Palo Alto Networks PAN-OS 4.0 New Features

1. AGENDAPA-5000 SeriesGlobalProtectPAN-OS 4.0

2. PA-5000 Series

3. PA-5000 SeriesPA-5060PA-5050PA-5020

4. Introducing the PA-5000 SeriesHigh performance Next Gen Firewall3 Models, up to 20Gbps throughput, 10Gbps threat

5. RAMFPGA (Security Profiles)RAMRAMRAMProcess Breakdown (PA-4000 Series)FPGAAV, Anti Spyware, and Vulnerability protection signatures

6. File and data filtering signatures10GbpsCavium Multi-Core Security ProcessorApp-ID

7. Decoders

8. Session setup and tear-down

9. Session table

10. Segment reassembly, normalization

11. 100k URL filtering cache

12. Disabled fast-path flows: ‘set session offload no’RAMCPU3CPU16CPU1CPU2. .Dual-coreCPURAMRAMRAMSSLIPSecDe-CompressionHDD10GbpsDevice ServerURL Database (20 million + 1 million dynamic)QoSRoute, ARP, MAC lookupNATEZ Chip 10 Gig Network ProcessorApp-Override flows

13. Fast-path flows

14. Zone Protection Profiles

15. QOS

16. PBFControl PlaneData Plane

17. PA-5000 Series ArchitectureQuad-core mgmt

18. High speed logging and route update

19. Dual hard drivesRAMRAMSignature MatchSignature MatchSignature Match HW EngineStream-based uniform sig. match

20. Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and moreRAMRAMRAMRAMRAMRAMCore 2Core 1RAM10Gbps10GbpsRAMCPU12CPU1CPU2CPU12CPU1CPU2CPU12CPU1CPU2RAMRAMRAM.........Core 4Core 3SSDRAMRAMRAMSSDSSLIPSecDe-Compress.SSLIPSecDe-Compress.SSLIPSecDe-Compress.Control Plane20Gbps80 Gbps switch fabric interconnect

21. 20 Gbps QoS engineSecurity ProcessorsHigh density parallel processing for flexible security functionality

22. Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)Flow controlRoute, ARP, MAC lookupNATNetwork Processor20 Gbps front-end network processing

23. Hardware accelerated per-packet route lookup, MAC lookup and NATSwitchFabricQoSData PlaneSwitch Fabric

24. PA-5000 Series FeaturesRedundant, hot swap AC or DC power suppliesSFP+ transceiversHard DisksTwo disk baysSolid State Drives Single 120GB included, additional 120 or 240GB drives are available. RAID 1 when two drives installed (must be identical)Hot-swappable fan tray

25. Global Protect

26. What is Global Protect?Global Protect applies security policy to end points regardless of their locationRuns as a client on Windows PCGathers host information (OPSWAT based)Creates VPN for remote clientsLocates nearest portal for VPN connectionTransparent operation to user

27. GP ArchitectureThe Portal authenticates the user and directs them to a gateway where policy is Enforced.Portal21GatewayGateway2

28. Initial GP connectionLaptop user makes an initial connection to the Portal and authenticates.Portal provides the software, HIP configuration, and gateway list.The downloaded Agent is installed and configured. Agent gathers host information, and finds closest GatewayIf the closest Gateway is "internal” then no VPNIf the closest Gateway is "external” then builds VPNHIP data is sent to GatewayThe Gateway enforces security policy based on user, application, content AND the HIP submitted from the client.

29. HIP – Host Information ProfileHIP Objects define an end point “Does the client have AV and is it enabled?”“Does the client have updated Microsoft patches?”“Is the client running notepad.exe?”End points return this information to the gatewayHIP Profiles are defined by the objects an endpoint matchesSecurity policy can be defined based on HIP profile“VPN clients who are members of HR can only access the HR database if they have disk encryption enabled”

30. HIP Object optionsPatch Management IsEnabled?LastScanTimeMissingPatchListVendor/ProductDisk Encryption DiskState for each volumeVendor/ProductAntivirus DataFileTimeVendor/ProductLastFullScanTimeRealTimeScanEnabled?Anti-Spyware DataFileTimeVendor/ProductLastFullScanTimeFirewall IsFirewallEnabled?Vendor/ProductHost Info Machine NameDomainOrganization

