The PA-5000 series are new next generation firewalls with throughput of up to 20Gbps. They use multiple CPUs, RAM, and hardware acceleration engines to provide security functions. The PA-5000 architecture includes a control plane for management and a high throughput data plane. GlobalProtect provides secure remote access by creating a VPN tunnel between remote clients and gateways, and enforces security policies based on host information profiles gathered from endpoints. PAN-OS 4.0 provides more granular security policies and controls, an improved user interface, and networking enhancements such as active/active high availability and IPv6 support. New security features include botnet detection, enhanced intrusion prevention signatures, and client certificate authentication for captive portals.
24. PA-5000 Series Features Redundant, hot swap AC or DC power supplies SFP+ transceivers Hard Disks Two disk bays Solid State Drives Single 120GB included, additional 120 or 240GB drives are available. RAID 1 when two drives installed (must be identical) Hot-swappable fan tray
26. What is Global Protect? Global Protect applies security policy to end points regardless of their location Runs as a client on Windows PC Gathers host information (OPSWAT based) Creates VPN for remote clients Locates nearest portal for VPN connection Transparent operation to user
27. GP Architecture The Portal authenticates the user and directs them to a gateway where policy is Enforced. Portal 2 1 Gateway Gateway 2
28. Initial GP connection Laptop user makes an initial connection to the Portal and authenticates. Portal provides the software, HIP configuration, and gateway list. The downloaded Agent is installed and configured. Agent gathers host information, and finds closest Gateway If the closest Gateway is "internal” then no VPN If the closest Gateway is "external” then builds VPN HIP data is sent to Gateway The Gateway enforces security policy based on user, application, content AND the HIP submitted from the client.
29. HIP – Host Information Profile HIP Objects define an end point “Does the client have AV and is it enabled?” “Does the client have updated Microsoft patches?” “Is the client running notepad.exe?” End points return this information to the gateway HIP Profiles are defined by the objects an endpoint matches Security policy can be defined based on HIP profile “VPN clients who are members of HR can only access the HR database if they have disk encryption enabled”
30. HIP Object options Patch Management IsEnabled? LastScanTime MissingPatchList Vendor/Product Disk Encryption DiskState for each volume Vendor/Product Antivirus DataFileTime Vendor/Product LastFullScanTime RealTimeScanEnabled? Anti-Spyware DataFileTime Vendor/Product LastFullScanTime Firewall IsFirewallEnabled? Vendor/Product Host Info Machine Name Domain Organization
32. Configuring Global Protect Portal Portal has many of the same authentication configuration of a SSL VPN Portal They can interoperate with some 3rd party VPN clients 3rd party clients can be set to override the GP tunnel Administrator can control what HIP objects are returned to the portal The portal determine what settings the UI of the client will use
33. Configuring Global Protect Gateway Gateway provides client addressing information Can provide basic messages to clients that pass / fail HIP profiles Contains all client VPN configuration
59. Heartbeat Backup Link – Split Brain Protection <Heartbeat/Hello> <Heartbeat/Hello> Redundant path Data Plane status confirmation Supported on full product line
60. DNS Proxy Firewall acts as DNS server for clients Firewall uses DNS based on: Priority (Primary, Secondary) Domain Name ( xxx.local uses internal DNS, xxx.com uses public DNS) Static entry Is enabled by interface
61. IPv6 Support IPv6 Layer 3 interfaces IPv6 addresses in all policy IPv6 static routes in Virtual Routers ICMPv6 support DHCPv6 support Support for Neighbor Discovery
62. Networking enhancements Virtual Systems as routing targets Used in Virtual routers Used in PBF DNS based Address book entries Allow www.apple.com Country based Address book entries Block everything from Canada
64. Active/Active HA Both devices in the cluster are active and passing traffic Devices back each other, taking over primary ownership if either one fails Both devices load share the traffic BUT REMEMBER No increase in session capacity Not designed to increase throughput Supported modes L3 and vwire
