Web Interface Reference Guide Version 6.1

Web Interface Reference Guide Version 6.1

Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 http://www.paloaltonetworks.com/contact/contact/ About this Guide This guide describes the Palo Alto Networks next-generation firewall and Panorama web interfaces. It provides information on how to use the web interface and reference information about how to populate fields within the interface: For information on the additional capabilities and for instructions on configuring the features on the firewall and Panorama, see https://www.paloaltonetworks.com/documentation. For access to the knowledge base, complete documentation set, discussion forums, and videos, see https://live.paloaltonetworks.com. For contacting support, for information on the support programs, or to manage your account or devices, see https://support.paloaltonetworks.com For the latest release notes, go to the software downloads page at https://support.paloaltonetworks.com/updates/softwareupdates. To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com. Palo Alto Networks, Inc. www.paloaltonetworks.com 2007 2015 Palo Alto Networks. All rights reserved. Palo Alto Networks and PAN-OS are trademarks of Palo Alto Networks, Inc. Revision Date: April 27, 2015 2

April 27, 2015 - Palo Alto Networks COMPANY CONFIDENTIAL Table of Contents Chapter 1 Introduction................................................ 11 Firewall Overview............................................. 11 Features and Benefits.......................................... 12 Management Interfaces........................................ 13 Chapter 2 Getting Started............................................ 15 Preparing the Firewall......................................... 15 Setting Up the Firewall......................................... 15 Using the Firewall Web Interface................................. 17 Committing Changes................................................ 19 Navigating to Configuration Pages.................................... 20 Using Tables on Configuration Pages.................................. 20 Required s.................................................... 20 Locking Transactions................................................ 21 Supported Browsers................................................ 21 Getting Help Configuring the Firewall............................. 22 Obtaining More Information.......................................... 22 Technical Support.................................................. 22 Chapter 3 Device Management......................................... 23 System Setup, Configuration, and License Management.................... 24 Defining Management Settings....................................... 24 Defining Operations Settings......................................... 37 Defining Hardware Security Modules.................................. 41 SNMP........................................................... 43 Defining Services Settings............................................ 44 Defining Content-ID Settings.......................................... 48 Configuring WildFire Settings........................................ 50 Defining Session Settings............................................ 51 Session Settings................................................ 52 Session Timeouts................................................ 53 Decryption Settings: Certificate Revocation Checking................... 55 Decryption Settings: Forward Proxy Server Certificate Settings........... 56 Palo Alto Networks 3

Comparing Configuration Files....................................... 57 Installing a License................................................. 58 Defining VM Information Sources..................................... 59 Installing the Software.............................................. 63 Updating Threat and Application Definitions............................ 65 Administrator Roles, Profiles, and Accounts.............................. 67 Defining Administrator Roles...................................... 68 Defining Password Profiles.......................................... 69 Username and Password Requirements.............................. 71 Creating Administrative Accounts..................................... 71 Specifying Access Domains for Administrators........................... 73 Setting Up Authentication Profiles..................................... 74 Creating a Local User Database...................................... 76 Adding Local User Groups.......................................... 77 Configuring RADIUS Server Settings................................ 77 Configuring LDAP Server Settings..................................... 78 Configuring Kerberos Settings (Native Active Directory Authentication)........ 78 Setting Up an Authentication Sequence................................. 79 Scheduling Log Exports............................................. 80 Defining Logging Destinations........................................ 81 Defining Configuration Log Settings................................... 83 Defining System Log Settings......................................... 83 Defining HIP Match Log Settings...................................... 84 Defining Alarm Log Settings......................................... 84 Managing Log Settings............................................. 85 Configuring SNMP Trap Destinations.................................. 86 Configuring Syslog Servers.......................................... 88 Custom Syslog s................................... 89 Configuring Email Notification Settings................................. 96 Configuring Netflow Settings......................................... 97 Using Certificates.................................................. 97 Managing Device Certificates..................................... 98 Managing the Default Trusted Certificate Authorities.................. 102 Creating a Certificate Profile....................................... 102 Adding an OCSP Responder........................................ 104 Encrypting Private Keys and Passwords on the Firewall................... 105 Enabling HA on the Firewall........................................ 107 Defining Virtual Systems........................................... 116 Configuring Shared Gateways...................................... 118 Defining Custom Response Pages.................................... 120 Viewing Support Information........................................ 121 Chapter 4 Network Settings........................................... 123 Defining Virtual Wires............................................. 123 Configuring a Firewall Interface..................................... 124 Configuring an Ethernet Interface................................. 124 Configuring an Ethernet Subinterface.............................. 132 Configuring a Virtual Wire Interface.............................. 138 Configuring a Virtual Wire Subinterface........................... 139 Configuring a Tap Interface..................................... 139 Configuring a Log Card Interface................................. 140 4 Palo Alto Networks

