Difference between revisions of "PAN-OS"

From wikieduonline
Jump to navigation Jump to search
Tags: Mobile web edit, Mobile edit
 
(53 intermediate revisions by 2 users not shown)
Line 1: Line 1:
PAN-OS is software running on [[Firewall/Palo Alto PA-Series|Palo Alto firewalls]].<ref>https://docs.paloaltonetworks.com/pan-os</ref> providing [[Firewall]] capabilities, [[QoS]], [[URL Filtering]], [[packet inspection]] and [[threat prevention]] (WildFire).
+
[[wikipedia:PAN-OS]] is software running on [[Firewall/Palo Alto PA-Series|Palo Alto firewalls]].<ref>https://docs.paloaltonetworks.com/pan-os</ref>.
  
* Threat prevention ([[WildFire]]). Features: https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-90.html
+
 
 +
== Features ==
 +
* [[Firewall]] capabilities: [[Flood protection]]
 +
* [[QoS]]
 +
* [[URL Filtering]] (License based)
 +
* [[File blocking]]
 +
* [[GlobalProtect]] Gateway ([[VPN]]) (License based)
 +
* [[packet inspection]]
 +
* [[Threat prevention]] ([[WildFire]]) (License based), features: https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-90.html
 +
* PAN-OS authentication methods: [[Kerberos]], [[RADIUS]], [[LDAP]], [[SAML]] 2.0, client certificates, biometric sign-in, and a local user database
 
* PAN-OS daemons: [[RASMGR]], [[SSLMGR]], [[SATD]], [[IDE]], [[Route]] and [[IKE]]
 
* PAN-OS daemons: [[RASMGR]], [[SSLMGR]], [[SATD]], [[IDE]], [[Route]] and [[IKE]]
* PAN-OS authentication methods: [[Kerberos]], [[RADIUS]], [[LDAP]], [[SAML]] 2.0, client certificates, biometric sign-in, and a local user database
+
 
  
 
== PAN-OS CLI ==
 
== PAN-OS CLI ==
 
* <code>configure</code>
 
* <code>configure</code>
 
* <code>commit</code>
 
* <code>commit</code>
 +
* <code>find command</code>
 
* <code>show</code>
 
* <code>show</code>
* <code>show system info</code>
+
* <code>[[show session all]]</code>
* <code>show system state</code>
+
* <code>[[show session info]]</code>
 +
* <code>[[show system info]]</code> (Includes <code>sw-version</code> output and [[serial]])
 +
* <code>[[show system state]]</code>
 +
* <code>[[show system resources]]</code>
 
* <code>show system disk-space files</code>
 
* <code>show system disk-space files</code>
 
* <code>less mp-log authd.log</code>
 
* <code>less mp-log authd.log</code>
 
* <code>[[show routing route]]</code>
 
* <code>[[show routing route]]</code>
* <code>show running [[nat]]-policy</code> (See also: https://en.wikiversity.org/wiki/Cisco_Networking/CCENT/Network_Services#NAT_Configuration)
+
* <code>[[show running]] [[nat]]-policy</code> (See also: https://en.wikiversity.org/wiki/Cisco_Networking/CCENT/Network_Services#NAT_Configuration)
* <code>show running security-policy</code>
+
* <code>[[show running security-policy]]</code>
 +
* <code>[[show counter]] global filter delta yes packet-filter yes</code>
 
* <code>show jobs id x</code>
 
* <code>show jobs id x</code>
 
* <code>edit rulebase security</code>
 
* <code>edit rulebase security</code>
 
* <code>edit rulebase nat</code>
 
* <code>edit rulebase nat</code>
  
[[VPN]]
+
 
 +
===[[VPN]]===
 
{{show vpn TOC}}
 
{{show vpn TOC}}
  
 
[[PVST+]] commands
 
[[PVST+]] commands
  
Troubleshooting
+
===Troubleshooting===
 
*<code>[[ping]] host <destination-ip-address></code>
 
*<code>[[ping]] host <destination-ip-address></code>
 
*<code>ping source <ip-address-on-dataplane> host <destination-ip-address></code>
 
*<code>ping source <ip-address-on-dataplane> host <destination-ip-address></code>
 