65. Packet handling within the cluster Session ownership and session setup can be two different devices in the cluster It is atypical to implement it in this way Session setup Session setup maybe distributed among devices in HA group using IP modulo or hash Layer2 to Layer4 processing is handled by the session setup device This requires a dedicated HA interface- HA3 link Session ownership This device is responsible for all layer 7 processing
66. Session setup options IP modulo One device sets sessions for even numbered IP address and the peer sets sessions for odd numbered IP address This is preferred as it is deterministic IP hash Hash of either source or combination source/destination IP address is used for distributing session setup
67. Deployment topologies: Floating IP address Redundancy of IP address is accomplished using floating IP address Each interface on device is configured with floating IP addresses Floating IP address ownership is determined based on the device priority Load sharing is done externally via ECMP or configuring the clients with different default gateways RED- BACK GREEN-ACTIVE
68. Deployment topologies: ARP load sharing Firewalls share a virtual IP address Unique Virtual MAC per device is generated for the virtual IP address ARP load sharing is used for load balancing incoming traffic Hash or modulo of the source address of ARP requests to determine which device should handle the requests
70. Agenda - Security Enhancements Client cert auth for Captive Portal Botnet Detection and DDoS policy IPS action enhancements SSH Decryption Updated URL logging and reporting Global Protect Authentication Sequence Kerberos support
71. Client Certificate in Captive Portal Formerly available for SSL VPN and device authentication Now can be used in captive portal configuration Client Certificate can be configured as the only authentication option No Auth profile required Unlike client certs with admin authentication, this will be transparent. Uses the 3.1 “Client Certificate Profile” object
72. Drive-by Download Protection Warn end users about file transfer events New ‘Continue’ file blocking action Customizable response page The response page has a ‘continue’ button. If the user clicks ‘continue’, the file transfer will continue
73. Customizable Brute Force Attack Settings User defined thresholds for brute force signatures. Defined in the profile
74. Custom Combination Signatures Combine multiple signatures to create custom combination signatures Take individual spyware or vulnerability threat IDs and group them into one custom signature Take individual signatures and apply thresholds for number of hits over specified time period
75. Block IP Action (Blackhole) Block all future traffic from a host after triggering a security condition Spyware and vulnerability signatures DoS protection rulebase Zone protection Block time in seconds Max 21600 seconds in DoS protection rulebase Max 3600 seconds in spyware and vulnerability profiles Block method: Based on sourceIP or source-and-destination IP
76. DoS Protection Rulebase Extends existing DoS protections that are currently configurable on a per-zone basis Rules based on source/dest zone, source/dest IP, country, service, and user Two types of profiles are supported: Aggregate: Thresholds apply to all traffic Classified: Thresholds apply either on basis of source IP, destination IP or a combination of both.
77. Behavior-based Botnet Detection Collate information from Traffic, Threat, URL logs to identify potentially botnet-infected hosts A report will be generated each day list of infected hosts, description (why we believe the host to be infected) Confidence level Following parameters (configurable) to detect botnets Unknown TCP/UDP IRC HTTP traffic (malware sites, recently registered, IP domains, Dynamic Domains) Users can configure a query for specific traffic
78. Updated URL Logging Can log just container pages Previously cnn.com created 26 URL logs Can filter to have just one Uses the Container Page setting in the device tab Full URL logging Now logs up to 1023 bytes of the URL Previous max was 256
79. SSH Decryption Uses same tactic as SSL decryption No additional configuration required New “Block if failed to decrypt” option User certificates Unsupported crypto system Can now block the connection Previously we would allow it
80. Authentication Sequence Can configure multiple authentication profiles If the first one in the list fails the next will be attempted Can be used to cycle through multiple RADIUS or Active Directory Forest designs The Authentication Sequence object can be used in the same locations as a regular Authentication profile
81. Native Kerberos Authentication Firewall can now authenticate to AD without the use of an Agent Can be used like RADIUS or LDAP authentication servers Does not retrieve group membership – AD Agent or LDAP server required.
