lesson 4 Flashcards
pan-os
- operating platform of next generation firewall software by palo alto
- supports all business sizes
- can be controlled by command line, web gui, panorama api, and snmp
pan-os standard features
- dual stack networking
- zone based architecture
- vpn
- high availability
- qos traffic shaping
- virtual routing and firewall configurations
three tenets of pan-os
- identifying the app (app-id)
- identifying the user (user-id)
- identifying the content (content-id)
pan-os security zones
- allow for granular policy-based control
- traffic between zone interfaces can be independently identified and controlled
pan-os security policies
- enforced by configuring rules
pan-os security policy defaults
- intrazone-default, allows traffic within a zone
- interzone-default, denies traffic between zones
pan-os objects
- represent physical and virtual network components
- divided into categories
pan-os object categories
- network objects
- applications and services
- security profiles
- user
pan-os network objects object category
- addresses, hosts, address groups
pan-os applications and services object category
- applications
- application types
- services
- protocols
pan-os security profiles object category
- antivirus
- anti-spyware
- url filtering
- data filtering
pan-os user object category
- users
- user groups
pan-os tags
- colour coded labels that can be assigned to identify items throughout the firewall configuration
- allow you to identify related items more easily
- allow you to use alternate view options when working with large configs
pan-os management interface
- out of band
- physical or virtual interface
pan-os software updates
- system software
- antivirus and spyware definitions (daily)
- malicious domains and urls
- application and threat signatures (weekly/monthly)
- wildfire (every 5 minutes)
pan-os deployment options
- tap
- virtual wire
- layer 3
pan-os flow logic for new sessions
- source zone
- zone and/or dos protection
- forwarding lookup (pbf)
- destination zone (plus dnat check)
- security policy check (app-id ignored)
- assign session id
- inspect app-id and content-id
- check for encryption (if there is a decrypt policy, move back to inspection)
- enforce security policy and profiles
- forward traffic (re-encrypt if decrypted)
pan-os flow logic for existing sessions
- inspect app-id and content-id
- check for encryption (if there is a decrypt policy, move back to inspection)
- enforce security policy and profiles
- forward traffic (re-encrypt if decrypted)
pan-os security policy data plane fundamentals
- all traffic passing through the data plane is matched to a security policy
- management traffic does not pass through the data plane
pan-os security policy rules fundamentals
- policy rules are defined using zones, apps, addresses, users and host information profiles (HIP)
- evaluated from top to bottom, stops when a match is found
- policy rules are directional but replies are always allowed
- if traffic will be initiated from both zones, two policies are required
- a universally unique identifier (UUID) is assigned to each policy rule upon creation, which provides a trail that captures all changes made to the rule and who made the most recent change
pan-os firewall type
- stateful
pan-os security policy session fundamentals
- sessions are identified by source and destination ip address, source and destination port numbers, protocol, and source security zone
- each session is assigned a unique session id
- each session consists of two flows, client-to-server and server-to-client, with clients considered to be the initiating device
pan-os security policy rule types
- intrazone
- interzone
- universal
pan-os nat types
- source nat
- destination nat
pan-os source nat
- modifies source address
- used by internal clients with private ips when they access hosts on the internet
pan-os destination nat
- modifies the destination address
- used to provide hosts on the internet access to private (internal) servers