31. HIP Objects and Profile examples

32. Configuring Global Protect PortalPortal has many of the same authentication configuration of a SSL VPN PortalThey can interoperate with some 3rd party VPN clients3rd party clients can be set to override the GP tunnelAdministrator can control what HIP objects are returned to the portalThe portal determine what settings the UI of the client will use

33. Configuring Global Protect GatewayGateway provides client addressing informationCan provide basic messages to clients that pass / fail HIP profilesContains all client VPN configuration

34. Policy Example using GP

35. PAN-OS 4.0: A Significant Milestone

36. PAN-OS 4.0: More Control…App-IDCustom App-IDs for unknown protocolsApp and threats stats collectionSSH tunneling control (for port forwarding control)6,000 custom App-IDsUser-IDWindows 2003 64-bit, Windows 2008 32- and 64-bit Terminal Server support; XenApp 6 supportClient certificates for captive portalAuthentication sequence flowStrip x-forwarded-for headerDestination port in captive portal rulesThreat Prevention & Data FilteringBehavior-based botnet C&C detection

37. PDF virus scanning

38. Drive by download protection

39. Hold-down time scan detection

40. Time attribute for IPS and custom signatures

41. DoS protection rulebaseURL FilteringContainer page filtering, logging, and reporting

42. Seamless URL activation

43. “Full” URL logging

44. Manual URL DB uploads (weekly)PAN-OS 4.0: Easy to Use Gets Easier…New UI ArchitectureStreamline policy management workflowRule tagging, drag-n-drop, quick rule editing, object value visibility, filtering, and morePanoramaExtended config sharing (all rulebases, objects & profiles shared to device)

45. Dynamic log storage via NFS

46. Panorama HA

47. UAR from Panorama

48. Exportable config backups

49. Comprehensive config auditManagementFQDN-based address objects

50. Configurable log storage by log type

51. Configurable event/log format (including CEF for ArcSight)

52. Configuration transactions

53. SNMPv3 support

54. Extended reporting for VSYS admins (scheduler, UAR, summary reports, email forwarding)

55. PCAP configuration in UIPAN-OS 4.0: New UI ArchitectureStreamline policy management workflowRule: taggingdrag-n-dropquick rule editingobject value visibilityFilteringMuch more

56. Networking Enhancements

57. PAN-OS 4.0: Improved Deployment Flexibility…NetworkingActive/Active HAHA enhancements (link failover, next-hop gateway for HA1, more)IPv6 L2/L3 basic supportDNS proxyDoS source/dest IP session limitingVSYS resource control (# rules, tunnels, more)Country-based policiesOverlapping IP support (across multiple VRs)VR to VR routingVirtual System as destination of PBF ruleUntagged subinterfacesTCP MSS adjustmentNetConnect SSL-VPNPassword expiration notification

58. Mac OS support (released w/ PAN-OS 3.1.4)HA EnhancementsAdded back up link for HA1 and HA2 to protect against “Split Brain”Support for devices with HA links on different subnetsEnhanced timers for better fail over controlActive / Active HA clusters

59. Heartbeat Backup Link – Split Brain Protection<Heartbeat/Hello><Heartbeat/Hello>Redundant pathData Plane status confirmationSupported on full product line

60. DNS ProxyFirewall acts as DNS server for clientsFirewall uses DNS based on:Priority (Primary, Secondary)Domain Name ( xxx.local uses internal DNS, xxx.com uses public DNS)Static entryIs enabled by interface

61. IPv6 SupportIPv6 Layer 3 interfacesIPv6 addresses in all policyIPv6 static routes in Virtual RoutersICMPv6 supportDHCPv6 supportSupport for Neighbor Discovery

62. Networking enhancementsVirtual Systems as routing targetsUsed in Virtual routersUsed in PBFDNS based Address book entriesAllow www.apple.comCountry based Address book entriesBlock everything from Canada

63. Active/Active HA

64. Active/Active HABoth devices in the cluster are active and passing trafficDevices back each other, taking over primary ownership if either one failsBoth devices load share the trafficBUT REMEMBERNo increase in session capacityNot designed to increase throughputSupported modesL3 and vwire

65. Packet handling within the clusterSession ownership and session setup can be two different devices in the cluster It is atypical to implement it in this waySession setupSession setup maybe distributed among devices in HA group using IP modulo or hashLayer2 to Layer4 processing is handled by the session setup deviceThis requires a dedicated HA interface- HA3 linkSession ownershipThis device is responsible for all layer 7 processing

