114 • Panorama 7.0 Administrator’s Guide
© Palo Alto Networks, Inc.
Use Case: Configure Firewalls Using Panorama
Manage Firewalls
Step 4 Create a Zone Protection profile for the
firewalls in the data center template
(T_DataCenter).
1. Select the Network tab and, in the Template drop‐down,
select T_DataCenter.
2. Select Network Profiles > Zone Protection and click Add.
3. For this example, enable protection against a SYN flood: in the Flood Protection tab, select the SYN check box, set the Action to SYN Cookies, set Alert (packets/second) to 100, set Activate (packets/second) to 1000, and set Maximum (packets/second) to 10000. The firewall logs an alert when the zone receives SYN packets at the Alert rate, begins answering with SYN cookies at the Activate rate, and drops SYN packets that exceed the Maximum rate. Baseline the zone's normal SYN rate before you choose these values; thresholds set too low throttle legitimate connections.
4. For this example, enable alerts—In the Reconnaissance
Protection tab, select the Enable check boxes for TCP Port
Scan, Host Sweep, and UDP Port Scan. Ensure the Action
values are set to alert (the default value).
5. Click OK to save the Zone Protection profile.
Step 5 Configure the interface and zone settings
in the data center template
(T_DataCenter), and then attach the
Zone Protection profile you just created.
Before performing this step, you
must have configured the
interfaces locally on the firewalls.
As a minimum, for each interface,
you must have defined the
interface type, assigned it to a
virtual router (if needed), and
attached a security zone.
1. Select the Network tab and, in the Template drop‐down,
select T_DataCenter.
2. Select Network > Interface and, in the Interface column, click
the interface name.
3. Select the Interface Type from the drop‐down.
4. In the Virtual Router drop‐down, click New Virtual Router.
When defining the router, ensure the Name matches what is
defined on the firewall.
5. In the Security Zone drop‐down, click New Zone. When
defining the zone, ensure that the Name matches what is
defined on the firewall.
6. Click OK to save your changes to the interface.
7. Select Network > Zones, and select the zone you just created.
Verify that the correct interface is attached to the zone.
8. In the Zone Protection Profile drop‐down, select the profile
you created, and click OK.
Step 6 Commit your template changes.
1. Click Commit, for the Commit Type select Panorama, and
click Commit again.
2. Click Commit, for the Commit Type select Template, select
the firewalls assigned to the templates in which you made
changes, and click Commit again.
Use Device Groups to Push Policy Rules
TASK 3
Use device groups to manage the policy rules on your firewalls.
Step 1 Create device groups and assign the
appropriate firewalls to each device
group: see Add a Device Group.
In this example, create device groups named
DG_BranchAndRegional and DG_DataCenter.
When configuring the DG_BranchAndRegional device group, you must assign a Master firewall. This is the only firewall in the device group from which Panorama gathers user and group mapping information, which you need when you define user-based rules for the device group (Step 4).
Step 2 Create a shared pre‐rule to allow DNS
and SNMP services.
1. Create a shared application group for the DNS and SNMP
services.
a. Select Objects > Application Group and click Add.
b. Enter a Name and select the Shared check box to create a
shared application group object.
c. Click Add, type DNS, and select dns from the list. Repeat for SNMP and select snmp and snmp-trap.
d. Click OK to create the application group.
2. Create the shared rule.
a. Select the Policies tab and, in the Device Group drop‐down,
select Shared.
b. Select the Security > Pre-Rules rulebase.
c. Click Add and enter a Name for the security rule.
d. In the Source and Destination tabs for the rule, click Add
and enter a Source Zone and a Destination Zone for the
traffic.
e. In the Applications tab, click Add, type the name of the
applications group object you just created, and select it
from the drop‐down.
f. In the Actions tab, set the Action to Allow, and click OK.
Step 3 Define the corporate acceptable use
policy for all offices. In this example,
create a shared rule that restricts access
to some URL categories and denies
access to peer‐to‐peer traffic that is of
risk level 3, 4, or 5.
1. Select the Policies tab and, in the Device Group drop‐down,
select Shared.
2. Select Security > Pre-Rules and click Add.
3. In the General tab, enter a Name for the security rule.
4. In the Source and Destination tabs, click Add and select any
for the traffic Source Zone and Destination Zone.
5. In the Application tab, define the application filter:
a. Click Add and click New Application Filter in the footer of the drop‐down.
b. Enter a Name, and select the Shared check box.
c. In the Risk column, select levels 3, 4, and 5.
d. In the Technology column, select peer-to-peer.
e. Click OK to save the new filter.
6. In the Service/URL Category tab, URL Category section, click Add and select the categories you want to block (for example, streaming-media, dating, and online-personal-storage).
All match criteria in a rule are combined with AND, so a single rule that lists both the application filter and the URL categories matches only sessions that satisfy both. To deny each independently, create two rules: one with the application filter and one with the URL categories.
7. In the Actions tab, set the Action to Deny.
8. (Optional) Attach the default URL Filtering profile: in the Actions tab, Profile Setting section, select the Profile Type option Profiles, and select the URL Filtering option default. Security profiles are applied only to traffic that a rule allows, so a profile attached to a Deny rule has no effect; attach it to the rule that allows the remaining web traffic if you want category-based blocking there.
9. Click OK to save the security pre‐rule.
Step 4 Allow Facebook for all users in the
Marketing group in the regional offices
only.
Enabling a security rule based on user
and group has the following prerequisite
tasks:
• Set up User‐ID on the firewalls.
• Enable User‐ID for each zone that
contains the users you want to
identify.
• Define a master firewall for the DG_BranchAndRegional device group (Step 1).
1. Select the Policies tab and, in the Device Group drop‐down,
select DG_BranchAndRegional.
2. Select the Security > Pre-Rules rulebase.
3. Click Add and enter a Name for the security rule.
4. In the Source tab, Add the Source Zone that contains the
Marketing group users.
5. In the Destination tab, Add the Destination Zone.
6. In the User tab, Add the Marketing user group to the Source
User list.
7. In the Application tab, click Add, type Facebook, and then select it from the drop‐down.
8. In the Action tab, set the Action to Allow.
9. In the Target tab, select the regional office firewalls and click
OK.
Step 5 Allow access to the Amazon cloud
application for the specified
hosts/servers in the data center.
1. Create an address object for the servers/hosts in the data
center that need access to the Amazon cloud application.
a. Select Objects > Addresses and, in the Device Group
drop‐down, select DG_DataCenter.
b. Click Add and enter a Name for the address object.
c. Select the Type, and specify an IP address and netmask (IP
Netmask), range of IP addresses (IP Range), or FQDN.
d. Click OK to save the object.
2. Create a security rule that allows access to the Amazon cloud
application.
a. Select Policies > Security > Pre-Rules and, in the Device
Group drop‐down, select DG_DataCenter.
b. Click Add and enter a Name for the security rule.
c. Select the Source tab, Add the Source Zone for the data
center, and Add the address object (Source Address) you
just defined.
d. Select the Destination tab and Add the Destination Zone.
e. Select the Application tab, click Add, type amazon, and select the Amazon applications from the list.
f. Select the Action tab and set the Action to Allow.
g. Click OK to save the rule.
Step 6 To enable logging for all Internet‐bound
traffic on your network, create a rule that
matches trust zone to untrust zone.
1. Select the Policies tab and, in the Device Group drop‐down,
select Shared.
2. Select the Security > Pre-Rules rulebase.
3. Click Add and enter a Name for the security rule.
4. In the Source and Destination tabs for the rule, Add trust_zone as the Source Zone and untrust_zone as the Destination Zone.
5. In the Action tab, set the Action to Deny, set the Log Setting to Log at Session End, and click OK.
This rule denies and logs every Internet‐bound session that no earlier rule allowed. Because Shared pre‐rules are evaluated before device group pre‐rules and the firewall's local rules, a catch‐all in this position shadows any later rule that matches the same zones (for example, the Facebook and Amazon rules from Step 4 and Step 5 if they also use trust_zone and untrust_zone). If that is not what you intend, create the rule in the Shared Post‐Rules rulebase instead, so that it is evaluated after the device group rules, and use Preview Rules (Task 4) to confirm the order. To log the allowed Internet‐bound sessions as well, enable Log at Session End on the allow rules.
Preview the Rules and Commit Changes
TASK 4
Preview your rules and commit your changes to Panorama, device groups, and templates.
Step 1 In the Policies tab, click Preview Rules, and select a Rulebase, Device Group, and Device. This preview
enables you to visually evaluate how rules are layered for a particular rulebase. Close the preview dialog
when you are done.
Step 2 Click Commit, for the Commit Type select Panorama, and click Commit again.
Step 3 Click Commit, for the Commit Type select Device Group, select the device groups you added, select the
Include Device and Network Templates check box, and click Commit again.
Step 4 In the Context drop‐down, select the firewall to access its web interface and confirm that Panorama applied
the template and policy configurations.
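The following is an added example, not code from the Panorama guide: a small Python model of the rule layering that Preview Rules displays, built from the Task 3 rules. It assembles the effective rulebase for one firewall in the Panorama evaluation order (Shared pre‐rules, device group pre‐rules, local rules, device group post‐rules, Shared post‐rules, then the predefined intrazone/interzone default rules), evaluates a few constructed sessions, and reports rules that an earlier rule shadows. The rule names, the zone names (trust_zone, untrust_zone), the user group and firewall names, the risk/technology values in APPS, and the sessions are all assumptions for illustration, not App‐ID data or names from the guide.

```python
"""Model of Panorama rule layering for the Task 3 rules (added example, not
code from the Panorama guide). Names, zones and the APPS table are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = frozenset({"any"})  # wildcard, as "any" in the rule editor
Z = frozenset             # shorthand for rule field sets

# Constructed application metadata: name -> (risk, technology). Not App-ID data.
APPS = {"dns": (4, "network-protocol"), "snmp": (2, "network-protocol"),
        "snmp-trap": (2, "network-protocol"), "facebook-base": (4, "browser-based"),
        "bittorrent": (5, "peer-to-peer"), "web-browsing": (4, "browser-based")}

# A session is (src_zone, dst_zone, user_group, app, url_category).
Flow = Tuple[str, str, str, str, str]

def app_filter(risks, technology) -> FrozenSet[str]:
    """Resolve an application filter (risk levels + technology) to app names."""
    return Z(a for a, (r, t) in APPS.items() if r in risks and t == technology)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    src_zone: FrozenSet[str] = ANY
    dst_zone: FrozenSet[str] = ANY
    src_user: FrozenSet[str] = ANY           # User-ID group names
    app: FrozenSet[str] = ANY
    url_cat: FrozenSet[str] = ANY
    target: Optional[FrozenSet[str]] = None  # Target tab; None = every firewall
    log_end: bool = False

    def fields(self):
        return (self.src_zone, self.dst_zone, self.src_user, self.app, self.url_cat)

def matches(rule: Rule, flow: Flow) -> bool:
    """All match criteria of a rule are ANDed; "any" matches everything."""
    return all(f == ANY or v in f for f, v in zip(rule.fields(), flow))

def effective_rulebase(device, shared_pre, dg_pre, local, dg_post, shared_post):
    """Panorama order: Shared pre, device group pre, local, device group post,
    Shared post. Rules whose Target excludes this firewall are not pushed."""
    def pushed(rules):
        return [r for r in rules if r.target is None or device in r.target]
    return pushed(shared_pre) + pushed(dg_pre) + local + pushed(dg_post) + pushed(shared_post)

def evaluate(flow: Flow, rules: List[Rule]) -> Tuple[str, str]:
    """First match wins; otherwise the predefined default rules apply."""
    for r in rules:
        if matches(r, flow):
            return r.name, r.action
    return ("intrazone-default", "allow") if flow[0] == flow[1] else ("interzone-default", "deny")

def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule) pairs where one earlier rule matches a superset."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(e == ANY or (l != ANY and l <= e)
                   for e, l in zip(earlier.fields(), later.fields())):
                out.append((later.name, earlier.name))
                break
    return out

# Task 3 rules (names, zones and groups assumed). The acceptable-use rule is
# split in two because an app filter and URL categories in one rule are ANDed.
DNS_SNMP = Rule("Allow-DNS-SNMP", "allow", app=Z({"dns", "snmp", "snmp-trap"}))
BLOCK_P2P = Rule("Block-P2P", "deny", app=app_filter({3, 4, 5}, "peer-to-peer"))
BLOCK_URL = Rule("Block-URL-Categories", "deny",
                 url_cat=Z({"streaming-media", "dating", "online-personal-storage"}))
LOG_INTERNET = Rule("Log-Internet-Bound", "deny", src_zone=Z({"trust_zone"}),
                    dst_zone=Z({"untrust_zone"}), log_end=True)
FACEBOOK = Rule("Allow-Facebook-Marketing", "allow", src_zone=Z({"trust_zone"}),
                dst_zone=Z({"untrust_zone"}), src_user=Z({"Marketing"}),
                app=Z({"facebook-base"}), target=Z({"fw-regional-1"}))

# Constructed sessions (assumed group names and URL categories).
FB_FLOW = ("trust_zone", "untrust_zone", "Marketing", "facebook-base", "social-networking")
WEB_FLOW = ("trust_zone", "untrust_zone", "Sales", "web-browsing", "news")
P2P_FLOW = ("trust_zone", "untrust_zone", "Sales", "bittorrent", "unknown")

def regional_outcome(catch_all_in_pre: bool):
    """Outcomes on fw-regional-1 with Log-Internet-Bound as a Shared pre- or post-rule."""
    shared_pre = [DNS_SNMP, BLOCK_P2P, BLOCK_URL] + ([LOG_INTERNET] if catch_all_in_pre else [])
    shared_post = [] if catch_all_in_pre else [LOG_INTERNET]
    rules = effective_rulebase("fw-regional-1", shared_pre, [FACEBOOK], [], [], shared_post)
    return ([evaluate(f, rules) for f in (FB_FLOW, WEB_FLOW, P2P_FLOW)], shadowed(rules))

if __name__ == "__main__":
    print("catch-all in Shared pre-rules :", regional_outcome(True))
    print("catch-all in Shared post-rules:", regional_outcome(False))
```

With the catch‐all deny in Shared pre‐rules, the Marketing Facebook session lands on Log-Internet-Bound and Allow-Facebook-Marketing is reported as shadowed; with the catch‐all moved to Shared post‐rules, the device group rule matches, ordinary web browsing still reaches the logged deny, and the bittorrent session is denied by the application filter rule in both layouts. The shadow check is deliberately first‐order: it flags a rule only when a single earlier rule covers every one of its fields, which is the case Preview Rules makes easy to miss by eye.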
Manage Log Collection
All Palo Alto Networks next‐generation firewalls can generate logs that provide an audit trail of firewall
activities. For Centralized Logging and Reporting, you must forward the logs generated on the firewalls to
Panorama. You can then configure Panorama to aggregate the logs and forward them to remote logging
destinations. If you forward logs to a Panorama virtual appliance, you don’t need to perform any additional
tasks to enable logging. If you will forward logs to an M‐Series appliance in Panorama mode or Log Collector
mode, you must add the Log Collectors as managed collectors and assign them to Collector Groups to access,
manage, and update the Log Collectors using Panorama. To determine which deployment best suits your
needs, see Plan a Log Collection Deployment.
Configure a Managed Collector
Manage Collector Groups
Configure Log Forwarding to Panorama
Verify Log Forwarding to Panorama
Modify Log Forwarding and Buffering Defaults
Configure Log Forwarding from Panorama to External Destinations
Log Collection Deployments
To manage the System and Config logs that Panorama generates locally, see Monitor Panorama.
Configure a Managed Collector
To enable the Panorama management server (Panorama virtual appliance or M‐Series appliance in Panorama
mode) to manage a Log Collector, you must add it as a managed collector. The M‐Series appliance in
Panorama mode has a predefined local Log Collector. However, a Switch from Panorama Mode to Log
Collector Mode would remove the local Log Collector and would require you to re‐configure the appliance
as a Dedicated Log Collector (M‐Series appliance in Log Collector mode).
When the Panorama management server has a high availability (HA) configuration, you can
configure a local Log Collector on each HA peer. Dedicated Log Collectors don’t support HA.
Palo Alto Networks recommends that you install the same Applications update on Panorama as
on managed Collectors and firewalls. For details, see Panorama, Log Collector, and Firewall
Version Compatibility.
Step 1 Perform initial setup of the M‐Series
appliance in Log Collector mode if you
haven’t already.
Only Dedicated Log Collectors require
this step.
1. Rack mount the M‐Series appliance. Refer to the M‐100 or
M‐500 Hardware Reference Guide for instructions.
2. Perform Initial Configuration of the M‐Series Appliance.
If the Log Collector will use the Eth1 and Eth2 interfaces for
log collection and Collector Group communication, you must
define those interfaces during initial configuration. By default,
the Log Collector uses the management interface for these
functions.
3. Register Panorama and Install Licenses.
4. Install Content and Software Updates for Panorama.
5. Switch from Panorama Mode to Log Collector Mode.
Switching the mode of an M‐Series appliance deletes
any existing log data and deletes all configurations
except the management access settings. After the
switch, the M‐Series appliance retains CLI access but
loses web interface access.
6. (Optional) Increase Storage on the M‐Series Appliance.