Difference between revisions of "PAN-OS"

PAN-OS is software running on Palo Alto firewalls.^[1] providing:

• Firewall capabilities
• QoS
• URL Filtering
• GlobalProtect (VPN)
• packet inspection
• threat prevention (WildFire), features: https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-90.html
• PAN-OS authentication methods: Kerberos, RADIUS, LDAP, SAML 2.0, client certificates, biometric sign-in, and a local user database
• PAN-OS daemons: RASMGR, SSLMGR, SATD, IDE, Route and IKE

PAN-OS CLI

• configure
• commit
• find command
• show
• show session all
• show system info (Includes sw-version output)
• show system state
• show system disk-space files
• less mp-log authd.log
• show routing route
• show running nat-policy (See also: https://en.wikiversity.org/wiki/Cisco_Networking/CCENT/Network_Services#NAT_Configuration)
• show running security-policy
• show jobs id x
• edit rulebase security
• edit rulebase nat

VPN

• show vpn flow
• show vpn gateway
• show vpn ike-sa
• show vpn ipsec-sa
• show vpn tunnel

PVST+ commands

Troubleshooting

• ping host <destination-ip-address>
• ping source <ip-address-on-dataplane> host <destination-ip-address>
• show netstat statistics yes

Panorama

• show log-collector preference-list
• show logging-status device <firewall-serial-number>

Logs

• show log config
  • show log config cmd equal commit
  • show log config csv-output equal yes
• show log system

Wildfire

• show wildfire wf-vm-pe-utilization
• show wildfire wf-vm-doc-utilization
• show wildfire wf-vm-elinkda-utilization
• show wildfire wf-vm-archive-utilization
• show wildfire global sample-device-lookup sha256 equal <SHA_256>.
• show wildfire local sample-processed {time [last-12-hrs | last-15-minutes | last-1-hr | last-24-hrs | last-30-days | last-7-days | last-calender-day | last-calender-month] \ count <number_of_samples>}.

Rules

• set rulebase security rules YOUR_RULES_NAMES from Untrust to Trust source any destination any application any service any action allow
• move rulebase security rules YOUR_RULE_NAME top
• move rulebase security rules YOUR_RULE_NAME before YOUR_OTHER_RULE_NAME
• delete rulebase security rules YOUR_RULE_NAME

NAT (Valid actions: top, bottom, before, after)

• set rulebase nat rules YOUR_RULE_NAME source-translation dynamic-ip-and-port interface-address interface ethernet1/2
• move rulebase nat rules YOUR_RULE_NAME top
• delete rulebase nat rules YOUR_RULE_NAME

Activities

Basic

• Review additional PAN-OS examples: https://www.thegeekstuff.com/2019/06/paloalto-cli-security-nat-policy/
• Create a backup of your configuration: https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/9-1/pan-os-admin/firewall-administration/manage-configuration-backups.html
• Read PAN-OS 9.0 Administration guide:
  • https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/9-0/pan-os-admin/pan-os-admin.pdf
  • https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin
• Read PAN-OS 9.0 New features guide: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features.html such as Rule Changes Archive ^[2]
• Read PAN-OS Release Notes
• Review PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/cli-cheat-sheets.html
• Read Palo Alto basics of Palo Alto traffic monitoring filtering: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSlCAK
• Review https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/9-0/pan-os-cli-quick-start/pan-os-cli-quick-start.pdf
• Read https://weberblog.net/cli-commands-for-troubleshooting-palo-alto-firewalls/

Intermediate

• Create a IPSec VPN access in tunnel mode (transport mode not supported): https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK
• Configure MFA: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html
• Configure syslog monitoring https://www.manageengine.com/products/firewall/help/configure-paloalto-firewalls.html
• Read PAN-OS Port Scan Triggering method in zone protection profile: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljjCAC

NAT

• General overview: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC
• Configure Host Destination NAT: https://www.youtube.com/watch?v=ocnNiNW7jDE&list=PLD6FJ8WNiIqWPjNPk5Oi1TxE7SJnoPr-D#action=share
• Destination Host example: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
• Destination host with port: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-with-port-translation-example.html
• Configure ssh Port forwarding https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW

Related terms

• Mobile Device Management (MDM)
• HIP
• neq

See also

• DMZ, Port knocking, Bastion host, Firewall Software: iptables ufw firewalld nftables firewall-cmd ipfw (FreeBSD) PF (OpenBSD), netsh advfirewall, PAN-OS, WAF, pfsense, VyOS, Cisco ASA, DMZ, F5, URL Filtering, port forwarding, macOS application firewall, Windows firewall, Fortigate, ngrok, Network ACL
• PAN-OS (Palo Alto): PAN-OS Releases, show vpn, GlobalProtect, GlobalProtect logs, WildFire, show log, show session all, MDM, match, PAN-OS reports, HIP, Zone
• Cisco IOS, PAN-OS, Junos OS, FortiOS
• Terraform PAN-OS: https://www.terraform.io/docs/providers/panos/index.html

Manual: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin.html

Draft - Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. https://en.wikiversity.org/wiki/Draft:Firewall/Palo_Alto_PA-Series/PAN-OS