Configuring a Decrypt Mirror Interface............................ 141 Configuring Aggregate Interface Groups.......................... 141 Configuring an Aggregate Ethernet Interface....................... 144 Configuring an HA Interface.................................... 145 Configuring a VLAN Interface................................... 146 Configuring a Loopback Interface................................ 150 Configuring a Tunnel Interface................................... 151 Configuring a Virtual Router........................................ 153 Configuring the General tab.................................... 153 Configuring the Static Routes tab................................. 154 Configuring the Redistribution Profiles Tab......................... 155 Configuring the RIP Tab........................................ 156 Configuring the OSPF Tab...................................... 158 Configuring the OSPFv3 Tab.................................... 163 Configuring the BGP Tab....................................... 168 Configuring the Multicast Tab.................................... 176 Defining Security Zones........................................ 179 More Runtime Stats for a Virtual Router............................ 181 VLAN Support................................................... 187 DHCP Server and Relay........................................... 188 DNS Proxy..................................................... 190 Defining Interface Management Profiles.............................. 191 Defining Monitor Profiles.......................................... 192 Defining Zone Protection Profiles.................................... 193 Configuring Flood Protection.................................... 194 Configuring Reconnaissance Protection............................ 195 Configuring Packet Based Attack Protection........................ 196 Chapter 5 Policies and Security Profiles................................. 201 Policy Types.................................................... 201 Guidelines on Defining Policies...................................... 202 Specifying Users and Applications for Policies....................... 204 Defining Policies on Panorama...................................... 205 Defining Security Policies.......................................... 206 General Tab................................................. 207 Source Tab.................................................. 208 User Tab.................................................... 208 Destination Tab............................................... 210 Application Tab.............................................. 210 Service/URL Category Tab..................................... 211 Actions Tab.................................................. 212 NAT Policies.................................................... 214 Determining Zone Configuration in NAT and Security Policy............ 216 NAT Rule Options............................................. 216 NAT Policy Examples.......................................... 217 NAT64..................................................... 217 NAT64 Examples............................................. 218 219 Defining Network Address Translation Policies......................... 222 General Tab................................................. 222 Palo Alto Networks 5

Original Packet Tab........................................... 223 Translated Packet Tab.......................................... 223 Policy-Based Forwarding Policies.................................... 225 General Tab................................................. 225 Source Tab................................................... 226 Destination/Application/Service Tab.............................. 227 Forwarding Tab............................................... 227 Decryption Policies................................................ 228 General Tab................................................. 229 Source Tab................................................... 229 Destination Tab............................................... 230 URL Category Tab............................................. 231 Options Tab.................................................. 231 Defining Application Override Policies................................ 231 General Tab................................................. 232 Source Tab................................................... 232 Destination Tab............................................... 233 Protocol/Application Tab....................................... 233 Defining Captive Portal Policies..................................... 233 General Tab................................................. 234 Source Tab................................................... 235 Destination Tab............................................... 235 Service/URL Category Tab...................................... 235 Action Tab................................................... 236 Defining DoS Policies.............................................. 236 General Tab................................................. 236 Source Tab................................................... 238 Destination Tab............................................... 239 Options/Protection Tab......................................... 239 Security Profiles............................................. 240 Antivirus Profiles.................................................. 241 Antivirus Profile Page.......................................... 242 Antivirus Tab................................................. 242 Exceptions Tab................................................ 243 Anti-spyware Profiles............................................. 243 Vulnerability Protection Profiles..................................... 246 URL Filtering Profiles.............................................. 249 File Blocking Profiles.............................................. 254 Data Filtering Profiles............................................. 259 DoS Profiles..................................................... 261 Other Policy Objects.......................................... 263 Defining Address Objects....................................... 264 Defining Address Groups.......................................... 265 Defining Regions.............................................. 267 Applications and Application Groups................................. 269 Defining Applications........................................... 273 Defining Application Groups..................................... 276 Application Filters................................................ 276 Services........................................................ 277 Service Groups.................................................. 279 Working with Tags............................................... 279 Data Patterns.................................................... 280 Dynamic Block Lists................................................ 282 6 Palo Alto Networks