66. Session setup options IP moduloOne device sets sessions for even numbered IP address and the peer sets sessions for odd numbered IP addressThis is preferred as it is deterministicIP hashHash of either source or combination source/destination IP address is used for distributing session setup

67. Deployment topologies: Floating IP addressRedundancy of IP address is accomplished using floating IP addressEach interface on device is configured with floating IP addressesFloating IP address ownership is determined based on the device priorityLoad sharing is done externally via ECMP or configuring the clients with different default gatewaysRED- BACK GREEN-ACTIVE

68. Deployment topologies: ARP load sharingFirewalls share a virtual IP addressUnique Virtual MAC per device is generated for the virtual IP addressARP load sharing is used for load balancing incoming trafficHash or modulo of the source address of ARP requests to determine which device should handle the requests

69. Security Enhancements

70. Agenda - Security EnhancementsClient cert auth for Captive PortalBotnet Detection and DDoS policyIPS action enhancementsSSH DecryptionUpdated URL logging and reportingGlobal ProtectAuthentication SequenceKerberos support

71. Client Certificate in Captive PortalFormerly available for SSL VPN and device authenticationNow can be used in captive portal configurationClient Certificate can be configured as the only authentication optionNo Auth profile requiredUnlike client certs with admin authentication, this will be transparent.Uses the 3.1 “Client Certificate Profile” object

72. Drive-by Download ProtectionWarn end users about file transfer eventsNew ‘Continue’ file blocking actionCustomizable response pageThe response page has a ‘continue’ button. If the user clicks ‘continue’, the file transfer will continue

73. Customizable Brute Force Attack SettingsUser defined thresholds for brute force signatures. Defined in the profile

74. Custom Combination SignaturesCombine multiple signatures to create custom combination signaturesTake individual spyware or vulnerability threat IDs and group them into one custom signatureTake individual signatures and apply thresholds for number of hits over specified time period

75. Block IP Action (Blackhole)Block all future traffic from a host after triggering a security condition Spyware and vulnerability signaturesDoS protection rulebaseZone protectionBlock time in secondsMax 21600 seconds in DoS protection rulebaseMax 3600 seconds in spyware and vulnerability profilesBlock method: Based on sourceIP or source-and-destination IP

76. DoS Protection RulebaseExtends existing DoS protections that are currently configurable on a per-zone basisRules based on source/dest zone, source/dest IP, country, service, and userTwo types of profiles are supported:Aggregate: Thresholds apply to all traffic Classified: Thresholds apply either on basis of source IP, destination IP or a combination of both.

77. Behavior-based Botnet DetectionCollate information from Traffic, Threat, URL logs to identify potentially botnet-infected hostsA report will be generated each day list of infected hosts, description (why we believe the host to be infected)Confidence levelFollowing parameters (configurable) to detect botnetsUnknown TCP/UDP IRCHTTP traffic (malware sites, recently registered, IP domains, Dynamic Domains)Users can configure a query for specific traffic

78. Updated URL LoggingCan log just container pagesPreviously cnn.com created 26 URL logsCan filter to have just oneUses the Container Page setting in the device tabFull URL loggingNow logs up to 1023 bytes of the URLPrevious max was 256

79. SSH DecryptionUses same tactic as SSL decryptionNo additional configuration requiredNew “Block if failed to decrypt” optionUser certificatesUnsupported crypto systemCan now block the connectionPreviously we would allow it

80. Authentication SequenceCan configure multiple authentication profilesIf the first one in the list fails the next will be attemptedCan be used to cycle through multiple RADIUS or Active Directory Forest designsThe Authentication Sequence object can be used in the same locations as a regular Authentication profile

81. Native Kerberos AuthenticationFirewall can now authenticate to AD without the use of an AgentCan be used like RADIUS or LDAP authentication serversDoes not retrieve group membership – AD Agent or LDAP server required.

82. QuestionsQuestions?

Palo Alto Networks PAN-OS 4.0 New Features

More Related Content

What's hot (20)

Similar to Palo Alto Networks PAN-OS 4.0 New Features (20)

Recently uploaded (20)

Palo Alto Networks PAN-OS 4.0 New Features

Editor's Notes