Things to talk about:-Moving farther into datacenter coreNotes:-CPS: connections per second
Things to talk about:-What is it and what is the point? -Control outside of the network -Security outside of network
Things to talk about:-Installer is MSI and can be pushed out via GPO-Option to allow user to disable (not recommended), optional password required
Things to talk about:-3rd party supported VPN clients -PAN SSL VPN -Juniper Network Connect -Cisco Systems VPN Adapter
** Global ProtectDemo After This Slide**
Things to talk about:Touch on all of these as they do not come up again.Notes:User-ID-x-forwarded-for: used by proxies to keep user info when requesting info from web servers -Security hole as it would be sending internal IP addresses out onto the webURL Filtering-URL Logging will now log 1023 bytes of requested url
Things to talk about:UI upgrades on next slide, Explain the rest.
Things to talk about:-Easy Object creation (from within rule creation and also lower left on the rules page)-Switching between tabs saves your place-Commit checks for application dependencies-Policy Viewer-Edit whole policy at once (Security, NAT…)-Regions-Reports is diff (Click on reports and look to the right) -Managing custom reports is much different-PCAP from GUI-Locks -Config-only you can edit config/commit -Commit-people can edit, only you can commit -Can be automatically aquired (device tab, setup, management options)**UI Demo After This Slide**-Security Rules (tagging, drag-n-drop, object value visibility, filtering, rule editing-quick & whole interface, regions)-Tab Switching-Config/commit Locks-Commit app dependency check-PCAP from GUI
Things to talk about:Explain these except for Active/Active, DNS Proxy, VR-VR Routing, Country-based, just touch on those.Notes: Overlapping IP Address Support: To facilitate shared use of a device, the system now supports the use ofthe devices layer 3 services for clients that have the same IP address of interfaces or hosts in anothervirtual router. Untagged Subinterfaces: Multiple untagged layer 3 interfaces can now be created on a single physicalinterface. The source interface will be determined based on the destination IP address as opposed to aVLAN tag.Adjust TCP MSS - maximum segment size (MSS) is adjusted to 40 bytes less than the interface MTU. Addresses the situation in which a tunnel through the network requires a smaller MSS. If a packet cannot fit within the MSS without fragmenting, this setting allows an adjustment to be made.
Things to talk about:Why did we add?To address split brain issues resulting from lost HA1 link. Very common for platforms using in-band HA1.How is this configured?Simple checkbox
The Neighbor Discovery Protocol defines mechanisms for providing the following functionality: Router discovery: hosts can locate routers residing on attached links. Prefix discovery: hosts can discover address prefixes that are on-link for attached links. Parameter discovery: hosts can find link parameters (e.g., MTU). Address autoconfiguration: stateless configuration of addresses of network interfaces. Address resolution: mapping between IP addresses and link-layer addresses. Next-hop determination: hosts can find next-hop routers for a destination. Neighbor unreachability detection (NUD): determine that a neighbor is no longer reachable on the link. Duplicate address detection (DAD): nodes can check whether an address is already in use. Redirect: router can inform a node about better first-hop routers. Recursive DNS Server (RDNSS) assignment via a router advertisement (RA) options.[2]
Things to talk about:-Virtual Systems/Routers as routing targets -Available in Virtual Routers as well as Policy-Based Forwarding rules -SSL VPN/Management of firewall via primary link in WAN failover config
Things to talk about:-Reason for HA3 Link: After session setup packet will be forwarded back to the session owner for Layer 7 processing to preserve the forwarding path
Notes:ECMP = Equal Cost Multi Path routing.
Things to talk about:-SSH V2 with interactive auth
**Authentication, Reporting (Custom & Default), Botnet, DoS, and Drive by Download Demo After This Slide**
