Showing posts with label Palo Alto. Show all posts
Showing posts with label Palo Alto. Show all posts

Wednesday, February 10, 2016

Palo Alto Study Notes: Firewall Configuration Essentials I (101) PAN-OS v.6.1

To view Firewall Configuration Essentials 101 Course, please login to the Palo Alto Networks Learning Center.


1. Palo Alto Networks Platforms

The PA-500, PA-200, and VM-Series firewalls do not support virtual systems. High Availability and Aggregated interfaces are also only supported on higher models of the product.

Saturday, January 3, 2015

Configure Palo Alto VM 6.0.0 in Vmware Workstation and ESXi

Palo Alto Networks has developed Virtualized Firewalls VM series to run in virtual environment. Here is the list for supported hypervisors from its website:
The VM-Series supports the exact same next-generation firewall and advanced threat prevention features available in our physical form factor appliances, allowing you to safely enable applications flowing into, and across your private, public and hybrid cloud computing environments.Automation features such as VM monitoring, dynamic address groups and a REST-based API allow you to proactively monitor VM changes dynamically feeding that context into security policies, thereby eliminating the policy lag that may occur when your VMs change.The VM-Series supports the following hypervisors:
  • VMWare ESXi and NSX
  • Citrix SDX,
  • KVM (Centos/RHEL)
  • Ubuntu
  • Amazon Web Services

There are four models for different requirements:
  • VM-100
  • VM-200
  • VM-300
  • VM-1000-HV
I have got a VM including two files (PA-VM-6.0.0.ovf and PA-VM-6.0.0-disk1.vmdk) and deployed it into my lab environment to test. Here are some steps:
1. Imported VM into Vmware workstation 

It was successful but need a 64-bit host and Intel VT-x need to be enabled for running this VM in Workstation. 

2. Deploy OVF file into ESXi lab

By selecting "File -> Deploy OVF Template... ", you can deploy OVF into ESXi.
I havd to change network adapter 2 to Internal v_switch and keep the network adapter 1 to Internet v_switch.

3. Start VM in ESXi Lab Enviroment
You will need to wait 1 minute to log in after login prompt shows up.

Type admin / admin as username and password after Login prompt shows up for 1 minute.
4. Basic configuration:

4.1. Once you got to the prompt (admin@PA-VM), type


4.2. You are now in the config mode, type the following command in order to give an IP address for the

PAN management and Web Access,

set deviceconfig system ip-address netmask default-gateway dns-setting servers primary

4.3. Hit Enter and then Type "commit"

note: Remember that we can use "?" to see all the commands and use "TAB" to complete the commands

5. Test
Try to ping the IP address of the PAN-OS and If successful, then open a browser and type ""Use the admin / admin for username and password.
Now the firewall is fully up and running. Enjoy the fun from this product coming from world leading security company

Monday, October 1, 2012

Palo Alto for NGFW facts from Checkpoint view

Compare Palo Alto with Checkpoint from Checkpoint website based on NSS Labs results:

Palo AltoCheck Point
NSS Labs Results - Protects Against HTML Evasions*33%100%
NSS Labs Results - Overall Protection**93%98%
File Sharing Applications170531
Total Applications1,5114,733
Application Social Network Widgets0240,000+
URL Filtering20 million on box100 million cloud based
Data Loss Prevention9 file types and regular expression match532 file types plus file attributes, document templates, dictionaries, keywords and scripting language match
Anti-Bot< 1 million protections (signatures/ DNS/ URLs/ IPs)250 million addresses analyzed for bot discovery
Reputation based protectionUnique multi-tier detection engine (reputation, signatures, mail activity and behavior based) with real-time security intelligence through ThreatCloud

* NSS Labs NGFW Test, 2012
** NSS Labs IPS Test, 2012

Palo Alto Networks ignores Standard OSI Model - focused on the application layer

PAN is focused on the
application layer

The seven layers of the Open Systems Interconnection model divide networking and security into discrete manageable components. The SANS Institute and other leading security organizations realize that we must comprehend all layers to deliver complete security.
Palo Alto Networks' focus on the application layer can lead to more security exposures for their customers. Check Point's balanced approach recognizes the importance of considering both the application and networks layers to assess all risks and deliver strong security.
It is only when we can see our networks as individual
components that we can adequately secure these levels.

