1. Architecture

1.1. Architecture

1.1.1. Dedicated Processing chip for NP and SP

2. HW - Osprey

2.1. HW - Osprey Venti

3. Any encrypted traffic that’s not being decrypted (SSL/SSH)

4. FW 1 Gbps

5. Administration Management

5.1. Account Administration

5.1.1. Scopes; Multiple admins; Logged in Configuration and System Log; External authentication; Local DB; RADIUS; AD; LDAP; Kerberos; User certificates; Abilities; Device-level account; Virtual System-level account

5.1.2. Server Profiles: connect the FW to the servers that need to be contacted when authenticating users

5.1.3. Authentication Profiles, Sequences. Authentication Profiles: for accounts that are not local. Sequences: when there are multiple sources of authentication

5.1.4. Web UI and XML Permissions: admin role; Web GUI; XML; CLI

5.1.5. CLI Permissions: superuser; superreader; deviceadmin; devicereader

5.2. Creating Administrator accounts

5.2.1. Role. Dynamic: user rights defined in built-in roles. Role-based: user-defined role

5.2.2. Demo: integrating with RADIUS; Server Profile; Authentication Sequence; RADIUS server fail

5.3. Configuration Management

5.3.1. Configuration types. Candidate config: becomes running after commit. Running config

5.3.2. Commit operation: Granular config; Device and Network config; Object and Policy; Task; Validate; Save; Version#, date/time

5.3.3. Transaction Lock. Config lock: blocks other users from making changes to the config. Commit lock: blocks other admins from committing changes

5.3.4. Config Management Demo: Device > Setup > Operations

5.3.5. Auditing Demo: Device > Config Audit

5.3.6. Demo: Config lock; Commit lock

5.4. PAN-OS Dynamic Updates

5.4.1. Licensing: Device > Support; Device > License; Threat Prevention; Decryption Port Mirroring; URL Filtering; Virtual System; GlobalProtect; WildFire

5.4.2. Dynamic Updates (Device > Dynamic Updates): antivirus signature; Applications; Application and Threat; URL filtering DB; GlobalProtect Data; WildFire

5.4.3. Software Update (Device > Software). The base release (.0) must be downloaded prior to installing the maintenance release. Application and Threats dynamic updates must be performed first, to the recent package

5.4.4. Power Operations: Device > Setup > Operations

5.5. HSM

5.5.1. Hardware Security Module: SafeNet Luna SA; Thales nShield Connect

5.6. Session Settings and Timeout

5.6.1. TCP init (5s): session timeout before SYN-ACK is received

5.6.2. TCP half closed (120s): triggered by 1st FIN

5.6.3. TCP time wait (15s): triggered by 2nd FIN; value < TCP half closed

5.6.4. Global settings: used by all apps. Timer settings at app level override global settings

5.6.5. Unverified RST

5.6.6. Config: Device > Setup > Sessions. CLI: show session info | match timeout

6. Interface Configuration

7. L3 Configuration

8. Platform and Architecture

8.1. PA-200 (Merlin)

8.1.1. Small and Medium Enterprise. FW throughput 100 Mbps, 1000 sessions per sec; Threat Prevention 50 Mbps; 64000 max sessions; 1000 sessions per sec; (4) 10/100/1000 Mbps interfaces; 25 IPSec VPN tunnels; 25 GlobalProtect; 10 security zones; 250 max number of policies

8.1.2. Architecture. Control Plane: Management. Data Plane: Signature Matching; Security Processing; Network Processing; Resources

8.1.3. HW

8.1.4. Differences: HA lite A/P; use MGMT port as HA1; no HA2; no link aggregation; no vsys

8.2. PA-500 (Peregrine)

8.2.1. Medium-Enterprise networks. FW throughput 250 Mbps; Threat Prevention 100 Mbps; 64000 max sessions; 7500 sessions per sec; (8) 10/100/1000 interfaces; 250 IPSec VPN tunnels; 100 GlobalProtect; 20 security zones; 1000 max number of policies

8.2.2. Medium to Large branch offices

8.2.3. Architecture. Control Plane: Configuration; Logging; Reporting; Resources. Data Plane: Signature Matching; Security Processing; Network Processing; Resources. No FPGA chips

8.2.4. Specs

8.3. PA-2000 series (Kestrel)

8.3.1. PA-2020 Specifications: (12) 10/100/1000 interfaces, (2) Gigabit SFP; Throughput; 125000 max sessions; 1000 IPSec VPN tunnels; 1/6 virtual systems (base / max2); 40 security zones; 2500 max number of policies

