Palo Alto Networks Users Group. February 2014




Topics of Discussion
- Syslog configuration, integration and supported partners
- Panachrome
- App Scope
- Destination NAT
- WildFire decision making
- PAN-OS 6.0 brief (if version 6.0 is released)
- PA-7050
- Ignite Conference
- Open discussion/questions

Syslog - Log Format
There are 5 log types that PAN-OS can generate:
- Traffic
- Threat
- Host Information Profile (HIP match)
- Config
- System

Syslog - Sending Device Hostname
By default, the messages do not contain the device hostname. To include the hostname in the message, it must be enabled under Device > Setup > Management.


Syslog - Facility
The syslog facility is configured when setting the syslog destination. Multiple syslog settings can be configured and referenced by the various log forwarding functions if desired. The available facilities are: user, local0, local1, local2, local3, local4, local5, local6, and local7.


Syslog - Severity
The syslog severity is set based on the log type and its contents.

Syslog - Custom Event and Log Format
Palo Alto Networks provides an interface for completely customizing the log message format sent from Palo Alto Networks Next-Generation Firewalls. Custom message formats are configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format, where custom Key: Value attribute pairs can be added. Log customization simplifies integration with external log parsing systems. This feature can be leveraged to produce ArcSight Common Event Format (CEF) compliant log formatting; see https://live.paloaltonetworks.com/docs/doc-1770 for more information.
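The three syslog slides above (facility, severity, custom key/value format) fit together on the receiving side: the facility and severity become the numeric <PRI> that opens every syslog line, the hostname field only appears if the firewall was told to send it, and a custom key=value body is what a log parser turns into CEF. The following Python is an added example, not code from the presentation or from Palo Alto Networks. The key=value field names in the constructed sample message, the threat-severity-to-CEF-severity mapping and the CEF extension key mapping are this example's assumptions, not PAN-OS defaults; the facility numbers and the CEF escaping rules are the standard ones.

```python
import re

# Facilities a PAN-OS syslog server profile lets you choose (listed on the slide),
# with the numeric codes the syslog protocol assigns them (RFC 3164 / RFC 5424).
FACILITIES = {"user": 1, "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}

# Standard syslog severities; PAN-OS chooses one per log type and log content.
SEVERITIES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
              "warning": 4, "notice": 5, "informational": 6, "debug": 7}

# Assumed mapping from PAN-OS threat severity names onto the 0-10 CEF severity scale.
CEF_SEVERITY = {"critical": 10, "high": 8, "medium": 5, "low": 3, "informational": 1}

# Assumed mapping from this example's custom keys onto CEF extension keys.
CEF_KEYS = {"src": "src", "dst": "dst", "user": "suser", "app": "app"}

# Constructed message in a hypothetical custom "key=value" log format; the key names are
# this example's choice, not PAN-OS default field names.
SAMPLE = ('type=THREAT subtype=vulnerability src=10.1.1.5 dst=203.0.113.9 app=web-browsing '
          'severity=high user="corp\\jdoe" threat="Example Exploit Detected"')


def syslog_pri(facility, severity):
    """The <PRI> number that opens a syslog line is facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_kv(message):
    """Parse key=value pairs (double-quoted values may contain spaces) into a dict."""
    fields = {}
    for key, raw, quoted in re.findall(r'(\w+)=("([^"]*)"|\S+)', message):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def _cef_header(value):
    # CEF header fields escape the backslash and the pipe separator.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    # CEF extension values escape the backslash, the equals sign and newlines.
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(fields):
    """Render parsed fields as CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    header = ["CEF:0", "Palo Alto Networks", "PAN-OS", "6.0",
              fields.get("subtype", "unknown"),
              fields.get("threat", fields.get("type", "")),
              str(CEF_SEVERITY.get(fields.get("severity", "informational"), 1))]
    extension = " ".join(f"{CEF_KEYS[k]}={_cef_ext(fields[k])}" for k in CEF_KEYS if k in fields)
    return "|".join(_cef_header(h) for h in header) + "|" + extension


def syslog_line(facility, severity, timestamp, hostname, message):
    """BSD-style syslog line; the hostname field is only present if the firewall sends it."""
    return f"<{syslog_pri(facility, severity)}>{timestamp} {hostname} {message}"


if __name__ == "__main__":
    event = parse_kv(SAMPLE)
    print(syslog_line("local0", "informational", "Feb 14 10:00:00", "pa-fw-01", to_cef(event)))
```

Running the block prints a line beginning with <134>, which is local0 (16 * 8) plus informational (6); a collector that filters on facility relies on that number, so the facility chosen in the server profile should match what the collector expects. Quoting values that can contain spaces (user names, threat names) in the custom format is what keeps the parser unambiguous.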

Syslog - Integration partners

Syslog Config

Panachrome
Panachrome is an extension widget for Google Chrome. It brings some of the command-line functionality into a graphical interface.



Panachrome - Sessions

Panachrome - Resource Utilization

Panachrome - Global Counters

Panachrome Demo

App Scope
Under the Monitor tab there is a selection called App Scope. App Scope provides the following reports: Summary, Change Monitor, Threat Monitor, Threat Map, Network Monitor and Traffic Map.

App Scope - Reports
Change Monitor Report: The Change Monitor report displays changes over a specified time period. It displays the top applications that gained in use over the last hour as compared with the last 24-hour period. The top applications are determined by session count and sorted by percentage.
Threat Monitor Report: The Threat Monitor report displays a count of the top threats over the selected time period. For example, it shows the top 10 threat types for the past 6 hours.
Threat Map Report: The Threat Map report shows a geographical view of threats, including severity.

App Scope - Traffic Map and Network Monitor
Traffic Map Report: The Traffic Map report shows a geographical view of traffic flows according to sessions or flows.
Network Monitor Report: The Network Monitor report displays a breakdown of application usage over time.

Destination NAT
Destination NAT is used to provide external access to public servers on the private network. When configuring NAT on the firewall, it is important to note that a security policy must also be configured to allow the NAT traffic. Security policy is matched on the post-NAT zone and the pre-NAT IP address.

NAT rules must be configured using the zones associated with the pre-NAT IP addresses referenced in the policy. For example, if you are translating traffic that is incoming to an internal server (which Internet users reach via a public IP), the NAT policy must be configured with the zone in which the public IP address resides; in this case the source and destination zones are the same. As another example, when translating outgoing host traffic to a public IP address, the NAT policy must be configured with a source zone corresponding to the private IP addresses of those hosts. The pre-NAT zone is required because this match occurs before the packet has been modified by NAT.

Security policy differs from NAT policy in that post-NAT zones must be used to control traffic. NAT may change the source or destination IP addresses and can therefore change the outgoing interface and zone. When creating security policies with specific IP addresses, note that pre-NAT IP addresses are used in the policy match. Traffic subject to NAT must be explicitly permitted by the security policy when that traffic goes from one zone to another.
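The "post-NAT zone, pre-NAT address" rule is the part of destination NAT that most often produces a rule that silently never matches. The following Python is an added example, not code or configuration from the presentation or from Palo Alto Networks: it models a minimal firewall that derives zones from a constructed routing table (203.0.113.0/24 on untrust, 10.0.10.0/24 on dmz, 10.0.20.0/24 on trust, default route to untrust), evaluates a NAT rule on the untranslated packet, and then evaluates security rules the way the slide describes. The rule names, addresses and zone layout are assumptions made for the example.

```python
import ipaddress

# Constructed topology: the subnet reachable through each zone's interface. Addresses with
# no more specific route (the Internet) fall into the default-route zone, untrust.
ZONES = {
    "untrust": ipaddress.ip_network("203.0.113.0/24"),  # public addresses live here
    "dmz": ipaddress.ip_network("10.0.10.0/24"),
    "trust": ipaddress.ip_network("10.0.20.0/24"),
}
DEFAULT_ROUTE_ZONE = "untrust"


def zone_of(ip):
    """Zone the firewall would associate with this address based on its routing table."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return DEFAULT_ROUTE_ZONE


# NAT rules match on PRE-NAT zones and addresses. The public IP of the web server is routed
# out the untrust interface, so from-zone and to-zone are both untrust, as the slide says.
NAT_RULES = [
    {"name": "dnat-web", "from": "untrust", "to": "untrust", "dst": "203.0.113.10",
     "translated_dst": "10.0.10.5"},
]

# Security rules match on POST-NAT zones but PRE-NAT addresses: the destination zone is the
# DMZ (where the packet ends up), while the destination IP is still the public address.
SECURITY_RULES = [
    {"name": "allow-web-in", "from": "untrust", "to": "dmz", "dst": "203.0.113.10",
     "action": "allow"},
]

# Two common mistakes, kept separate so they can be evaluated on their own.
PITFALL_RULES = [
    # Uses the translated (post-NAT) address: never matches, the match uses pre-NAT IPs.
    {"name": "postnat-ip", "from": "untrust", "to": "dmz", "dst": "10.0.10.5", "action": "allow"},
    # Uses the pre-NAT zone as destination: never matches, the match uses post-NAT zones.
    {"name": "prenat-zone", "from": "untrust", "to": "untrust", "dst": "203.0.113.10",
     "action": "allow"},
]


def evaluate(src_ip, dst_ip, nat_rules=NAT_RULES, security_rules=SECURITY_RULES):
    """Walk a packet through NAT policy, then security policy, the way the slide describes."""
    pre_src_zone, pre_dst_zone = zone_of(src_ip), zone_of(dst_ip)

    nat_hit, post_dst_ip = None, dst_ip
    for rule in nat_rules:  # first match wins, evaluated on the untranslated packet
        if (rule["from"], rule["to"]) == (pre_src_zone, pre_dst_zone) and rule["dst"] in ("any", dst_ip):
            nat_hit, post_dst_ip = rule["name"], rule["translated_dst"]
            break
    post_dst_zone = zone_of(post_dst_ip)  # the zone the translated packet is routed to

    for rule in security_rules:  # zones are post-NAT, the destination IP is still pre-NAT
        if (rule["from"], rule["to"]) == (pre_src_zone, post_dst_zone) and rule["dst"] in ("any", dst_ip):
            return {"nat": nat_hit, "rule": rule["name"], "action": rule["action"],
                    "post_dst_zone": post_dst_zone, "post_dst_ip": post_dst_ip}
    return {"nat": nat_hit, "rule": None, "action": "deny",
            "post_dst_zone": post_dst_zone, "post_dst_ip": post_dst_ip}


if __name__ == "__main__":
    print(evaluate("198.51.100.7", "203.0.113.10"))
    print(evaluate("198.51.100.7", "203.0.113.10", security_rules=PITFALL_RULES))
```

The first call matches dnat-web and then allow-web-in. The second call shows the failure mode: both pitfall rules look plausible, but with only those rules configured the NAT translation still happens and the packet is then dropped by the implicit deny, which is the symptom to look for in the traffic log when a published server is unreachable.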



WildFire Decision Making - WildFire Overview
WildFire provides the ability to identify malicious files by directly executing them in a virtual environment and observing malicious behavior. This enables Palo Alto Networks to identify malware quickly and accurately, even if the malware has never been seen in the wild before. WildFire uses a customer's on-premises firewalls in conjunction with the Palo Alto Networks cloud-based analysis engine to protect in-line performance, while using the cloud to ensure the fastest protections for all enterprise locations.

Virtualized Sandbox: When the firewall encounters an unknown file (Portable Executable [PE] files initially), the file can be submitted to the WildFire virtualized sandbox. Submissions can be made manually or automatically based on policy. The sandbox provides virtual targets where Palo Alto Networks can directly observe more than 100 malicious behaviors that can reveal the presence of malware.

WildFire Decision Making
Automated Signature Generator: When a sample is identified as malware, it is passed on to a signature generator, which automatically generates a signature for the sample and tests it for accuracy. With WildFire in the cloud, signatures can be automatically regression tested against an extensive database of samples and then delivered to all Palo Alto Networks customers as part of the daily malware signature updates. Palo Alto Networks also generates signatures for the all-important command-and-control traffic, allowing staff to disrupt active attacks.

Deep Visibility: The WildFire solution makes extensive use of Palo Alto Networks App-ID technology by identifying file transfers within all applications, not just email attachments or browser-based file downloads. Additionally, on-device SSL decryption enables administrators to configure policies that detect file transfers through HTTPS-encrypted web applications and send them to WildFire for analysis.

WildFire Decision Making
Actionable Intelligence: In addition to protection, administrators have access to a wealth of actionable information about the detected malware through the WildFire portal (https://wildfire.paloaltonetworks.com/wildfire). A detailed behavioral report of the malware is produced, along with information on the user that was targeted, the application that delivered the malware, and all URLs involved in the delivery or phone-home of the malware.

WildFire Decision Making - Reference PDF Flow Diagram

PAN-OS 6.0 Review - Additional File Type Support
As part of the WildFire subscription, the following advanced file types are now supported: Microsoft Office (.doc, .xls, and .ppt); Portable Document Format (PDF); Java Applet (jar and class); and Android Application Package (APK). NOTE: The WF-500 does not support APK file analysis.

PAN-OS 6.0 Review - Expanded Sandbox Operating Systems
Microsoft Windows 7 32-bit has been added to the WildFire environment. When a file is analyzed by WildFire, it is run in both Windows XP and Windows 7. On a WF-500 WildFire appliance, you need to select an image that contains Windows XP or Windows 7 as well as a combination of other applications, such as different versions of Adobe Reader and MS Office.

PAN-OS 6.0 Review - WildFire Analysis Report
The WildFire analysis report is now integrated with the logging features of the firewall and no longer requires a WildFire subscription. In addition, several new enhancements have been made to the report, including the ability to:
- Export the full report to a PDF.
- Download the file sample that was analyzed.
- View all processes or filter by an individual process.
- View the analysis results for each virtual machine environment in which the file was analyzed.
- Re-submit the file sample to Palo Alto Networks for re-evaluation if you think the file verdict (benign/malware) is incorrect.

PAN-OS 6.0 Review - WildFire Logs on the Firewall
When a firewall is configured with a file blocking profile and security policy to forward files to WildFire for analysis, a WildFire subscription is no longer required to receive WildFire logs on the firewall.

PAN-OS 6.0 Review - WildFire Reporting
The WildFire detailed report is now integrated into the firewall, showing session details and the WildFire detailed report that was previously hosted on the WildFire cloud or WildFire appliance. In addition, Panorama no longer requires that all managed firewalls forward files to the same WildFire system, as long as Panorama and the managed firewalls are running 6.0 or later.

PAN-OS 6.0 Review - DNS Sinkholing
DNS Sinkholing enables the firewall to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define. This feature can be used to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (for example, when the firewall is north of the local DNS server). This feature can also be used to redirect malicious traffic to a honeypot or any other target host.

PAN-OS 6.0 Review - URL Filtering Safe Search Enforcement
This feature prevents users who are searching the Internet using one of the top three search providers (Google, Bing, or Yahoo) from viewing the search results unless the strictest safe search option is set in their browsers for these search engines. If the strictest safe search option is not set in the browser, users see a block page instructing them on how to set the option for the given search provider.
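The DNS sinkholing slide above makes a point worth seeing in data: when the firewall sits north of the internal resolver, the DNS query it sees for the malicious name comes from the resolver, not from the infected client, so the query alone cannot name the host. What can is the follow-up connection to the sinkhole address. The following Python is an added example, not code from the presentation or from Palo Alto Networks; it runs over a few constructed, deliberately simplified log lines (time,type,src,dst,dport,app, which is not the PAN-OS log field layout) and assumes 192.0.2.254 is the address configured as the sinkhole target and 10.0.20.2 is the internal resolver.

```python
import csv
import io
from collections import Counter

SINKHOLE_IP = "192.0.2.254"   # assumption: the address configured as the sinkhole target
LOCAL_RESOLVER = "10.0.20.2"  # assumption: the internal DNS server south of the firewall

# Constructed, simplified log lines (not the PAN-OS field layout): time,type,src,dst,dport,app.
# The THREAT line is the sinkholed DNS query as the firewall sees it: sourced by the resolver.
# The TRAFFIC lines are the clients that then tried to reach the sinkhole address.
SAMPLE_LOGS = """\
2014/02/14 09:00:01,THREAT,10.0.20.2,198.51.100.53,53,dns
2014/02/14 09:00:01,TRAFFIC,10.0.20.15,192.0.2.254,80,web-browsing
2014/02/14 09:00:03,TRAFFIC,10.0.20.15,192.0.2.254,443,ssl
2014/02/14 09:00:09,TRAFFIC,10.0.20.40,192.0.2.254,80,web-browsing
2014/02/14 09:00:12,TRAFFIC,10.0.20.41,203.0.113.9,443,ssl
"""

FIELDS = ["time", "type", "src", "dst", "dport", "app"]


def parse_logs(text):
    """Turn the constructed CSV lines into a list of dicts keyed by FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def dns_query_sources(records):
    """Sources of the DNS queries the firewall saw: with the firewall north of the resolver,
    this only ever yields the resolver itself, which is why the query alone is not enough."""
    return sorted({r["src"] for r in records if r["type"] == "THREAT" and r["app"] == "dns"})


def infected_hosts(records, sinkhole_ip=SINKHOLE_IP):
    """Hosts that connected to the sinkhole address, with a count of attempts per host.
    A client only reaches that address after resolving a sinkholed name, so the source IPs
    here are the infected hosts to investigate."""
    hits = Counter(r["src"] for r in records if r["type"] == "TRAFFIC" and r["dst"] == sinkhole_ip)
    return dict(hits)


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    print("DNS query seen from:", dns_query_sources(records))  # just the resolver
    print("Hosts that hit the sinkhole:", infected_hosts(records))
```

Choosing an address for the sinkhole that is routed through the firewall but serves nothing (a reserved or otherwise unused address) is what makes the second function work: every connection attempt to it is logged as a session, and a security rule that denies and logs traffic to that address gives a single place to alert on.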

PAN-OS 6.0 Review - User-ID Integration with Syslog
The Syslog Listener listens for syslog messages from non-standard user authentication services (proxies, NAC, wireless controllers) so that the User-ID Windows agent or the agentless user mapping feature on the firewall can extract the authentication events from the log. Syslog filters that you define allow User-ID to parse the messages, extract the IP addresses and usernames of users who successfully authenticated to the external service, and add the information to the IP-address-to-username mappings it maintains.
- The Syslog Listener natively supports BlueCoat Proxy, Citrix Access Gateway, Aerohive AP, Cisco ASA, Juniper SA Net Connect, and the Juniper Infranet Controller.
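A User-ID syslog filter has three parts: a test that the message is a successful authentication event, a pattern that captures the username, and a pattern that captures the client IP. The following Python is an added example, not code from the presentation or from Palo Alto Networks, of what such filters do to a handful of constructed messages. The message formats for the hypothetical "proxy01" and "vpn01" devices are invented for the example and are not the vendor formats the built-in filters cover; the point it shows is that a failed login and an unrelated keepalive from the same device must not produce a mapping.

```python
import re

# Constructed syslog messages as a proxy and an SSL VPN might emit them. Formats are invented
# for this example (not BlueCoat, Cisco ASA or Juniper formats).
SAMPLE_MESSAGES = [
    "Feb 14 09:12:01 proxy01 auth: user=acme\\alice status=success client_ip=10.0.20.15",
    "Feb 14 09:12:05 proxy01 auth: user=acme\\mallory status=failure client_ip=10.0.20.16",
    "Feb 14 09:13:40 vpn01 sslvpn: Login succeeded for bob@acme.example from 10.0.20.40",
    "Feb 14 09:13:41 vpn01 sslvpn: keepalive from 10.0.20.40",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# One filter per log source: an event test (successful logins only) plus capture patterns.
SYSLOG_FILTERS = [
    {"name": "proxy-login",
     "event": re.compile(r"auth: .*status=success"),
     "user": re.compile(r"user=(\S+)"),
     "ip": re.compile(r"client_ip=" + IPV4)},
    {"name": "vpn-login",
     "event": re.compile(r"Login succeeded"),
     "user": re.compile(r"Login succeeded for (\S+) from"),
     "ip": re.compile(r" from " + IPV4)},
]


def extract_mappings(messages, filters=SYSLOG_FILTERS):
    """Build {client_ip: username} from messages a filter recognises as a successful login.

    A later login from the same address replaces the earlier one, which is the behaviour
    wanted for shared or DHCP addresses; messages no filter claims are ignored."""
    mappings = {}
    for msg in messages:
        for flt in filters:
            if not flt["event"].search(msg):
                continue
            user, ip = flt["user"].search(msg), flt["ip"].search(msg)
            if user and ip:  # only map when both pieces were actually captured
                mappings[ip.group(1)] = user.group(1)
            break  # first filter that claims the message wins
    return mappings


if __name__ == "__main__":
    for ip, user in extract_mappings(SAMPLE_MESSAGES).items():
        print(f"{ip} -> {user}")
```

The event test is deliberately separate from the capture patterns: a filter that only captured "user=" and "client_ip=" would also map the failed login for mallory, and a mapping built from failed attempts lets anyone who knows a username put that identity on their own address in policy.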

PAN-OS 6.0 Review - Increased User-ID Active Users Limit
The User-ID active user limit has been increased on the high-end firewall platforms, based on the memory capacity of the individual platforms. The following table summarizes the User-ID active user limits on all Palo Alto Networks next-generation firewall platforms:

Firewall Platform                                                     User-ID Active User Limit
PA-5060                                                               256,000
PA-5050 and PA-5020                                                   128,000
PA-4000 Series, PA-3000 Series, PA-2000 Series, PA-500, and PA-200    64,000

PAN-OS 6.0 Review - Decryption Port Mirror
Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality. Note: Decryption port mirroring is available on the PA-5000 Series and PA-3000 Series platforms only.

PAN-OS 6.0 Review - Increased Jumbo Frame Size
The maximum transmission unit (MTU) size has been increased to provide compatibility with equipment from other vendors. The default MTU size for all Layer 3 interfaces (the Global MTU) is 9192 bytes, but it can be configured to any value in the range of 512-9216 bytes.

PAN-OS 6.0 Review - Consolidation of Timers Used in a High Availability (HA) Setup
To reduce the complexity of configuring the HA timers used to detect a firewall failure and trigger a failover, three profiles have been added:
- Recommended profile: typical failover timer settings
- Aggressive profile: faster failover timer settings
- Advanced profile: lets you customize the timer values to suit your network requirements
The profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a more rapid HA deployment.

PAN-OS 6.0 Review - VM-Series on Citrix SDX
The VM-Series firewall is now supported on the Citrix SDX hardware platform running Citrix XenServer. Deploying the VM-Series firewall (one or more instances) on the SDX server provides the ability to consolidate the NetScaler VPX and the VM-Series firewall on the same physical platform. This addresses consolidated application delivery controller and security needs for multi-tenant cloud deployments (business units, application owners, service providers) or Citrix XenApp/XenDesktop deployments. Supported Citrix platforms are the 11500 or 17500 Series running Citrix XenServer version 6.0.2 or later.

PAN-OS 6.0 Review - VM-Series for VMware NSX
NOTE: The VM-Series for VMware NSX will be available in late Q1 CY2014. The Palo Alto Networks and VMware joint solution addresses the challenges of applying network security to software-defined networks. With this new offering, customers will be able to safely enable intra-server virtual machine communications. NSX, VMware's networking and security platform, automates the process of deploying and provisioning the VM-Series firewall as a service (also called a Security Virtual Machine) on ESXi servers. VM-to-VM traffic is automatically steered to the VM-Series without requiring any manual virtual network configuration. VM context is also shared between NSX and Panorama to keep track of virtual machine provisioning and changes.


PAN-OS 6.0 Review - Commit Improvement
The commit operation in PAN-OS and Panorama has been enhanced to allow configuration edits during a commit. For example, if two administrators are logged in to the same firewall and the first administrator performs a commit, the second administrator can make updates to the configuration during the commit. This enhancement does not, however, allow multiple administrators to commit simultaneously.

PAN-OS 6.0 Review - CLI Find Command
The new CLI find command helps you find a command when you don't know where to start looking in the hierarchy. The command, which is available in all CLI modes, has two forms. You can use find command alone to display the entire command hierarchy in the current command mode, or you can use find command with the keyword argument to locate all commands that contain the specified keyword.

PAN-OS 6.0 Review - Support for Syslog over TCP and SSL
PAN-OS and Panorama now support using TCP or SSL (the default is UDP) for reliable and secure transport of logs to an external syslog server. SSLv3 and TLSv1 are supported, and the default SSL port is 6514. To separate individual syslog messages in a TCP stream, the available delimiter formats are LF - Line Feed (BSD format, the default) and Message Length (IETF format).

PAN-OS 6.0 Review - Support for Color-Coded Tags
Tags allow you to group objects using keywords/phrases and color (optional) to visually distinguish objects. You can apply tags to address objects, address groups (static and dynamic), zones, services, service groups, and policy rules.

PAN-OS 6.0 Review - Enhancement in the Syslog Header
You can now choose the format of the hostname field in the syslog header. The syslog header can display one of the following: FQDN (hostname and domain name), hostname, the IPv4 address, or the IPv6 address of the sending device.
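The two TCP delimiter formats named on the syslog-over-TCP slide above are the two framings from RFC 6587: LF-terminated lines (the BSD style) and octet counting (the IETF style, where each message is prefixed by its decimal byte length and a space). The following Python is an added example, not code from the presentation or from Palo Alto Networks; it frames messages both ways and parses a byte stream back, keeping any partial trailing message as a remainder for the next read. The message contents are constructed for the example.

```python
def frame_lf(message):
    """BSD-style framing: one message per line, terminated by a line feed."""
    return message + b"\n"


def frame_octet_count(message):
    """IETF-style framing (RFC 6587 octet counting): decimal length, a space, the message."""
    return b"%d %s" % (len(message), message)


def split_lf(buffer):
    """Return (complete messages, unconsumed remainder) from an LF-delimited stream.

    Anything after the last LF is an incomplete message and is handed back as remainder."""
    parts = buffer.split(b"\n")
    return parts[:-1], parts[-1]


def split_octet_counted(buffer):
    """Return (complete messages, unconsumed remainder) from an octet-counted stream.

    A frame whose declared length extends past the buffer is left untouched in the
    remainder so the caller can append the next chunk from the socket and retry."""
    messages, pos = [], 0
    while True:
        space = buffer.find(b" ", pos)
        if space == -1:
            break  # length field not complete yet
        length_field = buffer[pos:space]
        if not length_field.isdigit():
            raise ValueError("malformed octet-count frame at offset %d" % pos)
        start = space + 1
        end = start + int(length_field)
        if end > len(buffer):
            break  # message body not complete yet
        messages.append(buffer[start:end])
        pos = end
    return messages, buffer[pos:]


# Constructed messages; the second one carries an embedded newline on purpose.
MSG_ONE = b"<134>Feb 14 10:00:00 pa-fw-01 1,2014/02/14 10:00:00,TRAFFIC,end"
MSG_TWO = b"<134>Feb 14 10:00:01 pa-fw-01 1,2014/02/14 10:00:01,THREAT,multi\nline"


def demo():
    """Parse the same two messages under each framing and return the message counts."""
    lf_stream = frame_lf(MSG_ONE) + frame_lf(MSG_TWO)
    oc_stream = frame_octet_count(MSG_ONE) + frame_octet_count(MSG_TWO)
    lf_msgs, _ = split_lf(lf_stream)
    oc_msgs, _ = split_octet_counted(oc_stream)
    return len(lf_msgs), len(oc_msgs)


if __name__ == "__main__":
    print("LF framing yields %d messages, octet counting yields %d" % demo())
```

The demo returns (3, 2): with LF framing the embedded newline splits the second message into two records, one of which is a fragment with no header, while octet counting delivers both messages intact. That is the practical reason to prefer the Message Length option when the log content can contain newlines, and the collector must be configured for the same framing the firewall sends.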

PAN-OS 6.0 Review - Scheduling Dynamic Updates from Panorama
Dynamic updates for Applications and Threats, WildFire, Antivirus, and URL Database can now be scheduled. The frequency of the updates, and the option to only download or to download and install updates to all managed devices and managed collectors using Panorama, is configurable.

PAN-OS 6.0 Review - Log Forwarding from Panorama
Panorama now allows forwarding of aggregated logs, email notifications, and SNMP traps to external servers. Forwarding logs from Panorama reduces the load on the firewalls and provides a reliable and streamlined approach to combining and forwarding logs, SNMP traps and email notifications to external destinations.

PAN-OS 6.0 Review - Support for PAN-DB and BrightCloud Databases
In deployments where both PAN-DB and BrightCloud databases are used concurrently for URL filtering, Panorama provides the capability to create shared policies and push the policies to devices running different databases. When a mismatch occurs between the URL database vendor configured on Panorama and the one configured on the device, the device now maps and auto-migrates URL categories and URL profiles so that the policies are relevant for the database enabled on the device.

Palo Alto PA-7050
The PA-7050 chassis-based platform can scale to a 120 Gbps firewall. Video of product presentation.

Ignite 2014 in Vegas
- Palo Alto Networks yearly conference, March 31 - April 1, The Cosmopolitan
- Great breakout sessions
- Tech support breakout room
- Excellent real-world presentations

Questions?