Web Interface Reference Guide Version 6.1

Transcription

1 Web Interface Reference Guide Version 6.1

2 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA About this Guide This guide describes the Palo Alto Networks next-generation firewall and Panorama web interfaces. It provides information on how to use the web interface and reference information about how to populate fields within the interface: For information on the additional capabilities and for instructions on configuring the features on the firewall and Panorama, see For access to the knowledge base, complete documentation set, discussion forums, and videos, see For contacting support, for information on the support programs, or to manage your account or devices, see For the latest release notes, go to the software downloads page at To provide feedback on the documentation, please write to us at: Palo Alto Networks, Inc Palo Alto Networks. All rights reserved. Palo Alto Networks and PAN-OS are trademarks of Palo Alto Networks, Inc. Revision Date: April 27,

3 April 27, Palo Alto Networks COMPANY CONFIDENTIAL Table of Contents Chapter 1 Introduction Firewall Overview Features and Benefits Management Interfaces Chapter 2 Getting Started Preparing the Firewall Setting Up the Firewall Using the Firewall Web Interface Committing Changes Navigating to Configuration Pages Using Tables on Configuration Pages Required s Locking Transactions Supported Browsers Getting Help Configuring the Firewall Obtaining More Information Technical Support Chapter 3 Device Management System Setup, Configuration, and License Management Defining Management Settings Defining Operations Settings Defining Hardware Security Modules SNMP Defining Services Settings Defining Content-ID Settings Configuring WildFire Settings Defining Session Settings Session Settings Session Timeouts Decryption Settings: Certificate Revocation Checking Decryption Settings: Forward Proxy Server Certificate Settings Palo Alto Networks 3

4 Comparing Configuration Files Installing a License Defining VM Information Sources Installing the Software Updating Threat and Application Definitions Administrator Roles, Profiles, and Accounts Defining Administrator Roles Defining Password Profiles Username and Password Requirements Creating Administrative Accounts Specifying Access Domains for Administrators Setting Up Authentication Profiles Creating a Local User Database Adding Local User Groups Configuring RADIUS Server Settings Configuring LDAP Server Settings Configuring Kerberos Settings (Native Active Directory Authentication) Setting Up an Authentication Sequence Scheduling Log Exports Defining Logging Destinations Defining Configuration Log Settings Defining System Log Settings Defining HIP Match Log Settings Defining Alarm Log Settings Managing Log Settings Configuring SNMP Trap Destinations Configuring Syslog Servers Custom Syslog s Configuring Notification Settings Configuring Netflow Settings Using Certificates Managing Device Certificates Managing the Default Trusted Certificate Authorities Creating a Certificate Profile Adding an OCSP Responder Encrypting Private Keys and Passwords on the Firewall Enabling HA on the Firewall Defining Virtual Systems Configuring Shared Gateways Defining Custom Response Pages Viewing Support Information Chapter 4 Network Settings Defining Virtual Wires Configuring a Firewall Interface Configuring an Ethernet Interface Configuring an Ethernet Subinterface Configuring a Virtual Wire Interface Configuring a Virtual Wire Subinterface Configuring a Tap Interface Configuring a Log Card Interface Palo Alto Networks

5 Configuring a Decrypt Mirror Interface Configuring Aggregate Interface Groups Configuring an Aggregate Ethernet Interface Configuring an HA Interface Configuring a VLAN Interface Configuring a Loopback Interface Configuring a Tunnel Interface Configuring a Virtual Router Configuring the General tab Configuring the Static Routes tab Configuring the Redistribution Profiles Tab Configuring the RIP Tab Configuring the OSPF Tab Configuring the OSPFv3 Tab Configuring the BGP Tab Configuring the Multicast Tab Defining Security Zones More Runtime Stats for a Virtual Router VLAN Support DHCP Server and Relay DNS Proxy Defining Interface Management Profiles Defining Monitor Profiles Defining Zone Protection Profiles Configuring Flood Protection Configuring Reconnaissance Protection Configuring Packet Based Attack Protection Chapter 5 Policies and Security Profiles Policy Types Guidelines on Defining Policies Specifying Users and Applications for Policies Defining Policies on Panorama Defining Security Policies General Tab Source Tab User Tab Destination Tab Application Tab Service/URL Category Tab Actions Tab NAT Policies Determining Zone Configuration in NAT and Security Policy NAT Rule Options NAT Policy Examples NAT NAT64 Examples Defining Network Address Translation Policies General Tab Palo Alto Networks 5