SANS Institute

Palo Alto Networks defaults to open ports, leaving organizations exposed to attacks
Palo Alto Networks' single pass architecture defaults to open all ports, leaving organizations exposed to attacks. Why? Because its App-ID needs to interact with the application so it can be identified and classified. For security, this is a big problem.
Why would you want to provide attackers an advantage as they prepare a targeted attack? Attackers scan ports to discover vulnerabilities. Because of Palo Alto's focus on application inspection and App-ID, it must first allow a connection to identify the application to enforce policy. This insecurity allows a port scan to divulge details to the attacker about your configurations, devices and security. App-ID focuses on identifying the application first, so it risks unnecessary security exposures.
The Palo Alto approach requires that traffic be allowed to determine the application, something the Network World Clear Choice test noted "could easily result in unintended consequences and insecure configurations – a valid concern."

Palto Alto Networks may cause you to blow your PCI audit
Palo Alto Networks' focus on its next generation firewall and the application layer also raises a serious issue for compliance with the PCI Data Security Standard. Organizations spend enormous resources preparing for pass-or-fail PCI audits. One of the clearly stated requirements in the PCI DSS specification is for the organization to deploy "stateful inspection" in the firewall. According to Palo Alto, stateful inspection is being replaced with what they call "new core technology called App-ID." It would be very unfortunate for an organization to fail a PCI audit because it made a bad firewall choice.
PCI DSS RequirementsTesting Procedures
1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)1.3.6 Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a perviously established session.)
Stateful inspection is being replaced with our new core technology called App-ID, which identifies and classifies applications on the network regardless of port, protocol, evasive tactic or SSL encryption.

CTO, Palo Alto Networks

How Palo Alto Networks can be bypassed with cache poisoning
SIP traffic gets past PAN FW as HTTP traffic
Palo Alto Networks is vulnerable to cache poisoning. For example, a Session Initiation Protocol (SIP) or any other protocol connection can be used as a channel for attacking a company's internal networks. The SIP session could initially be blocked accurately, but by taking advantage of the cache poisoning vulnerability, the SIP session could bypass a Palo Alto firewall. The vulnerability could be exploited as follows:
  1. HTTP is allowed with firewall policy
  2. Opening a SIP session typically used with VoIP communications is correctly blocked
  3. Generating HTTP traffic that causes the cache to hit its threshold – meaning traffic continues going through the cache but is no longer inspected by the firewall
  4. Switching the HTTP connection to SIP, which is then allowed – and exposes you to risk
Strong security products do not allow cache poisoning, and a strong firewall will never stop inspecting network traffic.
Defcon 2011, Brad Woodberg, Juniper Networks


Check Point protects against 100% of evasion techniques tested by NSS Labs
ProductIP Packet FragmentationTCP Stream SegmentationRPC FragmentationURL ObfuscationHTML EvasionFTP EvasionTotal
Check Point100%100%100%100%100%100%100%
Source: NSS Labs NGFW Test, 2012

ProductClient ProtectionServer ProtectionOverall Protection
Check Point99%97%98.3%
Source: NSS Labs IPS Test, 2012
NSS Labs has released the results of its 2012 IPS Group Test that reviewed Intrusion Prevention System products from eight vendors. Once again, the Check Point IPS performed exceptionally well in the tests, demonstrating top-ranked IPS protection. The Check Point 12600 Appliance IPS protected against 100% of the evasion techniques attempted by NSS Labs.
"Resistance to known evasion techniques was perfect... IP fragmentation, TCP stream segmentation, RPC fragmentation, URL obfuscation, HTML Evasion and FTP evasion all failed to trick the product into ignoring valid attacks. Not only were the fragmented and obfuscated attacks blocked successfully, but all of them were also decoded accurately."
The Check Point IPS scored an overall protection rating of 98.3%, improving its 97.3% overall protection rating from the 2011 NSS Labs IPS test.
Highlights of Check Point's performance in the NSS IPS Group Test include:
  • Superior Security
  • Top of the pack with overall protection score of 98.3%
  • Strong security with 100% coverage of evasion techniques
  • A top score for server protection, 97%
  • Best in Class management system that is robust and granular