Custom Spyware and Vulnerability Signatures.......................... 284 Defining Data Patterns.......................................... 285 Defining Spyware and Vulnerability Signatures...................... 285 Custom URL Categories......................................... 288 Security Profile Groups............................................ 290 Log Forwarding.................................................. 291 Decryption Profiles................................................ 293 Schedules....................................................... 295 Chapter 6 Reports and Logs.......................................... 297 Using the Dashboard......................................... 298 Using the Application Command Center........................... 299 Using App Scope............................................ 303 Summary Report............................................... 304 Change Monitor Report......................................... 305 Threat Monitor Report.......................................... 306 Threat Map Report............................................. 308 Network Monitor Report......................................... 309 Traffic Map Report............................................ 311 Viewing the Logs............................................. 312 Viewing Session Information...................................... 316 Working with Botnet Reports................................... 316 Configuring the Botnet Report.................................... 316 Managing Botnet Reports........................................ 318 Managing PDF Summary Reports................................ 319 Managing User/Group Activity Reports........................... 321 Managing Report Groups...................................... 322 Scheduling Reports for Email Delivery............................ 323 Viewing Reports............................................. 323 Generating Custom Reports.................................... 324 Taking Packet Captures....................................... 325 Chapter 7 Configuring the Firewall for User Identification.............................................. 329 Configuring the Firewall for User Identification.......................... 329 User Mapping Tab............................................. 330 User-ID Agents Tab............................................ 335 Terminal Services Agents Tab.................................... 336 Group Mapping Tab........................................... 337 Captive Portal Settings Tab...................................... 339 Chapter 8 Configuring IPSec Tunnels.................................... 343 Defining IKE Gateways............................................ 343 Palo Alto Networks 7

IKE Gateway General Tab...................................... 344 IKE Gateway Advanced Phase 1 Options Tab....................... 344 Setting Up IPSec Tunnels........................................... 345 IPSec Tunnel General Tab....................................... 345 IPSec Tunnel Proxy ID Tab....................................... 347 Viewing IPSec Tunnel Status on the Firewall......................... 348 Defining IKE Crypto Profiles........................................ 348 Defining IPSec Crypto Profiles....................................... 349 Chapter 9 GlobalProtect Settings....................................... 351 Setting Up the GlobalProtect Portal.................................. 351 Portal Configuration Tab........................................ 351 Client Configuration Tab........................................ 353 Satellite Configuration Tab...................................... 359 Setting Up the GlobalProtect Gateways.............................. 361 General Tab................................................. 361 Client Configuration Tab........................................ 362 Satellite Configuration Tab...................................... 365 Setting Up Gateway Access to a Mobile Security Manager............... 367 Creating HIP Objects.............................................. 369 General Tab................................................. 369 Mobile Device Tab............................................ 370 Patch Management Tab........................................ 372 Firewall Tab.................................................. 372 Antivirus Tab................................................. 373 Anti-Spyware Tab............................................. 374 Disk Backup Tab.............................................. 374 Disk Encryption Tab............................................ 375 Data Loss Prevention Tab....................................... 375 Custom Checks Tab............................................ 376 Setting Up HIP Profiles............................................ 377 Setting Up and Activating the GlobalProtect Agent...................... 378 Setting Up the GlobalProtect Agent.................................. 380 Using the GlobalProtect Agent................................... 380 Chapter 10 Configuring Quality of Service................................ 381 Configuring QoS for Firewall Interfaces............................... 381 Defining QoS Profiles......................................... 383 Defining QoS Policies......................................... 384 Displaying QoS Statistics...................................... 387 Chapter 11 Central Device Management Using Panorama................................................. 389 Panorama Tab................................................... 391 Switching Device Context........................................... 393 8 Palo Alto Networks

Setting Up Storage Partitions........................................ 394 Configuring High Availability (HA).................................... 394 Adding Devices................................................... 396 Backing Up Firewall Configurations................................... 398 Defining Device Groups............................................ 399 Shared Objects and Policies..................................... 400 Applying Policy to a Specific Device in a Device Group................ 401 Defining Panorama Administrator Roles................................ 402 Creating Panorama Administrative Accounts............................ 403 Specifying Panorama Access Domains for Administrators.................. 405 Committing your Changes in Panorama........................... 405 Templates.................................................. 407 Overriding Template Settings.................................... 408 Deleting Templates............................................. 409 Logging and Reporting........................................ 409 Enable Log Forwarding........................................ 410 Managing Log Collectors...................................... 413 Adding a Log Collector............................................ 413 Installing a Software Update on a Collector............................ 417 Defining Log Collector Groups.................................. 418 Generating User Activity Reports................................ 420 Viewing Firewall Deployment Information......................... 421 Scheduling Dynamic Updates................................... 422 Scheduling Configuration Exports................................ 422 Upgrading the Panorama Software.............................. 424 Register VM-Series Firewall as a Service on the NSX Manager........ 425 Updating Information from the VMware Service Manager.............. 427 Appendix A Custom Pages............................................. 429 Antivirus and Anti-spyware Block Page................................ 429 Application Block Page............................................ 431 File Blocking Block Page............................................ 431 SSL Decryption Opt-out Page....................................... 432 Captive Portal Comfort Page....................................... 432 SSL VPN Login Page.............................................. 432 SSL Certificate Revoked Notify Page................................. 434 URL Filtering and Category Match Block Page.......................... 434 URL Filtering Continue and Override Page............................. 435 URL Filtering Safe Search Enforcement Block Page....................... 436 Appendix B Application Categories, Subcategories, Technologies, and Characteristics 437 Application Categories and Subcategories........................ 437 Application Technologies...................................... 439 Application Characteristics..................................... 439 Palo Alto Networks 9