6 Original Packet Tab Translated Packet Tab Policy-Based Forwarding Policies General Tab Source Tab Destination/Application/Service Tab Forwarding Tab Decryption Policies General Tab Source Tab Destination Tab URL Category Tab Options Tab Defining Application Override Policies General Tab Source Tab Destination Tab Protocol/Application Tab Defining Captive Portal Policies General Tab Source Tab Destination Tab Service/URL Category Tab Action Tab Defining DoS Policies General Tab Source Tab Destination Tab Options/Protection Tab Security Profiles Antivirus Profiles Antivirus Profile Page Antivirus Tab Exceptions Tab Anti-spyware Profiles Vulnerability Protection Profiles URL Filtering Profiles File Blocking Profiles Data Filtering Profiles DoS Profiles Other Policy Objects Defining Address Objects Defining Address Groups Defining Regions Applications and Application Groups Defining Applications Defining Application Groups Application Filters Services Service Groups Working with Tags Data Patterns Dynamic Block Lists Palo Alto Networks

7 Custom Spyware and Vulnerability Signatures Defining Data Patterns Defining Spyware and Vulnerability Signatures Custom URL Categories Security Profile Groups Log Forwarding Decryption Profiles Schedules Chapter 6 Reports and Logs Using the Dashboard Using the Application Command Center Using App Scope Summary Report Change Monitor Report Threat Monitor Report Threat Map Report Network Monitor Report Traffic Map Report Viewing the Logs Viewing Session Information Working with Botnet Reports Configuring the Botnet Report Managing Botnet Reports Managing PDF Summary Reports Managing User/Group Activity Reports Managing Report Groups Scheduling Reports for Delivery Viewing Reports Generating Custom Reports Taking Packet Captures Chapter 7 Configuring the Firewall for User Identification Configuring the Firewall for User Identification User Mapping Tab User-ID Agents Tab Terminal Services Agents Tab Group Mapping Tab Captive Portal Settings Tab Chapter 8 Configuring IPSec Tunnels Defining IKE Gateways Palo Alto Networks 7

8 IKE Gateway General Tab IKE Gateway Advanced Phase 1 Options Tab Setting Up IPSec Tunnels IPSec Tunnel General Tab IPSec Tunnel Proxy ID Tab Viewing IPSec Tunnel Status on the Firewall Defining IKE Crypto Profiles Defining IPSec Crypto Profiles Chapter 9 GlobalProtect Settings Setting Up the GlobalProtect Portal Portal Configuration Tab Client Configuration Tab Satellite Configuration Tab Setting Up the GlobalProtect Gateways General Tab Client Configuration Tab Satellite Configuration Tab Setting Up Gateway Access to a Mobile Security Manager Creating HIP Objects General Tab Mobile Device Tab Patch Management Tab Firewall Tab Antivirus Tab Anti-Spyware Tab Disk Backup Tab Disk Encryption Tab Data Loss Prevention Tab Custom Checks Tab Setting Up HIP Profiles Setting Up and Activating the GlobalProtect Agent Setting Up the GlobalProtect Agent Using the GlobalProtect Agent Chapter 10 Configuring Quality of Service Configuring QoS for Firewall Interfaces Defining QoS Profiles Defining QoS Policies Displaying QoS Statistics Chapter 11 Central Device Management Using Panorama Panorama Tab Switching Device Context Palo Alto Networks

9 Setting Up Storage Partitions Configuring High Availability (HA) Adding Devices Backing Up Firewall Configurations Defining Device Groups Shared Objects and Policies Applying Policy to a Specific Device in a Device Group Defining Panorama Administrator Roles Creating Panorama Administrative Accounts Specifying Panorama Access Domains for Administrators Committing your Changes in Panorama Templates Overriding Template Settings Deleting Templates Logging and Reporting Enable Log Forwarding Managing Log Collectors Adding a Log Collector Installing a Software Update on a Collector Defining Log Collector Groups Generating User Activity Reports Viewing Firewall Deployment Information Scheduling Dynamic Updates Scheduling Configuration Exports Upgrading the Panorama Software Register VM-Series Firewall as a Service on the NSX Manager Updating Information from the VMware Service Manager Appendix A Custom Pages Antivirus and Anti-spyware Block Page Application Block Page File Blocking Block Page SSL Decryption Opt-out Page Captive Portal Comfort Page SSL VPN Login Page SSL Certificate Revoked Notify Page URL Filtering and Category Match Block Page URL Filtering Continue and Override Page URL Filtering Safe Search Enforcement Block Page Appendix B Application Categories, Subcategories, Technologies, and Characteristics 437 Application Categories and Subcategories Application Technologies Application Characteristics Palo Alto Networks 9

