Difference between revisions of "PAN-OS"
(35 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | PAN-OS is software running on [[Firewall/Palo Alto PA-Series|Palo Alto firewalls]].<ref>https://docs.paloaltonetworks.com/pan-os</ref> | + | [[wikipedia:PAN-OS]] is software running on [[Firewall/Palo Alto PA-Series|Palo Alto firewalls]].<ref>https://docs.paloaltonetworks.com/pan-os</ref>. |
− | * [[Firewall]] capabilities | + | |
+ | |||
+ | == Features == | ||
+ | * [[Firewall]] capabilities: [[Flood protection]] | ||
* [[QoS]] | * [[QoS]] | ||
− | * [[URL Filtering]] | + | * [[URL Filtering]] (License based) |
− | * [[GlobalProtect]] ([[VPN]]) | + | * [[File blocking]] |
+ | * [[GlobalProtect]] Gateway ([[VPN]]) (License based) | ||
* [[packet inspection]] | * [[packet inspection]] | ||
− | * [[ | + | * [[Threat prevention]] ([[WildFire]]) (License based), features: https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-90.html |
* PAN-OS authentication methods: [[Kerberos]], [[RADIUS]], [[LDAP]], [[SAML]] 2.0, client certificates, biometric sign-in, and a local user database | * PAN-OS authentication methods: [[Kerberos]], [[RADIUS]], [[LDAP]], [[SAML]] 2.0, client certificates, biometric sign-in, and a local user database | ||
* PAN-OS daemons: [[RASMGR]], [[SSLMGR]], [[SATD]], [[IDE]], [[Route]] and [[IKE]] | * PAN-OS daemons: [[RASMGR]], [[SSLMGR]], [[SATD]], [[IDE]], [[Route]] and [[IKE]] | ||
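Review bot: the new intro line ends `</ref>.` with a full stop both before the `<ref>` and after it, so the rendered text reads "firewalls.[1]."; drop the period after `</ref>`.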
Line 16: | Line 20: | ||
* <code>show</code> | * <code>show</code> | ||
* <code>[[show session all]]</code> | * <code>[[show session all]]</code> | ||
− | * <code>[[show system info]]</code> (Includes <code>sw-version</code> output) | + | * <code>[[show session info]]</code> |
− | * <code>show system state</code> | + | * <code>[[show system info]]</code> (Includes <code>sw-version</code> output and [[serial]]) |
+ | * <code>[[show system state]]</code> | ||
+ | * <code>[[show system resources]]</code> | ||
* <code>show system disk-space files</code> | * <code>show system disk-space files</code> | ||
* <code>less mp-log authd.log</code> | * <code>less mp-log authd.log</code> | ||
* <code>[[show routing route]]</code> | * <code>[[show routing route]]</code> | ||
− | * <code>show running [[nat]]-policy</code> (See also: https://en.wikiversity.org/wiki/Cisco_Networking/CCENT/Network_Services#NAT_Configuration) | + | * <code>[[show running]] [[nat]]-policy</code> (See also: https://en.wikiversity.org/wiki/Cisco_Networking/CCENT/Network_Services#NAT_Configuration) |
− | * <code>show running security-policy</code> | + | * <code>[[show running security-policy]]</code> |
+ | * <code>[[show counter]] global filter delta yes packet-filter yes</code> | ||
* <code>show jobs id x</code> | * <code>show jobs id x</code> | ||
* <code>edit rulebase security</code> | * <code>edit rulebase security</code> | ||
* <code>edit rulebase nat</code> | * <code>edit rulebase nat</code> | ||
− | [[VPN]] | + | |
+ | ===[[VPN]]=== | ||
{{show vpn TOC}} | {{show vpn TOC}} | ||
[[PVST+]] commands | [[PVST+]] commands | ||
− | Troubleshooting | + | ===Troubleshooting=== |
*<code>[[ping]] host <destination-ip-address></code> | *<code>[[ping]] host <destination-ip-address></code> | ||
*<code>ping source <ip-address-on-dataplane> host <destination-ip-address></code> | *<code>ping source <ip-address-on-dataplane> host <destination-ip-address></code> | ||
*<code>show [[netstat]] statistics yes</code> | *<code>show [[netstat]] statistics yes</code> | ||
+ | *<code>test authentication authentication-profile <AUTHENTICATION-PROFILE-NAME> username <USERNAME> password</code> | ||
− | [[Panorama]] | + | ===[[Panorama]]=== |
*<code>show log-collector preference-list</code> | *<code>show log-collector preference-list</code> | ||
*<code>show logging-status device <firewall-serial-number></code> | *<code>show logging-status device <firewall-serial-number></code> | ||
− | Logs | + | ===Logs=== |
* <code>[[show log config]]</code> | * <code>[[show log config]]</code> | ||
** <code>[[show log config cmd equal commit]]</code> | ** <code>[[show log config cmd equal commit]]</code> | ||
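Review bot: the linking convention in the CLI list is inconsistent: `[[show running]] [[nat]]-policy` links the command in pieces while the next entry `[[show running security-policy]]` links the whole command as one page; pick one style so the two entries resolve to comparable pages.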
Line 47: | Line 56: | ||
* <code>[[show log system]]</code> | * <code>[[show log system]]</code> | ||
− | [[Wildfire]] | + | ===[[Wildfire]]=== |
* <code>[[show wildfire]] wf-vm-pe-utilization</code> | * <code>[[show wildfire]] wf-vm-pe-utilization</code> | ||
* <code>show wildfire wf-vm-doc-utilization</code> | * <code>show wildfire wf-vm-doc-utilization</code> | ||
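Review bot: the new heading `===[[Wildfire]]===` spells the product differently from `[[WildFire]]` in the Features list; MediaWiki link targets are case-sensitive past the first character, so these two links point at different pages. Use one spelling for both.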
Line 65: | Line 74: | ||
* <code>move rulebase nat rules YOUR_RULE_NAME top</code> | * <code>move rulebase nat rules YOUR_RULE_NAME top</code> | ||
* <code>delete rulebase nat rules YOUR_RULE_NAME</code> | * <code>delete rulebase nat rules YOUR_RULE_NAME</code> | ||
+ | |||
+ | === [[GlobalProtect]] === | ||
+ | {{GlobalProtect commands}} | ||
+ | |||
+ | |||
+ | === [[License]] === | ||
+ | * <code>[[request license info]]</code> | ||
+ | |||
+ | === Others === | ||
+ | * <code>[[set]] cli [[pager]] off</code> | ||
== Activities == | == Activities == | ||
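Review bot: heading style drifts within this hunk: `=== [[GlobalProtect]] ===` and `=== [[License]] ===` put spaces inside the `===` markers while the earlier subsections (`===[[VPN]]===`, `===Troubleshooting===`) do not, and `{{GlobalProtect commands}}` is followed by two blank lines where one is used elsewhere. Normalise to the existing unspaced form and a single blank line.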
Line 84: | Line 103: | ||
* Create a [[IPSec]] [[VPN]] access in tunnel mode (transport mode not supported): https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK | * Create a [[IPSec]] [[VPN]] access in tunnel mode (transport mode not supported): https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK | ||
* Configure [[MFA]]: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html | * Configure [[MFA]]: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html | ||
− | * Configure [[syslog]] | + | * Configure [[PAN-OS syslog]] |
* Read [[PAN-OS]] [[Port Scan]] Triggering method in zone protection profile: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljjCAC | * Read [[PAN-OS]] [[Port Scan]] Triggering method in zone protection profile: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljjCAC | ||
Line 93: | Line 112: | ||
* Destination host with port: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-with-port-translation-example.html | * Destination host with port: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-with-port-translation-example.html | ||
* Configure ssh [[Port forwarding]] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW | * Configure ssh [[Port forwarding]] https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW | ||
− | + | * [[PAN-OS Packet Capture]] | |
== Related terms == | == Related terms == | ||
* [[Mobile Device Management (MDM)]] | * [[Mobile Device Management (MDM)]] | ||
− | + | * [[HIP]] | |
+ | * <code>[[neq]]</code> | ||
+ | * [[less]] mp-log authd.lo</code> | ||
+ | * <code>[[ansible-galaxy collection install paloaltonetworks.panos]]</code> | ||
+ | * [[PAN-OS reports]] | ||
+ | * [[External Dynamic List (EDL)]] | ||
== See also == | == See also == |
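Review bot: `* [[less]] mp-log authd.lo</code>` has a closing `</code>` with no opening tag and drops the final `g` of `authd.log` compared with the `less mp-log authd.log` entry already in the CLI list; fix the tag and the filename, or drop the duplicate. The `[[neq]]` and `ansible-galaxy collection install paloaltonetworks.panos` entries are commands rather than terms and fit the CLI section better than "Related terms".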
Latest revision as of 08:16, 31 August 2021
PAN-OS is software running on Palo Alto firewalls.[1]
Features
- Firewall capabilities: Flood protection
- QoS
- URL Filtering (License based)
- File blocking
- GlobalProtect Gateway (VPN) (License based)
- packet inspection
- Threat prevention (WildFire) (License based), features: https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-90.html
- PAN-OS authentication methods: Kerberos, RADIUS, LDAP, SAML 2.0, client certificates, biometric sign-in, and a local user database
- PAN-OS daemons: RASMGR, SSLMGR, SATD, IDE, Route and IKE
PAN-OS CLI
- configure
- commit
- find command
- show
- show session all
- show session info
- show system info (Includes sw-version output and serial)
- show system state
- show system resources
- show system disk-space files
- less mp-log authd.log
- show routing route
- show running nat-policy (See also: https://en.wikiversity.org/wiki/Cisco_Networking/CCENT/Network_Services#NAT_Configuration)
- show running security-policy
- show counter global filter delta yes packet-filter yes
- show jobs id x
- edit rulebase security
- edit rulebase nat
VPN
- PVST+ commands
Troubleshooting
- ping host <destination-ip-address>
- ping source <ip-address-on-dataplane> host <destination-ip-address>
- show netstat statistics yes
- test authentication authentication-profile <AUTHENTICATION-PROFILE-NAME> username <USERNAME> password
Panorama
- show log-collector preference-list
- show logging-status device <firewall-serial-number>
Logs
Wildfire
- show wildfire wf-vm-pe-utilization
- show wildfire wf-vm-doc-utilization
- show wildfire wf-vm-elinkda-utilization
- show wildfire wf-vm-archive-utilization
- show wildfire global sample-device-lookup sha256 equal <SHA_256>
- show wildfire local sample-processed {time [last-12-hrs | last-15-minutes | last-1-hr | last-24-hrs | last-30-days | last-7-days | last-calender-day | last-calender-month] \ count <number_of_samples>}
Rules
- set rulebase security rules YOUR_RULE_NAME from Untrust to Trust source any destination any application any service any action allow
- move rulebase security rules YOUR_RULE_NAME top
- move rulebase security rules YOUR_RULE_NAME before YOUR_OTHER_RULE_NAME
- delete rulebase security rules YOUR_RULE_NAME
NAT (Valid actions: top, bottom, before, after)
- set rulebase nat rules YOUR_RULE_NAME source-translation dynamic-ip-and-port interface-address interface ethernet1/2
- move rulebase nat rules YOUR_RULE_NAME top
- delete rulebase nat rules YOUR_RULE_NAME
GlobalProtect
- show global-protect-gateway current-user
- show global-protect-gateway previous-user
- show global-protect-gateway gateway
- show global-protect-gateway flow
[2]
- current-satellite Show current GlobalProtect gateway satellites
- current-user Show current GlobalProtect gateway users
- flow Show dataplane GlobalProtect gateway tunnel information
- flow-site-to-site Show dataplane GlobalProtect site-to-site gateway tunnel information
- gateway Show list of GlobalProtect gateway configuration
- previous-satellite Show previous GlobalProtect gateway satellites
- previous-user Show previous user session for GlobalProtect gateway users
License
- request license info
Others
- set cli pager off
Activities
Basic
- Review additional PAN-OS examples: https://www.thegeekstuff.com/2019/06/paloalto-cli-security-nat-policy/
- Create a backup of your configuration: https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/9-1/pan-os-admin/firewall-administration/manage-configuration-backups.html
- Read PAN-OS 9.0 Administration guide:
- Read PAN-OS 9.0 New features guide: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features.html such as Rule Changes Archive [3]
- Read PAN-OS Release Notes
- Review PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/cli-cheat-sheets.html
- Read the Palo Alto basics of traffic monitoring filtering: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSlCAK
- Review https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/9-0/pan-os-cli-quick-start/pan-os-cli-quick-start.pdf
- Read https://weberblog.net/cli-commands-for-troubleshooting-palo-alto-firewalls/
Intermediate
- Create an IPSec VPN access in tunnel mode (transport mode not supported): https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK
- Configure MFA: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html
- Configure PAN-OS syslog
- Read PAN-OS Port Scan Triggering method in zone protection profile: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljjCAC
- General overview: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC
- Configure Host Destination NAT: https://www.youtube.com/watch?v=ocnNiNW7jDE&list=PLD6FJ8WNiIqWPjNPk5Oi1TxE7SJnoPr-D#action=share
- Destination Host example: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
- Destination host with port: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-with-port-translation-example.html
- Configure ssh Port forwarding: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMwKCAW
- PAN-OS Packet Capture
Related terms
- Mobile Device Management (MDM)
- HIP
- neq
- less mp-log authd.log
- ansible-galaxy collection install paloaltonetworks.panos
- PAN-OS reports
- External Dynamic List (EDL)
See also
- DMZ, Port knocking, Bastion host, Firewall Software: iptables, ufw, firewalld, nftables, firewall-cmd, ipfw (FreeBSD), PF (OpenBSD), netsh advfirewall, PAN-OS, WAF, pfsense, VyOS, Cisco ASA, DMZ, F5, URL Filtering, port forwarding, macOS application firewall, Windows firewall, Fortigate, ngrok, Network ACL
- PAN-OS (Palo Alto): PAN-OS Releases, show vpn, GlobalProtect, GlobalProtect logs, WildFire, show log, show session all, MDM, match, PAN-OS reports, HIP, Zone
- Cisco IOS, PAN-OS, Junos OS, FortiOS
- Terraform PAN-OS: https://www.terraform.io/docs/providers/panos/index.html
Manual: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin.html
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. Source: https://en.wikiversity.org/wiki/Draft:Firewall/Palo_Alto_PA-Series/PAN-OS