Pan edu-1-basic


Transcript of Pan edu-1-basic

Page 1: Pan edu-1-basic

Palo Alto Networks Architecture

The Single-Pass Architecture

The Control Plane and Data Plane

Flow Logic Explained

Page 2: Pan edu-1-basic

Single-Pass Parallel Processing™ (SP3) Architecture

Single Pass
• Operations once per packet:
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy

Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes

Page 3: Pan edu-1-basic

Control Plane and Data Plane

Control Plane
• Dedicated Control Plane: highly available management; high speed logging and route updates
• Dual-core CPU, RAM, HDD

Data Plane
• Signature Match Processor: Palo Alto Networks' uniform signatures; multiple memory banks – memory bandwidth scales performance
• Multi-Core Security Processor: high density processing for flexible security functionality; hardware acceleration for standardized complex functions (SSL, IPSec, decompression)*
• Network Processor: front-end network processing offloads the security processors; hardware accelerated QoS, route/ARP/MAC lookup and NAT**

[Block diagram on the slide: the control plane (dual-core CPU, RAM, HDD) beside the data plane's Signature Match Processor with its RAM banks, the multi-core security processor (CPU1 … CPU16 with RAM and the SSL / IPSec / decompression offload engines) and the network processor (QoS; route, ARP, MAC lookup; NAT). The * and ** markers in the diagram sit on the offload engines and the network processor functions respectively.]

* Implemented in software on PA-200 and PA-500
** Implemented in software on the PA-200, PA-500, and PA-3020

Page 4: Pan edu-1-basic

Flow Logic of the Next-Generation Firewall

The slide's flow chart, read as the order of stages for a new session:

Initial Packet Processing
• Source zone / address / User-ID
• PBF / forwarding lookup
• Destination zone
• NAT policy evaluated
• Security pre-policy: check allowed ports
• Session created

Application
• Check for encrypted traffic
• Decryption policy
• Application override policy
• App-ID

Security Policy
• Check security policy
• Check security profiles

Post Policy Processing
• Re-encrypt traffic
• NAT policy applied
• Packet forwarded

Note the two NAT steps: the NAT policy is evaluated during initial processing, but the translation is applied only after the security policy decision, so security rules are written in terms of the original (pre-NAT) addresses.
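The stage order above, as an added example that is not part of the slide deck or of PAN-OS itself: a small Python model with hypothetical zones, addresses and policy, and App-ID reduced to a few byte patterns, that walks a packet through session setup. It makes visible three things the flow chart only implies: NAT is evaluated before the security policy but applied after it, so rules match on the pre-NAT address (and, as PAN-OS does, the post-NAT zone); the pre-policy port check drops traffic that no rule could allow before any App-ID work happens; and a port some rule allows can still be denied once App-ID identifies an application that rule does not permit. All rule names, prefixes and signatures are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: which prefix sits behind which zone (hypothetical addressing).
ZONES = {"10.1.0.0/16": "trust", "203.0.113.0/24": "untrust", "192.168.50.0/24": "dmz"}

@dataclass
class SecRule:
    name: str
    src_zone: str
    dst_zone: str      # post-NAT destination zone
    dst_addr: str      # pre-NAT destination address, or "any"
    apps: set          # App-ID names, or {"any"}
    ports: set         # service ports, or {"any"}
    action: str        # "allow" or "deny"

# Security policy, evaluated top-down; the interzone-default deny is implicit.
SECURITY_POLICY = [
    SecRule("inbound-web", "untrust", "dmz", "203.0.113.10", {"web-browsing", "ssl"}, {80, 443}, "allow"),
    SecRule("outbound", "trust", "untrust", "any", {"any"}, {"any"}, "allow"),
]
# Destination NAT: public 203.0.113.10 is translated to the DMZ host 192.168.50.10.
NAT_POLICY = [{"src_zone": "untrust", "dst_addr": "203.0.113.10", "translated_dst": "192.168.50.10"}]

SESSIONS = {}  # (src_ip, dst_ip, dport) -> session state; stands in for the session table

def zone_of(ip):
    """Route lookup reduced to a prefix match on the constructed zone table."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    raise ValueError(f"no route for {ip}")

def app_id(payload):
    """Constructed stand-in for App-ID: a handful of byte-pattern signatures."""
    if not payload:
        return "incomplete"                # no application data seen yet
    if payload.startswith((b"GET ", b"POST ")):
        return "web-browsing"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload[:1] == b"\x16":             # TLS handshake record
        return "ssl"
    return "unknown-tcp"

def rule_matches(rule, src_zone, dst_zone, dst_ip, port, app=None):
    """Match on zones, pre-NAT address and port; the app is checked only once known."""
    if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
        return False
    if rule.dst_addr not in ("any", dst_ip):
        return False
    if "any" not in rule.ports and port not in rule.ports:
        return False
    if app is not None and "any" not in rule.apps and app not in rule.apps:
        return False
    return True

def process_packet(src_ip, dst_ip, dport, payload=b""):
    """Walk one packet through the slide's stages; returns (verdict, details)."""
    key = (src_ip, dst_ip, dport)
    if key not in SESSIONS:
        # Initial packet processing: source zone (User-ID lookup omitted).
        src_zone = zone_of(src_ip)
        # NAT policy evaluated now, but applied only after the security decision.
        nat = next((r for r in NAT_POLICY if r["src_zone"] == src_zone and r["dst_addr"] == dst_ip), None)
        post_nat_dst = nat["translated_dst"] if nat else dst_ip
        # Forwarding lookup on the translated address gives the destination zone.
        dst_zone = zone_of(post_nat_dst)
        # Security pre-policy: could any rule allow this port? Nothing else is
        # inspected yet, so a port no rule allows is dropped without App-ID.
        if not any(r.action == "allow" and rule_matches(r, src_zone, dst_zone, dst_ip, dport)
                   for r in SECURITY_POLICY):
            return "drop", {"stage": "pre-policy", "reason": f"no rule allows port {dport}"}
        # Session created.
        SESSIONS[key] = {"src_zone": src_zone, "dst_zone": dst_zone,
                         "post_nat_dst": post_nat_dst, "app": "incomplete"}
    sess = SESSIONS[key]
    # App-ID on the payload (decryption and application override omitted).
    app = app_id(payload)
    if app != "incomplete":
        sess["app"] = app
    known = None if sess["app"] == "incomplete" else sess["app"]
    # Security policy checked with the identified application, first match wins.
    for rule in SECURITY_POLICY:
        if rule_matches(rule, sess["src_zone"], sess["dst_zone"], dst_ip, dport, known):
            if rule.action != "allow":
                return "deny", {"stage": "policy", "rule": rule.name, "app": sess["app"]}
            # Post-policy processing: NAT applied, packet forwarded.
            return "forward", {"rule": rule.name, "app": sess["app"],
                               "dst": sess["post_nat_dst"], "zone": sess["dst_zone"]}
    # The port was allowed by some rule, but not for this application.
    return "deny", {"stage": "policy", "rule": "interzone-default", "app": sess["app"]}

if __name__ == "__main__":
    print(process_packet("203.0.113.77", "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"))
    print(process_packet("203.0.113.78", "203.0.113.10", 80, b"SSH-2.0-OpenSSH"))
    print(process_packet("203.0.113.79", "203.0.113.10", 22, b"SSH-2.0-OpenSSH"))
```

The three calls at the bottom exercise the three outcomes: HTTP to the public address is forwarded to 192.168.50.10 under inbound-web; SSH on port 80 gets a session (the port is allowed) but is denied once App-ID sees ssh; SSH on port 22 never gets a session because no rule allows the port.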

Page 5: Pan edu-1-basic

Configuration and Management

Your Initial Configuration

Page 6: Pan edu-1-basic

Initial configuration must be performed over the dedicated out-of-band management interface (MGT) or a console connection.

The device ships with the following default values:
• MGT interface IP address: 192.168.1.1
• User name: admin
• Password: admin

Change the default admin password before the firewall is deployed (the CLI shows a warning at login until this is done), and keep the MGT interface on a dedicated management network rather than on user- or Internet-facing segments.

Initial Configuration - Hardware

[Slide photo of the hardware with the Management Port called out.]

Page 7: Pan edu-1-basic

Configuring the MGT interface - CLI

Last login: Tue September 27 18:38:30 2012 from 192.168.1.4
Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.
admin@PA-500> configure
Entering configuration mode
[edit]
admin@PA-500# set deviceconfig system ip-address 10.30.11.1 netmask 255.255.255.0 default-gateway 10.30.11.254 dns-setting servers primary 172.16.20.230
admin@PA-500# commit
....10%....20%....30%....40%....50%....60%....70%....80%....90%....100%
Configuration committed successfully
[edit]
admin@PA-500#

[Network diagram on the slide: MGT interface 10.30.11.1 on 10.30.11.0/24, default gateway 10.30.11.254 toward the Internet, DNS server 172.16.20.230.]

Page 8: Pan edu-1-basic

Configuring the MGT interface - GUI

Device > Management

Page 9: Pan edu-1-basic

Administrative Controls

Page 10: Pan edu-1-basic

Navigating the GUI

[Screenshot callouts: Functional Category Tabs; Display Tasks List]

Page 11: Pan edu-1-basic

Language Preference Setting

Page 12: Pan edu-1-basic

GUI error prompts

Page 13: Pan edu-1-basic

Application Command Center (ACC) Tab

Displays highest counts for specific monitoring categories: Application, URL Filtering, Threat, Data Filtering
Shows counts for top addresses, countries, zones, and rules
Used to create dynamic reports (screenshot callouts: Filter, Sort)
• Links to log information
- Click an icon to jump to the corresponding log in the Monitor tab
- Filters set in the ACC will be applied to the log after the jump

Page 14: Pan edu-1-basic

Monitor tab - Logs

Policies generate information that is added to log databases

Monitor > Traffic

Page 15: Pan edu-1-basic

CLI Modes

The CLI has two functional modes: Operational and Configuration.

Operational Mode
• Default mode when you first log in
• Represented by the > prompt on the interface
• Involves actions which are executed immediately
• Actions do not require a commit operation

Configuration Mode
• Issue the configure command to transition from Operational to Configuration mode
• Represented by the # prompt on the interface
• Changes will be stored in firewall memory until a commit operation is run

Page 16: Pan edu-1-basic

CLI Tools

Commands and options must be typed completely
The Tab key and Space bar will auto-complete
Most output can be piped through a match or except filter to limit results

Online help: ? or Tab key
Online help will provide a list of available options
If no output is given, the preceding option is invalid
Standard help messages include:
* This option is required
> Additional nested options for this command
+ Additional command options can be added to this command
| Pipe command output through match or except filter
<Enter> Command can be executed without further options

Page 17: Pan edu-1-basic

Find Command Overview

It may be difficult to remember op commands or configuration hierarchies

The Find command helps administrators locate keywords for operational commands within the command hierarchy

Works for all admin roles though output is limited to the allowed commands

All command combinations are pre-generated to provide a better user experience

Page 18: Pan edu-1-basic

CLI Find Command with Keyword

Find commands in CLI (with or without quotes)

admin@PA-500> find command ?
+ keyword    CLI keyword
  <Enter>    Finish input

admin@PA-500> find command keyword fpga
debug device-server set config <basic|tdb|fpga|all>
debug device-server unset config <basic|tdb|fpga|all>
debug dataplane fpga set sw_aho <yes|no>
debug dataplane fpga set sw_dfa <yes|no>
debug dataplane fpga set sw_dlp <yes|no>
debug dataplane fpga state

Find configurations in configure mode

admin@PA-500# find command keyword "tcp asymmetric-path"
set deviceconfig setting tcp asymmetric-path <drop|bypass>
<global|drop|bypass>

Page 19: Pan edu-1-basic

CLI Find Command w/o Keyword

Find commands without keyword will display all commands

admin@PA-500> find command
target set <value>
target show
schedule uar-report user <value> user-group <value> skip-detailed-browsing <yes|no> title <value> period <value> start-time <value> end-time <value> vsys <value>
schedule botnet-report period <last-calendar-day|last-24-hrs> topn <1-500> query <value>
clear arp <value>|<all>
clear neighbor <value>|<all>
clear mac <value>|<all>
clear job id <0-4294967295>
clear query id <0-4294967295>
clear query all-by-session
clear report id <0-4294967295>
clear report all-by-session
[...]

Page 20: Pan edu-1-basic

PAN-OS REST API

Allows an external system to execute commands remotely on a PAN firewall or a Panorama server over HTTPS (https://hostname/api)

Used to:
• Read/write firewall configuration
• Import dynamic and software updates
• Export firewall information (e.g. configuration, certificates, logs)
• Extract data in XML format for use in other report-writing systems
• Execute operational commands

[Slide diagram: External System exchanging requests with the firewall; "REST API over SSL" on the request side, "Device Config / Report data" on the response side.]

Page 21: Pan edu-1-basic

API Browser

API browser shows the XML and API formatted versions of selected CLI commands

https://hostname/api
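The API on pages 20 and 21, as an added example that is not part of the slide deck or of any Palo Alto Networks code: a small offline Python client for the PAN-OS XML API at https://hostname/api. The request shapes (type=keygen to obtain an API key, type=op with a CLI command rendered as nested XML, type=config&action=get with an XPath, and a <response status="..."> envelope) follow the documented API, which is exactly what the API browser shows for a chosen CLI command; the host, credentials, API key value, XPath and the canned responses are constructed for illustration, nothing is sent to a device.

```python
import urllib.request
from urllib.parse import urlencode
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

API_PATH = "/api/"

def op_cmd_xml(keywords, value=None):
    """Render an operational CLI command as the nested XML the API expects,
    e.g. ['show', 'system', 'info'] -> <show><system><info></info></system></show>.
    A trailing value (an interface name, a job id) becomes the innermost text."""
    if not keywords:
        raise ValueError("command keywords required")
    inner = escape(value) if value is not None else ""
    for kw in reversed(keywords):
        inner = f"<{kw}>{inner}</{kw}>"
    return inner

def keygen_request(host, user, password):
    """Credentials go in a POST body, not the query string, so they stay out of
    proxy and web-server logs. Returns an unsent urllib Request."""
    body = urlencode({"type": "keygen", "user": user, "password": password}).encode()
    return urllib.request.Request(f"https://{host}{API_PATH}", data=body, method="POST")

def op_request(host, api_key, keywords, value=None):
    """type=op request carrying the XML command and the API key."""
    query = urlencode({"type": "op", "cmd": op_cmd_xml(keywords, value), "key": api_key})
    return urllib.request.Request(f"https://{host}{API_PATH}?{query}")

def config_get_request(host, api_key, xpath):
    """type=config&action=get reads part of the configuration selected by XPath."""
    query = urlencode({"type": "config", "action": "get", "xpath": xpath, "key": api_key})
    return urllib.request.Request(f"https://{host}{API_PATH}?{query}")

def parse_response(xml_text):
    """Return the <result> element, or raise with the firewall's own message
    when status != success (e.g. code 403 for bad credentials or a bad key)."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "unspecified error"
        raise RuntimeError(f"API error (code {root.get('code')}): {msg}")
    return root.find("result")

def extract_key(xml_text):
    """Pull the API key out of a keygen response."""
    return parse_response(xml_text).findtext("key")

def system_info(xml_text):
    """Flatten <result><system>...</system></result> of 'show system info' into a dict."""
    return {el.tag: el.text for el in parse_response(xml_text).find("system")}

# Constructed responses in the documented envelope shape (not captured from a device);
# the field values reuse the MGT settings from the CLI example on page 7.
KEYGEN_OK = ('<response status="success"><result>'
             '<key>CONSTRUCTED-API-KEY</key></result></response>')
KEYGEN_BAD = ('<response status="error" code="403"><result>'
              '<msg>Invalid credentials.</msg></result></response>')
SYSINFO_OK = ('<response status="success"><result><system>'
              '<hostname>PA-500</hostname><ip-address>10.30.11.1</ip-address>'
              '<default-gateway>10.30.11.254</default-gateway>'
              '<dns-primary>172.16.20.230</dns-primary></system></result></response>')

if __name__ == "__main__":
    req = keygen_request("10.30.11.1", "admin", "admin")   # default credentials: change them
    print(req.get_method(), req.full_url)                  # the password is not in the URL
    key = extract_key(KEYGEN_OK)
    print(op_request("10.30.11.1", key, ["show", "system", "info"]).full_url)
    print(system_info(SYSINFO_OK))
```

To actually send a request, hand the Request to urllib.request.urlopen with the firewall's management certificate trusted by the client; do not pass an unverified SSL context to make a self-signed certificate "work", since the API key and every configuration read would then be exposed to anyone on the management path. The key returned by keygen is equivalent to the account's password for API purposes, so generate it for a dedicated, least-privilege admin account and store it as a secret.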