10 Appendix C Common Criteria/Federal Information Processing Standards Support Enabling CC/FIPS Mode CC/FIPS Security Functions Appendix D Open Source Licenses Artistic License BSD GNU General Public License GNU Lesser General Public License MIT/X OpenSSH PSF PHP Zlib Appendix E Firewall Access to External Web Resources Application Database Threat/Antivirus Database PAN-DB URL Filtering Database Brightcloud URL Filtering Database WildFire Index Palo Alto Networks

11 Chapter 1 Introduction This section provides an overview of the firewall: Firewall Overview Features and Benefits Management Interfaces Firewall Overview The Palo Alto Networks firewall allows you to specify security policies based on accurate identification of each application seeking access to your network. Unlike traditional firewalls that identify applications only by protocol and port number, the firewall uses packet inspection and a library of application signatures to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports. For example, you can define security policies for specific applications, rather than rely on a single policy for all port 80 connections. For each identified application, you can specify a security policy to block or allow traffic based on the source and destination zones and addresses (IPv4 and IPv6). Each security policy can also specify security profiles to protect against viruses, spyware, and other threats. Palo Alto Networks Introduction 11

12 Features and Benefits Features and Benefits The firewall provides granular control over the traffic allowed to access your network. The primary features and benefits include: Application-based policy enforcement Access control by application is far more effective when application identification is based on more than just protocol and port number. High risk applications can be blocked, as well as high risk behavior, such as filesharing. Traffic encrypted with the s Layer (SSL) protocol can be decrypted and inspected. User Identification (User-ID) User-ID allows administrators to configure and enforce firewall policies based on users and user groups, instead of or in addition to network zones and addresses. The firewall can communicate with many directory servers, such as Microsoft Active Directory, edirectory, SunOne, OpenLDAP, and most other LDAP based directory servers to provide user and group information to the firewall. This information can then be used to provide an invaluable method of providing secure application enablement that can be defined per user or group. For example, the administrator could allow one organization to use a web-based application, but no other organizations in the company would be able to use that application. You can also configure granular control of certain components of an application based on users and groups. See Configuring the Firewall for User Identification. Threat prevention Threat prevention services that protect the network from viruses, worms, spyware, and other malicious traffic can be varied by application and traffic source (see Security Profiles ). URL filtering Outbound connections can be filtered to prevent access to inappropriate web sites (see URL Filtering Profiles ). Traffic visibility Extensive reports, logs, and notification mechanisms provide detailed visibility into network application traffic and security events. The Application Command Center (ACC) in the web interface identifies the applications with the most traffic and the highest security risk (see Reports and Logs ). Networking versatility and speed The firewall can augment or replace your existing firewall, and can be installed transparently in any network or configured to support a switched or routed environment. Multi-gigabit speeds and a single-pass architecture provide all services with little or no impact on network latency. GlobalProtect GlobalProtect provides security for client systems, such as laptops, that are used in the field by allowing easy and secure login from anywhere in the world. Fail-safe operation High availability support provides automatic failover in the event of any hardware or software disruption (see Enabling HA on the Firewall ). Malware analysis and reporting WildFire provides detailed analysis and reporting on malware that traverses the firewall. VM-Series Firewall Provides a virtual instance of PAN-OS positioned for use in a virtualized data center environment and particularly well suited for private and public cloud deployments. Installs on any x86 device that is capable of running VMware ESXi, without the need to deploy Palo Alto Networks hardware. 12 Introduction Palo Alto Networks