Appendix C Common Criteria/Federal Information Processing Standards Support.. 441 Enabling CC/FIPS Mode........................................... 441 CC/FIPS Security Functions......................................... 442 Appendix D Open Source Licenses....................................... 443 Artistic License............................................... 444 BSD....................................................... 445 GNU General Public License.................................... 446 GNU Lesser General Public License.............................. 450 MIT/X11................................................... 456 OpenSSH................................................... 456 PSF....................................................... 460 PHP....................................................... 460 Zlib....................................................... 461 Appendix E Firewall Access to External Web Resources....................... 463 Application Database......................................... 464 Threat/Antivirus Database..................................... 464 PAN-DB URL Filtering Database................................. 464 Brightcloud URL Filtering Database.............................. 464 WildFire................................................... 464 Index.................................................... 467 10 Palo Alto Networks

Chapter 1 Introduction This section provides an overview of the firewall: Firewall Overview Features and Benefits Management Interfaces Firewall Overview The Palo Alto Networks firewall allows you to specify security policies based on accurate identification of each application seeking access to your network. Unlike traditional firewalls that identify applications only by protocol and port number, the firewall uses packet inspection and a library of application signatures to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports. For example, you can define security policies for specific applications, rather than rely on a single policy for all port 80 connections. For each identified application, you can specify a security policy to block or allow traffic based on the source and destination zones and addresses (IPv4 and IPv6). Each security policy can also specify security profiles to protect against viruses, spyware, and other threats. Palo Alto Networks Introduction 11

Features and Benefits Features and Benefits The firewall provides granular control over the traffic allowed to access your network. The primary features and benefits include: Application-based policy enforcement Access control by application is far more effective when application identification is based on more than just protocol and port number. High risk applications can be blocked, as well as high risk behavior, such as filesharing. Traffic encrypted with the s Layer (SSL) protocol can be decrypted and inspected. User Identification (User-ID) User-ID allows administrators to configure and enforce firewall policies based on users and user groups, instead of or in addition to network zones and addresses. The firewall can communicate with many directory servers, such as Microsoft Active Directory, edirectory, SunOne, OpenLDAP, and most other LDAP based directory servers to provide user and group information to the firewall. This information can then be used to provide an invaluable method of providing secure application enablement that can be defined per user or group. For example, the administrator could allow one organization to use a web-based application, but no other organizations in the company would be able to use that application. You can also configure granular control of certain components of an application based on users and groups. See Configuring the Firewall for User Identification. Threat prevention Threat prevention services that protect the network from viruses, worms, spyware, and other malicious traffic can be varied by application and traffic source (see Security Profiles ). URL filtering Outbound connections can be filtered to prevent access to inappropriate web sites (see URL Filtering Profiles ). Traffic visibility Extensive reports, logs, and notification mechanisms provide detailed visibility into network application traffic and security events. The Application Command Center (ACC) in the web interface identifies the applications with the most traffic and the highest security risk (see Reports and Logs ). Networking versatility and speed The firewall can augment or replace your existing firewall, and can be installed transparently in any network or configured to support a switched or routed environment. Multi-gigabit speeds and a single-pass architecture provide all services with little or no impact on network latency. GlobalProtect GlobalProtect provides security for client systems, such as laptops, that are used in the field by allowing easy and secure login from anywhere in the world. Fail-safe operation High availability support provides automatic failover in the event of any hardware or software disruption (see Enabling HA on the Firewall ). Malware analysis and reporting WildFire provides detailed analysis and reporting on malware that traverses the firewall. VM-Series Firewall Provides a virtual instance of PAN-OS positioned for use in a virtualized data center environment and particularly well suited for private and public cloud deployments. Installs on any x86 device that is capable of running VMware ESXi, without the need to deploy Palo Alto Networks hardware. 12 Introduction Palo Alto Networks

