Implementing Next-Generation Firewall with Palo Alto

Overview

Palo Alto Networks Next-Generation Firewalls (NGFWs) move beyond traditional port-based rule enforcement to application-aware, identity-driven security policies. By leveraging App-ID for traffic classification, User-ID for identity-based enforcement, Content-ID for threat inspection, and SSL decryption for encrypted traffic visibility, organizations gain comprehensive control over network traffic. This skill covers end-to-end deployment from initial configuration through advanced threat prevention profiles.

Prerequisites

• Palo Alto Networks PA-series appliance or VM-Series virtual firewall
• PAN-OS 10.2 or later
• Valid Threat Prevention, URL Filtering, and WildFire licenses
• Network topology documentation with zone definitions
• LDAP/Active Directory integration credentials for User-ID
• Internal CA certificate for SSL Forward Proxy decryption

Core Concepts

App-ID Technology

App-ID classifies network traffic by application regardless of port, protocol, or encryption. The classification engine uses multiple identification techniques in sequence:

1. Application Signatures - Pattern matching against known application signatures
2. SSL/TLS Decryption - Decrypt traffic to identify applications hidden in encrypted tunnels
3. Application Protocol Decoding - Decode protocols to find applications tunneled within them
4. Heuristic Analysis - Behavioral analysis for applications that evade other methods

The Policy Optimizer tool assists migration from legacy port-based rules to App-ID rules by analyzing traffic logs and recommending application-specific replacements.

User-ID Integration

User-ID maps IP addresses to user identities through multiple methods:

• Server Monitoring - Parses Windows Security Event Logs (Event IDs 4624, 4768, 4769)
• Syslog Listening - Receives authentication events from RADIUS, 802.1X, proxies
• GlobalProtect - Maps VPN users automatically
• Captive Portal - Web-based authentication for unknown users
• XML API - Programmatic user mapping from custom sources

Zone-Based Architecture

Zones represent logical segments of the network. Security policies control traffic between zones (inter-zone) and within zones (intra-zone):

Implementation Steps

Step 1: Initial System Configuration

Configure management interface, DNS, NTP, and system settings:

set deviceconfig system hostname PA-FW01
set deviceconfig system domain corp.example.com
set deviceconfig system dns-setting servers primary 10.0.1.10
set deviceconfig system dns-setting servers secondary 10.0.1.11
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 0.pool.ntp.org
set deviceconfig system timezone US/Eastern
set deviceconfig system login-banner "Authorized access only. All activity is monitored."

Step 2: Configure Network Zones and Interfaces

Define security zones and assign interfaces:

set zone Trust network layer3 ethernet1/1
set zone Untrust network layer3 ethernet1/2
set zone DMZ network layer3 ethernet1/3
set zone Guest network layer3 ethernet1/4

set network interface ethernet ethernet1/1 layer3 ip 10.10.0.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping
set network interface ethernet ethernet1/2 layer3 dhcp-client

set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 ]

Step 3: Configure Zone Protection Profiles

Protect against reconnaissance and DoS attacks at the zone level:

set network profiles zone-protection-profile Strict-ZP flood tcp-syn enable yes
set network profiles zone-protection-profile Strict-ZP flood tcp-syn alert-rate 100
set network profiles zone-protection-profile Strict-ZP flood tcp-syn activate-rate 500
set network profiles zone-protection-profile Strict-ZP flood tcp-syn maximal-rate 2000
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies enable yes

set network profiles zone-protection-profile Strict-ZP flood udp enable yes
set network profiles zone-protection-profile Strict-ZP flood icmp enable yes

set network profiles zone-protection-profile Strict-ZP scan 8003 action block-ip
set network profiles zone-protection-profile Strict-ZP scan 8003 interval 2
set network profiles zone-protection-profile Strict-ZP scan 8003 threshold 100

Step 4: Configure Threat Prevention Profiles

Create Anti-Virus, Anti-Spyware, Vulnerability Protection, and URL Filtering profiles:

# Anti-Spyware Profile
set profiles spyware Strict-AS botnet-domains lists default-paloalto-dns packet-capture single-packet
set profiles spyware Strict-AS botnet-domains sinkhole ipv4-address pan-sinkhole-default-ip
set profiles spyware Strict-AS rules Block-Critical severity critical action block-ip

# Vulnerability Protection Profile
set profiles vulnerability Strict-VP rules Block-Critical-High vendor-id any severity [ critical high ] action block-ip

# URL Filtering Profile
set profiles url-filtering Strict-URL credential-enforcement mode ip-user
set profiles url-filtering Strict-URL block [ command-and-control malware phishing ]
set profiles url-filtering Strict-URL alert [ hacking proxy-avoidance-and-anonymizers ]

# File Blocking Profile
set profiles file-blocking Strict-FB rules Block-Dangerous application any file-type [ bat exe msi ps1 vbs ] direction both action block

