AutoFocus
The AutoFocus threat intelligence service enables security teams to prioritize their response to unique, targeted attacks and gain the intelligence, analytics and context needed to protect your organization. It provides context around an attack spotted in your traffic and threat logs, such as the malware family, campaign, or malicious actor targeting your organization. AutoFocus correlates and gains intelligence from:
o WildFire® service - the industry's largest threat analysis environment
o PAN-DB URL filtering service
o MineMeld application for AutoFocus, enabling aggregation and correlation of any third-party threat intelligence source directly in AutoFocus
o Traps advanced endpoint protection
o Aperture SaaS-protection service
o Unit 42 threat intelligence and research team
o Intelligence from technology partners
o Palo Alto Networks global passive DNS network
GlobalProtect Secure Mobile Workforce
GlobalProtect cloud service reduces the operational burden associated with securing your remote networks and mobile users by leveraging a cloud-based security infrastructure managed by Palo Alto Networks. GlobalProtect uses client software (the GlobalProtect app) on each endpoint to build secure, per-user VPN tunnels back to the firewall.
URL Filtering Web Security
A firewall subscription/license. Most attacks and most exposure to malicious content occur during the normal course of web browsing, so the firewall must be able to allow safe, secure web access for all users. URL Filtering with PAN-DB automatically prevents attacks that leverage the web as an attack vector, including phishing links in emails, phishing sites, HTTP-based command and control, malicious sites, and pages that carry exploit kits. Key point: it focuses on preventing access to phishing websites.
Active/Active HA
Both firewalls are active. Used in specific circumstances, such as asymmetric routing setups, where traffic for one session may arrive at either firewall. Each firewall maintains its own routing and session tables, with sessions synced to the peer. More complex to configure and troubleshoot than Active/Passive, so it carries higher risk.
Active/Passive HA
One active firewall, one standby firewall. Easiest to manage. Network, Objects, Policies, Certificates and Session Table changes are synced from the active firewall to the passive one.
Single Pass Architecture (SP3)
SP3 stands for Single Pass Parallel Processing. The firewall processes each packet once, in a single pass, classifying it against all the variables that policy can use: SRC/DST Zones, SRC/DST IPs, App-ID, User-ID and Content-ID.
User-ID
Matching of a user to an IP address (or multiple IP addresses) allowing your Security policy to be based on who is behind the traffic, not the device. Can utilize Active Directory, a Captive Portal, etc.
Content-ID
Scanning of traffic for security threats: viruses, spyware, unwanted file transfers, specific data patterns (data leak prevention), vulnerability exploits, and URL filtering for appropriate browsing access.
App-ID
Scanning of traffic to identify the application that is involved, regardless of the protocol or port number used. The port number is used only as secondary enforcement (e.g., the application-default service restricts an identified application to its standard ports). App-ID is ALWAYS ON, and the identified application shows up in Traffic logs regardless of Security Policy settings.
Security Policies
Rules, evaluated top-down with the first match winning, that determine whether the firewall allows or blocks a session. Security zones, source and destination IP address, application (App-ID), source user (User-ID), service (port), HIP match, and URL categories in the case of web traffic can all serve as traffic matching criteria for the allow/block decision.
Security Zones
Zones designate a network segment that has similar security classification (i.e., Users, Data Center, DMZ Servers, Remote Users). All traffic must have a SRC/DST Zone.
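The following is an added example, not PAN-OS code, that models how the App-ID, User-ID, Security Policy and Security Zone cards above fit together: a first-match rule evaluator whose criteria are zones, addresses, App-ID, User-ID, service and URL category. The rules, the sample sessions and the small App-ID standard-port table are constructed for the example; the intrazone-default allow / interzone-default deny fallback is the PAN-OS predefined default, stated here as the model's assumption.

```python
"""First-match Security policy evaluator (added model, not PAN-OS code).
Rules, sessions and the App-ID default-port table below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

ANY = frozenset({"any"})

# Constructed subset of App-ID standard ports used by application-default.
DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ssh": {("tcp", 22)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: FrozenSet[str]
    to_zones: FrozenSet[str]
    sources: FrozenSet[str]          # CIDRs or ANY
    destinations: FrozenSet[str]     # CIDRs or ANY
    apps: FrozenSet[str]             # App-ID names or ANY
    users: FrozenSet[str]            # User-ID names or ANY
    services: FrozenSet[str]         # "tcp/443", "application-default" or ANY
    url_categories: FrozenSet[str]   # PAN-DB categories or ANY
    action: str                      # "allow" or "deny"


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str                          # what App-ID identified
    user: Optional[str]               # User-ID mapping; None if the IP has no mapped user
    proto: str
    dport: int
    url_category: Optional[str] = None  # None for non-web traffic


def _addr_match(ip: str, cidrs: FrozenSet[str]) -> bool:
    return cidrs == ANY or any(ip_address(ip) in ip_network(c) for c in cidrs)


def _service_match(s: Session, services: FrozenSet[str]) -> bool:
    if services == ANY:
        return True
    if "application-default" in services:
        # App-ID identifies the app; the port is then enforced as a secondary check.
        return (s.proto, s.dport) in DEFAULT_PORTS.get(s.app, set())
    return f"{s.proto}/{s.dport}" in services


def matches(r: Rule, s: Session) -> bool:
    """Every criterion on the rule must match; a criterion set to ANY always matches."""
    return (
        (r.from_zones == ANY or s.src_zone in r.from_zones)
        and (r.to_zones == ANY or s.dst_zone in r.to_zones)
        and _addr_match(s.src_ip, r.sources)
        and _addr_match(s.dst_ip, r.destinations)
        and (r.apps == ANY or s.app in r.apps)
        and (r.users == ANY or (s.user is not None and s.user in r.users))
        and _service_match(s, r.services)
        and (r.url_categories == ANY
             or (s.url_category is not None and s.url_category in r.url_categories))
    )


def evaluate(rules, s: Session):
    """Return (rule name, action) of the first matching rule, otherwise the
    predefined default (assumption: intrazone-default allow, interzone-default deny)."""
    for r in rules:
        if matches(r, s):
            return r.name, r.action
    if s.src_zone == s.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def fz(*items):
    return frozenset(items)


RULES = [
    Rule("block-phishing", ANY, ANY, ANY, ANY, ANY, ANY, ANY, fz("phishing"), "deny"),
    Rule("allow-web", fz("users"), fz("untrust"), fz("10.0.0.0/8"), ANY,
         fz("web-browsing", "ssl"), ANY, fz("application-default"), ANY, "allow"),
    Rule("dc-admin-ssh", fz("users"), fz("dc"), fz("10.0.0.0/8"), fz("10.50.0.0/16"),
         fz("ssh"), fz("acme\\jdoe"), fz("application-default"), ANY, "allow"),
]

# Constructed sessions, each exercising one decision point.
SESSIONS = {
    "web-on-80": Session("users", "untrust", "10.1.1.5", "203.0.113.10", "web-browsing",
                         "acme\\asmith", "tcp", 80, "computer-and-internet-info"),
    "web-on-8080": Session("users", "untrust", "10.1.1.5", "203.0.113.10", "web-browsing",
                           "acme\\asmith", "tcp", 8080, "computer-and-internet-info"),
    "phishing-site": Session("users", "untrust", "10.1.1.5", "203.0.113.20", "ssl",
                             "acme\\asmith", "tcp", 443, "phishing"),
    "admin-ssh": Session("users", "dc", "10.1.2.9", "10.50.0.7", "ssh", "acme\\jdoe", "tcp", 22),
    "unmapped-ssh": Session("users", "dc", "10.1.2.9", "10.50.0.7", "ssh", None, "tcp", 22),
    "users-to-users": Session("users", "users", "10.1.2.9", "10.1.3.3", "smb", None, "tcp", 445),
}


def evaluate_all():
    return {name: evaluate(RULES, s) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, (rule, action) in evaluate_all().items():
        print(f"{name:15} -> {rule} ({action})")
```

Two of the sessions show the points the cards make: web-browsing on tcp/8080 fails the application-default service check even though App-ID identified it, so it falls to the interzone default deny; and the SSH session from an IP with no User-ID mapping cannot match a rule that names a user.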
Panorama
Panorama is the Palo Alto Networks enterprise management solution. Once Panorama and firewalls are linked, Panorama is the single interface to manage the entire enterprise. Should be implemented as a high availability cluster consisting of 2 identical platforms.
HA Monitoring
• During boot, a FW looks for an HA peer; if no peer has been discovered after 60 seconds, the FW boots as Active.
• If a peer is found, the two firewalls negotiate roles.
• If Preempt is enabled, the firewall with the higher priority (the lower numeric Device Priority value) becomes Active.
• When an HA pair is first stood up, an initial manual sync must be done with a "sync to peer" push.
HA Monitoring Status Colors
Green: Good
Yellow: Warning (normal state for a standby firewall in an A/P pair)
Red: Error to be resolved
HA States
○ Initial - Transient state when it joins an HA pair
○ Active - normal state, primary and processing traffic
○ Passive - normal traffic is discarded, may process LLDP and LACP traffic
○ Suspended - administratively disabled
○ Non-functional - FW is non-functional and will need to have the issues resolved before it can return to service.
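The following is an added example, not PAN-OS code, that models the HA Monitoring bullets, the status colors and the HA States above as one state machine: peer discovery with the 60-second window, Active/Passive negotiation with Preempt and Device Priority, the initial "sync to peer" push, and failover when one firewall goes Non-functional. The Firewall fields, the rule that a firewall already Active keeps its role unless the peer has higher priority with Preempt enabled, the tie-break on equal priorities, and the yellow color for the Initial state are assumptions of this model.

```python
"""Model of an Active/Passive HA pair (added illustration, not PAN-OS code).
Behaviour taken from the notes: 60 s peer discovery, preempt, lower Device
Priority value wins, initial manual sync. Everything else is a model assumption."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

PEER_DISCOVERY_TIMEOUT = 60   # seconds a booting firewall waits for its HA peer


class HAState(Enum):
    INITIAL = "initial"
    ACTIVE = "active"
    PASSIVE = "passive"
    SUSPENDED = "suspended"
    NON_FUNCTIONAL = "non-functional"


@dataclass
class Firewall:
    name: str
    priority: int              # Device Priority: lower value = higher priority
    preempt: bool
    state: HAState = HAState.INITIAL
    config_synced: bool = False


def _eligible(fw: Firewall) -> bool:
    # A suspended or non-functional firewall cannot take the Active role.
    return fw.state not in (HAState.SUSPENDED, HAState.NON_FUNCTIONAL)


def negotiate(fw: Firewall, peer: Firewall) -> None:
    """Assign Active/Passive between two peers that can see each other.
    If one side is already Active it keeps the role unless the other side has
    higher priority AND preempt enabled; with no current Active, the higher
    priority wins (equal priorities: first one wins, a model assumption)."""
    eligible = [f for f in (fw, peer) if _eligible(f)]
    if not eligible:
        return
    if len(eligible) == 1:
        eligible[0].state = HAState.ACTIVE
        return
    current = next((f for f in eligible if f.state == HAState.ACTIVE), None)
    higher = min(eligible, key=lambda f: f.priority)
    takes_over = current is None or (higher.preempt and higher is not current)
    winner = higher if takes_over else current
    for f in eligible:
        f.state = HAState.ACTIVE if f is winner else HAState.PASSIVE


def boot(fw: Firewall, peer: Optional[Firewall], seconds_until_peer_seen: float) -> HAState:
    """Boot: no peer within the discovery window -> come up Active alone;
    otherwise negotiate roles with the discovered peer."""
    fw.state = HAState.INITIAL
    if peer is None or seconds_until_peer_seen > PEER_DISCOVERY_TIMEOUT:
        fw.state = HAState.ACTIVE
    else:
        negotiate(fw, peer)
    return fw.state


def sync_to_peer(src: Firewall, dst: Firewall) -> None:
    """The initial manual 'sync to peer' push when the pair is first stood up."""
    src.config_synced = dst.config_synced = True


def fail(fw: Firewall, peer: Firewall) -> None:
    """fw drops to Non-functional; the surviving peer is re-elected."""
    fw.state = HAState.NON_FUNCTIONAL
    negotiate(peer, fw)


def monitor_color(fw: Firewall) -> str:
    """HA widget color: green Active, yellow Passive (normal for A/P standby),
    red for states needing attention. Initial mapped to yellow (assumption)."""
    colors = {HAState.ACTIVE: "green", HAState.PASSIVE: "yellow", HAState.INITIAL: "yellow"}
    return colors.get(fw.state, "red")


def scenario(peer_preempt: bool):
    """fw-a boots first and alone; fw-b (higher priority) joins later, fails, recovers.
    Returns the (fw-a, fw-b) states after join, after the failure, and after recovery."""
    a = Firewall("fw-a", priority=200, preempt=False)
    b = Firewall("fw-b", priority=100, preempt=peer_preempt)
    boot(a, None, 60)                 # no peer found within the window -> Active alone
    boot(b, a, 5)                     # peer found after 5 s -> negotiate
    after_join = (a.state, b.state)
    sync_to_peer(a, b)                # initial manual sync
    fail(b, a)
    after_fail = (a.state, b.state)
    boot(b, a, 5)                     # b recovers and rejoins
    after_recover = (a.state, b.state)
    return after_join, after_fail, after_recover


if __name__ == "__main__":
    for preempt in (True, False):
        print(f"fw-b preempt={preempt}:", scenario(preempt))
```

Running the scenario with Preempt on fw-b shows it taking over from fw-a on join and again after recovering from Non-functional; with Preempt off, fw-a stays Active and fw-b settles into Passive (yellow in the widget) both times.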