Management Interfaces Management and Panorama Each firewall is managed through an intuitive web interface or a command-line interface (CLI), or all devices can be centrally managed through the Panorama centralized management system, which has a web interface very similar to the device web interface. Management Interfaces The firewall supports the following management interfaces. See Supported Browsers for a list of supported browsers. Web interface Configuration and monitoring over HTTP or HTTPS from a web browser. CLI Text-based configuration and monitoring over Telnet, Secure Shell (SSH), or the console port (see the PAN-OS Command Line Interface Reference Guide). Panorama Palo Alto Networks product that provides web-based management, reporting, and logging for multiple firewalls. The Panorama interface is similar to the device web interface, with additional management functions included. See Central Device Management Using Panorama for information on using Panorama. Simple Network Management Protocol (SNMP) Palo Alto Networks products support SNMPv2c and SNMPv3, read-only access over SNMP, and support for SNMP traps. See Configuring SNMP Trap Destinations ). Syslog Provides message generation for one or more remote syslog servers (see Configuring Syslog Servers ). XML API Provides a Representational State Transfer (REST)-based interface to access device configuration, operational status, reports, and packet captures from the firewall. There is an API browser available on the firewall at https://<firewall>/api, where <firewall> is the host name or IP address of the firewall. This link provides help on the parameters required for each type of API call. See the XML API Usage Guide for more information. Palo Alto Networks Introduction 13

Management Interfaces 14 Introduction Palo Alto Networks

Chapter 2 Getting Started This chapter describes how to set up and start using the firewall: Preparing the Firewall Setting Up the Firewall Using the Firewall Web Interface Getting Help Configuring the Firewall Preparing the Firewall Perform the following tasks to prepare the firewall for setup: 1. Mount the firewall in a rack and power it up as described in the Hardware Reference Guide for your platform. 2. Register your firewall at https://support.paloaltonetworks.com to obtain the latest software and App-ID updates, and to activate support or subscriptions with the authorization codes emailed to you. 3. Obtain an IP address from your network administrator for configuring the management port on the firewall. Setting Up the Firewall To perform the initial firewall setup: 1. Connect your computer to the management port (MGT) on the firewall using an RJ-45 Ethernet cable. 2. Start your computer. Assign a static IP address to your computer on the 192.168.1.0 network (for example, 192.168.1.5) with a netmask of 255.255.255.0. 3. Launch a supported web browser and enter https://192.168.1.1. The browser automatically opens the Palo Alto Networks login page. Palo Alto Networks Getting Started 15

Setting Up the Firewall 4. Enter admin in both the Name and Password fields, and click Login. The system presents a warning that the default password should be changed. Click OK to continue. 5. On the Device tab, choose Setup and configure the following (for general instructions on configuring settings in the web interface, see Using the Firewall Web Interface ): On the Management tab under Management Interface Settings, enter the firewall s IP address, netmask, and default gateway. On the Services tab, enter the IP address of the Domain Name System (DNS) server. Enter the IP address or host and domain name of the Network Time Protocol (NTP) server and select your time zone. Click Support on the side menu. If this is the first Palo Alto Networks firewall for your company, click Register Device to register the firewall. (If you have already registered a firewall, you have received a user name and password.) Click the Activate support using authorization codes link and enter the authorization codes that have been emailed to you for any optional features. Use a space to separate multiple authorization codes. 6. Click Administrators under the Devices tab. 7. Click admin. 8. In the New Password and Confirm New Password fields, enter and confirm a casesensitive password (up to 15 characters). 9. Click OK to submit the new password. 10. Commit the configuration to make these settings active. When the changes are committed, the firewall will be reachable through the IP address assigned in Step 5. For information on committing changes, see Committing Changes. The default configuration of the firewall when delivered from the factory, or after a factory reset is performed, is a virtual wire between Ethernet ports 1 and 2 with a default policy to deny all inbound traffic and allow all outbound traffic. 16 Getting Started Palo Alto Networks

Using the Firewall Web Interface Using the Firewall Web Interface The following conventions apply when using the firewall interface. To display the menu items for a general functional category, click the tab, such as Objects or Device, near the top of the browser window. Click an item on the side menu to display a panel. To display submenu items, click the icon to the left of an item. To hide submenu items, click the icon to the left of the item. On most configuration pages, you can click Add to create a new item. To delete one or more items, select their check boxes and click Delete. In most cases, the system prompts you to confirm by clicking OK or to cancel the deletion by clicking Cancel. On some configuration pages, you can select the check box for an item and click Clone to create a new item with the same information as the selected item. Palo Alto Networks Getting Started 17