13 Management Interfaces Management and Panorama Each firewall is managed through an intuitive web interface or a command-line interface (CLI), or all devices can be centrally managed through the Panorama centralized management system, which has a web interface very similar to the device web interface. Management Interfaces The firewall supports the following management interfaces. See Supported Browsers for a list of supported browsers. Web interface Configuration and monitoring over HTTP or HTTPS from a web browser. CLI Text-based configuration and monitoring over Telnet, Secure Shell (SSH), or the console port (see the PAN-OS Command Line Interface Reference Guide). Panorama Palo Alto Networks product that provides web-based management, reporting, and logging for multiple firewalls. The Panorama interface is similar to the device web interface, with additional management functions included. See Central Device Management Using Panorama for information on using Panorama. Simple Network Management Protocol (SNMP) Palo Alto Networks products support SNMPv2c and SNMPv3, read-only access over SNMP, and support for SNMP traps. See Configuring SNMP Trap Destinations ). Syslog Provides message generation for one or more remote syslog servers (see Configuring Syslog Servers ). XML API Provides a Representational State Transfer (REST)-based interface to access device configuration, operational status, reports, and packet captures from the firewall. There is an API browser available on the firewall at where <firewall> is the host name or IP address of the firewall. This link provides help on the parameters required for each type of API call. See the XML API Usage Guide for more information. Palo Alto Networks Introduction 13

14 Management Interfaces 14 Introduction Palo Alto Networks

15 Chapter 2 Getting Started This chapter describes how to set up and start using the firewall: Preparing the Firewall Setting Up the Firewall Using the Firewall Web Interface Getting Help Configuring the Firewall Preparing the Firewall Perform the following tasks to prepare the firewall for setup: 1. Mount the firewall in a rack and power it up as described in the Hardware Reference Guide for your platform. 2. Register your firewall at to obtain the latest software and App-ID updates, and to activate support or subscriptions with the authorization codes ed to you. 3. Obtain an IP address from your network administrator for configuring the management port on the firewall. Setting Up the Firewall To perform the initial firewall setup: 1. Connect your computer to the management port (MGT) on the firewall using an RJ-45 Ethernet cable. 2. Start your computer. Assign a static IP address to your computer on the network (for example, ) with a netmask of Launch a supported web browser and enter The browser automatically opens the Palo Alto Networks login page. Palo Alto Networks Getting Started 15

16 Setting Up the Firewall 4. Enter admin in both the Name and Password fields, and click Login. The system presents a warning that the default password should be changed. Click OK to continue. 5. On the Device tab, choose Setup and configure the following (for general instructions on configuring settings in the web interface, see Using the Firewall Web Interface ): On the Management tab under Management Interface Settings, enter the firewall s IP address, netmask, and default gateway. On the Services tab, enter the IP address of the Domain Name System (DNS) server. Enter the IP address or host and domain name of the Network Time Protocol (NTP) server and select your time zone. Click Support on the side menu. If this is the first Palo Alto Networks firewall for your company, click Register Device to register the firewall. (If you have already registered a firewall, you have received a user name and password.) Click the Activate support using authorization codes link and enter the authorization codes that have been ed to you for any optional features. Use a space to separate multiple authorization codes. 6. Click Administrators under the Devices tab. 7. Click admin. 8. In the New Password and Confirm New Password fields, enter and confirm a casesensitive password (up to 15 characters). 9. Click OK to submit the new password. 10. Commit the configuration to make these settings active. When the changes are committed, the firewall will be reachable through the IP address assigned in Step 5. For information on committing changes, see Committing Changes. The default configuration of the firewall when delivered from the factory, or after a factory reset is performed, is a virtual wire between Ethernet ports 1 and 2 with a default policy to deny all inbound traffic and allow all outbound traffic. 16 Getting Started Palo Alto Networks

17 Using the Firewall Web Interface Using the Firewall Web Interface The following conventions apply when using the firewall interface. To display the menu items for a general functional category, click the tab, such as Objects or Device, near the top of the browser window. Click an item on the side menu to display a panel. To display submenu items, click the icon to the left of an item. To hide submenu items, click the icon to the left of the item. On most configuration pages, you can click Add to create a new item. To delete one or more items, select their check boxes and click Delete. In most cases, the system prompts you to confirm by clicking OK or to cancel the deletion by clicking Cancel. On some configuration pages, you can select the check box for an item and click Clone to create a new item with the same information as the selected item. Palo Alto Networks Getting Started 17

18 Using the Firewall Web Interface To modify an item, click its underlined link. To view help information on a page, click the Help icon in upper right area of the page. To view the current list of tasks, click the Tasks icon in the lower right corner of the page. The Task Manager window opens to show the list of tasks, along with status, start times, associated messages, and actions. Use the Show drop-down list to filter the list of tasks. The web interface language is controlled by the current language of the computer that is managing the device if a specific language preference has not been defined. For example, if the computer you use to manage the firewall has a locale of Spanish, when you log in to the firewall, the web interface will be in Spanish. To specify a language that will always be used for a given account regardless of the locale of the computer, click the Language icon in the lower right corner of the page and the Language Preference window opens. Click the drop-down list to select the desired language and then click OK to save your change. On pages that list information you can modify (for example, the Setup page on the Devices tab), click the icon in the upper right corner of a section to edit the settings. 18 Getting Started Palo Alto Networks

