entries per
page (20, 30, 40, 50, 75, or 100).
• ASC or DESC—Select ASC to sort results in ascending order (oldest log
entry first) or DESC to sort in descending order (newest log entry first).
The default is DESC.
• Resolve Hostname—Select to resolve external IP addresses to domain
names.
• Highlight Policy Actions—Specify an action and select to highlight log
entries that match the action. The filtered logs are highlighted in the
following colors:
Delete Select and then Delete the log forwarding settings you want to remove from
the System or Configuration log list.
Authentication tab
Authentication Profile Select a configured authentication profile to define the authentication service
that validates the login credentials of the WildFire appliance or Panorama
administrators.
Failed Attempts Enter the number of failed login attempts that the WildFire appliance allows
on the CLI before locking out the administrator (range is 0 to 10; default is
10). Limiting login attempts helps protect the WildFire appliance from brute
force attacks. A value of 0 specifies unlimited login attempts.
Lockout Time (min) Enter the number of minutes for which the WildFire appliance locks out an
administrator from access to the CLI after reaching the Failed Attempts limit
(range is 0 to 60; default is 5). A value of 0 means the lockout applies until
another administrator manually unlocks the account.
Idle Timeout (min) Enter the maximum number of minutes without any activity on the CLI before
an administrator is automatically logged out (range is 0 to 1,440; default
is None). A value of 0 means that inactivity does not trigger an automatic
logout.
Max Session Count Enter the number of active sessions the administrator can have open
concurrently. The default is 0, which means that the WildFire appliance can have an unlimited
number of concurrently active sessions.
Max Session time Enter the number of minutes the administrator can be logged in before being
automatically logged out. The default is 0, which means that the administrator
can be logged in indefinitely even if idle.
Local Administrators Add and configure new administrators for the WildFire appliance. These
administrators are unique to the WildFire appliance and are managed from this page (Panorama >
Managed WildFire Appliances > Authentication).
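How the Failed Attempts and Lockout Time settings described above interact, as an added example that simulates the CLI lockout rather than reproducing any WildFire appliance code. The ranges and the meaning of 0 for each setting are taken from the text; the simulated clock (minutes passed in by the caller), the per-administrator state and the "ok"/"rejected"/"locked" results are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class CliLoginPolicy:
    """The Failed Attempts and Lockout Time settings described above."""
    failed_attempts: int = 10   # 0 = unlimited attempts (no lockout)
    lockout_minutes: int = 5    # 0 = locked until another administrator unlocks the account

    def __post_init__(self) -> None:
        if not 0 <= self.failed_attempts <= 10:
            raise ValueError("Failed Attempts must be in the range 0 to 10")
        if not 0 <= self.lockout_minutes <= 60:
            raise ValueError("Lockout Time must be in the range 0 to 60")


@dataclass
class AdminState:
    failures: int = 0
    locked_at: Optional[float] = None   # simulated clock, in minutes


class CliLoginGuard:
    """Tracks failed CLI logins per administrator and enforces the lockout.
    (Added example; the appliance's own bookkeeping is not documented here.)"""

    def __init__(self, policy: CliLoginPolicy) -> None:
        self.policy = policy
        self.admins: dict[str, AdminState] = {}

    def _state(self, user: str) -> AdminState:
        return self.admins.setdefault(user, AdminState())

    def is_locked(self, user: str, now_minutes: float) -> bool:
        state = self._state(user)
        if state.locked_at is None:
            return False
        if self.policy.lockout_minutes == 0:
            return True                 # a Lockout Time of 0 never expires on its own
        if now_minutes - state.locked_at >= self.policy.lockout_minutes:
            state.locked_at = None      # lockout has elapsed; start counting afresh
            state.failures = 0
            return False
        return True

    def record_attempt(self, user: str, password_ok: bool, now_minutes: float) -> str:
        """Return "ok", "rejected" or "locked" for one login attempt."""
        if self.is_locked(user, now_minutes):
            return "locked"             # even a correct password is refused while locked
        state = self._state(user)
        if password_ok:
            state.failures = 0
            return "ok"
        state.failures += 1
        limit = self.policy.failed_attempts
        if limit and state.failures >= limit:
            state.locked_at = now_minutes
            return "locked"
        return "rejected"

    def unlock(self, user: str) -> None:
        """Manual unlock by another administrator (the only way out when Lockout Time is 0)."""
        self.admins[user] = AdminState()


if __name__ == "__main__":
    guard = CliLoginGuard(CliLoginPolicy(failed_attempts=3, lockout_minutes=5))
    for minute, ok in ((0, False), (1, False), (2, False), (3, True), (7, True)):
        print(minute, guard.record_attempt("ops-admin", ok, minute))
```

Running the sample shows three bad passwords in a row locking the account, a correct password refused one minute later, and access restored once the five-minute Lockout Time has elapsed.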
Clustering tab (Managed WildFire Clusters only) and Interfaces tab (Managed WildFire Appliances only)
You must add appliances to Panorama to manage interfaces and add appliances to clusters to manage
node interfaces.
Appliance (Clustering tab only) Select a cluster node to access the Appliance and Interfaces tabs for
that node. The Appliance tab node information is prepopulated and not configurable except for the
hostname. The Interfaces tab lists the node interfaces. Select an interface to manage it as described
in:
• Interface Name Management
• Interface Name Analysis Environment Network
• Interface Name Ethernet2
• Interface Name Ethernet3
Interface Name Analysis Environment Network Configure settings for the WildFire appliance cluster
or standalone WildFire appliance analysis environment network interface (Ethernet1, also known as
the VM interface):
• Speed and Duplex—Set to auto-negotiate (default), 10Mbps-half-duplex,
10Mbps-full-duplex, 100Mbps-half-duplex, 100Mbps-full-duplex, 1Gbps-
half-duplex, or 1Gbps-full-duplex.
• IP Address—Enter the interface IP address.
• Netmask—Enter the interface netmask.
• Default Gateway—Enter the IP address of the default gateway.
• MTU—Enter the MTU in bytes (range is 576 to 1,500; default is 1,500).
• DNS Server—Enter the DNS server IP address.
• Link State—Set the interface link state to Up or Down.
Interface Name Ethernet2 / Interface Name Ethernet3 You can set the same parameters for the
Ethernet2 and Ethernet3 interfaces:
• Speed and Duplex—Set to auto-negotiate (default), 10Mbps-half-duplex, 10Mbps-full-duplex,
100Mbps-half-duplex, 100Mbps-full-duplex, 1Gbps-half-duplex, or 1Gbps-full-duplex.
• IP Address—Enter the interface IP address.
• Netmask—Enter the interface netmask.
• Default Gateway—Enter the IP address of the default gateway.
• MTU—Enter the MTU in bytes (range is 576 to 1,500; default is 1,500).
• Management Services—Enable Ping if you want the interface to support
ping services.
• Clustering Services—Select cluster services:
• HA—If there are two Controller nodes in the cluster, you can configure
the Ethernet2 or the Ethernet3 interface as an HA interface so that
management information is available to both Controller nodes. If the
cluster node you are configuring is the primary Controller node, mark it
as the HA interface.
Depending on how you use the WildFire appliance Ethernet interfaces,
alternatively, you can configure the management interface (Ethernet1)
as the HA and HA Backup interfaces on the primary and backup
Controller nodes, respectively. The HA and HA Backup interfaces must
be the same interface (management, Ethernet2, or Ethernet3) on the
primary and backup Controller nodes. You cannot use Ethernet1 as the
HA/HA Backup interface.
• HA Backup—If the cluster node you are configuring is the backup
Controller node, mark it as the HA Backup interface.
• Cluster Management—Configure the Ethernet2 or Ethernet3 interface
as the interface used for cluster-wide management and communication.
Role (Clustering tab only) When a cluster has member appliances, the appliance roles can be
Controller, Controller Backup, or Worker. Select Controller or Backup Controller to change the
WildFire appliance used for each role from the appliances in the cluster. Changing the Controller
results in data loss during the role change.
Browse (Clustering tab only) The Clustering tab lists the WildFire appliance nodes in the cluster.
Browse to view and add standalone WildFire appliances that the Panorama device already manages:
Delete (Clustering tab only) Select one or more appliances from the Appliance list and then Delete
them from the cluster. You can remove a Controller node only if there are two Controller nodes in
the cluster.
Manage Controller (Clustering tab only) Select Manage Controller to specify a Controller and a
Controller Backup from the WildFire appliance nodes that belong to the cluster. The current
Controller node and backup Controller node are selected by default. The backup Controller node
can’t be the same node as the primary Controller node.
Communication tab
Customize Secure Server Communication
• SSL/TLS Service Profile—Select an SSL/TLS service profile from the drop-
down. This profile defines the certificate and supported SSL/TLS versions
that connected devices use to communicate with WildFire.
• Certificate Profile—Select a certificate profile from the drop-down. This
certificate profile defines certificate revocation checking behavior and the
root CA used to authenticate the certificate chain presented by the client.
• Custom Certificate Only—When enabled, WildFire only accepts custom
certificates for authentication with connecting devices.
• Check Authorization List—Client devices connecting to WildFire are
checked against the authorization list. A device need match only one
item on the list to be authorized. If no match is found, the device is not
authorized.
• Authorization List—Add an Authorization List and complete the following
fields to set criteria for authorizing client devices. The Authorization List
supports a maximum of 16 entries.
• Identifier—Select Subject or Subject Alt. Name as the authorization
identifier.
• Type—If you selected Subject Alt. Name as the Identifier, then select
IP, hostname, or e-mail as the type of the identifier. If you selected
Subject, then common-name is the identifier type.
• Value—Enter the identifier value.
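The authorization-list semantics above (an entry identifies a client by Subject common-name or by a Subject Alt. Name of type IP, hostname, or e-mail; a client is authorized when it matches any one entry; no match, including an empty list, means not authorized; at most 16 entries) can be written down as a small matching routine. The following Python is an added example for this page and is not Palo Alto Networks code, nor a reproduction of how WildFire evaluates the list internally. It assumes the identity fields have already been extracted from a client certificate whose chain the Certificate Profile validated; ClientIdentity, AuthEntry, SAMPLE_LIST and the normalisation rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_ENTRIES = 16  # limit stated on the page


@dataclass(frozen=True)
class AuthEntry:
    identifier: str  # "subject" or "subject-alt-name"
    type: str        # "common-name" (subject) | "ip" | "hostname" | "email" (SAN)
    value: str


@dataclass
class ClientIdentity:
    """Identity fields of the client certificate. Constructed directly here;
    in practice they come from the certificate chain the Certificate Profile
    has already validated, never from anything the client merely claims."""
    common_name: str = ""
    san_ip: list = field(default_factory=list)
    san_dns: list = field(default_factory=list)
    san_email: list = field(default_factory=list)


def _norm(kind, value):
    """Canonical form for comparison (an editorial choice: exact match after
    normalisation, no wildcards)."""
    if kind == "ip":
        return str(ipaddress.ip_address(value))   # 2001:DB8:0:0::1 -> 2001:db8::1
    if kind in ("hostname", "common-name"):
        return value.rstrip(".").lower()           # DNS names are case-insensitive
    if kind == "email":
        local, _, domain = value.rpartition("@")
        return f"{local}@{domain.lower()}"         # only the domain part is case-insensitive
    raise ValueError(f"unknown identifier type {kind!r}")


def _candidates(identity, entry):
    """Certificate fields an entry is compared against, by identifier and type."""
    if entry.identifier == "subject":
        if entry.type != "common-name":
            raise ValueError("Subject identifier supports only common-name")
        return [identity.common_name] if identity.common_name else []
    if entry.identifier == "subject-alt-name":
        return {"ip": identity.san_ip, "hostname": identity.san_dns,
                "email": identity.san_email}[entry.type]
    raise ValueError(f"unknown identifier {entry.identifier!r}")


def validate_list(entries):
    """Reject lists that exceed the 16-entry maximum or hold malformed values."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"authorization list supports at most {MAX_ENTRIES} entries")
    for entry in entries:
        _norm(entry.type, entry.value)


def is_authorized(identity, entries):
    """True when the client matches ANY one entry; no match (or an empty list)
    means the device is not authorized."""
    validate_list(entries)
    for entry in entries:
        wanted = _norm(entry.type, entry.value)
        for have in _candidates(identity, entry):
            try:
                if _norm(entry.type, have) == wanted:
                    return True
            except ValueError:
                continue  # a malformed SAN value in the certificate never matches
    return False


# Constructed sample list: one branch firewall by subject CN, one by SAN IP.
SAMPLE_LIST = [
    AuthEntry("subject", "common-name", "fw-branch-01.example.net"),
    AuthEntry("subject-alt-name", "ip", "2001:db8::1"),
]
```

Two points the code makes explicit: an entry is compared only against the certificate field its Identifier names, so a hostname-type SAN entry never matches a Subject common name and vice versa, and enabling Check Authorization List with an empty list denies every client. The normalisation (canonical IP text, case-folded DNS names) is the example's choice; the page does not say how WildFire compares values, so keep list entries in the exact form the certificates carry.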
Secure Client Communication Using Secure Client Communication ensures that WildFire uses
configured custom certificates (instead of the default predefined certificate) to
authenticate SSL connections with another WildFire appliance.
Name Enter a login username for the administrator (up to 15 characters). The
name is case-sensitive, must be unique, and can contain only letters,
numbers, hyphens, and underscores.
Use only client certificate authentication (Web) Select to use client certificate
authentication for web interface access. If you select this option, a username
(Name) and Password are not required.
Password/Confirm Password Enter and confirm a case-sensitive password for the administrator
(up to 15 characters). To ensure security, Palo Alto Networks
recommends that administrators change their passwords periodically
and use a combination of lowercase letters, uppercase letters, and
numbers. Follow password-strength best practices so that the
password is strong.
Device Group and Template administrators cannot access Panorama >
Administrators. To change their local password, these administrators
click their username (beside Logout at the bottom of the web
interface). This also applies to administrators with a custom Panorama
role in which access to Panorama > Administrators is disabled.
You can use password authentication in conjunction with an
Authentication Profile (or sequence) or with local database
authentication.
You can set password expiration parameters by selecting a
Password Profile (see Device > Password Profiles) and setting
Minimum Password Complexity parameters (see Device > Setup >
Management), but only for administrative accounts that Panorama
authenticates locally.
Use Public Key Authentication (SSH) Select to use SSH public key authentication: click
Import Key, Browse to select the public key file, and click OK. The Administrator dialog
displays the uploaded key in the read-only text area.
Supported key file formats are IETF SECSH and OpenSSH. Supported
key algorithms are DSA (1024 bits) and RSA (768 to 4096 bits). Although
the lower end of that range is accepted, 768-bit RSA and 1024-bit DSA keys
are considered weak by current standards; generate administrator keys as
RSA of at least 2048 bits.
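Before uploading an administrator key it is worth checking that the file is in one of the two accepted formats and that the key falls in the supported size range, rather than discovering a rejected import in the dialog. The following Python is an added example for this page, not Palo Alto Networks code: it parses an OpenSSH one-line key or an RFC 4716 (IETF SECSH) block, reads the algorithm and the modulus/prime size from the SSH wire encoding, applies the limits stated above, and flags keys that are accepted but weak. The sample keys are constructed with dummy moduli of the required bit length (they are not real key pairs); make_key_line, make_rsa_key_line and to_secsh exist only to produce that test input.

```python
import base64
import struct

# Limits stated on this page for imported administrator SSH keys:
# algorithm -> acceptable modulus (RSA) or prime p (DSA) size in bits.
ALLOWED_SIZES = {"ssh-rsa": range(768, 4097), "ssh-dss": (1024,)}
# Editorial floor, not from the page: anything below this is accepted but weak.
RECOMMENDED_MIN_RSA_BITS = 2048


def _read_string(blob, pos):
    """Read one length-prefixed SSH 'string' (RFC 4251) from blob at pos."""
    if len(blob) < pos + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if len(blob) < pos + length:
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length


def parse_public_key(text):
    """Parse an OpenSSH one-line key or an RFC 4716 (IETF SECSH) block.

    Returns (algorithm, key_bits, comment). key_bits is the bit length of the
    RSA modulus n or the DSA prime p, which is what a 'bits' figure refers to.
    """
    text = text.strip()
    comment = ""
    if text.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        body = []
        for line in text.splitlines()[1:]:
            if line.startswith("---- END SSH2 PUBLIC KEY ----"):
                break
            if ":" in line:  # header line (base64 never contains ':')
                if line.lower().startswith("comment:"):
                    comment = line.split(":", 1)[1].strip().strip('"')
                continue
            body.append(line.strip())
        b64 = "".join(body)
    else:
        parts = text.split(None, 2)
        if len(parts) < 2:
            raise ValueError("not an OpenSSH public key line")
        b64 = parts[1]
        comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    algo_raw, pos = _read_string(blob, 0)
    algo = algo_raw.decode("ascii")
    if algo == "ssh-rsa":
        _e, pos = _read_string(blob, pos)   # public exponent e
        n, pos = _read_string(blob, pos)    # modulus n
        bits = int.from_bytes(n, "big").bit_length()
    elif algo == "ssh-dss":
        p, pos = _read_string(blob, pos)    # prime modulus p (q, g, y follow)
        bits = int.from_bytes(p, "big").bit_length()
    else:
        raise ValueError(f"unsupported key algorithm {algo!r}")
    return algo, bits, comment


def check_key(text):
    """Apply the page's import rules and flag weak-but-accepted keys.

    Returns (accepted, reason).
    """
    algo, bits, _ = parse_public_key(text)
    if bits not in ALLOWED_SIZES[algo]:
        return False, f"{algo} {bits}-bit key is outside the supported range"
    if algo == "ssh-dss" or bits < RECOMMENDED_MIN_RSA_BITS:
        return True, f"{algo} {bits}-bit key accepted but weak; prefer RSA >= 2048"
    return True, f"{algo} {bits}-bit key accepted"


# --- helpers that build constructed test keys (dummy numbers, not real keys) ---
def _string(raw):
    return struct.pack(">I", len(raw)) + raw


def _mpint(value):
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # leading 0x00 if MSB set
    return _string(raw)


def make_key_line(algo, *mpints, comment="constructed"):
    """Build a syntactically valid OpenSSH line from the given integers."""
    blob = _string(algo.encode()) + b"".join(_mpint(v) for v in mpints)
    return f"{algo} {base64.b64encode(blob).decode()} {comment}"


def make_rsa_key_line(bits, comment="constructed"):
    """RSA line whose dummy modulus has exactly `bits` bits."""
    return make_key_line("ssh-rsa", 65537, (1 << (bits - 1)) | 1, comment=comment)


def to_secsh(openssh_line):
    """Re-wrap an OpenSSH line as an RFC 4716 (IETF SECSH) block."""
    _, b64, comment = openssh_line.split(None, 2)
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"',
                      *lines, "---- END SSH2 PUBLIC KEY ----"])
```

Run check_key on the contents of the .pub file you intend to upload; a False result means the dialog will reject it, and a "weak" result means it will be accepted but should be regenerated. Key size is taken from the encoded modulus rather than from the filename or comment, which is the only reliable source.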
Administrator Type The type selection determines the administrative role options:
• Dynamic—Roles that provide access to Panorama and managed
firewalls. When new features are added, Panorama automatically
updates the definitions of dynamic roles; you never need to
manually update them.
• Custom Panorama Admin—Configurable roles that have read-write
access, read-only access, or no access to Panorama features.
• Device Group and Template Admin—Configurable roles that have
read-write access, read-only access, or no access to features for
the device groups and templates that are assigned to the access
domains you select for this administrator.
Profile (Custom Panorama Admin administrator type) Select a custom Panorama role (see
Panorama > Managed Devices > Summary).
Access Domain to Administrator Role (Device Group and Template Admin administrator type)
For each access domain (up to 25) you want to assign to the administrator, Add an
Access Domain from the drop-down (see Panorama > Access Domains) and then click the
adjacent Admin Role cell and select a custom Device Group and Template administrator
role from the drop-down (see Panorama > Managed Devices > Summary). When
administrators with access to more than one domain log in to Panorama, an Access
Domain drop-down appears in the footer of the web interface. Administrators can
select any assigned Access Domain to filter the monitoring and configuration data
that Panorama displays. The Access Domain selection also filters the firewalls that
the Context drop-down displays.
Password Profile Select a Password Profile (see Device > Password Profiles).
If you use a RADIUS server to authenticate administrators, map the administrator roles and
access domains to RADIUS Vendor Specific Attributes (VSAs).
Web UI Select from the following options to set the type of access permitted for
specific features in the Panorama context (Web UI list) and firewall context
(Context Switch UI list):
• Enable—Read and write access
• Read Only—Read-only access
• Disable—No access
XML API (Panorama role only) Select the type of XML API access (Enable or Disable) for
Panorama and managed firewalls:
• Report—Access to Panorama and firewall reports.
• Log—Access to Panorama and firewall logs.
• Configuration—Permissions to retrieve or modify Panorama and firewall
configurations.
• Operational Requests—Permissions to run operational commands on
Panorama and firewalls.
• Commit—Permissions to commit Panorama and firewall configurations.
• User-ID Agent—Access to the User-ID agent.
REST API (Panorama role only) Select the type of access (Enable, Read Only, or Disable)
that applies to each REST API endpoint for Panorama and managed firewalls. You can
assign role access to endpoints in the following categories.
• Objects
• Policies
• Network
• Device
Context Switch
Device Admin Role Enter the device admin role name to allow a Panorama administrator to
context switch between the Panorama and managed firewall web interface.
Name Enter a name for the access domain (up to 31 characters). The name is
case-sensitive, must be unique, and can contain only letters, numbers,
hyphens, and underscores.
Shared Objects Select one of the following access privileges for the objects that
device groups in this access domain inherit from the Shared location.
Regardless of privilege, administrators can’t override shared or default
(predefined) objects.
• read—Administrators can display and clone shared objects but
cannot perform any other operations on them. When adding non-
shared objects or cloning shared objects, the destination must be a
device group within the access domain, not Shared.
• write—Administrators can perform all operations on shared
objects. This is the default value.
• shared-only—Administrators can add objects only to Shared.
Administrators can also display, edit, and delete shared objects
but cannot move or clone them. A consequence of this selection is
that administrators cannot perform any operations on non-shared
objects other than to display them.
Device Groups Enable or disable read-write access for specific device groups in the
access domain. You can also click Enable All or Disable All. Enabling
read-write access for a device group automatically enables the same
access for its descendants. If you manually disable a descendant,
access for its highest ancestor automatically changes to read-only. By
default, access is disabled for all device groups.
If you want the list to display only specific device groups, select the
device group names and Filter Selected.
Templates For each template or template stack you want to assign, click Add and
select it from the drop-down.
Device Context Select the firewalls to which the administrator can switch context
for performing local configuration. If the list is long, you can filter by
Log Collector Groups For each Collector Group you want to assign, Add and select it from
the drop-down.
Scheduled Config Push Execution History
View the scheduled config push history.
Recurrence Whether the scheduled configuration push is a one time push or a recurring
scheduled push (monthly, weekly, or daily).
Time For a recurring schedule, the time (hh:mm) and day the configuration push is
scheduled to occur.
For a one-time schedule, the time (hh:mm) scheduled configuration push is
scheduled to occur.
Status Execution status of the last scheduled configuration push. Click to view the
full execution history for all managed firewalls associated with the scheduled
configuration push.
Devices Managed firewalls impacted by the scheduled configuration push. Displays
impacted firewalls based on device group and template changes.
Disabled Check to disable the scheduled configuration push. Uncheck to re-enable the
scheduled configuration push.
Type Select One-time schedule to schedule a configuration push on a specific date and
time. Select Recurring schedule to schedule a configuration push
Time Time (hh:mm:ss) at which the configuration push is scheduled to occur on the
scheduled configuration push Date.
Recurrence Whether the scheduled configuration push is a one time push (None) or a recurring
scheduled push (Monthly, Weekly, or Daily). Default is None.
Device Groups Select managed firewalls associated with one or more device groups.
• Merge with Device Candidate Config (enabled by default)—Merges the
configuration changes pushed from Panorama with any pending configuration
changes implemented locally on the target firewall. The push triggers the PAN-
OS® software to commit the merged changes. If you disable this selection, the
commit excludes the candidate configuration on the firewall.
• Include Device and Network Templates (enabled by default)—Pushes both
the device group changes and the associated template changes to the selected
firewalls and virtual systems in a single operation. To push these changes as
separate operations, disable this option.
Templates Select managed firewalls associated with one or more template stacks.
• Merge with Device Candidate Config (enabled by default)—Merges the
configuration changes pushed from Panorama with any pending configuration
changes implemented locally on the target firewall. The push triggers the PAN-
OS software to commit the merged changes. If you disable this selection, the
commit excludes the candidate configuration on the firewall.
Last Push Time Time that the scheduled configuration push occurred (MM/DD/YYYY HH:MM:SS).
Devices Total number of managed firewalls associated with the scheduled configuration
push.
Success Total number of managed firewalls associated with the scheduled configuration
push for which the push was successful.
Fail Total number of managed firewalls associated with the scheduled configuration
push for which the push failed.
Revert Total number of managed firewalls for which the scheduled configuration push
failed and the configuration was reverted.
Tasks View the Panorama task manager and the jobs associated with the configuration
push.
Task Description
Add Add firewalls and enter their serial numbers (one per row) to add them as managed
devices. The Managed Devices window will then display Managed Firewall Information,
including connection status, installed updates, and properties that were set during initial
configuration.
Check the Associate Devices box to associate the firewalls with a device group or
template stack.
Import multiple firewalls in CSV format to be managed by the Panorama management
server. A sample CSV file is available for download.
Next, enter the IP address of the Panorama management server on each firewall (see
Device > Setup > Management) so that Panorama can manage the firewalls.
Reassociate Reassign one or more selected firewalls to a different device group or template stack.
Delete Select one or more firewalls and Delete them from the list of firewalls that Panorama
manages.
Tag Select one or more firewalls, click Tag, and enter a text string of up to 31 characters or
select an existing tag. Do not use an empty space. Wherever the web interface displays
a long list of firewalls (for example, in the dialog for installing software), tags provide
one means to filter the list. For example, you can use a tag called branch office to filter
for all branch office firewalls across your network.
Group HA Peers Select Group HA Peers if you want the Managed Devices page to group firewalls
that are peers in a high availability (HA) configuration. You then can only select to
perform actions on both peers or neither peer in each HA pair.
PDF/CSV Administrative roles with a minimum of read-only access can export the managed
firewall table as PDF/CSV. You can apply filters to create more specific table
configuration outputs for things such as audits. Only visible columns in the web
interface will be exported. See Configuration Table Export.
Deploy Master Key Deploy a new master key or update an existing master key of one or more
devices.
Request OTP from CSP Generate a One-Time Password (OTP) for managed firewalls.
• Custom selected devices—Generate an OTP for the selected managed firewalls to
install a device certificate in order to leverage Palo Alto Networks cloud services.
• Select all devices without a certificate—Generate an OTP for any managed firewall
without a device certificate successfully installed in order to leverage Palo Alto
Networks cloud services.
Upload OTP Paste the OTP generated from the Customer Support Portal to install a device
certificate for all managed firewalls.
Device Group Displays the name of the device group in which the firewall is a
member. By default, this column is hidden, though you can display
it by selecting the drop-down in any column header and selecting
Columns > Device Group.
The page displays firewalls in clusters according to their device group.
Each cluster has a header row that displays the device group name,
the total number of assigned firewalls, the number of connected
firewalls, and the device group path in the hierarchy. For example,
Data center (2/4 Devices Connected): Shared > Europe > Data
center would indicate that a device group named Data center has
four member firewalls (two of which are connected) and is a child of
a device group named Europe. You can collapse or expand any device
group to hide or display its firewalls.
Virtual System Lists the virtual systems available on a firewall that is in Multiple
Virtual Systems mode.
Operational Mode Displays the operational mode of the firewall. Can be FIPS-CC or
Normal.
Software Version | Apps and Threat | Antivirus | URL Filtering | GlobalProtect™ Client |
WildFire Displays the software and content versions that are currently installed on
the firewall. For details, see Firewall Software and Content Updates.
Last Master Key Push Displays the status of the master key deployment from Panorama to
the firewall.
Timestamp—Displays the date and time of the latest master key push
from Panorama.
Containers—If you deployed the CN-Series firewall to secure your containerized application workloads
on Kubernetes clusters, use the following columns.
Container Number of Nodes Displays the number of containerized firewall dataplane
pods (CN-NGFW) that are connected to the management plane (CN-Mgmt) registered to
Panorama.
The value can be 0 to 30 CN-NGFW pods for each pair of CN-Mgmt pods.
Clone device variable definition from another device in the template stack?
Type Select the type of update you want to install: PAN-OS Software,
GlobalProtect Client software, Apps and Threats signatures, Antivirus
signatures, WildFire, or URL Filtering.
File Select the update image. The drop-down includes only images that you
downloaded or uploaded to Panorama using the Panorama > Device
Deployment pages.
Devices Select the firewalls on which you want to install the image.
Current Version The update version of the selected Type that is currently installed on
the firewall.
Group HA Peers Select to group firewalls that are peers in a high availability (HA)
configuration.
Filter Selected If you want the Devices list to display only specific firewalls, select the
corresponding device names and Filter Selected.
Upload only to device Select to upload the image on the firewall but not automatically reboot
the firewall. The image is installed when you manually reboot the
firewall.
Reboot device after Install (Software only) Select to upload and install the software
image. The installation process triggers a reboot.
Disable new apps in content update (Apps and Threats only) Select to disable applications
in the update that are new relative to the last installed update. This protects
against the latest threats while giving you the flexibility to enable applications
after preparing any policy updates. Then, to enable applications, log in to the
firewall, select Device > Dynamic Updates, click Apps in the Features column
Firewall Backups
• Panorama > Managed Devices
Panorama automatically backs up every configuration change you commit to managed firewalls. To manage
the backups for a firewall, select Panorama > Managed Devices, click Manage in the Backups column for
the firewall, and perform any of the following tasks.
To configure the number of firewall configuration backups that Panorama stores, select
Panorama > Setup > Management, edit the Logging and Reporting Settings, select Log
Export and Reporting, and enter the Number of Versions for Config Backups (default is 100).
Task Description
Display details about a saved or committed configuration. In the Version column for
the backup, click the saved configuration filename or committed configuration
version number to display the contents of the associated XML file.
Restore a saved or committed configuration to the candidate configuration. In the
Action column for the backup, click Load and Commit.
Loading a firewall configuration reverts the local device configuration and does
not revert the configuration pushed from Panorama. After you Load the firewall
backup, you must context switch to the firewall web interface or launch the
firewall web interface to Commit.
Remove a saved configuration. In the Action column for the saved backup, click Delete.
The Host ID displays in the GlobalProtect logs automatically. For the Host ID to display
in the Traffic, Threat, or Unified logs, the Panorama appliance must have at least one
security policy rule with the Source Device set to Quarantine. Without this setting in
the security policy, Traffic, Threat or Unified logs will not have the Host ID, and the log
forwarding profile will not take effect.
Field Description
Reason The reason that the device is quarantined. A reason of Admin Add means
that an administrator manually added the device to the table.
Time Stamp The time that the administrator or Security policy rule added the device
to the quarantine list.
Source Device/App The IP address of the Panorama, firewall, or third-party app that added
the device to the quarantine list.
Serial Number (Optional) The serial number of the quarantined device (if available).
User Name (Optional) The username of the GlobalProtect client user who was logged
in to the device when it was quarantined.
View Detailed Device Health. View the health metrics of the devices managed by
the Panorama.
Device
Throughput (Kilobits) The data throughput over time (five-minute average) measured in
kilobits per second.
CPS Total connections per second for the firewall over time (five-minute
average).
Session
Data Plane
Management Plane
Logging Rate (logs per second) Rate at which the firewalls are forwarding logs to Panorama or a Log
Collector (one-minute average).
Fans Displays the presence, current status, RPM, and last failure of the fans
in each fan tray. Fan status is displayed as A/B, where A is the number
of good, running fans and B is the total number of fans on the firewall.
Virtual firewalls display N/A.
Power Supplies Displays the presence, current status, and last failure timestamps.
Power supply status is displayed as A/B, where A is the number of
good, running power supplies and B is the total number of power
supplies on the device. Virtual firewalls display N/A.
Ports Total number of ports in use on the firewall. Ports are displayed as
A/B, where A is the number of good, running ports and B is the total
number of ports on the device.
Field Description
Actions
Time Filter Select the time filter to view the device health history from the drop-
down. You can select Last 12 hours, 24 hours, 7 days, 15 days, 30
days, or 90 days.
Show Average Select the average and standard distribution shown on all time-
trended widgets. You can select None, Last 24 hours, 7 days, or 15
days.
System Information
System Information The metadata associated with the device: IP address, software
version, antivirus version, HA status, serial number, App and Threat
version, Wildfire version, VSYS mode, model, and device mode.
Sessions
The Sessions tab displays session information for traffic passing through the firewall. This
information is displayed as six individual graphs.
Field Description
Connections per Second Total CPS for the device over time (five-minute average).
Packets per Second Total packets per second (averaged over five minutes) that passed
through the device.
Global Session Table Utilization (PA-7000 and PA-5200 appliances only) The percentage of
the global session table over time for firewalls that have a global session table
(averaged over five minutes).
Session Table Utilization Shows the percentage of the session table usage for each dataplane
for the firewall against time (averaged over five minutes).
SSL Decrypted Sessions Info Shows the number of decrypted SSL sessions over time (averaged
over five minutes).
SSL Proxy Session Utilization Shows the utilization percentage of proxy sessions over time
(averaged over five minutes).
Environments
The Environments tab displays the presence, status, and operating condition for hardware, such as power
supplies, fan trays, and disk drives. This tab displays only for hardware-based firewalls:
Field Description
Fan Status Displays the presence, current status, RPM, and last failure of the fans
in each fan tray. Fan status is displayed as A/B, where A is the number
of good, running fans and B is the total number of fans on the firewall.
Virtual firewalls display N/A.
Power Supply Displays the presence, current status, and last failure timestamps.
Power supply status is displayed as A/B, where A is the number of good,
running power supplies and B is the total number of power supplies on the
device. Virtual firewalls display N/A.
Thermal Status Displays whether there are any thermal alarms associated with each
slot of the device. If there is an active alarm, the firewall also displays
more specific information here regarding exact temperature and
location.
System Disk Status Displays the available, used, and utilization percentage for the root,
pancfg, panlogs, and panrepo mounts.
System Disk Status also displays the disk name, size, and RAID status
for firewalls that are RAID enabled.
Interfaces
The Interfaces tab displays the status and statistics across all physical interfaces on the firewall.
Field Description
Interface Name The name of the interface. Select an Interface to view graphs of the
Bit Rate, Packets per Second, Errors, and Drops for the selected
interface.
Bit Rate Displays the bit rate (bps) for received and transmitted data.
Packets per Second Displays the packets per second for received and transmitted data.
Errors Displays the number of errors for received and transmitted data.
Logging
The Logging tab displays the logging rates and connections across managed firewalls.
Field Description
Logging Rate Displays the one-minute averaged rate for the device forwarding logs
to Panorama or a Log Collector.
Logging Connections Displays all available log forwarding connections, including their active
or inactive status.
External Log Forwarding Displays the sent, dropped, and average forwarding rate (logs per
second) for various types of external log forwarding methods.
Resources
The Resources tab displays the CPU and memory statistics for the firewall.
Field Description
Management Plane Memory Displays the time-trended, five-minute average of the management
plane memory as a percentage.
Packet Buffers Displays the time-trended, five-minute average of the packet buffer
utilization as a percentage. On a multiple dataplane system, this
display includes different dataplanes, CPU, and packet buffers in
different colors.
CPU Management Plane Displays the time-trended, five-minute average of the management
plane CPU.
CPU Data Plane Displays the time-trended, five-minute average per-core utilization
of the dataplane CPU. For systems with multiple dataplanes, you can select which
dataplane to view.
Mounts Displays the device system file info. This display includes the mount
Name, Allocated (KB), Used (KB), and Avail (KB) space, as well as the
Utilization percentage.
High Availability
The High Availability tab displays the HA status of the firewall and its HA peer. The top widget displays
the configuration and content version of the device and its peers. The bottom widget provides information
on the previous HA failovers and the reasons associated with it, including which firewall experienced the
failure.
Templates
Panorama supports up to 1,024 templates. You can Add a template and configure the settings as described
in the following table. After creating a template, you need to also Configure a Template Stack and add the
templates and firewalls to the template stack before you can manage your firewalls. After you configure a
template, you must commit your changes in Panorama (see Panorama Commit Operations).
Deleting a template does not delete the values that Panorama pushed to the firewall.
Name Enter a template name (up to 31 characters). The name is case-sensitive, must
be unique, and can contain only letters, numbers, spaces, hyphens, periods, and
underscores.
In the Device and Network tabs, this name appears in the Template drop-down.
The settings you modify in these tabs apply only to the selected Template.
Template Stacks
You can configure a template stack or assign templates to a template stack. Assigning firewalls to a template
stack allows you to push all necessary settings to the firewalls instead of adding every setting to every
template individually. Panorama supports up to 1,024 stacks. You can Add Stack to create a new template
Deleting a template stack or removing a firewall from a template stack does not delete the
values that Panorama previously pushed to that firewall; however, when you remove a
firewall from a template stack, Panorama no longer pushes new updates to that firewall.
Name Enter a stack name (up to 31 characters). The name is case-sensitive, must be
unique, must start with a letter, and can contain only letters, numbers, and
underscores. In the Device and Network tabs, the Template drop-down displays the
stack name and its assigned templates.
Templates Add each template you want to include in the stack (up to 8).
If templates have duplicate settings, Panorama pushes only the settings from the
template that is higher in the list when pushing settings to the assigned firewalls. For
example, if Template_A is above Template_B in the list and both templates define
the ethernet1/1 interface, then Panorama pushes the ethernet1/1 definition from
Template_A and not from Template_B. To change the order of templates in the list,
select a template and Move Up or Move Down.
Devices Select each firewall that you want to add to the stack.
If the list of firewalls is long, you can filter the list by Platforms, Device Groups,
Tags, and HA Status.
Group HA Peers Groups firewalls that are high availability (HA) peers. This enables you to easily
identify firewalls that have an HA configuration. When pushing settings from
the template stack, you can push to the grouped pair instead of to each firewall
individually.
Filter Selected To display only specific firewalls, select them and then Filter Selected.
Template (device and template stack) Displays the name of the template to which the
variable definition belongs.
Override (template stack and device) Overrides an existing template variable
definition inherited from the template stack or device. You cannot change the
variable type or name and you cannot override device-specific variables.
Revert (template stack and device) Clears any overridden values at the template
stack or device level and reverts the overridden variable to its original template
variable definition.
Get values used on device only (device only) Populate the selected variable with the
value used on the firewall. Requires that a template or template stack variable be
already defined and pushed to the firewall before Panorama can retrieve the value.
Values fetched from the firewall will Override the template or template stack
variable to create a device-specific variable. If no variable definition has been
pushed to the firewall, Panorama will return Value not found for that variable.
Name Name the variable definition. All variable definition names must start
with the dollar sign (“$”) character.
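Two behaviours described in this section, the higher template winning when templates in a stack define the same setting (Template Stacks) and variable definitions that can be overridden at the stack and device level, reverted, or pulled back from the firewall (the variable table above), can be modelled in a few dozen lines. The following Python is an added example for this page and is not Panorama code: the setting paths, template names, serial numbers and the device_running_values dictionary (standing in for what Panorama would read from the firewall) are all constructed, and the precedence it implements is the one the text states, template definition below stack override below device override.

```python
MAX_TEMPLATES_PER_STACK = 8  # limit stated on the page


def _check_var_name(name):
    """Template variable names must start with '$'."""
    if not name.startswith("$"):
        raise ValueError(f"variable name must start with '$': {name!r}")


class TemplateStack:
    def __init__(self, name, templates):
        # templates: [(template_name, settings, variables)], top of the
        # Panorama list first. settings maps a config path to a literal value
        # or to a "$variable"; variables maps "$name" -> default value.
        if len(templates) > MAX_TEMPLATES_PER_STACK:
            raise ValueError("a template stack holds at most 8 templates")
        self.name = name
        self.templates = list(templates)
        for _, _, variables in self.templates:
            for var in variables:
                _check_var_name(var)
        self.stack_overrides = {}    # $var -> value overridden at stack level
        self.device_overrides = {}   # serial -> {$var: value}
        self.pushed_vars = {}        # serial -> set of $vars pushed so far

    def move_up(self, template_name):
        """Raise a template's priority (the UI's Move Up)."""
        i = [t[0] for t in self.templates].index(template_name)
        if i > 0:
            self.templates[i - 1], self.templates[i] = self.templates[i], self.templates[i - 1]

    def resolve_settings(self):
        """Merge settings; for duplicates the template higher in the list wins.
        Returns (merged, source) where source records the winning template."""
        merged, source = {}, {}
        for tname, settings, _ in self.templates:
            for path, value in settings.items():
                if path not in merged:          # not yet defined by a higher template
                    merged[path], source[path] = value, tname
        return merged, source

    def template_variables(self):
        """Variable defaults, again with the higher template winning."""
        merged = {}
        for _, _, variables in self.templates:
            for var, value in variables.items():
                merged.setdefault(var, value)
        return merged

    def resolve_variables(self, serial=None):
        """Precedence: template definition < stack override < device override."""
        resolved = self.template_variables()
        resolved.update(self.stack_overrides)
        if serial is not None:
            resolved.update(self.device_overrides.get(serial, {}))
        return resolved

    def override(self, var, value, serial=None):
        """Override an inherited variable at stack (serial=None) or device level.
        Only the value changes; an undefined variable cannot be overridden."""
        if var not in self.template_variables():
            raise KeyError(f"{var} is not defined in any template of {self.name}")
        target = self.device_overrides.setdefault(serial, {}) if serial else self.stack_overrides
        target[var] = value

    def revert(self, var, serial=None):
        """Drop an override so the variable falls back to the inherited value."""
        target = self.device_overrides.get(serial, {}) if serial else self.stack_overrides
        target.pop(var, None)

    def render(self, serial):
        """Settings as they would be pushed to one firewall, variables substituted."""
        variables = self.resolve_variables(serial)
        rendered = {}
        for path, value in self.resolve_settings()[0].items():
            if isinstance(value, str) and value.startswith("$"):
                if value not in variables:
                    raise KeyError(f"{path} references undefined variable {value}")
                rendered[path] = variables[value]
            else:
                rendered[path] = value
        return rendered

    def push(self, serial):
        """Push to one firewall and remember which variables it has received."""
        rendered = self.render(serial)
        self.pushed_vars.setdefault(serial, set()).update(self.resolve_variables(serial))
        return rendered

    def get_value_from_device(self, serial, var, device_running_values):
        """'Get values used on device only': copy the value the firewall actually
        uses into a device-level override. Requires that the variable has already
        been pushed; otherwise Panorama reports 'Value not found'.
        device_running_values is a constructed stand-in for the firewall's config."""
        if var not in self.pushed_vars.get(serial, set()):
            return "Value not found"
        value = device_running_values[var]
        self.override(var, value, serial=serial)
        return value


# Constructed sample: both templates define ethernet1/1, so stack order decides.
TEMPLATE_A = ("Template_A",
              {"network/interface/ethernet1/1/ip": "$mgmt_ip",
               "deviceconfig/system/dns/primary": "$dns"},
              {"$mgmt_ip": "10.0.0.1/24", "$dns": "10.0.0.53"})
TEMPLATE_B = ("Template_B",
              {"network/interface/ethernet1/1/ip": "192.0.2.1/24",
               "deviceconfig/system/ntp": "$ntp"},
              {"$ntp": "10.0.0.123"})
```

The source map returned by resolve_settings is the thing to check before a push when two templates in a stack touch the same object: it tells you which template's definition will reach the firewall, and moving a template up or down changes that answer without any edit to either template.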
Name Enter a name to identify the group (up to 31 characters). The name is case-sensitive,
must be unique across the entire device group hierarchy, and can contain only
letters, numbers, spaces, periods, hyphens, and underscores.
Devices Select each firewall that you want to add to the device group. If the list of firewalls
is long, you can filter by Device State, Platforms, Templates, or Tags. The Filters
section displays (in parentheses) the number of managed firewalls for each of these
categories.
If the purpose of a device group is purely organizational (that is, to contain other
device groups), you don’t need to assign firewalls to it.
Select All Selects every firewall and virtual system in the list.
Deselect All Deselects every firewall and virtual system in the list.
Group HA Peers Select to group firewalls that are peers in a high availability (HA) configuration. The
list then displays the active (or active-primary in an active/active configuration)
firewall first and the passive (or active-secondary in an active/active configuration)
firewall in parentheses. This enables you to easily identify firewalls that are in HA
mode. When pushing shared policies, you can push to the grouped pair instead of
individual peers.
Filter Selected If you want the Devices list to display only specific firewalls, select the firewalls and
then Filter Selected.
Parent Device Relative to the device group you are defining, select the device group (or the Shared
Group location) that is just above it in the hierarchy (default is Shared).
Master Device To configure policy rules and reports based on usernames and user groups, you
must select a Master Device. This is the firewall from which Panorama receives
usernames, user group names, and username-to-group mapping information.
Store users and groups from Master Device This option displays only if you select a
Master Device. The option enables Panorama to locally store usernames, user group
names, and username-to-group mapping information that it receives from the Master
Device. To enable local storage, you must also select Panorama > Setup > Management,
edit the Panorama Settings, and Enable reporting and filtering on groups.
Dynamically Added Device Properties—When a new device is added to the device group, Panorama
dynamically applies the specified authorization code and PAN-OS software version to the new device.
This displays only after a device group is associated with an NSX service definition in Panorama.
Authorization Code Enter the authorization code to be applied to devices added to this device group.
SW Version Select the software version to be applied to devices added to this device group.
Collector Name The name that identifies this Log Collector. This name displays as the Log Collector
hostname.
Serial Number The serial number of the Panorama appliance that functions as the Log Collector.
If the Log Collector is local, this is the serial number of the Panorama management
server.
Software Version The Panorama software release installed on the Log Collector.
Connected The status of the connection between the Log Collector and Panorama.
Configuration Status/Detail Indicates whether the configuration on the Log Collector is synchronized with Panorama.
Run Time Status/Detail The status of the connection between this and other Log Collectors in the Collector Group.
Log Redistribution State Certain actions (for example, adding disks) cause the Log Collector to redistribute the logs among its disk pairs. This column indicates the completion status of the redistribution process as a percentage.
Last Commit State Indicates whether the last Collector Group commit performed on the Log Collector failed or succeeded.
Statistics After you complete the Log Collector Configuration, click Statistics to view disk
information, CPU performance, and the average log rate (logs/second). To better
understand the log range you are reviewing, you can also view information on the
oldest log that the Log Collector received.
Log Collector RAID Disk Settings
Configure the RAID disks that store logs collected from firewalls.
Collector S/N (Required) Enter the serial number of the Panorama appliance that functions as the
Log Collector. If the Log Collector is local, enter the serial number of the Panorama
management server.
Collector Name Enter a name to identify this Log Collector (up to 31 characters). The name is case-
sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens,
and underscores.
This name displays as the Log Collector hostname.
Inbound Certificate for Secure Syslog Select the certificate that the managed collector must use to securely ingest logs from the Traps™ ESM server. This certificate is called an inbound certificate because the Panorama/Managed Collector is the server to which the Traps ESM (client) sends logs; the certificate is required if the Transport protocol for the log ingestion profile is SSL.
Certificate for Secure Syslog Select a certificate for secure forwarding of syslogs to an external syslog server. The certificate must have the Certificate for Secure Syslog option selected (see Manage Firewall and Panorama Certificates). When you assign a Syslog server profile to the Collector Group that includes this Log Collector (see Panorama > Collector Groups, Panorama > Collector Groups > Collector Log Forwarding), the Transport protocol of the server profile must be SSL (see Device > Server Profiles > Syslog).
Panorama Server IP Specify the IP address of the Panorama management server that manages this Log Collector.
Panorama Server IP 2 Specify the IP address of the secondary peer if the Panorama management server is deployed in a high availability (HA) configuration.
Primary DNS Server Enter the IP address of the primary DNS server. The Log Collector uses this server for DNS queries (for example, to find the Panorama management server).
Secondary DNS Server (Optional) Enter the IP address of a secondary DNS server to use if the primary server is unavailable.
Primary NTP Server Enter the IP address or host name of the primary NTP server, if any. If you do not use NTP servers, you can set the Log Collector time manually.
Secondary NTP Server (Optional) Enter the IP address or host name of a secondary NTP server to use if the primary server is unavailable.
Latitude Enter the latitude (-90.0 to 90.0) of the Log Collector. Traffic and threat maps use
the latitude for App Scope.
Longitude Enter the longitude (-180.0 to 180.0) of the Log Collector. Traffic and threat maps
use the longitude for App Scope.
Failed Attempts Enter the number of failed login attempts that the Dedicated Log Collector allows on the CLI before locking out the administrator (range is 0 to 10; default is 10). Limiting login attempts helps protect the Dedicated Log Collector from brute-force attacks. A value of 0 specifies unlimited login attempts.
Lockout Time (min) Enter the number of minutes for which the Dedicated Log Collector locks out an administrator from access to the CLI after reaching the Failed Attempts limit (range is 0 to 60; default is 5). A value of 0 means the lockout applies until another administrator manually unlocks the account.
If you set Failed Attempts to a value other than 0 but leave Lockout Time at 0, the administrator is locked out indefinitely until another administrator manually unlocks the locked-out administrator. If no other administrator has been created, you must reconfigure the Failed Attempts and Lockout Time settings on Panorama and push the configuration change to the Log Collector. To ensure that an administrator is never locked out, set both Failed Attempts and Lockout Time to 0; note that this also removes the brute-force protection, so a nonzero Lockout Time together with a second administrator account is the safer way to avoid a permanent lockout.
Idle Timeout (min) Enter the maximum number of minutes without any activity on the CLI before an administrator is automatically logged out (range is 0 to 1,440; default is None). A value of 0 means that inactivity does not trigger an automatic logout.
Max Session Count Enter the number of active sessions the administrator can have open concurrently. The default is 0, which means that the Dedicated Log Collector can have an unlimited number of concurrently active sessions.
Max Session Time Enter the number of minutes the administrator can be logged in before being automatically logged out. The default is 0, which means that the administrator can be logged in indefinitely even if idle.
Local Administrators Add and configure new administrators for the Dedicated Log Collector. These administrators are unique to the Dedicated Log Collector and are managed from this page (Panorama > Managed Collectors > Authentication).
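The Failed Attempts and Lockout Time values interact in a way that is easy to get wrong, so the following added example (not Palo Alto Networks code, and not part of this documentation) models the documented semantics as a small state machine: 0 failed attempts means unlimited tries, and 0 lockout minutes means the account stays locked until another administrator clears it. The ranges, the review findings and the login timeline are constructed for the example; run a proposed setting through it before pushing it to a Log Collector.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class LockoutPolicy:
    """Failed Attempts / Lockout Time as documented for the Dedicated Log Collector."""
    failed_attempts: int  # 0-10; 0 = unlimited attempts, no lockout
    lockout_minutes: int  # 0-60; 0 = locked until another administrator unlocks

    def __post_init__(self) -> None:
        if not 0 <= self.failed_attempts <= 10:
            raise ValueError("Failed Attempts must be 0-10")
        if not 0 <= self.lockout_minutes <= 60:
            raise ValueError("Lockout Time must be 0-60 minutes")

    def review(self) -> List[str]:
        """Findings a reviewer should raise before pushing this combination."""
        findings: List[str] = []
        if self.failed_attempts == 0:
            findings.append("no brute-force protection: unlimited failed CLI logins")
        elif self.lockout_minutes == 0:
            findings.append("indefinite lockout: recovery needs a second administrator "
                            "or a Panorama push of new lockout settings")
        return findings


@dataclass
class AdminAccount:
    """Lockout state of one local administrator; times are minutes (constructed scale)."""
    policy: LockoutPolicy
    failures: int = 0
    locked_at: Optional[float] = None

    def is_locked(self, now: float) -> bool:
        if self.locked_at is None:
            return False
        if self.policy.lockout_minutes == 0:
            return True  # stays locked until unlock() is called by another admin
        if now - self.locked_at >= self.policy.lockout_minutes:
            self.locked_at, self.failures = None, 0  # lockout expired
            return False
        return True

    def unlock(self) -> None:
        """What another administrator does to clear an indefinite lockout."""
        self.locked_at, self.failures = None, 0

    def attempt(self, now: float, password_ok: bool) -> str:
        """Returns 'ok', 'denied' (bad password) or 'locked' (attempt refused)."""
        if self.is_locked(now):
            return "locked"
        if password_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        limit = self.policy.failed_attempts
        if limit and self.failures >= limit:
            self.locked_at = now
            return "locked"
        return "denied"


def simulate(policy: LockoutPolicy, timeline: Sequence[Tuple[float, bool]]) -> List[str]:
    """Run a (minute, password_ok) timeline against a fresh account."""
    account = AdminAccount(policy)
    return [account.attempt(t, ok) for t, ok in timeline]


# Constructed timeline: five wrong passwords one minute apart, then the right
# password at minute 5 and again at minute 10.
BRUTE_FORCE = [(0, False), (1, False), (2, False), (3, False), (4, False), (5, True), (10, True)]

if __name__ == "__main__":
    for p in (LockoutPolicy(10, 5), LockoutPolicy(3, 5), LockoutPolicy(3, 0), LockoutPolicy(0, 5)):
        print(p, p.review(), simulate(p, BRUTE_FORCE))
```

With Lockout Time at 5 the legitimate login at minute 10 succeeds; with Lockout Time at 0 the same login is refused forever, which is the trap the note above describes.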
To complete the configuration of the MGT interface, you must specify the IP address, the
netmask (for IPv4) or prefix length (for IPv6), and the default gateway. If you commit a partial
configuration (for example, you might omit the default gateway), you can access the firewall
or Panorama only through the console port for future configuration changes.
Always commit a complete MGT interface configuration. You cannot commit the
configurations for other interfaces unless you specify the IP address, the netmask (for IPv4)
or prefix length (for IPv6), and the default gateway.
Eth1 / Eth2 / Eth3 / Eth4 / Eth5 You must enable an interface to configure it. The exception is the MGT interface, which is enabled by default.
Speed and Duplex Configure a data rate and duplex option for the interface. The choices include
10Mbps, 100Mbps, 1Gbps, and 10Gbps (Eth4 and Eth5 only) at full or half
duplex. Use the default auto-negotiate setting to have the Log Collector
determine the interface speed.
IP Address (IPv4) If your network uses IPv4 addresses, assign an IPv4 address to the interface.
Netmask (IPv4) If you assigned an IPv4 address to the interface, you must also enter a network
mask (such as 255.255.255.0).
Default Gateway (IPv4) If you assigned an IPv4 address to the interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the interface).
IPv6 Address/Prefix Length If your network uses IPv6 addresses, assign an IPv6 address to the interface. To indicate the netmask, enter an IPv6 prefix length (such as 2001:400:f00::1/64).
Default IPv6 Gateway If you assigned an IPv6 address to the interface, you must also assign an IPv6 address to the default gateway (the gateway must be on the same subnet as the interface).
MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this
interface (range is 576 to 1,500; default is 1,500).
Device Log Collection Enable the interface for collecting logs from firewalls. For a deployment with
high log traffic, you can enable multiple interfaces to perform this function.
This function is enabled by default on the MGT interface.
Collector Group Communication Enable the interface for Collector Group communication (the default is the MGT interface). Only one interface can perform this function.
Syslog Forwarding Enable the interface for forwarding syslogs (the default is the MGT interface). Only one interface can perform this function.
Network Connectivity Services The Ping service is available on any interface and enables you to test connectivity between the Log Collector interface and external services.
The following services are available only on the MGT interface:
• SSH—Enables secure access to the Panorama CLI.
• SNMP—Enables the interface to receive statistics queries from an SNMP
manager. For details, see Enable SNMP Monitoring.
• User-ID—Enables the Log Collector to redistribute user mapping
information received from User-ID agents.
Permitted IP Addresses Enter the IP addresses of the client systems that can access the Log Collector through this interface. An empty list (default) specifies that access is available to any client system.
Palo Alto Networks recommends that you do not leave this list blank; specify the client systems of Panorama administrators (only) to prevent unauthorized access.
If you use an SNMP manager for centralized monitoring, you can see logging statistics in the panLogCollector MIB.
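The interface rules above (a complete address, netmask and gateway before commit, the gateway on the interface subnet, the MTU range, the MGT-only services, and a non-empty Permitted IP Addresses list) are worth checking mechanically before a push that could leave you with console-only access. The following is an added example, not Palo Alto Networks code; the dict layout is an assumption chosen for the example, and it treats Permitted IP entries as single addresses or CIDR prefixes.

```python
import ipaddress
from typing import Any, Dict, List

# Services the table restricts to the MGT interface; Ping is allowed on any interface.
MGT_ONLY_SERVICES = {"ssh", "snmp", "user-id"}


def validate_interface(name: str, cfg: Dict[str, Any]) -> List[str]:
    """Return findings for one interface config dict (layout assumed for this example)."""
    findings: List[str] = []

    ip4, mask4, gw4 = cfg.get("ipv4"), cfg.get("netmask"), cfg.get("gateway4")
    if any((ip4, mask4, gw4)):
        if not all((ip4, mask4, gw4)):
            findings.append(f"{name}: partial IPv4 config; address, netmask and default gateway are all required")
        else:
            net = ipaddress.IPv4Network(f"{ip4}/{mask4}", strict=False)
            if ipaddress.IPv4Address(gw4) not in net:
                findings.append(f"{name}: IPv4 gateway {gw4} is not on subnet {net}")

    ip6, gw6 = cfg.get("ipv6"), cfg.get("gateway6")  # ipv6 carries the prefix length
    if any((ip6, gw6)):
        if not all((ip6, gw6)):
            findings.append(f"{name}: partial IPv6 config; address/prefix length and default gateway are required")
        else:
            net6 = ipaddress.IPv6Interface(ip6).network
            if ipaddress.IPv6Address(gw6) not in net6:
                findings.append(f"{name}: IPv6 gateway {gw6} is not on subnet {net6}")

    mtu = cfg.get("mtu", 1500)
    if not 576 <= mtu <= 1500:
        findings.append(f"{name}: MTU {mtu} outside 576-1500")

    if name != "mgt":
        for svc in cfg.get("services", []):
            if svc in MGT_ONLY_SERVICES:
                findings.append(f"{name}: service {svc} is available only on the MGT interface")

    permitted = cfg.get("permitted_ips", [])
    if not permitted:
        findings.append(f"{name}: Permitted IP Addresses is empty, so any client can reach this interface")
    for entry in permitted:
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{name}: invalid Permitted IP entry {entry!r}")
    return findings


def client_allowed(client_ip: str, permitted: List[str]) -> bool:
    """Apply a Permitted IP Addresses list; an empty list admits every client."""
    if not permitted:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in permitted)


if __name__ == "__main__":
    # Constructed configs: one mistake-ridden MGT interface and one clean Eth1.
    print(validate_interface("mgt", {"ipv4": "10.1.1.5", "netmask": "255.255.255.0",
                                     "gateway4": "10.1.2.1", "permitted_ips": []}))
    print(validate_interface("eth1", {"ipv4": "10.2.0.20", "netmask": "255.255.255.0",
                                      "gateway4": "10.2.0.1", "services": ["ping"],
                                      "permitted_ips": ["10.2.0.0/24"]}))
```

The empty-list finding is deliberately a hard finding rather than a warning: the page's own recommendation is that the list is never left blank on a reachable interface.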
To configure a Dedicated Log Collector to connect to a User-ID agent, Add one and configure the settings
as described in the following table.
Name Enter a name (up to 31 characters) to identify the User-ID agent. The name is case-
sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens,
and underscores.
For a firewall serving as a User-ID agent, this field does not have to
match the Collector Name field.
Port Enter the port number on which the User-ID agent will listen for User-ID requests.
The default is port 5007 but you can specify any available port. Different User-ID
agents can use different ports.
Collector Name / Collector Pre-shared Key / Confirm Collector Pre-shared Key The collector that these fields refer to is the User-ID agent, not the Log Collector. The fields apply only if the agent is a firewall or virtual system that redistributes user mappings to the Log Collector. Enter the Collector Name and Pre-Shared Key that identify the firewall or virtual system as a User-ID agent. You must enter the same values as you did when configuring the firewall or virtual system to serve as a User-ID agent (see Redistribution).
Enabled Select to enable the Log Collector to communicate with the User-ID agent.
Connection Security
• Device > User Identification > Connection Security
• Panorama > User Identification > Connection Security
Configure the certificate profile that the Log Collector uses to validate the certificate presented by Windows User-ID agents. The Log Collector uses the selected certificate profile to verify the identity of the User-ID agent by validating the server certificate that the agent presents.
Task Description
User-ID Certificate Profile From the drop-down, select the certificate profile the firewall or
Panorama uses to authenticate Windows User-ID agents or select New
Certificate Profile to create one. Select None to remove the certificate
profile.
Communication Settings
• Panorama > Managed Collectors > Communication
To configure custom certificate-based authentication between Log Collectors and Panorama, firewalls, and
other Log Collectors, configure the settings as described in the following table.
Secure Server Communication—Enabling Secure Server Communication validates the identity of client
devices connecting to the Log Collector.
SSL/TLS Service Profile Select an SSL/TLS service profile from the drop-down. This profile defines the certificate presented by the Log Collector and specifies the range of SSL/TLS versions acceptable for communication with the Log Collector.
Certificate Profile Select a certificate profile from the drop-down. This certificate profile defines the certificate revocation checking behavior and the root CA used to authenticate the certificate chain presented by the client.
Custom Certificate Only When enabled, the Log Collector accepts only custom certificates for authentication with managed firewalls and Log Collectors.
Authorize Clients Based on Serial Number The Log Collector authorizes client devices based on a hash of their serial number.
Check Authorization List Client devices or device groups connecting to this Log Collector are checked against the authorization list.
Disconnect Wait Time (min) The amount of time the Log Collector waits before breaking the current connection with its managed devices. The Log Collector then reestablishes connections with its managed devices using the configured secure server communication settings. The wait time begins after the secure server communication configuration is committed.
Authorization List Select Add and complete the following fields to set criteria:
• Identifier—Select Subject or Subject Alt. Name as the authorization identifier.
• Type—If Subject Alt. Name is selected as the Identifier, select IP, hostname, or e-mail as the type of the identifier. If Subject is selected, common-name is used as the identifier type.
• Value—Enter the identifier value.
Secure Client Communication—Enabling Secure Client Communication ensures that the specified client
certificate is used for authenticating the Log Collector over SSL connections with Panorama, firewalls, or
other Log Collectors.
Certificate Type Select the type of device certificate (None, Local, or SCEP) used for securing communication.
None If None is selected, no device certificate is configured and secure client communication is not used. This is the default selection.
Local The Log Collector uses a local device certificate and the corresponding private key generated on the Log Collector or imported from an existing enterprise PKI server.
SCEP The Log Collector uses a device certificate and private key generated by a Simple Certificate Enrollment Protocol (SCEP) server.
Certificate Profile Select the Certificate Profile from the drop-down. This certificate profile defines how the Log Collector authenticates the server.
Check Server Identity The client device confirms the server’s identity by matching the common name (CN) with the server’s IP address or FQDN.
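The two halves of this configuration are the server side (require and chain-validate a client certificate, then check its identity against the Authorization List) and the client side (validate the server chain and, with Check Server Identity, match the CN to the address dialled). The following added example (not Palo Alto Networks code) shows both evaluations over already-parsed certificate fields and builds the matching Python ssl contexts. The certificate dict, the exact case-insensitive matching and the SCEP-free context construction are assumptions made for the example; the appliance's own matching rules are not published on this page.

```python
import ipaddress
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuthEntry:
    """One Authorization List row: Identifier, Type, Value as in the table above."""
    identifier: str  # "subject" or "san"
    type: str        # subject -> "common-name"; san -> "ip", "hostname" or "email"
    value: str


def _as_ip(text: str) -> Optional[str]:
    """Canonical form of an IP literal, or None if the text is not one."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def client_authorized(cert: Dict, auth_list: List[AuthEntry]) -> bool:
    """Check Authorization List: a client passes if any row matches one of its identities.

    `cert` is a constructed dict of parsed fields: {"cn": ..., "san": {"ip": [...],
    "hostname": [...], "email": [...]}}. Matching is exact and case-insensitive
    (an assumption of this example)."""
    for row in auth_list:
        if row.identifier == "subject" and row.type == "common-name":
            if cert.get("cn", "").lower() == row.value.lower():
                return True
        elif row.identifier == "san":
            sans = cert.get("san", {}).get(row.type, [])
            if row.type == "ip":
                want = _as_ip(row.value)
                if want and any(_as_ip(s) == want for s in sans):
                    return True
            elif any(s.lower() == row.value.lower() for s in sans):
                return True
    return False


def server_identity_ok(cert: Dict, peer: str) -> bool:
    """Check Server Identity: the server certificate's CN must equal the IP or FQDN dialled."""
    cn = cert.get("cn", "")
    if _as_ip(peer):
        return _as_ip(cn) == _as_ip(peer)
    return cn.lower().rstrip(".") == peer.lower().rstrip(".")


def secure_server_context(min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Server side of Secure Server Communication: demand a client certificate and
    pin the lowest TLS version, as the SSL/TLS Service Profile does. Loading the
    Log Collector certificate and the CA bundle is omitted so this runs offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.verify_mode = ssl.CERT_REQUIRED  # client chain must validate against the loaded CA
    return ctx


def secure_client_context(check_server_identity: bool = True) -> ssl.SSLContext:
    """Client side (Secure Client Communication): verify the server chain and,
    when Check Server Identity is on, the hostname as well."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = check_server_identity
    return ctx


if __name__ == "__main__":
    # Constructed client certificate fields for a Log Collector peer.
    cert = {"cn": "lc-01.example.net",
            "san": {"hostname": ["lc-01.example.net"], "ip": ["10.1.1.5"], "email": []}}
    print(client_authorized(cert, [AuthEntry("san", "ip", "10.1.1.5")]))
    print(server_identity_ok(cert, "10.1.1.5"))  # CN is a hostname, so an IP peer fails
```

Note the second print: with Check Server Identity on, a certificate whose CN is an FQDN does not satisfy a connection made to the peer's IP address, which is the usual cause of a Log Collector that validates the chain but still refuses to connect after the change is committed.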
Because the Panorama management server shares its operating system with the local
default Log Collector, you upgrade both when installing a software update on the Panorama
management server (see Panorama > Software).
For Dedicated Log Collectors, you can also select Panorama > Device Deployment >
Software to install updates (see Manage Software and Content Updates).
To reduce traffic on the management (MGT) interface, you can configure Panorama to use a
separate interface for deploying updates (see Panorama > Setup > Interfaces).
Devices Select the Log Collectors on which to install the software. The dialog displays
the following information for each Log Collector:
• Device Name—The name of the Dedicated Log Collector.
• Current Version—The Panorama software release currently installed on the
Log Collector.
• HA Status—This column does not apply to Log Collectors. Dedicated Log
Collectors do not support high availability.
Filter Selected To display only specific Log Collectors, select the Log Collectors and Filter
Selected.
Upload only to device (do not Install) Select to upload the software to the Log Collector without automatically rebooting it. The image is not installed until you manually reboot by logging into the Log Collector CLI and running the request restart system operational command.
Reboot device after Install Select to upload and automatically install the software. The installation process reboots the Log Collector.
The predefined Collector Group named default contains the predefined Log Collector that is
local to the Panorama management server.
Name (Panorama > Collector Groups > General) Enter a name to identify this Collector Group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Log Storage Indicates the total storage quota for firewall logs that
the Collector Group receives and the available space.
Click the storage quota link to set the storage Quota(%)
and expiration period (Max Days) for the following log
types:
• Detailed Firewall Logs—Includes all the log types
in the Device > Setup > Logging and Reporting
Settings, such as traffic, threat, HIP match,
dynamically registered IP addresses (IP tag),
extended PCAPs, GTP and Tunnel, App Stats, and
more.
• Summary Firewall Logs—Includes all the summary
logs included in Device > Setup > Logging and
Reporting Settings, such as traffic summary, threat
summary, URL summary, and GTP and tunnel
summary.
• Infrastructure and Audit Logs—Includes the config,
system, user-ID and authentication logs.
• Palo Alto Networks Platform Logs—Includes logs
from Traps and other Palo Alto Networks products.
• 3rd Party External Logs—Includes logs from other
vendor integrations provided by Palo Alto Networks.
To use the default settings, click Restore Defaults.
Min Retention Period (days) Enter the minimum log retention period in days (1–2,000) that Panorama maintains across all Log Collectors in the Collector Group. If the current date minus the
Collector Group Members Add the Log Collectors that will be part of this Collector Group (up to 16). You can add any of the Log Collectors that are available in the Panorama > Managed Collectors page. All the Log Collectors for any particular Collector Group must be the same model: for example, all M-500 appliances or all Panorama virtual appliances.
Enable log redundancy across collectors If you select this option, each log in the Collector Group will have two copies and each copy will reside on a different Log Collector. This redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost: you can see all the logs forwarded to the Collector Group and run reports for all the log data. Log redundancy is available only if the Collector Group has multiple Log Collectors and each Log Collector has the same number of disks. Because every log is stored twice, redundancy doubles the storage consumed by a given log volume, so size the group accordingly. In the Panorama > Collector Groups page, the Log Redistribution State column indicates the completion status of the redistribution process as a percentage.
Enable Secure Inter LC Communication Enables the use of custom certificates for mutual SSL authentication between Log Collectors in a Collector Group.
Location (Panorama > Collector Groups > Monitoring) Specify the location of the Collector Group.
Contact Specify an email contact (for example, the email address of the SNMP administrator who will monitor the Log Collectors).
Users (V3 only) Add the following settings for each SNMP user:
• Users—Enter a username for authenticating the user to the SNMP manager.
• View—Select a group of views for the user.
• Authpwd—Enter a password for authenticating the user to the SNMP manager (minimum eight characters). Only Secure Hash Algorithm (SHA) is supported as the authentication protocol.
• Privpwd—Enter a privacy password for encrypting SNMP messages to the SNMP manager (minimum eight characters). Only Advanced Encryption Standard (AES) is supported as the privacy protocol.
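The Authpwd and Privpwd values are never sent on the wire; SNMPv3 turns each one into a key that is localized to the engine ID of the monitored device, which is why the manager must know the Log Collector's engine ID and why the eight-character minimum matters. The following added example (not Palo Alto Networks code) implements that RFC 3414 derivation in pure Python so the result can be compared against what an SNMP manager computes. It assumes, as the documentation does not state, that "SHA" here is SHA-1 as in RFC 3414 and that AES means AES-128 keyed from the first 16 bytes of the localized privacy key (RFC 3826); the engine IDs used for the demonstration are constructed.

```python
import hashlib
from typing import Dict

ONE_MEGABYTE = 1048576  # RFC 3414 A.2: the password is repeated to 1 MB before hashing


def password_to_key(password: str, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 key localization.

    Ku  = H(password repeated to exactly 1 MB)
    Kul = H(Ku || engineID || Ku)

    The manager performs the same derivation, so the same password yields a
    different key for every Log Collector (every engine ID)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    ku = hashlib.new(hash_name, expanded).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def snmpv3_user_keys(user: str, authpwd: str, privpwd: str, engine_id: bytes) -> Dict[str, bytes]:
    """Localized keys for one SNMPv3 user as configured under Users (V3 only).

    Enforces the documented eight-character minimum. SHA-1 for the auth key and
    AES-128 (first 16 bytes of the localized key) for privacy are assumptions
    about the appliance made for this example."""
    for label, pwd in (("Authpwd", authpwd), ("Privpwd", privpwd)):
        if len(pwd) < 8:
            raise ValueError(f"{label} for user {user!r} must be at least eight characters")
    auth_key = password_to_key(authpwd, engine_id, "sha1")        # 20 bytes, HMAC-SHA-96 key
    priv_key = password_to_key(privpwd, engine_id, "sha1")[:16]   # AES-128 key
    return {"auth": auth_key, "priv": priv_key}


if __name__ == "__main__":
    # RFC 3414 Appendix A.3.2 known answer: "maplesyrup" with engine ID 00..02.
    print(password_to_key("maplesyrup", bytes.fromhex("000000000000000000000002")).hex())
    # Constructed engine IDs for two collectors: same passwords, different keys.
    for eid in ("80000009030000c0ffee0001", "80000009030000c0ffee0002"):
        print(eid, snmpv3_user_keys("lcmon", "maplesyrup", "correct horse", bytes.fromhex(eid)))
```

The RFC 3414 test vector is the quickest way to confirm that a manager's key derivation agrees with this one before chasing an apparent authentication failure on the appliance.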
Devices / Collectors (Panorama > Collector Groups > Device Log Forwarding) The log forwarding preference list controls which firewalls forward logs to which Log Collectors. For each entry that you Add to the list, Modify the Devices list to assign one or more firewalls and Add one or more Log Collectors in the Collectors list.
By default, the firewalls you assign in a list entry will
send logs only to the primary (first) Log Collector as long
as it is available. If the primary Log Collector fails, the
firewalls send logs to the secondary Log Collector. If the
secondary fails, the firewalls send logs to the tertiary
Log Collector, and so on. To change the order, select a
Log Collector and click Move Up or Move Down.
System / Configuration / HIP Match / Traffic / Threat / URL / Data (Panorama > Collector Groups > Collector Log Forwarding) For each type of firewall log that you want to forward from this Collector Group to external services, Add one or more match list profiles. The profiles specify which logs to forward and the destination servers. For each profile, complete the following:
• Name—Enter a name of up to 31 characters to identify the match list profile.
• Filter—By default, the firewall forwards All Logs of the type this match list profile applies to. To forward a subset of the logs, select an existing filter or select Filter Builder to add a new filter. For each query in a new filter, specify the following fields and Add the query:
Ingestion Profile (Panorama > Collector Groups > Log Ingestion) Add one or more log ingestion profiles that allow Panorama to receive logs from the Traps ESM server. To configure a new log ingestion profile, see Panorama > Log Ingestion Profile.
Log Admin Activity (Panorama > Collector Groups > Audit) Configure the Log Collector to generate and forward audit logs of administrator activity to the selected syslog server.
• Operational Commands (disabled by default)
—Generate an audit log when an administrator
executes an operational or debug command in the
CLI. See the CLI Operational Command Hierarchy
for a full list of PAN-OS operational and debug
commands.
• Syslog Server—Select a target syslog server profile to
forward audit logs.
Redundancy Enabled Indicates whether log redundancy is enabled for the Collector Group. You can enable log redundancy for a Collector Group after you complete or modify the Log Collector Configuration.
Log Redistribution State Certain actions (for example, enabling log redundancy) will cause the Collector Group to redistribute the logs among its Log Collectors. This column indicates the completion status of the redistribution process as a percentage.
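The Collector Group settings above combine into a small set of rules that are easy to check before a commit: storage quotas are percentages of the group's space, redundancy needs two or more same-model members with equal disk counts and stores every log twice, and the forwarding preference list fails over in order (primary, then secondary, then tertiary). The following added example (not Palo Alto Networks code) encodes those rules and projects per-type retention from an ingest rate so the result can be compared with Max Days and Min Retention Period. The member records, capacities and log rates are constructed for the example and are not appliance specifications.

```python
from typing import Dict, List, Optional


def check_quotas(quota_pct: Dict[str, float]) -> List[str]:
    """Quota(%) values are shares of the group's log storage; they cannot exceed 100% in total."""
    findings: List[str] = []
    if any(v < 0 for v in quota_pct.values()):
        findings.append("quota percentages must not be negative")
    total = sum(quota_pct.values())
    if total > 100:
        findings.append(f"quotas total {total:g}%; the sum must not exceed 100%")
    return findings


def check_members(collectors: List[Dict], redundancy: bool) -> List[str]:
    """Membership rules from the Collector Group Members and log redundancy rows."""
    findings: List[str] = []
    if not 1 <= len(collectors) <= 16:
        findings.append("a Collector Group holds between 1 and 16 Log Collectors")
    models = {c["model"] for c in collectors}
    if len(models) > 1:
        findings.append(f"mixed models {sorted(models)}; all members must be the same model")
    if redundancy:
        if len(collectors) < 2:
            findings.append("log redundancy needs at least two Log Collectors")
        if len({c["disks"] for c in collectors}) > 1:
            findings.append("log redundancy needs the same number of disks on every Log Collector")
    return findings


def usable_capacity_gb(collectors: List[Dict], redundancy: bool) -> float:
    """Two copies of every log: redundancy halves the space available for unique logs."""
    total = sum(c["capacity_gb"] for c in collectors)
    return total / 2 if redundancy else total


def projected_retention_days(collectors: List[Dict], redundancy: bool,
                             quota_pct: Dict[str, float], daily_gb: Dict[str, float]) -> Dict[str, float]:
    """Days each log type can be kept at the given ingest rate before its quota fills.
    Compare the result with Max Days and with the Min Retention Period when sizing."""
    cap = usable_capacity_gb(collectors, redundancy)
    return {t: (cap * quota_pct[t] / 100.0) / rate for t, rate in daily_gb.items() if rate > 0}


def pick_collector(preference: List[str], available: Dict[str, bool]) -> Optional[str]:
    """Log forwarding preference: first available of primary, secondary, tertiary, ...; None if all are down."""
    for name in preference:
        if available.get(name, False):
            return name
    return None


# Constructed example: two same-model appliances with 8,000 GB of log storage each.
MEMBERS = [
    {"name": "lc-01", "model": "M-500", "disks": 4, "capacity_gb": 8000},
    {"name": "lc-02", "model": "M-500", "disks": 4, "capacity_gb": 8000},
]
QUOTAS = {"detailed": 60, "summary": 20, "infra": 20}    # percent of group storage
DAILY_GB = {"detailed": 100, "summary": 10, "infra": 2}   # constructed ingest rates

if __name__ == "__main__":
    print(check_quotas(QUOTAS), check_members(MEMBERS, True))
    print(projected_retention_days(MEMBERS, True, QUOTAS, DAILY_GB))
    print(pick_collector(["lc-01", "lc-02"], {"lc-01": False, "lc-02": True}))
```

With redundancy on, the two 8,000 GB members give 48 days of detailed logs at 100 GB/day; turning redundancy off doubles that figure but leaves the group with a single copy of every log, which is the trade-off the redundancy row describes.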
Plugins Description
Upload Allows you to upload a plug-in installation file from a local directory. This does not
install the plugin. After uploading the installation file, the Install link becomes active.
Actions • Install—Installs the specified version of the plug-in. Installing a new version of the
plug-in overwrites the previously installed version.
• Delete—Deletes the specified plug-in file.
• Remove Config—Removes all configuration related to the plug-in. To completely remove all configuration related to a plug-in, you must also perform an Uninstall after using Remove Config.
When removing configuration from the Panorama plugin for VMware NSX,
this action deletes service definition(s) and service manager(s) only. It does not
remove other related configuration, such as zone, device groups, or templates.
Additionally, to complete this action in a Panorama HA deployment, you must
remove config on the active first, initiate a failover to make the secondary active,
and then remove config on the new active peer.
• Uninstall—Removes the current installation of the plug-in. This does not
remove the plug-in file from Panorama. If you uninstall the plug-in, you lose any
configuration related to that plug-in. Only use when completely removing the
related configuration.
SD-WAN Devices
• Panorama > SD-WAN > Devices
SD-WAN devices are branches or hubs that make up your VPN cluster and SD-WAN topology.
Field Description
Virtual Router Name Select the virtual router to use for routing between the SD-WAN hub and branches. By default, an sdwan-default virtual router is created and enables Panorama to automatically push router configurations.
Site Enter a user-friendly site name that identifies the hub or branch. For example, enter
the city name where the branch device is deployed.
Link Tag (PAN-OS 10.0.3 and later releases) For a hub, select the Link Tag that you created
for a hub virtual interface so the hub can participate in DIA AnyPath. Auto VPN
applies this link tag to the whole hub virtual interface, not an individual link. You
reference this Link Tag in the Traffic Distribution Profile to indicate the order of
failover to this hub virtual interface. On the branch device, Auto VPN uses this tag
to populate the Link Tag field on the SD-WAN virtual interface that terminates on
the hub device.
Zone Internet Add one or more security zones to identify traffic going to and coming from
untrusted sources.
Zone Hub Add one or more security zones to identify traffic going to and coming from the SD-
WAN hub devices.
Zone Branch Add one or more security zones to identify traffic going to and coming from the SD-
WAN branch devices.
Zone Internal Add one or more security zones to identify traffic going to and coming from the
trusted devices on the corporate network.
Router ID Specify the BGP router ID. The Border Gateway Protocol (BGP) router ID must be unique among all routers.
AS Number Enter the autonomous system (AS) number; an AS is a group of routers that share a common routing policy toward the internet. The AS number must be unique for every hub and branch location.
Redistribution Profile Name Select or create a redistribution profile to control which local prefixes are communicated to the hub router from the branch. By default, all locally connected internet prefixes are advertised to the hub location.
Palo Alto Networks does not redistribute the branch office default
route(s) learned from the ISP.
Field Description
Branches Add one or more branch devices to associate with one or more hubs.
Hubs Add one or more hub devices to associate with one or more branch devices. If
multiple hubs are added, use path health quality metrics to control which is the
primary hub and which are the secondary.
SD-WAN Monitoring
• Panorama > SD-WAN > Monitoring
The Monitoring tab is a dashboard that displays summary widgets for the health metrics of all your SD-WAN devices. This tool provides actionable intelligence about the activity on your SD-WAN network by allowing you to quickly identify applications or links experiencing performance issues. You can view path quality and link performance for all VPN Clusters, or for a specific VPN Cluster, within a specified period of time.
At a glance, you can view the total number of VPN Clusters with branch or hub firewalls that are
experiencing impacted application performance, and those that are healthy. You can view the following
application and link health states for VPN Clusters:
• App Performance
• Impacted—One or more applications in the VPN Cluster for which none of the selectable paths meets the jitter, latency, and packet loss thresholds specified in the Path Quality Profile.
• OK—Applications in the VPN Cluster are healthy; no jitter, latency, or packet loss threshold is exceeded.
• Link Performance
• Error—One or more sites in the VPN Cluster for which none of the selectable paths meets the jitter, latency, and packet loss thresholds specified in the Path Quality Profile.
• Warning—One or more sites in the VPN Cluster have links whose jitter, latency, or packet loss measurements compare unfavorably to the moving seven-day average of that metric.
• OK—Links in the VPN Cluster are healthy; no jitter, latency, or packet loss threshold is exceeded.
SD-WAN Reports
• Panorama > SD-WAN > Reports
Generate a report on application or link performance for the top applications or links that experienced the highest frequency of health degradation in the specified period of time, for auditing purposes. After a report is configured, you must Run Now to view the report.
Cluster From the drop-down, select the cluster for which to generate a report. By default, all
is selected.
Site From the drop-down, select the site for which to generate a report. By default, all is
selected.
If all is selected for the Cluster, then you must generate a report for all sites
attributed to the cluster. If a specific cluster is selected, then you may select a
specific site for which to generate a report.
Application (App Performance Report Type only) From the drop-down, select an application for which to generate a report. By default, all is selected. If all is selected for the Site, then you must generate a report for all applications attributed to the site. If a specific site is selected, then you may select a specific application for which to generate a report.
Link Tag (Link Performance Report Type only) From the drop-down, select a link tag for which to generate a report. By default, all is selected. If all is selected for the Site, then you must generate a report for all link tags created under the site. If a specific site is selected, then you may select a specific link tag for which to generate a report.
Link Type (Link Performance Report Type only) From the drop-down, select a link type for which to generate a report. By default, all is selected. If all is selected for the Link Tag, then you must generate a report for all link types created under the Link Tag. If a specific Link Tag is selected, then you may select a specific link type for which to generate a report.
Top N Specify the number of applications or links to include in the report. You may select
that the report include the top 5, 10, 25, 50, 100, 250, 500, or 1000 performing
applications or links. By default, 5 is selected.
Time Period Set the time period for which to run the report. None is selected by default, which
generates a report using all of the app and link performance data.
How do I configure the firewall to consistently enforce policy in the dynamic vSphere environment? Select Objects > Address Groups and Policies > Security. To enable Panorama and the firewalls to learn about the changes in the virtual environment, use Dynamic Address Groups as source and destination address objects in Security policy pre rules.
Notify Device Check the boxes of the device groups that must be notified of additions or
modifications to the virtual machines deployed on the network.
As new virtual machines are provisioned or existing machines are modified,
the changes in the virtual network are provided as updates to Panorama.
When configured to do so, Panorama populates and updates the dynamic
address objects referenced in policy rules so that the firewalls in the specified
device groups receive changes to the registered IP addresses in the dynamic
address groups.
Field Description
Name Enter the name for the service you want to display on the NSX Manager.
Description (Optional) Enter a label to describe the purpose or function of this service
definition.
Device Group Select the device group or device group hierarchy to which these VM-Series
firewalls will be assigned. For details, see Panorama > VMware NSX.
Template Select the template to which the VM-Series firewalls will be assigned. For details,
see Panorama > Templates.
Each service definition must be assigned to a unique template or template stack.
A template can have multiple zones (NSX Service Profile Zones for NSX)
associated with it. For a single-tenant deployment, create one zone (NSX Service
Profile Zone) in the template. If you have a multi-tenant deployment, create a
zone for each sub-tenant.
When you create a new NSX Service Profile Zone, it is automatically attached to a
pair of virtual wire subinterfaces. For more information, see Network > Zones.
VM-Series OVF URL Enter the URL (IP address or host name and path) where the NSX Manager can access the OVF file to provision new VM-Series firewalls.
Service Manager Name Enter a name to identify the VM-Series firewall as a service. This name displays on the NSX Manager and is used to deploy the VM-Series firewall on-demand. Supports up to 63 characters; use only letters, numbers, hyphens, and underscores.
Description (Optional) Enter a label to describe the purpose or function of this service.
NSX Manager Specify the URL that Panorama will use to establish a connection with the NSX
URL Manager.
Confirm NSX
Manager
Password
Service Specify the service definitions associated with this service manager. Each service
Definitions manager supports up to 32 service definitions.
After committing the changes to Panorama, the VMware Service Manager window displays the connection
status between Panorama and the NSX Manager.
Status: Displays the connection status between Panorama and the NSX Manager.
A successful connection displays as Registered—Panorama and the NSX Manager are synchronized and the VM-Series firewall is registered as a service on the NSX Manager.
For an unsuccessful connection, the status can be:
Synchronize Dynamic Objects: Click Synchronize Dynamic Objects to refresh the dynamic object information from the NSX Manager. Synchronizing dynamic objects enables you to maintain context on changes in the virtual environment and allows you to safely enable applications by automatically updating the Dynamic Address Groups used in policy rules.
NSX Config-Sync: Select NSX Config-Sync to synchronize the service definitions configured on Panorama with the NSX Manager. If you have any pending commits on Panorama, this option is not available.
If the synchronization fails, view the details in the error message to know whether the error is on Panorama or on the NSX Manager. For example, when you delete a service definition on Panorama, the synchronization with the NSX Manager fails if the service definition is referenced in a rule on the NSX Manager. Use the information in the error message to determine the reason for failure and where you need to take corrective action (on Panorama or on the NSX Manager).
Field Description
Auto-Generate Steering Rules: Generates steering rules based on a security rule that is configured as follows:
• Belongs to a parent or a child device group registered with an NSX Service Manager.
Name: Enter the name for the steering rule you want to display on the NSX Manager. When auto-generated, Panorama adds the prefix auto_ to each steering rule and replaces any space in the security policy rule name with an underscore ( _ ).
Description: (Optional) Enter a label to describe the purpose or function of this service definition.
NSX Traffic Direction: Specify the direction of the traffic that is redirected to the VM-Series firewall.
• inout—Creates an INOUT rule on NSX. Traffic of the specified type going between the source and the destination is redirected to the VM-Series firewall. Panorama uses this traffic direction for auto-generated steering rules.
• in—Creates an IN rule on NSX. Traffic of the specified type going to the source from the destination is redirected to the VM-Series firewall.
• out—Creates an OUT rule on NSX. Traffic of the specified type going from the source to the destination is redirected to the VM-Series firewall.
NSX Services: Select the application (Active Directory Server, HTTP, DNS, etc.) traffic to redirect to the VM-Series firewall.
Device Group: Select a device group from the drop-down. The chosen device group determines which security policies are applied to the steering rule. Device groups must be associated with an NSX service definition.
Security Policy: The security policy rule that the auto-generated steering rule is based on.
Field Description
Name: Enter the name for the external Syslog ingestion profile. You can add up to 255 profiles.
Source Name: Enter the name or IP address of the external sources that will send logs. You can add up to 4 sources within a profile.
Port: Enter the port on which Panorama is reachable over the network and on which it listens for communication from the sources.
For Traps ESM, select a value in the range 23000-23999. You must configure the same port number on the Traps ESM to enable communication between Panorama and the ESM.
Transport: Select TCP, UDP or SSL. If you select SSL, you must configure an inbound certificate for secure syslog communication in Panorama > Managed Collectors > General.
External Log Type: Select the log type from the drop-down.
Use Monitor > External Logs to view information on the logs ingested from the Traps ESM server into Panorama.
For the logs that firewalls send to Log Collectors, complete the Log Collector
Configuration to enable forwarding to external services.
Before starting, you must define server profiles for the external services (see Device > Server Profiles
> SNMP Trap, Device > Server Profiles > Syslog, Device > Server Profiles > Email, and Device > Server
Profiles > HTTP). Then Add one or more match list profiles and configure the settings as described in the
following table.
Name: Enter a name (up to 31 characters) to identify the match list profile.
Filter: By default, Panorama forwards All Logs of the type for which you are adding the match list profile. To forward a subset of the logs, open the drop-down and select an existing filter or select Filter Builder to add a new filter. For each query in a new filter, specify the following fields and Add the query:
• Connector—Select the connector logic (and/or) for the query. Select Negate if you want to apply negation to the logic. For example, to avoid forwarding logs from an untrusted zone, select Negate, select Zone as the Attribute, select equal as the Operator, and enter the name of the untrusted Zone in the Value column.
• Attribute—Select a log attribute. The options depend on the log type.
• Operator—Select the criterion to determine whether the attribute applies (such as equal). The available options depend on the log type.
• Value—Specify the attribute value for the query to match.
To display or export the logs that the filter matches, select View Filtered Logs. This tab provides the same options as the Monitoring tab pages (such as Monitoring > Logs > Traffic).
SNMP: Add one or more SNMP Trap server profiles to forward logs as SNMP traps (see Device > Server Profiles > SNMP Trap).
Email: Add one or more Email server profiles to forward logs as email notifications (see Device > Server Profiles > Email).
Syslog: Add one or more Syslog server profiles to forward logs as syslog messages (see Device > Server Profiles > Syslog).
HTTP: Add one or more HTTP server profiles to forward logs as HTTP requests (see Device > Server Profiles > HTTP).
Built-in Actions: All log types except System logs and Configuration logs allow you to configure actions.
• Add an action and enter a name to describe it.
• Select the IP address you want to tag—Source Address or Destination Address.
• Select the action—Add Tag or Remove Tag.
• Select whether to distribute the tag to the local User-ID agent on this device, or to a remote User-ID Agent.
• To distribute tags to a Remote device User-ID Agent, select the HTTP server profile that will enable forwarding.
• Configure the IP-Tag Timeout to set, in minutes, the amount of time that the IP address-to-tag mapping is maintained. Setting the timeout to 0 means that the IP-Tag mapping does not time out (range is 0 to 43200 (30 days); default is 0).
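As an added example (not Palo Alto Networks code), the following Python models how the Filter Builder queries above are evaluated over log entries and how a Built-in Action then keeps IP-to-tag mappings under an IP-Tag Timeout. The log records, the simplified attribute keys (zone, src, dst, action) and the tag name are constructed for illustration, and only the equal / not equal operators are modeled.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample Traffic logs; attribute names are simplified dict keys.
LOGS = [
    {"zone": "untrust", "src": "203.0.113.10", "dst": "10.0.0.5", "action": "deny"},
    {"zone": "trust", "src": "10.0.0.7", "dst": "198.51.100.2", "action": "allow"},
    {"zone": "dmz", "src": "10.1.1.9", "dst": "10.0.0.5", "action": "deny"},
]

@dataclass
class Query:
    """One Filter Builder row: Connector, Negate, Attribute, Operator, Value."""
    attribute: str
    operator: str            # "equal" or "not equal" (other operators omitted here)
    value: str
    connector: str = "and"   # joins this query to the result of the previous ones
    negate: bool = False     # Negate inverts the outcome of this query

def query_matches(q: Query, log: Dict[str, str]) -> bool:
    actual = log.get(q.attribute)
    hit = (actual == q.value) if q.operator == "equal" else (actual != q.value)
    return not hit if q.negate else hit

def filter_matches(queries: List[Query], log: Dict[str, str]) -> bool:
    """An empty filter means All Logs; otherwise queries fold left to right."""
    if not queries:
        return True
    result = query_matches(queries[0], log)
    for q in queries[1:]:
        hit = query_matches(q, log)
        result = (result and hit) if q.connector == "and" else (result or hit)
    return result

@dataclass
class TagAction:
    """Built-in Action: Add Tag / Remove Tag on the Source or Destination Address."""
    target: str              # "Source Address" or "Destination Address"
    action: str              # "Add Tag" or "Remove Tag"
    tag: str
    timeout_min: int = 0     # IP-Tag Timeout in minutes; 0 = mapping never times out
TARGET_KEY = {"Source Address": "src", "Destination Address": "dst"}

def forward(logs, queries, action, now_min, mappings=None):
    """Run the match list over logs; return ip -> {tag: expiry minute or None}."""
    if not 0 <= action.timeout_min <= 43200:   # range from the table: 0 to 30 days
        raise ValueError("IP-Tag Timeout must be 0-43200 minutes")
    mappings = {} if mappings is None else mappings
    for log in logs:
        if not filter_matches(queries, log):
            continue
        ip = log[TARGET_KEY[action.target]]
        if action.action == "Add Tag":
            expiry = None if action.timeout_min == 0 else now_min + action.timeout_min
            mappings.setdefault(ip, {})[action.tag] = expiry
        else:
            mappings.get(ip, {}).pop(action.tag, None)
    return mappings

def live_tags(mappings, now_min):
    """Tags still mapped at now_min: expired ones dropped, 0-timeout ones kept."""
    live = {ip: sorted(t for t, exp in tags.items() if exp is None or exp > now_min)
            for ip, tags in mappings.items()}
    return {ip: tags for ip, tags in live.items() if tags}

# The table's Negate example plus an "action" query; matching sources are tagged for 60 min.
QUERIES = [Query("zone", "equal", "untrust", negate=True),
           Query("action", "equal", "deny", connector="and")]
ACTION = TagAction("Source Address", "Add Tag", "quarantine", timeout_min=60)
```

With the constructed logs, only the dmz source 10.1.1.9 is forwarded and tagged; the untrust log is excluded by Negate and the trust log by the action query.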
Name: Enter a name to identify the server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Port: Enter the server port for file transfer (range is 1–65,535; default is 22).
Password / Confirm Password: Enter and confirm the case-sensitive password for the username used to access the SCP server.
If Panorama has a high availability (HA) configuration, you must perform these instructions
on each peer to ensure the scheduled exports continue after a failover. Panorama does not
synchronize scheduled configuration exports between HA peers.
Scheduled export start time (daily): Specify the time of day to start the export (24-hour clock, format HH:MM).
Protocol: Select the protocol to use to export logs from Panorama to a remote host. Secure Copy (SCP) is a secure protocol; FTP is not.
Hostname: Enter the IP address or hostname of the target SCP or FTP server.
Path: Specify the path to the folder or directory on the target server that will store the exported configuration.
For example, if the configuration bundle is stored in a folder called exported_config within a top level folder called Panorama, the syntax for each server type is:
• SCP server: /Panorama/exported_config
• FTP server: //Panorama/exported_config
Supported characters: . (period), +, { and }, /, -, _, 0-9, a-z, and A-Z. Spaces are not supported in the file Path.
Password / Confirm Password: Specify the password required to access the target system. Use a password with a maximum length of 15 characters. If the password exceeds 15 characters, the test SCP connection will display an error because the firewall encrypts the password when it tries to
Test SCP server connection: Select to test communication between Panorama and the SCP host/server.
To enable the secure transfer of data, you must verify and accept the host key of the SCP server. The connection is not established until the host key is accepted. If Panorama has an HA configuration, you must perform this verification on each HA peer so that each one accepts the host key of the SCP server.
By default, the Panorama management server saves up to two software updates. To make
space for newer updates, the server automatically deletes the oldest update. You can change
the number of software images that Panorama saves and manually delete images to free up
space.
Refer to Install Content and Software Updates for Panorama for important information about
version compatibility.
Task Description
Check Now: If Panorama has access to the Internet, Check Now to display the latest update information (see Display Panorama Software Update Information).
If Panorama does not have access to the external network, use a browser to visit the Software Update site for update information.
Upload: To upload a software image when Panorama does not have access to the Internet, use a browser to visit the Software Update site, locate the desired release and download the software image to a computer that Panorama can access, select Panorama > Software, click Upload, Browse to and select the software image, and click OK. When the upload is complete, the Downloaded column displays a check mark and the Action column displays Install.
Download: If Panorama has access to the Internet, Download (Action column) the desired release. When the download is complete, the Downloaded column displays a check mark.
Install: Install (Action column) the software image. When the installation finishes, Panorama logs you out while it reboots.
Release Notes: If Panorama has access to the Internet, you can access the Release Notes for the desired software release and review the release changes, fixes, known issues, compatibility issues, and changes to default behavior.
If Panorama does not have access to the Internet, use a browser to visit the Software Update site and download the appropriate release.
Delete: Deletes a software image when no longer needed or when you want to free up space for more images.
Release Date: The date and time when Palo Alto Networks made the update available.
Action: Indicates the actions (Download, Install, or Reinstall) that are available for an image.
Release Notes: Click Release Notes to access the release notes for the desired software release and review the release changes, fixes, known issues, compatibility issues, and changes in default behavior.
Delete: Deletes an update when no longer needed or to free up space for more downloads or uploads.
See which software and content updates are installed or available for download and installation: Display Software and Content Update Information
Revert the content versions of one or more firewalls from Panorama: Revert Content Versions from Panorama
To reduce traffic on the management (MGT) interface, you can configure Panorama to use a
separate interface for deploying updates (see Panorama > Setup > Interfaces).
Upgrade: If a BrightCloud URL Filtering content update is available, click Upgrade. After a successful upgrade, you can Install the update on firewalls.
Install: After you Download or Upload a PAN-OS software, Panorama software, or content update, click Install in the Action column and select:
• Devices—Select the firewalls or Log Collectors on which to install the update. If the list is long, use the Filters. Select Group HA Peers to group firewalls that are high availability (HA) peers. This enables you to easily identify firewalls that have an HA configuration. To display only specific firewalls or Log Collectors, select them and then Filter Selected.
• Upload only to device (software only)—Select to load the software without automatically installing it. You must manually install the software.
• Reboot device after install (software only)—Select to specify that the installation process automatically reboots the firewalls or Log Collectors. The installation cannot finish until a reboot occurs.
• Disable new apps in content update (Applications and Threats only)—Select to disable applications in the update that are new relative to the last installed update. This protects against the latest threats while giving you the flexibility to enable applications after preparing any policy updates. Then, to enable applications, log in to the firewall, select Device > Dynamic Updates, click Apps in the Features column to display the new applications, and click Enable/Disable for each application you want to enable.
Activate: After you Download or Upload a GlobalProtect app software update, click Activate in the Action column and select the options as follows:
• Devices—Select the firewalls on which to activate the update. If the list is long, use the Filters. Select Group HA Peers to group firewalls that are high availability (HA) peers. This enables you to easily identify firewalls that have an HA configuration. To display only specific firewalls, select them and then Filter Selected.
• Upload only to device—Select if you don’t want PAN-OS to automatically activate the uploaded image. You must log in to the firewall and activate it.
Release Notes: Click Release Notes to access the release notes for the desired software release and review the release changes, fixes, known issues, compatibility issues, and changes in default behavior.
Documentation: Click Documentation to access the release notes for the desired content release.
Delete: Deletes software or content updates when no longer needed or when you want to free up space for more downloads or uploads.
Check Now: Check Now to Display Software and Content Update Information.
Upload: To deploy a software or content update when Panorama is not connected to the Internet, download the update to your computer from the Software Updates or Dynamic Updates site, select the Panorama > Device Deployment page that corresponds to the update type, click Upload, select the update Type (content updates only), select the uploaded file, and click OK. The steps to then install or activate the update depend on the type:
• PAN-OS or Panorama software—When the upload is complete, the Downloaded column displays a check mark and the Action column displays Install.
• GlobalProtect Client or SSL VPN Client software—Activate from file.
• Dynamic updates—Install from file.
Install from File: After you upload a content update, click Install from File, select the content Type, select the filename of the update, and select the firewalls or Log Collectors.
Activate from File: After you upload a GlobalProtect app software update, click Activate from File, select the filename of the update, and select the firewalls.
Platform: The designated firewall or Log Collector model for the update. A number indicates a hardware firewall model (for example, 7000 indicates the PA-7000 Series firewall), vm indicates the VM-Series firewall, and m indicates the M-Series appliance.
Features: (Content only) Lists the type of signatures the content version might include.
Type: (Content only) Indicates whether the download includes a full database update or an incremental update.
Release Date: The date and time when Palo Alto Networks made the update available.
Available: (PAN-OS or Panorama software only) Indicates that the update is downloaded or uploaded.
Downloaded: (SSL VPN Client software, GlobalProtect Client software, or content only) A check mark indicates that the update is downloaded.
Action: Indicates the action you can perform on the update: Download, Upgrade, Install or Activate.
Documentation: (Content only) Provides a link to the release notes for the desired content release.
Release Notes: (Software only) Provides a link to the release notes for the desired software release.
Delete: Deletes an update when no longer needed or when you want to free up space for more downloads or uploads.
Name: Enter a name to identify the scheduled job (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, hyphens, and underscores.
Download Source: Select the download source for the content update. You can select to download content updates from the Palo Alto Networks Updates Server or from an SCP server.
SCP Profile (SCP only): Select a configured SCP profile from which to download.
SCP Path (SCP only): Enter the specific path on the SCP server from which to download the content update.
Type: Select the type of content update to schedule: App, App and Threat, Antivirus, WildFire, or URL Database.
Recurrence: Select the interval at which Panorama checks in with the update server. The recurrence options vary by update type.
Time: For a Daily update, select the Time from the 24-hour clock.
Disable new apps in content update: You can disable new apps in content updates only if you set the update Type to App or App and Threat and only if Action is set to Download and Install.
Select to disable applications in the update that are new relative to the last installed update. This protects against the latest threats while giving you the flexibility to enable the applications after preparing any policy updates. Then, to enable applications, log in to the firewall, select Device > Dynamic Updates, click Apps in the Features column to display the new applications, and click Enable/Disable for each application you want to enable.
Action:
• Download Only—Panorama™ will download the scheduled update. You must manually install the update on firewalls and Log Collectors.
• Download and Install—Panorama will download and automatically install the scheduled update.
• Download and SCP—Panorama will download and transfer the content update package to the specified SCP server.
Devices: Select Devices and then select the firewalls that will receive scheduled content updates.
Log Collectors: Select Log Collectors and then select the managed collectors that will receive scheduled content updates.
Field Description
Virtual System: Indicates whether the firewall does or does not support multiple virtual systems.
Threat Prevention, URL, Support, GlobalProtect Gateway, GlobalProtect Portal, WildFire: Indicates whether the license is active, inactive, or expired (along with the expiration date).
Device Registration Auth Key Fields Description
Name: Name of the device registration auth key. The name is case-sensitive, must be unique across the entire device group hierarchy, and can contain only letters, numbers, spaces, hyphens, and underscores.
Lifetime: Key lifetime displays the number of days, hours, and minutes the device registration auth key is valid to onboard new firewalls, Log Collectors, and WildFire appliances.
Count: Number of times you can use the device registration auth key to onboard new firewalls, Log Collectors, and WildFire appliances.
Serial: Serial number of one or more new firewalls, Log Collectors, and WildFire appliances for which the device registration auth key is valid.
Type: Type of device for which the authentication key is valid (Any, Firewalls, or Log Collectors).
Device Registration Auth Key Settings Description
Name: Enter a name to identify the device registration auth key. The name is case-sensitive, must be unique across the entire device group hierarchy, and can contain only letters, numbers, spaces, hyphens, and underscores.
Lifetime: Specify the key lifetime, that is, how long you can use the device registration auth key to onboard new firewalls, Log Collectors, and WildFire appliances.
Count: Specify how many times you can use the authentication key to onboard new firewalls, Log Collectors, and WildFire appliances.
Device Type: Specify for which devices you can use the device registration auth key: Firewalls, Log Collectors, or Any (default).
Devices: Enter the firewall, Log Collector, and WildFire appliance serial numbers to specify for which firewalls, Log Collectors, and WildFire appliances the device registration auth key is valid.
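As an added example (not Palo Alto Networks code), the following Python models the four constraints a device registration auth key carries per the tables above (Lifetime, Count, Device Type and the Devices serial list) as one onboarding check, so that a key scoped to a few serials and a short lifetime refuses anything else. The lifetime is kept in minutes, and the key name, serial numbers and device kinds used in the sample are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Name rule from the Settings table: letters, numbers, spaces, hyphens, underscores.
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]+$")
DEVICE_TYPES = ("Any", "Firewalls", "Log Collectors")

def lifetime_minutes(days: int = 0, hours: int = 0, minutes: int = 0) -> int:
    """Lifetime is entered as days, hours and minutes; keep it as one integer."""
    return days * 1440 + hours * 60 + minutes

@dataclass
class AuthKey:
    name: str
    lifetime_min: int                 # minutes after creation during which the key onboards devices
    count: int                        # remaining onboarding uses
    device_type: str = "Any"          # Any (default), Firewalls or Log Collectors
    serials: List[str] = field(default_factory=list)   # empty list = valid for any serial

    def __post_init__(self):
        if not NAME_RE.match(self.name):
            raise ValueError("name: only letters, numbers, spaces, hyphens and underscores")
        if self.device_type not in DEVICE_TYPES:
            raise ValueError("device type must be Any, Firewalls or Log Collectors")

def refusal_reason(key: AuthKey, serial: str, kind: str, age_min: int) -> Optional[str]:
    """None if a device of `kind` with `serial` may onboard `age_min` minutes after
    the key was created; otherwise the first constraint that refuses it."""
    if age_min >= key.lifetime_min:
        return "lifetime expired"
    if key.count <= 0:
        return "use count exhausted"
    if key.device_type != "Any" and kind != key.device_type:
        return f"key is for {key.device_type}, device is {kind}"
    if key.serials and serial not in key.serials:
        return "serial number not listed for this key"
    return None

def onboard(key: AuthKey, serial: str, kind: str, age_min: int) -> bool:
    """Consume one use of the key only when every constraint passes."""
    if refusal_reason(key, serial, kind, age_min) is not None:
        return False
    key.count -= 1
    return True

# Constructed sample: a key scoped to two firewall serials, valid for one day, usable twice.
SAMPLE_KEY = AuthKey("branch rollout 2021", lifetime_minutes(days=1), count=2,
                     device_type="Firewalls", serials=["FW-0001", "FW-0002"])
```

Because the Devices list and Device Type are both checked, a key left at Any with an empty serial list onboards any device that presents it within the lifetime and count; narrowing those two fields is what ties the key to the appliances you actually expect.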