Using the Firewall Web Interface To modify an item, click its underlined link. To view help information on a page, click the Help icon in upper right area of the page. To view the current list of tasks, click the Tasks icon in the lower right corner of the page. The Task Manager window opens to show the list of tasks, along with status, start times, associated messages, and actions. Use the Show drop-down list to filter the list of tasks. The web interface language is controlled by the current language of the computer that is managing the device if a specific language preference has not been defined. For example, if the computer you use to manage the firewall has a locale of Spanish, when you log in to the firewall, the web interface will be in Spanish. To specify a language that will always be used for a given account regardless of the locale of the computer, click the Language icon in the lower right corner of the page and the Language Preference window opens. Click the drop-down list to select the desired language and then click OK to save your change. On pages that list information you can modify (for example, the Setup page on the Devices tab), click the icon in the upper right corner of a section to edit the settings. 18 Getting Started Palo Alto Networks

Using the Firewall Web Interface After you configure settings, you must click OK or Save to store the changes. When you click OK, the current candidate configuration is updated. Committing Changes Click Commit at the top of the web interface to open the commit dialog box. The following options are available in the commit dialog box. Click the Advanced link, if needed, to display the options: Include Device and Network configuration Include the device and network configuration changes in the commit operation. Include Shared Object configuration (Multi-virtual system firewalls only) Include the shared object configuration changes in the commit operation. Include Policy and Objects (Non-multi-virtual system firewalls only) Include the policy and object configuration changes in the commit operation. Include virtual system configuration Include all virtual systems or choose Select one or more virtual systems. For more information about committing changes, see Defining Operations Settings. Preview Changes Click this button to bring up a two-pane window that shows proposed changes in the candidate configuration compared to the current running configuration. You can choose the number of lines of context to display, or show all lines. Changes are color coded based on items that have been added, modified, or Palo Alto Networks Getting Started 19

Using the Firewall Web Interface deleted. The Device > Config Audit feature performs the same function, see Comparing Configuration Files. Note: Configuration changes that span multiple configuration areas may require a full commit. For example, if you make certain changes in the Device tab and then click Commit and only select the Include Device and Network configuration option, some items will not commit. This includes certificates and User-ID options as well as Server Profiles used for User- ID, such as an LDAP server profile. This can also occur if you perform a partial commit after importing a configuration. To commit these types of changes, do a full commit and select both Include Device and Network configuration and Include Policy and Object configuration. Navigating to Configuration Pages Each configuration section in this guide shows the menu path to the configuration page. For example, to reach the Vulnerability Protection page, choose the Objects tab and then choose Vulnerability Protection under Security Profiles in the side menu. This is indicated in this guide by the following path: Objects > Security Profiles > Vulnerability Protection Using Tables on Configuration Pages The tables on configuration pages include sorting and column chooser options. Click a column header to sort on that column, and click again to change the sort order. Click the arrow to the right of any column and select check boxes to choose the columns to display. Required s Required fields are shown with a light yellow background. A message indicating that the field is required appears when you hover over or click in the field entry area. 20 Getting Started Palo Alto Networks

Using the Firewall Web Interface Locking Transactions The web interface provides support for multiple administrators by allowing an administrator to lock a current set of transactions, thereby preventing configuration changes or commit operations by another administrator until the lock is removed. The following types of locks are supported: Config lock Blocks other administrators from making changes to the configuration. This type of lock can be set globally or for a virtual system. It can be removed only by the administrator who set it or by a superuser on the system. Commit Lock Blocks other administrators from committing changes until all of the locks have been released. This type of lock prevents collisions that can occur when two administrators are making changes at the same time and the first administrator finishes and commits changes before the second administrator has finished. The lock is released when the current changes are committed by the administrator who applied the lock, or it can be released manually. Any administrator can open the lock window to view the current transactions that are locked, along with a timestamp for each. To lock a transaction, click the unlocked icon on the top bar to open the Locks dialog box. Click Take a Lock, select the scope of the lock from the drop-down list, and click OK. Add additional locks as needed, and then click Close to close the Lock dialog box. The transaction is locked, and the icon on the top bar changes to a locked icon that shows the number of locked items in parentheses. To unlock a transaction, click the locked icon on the top bar to open the Locks window. Click the icon for the lock that you want to remove, and click Yes to confirm. Click Close to close the Lock dialog box. You can arrange to automatically acquire a commit lock by selecting the Automatically acquire commit lock check box in the Management area of the Device Setup page. See System Setup, Configuration, and License Management. Supported Browsers The following web browsers are supported for access to the firewall web interface: Internet Explorer 7+ Firefox 3.6+ Safari 5+ Chrome 11+ Palo Alto Networks Getting Started 21

