
PAN-OS
Web Interface
Reference Guide

Version 8.0
Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactsupport

About this Guide

This guide describes the Palo Alto Networks next-generation firewall and Panorama web interfaces. It provides reference information on how to populate the fields within these web interfaces. For additional information, refer to the following resources:

For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.

For access to the knowledge base, discussion forums, and videos, refer to https://live.paloaltonetworks.com.

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

For the most current PAN-OS and Panorama 8.0 release notes, see https://www.paloaltonetworks.com/documentation/80/panos/panosreleasenotes.

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.

www.paloaltonetworks.com

2014-2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: February 6, 2017

2 PAN-OS 8.0 Web Interface Reference Guide Palo Alto Networks, Inc.

Table of Contents

Web Interface Basics ............................................................ 13
    Firewall Overview .......................................................... 14
    Features and Benefits ...................................................... 15
    Last Login Time and Failed Login Attempts .................................. 16
    Message of the Day ......................................................... 17
    Task Manager ............................................................... 18
    Language ................................................................... 20
    Alarms ..................................................................... 20
    Commit Changes ............................................................. 21
    Save Candidate Configurations .............................................. 25
    Revert Changes ............................................................. 29
    Lock Configurations ........................................................ 33
    Global Find ................................................................ 34
    Threat Details ............................................................. 35
    AutoFocus Intelligence Summary ............................................. 37

Dashboard ....................................................................... 39

ACC ............................................................................. 41
    A First Glance at the ACC .................................................. 42
    ACC Tabs ................................................................... 43
    ACC Widgets ................................................................ 44
    ACC Actions ................................................................ 45

Monitor ......................................................................... 49
    Monitor > Logs ............................................................. 50
        Log Types .............................................................. 50
        Log Actions ............................................................ 53
    Monitor > External Logs .................................................... 55
    Monitor > Automated Correlation Engine ..................................... 56
    Monitor > Automated Correlation Engine > Correlation Objects ............... 57
    Monitor > Automated Correlation Engine > Correlated Events ................. 58
    Monitor > Packet Capture ................................................... 59
        Packet Capture Overview ................................................ 59
        Building Blocks for a Custom Packet Capture ............................ 60
        Enable Threat Packet Capture ........................................... 63

    Monitor > App Scope ........................................................ 64
        Summary Report ......................................................... 65
        Change Monitor Report .................................................. 66
        Threat Monitor Report .................................................. 67
        Threat Map Report ...................................................... 68
        Network Monitor Report ................................................. 69
        Traffic Map Report ..................................................... 71
    Monitor > Session Browser .................................................. 72
    Monitor > Block IP List .................................................... 73
        Block IP List Entries .................................................. 73
        View or Delete Block IP List Entries ................................... 74
    Monitor > Botnet ........................................................... 75
        Managing Botnet Reports ................................................ 75
        Configuring the Botnet Report .......................................... 76
    Monitor > PDF Reports ...................................................... 77
    Monitor > PDF Reports > Manage PDF Summary ................................. 78
    Monitor > PDF Reports > User Activity Report ............................... 80
    Monitor > PDF Reports > SaaS Application Usage ............................. 81
    Monitor > PDF Reports > Report Groups ...................................... 83
    Monitor > PDF Reports > Email Scheduler .................................... 84
    Monitor > Manage Custom Reports ............................................ 85
    Monitor > Reports .......................................................... 86

Policies ........................................................................ 87
    Policy Types ............................................................... 88
    Move or Clone a Policy Rule ................................................ 89
    Policies > Security ........................................................ 90
        Security Policy Overview ............................................... 90
        Building Blocks in a Security Policy Rule .............................. 91
        Creating and Managing Policies ......................................... 98
        Overriding or Reverting a Security Policy Rule ........................ 100
    Policies > NAT ............................................................ 102
        General Tab ........................................................... 102
        Original Packet Tab ................................................... 103
        Translated Packet Tab ................................................. 104
        Active/Active HA Binding Tab .......................................... 105
    Policies > QoS ............................................................ 107
    Policies > Policy Based Forwarding ........................................ 111
        General Tab ........................................................... 111
        Source Tab ............................................................ 112
        Destination/Application/Service Tab ................................... 113
        Forwarding Tab ........................................................ 113
    Policies > Decryption ..................................................... 115
        General Tab ........................................................... 115
        Source Tab ............................................................ 116

        Destination Tab ....................................................... 117
        Service/URL Category Tab .............................................. 118
        Options Tab ........................................................... 118
    Policies > Tunnel Inspection .............................................. 119
        Building Blocks in a Tunnel Inspection Policy ......................... 119
    Policies > Application Override ........................................... 122
        General Tab ........................................................... 123
        Source Tab ............................................................ 123
        Destination Tab ....................................................... 124
        Protocol/Application Tab .............................................. 124
    Policies > Authentication ................................................. 125
        Building Blocks of an Authentication Policy Rule ...................... 125
        Create and Manage Authentication Policy ............................... 128
    Policies > DoS Protection ................................................. 129
        DoS Protection Policy Overview ........................................ 129
        Building Blocks of a DoS Protection Policy ............................ 130

Objects ........................................................................ 133
    Move, Clone, Override, or Revert Objects .................................. 134
        Move or Clone an Object ............................................... 134
        Override or Revert an Object .......................................... 134
    Objects > Addresses ....................................................... 136
    Objects > Address Groups .................................................. 138
    Objects > Regions ......................................................... 140
    Objects > Applications .................................................... 141
        Applications Overview ................................................. 141
        Actions Supported on Applications ..................................... 145
        Defining Applications ................................................. 147
    Objects > Application Groups .............................................. 150
    Objects > Application Filters ............................................. 151
    Objects > Services ........................................................ 152
    Objects > Service Groups .................................................. 153
    Objects > Tags ............................................................ 154
        Create Tags ........................................................... 154
        Use the Tag Browser ................................................... 155
        Manage Tags ........................................................... 156
    Objects > External Dynamic Lists .......................................... 158
    Objects > Custom Objects .................................................. 161
    Objects > Custom Objects > Data Patterns .................................. 162
        Data Pattern Settings ................................................. 162
        Syntax for Regular Expression Data Patterns ........................... 163
        Regular Expression Data Pattern Examples .............................. 164
    Objects > Custom Objects > Spyware/Vulnerability .......................... 165
    Objects > Custom Objects > URL Category ................................... 169
    Objects > Security Profiles ............................................... 170

        Actions in Security Profiles .......................................... 170
    Objects > Security Profiles > Antivirus ................................... 173
    Objects > Security Profiles > Anti-Spyware Profile ........................ 175
    Objects > Security Profiles > Vulnerability Protection .................... 178
    Objects > Security Profiles > URL Filtering ............................... 181
        General Settings ...................................................... 181
        Categories ............................................................ 182
        Overrides ............................................................. 183
        URL Filtering Settings ................................................ 185
        User Credential Detection ............................................. 186
    Objects > Security Profiles > File Blocking ............................... 188
    Objects > Security Profiles > WildFire Analysis ........................... 190
    Objects > Security Profiles > Data Filtering .............................. 191
    Objects > Security Profiles > DoS Protection .............................. 193
    Objects > Security Profile Groups ......................................... 196
    Objects > Log Forwarding .................................................. 197
    Objects > Authentication .................................................. 200
    Objects > Decryption Profile .............................................. 202
        Decryption Profile General Settings ................................... 202
        Settings to Control Decrypted SSL Traffic ............................. 203
        Settings to Control Traffic that is not Decrypted ..................... 205
        Settings to Control Decrypted SSH Traffic ............................. 205
    Objects > Schedules ....................................................... 207

Network ........................................................................ 209
    Network > Virtual Wires ................................................... 210
    Network > Interfaces ...................................................... 211
        Firewall Interfaces Overview .......................................... 212
        Common Building Blocks for Firewall Interfaces ........................ 212
        Common Building Blocks for PA-7000 Series Firewall Interfaces ......... 213
        Layer 2 Interface ..................................................... 214
        Layer 2 Subinterface .................................................. 215
        Layer 3 Interface ..................................................... 215
        Layer 3 Subinterface .................................................. 226
        Virtual Wire Interface ................................................ 235
        Virtual Wire Subinterface ............................................. 236
        Tap Interface ......................................................... 237
        Log Card Interface .................................................... 238
        Log Card Subinterface ................................................. 239
        Decrypt Mirror Interface .............................................. 240
        Aggregate Ethernet (AE) Interface Group ............................... 241
        Aggregate Ethernet (AE) Interface ..................................... 244
        HA Interface .......................................................... 249
    Network > Interfaces > VLAN ............................................... 250
    Network > Interfaces > Loopback ........................................... 256

    Network > Interfaces > Tunnel ............................................. 258
    Network > Virtual Routers ................................................. 260
        General Settings of a Virtual Router .................................. 261
        Static Routes ......................................................... 261
        Route Redistribution .................................................. 264
        RIP ................................................................... 265
        OSPF .................................................................. 268
        OSPFv3 ................................................................ 274
        BGP ................................................................... 281
        IP Multicast .......................................................... 296
        ECMP .................................................................. 300
        More Runtime Stats for a Virtual Router ............................... 302
    Network > Zones ........................................................... 311
        Building Blocks of Security Zones ..................................... 311
    Network > VLANs ........................................................... 314
    Network > IPSec Tunnels ................................................... 315
        IPSec VPN Tunnel Management ........................................... 315
        IPSec Tunnel General Tab .............................................. 316
        IPSec Tunnel Proxy IDs Tab ............................................ 318
        IPSec Tunnel Status on the Firewall ................................... 319
        IPSec Tunnel Restart or Refresh ....................................... 319
    Network > DHCP ............................................................ 320
        DHCP Overview ......................................................... 320
        DHCP Addressing ....................................................... 321
        DHCP Server ........................................................... 321
        DHCP Relay ............................................................ 324
        DHCP Client ........................................................... 324
    Network > DNS Proxy ....................................................... 325
        DNS Proxy Overview .................................................... 325
        DNS Proxy Settings .................................................... 326
        Additional DNS Proxy Actions .......................................... 328
    Network > QoS ............................................................. 329
        QoS Interface Settings ................................................ 329
        QoS Interface Statistics .............................................. 331
    Network > LLDP ............................................................ 332
        Building Blocks of LLDP ............................................... 332
    Network > Network Profiles ................................................ 335
    Network > Network Profiles > GlobalProtect IPSec Crypto ................... 336
    Network > Network Profiles > IKE Gateways ................................. 337
        IKE Gateway Management ................................................ 337
        IKE Gateway General Tab ............................................... 338
        IKE Gateway Advanced Options Tab ...................................... 341
        IKE Gateway Restart or Refresh ........................................ 342
    Network > Network Profiles > IPSec Crypto ................................. 343
    Network > Network Profiles > IKE Crypto ................................... 344
    Network > Network Profiles > Interface Mgmt ............................... 345
    Network > Network Profiles > Monitor ...................................... 346

    Network > Network Profiles > Zone Protection .............................. 347
        Building Blocks of Zone Protection Profiles ........................... 348
        Flood Protection ...................................................... 349
        Reconnaissance Protection ............................................. 352
        Packet Based Attack Protection ........................................ 353
        Protocol Protection ................................................... 360
    Network > Network Profiles > LLDP Profile ................................. 361
    Network > Network Profiles > BFD Profile .................................. 362
        BFD Overview .......................................................... 362
        Building Blocks of a BFD Profile ...................................... 363
    Network > Network Profiles > QoS .......................................... 365

Device ......................................................................... 367
    Device > Setup ............................................................ 368
    Device > Setup > Management ............................................... 369
    Device > Setup > Operations ............................................... 384
        Enable SNMP Monitoring ................................................ 390
    Device > Setup > HSM ...................................................... 392
        Hardware Security Module Provider Settings ............................ 392
        HSM Authentication .................................................... 393
        Hardware Security Module Provider Configuration and Status ............ 393
        Hardware Security Module Status ....................................... 394
    Device > Setup > Services ................................................. 395
        Destination Service Route ............................................. 399
    Device > Setup > Interfaces ............................................... 400
    Device > Setup > Telemetry ................................................ 404
    Device > Setup > Content-ID ............................................... 406
    Device > Setup > WildFire ................................................. 410
    Device > Setup > Session .................................................. 412
        Session Settings ...................................................... 412
        Session Timeouts ...................................................... 414
        TCP Settings .......................................................... 416
        Decryption Settings: Certificate Revocation Checking .................. 418
        Decryption Settings: Forward Proxy Server Certificate Settings ........ 419
        VPN Session Settings .................................................. 420
    Device > High Availability ................................................ 421
        HA Lite ............................................................... 421
        Important Considerations for Configuring HA ........................... 421
        Configure HA Settings ................................................. 422
    Device > Config Audit ..................................................... 432
    Device > Password Profiles ................................................ 433
        Username and Password Requirements .................................... 434
    Device > Administrators ................................................... 435
    Device > Admin Roles ...................................................... 437
    Device > Access Domain .................................................... 439

    Device > Authentication Profile ........................................... 440
        Configure an Authentication Profile ................................... 440
        Export SAML Metadata from an Authentication Profile ................... 445
    Device > Authentication Sequence .......................................... 447
    Device > VM Information Sources ........................................... 448
    Device > Virtual Systems .................................................. 452
    Device > Shared Gateways .................................................. 454
    Device > Certificate Management ........................................... 455
    Device > Certificate Management > Certificates ............................ 456
        Manage Firewall and Panorama Certificates ............................. 456
        Manage Default Trusted Certificate Authorities ........................ 460
    Device > Certificate Management > Certificate Profile ..................... 461
    Device > Certificate Management > OCSP Responder .......................... 463
    Device > Certificate Management > SSL/TLS Service Profile ................. 464
    Device > Certificate Management > SCEP .................................... 465
    Device > Certificate Management > SSL Decryption Exclusion ................ 468
    Device > Response Pages ................................................... 470
    Device > Log Settings ..................................................... 472
        Select Log Forwarding Destinations .................................... 472
        Define Alarm Settings ................................................. 474
        Clear Logs ............................................................ 475
    Device > Server Profiles .................................................. 476
    Device > Server Profiles > SNMP Trap ...................................... 477
    Device > Server Profiles > Syslog ......................................... 479
    Device > Server Profiles > Email .......................................... 481
    Device > Server Profiles > HTTP ........................................... 482
    Device > Server Profiles > NetFlow ........................................ 484
    Device > Server Profiles > RADIUS ......................................... 485
    Device > Server Profiles > TACACS+ ........................................ 486
    Device > Server Profiles > LDAP ........................................... 487
    Device > Server Profiles > Kerberos ....................................... 489
    Device > Server Profiles > SAML Identity Provider ......................... 490
    Device > Server Profiles > DNS ............................................ 493
    Device > Server Profiles > Multi Factor Authentication .................... 494
    Device > Local User Database > Users ...................................... 496
    Device > Local User Database > User Groups ................................ 497
    Device > Scheduled Log Export ............................................. 498
    Device > Software ......................................................... 499
    Device > Dynamic Updates .................................................. 501
    Device > Licenses ......................................................... 505
        Behavior on License Expiry ............................................ 506

    Device > Support .......................................................... 507
    Device > Master Key and Diagnostics ....................................... 508

User Identification ............................................................ 511
    Device > User Identification > User Mapping ............................... 512
        Enable WMI Authentication ............................................. 513
        Enable Client Probing ................................................. 513
        Enable Server Monitoring .............................................. 514
        Configure Cache Timeouts for User Mapping Entries ..................... 516
        Enable NTLM Authentication ............................................ 516
        Enable Redistribution of User Mappings Among Firewalls ................ 517
        Manage Syslog Message Filters ......................................... 518
        Manage the User Ignore List ........................................... 519
        Monitor Servers ....................................................... 520
        Include or Exclude Subnetworks for User Mapping ....................... 522
    Device > User Identification > Connection Security ........................ 524
    Device > User Identification > User-ID Agents ............................. 525
        Configure Access to User-ID Agents .................................... 525
        Manage Access to User-ID Agents ....................................... 527
    Device > User Identification > Terminal Services Agents ................... 528
    Device > User Identification > Group Mapping Settings ..................... 529
    Device > User Identification > Captive Portal Settings .................... 533

GlobalProtect .................................................................. 537
    Network > GlobalProtect > Portals ......................................... 538
        General Tab ........................................................... 539
        Authentication Configuration Tab ...................................... 540
        Agent Configuration Tab ............................................... 542
        Clientless Configuration Tab .......................................... 556
        Satellite Configuration Tab ........................................... 559
    Network > GlobalProtect > Gateways ........................................ 562
        General Tab ........................................................... 563
        Authentication Tab .................................................... 564
        Agent Tab ............................................................. 564
        Satellite Configuration Tab ........................................... 572
    Network > GlobalProtect > MDM ............................................. 574
    Network > GlobalProtect > Block List ...................................... 575
    Network > GlobalProtect > Clientless Apps ................................. 576
    Network > GlobalProtect > Clientless App Groups ........................... 577
    Objects > GlobalProtect > HIP Objects ..................................... 578
        General Tab ........................................................... 579
        Mobile Device Tab ..................................................... 580
        Patch Management Tab .................................................. 581
        Firewall Tab .......................................................... 582
        Antivirus Tab ......................................................... 582
        Anti-Spyware Tab ...................................................... 583

        Disk Backup Tab ....................................................... 583
        Disk Encryption Tab ................................................... 584
        Data Loss Prevention Tab .............................................. 584
        Custom Checks Tab ..................................................... 585
    Objects > GlobalProtect > HIP Profiles .................................... 586
    Device > GlobalProtect Client ............................................. 588
        Managing the GlobalProtect Agent Software ............................. 588
        Setting Up the GlobalProtect Agent .................................... 589
        Using the GlobalProtect Agent ......................................... 590

Panorama Web Interface ......................................................... 591
    Use the Panorama Web Interface ............................................ 593
    Context Switch ............................................................ 597
    Panorama Commit Operations ................................................ 598
    Defining Policies on Panorama ............................................. 607
    Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode .... 608
    Panorama > Setup > Interfaces ............................................. 609
    Panorama > High Availability .............................................. 611
    Panorama > Managed WildFire Clusters ...................................... 614
        Managed WildFire Cluster Tasks ........................................ 614
        Managed WildFire Appliance Tasks ...................................... 615
        Managed WildFire Information .......................................... 616
        Managed WildFire Cluster and Appliance Administration ................. 619
    Panorama > Administrators ................................................. 627
    Panorama > Admin Roles .................................................... 629
    Panorama > Access Domains ................................................. 631
    Panorama > Managed Devices ................................................ 632
        Managed Firewall Administration ....................................... 632
        Managed Firewall Information .......................................... 633
        Firewall Software and Content Updates ................................. 635
        Firewall Backups ...................................................... 636
    Panorama > Templates ...................................................... 638
        Templates ............................................................. 638
        Template Stacks ....................................................... 640
    Panorama > Device Groups .................................................. 641
    Panorama > Managed Collectors ............................................. 643
        Log Collector Information ............................................. 643
        Log Collector Configuration ........................................... 644
        Software Updates for Dedicated Log Collectors ......................... 652
    Panorama > Collector Groups ............................................... 654
        Collector Group Configuration ......................................... 654
        Collector Group Information ........................................... 659
    Panorama > Plugins ........................................................ 660

Palo Alto Networks, Inc.    PAN-OS 8.0 Web Interface Reference Guide    11

Panorama > VMware NSX ......................................................... 661
    Configure a Notify Group .................................................. 662
    Create Service Definitions ................................................ 663
    Configure Access to the NSX Manager ....................................... 664
    Create Steering Rules ..................................................... 665
Panorama > Log Ingestion Profile .............................................. 667
Panorama > Log Settings ....................................................... 668
Panorama > Scheduled Config Export ............................................ 670
Panorama > Software ........................................................... 671
    Manage Panorama Software Updates .......................................... 672
    Display Panorama Software Update Information .............................. 673
Panorama > Device Deployment .................................................. 674
    Manage Software and Content Updates ....................................... 674
    Display Software and Content Update Information ........................... 676
    Schedule Dynamic Content Updates .......................................... 677
    Manage Firewall Licenses .................................................. 678

Web Interface Basics

- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary


Firewall Overview

Palo Alto Networks next-generation firewalls safely enable applications and prevent modern threats by inspecting all traffic (applications, threats, and content) and tying it to the user, regardless of location or device type. The application, content, and user (the elements that run your business) become integral components of your Security policy. This allows you to align security with your key business initiatives. With our next-generation security platform, you reduce response times to incidents, discover unknown threats, and streamline security network deployment.

- Safely enable applications, users, and content by classifying all traffic, determining the business use case, and assigning policies to allow and protect access to relevant applications.
- Prevent threats by eliminating unwanted applications to reduce your threat footprint, and apply targeted Security policy rules to block known vulnerability exploits, viruses, spyware, botnets, and unknown malware (APTs).
- Protect your data centers through the validation of applications, isolation of data, control over rogue applications, and high-speed threat prevention.
- Secure public and private cloud computing environments with increased visibility and control; deploy, enforce, and maintain Security policy rules at the same pace as your virtual machines.


Features and Benefits

The Palo Alto Networks next-generation firewalls provide granular control over the traffic allowed to access your network. The primary features and benefits include:

- Application-based policy enforcement (App-ID): Access control according to application type is far more effective when application identification is based on more than just protocol and port number. The App-ID service can block high-risk applications, as well as high-risk behavior, such as file sharing, and traffic encrypted with the Secure Sockets Layer (SSL) protocol can be decrypted and inspected.
- User identification (User-ID): The User-ID feature allows administrators to configure and enforce firewall policies based on users and user groups instead of, or in addition to, network zones and addresses. The firewall can communicate with many directory servers, such as Microsoft Active Directory, eDirectory, SunOne, OpenLDAP, and most other LDAP-based directory servers, to provide user and group information to the firewall. You can then use this information for secure application enablement that can be defined per user or group. For example, the administrator could allow one organization to use a web-based application but not allow any other organizations in the company to use that same application. You can also configure granular control of certain components of an application based on users and groups (see User Identification).
- Threat prevention: Threat prevention services that protect the network from viruses, worms, spyware, and other malicious traffic can be varied by application and traffic source (see Objects > Security Profiles).
- URL filtering: Outbound connections can be filtered to prevent access to inappropriate web sites (see Objects > Security Profiles > URL Filtering).
- Traffic visibility: Extensive reports, logs, and notification mechanisms provide detailed visibility into network application traffic and security events. The Application Command Center (ACC) in the web interface identifies the applications with the most traffic and the highest security risk (see Monitor).
- Networking versatility and speed: The Palo Alto Networks firewall can augment or replace your existing firewall and can be installed transparently in any network or configured to support a switched or routed environment. Multi-gigabit speeds and a single-pass architecture provide these services to you with little or no impact on network latency.
- GlobalProtect: The GlobalProtect software provides security for client systems, such as laptops that are used in the field, by allowing easy and secure login from anywhere in the world.
- Fail-safe operation: High availability (HA) support provides automatic failover in the event of any hardware or software disruption (see Device > Virtual Systems).
- Malware analysis and reporting: The WildFire cloud-based analysis service provides detailed analysis and reporting on malware that passes through the firewall. Integration with the AutoFocus threat intelligence service allows you to assess the risk associated with your network traffic at organization, industry, and global levels.
- VM-Series firewall: A VM-Series firewall provides a virtual instance of PAN-OS positioned for use in a virtualized data center environment and is ideal for your private, public, and hybrid cloud computing environments.
- Management and Panorama: You can manage each firewall through an intuitive web interface or through a command-line interface (CLI), or you can centrally manage all firewalls through the Panorama centralized management system, which has a web interface very similar to the web interface on Palo Alto Networks firewalls.


Last Login Time and Failed Login Attempts

To detect misuse and prevent exploitation of a privileged account, such as an administrative account on a Palo Alto Networks firewall or Panorama, the web interface and the command-line interface (CLI) display your last login time and any failed login attempts for your username when you log in. This information allows you to easily identify whether someone is using your administrative credentials to launch an attack.

After you log in to the web interface, the last login time information appears at the bottom left of the window. If one or more failed logins occurred since the last successful login, a caution icon appears to the right of the last login information. Hover over the caution symbol to view the number of failed login attempts, or click it to view the Failed Login Attempts Summary window, which lists the administrative account name, the source IP address, and the reason for the login failure.

If you see multiple failed login attempts that you do not recognize as your own, you should work with your network administrator to locate the system that is performing the brute-force attack and then investigate the user and host computer to identify and eradicate any malicious activity. If you see that the last login date and time indicates an account compromise, you should immediately change your password and then perform a configuration audit to determine if suspicious configuration changes were committed. Revert the configuration to a known good configuration if you see that logs were cleared or if you have difficulty determining if improper changes were made using your account.
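The following is an added example, not code from this guide or from Palo Alto Networks. It reproduces in plain Python what the Failed Login Attempts Summary window shows (account name, source IP address, failure reason) for the failures that occurred since the last successful login, and additionally groups them by source so that a source with repeated failures can be handed to the network administrator for investigation, as the paragraph above recommends. The record layout, the threshold, and every sample value are constructed for this example and are not firewall output.

```python
"""Summarize failed administrator logins since the last successful login.

Added example, not part of the PAN-OS guide and not Palo Alto Networks code.
The LoginEvent layout and all SAMPLE_EVENTS values are constructed here.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    user: str
    source_ip: str
    success: bool
    reason: str = ""  # failure reason; empty for a successful login


# Constructed sample records (not real firewall output).
SAMPLE_EVENTS = [
    LoginEvent(datetime(2017, 2, 6, 7, 50), "admin", "10.1.1.20", False, "invalid password"),
    LoginEvent(datetime(2017, 2, 6, 8, 0), "admin", "10.1.1.20", True),
    LoginEvent(datetime(2017, 2, 6, 9, 5), "admin", "203.0.113.7", False, "invalid password"),
    LoginEvent(datetime(2017, 2, 6, 9, 6), "admin", "203.0.113.7", False, "invalid password"),
    LoginEvent(datetime(2017, 2, 6, 9, 7), "admin", "203.0.113.7", False, "invalid password"),
    LoginEvent(datetime(2017, 2, 6, 9, 30), "admin", "10.1.1.21", False, "invalid password"),
    LoginEvent(datetime(2017, 2, 6, 10, 0), "auditor", "10.1.1.30", True),
    LoginEvent(datetime(2017, 2, 6, 10, 2), "auditor", "10.1.1.30", False, "invalid password"),
]


def last_successful_login(events, user):
    """Return the most recent successful login for `user`, or None."""
    ok = [e for e in events if e.user == user and e.success]
    return max(ok, key=lambda e: e.when) if ok else None


def failed_since_last_success(events, user):
    """Failed attempts for `user` after their last successful login.

    Failures that precede the last successful login are ignored, which is
    the "since the last successful login" rule the guide describes.
    """
    last_ok = last_successful_login(events, user)
    cutoff = last_ok.when if last_ok else datetime.min
    return sorted(
        (e for e in events if e.user == user and not e.success and e.when > cutoff),
        key=lambda e: e.when,
    )


def summarize_failures(events, user, threshold=3):
    """Build a summary like the Failed Login Attempts Summary window.

    Returns the failure count, a per-source breakdown, the distinct failure
    reasons, and the sources whose failure count reached `threshold`
    (the threshold is a constructed value, not a firewall setting).
    """
    failures = failed_since_last_success(events, user)
    per_source = Counter(e.source_ip for e in failures)
    return {
        "user": user,
        "failed_count": len(failures),
        "by_source": dict(per_source),
        "reasons": sorted({e.reason for e in failures}),
        "suspect_sources": sorted(ip for ip, n in per_source.items() if n >= threshold),
    }


if __name__ == "__main__":
    for name in ("admin", "auditor"):
        print(summarize_failures(SAMPLE_EVENTS, name))
```

Run over the sample, the admin account shows four failures since its 08:00 login (the 07:50 failure is correctly excluded), three of them from one source, which is the only source flagged; the auditor account shows a single failure and no flagged source.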


Message of the Day

If you or another administrator configured a message of the day, or Palo Alto Networks embedded one as part of a software or content release, a Message of the Day dialog displays automatically when users log in to the web interface. This ensures that users see important information, such as an impending system restart, that impacts the tasks they intend to perform.

The dialog displays one message per page. If the dialog includes the option to select Do not show again, you can select it for each message that you don't want the dialog to display after subsequent logins.

Note: Any time the Message of the Day changes, the message appears in your next session even if you selected Do not show again during a previous login. You must then reselect this option to avoid seeing the modified message in subsequent sessions.

To navigate the dialog pages, click the right and left arrows along the sides of the dialog or click a page selector along the bottom of the dialog. After you Close the dialog, you can manually reopen it by clicking messages at the bottom of the web interface.

To configure a message of the day, select Device > Setup > Management and edit the Banners and Messages settings.


Task Manager

Click Tasks at the bottom of the web interface to display the tasks that you, other administrators, or PAN-OS initiated since the last firewall reboot (for example, manual commits or automatic FQDN refreshes). For each task, the Task Manager provides the information and actions described in the table below.

Some columns are hidden by default. To display or hide specific columns, open the drop-down in any column header, select Columns, and select (display) or clear (hide) the column names.

Field/Button    Description

    To filter the tasks, enter a text string based on a value in one of the columns and Apply Filter. For example, entering edl will filter the list to display only EDL Fetch (fetch external dynamic lists) tasks. To remove filtering, Remove Filter.

Type
    The type of task, such as log request, license refresh, or commit. If the information related to the task (such as warnings) is too long to fit in the Messages column, you can click the Type value to see all the details.

Status
    Indicates whether the task is pending (such as commits with Queued status), in progress (such as log requests with Active status), completed, or failed. For commits in progress, the Status indicates the percentage of completion.

Job ID
    A number that identifies the task. From the CLI, you can use the Job ID to see additional details about a task. For example, you can see the position of a commit task in the commit queue by entering:
    > show jobs id <job-id>
    This column is hidden by default.

End Time
    The date and time when the task finished. This column is hidden by default.

Start Time
    The date and time when the task started. For commit tasks, the Start Time indicates when the commit was added to the commit queue.

Messages
    Displays details about the task. If the entry indicates that there are too many messages, you can click the task Type to see the messages. For commit tasks, the Messages include the dequeued time to indicate when PAN-OS started performing the commit. To see the description an administrator entered for a commit, click Commit Description. For details, see Commit Changes.

Action
    Click x to cancel a pending commit initiated by an administrator or PAN-OS. This button is available only to administrators who have one of the following predefined roles: superuser, device administrator, virtual system administrator, or Panorama administrator.

Show
    Select the tasks you want to display:
    - All Tasks (default)
    - All tasks of a certain type (Jobs, Reports, or Log Requests)
    - All Running tasks (in progress)
    - All Running tasks of a certain type (Jobs, Reports, or Log Requests)
    (Panorama only) Use the second drop-down to display the tasks for Panorama (default) or a specific managed firewall.

Clear Commit Queue
    Cancel all pending commits initiated by administrators or PAN-OS. This button is available only to administrators who have one of the following predefined roles: superuser, device administrator, virtual system administrator, or Panorama administrator.


Language

By default, the locale (such as Spanish) of the computer from which you log in to the firewall determines the language that the web interface displays. To change the Language (bottom of the web interface), select a Language from the drop-down and click OK. The web interface then refreshes using the new language.

Alarms

An alarm is a firewall-generated message indicating that the number of events of a particular type (for example, encryption and decryption failures) has exceeded the threshold configured for that event type (see Define Alarm Settings). When generating an alarm, the firewall creates an Alarm log and opens the System Alarms dialog to display the alarm. After closing the dialog, you can reopen it any time by clicking Alarms at the bottom of the web interface. To prevent the firewall from automatically opening the dialog for a particular alarm, select Unacknowledged Alarms and click Acknowledge to move the alarms to the Acknowledged Alarms list.


Commit Changes

Click Commit at the top right of the web interface and specify an operation for pending changes to the firewall configuration: commit (activate), validate, or preview. You can filter pending changes by administrator or location and then preview, validate, and commit only those changes. The location can be specific virtual systems, shared policies and objects, or shared device and network settings.

The firewall queues commit requests so that you can initiate a new commit while a previous commit is in progress. The firewall performs the commits in the order they are initiated but prioritizes auto-commits that are initiated by the firewall (such as FQDN refreshes). However, if the queue already has the maximum number of administrator-initiated commits, you must wait for the firewall to finish processing a pending commit before initiating a new one.

Use the Task Manager to cancel commits or see details about commits that are pending, in progress, completed, or failed.

The Commit dialog displays the options described in the following table.

Field/Button    Description

Commit All Changes
    Commits all changes for which you have administrative privileges (default). You cannot manually filter the scope of the configuration changes that the firewall commits when you select this option. Instead, the administrator role assigned to the account you used to log in determines the commit scope:
    - Superuser role: The firewall commits the changes of all administrators.
    - Custom role: The privileges of the Admin Role profile assigned to your account determine the commit scope (see Device > Admin Roles). If the profile includes the privilege to Commit For Other Admins, the firewall commits changes configured by any and all administrators. If your Admin Role profile does not include the privilege to Commit For Other Admins, the firewall commits only your changes and not those of other administrators.
    If you have implemented access domains, the firewall automatically applies those domains to filter the commit scope (see Device > Access Domain). Regardless of your administrative role, the firewall commits only the configuration changes in the access domains assigned to your account.

Commit Changes Made By
    Filters the scope of the configuration changes the firewall commits. The administrative role assigned to the account you used to log in determines your filtering options:
    - Superuser role: You can limit the commit scope to changes that specific administrators made and to changes in specific locations.
    - Custom role: The privileges of the Admin Role profile assigned to your account determine your filtering options (see Device > Admin Roles). If the profile includes the privilege to Commit For Other Admins, you can limit the commit scope to changes configured by specific administrators and to changes in specific locations. If your Admin Role profile does not include the privilege to Commit For Other Admins, you can limit the commit scope only to the changes you made in specific locations.
    Filter the commit scope as follows:
    - Filter by administrator: Even if your role allows committing the changes of other administrators, the commit scope includes only your changes by default. To add other administrators to the commit scope, click the <usernames> link, select the administrators, and click OK.
    - Filter by location: Select the specific locations for changes to Include in Commit.
    If you have implemented access domains, the firewall automatically filters the commit scope based on those domains (see Device > Access Domain). Regardless of your administrative role and your filtering choices, the commit scope includes only the configuration changes in the access domains assigned to your account.
    Note: After you load a configuration (Device > Setup > Operations), you must Commit All Changes.
    Note: When you commit changes to a virtual system, you must include the changes of all administrators who added, deleted, or repositioned rules for the same rulebase in that virtual system.

Commit Scope
    Lists the locations that have changes to commit. Whether the list includes all changes or a subset of the changes depends on several factors, as described for Commit All Changes and Commit Changes Made By. The locations can be any of the following:
    - shared-object: Settings that are defined in the Shared location.
    - policy-and-objects: Policy rules or objects that are defined on a firewall that does not have multiple virtual systems.
    - device-and-network: Network and device settings that are global (such as Interface Management profiles) and not specific to a virtual system. This also applies to network and device settings on a firewall that does not have multiple virtual systems.
    - <virtual-system>: The name of the virtual system in which policy rules or objects are defined on a firewall that has multiple virtual systems. This also includes network and device settings that are specific to a virtual system (such as zones).

Location Type
    This column categorizes the locations of pending changes:
    - Virtual Systems: Settings that are defined in a specific virtual system.
    - Other Changes: Settings that are not specific to a virtual system (such as shared objects).

Include in Commit (partial commit only)
    Enables you to select the changes you want to commit. By default, all changes within the Commit Scope are selected. This column displays only after you choose to Commit Changes Made By specific administrators.
    Note: There might be dependencies that affect the changes you include in a commit. For example, if you add an object and another administrator then edits that object, you cannot commit the change for the other administrator without also committing your own change.

Group by Location Type
    Groups the list of configuration changes in the Commit Scope by Location Type.

Preview Changes
    Enables you to compare the configurations you selected in the Commit Scope to the running configuration. The preview window uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
    To help you match the changes to sections of the web interface, you can configure the preview window to display Lines of Context before and after each change. These lines are from the files of the candidate and running configurations that you are comparing.
    Note: Because the preview results display in a new browser window, your browser must allow pop-ups. If the preview window does not open, refer to your browser documentation for the steps to allow pop-ups.

Change Summary
    Lists the individual settings for which you are committing changes. The Change Summary list displays the following information for each setting:
    - Object Name: The name that identifies the policy, object, network setting, or device setting.
    - Type: The type of setting (such as Address, Security rule, or Zone).
    - Location Type: Indicates whether the setting is defined in Virtual Systems.
    - Location: The name of the virtual system where the setting is defined. The column displays Shared for settings that are not specific to a virtual system.
    - Operations: Indicates every operation (create, edit, or delete) performed on the setting since the last commit.
    - Owner: The administrator who made the last change to the setting.
    - Will Be Committed: Indicates whether the commit currently includes the setting.
    - Previous Owners: Administrators who made changes to the setting before the last change.
    Optionally, you can Group By column name (such as Type).

Validate Commit
    Validates whether the firewall configuration has correct syntax and is semantically complete. The output includes the same errors and warnings that a commit would display, including rule shadowing and application dependency warnings. The validation process enables you to find and fix errors before you commit (it makes no changes to the running configuration). This is useful if you have a fixed commit window and want to be sure the commit will succeed without errors.

Description
    Allows you to enter a description (up to 512 characters) to help other administrators understand what changes you made.
    Note: The System log for a commit event will truncate descriptions longer than 512 characters.

Commit
    Starts the commit or, if other commits are pending, adds your commit to the commit queue.
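The following is an added example, not code from this guide or from Palo Alto Networks. It models two rules from the Commit Changes table in plain Python: the commit scope is limited to the access domains (locations) assigned to the committing account, and a partial commit cannot include a change without the earlier changes to the same object it depends on (the Include in Commit note: an edit by one administrator of an object another administrator created since the last commit pulls that creation in). The Change record layout, the location names, the administrator names, and the pending changes are all constructed for this example; the real firewall tracks these dependencies internally.

```python
"""Compute the set of changes a partial commit must include.

Added example, not part of the PAN-OS guide and not Palo Alto Networks code.
All Change records in PENDING and the administrator names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    seq: int        # order since the last commit (lower = earlier)
    obj: str        # object name, e.g. an address object or a rule
    location: str   # vsys1, shared-object, device-and-network, ...
    owner: str      # administrator who made the change
    op: str         # create, edit or delete


# Constructed pending changes (not real firewall data).
PENDING = [
    Change(1, "web-servers", "vsys1", "alice", "create"),
    Change(2, "web-servers", "vsys1", "bob", "edit"),
    Change(3, "allow-web", "vsys1", "bob", "create"),
    Change(4, "mgmt-profile", "device-and-network", "carol", "edit"),
    Change(5, "dns-servers", "shared-object", "alice", "edit"),
    Change(6, "dns-servers", "shared-object", "bob", "edit"),
]


def in_scope(changes, access_domains):
    """Access-domain filter: keep only changes in locations the account may commit.

    `access_domains` is None when no access domains are implemented, in which
    case every change is in scope.
    """
    if access_domains is None:
        return list(changes)
    return [c for c in changes if c.location in access_domains]


def commit_set(changes, selected_admins, access_domains=None):
    """Return the changes that must be committed, sorted by sequence.

    Starts from the changes made by `selected_admins` and repeatedly adds
    every earlier change to the same object in the same location, so the
    result is closed under the dependency rule. Changes outside the access
    domains are never added, even when a dependency points at them.
    """
    scoped = in_scope(changes, access_domains)
    chosen = {c for c in scoped if c.owner in selected_admins}
    while True:
        extra = {
            d for c in chosen for d in scoped
            if d.obj == c.obj and d.location == c.location and d.seq < c.seq
        } - chosen
        if not extra:
            break
        chosen |= extra
    return sorted(chosen, key=lambda c: c.seq)


def pulled_in(changes, selected_admins, access_domains=None):
    """Changes by other administrators that the dependency rule adds."""
    return [c for c in commit_set(changes, selected_admins, access_domains)
            if c.owner not in selected_admins]


if __name__ == "__main__":
    for c in commit_set(PENDING, {"bob"}):
        print(c)
    print("pulled in:", pulled_in(PENDING, {"bob"}))
```

Selecting only bob's changes pulls in alice's creation of web-servers and her earlier edit of dns-servers; restricting the account to an access domain of vsys1 drops the shared-object changes from the result entirely.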


Save Candidate Configurations

Select Config > Save Changes at the top right of the firewall or Panorama web interface to save a new snapshot file of the candidate configuration or to overwrite an existing configuration file. If the firewall or Panorama reboots before you commit your changes, you can then revert the candidate configuration to the saved snapshot to restore changes you made after the last commit. To revert to the snapshot, select Device > Setup > Operations and Load named configuration snapshot. If you don't revert to the snapshot after a reboot, the candidate configuration will be the same as the last committed configuration (the running configuration).

You can filter which configuration changes to save based on administrator or location. The location can be specific virtual systems, shared policies and objects, or shared device and network settings.

Note: You should periodically save your changes so that you don't lose them if the firewall or Panorama reboots.

Saving your changes to the candidate configuration does not activate those changes; you must Commit Changes to activate them.

The Save Changes dialog displays the options described in the following table:

Field/Button    Description

Save All Changes
    Saves all changes for which you have administrative privileges (default). You cannot manually filter the scope of the configuration changes that the firewall saves when you select this option. Instead, the administrator role assigned to the account you used to log in determines the save scope:
    - Superuser role: The firewall saves the changes of all administrators.
    - Custom role: The privileges of the Admin Role profile assigned to your account determine the save scope (see Device > Admin Roles). If the profile includes the privilege to Save For Other Admins, the firewall saves changes configured by any and all administrators. If your Admin Role profile does not include the privilege to Save For Other Admins, the firewall saves only your changes and not those of other administrators.
    If you have implemented access domains, the firewall automatically applies those domains to filter the save scope (see Device > Access Domain). Regardless of your administrative role, the firewall saves only the configuration changes in the access domains assigned to your account.

Save Changes Made By
    Filters the scope of the configuration changes the firewall saves. The administrative role assigned to the account you used to log in determines your filtering options:
    - Superuser role: You can limit the save scope to changes that specific administrators made and to changes in specific locations.
    - Custom role: The privileges of the Admin Role profile assigned to your account determine your filtering options (see Device > Admin Roles). If the profile includes the privilege to Save For Other Admins, you can limit the save scope to changes configured by specific administrators and to changes in specific locations. If your Admin Role profile does not include the privilege to Save For Other Admins, you can limit the save scope only to the changes you made in specific locations.
    Filter the save scope as follows:
    - Filter by administrator: Even if your role allows saving the changes of other administrators, the save scope includes only your changes by default. To add other administrators to the save scope, click the <usernames> link, select the administrators, and click OK.
    - Filter by location: Select changes in specific locations to Include in Save.
    If you have implemented access domains, the firewall automatically filters the save scope based on those domains (see Device > Access Domain). Regardless of your administrative role and your filtering choices, the save scope includes only the configuration changes in the access domains assigned to your account.

Save Scope
    Lists the locations that have changes to save. Whether the list includes all changes or a subset of the changes depends on several factors, as described for the Save All Changes and Save Changes Made By options. The locations can be any of the following:
    - shared-object: Settings that are defined in the Shared location.
    - policy-and-objects (firewall only): Policy rules or objects that are defined on a firewall that does not have multiple virtual systems.
    - device-and-network (firewall only): Network and device settings that are global (such as Interface Management profiles) and not specific to a virtual system.
    - <virtual-system> (firewall only): The name of the virtual system in which policy rules or objects are defined on a firewall that has multiple virtual systems. This also includes network and device settings that are specific to a virtual system (such as zones).
    - <device-group> (Panorama only): The name of the device group in which the policy rules or objects are defined.
    - <template> (Panorama only): The name of the template or template stack in which the settings are defined.
    - <log-collector-group> (Panorama only): The name of the Collector Group in which the settings are defined.
    - <log-collector> (Panorama only): The name of the Log Collector in which the settings are defined.

Location Type
    This column categorizes the locations where the changes were made:
    - Virtual Systems (firewall only): Settings that are defined in a specific virtual system.
    - Device Groups (Panorama only): Settings that are defined in a specific device group.
    - Templates (Panorama only): Settings that are defined in a specific template or template stack.
    - Collector Groups (Panorama only): Settings that are specific to a Collector Group configuration.

Include in Save (partial save only)
    Enables you to select the changes you want to save. By default, all changes within the Save Scope are selected. This column displays only after you choose to Save Changes Made By specific administrators.
    Note: There might be dependencies that affect the changes you include in a save. For example, if you add an object and another administrator then edits that object, you cannot save the change for the other administrator without also saving your own change.

Group by Location Type
    Groups the list of configuration changes in the Save Scope by Location Type.

Preview Changes
    Enables you to compare the configurations you selected in the Save Scope to the running configuration. The preview window uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
    To help you match the changes to sections of the web interface, you can configure the preview window to display Lines of Context before and after each change. These lines are from the files of the candidate and running configurations that you are comparing.
    Note: Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.

Change Summary
    Lists the individual settings for which you are saving changes. The Change Summary list displays the following information for each setting:
    - Object Name: The name that identifies the policy, object, network setting, or device setting.
    - Type: The type of setting (such as Address, Security rule, or Zone).
    - Location Type: Indicates whether the setting is defined in Virtual Systems.
    - Location: The name of the virtual system where the setting is defined. The column displays Shared for settings that are not specific to a virtual system.
    - Operations: Indicates every operation (create, edit, or delete) performed on the setting since the last commit.
    - Owner: The administrator who made the last change to the setting.
    - Will Be Saved: Indicates whether the save operation will include the setting.
    - Previous Owners: Administrators who made changes to the setting before the last change.
    Optionally, you can Group By column name (such as Type).

Save
    Saves the selected changes to a configuration snapshot file:
    - If you selected Save All Changes, the firewall overwrites the default configuration snapshot file (.snapshot.xml).
    - If you selected Save Changes Made By, specify the Name of a new or existing configuration file, and click OK.
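The following is an added example, not code from this guide or from Palo Alto Networks. It reproduces the behaviour that the Preview Changes rows of both the Commit Changes and the Save Changes tables describe: compare the candidate configuration with the running configuration, report each change as an addition, a modification, or a deletion (the preview window's green, yellow, and red), and surround each change with a configurable number of Lines of Context taken from the running file. The firewall compares its own configuration files; here the two files are stand-ins made of constructed set-style configuration lines, chosen so that every line is distinct and the diff stays readable. The mapping of difflib opcodes onto the three colours is this example's own choice.

```python
"""Preview candidate vs. running configuration with lines of context.

Added example, not part of the PAN-OS guide and not Palo Alto Networks code.
RUNNING and CANDIDATE are constructed configuration fragments, not firewall
output; the opcode-to-colour mapping in KIND is this example's assumption.
"""
import difflib

RUNNING = """\
set address web-servers ip-netmask 10.1.10.0/24
set address db-servers ip-netmask 10.1.11.0/24
set address old-proxy ip-netmask 10.1.20.5
set service tcp-8443 protocol tcp port 8443
set rulebase security rules allow-web from trust
set rulebase security rules allow-web to untrust
set rulebase security rules allow-web action allow
"""

CANDIDATE = """\
set address web-servers ip-netmask 10.1.10.0/23
set address db-servers ip-netmask 10.1.11.0/24
set service tcp-8443 protocol tcp port 8443
set service tcp-9443 protocol tcp port 9443
set rulebase security rules allow-web from trust
set rulebase security rules allow-web to untrust
set rulebase security rules allow-web action allow
"""

# difflib opcode -> preview colour category (green / yellow / red)
KIND = {"insert": "addition", "replace": "modification", "delete": "deletion"}


def preview_changes(running, candidate, lines_of_context=1):
    """Return one dict per change: kind, old/new lines, and context lines.

    Context lines (`before` / `after`) are taken from the running
    configuration, clipped at the start and end of the file.
    """
    old = running.splitlines()
    new = candidate.splitlines()
    sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    hunks = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            continue
        hunks.append({
            "kind": KIND[tag],
            "before": old[max(0, i1 - lines_of_context):i1],
            "old": old[i1:i2],
            "new": new[j1:j2],
            "after": old[i2:i2 + lines_of_context],
        })
    return hunks


def count_by_kind(hunks):
    """How many additions, modifications, and deletions the preview contains."""
    counts = {"addition": 0, "modification": 0, "deletion": 0}
    for h in hunks:
        counts[h["kind"]] += 1
    return counts


def render(hunks):
    """Plain-text rendering: '-' removed line, '+' added line, ' ' context."""
    out = []
    for h in hunks:
        out.append(f"== {h['kind']} ==")
        out.extend(" " + line for line in h["before"])
        out.extend("-" + line for line in h["old"])
        out.extend("+" + line for line in h["new"])
        out.extend(" " + line for line in h["after"])
    return "\n".join(out)


if __name__ == "__main__":
    print(render(preview_changes(RUNNING, CANDIDATE, lines_of_context=1)))
```

On the sample the preview yields exactly one hunk of each kind: the web-servers mask change is a modification, old-proxy is a deletion, and tcp-9443 is an addition; raising Lines of Context to 2 widens the context around the first hunk to include the old-proxy line that the second hunk removes.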


Revert Changes

Select Config > Revert Changes at the top right of the firewall or Panorama web interface to undo changes made to the candidate configuration since the last commit. Reverting changes restores the settings to the values of the running configuration. You can filter which configuration changes to revert based on administrator or location. The location can be specific virtual systems, shared policies and objects, or shared device and network settings.

You cannot revert changes until the firewall or Panorama finishes processing all commits that are pending or in progress. After you initiate the revert process, the firewall or Panorama automatically locks the candidate and running configurations so that other administrators cannot edit settings or commit changes. After completing the revert process, the firewall or Panorama automatically removes the lock.

The Revert Changes dialog displays the options described in the following table:

Field/Button Description

Revert All Changes
Reverts all changes for which you have administrative privileges (default). You cannot manually filter the scope of the configuration changes that the firewall reverts when you select this option. Instead, the administrator role assigned to the account you used to log in determines the revert scope:
- Superuser role: The firewall reverts the changes of all administrators.
- Custom role: The privileges of the Admin Role profile assigned to your account determine the revert scope (see Device > Admin Roles). If the profile includes the privilege to Commit For Other Admins, the firewall reverts changes configured by any and all administrators. If your Admin Role profile does not include the privilege to Commit For Other Admins, the firewall reverts only your changes and not those of other administrators.
In Admin Role profiles, the privileges for committing also apply to reverting.

If you implemented access domains, the firewall automatically applies those domains to filter the revert scope (see Device > Access Domain). Regardless of your administrative role, the firewall reverts only the configuration changes in the access domains assigned to your account.

Revert Changes Made By
Filters the scope of configuration changes that the firewall reverts. The administrative role assigned to the account you used to log in determines your filtering options:
- Superuser role: You can limit the revert scope to changes that specific administrators made and to changes in specific locations.
- Custom role: The privileges of the Admin Role profile assigned to your account determine your filtering options (see Device > Admin Roles). If the profile includes the privilege to Commit For Other Admins, you can limit the revert scope to changes configured by specific administrators and to changes in specific locations. If your Admin Role profile does not include the privilege to Commit For Other Admins, you can limit the revert scope only to the changes you made in specific locations.
Filter the revert scope as follows:
- Filter by administrator: Even if your role allows reverting the changes of other administrators, the revert scope includes only your changes by default. To add other administrators to the revert scope, click the <usernames> link, select the administrators, and click OK.
- Filter by location: Select the changes in specific locations to Include in Revert.
If you have implemented access domains, the firewall automatically filters the revert scope based on those domains (see Device > Access Domain). Regardless of your administrative role and your filtering choices, the revert scope includes only the configuration changes in the access domains assigned to your account.

Revert Scope
Lists the locations that have changes to revert. Whether the list includes all changes or a subset of the changes depends on several factors, as described for the Revert All Changes and Revert Changes Made By options. The locations can be any of the following:
- shared-object: Settings that are defined in the Shared location.
- policy-and-objects (firewall only): Policy rules or objects that are defined on a firewall that does not have multiple virtual systems.
- device-and-network (firewall only): Network and device settings that are global (such as Interface Management profiles) and not specific to a virtual system.
- <virtual-system> (firewall only): The name of the virtual system in which policy rules or objects are defined on a firewall that has multiple virtual systems. This also includes network and device settings that are specific to a virtual system (such as zones).
- <device-group> (Panorama only): The name of the device group in which the policy rules or objects are defined.
- <template> (Panorama only): The name of the template or template stack in which the settings are defined.
- <log-collector-group> (Panorama only): The name of the Collector Group in which the settings are defined.
- <log-collector> (Panorama only): The name of the Log Collector in which the settings are defined.

Location Type
This column categorizes the locations where the changes were made:
- Virtual Systems (firewall only): Settings that are defined in a specific virtual system.
- Device Group (Panorama only): Settings that are defined in a specific device group.
- Template (Panorama only): Settings that are defined in a specific template or template stack.
- Log Collector Group (Panorama only): Settings that are specific to a Collector Group configuration.
- Log Collector (Panorama only): Settings that are specific to a Log Collector configuration.
- Other Changes: Settings that are not specific to any of the preceding configuration areas (such as shared objects).

Include in Revert (partial revert only)
Enables you to select the changes you want to revert. By default, all changes within the Revert Scope are selected. This column displays only after you choose to Revert Changes Made By specific administrators.
There might be dependencies that affect the changes you include in a revert. For example, if you add an object and another administrator then edits that object, you cannot revert your change without also reverting the change made by the other administrator.

Group by Location Type
Lists the configuration changes in the Revert Scope by Location Type.

Preview Changes
Enables you to compare the configurations you selected in the Revert Scope to the running configuration. The preview window uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
To help you match the changes to sections of the web interface, you can configure the preview window to display Lines of Context before and after each change. These lines are from the files of the candidate and running configurations that you are comparing.
Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.

Change Summary
Lists the individual settings for which you are reverting changes. The Change Summary list displays the following information for each setting:
- Object Name: The name that identifies the policy, object, network setting, or device setting.
- Type: The type of setting (such as Address, Security rule, or Zone).
- Location Type: Indicates whether the setting is defined in Virtual Systems.
- Location: The name of the virtual system where the setting is defined. The column displays Shared for settings that are not specific to a virtual system.
- Operations: Indicates every operation (create, edit, or delete) performed on the setting since the last commit.
- Owner: The administrator who made the last change to the setting.
- Will Be Reverted: Indicates whether the revert operation will include the setting.
- Previous Owners: Administrators who made changes to the setting before the last change.
Optionally, you can Group By column name (such as Type).

Revert
Reverts the selected changes.
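The revert-scope rules above (role, the Commit For Other Admins privilege, access domains, the Revert Changes Made By filter, and the dependency note) combine in ways that are easy to misjudge when several administrators are editing at once. The following Python model is an added example, not PAN-OS code and not taken from this guide: it applies those rules to a constructed list of pending changes and reports which would be reverted and which are blocked. Administrator names, locations and object names are constructed, access domains are modelled simply as a set of location names the account may touch, and the Will Be Reverted outcome for a change whose later edit by another administrator lies outside the role's reach is the model's reading of the dependency note.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """One uncommitted change, numbered in the order it was made since the last commit."""
    seq: int
    owner: str        # administrator who made the change
    location: str     # shared-object, device-and-network, <virtual-system>, ...
    object_name: str  # the policy, object, network or device setting touched
    operation: str    # create, edit or delete


@dataclass(frozen=True)
class Admin:
    name: str
    superuser: bool = False
    commit_for_other_admins: bool = False    # Admin Role profile privilege
    access_domains: frozenset = frozenset()  # empty: no access domains configured


def revert_scope(admin, changes, revert_all=True, include_admins=(), locations=None):
    """Return (reverted, blocked).

    reverted: changes the revert removes, in the order they were made.
    blocked:  selected changes that cannot be reverted because a later change to
              the same object was made by an administrator whose changes this
              account's role does not allow it to revert.
    """
    may_revert_others = admin.superuser or admin.commit_for_other_admins

    def permitted(change):
        if change.owner != admin.name and not may_revert_others:
            return False
        # Access domains bound the scope regardless of role (modelling assumption:
        # an access domain is a set of location names).
        if admin.access_domains and change.location not in admin.access_domains:
            return False
        return True

    if revert_all:
        # Revert All Changes: everything the role permits, no manual filter.
        selected = [c for c in changes if permitted(c)]
    else:
        # Revert Changes Made By: only your own changes unless you add others,
        # optionally narrowed to specific locations.
        owners = {admin.name, *include_admins}
        selected = [c for c in changes if permitted(c) and c.owner in owners
                    and (locations is None or c.location in locations)]

    # Dependency rule: a change to an object cannot be reverted without also
    # reverting every later change to that object.
    changes_by_object = {}
    for c in sorted(changes, key=lambda c: c.seq):
        changes_by_object.setdefault((c.location, c.object_name), []).append(c)

    reverted, blocked = set(), set()
    for c in selected:
        later = [d for d in changes_by_object[(c.location, c.object_name)] if d.seq > c.seq]
        if all(permitted(d) for d in later):
            reverted.add(c)
            reverted.update(later)
        else:
            blocked.add(c)
    by_seq = lambda c: c.seq
    return sorted(reverted, key=by_seq), sorted(blocked, key=by_seq)


# Constructed pending changes: bob edited the address object alice created.
CHANGES = [
    Change(1, "alice", "vsys1", "web-servers", "create"),
    Change(2, "bob", "vsys1", "web-servers", "edit"),
    Change(3, "alice", "vsys2", "allow-dns", "create"),
    Change(4, "bob", "shared-object", "corp-dns", "edit"),
]

if __name__ == "__main__":
    alice = Admin("alice")  # custom role without Commit For Other Admins
    reverted, blocked = revert_scope(alice, CHANGES)
    print("alice reverts", [c.seq for c in reverted], "blocked", [c.seq for c in blocked])
```

Run as a script, the model shows that alice's own create of web-servers is blocked because bob's later edit is outside her role, while her allow-dns change reverts cleanly; a superuser reverting all changes takes every pending change with it.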

Lock Configurations

To help you coordinate configuration tasks with other firewall administrators during concurrent login sessions, the web interface enables you to apply a configuration or commit lock so that other administrators cannot change the configuration or commit changes until the lock is removed.
At the top right of the web interface, a locked padlock icon indicates that one or more locks are set (with the number of locks in parentheses); an unlocked padlock icon indicates that no locks are set. Clicking either padlock opens the Locks dialog, which provides the following options and fields.

To configure the firewall to automatically set a commit lock whenever an administrator changes the candidate configuration, select Device > Setup > Management, edit the General Settings, enable Automatically Acquire Commit Lock, and then click OK and Commit.
When you revert changes (Config > Revert Changes), the firewall automatically locks the candidate and running configuration so that other administrators cannot edit settings or commit changes. After completing the revert process, the firewall automatically removes the lock.

Admin
The username of the administrator who set the lock.

Location
On a firewall with more than one virtual system (vsys), the scope of the lock can be a specific vsys or the Shared location.

Type
The lock type can be:
- Config Lock: Blocks other administrators from changing the candidate configuration. Only a superuser or the administrator who set the lock can remove it.
- Commit Lock: Blocks other administrators from committing changes made to the candidate configuration. The commit queue does not accept new commits until all locks are released. This lock prevents collisions that can occur when multiple administrators make changes during concurrent login sessions and one administrator finishes and initiates a commit before the other administrators have finished. The firewall automatically removes the lock after completing the commit for which the administrator set the lock. A superuser or the administrator who set the lock can also manually remove it.

Comment
Enter up to 256 characters of text. This is useful for other administrators who want to know the reason for the lock.

Created At
The date and time when an administrator set the lock.

Logged In
Indicates whether the administrator who set the lock is currently logged in.

Take a Lock
To set a lock, Take a Lock, select the Type, select the Location (multiple virtual system firewalls only), enter optional Comments, click OK, and then Close.

Remove Lock
To release a lock, select it, Remove Lock, click OK, and then Close.
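The lock semantics in the table (config lock versus commit lock, who may remove a lock, the commit queue refusing commits while another administrator holds a commit lock, automatic release after the commit, and the Automatically Acquire Commit Lock setting) are worth seeing as one state machine. The following Python model is an added example, not firewall code and not from this guide. Administrator and vsys names and comments are constructed; the rule that a Shared lock overlaps every vsys while a vsys lock overlaps only that vsys and Shared is an assumption of the model, not a statement from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


class LockError(PermissionError):
    """Raised when a lock held by another administrator blocks the action."""


@dataclass
class Lock:
    admin: str
    kind: str          # "config" or "commit"
    location: str      # "shared" or a vsys name on a multi-vsys firewall
    comment: str = ""  # free text, 256 characters at most
    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class LockTable:
    def __init__(self, superusers=(), auto_acquire_commit_lock=False):
        self.superusers = set(superusers)
        self.auto_acquire = auto_acquire_commit_lock  # Device > Setup > Management setting
        self.locks = []

    def take(self, admin, kind, location="shared", comment=""):
        if kind not in ("config", "commit"):
            raise ValueError(f"unknown lock type {kind!r}")
        if len(comment) > 256:
            raise ValueError("lock comment is limited to 256 characters")
        lock = Lock(admin, kind, location, comment)
        self.locks.append(lock)
        return lock

    def remove(self, admin, lock):
        """Only a superuser or the administrator who set the lock may remove it."""
        if admin != lock.admin and admin not in self.superusers:
            raise LockError(f"{admin} may not remove the {lock.kind} lock set by {lock.admin}")
        self.locks.remove(lock)

    def _others_holding(self, admin, kind, location):
        # Modelling assumption: a lock on Shared overlaps every vsys, and a
        # vsys lock overlaps only that vsys and Shared.
        return [l for l in self.locks
                if l.kind == kind and l.admin != admin
                and (l.location == location or "shared" in (l.location, location))]

    def edit_candidate(self, admin, location="shared"):
        """Attempt a candidate-configuration change on behalf of admin."""
        if self._others_holding(admin, "config", location):
            raise LockError(f"{admin} cannot edit {location}: config lock held by another administrator")
        if self.auto_acquire and not any(l.admin == admin and l.kind == "commit" for l in self.locks):
            self.take(admin, "commit", location, "auto-acquired on candidate change")
        return True

    def commit(self, admin):
        """The commit queue accepts the commit only if no other administrator holds a
        commit lock; completing the commit releases the committer's own commit locks."""
        if any(l.kind == "commit" and l.admin != admin for l in self.locks):
            raise LockError(f"{admin} cannot commit: commit lock held by another administrator")
        self.locks = [l for l in self.locks if not (l.kind == "commit" and l.admin == admin)]
        return True

    def held(self):
        """Rows of the Locks dialog: Admin, Type, Location, Comment."""
        return [(l.admin, l.kind, l.location, l.comment) for l in self.locks]


if __name__ == "__main__":
    table = LockTable(superusers={"admin"}, auto_acquire_commit_lock=True)
    table.edit_candidate("alice", "vsys1")   # alice now holds a commit lock
    print(table.held())
    try:
        table.commit("bob")
    except LockError as err:
        print(err)
```

The auto-acquire case is the one to notice: the first administrator to touch the candidate configuration blocks everyone else's commit until their own commit completes, which is exactly the collision-avoidance the Commit Lock description promises, and also why a forgotten auto-acquired lock is a common reason a commit "hangs" for a colleague.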

Global Find

Global Find enables you to search the candidate configuration on a firewall or on Panorama for a particular string, such as an IP address, object name, policy name, threat ID, or application name. The search results are grouped by category and provide links to the configuration location in the web interface so that you can easily find all of the places where the string exists or is referenced.
To launch Global Find, click the Search icon on the upper right side of the web interface. Global Find is available from all web interface pages and locations. The following is a list of Global Find features to help you perform successful searches:
- If you initiate a search on a firewall that has multiple virtual systems enabled or if administrative roles are defined, Global Find will return results only for areas of the firewall for which you have permission to access. The same applies to Panorama device groups; you will see search results only for device groups to which you have administrative access.
- Spaces in search text are handled as AND operations. For example, if you search on corp policy, both corp and policy must exist in the configuration item for it to be included in the search results.
- To find an exact phrase, surround the phrase in quotes.
- To rerun a previous search, click Global Find and a list of the last 20 searches is displayed. Click any item in the list to rerun that search. The search history list is unique to each administrative account.
Global Find is available for each field that is searchable. For example, in the case of a security policy, you can search on the following fields: Name, Tags, Zone, Address, User, HIP Profile, Application, and Service. To perform a search, click the drop-down next to any of these fields and click Global Find. For example, if you click Global Find on a zone named l3-vlan-trust, Global Find will search the entire configuration for that zone name and return results for each location where the zone is referenced. The search results are grouped by category and you can hover over any item to view details or you can click an item to navigate to the configuration page for that item.
Global Find does not search dynamic content that the firewall allocates to users (such as logs, address ranges, or individual DHCP addresses). In the case of DHCP, you can search on a DHCP server attribute, such as the DNS entry, but you cannot search for individual addresses issued to users. Another example is usernames that the firewall collects when you enable the User-ID feature. In this case, a username or user group that exists in the User-ID database is only searchable if the name or group exists in the configuration, such as when a user group name is defined in a policy. In general, you can only search for content that the firewall writes to the configuration.
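The search semantics described above (unquoted words ANDed, a quoted phrase matched exactly, results grouped by category and limited to the areas the account may see, and a zone name found everywhere it is referenced) can be reproduced offline against an exported configuration. The following Python example is added here and is not the firewall's implementation; the candidate configuration it searches is a constructed, cut-down XML fragment in the general shape of a PAN-OS config, and its element names are illustrative rather than a real export.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, cut-down candidate configuration (illustrative element names).
CANDIDATE_CONFIG = """
<config>
  <shared>
    <address>
      <entry name="corp-dns"><ip-netmask>10.1.1.53/32</ip-netmask></entry>
    </address>
  </shared>
  <vsys>
    <entry name="vsys1">
      <zone>
        <entry name="l3-vlan-trust">
          <network><layer3><member>ethernet1/1</member></layer3></network>
        </entry>
      </zone>
      <address>
        <entry name="web-servers"><ip-range>10.1.2.10-10.1.2.20</ip-range></entry>
      </address>
      <rulebase><security><rules>
        <entry name="corp policy allow-dns">
          <from><member>l3-vlan-trust</member></from>
          <to><member>l3-vlan-untrust</member></to>
          <destination><member>corp-dns</member></destination>
          <action>allow</action>
        </entry>
        <entry name="block-policy">
          <from><member>l3-vlan-trust</member></from>
          <to><member>any</member></to>
          <destination><member>any</member></destination>
          <action>deny</action>
        </entry>
      </rules></security></rulebase>
    </entry>
  </vsys>
</config>
"""


def parse_query(text):
    """Split a query into search terms: a quoted string is one exact phrase,
    unquoted words are separate terms, and every term must match (AND)."""
    terms = []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', text):
        term = (quoted or bare).strip().lower()
        if term:
            terms.append(term)
    return terms


def _index(root):
    """Yield (location, category, name, searchable text) for each named entry."""
    parent = {child: p for p in root.iter() for child in p}
    for el in root.iter("entry"):
        if parent[el].tag == "vsys":
            continue  # the vsys container is a location, not a configuration item
        location, node = "shared", el
        while node in parent:
            node = parent[node]
            if node.tag == "entry" and node in parent and parent[node].tag == "vsys":
                location = node.get("name")
                break
        words = [el.get("name", "")] + [t.strip() for t in el.itertext() if t.strip()]
        yield location, parent[el].tag, el.get("name"), " ".join(words).lower()


def global_find(query, config_xml=CANDIDATE_CONFIG, allowed_locations=None):
    """Return {category: [(location, item name), ...]} for items matching query.
    allowed_locations models role/vsys permissions: items elsewhere are hidden."""
    terms = parse_query(query)
    if not terms:
        return {}
    results = {}
    for location, category, name, text in _index(ET.fromstring(config_xml.strip())):
        if allowed_locations is not None and location not in allowed_locations:
            continue
        if all(term in text for term in terms):
            results.setdefault(category, []).append((location, name))
    return results


if __name__ == "__main__":
    for q in ("corp policy", '"corp policy"', "l3-vlan-trust", "10.1.1.53"):
        print(q, "->", global_find(q))
```

Searching for l3-vlan-trust returns the zone itself and both rules that reference it, which is the behaviour the page describes for a zone name; the allowed_locations argument shows how a vsys-restricted account stops seeing the Shared address object even when the rule that references it is still visible.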
Looking for more? Learn more about using Global Find to search the firewall or Panorama configuration.

Threat Details

Monitor > Logs > Threat
ACC > Threat Activity
Objects > Security Profiles > Anti-Spyware/Vulnerability Protection
Use the Threat Details dialog to learn more about the threat signatures with which the firewall is equipped and the events that trigger those signatures. Threat details are provided for:
- Threat logs that record the threats that the firewall detects (Monitor > Logs > Threat)
- The top threats found in your network (ACC > Threat Activity)
- Threat signatures that you want to modify or exclude from enforcement (Objects > Security Profiles > Anti-Spyware/Vulnerability Protection)
When you find a threat signature you want to learn more about, hover over the Threat Name or the threat ID and click Exception to review the threat details. The threat details allow you to easily check whether a threat signature is configured as an exception to your security policy and to find the latest Threat Vault information about a specific threat. The Palo Alto Networks Threat Vault database is integrated with the firewall, allowing you to view expanded details about threat signatures in the firewall context or launch a Threat Vault search in a new browser window for a logged threat.
Depending on the type of threat you're reviewing, the details include all or some of the threat details described in the following table.

Name
Threat signature name.

ID
Unique threat signature ID. Select View in Threat Vault to open a Threat Vault search in a new browser window and look up the latest information that the Palo Alto Networks threat database has for this signature. The Threat Vault entry for the threat signature might include additional details, including the first and last content releases to include updates to the signature and the minimum PAN-OS version required to support the signature.

Description
Information about the threat that triggers the signature.

Severity
The threat severity level: informational, low, medium, high, or critical.

CVE
Publicly known security vulnerabilities associated with the threat. The Common Vulnerabilities and Exposures (CVE) identifier is the most useful identifier for finding information about unique vulnerabilities, as vendor-specific IDs commonly encompass multiple vulnerabilities.

Bugtraq ID
The Bugtraq ID associated with the threat.

Vendor ID
The vendor-specific identifier for a vulnerability. For example, MS16-148 is the vendor ID for one or more Microsoft vulnerabilities and APSB16-39 is the vendor ID for one or more Adobe vulnerabilities.

Reference
Research sources you can use to learn more about the threat.

Exempt Profiles
Security profiles that define a different enforcement action for the threat signature than the default signature action. The threat exception is only active when exempt profiles are attached to a security policy rule (check if the exception is Used in current security rule).

Used in current security rule
Active threat exceptions. A check mark in this column indicates that the firewall is actively enforcing the threat exception (the Exempt Profiles that define the threat exception are attached to a security policy rule). If this column is clear, the firewall is enforcing the threat based only on the recommended default signature action.

Exempt IP Addresses
You can add an IP address on which to filter the threat exception or view existing Exempt IP Addresses. This option enforces a threat exception only when the associated session has either a source or destination IP address that matches the exempt IP address. For all other sessions, the threat is enforced based on the default signature action.
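The three exception fields above interact: an exempt profile changes nothing until it is attached to a rule, and an exempt IP address narrows the exception to sessions whose source or destination matches. The following Python model is an added example, not firewall code and not from this guide; it evaluates the action the firewall would take for one session under those rules. The threat ID, profile and rule names, and addresses are constructed, and the model generalizes slightly by letting a rule carry a tuple of attached profiles, checked in order.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class ThreatException:
    action: str             # override action, e.g. "alert" or "allow"
    exempt_ips: tuple = ()  # empty tuple: the exception applies to every session


@dataclass
class SecurityProfile:
    name: str
    exceptions: dict        # threat ID -> ThreatException


@dataclass
class SecurityRule:
    name: str
    profiles: tuple = ()    # names of security profiles attached to the rule


def exempt_profiles(threat_id, profiles, rules):
    """Rows of the Exempt Profiles / Used in current security rule columns:
    (profile name, True if that profile is attached to a security rule)."""
    return [(p.name, any(p.name in r.profiles for r in rules))
            for p in profiles.values() if threat_id in p.exceptions]


def effective_action(threat_id, default_action, src, dst, rule, profiles):
    """Action applied to a session that matched `rule` and triggered `threat_id`,
    with the reason, mirroring the default-vs-exception logic in the table."""
    for name in rule.profiles:
        exc = profiles[name].exceptions.get(threat_id)
        if exc is None:
            continue  # this profile does not override the signature
        if exc.exempt_ips:
            session_ips = {ip_address(src), ip_address(dst)}
            if not session_ips & {ip_address(i) for i in exc.exempt_ips}:
                # Exempt IP filter set but neither endpoint matches: default action.
                return default_action, f"exempt IP filter on {name} did not match"
        return exc.action, f"exception in profile {name}"
    # No attached profile carries an exception: the default signature action applies.
    return default_action, "default signature action"


# Constructed data: the threat ID, names and addresses are illustrative only.
PROFILES = {
    "strict-vp": SecurityProfile("strict-vp", {30001: ThreatException("alert", ("10.1.2.10",))}),
    "lab-vp": SecurityProfile("lab-vp", {30001: ThreatException("allow")}),
}
RULES = [SecurityRule("allow-web", ("strict-vp",)), SecurityRule("allow-dns")]

if __name__ == "__main__":
    print(exempt_profiles(30001, PROFILES, RULES))
    print(effective_action(30001, "reset-both", "10.1.2.10", "203.0.113.5", RULES[0], PROFILES))
    print(effective_action(30001, "reset-both", "10.1.2.11", "203.0.113.5", RULES[0], PROFILES))
```

The lab-vp profile in the sample has an exception for the same signature but is attached to no rule, so exempt_profiles reports it as not used and effective_action never consults it; this is the situation the Used in current security rule column is meant to expose.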

If you're having trouble viewing threat details, check for the following conditions:
- The firewall Threat Prevention license is active (Device > Licenses).
- The latest Antivirus and Threats and Applications content updates are installed.
- Threat Vault access is enabled (select Device > Setup > Management and edit the Logging and Reporting setting to Enable Threat Vault Access).
- The default (or custom) Antivirus, Anti-Spyware, and Vulnerability Protection security profiles are applied to your security policy.

AutoFocus Intelligence Summary

You can view a graphical overview of threat intelligence that AutoFocus compiles to help you assess the pervasiveness and risk of the following firewall artifacts:
- IP Address
- URL
- Domain
- User agent (found in the User Agent column of Data Filtering logs)
- Threat name (only for threats of the subtypes virus and wildfire-virus)
- Filename
- SHA-256 hash (found in the File Digest column of WildFire Submissions logs)
To view the AutoFocus Intelligence Summary window, you must have an active AutoFocus subscription and enable AutoFocus threat intelligence. Hover over an artifact to open the drop-down and then click AutoFocus. The AutoFocus Intelligence Summary is only available when you:
- View Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs (Monitor > Logs).
- View external dynamic list entries.

Search AutoFocus for...
Click to launch an AutoFocus search for the artifact.

Analysis Information Tab

Sessions
The number of private sessions in which WildFire detected the artifact. Private sessions are sessions running only on firewalls associated with your support account. Hover over a session bar to view the number of sessions per month.

Samples
Organization and global samples (files and email links) associated with the artifact and grouped by WildFire verdict (benign, grayware, or malware). Global refers to samples from all WildFire submissions, while organization refers only to samples submitted to WildFire by your organization.
Click on a WildFire verdict to launch an AutoFocus search for the artifact filtered by scope (organization or global) and WildFire verdict.

Matching Tags
AutoFocus tags matched to the artifact:
- Private Tags: Visible only to AutoFocus users associated with your support account.
- Public Tags: Visible to all AutoFocus users.
- Unit 42 Tags: Identify threats and campaigns that pose a direct security risk. These tags are created by Unit 42 (the Palo Alto Networks threat intelligence and research team).
- Informational Tags: Unit 42 tags that identify commodity threats.
Hover over a tag to view the tag description and other tag details.
Click a tag to launch an AutoFocus search for that tag.
To view more matching tags for an artifact, click the ellipsis (...) to launch an AutoFocus search for that artifact. The Tags column in the AutoFocus search results displays more matching tags for the artifact.

Passive DNS Tab

The Passive DNS tab displays passive DNS history associated with the artifact. This tab only displays matching information if the artifact is an IP address, domain, or URL.

Request
The domain name that was queried in the DNS request. Click the domain to launch an AutoFocus search for it.

Type
The DNS request type (example: A, NS, CNAME).

Response
The IP address or domain to which the DNS request resolved. Click the IP address or domain to launch an AutoFocus search.
The Response column does not display private IP addresses.

Count
The number of times the request was made.

First Seen
The date and time that the Request, Response, and Type combination was first seen based on passive DNS history.

Last Seen
The date and time that the Request, Response, and Type combination was most recently seen based on passive DNS history.

Matching Hashes Tab

The Matching Hashes tab displays the five most recent private samples where WildFire detected the artifact. Private samples are samples detected only on firewalls associated with your support account.

SHA256
The SHA-256 hash for a sample. Click the hash to launch an AutoFocus search for that hash.

File Type
The file type of the sample.

Create Date
The date and time that WildFire analyzed a sample and assigned a WildFire verdict to it.

Update Date
The date and time that WildFire updated the WildFire verdict for a sample.

Verdict
The WildFire verdict for a sample: benign, grayware, or malware.

Dashboard
The Dashboard widgets show general firewall or Panorama information, such as the software version, status of each interface, resource utilization, and up to 10 entries for each of several log types; log widgets display entries from the last hour. By default, the Dashboard displays widgets in a Layout of 3 Columns, but you can customize the Dashboard to display only 2 Columns instead.
You can also decide which widgets to display or hide so that you see only those you want to monitor. To display a widget, select a widget category from the Widgets drop-down and select a widget to add it to the Dashboard (widget names that appear in faded, grayed-out text are already displayed). Hide (stop displaying) a widget by closing the widget (the close control in the widget header). The firewall and Panorama save your widget display settings across logins (separately for each administrator).
Refer to the Last updated timestamp to determine when the Dashboard data was last refreshed. You can manually refresh the entire Dashboard (the refresh control in the top right corner of the Dashboard) or you can refresh individual widgets (the refresh control within each widget header). Use the unlabeled drop-down next to the manual Dashboard refresh option to select the automatic refresh interval for the entire Dashboard (in minutes): 1 min, 2 mins, or 5 mins; to disable automatic refresh for the entire Dashboard, select Manual.

Application Widgets

Top Applications
Displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over the block to view the number), and the color indicates the security risk from green (lowest) to red (highest). Click an application to view its application profile.

Top High Risk Applications
Similar to Top Applications except that it displays the highest-risk applications with the most sessions.

ACC Risk Factor
Displays the average risk factor (1-5) for the network traffic processed over the past week. Higher values indicate higher risk.

System Widgets

General Information
Displays the firewall or Panorama name and model, the PAN-OS or Panorama software version, the application, threat, and URL filtering definition versions, the current date and time, and the length of time since the last restart.

Interfaces (Firewall only)
Indicates whether each interface is up (green), down (red), or in an unknown state (gray).

System Resources
Displays the Management CPU usage, Data Plane usage, and the Session Count (the number of sessions established through the firewall or Panorama).

High Availability
Indicates, when high availability (HA) is enabled, the HA status of the local and peer firewall/Panorama: green (active), yellow (passive), or black (other). For more information about HA, refer to Device > Virtual Systems or Panorama > High Availability.

Locks
Shows configuration locks that administrators have set.

Logged In Admins
Displays the source IP address, session type (web interface or CLI), and session start time for each administrator who is currently logged in.

Logs Widgets

Threat Logs
Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The threat ID is a malware description or a URL that violates the URL Filtering profile. Displays only entries from the last 60 minutes.

URL Filtering Logs
Displays the description and date and time for the last 10 entries in the URL Filtering log. Displays only entries from the last 60 minutes.

Data Filtering Logs
Displays the description and date and time for the last 10 entries in the Data Filtering log. Displays only entries from the last 60 minutes.

Config Logs
Displays the administrator username, client (web interface or CLI), and date and time for the last 10 entries in the Configuration log. Displays only entries from the last 60 minutes.

System Logs
Displays the description and date and time for the last 10 entries in the System log. A Config installed entry indicates configuration changes were committed successfully. Displays only entries from the last 60 minutes.

ACC
The Application Command Center (ACC) is an analytical tool that provides actionable intelligence about the activity within your network. The ACC uses the firewall logs to graphically depict traffic trends on your network. The graphical representation allows you to interact with the data and visualize the relationships between events on the network, including network usage patterns, traffic patterns, and suspicious activity and anomalies.

What do you want to know?
- How do I use the ACC? See A First Glance at the ACC, ACC Tabs, and ACC Widgets.
- How do I interact with the ACC? See ACC Actions, Working with Tabs and Widgets, and Working with Filters.
- Looking for more? Use the Application Command Center.

A First Glance at the ACC

1 Tabs: The ACC includes predefined tabs that provide visibility into network traffic, threat activity, blocked activity, and tunnel activity. For information on each tab, see ACC Tabs.

2 Widgets: Each tab includes a default set of widgets that best represent the events and trends associated with the tab. The widgets allow you to survey the data using the following filters: bytes (in and out), sessions, content (files and data), URL categories, applications, users, threats (malicious, benign, grayware, phishing), and count. For information on each widget, see ACC Widgets.

3 Time: The charts and graphs in each widget provide a real-time and historic view. You can choose a custom range or use the predefined time periods that range from the last 15 minutes up to the last 30 days or last 30 calendar days. The time period used to render data, by default, is the last hour. The date and time interval are displayed on screen. For example: 11/11 10:30:00-01/12 11:29:59

4 Global Filters: The global filters allow you to set the filter across all tabs. The charts and graphs apply the selected filters before rendering the data. For information on using the filters, see ACC Actions.


5 Application View: The application view allows you to filter the ACC view by either the sanctioned and unsanctioned applications in use on your network, or by the risk level of the applications in use on your network. Green indicates sanctioned applications, blue unsanctioned applications, and yellow indicates applications that have a different sanctioned state across different virtual systems or device groups.

6 Risk Meter: The risk meter (1 = lowest to 5 = highest) indicates the relative security risk on your network. The risk meter uses a variety of factors, such as the type of applications seen on the network and the risk levels associated with the applications, the threat activity and malware as seen through the number of blocked threats, and compromised hosts or traffic to malware hosts and domains.

7 Source: The data used for the display varies between the firewall and Panorama. You have the following options to select what data is used to generate the views on the ACC:
- Virtual System: On a firewall that is enabled for multiple virtual systems, you can use the Virtual System drop-down to change the ACC display to include all virtual systems or just a selected virtual system.
- Device Group: On Panorama, you can use the Device Group drop-down to change the ACC display to include data from all device groups or just a selected device group.
- Data Source: On Panorama, you can also change the display to use Panorama or Remote Device Data (managed firewall data). When the data source is Panorama, you can filter the display for a specific device group.

8 Export: You can export the widgets displayed in the current tab as a PDF.

ACC Tabs

- Network Activity: Displays an overview of traffic and user activity on your network. It focuses on the top applications being used, the top users who generate traffic (with a drill-down into the bytes, content, threats, or URLs accessed by the user), and the most used security rules against which traffic matches occur. In addition, you can also view network activity by source or destination zone, region, or IP address, by ingress or egress interfaces, and by host information such as the operating systems of the devices most commonly used on the network.
- Threat Activity: Displays an overview of the threats on the network. It focuses on the top threats (vulnerabilities, spyware, viruses, hosts visiting malicious domains or URLs), top WildFire submissions by file type and application, and applications that use non-standard ports. The Compromised Hosts widget supplements detection with better visualization techniques. It uses the information from the correlated events tab (Monitor > Automated Correlation Engine > Correlated Events) to present an aggregated view of compromised hosts on your network by source users or IP addresses, sorted on severity.
- Blocked Activity: Focuses on traffic that was prevented from coming into the network. The widgets in this tab allow you to view activity denied by application name, user name, threat name, content (files and data), and the top security rules with a deny action that blocked traffic.
- Tunnel Activity: Displays the activity of tunnel traffic that the firewall inspected based on your tunnel inspection policies. Information includes tunnel usage based on tunnel ID, monitor tag, user, and tunnel protocols such as Generic Routing Encapsulation (GRE), General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U), and non-encrypted IPSec.

ACC Widgets

The widgets on each tab are interactive. You can set filters and drill down into the display to customize the view and focus on the information you need.

Each widget is structured to display the following information:

1 View: You can sort the data by bytes, sessions, threats, count, users, content, applications, URLs, malicious, benign, grayware, phishing, file(name)s, data, profiles, or objects. The available options vary by widget.

2 Graph: The graphical display options are treemap, line graph, horizontal bar graph, stacked area graph, stacked bar graph, and map. The available options vary by widget and the interaction experience varies with each graph type. For example, the widget for Applications Using Non-Standard Ports allows you to choose between a treemap and a line graph. To drill down into the display, click on the graph. The area you click on becomes a filter and allows you to zoom in and view more granular information about that selection.

3 Table: The detailed view of the data used to render the graph displays in a table below the graph. You can click and set a local filter or a global filter for elements in the table. With a local filter, the graph is updated and the table is sorted by that filter. With a global filter, the view across the ACC pivots to display only the information specific to your filter.


4 Actions: The following are actions available in the title bar of a widget:
- Maximize view: Allows you to enlarge the widget and view it in a larger screen space. In the maximized view, you can see more than the top ten items that display in the default widget view.
- Set up local filters: Allows you to add filters that refine the display within the widget. See Working with Filters: Local Filters and Global Filters.
- Jump to logs: Allows you to directly navigate to the logs (Monitor > Logs > <log-type>). The logs are filtered using the time period for which the graph is rendered. If you set local and global filters, the log query concatenates the time period and filters and displays only logs that match your filter set.
- Export: Allows you to export the graph as a PDF.

For a description of each widget, see the details on using the ACC.

ACC Actions

To customize and refine the ACC display, you can add and delete tabs, add and delete widgets, set local and global filters, and interact with the widgets.
- Working with Tabs and Widgets
- Working with Filters: Local Filters and Global Filters

Working with Tabs and Widgets

Add a custom tab.
1. Select Add along the list of tabs.
2. Add a View Name. This name will be used as the name for the tab. You can add up to 10 custom tabs.

Edit a tab.
Select the tab and click edit next to the tab name to edit the tab.

Set a tab as default.
1. Edit a tab.
2. Select the set-as-default option to set the current tab as the default. Each time you log in to the firewall, this tab will display.

Save a tab state.
1. Edit a tab.
2. Select the save option to save your preferences in the current tab as the default. The tab state, including any filters that you may have set, is synchronized across HA peers.

Export a tab.
1. Edit a tab.
2. Select the export option to export the current tab. The tab downloads to your computer as a .txt file. You must enable pop-ups to download the file.

Import a tab.
1. Add a custom tab.
2. Select the import option to import a tab.
3. Browse to the text (.txt) file and select it.

See which widgets are included in a view.
1. Select the view and click edit.
2. Select the Add Widgets drop-down to review selected widgets.

Add a widget or a widget group.
1. Add a new tab or edit a predefined tab.
2. Select Add Widget and then select the widget you want to add. You can select a maximum of 12 widgets.
3. (Optional) To create a two-column layout, select Add Widget Group. You can drag and drop widgets into the two-column display. As you drag the widget into the layout, a placeholder will display for you to drop the widget. You cannot name a widget group.

Delete a tab, widget, or widget group.
To delete a custom tab, select the tab and click delete. You cannot delete a predefined tab.
To delete a widget or widget group, edit the tab and then click delete ([X]). You cannot undo a deletion.

Reset the default view.
On a predefined view, such as the Blocked Activity view, you can delete one or more widgets. If you want to reset the layout to include the default set of widgets for the tab, edit the tab and Reset View.

Working with Filters: Local Filters and Global Filters

To hone the details and finely control what the ACC displays, you can use filters:
- Local Filters: Local filters are applied on a specific widget. A local filter allows you to interact with the graph and customize the display so that you can dig into the details and access the information you want to monitor on a specific widget. You can apply a local filter in two ways: click into an attribute in the graph or table, or select Set Filter within a widget. Set Filter allows you to set a local filter that is persistent across reboots.

- Global Filters: Global filters are applied across the ACC. A global filter allows you to pivot the display around the details you care most about and exclude the unrelated information from the current display. For example, to view all events related to a specific user and application, you can apply the user's IP address and specify the application to create a global filter that displays only information pertaining to that user and application through all the tabs and widgets on the ACC. Global filters are not persistent across logins.
Global filters can be applied in three ways:
- Set a global filter from a table: Select an attribute from a table in any widget and apply the attribute as a global filter.
- Add a widget filter to be a global filter: Hover over the attribute and click the arrow icon to the right of the attribute. This option allows you to elevate a local filter used in a widget and apply the attribute globally to update the display across all tabs on the ACC.
- Define a global filter: Define a filter using the Global Filters pane on the ACC.

Working with Filters

Set a local filter.
1. Select a widget and click Filter.
2. Add the filters you want to apply.
3. Click Apply. These filters are persistent across reboots.
You can also click an attribute in the table below the graph to apply it as a local filter. The number of local filters applied on a widget is indicated next to the widget name.

Set a global filter from a table.
Hover over an attribute in a table and click the arrow that appears to the right of the attribute.

Set a global filter using the Global Filters pane.
Add the filters you want to apply.

Promote a local filter to a global filter.
1. On any table in a widget, select an attribute. This sets the attribute as a local filter.
2. To promote the filter to a global filter, hover over the attribute and click the arrow to the right of the attribute.

Remove a filter.
Click Remove to remove a filter.
- Global filters: Located in the Global Filters pane.
- Local filters: Click Filter to bring up the Set Local Filters dialog, and then select the filter and remove it.

Clear all filters.
- Global filters: Clear All Global Filters.
- Local filters: Select a widget and click Filter. Then Clear All in the Set Local Filters dialog.

Negate filters.
Select an attribute and Negate a filter.
- Global filters: Located in the Global Filters pane.
- Local filters: Click Filter to bring up the Set Local Filters dialog, add a filter, and then negate it.

PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 47

View what filters are in use.
  • Global filters: The number of global filters applied is displayed on the left pane under Global Filters.
  • Local filters: The number of local filters applied on a widget is displayed next to the widget name. To view the filters, click Set Local Filters.

Monitor
The following topics describe the firewall reports and logs you can use to monitor activity on your network:
• Monitor > Logs
• Monitor > External Logs
• Monitor > Automated Correlation Engine
• Monitor > Packet Capture
• Monitor > App Scope
• Monitor > Session Browser
• Monitor > Block IP List
• Monitor > Botnet
• Monitor > PDF Reports
• Monitor > Manage Custom Reports
• Monitor > Reports


Monitor > Logs

What do you want to know?    See:

• Tell me about the different types of logs.    Log Types

• Filter logs. Export logs. View details for individual log entries. Modify the log display.    Log Actions

Looking for more?    Monitor and manage logs.

Log Types

The firewall displays all logs so that role-based administration permissions are respected. Only the information that you have permission to see is included, and this might vary depending on the types of logs you are viewing. For information on administrator permissions, refer to Device > Admin Roles.

Log Type    Description

Traffic: Displays an entry for the start and end of each session. Each entry includes the date and time, source and destination zones, addresses and ports, application name, security rule name applied to the flow, rule action (allow, deny, or drop), ingress and egress interface, number of bytes, and session end reason.
  The Type column indicates whether the entry is for the start or end of the session, or whether the session was denied or dropped. A drop indicates that the security rule that blocked the traffic specified any application, while a deny indicates the rule identified a specific application.
  If traffic is dropped before the application is identified, such as when a rule drops all traffic for a specific service, the application is shown as not-applicable.
  Drill down in traffic logs for more details on individual entries and artifacts:
  • Click Details to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (the Count value will be greater than one).
  • On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.


Threat: Displays an entry for each security alarm generated by the firewall. Each entry includes the date and time, a threat name or URL, the source and destination zones, addresses, and ports, the application name, and the alarm action (allow or block) and severity.
  The Type column indicates the type of threat, such as virus or spyware; the Name column is the threat description or URL; and the Category column is the threat category (such as keylogger) or URL category.
  Drill down in threat logs for more details on individual entries and artifacts:
  • Click Details to view additional details about the threat, such as whether the entry aggregates multiple threats of the same type between the same source and destination (the Count value will be greater than one).
  • On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.
  • If local packet captures are enabled, click Download to access captured packets. To enable local packet captures, refer to the subsections under Objects > Security Profiles.
  • To view more details about a threat or to quickly configure threat exemptions directly from the threat logs, click the threat name in the Name column. The Exempt Profiles list shows all custom Antivirus, Anti-Spyware, and Vulnerability Protection profiles. To configure an exemption for a threat signature, select the check box to the left of the security profile name and save your change. To add exemptions for IP addresses (up to 100 IP addresses per signature), highlight the security profile, add the IP address(es) in the Exempt IP Addresses section and click OK to save. To view or modify the exemption, go to the associated security profile and click the Exceptions tab. For example, if the threat type is vulnerability, select Objects > Security Profiles > Vulnerability Protection, click the associated profile, then click the Exceptions tab.

URL Filtering: Displays logs for URL filters, which control access to web sites and whether users can submit credentials to web sites.
  Select Objects > Security Profiles > URL Filtering to define URL filtering settings, including which URL categories to block or allow and for which you want to grant or disable credential submissions. You can also enable logging of the HTTP header options for the URL.
  On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.

WildFire Submissions: Displays logs for files and email links that the firewall forwarded for WildFire analysis. The WildFire cloud analyzes the sample and returns analysis results, which include the WildFire verdict assigned to the sample (benign, malware, grayware, or phishing). You can confirm if the firewall allowed or blocked a file based on Security policy rules by viewing the Action column.
  On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash (in the File Digest column) contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for the artifact.


Data Filtering: Displays logs for the security policies with attached Data Filtering profiles, which help prevent sensitive information such as credit card or social security numbers from leaving the area protected by the firewall, and File Blocking profiles, which prevent certain file types from being uploaded or downloaded.
  To configure password protection for access to the details for a log entry, click the icon. Enter the password and click OK. Refer to Device > Response Pages for instructions on changing or deleting the data protection password.
  The system prompts you to enter the password only once per session.

HIP Match: Displays all HIP matches that the GlobalProtect gateway identifies when comparing the raw HIP data reported by the agent to the defined HIP objects and HIP profiles. Unlike other logs, a HIP match is logged even when it does not match a security policy. For more information, refer to Network > GlobalProtect > Portals.

User-ID: Displays information about IP address-to-username mappings, such as the source of the mapping information, when the User-ID agent performed the mapping, and the remaining time before mappings expire. You can use this information to help troubleshoot User-ID issues. For example, if the firewall is applying the wrong policy rule for a user, you can view the logs to verify whether that user is mapped to the correct IP address and whether the group associations are correct.

Tunnel Inspection: Displays an entry for the start and end of each inspected tunnel session. The log includes the Receive Time (date and time the first and last packet in the session arrived), Tunnel ID, Monitor Tag, Session ID, Security rule applied to the tunnel traffic, and more. See Policies > Tunnel Inspection for more information.

Configuration: Displays an entry for each configuration change. Each entry includes the date and time, the administrator username, the IP address from where the change was made, the type of client (web interface or CLI), the type of command executed, whether the command succeeded or failed, the configuration path, and the values before and after the change.

System: Displays an entry for each system event. Each entry includes the date and time, the event severity, and an event description.

Alarms: The alarms log records detailed information on alarms that are generated by the system. The information in this log is also reported in Alarms. Refer to Define Alarm Settings.

Authentication: Displays information about authentication events that occur when end users try to access network resources for which access is controlled by Authentication policy rules. You can use this information to help troubleshoot access issues and to adjust your Authentication policy as needed. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network, such as brute force attacks.
  Optionally, you can configure Authentication rules to Log Authentication Timeouts. These timeouts relate to the period of time during which a user needs to authenticate for a resource only once but can access it repeatedly. Seeing information about the timeouts helps you decide if and how to adjust them.
  System logs record authentication events relating to GlobalProtect and to administrator access to the web interface.


Unified: Displays the latest Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering log entries in a single view. The collective log view enables you to investigate and filter these different types of logs together (instead of searching each log set separately). Or, you can choose which log types to display: click the arrow to the left of the filter field and select traffic, threat, url, data, and/or wildfire to display only the selected log types.
  On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.
  The firewall displays all logs so that role-based administration permissions are respected. When viewing Unified logs, only the logs that you have permission to see are displayed. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. For information on administrator permissions, refer to Device > Admin Roles.
  You can use the Unified log set with the AutoFocus threat intelligence portal. Set up an AutoFocus search to add AutoFocus search filters directly to the Unified log filter field.

Log Actions

Action    Description

Filter Logs: Each log page has a filter field at the top of the page. You can add artifacts to the field, such as an IP address or a time range, to find matching log entries. The icons to the right of the field enable you to apply, clear, create, save, and load filters.
  • Create a filter:
    - Click an artifact in a log entry to add that artifact to the filter.
    - Click Add to define new search criteria. For each criterion, select the Connector that defines the search type (and/or), the Attribute on which to base the search, an Operator to define the scope of the search, and a Value for evaluation against log entries. Add each criterion to the filter field and Close when you finish. You can then apply the filter.
    If the Value string matches an Operator (such as has or in), enclose the string in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as a Value to specify INDIA, enter the filter as ( dstloc eq "IN" ).
    The log filter (receive_time in last-60-seconds) causes the number of log entries (and log pages) displayed to grow or shrink over time.
  • Apply filters: Click Apply Filter to display log entries that match the current filter.
  • Delete filters: Click Clear Filter to clear the filter field.
  • Save a filter: Click Save Filter, enter a name for the filter, and click OK.
  • Use a saved filter: Click Load Filter to add a saved filter to the filter field.


Export Logs: Click Export to CSV to export all logs matched to the current filter to a CSV-formatted report and continue to Download file. By default, the report contains up to 2,000 lines of logs. To change the line limit for generated CSV reports, select Device > Setup > Management > Logging and Reporting Settings > Log Export and Reporting and enter a new Max Rows in CSV Export value.

Highlight Policy Actions: Select to highlight log entries that match the action. The filtered logs are highlighted in the following colors:
  • Green: Allow
  • Yellow: Continue, or override
  • Red: Deny, drop, drop-icmp, rst-client, reset-server, reset-both, block-continue, block-override, block-url, drop-all, sinkhole

Change Log Display: To customize the log display:
  • Change the automatic refresh interval: Select an interval from the interval drop-down (60 seconds, 30 seconds, 10 seconds, or Manual).
  • Change the number and order of entries displayed per page: Log entries are retrieved in blocks of 10 pages.
    - Use the paging controls at the bottom of the page to navigate through the log list.
    - To change the number of log entries per page, select the number of rows from the per page drop-down (20, 30, 40, 50, 75, or 100).
    - To sort the results in ascending or descending order, use the ASC or DESC drop-down.
  • Resolve IP addresses to domain names: Select Resolve Hostname to begin resolving external IP addresses to domain names.
  • Change the order in which logs are displayed: Select DESC to display logs in descending order beginning with log entries with the most recent Receive Time. Select ASC to display logs in ascending order beginning with log entries with the oldest Receive Time.

View Details for Individual Log Entries: To view information about individual log entries:
  • To display additional details, click Details for an entry. If the source or destination has an IP address-to-domain or username mapping defined in the Addresses page, the name is presented instead of the IP address. To view the associated IP address, move your cursor over the name.
  • On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for the artifact.
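The filter syntax described under Filter Logs, as an added example that is not part of the guide or of PAN-OS: it builds and parses the ( attribute operator value ) clauses, enforces the page's rule that a value colliding with a keyword such as IN must be quoted, and evaluates a filter, including a (receive_time in last-60-seconds) window, against constructed log entries. The operator set is limited to the ones the page names, and left-to-right and/or evaluation is an assumption of this example.

```python
"""Build, parse and evaluate PAN-OS style log filter expressions.

Added example, not code from the PAN-OS guide. It covers only the grammar the
page shows: ( attribute operator value ) clauses joined by and/or, with a value
quoted when it collides with a keyword, as in ( dstloc eq "IN" ). Left-to-right
and/or evaluation without precedence, and the sample entries, are assumptions.
"""
from __future__ import annotations

import re
from collections import namedtuple
from typing import Any, Iterable

OPERATORS = {"eq", "has", "in"}  # the operators named on the page
CONNECTORS = {"and", "or"}
KEYWORDS = OPERATORS | CONNECTORS
TIME_UNITS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}
_CLAUSE = re.compile(r'\(\s*(\w+)\s+(eq|has|in)\s+("(?:[^"\\]|\\.)*"|[^\s()]+)\s*\)', re.I)
_CONNECTOR = re.compile(r"\s*(and|or)\s*", re.I)

# connector is "and" or "or" and is ignored for the first criterion.
Criterion = namedtuple("Criterion", "connector attribute operator value")


def quote_if_needed(value: str) -> str:
    """Quote a value the filter parser would otherwise read as a keyword."""
    if value.lower() in KEYWORDS or re.search(r'[\s()"]', value):
        return '"' + value.replace('"', '\\"') + '"'
    return value


def build_filter(criteria: Iterable[Criterion]) -> str:
    """Render criteria in the form the log page's filter field accepts."""
    parts: list[str] = []
    for i, c in enumerate(criteria):
        op, conn = c.operator.lower(), c.connector.lower()
        if op not in OPERATORS or (i > 0 and conn not in CONNECTORS):
            raise ValueError(f"bad operator or connector in {c}")
        parts += ([conn] if i > 0 else []) + [f"( {c.attribute} {op} {quote_if_needed(c.value)} )"]
    return " ".join(parts)


def parse_filter(text: str) -> list[Criterion]:
    """Parse a filter string into criteria, raising ValueError on syntax errors."""
    criteria: list[Criterion] = []
    text, pos, connector = text.strip(), 0, "and"
    while pos < len(text):
        m = _CLAUSE.match(text, pos)
        if not m:
            raise ValueError(f"syntax error near {text[pos:pos + 20]!r}")
        attr, op, raw = m.group(1), m.group(2).lower(), m.group(3)
        if raw.startswith('"'):
            value = raw[1:-1].replace('\\"', '"')
        elif raw.lower() in KEYWORDS:
            # The page's caveat: a bare IN collides with the operator "in".
            raise ValueError(f"bare value {raw!r} is a keyword; quote it")
        else:
            value = raw
        criteria.append(Criterion(connector, attr, op, value))
        pos = m.end()
        if pos < len(text):
            c = _CONNECTOR.match(text, pos)
            if not c:
                raise ValueError(f"expected and/or near {text[pos:pos + 20]!r}")
            connector, pos = c.group(1).lower(), c.end()
    return criteria


def _clause_matches(entry: dict[str, Any], c: Criterion, now: float) -> bool:
    actual = entry.get(c.attribute)
    if actual is None:
        return False
    if c.operator == "eq":
        return str(actual) == c.value
    if c.operator == "has":
        return c.value in str(actual)
    # "in" with a relative window such as last-60-seconds, measured from `now`:
    # this is why the page says the number of matching entries changes over time.
    m = re.fullmatch(r"last-(\d+)-(seconds|minutes|hours|days)", c.value)
    if not m:
        return False
    return now - int(m.group(1)) * TIME_UNITS[m.group(2)] <= float(actual) <= now


def filter_logs(entries: Iterable[dict[str, Any]], criteria: list[Criterion],
                now: float) -> list[dict[str, Any]]:
    """Return the entries matching the criteria, combined left to right."""
    hits = []
    for entry in entries:
        result = None
        for c in criteria:
            ok = _clause_matches(entry, c, now)
            if result is None:
                result = ok
            else:
                result = (result and ok) if c.connector == "and" else (result or ok)
        if result:
            hits.append(entry)
    return hits


# Constructed sample entries (receive_time as epoch seconds), not firewall data.
SAMPLE_LOGS = [
    {"receive_time": 1000, "dstloc": "IN", "src": "10.0.0.5", "action": "allow"},
    {"receive_time": 930, "dstloc": "US", "src": "10.0.0.5", "action": "deny"},
    {"receive_time": 990, "dstloc": "IN", "src": "10.0.0.9", "action": "deny"},
]
```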


Monitor > External Logs

Use this page to view logs ingested from the Traps Endpoint Security Manager (ESM) into Log Collectors that are managed by Panorama. To view Traps ESM logs on Panorama, do the following:
• On the Traps ESM server, configure Panorama as a Syslog server and select the logging events to forward to Panorama. The events can include security events, policy changes, agent and ESM Server status changes, and changes to configuration settings.
• On a Panorama that is deployed in Panorama mode with one or more Managed Log Collectors, set up a log ingestion profile (Panorama > Log Ingestion Profile) and attach the profile to a Collector Group (Panorama > Collector Groups) in which to store the Traps ESM logs.
External logs are not associated with a device group and are visible only when you select Device Group: All because the logs are not forwarded from firewalls.

Log Type    Description

Monitor > External Logs > Traps ESM > Threat: These threat events include all prevention, notification, provisional, and post-detection events that are reported by the Traps agents.

Monitor > External Logs > Traps ESM > System: ESM Server system events include changes related to ESM status, licenses, ESM Tech Support files, and communication with WildFire.

Monitor > External Logs > Traps ESM > Policy: Policy change events include changes to rules, protection levels, content updates, hash control logs, and verdicts.

Monitor > External Logs > Traps ESM > Agent: Agent change events occur on the endpoint and include changes to content updates, licenses, software, connection status, one-time action rules, processes and services, and quarantined files.

Monitor > External Logs > Traps ESM > Config: ESM configuration change events include system-wide changes to licensing, administrative users and roles, processes, restriction settings, and conditions.

Panorama can correlate discrete security events on the endpoints with events on the network to trace any suspicious or malicious activity between the endpoints and the firewall. To view correlated events that Panorama identifies, see Monitor > Automated Correlation Engine > Correlated Events.


Monitor > Automated Correlation Engine

The automated correlation engine tracks patterns on your network and correlates events that indicate an escalation in suspicious behavior or events that amount to malicious activity. The engine functions as your personal security analyst who scrutinizes isolated events across the different sets of logs on the firewall, queries the data for specific patterns, and connects the dots so that you have actionable information.
The correlation engine uses correlation objects that generate correlated events. Correlated events collate evidence to help you trace commonality across seemingly unrelated network events and provide the focus for incident response.
The automated correlation engine is supported on the following models only:
• Panorama M-Series and the virtual appliance
• PA-800 Series firewalls
• PA-3000 Series firewalls
• PA-5000 Series firewalls
• PA-5200 Series firewalls
• PA-7000 Series firewalls

What do you want to know?    See:

• What are correlation objects?    Monitor > Automated Correlation Engine > Correlation Objects

• What is a correlated event? Where do I see the match evidence for a correlation match?    Monitor > Automated Correlation Engine > Correlated Events

• How can I see a graphical view of correlation matches?    See the Compromised Hosts widget in ACC.

Looking for more?    Use the Automated Correlation Engine


Monitor > Automated Correlation Engine > Correlation Objects

To counter the advances in exploits and malware distribution methods, correlation objects extend the signature-based malware detection capabilities on the firewall. They provide the intelligence for identifying suspicious behavior patterns across different sets of logs and they gather the evidence required to investigate and promptly respond to an event.
A correlation object is a definition file that specifies patterns for matching, the data sources to use for performing the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that query the data sources, and each pattern is assigned a severity and a threshold, which is the number of times the pattern match occurs within a defined time limit. When a pattern match occurs, a correlation event is logged.
The data sources used for performing lookups can include the following logs: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. For example, the definition for a correlation object can include a set of patterns that query the logs for evidence of infected hosts, evidence of malware patterns, or for lateral movement of malware in the traffic, URL filtering, and threat logs.
Correlation objects are defined by Palo Alto Networks and are packaged with content updates. You must have a valid threat prevention license to get content updates.
By default, all correlation objects are enabled. To disable an object, select the object and Disable it.

Correlation Object Fields    Description

Name and Title: The label indicates the type of activity that the correlation object detects.

ID: A unique number identifies the correlation object. This number is in the 6000 series.

Category: A summary of the kind of threat or harm posed to the network, user, or host.

State: The state indicates whether the correlation object is enabled (active) or disabled (inactive).

Description: The description specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the escalation pattern or progression path that will be used to identify malicious activity or suspicious host behavior.
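The correlation object model described above (patterns with a data source, a boolean condition, a severity, and a threshold within a time limit) and the correlated event fields listed under Correlated Events (Match Time, Update Time, Object Name, Source Address, Severity, Summary, evidence), as an added example that is not Palo Alto Networks code. The object ID 6001, the log entries and the thresholds are constructed; tracking evidence per source host and the severity ordering are assumptions of this example.

```python
"""Toy correlation engine following the page's model: a correlation object holds
patterns, each with a data source, a match condition, a severity and a threshold
(matches within a time window); reaching the threshold logs a correlated event
with Match Time, Update Time, Object Name, Source Address, Severity, Summary and
evidence. Added example, not Palo Alto Networks code; the object ID, log entries
and thresholds are constructed."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field, replace
from typing import Callable


@dataclass
class Pattern:
    data_source: str                   # log set the pattern queries
    condition: Callable[[dict], bool]  # boolean condition over one entry
    threshold: int                     # matches required ...
    window: int                        # ... within this many seconds
    severity: str
    summary: str


@dataclass
class CorrelationObject:
    object_id: int        # real objects use the 6000 series; 6001 below is made up
    name: str
    category: str
    patterns: list[Pattern]
    enabled: bool = True  # State: active/inactive; Disable sets this False


@dataclass
class CorrelatedEvent:
    match_time: int
    update_time: int
    object_name: str
    source_address: str
    severity: str
    summary: str
    evidence: list[dict] = field(default_factory=list)


class CorrelationEngine:
    def __init__(self, objects: list[CorrelationObject]) -> None:
        self.objects = objects
        self._hits: dict[tuple, deque] = defaultdict(deque)  # recent matches per key
        self.events: dict[tuple, CorrelatedEvent] = {}       # one event per key

    def ingest(self, entry: dict) -> list[CorrelatedEvent]:
        """Feed one log entry; return the events it created or updated."""
        touched = []
        for obj in self.objects:
            if not obj.enabled:
                continue
            for idx, pat in enumerate(obj.patterns):
                if entry["log_type"] != pat.data_source or not pat.condition(entry):
                    continue
                key = (obj.object_id, idx, entry["src"])  # evidence is tracked per host
                hits = self._hits[key]
                hits.append(entry)
                while hits[0]["time"] < entry["time"] - pat.window:
                    hits.popleft()                         # outside the time limit
                if len(hits) < pat.threshold:
                    continue
                ev = self.events.get(key)
                if ev is None:
                    ev = CorrelatedEvent(hits[0]["time"], entry["time"], obj.name,
                                         entry["src"], pat.severity, pat.summary, list(hits))
                    self.events[key] = ev
                else:                                      # refresh Update Time, add evidence
                    ev.update_time = entry["time"]
                    ev.evidence.append(entry)
                touched.append(ev)
        return touched

    def compromised_hosts(self) -> list[tuple[str, str, str]]:
        # (source address, object name, severity), highest severity first
        rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
        rows = [(e.source_address, e.object_name, e.severity) for e in self.events.values()]
        return sorted(rows, key=lambda row: rank.get(row[2], 9))


SAMPLE_OBJECT = CorrelationObject(6001, "repeated spyware alerts from one host", "compromised host", [
    Pattern("threat", lambda e: e["category"] == "spyware" and e["action"] == "alert",
            threshold=3, window=300, severity="high", summary="3+ spyware alerts in 5 minutes"),
    Pattern("url", lambda e: e["url_category"] == "malware",
            threshold=2, window=600, severity="medium", summary="2+ malware-category URL hits"),
])
SAMPLE_LOGS = [  # constructed entries, time in epoch seconds
    {"time": 100, "log_type": "threat", "src": "10.1.1.7", "category": "spyware", "action": "alert"},
    {"time": 130, "log_type": "url", "src": "10.1.1.8", "url_category": "malware"},
    {"time": 140, "log_type": "url", "src": "10.1.1.8", "url_category": "malware"},
    {"time": 150, "log_type": "threat", "src": "10.1.1.7", "category": "spyware", "action": "alert"},
    {"time": 200, "log_type": "threat", "src": "10.1.1.7", "category": "spyware", "action": "alert"},
    {"time": 250, "log_type": "threat", "src": "10.1.1.7", "category": "spyware", "action": "alert"},
    {"time": 1000, "log_type": "threat", "src": "10.1.1.7", "category": "spyware", "action": "alert"},
]


def run_sample(enabled: bool = True) -> CorrelationEngine:
    engine = CorrelationEngine([replace(SAMPLE_OBJECT, enabled=enabled)])
    for entry in SAMPLE_LOGS:
        engine.ingest(entry)
    return engine
```

The entry at time 1000 matches the pattern but falls outside the 300-second window of the earlier hits, so it neither creates a new event nor updates the existing one.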


Monitor > Automated Correlation Engine > Correlated Events

Correlated events expand the threat detection capabilities on the firewall and Panorama; the correlated events gather evidence of suspicious or unusual behavior of users or hosts on the network.
The correlation object makes it possible to pivot on certain conditions or behaviors and trace commonalities across multiple log sources. When the set of conditions specified in a correlation object is observed on the network, each match is logged as a correlated event.
The correlated event includes the details listed in the following table.

Field    Description

Match Time: The time the correlation object triggered a match.

Update Time: The timestamp when the match was last updated.

Object Name: The name of the correlation object that triggered the match.

Source Address: The IP address of the user from whom the traffic originated.

Source User: The user and user group information from the directory server, if User-ID is enabled.

Severity: A rating that classifies the risk based on the extent of damage caused.

Summary: A description that summarizes the evidence gathered on the correlated event.

To view the detailed log view, click Details for an entry. The detailed log view includes all the evidence for a match:

Tab    Description

Match Information:
  • Object Details: Presents information on the correlation object that triggered the match. For information on correlation objects, see Monitor > Automated Correlation Engine > Correlation Objects.
  • Match Details: A summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.

Match Evidence: This tab includes all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.

To see a graphical display of the information in the Correlated Events tab, see the Compromised Hosts widget on the ACC > Threat Activity tab. In the Compromised Hosts widget, the display is aggregated by source user and IP address and sorted by severity.
To configure notifications when a correlated event is logged, go to the Device > Log Settings or Panorama > Log Settings tab.


Monitor > Packet Capture

All Palo Alto Networks firewalls have a built-in packet capture (pcap) feature you can use to capture packets that traverse the network interfaces on the firewall. You can then use the captured data for troubleshooting purposes or to create custom application signatures.

The packet capture feature is CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure to turn it off after you collect the required packets.

What do you want to know?    See:

• What are the different methods the firewall can use to capture packets?    Packet Capture Overview

• How do I generate a custom packet capture?    Building Blocks for a Custom Packet Capture

• How do I generate packet captures when the firewall detects a threat?    Enable Threat Packet Capture

• Where do I download a packet capture?    Packet Capture Overview

Looking for more?

• Turn on extended packet capture for security profiles.    Device > Setup > Content-ID

• Use packet capture to write custom application signatures.    See Doc-2015. This example uses a third-party app but you can use the firewall to capture the required packets.

• Prevent a firewall admin from viewing packet captures.    Define Web Interface Administrator Access.

• See an example.    See Take Packet Captures.

Packet Capture Overview

You can configure a Palo Alto Networks firewall to perform a custom packet capture or a threat packet capture.
• Custom Packet Capture: Capture packets for all traffic or traffic based on filters you define. For example, you can configure the firewall to capture only packets to and from a specific source and destination IP address or port. Use these packet captures to troubleshoot network traffic-related issues or to gather application attributes to write custom application signatures (Monitor > Packet Capture). You define the file name based on the stage (Drop, Firewall, Receive, or Transmit) and, after the pcap is complete, you download the pcap in the Captured Files section.


• Threat Packet Capture: Capture packets when the firewall detects a virus, spyware, or vulnerability. You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. These packet captures provide context around a threat to help you determine if an attack is successful or to learn more about the methods used by an attacker. The action for the threat must be set to either allow or alert; otherwise, the threat is blocked and packets cannot be captured. You configure this type of packet capture in Objects > Security Profiles. To download pcaps, select Monitor > Threat.

Building Blocks for a Custom Packet Capture

The following table describes the components of the Monitor > Packet Capture page that you use to configure packet captures, enable packet capture, and download packet capture files.


Custom Packet Capture Building Blocks    Configured In    Description

Manage Filters (Configure Filtering): When enabling custom packet captures, you should define filters so that only the packets that match the filters are captured. This will make it easier to locate the information you need in the pcaps and will reduce the processing power required by the firewall to perform the packet capture.
  Click Add to add a new filter and configure the following fields:
  • Id: Enter or select an identifier for the filter.
  • Ingress Interface: Select the ingress interface on which you want to capture traffic.
  • Source: Specify the source IP address of the traffic to capture.
  • Destination: Specify the destination IP address of the traffic to capture.
  • Src Port: Specify the source port of the traffic to capture.
  • Dest Port: Specify the destination port of the traffic to capture.
  • Proto: Specify the protocol number to filter (1-255). For example, ICMP is protocol number 1.
  • Non-IP: Choose how to treat non-IP traffic (exclude all IP traffic, include all IP traffic, include only IP traffic, or do not include an IP filter). Broadcast and AppleTalk are examples of non-IP traffic.
  • IPv6: Select this option to include IPv6 packets in the filter.

Filtering (Configure Filtering): After defining filters, set the Filtering to ON. If filtering is OFF, then all traffic is captured.

Pre-Parse Match (Configure Filtering): This option is for advanced troubleshooting purposes. After a packet enters the ingress port, it proceeds through several processing steps before it is parsed for matches against pre-configured filters.
  It is possible for a packet, due to a failure, to not reach the filtering stage. This can occur, for example, if a route lookup fails.
  Set the Pre-Parse Match setting to ON to emulate a positive match for every packet entering the system. This allows the firewall to capture packets that do not reach the filtering process. If a packet is able to reach the filtering stage, it is then processed according to the filter configuration and discarded if it fails to meet filtering criteria.


Packet Capture (Configure Capturing): Click the toggle switch to turn packet capture ON or OFF.
  You must select at least one capture stage. Click Add and specify the following:
  • Stage: Indicate the point at which to capture packets:
    - drop: When packet processing encounters an error and the packet is dropped.
    - firewall: When the packet has a session match or a first packet with a session is successfully created.
    - receive: When the packet is received on the dataplane processor.
    - transmit: When the packet is transmitted on the dataplane processor.
  • File: Specify the capture file name. The file name should begin with a letter and can include letters, digits, periods, underscores, or hyphens.
  • Packet Count: Specify the maximum number of packets, after which capturing stops.
  • Byte Count: Specify the maximum number of bytes, after which capturing stops.

Captured Files (Captured Files): Contains a list of custom packet captures previously generated by the firewall. Click a file to download it to your computer. To delete a packet capture, select the packet capture and then Delete it.
  • File Name: Lists the packet capture files. The file names are based on the file name you specify for the capture stage.
  • Date: Date the file was generated.
  • Size (MB): The size of the capture file.
  After you turn on packet capture and then turn it off, you must click Refresh before any new pcap files display in this list.

Clear All Settings (Settings): Click Clear All Settings to turn off packet capture and to clear all packet capture settings.
  This does not turn off packet capture set in a security profile. For information on enabling packet capture on a security profile, see Enable Threat Packet Capture.
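The custom packet capture building blocks above (Manage Filters fields, the Filtering switch, Pre-Parse Match, and the capture stage's file name and Packet/Byte Count limits), as an added example that is not PAN-OS code: it validates a filter and a stage the way the page describes them and applies them to constructed packets. That an unset filter field matches any value, and the "reached_filter" flag standing in for a packet that never reached the filtering stage, are assumptions of this example.

```python
"""Validate and apply the custom packet capture building blocks described on this
page: Manage Filters fields, the Filtering ON/OFF switch, Pre-Parse Match, and
the capture stage's file name and Packet/Byte Count limits. Added example, not
PAN-OS code. Packets are constructed dicts; an unset filter field matching any
value, and how "reached the filtering stage" is represented, are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

STAGES = ("drop", "firewall", "receive", "transmit")
# File: begins with a letter; letters, digits, periods, underscores or hyphens.
FILE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")


@dataclass
class CaptureFilter:
    id: int
    ingress_interface: Optional[str] = None
    source: Optional[str] = None
    dest: Optional[str] = None
    src_port: Optional[int] = None
    dest_port: Optional[int] = None
    proto: Optional[int] = None      # IP protocol number, 1-255 (ICMP is 1)
    ipv6: bool = False               # include IPv6 packets in the filter

    def __post_init__(self) -> None:
        if self.proto is not None and not 1 <= self.proto <= 255:
            raise ValueError("Proto must be 1-255")

    def matches(self, pkt: dict) -> bool:
        """Every set field must equal the packet's value; unset fields match any."""
        if pkt.get("ip_version") == 6 and not self.ipv6:
            return False
        wanted = {"ingress_interface": self.ingress_interface, "source": self.source,
                  "dest": self.dest, "src_port": self.src_port,
                  "dest_port": self.dest_port, "proto": self.proto}
        return all(v is None or pkt.get(k) == v for k, v in wanted.items())


@dataclass
class CaptureStage:
    stage: str
    file: str
    packet_count: Optional[int] = None   # stop after this many packets
    byte_count: Optional[int] = None     # stop after this many bytes

    def __post_init__(self) -> None:
        if self.stage not in STAGES:
            raise ValueError(f"Stage must be one of {STAGES}")
        if not FILE_NAME.match(self.file):
            raise ValueError("File must begin with a letter and use only letters, "
                             "digits, periods, underscores or hyphens")


def run_capture(packets: Iterable[dict], filters: list[CaptureFilter], stage: CaptureStage,
                filtering_on: bool = True, pre_parse_match: bool = False) -> list[dict]:
    """Return the packets written to the stage's file.

    Filtering OFF captures all traffic at the stage. With filtering ON, a packet that
    never reached the filtering stage (pkt["reached_filter"] is False, e.g. a failed
    route lookup) is captured only when Pre-Parse Match is ON; packets that did reach
    it are kept only if some filter matches. Capturing stops once Packet Count or
    Byte Count has been reached.
    """
    captured: list[dict] = []
    total_bytes = 0
    for pkt in packets:
        if pkt["stage"] != stage.stage:
            continue
        if filtering_on:
            if not pkt.get("reached_filter", True):
                if not pre_parse_match:
                    continue
            elif not any(f.matches(pkt) for f in filters):
                continue
        if stage.packet_count is not None and len(captured) >= stage.packet_count:
            break
        if stage.byte_count is not None and total_bytes >= stage.byte_count:
            break
        captured.append(pkt)
        total_bytes += pkt["length"]
    return captured


# Constructed packets as they would be seen at the capture stages.
SAMPLE_PACKETS = [
    {"id": 1, "stage": "receive", "source": "10.0.0.1", "dest": "192.0.2.10",
     "proto": 6, "dest_port": 443, "length": 100},
    {"id": 2, "stage": "receive", "source": "10.0.0.2", "dest": "192.0.2.10",
     "proto": 1, "length": 80},
    {"id": 3, "stage": "receive", "source": "10.0.0.1", "dest": "198.51.100.9",
     "proto": 6, "dest_port": 80, "length": 60, "reached_filter": False},
    {"id": 4, "stage": "drop", "source": "10.0.0.1", "dest": "192.0.2.10",
     "proto": 6, "length": 50},
    {"id": 5, "stage": "receive", "ip_version": 6, "source": "2001:db8::1",
     "dest": "2001:db8::2", "proto": 6, "length": 120},
]


def captured_ids(**kwargs) -> list[int]:
    """Run the sample capture (receive stage, source 10.0.0.1 by default); return ids kept."""
    filters = kwargs.pop("filters", [CaptureFilter(1, source="10.0.0.1")])
    stage = kwargs.pop("stage", CaptureStage("receive", "rx-capture.pcap"))
    return [p["id"] for p in run_capture(SAMPLE_PACKETS, filters, stage, **kwargs)]
```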


Enable Threat Packet Capture

• Objects > Security Profiles
To enable the firewall to capture packets when it detects a threat, enable the packet capture option in the security profile.
First select Objects > Security Profiles and then modify the desired profile as described in the following table:

Packet Capture Options in Security Profiles    Location

Antivirus: Select a custom antivirus profile and, in the Antivirus tab, select Packet Capture.

Anti-Spyware: Select a custom Anti-Spyware profile, click the DNS Signatures tab and, in the Packet Capture drop-down, select single-packet or extended-capture.

Vulnerability Protection: Select a custom Vulnerability Protection profile and, in the Rules tab, click Add to add a new rule or select an existing rule. Then select the Packet Capture drop-down and select single-packet or extended-capture.

In Anti-Spyware and Vulnerability Protection profiles, you can also enable packet capture on exceptions. Click the Exceptions tab and, in the Packet Capture column for a signature, click the drop-down and select single-packet or extended-capture.

(Optional) To define the length of a threat packet capture based on the number of packets captured (which is based on a global setting), select Device > Setup > Content-ID and, in the Content-ID Settings section, modify the Extended Packet Capture Length (packets) field (range is 1-50; default is 5).
After you enable packet capture on a security profile, you need to verify that the profile is part of a security rule. For information on how to add a security profile to a security rule, see Security Policy Overview.
Each time the firewall detects a threat when packet capture is enabled on the security profile, you can download or export the packet capture.


Monitor > App Scope

The App Scope reports provide graphical visibility into the following aspects of your network:
• Changes in application usage and user activity
• Users and applications that take up most of the network bandwidth
• Network threats
With the App Scope reports, you can quickly see if any behavior is unusual or unexpected, and they help pinpoint problematic behavior; each report provides a dynamic, user-customizable window into the network. The reports include options to select the data and ranges to display. On Panorama, you can also select the Data Source for the information that is displayed. The default data source (on new Panorama installations) uses the local database on Panorama, which stores logs forwarded by the managed firewalls; on an upgrade, the default data source is the Remote Device Data (managed firewall data). To fetch and display an aggregated view of the data directly from the managed firewalls, you now have to switch the source from Panorama to Remote Device Data.
Hovering the mouse over and clicking either the lines or bars on the charts switches to the ACC and provides detailed information about the specific application, application category, user, or source.

Application Command Center Charts    Description

Summary    Summary Report

Change Monitor    Change Monitor Report

Threat Monitor    Threat Monitor Report

Threat Map    Threat Map Report

Network Monitor    Network Monitor Report

Traffic Map    Traffic Map Report


Summary Report

The Summary report displays charts for the top five gainers, losers, and bandwidth-consuming applications, application categories, users, and sources.
To export the charts in the summary report as a PDF, click Export. Each chart is saved as a page in the PDF output.

Figure: App Scope Summary Report


Change Monitor Report

The Change Monitor report displays changes over a specified time period. For example, the figure below displays the top applications that gained in use over the last hour as compared with the last 24-hour period. The top applications are determined by session count and sorted by percentage.

Figure: App Scope Change Monitor Report

This report contains the following options.

Change Monitor Report Options    Description

Top Bar

• Top 10: Determines the number of records with the highest measurement included in the chart.

• Application: Determines the type of item reported: Application, Application Category, Source, or Destination.

• Gainers: Displays measurements of items that have increased over the measured period.

• Losers: Displays measurements of items that have decreased over the measured period.

• New: Displays measurements of items that were added over the measured period.

• Dropped: Displays measurements of items that were discontinued over the measured period.

• Filter: Applies a filter to display only the selected item. None displays all entries.


• Count Sessions and Count Bytes: Determines whether to display session or byte information.

• Sort: Determines whether to sort entries by percentage or raw growth.

• Export: Exports the graph as a .png image or as a PDF.

Bottom Bar

• Compare (interval): Specifies the period over which the change measurements are taken.

Threat Monitor Report

The Threat Monitor report displays a count of the top threats over the selected time period. For example, the figure below shows the top 10 threat types for the past 6 hours.

Figure: App Scope Threat Monitor Report


Each threat type is color-coded as indicated in the legend below the chart. This report contains the following options.

Threat Monitor Report Options    Description

Top Bar

• Top 10: Determines the number of records with the highest measurement included in the chart.

• Threat: Determines the type of item measured: Threat, Threat Category, Source, or Destination.

• Filter: Applies a filter to display only the selected item.

• Determines whether the information is presented in a stacked column chart or a stacked area chart.

• Export: Exports the graph as a .png image or as a PDF.

Bottom Bar

• Specifies the period over which the measurements are taken.

Threat Map Report

The Threat Map report shows a geographical view of threats, including severity.

Figure: App Scope Threat Map Report

68 PANOS8.0WebInterfaceReferenceGuide PaloAltoNetworks,Inc.
Monitor Monitor>AppScope

Eachthreattypeiscolorcodedasindicatedinthelegendbelowthechart.Clickacountryonthemapto
Zoom InandthenZoom Outasneeded.Thisreportcontainsthefollowingoptions.

ThreatMapReportOptions Description

Top Bar

Top10 Determinesthenumberofrecordswiththehighest
measurementincludedinthechart.

Incomingthreats Displaysincomingthreats.

Outgoingthreats Displaysoutgoingthreats.

Filter Appliesafiltertodisplayonlytheselecteditem.

ZoomInandZoomOut Zoominandzoomoutofthemap.

Export Exportsthegraphasa.pngimageorasaPDF.

Bottom Bar

Indicatestheperiodoverwhichthemeasurementsaretaken.

Network Monitor Report

The Network Monitor report displays the bandwidth dedicated to different network functions over the specified period of time. Each network function is color-coded as indicated in the legend below the chart. For example, the image below shows application bandwidth for the past 7 days based on session information.

App Scope Network Monitor Report

The report contains the following options.

Network Monitor Report Options  Description

Top Bar

Top 10: Determines the number of records with the highest measurement included in the chart.

Application: Determines the type of item reported: Application, Application Category, Source, or Destination.

Filter: Applies a filter to display only the selected item. None displays all entries.

Count Sessions and Count Bytes: Determines whether to display session or byte information.

Determines whether the information is presented in a stacked column chart or a stacked area chart.

Export: Exports the graph as a .png image or as a PDF.

Bottom Bar

Indicates the period over which the change measurements are taken.

Traffic Map Report

The Traffic Map report shows a geographical view of traffic flows according to sessions or flows.

App Scope Traffic Map Report

Each traffic type is color-coded as indicated in the legend below the chart. This report contains the following options.

Traffic Map Report Options  Description

Top Bar

Top 10: Determines the number of records with the highest measurement included in the chart.

Incoming traffic: Displays incoming traffic.

Outgoing traffic: Displays outgoing traffic.

Count Sessions and Count Bytes: Determines whether to display session or byte information.

Zoom In and Zoom Out: Zoom in and zoom out of the map.

Export: Exports the graph as a .png image or as a PDF.

Bottom Bar

Indicates the period over which the change measurements are taken.

Monitor > Session Browser

Select Monitor > Session Browser to browse and filter currently running sessions on the firewall. For information on filtering options for this page, see Log Actions.

Monitor > Block IP List

You can configure the firewall to place IP addresses on the block list in several ways, including the following:
- Configure a DoS Protection policy rule with the Action to Protect and apply a Classified DoS Protection profile to the rule. The profile includes the Block Duration.
- Configure a Security policy rule with a Vulnerability Protection profile that uses a rule with the Action to Block IP and apply the rule to a zone.
The Block IP List is supported on PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls.

What do you want to know?  See:

What do the Block IP List fields indicate?  Block IP List Entries

How do I filter, navigate, or delete Block IP List entries?  View or Delete Block IP List Entries

Looking for more?  Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
  DoS Protection Against Flooding of New Sessions
  Monitor Blocked IP Addresses

Block IP List Entries

The following table explains the block list entry for a source IP address that the firewall is blocking.

Field  Description

Block Time: Month/day and hours:minutes:seconds when the IP address went on the Block IP List.

Type: Type of block action: whether the hardware (hw) or software (sw) blocked the IP address.
When you configure a DoS Protection policy or a Security policy that uses a Vulnerability Protection profile to block connections from source IPv4 addresses, the firewall automatically blocks that traffic in hardware before those packets use CPU or packet buffer resources. If attack traffic exceeds the blocking capacity of the hardware, the firewall uses software to block the traffic.

Source IP Address: Source IP address of the packet that the firewall blocked.

Ingress Zone: Security zone assigned to the interface where the packet entered the firewall.

Time Remaining: Number of seconds remaining for the IP address to be on the Block IP List.

Block Source: Name of the classified DoS Protection profile or Vulnerability Protection object where you specified the Block IP action.

Total Blocked IPs: x out of y (z% used): Count of blocked IP addresses (x) out of the number of blocked IP addresses the firewall supports (y), and the corresponding percentage of blocked IP addresses used (z).

View or Delete Block IP List Entries

Navigate the Block IP List entries, view detailed information, and delete an entry if desired.

View or Delete Block IP List Entries

Search for specific Block IP List information: Select a value in a column, which enters a filter in the Filters field, and click the right arrow to initiate the search for entries with that value. Click the X to remove the filter.

View Block IP List entries beyond the current screen: Enter a page number in the Page field or click the single arrows to see the Next Page or Previous Page of entries. Click the double arrows to view the Last Page or First Page of entries.

View detailed information about an IP address on the Block IP List: Click on a Source IP Address of an entry, which links to Network Solutions WhoIs with information about the address.

Delete Block IP List entries: Select an entry and click Delete.

Clear the entire Block IP List: Click Clear All to permanently delete all entries, which means those packets are no longer blocked.
Monitor > Botnet

The botnet report enables you to use behavior-based mechanisms to identify potential malware- and botnet-infected hosts in your network. The report assigns each host a confidence score of 1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. Before scheduling the report or running it on demand, you must configure it to identify types of traffic as suspicious. The PAN-OS Administrator's Guide provides details on interpreting botnet report output.
- Managing Botnet Reports
- Configuring the Botnet Report

Managing Botnet Reports

Monitor > Botnet > Report Setting
Before generating the botnet report, you must specify the types of traffic that indicate potential botnet activity (see Configuring the Botnet Report). To schedule a daily report or run it on demand, click Report Setting and complete the following fields. To export a report, select it and Export to PDF, Export to CSV, or Export to XML.

Botnet Report Settings  Description

Test Run Time Frame: Select the time interval for the report: Last 24 Hours (default) or Last Calendar Day.

Run Now: Click Run Now to manually and immediately generate a report. The report displays in a new tab within the Botnet Report dialog.

No. of Rows: Specify the number of rows to display in the report (default is 100).

Scheduled: Select this option to automatically generate the report daily. By default, this option is enabled.

Query Builder: (Optional) Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones. For example, if you know that traffic initiated from the IP address 192.0.2.0 contains no potential botnet activity, you can add not (addr.src in 192.0.2.0) as a query to exclude that host from the report output.
- Connector: Select a logical connector (and or or). If you select Negate, the report will exclude the hosts that the query specifies.
- Attribute: Select a zone, address, or user that is associated with the hosts that the firewall evaluates for botnet activity.
- Operator: Select an operator to relate the Attribute to a Value.
- Value: Enter a value for the query to match.

Configuring the Botnet Report

Monitor > Botnet > Configuration
To specify the types of traffic that indicate potential botnet activity, click Configuration on the right side of the Botnet page and complete the following fields. After configuring the report, you can run it on demand or schedule it to run daily (see Monitor > PDF Reports > Manage PDF Summary).

Botnet Configuration Settings  Description

HTTP Traffic: Enable and define the Count for each type of HTTP Traffic that the report will include. The Count values you enter are the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report will display the lower confidence score or (for certain traffic types) won't display an entry for the host.
- Malware URL visit (range is 2-1000; default is 5): Identifies users communicating with known malware URLs based on malware and botnet URL filtering categories.
- Use of dynamic DNS (range is 2-1000; default is 5): Looks for dynamic DNS query traffic that might indicate malware, botnet communications, or exploit kits. Generally, using dynamic DNS domains is very risky. Malware often uses dynamic DNS to avoid IP blacklisting. Consider using URL filtering to block such traffic.
- Browsing to IP domains (range is 2-1000; default is 10): Identifies users who browse to IP domains instead of URLs.
- Browsing to recently registered domains (range is 2-1000; default is 5): Looks for traffic to domains that were registered within the past 30 days. Attackers, malware, and exploit kits often use newly registered domains.
- Executable files from unknown sites (range is 2-1000; default is 5): Identifies executable files downloaded from unknown URLs. Executable files are a part of many infections and, when combined with other types of suspicious traffic, can help you prioritize host investigations.

Unknown Applications: Define the thresholds that determine whether the report will include traffic associated with suspicious Unknown TCP or Unknown UDP applications.
- Sessions Per Hour (range is 1-3600; default is 10): The report includes traffic that involves up to the specified number of application sessions per hour.
- Destinations Per Hour (range is 1-3600; default is 10): The report includes traffic that involves up to the specified number of application destinations per hour.
- Minimum Bytes (range is 1-200; default is 50): The report includes traffic for which the application payload equals or exceeds the specified size.
- Maximum Bytes (range is 1-200; default is 100): The report includes traffic for which the application payload is equal to or less than the specified size.

IRC: Select this option to include traffic involving IRC servers.

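The HTTP Traffic and Unknown Applications settings above are thresholds with documented ranges and defaults, and the table gives their semantics (a Count is a minimum, the per-hour limits are "up to", the byte settings bound a window). The following Python is an added illustration, not PAN-OS code: it carries those ranges and defaults, rejects a configuration that leaves them, and applies the gating rules to constructed per-host counts. The setting identifiers, BotnetConfig and its methods are names chosen for this example; how the report derives its 1-to-5 confidence score from these thresholds is not described on this page and is not modelled.

```python
"""Threshold gating for the Botnet report Configuration described above.

Added illustration, not PAN-OS code. Ranges, defaults and the "minimum Count",
"up to" and "between Minimum and Maximum Bytes" semantics come from the page;
the 1-to-5 confidence score calculation is not on the page and is not modelled."""
from dataclasses import dataclass, field
from typing import Dict, List

# Setting name -> (range low, range high, default), as listed on the page.
# The setting identifiers themselves are chosen for this example.
HTTP_TRAFFIC_RANGES = {
    "malware_url_visit": (2, 1000, 5),
    "use_of_dynamic_dns": (2, 1000, 5),
    "browsing_to_ip_domains": (2, 1000, 10),
    "browsing_to_recently_registered_domains": (2, 1000, 5),
    "executable_files_from_unknown_sites": (2, 1000, 5),
}
UNKNOWN_APP_RANGES = {
    "sessions_per_hour": (1, 3600, 10),
    "destinations_per_hour": (1, 3600, 10),
    "minimum_bytes": (1, 200, 50),
    "maximum_bytes": (1, 200, 100),
}


def _defaults(table: Dict[str, tuple]) -> Dict[str, int]:
    return {name: default for name, (_low, _high, default) in table.items()}


@dataclass
class BotnetConfig:
    http_counts: Dict[str, int] = field(default_factory=lambda: _defaults(HTTP_TRAFFIC_RANGES))
    unknown_apps: Dict[str, int] = field(default_factory=lambda: _defaults(UNKNOWN_APP_RANGES))
    include_irc: bool = True

    def validate(self) -> List[str]:
        """Return a description of every setting outside its documented range."""
        errors: List[str] = []
        for table, values in ((HTTP_TRAFFIC_RANGES, self.http_counts),
                              (UNKNOWN_APP_RANGES, self.unknown_apps)):
            for name, (low, high, _default) in table.items():
                if not low <= values[name] <= high:
                    errors.append(f"{name}={values[name]} outside {low}-{high}")
        # Not a range the page states, but an inverted window would match no traffic.
        if self.unknown_apps["minimum_bytes"] > self.unknown_apps["maximum_bytes"]:
            errors.append("minimum_bytes exceeds maximum_bytes")
        return errors

    def http_types_at_count(self, events_per_type: Dict[str, int]) -> List[str]:
        """HTTP traffic types for which a host's event count reached the configured
        Count, i.e. the minimum for the higher confidence score."""
        return sorted(t for t, n in events_per_type.items() if n >= self.http_counts[t])

    def unknown_app_qualifies(self, sessions_per_hour: int,
                              destinations_per_hour: int, payload_bytes: int) -> bool:
        """Unknown TCP/UDP traffic is included when sessions and destinations stay
        at or below their thresholds and the payload lies within the byte window."""
        u = self.unknown_apps
        return (sessions_per_hour <= u["sessions_per_hour"]
                and destinations_per_hour <= u["destinations_per_hour"]
                and u["minimum_bytes"] <= payload_bytes <= u["maximum_bytes"])


# Constructed per-host event counts for one day, to exercise the defaults.
SAMPLE_HOST_EVENTS = {
    "malware_url_visit": 7,
    "use_of_dynamic_dns": 1,
    "browsing_to_ip_domains": 10,
    "browsing_to_recently_registered_domains": 0,
    "executable_files_from_unknown_sites": 5,
}

if __name__ == "__main__":
    cfg = BotnetConfig()
    print("validation errors:", cfg.validate())
    print("HTTP types at or above Count:", cfg.http_types_at_count(SAMPLE_HOST_EVENTS))
    print("unknown app (10 sessions, 3 destinations, 50 bytes):",
          cfg.unknown_app_qualifies(10, 3, 50))
```

With the defaults, the constructed host reaches the Count for three of the five HTTP traffic types (7 malware URL visits against a Count of 5, exactly 10 IP-domain visits against 10, and 5 executables against 5), which is the kind of host the report would list with a higher confidence score.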
Monitor > PDF Reports

- Monitor > PDF Reports > Manage PDF Summary
- Monitor > PDF Reports > User Activity Report
- Monitor > PDF Reports > SaaS Application Usage
- Monitor > PDF Reports > Report Groups
- Monitor > PDF Reports > Email Scheduler

Monitor > PDF Reports > Manage PDF Summary

PDF summary reports contain information compiled from existing reports, based on data for the top 5 in each category (instead of top 50). They also contain trend charts that are not available in other reports.

PDF Summary Report

To create PDF summary reports, click Add. The PDF Summary Report page opens to show all of the available report elements.

Managing PDF Reports

Use one or more of these options to design the report:
- To remove an element from the report, click delete ([X]) or clear the item from the appropriate drop-down.
- Select additional elements by selecting them in the appropriate drop-down.
- Drag and drop an element to move it to another area of the report.

There is a maximum of 18 report elements allowed. If you have 18 already, you must delete existing elements before you can add new ones.

To Save the report, enter a report name, and click OK.
To display PDF reports, select Monitor > Reports, click PDF Summary Report, and click a report to open or save that report. You can also export a report using the options at the bottom of the page (Export to PDF, Export to CSV, or Export to XML) or click a day in the calendar to download a report for that day.

New PDF summary reports will not appear until after the report runs, which will occur automatically every 24 hours at 2 a.m.

Monitor > PDF Reports > User Activity Report

Use this page to create reports that summarize the activity of individual users or user groups. Click Add and specify the following information.

User/Group Activity Report Settings  Description

Name: Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Type: For User Activity Report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user who will be the subject of the report.
For Group Activity Report: Select Group and enter the Group Name.

Time Period: Select the time frame for the report from the drop-down.

Include Detailed Browsing: (Optional) Select this option to include detailed URL logs in the report. The detailed browsing information can include a large volume of logs (thousands) for the selected user or user group and cause a report to be very large.

The Group Activity Report does not include Browsing Summary by URL Category; all other information is common across the User Activity Report and the Group Activity Report.

To run the report on demand, click Run Now. To change the maximum number of rows that display in the report, see Logging and Reporting Settings.
To save the report, click OK. You can then schedule the report for email delivery (Monitor > PDF Reports > Email Scheduler).

Monitor > PDF Reports > SaaS Application Usage

Use this page to create a report that summarizes the SaaS application activity on your network. This predefined report presents a comparison of the sanctioned versus unsanctioned SaaS application usage on your network, and you can use this information to help steer your users toward sanctioned applications. You can then enforce granular context- and application-based policies for SaaS applications that you want to allow or block on your network.
For generating an accurate and informative report, you must tag the sanctioned applications on your network (see Actions Supported on Applications). The firewall and Panorama consider any application without this predefined tag as unsanctioned for use on the network. It is important to know about the sanctioned applications and unsanctioned applications that are prevalent on your network because unsanctioned SaaS applications are a potential threat to information security; they are not approved for use on your network and can cause an exposure to threats and loss of private and sensitive data.

Make sure you tag applications consistently across all firewalls or device groups. If the same application is tagged as sanctioned in one virtual system and is not sanctioned in another or on Panorama, or if an application is unsanctioned in a parent device group but is tagged as sanctioned in a child device group (or vice versa), the SaaS Application Usage report will produce overlapping results.
On the ACC, set the Application View to By Sanctioned State to visually identify applications that have a different sanctioned state across virtual systems or device groups. Green indicates sanctioned applications, blue is for unsanctioned applications, and yellow indicates applications that have a different sanctioned state across different virtual systems or device groups.

To configure the report, click Add and specify the following information:

SaaS Application Usage Report Settings  Description

Name: Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Time Period: Select the time frame for the report from the drop-down: Last 7 Days, Last 30 Days, or Last 90 Days. The report includes data from the current day (the day on which the report is generated).

Include logs from: From the drop-down, select whether you want to generate the report on a selected user group, on a selected zone, or for all user groups and zones configured on the firewall or Panorama.
- For a selected user group: Select the User Group for which the firewall or Panorama will filter the logs.
- For a selected zone: Select the Zone for which the firewall or Panorama will filter the logs.
- For all user groups and zones: You can report on all groups or choose up to 25 user groups for which you want visibility. If you have more than 25 groups, the firewall or Panorama will display the top 25 groups in the report and assign all remaining user groups to the Others group.

Include user group information in the report (Not available if you choose to generate the report on a Selected User Group.): This option filters the logs for the user groups you want to include in the report. Select the manage groups or the manage groups for the selected zone link to choose up to 25 user groups for which you want visibility. When you generate a report for specific user groups on a selected zone, users who are not a member of any of the selected groups are assigned to a user group called Others.

User group: Select the user group(s) for which you want to generate the report. This option displays only when you choose Selected User Group in the Include logs from drop-down.

Zone: Select the zone for which you want to generate the report. This option displays only when you choose Selected Zone in the Include logs from drop-down. You can then select Include user group information in the report.

Include detailed application category information in report: The SaaS Application Usage PDF report is a two-part report. By default, both parts of the report are generated. The first part of the report (ten pages) focuses on the SaaS applications used on your network during the reporting period.
Clear this option if you do not want the second part of the report, which includes detailed information for SaaS and non-SaaS applications for each application subcategory listed in the first part of the report. This second part of the report includes the names of the top applications in each subcategory and information about users, user groups, files, bytes transferred, and threats generated from these applications.
Without the detailed information, the report is ten pages long.

Limit max subcategories in the report to: Select whether you want to use all application subcategories in the SaaS Application Usage report or whether you want to limit the maximum number to 10, 15, 20, or 25 subcategories.
When you reduce the maximum number of subcategories, the detailed report is shorter because you limit the SaaS and non-SaaS application activity information included in the report.

Click Run Now to generate the report on demand.
To schedule the report, see Monitor > PDF Reports > Email Scheduler.
On PA-200 and PA-500 firewalls, the SaaS Application Usage report is not sent as a PDF attachment in the email. Instead, the email includes a link you use to open the report in a web browser.
For more information on the report, see Manage Reporting.

Monitor > PDF Reports > Report Groups

Report groups allow you to create sets of reports that the system can compile and send as a single aggregate PDF report with an optional title page and all the constituent reports included.

Report Group Settings  Description

Name: Enter a name to identify the report group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Title Page: Select this option to include a title page in the report.

Title: Enter the name that will appear as the report title.

Report selection/Widgets: For each report to include in the group, select the report in the left column and Add it to the right column. You can select the following report types:
- Predefined Report
- Custom Report
- PDF Summary Report
- CSV
- Log View: Whenever you create a custom report, the firewall automatically creates a Log View report with the same name. The Log View report shows the logs that the firewall used to build the contents of the custom report. To include the log view data, when creating a report group, add your Custom Reports and then add the matching Log View reports. The aggregate report generated for the report group displays the custom report data followed by the log data.
After you save the report group, the Widgets column of the Report Groups page lists the reports you added to the group.

To use the report group, refer to Monitor > PDF Reports > Email Scheduler.

Monitor > PDF Reports > Email Scheduler

Use the Email Scheduler to schedule reports for delivery by email. Before adding a schedule, you must define report groups and an email profile. Refer to Monitor > PDF Reports > Report Groups and Device > Server Profiles > Email.
Scheduled reports begin running at 2:00 AM, and email forwarding occurs after all scheduled reports have finished running.

Email Scheduler Settings  Description

Name: Enter a name to identify the schedule (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Report Group: Select the report group (Monitor > PDF Reports > Report Groups) or the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage) you want to schedule.

Email Profile: Select the profile that defines the email settings. Refer to Device > Server Profiles > Email for information on defining email profiles.

Recurrence: Select the frequency at which to generate and send the report.

Override Email Addresses: Enter an optional email address to use instead of the recipient specified in the email profile.

Send test email: Click to send a test email to the email address defined in the selected Email Profile.

Monitor > Manage Custom Reports

You can create custom reports to run on demand or on schedule (each night). For reports that are predefined, select Monitor > Reports.
Add a custom report to create a new one. To base the report on an existing template, Load Template and select the template. To generate a report on demand, instead of or in addition to the Scheduled time, click Run Now.
Specify the following settings to define the report.

Custom Report Settings  Description

Name: Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the custom report.

Database: Choose the database to use as the data source for the report.

Scheduled: Select this option to run the report each night. The report then becomes available by selecting Monitor > Reports.

Time Frame: Choose a fixed time frame or choose Custom and specify a date and time range.

Sort By: Choose sorting options to organize the report, including the amount of information to include in the report. The available options depend on the choice of database.

Group By: Choose grouping options to organize the report, including the amount of information to include in the report. The available options depend on the choice of database.

Columns: Select Available Columns to include in the custom report and add ( ) them to Selected Columns. Select Up, Down, Top, and Bottom to reorder selected columns. As needed, you can also select and remove ( ) previously selected columns.

Query Builder: To build a report query, specify the following and click Add. Repeat as needed to construct the full query.
- Connector: Choose the connector (and or or) to precede the expression you are adding.
- Negate: Select this option to interpret the query as a negation. In the previous example, the negate option causes a match on entries that are not in the past 24 hours or are not from the untrust zone.
- Attribute: Choose a data element. The available options depend on the choice of database.
- Operator: Choose the criterion to determine whether the attribute applies (such as =). The available options depend on the choice of database.
- Value: Specify the attribute value to match.

For more information, see Generate Custom Reports.

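Both Query Builders on this page, the one under Monitor > Botnet > Report Setting and the one in the custom report settings above, compose a filter from the same rows: a Connector, an optional Negate, an Attribute, an Operator and a Value. The following Python is an added example, not PAN-OS code: it renders such rows into the query text the Botnet section shows, not (addr.src in 192.0.2.0), and evaluates the result against a few constructed log records. Clause, render, evaluate and filter_records are names chosen here; the attribute names, the three operators (in, eq, neq) and the left-to-right combination of connectors are simplifying assumptions, not a description of the firewall's query grammar.

```python
"""Build and evaluate a Query Builder filter (Connector, Negate, Attribute,
Operator, Value) against log records.

Added illustration, not PAN-OS code. Attribute names, the operator subset and
left-to-right connector evaluation are simplifying assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Clause:
    connector: str    # "and" or "or"; ignored for the first clause
    negate: bool
    attribute: str    # e.g. "addr.src", "zone.src", "user.src"
    operator: str     # "in" (address containment), "eq" or "neq"
    value: str


def render(clauses: List[Clause]) -> str:
    """Render builder rows as query text, e.g. not (addr.src in 192.0.2.0)."""
    parts: List[str] = []
    for i, c in enumerate(clauses):
        expr = f"({c.attribute} {c.operator} {c.value})"
        if c.negate:
            expr = "not " + expr
        if i > 0:
            parts.append(c.connector)
        parts.append(expr)
    return " ".join(parts)


def _clause_matches(c: Clause, record: Dict[str, Optional[str]]) -> bool:
    actual = record.get(c.attribute)
    if actual is None:
        result = False                    # attribute missing from the record: no match
    elif c.operator == "in":
        # A bare host such as 192.0.2.0 is a /32; a prefix such as 192.0.2.0/24 also works.
        result = ipaddress.ip_address(actual) in ipaddress.ip_network(c.value, strict=False)
    elif c.operator == "eq":
        result = actual == c.value
    elif c.operator == "neq":
        result = actual != c.value
    else:
        raise ValueError(f"unsupported operator {c.operator!r}")
    return (not result) if c.negate else result


def evaluate(clauses: List[Clause], record: Dict[str, Optional[str]]) -> bool:
    """Combine clauses left to right; an empty query matches every record."""
    result = True
    for i, c in enumerate(clauses):
        current = _clause_matches(c, record)
        if i == 0:
            result = current
        elif c.connector == "and":
            result = result and current
        elif c.connector == "or":
            result = result or current
        else:
            raise ValueError(f"unsupported connector {c.connector!r}")
    return result


def filter_records(clauses: List[Clause], records: List[Dict[str, Optional[str]]]):
    return [r for r in records if evaluate(clauses, r)]


# Constructed log records (RFC 5737 documentation addresses, made-up users and zones).
SAMPLE_LOGS = [
    {"addr.src": "192.0.2.0", "zone.src": "trust", "user.src": "alice"},
    {"addr.src": "192.0.2.10", "zone.src": "trust", "user.src": "bob"},
    {"addr.src": "198.51.100.7", "zone.src": "untrust", "user.src": None},
]

# The page's example: exclude a host known to carry no botnet activity.
EXCLUDE_KNOWN_GOOD = [Clause("and", True, "addr.src", "in", "192.0.2.0")]
# Negate applied to the second of two rows joined by "and".
TRUST_NOT_ALICE = [
    Clause("and", False, "zone.src", "eq", "trust"),
    Clause("and", True, "user.src", "eq", "alice"),
]
# Two rows joined by "or".
UNTRUST_OR_BOB = [
    Clause("and", False, "zone.src", "eq", "untrust"),
    Clause("or", False, "user.src", "eq", "bob"),
]

if __name__ == "__main__":
    for query in (EXCLUDE_KNOWN_GOOD, TRUST_NOT_ALICE, UNTRUST_OR_BOB):
        print(render(query), "->", [r["addr.src"] for r in filter_records(query, SAMPLE_LOGS)])
```

A record that lacks the queried attribute (the third log line has no user) never matches a positive clause, which is why a Negate on that clause includes it; that is worth keeping in mind when a negated user or group filter is meant to exclude hosts.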
Monitor > Reports

The firewall provides various top 50 reports of the traffic statistics for the previous day or a selected day in the previous week.
To view a report, expand a report category (such as Custom Reports) on the right side of the page and select a report name. The page lists reports in sections. You can view the information in each report for the selected time period.
By default, the firewall displays all reports for the previous calendar day. To view reports for other dates, select a report generation date in the calendar at the bottom right of the page.
To view reports on a system other than the firewall, select an export option:
- Export to PDF
- Export to CSV
- Export to XML
Policies

This section describes the firewall web interfaces you can use to configure policies:
- Policy Types
- Move or Clone a Policy Rule
- Policies > Security
- Policies > NAT
- Policies > QoS
- Policies > Policy Based Forwarding
- Policies > Decryption
- Policies > Tunnel Inspection
- Policies > Application Override
- Policies > Authentication
- Policies > DoS Protection

Policy Types

Policies enable you to control firewall operation by enforcing rules and automating actions. The firewall supports the following policy types:
- Basic security policies to block or allow a network session based on the application, the source and destination zones and addresses, and optionally based on the service (port and protocol). Zones identify the physical or logical interfaces that send or receive the traffic. See Policies > Security.
- Network Address Translation (NAT) policies to translate addresses and ports. See Policies > NAT.
- Quality of Service (QoS) policies to determine how traffic is classified for treatment when it passes through an interface with QoS enabled. See Policies > QoS.
- Policy-based forwarding policies to override the routing table and specify an egress interface for traffic. See Policies > Policy Based Forwarding.
- Decryption policies to specify traffic decryption for security policies. Each policy can specify the categories of URLs for the traffic you want to decrypt. SSH decryption is used to identify and control SSH tunneling in addition to SSH shell access. See Policies > Decryption.
- Tunnel Inspection policies to enforce Security, DoS Protection, and QoS policies on tunneled traffic, and to view tunnel activity. See Policies > Tunnel Inspection.
- Override policies to override the application definitions provided by the firewall. See Policies > Application Override.
- Authentication policies to define authentication for end users who access network resources. See Policies > Authentication.
- Denial of service (DoS) policies to protect against DoS attacks and take protective action in response to rule matches. See Policies > DoS Protection.

Shared policies pushed from Panorama display in orange on the firewall web interface. You can edit these shared policies only on Panorama; you cannot edit them on the firewall.
Use the Tag Browser to view all the tags used in a rulebase. In rulebases with many rules, the tag browser simplifies the display by presenting the tags, color code, and the rule numbers in which tags are used.

Move or Clone a Policy Rule

When moving or cloning policies, you can assign a Destination (a virtual system on a firewall or a device group on Panorama) for which you have access permissions, including the Shared location.
To move a policy rule, select the rule in the Policies tab, click Move, select Move to other vsys (firewalls only) or Move to other device group (Panorama only), specify the fields in the following table, and then click OK.
To clone a policy rule, select the rule in the Policies tab, click Clone, specify the fields in the following table, and then click OK.

Move/Clone Settings  Description

Selected Rules: Displays the Name and current Location (virtual system or device group) of the policy rules you selected for the operation.

Destination: Select the new location for the policy or object: a virtual system, device group, or Shared. The default value is the Virtual System or Device Group that you selected in the Policies or Objects tab.

Rule order: Select the rule position relative to other rules:
- Move top: The rule will precede all other rules.
- Move bottom: The rule will follow all other rules.
- Before rule: In the adjacent drop-down, select the subsequent rule.
- After rule: In the adjacent drop-down, select the preceding rule.

Error out on first detected error in validation: Select this option (selected by default) to make the firewall or Panorama display the first error it finds and stop checking for more errors. For example, an error occurs if the Destination doesn't include an object that is referenced in the policy rule you are moving. If you clear this selection, the firewall or Panorama will find all errors before displaying them.

Policies > Security

Security policy rules reference security zones and enable you to allow, restrict, and track traffic on your network based on the application, user or user group, and service (port and protocol). By default, the firewall includes a security rule named rule1 that allows all traffic from the Trust zone to the Untrust zone.

What do you want to know?  See:

What is a Security policy?  Security Policy Overview
  For Panorama, see Move or Clone a Policy Rule

What are the fields available to create a Security policy rule?  Building Blocks in a Security Policy Rule

How can I use the web interface to manage Security policy rules?  Creating and Managing Policies
  Overriding or Reverting a Security Policy Rule

Looking for more?  Security Policy

Security Policy Overview

Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones. For example, a rule for a single application must precede a rule for all applications if all other traffic-related settings are the same.

To ensure that end users authenticate when they try to access your network resources, the firewall evaluates Authentication policy before Security policy. For details, see Policies > Authentication.

For traffic that doesn't match any user-defined rules, the default rules apply. The default rules, displayed at the bottom of the security rulebase, are predefined to allow all intrazone traffic (within the zone) and deny all interzone traffic (between zones). Although these rules are part of the predefined configuration and are read-only by default, you can Override them and change a limited number of settings, including the tags, action (allow or deny), log settings, and security profiles.
The interface includes the following tabs for defining Security policy rules.
- General: Select the General tab to configure a name and description for the Security policy rule.
- Source: Select the Source tab to define the source zone or source address from which the traffic originates.
- User: Select the User tab to enforce policy for individual users or a group of users. If you are using GlobalProtect with host information profile (HIP) enabled, you can also base the policy on information collected by GlobalProtect. For example, the user access level can be determined by the HIP that notifies the firewall about the user's local configuration. The HIP information can be used for granular access control based on the security programs that are running on the host, registry values, and many other checks such as whether the host has antivirus software installed.
- Destination: Select the Destination tab to define the destination zone or destination address for the traffic.
- Application: Select the Application tab to have the policy action occur based on an application or application group. An administrator can also use an existing App-ID signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in Objects > Applications.
- Service/URL Category: Select the Service/URL Category tab to specify a specific TCP and/or UDP port number or a URL category as match criteria in the policy.
- Action: Select the Action tab to determine the action that will be taken based on traffic that matches the defined policy attributes.

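The overview above states two evaluation rules worth seeing side by side: rules are compared in sequence and the first match is applied, so a rule for one application must come before a rule for all applications or it is shadowed; and traffic that matches no user-defined rule falls through to the predefined intrazone-default (allow) and interzone-default (deny) rules. The following Python is an added illustration, not PAN-OS code. It also models the universal, intrazone and interzone rule Types defined in the Building Blocks table that follows, using that table's zone A, B and C examples. A flow is reduced to (source zone, destination zone, application), and Rule, first_match and covered_pairs are names chosen for this example.

```python
"""First-match Security policy evaluation with universal / intrazone / interzone
rule Types and the predefined default rules.

Added illustration, not PAN-OS code. A flow is reduced to (source zone,
destination zone, application); Rule, first_match and covered_pairs are
names chosen for this example."""
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

ANY = "any"


def _member(allowed: Set[str], value: str) -> bool:
    return ANY in allowed or value in allowed


@dataclass
class Rule:
    name: str
    action: str                                 # "allow" or "deny"
    rule_type: str = "universal"                # "universal", "intrazone" or "interzone"
    src_zones: Set[str] = field(default_factory=lambda: {ANY})
    dst_zones: Set[str] = field(default_factory=lambda: {ANY})
    applications: Set[str] = field(default_factory=lambda: {ANY})

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        if not (_member(self.applications, app) and _member(self.src_zones, src_zone)):
            return False
        if self.rule_type == "intrazone":
            # Intrazone rules have no destination zone: traffic must stay in its source zone.
            return src_zone == dst_zone
        if not _member(self.dst_zones, dst_zone):
            return False
        if self.rule_type == "interzone":
            return src_zone != dst_zone
        return True                             # universal: intrazone and interzone alike


def first_match(rules: Iterable[Rule], src_zone: str, dst_zone: str, app: str) -> Tuple[str, str]:
    """Rules are compared in sequence and the first match is applied. Traffic that
    matches no user-defined rule falls through to the predefined default rules."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, app):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def covered_pairs(rule: Rule, zones: Iterable[str]) -> Set[Tuple[str, str]]:
    """Every (source, destination) zone pair the rule applies to, application aside."""
    return {(s, d) for s in zones for d in zones if rule.matches(s, d, ANY)}


# The Type examples from the Building Blocks table, checked over zones A, B and C.
ZONES = ("A", "B", "C")
UNIVERSAL_AB = Rule("universal-AB", "allow", "universal", {"A", "B"}, {"A", "B"})
INTRAZONE_AB = Rule("intrazone-AB", "allow", "intrazone", {"A", "B"})
INTERZONE_ABC = Rule("interzone-ABC-to-AB", "allow", "interzone", {"A", "B", "C"}, {"A", "B"})

# Specific before general: a deny for one application placed ahead of the
# default rule1 that allows everything from Trust to Untrust.
ORDERED_RULEBASE: List[Rule] = [
    Rule("deny-ssh", "deny", src_zones={"Trust"}, dst_zones={"Untrust"}, applications={"ssh"}),
    Rule("rule1", "allow", src_zones={"Trust"}, dst_zones={"Untrust"}),
]
# Same rules with the general one first: deny-ssh is shadowed and never matches.
SHADOWED_RULEBASE = list(reversed(ORDERED_RULEBASE))

if __name__ == "__main__":
    for rule in (UNIVERSAL_AB, INTRAZONE_AB, INTERZONE_ABC):
        print(rule.name, sorted(covered_pairs(rule, ZONES)))
    print("ordered, ssh:", first_match(ORDERED_RULEBASE, "Trust", "Untrust", "ssh"))
    print("shadowed, ssh:", first_match(SHADOWED_RULEBASE, "Trust", "Untrust", "ssh"))
    print("no rule, Trust->DMZ:", first_match([], "Trust", "DMZ", "web-browsing"))
```

The shadowed rulebase is the failure mode the overview warns about: with rule1 first, an ssh session from Trust to Untrust is allowed by rule1 and the deny rule below it never fires, although nothing in either rule is wrong on its own.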
BuildingBlocksinaSecurityPolicyRule

Thefollowingsectiondescribeseachcomponentinasecuritypolicyrule.Whenyouviewthedefault
securityrule,orcreateanewrule,youcanconfiguretheoptionsdescribedhere.

BuildingBlocksin ConfiguredIn Description


aSecurityRule

Rulenumber N/A Eachruleisautomaticallynumberedandtheorderchangesas


rulesaremoved.Whenyoufilterrulestomatchspecificfilter(s),
eachruleislistedwithitsnumberinthecontextofthecomplete
setofrulesintherulebaseanditsplaceintheevaluationorder.
InPanorama,prerulesandpostrulesareindependently
numbered.WhenrulesarepushedfromPanoramatoamanaged
firewall,therulenumberingincorporateshierarchyinprerules,
firewallrules,andpostruleswithinarulebaseandreflectsthe
rulesequenceanditsevaluationorder.

PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 91
Policies>Security Policies

Name | General
  Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can
  be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on
  Panorama, unique within its device group and any ancestor or descendant device groups.

Tag | General
  Add and specify the tag for the policy.
  A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have
  defined many policies and want to view those that are tagged with a particular keyword. For example, you
  may want to tag certain rules with specific words like Decrypt and No-decrypt, or use the name of a specific
  data center for policies associated with that location.
  You can also add tags to the default rules.

Type | General
  Specifies whether the rule applies to traffic within a zone, between zones, or both:
  - universal (default): Applies the rule to all matching interzone and intrazone traffic in the specified
    source and destination zones. For example, if you create a universal rule with source zones A and B and
    destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B,
    and all traffic from zone A to zone B and all traffic from zone B to zone A.
  - intrazone: Applies the rule to all matching traffic within the specified source zones (you cannot specify
    a destination zone for intrazone rules). For example, if you set the source zone to A and B, the rule
    would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones
    A and B.
  - interzone: Applies the rule to all matching traffic between the specified source and destination zones.
    For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule
    would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from
    zone C to zone B, but not traffic within zones A, B, or C.

Source Zone | Source
  Click Add to choose source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or
  virtual wire). To define new zones, refer to Network > Zones.
  Multiple zones can be used to simplify management. For example, if you have three different internal zones
  (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can
  create one rule that covers all cases.

Source Address | Source
  Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down,
  or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.

Source User | User
  Click Add to choose the source users or groups of users subject to the policy. The following source user
  types are supported:
  - any: Include any traffic regardless of user data.
  - pre-logon: Include remote users that are connected to the network using GlobalProtect, but are not
    logged in to their system. When the Pre-logon option is configured on the Portal for GlobalProtect
    clients, any user who is not currently logged in to their machine will be identified with the username
    pre-logon. You can then create policies for pre-logon users and although the user is not logged in
    directly, their machines are authenticated on the domain as if they were fully logged in.
  - known-user: Includes all authenticated users, which means any IP with user data mapped. This option is
    equivalent to the domain users group on a domain.
  - unknown: Includes all unauthenticated users, which means IP addresses that are not mapped to a user.
    For example, you could use unknown for guest-level access to something because they will have an IP on
    your network but will not be authenticated to the domain and will not have IP-to-user mapping
    information on the firewall.
  - Select: Includes selected users as determined by the selection in this window. For example, you may want
    to add one user, a list of individuals, some groups, or manually add users.
  If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not
  from the User-ID agent, the list of users does not display; you must enter user information manually.

Source HIP Profile | User
  Click Add to choose host information profiles (HIP) to identify users. A HIP enables you to collect
  information about the security status of your end hosts, such as whether they have the latest security
  patches and antivirus definitions installed. Using host information profiles for policy enforcement enables
  granular security that ensures that the remote hosts accessing your critical resources are adequately
  maintained and in adherence with your security standards before they are allowed access to your network
  resources. The following source HIP profiles are supported:
  - any: Includes any endpoint, regardless of HIP information.
  - select: Includes selected HIP profiles as determined by the selection in the window. For example, you
    may want to add one HIP profile, a list of HIP profiles, or manually add HIP profiles.
  - no-hip: HIP information is not required. This setting enables access from third-party clients that cannot
    collect or submit HIP information.

Destination Zone | Destination
  Click Add to choose destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3,
  or virtual wire). To define new zones, refer to Network > Zones.
  Multiple zones can be used to simplify management. For example, if you have three different internal zones
  (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can
  create one rule that covers all cases.
  On intrazone rules, you cannot define a Destination Zone because these types of rules only match traffic
  with a source and a destination within the same zone. To specify the zones that match an intrazone rule
  you only need to set the Source Zone.

Destination Address | Destination
  Click Add to add destination addresses, address groups, or regions (default is any). Select from the
  drop-down, or click Address at the bottom of the drop-down, and specify address settings.

Application | Application
  Select specific applications for the security rule. If an application has multiple functions, you can
  select the overall application or individual functions. If you select the overall application, all
  functions are included and the application definition is automatically updated as future functions are
  added.
  If you are using application groups, filters, or containers in the security rule, you can view details of
  these objects by holding your mouse over the object in the Application column, clicking the drop-down
  arrow and selecting Value. This allows you to view application members directly from the policy without
  having to navigate to the Object tab.

Service | Service/URL Category
  Select services to limit to specific TCP and/or UDP port numbers. Choose one of the following from the
  drop-down:
  - any: The selected applications are allowed or denied on any protocol or port.
  - application-default: The selected applications are allowed or denied only on their default ports defined
    by Palo Alto Networks. This option is recommended for allow policies because it prevents applications
    from running on unusual ports and protocols which, if not intentional, can be a sign of undesired
    application behavior and usage.
    When you use this option, the firewall still checks for all applications on all ports but, with this
    configuration, applications are only allowed on their default ports and protocols.
  - Select: Click Add. Choose an existing service or choose Service or Service Group to specify a new entry.
    (Or select Objects > Services and Objects > Service Groups.)

URL Category | Service/URL Category
  Select URL categories for the security rule.
  - Choose any to allow or deny all sessions regardless of the URL category.
  - To specify a category, click Add and select a specific category (including a custom category) from the
    drop-down. You can add multiple categories. Select Objects > External Dynamic Lists to define custom
    categories.

Action | Actions
  To specify the action for traffic that matches the attributes defined in a rule, select from the following
  actions:
  - Allow (default): Allows the traffic.
  - Deny: Blocks traffic, and enforces the default Deny Action defined for the application that is being
    denied. To view the deny action defined by default for an application, view the application details in
    Objects > Applications.
    Because the default deny action varies by application, the firewall could block the session and send a
    reset for one application, while it could drop the session silently for another application.
  - Drop: Silently drops the application. A TCP reset is not sent to the host/application, unless you select
    Send ICMP Unreachable.
  - Reset client: Sends a TCP reset to the client-side device.
  - Reset server: Sends a TCP reset to the server-side device.
  - Reset both: Sends a TCP reset to both the client-side and server-side devices.
  - Send ICMP Unreachable: Only available for Layer 3 interfaces. When you configure a Security policy rule
    to drop traffic or to reset the connection, the traffic does not reach the destination host. In such
    cases, for all UDP traffic and for TCP traffic that is dropped, you can enable the firewall to send an
    ICMP Unreachable response to the source IP address from where the traffic originated. Enabling this
    setting allows the source to gracefully close or clear the session and prevents applications from
    breaking.
    To view the ICMP Unreachable Packet Rate configured on the firewall, view the Session Settings section
    in Device > Setup > Session.
  To override the default action defined on the predefined interzone and intrazone rules, see Overriding or
  Reverting a Security Policy Rule.

Profile Setting | Actions
  To specify the checking done by the default security profiles, select individual Antivirus, Anti-Spyware,
  Vulnerability Protection, URL Filtering, File Blocking, and/or Data Filtering profiles.
  To specify a profile group rather than individual profiles, select Profile Type Group and then select a
  profile group from the Group Profile drop-down.
  To define new profiles or profile groups, click New next to the appropriate profile or group (refer to
  Objects > Security Profile Groups).
  You can also attach security profiles (or profile groups) to the default rules.

Options | Actions
  The Options tab includes the logging settings and a combination of other options listed below.
  To generate entries in the local traffic log for traffic that matches this rule, select the following
  options:
  - Log At Session Start: Generates a traffic log entry for the start of a session (disabled by default).
  - Log At Session End: Generates a traffic log entry for the end of a session (enabled by default).
    If the session start or end entries are logged, drop and deny entries are also logged.
  - Log Forwarding Profile: To forward the local traffic log and threat log entries to remote destinations,
    such as Panorama and syslog servers, select a log profile from the Log Forwarding Profile drop-down.
    The generation of threat log entries is determined by the security profiles. To define new log profiles,
    click New (refer to Objects > Log Forwarding).
  You can also modify the log settings on the default rules. Specify any combination of the following
  options:
  - Schedule: To limit the days and times when the rule is in effect, select a schedule from the drop-down.
    To define new schedules, click New (refer to Settings to Control Decrypted SSL Traffic).
  - QoS Marking: To change the Quality of Service (QoS) setting on packets matching the rule, select IP DSCP
    or IP Precedence and enter the QoS value in binary or select a predefined value from the drop-down. For
    more information on QoS, refer to Quality of Service.
  - Disable Server Response Inspection: To disable packet inspection from the server to the client, select
    this option. This option may be useful under heavy server load conditions.

Description | General
  Enter a description for the policy (up to 255 characters).
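The rule Type, Service and Action rows above describe how a Security rule is matched. The following Python model is an added example (not code from this guide or from Palo Alto Networks) of that evaluation: it applies the universal/intrazone/interzone zone logic, the any / application-default / explicit service choice, walks the rulebase top-down with first match winning, and falls back to the predefined intrazone-default (allow) and interzone-default (deny) rules. The Rule and Flow shapes and the small application-to-default-port table are assumptions for the example.

```python
"""Model of how a PAN-OS Security rulebase is evaluated (added example, not
Palo Alto Networks code). Rule/Flow shapes and APP_DEFAULT_PORTS are assumed."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    rule_type: str                  # "universal", "intrazone" or "interzone"
    source_zones: set               # {"any"} matches every zone
    dest_zones: set                 # not used by intrazone rules
    action: str = "allow"           # allow, deny, drop, reset-client, ...
    applications: set = field(default_factory=lambda: {"any"})
    service: str = "application-default"  # "any", "application-default" or "tcp/443"


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    app: str        # App-ID identification, assumed already done
    proto: str      # "tcp" or "udp"
    dport: int


# Constructed sample of default ports; the firewall's real table lives in
# Objects > Applications.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "dns": {("udp", 53), ("tcp", 53)},
    "ssh": {("tcp", 22)},
}


def zones_match(rule, flow):
    """Apply the Type row semantics: universal, intrazone or interzone."""
    src_ok = "any" in rule.source_zones or flow.src_zone in rule.source_zones
    if rule.rule_type == "intrazone":
        # No destination zone on intrazone rules: traffic must stay inside a source zone.
        return src_ok and flow.src_zone == flow.dst_zone
    dst_ok = "any" in rule.dest_zones or flow.dst_zone in rule.dest_zones
    if rule.rule_type == "interzone":
        return src_ok and dst_ok and flow.src_zone != flow.dst_zone
    if rule.rule_type == "universal":
        return src_ok and dst_ok
    raise ValueError(f"unknown rule type {rule.rule_type!r}")


def covered_zone_pairs(rule, all_zones):
    """Enumerate the (source, destination) zone pairs a rule can match; this
    reproduces the A/B/C examples given in the Type row."""
    return {(s, d) for s in all_zones for d in all_zones
            if zones_match(rule, Flow(s, d, "any", "tcp", 0))}


def app_match(rule, flow):
    return "any" in rule.applications or flow.app in rule.applications


def service_match(rule, flow):
    """any: every port; application-default: only the app's default ports;
    otherwise an explicit 'proto/port' service object."""
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # App-ID still identifies the application on any port; the rule just
        # does not match when the app is seen on a non-default port.
        return (flow.proto, flow.dport) in APP_DEFAULT_PORTS.get(flow.app, set())
    proto, port = rule.service.split("/")
    return flow.proto == proto and flow.dport == int(port)


def evaluate(rulebase, flow):
    """Top-down, first match wins; the predefined default rules at the bottom
    of the rulebase catch everything else."""
    for rule in rulebase:
        if zones_match(rule, flow) and app_match(rule, flow) and service_match(rule, flow):
            return rule.name, rule.action
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


if __name__ == "__main__":
    # Constructed rulebase: one interzone allow rule using application-default.
    rulebase = [Rule("allow-web-out", "interzone", {"trust"}, {"untrust"}, "allow",
                     {"web-browsing", "ssl"}, "application-default")]
    for flow in (Flow("trust", "untrust", "web-browsing", "tcp", 80),
                 Flow("trust", "untrust", "web-browsing", "tcp", 8080),
                 Flow("trust", "trust", "ssh", "tcp", 22)):
        print(flow, "->", evaluate(rulebase, flow))
```

The second flow shows why application-default is recommended for allow rules: web-browsing on tcp/8080 is still identified by App-ID but does not match the rule, so it falls through to interzone-default and is denied.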

Creating and Managing Policies

Select the Policies > Security page to add, modify, and manage security policies:

Task | Description

Add
  To add a new policy rule, do one of the following:
  - Click Add at the bottom of the page.
  - Select a rule on which to base the new rule and click Clone Rule, or select a rule by clicking the white
    space of the rule and select Clone Rule at the bottom of the page (a rule that is selected in the web
    interface displays with a yellow background). The copied rule, rule-n, is inserted below the selected
    rule, where n is the next available integer that makes the rule name unique. For details on cloning, see
    Move or Clone a Policy Rule.

Modify
  To modify a rule, click the rule.
  If the rule is pushed from Panorama, the rule is read-only on the firewall and cannot be edited locally.

Override and Revert
  Override and Revert actions pertain only to the default rules that are displayed at the bottom of the
  Security rulebase. These predefined rules (allow all intrazone traffic and deny all interzone traffic)
  instruct the firewall on how to handle traffic that does not match any other rule in the rulebase. Because
  they are part of the predefined configuration, you must Override them in order to edit select policy
  settings. If you are using Panorama, you can also Override the default rules, and then push them to
  firewalls in a Device Group or Shared context. You can also Revert the default rules, which restores the
  predefined settings or the settings pushed from Panorama. For details, see Overriding or Reverting a
  Security Policy Rule.

Move
  Rules are evaluated top-down and as enumerated on the Policies page. To change the order in which the
  rules are evaluated against network traffic, select a rule and click Move Up, Move Down, Move Top, or
  Move Bottom. For details, see Move or Clone a Policy Rule.

Delete
  Select a rule and click Delete to remove the existing rule.

Enable/Disable
  To disable a rule, select the rule and click Disable. To enable a rule that is disabled, select the rule
  and click Enable.

View Unused rules
  To identify rules that have not been used since the last time the firewall was restarted, select
  Highlight Unused Rules. You can then decide whether to disable the rule or delete it. Rules not currently
  in use are displayed with a dotted yellow background.
  Each firewall maintains a flag for the rules that have a match. Because the flag is reset when a dataplane
  reset occurs on a reboot or a restart, monitor this list periodically to determine whether the rule has
  had a match since the last check before you delete or disable it.
Show/Hide columns
  To show or hide the columns that display in the Policies pages, select this option next to the column
  name to toggle the display of each column.

Apply filters
  To apply a filter to the list, select from the Filter Rules drop-down. To add a value to define a filter,
  click the drop-down for the item and choose Filter.
  The default rules are not part of rulebase filtering and always show up in the list of filtered rules.

  To view the network sessions that were logged as matches against the policy, click the drop-down for the
  rule name and choose Log Viewer.

  To display the current value, click the drop-down for the entry and choose Value. You can also edit,
  filter, or remove certain items directly from the column menu. For example, to view addresses included in
  an address group, hold your mouse over the object in the Address column, click the drop-down and select
  Value. This allows you to quickly view the members and the corresponding IP addresses for the address
  group without having to navigate to the Object tab.

  To find objects used within a policy based on their name or IP address, use the filter option. After you
  apply the filter, you will see only the items that match the filter. The filter also works with embedded
  objects. Example: when you filter on 10.1.4.8, only the policy that contains that address is displayed.

Preview rules (Panorama only)
  Use Preview Rules to view a list of the rules before you push the rules to the managed firewalls. Within
  each rulebase, the hierarchy of rules is visually demarcated for each device group (and managed firewall)
  to make it easier to scan through a large number of rules.

Overriding or Reverting a Security Policy Rule

The default security rules (interzone-default and intrazone-default) have predefined settings that you can
override on a firewall or on Panorama. If a firewall receives the default rules from a device group, you can
also override the device group settings. The firewall or virtual system where you perform the override stores
a local version of the rule in its configuration. The settings you can override are a subset of the full set
(the following table lists the subset for security rules). For details on the default security rules, see
Policies > Security.
To override a rule, select Policies > Security on a firewall or Policies > Security > Default Rules on
Panorama. The Name column displays the inheritance icon for rules you can override. Select the rule, click
Override, and edit the settings in the following table.
To revert an overridden rule to its predefined settings or to the settings pushed from a Panorama device
group, select Policies > Security on a firewall or Policies > Security > Default Rules on Panorama. The Name
column displays the override icon for rules that have overridden values. Select the rule, click Revert, and
click Yes to confirm the operation.

Fields to Override a Default Security Rule | Description

General Tab

Name
  The Name that identifies the rule is read-only; you cannot override it.

Rule Type
  The Rule Type is read-only; you cannot override it.

Description
  The Description is read-only; you cannot override it.

Tag
  Select Tags from the drop-down.
  A policy tag is a keyword or phrase that enables you to sort or filter policies. This is useful when you
  have defined many policies and want to view those that are tagged with a particular keyword. For example,
  you might want to tag certain security policies with Inbound to DMZ, tag specific decryption policies with
  the words Decrypt or No-decrypt, or use the name of a specific data center for policies associated with
  that location.

Actions Tab

Action Setting
  Select the appropriate Action for traffic that matches the rule.
  - Allow (default): Allows the traffic.
  - Deny: Blocks traffic and enforces the default Deny Action that is defined for the application that the
    firewall is denying. To view the deny action that is defined by default for an application, view the
    application details in Objects > Applications.
  - Drop: Silently drops the application. The firewall does not send a TCP reset message to the host or
    application.
  - Reset client: Sends a TCP reset message to the client-side device.
  - Reset server: Sends a TCP reset message to the server-side device.
  - Reset both: Sends a TCP reset message to both the client-side and server-side devices.


Profile Setting
  Profile Type: Assign profiles or profile groups to the security rule:
  - To specify the checking that the default security profiles perform, select Profiles and then select one
    or more of the individual Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, File
    Blocking, Data Filtering, and WildFire Analysis profiles.
  - To assign a profile group rather than individual profiles, select Group and then select a Group Profile
    from the drop-down.
  To define new profiles (Objects > Security Profiles) or profile groups (Objects > Security Profile Groups),
  click New in the drop-down for the corresponding profile or group.

Log Setting
  Specify any combination of the following options:
  - Log Forwarding: To forward the local traffic log and threat log entries to remote destinations, such as
    Panorama and syslog servers, select a Log Forwarding profile from the drop-down. Security profiles
    determine the generation of Threat log entries. To define a new Log Forwarding profile, select Profile
    in the drop-down (see Objects > Log Forwarding).
  - To generate entries in the local traffic log for traffic that matches this rule, select the following
    options:
    - Log at Session Start: Generates a traffic log entry for the start of a session (selected by default).
    - Log at Session End: Generates a traffic log entry for the end of a session (cleared by default).
    If you configure the firewall to include session start or session end entries in the Traffic log, it
    will also include drop and deny entries.


Policies > NAT

If you define Layer 3 interfaces on the firewall, you can configure a Network Address Translation (NAT)
policy to specify whether source or destination IP addresses and ports are converted between public and
private addresses and ports. For example, private source addresses can be translated to public addresses on
traffic sent from an internal (trusted) zone to a public (untrusted) zone. NAT is also supported on virtual
wire interfaces.
NAT rules are based on source and destination zones, source and destination addresses, and application
service (such as HTTP). Like security policies, NAT policy rules are compared against incoming traffic in
sequence, and the first rule that matches the traffic is applied.
As needed, add static routes to the local router so that traffic to all public addresses is routed to the
firewall. You may also need to add static routes to the receiving interface on the firewall to route traffic
back to the private address.
The following tables describe the NAT and NPTv6 (IPv6-to-IPv6 Network Prefix Translation) settings:
- General Tab
- Original Packet Tab
- Translated Packet Tab
- Active/Active HA Binding Tab
Looking for more? See NAT.

General Tab

Policies > NAT > General
Select the General tab to configure a name and description for the NAT or NPTv6 policy. You can configure a
tag to allow you to sort or filter policies when many policies exist. Select the type of NAT policy you are
creating, which affects which fields are available on the Original Packet and Translated Packet tabs.

NAT Rule General Settings | Description

Name
  Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can
  be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on
  Panorama, unique within its device group and any ancestor or descendant device groups.

Description
  Enter a description for the rule (up to 255 characters).

Tag
  If you want to tag the policy, Add and specify the tag.
  A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you
  have defined many policies and want to view those that are tagged with a particular keyword.


NAT Type
  Specify the type of translation:
  - ipv4: translation between IPv4 addresses.
  - nat64: translation between IPv6 and IPv4 addresses.
  - nptv6: translation between IPv6 prefixes.
  You cannot combine IPv4 and IPv6 address ranges in a single NAT rule.

Original Packet Tab

Policies > NAT > Original Packet
Select the Original Packet tab to define the source and destination zones of packets that the firewall will
translate and, optionally, specify the destination interface and type of service. You can configure multiple
source and destination zones of the same type and you can apply the rule to specific networks or specific IP
addresses.

NAT Rule Original Packet Settings | Description

Source Zone / Destination Zone
  Select one or more source and destination zones for the original (non-NAT) packet (default is Any). Zones
  must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to
  Network > Zones.
  You can specify multiple zones to simplify management. For example, you can configure settings so that
  multiple internal NAT addresses are directed to the same external IP address.

Destination Interface
  Specify the destination interface of packets the firewall translates. You can use the destination
  interface to translate IP addresses differently in the case where the network is connected to two ISPs
  with different IP address pools.

Service
  Specify the service for which the firewall translates the source or destination address. To define a new
  service group, select Objects > Service Groups.

Source Address / Destination Address
  Specify a combination of source and destination addresses for the firewall to translate.
  For NPTv6, the prefixes configured for Source Address and Destination Address must be in the format
  xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of
  supported prefix lengths is /32 to /64.


Translated Packet Tab

Policy > NAT > Translated Packet
Select the Translated Packet tab to determine, for Source Address Translation, the type of translation to
perform on the source, and the address and/or port to which the source will be translated.
You can also enable Destination Address Translation for an internal host that needs to be accessed by a
public IP address. In this case, you define a source address (public) and destination address (private) in
the Original Packet tab for an internal host, and in the Translated Packet tab you enable Destination Address
Translation and enter the Translated Address. When the public address is accessed, it will be translated to
the internal (destination) address of the internal host.

NAT Rule Translated Packet Settings | Description

Source Address Translation
  Select the Translation Type (dynamic or static address pool), and enter an IP address or address range
  (address1-address2) that the source address is translated to (Translated Address). The size of the address
  range is limited by the type of address pool:
  - Dynamic IP And Port: Address selection is based on a hash of the source IP address. For a given source
    IP address, the firewall uses the same translated source address for all sessions. Dynamic IP and Port
    source NAT supports approximately 64,000 concurrent sessions on each IP address in the NAT pool. On some
    models, oversubscription is supported, which allows a single IP to host more than 64,000 concurrent
    sessions.
    Palo Alto Networks Dynamic IP/port NAT supports more NAT sessions than are supported by the number of
    available IP addresses and ports. The firewall can use IP address and port combinations up to two times
    (simultaneously) on the PA-200, PA-500, and PA-3000 Series firewalls, four times on the PA-5020
    firewalls, and eight times on the PA-5050 and PA-5060 firewalls when destination IP addresses are
    unique.
  - Dynamic IP: The next available address in the specified range is used, but the port number is unchanged.
    Up to 32,000 consecutive IP addresses are supported. A dynamic IP pool can contain multiple subnets, so
    you can translate your internal network addresses to two or more separate public subnets.
    - Advanced (Dynamic IP/Port Fallback): Use this option to create a fallback pool that will perform IP
      and port translation and will be used if the primary pool runs out of addresses. You can define
      addresses for the pool by using the Translated Address option or the Interface Address option, which
      is for interfaces that receive an IP address dynamically. When creating a fallback pool, make sure
      addresses do not overlap with addresses in the primary pool.
  - Static IP: The same address is always used for the translation and the port is unchanged. For example,
    if the source range is 192.168.0.1-192.168.0.10 and the translation range is 10.0.0.1-10.0.0.10, address
    192.168.0.2 is always translated to 10.0.0.2. The address range is virtually unlimited.
    NPTv6 must use Static IP translation for Source Address Translation. For NPTv6, the prefixes configured
    for Translated Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface
    identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.
  - None: Translation is not performed.


Bidirectional
  (Optional) Enable bidirectional translation if you want the firewall to create a corresponding translation
  (NAT or NPTv6) in the opposite direction of the translation you configure.
  If you enable bidirectional translation, you must ensure that you have security policies in place to
  control the traffic in both directions. Without such policies, the bidirectional feature allows packets to
  be translated automatically in both directions.

Destination Address Translation
  Enter an IP address or range of IP addresses and a translated port number (1 to 65535) to which the
  destination address and port number are translated. If the Translated Port field is blank, the destination
  port is not changed. Destination translation is typically used to allow an internal server, such as an
  email server, to be accessed from the public network.
  For NPTv6, the prefixes configured for Destination prefix Translated Address must be in the format
  xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of
  supported prefix lengths is /32 to /64.
  Translated Port is not supported for NPTv6 because NPTv6 is strictly prefix translation. The Port and Host
  address section is simply forwarded unchanged.
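The Source Address Translation types and the NPTv6 prefix rule described in the table above, as an added example in Python (not code from this guide or from Palo Alto Networks): Static IP maps the Nth source address to the Nth translated address with the port unchanged, Dynamic IP hands out the next available address with the port unchanged, Dynamic IP And Port picks the address by a hash of the source IP and rewrites the port, and an NPTv6 prefix must be a /32 to /64 with no host bits. The hash function, the port allocator, and the pool classes are assumptions; the page does not document the firewall's own algorithms.

```python
"""Model of the Source Address Translation types on the Translated Packet tab
(added example, not Palo Alto Networks code). The hash function and the port
allocator are assumptions; the page does not document the firewall's own."""
import hashlib
import ipaddress

DIPP_SESSIONS_PER_IP = 64000   # approximate figure given on the page


def parse_range(text):
    """'10.0.0.1-10.0.0.10' or a single address -> list of IPv4Address."""
    first, _, last = text.partition("-")
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last) if last else start
    return [ipaddress.ip_address(int(start) + i) for i in range(int(end) - int(start) + 1)]


def static_ip_translate(src_ip, source_range, translated_range):
    """Static IP: the Nth source address always maps to the Nth translated
    address and the port is unchanged (192.168.0.2 -> 10.0.0.2 on the page)."""
    src = parse_range(source_range)
    dst = parse_range(translated_range)
    if len(src) != len(dst):
        raise ValueError("static IP needs a translated range the same size as the source range")
    return dst[src.index(ipaddress.ip_address(src_ip))]


class DynamicIpPool:
    """Dynamic IP: next available address in the range, port unchanged."""

    def __init__(self, translated_range):
        self.free = parse_range(translated_range)   # up to 32,000 addresses on the firewall
        self.leases = {}

    def translate(self, src_ip, sport):
        src_ip = ipaddress.ip_address(src_ip)
        if src_ip not in self.leases:
            if not self.free:
                # This is the point where an Advanced (Dynamic IP/Port Fallback) pool takes over.
                raise RuntimeError("dynamic IP pool exhausted")
            self.leases[src_ip] = self.free.pop(0)
        return self.leases[src_ip], sport


class DynamicIpAndPortPool:
    """Dynamic IP And Port: the translated address is chosen by a hash of the
    source IP, so one source always gets the same address; ports are rewritten.
    oversubscription models the 2x/4x/8x reuse the page describes."""

    def __init__(self, translated_range, oversubscription=1):
        self.addresses = parse_range(translated_range)
        self.capacity = DIPP_SESSIONS_PER_IP * oversubscription
        self.sessions = {a: 0 for a in self.addresses}

    def pick_address(self, src_ip):
        # Assumed hash: the page only states that selection is hash-based.
        digest = hashlib.sha256(str(ipaddress.ip_address(src_ip)).encode()).digest()
        return self.addresses[int.from_bytes(digest[:4], "big") % len(self.addresses)]

    def translate(self, src_ip, sport):
        addr = self.pick_address(src_ip)
        if self.sessions[addr] >= self.capacity:
            raise RuntimeError(f"no free port on {addr}")
        self.sessions[addr] += 1
        # Assumed allocator: sequential ports above 1023; with oversubscription a
        # port number is reused for a different destination once they wrap.
        return addr, 1024 + (self.sessions[addr] - 1) % (65536 - 1024)


def validate_nptv6_prefix(text):
    """NPTv6 prefixes must look like xxxx:xxxx::/yy: a /32 to /64 prefix with
    no interface-identifier (host) bits set."""
    try:
        net = ipaddress.IPv6Network(text, strict=True)   # strict rejects host bits
    except ValueError:
        return False
    return 32 <= net.prefixlen <= 64


if __name__ == "__main__":
    print(static_ip_translate("192.168.0.2", "192.168.0.1-192.168.0.10", "10.0.0.1-10.0.0.10"))
    pool = DynamicIpAndPortPool("203.0.113.10-203.0.113.13", oversubscription=2)
    print(pool.translate("10.1.1.1", 5000), pool.translate("10.1.1.1", 5001))
    print(validate_nptv6_prefix("2001:db8:1::/48"), validate_nptv6_prefix("2001:db8::1/64"))
```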

Active/Active HA Binding Tab

Policies > NAT > Active/Active HA Binding
The Active/Active HA Binding tab is available only if the firewall is in a high availability (HA)
active/active configuration. In this configuration, you must bind each source NAT rule (whether static or
dynamic NAT) to Device ID 0 or Device ID 1; you must bind each destination NAT rule to either Device ID 0,
Device ID 1, both (Device ID 0 and Device ID 1), or to the active-primary firewall.
Select an Active/Active HA Binding setting to bind the NAT rule to an HA firewall as follows:
- 0: Binds the NAT rule to the firewall that has HA Device ID 0.
- 1: Binds the NAT rule to the firewall that has HA Device ID 1.
- both: Binds the NAT rule to both the firewall that has HA Device ID 0 and the firewall that has HA Device
  ID 1. This setting does not support Dynamic IP or Dynamic IP and Port NAT.
- primary: Binds the NAT rule to the firewall that is in HA active-primary state. This setting does not
  support Dynamic IP or Dynamic IP and Port NAT.
You typically configure device-specific NAT rules when the two HA peers have unique NAT IP address pools.
When the firewall creates a new session, the HA binding determines which NAT rules the session can match.
The binding must include the session owner for the rule to match. The session setup firewall performs the
NAT rule matching, but the session is compared to NAT rules that are bound to the session owner and
translated according to one of the rules. For device-specific rules, the firewall skips all NAT rules that
are not bound to the session owner. For example, suppose the firewall with Device ID 1 is the session owner
and the session setup firewall. When Device ID 1 attempts to match a session to a NAT rule, it ignores all
rules bound to Device ID 0.
If one peer fails, the second peer continues to process traffic for the synchronized sessions from the
failed peer, including NAT translations. Palo Alto Networks recommends you create a duplicate NAT rule that
is bound to the second Device ID. Therefore, there are two NAT rules with the same source translation
addresses and the same destination translation addresses, one rule bound to each Device ID. This
configuration allows the HA peer to perform new session setup tasks and perform NAT rule matching for NAT
rules that are bound to its Device ID. Without a duplicate NAT rule, the functioning peer will try to
perform the NAT policy match but the session won't match the firewall's own device-specific rules and the
firewall skips all other NAT rules that are not bound to its Device ID.
Looking for more? See NAT in Active/Active HA Mode.
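The HA binding behaviour described above, as an added example in Python (not code from this guide or from Palo Alto Networks): it rejects both/primary bindings on Dynamic IP or Dynamic IP and Port rules, lists the NAT rules a session-setup firewall will consider for a given session owner, and reports device-specific rules that lack the duplicate bound to the other Device ID that the page recommends. The NatRule shape and its fields are assumptions for the example.

```python
"""Model of the Active/Active HA Binding rules on this page (added example,
not Palo Alto Networks code). NatRule is an assumed shape."""
from dataclasses import dataclass

VALID_BINDINGS = {"0", "1", "both", "primary"}
DYNAMIC_SOURCE_NAT = {"dynamic-ip", "dynamic-ip-and-port"}


@dataclass
class NatRule:
    name: str
    translation: str         # "static-ip", "dynamic-ip", "dynamic-ip-and-port" or "destination"
    ha_binding: str          # "0", "1", "both" or "primary"
    translated_address: str  # address or pool the rule translates to


def validate_binding(rule):
    """The page's restriction: both and primary cannot be used with Dynamic IP
    or Dynamic IP and Port source NAT."""
    if rule.ha_binding not in VALID_BINDINGS:
        raise ValueError(f"{rule.name}: unknown HA binding {rule.ha_binding!r}")
    if rule.ha_binding in {"both", "primary"} and rule.translation in DYNAMIC_SOURCE_NAT:
        raise ValueError(f"{rule.name}: binding {rule.ha_binding} does not support {rule.translation}")


def bound_to_owner(rule, session_owner, active_primary):
    """True when the rule's binding includes the firewall that owns the session."""
    if rule.ha_binding == "both":
        return True
    if rule.ha_binding == "primary":
        return session_owner == active_primary
    return rule.ha_binding == session_owner


def candidate_rules(rules, session_owner, active_primary):
    """Rules the session-setup firewall compares a new session against, in
    rulebase order; rules bound only to the other peer are skipped."""
    for rule in rules:
        validate_binding(rule)
    return [r.name for r in rules if bound_to_owner(r, session_owner, active_primary)]


def missing_failover_twins(rules):
    """Device-specific rules with no duplicate (same translation type and
    translated address) bound to the other Device ID. The page recommends such
    a twin so the surviving peer still matches NAT for sessions it takes over."""
    missing = []
    for rule in rules:
        if rule.ha_binding not in {"0", "1"}:
            continue
        other = "1" if rule.ha_binding == "0" else "0"
        has_twin = any(r.ha_binding == other and r.translation == rule.translation
                       and r.translated_address == rule.translated_address for r in rules)
        if not has_twin:
            missing.append(rule.name)
    return missing


if __name__ == "__main__":
    # Constructed rulebase: a DIPP pair bound to each Device ID plus a shared destination NAT rule.
    rules = [NatRule("src-nat-dev0", "dynamic-ip-and-port", "0", "203.0.113.10"),
             NatRule("src-nat-dev1", "dynamic-ip-and-port", "1", "203.0.113.10"),
             NatRule("dst-mail", "destination", "both", "10.1.1.25")]
    print(candidate_rules(rules, session_owner="1", active_primary="0"))
    print(missing_failover_twins(rules[:1] + rules[2:]))
```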


Policies > QoS

Add QoS policy rules to define the traffic that receives specific QoS treatment and assign a QoS class for
each QoS policy rule to specify that the assigned class of service applies to all traffic matched to the
associated rule as it exits a QoS-enabled interface.
QoS policy rules pushed to a firewall from Panorama are shown in orange and cannot be edited at the firewall
level.
Additionally, to fully enable the firewall to provide QoS:
- Set bandwidth limits for each QoS class of service (select Network > Network Profiles > QoS to add or
  modify a QoS profile).
- Enable QoS on an interface (select Network > QoS).
Refer to Quality of Service for complete QoS workflows, concepts, and use cases.
Add a new rule or clone an existing rule and then define the following fields.

QoS Policy Rule Settings

General Tab

Name
  Enter a name to identify the rule (up to 31 characters). The name is case-sensitive and must be unique.
  Use only letters, numbers, spaces, hyphens, and underscores.

Description
  Enter an optional description.

Tag
  If you need to tag the policy, Add and specify the tag.
  A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you
  have defined many policies and want to view those that are tagged with a particular keyword. For example,
  you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words
  Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that
  location.

Source Tab

Source Zone
  Select one or more source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or
  virtual wire).


Source Address
  Specify a combination of source IPv4 or IPv6 addresses for which the identified application can be
  overridden. To select specific addresses, choose select from the drop-down and do any of the following:
  - Select this option next to the appropriate addresses and/or address groups in the Available column, and
    click Add to add your selections to the Selected column.
  - Enter the first few characters of a name in the search field to list all addresses and address groups
    that start with those characters. Selecting an item in the list enables this option in the Available
    column. Repeat this process as often as needed, and then click Add.
  - Enter one or more IP addresses (one per line), with or without a network mask. The general format is:
    <ip_address>/<mask>
  To remove addresses, select them (Selected column) and click Delete or select any to clear all addresses
  and address groups.
  To add new addresses that can be used in this or other policies, click New Address. To define new address
  groups, select Objects > Address Groups.

Source User
  Specify the source users and groups to which the QoS policy will apply.

Negate
  Select this option to have the policy apply if the specified information on this tab does NOT match.

Destination Tab

Destination Zone
  Select one or more destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3,
  or virtual wire).

Destination Address
  Specify a combination of destination IPv4 or IPv6 addresses for which the identified application can be
  overridden. To select specific addresses, choose select from the drop-down and do any of the following:
  - Select this option next to the appropriate addresses and/or address groups in the Available column, and
    Add your selections to the Selected column.
  - Enter the first few characters of a name in the search field to list all addresses and address groups
    that start with those characters. Selecting an item in the list enables this option in the Available
    column. Repeat this process as often as needed, and then click Add.
  - Enter one or more IP addresses (one per line), with or without a network mask. The general format is:
    <ip_address>/<mask>
  To remove addresses, select them (Selected column) and click Delete or select any to clear all addresses
  and address groups.
  To add new addresses that can be used in this or other policies, click New Address.

Negate
  Select this option to have the policy apply if the specified information on this tab does not match.


Policies Policies>QoS

QoSPolicyRuleSettings

Application Tab

Application
  Select specific applications for the QoS rule. To define new applications or application groups, select Objects > Applications.
  If an application has multiple functions, you can select the overall application or individual functions. If you select the overall application, all functions are included, and the application definition is automatically updated as future functions are added.
  If you are using application groups, filters, or containers in the QoS rule, you can view details on these objects by holding your mouse over the object in the Application column, clicking the down arrow, and selecting Value. This enables you to easily view application members directly from the policy without having to go to the Objects tab.

Service/URL Category Tab

Service
  Select services to limit the rule to specific TCP and/or UDP port numbers. Choose one of the following from the drop-down:
  - any: The selected applications match the rule on any protocol or port.
  - application-default: The selected applications match the rule only on their default ports as defined by Palo Alto Networks. This option is recommended for allow policies, because it keeps an application from matching on a port it does not normally use.
  - Select: Click Add. Choose an existing service, or choose Service or Service Group to specify a new entry.

URL Category
  Select URL categories for the QoS rule.
  - Select Any to ensure that a session can match this QoS rule regardless of the URL category.
  - To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories. Refer to Objects > Custom Objects > URL Category for information on defining custom categories.

DSCP/TOS Tab

Any
  Select Any (default) to allow the policy to match traffic regardless of the Differentiated Services Code Point (DSCP) value or the IP Precedence/Type of Service (ToS) defined for the traffic.

Codepoints
  Select Codepoints to enable traffic to receive QoS treatment based on the DSCP or ToS value defined in a packet's IP header. The DSCP and ToS values are used to indicate the level of service requested for traffic, such as high priority or best effort delivery. Using codepoints as matching criteria in a QoS policy allows a session to receive QoS treatment based on the codepoint detected at the beginning of the session.
  Continue to Add codepoints to match traffic to the QoS policy:
  - Give codepoint entries a descriptive Name.
  - Select the Type of codepoint you want to use as matching criteria for the QoS policy and then select a specific Codepoint value. You can also create a Custom Codepoint by entering a Codepoint Name and Binary Value.
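The following is an added example (it is not from this guide and not Palo Alto Networks code) showing where the DSCP and IP Precedence values that the Codepoints setting matches on live in the IP header, and how a Custom Codepoint entered as a six-digit Binary Value compares against the first packet of a session. The standard codepoint table, the packet builder and the (Name, Type, value) entry layout are assumptions made for the example.

```python
import struct
from typing import List, Optional, Tuple

# Assumed lookup of standard DSCP names to their 6-bit values (IETF-defined,
# not copied from the firewall's Codepoint drop-down).
DSCP_NAMES = {
    "cs0": 0b000000, "cs1": 0b001000, "af11": 0b001010, "af21": 0b010010,
    "af31": 0b011010, "af41": 0b100010, "cs5": 0b101000, "ef": 0b101110,
}

def codepoint_from_binary(bits: str) -> int:
    """A Custom Codepoint's Binary Value: six binary digits, e.g. '101110' for EF."""
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError("Binary Value must be exactly six 0/1 digits")
    return int(bits, 2)

def tos_fields(tos_byte: int) -> dict:
    """Split the IPv4 ToS byte (or IPv6 Traffic Class) into its components."""
    return {
        "dscp": tos_byte >> 2,        # upper 6 bits: Differentiated Services Code Point
        "precedence": tos_byte >> 5,  # upper 3 bits: legacy IP Precedence (ToS type)
        "ecn": tos_byte & 0b11,       # lower 2 bits: ECN, not a QoS match criterion
    }

def ipv4_tos(packet: bytes) -> int:
    """Return the ToS byte of a raw IPv4 packet (second byte of the header)."""
    version_ihl, tos = struct.unpack("!BB", packet[:2])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return tos

def build_ipv4(tos: int, payload: bytes = b"") -> bytes:
    """Constructed sample: a minimal 20-byte IPv4 header carrying the given ToS byte."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64, 17, 0,
                       bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20])) + payload

# A codepoint entry as configured on the DSCP/TOS tab: (Name, Type, value).
# Type 'dscp' compares the 6-bit DSCP; type 'tos' compares the 3-bit IP Precedence.
Codepoint = Tuple[str, str, int]

def match_codepoints(packet: bytes, entries: List[Codepoint]) -> Optional[str]:
    """Return the Name of the first codepoint entry the packet matches, or None.
    Like the firewall, this looks only at the first packet of the session."""
    fields = tos_fields(ipv4_tos(packet))
    for name, ctype, value in entries:
        if ctype == "dscp" and fields["dscp"] == value:
            return name
        if ctype == "tos" and fields["precedence"] == value:
            return name
    return None

# Example rule entries: voice (EF), a custom AF11 typed as binary, and IP Precedence 5.
RULE_CODEPOINTS: List[Codepoint] = [
    ("voice-ef", "dscp", DSCP_NAMES["ef"]),
    ("custom-af11", "dscp", codepoint_from_binary("001010")),
    ("precedence-5", "tos", 5),
]
```

Note that a packet marked EF (ToS byte 0xB8) also carries IP Precedence 5, so the order of the codepoint entries decides which Name is reported; a packet marked CS5 (0xA0) matches only the precedence entry.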


Other Settings Tab

Class
  Choose the QoS class to assign to the rule, and click OK. Class characteristics are defined in the QoS profile. Refer to Network > Network Profiles > QoS for information on configuring settings for QoS classes.

Schedule
  Select None for the policy rule to remain active at all times.
  From the drop-down, select Schedule (calendar icon) to set a single time range or a recurring time range during which the rule is active.


Policies > Policy Based Forwarding

Normally, when traffic enters the firewall, the virtual router of the ingress interface dictates the route that determines the outgoing interface and destination security zone based on the destination IP address. By creating a policy-based forwarding (PBF) rule, you can specify other information to determine the outgoing interface, including source zone, source address, source user, destination address, destination application, and destination service. The initial session on a given destination IP address and port that is associated with an application will not match an application-specific rule, because App-ID has not yet identified the application when the first packet must be forwarded; that session is forwarded according to subsequent PBF rules (that do not specify an application) or the virtual router's forwarding table. All subsequent sessions on that destination IP address and port for the same application will match an application-specific rule. To ensure forwarding through PBF rules, application-specific rules are not recommended; match on a service (port) instead.
When necessary, PBF rules can be used to force traffic through an additional virtual system using the Forward to VSYS forwarding action. In this case, it is necessary to define an additional PBF rule that will forward the packet from the destination virtual system out through a particular egress interface on the firewall.
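The following added example (not part of this guide, and not the firewall's implementation) models the behaviour described above with a small rule matcher in Python: a rulebase with an application-specific rule ahead of a service-only rule, evaluated on the first packet of a session while the application is still unknown, and again after the application has been identified for that destination IP address and port. The per-destination application cache, the rule fields and the interface names are simplifications assumed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class PBFRule:
    name: str
    action: str                                # forward | forward-to-vsys | discard | no-pbf
    egress: Optional[str] = None               # egress interface (Forward) or vsys name
    source_zone: Optional[str] = None          # None = any
    service: Optional[Tuple[str, int]] = None  # (protocol, destination port); None = any
    application: Optional[str] = None          # None = any

@dataclass
class Session:
    source_zone: str
    dst_ip: str
    proto: str
    dst_port: int

class PBFEngine:
    """Simplified model of the PBF lookup done on the first packet of a session."""

    def __init__(self, rules: List[PBFRule], default: str = "virtual-router"):
        self.rules = rules
        self.default = default           # stands for the ingress virtual router's table
        # application learned for (destination IP, destination port) from earlier sessions
        self.app_cache: Dict[Tuple[str, int], str] = {}

    def lookup(self, s: Session) -> str:
        # App-ID has seen no payload yet, so the only application information
        # available for the first packet is what earlier sessions taught us.
        app = self.app_cache.get((s.dst_ip, s.dst_port))
        for r in self.rules:
            if r.source_zone is not None and r.source_zone != s.source_zone:
                continue
            if r.service is not None and r.service != (s.proto, s.dst_port):
                continue
            if r.application is not None and r.application != app:
                continue                 # application-specific rule cannot match yet
            if r.action == "no-pbf":
                return self.default      # explicitly excluded from PBF: use the route table
            if r.action == "discard":
                return "discard"
            return r.egress
        return self.default

    def session_identified(self, s: Session, application: str) -> None:
        """App-ID identified the application during the session; remember it so
        later sessions to the same destination IP and port can match on it."""
        self.app_cache[(s.dst_ip, s.dst_port)] = application

def demo() -> Tuple[str, str]:
    rules = [
        PBFRule("ssl-via-isp2", "forward", "ethernet1/2", "trust",
                service=("tcp", 443), application="ssl"),   # application-specific
        PBFRule("tcp443-via-isp1", "forward", "ethernet1/1", "trust",
                service=("tcp", 443)),                       # service-only
    ]
    engine = PBFEngine(rules)
    first = Session("trust", "203.0.113.10", "tcp", 443)
    path1 = engine.lookup(first)                    # application unknown: service rule wins
    engine.session_identified(first, "ssl")
    path2 = engine.lookup(Session("trust", "203.0.113.10", "tcp", 443))  # now the ssl rule
    return path1, path2
```

The first session to 203.0.113.10:443 leaves through ethernet1/1 even though the administrator intended ssl to use ethernet1/2; only later sessions take the intended path. A rulebase that matches on service alone gives the same answer for every session, which is why the guide recommends it.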
The following tables describe the policy-based forwarding settings:
- General Tab
- Source Tab
- Destination/Application/Service Tab
- Forwarding Tab
Looking for more? Refer to Policy Based Forwarding.

General Tab

Select the General tab to configure a name and description for the PBF policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.

Field   Description

Name
  Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description
  Enter a description for the policy (up to 255 characters).

Tag
  If you need to tag the policy, Add and specify the tag.
  A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.


Source Tab

Select the Source tab to define the source zone or source address that defines the incoming source traffic to which the forwarding policy will be applied.

Field   Description

Source Zone
  To choose source zones (default is any), click Add and select from the drop-down. To define new zones, refer to Network > Zones.
  Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.
  Only Layer 3 type zones are supported for policy-based forwarding.

Source Address
  Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.

Source User
  Click Add to choose the source users or groups of users subject to the policy. The following source user types are supported:
  - any: Include any traffic regardless of user data.
  - pre-logon: Include remote users that are connected to the network using GlobalProtect, but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and, although the user is not logged in directly, their machines are authenticated on the domain as if they were fully logged in.
  - known-user: Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the domain users group on a domain.
  - unknown: Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access to something because they will have an IP on your network, but will not be authenticated to the domain and will not have IP-address-to-user mapping information on the firewall.
  - Select: Includes selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users.
  If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID agent, the list of users does not display; you must enter user information manually.


Destination/Application/Service Tab

Select the Destination/Application/Service tab to define the destination settings that will be applied to traffic that matches the forwarding rule.

Field   Description

Destination Address
  Click Add to add destination addresses, address groups, or regions (default is any). By default, the rule applies to Any IP address. Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.

Application/Service
  Select specific applications or services for the PBF rule. To define new applications, refer to Defining Applications. To define application groups, refer to Objects > Application Groups.
  Application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.
  If you are using application groups, filters, or containers in the PBF rule, you can view details on these objects by holding your mouse over the object in the Application column, clicking the down arrow, and selecting Value. This enables you to easily view application members directly from the policy without having to go to the Objects tabs.

Forwarding Tab

Select the Forwarding tab to define the action and network information that will be applied to traffic that matches the forwarding policy. Traffic can be forwarded to a next hop IP address or to a virtual system, or the traffic can be dropped.

Field   Description

Action
  Select one of the following options:
  - Forward: Specify the next hop IP address and egress interface (the interface that the packet takes to get to the specified next hop).
  - Forward To VSYS: Choose the virtual system to forward to from the drop-down.
  - Discard: Drop the packet.
  - No PBF: Do not alter the path that the packet will take. This option excludes the packets that match the source/destination/application/service criteria defined in the rule from policy-based forwarding: matching packets are routed by the virtual router's route table instead of by any PBF rule that follows. Place such a rule ahead of a broader Forward rule to carve an exception out of it.

Egress Interface
  Directs the packet to a specific Egress Interface.

Next Hop
  If you direct the packet to a specific interface, specify the Next Hop IP address for the packet.

Monitor
  Enable Monitoring to verify connectivity to a target IP Address or to the Next Hop IP address. Select Monitor and attach a monitoring Profile (default or custom) that specifies the action when the IP address is unreachable.


Enforce Symmetric Return
  (Required for asymmetric routing environments) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List. Enabling symmetric return ensures that return traffic (say, from the Trust zone on the LAN to the Internet) is forwarded out through the same interface through which traffic ingresses from the Internet.

Schedule
  To limit the days and times when the rule is in effect, select a schedule from the drop-down. To define new schedules, refer to Objects > Schedules.


Policies > Decryption

You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption policies can apply to Secure Sockets Layer (SSL), including SSL-encapsulated protocols such as IMAP(S), POP3(S), SMTP(S), and FTP(S), and to Secure Shell (SSH) traffic. SSH decryption can be used to decrypt outbound and inbound SSH traffic to assure that secure protocols are not being used to tunnel disallowed applications and content.
Add a decryption policy rule to define traffic that you want to decrypt (for example, you can decrypt traffic based on URL categorization). Decryption policy rules are compared against the traffic in sequence, so more specific rules must precede the more general ones.
SSL forward proxy decryption requires the configuration of a trusted certificate that will be presented to the user if the server to which the user is connecting possesses a certificate signed by a CA trusted by the firewall. Create a certificate on the Device > Certificate Management > Certificates page, then click the name of the certificate and select Forward Trust Certificate.

Certain applications will not function if they are decrypted by the firewall. To prevent this from occurring, PAN-OS will not decrypt the SSL traffic for these applications and the decryption rule settings will not apply. Refer to the List of Applications Excluded from SSL Decryption.

The following tables describe the decryption policy settings:
- General Tab
- Source Tab
- Destination Tab
- Service/URL Category Tab
- Options Tab
Looking for more? See Decryption.

General Tab

Select the General tab to configure a name and description for the decryption policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.

Field   Description

Name
  Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description
  Enter a description for the rule (up to 255 characters).


Tag
  If you need to tag the policy, Add and specify the tag.
  A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.

Source Tab

Select the Source tab to define the source zone or source address that defines the incoming source traffic to which the decryption policy will be applied.

Field   Description

Source Zone
  Click Add to choose source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
  Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.

Source Address
  Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings. Select Negate to choose any address except the configured ones.


Source User
  Click Add to choose the source users or groups of users subject to the policy. The following source user types are supported:
  - any: Include any traffic regardless of user data.
  - pre-logon: Include remote users that are connected to the network using GlobalProtect, but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and, although the user is not logged in directly, their machines are authenticated on the domain as if they were fully logged in.
  - known-user: Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the domain users group on a domain.
  - unknown: Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access to something because they will have an IP on your network, but will not be authenticated to the domain and will not have IP-to-user mapping information on the firewall.
  - Select: Includes selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users.
  If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID agent, the list of users does not display; you must enter user information manually.

Destination Tab

Select the Destination tab to define the destination zone or destination address that defines the destination traffic to which the policy will be applied.

Field   Description

Destination Zone
  Click Add to choose destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
  Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.

Destination Address
  Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings. Select Negate to choose any address except the configured ones.


Service/URL Category Tab

Select the Service/URL Category tab to apply the decryption policy to traffic based on TCP port number or to any URL category (or a list of categories).

Field   Description

Service
  Apply the decryption policy to traffic based on specific TCP port numbers. Choose one of the following from the drop-down:
  - any: The selected applications are decrypted (or are exempt from decryption) on any protocol or port.
  - application-default: The selected applications are decrypted (or are exempt from decryption) only on the default ports defined for the applications by Palo Alto Networks.
  - Select: Click Add. Choose an existing service or specify a new Service or Service Group. (Or select Objects > Services and Objects > Service Groups.)

URL Category
  Select URL categories for the decryption rule.
  - Choose any to match any sessions regardless of the URL category.
  - To specify a category, click Add and select a specific category (including a custom category) from the drop-down. You can add multiple categories. Refer to Objects > Custom Objects > URL Category for information on defining custom categories.

Options Tab

Select the Options tab to determine whether the matched traffic should be decrypted. If Decrypt is set, specify the decryption type. You can also add additional decryption features by configuring or selecting a decryption profile.

Field   Description

Action
  Select decrypt or no-decrypt for the traffic.

Type
  Select the type of traffic to decrypt from the drop-down:
  - SSL Forward Proxy: Specifies that the policy will decrypt client traffic destined for an external server.
  - SSH Proxy: Specifies that the policy will decrypt SSH traffic. This option allows you to control SSH tunneling in policies by specifying the ssh-tunnel App-ID.
  - SSL Inbound Inspection: Specifies that the policy will decrypt SSL inbound inspection traffic, that is, traffic to an internal server whose certificate and private key are installed on the firewall.

Decryption Profile
  Attach a decryption profile to the policy rule in order to block and control certain aspects of the traffic. For details on creating a decryption profile, select Objects > Decryption Profile.


Policies > Tunnel Inspection

You can configure the firewall to inspect the traffic content of the following cleartext tunnel protocols:
- Generic Routing Encapsulation (GRE)
- Non-encrypted IPSec traffic (NULL Encryption Algorithm for IPSec and transport mode AH IPSec)
- General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U); supported only on PA-5200 Series and VM-Series firewalls.
You can use tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and on traffic nested within another cleartext tunnel (for example, Null Encrypted IPSec inside a GRE tunnel).
Create a Tunnel Inspection policy that, when matching an incoming packet, determines which tunnel protocols in the packet the firewall will inspect and that specifies the conditions under which the firewall drops or continues to process the packet. You can view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with your corporate security and usage policies.
The firewall supports tunnel content inspection on Ethernet interfaces and subinterfaces, AE interfaces, VLAN interfaces, and VPN and LSVPN tunnels. The feature is supported in Layer 3, Layer 2, virtual wire, and tap deployments. Tunnel content inspection works on shared gateways and on virtual system-to-virtual system communications.

What do you want to know?   See:
- What are the fields available to create a Tunnel Inspection policy?   Building Blocks in a Tunnel Inspection Policy
- How can I view tunnel inspection logs?   Log Types and Severity Levels
- Looking for more?   Tunnel Content Inspection

Building Blocks in a Tunnel Inspection Policy

The following table describes the fields you configure for a Tunnel Inspection policy. The tab on which each field is configured is given in parentheses after the field name.

Building Blocks in a Tunnel Inspection Policy (Configured In)   Description

Name (General)
  Enter a name for the Tunnel Inspection policy beginning with an alphanumeric character and containing zero or more alphanumeric, underscore (_), hyphen (-), dot (.), and space characters.

Description (General)
  (Optional) Enter a description for the Tunnel Inspection policy.

Tags (General)
  (Optional) Enter one or more tags for reporting and logging purposes that identify the packets that are subject to the Tunnel Inspection policy.


Source Zone (Source)
  Add one or more source zones of packets to which the Tunnel Inspection policy applies (default is Any).

Source Address (Source)
  (Optional) Add source IPv4 or IPv6 addresses, address groups, or Geo Region address objects of packets to which the Tunnel Inspection policy applies (default is Any).

Source User (Source)
  (Optional) Add source users of packets to which the Tunnel Inspection policy applies (default is any).

Negate (Source)
  (Optional) Select Negate to choose any addresses except the specified ones.

Destination Zone (Destination)
  Add one or more destination zones of packets to which the Tunnel Inspection policy applies (default is Any).

Destination Address (Destination)
  (Optional) Add destination IPv4 or IPv6 addresses, address groups, or Geo Region address objects of packets to which the Tunnel Inspection policy applies (default is Any).

Negate (Destination)
  (Optional) Select Negate to choose any addresses except the specified ones.

Tunnel Protocol (Inspection)
  Add one or more tunnel Protocols that you want the firewall to inspect:
  - GRE: Firewall inspects packets that use Generic Route Encapsulation in the tunnel.
  - GTP-U: Firewall inspects packets that use General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U) in the tunnel (supported only on PA-5200 Series and VM-Series firewalls).
  - Non-encrypted IPSec: Firewall inspects packets that use non-encrypted IPSec (Null Encrypted IPSec or transport mode AH IPSec) in the tunnel.
  To remove a protocol from your list, select and Delete it.

Maximum Tunnel Inspection Levels (Inspection > Inspect Options)
  Select the maximum level of tunnels the firewall will inspect: One Level (default) or Two Levels (Tunnel In Tunnel).

Drop packet if over maximum tunnel inspection level (Inspection > Inspect Options)
  (Optional) Drop packets that contain more levels of encapsulation than configured for Maximum Tunnel Inspection Levels.

Drop packet if tunnel protocol fails strict header check (Inspection > Inspect Options)
  (Optional) Drop packets that contain a tunnel protocol that uses a header that is non-compliant with the RFC for that protocol. Non-compliant headers can indicate suspicious packets. This option causes the firewall to verify GRE headers against RFC 2890.
  Don't enable this option if your firewall is tunneling GRE with a device that implements a version of GRE older than RFC 2890.

Drop packet if unknown protocol inside tunnel (Inspection > Inspect Options)
  (Optional) Drop packets that contain a protocol inside the tunnel that the firewall cannot identify.
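Added example, not part of this guide and not the firewall's code: a Python parser that walks cleartext GRE encapsulation and applies the three Drop packet options above to constructed packets. The bit layout of the GRE header is taken from RFC 2784/2890 (C bit, one reserved bit, K and S bits, nine Reserved0 bits, three Version bits); the strict check rejects any set reserved bit or a non-zero Version, which is what an older RFC 1701-style sender that sets the R or Recursion bits would trip over. Treating any non-IPv4 protocol type inside the tunnel as an unknown protocol is an assumption for the example, not a statement about what the firewall can identify.

```python
import struct
from typing import Optional, Tuple

IPPROTO_GRE, IPPROTO_UDP = 47, 17
ETHERTYPE_IPV4 = 0x0800

def parse_ipv4(pkt: bytes) -> Tuple[int, int]:
    """Return (protocol, header length) of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a valid IPv4 packet")
    return pkt[9], (pkt[0] & 0x0F) * 4

def parse_gre(data: bytes) -> Tuple[int, int, bool]:
    """Return (protocol type, header length, rfc2890_compliant) for a GRE header.
    First 16 bits (RFC 2890): C | reserved | K | S | Reserved0 (9 bits) | Ver (3 bits).
    A strict check rejects any set reserved bit and any Version other than 0."""
    if len(data) < 4:
        raise ValueError("short GRE header")
    flags, proto_type = struct.unpack("!HH", data[:4])
    c, r1 = (flags >> 15) & 1, (flags >> 14) & 1
    k, s = (flags >> 13) & 1, (flags >> 12) & 1
    reserved0, ver = (flags >> 3) & 0x1FF, flags & 0x7
    compliant = r1 == 0 and reserved0 == 0 and ver == 0
    return proto_type, 4 + 4 * (c + k + s), compliant   # optional Checksum, Key, Sequence words

def inspect_tunnels(pkt: bytes, max_levels: int = 1, strict: bool = True) -> Tuple[str, int]:
    """Walk nested GRE the way the Inspect Options describe. Returns (verdict, levels):
    'inspect' hands the inner content to policy; the other verdicts are the drop reasons."""
    levels = 0
    while True:
        proto, ihl = parse_ipv4(pkt)
        if proto != IPPROTO_GRE:
            return "inspect", levels
        proto_type, gre_len, compliant = parse_gre(pkt[ihl:])
        if strict and not compliant:
            return "drop:strict-header-check", levels
        levels += 1
        if levels > max_levels:
            return "drop:over-max-levels", levels
        if proto_type != ETHERTYPE_IPV4:
            return "drop:unknown-protocol-inside-tunnel", levels
        pkt = pkt[ihl + gre_len:]

# Constructed sample packets (checksums left at zero; the parser does not verify them).
def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return hdr + payload

def gre(proto_type: int, payload: bytes, key: Optional[int] = None, version: int = 0) -> bytes:
    flags = (0x2000 if key is not None else 0) | (version & 0x7)   # 0x2000 sets the K bit
    hdr = struct.pack("!HH", flags, proto_type)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload

UDP_PAYLOAD = b"\x00\x35\x00\x35\x00\x08\x00\x00"
ONE_LEVEL = ipv4(IPPROTO_GRE, gre(ETHERTYPE_IPV4, ipv4(IPPROTO_UDP, UDP_PAYLOAD), key=42))
TWO_LEVELS = ipv4(IPPROTO_GRE, gre(ETHERTYPE_IPV4, ONE_LEVEL))
BAD_VERSION = ipv4(IPPROTO_GRE, gre(ETHERTYPE_IPV4, ipv4(IPPROTO_UDP, UDP_PAYLOAD), version=1))
UNKNOWN_INNER = ipv4(IPPROTO_GRE, gre(0x6558, b"\x00" * 14))   # Transparent Ethernet Bridging
```

With the default One Level, the tunnel-in-tunnel packet is reported as exceeding the maximum at the second GRE header; raising max_levels to 2 (Two Levels) lets the walk reach the innermost UDP content instead.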


Enable Security Options (Inspection > Security Options)
  (Optional) Enable Security Options to assign security zones for separate Security policy treatment of tunnel content. The inner content source will belong to the Tunnel Source Zone you specify and the inner content destination will belong to the Tunnel Destination Zone you specify.
  If you do not Enable Security Options, the inner content source belongs to the same source zone as the outer tunnel source, and the inner content destination belongs to the same destination zone as the outer tunnel destination. Therefore, both the inner content source and destination are subject to the same Security policies that apply to those outer zones.

Tunnel Source Zone (Inspection > Security Options)
  (Optional) Select one of the following:
  - Default: The inner content will use the same zone that is used in the outer tunnel for policy enforcement.
  - A separate tunnel zone: A tunnel zone you create so that the Security policies associated with that zone apply to the tunnel source zone.

Tunnel Destination Zone (Inspection > Security Options)
  (Optional) Select one of the following:
  - Default: The inner content will use the same zone that is used in the outer tunnel for policy enforcement.
  - A separate tunnel zone: A tunnel zone you create so that the Security policies associated with that zone apply to the tunnel destination zone.

Monitor Name (Inspection > Monitor Options)
  (Optional) Enter a monitor name to group similar traffic together for monitoring the traffic in logs and reports.

Monitor Tag (number) (Inspection > Monitor Options)
  (Optional) Enter a monitor tag number that can group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined.


Policies > Application Override

To change how the firewall classifies network traffic into applications, you can specify application override policies. For example, if you want to control one of your custom applications, an application override policy can be used to identify traffic for that application according to zone, source and destination address, port, and protocol. If you have network applications that are classified as unknown, you can create new application definitions for them (refer to Defining Applications).
Like security policies, application override policies can be as general or specific as needed. The policy rules are compared against the traffic in sequence, so the more specific rules must precede the more general ones.
Because the App-ID engine in PAN-OS classifies traffic by identifying the application-specific content in network traffic, the custom application definition cannot simply use a port number to identify an application. The override rule must also restrict the traffic it applies to (by source zone, source IP address, destination zone, and destination IP address), because traffic that matches an override rule bypasses App-ID classification and, for custom applications, threat inspection.
To create a custom application with application override:
1. Create a custom application (see Defining Applications). It is not required to specify signatures for the application if the application is used only for application override rules.
2. Define an application override policy that specifies when the custom application should be invoked. A policy typically includes the IP address of the server running the custom application and a restricted set of source IP addresses or a source zone.
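Added example, not from this guide: both decryption rules (Policies > Decryption above) and application override rules are evaluated in sequence, so a more specific rule placed after a broader one is never reached, and for application override that means traffic you meant to inspect is silently swept into the broad override. The Python below parses the Port field syntax used on the Protocol/Application tab (single ports and port1-port2 ranges, comma separated) and flags application override rules whose zones, addresses, protocol and ports are entirely covered by an earlier rule. The rule fields and the sample rulebase are assumptions for the example; the firewall's own rule shadowing check is not reproduced here.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # the 'any' setting in the web interface

def parse_ports(spec: str) -> FrozenSet[int]:
    """Parse the Port field: single ports or ranges 'port1-port2', comma separated, 0-65535."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"invalid port entry: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return frozenset(ports)

def nets(*cidrs: str) -> Optional[tuple]:
    """Address field helper: a tuple of ip_network objects, or ANY when no CIDR is given."""
    return tuple(ipaddress.ip_network(c) for c in cidrs) or ANY

@dataclass(frozen=True)
class OverrideRule:
    name: str
    protocol: str                          # 'tcp' or 'udp'
    ports: FrozenSet[int]
    application: str                       # the override application
    src_zones: Optional[FrozenSet[str]] = ANY
    dst_zones: Optional[FrozenSet[str]] = ANY
    src_addrs: Optional[tuple] = ANY
    dst_addrs: Optional[tuple] = ANY

def zones_cover(a, b) -> bool:
    """Does zone set a (earlier rule) include every zone of set b (later rule)?"""
    return a is ANY or (b is not ANY and b <= a)

def addrs_cover(a, b) -> bool:
    """Does every network in b fall inside some network in a?"""
    if a is ANY:
        return True
    if b is ANY:
        return False
    return all(any(bn.version == an.version and bn.subnet_of(an) for an in a) for bn in b)

def shadowed_by(earlier: OverrideRule, later: OverrideRule) -> bool:
    """True when every flow the later rule could match is already matched by the
    earlier rule, so the later (more specific) rule is never evaluated."""
    return (earlier.protocol == later.protocol
            and later.ports <= earlier.ports
            and zones_cover(earlier.src_zones, later.src_zones)
            and zones_cover(earlier.dst_zones, later.dst_zones)
            and addrs_cover(earlier.src_addrs, later.src_addrs)
            and addrs_cover(earlier.dst_addrs, later.dst_addrs))

def find_shadowed(rules: List[OverrideRule]) -> List[Tuple[str, str]]:
    """Return (shadowed rule, earlier rule that hides it) pairs in rulebase order."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if shadowed_by(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed rulebase: a broad catch-all override and a narrow ERP override.
BROAD = OverrideRule("any-8000-8080", "tcp", parse_ports("8000-8080"), "internal-web")
NARROW = OverrideRule("erp-override", "tcp", parse_ports("8080"), "custom-erp",
                      src_zones=frozenset({"trust"}), dst_zones=frozenset({"dmz"}),
                      src_addrs=nets("10.1.0.0/16"), dst_addrs=nets("10.9.9.10/32"))
```

Running find_shadowed on [BROAD, NARROW] reports erp-override as hidden by any-8000-8080; moving the narrow rule first clears the report. The same containment test applies to a decryption rulebase, where a no-decrypt exception placed after a broad decrypt rule is the usual mistake.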
Use the following tables to configure an application override rule.
- General Tab
- Source Tab
- Destination Tab
- Protocol/Application Tab
Looking for more? See Use Application Objects in Policy.


General Tab

Select the General tab to configure a name and description for the application override policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.

Field   Description

Name
  Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description
  Enter a description for the rule (up to 255 characters).

Tag
  If you need to tag the policy, Add and specify the tag.
  A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.

Source Tab

Select the Source tab to define the source zone or source address that defines the incoming source traffic to which the application override policy will be applied.

Field   Description

Source Zone
  Add source zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
  Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.

Source Address
  Add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.
  Select Negate to choose any address except the configured ones.


Destination Tab

Select the Destination tab to define the destination zone or destination address that defines the destination traffic to which the policy will be applied.

Field   Description

Destination Zone
  Click Add to choose destination zones (default is any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
  Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases.

Destination Address
  Click Add to add destination addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.
  Select Negate to choose any address except the configured ones.

Protocol/Application Tab

Select the Protocol/Application tab to define the protocol (TCP or UDP), port, and application that further define the attributes of the application for the policy match.

Field   Description

Protocol
  Select the protocol (TCP or UDP) for which to allow an application override.

Port
  Enter the port number (0 to 65535) or range of port numbers (port1-port2) for the specified destination addresses. Multiple ports or ranges must be separated by commas.

Application
  Select the override application for traffic flows that match the above rule criteria. When overriding to a custom application, no threat inspection is performed. The exception to this is when you override to a predefined application that supports threat inspection.
  To define new applications, refer to Objects > Applications.


Policies > Authentication

Your Authentication policy enables you to authenticate end users before they can access network resources.

What do you want to know?   See:
- What are the fields available to create an Authentication rule?   Building Blocks of an Authentication Policy Rule
- How can I use the web interface to manage Authentication policy?   Create and Manage Authentication Policy. For Panorama, see Move or Clone a Policy Rule.
- Looking for more?   Authentication Policy

Building Blocks of an Authentication Policy Rule

Whenever a user requests a resource (such as when visiting a web page), the firewall evaluates Authentication policy. Based on the matching policy rule, the firewall then prompts the user to respond to one or more challenges of different factors (types), such as login and password, voice, SMS, push, or one-time password (OTP) authentication. After the user responds to all the factors, the firewall evaluates Security policy (see Policies > Security) to determine whether to allow access to the resource.

The firewall does not prompt users to authenticate if they access non-web-based resources (such as a printer) through a GlobalProtect gateway that is internal or in tunnel mode. Instead, the users will see connection failure messages. To ensure users can access these resources, set up an authentication portal and train users to visit it when they see connection failures. Consult your IT department to set up an authentication portal.
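Added example, not from this guide and not the firewall's code: a Python model of the sequence described above. It evaluates rules in order using the Source User types any, pre-logon, known-user, unknown and Select, creates the IP-address-to-username mapping the firewall records for an unknown user once they answer every factor, and honours a per-IP Timeout that suppresses repeat challenges. Rule fields, the Authentication Enforcement object names, the sample addresses and the fake clock are assumptions for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class AuthRule:
    name: str
    source_user: str                       # any | pre-logon | known-user | unknown | select
    selected_users: Set[str] = field(default_factory=set)   # used when source_user == 'select'
    enforcement: str = "default-web-form"  # name of the Authentication Enforcement object
    timeout_minutes: int = 60              # the rule's Timeout

class AuthPolicy:
    def __init__(self, rules: List[AuthRule], clock: Callable[[], float] = time.time):
        self.rules = rules
        self.clock = clock
        self.ip_user: Dict[str, str] = {}        # IP-address-to-username mappings (User-ID)
        self.auth_until: Dict[str, float] = {}   # ip -> time the last authentication expires

    def match(self, mapped_user: Optional[str]) -> Optional[AuthRule]:
        """First rule in sequence whose Source User setting fits the current mapping."""
        for r in self.rules:
            if (r.source_user == "any"
                    or (r.source_user == "known-user" and mapped_user is not None)
                    or (r.source_user == "unknown" and mapped_user is None)
                    or (r.source_user == "pre-logon" and mapped_user == "pre-logon")
                    or (r.source_user == "select" and mapped_user in r.selected_users)):
                return r
        return None

    def request(self, ip: str) -> str:
        """Evaluate Authentication policy for a web request. Returns 'pass' (go on to
        Security policy) or 'challenge:<enforcement object>' (user must authenticate)."""
        rule = self.match(self.ip_user.get(ip))
        if rule is None:
            return "pass"
        if self.auth_until.get(ip, 0.0) > self.clock():
            return "pass"                        # still inside the rule Timeout
        return f"challenge:{rule.enforcement}"

    def authenticated(self, ip: str, username: str) -> None:
        """The user answered every factor: create the mapping and start the Timeout."""
        rule = self.match(self.ip_user.get(ip))
        if rule is None:
            return
        self.ip_user[ip] = username              # an unknown user gets a mapping here
        self.auth_until[ip] = self.clock() + rule.timeout_minutes * 60

def demo() -> Tuple[str, str, str, str]:
    now = [1_000_000.0]                          # fake clock so the Timeout is testable
    policy = AuthPolicy(
        [AuthRule("unmapped-users", "unknown", timeout_minutes=30),
         AuthRule("contractors-mfa", "select", {"bob"}, "mfa-push", timeout_minutes=5)],
        clock=lambda: now[0])
    policy.ip_user["10.1.1.7"] = "alice"         # alice is already mapped by User-ID
    r1 = policy.request("10.1.1.7")              # no rule for alice -> pass
    r2 = policy.request("10.1.1.9")              # unmapped IP -> 'unknown' rule challenges
    policy.authenticated("10.1.1.9", "bob")      # mapping 10.1.1.9 -> bob is created
    r3 = policy.request("10.1.1.9")              # within the 30-minute Timeout -> pass
    now[0] += 31 * 60
    r4 = policy.request("10.1.1.9")              # Timeout expired; bob now matches the MFA rule
    return r1, r2, r3, r4
```

Once 10.1.1.9 is mapped to bob, the unknown rule no longer applies to that address and the Select rule with the push-based enforcement object takes over at the next expired Timeout, which is the rule-ordering effect to keep in mind when a known-user or Select rule follows an unknown rule.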

The following table describes each building block or component in an Authentication policy rule. Before you Add a rule, complete the prerequisites described in Create and Manage Authentication Policy. The tab on which each field is configured is given in parentheses after the field name.

Building Blocks in an Authentication Rule (Configured In)   Description

Rule number (N/A)
  Each rule is automatically numbered and the order changes as rules are moved. When you filter rules to match specific filters, the Policies > Authentication page lists each rule with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order. For details, see rule sequence and its evaluation order.

Name (General)
  Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description (General)
  Enter a description for the rule (up to 255 characters).

Tag (General)
  Select a tag for sorting and filtering rules (see Objects > Tags).


Source Zone (Source)
  Add zones to apply the rule only to traffic coming from interfaces in the zones that you specify (default is any). To define new zones, see Network > Zones.

Source Address (Source)
  Add addresses or address groups to apply the rule only to traffic originating from the sources that you specify (default is any). Select Negate to choose any address except the selected ones. To define new addresses or address groups, see Objects > Addresses and Objects > Address Groups.

Source User (User)
  Select the source users or user groups to which the rule applies:
  - any: Includes any traffic regardless of source user.
  - pre-logon: Includes remote users who are not logged into their client systems but whose client systems connect to the network through the GlobalProtect pre-logon feature.
  - known-user: Includes all users for whom the firewall already has IP-address-to-username mappings before the rule evokes authentication.
  - unknown: Includes all users for whom the firewall does not have IP-address-to-username mappings. After the rule evokes authentication, the firewall creates user mappings for unknown users based on the usernames they entered.
  - Select: Includes only the users and user groups that you Add to the Source User list.
  If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID agent, the list of users does not display; you must enter user information manually.

Source HIP Profile (User)
  Add host information profiles (HIP) to identify users. A HIP enables you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions. For details and to define new HIPs, see Objects > GlobalProtect > HIP Profiles.

Destination Zone (Destination)
  Add zones to apply the rule only to traffic going to interfaces in the zones that you specify (default is any). To define new zones, see Network > Zones.

Destination Address (Destination)
  Add addresses or address groups to apply the rule only to the destinations that you specify (default is any). Select Negate to choose any address except the selected ones. To define new addresses or address groups, see Objects > Addresses and Objects > Address Groups.

126 PANOS8.0WebInterfaceReferenceGuide PaloAltoNetworks,Inc.


Service (Service/URL Category)
    Select from the following options to apply the rule only to services on specific TCP and UDP port numbers:
    - any: Specifies services on any port and using any protocol.
    - default: Specifies services only on the default ports that Palo Alto Networks defines.
    - Select: Enables you to Add services or service groups. To create new services and service groups, see Objects > Services and Objects > Service Groups.

URL Category (Service/URL Category)
    Select the URL categories to which the rule applies:
    - Select any to specify all traffic regardless of the URL category.
    - Add categories. To define custom categories, see Objects > Custom Objects > URL Category.

Authentication Enforcement (Actions)
    Select the authentication enforcement object (Objects > Authentication) that specifies the method (such as Captive Portal or browser challenge) and authentication profile that the firewall uses to authenticate users. The authentication profile defines whether users respond to a single challenge or to multi-factor authentication (see Device > Authentication Profile). You can select a predefined or custom authentication enforcement object.

Timeout (Actions)
    To reduce the frequency of authentication challenges that interrupt the user workflow, you can specify the interval in minutes (default is 60) during which the firewall prompts the user to authenticate only once for repeated access to resources. If the Authentication Enforcement object specifies multi-factor authentication, the user must authenticate once for each factor. The firewall records a timestamp and reissues a challenge only when the timeout for a factor expires. Redistributing the timestamps to other firewalls enables you to apply the timeout even if the firewall that initially allows access for a user is not the same firewall that later controls access for that user.

Log Authentication Timeouts (Actions)
    Select this option (disabled by default) if you want the firewall to generate Authentication logs whenever the Timeout associated with an authentication factor expires. Enabling this option provides more data to troubleshoot access issues. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network (such as brute force attacks). Enabling this option increases log traffic.

Log Forwarding (Actions)
    Select a Log Forwarding profile if you want the firewall to forward Authentication logs to Panorama or to external services such as a syslog server (see Objects > Log Forwarding).


Create and Manage Authentication Policy

Select the Policies > Authentication page to create and manage Authentication policy rules:

Task    Description

Add
    Perform the following prerequisites before creating Authentication policy rules:
    - Configure the User-ID Captive Portal settings (see Device > User Identification > Captive Portal Settings). The firewall uses Captive Portal to display the first authentication factor that the Authentication rule requires. Captive Portal also enables the firewall to record the timestamps associated with authentication Timeout periods and to update user mappings.
    - Configure a server profile that specifies how the firewall can access the service that will authenticate users (see Device > Server Profiles).
    - Assign the server profile to an authentication profile that specifies authentication settings (see Device > Authentication Profile).
    - Assign the authentication profile to an authentication enforcement object that specifies the authentication method (see Objects > Authentication).
    To create a rule, perform one of the following steps and then complete the fields described in Building Blocks of an Authentication Policy Rule:
    - Click Add.
    - Select a rule on which to base the new rule and click Clone Rule. The firewall inserts the copied rule, named <rulename>-#, below the selected rule, where # is the next available integer that makes the rule name unique. For details, see Move or Clone a Policy Rule.

Modify
    To modify a rule, click the rule Name and edit the fields described in Building Blocks of an Authentication Policy Rule.
    If the firewall received the rule from Panorama, the rule is read-only; you can edit it only on Panorama.

Move
    When matching traffic, the firewall evaluates rules from top to bottom in the order that the Policies > Authentication page lists them. To change the evaluation order, select a rule and Move Up, Move Down, Move Top, or Move Bottom. For details, see Move or Clone a Policy Rule.

Delete
    To remove an existing rule, select and Delete it.

Enable/Disable
    To disable a rule, select and Disable it. To re-enable a disabled rule, select and Enable it.

Highlight Unused Rules
    To identify rules that have not matched traffic since the last time the firewall was restarted, Highlight Unused Rules. You can then decide whether to disable or delete unused rules. The page highlights unused rules with a dotted yellow background.

Preview Rules (Panorama only)
    Click Preview Rules to view a list of the rules before you push the rules to the managed firewalls. Within each rulebase, the page visually demarcates the rule hierarchy for each device group (and managed firewall) to facilitate scanning of numerous rules.


Policies > DoS Protection

What do you want to know?                                          See:
What is a DoS Protection policy?                                   DoS Protection Policy Overview
What are the fields available to create a DoS Protection policy?   Building Blocks of a DoS Protection Policy
How do I configure a DoS Protection profile?                       See Objects > Security Profiles > DoS Protection
Looking for more?                                                  See DoS Protection Policies

DoS Protection Policy Overview

A DoS Protection policy allows you to protect against DoS attacks by specifying whether to deny or allow packets that match a source interface, zone, address, or user and/or a destination interface, zone, or user. Alternatively, you can choose the Protect action and specify a DoS profile where you set the thresholds (sessions or packets per second) that trigger an alarm, activate a protective action, and indicate the maximum rate above which packets are dropped. Thus, you can control the number of sessions between interfaces, zones, addresses, and countries based on aggregate sessions or source and/or destination IP addresses. For example, you can control traffic to and from certain addresses or address groups, or from certain users and for certain services.

The firewall enforces DoS Protection policy rules before Security policy rules to ensure the firewall uses its resources in the most efficient manner. If a DoS Protection policy rule denies a packet, that packet never reaches a Security policy rule.


Building Blocks of a DoS Protection Policy

Building Block (Configured In)    Description

Name (Policies > DoS Protection > General)
    Enter a name to identify the DoS Protection policy rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description (Policies > DoS Protection > General)
    Enter a description for the rule (up to 255 characters).

Tags (Policies > DoS Protection > General)
    If you want to tag the policy, Add and specify the tag. A policy tag is a keyword or phrase that allows you to sort or filter policies. A tag is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt or No-decrypt, or use the name of a specific data center for policies associated with that location.


Type (Policies > DoS Protection > Source)
    Select the type of source to which the DoS Protection policy rule applies:
    - Interface: Apply the rule to traffic coming from the specified interface or group of interfaces.
    - Zone: Apply the rule to traffic coming from any interface in a specified zone.
    Click Add to select multiple interfaces or zones.

Source Address (Policies > DoS Protection > Source)
    Select Any or Add and specify one or more source addresses to which the DoS Protection policy rule applies. (Optional) Select Negate to specify that the rule applies to any addresses except those specified.

Source User (Policies > DoS Protection > Source)
    Specify one or more source users to which the DoS Protection policy rule applies:
    - any: Includes packets regardless of the source user.
    - pre-logon: Includes packets from remote users that are connected to the network using GlobalProtect, but are not logged in to their system. When pre-logon is configured on the Portal for GlobalProtect clients, any user who is not currently logged in to their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and, although the user is not directly logged in, their machines are authenticated on the domain as if they were fully logged in.
    - known-user: Includes all authenticated users, which means any IP address with user data mapped. This option is equivalent to the domain users group on a domain.
    - unknown: Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access to something because they will have an IP address on your network, but will not be authenticated to the domain and will not have IP address-to-username mapping information on the firewall.
    - Select: Includes users specified in this window. For example, you can select one user, a list of individuals, some groups, or manually add users.
    If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID agent, the list of users does not display; you must enter user information manually.

Type (Policies > DoS Protection > Destination)
    Select the type of destination to which the DoS Protection policy rule applies:
    - Interface: Apply the rule to packets going to the specified interface or group of interfaces. Click Add and select one or more interfaces.
    - Zone: Apply the rule to packets going to any interface in the specified zone. Click Add and select one or more zones.

Destination Address (Policies > DoS Protection > Destination)
    Select Any or Add and specify one or more destination addresses to which the DoS Protection policy rule applies. (Optional) Select Negate to specify that the rule applies to any addresses except those specified.


Service (Policies > DoS Protection > Option/Protection)
    Click Add and select one or more services to which the DoS Protection policy applies. The default is Any service.

Action (Policies > DoS Protection > Option/Protection)
    Select the action that the firewall performs on packets that match the DoS Protection policy rule:
    - Deny: Drop all packets that match the rule.
    - Allow: Permit all packets that match the rule.
    - Protect: Enforce protections (on packets that match the rule) specified in the DoS Protection profile applied to this rule. Packets that match the rule are counted toward the threshold rates in the DoS Protection profile, which in turn trigger an alarm, activate another action, and trigger packet drops when the maximum rate is exceeded.

Schedule (Policies > DoS Protection > Option/Protection)
    Specify the schedule when the DoS Protection policy rule is in effect. The default setting of None indicates no schedule; the policy is always in effect. Alternatively, select a schedule or create a new schedule to control when the DoS Protection policy rule is in effect. Enter a Name for the schedule. Select Shared to share this schedule with every virtual system on a multiple virtual system firewall. Select a Recurrence of Daily, Weekly, or Non-recurring. Add a Start Time and End Time in hours:minutes, based on a 24-hour clock.

Log Forwarding (Policies > DoS Protection > Option/Protection)
    If you want to trigger forwarding of threat log entries for matched traffic to an external service, such as to a syslog server or Panorama, select a Log Forwarding profile or click Profile to create a new one. Only traffic that matches an action in the rule will be logged and forwarded.

Aggregate (Policies > DoS Protection > Option/Protection)
    Select an Aggregate DoS Protection profile that specifies the threshold rates at which the incoming connections per second trigger an alarm, activate an action, and exceed a maximum rate. All incoming connections (the aggregate) count toward the thresholds specified in an Aggregate DoS Protection profile. An Aggregate profile setting of None means there are no threshold settings in place for the aggregate traffic. See Objects > Security Profiles > DoS Protection.

Classified (Policies > DoS Protection > Option/Protection)
    Select this option and specify the following:
    - Profile: Select a Classified DoS Protection profile to apply to this rule.
    - Address: Select whether incoming connections count toward the thresholds in the profile if they match the source-ip-only, destination-ip-only, or src-dest-ip-both.
    If you specify a Classified DoS Protection profile, only the incoming connections that match a source IP address, destination IP address, or source and destination IP address pair count toward the thresholds specified in the profile. For example, you can specify a Classified DoS Protection profile with a Max Rate of 100 cps, and specify an Address setting of source-ip-only in the rule. The result would be a limit of 100 connections per second for that particular source IP address. See Objects > Security Profiles > DoS Protection.
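To make the difference between Aggregate and Classified counting concrete, here is an added Python model (not Palo Alto Networks code) of the 100 cps source-ip-only example above; it also generalises to the destination-ip-only and src-dest-ip-both settings. The one-second window, dropping when a key is already at its Max Rate, and not counting dropped connections are assumptions, since the page does not describe the firewall's internal counting.

```python
"""Model how Aggregate and Classified DoS Protection thresholds count connections.

Added example, not Palo Alto Networks code. Simplified model: a fixed one-second
window per counted key, a connection is dropped when any enabled profile is
already at its Max Rate, and dropped connections are not counted.
"""
from collections import defaultdict, deque
from collections.abc import Hashable
from typing import Deque, Dict, List, Optional, Tuple

# Constructed connection record: (timestamp in seconds, source IP, destination IP).
Conn = Tuple[float, str, str]


def classify_key(conn: Conn, address_setting: str) -> Hashable:
    """Return the key a Classified profile counts by, per the rule's Address setting."""
    _, src, dst = conn
    if address_setting == "source-ip-only":
        return src
    if address_setting == "destination-ip-only":
        return dst
    if address_setting == "src-dest-ip-both":
        return (src, dst)
    raise ValueError(f"unknown Address setting: {address_setting}")


class RateLimiter:
    """Sliding one-second window per key, enforcing a Max Rate in connections per second."""

    def __init__(self, max_rate: int, window: float = 1.0) -> None:
        self.max_rate = max_rate
        self.window = window
        self.history: Dict[Hashable, Deque[float]] = defaultdict(deque)

    def admit(self, key: Hashable, ts: float) -> bool:
        q = self.history[key]
        while q and ts - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.max_rate:
            return False                        # key already at Max Rate: drop
        q.append(ts)
        return True


def evaluate(conns: List[Conn], aggregate_max: Optional[int] = None,
             classified_max: Optional[int] = None,
             address_setting: str = "source-ip-only") -> Dict[str, Dict[str, int]]:
    """Run connections through the Aggregate and/or Classified limits of one rule.

    Returns per-source counts of allowed and dropped connections.
    """
    aggregate = RateLimiter(aggregate_max) if aggregate_max else None
    classified = RateLimiter(classified_max) if classified_max else None
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for conn in sorted(conns):                  # process in arrival order
        ts, src, _ = conn
        ok = True
        if aggregate is not None:               # every connection counts toward the aggregate
            ok = aggregate.admit("aggregate", ts)
        if ok and classified is not None:       # only connections sharing the key count here
            ok = classified.admit(classify_key(conn, address_setting), ts)
        stats[src]["allowed" if ok else "dropped"] += 1
    return dict(stats)


def sample_connections() -> List[Conn]:
    """Constructed traffic: one source bursting at 150 cps, two clients at 20 cps each."""
    conns: List[Conn] = [(i * 0.005, "10.0.0.9", "192.0.2.10") for i in range(150)]
    for client in ("10.0.0.21", "10.0.0.22"):
        conns += [(j * 0.04, client, "192.0.2.10") for j in range(20)]
    return conns


if __name__ == "__main__":
    # Classified profile, Max Rate 100 cps, keyed by source-ip-only: only the
    # bursting source is limited; the two clients are untouched.
    print(evaluate(sample_connections(), classified_max=100))
    # Aggregate profile, Max Rate 150 cps: all 190 connections share one counter.
    print(evaluate(sample_connections(), aggregate_max=150))
```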


Objects

Objects are the elements that enable you to construct, schedule, and search for policy rules, and Security Profiles provide threat protection in policy rules.

This section describes how to configure the Security Profiles and objects that you can use with Policies:
- Move, Clone, Override, or Revert Objects
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Applications
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Tags
- Objects > GlobalProtect > HIP Objects
- Objects > GlobalProtect > HIP Profiles
- Objects > External Dynamic Lists
- Objects > Custom Objects
- Objects > Security Profiles
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption Profile
- Objects > Schedules


Move, Clone, Override, or Revert Objects

See the following topics for options to modify existing objects:
- Move or Clone an Object
- Override or Revert an Object

Move or Clone an Object

When moving or cloning objects, you can assign a Destination (a virtual system on a firewall or a device group on Panorama) for which you have access permissions, including the Shared location.

To move an object, select the object in the Objects tab, click Move, select Move to other vsys (firewall only) or Move to other device group (Panorama only), complete the fields in the following table, and then click OK.

To clone an object, select the object in the Objects tab, click Clone, complete the fields in the following table, and then click OK.

Move/Clone Settings    Description

Selected Objects
    Displays the Name and current Location (virtual system or device group) of the policies or objects you selected for the operation.

Destination
    Select the new location for the policy or object: a virtual system, device group, or Shared. The default value is the Virtual System or Device Group that you selected in the Policies or Objects tab.

Error out on first detected error in validation
    Select this option (selected by default) to make the firewall or Panorama display the first error it finds and stop checking for more errors. For example, an error occurs if the Destination doesn't include an object that is referenced in the policy rule you are moving. If you clear this selection, the firewall or Panorama will find all errors before displaying them.

Override or Revert an Object

In Panorama, you can nest device groups in a tree hierarchy of up to four levels. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups at successively higher levels, collectively called ancestors, from which the bottom-level device group inherits policies and objects. At the top level, a device group can have child, grandchild, and great-grandchild device groups, collectively called descendants. You can override an object in a descendant so that its values differ from those in an ancestor. This override capability is enabled by default. However, you cannot override shared or default (predefined) objects. The web interface displays one icon to indicate an object has inherited values and a different icon to indicate an inherited object has overridden values.

- Override an object: Select the Objects tab, select the descendant Device Group that will have the overridden version, select the object, click Override, and edit the settings. You cannot override Name or Shared settings for an object.


- Revert an overridden object to its inherited values: Select the Objects tab, select the Device Group that has the overridden version, select the object, click Revert, and click Yes to confirm the operation.
- Disable overrides for an object: Select the Objects tab, select the Device Group where the object resides, click the object Name to edit it, select Disable override, and click OK. Overrides for that object are then disabled in all device groups that inherit the object from the selected Device Group.
- Replace all object overrides across Panorama with the values inherited from the Shared location or ancestor device groups: Select Panorama > Setup > Management, edit the Panorama Settings, select Ancestor Objects Take Precedence, and click OK. You must then commit to Panorama and to the device groups containing overrides to push the inherited values.


Objects > Addresses

An address object can include an IPv4 or IPv6 address (single IP, range, subnet) or an FQDN. It allows you to reuse the same object as a source or destination address across all the policy rulebases without having to add it manually each time. It is configured using the web interface or the CLI, and a commit operation is required to make the object a part of the configuration.

To define an address object, click Add and fill in the following fields:

Address Object Settings    Description

Name
    Enter a name that describes the addresses to be defined (up to 63 characters). This name appears in the address list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared
    Select this option if you want the address object to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the address object will be available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the address object will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this address object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Description
    Enter a description for the object (up to 255 characters).

Type
    Specify an IPv4 or IPv6 address or address range, or an FQDN.
    IP Netmask: Enter the IPv4 or IPv6 address or IP address range using the following notation:
        ip_address/mask or ip_address
    where the mask is the number of significant binary digits used for the network portion of the address. Ideally, for IPv6, you specify only the network portion, not the host portion.
    Examples:
        192.168.80.150/32 (indicates one address)
        192.168.80.0/24 (indicates all addresses from 192.168.80.0 through 192.168.80.255)
        2001:db8::/32
        2001:db8:123:1::/64
    IP Range: Enter a range of addresses using the following format:
        ip_address-ip_address
    where both addresses can be IPv4 or both can be IPv6.
    Example:
        2001:db8:123:1::1-2001:db8:123:1::22


Type (continued)
    FQDN: To specify an address using the FQDN, select FQDN and enter the domain name.
    The FQDN initially resolves at commit time. Entries are subsequently refreshed when the firewall performs a check every 30 minutes; all changes in the IP address for the entries are picked up at the refresh cycle.
    The FQDN is resolved by the system DNS server or a Network > DNS Proxy object, if a proxy is configured.

Tags
    Select or enter the tags that you wish to apply to this address object. You can define a tag here or use the Objects > Tags tab to create new tags. For information on tags, see Objects > Tags.
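Provisioning scripts that create address objects through the API or CLI benefit from validating the Type notations above before a commit. This added Python example (not Palo Alto Networks code) normalises IP Netmask, IP Range and FQDN values, rejects ranges that mix address families, and warns when an IPv6 prefix carries host bits. The type keys ip-netmask, ip-range and fqdn, and the RFC 1123 label rules applied to FQDNs, are assumptions.

```python
"""Validate the address notations accepted by a PAN-OS address object.

Added example, not Palo Alto Networks code. Checks the IP Netmask, IP Range and
FQDN forms described in the table above. The firewall's exact validation is not
on the page, so the FQDN label rules used here (RFC 1123) are an assumption.
"""
import ipaddress
import re
from typing import List, Tuple

# One hostname label: 1-63 chars of letters, digits or hyphen, not starting/ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

Result = Tuple[str, List[str]]   # (normalised value, warnings)


def parse_ip_netmask(value: str) -> Result:
    """ip_address/mask or bare ip_address; a bare address becomes /32 or /128."""
    warnings: List[str] = []
    net = ipaddress.ip_network(value, strict=False)
    if "/" in value:
        given = ipaddress.ip_address(value.split("/", 1)[0])
        if net.version == 6 and given != net.network_address:
            # The page recommends specifying only the network portion for IPv6.
            warnings.append(f"IPv6 host bits set in {value}; using {net}")
    return str(net), warnings


def parse_ip_range(value: str) -> Result:
    """ip_address-ip_address; both ends must be the same family and in order."""
    if value.count("-") != 1:
        raise ValueError(f"IP Range must be start-end: {value!r}")
    start_s, end_s = value.split("-")
    start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
    if start.version != end.version:
        raise ValueError(f"IP Range mixes IPv4 and IPv6: {value!r}")
    if end < start:
        raise ValueError(f"IP Range end precedes start: {value!r}")
    return f"{start}-{end}", []


def parse_fqdn(value: str) -> Result:
    """Hostname labels per RFC 1123 (assumed; the page only says 'domain name')."""
    name = value.rstrip(".")
    if not name or len(name) > 253:
        raise ValueError(f"FQDN length out of range: {value!r}")
    labels = name.split(".")
    if any(not _LABEL.match(label) for label in labels):
        raise ValueError(f"FQDN has an invalid label: {value!r}")
    warnings = [] if len(labels) > 1 else [f"{value!r} has a single label; resolution may fail"]
    return name.lower(), warnings


# Keys named after the Type options; assumed, not taken from the page.
_PARSERS = {"ip-netmask": parse_ip_netmask, "ip-range": parse_ip_range, "fqdn": parse_fqdn}


def parse_address(type_: str, value: str) -> Result:
    """Dispatch on the address object Type; raises ValueError on bad input."""
    try:
        parser = _PARSERS[type_]
    except KeyError:
        raise ValueError(f"unknown address object type: {type_!r}") from None
    return parser(value.strip())


if __name__ == "__main__":
    # Constructed inputs, taken from the examples in the table above.
    for type_, value in [("ip-netmask", "192.168.80.150/32"), ("ip-netmask", "192.168.80.0/24"),
                         ("ip-netmask", "2001:db8:123:1::/64"),
                         ("ip-range", "2001:db8:123:1::1-2001:db8:123:1::22"),
                         ("fqdn", "www.example.com")]:
        print(type_, value, "->", parse_address(type_, value))
```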


Objects > Address Groups

To simplify the creation of security policies, addresses that require the same security settings can be combined into address groups. An address group can be static or dynamic.

- Dynamic Address Groups: A dynamic address group populates its members dynamically using lookups for tags and tag-based filters. Dynamic address groups are very useful if you have an extensive virtual infrastructure where changes in virtual machine location/IP address are frequent. For example, you have a sophisticated failover setup or provision new virtual machines frequently and would like to apply policy to traffic from or to the new machine without modifying the configuration/rules on the firewall.
  To use a dynamic address group in policy you must complete the following tasks:
  - Define a dynamic address group and reference it in a policy rule.
  - Notify the firewall of the IP addresses and the corresponding tags, so that members of the dynamic address group can be formed. You can do this using external scripts that use the XML API on the firewall or, for a VMware-based environment, you can select Device > VM Information Sources to configure settings on the firewall.
  Dynamic address groups can also include statically defined address objects. If you create an address object and apply the same tags that you have assigned to a dynamic address group, that dynamic address group will include all static and dynamic objects that match the tags. You can, therefore, use tags to pull together both dynamic and static objects in the same address group.
- Static Address Groups: A static address group can include address objects that are static, dynamic address groups, or it can be a combination of both address objects and dynamic address groups.

To create an address group, click Add and fill in the following fields:

Address Group Settings    Description

Name
    Enter a name that describes the address group (up to 63 characters). This name appears in the address list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared
    Select this option if you want the address group to be available to:
    - Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the address group will be available only to the Virtual System selected in the Objects tab.
    - Every device group on Panorama. If you clear this selection, the address group will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only)
    Select this option to prevent administrators from overriding the settings of this address group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Description
    Enter a description for the object (up to 255 characters).


Type
    Select Static or Dynamic.
    To create a dynamic address group, use the match criteria to assemble the members to be included in the group. Define the Match criteria using the AND or OR operators.
    To view the list of attributes for the match criteria, you must have configured the firewall to access and retrieve the attributes from the source/host. Each virtual machine on the configured information source(s) is registered with the firewall and the firewall can poll the machine to retrieve changes in IP address or configuration without any modifications on the firewall.
    For a static address group, click Add and select one or more Addresses. Click Add to add an object or an address group to the address group. The group can contain address objects, and both static and dynamic address groups.

Tags
    Select or enter the tags that you wish to apply to this address group. For information on tags, see Objects > Tags.

Members Count and Address
    After you add an address group, the Members Count column on the Objects > Address Groups page indicates whether the objects in the group are populated dynamically or statically.
    - For a static address group, you can view the count of the members in the address group.
    - For an address group that uses tags to dynamically populate members or has both static and dynamic members, to view the members, click the More... link in the Address column. You can now view the IP addresses that are registered to the address group.
      - Type indicates whether the IP address is a static address object or being dynamically registered and displays the IP address.
      - Action allows you to Unregister Tags from an IP address. Click the link to Add the registration source and specify the tags to unregister.
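The XML API registration step described under Dynamic Address Groups above, and the AND/OR match criteria described under Type, as one added Python example (not Palo Alto Networks code): it builds the uid-message body for registering and unregistering tags on IP addresses, and evaluates a match expression locally to preview which registered addresses a group would contain. The uid-message layout is assumed from the PAN-OS XML API documentation and is built but not sent; the expression syntax (quoted tags joined by and, or, not, with parentheses) is an assumed model of the firewall's match criteria.

```python
"""Register IP-tag mappings for a dynamic address group and preview its members.

Added example, not Palo Alto Networks code. build_uid_message() builds (but does not
send) the uid-message body that the PAN-OS XML API user-id call accepts, in the format
assumed from the XML API documentation; dag_members() evaluates match criteria of quoted
tags joined with and/or/not, an assumed model of how the firewall forms group members.
"""
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Token = Tuple[str, str]
_TOKEN = re.compile(r"\s*(?:'([^']*)'|([()])|(and|or|not)\b)", re.IGNORECASE)


def build_uid_message(register: Dict[str, Iterable[str]],
                      unregister: Optional[Dict[str, Iterable[str]]] = None) -> str:
    """Return the <uid-message> XML that registers/unregisters tags on IP addresses."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "2.0"
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    for action, mapping in (("register", register), ("unregister", unregister or {})):
        if not mapping:
            continue
        section = ET.SubElement(payload, action)
        for ip, tags in sorted(mapping.items()):   # one <entry ip=...> per address
            tag_el = ET.SubElement(ET.SubElement(section, "entry", ip=ip), "tag")
            for tag in sorted(tags):
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(msg, encoding="unicode")


def _tokenize(criteria: str) -> List[Token]:
    """Split e.g. "'web' and not 'dev'" into TAG, PAREN and OP tokens."""
    tokens: List[Token] = []
    text, pos = criteria.strip(), 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad match criteria near {text[pos:]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("TAG", m.group(1)))
        elif m.group(2):
            tokens.append(("PAREN", m.group(2)))
        else:
            tokens.append(("OP", m.group(3).lower()))
    return tokens


class _Matcher:
    """Recursive-descent evaluation: not binds tightest, then and, then or."""

    def __init__(self, tokens: List[Token], tags: Set[str]) -> None:
        self.tokens, self.tags, self.pos = tokens, tags, 0

    def _take(self) -> Token:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of match criteria")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def evaluate(self) -> bool:
        result = self._or()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]}")
        return result

    def _or(self) -> bool:
        return self._binary("or", lambda: self._binary("and", self._not))

    def _binary(self, op: str, operand: Callable[[], bool]) -> bool:
        result = operand()
        while self.tokens[self.pos:self.pos + 1] == [("OP", op)]:
            self.pos += 1
            rhs = operand()            # always consume the operand; no short-circuit
            result = (result or rhs) if op == "or" else (result and rhs)
        return result

    def _not(self) -> bool:
        tok = self._take()
        if tok == ("OP", "not"):
            return not self._not()
        if tok == ("PAREN", "("):
            result = self._or()
            if self._take() != ("PAREN", ")"):
                raise ValueError("missing closing parenthesis")
            return result
        if tok[0] == "TAG":
            return tok[1] in self.tags
        raise ValueError(f"unexpected token {tok}")


def dag_members(registrations: Dict[str, Set[str]], criteria: str) -> Set[str]:
    """IP addresses whose registered tags satisfy the group's match criteria."""
    tokens = _tokenize(criteria)
    return {ip for ip, tags in registrations.items() if _Matcher(tokens, tags).evaluate()}
```

With constructed registrations such as {"10.1.1.10": {"web", "prod"}, "10.1.2.5": {"db", "prod"}}, dag_members(registered, "'prod' and not 'web'") returns {"10.1.2.5"}, and build_uid_message(registered) yields the body to submit to the firewall's user-id API call.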


Objects > Regions

The firewall supports creation of policy rules that apply to specified countries or other regions. The region is available as an option when specifying source and destination for security policies, decryption policies, and DoS policies. You can choose from a standard list of countries or use the region settings described in this section to define custom regions to include as options for Security policy rules.

The following table describes the region settings:

Region Settings    Description

Name
    Enter a name that describes the region (up to 31 characters). This name appears in the address list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Geo Location
    To specify latitude and longitude, select this option and specify the values (xxx.xxxxxx format). This information is used in the traffic and threat maps for App-Scope. Refer to Monitor > Logs.

Addresses
    Specify an IP address, range of IP addresses, or subnet to identify the region, using any of the following formats:
        x.x.x.x
        x.x.x.x-y.y.y.y
        x.x.x.x/n


Objects > Applications

What are you looking for?                                                          See
Understand the application settings and attributes displayed on the Applications page.   Applications Overview; Actions Supported on Applications
Add a new application or modify an existing application.                           Defining Applications

Applications Overview

The Applications page lists various attributes of each application definition, such as the application's relative security risk (1 to 5). The risk value is based on criteria such as whether the application can share files, is prone to misuse, or tries to evade firewalls. Higher values indicate higher risk.

The top application browser area of the page lists the attributes that you can use to filter the display as follows. The number to the left of each entry represents the total number of applications with that attribute.

Weekly content releases periodically include new decoders and contexts for which you can develop signatures.

The following table describes application details; custom applications and Palo Alto Networks applications might display some or all of these fields.

Application Details    Description

Name
    Name of the application.

Description
    Description of the application (up to 255 characters).

Additional Information
    Links to web sources (Wikipedia, Google, and Yahoo!) that contain additional information about the application.

Standard Ports
    Ports that the application uses to communicate with the network.

Depends on
    List of other applications that are required for this application to run. When creating a policy rule to allow the selected application, you must also be sure that you are allowing any other applications that the application depends on.


Implicitly Uses
    Other applications that the selected application depends on but that you do not need to add to your Security policy rules to allow the selected application because those applications are supported implicitly.

Previously Identified As
    For a new App-ID, or App-IDs that are changed, this indicates what the application was previously identified as. This helps you assess whether policy changes are required based on changes in the application. If an App-ID is disabled, sessions associated with that application will match policy as the previously-identified-as application. Similarly, disabled App-IDs will appear in logs as the application they were previously identified as.

Deny Action
    App-IDs are developed with a default deny action that dictates how the firewall responds when the application is included in a Security policy rule with a deny action. The default deny action can specify either a silent drop or a TCP reset. You can override this default action in Security policy.

Characteristics

Evasive
    Uses a port or protocol for something other than its originally intended purpose with the hope that it will traverse a firewall.

Excessive Bandwidth
    Consumes at least 1 Mbps on a regular basis through normal use.

Prone to Misuse
    Often used for nefarious purposes or is easily set up to expose more than the user intended.

SaaS
    On the firewall, Software as a Service (SaaS) is characterized as a service where the software and infrastructure are owned and managed by the application service provider but where you retain full control of the data, including who can create, access, share, and transfer the data. Keep in mind that in the context of how an application is characterized, SaaS applications differ from web services. Web services are hosted applications where either the user doesn't own the data (for example, Pandora) or where the service is primarily comprised of sharing data fed by many subscribers for social purposes (for example, LinkedIn, Twitter, or Facebook).

Capable of File Transfer
    Has the capability to transfer a file from one system to another over a network.

Tunnels Other Applications
    Is able to transport other applications inside its protocol.

Used by Malware
    Malware has been known to use the application for propagation, attack, or data theft, or is distributed with malware.

Has Known Vulnerabilities
    Has publicly reported vulnerabilities.

Widely used
    Likely has more than 1,000,000 users.

Continue Scanning for Other Applications
    Instructs the firewall to continue to try and match against other application signatures. If you do not select this option, the firewall stops looking for additional application matches after the first matching signature.


Classification

Category
    The application category will be one of the following:
    - business-systems
    - collaboration
    - general-internet
    - media
    - networking
    - unknown

Subcategory
    The subcategory in which the application is classified. Different categories have different subcategories associated with them. For example, subcategories in the collaboration category include email, file-sharing, instant-messaging, internet-conferencing, social-business, social-networking, voip-video, and web-posting, whereas subcategories in the business-systems category include auth-service, database, erp-crm, general-business, management, office-programs, software-update, and storage-backup.

Technology
    The application technology will be one of the following:
    - client-server: An application that uses a client-server model where one or more clients communicate with a server in the network.
    - network-protocol: An application that is generally used for system-to-system communication that facilitates network operation. This includes most of the IP protocols.
    - peer-to-peer: An application that communicates directly with other clients to transfer information instead of relying on a central server to facilitate the communication.
    - browser-based: An application that relies on a web browser to function.

Risk
    Assigned risk of the application. To customize this setting, click the Customize link, enter a value (1 to 5), and click OK.

Options

Session Timeout
    Period of time, in seconds, required for the application to time out due to inactivity (range is 1 to 604800 seconds). This timeout is for protocols other than TCP or UDP. For TCP and UDP, refer to the next rows in this table. To customize this setting, click the Customize link, enter a value, and click OK.

TCP Timeout (seconds)
    Timeout, in seconds, for terminating a TCP application flow (range is 1 to 604800). To customize this setting, click the Customize link, enter a value, and click OK. A value of 0 indicates that the global session timer will be used, which is 3600 seconds for TCP.


Objects>Applications Objects

ApplicationDetails Description

UDP Timeout (seconds): Timeout, in seconds, for terminating a UDP application flow (range is 1-604800 seconds).
To customize this setting, click the Customize link, enter a value, and click OK.

TCP Half Closed (seconds): Maximum length of time, in seconds, that a session remains in the session table between receiving the first FIN packet and receiving the second FIN packet or RST packet. If the timer expires, the session is closed (range is 1-604800).
Default: If this timer is not configured at the application level, the global setting is used.
If this value is configured at the application level, it overrides the global TCP Half Closed setting.

TCP Time Wait (seconds): Maximum length of time, in seconds, that a session remains in the session table after receiving the second FIN packet or an RST packet. If the timer expires, the session is closed (range is 1-600).
Default: If this timer is not configured at the application level, the global setting is used.
If this value is configured at the application level, it overrides the global TCP Time Wait setting.

App-ID Enabled: Indicates whether the App-ID is enabled or disabled. If an App-ID is disabled, traffic for that application will be treated as the Previously Identified As App-ID in both Security policy and in logs. For applications added after content release version 490, you have the ability to disable them while you review the policy impact of the new app. After reviewing policy, you may choose to enable the App-ID. You also have the ability to disable an application that you have previously enabled. On a multi-vsys firewall, you can disable App-IDs separately in each virtual system.

When the firewall is not able to identify an application using the App-ID, the traffic is classified as unknown: unknown-tcp or unknown-udp. This behavior applies to all unknown applications except those that fully emulate HTTP. For more information, refer to Monitor > Botnet.
You can create new definitions for unknown applications and then define security policies for the new application definitions. In addition, applications that require the same security settings can be combined into application groups to simplify the creation of security policies.


Actions Supported on Applications

You can perform any of the following actions on this page:

Actions Supported for Applications   Description

Filter by application: To search for a specific application, enter the application name or description in the Search field and press Enter. The drop-down to the right of the search box allows you to search or filter for a specific application or view All applications, Custom applications, Disabled applications, or Tagged applications.
The application is listed and the filter columns are updated to show statistics for the applications that matched the search. A search will match partial strings. When you define security policies, you can write rules that apply to all applications that match a saved filter. Such rules are dynamically updated when a new application is added through a content update that matches the filter.
To filter by application attributes displayed on the page, click an item that you want to use as a basis for filtering. For example, to restrict the list to the collaboration category, click collaboration and the list will only show applications in this category.

To filter on additional columns, select an entry in the other columns. The filtering is successive: first Category filters are applied, then Subcategory filters, then Technology filters, then Risk filters, and finally Characteristic filters. For example, if you apply a Category, Subcategory, and Risk filter, the Technology column is automatically restricted to the technologies that are consistent with the selected Category and Subcategory, even though a Technology filter has not been explicitly applied. Each time you apply a filter, the list of applications in the lower part of the page automatically updates. To create a new application filter, see Objects > Application Filters.

Add a new application: To add a new application, see Defining Applications.

View and/or customize application details: Click the application name link to view the application description, including the standard port, characteristics, and risk of the application, among other details. For details on the application settings, see Defining Applications.
If the icon to the left of the application name has a yellow pencil, the application is a custom application.


Disable an application: You can Disable an application (or several applications) so that the application signature is not matched against traffic. Security rules defined to block, allow, or enforce a matching application are not applied to the application traffic when the app is disabled. You might choose to disable an application that is included with a new content release version because policy enforcement for the application might change when the application is uniquely identified. For example, an application that is identified as web-browsing traffic is allowed by the firewall prior to a new content version installation; after installing the content update, the uniquely identified application no longer matches the Security rule that allows web-browsing traffic. In this case, you could choose to disable the application so that traffic matched to the application signature continues to be classified as web-browsing traffic and is allowed.

Enable an application: Select a disabled application and Enable the application so that it can be enforced according to your configured security policies.

Import an application: To import an application, click Import. Browse to select the file, and select the target virtual system from the Destination drop-down.

Export an application: To export an application, select this option for the application and click Export. Follow the prompts to save the file.

Assess policy impact after installing a new content release: Review Policies to assess the policy-based enforcement for applications before and after installing a content release version. Use the Policy Review dialog to review policy impact for new applications included in a downloaded content release version. The Policy Review dialog allows you to add or remove a pending application (an application that is downloaded with a content release version but is not installed on the firewall) to or from an existing Security policy rule; policy changes for pending applications do not take effect until the corresponding content release version is installed. You can also access the Policy Review dialog when downloading and installing content release versions on the Device > Dynamic Updates page.

Tag an application: A predefined tag named sanctioned is available for you to tag SaaS applications. While a SaaS application is an application that is identified as SaaS=yes in the details on application characteristics, you can use the sanctioned tag on any application.
Select an application, click Tag Application, and, from the drop-down, select the predefined Sanctioned tag to identify any application that you want to explicitly allow on your network. When you then generate the SaaS Application Usage Report (see Monitor > PDF Reports > SaaS Application Usage), you can compare statistics on the applications that you have sanctioned versus unsanctioned SaaS applications that are being used on your network.
When you tag an application as sanctioned, the following restrictions apply:
- The sanctioned tag cannot be applied to an application group.
- The sanctioned tag cannot be applied at the Shared level; you can tag an application only per device group or per virtual system.
- The sanctioned tag cannot be used to tag applications included in a container app, such as facebook-mail, which is part of the facebook container app.
You can also Remove tag or Override tag. The override option is only available on a firewall that has inherited settings from a device group pushed from Panorama.


Defining Applications

Select Objects > Applications to Add a new custom application for the firewall to evaluate when applying policies.

New Application Settings   Description

Configuration Tab

Name: Enter the application name (up to 31 characters). This name appears in the applications list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, periods, hyphens, and underscores. The first character must be a letter.

Shared: Select this option if you want the application to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the application will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the application will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this application object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Description: Enter a description of the application for general reference (up to 255 characters).

Category: Select the application category, such as email or database. The category is used to generate the Top Ten Application Categories chart and is available for filtering (refer to ACC).

Subcategory: Select the application subcategory, such as email or database. The subcategory is used to generate the Top Ten Application Categories chart and is available for filtering (refer to ACC).

Technology: Select the technology for the application.

Parent App: Specify a parent application for this application. This setting applies when a session matches both the parent and the custom applications; however, the custom application is reported because it is more specific.

Risk: Select the risk level associated with this application (1=lowest to 5=highest).

Characteristics: Select the application characteristics that may place the application at risk. For a description of each characteristic, refer to Characteristics.


Advanced Tab

Port: If the protocol used by the application is TCP and/or UDP, select Port and enter one or more combinations of the protocol and port number (one entry per line). The general format is:
<protocol>/<port>
where the <port> is a single port number, or dynamic for dynamic port assignment.
Examples: TCP/dynamic or UDP/32.
This setting applies when using app-default in the Service column of a Security rule.

IP Protocol: To specify an IP protocol other than TCP or UDP, select IP Protocol, and enter the protocol number (1 to 255).

ICMP Type: To specify an Internet Control Message Protocol version 4 (ICMP) type, select ICMP Type and enter the type number (range is 0-255).

ICMP6 Type: To specify an Internet Control Message Protocol version 6 (ICMPv6) type, select ICMP6 Type and enter the type number (range is 0-255).

None: To specify signatures independent of protocol, select None.

Timeout: Enter the number of seconds before an idle application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used. This value is used for protocols other than TCP and UDP in all cases, and for TCP and UDP timeouts when the TCP timeout and UDP timeout are not specified.

TCP Timeout: Enter the number of seconds before an idle TCP application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used.

UDP Timeout: Enter the number of seconds before an idle UDP application flow is terminated (range is 0-604800 seconds). A zero indicates that the default timeout of the application will be used.

TCP Half Closed: Enter the maximum length of time that a session remains in the session table between receiving the first FIN and receiving the second FIN or RST. If the timer expires, the session is closed.
Default: If this timer is not configured at the application level, the global setting is used (range is 1-604800 seconds).
If this value is configured at the application level, it overrides the global TCP Half Closed setting.

TCP Time Wait: Enter the maximum length of time that a session remains in the session table after receiving the second FIN or an RST. If the timer expires, the session is closed.
Default: If this timer is not configured at the application level, the global setting is used (range is 1-600 seconds).
If this value is configured at the application level, it overrides the global TCP Time Wait setting.

Scanning: Select the scanning types that you want to allow based on Security Profiles (file types, data patterns, and viruses).


Signature Tab

Signatures: Click Add to add a new signature, and specify the following information:
- Signature Name: Enter a name to identify the signature.
- Comment: Enter an optional description.
- Scope: Select whether to apply this signature only to the current Transaction or to the full user Session.
- Ordered Condition Match: Select if the order in which signature conditions are defined is important.
Specify the conditions that identify the signature. These conditions are used to generate the signature that the firewall uses to match the application patterns and control traffic:
- To add a condition, select Add AND Condition or Add OR Condition. To add a condition within a group, select the group and then click Add Condition.
- Select an Operator from the drop-down. The options are Pattern Match, Greater Than, Less Than, and Equal To. Then specify the following options:
  (For Pattern Match only)
  - Context: Select from the available contexts. These contexts are updated using dynamic content updates.
  - Pattern: Specify a regular expression to specify unique string context values that apply to the custom application. Perform a packet capture to identify the context. See Pattern Rules Syntax for pattern rules for regular expressions.
  (For Greater Than, Less Than)
  - Context: Select from the available contexts. These contexts are updated using dynamic content updates.
  - Value: Specify a value to match on (range is 0-4294967295).
  - Qualifier and Value (Optional): Add qualifier/value pairs.
  (For Equal To only)
  - Context: Select from unknown requests and responses for TCP or UDP (for example, unknown-req-tcp) or additional contexts that are available through dynamic content updates (for example, dnp3-req-func-code).
  For unknown requests and responses for TCP or UDP, specify:
  - Position: Select between the first four or second four bytes in the payload.
  - Mask: Specify a 4-byte hex value, for example, 0xffffff00.
  - Value: Specify a 4-byte hex value, for example, 0xaabbccdd.
  For all other contexts, specify a Value that is pertinent to the application.
- To move a condition within a group, select the condition and Move Up or Move Down. To move a group, select the group and Move Up or Move Down. You cannot move conditions from one group to another.

It is not required to specify signatures for the application if the application is used only for application override rules.
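
The condition model of the Signature tab (AND/OR groups, Ordered Condition Match, and the Equal To operator on the unknown-req-tcp context with Position, Mask and Value) can be exercised against a captured payload. This is an added Python example, not the firewall's matching engine: the payload and the protocol it imitates are constructed, the context names are taken from the text above, and the ordered-match semantics (each AND condition must match after the one before it) are this example's reading of the guide.

```python
import re
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class EqualTo:
    """Equal To operator on unknown-req-tcp / unknown-req-udp: compare the
    first or second four payload bytes, under a 4-byte mask, with a value."""
    position: str   # "first-4" or "second-4"
    mask: int       # e.g. 0xffffff00
    value: int      # e.g. 0xaabbccdd

    def find(self, payload: bytes, start: int = 0) -> int:
        """Return the offset just past the compared bytes, or -1 on no match."""
        offset = 0 if self.position == "first-4" else 4
        window = payload[offset:offset + 4]
        if offset < start or len(window) < 4:
            return -1
        word = int.from_bytes(window, "big")
        return offset + 4 if (word & self.mask) == (self.value & self.mask) else -1


@dataclass
class PatternMatch:
    """Pattern Match operator: a regular expression over the chosen context."""
    context: str    # context name as shown in the UI, e.g. "unknown-req-tcp"
    pattern: str

    def find(self, payload: bytes, start: int = 0) -> int:
        match = re.compile(self.pattern.encode()).search(payload, start)
        return match.end() if match else -1


@dataclass
class Group:
    """An AND or OR condition group. With ordered=True (Ordered Condition
    Match), each AND condition must match after the previous one."""
    op: str
    conditions: List[Union["Group", EqualTo, PatternMatch]] = field(default_factory=list)
    ordered: bool = False

    def find(self, payload: bytes, start: int = 0) -> int:
        if self.op == "OR":
            hits = [e for e in (c.find(payload, start) for c in self.conditions) if e >= 0]
            return min(hits) if hits else -1
        cursor, last_end = start, start
        for cond in self.conditions:
            end = cond.find(payload, cursor)
            if end < 0:
                return -1
            last_end = max(last_end, end)
            if self.ordered:
                cursor = end      # the next condition must match after this one
        return last_end


def signature_matches(signature: Group, payload: bytes) -> bool:
    return signature.find(payload) >= 0


# Constructed payload of a made-up protocol: a 4-byte magic header whose last
# byte is a version number, followed by a text banner.
SAMPLE_PAYLOAD = b"\xaa\xbb\xcc\x01HELLO custom-proto/1.0\r\n"

# Mask out the version byte, as the guide's 0xffffff00 example does.
MAGIC = EqualTo(position="first-4", mask=0xffffff00, value=0xaabbccdd)
BANNER = PatternMatch(context="unknown-req-tcp", pattern=r"custom-proto/1\.0")

ORDERED_SIG = Group("AND", [MAGIC, BANNER], ordered=True)
REVERSED_SIG = Group("AND", [BANNER, MAGIC], ordered=True)   # conditions in the wrong order
UNORDERED_SIG = Group("AND", [BANNER, MAGIC])                 # order does not matter

if __name__ == "__main__":
    for name, sig in (("ordered", ORDERED_SIG), ("reversed", REVERSED_SIG),
                      ("unordered", UNORDERED_SIG)):
        print(name, signature_matches(sig, SAMPLE_PAYLOAD))
```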


Objects > Application Groups

To simplify the creation of security policies, applications requiring the same security settings can be combined by creating an application group. (To define a new application, refer to Defining Applications.)

New Application Group Settings   Description

Name: Enter a name that describes the application group (up to 31 characters). This name appears in the application list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the application group to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the application group will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the application group will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this application group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Applications: Click Add and select applications, application filters, and/or other application groups to be included in this group.


Objects > Application Filters

Application filters help to simplify repeated searches. To define an application filter, Add and enter a name for your new filter. In the upper area of the window, click an item that you want to use as a basis for filtering. For example, to restrict the list to the Collaboration category, click collaboration.

To filter on additional columns, select an entry in the columns. The filtering is successive: category filters are applied first, followed by subcategory filters, technology filters, risk filters, and then characteristic filters. As you select filters, the list of applications that displays on the page is automatically updated.


Objects > Services

When you define security policies for specific applications, you can select one or more services to limit the port numbers the applications can use. The default service is any, which allows all TCP and UDP ports. The HTTP and HTTPS services are predefined, but you can add additional service definitions. Services that are often assigned together can be combined into service groups to simplify the creation of security policies (refer to Objects > Service Groups).
The following table describes the service settings:

Service Settings   Description

Name: Enter the service name (up to 63 characters). This name appears in the services list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the service (up to 255 characters).

Shared: Select this option if you want the service object to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the service object will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the service object will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this service object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Protocol: Select the protocol used by the service (TCP or UDP).

Destination Port: Enter the destination port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Multiple ports or ranges must be separated by commas. The destination port is required.

Source Port: Enter the source port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Multiple ports or ranges must be separated by commas. The source port is optional.
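
The port syntax described for the Port field of a custom application (Advanced tab, under Defining Applications above) and for the Destination Port and Source Port fields of a service object can be checked with a small parser and matcher. This is an added Python example, not PAN-OS code: the service objects and flows are constructed, and the way app-default is modelled (a flow must use one of the application's standard ports, with dynamic meaning any port on that protocol) follows the description in the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRanges = List[Tuple[int, int]]   # inclusive (low, high) pairs


def parse_port_spec(spec: str) -> PortRanges:
    """Parse a Destination/Source Port field such as '80,443,8000-8080'.

    Entries are single ports or port1-port2 ranges, comma separated, each
    within 0-65535. Raises ValueError on anything else.
    """
    ranges: PortRanges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        low_s, sep, high_s = item.partition("-")
        low = int(low_s)
        high = int(high_s) if sep else low
        if not (0 <= low <= high <= 65535):
            raise ValueError(f"port entry out of range: {item}")
        ranges.append((low, high))
    return ranges


def is_valid_port_spec(spec: str) -> bool:
    """True if the field value would be accepted by parse_port_spec."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def port_in(port: int, ranges: PortRanges) -> bool:
    return any(low <= port <= high for low, high in ranges)


@dataclass
class ServiceObject:
    """A service object: protocol, required destination ports, optional source ports."""
    name: str
    protocol: str                        # "tcp" or "udp"
    destination: PortRanges
    source: Optional[PortRanges] = None  # None: the Source Port field was left empty

    def matches(self, protocol: str, dport: int, sport: int) -> bool:
        if protocol.lower() != self.protocol:
            return False
        if not port_in(dport, self.destination):
            return False
        return self.source is None or port_in(sport, self.source)


def parse_app_ports(port_field: str) -> List[Tuple[str, Optional[int]]]:
    """Parse the Port field of a custom application: one <protocol>/<port> per line.

    <port> is a single number or 'dynamic'; 'dynamic' is stored as None.
    """
    entries: List[Tuple[str, Optional[int]]] = []
    for line in port_field.splitlines():
        line = line.strip()
        if not line:
            continue
        proto, sep, port = line.partition("/")
        proto = proto.lower()
        if not sep or proto not in ("tcp", "udp"):
            raise ValueError(f"bad port entry: {line}")
        if port.lower() == "dynamic":
            entries.append((proto, None))
        else:
            number = int(port)
            if not 0 <= number <= 65535:
                raise ValueError(f"port out of range: {line}")
            entries.append((proto, number))
    return entries


def app_default_allows(app_ports: List[Tuple[str, Optional[int]]],
                       protocol: str, dport: int) -> bool:
    """Service column set to app-default: the flow must use one of the
    application's standard ports; a 'dynamic' entry allows any port on that protocol."""
    protocol = protocol.lower()
    return any(p == protocol and (port is None or port == dport)
               for p, port in app_ports)
```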


Objects > Service Groups

To simplify the creation of security policies, you can combine services that have the same security settings into service groups. To define new services, refer to Objects > Services.
The following table describes the service group settings:

Service Group Settings   Description

Name: Enter the service group name (up to 63 characters). This name appears in the services list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the service group to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the service group will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the service group will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this service group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Service: Click Add to add services to the group. Select from the drop-down or click Service at the bottom of the drop-down and specify the settings. Refer to Objects > Services for a description of the settings.


Objects > Tags

Tags allow you to group objects using keywords or phrases. Tags can be applied to address objects, address groups (static and dynamic), zones, services, service groups, and to policy rules. You can use a tag to sort or filter objects, and to visually distinguish objects because they can have color. When a color is applied to a tag, the Policy tab displays the object with a background color.
A predefined tag named Sanctioned is available for tagging applications (Objects > Applications). These tags are required for accurate Monitor > PDF Reports > SaaS Application Usage reporting.

What do you want to know?   See:

How do I create tags?   Create Tags
What is the tag browser?   Use the Tag Browser
Search for rules that are tagged. Group rules using tags. View tags used in policy. Apply tags to policy.   Manage Tags

Looking for more? See Policy.

Create Tags

Select Objects > Tags to create a tag, assign a color, delete, rename, and clone tags. Each object can have up to 64 tags; when an object has multiple tags, it displays the color of the first tag applied to it.
On the firewall, the Objects > Tags tab displays the tags that you define locally on the firewall or push from Panorama to the firewall; on Panorama, it displays the tags that you define on Panorama. This tab does not display the tags that are dynamically retrieved from the VM Information sources defined on the firewall for forming dynamic address groups, or tags that are defined using the XML API.
When you create a new tag, the tag is automatically created in the Virtual System or Device Group that is currently selected on the firewall or Panorama.

Tag Settings   Description

Name: Enter a unique tag name (up to 127 characters). The name is not case-sensitive.

Shared: Select this option if you want the tag to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the tag will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the tag will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this tag in device groups that inherit the tag. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the tag.


Color: Select a color from the color palette in the drop-down. The default value is None.

Comments: Add a label or description to remind you what the tag is used for.

- Add a tag: To add a new tag, click Add and then fill in the fields described in the table above. You can also create a new tag when you create or edit policy in the Policies tab. The tag is automatically created in the Device Group or Virtual System that is currently selected.
- Edit a tag: To edit, rename, or assign a color to a tag, click the tag name that displays as a link and modify the settings.
- Delete a tag: To delete a tag, click Delete and select the tag in the window. You cannot delete a predefined tag.
- Move or Clone a tag: The options to move or clone a tag allow you to copy a tag or move a tag to a different Device Group or Virtual System on firewalls with multiple virtual systems enabled. Click Clone or Move and select the tag in the window. Select the Destination location (Device Group or Virtual System) for the tag. Clear the selection for Error out on first detected error in validation if you want the validation process to discover all the errors for the object before displaying the errors. By default, this option is enabled and the validation process stops when the first error is detected and only displays that error.
- Override or Revert a tag (Panorama only): The Override option is available if you have not selected the Disable override option when creating the tag. It allows you to override the color assigned to the tag that was inherited from a shared or ancestor device group. The Location field displays the current device group. You can also select Disable override to disable further overrides.
  To undo the changes on a tag, click Revert. When you revert a tag, the Location field displays the device group or virtual system from where the tag was inherited.

Use the Tag Browser

Policies > Rulebase (Security, NAT, QoS...)
The tag browser presents a summary of all the tags used within a rulebase (policy set). It allows you to see a list of all the tags and the order in which they are listed in the rulebase.
You can sort, browse, search, and filter for a specific tag, or view only the first tag applied to each rule in the rulebase.
The following table describes the options in the tag browser:

Use the Tag Browser   Description

Tag (#): Displays the label and the rule number or range of numbers in which the tag is used contiguously.
Hover over the label to see the location where the rule was defined. The location can be inherited from the Shared location, a device group, or a virtual system.

Rule: Lists the rule number or range of numbers associated with the tags.


Filter by first tag in rule: Displays only the first tag applied to each rule in the rulebase, when selected. This view is particularly useful if you want to narrow the list and view related rules that might be spread around the rulebase. For example, if the first tag in each rule denotes its function (administration, web access, data center access, proxy), you can narrow the result and scan the rules based on function.

Rule Order: Sorts the tags in the order of appearance within the selected rulebase. When displayed in order of appearance, tags used in contiguous rules are grouped together. The rule number with which the tag is associated is displayed along with the tag name.

Alphabetical: Sorts the tags in alphabetical order within the selected rulebase. The display lists the tag name, color (if a color is assigned), and the number of times it is used within the rulebase.
The label None represents rules without any tags; it does not display rule numbers for untagged rules. When you select None, the right pane is filtered to display rules that have no tags assigned to them.

Clear: Clears the filter on the currently selected tags in the search bar.

Search bar: Allows you to search for a tag; enter the term and click the green arrow to apply the filter.
It also displays the total number of tags in the rulebase and the number of selected tags.

For other actions, see Manage Tags.

Manage Tags

The following table lists the actions that you can perform using the tag browser.

Manage Tags

Tag a rule.
1. Select a rule on the right pane.
2. Do one of the following:
   - Select a tag in the tag browser and, from the drop-down, select Apply the Tag to the Selection(s).
   - Drag and drop tags from the tag browser onto the tag column of the rule. When you drop the tags, a confirmation dialog displays.

View the currently selected tags.
1. Select one or more tags in the tag browser. The tags are filtered using an OR operator.
2. The right pane updates to display the rules that have any of the selected tags.
3. To view the currently selected tags, hover over the Clear label in the tag browser.


View rules that match the selected tags. You can filter rules based on tags with an AND or an OR operator.
- OR filter: To view rules that have specific tags, select one or more tags in the tag browser. The right pane will display only the rules that include the currently selected tags.
- AND filter: To view rules that have all the selected tags, hover over the number in the Rule column of the tag browser and select Filter in the drop-down. Repeat to add more tags. Click the icon in the search bar on the right pane. The results are displayed using an AND operator.

Untag a rule.
Hover over the rule number in the Rule column of the tag browser and select Untag Rule(s) in the drop-down. Confirm that you want to remove the selected tag from the rule.

Reorder a rule using tags.
Select one or more tags, hover over the rule number in the Rule column of the tag browser, and select Move Rule(s) in the drop-down.
Select a tag from the drop-down in the move rule window and select whether you want to Move Before or Move After the tag selected in the drop-down.

Add a new rule that applies the selected tags.
Select one or more tags, hover over the rule number in the Rule column of the tag browser, and select Add New Rule in the drop-down.
The numerical order of the new rule varies by whether you selected a rule on the right pane. If no rule was selected on the right pane, the new rule will be added after the rule to which the selected tag(s) belong. Otherwise, the new rule is added after the selected rule.

Search for a tag.
In the tag browser, enter the first few letters of the tag name you want to search for and click the search icon to display the tags that match your input.


Objects > External Dynamic Lists

An external dynamic list is an address object based on an imported list of IP addresses, URLs, or domain names that you can use in policy rules to block or allow traffic. This list must be a text file saved to a web server that is accessible by the firewall. The firewall uses the management (MGT) interface by default to retrieve this list.
With an active Threat Prevention license, Palo Alto Networks provides two Dynamic IP Lists: Palo Alto Networks High-risk IP addresses and Palo Alto Networks Known malicious IP addresses. These feeds both contain malicious IP address entries, which you can use to block traffic from malicious hosts. The firewall receives daily updates for these feeds through antivirus content updates.
You can use an IP address list as an address object in the source and destination of your policy rules; you can use a URL list in Objects > Security Profiles > URL Filtering or as a match criterion in Security policy rules; and you can use a domain list in Objects > Security Profiles > Anti-Spyware Profile for sinkholing specified domain names.
On each firewall model, you can use up to 30 external dynamic lists with unique sources across all Security policy rules. The maximum number of entries that the firewall supports for each list type varies based on the firewall model (view the different firewall limits for each external dynamic list type). List entries only count toward the maximum limit if the external dynamic list is used in policy. If you exceed the maximum number of entries that are supported on a model, the firewall generates a System log and skips the entries that exceed the limit. To check the number of IP addresses, domains, and URLs currently used in policy and the total number supported on the firewall, click List Capacities (firewall only).
To retrieve the latest version of the external dynamic list from the server that hosts it, select an external dynamic list and click Import Now.

You cannot delete, clone, or edit the settings of the Palo Alto Networks malicious IP address feeds.

Click Add to create a new external dynamic list and configure the settings described in the table below.

External Dynamic List Settings   Description

Name: Enter a name to identify the external dynamic list (up to 32 characters). This name identifies the list when you use the list to enforce policy.

Shared: Select this option if you want the external dynamic list to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the external dynamic list will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the external dynamic list will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this external dynamic list object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.


Test Source URL (firewall only): Click to verify that the firewall can connect to the server that hosts the external dynamic list.
This test does not check whether the server authenticates successfully.

Create List Tab

Type: Select from the following types of external dynamic lists:
- Predefined IP List: Lists of this type use a Palo Alto Networks malicious or high-risk IP address feed as a source of list entries (active Threat Prevention license required).
- IP List: Each list can include IP ranges and IP subnets in the IPv4 and IPv6 address space. The list must contain only one IP address, range, or subnet per line. Example:
  192.168.80.150/32
  2001:db8:123:1::1 or 2001:db8:123:1::/64
  192.168.80.0/24 (this indicates all addresses from 192.168.80.0 through 192.168.80.255)
  2001:db8:123:1::1 - 2001:db8:123:1::22
  A subnet or an IP address range, such as 92.168.20.0/24 or 192.168.20.40-192.168.20.50, counts as one IP address entry and not as multiple IP addresses.
- Domain List: Each list can have only one domain name entry per line. Example:
  www.p301srv03.paloalonetworks.com
  ftp.example.co.uk
  test.domain.net
  For the list of domains included in the External Dynamic List, the firewall creates a set of custom signatures of type spyware and medium severity, so that you can use the sinkhole action for a custom list of domains.
- URL List: Each list can have only one URL entry per line. Example:
  financialtimes.co.in
  www.wallaby.au/joey
  www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
  *.example.com/*
  For each URL list, the default action is set to allow. To edit the default action, see Objects > Security Profiles > URL Filtering.
You cannot mix IP addresses, URLs, and domain names in a single list. Each list must include entries of only one type.

Description: Enter a description for the external dynamic list (up to 255 characters).

Source: Enter an HTTP or HTTPS URL path that contains the text file. For example, http://1.1.1.1/myfile.txt.
If the external dynamic list is a Predefined IP List, select Palo Alto Networks - High risk IP addresses or Palo Alto Networks - Known malicious IP addresses as the list source.


Certificate Profile: If the external dynamic list has an HTTPS URL, select an existing certificate profile (firewall and Panorama) or create a new Certificate Profile (firewall only) for authenticating the web server that hosts the list. For more information on configuring a certificate profile, see Device > Certificate Management > Certificate Profile.
Default: None (Disable Cert profile)
To maximize the number of external dynamic lists that you can use to enforce policy, use the same certificate profile to authenticate external dynamic lists that use the same source URL so that the lists count as only one external dynamic list. External dynamic lists from the same source URL that use different certificate profiles are counted as unique external dynamic lists.

Client Authentication: Select this option (disabled by default) to add a username and password for the firewall to use when accessing an external dynamic list source that requires basic HTTP authentication. This setting is available only when the external dynamic list has an HTTPS URL.
- Username: Enter a valid username to access the list.
- Password/Confirm Password: Enter and confirm the password for the username.

Repeat: Specify the frequency at which the firewall retrieves the list from the web server. You can choose Hourly, Five Minute, Daily, Weekly, or Monthly. At the configured interval, the firewall retrieves the list and automatically commits the changes to the configuration. Any policy rules that reference the list are updated so that the firewall can successfully enforce policy.
You do not have to configure a frequency for a predefined IP list because the firewall dynamically receives content updates with an active Threat Prevention license.

List Entries and Exceptions Tab

List Entries: Displays the entries in the external dynamic list.
- Add an entry as a list exception: Select up to 100 entries and click Submit.
- View an AutoFocus threat intelligence summary for an item: Hover over an entry, click the drop-down, and click AutoFocus. You must have an AutoFocus license and enable AutoFocus threat intelligence on the firewall to view an item summary.
- Check if an IP address, domain, or URL is in the external dynamic list: Enter a value in the filter field and Apply Filter. Clear Filter to go back to viewing the complete list.

Manual Exceptions: Displays exceptions to the external dynamic list.
- Edit an exception: Click on an exception and make your changes.
- Manually enter an exception: Add a new exception manually.
- Remove an exception from the Manual Exceptions list: Select and Delete an exception.
- Check if an IP address, domain, or URL is in the Manual Exceptions list: Enter a value in the filter field and Apply Filter. Clear Filter to go back to viewing the complete list. You cannot save your changes to the external dynamic list if you have duplicate entries in the Manual Exceptions list.


Objects > Custom Objects

Create custom data patterns, vulnerability and spyware signatures, and URL categories to use with policies:
- Objects > Custom Objects > Data Patterns
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category


Objects > Custom Objects > Data Patterns

What are you looking for?
- Create a data pattern: see Data Pattern Settings.
- Learn more about syntax for regular expression data patterns and see some examples: see Syntax for Regular Expression Data Patterns and Regular Expression Data Pattern Examples.

Data Pattern Settings

Select Objects > Custom Objects > Data Patterns to define the categories of sensitive information that you may want to filter. For information on defining data filtering profiles, select Objects > Security Profiles > Data Filtering.
You can create three types of data patterns for the firewall to use when scanning for sensitive information:
- Predefined: Use the predefined data patterns to scan files for social security and credit card numbers.
- Regular Expression: Create custom data patterns using regular expressions.
- File Properties: Scan files for specific file properties and values.

Name: Enter the data pattern name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the data pattern (up to 255 characters).

Shared: Select this option if you want the data pattern to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the data pattern will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the data pattern will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this data pattern object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Pattern Type: Select the type of data pattern you want to create:
- Predefined Pattern
- Regular Expression
- File Properties


Predefined Pattern: Palo Alto Networks provides predefined data patterns to scan for certain types of information in files, for example, for credit card numbers or social security numbers. To configure data filtering based on a predefined pattern, Add a pattern and select the following:
- Name: Select a predefined pattern to use to filter for sensitive data. When you pick a predefined pattern, the Description populates automatically.
- Select the File Type in which you want to detect the predefined pattern.

Regular Expression: Add a custom data pattern. Give the pattern a descriptive Name, set the File Type you want to scan for the data pattern, and enter the regular expression that defines the Data Pattern.
For regular expression data pattern syntax details and examples, see:
- Syntax for Regular Expression Data Patterns
- Regular Expression Data Pattern Examples

File Properties: Build a data pattern to scan for file properties and the associated values. For example, Add a data pattern to filter for Microsoft Word documents and PDFs where the document title includes the words sensitive, internal, or confidential.
- Give the data pattern a descriptive Name.
- Select the File Type that you want to scan.
- Select the File Property that you want to scan for a specific value.
- Enter the Property Value for which you want to scan.

Syntax for Regular Expression Data Patterns

When creating a regular expression data pattern, the following general requirements apply:
- The pattern must have a string of at least seven bytes to match. It can contain more than seven bytes but not fewer.
- The string match may or may not be case-sensitive, depending on which decoder you use. When you need case sensitivity, define patterns for all possible strings to match all variations of a term. For example, to match any documents designated as confidential, you must create a pattern that includes confidential, Confidential, and CONFIDENTIAL.
- The regular expression syntax in PAN-OS is similar to traditional regular expression engines, but every engine is unique. The following describes the pattern rules syntax supported in PAN-OS.

. : Match any single character.

? : Match the preceding character or expression 0 or 1 time. The general expression MUST be inside a pair of parentheses.
Example: (abc)?

* : Match the preceding character or expression 0 or more times. The general expression MUST be inside a pair of parentheses.
Example: (abc)*

+ : Match the preceding character or regular expression one or more times. The general expression MUST be inside a pair of parentheses.
Example: (abc)+

| : Equivalent to "or".
Example: ((bif)|(scr)|(exe)) matches bif, scr or exe.
The alternative substrings must be in parentheses.

- : Used to create range expressions.
Example: [c-z] matches any character between c and z, inclusive.

[] : Match any.
Example: [abz] matches any of the characters a, b, or z.

^ : Match any except.
Example: [^abz] matches any character except a, b, or z.

{} : Min/Max number of bytes.
Example: {10-20} matches any string that is between 10 and 20 bytes. This must be directly in front of a fixed string, and only supports "." (the any-character wildcard).

\ : To perform a literal match on any one of the special characters above, it MUST be escaped by preceding it with a \ (backslash).

&amp : & is a special character, so to look for the & in a string you must use &amp instead.

Regular Expression Data Pattern Examples

The following are examples of valid custom patterns:

.*((Confidential)|(CONFIDENTIAL))
- Looks for the word Confidential or CONFIDENTIAL anywhere.
- .* at the beginning specifies to look anywhere in the stream.
- Depending on the case sensitivity requirements of the decoder, this may not match confidential (all lowercase).

.*((Proprietary &amp Confidential)|(Proprietary and Confidential))
- Looks for either Proprietary & Confidential or Proprietary and Confidential.
- More precise than looking for Confidential.

.*(Press Release).*((Draft)|(DRAFT)|(draft))
- Looks for Press Release followed by various forms of the word draft, which may indicate that the press release isn't ready to be sent outside the company.

.*(Trinidad)
- Looks for a project code name, such as Trinidad.
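To try the syntax above against sample text before committing a data pattern, here is an added example in Python; it is not code from the PAN-OS guide or from Palo Alto Networks. It translates the two constructs that differ from Python's re module (&amp for a literal ampersand, and the {min-max} byte count, which the example assumes applies to the preceding "." wildcard), checks the seven-byte fixed-string requirement with a simple longest-literal-run heuristic, flags a bare &, and runs a pattern against text with the decoder's case sensitivity as a parameter. The pattern set and the sample memo are constructed.

```python
"""Check and test PAN-OS-style regular expression data patterns offline.

Added example, not part of the PAN-OS guide. It translates the syntax in the
table above into Python's re syntax, applies the guide's seven-byte fixed
string rule, and tests patterns against sample content. Case sensitivity is
a parameter because it depends on the decoder. Sample data is constructed.
"""
import re

MIN_FIXED_BYTES = 7  # the guide: at least seven bytes of fixed string to match

# Characters that end a run of fixed (literal) text. Assumption: these are the
# metacharacters from the syntax table; anything else counts as literal.
_META = re.compile(r"[.?*+|()\[\]{}^]")


def to_python_regex(panos_pattern: str) -> str:
    """Translate PAN-OS data-pattern syntax into a Python regular expression."""
    # PAN-OS writes a literal ampersand as &amp because & is special there.
    pattern = panos_pattern.replace("&amp", "&")
    # {min-max} byte counts become Python's {min,max} repetition of the
    # preceding item (assumed to be the "." wildcard, as the table requires).
    return re.sub(r"\{(\d+)-(\d+)\}", r"{\1,\2}", pattern)


def longest_fixed_string(panos_pattern: str) -> int:
    """Approximate length in bytes of the longest run of literal characters.

    Bracket expressions and quantified groups match variable text, so they
    break a run; an escaped metacharacter (\\. and so on) counts as one literal.
    """
    text = re.sub(r"\[[^\]]*\]", "|", panos_pattern)   # [..] is not fixed text
    text = text.replace("&amp", "&")
    text = re.sub(r"\\.", "#", text)                    # escaped char -> 1 literal
    return max((len(run.encode("utf-8")) for run in _META.split(text)), default=0)


def check_pattern(panos_pattern: str) -> list:
    """Return the problems found with a pattern (an empty list means it is acceptable)."""
    problems = []
    fixed = longest_fixed_string(panos_pattern)
    if fixed < MIN_FIXED_BYTES:
        problems.append(f"longest fixed string is {fixed} bytes; {MIN_FIXED_BYTES} required")
    if "&" in panos_pattern.replace("&amp", ""):
        problems.append("bare & found; write &amp instead")
    try:
        re.compile(to_python_regex(panos_pattern))
    except re.error as exc:
        problems.append(f"does not compile: {exc}")
    return problems


def matches(panos_pattern: str, content: str, case_sensitive: bool = True) -> bool:
    """Test a pattern against content. Case sensitivity depends on the decoder."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.search(to_python_regex(panos_pattern), content, flags) is not None


# Constructed patterns: the first follows the guide's example, the rest show
# the checks firing.
PATTERNS = {
    "confidential": ".*((Confidential)|(CONFIDENTIAL))",
    "proprietary": ".*(Proprietary &amp Confidential)",
    "too-short": ".*(Draft)",                  # only 5 fixed bytes
    "bare-ampersand": "Proprietary & Confidential",
}

if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(f"{name:15} {pat!r:45} problems={check_pattern(pat)}")
    memo = "this memo is confidential"        # constructed sample content
    print(matches(PATTERNS["confidential"], memo))                        # False
    print(matches(PATTERNS["confidential"], memo, case_sensitive=False))  # True
```

The last two lines show the decoder caveat from the guide: a case-sensitive decoder does not match the all-lowercase form unless the pattern lists it.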


Objects > Custom Objects > Spyware/Vulnerability

The firewall supports the ability to create custom spyware and vulnerability signatures using the firewall threat engine. You can write custom regular expression patterns to identify spyware phone-home communication or vulnerability exploits. The resulting spyware and vulnerability patterns become available for use in any custom vulnerability profiles. The firewall looks for the custom-defined patterns in network traffic and takes the specified action for the vulnerability exploit.

Weekly content releases periodically include new decoders and contexts for which you can develop signatures.

You can optionally include a time attribute when defining custom signatures by specifying a threshold per interval for triggering possible actions in response to an attack. Action is taken only after the threshold is reached.
Use the Custom Spyware Signature page to define signatures for Anti-Spyware profiles. Use the Custom Vulnerability Signature page to define signatures for Vulnerability Protection profiles.

Custom Vulnerability and Spyware Signature Settings

Configuration Tab

Threat ID: Enter a numeric identifier for the configuration (spyware signatures range is 15000-18000; vulnerability signatures range is 41000-45000).

Name: Specify the threat name.

Shared: Select this option if you want the custom signature to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the custom signature will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the custom signature will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this signature in device groups that inherit the signature. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the signature.

Comment: Enter an optional comment.

Severity: Assign a level that indicates the seriousness of the threat.

Default Action: Assign the default action to take if the threat conditions are met. For a list of actions, see Actions in Security Profiles.

Direction: Indicate whether the threat is assessed from the client to server, server to client, or both.

Affected System: Indicate whether the threat involves the client, server, either, or both. Applies to vulnerability signatures, but not spyware signatures.


CVE: Specify the common vulnerability enumeration (CVE) as an external reference for additional background and analysis.

Vendor: Specify the vendor identifier for the vulnerability as an external reference for additional background and analysis.

Bugtraq: Specify the bugtraq (similar to CVE) as an external reference for additional background and analysis.

Reference: Add any links to additional analysis or background information. The information is shown when a user clicks on the threat from the ACC, logs, or vulnerability profile.


Signatures Tab

Standard Signature: Select Standard and then Add a new signature. Specify the following information:
- Standard: Enter a name to identify the signature.
- Comment: Enter an optional description.
- Ordered Condition Match: Select if the order in which signature conditions are defined is important.
- Scope: Select whether to apply this signature only to the current transaction or to the full user session.
Add a condition by clicking Add Or Condition or Add And Condition. To add a condition within a group, select the group and then click Add Condition.
Add a condition to a signature so that the signature is generated for traffic when the parameters you define for the condition are true. Select an Operator from the drop-down. The operator defines the type of condition that must be true for the custom signature to match to traffic. Choose from Less Than, Equal To, Greater Than, or Pattern Match operators.
When choosing a Pattern Match operator, specify for the following to be true for the signature to match to traffic:
- Context: Select from the available contexts.
- Pattern: Specify a regular expression. See Pattern Rules Syntax for pattern rules for regular expressions.
- Qualifier and Value: Optionally, add qualifier/value pairs.
- Negate: Select Negate so that the custom signature matches to traffic only when the defined Pattern Match condition is not true. This allows you to ensure that the custom signature is not triggered under certain conditions.
A custom signature cannot be created with only Negate conditions; at least one positive condition must be included in order for a negate condition to be specified. Also, if the scope of the signature is set to Session, a Negate condition cannot be configured as the last condition to match to traffic.
You can define exceptions for custom vulnerability or spyware signatures using the new option to negate signature generation when traffic matches both a signature and the exception to the signature. Use this option to allow certain traffic in your network that might otherwise be classified as spyware or a vulnerability exploit. In this case, the signature is generated for traffic that matches the pattern; traffic that matches the pattern but also matches the exception to the pattern is excluded from signature generation and any associated policy action (such as being blocked or dropped). For example, you can define a signature to be generated for redirected URLs; however, you can now also create an exception where the signature is not generated for URLs that redirect to a trusted domain.


When choosing an Equal To, Less Than, or Greater Than operator, specify for the following to be true for the signature to match to traffic:
- Context: Select from unknown requests and responses for TCP or UDP.
- Position: Select between the first four or second four bytes in the payload.
- Mask: Specify a 4-byte hex value, for example, 0xffffff00.
- Value: Specify a 4-byte hex value, for example, 0xaabbccdd.
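As an added example (not code from the guide or from the firewall), the following Python models how a Less Than, Equal To, or Greater Than condition is evaluated against the first or second four bytes of a payload with a Mask and Value, and how an AND group combines such a condition with a negated Pattern Match, including the rule that at least one positive condition is required. The condition dictionary layout, reading the four bytes as a big-endian unsigned integer for the ordered comparisons, and the payload itself are assumptions and constructed data for this example.

```python
"""Evaluate Less Than / Equal To / Greater Than signature conditions offline.

Added example, not code from the PAN-OS guide. It models the Position, Mask
and Value fields described above: take the first or second four bytes of an
unknown-TCP or unknown-UDP payload, AND them with the 4-byte mask, and
compare the result with the 4-byte value. It also applies the Negate rules
from the Standard Signature description. Reading the four bytes as a
big-endian unsigned integer is an assumption, as is the condition layout;
the payload is constructed.
"""
import operator
import re
from typing import Optional

OPERATORS = {
    "equal-to": operator.eq,
    "less-than": operator.lt,
    "greater-than": operator.gt,
}

# Position field: offset of the four payload bytes the condition inspects.
POSITIONS = {"first-4-bytes": 0, "second-4-bytes": 4}


def payload_word(payload: bytes, position: str) -> Optional[int]:
    """Return the selected four payload bytes as an integer, or None if too short."""
    start = POSITIONS[position]
    chunk = payload[start:start + 4]
    if len(chunk) < 4:
        return None          # a short payload cannot satisfy a 4-byte condition
    return int.from_bytes(chunk, "big")


def mask_value_matches(payload: bytes, position: str, op: str, mask: int, value: int) -> bool:
    """True when (selected bytes & mask) <op> value, as configured in the editor."""
    word = payload_word(payload, position)
    if word is None:
        return False
    return OPERATORS[op](word & (mask & 0xFFFFFFFF), value & 0xFFFFFFFF)


def and_group_matches(payload: bytes, conditions: list) -> bool:
    """Evaluate an AND group: every condition must hold.

    A condition is a dict with "type" "mask-value" (keys position, operator,
    mask, value) or "pattern" (key pattern, a regular expression applied to
    the payload bytes), plus an optional "negate" flag on pattern conditions.
    """
    if all(c.get("negate", False) for c in conditions):
        raise ValueError("a signature needs at least one positive (non-negated) condition")
    for cond in conditions:
        if cond["type"] == "mask-value":
            hit = mask_value_matches(payload, cond["position"], cond["operator"],
                                     cond["mask"], cond["value"])
        elif cond["type"] == "pattern":
            hit = re.search(cond["pattern"].encode(), payload) is not None
        else:
            raise ValueError(f"unknown condition type {cond['type']!r}")
        if cond.get("negate", False):
            hit = not hit    # Negate: match only when the pattern is NOT present
        if not hit:
            return False
    return True


# Constructed payload: a 4-byte header word, a 4-byte length field, then text.
PAYLOAD = bytes.fromhex("aabbcc01") + bytes.fromhex("00000010") + b"HELLO-CONSTRUCTED"

if __name__ == "__main__":
    # Header word with its low byte masked off equals 0xaabbcc00.
    print(mask_value_matches(PAYLOAD, "first-4-bytes", "equal-to", 0xFFFFFF00, 0xAABBCC00))
    # Length field 0x10 is less than 0x20.
    print(mask_value_matches(PAYLOAD, "second-4-bytes", "less-than", 0xFFFFFFFF, 0x20))
```

The mask is what lets one condition ignore a version or flag byte inside the 4-byte word, which is why the guide's example mask 0xffffff00 clears only the last byte.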

Combination Signature: Select Combination and specify the following information:
Select Combination Signatures to specify conditions that define signatures:
- Add a condition by clicking Add AND Condition or Add OR Condition. To add a condition within a group, select the group and then click Add Condition.
- To move a condition within a group, select the condition and click Move Up or Move Down. To move a group, select the group and click Move Up or Move Down. You cannot move conditions from one group to another.
Select Time Attribute to specify the following information:
- Number of Hits: Specify the threshold that will trigger any policy-based action as a number of hits (1-1000) in a specified number of seconds (1-3600).
- Aggregation Criteria: Specify whether the hits are tracked by source IP address, destination IP address, or a combination of source and destination IP addresses.
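The Time Attribute above is easiest to understand by replaying hits through it. The following is an added example (not code from the guide or the firewall) that counts signature hits per aggregation key and reports when the Number of Hits threshold is reached within the interval, for each of the three Aggregation Criteria. Counting with a sliding window ending at the current hit is an assumption about how the firewall counts; the hit records are constructed.

```python
"""Apply a combination signature's Time Attribute to a stream of signature hits.

Added example, not code from the PAN-OS guide. It models the Number of Hits
threshold (hits within a number of seconds) and the Aggregation Criteria
(source IP, destination IP, or source-and-destination pair): the action
fires only once the threshold is reached within the interval for one key.
A sliding window is an assumption; the hit records below are constructed.
"""
from collections import defaultdict, deque

# Aggregation Criteria: which fields of a hit identify the counter to increment.
AGGREGATION = {
    "source": lambda hit: (hit["src"],),
    "destination": lambda hit: (hit["dst"],),
    "source-and-destination": lambda hit: (hit["src"], hit["dst"]),
}


class TimeAttribute:
    """Threshold of number_of_hits within interval_seconds per aggregation key."""

    def __init__(self, number_of_hits: int, interval_seconds: int, aggregation: str):
        if not 1 <= number_of_hits <= 1000:          # range from the guide
            raise ValueError("Number of Hits must be 1-1000")
        if not 1 <= interval_seconds <= 3600:        # range from the guide
            raise ValueError("interval must be 1-3600 seconds")
        self.threshold = number_of_hits
        self.interval = interval_seconds
        self.key_of = AGGREGATION[aggregation]
        self._windows = defaultdict(deque)           # key -> timestamps in window

    def record(self, hit: dict) -> bool:
        """Count one hit; return True if its key has reached the threshold."""
        window = self._windows[self.key_of(hit)]
        window.append(hit["ts"])
        # Forget hits that fell out of the interval ending at this hit.
        while hit["ts"] - window[0] >= self.interval:
            window.popleft()
        return len(window) >= self.threshold


def triggered_keys(hits: list, attr: TimeAttribute) -> list:
    """Replay hits in time order; return the keys that cross the threshold, in order."""
    fired = []
    for hit in sorted(hits, key=lambda h: h["ts"]):
        if attr.record(hit):
            key = attr.key_of(hit)
            if key not in fired:
                fired.append(key)
    return fired


# Constructed hits: 10.0.0.5 triggers a signature four times in six seconds
# against two destinations; 10.0.0.9 triggers it three times, 30 s apart.
HITS = [
    {"ts": 0, "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"ts": 2, "src": "10.0.0.5", "dst": "192.0.2.10"},
    {"ts": 4, "src": "10.0.0.5", "dst": "192.0.2.11"},
    {"ts": 6, "src": "10.0.0.5", "dst": "192.0.2.11"},
    {"ts": 0, "src": "10.0.0.9", "dst": "192.0.2.10"},
    {"ts": 30, "src": "10.0.0.9", "dst": "192.0.2.10"},
    {"ts": 60, "src": "10.0.0.9", "dst": "192.0.2.10"},
]

if __name__ == "__main__":
    # 3 hits in 10 s: fires for 10.0.0.5 by source, for 192.0.2.10 by
    # destination, and for no key by source-and-destination pair.
    for agg in AGGREGATION:
        print(agg, triggered_keys(HITS, TimeAttribute(3, 10, agg)))
```

The same hits cross the threshold or not depending only on the aggregation key, which is the practical consequence of the Aggregation Criteria choice: a source spreading hits over several destinations is caught by source aggregation but not by pair aggregation.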


Objects > Custom Objects > URL Category

Use the custom URL category page to create your custom list of URLs and use it in a URL filtering profile or as match criteria in policy rules. In a custom URL category, you can add URL entries individually, or import a text file that contains a list of URLs.

URL entries added to custom categories are case-insensitive.

The following describes the custom URL category settings:

Name: Enter a name to identify the custom URL category (up to 31 characters). This name displays in the category list when defining URL filtering policies and in the match criteria for URL categories in policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the URL category (up to 255 characters).

Shared: Select this option if you want the URL category to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the URL category will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the URL category will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this custom URL object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Sites:
- Add: Click Add to enter URLs, only one in each row. Each URL can be in the format www.example.com or can include wildcards, such as *.example.com. For additional information on formats supported, see Block List in Objects > Security Profiles > URL Filtering.
- Import: Click Import and browse to select the text file that contains the list of URLs. Enter only one URL per row. Each URL can be in the format www.example.com or can include wildcards, such as *.example.com. For additional information on formats supported, see Block List in Objects > Security Profiles > URL Filtering.
- Export: Click Export to export the custom URL entries included in the list. The URLs are exported as a text file.
- Delete: Select an entry and click Delete to remove the URL from the list.
To delete a custom category that you have used in a URL filtering profile, you must set the action to None before you can delete the custom category. See Category actions in Objects > Security Profiles > URL Filtering.
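To see how the two entry forms named above behave with the case-insensitive matching the page describes, here is an added example in Python; it is not code from the guide or from the firewall, which applies the fuller format rules referenced under Block List. It reads a list in the import layout (one entry per row), drops duplicates and blank rows, and matches hostnames against exact entries such as www.example.com and wildcard entries such as *.example.com. Treating *.example.com as matching hosts that end in .example.com but not example.com itself is an assumption of this example, and the list and URLs are constructed.

```python
"""Match hostnames against a custom URL category list offline.

Added example, not code from the PAN-OS guide. It covers the two entry forms
the page names (exact host and *.example.com wildcard) and the case-
insensitive matching the page states. Whether a wildcard also matches the
bare domain is an assumption here (it does not); the list is constructed.
"""
from urllib.parse import urlsplit

# Constructed import file: one URL per row, mixed case, one duplicate.
SAMPLE_LIST = """\
www.example.com
*.example.net
Internal.Example.org
www.example.com
"""


def load_entries(text: str) -> list:
    """One entry per row, lowercased; blank rows and duplicates are dropped."""
    entries = []
    for line in text.splitlines():
        entry = line.strip().lower()
        if entry and entry not in entries:
            entries.append(entry)
    return entries


def hostname_of(url: str) -> str:
    """Extract the host from a URL or a bare hostname, lowercased."""
    if "://" not in url:
        url = "http://" + url          # bare hostnames need a scheme for urlsplit
    return (urlsplit(url).hostname or "").lower()


def entry_matches(entry: str, host: str) -> bool:
    """Exact entries match the host; *.domain entries match hosts below domain."""
    if entry.startswith("*."):
        return host.endswith(entry[1:])   # keeps the leading dot: subdomains only
    return host == entry


def category_matches(entries: list, url: str) -> bool:
    """True when any entry of the custom category matches the URL's host."""
    host = hostname_of(url)
    return any(entry_matches(entry, host) for entry in entries)


if __name__ == "__main__":
    entries = load_entries(SAMPLE_LIST)
    for url in ("https://WWW.Example.COM/path", "http://mail.example.net/",
                "http://example.net/", "http://notexample.net/"):
        print(f"{url:35} {category_matches(entries, url)}")
```

Keeping the leading dot in the wildcard suffix is the detail that stops *.example.net from also matching notexample.net.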


Objects > Security Profiles

Security profiles provide threat protection in Security policy. Each Security policy rule can include one or more Security Profiles. The following are available profile types:
- Antivirus profiles to protect against worms, viruses, and trojans and to block spyware downloads. See Objects > Security Profiles > Antivirus.
- Anti-Spyware profiles to block attempts from spyware on compromised hosts trying to phone home or beacon out to external command-and-control (C2) servers. See Objects > Security Profiles > Anti-Spyware Profile.
- Vulnerability protection profiles to stop attempts to exploit system flaws or gain unauthorized access to systems. See Objects > Security Profiles > Vulnerability Protection.
- URL filtering profiles to restrict users' access to specific websites and/or website categories, such as shopping or gambling. See Objects > Security Profiles > URL Filtering.
- File blocking profiles to block selected file types, and in the specified session flow direction (inbound/outbound/both). See Objects > Security Profiles > File Blocking.
- WildFire analysis profiles to specify for file analysis to be performed locally on the WildFire appliance or in the WildFire cloud. See Objects > Security Profiles > WildFire Analysis.
- Data filtering profiles that help prevent sensitive information such as credit card or social security numbers from leaving a protected network. See Objects > Security Profiles > Data Filtering.
- DoS Protection profiles are used with DoS Protection policy rules to protect the firewall from high-volume single-session and multiple-session attacks. See Objects > Security Profiles > DoS Protection.
In addition to individual profiles, you can combine profiles that are often applied together, and create Security Profile groups (Objects > Security Profile Groups).

Actions in Security Profiles

The action specifies how the firewall responds to a threat event. Every threat or virus signature that is defined by Palo Alto Networks includes a default action, which is typically either set to Alert, which informs you using the option you have enabled for notification, or to Reset Both, which resets both sides of the connection. However, you can define or override the action on the firewall. The following actions are applicable when defining Antivirus profiles, Anti-Spyware profiles, Vulnerability Protection profiles, custom spyware objects, custom vulnerability objects, or DoS Protection profiles.

Default: Takes the default action that is specified internally for each threat signature. For antivirus profiles, it takes the default action for the virus signature. For DoS Protection profiles, the default action is Random Early Drop.

Allow: Permits the application traffic.

Alert: Generates an alert for each application traffic flow. The alert is saved in the threat log. For DoS Protection profiles, generates an alert when attack volume (cps) reaches the Alarm threshold set in the profile.

Drop: Drops the application traffic.

Reset Client: For TCP, resets the client-side connection. For UDP, the connection is dropped.

Reset Server: For TCP, resets the server-side connection. For UDP, the connection is dropped.

Reset Both: For TCP, resets the connection on both client and server ends. For UDP, the connection is dropped.

Block IP: Blocks traffic from either a source or a source-destination pair; configurable for a specified period of time.

Sinkhole: This action directs DNS queries for malicious domains to a sinkhole IP address. The action is available for Palo Alto Networks DNS signatures and for custom domains included in Objects > External Dynamic Lists.

Random Early Drop: Causes the firewall to randomly drop packets when connections per second reach the Activate Rate threshold in a DoS Protection profile applied to a DoS Protection rule.

SYN Cookies: Causes the firewall to generate SYN cookies to authenticate a SYN from a client when connections per second reach the Activate Rate threshold in a DoS Protection profile applied to a DoS Protection rule.

You cannot delete a profile that is used in a policy rule; you must first remove the profile from the policy rule.


Objects > Security Profiles > Antivirus

Use the Antivirus Profiles page to configure options to have the firewall scan for viruses on the defined traffic. Set the applications that should be inspected for viruses and the action to take when a virus is detected. The default profile inspects all of the listed protocol decoders for viruses, generates alerts for Simple Mail Transport Protocol (SMTP), Internet Message Access Protocol (IMAP), and Post Office Protocol Version 3 (POP3), and takes the default action for other applications (alert or deny), depending on the type of virus detected. The profile will then be attached to a Security policy rule to determine the traffic traversing specific zones that will be inspected.
Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
To add a new Antivirus profile, select Add and enter the following settings:

Name: Enter a profile name (up to 31 characters). This name appears in the list of antivirus profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Antivirus profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

The Antivirus tab allows you to specify the action for the different types of traffic, such as ftp and http.

Packet Capture: Select this option if you want to capture identified packets.

Decoders and Actions: For each type of traffic that you want to inspect for viruses, select an action from the drop-down. You can define different actions for standard antivirus signatures (Action column) and signatures generated by the WildFire system (WildFire Action column).
Some environments may have requirements for a longer soak time for antivirus signatures, so this option enables the ability to set different actions for the two antivirus signature types provided by Palo Alto Networks. For example, the standard antivirus signatures go through a longer soak period before being released (24 hours), versus WildFire signatures, which can be generated and released within 15 minutes after a threat is detected. Because of this, you may want to choose the alert action on WildFire signatures instead of blocking.


Applications Exceptions and Actions: The Applications Exception table allows you to define applications that will not be inspected. For example, to block all HTTP traffic except for a specific application, you can define an antivirus profile for which the application is an exception. Block is the action for the HTTP decoder, and Allow is the exception for the application.
For each application exception, select the action to be taken when the threat is detected. For a list of actions, see Actions in Security Profiles.
To find an application, start typing the application name in the text box. A matching list of applications is displayed, and you can make a selection.

Virus Exception: Use the Virus Exceptions tab to define a list of threats that will be ignored by the antivirus profile.

Threat ID: To add specific threats that you want to ignore, enter one Threat ID at a time and click Add. Threat IDs are presented as part of the threat log information. Refer to Monitor > Logs.


Objects > Security Profiles > Anti-Spyware Profile

You can attach an Anti-Spyware profile to a Security policy rule for detecting connections initiated by spyware and command-and-control (C2) malware installed on systems on your network. You can choose between two predefined Anti-Spyware profiles in a Security policy rule. Each of these profiles has a set of predefined rules (with threat signatures) organized by the severity of the threat; each threat signature includes a default action that is specified by Palo Alto Networks.
- Default: The default profile uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
- Strict: The strict profile overrides the action defined in the signature file for critical, high, and medium severity threats, and sets it to the block action. The default action is taken with low and informational severity threats.
You can also create custom profiles. You can, for example, reduce the stringency for Anti-Spyware inspection for traffic between trusted security zones, and maximize the inspection of traffic received from the Internet, or traffic sent to protected assets such as server farms.
The following describes the Anti-Spyware profile settings:

Name: Enter a profile name (up to 31 characters). This name appears in the list of Anti-Spyware profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Anti-Spyware profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Rules
Anti-Spyware rules allow you to define a custom severity and action to take on any threat, a specific threat name that contains the text that you enter, and/or by a threat category, such as adware.
Add a new rule, or select an existing rule and select Find Matching Signatures to filter threat signatures based on that rule.

Rule Name: Specify the rule name.

Threat Name: Enter any to match all signatures, or enter text to match any signature containing the entered text as part of the signature name.

Severity: Choose a severity level (critical, high, medium, low, or informational).


Action: Choose an action for each threat. For a list of actions, see Actions in Security Profiles.

Packet Capture: Select this option if you want to capture identified packets.
Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets. Extended capture will provide much more context to the threat when analyzing the threat logs. To view the packet capture, select Monitor > Logs > Threat, locate the log entry you are interested in, and then click the green down arrow in the second column. To define the number of packets that should be captured, select Device > Setup > Content-ID and then edit the Content-ID Settings.
Packet captures will only occur if the action is allow or alert. If the block action is set, the session is ended immediately.

Exceptions Tab
Allows you to change the action for a specific signature. For example, you can generate alerts for a specific set of signatures and block all packets that match all other signatures. Threat exceptions are usually configured when false positives occur. To make management of threat exceptions easier, you can add threat exceptions directly from the Monitor > Logs > Threat list. Ensure that you obtain the latest content updates so that you are protected against new threats and have new signatures for any false positives.

Exceptions: Select Enable for each threat for which you want to assign an action, or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.
Use the IP Address Exemptions column to add IP address filters to a threat exception. If IP addresses are added to a threat exception, the threat exception action for that signature will only be taken over the rule's action if the signature is triggered by a session having either the source or destination IP matching an IP in the exception. You can add up to 100 IP addresses per signature. With this option, you do not have to create a new policy rule and new vulnerability profile to create an exception for a specific IP address.

DNS Signature Tab

The DNS Signatures settings provide an additional method of identifying infected hosts on a network. These signatures detect specific DNS lookups for hostnames that have been associated with malware. The DNS signatures can be configured to allow, alert, sinkhole, or block when these queries are observed, just as with regular antivirus signatures. Additionally, hosts that perform DNS queries for malware domains will appear in the botnet report. DNS signatures are downloaded as part of the antivirus updates.

External Dynamic List Domains: Allows you to select the lists for which you want to enforce an action when a DNS query occurs. By default, the list of DNS signatures provided through content updates (Palo Alto Networks DNS Signatures list) is sinkholed. The default IP address used for sinkholing belongs to Palo Alto Networks (71.19.152.112). This IP address is not static and can be modified through content updates on the firewall or Panorama.
To add a new list, click Add and select the External Dynamic List of type Domain that you had created. To create a new list, see Objects > External Dynamic Lists.


ActiononDNSqueries ChooseanactiontobetakenwhenDNSlookupsaremadetoknown
malwaresites.Theoptionsarealert,allow,block,orsinkhole.Thedefault
actionforPaloAltoNetworksDNSsignaturesissinkhole.
TheDNSsinkholeactionprovidesadministratorswithamethodof
identifyinginfectedhostsonthenetworkusingDNStraffic,evenwhenthe
firewallisnorthofalocalDNSserver(i.e.thefirewallcannotseethe
originatoroftheDNSquery).Whenathreatpreventionlicenseisinstalled
andanAntiSpywareprofileisenabledinaSecurityProfile,theDNSbased
signatureswilltriggeronDNSqueriesdirectedatmalwaredomains.Ina
typicaldeploymentwherethefirewallisnorthofthelocalDNSserver,the
threatlogwillidentifythelocalDNSresolverasthesourceofthetraffic
ratherthantheactualinfectedhost.SinkholingmalwareDNSqueriessolves
thisvisibilityproblembyforgingresponsestothequeriesdirectedat
maliciousdomains,sothatclientsattemptingtoconnecttomalicious
domains(forcommandandcontrol,forexample)insteadattempt
connectionstoanIPaddressspecifiedbytheadministrator.Infectedhosts
canthenbeeasilyidentifiedinthetrafficlogsbecauseanyhostthat
attemptstoconnecttothesinkholeIParemostlikelyinfectedwithmalware.
Afterselectingthesinkholeaction,specifyanIPv4and/orIPv6addressthat
willbeusedforsinkholing.Bydefault,thesinkholeIPaddressissettoaPalo
AltoNetworksserver.Youcanthenusethetrafficlogsorbuildacustom
reportthatfiltersonthesinkholeIPaddressandidentifyinfectedclients.
ThefollowingisthesequenceofeventsthatwilloccurwhenanDNSrequest
issinkholed:
MalicioussoftwareonaninfectedclientcomputersendsaDNSqueryto
resolveamalicioushostontheInternet.
Theclient'sDNSqueryissenttoaninternalDNSserver,whichthenqueries
apublicDNSserverontheothersideofthefirewall.
TheDNSquerymatchesaDNSentryintheDNSsignaturesdatabase,sothe
sinkholeactionwillbeperformedonthequery.
Theinfectedclientthenattemptstostartasessionwiththehost,butuses
theforgedIPaddressinstead.TheforgedIPaddressistheaddressdefined
intheAntiSpywareprofileDNSSignaturestabwhenthesinkholeactionis
selected.
TheadministratorisalertedofamaliciousDNSqueryinthethreatlog,and
canthensearchthetrafficlogsforthesinkholeIPaddressandcaneasily
locatetheclientIPaddressthatistryingtostartasessionwiththesinkhole
IPaddress.

PacketCapture Selectthisoptionifyouwanttocaptureidentifiedpackets.

ThreatID ManuallyenterDNSsignatureexceptions(rangeis
40000004999999).
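The triage step described above (search the traffic logs for sessions to the sinkhole address), as an added example that is not part of the guide: the sinkhole addresses and the simplified CSV log lines are constructed for this example and do not reproduce the firewall's real export format.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address

# Sinkhole addresses as they would be set in the Anti-Spyware profile (constructed
# values for this example; the firewall's default points at a Palo Alto Networks server).
SINKHOLE_IPS = {"10.255.255.254", "fd00:ffff::1"}

# Constructed sample logs. The threat log only names the internal resolver
# (10.1.1.53) as the source of the sinkholed query; the traffic log shows which
# clients then tried to open sessions to the forged (sinkhole) address.
THREAT_LOG = """\
receive_time,type,subtype,src,dst,threat,action
2017/02/06 10:00:01,THREAT,spyware,10.1.1.53,192.0.2.53,Suspicious DNS Query(constructed.example),sinkhole
"""

TRAFFIC_LOG = """\
receive_time,type,src,dst,dport,action
2017/02/06 10:00:02,TRAFFIC,10.1.7.8,10.255.255.254,443,allow
2017/02/06 10:00:05,TRAFFIC,10.1.7.8,10.255.255.254,80,allow
2017/02/06 10:00:09,TRAFFIC,10.1.9.21,10.255.255.254,443,allow
2017/02/06 10:00:11,TRAFFIC,10.1.7.8,203.0.113.80,443,allow
2017/02/06 10:00:12,TRAFFIC,10.1.3.4,fd00:ffff::1,443,allow
"""


def threat_log_sources(threat_log: str):
    """Sources of sinkholed queries as the threat log alone reports them.

    With the firewall north of the resolver this is the resolver's address, which is
    why the threat log by itself cannot identify the infected host.
    """
    rows = csv.DictReader(io.StringIO(threat_log))
    return sorted({r["src"] for r in rows if r["action"] == "sinkhole"})


def sinkhole_clients(traffic_log: str, sinkhole_ips=SINKHOLE_IPS):
    """Return {client_ip: session_count} for sessions whose destination is a sinkhole IP.

    A host that opens a session to the sinkhole address acted on a forged DNS answer,
    so it is the host that issued the malicious query (the candidate infected host).
    """
    targets = {ip_address(ip) for ip in sinkhole_ips}
    hits = Counter()
    for row in csv.DictReader(io.StringIO(traffic_log)):
        try:
            dst = ip_address(row["dst"])
        except ValueError:          # skip a malformed row rather than abort the report
            continue
        if dst in targets:
            hits[row["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    print("threat log shows only:", threat_log_sources(THREAT_LOG))
    for client, n in sorted(sinkhole_clients(TRAFFIC_LOG).items()):
        print(f"{client}: {n} session(s) to the sinkhole address")
```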

Objects > Security Profiles > Vulnerability Protection

A Security policy rule can include specification of a Vulnerability Protection profile that determines the level of protection against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. There are two predefined profiles available for the Vulnerability Protection feature:
• The default profile applies the default action to all client and server critical, high, and medium severity vulnerabilities. It does not detect low and informational vulnerability protection events.
• The strict profile applies the block response to all client and server critical, high and medium severity spyware events and uses the default action for low and informational vulnerability protection events.
Customized profiles can be used to minimize vulnerability checking for traffic between trusted security zones, and to maximize protection for traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms. To apply Vulnerability Protection profiles to Security policies, refer to Policies > Security.
The Rules settings specify collections of signatures to enable, as well as actions to be taken when a signature within a collection is triggered.
The Exceptions settings allow you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exceptions tab supports filtering functions.
The Vulnerability Protection page presents a default set of columns. Additional columns of information are available by using the column chooser. Click the arrow to the right of a column header and select the columns from the Columns submenu.
The following tables describe the Vulnerability Protection profile settings:

Vulnerability Protection Profile Settings

Name: Enter a profile name (up to 31 characters). This name appears in the list of Vulnerability Protection profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Rules Tab

Rule Name: Specify a name to identify the rule.

Threat Name: Specify a text string to match. The firewall applies a collection of signatures to the rule by searching signature names for this text string.


Action: Choose the action to take when the rule is triggered. For a list of actions, see Actions in Security Profiles.
The Default action is based on the predefined action that is part of each signature provided by Palo Alto Networks. To view the default action for a signature, select Objects > Security Profiles > Vulnerability Protection and Add or select an existing profile. Click the Exceptions tab and then click Show all signatures to see a list of all signatures and the associated Action.

Host Type: Specify whether to limit the signatures for the rule to those that are client side, server side, or either (any).

Packet Capture: Select this option if you want to capture identified packets.
Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets. Extended capture provides much more context to the threat when analyzing the threat logs. To view the packet capture, select Monitor > Logs > Threat, locate the log entry you are interested in, and then click the green down arrow in the second column. To define the number of packets that should be captured, select Device > Setup > Content-ID and then edit the Content-ID Settings.
Packet captures will only occur if the action is allow or alert. If the block action is set, the session is ended immediately.

Category: Select a vulnerability category if you want to limit the signatures to those that match that category.

CVE List: Specify common vulnerabilities and exposures (CVEs) if you want to limit the signatures to those that also match the specified CVEs.
Each CVE is in the format CVE-yyyy-xxxx, where yyyy is the year and xxxx is the unique identifier. You can perform a string match on this field. For example, to find vulnerabilities for the year 2011, enter 2011.

Vendor ID: Specify vendor IDs if you want to limit the signatures to those that also match the specified vendor IDs.
For example, the Microsoft vendor IDs are in the form MSyy-xxx, where yy is the two-digit year and xxx is the unique identifier. For example, to match Microsoft for the year 2009, enter MS09.

Severity: Select severities to match (informational, low, medium, high, or critical) if you want to limit the signatures to those that also match the specified severities.


Exceptions Tab

Threats: Select Enable for each threat for which you want to assign an action, or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.
Choose an action from the drop-down, or choose from the Action drop-down at the top of the list to apply the same action to all threats. If you selected Show All, then all signatures are listed. If not, only the signatures that are exceptions are listed.
Select Packet Capture if you want to capture identified packets.
The vulnerability signature database contains signatures that indicate a brute-force attack; for example, Threat ID 40001 triggers on an FTP brute-force attack. Brute-force signatures trigger when a condition occurs within a certain time threshold. The thresholds are preconfigured for brute-force signatures, and can be changed by clicking edit next to the threat name on the Vulnerability tab (with the Custom option selected). You can specify the number of hits per unit of time and whether the threshold applies to source, destination, or source and destination.
Thresholds can be applied on a source IP, a destination IP, or a combination of source IP and destination IP.
The default action is shown in parentheses. The CVE column shows identifiers for common vulnerabilities and exposures (CVE). These unique, common identifiers are for publicly known information security vulnerabilities.
Click into the IP Address Exemptions column to Add IP address filters to a threat exception. When you add an IP address to a threat exception, the threat exception action for that signature will take precedence over the rule's action only if the signature is triggered by a session with either a source or destination IP address matching an IP address in the exception. You can add up to 100 IP addresses per signature. You must enter a unicast IP address (that is, an address without a netmask), such as 10.1.7.8 or 2001:db8:123:1::1. By adding IP address exemptions, you do not have to create a new policy rule and a new vulnerability profile to create an exception for a specific IP address.


Objects > Security Profiles > URL Filtering

You can use URL Filtering profiles to control access to web content.

What are you looking for?
• Control access to websites based on URL category. See Categories.
• Enable the firewall to detect corporate credential submissions, and then control the URL categories to which users can submit credentials. See User Credential Detection and Categories.
• Enforce safe search settings. See URL Filtering Settings.
• Enable logging of HTTP headers. See URL Filtering Settings.
• Define website block and allow lists. See Overrides.
• Allow password-based access to certain sites. See Overrides.
Looking for more?
• Learn more about and configure URL Filtering.
• Prevent Credential Phishing based on URL category.
• To create custom URL categories with your own lists of URLs, select Objects > Custom Objects > URL Category.

General Settings

Name: Enter a profile name (up to 31 characters). This name appears in the list of URL filtering profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this URL Filtering profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.


Categories

Objects > Security Profiles > URL Filtering > Categories

Categories Settings

Category: In addition to the predefined categories, both custom URL categories and external dynamic lists of type URL are displayed under Category. By default, the Site Access and User Credential Submission permissions for all categories are set to Allow.

Site Access: For each URL category, select the action to take when a user attempts to access a URL in that category (Site Access):
• alert: Allows access to the website but adds an alert to the URL log each time a user accesses the URL.
• allow: Allows access to the website.
• block: Blocks access to the website. If the Site Access for a URL category is set to block, the User Credential Submission permission is automatically also set to block.
• continue: Displays a page to users that warns them against continuing to access the page. To access the website, the user must click Continue.
  The Continue pages will not be displayed properly on client machines that are configured to use a proxy server.
• override: Displays a response page that prompts the user to enter a valid password in order to gain access to the site. Configure URL Admin Override settings (Device > Setup > Content-ID) to manage the password and other override settings. (See also the Management Settings table in Device > Setup > Content-ID.)
  The Override pages will not be displayed properly on client machines that are configured to use a proxy server.
• none (custom URL category only): If you have created custom URL categories, set the action to none to allow the firewall to inherit the URL filtering category assignment from your URL database vendor. Setting the action to none gives you the flexibility to ignore custom categories in a URL filtering profile, while allowing you to use the custom URL category as a match criterion in policy rules (Security, Decryption, and QoS) to make exceptions or to enforce different actions. To delete a custom URL category, you must set the action to none in any profile where the custom category is used. For information on custom URL categories, see Objects > Custom Objects > URL Category.


User Credential Submission: For each URL category, select the User Credential Submission setting that allows or disallows users from submitting valid corporate credentials to a URL in that category. Before you can control user credential submissions based on URL category, you must enable credential submission detection (select the User Credential Detection tab).
URL categories with the Site Access set to block are automatically set to also block user credential submissions.
• alert: Allow users to submit credentials to the website, but generate a URL Filtering log each time a user submits credentials to sites in this category.
• allow (default): Allow users to submit credentials to the website.
• block: Block users from submitting credentials to the website. A default anti-phishing response page blocks user credential submissions.
• continue: Display a response page to users that prompts them to select Continue to submit credentials to the site. By default, an anti-phishing continue page displays to warn users when they attempt to submit credentials to sites to which credential submissions are discouraged. You can choose to create a custom response page to warn users against phishing attempts or to educate them against reusing valid corporate credentials on other websites.

Check URL Category: Click to access the PAN-DB URL Filtering database, where you can enter a URL or IP address to view categorization information.

Dynamic URL Filtering (Default: Disabled. Configurable for BrightCloud only; with PAN-DB, this option is enabled by default and is not configurable.): Select to enable cloud lookup for categorizing the URL. This option is invoked if the local database is unable to categorize the URL.
If the URL is unresolved after a 5-second timeout window, the response is displayed as Not resolved URL.

Overrides

Objects > Security Profiles > URL Filtering > Overrides


Overrides Settings

Action on License Expiration:
With BrightCloud: If you are using the BrightCloud database, you can configure the action to take if the URL filtering license expires:
• Block: Blocks access to all websites. Upon license expiration, all URLs are blocked, not just the URL categories previously set to block.
• Allow: Allows access to all websites. Upon license expiration, all URLs are allowed, not just the URL categories set to allow.
With PAN-DB: If the license expires for PAN-DB, URL filtering is not enforced:
• URL categories that are currently in the cache will be used to either block or allow content based on your configuration. Using cached results is a security risk because the categorization information might be stale.
• URLs that are not in the cache will be categorized as not-resolved and will be allowed.
Always renew your license in time to ensure network security.

Allow List (if you would like to use an External Dynamic List to dynamically update the list of URLs that you wish to allow, without a commit, see Objects > External Dynamic Lists): Enter the IP addresses or URL pathnames of the websites that you want to allow or generate alerts on. Enter each IP address or URL one per line.
You must omit the http and https portion of the URLs when adding websites to the list.
Entries in the allow list are an exact match and are case-insensitive. For example, "www.paloaltonetworks.com" is different from "paloaltonetworks.com". If you want to allow the entire domain, you should include both "*.paloaltonetworks.com" and "paloaltonetworks.com".
Examples:
www.paloaltonetworks.com
198.133.219.25/en/US
Block and allow lists support wildcard patterns. The following characters are considered separators:
. / ? & = ; +
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
*.yahoo.com (Tokens are: "*", "yahoo" and "com")
www.*.com (Tokens are: "www", "*" and "com")
www.yahoo.com/search=* (Tokens are: "www", "yahoo", "com", "search", "*")
The following patterns are invalid because the character * is not the only character in the token:
ww*.yahoo.com
www.y*.com
This list takes precedence over the selected website categories.


Block List (if you would like to use an External Dynamic List to dynamically update the list of URLs that you wish to block, without a commit, see Objects > External Dynamic Lists): Enter the IP addresses or URL pathnames of the websites that you want to block or generate alerts on. Enter each URL one per line.
You must omit the http and https portion of the URLs when adding websites to the list.
Entries in the block list are an exact match and are case-insensitive. For example, "www.paloaltonetworks.com" is different from "paloaltonetworks.com". If you want to block the entire domain, you should include both "*.paloaltonetworks.com" and "paloaltonetworks.com".
Examples:
www.paloaltonetworks.com
198.133.219.25/en/US
Block and allow lists support wildcard patterns. The following characters are considered separators:
. / ? & = ; +
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
*.yahoo.com (Tokens are: "*", "yahoo" and "com")
www.*.com (Tokens are: "www", "*" and "com")
www.yahoo.com/search=* (Tokens are: "www", "yahoo", "com", "search", "*")
The following patterns are invalid because the character * is not the only character in the token:
ww*.yahoo.com
www.y*.com

Action: Select the action to take when a website in the block list is accessed.
• alert: Allow the user to access the website, but add an alert to the URL log.
• block: Block access to the website.
• continue: Allow the user to access the blocked page by clicking Continue on the block page.
• override: Allow the user to access the blocked page after entering a password. The password and other override settings are specified in the URL Admin Override area of the Settings page (refer to the Management Settings table in Device > Setup > Management).
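The entry rules the Allow List and Block List rows share (separator characters, one-character wildcard tokens, case-insensitive exact match, no http/https prefix), as an added example that is not part of the guide or of PAN-OS: the page does not say how a wildcard token is compared at match time, so the matcher below assumes that "*" stands for exactly one token and that the separators on both sides must agree.

```python
import re

# Separator characters listed in the Overrides table for allow/block list entries.
SEPARATORS = "./?&=;+"
# Split while keeping the separators, so a pattern and a URL must agree on them too.
_SPLIT_RE = re.compile("([" + re.escape(SEPARATORS) + "])")


def split_entry(entry: str):
    """Return the alternating list [token, sep, token, sep, ..., token] for an entry.

    Entries are compared case-insensitively, so everything is lower-cased here.
    Empty tokens (e.g. from a trailing '/') are kept so that structure is compared exactly.
    """
    return _SPLIT_RE.split(entry.strip().lower())


def validate_entry(entry: str):
    """Check one allow/block list line against the rules in the table.

    Returns (True, "") for a valid entry or (False, reason) otherwise.
    """
    if entry.strip().lower().startswith(("http://", "https://")):
        return False, "omit the http:// or https:// portion of the URL"
    tokens = split_entry(entry)[0::2]         # even positions are tokens, odd ones separators
    for tok in tokens:
        if "*" in tok and tok != "*":
            return False, f"'*' must be the only character in a token: {tok!r}"
        if not tok.isascii():
            return False, f"tokens must be ASCII: {tok!r}"
    return True, ""


def entry_matches(entry: str, url: str) -> bool:
    """Exact, case-insensitive match of a list entry against a URL without its scheme.

    Assumption (not stated on the page): a '*' token matches exactly one token, and the
    separators between tokens must be identical on both sides. An invalid entry never matches.
    """
    ok, _ = validate_entry(entry)
    if not ok:
        return False
    pat, tgt = split_entry(entry), split_entry(url)
    if len(pat) != len(tgt):
        return False
    for i, (p, t) in enumerate(zip(pat, tgt)):
        if i % 2 == 1:                        # separator position: must be identical
            if p != t:
                return False
        elif p != "*" and p != t:             # token position: wildcard or exact token
            return False
    return True


def first_match(url: str, entries):
    """Return the first list entry that matches the URL, or None."""
    for entry in entries:
        if entry_matches(entry, url):
            return entry
    return None


if __name__ == "__main__":
    # Constructed allow list: both forms are needed to cover the whole domain.
    allow = ["*.paloaltonetworks.com", "paloaltonetworks.com", "198.133.219.25/en/US"]
    for url in ("WWW.paloaltonetworks.com", "paloaltonetworks.com", "a.b.paloaltonetworks.com"):
        print(f"{url}: matched by {first_match(url, allow)}")
    for bad in ("ww*.yahoo.com", "www.y*.com", "https://www.paloaltonetworks.com"):
        print(f"{bad}: {validate_entry(bad)[1]}")
```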

URL Filtering Settings

Objects > Security Profiles > URL Filtering > URL Filtering Settings

Log container page only (Default: Enabled): Select this option to log only the URLs that match the content type that is specified.

Enable Safe Search Enforcement (Default: Disabled. A URL filtering license is not required to use this feature.): Select this option to enforce strict safe search filtering.
Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. When you select the setting to Enable Safe Search Enforcement, the firewall blocks search results if the end user is not using the strictest safe search settings in the search query. The firewall can enforce safe search for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. This is a best-effort setting and is not guaranteed by the search providers to work with every website.
To use safe search enforcement you must enable this setting and then attach the URL filtering profile to a Security policy rule. The firewall will then block any matching search query return traffic that is not using the strictest safe search settings.
If you are performing a search on Yahoo Japan (yahoo.co.jp) while logged in to your Yahoo account, the lock option for the search setting must also be enabled.
To prevent users from bypassing this feature by using other search providers, configure the URL filtering profile to block the search-engines category and then allow access to Bing, Google, Yahoo, Yandex, and YouTube.

HTTP Header Logging: Enabling HTTP Header Logging provides visibility into the attributes included in the HTTP request sent to a server. When enabled, one or more of the following attribute-value pairs are recorded in the URL Filtering log:
• User-Agent: The web browser that the user used to access the URL. This information is sent in the HTTP request to the server. For example, the User-Agent can be Internet Explorer or Firefox. The User-Agent value in the log supports up to 1024 characters.
• Referer: The URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested. The Referer value in the log supports up to 256 characters.
• X-Forwarded-For: The header field option that preserves the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is particularly useful if you have a proxy server on your network or you have implemented Source NAT that is masking the user's IP address such that all requests seem to originate from the proxy server's IP address or a common IP address. The X-Forwarded-For value in the log supports up to 128 characters.

User Credential Detection

Objects > Security Profiles > URL Filtering > User Credential Detection
Enable the firewall to detect when users submit corporate credentials. The firewall uses one of three methods to detect valid credentials submitted to web pages. Each method requires User-ID, which enables the firewall to compare username and password submissions to web pages against valid corporate credentials. Select one of these methods to then continue to Prevent Credential Phishing based on URL category.


User Credential Detection Settings

IP User: This credential detection method checks for valid username submissions. You can use this method to detect credential submissions that include a valid corporate username (regardless of the accompanying password). The firewall determines a username match by verifying that the username matches the user logged in to the source IP address of the session. To do this, the firewall matches the submitted username against its IP-address-to-username mapping table. With this method you can use any of the user mapping methods described in Map IP Addresses to Users.

Group Mapping: The firewall determines if the username a user submits to a restricted site matches any valid corporate username. To do this, the firewall matches the submitted username to the list of usernames in its user-to-group mapping table to detect when users submit a corporate username to a site in a restricted category.
This method only checks for corporate username submissions based on LDAP group membership, which makes it simple to configure, but more prone to false positives.
You must enable group mapping to use this method.

Domain Credential: This credential detection method enables the firewall to check for a valid corporate username and the associated password. The firewall determines if the username and password a user submits match the same user's corporate username and password. To do this, the firewall must be able to match credential submissions to valid corporate usernames and passwords and verify that the username submitted maps to the IP address of the logged-in user. This mode is supported only with the Windows-based User-ID agent, and requires that the User-ID agent is installed on a read-only domain controller (RODC) and equipped with the User-ID Credential Service add-on. To use this method, you must also enable User-ID to Map IP Addresses to Users using any of the supported user mapping methods, including Authentication Policy and Captive Portal, and GlobalProtect.
See Prevent Credential Phishing for details on each of the methods the firewall can use to check for valid corporate credential submissions, and for steps to enable phishing prevention.

Valid Username Detected Log Severity: Set the severity for logs that indicate the firewall detected a valid username submission to a website.
This log severity is associated with events where a valid username is submitted to websites whose credential submission permission is alert, block or continue. Logs that record when a user submits a valid username to a website for which credential submissions are allowed have a severity of informational. Select Categories to review or adjust the URL categories to which credential submissions are allowed and blocked.


Objects > Security Profiles > File Blocking

You can attach a File Blocking profile to a Security policy rule (Policies > Security) to block users from uploading or downloading specified file types, or to generate an alert when a user attempts to upload or download specified file types.
The following tables describe the file blocking profile settings.

File Blocking Profile Settings

Name: Enter a profile name (up to 31 characters). This name appears in the list of file blocking profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this File Blocking profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Rules: Define one or more rules to specify the action taken (if any) for the selected file types. To add a rule, specify the following and click Add:
• Name: Enter a rule name (up to 31 characters).
• Applications: Select the applications the rule applies to, or select any.
• File Types: Click in the file types field and then click Add to view a list of supported file types. Click a file type to add it to the profile and continue to add additional file types as needed. If you select Any, the defined action is taken on all supported file types.
• Direction: Select the direction of the file transfer (Upload, Download, or Both).
• Action: Select the action taken when the selected file types are detected:
    - alert: An entry is added to the threat log.
    - block: The file is blocked.
    - continue: A message to the user indicates that a download has been requested and asks the user to confirm whether to continue. The purpose is to warn the user of a possible unknown download (also known as a drive-by download) and to give the user the option of continuing or stopping the download.
      When you create a file blocking profile with the action continue or continue-and-forward (used for WildFire forwarding), you can only choose the application web-browsing. If you choose any other application, traffic that matches the Security policy rule will not flow through the firewall, because the users will not be prompted with a continue page.
    - forward: The file is automatically sent to WildFire.
    - continue-and-forward: A continue page is presented, and the file is sent to WildFire (combines the continue and forward actions). This action only works with web-based traffic, because a user must click continue before the file will be forwarded and the continue response page option is only available with http/https.


Objects > Security Profiles > WildFire Analysis

Use a WildFire Analysis profile to specify whether WildFire file analysis is performed locally on the WildFire appliance or in the WildFire cloud. You can specify traffic to be forwarded to the public cloud or private cloud based on file type, application, or the transmission direction of the file (upload or download). After creating a WildFire analysis profile, adding the profile to a policy (Policies > Security) further allows you to apply the profile settings to any traffic matched to that policy (for example, a URL category defined in the policy).

WildFire Analysis Profile Settings

Name: Enter a descriptive name for the WildFire analysis profile (up to 31 characters). This name appears in the list of WildFire Analysis profiles that you can choose from when defining a Security policy rule. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Optionally describe the profile rules or the intended use for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Rules: Define one or more rules to specify traffic to forward to either the WildFire public cloud or the WildFire appliance (private cloud) for analysis.
• Enter a descriptive Name for any rules you add to the profile (up to 31 characters).
• Add an Application so that any traffic of that application will be matched to the rule and forwarded to the specified analysis destination.
• Select a File Type to be analyzed at the defined analysis destination for the rule.
  A WildFire private cloud (hosted by a WF-500 appliance) does not support analysis for APK files.
• Apply the rule to traffic depending on the transmission Direction. You can apply the rule to upload traffic, download traffic, or both.
• Select the Destination for traffic to be forwarded for analysis:
    - Select public-cloud so that all traffic matched to the rule is forwarded to the WildFire public cloud for analysis.
    - Select private-cloud so that all traffic matched to the rule is forwarded to the WildFire appliance for analysis.


Objects > Security Profiles > Data Filtering

Data filtering enables the firewall to detect sensitive information such as credit card or social security numbers or internal corporate documents and prevent this data from leaving a secure network. Before you enable data filtering, select Objects > Custom Objects > Data Patterns to define the type of data you want to filter (such as social security numbers or document titles that contain the word "confidential"). You can add several data pattern objects to a single Data Filtering profile and, when the profile is attached to a Security policy rule, the firewall scans allowed traffic for each data pattern and blocks matching traffic based on the data filtering profile settings.

Data Filtering Profile Settings

Name: Enter a profile name (up to 31 characters). This name appears in the list of Data Filtering profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: Enter a description for the profile (up to 255 characters).

Shared: Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Data Filtering profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Data Capture: Select this option to automatically collect the data that is blocked by the filter.
Specify a password for Manage Data Protection on the Settings page to view your captured data. Refer to Device > Setup > Management.

Data Pattern: Add an existing data pattern to use for filtering, or select New to configure a new data pattern object (Objects > Custom Objects > Data Patterns).

Applications: Specify the applications to include in the filtering rule:
• Choose any to apply the filter to all of the listed applications. This selection does not block all possible applications, just the listed ones.
• Click Add to specify individual applications.

File Types: Specify the file types to include in the filtering rule:
• Choose any to apply the filter to all of the listed file types. This selection does not block all possible file types, just the listed ones.
• Click Add to specify individual file types.

Direction: Specify whether to apply the filter in the upload direction, download direction, or both.

Alert Threshold: Specify the number of times the data pattern must be detected in a file to trigger an alert.

Block Threshold: Block files that contain at least this many instances of the data pattern.

Log Severity: Define the log severity recorded for events that match this data filtering profile rule.
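How the Alert Threshold and Block Threshold turn per-file pattern counts into a verdict, as an added example that is not part of the guide or of PAN-OS: the two data patterns (a US SSN shape and a card number with a Luhn post-check to keep serial numbers out of the count) and the scanned file content are constructed for this example, and the thresholds are assumed to be inclusive with block checked before alert.

```python
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check: keeps 16-digit order or serial numbers out of the card-number count."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _card_check(m) -> bool:
    """Post-check for a regex hit: strip separators and validate the checksum."""
    return luhn_ok(re.sub(r"[ -]", "", m.group(0)))


# Constructed stand-ins for two Data Pattern objects (Objects > Custom Objects > Data Patterns):
# a regular expression plus an optional post-check applied to each regex hit.
PATTERNS = {
    "us-ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None),
    "credit-card": (re.compile(r"\b(?:\d[ -]?){15}\d\b"), _card_check),
}


def count_pattern(text: str, name: str) -> int:
    """Number of instances of one data pattern found in the scanned content."""
    regex, check = PATTERNS[name]
    return sum(1 for m in regex.finditer(text) if check is None or check(m))


def evaluate(text: str, alert_threshold: int, block_threshold: int):
    """Apply the profile's Alert Threshold and Block Threshold to every pattern.

    Returns {pattern: (count, verdict)} with verdict 'block', 'alert' or None.
    Assumption: both thresholds are inclusive and block is checked first.
    """
    result = {}
    for name in PATTERNS:
        n = count_pattern(text, name)
        if n >= block_threshold:
            verdict = "block"
        elif n >= alert_threshold:
            verdict = "alert"
        else:
            verdict = None
        result[name] = (n, verdict)
    return result


# Constructed sample file content; the card numbers are well-known test numbers.
SAMPLE_FILE = """\
Quarterly payroll export (constructed sample)
Employee A, SSN 123-45-6789, card 4111 1111 1111 1111
Employee B, SSN 555-65-4320, card 5500-0000-0000-0004
Order ref 4111111111111112 is a serial number, not a card (fails Luhn)
Employee C, SSN 078-05-1120
Malformed SSN 000-12-3456 must not count
"""

if __name__ == "__main__":
    for name, (n, verdict) in evaluate(SAMPLE_FILE, alert_threshold=1, block_threshold=3).items():
        print(f"{name}: {n} instance(s) -> {verdict or 'no action'}")
```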


Objects > Security Profiles > DoS Protection

DoS Protection profiles are designed for high-precision targeting and they augment Zone Protection profiles. A DoS Protection profile specifies the threshold rates at which new connections per second (cps) trigger an alarm and an action (specified in the DoS Protection policy). The DoS Protection profile also specifies the maximum rate of connections per second and how long a blocked IP address remains on the Block IP list. You apply a DoS Protection profile to a DoS Protection policy rule where you specify the criteria for packets to match the rule.
A DoS Protection profile is configured to be an Aggregate or Classified type. You can apply a Classified DoS Protection profile to a Classified DoS Protection rule.
A Classified DoS Protection rule has Classified selected and specifies a Classified DoS Protection profile. When a DoS Protection rule action is Protect, the firewall counts connections toward the cps thresholds of the DoS Protection profile if the packet meets the specified Address type: source-ip-only, destination-ip-only, or src-dest-ip-both.
By comparison, a DoS Protection rule is an Aggregate rule when Classified is not selected. When a DoS Protection rule action is Protect, an Aggregate rule causes the firewall to count all connections that meet the criteria for the rule (the aggregate) toward the cps thresholds that are specified in the Aggregate DoS Protection profile identified in the rule.
To apply a DoS Protection profile to a DoS Protection policy, see Policies > DoS Protection.

If you have a multiple virtual system (multi-vsys) environment and have configured the following:
• External zones to enable inter-virtual-system communication, and
• Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications,
then the following Zone and DoS protection mechanisms are disabled on the external zone:
• SYN cookies
• IP fragmentation
• ICMPv6
To enable IP fragmentation and ICMPv6 protection, create a separate zone protection profile for the shared gateway.
To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Drop or SYN cookies. On an external zone, only Random Early Drop is available for SYN Flood protection.

DoSProtectionProfileSettings

Name Enteraprofilename(upto31characters).Thisnameappearsinthelistof
logforwardingprofileswhendefiningsecuritypolicies.Thenameis
casesensitiveandmustbeunique.Useonlyletters,numbers,spaces,
hyphens,andunderscores.

Shared Selectthisoptionifyouwanttheprofiletobeavailableto:
Everyvirtualsystem(vsys)onamultivsysfirewall.Ifyouclearthis
selection,theprofilewillbeavailableonlytotheVirtual Systemselected
intheObjectstab.
EverydevicegrouponPanorama.Ifyouclearthisselection,theprofile
willbeavailableonlytotheDevice GroupselectedintheObjectstab.


Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this DoS Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Description: Enter a description of the profile (up to 255 characters).

Type: Select one of the following profile types:
- aggregate: Apply the DoS thresholds configured in the profile to all connections that match the rule criteria on which this profile is applied. For example, an aggregate rule with a SYN flood threshold of 10,000 connections per second (cps) counts all connections that hit that particular DoS rule.
- classified: Apply the DoS thresholds configured in the profile to the connections that match the classification criterion (source IP address, destination IP address, or source and destination IP address pair).

Flood Protection Tab

SYN Flood tab / UDP Flood tab / ICMP Flood tab / ICMPv6 tab / Other IP tab: Select this option to enable the type of flood protection indicated on the tab and specify the following settings:
- Action (SYN Flood only): Action that the firewall performs if the DoS Protection policy action is Protect and if incoming connections per second (cps) reach the Activate Rate. Choose one of the following:
  - Random Early Drop: Drop packets randomly when connections per second reach the Activate Rate threshold.
  - SYN cookies: Use SYN cookies to generate acknowledgments so that it is not necessary to drop connections during a SYN flood attack.
- Alarm Rate: Specify the threshold rate (cps) at which a DoS alarm is generated (range is 0 to 2,000,000 cps; default is 10,000 cps).
- Activate Rate: Specify the threshold rate (cps) at which a DoS response is activated. The DoS response is configured in the Action field of the DoS Protection profile (Random Early Drop or SYN cookies). The Activate Rate range is 0 to 2,000,000 cps; default is 10,000 cps.
  If the profile Action is Random Early Drop (RED), when incoming connections per second reach the Activate Rate threshold, RED occurs. If the cps rate increases, the RED rate increases according to an algorithm. The firewall continues with RED until the cps rate reaches the Max Rate threshold.
- Max Rate: Specify the threshold rate of incoming connections per second the firewall allows. At the Max Rate threshold, the firewall drops 100% of new connections (range is 2 to 2,000,000 cps; default is 40,000 cps).
- Block Duration: Specify the length of time (seconds) during which the offending IP address remains on the Block IP list and connections with the IP address are blocked. The firewall doesn't count packets that arrive during the block duration toward the Alarm Rate, Activate Rate, or Max Rate thresholds (range is 1 to 21,600 seconds; default is 300 seconds).

Resources Protection Tab

Sessions: Select this option to enable resources protection.


Max Concurrent Limit: Specify the maximum number of concurrent sessions.
- For the Aggregate profile type, this limit applies to all traffic hitting the DoS Protection rule on which the DoS Protection profile is applied.
- For the Classified profile type, this limit applies to the traffic on a classified basis (source IP, destination IP, or source and destination IP) hitting the DoS Protection rule to which the DoS Protection profile is applied.
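To see how the Aggregate/Classified counting and the Alarm Rate, Activate Rate, Max Rate and Block Duration thresholds above interact, here is an added model in Python. It is not Palo Alto Networks code; the RED drop ramp, the sample traffic and the small thresholds are constructed for the example.

```python
"""Model of how a DoS Protection profile's cps thresholds are applied.

Added example, not Palo Alto Networks code: it mimics the documented
behaviour (Aggregate vs Classified counting, Alarm, Activate and Max Rate,
Block Duration) so a profile's numbers can be reasoned about before commit.
The RED drop curve between Activate Rate and Max Rate is a constructed
linear ramp; the guide says only that RED increases "according to an
algorithm". The traffic below is constructed, not captured.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class DoSProfile:
    alarm_rate: int = 10_000      # guide default: 10,000 cps
    activate_rate: int = 10_000   # guide default: 10,000 cps
    max_rate: int = 40_000        # guide default: 40,000 cps
    block_duration: int = 300     # guide default: 300 seconds
    classified: bool = False
    address_type: str = "source-ip-only"  # destination-ip-only, src-dest-ip-both

    def key(self, src, dst):
        """Counting bucket: an Aggregate profile lumps every matching
        connection together; a Classified one counts per address type."""
        if not self.classified:
            return "aggregate"
        return {"source-ip-only": src,
                "destination-ip-only": dst,
                "src-dest-ip-both": (src, dst)}[self.address_type]

    def state(self, cps):
        """Highest threshold a one-second connection count has reached."""
        if cps >= self.max_rate:
            return "max-rate"      # 100% of new connections dropped
        if cps >= self.activate_rate:
            return "activate"      # RED or SYN cookies engaged
        if cps >= self.alarm_rate:
            return "alarm"         # alarm logged only
        return "ok"

    def red_drop_fraction(self, cps):
        """Constructed RED ramp: 0 at Activate Rate rising to 1.0 at Max Rate."""
        if cps < self.activate_rate:
            return 0.0
        if cps >= self.max_rate:
            return 1.0
        return (cps - self.activate_rate) / (self.max_rate - self.activate_rate)


def evaluate(profile, connections):
    """connections: iterable of (second, src_ip, dst_ip) new-connection events.

    Returns ({second: {bucket: state}}, {bucket: second the block expires}).
    A bucket that reaches Max Rate goes on the Block IP list for
    block_duration seconds, and arrivals during that time are not counted
    toward any threshold, as the Block Duration description states.
    """
    per_second = defaultdict(Counter)
    blocked = {}
    for sec, src, dst in sorted(connections):
        bucket = profile.key(src, dst)
        if bucket in blocked and sec < blocked[bucket]:
            continue                       # dropped while on the Block IP list
        per_second[sec][bucket] += 1
        if per_second[sec][bucket] >= profile.max_rate:
            blocked[bucket] = sec + profile.block_duration
    states = {sec: {b: profile.state(n) for b, n in counts.items()}
              for sec, counts in per_second.items()}
    return states, blocked


# Constructed traffic: one noisy source and one quiet source hitting the rule.
SAMPLE_EVENTS = (
    [(0, "10.0.0.5", "192.0.2.1")] * 12    # 12 new connections in second 0
    + [(0, "10.0.0.9", "192.0.2.1")] * 3
    + [(1, "10.0.0.5", "192.0.2.1")] * 4   # arrives while 10.0.0.5 is blocked
    + [(1, "10.0.0.9", "192.0.2.1")] * 6
)

if __name__ == "__main__":
    small = DoSProfile(alarm_rate=5, activate_rate=8, max_rate=10,
                       block_duration=60, classified=True)
    states, blocked = evaluate(small, SAMPLE_EVENTS)
    print(states)   # second 0: 10.0.0.5 max-rate, 10.0.0.9 ok; second 1: 10.0.0.9 alarm
    print(blocked)  # {'10.0.0.5': 60}
```

Running the same events through an Aggregate profile shows why Classified profiles exist: the quiet source is blocked along with the noisy one because both share the single aggregate bucket.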


Objects > Security Profile Groups

The firewall supports the ability to create Security Profile groups, which specify sets of Security Profiles that can be treated as a unit and then added to security policies. For example, you can create a threats Security Profile group that includes profiles for Antivirus, Anti-Spyware, and Vulnerability Protection and then create a Security policy rule that includes the threats profile.
Antivirus, Anti-Spyware, Vulnerability Protection, URL filtering, and file blocking profiles that are often assigned together can be combined into profile groups to simplify the creation of security policies.
To define a new Security Profile, select Objects > Security Profiles.
The following table describes the Security Profile group settings:

Name: Enter the profile group name (up to 31 characters). This name appears in the profiles list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the profile group to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile group will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile group will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Security Profile group object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.

Profiles: Select an Antivirus, Anti-Spyware, Vulnerability Protection, URL filtering, and/or file blocking profile to be included in this group. Data filtering profiles can also be specified in Security Profile groups. Refer to Objects > Security Profiles > Data Filtering.


Objects > Log Forwarding

By default, the logs that the firewall generates reside only in its local storage. However, if you want to use Panorama or external services (such as a syslog server) to centrally monitor log information, you can define a Log Forwarding profile and assign it to Security, Authentication, and DoS Protection policy rules. Log Forwarding profiles define forwarding destinations for the following Log Types: Traffic, Threat, WildFire Submissions, URL Filtering, Data Filtering, Tunnel Inspection, and Authentication logs.

To forward other log types, see Device > Log Settings.
On PA-7000 Series firewalls, you must configure a Log Card Interface for the firewall to forward logs to the following logging destinations: Syslog, HTTP, Email, and SNMP. This is also required to forward files to WildFire. After the port is configured, log forwarding and WildFire forwarding will automatically use this port and there is no special configuration required for this to occur. Just configure a data port on one of the PA-7000 Series NPCs as interface type Log Card and ensure that the network that will be used can communicate with your log servers. For WildFire forwarding, the network must communicate successfully with the WildFire cloud and/or WildFire appliance.

The following table describes the Log Forwarding profile settings:

Name: Enter a name (up to 64 characters) to identify the profile. This name appears in the list of Log Forwarding profiles when defining Security policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Log Forwarding profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.

Description: Enter a description to explain the purpose of this Log Forwarding profile.

Match List (unlabeled): Add one or more match list profiles (up to 64) that specify forwarding destinations, log attribute-based filters to control which logs the firewall forwards, and actions to perform on the logs (such as automatic tagging). Complete the following two fields for each match list profile.

Name (match list profile): Enter a name (up to 31 characters) to identify the match list profile.

Description (match list profile): Enter a description (up to 1,023 characters) to explain the purpose of this match list profile.

Log Type: Select the type of logs to which this match list profile applies: traffic, threat, WildFire, URL, data, tunnel, or authentication (auth).


Filter: By default, the firewall forwards All Logs of the selected Log Type. To forward a subset of the logs, select an existing filter from the drop-down or select Filter Builder to add a new filter. For each query in a new filter, specify the following fields and Add the query:
- Connector: Select the connector logic (and/or) for the query. Select Negate if you want to apply negation to the logic. For example, to avoid forwarding logs from an untrusted zone, select Negate, select Zone as the Attribute, select equal as the Operator, and enter the name of the untrusted Zone in the Value column.
- Attribute: Select a log attribute. The available attributes depend on the Log Type.
- Operator: Select the criterion to determine whether the attribute applies (such as equal). The available criteria depend on the Log Type.
- Value: Specify the attribute value to match.
To display or export the logs that the filter matches, select View Filtered Logs. This tab provides the same options as the Monitoring tab pages (such as Monitoring > Logs > Traffic).

Panorama: Select Panorama if you want to forward logs to Log Collectors or the Panorama management server. If you enable this option, you must configure log forwarding to Panorama.

SNMP: Add one or more SNMP Trap server profiles to forward logs as SNMP traps (see Device > Server Profiles > SNMP Trap).

Email: Add one or more Email server profiles to forward logs as email notifications (see Device > Server Profiles > Email).

Syslog: Add one or more Syslog server profiles to forward logs as syslog messages (see Device > Server Profiles > Syslog).

HTTP: Add one or more HTTP server profiles to forward logs as HTTP requests (see Device > Server Profiles > HTTP).


Built-in Actions: Add the action to perform. Add or remove a tag to the source or destination IP address in a log entry automatically and register the IP address and tag mapping to a User-ID agent on the firewall or Panorama, or to a remote User-ID agent, so that you can respond to an event and dynamically enforce Security policy. The ability to tag an IP address and dynamically enforce policy using dynamic address groups gives you better visibility, context, and control for consistently enforcing Security policy irrespective of where the IP address moves across your network.
Configure the following settings:
- Add an action and enter a name to describe it.
- Select the target IP address you want to tag: Source Address or Destination Address.
  You can take an action for all log types that include a source or destination IP address in the log entry. You can tag the source IP address only in Correlation logs and HIP Match logs; you cannot configure an action for System logs and Configuration logs because the log type does not include an IP address in the log entry.
- Select the action: Add Tag or Remove Tag.
- Select whether to register the IP address and tag mapping to the Local User-ID agent on this firewall or Panorama, or to a Remote User-ID agent.
- To register the IP address and tag mapping to a Remote User-ID agent, select the HTTP server profile (Device > Server Profiles > HTTP) that will enable forwarding.
- Enter or select the Tags you want to apply or remove from the target source or destination IP address.
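The Filter Builder fields (Connector, Negate, Attribute, Operator, Value) and the Built-in Actions tagging step can be exercised offline with the following added Python model. It is not Palo Alto Networks code; the left-to-right query evaluation, the operator set, the severity_rank attribute and all log entries, profile names and destinations are constructed for the example.

```python
"""Evaluate Log Forwarding match list profiles over constructed log entries.

Added example, not Palo Alto Networks code. It models the Filter Builder
fields the guide describes (Connector and/or, Negate, Attribute, Operator,
Value), the per-Log Type match, and the Built-in Actions tagging step.
Assumptions: queries combine left to right, only the 'equal' and
'greater-than' operators are modelled, and the numeric severity_rank
attribute, the log entries, profile names and destinations are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Query:
    attribute: str
    operator: str              # "equal" or "greater-than"
    value: object
    connector: str = "and"     # joins this query to the result so far
    negate: bool = False       # the guide's Negate checkbox

    def test(self, log):
        actual = log.get(self.attribute)
        if self.operator == "equal":
            hit = actual == self.value
        elif self.operator == "greater-than":
            hit = actual is not None and actual > self.value
        else:
            raise ValueError("unsupported operator: " + self.operator)
        return (not hit) if self.negate else hit


@dataclass
class MatchList:
    name: str
    log_type: str                     # traffic, threat, wildfire, url, data, tunnel, auth
    queries: list = field(default_factory=list)       # empty = "All Logs"
    destinations: list = field(default_factory=list)  # e.g. "syslog:<profile>", "panorama"
    actions: list = field(default_factory=list)       # Built-in Actions (tagging)

    def matches(self, log):
        if log["type"] != self.log_type:
            return False
        result = True
        for i, q in enumerate(self.queries):
            hit = q.test(log)
            if i == 0:
                result = hit
            elif q.connector == "and":
                result = result and hit
            else:
                result = result or hit
        return result


def apply_actions(actions, log):
    """Built-in Actions: add or remove a tag on the source or destination IP.
    Returns (action, ip, tags, agent) registrations; a log without the target
    address (System and Configuration logs carry none) yields nothing."""
    registrations = []
    for act in actions:
        ip = log.get("src" if act["target"] == "source" else "dst")
        if ip is None:
            continue
        registrations.append((act["action"], ip, tuple(act["tags"]), act["agent"]))
    return registrations


def forward(profile, logs):
    """Map each log id to the destinations it is forwarded to and the IP-tag
    registrations it triggers across all match lists in the profile."""
    out = {}
    for log in logs:
        dests, regs = [], []
        for ml in profile:
            if ml.matches(log):
                dests.extend(ml.destinations)
                regs.extend(apply_actions(ml.actions, log))
        out[log["id"]] = {"destinations": dests, "registrations": regs}
    return out


# Constructed profile: the guide's own example (Negate + Zone equal untrust)
# keeps untrust-zone traffic logs off the SIEM, and high-severity or alerted
# threat logs tag their source IP for a dynamic address group to act on.
PROFILE = [
    MatchList("traffic-not-untrust", "traffic",
              queries=[Query("zone_from", "equal", "untrust", negate=True)],
              destinations=["syslog:soc-siem"]),
    MatchList("threat-quarantine", "threat",
              queries=[Query("severity_rank", "greater-than", 3),
                       Query("action", "equal", "alert", connector="or")],
              destinations=["panorama", "http:soar"],
              actions=[{"target": "source", "action": "add-tag",
                        "tags": ["quarantine"], "agent": "local"}]),
]

SAMPLE_LOGS = [   # constructed entries, not real firewall output
    {"id": 1, "type": "traffic", "zone_from": "trust", "src": "10.1.1.20", "dst": "203.0.113.7"},
    {"id": 2, "type": "traffic", "zone_from": "untrust", "src": "198.51.100.9", "dst": "10.1.1.20"},
    {"id": 3, "type": "threat", "severity_rank": 4, "action": "drop", "src": "10.1.1.31", "dst": "203.0.113.9"},
    {"id": 4, "type": "threat", "severity_rank": 2, "action": "alert", "src": "10.1.1.32", "dst": "203.0.113.9"},
    {"id": 5, "type": "system", "severity_rank": 4},
    {"id": 6, "type": "threat", "severity_rank": 1, "action": "drop", "src": "10.1.1.33", "dst": "203.0.113.9"},
]
```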


Objects > Authentication

An authentication enforcement object specifies the method and service to use for authenticating end users who access your network resources. You assign the object to Authentication policy rules, which invoke the authentication method and service when traffic matches a rule (see Policies > Authentication).
The firewall has the following predefined, read-only authentication enforcement objects:
- default-browser-challenge: The firewall transparently obtains user authentication credentials. If you select this action, you must enable Kerberos Single Sign-On (SSO) or NT LAN Manager (NTLM) authentication when you configure Captive Portal. If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you did not configure NTLM, or NTLM authentication fails, the firewall falls back to the authentication method specified in the predefined default-web-form object.
- default-web-form: To authenticate users, the firewall uses the certificate profile or authentication profile you specified when configuring Captive Portal. If you specified an authentication profile, the firewall ignores any Kerberos SSO settings in the profile and presents a Captive Portal page for the user to enter authentication credentials.
- default-no-captive-portal: The firewall evaluates Security policy without authenticating users.
Before creating a custom authentication enforcement object:
- Configure a server profile that specifies how to connect to the authentication service (see Device > Server Profiles).
- Assign the server profile to an authentication profile that specifies authentication settings such as Kerberos single sign-on parameters (see Device > Authentication Profile).
To create a custom authentication enforcement object, click Add and complete the following fields:

Name: Enter a descriptive name (up to 31 characters) to help you identify the object when defining Authentication rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the object to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the object will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the object will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this authentication enforcement object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.


Authentication Method: Select a method:
- browser-challenge: The firewall transparently obtains user authentication credentials. If you select this action, the Authentication Profile you select must have Kerberos SSO enabled or else you must have configured NTLM in the Captive Portal settings. If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you did not configure NTLM, or NTLM authentication fails, the firewall falls back to web-form authentication.
- web-form: To authenticate users, the firewall uses the certificate profile you specified when configuring Captive Portal or the Authentication Profile you select in the authentication enforcement object. If you select an Authentication Profile, the firewall ignores any Kerberos SSO settings in the profile and presents a Captive Portal page for the user to enter authentication credentials.
- no-captive-portal: The firewall evaluates Security policy without authenticating users.

Authentication Profile: Select the authentication profile that specifies the service to use for validating the identities of users.

Message: Enter instructions that tell users how to respond to the first authentication challenge that they see when their traffic triggers the Authentication rule. The message displays in the Captive Portal Comfort Page. If you don't enter a message, the default Captive Portal Comfort Page displays (see Device > Response Pages).
The firewall displays the Captive Portal Comfort Page only for the first authentication challenge (factor), which you define in the Authentication tab of the Authentication Profile (see Device > Authentication Profile). For multi-factor authentication (MFA) challenges that you define in the Factors tab of the profile, the firewall displays the MFA Login Page.


Objects > Decryption Profile

Decryption profiles enable you to block and control specific aspects of the SSL forward proxy, SSL inbound inspection, and SSH traffic. After you create a decryption profile, you can then add that profile to a decryption policy; any traffic matched to the decryption policy will be enforced according to the profile settings.
You can also control the CAs that your firewall trusts. For more information, refer to Manage Default Trusted Certificate Authorities.
A default decryption profile is configured on the firewall, and is automatically included in new decryption policies (you cannot modify the default decryption profile). Click Add to create a new decryption profile, or select an existing profile to Clone or modify it.

What are you looking for? / See:
- Add a new decryption profile. Enable port mirroring for decrypted traffic. See: Decryption Profile General Settings
- Block and control SSL decrypted traffic. See: Settings to Control Decrypted SSL Traffic
- Block and control traffic that you have excluded from decryption (for example, traffic classified as health-and-medicine or financial-services). See: Settings to Control Traffic that is not Decrypted
- Block and control decrypted SSH traffic. See: Settings to Control Decrypted SSH Traffic

Decryption Profile General Settings

Name: Enter a profile name (up to 31 characters). This name appears in the list of decryption profiles when defining decryption policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this Decryption profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.


Decryption Mirroring Interface (PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls only): Select an Interface to use for decryption port mirroring. Before you can enable decryption port mirroring, you must obtain a Decryption Port Mirror license, install the license, and reboot the firewall.

Forwarded Only (PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls only): Select Forwarded Only if you want to mirror decrypted traffic only after Security policy enforcement. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS). If you clear this selection (the default setting), the firewall will mirror all decrypted traffic to the interface before security policy lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action.

Settings to Control Decrypted SSL Traffic

The following table describes the settings you can use to control SSL traffic that has been decrypted using either SSL Forward Proxy decryption or SSL Inbound Inspection. You can use these settings to limit or block SSL sessions based on criteria including the status of the external server certificate, the use of unsupported cipher suites or protocol versions, or the availability of system resources to process decryption.

SSL Forward Proxy Tab: Select options to limit or block SSL traffic decrypted using SSL Forward Proxy.

Server Certificate Validation: Select options to control server certificates for decrypted SSL traffic.

Block sessions with expired certificates: Terminate the SSL connection if the server certificate is expired. This will prevent a user from being able to accept an expired certificate and continuing with an SSL session.

Block sessions with untrusted issuers: Terminate the SSL session if the server certificate issuer is untrusted.

Block sessions with unknown certificate status: Terminate the SSL session if a server returns a certificate revocation status of unknown. Certificate revocation status indicates if trust for the certificate has been or has not been revoked.

Block sessions on the certificate status check timeout: Terminate the SSL session if the certificate status cannot be retrieved within the amount of time that the firewall is configured to stop waiting for a response from a certificate status service. You can configure the Certificate Status Timeout value when creating or modifying a certificate profile (Device > Certificate Management > Certificate Profile).

Restrict certificate extensions: Limits the certificate extensions used in the dynamic server certificate to key usage and extended key usage.


Unsupported Mode Checks: Select options to control unsupported SSL applications.

Block sessions with unsupported version: Terminate sessions if PAN-OS does not support the client hello message. PAN-OS supports SSLv3, TLS 1.0, TLS 1.1, and TLS 1.2.

Block sessions with unsupported cipher suites: Terminate the session if the cipher suite specified in the SSL handshake is not supported by PAN-OS.

Block sessions with client authentication: Terminate sessions with client authentication for SSL forward proxy traffic.

Failure Checks: Select the action to take if system resources are not available to process decryption.

Block sessions if resources not available: Terminate sessions if system resources are not available to process decryption.

Block sessions if HSM not available: Terminate sessions if a hardware security module (HSM) is not available to sign certificates.

For unsupported modes and failure modes, the session information is cached for 12 hours, so future sessions between the same host and server pair are not decrypted. Enable the options to block those sessions instead.

SSL Inbound Inspection Tab: Select options to limit or block SSL traffic decrypted using SSL Inbound Inspection.

Unsupported Mode Checks: Select options to control sessions if unsupported modes are detected in SSL traffic.

Block sessions with unsupported versions: Terminate sessions if PAN-OS does not support the client hello message. PAN-OS supports SSLv3, TLS 1.0, TLS 1.1, and TLS 1.2.

Block sessions with unsupported cipher suites: Terminate the session if the cipher suite used is not supported by PAN-OS.

Failure Checks: Select the action to take if system resources are not available.

Block sessions if resources not available: Terminate sessions if system resources are not available to process decryption.

Block sessions if HSM not available: Terminate sessions if a hardware security module (HSM) is not available to decrypt the session key.

SSL Protocol Settings Tab: Select the following settings to enforce protocol versions and cipher suites for SSL session traffic.

Protocol Versions: Enforce the use of minimum and maximum protocol versions for the SSL session.

Min Version: Set the minimum protocol version that can be used to establish the SSL connection.

Max Version: Set the maximum protocol version that can be used to establish the SSL connection. You can choose the option Max so that no maximum version is specified; in this case, protocol versions that are equivalent to or are a later version than the selected minimum version are supported.


Key Exchange Algorithms: Enforce the use of the selected key exchange algorithms for the SSL session. To implement Perfect Forward Secrecy (PFS) for SSL Forward Proxy decrypted traffic, you can select DHE to enable Diffie-Hellman key exchange based PFS or ECDHE to enable elliptic curve Diffie-Hellman based PFS.

Encryption Algorithms: Enforce the use of the selected encryption algorithms for the SSL session.

Authentication Algorithms: Enforce the use of the selected authentication algorithms for the SSL session.
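The following added Python model shows how the Server Certificate Validation options of the SSL Forward Proxy tab and the Protocol Versions and algorithm settings of the SSL Protocol Settings tab combine to allow or block a session. It is not Palo Alto Networks code; the cipher suite splitter, the algorithm spellings, the profile values and the sessions are constructed for the example.

```python
"""Evaluate a TLS session against the SSL Forward Proxy certificate checks
and the SSL Protocol Settings of a Decryption profile.

Added example, not Palo Alto Networks code. It models the documented options
(expired certificate, untrusted issuer, unknown revocation status, status
check timeout, unsupported version, Min/Max Version with Max meaning no
upper bound, allowed key exchange, encryption and authentication
algorithms). The cipher suite splitter, the algorithm spellings and every
profile and session value below are constructed for the example.
"""
from dataclasses import dataclass, field

# Protocol versions the guide lists as supported by PAN-OS 8.0, oldest first.
VERSIONS = ["sslv3", "tls1-0", "tls1-1", "tls1-2"]


@dataclass
class DecryptionProfile:
    block_expired: bool = True
    block_untrusted_issuer: bool = True
    block_unknown_status: bool = False
    block_status_timeout: bool = False
    block_unsupported_version: bool = True
    min_version: str = "sslv3"
    max_version: str = "max"               # "max" = no maximum version
    key_exchange: set = field(default_factory=lambda: {"RSA", "DHE", "ECDHE"})
    encryption: set = field(default_factory=lambda: {"3DES", "RC4", "AES128", "AES256"})
    authentication: set = field(default_factory=lambda: {"MD5", "SHA1", "SHA256", "SHA384"})


@dataclass
class Session:
    version: str                       # e.g. "tls1-2"
    cipher_suite: str                  # IANA-style name
    cert_expired: bool = False
    issuer_trusted: bool = True
    revocation_status: str = "good"    # good, revoked, unknown, timeout


def parse_cipher_suite(name):
    """Split e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 into
    ("ECDHE", "AES128", "SHA256"). Constructed helper, not a full IANA parser."""
    body = name[4:] if name.startswith("TLS_") else name
    kx_part, _, rest = body.partition("_WITH_")
    kx = kx_part.split("_")[0]                 # ECDHE_RSA -> ECDHE
    parts = rest.split("_")
    auth = "SHA1" if parts[-1] == "SHA" else parts[-1]
    enc_parts = parts[:-1]
    if enc_parts[-1] in ("CBC", "GCM"):         # drop the mode token
        enc_parts = enc_parts[:-1]
    enc = "".join(enc_parts).replace("3DESEDE", "3DES")
    return kx, enc, auth


def evaluate(profile, session):
    """Return the block reasons for a session; an empty list means it is allowed."""
    reasons = []
    if session.cert_expired and profile.block_expired:
        reasons.append("expired-certificate")
    if not session.issuer_trusted and profile.block_untrusted_issuer:
        reasons.append("untrusted-issuer")
    if session.revocation_status == "unknown" and profile.block_unknown_status:
        reasons.append("unknown-certificate-status")
    if session.revocation_status == "timeout" and profile.block_status_timeout:
        reasons.append("certificate-status-timeout")
    if session.version not in VERSIONS:
        if profile.block_unsupported_version:
            reasons.append("unsupported-version")
        return reasons                          # nothing more to compare
    v = VERSIONS.index(session.version)
    if v < VERSIONS.index(profile.min_version):
        reasons.append("below-min-version")
    if profile.max_version != "max" and v > VERSIONS.index(profile.max_version):
        reasons.append("above-max-version")
    kx, enc, auth = parse_cipher_suite(session.cipher_suite)
    if kx not in profile.key_exchange:
        reasons.append("key-exchange:" + kx)
    if enc not in profile.encryption:
        reasons.append("encryption:" + enc)
    if auth not in profile.authentication:
        reasons.append("authentication:" + auth)
    return reasons


# Constructed profiles: PERMISSIVE leaves every algorithm and version enabled;
# HARDENED requires TLS 1.2 and PFS (DHE/ECDHE) cipher suites.
PERMISSIVE = DecryptionProfile()
HARDENED = DecryptionProfile(block_unknown_status=True, min_version="tls1-2",
                             key_exchange={"DHE", "ECDHE"},
                             encryption={"AES128", "AES256"},
                             authentication={"SHA256", "SHA384"})
```

Note that a TLS 1.3 client hello falls under "unsupported version" with the version list the guide gives, so the unsupported-version block option decides whether such sessions are terminated or bypass decryption.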

Settings to Control Traffic that is not Decrypted

You can use the No Decryption tab to enable settings to block traffic that is matched to a decryption policy configured with the No Decrypt action (Policies > Decryption > Action). Use these options to control server certificates for the session, though the firewall does not decrypt and inspect the session traffic.

Block sessions with expired certificates: Terminate the SSL connection if the server certificate is expired. This will prevent a user from being able to accept an expired certificate and continuing with an SSL session.

Block sessions with untrusted issuers: Terminate the SSL session if the server certificate issuer is untrusted.

Settings to Control Decrypted SSH Traffic

The following table describes the settings you can use to control decrypted inbound and outbound SSH traffic. These settings allow you to limit or block SSH tunneled traffic based on criteria including the use of unsupported algorithms, the detection of SSH errors, or the availability of resources to process SSH Proxy decryption.

Unsupported Mode Checks: Use these options to control sessions if unsupported modes are detected in SSH traffic. The supported SSH version is SSH version 2.

Block sessions with unsupported versions: Terminate sessions if the client hello message is not supported by PAN-OS.

Block sessions with unsupported algorithms: Terminate sessions if the algorithm specified by the client or server is not supported by PAN-OS.


Failure Checks: Select actions to take if SSH application errors occur and if system resources are not available.

Block sessions on SSH errors: Terminate sessions if SSH errors occur.

Block sessions if resources not available: Terminate sessions if system resources are not available to process decryption.


Objects > Schedules

By default, Security policy rules are always in effect (all dates and times). To limit a Security policy rule to specific times, you can define schedules, and then apply them to the appropriate policies. For each schedule, you can specify a fixed date and time range or a recurring daily or weekly schedule. To apply schedules to security policies, refer to Policies > Security.

When a Security policy rule is invoked by a defined schedule, only new sessions are affected by the applied Security policy rule. Existing sessions are not affected by the scheduled policy.

Name: Enter a schedule name (up to 31 characters). This name appears in the schedule list when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared: Select this option if you want the schedule to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the schedule will be available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the schedule will be available only to the Device Group selected in the Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of this schedule in device groups that inherit the schedule. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the schedule.

Recurrence: Select the type of schedule (Daily, Weekly, or Non-Recurring).

Daily: Click Add and specify a Start Time and End Time in 24-hour format (HH:MM).

Weekly: Click Add, select a Day of Week, and specify the Start Time and End Time in 24-hour format (HH:MM).

Non-recurring: Click Add and specify a Start Date, Start Time, End Date, and End Time.



Network
Network > Virtual Wires
Network > Interfaces
Network > Virtual Routers
Network > Zones
Network > VLANs
Network > IPSec Tunnels
Network > DHCP
Network > DNS Proxy
Network > QoS
Network > LLDP
Network > Network Profiles


Network > Virtual Wires

Select Network > Virtual Wires to define virtual wires after you have specified two virtual wire interfaces on the firewall (Network > Interfaces).

Virtual Wire Name: Enter a virtual wire name (up to 31 characters). This name appears in the list of virtual wires when configuring interfaces. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Interfaces: Select two Ethernet interfaces from the displayed list for the virtual wire configuration. Interfaces are listed here only if they have the virtual wire interface type and have not been assigned to another virtual wire.
For information on virtual wire interfaces, see Virtual Wire Interface.

Tag Allowed: Enter the tag number (0-4094) or range of tag numbers (tag1-tag2) for the traffic allowed on the virtual wire. A tag value of zero indicates untagged traffic (the default). Multiple tags or ranges must be separated by commas. Traffic that has an excluded tag value is dropped.
Tag values are not changed on incoming or outgoing packets.

When utilizing virtual wire subinterfaces, the Tag Allowed list will cause all traffic with the listed tags to be classified to the parent virtual wire. Virtual wire subinterfaces must utilize tags that do not exist in the parent's Tag Allowed list.

Multicast Firewalling: Select if you want to be able to apply security rules to multicast traffic. If this setting is not enabled, multicast traffic is forwarded across the virtual wire.

Link State Pass Through: Select if you want to bring down the other interface in a virtual wire pair when a down link state is detected. If you do not select or you disable this option, link status is not propagated across the virtual wire.
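The Tag Allowed syntax and the subinterface rule above can be checked before commit with the following added Python helper. It is not Palo Alto Networks code; the frame classification model and the interface names are constructed for the example.

```python
"""Parse a virtual wire Tag Allowed list and classify tagged frames.

Added example, not Palo Alto Networks code. It implements the rules the
guide states: tags 0-4094, single tags or tag1-tag2 ranges separated by
commas, 0 meaning untagged traffic, excluded tags dropped, listed tags
classified to the parent virtual wire, and subinterface tags that must not
appear in the parent's list. The interface names used are constructed.
"""

TAG_MIN, TAG_MAX = 0, 4094


def parse_tag_allowed(text):
    """Return the set of tag values covered by a string such as '0,10,100-110'.
    Raises ValueError for empty, non-numeric, reversed or out-of-range entries."""
    allowed = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in Tag Allowed list")
        lo, sep, hi = item.partition("-")
        try:
            start = int(lo)
            end = int(hi) if sep else start
        except ValueError:
            raise ValueError("non-numeric tag entry: " + item) from None
        if not (TAG_MIN <= start <= end <= TAG_MAX):
            raise ValueError("tag entry %s is reversed or outside %d-%d"
                             % (item, TAG_MIN, TAG_MAX))
        allowed.update(range(start, end + 1))
    return allowed


def is_valid_tag_allowed(text):
    """True when the Tag Allowed string parses cleanly."""
    try:
        parse_tag_allowed(text)
        return True
    except ValueError:
        return False


def validate_subinterfaces(tag_allowed, subinterfaces):
    """subinterfaces: {name: tag}. Returns the names whose tag collides with the
    parent's Tag Allowed list; subinterface tags themselves must be 1-4094."""
    conflicts = []
    for name, tag in subinterfaces.items():
        if not 1 <= tag <= TAG_MAX:
            raise ValueError("%s: subinterface tag %d outside 1-%d" % (name, tag, TAG_MAX))
        if tag in tag_allowed:
            conflicts.append(name)
    return conflicts


def classify_frame(tag_allowed, subinterfaces, frame_tag):
    """Where a frame with this 802.1Q tag (0 = untagged) lands: the parent
    virtual wire, a named subinterface, or 'dropped' when no entry covers it
    (constructed model of the behaviour the guide describes)."""
    if frame_tag in tag_allowed:
        return "parent"
    for name, tag in subinterfaces.items():
        if tag == frame_tag:
            return name
    return "dropped"
```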


Network > Interfaces

Firewall interfaces (ports) enable a firewall to connect with other network devices and with other interfaces within the firewall. The following topics describe the interface types and how to configure them:

What are you looking for? / See
- What are firewall interfaces? See: Firewall Interfaces Overview
- I am new to firewall interfaces; what are the components of a firewall interface? See: Common Building Blocks for Firewall Interfaces; Common Building Blocks for PA-7000 Series Firewall Interfaces
- I already understand firewall interfaces; how can I find information on configuring a specific interface type? See:
  Physical Interfaces (Ethernet):
  - Layer 2 Interface
  - Layer 2 Subinterface
  - Layer 3 Interface
  - Layer 3 Subinterface
  - Virtual Wire Interface
  - Virtual Wire Subinterface
  - Tap Interface
  - Log Card Interface
  - Log Card Subinterface
  - Decrypt Mirror Interface
  - Aggregate Ethernet (AE) Interface Group
  - Aggregate Ethernet (AE) Interface
  - HA Interface
  Logical Interfaces:
  - Network > Interfaces > VLAN
  - Network > Interfaces > Loopback
  - Network > Interfaces > Tunnel
- Looking for more? See: Networking


Firewall Interfaces Overview

The interface configurations of firewall data ports enable traffic to enter and exit the firewall. A Palo Alto Networks firewall can operate in multiple deployments simultaneously because you can configure the interfaces to support different deployments. For example, you can configure the Ethernet interfaces on a firewall for virtual wire, Layer 2, Layer 3, and tap mode deployments. The interfaces that the firewall supports are:
- Physical Interfaces: The firewall supports two kinds of Ethernet, copper and fiber optic, that can send and receive traffic at different transmission rates. You can configure Ethernet interfaces as the following types: tap, high availability (HA), log card (interface and subinterface), decrypt mirror, virtual wire (interface and subinterface), Layer 2 (interface and subinterface), Layer 3 (interface and subinterface), and aggregate Ethernet. The available interface types and transmission speeds vary by hardware model.
- Logical Interfaces: These include virtual local area network (VLAN) interfaces, loopback interfaces, and tunnel interfaces. You must set up the physical interface before defining a VLAN or a tunnel interface.

Common Building Blocks for Firewall Interfaces

Select Network > Interfaces to display and configure the components that are common to most interface types.

For a description of components that are unique or different when you configure interfaces on a PA-7000 Series firewall, or when you use Panorama to configure interfaces on any firewall, see Common Building Blocks for PA-7000 Series Firewall Interfaces.

Interface (Interface Name): The interface name is predefined and you cannot change it. However, you can append a numeric suffix for subinterfaces, aggregate interfaces, VLAN interfaces, loopback interfaces, and tunnel interfaces.

Interface Type: For Ethernet interfaces (Network > Interfaces > Ethernet), you can select the interface type:
- Tap
- HA
- Decrypt Mirror (PA-7000 Series, PA-5000 Series, and PA-3000 Series firewalls only)
- Virtual Wire
- Layer 2
- Layer 3
- Log Card (PA-7000 Series firewall only)
- Aggregate Ethernet

Management Profile: Select a Management Profile (Network > Interfaces > <if-config> > Advanced > Other Info) that defines the protocols (such as SSH, Telnet, and HTTP) you can use to manage the firewall over this interface.


Firewall Interface Building Blocks (continued)

  Link State
      For Ethernet interfaces, Link State indicates whether the interface is currently accessible and can receive traffic over the network:
        - Green: configured and up
        - Red: configured but down or disabled
        - Gray: not configured
      Hover over the link state to display a tooltip that indicates the link speed and duplex settings for that interface.

  IP Address
      (Optional) Configure the IPv4 or IPv6 address of the Ethernet, VLAN, loopback, or tunnel interface. For an IPv4 address, you can also select the addressing mode (Type) for the interface: Static, DHCP Client, or PPPoE.

  Virtual Router
      Assign a virtual router to the interface or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.

  Tag (Subinterface only)
      Enter the VLAN tag (1-4,094) for the subinterface.

  VLAN
      Select Network > Interfaces > VLAN and modify an existing VLAN or Add a new one (see Network > VLANs). Select None to remove the current VLAN assignment from the interface. To enable switching between Layer 2 interfaces, or to enable routing through a VLAN interface, you must configure a VLAN object.

  Virtual System
      If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.

  Security Zone
      Select a Security Zone (Network > Interfaces > <if-config> > Config) for the interface, or select Zone to define a new one. Select None to remove the current zone assignment from the interface.

  Features
      For Ethernet interfaces, this column indicates whether the following features are enabled:
        - DHCP Client
        - DNS Proxy
        - GlobalProtect gateway enabled
        - Link Aggregation Control Protocol (LACP)
        - Link Layer Discovery Protocol (LLDP)
        - NDP Monitor
        - NetFlow profile
        - Quality of Service (QoS) profile

  Comment
      A description of the interface function or purpose.

Common Building Blocks for PA-7000 Series Firewall Interfaces

The following table describes the components of the Network > Interfaces > Ethernet page that are unique or different when you configure interfaces on a PA-7000 Series firewall, or when you use Panorama to configure interfaces on any firewall. Click Add Interface to create a new interface or select an existing interface (ethernet1/1, for example) to edit it.


On PA-7000 Series firewalls, you must configure a Log Card Interface on one data port.

PA-7000 Series Firewall Interface Building Blocks

  Slot
      Select the slot number (1-12) of the interface. Only PA-7000 Series firewalls have multiple slots. If you use Panorama to configure an interface for any other firewall model, select Slot 1.

  Interface (Interface Name)
      Select the name of an interface that is associated with the selected Slot.

Layer 2 Interface

Network > Interfaces > Ethernet

Select Network > Interfaces > Ethernet to configure a Layer 2 interface. Click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.

Layer 2 Interface Settings

  Configured in: Ethernet Interface

  Interface Name
      The interface name is predefined and you cannot change it.
  Comment
      Enter an optional description for the interface.
  Interface Type
      Select Layer2.
  Netflow Profile
      If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.

  Configured in: Ethernet Interface > Config

  VLAN
      To enable switching between Layer 2 interfaces or to enable routing through a VLAN interface, select an existing VLAN or click VLAN to define a new VLAN (see Network > VLANs). Select None to remove the current VLAN assignment from the interface.
  Virtual System
      If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system for the interface or click Virtual System to define a new vsys.
  Security Zone
      Select a Security Zone for the interface or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

  Configured in: Ethernet Interface > Advanced

  Link Speed
      Select the interface speed in Mbps (10, 100, or 1000) or select auto to have the firewall automatically determine the speed.
  Link Duplex
      Select whether the interface transmission mode is full duplex (full), half duplex (half), or negotiated automatically (auto).
  Link State
      Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).


Layer 2 Interface Settings (continued)

  Configured in: Ethernet Interface > Advanced > LLDP

  Enable LLDP
      Select to enable Link Layer Discovery Protocol (LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities.
  Profile
      If LLDP is enabled, select an LLDP profile to assign to the interface or click LLDP Profile to create a new profile (see Network > Network Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.
  Enable in HA Passive State
      If LLDP is enabled, select to allow an HA passive firewall to pre-negotiate LLDP with its peer before the firewall becomes active.

Layer 2 Subinterface

Network > Interfaces > Ethernet

For each Ethernet port configured as a physical Layer 2 interface, you can define an additional logical Layer 2 interface (subinterface) for each VLAN tag assigned to the traffic that the port receives. To enable switching between Layer 2 subinterfaces, assign the same VLAN object to the subinterfaces.
To configure a Layer 2 subinterface, select the row of that physical Interface, click Add Subinterface, and specify the following information.

Layer 2 Subinterface Settings

  Interface Name
      The read-only Interface Name displays the name of the physical interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.
  Comment
      Enter an optional description for the subinterface.
  Tag
      Enter the VLAN tag (1-4,094) for the subinterface.
  Netflow Profile
      If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the subinterface.
  VLAN
      To enable switching between Layer 2 interfaces or to enable routing through a VLAN interface, select a VLAN, or click VLAN to define a new VLAN (see Network > VLANs). Select None to remove the current VLAN assignment from the subinterface.
  Virtual System
      If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.
  Security Zone
      Select a security zone for the subinterface or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.
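
The Tag field above is the 802.1Q VLAN ID the firewall reads from each incoming frame to pick the subinterface. The following added example (not part of the PAN-OS guide or any Palo Alto Networks code) parses a constructed Ethernet frame, maps its VLAN ID to a subinterface on the same physical port, enforces the tag and suffix ranges the page states, and shows why two subinterfaces forward to each other only when they share a VLAN object. Interface names, VLAN object names, zones, and frame bytes are all assumptions built for the example.

```python
"""Map an 802.1Q-tagged frame to a PAN-OS style Layer 2 subinterface."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100


@dataclass(frozen=True)
class Subinterface:
    parent: str   # physical port, e.g. "ethernet1/1" (assumed name)
    suffix: int   # numeric suffix, 1-9,999 per the guide
    tag: int      # VLAN tag, 1-4,094 per the guide
    vlan: str     # VLAN object; defines the Layer 2 switching domain
    zone: str

    @property
    def name(self) -> str:
        return f"{self.parent}.{self.suffix}"


def validate(sub: Subinterface) -> None:
    """Reject values outside the ranges the web interface accepts."""
    if not 1 <= sub.suffix <= 9999:
        raise ValueError(f"{sub.name}: suffix must be 1-9,999")
    if not 1 <= sub.tag <= 4094:
        raise ValueError(f"{sub.name}: VLAN tag must be 1-4,094")


def parse_vlan_tag(frame: bytes) -> Tuple[Optional[int], int]:
    """Return (vlan_id, inner ethertype); vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner          # low 12 bits of the TCI are the VID


def classify(port: str, frame: bytes, subinterfaces) -> Optional[str]:
    """Subinterface that receives the frame; base port if untagged; None if no match."""
    vid, _ = parse_vlan_tag(frame)
    if vid in (None, 0):                # untagged or priority-tagged (VID 0)
        return port
    for sub in subinterfaces:
        if sub.parent == port and sub.tag == vid:
            return sub.name
    return None                         # tagged for a VLAN with no subinterface


def can_switch(a: Subinterface, b: Subinterface) -> bool:
    """Layer 2 forwarding between subinterfaces requires the same VLAN object."""
    return a.vlan == b.vlan


def build_frame(vid: Optional[int], dst: bytes = b"\xff" * 6,
                src: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Constructed sample frame: optional 802.1Q tag, IPv4 ethertype, dummy payload."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, 0x0800)
    else:
        hdr += struct.pack("!H", 0x0800)
    return hdr + b"\x00" * 46


# Assumed configuration: two ports share VLAN object "vlan-users"; a third subinterface is separate.
SUBS = [
    Subinterface("ethernet1/1", 10, 10, "vlan-users", "trust"),
    Subinterface("ethernet1/2", 10, 10, "vlan-users", "trust"),
    Subinterface("ethernet1/1", 20, 20, "vlan-servers", "dmz"),
]
for _s in SUBS:
    validate(_s)

if __name__ == "__main__":
    print(classify("ethernet1/1", build_frame(10), SUBS))     # ethernet1/1.10
    print(classify("ethernet1/1", build_frame(None), SUBS))   # ethernet1/1
    print(can_switch(SUBS[0], SUBS[1]), can_switch(SUBS[0], SUBS[2]))   # True False
```

A frame tagged for a VLAN that has no subinterface on the ingress port returns None and is dropped, which is the behaviour to expect when a trunk carries VLANs the firewall has not been told about.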

Layer 3 Interface

Network > Interfaces > Ethernet


To configure a Layer 3 interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.

Layer 3 Interface Settings

  Configured in: Ethernet Interface

  Interface Name
      The interface name is predefined and you cannot change it.
  Comment
      Enter an optional description for the interface.
  Interface Type
      Select Layer3.
  Netflow Profile
      If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.

  Configured in: Ethernet Interface > Config

  Virtual Router
      Select a virtual router, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.
  Virtual System
      If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.
  Security Zone
      Select a security zone for the interface or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

  Configured in: Ethernet Interface > Advanced

  Link Speed
      Select the interface speed in Mbps (10, 100, or 1000) or select auto.
  Link Duplex
      Select whether the interface transmission mode is full duplex (full), half duplex (half), or negotiated automatically (auto).
  Link State
      Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).


Layer 3 Interface Settings (continued)

  Configured in: Ethernet Interface > Advanced > Other Info

  Management Profile
      Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.
  MTU
      Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.
  Adjust TCP MSS
      Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
        - IPv4 MSS Adjustment Size: range is 40-300; default is 40.
        - IPv6 MSS Adjustment Size: range is 60-300; default is 60.
      Use these settings when a tunnel through the network requires a smaller MSS. The firewall rewrites the MSS value that a host advertises in its TCP SYN so that a full-size segment plus its headers fits within the MTU without fragmentation. Encapsulation adds length to headers, so it is helpful to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.
  Untagged Subinterface
      Specifies that all subinterfaces belonging to this Layer 3 interface are untagged. PAN-OS selects an untagged subinterface as the ingress interface based on the packet destination. If the destination is the IP address of an untagged subinterface, it maps to the subinterface. This also means that packets in the reverse direction must have their source address translated to the IP address of the untagged subinterface. A byproduct of this classification mechanism is that all multicast and broadcast packets are assigned to the base interface, not any subinterfaces. Because Open Shortest Path First (OSPF) uses multicast, the firewall does not support it on untagged subinterfaces.

  Configured in: Ethernet Interface > Advanced > ARP Entries

  IP Address / MAC Address
      To add one or more static Address Resolution Protocol (ARP) entries, click Add and enter an IP address and its associated hardware (MAC) address. To delete an entry, select the entry and click Delete. Static ARP entries reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses.

  Configured in: Ethernet Interface > Advanced > ND Entries

  IPv6 Address / MAC Address
      To provide neighbor information for Neighbor Discovery Protocol (NDP), click Add and enter the IP address and MAC address of the neighbor.

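
The MTU and Adjust TCP MSS rows describe an arithmetic relationship (MSS = MTU minus the adjustment size) and an action (the SYN's MSS option is rewritten). The added example below, which is not from the PAN-OS guide or Palo Alto Networks, reimplements both on a constructed TCP SYN header so the effect is visible: it validates the ranges the page lists, parses the TCP option list, and clamps an oversized MSS. The IPv4/IPv6 family names and the 100-byte tunnel allowance are assumptions for illustration; checksum recomputation is left out.

```python
"""Clamp the TCP MSS option the way the Adjust TCP MSS setting does."""
import struct
from typing import Optional, Tuple

MSS_KIND = 2
DEFAULT_ADJUST = {"ipv4": 40, "ipv6": 60}   # defaults (and minimums) stated in the guide


def effective_mss(mtu: int, family: str, adjust: Optional[int] = None) -> int:
    """MSS the firewall enforces on this interface: MTU minus the MSS Adjustment Size."""
    if not 576 <= mtu <= 9192:
        raise ValueError("MTU must be 576-9,192 bytes")
    lo = DEFAULT_ADJUST[family]
    adj = lo if adjust is None else adjust
    if not lo <= adj <= 300:
        raise ValueError(f"{family} MSS Adjustment Size must be {lo}-300")
    return mtu - adj


def clamp_mss(tcp_header: bytes, max_mss: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite an oversized MSS option. Returns (new header, MSS the host advertised or None)."""
    data_offset = (tcp_header[12] >> 4) * 4
    hdr = bytearray(tcp_header[:data_offset])
    i, advertised = 20, None
    while i < data_offset:
        kind = hdr[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # No-Operation padding
            i += 1
            continue
        length = hdr[i + 1]
        if length < 2:                      # malformed option; stop rather than loop forever
            break
        if kind == MSS_KIND and length == 4:
            advertised = struct.unpack("!H", hdr[i + 2:i + 4])[0]
            if advertised > max_mss:
                hdr[i + 2:i + 4] = struct.pack("!H", max_mss)
        i += length
    # A real device recomputes the TCP checksum here; omitted in this model.
    return bytes(hdr) + tcp_header[data_offset:], advertised


def build_syn(mss: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Constructed 24-byte TCP SYN header whose only option is MSS."""
    offset_and_flags = (6 << 12) | 0x002      # data offset 6 words, SYN flag set
    fixed = struct.pack("!HHIIHHHH", sport, dport, 1, 0, offset_and_flags, 65535, 0, 0)
    return fixed + struct.pack("!BBH", MSS_KIND, 4, mss)


if __name__ == "__main__":
    # Hosts behind a 1,500-byte interface advertise MSS 1460. The path carries a tunnel
    # that adds header bytes, so the interface gets an IPv4 adjustment of 100 -> MSS 1400.
    limit = effective_mss(1500, "ipv4", adjust=100)
    rewritten, advertised = clamp_mss(build_syn(1460), limit)
    print(advertised, "->", clamp_mss(rewritten, limit)[1])   # 1460 -> 1400
```

With the default adjustment (40 for IPv4) a 1,500-byte MTU yields MSS 1460, exactly what an untouched host advertises, so the setting only changes traffic when you raise the adjustment to cover extra encapsulation.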

Layer 3 Interface Settings (continued)

  Configured in: Ethernet Interface > Advanced > NDP Proxy

  Enable NDP Proxy
      Select to enable the Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface to indicate it will act as proxy by responding to packets destined for those addresses.
      It is recommended that you select Enable NDP Proxy if you use Network Prefix Translation IPv6 (NPTv6).
      If Enable NDP Proxy is selected, you can filter numerous Address entries by entering a search string and clicking Apply Filter (the gray arrow).
  Address
      Click Add to enter one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as the NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.
      If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend that you also add the IPv6 neighbors of the firewall and then select Negate to instruct the firewall not to respond to these IP addresses.
  Negate
      Select Negate for an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.

  Configured in: Ethernet Interface > Advanced > LLDP

  Enable LLDP
      Select to enable Link Layer Discovery Protocol (LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities.
  LLDP Profile
      If LLDP is enabled, select an LLDP profile to assign to the interface or click LLDP Profile to create a new profile (see Network > Network Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.
  Enable in HA Passive State
      If LLDP is enabled, select to allow the firewall as an HA passive firewall to pre-negotiate LLDP with its peer before the firewall becomes active.

  Configured in: Ethernet Interface > IPv4

  Type
      Select the method for assigning an IPv4 address type to the interface:
        - Static: You must manually specify the IP address.
        - PPPoE: The firewall will use the interface for Point-to-Point Protocol over Ethernet (PPPoE).
        - DHCP Client: Enables the interface to act as a Dynamic Host Configuration Protocol (DHCP) client and receive a dynamically assigned IP address.
      Firewalls that are in active/active high availability (HA) mode do not support PPPoE or DHCP Client.
      Based on your IP address method selection, the options displayed in the tab will vary.
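
The NDP Proxy rows above state two rules that are easy to get wrong when the Address list mixes subnets with Negate entries: order does not matter, and a negated entry prevents the proxy for that address even if a broader positive entry covers it. The added example below (not from the PAN-OS guide or Palo Alto Networks) models that decision for a constructed NPTv6 scenario, in which the firewall must answer solicitations for a whole external /64 except for its real on-link neighbors. Entries, prefixes, and target addresses are assumptions built for the example.

```python
"""Decide whether the firewall answers a Neighbor Solicitation under NDP Proxy."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProxyEntry:
    """One row of the NDP Proxy Address table: subnet, range ('lo-hi'), or single address."""
    spec: str
    negate: bool = False

    def matches(self, addr: ipaddress.IPv6Address) -> bool:
        if "-" in self.spec:                                # IP range "lo-hi"
            lo, hi = (ipaddress.IPv6Address(p.strip()) for p in self.spec.split("-", 1))
            return lo <= addr <= hi
        return addr in ipaddress.IPv6Network(self.spec, strict=False)   # subnet or /128


def should_proxy(target: str, entries: Iterable[ProxyEntry]) -> bool:
    """True if the firewall should send an NA with its own MAC for this solicited target."""
    addr = ipaddress.IPv6Address(target)
    hits = [e for e in entries if e.matches(addr)]
    if any(e.negate for e in hits):         # Negate wins regardless of list order
        return False
    return any(not e.negate for e in hits)


def proxied_targets(targets: Iterable[str], entries: Iterable[ProxyEntry]) -> List[str]:
    """Filter a batch of solicited targets down to those the proxy will answer."""
    entries = list(entries)
    return [t for t in targets if should_proxy(t, entries)]


# Constructed scenario: NPTv6 translates an inside prefix to 2001:db8:1::/64, so the
# firewall proxies the whole /64 but must stay silent for its genuine neighbors.
ENTRIES = [
    ProxyEntry("2001:db8:1::/64"),
    ProxyEntry("2001:db8:1::1", negate=True),                   # upstream router
    ProxyEntry("2001:db8:1::f0-2001:db8:1::ff", negate=True),   # other hosts on the link
]

if __name__ == "__main__":
    for t in ("2001:db8:1::42", "2001:db8:1::1", "2001:db8:1::f5", "2001:db8:2::1"):
        print(t, should_proxy(t, ENTRIES))
```

Forgetting the negated neighbor entries makes the firewall answer solicitations for the real router and hosts on the segment, which is the same effect an attacker aims for with ND spoofing; this is why the guide recommends adding the neighbors with Negate whenever a subnet is proxied.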


Layer 3 Interface Settings (continued)

  IPv4 address Type = Static

  Configured in: Ethernet Interface > IPv4

  IP
      Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface.
        - Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
        - Select an existing address object of type IP netmask.
        - Click Address to create an address object of type IP netmask.
      You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your firewall uses determines the maximum number of IP addresses.
      To delete an IP address, select the address and click Delete.

  IPv4 address Type = PPPoE

  Configured in: Ethernet Interface > IPv4 > PPPoE > General

  Enable
      Select to activate the interface for PPPoE termination.
  Username
      Enter the username for the point-to-point connection.
  Password / Confirm Password
      Enter and then confirm the password for the username.
  Show PPPoE Client Runtime Info
      (Optional) Opens a dialog that displays parameters that the firewall negotiated with the Internet service provider (ISP) to establish a connection. The specific information depends on the ISP.


Layer 3 Interface Settings (continued)

  Configured in: Ethernet Interface > IPv4 > PPPoE > Advanced

  Authentication
      Select the authentication protocol for PPPoE communications: CHAP (Challenge-Handshake Authentication Protocol), PAP (Password Authentication Protocol), or the default Auto (the firewall determines the protocol). Select None to remove the current protocol assignment from the interface. PAP sends the password in cleartext on the link; prefer CHAP when the ISP supports it.
  Static Address
      Perform one of the following steps to specify the IP address that the Internet service provider assigned (no default value):
        - Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
        - Select an existing address object of type IP netmask.
        - Click Address to create an address object of type IP netmask.
      Select None to remove the current address assignment from the interface.
  Automatically create default route pointing to peer
      Select to automatically create a default route that points to the PPPoE peer when connected.
  Default Route Metric
      (Optional) For the route between the firewall and Internet service provider, enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535). The priority level increases as the numeric value decreases.
  Access Concentrator
      (Optional) Enter the name of the access concentrator on the Internet service provider end to which the firewall connects (no default).
  Service
      (Optional) Enter the service string (no default).
  Passive
      Select to use passive mode. In passive mode, a PPPoE endpoint waits for the access concentrator to send the first frame.

  IPv4 address Type = DHCP

  Configured in: Ethernet Interface > IPv4

  Enable
      Select to activate the DHCP client on the interface.
  Automatically create default route pointing to default gateway provided by server
      Select to automatically create a default route that points to the default gateway that the DHCP server provides.
  Default Route Metric
      For the route between the firewall and DHCP server, optionally enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535; no default). The priority level increases as the numeric value decreases.
  Show DHCP Client Runtime Info
      Select to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).


Layer 3 Interface Settings (continued)

  Configured in: Ethernet Interface > IPv6

  Enable IPv6 on the interface
      Select to enable IPv6 addressing on this interface.
  Interface ID
      Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.
  Address
      Click Add and configure the following parameters for each IPv6 address:
        - Address: Enter an IPv6 address and prefix length (for example, 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
        - Enable address on interface: Select to enable the IPv6 address on the interface.
        - Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
        - Anycast: Select to include routing through the nearest node.
        - Send Router Advertisement: Select to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details on RA, see Enable Router Advertisement.
      The remaining fields apply only if you enable RA.
        - Valid Lifetime: The length of time, in seconds, that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime (default is 2,592,000).
        - Preferred Lifetime: The length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until the Valid Lifetime expires (default is 604,800).
        - On-link: Select if systems that have addresses within the prefix are reachable without a router.
        - Autonomous: Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.
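
The Interface ID row says the firewall derives an EUI-64 from the interface MAC when the field is blank, and the Address row combines a /64 prefix with that ID when Use interface ID as host portion is set. The added example below (not from the PAN-OS guide or Palo Alto Networks) performs that derivation (flip the universal/local bit, insert FF:FE between the OUI and the device half), composes the address, and reverses it, which is the check an analyst uses to recover a MAC from an EUI-64 address seen in logs. The MAC and prefix values are assumptions built for the example; the page's own sample ID 00:26:08:FF:FE:DE:4E:29 shows the FF:FE filler.

```python
"""EUI-64 interface IDs and SLAAC-style address composition."""
import ipaddress
from typing import Optional


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets")
    first = octets[0] ^ 0x02                       # flip the universal/local bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def format_iid(iid: bytes) -> str:
    """Render the ID in the colon-separated hex form the Interface ID field uses."""
    return ":".join(f"{b:02X}" for b in iid)


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Prefix (must be /64) plus the 64-bit interface ID as the host portion."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("address autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the low 64 bits are a modified EUI-64, otherwise None."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def check_lifetimes(valid: int, preferred: int) -> bool:
    """The Valid Lifetime must equal or exceed the Preferred Lifetime."""
    if valid < 0 or preferred < 0:
        raise ValueError("lifetimes are non-negative seconds")
    return preferred <= valid


if __name__ == "__main__":
    iid = eui64_from_mac("00:26:08:de:4e:29")             # assumed interface MAC
    print(format_iid(iid))                                # 02:26:08:FF:FE:DE:4E:29
    addr = slaac_address("2001:400:f00::/64", iid)
    print(addr, mac_from_address(str(addr)))
    print(check_lifetimes(2_592_000, 604_800))            # defaults from the guide: True
```

Because the MAC is recoverable from an EUI-64 address, hosts typically use randomized temporary addresses instead; for a firewall interface the stable, predictable ID is usually what you want, but it is worth knowing that the address reveals the hardware vendor prefix.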


Layer 3 Interface Settings (continued)

  Configured in: Ethernet Interface > IPv6 > Address Resolution

  Enable Duplicate Address Detection
      Select to enable duplicate address detection (DAD), then configure the other fields in this section.
  DAD Attempts
      Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).
  Reachable Time
      Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 10-36,000; default is 30).
  NS Interval (neighbor solicitation interval)
      Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).
  Enable NDP Monitoring
      Select to enable Neighbor Discovery Protocol (NDP) monitoring. When enabled, you can select NDP Monitor (in the Features column) and view information about a neighbor that the firewall discovered, such as the IPv6 address, the corresponding MAC address, and the User-ID (on a best-case basis).


Layer 3 Interface Settings (continued)

  Configured in: Ethernet Interface > IPv6 > Router Advertisement

  Enable Router Advertisement
      To provide stateless address autoconfiguration (SLAAC) on IPv6 interfaces, select and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
      RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
      This is a global setting for the interface. If you want to set RA options for individual IP addresses, click Add in the IP address table and configure the Address. If you set RA options for any IP address, you must select the Enable Router Advertisement option for the interface.
  Min Interval (sec)
      Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
  Max Interval (sec)
      Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
  Hop Limit
      Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.
  Link MTU
      Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).
  Reachable Time (ms)
      Specify the reachable time (in milliseconds) that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).
  Retrans Time (ms)
      Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).
  Router Lifetime (sec)
      Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
  Router Preference
      If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.
  Managed Configuration
      Select to indicate to the client that addresses are available via DHCPv6.


Layer 3 Interface Settings (continued)

  Configured in: Ethernet Interface > IPv6 > Router Advertisement (continued)

  Consistency Check
      Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd. A rogue or misconfigured router on the segment shows up here, so review these entries when clients report an unexpected IPv6 default gateway or prefix.
  Other Configuration
      Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.


Layer 3 Interface Settings (continued)

  Configured in: Ethernet Interface > IPv6 > DNS Support

  Include DNS information in Router Advertisement
      Select to enable the firewall to send DNS information in NDP router advertisement (RA) messages from this IPv6 Ethernet interface. The other DNS Support fields in this table are visible only after you select this option.
  Server
      Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
      You can configure a maximum of eight RDNS servers that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which then uses those addresses in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.
  Lifetime
      Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
  Suffix
      Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
      A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name quality without a suffix, the router appends a period and the first DNS suffix from the DNS search list to that name and then transmits the DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the router is for the fully qualified domain name quality.company.com.
      If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all suffixes on the list.
      Configure the firewall with the suffixes you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
      You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which uses those suffixes in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes or Delete a suffix from the list when you no longer need it.
  Lifetime
      Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS Search List (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
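
The Router Advertisement and DNS Support rows above map one-to-one onto fields of the ICMPv6 RA message (RFC 4861), its Prefix Information option, and the RDNSS and DNSSL options (RFC 8106). The added example below, which is not from the PAN-OS guide or Palo Alto Networks, encodes those bytes from the page's settings and enforces the relationships the page states (Preferred Lifetime not above Valid Lifetime, Min Interval below Max Interval, DNS lifetime between Max Interval and twice Max Interval), plus the RFC 4861 rule that the minimum interval is at most 0.75 times the maximum. Prefix, server, and suffix values are constructed; the ICMPv6 checksum is left to the sending stack because it needs the real source and destination addresses.

```python
"""Encode an ICMPv6 Router Advertisement with Prefix, RDNSS and DNSSL options."""
import ipaddress
import struct
from typing import Iterable, Sequence

PREF_BITS = {"high": 0b01, "medium": 0b00, "low": 0b11}   # RFC 4191 Prf field


def _pad8(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 8)


def dns_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def prefix_option(prefix: str, valid: int, preferred: int,
                  on_link: bool = True, autonomous: bool = True) -> bytes:
    """Prefix Information option (type 3, length 4) for one advertised address."""
    if preferred > valid:
        raise ValueError("Preferred Lifetime must not exceed Valid Lifetime")
    net = ipaddress.IPv6Network(prefix, strict=False)
    flags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
    head = struct.pack("!BBBBIII", 3, 4, net.prefixlen, flags, valid, preferred, 0)
    return head + net.network_address.packed


def rdnss_option(servers: Sequence[str], lifetime: int) -> bytes:
    """RDNSS option (type 25); the guide allows 1-8 servers, sent in list order."""
    if not 1 <= len(servers) <= 8:
        raise ValueError("1-8 RDNSS servers")
    body = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    return struct.pack("!BBHI", 25, 1 + 2 * len(servers), 0, lifetime) + body


def dnssl_option(suffixes: Sequence[str], lifetime: int) -> bytes:
    """DNSSL option (type 31); names are zero-padded to a multiple of 8 octets."""
    if not 1 <= len(suffixes) <= 8:
        raise ValueError("1-8 DNS suffixes")
    names = _pad8(b"".join(dns_name(s) for s in suffixes))
    return struct.pack("!BBHI", 31, 1 + len(names) // 8, 0, lifetime) + names


def dns_lifetime_ok(lifetime: int, max_interval: int) -> bool:
    """Page rule: DNS lifetime lies between Max Interval and twice Max Interval."""
    return max_interval <= lifetime <= 2 * max_interval


def router_advertisement(*, hop_limit: int = 64, managed: bool = False, other: bool = False,
                         preference: str = "medium", router_lifetime: int = 1800,
                         reachable_ms: int = 0, retrans_ms: int = 0,
                         min_interval: int = 200, max_interval: int = 600,
                         options: Iterable[bytes] = ()) -> bytes:
    """ICMPv6 type 134 header (checksum zeroed) followed by the options."""
    if not 3 <= min_interval <= 1350 or not 4 <= max_interval <= 1800:
        raise ValueError("Min Interval 3-1,350 and Max Interval 4-1,800 seconds")
    if min_interval > 0.75 * max_interval:
        raise ValueError("RFC 4861: MinRtrAdvInterval must be <= 0.75 * MaxRtrAdvInterval")
    if not 0 <= router_lifetime <= 9000 or not 0 <= hop_limit <= 255:
        raise ValueError("Router Lifetime 0-9,000; Hop Limit 0-255")
    flags = (0x80 if managed else 0) | (0x40 if other else 0) | (PREF_BITS[preference] << 3)
    head = struct.pack("!BBHBBHII", 134, 0, 0, hop_limit, flags,
                       router_lifetime, reachable_ms, retrans_ms)
    return head + b"".join(options)


if __name__ == "__main__":
    ra = router_advertisement(managed=True, other=True, preference="high", options=[
        prefix_option("2001:db8:1::/64", 2_592_000, 604_800),
        rdnss_option(["2001:db8::53"], 1200),
        dnssl_option(["company.com"], 1200),
    ])
    print(len(ra), ra.hex())
```

A host will accept any RA it hears on the link, so the values you send here compete with anything a rogue router injects; the Consistency Check option above is the firewall-side signal that another sender is advertising different prefixes or parameters.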


Layer 3 Subinterface

Network > Interfaces > Ethernet

For each Ethernet port configured as a physical Layer 3 interface, you can define additional logical Layer 3 interfaces (subinterfaces).
To configure a Layer 3 subinterface, select the row of that physical Interface, click Add Subinterface, and specify the following information.

Layer 3 Subinterface Settings

  Configured in: Layer 3 Subinterface

  Interface Name
      The read-only Interface Name field displays the name of the physical interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.
  Comment
      Enter an optional description for the subinterface.
  Tag
      Enter the VLAN tag (1-4,094) for the subinterface.
  Netflow Profile
      If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the subinterface.

  Configured in: Layer 3 Subinterface > Config

  Virtual Router
      Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.
  Virtual System
      If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.
  Security Zone
      Select a security zone for the subinterface, or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.


Layer 3 Subinterface Settings (continued)

  Configured in: Layer 3 Subinterface > Advanced > Other Info

  Management Profile
      Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.
  MTU
      Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.
  Adjust TCP MSS
      Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
        - IPv4 MSS Adjustment Size: range is 40-300; default is 40.
        - IPv6 MSS Adjustment Size: range is 60-300; default is 60.
      Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment. Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.

  Configured in: Layer 3 Subinterface > Advanced > ARP Entries

  IP Address / MAC Address
      To add one or more static Address Resolution Protocol (ARP) entries, Add an IP address and its associated hardware [media access control (MAC)] address. To delete an entry, select the entry and click Delete. Static ARP entries reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses.

  Configured in: Layer 3 Subinterface > Advanced > ND Entries

  IPv6 Address / MAC Address
      To provide neighbor information for Neighbor Discovery Protocol (NDP), Add the IP address and MAC address of the neighbor.
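
Both the Layer 3 interface and the Layer 3 subinterface ARP Entries rows say that static entries "preclude man-in-the-middle attacks for the specified addresses" without showing why. The added example below (not from the PAN-OS guide or Palo Alto Networks) is a minimal ARP cache model: a dynamic entry is overwritten by whichever reply arrives last, which is what ARP spoofing exploits, while an entry pinned through the ARP Entries tab ignores a conflicting reply and records an alert. The addresses, MACs, and the spoofed replies are constructed for the example; the same reasoning applies to the ND Entries tab for IPv6 neighbors.

```python
"""Static versus dynamic ARP entries under a spoofed reply."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ArpEntry:
    mac: str
    static: bool = False


@dataclass
class ArpCache:
    entries: Dict[str, ArpEntry] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def add_static(self, ip: str, mac: str) -> None:
        """Equivalent of Advanced > ARP Entries > Add on the interface."""
        self.entries[ip] = ArpEntry(mac.lower(), static=True)

    def on_reply(self, ip: str, mac: str, gratuitous: bool = False) -> bool:
        """Process an ARP reply or gratuitous ARP. Returns True if the cache changed."""
        mac = mac.lower()
        current = self.entries.get(ip)
        if current is None:
            self.entries[ip] = ArpEntry(mac)          # first sighting: learn dynamically
            return True
        if current.static:
            if current.mac != mac:                    # conflicting claim for a pinned address
                kind = "gratuitous ARP" if gratuitous else "ARP reply"
                self.alerts.append(f"{kind} for {ip} claims {mac}; static entry is {current.mac}")
            return False
        if current.mac != mac:
            current.mac = mac                         # dynamic entry: last reply wins
            return True
        return False

    def resolve(self, ip: str) -> Optional[str]:
        entry = self.entries.get(ip)
        return entry.mac if entry else None


def demo() -> ArpCache:
    """Constructed scenario: pinned gateway, dynamically learned host, then a spoofer."""
    cache = ArpCache()
    cache.add_static("10.0.0.1", "00:50:56:AA:BB:01")      # default gateway pinned
    cache.on_reply("10.0.0.50", "00:50:56:aa:bb:50")        # ordinary host, learned
    attacker = "de:ad:be:ef:00:01"
    cache.on_reply("10.0.0.1", attacker, gratuitous=True)   # spoof the gateway: rejected
    cache.on_reply("10.0.0.50", attacker, gratuitous=True)  # spoof the host: succeeds
    return cache


if __name__ == "__main__":
    c = demo()
    print(c.resolve("10.0.0.1"), c.resolve("10.0.0.50"))
    print("\n".join(c.alerts))
```

The protection is only as wide as the list: traffic to any address you did not pin is still resolved dynamically, so pin the next hops the firewall depends on (default gateway, HA peer, monitored hosts) and treat the alert condition as something worth logging.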


Layer 3 Subinterface Settings (continued)

  Configured in: Layer 3 Subinterface > Advanced > NDP Proxy

  Enable NDP Proxy
      Enable Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface so that the firewall will receive the packets meant for the addresses in the list.
      It is recommended that you enable NDP proxy if you are using Network Prefix Translation IPv6 (NPTv6).
      If you selected Enable NDP Proxy, you can filter numerous Address entries by entering a filter and clicking Apply Filter (gray arrow).
  Address
      Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.
      If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the IPv6 neighbors of the firewall and then click Negate to instruct the firewall not to respond to these IP addresses.
  Negate
      Negate an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.

  Configured in: Layer 3 Subinterface > IPv4

  Type
      Select the method for assigning an IPv4 address type to the subinterface:
        - Static: You must manually specify the IP address.
        - DHCP Client: Enables the subinterface to act as a Dynamic Host Configuration Protocol (DHCP) client and receive a dynamically assigned IP address.
      Firewalls that are in active/active high availability (HA) mode do not support DHCP Client.
      Based on your IP address method selection, the options displayed in the tab will vary.

  Configured in: Layer 3 Subinterface > IPv4, Type = Static

  IP
      Add and perform one of the following steps to specify a static IP address and network mask for the interface.
        - Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
        - Select an existing address object of type IP netmask.
        - Create an Address object of type IP netmask.
      You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
      Delete an IP address when you no longer need it.


Layer 3 Subinterface Settings (continued)

  Configured in: Layer 3 Subinterface > IPv4, Type = DHCP

  Enable
      Select to activate the DHCP client on the interface.
  Automatically create default route pointing to default gateway provided by server
      Select to automatically create a default route that points to the default gateway that the DHCP server provides.
  Default Route Metric
      (Optional) For the route between the firewall and DHCP server, you can enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535; there is no default). The priority level increases as the numeric value decreases.
  Show DHCP Client Runtime Info
      Select Show DHCP Client Runtime Info to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).


Enable IPv6 on the interface (Configured In: Layer 3 Subinterface > IPv6)
Select to enable IPv6 addressing on this interface.

Interface ID
Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.

Address
Click Add and configure the following parameters for each IPv6 address:
- Address: Enter an IPv6 address and prefix length (for example, 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.
- Send Router Advertisement: Select to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details on RA, see Enable Router Advertisement in this table.
  The remaining fields apply only if you enable RA.
  - Valid Lifetime: The length of time, in seconds, that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000.
  - Preferred Lifetime: The length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until the Valid Lifetime expires. The default is 604,800.
  - On-link: Select if systems that have addresses within the prefix are reachable without a router.
  - Autonomous: Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.


Enable Duplication Address Detection (Configured In: Layer 3 Subinterface > IPv6 > Address Resolution)
Select to enable duplicate address detection (DAD), then configure the other fields in this section.

DAD Attempts
Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).

Reachable Time
Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30).

NS Interval (neighbor solicitation interval)
Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).

Enable NDP Monitoring
Select to enable Neighbor Discovery Protocol (NDP) monitoring. When enabled, you can select the NDP icon (in the Features column) to view information about a neighbor the firewall discovered, such as the IPv6 address, the corresponding MAC address, and the User-ID (on a best-case basis).


Enable Router Advertisement (Configured In: Layer 3 Subinterface > IPv6 > Router Advertisement)
To provide Neighbor Discovery on IPv6 interfaces, select and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure an Address in the IP address table. If you set RA options for any IP address, you must Enable Router Advertisement for the interface.

Min Interval (sec)
Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Max Interval (sec)
Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Hop Limit
Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.

Link MTU
Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).

Reachable Time (ms)
Specify the reachable time (in milliseconds) that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).

Retrans Time (ms)
Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).

Router Lifetime (sec)
Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.

Router Preference
If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.

Managed Configuration
Select to indicate to the client that addresses are available via DHCPv6.

Other Configuration
Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.


Consistency Check (Configured In: Layer 3 Subinterface > IPv6 > Router Advertisement (cont))
Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd.


Include DNS information in Router Advertisement (Configured In: Layer 3 Subinterface > IPv6 > DNS Support)
Select for the firewall to send DNS information in NDP router advertisements from this IPv6 Ethernet subinterface. The other DNS Support fields in this table are visible only after you select this option.

Server
Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of eight RDNS Servers that the firewall sends in order listed from top to bottom in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.

Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use an RDNS server to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Suffix
Add one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name quality without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and transmits the DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the router is for the fully qualified domain name quality.company.com.
If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router uses the DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all of the suffixes on the list.
Configure the firewall with the suffixes that you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
You can configure a maximum of eight domain names (suffixes) for a DNS search list option that the firewall sends in order listed from top to bottom in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes or Delete a suffix when you no longer need it.

Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Virtual Wire Interface

Network > Interfaces > Ethernet
A virtual wire interface binds two Ethernet ports together, allowing for all traffic to pass between the ports, or just traffic with selected VLAN tags (no other switching or routing services are available). You can also create Virtual Wire subinterfaces and classify traffic according to an IP address, IP range, or subnet. A virtual wire requires no changes to adjacent network devices.
To set up a virtual wire through the firewall, identify the interface to use for the virtual wire (Network > Interfaces > Ethernet), specify the virtual wire interface settings as described in the following table, and then Add the virtual wire (Network > Virtual Wires).

If you are using an existing interface for the virtual wire, first remove the interface from any associated security zone.

Virtual Wire Interface Settings

Interface Name (Configured In: Ethernet Interface)
The interface name is predefined and you cannot change it.

Comment
Enter an optional description for the interface.

Interface Type
Select Virtual Wire.

Virtual Wire (Configured In: Ethernet Interface > Config)
Select a virtual wire, or click Virtual Wire to define new Network > Virtual Wires. Select None to remove the current virtual wire assignment from the interface.

Virtual System
If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system for the interface or click Virtual System to define a new vsys.

Security Zone
Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Link Speed (Configured In: Ethernet Interface > Advanced)
Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.

Link Duplex
Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).

Link State
Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).

Enable LLDP (Configured In: Ethernet Interface > Advanced > LLDP)
Select to enable Link Layer Discovery Protocol (LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities.

Profile
If LLDP is enabled, select an LLDP profile to assign to the interface or click LLDP Profile to create a new profile (see Network > Network Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.

Enable in HA Passive State
If LLDP is enabled, select to configure an HA passive firewall to pre-negotiate LLDP with its peer before the firewall becomes active.
If LLDP is not enabled, select to configure an HA passive firewall to simply pass LLDP packets through the firewall.

Virtual Wire Subinterface

Network > Interfaces > Ethernet
Virtual wire (vwire) subinterfaces allow you to separate traffic by VLAN tags or a VLAN tag and IP classifier combination, assign the tagged traffic to a different zone and virtual system, and then enforce security policies for the traffic that matches the defined criteria.
To add a Virtual Wire Interface, select the row for that interface, click Add Subinterface, and specify the following information.

Virtual Wire Subinterface Settings

Interface Name
The read-only Interface Name displays the name of the vwire interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.

Comment
Enter an optional description for the subinterface.

Tag
Enter the VLAN tag (0-4,094) for the subinterface.

Netflow Profile
If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Selecting None removes the current NetFlow server assignment from the subinterface.

IP Classifier
Click Add and enter an IP address, IP range, or subnet to classify the traffic on this vwire subinterface.

Virtual Wire
Select a virtual wire, or click Virtual Wire to define a new one (see Network > Virtual Wires). Select None to remove the current virtual wire assignment from the subinterface.

Virtual System
If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.

Security Zone
Select a security zone for the subinterface, or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.

Tap Interface

Network > Interfaces > Ethernet
You can use a tap interface to monitor traffic on a port.
To configure a tap interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.

Tap Interface Settings

Interface Name (Configured In: Ethernet Interface)
The interface name is predefined and you cannot change it.

Comment
Enter an optional description for the interface.

Interface Type
Select Tap.

Netflow Profile
If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.

Virtual System (Configured In: Ethernet Interface > Config)
If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system for the interface or click Virtual System to define a new vsys.

Security Zone
Select a security zone for the interface or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Link Speed (Configured In: Ethernet Interface > Advanced)
Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.

Link Duplex
Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).

Link State
Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).

Log Card Interface

Network > Interfaces > Ethernet
If you configure log forwarding on a PA-7000 Series firewall, you must configure one data port as type Log Card. This is because the traffic and logging capabilities of this firewall model exceed the capabilities of the management (MGT) interface. A log card data port performs log forwarding for syslog, email, Simple Network Management Protocol (SNMP), Panorama log forwarding, and WildFire file forwarding.

You can configure only one port on the firewall as type Log Card. If you enable log forwarding but do not configure an interface with the Log Card type, you get an error when you attempt to commit your changes.

To configure a log card interface, select an Interface that is not configured (ethernet1/16, for example) and configure the settings described in the following table.

Log Card Interface Settings

Slot (Configured In: Ethernet Interface)
Select the slot number (1-12) of the interface.

Interface Name
The interface name is predefined and you cannot change it.

Comment
Enter an optional description for the interface.

Interface Type
Select Log Card.

IPv4 (Configured In: Ethernet Interface > Log Card Forwarding)
If your network uses IPv4, define the following:
- IP address: The IPv4 address of the port.
- Netmask: The network mask for the IPv4 address of the port.
- Default Gateway: The IPv4 address of the default gateway for the port.

IPv6
If your network uses IPv6, define the following:
- IP address: The IPv6 address of the port.
- Default Gateway: The IPv6 address of the default gateway for the port.

Link Speed (Configured In: Ethernet Interface > Advanced)
Select the interface speed in Mbps (10, 100, or 1000) or select auto (default) to have the firewall automatically determine the speed based on the connection. For interfaces that have a non-configurable speed, auto is the only option.
The minimum recommended speed for the connection is 1000 (Mbps).

Link Duplex
Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically based on the connection (auto). The default is auto.

Link State
Select whether the interface status is enabled (up), disabled (down), or determined automatically based on the connection (auto). The default is auto.

Log Card Subinterface

Network > Interfaces > Ethernet
To add a Log Card Interface, select the row for that interface, Add Subinterface, and specify the following information.

Log Card Subinterface Settings

Interface Name (Configured In: LPC Subinterface)
Interface Name (read-only) displays the name of the log card interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.

Comment
Enter an optional description for the interface.

Tag
Enter the VLAN Tag (0-4,094) for the subinterface.
Make the tag the same as the subinterface number for ease of use.

Virtual System (Configured In: LPC Subinterface > Config)
Select the virtual system (vsys) to which the Log Processing Card (LPC) subinterface is assigned. Alternatively, you can click Virtual Systems to add a new vsys. Once an LPC subinterface is assigned to a vsys, that interface is used as the source interface for all services that forward logs (syslog, email, SNMP) from the log card.

IPv4 (Configured In: Ethernet Interface > Log Card Forwarding)
If your network uses IPv4, define the following:
- IP address: The IPv4 address of the port.
- Netmask: The network mask for the IPv4 address of the port.
- Default Gateway: The IPv4 address of the default gateway for the port.

IPv6
If your network uses IPv6, define the following:
- IP address: The IPv6 address of the port.
- Default Gateway: The IPv6 address of the default gateway for the port.

Decrypt Mirror Interface

Network > Interfaces > Ethernet
To use the Decryption Port Mirror feature, you must select the Decrypt Mirror interface type. This feature enables creating a copy of decrypted traffic from a firewall and sending it to a traffic collection tool that can receive raw packet captures such as NetWitness or Solera for archiving and analysis. Organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality require this feature. Decryption port mirroring is only available on PA-7000 Series firewalls, PA-5000 Series firewalls, and PA-3000 Series firewalls. To enable the feature, you must acquire and install the free license.
To configure a decrypt mirror interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.

Decrypt Mirror Interface Settings

Interface Name
The interface name is predefined and you cannot change it.

Comment
Enter an optional description for the interface.

Interface Type
Select Decrypt Mirror.

Link Speed
Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.

Link Duplex
Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).

Link State
Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).

Aggregate Ethernet (AE) Interface Group

Network > Interfaces > Ethernet
An AE interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An AE interface group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue to support traffic.
Before configuring an AE interface group, you must configure its interfaces. All the interfaces in an aggregate group must be the same with respect to bandwidth (1Gbps or 10Gbps) and interface type (HA3, virtual wire, Layer 2, or Layer 3). You can add up to eight AE interface groups per firewall and each group can have up to eight interfaces.

All Palo Alto Networks firewalls except the PA-200 and VM-Series models support AE interface groups.
You can aggregate the HA3 (packet-forwarding) interfaces in a high availability (HA) active/active configuration but only on the following firewall models:
- PA-220
- PA-500
- PA-800 Series
- PA-3000 Series
- PA-5000 Series
- PA-5200 Series

To configure an AE interface group, Add Aggregate Group, configure the settings described in the following table, and then assign interfaces to the group (see Aggregate Ethernet (AE) Interface).

Aggregate Interface Group Settings

Interface Name (Configured In: Aggregate Ethernet Interface)
The read-only Interface Name is set to ae. In the adjacent field, enter a numeric suffix (1 to 8) to identify the AE interface group.

Comment
Enter an optional description for the interface.

Interface Type
Select the interface type, which controls the remaining configuration requirements and options:
- HA: Only select if the interface is an HA3 link between two firewalls in an active/active deployment. Optionally select a Netflow Profile and configure the LACP tab (see Enable LACP).
- Virtual Wire: Optionally select a Netflow Profile, and configure the Config and Advanced tabs as described in Virtual Wire Settings.
- Layer 2: Optionally select a Netflow Profile; configure the Config and Advanced tabs as described in Layer 2 Interface Settings; and optionally configure the LACP tab (see Enable LACP).
- Layer 3: Optionally select a Netflow Profile; configure the Config, IPv4 or IPv6, and Advanced tabs as described in Layer 3 Interface Settings; and optionally configure the LACP tab (see Enable LACP).

Netflow Profile
If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the AE interface group.

Enable LACP (Configured In: Aggregate Ethernet Interface > LACP)
Select if you want to enable Link Aggregation Control Protocol (LACP) for the AE interface group. LACP is disabled by default.
If you enable LACP, interface failure detection is automatic at the physical and data link layers regardless of whether the firewall and its LACP peer are directly connected. (Without LACP, interface failure detection is automatic only at the physical layer between directly connected peers.) LACP also enables automatic failover to standby interfaces if you configure hot spares (see Max Ports).

Mode
Select the LACP mode of the firewall. Between any two LACP peers, it is recommended that one is active and the other is passive. LACP cannot function if both peers are passive.
- Active: The firewall actively queries the LACP status (available or unresponsive) of peer devices.
- Passive (default): The firewall passively responds to LACP status queries from peer devices.

Transmission Rate
Select the rate at which the firewall exchanges queries and responses with peer devices:
- Fast: Every second
- Slow: Every 30 seconds (this is the default setting)

Fast Failover
Select if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds).

System Priority (Configured In: Aggregate Ethernet Interface > LACP (cont))
The number that determines whether the firewall or its peer overrides the other with respect to port priorities (see the Max Ports field description below). The lower the number, the higher the priority (range is 1-65,535; default is 32,768).

Max Ports
The number of interfaces (1-8) that can be active at any given time in an LACP aggregate group. The value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface).

Enable in HA Passive State
For firewalls deployed in a high availability (HA) active/passive configuration, select to allow the passive firewall to pre-negotiate LACP with its active peer before a failover occurs. Pre-negotiation speeds up failover because the passive firewall does not have to negotiate LACP before becoming active.

Same System MAC Address for Active-Passive HA
This applies only to firewalls deployed in a high availability (HA) active/passive configuration; firewalls in an active/active configuration require unique MAC addresses.
HA firewall peers have the same system priority value. However, in an active/passive deployment, the system ID for each can be the same or different, depending on whether you assign the same MAC address.
- When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), using the same system MAC address for the firewalls minimizes latency during failover.
- When the LACP peers are not virtualized, using the unique MAC address of each firewall minimizes failover latency.
LACP uses the MAC address to derive a system ID for each LACP peer. If the firewall pair and peer pair have identical system priority values, LACP uses the system ID values to determine which overrides the other with respect to port priorities. If both firewalls have the same MAC address, both will have the same system ID, which will be higher or lower than the system ID of the LACP peers. If the HA firewalls have unique MAC addresses, it is possible for one to have a higher system ID than the LACP peers while the other has a lower system ID. In the latter case, when failover occurs on the firewalls, port prioritization switches between the LACP peers and the firewall that becomes active.

MAC Address
If you enabled Use Same System MAC Address, select a system-generated MAC address, or enter your own, for both firewalls in the active/passive high availability (HA) pair. You must verify the address is globally unique.

Aggregate Ethernet (AE) Interface

Network > Interfaces > Ethernet
To configure an Aggregate Ethernet (AE) Interface, first configure an Aggregate Ethernet (AE) Interface Group and click the name of the interface you will assign to that group. The interface you select must be the same type as that defined for the AE interface group (for example, Layer 3); you will change the type to Aggregate Ethernet when you configure the interface. Specify the following information for the interface.

If you enabled Link Aggregation Control Protocol (LACP) for the AE interface group, select the same Link Speed and Link Duplex for every interface in that group. For non-matching values, the commit operation displays a warning and PAN-OS defaults to the higher speed and full duplex.

Aggregate Interface Settings

Interface Name (Configured In: Aggregate Ethernet Interface)
The interface name is predefined and you cannot change it.

Comment
(Optional) Enter a description for the interface.

Interface Type
Select Aggregate Ethernet.

Aggregate Group
Assign the interface to an aggregate group.

Link Speed
Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.

Link Duplex
Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).

Link State
Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).

LACP Port Priority
The firewall only uses this field if you enabled Link Aggregation Control Protocol (LACP) for the aggregate group. If the number of interfaces you assign to the group exceeds the number of active interfaces (the Max Ports field), the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. The lower the numeric value, the higher the priority (range is 1-65,535; default is 32,768).

Virtual Router (Configured In: Aggregate Ethernet Interface > Config)
Select the virtual router to which you assign the Aggregate Ethernet interface.

Security Zone
Select the security zone to which you assign the Aggregate Ethernet interface.

Enable IPv6 on the interface (Configured In: Aggregate Ethernet Interface > IPv6)
Select to enable IPv6 on this interface.

Interface ID
Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you Use interface ID as host portion when adding an address, the firewall uses the interface ID as the host portion of that address.

Address
Add an IPv6 address and configure the following parameters:
- Address: Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create one.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.
- Send RA: Select to enable router advertisement (RA) for this IP address. When you select this option, you must also globally Enable Router Advertisement on the interface. For details on RA, see Enable Router Advertisement.
  The remaining fields are visible only after you enable RA:
  - Valid Lifetime: The length of time, in seconds, that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000.
  - Preferred Lifetime: The length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until they exceed the Valid Lifetime. The default is 604,800.
  - On-link: Select if systems with IP addresses within the advertised prefix are reachable without a router.
  - Autonomous: Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.

Enable Duplication Address Detection (Configured In: Aggregate Ethernet Interface > IPv6 > Address Resolution)
Select to enable duplicate address detection (DAD), which then allows you to specify the number of DAD Attempts.

DAD Attempts
Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).

Reachable Time
Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30).

NS Interval (neighbor solicitation interval)
Specify the length of time, in seconds, before a DAD attempt failure is indicated (range is 1-10; default is 1).

Enable NDP Monitoring
Select to enable Neighbor Discovery Protocol monitoring. When enabled, you can select the NDP icon (in the Features column) and view information such as the IPv6 address of a neighbor the firewall has discovered, the corresponding MAC address and User-ID (on a best-case basis).

Enable Router Advertisement (Configured In: Aggregated Ethernet Interface > IPv6 > Router Advertisement)
Select to provide Neighbor Discovery on IPv6 interfaces and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure an Address in the IP address table. If you set RA options for any IP address, you must Enable Router Advertisement for the interface.

Min Interval (sec)
Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Max Interval (sec)
Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Hop Limit
Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.

Link MTU
Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).

Reachable Time (ms)
Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).

Retrans Time (ms)
Specify the retransmission timer that determines how long the client will wait, in milliseconds, before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).

Router Lifetime (sec)
Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.

Router Preference
If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.

Managed Configuration
Select to indicate to the client that addresses are available via DHCPv6.

Other Configuration
Select to indicate to the client that other address information (such as DNS-related settings) is available via DHCPv6.
PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 247


Network>Interfaces Network

Aggregate ConfiguredIn Description


InterfaceSettings

Consistency Aggregated SelectifyouwantthefirewalltoverifythatRAssentfromotherroutersare


Check Ethernet advertisingconsistentinformationonthelink.Thefirewalllogsany
Interface > IPv6 > inconsistenciesinasystemlog;thetypeisipv6nd.
Router
Advertisement
(cont)

Configured in: Aggregated Ethernet Interface > IPv6 > DNS Support

Include DNS information in Router Advertisement
Select for the firewall to send DNS information in NDP router advertisement (RA) messages from this IPv6 Aggregated Ethernet interface. The other DNS Support fields in this table are visible only after you select this option.

Server
Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Aggregated Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of eight RDNS Servers that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which then uses those addresses in the same order. Select a server and Move Up or Move Down to change the order of the servers, or Delete a server when you no longer need it.

Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS Servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Suffix
Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name quality without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and transmits the DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the router is for the fully qualified domain name quality.company.com.
If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (it ignores the remaining suffixes) or until the router has tried all of the suffixes on the list.
Configure the firewall with the suffixes you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes, or Delete a suffix from the list when you no longer need it.

Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

HA Interface

Network > Interfaces > Ethernet

Each high availability (HA) interface has a specific function: one interface is for configuration synchronization and heartbeats, and the other interface is for state synchronization. If active/active high availability is enabled, the firewall can use a third HA interface to forward packets.

Some Palo Alto Networks firewalls include dedicated physical ports for use in HA deployments (one for the control link and one for the data link). For firewalls that do not include dedicated ports, you must specify the data ports that will be used for HA. For additional information on HA, refer to Device > Virtual Systems.

To configure an HA interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.

HA Interface Settings

Interface Name
The interface name is predefined and you cannot change it.

Comment
Enter an optional description for the interface.

Interface Type
Select HA.

Link Speed
Select the interface speed in Mbps (10, 100, or 1000), or select auto to have the firewall automatically determine the speed.

Link Duplex
Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).

Link State
Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).


Network > Interfaces > VLAN

A VLAN interface can provide routing into a Layer 3 network (IPv4 and IPv6). You can add one or more Layer 2 Ethernet ports (see Layer 2 Interface) to a VLAN interface.

VLAN Interface Settings

Configured in: VLAN Interface

Interface Name
The read-only Interface Name is set to vlan. In the adjacent field, enter a numeric suffix (1-9999) to identify the interface.

Comment
Enter an optional description for the interface.

Netflow Profile
If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.

Configured in: VLAN Interface > Config

VLAN
Select a VLAN or click VLAN to define a new one (see Network > VLANs). Select None to remove the current VLAN assignment from the interface.

Virtual Router
Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.

Virtual System
If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.

Security Zone
Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Configured in: VLAN Interface > Advanced > Other Info

Management Profile
Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.

MTU
Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.

Adjust TCP MSS
Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
- IPv4 MSS Adjustment Size: Range is 40-300; default is 40.
- IPv6 MSS Adjustment Size: Range is 60-300; default is 60.
Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment.
Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.

Configured in: VLAN Interface > Advanced > ARP Entries

IP Address / MAC Address / Interface
To add one or more static Address Resolution Protocol (ARP) entries, click Add and enter an IP address, enter its associated hardware [media access control (MAC)] address, and select a Layer 3 interface that can access the hardware address. To delete an entry, select the entry and click Delete. Static ARP entries reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses.

Configured in: VLAN Interface > Advanced > ND Entries

IPv6 Address / MAC Address
To provide neighbor information for Neighbor Discovery Protocol (NDP), click Add and enter the IPv6 address and MAC address of the neighbor.

Configured in: VLAN Interface > Advanced > NDP Proxy

Enable NDP Proxy
Select to enable Neighbor Discovery Protocol (NDP) Proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface, and is basically saying, "send me the packets meant for these addresses."
(Recommended) Enable NDP Proxy if you are using Network Prefix Translation IPv6 (NPTv6).
If you Enable NDP Proxy, you can filter numerous Address entries: first enter a filter and then apply it (green arrow).

Address
Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP Proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.
If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the firewall's IPv6 neighbors and then click Negate to instruct the firewall not to respond to these IP addresses.

Negate
Select Negate for an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.
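How the Address and Negate entries combine, as an added illustration that is not PAN-OS code: the firewall answers a Neighbor Solicitation for any listed address, range or subnet unless a negated entry also covers the target, and entry order does not matter. The class name, the "first-last" range syntax and the sample table are assumptions made for the model.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class ProxyEntry:
    """One row of the NDP Proxy address table (hypothetical model of the UI).

    `spec` is an IPv6 address, a subnet in prefix notation, or a range written
    as "first-last"; `negate` mirrors the Negate checkbox.
    """
    spec: str
    negate: bool = False

    def covers(self, target: IPv6Address) -> bool:
        """True if this entry's address, range or subnet contains `target`."""
        if "-" in self.spec:
            first, last = (ip_address(p.strip()) for p in self.spec.split("-", 1))
            return first <= target <= last
        if "/" in self.spec:
            return target in ip_network(self.spec, strict=False)
        return target == ip_address(self.spec)


def should_proxy(entries: List[ProxyEntry], target_str: str) -> bool:
    """Decide whether the firewall answers a Neighbor Solicitation for `target_str`.

    Entry order does not matter, as the page states: a negated entry covering
    the target always wins; otherwise any non-negated entry covering it means
    the firewall replies with its own MAC address.
    """
    target = IPv6Address(target_str)
    if any(e.negate and e.covers(target) for e in entries):
        return False
    return any(not e.negate and e.covers(target) for e in entries)


# Constructed sample table: proxy the whole NPTv6 translated prefix, but negate
# the firewall's real IPv6 neighbors on that subnet so it never answers for them.
SAMPLE_ENTRIES = [
    ProxyEntry("2001:db8:1::/64"),                              # NPTv6 source-translation prefix
    ProxyEntry("2001:db8:1::10-2001:db8:1::20", negate=True),   # range of real neighbors
    ProxyEntry("2001:db8:1::1", negate=True),                   # the upstream router
]

if __name__ == "__main__":
    for t in ("2001:db8:1::42", "2001:db8:1::15", "2001:db8:1::1", "2001:db8:2::5"):
        print(t, "->", "proxy" if should_proxy(SAMPLE_ENTRIES, t) else "ignore")
```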

For an IPv4 address

Configured in: VLAN Interface > IPv4

Type
Select the method for assigning an IPv4 address type to the interface:
- Static: You must manually specify the IP address.
- DHCP Client: Enables the interface to act as a Dynamic Host Configuration Protocol (DHCP) client and receive a dynamically assigned IP address. Firewalls that are in active/active high availability (HA) mode don't support DHCP Client.
Based on your IP address method selection, the options displayed in the tab will vary.

IPv4 address Type = Static

IP
Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface.
- Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
- Select an existing address object of type IP netmask.
- Create an Address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
Delete an IP address when you no longer need it.

IPv4 address Type = DHCP

Enable
Select to activate the DHCP client on the interface.

Automatically create default route pointing to default gateway provided by server
Select to automatically create a default route that points to the default gateway that the DHCP server provides.

Default Route Metric
For the route between the firewall and DHCP server, optionally enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535; there is no default). The priority level increases as the numeric value decreases.

Show DHCP Client Runtime Info
Select to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).

For an IPv6 address

Configured in: VLAN Interface > IPv6

Enable IPv6 on the interface
Select to enable IPv6 addressing on this interface.

Interface ID
Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.

Address
Click Add and configure the following parameters for each IPv6 address:
- Address: Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.
- Send RA: Select to enable router advertisement (RA) for this IP address. When you select this option, you must also globally Enable Router Advertisement on the interface. For details on RA, see Enable Router Advertisement.
The remaining fields apply only if you enable RA.
- Valid Lifetime: The length of time, in seconds, that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000.
- Preferred Lifetime: The length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until they exceed the Valid Lifetime. The default is 604,800.
- On-link: Select if systems with IP addresses within the advertised prefix are reachable without a router.
- Autonomous: Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.

Configured in: VLAN Interface > IPv6 > Address Resolution

Enable Duplication Address Detection
Select to enable duplicate address detection (DAD), which allows you to specify the number of DAD Attempts.

DAD Attempts
Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).

Reachable Time
Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30).

NS Interval (neighbor solicitation interval)
Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).

Enable NDP Monitoring
Select to enable Neighbor Discovery Protocol monitoring. When enabled, you can select the NDP icon (in the Features column) and view information such as the IPv6 address of a neighbor the firewall has discovered, the corresponding MAC address, and User-ID (on a best-case basis).

Configured in: VLAN Interface > IPv6 > Router Advertisement

Enable Router Advertisement
Select to provide Neighbor Discovery on IPv6 interfaces and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add an Address to the IP address table and configure it. If you set RA options for any IP address, you must Enable Router Advertisement for the interface.

Min Interval (sec)
Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Max Interval (sec)
Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Hop Limit
Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.

Link MTU
Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).

Reachable Time (ms)
Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).

Retrans Time (ms)
Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).

Router Lifetime (sec)
Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.

Router Preference
If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.

Managed Configuration
Select to indicate to the client that addresses are available via DHCPv6.

Other Configuration
Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.

Consistency Check
Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies in a system log; the type is ipv6nd.
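The ranges, defaults and cross-field rules above (the Aggregated Ethernet Interface > IPv6 > Router Advertisement settings earlier on the page are identical) as an added configuration check written for this guide, not code from PAN-OS; the class and field names, and the sample configurations, are assumptions, while every limit is the one the page states.

```python
from dataclasses import dataclass, field
from random import Random
from typing import List, Optional


@dataclass
class RAAddress:
    """One IP address table entry; lifetimes default to the values the page gives."""
    prefix: str
    send_ra: bool = False
    valid_lifetime: int = 2_592_000
    preferred_lifetime: int = 604_800


@dataclass
class RouterAdvertisementConfig:
    """Interface-level RA settings; None models the UI's 'unspecified' choice."""
    enabled: bool = False
    min_interval: int = 200            # sec, default
    max_interval: int = 600            # sec, default
    hop_limit: int = 64                # 0 means no hop limit
    link_mtu: Optional[int] = None
    reachable_time_ms: Optional[int] = None
    retrans_time_ms: Optional[int] = None
    router_lifetime: int = 1_800       # sec; 0 means "not the default gateway"
    router_preference: str = "Medium"
    addresses: List[RAAddress] = field(default_factory=list)

    def validate(self) -> List[str]:
        """Return every rule the configuration breaks; an empty list means it is consistent."""
        problems: List[str] = []

        def in_range(name: str, value: int, lo: int, hi: int) -> None:
            if not lo <= value <= hi:
                problems.append(f"{name} {value} is outside {lo}-{hi}")

        in_range("Min Interval (sec)", self.min_interval, 3, 1_350)
        in_range("Max Interval (sec)", self.max_interval, 4, 1_800)
        if self.min_interval > self.max_interval:
            problems.append("Min Interval must not exceed Max Interval (RAs go out at random intervals between them)")
        if self.hop_limit != 0:
            in_range("Hop Limit", self.hop_limit, 1, 255)
        if self.link_mtu is not None:
            in_range("Link MTU", self.link_mtu, 1_280, 9_192)
        if self.reachable_time_ms is not None:
            in_range("Reachable Time (ms)", self.reachable_time_ms, 0, 3_600_000)
        if self.retrans_time_ms is not None:
            in_range("Retrans Time (ms)", self.retrans_time_ms, 0, 4_294_967_295)
        in_range("Router Lifetime (sec)", self.router_lifetime, 0, 9_000)
        if self.router_preference not in ("High", "Medium", "Low"):
            problems.append(f"Router Preference {self.router_preference!r} is not High, Medium or Low")
        for a in self.addresses:
            if a.send_ra and not self.enabled:
                problems.append(f"{a.prefix}: Send RA requires Enable Router Advertisement on the interface")
            if a.send_ra and a.valid_lifetime < a.preferred_lifetime:
                problems.append(f"{a.prefix}: Valid Lifetime must equal or exceed Preferred Lifetime")
        return problems

    def next_ra_delay(self, seed: Optional[int] = None) -> int:
        """Seconds until the next unsolicited RA: a random value between Min and Max Interval."""
        return Random(seed).randint(self.min_interval, self.max_interval)


# Constructed misconfiguration: five separate mistakes the rules above catch ...
BAD_CONFIG = RouterAdvertisementConfig(
    enabled=False,
    min_interval=900, max_interval=600,        # minimum above maximum
    hop_limit=300,                             # above 255
    link_mtu=1_000,                            # below the 1,280 floor
    addresses=[RAAddress("2001:db8:10::/64", send_ra=True,
                         valid_lifetime=3_600, preferred_lifetime=7_200)],
)

# ... and the corrected settings for the same interface.
GOOD_CONFIG = RouterAdvertisementConfig(
    enabled=True,
    addresses=[RAAddress("2001:db8:10::/64", send_ra=True)],
)

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, cfg.validate() or "consistent")
    print("next RA from the good config in", GOOD_CONFIG.next_ra_delay(seed=7), "s")
```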

Configured in: VLAN Interface > IPv6 > DNS Support

Include DNS information in Router Advertisement
Select for the firewall to send DNS information in NDP router advertisements from this IPv6 VLAN interface. The other DNS Support fields in this table are visible only after you select this option.

Server
Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 VLAN interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of eight RDNS servers that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and Move Up or Move Down to change the order of the servers, or Delete a server from the list when you no longer need it.

Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Suffix
Add and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name quality without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and then transmits the DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the router is for the fully qualified domain name quality.company.com.
If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (it ignores the remaining suffixes) or until the router has tried all of the suffixes on the list.
Configure the firewall with the suffixes that you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends in the order listed from top to bottom in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes, or Delete a suffix from the list when you no longer need it.

Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
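The DNS Support behaviour described above (the Aggregated Ethernet Interface > IPv6 > DNS Support settings earlier on the page are the same) as an added illustration, not PAN-OS code: the firewall side enforces the entry counts, suffix length and lifetime bounds the page gives, and a modelled client appends the suffixes in order until a lookup succeeds and stops using them once the DNSSL lifetime has expired. The function and class names, the fake zone data and the trailing-period rule for fully qualified names are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_ENTRIES = 8          # at most eight RDNS servers and eight suffixes
MAX_SUFFIX_BYTES = 255   # maximum suffix length


def build_dns_option(max_interval: int, rdns_servers: List[str], rdns_lifetime: int,
                     suffixes: List[str], dnssl_lifetime: int) -> dict:
    """Check the firewall-side DNS Support settings and return the payload to advertise.

    `max_interval` is the RA Max Interval (sec) that bounds both lifetimes.
    Raises ValueError for anything outside the limits the page states.
    """
    for name, items in (("RDNS Servers", rdns_servers), ("Suffixes", suffixes)):
        if len(items) > MAX_ENTRIES:
            raise ValueError(f"{name}: at most {MAX_ENTRIES} entries are allowed")
    for suffix in suffixes:
        if len(suffix.encode()) > MAX_SUFFIX_BYTES:
            raise ValueError(f"suffix {suffix!r} exceeds {MAX_SUFFIX_BYTES} bytes")
    for name, lifetime in (("RDNS Lifetime", rdns_lifetime), ("DNSSL Lifetime", dnssl_lifetime)):
        if not max_interval <= lifetime <= 2 * max_interval:
            raise ValueError(f"{name} {lifetime} must lie between Max Interval and twice Max Interval")
    # Order is preserved: the client uses servers and suffixes top to bottom.
    return {"rdns": list(rdns_servers), "rdns_lifetime": rdns_lifetime,
            "dnssl": list(suffixes), "dnssl_lifetime": dnssl_lifetime}


@dataclass
class DnsClient:
    """A host that received the RA at `received_at` (seconds on some clock)."""
    option: dict
    received_at: float

    def search_list(self, now: float) -> List[str]:
        """Suffixes still usable at time `now`; empty once the DNSSL lifetime has expired."""
        if now - self.received_at <= self.option["dnssl_lifetime"]:
            return list(self.option["dnssl"])
        return []

    def resolve(self, name: str, now: float,
                lookup: Callable[[str], Optional[str]]) -> Tuple[Optional[str], List[str]]:
        """Resolve `name` with `lookup` (which returns None for a failed query).

        Returns (answer, fqdns_tried). A name ending in a period is treated as
        already fully qualified (an assumption, not from the page); an unqualified
        name gets each suffix appended in turn until a lookup succeeds.
        """
        tried: List[str] = []
        if name.endswith("."):
            tried.append(name)
            return lookup(name), tried
        for suffix in self.search_list(now):
            fqdn = f"{name}.{suffix}"
            tried.append(fqdn)
            answer = lookup(fqdn)
            if answer is not None:
                return answer, tried      # first success wins; remaining suffixes are ignored
        return None, tried


# Constructed zone data standing in for the recursive resolver the client would query.
FAKE_ZONE: Dict[str, str] = {"quality.example.net": "2001:db8::10"}


def fake_lookup(fqdn: str) -> Optional[str]:
    return FAKE_ZONE.get(fqdn.rstrip("."))


SAMPLE_OPTION = build_dns_option(
    max_interval=600,
    rdns_servers=["2001:db8::53"], rdns_lifetime=1_200,
    suffixes=["company.com", "example.net"], dnssl_lifetime=1_200,
)

if __name__ == "__main__":
    client = DnsClient(SAMPLE_OPTION, received_at=0.0)
    print(client.resolve("quality", now=10.0, lookup=fake_lookup))     # second suffix succeeds
    print(client.resolve("quality", now=5_000.0, lookup=fake_lookup))  # lifetime expired: nothing tried
```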

Network > Interfaces > Loopback

Use the following fields to configure a loopback interface:

Loopback Interface Settings

Configured in: Loopback Interface

Interface Name
The read-only Interface Name is set to loopback. In the adjacent field, enter a numeric suffix (1-9999) to identify the interface.

Comment
Enter an optional description for the interface.

Netflow Profile
If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.

Configured in: Loopback Interface > Config

Virtual Router
Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.

Virtual System
If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.

Security Zone
Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Configured in: Tunnel Interface > Advanced > Other Info

Management Profile
Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.

MTU
Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.

Adjust TCP MSS
Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
- IPv4 MSS Adjustment Size: Range is 40-300; default is 40.
- IPv6 MSS Adjustment Size: Range is 60-300; default is 60.
Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment.
Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.

For an IPv4 address

Configured in: Loopback Interface > IPv4

IP
Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface.
- Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
- Select an existing address object of type IP netmask.
- Click Address to create an address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
To delete an IP address, select the address and click Delete.

For an IPv6 address

Configured in: Loopback Interface > IPv6

Enable IPv6 on the interface
Select to enable IPv6 addressing on this interface.

Interface ID
Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.

Address
Click Add and configure the following parameters for each IPv6 address:
- Address: Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.


Network > Interfaces > Tunnel

Use the following fields to configure a tunnel interface:

Tunnel Interface Settings

Configured in: Tunnel Interface

Interface Name
The read-only Interface Name is set to tunnel. In the adjacent field, enter a numeric suffix (1-9,999) to identify the interface.

Comment
Enter an optional description for the interface.

Netflow Profile
If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.

Configured in: Tunnel Interface > Config

Virtual Router
Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.

Virtual System
If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.

Security Zone
Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.

Configured in: Tunnel Interface > Advanced > Other Info

Management Profile
Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.

MTU
Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.

For an IPv4 address

Configured in: Tunnel Interface > IPv4

IP
Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface.
- Type the entry in Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
- Select an existing address object of type IP netmask.
- Click Address to create an address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
To delete an IP address, select the address and click Delete.

For an IPv6 address

Configured in: Tunnel Interface > IPv6

Enable IPv6 on the interface
Select to enable IPv6 addressing on this interface.

Interface ID
Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.

Address
Click Add and configure the following parameters for each IPv6 address:
- Address: Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.
- Enable address on interface: Select to enable the IPv6 address on the interface.
- Use interface ID as host portion: Select to use the Interface ID as the host portion of the IPv6 address.
- Anycast: Select to include routing through the nearest node.


Network > Virtual Routers

The firewall requires a virtual router to obtain routes to other subnets either using static routes that you manually define, or through participation in Layer 3 routing protocols (dynamic routes). Each Layer 3 interface, loopback interface, and VLAN interface defined on the firewall must be associated with a virtual router. Each interface can belong to only one virtual router.
Defining a virtual router requires general settings and any combination of static routes or dynamic routing protocols, as required by your network. You can also configure other features such as route redistribution and ECMP.

What are you looking for?

What are the required elements of a virtual router? See General Settings of a Virtual Router.

Configure:
- Static Routes
- Route Redistribution
- RIP
- OSPF
- OSPFv3
- BGP
- IP Multicast
- ECMP

View information about a virtual router. See More Runtime Stats for a Virtual Router.

Looking for more? See Networking.


General Settings of a Virtual Router

Network > Virtual Routers > Router Settings > General

All virtual routers require that you assign Layer 3 interfaces and administrative distance metrics as described in the following table.

Virtual Router General Settings

Name
Specify a name to describe the virtual router (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Interfaces
Select the interfaces that you want to include in the virtual router. Thus, they can be used as outgoing interfaces in the virtual router's routing table.
To specify the interface type, refer to Network > Interfaces.
When you add an interface, its connected routes are added automatically.

Administrative Distances
Specify the following administrative distances:
- Static routes: Range is 10-240; default is 10.
- OSPF Int: Range is 10-240; default is 30.
- OSPF Ext: Range is 10-240; default is 110.
- IBGP: Range is 10-240; default is 200.
- EBGP: Range is 10-240; default is 20.
- RIP: Range is 10-240; default is 120.

Static Routes

Network > Virtual Routers > Static Routes

Optionally add one or more static routes. Click the IP or IPv6 tab to specify the route using an IPv4 or IPv6 address. It is usually necessary to configure default routes (0.0.0.0/0) here. Default routes are applied for destinations that are otherwise not found in the virtual router's routing table.
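Added illustration, not PAN-OS code, of how the administrative distances from the General settings and a 0.0.0.0/0 default route decide between overlapping routes: the page states the distances and that the default route applies only when no other entry matches; the tie-break order used here (longest prefix, then lowest administrative distance, then lowest metric) is assumed standard router behaviour, and the class name and sample routing table are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Default administrative distances from the virtual router's General settings.
DEFAULT_ADMIN_DISTANCE = {
    "static": 10, "ospf-int": 30, "ospf-ext": 110,
    "ibgp": 200, "ebgp": 20, "rip": 120,
}


@dataclass(frozen=True)
class Route:
    """A candidate route as the virtual router would hold it in its RIB."""
    destination: str                        # CIDR, e.g. "192.168.2.0/24" or "0.0.0.0/0"
    next_hop: str
    protocol: str                           # key of DEFAULT_ADMIN_DISTANCE
    metric: int = 10
    admin_distance: Optional[int] = None    # None: use the protocol default

    @property
    def distance(self) -> int:
        if self.admin_distance is not None:
            return self.admin_distance
        return DEFAULT_ADMIN_DISTANCE[self.protocol]

    @property
    def network(self):
        return ip_network(self.destination, strict=False)


def best_route(rib: List[Route], destination_ip: str) -> Optional[Route]:
    """Return the route the FIB would use for `destination_ip`, or None if nothing matches."""
    target = ip_address(destination_ip)
    candidates = [r for r in rib if target in r.network]
    if not candidates:
        return None
    # Assumed tie-break order: longest prefix first, then lowest administrative
    # distance, then lowest metric. The default route (/0) therefore only wins
    # when no more specific prefix covers the destination.
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance, r.metric))


# Constructed RIB: one /16 learned from both OSPF (external) and RIP, a more
# specific /24 from OSPF, a static host route, and a static default route.
SAMPLE_RIB = [
    Route("0.0.0.0/0", "203.0.113.1", "static"),
    Route("10.1.0.0/16", "10.0.0.2", "ospf-ext", metric=20),
    Route("10.1.0.0/16", "10.0.0.3", "rip", metric=2),
    Route("10.1.5.0/24", "10.0.0.4", "ospf-int", metric=50),
    Route("10.1.5.7/32", "10.0.0.5", "static", admin_distance=240),
]

if __name__ == "__main__":
    for dst in ("10.1.9.9", "10.1.5.20", "10.1.5.7", "198.51.100.10"):
        chosen = best_route(SAMPLE_RIB, dst)
        print(dst, "->", f"{chosen.next_hop} ({chosen.protocol})" if chosen else "no route")
```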

Static Route Settings

Name
Enter a name to identify the static route (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Destination
Enter an IP address and network mask in Classless Interdomain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24 for IPv4 or 2001:db8::/32 for IPv6).

Interface
Select the interface to forward packets to the destination, or configure the next hop settings, or both.

Next Hop
Select one of the following:
- IP Address: Select to enter the IP address of the next hop router.
- Next VR: Select to use a virtual router in the firewall as the next hop. This allows you to route internally between virtual routers within a single firewall.
- Discard: Select if you want to drop traffic that is addressed to this destination.
- None: Select if there is no next hop for the route.

Admin Distance
Specify the administrative distance for the static route (10-240; default is 10).

Metric
Specify a valid metric for the static route (1-65535).

Route Table
Select the route table into which the firewall installs the static route:
- Unicast: Installs the route into the unicast route table.
- Multicast: Installs the route into the multicast route table.
- Both: Installs the route into the unicast and multicast route tables.
- No Install: Does not install the route in the route table (RIB); the firewall retains the static route for future reference until you delete the route.

BFD Profile
To enable Bidirectional Forwarding Detection (BFD) for a static route on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
- default (default BFD settings)
- a BFD profile that you have created on the firewall
- New BFD Profile to create a new BFD profile
Select None (Disable BFD) to disable BFD for the static route.
To use BFD on a static route:
- Both the firewall and the peer at the opposite end of the static route must support BFD sessions.
- The static route Next Hop type must be IP Address and you must enter a valid IP address.
- The Interface setting cannot be None; you must select an interface (even if you are using a DHCP address).

Path Monitoring
Select to enable path monitoring for the static route.

Failure Condition
Select the condition under which the firewall considers the monitored path down and thus the static route down:
- Any: If any one of the monitored destinations for the static route is unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.
- All: If all of the monitored destinations for the static route are unreachable by ICMP, the firewall removes the static route from the RIB and FIB and adds the dynamic or static route that has the next lowest metric going to the same destination to the FIB.
Select All to avoid the possibility of a single monitored destination signaling a static route failure when that monitored destination is simply offline for maintenance, for example.

Preemptive Hold Time (min)
Enter the number of minutes a downed path monitor must remain in Up state (the path monitor evaluates all of its member monitored destinations and must remain Up) before the firewall reinstalls the static route into the RIB. If the timer expires without the link going down or flapping, the link is deemed stable, path monitor can remain Up, and the firewall can add the static route back into the RIB.
If the link goes down or flaps during the hold time, path monitor fails and the timer restarts when the downed monitor returns to Up state. A Preemptive Hold Time of zero causes the firewall to reinstall the static route into the RIB
immediatelyuponthepathmonitorcomingup.Rangeis01,440;defaultis2.

Name Enteranameforthemonitoreddestination(upto31characters).

Enable Selecttoenablepathmonitoringofthisspecificdestinationforthestatic
route;thefirewallsendsICMPpingstothisdestination.

SourceIP SelecttheIPaddressthatthefirewallwilluseasthesourceintheICMPping
tothemonitoreddestination:
IftheinterfacehasmultipleIPaddresses,selectone.
Ifyouselectaninterface,thefirewallusesthefirstIPaddressassignedto
theinterfacebydefault.
IfyouselectDHCP (Use DHCP Client address),thefirewallusesthe
addressthatDHCPassignedtotheinterface.ToseetheDHCPaddress,
selectNetwork > Interfaces > Ethernet andintherowfortheEthernet
interface,clickonDynamic DHCP Client.TheIPAddressappearsinthe
DynamicIPInterfaceStatuswindow.

DestinationIP Enterarobust,stableIPaddressoraddressobjectforwhichthefirewallwill
monitorthepath.Themonitoreddestinationandthestaticroutedestination
mustusethesameaddressfamily(IPv4orIPv6)

PingInterval(sec) SpecifytheICMPpingintervalinsecondstodeterminehowfrequentlythe
firewallmonitorsthepath(pingsthemonitoreddestination;rangeis160;
defaultis3).

PingCount SpecifythenumberofconsecutiveICMPpingpacketsthatdonotreturn
fromthemonitoreddestinationbeforethefirewallconsidersthelinkdown.
BasedontheAnyorAllfailurecondition,ifpathmonitoringisinfailedstate,
thefirewallremovesthestaticroutefromtheRIB(rangeis310;defaultis5).
Forexample,aPingIntervalof3secondsandPingCountof5missedpings
(thefirewallreceivesnopinginthelast15seconds)meanspathmonitoring
detectsalinkfailure.Ifpathmonitoringisinfailedstateandthefirewall
receivesapingafter15seconds,thelinkisdeemedup;basedontheAnyor
Allfailurecondition,pathmonitoringtoAnyorAllmonitoreddestinations
canbedeemedup,andthePreemptiveHoldTimestarts.
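The path-monitoring rules above (Failure Condition, Ping Count, Preemptive Hold Time) and the administrative-distance selection from the Administrative Distances table, modelled together in Python as an added example; this is illustrative code written for this section, not Palo Alto Networks code. The destination labels, ping results and the two candidate routes are constructed sample data, and the hold timer is counted down in seconds using the Ping Interval.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Default administrative distances from the Administrative Distances table.
DEFAULT_AD = {"static": 10, "ospf-int": 30, "ospf-ext": 110,
              "ibgp": 200, "ebgp": 20, "rip": 120}


@dataclass
class Route:
    destination: str
    source: str          # key into DEFAULT_AD
    metric: int
    next_hop: str
    admin_distance: Optional[int] = None

    def __post_init__(self) -> None:
        if self.admin_distance is None:
            self.admin_distance = DEFAULT_AD[self.source]
        if not 10 <= self.admin_distance <= 240:
            raise ValueError("administrative distance must be 10-240")


def best_route(routes: List[Route], destination: str) -> Optional[Route]:
    """FIB selection: lowest administrative distance wins, then lowest metric."""
    cands = [r for r in routes if r.destination == destination]
    if not cands:
        return None
    return min(cands, key=lambda r: (r.admin_distance, r.metric))


@dataclass
class PathMonitor:
    """Failure Condition, Ping Interval, Ping Count and Preemptive Hold Time
    for one static route; consecutive misses are tracked per destination."""
    failure_condition: str          # "any" or "all"
    ping_interval: int = 3          # seconds, range 1-60
    ping_count: int = 5             # range 3-10
    preemptive_hold_time: int = 2   # minutes, range 0-1,440
    missed: Dict[str, int] = field(default_factory=dict)
    route_installed: bool = True
    hold_remaining: int = 0         # seconds left on the hold timer

    def __post_init__(self) -> None:
        if self.failure_condition not in ("any", "all"):
            raise ValueError("failure condition must be any or all")
        if not 1 <= self.ping_interval <= 60:
            raise ValueError("ping interval must be 1-60")
        if not 3 <= self.ping_count <= 10:
            raise ValueError("ping count must be 3-10")
        if not 0 <= self.preemptive_hold_time <= 1440:
            raise ValueError("preemptive hold time must be 0-1440")

    def destination_down(self, dest: str) -> bool:
        # Ping Count consecutive misses mark a single destination down.
        return self.missed.get(dest, 0) >= self.ping_count

    def path_failed(self, dests: List[str]) -> bool:
        down = [self.destination_down(d) for d in dests]
        return any(down) if self.failure_condition == "any" else all(down)

    def tick(self, results: Dict[str, bool]) -> bool:
        """Process one Ping Interval. results maps destination -> True when the
        ICMP reply came back. Returns whether the static route is in the RIB."""
        for dest, ok in results.items():
            self.missed[dest] = 0 if ok else self.missed.get(dest, 0) + 1
        if self.path_failed(list(results)):
            # Failed: withdraw the route; the hold timer restarts from full
            # when the monitor next returns to Up.
            self.route_installed = False
            self.hold_remaining = self.preemptive_hold_time * 60
        elif not self.route_installed:
            # Monitor is Up again: run down the Preemptive Hold Time before
            # reinstalling (a hold time of 0 reinstalls on this tick).
            self.hold_remaining -= self.ping_interval
            if self.hold_remaining <= 0:
                self.route_installed = True
        return self.route_installed


def simulate(monitor: PathMonitor, rib: List[Route], monitored: Route,
             rounds: List[Dict[str, bool]]) -> List[Tuple[bool, Optional[str]]]:
    """Feed ping rounds to the monitor and record, per round, whether the
    monitored static route is installed and which next hop the FIB then uses."""
    trace = []
    for results in rounds:
        installed = monitor.tick(results)
        visible = [r for r in rib if installed or r is not monitored]
        best = best_route(visible, monitored.destination)
        trace.append((installed, best.next_hop if best else None))
    return trace


if __name__ == "__main__":
    # Constructed sample: a static route and an OSPF alternative to 10.0.0.0/8,
    # monitored against two destinations with Any, Ping Count 3, hold time 0.
    static = Route("10.0.0.0/8", "static", 10, "192.0.2.1")
    rib = [static, Route("10.0.0.0/8", "ospf-int", 20, "192.0.2.2")]
    mon = PathMonitor("any", ping_interval=3, ping_count=3, preemptive_hold_time=0)
    rounds = ([{"dst-a": True, "dst-b": True}]
              + [{"dst-a": True, "dst-b": False}] * 3
              + [{"dst-a": True, "dst-b": True}])
    for installed, hop in simulate(mon, rib, static, rounds):
        print("static installed" if installed else "static withdrawn", "->", hop)
```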
Route Redistribution

Network > Virtual Router > Redistribution Profiles
Redistribution profiles direct the firewall to filter, set priority, and perform actions based on desired network behavior. Route redistribution allows static routes and routes that are acquired by other protocols to be advertised through specified routing protocols.
Redistribution profiles must be applied to routing protocols in order to take effect. Without redistribution rules, each protocol runs separately and does not communicate outside its purview. Redistribution profiles can be added or modified after all routing protocols are configured and the resulting network topology is established.
Apply redistribution profiles to the RIP and OSPF protocols by defining export rules. Apply redistribution profiles to BGP in the Redistribution Rules tab. Refer to the following table.

Redistribution Profile Settings   Description

Name
    Add a Redistribution Profile and enter the profile name.

Priority
    Enter a priority (range is 1-255) for this profile. Profiles are matched in order (lowest number first).

Redistribute
    Choose whether to perform route redistribution based on the settings in this window.
    - Redist: Select to redistribute matching candidate routes. If you select this option, enter a new metric value. A lower metric value means a more preferred route.
    - No Redist: Select to not redistribute matching candidate routes.

General Filter Tab

Type
    Select the route types of the candidate route.

Interface
    Select the interfaces to specify the forwarding interfaces of the candidate route.

Destination
    To specify the destination of the candidate route, enter the destination IP address or subnet (format x.x.x.x or x.x.x.x/n) and click Add. To remove an entry, click remove.

Next Hop
    To specify the gateway of the candidate route, enter the IP address or subnet (format x.x.x.x or x.x.x.x/n) that represents the next hop and click Add. To remove an entry, click remove.

OSPF Filter Tab

Path Type
    Select the route types of the candidate OSPF route.

Area
    Specify the area identifier for the candidate OSPF route. Enter the OSPF area ID (format x.x.x.x), and click Add. To remove an entry, click remove.

Tag
    Specify OSPF tag values. Enter a numeric tag value (1-255), and click Add. To remove an entry, click remove.

BGP Filter Tab

Community
    Specify a community for BGP routing policy.

Extended Community
    Specify an extended community for BGP routing policy.
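How a set of redistribution profiles decides which candidate routes are redistributed, as an added Python example (written for this section, not Palo Alto Networks code): profiles are tried lowest priority number first, the first profile whose General Filter matches decides Redist or No Redist, and a Redist profile stamps its new metric on the route. The profile names, interface names and routes below are constructed sample data; the example handles IPv4 host and prefix filters on Destination and Next Hop.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Candidate:
    """A route in the virtual router that a profile may select."""
    prefix: str        # x.x.x.x/n
    route_type: str    # compared with the General Filter Type
    interface: str
    next_hop: str
    metric: int


@dataclass
class RedistProfile:
    name: str
    priority: int                 # 1-255, lowest number matched first
    action: str                   # "redist" or "no-redist"
    new_metric: Optional[int] = None
    # General Filter fields; an empty list means "match any".
    types: List[str] = field(default_factory=list)
    interfaces: List[str] = field(default_factory=list)
    destinations: List[str] = field(default_factory=list)  # x.x.x.x or x.x.x.x/n
    next_hops: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 255:
            raise ValueError("priority must be 1-255")
        if self.action not in ("redist", "no-redist"):
            raise ValueError("action must be redist or no-redist")
        if self.action == "redist" and self.new_metric is None:
            raise ValueError("Redist requires a new metric value")

    def matches(self, c: Candidate) -> bool:
        return ((not self.types or c.route_type in self.types)
                and (not self.interfaces or c.interface in self.interfaces)
                and covered_by(c.prefix, self.destinations)
                and covered_by(c.next_hop, self.next_hops))


def covered_by(addr: str, specs: List[str]) -> bool:
    """True when the filter list is empty or addr (a host or a prefix) lies
    inside one of the listed x.x.x.x / x.x.x.x/n entries."""
    if not specs:
        return True
    net = ipaddress.ip_network(addr, strict=False)
    for spec in specs:
        filt = ipaddress.ip_network(spec, strict=False)
        if net.version == filt.version and net.subnet_of(filt):
            return True
    return False


def apply_profiles(profiles: List[RedistProfile],
                   candidates: List[Candidate]) -> List[Tuple[str, int, str]]:
    """Return (prefix, new metric, profile name) for every candidate the
    profile set redistributes. Profiles are tried lowest priority number first
    and the first match decides; an unmatched route is not redistributed."""
    ordered = sorted(profiles, key=lambda p: p.priority)
    exported = []
    for cand in candidates:
        for prof in ordered:
            if prof.matches(cand):
                if prof.action == "redist":
                    exported.append((cand.prefix, prof.new_metric, prof.name))
                break
    return exported


if __name__ == "__main__":
    # Constructed sample: keep an internal management prefix out of RIP,
    # then redistribute every other static route with metric 5.
    profiles = [
        RedistProfile("static-to-rip", priority=10, action="redist",
                      new_metric=5, types=["static"]),
        RedistProfile("hold-mgmt", priority=5, action="no-redist",
                      destinations=["10.255.0.0/16"]),
    ]
    routes = [
        Candidate("10.255.1.0/24", "static", "ethernet1/1", "192.0.2.1", 10),
        Candidate("10.1.0.0/16", "static", "ethernet1/2", "192.0.2.2", 10),
        Candidate("10.2.0.0/16", "ospf", "ethernet1/3", "192.0.2.3", 20),
    ]
    for prefix, metric, name in apply_profiles(profiles, routes):
        print(f"{prefix} redistributed with metric {metric} by {name}")
```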
RIP

Network > Virtual Routers > RIP
Configuring the Routing Information Protocol (RIP) includes the following general settings:

RIP Settings   Description

Enable
    Select to enable RIP.

Reject Default Route
    (Recommended) Select if you do not want to learn any default routes through RIP.

BFD
    To enable Bidirectional Forwarding Detection (BFD) for RIP globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
    - default (profile with the default BFD settings)
    - a BFD profile that you have created on the firewall
    - New BFD Profile to create a new BFD profile
    Select None (Disable BFD) to disable BFD for all RIP interfaces on the virtual router; you cannot enable BFD for a single RIP interface.

In addition, RIP settings on the following tabs must be configured:
- Interfaces: See RIP Interfaces Tab.
- Timers: See RIP Timers Tab.
- Auth Profiles: See RIP Auth Profiles Tab.
- Export Rules: See RIP Export Rules Tab.

RIP Interfaces Tab

Network > Virtual Routers > RIP > Interfaces
Use the following fields to configure RIP interfaces:

RIP Interface Settings   Description

Interface
    Select the interface that runs the RIP protocol.

Enable
    Select to enable these settings.

Advertise
    Select to enable advertisement of a default route to RIP peers with the specified metric value.

Metric
    Specify a metric value for the router advertisement. This field is visible only if you enable Advertise.

Auth Profile
    Select the profile.

Mode
    Select normal, passive, or send-only.

BFD
    To enable BFD for a RIP interface (and thereby override the BFD setting for RIP, as long as BFD is not disabled for RIP at the virtual router level), select one of the following:
    - default (profile with the default BFD settings)
    - a BFD profile that you created on the firewall
    - New BFD Profile to create a new BFD profile
    Select None (Disable BFD) to disable BFD for the RIP interface.

RIP Timers Tab

Network > Virtual Router > RIP > Timers
The following table describes the timers that control RIP route updates and expirations.

RIP Timer Settings   Description

RIP Timing

Interval Seconds (sec)
    Define the length of the timer interval in seconds. This duration is used for the remaining RIP timing fields (range is 1-60).

Update Intervals
    Enter the number of intervals between route update announcements (range is 1-3,600).

Expire Intervals
    Enter the number of intervals between the time that the route was last updated to its expiration (range is 1-3,600).

Delete Intervals
    Enter the number of intervals between the time that the route expires to its deletion (range is 1-3,600).

RIP Auth Profiles Tab

Network > Virtual Router > RIP > Auth Profiles
By default, the firewall does not authenticate RIP messages between neighbors. To authenticate RIP messages between neighbors, create an authentication profile and apply it to an interface running RIP on a virtual router. The following table describes the settings for the Auth Profiles tab.

RIP Auth Profile Settings   Description

Profile Name
    Enter a name for the authentication profile to authenticate RIP messages.

Password Type
    Select the type of password (Simple or MD5).
    - If you select Simple, enter the simple password and then confirm it.
    - If you select MD5, enter one or more password entries, including Key-ID (0-255), Key, and optional Preferred status. Click Add for each entry, and then click OK. To specify the key to be used to authenticate outgoing messages, select the Preferred option.

RIP Export Rules Tab

Network > Virtual Router > RIP > Export Rules
RIP export rules allow you to control which routes the virtual router sends to peers.

RIP Export Rules Settings   Description

Allow Redistribute Default Route
    Select to permit the firewall to redistribute its default route to peers.

Redistribution Profile
    Click Add and select or create a redistribution profile that allows you to modify route redistribution, filter, priority, and action based on the desired network behavior. Refer to Route Redistribution.

OSPF

Network > Virtual Router > OSPF
Configuring the Open Shortest Path First (OSPF) protocol requires you to configure the following general settings (except BFD, which is optional):

OSPF Settings   Description

Enable
    Select to enable the OSPF protocol.

Reject Default Route
    (Recommended) Select if you do not want to learn any default routes through OSPF.

Router ID
    Specify the router ID associated with the OSPF instance in this virtual router. The OSPF protocol uses the router ID to uniquely identify the OSPF instance.

BFD
    To enable Bidirectional Forwarding Detection (BFD) for OSPF globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
    - default (default BFD settings)
    - a BFD profile that you have created on the firewall
    - New BFD Profile to create a new BFD profile
    Select None (Disable BFD) to disable BFD for all OSPF interfaces on the virtual router; you cannot enable BFD for a single OSPF interface.

In addition, you must configure OSPF settings on the following tabs:
- Areas: See OSPF Areas Tab.
- Auth Profiles: See OSPF Auth Profiles Tab.
- Export Rules: See OSPF Export Rules Tab.
- Advanced: See OSPF Advanced Tab.

OSPF Areas Tab

Network > Virtual Router > OSPF > Areas
The following fields describe the OSPF area settings:

OSPF Areas Settings   Description

Areas

Area ID
    Configure the area over which the OSPF parameters can be applied. Enter an identifier for the area in x.x.x.x format. This is the identifier that each neighbor must accept to be part of the same area.

Type
    Select one of the following options.
    - Normal: There are no restrictions; the area can carry all types of routes.
    - Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, select Accept Summary if you want to accept this type of link state advertisement (LSA) from other areas. Also, specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (range is 1-255).
      If the Accept Summary option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
    - NSSA (Not-So-Stubby Area): It is possible to leave the area directly, but only by routes other than OSPF routes. If you select this option, select Accept Summary if you want to accept this type of LSA. Select Advertise Default Route to specify whether to include a default route LSA in advertisements to the stub area along with the associated metric value (1-255). Also, select the route type used to advertise the default LSA. Click Add in the External Ranges section and enter ranges if you want to enable or suppress advertising external routes that are learned through NSSA to other areas.

Range
    Click Add to aggregate LSA destination addresses in the area into subnets. Enable or suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.

Interface
    Add an interface to be included in the area and enter the following information:
    - Interface: Choose the interface.
    - Enable: Cause the OSPF interface settings to take effect.
    - Passive: Select if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
    - Link type: Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
    - Metric: Enter the OSPF metric for this interface (0-65,535).
    - Priority: Enter the OSPF priority for this interface (0-255). It is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
    - Auth Profile: Select a previously defined authentication profile.
    - BFD: To enable Bidirectional Forwarding Detection (BFD) for an OSPF peer interface (and thereby override the BFD setting for OSPF, as long as BFD is not disabled for OSPF at the virtual router level), select one of the following: default (default BFD settings), a BFD profile that you have created on the firewall, or New BFD Profile to create a new BFD profile. Select None (Disable BFD) to disable BFD for the OSPF peer interface.
    - Hello Interval (sec): Interval, in seconds, at which the OSPF process sends hello packets to its directly connected neighbors (range is 0-3600; default is 10).
    - Dead Counts: Number of times the hello interval can occur for a neighbor without OSPF receiving a hello packet from the neighbor, before OSPF considers that neighbor down. The Hello Interval multiplied by the Dead Counts equals the value of the dead timer (range is 3-20; default is 4).
    - Retransmit Interval (sec): Length of time, in seconds, that OSPF waits to receive a link state advertisement (LSA) from a neighbor before OSPF retransmits the LSA (range is 0-3,600; default is 10).
    - Transit Delay (sec): Length of time, in seconds, that an LSA is delayed before it is sent out of an interface (range is 0-3,600; default is 1).
    - Graceful Restart Hello Delay (sec): Applies to an OSPF interface when Active/Passive High Availability is configured. Graceful Restart Hello Delay is the length of time during which the firewall sends Grace LSA packets at 1-second intervals. During this time, no hello packets are sent from the restarting firewall. During the restart, the dead timer (which is the Hello Interval multiplied by the Dead Counts) is also counting down. If the dead timer is too short, the adjacency will go down during the graceful restart because of the hello delay. Therefore, it is recommended that the dead timer be at least four times the value of the Graceful Restart Hello Delay. For example, a Hello Interval of 10 seconds and a Dead Counts of 4 yield a dead timer of 40 seconds. If the Graceful Restart Hello Delay is set to 10 seconds, that 10-second delay of hello packets is comfortably within the 40-second dead timer, so the adjacency will not time out during a graceful restart (range is 1-10; default is 10).

Virtual Link
    Configure the virtual link settings to maintain or enhance backbone area connectivity. The settings must be defined for area border routers, and must be defined within the backbone area (0.0.0.0). Click Add, enter the following information for each virtual link to be included in the backbone area, and click OK.
    - Name: Enter a name for the virtual link.
    - Neighbor ID: Enter the router ID of the router (neighbor) on the other side of the virtual link.
    - Transit Area: Enter the area ID of the transit area that physically contains the virtual link.
    - Enable: Select to enable the virtual link.
    - Timing: It is recommended that you keep the default timing settings.
    - Auth Profile: Select a previously defined authentication profile.
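A check for the OSPF interface timer relationship described above (dead timer = Hello Interval x Dead Counts, which should be at least four times the Graceful Restart Hello Delay), as an added Python example written for this section, not Palo Alto Networks code. The ranges and defaults are taken from the Interface row of the OSPF Areas table; the timer sets fed to the check are constructed samples.

```python
from math import ceil
from typing import Dict, List

# (minimum, maximum, default) for each timer, from the OSPF Areas table.
RANGES = {
    "hello_interval": (0, 3600, 10),
    "dead_counts": (3, 20, 4),
    "retransmit_interval": (0, 3600, 10),
    "transit_delay": (0, 3600, 1),
    "gr_hello_delay": (1, 10, 10),
}
# Recommended ratio from the Graceful Restart Hello Delay description.
DEAD_TIMER_TO_GR_DELAY = 4


def dead_timer(hello_interval: int, dead_counts: int) -> int:
    """Dead timer in seconds: Hello Interval multiplied by Dead Counts."""
    return hello_interval * dead_counts


def check_ospf_interface_timers(settings: Dict[str, int]) -> List[str]:
    """Return findings for one OSPF interface timer set. Missing keys take
    the web interface defaults; out-of-range values are reported first, and a
    valid set is then checked for a dead timer shorter than four times the
    Graceful Restart Hello Delay."""
    values = {k: settings.get(k, RANGES[k][2]) for k in RANGES}
    findings = []
    for key, (lo, hi, _default) in RANGES.items():
        if not lo <= values[key] <= hi:
            findings.append(f"{key}={values[key]} outside range {lo}-{hi}")
    if findings:
        return findings   # do not reason about a timer set that is invalid
    dt = dead_timer(values["hello_interval"], values["dead_counts"])
    needed = DEAD_TIMER_TO_GR_DELAY * values["gr_hello_delay"]
    if dt < needed:
        findings.append(
            f"dead timer {dt}s < {needed}s (4 x GR hello delay "
            f"{values['gr_hello_delay']}s): adjacency may drop during graceful restart")
    return findings


def min_hello_interval(dead_counts: int, gr_hello_delay: int) -> int:
    """Smallest Hello Interval that keeps the dead timer at or above
    4 x Graceful Restart Hello Delay for the given Dead Counts."""
    return ceil(DEAD_TIMER_TO_GR_DELAY * gr_hello_delay / dead_counts)


if __name__ == "__main__":
    # Constructed timer sets: the guide's own example (10 s x 4 = 40 s with a
    # 10 s GR delay), an aggressive tuning that breaks the recommendation,
    # and a value outside the permitted range.
    samples = {
        "guide defaults": {},
        "fast hellos": {"hello_interval": 2, "dead_counts": 3, "gr_hello_delay": 10},
        "bad dead counts": {"dead_counts": 25},
    }
    for name, cfg in samples.items():
        print(name, "->", check_ospf_interface_timers(cfg) or ["ok"])
    print("min hello for dead counts 3, GR delay 10:", min_hello_interval(3, 10))
```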

OSPFAuthProfilesTab

Network>VirtualRouter>OSPF>AuthProfiles
ThefollowingfieldsdescribetheOSPFauthenticationprofilesettings:

OSPFAuthProfile Description
Settings

ProfileName Enteranamefortheauthenticationprofile.ToauthenticatetheOSPF
messages,firstdefinetheauthenticationprofilesandthenapplythemto
interfacesontheOSPFtab.

PasswordType Selectthetypeofpassword(simpleorMD5).
IfyouselectSimple,enterthepassword.
IfyouselectMD5,enteroneormorepasswordentries,includingKey-ID
(0255),Key,andoptionalPreferredstatus.ClickAddforeachentry,and
thenclickOK.Tospecifythekeytobeusedtoauthenticateoutgoing
message,selectthePreferredoption.

PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 271


Network>VirtualRouters Network

OSPFExportRulesTab

Network>VirtualRouter>OSPF>ExportRules
ThefollowingtabledescribesthefieldstoexportOSPFroutes:

OSPFExportRules Description
Settings

AllowRedistributeDefault SelecttopermitredistributionofdefaultroutesthroughOSPF.
Route

Name Selectthenameofaredistributionprofile.ThevaluemustbeanIPsubnetor
validredistributionprofilename.

NewPathType Choosethemetrictypetoapply.

NewTag Specifyatagforthematchedroutethathasa32bitvalue.

Metric (Optional)Specifytheroutemetrictobeassociatedwiththeexportedroute
andusedforpathselection(rangeis165,535).

272 PANOS8.0WebInterfaceReferenceGuide PaloAltoNetworks,Inc.


Network Network>VirtualRouters

OSPFAdvancedTab

Network>VirtualRouter>OSPF>Advanced
ThefollowingfieldsdescribeRFC1583compatibility,OSPFtimers,andgracefulrestart:

OSPFAdvancedSettings Description

RFC1583Compatibility SelecttoensurecompatibilitywithRFC1583(OSPFVersion2).

Timers SPF Calculation Delay (sec)Allowsyoutotunethedelaytimebetween


receivingnewtopologyinformationandperforminganSPFcalculation.
LowervaluesenablefasterOSPFreconvergence.Routerspeeringwith
thefirewallshouldbetunedinasimilarmannertooptimizeconvergence
times.
LSA Interval (sec)Specifiestheminimumtimebetweentransmissionsof
twoinstancesofthesameLSA(samerouter,sametype,sameLSAID).This
isequivalenttoMinLSIntervalinRFC2328.Lowervaluescanbeusedto
reducereconvergencetimeswhentopologychangesoccur.

GracefulRestart Enable Graceful RestartEnabledbydefault,afirewallenabledforthis


featurewillinstructneighboringrouterstocontinueusingaroutethrough
thefirewallwhileatransitiontakesplacethatrendersthefirewall
temporarilydown.
Enable Helper ModeEnabledbydefault,afirewallenabledforthismode
continuestoforwardtoanadjacentdevicewhenthatdeviceisrestarting.
Enable Strict LSA CheckingEnabledbydefault,thisfeaturecausesan
OSPFhelpermodeenabledfirewalltoexithelpermodeifatopology
changeoccurs.
Grace Period (sec)Periodoftime,inseconds,thatpeerdevicesshould
continuetoforwardtothisfirewallwhileadjacenciesarebeing
reestablishedortherouterisbeingrestarted(rangeis51,800;defaultis
120).
Max Neighbor Restart TimeMaximumgraceperiod,inseconds,thatthe
firewallwillacceptasahelpmoderouter.Ifthepeerdevicesoffersa
longergraceperiodinitsgraceLSA,thefirewallwillnotenterhelpermode
(rangeis51,800;defaultis140).

PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 273


Network>VirtualRouters Network

OSPFv3

Network>VirtualRouter>OSPFv3
ConfiguringtheOpenShortestPathFirstv3(OSPFv3)protocolrequiresconfiguringthefirstthreesettings
inthefollowingtable(BFDisoptional):

OSPFv3Settings Description

Enable SelecttoenabletheOSPFprotocol.

RejectDefaultRoute SelectifyoudonotwanttolearnanydefaultroutesthroughOSPF.

RouterID SpecifytherouterIDassociatedwiththeOSPFinstanceinthisvirtualrouter.
TheOSPFprotocolusestherouterIDtouniquelyidentifytheOSPF
instance.

BFD ToenableBidirectionalForwardingDetection(BFD)forOSPFv3globallyfor
thevirtualrouteronaPA3000Series,PA5000Series,PA5200Series,
PA7000Series,andVMSeriesfirewall,selectoneofthefollowing:
default(defaultBFDsettings)
aBFDprofilethatyouhavecreatedonthefirewall
New BFD ProfiletocreateanewBFDprofile
(SelectNone (Disable BFD)todisableBFDforallOSPFv3interfaceson
thevirtualrouter;youcannotenableBFDforasingleOSPFv3interface.)

Inaddition,configureOSPFv3settingsonthefollowingtabs:
Areas:SeeOSPFv3AreasTab.

Auth Profiles:SeeOSPFv3AuthProfilesTab.

Export Rules:SeeOSPFv3ExportRulesTab.

Advanced:SeeOSPFv3AdvancedTab.

274 PANOS8.0WebInterfaceReferenceGuide PaloAltoNetworks,Inc.


Network Network>VirtualRouters

OSPFv3AreasTab

Network>VirtualRouter>OSPFv3>Areas
ThefollowingfieldsdescribeOSPFv3areas:

OSPv3AreasSettings Description

Authentication SelectthenameoftheAuthenticationprofilethatyouwanttospecifyfor
thisOSPFarea.

Type Selectoneofthefollowing:
NormalTherearenorestrictions;theareacancarryalltypesofroutes.
StubThereisnooutletfromthearea.Toreachadestinationoutsideof
thearea,itisnecessarytogothroughtheborder,whichconnectstoother
areas.Ifyouselectthisoption,selectAccept Summaryifyouwantto
acceptthistypeoflinkstateadvertisement(LSA)fromotherareas.Also,
specifywhethertoincludeadefaultrouteLSAinadvertisementstothe
stubareaalongwiththeassociatedmetricvalue(1255).
IftheAccept SummaryoptiononastubareaAreaBorderRouter(ABR)
interfaceisdisabled,theOSPFareawillbehaveasaTotallyStubbyArea
(TSA)andtheABRwillnotpropagateanysummaryLSAs.
NSSA(NotSoStubbyArea)Itispossibletoleavetheareadirectly,but
onlybyroutesotherthanOSPFroutes.Ifyouselectthisoption,select
Accept SummaryifyouwanttoacceptthistypeofLSA.Specifywhether
toincludeadefaultrouteLSAinadvertisementstothestubareaalong
withtheassociatedmetricvalue(1255).Also,selecttheroutetypeused
toadvertisethedefaultLSA.ClickAddintheExternal Rangessectionand
enterrangesifyouwanttoenableorsuppressadvertisingexternalroutes
thatarelearnedthroughNSSAtootherareas

Range ClickAddtoaggregateLSAdestinationIPv6addressesintheareabysubnet.
EnableorsuppressadvertisingLSAsthatmatchthesubnet,andclickOK.
Repeattoaddadditionalranges.

PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 275


Network>VirtualRouters Network

OSPv3AreasSettings Description

Interface ClickAddandenterthefollowinginformationforeachinterfacetobe
includedinthearea,andclickOK.
InterfaceChoosetheinterface.
EnableCausetheOSPFinterfacesettingstotakeeffect.
Instance ID EnteranOSPFv3instanceIDnumber.
PassiveSelecttoifyoudonotwanttheOSPFinterfacetosendor
receiveOSPFpackets.AlthoughOSPFpacketsarenotsentorreceivedif
youchoosethisoption,theinterfaceisincludedintheLSAdatabase.
Link typeChooseBroadcastifyouwantallneighborsthatareaccessible
throughtheinterfacetobediscoveredautomaticallybymulticasting
OSPFhellomessages,suchasanEthernetinterface.Choosep2p
(pointtopoint)toautomaticallydiscovertheneighbor.Choosep2mp
(pointtomultipoint)whenneighborsmustbedefinedmanually.Defining
neighborsmanuallyisallowedonlyforp2mpmode.
MetricEntertheOSPFmetricforthisinterface(065,535).
PriorityEntertheOSPFpriorityforthisinterface(0255).Itisthe
priorityfortheroutertobeelectedasadesignatedrouter(DR)orasa
backupDR(BDR)accordingtotheOSPFprotocol.Whenthevalueiszero,
therouterwillnotbeelectedasaDRorBDR.
Auth ProfileSelectapreviouslydefinedauthenticationprofile.
BFDToenableBidirectionalForwardingDetection(BFD)foranOSPFv3
peerinterface(andtherebyoverridetheBFDsettingforOSPFv3,aslong
asBFDisnotdisabledforOSPFv3atthevirtualrouterlevel),selectone
ofthefollowing:
default(defaultBFDsettings)
aBFDprofilethatyouhavecreatedonthefirewall
New BFD ProfiletocreateanewBFDprofile
SelectNone (Disable BFD)todisableBFDfortheOSPFv3peer
interface.
Hello Interval (sec)Interval,inseconds,atwhichtheOSPFprocess
sendshellopacketstoitsdirectlyconnectedneighbors(rangeis03,600;
defaultis10).
Dead CountsNumberoftimesthehellointervalcanoccurforaneighbor
withoutOSPFreceivingahellopacketfromtheneighbor,beforeOSPF
considersthatneighbordown.TheHello IntervalmultipliedbytheDead
Countsequalsthevalueofthedeadtimer(rangeis320;defaultis4).
Retransmit Interval (sec)Lengthoftime,inseconds,thatOSPFwaitsto
receivealinkstateadvertisement(LSA)fromaneighborbeforeOSPF
retransmitstheLSA(rangeis03,600;defaultis10).
Transit Delay (sec)Lengthoftime,inseconds,thatanLSAisdelayed
beforethefirewallsendsitoutofaninterface(rangeis03,600;default
is 1).

276 PANOS8.0WebInterfaceReferenceGuide PaloAltoNetworks,Inc.


Network Network>VirtualRouters

OSPv3AreasSettings Description

Interface(continued) Graceful Restart Hello Delay (sec)AppliestoanOSPFinterfacewhen


Active/PassiveHighAvailabilityisconfigured.Graceful Restart Hello
DelayisthelengthoftimeduringwhichthefirewallsendsGraceLSA
packetsat1secondintervals.Duringthistime,nohellopacketsaresent
fromtherestartingfirewall.Duringtherestart,thedeadtimer(whichisthe
Hello IntervalmultipliedbytheDead Counts)isalsocountingdown.Ifthe
deadtimeristooshort,theadjacencywillgodownduringthegraceful
restartbecauseofthehellodelay.Therefore,itisrecommendedthatthe
deadtimerbeatleastfourtimesthevalueoftheGraceful Restart Hello
Delay.Forexample,aHello Intervalof10secondsandaDead Countsof
4yieldadeadtimerof40seconds.IftheGraceful Restart Hello Delayis
setto10seconds,that10seconddelayofhellopacketsiscomfortably
withinthe40seconddeadtimer,sotheadjacencywillnottimeoutduring
agracefulrestart(rangeis110;defaultis10).
NeighborsForp2pmpinterfaces,entertheneighborIPaddressforall
neighborsthatarereachablethroughthisinterface.

VirtualLinks Configurethevirtuallinksettingstomaintainorenhancebackbonearea
connectivity.Thesettingsmustbedefinedforareaboarderrouters,and
mustbedefinedwithinthebackbonearea(0.0.0.0).ClickAdd,enterthe
followinginformationforeachvirtuallinktobeincludedinthebackbone
area,andclickOK.
NameEnteranameforthevirtuallink.
Instance IDEnteranOSPFv3instanceIDnumber.
Neighbor IDEntertherouterIDoftherouter(neighbor)ontheother
sideofthevirtuallink.
Transit AreaEntertheareaIDofthetransitareathatphysicallycontains
thevirtuallink.
EnableSelecttoenablethevirtuallink.
TimingItisrecommendedthatyoukeepthedefaulttimingsettings.
Auth ProfileSelectapreviouslydefinedauthenticationprofile.

PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 277


Network>VirtualRouters Network

OSPFv3AuthProfilesTab

Network>VirtualRouter>OSPFv3>AuthProfiles
UsethefollowingfieldstoconfigureauthenticationforOSPFv3.

OSPFv3AuthProfile Description
Settings

ProfileName Enteranamefortheauthenticationprofile.ToauthenticatetheOSPF
messages,firstdefinetheauthenticationprofilesandthenapplythemto
interfacesontheOSPFtab.

SPI Specifythesecurityparameterindex(SPI)forpackettraversalfromthe
remotefirewalltothepeer.

Protocol Specifyeitherofthefollowingprotocols:
ESPEncapsulatingSecurityPayloadprotocol.
AHAuthenticationHeaderprotocol

CryptoAlgorithm Specifyoneofthefollowing
NoneNocryptoalgorithmwillbeused.
SHA1(default)SecureHashAlgorithm1.
SHA256SecureHashAlgorithm2.Asetoffourhashfunctionswitha
256bitdigest.
SHA384SecureHashAlgorithm2.Asetoffourhashfunctionswitha
384bitdigest.
SHA512SecureHashAlgorithm2.Asetoffourhashfunctionswitha
512bitdigest.
MD5TheMD5messagedigestalgorithm.

Key/ConfirmKey Enterandconfirmanauthenticationkey.

Encryption(ESPprotocol Specifyoneofthefollowing:
only) 3des(default)appliesTripleDataEncryptionAlgorithm(3DES)using
threecryptographickeysof56bits.
aes-128-cbcappliestheAdvancedEncryptionStandard(AES)using
cryptographickeysof128bits.
aes-192-cbcappliestheAdvancedEncryptionStandard(AES)using
cryptographickeysof192bits.
aes-256-cbcappliestheAdvancedEncryptionStandard(AES)using
cryptographickeysof256bits.
nullNoencryptionisused.

Key/ConfirmKey Enterandconfirmanencryptionkey.

278 PANOS8.0WebInterfaceReferenceGuide PaloAltoNetworks,Inc.


Network Network>VirtualRouters

OSPFv3ExportRulesTab

Network>VirtualRouter>OSPFv3>ExportRules
UsethefollowingfieldstoexportOSPFv3routes.

OSPFv3ExportRules Description
Settings

AllowRedistributeDefault SelecttopermitredistributionofdefaultroutesthroughOSPF.
Route

Name Selectthenameofaredistributionprofile.ThevaluemustbeanIPsubnetor
validredistributionprofilename.

NewPathType Choosethemetrictypetoapply.

NewTag Specifyatagforthematchedroutethathasa32bitvalue.

Metric (Optional)Specifytheroutemetrictobeassociatedwiththeexportedroute
andusedforpathselection(rangeis165,535).

PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 279


Network>VirtualRouters Network

OSPFv3AdvancedTab

Network>VirtualRouter>OSPFv3>Advanced
UsethefollowingfieldstodisabletransitroutingforSPFcalculations,configureOSPFv3timers,and
configuregracefulrestartforOSPFv3.

OSPFv3Advanced Description
Settings

DisableTransitRoutingfor SelectifyouwanttosettheRbitinrouterLSAssentfromthisfirewallto
SPFCalculation indicatethatthefirewallisnotactive.Wheninthisstate,thefirewall
participatesinOSPFv3butotherroutersdonotsendtransittraffic.Inthis
state,localtrafficwillstillbeforwardedtothefirewall.Thisisusefulwhile
performingmaintenancewithadualhomednetworkbecausetrafficcanbe
reroutedaroundthefirewallwhileitcanstillbereached.

Timers SPF Calculation Delay (sec)Thisisadelaytimerallowingyoutotunethe


delaytimebetweenreceivingnewtopologyinformationandperformingan
SPFcalculation.LowervaluesenablefasterOSPFreconvergence.Routers
peeringwiththefirewallshouldbetunedinasimilarmannertooptimize
convergencetimes.
LSA Interval (sec)Theoptionspecifiestheminimumtimebetween
transmissionsoftwoinstancesofthesameLSA(samerouter,sametype,
sameLSAID).ThisisequivalenttoMinLSIntervalinRFC2328.Lower
valuescanbeusedtoreducereconvergencetimeswhentopology
changesoccur.

GracefulRestart Enable Graceful RestartEnabledbydefault,afirewallenabledforthis


featurewillinstructneighboringrouterstocontinueusingaroutethrough
thefirewallwhileatransitiontakesplacethatrendersthefirewall
temporarilydown.
Enable Helper ModeEnabledbydefault,afirewallenabledforthismode
continuestoforwardtoanadjacentdevicewhenthatdeviceisrestarting.
Enable Strict LSA CheckingEnabledbydefault,thisfeaturecausesan
OSPFhelpermodeenabledfirewalltoexithelpermodeifatopology
changeoccurs.
Grace Period (sec)Theperiodoftime,inseconds,thatpeerdevices
continuetoforwardtothisfirewallwhileadjacenciesarebeing
reestablishedorwhiletherouterisbeingrestarted(rangeis51,800;
defaultis120).
Max Neighbor Restart TimeThemaximumgraceperiod,inseconds,that
thefirewallwillacceptasahelpmoderouter.Ifthepeerdevicesoffersa
longergraceperiodinitsgraceLSA,thefirewallwillnotenterhelpermode
(rangeis5800;defaultis140).

280 PANOS8.0WebInterfaceReferenceGuide PaloAltoNetworks,Inc.


Network Network>VirtualRouters

BGP

Network > Virtual Router > BGP
Configuring Border Gateway Protocol (BGP) requires you to configure Basic BGP Settings to enable BGP and configure the Router ID and AS Number as described in the following table. In addition, you must configure a BGP peer as part of a BGP peer group.
Configure the remaining BGP settings on the following tabs as needed for your network:
- General: See BGP General Tab.
- Advanced: See BGP Advanced Tab.
- Peer Group: See BGP Peer Group Tab.
- Import: See BGP Import and Export Tabs.
- Export: See BGP Import and Export Tabs.
- Conditional Adv: See BGP Conditional Adv Tab.
- Aggregate: See BGP Aggregate Tab.
- Redist Rules: See BGP Redist Rules Tab.

Basic BGP Settings

To use BGP on a virtual router, you must enable BGP and configure the Router ID and AS Number; enabling BFD is optional.

BGP Settings

Enable BGP: Select to enable BGP.

Router ID: Enter the IP address to assign to the virtual router.

AS Number: Enter the number of the AS to which the virtual router belongs, based on the router ID (range is 1-4,294,967,295).

BFD: To enable Bidirectional Forwarding Detection (BFD) for BGP globally for the virtual router on a PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, or VM-Series firewall, select one of the following:
- default (default BFD settings)
- an existing BFD profile on the firewall
- create a New BFD Profile
Select None (Disable BFD) to disable BFD for all BGP interfaces on the virtual router; you cannot enable BFD for a single BGP interface.
If you enable or disable BFD globally, all interfaces running BGP are taken down and brought back up with the BFD function, which can disrupt BGP traffic. Therefore, enable BFD on BGP interfaces during an off-peak time when reconvergence does not impact production traffic.


BGP General Tab

Network > Virtual Router > BGP > General
Use the following fields to configure general BGP settings.

BGP General Settings (configure in BGP > General)

Reject Default Route: Select to ignore any default routes that are advertised by BGP peers.

Install Route: Select to install BGP routes in the global routing table.

Aggregate MED: Select to enable route aggregation even when routes have different Multi-Exit Discriminator (MED) values.

Default Local Preference: Specifies a value that the firewall can use to determine preferences among different paths.

AS Format: Select the 2-byte (default) or 4-byte format. This setting is configurable for interoperability purposes.

Always Compare MED: Enable MED comparison for paths from neighbors in different autonomous systems.

Deterministic MED Comparison: Enable MED comparison to choose between routes that are advertised by iBGP peers (BGP peers in the same autonomous system).

Auth Profiles: Add a new auth profile and configure the following settings:
- Profile Name: Enter a name to identify the profile.
- Secret/Confirm Secret: Enter and confirm a passphrase for BGP peer communications.
Delete profiles when you no longer need them.


BGP Advanced Tab

Network > Virtual Router > BGP > Advanced
Advanced BGP settings include a variety of capabilities. You can run ECMP over multiple BGP autonomous systems. You can require eBGP peers to list their own AS as the first AS in an AS_PATH attribute (to prevent spoofed Update packets). You can configure BGP graceful restart, a means by which BGP peers indicate whether they can preserve forwarding state during a BGP restart to minimize the consequences of routes flapping (going up and down). You can configure route reflectors and AS confederations, which are two methods to avoid having a full mesh of BGP peerings in an AS. You can configure route dampening to prevent unnecessary router convergence when a BGP network is unstable and routes are flapping.

BGP Advanced Settings (configure in BGP > Advanced)

ECMP Multiple AS Support: Select if you enable ECMP for a virtual router and you want to run ECMP over multiple BGP autonomous systems.

Enforce First AS for EBGP: Causes the firewall to drop an incoming Update packet from an eBGP peer that doesn't list the eBGP peer's own AS number as the first AS number in the AS_PATH attribute. This prevents BGP from further processing a spoofed or erroneous Update packet that arrives from an AS other than a neighboring AS. Default is enabled.

Graceful Restart: Activate the graceful restart option.
- Stale Route Time: Specify the length of time, in seconds, that a route can stay in the stale state (range is 1-3,600; default is 120).
- Local Restart Time: Specify the length of time, in seconds, that the firewall takes to restart. This value is advertised to peers (range is 1-3,600; default is 120).
- Max Peer Restart Time: Specify the maximum length of time, in seconds, that the firewall accepts as a grace period restart time for peer devices (range is 1-3,600; default is 120).

Reflector Cluster ID: Specify an IPv4 identifier to represent the reflector cluster. A route reflector (router) in an AS performs the role of re-advertising routes it learned to its peers (rather than requiring full mesh connectivity, where all peers send routes to each other). The route reflector simplifies configuration.

Confederation Member AS: Specify the identifier for the AS confederation to be presented as a single AS to external BGP peers. Use a BGP confederation to divide autonomous systems into sub-autonomous systems and reduce full mesh peering.


Dampening Profiles (configure in BGP > Advanced): Route dampening is a method that determines whether a route is suppressed from being advertised because it is flapping. Route dampening can reduce the number of times routers are forced to reconverge due to routes flapping. Settings include:
- Profile Name: Enter a name to identify the profile.
- Enable: Activate the profile.
- Cutoff: Specify a route withdrawal threshold above which a route advertisement is suppressed (range is 0.0-1,000.0; default is 1.25).
- Reuse: Specify a route withdrawal threshold below which a suppressed route is used again (range is 0.0-1,000.0; default is 5).
- Max. Hold Time: Specify the maximum length of time, in seconds, that a route can be suppressed, regardless of how unstable it has been (range is 0-3,600; default is 900).
- Decay Half Life Reachable: Specify the length of time, in seconds, after which a route's stability metric is halved if the firewall considers the route reachable (range is 0-3,600; default is 300).
- Decay Half Life Unreachable: Specify the length of time, in seconds, after which a route's stability metric is halved if the firewall considers the route unreachable (range is 0-3,600; default is 300).
Delete profiles when you no longer need them.
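
The dampening profile above, worked through as a simulation (an added example, not Palo Alto Networks code): each withdrawal adds a penalty, the penalty halves once per Decay Half Life, a route is suppressed when the penalty crosses Cutoff and released when it decays below Reuse or when Max. Hold Time expires. The per-withdrawal penalty and the event timeline are constructed here, and the Reuse threshold is set below the Cutoff so that the suppress/reuse cycle is visible (the page's default Reuse value is 5).

```python
"""Route-dampening simulation using the parameters of a BGP Dampening Profile
from the Advanced tab: Cutoff, Reuse, Max. Hold Time and the two Decay Half
Life values. Added example, not Palo Alto Networks code: FLAP_PENALTY, the
Reuse value below and the event timeline are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

FLAP_PENALTY = 1.0   # constructed: penalty added to a route for each withdrawal


@dataclass
class DampeningProfile:
    cutoff: float = 1.25              # suppress when the penalty exceeds this
    reuse: float = 0.5                # reuse once the penalty decays below this (constructed)
    max_hold_time: int = 900          # seconds a route may stay suppressed at most
    half_life_reachable: int = 300    # Decay Half Life Reachable (seconds)
    half_life_unreachable: int = 300  # Decay Half Life Unreachable (seconds)


@dataclass
class RouteState:
    penalty: float = 0.0
    reachable: bool = True
    suppressed: bool = False
    suppressed_since: int = 0
    last_update: int = 0


def decay(state: RouteState, now: int, profile: DampeningProfile) -> None:
    """Halve the penalty once per half-life elapsed; the half-life depends on
    whether the route is currently reachable or unreachable."""
    elapsed = now - state.last_update
    half_life = (profile.half_life_reachable if state.reachable
                 else profile.half_life_unreachable)
    if elapsed > 0 and half_life > 0:
        state.penalty *= 0.5 ** (elapsed / half_life)
    state.last_update = now


def apply_event(state: RouteState, now: int, event: str,
                profile: DampeningProfile) -> bool:
    """Process a 'withdraw' or 'announce' event at time `now` (seconds).
    Returns True when the route may be advertised after the event."""
    decay(state, now, profile)
    if event == "withdraw":
        state.penalty += FLAP_PENALTY
        state.reachable = False
    elif event == "announce":
        state.reachable = True
    else:
        raise ValueError(f"unknown event {event!r}")
    if not state.suppressed and state.penalty > profile.cutoff:
        state.suppressed = True           # Cutoff crossed: stop advertising
        state.suppressed_since = now
    elif state.suppressed:
        held = now - state.suppressed_since
        # Reuse when the penalty has decayed enough, or when Max. Hold Time
        # expires regardless of how unstable the route has been.
        if state.penalty < profile.reuse or held >= profile.max_hold_time:
            state.suppressed = False
    return state.reachable and not state.suppressed


def simulate(events: List[Tuple[int, str]],
             profile: DampeningProfile) -> List[bool]:
    """Run a timeline of (time, event) pairs and return, per event, whether
    the route is advertisable afterwards."""
    state = RouteState()
    return [apply_event(state, t, ev, profile) for t, ev in events]


if __name__ == "__main__":
    # Constructed timeline: two flaps within 30 seconds push the penalty over
    # the cutoff, then decay brings it back under the reuse threshold.
    timeline = [(0, "announce"), (10, "withdraw"), (20, "announce"),
                (30, "withdraw"), (40, "announce"), (600, "announce"),
                (640, "announce")]
    for (t, ev), ok in zip(timeline, simulate(timeline, DampeningProfile())):
        print(f"t={t:4d} {ev:8s} advertisable={ok}")
```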


BGP Peer Group Tab

Network > Virtual Router > BGP > Peer Group
A BGP peer group is a collection of BGP peers that share settings, such as the type of peer group (EBGP, for example), or the setting to remove private AS numbers from the AS_PATH list that the virtual router sends in Update packets. BGP peer groups save you from having to configure multiple peers with the same settings. You must configure at least one BGP peer group in order to configure the BGP peers that belong to the group.

BGP Peer Group Settings (configure in BGP > Peer Group)

Name: Enter a name to identify the peer group.

Enable: Select to activate the peer group.

Aggregated Confed AS Path: Select to include a path to the configured aggregated confederation AS.

Soft Reset with Stored Info: Select to perform a soft reset of the firewall after updating the peer settings.

Type: Specify the type of peer or group and configure the associated settings (see below in this table for descriptions of Import Next Hop and Export Next Hop).
- IBGP: Specify the following:
  - Export Next Hop
- EBGP Confed: Specify the following:
  - Export Next Hop
- IBGP Confed: Specify the following:
  - Export Next Hop
- EBGP: Specify the following:
  - Import Next Hop
  - Export Next Hop
  - Remove Private AS (select if you want to force BGP to remove private AS numbers from the AS_PATH attribute).

Import Next Hop: Choose an option for next hop import:
- Original: Use the Next Hop address provided in the original route advertisement.
- Use Peer: Use the peer's IP address as the Next Hop address.

Export Next Hop: Choose an option for next hop export:
- Resolve: Resolve the Next Hop address using the Forwarding Information Base (FIB).
- Original: Use the Next Hop address provided in the original route advertisement.
- Use Self: Replace the Next Hop address with the virtual router's IP address to ensure that it will be in the forwarding path.

Remove Private AS: Select to remove private autonomous systems from the AS_PATH list.


Peer settings (configure in BGP > Peer Group > Peer)

Name: Add a New BGP peer and enter a name to identify it.

Enable: Select to activate the peer.

Peer AS: Specify the autonomous system (AS) of the peer.

Addressing settings (configure in BGP > Peer Group > Peer > Addressing)

Enable MP-BGP Extensions: Enables the firewall to support the Multiprotocol BGP Address Family Identifier for IPv4 and IPv6 and Subsequent Address Family Identifier options per RFC 4760.

Address Family Type: Select either the IPv4 or IPv6 address family that BGP sessions with this peer will support.

Subsequent Address Family: Select either the Unicast or Multicast subsequent address family protocol the BGP sessions with this peer will carry.

Local Address Interface: Choose a firewall interface.

Local Address IP: Choose a local IP address.

Peer Address IP: Specify the IP address and port of the peer.

Connection Options (configure in BGP > Peer Group > Peer > Connection Options)

Auth Profile: Select a profile or select New Auth Profile from the drop-down. Enter a Profile Name and the Secret, and Confirm Secret.

Keep Alive Interval: Specify an interval after which routes from a peer are suppressed according to the hold time setting (range is 0-1,200 seconds; default is 30 seconds).

Multi Hop: Set the time-to-live (TTL) value in the IP header (range is 1-255; default is 0). The default value of 0 means 2 for eBGP and 255 for iBGP.

Open Delay Time: Specify the delay time between opening the peer TCP connection and sending the first BGP open message (range is 0-240 seconds; default is 0 seconds).

Hold Time: Specify the period of time that may elapse between successive KEEPALIVE or UPDATE messages from a peer before the peer connection is closed (range is 3-3,600 seconds; default is 90 seconds).

Idle Hold Time: Specify the time to wait in the idle state before retrying connection to the peer (range is 1-3,600 seconds; default is 15 seconds).

Incoming Connections Remote Port: Specify the incoming port number and Allow traffic to this port.

Outgoing Connections Local Port: Specify the outgoing port number and Allow traffic from this port.


Advanced peer settings (configure in BGP > Peer Group > Peer > Advanced)

Reflector Client: Select the type of reflector client (Non-Client, Client, or Meshed Client). Routes that are received from reflector clients are shared with all internal and external BGP peers.

Peering Type: Specify a Bilateral peer or leave Unspecified.

Max Prefixes: Specify the maximum number of supported IP prefixes (1-100,000 or unlimited).

Enable Sender Side Loop Detection: Enable to cause the firewall to check the AS_PATH attribute of a route in its FIB before it sends the route in an update, to ensure that the peer AS number is not on the AS_PATH list. If it is, the firewall removes it to prevent a loop. Usually the receiver does loop detection, but this optimization feature has the sender do loop detection.

BFD: To enable Bidirectional Forwarding Detection (BFD) for a BGP peer (and thereby override the BFD setting for BGP, as long as BFD is not disabled for BGP at the virtual router level), select the default profile (default BFD settings), an existing BFD profile, Inherit-vr-global-setting (to inherit the global BGP BFD profile), or New BFD Profile (to create a new BFD profile). Disable BFD disables BFD for the BGP peer.
If you enable or disable BFD globally, all interfaces running BGP will be taken down and brought back up with the BFD function. This can disrupt all BGP traffic. When you enable BFD on the interface, the firewall will stop the BGP connection to the peer to program BFD on the interface. The peer device will see the BGP connection drop, which can result in a reconvergence that impacts production traffic. Therefore, enable BFD on BGP interfaces during an off-peak time when a reconvergence will not impact production traffic.
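
The three AS_PATH checks described on the Advanced and Peer Group tabs (Enforce First AS for EBGP on inbound Updates, Remove Private AS and Enable Sender Side Loop Detection on export), as an added example that is not Palo Alto Networks code. The Route structure and the two pipelines are simplified, and every AS number in it is constructed; the private AS ranges are those of RFC 6996.

```python
"""AS_PATH handling from the BGP Advanced and Peer Group tabs:
Enforce First AS for EBGP (drop an inbound Update whose first AS is not the
peer's AS), Remove Private AS (strip private AS numbers on export) and Enable
Sender Side Loop Detection (do not export a route whose AS_PATH already holds
the peer's AS). Added example, not Palo Alto Networks code."""
from dataclasses import dataclass
from typing import List

# Private AS number blocks (RFC 6996): 16-bit and 32-bit ranges.
PRIVATE_AS_RANGES = ((64512, 65534), (4200000000, 4294967294))


@dataclass
class Route:
    prefix: str
    as_path: List[int]


def is_private_as(asn: int) -> bool:
    return any(low <= asn <= high for low, high in PRIVATE_AS_RANGES)


def enforce_first_as(route: Route, peer_as: int, is_ebgp: bool = True) -> bool:
    """Enforce First AS for EBGP: an Update from an eBGP peer is accepted only
    when the first AS in AS_PATH is the peer's own AS. iBGP peers do not
    prepend their AS, so they are not checked."""
    if not is_ebgp:
        return True
    return bool(route.as_path) and route.as_path[0] == peer_as


def remove_private_as(route: Route) -> Route:
    """Remove Private AS: strip private AS numbers from the AS_PATH."""
    return Route(route.prefix, [a for a in route.as_path if not is_private_as(a)])


def sender_side_loop_check(route: Route, peer_as: int) -> bool:
    """Enable Sender Side Loop Detection: True when the route may be sent to
    the peer, False when the peer's AS is already in the AS_PATH (the peer
    would discard the route as a loop; here the sender skips it instead)."""
    return peer_as not in route.as_path


def export_to_ebgp_peer(fib_routes: List[Route], local_as: int, peer_as: int,
                        strip_private: bool = True,
                        loop_detection: bool = True) -> List[Route]:
    """Export pipeline for one eBGP peer: skip looping routes, prepend the
    local AS, then optionally strip private AS numbers."""
    exported = []
    for route in fib_routes:
        if loop_detection and not sender_side_loop_check(route, peer_as):
            continue
        out = Route(route.prefix, [local_as] + route.as_path)
        if strip_private:
            out = remove_private_as(out)
        exported.append(out)
    return exported


def accept_from_ebgp_peer(updates: List[Route], peer_as: int,
                          enforce: bool = True) -> List[Route]:
    """Inbound pipeline for one eBGP peer with Enforce First AS (default on)."""
    return [u for u in updates if not enforce or enforce_first_as(u, peer_as)]
```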


BGP Import and Export Tabs

Network > Virtual Router > BGP > Import
Network > Virtual Router > BGP > Export
Add a new Import or Export rule to import or export BGP routes.

BGP Import and Export Settings

General settings (configure in BGP > Import or Export > General)

Rules: Specify a name to identify the rule.

Enable: Select to activate the rule.

Used By: Select the peer groups that will use this rule.

Match settings (configure in BGP > Import or Export > Match)

AS Path Regular Expression: Specify a regular expression for filtering of AS paths.

Community Regular Expression: Specify a regular expression for filtering of community strings.

Extended Community Regular Expression: Specify a regular expression for filtering of extended community strings.

MED: Specify a Multi-Exit Discriminator value for route filtering in the range 0-4,294,967,295.

Route Table: For an Import Rule, specify which route table the matching routes will be imported into: unicast, multicast, or both.
For an Export Rule, specify which route table the matching routes will be exported from: unicast, multicast, or both.

Address Prefix: Specify IP addresses or prefixes for route filtering.

Next Hop: Specify next hop routers or subnets for route filtering.

From Peer: Specify peer routers for route filtering.


Action settings (configure in BGP > Import or Export > Action)

Action: Specify an action (Allow or Deny) to take when the match conditions are met.

Dampening: Specify the dampening parameter, only if the action is Allow.

Local Preference: Specify a local preference metric, only if the action is Allow.

MED: Specify a MED value, only if the action is Allow (0-65,535).

Weight: Specify a weight value, only if the action is Allow (0-65,535).

Next Hop: Specify a next hop router, only if the action is Allow.

Origin: Specify the path type of the originating route: IGP, EGP, or incomplete, only if the action is Allow.

AS Path Limit: Specify an AS path limit, only if the action is Allow.

AS Path: Specify an AS path: None, Remove, Prepend, Remove and Prepend, only if the action is Allow.

Community: Specify a community option: None, Remove All, Remove Regex, Append, or Overwrite, only if the action is Allow.

Extended Community: Specify a community option: None, Remove All, Remove Regex, Append, or Overwrite, only if the action is Allow.

Delete rules when you no longer need them or Clone a rule when appropriate. You can also select rules and Move Up or Move Down to change their order.
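
How an ordered list of Import/Export rules with the Match and Action sections above decides the fate of a route, as an added example (not Palo Alto Networks code). That the first matching rule wins and that an unmatched route passes unchanged are assumptions made here; the routes and rules in the usage are constructed.

```python
"""Evaluation of BGP Import/Export rules as laid out on the Import and Export
tabs: an ordered rule list, a Match section (AS Path / Community regular
expressions, MED, Address Prefix, From Peer) and an Action section (Allow or
Deny with attribute changes). Added example, not Palo Alto Networks code.
First matching rule wins and an unmatched route passes unchanged: both are
assumptions made here."""
import ipaddress
import re
from dataclasses import dataclass, field, replace
from typing import List, Optional


@dataclass
class Route:
    prefix: str
    as_path: List[int]
    communities: List[str]           # "AS:VAL" strings, e.g. "64496:100"
    med: int = 0
    local_pref: int = 100
    from_peer: str = ""


@dataclass
class Rule:
    name: str
    enable: bool = True
    # Match tab (None or empty means "not configured")
    as_path_regex: Optional[str] = None
    community_regex: Optional[str] = None
    med: Optional[int] = None
    address_prefixes: List[str] = field(default_factory=list)
    from_peers: List[str] = field(default_factory=list)
    # Action tab
    action: str = "allow"            # "allow" or "deny"
    local_preference: Optional[int] = None
    set_med: Optional[int] = None
    as_path_prepend: List[int] = field(default_factory=list)
    community_action: str = "none"   # none | remove-all | remove-regex | append | overwrite
    community_value: Optional[str] = None


def matches(rule: Rule, route: Route) -> bool:
    """Every configured Match field must match; unconfigured fields are ignored."""
    if rule.as_path_regex is not None:
        path_text = " ".join(str(asn) for asn in route.as_path)
        if not re.search(rule.as_path_regex, path_text):
            return False
    if rule.community_regex is not None:
        if not any(re.search(rule.community_regex, c) for c in route.communities):
            return False
    if rule.med is not None and route.med != rule.med:
        return False
    if rule.address_prefixes:
        net = ipaddress.ip_network(route.prefix)
        if not any(net.subnet_of(ipaddress.ip_network(p)) for p in rule.address_prefixes):
            return False
    if rule.from_peers and route.from_peer not in rule.from_peers:
        return False
    return True


def apply_action(rule: Rule, route: Route) -> Optional[Route]:
    """Deny drops the route (None); Allow returns a copy with the attribute
    changes configured on the Action tab applied."""
    if rule.action == "deny":
        return None
    out = replace(route, as_path=list(route.as_path), communities=list(route.communities))
    if rule.local_preference is not None:
        out.local_pref = rule.local_preference
    if rule.set_med is not None:
        out.med = rule.set_med
    if rule.as_path_prepend:
        out.as_path = list(rule.as_path_prepend) + out.as_path
    if rule.community_action == "remove-all":
        out.communities = []
    elif rule.community_action == "remove-regex" and rule.community_value:
        out.communities = [c for c in out.communities
                           if not re.search(rule.community_value, c)]
    elif rule.community_action == "append" and rule.community_value:
        out.communities.append(rule.community_value)
    elif rule.community_action == "overwrite" and rule.community_value:
        out.communities = [rule.community_value]
    return out


def evaluate(rules: List[Rule], route: Route) -> Optional[Route]:
    """Walk the rules in their Move Up / Move Down order; the first enabled
    rule whose Match section fits decides the outcome."""
    for rule in rules:
        if rule.enable and matches(rule, route):
            return apply_action(rule, route)
    return route
```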


BGP Conditional Adv Tab

Network > Virtual Router > BGP > Conditional Adv
A BGP conditional advertisement allows you to control which route to advertise in the event that a preferred route is not available in the local BGP routing table (Loc-RIB), indicating a peering or reachability failure. This is useful where you want to try to force routes to one AS over another, such as when you have links to the internet through multiple ISPs and you want traffic to be routed to one provider instead of the other except when there is a loss of connectivity to the preferred provider.
For conditional advertisement, you configure a Non-Exist filter that specifies the preferred route(s) (Address Prefix) plus any other attributes that identify the preferred route (such as AS Path Regular Expression). If a route matching the Non-Exist filter is not found in the local BGP routing table, only then will the firewall allow advertisement of the alternate route (the route to the other, non-preferred provider) as specified in its Advertise filter.
To configure conditional advertisement, select the Conditional Adv tab, Add a conditional advertisement, and configure the values described in the following table.

BGP Conditional Advertisement Settings

Policy settings (configure in BGP > Conditional Adv)

Policy: Specify a name for this conditional advertisement policy rule.

Enable: Select to enable this conditional advertisement policy rule.

Used By: Add the peer groups that will use this conditional advertisement policy rule.


Non Exist Filter (configure in BGP > Conditional Adv > Non Exist Filters): Use this tab to specify the prefix(es) of the preferred route. This specifies the route that you want to advertise, if it is available in the local BGP routing table. (If a prefix is going to be advertised and matches a Non-Exist filter, the advertisement will be suppressed.)
Add a Non Exist Filter and specify a name to identify this filter.

Enable: Select to activate the Non-Exist filter.

AS Path Regular Expression: Specify a regular expression for filtering AS paths.

Community Regular Expression: Specify a regular expression for filtering community strings.

Extended Community Regular Expression: Specify a regular expression for filtering extended community strings.

MED: Specify a MED value for route filtering (range is 0-4,294,967,295).

Route Table: Specify which route table (unicast, multicast, or both) the firewall will search to see if the matched route is present. If the matched route is not present in that route table, only then will the firewall allow the advertisement of the alternate route.

Address Prefix: Add the exact Network Layer Reachability Information (NLRI) prefix for the preferred route(s).

Next Hop: Specify next hop routers or subnets for filtering the route.

From Peer: Specify peer routers for route filtering.


Advertise Filter (configure in BGP > Conditional Adv > Advertise Filters): Use this tab to specify the prefix(es) of the route in the Local RIB routing table to advertise if the route in the Non-Exist filter is not available in the local routing table.
If a prefix is to be advertised and does not match a Non-Exist filter, the advertisement will occur.
Add an advertise filter and specify a name to identify this filter.

Enable: Select to activate the filter.

AS Path Regular Expression: Specify a regular expression for filtering AS paths.

Community Regular Expression: Specify a regular expression for filtering community strings.

Extended Community Regular Expression: Specify a regular expression for filtering extended community strings.

MED: Specify a MED value for route filtering (range is 0-4,294,967,295).

Route Table: Specify which route table the firewall uses when a matched route is to be conditionally advertised: unicast, multicast, or both.

Address Prefix: Add the exact Network Layer Reachability Information (NLRI) prefix for the route to be advertised if the preferred route is not available.

Next Hop: Specify next hop routers or subnets for route filtering.

From Peer: Specify peer routers for route filtering.
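
The Non Exist Filter / Advertise Filter decision from this tab in code, as an added example that is not Palo Alto Networks code: the Advertise Filter prefixes go out only while no Loc-RIB route satisfies the Non Exist Filter. The Loc-RIB contents, the filters and the AS numbers used are constructed.

```python
"""Conditional advertisement decision from the BGP Conditional Adv tab: the
prefixes selected by the Advertise Filter are announced only while no route in
the local BGP routing table (Loc-RIB) matches the Non Exist Filter. Added
example, not Palo Alto Networks code; all routes and filters are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Route:
    prefix: str            # exact NLRI prefix, e.g. "203.0.113.0/24"
    as_path: List[int]
    from_peer: str


@dataclass
class PrefixFilter:
    """Shape shared by a Non Exist Filter and an Advertise Filter."""
    enable: bool = True
    address_prefixes: List[str] = field(default_factory=list)   # exact NLRI match
    as_path_regex: Optional[str] = None
    from_peers: List[str] = field(default_factory=list)


def filter_matches(flt: PrefixFilter, route: Route) -> bool:
    """Address Prefix is an exact NLRI match; the other fields narrow it down."""
    if not flt.enable or route.prefix not in flt.address_prefixes:
        return False
    if flt.from_peers and route.from_peer not in flt.from_peers:
        return False
    if flt.as_path_regex is not None:
        path_text = " ".join(str(asn) for asn in route.as_path)
        if not re.search(flt.as_path_regex, path_text):
            return False
    return True


def preferred_route_present(loc_rib: List[Route], non_exist: PrefixFilter) -> bool:
    """True while some Loc-RIB route satisfies the Non Exist Filter."""
    return any(filter_matches(non_exist, r) for r in loc_rib)


def conditional_advertise(loc_rib: List[Route], non_exist: PrefixFilter,
                          advertise: PrefixFilter) -> List[str]:
    """Prefixes to advertise to the policy's peer groups: nothing while the
    preferred route exists, otherwise the Advertise Filter matches."""
    if preferred_route_present(loc_rib, non_exist):
        return []
    return [r.prefix for r in loc_rib if filter_matches(advertise, r)]
```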


BGP Aggregate Tab

Network > Virtual Router > BGP > Aggregate
Route aggregation is the act of combining specific routes (those with a longer prefix length) into a single route (with a shorter prefix length) to reduce routing advertisements that the firewall must send and to have fewer routes in the route table.

BGP Aggregate Settings (configure in BGP > Aggregate)

Name: Enter a name for the aggregation rule.

Prefix: Enter a summary prefix (IP address/prefix length) that will be used to aggregate the longer prefixes.

Enable: Select to enable this aggregation of routes.

Summary: Select to summarize routes.

AS Set: Select to cause the firewall, for this aggregation rule, to include the set of AS numbers (AS set) in the AS path of the aggregate route. The AS set is the unordered list of the origin AS numbers from the individual routes that are aggregated.

Suppress Filters (configure in BGP > Aggregate > Suppress Filters)

Name: Define the attributes that will cause the matched routes to be suppressed. Add and enter a name for a Suppress Filter.

Enable: Select to enable the Suppress Filter.

AS Path Regular Expression: Specify a regular expression for AS_PATH to filter which routes will be aggregated, for example, ^5000 means routes learned from AS 5000.

Community Regular Expression: Specify a regular expression for communities to filter which routes will be aggregated, for example, 500:.* matches communities with 500:x.

Extended Community Regular Expression: Specify a regular expression for extended communities to filter which routes will be aggregated.

MED: Specify the MED that filters which routes will be aggregated.

Route Table: Specify which route table to use for aggregated routes that should be suppressed (not advertised): unicast, multicast, or both.

Address Prefix: Enter the IP address that you want to suppress from advertisement.

Next Hop: Enter the next hop address of the BGP prefix that you want to suppress.

From Peer: Enter the IP address of the peer from which the BGP prefix (that you want to suppress) was received.


Advertise Filters (configure in BGP > Aggregate > Advertise Filters)

Name: Define the attributes for an Advertise Filter that causes the firewall to advertise to peers any route that matches the filter. Click Add and enter a name for the Advertise Filter.

Enable: Select to enable this Advertise Filter.

AS Path Regular Expression: Specify a regular expression for AS_PATH to filter which routes will be advertised.

Community Regular Expression: Specify a regular expression for Community to filter which routes will be advertised.

Extended Community Regular Expression: Specify a regular expression for Extended Community to filter which routes will be advertised.

MED: Specify a MED value to filter which routes will be advertised.

Route Table: Specify which route table to use for an Advertise Filter of aggregate routes: unicast, multicast, or both.

Address Prefix: Enter an IP address that you want BGP to advertise.

Next Hop: Enter the Next Hop address of the IP address you want BGP to advertise.

From Peer: Enter the IP address of the peer from which the prefix was received, that you want BGP to advertise.

Aggregate Route Attributes (configure in BGP > Aggregate > Aggregate Route Attributes): Define the attributes for the aggregate route.

Local Preference: Local preference in the range 0-4,294,967,295.

MED: Multi-Exit Discriminator in the range 0-4,294,967,295.

Weight: Weight in the range 0-65,535.

Next Hop: Next Hop IP address.

Origin: Origin of the route: igp, egp, or incomplete.

AS Path Limit: AS Path Limit in the range 1-255.

AS Path: Select Type: None or Prepend.

Community: Select Type: None, Remove All, Remove Regex, Append, or Overwrite.

Extended Community: Select Type: None, Remove All, Remove Regex, Append, or Overwrite.
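
Aggregation with AS Set and a Suppress Filter, worked through in code as an added example (not Palo Alto Networks code): longer prefixes under the summary Prefix are folded into one route, the AS set collects their origin AS numbers, and members matching the Suppress Filter are withheld. The routes and filter values (including the page's ^5000 and 500:.* examples) are constructed.

```python
"""BGP route aggregation from the Aggregate tab: routes with longer prefixes
are folded into one summary Prefix, AS Set collects the origin AS numbers of
the aggregated routes, and a Suppress Filter withholds matching specific routes
from advertisement. Added example, not Palo Alto Networks code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: str
    as_path: List[int]
    communities: List[str]


@dataclass
class AggregateRule:
    prefix: str                                   # summary prefix, e.g. "10.0.0.0/8"
    summary: bool = True                          # advertise the aggregate route
    as_set: bool = False                          # attach the AS set to it
    suppress_as_path_regex: Optional[str] = None  # Suppress Filter fields
    suppress_community_regex: Optional[str] = None


def aggregated_members(rule: AggregateRule, routes: List[Route]) -> List[Route]:
    """Specific routes covered by the summary prefix (strictly longer prefixes)."""
    summary = ipaddress.ip_network(rule.prefix)
    return [r for r in routes
            if ipaddress.ip_network(r.prefix) != summary
            and ipaddress.ip_network(r.prefix).subnet_of(summary)]


def suppressed(rule: AggregateRule, route: Route) -> bool:
    """A member is suppressed when it matches every configured Suppress Filter
    field; with no filter configured nothing is suppressed."""
    checks = []
    if rule.suppress_as_path_regex is not None:
        path_text = " ".join(str(asn) for asn in route.as_path)
        checks.append(re.search(rule.suppress_as_path_regex, path_text) is not None)
    if rule.suppress_community_regex is not None:
        checks.append(any(re.search(rule.suppress_community_regex, c)
                          for c in route.communities))
    return bool(checks) and all(checks)


def aggregate(rule: AggregateRule, routes: List[Route]) -> Dict[str, dict]:
    """Return the advertisement set keyed by prefix: the summary route (with
    its AS set when enabled), unsuppressed members, and routes outside the
    summary untouched."""
    members = aggregated_members(rule, routes)
    advertised: Dict[str, dict] = {}
    if rule.summary and members:
        # AS set: unordered origin AS numbers of the aggregated routes
        origin_as = sorted({r.as_path[-1] for r in members if r.as_path})
        advertised[rule.prefix] = {"as_set": origin_as if rule.as_set else []}
    for r in routes:
        if r in members and suppressed(rule, r):
            continue
        advertised[r.prefix] = {"as_path": r.as_path}
    return advertised
```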


BGP Redist Rules Tab

Network > Virtual Router > BGP > Redist Rules
Configure the settings described in the following table to create rules for redistributing BGP routes.

BGP Redistribution Rules Settings (configure in BGP > Redist Rules)

Allow Redistribute Default Route: Permits the firewall to redistribute its default route to BGP peers.

Name: Add an IP subnet or create a redistribution rule first.

Enable: Select to enable this redistribution rule.

Route Table: Specify which route table the route will be redistributed into: unicast, multicast, or both.

Metric: Enter a metric in the range 1-65,535.

Set Origin: Select the origin for the redistributed route (igp, egp, or incomplete). The value incomplete indicates a connected route.

Set MED: Enter a MED for the redistributed route in the range 0-4,294,967,295.

Set Local Preference: Enter a local preference for the redistributed route in the range 0-4,294,967,295.

Set AS Path Limit: Enter an AS path limit for the redistributed route in the range 1-255.

Set Community: Select or enter a 32-bit value in decimal or hexadecimal or in AS:VAL format; AS and VAL are each in the range 0-65,535. Enter a maximum of 10 communities.

Set Extended Community: Enter a 64-bit value in hexadecimal or in TYPE:AS:VAL or TYPE:IP:VAL format. TYPE is 16 bits; AS or IP is 16 bits; VAL is 32 bits. Enter a maximum of five extended communities.
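
Parsing and range-checking the Set Community and Set Extended Community formats listed above, as an added example that is not Palo Alto Networks code. The TYPE:AS:VAL layout follows the tab (16-bit type, 16-bit AS, 32-bit value); for TYPE:IP:VAL the example uses the RFC 4360 IPv4-address-specific layout (16-bit type, 32-bit address, 16-bit value), and treating a 0x prefix as the hexadecimal marker is an assumption.

```python
"""Parsing and validation of the community formats accepted on the Redist
Rules tab: Set Community takes a 32-bit value in decimal, hexadecimal or AS:VAL
form (at most 10 entries); Set Extended Community takes a 64-bit value in
hexadecimal or TYPE:AS:VAL / TYPE:IP:VAL form (at most 5 entries). Added
example, not Palo Alto Networks code; the TYPE:IP:VAL bit layout is the
RFC 4360 one and the 0x hexadecimal marker is an assumption."""
import ipaddress
from typing import Callable, List

MAX_COMMUNITIES = 10
MAX_EXTENDED_COMMUNITIES = 5


def _int_field(text: str, bits: int, what: str) -> int:
    """Parse a decimal or 0x-prefixed hexadecimal field and range-check it."""
    value = int(text, 16) if text.lower().startswith("0x") else int(text)
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{what} must fit in {bits} bits: {text}")
    return value


def parse_community(text: str) -> int:
    """Set Community: 32-bit value given as decimal, hexadecimal or AS:VAL."""
    text = text.strip()
    if ":" in text:
        as_text, val_text = text.split(":", 1)
        asn = _int_field(as_text, 16, "AS")      # AS and VAL are each 0-65,535
        val = _int_field(val_text, 16, "VAL")
        return (asn << 16) | val
    return _int_field(text, 32, "community")


def format_community(value: int) -> str:
    """Render a 32-bit community in AS:VAL form."""
    return f"{value >> 16}:{value & 0xFFFF}"


def parse_extended_community(text: str) -> int:
    """Set Extended Community: 64-bit value as hex, TYPE:AS:VAL or TYPE:IP:VAL."""
    text = text.strip()
    parts = text.split(":")
    if len(parts) == 1:                       # plain 64-bit hexadecimal value
        value = int(text, 16)
        if not 0 <= value < (1 << 64):
            raise ValueError(f"extended community must fit in 64 bits: {text}")
        return value
    if len(parts) != 3:
        raise ValueError(f"expected TYPE:AS:VAL or TYPE:IP:VAL: {text}")
    type_field = _int_field(parts[0], 16, "TYPE")
    if "." in parts[1]:                       # TYPE:IP:VAL, RFC 4360 layout
        addr = int(ipaddress.IPv4Address(parts[1]))   # 32-bit IPv4 address
        val = _int_field(parts[2], 16, "VAL")         # 16-bit value
        return (type_field << 48) | (addr << 16) | val
    asn = _int_field(parts[1], 16, "AS")              # TYPE:AS:VAL as on the tab
    val = _int_field(parts[2], 32, "VAL")
    return (type_field << 48) | (asn << 32) | val


def parse_set_community(values: List[str]) -> List[int]:
    """Validate the Set Community list: at most 10 entries, each well-formed."""
    if len(values) > MAX_COMMUNITIES:
        raise ValueError(f"at most {MAX_COMMUNITIES} communities allowed")
    return [parse_community(v) for v in values]


def parse_set_extended_community(values: List[str]) -> List[int]:
    """Validate the Set Extended Community list: at most 5 entries."""
    if len(values) > MAX_EXTENDED_COMMUNITIES:
        raise ValueError(f"at most {MAX_EXTENDED_COMMUNITIES} extended communities allowed")
    return [parse_extended_community(v) for v in values]


def rejects(parser: Callable[..., object], *args) -> bool:
    """True when the parser raises ValueError for the given input."""
    try:
        parser(*args)
    except ValueError:
        return True
    return False
```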


IP Multicast

Network > Virtual Router > Multicast
Configuring Multicast protocols requires configuring the following standard setting:

Multicast Setting

Enable: Select to enable multicast routing.

In addition, settings on the following tabs must be configured:
- Rendezvous Point: See Multicast Rendezvous Point Tab.
- Interfaces: See Multicast Interfaces Tab.
- SPT Threshold: See Multicast SPT Threshold Tab.
- Source Specific Address Space: See Multicast Source Specific Address Tab.
- Advanced: See Multicast Advanced Tab.


Multicast Rendezvous Point Tab

Network > Virtual Router > Multicast > Rendezvous Point
Use the following fields to configure an IP multicast rendezvous point:

Multicast Settings, Rendezvous Point

RP Type: Choose the type of Rendezvous Point (RP) that will run on this virtual router. A static RP must be explicitly configured on other PIM routers whereas a candidate RP is elected automatically.
- None: Choose if there is no RP running on this virtual router.
- Static: Specify a static IP address for the RP and choose options for RP Interface and RP Address from the drop-down. Select Override learned RP for the same group if you want to use the specified RP instead of the RP elected for this group.
- Candidate: Specify the following information for the candidate RP running on this virtual router:
  - RP Interface: Select an interface for the RP. Valid interface types include loopback, L3, VLAN, aggregate Ethernet, and tunnel.
  - RP Address: Select an IP address for the RP.
  - Priority: Specify a priority for candidate RP messages (default 192).
  - Advertisement interval: Specify an interval between advertisements for candidate RP messages.
- Group list: If you choose Static or Candidate, click Add to specify a list of groups for which this candidate RP is proposing to be the RP.

Remote Rendezvous Point: Click Add and specify the following:
- IP address: Specify the IP address for the RP.
- Override learned RP for the same group: Select to use the specified RP instead of the RP elected for this group.
- Group: Specify a list of groups for which the specified address will act as the RP.

Multicast Interfaces Tab

Network > Virtual Router > Multicast > Interfaces
Use the following fields to configure multicast interfaces:

Multicast Settings, Interfaces

Name: Enter a name to identify an interface group.

Description: Enter an optional description.

Interface: Click Add to specify one or more firewall interfaces.


Group Permissions: Specify general rules for multicast traffic:
- Any Source: Click Add to specify a list of multicast groups for which PIM-SM traffic is permitted.
- Source-Specific: Click Add to specify a list of multicast group and multicast source pairs for which PIM-SSM traffic is permitted.

IGMP: Specify rules for IGMP traffic. IGMP must be enabled for host-facing interfaces (IGMP router) or for IGMP proxy host interfaces.
- Enable: Select to enable the IGMP configuration.
- IGMP Version: Choose version 1, 2, or 3 to run on the interface.
- Enforce Router-Alert IP Option: Select to require the router-alert IP option when speaking IGMPv2 or IGMPv3. This must be disabled for compatibility with IGMPv1.
- Robustness: Choose an integer value to account for packet loss on a network (range is 1-7; default is 2). If packet loss is common, choose a higher value.
- Max Sources: Specify the maximum number of source-specific memberships allowed on this interface (0 = unlimited).
- Max Groups: Specify the maximum number of groups allowed on this interface.
- Query Configuration: Specify the following:
  - Query interval: Specify the interval at which general queries are sent to all hosts.
  - Max Query Response Time: Specify the maximum time between a general query and a response from a host.
  - Last Member Query Interval: Specify the interval between group- or source-specific query messages (including those sent in response to leave-group messages).
  - Immediate Leave: Select to leave the group immediately when a leave message is received.

PIM configuration: Specify the following Protocol Independent Multicast (PIM) settings:
- Enable: Select to allow this interface to receive and/or forward PIM messages.
- Assert Interval: Specify the interval between PIM assert messages.
- Hello Interval: Specify the interval between PIM hello messages.
- Join Prune Interval: Specify the interval between PIM join and prune messages (seconds). Default is 60.
- DR Priority: Specify the designated router priority for this interface.
- BSR Border: Select to use the interface as the bootstrap border.
- PIM Neighbors: Click Add to specify the list of neighbors that will communicate with this interface using PIM.


Multicast SPT Threshold Tab

Network > Virtual Router > Multicast > SPT Threshold
Use the following fields to configure multicast SPT thresholds:

Multicast Settings, SPT Threshold

Name: The Shortest Path Tree (SPT) threshold defines the throughput rate (in kbps) at which multicast routing will switch from shared tree distribution (sourced from the rendezvous point) to source tree distribution.
Add the following SPT settings:
- Multicast Group Prefix: Specify the multicast IP address/prefix for which the SPT will be switched to source tree distribution when the throughput reaches the desired threshold (kbps).
- Threshold: Specify the throughput at which to switch from shared tree distribution to source tree distribution.

Multicast Source Specific Address Tab

Network > Virtual Router > Multicast > Source Specific Address Space
Define a name for a multicast group and configure source-specific multicast services.

Multicast Settings, Source Specific Address Space

Name: Defines the multicast groups for which the firewall will provide source-specific multicast (SSM) services.
Add the following settings for source-specific addresses:
- Name: Enter a name to identify this group of settings.
- Group: Specify groups for the SSM address space.
- Included: Select to include the specified groups in the SSM address space.

Multicast Advanced Tab

Network > Virtual Router > Multicast > Advanced
Configure the length of time a multicast route remains in the routing table after the session ends.

Multicast Advanced Settings

Route Age Out Time (sec): Allows you to tune the duration, in seconds, for which a multicast route remains in the routing table on the firewall after the session ends (range is 210-7200; default is 210).


ECMP

Network > Virtual Routers > Router Settings > ECMP
Equal Cost Multiple Path (ECMP) processing is a networking feature that enables the firewall to use up to four equal-cost routes to the same destination. Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route. Enabling ECMP functionality on a virtual router allows the firewall to have up to four equal-cost paths to a destination in its forwarding table, allowing the firewall to:
- Load balance flows (sessions) to the same destination over multiple equal-cost links.
- Make use of the available bandwidth on all links to the same destination rather than leave some links unused.
- Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than waiting for the routing protocol or RIB table to elect an alternative path, which can help reduce down time when links fail.
ECMP load balancing is done at the session level, not at the packet level. This means the firewall chooses an equal-cost path at the start of a new session, not each time the firewall receives a packet.

Enabling, disabling, or changing ECMP on an existing virtual router causes the system to restart the virtual router, which might cause existing sessions to be terminated.

To configure ECMP for a virtual router, select a virtual router and, for Router Settings, select the ECMP tab and configure the ECMP Settings as described.

What are you looking for? See:

What are the fields available to configure ECMP? See ECMP Settings.

Looking for more? See ECMP.


ECMP Settings

Network > Virtual Routers > Router Settings > ECMP
Use the following fields to configure Equal Cost Multiple Path settings.

ECMP Settings

Enable: Enable ECMP.
Enabling, disabling, or changing ECMP requires that you restart the firewall, which might cause sessions to be terminated.

Symmetric Return: (Optional) Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall will use the ingress interface on which to send return packets, rather than use the ECMP interface, so the Symmetric Return setting overrides load balancing. This behavior occurs only for traffic flows from the server to the client.

Max Path: Select the maximum number of equal-cost paths (2, 3, or 4) to a destination network that can be copied from the RIB to the FIB. Default is 2.

Method: Choose one of the following ECMP load-balancing algorithms to use on the virtual router. ECMP load balancing is done at the session level, not at the packet level. This means that the firewall (ECMP) chooses an equal-cost path at the start of a new session, not each time a packet is received.
- IP Modulo: By default, the virtual router load balances sessions using this option, which uses a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
- IP Hash: Optionally click Use Source/Destination Ports to include the ports in the hash calculation, in addition to the source and destination IP addresses. You can also enter a Hash Seed value (an integer) to further randomize load balancing.
- Weighted Round Robin: This algorithm can be used to take into consideration different link capacities and speeds. Upon choosing this algorithm, the Interface window opens. Click Add and select an Interface to be included in the weighted round robin group. For each interface, enter the Weight to be used for that interface. Weight defaults to 100; range is 1-255. The higher the weight for a specific equal-cost path, the more often that equal-cost path will be selected for a new session. A higher speed link should be given a higher weight than a slower link, so that more of the ECMP traffic goes over the faster link. Click Add again to add another interface and weight.
- Balanced Round Robin: Distributes incoming ECMP sessions equally across links.
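
The four load-balancing methods above, together with the session-level nature of the choice, modelled in code as an added example that is not Palo Alto Networks code. The hash function, the session key and the way a Weight expands into a round-robin cycle are assumptions made here; the interfaces and addresses in the usage are constructed.

```python
"""Session-level ECMP path selection with the methods listed on the ECMP
Settings tab: IP Modulo, IP Hash (optionally with Use Source/Destination Ports
and a Hash Seed), Weighted Round Robin and Balanced Round Robin. Added example,
not Palo Alto Networks code: the hash function, the session key and the
weight-to-cycle expansion are assumptions; the path is chosen once, when a
session starts, and reused for every later packet of that session."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class EcmpPath:
    interface: str
    weight: int = 100        # Weighted Round Robin weight (default 100, range 1-255)


def _ip_int(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


def ip_modulo(paths: List[EcmpPath], src_ip: str, dst_ip: str) -> EcmpPath:
    """IP Modulo: hash of source and destination IP addresses, modulo the number
    of equal-cost paths in the FIB (at most Max Path, 2-4)."""
    return paths[(_ip_int(src_ip) ^ _ip_int(dst_ip)) % len(paths)]


def ip_hash(paths: List[EcmpPath], src_ip: str, dst_ip: str,
            src_port: Optional[int] = None, dst_port: Optional[int] = None,
            seed: int = 0) -> EcmpPath:
    """IP Hash: addresses, optionally the ports, and the Hash Seed feed one
    hash; changing the seed reshuffles which sessions land on which path."""
    material = f"{seed}|{src_ip}|{dst_ip}"
    if src_port is not None and dst_port is not None:   # Use Source/Destination Ports
        material += f"|{src_port}|{dst_port}"
    digest = hashlib.sha256(material.encode()).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


class RoundRobin:
    """Balanced Round Robin (every path once per cycle) or Weighted Round Robin
    (each path `weight` times per cycle, so a weight-200 link receives twice
    the new sessions of a weight-100 link)."""

    def __init__(self, paths: List[EcmpPath], weighted: bool):
        for p in paths:
            if not 1 <= p.weight <= 255:
                raise ValueError(f"weight out of range 1-255: {p}")
        self.cycle: List[EcmpPath] = []
        for p in paths:
            self.cycle.extend([p] * (p.weight if weighted else 1))
        self.index = 0

    def next_path(self) -> EcmpPath:
        p = self.cycle[self.index]
        self.index = (self.index + 1) % len(self.cycle)
        return p


SessionKey = Tuple[str, int, str, int, str]   # (src_ip, src_port, dst_ip, dst_port, proto)


def session_path(table: Dict[SessionKey, EcmpPath], key: SessionKey,
                 choose: Callable[[], EcmpPath]) -> EcmpPath:
    """ECMP is session-level: the first packet of a new session triggers the
    choice; later packets reuse the path stored for the session."""
    if key not in table:
        table[key] = choose()
    return table[key]


def cycle_share(paths: List[EcmpPath], weighted: bool, sessions: int) -> Dict[str, int]:
    """Count how many of `sessions` new sessions each interface receives."""
    rr = RoundRobin(paths, weighted)
    counts = {p.interface: 0 for p in paths}
    for _ in range(sessions):
        counts[rr.next_path().interface] += 1
    return counts
```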


More Runtime Stats for a Virtual Router

After you configure static routes or routing protocols for a virtual router, select Network > Virtual Routers, and select More Runtime Stats in the last column to see detailed information about the virtual router, such as the route table, forwarding table, and the routing protocols and static routes you configured. These windows provide more information than can fit on a single screen for the virtual router. The window displays the following tabs:
- Routing: See Routing Tab.
- RIP: See RIP Tab.
- BGP: See BGP Tab.
- Multicast: See Multicast Tab.
- BFD Summary Information: See BFD Summary Information Tab.

Routing Tab

The Routing Tab is divided into three tabs:
- Routing Table: See Route Table Tab.
- Forwarding Table: See Forwarding Table Tab.
- Static Route Monitoring: See Static Route Monitoring Tab.

Route Table Tab

The following table describes the virtual router's Runtime Stats for the Route Table.

Route Table Runtime Stats

Route Table: Select Unicast or Multicast to display either the unicast or multicast route table.

Display Address Family: Select IPv4 Only, IPv6 Only, or IPv4 and IPv6 (default) to control which group of addresses to display in the table.

Destination: IPv4 address and netmask or IPv6 address and prefix length of networks the virtual router can reach.

Next Hop: IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.

Metric: Metric for the route. When a routing protocol has more than one route to the same destination network, it prefers the route with the lowest metric value. Each routing protocol uses a different type of metric; for example, RIP uses hop count.

Weight: Weight for the route. For example, when BGP has more than one route to the same destination, it will prefer the route with the highest weight.


Flags:
A?B: Active and learned via BGP
A C: Active and a result of an internal interface (connected); Destination = network
A H: Active and a result of an internal interface (connected); Destination = Host only
A R: Active and learned via RIP
A S: Active and static
S: Inactive (because this route has a higher metric) and static
O1: OSPF external type 1
O2: OSPF external type 2
Oi: OSPF intra-area
Oo: OSPF inter-area

Age: Age of the route entry in the routing table. Static routes have no age.

Interface: Egress interface of the virtual router that will be used to reach the next hop.

Refresh: Click to refresh the runtime stats in the table.

Forwarding Table Tab

The following table describes Runtime Stats for the Forwarding Table (Forwarding Information Base, FIB) on a virtual router. The firewall chooses the best route from the route table (RIB) toward a destination network to place in the FIB.

Forwarding Table Runtime Stats: Description

Display Address Family: Select IPv4 Only, IPv6 Only, or IPv4 and IPv6 (default) to control which route table to display.

Destination: Best IPv4 address and netmask or IPv6 address and prefix length to a network the virtual router can reach, selected from the Route Table.

Next Hop: IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.

Flags:
u: Route is up.
h: Route is to a host.
g: Route is to a gateway.
e: Firewall selected this route using Equal Cost Multipath (ECMP).
*: Route is the preferred path to a destination network.

Interface: Egress interface the virtual router will use to reach the next hop.

MTU: Maximum transmission unit (MTU); maximum number of bytes that the firewall will transmit in a single TCP packet to this destination.

Refresh: Click to refresh the runtime stats in the table.
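How the Route Table and Forwarding Table tabs relate, as an added example that is not Palo Alto Networks code: the lowest-metric route per prefix is flagged active and installed in the FIB, a higher-metric static route stays in the RIB as inactive "S", equal-metric winners become ECMP paths, and a lookup does longest-prefix matching. Which ECMP member carries the "*" flag is an assumption here; the routes are constructed sample data.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    destination: str     # prefix as shown in the Destination column, e.g. "10.1.0.0/16"
    next_hop: str        # "0.0.0.0" (or "::") for a directly connected network
    metric: int
    interface: str
    source: str          # "static", "bgp", "rip" or "connected"
    flags: str = ""      # filled in by build_fib, e.g. "A S" (active static) or "S" (inactive)


# Route-source letters as used in the Route Table tab's Flags column
SOURCE_FLAG = {"bgp": "B", "connected": "C", "rip": "R", "static": "S"}


@dataclass
class FibEntry:
    destination: ipaddress.IPv4Network | ipaddress.IPv6Network
    next_hop: str
    interface: str
    flags: str           # u = up, h = host route, g = via gateway, e = ECMP, * = preferred


def build_fib(rib: list[Route]) -> list[FibEntry]:
    """Mark each RIB route active ("A") or inactive and install the lowest-metric
    route(s) per prefix into the FIB. Equal-metric winners become ECMP paths."""
    by_prefix: dict = {}
    for route in rib:
        by_prefix.setdefault(ipaddress.ip_network(route.destination), []).append(route)
    fib: list[FibEntry] = []
    for prefix, routes in by_prefix.items():
        best = min(r.metric for r in routes)
        winners = [r for r in routes if r.metric == best]
        for r in routes:
            # A route with a higher metric stays in the RIB but is not active
            r.flags = ("A " if r.metric == best else "") + SOURCE_FLAG[r.source]
        for i, r in enumerate(winners):
            flags = "u"
            if prefix.prefixlen == prefix.max_prefixlen:
                flags += "h"
            if r.next_hop not in ("0.0.0.0", "::"):
                flags += "g"
            if len(winners) > 1:
                flags += "e"
            if i == 0:
                flags += "*"   # assumption: the first installed path is shown as preferred
            fib.append(FibEntry(prefix, r.next_hop, r.interface, flags))
    return fib


def lookup(fib: list[FibEntry], address: str) -> list[FibEntry]:
    """Longest-prefix match for a destination address; returns every FIB entry
    at the winning prefix length (more than one entry means ECMP)."""
    addr = ipaddress.ip_address(address)
    matches = [e for e in fib if addr in e.destination]   # False across IPv4/IPv6
    if not matches:
        return []
    longest = max(e.destination.prefixlen for e in matches)
    return [e for e in matches if e.destination.prefixlen == longest]


def sample_rib() -> list[Route]:
    """Constructed sample RIB using documentation address ranges."""
    return [
        Route("10.1.0.0/16", "192.0.2.1", 10, "ethernet1/1", "static"),
        Route("10.1.0.0/16", "192.0.2.2", 20, "ethernet1/2", "static"),   # higher metric
        Route("10.1.2.0/24", "0.0.0.0", 0, "ethernet1/3", "connected"),
        Route("0.0.0.0/0", "198.51.100.1", 10, "ethernet1/4", "static"),  # two equal-cost
        Route("0.0.0.0/0", "198.51.100.2", 10, "ethernet1/5", "static"),  # default routes
    ]


if __name__ == "__main__":
    rib = sample_rib()
    fib = build_fib(rib)
    for r in rib:
        print(f"RIB {r.destination:15} {r.next_hop:14} metric {r.metric:3} flags {r.flags}")
    for e in fib:
        print(f"FIB {str(e.destination):15} {e.next_hop:14} {e.interface} {e.flags}")
    print("203.0.113.9 ->", [e.interface for e in lookup(fib, "203.0.113.9")])
```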


Static Route Monitoring Tab

The following table describes the virtual router's Runtime Stats for Static Route Monitoring.

Static Route Monitoring Runtime Stats: Description

Destination: IPv4 address and netmask or IPv6 address and prefix length of a network the virtual router can reach.

Next Hop: IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.

Metric: Metric for the route. When there is more than one static route to the same destination network, the firewall prefers the route with the lowest metric value.

Weight: Weight for the route.

Flags:
A?B: Active and learned via BGP
A C: Active and a result of an internal interface (connected); Destination = network
A H: Active and a result of an internal interface (connected); Destination = Host only
A R: Active and learned via RIP
A S: Active and static
S: Inactive (because this route has a higher metric) and static
O1: OSPF external type 1
O2: OSPF external type 2
Oi: OSPF intra-area
Oo: OSPF inter-area

Interface: Egress interface of the virtual router that will be used to reach the next hop.

Path Monitoring (Fail On): If path monitoring is enabled for this static route, Fail On indicates:
All: Firewall considers the static route down and will fail over if all of the monitored destinations for the static route are down.
Any: Firewall considers the static route down and will fail over if any one of the monitored destinations for the static route is down.
If static route path monitoring is disabled, Fail On indicates Disabled.

Status: Status of the static route based on ICMP pings to the monitored destinations: Up, Down, or path monitoring for the static route is Disabled.

Refresh: Refreshes the runtime stats in the table.


RIP Tab

The following table describes the virtual router's Runtime Stats for RIP.

RIP Runtime Stats: Description

Summary Tab

Interval Seconds: Number of seconds in an interval. RIP uses this value (a length of time) to control its Update, Expire, and Delete Intervals.

Update Intervals: Number of intervals between RIP route advertisement updates that the virtual router sends to peers.

Expire Intervals: Number of intervals since the last update the virtual router received from a peer, after which the virtual router marks the routes from the peer as unusable.

Delete Intervals: Number of intervals after a route has been marked as unusable that, if no update is received, the firewall deletes the route from the routing table.

Interface Tab

Address: IP address of an interface on the virtual router where RIP is enabled.

Auth Type: Type of authentication: simple password, MD5, or none.

Send Allowed: Check mark indicates this interface is allowed to send RIP packets.

Receive Allowed: Check mark indicates this interface is allowed to receive RIP packets.

Advertise Default Route: Check mark indicates that RIP will advertise its default route to its peers.

Default Route Metric: Metric (hop count) assigned to the default route. The lower the metric value, the higher priority it has in the route table to be selected as the preferred path.

Key Id: Authentication key used with peers.

Preferred: Preferred key for authentication.

Peer Tab

Peer Address: IP address of a peer to the virtual router's RIP interface.

Last Update: Date and time that the last update was received from this peer.

RIP Version: RIP version the peer is running.

Invalid Packets: Count of invalid packets received from this peer. Possible reasons the firewall cannot parse a RIP packet: x bytes over a route boundary, too many routes in packet, bad subnet, illegal address, authentication failed, or not enough memory.

Invalid Routes: Count of invalid routes received from this peer. Possible causes: route is invalid, import fails, or not enough memory.


BGP Tab

The following table describes the virtual router's Runtime Stats for BGP.

BGP Runtime Stats: Description

Summary Tab

Router Id: Router ID assigned to the BGP instance.

Reject Default Route: Indicates whether the Reject Default Route option is configured, which causes the VR to ignore any default routes that are advertised by BGP peers.

Redistribute Default Route: Indicates whether the Allow Redistribute Default Route option is configured.

Install Route: Indicates whether the Install Route option is configured, which causes the VR to install BGP routes in the global routing table.

Graceful Restart: Indicates whether or not Graceful Restart is enabled (support).

AS Size: Indicates whether the AS Format size selected is 2 Byte or 4 Byte.

Local AS: Number of the AS to which the VR belongs.

Local Member AS: Local Member AS number (valid only if the VR is in a confederation). The field is 0 if the VR is not in a confederation.

Cluster ID: Displays the Reflector Cluster ID configured.

Default Local Preference: Displays the Default Local Preference configured for the VR.

Always Compare MED: Indicates whether the Always Compare MED option is configured, which enables a comparison to choose between routes from neighbors in different autonomous systems.

Aggregate Regardless MED: Indicates whether the Aggregate MED option is configured, which enables route aggregation even when routes have different MED values.

Deterministic MED Processing: Indicates whether the Deterministic MED comparison option is configured, which enables a comparison to choose between routes that are advertised by IBGP peers (BGP peers in the same AS).

Current RIB Out Entries: Number of entries in the RIB Out table.

Peak RIB Out Entries: Peak number of Adj-RIB-Out routes that have been allocated at any one time.

Peer Tab

Name: Name of the peer.

Group: Name of the peer group to which this peer belongs.

Local IP: IP address of the BGP interface on the VR.

Peer IP: IP address of the peer.

Peer AS: Autonomous system to which the peer belongs.


Password Set: Yes or no indicates whether authentication is set.

Status: Status of the peer, such as Active, Connect, Established, Idle, OpenConfirm, or OpenSent.

Status Duration (secs.): Duration of the peer's status.

Peer Group Tab

Group Name: Name of a peer group.

Type: Type of peer group configured, such as EBGP or IBGP.

Aggregate Confed. AS: Yes or no indicates whether the Aggregate Confederation AS option is configured.

Soft Reset Support: Yes or no indicates whether the peer group supports soft reset. When routing policies to a BGP peer change, routing table updates might be affected. A soft reset of BGP sessions is preferred over a hard reset because a soft reset allows routing tables to be updated without clearing the BGP sessions.

Next Hop Self: Yes or no indicates whether this option is configured.

Next Hop Third Party: Yes or no indicates whether this option is configured.

Remove Private AS: Indicates whether updates will have private AS numbers removed from the AS_PATH attribute before the update is sent.

Local RIB Tab

Prefix: Network prefix and subnet mask in the Local Routing Information Base.

Flag: * indicates the route was chosen as the best BGP route.

Next Hop: IP address of the next hop toward the Prefix.

Peer: Name of peer.

Weight: Weight attribute assigned to the Prefix. If the firewall has more than one route to the same Prefix, the route with the highest weight is installed in the IP routing table.

Local Pref.: Local preference attribute for the route, which is used to choose the exit point toward the prefix if there are multiple exit points. A higher local preference is preferred over a lower local preference.

AS Path: List of autonomous systems in the path to the Prefix network; the list is advertised in BGP updates.

Origin: Origin attribute for the Prefix; how BGP learned of the route.

MED: Multi-Exit Discriminator (MED) attribute of the route. The MED is a metric attribute for a route, which the AS advertising the route suggests to an external AS. A lower MED is preferred over a higher MED.

Flap Count: Number of flaps for the route.

RIB Out Tab


Prefix: Network routing entry in the Routing Information Base.

Next Hop: IP address of the next hop toward the Prefix.

Peer: Peer to which the VR will advertise this route.

Local Pref.: Local preference attribute to access the prefix, which is used to choose the exit point toward the prefix if there are multiple exit points. A higher local preference is preferred over a lower local preference.

AS Path: List of autonomous systems in the path to the Prefix network.

Origin: Origin attribute for the Prefix; how BGP learned of the route.

MED: Multi-Exit Discriminator (MED) attribute to the Prefix. The MED is a metric attribute for a route, which the AS that is advertising the route suggests to an external AS. A lower MED is preferred over a higher MED.

Adv. Status: Advertised status of the route.

Aggr. Status: Indicates whether this route is aggregated with other routes.

Multicast Tab

The following table describes the virtual router's Runtime Stats for IP Multicast.

Multicast Runtime Stats: Description

FIB Tab

Group: Multicast group address that the VR will forward.

Source: Multicast source address.

Incoming Interfaces: Indicates interfaces where the multicast traffic comes in on the VR.

IGMP Interface Tab

Interface: Interface that has IGMP enabled.

Version: Version 1, 2, or 3 of Internet Group Management Protocol (IGMP).

Querier: IP address of the IGMP querier on that interface.

Querier Up Time: Length of time that the IGMP querier has been up.

Querier Expiry Time: Time remaining before the current Other Querier Present timer expires.

Robustness: Robustness variable of the IGMP interface.

Groups Limit: Number of multicast groups allowed on the interface.

Sources Limit: Number of multicast sources allowed on the interface.


Immediate Leave: Yes or no indicates whether Immediate Leave is configured. Immediate leave indicates that the virtual router will remove an interface from the forwarding table entry without sending the interface IGMP group-specific queries.

IGMP Membership Tab

Interface: Name of an interface to which the membership belongs.

Group: IP Multicast group address.

Source: Source address of multicast traffic.

Up Time: Length of time this membership has been up.

Expiry Time: Length of time remaining before membership expires.

Filter Mode: Include or exclude the source. VR is configured to include all traffic, or only traffic from this source (include), or traffic from any source except this one (exclude).

Exclude Expiry: Time remaining before the interface Exclude state expires.

V1 Host Timer: Time remaining until the local router assumes that there are no longer any IGMP Version 1 members on the IP subnet attached to the interface.

V2 Host Timer: Time remaining until the local router assumes that there are no longer any IGMP Version 2 members on the IP subnet attached to the interface.

PIM Group Mapping Tab

Group: IP address of the group mapped to a Rendezvous Point.

RP: IP address of Rendezvous Point for the group.

Origin: Indicates where the VR learned of the RP.

PIM Mode: ASM or SSM.

Inactive: Indicates that the mapping of the group to the RP is inactive.

PIM Interface Tab

Interface: Name of interface participating in PIM.

Address: IP address of the interface.

DR: IP address of the Designated Router on the interface.

Hello Interval: Hello interval configured, in seconds.

Join/Prune Interval: Join/Prune interval configured, in seconds.

Assert Interval: Assert interval configured, in seconds.

DR Priority: Priority configured for the Designated Router.

BSR Border: Yes or no.

PIM Neighbor Tab

Interface: Name of interface in the VR.


Address: IP address of the neighbor.

Secondary Address: Secondary IP address of the neighbor.

Up Time: Length of time the neighbor has been up.

Expiry Time: Length of time remaining before the neighbor expires because the VR is not receiving hello packets from the neighbor.

Generation ID: Value that the VR received from the neighbor in the last PIM hello message received on this interface.

DR Priority: Designated Router priority that the VR received in the last PIM hello message from this neighbor.

BFD Summary Information Tab

BFD summary information includes the following data.

BFD Summary Information Runtime Stats: Description

Interface: Interface that is running BFD.

Protocol: Static route (IP address family of static route) or dynamic routing protocol that is running BFD on the interface.

Local IP Address: IP address of the interface where you configured BFD.

Neighbor IP Address: IP address of BFD neighbor.

State: BFD states of the local and remote BFD peers: admin down, down, init, or up.

Uptime: Length of time BFD has been up (hours, minutes, seconds, and milliseconds).

Discriminator (local): Discriminator for local BFD peer. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.

Discriminator (remote): Discriminator for remote BFD peer.

Errors: Number of BFD errors.

Session Details: Click Details to see BFD information for a session such as the IP addresses of the local and remote neighbors, the last received remote diagnostic code, number of transmitted and received control packets, number of errors, information about the last packet causing state change, and more.


Network > Zones

Security zones are a logical way to group physical and virtual interfaces on the firewall to control and log the traffic that traverses specific interfaces on your network. An interface on the firewall must be assigned to a security zone before the interface can process traffic. A zone can have multiple interfaces of the same type assigned to it (such as tap, layer 2, or layer 3 interfaces), but an interface can belong to only one zone.
Policy rules on the firewall use security zones to identify where the traffic comes from and where it is going. Traffic can flow freely within a zone but traffic cannot flow between different zones until you define a Security policy rule that allows it. To allow or deny interzone traffic, Security policy rules must reference a source zone and destination zone (not interfaces) and the zones must be of the same type; that is, a Security policy rule can allow or deny traffic from one Layer 2 zone only to another Layer 2 zone.

What are you looking for?   See:

What are the fields available to configure security zones?   Building Blocks of Security Zones

Looking for more?   Segment Your Network Using Interfaces and Zones

Building Blocks of Security Zones

To define a security zone, click Add and specify the following information.

Security Zone Settings: Description

Name: Enter a zone name (up to 31 characters). This name appears in the list of zones when defining security policies and configuring interfaces. The name is case-sensitive and must be unique within the virtual router. Use only letters, numbers, spaces, hyphens, periods, and underscores.

Location: This field is present only if the firewall supports multiple virtual systems (vsys) and that capability is enabled. Select the vsys to which this zone applies.

Type: Select a zone type (Tap, Virtual Wire, Layer2, Layer3, External, or Tunnel) to view all the Interfaces of that type that have not been assigned to a zone. The Layer2 and Layer3 zone types list all Ethernet interfaces and subinterfaces of that type. Add the interfaces that you want to assign to the zone.
The External zone is used to control traffic between multiple virtual systems on a single firewall. It displays only on firewalls that support multiple virtual systems and only if the Multi Virtual System Capability is enabled. For information on external zones, see Inter-VSYS Traffic That Remains Within the Firewall.
An interface can belong to only one zone in one virtual system.

Interfaces: Add one or more interfaces to this zone.


Zone Protection Profiles: Select a profile that specifies how the firewall responds to attacks from this zone. To create a new profile, see Network > Network Profiles > Zone Protection.

Enable Packet Buffer Protection: If you have configured Packet Buffer Protection, select to apply the packet buffer protection settings, configured under Device > Setup > Session, to this zone (disabled by default). Packet buffer protection is applied to the ingress zone only.

Log Setting: Select a Log Forwarding profile for forwarding zone protection logs to an external system.
If you have a Log Forwarding profile named default, that profile will be automatically selected for this drop-down when defining a new security zone. You can override this default setting at any time by continuing to select a different Log Forwarding profile when setting up a new security zone. To define or add a new Log Forwarding profile (and to name a profile default so that this drop-down is populated automatically), click New (refer to Objects > Log Forwarding).
If you are configuring the zone in a Panorama template, the Log Setting drop-down lists only shared Log Forwarding profiles; to specify a non-shared profile, you must type its name.

Enable User Identification: If you configured User-ID to perform IP address-to-username mapping (discovery), select to apply the mapping information to traffic in this zone. If you disable this option, firewall logs, reports, and policies will exclude user mapping information for traffic within the zone.
By default, if you select this option, the firewall applies user mapping information to the traffic of all subnetworks in the zone. To limit the information to specific subnetworks within the zone, use the Include List and Exclude List.
Enable User-ID on trusted zones only. If you enable User-ID and client probing on an external untrusted zone (such as the internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID agent service account name, domain name, and encrypted password hash, which could allow an attacker to gain unauthorized access to protected resources.
User-ID performs discovery for the zone only if it falls within the network range that User-ID monitors. If the zone is outside that range, the firewall does not apply user mapping information to the zone traffic even if you select Enable User Identification. For details, see Include or Exclude Subnetworks for User Mapping.


User Identification ACL Include List: By default, if you do not specify subnetworks in this list, the firewall applies the user mapping information it discovers to all the traffic of this zone for use in logs, reports, and policies.
To limit the application of user mapping information to specific subnetworks within the zone, for each subnetwork click Add and select an address (or address group) object or type the IP address range (for example, 10.1.1.1/24). The exclusion of all other subnetworks is implicit: you do not need to add them to the Exclude List.
Add entries to the Exclude List only to exclude user mapping information for a subset of the subnetworks in the Include List. For example, if you add 10.0.0.0/8 to the Include List and add 10.2.50.0/22 to the Exclude List, the firewall includes user mapping information for all the zone subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and excludes information for all zone subnetworks outside of 10.0.0.0/8.
You can only include subnetworks that fall within the network range that User-ID monitors. For details, see Include or Exclude Subnetworks for User Mapping.

User Identification ACL Exclude List: To exclude user mapping information for a subset of the subnetworks in the Include List, Add an address (or address group) object or type the IP address range for each subnetwork to exclude.
If you add entries to the Exclude List but not the Include List, the firewall excludes user mapping information for all subnetworks within the zone, not just the subnetworks you added.
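The Include List and Exclude List semantics above, including the exclude-only case, as an added example that is not Palo Alto Networks code; the function names are hypothetical, and the lists reuse the 10.0.0.0/8 and 10.2.50.0/22 example from the text.

```python
import ipaddress

# The zone ACL example from the text above: include 10.0.0.0/8, exclude 10.2.50.0/22
PAGE_INCLUDE_LIST = ["10.0.0.0/8"]
PAGE_EXCLUDE_LIST = ["10.2.50.0/22"]


def _networks(entries):
    # strict=False accepts host-form entries such as 10.1.1.1/24, as the text shows
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _matches(networks, addr):
    return any(addr in net for net in networks)


def user_mapping_applies(address, include_list=(), exclude_list=()):
    """True if the firewall would apply User-ID mapping to traffic from
    `address` in a zone with the given Include List and Exclude List."""
    addr = ipaddress.ip_address(address)
    include, exclude = _networks(include_list), _networks(exclude_list)
    if not include and not exclude:
        return True            # default: every subnetwork in the zone
    if not include:
        return False           # Exclude List alone excludes the whole zone
    if not _matches(include, addr):
        return False           # outside the Include List is implicitly excluded
    return not _matches(exclude, addr)


def audit_zone_acl(include_list, exclude_list):
    """Return warnings for ACL settings whose effect differs from what a
    reader of the table might expect."""
    include, exclude = _networks(include_list), _networks(exclude_list)
    warnings = []
    if exclude and not include:
        warnings.append("Exclude List without an Include List: user mapping is "
                        "excluded for every subnetwork in the zone")
    for ex in exclude:
        covered = any(ex.version == inc.version and ex.subnet_of(inc) for inc in include)
        if include and not covered:
            warnings.append(f"Exclude entry {ex} is not inside any Include List entry "
                            "and therefore has no effect")
    return warnings


if __name__ == "__main__":
    for ip in ("10.3.0.1", "10.2.51.7", "172.16.0.1"):
        print(ip, user_mapping_applies(ip, PAGE_INCLUDE_LIST, PAGE_EXCLUDE_LIST))
    print(audit_zone_acl([], PAGE_EXCLUDE_LIST))
```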


Network > VLANs

The firewall supports VLANs that conform to the IEEE 802.1Q standard. Each Layer 2 interface defined on the firewall can be associated with a VLAN. The same VLAN can be assigned to multiple Layer 2 interfaces but each interface can belong to only one VLAN.

VLAN Settings: Description

Name: Enter a VLAN name (up to 31 characters). This name appears in the list of VLANs when configuring interfaces. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

VLAN Interface: Select a Network > Interfaces > VLAN to allow traffic to be routed outside the VLAN.

Interfaces: Specify firewall interfaces for the VLAN.

Static MAC Configuration: Specify the interface through which a MAC address is reachable. This will override any learned interface-to-MAC mappings.


Network > IPSec Tunnels

Select Network > IPSec Tunnels to establish and manage IPSec VPN tunnels between firewalls. This is the Phase 2 portion of the IKE/IPSec VPN setup.

What are you looking for?   See:

Manage IPSec VPN tunnels.   IPSec VPN Tunnel Management
Configure an IPSec tunnel.   IPSec Tunnel General Tab; IPSec Tunnel Proxy IDs Tab
View IPSec tunnel status.   IPSec Tunnel Status on the Firewall
Restart or refresh an IPSec tunnel.   IPSec Tunnel Restart or Refresh
Looking for more?   Set up an IPSec tunnel.

IPSec VPN Tunnel Management

Network > IPSec Tunnels
The following table describes how to manage your IPSec VPN tunnels.

Fields to Manage IPSec VPN Tunnels

Add: Add a new IPSec VPN tunnel. See IPSec Tunnel General Tab for instructions on configuring the new tunnel.

Delete: Delete a tunnel that you no longer need.

Enable: Enable a tunnel that has been disabled (tunnels are enabled by default).

Disable: Disable a tunnel that you don't want to use but are not yet ready to delete.


IPSec Tunnel General Tab

Network > IPSec Tunnels > General
Use the following fields to set up an IPSec tunnel.

IPSec Tunnel General Settings: Description

Name: Enter a Name to identify the tunnel (up to 63 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
The 63-character limit for this field includes the tunnel name in addition to the Proxy ID, which is separated by a colon character.

Tunnel Interface: Select an existing tunnel interface, or click New Tunnel Interface. For information on creating a tunnel interface, refer to Network > Interfaces > Tunnel.

IPv4 or IPv6: Select IPv4 or IPv6 to configure the tunnel to have endpoints with that IP type of address.

Type: Select whether to use an automatically generated or manually entered security key. Auto key is recommended.

Auto Key: If you choose Auto Key, specify the following:
IKE Gateway: Refer to Network > Network Profiles > IKE Gateways for descriptions of the IKE gateway settings.
IPSec Crypto Profile: Select an existing profile or keep the default profile. To define a new profile, click New and follow the instructions in Network > Network Profiles > IPSec Crypto.
Click Show Advanced Options to access the remaining fields.
Enable Replay Protection: Select to protect against replay attacks.
Copy TOS Header: Copy the Type of Service (TOS) field from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information. This also copies the Explicit Congestion Notification (ECN) field.
Tunnel Monitor: Select to alert the device administrator of tunnel failures and to provide automatic failover to another interface.
You need to assign an IP address to the tunnel interface for monitoring.
Destination IP: Specify an IP address on the other side of the tunnel that the tunnel monitor will use to determine if the tunnel is working properly.
Profile: Select an existing profile that will determine the actions that are taken if the tunnel fails. If the action specified in the monitor profile is wait-recover, the firewall will wait for the tunnel to become functional and will NOT seek an alternate path with the route table. If the fail-over action is used, the firewall will check the route table to see if there is an alternate route that can be used to reach the destination. For more information, see Network > Network Profiles > Monitor.


Manual Key: If you choose Manual Key, specify the following:
Local SPI: Specify the local security parameter index (SPI) for packet traversal from the local firewall to the peer. SPI is a hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows.
Interface: Select the interface that is the tunnel endpoint.
Local Address: Select the IP address for the local interface that is the endpoint of the tunnel.
Remote SPI: Specify the remote security parameter index (SPI) for packet traversal from the remote firewall to the peer.
Protocol: Choose the protocol for traffic through the tunnel (ESP or AH).
Authentication: Choose the authentication type for tunnel access (SHA1, SHA256, SHA384, SHA512, MD5, or None).
Key/Confirm Key: Enter and confirm an authentication key.
Encryption: Select an encryption option for tunnel traffic (3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, des, or null [no encryption]).
Key/Confirm Key: Enter and confirm an encryption key.

GlobalProtect Satellite: If you choose GlobalProtect Satellite, specify the following:
Name: Enter a name to identify the tunnel (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Tunnel Interface: Select an existing tunnel interface, or click New Tunnel Interface.
Portal Address: Enter the IP address of the GlobalProtect Portal.
Interface: Select the interface from the drop-down that is the egress interface to reach the GlobalProtect Portal.
Local IP Address: Enter the IP address of the egress interface that connects to the GlobalProtect Portal.
Advanced Options
Publish all static and connected routes to Gateway: Select to publish all routes from the satellite to the GlobalProtect Gateway to which this satellite is connected.
Subnet: Click Add to manually add local subnets for the satellite location. If other satellites are using the same subnet information, you must NAT all traffic to the tunnel interface IP. Also, the satellite must not share routes in this case, so all routing will be done through the tunnel IP.
External Certificate Authority: Select if you will use an external CA to manage certificates. Once you have your certificates generated, you will need to import them into the satellite and select the Local Certificate and the Certificate Profile.


IPSec Tunnel Proxy IDs Tab

Network > IPSec Tunnels > Proxy IDs
The IPSec Tunnel Proxy IDs tab is separated into two tabs: IPv4 and IPv6. The help is similar for both types; the differences between IPv4 and IPv6 are described in the Local and Remote fields in the following table.
The IPSec Tunnel Proxy IDs tab is also used for specifying traffic selectors for IKEv2.

Proxy IDs IPv4 and IPv6 Settings: Description

Proxy ID: Click Add and enter a name to identify the proxy.
For an IKEv2 traffic selector, this field is used as the Name.

Local: For IPv4: Enter an IP address or subnet in the format x.x.x.x/mask (for example, 10.1.2.0/24).
For IPv6: Enter an IP address and prefix length in the format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/prefix length (or per IPv6 convention, for example, 2001:DB8:0::/48).
IPv6 addressing does not require that all zeros be written; leading zeros can be omitted and one grouping of consecutive zeros can be replaced by two adjacent colons (::).
For an IKEv2 traffic selector, this field is converted to Source IP Address.

Remote: If required by the peer:
For IPv4, enter an IP address or subnet in the format x.x.x.x/mask (for example, 10.1.1.0/24).
For IPv6, enter an IP address and prefix length in the format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/prefix length (or per IPv6 convention, for example, 2001:DB8:55::/48).
For an IKEv2 traffic selector, this field is converted to Destination IP Address.

Protocol: Specify the protocol and port numbers for the local and remote ports:
Number: Specify the protocol number (used for interoperability with third-party devices).
Any: Allow TCP and/or UDP traffic.
TCP: Specify the local and remote TCP port numbers.
UDP: Specify the local and remote UDP port numbers.
Each configured proxy ID will count towards the IPSec VPN tunnel capacity of the firewall.
This field is also used as an IKEv2 traffic selector.


IPSec Tunnel Status on the Firewall

Network > IPSec Tunnels
To view the status of currently defined IPSec VPN tunnels, open the IPSec Tunnels page. The following status information is reported on the page:
Tunnel Status (first status column): Green indicates an IPSec phase 2 security association (SA) tunnel. Red indicates that the IPSec phase 2 SA is not available or has expired.
IKE Gateway Status: Green indicates a valid IKE phase 1 SA or IKEv2 IKE SA. Red indicates that the IKE phase 1 SA is not available or has expired.
Tunnel Interface Status: Green indicates that the tunnel interface is up (because tunnel monitor is disabled or because tunnel monitor status is UP and the monitoring IP address is reachable). Red indicates that the tunnel interface is down because the tunnel monitor is enabled and the remote tunnel monitoring IP address is unreachable.

IPSec Tunnel Restart or Refresh

Network > IPSec Tunnels
Select Network > IPSec Tunnels to display the status of tunnels. In the first Status column is a link to the Tunnel Info. Click the tunnel you want to restart or refresh to open the Tunnel Info page for that tunnel. Click one of the entries in the list and then click:
Restart: Restart the selected tunnel. A restart disrupts traffic going across the tunnel.
Refresh: Show the current IPSec SA status.


Network > DHCP

Dynamic Host Configuration Protocol (DHCP) is a standardized protocol that provides TCP/IP and link-layer configuration parameters and network addresses to dynamically configured hosts on a TCP/IP network. An interface on a Palo Alto Networks firewall can act as a DHCP server, client, or relay agent. Assigning these roles to different interfaces allows the firewall to perform multiple roles.

What are you looking for?   See:

What is DHCP?   DHCP Overview
How does a DHCP server allocate addresses?   DHCP Addressing
Configure an interface on the firewall to act as a:   DHCP Server; DHCP Relay; Network > DNS Proxy
Looking for more?   DHCP

DHCP Overview

Network > DHCP
DHCP uses a client-server model of communication. This model consists of three roles that the firewall can fulfill: DHCP client, DHCP server, and DHCP relay agent.
A firewall acting as a DHCP client (host) can request an IP address and other configuration settings from a DHCP server. Users on client firewalls save configuration time and effort, and need not know the addressing plan of the network or other network resources and options inherited from the DHCP server.
A firewall acting as a DHCP server can service clients. By using one of the DHCP addressing mechanisms, the administrator saves configuration time and has the benefit of reusing a limited number of IP addresses when clients no longer need network connectivity. The server can also deliver IP addressing and DHCP options to multiple clients.
A firewall acting as a DHCP relay agent listens for broadcast and unicast DHCP messages and relays them between DHCP clients and servers.
DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages that a client sends to a server are sent to well-known port 67 (UDP Bootstrap Protocol and DHCP). DHCP messages that a server sends to a client are sent to port 68.


DHCP Addressing

There are three ways that a DHCP server either assigns or sends an IP address to a client:
- Automatic allocation: The DHCP server assigns a permanent IP address to a client from its IP Pools. On the firewall, a Lease specified as Unlimited means the allocation is permanent.
- Dynamic allocation: The DHCP server assigns a reusable IP address from IP Pools of addresses to a client for a maximum period of time, known as a lease. This method of address allocation is useful when the customer has a limited number of IP addresses; they can be assigned to clients who need only temporary access to the network.
- Static allocation: The network administrator chooses the IP address to assign to the client and the DHCP server sends it to the client. A static DHCP allocation is permanent; it is done by configuring a DHCP server and choosing a Reserved Address to correspond to the MAC Address of the client firewall. The DHCP assignment remains in place even if the client disconnects (logs off, reboots, has a power outage, etc.).
Static allocation of an IP address is useful, for example, if you have a printer on a LAN and you do not want its IP address to keep changing, because it is associated with a printer name through DNS. Another example is if a client firewall is used for something crucial and must keep the same IP address, even if the firewall is turned off, unplugged, rebooted, or a power outage occurs.
Keep the following points in mind when configuring a Reserved Address:
- It is an address from the IP Pools. You can configure multiple reserved addresses.
- If you configure no Reserved Address, the clients of the server will receive new DHCP assignments from the pool when their leases expire or if they reboot, etc. (unless you specified that a Lease is Unlimited).
- If you allocate every address in the IP Pools as a Reserved Address, there are no dynamic addresses free to assign to the next DHCP client requesting an address.
- You may configure a Reserved Address without configuring a MAC Address. In this case, the DHCP server will not assign the Reserved Address to any firewall. You might reserve a few addresses from the pool and statically assign them to a fax and printer, for example, without using DHCP.
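The three allocation modes above, as an added example that is not Palo Alto Networks code: a small Python model of IP Pools, Reserved Address, Lease and the ping probe used when allocating a new IP. The probe callback, the pool and every address and MAC are constructed assumptions.

```python
"""Added example (not Palo Alto Networks code): a model of automatic, dynamic
and static DHCP allocation using the IP Pools, Reserved Address and Lease
semantics of the DHCP Server settings. The probe callback stands in for
"Ping IP when allocating new IP"; all addresses and MACs are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


def expand_pool(spec: str) -> List[str]:
    """Expand one IP Pools entry into host addresses. The accepted forms are a
    single address, address/<mask length> (192.168.1.0/24) and a range written
    first-last (192.168.1.10-192.168.1.20)."""
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {spec}")
        return [str(ipaddress.IPv4Address(i)) for i in range(int(first), int(last) + 1)]
    if "/" in spec:
        # Skip the network and broadcast addresses of the block.
        return [str(h) for h in ipaddress.IPv4Network(spec, strict=False).hosts()]
    return [str(ipaddress.IPv4Address(spec))]


@dataclass
class DhcpServer:
    pools: List[str]
    # Reserved Address -> MAC Address, or None for a reservation without a MAC
    # (held back from the pool and never handed out by DHCP).
    reserved: Dict[str, Optional[str]] = field(default_factory=dict)
    # Lease length in seconds; None models Lease = Unlimited (permanent).
    lease_seconds: Optional[int] = 3600
    # "Ping IP when allocating new IP": returns True if the address answers.
    probe: Optional[Callable[[str], bool]] = None
    # MAC -> (address, expiry time, or None for a permanent assignment)
    leases: Dict[str, Tuple[str, Optional[int]]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.addresses: List[str] = []
        for spec in self.pools:
            for ip in expand_pool(spec):
                if ip not in self.addresses:
                    self.addresses.append(ip)
        for ip, mac in list(self.reserved.items()):
            if ip not in self.addresses:
                raise ValueError(f"Reserved Address {ip} is not in the IP Pools")
            self.reserved[ip] = mac.lower() if mac else None

    def _in_use(self, ip: str, now: int) -> bool:
        return any(lip == ip and (exp is None or exp > now)
                   for lip, exp in self.leases.values())

    def allocate(self, mac: str, now: int) -> Optional[str]:
        """Return the address offered to `mac`, or None if nothing is free."""
        mac = mac.lower()
        expiry = None if self.lease_seconds is None else now + self.lease_seconds
        # Static allocation: a Reserved Address bound to this MAC is permanent
        # and survives the client rebooting or disconnecting.
        for ip, bound in self.reserved.items():
            if bound == mac:
                self.leases[mac] = (ip, None)
                return ip
        # Renewal: a client whose lease has not expired keeps its address.
        if mac in self.leases:
            ip, exp = self.leases[mac]
            if exp is None or exp > now:
                self.leases[mac] = (ip, expiry)
                return ip
        # Dynamic allocation (automatic when the lease is Unlimited): the first
        # pool address that is not reserved, not leased and, when probing is
        # enabled, does not answer a ping.
        for ip in self.addresses:
            if ip in self.reserved or self._in_use(ip, now):
                continue
            if self.probe is not None and self.probe(ip):
                continue  # another host already holds it; try the next one
            self.leases[mac] = (ip, expiry)
            return ip
        return None  # e.g. every pool address is reserved or leased


def demo() -> List[Optional[str]]:
    """Walk one constructed scenario; returns the addresses offered in order."""
    srv = DhcpServer(pools=["192.168.1.10-192.168.1.12"],
                     reserved={"192.168.1.12": "AA:BB:CC:DD:EE:FF"},
                     lease_seconds=600,
                     probe=lambda ip: ip == "192.168.1.10")  # .10 answers pings
    return [srv.allocate("11:22:33:44:55:66", 0),    # .10 in use, so .11
            srv.allocate("aa:bb:cc:dd:ee:ff", 0),    # static: reserved .12
            srv.allocate("22:22:22:22:22:22", 0),    # nothing free: None
            srv.allocate("11:22:33:44:55:66", 100),  # renewal keeps .11
            srv.allocate("22:22:22:22:22:22", 700)]  # .11 lease expired, reused
```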

DHCP Server

Network > DHCP > DHCP Server
The following section describes each component of the DHCP server. Before you configure a DHCP server, you should already have configured a Layer 3 Ethernet or Layer 3 VLAN interface that is assigned to a virtual router and a zone. You should also know a valid pool of IP addresses from your network plan that can be designated to be assigned by your DHCP server to clients.
When you add a DHCP server, you configure the settings described in the table below.

DHCP Server Settings (Configured In): Description

Interface (DHCP Server): Name of the interface that will serve as the DHCP server.
Mode (DHCP Server): Select enabled or auto mode. Auto mode enables the server and disables it if another DHCP server is detected on the network. The disabled setting disables the server.


Ping IP when allocating new IP (DHCP Server > Lease): If you click Ping IP when allocating new IP, the server will ping the IP address before it assigns that address to its client. If the ping receives a response, that means a different firewall already has that address, so it is not available for assignment. The server assigns the next address from the pool instead. If you select this option, the Probe IP column in the display will have a check mark.
Lease (DHCP Server > Lease): Specify a lease type.
- Unlimited causes the server to dynamically choose IP addresses from the IP Pools and assign them permanently to clients.
- Timeout determines how long the lease will last. Enter the number of Days and Hours, and optionally, the number of Minutes.
IP Pools (DHCP Server > Lease): Specify the stateful pool of IP addresses from which the DHCP server chooses an address and assigns it to a DHCP client. You can enter a single address, an address/<mask length>, such as 192.168.1.0/24, or a range of addresses, such as 192.168.1.10-192.168.1.20.
Reserved Address (DHCP Server > Lease): Optionally specify an IP address (format x.x.x.x) from the IP pools that you do not want dynamically assigned by the DHCP server. If you also specify a MAC Address (format xx:xx:xx:xx:xx:xx), the Reserved Address is assigned to the firewall associated with that MAC address when that firewall requests an IP address through DHCP.
Inheritance Source (DHCP Server > Options): Select None (default) or select a source DHCP client interface or PPPoE client interface to propagate various server settings to the DHCP server. If you specify an Inheritance Source, select one or more options below that you want inherited from this source. One benefit of specifying an inheritance source is that DHCP options are quickly transferred from the server that is upstream of the source DHCP client. It also keeps the client's options updated if an option on the inheritance source is changed. For example, if the inheritance source firewall replaces its NTP server (which had been identified as the Primary NTP server), the client will automatically inherit the new address as its Primary NTP server.
Check inheritance source status (DHCP Server > Options): If you selected an Inheritance Source, click Check inheritance source status to open the Dynamic IP Interface Status window, which displays the options that are inherited from the DHCP client.


Gateway (DHCP Server > Options): Specify the IP address of the network gateway (an interface on the firewall) that is used to reach any device not on the same LAN as this DHCP server.
Subnet Mask (DHCP Server > Options): Specify the network mask that applies to the addresses in the IP Pools.
Options (DHCP Server > Options): For the following fields, click the drop-down and select None or inherited, or enter the IP address of the remote server that your DHCP server will send to clients for accessing that service. If you select inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance Source. The DHCP server sends these settings to its clients.
- Primary DNS, Secondary DNS: IP address of the preferred and alternate Domain Name System (DNS) servers.
- Primary WINS, Secondary WINS: IP address of the preferred and alternate Windows Internet Name Service (WINS) servers.
- Primary NIS, Secondary NIS: IP address of the preferred and alternate Network Information Service (NIS) servers.
- Primary NTP, Secondary NTP: IP address of the available network time protocol (NTP) servers.
- POP3 Server: IP address of a Post Office Protocol version 3 (POP3) server.
- SMTP Server: IP address of a Simple Mail Transfer Protocol (SMTP) server.
- DNS Suffix: Suffix for the client to use locally when an unqualified hostname is entered that the client cannot resolve.
Custom DHCP options (DHCP Server > Options): Click Add and enter the Name of the custom option you want the DHCP Server to send to clients. Enter an Option Code (range is 1-254). If Option Code 43 is entered, the Vendor Class Identifier (VCI) field appears. Enter a match criterion that will be compared to the incoming VCI from the client's Option 60. The firewall looks at the incoming VCI from the client's Option 60, finds the matching VCI in its own DHCP server table, and returns the corresponding value to the client in Option 43. The VCI match criterion is a string or hex value. A hex value must have a 0x prefix.
Select Inherited from DHCP server inheritance source to have the server inherit the value for that option code from the inheritance source instead of you entering an Option Value. As an alternative to this option, you can proceed with the following:
- Option Type: Select IP Address, ASCII, or Hexadecimal to specify the type of data used for the Option Value.
- For Option Value, click Add and enter the value for the custom option.
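The Option 60 to Option 43 lookup described under Custom DHCP options, as an added example that is not Palo Alto Networks code: it parses the client's DHCP options, compares the VCI against a constructed match table (exact match is assumed; the guide does not say how partial matches are treated) and encodes the reply value per Option Type.

```python
"""Added example (not Palo Alto Networks code): turning the Vendor Class
Identifier a client sends in Option 60 into an Option 43 reply, following the
VCI match criterion (string or 0x-prefixed hex) and Option Type rules. The
option table and the client message below are constructed sample values."""
import ipaddress
from typing import Dict, List, Optional, Tuple


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Parse the DHCP options field (the bytes after the magic cookie) as
    code/length/value triples. Code 0 is padding, 255 ends the list, and a
    code that appears twice is concatenated as RFC 3396 requires."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, {len(value)} present")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def vci_bytes(criterion: str) -> bytes:
    """A VCI match criterion is a string, or a hex value with a 0x prefix."""
    if criterion[:2].lower() == "0x":
        return bytes.fromhex(criterion[2:])
    return criterion.encode("ascii")


def encode_value(option_type: str, values: List[str]) -> bytes:
    """Encode the Option Value list according to its Option Type."""
    if option_type == "IP Address":
        return b"".join(ipaddress.IPv4Address(v).packed for v in values)
    if option_type == "ASCII":
        return "".join(values).encode("ascii")
    if option_type == "Hexadecimal":
        return b"".join(bytes.fromhex(v[2:] if v[:2].lower() == "0x" else v) for v in values)
    raise ValueError(f"unknown Option Type: {option_type}")


# (VCI match criterion, Option Type, Option Values); exact matching is assumed.
VciTable = List[Tuple[str, str, List[str]]]


def build_option43(client_options: Dict[int, bytes], table: VciTable) -> Optional[bytes]:
    """Return the encoded Option 43 (code, length, value) for the client's
    Option 60, or None when the client sent no VCI or nothing matches."""
    vci = client_options.get(60)
    if vci is None:
        return None
    for criterion, option_type, values in table:
        if vci_bytes(criterion) == vci:
            payload = encode_value(option_type, values)
            if len(payload) > 255:
                raise ValueError("Option 43 value exceeds the 255-byte option limit")
            return bytes([43, len(payload)]) + payload
    return None


# Constructed server table: PXE clients get a boot server address; clients
# whose VCI matches the hex value 0x4170706c65 ("Apple") get an ASCII value.
SAMPLE_TABLE: VciTable = [
    ("PXEClient", "IP Address", ["192.0.2.10"]),
    ("0x4170706c65", "ASCII", ["hello"]),
]

# Constructed DHCPDISCOVER options: message type (53) = 1, VCI (60) = "PXEClient".
SAMPLE_DISCOVER = b"\x35\x01\x01" + b"\x3c\x09PXEClient" + b"\xff"
```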


DHCP Relay

Network > DHCP > DHCP Relay
Before configuring a firewall interface as a DHCP relay agent, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface and that you assigned the interface to a virtual router and a zone. You want that interface to be able to pass DHCP messages between clients and servers. Each interface can forward messages to a maximum of eight external IPv4 DHCP servers and eight external IPv6 DHCP servers. A client sends a DHCPDISCOVER message to all configured servers, and the firewall relays the DHCPOFFER message of the first server that responds back to the requesting client.

DHCP Relay Settings: Description

Interface: Name of the interface that will be the DHCP relay agent.
IPv4/IPv6: Select the type of DHCP server and IP address you will specify.
DHCP Server IP Address: Enter the IP address of the DHCP server to and from which you will relay DHCP messages.
Interface: If you selected IPv6 as the IP address protocol for the DHCP server and specified a multicast address, you must also specify an outgoing interface.

DHCP Client

Network > Interfaces > Ethernet > IPv4
Network > Interfaces > VLAN > IPv4
Before configuring a firewall interface as a DHCP client, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface and that you assigned the interface to a virtual router and a zone. Perform this task if you need to use DHCP to request an IPv4 address for an interface on your firewall.

DHCP Client Settings: Description

Type: Select DHCP Client and then Enable to configure the interface as a DHCP client.
Automatically create default route pointing to default gateway provided by server: Causes the firewall to create a static route to a default gateway that will be useful when clients are trying to access many destinations that do not need to have routes maintained in a routing table on the firewall.
Default Route Metric: Optionally, enter a Default Route Metric (priority level) for the route between the firewall and the DHCP server. A route with a lower number has higher priority during route selection. For example, a route with a metric of 10 is used before a route with a metric of 100 (range is 1-65535; no default).
Show DHCP Client Runtime Info: Displays all settings received from the DHCP server, including DHCP lease status, dynamic IP assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).


Network > DNS Proxy

DNS servers perform the service of resolving a domain name with an IP address and vice versa. When you configure the firewall as a DNS proxy, it acts as an intermediary between clients and servers and as a DNS server by resolving queries from its DNS cache or forwarding queries to other DNS servers. Use this page to configure the settings that determine how the firewall serves as a DNS proxy.

What do you want to know? See:

How does the firewall proxy DNS requests? DNS Proxy Overview
How do I configure a DNS proxy? How do I configure static FQDN-to-IP address mappings? DNS Proxy Settings
How can I manage DNS proxies? Additional DNS Proxy Actions
Looking for more? DNS

DNS Proxy Overview

You can configure the firewall to act as a DNS server. First, create a DNS proxy and select the interfaces to which the proxy applies. Then specify the default DNS primary and secondary servers to which the firewall sends the DNS queries when it doesn't find the domain name in its DNS proxy cache (and when the domain name doesn't match a proxy rule).
To direct DNS queries to different DNS servers based on domain names, create DNS proxy rules. Specifying multiple DNS servers can ensure localization of DNS queries and increase efficiency. For example, you can forward all corporate DNS queries to a corporate DNS server and forward all other queries to ISP DNS servers.
Use the following tabs to define a DNS proxy (beyond the default DNS primary and secondary servers):
- Static Entries: Allows you to configure static FQDN-to-IP address mappings that the firewall caches and sends to hosts in response to DNS queries.
- DNS Proxy Rules: Allows you to specify domain names and corresponding primary and secondary DNS servers to resolve queries that match the rule. If the domain name isn't in the DNS proxy cache, the firewall searches for a match in the DNS proxy (on the interface on which the query arrived), and forwards the query to a DNS server based on the match results. If no match results, the firewall sends the query to the default DNS primary and secondary servers. You can enable caching of domains that match the rule.
- Advanced: Allows you to enable caching and control TCP queries and UDP Query Retries. The firewall sends TCP or UDP DNS queries through the configured interface. UDP queries switch over to TCP when a DNS query response is too long for a single UDP packet.


DNS Proxy Settings

Click Add and configure the firewall to act as a DNS proxy. You can configure a maximum of 256 DNS proxies on a firewall.

DNS Proxy Settings (Configured In): Description

Enable (DNS Proxy): Select to enable this DNS proxy.
Name (DNS Proxy): Specify a name to identify the DNS proxy object (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location (DNS Proxy): Specify the virtual system to which the DNS proxy object applies:
- Shared: Proxy applies to all virtual systems. If you choose Shared, the Server Profile field is not available. Instead, enter the Primary and Secondary DNS server IP addresses or address objects.
- Select a virtual system to use this DNS proxy; you must configure a virtual system first. Select Device > Virtual Systems, select a virtual system, and select a DNS Proxy.
Inheritance Source (DNS Proxy; Shared location only): Select a source from which to inherit default DNS server settings. This is commonly used in branch office deployments where the firewall's WAN interface is addressed by DHCP or PPPoE.
Check inheritance source status (DNS Proxy; Shared location only): Select to see the server settings that are currently assigned to the DHCP client and PPPoE client interfaces. These may include DNS, WINS, NTP, POP3, SMTP, or DNS suffix.
Primary/Secondary (DNS Proxy; Shared location only): Specify the IP addresses of the default primary and secondary DNS servers to which this firewall (as DNS proxy) sends DNS queries. If the primary DNS server cannot be found, the firewall uses the secondary DNS server.
Server Profile (DNS Proxy; Virtual System location only): Select or create a new DNS server profile. This field does not appear if the Location of virtual systems was specified as Shared.
Interface (DNS Proxy): Add an interface to function as a DNS proxy. You can add multiple interfaces. To remove the DNS proxy from an interface, select and Delete it. An interface is not required if the DNS Proxy is used only for service route functionality. Use a destination service route with a DNS proxy with no interface if you want the destination service route to set the source IP address. Otherwise, the DNS proxy selects an interface IP address to use as a source (when no DNS service routes are set).


Name (DNS Proxy > DNS Proxy Rules): A name is required so that an entry can be referenced and modified via the CLI.
Turn on caching of domains resolved by this mapping (DNS Proxy > DNS Proxy Rules): Select to enable caching of domains that are resolved by this mapping.
Domain Name (DNS Proxy > DNS Proxy Rules): Add one or more domain names to which the firewall compares incoming FQDNs. If the FQDN matches one of the domains in the rule, the firewall forwards the query to the Primary/Secondary DNS server specified for this proxy. To delete a domain name from the rule, select it and click Delete.
DNS Server Profile (DNS Proxy > DNS Proxy Rules; Shared location only): Select or add a DNS server profile to define DNS settings for the virtual system, including the primary and secondary DNS server to which the firewall sends domain name queries.
Primary/Secondary (DNS Proxy > DNS Proxy Rules; Virtual System location only): Enter the hostname or IP address of the primary and secondary DNS servers to which the firewall sends matching domain name queries.
Name (DNS Proxy > Static Entries): Enter a name for the static entry.
FQDN (DNS Proxy > Static Entries): Enter the Fully Qualified Domain Name (FQDN) to map to the static IP addresses defined in the Address field.
Address (DNS Proxy > Static Entries): Add one or more IP addresses that map to this domain. The firewall includes all of these addresses in its DNS response, and the client chooses which IP address to use. To delete an address, select the address and click Delete.


TCP Queries (DNS Proxy > Advanced): Select to enable DNS queries using TCP. Specify the maximum number of concurrent pending TCP DNS requests (Max Pending Requests) that the firewall will support (range is 64-256; default is 64).
UDP Queries Retries (DNS Proxy > Advanced): Specify settings for UDP query retries:
- Interval: Time, in seconds, after which the DNS proxy sends another request if it hasn't received a response (range is 1-30; default is 2).
- Attempts: Maximum number of attempts (excluding the first attempt) after which the DNS proxy tries the next DNS server (range is 1-30; default is 5).
Cache (DNS Proxy > Advanced): Select to enable the firewall to cache DNS entries (enabled by default) and specify the following:
- Enable TTL: Limit the length of time the firewall caches DNS entries for the proxy object. TTL is disabled by default. Then enter Time to Live (sec), the number of seconds after which all cached entries for the proxy object are removed and new DNS requests must be resolved and cached again. Range is 60-86,400. There is no default TTL; entries remain until the firewall runs out of cache memory.
- Cache EDNS Responses: Select Cache Extension Mechanisms for DNS (EDNS) Responses if you want the firewall to cache partial DNS responses that are greater than 512 bytes. If a subsequent FQDN for the cached entry arrives, the firewall sends the partial DNS response. Don't select this if you want to send DNS responses greater than 512 bytes.
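The resolution order from the DNS Proxy Overview and the Cache settings above (static entries, then the cache subject to TTL, then the matching proxy rule's primary and secondary servers, then the default servers), as an added example that is not Palo Alto Networks code. Suffix-based domain matching, the sample_upstream stand-in and all names and addresses are assumptions.

```python
"""Added example (not Palo Alto Networks code): the lookup order a DNS proxy
follows: Static Entries, then the cache (honouring Time to Live when set),
then the matching DNS Proxy Rule's servers, then the default servers. Domain
matching by name suffix is assumed; servers and names are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# (server, fqdn) -> answer addresses, or None if the server cannot be reached
Upstream = Callable[[str, str], Optional[List[str]]]


@dataclass
class ProxyRule:
    domains: List[str]     # Domain Name entries, e.g. ["corp.example"]
    servers: List[str]     # Primary, Secondary
    cache: bool = True     # "Turn on caching of domains resolved by this mapping"


@dataclass
class DnsProxy:
    default_servers: List[str]                       # default Primary/Secondary
    rules: List[ProxyRule] = field(default_factory=list)
    static_entries: Dict[str, List[str]] = field(default_factory=dict)  # FQDN -> Address list
    ttl: Optional[int] = None                        # Time to Live (sec); None = TTL disabled
    cache: Dict[str, Tuple[List[str], Optional[float]]] = field(default_factory=dict)

    @staticmethod
    def _norm(name: str) -> str:
        return name.rstrip(".").lower()

    def match_rule(self, fqdn: str) -> Optional[ProxyRule]:
        """First rule whose domain equals the FQDN or is a parent of it."""
        for rule in self.rules:
            for domain in rule.domains:
                d = self._norm(domain)
                if fqdn == d or fqdn.endswith("." + d):
                    return rule
        return None

    def resolve(self, name: str, upstream: Upstream, now: float) -> Tuple[Optional[List[str]], str]:
        """Return (addresses, source); source names the step that answered."""
        fqdn = self._norm(name)
        if fqdn in self.static_entries:       # every mapped address is returned
            return list(self.static_entries[fqdn]), "static"
        cached = self.cache.get(fqdn)
        if cached is not None:
            addrs, expiry = cached
            if expiry is None or expiry > now:
                return list(addrs), "cache"
            del self.cache[fqdn]              # TTL elapsed: resolve and cache again
        rule = self.match_rule(fqdn)
        servers, cacheable, label = (
            (rule.servers, rule.cache, "rule") if rule else (self.default_servers, True, "default"))
        for server in servers:                # secondary only if the primary cannot be reached
            answer = upstream(server, fqdn)
            if answer is not None:
                if cacheable:
                    self.cache[fqdn] = (answer, None if self.ttl is None else now + self.ttl)
                return list(answer), f"{label}:{server}"
        return None, "unresolved"


def sample_upstream(server: str, fqdn: str) -> Optional[List[str]]:
    """Constructed stand-in for real servers: the corporate primary is down,
    the corporate secondary knows host.corp.example, and the ISP primary
    knows www.example.net."""
    if server == "10.0.0.53":
        return None
    table = {("10.0.0.54", "host.corp.example"): ["10.2.2.2"],
             ("203.0.113.53", "www.example.net"): ["198.51.100.7"]}
    return table.get((server, fqdn))


def demo() -> List[Tuple[Optional[List[str]], str]]:
    """One proxy with a corporate rule, a static printer entry and a 60 s TTL."""
    proxy = DnsProxy(default_servers=["203.0.113.53", "203.0.113.54"],
                     rules=[ProxyRule(["corp.example"], ["10.0.0.53", "10.0.0.54"])],
                     static_entries={"printer.corp.example": ["10.1.1.9", "10.1.1.10"]},
                     ttl=60)
    return [proxy.resolve("printer.corp.example", sample_upstream, now=0),  # static entry
            proxy.resolve("host.corp.example", sample_upstream, now=0),     # rule, secondary
            proxy.resolve("host.corp.example", sample_upstream, now=30),    # served from cache
            proxy.resolve("host.corp.example", sample_upstream, now=61),    # TTL expired
            proxy.resolve("www.example.net", sample_upstream, now=0)]       # default server
```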

Additional DNS Proxy Actions

After configuring the firewall as a DNS Proxy, you can perform the following actions on the Network > DNS Proxy page to manage DNS proxy configurations:
- Modify: To modify a DNS proxy, click into the name of the DNS proxy configuration.
- Delete: Select a DNS proxy entry and click Delete to remove the DNS proxy configuration.
- Disable: To disable a DNS proxy, click into the name of the DNS proxy entry and clear the Enable option. To enable a DNS proxy that is disabled, click into the name of the DNS proxy entry and select Enable.


Network > QoS

What are you looking for? See:

Set bandwidth limits for an interface and enforce QoS for traffic exiting an interface. QoS Interface Settings
Monitor traffic exiting a QoS-enabled interface. QoS Interface Statistics
Looking for more? See Quality of Service for complete QoS workflows, concepts and use cases. Select Policies > QoS to assign matched traffic a QoS class, or select Network > Network Profiles > QoS to define bandwidth limits and priority for up to eight QoS classes.

QoS Interface Settings

Enable QoS on an interface to set bandwidth limits for the interface and/or to enable the interface to enforce QoS for egress traffic. Enabling a QoS interface includes attaching a QoS profile to the interface. QoS is supported on physical interfaces and, depending on firewall model, QoS is also supported on subinterfaces and Aggregate Ethernet (AE) interfaces. See the Palo Alto Networks product comparison tool to view QoS feature support for your firewall model.
To get started, Add or modify a QoS Interface, and then configure settings as described in the following table.

QoS Interface Settings (Configured In): Description

Interface Name (QoS Interface > Physical Interface): Select the firewall interface on which to enable QoS.
Egress Max (Mbps) (QoS Interface > Physical Interface): Enter the limit on traffic leaving the firewall through this interface. Though this is not a required field, we recommend always defining the Egress Max value for a QoS interface.
Turn on QoS feature on this interface (QoS Interface > Physical Interface): Select to enable QoS on the selected interface.
Clear Text / Tunnel Interface (QoS Interface > Physical Interface > Default Profile): Select the default QoS profiles for clear text and for tunneled traffic. You must specify a default profile for each. For clear text traffic, the default profile applies to all clear text traffic as an aggregate. For tunneled traffic, the default profile is applied individually to each tunnel that does not have a specific profile assignment in the detailed configuration section. For instructions on defining QoS profiles, refer to Network > Network Profiles > QoS.


Egress Guaranteed (Mbps) (QoS Interface > Clear Text Traffic / Tunneled Traffic): Enter the bandwidth that is guaranteed for clear text or tunneled traffic from this interface.
Egress Max (Mbps) (QoS Interface > Clear Text Traffic / Tunneled Traffic): Enter the limit on clear text or tunneled traffic leaving the firewall through this interface.
Add (QoS Interface > Clear Text Traffic / Tunneled Traffic): Click Add on the Clear Text Traffic tab to define additional granularity to the treatment of clear text traffic. Click individual entries to configure the following settings:
- Name: Enter a name to identify these settings.
- QoS Profile: Select the QoS profile to apply to the specified interface and subnet. For instructions on defining QoS profiles, refer to Network > Network Profiles > QoS.
- Source Interface: Select the firewall interface.
- Source Subnet: Select a subnet to restrict the settings to traffic coming from that source, or keep the default any to apply the settings to any traffic from the specified interface.
Click Add from the Tunneled Traffic tab to override the default profile assignment for specific tunnels and configure the following settings:
- Tunnel Interface: Select the tunnel interface on the firewall.
- QoS Profile: Select the QoS profile to apply to the specified tunnel interface.
For example, assume a configuration with two sites, one of which has a 45 Mbps connection and the other a T1 connection to the firewall. You can apply restrictive QoS settings to the T1 site so that the connection is not overloaded while also allowing more flexible settings for the site with the 45 Mbps connection.
To remove a clear text or tunneled traffic entry, clear the entry and click Delete.
If the clear text or tunneled traffic sections are left blank, the values specified in the Physical Interface tab's Default Profile section are used.


QoS Interface Statistics

Network > QoS > Statistics
For a QoS interface, select Statistics to view bandwidth, session, and application information for configured QoS interfaces.

QoS Statistics: Description

Bandwidth: Shows the real-time bandwidth charts for the selected node and classes. This information is updated every two seconds. The QoS Egress Max and Egress Guaranteed limitations configured for the QoS classes might be shown with a slightly different value in the QoS statistics screen. This is normal behavior and is due to how the hardware engine summarizes bandwidth limits and counters. There is no operation concern as the bandwidth utilization graphs display the real-time values and quantities.
Applications: Lists all active applications for the selected QoS node and/or class.
Source Users: Lists all the active source users for the selected QoS node and/or class.
Destination Users: Lists all the active destination users for the selected QoS node and/or class.
Security Rules: Lists the security rules matched to and enforcing the selected QoS node and/or class.
QoS Rules: Lists the QoS rules matched to and enforcing the selected QoS node and/or class.


Network > LLDP

Link Layer Discovery Protocol (LLDP) provides an automatic method of discovering neighboring devices and their capabilities at the Link Layer.
LLDP allows the firewall to send and receive Ethernet frames containing LLDP data units (LLDPDUs) to and from neighbors. The receiving device stores the information in a MIB, which can be accessed by the Simple Network Management Protocol (SNMP). LLDP enables network devices to map their network topology and learn capabilities of the connected devices, which makes troubleshooting easier, especially for virtual wire deployments where the firewall would typically go undetected in a network topology.

What are you looking for? See:

Configure LLDP. Building Blocks of LLDP
Configure an LLDP profile. Network > Network Profiles > LLDP Profile
Looking for more? LLDP

Building Blocks of LLDP

To enable LLDP on the firewall, click Edit, click Enable, and optionally configure the four settings shown in the following table, if the default settings do not suit your environment. The remaining table entries describe the status and peer statistics.

LLDP Settings (Configured In): Description

Transmit Interval (sec) (LLDP General): Specify the interval, in seconds, at which LLDPDUs are transmitted (range is 1-3,600; default is 30).
Transmit Delay (sec) (LLDP General): Specify the delay time, in seconds, between LLDP transmissions sent after a change is made in a Type-Length-Value (TLV) element. The delay helps to prevent flooding the segment with LLDPDUs if many network changes spike the number of LLDP changes or if the interface flaps. The Transmit Delay must be less than the Transmit Interval (range is 1-600; default is 2).
Hold Time Multiple (LLDP General): Specify a value that is multiplied by the Transmit Interval to determine the total TTL hold time (range is 1-100; default is 4). The TTL hold time is the length of time the firewall will retain the information from the peer as valid. The maximum TTL hold time is 65,535 seconds, regardless of the multiplier value.
Notification Interval (LLDP General): Specify the interval, in seconds, at which syslog and SNMP Trap notifications are transmitted when MIB changes occur (range is 1-3,600; default is 5).


spyglass filter (LLDP > Status): Optionally enter a data value in the filter row and click the gray arrow, which causes only the rows that include that data value to be displayed. Click the red X to Clear Filter.
Interface (LLDP > Status): Name of the interfaces that have LLDP profiles assigned to them.
LLDP (LLDP > Status): LLDP status: enabled or disabled.
Mode (LLDP > Status): LLDP mode of the interface: Tx/Rx, Tx Only, or Rx Only.
Profile (LLDP > Status): Name of the profile assigned to the interface.
Total Transmitted (LLDP > Status): Count of LLDPDUs transmitted out the interface.
Dropped Transmit (LLDP > Status): Count of LLDPDUs that were not transmitted out the interface because of an error. For example, a length error when the system is constructing an LLDPDU for transmission.
Total Received (LLDP > Status): Count of LLDP frames received on the interface.
Dropped TLV (LLDP > Status): Count of LLDP frames discarded upon receipt.
Errors (LLDP > Status): Count of Type-Length-Value (TLV) elements that were received on the interface and contained errors. Types of TLV errors include: one or more mandatory TLVs missing, out of order, containing out-of-range information, or length error.
Unrecognized (LLDP > Status): Count of TLVs received on the interface that are not recognized by the LLDP local agent, for example, because the TLV type is in the reserved TLV range.
Aged Out (LLDP > Status): Count of items deleted from the Receive MIB due to proper TTL expiration.
Clear LLDP Statistics (LLDP > Status): Select to clear all of the LLDP statistics.
spyglass filter (LLDP > Peers): Optionally enter a data value in the filter row and click the gray arrow, which causes only the rows that include that data value to be displayed. Click the red X to Clear Filter.
Local Interface (LLDP > Peers): Interface on the firewall that detected the neighboring device.
Remote Chassis ID (LLDP > Peers): Chassis ID of the peer; the MAC address is used.


Port ID (LLDP > Peers): Port ID of the peer.
Name (LLDP > Peers): Name of the peer.
More Info (LLDP > Peers): Click More Info to see Remote Peer Details, which are based on the Mandatory and Optional TLVs.
- Chassis Type: Chassis Type is MAC address.
- MAC Address: MAC address of the peer.
- System Name: Name of the peer.
- System Description: Description of the peer.
- Port Description: Port description of the peer.
- Port Type: Interface name.
- Port ID: Firewall uses the ifname of the interface.
- System Capabilities: Capabilities of the system. O=Other, P=Repeater, B=Bridge, W=Wireless LAN, R=Router, T=Telephone.
- Enabled Capabilities: Capabilities enabled on the peer.
- Management Address: Management address of the peer.


Network > Network Profiles

Network > Network Profiles > GlobalProtect IPSec Crypto
Network > Network Profiles > IKE Gateways
Network > Network Profiles > IPSec Crypto
Network > Network Profiles > IKE Crypto
Network > Network Profiles > Interface Mgmt
Network > Network Profiles > Monitor
Network > Network Profiles > Zone Protection
Network > Network Profiles > LLDP Profile
Network > Network Profiles > BFD Profile
Network > Network Profiles > QoS


Network > Network Profiles > GlobalProtect IPSec Crypto

Use the GlobalProtect IPSec Crypto Profiles page to specify algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway and clients. The order in which you add algorithms is the order in which the firewall applies them, and can affect tunnel security and performance. To change the order, select an algorithm and Move Up or Move Down.

For VPN tunnels between GlobalProtect gateways and satellites (firewalls), see Network > Network Profiles > IPSec Crypto.

GlobalProtect IPSec Crypto Profile Settings

Name: Enter a name to identify the profile. The name is case-sensitive, must be unique, and can have up to 31 characters. Use only letters, numbers, spaces, hyphens, and underscores.
Encryption: Click Add and select the desired encryption algorithms. For highest security, change the order (top to bottom) to: aes-256-gcm, aes-128-gcm, aes-128-cbc.
Authentication: Click Add and select the authentication algorithm. Currently, the only option is sha1.


Network > Network Profiles > IKE Gateways

Use this page to manage or define a gateway, including the configuration information necessary to perform Internet Key Exchange (IKE) protocol negotiation with a peer gateway. This is the Phase 1 portion of the IKE/IPSec VPN setup.
To manage, configure, restart, or refresh an IKE gateway, see the following:
- IKE Gateway Management
- IKE Gateway General Tab
- IKE Gateway Advanced Options Tab
- IKE Gateway Restart or Refresh

IKE Gateway Management

Network > Network Profiles > IKE Gateways
The following table describes how to manage your IKE gateways.

Manage IKE Gateways: Description

Add: To create a new IKE gateway, click Add. See IKE Gateway General Tab and IKE Gateway Advanced Options Tab for instructions on configuring the new gateway.
Delete: To delete a gateway, select the gateway and click Delete.
Enable: To enable a gateway that has been disabled, select the gateway and click Enable, which is the default setting for a gateway.
Disable: To disable a gateway, select the gateway and click Disable.


IKE Gateway General Tab

Network > Network Profiles > IKE Gateways > General
The following table describes the beginning steps for how to configure an IKE gateway. IKE is Phase 1 of the IKE/IPSec VPN process. After performing these steps, see IKE Gateway Advanced Options Tab.

IKE Gateway General Settings: Description

Name: Enter a Name to identify the gateway (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Version: Select the IKE version that the gateway supports and must agree to use with the peer gateway: IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode. IKEv2 preferred mode causes the gateway to negotiate for IKEv2, and if the peer also supports IKEv2, that is what they will use. Otherwise, the gateway falls back to IKEv1.
IPv4/IPv6: Select the type of IP address the gateway uses.
Interface: Specify the outgoing firewall interface to the VPN tunnel.
Local IP Address: Select or enter the IP address for the local interface that is the endpoint of the tunnel.
Peer IP Type: Select Static or Dynamic for the peer on the far end of the tunnel.
Peer IP Address: If Static is selected for Peer IP Type, specify the IP address of the peer on the remote end of the tunnel.
Authentication: Select the type of Authentication, Pre-Shared Key or Certificate, that will occur with the peer gateway. Depending on the selection, see Pre-Shared Key Fields or Certificate Fields.

Pre-Shared Key Fields

Pre-Shared Key / Confirm Pre-Shared Key: If you select Pre-Shared Key, enter a single security key to use for symmetric authentication across the tunnel. The Pre-Shared Key value is a string that the administrator creates. Use a maximum of 255 ASCII or non-ASCII characters. Generate a key that is difficult to crack with dictionary attacks; use a pre-shared key generator, if necessary.
Local Identification: Defines the format and identification of the local gateway, which are used with the pre-shared key for both IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one of the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). If no value is specified, the local IP address will be used as the Local Identification value.
Peer Identification: Defines the type and identification of the peer gateway, which are used with the pre-shared key during IKEv1 phase 1 SA and IKEv2 SA establishment. Choose one of the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). If no value is specified, the peer's IP address will be used as the Peer Identification value.


Certificate Fields

Local Certificate: If Certificate is selected as the Authentication type, from the drop-down, select a certificate that is already on the firewall. Alternatively, you could Import a certificate, or Generate a new certificate, as follows:
Import:
- Certificate Name: Enter a name for the certificate you are importing.
- Shared: Click if this certificate is to be shared among multiple virtual systems.
- Certificate File: Click Browse to navigate to the location where the certificate file is located. Click on the file and select Open.
- File Format: Select one of the following:
  - Base64 Encoded Certificate (PEM): Contains the certificate, but not the key. Clear text.
  - Encrypted Private Key and Certificate (PKCS12): Contains both the certificate and the key.
- Private key resides on Hardware Security Module: Click if the firewall is a client of an HSM server where the key resides.
- Import private key: Click if a private key is to be imported because it is in a different file from the certificate file.
- Key File: Browse and navigate to the key file to import. This entry applies if you chose PEM as the File Format.
- Passphrase and Confirm Passphrase: Enter to access the key.
Generate:
- Certificate Name: Enter a name for the certificate you are creating.
- Common Name: Enter the common name, which is the IP address or FQDN to appear on the certificate.
- Shared: Click if this certificate is to be shared among multiple virtual systems.
- Signed By: Select External Authority (CSR) or enter the firewall IP address. This entry must be a CA.
- Certificate Authority: Click if the firewall is the root CA.
- OCSP Responder: Enter the OCSP responder that tracks whether the certificate is valid or revoked.
- Algorithm: Select RSA or Elliptic Curve DSA to generate the key for the certificate.
- Number of Bits: Select 512, 1024, 2048, or 3072 as the number of bits in the key.
- Digest: Select md5, sha1, sha256, sha384, or sha512 as the digest (hash) algorithm for the certificate.
- Expiration (days): Enter the number of days that the certificate is valid.
- Certificate Attributes: Type: Optionally select additional attribute types from the drop-down to be in the certificate. Value: Enter a value for the attribute.


HTTP Certificate Exchange    Click HTTP Certificate Exchange and enter the Certificate URL in order to use the Hash and URL method to notify the peer where to fetch the certificate. The Certificate URL is the URL of the remote server where you have stored your certificate.
    If the peer indicates that it too supports Hash and URL, certificates are exchanged through the SHA1 Hash and URL exchange.
    When the peer receives the IKE certificate payload, it sees the HTTP URL, and fetches the certificate from that server. It will use the hash specified in the certificate payload to check the certificates downloaded from the HTTP server.

Local Identification    Identifies how the local peer is identified in the certificate. Choose one of the following types and enter the value: Distinguished Name (Subject), FQDN (hostname), IP address, or User FQDN (email address).

Peer Identification    Identifies how the remote peer is identified in the certificate. Choose one of the following types and enter the value: Distinguished Name (Subject), FQDN (hostname), IP address, or User FQDN (email address).

Peer ID Check    Select Exact or Wildcard. This setting applies to the Peer Identification that is being examined to validate the certificate. Suppose the Peer Identification was a Name equal to domain.com. If you select Exact and the name of the certificate in the IKE ID payload is mail.domain2.com, the IKE negotiation will fail. But if you selected Wildcard, any character in the Name string before the wildcard asterisk (*) must match and any character after the wildcard can differ.

Permit peer identification and certificate payload identification mismatch    Select if you want the flexibility of having a successful IKE SA even though the peer identification does not match the certificate payload.

Certificate Profile    Select a profile or create a new Certificate Profile that configures the certificate options that apply to the certificate the local gateway sends to the peer gateway. See Device > Certificate Management > Certificate Profile.

Enable strict validation of peer's extended key use    Select if you want to strictly control how the key can be used.


IKE Gateway Advanced Options Tab

Network > Network Profiles > IKE Gateways > Advanced Options
Configure advanced IKE gateway settings such as passive mode, NAT Traversal, and IKEv1 settings such as dead peer detection.

IKE Gateway Advanced Options    Description

Enable Passive Mode    Click to have the firewall only respond to IKE connections and never initiate them.

Enable NAT Traversal    Click to have UDP encapsulation used on IKE and UDP protocols, enabling them to pass through intermediate NAT devices.
    Enable NAT Traversal if Network Address Translation (NAT) is configured on a device between the IPSec VPN terminating points.

IKEv1 Tab

Exchange Mode    Choose auto, aggressive, or main. In auto mode (default), the device can accept both main mode and aggressive mode negotiation requests; however, whenever possible, it initiates negotiation and allows exchanges in main mode. You must configure the peer device with the same exchange mode to allow it to accept negotiation requests initiated from the first device.

IKE Crypto Profile    Select an existing profile, keep the default profile, or create a new profile. The profiles selected for IKEv1 and IKEv2 can differ.
    For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto.

Enable Fragmentation    Click to allow the local gateway to receive fragmented IKE packets. The maximum fragmented packet size is 576 bytes.

Dead Peer Detection    Click to enable and enter an interval (2-100 seconds) and delay before retrying (2-100 seconds). Dead peer detection identifies inactive or unavailable IKE peers and can help restore resources that are lost when a peer is unavailable.


IKEv2 Tab

IKE Crypto Profile    Select an existing profile, keep the default profile, or create a new profile. The profiles selected for IKEv1 and IKEv2 can differ.
    For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto.

Strict Cookie Validation    Click to enable Strict Cookie Validation on the IKE gateway.
    When you enable Strict Cookie Validation, IKEv2 cookie validation is always enforced; the initiator must send an IKE_SA_INIT containing a cookie.
    When you disable Strict Cookie Validation (default), the system will check the number of half-open SAs against the global Cookie Activation Threshold, which is a VPN Sessions setting. If the number of half-open SAs exceeds the Cookie Activation Threshold, the initiator must send an IKE_SA_INIT containing a cookie.

Liveness Check    The IKEv2 Liveness Check is always on; all IKEv2 packets serve the purpose of a liveness check. Click this box to have the system send empty informational packets after the peer has been idle for a specified number of seconds. Range: 2-100. Default: 5.
    If necessary, the side that is trying to send IKEv2 packets attempts the liveness check up to 10 times (all IKEv2 packets count toward the retransmission setting). If it gets no response, the sender closes and deletes the IKE_SA and CHILD_SA. The sender starts over by sending out another IKE_SA_INIT.

IKE Gateway Restart or Refresh

Network > IPSec Tunnels
Select Network > IPSec Tunnels to display status of tunnels. In the second Status column is a link to the IKE Info. Click the gateway you want to restart or refresh. The IKE Info page opens. Click one of the entries in the list and click:
- Restart: Restarts the selected gateway. A restart will disrupt traffic going across the tunnel. The restart behaviors for IKEv1 and IKEv2 are different, as follows:
  - IKEv1: You can restart (clear) a Phase 1 SA or Phase 2 SA independently and only that SA is affected.
  - IKEv2: Causes all child SAs (IPSec tunnels) to be cleared when the IKEv2 SA is restarted.
    If you restart the IKEv2 SA, all underlying IPSec tunnels are also cleared.
    If you restart the IPSec Tunnel (child SA) associated with an IKEv2 SA, the restart will not affect the IKEv2 SA.
- Refresh: Shows the current IKE SA status.


Network > Network Profiles > IPSec Crypto

Select Network > Network Profiles > IPSec Crypto to configure IPSec Crypto profiles that specify protocols and algorithms for authentication and encryption in VPN tunnels based on IPSec SA negotiation (Phase 2).

For VPN tunnels between GlobalProtect gateways and clients, see Network > Network Profiles > GlobalProtect IPSec Crypto.

IPSec Crypto Profile Settings    Description

Name    Enter a Name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

IPSec Protocol    Select a protocol for securing data that traverses the VPN tunnel:
- ESP: Encapsulating Security Payload protocol encrypts the data, authenticates the source, and verifies data integrity.
- AH: Authentication Header protocol authenticates the source and verifies data integrity.

Encryption (ESP protocol only)    Click Add and select the desired encryption algorithms. For highest security, use Move Up and Move Down to change the order (top to bottom) to the following: aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the VM-Series firewall doesn't support this option), aes-128-cbc, 3des, and des. You can also select null (no encryption).

Authentication    Click Add and select the desired authentication algorithms. For highest security, use Move Up and Move Down to change the order (top to bottom) to the following: sha512, sha384, sha256, sha1, md5. If the IPSec Protocol is ESP, you can also select none (no authentication).

DH Group    Select the Diffie-Hellman (DH) group for Internet Key Exchange (IKE): group1, group2, group5, group14, group19, or group20. For highest security, choose the group with the highest number. If you don't want to renew the key that the firewall creates during IKE phase 1, select no-pfs (no perfect forward secrecy): the firewall reuses the current key for the IPSec security association (SA) negotiations.

Lifetime    Select units and enter the length of time (default is one hour) that the negotiated key will stay effective.

Lifesize    Select optional units and enter the amount of data that the key can use for encryption.


Network > Network Profiles > IKE Crypto

Use the IKE Crypto Profiles page to specify protocols and algorithms for identification, authentication, and encryption (IKEv1 or IKEv2, Phase 1).
To change the order in which an algorithm or group is listed, select the item and then click Move Up or Move Down. The order determines the first choice when settings are negotiated with a remote peer. The setting at the top of the list is attempted first, continuing down the list until an attempt is successful.

IKE Crypto Profile Settings    Description

Name    Enter a name for the profile.

DH Group    Specify the priority for Diffie-Hellman (DH) groups. Click Add and select groups: group1, group2, group5, group14, group19, or group20. For highest security, select an item and then click Move Up or Move Down to move the groups with higher numeric identifiers to the top of the list. For example, move group14 above group2.

Authentication    Specify the priority for hash algorithms. Click Add and select algorithms. For highest security, select an item and then click Move Up or Move Down to change the order (top to bottom) to the following: sha512, sha384, sha256, sha1, md5.

Encryption    Select the appropriate Encapsulating Security Payload (ESP) authentication options. Click Add and select algorithms. For highest security, select an item and then click Move Up or Move Down to change the order (top to bottom) to the following: aes-256-cbc, aes-192-cbc, aes-128-cbc, 3des, des.

Key Lifetime    Select unit of time and enter the length of time that the negotiated IKE Phase 1 key will be effective (default is 8 hours).
- IKEv2: Before the key lifetime expires, the SA must be rekeyed or else, upon expiration, the SA must begin a new Phase 1 key negotiation.
- IKEv1: Will not actively do a Phase 1 rekey before expiration. Only when the IKEv1 IPSec SA expires will it trigger IKEv1 Phase 1 rekey.

IKEv2 Authentication Multiple    Specify a value (range is 0-50; default is 0) that is multiplied by the Key Lifetime to determine the authentication count. The authentication count is the number of times that the gateway can perform IKEv2 IKE SA rekey before the gateway must start over with IKEv2 re-authentication. A value of 0 disables the re-authentication feature.


Network > Network Profiles > Interface Mgmt

An Interface Management profile protects the firewall from unauthorized access by defining the services and IP addresses that a firewall interface permits. You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). To assign an Interface Management profile, see Network > Interfaces.

Field    Description

Name    Enter a profile name (up to 31 characters). This name appears in the list of Interface Management profiles when configuring interfaces. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Permitted Services
- Ping: Use to test connectivity with external services. For example, you can ping the interface to verify it can receive PAN-OS software and content updates from the Palo Alto Networks Update Server.
- Telnet: Use to access the firewall CLI. Telnet uses plaintext, which is not as secure as SSH.
    Enable SSH instead of Telnet for management traffic on the interface.
- SSH: Use for secure access to the firewall CLI.
- HTTP: Use to access the firewall web interface. HTTP uses plaintext, which is not as secure as HTTPS.
    Enable HTTPS instead of HTTP for management traffic on the interface.
- HTTP OCSP: Use to configure the firewall as an Online Certificate Status Protocol (OCSP) responder. For details, see Device > Certificate Management > OCSP Responder.
- HTTPS: Use for secure access to the firewall web interface.
- SNMP: Use to process firewall statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
- Response Pages: Use to enable response pages for:
  - Captive Portal: The ports used to serve Captive Portal response pages are left open on Layer 3 interfaces: port 6080 for NTLM, 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode. For details, see Device > User Identification > Captive Portal Settings.
  - URL Admin Override: For details, see Device > Setup > Content-ID.
- User-ID: Use to Enable Redistribution of User Mappings Among Firewalls.
- User-ID Syslog Listener-SSL: Use to allow the PAN-OS integrated User-ID agent to collect syslog messages over SSL. For details, see Configure Access to Monitored Servers.
- User-ID Syslog Listener-UDP: Use to allow the PAN-OS integrated User-ID agent to collect syslog messages over UDP. For details, see Configure Access to Monitored Servers.

Permitted IP Addresses    Enter the list of IPv4 or IPv6 addresses from which the interface allows access.


Network > Network Profiles > Monitor

A monitor profile is used to monitor IPSec tunnels and to monitor a next-hop device for policy-based forwarding (PBF) rules. In both cases, the monitor profile is used to specify an action to take when a resource (IPSec tunnel or next-hop device) becomes unavailable. Monitor profiles are optional, but can be very useful for maintaining connectivity between sites and to ensure that PBF rules are maintained. The following settings are used to configure a monitor profile.

Field    Description

Name    Enter a name to identify the monitor profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Action    Specify an action to take if the tunnel is not available. If the threshold number of heartbeats is lost, the firewall takes the specified action.
- wait-recover: Wait for the tunnel to recover; do not take additional action. Packets will continue to be sent according to the PBF rule.
- fail-over: Traffic will fail over to a backup path, if one is available. The firewall uses routing table lookup to determine routing for the duration of this session.
    In both cases, the firewall tries to negotiate new IPSec keys to accelerate the recovery.

Interval    Specify the time between heartbeats (range is 2-10; default is 3).

Threshold    Specify the number of heartbeats to be lost before the firewall takes the specified action (range is 2-10; default is 5).


Network > Network Profiles > Zone Protection

A Zone Protection profile applied to a zone offers protection against most common floods, reconnaissance attacks, other packet-based attacks, and the use of non-IP protocols. It is designed to provide broad-based protection at the ingress zone (that is, the zone where traffic enters the firewall) and is not designed to protect a specific end host or traffic going to a particular destination zone. You can attach one zone protection profile to a zone.
To augment zone protection capabilities on the firewall, configure a DoS Protection policy (Policies > DoS Protection) to match on a specific zone, interface, IP address, or user.

Zone protection is enforced only when there is no session match for the packet because zone protection is based on new connections per second (cps), not on packets per second (pps). If the packet matches an existing session, it will bypass the zone protection setting.

What are you looking for?    See:

How do I create a Zone Protection profile?    Building Blocks of Zone Protection Profiles
    Flood Protection
    Reconnaissance Protection
    Packet Based Attack Protection
    Protocol Protection

Building Blocks of Zone Protection Profiles

To create a Zone Protection profile, Add one and give it a name.

Zone Protection Profile Settings    Configured In    Description

Name    Network > Network Profiles > Zone Protection    Enter a profile name (up to 31 characters). This name appears in the list of Zone Protection profiles when configuring zones. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, and underscores.

Description    Network > Network Profiles > Zone Protection    Enter an optional description for the Zone Protection profile.

Continue to create the Zone Protection profile by configuring any combination of settings based on what types of protection your zone needs:
- Flood Protection
- Reconnaissance Protection
- Packet Based Attack Protection
- Protocol Protection

If you have a multi-virtual system environment, and have enabled the following:
- External zones to enable inter-virtual system communication
- Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications
the following Zone and DoS protection mechanisms will be disabled on the external zone:
- SYN cookies
- IP fragmentation
- ICMPv6
To enable IP fragmentation and ICMPv6 protection for the shared gateway, you must create a separate Zone Protection profile for the shared gateway.
To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Drop or SYN cookies; on an external zone, only Random Early Drop is available for SYN Flood protection.


Flood Protection

Network > Network Profiles > Zone Protection > Flood Protection
Configure a profile that provides flood protection against SYN, ICMP, ICMPv6, and UDP packets, as well as protection against flooding from other types of IP packets.

Zone Protection Profile Settings: Flood Protection    Description
(Configured In: Network > Network Profiles > Zone Protection > Flood Protection)

SYN    Select to enable protection against SYN floods.

Action    Select the action to take in response to a SYN flood attack.
- Random Early Drop: Causes SYN packets to be dropped to mitigate a flood attack:
  - When the flow exceeds the Alert rate threshold, an alarm is generated.
  - When the flow exceeds the Activate rate threshold, the firewall drops individual SYN packets randomly to restrict the flow.
  - When the flow exceeds the Maximum rate threshold, 100% of incoming SYN packets are dropped.
- SYN Cookies: Causes the firewall to act like a proxy, intercept the SYN, generate a cookie on behalf of the server to which the SYN was directed, and send a SYN-ACK with the cookie to the original source. Only when the source returns an ACK with the cookie to the firewall does the firewall consider the source valid and forward the SYN to the server. This is the preferred Action.

Alarm Rate (connections/sec)    Enter the number of SYN packets (not matching an existing session) the zone receives per second that triggers an alarm. You can view alarms on the Dashboard and in the threat log (Monitor > Packet Capture).

Activate (connections/sec)    Enter the number of SYN packets (not matching an existing session) that the zone receives per second that triggers the Action specified in this Zone Protection profile. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the SYN packets if the incoming rate drops below the Activate threshold.

Maximum (connections/sec)    Enter the maximum number of SYN packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.


ICMP    Select to enable protection against ICMP floods.

Alarm Rate (connections/sec)    Enter the number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.

Activate (connections/sec)    Enter the number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the ICMP packets if the incoming rate drops below the Activate threshold.

Maximum (connections/sec)    Enter the maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

ICMPv6    Select to enable protection against ICMPv6 floods.

Alarm Rate (connections/sec)    Enter the number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.

Activate (connections/sec)    Enter the number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the ICMPv6 packets if the incoming rate drops below the Activate threshold.

Maximum (connections/sec)    Enter the maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

UDP    Select to enable protection against UDP floods.

Alarm Rate (connections/sec)    Enter the number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.

Activate (connections/sec)    Enter the number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the UDP packets if the incoming rate drops below the Activate threshold.

Maximum (connections/sec)    Enter the maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.

Other IP    Select to enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, and non-UDP) floods.

Alarm Rate (connections/sec)    Enter the number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP packets) (not matching an existing session) the zone receives per second that triggers an attack alarm.


Activate (connections/sec)    Enter the number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP packets) (not matching an existing session) the zone receives per second that triggers random dropping of other IP packets. The firewall uses an algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the Other IP packets if the incoming rate drops below the Activate threshold.

Maximum (connections/sec)    Enter the maximum number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP packets) (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.
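The three thresholds above (Alarm Rate, Activate, Maximum) work the same way for SYN, ICMP, ICMPv6, UDP and Other IP floods. The following model is an added example, not PAN-OS code: it applies the documented Random Early Drop behaviour to a constructed series of per-second new-connection counts. The linear drop ramp between Activate and Maximum is an assumption; the guide only says the firewall drops progressively more packets as the rate rises.

```python
"""Model of the Flood Protection thresholds (added example, not PAN-OS code).

Behaviour reproduced from the guide for one protected packet type:
  - an alarm once the rate reaches the Alarm Rate,
  - progressive random dropping once the rate reaches Activate,
  - 100% drop at or above Maximum,
  - dropping stops again when the rate falls below Activate.
Rates are new connections per second (cps) that matched no existing session.
The linear ramp between Activate and Maximum is an assumption for illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodThresholds:
    alarm: int      # cps that raises an alarm (Alarm Rate)
    activate: int   # cps at which the Action (Random Early Drop) begins
    maximum: int    # cps at or above which every new-session packet is dropped

    def __post_init__(self) -> None:
        if not 0 < self.alarm <= self.activate <= self.maximum:
            raise ValueError("expected 0 < alarm <= activate <= maximum")

    def drop_probability(self, cps: int) -> float:
        """Fraction of new-session packets to drop at a given rate."""
        if cps < self.activate:
            return 0.0
        if cps >= self.maximum:
            return 1.0
        # Assumed linear ramp: 0% at Activate rising to 100% at Maximum.
        return (cps - self.activate) / (self.maximum - self.activate)

    def evaluate_second(self, cps: int) -> dict:
        """Decisions for one second of traffic arriving at the given rate."""
        return {
            "cps": cps,
            "alarm": cps >= self.alarm,
            "action": cps >= self.activate,
            "drop_probability": self.drop_probability(cps),
        }


def simulate(thresholds: FloodThresholds, rates: list, seed: int = 0) -> list:
    """Apply Random Early Drop second by second to a constructed rate series."""
    rng = random.Random(seed)
    results = []
    for cps in rates:
        r = thresholds.evaluate_second(cps)
        p = r["drop_probability"]
        # Each new-session packet is dropped independently with probability p.
        r["dropped"] = sum(1 for _ in range(cps) if rng.random() < p)
        r["forwarded"] = cps - r["dropped"]
        results.append(r)
    return results


if __name__ == "__main__":
    # Constructed SYN rate series: normal load, alarm, attack ramp, burst, recovery.
    t = FloodThresholds(alarm=10000, activate=15000, maximum=40000)
    series = [500, 12000, 20000, 45000, 9000]
    for r in simulate(t, series):
        print(f"{r['cps']:>6} cps  alarm={r['alarm']!s:5}  action={r['action']!s:5}  "
              f"p_drop={r['drop_probability']:.2f}  dropped={r['dropped']}")
```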


Reconnaissance Protection

Network > Network Profiles > Zone Protection > Reconnaissance Protection
The following settings define reconnaissance protection:

Zone Protection Profile Settings: Reconnaissance Protection    Description
(Configured In: Network > Network Profiles > Zone Protection > Reconnaissance Protection)

TCP Port Scan    Enable configures the profile to enable protection against TCP port scans.

UDP Port Scan    Enable configures the profile to enable protection against UDP port scans.

Host Sweep    Enable configures the profile to enable protection against host sweeps.

Action    Action that the system will take in response to the corresponding reconnaissance attempt:
- Allow: Permits the port scan or host sweep reconnaissance.
- Alert: Generates an alert for each port scan or host sweep that matches the threshold within the specified time interval (the default action).
- Block: Drops all subsequent packets from the source to the destination for the remainder of the specified time interval.
- Block IP: Drops all subsequent packets for the specified Duration, in seconds (range is 1-3,600). Track By determines whether to block source or source-and-destination traffic. For example, block attempts above the threshold number per interval that are from a single source (more stringent), or block attempts that have a source and destination pair (less stringent).

Interval (sec)    Time interval, in seconds, for TCP or UDP port scan detection (range is 2-65,535; default is 2).
    Time interval, in seconds, for host sweep detection (range is 2-65,535; default is 10).

Threshold (events)    Number of scanned port events or host sweep events within the specified time interval that triggers the Action (range is 2-65,535; default is 100).

Source Address Exclusion    IP addresses whitelisted from the reconnaissance protection. The list supports a maximum of 20 IP addresses or Netmask address objects.
- Name: Enter a descriptive name for the address to exclude.
- Address Type: Select IPv4 or IPv6 from the drop-down.
- Address: Select an address or address object from the drop-down or enter one manually.
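The Interval, Threshold, Action, Duration, Track By and Source Address Exclusion settings above interact when a port scan is evaluated. The following detector is an added example, not PAN-OS code: it runs those settings over constructed port-probe events so the effect of each Action and of the two Track By modes can be seen. The event layout and the sample addresses are constructed for illustration.

```python
"""Model of Reconnaissance Protection settings (added example, not PAN-OS code).

A probe event is (timestamp, source IP, destination IP, destination port).
Threshold counts probe events per Interval-second sliding window; Track By
'source' keys the count on the source alone (more stringent), while
'source-and-destination' keys it on the pair (less stringent). Source Address
Exclusion entries are never evaluated. Values are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network


class PortScanDetector:
    ACTIONS = ("allow", "alert", "block", "block-ip")

    def __init__(self, interval=2, threshold=100, action="alert",
                 duration=60, track_by="source", exclusions=()):
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if not 1 <= duration <= 3600:
            raise ValueError("Duration must be 1-3,600 seconds")
        self.interval, self.threshold = interval, threshold
        self.action, self.duration, self.track_by = action, duration, track_by
        self.exclusions = [ip_network(n) for n in exclusions]
        self.events = defaultdict(list)   # key -> timestamps of recent probes
        self.blocked_until = {}           # key -> time the block expires
        self.alerts = []                  # (timestamp, key, events in window)

    def _key(self, src, dst):
        return src if self.track_by == "source" else (src, dst)

    def observe(self, ts, src, dst, dport):
        """Return the verdict for one probe: 'allow', 'alert' or 'block'."""
        if any(ip_address(src) in net for net in self.exclusions):
            return "allow"                # whitelisted from recon protection
        key = self._key(src, dst)
        if key in self.blocked_until:
            if ts < self.blocked_until[key]:
                return "block"
            del self.blocked_until[key]   # block has expired
        # Keep only the events inside the sliding Interval window.
        window = [t for t in self.events[key] if ts - t < self.interval] + [ts]
        self.events[key] = window
        if len(window) < self.threshold:
            return "allow"
        # Threshold reached within the interval: apply the configured Action.
        if self.action == "allow":
            return "allow"
        self.alerts.append((ts, key, len(window)))
        if self.action == "alert":
            return "alert"
        if self.action == "block":
            # Drop further packets for the remainder of this interval.
            self.blocked_until[key] = window[0] + self.interval
        else:  # block-ip: drop for the configured Duration
            self.blocked_until[key] = ts + self.duration
        return "block"


def run_sample():
    """Constructed sample: one host probing 15 ports within one second."""
    det = PortScanDetector(interval=2, threshold=10, action="block-ip",
                           duration=600, track_by="source",
                           exclusions=["192.0.2.0/24"])   # constructed scanner exemption
    verdicts = [det.observe(100.0 + i * 0.05, "203.0.113.7", "10.0.0.5", 1000 + i)
                for i in range(15)]
    later = det.observe(400.0, "203.0.113.7", "10.0.0.9", 22)    # other host, still blocked
    excluded = det.observe(100.0, "192.0.2.10", "10.0.0.5", 22)  # exempt source
    return verdicts, later, excluded
```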


Packet Based Attack Protection

Network > Network Profiles > Zone Protection > Packet Based Attack Protection
You can configure Packet Based Attack protection to drop the following types of packets:
- IP Drop
- TCP Drop
- ICMP Drop
- IPv6 Drop
- ICMPv6 Drop


IP Drop

To instruct the firewall what to do with certain IP packets it receives in the zone, specify the following settings.

Zone Protection Profile Settings: Packet Based Attack Protection    Description
(Configured In: Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IP Drop)

Spoofed IP address    Discard packets with a spoofed IP address.

Strict IP Address Check    Discard packets with malformed source or destination IP addresses. For example, discard packets where the source or destination IP address is the same as the network interface address, is a broadcast address, a loopback address, a link-local address, an unspecified address, or is reserved for future use.
    For a firewall in Common Criteria (CC) mode, you can enable logging for discarded packets. On the firewall web interface, select Device > Log Settings. In the Manage Logs section, select Selective Audit and enable Packet Drop Logging.

Fragmented traffic    Discard fragmented IP packets.

IP Option Drop    Select the settings in this group to enable the firewall to drop packets containing these IP Options.

Strict Source Routing    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.

Loose Source Routing    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.

Timestamp    Discard packets with the Timestamp IP option set.

Record Route    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.

Security    Discard packets if the security option is defined.

Stream ID    Discard packets if the Stream ID option is defined.

Unknown    Discard packets if the class and number are unknown.

Malformed    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.


TCP Drop

To instruct the firewall what to do with certain TCP packets it receives in the zone, specify the following settings.

Zone Protection Profile Settings: Packet Based Attack Protection    Description
(Configured In: Network > Network Profiles > Zone Protection > Packet Based Attack Protection > TCP Drop)

Mismatched overlapping TCP segment    Attackers can construct connections with overlapping but different data in them to cause misinterpretation of the connection. Attackers can use IP spoofing and sequence number prediction to intercept a user's connection and inject their own data. Use this setting to report an overlap mismatch and drop the packet when segment data does not match in these scenarios:
- The segment is within another segment.
- The segment overlaps with part of another segment.
- The segment covers another segment.
    This protection mechanism uses sequence numbers to determine where packets reside within the TCP data stream.

Split Handshake    Prevent a TCP session from being established if the session establishment procedure does not use the well-known three-way handshake. A four-way or five-way split handshake or a simultaneous open session establishment procedure are examples of variations that would not be allowed.
    The Palo Alto Networks next-generation firewall correctly handles sessions and all Layer 7 processes for split handshake and simultaneous open session establishment without configuring Split Handshake. When this is configured for a zone protection profile and the profile is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard three-way handshake; the variations are not allowed.

TCP SYN with Data    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake. Enabled by default.

TCP SYN-ACK with Data    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake. Enabled by default.

Reject Non-SYN TCP    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:
- global: Use system-wide setting that is assigned through the CLI.
- yes: Reject non-SYN TCP.
- no: Accept non-SYN TCP.
    Allowing non-SYN TCP traffic may prevent file blocking policies from working as expected in cases where the client and/or server connection is not set after the block occurs.

Asymmetric Path    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:
- global: Use system-wide setting that is assigned through the CLI.
- drop: Drop packets that contain an asymmetric path.
- bypass: Bypass scanning on packets that contain an asymmetric path.

Strip TCP Options    Determine whether to strip the TCP Timestamp or TCP Fast Open option from TCP packets.


TCP Timestamp    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.

TCP Fast Open    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    When this is cleared (disabled), the TCP Fast Open option is allowed, which preserves the speed of a connection setup by including data delivery. This functions independently of the TCP SYN with Data and TCP SYN-ACK with Data. Disabled by default.

Multipath TCP (MPTCP) Options    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:
- no: Enable MPTCP support (do not strip the MPTCP option).
- yes: Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
- global (Default): Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet). You can review or adjust the global MPTCP setting using the following CLI command:
    set deviceconfig setting tcp strip-mptcp-option <yes|no>
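The Mismatched overlapping TCP segment setting in the TCP Drop table above classifies a segment as within, overlapping or covering an earlier one by sequence number and drops it when the shared bytes differ. The following reassembly check is an added example, not PAN-OS code: it performs that classification and comparison on constructed segments of an HTTP request. Segment layout and payloads are constructed, and 32-bit sequence-number wraparound is ignored.

```python
"""Mismatched overlapping TCP segment check (added example, not PAN-OS code).

Given the segments already accepted for one direction of a flow, a new
segment is classified relative to each earlier one by sequence number
(within / overlaps / covers / disjoint), the bytes in the shared range are
compared, and the segment is dropped when they differ. Payloads below are
constructed for illustration; sequence-number wraparound is not handled.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first payload byte
    data: bytes

    @property
    def end(self) -> int:
        return self.seq + len(self.data)   # one past the last payload byte


def relation(new: Segment, old: Segment) -> str:
    """How 'new' sits relative to 'old' in the TCP data stream."""
    if new.end <= old.seq or old.end <= new.seq:
        return "disjoint"
    if old.seq <= new.seq and new.end <= old.end:
        return "within"       # new lies inside old
    if new.seq <= old.seq and old.end <= new.end:
        return "covers"       # new spans all of old
    return "overlaps"         # partial overlap on one side


def overlap_mismatch(new: Segment, old: Segment):
    """Return (relation, True if the bytes in the shared range differ)."""
    rel = relation(new, old)
    if rel == "disjoint":
        return rel, False
    lo, hi = max(new.seq, old.seq), min(new.end, old.end)
    shared_new = new.data[lo - new.seq:hi - new.seq]
    shared_old = old.data[lo - old.seq:hi - old.seq]
    return rel, shared_new != shared_old


@dataclass
class FlowReassembler:
    """Accepts segments for one flow direction, dropping overlap mismatches."""
    accepted: list = field(default_factory=list)
    dropped: list = field(default_factory=list)   # (segment, relation)

    def inspect(self, new: Segment) -> str:
        for old in self.accepted:
            rel, mismatch = overlap_mismatch(new, old)
            if mismatch:
                self.dropped.append((new, rel))
                return f"drop:{rel}"      # report the mismatch and drop
        self.accepted.append(new)
        return "accept"


def run_sample():
    """Constructed HTTP request line followed by overlapping retransmissions."""
    flow = FlowReassembler()
    r = [flow.inspect(Segment(1000, b"GET /index.html "))]          # first copy
    r.append(flow.inspect(Segment(1004, b"/index")))                # within, same bytes
    r.append(flow.inspect(Segment(1004, b"/admin")))                # within, differs
    r.append(flow.inspect(Segment(1010, b".html HTTP/1.1\r\n")))    # overlaps, same bytes
    r.append(flow.inspect(Segment(996, b"XXXXGET /admin.html ")))   # covers, differs
    return r
```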


ICMP Drop

To instruct the firewall to drop certain ICMP packets it receives in the zone, select the following settings to enable them.

Zone Protection Profile Settings: Packet Based Attack Protection    Description
(Configured In: Network > Network Profiles > Zone Protection > Packet Based Attack Protection > ICMP Drop)

ICMP Ping ID 0    Discard packets if the ICMP ping packet has an identifier value of 0.

ICMP Fragment    Discard packets that consist of ICMP fragments.

ICMP Large Packet (>1024)    Discard ICMP packets that are larger than 1024 bytes.

Discard ICMP embedded with error message    Discard ICMP packets that are embedded with an error message.

Suppress ICMP TTL Expired Error    Stop sending ICMP TTL expired messages.

Suppress ICMP Frag Needed    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.


IPv6 Drop

To instruct the firewall to drop certain IPv6 packets it receives in the zone, select the following settings to enable them.

Zone Protection Profile Settings: Packet Based Attack Protection    Description
(Configured In: Network > Network Profiles > Zone Protection > Packet Based Attack Protection > IPv6 Drop)

Type 0 Routing Header    Discard IPv6 packets containing a Type 0 routing header. See RFC 5095 for Type 0 routing header information.

IPv4 compatible address    Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.

Anycast source address    Discard IPv6 packets that contain an anycast source address.

Needless fragment header    Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.

MTU in ICMP Packet Too Big less than 1280 bytes    Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.

Hop-by-Hop extension    Discard IPv6 packets that contain the Hop-by-Hop Options extension header.

Routing extension    Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.

Destination extension    Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.

Invalid IPv6 options in extension header    Discard IPv6 packets that contain invalid IPv6 options in an extension header.

Non-zero reserved field    Discard IPv6 packets that have a header with a reserved field not set to zero.

ICMPv6 Drop

To instruct the firewall what to do with certain ICMPv6 packets it receives in the zone, select the following settings to enable them. All of these settings are configured in Network > Network Profiles > Zone Protection > Packet Based Attack Protection > ICMPv6 Drop.

ICMPv6 destination unreachable - require explicit security rule match: Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.

ICMPv6 packet too big - require explicit security rule match: Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.

ICMPv6 time exceeded - require explicit security rule match: Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.

ICMPv6 parameter problem - require explicit security rule match: Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.

ICMPv6 redirect - require explicit security rule match: Require an explicit Security policy match for Redirect ICMPv6 messages, even when the message is associated with an existing session.

Protocol Protection

Network > Network Profiles > Zone Protection > Protocol Protection

The firewall normally allows non-IP protocols between Layer 2 zones and between virtual wire zones. Protocol protection allows you to control which non-IP protocols are allowed (include) or denied (exclude) between or within security zones on a Layer 2 VLAN or virtual wire. Examples of non-IP protocols include AppleTalk, Banyan VINES, Novell, NetBEUI, and Supervisory Control and Data Acquisition (SCADA) protocols such as Generic Object Oriented Substation Event (GOOSE).

After you configure protocol protection in a Zone Protection profile, apply the profile to an ingress security zone on a Layer 2 VLAN or virtual wire.

The following settings are configured in Network > Network Profiles > Zone Protection > Protocol Protection.

Rule Type: Specify the type of list you are creating for protocol protection:
- Include List: Only the protocols on the list are allowed, in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN-tagged frames (0x8100), which are always allowed. All other protocols are implicitly denied (blocked).
- Exclude List: Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN-tagged frames (0x8100).

Protocol Name: Enter the protocol name that corresponds to the Ethertype code you are adding to the list. The firewall does not verify that the protocol name matches the Ethertype code; only the Ethertype code determines what is filtered. When you audit a list, check the codes rather than the names, because a mislabeled entry filters the protocol its code identifies, not the one its name suggests.

Enable: Enable the Ethertype code on the list. If you want to disable a protocol for testing purposes without deleting it, disable it instead.

Ethertype (hex): Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:
- IEEE hexadecimal Ethertype assignments: standards.ieee.org/develop/regauth/ethertype/eth.txt
- http://www.cavebear.com/archive/cavebear/Ethernet/type.html
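The include/exclude semantics above are easy to get backwards, and the name-versus-code point matters when someone reviews a list months later. The following is an added example, not Palo Alto Networks code: it models a Protocol Protection list as the reference describes it (the always-allowed Ethertypes, the 64-entry limit, the 0x-prefixed input format, disabled entries that stay on the list but do not filter) and decides what a frame with a given Ethertype would do under each rule type. The rule lists and frames are constructed for the example; the Ethertype values are the published IEEE assignments, and the small KNOWN_ETHERTYPES table is this example's own aid for spotting mislabeled entries.

```python
"""Added example, not Palo Alto Networks code: models the include/exclude
semantics of a Zone Protection > Protocol Protection list as the reference
describes them and audits a list before it is committed.  The rule lists and
frames below are constructed for the example; the Ethertype values are the
published IEEE assignments."""

# Ethertypes the firewall always forwards and never lets you exclude.
ALWAYS_ALLOWED = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x8100: "VLAN"}
MAX_ENTRIES = 64

# Small lookup used only to catch mislabeled entries (the firewall itself
# filters on the code and ignores the name).
KNOWN_ETHERTYPES = {"GOOSE": 0x88B8, "LLDP": 0x88CC, "AppleTalk": 0x809B}


def parse_ethertype(text: str) -> int:
    """Accept only the 0x-prefixed hexadecimal form the UI expects (0x0000-0xFFFF)."""
    if not text.lower().startswith("0x"):
        raise ValueError(f"Ethertype must be written as 0x-prefixed hex: {text!r}")
    value = int(text, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"Ethertype out of range: {text}")
    return value


def validate_list(rule_type: str, entries: list) -> set:
    """Return the enabled Ethertypes of a list, rejecting lists the firewall would refuse."""
    if rule_type not in ("include", "exclude"):
        raise ValueError("rule_type must be 'include' or 'exclude'")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceeds the maximum of {MAX_ENTRIES}")
    enabled = set()
    for entry in entries:
        code = parse_ethertype(entry["ethertype"])
        if rule_type == "exclude" and code in ALWAYS_ALLOWED:
            raise ValueError(f"cannot exclude {ALWAYS_ALLOWED[code]} ({entry['ethertype']})")
        if entry.get("enable", True):  # disabled entries stay on the list but do not filter
            enabled.add(code)
    return enabled


def frame_allowed(rule_type: str, enabled: set, ethertype: int) -> bool:
    """Include lists allow only listed codes; exclude lists deny only listed codes."""
    if ethertype in ALWAYS_ALLOWED:
        return True
    if rule_type == "include":
        return ethertype in enabled
    return ethertype not in enabled


def mislabeled_entries(entries: list) -> list:
    """Names whose code differs from the well-known assignment (the firewall filters on the code)."""
    return [
        entry["name"]
        for entry in entries
        if entry["name"] in KNOWN_ETHERTYPES
        and parse_ethertype(entry["ethertype"]) != KNOWN_ETHERTYPES[entry["name"]]
    ]


# Constructed include list for a substation VLAN: GOOSE allowed, LLDP kept on the
# list but disabled for a test.  MISLABELED_LIST labels AppleTalk's code "GOOSE".
SCADA_INCLUDE_LIST = [
    {"name": "GOOSE", "ethertype": "0x88B8"},
    {"name": "LLDP", "ethertype": "0x88CC", "enable": False},
]
MISLABELED_LIST = [{"name": "GOOSE", "ethertype": "0x809B"}]

if __name__ == "__main__":
    enabled = validate_list("include", SCADA_INCLUDE_LIST)
    for code in (0x88B8, 0x88CC, 0x809B, 0x0806):
        print(f"0x{code:04X} allowed: {frame_allowed('include', enabled, code)}")
    print("mislabeled entries:", mislabeled_entries(MISLABELED_LIST))
```

With the constructed include list, GOOSE (0x88B8) passes, the disabled LLDP entry (0x88CC) is blocked, AppleTalk (0x809B) is blocked because it is absent, and ARP (0x0806) passes regardless of the list. The mislabeled entry would silently block AppleTalk while allowing nothing for GOOSE, which is exactly the case the name check is there to catch.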

Network > Network Profiles > LLDP Profile

A Link Layer Discovery Protocol (LLDP) profile is where you configure the LLDP mode of the firewall, enable syslog and SNMP notifications, and configure the optional Type-Length-Values (TLVs) you want transmitted to LLDP peers. After configuring the LLDP profile, you assign the profile to one or more interfaces. The optional TLVs advertise the firewall's name, description, capabilities and management addresses to every device on the link, so enable only the TLVs a peer actually needs.

Learn more about LLDP, including how to configure and monitor LLDP.

LLDP Profile Settings

Name: Specify a name for the LLDP profile.

Mode: Select the mode in which LLDP will function: transmit-receive, transmit-only, or receive-only.

SNMP Syslog Notification: Enables SNMP trap and syslog notifications, which occur at the global Notification Interval. If enabled, the firewall sends both an SNMP trap and a syslog event as configured in Device > Log Settings > System > SNMP Trap Profile and Syslog Profile.

Port Description: Enables the ifAlias object of the firewall to be sent in the Port Description TLV.

System Name: Enables the sysName object of the firewall to be sent in the System Name TLV.

System Description: Enables the sysDescr object of the firewall to be sent in the System Description TLV.

System Capabilities: Enables the deployment mode (L3, L2, or virtual wire) of the interface to be sent, via the following mapping, in the System Capabilities TLV:
- If L3, the firewall advertises router (bit 6) capability and the Other bit (bit 1).
- If L2, the firewall advertises MAC Bridge (bit 3) capability and the Other bit (bit 1).
- If virtual wire, the firewall advertises Repeater (bit 2) capability and the Other bit (bit 1).
The SNMP MIB combines the capabilities configured on interfaces into a single entry.

Management Address: Enables the Management Address to be sent in the Management Address TLV. You can enter up to four management addresses, which are sent in the order they are specified. To change the order, click Move Up or Move Down.
- Name: Specify a name for the Management Address.
- Interface: Select an interface whose IP address will be the Management Address. If you select None, you can enter an IP address in the field next to the IPv4 or IPv6 selection.
- IP Choice: Select IPv4 or IPv6, and in the adjacent field, select or enter the IP address to be transmitted as the Management Address. At least one management address is required if the Management Address TLV is enabled. If no management IP address is configured, the system uses the MAC address of the transmitting interface as the management address transmitted.

Network > Network Profiles > BFD Profile

Bidirectional Forwarding Detection (BFD) enables extremely fast detection of a link failure, which accelerates failover to a different route.

What are you looking for?
- What is BFD? See BFD Overview.
- What fields are available to create a BFD profile? See Building Blocks of a BFD Profile.
- View BFD status for a virtual router. See View BFD Summary and Details.
- Looking for more? Learn more about and configure BFD. Configure BFD for: Static Routes, BGP, OSPF, OSPFv3, RIP.

BFD Overview

BFD is a protocol that recognizes a failure in the bidirectional path between two forwarding engines, such as interfaces, data links, or the actual forwarding engines. In the PAN-OS implementation, one of the forwarding engines is an interface on the firewall and the other is an adjacent configured BFD peer. BFD failure detection between two engines is extremely fast, providing faster failover than could be achieved by link monitoring or frequent dynamic routing health checks, such as Hello packets or heartbeats.

After BFD detects a failure, it notifies the routing protocol to switch to an alternate path to the peer. If BFD is configured for a static route, the firewall removes the affected routes from the RIB and FIB tables.

BFD is supported on the following interface types: physical Ethernet, AE, VLAN, tunnel (Site-to-Site VPN and LSVPN), and subinterfaces of Layer 3 interfaces. For each static route or dynamic routing protocol, you can enable or disable BFD, select the default BFD profile, or configure a BFD profile.

Building Blocks of a BFD Profile

Network > Network Profiles > BFD Profile

You can enable BFD for a static route or dynamic routing protocol by applying the default BFD profile or a BFD profile that you create. The default profile uses the default BFD settings and cannot be changed. You can Add a new BFD profile and specify the following information.

Name: Name of the BFD profile (up to 31 characters). The name is case-sensitive and must be unique on the firewall. Use only letters, numbers, spaces, hyphens, and underscores.

Mode: Mode in which BFD operates:
- Active: BFD initiates sending control packets (default). At least one of the BFD peers must be active; both can be active.
- Passive: BFD waits for the peer to send control packets and responds as required.

Desired Minimum Tx Interval (ms): Minimum interval (in milliseconds) at which you want the BFD protocol to send BFD control packets. The minimum value on PA-7000 and PA-5000 Series is 50; the minimum on PA-3000 Series is 100; the minimum on VM-Series is 200 (maximum value is 2000; default is 1000). If you have multiple protocols that use different BFD profiles on the same interface, configure the BFD profiles with the same Desired Minimum Tx Interval.

Required Minimum Rx Interval (ms): Minimum interval (in milliseconds) at which BFD can receive BFD control packets. The minimum value on PA-7000 and PA-5000 Series is 50; the minimum on PA-3000 Series is 100; the minimum on VM-Series is 200 (maximum value is 2000; default is 1000).

Detection Time Multiplier: The transmit interval (negotiated from the Desired Minimum Tx Interval) multiplied by the Detection Time Multiplier equals the detection time. If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred (range is 2 to 50; default is 3).

Hold Time (ms): Delay (in milliseconds) after a link comes up before the firewall transmits BFD control packets. Hold Time applies to BFD Active mode only. If the firewall receives BFD control packets during the Hold Time, it ignores them (range is 0 to 120,000; default is 0). The default setting of 0 means no transmit Hold Time is used; the firewall sends and receives BFD control packets immediately after the link is established.

Enable Multihop: Enables BFD over multiple hops. Applies to the BGP implementation only.

Minimum Rx TTL: Minimum Time-to-Live value (number of hops) BFD will accept (receive) when it supports multihop BFD. Applies to the BGP implementation only (range is 1 to 254; there is no default).
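The detection time that actually applies is negotiated with the peer, so the value you enter is only a lower bound. The following is an added example, not PAN-OS code: it checks a profile against the ranges and platform minimums listed above and works out the transmit interval and detection time at both ends of a session. The reference gives the simplified rule (negotiated Tx interval multiplied by the Detection Time Multiplier); the negotiation in the code follows RFC 5880 section 6.8.4, which is what a standards-conforming peer applies, so it goes slightly beyond the page. Both profiles are constructed for the example.

```python
"""Added example, not PAN-OS code: validates a BFD profile against the UI ranges
and platform minimums from the reference and computes the negotiated transmit
interval and detection time at each end of a session (RFC 5880 section 6.8.4).
The profiles are constructed for the example."""

PLATFORM_MIN_MS = {"PA-7000": 50, "PA-5000": 50, "PA-3000": 100, "VM-Series": 200}
MAX_INTERVAL_MS = 2000
MULTIPLIER_RANGE = (2, 50)
HOLD_TIME_RANGE = (0, 120_000)


def validate_profile(platform: str, profile: dict) -> list:
    """Return the settings the UI would reject for this platform (empty list = clean)."""
    floor = PLATFORM_MIN_MS[platform]
    problems = []
    for key, label in (("tx", "Desired Minimum Tx Interval"), ("rx", "Required Minimum Rx Interval")):
        if not floor <= profile[key] <= MAX_INTERVAL_MS:
            problems.append(f"{label} {profile[key]} ms is outside {floor}-{MAX_INTERVAL_MS} ms on {platform}")
    if not MULTIPLIER_RANGE[0] <= profile["mult"] <= MULTIPLIER_RANGE[1]:
        problems.append(f"Detection Time Multiplier {profile['mult']} is outside {MULTIPLIER_RANGE}")
    hold = profile.get("hold_time", 0)
    if not HOLD_TIME_RANGE[0] <= hold <= HOLD_TIME_RANGE[1]:
        problems.append(f"Hold Time {hold} ms is outside {HOLD_TIME_RANGE}")
    return problems


def same_tx_interval(profiles: list) -> bool:
    """Profiles that share an interface should use one Desired Minimum Tx Interval."""
    return len({p["tx"] for p in profiles}) <= 1


def negotiate(local: dict, remote: dict) -> dict:
    """RFC 5880 6.8.4: a system transmits no faster than max(its Desired Min Tx,
    the peer's Required Min Rx); the detection time a system applies is the
    peer's multiplier times the peer's effective transmit interval."""
    local_tx = max(local["tx"], remote["rx"])
    remote_tx = max(remote["tx"], local["rx"])
    return {
        "local_tx_ms": local_tx,
        "remote_tx_ms": remote_tx,
        "local_detect_ms": remote["mult"] * remote_tx,   # firewall declares the peer down after this
        "remote_detect_ms": local["mult"] * local_tx,    # peer declares the firewall down after this
    }


# Constructed profiles: an aggressive profile on a PA-3000, and a slower peer.
FIREWALL = {"tx": 100, "rx": 100, "mult": 3}
PEER = {"tx": 300, "rx": 300, "mult": 5}

if __name__ == "__main__":
    print("PA-3000 problems:", validate_profile("PA-3000", FIREWALL) or "none")
    print("VM-Series problems:", validate_profile("VM-Series", FIREWALL) or "none")
    print("negotiated:", negotiate(FIREWALL, PEER))
```

With these constructed values the firewall's 100 ms profile is valid on a PA-3000 but rejected on a VM-Series, and the session settles on 300 ms in both directions because the peer will not receive faster than that: the firewall detects a dead peer after 5 x 300 = 1500 ms, and the peer detects a dead firewall after 3 x 300 = 900 ms, not the 300 ms a reading of the local profile alone would suggest.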

View BFD Summary and Details

Network > Virtual Routers

The following describes how to view BFD information.

View a BFD summary: Select Network > Virtual Routers and, in the row of the virtual router you are interested in, click More Runtime Stats. Select the BFD Summary Information tab.

View BFD details: Select details in the row of the interface you are interested in to view BFD Details.

Network > Network Profiles > QoS

Add a QoS profile to define the bandwidth limits and priority for up to eight classes of service. You can set both guaranteed and maximum bandwidth limits for individual classes and for the collective classes. Priorities determine how traffic is treated in the presence of contention.

To fully enable the firewall to provide QoS, also:
- Define the traffic that you want to receive QoS treatment (select Policies > QoS to add or modify a QoS policy).
- Enable QoS on an interface (select Network > QoS).

See Quality of Service for complete QoS workflows, concepts, and use cases.

QoS Profile Settings

Profile Name: Enter a name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Egress Max: Enter the maximum bandwidth allowed for this profile (Mbps). The Egress Max value for a QoS profile must be less than or equal to the Egress Max value defined for the physical interface enabled with QoS. See Network > QoS. Though this is not a required field, we recommend that you always define the Egress Max value for a QoS profile.

Egress Guaranteed: Enter the bandwidth that is guaranteed for this profile (Mbps). When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis.

Classes: Add and specify how to treat individual QoS classes. You can select one or more classes to configure:
- Class: If you do not configure a class, you can still include it in a QoS policy. In this case, the traffic is subject to the overall QoS limits. Traffic that does not match a QoS policy is assigned to class 4.
- Priority: Click and select a priority to assign to a class: real-time, high, medium, or low. When contention occurs, traffic that is assigned a lower priority is dropped. Real-time priority uses its own separate queue.
- Egress Max: Click and enter the bandwidth limit (Mbps) for this class. The Egress Max value for a QoS class must be less than or equal to the Egress Max value defined for the QoS profile. Though this is not a required field, we recommend that you always define the Egress Max value.
- Egress Guaranteed: Click and enter the guaranteed bandwidth (Mbps) for this class. Guaranteed bandwidth assigned to a class is not reserved for that class; bandwidth that is unused remains available to all traffic. However, when the egress guaranteed bandwidth for a traffic class is exceeded, the firewall passes that traffic on a best-effort basis.

Device

Use the following sections for field reference on basic system configuration and maintenance tasks on the firewall:

Device > Setup
Device > High Availability
Device > Config Audit
Device > Password Profiles
Device > Administrators
Device > Admin Roles
Device > Access Domain
Device > Authentication Profile
Device > Authentication Sequence
Device > User Identification
Device > VM Information Sources
Device > Virtual Systems
Device > Shared Gateways
Device > Certificate Management
Device > Response Pages
Device > Log Settings
Device > Server Profiles
Device > Local User Database > Users
Device > Local User Database > User Groups
Device > Scheduled Log Export
Device > Software
Device > GlobalProtect Client
Device > Dynamic Updates
Device > Licenses
Device > Support
Device > Master Key and Diagnostics

Device > Setup

Device > Setup > Management
Device > Setup > Operations
Device > Setup > HSM
Device > Setup > Services
Device > Setup > Interfaces
Device > Setup > Telemetry
Device > Setup > Content-ID
Device > Setup > WildFire
Device > Setup > Session


Device > Setup > Management

Device > Setup > Management
Panorama > Setup > Management

On a firewall, select Device > Setup > Management to configure management settings.

On Panorama, select Device > Setup > Management to configure firewalls that you manage with Panorama templates. Select Panorama > Setup > Management to configure settings for Panorama.

The following management settings apply to both the firewall and Panorama, except where otherwise noted:

General Settings
Authentication Settings
Panorama Settings: Device > Setup > Management (settings configured on the firewall to connect to Panorama)
Panorama Settings: Panorama > Setup > Management (settings configured on Panorama for its connection to firewalls)
Logging and Reporting Settings
Banners and Messages
Minimum Password Complexity
AutoFocus

General Settings

Hostname: Enter a hostname (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. If you don't enter a value, PAN-OS uses the firewall model (for example, PA-5050_2) as the default. Optionally, you can configure the firewall to use a hostname that a DHCP server provides. See Accept DHCP server provided Hostname (Firewall only).

Domain: Enter the Fully Qualified Domain Name (FQDN) of the firewall (up to 31 characters). If you don't enter a value, PAN-OS uses the firewall model (for example, PA-5050_2) as the default. Optionally, you can configure the firewall to use a domain that a DHCP server provides. See Accept DHCP server provided Domain (Firewall only).

Accept DHCP server provided Hostname (Firewall only): (Applies only when the Management Interface IP Type is DHCP Client.) Select this option to have the management interface accept the hostname it receives from the DHCP server. The hostname from the server (if valid) overwrites any value specified in the Hostname field. Because the server's value overwrites the configured one, enable this only where the DHCP server on the management network is trusted.

Accept DHCP server provided Domain (Firewall only): (Applies only when the Management Interface IP Type is DHCP Client.) Select this option to have the management interface accept the domain (DNS suffix) it receives from the DHCP server. The domain from the server overwrites any value specified in the Domain field.

Login Banner: Enter text (up to 3,200 characters) to display on the web interface login page below the Name and Password fields.

Force Admins to Acknowledge Login Banner: Select this option to display the "I Accept and Acknowledge the Statement Below" option above the login banner on the login page and force administrators to select it; administrators must acknowledge the message before they can Login.

SSL/TLS Service Profile: Assign an existing SSL/TLS Service profile or create a new one to specify a certificate and the SSL/TLS protocol settings allowed on the management interface (see Device > Certificate Management > SSL/TLS Service Profile). The firewall or Panorama uses this certificate to authenticate to administrators who access the web interface through the management (MGT) interface or through any other interface that supports HTTP/HTTPS management traffic (see Network > Network Profiles > Interface Mgmt). If you select none (default), the firewall or Panorama uses a predefined certificate. The predefined certificate is provided for convenience. For better security, assign an SSL/TLS Service profile. To ensure trust, the certificate must be signed by a certificate authority (CA) certificate that is in the trusted root certificate store of the client systems.

Time Zone: Select the time zone of the firewall.

Locale: Select a language for PDF reports from the drop-down. See Monitor > PDF Reports > Manage PDF Summary. Even if you have a specific language preference set for the web interface, PDF reports use the language specified for Locale.

Time: Set the date and time on the firewall. Enter the current date (in YYYY/MM/DD format) or select the date from the drop-down. Enter the current time in 24-hour format (HH:MM:SS). You can also define an NTP server from Device > Setup > Services.

Serial Number (Panorama virtual appliances only): Enter the serial number for Panorama. Find the serial number in the order fulfillment email that you received from Palo Alto Networks.

Geo Location: Enter the latitude (-90.0 to 90.0) and longitude (-180.0 to 180.0) of the firewall.

Automatically acquire commit lock: Select this option to automatically apply a commit lock when you change the candidate configuration. For more information, see Lock Configurations.

Certificate Expiration Check: Instruct the firewall to create warning messages when on-box certificates near their expiration dates.

Multiple Virtual System Capability: Enables the use of multiple virtual systems on firewalls that support this feature (see Device > Virtual Systems). To enable multiple virtual systems on a firewall, firewall policies must reference no more than 640 distinct user groups. If necessary, reduce the number of referenced user groups. Then, after you enable and add multiple virtual systems, the policies can reference another 640 user groups for each additional virtual system.

URL Filtering Database (Panorama only): Select a URL Filtering vendor for use with Panorama: brightcloud or paloaltonetworks (PAN-DB).

Use Hypervisor Assigned MAC Addresses (VM-Series firewalls only): Select this option to have the VM-Series firewall use the MAC address that the hypervisor assigned, instead of generating a MAC address using the PAN-OS custom schema. If you enable this option and use an IPv6 address for the interface, the interface ID must not use the EUI-64 format, which derives the IPv6 address from the interface MAC address. In a high availability (HA) active/passive configuration, a commit error occurs if the EUI-64 format is used.

Authentication Settings

Authentication Profile: Select the authentication profile (or sequence) the firewall uses to authenticate administrative accounts that you define on an external server instead of locally on the firewall (see Device > Authentication Profile). When external administrators log in, the firewall requests authentication and authorization information (such as the administrative role) from the external server. Enabling authentication for external administrators requires additional steps based on the server type that the authentication profile specifies, which must be one of the following:
- RADIUS
- TACACS+
- SAML
Administrators can use SAML to authenticate to the web interface but not to the CLI. For RADIUS and TACACS+ authentication, you can configure the firewall to authenticate either external or local administrators but not both: specifying an authentication profile in the Authentication Settings disables RADIUS and TACACS+ authentication for local administrators. Select None to disable authentication for external administrators. For administrative accounts that you define locally (on the firewall), the firewall authenticates using the authentication profile assigned to those accounts (see Device > Administrators).

Certificate Profile: Select a certificate profile to verify the client certificates of administrators who are configured for certificate-based access to the firewall web interface. For instructions on configuring certificate profiles, see Device > Certificate Management > Certificate Profile.

Idle Timeout: Enter the maximum time (in minutes) without any activity on the web interface or CLI before an administrator is automatically logged out (range is 0 to 1,440; default is 60). A value of 0 means that inactivity does not trigger an automatic logout. Both manual and automatic refreshing of web interface pages (such as the Dashboard tab and the System Alarms dialog) reset the Idle Timeout counter. To enable the firewall to enforce the timeout when you are on a page that supports automatic refreshing, set the refresh interval to Manual or to a value higher than the Idle Timeout. You can also disable Auto Refresh in the ACC tab.

Failed Attempts: Enter the number of failed login attempts (range is 0 to 10) that the firewall allows for the web interface and CLI before locking out the administrator account. A value of 0 (default) specifies unlimited login attempts. Limiting login attempts helps protect the firewall from brute-force attacks. If you set Failed Attempts to a value other than 0 but leave Lockout Time at 0, Failed Attempts is ignored and the user is never locked out.

Lockout Time: Enter the number of minutes (range is 0 to 60) for which the firewall locks out an administrator from access to the web interface and CLI after reaching the Failed Attempts limit. A value of 0 (default) means the lockout applies until another administrator manually unlocks the account. If you set Lockout Time to a value other than 0 but leave Failed Attempts at 0, Lockout Time is ignored and the user is never locked out.

Because both fields default to 0, lockout is off until you set both of them to non-zero values; verify the behavior on a test account after committing.
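The interaction between Failed Attempts and Lockout Time is where management hardening most often goes wrong: a value in one field with the other left at its default of 0 gives no protection at all. The following is an added example, not PAN-OS code: it audits the administrative-access fields described above and simulates the lockout counter they define. The dictionary keys are this example's own names for the UI fields (not a PAN-OS configuration format), both sample configurations are constructed, the success-resets-counter behavior is an assumption the reference does not state, and where the reference's two notes say that leaving either field at 0 disables the lockout, the simulator follows the notes.

```python
"""Added example, not PAN-OS code: audits the administrative-access settings
from Device > Setup > Management (Idle Timeout, Failed Attempts, Lockout Time,
SSL/TLS Service Profile) and simulates the lockout counter.  Field names and
sample configurations are constructed for the example."""

RANGES = {"idle_timeout": (0, 1440), "failed_attempts": (0, 10), "lockout_time": (0, 60)}


def lockout_is_effective(failed_attempts: int, lockout_time: int) -> bool:
    """Per the reference's notes, brute-force lockout only works when both fields are non-zero."""
    return failed_attempts > 0 and lockout_time > 0


def audit_management(cfg: dict) -> list:
    """Return findings for a management configuration; an empty list means no weak setting found."""
    findings = []
    for key, (lo, hi) in RANGES.items():
        value = cfg.get(key, 0)
        if not lo <= value <= hi:
            findings.append(f"{key}={value} is outside the UI range {lo}-{hi}")
    failed = cfg.get("failed_attempts", 0)
    lockout = cfg.get("lockout_time", 0)
    if failed == 0:
        findings.append("Failed Attempts=0 (default): unlimited login attempts, no brute-force protection")
    elif lockout == 0:
        findings.append("Lockout Time=0 with Failed Attempts set: Failed Attempts is ignored, nobody is ever locked out")
    if cfg.get("idle_timeout", 60) == 0:
        findings.append("Idle Timeout=0: inactive web/CLI sessions never expire")
    if cfg.get("ssl_tls_service_profile") in (None, "none"):
        findings.append("SSL/TLS Service Profile=none: management interface serves the predefined certificate")
    return findings


class AdminLockout:
    """Simulates the per-account counter: after `failed_attempts` consecutive
    failures the account is locked for `lockout_time` minutes."""

    def __init__(self, failed_attempts: int, lockout_time: int):
        self.failed_attempts = failed_attempts
        self.lockout_time = lockout_time
        self.failures = {}       # user -> consecutive failures
        self.locked_until = {}   # user -> unlock time (seconds)

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login at time `now` (seconds); return True if it triggers a lockout."""
        if not lockout_is_effective(self.failed_attempts, self.lockout_time):
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.failed_attempts:
            self.locked_until[user] = now + self.lockout_time * 60
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        """Assumed behavior (not stated in the reference): a successful login resets the counter."""
        self.failures.pop(user, None)


# Constructed configurations: the defaults as shipped, and a hardened one.
DEFAULT_CFG = {"idle_timeout": 60, "failed_attempts": 0, "lockout_time": 0, "ssl_tls_service_profile": "none"}
HARDENED_CFG = {"idle_timeout": 10, "failed_attempts": 5, "lockout_time": 30, "ssl_tls_service_profile": "mgmt-tls"}

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_management(cfg) or "no findings")
    guard = AdminLockout(HARDENED_CFG["failed_attempts"], HARDENED_CFG["lockout_time"])
    for attempt in range(5):
        print("lockout triggered:", guard.record_failure("admin", now=attempt))
```

Run against the shipped defaults the audit reports two findings (unlimited attempts and the predefined certificate); the hardened configuration reports none, and its simulated counter locks the account on the fifth consecutive failure for 30 minutes.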

Panorama Settings: Device > Setup > Management

Configure the following settings on the firewall or in a template on Panorama. These settings establish a connection from the firewall to Panorama. You must also configure connection and object sharing settings on Panorama: see Panorama Settings: Panorama > Setup > Management.

The firewall uses an SSL connection with AES-256 encryption to register with Panorama. By default, Panorama and the firewall authenticate each other using predefined 2,048-bit certificates and they use the SSL connection for configuration management and log collection. To further secure the SSL connections between Panorama, firewalls, and log collectors, see Secure Client Communication to configure custom certificates between the firewall and Panorama or a log collector.

Panorama Servers: Enter the IP address or FQDN of the Panorama server. If Panorama is in a high availability (HA) configuration, in the second Panorama Servers field, enter the IP address or FQDN of the secondary Panorama server.

Receive Timeout for Connection to Panorama: Enter the timeout in seconds for receiving TCP messages from Panorama (range is 1 to 240; default is 240).

Send Timeout for Connection to Panorama: Enter the timeout in seconds for sending TCP messages to Panorama (range is 1 to 240; default is 240).

Retry Count for SSL Send to Panorama: Enter the number of retry attempts allowed when sending Secure Sockets Layer (SSL) messages to Panorama (range is 1 to 64; default is 25).

Secure Client Communication: Enabling Secure Client Communication ensures that the firewall uses configured custom certificates (instead of the default certificate) to authenticate SSL connections with Panorama or log collectors.
- None (default): No device certificate is configured and the default predefined certificate is used.
- Local: The firewall uses a local device certificate and the corresponding private key generated on the firewall or imported from an existing enterprise PKI server.
  - Certificate: Select the local device certificate. This certificate can be unique to the firewall (based on a hash of the firewall's serial number) or it can be a common device certificate used by all firewalls that connect to Panorama.
  - Certificate Profile: Select the Certificate Profile from the drop-down.
- SCEP: The firewall uses a device certificate and private key generated by a Simple Certificate Enrollment Protocol (SCEP) server.
  - SCEP Profile: Select a SCEP Profile from the drop-down.
  - Certificate Profile: Select the Certificate Profile from the drop-down.
- Check Server Identity: The client device confirms the identity of the server by matching the common name (CN) with the IP address or FQDN of the server.

Disable/Enable Panorama Policy and Objects: This option displays only when you edit the Panorama Settings on a firewall (not in a template on Panorama). Disable Panorama Policy and Objects to disable the propagation of device group policies and objects to the firewall. By default, this action also removes those policies and objects from the firewall. To keep a local copy of the device group policies and objects on the firewall, in the dialog that opens when you click this option, select Import Panorama Policy and Objects before disabling. After you perform a commit, the policies and objects become part of the firewall configuration and Panorama no longer manages them.

Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of firewalls. This option generally applies to situations where firewalls require rules and object values that differ from those defined in the device group. An example is when you move a firewall out of production and into a laboratory environment for testing.

To revert firewall policy and object management to Panorama, click Enable Panorama Policy and Objects.

Disable/Enable Device and Network Template: This option displays only when you edit the Panorama Settings on a firewall (not in a template on Panorama). Disable Device and Network Template to disable the propagation of template information (device and network configurations) to the firewall. By default, this action also removes the template information from the firewall. To keep a local copy of the template information on the firewall, in the dialog that opens when you select this option, select Import Device and Network Templates before disabling. After you perform a commit, the template information becomes part of the firewall configuration and Panorama no longer manages that information.

Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of firewalls. This option generally applies to situations where firewalls require device and network configuration values that differ from those defined in the template. An example is when you move a firewall out of production and into a laboratory environment for testing.

To configure the firewall to accept templates again, click Enable Device and Network Templates.

Panorama Settings: Panorama > Setup > Management

If you use Panorama to manage firewalls, configure the following settings on Panorama. These settings determine timeouts and SSL message attempts for the connections from Panorama to managed firewalls, as well as object sharing parameters. You must also configure Panorama connection settings on the firewall, or in a template on Panorama: see Panorama Settings: Device > Setup > Management.

The firewall uses an SSL connection with AES-256 encryption to register with Panorama. By default, Panorama and the firewall authenticate each other using predefined 2,048-bit certificates and they use the SSL connection for configuration management and log collection. To further secure these SSL connections, see Secure Server Communication to configure custom certificates between Panorama and its clients.

Receive Timeout for Connection to Device: Enter the timeout in seconds for receiving TCP messages from all managed firewalls (range is 1 to 240; default is 240).

Send Timeout for Connection to Device: Enter the timeout in seconds for sending TCP messages to all managed firewalls (range is 1 to 240; default is 240).

Retry Count for SSL Send to Device: Enter the number of allowed retry attempts when sending Secure Sockets Layer (SSL) messages to managed firewalls (range is 1 to 64; default is 25).

Share Unused Address and Service Objects with Devices: Select this option to share all Panorama shared objects and device-group-specific objects with managed firewalls. This setting is enabled by default. If you clear this option, PAN-OS checks Panorama policies for references to address, address group, service, and service group objects, and does not share any unreferenced objects. This option reduces the total object count by ensuring that PAN-OS sends only necessary objects to managed firewalls.

Objects defined in ancestors will take higher precedence: Select this option (disabled by default) to specify that the object values in ancestor groups take precedence over those in descendant groups when device groups at different levels in the hierarchy have objects of the same type and name but with different values. This means that when you perform a device group commit, the ancestor values replace any override values. Likewise, this option causes the value of a shared object to override the values of objects of the same type and name in device groups. Selecting this option displays the Find Overridden Objects link.

Find Overridden Objects: Click this link at the bottom of the Panorama Settings dialog to list any shadowed objects. A shadowed object is an object in the Shared location that has the same name but a different value in a device group. The link displays only if you specify that Objects defined in ancestors will take higher precedence.

Enable reporting and filtering on groups: Select this option (disabled by default) to enable Panorama to locally store usernames, user group names, and username-to-group mapping information that it receives from firewalls. This option is global to all device groups in Panorama. However, you must also enable local storage at the level of each device group by specifying a Master Device and selecting the Store users and groups from Master Device option.
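Which value of a same-named object actually lands on a firewall decides what a policy rule matches, so it is worth being precise about the two precedence modes. The following is an added example, not Panorama code: it resolves an object name through a device-group hierarchy under the default behavior (the override in the nearest descendant wins) and under Objects defined in ancestors will take higher precedence (Shared, then each ancestor, wins), and lists the shadowed objects that the Find Overridden Objects link reports. The hierarchy and the objects are constructed for the example.

```python
"""Added example, not Panorama code: resolves a same-named object through a
device-group hierarchy under the two precedence modes described in the
reference and lists shadowed Shared objects.  The hierarchy is constructed."""

# Constructed hierarchy: Shared -> "datacenter" -> "dc-east".  Each location maps
# an object name to its value (an address object's IP address here).
HIERARCHY = {
    "Shared": {"parent": None, "objects": {"dns-server": "10.0.0.53", "jump-host": "10.0.0.10"}},
    "datacenter": {"parent": "Shared", "objects": {"jump-host": "10.1.0.10"}},
    "dc-east": {"parent": "datacenter", "objects": {"jump-host": "10.1.1.10", "syslog": "10.1.1.50"}},
}


def ancestry(hierarchy: dict, device_group: str) -> list:
    """Locations from Shared down to the device group itself."""
    chain = []
    node = device_group
    while node is not None:
        chain.append(node)
        node = hierarchy[node]["parent"]
    return list(reversed(chain))


def resolve(hierarchy: dict, device_group: str, name: str, ancestors_win: bool = False) -> str:
    """Value the firewall in `device_group` receives for object `name`.

    Default: search from the device group upward, so the nearest override wins.
    ancestors_win: search from Shared downward, so the top-most definition wins."""
    chain = ancestry(hierarchy, device_group)
    search_order = chain if ancestors_win else list(reversed(chain))
    for location in search_order:
        objects = hierarchy[location]["objects"]
        if name in objects:
            return objects[name]
    raise KeyError(f"{name} is not defined in {device_group} or any of its ancestors")


def shadowed_objects(hierarchy: dict) -> list:
    """(name, device_group) pairs where a device group redefines a Shared object with a different value."""
    shared = hierarchy["Shared"]["objects"]
    return sorted(
        (name, group)
        for group, node in hierarchy.items()
        if group != "Shared"
        for name, value in node["objects"].items()
        if name in shared and shared[name] != value
    )


if __name__ == "__main__":
    for mode in (False, True):
        print(f"ancestors_win={mode}: dc-east jump-host ->", resolve(HIERARCHY, "dc-east", "jump-host", mode))
    print("shadowed:", shadowed_objects(HIERARCHY))
```

With the constructed hierarchy a firewall in dc-east gets jump-host = 10.1.1.10 by default but 10.0.0.10 once the ancestor-precedence option is selected, while dns-server resolves to the Shared value either way because nothing overrides it. The two overrides of jump-host are what Find Overridden Objects would list; check that list before enabling the option, because every one of those overrides silently changes value at the next device group commit.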

Secure Server Communication:
- Custom Certificate Only: When enabled, Panorama only accepts custom certificates for authentication with managed firewalls and log collectors.
- SSL/TLS Service Profile: Select an SSL/TLS service profile from the drop-down. This profile defines the certificate and supported SSL/TLS versions that the firewall can use to communicate with Panorama.
- Certificate Profile: Select a certificate profile from the drop-down. This certificate profile defines the certificate revocation checking behavior and the root CA used to authenticate the certificate chain presented by the client.
- Authorization List: Select Add and complete the following fields to set criteria for authorizing client devices. The Authorization List supports a maximum of 16 entries.
  - Identifier: Select Subject or Subject Alt. Name as the authorization identifier.
  - Type: If you selected Subject Alt. Name as the Identifier, then select IP, hostname, or e-mail as the type of the identifier. If you selected Subject, then common name is the identifier type.
  - Value: Enter the identifier value.
- Authorize Clients Based on Serial Number: Panorama authorizes client devices based on a hash of their serial number.
- Check Authorization List: Client devices connecting to Panorama are checked against the authorization list. A device need match only one item on the list to be authorized. If no match is found, the device is not authorized.
- Disconnect Wait Time (min): The amount of time Panorama waits before terminating the current connection with its managed devices. Panorama then reestablishes connections with its managed devices using the configured secure server communication settings. The wait time begins after the secure server communication configuration is committed.
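The Authorization List is the step that turns "presented a certificate our CA signed" into "is a device we expect", so it helps to see exactly what an entry matches. The following is an added example, not Panorama code: it evaluates an Authorization List as the reference describes it (at most 16 entries, each matching either the client certificate's Subject common name or one Subject Alt. Name of type IP, hostname or e-mail, with a client needing to match only one entry). The client certificates are represented as already-parsed fields constructed for the example rather than real X.509 data, and comparisons are exact because the reference does not say whether matching is case-insensitive.

```python
"""Added example, not Panorama code: evaluates a Secure Server Communication
Authorization List against parsed client-certificate fields.  The list and the
certificates are constructed for the example."""

MAX_ENTRIES = 16
SAN_TYPES = {"IP", "hostname", "e-mail"}


def validate_authorization_list(entries: list) -> None:
    """Reject lists the UI would not accept: too many entries or an identifier/type mismatch."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceeds the maximum of {MAX_ENTRIES}")
    for entry in entries:
        if entry["identifier"] == "Subject":
            if entry.get("type", "common-name") != "common-name":
                raise ValueError("Subject entries use the common name as their type")
        elif entry["identifier"] == "Subject Alt. Name":
            if entry.get("type") not in SAN_TYPES:
                raise ValueError(f"Subject Alt. Name entries need a type in {sorted(SAN_TYPES)}")
        else:
            raise ValueError(f"unknown identifier {entry['identifier']!r}")


def entry_matches(entry: dict, cert: dict) -> bool:
    """A Subject entry compares against the CN; a SAN entry compares against SANs of the same type only."""
    if entry["identifier"] == "Subject":
        return cert["subject_cn"] == entry["value"]
    return any(
        san_type == entry["type"] and san_value == entry["value"]
        for san_type, san_value in cert["sans"]
    )


def client_authorized(entries: list, cert: dict) -> bool:
    """A device need match only one entry; no match means it is not authorized."""
    validate_authorization_list(entries)
    return any(entry_matches(entry, cert) for entry in entries)


# Constructed list: one device admitted by its DNS SAN, any device admitted by a shared CN.
AUTH_LIST = [
    {"identifier": "Subject Alt. Name", "type": "hostname", "value": "fw-dc-east.example.net"},
    {"identifier": "Subject", "value": "panorama-managed-fw"},
]

# Constructed certificate fields (subject CN plus a list of (SAN type, value) pairs).
UNIQUE_CERT = {"subject_cn": "fw-dc-east", "sans": [("hostname", "fw-dc-east.example.net"), ("IP", "10.1.1.1")]}
COMMON_CERT = {"subject_cn": "panorama-managed-fw", "sans": []}
# Same string in the wrong place: CN instead of a hostname SAN, and an e-mail SAN instead of a hostname SAN.
WRONG_PLACE_CERT = {"subject_cn": "fw-dc-east.example.net", "sans": [("e-mail", "fw-dc-east.example.net")]}

if __name__ == "__main__":
    for label, cert in (("unique", UNIQUE_CERT), ("common", COMMON_CERT), ("wrong place", WRONG_PLACE_CERT)):
        print(f"{label}: authorized={client_authorized(AUTH_LIST, cert)}")
```

The third certificate carries the authorized hostname string, but as a CN and as an e-mail SAN rather than as a hostname SAN, and is rejected: an entry's Type is part of the match, not just its Value. The second entry shows the trade-off of a common device certificate: every device holding it satisfies the list, so the per-device check then rests on Authorize Clients Based on Serial Number.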

Logging and Reporting Settings

Use this section to modify:
- Expiration periods and storage quotas for reports and for the following log types. The settings are synchronized across high availability pairs.
  - Logs of all types that the firewall generates and stores locally (Device > Setup > Management). The settings apply to all the virtual systems on the firewall.
  - Logs that an M-Series appliance or a Panorama virtual appliance in Panorama mode generates and stores locally: System, Config, Application Statistics, and User-ID logs (Panorama > Setup > Management).
  - Logs of all types that the Panorama virtual appliance in Legacy mode generates locally or collects from firewalls (Panorama > Setup > Management).
  For the logs that firewalls send to Panorama Log Collectors, you set storage quotas and expiration periods in each Collector Group (see Panorama > Collector Groups).
- Attributes for calculating and exporting user activity reports.
- Predefined reports created on the firewall or Panorama.

376 PANOS8.0WebInterfaceReferenceGuide PaloAltoNetworks,Inc.


Device Device>Setup>Management

Item Description

Log Storage tab (Panorama management server and all firewall models except PA-5200 Series and PA-7000 Series firewalls)
Panorama displays this tab if you edit the Logging and Reporting Settings on the Panorama > Setup > Management page. If you use a Panorama template to configure the settings for firewalls (Device > Setup > Management), see Single Disk Storage and Multi Disk Storage tabs.

For each log type, specify:
- Quota: The quota, as a percentage, allocated on the hard disk for log storage. When you change a Quota value, the associated disk allocation changes automatically. If the total of all the values exceeds 100%, a message appears on the page in red and an error message appears when you try to save the settings. If this happens, adjust the percentages so the total is within the 100% limit.
- Max Days: The length, in days, of the log expiration period (range is 1 to 2,000). The firewall or Panorama automatically deletes logs that exceed the specified period. By default, there is no expiration period, which means logs never expire.
  The firewall or Panorama evaluates logs as it creates them and deletes logs that exceed the expiration period or quota size.
  Weekly summary logs can age beyond the threshold before the next deletion if they reach the expiration threshold between times when the firewall or Panorama deletes logs. When a log quota reaches the maximum size, new log entries start overwriting the oldest log entries. If you reduce a log quota size, the firewall or Panorama removes the oldest logs when you commit the changes. In a high availability (HA) active/passive configuration, the passive peer does not receive logs and, therefore, does not delete them unless failover occurs and it becomes active.
- Core Files: If your firewall experiences a system process failure, it will generate a core file that contains details about the process and why it failed. If a core file is too large for the default core file storage location (/var/cores partition), you can enable the large-core file option to allocate an alternate and larger storage location (/opt/panlogs/cores). A Palo Alto Networks support engineer can increase the allocated storage if needed.
  To enable or disable the large-core file option, enter the following CLI command from configuration mode and then commit the configuration:
    # set deviceconfig settings management large-core [yes|no]
  The core file will be deleted when you disable the option.
  You must use SCP from operational mode to export the core file:
    > scp export core-file large-corefile
  The contents of the core files can be interpreted only by a Palo Alto Networks support engineer.
- Restore Defaults: Select this option to revert to the default values.
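The quota and Max Days rules above can be modelled to see how they interact. The following is an added example, not Palo Alto Networks code: it validates a set of quota percentages the way the page says the web interface does (total at most 100%) and simulates a single log type's storage, deleting expired entries and overwriting the oldest entries once the quota is full. Log type names, sizes and timestamps are constructed sample data.

```python
"""Added example (not Palo Alto Networks code): the Log Storage quota and
Max Days retention rules as stated in the reference text."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


def check_quotas(quotas: Dict[str, int]) -> List[str]:
    """Validate per-log-type quota percentages as the web interface does:
    every value must be non-negative and the total may not exceed 100%."""
    errors = []
    for name, pct in quotas.items():
        if pct < 0:
            errors.append(f"{name}: quota {pct}% is negative")
    total = sum(quotas.values())
    if total > 100:
        errors.append(f"total quota {total}% exceeds the 100% limit")
    return errors


@dataclass
class LogEntry:
    created: datetime
    size_bytes: int


@dataclass
class LogStore:
    """Storage for one log type: a quota (bytes) and an optional Max Days."""
    quota_bytes: int
    max_days: Optional[int] = None          # None = logs never expire
    entries: List[LogEntry] = field(default_factory=list)

    def used(self) -> int:
        return sum(e.size_bytes for e in self.entries)

    def add(self, entry: LogEntry) -> int:
        """Append an entry, applying both rules the page describes: entries
        older than Max Days are deleted, and once the quota is full the
        oldest entries are overwritten.  The new entry's creation time acts
        as the clock.  Returns the number of entries removed."""
        removed = 0
        if self.max_days is not None:
            cutoff = entry.created - timedelta(days=self.max_days)
            kept = [e for e in self.entries if e.created > cutoff]
            removed += len(self.entries) - len(kept)
            self.entries = kept
        self.entries.append(entry)
        # Entries are appended in creation order, so index 0 is the oldest.
        while self.used() > self.quota_bytes and len(self.entries) > 1:
            self.entries.pop(0)
            removed += 1
        return removed

    def resize(self, new_quota_bytes: int) -> int:
        """Reducing a quota removes the oldest logs at commit time."""
        self.quota_bytes = new_quota_bytes
        removed = 0
        while self.used() > self.quota_bytes and self.entries:
            self.entries.pop(0)
            removed += 1
        return removed


def demo_retention() -> tuple:
    """Walk the rules on constructed entries: 100-byte logs, 300-byte quota,
    7-day expiration.  Returns (evicted by quota, expired, entries left
    afterwards, removed when the quota is shrunk to 50 bytes)."""
    t0 = datetime(2017, 2, 1)  # constructed start date
    store = LogStore(quota_bytes=300, max_days=7)
    for day in range(3):
        store.add(LogEntry(t0 + timedelta(days=day), 100))
    evicted_by_quota = store.add(LogEntry(t0 + timedelta(days=3), 100))
    expired = store.add(LogEntry(t0 + timedelta(days=20), 100))
    remaining = len(store.entries)
    shrunk = store.resize(50)
    return evicted_by_quota, expired, remaining, shrunk


if __name__ == "__main__":
    print(check_quotas({"traffic": 60, "threat": 30, "system": 15}))
    print(demo_retention())
```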

Session Log Storage and Management Log Storage tabs (PA-5200 Series and PA-7000 Series firewalls only)
PA-5200 Series and PA-7000 Series firewalls store management logs and session logs on separate disks. Select the tab for each set of logs and configure the settings described in Log Storage tab:
- Session Log Storage: Select Session Log Quota and set the quotas and expiration periods for Traffic, Threat, URL Filtering, HIP Match, User-ID, GTP/Tunnel, and Authentication logs, as well as Extended Threat PCAPs.
- Management Log Storage: Set quotas and expiration periods for System, Config, and App Stats logs, as well as for HIP Reports, Data Filtering Captures, App PCAPs, and Debug Filter PCAPs.


Single Disk Storage and Multi Disk Storage tabs (Panorama template only)
If you use a Panorama template to configure log quotas and expiration periods, configure the settings in one or both of the following tabs based on the firewalls assigned to the template:
- PA-5200 Series and PA-7000 Series firewalls: Select Multi Disk Storage and configure the settings in the Session Log Storage and Management Log Storage tabs.
- All other firewall models: Select Single Disk Storage, select Session Log Quota, and configure the settings on the Log Storage tab.


Log Export and Reporting tab
Configure the following log export and reporting settings as needed:
- Number of Versions for Config Audit: Enter the number of configuration versions to save before discarding the oldest ones (default is 100). You can use these saved versions to audit and compare changes in configuration.
- Number of Versions for Config Backups (Panorama only): Enter the number of configuration backups to save before discarding the oldest ones (default is 100).
- Max Rows in CSV Export: Enter the maximum number of rows that will appear in the CSV reports generated when you Export to CSV from the traffic logs view (range is 1 to 1,048,576; default is 65,535).
- Max Rows in User Activity Report: Enter the maximum number of rows that is supported for the detailed user activity reports (range is 1 to 1,048,576; default is 5,000).
- Average Browse Time (sec): Configure this variable to adjust how the browse time is calculated in seconds for the Monitor > PDF Reports > User Activity Report (range is 0 to 300 seconds; default is 60).
  The calculation will ignore sites categorized as web advertisements and content delivery networks. The browse time calculation is based on container pages logged in the URL filtering logs. Container pages are used as the basis for this calculation because many sites load content from external sites that should not be considered. For more information on the container page, see Container Pages.
  The average browse time setting is the average time that the admin thinks it should take a user to browse a web page. Any request made after the average browse time has elapsed will be considered a new browsing activity. The calculation will ignore any new web pages that are loaded between the time of the first request (start time) and the average browse time. This behavior was designed to exclude any external sites that are loaded within the web page of interest.
  Example: If the average browse time setting is 2 minutes and a user opens a web page and views that page for 5 minutes, the browse time for that page will still be 2 minutes. This is done because there is no way to determine how long a user views a given page.
- Page Load Threshold (sec): This option allows you to adjust the assumed time in seconds that it takes for page elements to load on the page (range is 0 to 60; default is 20). Any request that occurs between the first page load and the page load threshold is assumed to be elements of the page. Any requests that occur outside of the page load threshold are assumed to be the user clicking a link within the page. The page load threshold is also used in the calculations for the Monitor > PDF Reports > User Activity Report.
- Syslog HOSTNAME Format: Select whether to use the FQDN, hostname, or IP address (v4 or v6) in the syslog message header. This header identifies the firewall or Panorama management server where the message originated.
- Report Runtime: Select the time of day (default is 2 A.M.) when the firewall or Panorama starts generating daily scheduled reports.
- Report Expiration Period: Set the expiration period (in days) for reports (range is 1 to 2,000). By default, there is no expiration period, which means reports never expire. The firewall or Panorama deletes expired reports nightly at 2 a.m. according to its system time.
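The Average Browse Time and Page Load Threshold rules above can be followed on a handful of URL filtering entries. The following is an added example, not Palo Alto Networks code or the firewall's actual report logic: it applies the rules as the text states them (only container pages count, advertisement and CDN categories are ignored, each browsing activity contributes the average browse time, requests within the load threshold are page elements). Where the text is silent, namely how a request after the load threshold but before the average browse time has elapsed is counted, this example records it as a page viewed without starting a new interval; that reading is an assumption. The log entries are constructed sample data.

```python
"""Added example (not Palo Alto Networks code): a model of the browse-time
calculation controlled by Average Browse Time and Page Load Threshold."""
from dataclasses import dataclass
from typing import List, Tuple

# Categories the calculation ignores, per the reference text.
IGNORED_CATEGORIES = {"web-advertisements", "content-delivery-networks"}


@dataclass
class UrlLogEntry:
    ts: int            # seconds since an arbitrary epoch (constructed)
    url: str
    category: str
    container: bool    # True when the entry was logged as a container page


def browse_time(entries: List[UrlLogEntry], avg_browse_sec: int = 60,
                page_load_threshold_sec: int = 20) -> Tuple[int, int]:
    """Return (total browse time in seconds, pages counted) for one user.

    Rules applied, in the order the page states them:
    - non-container entries and ignored categories never count;
    - the first container page starts a browsing activity at its timestamp;
    - requests within page_load_threshold_sec of the start are page elements;
    - requests after the threshold but before avg_browse_sec has elapsed are
      treated as clicks within the page: counted, but no new interval
      (this example's assumption; the text does not say);
    - a request after avg_browse_sec has elapsed starts a new activity, and
      every activity contributes exactly avg_browse_sec, however long the
      user actually stayed on the page.
    """
    total = 0
    pages = 0
    start = None
    for e in sorted(entries, key=lambda x: x.ts):
        if not e.container or e.category in IGNORED_CATEGORIES:
            continue
        if start is None or e.ts - start >= avg_browse_sec:
            start = e.ts
            total += avg_browse_sec
            pages += 1
        elif e.ts - start >= page_load_threshold_sec:
            pages += 1
        # else: an element of the current page still loading; ignored
    return total, pages


# Constructed URL filtering entries for a single user.
SAMPLE = [
    UrlLogEntry(0,   "news.example/home",    "news",                      True),
    UrlLogEntry(5,   "cdn.example/app.js",   "content-delivery-networks", True),
    UrlLogEntry(12,  "news.example/site.css","news",                      False),
    UrlLogEntry(30,  "news.example/story-1", "news",                      True),
    UrlLogEntry(45,  "ads.example/banner",   "web-advertisements",        True),
    UrlLogEntry(200, "shop.example/",        "shopping",                  True),
    UrlLogEntry(500, "shop.example/cart",    "shopping",                  True),
]

if __name__ == "__main__":
    # Defaults (60 s / 20 s) versus the 2-minute setting used in the text.
    print(browse_time(SAMPLE))
    print(browse_time(SAMPLE, avg_browse_sec=120))
```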


- Stop Traffic when LogDb full (Firewall only; disabled by default): Select this option if you want traffic through the firewall to stop when the log database is full.
- Enable Threat Vault Access (Enabled by default): Enables the firewall to access the Threat Vault to gather the latest information about detected threats. This information is available for threat logs and for top threat activity charted on the ACC.
- Enable Log on High DP Load (Firewall only; disabled by default): Select this option to specify that a system log entry is generated when the packet processing load on the firewall is at 100% CPU utilization.
  A high CPU load can cause operational degradation because the CPU does not have enough cycles to process all packets. The system log alerts you to this issue (a log entry is generated each minute) and allows you to investigate the probable cause.
- Enable High Speed Log Forwarding (PA-5200 Series and PA-7000 Series firewalls only; disabled by default): Palo Alto Networks recommends selecting this option if you want to forward logs to Panorama at up to a maximum rate of 120,000 logs/second. When disabled, the firewall forwards logs to Panorama at a maximum rate of only 80,000 logs/second. If you enable this option, the firewall does not store logs locally or display them in the Dashboard, ACC, or Monitor tabs. Additionally, you must configure log forwarding to Panorama to use this option.

(Panorama only)
- Buffered Log Forwarding from Device (Enabled by default): Allows the firewall to buffer log entries on its hard disk (local storage) when it loses connectivity to Panorama. When the connection to Panorama is restored, the log entries are forwarded to Panorama; the disk space available for buffering depends on the log storage quota for the firewall model and the volume of logs that are pending rollover. If the available space is consumed, the oldest entries are deleted to allow logging of new events.
- Get Only New Logs on Convert to Primary (Disabled by default): This option applies only to a Panorama virtual appliance in Legacy mode that writes logs to a Network File System (NFS). With NFS logging, only the primary Panorama is mounted to the NFS. Therefore, the firewalls send logs to the active primary Panorama only. This option enables you to configure firewalls to only send newly generated logs to Panorama when an HA failover occurs and the secondary Panorama resumes logging to the NFS (after it is promoted as primary). This behavior is typically enabled to prevent the firewalls from sending a large volume of buffered logs when connectivity to Panorama is restored after a significant period of time.
- Only Active Primary Logs to Local Disk (Disabled by default): This option applies only to a Panorama virtual appliance in Legacy mode. This option enables you to configure only the active Panorama to save logs to the local disk.


Pre-Defined Reports (Enabled by default): Predefined reports for application, traffic, threat, and URL Filtering are available on the firewall and on Panorama.
Because the firewalls consume memory resources in generating the results hourly (and forwarding it to Panorama where it is aggregated and compiled for viewing), to reduce memory usage you can disable the reports that are not relevant to you; to disable a report, clear this option for the report. Click Select All or Deselect All to entirely enable or disable the generation of predefined reports.
Before disabling a report, verify that there isn't a Group Report or a PDF Report using it. If you disable a predefined report assigned to a set of reports, the entire set of reports will have no data.

Banners and Messages

To view all messages in a Message of the Day dialog, see Message of the Day.
After you configure the Message of the Day and click OK, administrators who subsequently log in and active administrators who refresh their browsers will see the new or updated message immediately; a commit is not required. This enables you to warn other administrators of an impending commit before you perform that commit.

Message of the Day (checkbox): Select this option to enable the Message of the Day dialog to display upon login to the web interface.

Message of the Day (text entry field): Enter the text (up to 3,200 characters) for the Message of the Day dialog.

Allow Do Not Display Again: Select this option to include a Do not show again option in the Message of the Day dialog (disabled by default). This gives administrators the option to avoid seeing the same message in subsequent logins.
If you modify the Message of the Day text, the message displays even to administrators who selected Do not show again. Administrators must reselect this option to avoid seeing the same message in subsequent sessions.

Title: Enter text for the Message of the Day header (default is Message of the Day).

Background Color: Select a background color for the Message of the Day dialog. The default (None) is a light gray background.

Icon: Select a predefined icon to appear above the text in the Message of the Day dialog:
- None (default)
- Error
- Help
- Information
- Warning

Header Banner: Enter the text that the header banner displays (up to 3,200 characters).

Header Color: Select a color for the header background. The default (None) is a transparent background.

Header Text Color: Select a color for the header text. The default (None) is black.


Same banner for header and footer: Select this option (enabled by default) if you want the footer banner to have the same text and colors as the header banner. When enabled, the fields for the footer banner text and colors are grayed out.

Footer Banner: Enter the text that the footer banner displays (up to 3,200 characters).

Footer Color: Select a color for the footer background. The default (None) is a transparent background.

Footer Text Color: Select a color for the footer text. The default (None) is black.

Minimum Password Complexity

Enabled: Enable minimum password requirements for local accounts. With this feature, you can ensure that local administrator accounts on the firewall will adhere to a defined set of password requirements.
You can also create a password profile with a subset of these options that will override these settings and can be applied to specific accounts. For more information, see Device > Password Profiles and see Username and Password Requirements for information on valid characters that can be used for accounts.
The maximum password length is 31 characters. Avoid setting requirements that PAN-OS does not accept. For example, do not set a requirement of 10 uppercase, 10 lowercase, 10 numbers, and 10 special characters because that would exceed the maximum length of 31 characters.
If you have high availability (HA) configured, always use the primary peer when configuring password complexity options and commit soon after making changes.
Minimum password complexity settings do not apply to local database accounts for which you specified a Password Hash (see Device > Local User Database > Users).

Minimum Length: Require minimum length from 1 to 15 characters.

Minimum Uppercase Letters: Require a minimum number of uppercase letters from 0 to 15 characters.

Minimum Lowercase Letters: Require a minimum number of lowercase letters from 0 to 15 characters.

Minimum Numeric Letters: Require a minimum number of numeric letters from 0 to 15 numbers.

Minimum Special Characters: Require a minimum number of special characters (non-alphanumeric) from 0 to 15 characters.

Block Repeated Characters: Specify the number of sequential duplicate characters permitted in a password (range is 2 to 15).
If you set the value to 2, the password can contain the same character in sequence twice, but if the same character is used three or more times in sequence, the password is not permitted.
For example, if the value is set to 2, the system will accept the password test11 or 11test11, but not test111, because the number 1 appears three times in sequence.


Block Username Inclusion (including reversed): Select this option to prevent the account username (or reversed version of the name) from being used in the password.

New Password Differs By Characters: When administrators change their passwords, the characters must differ by the specified value.

Require Password Change on First Login: Select this option to prompt the administrators to change their passwords the first time they log in to the firewall.

Prevent Password Reuse Limit: Require that a previous password is not reused based on the specified count. For example, if the value is set to 4, you could not reuse any of your last 4 passwords (range is 0 to 50).

Block Password Change Period (days): Users cannot change their passwords until the specified number of days has been reached (range is 0 to 365 days).

Required Password Change Period (days): Require that administrators change their password on a regular basis specified by the number of days set, ranging from 0 to 365 days. For example, if the value is set to 90, administrators will be prompted to change their password every 90 days.
You can also set an expiration warning from 0 to 30 days and specify a grace period.

Expiration Warning Period (days): If a required password change period is set, this setting can be used to prompt the user to change their password at each login as the forced password change date approaches (range is 0 to 30 days).

Allowed expired admin login (count): Allow the administrator to log in the specified number of times after the account has expired. For example, if the value is set to 3 and their account has expired, they can log in 3 more times before their account is locked out (range is 0 to 3 logins).

Post Expiration Grace Period (days): Allow the administrator to log in the specified number of days after the account has expired (range is 0 to 30 days).
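The composition rules of the Minimum Password Complexity section (length, character-class minimums, repeated characters, username inclusion, differs-by, reuse limit) can be checked offline before a policy is committed. The following is an added example, not Palo Alto Networks code or PAN-OS's own validator: a checker that applies those rules, including the 31-character maximum, and flags a policy whose class minimums no 31-character password could satisfy. The username-inclusion test is case-insensitive, which is this example's choice; policy values, usernames and passwords are constructed sample data.

```python
"""Added example (not Palo Alto Networks code): a checker for the Minimum
Password Complexity rules listed in the reference text."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

MAX_PASSWORD_LENGTH = 31  # maximum stated in the text


@dataclass
class PasswordPolicy:
    minimum_length: int = 8
    minimum_uppercase: int = 0
    minimum_lowercase: int = 0
    minimum_numeric: int = 0
    minimum_special: int = 0
    block_repeated_characters: Optional[int] = None  # None disables the rule
    block_username_inclusion: bool = False
    new_password_differs_by: int = 0
    prevent_reuse_limit: int = 0

    def contradictions(self) -> List[str]:
        """Flag a policy no 31-character password can satisfy (the 10/10/10/10
        example from the text)."""
        required = (self.minimum_uppercase + self.minimum_lowercase
                    + self.minimum_numeric + self.minimum_special)
        problems = []
        if required > MAX_PASSWORD_LENGTH:
            problems.append(f"character class minimums total {required}, above "
                            f"the {MAX_PASSWORD_LENGTH}-character maximum")
        if self.minimum_length > MAX_PASSWORD_LENGTH:
            problems.append("minimum length exceeds the maximum password length")
        return problems


def longest_run(s: str) -> int:
    """Length of the longest sequence of one character repeated back to back."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def differing_characters(old: str, new: str) -> int:
    """Characters that differ position by position, plus any length difference."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(policy: PasswordPolicy, username: str, password: str,
                   old_passwords: Sequence[str] = ()) -> List[str]:
    """Return the rules the password violates (empty list = accepted).
    old_passwords is newest first, so old_passwords[0] is the current one."""
    violations = []
    if len(password) > MAX_PASSWORD_LENGTH:
        violations.append("exceeds maximum length of 31")
    if len(password) < policy.minimum_length:
        violations.append("minimum length")
    if sum(c.isupper() for c in password) < policy.minimum_uppercase:
        violations.append("minimum uppercase letters")
    if sum(c.islower() for c in password) < policy.minimum_lowercase:
        violations.append("minimum lowercase letters")
    if sum(c.isdigit() for c in password) < policy.minimum_numeric:
        violations.append("minimum numeric letters")
    if sum(not c.isalnum() for c in password) < policy.minimum_special:
        violations.append("minimum special characters")
    if (policy.block_repeated_characters is not None
            and longest_run(password) > policy.block_repeated_characters):
        violations.append("block repeated characters")
    if policy.block_username_inclusion:
        # Case-insensitive comparison is this example's assumption.
        lowered, user = password.lower(), username.lower()
        if user in lowered or user[::-1] in lowered:
            violations.append("block username inclusion (including reversed)")
    if old_passwords:
        if differing_characters(old_passwords[0], password) < policy.new_password_differs_by:
            violations.append("new password differs by characters")
        if password in old_passwords[:policy.prevent_reuse_limit]:
            violations.append("prevent password reuse limit")
    return violations


# Constructed sample policy resembling a typical hardened admin profile.
SAMPLE_POLICY = PasswordPolicy(minimum_length=8, minimum_uppercase=1,
                               minimum_lowercase=1, minimum_numeric=1,
                               minimum_special=1, block_repeated_characters=2,
                               block_username_inclusion=True,
                               new_password_differs_by=3, prevent_reuse_limit=4)

if __name__ == "__main__":
    print(check_password(SAMPLE_POLICY, "admin", "test11"))
```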

AutoFocus

Enabled: Enable the firewall to connect to an AutoFocus portal to retrieve threat intelligence data and to enable integrated searches between the firewall and AutoFocus.
When connected to AutoFocus, the firewall displays AutoFocus data associated with Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering log entries (Monitor > Logs). You can click on an artifact in these types of log entries (such as an IP address or a URL) to display a summary of the AutoFocus findings and statistics for that artifact. You can then open an expanded AutoFocus search for the artifact directly from the firewall.
Check that your AutoFocus license is active on the firewall: select Device > Licenses. If the AutoFocus license is not displayed, use one of the License Management options to activate the license.

AutoFocus URL: Enter the AutoFocus URL:
https://autofocus.paloaltonetworks.com:10443

Query Timeout (sec): Set the duration of time for the firewall to attempt to query AutoFocus for threat intelligence data. If the AutoFocus portal does not respond before the end of the specified period, the firewall will close the connection.


Device > Setup > Operations

You can perform the following tasks to manage the running and candidate configurations of the firewall and Panorama. If you're using a Panorama virtual appliance, you can also use the settings on this page to configure Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode.

You must Commit Changes you make in the candidate configuration to activate those changes, at which point they become part of the running configuration. As a best practice, periodically Save Candidate Configurations.
You can use Secure Copy (SCP) commands from the CLI to export configuration files, logs, reports, and other files to an SCP server and import the files to another firewall or Panorama. However, because the log database is too large for an export or import to be practical on the following models, they do not support exporting or importing the entire log database: PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).

Function Description

Configuration Management

Revert to last saved config: Restores the default snapshot (.snapshot.xml) of the candidate configuration (the snapshot that you create or overwrite when you select Config > Save Changes at the top right of the web interface).

Revert to running config: Restores the current running configuration. This operation undoes all the changes that all administrators made to the candidate configuration since the last commit. To revert only the changes of specific administrators, see Revert Changes.

Save named configuration snapshot: Creates a candidate configuration snapshot that does not overwrite the default snapshot (.snapshot.xml). Enter a Name for the snapshot or select an existing named snapshot to overwrite.

Save candidate config: Creates or overwrites the default snapshot of the candidate configuration (.snapshot.xml) with the current candidate configuration. This is the same action as when you select Config > Save Changes at the top right of the web interface. To save only the changes of specific administrators, see Save Candidate Configurations.

Load named configuration snapshot (firewall) or Load named Panorama configuration snapshot: Overwrites the current candidate configuration with one of the following:
- Custom named candidate configuration snapshot (instead of the default snapshot).
- Custom named running configuration that you imported.
- Current running configuration.
The configuration must reside on the firewall or Panorama onto which you are loading it.
Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. If you are loading an imported configuration, you must enter the master key of the firewall or Panorama from which you imported. After the load operation finishes, the master key of the firewall or Panorama onto which you loaded the configuration re-encrypts the passwords and private keys.


Load configuration version (firewall) or Load Panorama configuration version: Overwrites the current candidate configuration with a previous version of the running configuration that is stored on the firewall or Panorama.
Select the Name of the configuration and enter the Decryption Key, which is the master key of the firewall or Panorama (see Device > Master Key and Diagnostics). The master key is required to decrypt all the passwords and private keys within the configuration. After the load operation finishes, the master key re-encrypts the passwords and private keys.

Export named configuration snapshot: Exports the current running configuration, a candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the specified name. You can save the snapshot in any network location.

Export configuration version: Exports a Version of the running configuration as an XML file.

Export Panorama and devices config bundle (Panorama only): Generates and exports the latest versions of the running configuration backup of Panorama and of each managed firewall. To automate the process of creating and exporting the configuration bundle daily to an SCP or FTP server, see Panorama > Device Deployment.

Export or push device config bundle (Panorama only): Prompts you to select a firewall and perform one of the following actions on the firewall configuration stored on Panorama:
- Push & Commit the configuration to the firewall. This action cleans the firewall (removes any local configuration from it) and pushes the firewall configuration stored on Panorama. After you import a firewall configuration, use this option to clean that firewall so you can manage it using Panorama.
- Export the configuration to the firewall without loading it. To load the configuration, you must access the firewall CLI and run the configuration mode command load device-state. This command cleans the firewall in the same way as the Push & Commit option.
These options are available only for firewalls running PAN-OS 6.0.4 and later releases.

Export device state (firewall only): Exports the firewall state information as a bundle. In addition to the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of satellites that the portal manages, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.
Important: You must manually run the firewall state export or create a scheduled XML API script to export the file to a remote server. This should be done on a regular basis because satellite certificates often change.
To create the firewall state file from the CLI, from configuration mode run save device state. The file will be named device_state_cfg.tgz and is stored in /opt/pancfg/mgmt/devicestate. The operational command to export the firewall state file is scp export device-state (you can also use tftp export device-state).
For information on using the XML API, refer to the PAN-OS and Panorama XML API Usage Guide.


Import named config snapshot: Imports a running or candidate configuration from any network location. Click Browse and select the configuration file to be imported.

Import device state (firewall only): Imports the state information bundle that you exported from a firewall using the Export device state option. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.


Import Device Configuration to Panorama (Panorama only): Imports a firewall configuration into Panorama. Panorama automatically creates a template to contain the network and device configurations. For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain the policy and object configurations. The device groups will be one level below the Shared location in the hierarchy, though you can reassign them to a different parent device group after finishing the import (see Panorama > VMware NSX).
The content versions on Panorama (for example, Applications and Threats database) must be the same as or higher than the versions on the firewall from which you will import a configuration.
Configure the following import options:
- Device: Select the firewall from which Panorama will import the configurations. The drop-down includes only firewalls that are connected to Panorama and are not assigned to any device group or template. You can select only an entire firewall, not an individual vsys.
- Template Name: Enter a name for the template that will contain the imported device and network settings. For a multi-vsys firewall, the field is blank. For other firewalls, the default value is the firewall name. You cannot use the name of an existing template.
- Device Group Name Prefix (multi-vsys firewalls only): Optionally, add a character string as a prefix for each device group name.
- Device Group Name: For a multi-vsys firewall, each device group has a vsys name by default. For other firewalls, the default value is the firewall name. You can edit the default names but cannot use the name of an existing device group.
- Import devices' shared objects into Panorama's shared context: This option is selected by default, which means Panorama imports objects that belong to Shared in the firewall to Shared in Panorama.
  Panorama regards all objects as shared on a firewall without multiple virtual systems. If you clear this option, Panorama copies shared firewall objects into device groups instead of Shared. This setting has the following exceptions:
  - If a shared firewall object has the same name and value as an existing shared Panorama object, the import excludes that firewall object.
  - If the name or value of the shared firewall object differs from the shared Panorama object, Panorama imports the firewall object into each device group.
  - If a configuration imported into a template references a shared firewall object, Panorama imports that object into Shared regardless of whether you select this option.
  - If a shared firewall object references a configuration imported into a template, Panorama imports the object into a device group regardless of whether you select this option.
- Rule Import Location: Select whether Panorama will import policies as pre-rules or post-rules. Regardless of your selection, Panorama imports default security rules (intrazone-default and interzone-default) into the post-rulebase.
  If Panorama has a rule with the same name as a firewall rule that you import, Panorama displays both rules. However, rule names must be unique: delete one of the rules before performing a commit on Panorama or else the commit will fail.


Device Operations

Reboot: To restart the firewall or Panorama, click Reboot Device. The firewall or Panorama logs you out, reloads the software (PAN-OS or Panorama) and active configuration, closes and logs existing sessions, and creates a System log entry that shows the name of the administrator who initiated the shutdown. Any configuration changes that were not saved or committed are lost (see Device > Setup > Operations).
If the web interface is not available, use the operational CLI command:
request restart system

Shutdown: To perform a graceful shutdown of the firewall or Panorama, click Shutdown Device or Shutdown Panorama and then click Yes on the confirmation prompt. Any configuration changes that have not been saved or committed are lost. All administrators will be logged off and the following processes will occur:
- All login sessions will be logged off.
- Interfaces will be disabled.
- All system processes will be stopped.
- Existing sessions will be closed and logged.
- System Logs will be created that will show the administrator name who initiated the shutdown. If this log entry cannot be written, a warning will appear and the system will not shut down.
- Disk drives will be cleanly unmounted and the firewall or Panorama will be powered off.
You need to unplug the power source and plug it back in before you can power on the firewall or Panorama.
If the web interface is not available, use the following CLI command:
request shutdown system

Restart Data Plane: To restart the data functions of the firewall without rebooting, click Restart Dataplane. This option is not available on Panorama or on PA-200, PA-220, PA-800 Series, or VM-Series firewalls.
If the web interface is not available, use the following CLI command:
request restart dataplane


Miscellaneous

Custom Logos: Use this option to customize any of the following:
- Login screen background image
- Main UI (User Interface) header image
- PDF report title page image. Refer to Monitor > PDF Reports > Manage PDF Summary.
- PDF report footer image
Click the upload icon to upload an image file, the preview icon to preview, or the remove icon to remove a previously uploaded image.
Supported file types are png, gif, and jpg.
Image files that contain an alpha channel are not supported and when used in PDF reports, the reports will not be generated properly. You may need to contact the illustrator who created the image to remove alpha channels in the image or make sure the graphics software you are using does not save files with the alpha channel feature.
To return to the default logo, remove your entry and commit.
The maximum image size for any logo image is 128 KB.
For the login screen and main user interface options, when you click the preview icon, the image is shown as it will be displayed. If necessary, the image is cropped to fit. For the PDF reports, the images are auto-resized to fit without cropping. In all cases, the preview shows the recommended image dimensions.
For information on generating PDF reports, see Monitor > PDF Reports > Manage PDF Summary.

SNMP Setup: Enable SNMP Monitoring.

Storage Partition Setup (Panorama only): Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode.

AWS CloudWatch Setup

Enable CloudWatch Monitoring: Select this option to enable the VM-Series firewall in AWS to connect to AWS CloudWatch (disabled by default). When enabled, the firewall publishes custom PAN-OS metrics on health status and utilization to CloudWatch. You can then monitor the metric of your choice in CloudWatch or create auto scaling policies to trigger alarms and take an action when the monitored metric reaches a specified threshold value.
This option is available only for the VM-Series firewall on AWS deployed using an IAM role with the correct permissions.
When you disable this option, the firewall does not publish metrics to CloudWatch or trigger any CloudWatch alarms or auto scaling group actions you defined.

CloudWatch Namespace: Enter a name to aggregate metrics published by all the firewalls that use this namespace. For example, create a namespace for all firewalls that secure an internet-facing application. Firewalls in the same namespace can belong to an auto scaling group across multiple Availability Zones within an AWS region.
The name must be a string with 1 to 255 characters and cannot begin with AWS/ (reserved for AWS services).


Update Interval (min): The frequency (in minutes) at which the firewall publishes metrics to CloudWatch (range is 1 to 60; default is 5). For details on the metrics, refer to the VM-Series Deployment Guide.

Enable SNMP Monitoring

Device > Setup > Operations
Simple Network Management Protocol (SNMP) is a standard protocol for monitoring the devices on your network. Select Operations to configure the firewall to use the SNMP version that your SNMP manager supports (SNMPv2c or SNMPv3). For a list of the MIBs that you must load into the SNMP manager so it can interpret the statistics it collects from the firewall, see Supported MIBs. To configure the server profile that enables the firewall to communicate with the SNMP trap destinations on your network, see Device > Server Profiles > SNMP Trap. The SNMP MIBs define all SNMP traps that the firewall generates. An SNMP trap identifies an event with a unique Object ID (OID) and the individual fields are defined as a variable binding (varbind) list. Click SNMP Setup and specify the following settings to allow SNMP GET requests from your SNMP manager:

Field Description

Physical Location: Specify the physical location of the firewall. When a log or trap is generated, this information allows you to identify (in an SNMP manager) the firewall that generated the notification.

Contact: Enter the name or email address of the person responsible for maintaining the firewall. This setting is reported in the standard system information MIB.

Use Specific Trap Definitions: This option is selected by default, which means the firewall uses a unique OID for each SNMP trap based on the event type. If you clear this option, every trap will have the same OID.

Version: Select the SNMP version: V2c (default) or V3. Your selection controls the remaining fields that the dialog displays.

For SNMP V2c

SNMP Community String: Enter the community string, which identifies an SNMP community of SNMP managers and monitored devices and also serves as a password to authenticate the community members to each other when they exchange SNMP get (statistics request) and trap messages. The string can have up to 127 characters, accepts all characters, and is case-sensitive.
Don't use the default community string public. Because SNMP messages contain community strings in cleartext, consider the security requirements of your network when defining community membership (administrator access).


For SNMP V3

Name/View: You can assign a group of one or more views to the user of an SNMP manager to control which MIB objects (statistics) the user can get from the firewall. Each view is a paired OID and bitwise mask: the OID specifies a MIB and the mask (in hexadecimal format) specifies which objects are accessible within (include matching) or outside (exclude matching) that MIB.
For example, if the OID is 1.3.6.1, the matching Option is set to include and the Mask is 0xf0, then the objects that the user requests must have OIDs that match the first four nodes (f=1111) of 1.3.6.1. The objects don't need to match the remaining nodes. In this example, 1.3.6.1.2 matches the mask and 1.4.6.1.2 doesn't.
For each group of views, click Add, enter a Name for the group, and then configure the following for each view you Add to the group:
- View: Specify a name for the view. The name can have up to 31 characters that are alphanumeric, periods, underscores, or hyphens.
- OID: Specify the OID of the MIB.
- Option: Select the matching logic to apply to the MIB.
- Mask: Specify the mask in hexadecimal format.
To provide access to all management information, use the top-level OID 1.3.6.1, set the Mask to 0xf0, and set the matching Option to include.

Users SNMPuseraccountsprovideauthentication,privacy,andaccesscontrolwhen
firewallsforwardtrapsandSNMPmanagersgetfirewallstatistics.Foreachuser,click
Addandconfigurethefollowingsettings:
UsersSpecifyausernametoidentifytheSNMPuseraccount.Theusernameyou
configureonthefirewallmustmatchtheusernameconfiguredontheSNMP
manager.Theusernamecanhaveupto31characters.
ViewAssignagroupofviewstotheuser.
Auth PasswordSpecifytheauthenticationpasswordoftheuser.Thefirewall
usesthepasswordtoauthenticatetotheSNMPmanagerwhenforwardingtraps
andrespondingtostatisticsrequests.ThefirewallusesSecureHashAlgorithm
(SHA1160)toencryptthepassword.Thepasswordmustbe8256characters
andallcharactersareallowed.
Priv PasswordSpecifytheprivacypasswordoftheuser.Thefirewallusesthe
passwordandAdvancedEncryptionStandard(AES128)toencryptSNMPtraps
andresponsestostatisticsrequests.Thepasswordmustbe8256charactersand
allcharactersareallowed.

PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 391


Device>Setup>HSM Device
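The OID-plus-mask matching described for views is the VACM model from RFC 3415. As an added example (not code from this guide or from PAN-OS), the following implements that matching and applies a group of views the way a manager's request would be evaluated: the view with the most specific subtree root wins, and its Option decides. The sample group, the rule that mask bits beyond the mask's length count as 1, and the tie-break on the mask are assumptions taken from RFC 3415 rather than statements from this guide; they reproduce the guide's own 1.3.6.1 / 0xf0 example.

```python
"""SNMPv3 view matching: OID family + hex mask, include/exclude, most-specific view wins."""
from dataclasses import dataclass


@dataclass(frozen=True)
class View:
    name: str
    oid: str      # subtree root, e.g. "1.3.6.1"
    option: str   # "include" or "exclude"
    mask: str     # hex, e.g. "0xf0"; one bit per OID node, 1 = must match, 0 = wildcard


def parse_oid(dotted):
    return tuple(int(a) for a in dotted.strip(".").split("."))


def mask_bits(mask_hex, node_count):
    """Expand the hex mask to one bit per node of the subtree root. Bits beyond the
    mask's length count as 1 (RFC 3415 semantics; assumed to hold for the firewall)."""
    digits = mask_hex.lower()
    digits = digits[2:] if digits.startswith("0x") else digits
    bits = []
    for d in digits:
        nibble = int(d, 16)
        bits.extend((nibble >> shift) & 1 for shift in (3, 2, 1, 0))
    bits = bits[:node_count]
    bits.extend([1] * (node_count - len(bits)))
    return tuple(bits)


def in_family(view, requested_oid):
    """True if requested_oid lies in the view's subtree once the mask is applied."""
    root, req = parse_oid(view.oid), parse_oid(requested_oid)
    if len(req) < len(root):
        return False
    bits = mask_bits(view.mask, len(root))
    return all(bit == 0 or r == q for bit, r, q in zip(bits, root, req))


def _specificity(view):
    root_len = len(parse_oid(view.oid))
    return root_len, mask_bits(view.mask, root_len)


def is_accessible(views, requested_oid):
    """Apply a group of views: among matching views the longest root (then the
    greatest mask) decides, and its option must be include. No match means denied."""
    matching = [v for v in views if in_family(v, requested_oid)]
    if not matching:
        return False
    return max(matching, key=_specificity).option == "include"


# Constructed sample group: everything under 1.3.6.1 (the guide's example) minus the
# USM MIB (1.3.6.1.6.3.15), so a read-only monitoring user cannot walk SNMP user tables.
MONITORING_VIEWS = (
    View("internet", "1.3.6.1", "include", "0xf0"),
    View("hide-usm", "1.3.6.1.6.3.15", "exclude", "0xfe"),
)
```

A group that only contains the broad include view is the "access to all management information" case the guide describes; adding a narrower exclude view is how you carve the user-management MIB out of a monitoring account without enumerating every subtree you do want to expose.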

Device > Setup > HSM

Select Device > Setup > HSM to configure a Hardware Security Module (HSM) and to view HSM status.

What are you looking for? / See:

What is the purpose of a Hardware Security Module (HSM) and where can I find detailed configuration
procedures? See Secure Keys with a Hardware Security Module.

Configure: see Hardware Security Module Provider Settings and HSM Authentication.

How do I view HSM status? See Hardware Security Module Provider Configuration and Status and Hardware
Security Module Status.

Hardware Security Module Provider Settings

To configure a Hardware Security Module (HSM) on the firewall, edit the Hardware Security Module
Provider settings:

Hardware Security Module Provider Settings / Description

Provider Configured: Select the HSM vendor:
- None: No other configuration required.
- SafeNet Network HSM
- Thales nShield Connect

Module Name: Specify a module name for the HSM. This can be any ASCII string up to 31 characters long.
Create multiple module names if you are configuring a high availability HSM configuration.

Server Address: Specify an IPv4 address for any HSM modules you are configuring.

High Availability (SafeNet Network only): Select this option if you are configuring the HSM modules in a
high availability configuration. The module name and server address of each HSM module must be
configured.

Auto Recovery Retry (SafeNet Network only): Specify the number of times that the firewall will try to
recover its connection to an HSM before failing over to another HSM in an HSM high availability
configuration (range is 0 to 500).

High Availability Group Name (SafeNet Network only): Specify a group name to be used for the HSM high
availability group. This name is used internally by the firewall. It can be any ASCII string up to 31
characters long.

Remote Filesystem Address (Thales nShield Connect only): Configure the IPv4 address of the remote
filesystem used in the Thales nShield Connect HSM configuration.

HSM Authentication

Select Setup Hardware Security Module and configure the following settings to authenticate the firewall to
the HSM.

HSM Module Authentication

Server Name: Select an HSM server name from the drop-down.

Administrator Password: Enter the administrator password of the HSM to authenticate the firewall to the
HSM.

Hardware Security Module Provider Configuration and Status

The Hardware Security Module Provider section shows the HSM configuration settings and the connectivity
status of the HSM.

Hardware Security Module Provider Status

Provider Configured: Select the HSM vendor configured on the firewall:
- None
- SafeNet Network HSM
- Thales nShield Connect

High Availability (SafeNet Network only): HSM high availability is configured if checked.

High Availability Group Name (SafeNet Network only): The group name configured on the firewall for HSM
high availability.

Firewall Source Address: The address of the port used for the HSM service. By default this is the
management port address. It can be set to a different port, however, through the Service Route
Configuration in Device > Setup > Services.

Master Key Secured by HSM: If checked, the master key is secured on the HSM.

Status: Shows green if the firewall is connected and authenticated to the HSM and shows red if the firewall
is not authenticated or if network connectivity to the HSM is down.
You can also view Hardware Security Module Status for more details on the HSM connection.

Hardware Security Module Status

The Hardware Security Module Status section provides the following information about HSMs that have
been successfully authenticated. The display is different depending on the HSM provider configured
(SafeNet or Thales).

Hardware Security Module Status

SafeNet Luna SA:
- Serial Number: The serial number of the HSM partition is displayed if the HSM partition was
  successfully authenticated.
- Partition: The partition name on the HSM that was assigned on the firewall.
- Module State: The current operating state of the HSM connection. This field shows Authenticated if
  the HSM is displayed in this table.

Thales nShield Connect:
- Name: The server name of the HSM.
- IP address: The IP address of the HSM that was assigned on the firewall.
- Module State: The current operating state of the HSM connection. This setting shows Authenticated if
  the firewall successfully authenticated to the HSM and shows Not Authenticated if authentication
  failed.

Device > Setup > Services

On a firewall where multiple virtual systems are enabled, select Services to display the Global and Virtual
Systems tabs where you set services that the firewall or its virtual systems, respectively, use to operate
efficiently. (If the firewall is a single virtual system or if multiple virtual systems are disabled, there
are not two tabs, but just a Services menu.)
Select Global to set services for the whole firewall. These settings are also used as the default values for
virtual systems that do not have a customized setting for a service.
Edit Services to define the destination IP addresses of DNS servers, the Update Server, and the Proxy
Server. Use the dedicated NTP tab to configure Network Time Protocol settings. See Table 12 for field
descriptions of the available Services options.
In Service Features, click Service Route Configuration to specify how the firewall will communicate with
other servers/devices for services such as DNS, email, LDAP, RADIUS, syslog, and many more. There are
two ways to configure global service routes:
- The Use Management Interface for all option forces all firewall service communications with external
  servers through the management interface (MGT). If you select this option, you must configure the MGT
  interface to allow communications between the firewall and the servers/devices that provide services.
  To configure the MGT interface, select Device > Setup > Management and edit the settings.
- The Customize option gives you granular control over service communication by configuring a specific
  source interface and IP address for the service; the server uses them as the destination interface and
  destination IP address in its response. (For example, you could configure a specific source
  IP/interface for all email communication between the firewall and an email server, and use a different
  source IP/interface for Palo Alto Networks Services.) Select the one or more services you want to
  customize to have the same settings and click Set Selected Service Routes. The services are listed in
  Table 13, which indicates whether a service can be configured for the Global firewall or Virtual
  Systems, and whether the service supports an IPv4 and/or IPv6 source address.
The Destination tab is another Global service route feature that you can customize. This tab appears in the
Service Route Configuration window and is described in Destination Service Route.
Use the Virtual Systems tab to specify service routes for a single virtual system. Select a Location (virtual
system) and click Service Route Configuration. Select Inherit Global Service Route Configuration or
Customize service routes for a virtual system. If you choose to customize settings, select IPv4 or IPv6.
Select the one or more services you want to customize to have the same settings and click Set Selected
Service Routes. See Table 13 for services that can be customized.
To control and redirect DNS queries between shared and specific virtual systems, you can use a DNS proxy
and a DNS Server profile.

Configure the global services settings as described in the following table.

Global Services Settings / Description

Services

DNS: Choose the type of DNS service: Server or DNS Proxy Object. This setting is used for all DNS queries
that the firewall initiates in support of FQDN address objects, logging, and firewall management. Options
include:
- Primary and secondary DNS servers to provide domain name resolution.
- A DNS proxy that has been configured on the firewall, as an alternative to configuring DNS servers.

Primary DNS Server: Enter the IP address of the primary DNS server. The server is used for DNS queries
from the firewall, for example, to find the update server, to resolve DNS entries in logs, or for
FQDN-based address objects.

Secondary DNS Server: Enter the IP address of a secondary DNS server to use if the primary server is
unavailable (optional).

Update Server: This setting represents the IP address or host name of the server used to download updates
from Palo Alto Networks. The current value is updates.paloaltonetworks.com. Do not change the server
name unless instructed by technical support.

Verify Update Server Identity: If this option is enabled, the firewall or Panorama will verify that the
server from which the software or content package is downloaded has an SSL certificate signed by a
trusted authority. This option adds an additional level of security for the communication between the
firewall/Panorama server and the update server.

Proxy Server section

Server: If the firewall needs to use a proxy server to reach Palo Alto Networks update services, enter the
IP address or host name of the server.

Port: Enter the port for the proxy server.

User: Enter the username to access the server.

Password/Confirm Password: Enter and confirm the password for the user to access the proxy server.

NTP

NTP Server Address: Enter the IP address or host name of an NTP server that you want to use to
synchronize the firewall's clock. Optionally enter the IP address or host name of a second NTP server to
synchronize the firewall's clock with if the primary server becomes unavailable.

Authentication Type: You can enable the firewall to authenticate time updates from an NTP server. For each
NTP server, select the type of authentication for the firewall to use:
- None (Default): Select this option to disable NTP authentication.
- Symmetric Key: Select this option for the firewall to use symmetric key exchange (shared secrets) to
  authenticate the NTP server's time updates. If you select Symmetric Key, continue by entering the
  following fields:
  - Key ID: Enter the Key ID (1 to 65534).
  - Algorithm: Select the Algorithm to use in NTP authentication (MD5 or SHA1).
  - Authentication Key/Confirm Authentication Key: Enter and confirm the authentication algorithm's
    authentication key.
- Autokey: Select this option for the firewall to use autokey (public key cryptography) to authenticate
  the NTP server's time updates.
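What Symmetric Key with Key ID and Algorithm actually puts on the wire is the NTP message authenticator from RFC 5905: the 4-byte key ID followed by a digest over the shared key concatenated with the packet. The following is an added example (not code from this guide or from PAN-OS) that builds a client packet, appends that MAC, and verifies it against a table of configured keys, rejecting unauthenticated, tampered, wrongly keyed and unknown-key-ID messages. The key material, key ID and the assumption that no extension fields precede the MAC are constructed for the example.

```python
"""NTP symmetric-key authentication: MAC = key_id || H(key || packet), per RFC 5905."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
DIGEST_LEN = {"md5": 16, "sha1": 20}


def build_client_packet(transmit_ts=0):
    """48-byte NTPv4 client header: LI=0, VN=4, Mode=3 gives first byte 0x23; only the
    transmit timestamp is populated (constructed sample, no real clock involved)."""
    return struct.pack("!BBBbIII4Q", 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)


def append_mac(packet, key_id, key, algo="sha1"):
    """Append key ID and the digest over key || packet. This is the legacy NTP
    construction, not an HMAC. Assumes no extension fields precede the MAC."""
    digest = hashlib.new(algo, key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message, keys):
    """keys maps key_id -> (algo, key bytes). True only when a MAC is present, the key
    ID is configured, the digest length fits the algorithm and the digest matches."""
    if len(message) < NTP_HEADER_LEN + 4 + min(DIGEST_LEN.values()):
        return False                                   # unauthenticated or truncated
    packet, trailer = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    received = trailer[4:]
    if key_id not in keys:
        return False
    algo, key = keys[key_id]
    if len(received) != DIGEST_LEN[algo]:
        return False
    expected = hashlib.new(algo, key + packet).digest()
    return hmac.compare_digest(expected, received)     # constant-time comparison


# Constructed trust store: key ID 7 as it would be configured on the firewall and server.
SERVER_KEYS = {7: ("sha1", b"example-shared-secret")}
```

Because the digest covers the whole header, a forged or altered time update fails verification, which is the property that keeps an attacker on the path from skewing the firewall's clock (and with it certificate validity checks and log timestamps). Of the two algorithms offered, prefer SHA1; both the key ID and the algorithm must match on the firewall and on the NTP server.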

Configure the service route settings as described in the following table.

Service Route Configuration Settings (columns: Global IPv4, Global IPv6, Virtual System IPv4, Virtual
System IPv6)

- AutoFocus: AutoFocus server.
- CRL Status: Certificate revocation list (CRL) server.
- Panorama pushed updates: Content and software updates deployed from Panorama.
- DNS: Domain Name System server. *For virtual systems, DNS is done in the DNS Server Profile.
- External Dynamic Lists: Updates for external dynamic lists.
- Email: Email server.
- HSM: Hardware security module server.
- Kerberos: Kerberos authentication server.
- LDAP: Lightweight Directory Access Protocol server.
- MDM: Mobile Device Management server.
- Multi-Factor Authentication: Multi-factor authentication (MFA) server.

- Netflow: NetFlow collector for collecting network traffic statistics.
- NTP: Network Time Protocol server.
- Palo Alto Networks Services: Updates from Palo Alto Networks and the public WildFire server. This is
  also the service route for forwarding telemetry data to Palo Alto Networks.
- Panorama: Panorama management server.
- Panorama Log Forwarding (PA-5200 Series firewalls only): Log forwarding from the firewall to Log
  Collectors.
- Proxy: Server that is acting as Proxy to the firewall.
- RADIUS: Remote Authentication Dial-in User Service server.
- SCEP: Simple Certificate Enrollment Protocol for requesting and distributing client certificates.
- SNMP Trap: Simple Network Management Protocol trap server.
- Syslog: Server for system message logging.
- TACACS+: Terminal Access Controller Access-Control System Plus (TACACS+) server for authentication,
  authorization, and accounting (AAA) services.
- UID Agent: User-ID Agent server.
- URL Updates: Uniform Resource Locator (URL) updates server.
- VM Monitor: Virtual Machine Monitor server.
- WildFire Private: Private Palo Alto Networks WildFire server.

When customizing a Global service route, on either the IPv4 or IPv6 tab, select from the list of available
services, click Set Selected Service Routes, and select the Source Interface and Source Address from the
drop-down. A Source Interface that is set to Any allows you to select a Source Address from any of the
interfaces available. The Source Address displays the IPv4 or IPv6 address assigned to the selected
interface; the selected IP address will be the source for the service traffic. You do not have to define a
destination address because the destination is configured when configuring each service. For example,
when you define your DNS servers (Device > Setup > Services), that sets the destination for DNS queries.
When configuring service routes for a Virtual System, the Inherit Global Service Route Configuration
option means that all services for the virtual system will inherit the global service route settings. Or you
can choose Customize, select IPv4 or IPv6, select a service, and click Set Selected Service Routes. The
Source Interface has the following three choices:
- Inherit Global Setting: The selected services will inherit the global settings for those services.
- Any: Allows you to select a Source Address from any of the interfaces available (interfaces in the
  specific virtual system).

- An interface from the drop-down: For the services being configured, the server's responses will be
  sent to the selected interface because that was the source interface.
For Source Address, select an address from the drop-down. For the services selected, the server's
responses will be sent to this source address.

Destination Service Route

Device > Setup > Services > Global
Returning to the Global tab, when you click Service Route Configuration and then Customize, the
Destination tab appears. Destination service routes are available under the Global tab only (not the
Virtual Systems tab), so that the service route for an individual virtual system cannot override route
table entries that are not associated with that virtual system.
A destination service route can be used to add a customized redirection of a service that is not supported
on the Customize list of services (Table 13). A destination service route is a way to set up routing to
override the forwarding information base (FIB) route table. Any settings in the Destination service routes
override the route table entries. They could be related or unrelated to any service.
The Destination tab is for the following use cases:
- When a service does not have an application service route.
- Within a single virtual system, when you want to use multiple virtual routers or a combination of
  virtual router and management port.

Destination Service Route Settings / Description

Destination: Enter the Destination IP address.

Source Interface: Select the Source Interface that will be used for packets returning from the destination.

Source Address: Select the Source Address that will be used for packets returning from the destination.
You do not need to enter the subnet for the destination address.

Device > Setup > Interfaces

Use this page to configure connection settings, allowed services, and administrative access for the
management (MGT) interface on all firewall models and for the auxiliary interfaces (AUX1 and AUX2) on
PA-5200 Series firewalls.
Palo Alto Networks recommends that you always specify the IP address and netmask (for IPv4) or prefix
length (for IPv6) and the default gateway for every interface. If you omit any of these settings for the
MGT interface (such as the default gateway), you can access the firewall only through the console port for
future configuration changes.

To configure the MGT interface on the M-100 or M-500 appliance, or the Panorama virtual appliance, see
Panorama > Setup > Interfaces.
You can use a loopback interface as an alternative to the MGT interface for firewall management (Network >
Interfaces > Loopback).

Item / Description

Type (MGT interface only): Select one:
- Static: Requires you to enter the IP Address (IPv4), Netmask (IPv4), and Default Gateway manually.
- DHCP Client: Configures the MGT interface as a DHCP client so that the firewall can send DHCP Discover
  or Request messages to find a DHCP server. The server responds by providing an IP address (IPv4),
  netmask (IPv4), and default gateway for the MGT interface. DHCP on the MGT interface is turned off by
  default for the VM-Series firewall (except for the VM-Series firewall in AWS and Azure). If you select
  DHCP Client, optionally select either or both of the following Client Options:
  - Send Hostname: Causes the MGT interface to send its hostname to the DHCP server as part of DHCP
    Option 12.
  - Send Client ID: Causes the MGT interface to send its client identifier as part of DHCP Option 61.
  If you select DHCP Client, optionally click Show DHCP Client Runtime Info to view the dynamic IP
  interface status:
  - Interface: Indicates the MGT interface.
  - IP Address: IP address of the MGT interface.
  - Netmask: Subnet mask for the IP address, which indicates which bits are network or subnetwork and
    which bits are host.
  - Gateway: Default gateway for traffic leaving the MGT interface.
  - Primary/Secondary NTP: IP address of up to two NTP servers serving the MGT interface. If the DHCP
    server returns NTP server addresses, the firewall considers them only if you did not manually
    configure NTP server addresses. If you manually configured NTP server addresses, the firewall does
    not overwrite them with those from the DHCP server.
  - Lease Time: Number of days, hours, minutes, and seconds that the DHCP IP address is assigned.
  - Expiry Time: Year/Month/Day, Hours/Minutes/Seconds, and time zone, indicating when the DHCP lease
    will expire.
  - DHCP Server: IP address of the DHCP server responding to the MGT interface DHCP client.
  - Domain: Name of the domain to which the MGT interface belongs.
  - DNS Server: IP address of up to two DNS servers serving the MGT interface. If the DHCP server
    returns DNS server addresses, the firewall considers them only if you did not manually configure DNS
    server addresses. If you manually configured DNS server addresses, the firewall does not overwrite
    them with those from the DHCP server.
  Optionally, you can Renew the DHCP lease for the IP address assigned to the MGT interface. Otherwise,
  Close the window.

Aux1/Aux2 (PA-5200 Series firewalls only): Select any of the following options to enable an auxiliary
interface. These interfaces provide 10Gbps (SFP+) throughput for:
- Firewall management traffic: You must enable the Services (protocols) that administrators will use
  when accessing the web interface and CLI to manage the firewall.
  Enable HTTPS instead of HTTP for the web interface and enable SSH instead of Telnet for the CLI.
- High availability (HA) synchronization between firewall peers: After configuring the interface, you
  must select it as the HA Control Link (Device > High Availability > General).
- Log forwarding to Panorama: You must configure a service route with the Panorama Log Forwarding
  service enabled (Device > Setup > Services).

IP Address (IPv4): If your network uses IPv4, assign an IPv4 address to the interface. Alternatively, you
can assign the IP address of a loopback interface for firewall management (see Network > Interfaces >
Loopback). By default, the IP address you enter is the source address for log forwarding.

Netmask (IPv4): If you assigned an IPv4 address to the interface, you must also enter a network mask (for
example, 255.255.255.0).

Default Gateway: If you assigned an IPv4 address to the interface, you must also assign an IPv4 address to
the default gateway (the gateway must be on the same subnet as the interface).

IPv6 Address/Prefix Length: If your network uses IPv6, assign an IPv6 address to the interface. To
indicate the netmask, enter an IPv6 prefix length (for example, 2001:400:f00::1/64).

Default IPv6 Gateway: If you assigned an IPv6 address to the interface, you must also assign an IPv6
address to the default gateway (the gateway must be on the same subnet as the interface).

Speed: Configure a data rate and duplex option for the interface. The choices include 10Mbps, 100Mbps, and
1Gbps at full or half duplex. Use the default auto-negotiate setting to have the firewall determine the
interface speed.
This setting must match the port settings on the neighboring network equipment. To ensure matching
settings, select auto-negotiate if the neighboring equipment supports that option.

MTU: Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576
to 1,500; default is 1,500).

Services: Select the services you want to enable on the interface:
- HTTP: Use this service to access the firewall web interface.
  HTTP uses plaintext, which is not as secure as HTTPS. Therefore, Palo Alto Networks recommends that
  you enable HTTPS instead of HTTP for management traffic on the interface.
- HTTP OCSP: Use this service to configure the firewall as an Online Certificate Status Protocol (OCSP)
  responder. For details, see Device > Certificate Management > OCSP Responder.
- HTTPS: Use this service for secure access to the firewall web interface.
- Telnet: Use this service to access the firewall CLI.
  Telnet uses plaintext, which is not as secure as SSH. Therefore, Palo Alto Networks recommends that
  you enable SSH instead of Telnet for management traffic on the interface.
- SSH: Use this service for secure access to the firewall CLI.
- Ping: Use this service to test connectivity with external services. For example, you can ping the
  interface to verify it can receive PAN-OS software and content updates from the Palo Alto Networks
  Update Server. In a high availability (HA) deployment, HA peers use ping to exchange heartbeat backup
  information.
- SNMP: Use this service to process firewall statistics queries from an SNMP manager. For details, see
  Enable SNMP Monitoring.
- User-ID: Use this service to Enable Redistribution of User Mappings Among Firewalls.
- User-ID Syslog Listener-SSL: Use this service to enable the PAN-OS integrated User-ID agent to collect
  syslog messages over SSL. For details, see Configure Access to Monitored Servers.
- User-ID Syslog Listener-UDP: Use this service to enable the PAN-OS integrated User-ID agent to collect
  syslog messages over UDP. For details, see Configure Access to Monitored Servers.

Permitted IP Addresses: Enter the IP addresses from which administrators can access the firewall through
the interface. An empty list (default) specifies that access is available from any IP address.
Do not leave the list blank; specify only the IP addresses of firewall administrators to prevent
unauthorized access.
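The two recommendations on this page (plaintext HTTP and Telnet off, Permitted IP Addresses never left empty) are easy to check mechanically against an exported configuration rather than by eye. The following is an added example (not code from this guide or from PAN-OS): it audits the MGT service toggles and permitted-IP list and reproduces the page's access rule that an empty list admits any source. The XML layout under deviceconfig/system, the disable-* element names and both sample configurations are assumptions constructed for this example; check them against an export from your own firewall before relying on the paths.

```python
"""Audit the MGT interface services and permitted-IP list from an exported configuration."""
import ipaddress
import xml.etree.ElementTree as ET

# Assumed layout of the exported configuration: deviceconfig/system carries the MGT
# service toggles and the permitted-ip list (path and element names are assumptions).
SYSTEM_PATH = "./devices/entry/deviceconfig/system"
PLAINTEXT_SERVICES = (("telnet", "SSH"), ("http", "HTTPS"))


def permitted_ips(system):
    node = system.find("permitted-ip")
    return [] if node is None else [e.get("name") for e in node.findall("entry")]


def audit_mgt_config(xml_text):
    """Return a list of findings; an empty list means the checks from this page pass."""
    system = ET.fromstring(xml_text.strip()).find(SYSTEM_PATH)
    if system is None:
        return ["deviceconfig/system not found in configuration"]
    findings = []
    service = system.find("service")
    for plaintext, secure in PLAINTEXT_SERVICES:
        node = None if service is None else service.find(f"disable-{plaintext}")
        if node is None or (node.text or "").strip().lower() != "yes":
            findings.append(f"{plaintext} is not explicitly disabled on MGT; use {secure} instead")
    entries = permitted_ips(system)
    if not entries:
        findings.append("permitted-ip list is empty: any source address can reach management")
    for cidr in entries:
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(f"permitted-ip entry {cidr} allows every address")
    return findings


def source_is_permitted(entries, source_ip):
    """Mirror the page's rule: an empty list permits any address, otherwise the
    source must fall inside one of the listed networks (IPv4 and IPv6 kept apart)."""
    if not entries:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in entries)


# Constructed samples: a weak MGT configuration and its hardened counterpart.
WEAK_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <service>
        <disable-telnet>no</disable-telnet>
        <disable-http>no</disable-http>
        <disable-ssh>no</disable-ssh>
        <disable-https>no</disable-https>
      </service>
      <permitted-ip/>
    </system></deviceconfig>
  </entry></devices>
</config>
"""

HARDENED_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <service>
        <disable-telnet>yes</disable-telnet>
        <disable-http>yes</disable-http>
        <disable-ssh>no</disable-ssh>
        <disable-https>no</disable-https>
      </service>
      <permitted-ip>
        <entry name="10.20.30.0/24"/>
        <entry name="2001:db8:1::/64"/>
      </permitted-ip>
    </system></deviceconfig>
  </entry></devices>
</config>
"""
```

A missing disable-* element is reported as a finding rather than assumed safe, so the audit errs toward asking you to verify the setting in the web interface. The permitted-IP list is a source-address filter only; it narrows who can reach the management services, it does not replace authentication or the HTTPS/SSH choice above.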

Device > Setup > Telemetry

Telemetry is the process of collecting and transmitting data for analysis. When you enable telemetry on
the firewall, the firewall collects and forwards data that includes information on applications, threats,
device health, and passive DNS to Palo Alto Networks. All Palo Alto Networks users benefit from the data
that each telemetry participant shares, making telemetry a community-driven approach to threat
prevention. Learn more about telemetry and its benefits.
Telemetry is an opt-in feature and, for most telemetry data, you can preview the information that the
firewall collects. Palo Alto Networks does not share your telemetry data with other customers or
third-party organizations.
Select Device > Setup > Telemetry to choose telemetry data to share with Palo Alto Networks. The Threat
Prevention Data and Threat Prevention Packet Captures reports provide Palo Alto Networks more visibility
into your network traffic than other telemetry reports.

Telemetry Settings / Description

Report Sample: Click a report sample to view an XML-formatted report in a separate tab. The data in the
report sample is based on firewall activity in the four hours since you first viewed the report sample.
The firewall provides a report sample for Application, Threat Prevention, URL, and File Type
Identification reports only.
A report can consist of multiple reports:
- Type: Describes the name of the report.
- Aggregate: Lists the log fields that the firewall collects for the report (refer to Syslog Field
  Descriptions to determine the name of the fields as they appear in the firewall logs).
- Values: Indicates the units of measure used in the report (for example, the value count for the
  Attacking Countries report refers to the number of times the firewall detected a threat event
  associated with a particular country).
A report sample does not display any entries if the firewall did not find any matching traffic for the
report. You can only generate a new report sample when you restart the firewall.

Application Reports (Disabled by default): Share the number and size of known applications grouped by
destination port, unknown applications grouped by destination port, and unknown applications grouped by
destination IP address. The firewall generates these reports from Traffic logs.
When enabled, the firewall forwards Application Reports every 4 hours.

Threat Prevention Reports (Disabled by default): Share the number of threats for each source country and
destination port, attacker information, and the correlation objects that threat events triggered when the
firewall was collecting data for these reports.
When enabled, the firewall forwards Threat Prevention Reports every 4 hours.

URL Reports (Disabled by default): Share reports generated from URL filtering logs with the following
PAN-DB URL categories: malware, phishing, dynamic DNS, proxy avoidance, questionable, parked, and unknown
(URLs that PAN-DB has not yet categorized). The firewall also sends PAN-DB statistics at the time that the
data for the URL Reports was collected. These statistics include the version of the URL filtering database
on the firewall and on the PAN-DB cloud, the number of URLs in those databases, and the number of URLs
that the firewall categorized. These statistics are based on the time that the firewall forwarded the URL
Reports.
When enabled, the firewall forwards URL Reports every 4 hours.

File Type Identification Reports (Disabled by default): Share reports about files that the firewall
allowed or blocked based on data filtering and file blocking settings.
When enabled, the firewall forwards File Type Identification Reports every 4 hours.

Threat Prevention Data (Disabled by default): Share logs from threat events that triggered signatures that
Palo Alto Networks is evaluating. The collected information may include source or victim IP addresses.
Enabling this option also allows unreleased signatures that Palo Alto Networks is currently testing to run
in the background. These signatures do not affect your security policy rules and firewall logs and have no
impact on your firewall performance.
When enabled, the firewall forwards Threat Prevention Data every 5 minutes. Click Download Threat
Prevention Data to download a tarball file (.tar.gz) with the most recent 100 folders of Threat Prevention
Data and Threat Prevention Packet Captures that the firewall forwarded to Palo Alto Networks. If you never
enabled these settings or if you enabled them but no threat events have matched the conditions for these
telemetry settings, the firewall does not generate a file and instead returns an error message.

Threat Prevention Packet Captures (Disabled by default): Share packet captures (if you enabled your
firewall to take threat packet captures) from threat events that trigger signatures that Palo Alto
Networks is evaluating. The collected information may include source or victim IP addresses.
When enabled, the firewall forwards Threat Prevention Packet Captures every 5 minutes.
To enable Threat Prevention Packet Captures, you must also enable Threat Prevention Data.

Product Usage Statistics (Disabled by default): Share backtraces of firewall processes that have failed,
as well as information about the firewall status. Backtraces outline the execution history of the failed
processes. Product Usage Statistics also include details about the firewall model and the PAN-OS and
content release versions installed on your firewall.
To view the information that the firewall sends as Product Usage Statistics, enter the following
operational CLI command:
show system info
When enabled, the firewall forwards Product Usage Statistics every 5 minutes.

Passive DNS Monitoring (Disabled by default): Allow the firewall to act as a passive DNS sensor and send
DNS information to Palo Alto Networks for analysis. The data you share through passive DNS monitoring
consists solely of domain-to-IP address mappings. The Palo Alto Networks threat research team uses this
information to improve PAN-DB URL category and DNS-based C2 signature accuracy and WildFire malware
detection. Passive DNS monitoring is a global setting that applies to all firewall traffic.
When enabled, the firewall forwards Passive DNS Monitoring data in 1MB batches.

Select All: Enable all telemetry settings.

Deselect All: Disable all telemetry settings.

Device > Setup > Content-ID

Use the Content-ID tab to define settings for URL filtering, data protection, and container pages.

Content-ID Settings / Description

URL Filtering

Dynamic URL Cache Timeout: Click Edit and enter the timeout (in hours). This value is used in dynamic URL
filtering to determine the length of time an entry remains in the cache after it is returned from the URL
filtering service. This option is applicable to URL filtering using the BrightCloud database only. For
more on URL filtering, select Objects > Security Profiles > URL Filtering.

URL Continue Timeout: Specify the interval in minutes following a user's continue action before the user
must press continue again for URLs in the same category (range is 1 to 86,400; default is 15).

URL Admin Override Timeout: Specify the interval in minutes after the user enters the admin override
password before the user must re-enter the admin override password for URLs in the same category (range
is 1 to 86,400; default is 900).

URL Admin Lockout Timeout: Specify the period of time in minutes that a user is locked out from attempting
to use the URL Admin Override password following three unsuccessful attempts (range is 1 to 86,400;
default is 1,800).

PAN-DB Server (Required for connecting to a private PAN-DB server): Specify the IPv4 address, IPv6
address, or FQDN for the private PAN-DB server(s) on your network. You can enter up to 20 entries.
The firewall connects to the public PAN-DB cloud by default. The private PAN-DB solution is for
enterprises that disallow the firewall(s) from directly accessing the PAN-DB servers in the public cloud.
The firewalls access the servers included in this PAN-DB server list for the URL database, URL updates,
and URL lookups for categorizing web pages.

URL Admin Override

Settings for URL Admin Override: For each virtual system that you want to configure for URL admin
override, click Add and specify the settings that apply when a URL filtering profile blocks a page and the
Override action is specified (for details, select Objects > Security Profiles > URL Filtering):
- Location (multi-vsys firewalls only): Select the virtual system from the drop-down.
- Password/Confirm Password: Enter the password that the user must enter to override the block page.
- SSL/TLS Service Profile: To specify a certificate and the allowed TLS protocol versions for securing
  communications when redirecting through the specified server, select an SSL/TLS Service profile. For
  details, see Device > Certificate Management > SSL/TLS Service Profile.
- Mode: Determines whether the block page is delivered transparently (it appears to originate at the
  blocked website) or redirects the user to the specified server. If you choose Redirect, enter the IP
  address for redirection.
Click Delete to remove an entry.

ContentIDSettings Description

Content-ID Settings

Allow forwarding of decrypted content
  Select this option to allow the firewall to forward decrypted content to an outside service. This allows the firewall to forward decrypted content when port mirroring or sending WildFire files for analysis.
  For a firewall with multiple virtual system (multi-vsys) capability, you enable this option individually for each virtual system. Select Device > Virtual Systems and select the virtual system on which you want to enable forwarding of decrypted content. The option is available on the Virtual System dialog.

Extended Packet Capture Length
  Set the number of packets to capture when the extended capture option is enabled in Anti-Spyware and Vulnerability Protection profiles (range is 1 to 50; default is 5).

Forward segments exceeding TCP App-ID inspection queue
  Select this option to forward segments and classify the application as unknown-tcp when the App-ID queue exceeds the 64-segment limit. Use the following global counter to view the number of segments in excess of this queue regardless of whether you enabled or disabled this option: appid_exceed_queue_limit.
  Disable this option to prevent the firewall from forwarding TCP segments and skipping App-ID inspection when the App-ID inspection queue is full.
  This option is disabled by default and you should leave it disabled for maximum security. When this option is disabled, you may notice increased latency on streams where more than 64 segments were queued awaiting App-ID processing.

Forward segments exceeding TCP content inspection queue
  Select this option to enable forwarding of TCP segments and skip content inspection when the TCP content inspection queue is full. The firewall can queue up to 64 segments while waiting for the content engine. When the firewall forwards a segment and skips content inspection due to a full content inspection queue, it increments the following global counter: ctd_exceed_queue_limit
  Disable this option to prevent the firewall from forwarding TCP segments and skipping content inspection when the content inspection queue is full. With this option disabled, the firewall drops any segments that exceed the queue limit and increments the following global counter: ctd_exceed_queue_limit_drop
  This pair of global counters applies to both TCP and UDP packets. If, after viewing the global counters, you decide to change the setting, you can modify it from within the CLI using the following CLI command: set deviceconfig setting ctd tcp-bypass-exceed-queue
  This option is enabled by default. However, Palo Alto Networks recommends that you disable this option for maximum security. Keep in mind that disabling this option could result in performance degradation and some applications may incur loss of functionality, particularly in high-volume traffic situations.


Forward datagrams exceeding UDP content inspection queue
  Select this option to enable forwarding of UDP datagrams and skip content inspection when the UDP content inspection queue is full. The firewall can queue up to 64 datagrams while waiting for a response from the content engine. When the firewall forwards a datagram and skips content inspection due to a UDP content inspection queue overflow, it increments the following global counter: ctd_exceed_queue_limit
  Disable this option to prevent the firewall from forwarding datagrams and skipping content inspection when the UDP content inspection queue is full. With this option disabled, the firewall drops any datagrams that exceed the queue limit and increments the following global counter: ctd_exceed_queue_limit_drop
  This pair of global counters applies to both TCP and UDP packets. If, after viewing the global counters, you decide to change the setting, you can modify it from within the CLI using the following command: set deviceconfig setting ctd udp-bypass-exceed-queue
  This option is enabled by default. However, Palo Alto Networks recommends that you disable this option for maximum security. Keep in mind that disabling this option could result in performance degradation and some applications may incur loss of functionality, particularly in high-volume traffic situations.

Allow HTTP Header Range Option
  Select this option to enable the HTTP Range option. The HTTP Range option allows a client to fetch only part of a file. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with an RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. This prevents the firewall from triggering the same signature again due to the lack of context into the initial session, while at the same time allowing the web browser to reassemble the file and deliver the malicious content. To prevent this, make sure this option is disabled.
  By default, the Allow HTTP header range option is enabled. However, Palo Alto Networks recommends you disable this option for maximum security. Disabling this option should not impact device performance; however, HTTP file transfer interruption recovery may be impaired. In addition, disabling this option can also impact streaming media services, such as Netflix, Microsoft Updates, and Palo Alto Networks content updates.


X-Forwarded-For Headers

Use X-Forwarded-For Header in User-ID
  Select this option to specify that User-ID reads IP addresses from the X-Forwarded-For (XFF) header in client requests for web services when the firewall is deployed between the Internet and a proxy server that would otherwise hide client IP addresses. User-ID matches the IP addresses it reads with usernames that your policies reference so that those policies can control and log access for the associated users and groups. If the header has multiple IP addresses, User-ID uses the first entry from the left.
  In some cases, the header value is a character string instead of an IP address. If the string matches a username that User-ID has mapped to an IP address, the firewall uses that username for group mapping references in policies. If no IP address mapping exists for the string, the firewall invokes the policy rules in which the source user is set to any or unknown.
  URL Filtering logs display the matched usernames in the Source User field. If User-ID cannot perform the matching or is not enabled for the zone associated with the IP address, the Source User field displays the XFF IP address with the prefix x-fwd-for.

Strip X-Forwarded-For Header
  Select this option to remove the X-Forwarded-For (XFF) header, which contains the IP address of a client requesting a web service when the firewall is deployed between the Internet and a proxy server. The firewall zeroes out the header value before forwarding the request: the forwarded packets don't contain internal source IP information.
  Selecting this option doesn't disable the use of XFF headers for user attribution in policies; the firewall zeroes out the XFF value only after using it for user attribution.
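An added Python model (not PAN-OS code) of the two X-Forwarded-For settings described above: the leftmost address is the one attributed, a non-address string is honoured only if User-ID already mapped that username, an unmatched address is logged with the x-fwd-for prefix, and stripping zeroes the value only after attribution. The IP-to-user mapping, the header values, and the exact rendering of the prefixed and zeroed values are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed User-ID IP-address-to-username mapping (not from the guide).
IP_USER_MAP: Dict[str, str] = {
    "10.1.20.15": "acme\\jdoe",
    "10.1.20.99": "acme\\asmith",
}


@dataclass
class XffResult:
    source_user: str                 # what the Source User log field would show
    forwarded_value: Optional[str]   # XFF value carried on toward the server


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def apply_xff_settings(xff_value: str, ip_user_map: Dict[str, str],
                       user_id_enabled_for_zone: bool = True,
                       strip_header: bool = False) -> XffResult:
    """Model the two X-Forwarded-For settings for a single header value."""
    entries = [e.strip() for e in xff_value.split(",") if e.strip()]
    first = entries[0] if entries else ""

    if _is_ip(first):
        # Several addresses in the header: the leftmost one is used for attribution.
        user = ip_user_map.get(first) if user_id_enabled_for_zone else None
        # No mapping, or User-ID not enabled for the zone: the log shows the XFF
        # address with the x-fwd-for prefix (exact rendering assumed here).
        source_user = user if user is not None else "x-fwd-for" + first
    else:
        # A character string is used only if User-ID already mapped that username;
        # otherwise rules with source user any/unknown apply (modelled as "unknown").
        source_user = first if first in ip_user_map.values() else "unknown"

    # Stripping happens after attribution, so the result above is unaffected.
    # The zeroed value is represented as a same-length run of zeros (assumption).
    forwarded = "0" * len(xff_value) if strip_header else xff_value
    return XffResult(source_user, forwarded)
```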

Content-ID Features

Manage Data Protection
  Add additional protection for access to logs that may contain sensitive information, such as credit card numbers or social security numbers. Click Manage Data Protection and configure the following:
  • To set a new password if one has not already been set, click Set Password. Enter and confirm the password.
  • To change the password, click Change Password. Enter the old password, and enter and confirm the new password.
  • To delete the password and the data that has been protected, click Delete Password.

Container Pages
  Use these settings to specify the types of URLs that the firewall will track or log based on content type, such as application/pdf, application/soap+xml, application/xhtml+, text/html, text/plain, and text/xml. Container pages are set per virtual system, which you select from the Location drop-down. If a virtual system does not have an explicit container page defined, the default content types are used.
  Click Add and enter or select a content type.
  Adding new content types for a virtual system overrides the default list of content types. If there are no content types associated with a virtual system, the default list of content types is used.

Device > Setup > WildFire

Select Device > Setup > WildFire to configure WildFire settings on the firewall and Panorama. You can enable both the WildFire cloud and a WildFire appliance to be used to perform file analysis. You can also set file size limits and session information that will be reported. After populating WildFire settings, you can specify what files to forward to the WildFire cloud or the WildFire appliance by creating a WildFire Analysis profile (Objects > Security Profiles > WildFire Analysis).

To forward decrypted content to WildFire, you need to select Allow Forwarding of Decrypted Content in Device > Setup > Content-ID > URL Filtering Settings.

General Settings

WildFire Public Cloud
  Enter wildfire.paloaltonetworks.com to send files to the WildFire global cloud, hosted in the United States, for analysis. Alternatively, you can instead send files to a WildFire regional cloud for analysis. Regional clouds are designed to adhere to the data privacy expectations you might have depending on your location.

WildFire Private Cloud
  Specify the IP address or FQDN of the WildFire appliance.
  The firewall sends files for analysis to the specified WildFire appliance.
  Panorama collects threat IDs from the WildFire appliance to enable the addition of threat exceptions in Anti-Spyware profiles (for DNS signatures only) and Antivirus profiles that you configure in device groups. Panorama also collects information from the WildFire appliance to populate fields that are missing in the WildFire Submissions logs received from firewalls running software versions earlier than PAN-OS 7.0.

File Size Limits
  Specify the maximum file size that will be forwarded to the WildFire server. Available ranges are:
  • flash (Adobe Flash): Range is 1 to 10 MB; default is 5 MB.
  • apk (Android Application): Range is 1 to 50 MB; default 10 MB.
  • pdf (Portable Document Format): Range is 100 KB to 1,000 KB; default is 200 KB.
  • jar (Packaged Java class file): Range is 1 to 10 MB; default is 1 MB.
  • pe (Portable Executable): Range is 1 to 10 MB; default is 2 MB.
  • ms-office (Microsoft Office): Range is 200 KB to 10,000 KB; default is 500 KB.
  The preceding values might differ based on the current version of PAN-OS or the content release. To see valid ranges, click in the Size Limit field; a pop-up displays the available range and default value.

Report Benign Files
  When this option is enabled (disabled by default), files analyzed by WildFire that are determined to be benign will appear in the Monitor > WildFire Submissions log.
  Even if this option is enabled on the firewall, email links that WildFire deems benign will not be logged because of the potential quantity of links processed.

Report Grayware Files
  When this option is enabled (disabled by default), files analyzed by WildFire that are determined to be grayware will appear in the Monitor > WildFire Submissions log.
  Even if this option is enabled on the firewall, email links that WildFire determines to be grayware will not be logged because of the potential quantity of links processed.

Session Information Settings

Settings
  Specify the information to be forwarded to the WildFire server. By default, all are selected:
  • Source IP: Source IP address that sent the suspected file.
  • Source Port: Source port that sent the suspected file.
  • Destination IP: Destination IP address for the suspected file.
  • Destination Port: Destination port for the suspected file.
  • Vsys: Firewall virtual system that identified the possible malware.
  • Application: User application that was used to transmit the file.
  • User: Targeted user.
  • URL: URL associated with the suspected file.
  • Filename: Name of the file that was sent.
  • Email sender: Provides the sender name in WildFire logs and WildFire detailed reports when a malicious email link is detected in SMTP and POP3 traffic.
  • Email recipient: Provides the recipient name in WildFire logs and WildFire detailed reports when a malicious email link is detected in SMTP and POP3 traffic.
  • Email subject: Provides the email subject in WildFire logs and WildFire detailed reports when a malicious email link is detected in SMTP and POP3 traffic.

Device > Setup > Session

Select Device > Setup > Session to configure session age-out times, decryption certificate settings, and global session-related settings such as firewalling IPv6 traffic and rematching Security policy to existing sessions when the policy changes. The tab has the following sections:
• Session Settings
• Session Timeouts
• TCP Settings
• Decryption Settings: Certificate Revocation Checking
• Decryption Settings: Forward Proxy Server Certificate Settings
• VPN Session Settings

Session Settings

Rematch Sessions
  Click Edit and select Rematch Sessions to cause the firewall to apply newly configured security policies to sessions that are already in progress. This capability is enabled by default. If this setting is disabled, any policy change applies only to sessions initiated after the policy change was committed.
  For example, if a Telnet session started while an associated policy was configured that allowed Telnet, and you subsequently committed a policy change to deny Telnet, the firewall applies the revised policy to the current session and blocks it.

ICMPv6 Token Bucket Size
  Enter the bucket size for rate limiting of ICMPv6 error messages. The token bucket size is a parameter of the token bucket algorithm that controls how bursty the ICMPv6 error packets can be (range is 10 to 65,535 packets; default 100).

ICMPv6 Error Packet Rate
  Enter the average number of ICMPv6 error packets per second allowed globally through the firewall (range is 10 to 65,535 packets/second; default is 100 packets/second). This value applies to all interfaces. If the firewall reaches the ICMPv6 error packet rate, the ICMPv6 token bucket is used to enable throttling of ICMPv6 error messages.
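An added Python model (not PAN-OS code) of the token bucket algorithm that the two ICMPv6 settings above parameterize: the bucket size bounds how large a burst of error messages passes, while the rate refills the bucket and sets the sustained average. The default values from the table (100 packets, 100 packets/second) and the arrival times are constructed sample input.

```python
from typing import Iterable, Tuple

# Range from the Session Settings table: 10 to 65,535 for both parameters.
MIN_SETTING, MAX_SETTING = 10, 65535


class Icmpv6ErrorLimiter:
    """Token bucket: 'bucket_size' caps the burst, 'rate_per_sec' is the sustained average."""

    def __init__(self, bucket_size: int = 100, rate_per_sec: int = 100) -> None:
        for value in (bucket_size, rate_per_sec):
            if not MIN_SETTING <= value <= MAX_SETTING:
                raise ValueError(f"{value} outside {MIN_SETTING}-{MAX_SETTING}")
        self.size = float(bucket_size)
        self.rate = float(rate_per_sec)
        self.tokens = float(bucket_size)   # a full bucket lets an initial burst through
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Return True if an ICMPv6 error message may be sent at time 'now' (seconds)."""
        if now < self.last:
            raise ValueError("timestamps must be non-decreasing")
        # Refill in proportion to elapsed time, never beyond the bucket size.
        self.tokens = min(self.size, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False   # bucket empty: this error message is throttled


def simulate(bucket_size: int, rate_per_sec: int, arrivals: Iterable[float]) -> Tuple[int, int]:
    """Feed a non-decreasing sequence of arrival times; return (sent, throttled) counts."""
    limiter = Icmpv6ErrorLimiter(bucket_size, rate_per_sec)
    sent = throttled = 0
    for t in arrivals:
        if limiter.allow(t):
            sent += 1
        else:
            throttled += 1
    return sent, throttled


if __name__ == "__main__":
    # Constructed traffic: a burst of 150 errors at t=0, then 100 more half a second later.
    burst = [0.0] * 150 + [0.5] * 100
    print(simulate(100, 100, burst))   # (150, 100): 100 pass at t=0, 50 refilled by t=0.5
    # Halving the bucket size halves what a burst gets through; the average rate is unchanged.
    print(simulate(50, 100, burst))    # (100, 150)
```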

Enable IPv6 Firewalling
  To enable firewall capabilities for IPv6, click Edit and select IPv6 Firewalling.
  All IPv6-based configurations are ignored if IPv6 is not enabled. Even if IPv6 is enabled for an interface, the IPv6 Firewalling option must also be enabled for IPv6 to function.

Enable Jumbo Frame / Global MTU
  Select to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9192 bytes and are available on certain models.
  If you do not check Enable Jumbo Frame, the Global MTU defaults to 1500 bytes (range is 576 to 1,500).
  If you check Enable Jumbo Frame, the Global MTU defaults to 9,192 bytes (range is 9,192 to 9,216 bytes).
  If you enable jumbo frames and you have interfaces where the MTU is not specifically configured, those interfaces will automatically inherit the jumbo frame size. Therefore, before you enable jumbo frames, if you have any interface that you do not want to have jumbo frames, you must set the MTU for that interface to 1500 bytes or another value. To configure the MTU for the interface (Network > Interfaces > Ethernet), see Layer 3 Interface.

NAT64 IPv6 Minimum Network MTU
  Enter the global MTU for IPv6 translated traffic. The default of 1280 bytes is based on the standard minimum MTU for IPv6 traffic.

NAT Oversubscription Rate
  Select the DIPP NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. Reducing the oversubscription rate will decrease the number of source device translations, but will provide higher NAT rule capacities.
  • Platform Default: Explicit configuration of the oversubscription rate is turned off; the default oversubscription rate for the model applies. See default rates of firewall models at https://www.paloaltonetworks.com/products/productselection.html.
  • 1x: 1 time. This means no oversubscription; each translated IP address and port pair can be used only once at a time.
  • 2x: 2 times
  • 4x: 4 times
  • 8x: 8 times

ICMP Unreachable Packet Rate (per sec)
  Define the maximum number of ICMP Unreachable responses that the firewall can send per second. This limit is shared by IPv4 and IPv6 packets. Default value is 200 messages per second (range is 1 to 65,535).

Accelerated Aging
  Enables accelerated aging-out of idle sessions.
  Select this option to enable accelerated aging and specify the threshold (%) and scaling factor.
  When the session table reaches the Accelerated Aging Threshold (% full), PAN-OS applies the Accelerated Aging Scaling Factor to the aging calculations for all sessions. The default scaling factor is 2, meaning that accelerated aging occurs at a rate twice as fast as the configured idle time. The configured idle time divided by 2 results in a faster timeout of one-half the time. To calculate the session's accelerated aging, PAN-OS divides the configured idle time (for that type of session) by the scaling factor to determine a shorter timeout.
  For example, if the scaling factor is 10, a session that would normally time out after 3600 seconds would time out 10 times faster (in 1/10 of the time), which is 360 seconds.

Packet Buffer Protection
  Enable packet buffer protection. This option protects the receive buffers on the firewall from attacks or abusive traffic that causes system resources to back up and cause legitimate traffic to be dropped. Packet buffer protection is achieved by identifying offending sessions, using Random Early Drop (RED) as a first line of defense, and discarding the session if abuse continues. If the firewall detects many small sessions or rapid session creation (or both) from a particular IP address, it blocks that IP address.
  • Alert (%): When packet buffer utilization exceeds this threshold for more than 10 seconds, the firewall creates a log event every minute. The firewall generates log events when packet buffer protection is enabled globally. The default threshold is 50% and the range is 0% to 99%. If the value is 0%, the firewall does not create a log event.
  • Activate (%): When this threshold is reached, the firewall begins to mitigate the most abusive sessions on the zone with Packet Buffer Protection enabled. The default threshold is 50% and the range is 0% to 99%. If the value is 0%, the firewall does not apply RED.
  • Block Hold Time (sec): The amount of time, in seconds, the session is allowed to continue before it is discarded. This timer monitors RED-mitigated sessions to see if they are still pushing buffer utilization above the configured threshold. If the abusive behavior continues past the block hold time, the session is discarded. By default, the block hold time is 60 seconds. The range is 0 to 65,535 seconds. If the value is 0, the firewall does not discard sessions based on packet buffer protection.
  • Block Duration (sec): The amount of time, in seconds, that a discarded session remains discarded or a blocked IP address remains blocked. The default is 3,600 seconds with a range of 0 seconds to 15,999,999 seconds. If this value is 0, the firewall does not discard sessions or block IP addresses based on packet buffer protection.

Multicast Route Setup Buffering
  Select this option (disabled by default) to enable multicast route setup buffering, which allows the firewall to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped.

Multicast Route Setup Buffer Size
  If you enable Multicast Route Setup Buffering, you can tune the buffer size, which specifies the buffer size per flow (range is 1 to 2,000; default is 1,000). The firewall can buffer a maximum of 5,000 packets.

Session Timeouts

A session timeout defines the duration for which PAN-OS maintains a session on the firewall after inactivity in the session. By default, when the session timeout for the protocol expires, PAN-OS closes the session.
On the firewall, you can define a number of timeouts for TCP, UDP, and ICMP sessions in particular. The Default timeout applies to any other type of session. All of these timeouts are global, meaning they apply to all of the sessions of that type on the firewall.

In addition to the global settings, you have the flexibility to define timeouts for an individual application in the Objects > Applications tab. The timeouts available for that application appear in the Options window. The firewall applies application timeouts to an application that is in Established state. When configured, timeouts for an application override the global TCP or UDP session timeouts.
Use the options in this section to configure global session timeout settings specifically for TCP, UDP and ICMP, and for all other types of sessions.
The defaults are optimal values. However, you can modify these according to your network needs. Setting a value too low could cause sensitivity to minor network delays and could result in a failure to establish connections with the firewall. Setting a value too high could delay failure detection.

Default
  Maximum length of time, in seconds, that a non-TCP/UDP or non-ICMP session can be open without a response (range is 1 to 15,999,999; default is 30).

Discard Timeouts
  PAN-OS applies the discard timeout when denying a session based on security policies configured on the firewall.

Discard Default
  Applies only to non-TCP/UDP traffic (range is 1 to 15,999,999; default is 60).

Discard TCP
  Applies to TCP traffic (range is 1 to 15,999,999; default is 90).

Discard UDP
  Applies to UDP traffic (range is 1 to 15,999,999; default is 60).

ICMP
  Maximum length of time that an ICMP session can be open without an ICMP response (range is 1 to 15,999,999; default is 6).

Scan
  Maximum length of time, in seconds, that any session remains open after it is considered inactive. PAN-OS regards an application as inactive when it exceeds the trickling threshold defined for the application (range is 5 to 30; default is 10).

TCP
  Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete and/or data transmission has started); (range is 1 to 15,999,999; default is 3,600).

TCP handshake
  Maximum length of time, in seconds, between receiving the SYN-ACK and the subsequent ACK to fully establish the session (range is 1 to 60; default is 10).

TCP init
  Maximum length of time, in seconds, between receiving the SYN and SYN-ACK before starting the TCP handshake timer (range is 1 to 60; default is 5).

TCP Half Closed
  Maximum length of time, in seconds, between receiving the first FIN and receiving the second FIN or a RST (range is 1 to 604,800; default is 120).

TCP Time Wait
  Maximum length of time, in seconds, after receiving the second FIN or a RST (range is 1 to 600; default is 15).

Unverified RST
  Maximum length of time, in seconds, after receiving a RST that cannot be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path); (range is 1 to 600; default is 30).

UDP
  Maximum length of time, in seconds, that a UDP session remains open without a UDP response (range is 1 to 1,599,999; default is 30).

Captive Portal
  The authentication session timeout in seconds for the Captive Portal web form (default is 30, range is 1 to 1,599,999). To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated.
  To define other Captive Portal timeouts, such as the idle timer and the expiration time before the user must be re-authenticated, use the Device > User Identification > Captive Portal Settings tab. See Device > User Identification > Captive Portal Settings.
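An added Python model (not PAN-OS code) of how the global timeouts in this table, a per-application override, and the Accelerated Aging setting described under Session Settings combine into the idle timeout applied to each session. The timeout values are the defaults from the table; the session table, its capacity and the timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Global defaults (seconds) from the Session Timeouts table.
DEFAULT_TIMEOUTS: Dict[str, int] = {
    "default": 30, "icmp": 6, "scan": 10, "udp": 30,
    "tcp": 3600, "tcp-init": 5, "tcp-handshake": 10,
    "tcp-half-closed": 120, "tcp-time-wait": 15, "unverified-rst": 30,
    "discard-default": 60, "discard-tcp": 90, "discard-udp": 60,
}


@dataclass
class Session:
    sid: int
    state: str                         # key into DEFAULT_TIMEOUTS
    last_seen: float                   # time of the last packet (seconds)
    app_timeout: Optional[int] = None  # Objects > Applications override, if any


def idle_timeout(session: Session, table_pct: float,
                 aging_threshold_pct: Optional[float] = None,
                 scaling_factor: float = 2.0,
                 timeouts: Dict[str, int] = DEFAULT_TIMEOUTS) -> float:
    """Seconds of inactivity after which the session is closed."""
    timeout = float(timeouts[session.state])
    # An application timeout applies only to Established TCP/UDP sessions and
    # overrides the global TCP/UDP value.
    if session.app_timeout is not None and session.state in ("tcp", "udp"):
        timeout = float(session.app_timeout)
    # Accelerated Aging: once the table is at least threshold% full, every
    # session's configured idle time is divided by the scaling factor.
    if aging_threshold_pct is not None and table_pct >= aging_threshold_pct:
        timeout /= scaling_factor
    return timeout


def expired_sessions(sessions: List[Session], now: float, table_capacity: int,
                     aging_threshold_pct: Optional[float] = None,
                     scaling_factor: float = 2.0) -> List[int]:
    """IDs of sessions whose inactivity exceeds their (possibly accelerated) timeout."""
    table_pct = 100.0 * len(sessions) / table_capacity
    return [s.sid for s in sessions
            if now - s.last_seen > idle_timeout(s, table_pct, aging_threshold_pct,
                                                scaling_factor)]


if __name__ == "__main__":
    # Constructed session table: capacity 10, so four sessions is 40% full.
    table = [
        Session(1, "tcp", last_seen=0.0),                      # idle 2000 s at now=2000
        Session(2, "tcp", last_seen=1500.0, app_timeout=300),  # idle 500 s, override 300 s
        Session(3, "tcp-half-closed", last_seen=1900.0),       # idle 100 s, limit 120 s
        Session(4, "udp", last_seen=1990.0),                   # idle 10 s, limit 30 s
    ]
    print(expired_sessions(table, now=2000.0, table_capacity=10))                          # [2]
    print(expired_sessions(table, now=2000.0, table_capacity=10, aging_threshold_pct=40))  # [1, 2, 3]
    # The guide's example: scaling factor 10 turns the 3600 s TCP timeout into 360 s.
    print(idle_timeout(Session(9, "tcp", 0.0), table_pct=90, aging_threshold_pct=80,
                       scaling_factor=10))                                                 # 360.0
```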

TCP Settings

Urgent Data Flag
  Use this option to configure whether the firewall allows the urgent pointer (URG bit flag) in the TCP header. The urgent pointer in the TCP header is used to promote a packet for immediate processing: the firewall removes it from the processing queue and expedites it through the TCP/IP stack on the host. This process is called out-of-band processing.
  Because the implementation of the urgent pointer varies by host, setting this option to Clear (the default and recommended setting) eliminates any ambiguity by disallowing out-of-band processing so that the out-of-band byte in the payload becomes part of the payload and the packet is not processed urgently. Additionally, the Clear setting ensures that the firewall sees the exact stream in the protocol stack as the host for whom the packet is destined.
  To see a count of the number of segments in which the firewall cleared the URG flag when this option is set to Clear, run the following CLI command: show counter global tcp_clear_urg
  By default, this flag is set to Clear and should remain this way for the most secure deployment. This should not result in performance degradation; in the rare instance that applications, such as telnet, are using the urgent data feature, TCP may be impacted. If you set this flag to Do Not Modify, the firewall allows packets with the URG bit flag in the TCP header and enables out-of-band processing (not recommended).

Drop segments without flag
  Illegal TCP segments without any flags set can be used to evade content inspection. With this option enabled (the default) the firewall drops packets that have no flags set in the TCP header. To see a count of the number of segments that the firewall dropped as a result of this option, run the following CLI command: show counter global tcp_flag_zero
  This option is enabled by default and should remain this way for the most secure deployment. Enabling this option should not result in performance degradation. However, if a network stack incorrectly generates segments with no TCP flags, enabling this option may result in connectivity issues.

Drop segments with null timestamp option
  The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session, preventing TCP sequence number wrapping. The TCP timestamp is also used to calculate round-trip time. With this option enabled, the firewall drops packets with null timestamps. To see a count of the number of segments that the firewall dropped as a result of enabling this option, run the following CLI command: show counter global tcp_invalid_ts_option
  This option is enabled by default and should remain this way for the most secure deployment. Enabling this option should not result in performance degradation. However, if a network stack incorrectly generates segments with a null TCP timestamp option value, enabling this option may result in connectivity issues.

Forward segments exceeding TCP out-of-order queue
  Select this option if you want the firewall to forward segments that exceed the TCP out-of-order queue limit of 64 per session. If you disable this option, the firewall drops segments that exceed the out-of-order queue limit. To see a count of the number of segments that the firewall dropped as a result of enabling this option, run the following CLI command: show counter global tcp_exceed_flow_seg_limit
  This option is disabled by default and should remain this way for the most secure deployment. Disabling this option may result in increased latency for the specific stream that received over 64 segments out of order. There should be no loss of connectivity because the TCP stack should handle missing segments retransmission.

Decryption Settings: Certificate Revocation Checking

Select Session, and in Decryption Settings, select Certificate Revocation Checking to set the parameters described in the following table.

Enable: CRL
  Select this option to use the certificate revocation list (CRL) method to verify the revocation status of certificates.
  If you also enable Online Certificate Status Protocol (OCSP), the firewall first tries OCSP; if the OCSP server is unavailable, the firewall then tries the CRL method.
  For more information on decryption certificates, see Keys and Certificates for Decryption.

Receive Timeout: CRL
  If you enabled the CRL method for verifying certificate revocation status, specify the interval in seconds (1 to 60; default is 5) after which the firewall stops waiting for a response from the CRL service.

Enable: OCSP
  Select this option to use OCSP to verify the revocation status of certificates.

Receive Timeout: OCSP
  If you enabled the OCSP method for verifying certificate revocation status, specify the interval in seconds (1 to 60; default is 5) after which the firewall stops waiting for a response from the OCSP responder.

Block Session With Unknown Certificate Status
  Select this option to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall proceeds with the session.

Block Session On Certificate Status Check Timeout
  Select this option to block SSL/TLS sessions after the firewall registers a CRL or OCSP request timeout. Otherwise, the firewall proceeds with the session.

Certificate Status Timeout
  Specify the interval in seconds (1 to 60; default is 5) after which the firewall stops waiting for a response from any certificate status service and applies any session blocking logic you optionally define. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
  • If you enable both OCSP and CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
  • If you enable only OCSP: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
  • If you enable only CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.
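An added Python model (not PAN-OS code) of the decision logic this table describes: OCSP is tried first and CRL only when OCSP is unavailable, the request timeout is the lesser of the Certificate Status Timeout and the applicable Receive Timeout values, and a session is blocked on an unknown status or a timeout only when the corresponding Block Session option is selected. Responder answers and their latencies are constructed; how the firewall behaves with neither method enabled is not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# A constructed responder answer: status is "good", "revoked", "unknown" or None
# (no answer at all); latency is how many seconds the answer took to arrive.
Answer = Tuple[Optional[str], float]


@dataclass
class RevocationConfig:
    ocsp_enabled: bool = False
    ocsp_receive_timeout: int = 5      # Receive Timeout: OCSP (1 to 60, default 5)
    crl_enabled: bool = False
    crl_receive_timeout: int = 5       # Receive Timeout: CRL (1 to 60, default 5)
    cert_status_timeout: int = 5       # Certificate Status Timeout (1 to 60, default 5)
    block_unknown: bool = False        # Block Session With Unknown Certificate Status
    block_on_timeout: bool = False     # Block Session On Certificate Status Check Timeout


def request_timeout(cfg: RevocationConfig) -> Optional[float]:
    """Interval after which a request timeout is registered: the lesser of the
    Certificate Status Timeout and the sum of the enabled methods' Receive Timeouts."""
    receive_total = 0
    if cfg.ocsp_enabled:
        receive_total += cfg.ocsp_receive_timeout
    if cfg.crl_enabled:
        receive_total += cfg.crl_receive_timeout
    if receive_total == 0:
        return None   # neither method enabled: outside what the table describes
    return float(min(cfg.cert_status_timeout, receive_total))


def evaluate(cfg: RevocationConfig, ocsp: Answer = (None, 0.0),
             crl: Answer = (None, 0.0)) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one SSL/TLS session's server certificate."""
    deadline = request_timeout(cfg)
    if deadline is None:
        return "allow", "revocation checking disabled"
    elapsed = 0.0
    # OCSP is tried first; CRL is consulted only if OCSP is unavailable.
    for enabled, (status, latency), receive_to, name in (
        (cfg.ocsp_enabled, ocsp, cfg.ocsp_receive_timeout, "ocsp"),
        (cfg.crl_enabled, crl, cfg.crl_receive_timeout, "crl"),
    ):
        if not enabled:
            continue
        elapsed += min(latency, receive_to)   # waiting stops at the method's Receive Timeout
        if elapsed > deadline:
            break                               # Certificate Status Timeout reached first
        if status is None or latency > receive_to:
            continue                            # unavailable: fall through to the next method
        if status == "revoked":
            return "block", f"{name}: revoked"
        if status == "unknown":
            return ("block" if cfg.block_unknown else "allow"), f"{name}: unknown"
        return "allow", f"{name}: good"
    # Every enabled method was unavailable, or the deadline passed: fail closed only if asked to.
    return ("block" if cfg.block_on_timeout else "allow"), "request timeout"
```

With both Block Session options left clear (the defaults), an unreachable responder or an unknown status lets the session proceed; the two options are what turn those cases into blocks.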

Decryption Settings: Forward Proxy Server Certificate Settings

In the Session tab, Decryption Settings section, select Forward Proxy Server Certificate Settings to configure the Key Size and hashing algorithm of the certificates that the firewall presents to clients when establishing sessions for SSL/TLS Forward Proxy decryption. The following table describes the parameters.

Defined by destination host
  Select this option if you want PAN-OS to generate certificates based on the key that the destination server uses:
  • If the destination server uses an RSA 1024-bit key, PAN-OS generates a certificate with that key size and an SHA1 hashing algorithm.
  • If the destination server uses a key size larger than 1024 bits (for example, 2048 bits or 4096 bits), PAN-OS generates a certificate that uses a 2048-bit key and SHA256 algorithm.
  This is the default setting.

1024-bit RSA
  Select this option if you want PAN-OS to generate certificates that use an RSA 1024-bit key and SHA1 hashing algorithm regardless of the key size that the destination server uses. As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2048 bits. In the future, depending on its security settings, when presented with such keys the browser might warn the user or block the SSL/TLS session entirely.

2048-bit RSA
  Select this option if you want PAN-OS to generate certificates that use an RSA 2048-bit key and SHA256 hashing algorithm regardless of the key size that the destination server uses. Public CAs and popular browsers support 2048-bit keys, which provide better security than the 1024-bit keys.

VPN Session Settings

Select Session, and in VPN Session Settings, configure global settings related to the firewall establishing a VPN session. The following table describes the settings.

Cookie Activation Threshold
  Specify a maximum number of IKEv2 half-open IKE SAs allowed per firewall, above which cookie validation is triggered. When the number of half-open IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie. If the cookie validation is successful, another SA session can be initiated.
  A value of 0 means that cookie validation is always on.
  The Cookie Activation Threshold is a global firewall setting and should be lower than the Maximum Half Opened SA setting, which is also global (range is 0 to 65535; default is 500).

Maximum Half Opened SA
  Specify the maximum number of IKEv2 half-open IKE SAs that Initiators can send to the firewall without getting a response. Once the maximum is reached, the firewall will not respond to new IKE_SA_INIT packets (range is 1 to 65535; default is 65535).

Maximum Cached Certificates
  Specify the maximum number of peer certificate authority (CA) certificates retrieved via HTTP that the firewall can cache. This value is used only by the IKEv2 Hash and URL feature (range is 1 to 4000; default is 500).

Device > High Availability

For redundancy, deploy your Palo Alto Networks next-generation firewalls in a high availability configuration. There are two HA deployments:
• active/passive: In this deployment, the active peer continuously synchronizes its configuration and session information with the passive peer over two dedicated interfaces. In the event of a hardware or software disruption on the active firewall, the passive firewall becomes active automatically without loss of service. Active/passive HA deployments are supported with all interface modes: virtual wire, Layer 2 or Layer 3.
• active/active: In this deployment, both HA peers are active and processing traffic. Such deployments are most suited for scenarios involving asymmetric routing or in cases where you want to allow dynamic routing protocols (OSPF, BGP) to maintain active status across both peers. Active/active HA is supported only in the virtual wire and Layer 3 interface modes. In addition to the HA1 and HA2 links, active/active deployments require a dedicated HA3 link. The HA3 link is used as a packet-forwarding link for session setup and asymmetric traffic handling.

In an HA pair, both peers must be of the same model, must be running the same PAN-OS and Content Release version, and must have the same set of licenses.
In addition, for the VM-Series firewalls, both peers must be on the same hypervisor and must have the same number of CPU cores allocated on each peer.

• HA Lite
• Important Considerations for Configuring HA
• Configure HA Settings

HA Lite

The PA-200 firewall supports HA lite, a version of active/passive HA that does not include any session synchronization. HA lite does provide configuration synchronization and synchronization of some runtime items. It also supports failover of IPSec tunnels (sessions must be re-established), DHCP server lease information, DHCP client lease information, PPPoE lease information, and the firewall's forwarding table when configured in Layer 3 mode.

Important Considerations for Configuring HA

• The subnet that is used for the local and peer IP should not be used anywhere else on the virtual router.
• The OS and Content Release versions should be the same on each firewall. A mismatch can prevent peer firewalls from synchronizing.
• The LEDs are green on the HA ports for the active firewall and amber on the passive firewall.
• To compare the configuration of the local and peer firewalls, use the Config Audit tool on the Device tab by selecting the desired local configuration in the left selection box and the peer configuration in the right selection box.

• Synchronize the firewalls from the web interface by clicking Push Configuration in the HA widget on the Dashboard. The configuration on the firewall from which you push the configuration overwrites the configuration on the peer firewall. To synchronize the firewalls from the CLI on the active firewall, use the command request high-availability sync-to-remote running-config.

In a High Availability (HA) active/passive configuration with firewalls that use 10-gigabit SFP+ ports, when a failover occurs and the active firewall changes to a passive state, the 10-gigabit Ethernet port is taken down and then brought back up to refresh the port, but does not enable transmit until the firewall becomes active again. If you have monitoring software on the neighboring device, it will see the port as flapping because it is going down and then up again. This is different behavior than the action with other ports, such as the 1-gigabit Ethernet port, which is disabled and still allows transmit, so flapping is not detected by the neighboring device.

Configure HA Settings

To configure HA settings, select Device > High Availability and then, for each group of settings, specify the
corresponding information described in the following table.

HA Settings    Description

General Tab

Setup
  Specify the following settings:
  • Enable HA: Activate HA functionality.
  • Group ID: Enter a number to identify the HA pair (1 to 63). This field is required (and must be unique)
    if multiple HA pairs reside on the same broadcast domain.
  • Description: Enter a description of the HA pair (optional).
  • Mode: Set the type of HA deployment: Active Passive or Active Active.
  • Device ID: In an active/active configuration, set the Device ID to determine which peer will be
    active-primary (set Device ID to 0) and which will be active-secondary (set the Device ID to 1).
  • Enable Config Sync: Select this option to enable synchronization of configuration settings between the
    peers. Config sync should always be enabled.
  • Peer HA1 IP Address: Enter the IP address of the HA1 interface of the peer firewall.
  • Backup Peer HA1 IP Address: Enter the IP address for the peer's backup control link.

Active/Passive Settings
  • Passive Link State: Select one of the following options to specify whether the data links on the passive
    firewall should remain up. This option is not available in the VM-Series firewall in AWS.
    - auto: The links that have physical connectivity remain physically up but in a disabled state; they do
      not participate in ARP learning or packet forwarding. This will help in convergence times during the
      failover as the time to bring up the links is saved. In order to avoid network loops, do not select
      this option if the firewall has any Layer 2 interfaces configured.
    - shutdown: Forces the interface link to the down state. This is the default option, which ensures that
      loops are not created in the network.
  • Monitor Fail Hold Down Time (min): This value, between 1 and 60 minutes, determines the interval in
    which a firewall will be in a non-functional state before becoming passive. This timer is used when there
    are missed heartbeats or hello messages due to a link or path monitoring failure.

Election Settings
  Specify or enable the following settings:
  • Device Priority: Enter a priority value to identify the active firewall. The firewall with the lower value
    (higher priority) becomes the active firewall (range is 0 to 255) when the preemptive capability is
    enabled on both firewalls in the pair.
  • Heartbeat Backup: Uses the management ports on the HA firewalls to provide a backup path for heartbeat
    and hello messages. The management port IP address will be shared with the HA peer through the HA1
    control link. No additional configuration is required.
  • Preemptive: Enables the higher-priority firewall to resume active (active/passive) or active-primary
    (active/active) operation after recovering from a failure. The Preemption option must be enabled on both
    firewalls for the higher-priority firewall to resume active or active-primary operation upon recovery
    following a failure. If this setting is off, then the lower-priority firewall remains active or
    active-primary even after the higher-priority firewall recovers from a failure.
  • HA Timer Settings: Select one of the preset profiles:
    - Recommended: Use for typical failover timer settings.
    - Aggressive: Use for faster failover timer settings.
      To view the preset value for an individual timer included in a profile, select Advanced and click
      Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on
      screen.
    - Advanced: Allows you to customize the values to suit your network requirement for each of the
      following timers:
      - Promotion Hold Time: Enter the time that the passive peer (in active/passive mode) or the
        active-secondary peer (in active/active mode) will wait before taking over as the active or
        active-primary peer after communications with the HA peer have been lost. This hold time will begin
        only after the peer failure declaration has been made.
      - Hello Interval: Enter the number of milliseconds between the hello packets sent to verify that the
        HA program on the other firewall is operational (range is 8,000 to 60,000; default is 8,000).
      - Heartbeat Interval: Specify how frequently the HA peers exchange heartbeat messages in the form of
        an ICMP ping (range is 1,000 to 60,000 ms; no default).
      - Maximum No. of Flaps: A flap is counted when the firewall leaves the active state within 15 minutes
        after it last left the active state. You can specify the maximum number of flaps that are permitted
        before the firewall is determined to be suspended and the passive firewall takes over (range is
        0 to 16; default is 3). The value 0 means there is no maximum (an infinite number of flaps is
        required before the passive firewall takes over).
      - Preemption Hold Time: Enter the time in minutes that a passive or active-secondary peer waits
        before taking over as the active or active-primary peer (range is 1 to 60; default is 1).

      - Monitor Fail Hold Up Time (ms): Specify the interval during which the firewall will remain active
        following a path monitor or link monitor failure. This setting is recommended to avoid an HA
        failover due to the occasional flapping of neighboring devices (range is 0 to 60,000 ms; default
        is 0 ms).
      - Additional Master Hold Up Time (min): This time interval is applied to the same event as Monitor
        Fail Hold Up Time (range is 0 to 60,000 ms; default is 500 ms). The additional time interval is
        applied only to the active peer in active/passive mode and to the active-primary peer in
        active/active mode. This timer is recommended to avoid a failover when both peers experience the
        same link/path monitor failure simultaneously.
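The flap rule behind Maximum No. of Flaps is easy to get wrong when reviewing HA event logs, so the following added example (not PAN-OS code) replays a list of "left active state" timestamps against the 15-minute window and the configured maximum. It assumes that exactly the configured number of flaps is permitted, so the next one marks the firewall suspended; the timestamps are constructed.

```python
"""Flap counting for the Maximum No. of Flaps timer (added example; not PAN-OS code).

Rule from the guide: a flap is counted when the firewall leaves the active state within
15 minutes after it last left the active state. Once more flaps than the configured
maximum have occurred, the firewall is treated as suspended; a maximum of 0 disables the
check. Timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

FLAP_WINDOW_SECONDS = 15 * 60  # "within 15 minutes after it last left the active state"


@dataclass
class FlapTracker:
    max_flaps: int = 3                      # range 0 to 16; default 3; 0 means no maximum
    flaps: int = 0
    last_left_active: Optional[float] = None
    suspended: bool = False

    def __post_init__(self) -> None:
        if not 0 <= self.max_flaps <= 16:
            raise ValueError("Maximum No. of Flaps must be between 0 and 16")

    def leave_active(self, now: float) -> bool:
        """Record that the firewall left the active state at time `now` (seconds).

        Returns True once the firewall is considered suspended. The first departure never
        counts as a flap because there is no earlier departure to compare against.
        Assumption: "permitted" flaps are exactly max_flaps, so the (max_flaps + 1)th flap
        triggers suspension.
        """
        if self.suspended:
            return True
        if (self.last_left_active is not None
                and now - self.last_left_active <= FLAP_WINDOW_SECONDS):
            self.flaps += 1
        self.last_left_active = now
        if self.max_flaps > 0 and self.flaps > self.max_flaps:
            self.suspended = True
        return self.suspended


def replay(departures: List[float], max_flaps: int = 3) -> FlapTracker:
    """Feed a list of 'left active state' timestamps (seconds) through a tracker."""
    tracker = FlapTracker(max_flaps=max_flaps)
    for t in departures:
        tracker.leave_active(t)
    return tracker


if __name__ == "__main__":
    # Constructed scenario: a firewall bouncing every 5 minutes.
    t = replay([0, 300, 600, 900, 1200])
    print(f"flaps={t.flaps} suspended={t.suspended}")   # flaps=4 suspended=True
    # Constructed scenario: departures more than 15 minutes apart never count.
    t = replay([0, 1000, 2000, 3000])
    print(f"flaps={t.flaps} suspended={t.suspended}")   # flaps=0 suspended=False
```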

Control Link (HA1) / Control Link (HA1 Backup)
  The firewalls in an HA pair use HA links to synchronize data and maintain state information. The
  recommended configuration for the HA control link connection is to use the dedicated HA1 link between
  the two firewalls and use the management port as the Control Link (HA Backup) interface. In this case,
  you do not need to enable the Heartbeat Backup option in the Election Settings page. If you are using a
  physical HA1 port for the Control Link HA link and a data port for Control Link (HA Backup), it is
  recommended that you enable the Heartbeat Backup option.
  For firewalls that do not have a dedicated HA port, such as PA-200 and PA-220 firewalls, you should
  configure the management port for the Control Link HA connection and a data port interface configured
  with type HA for the Control Link HA1 Backup connection. Because the management port is used in this
  case, there is no need to enable the Heartbeat Backup option in the Election Settings page because the
  heartbeat backups will already occur through the management interface connection.
  On the VM-Series firewall in AWS, the management port is used as the HA1 link.
  When using a data port for the HA control link, keep in mind that because the control messages have to
  communicate from the dataplane to the management plane, if a failure occurs in the dataplane, peers
  cannot communicate HA control link information and a failover will occur. It is best to use the
  dedicated HA ports, or on firewalls that do not have a dedicated HA port, use the management port.
  Specify the following settings for the primary and backup HA control links:
  • Port: Select the HA port for the primary and backup HA1 interfaces. The backup setting is optional.
  • IPv4/IPv6 Address: Enter the IPv4 or IPv6 address of the HA1 interface for the primary and backup HA1
    interfaces. The backup setting is optional.
  • Netmask: Enter the network mask for the IP address (such as 255.255.255.0) for the primary and backup
    HA1 interfaces. The backup setting is optional.
  • Gateway: Enter the IP address of the default gateway for the primary and backup HA1 interfaces. The
    backup setting is optional.
  • Link Speed (Models with dedicated HA ports only): Select the speed for the control link between the
    firewalls for the dedicated HA1 port.
  • Link Duplex (Models with dedicated HA ports only): Select a duplex option for the control link between
    the firewalls for the dedicated HA1 port.
  • Encryption Enabled: Enable encryption after exporting the HA key from the HA peer and importing it onto
    this firewall. The HA key on this firewall must also be exported from this firewall and imported on the
    HA peer. Configure this setting for the primary HA1 interface. Import/export keys on the Certificates
    page (see Device > Certificate Management > Certificate Profile).
  • Monitor Hold Time (ms): Enter the length of time (milliseconds) that the firewall will wait before
    declaring a peer failure due to a control link failure (range is 1,000 to 60,000; default is 3,000).
    This option monitors the physical link status of the HA1 port(s).

Data Link (HA2)
  When an HA2 backup link is configured, failover to the backup link will occur if there is a physical link
  failure. With the HA2 keep-alive option enabled, the failover will also occur if the HA keep-alive
  messages fail based on the defined threshold.
  Specify the following settings for the primary and backup data link:
  • Port: Select the HA port. Configure this setting for the primary and backup HA2 interfaces. The backup
    setting is optional.
  • IP Address: Specify the IPv4 or IPv6 address of the HA interface for the primary and backup HA2
    interfaces. The backup setting is optional.
  • Netmask: Specify the network mask for the HA interface for the primary and backup HA2 interfaces. The
    backup setting is optional.
  • Gateway: Specify the default gateway for the HA interface for the primary and backup HA2 interfaces.
    The backup setting is optional. If the HA2 IP addresses of the firewalls are in the same subnet, the
    Gateway field should be left blank.
  • Enable Session Synchronization: Enable synchronization of the session information with the passive
    firewall, and choose a transport option.
  • Transport: Choose one of the following transport options:
    - Ethernet: Use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261).
    - IP: Use when Layer 3 transport is required (IP protocol number 99).
    - UDP: Use to take advantage of the fact that the checksum is calculated on the entire packet rather
      than just the header, as in the IP option (UDP port 29281). The benefit of using UDP mode is the
      presence of the UDP checksum to verify the integrity of a session sync message.
  • Link Speed (Models with dedicated HA ports only): Select the speed for the control link between peers
    for the dedicated HA2 port.
  • Link Duplex (Models with dedicated HA ports only): Select a duplex option for the control link between
    peers for the dedicated HA2 port.
  • HA2 keep-alive: Select this option to monitor the health of the HA2 data link between HA peers. This
    option is disabled by default and you can enable it on one or both peers. If enabled, the peers will
    use keep-alive messages to monitor the HA2 connection to detect a failure based on the Threshold you
    set (default is 10,000 ms). If you enable HA2 keep-alive, the HA2 Keep-alive recovery Action will be
    taken. Select an Action:
    - Log Only: Logs the failure of the HA2 interface in the system log as a critical event. Select this
      option for active/passive deployments because the active peer is the only firewall forwarding
      traffic. The passive peer is in a backup state and is not forwarding traffic; therefore a split
      datapath is not required. If you have not configured any HA2 Backup links, state synchronization
      will be turned off. If the HA2 path recovers, an informational log will be generated.
    - Split Datapath: Select this option in active/active HA deployments to instruct each peer to take
      ownership of its local state and session tables when it detects an HA2 interface failure. Without
      HA2 connectivity, no state and session synchronization can happen; this action allows separate
      management of the session tables to ensure successful traffic forwarding by each HA peer. To prevent
      this condition, configure an HA2 Backup link.
  • Threshold (ms): The duration in which keep-alive messages have failed before one of the above actions
    will be triggered (range is 5,000 to 60,000 ms; default is 10,000 ms).

Link and Path Monitoring Tab (Not available for the VM-Series firewall in AWS)

Path Monitoring
  Specify the following:
  • Enabled: Enable path monitoring. Path monitoring enables the firewall to monitor specified destination
    IP addresses by sending ICMP ping messages to make sure that they are responsive. Use path monitoring
    for virtual wire, Layer 2, or Layer 3 configurations where monitoring of other network devices is
    required for failover and link monitoring alone is not sufficient.
  • Failure Condition: Select whether a failover occurs when any or all of the monitored path groups fail
    to respond.

Path Group
  Define one or more path groups to monitor specific destination addresses. To add a path group, click Add
  for the interface type (Virtual Wire, VLAN, or Virtual Router) and specify the following:
  • Name: Select a virtual wire, VLAN, or virtual router from the drop-down (the drop-down is populated
    depending on whether you are adding a virtual wire, VLAN, or virtual router path).
  • Enabled: Enable the path group.
  • Failure Condition: Select whether a failure occurs when any or all of the specified destination
    addresses fail to respond.
  • Source IP: For virtual wire and VLAN interfaces, enter the source IP address used in the probe packets
    sent to the next-hop router (Destination IP address). The local router must be able to route the
    address to the firewall. The source IP address for path groups associated with virtual routers will be
    automatically configured as the interface IP address that is indicated in the route table as the egress
    interface for the specified destination IP address.
  • Destination IPs: Enter one or more (comma-separated) destination addresses to be monitored.
  • Ping Interval: Specify the interval between pings that are sent to the destination address (range is
    200 to 60,000 ms; default is 200 ms).
  • Ping Count: Specify the number of failed pings before declaring a failure (range is 3 to 10; default
    is 10).

Link Monitoring
  Specify the following:
  • Enabled: Enable link monitoring. Link monitoring allows failover to be triggered when a physical link
    or group of physical links fails.
  • Failure Condition: Select whether a failover occurs when any or all of the monitored link groups fail.

Link Groups
  Define one or more link groups to monitor specific Ethernet links. To add a link group, specify the
  following and click Add:
  • Name: Enter a link group name.
  • Enabled: Enable the link group.
  • Failure Condition: Select whether a failure occurs when any or all of the selected links fail.
  • Interfaces: Select one or more Ethernet interfaces to be monitored.
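Because the any/all Failure Condition applies twice (inside each group and again across groups), it is worth modelling before committing a monitoring design. The following added example (not PAN-OS code) evaluates constructed path-group and link-group definitions the way the two tables above describe: a destination fails after Ping Count consecutive missed pings, each group applies its own condition, and the top-level condition is applied over the enabled groups only.

```python
"""Failure-condition evaluation for HA Link and Path Monitoring (added example; not PAN-OS code).

Two levels of any/all apply: each path group (or link group) fails when any or all of its
members fail, and the monitor as a whole declares failure when any or all of the enabled
groups fail. A monitored destination counts as failed once it has missed Ping Count
consecutive pings. The sample probe results below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

ANY, ALL = "any", "all"


def _combine(results: List[bool], failure_condition: str) -> bool:
    if failure_condition not in (ANY, ALL):
        raise ValueError(f"failure condition must be {ANY!r} or {ALL!r}")
    if not results:
        return False                # nothing monitored means nothing has failed
    return any(results) if failure_condition == ANY else all(results)


@dataclass
class PathGroup:
    name: str                       # virtual wire, VLAN, or virtual router name
    destinations: List[str]         # Destination IPs (comma-separated in the UI)
    failure_condition: str = ANY
    ping_count: int = 10            # failed pings before declaring failure (3 to 10)
    enabled: bool = True

    def __post_init__(self) -> None:
        if not 3 <= self.ping_count <= 10:
            raise ValueError("Ping Count must be between 3 and 10")

    def destination_failed(self, consecutive_failures: int) -> bool:
        return consecutive_failures >= self.ping_count

    def failed(self, consecutive_failures: Dict[str, int]) -> bool:
        """Apply the group's own Failure Condition to its destinations."""
        results = [self.destination_failed(consecutive_failures.get(d, 0))
                   for d in self.destinations]
        return _combine(results, self.failure_condition)


def path_monitoring_failed(groups: List[PathGroup], failure_condition: str,
                           consecutive_failures: Dict[str, int]) -> bool:
    """Top-level Failure Condition over the enabled path groups; disabled groups are ignored."""
    results = [g.failed(consecutive_failures) for g in groups if g.enabled]
    return _combine(results, failure_condition)


@dataclass
class LinkGroup:
    name: str
    interfaces: List[str]
    failure_condition: str = ANY
    enabled: bool = True

    def failed(self, link_down: Dict[str, bool]) -> bool:
        return _combine([link_down.get(i, False) for i in self.interfaces],
                        self.failure_condition)


def link_monitoring_failed(groups: List[LinkGroup], failure_condition: str,
                           link_down: Dict[str, bool]) -> bool:
    return _combine([g.failed(link_down) for g in groups if g.enabled], failure_condition)


# Constructed sample: two path groups on virtual routers and one link group.
PATH_GROUPS = [
    PathGroup("vr-internet", ["203.0.113.1", "203.0.113.2"], failure_condition=ALL),
    PathGroup("vr-dmz", ["198.51.100.1"], failure_condition=ANY, ping_count=3),
]
LINK_GROUPS = [LinkGroup("uplinks", ["ethernet1/1", "ethernet1/2"], failure_condition=ALL)]

# Consecutive failed-ping counters and link states as a monitor would track them (constructed).
PROBES = {"203.0.113.1": 10, "203.0.113.2": 2, "198.51.100.1": 3}
LINKS = {"ethernet1/1": True, "ethernet1/2": False}


def example() -> Dict[str, bool]:
    """Evaluate the constructed scenario under each Failure Condition."""
    return {
        "vr-internet": PATH_GROUPS[0].failed(PROBES),    # ALL: only one of two down -> False
        "vr-dmz": PATH_GROUPS[1].failed(PROBES),         # 3 misses reach Ping Count 3 -> True
        "paths-any": path_monitoring_failed(PATH_GROUPS, ANY, PROBES),  # True
        "paths-all": path_monitoring_failed(PATH_GROUPS, ALL, PROBES),  # False
        "links": link_monitoring_failed(LINK_GROUPS, ANY, LINKS),       # group is ALL -> False
    }
```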

Active/Active Config Tab

Packet Forwarding
  Enable peers to forward packets over the HA3 link for session setup and for Layer 7 inspection (App-ID,
  Content-ID, and threat inspection) of asymmetrically routed sessions.

HA3 Interface
  Select the data interface you plan to use to forward packets between active/active HA peers. The
  interface you use must be a dedicated Layer 2 interface set to Interface Type HA.
  If the HA3 link fails, the active-secondary peer will transition to the non-functional state. To prevent
  this condition, configure a Link Aggregation Group (LAG) interface with two or more physical interfaces
  as the HA3 link. The firewall does not support an HA3 Backup link. An aggregate interface with multiple
  interfaces will provide additional capacity and link redundancy to support packet forwarding between HA
  peers.
  You must enable jumbo frames on the firewall and on all intermediary networking devices when using the
  HA3 interface. To enable jumbo frames, select Device > Setup > Session and select the option to Enable
  Jumbo Frame in the Session Settings section.

VR Sync
  Force synchronization of all virtual routers configured on the HA peers. Use this option when the
  virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same
  next-hop router through a switched network and must use static routing only.

QoS Sync
  Synchronize the QoS profile selection on all physical interfaces. Use this option when both peers have
  similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects
  the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this
  setting.

Tentative Hold Time (sec)
  When a firewall in an HA active/active configuration fails, it will go into a tentative state. The
  transition from tentative state to active-secondary state triggers the Tentative Hold Time, during which
  the firewall attempts to build routing adjacencies and populate its route table before it will process
  any packets. Without this timer, the recovering firewall would enter the active-secondary state
  immediately and would black hole packets because it would not have the necessary routes (default is
  60 seconds).

Session Owner Selection
  The session owner is responsible for all Layer 7 inspection (App-ID and Content-ID) for the session and
  for generating all Traffic logs for the session. Select one of the following options to specify how to
  determine the session owner for a packet:
  • First packet: Select this option to designate the firewall that receives the first packet in a session
    as the session owner. This is the recommended configuration to minimize traffic across HA3 and
    distribute the dataplane load across peers.
  • Primary Device: Select this option if you want the active-primary firewall to own all sessions. In
    this case, if the active-secondary firewall receives the first packet, it will forward all packets
    requiring Layer 7 inspection to the active-primary firewall over the HA3 link.

Session Setup
  The firewall responsible for session setup performs Layer 2 through Layer 4 processing (including
  address translation) and creates the session table entry. Because session setup consumes management
  plane resources, you can select one of the following options to help distribute the load:
  • Primary Device: The active-primary firewall sets up all sessions.
  • IP Modulo: Distributes session setup based on the parity of the source IP address.
  • IP Hash: Distributes session setup based on a hash of the source IP address or source and destination
    IP address, and a hash seed value if you need more randomization.
  • First Packet: The firewall that receives the first packet performs session setup, even in cases where
    the peer owns the session. This option minimizes traffic over the HA3 link and ensures that the
    management-plane-intensive work of setting up the session always happens on the firewall that receives
    the first packet.

Virtual Address
  Click Add, select the IPv4 or IPv6 tab and then click Add again to enter options to specify the type of
  HA virtual address to use: Floating or ARP Load Sharing. You can also mix the virtual address types in
  the pair. For example, you could use ARP load sharing on the LAN interface and a Floating IP on the WAN
  interface.
  • Floating: Enter an IP address that will move between HA peers in the event of a link or system
    failure. Configure two floating IP addresses on the interface, so that each firewall will own one, and
    then set the priority. If either firewall fails, the floating IP address transitions to the HA peer.
    - Device 0 Priority: Set the priority for the firewall with Device ID 0 to determine which firewall
      will own the floating IP address. A firewall with the lowest value will have the highest priority.
    - Device 1 Priority: Set the priority for the firewall with Device ID 1 to determine which firewall
      will own the floating IP address. A firewall with the lowest value will have the highest priority.
    - Failover address if link state is down: Use the failover address when the link state is down on the
      interface.
    - Floating IP bound to the Active-Primary HA device: Select this option to bind the floating IP
      address to the active-primary peer. In the event one peer fails, traffic is sent continuously to the
      active-primary peer even after the failed firewall recovers and becomes the active-secondary peer.
  • ARP Load Sharing: Enter an IP address that will be shared by the HA pair and provide gateway services
    for hosts. This option is only required if the firewall is on the same broadcast domain as the hosts.
    Select the Device Selection Algorithm:
    - IP Modulo: Select the firewall that will respond to ARP requests based on the parity of the ARP
      requester's IP address.
    - IP Hash: Select the firewall that will respond to ARP requests based on a hash of the ARP
      requester's IP address.
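The IP Modulo and IP Hash choices above (for Session Setup and for ARP Load Sharing) decide which peer handles a given host, so it helps to see how a real address block splits across Device ID 0 and 1. The following added example (not PAN-OS code) implements parity-based selection exactly as described and an illustrative seeded hash; the hash function itself (SHA-256 over the packed addresses and the seed) is an assumption, since the guide does not specify the firewall's algorithm, and the host addresses are constructed.

```python
"""Device selection by IP Modulo and IP Hash (added example; not PAN-OS code).

The guide describes IP Modulo as selecting the peer from the parity of the relevant IP
address and IP Hash as selecting it from a hash of the source (or source and destination)
address plus an optional seed. The hash used here (SHA-256 over the packed addresses and
the seed) is an assumption for illustration only. Sample addresses are constructed.
"""
import hashlib
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Optional


def ip_modulo_device(ip: str) -> int:
    """Return Device ID 0 or 1 from the parity of the address (IPv4 or IPv6)."""
    return int(ipaddress.ip_address(ip)) % 2


def ip_hash_device(src_ip: str, dst_ip: Optional[str] = None, seed: int = 0) -> int:
    """Return Device ID 0 or 1 from a hash of the source (and optionally destination) address.

    `seed` plays the role of the hash seed value the guide mentions for extra randomization.
    """
    h = hashlib.sha256()
    h.update(ipaddress.ip_address(src_ip).packed)
    if dst_ip is not None:
        h.update(ipaddress.ip_address(dst_ip).packed)
    h.update(seed.to_bytes(4, "big"))
    return int.from_bytes(h.digest(), "big") % 2


def distribute(hosts: Iterable[str], algorithm: str, seed: int = 0) -> Dict[int, int]:
    """Count how many hosts each peer would serve under the chosen algorithm."""
    if algorithm == "ip-modulo":
        def chooser(ip: str) -> int:
            return ip_modulo_device(ip)
    elif algorithm == "ip-hash":
        def chooser(ip: str) -> int:
            return ip_hash_device(ip, seed=seed)
    else:
        raise ValueError("algorithm must be 'ip-modulo' or 'ip-hash'")
    counts = Counter(chooser(ip) for ip in hosts)
    return {0: counts.get(0, 0), 1: counts.get(1, 0)}


# Constructed LAN: 192.0.2.10 .. 192.0.2.29 (even and odd addresses alternate).
SAMPLE_HOSTS = [f"192.0.2.{i}" for i in range(10, 30)]

if __name__ == "__main__":
    print("ip-modulo:", distribute(SAMPLE_HOSTS, "ip-modulo"))   # {0: 10, 1: 10}
    print("ip-hash  :", distribute(SAMPLE_HOSTS, "ip-hash", seed=1))
```

Note that with IP Modulo a subnet whose hosts are mostly even (for example, DHCP pools handed out in steps of two) lands on one peer, which is the case the hash seed is meant to smooth out.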

Operational Commands

Suspend local device (or Make local device functional)
  Places the HA peer in a suspended state, and temporarily disables HA functionality on the firewall. If
  you suspend the currently active firewall, the other peer will take over.
  To place a suspended firewall back into a functional state, use the following operational mode CLI
  command:
  request high-availability state functional
  To test failover, you can either uncable the active (or active-primary) firewall or you can click this
  link to suspend the active firewall.

Device > Config Audit

Select Device > Config Audit to see the differences between configuration files. The page displays the
configurations side by side in separate panes and highlights the differences line by line using colors to
indicate additions (green), modifications (yellow), or deletions (red):

Config Audit Settings    Description

Configuration name drop-downs (unlabeled)
  Select two configurations to compare in the (unlabeled) configuration name drop-downs (the defaults are
  Running config and Candidate config).
  You can filter a drop-down by entering a text string derived from the Description value of the commit
  operation associated with the desired configuration (see Commit Changes).

Context drop-down
  Use the Context drop-down to specify the number of lines to display before and after the highlighted
  differences in each file. Specifying more lines can help you correlate the audit results to settings in
  the web interface. If you set the Context to All, the results include the entire configuration files.

Go
  Click Go to start the audit.

Previous and Next arrows
  These navigation arrows are enabled when consecutive configuration versions are selected in the
  configuration name drop-downs. Click the Previous arrow to compare the previous pair of configurations
  in the drop-downs or click the Next arrow to compare the next pair of configurations.
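An offline equivalent of the audit is useful when reviewing exported configurations, for example as part of a change-control check. The following added example (not PAN-OS code) classifies line differences between two constructed configuration snippets into the same three kinds the page colours (additions, modifications, deletions) and trims unchanged lines to a chosen number of context lines, with None standing for the Context setting All.

```python
"""Config audit of two configurations with context lines (added example; not PAN-OS code).

Mirrors the classification the Config Audit page uses: additions, modifications and
deletions, with a configurable number of context lines around each difference (None for
the 'All' setting). The two configuration snippets are constructed.
"""
import difflib
from typing import List, Optional, Tuple

RUNNING = """\
<config>
  <deviceconfig>
    <system>
      <hostname>fw-edge-01</hostname>
      <ntp-servers>pool.ntp.org</ntp-servers>
    </system>
  </deviceconfig>
  <mgt-config>
    <users><entry name="admin"/></users>
  </mgt-config>
</config>
""".splitlines()

CANDIDATE = """\
<config>
  <deviceconfig>
    <system>
      <hostname>fw-edge-01</hostname>
      <ntp-servers>time.example.net</ntp-servers>
      <login-banner>Authorized use only</login-banner>
    </system>
  </deviceconfig>
  <mgt-config>
    <users><entry name="admin"/><entry name="auditor"/></users>
  </mgt-config>
</config>
""".splitlines()

# (kind, left line or None, right line or None); kind is one of the page's three colours,
# "equal" for context, or "skip" where unchanged lines were trimmed.
Change = Tuple[str, Optional[str], Optional[str]]


def audit(left: List[str], right: List[str], context: Optional[int] = 3) -> List[Change]:
    """Line-by-line comparison; context=None keeps every unchanged line (Context: All)."""
    opcodes = difflib.SequenceMatcher(a=left, b=right, autojunk=False).get_opcodes()
    rows: List[Change] = []
    last = len(opcodes) - 1
    for k, (tag, i1, i2, j1, j2) in enumerate(opcodes):
        if tag == "equal":
            pairs: List[Change] = [("equal", left[i], right[j])
                                   for i, j in zip(range(i1, i2), range(j1, j2))]
            if context is not None:
                # Keep the tail of this block as leading context for the next change and its
                # head as trailing context for the previous one; neither at the file edges.
                head = pairs[:context] if k > 0 else []
                tail = pairs[max(0, len(pairs) - context):] if k < last else []
                if len(head) + len(tail) < len(pairs):
                    pairs = head + [("skip", None, None)] + tail
            rows.extend(pairs)
        elif tag == "replace":
            # Pair lines up as modifications; any surplus on one side is a deletion/addition.
            for i, j in zip(range(i1, i2), range(j1, j2)):
                rows.append(("modification", left[i], right[j]))
            rows.extend(("deletion", left[i], None) for i in range(i1 + (j2 - j1), i2))
            rows.extend(("addition", None, right[j]) for j in range(j1 + (i2 - i1), j2))
        elif tag == "delete":
            rows.extend(("deletion", left[i], None) for i in range(i1, i2))
        elif tag == "insert":
            rows.extend(("addition", None, right[j]) for j in range(j1, j2))
    return rows


def summary(rows: List[Change]) -> dict:
    """Count each kind of change, the way the coloured panes make them visible at a glance."""
    kinds = ("modification", "addition", "deletion")
    return {kind: sum(1 for r in rows if r[0] == kind) for kind in kinds}


if __name__ == "__main__":
    for kind, old, new in audit(RUNNING, CANDIDATE, context=1):
        print(f"{kind:12} | {old or '':55} | {new or ''}")
    print(summary(audit(RUNNING, CANDIDATE)))   # {'modification': 2, 'addition': 1, 'deletion': 0}
```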

Device > Password Profiles

Device > Password Profiles
Panorama > Password Profiles
Select Device > Password Profiles or Panorama > Password Profiles to set basic password requirements for
individual local accounts. Password profiles override any Minimum Password Complexity settings you
defined for all local accounts (Device > Setup > Management).
To apply a password profile to an account, select Device > Administrators (for firewalls) or Panorama >
Administrators (for Panorama), select an account, and then select the Password Profile.

You cannot assign password profiles to administrative accounts that use local database authentication (see
Device > Local User Database > Users).

To create a password profile, Add one and specify the information in the following table.

Password Profile Settings    Description

Name
  Enter a name to identify the password profile (up to 31 characters). The name is case-sensitive and must
  be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Required Password Change Period (days)
  Require that administrators change their password on a regular basis, specified as a number of days
  (range is 0 to 365). For example, if the value is set to 90, administrators will be prompted to change
  their password every 90 days. You can also set an expiration warning from 0 to 30 days and specify a
  grace period.

Expiration Warning Period (days)
  If a required password change period is set, this setting can be used to prompt the user to change their
  password at each login as the forced password change date approaches (range is 0 to 30).

Post Expiration Admin Login Count
  Allow the administrator to log in a specified number of times after their account has expired. For
  example, if the value is set to 3 and their account has expired, they can log in 3 more times before
  their account is locked out (range is 0 to 3).

Post Expiration Grace Period (days)
  Allow the administrator to log in the specified number of days after their account has expired (range is
  0 to 30).

Username and Password Requirements

The following table lists the valid characters that can be used in usernames and passwords for PAN-OS and
Panorama accounts.

Account Type    Username and Password Restrictions

Password Character Set
  There are no restrictions on any password field character sets.

Remote Admin, SSL-VPN, or Captive Portal
  The following characters are not allowed for the username:
  • Backtick (`)
  • Angle brackets (< and >)
  • Ampersand (&)
  • Asterisk (*)
  • At sign (@)
  • Question mark (?)
  • Pipe (|)
  • Single quote (')
  • Semicolon (;)
  • Double quote (")
  • Dollar ($)
  • Parentheses ( ( and ) )
  • Colon (:)

Local Administrator Accounts
  The following are the allowed characters for local usernames:
  • Lowercase (a-z)
  • Uppercase (A-Z)
  • Numeric (0-9)
  • Underscore (_)
  • Period (.)
  • Hyphen (-)
  Login names cannot start with a hyphen (-).
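Provisioning scripts that create accounts from an HR feed or an IdP export should reject names the firewall would refuse (or, worse, that would be mangled by an intermediate shell or XML layer) before pushing them. The following added example (not PAN-OS code) encodes the two rules in the table above; the 31-character limit on local administrator names is taken from the Device > Administrators table, and the sample names are constructed.

```python
"""Username checks from the Username and Password Requirements table (added example; not PAN-OS code).

Two rules appear on the page: remote admin, SSL-VPN and Captive Portal usernames may not
contain a listed set of characters, and local administrator usernames are restricted to
letters, digits, underscore, period and hyphen and may not start with a hyphen. The
31-character limit for local administrator names comes from the Device > Administrators table.
"""
import re
from typing import List

# Backtick, angle brackets, ampersand, asterisk, at sign, question mark, pipe, single quote,
# semicolon, double quote, dollar, parentheses and colon, as listed for remote accounts.
REMOTE_FORBIDDEN = set("`<>&*@?|';\"$():")

# Local administrator names: first character may not be a hyphen; 31 characters in total.
LOCAL_NAME_RE = re.compile(r"[A-Za-z0-9_.][A-Za-z0-9_.-]{0,30}")


def check_remote_username(name: str) -> List[str]:
    """Return the forbidden characters present in a remote admin / SSL-VPN / Captive Portal name."""
    return sorted(set(name) & REMOTE_FORBIDDEN)


def remote_username_ok(name: str) -> bool:
    return bool(name) and not check_remote_username(name)


def local_admin_username_ok(name: str) -> bool:
    return LOCAL_NAME_RE.fullmatch(name) is not None


def explain(name: str, account_type: str) -> str:
    """Human-readable verdict for a provisioning log; account_type is 'remote' or 'local'."""
    if account_type == "remote":
        bad = check_remote_username(name)
        return "ok" if name and not bad else f"rejected: forbidden characters {bad}"
    if account_type == "local":
        if not name:
            return "rejected: empty name"
        if name.startswith("-"):
            return "rejected: login names cannot start with a hyphen"
        if len(name) > 31:
            return "rejected: longer than 31 characters"
        if not local_admin_username_ok(name):
            return "rejected: only letters, numbers, underscore, period and hyphen are allowed"
        return "ok"
    raise ValueError("account_type must be 'remote' or 'local'")


if __name__ == "__main__":
    # Constructed sample names drawn from a hypothetical provisioning feed.
    for candidate in ["alice.smith", "bob@example.com", "o'neil", "svc_backup-01", "-admin", "admin$"]:
        print(f"{candidate:18} remote={explain(candidate, 'remote'):45} local={explain(candidate, 'local')}")
```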

Device > Administrators

Administrator accounts control access to firewalls and Panorama. A firewall administrator can have full or
read-only access to a single firewall or to a virtual system on a single firewall. Firewalls have a
predefined admin account that has full access.

To define Panorama administrators, see Panorama > Managed Devices.

The following authentication options are supported:
• Password authentication: The administrator enters a username and password to log in. This
  authentication requires no certificates. You can use it in conjunction with authentication profiles, or
  for local database authentication.
• Client certificate authentication (web): This authentication requires no username or password; the
  certificate suffices to authenticate access to the firewall.
• Public key authentication (SSH): The administrator generates a public/private key pair on the machine
  that requires access to the firewall, and then uploads the public key to the firewall to allow secure
  access without requiring the administrator to enter a username and password.
To add an administrator, click Add and fill in the following information:

Administrator Account Settings    Description

Name
  Enter a login name for the administrator (up to 31 characters). The name is case-sensitive and must be
  unique. Use only letters, numbers, hyphens, periods, and underscores. Login names cannot start with a
  hyphen (-).

Authentication Profile
  Select an authentication profile for administrator authentication. You can use this setting for RADIUS,
  TACACS+, LDAP, Kerberos, SAML, or local database authentication. For details, see Device >
  Authentication Profile.

Use only client certificate authentication (web)
  Select this option to use client certificate authentication for web access. If you select this option, a
  username and password are not required; the certificate is sufficient to authenticate access to the
  firewall.

New Password / Confirm New Password
  Enter and confirm a case-sensitive password for the administrator (up to 31 characters). You can also
  select Setup > Management to enforce a minimum password length.
  To ensure that the firewall management interface remains secure, we recommend that you periodically
  change administrative passwords using a mixture of lowercase letters, uppercase letters, and numbers.
  You can also configure Minimum Password Complexity settings for all administrators on the firewall.

Use Public Key Authentication (SSH)
  Select this option to use SSH public key authentication. Click Import Key and browse to select the
  public key file. The uploaded key appears in the read-only text area.
  Supported key file formats are IETF SECSH and OpenSSH. Supported key algorithms are DSA (1,024 bits) and
  RSA (768 to 4,096 bits).
  If the public key authentication fails, the firewall prompts the administrator for a username and
  password.

Role
  Assign a role to this administrator. The role determines what the administrator can view and modify.
  If you select Role Based, select a custom role profile from the drop-down. For details, see Device >
  Admin Roles.
  If you select Dynamic, you can select one of the following predefined roles:
  • Superuser: Has full access to the firewall and can define new administrator accounts and virtual
    systems. You must have superuser privileges to create an administrative user with superuser
    privileges.
  • Superuser (read-only): Has read-only access to the firewall.
  • Device administrator: Has full access to all firewall settings except for defining new accounts or
    virtual systems.
  • Device administrator (read-only): Has read-only access to all firewall settings except password
    profiles (no access) and administrator accounts (only the logged-in account is visible).
  • Virtual system administrator: Has full access to specific virtual systems on the firewall (if multiple
    virtual systems are enabled).
  • Virtual system administrator (read-only): Has read-only access to specific virtual systems on the
    firewall (if multiple virtual systems are enabled).

Virtual System (Virtual system administrator role only)
  Click Add to select the virtual systems that the administrator can manage.

Password Profile
  Select the password profile, if applicable. To create a new password profile, see Device > Password
  Profiles.

Device > Admin Roles

Select Device > Admin Roles to define Admin Role profiles, which are custom roles that determine the access
privileges and responsibilities of administrative users. You assign Admin Role profiles or dynamic roles
when you create administrator accounts (Device > Administrators).

To define Admin Role profiles for Panorama administrators, see Panorama > Managed Devices.

The firewall has three predefined roles you can use for common criteria purposes. You first use the
superuser role for initial firewall configuration and to create the administrator accounts for the Security
Administrator, Audit Administrator, and Cryptographic Administrator. After you create these accounts and
apply the proper common criteria Admin Roles, you then log in using those accounts. The default superuser
account in Federal Information Processing Standard (FIPS)/Common Criteria (CC) FIPS-CC mode is admin and
has a default password of paloalto. In standard operating mode, the default admin password is admin. The
predefined Admin Roles were created so that there is no overlap in capabilities, except that all have
read-only access to the audit trail (the audit administrator has full read/delete access). These admin
roles cannot be modified and are defined as follows:
• auditadmin: The Audit Administrator is responsible for the regular review of the firewall's audit data.
• cryptoadmin: The Cryptographic Administrator is responsible for the configuration and maintenance of
  cryptographic elements related to the establishment of secure connections to the firewall.
• securityadmin: The Security Administrator is responsible for all other administrative tasks (e.g.,
  creating Security policy) not addressed by the other two administrative roles.
To add an Admin Role profile, click Add and specify the settings described in the following table.

Administrator Role Settings    Description

Name
  Enter a name to identify this administrator role (up to 31 characters). The name is case-sensitive and
  must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description
  (Optional) Enter a description for the role (up to 255 characters).

Role
  Select the scope of administrative responsibility:
  • Device: The role applies to the entire firewall, regardless of whether it has more than one virtual
    system (vsys).
  • Virtual System: The role applies to specific virtual systems on the firewall. You select the virtual
    systems when you create administrative accounts (Device > Administrators).

Web UI
  Click the icons for specific web interface features to set the permitted access privileges:
  • Enable: Read/write access to the selected feature.
  • Read Only: Read-only access to the selected feature.
  • Disable: No access to the selected feature.

XML API
  Click the icons for specific XML API features to set the permitted access privileges (Enable, Read Only,
  or Disable).

Command Line
  Select the type of role for CLI access. The default is None, which means access to the CLI is not
  permitted. The other options vary by Role scope:
  Device
  • superuser: Has full access to the firewall and can define new administrator accounts and virtual
    systems. You must have superuser privileges to create an administrative user with superuser
    privileges.
  • superreader: Has read-only access to the firewall.
  • deviceadmin: Has full access to all firewall settings except for defining new accounts or virtual
    systems.
  • devicereader: Has read-only access to all firewall settings except password profiles (no access) and
    administrator accounts (only the logged-in account is visible).
  Virtual System
  • vsysadmin: Has full access to specific virtual systems on the firewall.
  • vsysreader: Has read-only access to specific virtual systems on the firewall.

Device > Access Domain

Device > Access Domain
Configure access domains to restrict administrator access to specific virtual systems on the firewall. The
firewall supports access domains only if you use a RADIUS, TACACS+, or SAML identity provider (IdP) server
to manage administrator authentication and authorization. To enable access domains, you must define:
• A server profile for the external authentication server: See Device > Server Profiles > RADIUS, Device >
  Server Profiles > TACACS+, and Device > Server Profiles > SAML Identity Provider.
• RADIUS Vendor-Specific Attributes (VSAs), TACACS+ VSAs, or SAML attributes.
When an administrator attempts to log in to the firewall, the firewall queries the external server for the
access domain of the administrator. The external server returns the associated domain and the firewall then
restricts the administrator to the virtual systems that you specified in the access domain. If the firewall
does not use an external server for authenticating and authorizing administrators, the Device > Access
Domain settings are ignored.

On Panorama, you can manage access domains locally or by using RADIUS VSAs, TACACS+ VSAs, or SAML
attributes (see Panorama > Access Domains).

Access Domain Settings    Description

Name
  Enter a name for the access domain (up to 31 characters). The name is case-sensitive and must be unique.
  Use only letters, numbers, hyphens, underscores, and periods.

Virtual Systems
  Select virtual systems in the Available column and Add them.
  Access Domains are only supported on firewalls that support virtual systems.

Device > Authentication Profile

Use this page to configure settings for authenticating administrators and end users. The firewall and Panorama support local, RADIUS, TACACS+, LDAP, Kerberos, SAML 2.0, and multi-factor authentication (MFA) services.
You can also use this page to register a firewall or Panorama service (such as administrative access to the web interface) with a SAML identity provider (IdP). Registering the service enables the firewall or Panorama to use the IdP for authenticating users who request the service. You register a service by entering its SAML metadata on the IdP. The firewall and Panorama make registration easy by automatically generating a SAML metadata file based on the authentication profile that you assigned to the service; you can export this metadata file to the IdP.
- Configure an Authentication Profile
- Export SAML Metadata from an Authentication Profile

Configure an Authentication Profile

Device > Authentication Profile
Select Device > Authentication Profile or Panorama > Authentication Profile to manage authentication profiles. To create a new profile, Add one and complete the following fields.

After configuring an authentication profile, use the test authentication CLI command (for example, test authentication authentication-profile <profile-name> username <username> password, which then prompts for the password) to determine whether the firewall or Panorama management server can communicate with the back-end authentication server and whether the authentication request succeeded. You can perform authentication tests on the candidate configuration to determine whether the configuration is correct before you commit.

Authentication Profile Settings / Description

Name: Enter a name to identify the profile. The name is case-sensitive, can have up to 31 characters, and can include only letters, numbers, spaces, hyphens, underscores, and periods. The name must be unique in the current Location (firewall or virtual system) relative to other authentication profiles and to authentication sequences.
In a firewall that is in multiple virtual systems mode, if the Location of the authentication profile is a virtual system, don't enter the same name as an authentication sequence in the Shared location. Similarly, if the profile Location is Shared, don't enter the same name as a sequence in a virtual system. While you can commit an authentication profile and sequence with the same names in these cases, it can result in reference errors.

Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Authentication Tab
The firewall invokes the authentication service that you configure in this tab before invoking any multi-factor authentication (MFA) services that you add in the Factors tab.
If the firewall integrates with an MFA vendor through RADIUS instead of the vendor API, you must configure a RADIUS server profile for that vendor, not an MFA server profile.

Type: Select the type of service that provides the first (and optionally only) authentication challenge that users see. Based on your selection, the dialog displays other settings that you define for the service. The options are:
- None: Do not use any authentication.
- Local Database: Use the local authentication database on the firewall. This option is not available on Panorama.
- RADIUS: Use a Remote Authentication Dial-In User Service (RADIUS) server.
- TACACS+: Use a Terminal Access Controller Access-Control System Plus (TACACS+) server.
- LDAP: Use a Lightweight Directory Access Protocol (LDAP) server.
- Kerberos: Use a Kerberos server.
- SAML: Use a Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP). Administrators can use SAML to authenticate to the firewall or Panorama web interface but not to the CLI.

Server Profile (RADIUS, TACACS+, LDAP, or Kerberos only): Select the authentication server profile from the drop-down. See Device > Server Profiles > RADIUS, Device > Server Profiles > TACACS+, Device > Server Profiles > LDAP, or Device > Server Profiles > Kerberos.

IdP Server Profile (SAML only): Select the SAML Identity Provider server profile from the drop-down. See Device > Server Profiles > SAML Identity Provider.

Retrieve user group from RADIUS (RADIUS only): Select this option to collect user group information from Vendor-Specific Attributes (VSAs) defined on the RADIUS server. The firewall uses the information to match authenticating users against Allow List entries, not for enforcing policies or generating reports.

Retrieve user group from TACACS+ (TACACS+ only): Select this option to collect user group information from Vendor-Specific Attributes (VSAs) defined on the TACACS+ server. The firewall uses the information to match authenticating users against Allow List entries, not for enforcing policies or generating reports.

Login Attribute (LDAP only): Enter an LDAP directory attribute that uniquely identifies the user and functions as the login ID for that user.


Password Expiry Warning (LDAP only): If the authentication profile is for GlobalProtect users, enter the number of days before password expiration to start displaying notification messages to users to alert them that their passwords are expiring in x number of days. By default, notification messages will display seven days before password expiry (range is 1 to 255). Users will not be able to access the VPN if their passwords expire.
Consider configuring the GlobalProtect agents to use the pre-logon connection method. This will enable users to connect to the domain to change their passwords even after the password has expired.
If users allow their passwords to expire, the administrator can assign a temporary LDAP password to enable users to log in to the VPN. In this workflow, we recommend setting the Authentication Modifier in the portal configuration to Cookie authentication for config refresh (otherwise, the temporary password will be used to authenticate to the portal, but the gateway login will fail, preventing VPN access).

Certificate for Signing Requests (SAML only): Select the certificate that the firewall will use to sign SAML messages that it sends to the identity provider (IdP). This field is required if you enable the Sign SAML Message to IdP option in the IdP Server Profile (see Device > Server Profiles > SAML Identity Provider). Otherwise, selecting a certificate to sign SAML messages is optional.
When generating or importing a certificate and its associated private key, the key usage attributes specified in the certificate control how you can use the key:
- If the certificate explicitly lists key usage attributes, one of the attributes must be Digital Signature, which is not available in certificates that you generate on the firewall. In this case, you must Import the certificate and key from your enterprise certificate authority (CA) or a third-party CA.
- If the certificate doesn't specify key usage attributes, you can use the key for any purpose, including signing messages. In this case, you can use any method to obtain the certificate and key for signing SAML messages.
Palo Alto Networks recommends using a signing certificate to ensure the integrity of SAML messages sent to the IdP.

Enable Single Logout (SAML only): Select this option to enable users to log out of every authenticated service by logging out of any single service. Single logout (SLO) applies only to services that users accessed through SAML authentication. The services can be external to your organization or internal (such as the firewall web interface). This option applies only if you entered an Identity Provider SLO URL in the IdP Server Profile. You cannot enable SLO for Captive Portal users.
After logging out users, the firewall automatically removes their IP address-to-username mappings.

Certificate Profile (SAML only): Select the Certificate Profile that the firewall will use to validate:
- The Identity Provider Certificate specified in the IdP Server Profile. The IdP uses this certificate to authenticate to the firewall. The firewall validates the certificate when you Commit the authentication profile configuration.
- SAML messages that the IdP sends to the firewall for single sign-on (SSO) and single logout (SLO) authentication. The IdP uses the Identity Provider Certificate specified in the IdP Server Profile to sign the messages.
See Device > Certificate Management > Certificate Profile.


User Domain and Username Modifier (All authentication types except SAML): The firewall uses the User Domain for matching authenticating users against Allow List entries and for User-ID group mapping.
You can specify a Username Modifier to modify the domain/username string that a user enters during login. The firewall uses the modified string for authentication. Select from the following options:
- To send only the unmodified user input, leave the User Domain blank (default) and set the Username Modifier to the variable %USERINPUT% (default).
- To prepend a domain to the user input, enter a User Domain, and set the Username Modifier to %USERDOMAIN%\%USERINPUT%.
- To append a domain to the user input, enter a User Domain and set the Username Modifier to %USERINPUT%@%USERDOMAIN%.
If the Username Modifier includes the %USERDOMAIN% variable, the User Domain value replaces any domain string that the user enters. If you specify the %USERDOMAIN% variable and leave the User Domain blank, the firewall removes any user-entered domain string. The firewall resolves domain names to the appropriate NetBIOS name for User-ID group mapping. This applies to both parent and child domains. User Domain modifiers take precedence over automatically derived NetBIOS names.
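The following is an added example, not PAN-OS code: a small model of the User Domain and Username Modifier rules above, useful for predicting exactly which string reaches the back-end server for a given login. The function names (split_user_input, apply_username_modifier) and the sample inputs are the editor's own; the variables %USERINPUT% and %USERDOMAIN% and their semantics are taken from the text.

```python
# Added example (not PAN-OS code): models the User Domain / Username Modifier
# rules so you can see what string the firewall would hand to the backend.
import re

USERINPUT = "%USERINPUT%"
USERDOMAIN = "%USERDOMAIN%"


def split_user_input(user_input: str):
    """Return (domain, user) from 'DOMAIN\\user', 'user@domain' or a bare 'user'.

    A bare username yields an empty domain; only the first separator is honoured.
    """
    if "\\" in user_input:
        domain, _, user = user_input.partition("\\")
        return domain, user
    if "@" in user_input:
        user, _, domain = user_input.partition("@")
        return domain, user
    return "", user_input


def apply_username_modifier(user_input: str, user_domain: str = "",
                            modifier: str = USERINPUT) -> str:
    """Produce the string sent to the authentication server.

    - modifier %USERINPUT% (default): the raw input passes through unchanged,
      including any domain the user typed.
    - modifier containing %USERDOMAIN%: the configured User Domain replaces
      whatever domain the user typed; with a blank User Domain the typed
      domain is simply dropped.
    """
    entered_domain, user = split_user_input(user_input)
    if USERDOMAIN not in modifier:
        # Only %USERINPUT% present: send the unmodified input.
        return modifier.replace(USERINPUT, user_input)
    # %USERDOMAIN% present: the typed domain (entered_domain) is discarded.
    result = modifier.replace(USERINPUT, user)
    if user_domain:
        return result.replace(USERDOMAIN, user_domain)
    # Blank User Domain: remove the variable together with its separator,
    # e.g. "%USERDOMAIN%\%USERINPUT%" -> "user", "%USERINPUT%@%USERDOMAIN%" -> "user".
    result = re.sub(r"%USERDOMAIN%\\|@%USERDOMAIN%", "", result)
    return result.replace(USERDOMAIN, "")


if __name__ == "__main__":
    # Constructed sample logins for the three documented configurations.
    print(apply_username_modifier("corp\\alice"))
    print(apply_username_modifier("old\\alice", "businessinc", "%USERDOMAIN%\\%USERINPUT%"))
    print(apply_username_modifier("alice@old.example", "example.com", "%USERINPUT%@%USERDOMAIN%"))
```

The second call shows the behaviour the note warns about: the user typed old\alice, but because the modifier contains %USERDOMAIN%, the configured businessinc replaces it and the server sees businessinc\alice.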

Kerberos Realm (All authentication types except SAML): If your network supports Kerberos single sign-on (SSO), enter the Kerberos Realm (up to 127 characters). This is the portion of the user login name after the @ sign. For example, the user account name user@EXAMPLE.LOCAL has realm EXAMPLE.LOCAL.

Kerberos Keytab (All authentication types except SAML): If your network supports Kerberos single sign-on (SSO), click Import, click Browse to locate the keytab file, and then click OK. A keytab contains Kerberos account information (principal name and hashed password) for the firewall, which is required for SSO authentication. Each authentication profile can have one keytab. During authentication, the firewall first tries to use the keytab to establish SSO. If it succeeds and the user attempting access is in the Allow List, authentication succeeds immediately. Otherwise, the authentication process falls back to manual authentication (username/password) of the specified Type, which doesn't have to be Kerberos.
If the firewall is in FIPS/CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. However, if the algorithm in the keytab does not match the algorithm in the service ticket that the Ticket Granting Service issues to clients to enable SSO, the SSO process fails. Your Kerberos administrator determines which algorithms the service tickets use.

Username Attribute (SAML only): Enter the SAML attribute that identifies the username of an authenticating user in messages from the IdP (default is username). If the IdP Server Profile contains metadata that specifies a username attribute, the firewall automatically populates this field with that attribute. The firewall matches usernames retrieved from SAML messages with users and user groups in the Allow List of the authentication profile. Because you cannot configure the firewall to modify the domain/username string that a user enters during SAML logins, the login username must exactly match an Allow List entry. This is the only SAML attribute that is mandatory.
SAML messages might carry the username in the subject field. The firewall automatically checks the subject field if the username attribute doesn't carry the username.


User Group Attribute (SAML only): Enter the SAML attribute that identifies the user group of an authenticating user in messages from the IdP (default is usergroup). If the IdP Server Profile contains metadata that specifies a user group attribute, the field automatically uses that attribute. The firewall uses the group information to match authenticating users against Allow List entries, not for policies or reports.

Admin Role Attribute (SAML only): Enter the SAML attribute that identifies the administrator role of an authenticating user in messages from the IdP (default is admin-role). This attribute applies only to firewall administrators, not to end users. If the IdP Server Profile contains metadata that specifies an admin role attribute, the firewall automatically populates this field with that attribute. The firewall matches its predefined (dynamic) roles or Admin Role profiles with the roles retrieved from SAML messages to enforce role-based access control. If a SAML message has multiple admin role values for an administrator with only one role, matching applies only to the first (leftmost) value in the admin role attribute. For an administrator with more than one role, the matching can apply to multiple values in the attribute.

Access Domain Attribute (SAML only): Enter the SAML attribute that identifies the access domain of an authenticating user in messages from the IdP (default is access-domain). This attribute applies only to firewall administrators, not to end users. If the IdP Server Profile contains metadata that specifies an access domain attribute, the firewall automatically populates this field with that attribute. The firewall matches its locally configured access domains with those retrieved from SAML messages to enforce access control. If a SAML message has multiple access domain values for an administrator with only one access domain, matching applies only to the first (leftmost) value in the access domain attribute. For an administrator with more than one access domain, the matching can apply to multiple values in the attribute.

Factors Tab

Enable Additional Authentication Factors: Select this option if you want the firewall to invoke additional authentication factors (challenges) after users successfully respond to the first factor (specified in the Type field on the Authentication tab). This option is available only for end users, not for firewall administrators. After configuring an authentication profile that uses multi-factor authentication (MFA), you must assign it to an authentication enforcement object (Objects > Authentication) and assign the object to the Authentication policy rules (Policies > Authentication) that control access to your network resources.

Factors: Add an MFA server profile (Device > Server Profiles > Multi Factor Authentication) for each authentication factor that the firewall will invoke after users successfully respond to the first factor (specified in the Type field on the Authentication tab). The firewall invokes each factor in the top-to-bottom order in which you list the MFA services that provide the factors. To change the order, select a server profile and Move Up or Move Down. You can specify up to three additional factors. Each MFA service provides one factor. Some MFA services let users choose one factor from a list of several. The firewall integrates with these MFA services through vendor APIs.

Advanced Tab

Allow List: Click Add and select all or select the specific users and groups that can authenticate with this profile. When a user authenticates, the firewall matches the associated username or group against the entries in this list. If you don't add entries, no users can authenticate.
If you entered a User Domain value, you don't need to specify domains in the Allow List. For example, if the User Domain is businessinc and you want to add user admin1 to the Allow List, entering admin1 has the same effect as entering businessinc\admin1. You can specify groups that already exist in your directory service or specify custom groups based on LDAP filters.


Failed Attempts (All authentication types except SAML): Enter the number of failed successive login attempts (range is 0 to 10; default is 0) that the firewall allows before locking out the user account. A value of 0 specifies unlimited login attempts. Limiting login attempts can help protect against brute-force attacks.
If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the Failed Attempts is ignored and the user is never locked out.

Lockout Time (All authentication types except SAML): Enter the number of minutes (range is 0 to 60; default is 0) for which the firewall locks out a user account after the user reaches the number of Failed Attempts. A value of 0 means the lockout applies until an administrator manually unlocks the user account.
If you set the Lockout Time to a value other than 0 but leave the Failed Attempts at 0, the Lockout Time is ignored and the user is never locked out.

Export SAML Metadata from an Authentication Profile

Device > Authentication Profile
The firewall and Panorama can use a SAML identity provider (IdP) to authenticate users who request services. For administrators, the service can be access to the web interface. For end users, the service can be Captive Portal or GlobalProtect, which enable access to your network resources. To enable SAML authentication for a service, you must register that service by entering specific information about it on the IdP in the form of SAML metadata. The firewall and Panorama simplify registration by automatically generating a SAML metadata file based on the authentication profile that you assigned to the service, and you can export this metadata file to the IdP. Exporting the metadata is an easier alternative to typing the values for each metadata field in the IdP.

Some of the metadata in the exported file derives from the SAML IdP server profile assigned to the authentication profile (Device > Server Profiles > SAML Identity Provider). However, the exported file always specifies POST as the HTTP binding method, regardless of the method specified in the SAML IdP server profile. The IdP will use the POST method to send SAML messages to the firewall or Panorama.

To export SAML metadata from an authentication profile, click the SAML Metadata link in the Authentication column and complete the following fields. To import the metadata file into an IdP, refer to your IdP documentation.

SAML Metadata Export Settings / Description

Commands: Select the service for which you want to export SAML metadata:
- management (default): Provides administrator access to the web interface.
- captive-portal: Provides end-user access to network resources through Captive Portal.
- global-protect: Provides end-user access to network resources through GlobalProtect.
Your selection determines which other fields the dialog displays.

[Management | Captive Portal | GlobalProtect] Auth Profile: Enter the name of the authentication profile from which you are exporting metadata. The default value is the profile from which you opened the dialog by clicking the Metadata link.

Management Choice (Management only): Select an option for specifying an interface that is enabled for management traffic (such as the MGT interface):
- Interface: Select the interface from the list of interfaces on the firewall.
- IP Hostname: Enter the IP address or hostname of the interface. If you enter a hostname, the DNS server must have an address (A) record that maps to the IP address.

[Captive Portal | GlobalProtect] Virtual System (Captive Portal or GlobalProtect only): Select the virtual system for which the Captive Portal settings or GlobalProtect portal are defined.

IP Hostname (Captive Portal or GlobalProtect only): Enter the IP address or hostname of the service.
- Captive Portal: Enter the Redirect Host IP address or hostname (Device > User Identification > Captive Portal Settings).
- GlobalProtect: Enter the Hostname or IP Address of the GlobalProtect portal.
If you enter a hostname, the DNS server must have an address (A) record that maps to the IP address.
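The following is an added example, not PAN-OS code or the file the export dialog actually writes: it builds SAML 2.0 service-provider metadata of the kind described above for one firewall service and then checks the one property the text guarantees, that the assertion consumer endpoint is advertised with the HTTP-POST binding no matter what binding the IdP server profile uses. The entity ID layout and the /saml/<service>/acs and /slo paths are the editor's placeholders, not the values PAN-OS emits; the namespace and binding URIs are the standard SAML 2.0 ones.

```python
# Added example (not PAN-OS code): SP metadata in the shape an IdP expects,
# built with the standard library only. Endpoint paths are placeholders.
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SERVICES = ("management", "captive-portal", "global-protect")


def build_sp_metadata(service: str, host: str, profile: str,
                      idp_binding: str = BINDING_REDIRECT,
                      single_logout: bool = False) -> str:
    """Return SP metadata XML for one service exposed at `host`.

    `idp_binding` stands for the binding configured in the IdP server
    profile. It is accepted and deliberately ignored for the endpoints we
    advertise: the exported file always says HTTP-POST, as the text states.
    """
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r}")
    ET.register_namespace("md", NS_MD)
    base = f"https://{host}"
    # Assumed layout: the profile name is folded into the entityID so one
    # host can register several authentication profiles with the same IdP.
    entity_id = f"{base}/saml/{service}/{profile}"
    root = ET.Element(f"{{{NS_MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{NS_MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    if single_logout:
        # Only meaningful when the IdP server profile carries an SLO URL;
        # the text also says SLO cannot be enabled for Captive Portal users.
        ET.SubElement(sp, f"{{{NS_MD}}}SingleLogoutService", {
            "Binding": BINDING_POST, "Location": f"{base}/saml/{service}/slo"})
    ET.SubElement(sp, f"{{{NS_MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService", {
        "Binding": BINDING_POST, "Location": f"{base}/saml/{service}/acs",
        "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def acs_bindings(metadata_xml: str):
    """Bindings advertised on AssertionConsumerService elements: the check to
    run on any exported file before handing it to the IdP."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Binding")
            for e in root.iter(f"{{{NS_MD}}}AssertionConsumerService")]


if __name__ == "__main__":
    # Constructed input: a management-interface hostname and profile name.
    md = build_sp_metadata("management", "fw.example.com", "saml-admins",
                           idp_binding=BINDING_REDIRECT, single_logout=True)
    print(md)
    print(acs_bindings(md))
```

When reviewing a real export, run acs_bindings over it; a Redirect binding on the ACS would mean the IdP was configured from the server profile value rather than from the exported file.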

Device > Authentication Sequence
Panorama > Authentication Sequence
In some environments, user accounts reside in multiple directories (such as LDAP and RADIUS). An authentication sequence is a set of authentication profiles that the firewall tries to use for authenticating users when they log in. The firewall tries the profiles sequentially from the top of the list to the bottom, applying the authentication, Kerberos single sign-on, allow list, and account lockout values for each, until one profile successfully authenticates the user. The firewall only denies access if all profiles in the sequence fail to authenticate. For details on authentication profiles, see Device > Authentication Profile.

Authentication Sequence Settings / Description

Name: Enter a name to identify the sequence. The name is case-sensitive, can have up to 31 characters, and can include only letters, numbers, spaces, hyphens, underscores, and periods. The name must be unique in the current Location (firewall or virtual system) relative to other authentication sequences and to authentication profiles.
In a firewall that has multiple virtual systems, if the Location of the authentication sequence is a virtual system (vsys), don't enter the same name as an authentication profile in the Shared location. Similarly, if the sequence Location is Shared, don't enter the same name as a profile in a vsys. While you can commit an authentication sequence and profile with the same names in these cases, reference errors might occur.

Location: Select the scope in which the sequence is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the sequence, you can't change its Location.

Use domain to determine authentication profile: Select this option (selected by default) if you want the firewall to match the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile associated with the sequence and then use that profile to authenticate the user. The user input that the firewall uses for matching can be the text preceding the username (with a backslash separator) or the text following the username (with an @ separator). If the firewall does not find a match, it tries the authentication profiles in the sequence in top-to-bottom order.

Authentication Profiles: Click Add and select from the drop-down for each authentication profile you want to add to the sequence. To change the list order, select a profile and click Move Up or Move Down. To remove a profile, select it and click Delete.
You cannot add an authentication profile that specifies a multi-factor authentication (MFA) server profile or a Security Assertion Markup Language (SAML) Identity Provider server profile.
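The following is an added example, not PAN-OS code: a model of the sequence walk described above, combined with the per-profile Allow List, Failed Attempts and Lockout Time settings from the authentication profile page. The class and function names (AuthProfile, sequence_authenticate, split_domain) are the editor's own, and each profile's back-end is a constructed username/password dictionary standing in for LDAP or RADIUS. Two choices are assumptions, not statements from the text: when "Use domain to determine authentication profile" finds a matching User Domain, the model consults only that profile, and lockout is counted only when both Failed Attempts and Lockout Time are non-zero, because the page's two notes about a zero value in one of them contradict each other and the example does not try to settle that.

```python
# Added example (not PAN-OS code): authentication sequence walk with
# per-profile allow list and lockout. Backends are constructed dictionaries.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def split_domain(user_input: str) -> Tuple[str, str]:
    """'DOMAIN\\user' or 'user@domain' -> (domain, user); bare user -> ('', user)."""
    if "\\" in user_input:
        domain, _, user = user_input.partition("\\")
        return domain, user
    if "@" in user_input:
        user, _, domain = user_input.partition("@")
        return domain, user
    return "", user_input


@dataclass
class AuthProfile:
    name: str
    user_domain: str = ""                     # User Domain or Kerberos Realm
    allow_list: List[str] = field(default_factory=list)  # "all" or usernames
    failed_attempts: int = 0                  # 0 = unlimited attempts
    lockout_minutes: int = 0                  # 0 = manual unlock (see lead-in)
    credentials: Dict[str, str] = field(default_factory=dict)  # stand-in backend
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def allowed(self, user: str) -> bool:
        return "all" in self.allow_list or user in self.allow_list

    def locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def authenticate(self, user: str, password: str, now: float) -> bool:
        """One profile's verdict: lockout state, allow list, backend check,
        then lockout bookkeeping on failure."""
        if self.locked(user, now) or not self.allowed(user):
            return False
        if self.credentials.get(user) == password:
            self.failures.pop(user, None)      # success resets the counter
            return True
        # Assumption: count towards lockout only when both settings are non-zero.
        if self.failed_attempts and self.lockout_minutes:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= self.failed_attempts:
                self.locked_until[user] = now + self.lockout_minutes * 60
                self.failures.pop(user, None)
        return False


def sequence_authenticate(profiles: List[AuthProfile], user_input: str,
                          password: str, now: float = 0.0,
                          use_domain: bool = True) -> Optional[str]:
    """Return the name of the profile that authenticated the user, or None.

    With use_domain=True and a typed domain that matches a profile's User
    Domain, only that profile is consulted (assumption, see lead-in). With no
    match, or no typed domain, the profiles are tried top to bottom.
    """
    domain, user = split_domain(user_input)
    order = list(profiles)
    if use_domain and domain:
        matched = [p for p in profiles
                   if p.user_domain.lower() == domain.lower()]
        if matched:
            order = matched[:1]
    for profile in order:
        if profile.authenticate(user, password, now):
            return profile.name
    return None


if __name__ == "__main__":
    # Constructed sequence: a corp LDAP profile first, a legacy RADIUS profile second.
    ldap = AuthProfile("ldap-corp", user_domain="corp", allow_list=["all"],
                       failed_attempts=3, lockout_minutes=30,
                       credentials={"alice": "s3cret"})
    radius = AuthProfile("radius-legacy", allow_list=["bob", "alice"],
                         credentials={"bob": "hunter2", "alice": "other"})
    print(sequence_authenticate([ldap, radius], "corp\\alice", "s3cret"))
    print(sequence_authenticate([ldap, radius], "bob", "hunter2"))
```

Note the side effect the text implies when lockout values apply "for each" profile: a login that eventually succeeds on the second profile has still counted a failure against the user on the first, so a brute-force threshold on an early profile can lock a user out of it even while a later profile keeps accepting them.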

Device > VM Information Sources
Use this tab to proactively track changes on the virtual machines (VMs) deployed on any of these sources: VMware ESXi server, VMware vCenter server, or the Amazon Web Services Virtual Private Cloud (AWS VPC).

When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of using VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups.
Up to a maximum of 32 tags (from vCenter server and NSX Manager) can be registered to an IP address.

There are two ways to monitor VM Information Sources:
- The firewall can monitor the VMware ESXi server, VMware vCenter server, and the AWS VPC environments and retrieve changes as you provision or modify the guests configured on the monitored sources. For each firewall, or for each virtual system on a multiple-virtual-systems-capable firewall, you can configure up to 10 sources.
  If your firewalls are configured in a high availability configuration:
  - In an active/passive setup, only the active firewall monitors the VM information sources.
  - In an active/active setup, only the firewall with the priority value of primary monitors the VM information sources.
  For information on how VM Information Sources and Dynamic Address Groups can work synchronously and enable you to monitor changes in the virtual environment, refer to the VM-Series Deployment Guide.
- For IP address-to-user mapping, you can either configure the VM Information Sources on the Windows User-ID agent or on the firewall to monitor the VMware ESXi and vCenter server and retrieve changes as you provision or modify the guests configured on the server. Up to 100 sources are supported on the Windows User-ID agent; support for AWS is not available for the User-ID agent.

Each VM on a monitored ESXi or vCenter server must have VMware Tools installed and running. VMware Tools provide the capability to glean the IP address(es) and other values assigned to each VM.


To collect the values assigned to the monitored VMs, the firewall monitors the attributes in the following table.

Attributes Monitored on a VMware Source:
- UUID
- Name
- Guest OS
- VM State (the power state can be poweredOff, poweredOn, standBy, and unknown)
- Annotation
- Version
- Network: Virtual Switch Name, Port Group Name, and VLAN ID
- Container Name: vCenter Name, Data Center Object Name, Resource Pool Name, Cluster Name, Host, Host IP address

Attributes Monitored on the AWS VPC:
- Architecture
- Guest OS
- Image ID
- Instance ID
- Instance State
- Instance Type
- Key Name
- Placement: Tenancy, Group Name, Availability Zone
- Private DNS Name
- Public DNS Name
- Subnet ID
- Tag (key, value) (up to 18 tags supported per instance)
- VPC ID

- Add: To add a new source for VM Monitoring, click Add and then fill in the details based on the source being monitored:
  - For VMware ESXi or vCenter Server, see Settings to Enable VM Information Sources for VMware ESXi or vCenter Server.
  - For AWS VPC, see Settings to Enable VM Information Sources for AWS VPC.
- Refresh Connected: Click to refresh the connection status; it refreshes the on-screen display. This option does not refresh the connection between the firewall and the monitored sources.
- Delete: Select a configured VM Information source and click to remove the configured source.

Settings to Enable VM Information Sources for VMware ESXi or vCenter Server

Name: Enter a name to identify the monitored source (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Type: Select whether the host/source being monitored is an ESXi server or vCenter server.

Description: (Optional) Add a label to identify the location or function of the source.

Port: Specify the port on which the host/source is listening (default port 443).

Enabled: By default the communication between the firewall and the configured source is enabled.
The connection status between the monitored source and the firewall displays in the interface as follows:
- Connected
- Disconnected
- Pending; the connection status also displays as yellow when the monitored source is disabled.
Clear the Enabled option to disable communication between the host and the firewall.


Timeout: Enter the interval in hours after which the connection to the monitored source is closed if the host does not respond (range is 2 to 10; default is 2).
(Optional) To change the default value, select this option to Enable timeout when the source is disconnected and specify the value. When the specified limit is reached, or if the host is inaccessible or the host does not respond, the firewall will close the connection to the source.

Source: Enter the FQDN or the IP address of the host/source being monitored.

Username: Specify the username required to authenticate to the source.

Password: Enter the password and confirm your entry.

Update Interval: Specify the interval, in seconds, at which the firewall retrieves information from the source (range is 5 to 600; default is 5).

Settings to Enable VM Information Sources for AWS VPC

Name: Enter a name to identify the monitored source (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Type: Select AWS VPC.

Description: (Optional) Add a label to identify the location or function of the source.

Enabled: By default the communication between the firewall and the configured source is enabled.
The connection status between the monitored source and the firewall displays in the interface as follows:
- Connected
- Disconnected
- Pending; the connection status also displays as yellow when the monitored source is disabled.
Clear the Enabled option to disable communication between the host and the firewall.

Source: Add the URI in which the Virtual Private Cloud resides. For example, ec2.us-west-1.amazonaws.com.
The syntax is: ec2.<your_AWS_region>.amazonaws.com

Access Key ID: Enter the alphanumeric text string that uniquely identifies the user who owns or is authorized to access the AWS account.
This information is a part of the AWS Security Credentials. The firewall requires the credentials (Access Key ID and the Secret Access Key) to digitally sign API calls made to the AWS services. Because the firewall only reads instance attributes, use credentials for an IAM user limited to read-only EC2 describe permissions rather than an account-wide key.

Secret Access Key: Enter the secret access key that pairs with the Access Key ID and confirm your entry.

Update Interval: Specify the interval, in seconds, at which the firewall retrieves information from the source (range is 60 to 1,200; default is 60).


Timeout: The interval in hours after which the connection to the monitored source is closed if the host does not respond (default is 2).
(Optional) Select this option to Enable timeout when the source is disconnected. When the specified limit is reached, or if the source is inaccessible or the source does not respond, the firewall will close the connection to the source.

VPC ID: Enter the ID of the AWS VPC to monitor, for example, vpc-1a2b3c4d. Only EC2 instances that are deployed within this VPC are monitored.
If your account is configured to use a default VPC, the default VPC ID will be listed under AWS Account Attributes.

Device > Virtual Systems
A virtual system (vsys) is an independent (virtual) firewall instance that you can separately manage within a physical firewall. Each vsys can be an independent firewall with its own Security policy, interfaces, and administrators; a vsys enables you to segment the administration of all policies, reporting, and visibility functions that the firewall provides. For example, if you want to customize the security features for the traffic that is associated with your Finance department, you can define a Finance vsys and then define security policies that pertain only to that department. To optimize policy administration, you can maintain separate administrator accounts for overall firewall and network functions while creating vsys administrator accounts that allow access to individual vsys. This allows the vsys administrator in the Finance department to manage the security policies only for that department.
Networking functions, including static and dynamic routing, pertain to an entire firewall and all its vsys; vsys do not control firewall and network-level functions. For each vsys, you can specify a collection of physical and logical firewall interfaces (including VLANs and virtual wires) and security zones. If you require routing segmentation for each vsys, you must create/assign additional virtual routers and assign interfaces, VLANs, and virtual wires as needed.
If you use a Panorama template to define vsys, you can set one vsys as the default. The default vsys and Multiple Virtual Systems mode determine whether firewalls accept vsys-specific configurations during a template commit:
- Firewalls that are in Multiple Virtual Systems mode accept vsys-specific configurations for all vsys that are defined in the template.
- Firewalls that are not in Multiple Virtual Systems mode accept vsys-specific configurations only for the default vsys. If you do not set a vsys as the default, these firewalls accept no vsys-specific configurations.

PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls support multiple virtual systems; however, PA-3000 Series firewalls require a license for enabling multiple virtual systems. The PA-200, PA-220, PA-500, and PA-800 Series firewalls do not support multiple virtual systems.

Before enabling multiple vsys, consider the following:
- A vsys administrator creates and manages all items needed for policies.
- Zones are objects within vsys. Before defining a policy or policy object, select the Virtual System from the drop-down on the Policies or Objects tab.
- You can set remote logging destinations (SNMP, syslog, and email), applications, services, and profiles to be available to all vsys (shared) or to a single vsys.
- You can configure global (to all vsys on a firewall) or vsys-specific service routes (see Device > Setup > Services).
Before defining vsys, you must first enable the multiple vsys capability on the firewall: select Device > Setup > Management, edit the General Settings, select Multi Virtual System Capability, and click OK. This adds a Device > Virtual Systems page. Select the page, click Add, and specify the following information.

Virtual System Settings / Description

ID: Enter an integer identifier for the vsys. Refer to the datasheet for your firewall model for information on the number of supported vsys.
If you use a Panorama template to configure the vsys, this field does not appear.


Name: Enter a name (up to 31 characters) to identify the vsys. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
If you use a Panorama template to push vsys configurations, the vsys name in the template must match the vsys name on the firewall.

Allow Forwarding of Decrypted Content: Select this option to allow the virtual system to forward decrypted content to an outside service when port mirroring or sending WildFire files for analysis. For information on Decryption Port Mirroring, see Decryption Port Mirroring.

General Tab: Select a DNS Proxy object if you want to apply DNS proxy rules to this vsys. See Network > DNS Proxy.
To include objects of a particular type, select that type (interface, VLAN, virtual wire, virtual router, or visible virtual system), click Add, and select the object from the drop-down. You can add one or more objects of any type. To remove an object, select it and click Delete.

Resource Tab: Specify the resource limits allowed for this vsys:
- Sessions Limit: Maximum number of sessions.
- Security Rules: Maximum number of security rules.
- NAT Rules: Maximum number of NAT rules.
- Decryption Rules: Maximum number of decryption rules.
- QoS Rules: Maximum number of QoS rules.
- Application Override Rules: Maximum number of application override rules.
- Policy Based Forwarding Rules: Maximum number of policy-based forwarding (PBF) rules.
- Captive Portal Rules: Maximum number of captive portal (CP) rules.
- DoS Protection Rules: Maximum number of denial-of-service (DoS) rules.
- Site to Site VPN Tunnels: Maximum number of site-to-site VPN tunnels.
- Concurrent GlobalProtect Tunnels: Maximum number of concurrent remote GlobalProtect users.

Device > Shared Gateways

Shared gateways allow multiple virtual systems to share a single interface for external communication (typically connected to a common upstream network such as an Internet Service Provider). All of the virtual systems communicate with the outside world through the physical interface using a single IP address. A single virtual router is used to route traffic for all of the virtual systems through the shared gateway.
Shared gateways use Layer 3 interfaces, and at least one Layer 3 interface must be configured as a shared gateway. Communications originating in a virtual system and exiting the firewall through a shared gateway require similar policy to communications passing between two virtual systems. You could configure an External vsys zone to define security rules in the virtual system.

Shared Gateway Settings    Description

ID: Identifier for the gateway (not used by the firewall).

Name: Enter a name for the shared gateway (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. Only the name is required.

DNS Proxy: (Optional) If a DNS proxy is configured, select which DNS server(s) to use for domain name queries.

Interfaces: Select the interfaces the shared gateway will use.

Device > Certificate Management

- Device > Certificate Management > Certificates
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion

Device > Certificate Management > Certificates

Select Device > Certificate Management > Certificates > Device Certificates to manage (generate, import, renew, delete, and revoke) certificates, which are used to secure communication across a network. You can also export and import the high availability (HA) key that secures the connection between HA peers on the network. Select Device > Certificate Management > Certificates > Default Trusted Certificate Authorities to view, enable, and disable the certificate authorities (CAs) that the firewall trusts.

For more information on how to implement certificates on the firewall and Panorama, refer to Certificate Management.

- Manage Firewall and Panorama Certificates
- Manage Default Trusted Certificate Authorities
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Master Key and Diagnostics

Manage Firewall and Panorama Certificates

- Device > Certificate Management > Certificates > Device Certificates
- Panorama > Certificate Management > Certificates
Select Device > Certificate Management > Certificates > Device Certificates or Panorama > Certificate Management > Certificates > Device Certificates to display the certificates that the firewall or Panorama uses for tasks such as securing access to the web interface, SSL decryption, or LSVPN.
The following are some uses for certificates. Define the usage of the certificate after you generate it (see Manage Default Trusted Certificate Authorities).
- Forward Trust: The firewall uses this certificate to sign a copy of the server certificate that the firewall presents to clients during SSL Forward Proxy decryption when the certificate authority (CA) that signed the server certificate is in the trusted CA list on the firewall.
- Forward Untrust: The firewall uses this certificate to sign a copy of the server certificate the firewall presents to clients during SSL Forward Proxy decryption when the CA that signed the server certificate is not in the trusted CA list on the firewall.
- Trusted Root CA: The firewall uses this certificate as a trusted CA for SSL Forward Proxy decryption, GlobalProtect, URL Admin Override, and Captive Portal. The firewall has a large list of existing trusted CAs. The trusted root CA certificate is for additional CAs that your organization trusts but that are not part of the pre-installed trusted list.
- SSL Exclude: The firewall uses this certificate if you configure decryption exceptions to exclude specific servers from SSL/TLS decryption.
- Certificate for Secure Syslog: The firewall uses this certificate to secure the delivery of logs as syslog messages to a syslog server.

To generate a certificate, click Generate and specify the following fields:

Settings to Generate a Certificate    Description

Certificate Type: Select the entity that generates the certificate:
- Local: The firewall or Panorama generates the certificate.
- SCEP: A Simple Certificate Enrollment Protocol (SCEP) server generates the certificate and sends it to the firewall or Panorama.

Certificate Name: (Required) Enter a name (up to 31 characters) to identify the certificate. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

SCEP Profile: (SCEP certificates only) Select a SCEP Profile to define how the firewall or Panorama communicates with a SCEP server and to define settings for the SCEP certificate. For details, see Device > Certificate Management > SCEP.
You can configure a firewall that serves as a GlobalProtect portal to request SCEP certificates on demand and automatically deploy the certificates to endpoints.
The remaining fields in the Generate Certificate dialog do not apply to SCEP certificates. After specifying the Certificate Name and SCEP Profile, click Generate.

Common Name: (Required) Enter the IP address or FQDN that will appear on the certificate.

Shared: On a firewall that has more than one virtual system (vsys), select Shared if you want the certificate to be available to every vsys.

Signed By: To sign the certificate, you can use a certificate authority (CA) certificate that you imported into the firewall. The certificate can also be self-signed, in which case the firewall is the CA. If you are using Panorama, you also have the option of generating a self-signed certificate for Panorama.
If you imported CA certificates or issued any on the firewall (self-signed), the drop-down includes the CAs available to sign the certificate that you are creating.
To generate a certificate signing request (CSR), select External Authority (CSR). After the firewall generates the certificate and the key pair, you can export the CSR and send it to the CA for signing.

Certificate Authority: Select this option if you want the firewall to issue the certificate. Marking this certificate as a CA allows you to use this certificate to sign other certificates on the firewall.

OCSP Responder: Select an OCSP responder profile from the drop-down (see Device > Certificate Management > OCSP Responder). The corresponding host name appears in the certificate.

Algorithm: Select a key generation algorithm for the certificate: RSA or Elliptic Curve DSA (ECDSA).
ECDSA uses smaller key sizes than the RSA algorithm and, therefore, provides a performance enhancement for processing SSL/TLS connections. ECDSA also provides equal or greater security than RSA. ECDSA is recommended for client browsers and operating systems that support it, but you may be required to select RSA for compatibility with legacy browsers and operating systems.
Firewalls running PAN-OS 6.1 or earlier releases will delete any ECDSA certificates that you push from Panorama, and any RSA certificates signed by an ECDSA certificate authority (CA) will be invalid on those firewalls.

Number of Bits: Select the key length for the certificate.
If the firewall is in FIPS-CC mode and the key generation Algorithm is RSA, the RSA keys generated must be 2048 or 3027 bits. If the Algorithm is Elliptic Curve DSA, both key length options (256 and 384) work.

Digest: Select the Digest algorithm for the certificate. The available options depend on the key generation Algorithm:
- RSA: MD5, SHA1, SHA256, SHA384, or SHA512
- Elliptic Curve DSA: SHA256 or SHA384
If the firewall is in FIPS-CC mode and the key generation Algorithm is RSA, you must select SHA256, SHA384, or SHA512 as the Digest algorithm. If the Algorithm is Elliptic Curve DSA, both Digest algorithms (SHA256 and SHA384) work.

Expiration (days): Specify the number of days (default is 365) that the certificate will be valid.
If you specify a Validity Period in a GlobalProtect satellite configuration, that value will override the value entered in this field.

Certificate Attributes: Add additional Certificate Attributes to identify the entity to which you are issuing the certificate. You can add any of the following attributes: Country, State, Locality, Organization, Department, and Email. In addition, you can specify one of the following Subject Alternative Name fields: Host Name (SubjectAltName:DNS), IP (SubjectAltName:IP), and Alt Email (SubjectAltName:email).
To add a country as a certificate attribute, select Country from the Type column and then click into the Value column to see the ISO 6366 Country Codes.

If you configured a hardware security module (HSM), the private keys are stored on the external HSM storage, not on the firewall.

After you generate the certificate, its details display on the page.

Other Supported Actions to Manage Certificates    Description

Delete: Select the certificate and Delete it.
If the firewall has a decryption policy, you cannot delete a certificate for which usage is set to Forward Trust Certificate or Forward Untrust Certificate. To change the certificate usage, see Manage Default Trusted Certificate Authorities.

Revoke: Select the certificate that you want to revoke, and click Revoke. The certificate will be instantly set to revoked status. No commit is required.

Renew: In case a certificate expires or is about to expire, select the corresponding certificate and click Renew. Set the validity period (in days) for the certificate and click OK.
If the firewall is the CA that issued the certificate, the firewall replaces it with a new certificate that has a different serial number but the same attributes as the old certificate.
If an external certificate authority (CA) signed the certificate and the firewall uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, the firewall uses the OCSP responder information to update the certificate status.

Import: Import a certificate and configure as follows:
- Enter a Certificate Name to identify the certificate.
- Browse to the certificate file. If you import a PKCS12 certificate and private key, a single file contains both. If you import a PEM certificate, the file contains only the certificate.
- Select the File Format for the certificate.
- Select Private key resides on Hardware Security Module if an HSM stores the key for this certificate. For HSM details, see Device > Setup > HSM.
- Import private key as needed (PEM format only). If you selected PKCS12 as the certificate File Format, the selected Certificate File includes the key. If you selected the PEM format, browse to the encrypted private key file (generally named *.key). For both formats, enter the Passphrase and Confirm Passphrase.
When you import a certificate to a Palo Alto Networks firewall or Panorama server that is in FIPS-CC mode, you must import the certificate as a Base64 Encoded Certificate (PEM) and you must encrypt the private key with AES. Also, you must use SHA1 as the passphrase-based key derivation method.
To import a PKCS12 certificate, convert the certificate to the PEM format (using a tool such as OpenSSL); ensure that the password phrase you use during conversion is at least six characters.

Export: Select the certificate you want to export, click Export, and select a File Format:
- Encrypted Private Key and Certificate (PKCS12): The exported file will contain both the certificate and private key.
- Base64 Encoded Certificate (PEM): If you want to export the private key also, select Export Private Key and enter a Passphrase and Confirm Passphrase.
- Binary Encoded Certificate (DER): You can export only the certificate, not the key: ignore Export Private Key and passphrase fields.

Import HA Key / Export HA Key: The HA keys must be swapped across both firewall peers; that is, the key from firewall 1 must be exported and then imported into firewall 2, and vice versa.
To import keys for high availability (HA), click Import HA Key and Browse to specify the key file for import.
To export keys for HA, click Export HA Key and specify a location to save the file.

Define the usage of the certificate: In the Name column, select the certificate and then select options appropriate for how you plan to use the certificate.

Manage Default Trusted Certificate Authorities

Device > Certificate Management > Certificates > Default Trusted Certificate Authorities
Use this page to view, disable, or export the pre-included certificate authorities (CAs) that the firewall trusts. For each CA, the name, subject, issuer, expiration date, and validity status are displayed.
The CA certificates generated on the firewall don't appear in this list; they appear only on the Device > Certificate Management > Certificates > Device Certificates page.

Trusted Certificate Authorities Settings    Description

Enable: If you disabled a CA, you can re-Enable it.

Disable: Select the CA and Disable it. You might use this option to trust only specific CAs or to disable all other CAs and trust only your local CA.

Export: Select and Export the CA certificate. You can import it into another system or view the certificate offline.

Device > Certificate Management > Certificate Profile

- Device > Certificate Management > Certificate Profile
- Panorama > Certificate Management > Certificate Profiles
Certificate profiles define which certificate authority (CA) certificates to use for verifying client certificates, how to verify certificate revocation status, and how that status constrains access. You select the profiles when configuring certificate authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to firewalls and Panorama. You can configure a separate certificate profile for each of these services.

Certificate Profile Settings    Description

Name: (Required) Enter a name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Username Field: If GlobalProtect only uses certificates for portal and gateway authentication, PAN-OS uses the certificate field you select in the Username Field drop-down as the username and matches it to the IP address for the User-ID service:
- Subject: PAN-OS uses the common name.
- Subject Alt: PAN-OS uses the Email or Principal Name.
- None: Typically for GlobalProtect device or pre-login authentication.

Domain: Enter the NetBIOS domain so PAN-OS can map users through User-ID.

CA Certificates: (Required) Click Add and select a CA Certificate to assign to the profile.
Optionally, if the firewall uses Online Certificate Status Protocol (OCSP) to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
- By default, the firewall uses the OCSP responder URL (see Device > Certificate Management > OCSP Responder). To override the OCSP responder setting, enter a Default OCSP URL (starting with http:// or https://).
- By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.

Use CRL: Select this option to use a certificate revocation list (CRL) to verify the revocation status of certificates.

Use OCSP: Select this option to use OCSP to verify the revocation status of certificates.
If you select both OCSP and CRL, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is unavailable.

CRL Receive Timeout: Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from the CRL service.

OCSP Receive Timeout: Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from the OCSP responder.

Certificate Status Timeout: Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies any session-blocking logic you define.

Block session if certificate status is unknown: Select this option if you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall proceeds with the session.

Block sessions if certificate status cannot be retrieved within timeout: Select this option if you want the firewall to block sessions after it registers an OCSP or CRL request timeout. Otherwise, the firewall proceeds with the session.
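The revocation-check behaviour this table describes (OCSP first, CRL fallback only when the responder is unavailable, the three timeouts, and the two blocking options) as an added Python example; this is not PAN-OS code, and the OCSP responder and CRL fetch are constructed stand-ins.

```python
"""Revocation-status decision modelled on the Certificate Profile settings above.

Added example, not PAN-OS code. The OCSP and CRL lookups are constructed stand-ins;
the decision rules follow the table: OCSP first, CRL only when the OCSP responder is
unavailable, and optional blocking on an 'unknown' status or on a timeout.
"""
from dataclasses import dataclass
from typing import Callable, Tuple

# Outcomes a single revocation lookup can report (vocabulary for this example).
GOOD, REVOKED, UNKNOWN, UNAVAILABLE, TIMEOUT = "good", "revoked", "unknown", "unavailable", "timeout"

Lookup = Callable[[int], Tuple[str, float]]  # receive timeout -> (status, seconds spent)


@dataclass
class CertificateProfile:
    use_ocsp: bool = True
    use_crl: bool = True
    ocsp_receive_timeout: int = 5         # 1..60 seconds (OCSP Receive Timeout)
    crl_receive_timeout: int = 5          # 1..60 seconds (CRL Receive Timeout)
    certificate_status_timeout: int = 5   # 1..60 seconds (Certificate Status Timeout)
    block_if_status_unknown: bool = False
    block_if_status_not_retrieved: bool = False

    def __post_init__(self) -> None:
        for field in ("ocsp_receive_timeout", "crl_receive_timeout", "certificate_status_timeout"):
            if not 1 <= getattr(self, field) <= 60:
                raise ValueError(f"{field} must be between 1 and 60 seconds")


def make_lookup(status: str, latency: float) -> Lookup:
    """Constructed stand-in for an OCSP responder or CRL fetch: answers `status` after
    `latency` seconds, or reports a timeout once the receive timeout is exhausted."""
    def lookup(receive_timeout: int) -> Tuple[str, float]:
        if latency > receive_timeout:
            return TIMEOUT, float(receive_timeout)
        return status, latency
    return lookup


def decide_session(profile: CertificateProfile, ocsp: Lookup, crl: Lookup) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one client certificate under `profile`."""
    if not (profile.use_ocsp or profile.use_crl):
        return "allow", "no revocation checking configured"

    elapsed = 0.0
    if profile.use_ocsp:
        status, took = ocsp(profile.ocsp_receive_timeout)
        elapsed += took
        # Fall back to the CRL only when the responder could not be reached.
        if status in (UNAVAILABLE, TIMEOUT) and profile.use_crl:
            status, took = crl(profile.crl_receive_timeout)
            elapsed += took
    else:
        status, took = crl(profile.crl_receive_timeout)
        elapsed += took

    # Certificate Status Timeout caps the total wait across both services.
    if status in (UNAVAILABLE, TIMEOUT) or elapsed > profile.certificate_status_timeout:
        if profile.block_if_status_not_retrieved:
            return "block", "status not retrieved within timeout"
        return "allow", "status not retrieved; profile does not block"
    if status == REVOKED:
        return "block", "certificate revoked"
    if status == UNKNOWN:
        if profile.block_if_status_unknown:
            return "block", "revocation status unknown"
        return "allow", "revocation status unknown; profile does not block"
    return "allow", "certificate status good"
```

Note that with both blocking options left at their defaults a session whose status cannot be determined is allowed, which is the fail-open behaviour the table describes.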

Device > Certificate Management > OCSP Responder

Select Device > Certificate Management > OCSP Responder to define an Online Certificate Status Protocol (OCSP) responder (server) to verify the revocation status of certificates.
Besides adding an OCSP responder, enabling OCSP requires the following tasks:
- Enable communication between the firewall and the OCSP server: select Device > Setup > Management, select HTTP OCSP in Management Interface Settings, and then click OK.
- If the firewall will decrypt outbound SSL/TLS traffic, optionally configure it to verify the revocation status of destination server certificates: select Device > Setup > Sessions, click Decryption Certificate Revocation Settings, select Enable in the OCSP settings, enter the Receive Timeout (the interval after which the firewall stops waiting for an OCSP response), and then click OK.
- Optionally, to configure the firewall as an OCSP responder, add an Interface Management profile to the interface used for OCSP services. First, select Network > Network Profiles > Interface Mgmt, click Add, select HTTP OCSP, and then click OK. Second, select Network > Interfaces, click the name of the interface that the firewall will use for OCSP services, select Advanced > Other info, select the Interface Management profile you configured, and then click OK and Commit.

OCSP Responder Settings    Description

Name: Enter a name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.

Location: Select the scope in which the responder is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared. After you save the responder, you can't change its Location.

Host Name: Enter the host name (recommended) or IP address of the OCSP responder. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified. If you configure the firewall as an OCSP responder, the host name must resolve to an IP address in the interface that the firewall uses for OCSP services.

Device > Certificate Management > SSL/TLS Service Profile

- Device > Certificate Management > SSL/TLS Service Profile
- Panorama > Certificate Management > SSL/TLS Service Profile
SSL/TLS service profiles specify a server certificate and a protocol version or range of versions for firewall or Panorama services that use SSL/TLS (such as administrative access to the web interface). By defining the protocol versions, the profiles enable you to restrict the cipher suites that are available for securing communication with the client systems requesting the services.

In the client systems that request firewall or Panorama services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting the services. Most third-party CA certificates are present by default in client browsers. If an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA certificate to the CTL in client browsers.

To add a profile, click Add and complete the fields in the following table.

SSL/TLS Service Profile Settings    Description

Name: Enter a name to identify the profile (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.

Shared: If the firewall has more than one virtual system (vsys), selecting this option makes the profile available on all virtual systems. By default, this option is cleared and the profile is available only for the vsys selected in the Device tab, Location drop-down.

Certificate: Select, import, or generate a certificate to associate with the profile (see Manage Firewall and Panorama Certificates).
Do not use certificate authority (CA) certificates for SSL/TLS services; use only signed certificates.

Min Version: Select the earliest TLS version that services to which this profile is assigned can use: TLSv1.0, TLSv1.1, or TLSv1.2.

Max Version: Select the latest TLS version that services to which this profile is assigned can use: TLSv1.0, TLSv1.1, TLSv1.2, or Max (the latest available version).

Device > Certificate Management > SCEP

The Simple Certificate Enrollment Protocol (SCEP) provides a mechanism for issuing a unique certificate to endpoints, gateways, and satellite devices. Select Device > Certificate Management > SCEP to create a SCEP configuration.
To start a new SCEP configuration, click Add and then complete the following fields.

SCEP Settings    Description

Name: Specify a descriptive Name to identify this SCEP configuration, such as SCEP_Example. This name distinguishes a SCEP profile from other instances that you might have among the configuration profiles.

Location: Select a Location for the profile if the system has multiple virtual systems. The location identifies where the SCEP configuration is available.

One Time Password (Challenge)

SCEP Challenge: (Optional) To make SCEP-based certificate generation more secure, you can configure a SCEP challenge-response mechanism (a one-time password (OTP)) between the public key infrastructure (PKI) and the portal for each certificate request.
After you configure this mechanism, its operation is invisible, and no further input from you is necessary.
The challenge mechanism that you select determines the source of the OTP. If you select Fixed, copy the enrollment challenge password from the SCEP server for the PKI and enter the string in the portal's Password dialog that displays when configured as Fixed. Each time the portal requests a certificate, it uses this password to authenticate with the PKI. If you select Dynamic, you enter the username and password of your choice (possibly the credentials of the PKI administrator) and the SCEP Server URL where the portal client submits these credentials. This username and password remain the same while the SCEP server transparently generates an OTP password for the portal upon each certificate request. (You can see this OTP change after a screen refresh in the "The enrollment challenge password is" field upon each certificate request.) The PKI transparently passes each new password to the portal, which then uses the password for its certificate request.
To comply with the U.S. Federal Information Processing Standard (FIPS), select Dynamic, specify a Server URL that uses HTTPS, and enable SCEP Server SSL Authentication. (FIPS-CC operation is indicated on the firewall login page and in the firewall status bar.)

Configuration

Server URL: Enter the URL at which the portal requests and receives client certificates from the SCEP server. Example: http://<hostname or IP>/certsrv/mscep/.

CA-IDENT Name: Enter a string to identify the SCEP server. Maximum length is 255 characters.

Subject: Configure the Subject to include identifying information about the device and, optionally, the user, and provide this information in the certificate signing request (CSR) to the SCEP server.
When used to request client certificates for endpoints, the endpoint sends identifying information about the device that includes its host ID value. The host ID value varies by device type: either GUID (Windows), MAC address of the interface (Mac), Android ID (Android devices), UDID (iOS devices), or a unique name that GlobalProtect assigns (Chrome). When used to request certificates for satellite devices, the host ID value is the device serial number.
To specify additional information in the CSR, enter the Subject name. The subject must be a distinguished name in the <attribute>=<value> format and must include the common name (CN) key. For example:
O=acme,CN=acmescep
There are two ways to specify the CN:
- (Recommended) Token-based CN: Enter one of the supported tokens $USERNAME, $EMAILADDRESS, or $HOSTID. Use the username or email address variable to ensure that the portal requests certificates for a specific user. To request certificates for the device only, specify the hostid variable. When the GlobalProtect portal pushes the SCEP settings to the agent, the CN portion of the subject name is replaced with the actual value (username, hostid, or email address) of the certificate owner. For example:
  O=acme,CN=$HOSTID
- Static CN: The CN you specify will be used as the subject for all certificates issued by the SCEP server. For example:
  O=acme,CN=acmescep

Subject Alternative Name Type: After you select a type other than None, a dialog displays for you to enter the appropriate value:
- RFC 822 Name: Enter the email name in a certificate's subject or Subject Alternative Name extension.
- DNS Name: Enter the DNS name used to evaluate certificates.
- Uniform Resource Identifier (URI): Enter the name of the URI resource from which the client obtains the certificate.

Cryptographic Settings:
- Number of Bits: Select the key's Number of Bits for the certificate. If the firewall is in FIPS-CC mode, the generated keys must be at least 2,048 bits. (FIPS-CC operation is indicated on the firewall login page and the firewall status bar.)
- Digest: Select the Digest algorithm for the certificate: SHA1, SHA256, SHA384, or SHA512. If the firewall is in FIPS-CC mode, you must select SHA256, SHA384, or SHA512 as the Digest algorithm.

Use as digital signature: Select this option to configure the endpoint to use the private key in the certificate to validate a digital signature.

Use for key encipherment: Select this option to configure the client endpoint to use the private key in the certificate to encrypt data exchanged over the HTTPS connection established with the certificates issued by the SCEP server.

CA Certificate Fingerprint: (Optional) To ensure that the portal connects to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field.
Log in to the SCEP server's administrative user interface (for example, at http://<hostname or IP>/CertSrv/mscep_admin/). Copy the thumbprint and enter it in CA Certificate Fingerprint.

SCEP Server SSL Authentication: To enable SSL, select the root CA Certificate for the SCEP server. Optionally, you can enable mutual SSL authentication between the SCEP server and the GlobalProtect portal by selecting a Client Certificate.
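The Subject handling described in this table (a <attribute>=<value> subject that must carry a CN, with the CN either static or one of the $USERNAME, $EMAILADDRESS and $HOSTID tokens that the portal replaces before the agent builds its CSR) as an added Python example; this is not PAN-OS or GlobalProtect code, and the certificate owner record it substitutes from is a constructed sample.

```python
"""Subject handling for a SCEP profile, modelled on the Subject row above.

Added example, not PAN-OS or GlobalProtect code. It parses the <attribute>=<value>
subject, requires exactly one CN, and, when the CN is one of the documented tokens
($USERNAME, $EMAILADDRESS, $HOSTID), replaces it with the certificate owner's value
the way the portal does before the agent builds its CSR. The owner values used below
are constructed samples; DN values containing escaped commas are not handled.
"""
from typing import Dict, List, Tuple

# Token in the CN -> key in the owner record the portal substitutes.
SUPPORTED_TOKENS = {"$USERNAME": "username", "$EMAILADDRESS": "email", "$HOSTID": "hostid"}


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split 'O=acme,CN=$HOSTID' into ordered (attribute, value) pairs.

    Rejects components without '=', empty attributes or values, and subjects that
    do not contain exactly one CN, which the table says is required."""
    pairs: List[Tuple[str, str]] = []
    for component in subject.split(","):
        if "=" not in component:
            raise ValueError(f"malformed subject component: {component!r}")
        attr, value = component.split("=", 1)
        attr, value = attr.strip().upper(), value.strip()
        if not attr or not value:
            raise ValueError(f"empty attribute or value in: {component!r}")
        pairs.append((attr, value))
    if sum(1 for attr, _ in pairs if attr == "CN") != 1:
        raise ValueError("subject must include exactly one CN")
    return pairs


def subject_kind(subject: str) -> str:
    """'token' for a token-based CN, 'static' otherwise; an unknown $-token is an error."""
    cn = next(value for attr, value in parse_subject(subject) if attr == "CN")
    if cn in SUPPORTED_TOKENS:
        return "token"
    if cn.startswith("$"):
        raise ValueError(f"unsupported token {cn}; use one of {sorted(SUPPORTED_TOKENS)}")
    return "static"


def render_subject(subject: str, owner: Dict[str, str]) -> str:
    """Return the subject the agent would place in its CSR for `owner`.

    A token CN is replaced by the owner's username, email address, or host ID; a
    static CN is passed through unchanged, so every device gets the same subject."""
    rendered = []
    for attr, value in parse_subject(subject):
        if attr == "CN" and value.startswith("$"):
            if value not in SUPPORTED_TOKENS:
                raise ValueError(f"unsupported token {value}")
            key = SUPPORTED_TOKENS[value]
            if not owner.get(key):
                raise ValueError(f"certificate owner has no {key} to fill {value}")
            value = owner[key]
        rendered.append(f"{attr}={value}")
    return ",".join(rendered)


# Constructed certificate owner: a Windows endpoint, whose host ID is a GUID.
SAMPLE_OWNER = {
    "username": "jdoe",
    "email": "jdoe@example.com",
    "hostid": "00000000-1111-2222-3333-444444444444",  # constructed, not a real GUID
}
```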

Device > Certificate Management > SSL Decryption Exclusion

View and manage SSL decryption exclusions. There are two types of decryption exclusions, predefined exclusions and custom exclusions:
- Predefined decryption exclusions allow applications and services that might break when the firewall decrypts them to remain encrypted. Palo Alto Networks defines the predefined decryption exclusions and delivers updates and additions to the predefined exclusions list at regular intervals as part of the applications and threats content update. Predefined exclusions are enabled by default, but you can choose to disable the exclusion as needed.
- You can create custom decryption exclusions to exclude server traffic from decryption. All traffic originating from or destined to the targeted server remains encrypted.

You can also exclude traffic from decryption based on application, source, destination, URL category, and service.

Use the settings on this page to Modify or Add a Decryption Exclusion and to Manage Decryption Exclusions.

SSL Decryption Exclusions Settings    Description

Modify or Add a Decryption Exclusion

Hostname: Enter a Hostname to define a custom decryption exclusion. The hostname defined here is compared against the SNI requested by the client or the CN presented in the server certificate. You can also use a wildcard asterisk (*) to create a decryption exclusion for all hostnames associated with a domain. Sessions where the server presents a CN that contains the defined domain are excluded from decryption.
Hostnames should be unique for each entry; if a predefined entry is delivered to the firewall that matches an existing custom entry, the custom entry takes precedence.
You cannot edit the Hostname for a predefined decryption exclusion.

Shared: Select Shared to share a decryption exclusion across all virtual systems in a multiple virtual system firewall.
While predefined decryption exclusions are shared by default, you can enable and disable both predefined and custom entries for a specific virtual system.

Description: (Optional) Describe the application that you are excluding from decryption, including why the application breaks when decrypted.

Exclude: Exclude the application from decryption. Disable this option to start decrypting an application that was previously excluded from decryption.

Manage Decryption Exclusions

Enable: Enable one or more entries to exclude them from decryption.

Disable: Disable one or more predefined decryption exclusions.
Because decryption exclusions identify applications that break when decrypted, disabling one of these entries will cause the application to be unsupported. The firewall will attempt to decrypt the application and the application will break. You can use this option if you want to ensure certain encrypted applications do not enter your network.

Show obsoletes: Show obsoletes to view predefined entries that Palo Alto Networks no longer defines as decryption exclusions.
More about obsolete entries:
Updates to predefined decryption exclusions (including the removal of a predefined entry) are delivered to the firewall as part of Applications and Threats content updates. Predefined entries with Exclude from decryption enabled are automatically removed from the list of SSL decryption exclusions when the firewall receives a content update that no longer includes that entry.
However, predefined entries with Exclude from decryption disabled remain on the SSL decryption list even after the firewall receives a content update that no longer includes that entry. When you Show obsoletes, you will see these disabled predefined entries that are not currently being enforced; you can remove these entries manually as needed.
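The Hostname matching this table describes (comparison against the client's SNI or the server certificate CN, a wildcard entry covering a whole domain, custom entries taking precedence over predefined ones with the same hostname, and disabled entries not exempting a session) as an added Python example; this is not PAN-OS code, and every hostname in it is a constructed sample.

```python
"""Hostname matching for SSL decryption exclusions, modelled on the Hostname row above.

Added example, not PAN-OS code. Assumptions: an entry is matched against the client's
SNI and then the CN of the server certificate; a wildcard entry '*.example.org' covers
the domain itself and every name under it; a custom entry takes precedence over a
predefined entry with the same hostname; a disabled entry does not exempt the session.
All hostnames below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class DecryptionExclusion:
    hostname: str             # 'updates.example.net' or wildcard '*.example.org'
    predefined: bool = False  # delivered by content update (True) or custom (False)
    exclude: bool = True      # Exclude / Enable state of the entry
    description: str = ""


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so SNI and CN values compare consistently."""
    return name.strip().rstrip(".").lower()


def entry_matches(entry: DecryptionExclusion, name: str) -> bool:
    """True if `name` (an SNI or certificate CN) falls under the entry's hostname."""
    name = normalize(name)
    pattern = normalize(entry.hostname)
    if pattern.startswith("*."):
        domain = pattern[2:]
        # Wildcard: the apex itself or any label(s) beneath it, never a bare suffix
        # match such as 'notexample.org' against '*.example.org'.
        return name == domain or name.endswith("." + domain)
    return name == pattern


def effective_entries(entries: Iterable[DecryptionExclusion]) -> List[DecryptionExclusion]:
    """Collapse duplicates by hostname; a custom entry wins over a predefined one."""
    chosen: Dict[str, DecryptionExclusion] = {}
    for entry in entries:
        key = normalize(entry.hostname)
        current = chosen.get(key)
        if current is None or (current.predefined and not entry.predefined):
            chosen[key] = entry
    return list(chosen.values())


def find_exclusion(entries: Iterable[DecryptionExclusion], sni: Optional[str] = None,
                   cert_cn: Optional[str] = None) -> Optional[DecryptionExclusion]:
    """Return the enabled entry that keeps this session encrypted, or None to decrypt it."""
    candidates = effective_entries(entries)
    for name in (sni, cert_cn):
        if not name:
            continue
        for entry in candidates:
            if entry.exclude and entry_matches(entry, name):
                return entry
    return None


# Constructed exclusion list: two predefined entries, one wildcard custom entry, and a
# disabled custom entry that overrides a predefined one so that host is decrypted.
SAMPLE_EXCLUSIONS = [
    DecryptionExclusion("updates.example.net", predefined=True, description="pinned updater"),
    DecryptionExclusion("pinned.example.com", predefined=True, description="cert pinning"),
    DecryptionExclusion("*.example.org", description="partner site breaks when decrypted"),
    DecryptionExclusion("pinned.example.com", exclude=False, description="decrypt anyway"),
]
```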

PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 469


Device>ResponsePages Device

Device>ResponsePages

CustomresponsepagesarethewebpagesthatdisplaywhenausertriestoaccessaURL.Youcanprovide
acustomHTMLmessagethatisdownloadedanddisplayedinsteadoftherequestedwebpageorfile.
Eachvirtualsystemcanhaveitsowncustomresponsepages.Thefollowingtabledescribesthetypesof
customresponsepagesthatsupportcustomermessages.

Custom Response Page Types  |  Description

Antivirus Block Page  |  Access blocked due to a virus infection.

Application Block Page  |  Access blocked because the application is blocked by a Security policy rule.

Captive Portal Comfort Page  |  The firewall displays this page so that users can enter login credentials to access services that are subject to Authentication policy rules (see Policies > Authentication). Enter a message that tells users how to respond to this authentication challenge. The firewall authenticates users based on the Authentication Profile specified in the authentication enforcement object assigned to an Authentication rule (see Objects > Authentication).
You can display unique authentication instructions for each Authentication rule by entering a Message in the associated authentication enforcement object. The message defined in the object overrides the message defined in the Captive Portal Comfort Page.

File Blocking Continue Page  |  Page for users to confirm that downloading should continue. This option is available only if Continue functionality is enabled in the security profile. Select Objects > Security Profiles > File Blocking.

File Blocking Block Page  |  Access blocked because access to the file is blocked.

GlobalProtect Portal Help Page  |  Custom help page for GlobalProtect users (accessible from the portal).

GlobalProtect Portal Login Page  |  Page for users who attempt to access the GlobalProtect portal.

GlobalProtect Welcome Page  |  Welcome page for users who attempt to log in to the GlobalProtect portal.

MFA Login Page  |  The firewall displays this page so that users can respond to multi-factor authentication (MFA) challenges when accessing services that are subject to Authentication policy rules (see Policies > Authentication). Enter a message that tells users how to respond to the MFA challenges.

SAML Auth Internal Error Page  |  Page to inform users that SAML authentication failed. The page includes a link for the user to retry authentication.

SSL Certificate Errors Notify Page  |  Notification that an SSL certificate has been revoked.

SSL Decryption Opt-out Page  |  User warning page indicating that the firewall will decrypt SSL sessions for inspection.

URL Filtering and Category Match Block Page  |  Access blocked by a URL filtering profile or because the URL category is blocked by a Security policy rule.


URL Filtering Continue and Override Page  |  Page with initial block policy that allows users to bypass the block. For example, a user who thinks the page was blocked inappropriately can click Continue to proceed to the page.
With the override page, a password is required for the user to override the policy that blocks this URL. See the URL Admin Override section for instructions on setting the override password.

URL Filtering Safe Search Enforcement Block Page  |  Access blocked by a Security policy rule with a URL filtering profile that has the Safe Search Enforcement option enabled.
The user sees this page if a search is performed using Bing, Google, Yahoo, Yandex, or YouTube and their browser or search engine account setting for Safe Search is not set to strict. The block page will instruct the user to set the Safe Search setting to strict.

Anti Phishing Block Page  |  Displays to users when they attempt to enter valid corporate credentials (usernames or passwords) on a web page for which credential submissions are blocked. The user can continue to access the site but remains unable to submit valid corporate credentials to any associated web forms.
Select Objects > Security Profiles > URL Filtering to enable credential detection and control credential submissions to web pages based on URL category.

Anti Phishing Continue Page  |  This page warns users against submitting corporate credentials (usernames and passwords) to a website. Warning users against submitting credentials can help to discourage them from reusing corporate credentials and to educate them about possible phishing attempts. Users see this page when they attempt to submit credentials to a site for which the User Credential Submission permissions are set to continue (see Objects > Security Profiles > URL Filtering). They must select Continue to enter credentials on the site.

You can perform any of the following functions for Response Pages.
To import a custom HTML response page, click the link of the page type you would like to change and then click import/export. Browse to locate the page. A message is displayed to indicate whether the import succeeded. For the import to be successful, the file must be in HTML format.
To export a custom HTML response page, click Export for the type of page. Select whether to open the file or save it to disk and, if appropriate, select Always use the same option.
To enable or disable the Application Block page or SSL Decryption Opt-out pages, click Enable for the type of page. Select or deselect Enable, as appropriate.
To use the default response page instead of a previously uploaded custom page, delete the custom block page and commit. This will set the default block page as the new active page.


Device > Log Settings

Select Device > Log Settings to configure alarms, clear logs, or enable log forwarding to Panorama and external services.
Select Log Forwarding Destinations
Define Alarm Settings
Clear Logs

Select Log Forwarding Destinations

Device > Log Settings
Use these settings to configure log forwarding to Panorama, SNMP trap receivers, email servers, Syslog servers, and HTTP servers. You can also add or remove tags from a source or destination IP address in a log entry; all log types except System logs and Configuration logs support tagging.
You can forward the following log types: System, Configuration, User-ID, HIP Match, and Correlation logs. To specify destinations for each log type, Add one or more match list profiles (up to 64) and complete the fields described in the following table.

To forward Traffic, Threat, WildFire Submissions, URL Filtering, Data Filtering, Tunnel Inspection, GTP, and Authentication logs, you must configure a Log Forwarding profile (see Objects > Log Forwarding).

Match List Profile Settings  |  Description

Name  |  Enter a name (up to 31 characters) to identify the match list profile. A valid name must start with an alphanumeric character and can contain zeroes, alphanumeric characters, underscores, hyphens, dots, or spaces.

Filter  |  By default, the firewall forwards All Logs of the type for which you add the match list profile. To forward a subset of the logs, open the drop-down and select an existing filter or select Filter Builder to add a new filter. For each query in a new filter, specify the following fields and Add the query:
Connector: Select the connector logic (and/or) for the query. Select Negate if you want to apply negation to the logic. For example, to avoid forwarding logs from an untrusted zone, select Negate, select Zone as the Attribute, select equal as the Operator, and enter the name of the untrusted Zone in the Value column.
Attribute: Select a log attribute. The available attributes vary by log type.
Operator: Select the criterion to determine whether the attribute applies (such as equal). The available criteria vary by the log type.
Value: Specify the attribute value to match.
To display or export the logs that the filter matches, select View Filtered Logs. This tab provides the same options as the Monitoring tab pages (such as Monitoring > Logs > Traffic).

Description  |  Enter a description (up to 1,023 characters) to explain the purpose of this match list profile.


Panorama  |  Select Panorama if you want to forward logs to Log Collectors or the Panorama management server. If you enable this option, you must configure log forwarding to Panorama.
You cannot forward Correlation logs from firewalls to Panorama. Panorama generates Correlation logs based on the firewall logs it receives.

SNMP  |  Add one or more SNMP Trap server profiles to forward logs as SNMP traps (see Device > Server Profiles > SNMP Trap).

Email  |  Add one or more Email server profiles to forward logs as email notifications (see Device > Server Profiles > Email).

Syslog  |  Add one or more Syslog server profiles to forward logs as syslog messages (see Device > Server Profiles > Syslog).

HTTP  |  Add one or more HTTP server profiles to forward logs as HTTP requests (see Device > Server Profiles > HTTP).

Built-in Actions  |  You can add an action for all log types that include a source or destination IP address in the log entry by configuring the following settings as needed.
You can tag only the source IP address in Correlation logs and HIP Match logs. You cannot configure any action for System logs and Configuration logs because the log type does not include an IP address in the log entry.
Add an action and enter a name to describe it.
Select the IP address you want to automatically tag: Source Address or Destination Address.
Select the action: Add Tag or Remove Tag.
Select whether to register the IP address and tag mapping to the Local User-ID agent on this firewall or Panorama, or to a Remote User-ID agent.
To register the IP address and tag mapping to a Remote User-ID agent, select the HTTP server profile (Device > Server Profiles > HTTP) that will enable forwarding.
Enter or select the Tags you want to apply or remove from the target source or destination IP address.
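The filter queries and Built-in Actions above, modelled as an added example (not Palo Alto Networks code): a match list profile with Connector/Negate/Attribute/Operator/Value queries is evaluated over constructed log entries, and each match has its source address tagged in a local IP-to-tag table that stands in for the User-ID agent. The operator set, the class names and the log field names are assumptions.

```python
# Added example (not Palo Alto Networks code): a small model of the Log
# Settings match list. A filter is a list of queries, each with the Connector
# (and/or), Negate flag, Attribute, Operator and Value fields; the profile
# also carries Built-in Actions that add or remove a tag on the source or
# destination address of every log entry the filter matches.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# The operators the Filter Builder offers vary by log type; these are assumed.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equal": lambda have, want: have == want,
    "not-equal": lambda have, want: have != want,
    "contains": lambda have, want: want in have,
}


@dataclass
class Query:
    attribute: str
    operator: str
    value: str
    connector: str = "and"   # how this query joins the one before it
    negate: bool = False

    def matches(self, entry: Dict[str, str]) -> bool:
        have = entry.get(self.attribute, "")
        result = OPERATORS[self.operator](have, self.value)
        return not result if self.negate else result


def evaluate_filter(queries: List[Query], entry: Dict[str, str]) -> bool:
    """Evaluate the queries left to right; an empty filter means All Logs."""
    if not queries:
        return True
    result = queries[0].matches(entry)
    for q in queries[1:]:
        if q.connector == "and":
            result = result and q.matches(entry)
        else:
            result = result or q.matches(entry)
    return result


@dataclass
class BuiltinAction:
    name: str
    target: str          # "Source Address" or "Destination Address"
    action: str          # "Add Tag" or "Remove Tag"
    tags: Set[str]


@dataclass
class MatchListProfile:
    name: str
    queries: List[Query] = field(default_factory=list)
    actions: List[BuiltinAction] = field(default_factory=list)


# Assumed log field names carrying the two addresses.
ATTR_FOR_TARGET = {"Source Address": "src", "Destination Address": "dst"}


def process_logs(profile: MatchListProfile, entries: List[Dict[str, str]],
                 registry: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return the entries the profile forwards and apply its tag actions to
    the IP-to-tag registry (standing in for the local User-ID agent)."""
    forwarded = []
    for entry in entries:
        if not evaluate_filter(profile.queries, entry):
            continue
        forwarded.append(entry)
        for act in profile.actions:
            ip = entry.get(ATTR_FOR_TARGET[act.target])
            if not ip:      # System/Config-style entries carry no address
                continue
            tagged = registry.setdefault(ip, set())
            if act.action == "Add Tag":
                tagged |= act.tags
            else:
                tagged -= act.tags
    return forwarded


# Constructed sample entries (not real firewall logs).
SAMPLE_LOGS = [
    {"type": "threat", "zone": "untrust", "src": "198.51.100.7", "dst": "10.0.0.5", "severity": "high"},
    {"type": "threat", "zone": "dmz", "src": "203.0.113.9", "dst": "10.0.0.8", "severity": "high"},
    {"type": "threat", "zone": "dmz", "src": "203.0.113.10", "dst": "10.0.0.8", "severity": "low"},
]


def demo() -> Dict[str, Set[str]]:
    # The page's own example: Negate + Zone equal <untrusted zone> drops the
    # untrust entries; a second query keeps only high-severity entries.
    profile = MatchListProfile(
        name="tag-high-severity",
        queries=[Query("zone", "equal", "untrust", negate=True),
                 Query("severity", "equal", "high", connector="and")],
        actions=[BuiltinAction("quarantine", "Source Address", "Add Tag", {"quarantine"})],
    )
    registry: Dict[str, Set[str]] = {}
    process_logs(profile, SAMPLE_LOGS, registry)
    return registry


if __name__ == "__main__":
    print(demo())
```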


Define Alarm Settings

Device > Log Settings
Use the Alarm Settings to configure Alarms for the CLI and the web interface. You can configure notifications for the following events:
A security rule (or group of rules) has been matched at a specified threshold and within a specified time interval.
Encryption/Decryption failure threshold is met.
The Log database for each log type is nearing full; the quota by default is set to notify when 90% of the available disk space is used. Configuring alarms allows you to take action before the disk is full and logs are purged.
When you enable alarms, you can view the current list by clicking Alarms at the bottom of the web interface.
To add an alarm, edit the Alarm Settings described in the following table.

Alarm Log Settings  |  Description

Enable Alarms  |  Alarms are visible only if you Enable Alarms.
If you disable alarms, the firewall does not alert you to critical events that require action. For example, an alarm tells you when the master key is about to expire; if the key expires before you change it, the firewall reboots into Maintenance mode and then requires a factory reset.

Enable CLI Alarm Notifications  |  Enable CLI alarm notifications whenever alarms occur.

Enable Web Alarm Notifications  |  Open a window to display alarms on user sessions, including when they occur and when they are acknowledged.

Enable Audible Alarms  |  An audible alarm tone will play every 15 seconds on the administrator's computer when the administrator is logged in to the web interface and unacknowledged alarms exist. The alarm tone will play until the administrator acknowledges all alarms.
To view and acknowledge alarms, click Alarms.
This feature is only available when the firewall is in FIPS-CC mode.

Encryption/Decryption Failure Threshold  |  Specify the number of encryption/decryption failures after which an alarm is generated.

<Log type> Log DB  |  Generate an alarm when a log database reaches the indicated percentage of the maximum size.

Security Violations Threshold / Security Violations Time Period  |  An alarm is generated if a particular IP address or port hits a deny rule the specified number of times in the Security Violations Threshold setting within the period (seconds) specified in the Security Violations Time Period setting.


Violations Threshold / Violations Time Period / Security Policy Tags  |  An alarm is generated if the collection of rules reaches the number of rule limit violations specified in the Violations Threshold field during the period specified in the Violations Time Period field. Violations are counted when a session matches an explicit deny policy.
Use Security Policy Tags to specify the tags for which the rule limit thresholds will generate alarms. These tags become available to be specified when defining security policies.

Selective Audit  |  The selective audit options are only available when the firewall is in FIPS-CC mode.
Specify the following settings:
FIPS-CC Specific Logging: Enables verbose logging required for Common Criteria (CC) compliance.
Packet Drop Logging: Logs packets dropped by the firewall.
Suppress Login Success Logging: Stops logging of successful administrator logins to the firewall.
Suppress Login Failure Logging: Stops logging of failed administrator logins to the firewall.
TLS Session Logging: Logs the establishment of TLS sessions.
CA (OCSP/CRL) Session Establishment Logging: Logs session establishment between the firewall and a certificate authority when the firewall sends a request to check certificate revocation status using the Online Certificate Status Protocol or a Certificate Revocation List server request. (Disabled by default.)
IKE Session Establishment Logging: Logs IPSec IKE session establishment when the VPN gateway on the firewall authenticates with a peer. The peer can be a Palo Alto Networks firewall or another security device used to initiate and terminate VPN connections. The interface name that is specified in the log is the interface that is bound to the IKE gateway. The IKE gateway name is also displayed if applicable. Disabling this option stops logging of all IKE logging events. (Enabled by default.)
Suppressed Administrators: Stops logging of changes that the listed administrators make to the firewall configuration.

Clear Logs

Device > Log Settings
You can clear logs on the firewall when you Manage Logs on the Log Settings page. Click the log type you want to clear and click Yes to confirm the request.

To automatically delete logs and reports, you can configure expiration periods. For details, see Logging and Reporting Settings.


Device > Server Profiles

Device > Server Profiles > SNMP Trap
Device > Server Profiles > Syslog
Device > Server Profiles > Email
Device > Server Profiles > HTTP
Device > Server Profiles > NetFlow
Device > Server Profiles > RADIUS
Device > Server Profiles > TACACS+
Device > Server Profiles > LDAP
Device > Server Profiles > Kerberos
Device > Server Profiles > SAML Identity Provider
Device > Server Profiles > DNS
Device > Server Profiles > Multi Factor Authentication


Device > Server Profiles > SNMP Trap

Simple Network Management Protocol (SNMP) is a standard protocol for monitoring the devices on your network. To alert you to system events or threats on your network, monitored devices send SNMP traps to SNMP managers (trap servers). Select Device > Server Profiles > SNMP Trap or Panorama > Server Profiles > SNMP Trap to configure the server profile that enables the firewall or Panorama to send traps to the SNMP managers. To enable SNMP GET messages (statistics requests from an SNMP manager), see Enable SNMP Monitoring.
After creating the server profile, you must specify which log types will trigger the firewall to send SNMP traps (Device > Log Settings). For a list of the MIBs that you must load into the SNMP manager so it can interpret traps, see Supported MIBs.

Don't delete a server profile that any system log setting or logging profile uses.

SNMP Trap Server Profile Settings  |  Description

Name  |  Enter a name for the SNMP profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location  |  Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Version  |  Select the SNMP version: V2c (default) or V3. Your selection controls the remaining fields that the dialog displays. For either version, you can add up to four SNMP managers.

For SNMP V2c

Name  |  Specify a name for the SNMP manager. The name can have up to 31 characters that are alphanumeric, periods, underscores, or hyphens.

SNMP Manager  |  Specify the FQDN or IP address of the SNMP manager.

Community  |  Enter the community string, which identifies an SNMP community of SNMP managers and monitored devices and also serves as a password to authenticate the community members to each other during trap forwarding. The string can have up to 127 characters, accepts all characters, and is case-sensitive.
Do not use the default community string public. Because SNMP messages contain community strings in cleartext, consider the security requirements of your network when defining community membership (administrator access).


For SNMP V3

Name  |  Specify a name for the SNMP manager. The name can have up to 31 characters that are alphanumeric, periods, underscores, or hyphens.

SNMP Manager  |  Specify the FQDN or IP address of the SNMP manager.

User  |  Specify a username to identify the SNMP user account (up to 31 characters). The username you configure on the firewall must match the username configured on the SNMP manager.

Engine ID  |  Specify the engine ID of the firewall. When an SNMP manager and the firewall authenticate to each other, trap messages use this value to uniquely identify the firewall. If you leave the field blank, the messages use the firewall serial number as the Engine ID. If you enter a value, it must be in hexadecimal format, prefixed with 0x, and with another 10 to 128 characters to represent any number of 5 to 64 bytes (2 characters per byte). For firewalls in a high availability (HA) configuration, leave the field blank so that the SNMP manager can identify which HA peer sent the traps; otherwise, the value is synchronized and both peers will use the same Engine ID.

Auth Password  |  Specify the authentication password of the SNMP user. The firewall uses the password to authenticate to the SNMP manager. The firewall uses Secure Hash Algorithm (SHA-1 160) to encrypt the password. The password must be 8 to 256 characters and all characters are allowed.

Priv Password  |  Specify the privacy password of the SNMP user. The firewall uses the password and Advanced Encryption Standard (AES 128) to encrypt traps. The password must be 8 to 256 characters and all characters are allowed.


Device > Server Profiles > Syslog

Select Device > Server Profiles > Syslog or Panorama > Server Profiles > Syslog to configure a server profile for forwarding firewall, Panorama, and Log Collector logs as syslog messages to a syslog server. To define a syslog server profile, click Add and specify the New Syslog Server fields.

To select the Syslog Server profile for System, Config, User-ID, HIP Match, and Correlation logs, see Device > Log Settings.
To select the Syslog Server Profile for Traffic, Threat, WildFire, URL Filtering, Data Filtering, Tunnel Inspection, Authentication, and GTP logs, see Objects > Log Forwarding.
You cannot delete a server profile that the firewall uses in any System or Config log settings or Log Forwarding profile.

Syslog Server Settings  |  Description

Name  |  Enter a name for the syslog profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location  |  Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Servers Tab

Name  |  Click Add and enter a name for the syslog server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Server  |  Enter the IP address of the syslog server.

Transport  |  Select whether to transport the syslog messages over UDP, TCP, or SSL.

Port  |  Enter the port number of the syslog server (the standard port for UDP is 514; the standard port for SSL is 6514; for TCP you must specify a port number).

Format  |  Specify the syslog format to use: BSD (the default) or IETF.

Facility  |  Select one of the Syslog standard values. Select the value that maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, see RFC 3164 (BSD format) or RFC 5424 (IETF format).

Custom Log Format Tab

Log Type  |  Click the log type to open a dialog box that allows you to specify a custom log format. In the dialog box, click a field to add it to the Log Format area. Other text strings can be edited directly in the Log Format area. Click OK to save the settings. View a description of each field that can be used for custom logs.
For details on the fields that can be used for custom logs, see Device > Server Profiles > Email.


Escaping  |  Specify escape sequences. Escaped characters is a list of all the characters to be escaped, without spaces.
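An added example (not Palo Alto Networks code) of what the Format, Facility and Escaping settings do to one forwarded line: it computes the RFC 3164/RFC 5424 PRI value from the facility and severity, wraps a constructed custom log format in a BSD or IETF header, and applies the Escaped characters list to each field value. The custom format template, the field values, the hostname and the PAN-OS app-name token are assumptions.

```python
# Added example (not Palo Alto Networks code): how the Format, Facility and
# Escaping settings of a Syslog server profile shape one forwarded line.
# The custom log format template and the field values are constructed.
import re
from datetime import datetime, timezone
from typing import Dict, Tuple

# Facility and severity codes shared by RFC 3164 (BSD) and RFC 5424 (IETF).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def pri(facility: str, severity: str) -> int:
    """The PRI number is facility * 8 + severity in both formats."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value: int) -> Tuple[str, str]:
    """Reverse lookup, as a receiver does when routing by facility."""
    fac = {v: k for k, v in FACILITIES.items()}.get(value // 8, f"facility{value // 8}")
    sev = {v: k for k, v in SEVERITIES.items()}[value % 8]
    return fac, sev


def escape_value(value: str, escaped_chars: str, escape_char: str = "\\") -> str:
    """Escaping tab: prefix each character listed in escaped_chars with the
    escape character. Walking the input one character at a time means an
    escape character that is itself in the list is doubled exactly once."""
    return "".join(escape_char + ch if ch in escaped_chars else ch for ch in value)


FIELD_RE = re.compile(r"\$(\w+)")


def render_custom_format(template: str, fields: Dict[str, str],
                         escaped_chars: str = "", escape_char: str = "\\") -> str:
    """Substitute $field tokens of a custom log format with escaped values;
    literal text in the template (such as the separators) is left as is."""
    return FIELD_RE.sub(
        lambda m: escape_value(str(fields.get(m.group(1), "")), escaped_chars, escape_char),
        template)


def syslog_line(fmt: str, facility: str, severity: str, hostname: str,
                ts: datetime, msg: str) -> str:
    """Wrap msg in a BSD (RFC 3164) or IETF (RFC 5424) header."""
    p = pri(facility, severity)
    if fmt == "BSD":
        # RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG, with a space-padded day.
        return f"<{p}>{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {hostname} {msg}"
    if fmt == "IETF":
        # RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG;
        # the app name is assumed and "-" is the nil value for the rest.
        return f"<{p}>1 {ts:%Y-%m-%dT%H:%M:%SZ} {hostname} PAN-OS - - - {msg}"
    raise ValueError(f"unknown syslog format {fmt!r}")


# Constructed traffic-style fields and custom format (not a PAN-OS default).
SAMPLE_FIELDS = {"receive_time": "2017/02/06 10:15:02", "src": "10.1.1.7",
                 "dst": "198.51.100.20", "rule": "allow,web", "action": "allow"}
SAMPLE_FORMAT = "$receive_time,$src,$dst,$rule,$action"


def demo(fmt: str = "IETF") -> str:
    # Escaping the comma keeps the comma inside the rule name from being read
    # as a field separator by a receiver that splits on commas.
    msg = render_custom_format(SAMPLE_FORMAT, SAMPLE_FIELDS, escaped_chars=",")
    return syslog_line(fmt, "local0", "warning", "pa-fw01",
                       datetime(2017, 2, 6, 10, 15, 2, tzinfo=timezone.utc), msg)


if __name__ == "__main__":
    print(demo("BSD"))
    print(demo("IETF"))
```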


Device > Server Profiles > Email

Select Device > Server Profiles > Syslog or Panorama > Server Profiles > Syslog to configure a server profile for forwarding logs as email notifications. To define an Email server profile, Add a profile and specify Email Notification Settings.

To select the Syslog Server profile for System, Config, User-ID, HIP Match, and Correlation logs, see Device > Log Settings.
To select the Syslog Server Profile for Traffic, Threat, WildFire, URL Filtering, Data Filtering, Tunnel Inspection, Authentication, and GTP logs, see Objects > Log Forwarding.
You can also Monitor > PDF Reports > Email Scheduler.
You cannot delete a server profile that the firewall uses in any System or Config log settings or Log Forwarding profile.

Email Notification Settings  |  Description

Name  |  Enter a name for the server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location  |  Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Servers Tab

Server  |  Enter a name to identify the server (up to 31 characters). This field is just a label and does not have to be the hostname of an existing SMTP server.

Display Name  |  Enter the name shown in the From field of the email.

From  |  Enter the From email address, such as security_alert@company.com.

To  |  Enter the email address of the recipient.

Additional Recipient  |  Optionally, enter the email address of another recipient. You can only add one additional recipient. To add multiple recipients, add the email address of a distribution list.

Gateway  |  Enter the IP address or hostname of the Simple Mail Transport Protocol (SMTP) server used to send the email.

Custom Log Format Tab

Log Type  |  Click the log type to open a dialog box that allows you to specify a custom log format. In the dialog box, click a field to add it to the Log Format area. Click OK to save the settings.

Escaping  |  Include escaped characters and specify the escape character or characters.


Device > Server Profiles > HTTP

Select Device > Server Profiles > HTTP or Panorama > Server Profiles > HTTP to configure a server profile for forwarding logs. You can configure the firewall to forward logs to an HTTP(S) destination, or to integrate with any HTTP-based service that exposes an API, and modify the URL, HTTP header, parameters, and the payload in the HTTP request to meet your needs. You can also use the HTTP server profile to access firewalls running the integrated PAN-OS User-ID agent and register one or more tags to a source or destination IP address on logs that a firewall generated.

To use the HTTP server profile to forward logs:
See Device > Log Settings for System, Config, User-ID, HIP Match, and Correlation logs.
See Objects > Log Forwarding for Traffic, Threat, WildFire, URL Filtering, Data Filtering, Tunnel Inspection, Authentication, and GTP logs.
You cannot delete an HTTP server profile if it is used to forward logs. To delete a server profile on the firewall or Panorama, you must delete all references to the profile from the Device > Log settings or Objects > Log Forwarding profile.

To define an HTTP server profile, Add a new profile and configure the settings in the following table.

HTTP Server Settings  |  Description

Name  |  Enter a name for the server profile (up to 31 characters). The name is case-sensitive and must be unique. A valid name must start with an alphanumeric character and can contain zeroes, alphanumeric characters, underscores, hyphens, dots, or spaces.

Location  |  Select the scope in which the server profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change the Location.

Tag Registration  |  Tag registration allows you to add or remove a tag on a source or destination IP address in a log entry and register the IP address and tag mapping to the User-ID agent on a firewall using HTTP(S). You can then define dynamic address groups that use these tags as a filtering criterion to determine their members, and enforce policy rules on an IP address based on tags.
Add the connection details to enable HTTP(S) access to the User-ID agent on a firewall.
To register tags to the User-ID agent on Panorama, you do not need a server profile. Additionally, you cannot use the HTTP server profile to register tags to a User-ID agent running on a Windows server.

Servers Tab

Name  |  Add an HTTP(S) server or remote User-ID agent and enter a name (up to 31 characters). A valid name must be unique and start with an alphanumeric character; the name can contain zeroes, alphanumeric characters, underscores, hyphens, dots, or spaces.
A server profile can include up to four servers.

Address  |  Enter the IP address of the HTTP(S) server.
For tag registration, specify the IP address of the firewall configured as a User-ID agent.


Protocol  |  Select the protocol: HTTP or HTTPS.

Port  |  Enter the port number on which to access the server or firewall. The default port for HTTP is 80 and for HTTPS is 443.
For tag registration, the firewall uses HTTP or HTTPS to connect to the web server on the firewalls that are configured as User-ID agents.

HTTP Method  |  Select the HTTP method that the server supports. The options are GET, PUT, POST (default), and DELETE.
For the User-ID agent, use the GET method.

Username  |  Enter the username that has access privileges to complete the HTTP method you selected.
If you are registering tags to the User-ID agent on a firewall, the username must be that of an administrator with a superuser role.

Password  |  Enter the password to authenticate to the server or the firewall.

Test Server Connection  |  Select a server and Test Server Connection to test network connectivity to the server.
This test does not test connectivity to a server that is running the User-ID agent.

Payload Format Tab

Log Type  |  The log type available for HTTP forwarding displays. Click the log type to open a dialog box that allows you to specify a custom log format.

Format  |  Displays whether the log type uses the default format, a predefined format, or a custom payload format that you defined.

Predefined Formats  |  Select the format for your service or vendor for sending logs. Predefined formats are pushed through content updates and can change each time you install a new content update on the firewall or Panorama.

Name  |  Enter a name for the custom log format.

URI Format  |  Specify the resource to which you want to send logs using HTTP(S).
If you create a custom format, the URI is the resource endpoint on the HTTP service. The firewall appends the URI to the IP address you defined earlier to construct the URL for the HTTP request. Ensure that the URI and payload format match the syntax that your third-party vendor requires. You can use any attribute supported on the selected log type within the HTTP Header, Parameter, and Value pairs, and the request payload.

HTTP Headers  |  Add a Header and its corresponding value.

Parameters  |  Include the optional parameters and values.

Payload  |  Select the log attributes you want to include as the payload in the HTTP message to the external web server.

Send Test Log  |  Click this button to validate that the external web server receives the request and in the correct payload format.


Device > Server Profiles > NetFlow

All Palo Alto Networks firewalls support NetFlow Version 9. The firewalls support only unidirectional NetFlow, not bidirectional. You can enable NetFlow exports on all interface types except HA, log card, or decrypt mirror. The firewall supports standard and enterprise (PAN-OS-specific) NetFlow templates. NetFlow collectors require templates to decipher the exported fields. The firewall selects a template based on the type of data it exports: IPv4 or IPv6 traffic, with or without NAT, and with standard or enterprise-specific fields.
To configure NetFlow data exports, define a NetFlow server profile, which specifies the NetFlow servers that will receive the data and specifies export parameters. After you assign the profile to an interface (see Network > Interfaces), the firewall exports NetFlow data for all traffic traversing that interface to the specified servers.

NetFlow Settings  |  Description

Name  |  Enter a name for the NetFlow server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Template Refresh Rate  |  Specify the number of Minutes (range is 1 to 3,600; default is 30) or Packets (range is 1 to 600; default is 20) after which the firewall refreshes the NetFlow template to apply any changes to its fields or a change to the template selection. The required refresh frequency depends on the NetFlow collector. If you add multiple NetFlow collectors to the server profile, use the value of the collector with the fastest refresh rate.

Active Timeout  |  Specify the frequency (in minutes) at which the firewall exports data records for each session (range is 1 to 60; default is 5). Set the frequency based on how often you want the NetFlow collector to update traffic statistics.

PAN-OS Field Types  |  Export PAN-OS-specific fields for App-ID and the User-ID service in NetFlow records.

Servers

Name  |  Specify a name to identify the server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Server  |  Specify the hostname or IP address of the server. You can add a maximum of two servers per profile.

Port  |  Specify the port number for server access (default is 2055).
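An added example (not Palo Alto Networks code) of the template dependence described above: a minimal NetFlow Version 9 collector that caches template FlowSets per exporter and can only decode data FlowSets whose template it has already seen, which is why the Template Refresh Rate has to suit the collector. The packets are constructed with standard NetFlow v9 field types; PAN-OS-specific field types and the enterprise templates are not modelled.

```python
# Added example (not Palo Alto Networks code): a minimal NetFlow Version 9
# collector. A data FlowSet can only be decoded once the template FlowSet
# (ID 0) describing it has arrived from the same exporter, so data records
# seen before their template are dropped. Packets are constructed here and
# use standard NetFlow v9 field types only.
import ipaddress
import struct
from typing import Dict, List, Tuple

# Standard NetFlow v9 field types used by the constructed template.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}
IPV4_FIELDS = {8, 12}


def decode_field(ftype: int, raw: bytes):
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")      # counters, ports, protocol number


class NetFlowV9Collector:
    def __init__(self) -> None:
        # Templates are scoped by the exporter's source ID.
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.dropped = 0   # data FlowSets that arrived before their template

    def parse_packet(self, data: bytes) -> List[Dict[str, object]]:
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", data[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records: List[Dict[str, object]] = []
        offset = 20
        while offset + 4 <= len(data):
            fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
            if fs_len < 4 or offset + fs_len > len(data):
                raise ValueError("malformed FlowSet length")
            body = data[offset + 4:offset + fs_len]
            if fs_id == 0:                       # template FlowSet
                self._parse_templates(source_id, body)
            elif fs_id >= 256:                   # data FlowSet
                records.extend(self._parse_data(source_id, fs_id, body))
            # IDs 1..255 (options templates and reserved) are skipped here.
            offset += fs_len
        return records

    def _parse_templates(self, source_id: int, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = []
            for _ in range(nfields):
                fields.append(struct.unpack("!HH", body[off:off + 4]))  # (type, length)
                off += 4
            self.templates[(source_id, tid)] = fields

    def _parse_data(self, source_id: int, tid: int, body: bytes) -> List[Dict[str, object]]:
        template = self.templates.get((source_id, tid))
        rec_len = sum(flen for _, flen in template) if template else 0
        if not template or rec_len == 0:
            self.dropped += 1                    # no template yet: cannot decode
            return []
        out = []
        off = 0
        while off + rec_len <= len(body):        # leftover bytes are padding
            rec: Dict[str, object] = {}
            for ftype, flen in template:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[off:off + flen])
                off += flen
            out.append(rec)
        return out


# --- constructed exporter side (sample packets, not firewall output) -------
TEMPLATE_ID = 256
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]


def _record(src: str, dst: str, sport: int, dport: int, proto: int, nbytes: int, pkts: int) -> bytes:
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HHBII", sport, dport, proto, nbytes, pkts))


def build_sample_packet(include_template: bool = True) -> bytes:
    tpl_body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE)) + b"".join(
        struct.pack("!HH", t, l) for t, l in TEMPLATE)
    tpl_fs = struct.pack("!HH", 0, 4 + len(tpl_body)) + tpl_body
    data_body = (_record("10.0.0.5", "198.51.100.7", 51515, 443, 6, 18400, 24)
                 + _record("10.0.0.9", "203.0.113.4", 40000, 53, 17, 120, 2))
    pad = (-len(data_body)) % 4                  # FlowSets are 4-byte aligned
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(data_body) + pad) + data_body + b"\x00" * pad
    count = (1 if include_template else 0) + 2   # header count = records in packet
    header = struct.pack("!HHIIII", 9, count, 123456, 1486339200, 1, 0)
    return header + (tpl_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    collector = NetFlowV9Collector()
    print(collector.parse_packet(build_sample_packet(include_template=False)), collector.dropped)
    print(collector.parse_packet(build_sample_packet()))
```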


Device > Server Profiles > RADIUS

Select Device > Server Profiles > RADIUS or Panorama > Server Profiles > RADIUS to configure settings for the Remote Authentication Dial-In User Service (RADIUS) servers that authentication profiles reference (see Device > Authentication Profile). You can use RADIUS to authenticate end users who access your network resources (through GlobalProtect or Captive Portal), to authenticate administrators defined locally on the firewall or Panorama, and to authenticate and authorize administrators defined externally on the RADIUS server.

RADIUS Server Settings  |  Description

Profile Name  |  Enter a name to identify the server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location  |  Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Administrator Use Only  |  Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared.

Timeout  |  Enter an interval in seconds after which an authentication request times out (range is 1 to 120; default is 3).
If you use the RADIUS server profile to integrate the firewall with an MFA service, enter an interval that gives users enough time to respond to the authentication challenge. For example, if the MFA service prompts for a one-time password (OTP), users need time to see the OTP on their endpoint device and then enter the OTP in the MFA login page.

Authentication Protocol  |  Select the Authentication Protocol that the firewall uses to secure a connection to the RADIUS server:
CHAP: Challenge-Handshake Authentication Protocol (CHAP) is the default and preferred protocol because it is more secure than PAP.
PAP: Select Password Authentication Protocol (PAP) if the RADIUS server does not support CHAP or is not configured for it.
Auto: The firewall first tries to authenticate using CHAP. If the RADIUS server doesn't respond, the firewall falls back to PAP.

Retries  |  Enter the number of automatic retries following a timeout before the request fails (range is 1 to 5; default is 3).

Servers  |  Configure information for each server in the preferred order.
Name: Enter a name to identify the server.
RADIUS Server: Enter the server IP address or FQDN.
Secret/Confirm Secret: Enter and confirm a key to verify and encrypt the connection between the firewall and the RADIUS server.
Port: Enter the server port (range is 1 to 65,535; default is 1812) for authentication requests.
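An added example (not Palo Alto Networks code) of why CHAP is the preferred Authentication Protocol over PAP for the RADIUS profile (the TACACS+ profile offers the same choice): PAP's User-Password attribute per RFC 2865 is only masked with the shared Secret and the request authenticator and is reversible by anyone who holds the Secret, whereas the CHAP-Password per RFC 1994 and RFC 2865 is a one-way digest over a fresh challenge. The secret, password and authenticator values are constructed.

```python
# Added example (not Palo Alto Networks code): CHAP versus PAP as carried in
# RADIUS. PAP sends the User-Password attribute (RFC 2865 section 5.2), which
# is the password XOR-masked with an MD5 keystream derived from the shared
# Secret, so the server (or anyone with the Secret and a capture) recovers it.
# CHAP sends CHAP-Password (RFC 1994, RFC 2865 section 5.3), a one-way digest
# over a per-request challenge. All secrets and values here are constructed.
import hashlib
import hmac
import secrets


def encode_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """PAP: pad to a multiple of 16 octets, then XOR each 16-octet block with
    MD5(secret + previous block), seeded with the request authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    padded = password.ljust(((len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block            # chaining: the next mask depends on this block
    return out


def decode_user_password(encoded: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """The inverse of encode_user_password: what the RADIUS server does, and
    what the masking does not prevent for anyone who holds the Secret.
    Trailing NUL padding is stripped (passwords ending in NUL are not handled)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute value: Ident || MD5(Ident || password || challenge).
    The challenge travels in CHAP-Challenge or as the request authenticator."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(response: bytes, password: bytes, challenge: bytes) -> bool:
    """Server side: recompute from the stored password and compare in
    constant time. A replayed response fails because the challenge differs."""
    if len(response) != 17:
        return False
    expected = chap_response(response[0], password, challenge)
    return hmac.compare_digest(response, expected)


def new_challenge() -> bytes:
    """A fresh 16-octet challenge (also usable as the request authenticator)."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    secret, pw, ra = b"constructed-secret", b"hunter2", new_challenge()
    masked = encode_user_password(pw, secret, ra)
    print("PAP recovers:", decode_user_password(masked, secret, ra) == pw)
    print("CHAP verifies:", chap_verify(chap_response(1, pw, ra), pw, ra))
```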


Device > Server Profiles > TACACS+

Select Device > Server Profiles > TACACS+ or Panorama > Server Profiles > TACACS+ to configure the settings that define how the firewall or Panorama connects to Terminal Access Controller Access-Control System Plus (TACACS+) servers (see Device > Authentication Profile). You can use TACACS+ to authenticate end users who access your network resources (through GlobalProtect or Captive Portal), to authenticate administrators defined locally on the firewall or Panorama, and to authenticate and authorize administrators defined externally on the TACACS+ server.

TACACS+ Server Settings  |  Description

Profile Name  |  Enter a name to identify the server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location  |  Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Administrator Use Only  |  Select this option to specify that only administrator accounts can use the profile for authentication. For multi-vsys firewalls, this option appears only if the Location is Shared.

Timeout  |  Enter an interval in seconds after which an authentication request times out (range is 1 to 120; default is 3).

Authentication Protocol  |  Select the Authentication Protocol that the firewall uses to secure a connection to the TACACS+ server:
CHAP: Challenge-Handshake Authentication Protocol (CHAP) is the default and preferred protocol because it is more secure than PAP.
PAP: Select Password Authentication Protocol (PAP) if the TACACS+ server does not support CHAP or is not configured for it.
Auto: The firewall first tries to authenticate using CHAP. If the TACACS+ server doesn't respond, the firewall falls back to PAP.

Use single connection for all authentication  |  Select this option to use the same TCP session for all authentications. This option improves performance by avoiding the processing required to initiate and tear down a separate TCP session for each authentication event.

Servers  |  Click Add and specify the following settings for each TACACS+ server:
Name: Enter a name to identify the server.
TACACS+ Server: Enter the IP address or FQDN of the TACACS+ server.
Secret/Confirm Secret: Enter and confirm a key to verify and encrypt the connection between the firewall and the TACACS+ server.
Port: Enter the server port (default is 49) for authentication requests.


Device > Server Profiles > LDAP

Select Device > Server Profiles > LDAP or Panorama > Server Profiles > LDAP to configure settings for the Lightweight Directory Access Protocol (LDAP) servers that authentication profiles reference (see Device > Authentication Profile). You can use LDAP to authenticate end users who access your network resources (through GlobalProtect or Captive Portal) and administrators defined locally on the firewall or Panorama.

LDAP Server Settings    Description

Profile Name: Enter a name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Administrator Use Only: Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared.

Servers: For each LDAP server, click Add and enter the host Name, IP address or FQDN (LDAP Server), and Port (default is 389).

Type: Choose the server type from the drop-down.

Base DN: Specify the root context in the directory server to narrow the search for user or group information.

Bind DN: Specify the login name (Distinguished Name) for the directory server.

Password/Confirm Password: Specify the bind account password. The agent saves the encrypted password in the configuration file.

Bind Timeout: Specify the time limit (in seconds) imposed when connecting to the directory server (range is 1 to 30; default is 30).

Search Timeout: Specify the time limit (in seconds) imposed when performing directory searches (range is 1 to 30; default is 30).

Retry Interval: Specify the interval (in seconds) after which the system will try to connect to the LDAP server after a previous failed attempt (range is 1 to 3,600; default is 60).

Require SSL/TLS secured connection: Select this option if you want the firewall to use SSL or TLS for communications with the directory server. The protocol depends on the server port:
- 389 (default): TLS (Specifically, the firewall uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
- 636: SSL
- Any other port: The firewall first attempts to use TLS. If the directory server doesn't support TLS, the firewall falls back to SSL.
This option is selected by default.


Verify Server Certificate for SSL sessions: Select this option (cleared by default) if you want the firewall to verify the certificate that the directory server presents for SSL/TLS connections. The firewall verifies the certificate in two respects:
- The certificate is trusted and valid. For the firewall to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under Device > Certificate Management > Certificates > Device Certificates.
- The certificate name must match the host Name of the LDAP server. The firewall first checks the certificate attribute SubjectAltName for matching, then tries the attribute SubjectDN. If the certificate uses the FQDN of the directory server, you must use the FQDN in the LDAP Server field for the name matching to succeed.
If the verification fails, the connection fails. To enable this verification, you must also select Require SSL/TLS secured connection.
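The two checks described above (chain trust, then name matching in SubjectAltName-before-SubjectDN order) and the port-to-transport rule from Require SSL/TLS secured connection, as an added Python simulation that is not Palo Alto Networks code. It works on an already-parsed certificate stand-in (ParsedCert, constructed here) rather than real X.509 data, and the sample names, CA subjects and the "10.1.2.3" mismatch case are all constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class ParsedCert:
    """Fields of an already-parsed server certificate (constructed stand-in
    for a real X.509 parse; no ASN.1 handling here)."""
    subject_dn: str                                   # e.g. "CN=host,O=Org"
    san_dns: list = field(default_factory=list)       # SubjectAltName dNSName
    san_ip: list = field(default_factory=list)        # SubjectAltName iPAddress
    issuer_chain: list = field(default_factory=list)  # CA subjects, leaf issuer first, root last


def transport_for_port(port: int) -> str:
    """Transport the page says 'Require SSL/TLS secured connection' picks per port."""
    if port == 389:
        return "starttls"        # plaintext LDAP upgraded with the StartTLS operation
    if port == 636:
        return "ssl"             # LDAPS: encrypted from the first byte
    return "tls-then-ssl"        # any other port: try TLS, fall back to SSL


def chain_is_trusted(cert: ParsedCert, trusted_ca_subjects: set) -> bool:
    """Root CA and every intermediate must be present in the device certificate store."""
    return bool(cert.issuer_chain) and all(
        ca in trusted_ca_subjects for ca in cert.issuer_chain)


def _cn_from_dn(dn: str) -> Optional[str]:
    """Extract the CN value from a comma-separated DN string."""
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def name_matches(configured_server: str, cert: ParsedCert) -> Optional[str]:
    """Order of checks from the page: SubjectAltName first, then Subject DN.
    Returns the attribute that matched, or None.  Exact, case-insensitive
    comparison only; wildcard names are not handled in this simulation."""
    wanted = configured_server.strip().lower()
    if any(name.lower() == wanted for name in cert.san_dns):
        return "san-dns"
    if wanted in cert.san_ip:
        return "san-ip"
    cn = _cn_from_dn(cert.subject_dn)
    if cn and cn.lower() == wanted:
        return "subject-cn"
    return None


def verify_ldap_server(configured_server: str, port: int, require_tls: bool,
                       verify_cert: bool, cert: ParsedCert,
                       trusted_ca_subjects: set) -> Tuple[bool, str]:
    """Decide whether the connection would be allowed, and why."""
    if verify_cert and not require_tls:
        # The page: verification requires Require SSL/TLS secured connection.
        return False, ("Verify Server Certificate needs Require SSL/TLS "
                       "secured connection")
    if not require_tls:
        return True, "plaintext LDAP, certificate not checked"
    transport = transport_for_port(port)
    if not verify_cert:
        return True, f"{transport} without certificate verification"
    if not chain_is_trusted(cert, trusted_ca_subjects):
        return False, "certificate chain not trusted by the device store"
    matched = name_matches(configured_server, cert)
    if matched is None:
        # Typical cause: LDAP Server field holds an IP while the cert names the FQDN.
        return False, (f"certificate name does not match LDAP Server "
                       f"'{configured_server}'")
    return True, f"{transport}; name matched via {matched}"


# Constructed sample: cert issued to the FQDN, chain of issuing CA + root CA.
SAMPLE_CERT = ParsedCert(
    subject_dn="CN=ldap.example.test,O=Example Corp",
    san_dns=["ldap.example.test", "dc1.example.test"],
    issuer_chain=["CN=Example Issuing CA", "CN=Example Root CA"],
)
DEVICE_STORE = {"CN=Example Issuing CA", "CN=Example Root CA"}

if __name__ == "__main__":
    for server in ("ldap.example.test", "10.1.2.3"):
        print(server, verify_ldap_server(server, 636, True, True,
                                         SAMPLE_CERT, DEVICE_STORE))
```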


Device > Server Profiles > Kerberos

Select Device > Server Profiles > Kerberos or Panorama > Server Profiles > Kerberos to configure a server profile that enables users to natively authenticate to an Active Directory domain controller or a Kerberos V5-compliant authentication server. After configuring a Kerberos server profile you can assign it to an authentication profile (see Device > Authentication Profile). You can use Kerberos to authenticate end users who access your network resources (through GlobalProtect or Captive Portal) and administrators defined locally on the firewall or Panorama.

To use Kerberos authentication, your backend Kerberos server must be accessible over an IPv4 address. IPv6 addresses are not supported.

Kerberos Server Settings    Description

Profile Name: Enter a name to identify the server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location: Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Administrator Use Only: Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared.

Servers: For each Kerberos server, click Add and specify the following settings:
- Name: Enter a name for the server.
- Kerberos Server: Enter the server IPv4 address or FQDN.
- Port: Enter an optional port (range is 1 to 65,535; default is 88) for communication with the server.


Device > Server Profiles > SAML Identity Provider

Use this page to register a Security Assertion Markup Language (SAML) 2.0 identity provider (IdP) with the firewall or Panorama. Registration is a necessary step to enable the firewall or Panorama to function as a SAML service provider, which controls access to your network resources. When administrators and end users request resources, the service provider redirects the users to the IdP for authentication. The end users can be GlobalProtect or Captive Portal users. The administrators can be managed locally on the firewall and Panorama or managed externally in the IdP identity store. You can configure SAML single sign-on (SSO) so that each user can automatically access multiple resources after logging in to one. You can also configure SAML single logout (SLO) so that each user can simultaneously log out of every SSO-enabled service by logging out of any single service.

- Authentication sequences don't support authentication profiles that specify SAML IdP server profiles.
- In most cases, you cannot use SSO to access multiple apps on the same mobile device.
- You cannot enable SLO for Captive Portal users.

The easiest way to create a SAML IdP server profile is to Import a metadata file containing the registration information from the IdP. After saving a server profile with imported values, you can edit the profile to modify the values. If the IdP doesn't provide a metadata file, you can Add the server profile and manually enter the information. After creating a server profile, assign it to an authentication profile (see Device > Authentication Profile) for specific firewall or Panorama services.

SAML Identity Provider Server Settings    Description

Profile Name: Enter a name to identify the server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location: Select the scope in which the profile is available. In the context of a firewall that has multiple virtual systems, select a virtual system or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can't change its Location.

Administrator Use Only: Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared.

Identity Provider ID: Enter an identifier for the IdP. Your IdP provides this information.


Identity Provider Certificate: Select the certificate that the IdP uses to sign SAML messages that it sends to the firewall. To validate the IdP certificate, you must specify a Certificate Profile in any authentication profile that references the IdP server profile (see Device > Authentication Profile).
When generating or importing a certificate and its associated private key, remember that the key usage attributes specified in the certificate control what you can use the key for. If the certificate explicitly lists key usage attributes, one of the attributes must be Digital Signature, which is not available in certificates that you generate on the firewall. In this case, you must Import the certificate and key from your enterprise certificate authority (CA) or a third-party CA. If the certificate doesn't specify key usage attributes, you can use the key for any purpose, including signing messages. In this case, you can use any method to obtain the certificate and key for signing SAML messages.
IdP certificates support the following algorithms:
- Public key algorithms: RSA (1,024 bits or larger) and ECDSA (all sizes). A firewall in FIPS/CC mode supports RSA (2,048 bits or larger) and ECDSA (all sizes).
- Signature algorithms: SHA1, SHA256, SHA384, and SHA512. A firewall in FIPS/CC mode supports SHA256, SHA384, and SHA512.
Palo Alto Networks recommends selecting an IdP certificate to ensure the integrity of messages that the IdP sends to the firewall.

Identity Provider SSO URL: Enter the URL that the IdP advertises for its single sign-on (SSO) service. If you create the server profile by importing a metadata file and the file specifies multiple SSO URLs, the firewall uses the first URL that specifies a POST or redirect binding method.
Palo Alto Networks strongly recommends using a URL that relies on HTTPS, although SAML also supports HTTP.

Identity Provider SLO URL: Enter the URL that the IdP advertises for its single logout (SLO) service. If you create the server profile by importing a metadata file and the file specifies multiple SLO URLs, the firewall uses the first URL that specifies a POST or redirect binding method.
Palo Alto Networks strongly recommends using a URL that relies on HTTPS, although SAML also supports HTTP.

SSO SAML HTTP Binding: Select the HTTP binding associated with the Identity Provider SSO URL. The firewall uses the binding to send SAML messages to the IdP. The options are:
- POST: The firewall sends messages using base64-encoded HTML forms.
- Redirect: The firewall sends base64-encoded and URL-encoded SSO messages within URL parameters.
If you import an IdP metadata file that has multiple SSO URLs, the firewall uses the binding of the first URL that uses the POST or redirect method. The firewall ignores URLs that use other bindings.


SLO SAML HTTP Binding: Select the HTTP binding associated with the Identity Provider SLO URL. The firewall uses the binding to send SAML messages to the IdP. The options are:
- POST: The firewall sends messages using base64-encoded HTML forms.
- Redirect: The firewall sends base64-encoded and URL-encoded SSO messages within URL parameters.
If you import an IdP metadata file that has multiple SLO URLs, the firewall uses the binding of the first URL that uses the POST or redirect method. The firewall ignores URLs that use other bindings.

Identity Provider Metadata: This field displays only if you Import an IdP metadata file that you uploaded to the firewall from the IdP. The file specifies the values and signing certificate for a new SAML IdP server profile. Browse to the file, specify the Profile Name and Maximum Clock Skew, and then click OK to create the profile. Optionally, you can edit the profile to change the imported values.

Validate Identity Provider Certificate: Select this option to have the firewall authenticate the IdP by verifying the Identity Provider Certificate. The verification occurs after you assign the SAML IdP server profile to an authentication profile and Commit the configuration. In the authentication profile, select a Certificate Profile to verify the IdP certificate (see Device > Authentication Profile).

Sign SAML Message to IdP: Select this option to specify that the firewall sign messages it sends to the IdP. The firewall uses the Certificate for Signing Requests that you specify in an authentication profile (see Device > Authentication Profile).
Using a signing certificate ensures the integrity of messages sent to the IdP.

Maximum Clock Skew: Enter the maximum acceptable time difference in seconds between the IdP and firewall system times at the moment when the firewall validates a message that it receives from the IdP (range is 1 to 900; default is 60). If the time difference exceeds this value, the validation (and thus authentication) fails.
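How a Maximum Clock Skew is applied when a service provider validates a message from the IdP, as an added Python example that is not Palo Alto Networks code. The page gives only the range and the failure rule; the specific checks here (IssueInstant within the skew of the local clock, and the Conditions NotBefore/NotOnOrAfter window widened by the skew) are the conventional SAML 2.0 service-provider checks and are an assumption about what is validated. The assertion XML, issuer URL and timestamps are constructed, and the signature check that the Certificate Profile governs is out of scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def make_assertion(issue_instant: str, not_before: str, not_on_or_after: str) -> str:
    """Build a minimal, constructed SAML assertion (no signature element)."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0" '
        f'IssueInstant="{issue_instant}">'
        '<saml:Issuer>https://idp.example.test/metadata</saml:Issuer>'
        f'<saml:Conditions NotBefore="{not_before}" '
        f'NotOnOrAfter="{not_on_or_after}"/>'
        '</saml:Assertion>'
    )


def parse_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime in UTC ('Z' suffix, optional fraction)."""
    v = value.strip()
    if not v.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC with a 'Z' suffix")
    v = v[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in v else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(v, fmt).replace(tzinfo=timezone.utc)


def validate_timing(assertion_xml: str, firewall_now: datetime,
                    max_clock_skew: int = 60) -> Tuple[bool, str]:
    """Apply the skew the way an SP conventionally does (assumption): the
    IssueInstant must lie within +/- skew of the local clock, and the
    Conditions window is widened by skew on each side.  Range and default
    for max_clock_skew are the ones the page gives (1 to 900, default 60)."""
    if not 1 <= max_clock_skew <= 900:
        raise ValueError("Maximum Clock Skew must be between 1 and 900 seconds")
    skew = timedelta(seconds=max_clock_skew)
    root = ET.fromstring(assertion_xml)
    issued = parse_instant(root.get("IssueInstant"))
    # Check 1: message freshness; a difference beyond the skew fails validation.
    if abs(firewall_now - issued) > skew:
        return False, (f"IssueInstant differs from local time by more "
                       f"than {max_clock_skew}s")
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is not None:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        # Check 2: tolerate the IdP clock being ahead of ours by up to skew.
        if not_before and firewall_now + skew < parse_instant(not_before):
            return False, "assertion not yet valid (NotBefore)"
        # Check 3: tolerate the IdP clock being behind ours by up to skew.
        if not_on_or_after and firewall_now - skew >= parse_instant(not_on_or_after):
            return False, "assertion expired (NotOnOrAfter)"
    return True, "timing checks passed"


def utc(*args) -> datetime:
    """Shorthand for an aware UTC datetime."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample: issued at 10:00:00Z, valid from 09:59:30Z until 10:05:00Z.
SAMPLE_ASSERTION = make_assertion("2017-02-06T10:00:00Z",
                                  "2017-02-06T09:59:30Z",
                                  "2017-02-06T10:05:00Z")

if __name__ == "__main__":
    # Same assertion, same firewall clock (2 minutes ahead of the IdP):
    # rejected with the default skew of 60s, accepted with the maximum of 900s.
    for now, skew in ((utc(2017, 2, 6, 10, 0, 45), 60),
                      (utc(2017, 2, 6, 10, 2, 0), 60),
                      (utc(2017, 2, 6, 10, 2, 0), 900)):
        print(now.time(), skew, validate_timing(SAMPLE_ASSERTION, now, skew))
```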


Device > Server Profiles > DNS

To simplify configuration for a virtual system, a DNS server profile allows you to specify the virtual system that is being configured, an inheritance source or the primary and secondary DNS addresses for DNS servers, and the source interface and source address (service route) that will be used in packets sent to the DNS server. The source interface and source address are used as the destination interface and destination address in the reply from the DNS server.
A DNS server profile is for a virtual system only; it is not for the global Shared location.

DNS Server Profile Settings    Description

Name: Name the DNS Server profile.

Location: Select the virtual system to which the profile applies.

Inheritance Source: Select None if the DNS server addresses are not inherited. Otherwise, specify the DNS server from which the profile should inherit settings.

Check inheritance source status: Click to see the inheritance source information.

Primary DNS: Specify the IP address of the primary DNS server.

Secondary DNS: Specify the IP address of the secondary DNS server.

Service Route IPv4: Select this option if you want to specify that packets going to the DNS server are sourced from an IPv4 address.

Source Interface: Specify the source interface that packets going to the DNS server will use.

Source Address: Specify the IPv4 source address from which packets going to the DNS server are sourced.

Service Route IPv6: Select this option if you want to specify that packets going to the DNS server are sourced from an IPv6 address.

Source Interface: Specify the source interface that packets going to the DNS server will use.

Source Address: Specify the IPv6 source address from which packets going to the DNS server are sourced.


Device > Server Profiles > Multi Factor Authentication

Use this page to configure a multi-factor authentication (MFA) server profile that defines how the firewall connects to an MFA server. MFA can protect your most sensitive resources by ensuring that attackers cannot access your network and move laterally through it by compromising a single authentication factor (for example, stealing login credentials). The firewall supports MFA only for end users, not firewall administrators. You can configure an MFA server profile for Duo v2, Okta Adaptive, and PingID MFA. After configuring the server profile, assign it to authentication profiles for the services that require authentication (see Device > Authentication Profile).

- The complete procedure to configure MFA requires additional tasks besides creating a server profile.
- Authentication sequences do not support authentication profiles that specify MFA server profiles.
- If the firewall integrates with your MFA vendor through RADIUS, configure a RADIUS server profile (see Device > Server Profiles > RADIUS). The firewall supports all MFA vendors through RADIUS.

MFA Server Settings    Description

Name: Enter a name to identify the server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location: On a firewall that has more than one virtual system (vsys), select a vsys or the Shared location. After you save the profile, you cannot change its Location.

Certificate Profile: Select the Certificate Profile that specifies the certificate authority (CA) certificate that the firewall will use to validate the MFA server certificate when setting up a secure connection to the server. For details, see Device > Certificate Management > Certificate Profile.


Type/Value: Select an MFA vendor Type and enter a Value for each vendor attribute. The attributes vary by vendor. Refer to your vendor documentation for the correct values.
Duo v2:
- API Host: The hostname of the Duo v2 server.
- Integration Key and Secret Key: The firewall uses these keys to authenticate to the Duo v2 server and to sign authentication requests that it sends to the server. To secure these keys, the master key on the firewall automatically encrypts them so that their plaintext values are not exposed anywhere in the firewall storage. Contact your Duo v2 administrator to obtain the keys.
- Timeout: Enter the time in seconds after which the firewall times out when attempting to communicate with the API Host (range is 5 to 600; default is 30). This interval must be longer than the timeout between the API host and the endpoint device of the user.
- Base URI: If your organization hosts a local authentication proxy server for the Duo v2 server, enter the proxy server URI (default /auth/v2).
Okta Adaptive:
- API Host: The hostname of the Okta server.
- Base URI: If your organization hosts a local authentication proxy server for the Okta server, enter the proxy server URI (default /api/v1).
- Token: The firewall uses this token to authenticate to the Okta server and to sign authentication requests that it sends to the server. To secure the token, the master key on the firewall automatically encrypts it so that its plaintext value is not exposed anywhere in the firewall storage. Contact your Okta administrator to obtain the token.
- Organization: The subdomain for your organization in the API Host.
- Timeout: Enter the time in seconds after which the firewall times out when attempting to communicate with the API Host (range is 5 to 600; default is 30). This interval must be longer than the timeout between the API host and the endpoint device of the user.
PingID:
- Base URI: If your organization hosts a local authentication proxy server for the PingID server, enter the proxy server URI (default /pingid/rest/4).
- Host name: Enter the hostname of the PingID server (default idpxnyl3m.pingidentity.com).
- Use Base64 Key and Token: The firewall uses the key and token to authenticate to the PingID server and to sign authentication requests that it sends to the server. To secure the key and token, the master key on the firewall automatically encrypts them so that their plaintext values are not exposed anywhere in the firewall storage. Contact your PingID administrator to obtain the values.
- PingID Client Organization ID: The PingID identifier for your organization.
- Timeout: Enter the time in seconds after which the firewall times out when attempting to communicate with the PingID server specified in the Host name field (range is 5 to 600; default is 30). This interval must be longer than the timeout between the PingID server and the endpoint device of the user.


Device > Local User Database > Users

You can set up a local database on the firewall to store authentication information for firewall administrators, Captive Portal end users, and end users who authenticate to a GlobalProtect portal and GlobalProtect gateway. Local database authentication requires no external authentication service; you perform all account management on the firewall. After creating the local database and (optionally) assigning the users to groups (see Device > Local User Database > User Groups), you can configure an authentication profile (see Device > Authentication Profile) based on the local database.

You cannot configure password profiles (see Device > Password Profiles) for administrative accounts that use local database authentication.

To Add a local user to the database, configure the settings described in the following table.

Local User Settings    Description

Name: Enter a name to identify the user (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location: Select the scope in which the user account is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the user account, you can't change its Location.

Mode: Use this field to specify the authentication option:
- Password: Enter and confirm a password for the user.
- Password Hash: Enter a hashed password string. This can be useful if, for example, you want to reuse the credentials for an existing Unix account but don't know the plaintext password, only the hashed password. The firewall accepts any string of up to 63 characters regardless of the algorithm used to generate the hash value. The operational CLI command request password-hash password uses the MD5 algorithm when the firewall is in normal mode and the SHA256 algorithm when the firewall is in CC/FIPS mode.
Any Minimum Password Complexity parameters you set for the firewall (Device > Setup > Management) do not apply to accounts that use a Password Hash.

Enable: Select this option to activate the user account.


Device > Local User Database > User Groups

Select Device > Local User Database > User Groups to add user group information to the local database.

Local User Group Settings    Description

Name: Enter a name to identify the group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location: Select the scope in which the user group is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can't select the Location; its value is predefined as Shared (for firewalls) or as Panorama. After you save the user group, you can't change its Location.

All Local Users: Click Add to select the users you want to add to the group.


Device > Scheduled Log Export

You can schedule exports of logs and save them in CSV format to a File Transfer Protocol (FTP) server or use Secure Copy (SCP) to securely transfer data between the firewall and a remote host. Log profiles contain the schedule and FTP server information. For example, a profile may specify that the previous day's logs are collected each day at 3 AM and stored on a particular FTP server.
Click Add and fill in the following details:

Scheduled Log Export Settings    Description

Name: Enter a name to identify the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
You cannot change the name after the profile is created.

Description: Enter an optional description (up to 255 characters).

Enable: Select this option to enable the scheduling of log exports.

Log Type: Select the type of log (traffic, threat, url, data, or hipmatch). Default is traffic.

Scheduled Export Start Time (Daily): Enter the time of day (hh:mm) to start the export using a 24-hour clock (00:00 to 23:59).

Protocol: Select the protocol to use to export logs from the firewall to a remote host:
- FTP: This protocol is not secure.
- SCP: This protocol is secure. After completing the remaining fields, you must click Test SCP server connection to test connectivity between the firewall and the SCP server and you must verify and accept the host key of the SCP server.

Hostname: Enter the hostname or IP address of the FTP server that will be used for the export.

Port: Enter the port number that the FTP server will use. Default is 21.

Path: Specify the path located on the FTP server that will be used to store the exported information.

Enable FTP Passive Mode: Select this option to use passive mode for the export. By default, this option is selected.

Username: Enter the username for access to the FTP server. Default is anonymous.

Password/Confirm Password: Enter the password for access to the FTP server. A password is not required if the user is anonymous.

Test SCP server connection (SCP protocol only): If you set the Protocol to SCP, you must click this button to test connectivity between the firewall and the SCP server and then verify and accept the host key of the SCP server.
If you use a Panorama template to configure the log export schedule, you must perform this step after committing the template configuration to the firewalls. After the template commit, log in to each firewall, open the log export schedule, and click Test SCP server connection.


Device > Software

Select Device > Software to view the available software releases, download or upload a release, install a release (a support license is required), delete a software image from the firewall, or view release notes. Make sure to review the following recommendations before upgrading or downgrading the software version:
- Review the Release Notes to view a description of the changes in a release and to view the migration path to install the software.
- Save a backup of your current configuration since a feature release may migrate certain configurations to accommodate new features. (Select Device > Setup > Operations and select Export named configuration snapshot, select running-config.xml and then click OK to save the configuration file to your computer.)
- When downgrading, it is recommended that you downgrade into a configuration that matches the software version.
- When upgrading a high availability (HA) pair to a new feature release (where the first or second digit in the PAN-OS version changes, for example from 5.0 to 6.0 or from 6.0 to 6.1), the configuration might be migrated to accommodate new features. If session synchronization is enabled, sessions will not be synchronized if one firewall in the cluster is running a different PAN-OS feature release.
- If you need to upgrade a firewall to a PAN-OS maintenance release for which the base release is higher than the currently installed software, you must download (without installing) the base release to the firewall before downloading and installing the maintenance release. For example, to upgrade a firewall from PAN-OS 5.0.12 to PAN-OS 6.0.3, download (without installing) PAN-OS 6.0.0 to the firewall before downloading and installing PAN-OS 6.0.3.
- The date and time settings on the firewall must be current. PAN-OS software is digitally signed and the firewall checks the signature before installing a new version. If the date setting on the firewall is not current, the firewall might perceive the software signature to be erroneously in the future and will display the following message:
Decrypt failed: GnuPG edit non-zero, with code 171072 Failed to load into PAN software manager.

The following table provides help for using the Software page.

Software Options Fields    Description

Version: Lists the software versions that are currently available on the Palo Alto Networks Update Server. To check if a new software release is available from Palo Alto Networks, click Check Now. The firewall uses the service route to connect to the Update Server, checks for new versions and, if there are updates available, displays them at the top of the list.

Size: Indicates the size of the software image.

Release Date: Indicates the date and time Palo Alto Networks made the release available.

Available: Indicates that the corresponding version of the software image is uploaded or downloaded to the firewall.

Currently Installed: Indicates whether the corresponding version of the software image is activated and is currently running on the firewall.


Action: Indicates the current action you can take for the corresponding software image as follows:
- Download: The corresponding software version is available on the Palo Alto Networks Update Server; click to Download an available software version.
- Install: The corresponding software version has been downloaded or uploaded to the firewall; click to Install the software. A reboot is required to complete the upgrade process.
- Reinstall: The corresponding software version was installed previously; click to Reinstall the same version.

Release Notes: Provides a link to the release notes for the corresponding software update. This link is only available for updates that you download from the Palo Alto Networks Update Server: it is not available for uploaded updates.

(delete icon): Removes the previously downloaded or uploaded software image from the firewall. You would only want to delete the base image for older releases that will not need upgrading. For example, if you are running 7.0, you can remove the base image for 6.1 unless you think you might need to downgrade.

Check Now: Checks whether a new software update is available from Palo Alto Networks.

Upload: Imports a software update image from a computer that the firewall can access. Typically, you perform this action if the firewall doesn't have Internet access, which is required when downloading updates from the Palo Alto Networks Update Server. For uploads, use an Internet-connected computer to visit the Palo Alto Networks website, download the software image from the Support site (Software Updates), download the update to your computer, select Device > Software on the firewall and Upload the software image. In a high availability (HA) configuration, you can select Sync To Peer to push the imported software image to the HA peer. After the upload, the Software page displays the same information (for example, version and size) and Install/Reinstall options for uploaded and downloaded software. The Release Notes option is not active for uploaded software.


Device > Dynamic Updates

Device > Dynamic Updates
Panorama > Dynamic Updates

Palo Alto Networks regularly posts updates for application detection, threat protection, and GlobalProtect data files through dynamic updates as follows:
- Antivirus: Includes new and updated antivirus signatures, including WildFire signatures and automatically generated command-and-control (C2) signatures. WildFire signatures detect malware first seen by firewalls from around the world. Automatically generated C2 signatures detect certain patterns in C2 traffic (instead of the C2 server sending malicious commands to a compromised system); these signatures enable the firewall to detect C2 activity even when the C2 host is unknown or changes rapidly. You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
- Applications: Includes new and updated application signatures. This update does not require any additional subscriptions, but it does require a valid maintenance/support contract. New application updates are published weekly.
- Applications and Threats: Includes new and updated application and threat signatures. This update is available if you have a Threat Prevention subscription (and in this case you will get this update instead of the Applications update). New Applications and Threats updates are published weekly, and you can set the firewall to retrieve the latest updates within 30 minutes of availability. You can also choose to install only the new threat signatures in a content release version. You are prompted with this option both when installing a content release and when setting the schedule to automatically install content release versions. This option allows you to benefit from new threat signatures immediately; you can then review the policy impact for new application signatures and make any necessary policy updates before enabling them.
- GlobalProtect Data File: Contains the vendor-specific information for defining and evaluating host information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect gateway subscription in order to receive these updates. In addition, you must create a schedule for these updates before GlobalProtect will function.
- GlobalProtect Clientless VPN: Contains new and updated application signatures to enable Clientless VPN access to common web applications from the GlobalProtect portal. You must have a GlobalProtect subscription to receive these updates. In addition, you must create a schedule for these updates before GlobalProtect Clientless VPN will function.
- BrightCloud URL Filtering: Provides updates to the BrightCloud URL Filtering database only. You must have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are published daily. If you have a PAN-DB license, scheduled updates are not required as firewalls remain in sync with the servers automatically.
- WildFire: Provides near-real-time malware and antivirus signatures created as a result of the analysis done by the WildFire public cloud. WildFire signature updates are made available every five minutes. You can set the firewall to check for new updates as frequently as every minute to ensure that the firewall retrieves the latest WildFire signatures within a minute of availability. Without the WildFire subscription, you must wait 24 to 48 hours for the WildFire signatures to roll into the Applications and Threat update. Select Device > Setup > WildFire to enable WildFire Public Cloud analysis.


WFPrivateProvidesnearrealtimemalwareandantivirussignaturescreatedasaresultoftheanalysis
donebyaWF500appliance.ToreceivecontentupdatesfromaWF500appliance,thefirewalland
appliancemustbothberunningPANOS6.1oralaterreleaseandthefirewallmustbeconfiguredto
forwardfilesandemaillinkstotheWildFirePrivateCloud.SelectDevice>Setup>WildFiretoenable
WildFirePrivateCloudanalysis.
Youcanviewthelatestupdates,readthereleasenotesforeachupdate,andthenselecttheupdateyouwant
todownloadandinstall.Youcanalsoreverttoapreviouslyinstalledversionofanupdate.
IfyouaremanagingyourfirewallsusingPanoramaandwanttoscheduledynamicupdatesforoneormore
firewalls,seeScheduleDynamicContentUpdates.

Dynamic Updates Options    Description

Version
  Lists the versions that are currently available on the Palo Alto Networks Update Server. To check if a new software release is available from Palo Alto Networks, click Check Now. The firewall uses the service route to connect to the Update Server and checks for new content release versions and, if there are updates available, displays them at the top of the list.

Last checked
  Displays the date and time that the firewall last connected to the update server and checked if an update was available.

Schedule
  Allows you to schedule the frequency for retrieving updates. You can define how often and when the dynamic content updates occur (the Recurrence and time) and whether to Download Only or to Download and Install the scheduled updates on the firewall.
  When scheduling recurring downloads and installations for content updates, you can choose to Disable new apps in content update. This option enables protection against the latest threats, while giving you the flexibility to enable applications after preparing policy updates that might be necessary for applications that are newly identified and possibly treated differently following the update. (To later enable applications that are automatically disabled for scheduled content updates, select Apps, Threats on the Dynamic Updates page or select Objects > Applications.)
  In rare instances, there can be an error in a content update. You can reduce the chance of being impacted by an unexpected issue by delaying updates to new versions until content updates have been released for a specified number of hours. To delay updates to new content versions, add a Threshold (hours) value. For example, if you specify a threshold of 48 hours and your firewall is configured to download and install updates every hour, the firewall will query the update server every hour but will not download and install a new update until that update has remained available for more than 48 hours.

File Name
  Lists the file name; it includes the content version information.

Features
  Lists what type of signatures the content version might include. For Applications and Threats content release versions, this field might display an option to review Apps, Threats. Click this option to view new application signatures made available since the last content release version installed on the firewall. You can also use the New Applications dialog to Enable/Disable new applications. You might choose to disable a new application included in a content release if you want to avoid any policy impact from an application being uniquely identified (an application might be treated differently before and after a content installation if a previously unknown application is identified and categorized differently).

Type
  Indicates whether the download includes a full database update or an incremental update.

Size
  Displays the size of the content update package.

Release Date
  The date and time Palo Alto Networks made the content release available.

Downloaded
  A check mark in this column indicates that the corresponding content release version has been downloaded to the firewall.

Currently Installed
  A check mark in this column indicates that the corresponding content release version is currently running on the firewall.

Action
  Indicates the current action you can take for the corresponding software image as follows:
  • Download: The corresponding content release version is available on the Palo Alto Networks Update Server; click to Download the content release version. If the firewall does not have access to the Internet, use an Internet-connected computer to go to the Dynamic Updates site to look for and Download the content release version to your local computer. Then manually Upload the software image to the firewall. Additionally, downloading an Application and Threat content release version enables the option to Review Policies that are affected by new application signatures included with the release.
  • Review Policies (Application and Threat content only): Review any policy impact for new applications included in a content release version. Use this option to assess the treatment an application receives both before and after installing a content update. You can also use the Policy Review dialog to add or remove a pending application (an application that is downloaded with a content release version but is not installed on the firewall) to or from an existing Security policy rule; policy changes for pending applications do not take effect until the corresponding content release version is installed.
  • Install: The corresponding content release version has been downloaded to the firewall; click to Install the update. When installing a new Applications and Threats content release version, you are prompted with the option to Disable new apps in content update. This option enables protection against the latest threats, while giving you the flexibility to enable applications after preparing any policy updates, due to the impact of new application signatures (to enable applications you have previously disabled, select Apps, Threats on the Dynamic Updates page or select Objects > Applications).
  • Revert: The corresponding content release version has been downloaded previously. To reinstall the same version, click Revert.

Documentation
  Provides a link to the release notes for the corresponding version.

  Remove the previously downloaded content release version from the firewall.

Upload
  If the firewall does not have access to the Palo Alto Networks Update Server, you can manually download dynamic updates from the Palo Alto Networks Support site in the Dynamic Updates section. After you download an update to your computer, Upload the update to the firewall. You then select Install From File and select the file you downloaded.

Install From File
  After you manually upload an update file to the firewall, use this option to install the file. In the Package Type drop-down, select the type of update you are installing (Application and Threats, Antivirus, or WildFire), click OK, select the file you want to install and then click OK again to start the installation.
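The Threshold (hours) deferral described under Schedule, as an added example that is not Palo Alto Networks code and not the firewall's implementation: a small Python model of a firewall that checks the update server every hour but only installs a content release once it has remained available for longer than the threshold. The ContentRelease structure, the "<major>-<build>" version format, the withdrawn field and the sample release timeline are constructed assumptions for illustration; the point they show is that a release pulled from the server before the threshold elapses is never installed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class ContentRelease:
    """One content release as seen on the update server (constructed model)."""
    version: str                          # assumed "<major>-<build>" format
    released: datetime                    # when it appeared on the server
    withdrawn: Optional[datetime] = None  # when it was pulled, if ever


def version_key(version: str):
    """Order versions numerically on each dash-separated part."""
    return tuple(int(part) for part in version.split("-"))


def is_available(release: ContentRelease, now: datetime) -> bool:
    """A release is available while it is published and not yet withdrawn."""
    return release.released <= now and (release.withdrawn is None or now < release.withdrawn)


def eligible_version(releases: List[ContentRelease], now: datetime,
                     threshold_hours: int, installed: Optional[str] = None
                     ) -> Optional[ContentRelease]:
    """Newest release that is newer than `installed` and has remained
    available for more than `threshold_hours`; None if nothing qualifies.

    A release withdrawn before the threshold elapses never becomes eligible,
    which is exactly what the delay is for.
    """
    cutoff = now - timedelta(hours=threshold_hours)
    candidates = [
        r for r in releases
        if is_available(r, now) and r.released < cutoff
        and (installed is None or version_key(r.version) > version_key(installed))
    ]
    return max(candidates, key=lambda r: version_key(r.version), default=None)


def hourly_schedule(releases: List[ContentRelease], start: datetime,
                    checks: int, threshold_hours: int) -> List[Optional[str]]:
    """Simulate a Download and Install schedule with hourly Recurrence.

    Returns the installed version after each hourly check (None until the
    first install), so the caller can see when each release landed.
    """
    installed: Optional[str] = None
    history: List[Optional[str]] = []
    for hour in range(checks):
        now = start + timedelta(hours=hour)
        pick = eligible_version(releases, now, threshold_hours, installed)
        if pick is not None:
            installed = pick.version
        history.append(installed)
    return history


# Constructed timeline: 650-3702 is published and then pulled 20 hours later.
T0 = datetime(2017, 2, 6, 0, 0)
SAMPLE_RELEASES = [
    ContentRelease("650-3701", T0),
    ContentRelease("650-3702", T0 + timedelta(hours=30), withdrawn=T0 + timedelta(hours=50)),
    ContentRelease("650-3703", T0 + timedelta(hours=60)),
]


if __name__ == "__main__":
    for threshold in (0, 48):
        history = hourly_schedule(SAMPLE_RELEASES, T0, 120, threshold)
        changes = [(h, v) for h, v in enumerate(history) if h == 0 or v != history[h - 1]]
        print(f"threshold={threshold}h installs at (hour, version): {changes}")
```

With a threshold of 0 the firewall installs 650-3702 at hour 31 and is exposed to it until it is pulled; with a threshold of 48 it installs 650-3701 at hour 49, skips 650-3702 entirely, and moves to 650-3703 at hour 109. The cost of the delay is the window between a release appearing and being installed, which is why the page pairs the threshold with an hourly schedule rather than a daily one.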

Device > Licenses

Select Device > Licenses to activate licenses on all firewall models. When you purchase a subscription from Palo Alto Networks, you receive an authorization code to activate one or more license keys.
On the VM-Series firewall, this page also allows you to deactivate a virtual machine (VM).
The following actions are available on the Licenses page:
• Retrieve license keys from license server: Select to enable purchased subscriptions that require an authorization code and have been activated on the support portal.
• Activate feature using authorization code: Select to enable purchased subscriptions that require an authorization code and have not been previously activated on the support portal. Then enter your authorization code, and click OK.
• Manually upload license key: If the firewall does not have connectivity to the license server and you want to upload license keys manually, download the license key file from https://support.paloaltonetworks.com, and save it locally. Click Manually upload license key, click Browse, select the file, and then click OK.

  To enable licenses for URL filtering, you must install the license, download the database, and click Activate. If you are using PAN-DB for URL Filtering, you will need to Download the initial seed database first and then Activate.
  You can also run the CLI command request url-filtering download paloaltonetworks region <region name>.

• Deactivate VM: This option is available on the VM-Series firewall with the Bring Your Own License model that supports perpetual and term-based licenses; the on-demand license model does not support this functionality.
  Click Deactivate VM when you no longer need an instance of the VM-Series firewall. It allows you to free up all active licenses (subscription licenses, VM Capacity licenses, and support entitlements) using this option. The licenses are credited back to your account and you can then apply the licenses on a new instance of a VM-Series firewall when you need it.
  When the license is deactivated, the VM-Series firewall functionality is disabled and the firewall is in an unlicensed state. However, the configuration remains intact.
  - Click Continue Manually if the VM-Series firewall does not have direct internet access. The firewall generates a token file. Click Export license token to save the token file to your local computer and then reboot the firewall. Log in to the Palo Alto Networks Support portal, select Assets > Devices, and Deactivate VM to use this token file and complete the deactivation process.
  - Click Continue to deactivate the licenses on the VM-Series firewall. Click Reboot Now to complete the license deactivation process.
  - Click Cancel if you want to cancel and close the Deactivate VM window.
ClickCancelifyouwanttocancelandclosetheDeactivateVMwindow.
• Upgrade VM Capacity: This option allows you to upgrade the capacity of your currently licensed VM-Series firewall. Upon upgrading the capacity, the VM-Series firewall retains all configuration and subscriptions it had prior to the upgrade.
  - If your firewall has connectivity to the license server: Select Authorization Code, enter your authorization code in the Authorization Code field, and click Continue to initiate the capacity upgrade.
  - If your firewall does not have connectivity to the license server: Select License Key, click Complete Manually to generate a token file, and save the token file to your local computer. Then log in to the Palo Alto Networks Support portal, select Assets > Devices, and Deactivate License(s) to use the token file. Download the license key for your VM-Series firewall to your local computer, add the license key to the firewall, and click Continue to complete the capacity upgrade.
  - If your firewall has connectivity to the license server but you do not have an Authorization Code: Select Fetch from license server, upgrade the firewall's capacity license on the license server before you attempt to upgrade the capacity, and then, after you verify that the license is upgraded on the license server, click Continue to initiate the capacity upgrade.

Behavior on License Expiry

Contact the Palo Alto Networks operations team or sales for information on renewing your licenses/subscriptions.
• If the Threat Prevention subscription on the firewall expires, the following will occur:
  - A system log entry is generated; the entry states that the subscription has expired.
  - All threat prevention features will continue to function using the signatures that were installed at the time the license expired.
  - New signatures cannot be installed until a valid license is installed. Also, the ability to roll back to a previous version of the signatures is not supported if the license is expired.
  - Custom App-ID signatures will continue to function and can be modified.
• If the support license expires, threat prevention and threat prevention updates will continue to function normally.
• If your support entitlement expires, software updates will not be available. You will need to renew your license to continue access to software updates and to interact with the technical support group.
• If a term-based VM capacity license expires, you cannot obtain software or content updates on the firewall until you renew the license. Although you might have a valid subscription (threat prevention or WildFire, for example) and support license, you must have a valid capacity license to obtain the latest software or content updates.

Device > Support

Device > Support
Panorama > Support
Select Device > Support or Panorama > Support to access support-related options. You can view the Palo Alto Networks contact information, view your support expiration date, and view product and security alerts from Palo Alto Networks based on the serial number of your firewall.
Perform any of the following functions on this page:
• Support: Provides information on the support status of the device and provides a link to activate support using an authorization code.
• Production Alerts/Application and Threat Alerts: These alerts will be retrieved from the Palo Alto Networks update servers when this page is accessed/refreshed. To view the details of production alerts, or application and threat alerts, click the alert name. Production alerts will be posted if there is a large-scale recall or urgent issue related to a given release. The application and threat alerts will be posted if significant threats are discovered.
• Links: Provides common support links to help you manage your device and to access support contact information.
• Tech Support File: Click Generate Tech Support File to generate a system file that the support team can use to help troubleshoot issues that you may be experiencing with the firewall. After you generate the file, Download Tech Support File and then send it to the Palo Alto Networks Support department.

  If your browser is configured to automatically open files after download, you should turn off that option so the browser downloads the support file instead of attempting to open and extract it.

• Stats Dump File: Click Generate Stats Dump File to generate a set of XML reports that summarizes network traffic over the last 7 days. After the report is generated, you can Download Stats Dump File. The Palo Alto Networks or Authorized Partner systems engineer uses the report to generate an Application Visibility and Risk Report (AVR Report). The AVR highlights what has been found on the network and the associated business or security risks that may be present and is typically used as part of the evaluation process. For more information on the AVR Report, please contact your Palo Alto Networks or Authorized Partner systems engineer.
• Core Files: If your firewall experiences a system process failure, it will generate a core file that contains details about the process and why it failed. Click the Download Core Files link to view a list of available core files and then click a core file name to download it. After you download the file, upload it to a Palo Alto Networks support case to obtain assistance in resolving the issue.

  The contents of the core files can be interpreted only by a Palo Alto Networks support engineer.

Device > Master Key and Diagnostics

Select Device > Master Key and Diagnostics or Panorama > Master Key and Diagnostics to configure the master key that encrypts all passwords and private keys on the firewall or Panorama (such as the RSA key for authenticating administrators who access the CLI). Encrypting passwords and keys improves security by ensuring their plaintext values are not exposed anywhere on the firewall or Panorama.

The only way to restore the default master key is to perform a factory reset.

Palo Alto Networks recommends you configure a new master key instead of using the default key, store the key in a safe location, and periodically change it. For extra privacy, you can use a hardware security module to encrypt the master key (see Device > Setup > HSM). Configuring a unique master key on each firewall or Panorama management server ensures that an attacker who learns the master key for one appliance cannot access the passwords and private keys on any of your other appliances. However, you must use the same master key across multiple appliances in the following cases:
• High availability (HA) configurations: If you deploy firewalls or Panorama in an HA configuration, use the same master key on both firewalls or Panorama management servers in the pair. Otherwise, HA synchronization does not work.
• Panorama pushes configurations to firewalls: If you use Panorama to push configurations to managed firewalls, use the same master key on Panorama and the managed firewalls. Otherwise, push operations from Panorama will fail.
To configure a master key, edit the Master Key settings and use the following table to determine the appropriate values:

Master Key and Diagnostics Settings    Description

Current Master Key
  Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall.

New Master Key
Confirm Master Key
  To change the master key, enter a 16-character string and confirm the new key.

Life Time
  Specify the number of Days and Hours after which the master key expires (range is 1 to 730 days).
  You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then perform a factory reset.

Time for Reminder
  Enter the number of Days and Hours before the master key expires when the firewall generates an expiration alarm. The firewall automatically opens the System Alarms dialog to display the alarm.
  To ensure the expiration alarm displays, select Device > Log Settings, edit the Alarm Settings, and Enable Alarms.

Stored on HSM
  Enable this option only if the master key is encrypted on a Hardware Security Module (HSM). You cannot use HSM on a dynamic interface such as a DHCP client or PPPoE.
  The HSM configuration is not synchronized between peer firewalls in HA mode. Therefore, each peer in an HA pair can connect to a different HSM source. If you are using Panorama and need to keep both peer configurations in sync, use Panorama templates to configure the HSM source on the managed firewalls.
  The PA-200, PA-220, and PA-500 firewalls do not support HSM.

Common Criteria
  In Common Criteria mode, additional options are available to run a cryptographic algorithm self-test and software integrity self-test. A scheduler is also included to specify the times at which the two self-tests will run.

User Identification
Device > User Identification
User Identification (User-ID) is a Palo Alto Networks next-generation firewall feature that seamlessly integrates with a range of enterprise directory and terminal services to tie application activity and policies to usernames and groups instead of just IP addresses. Configuring User-ID enables the Application Command Center (ACC), App Scope, reports, and logs to include usernames in addition to user IP addresses. You can configure the following agents to map IP addresses to usernames and map usernames to user groups:
• PAN-OS integrated User-ID agents running on the firewall.
• Windows-based User-ID agents installed on directory servers in your network.
• Terminal Services (TS) agents installed on Windows/Citrix terminal servers and that map usernames to ports on systems where multiple users have the same IP address.
You can configure several methods for collecting user and group mapping information, including server monitoring, syslog message parsing, port mapping, X-Forwarded-For (XFF) headers, and Captive Portal authentication. In a network with multiple firewalls and hundreds of user identification sources or users who rely on local sources for authentication but who access remote resources, you can simplify User-ID management by configuring user mapping redistribution among firewalls.
If the firewall has multiple virtual systems, each virtual system requires a separate User-ID configuration; by default, virtual systems don't share user mapping information, though you can configure them for redistribution. When configuring User-ID, select the virtual system in the Location drop-down at the top of the Device > User Identification page.

What are you looking for?    See:

• Configure the PAN-OS integrated User-ID agent to map IP addresses to usernames: Device > User Identification > User Mapping
• Configure the firewall to authenticate with Windows User-ID Agents: Device > User Identification > Connection Security
• Configure the firewall to receive user mapping information from Windows-based User-ID agents or from Panorama, Log Collectors, or other firewalls: Device > User Identification > User-ID Agents
• Configure user mapping in deployments where multiple users on a system have the same IP address: Device > User Identification > Terminal Services Agents
• Configure username-to-group mapping: Device > User Identification > Group Mapping Settings
• Use Captive Portal to force users to authenticate: Device > User Identification > Captive Portal Settings

Looking for more? User-ID
Device > User Identification > User Mapping

Configure the PAN-OS integrated User-ID agent that runs on the firewall to map IP addresses to usernames.

What are you looking for?    See:

• Configure the PAN-OS integrated User-ID agent. These settings define the methods that the User-ID agent uses to perform user mapping:
  - Enable the User-ID agent to monitor server logs for user mapping information: Enable Server Monitoring.
  - Ensure that the firewall has the most current user mapping information as users roam and obtain new IP addresses: Configure Cache Timeouts for User Mapping Entries.
  - Enable firewalls to share user and group mapping information to simplify User-ID management: Enable Redistribution of User Mappings Among Firewalls.
  - Configure the User-ID agent to parse syslog messages for user mapping information: Manage Syslog Message Filters.
  - Configure the User-ID agent to omit specific usernames from the mapping process: Manage the User Ignore List.
  - Enable NT LAN Manager (NTLM) authentication for user mapping through Captive Portal: Enable NTLM Authentication.
  - Enable the User-ID agent to use Windows Management Instrumentation (WMI) to probe client systems and monitoring servers for user mapping information: Enable WMI Authentication.
  - Enable the User-ID agent to probe client systems for user mapping information: Enable Client Probing.
• Manage access to the servers that the User-ID agent monitors for user mapping information: Monitor Servers
• Manage the subnetworks that the firewall includes or excludes when mapping IP addresses to usernames: Include or Exclude Subnetworks for User Mapping

Looking for more? Configure User Mapping Using the PAN-OS Integrated User-ID Agent.

Enable WMI Authentication

Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > WMI Authentication
To configure the PAN-OS integrated User-ID agent to use Windows Management Instrumentation (WMI) for probing client systems and monitoring Microsoft Exchange servers and domain controllers for user mapping information, complete the following fields.

Because WMI probing trusts data that is reported back from an endpoint, Palo Alto Networks recommends that you do not use this method to obtain User-ID mapping information in a high-security network. If you configure the User-ID agent to obtain mapping information by parsing Active Directory (AD) security event logs or syslog messages, or using the XML API, Palo Alto Networks recommends you disable WMI probing.
If you do use WMI probing, do not enable it on external, untrusted interfaces. Doing so causes the agent to send WMI probes containing sensitive information such as the username, domain name, and password hash of the User-ID agent service account outside of your network. An attacker could potentially exploit this information to penetrate and gain further access to your network.

WMI Authentication Settings    Description

User Name
Password/Confirm Password
  Enter the domain credentials (User Name and Password) for the account that the firewall will use to access Windows resources. The account requires permissions to perform WMI queries on client computers and to monitor Microsoft Exchange servers and domain controllers. Use domain\username syntax for the User Name.

The complete procedure to configure the PAN-OS integrated User-ID agent to monitor servers and probe clients requires additional tasks besides defining the WMI authentication settings.

Enable Client Probing

Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Client Probing
You can configure the User-ID agent to perform WMI client probing for each client system that the user mapping process identifies. The User-ID agent will periodically probe each learned IP address to verify that the same user is still logged in. When the firewall encounters an IP address for which it has no user mapping, it sends the address to the User-ID agent for an immediate probe. To configure client probing settings, complete the following fields.

Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients.
The complete procedure to configure the PAN-OS integrated User-ID agent to probe clients requires additional tasks besides configuring the client probing settings.
The PAN-OS integrated User-ID agent does not support NetBIOS probing but the Windows-based User-ID agent does support it.

Client Probing Settings    Description

Enable Probing
  Select this option to enable WMI probing.

Probe Interval (min)
  Enter the probe interval in minutes (range is 1 to 1440; default is 20). This is the interval between when the firewall finishes processing the last request and when it starts the next request.
  In large deployments, it is important to set the interval properly to allow time to probe each client that the user mapping process identified. For example, if you have 6,000 users and an interval of 10 minutes, it would require 10 WMI requests per second from each client.
  If the probe request load is high, the observed delay between requests might significantly exceed the interval you specify.

Enable Server Monitoring

Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor
To enable the User-ID agent to map IP addresses to usernames by searching for logon events in the security event logs of servers, configure the settings described in the following table.

If the query load is high for Windows server logs, Windows server sessions, or eDirectory servers, the observed delay between queries might significantly exceed the specified frequency or interval.
The complete procedure to configure the PAN-OS integrated User-ID agent to monitor servers requires additional tasks besides configuring the server monitoring settings.

Server Monitoring Settings    Description

Enable Security Log
  Select this option to enable security log monitoring on Windows servers.

Server Log Monitor Frequency (sec)
  Specify the frequency in seconds at which the firewall will query Windows server security logs for user mapping information (range is 1 to 3600; default is 2). This is the interval between when the firewall finishes processing the last query and

Enable Session
  Select this option to enable monitoring of user sessions on the monitored servers. Each time a user connects to a server, a session is created; the firewall can use this information to identify the user IP address.
  Do not Enable Session. This setting requires that the User-ID agent have an Active Directory account with Server Operator privileges so that it can read all user sessions. Instead, you should use a Syslog or XML API integration to monitor sources that capture login and logout events for all device types and operating systems (instead of only Windows operating systems), such as wireless controllers and NACs.

Server Session Read Frequency (sec)
  Specify the frequency in seconds at which the firewall will query Windows server user sessions for user mapping information (range is 1 to 3600; default is 10). This is the interval between when the firewall finishes processing the last query and when it starts the next query.

Novell eDirectory Query Interval (sec)
  Specify the frequency in seconds at which the firewall will query Novell eDirectory servers for user mapping information (range is 1 to 3600; default is 30). This is the interval between when the firewall finishes processing the last query and when it starts the next query.

Syslog Service Profile
  Select an SSL/TLS service profile that specifies the certificate and allowed SSL/TLS versions for communications between the firewall and any syslog senders that the User-ID agent monitors. For details, see Device > Certificate Management > SSL/TLS Service Profile and Manage Syslog Message Filters. If you select none, the firewall uses its predefined, self-signed certificate.

Configure Cache Timeouts for User Mapping Entries

Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Cache
To ensure that the firewall has the most current user mapping information as users roam and obtain new IP addresses, configure timeouts for clearing user mappings from the firewall cache. This timeout applies to user mappings learned through any method except Captive Portal. For mappings learned through Captive Portal, set the timeout in the Captive Portal Settings (Device > User Identification > Captive Portal Settings, Timer and Idle Timer fields).

Cache Settings    Description

Enable User Identification Timeout
  Select this option to enable a timeout value for user mapping entries. When the timeout value is reached for an entry, the firewall clears it and collects a new mapping. This ensures that the firewall has the most current information as users roam and obtain new IP addresses.

User Identification Timeout (min)
  Set the timeout value in minutes for user mapping entries (range is 1 to 3,600; default is 45).
  If you configure firewalls to redistribute mapping information, each firewall clears the mapping entries it receives based on the timeout you set on that firewall, not on the timeouts set in the forwarding firewalls.
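The cache timeout and redistribution behaviour described above, as an added example that is not Palo Alto Networks code and not the firewall's implementation: a Python model of the user mapping cache in which an entry is cleared once it is older than the User Identification Timeout, and a redistributed entry is timed against the receiving firewall's own timeout rather than the forwarder's. The class and method names, the two firewall names and the sample mapping are constructed assumptions; the 45-minute default and the 1 to 3,600 range are the values stated on the page.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


class UserMappingCache:
    """IP-to-username cache with User Identification Timeout semantics.

    Constructed model for illustration. Entries learned by any method except
    Captive Portal are cleared once they are older than the timeout, so the
    firewall collects a fresh mapping for that address.
    """

    def __init__(self, name: str, timeout_min: int = 45):   # 45 is the page's default
        if not 1 <= timeout_min <= 3600:                     # page's stated range
            raise ValueError("User Identification Timeout must be 1 to 3,600 minutes")
        self.name = name
        self.timeout = timedelta(minutes=timeout_min)
        self._entries: Dict[str, Tuple[str, datetime]] = {}

    def learn(self, ip: str, username: str, now: datetime) -> None:
        """Record (or refresh) a mapping; the clock starts on this firewall."""
        self._entries[ip] = (username, now)

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        """Username for ip, or None if unknown or expired (expired entries are cleared)."""
        entry = self._entries.get(ip)
        if entry is None:
            return None
        username, learned_at = entry
        if now - learned_at >= self.timeout:
            del self._entries[ip]      # timeout reached: clear, a new mapping is collected later
            return None
        return username

    def export_mappings(self, now: datetime) -> Dict[str, str]:
        """Live mappings this firewall would redistribute to another firewall."""
        live: Dict[str, str] = {}
        for ip in list(self._entries):
            username = self.lookup(ip, now)
            if username is not None:
                live[ip] = username
        return live

    def receive(self, mappings: Dict[str, str], now: datetime) -> None:
        """Accept redistributed mappings. Each is timed against this firewall's
        own timeout from the moment of receipt, not the forwarder's timeout."""
        for ip, username in mappings.items():
            self.learn(ip, username, now)


def mapping_survives(timeout_min: int, age_min: int) -> bool:
    """True if a mapping learned age_min minutes ago is still served."""
    t0 = datetime(2017, 2, 6, 9, 0)                         # constructed clock
    cache = UserMappingCache("probe", timeout_min)
    cache.learn("10.0.0.1", "user", t0)
    return cache.lookup("10.0.0.1", t0 + timedelta(minutes=age_min)) is not None


def redistribution_demo() -> Dict[str, Optional[str]]:
    """Two firewalls with different timeouts sharing one constructed mapping."""
    t0 = datetime(2017, 2, 6, 9, 0)                         # constructed clock
    forwarder = UserMappingCache("fw-edge", timeout_min=45)
    receiver = UserMappingCache("fw-core", timeout_min=10)
    ip, user = "192.168.0.212", "domain\\johndoe_4"         # constructed mapping
    forwarder.learn(ip, user, t0)
    receiver.receive(forwarder.export_mappings(t0), t0)
    return {
        "forwarder_at_20min": forwarder.lookup(ip, t0 + timedelta(minutes=20)),  # still live
        "receiver_at_20min": receiver.lookup(ip, t0 + timedelta(minutes=20)),    # cleared at 10
        "forwarder_at_45min": forwarder.lookup(ip, t0 + timedelta(minutes=45)),  # cleared
    }


if __name__ == "__main__":
    print(redistribution_demo())
```

The receiving firewall drops the redistributed entry after its own 10 minutes even though the forwarder still serves it for 45, which is the behaviour the note above describes; a short timeout on a receiving firewall therefore forces it to re-learn (or be re-sent) mappings more often, not to inherit the forwarder's lifetime.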

Enable NTLM Authentication

Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > NTLM
You can use NT LAN Manager (NTLM) to authenticate only Windows users. When a client web request matches an Authentication policy rule in which the authentication enforcement object specifies a browser challenge (see Policies > Authentication), an NTLM challenge transparently authenticates the client. The firewall then collects user mapping information from the NTLM domain.
You can enable NTLM authentication processing for only one virtual system per firewall, which you select in the Location drop-down at the top of the User Mapping page.
Optionally, you can use the firewall to perform NTLM authentication processing for other firewalls by adding it as a User-ID agent to those firewalls. For details, see Configure Access to User-ID Agents.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent. For details, see the NTLM Authentication field in Device > User Identification > Captive Portal Settings.

Configure Authentication rules to use Kerberos single sign-on instead of NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and does not require the firewall to have an administrative account to join the domain. For details on configuring the authentication methods for Authentication rules, see Objects > Authentication.
The complete procedures to configure Captive Portal or Windows-based User-ID agents require additional tasks besides enabling NTLM.

To configure NTLM authentication processing, specify the settings described in the following table.

Field    Description

Enable NTLM authentication processing
  Select this option to enable NTLM authentication processing.

NTLM Domain
  Enter the NTLM domain name.

Admin User Name (for the NTLM domain)
  Enter the administrator account that has access to the NTLM domain.
  Do not include the domain in the Admin User Name field. Otherwise, the firewall will fail to join the domain.

Password/Confirm Password (for the NTLM domain)
  Enter the password for the administrator account that has access to the NTLM domain.

Enable Redistribution of User Mappings Among Firewalls

Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Redistribution
To enable a firewall or virtual system to serve as a User-ID agent that redistributes user mapping information along with the timestamps associated with authentication challenges, configure the settings described in the following table. When you later connect this firewall to an appliance (such as Panorama) that will receive the mapping information and timestamps, the appliance uses these fields to identify the firewall or virtual system as a User-ID agent.

The complete procedure to configure firewalls to redistribute user mapping information and authentication timestamps requires additional tasks besides specifying the redistribution settings.
By default, a firewall with multiple virtual systems doesn't redistribute user mapping information across its virtual systems, though you can configure them for redistribution.

Redistribution Settings    Description

Collector Name
  Enter a collector name (up to 255 alphanumeric characters) to identify the firewall or virtual system as a User-ID agent.

Pre-Shared Key/Confirm Pre-Shared Key
  Enter a pre-shared key (up to 255 alphanumeric characters) to identify the firewall or virtual system as a User-ID agent.

Manage Syslog Message Filters

Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog Filters
The User-ID agent uses Syslog Parse profiles to filter syslog messages sent from the syslog senders that you select for monitoring (see Configure Access to Monitored Servers). Each profile can parse syslog messages for either of the following event types, but not both:
• Authentication (login) events: Used to add IP address-to-username mappings to the firewall.
• Logout events: Used to delete user mappings that are no longer current. Deleting outdated mappings is useful in environments where IP address assignments change often.
Palo Alto Networks provides predefined Syslog Parse profiles through Applications content updates. To dynamically update the list of profiles as vendors develop new filters, schedule dynamic content updates (see Device > Dynamic Updates). The predefined profiles are global to the firewall, whereas the custom profiles you configure apply only to the virtual system (Location) selected in Device > User Identification > User Mapping.
Syslog messages must meet the following criteria for a User-ID agent to parse them:
• Each message must be a single-line text string. A newline (\n) or a carriage return plus a newline (\r\n) are the delimiters for line breaks.
• The maximum size for individual messages is 2,048 bytes.
• Messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets. A single packet might contain multiple messages.
To configure a custom profile, click Add and specify the settings described in the following table. The field descriptions in this table use a login event example from a syslog message with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:domain\johndoe_4 Source:192.168.0.212

The complete procedure to configure the User-ID agent to parse a syslog sender for user mapping information requires additional tasks besides creating a Syslog Parse profile.

Field: Description

Syslog Parse Profile: Enter a name for the profile (up to 63 alphanumeric characters).

Description: Enter a description for the profile (up to 255 alphanumeric characters).

Type: Specify the type of parsing for filtering the user mapping information:
- Regex Identifier: Use Event Regex, Username Regex, and Address Regex to specify regular expressions (regex) that describe search patterns for identifying and extracting user mapping information from syslog messages. The firewall uses the regex to match authentication or logout events in syslog messages and to match the usernames and IP addresses within matching messages.
- Field Identifier: Use the Event String, Username Prefix, Username Delimiter, Address Prefix, and Address Delimiter fields to specify strings for matching the authentication or logout event and for identifying the user mapping information in syslog messages.
The remaining fields in the dialog vary based on your selection. Configure the fields as described in the following rows.

Event Regex: Enter the regex for identifying successful authentication or logout events. For the example message used with this table, the regex (authentication\ success){1} extracts the first {1} instance of the string authentication success. The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character.

Username Regex: Enter the regex for identifying the username field in authentication success or logout messages. For the example message used with this table, the regex User:([a-zA-Z0-9\\\._]+) would match the string User:domain\johndoe_4 and extract domain\johndoe_4 as the username.

Address Regex: Enter the regex to identify the IP address portion of authentication success or logout messages. In the example message used with this table, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address Source:192.168.0.212 and adds 192.168.0.212 as the IP address in the username mapping.

Event String: Enter a matching string to identify authentication success or logout messages. For the example message used with this table, you would enter the string authentication success.

Username Prefix: Enter the matching string to identify the beginning of the username field within authentication or logout syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example message used with this table, User: identifies the start of the username field.

Username Delimiter: Enter the delimiter that marks the end of the username field within an authentication or logout message. Use \s to indicate a standalone space (as in the example message) and \t to indicate a tab.

Address Prefix: Enter a matching string to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example message used with this table, Source: identifies the start of the address field.

Address Delimiter: Enter the matching string that marks the end of the IP address field within authentication success or logout messages. For example, enter \n to indicate the delimiter is a line break.

Manage the User Ignore List

Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > User Ignore List

The ignore user list defines which user accounts don't require IP address-to-username mapping (for example, kiosk accounts). To configure the list, click Add and enter a username. You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\it-admin* matches all administrators in the corpdomain domain whose usernames start with the string it-admin. You can add up to 5,000 entries to exclude from user mapping.
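The following Python script is an added example, not Palo Alto Networks code, that walks through what the Syslog Parse profile table and the User Ignore List section above describe: it splits a packet into single-line messages and drops oversized ones, extracts a user mapping from the table's sample login event with both a Regex Identifier profile and a Field Identifier profile configured with the table's example values, and then drops mappings for users on the ignore list. Everything the page leaves unstated is a labelled assumption: how a message missing one field is treated, what a \n delimiter means once a line has been split off, and case handling in the ignore list.

```python
"""Added example (not Palo Alto Networks code) of the two Syslog Parse profile
types and the User Ignore List described above."""
import re
from typing import List, Optional, Tuple

MAX_MESSAGE_BYTES = 2048   # stated maximum size of one syslog message
MAX_IGNORE_ENTRIES = 5000  # stated maximum size of the User Ignore List

# Constructed sample: the login event quoted in the table above.
SAMPLE_MESSAGE = ("[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication "
                  "success User:domain\\johndoe_4 Source:192.168.0.212")


def split_messages(packet: str) -> List[str]:
    """One packet may carry several single-line messages delimited by \\n or
    \\r\\n; a line over 2,048 bytes is dropped as unparseable."""
    lines = [m for m in re.split(r"\r\n|\n", packet) if m]
    return [m for m in lines if len(m.encode("utf-8")) <= MAX_MESSAGE_BYTES]


class RegexProfile:
    """Type = Regex Identifier: Event Regex, Username Regex, Address Regex."""

    def __init__(self, event_regex: str, username_regex: str, address_regex: str):
        self.event = re.compile(event_regex)
        self.username = re.compile(username_regex)
        self.address = re.compile(address_regex)

    def parse(self, msg: str) -> Optional[Tuple[str, str]]:
        if not self.event.search(msg):
            return None  # not the event type this profile filters for
        user, addr = self.username.search(msg), self.address.search(msg)
        if not (user and addr):
            return None  # assumption: a message missing either field gives no mapping
        return user.group(1), addr.group(1)


class FieldProfile:
    """Type = Field Identifier: literal Event String, prefixes and delimiters.
    Per the table, the delimiter fields accept \\s, \\t and \\n as escapes."""

    _ESCAPES = {r"\s": " ", r"\t": "\t", r"\n": "\n"}

    def __init__(self, event_string: str, username_prefix: str, username_delimiter: str,
                 address_prefix: str, address_delimiter: str):
        self.event_string = event_string
        self.username_prefix = username_prefix
        self.username_delim = self._ESCAPES.get(username_delimiter, username_delimiter)
        self.address_prefix = address_prefix
        self.address_delim = self._ESCAPES.get(address_delimiter, address_delimiter)

    @staticmethod
    def _field(msg: str, prefix: str, delim: str) -> Optional[str]:
        start = msg.find(prefix)
        if start < 0:
            return None
        start += len(prefix)
        end = msg.find(delim, start)
        # After the line is split off, a \n delimiter is no longer present, so
        # the field runs to the end of the message (assumption).
        return msg[start:] if end < 0 else msg[start:end]

    def parse(self, msg: str) -> Optional[Tuple[str, str]]:
        if self.event_string not in msg:
            return None
        user = self._field(msg, self.username_prefix, self.username_delim)
        addr = self._field(msg, self.address_prefix, self.address_delim)
        return (user, addr) if user and addr else None


def validate_ignore_list(entries: List[str]) -> List[str]:
    """'*' is allowed only as the last character; at most 5,000 entries."""
    if len(entries) > MAX_IGNORE_ENTRIES:
        raise ValueError("too many User Ignore List entries")
    for entry in entries:
        if "*" in entry[:-1]:
            raise ValueError(f"wildcard must be the last character: {entry}")
    return entries


def is_ignored(username: str, ignore_list) -> bool:
    """Exact match (case-sensitive, an assumption) or a trailing-* prefix match."""
    for entry in ignore_list:
        if entry.endswith("*"):
            if username.startswith(entry[:-1]):
                return True
        elif username == entry:
            return True
    return False


def login_mappings(packet: str, profile, ignore_list=()) -> List[Tuple[str, str]]:
    """Mappings a login-type profile would add for one packet, minus ignored users."""
    mappings = []
    for msg in split_messages(packet):
        parsed = profile.parse(msg)
        if parsed and not is_ignored(parsed[0], ignore_list):
            mappings.append(parsed)
    return mappings


# Both profiles configured with the example values from the table above.
REGEX_PROFILE = RegexProfile(r"(authentication\ success){1}",
                             r"User:([a-zA-Z0-9\\\._]+)",
                             r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")
FIELD_PROFILE = FieldProfile("authentication success", "User:", r"\s", "Source:", r"\n")

if __name__ == "__main__":
    ignore = validate_ignore_list(["corpdomain\\it-admin*", "domain\\kiosk01"])
    print(login_mappings(SAMPLE_MESSAGE + "\n", REGEX_PROFILE, ignore))
    print(login_mappings(SAMPLE_MESSAGE + "\r\n", FIELD_PROFILE, ignore))
```

Both profiles yield the same mapping (domain\johndoe_4 at 192.168.0.212) from the sample event, while a message that does not carry the event text yields nothing, which is the filtering the page describes; a logout-type profile would be the same code with the mapping deleted instead of added.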

Monitor Servers

Device > User Identification > User Mapping

Use the Server Monitoring section to define the Microsoft Exchange Servers, Active Directory (AD) domain controllers, Novell eDirectory servers, or syslog senders that the User-ID agent monitors for login events.
- Configure Access to Monitored Servers
- Manage Access to Monitored Servers
- Include or Exclude Subnetworks for User Mapping

Configure Access to Monitored Servers

Use the Server Monitoring section to Add server profiles that specify the servers (up to 100) the firewall will monitor.

Note: The complete procedure to configure the PAN-OS integrated User-ID agent to monitor servers requires additional tasks besides creating server profiles.

Server Monitoring Settings: Description

Name: Enter a name for the server.

Description: Enter a description of the server.

Enabled: Select this option to enable log monitoring for this server.

Type: Select the server type. Your selection determines which other fields this dialog displays.

Network Address: Enter the server IP address or FQDN. This option doesn't apply if the Type is Novell eDirectory.

Server Profile (Novell eDirectory only): Select an LDAP server profile for connecting to the Novell eDirectory server (Device > Server Profiles > LDAP).

Connection Type (Syslog Sender only): Select whether the User-ID agent listens for syslog messages on the UDP port (514) or the SSL port (6514). If you select SSL, the Syslog Service Profile you select when you Enable Server Monitoring determines which SSL/TLS versions are allowed and the certificate that the firewall uses to secure a connection to the syslog sender.
Note: As a security best practice, select SSL when using the PAN-OS integrated User-ID agent to map IP addresses to usernames. If you select UDP, ensure that the syslog sender and client are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.

Filter (Syslog Sender only): If the server Type is Syslog Sender, then Add one or more Syslog Parse profiles to use for extracting usernames and IP addresses from the syslog messages received from this server. You can add a custom profile (see Manage Syslog Message Filters) or a predefined profile. For each profile, set the Event Type:
- login: The User-ID agent parses syslog messages for login events to create user mappings.
- logout: The User-ID agent parses syslog messages for logout events to delete user mappings that are no longer current. In networks where IP address assignment is dynamic, automatic deletion improves the accuracy of user mappings by ensuring that the agent maps each IP address only to the currently associated user.
Note: If you add a predefined Syslog Parse profile, check its name to determine whether it is intended to match login or logout events.

Default Domain Name: (Optional) If the server Type is Syslog Sender, enter a domain name to prepend to the username if the log entry has no domain name.

Manage Access to Monitored Servers

Perform the following tasks in the Server Monitoring section to manage access to the servers that the User-ID agent monitors for user mapping information.

Task: Description

Display server information: For each monitored server, the User Mapping page displays the Status of the connection from the User-ID agent to the server. After you Add a server, the firewall tries to connect to it. If the connection attempt is successful, the Server Monitoring section displays Connected in the Status column. If the firewall cannot connect, the Status column displays an error condition, such as Connection refused or Connection timeout.
For details on the other fields that the Server Monitoring section displays, see Configure Access to Monitored Servers.

Add: To Configure Access to Monitored Servers, Add each server that the User-ID agent will monitor for user mapping information.

Delete: To remove a server from the user mapping process (discovery), select the server and Delete it.
Tip: To remove a server from discovery without deleting its configuration, edit the server entry and clear Enabled.

Discover: You can automatically Discover Microsoft Active Directory domain controllers using DNS. The firewall will discover domain controllers based on the domain name entered in the Device > Setup > Management page, General Settings section, Domain field. After discovering a domain controller, the firewall creates an entry for it in the Server Monitoring list; you can then enable the server for monitoring.
Note: The Discover feature works for domain controllers only, not Exchange servers or eDirectory servers.

Include or Exclude Subnetworks for User Mapping

Device > User Identification > User Mapping

Use the Include/Exclude Networks list to define the subnetworks that the User-ID agent will include or exclude when performing IP address-to-username mapping (discovery). By default, if you don't add any subnetworks to the list, the User-ID agent performs discovery for user identification sources in all subnetworks except when using WMI probing for client systems that have public IPv4 addresses. (Public IPv4 addresses are those outside the scope of RFC 1918 and RFC 3927.)

To enable WMI probing for public IPv4 addresses, you must add their subnetworks to the list and set their Discovery option to Include. If you configure the firewall to redistribute user mapping information to other firewalls, the discovery limits you specify in the list will apply to the redistributed information. You can perform the following tasks on the Include/Exclude Networks list:

Task: Description

Add: To limit discovery to a specific subnetwork, Add a subnetwork profile and complete the following fields:
- Name: Enter a name to identify the subnetwork.
- Enabled: Select this option to enable inclusion or exclusion of the subnetwork for server monitoring.
- Discovery: Select whether the User-ID agent will Include or Exclude the subnetwork.
- Network Address: Enter the IP address range of the subnetwork.
The User-ID agent applies an implicit exclude-all rule to the list. For example, if you add subnetwork 10.0.0.0/8 with the Include option, the User-ID agent excludes all other subnetworks even if you don't add them to the list. Add entries with the Exclude option only if you want the User-ID agent to exclude a subset of the subnetworks you explicitly included. For example, if you add 10.0.0.0/8 with the Include option and add 10.2.50.0/22 with the Exclude option, the User-ID agent will perform discovery on all the subnetworks of 10.0.0.0/8 except 10.2.50.0/22, and will exclude all subnetworks outside of 10.0.0.0/8. If you add Exclude profiles without adding any Include profiles, the User-ID agent excludes all subnetworks, not just the ones you added.

Delete: To remove a subnetwork from the list, select and Delete it.
Tip: To remove a subnetwork from the Include/Exclude Networks list without deleting its configuration, edit the subnetwork profile and clear Enabled.

Custom Include/Exclude Network Sequence: By default, the User-ID agent evaluates the subnetworks in the order you add them, from top first to bottom last. To change the evaluation order, click Custom Include/Exclude Network Sequence. You can then Add, Delete, Move Up, or Move Down the subnetworks to create a custom evaluation order.
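The following Python script is an added example, not Palo Alto Networks code, that models the Include/Exclude Networks decision described above: the implicit exclude-all once any Include entry exists, Exclude entries carving a subset out of Included ranges, disabled entries being ignored, and the default that skips WMI probing of public IPv4 addresses (outside RFC 1918 and RFC 3927) when the list is empty. The page does not define how the evaluation order changes the outcome, so this model treats Include and Exclude matches as order-independent and does not reproduce the Custom Include/Exclude Network Sequence; the SubnetProfile class and the function names are this example's own.

```python
"""Added example (not Palo Alto Networks code) of the Include/Exclude Networks
decision for User-ID discovery, as described in the table above."""
import ipaddress
from dataclasses import dataclass
from typing import List

# RFC 1918 private ranges plus the RFC 3927 link-local range; an IPv4 address
# outside these is "public" for the WMI probing default.
NON_PUBLIC_IPV4 = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


@dataclass
class SubnetProfile:
    """One Include/Exclude Networks entry: Name, Enabled, Discovery, Network Address."""
    name: str
    enabled: bool
    discovery: str   # "Include" or "Exclude"
    network: str     # CIDR notation, for example "10.0.0.0/8"

    def contains(self, addr) -> bool:
        return addr in ipaddress.ip_network(self.network, strict=False)


def is_public_ipv4(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and not any(addr in net for net in NON_PUBLIC_IPV4)


def discovery_allowed(ip: str, profiles: List[SubnetProfile], wmi_probing: bool = False) -> bool:
    """True if the User-ID agent performs discovery for this address."""
    addr = ipaddress.ip_address(ip)
    active = [p for p in profiles if p.enabled]
    if not active:
        # Empty list: discover everywhere, except WMI probing of public IPv4.
        return not (wmi_probing and is_public_ipv4(ip))
    included = any(p.contains(addr) for p in active if p.discovery == "Include")
    excluded = any(p.contains(addr) for p in active if p.discovery == "Exclude")
    # Implicit exclude-all: only an Include match admits an address, and an
    # Exclude match removes it even inside an Included range.  An Exclude-only
    # list therefore excludes everything, as the page states.
    return included and not excluded


# The page's own worked example: include 10.0.0.0/8, exclude 10.2.50.0/22.
PAGE_EXAMPLE = [
    SubnetProfile("corp", True, "Include", "10.0.0.0/8"),
    SubnetProfile("guest-vlan", True, "Exclude", "10.2.50.0/22"),
]

if __name__ == "__main__":
    for ip in ("10.3.0.1", "10.2.51.1", "192.168.1.1"):
        print(ip, "discovered" if discovery_allowed(ip, PAGE_EXAMPLE) else "excluded")
    print("8.8.8.8 with WMI probing and empty list:",
          discovery_allowed("8.8.8.8", [], wmi_probing=True))
```

With the page's two entries, 10.3.0.1 is discovered, 10.2.51.1 (inside the excluded /22) and 192.168.1.1 (outside the included /8) are not; clearing Enabled on the Exclude entry restores discovery for the /22 without deleting it, which is the Tip above.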


Device > User Identification > Connection Security

Edit the User-ID Connection Security settings to select the certificate profile used by the firewall to validate the certificate presented by Windows User-ID agents. The firewall uses the selected certificate profile to verify the identity of the User-ID agent by validating the server certificate presented by the agent.

Task: Description

User-ID Certificate Profile: From the drop-down, select the certificate profile to use when authenticating Windows User-ID agents, or select New Certificate Profile to create a new certificate profile. Select None to remove the certificate profile and use default authentication instead.

Remove All (Template Configuration Only): Removes the certificate profile attached to the User-ID Connection Security configuration for the selected template.


Device > User Identification > User-ID Agents

To map usernames to IP addresses, User-ID agents monitor various sources, such as directory servers. The agents send the user mappings to firewalls, Log Collectors, or Panorama, and each of these appliances can then serve as a redistribution point that forwards the mappings to other firewalls, Log Collectors, or Panorama. For a firewall (Device > User Identification > User-ID Agents) or Panorama (Panorama > User Identification) to collect user mappings, you must configure its connections to the User-ID agents or redistribution points.

Note: To configure Dedicated Log Collectors to connect to User-ID agents or redistribution points, define User-ID Agent Settings. You cannot configure local Log Collectors to connect to User-ID agents or redistribution points.
Although you can configure a Log Collector or Panorama to redistribute user mappings, these devices cannot map IP addresses to usernames. Only Windows-based User-ID agents and PAN-OS integrated User-ID agents can perform user mapping.
The complete procedure to configure user mapping requires additional tasks besides configuring connections to User-ID agents.

- Configure Access to User-ID Agents
- Manage Access to User-ID Agents

Configure Access to User-ID Agents

Each firewall and Panorama management server can connect to a maximum of 100 User-ID agents or User-ID redistribution points (or a mixture of both). To add a connection, click Add and complete the following fields.

User-ID Agent Settings: Description

Name: Enter a descriptive name (up to 31 characters) for the User-ID agent or redistribution point. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Note: For a firewall or virtual system serving as a redistribution point, this field does not have to match the Collector Name field.

Add an Agent Using (firewall only): Select how the firewall identifies the User-ID agent or redistribution point:
- Serial Number: Select this option for a Panorama management server that redistributes User-ID mappings.
- Host and Port: Select this option for Windows-based User-ID agents or for firewalls, virtual systems, and Log Collectors that redistribute User-ID mappings.

Serial Number (firewall only): Select the Panorama management server that redistributes user mappings to the firewall. For high availability (HA) deployments, you can select the active Panorama (panorama) or the passive Panorama (panorama2).
Note: You do not need to specify the host, port, or other connection information because you defined these during initial configuration of the firewall.


Host:
- Windows-based User-ID agents: Enter the IP address of the Windows host on which the User-ID agent is installed.
- Firewall (PAN-OS integrated User-ID agent): Enter the IP address of the MGT interface or service route that the firewall uses to send user mappings. For the MGT interface, you can enter a hostname instead of the IP address.
- Log Collectors that redistribute user mappings: Enter the hostname or IP address of the interface that the Log Collector uses to send user mappings.

Port: Enter the port number on which the User-ID agent listens for User-ID requests. The default is 5007, but you can specify any available port, and different User-ID agents can use different ports.
Note: The default port for some earlier versions of the User-ID agent is 2010.

Collector Name / Collector Pre-Shared Key / Confirm Collector Pre-Shared Key: Enter the Collector Name and Pre-Shared Key that identify the firewall or virtual system as a User-ID agent. Enter the same values as when you configured the firewall or virtual system to redistribute user mappings (see Enable Redistribution of User Mappings Among Firewalls).
Note: The collector these fields refer to is the User-ID agent, not a Log Collector, and the fields are configurable only when the agent is a firewall or virtual system.

Use as LDAP Proxy (firewall only): Select this option to use this User-ID agent as a proxy for monitoring the directory server to map usernames to groups. To use this option, you must configure group mapping on the firewall (Device > User Identification > Group Mapping Settings). The firewall pushes that configuration to the User-ID agent to enable it to map usernames to groups.
This option is useful in deployments where the firewall cannot directly access the directory server. It is also useful in deployments that benefit from reducing the number of queries the directory server must process; multiple firewalls can receive the group mapping information from the cache on a single User-ID agent instead of requiring each firewall to query the server directly.

Use for NTLM Authentication (firewall only): Select this option to use this User-ID agent as a proxy for performing NT LAN Manager (NTLM) authentication when a client web request matches an Authentication policy rule. The User-ID agent monitors the domain controller for user mapping information and forwards the information to the firewall. To use this option, you must also Enable NTLM Authentication on the User-ID agent.
This option is useful in deployments where the firewall cannot directly access the domain controller to perform NTLM authentication. It is also useful in deployments that benefit from reducing the number of authentication requests the domain controller must process; multiple firewalls can receive the user mapping information from the cache on a single User-ID agent instead of requiring each firewall to query the domain controller directly.
Note: Configure Authentication rules to use Kerberos single sign-on instead of NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and does not require the firewall to have an administrative account to join the domain. For details on configuring the authentication methods for Authentication rules, see Objects > Authentication.

Enabled: Select this option to enable the firewall or Panorama to communicate with the User-ID agent or redistribution point.


Manage Access to User-ID Agents

Perform the following tasks for managing connections from the firewall to User-ID agents or redistribution points.

Task: Description

Display information / Refresh Connected: Select Device > User Identification > User-ID Agents or Panorama > User Identification to see whether the firewall or Panorama is connected to each User-ID agent or redistribution point. The Connected column displays a green icon to indicate a successful connection, a yellow icon to indicate a disabled connection, and a red icon to indicate a failed connection. If you think the connection status might have changed since you first viewed the status, Refresh Connected to update the status display.
For the other displayed fields, see Configure Access to User-ID Agents.

Add: Add and then Configure Access to User-ID Agents.

Delete: To remove the configuration that enables the firewall to connect to a User-ID agent or redistribution point, Delete the agent or redistribution point.
To disable access to a User-ID agent or redistribution point without deleting its configuration, edit it and clear the Enabled option.

Custom Agent Sequence: If you enable User-ID agents to perform NT LAN Manager (NTLM) authentication on behalf of the firewall, then by default the firewall communicates with the agents in the order you add them, from top to bottom (see how to Use for NTLM Authentication in Configure Access to User-ID Agents). To change the order in which the firewall communicates with agents, click Custom Agent Sequence, Add each agent, Move Up or Move Down agents to reposition them, and click OK.


Device > User Identification > Terminal Services Agents

On a system that supports multiple users who share the same IP address, a Terminal Services (TS) agent identifies individual users by allocating port ranges to each one. The TS agent informs every connected firewall of the allocated port range so that the firewalls can enforce policy based on users and user groups.
All firewall models can collect username-to-port mapping information from up to 5,000 multi-user systems. The number of TS agents from which a firewall can collect the mapping information varies by firewall model:
- VM-50, VM-100, VM-300, PA-200, PA-220, PA-500, PA-800 Series, PA-3020, and PA-3050 firewalls: maximum 400 TS agents
- VM-500, VM-700, PA-5020, PA-5050, PA-5060, PA-5200 Series, and PA-7000 Series firewalls: maximum 1,000 TS agents

Note: You must install and configure the TS agents before configuring access to them. The complete procedure to configure user mapping for terminal server users requires additional tasks besides configuring connections to TS agents.

You can perform the following tasks to manage access to TS agents.

Task: Description

Display information / Refresh Connected: In the Terminal Services Agents page, the Connected column displays the status of the connections from the firewall to the TS agents. A green icon indicates a successful connection, a yellow icon indicates a disabled connection, and a red icon indicates a failed connection. If you think the connection status might have changed since you first opened the page, click Refresh Connected to update the status display.

Add: To configure access to a TS agent, Add an agent and configure the following fields:
- Name: Enter a name to identify the TS agent (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
- Host: Enter the IP address of the terminal server where the TS agent is installed.
- Port: Enter the port number (default is 5009) that the TS agent service uses to communicate with the firewall.
- Alternative IP Addresses: If the terminal server where the TS agent is installed has multiple IP addresses that can appear as the source IP address for the outgoing traffic, Add and enter up to eight additional IP addresses.
- Enabled: Select this option to enable the firewall to communicate with this TS agent.

Delete: To remove the configuration that enables access to a TS agent, select the agent and click Delete.
To disable access to a TS agent without deleting its configuration, edit the agent and clear the Enabled option.


Device > User Identification > Group Mapping Settings

To base security policies and reports on users and user groups, the firewall retrieves the list of groups and the corresponding list of members specified and maintained on your directory servers. The firewall supports a variety of LDAP directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and the Sun ONE Directory Server.
The number of distinct user groups that each firewall or Panorama can reference across all policies varies by model:
- VM-50, VM-100, VM-300, PA-200, PA-220, PA-500, PA-800 Series, PA-3020, and PA-3050 firewalls: 1,000 groups
- VM-500, VM-700, PA-5020, PA-5050, PA-5060, PA-5200 Series, and PA-7000 Series firewalls, and all Panorama models: 10,000 groups
Before creating a group mapping configuration, you must configure an LDAP server profile (Device > Server Profiles > LDAP).

Note: The complete procedure to map usernames to groups requires additional tasks besides creating group mapping configurations.

Click Add and complete the following fields to create a group mapping configuration. To remove a group mapping configuration, select and Delete it. If you want to disable a group mapping configuration without deleting it, edit the configuration and clear the Enabled option.

Group Mapping Settings (Configured In): Description

Name (Device > User Identification > Group Mapping Settings): Enter a name to identify the group mapping configuration (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Server Profile (Device > User Identification > Group Mapping Settings > Server Profile): Select the LDAP server profile to use for group mapping on this firewall.

Update Interval: Specify the interval in seconds after which the firewall will initiate a connection with the LDAP directory server to obtain any updates that were made to the groups that firewall policies use (range is 60 to 86,400).


User Domain: By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS name.
Note: This field only affects the usernames and group names retrieved from the LDAP source. To override the domain associated with a username for user authentication, configure the User Domain and Username Modifier for the authentication profile you assign to that user (see Device > Authentication Profile).

Group Objects:
- Search Filter: Enter an LDAP query that specifies which groups to retrieve and track.
- Object Class: Enter a group definition. The default is objectClass=group, which specifies that the system retrieves all objects in the directory that match the group Search Filter and have objectClass=group.
- Group Name: Enter the attribute that specifies the group name. For example, in Active Directory, this attribute is CN (Common Name).
- Group Member: Enter the attribute that contains the group members. For example, in Active Directory, this attribute is member.

User Objects:
- Search Filter: Enter an LDAP query that specifies which users to retrieve and track.
- Object Class: Enter a user object definition. For example, in Active Directory, the objectClass is user.
- User Name: Enter the attribute for the username. For example, in Active Directory, the default username attribute is samAccountName.


Mail Domains: When the firewall receives a WildFire log for a malicious email, the email recipient information in the log is matched against user mapping information from the User-ID agent. The log contains a link to the user that, when clicked, displays the ACC filtered by the user. If the email is sent to a distribution list, the ACC is filtered by the members contained in the list.
The email header and user mapping information will help you quickly track and thwart threats that arrive through email by making it easier to identify the users who received the email.
- Mail Attributes: PAN-OS automatically populates this field based on the LDAP server type (Sun ONE, Active Directory, or Novell).
- Domain List: Enter the email domains in your organization as a comma-separated list of up to 256 characters.

Enabled: Select this option to enable the server profile for group mapping.

Available Groups / Included Groups (Device > User Identification > Group Mapping Settings > Group Include List): Use these fields to limit the number of groups that the firewall displays when you create a security rule. Browse the LDAP tree to find the groups you want to use in rules. To include a group, select it in the Available Groups list and Add it. To remove a group from the list, select it in the Included Groups list and Delete it.
The combined maximum for the Included Groups and Custom Group lists is 640 entries for each group mapping configuration.


Name / LDAP Filter (Device > User Identification > Group Mapping Settings > Custom Group): Create custom groups based on LDAP filters so that you can base firewall policies on user attributes that don't match existing user groups in the LDAP directory.
The User-ID service maps all the LDAP directory users who match the filter to the custom group. If you create a custom group with the same Distinguished Name (DN) as an existing Active Directory group domain name, the firewall uses the custom group in all references to that name (for example, in policies and logs). To create a custom group, click Add and configure the following fields:
- Name: Enter a custom group name that is unique in the group mapping configuration for the current firewall or virtual system.
- LDAP Filter: Enter a filter of up to 2,048 characters.
Note: Use only indexed attributes in the filter to expedite LDAP searches and minimize the performance impact on the LDAP directory server; the firewall does not validate LDAP filters.
The combined maximum for the Included Groups and Custom Group lists is 640 entries.
To delete a custom group, select and Delete it. To make a copy of a custom group, select and Clone it, and edit the fields as appropriate.
Note: After adding or cloning a custom group, you must Commit your changes before your new custom group is available in policies and objects.
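The following Python script is an added example, not Palo Alto Networks code, covering the LDAP filters used by both the Group Objects settings (Search Filter plus Object Class) and the Custom Group LDAP Filter above. Because the firewall does not validate LDAP filters, it applies the checks an administrator would want before a Commit: the 2,048-character limit, balanced parentheses, and attributes that are not in a list of indexed attributes you supply. It also shows RFC 4515 escaping for any value taken from outside the configuration before it is placed in a filter. Combining Object Class and Search Filter with a logical AND is an assumption about how the two fields are applied; the function names and the sample filters are this example's own.

```python
"""Added example (not Palo Alto Networks code): building and sanity-checking
the LDAP filters behind the Group Objects and Custom Group settings above."""
import re
from typing import Iterable, List

FILTER_MAX_CHARS = 2048  # stated limit for a custom group LDAP Filter

# Attribute name at the start of each filter item, e.g. "(cn=" or "(memberOf:1.2.840.113556.1.4.1941:=".
_ATTRIBUTE_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9;-]*)(?::dn)?(?::[A-Za-z0-9.]+)?[~<>]?=")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a filter, so that a value
    such as '*)(objectClass=*' cannot change the meaning of the filter."""
    return (value.replace("\\", r"\5c").replace("*", r"\2a")
                 .replace("(", r"\28").replace(")", r"\29").replace("\0", r"\00"))


def build_group_search(search_filter: str, object_class: str = "objectClass=group") -> str:
    """Group Objects: objects that match the Search Filter and also have the
    configured Object Class (assumed to combine as a logical AND)."""
    if not search_filter.startswith("("):
        search_filter = f"({search_filter})"
    return f"(&({object_class}){search_filter})"


def check_custom_group_filter(ldap_filter: str, indexed_attributes: Iterable[str] = ()) -> List[str]:
    """Pre-commit checks the firewall itself does not perform; returns a list
    of problems, empty when the filter passes."""
    issues = []
    if len(ldap_filter) > FILTER_MAX_CHARS:
        issues.append(f"filter is {len(ldap_filter)} characters; limit is {FILTER_MAX_CHARS}")
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                break
    if depth != 0 or not ldap_filter.startswith("("):
        issues.append("parentheses are unbalanced or the filter is not parenthesised")
    indexed = {a.lower() for a in indexed_attributes}
    if indexed:  # only report when the caller knows which attributes are indexed
        for attr in _ATTRIBUTE_RE.findall(ldap_filter):
            if attr.lower() not in indexed:
                issues.append(f"attribute '{attr}' is not indexed")
    return issues


if __name__ == "__main__":
    # Constructed samples for illustration only.
    print(build_group_search("(cn=vpn-*)"))
    print(check_custom_group_filter("(&(objectClass=user)(department=Finance))",
                                    indexed_attributes=["objectClass", "sAMAccountName", "cn"]))
    print(check_custom_group_filter("(&(objectClass=user)(department=Finance)"))
    print(f"(sAMAccountName={escape_filter_value('*)(objectClass=*')})")
```

The third call reports the missing closing parenthesis that the firewall would have accepted silently, and the last line shows how the escaped value stays a literal string rather than becoming a second filter item.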


Device > User Identification > Captive Portal Settings

Edit the Captive Portal Settings to configure the firewall to authenticate users whose traffic matches an Authentication policy rule.

Note: If Captive Portal will use an SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile), authentication profile (Device > Authentication Profile), or Certificate Profile (Device > Certificate Management > Certificate Profile), then configure the profile before you begin. The complete procedure to configure Captive Portal requires additional tasks besides configuring these profiles.
You must Enable Captive Portal to enforce Authentication policy (see Policies > Authentication).

Field: Description

Enable Captive Portal: Select this option to enable Captive Portal.

Idle Timer (min): Enter the user time-to-live (TTL) value in minutes for a Captive Portal session (range is 1 to 1,440; default is 15). This timer resets every time there is activity from a Captive Portal user. If idle time for a user exceeds the Idle Timer value, PAN-OS removes the Captive Portal user mapping and the user must log in again.

Timer (min): This is the maximum TTL in minutes, which is the maximum time that any Captive Portal session can remain mapped (range is 1 to 1,440; default is 60). After this duration elapses, PAN-OS removes the mapping and users must re-authenticate even if the session is active. This timer prevents stale mappings and overrides the Idle Timer value.
Note: You should always set the expiration Timer higher than the Idle Timer.

SSL/TLS Service Profile: To specify a firewall server certificate and the allowed protocols for securing redirect requests, select an SSL/TLS service profile (Device > Certificate Management > SSL/TLS Service Profile). If you select None, the firewall uses its local default certificate for SSL/TLS connections.
To transparently redirect users without displaying certificate errors, assign a profile associated with a certificate that matches the IP address of the interface to which you are redirecting web requests.

Authentication Profile: You can select an authentication profile (Device > Authentication Profile) to authenticate users when their traffic matches an Authentication policy rule (Policies > Authentication). However, the authentication profile you select in the Captive Portal Settings applies only to rules that reference one of the default authentication enforcement objects (Objects > Authentication). This is typically the case right after an upgrade to PAN-OS 8.0 because all Authentication rules initially reference the default objects. For rules that reference custom authentication enforcement objects, select the authentication profile when you create the object.


GlobalProtect Network Port for Inbound Authentication Prompts (UDP): Specify the port that GlobalProtect uses to receive inbound authentication prompts from multi-factor authentication (MFA) gateways (range is 1 to 65,536; default is 4,501). To support multi-factor authentication, a GlobalProtect client must receive and acknowledge UDP prompts that are inbound from the MFA gateway. When a GlobalProtect client receives a UDP message on the specified network port and the UDP message comes from a trusted firewall or gateway, GlobalProtect displays the authentication message (see Customize the GlobalProtect Agent).

Mode: Select how the firewall captures web requests for authentication:
- Transparent: The firewall intercepts web requests according to the Authentication rule and impersonates the original destination URL, issuing an HTTP 401 message to prompt the user to authenticate. However, because the firewall does not have the real certificate for the destination URL, the browser displays a certificate error to users attempting to access a secure site. Therefore, only use this mode when absolutely necessary, such as in Layer 2 or virtual wire deployments.
- Redirect: The firewall intercepts web requests according to the Authentication rule and redirects them to the specified Redirect Host. The firewall uses an HTTP 302 redirect to prompt the user to authenticate. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it requires that you enable response pages on the Interface Management profile assigned to the ingress Layer 3 interface (for details, see Network > Network Profiles > Interface Mgmt and Layer 3 Interface).
Another benefit of the Redirect mode is that it allows for session cookies, which enable the user to continue browsing to authenticated sites without requiring remapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they don't need to re-authenticate when their IP address changes as long as the session stays open.
Note: Redirect mode is required if Captive Portal uses Kerberos SSO or NTLM authentication because the browser provides credentials only to trusted sites. Redirect mode is also required if Captive Portal uses multi-factor authentication (MFA).

Session Cookie (Redirect mode only):
- Enable: Select this option to enable session cookies.
- Timeout: If you Enable session cookies, this timer specifies the number of minutes for which the cookie is valid (range is 60 to 10,080; default is 1,440).
- Roaming: Select this option to retain the cookie if the IP address changes while the session is active (such as when the client moves from a wired to a wireless network). The user must re-authenticate only if the cookie times out or the user closes the browser.

Redirect Host (Redirect mode only): Specify the intranet hostname that resolves to the IP address of the Layer 3 interface to which the firewall redirects web requests.


Certificate Profile: You can select a Certificate Profile (Device > Certificate Management > Certificate Profile) to authenticate users when their traffic matches any Authentication policy rule (Policies > Authentication).
For this authentication type, Captive Portal prompts the client browser of the user to present a client certificate. Therefore, you must deploy client certificates to each user system. Furthermore, on the firewall, you must install the certificate authority (CA) certificate that issued the client certificates and assign the CA certificate to the Certificate Profile. This is the only authentication method that enables transparent authentication for Mac OS and Linux clients.

NTLM Authentication: When you configure Captive Portal for NT LAN Manager (NTLM) authentication, the firewall uses an encrypted challenge-response mechanism to transparently obtain user credentials from the browser without prompting the user.
To invoke NTLM authentication, Authentication policy rules must specify an Authentication Enforcement object with the Authentication Method set to browser-challenge or default-browser-challenge (Objects > Authentication). If the object specifies an Authentication Profile with Kerberos single sign-on (SSO) enabled, the firewall first attempts Kerberos authentication before falling back to NTLM. If the browser cannot perform NTLM or if NTLM authentication fails, the firewall falls back to web-form or default-web-form as the Authentication Method.
By default, Internet Explorer supports NTLM. You can configure Firefox and Chrome to use it as well, but you cannot use NTLM to authenticate non-Windows clients.
Choose Kerberos SSO transparent authentication over NTLM authentication when configuring Captive Portal. Kerberos is a stronger, more robust authentication method than NTLM, and it does not require the firewall to hold an administrative account in order to join the domain.
These options apply only to the Windows-based User-ID agents. When using the PAN-OS integrated User-ID agent, the firewall must be able to successfully resolve the DNS name of your domain controller to join the domain. You can then Enable NTLM Authentication in the PAN-OS integrated User-ID agent setup and provide the credentials for the firewall to join the domain. NTLM is available only for Windows Server version 2003 and earlier versions.
To configure NTLM for use with Windows-based User-ID agents, define the following:
- Attempts: The number of attempts after which NTLM authentication fails (range is 1 to 60; default is 1).
- Timeout: The number of seconds after which NTLM authentication times out (range is 1 to 60; default is 2).
- Reversion Time: The number of seconds after which the firewall will retry contacting the first User-ID agent listed (in Device > User Identification > User-ID Agents) after that agent becomes unavailable (range is 60 to 3,600; default is 300).



GlobalProtect

GlobalProtect provides a complete infrastructure for managing your mobile workforce to enable secure access for all of your users, regardless of what devices they are using or where they are located. The following firewall web interface pages allow you to configure and manage GlobalProtect components:
- Network > GlobalProtect > Portals
- Network > GlobalProtect > Gateways
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Block List
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Objects
- Objects > GlobalProtect > HIP Profiles
- Device > GlobalProtect Client

Looking for more? See the GlobalProtect Administrator's Guide to learn more about GlobalProtect, including details on setting up the GlobalProtect infrastructure, how to use host information to enforce policy, and step-by-step instructions for configuring common GlobalProtect deployments.


Network > GlobalProtect > Portals

Select Network > GlobalProtect > Portals to set up and manage a GlobalProtect portal. The portal provides the management functions for the GlobalProtect infrastructure. Every endpoint that participates in the GlobalProtect network receives its configuration from the portal, including information about the available gateways and any client certificates that might be necessary for the client to connect to a gateway. In addition, the portal controls the behavior and distribution of the GlobalProtect agent software to Mac and Windows laptops. (For mobile devices, the GlobalProtect app is distributed through the Apple App Store for iOS devices, through Google Play for Android devices, and through the Microsoft Store for Windows Phone and other Windows UWP devices; for Chromebooks, the GlobalProtect app is distributed by the Chromebook Management Console or through Google Play.)
To add a portal configuration, click Add to open the GlobalProtect Portal dialog.

What are you looking for?
- What general settings should I configure for the GlobalProtect portal? See General Tab.
- How can I assign an authentication profile to a portal configuration? See Authentication Configuration Tab.
- What client authentication options can I configure? See Authentication Tab.
- How can I assign a configuration to a specific group of devices based on operating system, user, and/or user group? See User/User Group Tab.
- How can I configure the settings and priority of the internal gateways? See Internal Tab.
- How can I configure the settings and priority of the external gateways? See External Tab.
- How can I create separate client configurations for different types of users? See Agent Configuration Tab.
- What settings can I customize on the look and behavior of the GlobalProtect agent? See App Tab.
- How can I configure data collection options? See Data Collection Tab.
- How can I configure the GlobalProtect portal to allow access to web applications without installing a GlobalProtect client? See Clientless Configuration Tab.
- How can I extend VPN connectivity to a firewall which acts as a satellite? See Satellite Configuration Tab.

Looking for more? For detailed, step-by-step instructions on setting up the portal, refer to Configure a GlobalProtect Portal in the GlobalProtect Administrator's Guide.


General Tab

Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > General to define the network settings that an agent or app uses to connect to the GlobalProtect portal. Optionally, you can disable the login page or specify custom portal login and help pages for GlobalProtect. For information on how to create and import custom pages, refer to Customize the Portal Login, Welcome, and Help Pages in the GlobalProtect Administrator's Guide.

GlobalProtect Portal Settings

Name: Type a name for the portal (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location: For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the GlobalProtect portal is available. For a firewall that is not in multi-vsys mode, Location selection is not available. After you save the portal, you cannot change Location.

Network Settings

Interface: Select the name of the firewall interface that will be the ingress for communications from remote clients and firewalls.

IP Address: Specify the IP address on which to run the GlobalProtect portal web service. Select the IP Address Type and then enter the IP Address.
- The IP address type can be IPv4 (for IPv4 traffic only), IPv6 (for IPv6 traffic only), or IPv4 and IPv6. Use IPv4 and IPv6 if your network supports dual-stack configurations, where IPv4 and IPv6 run at the same time.
- The IP address must be compatible with the IP address type. For example, 172.16.1.0 for IPv4 or 21DA:D3:0:2F3b for IPv6.
- If you choose IPv4 and IPv6, enter the appropriate IP address type for each.

Appearance

Portal Login Page: (Optional) Choose a custom login page for user access to the portal. You can select the factory-default page or Import a custom page. The default is None. To prevent access to this page from a web browser, Disable this page.

Portal Landing Page: (Optional) Choose a custom landing page for the portal. You can select the factory-default page or Import a custom page. The default is None.

App Help Page: (Optional) Choose a custom help page to assist the user with GlobalProtect. You can select the factory-default page or Import a custom page. The default is None.


Authentication Configuration Tab

Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Authentication to configure several different types of GlobalProtect portal settings:
- An SSL/TLS service profile that the portal uses to authenticate itself to connecting clients (server authentication). The service profile is independent of the other settings in Authentication.
- Unique client authentication schemes that are based primarily on the operating system of the user endpoints and secondarily on an optional authentication profile.
- (Optional) A Certificate Profile, which enables GlobalProtect to use a specific certificate profile for authenticating the user. The certificate from the client must match the certificate profile (if client certificates are part of the security scheme).

GlobalProtect Portal Authentication Settings

Server Authentication

SSL/TLS Service Profile: Select an existing SSL/TLS Service profile. The profile specifies the certificate the portal presents and the TLS protocol versions it allows for traffic to the portal interface. The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate associated with the profile must match the IP address or fully qualified domain name (FQDN) of the Interface selected in the General tab. Current browsers ignore the CN once a SAN extension is present, so put the portal FQDN in the SAN rather than relying on the CN alone.
In GlobalProtect VPN configurations, use a profile associated with a certificate from a trusted, third-party CA or a certificate that your internal enterprise CA generated.

Client Authentication

Name: Enter a name to identify the client authentication configuration. (The client authentication configuration is independent of the SSL/TLS service profile.)
You can create multiple client authentication configurations and differentiate them primarily by operating system and additionally by unique authentication profiles (for the same OS). For example, you can add client authentication configurations for different operating systems but also have different configurations for the same OS that are differentiated by unique authentication profiles. (You should manually order these profiles from most specific to most general. For example, all users and any OS is the most general.)
You can also create configurations that GlobalProtect deploys to agents in pre-logon mode (before the user has logged in to the system) or that it applies to any user. (Pre-logon establishes a VPN tunnel to a GlobalProtect gateway before the user logs in to GlobalProtect.)

OS: To deploy a client authentication profile specific to the operating system (OS) on an endpoint, Add the OS (Any, Android, Chrome, iOS, Mac, Windows, or WindowsUWP). The OS is the primary differentiator between configurations. (See Authentication Profile for further differentiation.)
The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite (LSVPN).


Authentication Profile: In addition to distinguishing a client authentication configuration by an OS, you can further differentiate by specifying an authentication profile. (You can create a New Authentication Profile or select an existing one.) To configure multiple authentication options for an OS, you can create multiple client authentication profiles.
If you are configuring an LSVPN in Gateways, you cannot save that configuration unless you select an authentication profile here. Also, if you plan to use serial numbers to authenticate satellites, the portal must have an authentication profile available when it cannot locate or validate a firewall serial number.
See also Device > Authentication Profile.

Authentication Message: To help end users know the type of credentials they need for logging in, enter a message or keep the default message. The maximum length of the message is 100 characters.

Certificate Profile

Certificate Profile: (Optional) Select the Certificate Profile the portal uses to match those client certificates that come from user endpoints. With a Certificate Profile, the portal authenticates the user only if the certificate from the client matches this profile.
The certificate profile is independent of the OS. Also, this profile is active even if you enable Authentication Override, which overrides the Authentication Profile to allow authentication using encrypted cookies.
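The CN/SAN requirement stated for the SSL/TLS Service Profile applies equally to the Address of every internal and external gateway (Internal and External tabs): whatever name or IP the endpoint is told to connect to must appear in that server's certificate, or the client sees a certificate error. The following Python is an added example, not part of this guide and not PAN-OS code, that implements the check over certificates in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns; the certificates and addresses in it are constructed, and the wildcard rules follow RFC 6125.

```python
"""Check that the certificate behind an SSL/TLS Service Profile (or a gateway's
server certificate) covers the address endpoints will use.

Added example for this guide, not PAN-OS code. The certificate dictionaries
follow the shape that Python's ssl.SSLSocket.getpeercert() returns, so the same
check can be run against a live portal by swapping in a real getpeercert()
result; the sample certificates below are constructed.
"""
import ipaddress


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: a wildcard may replace only the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject "*.com", "f*o.example.com" and wildcard matches across label boundaries.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert):
    """Return (dns_names, ip_names). The CN is consulted only when no SAN extension exists."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if not san:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return dns_names, ip_names


def cert_covers_address(cert, address):
    """True if the FQDN or IP configured as portal Interface/gateway Address is named in the cert."""
    dns_names, ip_names = names_in_cert(cert)
    try:
        wanted = ipaddress.ip_address(address)
    except ValueError:  # not an IP literal, treat it as a DNS name
        return any(dns_name_matches(name, address) for name in dns_names)
    return any(ipaddress.ip_address(name) == wanted for name in ip_names)


def audit_addresses(cert, addresses):
    """Map each configured address to whether this certificate would be accepted for it."""
    return {address: cert_covers_address(cert, address) for address in addresses}


# Constructed sample certificates (not real), in getpeercert() shape.
CERT_WITH_SAN = {
    "subject": ((("commonName", "gp.example.com"),),),
    "subjectAltName": (
        ("DNS", "gp.example.com"),
        ("DNS", "*.gw.example.com"),
        ("IP Address", "203.0.113.10"),
    ),
}
CERT_CN_ONLY = {"subject": ((("commonName", "gp.example.com"),),)}
# SAN present but it names a different host: the CN must not rescue it.
CERT_SAN_MISMATCH = {
    "subject": ((("commonName", "gp.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),),
}

if __name__ == "__main__":
    checks = ["gp.example.com", "eu.gw.example.com", "203.0.113.11"]
    for address, ok in audit_addresses(CERT_WITH_SAN, checks).items():
        print(f"{address}: {'ok' if ok else 'MISMATCH, clients will get a certificate error'}")
```

Run the audit once per portal interface and once per gateway Address after renewing any certificate; a renewal that drops a SAN entry is the usual way a previously working gateway starts producing certificate errors.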


Agent Configuration Tab

Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent to define the agent configuration settings. The GlobalProtect portal deploys the configuration to the device after the connection is first established.
You can also specify that the portal automatically deploy trusted root certificate authority (CA) certificates and intermediate certificates. If the endpoints do not trust the server certificates that the GlobalProtect gateways and GlobalProtect Mobile Security Manager are using, the endpoints need these certificates to establish HTTPS connections to the gateways or Mobile Security Manager. The portal pushes the certificates you specify here to the client along with the client configuration.
To add a trusted root CA certificate, Add an existing certificate or Import a new one. To install (transparently) the trusted root CA certificates that are required for SSL Forward Proxy decryption in the certificate store on the client, select Install in Local Root Certificate Store.
If you have different types of users that require different configurations, you can create separate agent configurations to support them. The portal subsequently uses the user or group name and OS of the client to determine the agent configuration to deploy. As with security rule evaluations, the portal looks for a match, starting from the top of the list. When the portal finds a match, it delivers the corresponding configuration to the agent/app. Therefore, if you have multiple agent configurations, it is important to order them so that more specific configurations (configurations for specific users or operating systems) are above the more generic configurations. Use Move Up and Move Down to reorder the configurations. As needed, Add a new agent configuration. For detailed information on configuring the portal and creating agent configurations, refer to GlobalProtect Portals in the GlobalProtect Administrator's Guide. When you Add a new agent configuration or modify an existing one, the agent Configs dialog opens and displays the following tabs, which are described in the following tables:
- Authentication Tab
- User/User Group Tab
- Internal Tab
- External Tab
- App Tab
- Data Collection Tab


Authentication Tab

Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > Authentication to configure the authentication settings that apply to the agent configuration.

GlobalProtect Portal Client Authentication Configuration Settings

Authentication Tab

Name: Enter a descriptive name for this configuration for client authentication.

Client Certificate: (Optional) Select the source that distributes the client certificate to a client, which then presents the certificate to the gateways. A client certificate is required if you are configuring mutual SSL authentication.
If SCEP is configured for pre-logon in the portal client configuration, the portal generates a machine certificate that is stored in the system certificate store for gateway authentication and connections.
To use a certificate that is Local to the firewall instead of a generated certificate from the PKI through SCEP, select a certificate that is already uploaded to the firewall.
If you use an internal CA to distribute certificates to clients, select None (default). When you select None, the portal does not push a certificate to the client.

Save User Credentials: Select Yes to save the username and password on the agent, or select No to force users to provide the password each time they connect, either transparently via the client or by entering it manually. Select Save Username Only to save only the username each time a user connects.

Authentication Override

Generate cookie for authentication override: Select this option to configure the portal to generate encrypted, endpoint-specific cookies. The portal sends this cookie to the endpoint after the user first authenticates with the portal.

Accept cookie for authentication override: Select this option to configure the portal to authenticate clients through a valid, encrypted cookie. When the endpoint presents a valid cookie, the portal verifies that the cookie was encrypted by the portal, decrypts the cookie, and then authenticates the user.

Cookie Lifetime: Specify the hours, days, or weeks that the cookie is valid. The typical lifetime is 24 hours. The ranges are 1 to 72 hours, 1 to 52 weeks, or 1 to 365 days. After the cookie expires, the user must enter login credentials and the portal subsequently encrypts a new cookie to send to the user endpoint.

Certificate to Encrypt/Decrypt Cookie: Select the certificate to use for encrypting and decrypting the cookie. Ensure that the portal and gateways use the same certificate to encrypt and decrypt cookies; a gateway holding a different certificate cannot validate the portal's cookie and falls back to prompting the user. (Configure the certificate as part of a gateway client configuration. See Network > GlobalProtect > Gateways.)


Components that Require Dynamic Passwords (Two-Factor Authentication)

To configure GlobalProtect to support dynamic passwords such as one-time passwords (OTPs), specify the portal or gateway types that require users to enter dynamic passwords. Where two-factor authentication is not enabled, GlobalProtect uses regular authentication using login credentials (such as AD) and a certificate.
When you enable a portal or a gateway type for two-factor authentication, that portal or gateway prompts the user after initial portal authentication to submit credentials and a second OTP (or other dynamic password).
However, if you also enable authentication override, an encrypted cookie is used to authenticate the user (after the user is first authenticated for a new session) and, thus, preempts the requirement for the user to re-enter credentials (as long as the cookie is valid). Therefore, the user is transparently logged in whenever necessary as long as the cookie is valid. You specify the lifetime of the cookie; the longer it is, the longer a stolen cookie remains usable on the endpoint it is bound to.

Portal: Select this option to use dynamic passwords to connect to the portal.

Internal gateways-all: Select this option to use dynamic passwords to connect to internal gateways.

External gateways-manual only: Select this option to use dynamic passwords to connect to external gateways that are configured as Manual gateways.

External gateways-auto discovery: Select this option to use dynamic passwords to connect to any remaining external gateways that the agent can automatically discover (gateways which are not configured as Manual).
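The following Python is an added illustration of the cookie flow described in the Authentication Override and dynamic-password entries above (the portal generates an endpoint-specific, encrypted cookie after the first OTP login; portal and gateways accept it until its lifetime ends; a gateway with a different key rejects it). It is not PAN-OS code and does not reproduce the PAN-OS cookie format: COOKIE_KEY stands in for the shared certificate, the HMAC-based encryption and the claim names are this example's own choices, and all inputs are constructed.

```python
"""Endpoint-bound authentication override cookie, as issued by the portal and
accepted by the portal or a gateway.

Added illustration of the mechanism the Authentication Override fields describe;
it is not the PAN-OS cookie format. Confidentiality comes from an HMAC-SHA256
keystream and integrity from a second HMAC (encrypt-then-MAC) so it runs on the
standard library alone. COOKIE_KEY stands in for the certificate chosen under
"Certificate to Encrypt/Decrypt Cookie": the portal and every gateway must hold
the same one, otherwise the gateway rejects the cookie.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

NONCE_LEN, TAG_LEN = 16, 32
LIFETIME_RANGES = {"hours": (1, 72, 3600), "days": (1, 365, 86400), "weeks": (1, 52, 604800)}
COOKIE_KEY = secrets.token_bytes(32)  # assumption: distributed to portal and gateways


def cookie_lifetime_seconds(value, unit):
    """Validate a Cookie Lifetime against the field's ranges and convert it to seconds."""
    low, high, multiplier = LIFETIME_RANGES[unit]
    if not low <= value <= high:
        raise ValueError(f"{value} {unit} is outside the allowed range {low}-{high}")
    return value * multiplier


def _subkey(key, label):
    """Derive separate encryption and MAC keys from the one shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a fresh random nonce per cookie keeps streams distinct."""
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return blocks[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def issue_cookie(key, username, endpoint_id, lifetime_seconds, now=None):
    """Portal side: called once, after the user's initial (for example OTP) authentication."""
    now = int(time.time()) if now is None else now
    claims = {"user": username, "endpoint": endpoint_id, "exp": now + lifetime_seconds}
    plaintext = json.dumps(claims).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext)))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def accept_cookie(key, cookie, endpoint_id, now=None):
    """Gateway or portal side: return the username, or None for any invalid cookie."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, or encrypted by a portal holding a different certificate
    plaintext = _xor(ciphertext, _keystream(_subkey(key, b"enc"), nonce, len(ciphertext)))
    try:
        claims = json.loads(plaintext)
    except ValueError:
        return None
    if claims.get("endpoint") != endpoint_id:
        return None  # cookie copied to another endpoint
    if claims.get("exp", 0) <= now:
        return None  # lifetime over: user must log in again and get a fresh cookie
    return claims.get("user")


if __name__ == "__main__":
    cookie = issue_cookie(COOKIE_KEY, "alice", "laptop-17", cookie_lifetime_seconds(24, "hours"))
    print(accept_cookie(COOKIE_KEY, cookie, "laptop-17"))   # alice
    print(accept_cookie(COOKIE_KEY, cookie, "laptop-18"))   # None: bound to another endpoint
```

Every rejection path returns None rather than raising, so a malformed or replayed cookie simply falls through to the normal credential and OTP prompt, which is the behaviour the table describes for an expired cookie.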


User/User Group Tab

Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > User/User Group to specify the operating systems and users or user groups to which this agent configuration applies. If this agent configuration cannot accommodate all combinations of operating systems and user capabilities, consider adding another agent configuration. If you have multiple agent configurations that are differentiated by operating systems and users or user groups, the most specific configurations should be at the top of the table in Agent and the most general (such as any OS and a broad group membership) at the bottom. You can move an agent configuration up or down as needed.
For groups, the only supported type of authentication service is LDAP.

GlobalProtect Portal Client User/User Group Configuration Settings

OS: A user or group member can have multiple devices whose operating systems differ from each other (for example, a user with one endpoint running Windows OS and another endpoint running Mac OS). The portal can provide configurations that are specific to the OS on each endpoint. For the current agent configuration, you can Add one or more client operating systems to specify which clients receive the configuration. A portal automatically learns the OS of the client device and incorporates details for that OS in the client configuration. You can select Any OS or a specific OS (Android, Chrome, iOS, Mac, Windows, or WindowsUWP); you can also select more than one OS.
The information in User/User Groups describes how you can further differentiate by selection of users, user groups, and the choice of any, pre-logon, or select.

User/User Group: You can Add individual users or user groups to which the current agent configuration applies.
You must configure group mapping (Device > User Identification > Group Mapping Settings) before you can select the groups.
In addition to users and groups, you can use the drop-down to specify when these settings apply to the users or groups:
- any: The agent configuration applies to all users (no need to Add users or user groups).
- select: The agent configuration applies only to users and user groups you Add to this list.
- pre-logon: The agent configuration applies only to the users and user groups you Add that also are configured for pre-logon or pre-logon-then-on-demand. The pre-logon option applies to pre-logon users before they log in to their system. To use the pre-logon option, you must also enable a pre-logon (or pre-logon-then-on-demand) Connect Method in the App tab for this agent configuration. If you specify a pre-logon Connect Method but specify any users or groups, the configuration applies to pre-logon users before and after they log in.


Internal Tab

Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > Internal to configure the settings for internal gateways for an agent configuration.

GlobalProtect Portal Internal Settings

Internal Host Detection

Internal Host Detection: Select this option to allow the GlobalProtect agent to determine if it is inside the enterprise network. This option applies only to endpoints that are configured to communicate with internal gateways.
When the user attempts to log in, the agent does a reverse DNS lookup of the specified IP Address and checks that it resolves to the specified Hostname. The host serves as a reference point that is resolvable only if the endpoint is inside the enterprise network, so the PTR record must exist on your internal DNS servers and not be published externally. If the lookup returns the expected hostname, the endpoint is inside the network and the agent connects to an internal gateway; if the lookup fails or returns a different name, the endpoint is outside the network and the agent establishes a tunnel to one of the external gateways.
- The IP address type can be IPv4 (for IPv4 traffic only), IPv6 (for IPv6 traffic only), or both. Use IPv4 and IPv6 if your network supports dual-stack configurations, where IPv4 and IPv6 run at the same time.
- The IP address must be compatible with the IP address type. For example, 172.16.1.0 for IPv4 or 21DA:D3:0:2F3b for IPv6.
- If you choose IPv4 and IPv6, enter the appropriate IP address type for each.

Hostname: Enter the Hostname that resolves to the IP address within the internal network (the name that a reverse lookup of the IP Address returns on the internal DNS servers).

Internal Gateways

Specify the internal gateways to which an agent or app can request access and also provide HIP reports (if HIP is enabled in the Data Collection Tab). Add internal gateways that include the following information for each:
- Name: A label of up to 31 characters to identify the gateway. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
- Address: The IP address or FQDN of the firewall interface for the gateway. This value must match the Common Name (CN) and SAN (if specified) in the gateway server certificate. For example, if you used an FQDN to generate the certificate, you must enter the FQDN here.
- Source Address: A source address or address pool for client devices. When users connect, GlobalProtect recognizes the source address of the device. Only the GlobalProtect agents with IP addresses that are included in the source address pool can authenticate with this gateway and send HIP reports.
- DHCP Option 43 Code: (Windows and Mac only) DHCP sub-option codes for gateway selection. Specify one or more sub-option codes (in decimal). The GlobalProtect agent reads the gateway address from values defined by the sub-option codes.


External Tab

Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > External to configure the settings for external gateways for an agent configuration.

GlobalProtect Portal External Settings

Cutoff Time (sec): Specify the number of seconds that an agent or app waits for all of the available gateways to respond before it selects the best gateway. For subsequent connection requests, the agent or app tries to connect to only those gateways that responded before the cutoff. A value of 0 means the agent or app uses the TCP Connection Timeout in App Configurations in the App tab (range is 0 to 10; default is 5).

External Gateways

Specify the list of firewalls to which agents can try to connect when establishing a tunnel while not on the corporate network. Add external gateways that include the following information for each:
- Name: A label of up to 31 characters to identify the gateway. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
- Address: The IP address or FQDN of the firewall interface where the gateway is configured. The value must match the CN (and SAN if specified) in the gateway server certificate. For example, if you used an FQDN to generate the certificate, you must also enter the FQDN here.
- Source Region: Source region for client devices. When users connect, GlobalProtect recognizes the device region and only allows users to connect to gateways that are configured for that region. For gateway choices, source region is considered first, then gateway priority.
- Priority: Select a value (Highest, High, Medium, Low, Lowest, or Manual only) to help the agent determine which gateway to use. The agent will contact all specified gateways (except those with a priority of Manual only) and establish a tunnel with the firewall that provides the fastest response and the highest priority value. Manual only prevents the GlobalProtect agent from attempting to connect to this gateway when Auto Discovery is enabled on the client.
- Manual: Select this option to let users manually select (or switch to) a gateway. The GlobalProtect agent can connect to any external gateway that is configured as Manual. When the agent or app connects to another gateway, the existing tunnel is disconnected and a new tunnel established. The manual gateways can also have a different authentication mechanism than the primary gateway. If a client system is restarted or if a rediscovery is performed, the GlobalProtect agent connects to the primary gateway. This feature is useful if a group of users needs to connect temporarily to a specific gateway to access a secure segment of your network.

Third Party VPN

Third Party VPN: To direct the GlobalProtect agent or app to ignore selected, third-party VPN clients so that GlobalProtect does not conflict with them, Add the name of the VPN client: select the name from the list, or enter the name in the field provided. GlobalProtect ignores the route settings for the specified VPN clients if you configure this feature.
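An added example, not GlobalProtect code, of the agent-side decisions the Internal and External tabs describe: internal host detection by reverse DNS, then external gateway choice by source region, priority and response time within the Cutoff Time. The reverse-DNS resolver and the probe timings are injected so it runs offline; the gateway list is constructed, and the ordering it applies (region filter, then highest priority, with response time deciding ties and Manual only gateways excluded from auto discovery) is this example's reading of the text rather than a published algorithm.

```python
"""Agent-side gateway choice as described in the Internal and External tabs.

Added example, not GlobalProtect code. The DNS resolver and the probe timings
are injected so the logic runs offline; region, then priority, then response
time is this example's reading of the text, not a published algorithm.
"""
from dataclasses import dataclass

PRIORITY_RANK = {"Highest": 0, "High": 1, "Medium": 2, "Low": 3, "Lowest": 4}


@dataclass
class ExternalGateway:
    name: str
    address: str
    source_regions: tuple   # empty tuple means any region (assumption)
    priority: str           # a PRIORITY_RANK key or "Manual only"
    manual: bool = False


def is_internal(internal_ip, internal_hostname, reverse_lookup):
    """Internal host detection: the reverse lookup of the IP must yield the configured name.

    reverse_lookup(ip) returns a hostname or raises OSError; in production it can be
    lambda ip: socket.gethostbyaddr(ip)[0], since socket.herror is an OSError subclass.
    """
    try:
        found = reverse_lookup(internal_ip)
    except OSError:
        return False  # no PTR record from where we are: treat as outside the network
    return found.lower().rstrip(".") == internal_hostname.lower().rstrip(".")


def choose_external_gateway(gateways, client_region, response_times, cutoff_seconds, tcp_timeout):
    """Pick the auto-discovery gateway: region filter, then priority, then fastest response."""
    limit = cutoff_seconds if cutoff_seconds > 0 else tcp_timeout  # 0 falls back to the TCP timeout
    candidates = []
    for gw in gateways:
        if gw.priority == "Manual only":
            continue  # only reachable by an explicit user choice
        if gw.source_regions and client_region not in gw.source_regions:
            continue
        rtt = response_times.get(gw.name)
        if rtt is None or rtt > limit:
            continue  # did not answer before the cutoff
        candidates.append((PRIORITY_RANK[gw.priority], rtt, gw))
    if not candidates:
        return None
    candidates.sort(key=lambda c: (c[0], c[1]))
    return candidates[0][2]


def manual_gateways(gateways):
    """Gateways the user may switch to by hand, regardless of discovery results."""
    return [gw for gw in gateways if gw.manual]


# Constructed sample configuration (not a real deployment).
GATEWAYS = [
    ExternalGateway("gw-us-1", "gw-us-1.example.com", ("US",), "Highest"),
    ExternalGateway("gw-us-2", "gw-us-2.example.com", ("US",), "High"),
    ExternalGateway("gw-eu-1", "gw-eu-1.example.com", ("EU",), "Highest"),
    ExternalGateway("gw-lab", "gw-lab.example.com", (), "Manual only", manual=True),
]
INTERNAL_IP, INTERNAL_NAME = "10.1.1.10", "gp-probe.corp.example.com"


def fake_reverse_lookup(table):
    """Stand-in resolver backed by a dict, so the check runs without a network."""
    def lookup(ip):
        if ip not in table:
            raise OSError("no PTR record")
        return table[ip]
    return lookup


if __name__ == "__main__":
    inside = is_internal(INTERNAL_IP, INTERNAL_NAME, fake_reverse_lookup({}))
    if inside:
        print("internal network: connect to an internal gateway")
    else:
        probes = {"gw-us-1": 0.9, "gw-us-2": 0.2, "gw-eu-1": 0.1}   # constructed timings
        chosen = choose_external_gateway(GATEWAYS, "US", probes, cutoff_seconds=5, tcp_timeout=5)
        print("external network: connect to", chosen.name if chosen else "no gateway")
```

The resolver is injected deliberately: the one security-relevant failure of internal host detection is a PTR record that also resolves from the Internet (or from a hostile network), which makes the agent believe it is inside and skip the tunnel, and that case is easiest to test with a table you control.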


App Tab

Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > App to specify how end users interact with the GlobalProtect agents installed on their systems. You can define different app settings for the different GlobalProtect agent configurations you create.

GlobalProtect App Configuration Settings

Welcome Page: Select a welcome page to present to end users after they connect to GlobalProtect. You can select the factory-default page or Import a custom page. The default is None.

App Configurations

Connect Method:
- On-demand (Manual user initiated connection): Users must launch the GlobalProtect agent or app and then initiate a connection to the portal and enter their GlobalProtect credentials. This option is used primarily for remote access connections.
- User-logon (Always On): The GlobalProtect agent or app automatically establishes a connection to the portal after the user logs in to an endpoint. The portal responds by providing the client with the appropriate agent configuration. Subsequently, the agent sets up a tunnel to one of the gateways specified in the agent configuration received from the portal.
- Pre-logon: Pre-logon ensures remote Windows and Mac users are always connected to the corporate network and enables user logon scripts and application of domain policies when the user logs in to the endpoint. Because the endpoint can connect to the corporate network as if it were internal, users can log in with new passwords when their passwords expire or receive help with password recovery if they forget their password. With pre-logon, the GlobalProtect agent establishes a VPN tunnel to a GlobalProtect gateway before the user logs in to the endpoint; the endpoint requests authentication by submitting a pre-installed machine certificate to the gateway. Then, on Windows endpoints, the gateway reassigns the VPN tunnel from the pre-logon user to the username that logged in to the endpoint; on Mac endpoints, the agent disconnects and creates a new VPN tunnel for the user.
  There are two pre-logon connect methods, either of which enables the same pre-logon functionality that takes place before users log in to the endpoint. However, after users log in to the endpoint, the pre-logon connect method determines when the GlobalProtect agent connection is established:
  - Pre-logon (Always On): The GlobalProtect agent automatically attempts to connect and reconnect to GlobalProtect gateways. Mobile devices do not support pre-logon functionality, and therefore will default to the User-logon (Always On) connect method if this connect method is specified.
  - Pre-logon then On-demand (available only with content release 590-3397 and later releases): Users must launch the GlobalProtect agent or app and then initiate the connection manually. Mobile devices do not support pre-logon functionality, and therefore will default to the On-demand (Manual user initiated connection) connect method if this connect method is specified.


GlobalProtect App Config Refresh Interval (hours): Specify the number of hours the GlobalProtect portal waits before it initiates the next refresh of a client's configuration (range is 1 to 168; default is 24).

Allow User to Disable GlobalProtect App: Specifies whether users are allowed to disable the GlobalProtect agent and, if so, what if anything they must do before they can disable the agent:
- Allow: Allow any user to disable the GlobalProtect agent as needed.
- Disallow: Do not allow end users to disable the GlobalProtect agent.
- Allow with Comment: Allow users to disable the GlobalProtect agent or app on their endpoint but require that they submit their reason for disabling the agent.
- Allow with Passcode: Allow users to enter a passcode to disable the GlobalProtect agent or app. This option requires the user to enter and confirm a Passcode value that, like a password, does not display when typed. Typically, administrators provide a passcode to users before unplanned or unanticipated events prevent users from connecting to the network by using the GlobalProtect VPN. You can provide the passcode through email or as a posting on your organization's website. A passcode shared this widely should be treated as a low-assurance control: anyone who learns it can disable the agent, so rotate it after each use.
- Allow with Ticket: This option enables a challenge-response mechanism where, after a user attempts to disable GlobalProtect, the endpoint displays an 8-character, hexadecimal ticket request number. The user then contacts the firewall administrator or support team (preferably by phone, for security) and provides this number. The administrator or support person types the hexadecimal ticket request number into the Agent User Override Key field (in the GlobalProtect agent configuration Agent tab) to obtain the ticket number (also an 8-character hexadecimal number). The administrator or support person then provides this ticket number to the user, who enters the ticket number into the challenge field to disable the agent.

Allow User to Upgrade GlobalProtect App: Specifies whether end users can upgrade the GlobalProtect agent software and, if they can, whether they can choose when to upgrade:
- Disallow: Prevent users from upgrading the agent or app software.
- Allow Manually: Allow users to manually check for and initiate upgrades by selecting Check Version in the GlobalProtect agent.
- Allow with Prompt (default): Prompt users when a new version is activated on the firewall and allow users to upgrade their software when it is convenient.
- Allow Transparently: Automatically upgrade the agent software whenever a new version becomes available on the portal.
- Internal: Automatically upgrade the agent software whenever a new version becomes available on the portal, but wait until the endpoint is connected internally to the corporate network. This prevents delays caused by upgrades over low-bandwidth connections.

Use Single Sign-on (Windows Only): Select No to disable single sign-on (SSO). With SSO enabled (default), the GlobalProtect agent automatically uses the Windows login credentials to authenticate and then connect to the GlobalProtect portal and gateway. GlobalProtect can also wrap third-party credentials to ensure that Windows users can authenticate and connect even when a third-party credential provider is used to wrap the Windows login credentials.

Clear Single Sign-On Credentials on Logout (Windows Only)
    Select No to keep single sign-on credentials when the user logs out. Select Yes (default) to clear them and force the user to enter credentials upon the next login.

Use Default Authentication on Kerberos Authentication Failure (Windows Only)
    Select No to use only Kerberos authentication. Select Yes (default) to retry authentication by using the default authentication method after a failure to authenticate with Kerberos.

Client Certificate Store Lookup
    Select the type of certificate or certificates that an agent or app looks up in its personal certificate store. The GlobalProtect agent or app uses the certificate to authenticate to the portal or a gateway and then establish a VPN tunnel to the GlobalProtect gateway.
    - User: Authenticate by using the certificate that is local to the user's account.
    - Machine: Authenticate by using the certificate that is local to the endpoint. This certificate applies to all the user accounts permitted to use the endpoint.
    - User and machine (default): Authenticate by using the user certificate and the machine certificate.

SCEP Certificate Renewal Period (days)
    This mechanism is for renewing a SCEP-generated certificate before the certificate actually expires. You specify the maximum number of days before certificate expiry that the portal can request a new certificate from the SCEP server in your PKI system (range is 0 to 30; default is 7). A value of 0 means that the portal does not automatically renew the client certificate when it refreshes a client configuration.
    For an agent or app to get the new certificate, the user must log in during the renewal period (the portal does not request the new certificate for a user during this renewal period unless the user logs in).
    For example, suppose that a client certificate has a lifespan of 90 days and this certificate renewal period is 7 days. If a user logs in during the final 7 days of the certificate lifespan, the portal generates the certificate and downloads it along with a refreshed client configuration. See GlobalProtect App Config Refresh Interval (hours).
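The renewal rule above has two edge cases a practitioner should be able to check: a period of 0 disables automatic renewal, and renewal only happens on a login that falls inside the window. The following added example (not Palo Alto Networks code; the ClientCert type, the day-granular date arithmetic and the constructed 90-day certificate are assumptions) models that portal-side decision:

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not Palo Alto Networks code: models the portal's decision to
# request a replacement SCEP client certificate on a user login. The ClientCert
# type and day-granular dates are assumptions for illustration.

RENEWAL_MIN_DAYS = 0
RENEWAL_MAX_DAYS = 30
RENEWAL_DEFAULT_DAYS = 7


@dataclass(frozen=True)
class ClientCert:
    not_before: date
    not_after: date  # the certificate is still valid on this day

    @property
    def lifespan_days(self) -> int:
        return (self.not_after - self.not_before).days


def validate_renewal_period(days: int) -> int:
    """Enforce the field's documented range (0 to 30 days)."""
    if not RENEWAL_MIN_DAYS <= days <= RENEWAL_MAX_DAYS:
        raise ValueError(
            f"SCEP Certificate Renewal Period must be {RENEWAL_MIN_DAYS}-{RENEWAL_MAX_DAYS} days, got {days}"
        )
    return days


def renewal_window(cert: ClientCert, renewal_days: int):
    """First and last day on which a login triggers a SCEP renewal request,
    or None when renewal_days is 0 (automatic renewal disabled)."""
    renewal_days = validate_renewal_period(renewal_days)
    if renewal_days == 0:
        return None
    return cert.not_after - timedelta(days=renewal_days), cert.not_after


def should_request_renewal(cert: ClientCert, login_day: date,
                           renewal_days: int = RENEWAL_DEFAULT_DAYS,
                           user_logged_in: bool = True) -> bool:
    """True when a login on login_day makes the portal fetch a new certificate.
    The portal acts only on a login and only inside the renewal window; a
    certificate that has already expired is outside the window."""
    window = renewal_window(cert, renewal_days)
    if window is None or not user_logged_in:
        return False
    start, end = window
    return start <= login_day <= end


# Constructed scenario from the text: a 90-day certificate and a 7-day period.
EXAMPLE_CERT = ClientCert(not_before=date(2017, 1, 1), not_after=date(2017, 4, 1))


def example_schedule(renewal_days: int = RENEWAL_DEFAULT_DAYS) -> dict:
    """Renewal decisions for a few constructed login days (ISO date strings)."""
    logins = ["2017-03-20", "2017-03-25", "2017-03-31", "2017-04-02"]
    return {d: should_request_renewal(EXAMPLE_CERT, date.fromisoformat(d), renewal_days)
            for d in logins}
```

With the text's numbers, a login on March 20 (12 days before expiry) leaves the certificate alone, a login on March 25 through April 1 renews it, and a login after expiry gets nothing, which is why the renewal period needs to be longer than the longest gap you expect between user logins.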

Extended Key Usage OID for Client Certificate
    Enter the extended key usage of a client certificate by specifying its object identifier (OID). This setting ensures that the GlobalProtect agent selects only a certificate that is intended for client authentication and enables GlobalProtect to save the certificate for future use.

Enable Advanced View
    Select No to restrict the user interface on the client side to the basic, minimum view (enabled by default).

Allow User to Dismiss Welcome Page
    Select No to force the Welcome Page to appear each time a user initiates a connection. This restriction prevents a user from dismissing important information, such as terms and conditions that may be required by your organization to maintain compliance.

Enable Rediscover Network Option
    Select No to prevent users from manually initiating a network rediscovery.

Enable Resubmit Host Profile Option
    Select No to prevent users from manually triggering resubmission of the latest HIP.

Allow User to Change Portal Address
    Select No to disable the Portal field on the Home tab in the GlobalProtect agent or app. However, because the user will then be unable to specify a portal to which to connect, you must supply the default portal address in the Windows registry or Mac plist:
    - Windows registry: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\PanSetup with key Portal
    - Mac plist: /Library/Preferences/com.paloaltonetworks.GlobalProtect.pansetup.plist with key Portal
    For more information about pre-deploying the portal address, see Customizable Agent Settings in the GlobalProtect Administrator's Guide.

Allow User to Continue with Invalid Portal Server Certificate
    Select No to prevent the agent from establishing a connection with the portal if the portal certificate is not valid.

Display GlobalProtect Icon
    Select No to hide the GlobalProtect icon on the client system. If the icon is hidden, users cannot perform certain tasks, such as viewing troubleshooting information, changing passwords, rediscovering the network, or performing an on-demand connection. However, HIP notification messages, login prompts, and certificate dialogs do display when user interaction is necessary.

User Switch Tunnel Rename Timeout (sec) (Windows only)
    Specify the number of seconds that a remote user has to be authenticated by a GlobalProtect gateway after logging in to an endpoint by using Microsoft's Remote Desktop Protocol (RDP) (range is 0 to 600; default is 0). Requiring the remote user to authenticate within a limited amount of time maintains security.
    After authenticating the new user and switching the tunnel to the user, the gateway renames the tunnel.
    A value of 0 means that the current user's tunnel is not renamed but, instead, is immediately terminated. In this case, the remote user gets a new tunnel and has no time limit for authenticating to a gateway (other than the configured TCP timeout).

Show System Tray Notifications (Windows only)
    Select No to hide notifications from the user. Select Yes (default) to display notifications in the system tray area.

Custom Password Expiration Message (LDAP Authentication Only)
    Create a custom message to display to users when their password is about to expire. The maximum message length is 200 characters.
Maximum Internal Gateway Connection Attempts
    Enter the maximum number of times the GlobalProtect agent should retry the connection to an internal gateway after the first attempt fails (range is 0 to 100; default is 0, which means the GlobalProtect agent does not retry the connection). By increasing the value, you enable the agent to automatically connect to an internal gateway that is temporarily down or unreachable during the first connection attempt but comes back up before the specified number of retries is exhausted. Increasing the value also ensures that the internal gateway receives the most up-to-date user and host information.

Portal Connection Timeout (sec)
    The number of seconds before a connection request to the portal times out due to no response from the portal (range is 1 to 600; default is 30).

TCP Connection Timeout (sec)
    The number of seconds before a TCP connection request times out due to unresponsiveness from either end of the connection (range is 1 to 600; default is 60).

TCP Receive Timeout (sec)
    The number of seconds before a TCP connection times out due to the absence of some partial response to a TCP request (range is 1 to 600; default is 30).

Update DNS Settings at Connect (Windows Only)
    Select Yes to flush the DNS cache and force all adapters to use the DNS settings in the configuration. Select No (default) to use the DNS settings of the client.

Detect Proxy for Each Connection (Windows only)
    Select No to auto-detect the proxy for the portal connection and use that proxy for subsequent connections. Select Yes (default) to auto-detect the proxy at every connection.

Send HIP Report Immediately if Windows Security Center (WSC) State Changes (Windows Only)
    Select No to prevent the GlobalProtect agent from sending HIP data when the status of the Windows Security Center (WSC) changes. Select Yes (default) to immediately send HIP data when the status of the WSC changes.

Enforce GlobalProtect Connection for Network Access
    Select Yes to force all network traffic to traverse a GlobalProtect tunnel. Select No (default) if GlobalProtect is not required for network access and users can still access the internet even when GlobalProtect is disabled or disconnected. To provide instructions to users before traffic is blocked, configure a Traffic Blocking Notification Message and optionally specify when to display the message (Traffic Blocking Notification Delay). To permit traffic required to establish a connection with a captive portal, specify a Captive Portal Exception Timeout. The user must authenticate with the portal before the timeout expires. To provide additional instructions, configure a Captive Portal Detection Message.

Captive Portal Exception Timeout (sec)
    To enforce GlobalProtect for network access but provide a grace period to allow users enough time to connect to a captive portal, specify the timeout in seconds (range is 0 to 3600). For example, a value of 60 means the user must log in to the captive portal within one minute after GlobalProtect detects the captive portal. A value of 0 means GlobalProtect does not allow users to connect to a captive portal and immediately blocks access.

Traffic Blocking Notification Delay (sec)
    Specify a value, in seconds, to determine when to display the notification message. GlobalProtect starts the countdown to display the notification after the network is reachable (range is 5 to 120; default is 15).

Display Traffic Blocking Notification Message
    Specifies whether a message appears when GlobalProtect is required for network access. Select No to disable the message. Select Yes to enable the message (GlobalProtect displays the message when GlobalProtect is disconnected but detects that the network is reachable).

Traffic Blocking Notification Message
    Customize a notification message to display to users when GlobalProtect is required for network access. GlobalProtect displays the message when GlobalProtect is disconnected but detects that the network is reachable. The message can indicate the reason for blocking the traffic and provide instructions on how to connect. For example:
        To access the network, you must first connect to GlobalProtect.
    The message must be 512 or fewer characters.

Allow User to Dismiss Traffic Blocking Notifications
    Select No to always display traffic blocking notifications. By default the value is set to Yes, meaning users are permitted to dismiss the notifications.

Display Captive Portal Detection Message
    Specifies whether a message appears when GlobalProtect detects a captive portal. Select Yes to display the message. Select No (default) to suppress the message (GlobalProtect does not display a message when GlobalProtect detects a captive portal).
    If you enable a Captive Portal Detection Message, the message appears 85 seconds before the Captive Portal Exception Timeout. So if the Captive Portal Exception Timeout is 90 seconds or less, the message appears 5 seconds after a captive portal is detected.

Captive Portal Detection Message
    Customize a notification message to display to users when GlobalProtect detects a captive portal; the message provides additional instructions for connecting to the captive portal. For example:
        GlobalProtect has temporarily permitted network access for you to connect to the internet. Follow instructions from your internet provider. If you let the connection time out, open GlobalProtect and click Connect to try again.
    The message must be 512 or fewer characters.

Enable Inbound Authentication Prompts from MFA Gateways
    To support multi-factor authentication (MFA), a GlobalProtect client must receive and acknowledge UDP prompts that are inbound from the gateway. Select Yes to enable a GlobalProtect client to receive and acknowledge the prompt. Select No (default) for GlobalProtect to block UDP prompts from the gateway.

Network Port for Inbound Authentication Prompts (UDP)
    Specifies the port number a GlobalProtect client uses to receive inbound authentication prompts from MFA gateways. The default port is 4501. To change the port, specify a number from 1 to 65535.
Trusted MFA Gateways
    Specifies the list of firewalls or authentication gateways a GlobalProtect client trusts for multi-factor authentication. When a GlobalProtect client receives a UDP message on the specified network port, GlobalProtect displays an authentication message only if the UDP prompt comes from a trusted gateway.

Default Message for Inbound Authentication Prompts
    Customize a notification message to display when users try to access a resource that requires additional authentication. For example:
        You have attempted to access a protected resource that requires additional authentication. Proceed to authenticate at www.mylogin.com
    The message must be 512 or fewer characters.

IPv6 Preferred
    Specifies the preferred protocol for GlobalProtect client communications. Select No to change the preferred protocol to IPv4. Select Yes (default) to make IPv6 the preferred connection in a dual-stack environment.

Retain Connection on Smart Card Removal (Windows Only)
    Select Yes to retain the connection when a user removes a smart card containing a client certificate. Select No (default) to terminate the connection when a user removes a smart card.
Disable GlobalProtect Agent or App

Passcode / Confirm Passcode
    Enter and then confirm a passcode if the setting for Allow User to Disable GlobalProtect App is Allow with Passcode. Treat this passcode like a password: record it and store it in a secure place. You can distribute the passcode to new GlobalProtect users by email or post it in a support area of your company website.
    If circumstances prevent the endpoint from establishing a VPN connection and this feature is enabled, a user can enter this passcode in the agent or app interface to disable the GlobalProtect agent and get Internet access without using the VPN.

Max Times User Can Disable
    Specify the maximum number of times that a user can disable GlobalProtect before the user must connect to a firewall. The default value of 0 means users have no limit to the number of times they can disable the agent.

Disable Timeout (min)
    Specify the maximum number of minutes the GlobalProtect agent or app can be disabled. After the specified time passes, the agent tries to connect to the firewall. The default of 0 indicates that the disable period is unlimited.

Mobile Security Manager Settings

Mobile Security Manager
    If you are using the GlobalProtect Mobile Security Manager for mobile device management (MDM), enter the IP address or FQDN of the device check-in (enrollment) interface on the GP-100 appliance.

Enrollment Port
    The port number the mobile endpoint should use when connecting to the GlobalProtect Mobile Security Manager for enrollment. The Mobile Security Manager listens on port 443 by default.
    Keep this port number so that mobile endpoint users are not prompted for a client certificate during the enrollment process (other possible values are 443, 7443, and 8443).


Data Collection Tab

Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Agent > <agent-config> > Data Collection to define the data the agent collects from the client in the HIP report:

GlobalProtect Data Collection Configuration Settings    Description

Collect HIP Data
    Clear this selection to prevent the agent from collecting and sending HIP data.

Max Wait Time (sec)
    Specify how many seconds the agent or app should search for HIP data before submitting the available data (range is 10 to 60; default is 20).

Exclude Categories
    Select Exclude Categories to specify the host information categories for which you do not want the agent or app to collect HIP data. Select a Category (such as data loss prevention) to exclude from HIP collection. After selecting a category, you can Add a particular Vendor and, then, you can Add specific products from the vendor to further refine the exclusion as needed. Click OK to save settings in each dialog.

Custom Checks
    Select Custom Checks to define custom host information you want the agent to collect. For example, if you have any required applications that are not included in the Vendor or Product lists for creating HIP objects, you can create a custom check to determine whether that application is installed (it has a corresponding Windows registry or Mac plist key) or is currently running (has a corresponding running process):
    - Windows: Add a check for a particular registry key or key value.
    - Mac: Add a check for a particular plist key or key value.
    - Process List: Add the processes you want to check for on user endpoints to see if they are running. For example, to determine whether a software application is running, add the name of the executable file to the process list. You can add a process to the Windows tab, the Mac tab, or both.
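To make the three custom-check kinds concrete, here is an added example (not GlobalProtect code) that evaluates registry, plist and process-list checks against a host snapshot the agent would already have collected. The snapshot layout, the check classes, the case-insensitive process matching and the constructed ExampleCorp values are all assumptions; a HIP object on the firewall would then match on the resulting booleans.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Added example, not GlobalProtect code: evaluates custom checks against a
# constructed host snapshot. Snapshot layout and check classes are assumptions.


@dataclass(frozen=True)
class RegistryCheck:          # Windows: registry key, optionally a value name and data
    key: str
    value_name: Optional[str] = None
    value_data: Optional[str] = None


@dataclass(frozen=True)
class PlistCheck:             # Mac: plist path, optionally a key and value
    path: str
    key: Optional[str] = None
    value: Optional[str] = None


@dataclass(frozen=True)
class ProcessCheck:           # Process List: executable name that must be running
    name: str


CustomCheck = Union[RegistryCheck, PlistCheck, ProcessCheck]


@dataclass
class HostSnapshot:
    os: str                                                  # "windows" or "mac"
    registry: Dict[str, Dict[str, str]] = field(default_factory=dict)  # key -> {value_name: data}
    plists: Dict[str, Dict[str, str]] = field(default_factory=dict)    # path -> {key: value}
    processes: List[str] = field(default_factory=list)


def _key_value_present(store: Dict[str, Dict[str, str]], container: str,
                       name: Optional[str], wanted: Optional[str]) -> bool:
    """Key-only checks need the container; key/value checks need the value too."""
    if container not in store:
        return False
    if name is None:
        return True
    entries = store[container]
    if name not in entries:
        return False
    return wanted is None or entries[name] == wanted


def evaluate_custom_checks(snapshot: HostSnapshot, checks: List[CustomCheck]) -> Dict[str, bool]:
    """Return {check_label: satisfied}, one entry per check that applies to
    the snapshot's OS. Checks for the other OS are skipped, not failed."""
    results: Dict[str, bool] = {}
    running = {p.lower() for p in snapshot.processes}   # assumption: names compared case-insensitively
    for chk in checks:
        if isinstance(chk, RegistryCheck):
            if snapshot.os != "windows":
                continue
            results[f"registry:{chk.key}"] = _key_value_present(
                snapshot.registry, chk.key, chk.value_name, chk.value_data)
        elif isinstance(chk, PlistCheck):
            if snapshot.os != "mac":
                continue
            results[f"plist:{chk.path}"] = _key_value_present(
                snapshot.plists, chk.path, chk.key, chk.value)
        elif isinstance(chk, ProcessCheck):
            results[f"process:{chk.name}"] = chk.name.lower() in running
    return results


# Constructed sample data (hypothetical vendor, keys and processes).
DLP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\DLPAgent"
BACKUP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\BackupClient"
DLP_PLIST = "/Library/Preferences/com.examplecorp.dlp.plist"

WINDOWS_SNAPSHOT = HostSnapshot(
    os="windows",
    registry={DLP_KEY: {"Version": "4.2", "Enabled": "1"}},
    processes=["explorer.exe", "DlpAgent.exe"],
)
MAC_SNAPSHOT = HostSnapshot(
    os="mac",
    plists={DLP_PLIST: {"enabled": "true"}},
    processes=["launchd"],
)
EXAMPLE_CHECKS: List[CustomCheck] = [
    RegistryCheck(DLP_KEY, "Enabled", "1"),   # installed and switched on
    RegistryCheck(BACKUP_KEY),                # key-only check
    PlistCheck(DLP_PLIST, "enabled", "true"),
    ProcessCheck("dlpagent.exe"),
    ProcessCheck("backupsvc.exe"),
]
```

On the Windows snapshot the DLP registry and process checks pass, the backup client fails both its key and process checks, and the plist check is simply absent from the report; the Mac snapshot produces the mirror image.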


Clientless Configuration Tab

You can now configure the GlobalProtect portal to provide secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies. Users have the advantage of secure access from SSL-enabled web browsers without installing GlobalProtect client software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices. This feature requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal. Select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Client to configure the GlobalProtect Clientless VPN settings on the portal as described in the following table.

GlobalProtect Portal Clientless Configuration Settings    Description

General
    Select Clientless VPN to specify general information about the Clientless VPN session:
    - Hostname: The IP address or FQDN for the GlobalProtect portal that hosts the web applications landing page. The GlobalProtect Clientless VPN rewrites application URLs with this hostname.
      If you use Network Address Translation (NAT) to provide access to the GlobalProtect portal, the IP address or FQDN you enter must match (or resolve to) the NAT IP address for the GlobalProtect portal (the public IP address).
    - Security Zone: The zone for the Clientless VPN configuration. Security rules defined in this zone control which applications users can access.
    - DNS Proxy: The DNS server that resolves application names. Select a DNS proxy server or configure a New DNS Proxy (Network > DNS Proxy).
    - Login Lifetime: The number of Minutes (range is 60 to 1,440) or Hours (range is 1 to 24; default is 3) that a clientless SSL VPN session is valid. After the specified time, users must re-authenticate and start a new clientless VPN session.
    - Inactivity Timeout: The number of Minutes (range is 5 to 1,440; default is 30) or Hours (range is 1 to 24) that a clientless SSL VPN session can remain idle. If there is no user activity during the specified amount of time, the user must re-authenticate and start a new clientless VPN session.
    - Max User: The maximum number of users that can be logged in to the portal at the same time (default is 10; range is 1 to no maximum). When the maximum number of users is reached, additional clientless VPN users cannot log in to the portal.
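Login Lifetime, Inactivity Timeout and Max User act together on one session table, and the interaction (an idle session frees a slot, an active session still dies at the absolute lifetime) is what an operator usually has to reason about. The following added example (not PAN-OS code) models that with the documented ranges; the ClientlessPortal class, the minute-based clock and the treatment of a repeat login as a replacement session are assumptions:

```python
from dataclasses import dataclass, field
from typing import Dict

# Added example, not PAN-OS code: models how the three General settings bound
# a clientless VPN session. Class names and the minute clock are assumptions.


def login_lifetime_minutes(value: int, unit: str) -> int:
    """Login Lifetime: Minutes 60 to 1,440, or Hours 1 to 24 (default 3 hours)."""
    if unit == "minutes" and 60 <= value <= 1440:
        return value
    if unit == "hours" and 1 <= value <= 24:
        return value * 60
    raise ValueError(f"Login Lifetime out of range: {value} {unit}")


def inactivity_timeout_minutes(value: int, unit: str) -> int:
    """Inactivity Timeout: Minutes 5 to 1,440 (default 30), or Hours 1 to 24."""
    if unit == "minutes" and 5 <= value <= 1440:
        return value
    if unit == "hours" and 1 <= value <= 24:
        return value * 60
    raise ValueError(f"Inactivity Timeout out of range: {value} {unit}")


@dataclass
class Session:
    user: str
    login_at: int        # minutes on a monotonic clock (integers keep the example deterministic)
    last_activity: int


@dataclass
class ClientlessPortal:
    lifetime_min: int = login_lifetime_minutes(3, "hours")          # documented default
    idle_min: int = inactivity_timeout_minutes(30, "minutes")        # documented default
    max_users: int = 10                                              # documented default
    sessions: Dict[str, Session] = field(default_factory=dict)

    def expire_stale(self, now: int) -> None:
        """Drop sessions past the absolute lifetime or the idle limit, whichever comes first."""
        for user, s in list(self.sessions.items()):
            if now - s.login_at >= self.lifetime_min or now - s.last_activity >= self.idle_min:
                del self.sessions[user]

    def login(self, user: str, now: int) -> bool:
        """Authenticate a user; refused when Max User concurrent sessions already exist."""
        self.expire_stale(now)
        if user not in self.sessions and len(self.sessions) >= self.max_users:
            return False
        self.sessions[user] = Session(user, now, now)   # assumption: a repeat login replaces the old session
        return True

    def request(self, user: str, now: int) -> bool:
        """An application request; False means the user must re-authenticate."""
        self.expire_stale(now)
        s = self.sessions.get(user)
        if s is None:
            return False
        s.last_activity = now
        return True
```

A portal with Max User set to 2 refuses a third login while two sessions are live, admits it once one of them has idled past 30 minutes, and still cuts off a user who has been active the whole time once the 3-hour lifetime is reached.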

Applications tab

Applications to User Mapping
    Add one or more Applications to User Mapping to match users with published applications. This mapping controls which users or user groups can use a clientless VPN to access applications. You must define the applications and application groups before mapping them to users (Network > GlobalProtect > Clientless Apps and Network > GlobalProtect > Clientless App Groups).
    - Name: Enter a name for the mapping (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
    - Allow user to launch unpublished applications: Select this option to allow users to access applications that are not published on the applications landing page. (Users can click the Application URLs link on the page and specify a URL.)

Source User
    You can Add individual users or user groups to which the current application configuration applies. These users have permission to launch the configured applications using a GlobalProtect clientless VPN.
    You must configure group mapping (Device > User Identification > Group Mapping Settings) before you can select the groups.
    In addition to users and groups, you can specify when these settings apply to the users or groups:
    - any: The application configuration applies to all users (no need to Add users or user groups).
    - select: The application configuration applies only to users and user groups you Add to this list.

Applications
    You can Add individual applications or application groups to the mapping. The Source Users you included in the configuration can use GlobalProtect clientless VPN to launch the applications you add.

Crypto Settings
    Specify the authentication and encryption algorithms for the SSL sessions between the firewall and the published applications:
    - Protocol Versions: Select the required minimum and maximum TLS/SSL versions. The higher the TLS version, the more secure the connection. Choices include SSLv3, TLSv1.0, TLSv1.1, or TLSv1.2.
    - Key Exchange Algorithms: Select the supported algorithm types for key exchange. Choices include RSA, Diffie-Hellman (DHE), or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE).
    - Encryption Algorithms: Select the supported encryption algorithms. AES128 or higher is recommended.
    - Authentication Algorithms: Select the supported authentication algorithms. Choices are: MD5, SHA1, SHA256, or SHA384. SHA256 or higher is recommended.

Server Certificate Verification
    Enable which actions to take for the following issues that can occur when an application presents a server certificate:
    - Block sessions with expired certificate: If the server certificate has expired, block access to the application.
    - Block sessions with untrusted issuers: If the server certificate is issued from an untrusted certificate authority, block access to the application.
    - Block sessions with unknown certificate status: If the OCSP or CRL service returns a certificate revocation status of unknown, block access to the application.
    - Block sessions on certificate status check timeout: If the certificate status check times out before receiving a response from any certificate status service, block access to the application.

Proxy
    (Optional) Add a proxy server. Specify these settings if users need to reach the applications through a proxy server. With this configuration, the GlobalProtect portal must use the proxy server to access the published applications.
    - Name: A label of up to 31 characters to identify the proxy server. The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
    - Domains: Add the domains served by the proxy server.
    - Use Proxy: Select to allow the GlobalProtect portal to use the proxy server to access the published applications.
    - Server, Port: Specify the hostname (or IP address) and port number of the proxy server.
    - User, Password: Specify the username and password needed to log in to the proxy server. Enter the password again for verification.

Advanced Settings
    (Optional) Add domain names, hostnames, or IP addresses to the Rewrite Exclude Domain List. The clientless VPN acts as a reverse proxy and modifies pages returned by the published applications. When a remote user accesses the URL, the requests go through the GlobalProtect portal. In some cases, the application may have pages that do not need to be accessed through the portal. Specify domains that should be excluded from rewrite rules and cannot be rewritten.
    Paths are not supported in host and domain names. The wildcard character (*) for host and domain names can only appear at the beginning of the name (for example, *.etrade.com).
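The two rules for exclude-list entries (no paths, wildcard only as the leading label) are easy to get wrong, and a wildcard that matches too loosely would route more of the application through, or around, the portal than intended. The following added example (not the PAN-OS implementation) validates entries the way the text describes, matches a URL's host against the list, and shows a non-excluded URL being rewritten to the portal hostname. The entry validator, the matcher and especially the rewritten-URL layout are assumptions made for illustration:

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit, urlunsplit

# Added example, not the PAN-OS implementation: Rewrite Exclude Domain List
# matching and a reverse-proxy style URL rewrite. The rewritten URL layout
# (https://<portal>/<scheme>/<host>/<path>) is an assumption.


def validate_exclude_entry(entry: str) -> str:
    """Normalize one list entry and reject forms the text says are unsupported."""
    entry = entry.strip().lower().rstrip(".")
    if not entry:
        raise ValueError("empty exclude entry")
    if "/" in entry:
        raise ValueError(f"paths are not supported in exclude entries: {entry!r}")
    if "*" in entry and (not entry.startswith("*.") or entry.count("*") > 1):
        raise ValueError(f"wildcard may only appear at the beginning of the name: {entry!r}")
    return entry


def host_matches(host: str, entry: str) -> bool:
    """Exact match for hostnames, domains and IP addresses; a leading wildcard
    matches any subdomain (at least one label) of the rest of the entry."""
    host = host.lower().rstrip(".")
    entry = validate_exclude_entry(entry)
    if entry.startswith("*."):
        return host.endswith(entry[1:])        # "*.etrade.com" -> host must end in ".etrade.com"
    return host == entry


def is_excluded(url: str, exclude_list: Iterable[str]) -> bool:
    host: Optional[str] = urlsplit(url).hostname
    return bool(host) and any(host_matches(host, e) for e in exclude_list)


def rewrite_url(url: str, exclude_list: Iterable[str], portal_host: str) -> str:
    """Return the URL the browser would be given: untouched when the host is
    excluded, otherwise routed through the portal (assumed layout)."""
    parts = urlsplit(url)
    if not parts.hostname or is_excluded(url, exclude_list):
        return url                              # relative or excluded: leave it alone
    new_path = f"/{parts.scheme}/{parts.netloc}{parts.path or '/'}"
    return urlunsplit(("https", portal_host, new_path, parts.query, parts.fragment))


# Constructed list and portal name for the demonstration.
EXCLUDE_LIST = ["*.etrade.com", "cdn.example.net", "10.0.0.5"]
PORTAL_HOST = "portal.example.com"
```

Note that `*.etrade.com` matches `www.etrade.com` but neither `etrade.com` itself nor a look-alike such as `evil-etrade.com`, which is the behaviour you want from a suffix that includes the dot.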


Satellite Configuration Tab

A satellite is a Palo Alto Networks firewall, typically at a branch office, that acts as a GlobalProtect agent to enable the satellite to establish VPN connectivity to a GlobalProtect gateway. Like a GlobalProtect agent, a satellite receives its initial configuration from the portal, which includes the certificates, VPN configuration, and routing information, and enables the satellite to connect to all configured gateways to establish VPN connectivity.
Before configuring the GlobalProtect satellite settings on the branch office firewall, you must configure an interface with WAN connectivity and set up a security zone and policy to allow the branch office LAN to communicate with the Internet. You can then select Network > GlobalProtect > Portals > <GlobalProtect-portal-config> > Satellite > <GlobalProtect-satellite> to configure the GlobalProtect satellite settings on the portal as described in the following table.

GlobalProtect Portal Satellite Configuration Settings    Description

General
    - Name: A name for this satellite configuration on the GlobalProtect portal.
    - Configuration Refresh Interval (hours): How often a satellite should check the portal for configuration updates (range is 1 to 48; default is 24).

Devices
    Add a satellite using the firewall Serial Number. The portal can accept a serial number or login credentials to identify who is requesting a connection; if the portal does not receive a serial number, it requests login credentials. If you identify the satellite by its firewall serial number, you do not need to provide user login credentials when the satellite first connects to acquire the authentication certificate and its initial configuration.
    After the satellite authenticates by either a serial number or login credentials, the Satellite Hostname is automatically added to the portal.

Enrollment User/User Group
    The portal can use Enrollment User/User Group settings with or without serial numbers to match a satellite to this configuration. Satellites that do not match on a serial number are required to authenticate either as an individual user or group member.
    Add the user or group you want to control with this configuration.
    Before you can restrict the configuration to specific groups, you must enable Group Mapping in the firewall (Device > User Identification > Group Mapping Settings).

Gateways
    Click Add to enter the IP address or hostname of the gateway(s) to which satellites using this configuration can establish IPSec tunnels. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. IP addresses can be specified as IPv6, IPv4, or both. Select IPv6 Preferred to specify preference of IPv6 connections in a dual-stack environment.
    (Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway (range is 1 to 25). Lower numbers have higher priority (for gateways that are available). The satellite multiplies the routing priority by 10 to determine the routing metric.
    Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10 times the routing priority. If you have more than one gateway, be sure to set the routing priority so that routes advertised by backup gateways have higher metrics than the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway.
    The satellite also shares its network and routing information with the gateways if you Publish all static and connected routes to Gateway (Network > IPSec Tunnels > <tunnel> > Advanced, available only when you select GlobalProtect Satellite on the <tunnel> > General tab).
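The metric rule is simple, but the failure mode worth seeing is what happens when the primary gateway drops out: the backup's copy of the same route must then win, which it only does if its metric is strictly higher while the primary is up and it is the only candidate left when the primary is down. The following added example (not PAN-OS code) models the priority-to-metric conversion and the satellite's choice of next hop; the Gateway type, the route table shape and the gateway names are constructed for illustration:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not PAN-OS code: Routing Priority to static-route metric and
# the satellite's choice between gateways publishing the same prefix. The
# Gateway type and route-table layout are assumptions.

PRIORITY_MIN, PRIORITY_MAX = 1, 25
METRIC_FACTOR = 10          # documented: metric = 10 x routing priority


@dataclass(frozen=True)
class Gateway:
    name: str
    routing_priority: int
    available: bool = True


def route_metric(priority: int) -> int:
    """Metric of a static route learned from a gateway with this Routing Priority."""
    if not PRIORITY_MIN <= priority <= PRIORITY_MAX:
        raise ValueError(f"Routing Priority must be {PRIORITY_MIN}-{PRIORITY_MAX}, got {priority}")
    return priority * METRIC_FACTOR


def install_routes(gateways: List[Gateway], published: Dict[str, List[str]]) -> List[Tuple[str, str, int]]:
    """Build the satellite's static-route table: (prefix, gateway, metric) for
    every prefix published by every gateway that is currently available."""
    table = []
    for gw in gateways:
        if not gw.available:
            continue
        for prefix in published.get(gw.name, []):
            table.append((prefix, gw.name, route_metric(gw.routing_priority)))
    return table


def best_next_hop(table: List[Tuple[str, str, int]], prefix: str) -> Optional[Tuple[str, int]]:
    """Lowest-metric gateway for a prefix, or None when no gateway publishes it."""
    candidates = [(metric, gw) for p, gw, metric in table if p == prefix]
    if not candidates:
        return None
    metric, gw = min(candidates)
    return gw, metric


# Constructed scenario from the text: primary priority 1, backup priority 10.
PRIMARY = Gateway("gw-primary", routing_priority=1)
BACKUP = Gateway("gw-backup", routing_priority=10)
PUBLISHED = {"gw-primary": ["10.1.0.0/16", "10.2.0.0/16"],
             "gw-backup": ["10.1.0.0/16", "10.2.0.0/16"]}


def failover_demo() -> Dict[str, Optional[Tuple[str, int]]]:
    """Next hop for 10.1.0.0/16 with both gateways up, and with the primary down."""
    both_up = install_routes([PRIMARY, BACKUP], PUBLISHED)
    primary_down = install_routes([Gateway("gw-primary", 1, available=False), BACKUP], PUBLISHED)
    return {"both_up": best_next_hop(both_up, "10.1.0.0/16"),
            "primary_down": best_next_hop(primary_down, "10.1.0.0/16")}
```

Two gateways configured with the same priority would tie on metric, so give the backup a strictly larger number; the example's `min` falls back to gateway name order only to keep the output deterministic, not because the satellite does.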

Trusted Root CA
    Click Add and then select the CA certificate for issuing gateway server certificates.
    All your gateways should use the same issuer.
    You can Import or Generate a root CA certificate for issuing your gateway server certificates if one does not already exist on the portal.

Client Certificate
    - Local Issuing Certificate: Select the root CA issuing certificate the portal uses to issue certificates to a satellite after it successfully authenticates. If the needed certificate does not already exist on the firewall, you can Import or Generate it.
    - OCSP Responder: Select the OCSP Responder the satellite uses to verify the revocation status of certificates presented by the portal and gateways. Select None to specify that OCSP is not used for verifying revocation of a certificate.
    - Validity Period (days): Specify the GlobalProtect satellite certificate lifetime (range is 7 to 365; default is 7).
    - Certificate Renewal Period (days): Specify the number of days before expiration that certificates can be automatically renewed (range is 3 to 30; default is 3).

SCEP
    - SCEP: Select a SCEP profile for generating client certificates. If the profile is not in the drop-down, you can create a New profile.
    - Certificate Renewal Period (days): Specify the number of days before expiration that certificates can be automatically renewed (range is 3 to 30; default is 3).


Network > GlobalProtect > Gateways

Select Network > GlobalProtect > Gateways to configure a GlobalProtect gateway. A gateway can provide VPN connections for GlobalProtect agents or apps or for GlobalProtect satellites.
From the GlobalProtect Gateway dialog, Add a new gateway configuration or select an existing gateway configuration to modify it.

What are you looking for?    See:
- What general settings can I configure for the GlobalProtect gateway?    General Tab
- How do I configure the gateway client authentication?    Authentication Tab
- How do I configure the tunnel and network settings that enable an agent or app to establish a VPN tunnel with the gateway?    Agent Tab
- How do I configure the tunnel and network settings to enable the satellites to establish VPN connections with a gateway acting as a satellite?    Satellite Configuration Tab
- Looking for more?    For detailed, step-by-step instructions on setting up the portal, refer to Configure GlobalProtect Gateways in the GlobalProtect Administrator's Guide.


General Tab

Select Network > GlobalProtect > Gateways > General to define the gateway interface to which the agents or apps can connect and specify how the gateway authenticates endpoint clients.

GlobalProtect Gateway General Settings    Description

Name
    Enter a name for the gateway (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location
    For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the GlobalProtect gateway is available. For a firewall that is not in multi-vsys mode, the Location field does not appear in the GlobalProtect Gateway dialog.
    After you save the gateway configuration, you cannot change the Location.

Network Settings Area

Interface
    Select the name of the firewall interface that will serve as the ingress interface for remote endpoints. (These interfaces must already exist.)

IP Address
    (Optional) Specify the IP address for gateway access. Select the IP Address Type, then enter the IP Address.
    The IP address type can be IPv4 (for IPv4 traffic only), IPv6 (for IPv6 traffic only), or IPv4 and IPv6. Use IPv4 and IPv6 if your network supports dual-stack configurations, where IPv4 and IPv6 run at the same time.
    The IP address must be compatible with the IP address type. For example, 172.16.1.0 for IPv4 or 21DA:D3:0:2F3b for IPv6. If you choose IPv4 and IPv6, enter the appropriate address type for each.


Authentication Tab

Select Network > GlobalProtect > Gateways > Authentication to identify the SSL/TLS service profile and to configure the details of client authentication. You can add multiple client authentication configurations.

GlobalProtect Gateway Authentication Settings    Description

SSL/TLS Service Profile
    Select an SSL/TLS service profile for securing this GlobalProtect gateway. For details about the contents of a service profile, see Device > Certificate Management > SSL/TLS Service Profile.

Client Authentication Area

Name
    Enter a unique name to identify this configuration.

OS
    By default, the configuration applies to all clients. You can refine the list of client endpoints by OS (Android, Chrome, iOS, Mac, Windows, or WindowsUWP), by Satellite devices, or by third-party IPSec VPN clients (X-Auth).
    The OS is the main differentiator between multiple configurations. If you need multiple configurations for one OS, you can further distinguish the configurations by your choice of authentication profile.
    Order the configurations from most specific at the top of the list to most general at the bottom.

Authentication Profile
    Choose an authentication profile or sequence from the drop-down to authenticate access to the gateway. Refer to Device > Authentication Profile.

Authentication Message
    To help end users know what credentials they should use for logging in to this gateway, you can enter a message or keep the default message. The message can have a maximum of 100 characters.

Certificate Profile
    (Optional) Select the Certificate Profile the gateway uses to match those client certificates that come from user endpoints. With a Certificate Profile, the gateway authenticates the user only if the certificate from the client matches this profile (see Device > Certificate Management > Certificate Profile).

Agent Tab

Select Network > GlobalProtect > Gateways > Agent to configure the tunnel settings that enable an agent or app to establish a VPN tunnel with the gateway. In addition, this tab lets you specify timeouts for VPNs, the network services DNS and WINS, and HIP notification messages for end users upon matching or not matching a HIP profile attached to a Security policy rule.
Configure Agent settings on the following tabs:
- Tunnel Settings Tab
- Timeout Settings Tab
- Client Settings Tab
- Network Services Tab
- HIP Notification Tab


Tunnel Settings Tab

Select Network > GlobalProtect > Gateways > Agent > Tunnel Settings to enable tunneling and configure the tunnel parameters.
Tunnel parameters are required if you are setting up an external gateway. If you are configuring an internal gateway, tunnel parameters are optional.

GlobalProtect Gateway Client Tunnel Mode Configuration Settings    Description

Tunnel Mode
    Select Tunnel Mode to enable tunnel mode and then specify the following settings:
    - Tunnel Interface: Choose a tunnel interface for access to this gateway.
    - Max User: Specify the maximum number of users that can simultaneously access the gateway for authentication, HIP updates, and GlobalProtect agent and app updates. If the maximum number of users is reached, subsequent users are denied access with a message that indicates the maximum number of users has been reached (range is 1 to 1024; by default, there is no limit).
    - Enable IPSec: Select this option to enable IPSec mode for client traffic, making IPSec the primary method and SSL-VPN the fallback method. The remaining options are not available until IPSec is enabled.
    - GlobalProtect IPSec Crypto: Select a GlobalProtect IPSec Crypto profile that specifies authentication and encryption algorithms for the VPN tunnels. The default profile uses AES-128-CBC encryption and SHA1 authentication. For details, see Network > Network Profiles > GlobalProtect IPSec Crypto.
    - Enable X-Auth Support: Select this option to enable Extended Authentication (X-Auth) support in the GlobalProtect gateway when IPSec is enabled. With X-Auth support, third-party IPSec VPN clients that support X-Auth (such as the IPSec VPN client on Apple iOS and Android devices and the VPNC client on Linux) can establish a VPN tunnel with the GlobalProtect gateway. The X-Auth option provides remote access from the VPN client to a specific GlobalProtect gateway. Because X-Auth access provides limited GlobalProtect functionality, consider using the GlobalProtect App for simplified access to the full security feature set GlobalProtect provides on iOS and Android devices.
      Selecting X-Auth Support activates the Group Name and Group Password options:
      - If the group name and group password are specified, the first authentication phase requires both parties to use this credential to authenticate. The second phase requires a valid username and password, which is verified through the authentication profile configured in the Authentication section.
      - If no group name and group password are defined, the first authentication phase is based on a valid certificate presented by the third-party VPN client. This certificate is then validated through the certificate profile configured in the Authentication section.
      By default, the user is not required to re-authenticate when the key used to establish the IPSec tunnel expires. To require the user to re-authenticate, clear the Skip Auth on IKE Rekey option.

Timeout Settings Tab

Select Network > GlobalProtect > Gateways > Agent > Timeout Settings to define the maximum time that a user session or tunnel connection can be idle.

GlobalProtect Gateway Client Tunnel Mode Timeout Settings | Description

Timeout Configuration

Login Lifetime
  Specify the number of days, hours, or minutes allowed for a single gateway login session.

Inactivity Logout
  Specify the number of days, hours, or minutes after which an inactive session is automatically logged out.

Disconnect on Idle
  Specify the number of minutes after which a client is logged out of GlobalProtect if the GlobalProtect app has not routed traffic through the VPN tunnel in the specified amount of time.

Client Settings Tab

Select Network > GlobalProtect > Gateways > Agent > Client Settings to configure settings for the virtual network adapter on the client system when an agent establishes a tunnel with the gateway.

Some Client Settings options are available only after you enable tunnel mode and define a tunnel interface on the Tunnel Settings Tab.

GlobalProtect Gateway Client Settings and Network Configuration | Description

Authentication

Name
  Enter a name to identify the client settings configuration (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Authentication Override
  Enable the gateway to use secure, device-specific, encrypted cookies to authenticate the user after the user first authenticates using the authentication scheme specified by the authentication or certificate profile.
  - Generate cookie for authentication override: During the lifetime of the cookie, the agent presents this cookie each time the user authenticates with the gateway.
  - Cookie Lifetime: Specify the hours, days, or weeks that the cookie is valid. The typical lifetime is 24 hours. The ranges are 1-72 hours, 1-52 weeks, or 1-365 days. After the cookie expires, the user must enter login credentials and the gateway subsequently encrypts a new cookie to send to the user device.
  - Accept cookie for authentication override: Select this option to configure the gateway to accept authentication using the encrypted cookie. When the agent presents the cookie, the gateway validates that the cookie was encrypted by the gateway before authenticating the user.
  - Certificate to Encrypt/Decrypt Cookie: Select the certificate the gateway uses when encrypting and decrypting the cookie. Ensure that the gateway and portal both use the same certificate to encrypt and decrypt cookies.

User/User Group tab
  Specify the user or user group and client operating system to which this agent configuration applies.

User/User Group
  Add a specific user or user group to which this configuration applies. You must configure group mapping (Device > User Identification > Group Mapping Settings) before you can select users and groups.
  You can also create configurations that are deployed to agents or apps in pre-logon mode (before the user logs in to the endpoint) or configurations to deploy to any user.

OS
  To deploy configurations based on the operating system running on the endpoint, Add an OS (Android, Chrome, iOS, Mac, Windows, WindowsUWP). Alternatively, you can leave this value set to Any so that configuration deployment is based only on the user or user group and not on the operating system of the endpoint.

IP Pools tab

Retrieve Framed-IP-Address attribute from authentication server
  Select this option to enable the GlobalProtect gateway to assign fixed IP addresses by use of an external authentication server. When this option is enabled, the GlobalProtect gateway allocates the IP address for connecting devices by using the Framed-IP-Address attribute from the authentication server.

Authentication Server IP Pool
  Add a subnet or range of IP addresses to assign to remote users. When the tunnel is established, the GlobalProtect gateway allocates the IP address in this range to connecting devices using the Framed-IP-Address attribute from the authentication server. You can add IPv4 or IPv6 addresses.
  You can enable and configure Authentication Server IP Pool only if you enable Retrieve Framed-IP-Address attribute from authentication server.
  The authentication server IP pool must be large enough to support all concurrent connections. IP address assignment is fixed and is retained after the user disconnects. Configure multiple ranges from different subnets to allow the system to offer clients an IP address that does not conflict with other interfaces on the client.
  The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a remote user can receive the address 192.168.0.10.

IP Pool
  Add a range of IP addresses to assign to remote users. When the tunnel is established, an interface is created on the remote user's endpoint with an address in this range. You can add IPv4 or IPv6 addresses.
  To avoid conflicts, the IP pool must be large enough to support all concurrent connections. The gateway maintains an index of clients and IP addresses so that the client automatically receives the same IP address the next time it connects. Configuring multiple ranges from different subnets allows the system to offer clients an IP address that does not conflict with other interfaces on the client.
  The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a remote user may be assigned the address 192.168.0.10.

Split Tunnel tab

No direct access to local network
  Select this option to disable split tunneling, including direct access to local networks on Windows and Mac OS endpoints. This function prevents a user from sending traffic to proxies or local resources, such as a home printer. When the tunnel is established, all traffic is routed through the tunnel and is subject to policy enforcement by the firewall.

Includes
  Add routes to include in the VPN tunnel. These are the routes the gateway pushes to the remote user's endpoint to specify what user endpoints can send through the VPN connection.

Excludes
  Add routes to exclude from the VPN tunnel. These routes are sent through the physical adapter on endpoints rather than through the virtual adapter (the tunnel).
  You can define the routes you send through the VPN tunnel as routes you include in the tunnel, routes you exclude from the tunnel, or a combination of both. For example, you can set up split tunneling to allow remote users to access the internet without going through the VPN tunnel. Excluded routes should be more specific than the included routes to avoid excluding more traffic than you intend to exclude.
  If you don't include or exclude routes, every request is routed through the tunnel (no split tunneling). In this case, each internet request passes through the firewall and then out to the network. This method can prevent the possibility of an external party accessing user endpoints and gaining access to the internal network (with a user endpoint acting as a bridge).
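The include/exclude interaction described above, worked through as an added example (this is not code from the PAN-OS guide or from Palo Alto Networks). It assumes the endpoint picks the most specific matching route, which is why the guide wants excluded routes to be more specific than included ones; the route lists and addresses are constructed sample values.

```python
"""Added example (not from the PAN-OS guide): how Split Tunnel Includes and
Excludes decide whether a destination goes through the GlobalProtect tunnel.

Assumption: the endpoint uses longest-prefix match between the include routes
(via the virtual adapter) and the exclude routes (via the physical adapter).
All route lists and addresses below are constructed sample values.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple


def split_tunnel_decision(destination: str, includes: List[str], excludes: List[str]) -> str:
    """Return 'tunnel' or 'physical' for one destination IP.

    includes/excludes are CIDR strings as entered on the Split Tunnel tab.
    With neither list configured, everything is tunneled (no split tunneling).
    """
    dst = ip_address(destination)
    if not includes and not excludes:
        return "tunnel"

    candidates = [(ip_network(r), "tunnel") for r in includes] + \
                 [(ip_network(r), "physical") for r in excludes]
    best = None  # (prefix length, adapter) of the most specific matching route
    for net, via in candidates:
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, via)

    if best is None:
        # Matched no route. With include routes configured only included
        # destinations are tunneled; with excludes only, the rest is tunneled.
        return "physical" if includes else "tunnel"
    return best[1]


def find_overbroad_excludes(includes: List[str], excludes: List[str]) -> List[Tuple[str, str]]:
    """Flag (exclude, include) pairs where the excluded route is as broad as or
    broader than an included route it overlaps. Such an exclude also removes
    the rest of its range from the tunnel, the over-exclusion the guide warns about."""
    flagged = []
    for ex in excludes:
        ex_net = ip_network(ex)
        for inc in includes:
            inc_net = ip_network(inc)
            # supernet_of raises on mixed IP versions, so compare versions first
            if ex_net.version == inc_net.version and ex_net.supernet_of(inc_net):
                flagged.append((ex, inc))
    return flagged


if __name__ == "__main__":
    # Constructed configuration: tunnel the corporate /8, but keep one
    # branch-office /16 (reached locally) on the physical adapter.
    includes = ["10.0.0.0/8"]
    excludes = ["10.1.0.0/16"]
    for dst in ("10.1.2.3", "10.2.2.3", "8.8.8.8"):
        print(dst, "->", split_tunnel_decision(dst, includes, excludes))
    # A mis-ordered configuration: the exclude is broader than the include.
    print(find_overbroad_excludes(["10.1.0.0/16"], ["10.0.0.0/8"]))
```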

Network Services Tab

Select Network > GlobalProtect > Gateways > Agent > Network Services to configure the DNS settings that are assigned to the virtual network adapter on the client system when an agent establishes a tunnel with the gateway.

Network Services options are available only if you have enabled tunnel mode and defined a tunnel interface on the Tunnel Settings Tab.

GlobalProtect Gateway Client Network Services Configuration Settings | Description

Inheritance Source
  Select a source to propagate DNS server and other settings from the selected DHCP client or PPPoE client interface into the GlobalProtect agents' or apps' configuration. With this setting, all client network configurations, such as DNS servers and WINS servers, are inherited from the configuration of the interface selected in the Inheritance Source.

Check inheritance source status
  Click Inheritance Source to see the server settings that are currently assigned to the client interfaces.

Primary DNS / Secondary DNS
  Enter the IP addresses of the primary and secondary servers that provide DNS to the clients.

Primary WINS / Secondary WINS
  Enter the IP addresses of the primary and secondary servers that provide Windows Internet Naming Service (WINS) to the clients.

Inherit DNS Suffixes
  Select this option to inherit the DNS suffixes from the inheritance source.

DNS Suffix
  Add a suffix that the client should use locally when an unqualified hostname is entered that it cannot resolve. You can enter multiple suffixes by separating them with commas.

HIP Notification Tab

Select Network > GlobalProtect > Gateways > Agent > HIP Notification to define the notification messages that end users see when a security rule with a host information profile (HIP) is enforced.

These options are available only if you created HIP Profiles and added them to your security policies.

GlobalProtect Client HIP Notification Configuration Settings | Description

HIP Notification
  Add HIP Notifications and configure the options. You can Enable notifications for the Match Message, the Not Match Message, or both, and then specify whether to Show Notification As a System Tray Balloon or a Pop Up Message. Then specify the message to show on match or on no match.
  Use these settings to notify the end user about the state of the machine, such as a warning message that the host system does not have a required application installed. For the Match Message, you can also enable the option to Include Mobile App List to indicate what applications triggered the HIP match.
  You can format HIP notification messages in rich HTML, which can include links to external websites and resources. Click the hyperlink icon in the rich text settings toolbar to add links.

Satellite Configuration Tab

A satellite is a Palo Alto Networks firewall, typically at a branch office, that acts as a GlobalProtect agent to enable it to establish VPN connectivity to a GlobalProtect gateway. Select Network > GlobalProtect > Gateways > Satellite Configuration to define the gateway tunnel and network settings that enable the satellites to establish VPN connections with it. You can also configure routes advertised by the satellites.
- Tunnel Settings tab
- Network Settings tab
- Route Filter tab

GlobalProtect Gateway Satellite Configuration Settings | Description

Tunnel Settings tab

Tunnel Configuration
  Select Tunnel Configuration and select an existing Tunnel Interface, or select New Tunnel Interface from the drop-down. See Network > Interfaces > Tunnel for more information.
  - Replay attack detection: Protect against replay attacks.
  - Copy TOS: Copy the Type of Service (ToS) header from the inner IP header to the outer IP header of the encapsulated packets to preserve the original ToS information.
  - Configuration refresh interval (hours): Specify how often satellites should check the portal for configuration updates (range is 1-48; default is 2).

Tunnel Monitoring
  Select Tunnel Monitoring to enable the satellites to monitor gateway tunnel connections, allowing them to fail over to a backup gateway if the connection fails.
  - Destination Address: Specify an IPv4 or IPv6 address that the tunnel monitor will use to determine if there is connectivity to the gateway (for example, an IP address on the network protected by the gateway). Alternatively, if you configured an IP address for the tunnel interface, you can leave this field blank and the tunnel monitor will instead use the tunnel interface to determine if the connection is active.
  - Tunnel Monitor Profile: Failover to another gateway is the only type of tunnel monitoring profile supported with LSVPN.

Crypto Profiles
  Select an IPSec Crypto Profile or create a new one. A crypto profile determines the protocols and algorithms for identification, authentication, and encryption for the VPN tunnels. Because both tunnel endpoints in an LSVPN are trusted firewalls within your organization, you typically use the default profile, which uses the ESP protocol, DH group 2, AES-128-CBC encryption, and SHA1 authentication. See Network > Network Profiles > GlobalProtect IPSec Crypto for more details.

Network Settings tab

Inheritance Source
  Select a source to propagate DNS server and other settings from the selected DHCP client or PPPoE client interface into the GlobalProtect satellite configuration. With this setting, all network configuration, such as DNS servers, is inherited from the configuration of the interface selected in the Inheritance Source.

Primary DNS / Secondary DNS
  Enter the IP addresses of the primary and secondary servers that provide DNS to the satellites.

DNS Suffix
  Click Add to enter a suffix that the satellite should use locally when an unqualified hostname is entered that it cannot resolve. You can enter multiple suffixes by separating them with commas.

Inherit DNS Suffix
  Select this option to send the DNS suffix to the satellites to use locally when an unqualified hostname is entered that it cannot resolve.

IP Pool
  Add a range of IP addresses to assign to the tunnel interface on satellites upon establishment of the VPN tunnel. You can specify IPv6 or IPv4 addresses.
  The IP pool must be large enough to support all concurrent connections. IP address assignment is dynamic and not retained after the satellite disconnects. Configuring multiple ranges from different subnets will allow the system to offer satellites an IP address that does not conflict with other interfaces on the satellites.
  The servers and routers in the networks must route the traffic for this IP pool to the firewall. For example, for the 192.168.0.0/16 network, a satellite can be assigned the address 192.168.0.10.
  If you are using dynamic routing, make sure that the IP address pool you designate for satellites does not overlap with the IP addresses you manually assigned to the tunnel interfaces on your gateways and satellites.

Access Route
  Click Add and then enter routes as follows:
  - If you want to route all traffic from the satellites through the tunnel, leave this field blank.
  - To route only some traffic through the gateway (called split tunneling), specify the destination subnets that must be tunneled. In this case, the satellite routes traffic that is not destined for a specified access route by using its own routing table. For example, you can choose to tunnel only the traffic destined for your corporate network and use the local satellite to enable safe Internet access.
  - If you want to enable routing between satellites, enter the summary route for the network protected by each satellite.

Route Filter tab

Enable Accept published routes to accept routes advertised by the satellite into the gateway's routing table. If you do not select this option, the gateway does not accept any routes advertised by the satellites.
If you want to be more restrictive about accepting the routes advertised by the satellites, Add Permitted subnets and define the subnets from which the gateway may accept routes; subnets advertised by the satellites that are not part of the list are filtered out. For example, if all the satellites are configured with 192.168.x.0/24 subnets on the LAN side, you can configure a permitted subnet of 192.168.0.0/16 on the gateway. This configuration causes the gateway to accept the routes from the satellites only if they are within the 192.168.0.0/16 subnet.
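The Route Filter acceptance rule just described, together with the IP Pool overlap caveat from the Network Settings tab above, as an added example (this is not code from the PAN-OS guide or from Palo Alto Networks). The advertised routes, permitted subnets, pools and tunnel interface addresses are constructed sample values; the gateway's behaviour is modelled as plain prefix containment.

```python
"""Added example (not from the PAN-OS guide): the Route Filter tab's acceptance
rule for satellite-advertised routes, and the IP Pool overlap check the guide
asks for when dynamic routing is in use.

Assumptions: every list below is constructed; the gateway routing table is
modelled as a list of prefixes, not as the firewall's real data structures.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple


def filter_published_routes(advertised: List[str], accept_published: bool,
                            permitted_subnets: List[str]) -> Tuple[List[str], List[str]]:
    """Split satellite-advertised routes into (accepted, filtered_out).

    Accept published routes cleared  -> nothing is accepted.
    Accept set, no Permitted subnets -> every advertised route is accepted.
    Accept set with Permitted subnets -> a route is accepted only if it lies
    within one of the permitted subnets; all others are filtered out.
    """
    if not accept_published:
        return [], list(advertised)
    if not permitted_subnets:
        return list(advertised), []

    permitted = [ip_network(p) for p in permitted_subnets]
    accepted, filtered = [], []
    for route in advertised:
        net = ip_network(route)
        # subnet_of raises on mixed IP versions, so compare versions first
        if any(net.version == p.version and net.subnet_of(p) for p in permitted):
            accepted.append(route)
        else:
            filtered.append(route)
    return accepted, filtered


def pool_conflicts(ip_pools: List[str], tunnel_interface_ips: List[str]) -> List[Tuple[str, str]]:
    """Return (pool, address) pairs where a manually assigned tunnel interface
    address falls inside a satellite IP pool. The guide says such overlap must
    be avoided when dynamic routing is used."""
    conflicts = []
    for pool in ip_pools:
        pool_net = ip_network(pool)
        for addr in tunnel_interface_ips:
            a = ip_address(addr)
            if a.version == pool_net.version and a in pool_net:
                conflicts.append((pool, addr))
    return conflicts


if __name__ == "__main__":
    # Constructed scenario from the guide's example: satellites advertise their
    # 192.168.x.0/24 LANs, the gateway permits only 192.168.0.0/16.
    advertised = ["192.168.10.0/24", "192.168.20.0/24", "10.5.0.0/16"]
    accepted, dropped = filter_published_routes(advertised, True, ["192.168.0.0/16"])
    print("accepted:", accepted)
    print("filtered:", dropped)
    # Pool 192.168.0.0/16 versus a tunnel interface someone addressed by hand.
    print("conflicts:", pool_conflicts(["192.168.0.0/16"], ["192.168.0.1", "10.0.0.1"]))
```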

Network > GlobalProtect > MDM

If you are using a Mobile Security Manager to manage end-user mobile devices and you are using HIP-enabled policy enforcement, you must configure the gateway to communicate with the Mobile Security Manager to retrieve the HIP reports for the managed devices.
For more detailed information on setting up the GlobalProtect Mobile Security Manager service, refer to Set Up the GlobalProtect Mobile Security Manager in the GlobalProtect Administrator's Guide, Version 6.2. For detailed step-by-step instructions for setting up the gateway to retrieve the HIP reports on the GlobalProtect Mobile Security Manager, refer to Enable Gateway Access to the GlobalProtect Mobile Security Manager.
Add MDM information for the Mobile Security Manager to enable the gateway to communicate with the Mobile Security Manager.

GlobalProtect MDM Settings | Description

Name
  Enter a name for the Mobile Security Manager (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location
  For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the Mobile Security Manager is available. For a firewall that is not in multi-vsys mode, the Location field does not appear in the MDM dialog. After you save the Mobile Security Manager, you cannot change its Location.

Connection Settings

Server
  Enter the IP address or FQDN of the interface on the Mobile Security Manager where the gateway connects to retrieve HIP reports. Ensure that you have a service route to this interface.

Connection Port
  The connection port is where the Mobile Security Manager listens for HIP report requests. The default port is 5008, which is the same port on which the GlobalProtect Mobile Security Manager listens. If you are using a third-party Mobile Security Manager, enter the port number on which that server listens for HIP report requests.

Client Certificate
  Choose the client certificate for the gateway to present to the Mobile Security Manager when it establishes an HTTPS connection. This certificate is required only if the Mobile Security Manager is configured to use mutual authentication.

Trusted Root CA
  Click Add and then select the root CA certificate that was used to issue the certificate for the interface where the gateway connects to retrieve HIP reports. (This server certificate can be different from the certificate issued for the device check-in interface on the Mobile Security Manager.) You must import the root CA certificate and add it to this list.

Network > GlobalProtect > Block List

Select Network > GlobalProtect > Device Block List (firewall only) to add devices to the GlobalProtect device block list. Devices on this list are not permitted to establish a GlobalProtect VPN connection.

Device Block List Settings | Description

Name
  Enter a name for the device block list (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location
  For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the GlobalProtect gateway is available. For a firewall that is not in multi-vsys mode, the Location field does not appear in the GlobalProtect Gateway dialog. After you save the gateway configuration, you cannot change the Location.

Host ID
  Enter the unique ID that identifies the client, a combination of hostname and unique device ID. For each Host ID, specify the corresponding Hostname.

Hostname
  Enter a hostname to identify the device (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Network > GlobalProtect > Clientless Apps

Select Network > GlobalProtect > Clientless Apps to add applications that are accessible through the GlobalProtect Clientless VPN. You can add individual clientless applications and then select Network > GlobalProtect > Clientless App Groups to define application groups.
GlobalProtect Clientless VPN provides secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies. Users have the advantage of secure access from SSL-enabled web browsers without installing GlobalProtect client software. This is useful when you need to enable partner or contractor access to applications and to safely enable unmanaged assets, including personal devices.
You need the GlobalProtect Clientless VPN dynamic updates to use this feature. This feature also requires you to install a GlobalProtect subscription on the firewall that hosts the Clientless VPN from the GlobalProtect portal.

Clientless Apps Settings | Description

Name
  Enter a descriptive name for the application (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Location
  For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the GlobalProtect gateway is available. For a firewall that is not in multi-vsys mode, the Location field does not appear in the GlobalProtect Gateway dialog. After you save the gateway configuration, you cannot change the Location.

Application Home URL
  Enter the URL where the application is located (up to 4095 characters).

Application Description
  (Optional) Enter a description of the application (up to 255 characters). Use only letters, numbers, spaces, hyphens, and underscores.

Application Icon
  (Optional) Upload an icon to identify the application on the published application page. You can browse to upload the icon.

Network > GlobalProtect > Clientless App Groups

Select Network > GlobalProtect > Clientless App Groups to group applications that are accessible through the GlobalProtect Clientless VPN. You can add existing clientless applications to a group or configure new clientless applications for the group. Groups are useful for working with multiple applications at the same time. For example, you might have a standard set of SaaS applications (such as Workday, JIRA, or Bugzilla) that you want to configure for Clientless VPN access.

Clientless App Groups Settings | Description

Name
  Enter a descriptive name for the application group (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.

Location
  For a firewall that is in multiple virtual system mode, the Location is the virtual system (vsys) where the GlobalProtect gateway is available. For a firewall that is not in multi-vsys mode, the Location field does not appear in the GlobalProtect Gateway dialog. After you save the gateway configuration, you cannot change the Location.

Applications
  Add an Application from the drop-down or configure a new clientless application and add it to the group. To configure a new clientless application, refer to Network > GlobalProtect > Clientless Apps.

Objects > GlobalProtect > HIP Objects

Select Objects > GlobalProtect > HIP Objects to define objects for a host information profile (HIP). HIP objects provide the matching criteria for filtering the raw data reported by an agent or app that you want to use to enforce policy. For example, if the raw host data includes information about several antivirus packages on a client, you might be interested in a particular application because your organization requires that package. For this scenario, you create a HIP object to match the specific application you want to enforce.
The best way to determine the HIP objects you need is to determine how you will use the host information to enforce policy. Keep in mind that the HIP objects are merely building blocks that allow you to create the HIP profiles that your security policies can use. Therefore, you may want to keep your objects simple, matching on one thing, such as the presence of a particular type of required software, membership in a specific domain, or the presence of a specific client OS. With this approach, you have the flexibility to create a very granular, HIP-augmented policy.
To create a HIP object, click Add to open the HIP Object dialog. For a description of what to enter in a specific field, see the tables that follow.
- General Tab
- Mobile Device Tab
- Patch Management Tab
- Firewall Tab
- Antivirus Tab
- Anti-Spyware Tab
- Disk Backup Tab
- Disk Encryption Tab
- Data Loss Prevention Tab
- Custom Checks Tab
For more detailed information on creating HIP-augmented security policies, refer to Configure HIP-Based Policy Enforcement in the GlobalProtect Administrator's Guide.

General Tab

Select Objects > GlobalProtect > HIP Objects > General to specify a name for the new HIP object and configure the object to match against general host information such as domain, operating system, or the type of network connectivity it has.

HIP Object General Settings | Description

Name
  Enter a name for the HIP object (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Shared
  If you select Shared, the current HIP object becomes available to:
  - Every virtual system (vsys) on the firewall, if you are logged in to a firewall that is in multiple virtual system mode. If you clear this selection, the object will be available to only the vsys selected in the Virtual System drop-down of the Objects tab. For a firewall that is not in multi-vsys mode, this option is not available in the HIP Object dialog.
  - All device groups on Panorama. If you clear this selection, the object will be available only to the device group selected in the Device Group drop-down of the Objects tab.
  After you save the object, you cannot change its Shared setting. Select Objects > GlobalProtect > HIP Objects to see the current Location.

Description
  (Optional) Enter a description.

Disable override (Panorama only)
  Controls override access to the HIP object in the device groups that are descendants of the Device Group selected in the Objects tab. Select this option to prevent administrators from creating local copies of the object in descendant device groups by overriding its inherited values. This option is cleared by default (override is enabled).

Host Info
  Select this option to activate the options for configuring the host information.

Domain
  To match on a domain name, choose an operator from the drop-down and enter a string to match.

OS
  To match on a host OS, choose Contains from the first drop-down, select a vendor from the second drop-down, and then select an OS version from the third drop-down; or you can select All to match on any OS version from the selected vendor.

Client Versions
  To match on a specific version number, select an operator from the drop-down and then enter a string to match (or not match) in the text box.

Host Name
  To match on a specific hostname or part of a hostname, select an operator from the drop-down and then enter a string to match (or not match, depending on what operator you selected) in the text box.

Host ID
  The host ID is a unique ID that GlobalProtect assigns to identify the host. The host ID value varies by device type:
  - Windows: Machine GUID stored in the Windows registry (HKEY_Local_Machine\Software\Microsoft\Cryptography\MachineGuid)
  - macOS: MAC address of the first built-in physical network interface
  - Android: Android ID
  - iOS: UDID
  - Chrome: GlobalProtect-assigned unique alphanumeric string with a length of 32 characters
  To match on a specific host ID, select the operator from the drop-down and then enter a string to match (or not match, depending on what operator you selected) in the text box.

Network
  Use this field to enable filtering on a specific mobile device network configuration. This match criterion applies to mobile devices only.
  Select an operator from the drop-down and then select the type of network connection to filter on from the second drop-down: Wifi, Mobile, Ethernet (available only for Is Not filters), or Unknown. After you select a network type, enter any additional strings to match on, if available, such as the Mobile Carrier or Wifi SSID.

Mobile Device Tab

Select Objects > GlobalProtect > HIP Objects > Mobile Device to enable HIP matching on data collected from mobile devices that run the GlobalProtect app.

HIP Object Mobile Device Settings | Description

Mobile Device
  Select this option to enable filtering on host data collected from mobile devices that are running the GlobalProtect app and to enable the Device, Settings, and Apps tabs.

Device tab
  - Serial Number: To match on all or part of a device serial number, choose an operator from the drop-down and enter a string to match.
  - Model: To match on a particular device model, choose an operator from the drop-down and enter a string to match.
  - Tag: To match on a tag value defined on the GlobalProtect Mobile Security Manager, choose an operator from the first drop-down and then select a tag from the second drop-down.
  - Phone Number: To match on all or part of a device phone number, choose an operator from the drop-down and enter a string to match.
  - IMEI: To match on all or part of a device International Mobile Equipment Identity (IMEI) number, choose an operator from the drop-down and enter a string to match.

Settings tab
  - Passcode: Filter based on whether the device has a passcode set. To match devices that have a passcode set, select Yes. To match devices that do not have a passcode set, select No.
  - Device Managed: Filter based on whether the device is managed by an MDM. To match devices that are managed, select Yes. To match devices that are not managed, select No.
  - Rooted/Jailbroken: Filter based on whether the device has been rooted or jailbroken. To match devices that have been rooted or jailbroken, select Yes. To match devices that have not been rooted or jailbroken, select No.
  - Disk Encryption: Filter based on whether the device data has been encrypted. To match devices that have disk encryption enabled, select Yes. To match devices that do not have disk encryption enabled, select No.
  - Time Since Last Check-in: Filter based on when the device last checked in with the MDM. Select an operator from the drop-down and then specify the number of days for the check-in window. For example, you could define the object to match devices that have not checked in within the last 5 days.

Apps tab
  - Apps (Android devices only): Select this option to enable filtering based on the apps that are installed on the device and whether or not the device has any malware-infected apps installed.
  Criteria tab
  - Has Malware: Select Yes to match devices that have malware-infected apps installed. Select No to match devices that do not have malware-infected apps installed. Select None to not use Has Malware as match criteria.
  Include tab
  - Package: To match devices that have specific apps installed, Add an app, enter the unique app name in reverse DNS format (for example, com.netflix.mediaclient), and then enter the corresponding app Hash, which the GlobalProtect app calculates and submits with the device HIP report.

Patch Management Tab

Select Objects > GlobalProtect > HIP Objects > Patch Management to enable HIP matching on the patch status of the GlobalProtect clients.

PaloAltoNetworks,Inc. PANOS8.0WebInterfaceReferenceGuide 581


Objects>GlobalProtect>HIPObjects GlobalProtect

HIPObjectPatch Description
ManagementSettings

PatchManagement Selectthisoptiontoenablematchingonthepatchmanagementstatusofthe
hostandenabletheCriteriaandVendortabs.

Criteriatab Specifythefollowingsettings:
Is InstalledMatchonwhetherpatchmanagementsoftwareisinstalled
onthehost.
Is EnabledMatchonwhetherpatchmanagementsoftwareisenabledon
thehost.IftheIs Installedselectioniscleared,thisfieldisautomatically
settononeandisdisabledforediting.
SeveritySelectfromthelistoflogicaloperatorsformatchingon
whetherthehosthasmissingpatchesofthespecifiedseveritynumber.
CheckMatchonwhethertheendpointhasmissingpatches.
PatchesMatchonwhetherthehosthasspecificpatches.ClickAddand
enterfilenamesforthespecificpatchnamestocheckfor.

Vendortab Definespecificvendorsofpatchmanagementsoftwareandproductstolook
forontheendpointtodetermineamatch.ClickAddandthenchoosea
Vendorfromthedropdown.Optionally,clickAddtochooseaspecific
Product.ClickOKtosavethesettings.

FirewallTab

SelectObjects > GlobalProtect > HIP Objects > FirewalltoenableHIPmatchingbasedonthefirewallsoftware


statusoftheGlobalProtectclients.

HIP Object Firewall Settings

Select Firewall to enable matching on the firewall software status of the host:
- Is Installed: Match on whether firewall software is installed on the host.
- Is Enabled: Match on whether firewall software is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to none and is disabled for editing.
- Vendor and Product: Define specific firewall software vendors and/or products to look for on the host to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
- Exclude Vendor: Select this option to match hosts that do not have software from the specified vendor.

Antivirus Tab

Select Objects > GlobalProtect > HIP Objects > Antivirus to enable HIP matching based on the antivirus coverage on the GlobalProtect clients.


HIP Object Antivirus Settings

Select Antivirus to enable matching on the antivirus coverage on the host and then define additional matching criteria for the match as follows:
- Is Installed: Match on whether antivirus software is installed on the host.
- Real Time Protection: Match on whether real-time antivirus protection is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to None and is disabled for editing.
- Virus Definition Version: Match when the virus definitions have been updated within a specified number of days or release versions.
- Product Version: Match a specific version of the antivirus software. To specify a version, select an operator from the drop-down and then enter a string representing the product version.
- Last Scan Time: Match on the time that the last antivirus scan was run. Select an operator from the drop-down and then specify a number of Days or Hours to match against.
- Vendor and Product: Define specific antivirus software vendors and/or products to look for on the host to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
- Exclude Vendor: Select this option to match hosts that do not have software from the specified vendor.

Anti-Spyware Tab

Select Objects > GlobalProtect > HIP Objects > Anti-Spyware to enable HIP matching based on the anti-spyware coverage on the GlobalProtect clients.

HIP Object Anti-Spyware Settings

Select Anti-Spyware to enable matching on the anti-spyware coverage on the host and then define additional matching criteria for the match as follows:
- Real Time Protection: Match on whether real-time anti-spyware protection is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to none and is disabled for editing.
- Is Installed: Match on whether anti-spyware software is installed on the host.
- Virus Definition Version: Select an operator from the list and then enter the versions of virus definition to match. If the operator is Within or Not Within, specify a number of days or release versions.
- Product Version: Select an operator from the list and then enter the product version to match a specific version of anti-spyware software.
- Last Scan Time: Specify whether to match based on the time that the last anti-spyware scan ran. Select an operator and then specify a number of Days or Hours to match.
- Vendor and Product: Define specific anti-spyware software vendors or products to look for on the host to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
- Exclude Vendor: Select this option to match hosts that do not have software from the specified vendor.

Disk Backup Tab

Select Objects > GlobalProtect > HIP Objects > Disk Backup to enable HIP matching based on the disk backup status of the GlobalProtect clients.


HIP Object Disk Backup Settings

Select Disk Backup to enable matching on the disk backup status on the host and then define additional matching criteria for the match as follows:
- Is Installed: Match on whether disk backup software is installed on the host.
- Last Backup Time: Specify whether to match based on the time that the last disk backup was run. Select an operator from the drop-down and then specify a number of Days or Hours to match against.
- Vendor and Product: Define specific disk backup software vendors and products to match on the host. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
- Exclude Vendor: Select this option to match hosts that do not have software from the specified vendor.
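The Antivirus, Anti-Spyware and Disk Backup tabs above all combine the same kinds of criteria: an installed/enabled flag, a "within N days or hours" freshness test, a product version comparison and a vendor list that Exclude Vendor inverts. The following added example (not Palo Alto Networks code) evaluates such a HIP object against a constructed HIP report to show how those criteria compose, and in particular how a missing vendor entry and Exclude Vendor interact. The report fields, the criteria names, the version operator and every sample value are assumptions made for the illustration.

```python
"""Evaluate HIP object criteria of the kind on the Antivirus, Anti-Spyware and
Disk Backup tabs against a constructed HIP report.

Added example, not Palo Alto Networks code. The report fields, the criteria
names and the sample values are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple


@dataclass
class SoftwareReport:
    """One software category from a constructed endpoint HIP report."""
    vendor: str
    product: str
    installed: bool
    real_time_protection: bool
    definition_age_days: int      # days since the definitions were last updated
    product_version: str
    last_scan: datetime           # time of the last scan (or backup)


@dataclass
class Criteria:
    """Criteria as entered on the tab; None means the field is not matched on."""
    is_installed: Optional[bool] = None
    real_time_protection: Optional[bool] = None
    definitions_within_days: Optional[int] = None   # Virus Definition Version: Within N days
    last_scan_within_hours: Optional[int] = None    # Last Scan Time / Last Backup Time: Within N hours
    min_product_version: Optional[str] = None       # Product Version with a "greater or equal" operator
    vendors: Set[str] = field(default_factory=set)   # Vendor and Product entries
    exclude_vendor: bool = False                     # Exclude Vendor


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn "14.2.1" into (14, 2, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def matches(report: SoftwareReport, crit: Criteria, now: datetime) -> bool:
    """Return True when the report satisfies every criterion that is set."""
    if crit.is_installed is not None and report.installed != crit.is_installed:
        return False
    if crit.real_time_protection is not None and report.real_time_protection != crit.real_time_protection:
        return False
    if crit.definitions_within_days is not None and report.definition_age_days > crit.definitions_within_days:
        return False
    if crit.last_scan_within_hours is not None:
        if now - report.last_scan > timedelta(hours=crit.last_scan_within_hours):
            return False
    if crit.min_product_version is not None:
        if version_tuple(report.product_version) < version_tuple(crit.min_product_version):
            return False
    if crit.vendors:
        listed = report.vendor in crit.vendors
        # Normally the vendor must be listed; with Exclude Vendor it must not be.
        if listed == crit.exclude_vendor:
            return False
    return True


# Constructed sample data (vendor and product names are invented).
NOW = datetime(2017, 2, 6, 12, 0)
CURRENT_HOST = SoftwareReport("ExampleAV Ltd", "ExampleAV Endpoint", True, True, 2, "14.2.1",
                              NOW - timedelta(hours=5))
STALE_HOST = SoftwareReport("ExampleAV Ltd", "ExampleAV Endpoint", True, True, 12, "14.2.1",
                            NOW - timedelta(days=3))
OTHER_VENDOR_HOST = SoftwareReport("OtherAV Inc", "OtherAV Pro", True, False, 1, "9.0",
                                   NOW - timedelta(hours=1))

ANTIVIRUS_OBJECT = Criteria(is_installed=True, real_time_protection=True,
                            definitions_within_days=7, last_scan_within_hours=24,
                            min_product_version="14.0", vendors={"ExampleAV Ltd"})
NOT_OTHER_VENDOR = Criteria(vendors={"OtherAV Inc"}, exclude_vendor=True)


def evaluate_samples() -> dict:
    """Evaluate the sample hosts against the two sample HIP objects."""
    return {
        "current": matches(CURRENT_HOST, ANTIVIRUS_OBJECT, NOW),
        "stale": matches(STALE_HOST, ANTIVIRUS_OBJECT, NOW),
        "other_vendor": matches(OTHER_VENDOR_HOST, ANTIVIRUS_OBJECT, NOW),
        "exclude_vendor_other": matches(OTHER_VENDOR_HOST, NOT_OTHER_VENDOR, NOW),
        "exclude_vendor_current": matches(CURRENT_HOST, NOT_OTHER_VENDOR, NOW),
    }


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name}: {'match' if result else 'no match'}")
```

The version comparison is done on integer tuples deliberately: comparing "14.10" and "14.9" as strings would rank the older release higher, which is the kind of mistake that lets an out-of-date client satisfy a minimum-version object.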

Disk Encryption Tab

Select Objects > GlobalProtect > HIP Objects > Disk Encryption to enable HIP matching based on the disk encryption status of the GlobalProtect clients.

HIP Object Disk Encryption Settings

Disk Encryption: Select Disk Encryption to enable matching on the disk encryption status on the host.

Criteria: Specify the following settings:
- Is Installed: Match on whether disk encryption software is installed on the host.
- Encrypted Locations: Click Add to specify the drive or path to check for disk encryption when determining a match:
  - Encrypted Locations: Enter specific locations to check for encryption on the host.
  - State: Specify how to match the state of the encrypted location by choosing an operator from the drop-down and then selecting a possible state (full, none, partial, not-available).
  Click OK to save the settings.

Vendor: Define specific disk encryption software vendors and products to match on the endpoint. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings and return to the Disk Encryption tab.

Data Loss Prevention Tab

Select Objects > GlobalProtect > HIP Objects > Data Loss Prevention to configure HIP matching that is based on whether the GlobalProtect clients are running data loss prevention software.


HIP Object Data Loss Prevention Settings

Select Data Loss Prevention to enable matching on the data loss prevention (DLP) status on the host (Windows hosts only) and then define additional matching criteria for the match as follows:
- Is Enabled: Match on whether DLP software is enabled on the host. If the Is Installed selection is cleared, this field is automatically set to none and is disabled for editing.
- Is Installed: Match on whether DLP software is installed on the host.
- Vendor and Product: Define specific DLP software vendors and/or products to look for on the host to determine a match. Click Add and then choose a Vendor from the drop-down. Optionally, click Add to choose a specific Product. Click OK to save the settings.
- Exclude Vendor: Select this option to match hosts that do not have software from the specified vendor.

Custom Checks Tab

Select Objects > GlobalProtect > HIP Objects > Custom Checks to enable HIP matching on any custom checks you have defined on the GlobalProtect portal. For details on adding the custom checks to the HIP collection, see Network > GlobalProtect > Portals.

HIP Object Custom Checks Settings

Custom Checks: Select Custom Checks to enable matching on custom checks you defined on the GlobalProtect portal.

Process List: To check the host system for a specific process, click Add and then enter the process name. By default, the agent checks for running processes; if you just want to see if a specific process is present on the system even if not running, clear the Running selection.

Registry Key: To check Windows hosts for a specific registry key, click Add and enter the Registry Key to match. To match only the hosts that lack the specified registry key or the key's value, mark the Key does not exist or match the specified value data box.
To match on specific values, click Add and then enter the Registry Value and Value Data. To match hosts that explicitly do not have the specified value or value data, select Negate.
Click OK to save the settings.

Plist: To check Mac hosts for a specific entry in the property list (plist), click Add and enter the Plist name. To match only the hosts that do not have the specified plist, select Plist does not exist.
To match on a specific key-value pair within the plist, click Add and then enter the Key and the corresponding Value to match. To match hosts that explicitly do not have the specified key or value, select Negate.
Click OK to save the settings.
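The Process List, Registry Key and Plist checks each have a positive form and one or two negative forms (the Running box, the Key does not exist or match the specified value data box, Plist does not exist, and the per-value Negate), and it is easy to build a check that matches the opposite population from the one intended. The following added example (not Palo Alto Networks code) evaluates the three check types against a constructed host state so the combinations can be tried out. The host-state layout, the check and process names, the registry path and the plist name are all assumptions; reading the Key does not exist or match box as the logical inverse of the normal key match is also an assumption.

```python
"""Evaluate Custom Checks (Process List, Registry Key, Plist) against a constructed
host state.

Added example, not Palo Alto Networks code. The host-state layout, the check
names and the sample values are assumptions; reading the "Key does not exist or
match the specified value data" box as the inverse of the normal key match is
also an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HostState:
    processes: Dict[str, bool]            # process name -> currently running?
    registry: Dict[str, Dict[str, str]]   # key path -> {value name: value data}
    plists: Dict[str, Dict[str, str]]     # plist name -> {key: value}


@dataclass
class ProcessCheck:
    name: str
    running: bool = True   # the Running box, selected by default


@dataclass
class ValueCheck:
    name: str              # Registry Value, or plist Key
    data: str              # Value Data, or plist Value
    negate: bool = False   # Negate: match hosts that explicitly lack this value


@dataclass
class RegistryCheck:
    key: str
    values: List[ValueCheck] = field(default_factory=list)
    key_missing_or_mismatch: bool = False   # "Key does not exist or match the specified value data"


@dataclass
class PlistCheck:
    name: str
    pairs: List[ValueCheck] = field(default_factory=list)
    plist_missing: bool = False             # "Plist does not exist"


def _values_match(actual: Optional[Dict[str, str]], wanted: List[ValueCheck]) -> bool:
    """All value checks hold: present-and-equal normally, absent-or-different when negated."""
    if actual is None:          # the key or plist itself is absent
        return False
    for check in wanted:
        present = actual.get(check.name) == check.data
        if present == check.negate:
            return False
    return True


def process_matches(host: HostState, check: ProcessCheck) -> bool:
    """Running selected: the process must be running; cleared: present is enough."""
    if check.name not in host.processes:
        return False
    return host.processes[check.name] or not check.running


def registry_matches(host: HostState, check: RegistryCheck) -> bool:
    normal = _values_match(host.registry.get(check.key), check.values)
    return (not normal) if check.key_missing_or_mismatch else normal


def plist_matches(host: HostState, check: PlistCheck) -> bool:
    if check.plist_missing:
        return check.name not in host.plists
    return _values_match(host.plists.get(check.name), check.pairs)


# Constructed host state (process, key and plist names are invented).
HOST = HostState(
    processes={"example-edr.exe": True, "backup-agent.exe": False},
    registry={r"HKLM\SOFTWARE\ExampleEDR": {"Enabled": "1", "Tamper": "0"}},
    plists={"com.example.edr.plist": {"RealTime": "true"}},
)

if __name__ == "__main__":
    key = r"HKLM\SOFTWARE\ExampleEDR"
    print(process_matches(HOST, ProcessCheck("backup-agent.exe")))           # present but not running
    print(registry_matches(HOST, RegistryCheck(key, [ValueCheck("Enabled", "1")])))
    print(plist_matches(HOST, PlistCheck("com.other.plist", plist_missing=True)))
```

Note the asymmetry the example makes visible: a value check with Negate is satisfied by a host that lacks the key entirely only when the Key does not exist or match box is also set, because the negated value test is never reached when the key is absent.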


Objects > GlobalProtect > HIP Profiles

Select Objects > GlobalProtect > HIP Profiles to create the HIP profiles (a collection of HIP objects to be evaluated together, either for monitoring or for Security policy enforcement) that you use to set up HIP-enabled security policies. When creating HIP profiles, you can combine the HIP objects you previously created (as well as other HIP profiles) by using Boolean logic, so that when a traffic flow is evaluated against the resulting HIP profile, it will either match or not match. Upon a match, the corresponding policy rule is enforced; if there is no match, the flow is evaluated against the next rule (as with any other policy matching criteria).
To create a HIP profile, click Add. The following table provides information on what to enter in the fields in the HIP Profile dialog. For more detailed information on setting up GlobalProtect and the workflow for creating HIP-augmented security policies, refer to Configure HIP-Based Policy Enforcement in the GlobalProtect Administrator's Guide.

HIP Profile Settings

Name: Enter a name for the profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description: (Optional) Enter a description.

Shared: Select Shared to make the current HIP profile available to:
- Every virtual system (vsys) on the firewall, if you are logged in to a firewall that is in multiple virtual system mode. If you clear this selection, the profile is available only to the vsys selected in the Virtual System drop-down on the Objects tab. For a firewall that is not in multi-vsys mode, this option does not appear in the HIP Profile dialog.
- All device groups on Panorama. If you clear this selection, the profile is available only to the device group selected in the Device Group drop-down on the Objects tab.
After you save the profile, you cannot change its Shared setting. Select Objects > GlobalProtect > HIP Profiles to view the current Location.

Disable override (Panorama only): Controls override access to the HIP profile in device groups that are descendants of the Device Group selected in the Objects tab. Select this option if you want to prevent administrators from creating local copies of the profile in descendant device groups by overriding its inherited values. This option is cleared by default (override is enabled).


Match: Click Add Match Criteria to open the HIP Objects/Profiles Builder.
Select the first HIP object or profile you want to use as match criteria and then add ( ) it to the Match text box on the HIP Objects/Profiles Builder dialog. Keep in mind that if you want the HIP profile to evaluate the object as a match only when the criteria in the object is not true for a flow, select NOT before adding the object.
Continue adding match criteria as appropriate for the profile you are building, and ensure you select the appropriate Boolean operator (AND or OR) between each addition (and using the NOT operator when appropriate). To create a complex Boolean expression, you must manually add the parentheses in the proper places in the Match text box to ensure that the HIP profile is evaluated using the intended logic. For example, the following expression indicates that the HIP profile will match traffic from a host that has either FileVault disk encryption (for Mac OS systems) or TrueCrypt disk encryption (for Windows systems) and also belongs to the required Domain and has a Symantec antivirus client installed:

    ((MacOS and FileVault) or (Windows and TrueCrypt)) and Domain and SymantecAV

When you have finished adding the objects and profiles to the new HIP profile, click OK.
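To see why the guide insists on placing the parentheses yourself, it helps to evaluate the Match expression mechanically. The following added example (not Palo Alto Networks code, and not the firewall's own evaluator) is a small recursive-descent evaluator for expressions built from HIP object names, AND, OR, NOT and parentheses. It uses the expression from the guide; the per-host object results are constructed, and the precedence NOT > AND > OR that it applies to an unparenthesized expression is an assumption made only so that the difference from the parenthesized form can be shown.

```python
"""Evaluate a HIP profile Match expression (AND, OR, NOT, parentheses) against
the per-object match results for one host.

Added example, not Palo Alto Networks code. The object names come from the
expression in the guide; the per-host results and the precedence NOT > AND > OR
applied to unparenthesized input are assumptions."""
import re
from typing import Dict, List

TOKEN = re.compile(r"\(|\)|[A-Za-z0-9_\-.]+")
KEYWORDS = {"and", "or", "not"}


def tokenize(expression: str) -> List[str]:
    """Split the expression into parentheses, keywords and HIP object names."""
    leftover = TOKEN.sub("", expression).strip()
    if leftover:
        raise ValueError(f"unexpected characters in expression: {leftover!r}")
    return TOKEN.findall(expression)


class _Parser:
    """Recursive descent: or_expr := and_expr (OR and_expr)*, and so on down."""

    def __init__(self, tokens: List[str], results: Dict[str, bool]):
        self.tokens, self.results, self.pos = tokens, results, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def or_expr(self) -> bool:
        value = self.and_expr()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            rhs = self.and_expr()   # always parsed, so syntax errors surface
            value = value or rhs
        return value

    def and_expr(self) -> bool:
        value = self.not_expr()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            rhs = self.not_expr()
            value = value and rhs
        return value

    def not_expr(self) -> bool:
        if self.peek() is not None and self.peek().lower() == "not":
            self.take()
            return not self.not_expr()
        return self.atom()

    def atom(self) -> bool:
        tok = self.take()
        if tok is None:
            raise ValueError("expression ends unexpectedly")
        if tok == "(":
            value = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok == ")" or tok.lower() in KEYWORDS:
            raise ValueError(f"unexpected token {tok!r}")
        if tok not in self.results:
            raise KeyError(f"no HIP object or profile named {tok!r}")
        return self.results[tok]


def hip_profile_matches(expression: str, object_results: Dict[str, bool]) -> bool:
    """True when the host's per-object results satisfy the profile expression."""
    parser = _Parser(tokenize(expression), object_results)
    value = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return value


# The expression from the guide, the same expression without its parentheses,
# and constructed per-object results for two hosts.
PROFILE = "((MacOS and FileVault) or (Windows and TrueCrypt)) and Domain and SymantecAV"
UNPARENTHESIZED = "MacOS and FileVault or Windows and TrueCrypt and Domain and SymantecAV"
MAC_HOST = {"MacOS": True, "FileVault": True, "Windows": False, "TrueCrypt": False,
            "Domain": True, "SymantecAV": True}
MAC_HOST_OFF_DOMAIN = dict(MAC_HOST, Domain=False)

if __name__ == "__main__":
    print("mac host, intended expression:", hip_profile_matches(PROFILE, MAC_HOST))
    print("mac host off domain, intended:", hip_profile_matches(PROFILE, MAC_HOST_OFF_DOMAIN))
    print("mac host off domain, no parens:", hip_profile_matches(UNPARENTHESIZED, MAC_HOST_OFF_DOMAIN))
```

With the parentheses in place, the Mac host that is not domain-joined does not match; without them, the Domain and SymantecAV terms attach only to the Windows branch and the same host matches, which is exactly the kind of silently over-permissive profile the guide's instruction guards against.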


Device > GlobalProtect Client

What are you looking for? See:
- View more information about the GlobalProtect agent software releases: Managing the GlobalProtect Agent Software
- Install the GlobalProtect agent software: Setting Up the GlobalProtect Agent
- Use the GlobalProtect agent software: Using the GlobalProtect Agent
- Looking for more? For detailed, step-by-step instructions on setting up the GlobalProtect client software, refer to Deploy the GlobalProtect Client Software in the GlobalProtect Administrator's Guide.

Managing the GlobalProtect Agent Software

Select Device > GlobalProtect Client (firewall only) to download and activate the GlobalProtect agent software on the firewall that hosts the portal. Thereafter, endpoints that connect to the portal download the agent software. In the agent configurations you specify on the portal, you define how and when the portal pushes software to endpoints. Your configuration determines whether upgrades occur automatically when the agent connects, whether end users are prompted to upgrade, or whether upgrading is prohibited for all or a particular set of users. See Allow User to Upgrade GlobalProtect App for more details. For details on the options for distributing the GlobalProtect agent software and for step-by-step instructions for deploying the software, refer to Deploy the GlobalProtect Client Software in the GlobalProtect Administrator's Guide.

For the initial download and installation of the GlobalProtect agent, the user of the client endpoint must be logged in with administrator rights. For subsequent upgrades, administrator rights are not required.

GlobalProtect Client Settings

Version: The version number of the GlobalProtect agent software that is available on the Palo Alto Networks Update Server. To see if a new agent software release is available from Palo Alto Networks, click Check Now. The firewall uses its service route to connect to the Update Server to determine if new versions are available and displays them at the top of the list.

Size: The size of the agent software bundle.

Release Date: The date and time Palo Alto Networks made the release available.

Downloaded: A check mark in this column indicates that the corresponding version of the agent software package has been downloaded to the firewall.

Currently Activated: A check mark in this column indicates that the corresponding version of the agent software package has been activated on the firewall and can be downloaded by connecting agents. Only one version of the software can be activated at a time.


Action: Indicates the current action you can take for the corresponding agent software package as follows:
- Download: The corresponding agent software version is available on the Palo Alto Networks Update Server. Click Download to initiate the download. If the firewall does not have access to the Internet, use an Internet-connected computer to go to the Software Update site to look for and Download new agent software versions to your local computer. Then manually Upload the agent software to the firewall.
- Activate: The corresponding agent software version has been downloaded to the firewall, but agents cannot yet download it. Click Activate to activate the software and enable agent upgrade. To activate a software update you manually uploaded to the firewall, click Activate From File and select the version you want to activate from the drop-down (you may need to refresh the screen for it to show as Currently Activated).
- Reactivate: The corresponding agent software has been activated and is ready for the client to download. Because only one version of the GlobalProtect agent software can be active on the firewall at one time, if your end users require access to a different version than is currently active, you have to Activate the other version to make it the Currently Active version.

Release Note: Provides a link to the GlobalProtect release notes for the corresponding agent version.

( ): Remove the previously downloaded agent software image from the firewall.

Setting Up the GlobalProtect Agent

The GlobalProtect agent (PanGPAgent) is an application that is installed on the client system (typically a laptop) to support GlobalProtect connections with portals and gateways and is supported by the GlobalProtect service (PanGPService).

Be sure to choose the correct installation option for your host operating system (32-bit or 64-bit). If you are installing on a 64-bit host, use the 64-bit browser and Java combination for the initial installation.

To install the agent, open the installer file and follow the on-screen instructions.


Using the GlobalProtect Agent

The tabs in the GlobalProtect agent contain useful information about status and settings and provide information to assist in troubleshooting connection issues.
- Home tab: Allows users to change the portal IP address or host name and enter their authentication credentials. Also displays current connection status and lists any warnings or errors.
- Details tab: Displays information about the current connection, including portal IP addresses and protocol, and presents byte and packet statistics about the network connection.
- Host State tab: Displays the information stored in the HIP. Click a category on the left side of the window to display the configured information for that category on the right side of the window.
- Troubleshooting tab: Displays information to assist in troubleshooting.
  - Network Configurations: Displays the current client system configuration.
  - Routing Table: Displays information on how the GlobalProtect connection is currently routed.
  - Sockets: Displays socket information for the current active connections.
  - Logs: Allows the user to display logs for the GlobalProtect agent (PanGPAgent) and service (PanGPService). Choose the log type and debugging level. Click Start to begin logging and Stop to terminate logging.



Panorama Web Interface

Panorama is the centralized management system for the Palo Alto Networks family of next-generation firewalls. Panorama provides a single location from where you can oversee all applications, users, and content on your network and then use this knowledge to create policies that control and protect your network. Using Panorama for centralized policy and firewall management increases your operational efficiency as you manage your distributed firewall network. Panorama is available both as a dedicated hardware (M-Series) appliance and as a VMware virtual appliance (running on an ESXi server or the vCloud Air platform).
While many Panorama web interface views and settings are identical to those you see on the firewall web interface, the following topics describe options available exclusively on the Panorama web interface for managing Panorama, firewalls, and Log Collectors.
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Managed WildFire Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Managed Devices
- Panorama > Templates
- Panorama > Device Groups
- Panorama > Managed Collectors
- Panorama > Collector Groups
- Panorama > Plugins
- Panorama > VMware NSX
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Scheduled Config Export
- Panorama > Software
- Panorama > Device Deployment
- Looking for more? See the Panorama Administrator's Guide for details on setting up and using Panorama for centralized management.


Use the Panorama Web Interface

The web interface on both Panorama and the firewall has the same look and feel. However, the Panorama web interface includes additional options and a Panorama-specific tab for managing Panorama and for using Panorama to manage firewalls and Log Collectors.
The following common fields appear in the header or footer of several Panorama web interface pages.

Common Fields

Context: You can use the Context drop-down above the left-side menu to switch between the Panorama web interface and a firewall web interface (see Context Switch).

Refresh ( ): In the Dashboard and Monitor tabs, click refresh ( ) in the tab header to manually refresh data in those tabs. You can also use the unlabeled drop-down on the right side of the tab header to select an automatic refresh interval in minutes (1 min, 2 mins, or 5 mins); to disable automatic refreshing, select Manual.

Access Domain: An access domain defines access to specific device groups, templates, and individual firewalls (through the Context drop-down). If you log in as an administrator with multiple access domains assigned to your account, the Dashboard, ACC, and Monitor tabs display information (such as log data) only for the Access Domain you select in the footer of the web interface.
If only one access domain is assigned to your account, the web interface does not display the Access Domain drop-down.

Device Group: A device group comprises firewalls and virtual systems that you manage as a group (see Panorama > Device Groups). The Dashboard, ACC, and Monitor tabs display information (such as log data) only for the Device Group you select in the tab header. In the Policies and Objects tabs, you can configure settings for a specific Device Group or for all device groups (select Shared).

Template: A template is a group of firewalls with common network and device settings, and a template stack is a combination of templates (see Panorama > Templates). In the Network and Device tabs, you configure settings for a specific Template or template stack. Because you can edit settings only within individual templates, the settings in these tabs are read-only if you select a template stack.

View by: Device and Mode: By default, the Network and Device tabs display the settings and values available to firewalls that are in normal operational mode and that support multiple virtual systems and VPNs. However, you can use the following options to filter the tabs to display only the mode-specific settings you want to edit:
- In the Mode drop-down, select or clear the Multi VSYS, Operational Mode, and VPN Mode options.
- Set all the mode options to reflect the mode configuration of a particular firewall by selecting it in the View by: Device drop-down.


The Panorama tab provides the following pages for managing Panorama and Log Collectors.

Panorama Pages

Setup: Select Panorama > Setup for the following tasks:
- Specify general settings (such as the Panorama hostname) and settings for authentication, logs, reports, AutoFocus, banners, the message of the day, and password complexity. These settings are similar to those you configure for firewalls: select Device > Setup > Management.
- Back up and restore configurations, reboot Panorama, and shut down Panorama. These operations are similar to those you perform for firewalls: select Device > Setup > Operations.
- Define server connections for DNS, NTP, and Palo Alto Networks updates. These settings are similar to those you configure for firewalls: select Device > Setup > Services.
- Define network settings for Panorama interfaces. Select Panorama > Setup > Interfaces.
- Specify settings for the WildFire appliance. These settings are similar to those you configure for firewalls: select Device > Setup > WildFire.
- Manage hardware security module (HSM) settings. These settings are similar to those you configure for firewalls: select Device > Setup > HSM.

High Availability: Enables you to configure high availability (HA) for a pair of Panorama management servers. Select Panorama > High Availability.

Config Audit: Enables you to see the differences between configuration files. Select Device > Config Audit.

Password Profiles: Enables you to define password profiles for Panorama administrators. Select Device > Password Profiles.

Administrators: Enables you to configure Panorama administrator accounts. Select Panorama > Administrators.
If an administrator account is locked out, the Administrators page displays a lock in the Locked User column. You can click the lock to unlock the account.

Admin Roles: Enables you to define administrative roles, which control the privileges and responsibilities of administrators who access Panorama. Select Panorama > Admin Roles.

Access Domain: Enables you to control administrator access to device groups, templates, template stacks, and the web interface of firewalls. Select Panorama > Access Domains.

Authentication Profile: Enables you to specify a profile for authenticating access to Panorama. Select Device > Authentication Profile.

Authentication Sequence: Enables you to specify a series of authentication profiles to use for permitting access to Panorama. Select Device > Authentication Sequence.

User Identification: Enables you to configure Panorama to receive user mapping information from User-ID agents. Select Device > User Identification > User-ID Agents.

Managed Devices: Enables you to manage firewalls, which includes adding firewalls to Panorama as managed devices, displaying firewall connection and license status, tagging firewalls, updating firewall software and content, and loading configuration backups. Select Panorama > Managed Devices.

Templates: Enables you to manage configuration options in the Device and Network tabs. Templates and template stacks enable you to reduce the administrative effort of deploying multiple firewalls with the same or similar configurations. Select Panorama > Templates.

Device Groups: Enables you to configure device groups, which group firewalls based on function, network segmentation, or geographic location. Device groups can include physical firewalls, virtual firewalls, and virtual systems.
Typically, firewalls in a device group need similar policy configurations. Using the Policies and Objects tab on Panorama, device groups provide a way to implement a layered approach for managing policies across a network of managed firewalls. You can nest device groups in a tree hierarchy of up to four levels. Descendant groups automatically inherit the policies and objects of ancestor groups and of the Shared location. Select Panorama > Device Groups.

Managed Collectors: Enables you to manage Log Collectors. Because you use Panorama to configure Log Collectors, they are also called managed collectors. A managed collector can be local to the Panorama management server (M-Series appliance or Panorama virtual appliance in Panorama mode) or a Dedicated Log Collector (M-Series appliance in Log Collector mode). Select Panorama > Managed Collectors.
You can also install Software Updates for Dedicated Log Collectors.
You can convert a Panorama management server to a Dedicated Log Collector.

Collector Groups: Enables you to manage Collector Groups. A Collector Group logically groups Log Collectors so you can apply the same configuration settings and assign firewalls to them. Panorama uniformly distributes the logs among all the disks in a Log Collector and across all members in the Collector Group. Select Panorama > Collector Groups.

Plugins: Enables you to manage plugins for third-party integration, such as VMware NSX. Select Panorama > VMware NSX.

VMware NSX: Enables you to automate provisioning of VM-Series firewalls by enabling communication between the NSX Manager and Panorama. Select Panorama > VMware NSX.

Certificate Management: Enables you to configure and manage certificates, certificate profiles, and keys. Select Manage Firewall and Panorama Certificates.

Log Settings: Enables you to forward logs to Simple Network Management Protocol (SNMP) trap receivers, syslog servers, email servers, and HTTP servers. Select Device > Log Settings.


Server Profiles: Enables you to configure profiles for the different server types that provide services to Panorama. Select any of the following to configure a specific server type:
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider

Scheduled Config Export: Enables you to export Panorama and firewall configurations to an FTP server or Secure Copy (SCP) server on a daily basis. Select Panorama > Scheduled Config Export.

Software: Enables you to update Panorama software. Select Panorama > Software.

Dynamic Updates: Enables you to view the latest application definitions and information for new security threats, such as Antivirus signatures (threat prevention license required) and then update Panorama with the new definitions. Select Device > Dynamic Updates.

Support: Enables you to access product and security alerts from Palo Alto Networks. Select Device > Support.

Device Deployment: Enables you to deploy software and content updates to firewalls and Log Collectors. Select Panorama > Device Deployment.

Master Key and Diagnostics: Enables you to specify a master key to encrypt private keys on Panorama. By default, Panorama stores private keys in encrypted form even if you don't specify a new master key. Select Device > Master Key and Diagnostics.


Context Switch

In the header of every Panorama web interface page, you can use the Context drop-down above the left-side menu to switch between the Panorama web interface and a firewall web interface. When you select a firewall, the web interface refreshes to show all the pages and options for the selected firewall so that you can manage it locally. The drop-down displays only the firewalls to which you have administrative access (see Panorama > Access Domains) and that are connected to Panorama.
You can use the Filters to search for firewalls by Platforms (model), Device Groups, Templates, Tags, or HA Status. You can also enter a text string in the filter bar to search by Device Name.
The icons of firewalls that are in high availability (HA) mode will have colored backgrounds to indicate their HA state.


Panorama Commit Operations

Click Commit at the top right of the web interface and select an operation for pending changes to the Panorama configuration and changes that Panorama pushes to firewalls, Log Collectors, and WildFire clusters and appliances:
- Commit > Commit to Panorama: Activates changes you made in the configuration of the Panorama management server. This action also commits device group, template, Collector Group, and WildFire cluster and appliance changes to the Panorama configuration without pushing the changes to firewalls, Log Collectors, or WildFire clusters and appliances. Committing just to the Panorama configuration enables you to save changes that are not ready for activation on the firewalls, Log Collectors, or WildFire clusters and appliances.

  When pushing configurations to managed devices, Panorama 8.0 and later releases push the running configuration, which is the configuration that is committed to Panorama. Panorama 7.1 and earlier releases push the candidate configuration, which includes uncommitted changes. Therefore, Panorama 8.0 and later releases do not let you push changes to managed devices until you first commit the changes to Panorama.

- Commit > Push to Devices: Pushes the Panorama running configuration to device groups, templates, Collector Groups, and WildFire clusters and appliances.
- Commit > Commit and Push: Commits all configuration changes to the local Panorama configuration and then pushes the Panorama running configuration to device groups, templates, Collector Groups, and WildFire clusters and appliances.

You can filter pending changes by administrator or location and then commit, push, validate, or preview only those changes. The location can be specific device groups, templates, Collector Groups, Log Collectors, WildFire appliances and clusters, shared settings, or the Panorama management server.
When you commit changes, they become part of the running configuration. Changes that you haven't committed are part of the candidate configuration. Panorama queues commit requests so that you can initiate a new commit while a previous commit is in progress. Panorama performs the commits in the order they are initiated but prioritizes auto-commits that are initiated by Panorama (such as FQDN refreshes). However, if the queue already has the maximum number of administrator-initiated commits, you must wait for Panorama to finish processing a pending commit before initiating a new one. You can use the Task Manager ( ) to clear the commit queue or see details about commits. For more information on configuration changes, commit processes, commit validations, and the commit queue, refer to Panorama Commit and Validation Operations. You can also Save Candidate Configurations, Revert Changes, and import, export, or load configurations (Device > Setup > Operations).


The following options are available for committing, validating, or previewing configuration changes.

Field/Button

The following options apply when you commit to Panorama by selecting Commit > Commit to Panorama or Commit > Commit and Push.

Commit All Changes: Commits all changes for which you have administrative privileges (default). You cannot manually filter the scope of the configuration changes that Panorama commits when you select this option. Instead, the administrator role assigned to the account you used to log in determines the commit scope:
- Superuser role: Panorama commits the changes of all administrators.
- Custom role: The privileges of the Admin Role profile assigned to your account determine the commit scope (see Panorama > Admin Roles). If the profile includes the privilege to Commit For Other Admins, Panorama commits changes configured by any and all administrators. If your Admin Role profile does not include the privilege to Commit For Other Admins, Panorama commits only your changes and not those of other administrators.
If you have implemented access domains, Panorama automatically applies those domains to filter the commit scope (see Panorama > Access Domains). Regardless of your administrative role, Panorama commits only the configuration changes in the access domains assigned to your account.


Commit Changes Made By: Filters the scope of the configuration changes Panorama commits. The administrative role assigned to the account you used to log in determines your filtering options:
- Superuser role: You can limit the commit scope to changes that specific administrators made and to changes in specific locations.
- Custom role: The privileges of the Admin Role profile assigned to your account determine your filtering options (see Panorama > Admin Roles). If the profile includes the privilege to Commit For Other Admins, you can limit the commit scope to changes configured by specific administrators and to changes in specific locations. If your Admin Role profile does not include the privilege to Commit For Other Admins, you can limit the commit scope only to the changes you made in specific locations.
Filter the commit scope as follows:
- Filter by administrator: Even if your role allows committing the changes of other administrators, the commit scope includes only your changes by default. To add other administrators to the commit scope, click the <usernames> link, select the administrators, and click OK.
- Filter by location: Select the specific locations for changes to Include in Commit.
If you have implemented access domains, Panorama automatically filters the commit scope based on those domains (see Panorama > Access Domains). Regardless of your administrative role and your filtering choices, the commit scope includes only the configuration changes in the access domains assigned to your account.
After you load a configuration (Device > Setup > Operations), you must Commit All Changes.
When you commit changes to a device group, you must include the changes of all administrators who added, deleted, or repositioned rules for the same rulebase in that device group.

Commit Scope: Lists the locations that have changes to commit. Whether the list includes all changes or a subset of the changes depends on several factors, as described for Commit All Changes and Commit Changes Made By. The locations can be any of the following:
- shared-object: Settings that are defined in the Shared location.
- <device-group>: The name of the device group in which the policy rules or objects are defined.
- <template>: The name of the template or template stack in which the settings are defined.
- <log-collector-group>: The name of the Collector Group in which the settings are defined.
- <log-collector>: The name of the Log Collector in which the settings are defined.
- <wildfire-appliances>: The serial number of the WildFire appliance in which the settings are defined.
- <wildfire-appliance-clusters>: The name of the WildFire cluster in which the settings are defined.

Location Type
  This column categorizes the locations of pending changes:
  - Panorama: Settings that are specific to the Panorama management server configuration.
  - Device Group: Settings that are defined in a specific device group.
  - Template: Settings that are defined in a specific template or template stack.
  - Log Collector Group: Settings that are specific to a Collector Group configuration.
  - Log Collector: Settings that are specific to a Log Collector configuration.
  - WildFire Appliance Clusters: Settings that are specific to a WildFire appliance cluster configuration.
  - WildFire Appliances: Settings that are specific to a WildFire appliance.
  - Other Changes: Settings that are not specific to any of the preceding configuration areas (such as shared objects).

Include in Commit (partial commit only)
  Enables you to select the changes you want to commit. By default, all changes within the Commit Scope are selected. This column displays only after you choose to Commit Changes Made By specific administrators.
  There might be dependencies that affect the changes you include in a commit. For example, if you add an object and another administrator then edits that object, you cannot commit the change for the other administrator without also committing your own change.

Group by Type
  Groups the list of configuration changes in the Commit Scope by Location Type.

Preview Changes
  Enables you to compare the configurations you selected in the Commit Scope to the running configuration. The preview window uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
  To help you match the changes to sections of the web interface, you can configure the preview window to display Lines of Context before and after each change. These lines are from the files of the candidate and running configurations that you are comparing.
  Because the preview results display in a new browser window, your browser must allow popups. If the preview window does not open, refer to your browser documentation for the steps to allow popups.
Change Summary
  Lists the individual settings for which you are committing changes. The Change Summary list displays the following information for each setting:
  - Object Name: The name that identifies the policy, object, network setting, or device setting.
  - Type: The type of setting (such as Address, Security rule, or Zone).
  - Location Type: Indicates whether the setting is defined in Device Groups, Templates, Collector Groups, WildFire Appliances, or WildFire Appliance Clusters.
  - Location: The name of the device group, template, Collector Group, WildFire cluster, or WildFire appliance where the setting is defined. The column displays Shared for settings that are not defined in these locations.
  - Operations: Indicates every operation (create, edit, or delete) performed on the setting since the last commit.
  - Owner: The administrator who made the last change to the setting.
  - Will Be Committed: Indicates whether the commit will include the setting.
  - Previous Owners: Administrators who made changes to the setting before the last change.
  Optionally, you can Group By column name (such as Type).

Validate Commit
  Validates whether the Panorama configuration has correct syntax and is semantically complete. The output includes the same errors and warnings that a commit would display, including rule shadowing and application dependency warnings. The validation process enables you to find and fix errors before you commit (it makes no changes to the running configuration). This is useful if you have a fixed commit window and want to be sure the commit will succeed without errors.
The following options apply when you push configuration changes to managed devices by selecting Commit > Push to Devices or Commit > Commit and Push.

Push Scope
  Lists the locations that have changes to push. The locations that the scope includes by default depend on which of the following options you select:
  - Commit > Commit and Push: The scope includes all locations with changes that require a Panorama commit.
  - Commit > Push to Devices: The scope includes all locations associated with entities (firewalls, virtual systems, Log Collectors, WildFire clusters, WildFire appliances) that are Out of Sync with the Panorama running configuration (see Panorama > Managed Devices and Panorama > Managed Collectors for the synchronization status).
  For both selections, Panorama filters the Push Scope by:
  - Administrators: Panorama applies the same filters as for the Commit Scope (see Commit All Changes or Commit Changes Made By).
  - Access domains: If you implemented access domains, Panorama automatically filters the Push Scope based on those domains (see Panorama > Access Domains). Regardless of your administrative role and your filtering choices, the scope includes the configuration changes only in access domains assigned to your account.
  You can Edit Selections for the Push Scope instead of accepting the default locations.

Location Type
  This column categorizes the locations of pending changes:
  - Device Groups: Settings defined in a specific device group.
  - Templates: Settings defined in a specific template or template stack.
  - Log Collector Groups: Settings specific to a Collector Group configuration.
  - WildFire Clusters: Settings specific to a WildFire cluster configuration.
  - WildFire Appliances: Settings specific to a WildFire appliance configuration.

Entities
  For each device group or template, this column lists the firewalls (by device name or serial number) or virtual systems (by name) included in the push operation.
  If you push changes to a Collector Group, the operation includes all the Log Collectors that are members of the group, even though they are not listed.

Edit Selections
  Click to select the entities to include in the push operation:
  - Device Groups and Templates
  - Log Collector Groups
  - WildFire Appliances and Clusters
  Panorama won't let you push changes that you did not yet commit to the Panorama configuration.
Device Groups and Templates
  Edit Selections and select Device Groups or Templates to display the options in the following rows.

Filters
  Filter the list of templates, template stacks, or device groups and the associated firewalls and virtual systems.

Name
  Select the templates, template stacks, device groups, firewalls, or virtual systems to include in the push operation.

Last Commit State
  Indicates whether the firewall and virtual system configurations are synchronized with the template or device group configurations in Panorama.

HA Status
  Indicates the high availability (HA) state of the listed firewalls:
  - Active: Normal traffic handling operational state.
  - Passive: Normal backup state.
  - Initiating: The firewall is in this state for up to 60 seconds after bootup.
  - Non-functional: Error state.
  - Suspended: An administrator disabled the firewall.
  - Tentative: For a link or path monitoring event in an active/active configuration.

Changes Pending (Panorama) Commit
  Indicates whether a Panorama commit is (yes) or is not (no) required before you push changes to the selected firewalls and virtual systems.

Preview Changes column
  Preview Changes to compare the configurations you selected in the Push Scope to the Panorama running configuration. Panorama filters the output to show results only for the firewalls and virtual systems you selected in the Device Groups or Templates tab. The preview window uses color coding to indicate which changes are additions (green), modifications (yellow), or deletions (red).
  Because the preview results display in a new browser window, your browser must allow popups. If the preview window does not open, refer to your browser documentation for the steps to allow popups.

Select All
  Selects all entries in the list.

Deselect All
  Deselects all entries in the list.

Expand All
  Displays the firewalls and virtual systems assigned to templates, template stacks, or device groups.

Collapse All
  Displays only the templates, template stacks, or device groups, not the firewalls or virtual systems assigned to them.
Group HA Peers
  Groups firewalls that are peers in a high availability (HA) configuration. The resulting list displays the active firewall (or active-primary firewall in an active/active configuration) first and the passive firewall (or active-secondary firewall in an active/active configuration) in parentheses. This enables you to easily identify firewalls that are in HA mode. When pushing shared policies, you can push to the grouped pair instead of individual peers.
  For HA peers in an active/passive configuration, consider adding both firewalls or their virtual systems to the same device group, template, or template stack so that you can push the configuration to both peers simultaneously.

Validate
  Click to validate the configurations you are pushing to the selected firewalls and virtual systems. The Task Manager automatically opens to display the validation status.

Filter Selected
  If you want the list to display only specific firewalls or virtual systems, select them and then select Filter Selected.

Merge with Candidate Config
  (Selected by default) Merges the configuration changes pushed from Panorama with any pending configuration changes that administrators implemented locally on the target firewall. The push operation triggers PAN-OS to commit the merged changes. If you clear this selection, the commit excludes the candidate configuration on the firewall.
  Clear this selection if you allow firewall administrators to commit changes locally on a firewall and you don't want to include those local changes when committing changes from Panorama.
  Another best practice is to perform a configuration audit on the firewall to review any local changes before pushing changes from Panorama (see Device > Config Audit).

Include Device and Network Templates (Device Groups tab only)
  (Selected by default) Pushes both the device group changes and the associated template changes to the selected firewalls and virtual systems in a single operation. To push these changes as separate operations, clear this option.

Force Template Values
  (Disabled by default) Overrides all local configuration settings and removes all objects on the selected firewalls that don't exist in the template or template stack or that are overridden in the local configuration. The push operation reverts all existing configuration on the firewall and ensures that the firewall inherits only the settings defined in the template or template stack.

Log Collector Groups
  Edit Selections and select Log Collector Groups to include in the push operation. This tab displays the following options:
  - Select All: Selects every Collector Group in the list.
  - Deselect All: Deselects every Collector Group in the list.

WildFire Appliances and Clusters
  Edit Selections and select WildFire Appliances and Clusters to display the following options.

Filters
  Filter the list of WildFire appliances and clusters.

Name
  Select the WildFire appliances and clusters to which Panorama will push changes.
Last Commit State
  Indicates whether the WildFire appliance and cluster configurations are synchronized with Panorama.

Validate Device Group Push
  Validates the configurations you are pushing to the device groups in the Push Scope list. The Task Manager automatically opens to display the validation status.

Validate Template Push
  Validates the configurations you are pushing to the templates in the Push Scope list. The Task Manager automatically opens to display the validation status.

Group by Location Type
  Select to use Location Type to group the Push Scope list.

The following options apply when you commit the Panorama configuration or push changes to devices.

Description
  Enter a description (up to 512 characters) to help other administrators understand what changes you made.
  The System log for a commit event will truncate descriptions longer than 512 characters.

Commit/Push/Commit and Push
  Starts the commit or, if other commits are pending, adds the commit request to the commit queue.
Defining Policies on Panorama

Device Groups on Panorama allow you to centrally manage policies on the firewalls. Policies defined on Panorama are created either as Pre Rules or Post Rules; Pre Rules and Post Rules allow you to create a layered approach in implementing policy.
Pre rules and post rules can be defined in a shared context as shared policies for all managed firewalls or in a device group context to make them specific to a device group. Because pre rules and post rules are defined on Panorama and then pushed from Panorama to the managed firewalls, you can view the rules on the managed firewalls but can edit the Pre Rules and Post Rules only in Panorama.
- Pre Rules: Rules that are added to the top of the rule order and are evaluated first. You can use pre rules to enforce the Acceptable Use Policy for an organization; for example, to block access to specific URL categories or to allow DNS traffic for all users.
- Post Rules: Rules that are added at the bottom of the rule order and are evaluated after the pre rules and rules that are locally defined on the firewall. Post rules typically include rules to deny access to traffic based on the App-ID, User-ID, or Service.
- Default Rules: Rules that specify how the firewall handles traffic that does not match any Pre Rules, Post Rules, or local firewall rules. These rules are part of the predefined Panorama configuration. To Override and enable editing of select settings in these rules, see Overriding or Reverting a Security Policy Rule.
Preview Rules to view a list of all rules before you push the rules to the managed firewalls. Within each rulebase, the hierarchy of rules is visually demarcated for each device group (and managed firewall) to make it easier to scan through a large number of rules.
When you add or edit a rule in Panorama, a Target tab displays. You can use this tab to apply the rule to specific firewalls or descendant device groups of the Device Group (or Shared location) where the rule is defined. In the Target tab, Any is selected by default, which means the rule applies to all the firewalls and descendant device groups. To target specific firewalls or device groups, clear Any and select their names. To exclude specific firewalls or device groups, clear Any, select their names, and select Target to all but these specified devices. If the list of device groups and firewalls is long, you can apply Filters to search the entries by attributes (such as Platforms) or by a text string for matching names.
To create policies, see the relevant section for each rulebase:
- Policies > Security
- Policies > NAT
- Policies > QoS
- Policies > Policy Based Forwarding
- Policies > Decryption
- Policies > Application Override
- Policies > Authentication
- Policies > DoS Protection
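The rule layering described above, as an added Python illustration that is not PAN-OS or Panorama code: it assembles the order in which a managed firewall evaluates Panorama pre rules, its local rules, Panorama post rules, and the default rules, honoring each rule's Target setting (Any, specific devices, or "Target to all but these specified devices"). Two details are assumptions from PAN-OS behaviour rather than statements on this page: within the pre rules the Shared location precedes device groups (ancestor before descendant), and within the post rules that order is reversed. The Rule fields and the sample rulebases are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Constructed, simplified security rule: matches on App-ID and URL category only."""
    name: str
    action: str                          # "allow" or "deny"
    app: Optional[str] = None            # None = any application
    url_category: Optional[str] = None   # None = any URL category
    targets: frozenset = frozenset()     # Target tab: empty = Any
    target_all_but: bool = False         # "Target to all but these specified devices"

    def applies_to(self, firewall: str) -> bool:
        """Does the Target setting push this rule to the given firewall?"""
        if not self.targets:
            return True
        return (firewall in self.targets) != self.target_all_but

    def matches(self, app: str, url_category: str) -> bool:
        return self.app in (None, app) and self.url_category in (None, url_category)


Layer = List[Tuple[str, List[Rule]]]   # [(location, rules)]: Shared first, then device groups


def effective_rulebase(firewall: str, pre: Layer, local: List[Rule],
                       post: Layer, default: List[Rule]) -> List[Rule]:
    """Order evaluated on the firewall: pre rules (Shared, then each device group
    down the hierarchy), local rules, post rules (device groups back up to
    Shared), then the default rules. Rules the Target excludes are dropped."""
    ordered: List[Rule] = []
    for _, rules in pre:
        ordered += [r for r in rules if r.applies_to(firewall)]
    ordered += local                       # local rules have no Target tab
    for _, rules in reversed(post):
        ordered += [r for r in rules if r.applies_to(firewall)]
    ordered += default
    return ordered


def first_match(rulebase: List[Rule], app: str, url_category: str) -> Optional[Rule]:
    """First-match evaluation, as on the firewall."""
    for rule in rulebase:
        if rule.matches(app, url_category):
            return rule
    return None


# Constructed sample: two branch firewalls in device group "branch-dg" under Shared.
PRE: Layer = [
    ("Shared", [Rule("block-gambling", "deny", url_category="gambling"),
                Rule("allow-dns", "allow", app="dns")]),
    ("branch-dg", []),
]
LOCAL = [Rule("local-allow-web", "allow", app="web-browsing")]
POST: Layer = [
    ("Shared", [Rule("deny-all", "deny")]),
    ("branch-dg", [Rule("deny-ssh", "deny", app="ssh",
                        targets=frozenset({"fw-branch-2"}), target_all_but=True)]),
]
DEFAULT = [Rule("interzone-default", "deny")]


def decide(firewall: str, app: str, url_category: str) -> str:
    """Name of the rule that handles the traffic on the given firewall."""
    rule = first_match(effective_rulebase(firewall, PRE, LOCAL, POST, DEFAULT),
                       app, url_category)
    return rule.name if rule else "no-match"


if __name__ == "__main__":
    print(decide("fw-branch-1", "web-browsing", "gambling"))  # block-gambling (pre rule wins)
    print(decide("fw-branch-1", "web-browsing", "news"))      # local-allow-web
    print(decide("fw-branch-1", "ssh", "any"))                # deny-ssh
    print(decide("fw-branch-2", "ssh", "any"))                # deny-all (excluded by Target)
```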

Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode

Panorama > Setup > Operations
By default, a Panorama virtual appliance in Legacy mode has a single disk partition for all data in which 10.89GB is allocated for log storage. Increasing disk size does not increase the log storage capacity; however, you can modify the log storage capacity using the following options:
- Network File System (NFS): The option to mount NFS storage is available only for a Panorama virtual appliance that is in Legacy mode and running on a VMware ESXi server. To mount NFS storage, select Storage Partition Setup in the Miscellaneous section, set the Storage Partition to NFS V3, and configure the settings as described in Table: NFS Storage Settings.
- Default internal storage: Revert to the default internal storage partition (applicable only to Panorama on an ESXi server or on the vCloud Air platform where you previously configured another virtual logging disk or mounted to an NFS). To revert to the default internal storage partition, select Storage Partition Setup in the Miscellaneous section and set the Storage Partition to Internal.
- Virtual logging disk: You can add another virtual disk (up to 8TB) for Panorama running on VMware ESXi version 5.5 and later releases or for Panorama running on the VMware vCloud Air platform. However, Panorama stops using the default 10.89GB log storage on the original disk and copies any existing logs to the new disk. (Earlier ESXi versions support only up to 2TB virtual disks.)

You must reboot Panorama after changing the storage partition settings: select Panorama > Setup > Operations and Reboot Panorama.
NFS storage is not available to the Panorama virtual appliance in Panorama mode or to M-Series appliances.

Table: NFS Storage Settings

Panorama Storage Partition Settings (NFS V3)    Description

Server
  Specify the FQDN or IP address of the NFS server.

Log Directory
  Specify the full path name of the directory where the logs will reside.

Protocol
  Specify the protocol (UDP or TCP) for communication with the NFS server.

Port
  Specify the port for communication with the NFS server.

Read Size
  Specify the maximum size in bytes (range is 256 to 32,768) for NFS read operations.

Write Size
  Specify the maximum size in bytes (range is 256 to 32,768) for NFS write operations.

Copy on Setup
  Select to mount the NFS partition and copy any existing logs to the destination directory on the server when Panorama boots.

Test Logging Partitions
  Select to perform a test that mounts the NFS partition and presents a success or failure message.

Panorama > Setup > Interfaces

Select Panorama > Setup > Interfaces to configure the interfaces that Panorama uses to manage firewalls and Log Collectors, deploy software and content updates to firewalls and Log Collectors, collect logs from firewalls, and communicate with Collector Groups. By default, Panorama uses the MGT interface for all communication with firewalls and Log Collectors.
To reduce traffic on the MGT interface, configure other interfaces to deploy updates, collect logs, and communicate with Collector Groups. In an environment with heavy log traffic, you can configure several interfaces for log collection. Additionally, to improve the security of management traffic, you can define a separate subnet (IPv4 Netmask or IPv6 Prefix Length) for the MGT interface that is more private than the subnets for the other interfaces.

The available interfaces vary based on the Panorama model.

Interface           Maximum Speed
Management (MGT)    1Gbps
Ethernet1 (Eth1)    1Gbps
Ethernet2 (Eth2)    1Gbps
Ethernet3 (Eth3)    1Gbps
Ethernet4 (Eth4)    10Gbps
Ethernet5 (Eth5)    10Gbps

(The original table's M-500 appliance, M-100 appliance, and Panorama virtual appliance columns, which mark the interfaces each model provides, are not reproduced here.)

To configure an interface, click the Interface Name and configure the settings described in the following table.

Always specify the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway for the MGT interface. If you omit values for some settings (such as the default gateway), you can only access Panorama through the console port for future configuration changes. You cannot commit the configurations for other interfaces unless you specify all three settings.

Interface Settings    Description

Eth1/Eth2/Eth3/Eth4/Eth5
  You must enable an interface to configure it. The exception is the MGT interface, which is enabled by default.

IP Address (IPv4)
  If your network uses IPv4, assign an IPv4 address to the interface.

Netmask (IPv4)
  If you assigned an IPv4 address to the interface, you must also enter a network mask (such as 255.255.255.0).

Default Gateway (IPv4)
  If you assigned an IPv4 address to the interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the interface).

IPv6 Address/Prefix Length
  If your network uses IPv6, assign an IPv6 address to the interface. To indicate the netmask, enter an IPv6 prefix length (such as 2001:400:f00::1/64).

Default IPv6 Gateway
  If you assigned an IPv6 address to the interface, you must also assign an IPv6 address to the default gateway (the gateway must be on the same subnet as the interface).
Speed
  Set the speed for the interface to 10Mbps, 100Mbps, 1Gbps, or 10Gbps (Eth4 and Eth5 only) at full or half duplex. Use the default auto-negotiate setting to have Panorama determine the interface speed.
  This setting must match the interface settings on neighboring network equipment. To ensure matching settings, select auto-negotiate if the neighboring equipment supports that option.

MTU
  Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 1,500; default is 1,500).

Device Management and Device Log Collection
  Enable the interface (enabled by default on the MGT interface) for managing firewalls and Log Collectors and collecting their logs. You can enable multiple interfaces to perform these functions.

Collector Group Communication
  Enable the interface for Collector Group communication (the default is the MGT interface). Only one interface can perform this function.

Device Deployment
  Enable the interface for deploying software and content updates to firewalls and Log Collectors (the default is the MGT interface). Only one interface can perform this function.

Network Connectivity Services
  The Ping service is available on any interface. You can use ping to test connectivity between the Panorama interface and external services. In a high availability (HA) deployment, HA peers use ping to exchange heartbeat backup information.
  The following services are available only on the MGT interface:
  - HTTP: Enables access to the Panorama web interface. HTTP uses plaintext, which is not as secure as HTTPS. Enable HTTPS instead of HTTP for management traffic on the interface.
  - HTTPS: Enables secure access to the Panorama web interface.
  - Telnet: Enables access to the Panorama CLI. Telnet uses plaintext, which is not as secure as SSH. Enable SSH instead of Telnet for management traffic on the interface.
  - SSH: Enables secure access to the Panorama CLI.
  - SNMP: Enables Panorama to process statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
  - User-ID: Enables Panorama to redistribute user mapping information received from User-ID agents.

Permitted IP Addresses
  Enter the IP addresses from which administrators can access Panorama on this interface. An empty list (default) specifies that access is available from any IP address.
  Do not leave this list blank; specify the IP addresses of Panorama administrators (only) to prevent unauthorized access.

Panorama > High Availability

To enable high availability (HA) on Panorama, configure the settings as described in the following table.

Panorama HA Settings    Description

Setup
Click Edit to configure the following settings.

Enable HA
  Select to enable HA.

Peer HA IP Address
  Enter the IP address of the MGT interface on the peer.

Enable Encryption
  When enabled, the MGT interface encrypts communication between the HA peers. Before enabling encryption, export the HA key from each HA peer and import the key into the other peer. You import and export the HA key on the Panorama > Certificate Management > Certificates page (see Manage Firewall and Panorama Certificates).
  HA connectivity uses TCP port 28 with encryption enabled and TCP port 28769 when encryption is not enabled.

Monitor Hold Time (ms)
  Enter the number of milliseconds that the system will wait before acting on a control link failure (range is 1,000 to 60,000; default is 3,000).

Secure Client Communication validates the identity of Panorama HA peers.

Certificate
  Select the local Panorama certificate. This certificate profile defines certificate revocation checking behavior and the root CA used to authenticate the certificate chaining for the Panorama HA peer.

Certificate Profile
  Select a Certificate Profile that defines how Panorama authenticates with its HA peer and with other servers. This profile must match the certificate profile configured under Panorama > Setup > Panorama Settings.

Check Server Identity
  Select to specify that Panorama confirms the identity of its HA peer by matching the common name (CN) configured in the server certificate for the peer.
Election Settings
Click Edit to configure the following settings.

Priority (Required on the Panorama virtual appliance)
  This setting determines which peer is the primary recipient for firewall logs. Assign one peer as Primary and the other as Secondary in the HA pair.
  When you configure Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode, you can use its internal disk (default) or a Network File System (NFS) for log storage. If you configure an NFS, only the primary recipient receives the firewall logs. If you configure internal disk storage, the firewalls send logs to both the primary and the secondary peer by default, but you can change this by enabling Only Active Primary Logs to Local Disk in the Logging and Reporting Settings.

Preemptive
  Select to enable the primary Panorama to resume active operation after recovering from a failure. When disabled, the secondary Panorama remains active even after the primary Panorama recovers from a failure.

HA Timer Settings
  Your selection determines the values for the remaining HA election settings, which control the failover speed:
  - Recommended: Select for typical (default) failover timer settings. To see the associated values, select Advanced and Load Recommended.
  - Aggressive: Select for faster failover timer settings. To see the associated values, select Advanced and Load Aggressive.
  - Advanced: Select to display the remaining HA election settings and customize their values.
  See the Recommended and Aggressive values for the following settings.

Promotion Hold Time (ms)
  Enter the number of milliseconds (range is 0 to 60,000) the secondary Panorama peer waits before taking over after the primary peer goes down. The recommended (default) value is 2,000; the aggressive value is 500.

Hello Interval (ms)
  Enter the number of milliseconds (range is 8,000 to 60,000) between hello packets that are sent to verify that the other peer is operational. The recommended (default) and aggressive value is 8,000.

Heartbeat Interval (ms)
  Specify the frequency in milliseconds (range is 1,000 to 60,000) at which Panorama sends ICMP pings to the HA peer. The recommended (default) value is 2,000; the aggressive value is 1,000.

Preemption Hold Time (min)
  This field applies only if you also select Preemptive. Enter the number of minutes (range is 1 to 60) the passive Panorama peer will wait before falling back to active status after it recovers from an event that caused failover. The recommended (default) and aggressive value is 1.

Monitor Fail Hold Up Time (ms)
  Specify the number of milliseconds (range is 0 to 60,000) Panorama waits after a path monitor failure before attempting to re-enter the passive state. During this period, the passive peer is not available to take over for the active peer in the event of failure. This interval enables Panorama to avoid a failover due to the occasional flapping of neighboring devices. The recommended (default) and aggressive value is 0.

Additional Master Hold Up Time (ms)
  Specify the number of milliseconds (range is 0 to 60,000) during which the preempting peer remains in the passive state before taking over as the active peer. The recommended (default) value is 7,000; the aggressive value is 5,000.
Path Monitoring
Click Edit to configure HA path monitoring.

Enabled
  Select to enable path monitoring. Path monitoring enables Panorama to monitor specified destination IP addresses by sending ICMP ping messages to verify that they are responsive.

Failure Condition
  Select whether a failover occurs when Any or All of the monitored path groups fail to respond.

Path Group
To create a path group for HA path monitoring, click Add and complete the following fields.

Name
  Specify a name for the path group.

Enabled
  Select to enable the path group.

Failure Condition
  Select whether a failure occurs when Any or All of the specified destination addresses fail to respond.

Ping Interval
  Specify the number of milliseconds between the ICMP echo messages that verify that the path to the destination IP address is up (range is 1,000 to 60,000; default is 5,000).

Ping Count
  Specify the number of failed pings before declaring a failure (range is 3 to 10; default is 3).

Destination IPs
  Enter one or more destination IP addresses to monitor. Use commas to separate multiple addresses.

Panorama > Managed WildFire Clusters

Panorama > Managed WildFire Clusters
Panorama > Managed WildFire Appliances
You can manage WildFire WF-500 appliances in clusters or as standalone appliances from a Panorama M-Series or virtual appliance. Managing clusters (Panorama > Managed WildFire Clusters) and managing standalone appliances (Panorama > Managed WildFire Appliances) share many common administrative and configuration tasks, so both are included in the following topics.
After you add WildFire WF-500 appliances to Panorama, use the web interface to add those appliances to and manage them as clusters or to manage them as standalone appliances.
- Managed WildFire Cluster Tasks
- Managed WildFire Appliance Tasks
- Managed WildFire Information
- Managed WildFire Cluster and Appliance Administration

Managed WildFire Cluster Tasks

You can create and remove WildFire appliance clusters from Panorama. Additionally, you can save configuration time by importing configurations from one cluster to another.

Task    Description

Create Cluster
  As needed, Create Cluster, enter a name for the new cluster, and then click OK.
  Existing clusters you configured locally and added to Panorama by adding the individual WildFire appliance nodes are listed along with their WildFire nodes and the node roles (Panorama > Managed WildFire Appliances).
  The cluster name must be a valid subdomain name that begins with a lowercase character or number and can contain hyphens only if they are not the first or last character in the cluster name; no spaces or other characters are allowed. The maximum length of a cluster name is 63 characters.
  After you create a cluster, you can add managed WF-500 appliances to the cluster and manage them on Panorama. When you add a WildFire appliance to Panorama, you automatically register the appliance with Panorama.
  You can create a maximum of 10 managed WildFire clusters on Panorama and each cluster can have up to 20 WildFire appliance nodes. Panorama can manage up to an aggregate total of 200 standalone appliances and cluster nodes.

Import Cluster Config
  Import Cluster Config to import an existing cluster configuration. If you select a cluster before you Import Cluster Config, the Controller and Cluster are automatically populated with the appropriate information for the selected cluster. If you do not select a cluster before you Import Cluster Config, then you must select the Controller and the Cluster populates automatically based on the Controller node you select.
  After you import the configuration, Commit to Panorama to save the imported candidate configuration in the Panorama running configuration.
Remove From Panorama
  If you no longer need to manage a WildFire cluster from Panorama, Remove From Panorama and select Yes to confirm your action. After you remove a cluster from Panorama management, you can manage the cluster locally from a Controller node. You can add the cluster back into the Panorama appliance at any time if you want to again manage the cluster centrally instead of locally.

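The cluster naming constraints given for Create Cluster above, as an added Python validator that is not Panorama or WildFire code: it returns the specific reason a proposed name would be rejected, or None when the name is acceptable. One reading is an assumption: uppercase letters are rejected in every position, following the guide's "no spaces or other characters are allowed" after it names lowercase characters, numbers, and hyphens.

```python
import re
from typing import Optional

MAX_CLUSTER_NAME_LEN = 63
# Lowercase letters, digits and hyphens, with a hyphen neither first nor last.
_CLUSTER_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def cluster_name_error(name: str) -> Optional[str]:
    """Return None if `name` satisfies the constraints, else the reason it does not.

    Uppercase letters are rejected everywhere (assumption, see the lead-in)."""
    if not name:
        return "name is empty"
    if len(name) > MAX_CLUSTER_NAME_LEN:
        return f"name is {len(name)} characters; maximum is {MAX_CLUSTER_NAME_LEN}"
    if name[0] == "-" or name[-1] == "-":
        return "hyphen cannot be the first or last character"
    if not (name[0].islower() or name[0].isdigit()):
        return "name must begin with a lowercase letter or a digit"
    if not _CLUSTER_NAME_RE.match(name):
        bad = sorted({c for c in name if not re.match(r"[a-z0-9-]", c)})
        return f"contains characters other than lowercase letters, digits and hyphens: {bad}"
    return None


def is_valid_cluster_name(name: str) -> bool:
    return cluster_name_error(name) is None


if __name__ == "__main__":
    # Constructed candidates: one valid name and four that violate a different rule each.
    for candidate in ["wf-cluster-01", "-edge", "edge-", "WF cluster", "a" * 64]:
        print(repr(candidate), "->", cluster_name_error(candidate) or "ok")
```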
Managed WildFire Appliance Tasks

You can add, remove, and manage standalone WildFire WF-500 appliances on a Panorama device. After you add standalone appliances, you can add them to WildFire appliance clusters as cluster nodes or you can manage them as individual standalone appliances.

Task    Description

Add Appliance
  Add Appliance to add one or more WildFire appliances to a Panorama appliance for centralized management. Enter the serial number of each WildFire appliance on a separate row (new line). Panorama can manage up to an aggregate total of 200 WildFire cluster nodes and standalone WildFire appliances.
  On each WildFire appliance you want to manage on Panorama, configure the IP address or FQDN of the Panorama appliance (Panorama server) and, optionally, the backup Panorama server using the following WildFire appliance CLI commands:
    set deviceconfig system panorama-server <ip-address | FQDN>
    set deviceconfig system panorama-server-2 <ip-address | FQDN>

Import Config
  Select a WildFire appliance and Import Config to import (only) the running configuration for that appliance to Panorama.
  After you import the configuration, Commit to Panorama to save the imported candidate configuration in the Panorama running configuration.

Remove
  If you no longer need to manage a WildFire appliance from Panorama, Remove the appliance and select Yes to confirm your action. After you remove an appliance from Panorama management, you can manage the appliance locally using its CLI. If needed, you can add the appliance back into the Panorama appliance at any time if you want to again manage the appliance centrally instead of locally.

Managed WildFire Information

Select Panorama > Managed WildFire Clusters to display the following information for each managed cluster (you can also select standalone appliances from this page and display their information) or select Panorama > Managed WildFire Appliances to display the information for standalone appliances.
Unless noted, the information in the following table applies to both WildFire clusters and standalone appliances. The information previously configured for a cluster or appliance is prepopulated.

Managed WildFire Information    Description

Appliance: The name of the appliance.
The Managed WildFire Clusters view displays appliances grouped by cluster, includes the standalone appliances available to add to a cluster, and includes the serial number (in parentheses) with the appliance name (the serial number is not part of the name).

Serial Number (Managed WildFire Appliances view only): The serial number of the appliance. The Managed WildFire Clusters view displays the serial number in the same column as the appliance name (the serial number is not part of the name).

Software Version: The software version installed and running on the appliance.

IP Address: The IP address of the appliance.

Connected: The connection state between the appliance and Panorama, either Connected or Disconnected.

Cluster Name: The name of the cluster in which the appliance is included as a node; nothing displays here for a standalone appliance.

Analysis Environment: The analysis environment (vm1, vm2, vm3, vm4, or vm5). Each analysis environment represents a set of operating systems and applications:
- vm1 supports Windows XP, Adobe Reader 9.3.3, Flash 9, PE, PDF, and Office 2003 and earlier Office releases.
- vm2 supports Windows XP, Adobe Reader 9.4.0, Flash 10n, PE, PDF, and Office 2007 and earlier Office releases.
- vm3 supports Windows XP, Adobe Reader 11, Flash 11, PE, PDF, and Office 2010 and earlier Office releases.
- vm4 supports Windows 7 32-bit, Adobe Reader 11, Flash 11, PE, PDF, and Office 2010 and earlier Office releases.
- vm5 supports Windows 7 64-bit, Adobe Reader 11, Flash 11, PE, PDF, and Office 2010 and earlier Office releases.

Content: The version number of the content release version.

Role: The appliance role:
- Standalone: The appliance is not a cluster node.
- Controller: The appliance is the cluster Controller node.
- Controller Backup: The appliance is the cluster Controller backup node.
- Worker: The appliance is a Worker node in the cluster.

Config Status: The configuration synchronization status of the appliance. The Panorama appliance checks for WildFire appliance settings and reports configuration differences between the appliance configuration and the configuration saved for that appliance on Panorama.
- In Sync: The appliance configuration is in sync with its saved configuration on Panorama.
- Out of Sync: The appliance configuration is not in sync with its saved configuration on Panorama. You can mouse over the eyeglass to display the cause of the sync failure.

Cluster Status (Managed WildFire Clusters page only): Cluster Status displays three types of information for each cluster node:
- Services available (normal operating conditions):
  - wfpc (WildFire Private Cloud): The malware sample analysis and reporting service.
  - signature: The local signature generation service.
- Progress of operations: the operation name followed by a colon (:) and the status:
  - Operations: Status for decommission, suspend, and reboot operations.
  - Progress status: Operation status notifications are the same for each operation: requested, ongoing, denied, success, or fail.
  For example, if you suspend a node and the operation is ongoing, Cluster Status displays suspend:ongoing, or if you reboot a node and the operation has been requested but has not yet begun, Cluster Status displays reboot:requested.
- Error conditions. Cluster Status displays the following error conditions:
  - Cluster: cluster:offline or cluster:splitbrain.
  - Service: service:suspended or service:none.

Last Commit State: Commit succeeded if the most recent commit succeeded or commit failed if the most recent commit failed. View details about the last commit by selecting the state.

Utilization > View

View: View cluster or appliance utilization statistics. You can view only individual appliances (Panorama > Managed WildFire Appliances) or you can view only cluster statistics (Panorama > Managed WildFire Clusters).
- Appliance (Standalone appliance view only): The appliance serial number.
- Cluster (Cluster view only): The cluster name. You can also select a different cluster to view.
- Duration: Displays the time period for which statistics are collected and displayed. You can select different durations:
  - 15 Min
  - Last Hour
  - Last 24 Hours (default)
  - Last 7 Days
  - All
The Utilization View has four tabs and, on each tab, you determine what is displayed based on your configured Duration.

General Tab: The General tab displays aggregated resource utilization statistics for a cluster or an appliance. The other tabs display more granular information about resource utilization by file type:
- Total Disk Usage: The total cluster or appliance disk usage.
- Verdict: The Total number of verdicts, the number of each verdict type assigned to files (Malware, Grayware, and Benign), and how many verdicts were Error verdicts.
- Sample Statistics: The total number of samples Submitted and Analyzed and how many samples are Pending analysis.
- Analysis Environment & System Utilization:
  - File Type Analyzed: The type of file that was analyzed (Executable, Non-Executable, or Links).
  - Virtual Machine Usage: The number of virtual machines used for each file type analyzed and how many virtual machines are available to analyze each file type. For example, for Executable files, VM usage could be 6/10 (six VMs used and ten VMs available).
  - Files Analyzed: The number of files of each type that were analyzed.

Executable, Non-Executable, and Links Tabs: The Executable, Non-Executable, and Links tabs display similar information about each type of file:
- Verdict: Details about verdicts by file type. You can filter the results:
  - Search box: Enter search terms to filter the verdicts. The search box indicates the number of file types (items) in the list. After you enter search terms, apply the filter or clear the filter and enter a different set of terms.
  - File Type: List files by type. For example, the Executable tab displays .exe and .dll file types; the Non-Executable tab displays .pdf, .jar, .doc, .ppt, .xls, .docx, .pptx, .xlsx, .rtf, .class, and .swf file types; and the Links tab displays elink file type information.
  For each File Type, the total number of verdicts for Malware, Grayware, and Benign files, the number of Error verdicts, and the Total number of verdicts are displayed on each tab.
- Sample Statistics: Details about sample analysis by file type.
  - Search box: Same as the Verdict search box.
  - File Type: Same as the Verdict File Type.
  For each File Type, the total number of files Submitted for analysis, the total number Analyzed, and the number Pending analysis are displayed on each tab.

Firewalls Connected > View

View: View information about the firewalls connected to the cluster or the appliance. You can view only individual appliances (Panorama > Managed WildFire Appliances) or you can view only cluster statistics (Panorama > Managed WildFire Clusters).
- Appliance (Standalone appliance view only): The appliance serial number.
- Cluster (Cluster view only): The cluster name; you can also select a different cluster to view.
- Refresh: Refresh the display.

Registered and Submitting Samples Tabs: The Registered tab displays information about firewalls registered to the cluster or appliance, regardless of whether the firewalls are submitting samples.
The Submitting Samples tab displays information about firewalls that are actively submitting samples to the WildFire cluster or appliance.
The type of information displayed on these tabs and how to filter the information is similar for both:
- Search box: Enter search terms to filter the list of firewalls. The search box indicates the number of firewalls (items) in the list. After you enter search terms, apply the filter or clear the filter and enter a different set of terms.
- S/N: The serial number of the firewall.
- IP Address: The IP address of the firewall.
- Model: The model number of the firewall.
- Software Version: The software version installed and running on the firewall.
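The Cluster Status column described above packs service names, operation progress and error conditions into one text field. The following added example (not Palo Alto Networks code) parses that field with the token vocabulary the table gives and flags nodes an operator should look at: a missing service, an error condition, or an operation that ended in denied or fail. It assumes the tokens are separated by whitespace or commas; the status strings and serial numbers in the sample are constructed.

```python
"""Parse WildFire Cluster Status strings and flag nodes that need attention.

Added example, not Palo Alto Networks code. Token vocabulary follows the
Cluster Status description: service names (wfpc, signature), progress tokens
"<operation>:<status>" for decommission/suspend/reboot, and the error tokens
cluster:offline, cluster:splitbrain, service:suspended, service:none.
Assumption: tokens are separated by whitespace or commas.
"""
from dataclasses import dataclass, field
from typing import Dict, List

SERVICES = {"wfpc", "signature"}
OPERATIONS = {"decommission", "suspend", "reboot"}
PROGRESS = {"requested", "ongoing", "denied", "success", "fail"}
ERROR_TOKENS = {"cluster:offline", "cluster:splitbrain",
                "service:suspended", "service:none"}


@dataclass
class NodeStatus:
    services: List[str] = field(default_factory=list)
    operations: Dict[str, str] = field(default_factory=dict)  # op -> status
    errors: List[str] = field(default_factory=list)
    unknown: List[str] = field(default_factory=list)  # tokens we could not classify

    @property
    def healthy(self) -> bool:
        # Normal operating condition: both services present and no error token.
        return not self.errors and set(self.services) == SERVICES


def parse_cluster_status(text: str) -> NodeStatus:
    """Classify each token of a Cluster Status string."""
    status = NodeStatus()
    for token in text.replace(",", " ").split():
        if token in SERVICES:
            status.services.append(token)
        elif token in ERROR_TOKENS:  # check before the generic "op:status" form
            status.errors.append(token)
        elif ":" in token:
            op, _, state = token.partition(":")
            if op in OPERATIONS and state in PROGRESS:
                status.operations[op] = state
            else:
                status.unknown.append(token)
        else:
            status.unknown.append(token)
    return status


def nodes_needing_attention(statuses: Dict[str, str]) -> List[str]:
    """Return serial numbers whose status is not healthy or whose last operation was denied or failed."""
    flagged = []
    for serial, text in statuses.items():
        st = parse_cluster_status(text)
        bad_operation = any(s in ("denied", "fail") for s in st.operations.values())
        if not st.healthy or bad_operation:
            flagged.append(serial)
    return flagged


# Constructed sample: serial numbers and status strings are illustrative only.
SAMPLE_STATUS = {
    "WF-NODE-01": "wfpc signature",
    "WF-NODE-02": "wfpc signature suspend:ongoing",
    "WF-NODE-03": "wfpc cluster:splitbrain",
    "WF-NODE-04": "wfpc signature reboot:fail",
}

if __name__ == "__main__":
    for serial in nodes_needing_attention(SAMPLE_STATUS):
        print(serial, parse_cluster_status(SAMPLE_STATUS[serial]))
```

A node in the middle of a requested or ongoing suspend or reboot is not flagged, because those are the expected transitional states; only a terminal denied or fail, a lost service, or a cluster or service error token is reported.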

Managed WildFire Cluster and Appliance Administration

Select Panorama > Managed WildFire Clusters and select a cluster to manage it or select a WildFire appliance (Panorama > Managed WildFire Appliances) to manage a standalone appliance. The Panorama > Managed WildFire Cluster view lists cluster nodes (WildFire appliances that are members of the cluster) and standalone appliances so that you can add available appliances to a cluster. Because the cluster manages the nodes, selecting a cluster node provides only limited management capability.
Unless noted, the settings and descriptions in the following table apply to both WildFire clusters and WildFire standalone appliances. Information previously configured on the cluster or an appliance is prepopulated. Changes and additions to the information must be committed on Panorama and then pushed to the appliances.

Setting    Description

General Tab

Name: The cluster or appliance Name or the appliance serial number.

Enable DNS (WildFire clusters only): Enable DNS service for the cluster.

Register Firewall To: The domain name to which you register firewalls. Format must be wfpc.service.<cluster-name>.<domain>. For example, the default domain name is wfpc.service.mycluster.paloaltonetworks.com.

Content Update Server: Enter the Content Update Server location or use the default wildfire.paloaltonetworks.com so that the cluster or appliance receives content updates from the closest server in the Content Delivery Network infrastructure. Connecting to the global cloud gives you the benefit of accessing signatures and updates based on threat analysis from all sources connected to the cloud, instead of relying only on the analysis of local threats.

Check Server Identity: Check Server Identity to confirm the identity of the update server by matching the common name (CN) in the certificate with the IP address or FQDN of the server.

WildFire Cloud Server: Enter the global WildFire Cloud Server location or use the default wildfire.paloaltonetworks.com so that the cluster or appliance can send information to the closest server. You can choose whether to send information and what types of information to send to the global cloud (WildFire Cloud Services).

Sample Analysis Image: Select the VM image the cluster or appliance uses for sample analysis. The default image is vm5. You can Get a Malware Test File (WildFire API) to see the result of the sample analysis.

WildFire Cloud Services: If the cluster or appliance is connected to the global WildFire Cloud Server, you can choose whether to Send Analysis Data, Send Malicious Samples, and Send Diagnostics to the global cloud, and whether to perform a Verdict Lookup in the global cloud. Sending information to the global cloud benefits the entire community of WildFire appliance users because the shared information increases the ability of every appliance to identify malicious traffic and prevent it from traversing the network.

Sample Data Retention: The number of days to retain benign or grayware samples and malicious samples:
- Benign/Grayware samples: Range is 1 to 90; default is 14.
- Malicious samples: Minimum is 1 and there is no maximum (indefinite); default is indefinite.

Analysis Environment Services: Environment Networking enables virtual machines to communicate with the internet. You can select Anonymous Networking to make network communication anonymous, but you must select Environment Networking before you can enable Anonymous Networking.
Different network environments produce different types of analysis loads depending on whether more documents need to be analyzed or more executable files need to be analyzed. You can configure your Preferred Analysis Environment to allocate more resources to Executables or to Documents, depending on the needs of your environment. The Default allocation is balanced between Executables and Documents.
The amount of available resources depends on how many WildFire nodes are in the cluster.

Signature Generation: Select whether you want the cluster or appliance to generate signatures for AV, DNS, and URLs.

Appliance Tab

Hostname (Standalone WildFire appliance only): Enter the hostname of the WildFire appliance.

Panorama Server: Enter the IP address or FQDN of the appliance or of the primary Panorama managing the cluster.

Panorama Server 2: Enter the IP address or FQDN of the appliance or of the backup Panorama managing the cluster.

Domain: Enter the domain name of the appliance cluster or appliance.

Primary DNS Server: Enter the IP address of the primary DNS Server.

Secondary DNS Server: Enter the IP address of the secondary DNS Server.

Timezone: Select the timezone to use for the cluster or appliance.

Latitude (Standalone WildFire appliance only): Enter the latitude of the WildFire appliance.

Longitude (Standalone WildFire appliance only): Enter the longitude of the WildFire appliance.

Primary NTP Server: Enter the IP address of the primary NTP Server and set the Authentication Type to None, Symmetric Key, or Autokey. The default is None.
Setting the Authentication Type to Symmetric Key reveals four more fields:
- Key ID: Enter the authentication key ID.
- Algorithm: Select the authentication algorithm, SHA1 or MD5.
- Authentication Key: Enter the authentication key.
- Confirm Authentication Key: Enter the authentication key again to confirm it.

Secondary NTP Server: Enter the IP address of the secondary NTP Server and set the Authentication Type to None, Symmetric Key, or Autokey. The default is None.
Setting the Authentication Type to Symmetric Key reveals four more fields:
- Key ID: Enter the authentication key ID.
- Algorithm: Select the authentication algorithm, SHA1 or MD5.
- Authentication Key: Enter the authentication key.
- Confirm Authentication Key: Enter the authentication key again to confirm it.

Login Banner: Enter a banner message that displays when users log in to the cluster or appliance.

Logging Tab (Includes System Tab and Configuration Tab)

Add: Add log forwarding profiles (Panorama > Managed WildFire Clusters > <cluster> > Logging > System or Panorama > Managed WildFire Clusters > <cluster> > Logging > Configuration) to forward:
- system or configuration logs as SNMP traps to SNMP trap receivers.
- syslog messages to syslog servers.
- email notifications to email servers.
- HTTP requests to HTTP servers.
No other log types are supported (see Device > Log Settings).
The log forwarding profiles specify which logs to forward and to which destination servers. For each profile, complete the following:
- Name: A name that identifies the log settings (up to 31 characters) that consists of alphanumeric characters and underscores only; spaces and special characters are not allowed.
- Filter: By default, the Panorama appliance forwards All Logs of the specified profile. To forward a subset of the logs, select a filter (severity eq critical, severity eq high, severity eq informational, severity eq low, or severity eq medium) or select Filter Builder to create a new filter.
- Description: Enter a description (up to 1,023 characters) to explain the purpose of the profile.

Add > Filter > Filter Builder: Use Filter Builder to create new log filters. Select Create Filter to construct filters and, for each query in a new filter, specify the following settings and then Add the query:
- Connector: Select the connector logic (and or or). Select Negate if you want to apply negation. For example, to avoid forwarding a subset of log descriptions, select Description as the Attribute, select contains as the Operator, and enter the description string as the Value to identify the description or descriptions that you don't want to forward.
- Attribute: Select a log attribute. The options vary by log type.
- Operator: Select the criterion that determines how the attribute applies (such as contains). The options vary by log type.
- Value: Specify the attribute value to match.
- Add: Add the new filter.
To display or export logs that the filter matches, select View Filtered Logs.
- To find matching log entries, you can add artifacts to the search field, such as an IP address or a time range.
- Select the time period for which you want to see logs (Last 15 Minutes, Last Hour, Last 6 Hrs, Last 12 Hrs, Last 24 Hrs, Last 7 Days, or All). The default is All.
- Use the options to the right of the time period drop-down to apply, clear, create, save, and load filters:
  - Apply filters: Display log entries that match the terms in the search field.
  - Clear filters: Clear the filter field.
  - Create a new filter: Define new search criteria (takes you to Add Log Filter, which is similar to Create Filter).
  - Save a filter: Enter a name for the filter and then click OK.
  - Use a saved filter: Add a saved filter to the filter field.
  - Export to CSV: Export logs to a CSV formatted report, and Download file downloads the report. By default, the report contains up to 2,000 lines of logs. To change the line limit for generated CSV reports, select Device > Setup > Management > Logging and Reporting Settings > Log Export and Reporting and enter a new Max Rows in CSV Export value.
You can change the number and order of entries displayed per page and you can use the paging controls at the bottom left of the page to navigate through the log list. Log entries are retrieved in blocks of 10 pages.
- per page: Use the drop-down to change the number of log entries per page (20, 30, 40, 50, 75, or 100).
- ASC or DESC: Select ASC to sort results in ascending order (oldest log entry first) or DESC to sort in descending order (newest log entry first). The default is DESC.
- Resolve Hostname: Select to resolve external IP addresses to domain names.
- Highlight Policy Actions: Specify an action and select to highlight log entries that match the action. The filtered logs are highlighted in the following colors:
  - Green: Allow
  - Yellow: Continue, or override
  - Red: Deny, drop, dropicmp, rstclient, resetserver, resetboth, blockcontinue, blockoverride, blockurl, dropall, sinkhole

Delete: Select and then Delete the log forwarding settings you want to remove from the System or Configuration log list.

Authentication Tab

Remote Authentication: Select the Authentication Profile for access. The default is None. If there are no authentication profiles to choose from, you can Configure an Authentication Profile and Sequence.

Local Authentication: Configure local authentication for the administrator:
- Administrator: This is always admin because there is only one admin-level user on a Panorama appliance.
- Mode: Select the local authentication mode, either Password or Password Hash:
  - Password: Enter and confirm a user password.
  - Password Hash: Enter a hashed password string. For example, a hashed password is useful if you want to reuse the credentials for an existing Unix account but you don't know the plaintext password and you remember the hashed password. The appliance accepts any string of up to 63 characters regardless of the algorithm used to generate the hash value. Any Minimum Password Complexity parameters you set for the firewall (Panorama > Setup > Management) do not apply to accounts that use a Password Hash.

Timeout Configuration: Configure cluster authentication timeouts:
- Idle Timeout (min): Set the idle timeout in minutes. When a user remains idle longer than the idle timeout specified, the system ends the user's session. The default is None (no timeout).
- Failed Attempts: Set the number of failed login attempts before the system locks a user out of the system. The default is 10 failed attempts.
- Lockout Time (min): Set the amount of time in minutes that a locked-out user must wait before logging in. The default is 5 minutes.

Clustering Tab (Managed WildFire Clusters only) and Interface Tab (Managed WildFire Appliances only)
You must add appliances to Panorama to manage interfaces and add appliances to clusters to manage cluster node interfaces.

Appliance (Clustering Tab only): Select a cluster node to access the Appliance and Interfaces tabs for that node. The Appliance tab node information is prepopulated and is not configurable except for the hostname. The Interfaces tab lists the node interfaces. Select an interface to manage it as described in Interface Name Management, Interface Name Analysis Environment Network, Interface Name Ethernet2, and Interface Name Ethernet3.

Interface Name Management: The management interface is Ethernet0. Configure or view management interface settings:
- Speed and Duplex: Select from auto-negotiate, 10Mbps-half-duplex, 10Mbps-full-duplex, 100Mbps-half-duplex, 100Mbps-full-duplex, 1Gbps-half-duplex, and 1Gbps-full-duplex. The default is auto-negotiate.
- IP Address: Enter the interface IP address.
- Netmask: Enter the interface netmask.
- Default Gateway: Enter the IP address of the default gateway.
- MTU: Enter the MTU in bytes (range is 576 to 1,500; default is 1,500).
- Management Services: Select the management services you want to support. You can support Ping, SSH, and SNMP services.
Configure proxy settings if you use a proxy server to connect to the Internet:
- Server: IP address of the proxy server.
- Port: Port number configured on the proxy server to listen for Panorama device requests.
- User: Username configured on the proxy server for authentication.
- Password and Confirm Password: Password configured on the proxy server for authentication.
Clustering Services (Clustering tab only): Select the HA service:
- HA: If there are two Controller nodes in the cluster, you can configure the management interface as an HA interface so that management information is available to both Controller nodes. If the cluster node you are configuring is the primary Controller node, mark it as the HA interface.
  Depending on how you use the WildFire appliance Ethernet interfaces, alternatively, you can configure Ethernet2 or Ethernet3 as the HA and HA Backup interfaces on the primary and backup Controller nodes, respectively. For example, you can use Ethernet2 as the HA and HA Backup interface. The HA and HA Backup interfaces must be the same interface (management, Ethernet2, or Ethernet3) on the primary and backup Controller nodes. You cannot use Ethernet1 as the HA/HA Backup interface.
- HA Backup: If the cluster node you are configuring is the backup Controller node, mark it as the HA Backup interface.
Specify IP addresses that are permitted on the interface:
- Search box: Enter search terms to filter the permitted IP address list. The search box indicates the number of IP addresses (items) in the list so you know how long the list is. After you enter search terms, apply the filter or clear the filter and enter a different set of terms.
- Add: Add a permitted IP address by specifying the IP address.
- Delete: Select and Delete the IP address or addresses you want to remove from management interface access.

Interface Name Analysis Environment Network: Configure settings for the WildFire appliance cluster or standalone WildFire appliance analysis environment network interface (Ethernet1, also known as the VM interface):
- Speed and Duplex: Select from auto-negotiate, 10Mbps-half-duplex, 10Mbps-full-duplex, 100Mbps-half-duplex, 100Mbps-full-duplex, 1Gbps-half-duplex, and 1Gbps-full-duplex. The default is auto-negotiate.
- IP Address: Enter the interface IP address.
- Netmask: Enter the interface netmask.
- Default Gateway: Enter the IP address of the default gateway.
- MTU: Enter the MTU in bytes (range is 576 to 1,500; default is 1,500).
- DNS Server: Enter the DNS server IP address.
- Link State: Set the interface link state to Up or Down.
- Management Services: Select Ping if you want the interface to support ping services.
Specify IP addresses that are permitted on the interface:
- Search box: Enter search terms to filter the permitted IP address list. The search box indicates the number of IP addresses (items) in the list so you know how long the list is. After you enter search terms, apply the filter or clear the filter and enter a different set of terms.
- Add: Add a permitted IP address by specifying the IP address.
- Delete: Select the IP address or IP addresses you want to remove from management interface access and then Delete.

Interface Name Ethernet2 / Interface Name Ethernet3: You can set the same parameters for the Ethernet2 and Ethernet3 interfaces:
- Speed and Duplex: Select from auto-negotiate, 10Mbps-half-duplex, 10Mbps-full-duplex, 100Mbps-half-duplex, 100Mbps-full-duplex, 1Gbps-half-duplex, and 1Gbps-full-duplex. The default is auto-negotiate.
- IP Address: Enter the interface IP address.
- Netmask: Enter the interface netmask.
- Default Gateway: Enter the IP address of the default gateway.
- MTU: Enter the MTU in bytes (range is 576 to 1,500; default is 1,500).
- Management Services: Select Ping if you want the interface to support ping services.
- Clustering Services: Select cluster services:
  - HA: If there are two Controller nodes in the cluster, you can configure the Ethernet2 or the Ethernet3 interface as an HA interface so that management information is available to both Controller nodes. If the cluster node you are configuring is the primary Controller node, mark it as the HA interface.
    Depending on how you use the WildFire appliance Ethernet interfaces, alternatively, you can configure the management interface (Ethernet1) as the HA and HA Backup interfaces on the primary and backup Controller nodes, respectively. The HA and HA Backup interfaces must be the same interface (management, Ethernet2, or Ethernet3) on the primary and backup Controller nodes. You cannot use Ethernet1 as the HA/HA Backup interface.
  - HA Backup: If the cluster node you are configuring is the backup Controller node, mark it as the HA Backup interface.
  - Cluster Management: Configure the Ethernet2 or Ethernet3 interface as the interface used for cluster-wide management and communication.

Role (Clustering Tab only): When a cluster has member appliances, the appliance roles can be Controller, Controller Backup, or Worker. Select Controller or Backup Controller to change the WildFire appliance used for each role from the appliances in the cluster. Changing the Controller results in data loss during the role change.

Browse (Clustering Tab only): The Clustering tab lists the WildFire appliance nodes in the cluster. Browse to view and add standalone WildFire appliances that the Panorama device already manages:
- Search box: Enter search terms to filter the node list. The search box indicates the number of appliances (items) in the list so you know how long the list is. After you enter search terms, apply the filter or clear the filter and enter a different set of terms.
- Add Nodes: Add each node to the cluster using the add icon next to the node in the list.
The first WildFire appliance you add to a cluster automatically becomes the Controller node. The second WildFire appliance you add automatically becomes the Controller Backup node.
You can add up to 20 WildFire appliances to a cluster. After adding the Controller and Controller Backup nodes, all subsequent added nodes are Worker nodes.

Delete (Clustering Tab only): Select one or more appliances from the Appliance list and then Delete them from the cluster. You can remove a Controller node only if there are two Controller nodes in the cluster.

Manage Controller (Clustering Tab only): Select Manage Controller to specify a Controller and a Controller Backup from the WildFire appliance nodes that belong to the cluster. The current Controller node and backup Controller node are selected by default. The backup Controller node can't be the same node as the primary Controller node.
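The Logging tab's Filter Builder, described earlier in this table, composes a log forwarding filter from queries that each carry a Connector, Negate, Attribute, Operator and Value, and the predefined filters such as severity eq critical are single queries of the same form. The following added example (not Palo Alto Networks code) evaluates such filters over constructed system log records so you can check what a profile would forward before committing it. It assumes queries combine left to right in the order they were added (no operator precedence) and models only the eq, neq and contains operators; the log records are constructed.

```python
"""Evaluate log forwarding filters of the kind Filter Builder composes.

Added example, not Palo Alto Networks code. Each Query holds the settings the
page lists (Connector, Negate, Attribute, Operator, Value). Assumptions:
queries are combined left to right in insertion order with no precedence
between "and" and "or", and only eq, neq and contains are modelled.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Query:
    attribute: str
    operator: str            # eq, neq or contains
    value: str
    connector: str = "and"   # how this query joins the queries before it
    negate: bool = False     # the Negate option


OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "eq": lambda field_value, value: field_value == value,
    "neq": lambda field_value, value: field_value != value,
    "contains": lambda field_value, value: value in field_value,
}


def query_matches(query: Query, record: Dict[str, str]) -> bool:
    """Apply one query to one log record; a missing attribute matches as an empty string."""
    field_value = str(record.get(query.attribute, ""))
    result = OPERATORS[query.operator](field_value, query.value)
    return not result if query.negate else result


def filter_matches(queries: List[Query], record: Dict[str, str]) -> bool:
    """Combine the queries left to right; an empty filter is All Logs (forward everything)."""
    if not queries:
        return True
    result = query_matches(queries[0], record)
    for query in queries[1:]:
        current = query_matches(query, record)
        result = (result and current) if query.connector == "and" else (result or current)
    return result


def select_for_forwarding(queries: List[Query], records: List[Dict[str, str]]) -> List[str]:
    """Return the seqno of every record the filter would forward."""
    return [r["seqno"] for r in records if filter_matches(queries, r)]


# Constructed sample system log records (not real appliance output).
SYSTEM_LOGS = [
    {"seqno": "1", "severity": "critical", "description": "HA: split-brain detected"},
    {"seqno": "2", "severity": "informational", "description": "commit job succeeded"},
    {"seqno": "3", "severity": "high", "description": "NTP sync failed"},
    {"seqno": "4", "severity": "critical", "description": "commit job failed"},
]

# The predefined "severity eq critical" filter.
CRITICAL_ONLY = [Query("severity", "eq", "critical")]

# Critical logs, minus descriptions that mention commits: the Negate example from the page.
CRITICAL_NOT_COMMIT = [
    Query("severity", "eq", "critical"),
    Query("description", "contains", "commit", connector="and", negate=True),
]

# Two severities joined with "or".
HIGH_OR_CRITICAL = [
    Query("severity", "eq", "high"),
    Query("severity", "eq", "critical", connector="or"),
]

if __name__ == "__main__":
    print("critical:", select_for_forwarding(CRITICAL_ONLY, SYSTEM_LOGS))
    print("critical, not commit:", select_for_forwarding(CRITICAL_NOT_COMMIT, SYSTEM_LOGS))
    print("high or critical:", select_for_forwarding(HIGH_OR_CRITICAL, SYSTEM_LOGS))
```

Running the three filters over the sample shows the effect of Negate directly: the commit-job failure at severity critical is forwarded by the predefined filter but dropped by the negated contains query, which is the behaviour to confirm before relying on a filter to suppress noisy descriptions on a syslog or SNMP receiver.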


Panorama > Administrators

Select Panorama > Administrators to create and manage accounts for Panorama administrators.
If you log in to Panorama as an administrator with a superuser role, you can unlock the accounts of other administrators by clicking the lock icons in the Locked User column. A locked-out administrator cannot access Panorama. Panorama locks out administrators who exceed the allowed number of failed successive attempts to access Panorama as defined in the Authentication Profile assigned to their accounts (see Device > Authentication Profile).
To create an administrator account, click Add and configure the settings as described in the following table.

Administrator Account Settings    Description

Name: Enter a login user name for the administrator (up to 15 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, hyphens, and underscores.

Authentication Profile: Select an authentication profile or sequence to authenticate this administrator. For details, see Device > Authentication Profile or Device > Authentication Sequence.

Use only client certificate authentication (Web): Select to use client certificate authentication for web interface access. If you select this option, a user name (Name) and Password are not required.

Password/Confirm Password: Enter and confirm a case-sensitive password for the administrator (up to 15 characters). To ensure security, Palo Alto Networks recommends that administrators change their passwords periodically using a combination of lowercase letters, uppercase letters, and numbers.
Device Group and Template administrators cannot access Panorama > Administrators. To change their local password, these administrators click their user name (beside Logout at the bottom of the web interface). This also applies to administrators with a custom Panorama role in which access to Panorama > Administrators is disabled.
You can use password authentication in conjunction with an Authentication Profile (or sequence) or with local database authentication.
You can set password expiration parameters by selecting a Password Profile (see Device > Password Profiles) and setting Minimum Password Complexity parameters (see Device > Setup > Management), but only for administrative accounts that Panorama authenticates locally.

Use Public Key Authentication (SSH): Select to use SSH public key authentication: click Import Key, Browse to select the public key file, and click OK. The Administrator dialog displays the uploaded key in the read-only text area.
Supported key file formats are IETF SECSH and OpenSSH. Supported key algorithms are DSA (1024 bits) and RSA (768 to 4096 bits).
If public key authentication fails, Panorama presents a login and password prompt.

Administrator Type: The type selection determines the administrative role options:
- Dynamic: Roles that provide access to Panorama and managed firewalls. When new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to manually update them.
- Custom Panorama Admin: Configurable roles that have read-write access, read-only access, or no access to Panorama features.
- Device Group and Template Admin: Configurable roles that have read-write access, read-only access, or no access to features for the device groups and templates that are assigned to the access domains you select for this administrator.

Admin Role (Dynamic administrator type): Select a predefined role:
- Superuser: Full read-write access to Panorama and all device groups, templates, and managed firewalls.
- Superuser (Read Only): Read-only access to Panorama and all device groups, templates, and managed firewalls.
- Panorama administrator: Full access to Panorama except for the following actions:
  - Create, modify, or delete Panorama or firewall administrators and roles.
  - Export, validate, revert, save, load, or import a configuration (Device > Setup > Operations).
  - Configure a Scheduled Config Export in the Panorama tab.

Profile (Custom Panorama Admin administrator type): Select a custom Panorama role (see Panorama > Managed Devices).

Access Domain to Administrator Role (Device Group and Template Admin administrator type): For each access domain (up to 25) you want to assign to the administrator, Add an Access Domain from the drop-down (see Panorama > Access Domains) and then click the adjacent Admin Role cell and select a custom Device Group and Template administrator role from the drop-down (see Panorama > Managed Devices). When administrators with access to more than one domain log in to Panorama, an Access Domain drop-down appears in the footer of the web interface. Administrators can select any assigned Access Domain to filter the monitoring and configuration data that Panorama displays. The Access Domain selection also filters the firewalls that the Context drop-down displays.
If you use a RADIUS server to authenticate administrators, you must map administrator roles and access domains to RADIUS VSAs. Because VSA strings support a limited number of characters, if you configure the maximum number of access domain/role pairs (25) for an administrator, the Name values for each access domain and each role must not exceed an average of 9 characters.

Password Profile: Select a Password Profile (see Device > Password Profiles).


Panorama > Admin Roles

Admin Role profiles are custom roles that define the access privileges and responsibilities of administrators. For example, the roles assigned to an administrator control which reports he or she can generate and which device group or template configurations the administrator can view or change.
For a Device Group and Template administrator, you can assign a separate role to each access domain that is assigned to the administrative account (see Panorama > Access Domains). Mapping roles to access domains enables you to achieve very granular control over the information that administrators can access on Panorama. For example, consider a scenario where you configure an access domain that includes all the device groups for firewalls in your data centers and you assign that access domain to an administrator who is allowed to monitor data center traffic but who is not allowed to configure the firewalls. In this case, you would map the access domain to a role that enables all monitoring privileges but disables access to device group settings.
To create an Admin Role profile, Add a profile and configure the settings as described in the following table.

If you use a RADIUS server to authenticate administrators, map the administrator roles and access domains to RADIUS Vendor-Specific Attributes (VSAs).

PanoramaAdministrator Description
RoleSettings

Name Enteranametoidentifythisadministratorrole(upto31characters).The
nameiscasesensitive,mustbeuniqueandcancontainonlyletters,
numbers,spaces,hyphens,andunderscores.

Description (Optional)Enteradescriptionoftherole.

Role Selectthescopeofadministrativeresponsibility:PanoramaorDevice Group


and Template.

WebUI Selectfromthefollowingoptionstosetthetypeofaccesspermittedfor
specificfeaturesinthePanoramacontext(Web UI list)andfirewallcontext
(Context Switch UI list):
Enable ( )Readandwriteaccess
Read Only( )Readonlyaccess
Disable( )Noaccess


XML API (Panorama role only)
    Select the type of XML API access (Enable, Read Only, or Disable) for Panorama and managed firewalls:
    - Report: Access to Panorama and firewall reports.
    - Log: Access to Panorama and firewall logs.
    - Configuration: Permissions to retrieve or modify Panorama and firewall configurations.
    - Operational Requests: Permissions to run operational commands on Panorama and firewalls.
    - Commit: Permissions to commit Panorama and firewall configurations.
    - User-ID Agent: Access to the User-ID agent.
    - Export: Permissions to export files from Panorama and firewalls (such as configurations, block or response pages, certificates, and keys).
    - Import: Permissions to import files into Panorama and firewalls (such as software updates, content updates, licenses, configurations, certificates, block pages, and custom logs).

Command Line (Panorama role only)
    Select the type of role for CLI access:
    - None (Default): Access to the Panorama CLI is not permitted.
    - superuser: Full access to Panorama.
    - superreader: Read-only access to Panorama.
    - panorama-admin: Full access to Panorama except for the following actions:
      - Create, modify, or delete Panorama administrators and roles.
      - Export, validate, revert, save, load, or import a configuration.
      - Schedule configuration exports.

Panorama > Access Domains

Access domains control the access that Device Group and Template administrators have to specific device groups (to manage policies and objects), to templates (to manage network and device settings), and to the web interface of managed firewalls (through context switching). You can define up to 4,000 access domains and manage them locally or by using RADIUS Vendor-Specific Attributes (VSAs), TACACS+ VSAs, or SAML attributes. To create an access domain, Add a domain and configure the settings as described in the following table.

Access Domain Settings

Name
    Enter a name for the access domain (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, hyphens, and underscores.

Shared Objects
    Select one of the following access privileges for the objects that device groups in this access domain inherit from the Shared location. Regardless of privilege, administrators can't override shared or default (predefined) objects.
    - read: Administrators can display and clone shared objects but cannot perform any other operations on them. When adding non-shared objects or cloning shared objects, the destination must be a device group within the access domain, not Shared.
    - write: Administrators can perform all operations on shared objects. This is the default value.
    - shared-only: Administrators can add objects only to Shared. Administrators can also display, edit, and delete shared objects but cannot move or clone them. A consequence of this selection is that administrators cannot perform any operations on non-shared objects other than to display them.

Device Groups
    Enable or disable read-write access for specific device groups in the access domain. You can also click Enable All or Disable All. Enabling read-write access for a device group automatically enables the same access for its descendants. If you manually disable a descendant, access for its highest ancestor automatically changes to read-only. By default, access is disabled for all device groups.
    If you want the list to display only specific device groups, select the device group names and Filter Selected.
    If you set the access for shared objects to shared-only, Panorama applies read-only access to any device groups for which you specify read-write access.

Templates
    For each template or template stack you want to assign, click Add and select it from the dropdown.

Device Context (Corresponds to the Device/Virtual Systems column in the Access Domain page)
    Select the firewalls to which the administrator can switch context for performing local configuration. If the list is long, you can filter by Device State, Platforms, Device Groups, Templates, Tags, and HA Status.
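The Device Groups and Shared Objects rules above interact in ways that are easy to get wrong when reviewing an access domain, so the following added example (not Panorama's code) models them over a small constructed hierarchy and computes the effective access level of every device group. Two points are my own interpretation, not stated by the guide: "highest ancestor" is treated as every enabled ancestor of the manually disabled group, and disabling a group also disables its own descendants.

```python
"""Model of the Device Groups access rules for a Panorama access domain.

Added example, not Panorama's code. Rules taken from the Access Domain Settings table:
  1. enabling a device group gives read-write access to all of its descendants;
  2. manually disabling a descendant turns its enabled ancestors read-only;
  3. Shared Objects = shared-only demotes every read-write group to read-only.
Interpretation (mine): rule 2 applies to every enabled ancestor, and a disabled
group disables its descendants too. Group names and the hierarchy are constructed.
"""
from typing import Dict, Iterable, List, Optional

Hierarchy = Dict[str, Optional[str]]   # device group -> parent (None = directly under Shared)

DISABLED, READ_ONLY, READ_WRITE = "disabled", "read-only", "read-write"
MAX_ANCESTORS = 3   # the guide allows up to four levels under Shared


def ancestors(group: str, hierarchy: Hierarchy) -> List[str]:
    """Ancestors of `group`, nearest first (the Shared location itself is not listed)."""
    chain: List[str] = []
    parent = hierarchy[group]
    while parent is not None:
        chain.append(parent)
        parent = hierarchy[parent]
    return chain


def descendants(group: str, hierarchy: Hierarchy) -> List[str]:
    """Every device group that has `group` somewhere above it."""
    return [g for g in hierarchy if group in ancestors(g, hierarchy)]


def check_depth(hierarchy: Hierarchy) -> None:
    """Reject hierarchies deeper than the four levels the guide allows."""
    for g in hierarchy:
        if len(ancestors(g, hierarchy)) > MAX_ANCESTORS:
            raise ValueError(f"{g} is nested deeper than four levels under Shared")


def effective_access(hierarchy: Hierarchy, enabled: Iterable[str], disabled: Iterable[str],
                     shared_objects: str = "write") -> Dict[str, str]:
    """Return the effective access level for every device group in the hierarchy.

    enabled:        groups the administrator explicitly enabled (read-write)
    disabled:       groups the administrator manually disabled afterwards
    shared_objects: the Shared Objects setting ("read", "write" or "shared-only")
    """
    check_depth(hierarchy)
    access = {g: DISABLED for g in hierarchy}          # default: disabled everywhere
    for g in enabled:                                   # rule 1
        access[g] = READ_WRITE
        for d in descendants(g, hierarchy):
            access[d] = READ_WRITE
    for g in disabled:                                  # rule 2
        access[g] = DISABLED
        for d in descendants(g, hierarchy):             # interpretation: descendants follow
            access[d] = DISABLED
        for a in ancestors(g, hierarchy):
            if access[a] == READ_WRITE:
                access[a] = READ_ONLY
    if shared_objects == "shared-only":                 # rule 3
        for g, level in access.items():
            if level == READ_WRITE:
                access[g] = READ_ONLY
    return access


# Constructed sample: Shared > Europe > {Datacenter, Branch}; Shared > US
SAMPLE_HIERARCHY: Hierarchy = {"Europe": None, "Datacenter": "Europe", "Branch": "Europe", "US": None}

if __name__ == "__main__":
    for g, level in effective_access(SAMPLE_HIERARCHY, ["Europe"], ["Datacenter"]).items():
        print(f"{g:12} {level}")
```

Running the sample with Europe enabled and Datacenter then disabled shows why the guide's note matters: Europe itself drops to read-only even though it was the group the administrator enabled, while Branch keeps read-write unless Shared Objects is shared-only.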

Panorama > Managed Devices

A Palo Alto Networks firewall that Panorama manages is called a managed device. Panorama can manage firewalls running the same major release or earlier supported versions, but Panorama cannot manage firewalls running a later release version. For example, Panorama 7.1 can manage firewalls running PAN-OS 7.1 and earlier supported releases, but it cannot manage firewalls running PAN-OS 8.0.
- Managed Firewall Administration
- Managed Firewall Information
- Firewall Software and Content Updates
- Firewall Backups

Managed Firewall Administration

You can perform the following administrative tasks on firewalls.

Task

Add
    Add firewalls and enter their serial numbers (one per row) to add them as managed devices. The Managed Devices window will then display Managed Firewall Information, including connection status, installed updates, and properties that were set during initial configuration.
    Next, enter the IP address of the Panorama management server on each firewall (see Device > Setup > Management) so that Panorama can manage the firewalls.
    The firewall registers with Panorama over an SSL connection with AES-256 encryption. Panorama and the firewall authenticate each other using 2,048-bit certificates and use the SSL connection for configuration management and log collection.

Delete
    Select one or more firewalls and click Delete to remove them from the list of firewalls that Panorama manages.

Tag
    Select one or more firewalls, click Tag, and enter a text string of up to 31 characters or select an existing tag. Do not use an empty space. Wherever the web interface displays a long list of firewalls (for example, in the dialog for installing software), tags provide one means to filter the list. For example, you can use a tag called branch-office to filter for all branch office firewalls across your network.

Install
    Click Install to install Firewall Software and Content Updates.

Group HA Peers
    Select Group HA Peers if you want the Managed Devices page to group firewalls that are peers in a high availability (HA) configuration. You then can only select to perform actions on both peers or neither peer in each HA pair.

Manage (Backups)
    Click Manage to manage Firewall Backups.

Managed Firewall Information

Select Panorama > Managed Devices to display the following information for each managed firewall.

Managed Firewall Information

Device Group
    Displays the name of the device group in which the firewall is a member. By default, this column is hidden, though you can display it by selecting the dropdown in any column header and selecting Columns > Device Group.
    Regardless of whether the column is visible, the page displays firewalls in clusters according to their device group. Each cluster has a header row that displays the device group name, the total number of assigned firewalls, the number of connected firewalls, and the device group path in the hierarchy. For example, Datacenter (2/4 Devices Connected): Shared > Europe > Datacenter would indicate that a device group named Datacenter has four member firewalls (two of which are connected) and is a child of a device group named Europe. You can collapse or expand any device group to hide or display its firewalls.

Device Name
    Displays the hostname or serial number of the firewall.
    For the VM-Series NSX edition firewall, the firewall name appends the hostname of the ESXi host. For example, PA-VM:Host-NY5105

Virtual System
    Lists the virtual systems available on a firewall that is in Multiple Virtual Systems mode.

Tags
    Displays the tags defined for each firewall/virtual system.

Serial Number
    Displays the serial number of the firewall.

IP Address
    Displays the IP address of the firewall/virtual system.

Template
    Displays the template or template stack to which the firewall is assigned.

Status
    Device State: Indicates the state of the connection between Panorama and the firewall: Connected or Disconnected.
    A VM-Series firewall can have two additional states:
    - Deactivated: Indicates that you have deactivated a virtual machine either directly on the firewall or by selecting Deactivate VMs (Panorama > Device Deployment > Licenses) and removed all licenses and entitlements on the firewall. A deactivated firewall is no longer connected to Panorama because the deactivation process removes the serial number on the VM-Series firewall.
    - Partially deactivated: Indicates that you have initiated the license deactivation process from Panorama, but the process is not fully complete because the firewall is offline and Panorama cannot communicate with it.

    HA Status: Indicates whether the firewall is:
    - Active: Normal traffic-handling operational state
    - Passive: Normal backup state
    - Initiating: The firewall is in this state for up to 60 seconds after boot-up
    - Non-functional: Error state
    - Suspended: An administrator disabled the firewall
    - Tentative: For a link or path monitoring event in an active/active configuration

    Shared Policy: Indicates whether the policy and object configurations on the firewall are synchronized with Panorama.

    Template: Indicates whether the network and device configurations on the firewall are synchronized with Panorama.

    Certificate: Indicates the managed device's client certificate status.
    - Predefined: The managed device is using a predefined certificate to authenticate with Panorama.
    - Deployed: The custom certificate is successfully deployed on the managed device.
    - Expires in N days N hours: The currently installed certificate will expire in less than 30 days.
    - Expires in N minutes: The currently installed certificate will expire in less than one day.
    - Client Identity Check Passed: The certificate common name matches the serial number of the connecting device.
    - OCSP Status Unknown: Panorama cannot get the OCSP status from the OCSP responder.
    - OCSP Status Unavailable: Panorama cannot contact the OCSP responder.
    - CRL Status Unknown: Panorama cannot get the revocation status from the CRL database.
    - CRL Status Unavailable: Panorama cannot contact the CRL database.

    - OCSP/CRL Status Unknown: Panorama cannot get the OCSP or revocation status when both are enabled.
    - OCSP/CRL Status Unavailable: Panorama cannot contact the OCSP or CRL database when both are enabled.
    - Untrusted Issuer: The managed device has a custom certificate but the server is not validating it.

    Last Commit State: Indicates whether the last commit failed or succeeded on the firewall.

Software Version | Apps and Threat | Antivirus | URL Filtering | GlobalProtect Client | WildFire
    Displays the software and content versions that are currently installed on the firewall. For details, see Firewall Software and Content Updates.

Backups
    On each firewall commit, PAN-OS automatically sends a firewall configuration backup to Panorama. Click Manage to view the available configuration backups and optionally load one. For details, see Firewall Backups.
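The certificate-status thresholds in the Status row above (under 30 days, under one day, and the common-name-equals-serial identity check) are worth reproducing in an inventory script so that a renewal can be scheduled before Panorama starts showing the warning. The following is an added example, not Panorama's code: the "Expired" string, the function names, and the sample serial numbers are my own assumptions (the guide lists no status for an already-expired certificate).

```python
"""Classifier for the managed-device client certificate statuses listed above.

Added example, not Panorama's code. It reproduces the guide's two expiry
thresholds ("Expires in N days N hours" under 30 days, "Expires in N minutes"
under one day) and the Client Identity Check (common name equals the device
serial number). "Expired", the function names and the sample data are mine.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Sequence, Tuple

WARN_WINDOW = timedelta(days=30)     # guide: "less than 30 days"
URGENT_WINDOW = timedelta(days=1)    # guide: "less than one day"


def certificate_status(not_after: datetime, now: datetime, predefined: bool = False) -> str:
    """Return the status string Panorama would show for a client certificate."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "Expired"  # assumption: not one of the guide's listed states
    if remaining < URGENT_WINDOW:
        return f"Expires in {int(remaining.total_seconds() // 60)} minutes"
    if remaining < WARN_WINDOW:
        days, rest = divmod(remaining, timedelta(days=1))
        hours = rest // timedelta(hours=1)
        return f"Expires in {days} days {hours} hours"
    return "Predefined" if predefined else "Deployed"


def client_identity_check(common_name: str, serial_number: str) -> bool:
    """Client Identity Check Passed: the certificate CN must equal the connecting device's serial."""
    return common_name == serial_number


def expiring_devices(inventory: Sequence[Tuple[str, datetime]], now: datetime,
                     window: timedelta = WARN_WINDOW) -> List[str]:
    """Serials from a constructed inventory [(serial, not_after)] that fall inside the warning window."""
    return [serial for serial, not_after in inventory if timedelta(0) < not_after - now < window]


def status_in(days: int = 0, hours: int = 0, minutes: int = 0, predefined: bool = False) -> str:
    """Convenience wrapper: status of a certificate expiring the given time from a fixed reference."""
    now = datetime(2017, 2, 6, tzinfo=timezone.utc)   # constructed reference time (the guide's revision date)
    return certificate_status(now + timedelta(days=days, hours=hours, minutes=minutes), now, predefined)


if __name__ == "__main__":
    now = datetime(2017, 2, 6, tzinfo=timezone.utc)
    sample = [("001701000001", now + timedelta(days=10, hours=5)),   # constructed serials
              ("001701000002", now + timedelta(hours=3)),
              ("001701000003", now + timedelta(days=365))]
    for serial, not_after in sample:
        print(serial, certificate_status(not_after, now))
    print("needs renewal:", expiring_devices(sample, now))
```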

Firewall Software and Content Updates

To install a software or content update on a managed firewall, first use the Panorama > Device Deployment pages to download or upload the update to Panorama. Then select the Panorama > Managed Devices page, click Install, and complete the following fields.

    To reduce traffic on the management (MGT) interface, you can configure Panorama to use a separate interface for deploying updates (see Panorama > Setup > Interfaces).

Firewall Software/Content Update Installation Options

Type
    Select the type of update you want to install: PAN-OS Software, GlobalProtect Client software, Apps and Threats signatures, Antivirus signatures, WildFire, or URL Filtering.

File
    Select the update image. The dropdown includes only images that you downloaded or uploaded to Panorama using the Panorama > Device Deployment pages.

Filters
    Select Filters to filter the Devices list.

Devices
    Select the firewalls on which you want to install the image.

Device Name
    The firewall name.

Current Version
    The update version of the selected Type that is currently installed on the firewall.

HA Status
    Indicates whether the firewall is:
    - Active: Normal traffic-handling operational state
    - Passive: Normal backup state
    - Initiating: The firewall is in this state for up to 60 seconds after boot-up
    - Non-functional: Error state
    - Suspended: An administrator disabled the firewall
    - Tentative: For a link or path monitoring event in an active/active configuration

Group HA Peers
    Select to group firewalls that are peers in a high availability (HA) configuration.

Filter Selected
    If you want the Devices list to display only specific firewalls, select the corresponding device names and Filter Selected.

Upload only to device
    Select to upload the image on the firewall but not automatically reboot the firewall. The image is installed when you manually reboot the firewall.

Reboot device after Install (Software only)
    Select to upload and install the software image. The installation process triggers a reboot.

Disable new apps in content update (Apps and Threats only)
    Select to disable applications in the update that are new relative to the last installed update. This protects against the latest threats while giving you the flexibility to enable applications after preparing any policy updates. Then, to enable applications, log in to the firewall, select Device > Dynamic Updates, click Apps in the Features column to display the new applications, and click Enable/Disable for each application you want to enable.

Firewall Backups

Panorama > Managed Devices
Panorama automatically backs up every configuration change you commit to managed firewalls. To manage the backups for a firewall, select Panorama > Managed Devices, click Manage in the Backups column for the firewall, and perform any of the following tasks.

    To configure the number of firewall configuration backups that Panorama stores, select Panorama > Setup > Management, edit the Logging and Reporting Settings, select Log Export and Reporting, and enter the Number of Versions for Config Backups (default is 100).

Task

Display details about a saved or committed configuration.
    In the Version column for the backup, click the saved configuration filename or committed configuration version number to display the contents of the associated XML file.

Restore a saved or committed configuration to the candidate configuration.
    In the Action column for the backup, click Load and Commit.

Remove a saved configuration.
    In the Action column for the saved backup, click Delete.

Panorama > Templates

Through the Device and Network tabs, you can deploy a common base configuration to multiple firewalls that require similar settings using a template or a template stack (a combination of templates). When managing firewall configurations with Panorama, you use a combination of device groups (to manage shared policies and objects) and templates (to manage shared device and network settings).
In addition to the settings available from the dialogs for creating Templates or Template Stacks, Panorama > Templates displays the following columns:
- Type: Identifies the listed entries as templates or template stacks.
- Stack: Lists the templates assigned to a template stack.

What do you want to do?

Add, clone, edit, or delete a template
    See: Templates

Add, clone, edit, or delete a template stack
    See: Template Stacks

Looking for more?
    See: Templates and Template Stacks
    See: Manage Templates and Template Stacks

Templates

Panorama supports up to 1,024 templates. To configure a template, Add one and configure the settings as described in the following table.

    After configuring a template, you must commit your changes in Panorama (see Panorama Commit Operations). After you configure the network and device settings of firewalls assigned to the template, you must perform a template commit to push the settings to the firewalls.
    Deleting a template, or removing a firewall from one, does not delete the values that Panorama has pushed to the firewall. When you remove a firewall from a template, Panorama no longer pushes new updates to that firewall.

Template Settings

Name
    Enter a template name (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, periods, and underscores.
    In the Device and Network tabs, this name appears in the Template dropdown. The settings you modify in these tabs apply only to the selected Template.

Default VSYS
    Select a virtual system if you want Panorama to push configurations specific to that virtual system (such as interfaces) to firewalls that don't have multiple virtual systems.

Description
    Enter a description for the template.

Devices
    Select each firewall that you want to add to the template. You can assign a given firewall to only one template or stack. Therefore, if you will use the template only within a stack, do not assign firewalls to the template, just to the stack (see Template Stacks).
    If the list of firewalls is long, you can filter it by Platforms, Device Groups, Tags, and HA Status. For each of these categories, the dialog displays the number of managed firewalls.
    You can assign firewalls that have non-matching modes (VPN mode, multiple virtual systems mode, or operational mode) to the same template. Panorama pushes mode-specific settings only to firewalls that support those modes.

Select All
    Selects every firewall in the list.

Deselect All
    Deselects every firewall in the list.

Group HA Peers
    Select to group firewalls that are high availability (HA) peers. The list then displays the active firewall (or active-primary firewall in an active/active configuration) first and displays the passive firewall (or active-secondary firewall in an active/active configuration) in parentheses. This enables you to easily identify firewalls that have an HA configuration and, when pushing template settings, you can push to the grouped pair instead of to each firewall individually.

Filter Selected
    To display only specific firewalls, select the firewalls and then Filter Selected.

Template Stacks

A template stack is a combination of templates. By assigning firewalls to a stack, you can push all the necessary settings to them without the redundancy of adding every setting to every template. Panorama supports up to 1,024 stacks. To configure a template stack, Add Stack and configure the settings as described in the following table.

    After configuring a template stack, commit your changes in Panorama (see Panorama Commit Operations). After you configure the network and device settings of firewalls assigned to the stack, you must perform a template commit to push the settings to the firewalls.
    Deleting a template stack or removing a firewall from a template stack does not delete the values that Panorama previously pushed to that firewall; however, when you remove a firewall from a template stack, Panorama no longer pushes new updates to that firewall.

Template Stack Settings

Name
    Enter a stack name (up to 31 characters). The name is case-sensitive, must be unique, must start with a letter, and can contain only letters, numbers, and underscores. In the Device and Network tabs, the Template dropdown displays the stack name and its assigned templates.

Description
    Enter a description for the stack.

Templates
    Add each template you want to include in the stack (up to 16).
    If templates have duplicate settings, Panorama pushes only the settings of the higher template in the list to the assigned firewalls. For example, if Template_A is above Template_B in the list, and both templates define the ethernet1/1 interface, Panorama pushes the ethernet1/1 definition from Template_A and not from Template_B. To change the order, select a template and Move Up or Move Down.
    Panorama doesn't validate template combinations in stacks, so plan the order in a way that avoids invalid relationships.

Devices
    Select each firewall that you want to add to the stack.
    If the list of firewalls is long, you can filter it by Platforms, Device Groups, Tags, and HA Status.
    You can assign firewalls that have non-matching modes (VPN mode, multiple virtual systems mode, or operational mode) to the same stack. Panorama pushes mode-specific settings only to firewalls that support those modes.

Select All
    Selects every firewall in the list.

Deselect All
    Deselects every firewall in the list.

Group HA Peers
    Groups firewalls that are high availability (HA) peers. This enables you to easily identify firewalls that have an HA configuration. When pushing settings from the template stack, you can push to the grouped pair instead of to each firewall individually.

Filter Selected
    To display only specific firewalls, select them and then Filter Selected.
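Because Panorama does not validate template combinations, it helps to resolve a stack's precedence yourself before a template commit. The following added example (not Panorama's code) applies the "higher template wins" rule from the Templates row above to an ordered stack and reports every shadowed setting, using the guide's Template_A / Template_B / ethernet1/1 scenario. The setting paths, values and the way settings are represented as dictionaries are constructed for the example.

```python
"""Template-stack precedence resolver (added example, not Panorama's code).

Rule from the guide: when two templates in a stack define the same setting, the
higher template in the list is the one Panorama pushes. The resolver also lists
each shadowed setting so the stack order can be reviewed. Paths and values are
constructed; a stack holds at most 16 templates, as the guide states.
"""
from typing import Any, Dict, List, Sequence, Tuple

MAX_TEMPLATES_PER_STACK = 16

Template = Tuple[str, Dict[str, Any]]   # (template name, {setting path: value})


def resolve_stack(stack: Sequence[Template]) -> Tuple[Dict[str, Any], Dict[str, str], List[Tuple[str, str, str]]]:
    """Merge an ordered stack (highest template first) into the effective settings.

    Returns (effective, provenance, shadowed):
      effective:  setting path -> value Panorama would push
      provenance: setting path -> template that supplied it
      shadowed:   (setting path, winning template, losing template) per duplicate
    """
    if len(stack) > MAX_TEMPLATES_PER_STACK:
        raise ValueError(f"a stack holds at most {MAX_TEMPLATES_PER_STACK} templates")
    effective: Dict[str, Any] = {}
    provenance: Dict[str, str] = {}
    shadowed: List[Tuple[str, str, str]] = []
    for name, settings in stack:
        for path, value in settings.items():
            if path in effective:          # already supplied by a higher template: ignored
                shadowed.append((path, provenance[path], name))
                continue
            effective[path] = value
            provenance[path] = name
    return effective, provenance, shadowed


# Constructed sample matching the guide's Template_A above Template_B example
SAMPLE_STACK: List[Template] = [
    ("Template_A", {
        "network/interface/ethernet1/1": {"ip": "10.1.1.1/24", "zone": "trust"},
        "device/dns/primary": "10.1.0.53",
    }),
    ("Template_B", {
        "network/interface/ethernet1/1": {"ip": "192.168.1.1/24", "zone": "untrust"},
        "network/interface/ethernet1/2": {"ip": "192.168.2.1/24", "zone": "dmz"},
        "device/ntp/primary": "10.1.0.123",
    }),
]

if __name__ == "__main__":
    effective, provenance, shadowed = resolve_stack(SAMPLE_STACK)
    for path in effective:
        print(f"{path:35} <- {provenance[path]}")
    for path, winner, loser in shadowed:
        print(f"shadowed: {path} from {loser} (overridden by {winner})")
```

Reversing the list order in the sample flips which ethernet1/1 definition is pushed, which is exactly what Move Up and Move Down do in the dialog.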

Panorama > Device Groups

Device groups comprise firewalls and virtual systems you want to manage as a group, such as the firewalls that manage a group of branch offices or individual departments in a company. Panorama treats these groups as single units when applying policies. Firewalls can belong to only one device group but, because virtual systems are distinct entities in Panorama, you can assign virtual systems within a firewall to different device groups.
You can nest device groups in a tree hierarchy of up to four levels under the Shared location to implement a layered approach for managing policies across your network of firewalls. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups at successively higher levels, collectively called ancestors, from which the bottom-level device group inherits policies and objects. At the top level, a device group can have child, grandchild, and great-grandchild device groups, collectively called descendants. When you select Panorama > Device Groups, the Name column displays this device group hierarchy.
After adding, editing, or deleting a device group, perform a Panorama commit and device group commit (see Panorama Commit Operations). Panorama then pushes the configuration changes to the firewalls that are assigned to the device group. Panorama supports up to 1,024 device groups.
To configure a device group, Add one and configure the settings as described in the following table.

Device Group Settings

Name
    Enter a name to identify the group (up to 31 characters). The name is case-sensitive, must be unique across the entire device group hierarchy, and can contain only letters, numbers, spaces, hyphens, and underscores.

Description
    Enter a description for the device group.

Devices
    Select each firewall that you want to add to the device group. If the list of firewalls is long, you can filter by Device State, Platforms, Templates, or Tags. The Filters section displays (in parentheses) the number of managed firewalls for each of these categories.
    If the purpose of a device group is purely organizational (that is, to contain other device groups), you don't need to assign firewalls to it.

Select All
    Selects every firewall and virtual system in the list.

Deselect All
    Deselects every firewall and virtual system in the list.

Group HA Peers
    Select to group firewalls that are peers in a high availability (HA) configuration. The list then displays the active (or active-primary in an active/active configuration) firewall first and the passive (or active-secondary in an active/active configuration) firewall in parentheses. This enables you to easily identify firewalls that are in HA mode. When pushing shared policies, you can push to the grouped pair instead of individual peers.
    For HA peers in an active/passive configuration, consider adding both firewalls or their virtual systems to the same device group. This enables you to push the configuration to both peers simultaneously.

Filter Selected
    If you want the Devices list to display only specific firewalls, select the firewalls and then Filter Selected.

Parent Device Group
    Relative to the device group you are defining, select the device group (or the Shared location) that is just above it in the hierarchy (default is Shared).

Master Device
    To configure policy rules and reports based on usernames and user groups, you must select a Master Device. This is the firewall from which Panorama receives usernames, user group names, and username-to-group mapping information.
    When you change the Master Device or set it to None, Panorama loses all the user and group information received from that firewall.

Store users and groups from Master Device
    This option displays only if you select a Master Device. The option enables Panorama to locally store usernames, user group names, and username-to-group mapping information that it receives from the Master Device. To enable local storage, you must also select Panorama > Setup > Management, edit the Panorama Settings, and Enable reporting and filtering on groups.

Dynamically Added Device Properties: When a new device is added to the device group, Panorama dynamically applies the specified authorization code and PAN-OS software version to the new device. This displays only after a device group is associated with an NSX service definition in Panorama.

Authorization Code
    Enter the authorization code to be applied to devices added to this device group.

SW Version
    Select the software version to be applied to devices added to this device group.
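The Name rows of the Admin Roles, Access Domains, Templates, Template Stacks and Device Groups tables each state a slightly different character set (spaces allowed or not, periods allowed, a leading letter required), and the Administrators table adds the RADIUS VSA budget of 25 access-domain/role pairs averaging at most 9 characters. The following added example (not Panorama's own validation code) collects those rules into one checker that can be run over names in an automation pipeline before they are pushed through the XML API; the function names, the rule dictionary and the sample names are my own.

```python
"""Name-rule checker for the Panorama objects described in this guide.

Added example, not Panorama's own validation code. Character sets and the
31-character limit come from the Name rows of the Admin Roles, Access Domains,
Templates, Template Stacks and Device Groups tables; the VSA rule comes from the
Administrators table (25 access domain/role pairs, names averaging at most 9
characters). Function names, the rule table and the sample names are mine.
"""
import re
from typing import Dict, Iterable, List, Sequence, Tuple

# Each pattern encodes "up to 31 characters" plus the permitted character set.
NAME_RULES: Dict[str, "re.Pattern[str]"] = {
    "admin_role":     re.compile(r"[A-Za-z0-9 _-]{1,31}"),        # letters, numbers, spaces, hyphens, underscores
    "access_domain":  re.compile(r"[A-Za-z0-9_-]{1,31}"),         # as above, but no spaces
    "template":       re.compile(r"[A-Za-z0-9 ._-]{1,31}"),       # also allows periods
    "template_stack": re.compile(r"[A-Za-z][A-Za-z0-9_]{0,30}"),  # must start with a letter; no spaces or hyphens
    "device_group":   re.compile(r"[A-Za-z0-9 _-]{1,31}"),        # unique across the whole hierarchy
}

MAX_VSA_PAIRS = 25          # access domain/role pairs per administrator
VSA_AVG_NAME_LENGTH = 9     # average name length allowed when all 25 pairs are used


def validate_name(kind: str, name: str, existing: Iterable[str] = ()) -> List[str]:
    """Return the rule violations for `name`; an empty list means it is acceptable.

    Uniqueness is compared case-sensitively because the guide states the names are
    case-sensitive, so "DC" and "dc" count as different names.
    """
    problems: List[str] = []
    rule = NAME_RULES[kind]
    if not name:
        problems.append("name is empty")
    elif len(name) > 31:
        problems.append(f"name is {len(name)} characters; the limit is 31")
    elif not rule.fullmatch(name):
        problems.append(f"name contains characters not permitted for a {kind}")
    if name in set(existing):
        problems.append("name is already in use")
    return problems


def vsa_budget_ok(pairs: Sequence[Tuple[str, str]]) -> bool:
    """Check the RADIUS VSA note: at most 25 (access domain, role) pairs, and when all 25
    are used, the access domain and role names must average no more than 9 characters."""
    if len(pairs) > MAX_VSA_PAIRS:
        return False
    if len(pairs) == MAX_VSA_PAIRS:
        names = [n for pair in pairs for n in pair]
        return sum(len(n) for n in names) / len(names) <= VSA_AVG_NAME_LENGTH
    return True


if __name__ == "__main__":
    # Constructed sample names
    for kind, name in [("template_stack", "1st_stack"), ("access_domain", "data center"), ("template", "base.v2")]:
        print(kind, repr(name), validate_name(kind, name) or "ok")
    print("VSA budget with long names:", vsa_budget_ok([("datacenter-eu", "monitoring")] * 25))
```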

Panorama > Managed Collectors

The Panorama management server (M-Series appliance or Panorama virtual appliance in Panorama mode) can manage Dedicated Log Collectors (M-Series appliances in Log Collector mode). Each Panorama management server also has a local predefined Log Collector (named default) to process the logs it receives directly from firewalls. (A Panorama virtual appliance in Legacy mode processes the logs it receives directly from firewalls without using a local Log Collector.)
To use Panorama for managing a Dedicated Log Collector, add the Log Collector as a managed collector.

What do you want to do?

Display Log Collector information
    See: Log Collector Information

Add, edit, or delete a Log Collector
    See: Log Collector Configuration

Update Panorama software on a Log Collector
    See: Software Updates for Dedicated Log Collectors

Looking for more?
    See: Centralized Logging and Reporting
    See: Configure a Managed Collector

Log Collector Information

Select Panorama > Managed Collectors to display the following information for Log Collectors. Additional parameters are configurable during Log Collector Configuration.

Log Collector Information

Collector Name
    The name that identifies this Log Collector. This name displays as the Log Collector hostname.

Serial Number
    The serial number of the Panorama appliance that functions as the Log Collector. If the Log Collector is local, this is the serial number of the Panorama management server.

Software Version
    The Panorama software release installed on the Log Collector.

IP Address
    The IP address of the management interface on the Log Collector.

Connected
    The status of the connection between the Log Collector and Panorama.

Configuration Status/Detail
    Indicates whether the configuration on the Log Collector is synchronized with Panorama.

Run Time Status/Detail
    The status of the connection between this and other Log Collectors in the Collector Group.

Log Redistribution State
    Certain actions (for example, adding disks) will cause the Log Collector to redistribute the logs among its disk pairs. This column indicates the completion status of the redistribution process as a percentage.

Last Commit State
    Indicates whether the last Collector Group commit performed on the Log Collector failed or succeeded.

Statistics
    After you complete the Log Collector Configuration, click Statistics to view disk information, CPU performance, and the average log rate (logs/second). To better understand the log range you are reviewing, you can also view information on the oldest log that the Log Collector received.
    If you use an SNMP manager for centralized monitoring, you can also see logging statistics in the panLogCollector MIB.

Log Collector Configuration

Select Panorama > Managed Collectors to manage Log Collectors. When you Add a new Log Collector as a managed collector, the settings you configure vary based on the location of the Log Collector and whether you deployed Panorama in a high availability (HA) configuration:
- Dedicated Log Collector: When you add the Log Collector, initially the Interfaces tab doesn't display. You must enter the serial number (Collector S/N) of the Log Collector, click OK, and then edit the Log Collector to display the interface settings.
- Default Log Collector that is local to the solitary (non-HA) or active (HA) Panorama management server: After you enter the serial number (Collector S/N) of the Panorama management server, the Collector dialog displays only the Disks, Communication settings, and a subset of the General settings. The Log Collector derives its values for all other settings from the configuration of the Panorama management server.
- (HA only) Default Log Collector that is local to the passive Panorama management server: Panorama treats this Log Collector as remote, so you must configure it as you would configure a Dedicated Log Collector.

The complete procedure to configure a Log Collector requires additional tasks.

What are you looking for?

Identify the Log Collector and define its connections to the Panorama management server and to external services.
    See: General Log Collector Settings

Configure access to the Log Collector CLI.
    See: Log Collector CLI Authentication Settings

Configure the interfaces that the Dedicated Log Collector uses for management traffic, Collector Group communication, and log collection.
    See: Log Collector Interface Settings

Configure the RAID disks that store logs collected from firewalls.
    See: Log Collector RAID Disk Settings

Configure the Log Collector to receive user mapping information from User-ID agents.
    See: User-ID Agent Settings

Configure the Log Collector to authenticate with Windows User-ID Agents.
    See: Connection Security

Configure security settings for communication with Panorama, other Log Collectors, and firewalls.
    See: Communication Settings

General Log Collector Settings

Panorama > Managed Collectors > General
Configure the settings as described in the following table to identify a Log Collector and define its connections to the Panorama management server, DNS servers, and NTP servers.

Log Collector General Settings

Collector S/N
    (Required) Enter the serial number of the Panorama appliance that functions as the Log Collector. If the Log Collector is local, enter the serial number of the Panorama management server.

Collector Name
    Enter a name to identify this Log Collector (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
    This name displays as the Log Collector hostname.

Inbound Certificate for Secure Syslog
    Select the certificate that the managed collector must use to securely ingest logs from the Traps ESM server. This certificate is called an inbound certificate because the Panorama/Managed Collector is the server to which the Traps ESM (client) is sending logs; the certificate is required if the Transport protocol for the log ingestion profile is SSL.

Certificate for Secure Syslog
    Select a certificate for secure forwarding of syslogs to an external Syslog server. The certificate must have the Certificate for Secure Syslog option selected (see Manage Firewall and Panorama Certificates). When you assign a Syslog server profile to the Collector Group that includes this Log Collector (see Panorama > Collector Groups, Panorama > Collector Groups > Collector Log Forwarding), the Transport protocol of the server profile must be SSL (see Device > Server Profiles > Syslog).

Panorama Server IP
    Specify the IP address of the Panorama management server that manages this Log Collector.

Panorama Server IP 2
    Specify the IP address of the secondary peer if the Panorama management server is deployed in a high availability (HA) configuration.

Domain
    Enter the domain name of the Log Collector.

Primary DNS Server
    Enter the IP address of the primary DNS server. The Log Collector uses this server for DNS queries (for example, to find the Panorama management server).

Secondary DNS Server
    (Optional) Enter the IP address of a secondary DNS server to use if the primary server is unavailable.

Primary NTP Server
    Enter the IP address or hostname of the primary NTP server, if any. If you do not use NTP servers, you can set the Log Collector time manually.

Secondary NTP Server
    (Optional) Enter the IP address or hostname of secondary NTP servers to use if the primary server is unavailable.

Timezone
    Select the time zone of the Log Collector.

Latitude
    Enter the latitude (-90.0 to 90.0) of the Log Collector. Traffic and threat maps use the latitude for App-Scope.

Longitude
    Enter the longitude (-180.0 to 180.0) of the Log Collector. Traffic and threat maps use the longitude for App-Scope.

Log Collector CLI Authentication Settings

Panorama > Managed Collectors > Authentication

An M-Series appliance in Log Collector mode (Dedicated Log Collector) has no web interface, only a CLI. You can use the Panorama management server to configure most settings on a Dedicated Log Collector, but some settings require CLI access. To configure authentication settings for CLI access, configure the settings as described in the following table.

Log Collector Authentication Settings   Description

Users
  Always displays as admin and is used for the local CLI login name on the Log Collector.

Mode
  Select the password Mode:
  Password: Enter a plaintext Password and Confirm Password.
  Password Hash: Enter a hashed password string. This can be useful if, for example, you want to reuse the password of an existing Unix account but do not know the plaintext password, only the hashed password. Panorama accepts any string of up to 63 characters regardless of the algorithm used to generate the hash value. The operational CLI command request password-hash password <password> uses the MD5 algorithm. When you commit your changes, Panorama pushes the hash value to the Log Collector and the administrator password will be the specified <password>.

Failed Attempts
  Enter the number of failed login attempts allowed on the CLI before locking out the administrator account (range is 0 to 10; default is 0). The default (0) specifies unlimited login attempts. Limiting login attempts can help protect the Log Collector from brute-force attacks.
  If you set Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the Failed Attempts value is ignored and the user is never locked out. If you use the default 0 for both fields, the user is never locked out.

Lockout Time
  Enter the number of minutes for which the Log Collector locks out the administrator after the number of Failed Attempts is reached (range is 0 to 60; default is 0).
  If you set the Lockout Time to a value other than 0 but leave Failed Attempts at 0, the Lockout Time is ignored and the user is never locked out. If you use the default 0 for both fields, the user is never locked out. Lockout therefore only takes effect when both fields are non-zero.
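The two-field semantics above are easy to get wrong in an audit script, so the following added example (not code from the guide or from Palo Alto Networks) models them: a lockout counter that is only enforced when both Failed Attempts and Lockout Time are non-zero, with a zero in either field disabling it. The class names, the `password_check` callable and the epoch-second clock are assumptions made for this illustration.

```python
"""Added example: a model of the Log Collector CLI lockout rules.
Lockout is enforced only when BOTH Failed Attempts (1..10) and Lockout Time
(1..60 minutes) are non-zero; a 0 in either field means 'never lock out'.
Hypothetical reconstruction for illustration, not Palo Alto Networks code."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LockoutPolicy:
    failed_attempts: int  # 0..10, 0 = unlimited attempts
    lockout_minutes: int  # 0..60, 0 = never lock

    def __post_init__(self) -> None:
        if not 0 <= self.failed_attempts <= 10:
            raise ValueError("Failed Attempts must be 0..10")
        if not 0 <= self.lockout_minutes <= 60:
            raise ValueError("Lockout Time must be 0..60")

    @property
    def enforced(self) -> bool:
        # Either field at 0 means the other is ignored and the user is never locked out.
        return self.failed_attempts > 0 and self.lockout_minutes > 0


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None  # epoch seconds; None = not locked


class CliLoginGuard:
    def __init__(self, policy: LockoutPolicy, password_check: Callable[[str, str], bool]):
        self.policy = policy
        self.check = password_check  # (username, password) -> bool; assumed verifier
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one CLI login attempt at time `now`."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"          # still inside the lockout window
            st.locked_until = None       # window expired: start counting afresh
            st.failures = 0
        if self.check(user, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if self.policy.enforced and st.failures >= self.policy.failed_attempts:
            st.locked_until = now + self.policy.lockout_minutes * 60
            st.failures = 0
            return "locked"
        return "denied"
```

The guard unlocks purely by time, matching the page's description that the lockout lasts for Lockout Time minutes; a correct password during the window is still refused.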

Log Collector Interface Settings

Panorama > Managed Collectors > Interfaces

By default, Dedicated Log Collectors (M-Series appliances in Log Collector mode) use the management (MGT) interface for management traffic, log collection, and Collector Group communication. However, Palo Alto Networks recommends that you assign separate interfaces for log collection and Collector Group communication to reduce traffic on the MGT interface. You can improve security by defining a separate subnet for the MGT interface that is more private than the subnets for the other interfaces. To use separate interfaces, you must first configure them on the Panorama management server (see Device > Setup > Management). The interfaces that are available for log collection and Collector Group communication vary based on the Log Collector appliance model:

M-100 appliance: Ethernet1, Ethernet2, Ethernet3 (all 1Gbps interfaces)
M-500 appliance: Ethernet1 (1Gbps), Ethernet2 (1Gbps), Ethernet3 (1Gbps), Ethernet4 (10Gbps), Ethernet5 (10Gbps)

To configure an interface, select the link and configure the settings as described in the following table.

To complete the configuration of the MGT interface, you must specify the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway. If you commit a partial configuration (for example, if you omit the default gateway), you can only access the firewall or Panorama through the console port for future configuration changes.

Always commit a complete MGT interface configuration. You cannot commit the configurations for other interfaces unless you specify the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway.

Log Collector Interface Settings   Description

Eth1/Eth2/Eth3/Eth4/Eth5
  You must enable an interface to configure it. The exception is the MGT interface, which is enabled by default.

Speed and Duplex
  Configure a data rate and duplex option for the interface. The choices include 10Mbps, 100Mbps, 1Gbps, and 10Gbps (Eth4 and Eth5 only) at full or half duplex. Use the default auto-negotiate setting to have the Log Collector determine the interface speed.
  This setting must match the interface settings on the neighboring network equipment.

IP Address (IPv4)
  If your network uses IPv4, assign an IPv4 address to the interface.

Netmask (IPv4)
  If you assigned an IPv4 address to the interface, you must also enter a network mask (such as 255.255.255.0).

Default Gateway (IPv4)
  If you assigned an IPv4 address to the interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the interface).

IPv6 Address/Prefix Length
  If your network uses IPv6, assign an IPv6 address to the interface. To indicate the netmask, enter an IPv6 prefix length (such as 2001:400:f00::1/64).

Default IPv6 Gateway
  If you assigned an IPv6 address to the interface, you must also assign an IPv6 address to the default gateway (the gateway must be on the same subnet as the interface).

MTU
  Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 1,500; default is 1,500).

Device Log Collection
  Enable the interface for collecting logs from firewalls. For a deployment with high log traffic, you can enable multiple interfaces to perform this function. This function is enabled by default on the MGT interface.

Collector Group Communication
  Enable the interface for Collector Group communication. Only one interface can perform this function (default is the MGT interface).

Network Connectivity Services
  The Ping service is available on any interface, and enables you to test connectivity between the Log Collector interface and external services.
  The following services are available only on the MGT interface:
  SSH: Enables secure access to the Panorama CLI.
  SNMP: Enables the interface to receive statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
  User-ID: Enables the Log Collector to redistribute user mapping information received from User-ID agents.

Permitted IP Addresses
  Enter the IP addresses of the client systems that can access the Log Collector through this interface.
  An empty list (default) specifies that access is available to any client system. Palo Alto Networks recommends that you do not leave this list blank; specify the client systems of Panorama administrators to prevent unauthorized access.
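Because a partial MGT configuration leaves the appliance reachable only from the console, it is worth checking an interface configuration before committing it. The following added example (not code from the guide or from Palo Alto Networks, and not a Panorama API) encodes the rules stated above as a pre-commit validator: MGT must be complete, gateways must sit inside the interface subnet, MTU stays within 576 to 1,500, 10Gbps is only offered on Eth4/Eth5 of the M-500, SSH/SNMP/User-ID are MGT-only, only one interface carries Collector Group communication, and an empty Permitted IP list is flagged. The dict layout and the `validate()` name are assumptions made for this illustration.

```python
"""Added example: pre-commit validation of Dedicated Log Collector interface
settings against the rules documented on this page.  The configuration model
(a dict per interface) is hypothetical; it is not a Panorama API."""
import ipaddress
from typing import Dict, List

# Port capabilities in Mbps: 10Gbps exists only on Eth4/Eth5 of the M-500.
MODEL_PORTS = {
    "M-100": {"eth1": 1000, "eth2": 1000, "eth3": 1000},
    "M-500": {"eth1": 1000, "eth2": 1000, "eth3": 1000, "eth4": 10000, "eth5": 10000},
}
MGT_ONLY_SERVICES = {"ssh", "snmp", "user-id"}


def _check_v4(name: str, cfg: dict, errors: List[str]) -> None:
    ip, mask, gw = cfg.get("ip"), cfg.get("netmask"), cfg.get("gateway")
    if not ip:
        return
    if not mask or not gw:
        errors.append(f"{name}: IPv4 address set but netmask/gateway missing")
        return
    net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    if ipaddress.IPv4Address(gw) not in net:
        errors.append(f"{name}: gateway {gw} is not inside {net}")


def _check_v6(name: str, cfg: dict, errors: List[str]) -> None:
    addr, gw = cfg.get("ipv6"), cfg.get("ipv6_gateway")
    if not addr:
        return
    if "/" not in addr or not gw:
        errors.append(f"{name}: IPv6 address needs a prefix length and a gateway")
        return
    net = ipaddress.IPv6Interface(addr).network
    if ipaddress.IPv6Address(gw) not in net:
        errors.append(f"{name}: IPv6 gateway {gw} is not inside {net}")


def validate(model: str, ifaces: Dict[str, dict]) -> List[str]:
    """Return the list of problems; an empty list means the config is safe to commit."""
    errors: List[str] = []
    mgt = ifaces.get("mgt", {})
    # An incomplete MGT config leaves the appliance reachable only via the console port.
    if not (mgt.get("ip") and mgt.get("netmask") and mgt.get("gateway")):
        errors.append("mgt: IP address, netmask and default gateway are all required")
    cg_comm = [n for n, c in ifaces.items() if c.get("collector_group_comm")]
    if len(cg_comm) > 1:
        errors.append(f"Collector Group communication enabled on {cg_comm}; only one allowed")
    for name, cfg in ifaces.items():
        if name != "mgt" and name not in MODEL_PORTS[model]:
            errors.append(f"{name}: not present on {model}")
            continue
        if name != "mgt" and not cfg.get("enabled"):
            errors.append(f"{name}: must be enabled before it can be configured")
        speed = cfg.get("speed", "auto")
        if speed != "auto" and name != "mgt" and speed > MODEL_PORTS[model][name]:
            errors.append(f"{name}: {speed}Mbps exceeds port capability")
        mtu = cfg.get("mtu", 1500)
        if not 576 <= mtu <= 1500:
            errors.append(f"{name}: MTU {mtu} outside 576..1500")
        bad = MGT_ONLY_SERVICES & set(cfg.get("services", ())) if name != "mgt" else set()
        if bad:
            errors.append(f"{name}: {sorted(bad)} only available on mgt")
        if not cfg.get("permitted_ips"):
            errors.append(f"{name}: permitted IP list is empty (any client may connect)")
        _check_v4(name, cfg, errors)
        _check_v6(name, cfg, errors)
    return errors
```

Run `validate()` on the intended configuration and refuse to commit while it returns anything; the empty Permitted IP list is reported as an error rather than a warning because the page recommends never leaving it blank.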

Log Collector RAID Disk Settings

Panorama > Managed Collectors > Disks

After you configure logging disks on the M-Series appliance or Panorama virtual appliance, you can Add them to the Log Collector configuration.

By default, M-Series appliances are shipped with the first RAID 1 disk pair installed in bays A1 and A2. In the software, the disk pair in bays A1 and A2 is named Disk Pair A. The remaining bays are named sequentially: Disk Pair B, Disk Pair C, and so on. The M-500 appliance supports up to 12 disk pairs while the M-100 appliance supports up to 4 disk pairs. You can install pairs of 2TB or 1TB disks within the same appliance; however, the disk size must be the same for both drives within each pair.

The Panorama virtual appliance supports up to 12 virtual logging disks for 24TB of storage capacity.

After you add disk pairs, the Log Collector redistributes its existing logs across all the disks, which can take hours for each terabyte of logs. During the redistribution process, the maximum log ingestion rate is reduced. In the Panorama > Managed Collectors page, the Log Redistribution State column indicates the completion status of the process as a percentage.

If you use an SNMP manager for centralized monitoring, you can see logging statistics in the panLogCollector MIB.

User-ID Agent Settings

Panorama > Managed Collectors > User-ID Agents

A Dedicated Log Collector can receive user mappings from up to 100 User-ID agents. The agents can be PAN-OS integrated User-ID agents that run on firewalls or Windows-based User-ID agents. On a firewall with multiple virtual systems, each virtual system can serve as a separate User-ID agent. The Log Collector can then redistribute the user mappings to firewalls or the Panorama management server.

The complete procedures to configure user mapping and user mapping redistribution require additional tasks besides connecting to User-ID agents.

To configure a Dedicated Log Collector to connect to a User-ID agent, Add one and configure the settings as described in the following table.

User-ID Agent Settings   Description

Name
  Enter a name (up to 31 characters) to identify the User-ID agent. The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
  For a firewall serving as a User-ID agent, this field does not have to match the Collector Name field.

Host
  Windows-based User-ID agent: Enter the IP address of the Windows host on which the User-ID agent is installed.
  Firewall (PAN-OS integrated User-ID agent): Enter the hostname or IP address of the interface that the firewall uses to redistribute user mappings.

Port
  Enter the port number on which the User-ID agent will listen for User-ID requests. The default is port 5007 but you can specify any available port. Different User-ID agents can use different ports.
  Some earlier versions of the User-ID agent use port 2010 as the default.

Collector Name / Collector Pre-Shared Key / Confirm Collector Pre-Shared Key
  The collector that these fields refer to is the User-ID agent, not the Log Collector. The fields apply only if the agent is a firewall or virtual system that redistributes user mappings to the Log Collector. Enter the Collector Name and Pre-Shared Key that identify the firewall or virtual system as a User-ID agent. You must enter the same values as you did when configuring the firewall or virtual system to serve as a User-ID agent (see Enable Redistribution of User Mappings Among Firewalls).

Enabled
  Select to enable the Log Collector to communicate with the User-ID agent.

Connection Security

Panorama > Managed Collectors > Connection Security

Select the certificate profile that the Log Collector uses to validate the certificate presented by Windows-based User-ID agents. The Log Collector uses the selected certificate profile to verify the identity of the User-ID agent by validating the server certificate presented by the agent.

User-ID Certificate Profile
  From the drop-down, select the certificate profile used to authenticate with Windows-based User-ID agents, or select New Certificate Profile to create one. Select None to remove the certificate profile.

Communication Settings

Panorama > Managed Collectors > Communication

To configure custom certificate-based authentication between Log Collectors and Panorama, firewalls, and other Log Collectors, configure the settings as described in the following table.

Communication Settings   Description

Secure Server Communication
  Enabling Secure Server Communication validates the identity of client devices connecting to the Log Collector.

SSL/TLS Service Profile
  Select an SSL/TLS service profile from the drop-down. This profile defines the certificate presented by the Log Collector and specifies the range of SSL/TLS versions acceptable for communication with the Log Collector.

Certificate Profile
  Select a certificate profile from the drop-down. This certificate profile defines the certificate revocation checking behavior and the root CA used to authenticate the certificate chain presented by the client.

Custom Certificate Only
  When enabled, the Log Collector only accepts custom certificates for authentication with managed firewalls and Log Collectors.

Authorize Clients Based on Serial Number
  The Log Collector authorizes client devices based on a hash of their serial number.

Check Authorization List
  Client devices or device groups connecting to this Log Collector are checked against the authorization list.

Disconnect Wait Time (min)
  The amount of time the Log Collector waits before breaking the current connection with its managed devices. The Log Collector then reestablishes connections with its managed devices using the configured secure server communication settings. The wait time begins after the secure server communication configuration is committed.

Authorization List
  Select Add and complete the following fields to set criteria:
  Identifier: Select Subject or Subject Alt. Name as the authorization identifier.
  Type: If Subject Alt. Name is selected as the Identifier, select IP, hostname, or e-mail as the type of the identifier. If Subject is selected, common name is used as the identifier type.
  Value: Enter the identifier value.

Secure Client Communication
  Enabling Secure Client Communication ensures that the specified client certificate is used for authenticating the Log Collector over SSL connections with Panorama, firewalls, or other Log Collectors.

Certificate Type
  Select the type of device certificate (None, Local, or SCEP) used for securing communication.

None
  If None is selected, no device certificate is configured and secure client communication is not used. This is the default selection.

Local
  The Log Collector uses a local device certificate and the corresponding private key generated on the Log Collector or imported from an existing enterprise PKI server.
  Certificate: Select the local device certificate. This certificate can be unique to the Log Collector (based on a hash of the Log Collector's serial number) or a common device certificate used by all Log Collectors connecting to Panorama.
  Certificate Profile: Select the Certificate Profile from the drop-down. This certificate profile is used for defining the server authentication with the Log Collector.

SCEP
  The Log Collector uses a device certificate and private key generated by a Simple Certificate Enrollment Protocol (SCEP) server.
  SCEP Profile: Select a SCEP Profile from the drop-down.
  Certificate Profile: Select the Certificate Profile from the drop-down. This certificate profile is used for defining the server authentication with the Log Collector.

Check Server Identity
  The client device confirms the server's identity by matching the common name (CN) with the server's IP address or FQDN.
Software Updates for Dedicated Log Collectors

Panorama > Managed Collectors

To install a software image on a Dedicated Log Collector, download or upload the image to Panorama (see Panorama > Device Deployment), click Install and complete the following fields.

Because the Panorama management server shares its operating system with the local default Log Collector, you upgrade both when installing a software update on the Panorama management server (see Panorama > Software).
For Dedicated Log Collectors, you can also select Panorama > Device Deployment > Software to install updates (see Manage Software and Content Updates).
To reduce traffic on the management (MGT) interface, you can configure Panorama to use a separate interface for deploying updates (see Panorama > Setup > Interfaces).

Fields to Install a Software Update on a Log Collector   Description

File
  Select a downloaded or uploaded software image.

Devices
  Select the Log Collectors on which to install the software. The dialog displays the following information for each Log Collector:
  Device Name: The name of the Dedicated Log Collector.
  Current Version: The Panorama software release currently installed on the Log Collector.
  HA Status: This column does not apply to Log Collectors. Dedicated Log Collectors do not support high availability.

Filter Selected
  To display only specific Log Collectors, select the Log Collectors and Filter Selected.

Upload only to device (do not install)
  Select to upload the software to the Log Collector without automatically rebooting it. The image is not installed until you manually reboot by logging in to the Log Collector CLI and running the request restart system operational command.

Reboot device after Install
  Select to upload and automatically install the software. The installation process reboots the Log Collector.

Panorama > Collector Groups

Each Collector Group can have up to eight Log Collectors, to which you assign firewalls for forwarding logs. You can then use Panorama to query the Log Collectors for aggregated log viewing and investigation.

The predefined Collector Group named default contains the predefined Log Collector that is local to the Panorama management server.

Collector Group Configuration
Collector Group Information

Collector Group Configuration

To configure a Collector Group, click Add and complete the following fields.

Collector Group Settings   Configured In   Description

Name
  Configured in: Panorama > Collector Groups > General
  Enter a name to identify this Collector Group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Log Storage
  Configured in: Panorama > Collector Groups > General
  Indicates the total storage quota for firewall logs that the Collector Group receives and the available space.
  Click the storage quota link to set the storage Quota (%) and expiration period (Max Days) for the following log types:
  Detailed Firewall Logs: Includes all the log types in Device > Setup > Logging and Reporting Settings, such as traffic, threat, HIP match, dynamically registered IP addresses (IP-tag), extended PCAPs, GTP and Tunnel, App Stats, and more.
  Summary Firewall Logs: Includes all the summary logs included in Device > Setup > Logging and Reporting Settings, such as traffic summary, threat summary, URL summary, and GTP and tunnel summary.
  Infrastructure and Audit Logs: Includes the config, system, User-ID and authentication logs.
  Palo Alto Networks Platform Logs: Includes logs from Traps and other Palo Alto Networks products.
  3rd Party External Logs: Includes logs from other vendor integrations provided by Palo Alto Networks.
  To use the default settings, click Restore Defaults.

Min Retention Period (days)
  Configured in: Panorama > Collector Groups > General
  Enter the minimum log retention period in days (1 to 2,000) that Panorama maintains across all Log Collectors in the Collector Group. If the current date minus the date of the oldest log is less than the defined minimum retention period, Panorama generates a System log as an alert violation.

Collector Group Members
  Configured in: Panorama > Collector Groups > General
  Add the Log Collectors that will be part of this Collector Group (up to eight). You can add any of the Log Collectors that are available in the Panorama > Managed Collectors page. All the Log Collectors for any particular Collector Group must be the same model: all M-100 appliances, all M-500 appliances, or all Panorama virtual appliances.
  After you add Log Collectors to an existing Collector Group, Panorama redistributes its existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama > Collector Groups page, the Log Redistribution State column indicates the completion status of the process as a percentage.

Enable log redundancy across collectors
  Configured in: Panorama > Collector Groups > General
  If you select this option, each log in the Collector Group will have two copies and each copy will reside on a different Log Collector. This redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost: you can see all the logs forwarded to the Collector Group and run reports for all the log data. Log redundancy is available only if the Collector Group has multiple Log Collectors and each Log Collector has the same number of disks.
  After you enable redundancy, Panorama redistributes the existing logs across all the Log Collectors, which can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama > Collector Groups page, the Log Redistribution State column indicates the completion status of the process as a percentage. All the Log Collectors for any particular Collector Group must be the same model: all M-100 appliances, all M-500 appliances, or all Panorama virtual appliances.
  Because enabling redundancy creates more logs, this configuration requires more storage capacity. Enabling redundancy doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives. (When a Collector Group runs out of space, it deletes older logs.)

Forward to all collectors in the preference list
  Configured in: Panorama > Collector Groups > General
  (PA-5200 Series and PA-7000 Series firewalls only) Select to send logs to every Log Collector in the preference list. Panorama uses round-robin load balancing to select which Log Collector receives the logs at any given moment. This is disabled by default: firewalls send logs only to the first Log Collector in the list unless that Log Collector becomes unavailable (see Devices/Collectors).

Location
  Configured in: Panorama > Collector Groups > Monitoring
  Specify the location of the Collector Group.

Contact
  Configured in: Panorama > Collector Groups > Monitoring
  Specify an email contact (for example, the email address of the SNMP administrator who will monitor the Log Collectors).

Version
  Configured in: Panorama > Collector Groups > Monitoring
  Specify the SNMP version for communication with the Panorama management server: V2c or V3.
  SNMP enables you to collect information about Log Collectors, including connection status, disk drive statistics, software version, average CPU usage, average logs/second, and storage duration per log type. SNMP information is available on a per Collector Group basis.

SNMP Community String (V2c only)
  Configured in: Panorama > Collector Groups > Monitoring
  Enter the SNMP Community String, which identifies a community of SNMP managers and monitored devices (Log Collectors, in this case), and serves as a password to authenticate the community members to each other.
  Don't use the default community string public; it is well known and therefore not secure. A V2c community string also travels in cleartext on the wire, so prefer V3 with both authentication and privacy where your SNMP manager supports it.

Views (V3 only)
  Configured in: Panorama > Collector Groups > Monitoring
  Add a group of SNMP views and, in Views, enter a name for the group.
  Each view is a paired object identifier (OID) and bitwise mask: the OID specifies a management information base (MIB) subtree and the mask (in hexadecimal format) specifies which SNMP objects are accessible within (include matching) or outside (exclude matching) that MIB.
  For each view in the group, Add the following settings:
  View: Enter a name for a view.
  OID: Enter the OID.
  Option (include or exclude): Choose whether the view will exclude or include the OID.
  Mask: Specify a mask value for a filter on the OID (for example, 0xf0).

Users (V3 only)
  Configured in: Panorama > Collector Groups > Monitoring
  Add the following settings for each SNMP user:
  Users: Enter a username for authenticating the user to the SNMP manager.
  View: Select a group of views for the user.
  Authpwd: Enter a password for authenticating the user to the SNMP manager (minimum eight characters). Only Secure Hash Algorithm (SHA) is supported as the authentication protocol.
  Privpwd: Enter a privacy password for encrypting SNMP messages to the SNMP manager (minimum eight characters). Only Advanced Encryption Standard (AES) is supported.
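The Views table above describes each view as an OID plus a hexadecimal mask with an include or exclude option, but not how a manager's request is tested against a group of such views. The following added example (not code from the guide or from Palo Alto Networks) evaluates a view group the way SNMPv3 VACM (RFC 3415, vacmViewTreeFamily) does: each mask bit says whether the corresponding sub-identifier must match (1) or is a wildcard (0), bits beyond the mask count as 1, the longest matching subtree wins, and ties go to the lexicographically greater subtree. The guide does not state that Panorama uses exactly this rule, so that is an assumption; the sample view group and the OIDs in it are constructed for the illustration.

```python
"""Added example: deciding whether an OID is accessible under an SNMPv3 view
group of (OID, include|exclude, hex mask) entries, using the RFC 3415 VACM
subtree-family matching rule.  Not Palo Alto Networks code; the exact rule
Panorama applies is assumed to be the standard one."""
from typing import List, NamedTuple, Tuple


class View(NamedTuple):
    oid: str        # subtree, e.g. "1.3.6.1.2.1"
    option: str     # "include" or "exclude"
    mask: str = ""  # hex such as "0xf0"; empty = every sub-identifier must match


def _parse_oid(oid: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in oid.strip(".").split("."))


def _mask_bits(mask: str, length: int) -> List[bool]:
    """Expand a hex mask to one bool per sub-identifier; missing bits are treated as 1."""
    raw = mask[2:] if mask.lower().startswith("0x") else mask
    bits = [c == "1" for byte in bytes.fromhex(raw or "") for c in f"{byte:08b}"]
    return (bits + [True] * length)[:length]


def _matches(view: View, target: Tuple[int, ...]) -> bool:
    subtree = _parse_oid(view.oid)
    if len(target) < len(subtree):
        return False  # the target must lie at or below the subtree
    bits = _mask_bits(view.mask, len(subtree))
    # A 1 bit requires equality at that position; a 0 bit is a wildcard.
    return all((not b) or s == t for b, s, t in zip(bits, subtree, target))


def oid_accessible(views: List[View], oid: str) -> bool:
    """True if the most specific matching view includes the OID; False if none match."""
    target = _parse_oid(oid)
    candidates = [v for v in views if _matches(v, target)]
    if not candidates:
        return False
    best = max(candidates, key=lambda v: (len(_parse_oid(v.oid)), _parse_oid(v.oid)))
    return best.option == "include"


# Constructed sample: expose mib-2 and the Palo Alto Networks enterprise subtree
# (enterprise number 25461), but hide the ip group inside mib-2.
SAMPLE_VIEWS = [
    View("1.3.6.1.2.1", "include"),
    View("1.3.6.1.2.1.4", "exclude"),
    View("1.3.6.1.4.1.25461", "include"),
]
```

The "longest subtree wins" rule is what lets an exclude entry carve a hole out of a broader include entry, which is the usual way to keep a read-only monitoring user away from anything beyond the statistics the Collector Group needs to expose.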

Devices/Collectors
  Configured in: Panorama > Collector Groups > Device Log Forwarding
  The log forwarding preference list controls which firewalls forward logs to which Log Collectors. For each entry that you Add to the list, Modify the Devices list to assign one or more firewalls and Add one or more Log Collectors in the Collectors list.
  By default, the firewalls you assign in a list entry will send logs only to the primary (first) Log Collector as long as it is available. If the primary Log Collector fails, the firewalls send logs to the secondary Log Collector. If the secondary fails, the firewalls send logs to the tertiary Log Collector, and so on. To change the order, select a Log Collector and click Move Up or Move Down.
  You can override the default log forwarding behavior for PA-5200 Series and PA-7000 Series firewalls by selecting Forward to all collectors in the preference list in the General tab.
System / Configuration / HIP Match / Traffic / Threat / WildFire / Correlation / GTP / Authentication / User-ID / Tunnel
  Configured in: Panorama > Collector Groups > Collector Log Forwarding
  For each type of firewall log that you want to forward from this Collector Group to external services, Add one or more match list profiles. The profiles specify which logs to forward and the destination servers. For each profile, complete the following:
  Name: Enter a name of up to 31 characters to identify the match list profile.
  Filter: By default, the profile forwards All Logs of the type it applies to. To forward a subset of the logs, select an existing filter or select Filter Builder to add a new filter. For each query in a new filter, specify the following fields and Add the query:
    Connector: Select the connector logic (and/or). Select Negate if you want to apply negation. For example, to avoid forwarding logs from an untrusted zone, select Negate, select Zone as the Attribute, select equal as the Operator, and enter the name of the untrusted zone in the Value column.
    Attribute: Select a log attribute. The options vary by log type.
    Operator: Select the criterion that determines how the attribute applies (such as equal). The options vary by log type.
    Value: Specify the attribute value to match.
    To display or export the logs that the filter matches, select View Filtered Logs. This tab provides the same options as the Monitoring tab pages (such as Monitoring > Logs > Traffic).
  Description: Enter a description of up to 1,023 characters to explain the purpose of this match list profile.
  Destination servers: For each server type, Add one or more server profiles. To configure server profiles, see Device > Server Profiles > SNMP Trap, Device > Server Profiles > Syslog, Device > Server Profiles > Email, or Device > Server Profiles > HTTP.
  Built-in Actions: You can Add actions for all log types except System and Configuration logs:
    Enter a descriptive name for the Action.
    Select the IP address you want to tag: Source Address or Destination Address. You can tag only the source IP address in Correlation logs and HIP Match logs.
    Select the action: Add Tag or Remove Tag.
    Select whether to register the tag with the local User-ID agent on this Panorama, or with a remote User-ID Agent. To register tags with a Remote device User-ID Agent, select the HTTP server profile that will enable forwarding.
    Enter or select the Tags you want to apply or remove from the target source or destination IP address.

Ingestion Profile
  Configured in: Panorama > Collector Groups > Log Ingestion
  Add one or more log ingestion profiles that allow Panorama to receive logs from the Traps ESM server. To configure a new log ingestion profile, see Panorama > Log Ingestion Profile.
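The Filter Builder fields above (Connector, Negate, Attribute, Operator, Value) define which logs a match list profile forwards. The following added example (not code from the guide or from Palo Alto Networks) is a small evaluator for such a filter, run over constructed sample traffic records, including the page's own Negate/Zone/equal example. The record layout, the operator set and the function names are assumptions made for this illustration; PAN-OS exposes a different attribute set per log type.

```python
"""Added example: evaluating a match list filter (queries joined by and/or,
each optionally negated) over constructed sample log records.  Attribute and
operator names are illustrative, not the PAN-OS attribute catalogue."""
from typing import Callable, Dict, List, NamedTuple


class Query(NamedTuple):
    connector: str   # "and" | "or" (ignored for the first query in a filter)
    negate: bool
    attribute: str   # e.g. "zone", "action", "bytes"
    operator: str    # "equal" | "not equal" | "greater than" | "contains"
    value: object


OPERATORS: Dict[str, Callable[[object, object], bool]] = {
    "equal": lambda a, b: a == b,
    "not equal": lambda a, b: a != b,
    "greater than": lambda a, b: a > b,
    "contains": lambda a, b: str(b) in str(a),
}


def query_matches(q: Query, record: Dict) -> bool:
    if q.attribute not in record:
        return False  # attribute absent for this log type: never a match
    result = OPERATORS[q.operator](record[q.attribute], q.value)
    return not result if q.negate else result


def filter_matches(queries: List[Query], record: Dict) -> bool:
    """Evaluate queries left to right with their connectors; an empty filter is All Logs."""
    if not queries:
        return True
    acc = query_matches(queries[0], record)
    for q in queries[1:]:
        cur = query_matches(q, record)
        acc = (acc and cur) if q.connector == "and" else (acc or cur)
    return acc


def select_for_forwarding(queries: List[Query], records: List[Dict]) -> List[Dict]:
    """Return the records a match list profile with this filter would forward."""
    return [r for r in records if filter_matches(queries, r)]


# Constructed sample traffic logs (not real firewall output).
SAMPLE_TRAFFIC = [
    {"id": 1, "zone": "untrust", "action": "allow", "bytes": 1200},
    {"id": 2, "zone": "dmz", "action": "deny", "bytes": 80},
    {"id": 3, "zone": "trust", "action": "allow", "bytes": 5_000_000},
    {"id": 4, "zone": "untrust", "action": "deny", "bytes": 40},
]
```

Queries are combined strictly left to right here; check the behaviour of mixed and/or filters in View Filtered Logs before relying on them, since the page does not state the precedence Panorama applies.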

Collector Group Information

Select Panorama > Collector Groups to display the following information for Collector Groups. Additional fields are configurable after you complete the Log Collector Configuration.

Collector Group Information   Description

Name
  A name that identifies the Collector Group.

Redundancy Enabled
  Indicates whether log redundancy is enabled for the Collector Group. You can enable log redundancy for a Collector Group after you complete or modify the Log Collector Configuration.

Collectors
  The Log Collectors assigned to the Collector Group.

Log Redistribution State
  Certain actions (for example, enabling log redundancy) will cause the Collector Group to redistribute the logs among its Log Collectors. This column indicates the completion status of the redistribution process as a percentage.

Panorama > Plugins

Select Panorama > Plugins to add, remove, and manage the plugins that support third-party integration.

Plugins   Description

Upload
  Allows you to upload a plugin installation file from a local directory. This does not install the plugin. After uploading the installation file, the Install link becomes active.

File Name
  The plugin file name.

Version
  The plugin version number.

Release date
  The release date of this version of the plugin.

Size
  The plugin file size.

Installed
  Provides the current installation status of each plugin on Panorama.

Actions
  Install: Installs the specified version of the plugin. Installing a new version of the plugin overwrites the previously installed version.
  Delete: Deletes the specified plugin file.
  Remove Config: Removes all configuration related to the plugin.
  Uninstall: Removes the current installation of the plugin. This does not remove the plugin file from Panorama. If you uninstall the plugin, you lose any configuration related to that plugin. Only use it when completely removing the related configuration.


PanoramaWebInterface Panorama>VMwareNSX

Panorama>VMwareNSX

ToautomatetheprovisioningofaVMSeriesNSXeditionfirewall,youmustenablecommunicationbetween
theNSXManagerandPanorama.WhenPanoramaregisterstheVMSeriesfirewallasaserviceontheNSX
Manager,theNSXManagerhastheconfigurationsettingsrequiredtoprovisiononeormoreinstancesof
theVMSeriesfirewallsoneachESXihostinthecluster.

Whatdoyouwanttoknow? See:

HowdoIconfigureaNotify ConfigureaNotifyGroup
Group?

HowdoIdefinetheconfiguration CreateServiceDefinitions
fortheVMSeriesNSXedition
firewall?

HowdoIconfigurePanoramato ConfigureAccesstotheNSXManager
communicatewiththeNSX
Manager?

HowdoIdefinesteeringrulesfor CreateSteeringRules
theVMSeriesNSXedition
firewall?

HowdoIconfigurethefirewallto SelectObjects>AddressGroupsandPolicies>Security
consistentlyenforcepolicyinthe
dynamicvSphereenvironment? ToenablePanoramaandthefirewallstolearnaboutthechangesin
thevirtualenvironment,useDynamicAddressGroupsassource
anddestinationaddressobjectsinSecuritypolicyprerules.

Looking for more? SeeSetupaVMSeriesNSXEditionFirewall

Configure a Notify Group

Panorama > Notify Group

Notify Group Settings   Description

Name
  Enter a descriptive name for your notify group.

Notify Device Groups
  Check the boxes of the device groups that must be notified of additions or modifications to the virtual machines deployed on the network.
  As new virtual machines are provisioned or existing machines are modified, the changes in the virtual network are provided as updates to Panorama. When configured to do so, Panorama populates and updates the dynamic address objects referenced in policy rules so that the firewalls in the specified device groups receive changes to the registered IP addresses in the dynamic address groups.
  To enable notification, make sure to select every device group to which you want to enable notification. If you are not able to select a device group (no check box available), it means that the device group is automatically included by virtue of the device group hierarchy.
  This notification process creates context awareness and maintains application security on the network. If, for example, you have a group of hardware-based perimeter firewalls that must be notified when a new application or web server is deployed, this process initiates an automatic refresh of the dynamic address groups for the specified device group. All policy rules that reference the dynamic address object then automatically include any newly deployed or modified application or web servers and can be securely enabled based on your criteria.

Create Service Definitions

Panorama > VMware NSX > Service Definitions

A service definition allows you to register the VM-Series firewall as a partner security service on the NSX Manager. You can define up to 32 service definitions on Panorama and synchronize them on the NSX Manager.

Typically, you will create one service definition for each tenant in an ESXi cluster. Each service definition specifies the OVF (PAN-OS version) used to deploy the firewall and includes the configuration for the VM-Series firewalls installed on the ESXi cluster. To specify the configuration, a service definition must have a unique template, a unique device group and the license auth codes for the firewalls that will be deployed using the service definition. When the firewall is deployed, it connects to Panorama and receives both its configuration settings, including the zone(s) for each tenant or department that the firewall will secure, and its policy settings from the device group specified in the service definition.

To add a new service definition, configure the settings as described in the following table.

Field   Description

Name
  Enter the name for the service you want to display on the NSX Manager.

Description
  (Optional) Enter a label to describe the purpose or function of this service definition.

Device Group
  Select the device group or device group hierarchy to which these VM-Series firewalls will be assigned. For details, see Panorama > VMware NSX.

Template
  Select the template to which the VM-Series firewalls will be assigned. For details, see Panorama > Templates.
  Each service definition must be assigned to a unique template or template stack.
  A template can have multiple zones (NSX Service Profile Zones for NSX) associated with it. For a single-tenant deployment, create one zone (NSX Service Profile Zone) in the template. If you have a multi-tenant deployment, create a zone for each sub-tenant. When you create a new NSX Service Profile Zone, it is automatically attached to a pair of virtual wire subinterfaces. For more information, see Network > Zones.

VM-Series OVF URL
  Enter the URL (IP address or hostname and path) where the NSX Manager can access the OVF file to provision new VM-Series firewalls.

Notify Groups
  Select a notify group from the drop-down.

Configure Access to the NSX Manager

Panorama > VMware NSX > Service Managers

To enable Panorama to communicate with the NSX Manager, Add and configure the settings as described in the following table.

Service Managers   Description

Service Manager Name
  Enter a name to identify the VM-Series firewall as a service. This name displays on the NSX Manager and is used to deploy the VM-Series firewall on demand. Supports up to 63 characters; use only letters, numbers, hyphens, and underscores.

Description
  (Optional) Enter a label to describe the purpose or function of this service.

NSX Manager URL
  Specify the URL that Panorama will use to establish a connection with the NSX Manager.

NSX Manager Login / NSX Manager Password / Confirm NSX Manager Password
  Enter the authentication credentials (username and password) configured on the NSX Manager. Panorama uses these credentials to authenticate with the NSX Manager.

Service Definitions
  Specify the service definitions associated with this service manager. Each service manager supports up to 32 service definitions.

After committing the changes to Panorama, the VMware Service Manager window displays the connection status between Panorama and the NSX Manager.

Sync Status   Description

Status
  Displays the connection status between Panorama and the NSX Manager.
  A successful connection displays as Registered: Panorama and the NSX Manager are synchronized and the VM-Series firewall is registered as a service on the NSX Manager.
  For an unsuccessful connection, the status can be:
  Connected Error: Unable to reach/establish a network connection with the NSX Manager.
  Not authorized: The access credentials (username and/or password) are incorrect.
  Unregistered: The service manager, service definition, or service profile is unavailable or was deleted on the NSX Manager.
  Out of sync: The configuration settings defined on Panorama are different from what is defined on the NSX Manager. Click Out of sync for details on the reasons for failure. For example, the NSX Manager may have a service definition with the same name as one defined on Panorama. To fix the error, use the service definition name listed in the error message to validate the service definition on the NSX Manager. Until the configuration on Panorama and the NSX Manager is synchronized, you cannot add a new service definition on Panorama.

664 PANOS8.0WebInterfaceReferenceGuide PaloAltoNetworks,Inc.


PanoramaWebInterface Panorama>VMwareNSX

SyncStatus Description

Synchronize ClickSynchronize Dynamic Objectstorefreshthedynamicobjectinformationfrom


DynamicObjects theNSXManager.Synchronizingdynamicobjectsenablesyoutomaintaincontext
onchangesinthevirtualenvironmentandallowsyoutosafelyenableapplications
byautomaticallyupdatingtheDynamicAddressGroupsusedinpolicyrules.
OnPanorama,youcanviewonlytheIPaddressesthataredynamically
registeredfromtheNSXManager.Panoramadoesnotdisplaythedynamic
IPaddressesthatareregistereddirectlytothefirewalls.IfyouuseVM
InformationSources(notsupportedontheVMSeriesNSXeditionfirewalls)
ortheXMLAPItoregisterIPaddressesdynamicallytothefirewalls,you
mustlogintoeachfirewalltoviewthecompletelistofdynamicIPaddresses
(boththosethatPanoramapushedandthosethatarelocallyregistered)on
thefirewall.

NSXConfigSync SelectNSX Config-Synctosynchronizetheservicedefinitionsconfiguredon


PanoramawiththeNSXManager.IfyouhaveanypendingcommitsonPanorama,
thisoptionisnotavailable.
Ifthesynchronizationfails,viewthedetailsintheerrormessagetoknowwhether
theerrorisonPanoramaorontheNSXManager.Forexample,whenyoudeletea
servicedefinitiononPanorama,thesynchronizationwiththeNSXManagerfailsif
theservicedefinitionisreferencedinaruleontheNSXManager.Usethe
informationintheerrormessagetodeterminethereasonforfailureandwhereyou
needtotakecorrectiveaction(onPanoramaorontheNSXManager).

Create Steering Rules

Panorama > VMware NSX > Steering Rules
Steering rules determine what traffic from which guests in the cluster is steered to the VM-Series firewall.

Field   Description

Auto Generate Steering Rules: Generates steering rules based on a security rule that is configured as follows:
- Belongs to a parent or a child device group registered with an NSX Service Manager.
- Has the same zone as the source and destination (not any-to-any).
- Has only one zone.
- Has no static address group, IP range, or netmask configured for the policy.
By default, steering rules generated through Panorama have no NSX Services configured and the NSX Traffic Direction is set to in-out. After generating steering rules, you can update individual steering rules to change the NSX Traffic Direction or add NSX Services. Panorama automatically populates the following fields (except Description and NSX Services) when you auto-generate steering rules.

Name: Enter the name for the steering rule you want to display on the NSX Manager. When auto-generated, Panorama adds the prefix auto_ to each steering rule and replaces any space in the security policy rule name with an underscore (_).

Description: (Optional) Enter a label to describe the purpose or function of this service definition.

NSX Traffic Direction: Specify the direction of the traffic that is redirected to the VM-Series firewall.
- in-out: Creates an IN-OUT rule on NSX. Traffic of the specified type going between the source and the destination is redirected to the VM-Series firewall. Panorama uses this traffic direction for auto-generated steering rules.
- in: Creates an IN rule on NSX. Traffic of the specified type going to the source from the destination is redirected to the VM-Series firewall.
- out: Creates an OUT rule on NSX. Traffic of the specified type going from the source to the destination is redirected to the VM-Series firewall.

NSX Services: Select the application (Active Directory Server, HTTP, DNS, etc.) traffic to redirect to the VM-Series firewall.

Device Group: Select a device group from the drop-down. The chosen device group determines which security policies are applied to the steering rule. Device groups must be associated with an NSX service definition.

Security Policy: The security policy rule that the auto-generated steering rule is based on.

Panorama > Log Ingestion Profile

Use the log ingestion profile to enable Panorama to receive logs from external sources. In PAN-OS 8.0.0, Panorama (in Panorama mode) can serve as a Syslog receiver that can ingest logs from the Traps ESM server using Syslog. Support for new external log sources and the updates for newer Traps ESM versions will be pushed through content updates.
To enable log ingestion, you must configure Panorama as a Syslog receiver on the Traps ESM server, define a log ingestion profile on Panorama and attach the log ingestion profile to a Log Collector group.
To add a new external Syslog ingestion profile, Add a profile and configure the settings as described in the following table.

Field   Description

Name: Enter the name for the external Syslog ingestion profile. You can add up to 255 profiles.

Source Name: Enter the name or IP address of the external sources that will send logs. You can add up to 4 sources within a profile.

Port: Enter the port on which Panorama will be accessible over the network and will use to communicate and listen on.
For Traps ESM, select a value between the range of 23000-23999. You must configure the same port number on the Traps ESM to enable communication between Panorama and the ESM.

Transport: Select TCP, UDP or SSL. If you select SSL, you must configure an inbound certificate for secure syslog communication in Panorama > Managed Collectors > General.

External Log Type: Select the log type from the drop-down.

Version: Select the version from the drop-down.

Use Monitor > External Logs to view information on the logs ingested from the Traps ESM server into Panorama.


Panorama > Log Settings

Use the Log Settings page to forward the following log types to external services:
- System, Configuration, User-ID, and Correlation logs that the Panorama management server (M-Series appliance or Panorama virtual appliance in Panorama mode) generates locally.
- Logs of all types that the Panorama virtual appliance in Legacy mode generates locally or collects from firewalls.

For the logs that firewalls send to Log Collectors, complete the Log Collector Configuration to enable forwarding to external services.

Before starting, you must define server profiles for the external services (see Device > Server Profiles > SNMP Trap, Device > Server Profiles > Syslog, Device > Server Profiles > Email, and Device > Server Profiles > HTTP). Then Add one or more match list profiles and configure the settings as described in the following table.

Match List Profile Settings   Description

Name: Enter a name (up to 31 characters) to identify the match list profile.

Filter: By default, Panorama forwards All Logs of the type for which you are adding the match list profile. To forward a subset of the logs, open the drop-down and select an existing filter or select Filter Builder to add a new filter. For each query in a new filter, specify the following fields and Add the query:
- Connector: Select the connector logic (and/or) for the query. Select Negate if you want to apply negation to the logic. For example, to avoid forwarding logs from an untrusted zone, select Negate, select Zone as the Attribute, select equal as the Operator, and enter the name of the untrusted Zone in the Value column.
- Attribute: Select a log attribute. The options depend on the log type.
- Operator: Select the criterion to determine whether the attribute applies (such as equal). The available options depend on the log type.
- Value: Specify the attribute value for the query to match.
To display or export the logs that the filter matches, select View Filtered Logs. This tab provides the same options as the Monitoring tab pages (such as Monitoring > Logs > Traffic).

Description: Enter a description of up to 1,024 characters to explain the purpose of this match list profile.

SNMP: Add one or more SNMP Trap server profiles to forward logs as SNMP traps (see Device > Server Profiles > SNMP Trap).

Email: Add one or more Email server profiles to forward logs as email notifications (see Device > Server Profiles > Email).

Syslog: Add one or more Syslog server profiles to forward logs as syslog messages (see Device > Server Profiles > Syslog).

HTTP: Add one or more HTTP server profiles to forward logs as HTTP requests (see Device > Server Profiles > HTTP).

Built-in Actions: All log types except System logs and Configuration logs allow you to configure actions.
- Add an action and enter a name to describe it.
- Select the IP address you want to tag: Source Address or Destination Address.
- Select the action: Add Tag or Remove Tag.
- Select whether to distribute the tag to the local User-ID agent on this device, or to a remote User-ID Agent.
- To distribute tags to a Remote device User-ID Agent, select the HTTP server profile that will enable forwarding.
- Enter or select the Tags you want to apply or remove from the target source or destination IP address. You can tag the source IP address only, in Correlation logs and HIP Match logs.
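The Filter queries and Built-in Actions above, worked through as an added Python example (not Palo Alto Networks code) on constructed log records: it evaluates Connector/Negate/Attribute/Operator/Value queries, including the guide's Negate + Zone equal example, and applies an Add Tag or Remove Tag action to the source or destination address of each forwarded log. Left-to-right connector evaluation, the operator names, the severity scale and the IP-to-tags registry layout are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Query:
    connector: str    # "and" or "or" (ignored for the first query in a filter)
    negate: bool      # the Negate check box
    attribute: str    # a log attribute such as "zone"
    operator: str     # assumed names: equal, not-equal, greater-or-equal, less-or-equal
    value: str


OPERATORS = {
    "equal": lambda actual, wanted: str(actual) == str(wanted),
    "not-equal": lambda actual, wanted: str(actual) != str(wanted),
    "greater-or-equal": lambda actual, wanted: int(actual) >= int(wanted),
    "less-or-equal": lambda actual, wanted: int(actual) <= int(wanted),
}


def query_matches(query: Query, log: Dict[str, object]) -> bool:
    """One query against one log record; a missing attribute never matches."""
    if query.attribute not in log:
        return False
    result = OPERATORS[query.operator](log[query.attribute], query.value)
    return not result if query.negate else result


def filter_matches(queries: List[Query], log: Dict[str, object]) -> bool:
    """An empty filter means All Logs. Otherwise queries are combined left to right
    with each query's connector (evaluation order is an assumption of this example)."""
    if not queries:
        return True
    result = query_matches(queries[0], log)
    for query in queries[1:]:
        current = query_matches(query, log)
        result = (result and current) if query.connector == "and" else (result or current)
    return result


def forwarded(queries: List[Query], logs: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """The subset of logs the match list profile would forward to its server profiles."""
    return [log for log in logs if filter_matches(queries, log)]


@dataclass
class BuiltInAction:
    name: str
    target: str      # "source" (Source Address) or "destination" (Destination Address)
    action: str      # "add-tag" or "remove-tag"
    tags: Set[str]


def apply_actions(queries: List[Query], actions: List[BuiltInAction], logs: List[Dict[str, object]],
                  registrations: Optional[Dict[str, Set[str]]] = None) -> Dict[str, Set[str]]:
    """Return the IP-to-tags registrations a User-ID agent would hold after the actions
    run on every forwarded log (registry layout is an assumption of this example)."""
    registry = {ip: set(tags) for ip, tags in (registrations or {}).items()}
    for log in forwarded(queries, logs):
        for act in actions:
            ip = log["src"] if act.target == "source" else log["dst"]
            tags = registry.setdefault(ip, set())
            if act.action == "add-tag":
                tags |= act.tags
            else:
                tags -= act.tags
    return {ip: tags for ip, tags in registry.items() if tags}


# Constructed sample threat logs; severity uses an assumed 1 (low) to 5 (critical) scale.
SAMPLE_LOGS = [
    {"zone": "untrust", "severity": 4, "src": "203.0.113.9", "dst": "10.1.1.5"},
    {"zone": "trust", "severity": 5, "src": "10.1.1.7", "dst": "10.1.1.5"},
    {"zone": "dmz", "severity": 2, "src": "10.1.2.3", "dst": "10.1.1.5"},
]

# The guide's example: Negate + Zone equal <untrusted zone> keeps logs from that zone out.
NOT_UNTRUST = [Query("and", True, "zone", "equal", "untrust")]
# Chained with "and": only high-severity threats from other zones are forwarded.
HIGH_SEVERITY_NOT_UNTRUST = NOT_UNTRUST + [Query("and", False, "severity", "greater-or-equal", "4")]
# Built-in Action: tag the source address of each forwarded log for quarantine.
QUARANTINE = [BuiltInAction("quarantine-src", "source", "add-tag", {"quarantine"})]
```

With NOT_UNTRUST only the trust and dmz records are forwarded; with HIGH_SEVERITY_NOT_UNTRUST and QUARANTINE, apply_actions leaves a single registration, 10.1.1.7 tagged quarantine.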


Panorama > Scheduled Config Export

To schedule an export of all the running configurations on Panorama and firewalls, Add an export task and configure the settings as described in the following table.

If Panorama has a high availability (HA) configuration, you must perform these instructions on each peer to ensure the scheduled exports continue after a failover. Panorama does not synchronize scheduled configuration exports between HA peers.

Scheduled Configuration Export Settings   Description

Name: Enter a name to identify the configuration export job (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, hyphens, and underscores.

Description: Enter an optional description.

Enable: Select to enable the export job.

Scheduled export start time (daily): Specify the time of day to start the export (24-hour clock, format HH:MM).

Protocol: Select the protocol to use to export logs from Panorama to a remote host. Secure Copy (SCP) is a secure protocol; FTP is not.

Hostname: Enter the IP address or hostname of the target SCP or FTP server.

Port: Enter the port number on the target server.

Path: Specify the path to the folder or directory on the target server that will store the exported configuration.
For example, if the configuration bundle is stored in a folder called exported_config within a top-level folder called Panorama, the syntax for each server type is:
- SCP server: /Panorama/exported_config
- FTP server: //Panorama/exported_config

Enable FTP Passive Mode: Select to use FTP passive mode.

Username: Specify the username required to access the target system.

Password/Confirm Password: Specify the password required to access the target system.

Test SCP server connection: Select to test communication between Panorama and the SCP host/server.
To enable the secure transfer of data, you must verify and accept the host key of the SCP server. The connection is not established until the host key is accepted. If Panorama has an HA configuration, you must perform this verification on each HA peer so that each one accepts the host key of the SCP server.

Panorama > Software

Use this page to manage Panorama software updates on the Panorama management server.
- Manage Panorama Software Updates
- Display Panorama Software Update Information

Manage Panorama Software Updates

Select Panorama > Software to perform the tasks described in the following table.

By default, the Panorama management server saves up to two software updates. To make space for newer updates, the server automatically deletes the oldest update. You can change the number of software images that Panorama saves and manually delete images to free up space. Refer to Install Content and Software Updates for Panorama for important information about version compatibility.

Task   Description

Check Now: If Panorama has access to the Internet, Check Now to display the latest update information (see Display Panorama Software Update Information).
If Panorama does not have access to the external network, use a browser to visit the Software Update site for update information.

Upload: To upload a software image when Panorama does not have access to the Internet, use a browser to visit the Software Update site, locate the desired release and download the software image to a computer that Panorama can access, select Panorama > Software, click Upload, Browse to and select the software image, and click OK. When the upload is complete, the Available column displays Uploaded.

Download: If Panorama has access to the Internet, Download (Action column) the desired release. When the download is complete, the Available column displays Downloaded.

Install: Install (Action column) the software image. When the installation finishes, Panorama logs you out while it reboots.
Panorama periodically performs a file system integrity check (FSCK) to prevent corruption of the Panorama system files. This check occurs after eight reboots or at a reboot that occurs 90 days after the last FSCK. A warning appears in the web interface and SSH login screens if an FSCK is in progress and you cannot log in until it completes. The time to complete this process varies by storage system size; for a large system, it can take several hours before you can log back in to Panorama. To view progress, set up console access to Panorama.

Release Notes: If Panorama has access to the Internet, you can access the Release Notes for the desired software release and review the release changes, fixes, known issues, compatibility issues, and changes to default behavior.
If Panorama does not have access to the Internet, use a browser to visit the Software Update site and download the appropriate release.

(Delete icon): Deletes a software image when no longer needed or when you want to free up space for more images.

Display Panorama Software Update Information

Select Panorama > Software to display the following information. To display the latest information from Palo Alto Networks, click Check Now.

Software and Content Update Information   Description

Version: The Panorama software version.

Size: The size in megabytes of the software image.

Release Date: The date and time when Palo Alto Networks made the update available.

Available: Indicates whether the image is available for installation.

Currently Installed: A check mark indicates that the update is installed.

Action: Indicates the actions (Download, Install, or Reinstall) that are available for an image.

Release Notes: Click Release Notes to access the release notes for the desired software release and review the release changes, fixes, known issues, compatibility issues, and changes in default behavior.

(Delete icon): Deletes an update when no longer needed or to free up space for more downloads or uploads.

Panorama > Device Deployment

You can use Panorama to deploy software and content updates to multiple firewalls and Log Collectors and to manage firewall licenses.

What are you looking for?   See:
- Deploy software and content updates to firewalls and Log Collectors: Manage Software and Content Updates
- See which software and content updates are installed or available for download and installation: Display Software and Content Update Information
- Schedule automatic content updates for firewalls and Log Collectors: Schedule Dynamic Content Updates
- View, activate, deactivate, and refresh licenses. See the status of firewall licenses: Manage Firewall Licenses

Looking for more? Manage Licenses and Updates.

Manage Software and Content Updates

Panorama > Device Deployment > Software
Panorama provides the following options for deploying software and content updates to firewalls and Log Collectors.

To reduce traffic on the management (MGT) interface, you can configure Panorama to use a separate interface for deploying updates (see Panorama > Setup > Interfaces).

Panorama Device Deployment Options   Description

Download: To deploy a software or content update when Panorama is connected to the Internet, Download the update. When the download finishes, the Available column displays Downloaded. You can then:
- Install the PAN-OS/Panorama software update or content update.
- Activate the GlobalProtect Client (GlobalProtect agent/app) or SSL VPN Client software update.

Upgrade: If a BrightCloud URL Filtering content update is available, click Upgrade. After a successful upgrade, you can Install the update on firewalls.

Install: After you Download or Upload a PAN-OS software, Panorama software, or content update, click Install in the Action column and select:
- Devices: Select the firewalls or Log Collectors on which to install the update. If the list is long, use the Filters. Select Group HA Peers to group firewalls that are high availability (HA) peers. This enables you to easily identify firewalls that have an HA configuration. To display only specific firewalls or Log Collectors, select them and then Filter Selected.
- Upload only to device (software only): Select to load the software without automatically installing it. You must manually install the software.
- Reboot device after install (software only): Select to specify that the installation process automatically reboots the firewalls or Log Collectors. The installation cannot finish until a reboot occurs.
- Disable new apps in content update (Applications and Threats only): Select to disable applications in the update that are new relative to the last installed update. This protects against the latest threats while giving you the flexibility to enable applications after preparing any policy updates. Then, to enable applications, log in to the firewall, select Device > Dynamic Updates, click Apps in the Features column to display the new applications, and click Enable/Disable for each application you want to enable.
You can also select Panorama > Managed Devices to install Firewall Software and Content Updates or Panorama > Managed Collectors to install Software Updates for Dedicated Log Collectors.

Activate: After you Download or Upload a GlobalProtect Client (GlobalProtect agent/app) software update, click Activate in the Action column and select the options as follows:
- Devices: Select the firewalls on which to activate the update. If the list is long, use the Filters. Select Group HA Peers to group firewalls that are high availability (HA) peers. This enables you to easily identify firewalls that have an HA configuration. To display only specific firewalls, select them and then Filter Selected.
- Upload only to device: Select if you don't want PAN-OS to automatically activate the uploaded image. You must log in to the firewall and activate it.

Release Notes: Click Release Notes to access the release notes for the desired software release and review the release changes, fixes, known issues, compatibility issues, and changes in default behavior.

Documentation: Click Documentation to access the release notes for the desired content release.

(Delete icon): Deletes software or content updates when no longer needed or when you want to free up space for more downloads or uploads.

Check Now: Check Now to Display Software and Content Update Information.

Upload: To deploy a software or content update when Panorama is not connected to the Internet, download the update to your computer from the Software Updates or Dynamic Updates site, select the Panorama > Device Deployment page that corresponds to the update type, click Upload, select the update Type (content updates only), select the uploaded file, and click OK. The steps to then install or activate the update depend on the type:
- PAN-OS or Panorama software: When the upload is complete, the Available column displays Uploaded. You can then install the software update.
- GlobalProtect Client or SSL VPN Client software: Activate from file.
- Dynamic updates: Install from file.

Install from File: After you upload a content update, click Install from File, select the content Type, select the filename of the update, and select the firewalls or Log Collectors.

Activate from File: After you upload a GlobalProtect Client (GlobalProtect agent/app) software update, click Activate from File, select the filename of the update, and select the firewalls.

Schedules: Select to Schedule Dynamic Content Updates.

Display Software and Content Update Information

Panorama > Device Deployment > Software
Select Panorama > Device Deployment > Software to display PAN-OS Software, GlobalProtect Client software, and Dynamic Updates (content) that are currently installed or available for download and installation. The Dynamic Updates page organizes the information by content type (Antivirus, Applications and Threats, URL Filtering, and WildFire) and indicates the date and time of the last check for updated information. To display the latest software or content information from Palo Alto Networks, click Check Now.

Software and Content Update Information

Version: The software or content update version.

File Name: The name of the update file.

Platform: The designated firewall or Log Collector model for the update. A number indicates a hardware firewall model (for example, 7000 indicates the PA-7000 Series firewall), vm indicates the VM-Series firewall, and m indicates the M-Series appliance.

Features: (Content only) Lists the type of signatures the content version might include.

Type: (Content only) Indicates whether the download includes a full database update or an incremental update.

Size: The size of the update file.

Release Date: The date and time when Palo Alto Networks made the update available.

Available: (PAN-OS or Panorama software only) Indicates that the update is downloaded or uploaded.

Downloaded: (SSL VPN Client software, GlobalProtect Client software, or content only) A check mark indicates that the update is downloaded.

Action: Indicates the action you can perform on the update: Download, Upgrade, Install or Activate.

Documentation: (Content only) Provides a link to the release notes for the desired content release.

Release Notes: (Software only) Provides a link to the release notes for the desired software release.

(Delete icon): Deletes an update when no longer needed or when you want to free up space for more downloads or uploads.

Schedule Dynamic Content Updates

Panorama > Device Deployment > Dynamic Updates
To schedule an automatic download and installation of an update, click Schedules, click Add, and configure the settings as described in the following table.

Dynamic Update Schedule Settings

Name: Enter a name to identify the scheduled job (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, hyphens, and underscores.

Disabled: Select to disable the scheduled job.

Type: Select the type of content update to schedule: App, App and Threat, Antivirus, WildFire, or URL Database.

Recurrence: Select the interval at which Panorama checks in with the update server. The recurrence options vary by update type.

Time: For a Daily update, select the Time from the 24-hour clock.
For a Weekly update, select the Day of week, and the Time from the 24-hour clock.

Disable new apps in content update: You can disable new apps in content updates only if you set the update Type to App or App and Threat and only if Action is set to Download and Install.
Select to disable applications in the update that are new relative to the last installed update. This protects against the latest threats while giving you the flexibility to enable the applications after preparing any policy updates. Then, to enable applications, log in to the firewall, select Device > Dynamic Updates, click Apps in the Features column to display the new applications, and click Enable/Disable for each application you want to enable.

Action:
- Download Only: Panorama will download the scheduled update. You must manually Install the update on firewalls and Log Collectors.
- Download and Install: Panorama will download and automatically install the scheduled update.

Devices: Select Devices and then select the firewalls that will receive scheduled content updates.

Log Collectors: Select Log Collectors and then select the managed collectors that will receive scheduled content updates.

Manage Firewall Licenses

Panorama > Device Deployment > Licenses
Select Panorama > Device Deployment > Licenses to perform the following tasks:
- Update licenses of firewalls that don't have direct internet access: Click Refresh.
- Activate a license on firewalls: To activate a license on firewalls, click Activate, select the firewalls and, in the Auth Code column, enter the authorization codes that Palo Alto Networks provided for the firewalls.
- Deactivate all the licenses and subscriptions/entitlements installed on VM-Series firewalls: Click Deactivate VMs, select the firewalls (the list displays only firewalls running PAN-OS 7.0 or later releases), and click:
  - Continue: Deactivates the licenses and automatically registers the changes with the licensing server. The licenses are credited back to your account and are available for reuse.
  - Complete Manually: Generates a token file. Use this if Panorama does not have direct Internet access. To complete the deactivation process, you must log in to the Support portal, select Assets, click Deactivate License(s), upload the token file, and click Submit. After you complete the deactivation process.
You can also view the current license status for managed firewalls. For firewalls that have direct internet access, Panorama automatically performs a daily check-in with the licensing server, retrieves license updates and renewals, and pushes them to the firewalls. The check-in is hard-coded to occur between 1 and 2 A.M.; you cannot change this schedule.

Firewall License Information

Device: The firewall name.

Virtual System: Indicates whether the firewall does or does not support multiple virtual systems.

Threat Prevention, URL, Support, GlobalProtect Gateway, GlobalProtect Portal, WildFire: Indicates whether the license is active, inactive, or expired (along with the expiration date).

VM-Series Capacity: Indicates whether this is or is not a VM-Series firewall.