
Palo Alto Networks PSE Exam Preparation Guide
(2015, Palo Alto Networks. Confidential and Proprietary.)

Focus areas
- Next Generation Security Platform
- Attack Lifecycle
- Single Pass Parallel Processing Architecture
- Datasheets
- App-ID
- Security Policies
- Content-ID: Security Profiles (Threat Prevention)
- Automated Correlation Engine
- Decryption
- User-ID
- WildFire / Threat Intelligence Cloud
- High Availability
- Panorama
- Traps
- AutoFocus
- Aperture
- SLR
- Migration Tool

Delivering the Next Generation Security Platform
The platform is natively integrated, extensible and automated. It has three parts: the Next-Generation Firewall (network), Advanced Endpoint Protection (endpoint) and the Threat Intelligence Cloud (cloud).

Preventing attacks at every stage of the attack lifecycle
The lifecycle stages are: 1. Breach the perimeter, 2. Deliver the malware, 3. Lateral movement, 4. Exfiltrate data. The platform's controls are mapped onto those stages as follows (listed in the slide's order, perimeter breach first, exfiltration last):
- URL Filtering: prevent use of social engineering; block known malicious URLs and IP addresses.
- Next-Generation Firewall / GlobalProtect: visibility into all traffic, including SSL; enable business-critical applications; block high-risk applications; block commonly exploited file types.
- Threat Prevention: block known exploits, malware and inbound command-and-control communications.
- WildFire: send specific incoming files and email links from the internet to a public or private cloud for inspection; detect unknown threats; automatically deliver protections globally.
- Next-Generation Firewall / GlobalProtect: establish secure zones with strictly enforced access control; provide ongoing monitoring and inspection of all traffic between zones.
- Threat Prevention: block outbound command-and-control communications; block file and data pattern uploads; DNS monitoring and sinkholing.
- Traps / WildFire: block known and unknown vulnerability exploits; block known and unknown malware; provide detailed forensics on attacks.
- URL Filtering: block outbound communication to known malicious URLs and IP addresses.
- WildFire: detect unknown threats pervasively throughout the network.

Multi-Pass Architecture: today's problem
Legacy devices run each security function (firewall, IPS, anti-virus, URL filtering) as a separate pass over the same traffic, so latency and operational effort grow with every feature that is enabled.

Single Pass Architecture: Palo Alto Networks
Traffic is classified once (application, user and content) and all policy is applied in that single pass, with the work spread over parallel processing hardware. This is the Single Pass Parallel Processing (SP3) architecture referred to in the packet flow section.

Datasheet: Hardware. Datasheet: VM-Series.

PA-7050 technical details
- 9U chassis, 8 slots, hot-swap cards
- 2+2 redundant power (AC or DC) standard; redundant cooling
- 6 x Network Processing Cards, each with 2 x 32-core dataplane CPUs. Interface option 1: 4 x 10Gig SFP+, 8 x SFP, 12 x 10/100/1000. Option 2: 2 x 40Gig QSFP+, 12 x 10Gig SFP+
- 1 x Switch / Management Card: high-speed switch fabric, high-performance management CPU, dedicated 2 x 1Gbps and 2 x 40Gbps interfaces for HA, First Packet Processor (FPP)
- 1 x Log Processing Card: high-speed x86 + MIPS processors, 4 x 1TB HDD giving 2TB in RAID 1

PA-7080 technical details
- 19U chassis, 12 slots, hot-swap cards
- 2+2 redundant power (AC or DC) standard; redundant cooling
- 10 x Network Processing Cards, each with 2 x 32-core dataplane CPUs and the same two interface options as the PA-7050
- 1 x Switch / Management Card: high-speed switch fabric, high-performance management CPU, dedicated 2 x 1Gbps and 2 x 40Gbps interfaces for HA, First Packet Processor (FPP)
- 1 x Log Processing Card: high-speed x86 + MIPS processors, 4 x 1TB HDD giving 2TB in RAID 1

PA appliances: PA-5000 Series

  Model    Firewall  Threat prevention  IPSec VPN  SSL VPN users  Sessions   VSYS (max)  Interfaces
  PA-5020  5 Gbps    2 Gbps             2 Gbps     5,000          1,000,000  20          (8) SFP 1 Gig, (12) 10/100/1000
  PA-5050  10 Gbps   5 Gbps             4 Gbps     10,000         2,000,000  125         (4) SFP+ 10 Gig, (8) SFP 1 Gig, (12) 10/100/1000
  PA-5060  20 Gbps   10 Gbps            4 Gbps     20,000         4,000,000  225         (4) SFP+ 10 Gig, (8) SFP 1 Gig, (12) 10/100/1000

Common to the series: hot-swappable fans and power supplies, dual solid-state drives, dedicated HA and management interfaces, 2U standard rack-mount form factor.

Application Identification (App-ID)
App-ID is the ability to identify applications and application functions. It uses several methods, in order, to determine what is actually running in a session:
- Protocol decoders
- Protocol decryption
- Application signatures
- Heuristics, used when the methods above cannot identify the application. This is how applications with proprietary encryption such as BitTorrent and Ultrasurf are identified.

App-ID still works when:
- the application runs on a port other than the expected one;
- the application is carried inside an SSL tunnel (the firewall can forward-proxy the SSL connection) or uses SSHv2;
- the application goes through an HTTP proxy.

Application Groups and Application Filters
- Application Groups are static: applications are added and maintained manually by firewall administrators.
- Application Filters are dynamic: applications are selected by traits such as risk, subcategory, technology, characteristic, etc.

Security Policy Operation
- All traffic flowing from one security zone to another requires a policy rule that allows it.
- The rule list is evaluated from the top down.
- The first rule that matches the traffic is used; no further rules are evaluated after the match.
- When configuring a security policy rule to allow an application through the firewall, set the Service field to "application-default". That restricts the application to its standard ports only (for example, DNS is restricted to port 53).
- Note that intra-zone traffic is allowed by default. If you add a rule at the end of the list that denies (and logs) all traffic, that rule also blocks intra-zone traffic, which may not be your intention.

Security Policy Dependencies

Creating Security Policy Rules: Action settings
When the action is set to "drop" or "reset", you may also send an ICMP unreachable message.

Monitoring logs: Traffic
- All sessions are logged at session close and written to the traffic log.
- The traffic log is viewed under Monitor > Logs > Traffic.
- The application that was detected is shown in the log.
- Filters can be created using a syntax similar to Wireshark's; for example, a filter can select all traffic between two specific hosts.

Packet Capture
On the CLI, create packet filters, turn them on, and verify the setting:
  debug dataplane packet-diag set filter match source <source-ip> destination <destination-ip>
  debug dataplane packet-diag set filter on
  debug dataplane packet-diag show setting
Captures can also be configured on the Web UI.

Log Forwarding
The logs on the firewall can be forwarded to multiple locations. When a log message is generated it can be forwarded immediately to:
- a syslog server
- an SNMP manager
- email
- Panorama
The destination for log messages is configured via a Log Forwarding Profile.

Unknown Applications
Scenario: a network has a particular application that runs on a specific port, yet the Palo Alto Networks firewall identifies it as "unknown-tcp" or "unknown-udp". To have the firewall identify this application you need three things:
1. Create a new application.
2. Create an application override policy.
3. Make sure there is a security policy rule that permits the traffic.

Steps to define a new application
1. Objects > Applications, click New. Specify the application name and properties. On the Advanced tab, enter the port number that uniquely identifies the application. Nothing else is required; click OK.
2. Policies > Application Override > Add Rule. Specify the port number and configure the application to be the one you just created.
3. Policies > Security > Add Rule. Configure source zone, destination zone, source address, destination address and source user as appropriate. Select the new application in the Application column. For Service, select "application-default". Select the action you want (permit or deny).
4. Commit.
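The following Python model, added here as an example and not Palo Alto Networks code, walks a few constructed flows through the evaluation order this guide describes: an application override rule is consulted first (it names the application without the signature-match engine, so no Content-ID can be applied), then the security rulebase is evaluated top-down with the first match winning, "application-default" restricts an application to its standard ports, and intra-zone traffic is implicitly allowed unless a trailing deny-all rule removes that default. Zone names, rule names, the standard-port table and the custom application's port (tcp/4000) are assumptions.

```python
"""Added example (not Palo Alto Networks code) of the evaluation order in
this guide.  Zone names, rule names, the standard-port table and the
custom application's port are assumptions for illustration."""
from dataclasses import dataclass

# Assumed standard ports: what "application-default" means per application.
APPLICATION_DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)},
    "web-browsing": {("tcp", 80)},
    "custom-erp": {("tcp", 4000)},   # administrator-defined app (assumed port)
}

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    app_id_result: str      # what the App-ID engine would report

@dataclass
class OverrideRule:
    from_zone: str
    to_zone: str
    proto: str
    port: int
    app: str

@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    app: str                # application name or "any"
    service: str            # "application-default", "any" or "<proto>/<port>"
    action: str             # "allow" or "deny"

def identify_application(flow, overrides):
    """Step 1: application override is checked before the security policy.
    A match assigns the application without the signature-match engine, so
    Content-ID (security profiles) cannot be applied to that traffic."""
    for o in overrides:
        if (o.from_zone in ("any", flow.src_zone) and o.to_zone in ("any", flow.dst_zone)
                and o.proto == flow.proto and o.port == flow.dport):
            return o.app, False
    return flow.app_id_result, True     # regular App-ID; content inspection possible

def service_matches(service, flow, app):
    if service == "any":
        return True
    if service == "application-default":
        return (flow.proto, flow.dport) in APPLICATION_DEFAULT_PORTS.get(app, set())
    proto, port = service.split("/")
    return flow.proto == proto and flow.dport == int(port)

def evaluate_security_policy(rules, flow, app):
    """Step 2: top-down, first match wins, nothing after the match is
    evaluated.  With no match the implicit rules apply: intra-zone traffic
    is allowed, inter-zone traffic is denied."""
    for r in rules:
        if (r.from_zone in ("any", flow.src_zone) and r.to_zone in ("any", flow.dst_zone)
                and r.app in ("any", app) and service_matches(r.service, flow, app)):
            return r.action, r.name
    if flow.src_zone == flow.dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"

def process(flow, overrides, rules):
    """Return (action, matched rule, application, content_inspected)."""
    app, inspected = identify_application(flow, overrides)
    action, name = evaluate_security_policy(rules, flow, app)
    return action, name, app, inspected

# Constructed rulebase.
OVERRIDES = [OverrideRule("trust", "dmz", "tcp", 4000, "custom-erp")]
RULES = [
    SecurityRule("allow-dns", "trust", "untrust", "dns", "application-default", "allow"),
    SecurityRule("allow-erp", "trust", "dmz", "custom-erp", "application-default", "allow"),
]
DENY_ALL = SecurityRule("deny-all", "any", "any", "any", "any", "deny")

if __name__ == "__main__":
    flows = [
        Flow("trust", "untrust", "udp", 53, "dns"),
        Flow("trust", "untrust", "tcp", 8053, "dns"),       # DNS on a non-standard port
        Flow("trust", "dmz", "tcp", 4000, "unknown-tcp"),   # named by the override rule
        Flow("trust", "trust", "tcp", 80, "web-browsing"),  # intra-zone
    ]
    for f in flows:
        print(f, "->", process(f, OVERRIDES, RULES),
              "| with trailing deny-all:", process(f, OVERRIDES, RULES + [DENY_ALL])[:2])
```

The second flow shows what "application-default" buys you: DNS on tcp/8053 matches no allow rule and falls to the inter-zone default deny. The third flow is the unknown-application procedure above: the override names the traffic "custom-erp" so the security rule can match it, but content_inspected is False because the signature-match engine was bypassed. The last flow is allowed by the intra-zone default until the deny-all rule is appended.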

More on Unknown Applications
Application override policies are checked before security policies. The override policy is used in place of the App-ID engine to identify the traffic. Security profiles CANNOT be assigned to application override policies: override policies bypass the signature-match engine entirely, which also removes the option of performing Content-ID on that traffic. For that reason, application override should be used for internal traffic only. The solution above is a short-term one. If the application is one that other companies also use, the recommended approach is for the customer to submit pcaps of the application to Palo Alto Networks Support so that engineering can create a signature for it.

Security Profiles
- Security policies define which applications are allowed.
- Security profiles look for malicious use of allowed applications.
- Profiles are applied to policy rules that allow traffic.

Using Security Profiles
Anti-Virus Profiles
A decoder is a software process on the firewall that interprets a protocol. In the antivirus and anti-spyware security profiles you can specify actions per decoder for the six main decoders in the system (FTP, HTTP, IMAP, POP3, SMB and SMTP).
Email Protocols and AV/Spyware Protection
Configuring Exceptions

Vulnerability Protection
- Provides IPS functionality.
- Detects attempts to use known exploits on the network.

Vulnerability Protection: DNS Sinkholing
DNS sinkholing helps you identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the query). In a typical deployment the firewall is north of the local DNS server, so the threat log identifies the local DNS resolver as the source of the traffic rather than the actual infected host.
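A small simulation, added as an example and not Palo Alto Networks code, of why sinkholing solves the attribution problem just described. All addresses, the malicious domain and the sinkhole address are constructed; the sinkhole address is assumed to be routed so that the firewall sees the victim's connection to it.

```python
"""Added example (not Palo Alto Networks code): why DNS sinkholing reveals
the infected host when the firewall is north of the local resolver.  All
addresses, the malicious domain and the sinkhole address are constructed."""
from dataclasses import dataclass, field

RESOLVER_IP = "10.0.0.53"            # internal DNS server, south of the firewall
INFECTED_CLIENT = "10.0.0.25"
REAL_C2_IP = "198.51.100.7"
SINKHOLE_IP = "203.0.113.1"          # assumed to be routed through the firewall
MALICIOUS_DOMAIN = "c2.bad.example"  # assumed to match a DNS signature

@dataclass
class Firewall:
    sinkhole: bool
    threat_log: list = field(default_factory=list)
    traffic_log: list = field(default_factory=list)

    def inspect_dns(self, src_ip, qname, answer_ip):
        """Inspect the resolver's upstream query.  The firewall only sees
        the resolver's address as the source, never the real client."""
        if qname != MALICIOUS_DOMAIN:
            return answer_ip
        self.threat_log.append({"src": src_ip, "qname": qname,
                                "action": "sinkhole" if self.sinkhole else "alert"})
        # Sinkholing rewrites the answer so the victim connects to an
        # address the firewall can attribute to it.
        return SINKHOLE_IP if self.sinkhole else answer_ip

    def forward(self, src_ip, dst_ip):
        """Any later session crossing the firewall lands in the traffic log."""
        self.traffic_log.append({"src": src_ip, "dst": dst_ip})

def resolve_through_resolver(fw, qname):
    """The client asks the local resolver; the resolver (not the client)
    sends the upstream query through the firewall and relays the answer."""
    return fw.inspect_dns(RESOLVER_IP, qname, REAL_C2_IP)

def infected_hosts(fw):
    """Real victims: sources of sessions whose destination is the sinkhole."""
    return sorted({e["src"] for e in fw.traffic_log if e["dst"] == SINKHOLE_IP})

def simulate(sinkhole):
    """Return (source seen in the threat log, hosts identified as infected)."""
    fw = Firewall(sinkhole=sinkhole)
    answer = resolve_through_resolver(fw, MALICIOUS_DOMAIN)
    fw.forward(INFECTED_CLIENT, answer)   # the client connects to whatever it was told
    return fw.threat_log[0]["src"], infected_hosts(fw)

if __name__ == "__main__":
    print("without sinkhole:", simulate(False))   # threat log blames the resolver
    print("with sinkhole:   ", simulate(True))    # traffic log names the real client
```

In both runs the threat log blames the resolver, because that is the only source address the firewall ever sees on the DNS query. Only with sinkholing does the victim's follow-on connection go to an address that can be filtered for in the traffic log, which is what turns "something behind the resolver is infected" into a host name.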

URL Filtering Profile
- Actions can be defined for each category.
- The notification page shown to the user can be customized.
- The Allow List and Block List accept wildcards. A wildcard entry matches hosts under the domain but not the domain itself, so to cover all servers in a domain two entries must be created: <domain> and *.<domain>.

URL Filtering Actions
- Allow: traffic is passed; no log is generated.
- Block: traffic is blocked; a block log is generated.
- Alert: traffic is allowed and a log entry is generated.
- Continue: the user is warned that the site is questionable and a block-continue log is generated. If the user clicks through, the traffic is allowed and a continue log is generated.
- Override: traffic is blocked and the user is offered the chance to enter an override password; a block-override log is generated. If the user enters the password, the traffic is allowed and an override log is generated.

Misc. URL Filtering Topics
The order in which a URL Filtering profile is checked:
- Block List
- Allow List
- Custom URL Categories
- DP (dataplane) URL cache
- MP (management plane) URL cache
To determine the category of a URL from the CLI: test url <url>
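An added Python model, not Palo Alto Networks code, of the lookup order and the action table above, run against a constructed profile. Hostnames, category names and the cache contents are invented for illustration, and wildcard handling is simplified to "*.<domain>" matching any host under that domain.

```python
"""Added example (not Palo Alto Networks code) of the URL filtering lookup
order and action table in this guide.  Hostnames, categories and cache
contents are constructed; wildcard matching is simplified."""

CHECK_ORDER = ("block-list", "allow-list", "custom-categories", "dp-url-cache", "mp-url-cache")

def entry_matches(entry, host):
    """'*.domain' matches any host under the domain but not the domain
    itself, which is why covering a whole domain takes two entries."""
    if entry.startswith("*."):
        return host.endswith(entry[1:])      # entry[1:] keeps the leading dot
    return host == entry

class UrlProfile:
    def __init__(self, block_list, allow_list, custom_categories, category_actions,
                 dp_cache, mp_cache):
        self.block_list = block_list
        self.allow_list = allow_list
        self.custom_categories = custom_categories    # name -> list of entries
        self.category_actions = category_actions      # category -> action
        self.dp_cache = dp_cache                      # host -> category (dataplane)
        self.mp_cache = mp_cache                      # host -> category (management plane)

    def lookup(self, host):
        """Return (source consulted, category, action), stopping at the first hit."""
        if any(entry_matches(e, host) for e in self.block_list):
            return "block-list", None, "block"
        if any(entry_matches(e, host) for e in self.allow_list):
            return "allow-list", None, "allow"
        for name, entries in self.custom_categories.items():
            if any(entry_matches(e, host) for e in entries):
                return "custom-categories", name, self.category_actions[name]
        for source, cache in (("dp-url-cache", self.dp_cache), ("mp-url-cache", self.mp_cache)):
            if host in cache:
                return source, cache[host], self.category_actions[cache[host]]
        return None, "unknown", self.category_actions["unknown"]

def apply_action(action, clicked_continue=False, password_ok=False):
    """Map a profile action to (verdict, log entry) as in the guide's table."""
    table = {
        "allow": ("allowed", None),
        "alert": ("allowed", "alert"),
        "block": ("blocked", "block"),
        "continue": ("allowed", "continue") if clicked_continue else ("blocked", "block-continue"),
        "override": ("allowed", "override") if password_ok else ("blocked", "block-override"),
    }
    return table[action]

# Constructed profile.
PROFILE = UrlProfile(
    block_list=["*.badsite.example", "forbidden.intranet.example"],
    allow_list=["intranet.example", "*.intranet.example"],
    custom_categories={"partner-sites": ["*.partner.example"]},
    category_actions={"partner-sites": "alert", "social-networking": "continue",
                      "malware": "block", "unknown": "alert"},
    dp_cache={"www.social.example": "social-networking"},
    mp_cache={"evil.example": "malware"},
)

if __name__ == "__main__":
    for host in ("www.badsite.example", "badsite.example", "forbidden.intranet.example",
                 "docs.partner.example", "www.social.example", "evil.example"):
        source, category, action = PROFILE.lookup(host)
        print(f"{host:28} {source!s:18} {category!s:18} {action:9} {apply_action(action)}")
```

Two things worth noticing in the output: "badsite.example" is not caught by the "*.badsite.example" block entry (the two-entry rule above), and "forbidden.intranet.example" is blocked even though "*.intranet.example" is on the allow list, because the block list is consulted first.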

Default Block Pages

Signature Update Hierarchy
- Weekly: App-ID updates and "IPS" signatures (vulnerability, anti-spyware).
- Daily: antivirus, botnet support (zone file, dynamic DNS, malware URLs) and DNS signatures.
- Every 15 minutes: WildFire signatures.

Data Filtering Overview
- Scans traffic for potentially sensitive strings of data.
- Data strings are defined by regular expressions; a data pattern must be at least 7 characters long.
- Default strings are defined for Social Security numbers and credit card numbers.
- Each data string is assigned a weight; the alert threshold and the block threshold are compared against the weighted total.

Data Filtering Example
Credit card weight = 1, SSN weight = 2, alert threshold = 4, block threshold = 8. Hits accumulate across a single session, so with these settings four credit card numbers (4 x 1) reach the alert threshold, and eight credit card numbers (8 x 1) or four SSNs (4 x 2) reach the block threshold.
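An added example, not Palo Alto Networks code, implementing the weighted model with the guide's numbers (credit card weight 1, SSN weight 2, alert at 4, block at 8), including the minimum pattern length check. The two regexes are simplified approximations of the built-in patterns and the sample payloads are constructed test data.

```python
"""Added example (not Palo Alto Networks code) of the weighted data
filtering model in this guide.  The two regexes are simplified stand-ins
for the built-in SSN and credit card patterns; payloads are constructed."""
import re

MIN_PATTERN_LENGTH = 7      # a data pattern must be at least 7 characters long

class DataPattern:
    def __init__(self, name, regex, weight):
        if len(regex) < MIN_PATTERN_LENGTH:
            raise ValueError(f"pattern {name!r} is shorter than {MIN_PATTERN_LENGTH} characters")
        self.name, self.weight, self.regex = name, weight, re.compile(regex)

# Constructed patterns with the guide's example weights.
PATTERNS = [
    DataPattern("credit-card", r"\b(?:\d{4}[- ]){3}\d{4}\b", weight=1),
    DataPattern("ssn", r"\b\d{3}-\d{2}-\d{4}\b", weight=2),
]

class SessionScanner:
    """Hits accumulate across every payload chunk of a single session; the
    weighted total is compared against the alert and block thresholds."""

    def __init__(self, patterns=PATTERNS, alert_threshold=4, block_threshold=8):
        self.patterns = patterns
        self.alert_threshold = alert_threshold
        self.block_threshold = block_threshold
        self.counts = {p.name: 0 for p in patterns}

    def scan(self, chunk):
        for p in self.patterns:
            self.counts[p.name] += len(p.regex.findall(chunk))
        return self.verdict()

    def score(self):
        return sum(p.weight * self.counts[p.name] for p in self.patterns)

    def verdict(self):
        s = self.score()
        if s >= self.block_threshold:
            return "block"
        if s >= self.alert_threshold:
            return "alert"
        return "allow"

def scan_session(chunks, **thresholds):
    """Scan all chunks of one session; return (weighted score, final verdict)."""
    scanner = SessionScanner(**thresholds)
    verdict = "allow"
    for chunk in chunks:
        verdict = scanner.scan(chunk)
    return scanner.score(), verdict

# Constructed sample data (test numbers, not real accounts).
CC = "4111 1111 1111 1111"
SSN = "078-05-1120"

if __name__ == "__main__":
    print(scan_session([f"cards: {CC} {CC} {CC}"]))   # 3 -> allow
    print(scan_session([f"card {CC}"] * 4))            # 4 -> alert
    print(scan_session([f"{SSN} {CC}"] * 3))           # 3*2 + 3*1 = 9 -> block
    print(scan_session([f"card {CC}"] * 8))            # each chunk scores 1, session 8 -> block
```

The last case is the one the "single session" wording in the guide is about: no individual chunk reaches a threshold, but the session total does, so an attacker cannot dodge the profile by spreading records thinly over one connection.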

File Blocking
The file blocking profile enforces actions on files being uploaded or downloaded. The actions the Palo Alto Networks firewall can take for a file are block, alert and continue. Each action can be applied to uploads, downloads or both, for a specific application or any application, and for a specific file type or any file type.

Disable Server Response Inspection
The vulnerability protection profile by default scans traffic in both directions (client to server and server to client). Most IPSs examine only client-to-server traffic. To examine only client-to-server traffic on the Palo Alto Networks firewall, check "Disable Server Response Inspection" on the security policy rule (Options column).

Zone Protection Profile
- Protects against the most common flood attacks, reconnaissance attacks and other packet-based attacks.
- A profile can be reused to apply the same settings to multiple zones.
- A profile is attached to a zone and enforced on traffic entering that zone (ingress).
- Configured under Network > Network Profiles > Zone Protection.
Zone Protection Types: Network > Network Profiles > Zone Protection.

Automated Correlation Engine
Available on the PA-3000, PA-5000 and PA-7050 platforms and on Panorama. Correlation objects cover external probing, compromised host, vulnerability exploit, C&C and malware URL. Correlation objects are defined and developed by the Palo Alto Networks Threat Research team and are delivered with the weekly dynamic updates to the firewall.

Decryption Policies
- SSL Forward Proxy (outbound SSL decryption): internal user to external server.
- SSL Inbound Inspection: external user to internal server; the firewall holds the internal server's certificate and key.
- SSH Decryption: the firewall proxies the SSH tunnel between user and server.

Outbound SSL inspection by a forward proxy
1. The internal user requests an SSL connection to the external server.
2. The server sends its certificate to the firewall.
3. The firewall signs a copy of the server certificate with its own CA certificate and presents that copy to the client.
4. The client verifies the certificate from the firewall, so the firewall's CA certificate must be trusted by the client.
5. Two separate sessions with two session keys result: Session Key 1 between the internal user and the firewall, Session Key 2 between the firewall and the external server. The firewall decrypts and inspects in between.

User-ID
Palo Alto Networks firewalls support monitoring of the following enterprise services:
- Microsoft Active Directory
- Lightweight Directory Access Protocol (LDAP)
- Novell eDirectory
- Citrix Metaframe Presentation Server or XenApp
- Microsoft Terminal Services
The User Identification (User-ID) feature of the Palo Alto Networks next-generation firewall lets you create policies and perform reporting based on users and groups rather than individual IP addresses.

The different methods of user mapping:
- Server Monitoring
- Client Probing
- Port Mapping
- Syslog
- Captive Portal
- GlobalProtect
- User-ID XML API

User-ID and AD Domains
Single AD domain: port 389 (or 636 for SSL). The firewall connects directly to a domain controller for the list of users and groups.

Any additional domain controllers are used for fault tolerance.
Multidomain AD forest: port 3268 (or 3269 for SSL). A single firewall can communicate with multiple domain controllers in different domains.

WildFire
WildFire relies on two main technologies: a virtual sandbox environment and a malware signature generator.
WildFire verdicts: benign, grayware, malware.

WildFire Advanced File Type Support
In addition to PE files, a subscription allows the firewall to also forward the following advanced file types: APK (WildFire cloud only), PDF, Microsoft Office and Java Applet.

WildFire provides a virtual sandbox environment for Windows PE files. A hash of each file is sent to the WildFire cloud; if no signature exists for it, the file is uploaded. The new signature is made available as part of the next AV update. Files up to 10 MB in size can be manually uploaded to the WildFire portal for inspection.

WildFire Analysis Verdicts
- Benign: files categorized as benign are safe and do not exhibit malicious behavior.
- Grayware: files categorized as grayware do not pose a direct security threat but might display otherwise obtrusive behavior. Grayware can include adware, spyware and browser helper objects (BHOs).
- Malware: files categorized as malware are malicious in intent or nature and can pose a security threat. Malware can include viruses, worms, trojans, remote access tools (RATs), rootkits and botnets.

Threat Intelligence Cloud
The unknown is automatically identified and, through remediation, automatically prevented: 192,000 anti-malware protections per day, 24,000 URL protections per day and 12,000 DNS protections per day, delivered automatically within 15 minutes, with rich forensics and reporting for quick, detailed investigation. The cloud feeds WildFire, Threat Prevention, URL Filtering, and Forensics & Reporting.

Content-based AV protections: Palo Alto Networks auto-generated signatures are based on the file payload rather than on header metadata or a hash, which is very different from hash-based signatures. Hashes are easily mutated and hash-based signatures bypassed; a single Palo Alto Networks AV signature covers multiple variations of the malware file, potentially thousands of mutations, including variants that have not been created or discovered yet.

Encrypted data is analyzed: the Threat Intelligence Cloud receives threat data from all traffic, including traffic sent with encryption (that is, traffic the firewall has decrypted under a decryption policy). This is increasingly important, as nearly 35 percent of all enterprise traffic today is sent and received over SSL.

Identifies mobile threats: the mobile device is a highly popular attack vector, with total infected devices in 2014 estimated at 16 million, Android phones accounting for 50 percent of that total. Threat Intelligence Cloud analysis includes APK files, mobile browsers and links within text messages, and extends its layered protections to all mobile devices.

All data remains private: submissions are secured by an encryption certificate that Palo Alto Networks signs on both sides, keeping all data safe and well guarded.

Professional threat analysis: Palo Alto Networks in-house threat research teams, including Unit 42, analyze data amassed by the Threat Intelligence Cloud to identify and investigate cutting-edge attack methods and malware, and report on unfolding trends within the black-hat space.

Packet Flow
Refer to the Palo Alto Networks document on packet flow in PAN-OS.
- Have a general understanding of how packets are processed by the Palo Alto Networks firewall.
- Determine which of the following is checked first: NAT rules, security rules, PBF rules, App-ID.
- Prior to the session being established, a forward lookup is performed to determine what the post-NAT zone will be.
- The packet flow process is intrinsically tied to the Single Pass Parallel Processing (SP3) hardware architecture of the Palo Alto Networks next-generation firewall.
- Applications are identified once a session has been created on an allowed port.

High Availability: Active/Passive
A 2-unit cluster provides stateful synchronization. HA1 syncs cert