Getting Help Configuring the Firewall Getting Help Configuring the Firewall Use the information in this section to obtain help on using the firewall. Obtaining More Information To obtain more information about the firewall, see the following: General information Go to http://www.paloaltonetworks.com. Documentation For information on the additional capabilities and for instructions on configuring the features on the firewall, go to https://www.paloaltonetworks.com/ documentation. Online help Click Help in the upper-right corner of the web interface to access the online help system. Knowledge Base For access to the knowledge base, a collaborative area for customer and partner interaction, discussion forums, and videos, go to https:// live.paloaltonetworks.com. Technical Support For technical support, for information on support programs, or to manage your account or devices, go to https://support.paloaltonetworks.com. 22 Getting Started Palo Alto Networks

Chapter 3 Device Management Use the following sections for field reference on basic system configuration and maintenance tasks on the firewall: System Setup, Configuration, and License Management Defining VM Information Sources Installing the Software Updating Threat and Application Definitions Administrator Roles, Profiles, and Accounts Setting Up Authentication Profiles Setting Up an Authentication Sequence Creating a Certificate Profile Scheduling Log Exports Defining Logging Destinations Defining Alarm Log Settings Configuring Netflow Settings Using Certificates Encrypting Private Keys and Passwords on the Firewall Enabling HA on the Firewall Defining Virtual Systems Defining Custom Response Pages Viewing Support Information Palo Alto Networks Device Management 23

System Setup, Configuration, and License Management The following sections describe how to define network settings for management access, defining service routes and services, and how to manage configuration options such as global session timeouts, content identification, WildFire malware analysis and reporting: Defining Management Settings Defining Operations Settings Defining Hardware Security Modules SNMP Defining Services Settings Defining Content-ID Settings Configuring WildFire Settings Defining Session Settings Comparing Configuration Files Installing a License Defining Management Settings Device > Setup > Management Panorama > Setup > Management On a firewall, use the Device > Setup > Management tab to configure management settings. On Panorama, use the Device > Setup > Management tab to configure managed firewalls via Panorama templates. Use the Panorama > Setup > Management tab to configure settings for Panorama itself. For firewall management, optionally you can use the IP address of a loopback interface instead of the management port (see Configuring a Loopback Interface ). Table 1. Management Settings Item General Settings Hostname Enter a host name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. Domain Enter the Fully Qualified Domain Name (FQDN) of the firewall (up to 31 characters). Login Banner Time Zone Enter custom text that will be displayed on the firewall login page. The text is displayed below the Name and Password fields. Select the time zone of the firewall. 24 Device Management Palo Alto Networks

Table 1. Management Settings (Continued) Item Locale Time Serial Number (virtual machines only) Geo Location Automatically acquire commit lock Certificate Expiration Check Multi Virtual System Capability URL Filtering Database (Panorama only) Authentication Settings Authentication Profile Certificate Profile Idle Timeout # Failed Attempts Lockout Time Select a language for PDF reports from the drop-down list. See Managing PDF Summary Reports. If you have a specific language preference set for the web interface, PDF reports will still use the language specified in this locale setting. See language preference in Using the Firewall Web Interface. To set the date and time on the firewall, click Set Time. Enter the current date in (YYYY/MM/DD) or click the calendar icon to select a month and day. Enter the current time in 24-hour format (HH:MM:SS). You can also define an NTP server from Device > Setup > Services. Enter the serial number of the firewall/panorama. Find the serial number in the order fulfillment email that was sent to you. Enter the latitude (-90.0 to 90.0) and longitude (-180.0 to 180.0) of the firewall. Automatically apply a commit lock when you change the candidate configuration. For more information, see Locking Transactions. Instruct the firewall to create warning messages when on-box certificates near their expiration dates. Enables the use of multiple virtual systems (if the firewall model supports that feature). For details, see Defining Virtual Systems. Select a URL filtering vendor to enable on Panorama: brightcloud or paloaltonetworks (PAN-DB). Select the authentication profile to use for administrator access to the firewall. For instructions on configuring authentication profiles, see Setting Up Authentication Profiles. Select the certificate profile to use for administrator access to the firewall. For instructions on configuring certificate profiles, see Creating a Certificate Profile. Enter the timeout interval in minutes (0-1440). A value of 0 means that the management, web, or CLI session does not time out. Enter the number of failed login attempts (0-10, default 0) that PAN-OS allows for the web interface and CLI before locking the account. A value of 0 specifies unlimited attempts. Enter the number of minutes (0-60) for which PAN-OS locks out a user upon reaching the # Failed Attempts limit. The default 0 specifies unlimited attempts. Palo Alto Networks Device Management 25