8.3.2. PA-2050 Specifications: (16) 10/100/1000 interfaces, (4) Gigabit SFP; Throughput; 250000 max sessions; 2000 IPSec VPN tunnels; 1/6 virtual systems (base/max); 40 security zones; 5000 max number of policies

8.3.3. High Speed Networks of Medium to Large branch

8.3.4. Going to EOS 30 April 2015

8.3.5. HW

8.4. PA-3000 series

8.4.1. 3060: front-to-back airflow; redundant power supply; 2x 10G SFP

8.4.2. Specs

8.5. PA-4000 series (Falcon)

8.5.1. EOS

8.5.2. Specs

8.6. PA-5000 series (Hawk)

8.6.1. HW

8.6.2. Switch Fabric: 80 Gbps; QoS: 20 Gbps

8.6.3. Specs Architecture 5060

8.7. PA-7050 (Condor)

8.7.1. HW

8.8. PA-7080

8.8.1. HW

8.9. Performance

8.9.1. Intranet

8.10. Next Gen Appliances Malware Management

8.10.1. WildFire. WF-500: for organizations that prefer not to use the public cloud; identifies, analyzes and blocks unknown malware. Public Cloud Service

8.10.2. Panorama. M-100: centralized management and logging functions. Virtual Panorama

8.10.3. Virtualized Firewalls Gateway: VM-100; VM-200; VM-300; VM-1000-HC; VM-1000-HV; For NSX

8.10.4. GP100 Mobile Security Management

8.11. Single-Pass Architecture (SP3)

8.11.1. Single Pass: operations once per packet; traffic classification (app identification); user/group mapping; content scanning (threats, URLs, confidential data); one policy; stream based

8.11.2. Parallel Processing: function-specific parallel processing hardware engines; separate data / control planes

8.11.3. SP3 Engine: each of the protection features utilizes the same stream-based signature format; AntiVirus; Spyware; Vulnerability Protection; Key processing; Networking and management; App-ID; Content-ID; User-ID; Policy Engine

8.11.4. Control Plane and Data Plane

8.11.5. The Evolution of SP3 Architecture

8.11.6. Flow Logic

8.11.7. FastPath: any traffic that does not perform application shifts and has no known threats; any network protocols (OSPF, BGP, RIP); during Application Override (bypasses the application engine)

8.11.8. Discarded packet: L3 (IPv4, IPv6); L4

8.12. Initial Config

8.12.1. MGMT IP : username/password : admin/admin

8.12.2. CLI. Configuration Mode (# prompt): set deviceconfig system; show job processed. Operation Mode (> prompt): configure

8.13. GUI Interface

8.13.1. Navigation. Monitoring Function: Dashboard; ACC; Monitor. Configuration: Policies; Objects; Network; Device. Task. Help: Administration Guide. Language. GUI errors: Red, Yellow highlights

8.14. CLI

8.14.1. Modes. Operation: commands execute immediately. Configuration: changes are stored in memory until committed

8.14.2. Tools: pipe (|) with match, except

8.14.3. Find: find command keyword "vpn"

8.14.4. Debugs: debug management-server on debug

8.14.5. Logs

8.15. API

8.15.1. Allows an external system to execute commands remotely on a PAN FW or Panorama server

8.15.2. https://hostname/api: REST API browser

8.15.3. Demo: change dns-server (Device > Service); commit via XML API

9. Terminology

9.1. APT

9.1.1. Advanced Persistent Threat

9.2. ASIC

9.2.1. Application Specific Integrated Circuits

9.3. C&C Server

9.3.1. Command and Control

9.4. CIM

9.4.1. Common Information Model

9.5. CVE

9.5.1. Common Vulnerabilities and Exposures

9.6. DGA

9.6.1. Domain Generation Algorithm

9.7. DSRI

9.7.1. Disable Server Response Inspection

9.8. EC2

9.8.1. Amazon - Elastic Compute Cloud

9.9. FPGA

9.9.1. Field Programmable Gate Array

9.10. HSM

9.10.1. Hardware Security Module

9.11. Juniper UAC

9.11.1. Unified Access Control

9.12. LPC

9.12.1. Log Processing Card 7050

9.13. Obfuscation

9.13.1. the hiding of intended meaning in communication, making communication confusing

9.14. PFS

9.14.1. Perfect Forward Secrecy

9.15. SSD

9.15.1. Solid State Storage Device: introduced in the new architecture (PA-5000); PA-4000 has HDD

9.16. SLAAC

9.16.1. Stateless Address Auto-Configuration

9.17. WMI

9.17.1. Windows Management Instrumentation