8/10/2019 PAN ACE Training: PaloAlto Training Print 01-30
Design and Implementation of the Palo Alto Networks Firewall
PA-EDU-201 rev b
PaloAlto Training print.indd 1, 3/8/10 12:24 PM
Agenda
Day 1
1. Introduction
2. Firewall Deployment
3. Application Control
5. User Identification
Day 2
6. SSL Decryption
7. VPN
8. Advanced Deployment Options
9. Management
10. Data Mining
2009 Palo Alto Networks. Proprietary and Confidential 3.0-a
Introduction
Application Based Firewall
(figure: two flows, both on tcp/443, passing through the firewall)
Evasive Applications
(figure)
- Yahoo Messenger: port 5050 blocked, port 80 open
- PingFU (proxy)
- Bittorrent client: port 6681 blocked
4000 Series Architecture
Flash Matching HW Engine
- Palo Alto Networks uniform signatures
- Multiple memory banks: memory bandwidth scales performance
Multi-Core Security Processor
- High density processing for flexible security functionality
- Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
Dedicated Control Plane
- Highly available management
- High speed logging and route updates
10 Gig Network Processor
- Front-end network processing offloads security processors
- Hardware accelerated QoS, route lookup, MAC lookup and NAT
(block diagram: Control Plane with dual-core CPU, RAM and HDD; Data Plane with the Flash Matching Engine and its RAM banks, security processor cores CPU1 to CPU16 with SSL, IPSec and de-compression offload, and the network processor handling QoS, route/ARP/MAC lookup and NAT)
PA-2000 Series Specifications
- 1U rack-mountable chassis
- Single non-modular power supply
- 80GB hard drive (cold swappable)
- Dedicated out-of-band management port
- RJ-45 console port, user definable HA port

PA-2050: 1 Gbps firewall, 500 Mbps threat prevention, 250,000 sessions, 16 copper gigabit + 4 SFP interfaces
PA-2020: 500 Mbps firewall, 200 Mbps threat prevention, 125,000 sessions, 12 copper gigabit + 2 SFP interfaces
2000 Series Architecture
Flash Matching HW Engine
- Palo Alto Networks uniform signatures
- Multiple memory banks: memory bandwidth scales performance
Multi-Core Security Processor
- High density processing for flexible security functionality
- Hardware acceleration for standardized complex functions (SSL, IPSec)
Dedicated Control Plane
- Highly available management
- High speed logging and route updates
Network Processor (1 Gbps)
- Front-end network processing offloads security processors
- Hardware accelerated route lookup, MAC lookup and NAT
(block diagram: Control Plane with dual-core CPU, RAM and HDD; Data Plane with the Flash Matching Engine and its RAM banks, security processor cores CPU1 to CPU4 with SSL and IPSec offload, and the 1 Gbps network processor handling route/ARP/MAC lookup and NAT)
PA-500 Specifications
PA-500 Architecture
(block diagram: Control Plane and Data Plane)
Single-Pass Parallel Processing (SP3) Architecture
Single Pass
- Operations once per packet
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning: threats, URLs, confidential data
- One policy
Parallel Processing
- Function-specific hardware engines
- Separate data/control planes
Flexible Deployment Options
Visibility
- Application, user and content visibility without inline deployment
Transparent In-Line
- IPS with app visibility & control
- Consolidation of IPS & URL filtering
Firewall Replacement
- Firewall replacement with app visibility & control
- Firewall + IPS
- Firewall + IPS + URL filtering
Thank You
Firewall Deployment
Agenda
Security Zones
L3 Interface Configuration
Security Policy Basics
NAT Policy
Security Zones
Zones represent networks of differing trust levels
(figure: example zones Internet, Data Center, Users, Guests and DMZ, with the traffic paths Internet - DMZ and Internet - Data Center)
Interfaces and Zones
An Interface must be in a Security Zone
A Security Zone can have multiple Interfaces
Interface    Zone      Address
E 1/2        Internet  161.23.4.56
E 1/11       DMZ       172.16.1.254
E 1/12.10    Users     192.168.10.254
E 1/12.20    Users     192.168.20.254
E 1/12.30    VoIP      192.168.30.254
Layer 3 Interfaces
- Provide Routing and NAT Functions
- All L3 interfaces in a Virtual Router share a routing table
- Each L3 interface has an IP Address
(figure: PAN Device with Vrouter A; E1/9 10.1.1.254 to LAN 10.1.1.0, E1/10 192.168.100.254 to DMZ 192.168.100.0, E1/11 12.4.5.77 to Internet)
Virtual Routers
- L3 Interfaces are added to Virtual Routers (VR)
- The VR contains all routing information
  - Static Routes
  - Dynamic Routing Protocol configuration
Configure L3 Interface
(screenshot: fields Interface Type, Zone, Virtual Router, IP Address)
Configuring DHCP Server
(screenshot: select Interface, then IP Address Range and Lease Options)
Introduction to Security Policy
- All traffic going between security zones requires an allow policy
- The policy list is evaluated from the top down
- The first rule that matches the traffic is used
- No further rules are evaluated after the match
Building Blocks of Policy
Address Objects
- Hosts (/32 mask)
- Networks
- Can be named
- Can be added to groups
Users
Applications
- Represent content
- Includes Static and Dynamic Groups
Services
- Represent L4 addresses
Simple Policy Walkthrough
(figure: host 192.168.41.22 behind E 1/2 in zone Users reaching 74.125.19.23 through E 1/1 in zone Internet)
NAT Policy
- Network Address Translation Policies define when and how translation occurs
- Source Translation is commonly used for access to the Internet
- Destination Translation is used to provide external access to servers in the private network
(figure: public IPs on the Internet side, private IPs on the inside)
Source Address Translation
Pre NAT  (from L3-trust -> L3-untrust):  SA 10.1.1.47   DA 4.2.2.2  SP 43778  DP 80
Post NAT (from L3-trust -> L3-untrust):  SA 64.3.1.22   DA 4.2.2.2  SP 1031   DP 80
Destination Address Translation
Pre NAT  (from L3-untrust -> L3-untrust):  SA 12.67.5.2  DA 64.10.11.103   SP 5467  DP 80
Post NAT (from L3-untrust -> L3-trust):    SA 12.67.5.2  DA 192.168.10.100  SP 5467  DP 80
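A runnable model of the two translations above, added here as an example and not taken from the course material. It assumes a constructed routing table, a constructed port allocator that hands out 1031 first, and that the source zone comes from the ingress interface; it shows that a NAT rule is matched on the pre-NAT zone pair and that only the routed, post-NAT destination lands in L3-trust.

```python
import ipaddress
from dataclasses import dataclass, replace
from itertools import count

@dataclass(frozen=True)
class Packet:
    sa: str        # source address
    da: str        # destination address
    sp: int        # source port
    dp: int        # destination port
    src_zone: str  # zone of the ingress interface; NAT never changes it

# Constructed routing table: the Forwarding Lookup step maps a destination address to a zone.
ROUTES = {
    ipaddress.ip_network("10.1.1.0/24"): "L3-trust",
    ipaddress.ip_network("192.168.10.0/24"): "L3-trust",
    ipaddress.ip_network("0.0.0.0/0"): "L3-untrust",
}

def zone_of(addr: str) -> str:
    """Longest-prefix match over ROUTES, returning the zone the address routes to."""
    ip = ipaddress.ip_address(addr)
    best = max((net for net in ROUTES if ip in net), key=lambda net: net.prefixlen)
    return ROUTES[best]

_ports = count(1031)  # constructed allocator; 1031 is the translated port in the slide's table

# NAT rules are matched on the zones as they stand BEFORE translation. The destination zone
# is where the untranslated address routes, so the DNAT rule reads L3-untrust -> L3-untrust.
NAT_RULES = [
    {"from": "L3-trust", "to": "L3-untrust", "dst": None,               # source translation
     "translate": lambda p: replace(p, sa="64.3.1.22", sp=next(_ports))},
    {"from": "L3-untrust", "to": "L3-untrust", "dst": "64.10.11.103",   # destination translation
     "translate": lambda p: replace(p, da="192.168.10.100")},
]

def apply_nat(pkt: Packet) -> tuple:
    """Return (post-NAT packet, pre-NAT zone pair, post-NAT zone pair); first matching rule wins."""
    pre = f"{pkt.src_zone} -> {zone_of(pkt.da)}"
    for rule in NAT_RULES:
        if pre == f"{rule['from']} -> {rule['to']}" and rule["dst"] in (None, pkt.da):
            post = rule["translate"](pkt)
            return post, pre, f"{post.src_zone} -> {zone_of(post.da)}"
    return pkt, pre, pre  # no rule matched: the packet is forwarded untranslated

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.47", "4.2.2.2", 43778, 80, "L3-trust"),
                Packet("12.67.5.2", "64.10.11.103", 5467, 80, "L3-untrust")):
        post, pre, after = apply_nat(pkt)
        print(f"pre  {pre}: {pkt.sa}:{pkt.sp} -> {pkt.da}:{pkt.dp}")
        print(f"post {after}: {post.sa}:{post.sp} -> {post.da}:{post.dp}")
```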
Thank You
Agenda
What is an Application?
Application Control Center (ACC)
Single Pass Architecture and Packet Flow
Application Groups and Filters
Security Policy Examples
Application Override Policy
What is an Application?
(figure: application examples iGoogle, GMail, GTalk, Google Calendar, eMule, UltraSurf, Lotus Notes)
Application Control Center
- Central location to view the state of the Network
Application Identification Components
- Protocol Decoders: detect protocol in protocol; provide context for signatures
- Protocol Decryption: man-in-the-middle SSL decryption
- Application Signatures: detect applications initiating
- Heuristics: use patterns of communication
Application Identification - Signatures
(figure: Protocol Decoders, Decryption and Application Signatures applied in sequence: SSL -> forward proxy -> HTTP -> webex -> Webex desktop sharing, labelled "Mode shift")
Application Identification - Heuristics
(figure: Unknown traffic -> Heuristics (examine communications) -> Encrypted Bittorrent, alongside the Protocol Decoders)
Flow Logic
Initial Packet Processing
- Source Zone / Address
- Forwarding Lookup
- Destination Zone
- NAT Policy
- Security Pre-Policy: check allowed ports
- Session Created
Application
- Check for SSL
- SSL Decryption Policy
- Application Override Policy
- App-ID
Security Policy
- Check Security Policy
- Check Security Profiles (SP3)
Post Policy Processing
- SSL Re-Encrypted
- NAT Applied
- Packet Forwarded
UDP Example
Fields shown: Source Address, Destination Address, Destination Port, Application Data
DNS Query for www.meebo.com
00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00
00 3b d1 26 00 00 80 11 54 18 0a 10 00 6e 0a 00
00 f6 c1 76 00 35 00 27 c7 5a a3 24 01 00 00 01
00 00 00 00 00 00 03 77 77 77 05 6d 65 65 62 6f
03 63 6f 6d 00 00 01 00 01
TCP Example
Fields shown: Source Address, Destination Address, Destination Port, Application Data
HTTP Connection to www.meebo.com
00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45
00 30 d1 29 40 00 80 06 8f 60 0a 10 00 6e d0 51
bf 6e 3a 52 01 bb 31 d7 06 19 00 00 00 00 70 02
ff ff 74 e4 00 00 02 04 05 b4 01 01 04 02
(TCP syn)
(figure: the exchange continues with synack, ack and get; the compressed response payload is labelled Meebo)
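The two dumps above, decoded by an added example that is not part of the course material: it copies the DNS frame byte for byte and the TCP SYN frame with its missing IP header byte restored as 0x00 (an assumption; the printed dump is one byte short), then separates the port-level fields a port-based firewall sees from the application data that App-ID inspects.

```python
import struct
# Frame bytes copied from the deck's "DNS Query for www.meebo.com" dump (Ethernet/IPv4/UDP/DNS).
DNS_FRAME = bytes.fromhex(
    "001b17011020001c2307425f08004500003bd1260000801154180a10006e0a00"
    "00f6c17600350027c75aa3240100000100000000000003777777056d6565626f"
    "03636f6d0000010001"
)
# The deck's TCP SYN dump with the IP header's second byte (0x00) restored; the printed dump
# is one byte short there (assumption: that is the dropped byte).
TCP_SYN_FRAME = bytes.fromhex(
    "001b17011020001c2307425f0800"
    "45000030d129400080068f600a10006ed051bf6e"
    "3a5201bb31d70619000000007002ffff74e40000020405b401010402"
)

def parse_frame(frame: bytes) -> dict:
    """Pull out what a port-based firewall matches on (addresses, ports) plus the L7 payload."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 17:                      # UDP: fixed 8-byte header, payload follows
        payload, flags = l4[8:], None
    elif proto == 6:                     # TCP: data offset sits in the high nibble of byte 12
        payload, flags = l4[(l4[12] >> 4) * 4:], l4[13]
    else:
        raise ValueError(f"unsupported IP protocol {proto}")
    return {"proto": proto, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "tcp_flags": flags, "payload": payload}

def dns_qname(payload: bytes) -> str:
    """Decode the first question name of a DNS message (queries carry no compression pointers)."""
    labels, pos = [], 12               # the 12-byte DNS header precedes the question section
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

if __name__ == "__main__":
    udp = parse_frame(DNS_FRAME)
    print(f"{udp['src']}:{udp['sport']} -> {udp['dst']}:{udp['dport']} udp qname={dns_qname(udp['payload'])}")
    tcp = parse_frame(TCP_SYN_FRAME)
    print(f"{tcp['src']}:{tcp['sport']} -> {tcp['dst']}:{tcp['dport']} tcp flags=0x{tcp['tcp_flags']:02x}")
```

Port 53 and port 443 are all the port-based view yields; the query name and, later in the TCP session, the payload are what the application-based classification works from.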
Sample Common Filters
- Used to cover families of applications
- Frequently used for policies that block traffic
Sample Security Policy Application Groups
Known_Good
- Static Group of Applications: DNS, Web-browsing, SSL, Flash
Known_Bad
- Static Group of filters and applications: Games, IM, P2P, Remote Access, Tunneling
Security Policy Example
- First rule allows specific good applications
- Second rule blocks applications that are obviously unwanted
- Third rule catches all other applications; it could be allow or block depending on the environment
- Administrators track traffic affected by the third rule and add it to Known_Good or Known_Bad
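The three-rule policy above, evaluated top down with first match as the Firewall Deployment module describes, as an added example that is not the course's own code. It assumes a constructed App-ID catalogue and the zone names from the walkthrough slide; besides evaluating, it collects what the catch-all rule has passed for review and reports rules that an earlier catch-all makes unreachable.

```python
from dataclasses import dataclass, field
# Constructed App-ID catalogue (application -> category); a Known_Bad "filter" selects
# every application whose category equals the filter name.
APP_CATEGORY = {"dns": "networking", "web-browsing": "general-internet", "ssl": "encrypted-tunnel",
                "flash": "media", "bittorrent": "p2p", "yahoo-im": "im",
                "webex": "collaboration", "unknown-tcp": "unknown"}

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    members: set   # application names, filter (category) names, or "any"
    action: str    # "allow" or "deny"
    seen: set = field(default_factory=set)   # applications that have hit this rule

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        if self.src_zone not in ("any", src_zone) or self.dst_zone not in ("any", dst_zone):
            return False
        category = APP_CATEGORY.get(app, "unknown")
        return "any" in self.members or app in self.members or category in self.members

# The deck's three-rule policy: allow Known_Good, block Known_Bad, then a catch-all.
POLICY = [
    Rule("allow-known-good", "Users", "Internet", {"dns", "web-browsing", "ssl", "flash"}, "allow"),
    Rule("block-known-bad", "Users", "Internet", {"games", "im", "p2p", "remote-access", "tunneling"}, "deny"),
    Rule("catch-all", "Users", "Internet", {"any"}, "allow"),
]

def evaluate(policy: list, src_zone: str, dst_zone: str, app: str) -> tuple:
    """Top down, first match wins; nothing after the matching rule is evaluated."""
    for rule in policy:
        if rule.matches(src_zone, dst_zone, app):
            rule.seen.add(app)
            return rule.action, rule.name
    return "deny", "no-rule"   # constructed default when no rule matches

def catch_all_review(policy: list) -> set:
    """Applications the catch-all has handled so far: candidates for Known_Good or Known_Bad."""
    return {app for rule in policy if "any" in rule.members for app in rule.seen}

def shadowed(policy: list) -> list:
    """Rules that can never match because an earlier 'any' rule already covers their zones."""
    out, covering = [], []
    for rule in policy:
        if any(c.src_zone in ("any", rule.src_zone) and c.dst_zone in ("any", rule.dst_zone) for c in covering):
            out.append(rule.name)
        if "any" in rule.members:
            covering.append(rule)
    return out
```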
User Defined Application Usage
Application Override
- Bypasses App-ID for internal port based applications
Customizing Application Settings
- Changing time out
- Adjusting Risk
Defining New HTTP Applications
- New App-ID signatures for specific HTTP based applications
- User defined regexp
- Contextual signature engine