Table 1. Management Settings (Continued) Item Panorama Settings: Device > Setup > Management If you use Panorama to manage the firewall, configure the following settings on the firewall or in a template on Panorama. These settings establish a connection between the firewall and Panorama, and determine the connection timeouts. If you edit the settings on a firewall (not in a template on Panorama), you can also enable or disable the propagation of policies, objects, device groups, and template information from Panorama to the firewall. Note: You must also configure connection timeouts and object sharing settings on Panorama: see Panorama Settings: Panorama > Setup > Management. Panorama Servers Receive Timeout for Connection to Panorama Send Timeout for Connection to Panorama Retry Count for SSL Send to Panorama Disable/Enable Panorama Policy and Objects Enter the IP address of the Panorama server. If Panorama is in a high availability (HA) configuration, in the second Panorama Servers field, enter the IP address of the secondary Panorama server. Enter the timeout for receiving TCP messages from Panorama (1-240 seconds, default 240). Enter the timeout for sending TCP messages to Panorama (1-240 seconds, default 240). Enter the number of retries for attempts to send Secure Socket Layer (SSL) messages to Panorama (1-64, default 25). This button appears when you edit the Panorama Settings on a firewall (not in a template on Panorama). By default, Panorama propagates the policies and objects that are defined for a device group to the firewalls assigned to that group. Clicking Disable Panorama Policy and Objects disables that propagation. By default, this operation also removes those policies and objects from the firewall. To keep a local copy of the device group policies and objects on the firewall before disabling propagation, in the dialog box that the button opens, select the Import Panorama Policy and Objects before disabling check box. Then, when you click OK, PAN-OS copies the policies and objects to the current candidate configuration. After you perform a commit, the policies and objects become part of the firewall configuration: Panorama no longer manages them. Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of the firewall. This option generally applies to situations where the firewall requires rules and object values that differ from those defined in the device group. An example situation is when you move a firewall out of production and into a laboratory environment for testing. To revert firewall policy and object management to Panorama, click Enable Panorama Policy and Objects. 26 Device Management Palo Alto Networks

Table 1. Management Settings (Continued) Item Disable/Enable Device and Network Template This button appears when you edit the Panorama Settings on a firewall (not in a template on Panorama). By default, Panorama propagates the device and network configurations defined for a template to the firewalls assigned to that template. Clicking Disable Device and Network Template disables that propagation. By default, this operation also removes the template information from the firewall. To keep a local copy of the template information on the firewall before disabling propagation, in the dialog box that the button opens, select the Import Device and Network Templates before disabling check box. Then, when you click OK, PAN-OS copies the information defined in the template to the current candidate configuration on the firewall. After you perform a commit, the template information becomes part of the firewall configuration: Panorama no longer manages that information. Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of the firewall. This option generally applies to situations where the firewall requires rules and object values that differ from those defined in the device group. An example situation is when you move a firewall out of production and into a laboratory environment for testing. To make the firewall resume accepting templates, click Enable Device and Network Templates. Panorama Settings: Panorama > Setup > Management If you use Panorama to manage firewalls, configure the following settings on Panorama. These settings determine timeouts and SSL message attempts for the connections between Panorama and managed firewalls, as well as object sharing parameters. Note: You must also configure Panorama connection settings on the firewall, or in a template on Panorama: see Panorama Settings: Device > Setup > Management. Receive Timeout for Connection to Device Send Timeout for Connection to Device Retry Count for SSL Send to Device Share Unused Address and Service Objects with Devices Shared Objects Take Precedence Enter the timeout for receiving TCP messages from all managed firewalls (1-240 seconds, default 240). Enter the timeout for sending TCP messages to all managed firewalls (1-240 seconds, default 240). Enter the number of retries for attempts to send Secure Socket Layer (SSL) messages to managed firewalls (1-64, default 25). Select this check box to share all Panorama shared objects and device group-specific objects with managed firewalls. This setting is enabled by default. If you clear the check box, PAN-OS checks Panorama policies for references to address, address group, service, and service group objects, and does not share any unreferenced objects. This option reduces the total object count by ensuring that PAN-OS sends only necessary objects to managed firewalls. Select the check box to specify that shared objects take precedence over device group objects. In this case, device group objects cannot override corresponding objects of the same name from a shared location; PAN-OS discards any device group object with the same name as a shared object. By default, this system-wide setting is disabled: device groups override corresponding shared objects of the same name. Palo Alto Networks Device Management 27