# WildFire Analysis Profile
set profiles wildfire-analysis Strict-WF rules Forward-All application any file-type any direction both analysis public-cloud

Step 5: Configure SSL Decryption

Set up SSL Forward Proxy for outbound traffic inspection:

# Generate Forward Trust CA certificate
request certificate generate certificate-name SSL-FP-CA algorithm RSA digest sha256 ca yes

# Create Decryption Profile
set profiles decryption Strict-Decrypt ssl-forward-proxy block-expired-certificate yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-untrusted-issuer yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-unknown-cert yes
set profiles decryption Strict-Decrypt ssl-forward-proxy restrict-cert-exts yes

# Create Decryption Policy
set rulebase decryption rules Decrypt-Outbound from Trust to Untrust source any destination any
set rulebase decryption rules Decrypt-Outbound action decrypt type ssl-forward-proxy
set rulebase decryption rules Decrypt-Outbound profile Strict-Decrypt

# Exclude sensitive categories (financial, healthcare)
set rulebase decryption rules No-Decrypt-Sensitive from Trust to Untrust
set rulebase decryption rules No-Decrypt-Sensitive category [ financial-services health-and-medicine ]
set rulebase decryption rules No-Decrypt-Sensitive action no-decrypt

Step 6: Build Security Policies

Create application-aware security policies with security profiles:

# Allow business applications from Trust to Internet
set rulebase security rules Allow-Business from Trust to Untrust
set rulebase security rules Allow-Business source-user any
set rulebase security rules Allow-Business application [ office365-enterprise salesforce-base slack-base zoom ]
set rulebase security rules Allow-Business service application-default
set rulebase security rules Allow-Business action allow
set rulebase security rules Allow-Business profile-setting group Strict-Security-Profiles

# Allow web browsing with URL filtering
set rulebase security rules Allow-Web from Trust to Untrust
set rulebase security rules Allow-Web application [ web-browsing ssl ]
set rulebase security rules Allow-Web action allow
set rulebase security rules Allow-Web profile-setting profiles url-filtering Strict-URL

# Block high-risk applications
set rulebase security rules Block-HighRisk from any to any
set rulebase security rules Block-HighRisk application [ bittorrent tor anonymizer ]
set rulebase security rules Block-HighRisk action deny
set rulebase security rules Block-HighRisk log-end yes

# Default deny rule (explicit)
set rulebase security rules Deny-All from any to any source any destination any
set rulebase security rules Deny-All application any service any action deny
set rulebase security rules Deny-All log-end yes

Step 7: Configure Logging and SIEM Integration

Forward logs to a SIEM for correlation:

# Configure Syslog Server Profile
set shared log-settings syslog SIEM-Server server SIEM transport UDP port 514 server 10.0.5.100
set shared log-settings syslog SIEM-Server server SIEM facility LOG_USER

# Configure Log Forwarding Profile
set shared log-settings profiles SIEM-Forward match-list Threats log-type threat
set shared log-settings profiles SIEM-Forward match-list Threats send-syslog SIEM-Server
set shared log-settings profiles SIEM-Forward match-list Traffic log-type traffic
set shared log-settings profiles SIEM-Forward match-list Traffic send-syslog SIEM-Server
set shared log-settings profiles SIEM-Forward match-list URL log-type url
set shared log-settings profiles SIEM-Forward match-list URL send-syslog SIEM-Server

Validation and Testing

1. Policy Audit - Review with show running security-policy and check for shadowed rules
2. Traffic Verification - Monitor Traffic logs for application classification accuracy
3. Threat Simulation - Use EICAR test file and known-bad URLs to validate threat profiles
4. SSL Decryption Test - Verify certificate chain in browser matches Forward Trust CA
5. Zone Protection Test - Run controlled SYN flood to verify SYN cookie activation
6. Policy Optimizer - Run Policy Optimizer to identify remaining port-based rules

# Verify active sessions
show session all filter application web-browsing

# Check threat log entries
show log threat direction equal backward

# Verify App-ID classification
show running application-override

# Check system resources
show system resources

Best Practices

• Least Privilege - Start with deny-all and explicitly allow only required applications
• App-ID Over Port - Replace port-based rules with application-specific rules using Policy Optimizer
• Decryption Coverage - Decrypt at least 80% of SSL traffic with appropriate privacy exclusions
• Security Profile Groups - Apply Anti-Virus, Anti-Spyware, Vulnerability, URL Filtering, File Blocking, and WildFire as a group
• Signature Updates - Enable automatic daily content updates for Applications and Threats
• HA Configuration - Deploy in active/passive HA pair for production environments
• Commit Validation - Always validate configuration before committing: validate full

References

• PAN-OS Admin Guide
• Best Practices for NGFW Deployment
• Palo Alto Firewall Best Practices Checklist
• NIST SP 800-41 Rev 1 - Firewall and Policy Guidelines