19 Using the Firewall Web Interface After you configure settings, you must click OK or Save to store the changes. When you click OK, the current candidate configuration is updated. Committing Changes Click Commit at the top of the web interface to open the commit dialog box. The following options are available in the commit dialog box. Click the Advanced link, if needed, to display the options: Include Device and Network configuration Include the device and network configuration changes in the commit operation. Include Shared Object configuration (Multi-virtual system firewalls only) Include the shared object configuration changes in the commit operation. Include Policy and Objects (Non-multi-virtual system firewalls only) Include the policy and object configuration changes in the commit operation. Include virtual system configuration Include all virtual systems or choose Select one or more virtual systems. For more information about committing changes, see Defining Operations Settings. Preview Changes Click this button to bring up a two-pane window that shows proposed changes in the candidate configuration compared to the current running configuration. You can choose the number of lines of context to display, or show all lines. Changes are color coded based on items that have been added, modified, or Palo Alto Networks Getting Started 19

20 Using the Firewall Web Interface deleted. The Device > Config Audit feature performs the same function, see Comparing Configuration Files. Note: Configuration changes that span multiple configuration areas may require a full commit. For example, if you make certain changes in the Device tab and then click Commit and only select the Include Device and Network configuration option, some items will not commit. This includes certificates and User-ID options as well as Server Profiles used for User- ID, such as an LDAP server profile. This can also occur if you perform a partial commit after importing a configuration. To commit these types of changes, do a full commit and select both Include Device and Network configuration and Include Policy and Object configuration. Navigating to Configuration Pages Each configuration section in this guide shows the menu path to the configuration page. For example, to reach the Vulnerability Protection page, choose the Objects tab and then choose Vulnerability Protection under Security Profiles in the side menu. This is indicated in this guide by the following path: Objects > Security Profiles > Vulnerability Protection Using Tables on Configuration Pages The tables on configuration pages include sorting and column chooser options. Click a column header to sort on that column, and click again to change the sort order. Click the arrow to the right of any column and select check boxes to choose the columns to display. Required s Required fields are shown with a light yellow background. A message indicating that the field is required appears when you hover over or click in the field entry area. 20 Getting Started Palo Alto Networks

21 Using the Firewall Web Interface Locking Transactions The web interface provides support for multiple administrators by allowing an administrator to lock a current set of transactions, thereby preventing configuration changes or commit operations by another administrator until the lock is removed. The following types of locks are supported: Config lock Blocks other administrators from making changes to the configuration. This type of lock can be set globally or for a virtual system. It can be removed only by the administrator who set it or by a superuser on the system. Commit Lock Blocks other administrators from committing changes until all of the locks have been released. This type of lock prevents collisions that can occur when two administrators are making changes at the same time and the first administrator finishes and commits changes before the second administrator has finished. The lock is released when the current changes are committed by the administrator who applied the lock, or it can be released manually. Any administrator can open the lock window to view the current transactions that are locked, along with a timestamp for each. To lock a transaction, click the unlocked icon on the top bar to open the Locks dialog box. Click Take a Lock, select the scope of the lock from the drop-down list, and click OK. Add additional locks as needed, and then click Close to close the Lock dialog box. The transaction is locked, and the icon on the top bar changes to a locked icon that shows the number of locked items in parentheses. To unlock a transaction, click the locked icon on the top bar to open the Locks window. Click the icon for the lock that you want to remove, and click Yes to confirm. Click Close to close the Lock dialog box. You can arrange to automatically acquire a commit lock by selecting the Automatically acquire commit lock check box in the Management area of the Device Setup page. See System Setup, Configuration, and License Management. Supported Browsers The following web browsers are supported for access to the firewall web interface: Internet Explorer 7+ Firefox 3.6+ Safari 5+ Chrome 11+ Palo Alto Networks Getting Started 21

