[[wikipedia:PAN-OS]] is software running on [[Firewall/Palo Alto PA-Series|Palo Alto firewalls]].<ref>https://docs.paloaltonetworks.com/pan-os</ref>

== Features ==
* [[Firewall]] capabilities: [[Flood protection]]
* [[QoS]]
* [[URL Filtering]] (License based)
* [[File blocking]]
* [[GlobalProtect]] Gateway ([[VPN]]) (License based)
* [[packet inspection]]
* [[Threat prevention]] ([[WildFire]]) (License based); features: https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-90.html
* PAN-OS authentication methods: [[Kerberos]], [[RADIUS]], [[LDAP]], [[SAML]] 2.0, client certificates, biometric sign-in, and a local user database
* PAN-OS daemons: [[RASMGR]], [[SSLMGR]], [[SATD]], [[IDE]], [[Route]] and [[IKE]]

== PAN-OS CLI ==
* <code>configure</code>
* <code>commit</code>
* <code>find command</code>
* <code>show</code>
* <code>[[show session all]]</code>
* <code>[[show session info]]</code>
* <code>[[show system info]]</code> (includes the <code>sw-version</code> output and the [[serial]] number)
* <code>[[show system state]]</code>
* <code>[[show system resources]]</code>
* <code>show system disk-space files</code>
* <code>less mp-log authd.log</code>
* <code>[[show routing route]]</code>
* <code>[[show running]] [[nat]]-policy</code> (See also: https://en.wikiversity.org/wiki/Cisco_Networking/CCENT/Network_Services#NAT_Configuration)
* <code>[[show running security-policy]]</code>
* <code>[[show counter]] global filter delta yes packet-filter yes</code>
* <code>show jobs id x</code>
* <code>edit rulebase security</code>
* <code>edit rulebase nat</code>

===[[VPN]]===
{{show vpn TOC}}
* <code>show [[VPN|vpn]] flow</code>
* <code>show [[VPN|vpn]] gateway</code>
* <code>show [[VPN|vpn]] ike-sa</code>
* <code>show [[VPN|vpn]] ipsec-sa</code>
* <code>show [[VPN|vpn]] tunnel</code>

[[PVST+]] commands

===Troubleshooting===
*<code>[[ping]] host <destination-ip-address></code>
*<code>ping source <ip-address-on-dataplane> host <destination-ip-address></code>
*<code>show [[netstat]] statistics yes</code>
*<code>test authentication authentication-profile <AUTHENTICATION-PROFILE-NAME> username <USERNAME> password</code>

===[[Panorama]]===
*<code>show log-collector preference-list</code>
*<code>show logging-status device <firewall-serial-number></code>

===Logs===
* <code>[[show log config]]</code>
** <code>[[show log config cmd equal commit]]</code>
** <code>[[show log config csv-output equal yes]]</code>
* <code>[[show log system]]</code>

===[[Wildfire]]===
* <code>[[show wildfire]] wf-vm-pe-utilization</code>
* <code>show wildfire wf-vm-doc-utilization</code>
* <code>show wildfire wf-vm-elinkda-utilization</code>
* <code>show wildfire wf-vm-archive-utilization</code>
* <code>show wildfire global sample-device-lookup sha256 equal <SHA_256></code>
* <code>show wildfire local sample-processed {time [last-12-hrs | last-15-minutes | last-1-hr | last-24-hrs | last-30-days | last-7-days | last-calender-day | last-calender-month] \ count <number_of_samples>}</code>

=== Rules ===
* <code>set rulebase security rules YOUR_RULES_NAMES from Untrust to Trust source any destination any application any service any action allow</code>
* <code>move rulebase security rules YOUR_RULE_NAME top</code>
* <code>move rulebase security rules YOUR_RULE_NAME before YOUR_OTHER_RULE_NAME</code>
* <code>delete rulebase security rules YOUR_RULE_NAME</code>

[[NAT]] (Valid actions: top, bottom, before, after)
* <code>set rulebase [[nat]] rules YOUR_RULE_NAME source-translation dynamic-ip-and-port interface-address interface ethernet1/2</code>
* <code>move rulebase nat rules YOUR_RULE_NAME top</code>
* <code>delete rulebase nat rules YOUR_RULE_NAME</code>

=== PAN-OS Releases ===
* PAN-OS 9.0 (Release Notes: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-release-notes.html)
** Easy transition of your legacy rulebase to a best-practice, application-based rulebase
** Strict Enforcement of Standard Ports
** Real-Time Enforcement and Expanded Capacities for DAGs
** [[Panorama]] can now manage up to 5,000 firewalls
** Multi-Category and Risk-Based URL Filtering
** DNS Security Service
** Policy Match and Connectivity Tests from the Web Interface
** [[HTTP/2]] Inspection
** Consolidated Deployment for [[GlobalProtect]] Portals and Gateways
* PAN-OS 8.0 End-of-life on October 31, 2019
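The security rulebase commands under Rules above are order-sensitive (the firewall evaluates rules top-down and stops at the first match), and the sample <code>set</code> rule is an any/any/any allow from Untrust to Trust. The following Python script is an added example, not code from PAN-OS or from this page: it parses <code>set rulebase ... rules</code> and <code>move rulebase ... rules</code> commands in the syntax shown above (including the bracketed <code>[ a b ]</code> list form), rejects any move action outside the four valid ones listed, simulates the resulting rule order, and flags allow rules that match more than intended together with the later rules they shadow. The rule names and commands in <code>SAMPLE_SET</code> and <code>SAMPLE_MOVE</code> are constructed sample input.

```python
"""Lint PAN-OS security-rulebase set-commands and simulate rule ordering.
Added example, not PAN-OS or wiki code: it understands only the 'set rulebase ... rules'
and 'move rulebase ... rules' syntax shown on this page; SAMPLE_* are constructed input."""
import shlex

RULE_KEYS = {"from", "to", "source", "destination", "application", "service",
             "action", "source-user", "category"}  # subset of PAN-OS keywords
VALID_MOVE_ACTIONS = {"top", "bottom", "before", "after"}  # as listed on the page

def parse_set_rule(cmd):
    """'set rulebase <type> rules <name> key value ...' -> dict. A value is one
    token or a bracketed list '[ a b ]'; values are always stored as lists."""
    t = shlex.split(cmd)
    if t[:2] != ["set", "rulebase"] or len(t) < 5 or t[3] != "rules":
        raise ValueError(f"not a rulebase set-command: {cmd!r}")
    rule, i = {"name": t[4]}, 5
    while i < len(t):
        key = t[i]
        if key not in RULE_KEYS or i + 1 >= len(t):
            raise ValueError(f"bad or valueless keyword {key!r} in {cmd!r}")
        if t[i + 1] == "[":
            close = t.index("]", i + 1)  # ValueError if the list is unterminated
            rule[key], i = t[i + 2:close], close + 1
        else:
            rule[key], i = [t[i + 1]], i + 2
    return rule

def lint_rule(rule):
    """Findings for an allow rule that matches more than it should."""
    findings = []
    if rule.get("action") != ["allow"]:
        return findings
    wide = {k for k in ("source", "destination", "application", "service")
            if rule.get(k) == ["any"]}
    if len(wide) == 4:
        findings.append("any/any/any allow: permits all traffic between the zones")
    elif {"application", "service"} <= wide:
        findings.append("application any + service any: no app or port restriction")
    if rule.get("from") == ["any"] and rule.get("to") == ["any"]:
        findings.append("from any to any: rule is not zone-scoped")
    return findings

def parse_move(cmd):
    """'move rulebase <type> rules <name> <action> [<other_rule>]' -> dict."""
    t = cmd.split()
    if t[:2] != ["move", "rulebase"] or len(t) < 6 or t[3] != "rules":
        raise ValueError(f"not a rulebase move-command: {cmd!r}")
    action = t[5]
    if action not in VALID_MOVE_ACTIONS:
        raise ValueError(f"invalid move action {action!r}; valid: {sorted(VALID_MOVE_ACTIONS)}")
    needs_ref = action in ("before", "after")  # these two take a reference rule
    if len(t) != (7 if needs_ref else 6):
        raise ValueError(f"wrong argument count for {action!r}: {cmd!r}")
    return {"name": t[4], "action": action, "ref": t[6] if needs_ref else None}

def apply_moves(order, moves):
    """Rule order after applying parsed move commands in sequence."""
    order = list(order)
    for m in moves:
        order.remove(m["name"])  # ValueError if the rule does not exist
        if m["action"] == "top":
            order.insert(0, m["name"])
        elif m["action"] == "bottom":
            order.append(m["name"])
        else:
            idx = order.index(m["ref"])  # ValueError if the reference rule is unknown
            order.insert(idx if m["action"] == "before" else idx + 1, m["name"])
    return order

def audit(set_cmds, move_cmds=()):
    """Parse, order and lint; returns (final_order, {rule_name: findings}). Rules match
    top-down, first hit wins, so an any/any/any allow shadows later rules for its zone pair."""
    rules = {r["name"]: r for r in map(parse_set_rule, set_cmds)}  # keeps entry order
    order = apply_moves(list(rules), [parse_move(c) for c in move_cmds])
    report = {}
    for pos, name in enumerate(order):
        findings = lint_rule(rules[name])
        if findings and findings[0].startswith("any/any/any"):
            zones = (rules[name].get("from"), rules[name].get("to"))
            shadowed = [n for n in order[pos + 1:]
                        if (rules[n].get("from"), rules[n].get("to")) == zones]
            if shadowed:
                findings.append("shadows later rule(s) for the same zone pair: " + ", ".join(shadowed))
        if findings:
            report[name] = findings
    return order, report

SAMPLE_SET = [  # constructed rulebase, in the order the rules were entered
    "set rulebase security rules web-out from Trust to Untrust source [ 10.0.0.0/8 ] destination any application [ web-browsing ssl ] service application-default action allow",
    "set rulebase security rules deny-all from any to any source any destination any application any service any action deny",
    "set rulebase security rules temp-allow from Untrust to Trust source any destination any application any service any action allow",
    "set rulebase security rules dmz-in from Untrust to Trust source any destination [ 192.0.2.10 ] application ssl service service-https action allow",
]
SAMPLE_MOVE = ["move rulebase security rules temp-allow top", "move rulebase security rules deny-all bottom"]

if __name__ == "__main__":
    final_order, report = audit(SAMPLE_SET, SAMPLE_MOVE)
    print("final rule order:", " > ".join(final_order))
    for name, findings in report.items():
        for f in findings:
            print(f"{name}: {f}")
```

Run on the constructed sample, the final order is <code>temp-allow > web-out > dmz-in > deny-all</code>, and the only rule reported is <code>temp-allow</code>: it is the same any/any/any allow as the page's sample rule, and because the move put it at the top it also shadows <code>dmz-in</code>, the tighter Untrust-to-Trust rule below it. Running such a check over the output of <code>show running security-policy</code> before a <code>commit</code> is the kind of guardrail that catches a temporary allow rule left in place.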
=== [[GlobalProtect]] ===
{{GlobalProtect commands}}
GlobalProtect gateway show options:
* <code>current-satellite</code>: Show current GlobalProtect gateway satellites
* <code>current-user</code>: Show current GlobalProtect gateway users
* <code>flow</code>: Show dataplane GlobalProtect gateway tunnel information
* <code>flow-site-to-site</code>: Show dataplane GlobalProtect site-to-site gateway tunnel information
* <code>gateway</code>: Show list of GlobalProtect gateway configuration
* <code>previous-satellite</code>: Show previous GlobalProtect gateway satellites
* <code>previous-user</code>: Show previous user session for GlobalProtect gateway users

=== [[License]] ===
* <code>[[request license info]]</code>

=== Others ===
* <code>[[set]] cli [[pager]] off</code>

== Activities ==
=== Basic ===
* Review additional PAN-OS examples: https://www.thegeekstuff.com/2019/06/paloalto-cli-security-nat-policy/
* Create a [[backup]] of your configuration: https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/9-1/pan-os-admin/firewall-administration/manage-configuration-backups.html
* Read the PAN-OS 9.0 Administration guide:
** https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/9-0/pan-os-admin/pan-os-admin.pdf
** https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin
* Read the PAN-OS 9.0 New Features guide (https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features.html), for example the Rule Changes Archive<ref>https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/management-features/rule-changes-archive.html</ref>
* Read the [[PAN-OS Release Notes]], for example PAN-OS 7.1: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-release-notes/pan-os-7-1-release-information/features-introduced-in-pan-os-7-1
* Review the PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/cli-cheat-sheets.html
* Read the Palo Alto basics of [[Palo Alto traffic monitoring filtering]]: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSlCAK
* Review https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/9-0/pan-os-cli-quick-start/pan-os-cli-quick-start.pdf
* Read https://weberblog.net/cli-commands-for-troubleshooting-palo-alto-firewalls/

=== Intermediate ===
* Create [[IPSec]] [[VPN]] access in tunnel mode (transport mode is not supported): https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK
* Configure [[MFA]]: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html
* Configure [[PAN-OS syslog]]
* Read about the [[PAN-OS]] [[Port Scan]] triggering method in zone protection profiles: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljjCAC

[[NAT]]
* General overview: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC
* Configure host destination NAT: https://www.youtube.com/watch?v=ocnNiNW7jDE&list=PLD6FJ8WNiIqWPjNPk5Oi1TxE7SJnoPr-D#action=share
* Destination host example (one-to-one mapping): https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
* Destination host with port translation: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-with-port-translation-example.html
* Configure SSH [[Port forwarding]]: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW
* [[PAN-OS Packet Capture]]

== Related terms ==
* [[Mobile Device Management (MDM)]]
* [[HIP]]
* <code>[[neq]]</code>
* <code>[[less]] mp-log authd.log</code>
* <code>[[ansible-galaxy collection install paloaltonetworks.panos]]</code>
* [[PAN-OS reports]]
* [[External Dynamic List (EDL)]]

== See also ==
{{Firewalls}}
* {{PAN-OS}}
* {{Networking OS}}
* [[Terraform]] PAN-OS: https://www.terraform.io/docs/providers/panos/index.html

[[Category:Firewalls]]
[[Category:IT]]

Manual: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin.html

Draft - Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. https://en.wikiversity.org/wiki/Draft:Firewall/Palo_Alto_PA-Series/PAN-OS

Latest revision as of 08:16, 31 August 2021
