Palo Alto Networks Architecture
The Single-Pass Architecture
The Control Plane and Data Plane
Flow Logic Explained
Single-Pass Parallel Processing™ (SP3) Architecture
Single Pass
• Operations once per packet
- Traffic classification (app identification)
- User/group mapping
- Content scanning – threats, URLs, confidential data
• One policy
Parallel Processing
• Function-specific parallel processing hardware engines
• Separate data/control planes
Control Plane and Data Plane
Control Plane
Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates
Diagram: dual-core CPU, RAM, HDD
Data Plane
Signature Match Processor
• Palo Alto Networks’ uniform signatures
• Multiple memory banks – memory bandwidth scales performance
Diagram: Signature Match Processor with multiple RAM banks
Multi-Core Security Processor
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)
Diagram: CPU1 … CPU16 with RAM; SSL, IPSec and De-Compression engines
Network Processor
• Front-end network processing offloads security processors
• Hardware accelerated QoS, route lookup, MAC lookup and NAT
Diagram: QoS; Route, ARP, MAC lookup; NAT
* Implemented in software on PA-200 and PA-500
** Implemented in software on the PA-200, PA-500, and PA-3020
Flow Logic of the Next-Generation Firewall
Initial Packet Processing
• Source Zone / Address / User-ID
• PBF / Forwarding Lookup
• Destination Zone
• NAT Policy Evaluated
• Security Pre-Policy: Check Allowed Ports
• Session Created
Application
• Check for Encrypted Traffic
• Decryption Policy
• Application Override Policy
• App-ID
Security Policy
• Check Security Policy
• Check Security Profiles
Post Policy Processing
• Re-Encrypt Traffic
• NAT Policy Applied
• Packet Forwarded
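The order of the stages above matters for policy: the port-based pre-policy check runs before App-ID, so a session can be created and only later denied once the application is known. The following is an added example, not Palo Alto Networks code: a simplified Python model that walks a packet through the stages in the order listed (source zone, NAT policy lookup, destination zone, pre-policy port check, session creation, App-ID, security policy). The zone map, destination-NAT table, rulebase, addresses and App-ID names are constructed; the model assumes the destination zone is derived from the post-NAT address, which this deck does not state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    ports: frozenset        # destination ports allowed (pre-policy port check)
    apps: frozenset         # App-IDs allowed once the application is identified

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int

# Constructed zone map: address prefix -> zone name.
ZONES = {"10.30.11.": "trust", "203.0.113.": "untrust", "198.51.100.": "untrust"}

# Constructed destination-NAT table: public address -> internal address.
DNAT = {"203.0.113.10": "10.30.11.80"}

# Constructed rulebase; the first matching rule wins.
RULES = (
    Rule("web-out", "trust", "untrust", frozenset({80, 443}), frozenset({"web-browsing", "ssl"})),
    Rule("ssh-in", "untrust", "trust", frozenset({22}), frozenset({"ssh"})),
)

def zone_of(ip):
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"

def matching_rule(src_zone, dst_zone, port, app=None):
    """Return the first rule matching the zone pair and port. Before App-ID
    (app is None) only the port is checked; afterwards the rule must also
    permit the identified application."""
    for r in RULES:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and port in r.ports:
            if app is None or app in r.apps:
                return r
    return None

def process(pkt, identified_app):
    """Walk one packet through the flow stages in order and return the trace.
    identified_app stands in for the App-ID result (constructed input)."""
    trace = []
    src_zone = zone_of(pkt.src_ip)
    trace.append(("source-zone", src_zone))
    # NAT policy evaluated: translate the destination if a DNAT entry exists.
    post_nat_dst = DNAT.get(pkt.dst_ip, pkt.dst_ip)
    if post_nat_dst != pkt.dst_ip:
        trace.append(("nat-policy", "dnat", post_nat_dst))
    dst_zone = zone_of(post_nat_dst)     # assumption: zone from post-NAT address
    trace.append(("destination-zone", dst_zone))
    # Security pre-policy: port check only, since the application is not yet known.
    if matching_rule(src_zone, dst_zone, pkt.dst_port) is None:
        trace.append(("pre-policy", "drop"))
        return trace
    trace.append(("pre-policy", "session-created"))
    # App-ID identifies the application; security policy is re-checked with it.
    trace.append(("app-id", identified_app))
    rule = matching_rule(src_zone, dst_zone, pkt.dst_port, identified_app)
    if rule is None:
        trace.append(("security-policy", "deny", "implicit-deny"))
    else:
        trace.append(("security-policy", "allow", rule.name))
    return trace

if __name__ == "__main__":
    cases = [
        (Packet("10.30.11.5", "203.0.113.9", 80), "web-browsing"),   # allowed by web-out
        (Packet("10.30.11.5", "203.0.113.9", 80), "ssh"),            # session created, then denied
        (Packet("198.51.100.7", "203.0.113.10", 22), "ssh"),         # DNAT to trust, allowed by ssh-in
    ]
    for pkt, app in cases:
        print(pkt, app, process(pkt, app))
```

The second case is the one worth studying: port 80 passes the pre-policy check, a session is created, and only after App-ID reports ssh does the security policy deny it. This is why a rule should constrain the application, not just the port.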
Configuration and Management
Your Initial Configuration
Initial configurations must be performed over the dedicated out-of-band management interface (MGT) or a Console connection
The device has the following default values:
• MGT interface IP address: 192.168.1.1
• User name: admin
• Password: admin
Initial Configuration - Hardware
Management Port
Configuring the MGT interface - CLI
Last login: Tue September 27 18:38:30 2012 from 192.168.1.4
Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.
admin@PA-500> configure
Entering configuration mode
[edit]
admin@PA-500# set deviceconfig system ip-address 10.30.11.1 netmask 255.255.255.0 default-gateway 10.30.11.254 dns-setting servers primary 172.16.20.230
admin@PA-500# commit
....10%....20%....30%....40%....50%....60%....70%....80%....90%....100%
Configuration committed successfully
[edit]
admin@PA-500#
Diagram: MGT interface 10.30.11.1 on 10.30.11.0/24, default gateway 10.30.11.254 toward the Internet, DNS server 172.16.20.230
Configuring the MGT interface - GUI
Device > Management
Administrative Controls
Navigating the GUI
• Functional Category Tabs
• Display Tasks List
• Language Preference Setting
• GUI error prompts
Application Command Center (ACC) Tab
• Displays highest counts for specific monitoring categories: Application, URL Filtering, Threat, Data Filtering
• Shows counts for top addresses, countries, zones, and rules
• Used to create dynamic reports (Filter, Sort)
• Links to log information
- Click an icon to jump to the corresponding log in the Monitor tab
- Filters set in the ACC will be applied to the log after the jump
Monitor tab - Logs
Policies generate information that is added to log databases
Monitor > Traffic
CLI Modes
The CLI has two functional modes: Operational and Configuration
Operational Mode
• Default mode when you first log in
• Represented by the > prompt on the interface
• Involves actions which are executed immediately
• Actions do not require a commit operation
Configuration Mode
• Issue the configure command to transition from Operational to Configuration mode
• Represented by the # prompt on the interface
• Changes will be stored in firewall memory until a commit operation is run
CLI Tools
• Commands and options must be typed completely
• The Tab key and Space bar will auto-complete
• Most output can be piped through a match or except filter to limit results
Online help: ? or Tab key
• Online help will provide a list of available options
• If no output is given, the preceding option is invalid
Standard help messages include:
* This option is required
> Additional nested options for this command
+ Additional command options can be added to this command
| Pipe command output through match or except filter
<Enter> Command can be executed without further options
Find Command Overview
It may be difficult to remember op commands or configuration hierarchies
The Find command helps administrators locate keywords for operational commands within the command hierarchy
Works for all admin roles though output is limited to the allowed commands
All command combinations are pre-generated to provide a better user experience
CLI Find Command with Keyword
Find commands in CLI (with or without quotes)
admin@PA-500> find command ?
+ keyword  CLI keyword
<Enter>    Finish input
admin@PA-500> find command keyword fpga
debug device-server set config <basic|tdb|fpga|all>
debug device-server unset config <basic|tdb|fpga|all>
debug dataplane fpga set sw_aho <yes|no>
debug dataplane fpga set sw_dfa <yes|no>
debug dataplane fpga set sw_dlp <yes|no>
debug dataplane fpga state
Find configurations in configure mode
admin@PA-500# find command keyword "tcp asymmetric-path"
set deviceconfig setting tcp asymmetric-path <drop|bypass><global|drop|bypass>
CLI Find Command w/o Keyword
Find commands without keyword will display all commands
admin@PA-500> find command
target set <value>
target show
schedule uar-report user <value> user-group <value> skip-detailed-browsing <yes|no> title <value> period <value> start-time <value> end-time <value> vsys <value>
schedule botnet-report period <last-calendar-day|last-24-hrs> topn <1-500> query <value>
clear arp <value>|<all>
clear neighbor <value>|<all>
clear mac <value>|<all>
clear job id <0-4294967295>
clear query id <0-4294967295>
clear query all-by-session
clear report id <0-4294967295>
clear report all-by-session
[...]
PAN-OS REST API
Allows an external system to execute commands remotely on a PAN firewall or a Panorama server
Used to:
• Read/Write firewall Configuration commands
• Import dynamic and software updates
• Export firewall information (e.g. configuration, certificates, logs)
• Extract data in XML format for use in other report writing systems
• Execute Operational commands
Diagram: External System <-> firewall over the REST API (SSL), exchanging Device Config / Report data
API Browser
API browser shows the XML and API formatted versions of selected CLI commands
https://hostname/api
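The slide above only names the endpoint, https://hostname/api, and says that data comes back as XML. The following is an added example in Python, not Palo Alto Networks code or tooling: it builds two requests against that endpoint and parses the XML responses an external system would have to handle. It assumes the PAN-OS XML API request types keygen (obtain an API key) and op (run an operational command, passed as XML), and that the key may be sent in an X-PAN-KEY request header; the hostname, credentials and every sample response are constructed, and nothing is sent to a real device unless you call fetch().

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

def keygen_url(host, user, password):
    # Assumed API shape: type=keygen with user and password returns an API key.
    q = urllib.parse.urlencode({"type": "keygen", "user": user, "password": password})
    return f"https://{host}/api/?{q}"

def op_url(host, cmd_xml):
    # Assumed API shape: type=op with the operational command expressed as XML.
    q = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml})
    return f"https://{host}/api/?{q}"

def fetch(url, api_key, timeout=10):
    """Perform the request over TLS; the default SSL context verifies the
    server certificate, so a self-signed MGT certificate must be trusted
    explicitly rather than by disabling verification."""
    req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def response_error(xml_text):
    """Return the API error message if the response status is not success, else None."""
    root = ET.fromstring(xml_text)
    if root.get("status") == "success":
        return None
    return root.findtext(".//msg") or root.findtext(".//line") or "unknown error"

def parse_result(xml_text):
    """Return the <result> element of a successful response; raise on an API error."""
    err = response_error(xml_text)
    if err is not None:
        raise RuntimeError(f"API error: {err}")
    return ET.fromstring(xml_text).find("result")

def extract_key(keygen_xml):
    return parse_result(keygen_xml).findtext("key")

def system_info(op_xml):
    """Flatten the <system> block of a 'show system info' response into a dict."""
    system = parse_result(op_xml).find("system")
    return {child.tag: (child.text or "").strip() for child in system}

# Constructed sample responses (shapes assumed; values are placeholders).
SAMPLE_KEYGEN = '<response status="success"><result><key>EXAMPLE-KEY-NOT-REAL</key></result></response>'
SAMPLE_SYSINFO = """<response status="success"><result><system>
<hostname>PA-500</hostname>
<ip-address>10.30.11.1</ip-address>
<sw-version>PLACEHOLDER-VERSION</sw-version>
</system></result></response>"""
SAMPLE_ERROR = '<response status="error" code="403"><result><msg>Invalid credentials.</msg></result></response>'

if __name__ == "__main__":
    print(keygen_url("fw.example.net", "admin", "not-the-real-password"))
    print(op_url("fw.example.net", "<show><system><info></info></system></show>"))
    print("key:", extract_key(SAMPLE_KEYGEN))
    print("system info:", system_info(SAMPLE_SYSINFO))
    print("error handling:", response_error(SAMPLE_ERROR))
```

Two practical points follow from the code: keygen_url places the administrator's credentials in the query string, where web-server and proxy logs may record them, so in a real integration submit them in a POST body and store only the resulting key; and every response should go through response_error before anything is parsed, because a failed call still returns well-formed XML.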