The App Gap
  • Check Point tracks more than 531 file sharing apps (a critical application category for enterprises), Palo Alto tracks 170.
  • Check Point tracks more than 4,733 total apps, Palo Alto tracks 1,511.
  • Check Point tracks almost a quarter million widgets, Palo Alto tracks 0.
Check Point tracks more apps, and provides extra granularity of protection because attacks on widgets and configurations go after the individual or specific capabilities of some applications. Palo Alto is supposed to be an "application security expert," so wouldn't you expect its focus on the application layer to provide a complete solution? Consider three prominent examples, such as Poison Ivy, Access Remote PC and Anyplace Control. Check Point has application controls for all three; Palo Alto has none.
The numbers tell the story. Unfortunately, business owners using Palo Alto are left on their own to figure out what to do with untracked apps.
Palo Alto's limited application coverage is a visibility and security issue.


Palo Alto Networks has limited visibility of risk
NO examination of data in PDF—only 9 file formats are supported
NO identification of non-English characters in .docx (Office 2007 and above documents)
NO protection for customer list or any dictionary larger than 350 items
NO protection for personally identifiable information other than US SSN & CCN
NO protection for HIPAA, GLBA, SEC filings
NO protection for source code, CAD-CAM, ASIC or FPGA designs, patent filings
NO validation for IBAN, tax numbers, service request numbers, etc.
The Palo Alto solution provides incomplete visibility for protecting information and inspecting content. Its technology has limited abilities to deeply inspect a variety of file formats and data types beyond the basics. Why risk your critical corporate data or intellectual property with Palo Alto Networks? Check Point provides you with complete visibility and comprehensive protection.
We found that the file blocking was easily fooled. For example, putting a file into a zip archive effectively hid the file type, as did changing the first few bytes of the file (by adding blank lines) and, in one case, changing the filename—which we didn't expect to work.

 August 2011
PAN's promised functionality does not translate to reality in real-world deployments.

Leading Online Investment Firm
PAN's solution is full of holes.

International Film School


Palo Alto Networks has weak management capabilities
Palo Alto Networks has no built-in central monitoring tools for VPN configuration.
With Palo Alto Networks, each tunnel is configured separately.
A mesh of 30 gateways requires manual set-up of 870 tunnels!

Here's one example of a gap in Palo Alto's security management: its configuration and management of Virtual Private Networks. When setting up VPNs, tunnels must be defined for the VPN connectivity. When configuring Palo Alto VPNs, you are required to manually configure gateways for each tunnel. For 30 security gateways, this would require 870 tunnels. You would need to manually configure each one and develop scripts to stitch them together. Palo Alto does not have built-in centralized monitoring tools for VPN configuration.
Obviously, the manual effort required by Palo Alto will make large deployments very difficult. As noted in its latest Next Generation Firewall product review by Network World: "Large VPN deployments will not want to move to Palo Alto…any large deployment would have to be built entirely by hand".
Check Point offers 1-click VPN configuration, which automates the process and improves your productivity. With Check Point, there is no need to manually build and configure 870 individual VPN tunnels! And our SmartView Monitor provides complete visibility into online tunnel status and VPN counters.
Large VPN deployments will not want to move to Palo Alto... any large deployment would have to be built entirely by hand.

NetworkWorld August 2011
Palo Alto Networks doesn't have anything comparable to Check Point Multi-Domain Management.

Major Energy Company