Helpful troubleshooting information
Content-ID: real-time content scanning that blocks threats, controls web surfing, and limits data and file transfers
Content-ID combines a real-time threat prevention engine with a comprehensive URL database and elements of application identification to limit unauthorized data and file transfers, detect and block a wide range of threats, and control non-work-related web surfing. The application visibility and control delivered by App-ID, combined with the content inspection enabled by Content-ID, means that IT departments can regain control over application traffic and the related content. The NSS-rated IPS blocks known and unknown vulnerability exploits, buffer overflows, DoS attacks and port scans from compromising and damaging enterprise information resources. IPS mechanisms include:
* Protocol decoder-based analysis statefully decodes the protocol
* Protocol anomaly-based protection detects non-RFC-compliant protocol usage
* Stateful pattern matching detects attacks spread over multiple packets
* Statistical anomaly detection prevents rate-based DoS floods
* Heuristic-based analysis detects anomalous packet and traffic patterns such as port scans and port sweeps
* Custom vulnerability or spyware phone-home signatures that can be used in either the antispyware or vulnerability protection profiles
* Other attack protection capabilities such as blocking invalid or malformed packets, IP defragmentation, and TCP reassembly to protect against evasion and obfuscation methods
a. Tap Mode: using tap mode interfaces, the device can be connected to a core switch's SPAN port to identify applications running on the network. This option requires no changes to the existing network design. In this mode the device cannot block any harmful traffic, nor can it decrypt SSL connections. It is also a way to analyze your traffic and build rules based on facts rather than best guesses prior to go-live.
b. V-Wire Mode: using V-Wire (virtual wire) interfaces, the device can be inserted into an existing topology without requiring any reallocation of network addresses or redesign of the network topology. In this mode all of the protection and decryption features of the device can be used. The device will not participate in NAT or dynamic routing.
c. Layer 3 Mode: using L3 interfaces, the device can take the place of any current enterprise firewall deployment. It can also participate in NAT and dynamic routing (RIP, OSPF, and BGP).
1. Full Mesh implementation where all devices are physically connected with each other supporting a more resilient network architecture
* Remote VPN device is different from what you administer
* Need to access only one subnet or one network at the remote site, across the VPN
SSL VPN
Palo Alto firewall devices can support SSL VPN connectivity. There are no differences that stand out between the implementation of an SSL VPN on a Palo Alto and on Cisco, Juniper, etc. The Palo Alto disseminates a thin client via the web browser to the requesting workstation when connectivity is first established. If the thin client is not installed, the Palo Alto will attempt to send the software to the end user. The software is called NetConnect and it uses IPSEC VPN rather than SSL VPN. This is important information to know when troubleshooting with the customer. Note: the versions of software distributed by the Palo Alto are all manageable and decided by the administrator. If the thin client is not utilized to establish an IPSEC tunnel, then SSL is utilized by the system as a fall back. SSL VPN must be configured in your policy to allow the functionality desired. Note: an SSL VPN implementation should also include an SSL [X.509] certificate from a known and trusted certificate authority. This prevents end users from receiving a certificate error, proves your identity to the requesting browser, and assures the end user that the session is encrypted.
Troubleshooting VPN tunnel issues:
show vpn tunnel
    Shows current tunnels; displays the tunnel ID in the first column {TnID}
show vpn flow tunnel-id {TnID}
    Shows detailed information on the tunnel ID specified, including packets and bytes through the tunnel
For example:
show log traffic receive_time in last-60-seconds
For example:
show log traffic receive_time in ?
    will display all pre-defined intervals
For example:
show log traffic app equal gmail
    will display any matches in the traffic log for gmail
show session id <session-id> will display the details of that session on the Palo Alto. This provides information such as the timeout value, the security rule that allowed the session, and QoS information.
There is a Session Browser available in the GUI of the Palo Alto; the abilities of this application are extremely powerful. Test policy commands provide you the ability to test policies on the Palo Alto device to ensure they function as intended.
test security-policy-match from Training to 2Corpnet source 10.30.11.50 destination 4.2.2.2 application dns
    will display the policy allowing traffic from zone Training to zone 2Corpnet with source IP 10.30.11.50 and destination IP 4.2.2.2 for the application DNS
Rule bases you can utilize this test with: security-policy-match, cp-policy-match, ssl-policy-match, and nat-policy-match.
Utilizing PING:
ping host <IP address>
ping source 10.1.1.1 host 4.2.2.2
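As an added example (not Palo Alto code and not from the presentation), a small Python simulator of the top-down, first-match evaluation that test security-policy-match answers for, run against a constructed rule base (hypothetical rule names) with the zones, addresses and application used above; the deny rule placed above the allow shows why testing the rule base before go-live matters:

```python
"""Added example (not Palo Alto Networks code): first-match policy evaluation,
the same question `test security-policy-match` asks of the live rule base."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "any"


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: List[str]       # CIDR strings, or [ANY]
    destination: List[str]  # CIDR strings, or [ANY]
    application: List[str]  # App-ID names, or [ANY]
    action: str             # "allow" or "deny"


def _ip_match(addr: str, nets: List[str]) -> bool:
    return nets == [ANY] or any(ip_address(addr) in ip_network(n, strict=False) for n in nets)


def _name_match(value: str, allowed: List[str]) -> bool:
    return allowed == [ANY] or value in allowed


def policy_match(rules: List[Rule], from_zone: str, to_zone: str,
                 src: str, dst: str, app: str) -> Optional[Rule]:
    """Return the first rule (top to bottom) matching the 6-tuple subset the
    firewall evaluates; None means no rule matched (implicit interzone deny)."""
    for r in rules:
        if (_name_match(from_zone, [r.from_zone]) and _name_match(to_zone, [r.to_zone])
                and _ip_match(src, r.source) and _ip_match(dst, r.destination)
                and _name_match(app, r.application)):
            return r
    return None


# Constructed rule base, ordered as it would appear in the policy table.
RULES = [
    Rule("block-training-smtp", "Training", "2Corpnet", ["10.30.11.0/24"], [ANY], ["smtp"], "deny"),
    Rule("training-dns", "Training", "2Corpnet", ["10.30.11.0/24"], ["4.2.2.2/32"], ["dns"], "allow"),
    Rule("training-web", "Training", "2Corpnet", [ANY], [ANY], ["web-browsing", "ssl"], "allow"),
]

if __name__ == "__main__":
    hit = policy_match(RULES, "Training", "2Corpnet", "10.30.11.50", "4.2.2.2", "dns")
    print(hit.name if hit else "no rule matched (implicit deny)")
```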
https://support.paloaltonetworks.com/pa-portal/index.php
Presentation by James Sommer, Shriram Ayyar, with help from paloaltonetworks.com, Palo Alto Networks EDU-201 & EDU301 (advanced troubleshooting), and juniper.com