PAN-OS
PAN-OS is the software that runs on Palo Alto Networks firewalls,[1] providing firewall capabilities, QoS, URL filtering, packet inspection and threat prevention (WildFire).
- Threat prevention (WildFire). Features: https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-90.html
- PAN-OS daemons: RASMGR, SSLMGR, SATD, IDE, Route and IKE
- PAN-OS authentication methods: Kerberos, RADIUS, LDAP, SAML 2.0, client certificates, biometric sign-in, and a local user database
PAN-OS CLI
configure
commit
show
show system info
show system state
show system disk-space files
less mp-log authd.log
show routing route
show running nat-policy
(See also: https://en.wikiversity.org/wiki/Cisco_Networking/CCENT/Network_Services#NAT_Configuration)
show running security-policy
show jobs id x
edit rulebase security
edit rulebase nat
PVST+ commands
Troubleshooting
ping host <destination-ip-address>
ping source <ip-address-on-dataplane> host <destination-ip-address>
show netstat statistics yes
show log-collector preference-list
show logging-status device <firewall-serial-number>
Logs
show wildfire wf-vm-pe-utilization
show wildfire wf-vm-doc-utilization
show wildfire wf-vm-elinkda-utilization
show wildfire wf-vm-archive-utilization
show wildfire global sample-device-lookup sha256 equal <SHA_256>
show wildfire local sample-processed {time [last-12-hrs | last-15-minutes | last-1-hr | last-24-hrs | last-30-days | last-7-days | last-calender-day | last-calender-month] count <number_of_samples>}
Rules
set rulebase security rules YOUR_RULE_NAME from Untrust to Trust source any destination any application any service any action allow
move rulebase security rules YOUR_RULE_NAME top
move rulebase security rules YOUR_RULE_NAME before YOUR_OTHER_RULE_NAME
delete rulebase security rules YOUR_RULE_NAME
NAT (valid positions for move: top, bottom, before, after)
set rulebase nat rules YOUR_RULE_NAME source-translation dynamic-ip-and-port interface-address interface ethernet1/2
move rulebase nat rules YOUR_RULE_NAME top
delete rulebase nat rules YOUR_RULE_NAME
Manage Configuration Backups
The candidate configuration is a copy of the running configuration plus any inactive changes that you made after the last commit. Backing up versions of the running or candidate configuration enables you to later restore those versions on the firewall.
Back Up a Configuration
Creating configuration backups enables you to later Restore a Configuration. This is useful when you want to revert the firewall to all the settings of an earlier configuration because you can perform the restoration as a single operation instead of manually reconfiguring each setting in the current configuration.
Note: When you edit a setting and click OK, the firewall updates the candidate configuration but does not save a backup snapshot.
STEP 1
Save a local backup snapshot of the candidate configuration if it contains changes that you want to preserve in the event the firewall reboots. These are changes you are not ready to commit—for example, changes you cannot finish in the current login session.
Perform one of the following tasks based on whether you want to overwrite the default snapshot (.snapshot.xml) or create a snapshot with a custom name:
1. Overwrite the default snapshot—Click Save at the top of the web interface.
2. Create a custom-named snapshot:
- Select Device > Setup > Operations and Save named configuration snapshot.
- Enter a Name for the snapshot or select an existing snapshot to overwrite.
- Click OK and Close.
STEP 2
Export a candidate configuration, a running configuration, or the firewall state information to a host external to the firewall.
Select Device > Setup > Operations and click an export option:
Export named configuration snapshot: Export the current running configuration, a named candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the Name you specify.
Export configuration version: Select a Version of the running configuration to export as an XML file. The firewall creates a version whenever you commit configuration changes.
Export device state: Export the firewall state information as a bundle. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.
Restore a Configuration
This is useful when you want to revert all firewall settings used in an earlier configuration; you can perform this restoration as a single operation instead of manually reconfiguring each setting in the current configuration.
The firewall automatically saves a new version of the running configuration whenever you commit changes and you can restore any of those versions. However, you must manually save a candidate configuration to later restore it.
1. Restore the current running configuration. This operation undoes all the changes you made to the candidate configuration since the last commit.
- Select Device > Setup > Operations and Revert to running configuration.
- Click Yes to confirm the operation.
2. Restore the default snapshot of the candidate configuration. This is the snapshot that you create or overwrite when you click Save at the top right of the web interface.
- Select Device > Setup > Operations and Revert to last saved configuration.
- Click Yes to confirm the operation.
- (Optional) Click Commit to overwrite the running configuration with the snapshot.
3. Restore a previous version of the running configuration that is stored on the firewall. The firewall creates a version whenever you commit configuration changes.
- Select Device > Setup > Operations and Load configuration version.
- Select a configuration Version and click OK.
- (Optional) Click Commit to overwrite the running configuration with the version you just restored.
4. Restore one of the following: the current running configuration (named running-config.xml), a custom-named version of the running configuration that you previously imported, or a custom-named candidate configuration snapshot (instead of the default snapshot).
- Select Device > Setup > Operations and click Load named configuration snapshot.
- Select the snapshot Name and click OK.
- (Optional) Click Commit to overwrite the running configuration with the snapshot.
5. Restore a running or candidate configuration that you previously exported to an external host.
- Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the configuration file on the external host, and click OK.
- Click Load named configuration snapshot, select the Name of the configuration file you just imported, and click OK.
- (Optional) Click Commit to overwrite the running configuration with the snapshot you just imported.
6. Restore state information that you exported from a firewall. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle. Import state information:
- Select Device > Setup > Operations, click Import device state, Browse to the state bundle, and click OK.
- (Optional) Click Commit to apply the imported state information to the running configuration.
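The configuration exported above (Export named configuration snapshot) is XML whose element layout follows the CLI path "rulebase security rules". The following added example, not from this page or from Palo Alto Networks, parses a constructed snapshot and flags allow rules that match any source, destination, application and service (like the sample rule in the Rules section), together with their position in the rulebase; the sample XML is constructed for the example, not a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an exported PAN-OS configuration (assumed
# layout mirroring the "set rulebase security rules ..." hierarchy; not a real export).
SAMPLE_CONFIG = """<config version="9.0.0">
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="Allow-Untrust-Any">
    <from><member>Untrust</member></from><to><member>Trust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="Allow-Web-Out">
    <from><member>Trust</member></from><to><member>Untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="Deny-All">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

def members(entry, field):
    """Return the <member> values of one rule field, e.g. ['Untrust']."""
    return [m.text.strip() for m in entry.findall(f"{field}/member")]

def security_rules(config_xml):
    """Return the security rule entries in rulebase (evaluation) order."""
    return ET.fromstring(config_xml).findall(".//rulebase/security/rules/entry")

def audit_security_rules(config_xml):
    """Return (position, name, 'from->to') for every allow rule whose source,
    destination, application and service are all 'any'. Position is the 1-based
    evaluation order that 'move rulebase security rules ... top' changes; such a
    rule placed high in the rulebase shadows every rule below it."""
    findings = []
    for position, rule in enumerate(security_rules(config_xml), start=1):
        wide_open = all(members(rule, f) == ["any"]
                        for f in ("source", "destination", "application", "service"))
        if wide_open and rule.findtext("action") == "allow":
            zones = ",".join(members(rule, "from")) + "->" + ",".join(members(rule, "to"))
            findings.append((position, rule.get("name"), zones))
    return findings
```

Run audit_security_rules on the XML you exported to an external host to see which allow rules give blanket access and how early in the rulebase they sit.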
Activities
Basic
- Review additional PAN-OS examples: https://www.thegeekstuff.com/2019/06/paloalto-cli-security-nat-policy/
- Create a backup of your configuration: https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/9-0/pan-os-admin/firewall-administration/manage-configuration-backups.html
- Read PAN-OS 9.0 Administration guide:
- Read the PAN-OS 9.0 New Features guide (for example, Rule Changes Archive [2]): https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features.html
- Read PAN-OS Release Notes
- Review PAN-OS CLI Quick Start: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/cli-cheat-sheets.html
- Read the Palo Alto Networks basics of traffic monitoring filtering: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSlCAK
Intermediate
- Create an IPSec VPN in tunnel mode (transport mode is not supported): https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK
- Configure MFA: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html
- Configure syslog monitoring: https://www.manageengine.com/products/firewall/help/configure-paloalto-firewalls.html
See also
- DMZ, Port knocking, Bastion host, Firewall software: iptables, ufw, firewalld, nftables, firewall-cmd, ipfw (FreeBSD), PF (OpenBSD), netsh advfirewall, PAN-OS, WAF, pfSense, VyOS, Cisco ASA, DMZ, F5, URL Filtering, port forwarding, macOS application firewall, Windows firewall, FortiGate, ngrok, Network ACL
- PAN-OS (Palo Alto): PAN-OS Releases, show vpn, GlobalProtect, GlobalProtect logs, WildFire, show log, show session all, MDM, match, PAN-OS reports, HIP, Zone
- Cisco IOS, PAN-OS, Junos OS, FortiOS
- Terraform PAN-OS: https://www.terraform.io/docs/providers/panos/index.html
Manual: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin.html
Draft. Text is available under the Creative Commons Attribution-ShareAlike License. Source: https://en.wikiversity.org/wiki/Draft:Firewall/Palo_Alto_PA-Series/PAN-OS