*<code>show [[netstat]] statistics yes</code>
 
*<code>show [[netstat]] statistics yes</code>
 +
*<code>test authentication authentication-profile <AUTHENTICATION-PROFILE-NAME> username <USERNAME> password</code>
  
[[Panorama]]
+
===[[Panorama]]===
 
*<code>show log-collector preference-list</code>
 
*<code>show log-collector preference-list</code>
 
*<code>show logging-status device <firewall-serial-number></code>
 
*<code>show logging-status device <firewall-serial-number></code>
  
Logs
+
===Logs===
 
* <code>[[show log config]]</code>
 
* <code>[[show log config]]</code>
 
** <code>[[show log config cmd equal commit]]</code>
 
** <code>[[show log config cmd equal commit]]</code>
 +
** <code>[[show log config csv-output equal yes]]</code>
 
* <code>[[show log system]]</code>
 
* <code>[[show log system]]</code>
  
[[Wildfire]]
+
===[[Wildfire]]===
 
* <code>[[show wildfire]] wf-vm-pe-utilization</code>
 
* <code>[[show wildfire]] wf-vm-pe-utilization</code>
 
* <code>show wildfire wf-vm-doc-utilization</code>
 
* <code>show wildfire wf-vm-doc-utilization</code>
Line 58: Line 75:
 
* <code>delete rulebase nat rules YOUR_RULE_NAME</code>
 
* <code>delete rulebase nat rules YOUR_RULE_NAME</code>
  
==Manage Configuration Backups==
+
=== [[GlobalProtect]] ===
The candidate configuration is a copy of the running configuration plus any inactive changes that you made after the
+
{{GlobalProtect commands}}
last commit. Backing up versions of the running or candidate configuration enables you to later restore
 
those versions on the firewall.
 
 
 
===Back Up a Configuration===
 
Creating configuration backups enables you to later Restore a Configuration. This is useful when you want
 
to revert the firewall to all the settings of an earlier configuration because you can perform the restoration
 
as a single operation instead of manually reconfiguring each setting in the current configuration.
 
 
 
Note: When you edit a setting and click OK, the firewall updates the candidate configuration but
 
does not save a backup snapshot.
 
 
 
'''<u>STEP 1</u>'''
 
 
 
Save a local backup snapshot of the candidate configuration if it contains changes that you
 
want to preserve in the event the firewall reboots.
 
These are changes you are not ready to commit—for example, changes you cannot finish in the current
 
login session.
 
 
 
Perform one of the following tasks based on whether you want to overwrite the default snapshot
 
(.snapshot.xml) or create a snapshot with a custom name:
 
  
1. Overwrite the default snapshot—Click '''Save''' at the top of the web interface.
 
  
2. Create a custom-named snapshot:
+
=== [[License]] ===
*Select '''Device > Setup > Operations''' and Save named configuration snapshot.
+
* <code>[[request license info]]</code>
*Enter a Name for the snapshot or select an existing snapshot to overwrite.
 
*Click '''OK''' and '''Close'''.
 
  
'''<u>STEP 2</u>'''
+
=== Others ===
 
+
* <code>[[set]] cli [[pager]] off</code>
Export a candidate configuration, a running configuration, or the firewall state information to a
 
host external to the firewall.
 
 
 
Select '''Device > Setup > Operations''' and click an export option:
 
 
 
'''Export named configuration snapshot''' —Export the current running configuration, a named candidate
 
configuration snapshot, or a previously imported configuration (candidate or running). The firewall
 
exports the configuration as an XML file with the Name you specify.
 
 
 
'''Export configuration version''' —Select a Version of the running configuration to export as an XML file.
 
The firewall creates a version whenever you commit configuration changes.
 
 
 
'''Export device state''' —Export the firewall state information as a bundle. Besides the running
 
configuration, the state information includes device group and template settings pushed from
 
Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate
 
information, a list of satellites, and satellite authentication information. If you replace a firewall or
 
portal, you can restore the exported information on the replacement by importing the state bundle.
 
