Implementation of the Palo Alto Networks Firewall
PA-EDU-201 rev b
3/8/10 12:24 PM
Agenda

Day 1
1. Introduction
2. Firewall Deployment
3. Application Control
4. Content Identification
5. User Identification

Day 2
6. SSL Decryption
7. VPN
8. Advanced Deployment Options
9. Management
10. Data Mining

Page 2 | 3.0-a

Introduction
Evasive Applications

(Figure: a port-based firewall. Yahoo Messenger (port 5050, blocked) and a Bittorrent client (port 6681, blocked) fall back to tcp/443 and port 80, which are open; PingFU - Proxy is shown alongside them on the same open ports.)
PA-4000 Series

Model    Firewall   Threat prevention   Sessions    I/O
PA-4060  10 Gbps    5 Gbps              2,000,000   4 XFP (10 Gig), 4 SFP (1 Gig)
PA-4050  10 Gbps    5 Gbps              2,000,000   16 copper gigabit, 8 SFP
PA-4020  2 Gbps     2 Gbps              500,000     16 copper gigabit, 8 SFP
All models: 2 dedicated HA ports

(Figure legend, application classification: Business Application, Media, Instant Messaging, Web Mail)
Hardware Architecture (figure)

Control Plane: dual-core CPU, RAM, HDD
Data Plane:
  Signature matching: flash matching engine with RAM
  Security processors: CPU 1, CPU 2, CPU 3 ... CPU 16, each with RAM; SSL, IPSec, DeCompression
  Network processing: Route, ARP, MAC lookup; QoS; NAT

PA-2000 Series

Model    Firewall   Threat prevention   Sessions   I/O
PA-2050  1 Gbps     500 Mbps            250,000    16 copper gigabit, 4 SFP
PA-2020  500 Mbps   200 Mbps            125,000    12 copper gigabit, 2 SFP
1U rack-mountable chassis
PA-500 Specifications

(Architecture figure)
Control Plane: dual-core CPU, RAM, HDD
Data Plane:
  Signature matching: flash matching engine with RAM
  Security processors: CPU 1, CPU 2, CPU 3, CPU 4, each with RAM; SSL, IPSec
  Network Processor (1 Gbps in, 1 Gbps out): Route, ARP, MAC lookup; NAT
    Front-end network processing offloads security processors
    Hardware accelerated route lookup, MAC lookup and NAT
PA-500 Architecture

Single Pass
  Operations once per packet
    User/group mapping
    Content scanning: threats, URLs, confidential data
  One policy

Parallel Processing
  Function-specific hardware engines
  Separate data/control planes

(Figure: Control Plane and Data Plane blocks; the remaining labels did not survive extraction.)

(Figure: deployment options, Transparent In-Line and Firewall Replacement.)
Firewall Deployment

Agenda
Security Zones
L3 Interface Configuration
Virtual Routers
Security Policy Basics
NAT Policy
Security Zones

(Figure: zones Internet, DMZ, Guests, Data Center and Users around the firewall; the Internet - DMZ boundary is marked.)

Interface    Zone      Address
E 1/2        Internet  161.23.4.56
E 1/11       DMZ       172.16.1.254
E 1/12.10    Users     192.168.10.254
E 1/12.20    Users     192.168.20.254
E 1/12.30    VoIP      192.168.30.254
Layer 3 Interfaces / Virtual Routers

L3 Interfaces are added to Virtual Routers (VR)
The VR contains all routing information
  Static Routes
  Dynamic Routing Protocol configuration

(Figure: PAN Device with Vrouter A. E1/11 12.4.5.77 faces the Internet; E1/9 10.1.1.254 faces the LAN 10.1.1.0; E1/10 192.168.100.254 faces the DMZ 192.168.100.0.)
Configure L3 Interface

Fields on the interface dialog: Interface Type; Select Interface; IP Address Range; Virtual Router; IP Address; Zone; Lease Options
Policy Objects

Address Objects: networks; can be named
Users
Applications: represent content
Services: represent L4 addresses (ports)

2009 Palo Alto Networks. Proprietary and Confidential
NAT Policy

Network Address Translation Policies define when and
(Figure: Private IPs, 192.168.41.22, on the inside; Public IPs, 74.125.19.23, on the Internet side.)
3/8/10 12:45 PM
DA
10.1.1.47 4.2.2.2
SP
DP
43778
80
Page 13 |
SA
DA
64.3.1.22 4.2.2.2
3.0-a
SP
DP
1031
80
SA
DA
SP
DP
12.67.5.2
64.10.11.103
5467
80
Page 14 |
SA
DA
SP
DP
12.67.5.2
192.168.10.100
5467
80
3.0-a
3/8/10 12:46 PM
Thank You
3.0-a
Page 15 |
3/8/10 12:46 PM
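Added example, not course material or Palo Alto Networks code: a Python model of the first-packet path that ties the Virtual Router slide (the route lookup decides the zone) to the NAT examples above. It applies the ordering a practitioner has to get right when writing these rules: the NAT rulebase is matched on pre-NAT zones and addresses, a second route lookup on the translated destination gives the real egress zone, and the security rulebase is matched on post-NAT zones but pre-NAT addresses and ports. The addresses are those on the NAT slides; the route table, zone assignments, rule names and the 1031 ephemeral port are constructed for the example.

```python
"""Model of the first-packet path: zone lookup, NAT policy, security policy.

Added example, not Palo Alto Networks code.  Topology, rule names and the
ephemeral-port choice are constructed; addresses come from the NAT slides.
"""
import ipaddress
from dataclasses import dataclass, replace

ANY = "any"

# Routing table of the (constructed) virtual router: the longest-prefix match
# decides the egress interface, and therefore the zone, of a destination.
ROUTES = [
    (ipaddress.ip_network("10.1.1.0/24"), "Users"),
    (ipaddress.ip_network("192.168.10.0/24"), "DMZ"),
    (ipaddress.ip_network("0.0.0.0/0"), "Internet"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def zone_for(ip: str) -> str:
    """Forwarding lookup: zone of the longest matching route."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n, _ in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return next(z for n, z in ROUTES if n == best)


def _match(rule, src_zone, dst_zone, dst_ip, dport):
    return (rule["from"] in (ANY, src_zone) and rule["to"] in (ANY, dst_zone)
            and rule["dst"] in (ANY, dst_ip) and rule.get("dport", ANY) in (ANY, dport))


NAT_RULES = [
    # Outbound: Users leave through the firewall's public address 64.3.1.22.
    {"name": "users-snat", "from": "Users", "to": "Internet", "dst": ANY, "snat": "64.3.1.22"},
    # Inbound: public 64.10.11.103 maps to the DMZ web server.  The destination
    # zone is Internet, not DMZ: the NAT rulebase is evaluated on the pre-NAT
    # forwarding lookup, which sends 64.10.11.103 out the default route.
    {"name": "web-dnat", "from": "Internet", "to": "Internet", "dst": "64.10.11.103",
     "dnat": "192.168.10.100"},
]

SECURITY_RULES = [
    {"name": "users-to-internet", "from": "Users", "to": "Internet", "dst": ANY, "action": "allow"},
    # Post-NAT zone (DMZ) but pre-NAT destination address (64.10.11.103).
    {"name": "inbound-web", "from": "Internet", "to": "DMZ", "dst": "64.10.11.103",
     "dport": 80, "action": "allow"},
]

# Common mistake: a security rule written with the post-NAT address never
# matches, because the security policy sees the original destination.
WRONG_SECURITY_RULES = [
    {"name": "inbound-web-wrong", "from": "Internet", "to": "DMZ", "dst": "192.168.10.100",
     "dport": 80, "action": "allow"},
]

_next_ephemeral = 1031  # constructed; the slide shows 43778 -> 1031


def evaluate(pkt: Packet, nat_rules=NAT_RULES, security_rules=SECURITY_RULES) -> dict:
    """Return the NAT and security decisions for the first packet of a session."""
    global _next_ephemeral
    src_zone = zone_for(pkt.src)
    pre_nat_dst_zone = zone_for(pkt.dst)

    # 1. NAT policy: matched on pre-NAT zones and addresses.
    nat = next((r for r in nat_rules if _match(r, src_zone, pre_nat_dst_zone, pkt.dst, pkt.dport)), None)
    xlated = pkt
    if nat and "snat" in nat:
        xlated = replace(xlated, src=nat["snat"], sport=_next_ephemeral)
        _next_ephemeral += 1
    if nat and "dnat" in nat:
        xlated = replace(xlated, dst=nat["dnat"])

    # 2. Second forwarding lookup on the translated destination: the zone the
    #    packet will actually leave through.
    post_nat_dst_zone = zone_for(xlated.dst)

    # 3. Security policy: post-NAT zones, pre-NAT addresses and ports.
    sec = next((r for r in security_rules if _match(r, src_zone, post_nat_dst_zone, pkt.dst, pkt.dport)), None)
    return {
        "src_zone": src_zone,
        "dst_zone": post_nat_dst_zone,
        "nat_rule": nat["name"] if nat else None,
        "security_rule": sec["name"] if sec else None,
        "action": sec["action"] if sec else "deny",  # implicit interzone default deny
        "translated": (xlated.src, xlated.sport, xlated.dst, xlated.dport),
    }


if __name__ == "__main__":
    print(evaluate(Packet("10.1.1.47", "4.2.2.2", 43778, 80)))
    print(evaluate(Packet("12.67.5.2", "64.10.11.103", 5467, 80)))
    print(evaluate(Packet("12.67.5.2", "64.10.11.103", 5467, 80), security_rules=WRONG_SECURITY_RULES))
```

The third call is the check worth keeping in mind when an inbound NAT "does not work": the NAT rule matches and the translation happens, but the session is dropped because the security rule names the translated address instead of the public one.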
Application Identification

Agenda
What is an Application?
Application Control Center (ACC)
Application Identification
Single Pass Architecture and Packet Flow
Application groups and Filters
Security Policy Examples
Application Override Policy
What is an Application?

(Figure: GMail, GTalk, Google Calendar, iGoogle, eMule, UltraSurf)
Application Identification Techniques (figure)

Protocol Decryption: SSL forward proxy decryption, then the HTTP decoder
Protocol Decoders: detect protocol in protocol; provide context for signatures
Application Signatures: e.g. webex; mode shift
Heuristics: uses patterns of communication
Flow Logic (figure)

Classification example: Encrypted Bittorrent -> Protocol Decoders -> Unknown -> Examine communications -> Heuristics -> Encrypted Bittorrent

Initial Packet Processing
  Source Zone / Address
  Forwarding Lookup
  Destination Zone
  NAT Policy
  Security Pre Policy Check (Allowed Ports)
  Session Created
Application
  Check for SSL
  SSL Decryption Policy
  Application Override Policy
  App ID Check
  Security Policy Check
Security Policy / Post Policy Processing
  Security Profiles (SP3)
  SSL ReEncrypted
  NAT Applied
  Packet Forwarded
TCP Example (figure: Ethernet frame annotated with Source Address, Destination Address, Destination Port and Application Data; exchange syn, syn ack, ack, get -> Meebo)

00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45
00 30 d1 29 40 00 80 06 8f 60 0a 10 00 6e d0 51
bf 6e 3a 52 01 bb 31 d7 06 19 00 00 00 00 70 02
ff ff 74 e4 00 00 02 04 05 b4 01 01 04 02

(The dump as extracted is one byte short at the first line break: an IPv4 header reads 45 00 00 30, so the TOS byte 00 is missing between 45 and 00 30.)

UDP Example (figure: Ethernet frame annotated with Source Address, Destination Address, Destination Port and Application Data)

00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00
00 3b d1 26 00 00 80 11 54 18 0a 10 00 6e 0a 00
00 f6 c1 76 00 35 00 27 c7 5a a3 24 01 00 00 01
00 00 00 00 00 00 03 77 77 77 05 6d 65 65 62 6f
03 63 6f 6d 00 00 01 00 01

Application Data (gzip-compressed payload, 1f 8b magic; truncated on the slide)

1f 8b 08 00 00 00 00 00 00 03 b4 57 fd 6f db 36
13 fe 57 ae 1a 36 3b 99 2d 35 fb 00 da c4 f6 b0
26 e9 bb bc 48 9a 60 75 57 0c 7d 8b 81 92 4e 12
63 89 54 49 2a ae 57 e4 7f df 1d 25 39 b2 f7 91
fe b0 37 08 60 ea 78 3c de 3d 7c ee 78 9c 3d 39
bb 3e 5d fe 7a 73 0e 3f 2d af 2e e1 e6 cd 8b cb
...
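Added example, not course material or Palo Alto Networks code: a decoder for the two frames above that walks Ethernet, IPv4 and the L4 header and then looks at what is left, which is the point the slide makes. The TCP frame is a bare SYN to tcp/443 with no application data, so nothing beyond the port is known yet; the UDP frame's payload is a DNS query for www.meebo.com, readable only by decoding past the headers. The bytes are those printed on the slide, with the one byte the TCP dump lost at its first line break (the IPv4 TOS field, 0x00) restored; the app labels returned by the function are the example's own, not App-ID names.

```python
"""Decode the two frames from the slide's hex dumps (Ethernet / IPv4 / TCP, UDP / DNS).

Added example, not Palo Alto Networks code.  The bytes are copied from the
slide; the TCP dump on the slide drops one byte (the IPv4 TOS field, 0x00)
at its first line break, restored here.
"""
import ipaddress
import struct

TCP_SYN_FRAME = bytes.fromhex(
    "00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00"  # trailing 00 = restored TOS byte
    "00 30 d1 29 40 00 80 06 8f 60 0a 10 00 6e d0 51"
    "bf 6e 3a 52 01 bb 31 d7 06 19 00 00 00 00 70 02"
    "ff ff 74 e4 00 00 02 04 05 b4 01 01 04 02"
)
UDP_DNS_FRAME = bytes.fromhex(
    "00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00"
    "00 3b d1 26 00 00 80 11 54 18 0a 10 00 6e 0a 00"
    "00 f6 c1 76 00 35 00 27 c7 5a a3 24 01 00 00 01"
    "00 00 00 00 00 00 03 77 77 77 05 6d 65 65 62 6f"
    "03 63 6f 6d 00 00 01 00 01"
)

TCP_FLAG_NAMES = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                  ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def parse_tcp_options(raw: bytes) -> dict:
    """Decode the option kinds present in the SYN: MSS (2), NOP (1), SACK-permitted (4)."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 4:
            opts["sack_permitted"] = True
        i += length
    return opts


def parse_dns_query(payload: bytes) -> dict:
    """Read the header and first question of a DNS query."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    labels, i = [], 12                      # question section starts after the 12-byte header
    while payload[i] != 0:
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    qtype, qclass = struct.unpack("!HH", payload[i + 1:i + 5])
    return {"id": txid, "flags": flags, "qdcount": qdcount,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def decode_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP/UDP and report what, if anything, names the application."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    l4 = ip[(ver_ihl & 0x0F) * 4:total_len]
    out = {"src_ip": str(ipaddress.IPv4Address(src)), "dst_ip": str(ipaddress.IPv4Address(dst)), "ttl": ttl}
    if proto == 6:
        sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", l4[:16])
        data_off = (off_flags >> 12) * 4
        out.update(proto="tcp", sport=sport, dport=dport, seq=seq, window=window,
                   flags=[n for n, bit in TCP_FLAG_NAMES if off_flags & bit],
                   options=parse_tcp_options(l4[20:data_off]), payload=l4[data_off:])
    elif proto == 17:
        sport, dport, length, _c = struct.unpack("!HHHH", l4[:8])
        out.update(proto="udp", sport=sport, dport=dport, payload=l4[8:length])
    else:
        raise ValueError(f"unsupported IP protocol {proto}")
    # The slide's point: the L4 port alone does not name the application.
    if out["proto"] == "udp" and out["dport"] == 53 and out["payload"]:
        out["app"] = "dns"
        out["dns"] = parse_dns_query(out["payload"])
    elif not out["payload"]:
        out["app"] = "unknown (no application data yet)"
    else:
        out["app"] = "unknown (payload needs a decoder or signature)"
    return out


if __name__ == "__main__":
    for frame in (TCP_SYN_FRAME, UDP_DNS_FRAME):
        print(decode_frame(frame))
```

Run as a script it prints both decoded frames; the TCP result carries the SYN's MSS and SACK-permitted options and an empty payload, the UDP result carries the parsed question www.meebo.com, type A.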
Application Filters and Groups

Applications are referenced in policy as an individual application, a static group, or an application filter (figure).

Static Groups of Applications (figure): Known_Good and Known_Bad, built from applications such as DNS, Games, Web-browsing, IM, SSL, P2P, Flash, Remote Access, Tunneling

Security Policy Example: the third rule catches all other applications that could be unwanted

Adjusting Risk