22 Getting Help Configuring the Firewall Getting Help Configuring the Firewall Use the information in this section to obtain help on using the firewall. Obtaining More Information To obtain more information about the firewall, see the following: General information Go to Documentation For information on the additional capabilities and for instructions on configuring the features on the firewall, go to documentation. Online help Click Help in the upper-right corner of the web interface to access the online help system. Knowledge Base For access to the knowledge base, a collaborative area for customer and partner interaction, discussion forums, and videos, go to live.paloaltonetworks.com. Technical Support For technical support, for information on support programs, or to manage your account or devices, go to 22 Getting Started Palo Alto Networks

23 Chapter 3 Device Management Use the following sections for field reference on basic system configuration and maintenance tasks on the firewall: System Setup, Configuration, and License Management Defining VM Information Sources Installing the Software Updating Threat and Application Definitions Administrator Roles, Profiles, and Accounts Setting Up Authentication Profiles Setting Up an Authentication Sequence Creating a Certificate Profile Scheduling Log Exports Defining Logging Destinations Defining Alarm Log Settings Configuring Netflow Settings Using Certificates Encrypting Private Keys and Passwords on the Firewall Enabling HA on the Firewall Defining Virtual Systems Defining Custom Response Pages Viewing Support Information Palo Alto Networks Device Management 23

24 System Setup, Configuration, and License Management The following sections describe how to define network settings for management access, defining service routes and services, and how to manage configuration options such as global session timeouts, content identification, WildFire malware analysis and reporting: Defining Management Settings Defining Operations Settings Defining Hardware Security Modules SNMP Defining Services Settings Defining Content-ID Settings Configuring WildFire Settings Defining Session Settings Comparing Configuration Files Installing a License Defining Management Settings Device > Setup > Management Panorama > Setup > Management On a firewall, use the Device > Setup > Management tab to configure management settings. On Panorama, use the Device > Setup > Management tab to configure managed firewalls via Panorama templates. Use the Panorama > Setup > Management tab to configure settings for Panorama itself. For firewall management, optionally you can use the IP address of a loopback interface instead of the management port (see Configuring a Loopback Interface ). Table 1. Management Settings Item General Settings Hostname Enter a host name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. Domain Enter the Fully Qualified Domain Name (FQDN) of the firewall (up to 31 characters). Login Banner Time Zone Enter custom text that will be displayed on the firewall login page. The text is displayed below the Name and Password fields. Select the time zone of the firewall. 24 Device Management Palo Alto Networks

25 Table 1. Management Settings (Continued) Item Locale Time Serial Number (virtual machines only) Geo Location Automatically acquire commit lock Certificate Expiration Check Multi Virtual System Capability URL Filtering Database (Panorama only) Authentication Settings Authentication Profile Certificate Profile Idle Timeout # Failed Attempts Lockout Time Select a language for PDF reports from the drop-down list. See Managing PDF Summary Reports. If you have a specific language preference set for the web interface, PDF reports will still use the language specified in this locale setting. See language preference in Using the Firewall Web Interface. To set the date and time on the firewall, click Set Time. Enter the current date in (YYYY/MM/DD) or click the calendar icon to select a month and day. Enter the current time in 24-hour format (HH:MM:SS). You can also define an NTP server from Device > Setup > Services. Enter the serial number of the firewall/panorama. Find the serial number in the order fulfillment that was sent to you. Enter the latitude (-90.0 to 90.0) and longitude ( to 180.0) of the firewall. Automatically apply a commit lock when you change the candidate configuration. For more information, see Locking Transactions. Instruct the firewall to create warning messages when on-box certificates near their expiration dates. Enables the use of multiple virtual systems (if the firewall model supports that feature). For details, see Defining Virtual Systems. Select a URL filtering vendor to enable on Panorama: brightcloud or paloaltonetworks (PAN-DB). Select the authentication profile to use for administrator access to the firewall. For instructions on configuring authentication profiles, see Setting Up Authentication Profiles. Select the certificate profile to use for administrator access to the firewall. For instructions on configuring certificate profiles, see Creating a Certificate Profile. Enter the timeout interval in minutes (0-1440). A value of 0 means that the management, web, or CLI session does not time out. Enter the number of failed login attempts (0-10, default 0) that PAN-OS allows for the web interface and CLI before locking the account. A value of 0 specifies unlimited attempts. Enter the number of minutes (0-60) for which PAN-OS locks out a user upon reaching the # Failed Attempts limit. The default 0 specifies unlimited attempts. Palo Alto Networks Device Management 25

