Alto MS Series User Manual

Palo Alto Networks®PAN-OS® Getting Started GuidePAN-OS 6.0

6 Getting Started GuideSet Up Management Access to the Firewall Integrate the Firewall into Your Management NetworkStep 4 Configure the interface. 1

96 Getting Started GuideConfigure an Active/Passive Pair Set Up High AvailabilityConfigure an Active/Passive PairThe following procedure shows how t

Getting Started Guide 97Set Up High Availability Configure an Active/Passive Pair Step 4 Set up the control link connection.This example shows an in-

98 Getting Started GuideConfigure an Active/Passive Pair Set Up High AvailabilityStep 7 Set up the data link connection (HA2) and the backup HA2 con

Getting Started Guide 99Set Up High Availability Configure an Active/Passive Pair Step 9 Set the device priority and enable preemption.This setting i

100 Getting Started GuideConfigure an Active/Passive Pair Set Up High AvailabilityStep 12 Enable HA. 1. Select Device > High Availability > Ge

Getting Started Guide 101Set Up High Availability Configure an Active/Passive Pair On the passive device: The state of the local device should displa

102 Getting Started GuideDefine the Failover Conditions Set Up High AvailabilityDefine the Failover ConditionsConfigure the Failover Triggers Step 1

Getting Started Guide 103Set Up High Availability Verify Failover Verify Failover To test that your HA configuration works properly trigger a manual

104 Getting Started GuideVerify Failover Set Up High Availability

Getting Started Guide 7Integrate the Firewall into Your Management Network Set Up Management Access to the Firewall Step 5 Because the firewall uses

8 Getting Started GuideSet Up Management Access to the Firewall Integrate the Firewall into Your Management NetworkStep 6 Configure an external-faci

Getting Started Guide 9Integrate the Firewall into Your Management Network Activate Firewall Services Activate Firewall ServicesBefore you can begin

10 Getting Started GuideActivate Firewall Services Integrate the Firewall into Your Management Network Threat Prevention—Provides antivirus, anti-s

Getting Started Guide 11Integrate the Firewall into Your Management Network Activate Firewall Services Manage Content UpdatesIn order to stay ahead o

12 Getting Started GuideActivate Firewall Services Integrate the Firewall into Your Management NetworkStep 2 Check for the latest updates.Click Chec

Getting Started Guide 13Integrate the Firewall into Your Management Network Activate Firewall Services Install Software UpdatesWhen installing a new

14 Getting Started GuideActivate Firewall Services Integrate the Firewall into Your Management NetworkStep 3 Download the update.Note If your firewa

Getting Started Guide 15Integrate the Firewall into Your Management Network Add Firewall Administrators Add Firewall AdministratorsBy default, every

iiContact InformationCorporate Headquarters:Palo Alto Networks4401 Great America ParkwaySanta Clara, CA 95054-1211http://www.paloaltonetworks.com/cont

16 Getting Started GuideAdd Firewall Administrators Integrate the Firewall into Your Management Network Local administrator account with SSL-based

Getting Started Guide 17Integrate the Firewall into Your Management Network Add Firewall Administrators Create a Local AdministratorStep 1 If you pla

18 Getting Started GuideAdd Firewall Administrators Integrate the Firewall into Your Management NetworkStep 2 (Optional) Set requirements for local

Getting Started Guide 19Integrate the Firewall into Your Management Network Monitor the Firewall Monitor the FirewallAnother thing to consider during

20 Getting Started GuideMonitor the Firewall Integrate the Firewall into Your Management NetworkView Local Log DataAll Palo Alto Networks next-gener

Getting Started Guide 21Integrate the Firewall into Your Management Network Monitor the Firewall Display Log Data on the DashboardYou can also monito

22 Getting Started GuideMonitor the Firewall Integrate the Firewall into Your Management NetworkForward Logs to External ServicesDepending on the ty

Getting Started Guide 23Integrate the Firewall into Your Management Network Monitor the Firewall Set Up Email AlertsSet Up SNMP Trap DestinationsSimp

24 Getting Started GuideMonitor the Firewall Integrate the Firewall into Your Management NetworkYou can also use SNMP to monitor the firewall. In th

Getting Started Guide 25Integrate the Firewall into Your Management Network Monitor the Firewall Define Syslog ServersSyslog is a standard log transp

Getting Started Guide iiiTable of ContentsIntegrate the Firewall into Your Management Network . . . . . . . . . . . . . . . . . .1Set Up Management A

26 Getting Started GuideMonitor the Firewall Integrate the Firewall into Your Management NetworkThere are five log types that PAN-OS can export to a

Getting Started Guide 27Integrate the Firewall into Your Management Network Monitor the Firewall Forward Logs to PanoramaBefore you can forward log f

28 Getting Started GuideMonitor the Firewall Integrate the Firewall into Your Management Network Config Logs—Enable forwarding of Config logs by sp

Getting Started Guide 29Integrate the Firewall into Your Management Network Monitor the Firewall Monitor the Firewall Using SNMPAll Palo Alto Network

30 Getting Started GuideMonitor the Firewall Integrate the Firewall into Your Management NetworkStep 3 Enable the SNMP manager to interpret firewall

Getting Started Guide 31Create the Security PerimeterThe following topics provide basic steps for configuring the firewall interfaces, defining zones,

32 Getting Started GuideSecurity Perimeter Overview Create the Security PerimeterSecurity Perimeter OverviewTraffic must pass through the firewall i

Getting Started Guide 33Create the Security Perimeter Security Perimeter Overview Virtual Wire DeploymentsIn a virtual wire deployment, the firewall

34 Getting Started GuideSecurity Perimeter Overview Create the Security PerimeterAbout Network Address Translation (NAT)When you use private IP addr

Getting Started Guide 35Create the Security Perimeter Security Perimeter Overview Field Description Required FieldsNameA label that supports up to 31

iv Getting Started Guide Table of ContentsProtect Your Network Against Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Enable Wi

36 Getting Started GuideSecurity Perimeter Overview Create the Security PerimeterURL CategoryUsing the URL Category as match criteria allows you to

Getting Started Guide 37Create the Security Perimeter Security Perimeter Overview Policy Best PracticesThe task of safely enabling Internet access an

38 Getting Started GuideSecurity Perimeter Overview Create the Security PerimeterSome examples of address and application policy objects are shown i

Getting Started Guide 39Create the Security Perimeter Security Perimeter Overview for information on using the default profiles in your security poli

40 Getting Started GuideSet Up Interfaces and Zones Create the Security PerimeterSet Up Interfaces and ZonesThe following sections provide informati

Getting Started Guide 41Create the Security Perimeter Set Up Interfaces and Zones Configure Interfaces and ZonesAfter you plan your zones and the cor

42 Getting Started GuideSet Up Interfaces and Zones Create the Security PerimeterStep 3 Configure the interface that connects to your internal netwo

Getting Started Guide 43Create the Security Perimeter Configure NAT Policies Configure NAT PoliciesBased on the example topology we used to create th

44 Getting Started GuideConfigure NAT Policies Create the Security PerimeterTranslate Internal Client IP Addresses to your Public IP AddressWhen a c

Getting Started Guide 45Create the Security Perimeter Configure NAT Policies Enable Clients on the Internal Network to Access your Public ServersWhen

Getting Started Guide 1Integrate the Firewall into Your Management NetworkThe following topics describe how to perform the initial configuration steps

46 Getting Started GuideConfigure NAT Policies Create the Security PerimeterEnable Bi-Directional Address Translation for your Public-Facing Servers

Getting Started Guide 47Create the Security Perimeter Configure NAT Policies Step 2 Create the NAT policy. 1. Select Policies > NAT and click Add

48 Getting Started GuideSet Up Basic Security Policies Create the Security PerimeterSet Up Basic Security PoliciesPolicies allow you to enforce rule

Getting Started Guide 49Create the Security Perimeter Set Up Basic Security Policies Define Basic Security Rules Step 1 Permit Internet access for al

50 Getting Started GuideSet Up Basic Security Policies Create the Security PerimeterStep 3 Restrict access from the Internet to the servers on the D

Getting Started Guide 51Create the Security Perimeter Set Up Basic Security Policies Test Your Security PoliciesTo verify that you have set up your b

52 Getting Started GuideSet Up Basic Security Policies Create the Security PerimeterMonitor the Traffic on Your NetworkNow that you have a basic sec

Getting Started Guide 53Create the Security Perimeter Set Up Basic Security Policies  In the ACC, review the most used applications and the high-ris

54 Getting Started GuideSet Up Basic Security Policies Create the Security Perimeter

Getting Started Guide 55Protect Your Network Against ThreatsThe Palo Alto Networks next-generation firewall has unique threat prevention capabilities

2 Getting Started GuideSet Up Management Access to the Firewall Integrate the Firewall into Your Management NetworkSet Up Management Access to the F

56 Getting Started GuideEnable WildFire Protect Your Network Against ThreatsEnable WildFireThe WildFire service is included as part of the base prod

Getting Started Guide 57Protect Your Network Against Threats Enable WildFire For more information on WildFire, refer to the Palo Alto Networks WildFi

58 Getting Started GuideScan Traffic for Threats Protect Your Network Against ThreatsScan Traffic for ThreatsSecurity profiles provide threat protec

Getting Started Guide 59Protect Your Network Against Threats Scan Traffic for Threats Step 3 Schedule signature updates.Best Practice for Updates:Per

60 Getting Started GuideScan Traffic for Threats Protect Your Network Against ThreatsSet Up File BlockingFile blocking profiles allow you to identif

Getting Started Guide 61Protect Your Network Against Threats Scan Traffic for Threats Step 2 Configure the file blocking options. 1. Click Add to def

62 Getting Started GuideScan Traffic for Threats Protect Your Network Against ThreatsStep 5 To test the file blocking configuration, access a client

Getting Started Guide 63Protect Your Network Against Threats Control Access to Web Content Control Access to Web ContentURL filtering provides visibi

64 Getting Started GuideControl Access to Web Content Protect Your Network Against ThreatsStep 4 Define how to control access to web content. If you

Getting Started Guide 65Protect Your Network Against Threats Control Access to Web Content For More InformationFor more details on URL filtering, ref

Getting Started Guide 3Integrate the Firewall into Your Management Network Set Up Management Access to the Firewall Set Up Network Access to the Fire

66 Getting Started GuideControl Access to Web Content Protect Your Network Against Threats

Getting Started Guide 67Configure User IdentificationUser Identification (User-ID) is a Palo Alto Networks next-generation firewall feature that allow

68 Getting Started GuideUser Identification Overview Configure User IdentificationUser Identification OverviewUser-ID seamlessly integrates Palo Alt

Getting Started Guide 69Configure User Identification User Identification Overview About User MappingHaving the names of the users and groups is only

70 Getting Started GuideUser Identification Overview Configure User IdentificationPortal policy requires user authentication, either transparently v

Getting Started Guide 71Configure User Identification Enable User Identification Enable User IdentificationTo enable policy enforcement based on user

72 Getting Started GuideEnable User Identification Configure User IdentificationMap Users to GroupsStep 1 Create an LDAP Server Profile that specifi

Getting Started Guide 73Configure User Identification Enable User Identification Map IP Addresses to UsersThe tasks you need to perform to map IP add

74 Getting Started GuideEnable User Identification Configure User IdentificationConfigure User MappingIn most cases, the majority of your network us

Getting Started Guide 75Configure User Identification Enable User Identification Step 2 Define the servers the firewall should monitor to collect IP

4 Getting Started GuideSet Up Management Access to the Firewall Integrate the Firewall into Your Management NetworkStep 6 Configure DNS, time and da

76 Getting Started GuideEnable User Identification Configure User IdentificationMap IP Addresses to User Names Using Captive PortalIf the firewall r

Getting Started Guide 77Configure User Identification Enable User Identification Captive Portal ModesThe Captive Portal mode defines how web requests

78 Getting Started GuideEnable User Identification Configure User IdentificationConfigure Captive PortalThe following procedure shows how to configu

Getting Started Guide 79Configure User Identification Enable User Identification Step 4 (Redirect mode only) To transparently redirect users without

80 Getting Started GuideEnable User Identification Configure User IdentificationStep 6 (Optional) Set up client certificate authentication. Note tha

Getting Started Guide 81Configure User Identification Enable User Identification Step 8 Configure the Captive Portal settings. 1. Select Device >

82 Getting Started GuideEnable User- and Group-Based Policy Configure User IdentificationEnable User- and Group-Based PolicyIn order to enable secur

Getting Started Guide 83Configure User Identification Enable User- and Group-Based Policy Step 3 Create your Captive Portal Policies.1. Select Polic

84 Getting Started GuideVerify the User-ID Configuration Configure User IdentificationVerify the User-ID ConfigurationAfter you configure User Ident

Getting Started Guide 85Configure User Identification Verify the User-ID Configuration Step 4 Test your Captive Portal configuration. 1. From the s

Getting Started Guide 5Integrate the Firewall into Your Management Network Set Up Management Access to the Firewall Set Up Network Access for Externa

86 Getting Started GuideVerify the User-ID Configuration Configure User IdentificationStep 6 Verify that user names are displayed in reports (Monito

Getting Started Guide 87Set Up High AvailabilityHigh availability (HA) is a configuration in which two firewalls are placed in a group to prevent a si

88 Getting Started GuideHA Overview Set Up High AvailabilityHA OverviewOn Palo Alto Networks firewalls, you can set up two devices as an HA pair. HA

Getting Started Guide 89Set Up High Availability HA Overview On devices with dedicated HA ports (HA1 and HA2) such as the PA-3000 Series, PA-4000 Ser

90 Getting Started GuideHA Overview Set Up High AvailabilityFailover TriggersWhen a failure occurs on the active device and the passive device takes

Getting Started Guide 91Set Up High Availability HA Overview Timers Description PA-7050PA-5000 SeriesPA-4000 SeriesPA-3000 SeriesPA-2000 SeriesPA-500

92 Getting Started GuideHA Overview Set Up High AvailabilityAdditional master hold up timeThis time interval is applied to the same event as Monitor

Getting Started Guide 93Set Up High Availability Prerequisites for Active/Passive HA Prerequisites for Active/Passive HATo set up high availability o

94 Getting Started GuideConfiguration Guidelines Set Up High AvailabilityConfiguration GuidelinesTo set up an active (PeerA) passive (PeerB) pair in

Getting Started Guide 95Set Up High Availability Configuration Guidelines Independent Configuration SettingsPeerA PeerBControl Link IP address of the