 
 
===Restore a Configuration===
 
This is useful when you want to revert all firewall settings used in an earlier configuration;
 
you can perform this restoration as a single operation instead of manually reconfiguring each setting in the
 
current configuration.
 
 
 
The firewall automatically saves a new version of the running configuration whenever you commit changes
 
and you can restore any of those versions. However, you must manually save a candidate configuration to
 
later restore it.
 
 
 
1. Restore the current running configuration.
 
This operation undoes all the changes you made to the candidate configuration since the last commit.
 
* Select '''Device > Setup > Operations''' and Revert to running configuration.
 
* Click '''Yes''' to confirm the operation.
 
 
 
2. Restore the default snapshot of the candidate configuration.
 
This is the snapshot that you create or overwrite when you click '''Save''' at the top right of the web
 
interface.
 
*Select '''Device > Setup > Operations''' and Revert to last saved configuration.
 
*Click '''Yes''' to confirm the operation.
 
*(Optional) Click Commit to overwrite the running configuration with the snapshot.
 
 
 
3. Restore a previous version of the running configuration that is stored on the firewall.
 
The firewall creates a version whenever you commit configuration changes.
 
 
 
*Select ''''Device > Setup > Operations'''' and Load configuration version.
 
*Select a configuration Version and click '''OK.'''
 
*(Optional) Click Commit to overwrite the running configuration with the version you just restored.
 
 
 
4. Restore one of the following:
 
5. Current running configuration (named running-config.xml)
 
6. Custom-named version of the running configuration that you previously imported
 
7. Custom-named candidate configuration snapshot (instead of the default snapshot)
 
*'''Select Device > Setup > Operations''' and click Load named configuration snapshot.
 
*Select the snapshot '''Name''' and click '''OK.'''
 
*(Optional) Click Commit to overwrite the running configuration with the snapshot.
 
 
 
8. Restore a running or candidate configuration that you previously exported to an external host.
 
*Select '''Device > Setup > Operations''', click Import named configuration snapshot, Browse to the configuration file on the external host, and click OK.
 
*Click '''Load named configuration snapshot,''' select the Name of the configuration file you just imported, and click '''OK.'''
 
*(Optional) Click Commit to overwrite the running configuration with the snapshot you just imported.
 
 
 
9. Restore state information that you exported from a firewall.
 
Besides the running configuration, the state information includes device group and template settings
 
pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate
 
information, a list of satellites, and satellite authentication information. If you replace a firewall or portal,
 
you can restore the information on the replacement by importing the state bundle.
 
Import state information:
 
*Select '''Device > Setup > Operations,''' click '''Import device state,''' Browse to the state bundle, and click '''OK.'''
 
*(Optional) Click Commit to apply the imported state information to the running configuration.
 
  
 
== Activities ==
 
== Activities ==
 
=== Basic ===
 
=== Basic ===
 
* Review additional PAN-OS examples: https://www.thegeekstuff.com/2019/06/paloalto-cli-security-nat-policy/
 
* Review additional PAN-OS examples: https://www.thegeekstuff.com/2019/06/paloalto-cli-security-nat-policy/
* Create a backup of your configuration: https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/9-0/pan-os-admin/firewall-administration/manage-configuration-backups.html
+
* Create a [[backup]] of your configuration: https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/9-1/pan-os-admin/firewall-administration/manage-configuration-backups.html
 
* Read PAN-OS 9.0 Administration guide:
 
* Read PAN-OS 9.0 Administration guide:
 
** https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/9-0/pan-os-admin/pan-os-admin.pdf
 
** https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/9-0/pan-os-admin/pan-os-admin.pdf
Line 169: Line 96:
 
* Review PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/cli-cheat-sheets.html
 
* Review PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/cli-cheat-sheets.html
 
* Read Palo Alto basics of [[Palo Alto traffic monitoring filtering]]: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSlCAK
 
* Read Palo Alto basics of [[Palo Alto traffic monitoring filtering]]: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSlCAK
 +
* Review https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/9-0/pan-os-cli-quick-start/pan-os-cli-quick-start.pdf
 +
* Read https://weberblog.net/cli-commands-for-troubleshooting-palo-alto-firewalls/
 +
  