26 Table 1. Management Settings (Continued) Item Panorama Settings: Device > Setup > Management If you use Panorama to manage the firewall, configure the following settings on the firewall or in a template on Panorama. These settings establish a connection between the firewall and Panorama, and determine the connection timeouts. If you edit the settings on a firewall (not in a template on Panorama), you can also enable or disable the propagation of policies, objects, device groups, and template information from Panorama to the firewall. Note: You must also configure connection timeouts and object sharing settings on Panorama: see Panorama Settings: Panorama > Setup > Management. Panorama Servers Receive Timeout for Connection to Panorama Send Timeout for Connection to Panorama Retry Count for SSL Send to Panorama Disable/Enable Panorama Policy and Objects Enter the IP address of the Panorama server. If Panorama is in a high availability (HA) configuration, in the second Panorama Servers field, enter the IP address of the secondary Panorama server. Enter the timeout for receiving TCP messages from Panorama (1-240 seconds, default 240). Enter the timeout for sending TCP messages to Panorama (1-240 seconds, default 240). Enter the number of retries for attempts to send Secure Socket Layer (SSL) messages to Panorama (1-64, default 25). This button appears when you edit the Panorama Settings on a firewall (not in a template on Panorama). By default, Panorama propagates the policies and objects that are defined for a device group to the firewalls assigned to that group. Clicking Disable Panorama Policy and Objects disables that propagation. By default, this operation also removes those policies and objects from the firewall. To keep a local copy of the device group policies and objects on the firewall before disabling propagation, in the dialog box that the button opens, select the Import Panorama Policy and Objects before disabling check box. Then, when you click OK, PAN-OS copies the policies and objects to the current candidate configuration. After you perform a commit, the policies and objects become part of the firewall configuration: Panorama no longer manages them. Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of the firewall. This option generally applies to situations where the firewall requires rules and object values that differ from those defined in the device group. An example situation is when you move a firewall out of production and into a laboratory environment for testing. To revert firewall policy and object management to Panorama, click Enable Panorama Policy and Objects. 26 Device Management Palo Alto Networks

27 Table 1. Management Settings (Continued) Item Disable/Enable Device and Network Template This button appears when you edit the Panorama Settings on a firewall (not in a template on Panorama). By default, Panorama propagates the device and network configurations defined for a template to the firewalls assigned to that template. Clicking Disable Device and Network Template disables that propagation. By default, this operation also removes the template information from the firewall. To keep a local copy of the template information on the firewall before disabling propagation, in the dialog box that the button opens, select the Import Device and Network Templates before disabling check box. Then, when you click OK, PAN-OS copies the information defined in the template to the current candidate configuration on the firewall. After you perform a commit, the template information becomes part of the firewall configuration: Panorama no longer manages that information. Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of the firewall. This option generally applies to situations where the firewall requires rules and object values that differ from those defined in the device group. An example situation is when you move a firewall out of production and into a laboratory environment for testing. To make the firewall resume accepting templates, click Enable Device and Network Templates. Panorama Settings: Panorama > Setup > Management If you use Panorama to manage firewalls, configure the following settings on Panorama. These settings determine timeouts and SSL message attempts for the connections between Panorama and managed firewalls, as well as object sharing parameters. Note: You must also configure Panorama connection settings on the firewall, or in a template on Panorama: see Panorama Settings: Device > Setup > Management. Receive Timeout for Connection to Device Send Timeout for Connection to Device Retry Count for SSL Send to Device Share Unused Address and Service Objects with Devices Shared Objects Take Precedence Enter the timeout for receiving TCP messages from all managed firewalls (1-240 seconds, default 240). Enter the timeout for sending TCP messages to all managed firewalls (1-240 seconds, default 240). Enter the number of retries for attempts to send Secure Socket Layer (SSL) messages to managed firewalls (1-64, default 25). Select this check box to share all Panorama shared objects and device group-specific objects with managed firewalls. This setting is enabled by default. If you clear the check box, PAN-OS checks Panorama policies for references to address, address group, service, and service group objects, and does not share any unreferenced objects. This option reduces the total object count by ensuring that PAN-OS sends only necessary objects to managed firewalls. Select the check box to specify that shared objects take precedence over device group objects. In this case, device group objects cannot override corresponding objects of the same name from a shared location; PAN-OS discards any device group object with the same name as a shared object. By default, this system-wide setting is disabled: device groups override corresponding shared objects of the same name. Palo Alto Networks Device Management 27