 
=== Intermediate ===
 
=== Intermediate ===
 
* Create a [[IPSec]] [[VPN]] access in tunnel mode (transport mode not supported): https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK
 
* Create a [[IPSec]] [[VPN]] access in tunnel mode (transport mode not supported): https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK
 
* Configure [[MFA]]: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html
 
* Configure [[MFA]]: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html
* Configure [[syslog]] monitoring https://www.manageengine.com/products/firewall/help/configure-paloalto-firewalls.html
+
* Configure [[PAN-OS syslog]]
 +
* Read [[PAN-OS]] [[Port Scan]] Triggering method in zone protection profile: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljjCAC
 +
 
 +
[[NAT]]
 +
* General overview: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC
 +
* Configure Host Destination NAT: https://www.youtube.com/watch?v=ocnNiNW7jDE&list=PLD6FJ8WNiIqWPjNPk5Oi1TxE7SJnoPr-D#action=share
 +
* Destination Host example: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
 +
* Destination host with port: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-with-port-translation-example.html
 +
* Configure ssh [[Port forwarding]] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW
 +
* [[PAN-OS Packet Capture]]
 +
 
 +
== Related terms ==
 +
* [[Mobile Device Management (MDM)]]
 +
* [[HIP]]
 +
* <code>[[neq]]</code>
 +
* [[less]] mp-log authd.lo</code>
 +
* <code>[[ansible-galaxy collection install paloaltonetworks.panos]]</code>
 +
* [[PAN-OS reports]]
 +
* [[External Dynamic List (EDL)]]
  
 
== See also ==
 
== See also ==

Latest revision as of 08:16, 31 August 2021

wikipedia:PAN-OS is software running on Palo Alto firewalls.[1].


Features[edit]


PAN-OS CLI[edit]


VPN[edit]

PVST+ commands

Troubleshooting[edit]

  • ping host <destination-ip-address>
  • ping source <ip-address-on-dataplane> host <destination-ip-address>
  • show netstat statistics yes
  • test authentication authentication-profile <AUTHENTICATION-PROFILE-NAME> username <USERNAME> password

Panorama[edit]

  • show log-collector preference-list
  • show logging-status device <firewall-serial-number>

Logs[edit]

Wildfire[edit]

  • show wildfire wf-vm-pe-utilization
  • show wildfire wf-vm-doc-utilization
  • show wildfire wf-vm-elinkda-utilization
  • show wildfire wf-vm-archive-utilization
  • show wildfire global sample-device-lookup sha256 equal <SHA_256>.
  • show wildfire local sample-processed {time [last-12-hrs | last-15-minutes | last-1-hr | last-24-hrs | last-30-days | last-7-days | last-calender-day | last-calender-month] \ count <number_of_samples>}.

Rules[edit]

  • set rulebase security rules YOUR_RULES_NAMES from Untrust to Trust source any destination any application any service any action allow
  • move rulebase security rules YOUR_RULE_NAME top
  • move rulebase security rules YOUR_RULE_NAME before YOUR_OTHER_RULE_NAME
  • delete rulebase security rules YOUR_RULE_NAME

NAT (Valid actions: top, bottom, before, after)

  • set rulebase nat rules YOUR_RULE_NAME source-translation dynamic-ip-and-port interface-address interface ethernet1/2
  • move rulebase nat rules YOUR_RULE_NAME top
  • delete rulebase nat rules YOUR_RULE_NAME

GlobalProtect[edit]

current-satellite Show current GlobalProtect gateway satellites
current-user Show current GlobalProtect gateway users
flow Show dataplane GlobalProtect gateway tunnel information
flow-site-to-site Show dataplane GlobalProtect site-to-site gateway tunnel information
gateway Show list of GlobalProtect gateway configuration
previous-satellite Show previous GlobalProtect gateway satellites
previous-user Show previous user session for GlobalProtect gateway users


License[edit]

Others[edit]

Activities[edit]

Basic[edit]


Intermediate[edit]

NAT

Related terms[edit]

See also[edit]

Manual: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin.html

Draft - Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. https://en.wikiversity.org/wiki/Draft:Firewall/Palo_Alto_PA-Series/PAN-OS

Advertising: