Palo Alto Troubleshooting

Palo Alto: VPN Troubleshooting Transform IDs

When trying to establish a cross-vendor or business to business IPSec tunnel, finding an exact match in settings can be difficult.

Palo Alto can provide some great troubleshooting debug tools if you know where to look.

To activate debugging for VPNs, SSH to the Palo Alto firewall, and active debugging with these commands:

# Debug the IPSec tunnel
debug ike tunnel <IP-Sec-Tunnel:Proxy-ID> on debug
# Debug the IKE
debug ike gateway <IKE-Gateway> on debug
# Open log file and update automatically with new content
tail follow yes mp-log ikemgr.log

In a recent set-up, there was a proposal mismatch in the system logs that provided little detail. The Palo Alto was responding to a VPN initialisation from a peer.

The debug logs by SSH’ing provided a good clue to what was going wrong:

2021-08-18 10:54:35.438 +0100  [DEBG]: {    8:   81}: see whether there's matching transform
2021-08-18 10:54:35.438 +0100  [DEBG]: {    8:   81}: transform ID doesn't match: my [20], peer [18], skip to next ...
2021-08-18 10:54:35.438 +0100  [DEBG]: {    8:   81}: no peer transform matched; try next my transform proposal
2021-08-18 10:54:35.438 +0100  [DEBG]: {    8:   81}: none of my proposal matched
2021-08-18 10:54:35.438 +0100  [PERR]: {    8:   81}: no proposal chosen

The line transform ID doesn't match: my [20], peer [18], skip to next ... gave away the issue.

Comparing the table on IANAs IKEv2 Parameters, it shows that 20 corresponded to ‘ENCR_AES_GCM_16’, and 18 corresponded to ‘ENCR_AES_GCM_8’. I asked our peer to switch to ‘ENCR_AES_GCM_16’ and the VPN established on the next connection attempt.

If you still have the SSH windows open, you’ll see the latest output of the connection attempt, and be able to determine if it was successful or not.

Ctrl + C will exit the log file flow, and remember to turn off the debugs once finished:

# Debug the IPSec tunnel
debug ike tunnel <IP-Sec-Tunnel:Proxy-ID> off
# Debug the IKE
debug ike gateway <IKE-Gateway> off

Palo Alto

Palo Alto VPN Troubleshooting: Testing

In some policy based site to site VPNs, for the VPN to begin initialising, ‘interesting’ traffic needs to reach the router.

Interesting traffic can be defined in the ‘Proxy IDs’ section of the IPSec tunnel in Palo Alto.

When interesting traffic reaches the Palo Alto, if the VPN has not yet established, it will try establish the VPN.

There may be times where you can’t generate this interesting traffic, but you can manually trigger the tunnel to try establish a connection through the Palo Alto CLI.

With these two commands, you can test both IKE and IPSec establishment:

test vpn ike-sa gateway <gateway_name>
test vpn ipsec-sa tunnel <tunnel_name>


Palo Alto

Palo Alto: Manual Failover Process

In an active-passive pair, steps can be taken to ensure that the firewall has a succesful failover if work needs to be carried out on the active firewall.

Under Device > High Availability, ensure the pre-emptive box for the firewall you are going to suspend is unticked. Changes to this checkbox will need to commited to the firewall.

Once commited, go to Device > High Avilability > Operational Commands > Suspend Local Device on the active firewall that needs to be suspended.

Palo Alto

Palo Alto: HIP Policy Check Failing Gradually

This issue occured as part of PAN-148676, which was reported to be fixed in 8.1.16, 9.1.10, and 9.1.4

An issue was investigated recently where HIP policy checks began failing for more and more users over a period of time when connecting via GlobalProtect. It was initially thought an unknown change was being made to user devices that was gradually being pushed out, turns out that was wrong!

As part and parcel of troubleshooting the firewall was rebooted, however it did not come back online cleanly. The HA agent kept exiting, the cdb process kept failing to start, and all the data plane interfaces were reporting as down. It really looked like the firewall had got itself into a bit of a mess.

A second reboot did not help, eventually some poking and Google searching led to checking the disk space usage; logging onto the CLI using local credentials to do this since external authentication was also not working as expected!

The command to check the disk space within the command line interface was show system disk space

/dev/sda8              XG   XG     0 100% /opt/panlogs

When you think of logs, you think that a full partition of log files shouldn’t really be a big deal, turns out that is a pretty incorrect statement!

Log files were cleared down using the command clear log acc which managed to clear up around 10-15% of space. The firewall was rebooted shortly thereafter and luckily everything came back online as normal.

EDU-110 Study Palo Alto

Palo Alto EDU-110: Active/Passive High Availability


Describe the differences between active/active and active/passive high availability

Define the prerequisites for creating a high availability pair

Describe the metrics used to detect a firewall failure

Configure the firewall interfaces used for heartbeats and hellos

Configure a high availability pair

Firewall High Availability Overview

High availability is remains a concern for mission critical networks. Palo Alto firewalls can be used as a high availability pair. When firewalls are set up in this pair, they provide redundancy and help business continuity.

If one firewalls fails for any reason, the other firewall can take over with minimal loss of service.

Palo Alto firewalls support both active/passive and active/active high availability configurations.

Both firwalls will synchronise their network, object, and policy configurations plus session information.

Note that only changes that have been comitted are shared between the firewalls.

Some information is not shared that is firewall sepcific, this is management interface IP address, high availability specific configuration, log data, and the application command center.

To get a consoliated view of applications and logs across a high availability pair, Panorama must be used.

Active/Passive High Availability

One firewall manages traffic whilst the other synchronised and ready to move to an active state if a failure occurs.

In this mode, the firewalls will both share the same configuration settings, and one will actively manage traffic until a failure occurs.

If an active firewall fails, the passive firewall will transition to an active state and takes over seamlessy enforcing the same policies to maintain network security.

In an active/passive setup, session capacity or network throughput is not increased.

Active/Passive high availability is supported in virtual wire, layer 2, and layer 3 deployments.

Active passive high availability has the simplicity of design, meaning any troubleshooting is easier.

Active/Active High Availability

In an active/active high availability deployment, both firewalls in the pair are active and processing traffic.

Both firewalls maintain their own session and routing tables, plus synchronise to each other.

The active/active configuration is designed to support environments that require asymmetric routing.

Active/active high avilability does not increase the session capacity or network throughput. Active/active high availability is supported in virtual wire and layer 3 deployments.

Active/active mode requires advanced design concepts, and can result in more complicated networks.

Depending on how the active/active high availability is implemented, it might require additonal configuration such as dynamic routing protocols on both firewalls, replication of NAT pools, and deployment of floating IP addresses to provide seamless failover.

Both firewalls in the active/active configuration process traffic, so firewalls will use the additional concepts of session owner and session setup to perform layer 7 content inspection.

Active/active mode is recommended if each firewall needsi tso wen routing instances, and if full real time redundancy is required out of both firewalls at all times.

Active/active will have faster failover and can handle peak traffic flows better than active/passive mode since both firewalls are processing traffic.

Note the PA-200 series firewall supports only high availability lite without synchronisation capability and can not be configured for active/active high availability.

The VM-Series firewall in Amazon Web Services only supports active/passive high availability

High Availability Prerequisities

Before high availability can be enabled on the Palo Alto firewall pair, both firewalls need to be the same hardware model.

The PAN-OS version must be the same, except when there is a temporary version mismatch during a software upgrade.

The Palo Alto firewall pair must also have up to date application, url, and threat databases.

A high availability interface type must be configured, and the firewall correctly licenced.

The firewall must also have a matching slot configuration (applies to multi-slot firewalls)

Specific requirements on VM-Series firewalls is that the firewall must use the same hypervisor, and the number of CPU cores requires to be the same.

Active/Passive High Availability Links

The high availability control link is used to exchange hellos, heartbeats and high availability state information.

The control link is also used to synchronise routing and User-ID information between mangement planes.

The active firewall also uses this link to synchronise configuration changes with it’s peer firewall.

The firewalls exchange hello messages messages and heartbeats at configurable interviews to verify the peer firewall is responsive and operational.

Hello messages are sent from one peer to the other to verify the state of the firewall.

The heartbeat is an ICMP ping sent to the high availability peer. A response from the peer indicated that the firewall is connected and responsive.

The control link is a layer 3 that requires an IP address.

The data link layer is a layer 2 link but can be configured as a layer 3 link that requires an IP address. The layer 3 link is only required if the data links are not on the same subnet. In layer 2 mode, the data link type uses ethertype 0x7261

The data link is used to synchronise sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in the high availability pair. Data flow on the data link is unidirectional and flows from the active firewall to the passive firewall.

Dedicated and Non-Dedicated High Availabilty Ports

Some of the Palo Alto firewall range have high availability ports, and others require the management or in-band ports to be used as high availbility links.

The control link provides synchronisation for functions that are part of the management plane.

Using the dedicated HA1 port or the management port as the control link is more efficient than using the data planes in-band ports as the synchronisation packets need to pass from the data from the data plane to the management plane is not required.

The dedicated HA1 port requires an IP address that is different from the managment interface address. With devices with the dedicated ports, an ethernet cable can directly connect the dedicated HA1 ports and the dedicated HA2 ports to the device pair.

For firewalls without a dedicated high availability port, the best practice is to use the management port for the control link to allow a direct connection to be formed between management planes on the firewall.

Any in-band port can be used for the data link. Any in-band port that is used for a Control or Data link must be configured as the interface type HA.

Firewalls with dedicated HA ports are:

  • PA-800
  • PA-3000
  • PA-3200
  • PA-5000
  • PA-7000

Firewalls without a dedicated high availability port:

  • PA-200 and PA-500 Series
  • VM Series

High Availability Backup Links

Backup links provide redundancy for control and the data links.a

The purpose of configuring a bkacup control link is to avoid a split brain scenario.

Split brain operation occurs when a non redundant control link goes down, which causes the managment plane to miss heartbearts, although both firewalls are still functioning.

In this situation, the passive firewall concludes that the active firewall is down and attempts to start services that are already running on the active firewall, causing a split brain operation.

Dedicated and redundant management plane control links connections can help prevent split brain.

In band ports are used as backup links for dedicated HA1 and HA2 ports. The following needs to be considered when configuring these ports:

  • The IP address of the primary and backup HA links must not overlap
  • HA backup links must be on a different subnet from the primary HA links
  • HA1 backup ports and HA2 backup ports must be configured on physically seperate ports

PA-7000 Series HA Links

High availabiltiy on the PA-7000 series mandates the use of specific ports on the switch management card.

The HA1-A port is the control link. This port connects directly to the HA1-A port on the second firewall in the pair, or connected together through a switch or router.

The control link cannot be configured on NPC data ports or the MGT port.

The HA1-B port is the backup control link. This port connects directly to the HA1-B port on the second firewall in the pair, or through a switch/router. The backup control link also can not be configured on NCP data ports or the MGMT port

The high speed chassis interconnect, or HCSI, is used as the HA Data link and backup data link. Each HCSI port is a quad port SFP+ interface. Each HCSI port has four 10GB links internally for a combined speed of 40GB.

The HSCI ports are not routable and must be connected directly to each other. The HCSI-A on the first chassis connects directly to the HSCI-A on the second chassis, and so on.

Once fully connected, the connectivity will provide full 80Gbps transfers rate. In software the four HSCI-A ports are treated as a single HA inteface, this goes the same for the four HSCI-B ports.

If in the rare isntance the distance between the high availability pairs exceeds the maximum distance of the HSCI interface, in band ports can instead be used for data link connections.

Designating an Active Firewall

The firewall in a high availability pair will be a ssigned a device priority to indicate a preference for which firewall should assume the active role.

If a designated firewall in a HA pair needs to be made the active firewall, the pre-emptive behavior on both devices and a priority should be assigned.

The fireewall with the lower priority value is designated as the active firewall. The other firewall is designated as the passive firewall.

By default, pre-emption is disabled. When enabled the firewall with lower priority can resume as the active firewall when it recovers from whatever event stopped it working.

If pre-emption is disabled, this can give an administrator a chance to check why a firewall failed before bringing it back into service.

Failure Detection

The firewall can use several monitored metrics to detect a failure.

The firewall uses hello messages and heartbeats to verify that the peer firewall is responsive and operating.

Hello messages are sent from one peer to the other at the configured hello interval to verify the state of the other f irewall.

The heartbeat is an ICMP ping to the high availability peer over the Control link, and the peer responds to the ping to establish that the firewalls are connected and responsive.

Firewalls can be configured to monitor the link states of the physical interfaces. A firewall can be configured to trigger a failure if any or all the monitored interfaces in the group fail. The default behavior for monitored groups of ports is to failover if any port in the group fails.

The firewall can be configured to monitor mission critical IP addresse via ICMP pings to test reachability. Again a group can be defined to list the IP addresses that require to be monitored.

An IP address is deemed unreachable if ten pings fail by default, the failover settings can be set to fail the firewall if any or all the IP addresses become unreachable. Similar to interfaces, the default behavior is failover if any of the IP addresses fail.

The PA-3000, PA-5000, and PA-7000 series firewalls can also force a failvoer if an internal system health check fails. The health check is not configurable and is enabled to monitor critical components such as the field programmable gate arrays and CPUs.

General health checks can also cause a failover on any platform.

The failover will also occur if the firewall is suspended, or if pre-emption occurs.

HA Timer Profiles

High Availability timer profiles define the parameters associated with detecting failures and triggering failover.

Complexity can be reduced with configuring seven different high availability timers by selecting different profiles. The Advanced profile gives access and control to each of the seven different timers

The recommended profile is used for typical failover times, whilst the aggressive profile is used for faster failover time settings.

Note these preset values can change in different PAN-OS releases

Heartbeat Backup on the Management Port

Enablement of heartbeat backup on the management port can help prevent split brain operations, as redundant heartbeats and hello messages are transmitted over the management port on the management plane.

As heartbeat is an ICMP ping, the management port if configured for heartbeat backup must have pings enabled on the management interface.

Active/Passive High Availability Startup

The firewall remaisn in the INITIAL state after boot-up until it discovers a peer and negotiation begins. After a 60 second time out, the firewall becomes ACTIVE if HA negotiation has not started.

The ACTIVE state is the normal traffic-handling state of the active firewall in an active/passive configuration.

The PASSIVE state is the normal state of the passive firewall in an active/passive configuration. The passive firewall is synchronising flow state, run-time objects, and configuration.

If passive link state is configured, the passive firewall is running, the passive firewall is running routing protocols, monitoring link and path state. The passive firewall pre-negotitates LACP and LLDP if LACP and LLDP pre-negotiation are configured. The firewall does not process any other types of traffic.

A firewall in the SUSPENDED state cannot participate in the election process and become either active or passive. To suspend a firewall, click Device -> High Availability -> Operational Comamnds and click the Suspend local device link.

To re-active the firewall, click Make local device functional link.

The NON-FUNCTIONAL state is an error state due to a data-plane failure or configuration mismatch.

Firewall StateDescription
INITIALTransient state of a firewall until it joins the HA pair. The firewall will remain in this state after boot-up until it discovers a peer and negotiations begin.
ACTIVENormal traffic handling state
PASSIVENormal traffic is discarded, might process LLDP and LACP traffic
SUSPENDEDAdministratively disabled

Monitor Firewall States

The state of the individual firewalls in a high availability pair can be monitored from the Dashboard tab of the web interface. There is colour coded display about the major components of high availability, these states are green for good, yellow for passive, and red for critical.

Synchronisation of the firewalls must be initiated manually the first time a firewall pair is connected.

This is required to prevent administrators accidently setting the wrong firewall as active and overwriting the configuration they wish to push to the peer.

Even though Sync to Peer is available on the passive device, it should only be ran from the active device or the current configuration on the active device may overwritten with an earlier out of date configuration.

EDU-110 Study Palo Alto

Palo Alto EDU 110: Monitoring and Reporting


Create an interactive, graphical summary of the applications with the ACC

Export policy rules, objects, and IPS signatures using the configuration table export

Create a predefined report to view traffic statistics for the previous day

Describe how log files are forwarded to an external source

Configure a Server Profile to forward logs to a syslog server


Local Filters

Applying a local filter allows interaction with a graph and customises the display so details can be seen and information can be accessed on a specific widget.

The local filter is persistent across reboots

Global Filters

A global filter allows the display to be limited and details the administrator wishes to see, removing unrelated information from the display.

An example is all events can be displayed related to a specfic user and application. The users IP address or username and application can be applied as global filter, and display only information regaridng the user and the application through all tabs and widgets on the ACC. Global filters are not persistent.

Global Filters can be applied in three ways:

  • Set a global filter from the table. Select an attribute from the table in any widget and apply the attribute as a global filter
  • Promote a local filter to a global filter. Allows you to take a local filter, which can be attribute in a single graph or table in a widget and apply that attribute globally. When the local filter is replicated to a global filter, the display is updated across all tabs on the ACC.
  • Define a global filter using th Global Filters pane on the ACC.

Session Browser

Selecting Monitor -> Session Browser alls the administrator to browse and filter sessions that are currently on the firewall

Configuration Table Export

Starting with Pan-OS 8.1, policy rules, objects, and IPS signatures from Panorama and firewalls can be exported to demonstrate regulatory compliance to external auditors, or conduct periodic reviews of firewall configuration and generate reports about firewalls policies.

Auditors no longer need direct access to firewalls to take screenshots, or use the XMI API to generate configuration reports.

Form the web interface, configuration data for policies, objects, network, and devices, plus panorama configurations, the exceptions in antivirus, antispyware, and vulnerability protection can be exported.

Configure table export works like a printout, and generated files can not be exported back into the firewall.

The data that is viewed on the web interface is exported into a CSV or PDF format.

Filters can be applied and matched with the report criteria, plus searching within PDF reports allows data to be found quicly.

Every time configuration data is exported, a system log is generated to record the event.

Types of Reports

Predefined Reports

Over 40 reports including Applications, Traffic, Threat and URL Filtering

Botnet Reports

Behavior-based mechanisms to identify potential infected hosts

Custom Reports

With the query builder

PDF Summary Reports

Aggregated reports

User or group-activity reports

Includes URL categories and browse-time calculations

Report groups

Compile reports into a single emailed PDF

User or Group Activity Reports

  1. Serlect Monitor -> PDF -> Reports -> User Activity Report
  2. Click Add and then enter a name for the report
  3. Create the report:
    1. For a User Activity report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user who will be the subject of the report
    2. For a Group Activity report: Select Group and select the Group Name from which to retrieve user group information in the report
    3. For a Custom User or Group Activity report: Select Filter Builder and select the appropriate Connector, Atrribute, Operator, and Value for the report
  4. Select the time period for the report from the drop down list.
    1. It should be noted that the number of logs that are analysed in a user activity report is determined by the number of rows defined on the Max Rows in User Activity Report on the Logging and Reporting Settings section in Device -> Setup -> Management
  5. Select Include Detailed Browsing to include detailed URL logs in the report.
    1. The detailed browsing information can include a large volume of logs (thousands of logs) for the selected user or user group and can make the report very large
  6. To run the report on demand, click Run Now
  7. To save the report, click OK
    1. User/Group Activity reports cannot be saved on the firewall

PDF Summary Reports

PDF summary reports contain information compiled from existing reports based on the data for the top five in each category.

PDF summary reports also provide trend charts that are not available in other reports

Report Groups

Report groups enable a set of reports to be created that the firewall can compile and send as a single aggregate PDF report with an optional title page and all constituent reports included.

Exporting Current Listing to CSV

To export the current log listing to CSV, select the Export to CSV icon.

EXporting of the log listing to CSV format generates a CSV of up to 65,535 logs.

To change this number of limits, use the Max Row in CSV Export field on the Log Export and Reporting subtab. Select Device -> Setup -> Management -> Logging and Reporting Settings

Scheduled Log Export

A daily export of logs can besent to a FTP or SCP server in a CSV format.

Traffic, Threat, URL, Data Filtering, HIP Match, and WildFire logs can be exported.

After the first export, only logs collected since the last export will be sent in the next export.

The log file also includes logs of the last calendar day.

Forwarding Logs to External Sources

The firewall provides logs that record configuration changes, system events, security threats and traffic flows.

Logs can be forwarded to a Panorama management appliance, which can generate SNMP traps or syslog messages and send e-mail notifications.

The firewall can also forward logs using HTTP/HTTPS. This capability allows the firewall to integrate with external systems that provide a HTTP-based API and trigger automated actions when a specific event occurs on the firewall.

Logs most commonly are sent to Panorama or to an external syslog server for long-term storage and analysis.

Panorama provides the ability to manage a distributed network of Palo Alto Networks firewalls from a centalised location where the administrator can:

  • View of all the firewall traffic
  • Manage all aspects of device configuration
  • Push global policies
  • Generate reports about traffic patterns or security incidents

Panorama is available as a dedicated management appliance known as the M-100 or M-500, or as a virtual appliance.

If the M-100 is used as a log collector, it’s maximum storage is 7 terabytes.

The M-500 supports up to 24 terabytes

Cortex Data Lake

Cortex Data Lake provides cloud-based, centralised log storage and aggregation for on-premises, virtual, private cloud, and public cloud firewalls, plus Global Protect Cloud Service.

Panorama provides the interface for all logs stored in Cortex Data Lake.

From Panorama, an aggregated view of all logs can be observed, and reports, log analysis, and forensics can be generated from this logged data.

Cortex Data lake also provides isolation of data from other customers, avoiding cross-contamination of logged data.

Data redundancy is maintained through storage of multiple copies of the log datacase to ensure access when needed.

Current Cortex Data Lake facilities are in two regions, North America and Europe.

The location can be configured to where log data is forwarded.

Syslog Overview

Syslog is a standard log transport mechanism that enable aggregation of log data from different network devices such as routers, firewalls, and printers from different vendors into a central repository for archive, analysis, and reporting.

Syslog log forwarding can be used to forward logs to a system information and event manager.

Many SIEM vendors and models are compatible with PAN-OS software.

Syslog can be transported over UDP, TCP, or SSL with authentication.

SNMP Monitoring Overview

If the SNMP manager is on a non management, allow SNMP on the interface management profile for that interface and create a service route for SNMP to use that interface.

Creating an SNMP Traps Server Profile


Trap Repository Adress

Community String



EngineID: (Get with the OID


Auth uses SHA

Privlege uses AES

EDU-110 Study Palo Alto

Palo Alto EDU-110: Site to Site VPNs


  • Describe the three basic requirements for creating a VPN
  • Configure the interface, IP addresses, and PSK for the IKE Gateway
  • Configure the DH group, encryption methods, and authentication methods for an IKE Cryptographic profile
  • Configure a static route in the route table for the tunnel
  • Troubleshoot IPSec VPN issues from the responder side of the VPN tunnel

Site to Site Overview

IPsec VPNs are implemented between Palo Alto firewalls as routed based tunnels, rather than policy based designs.

In a route based VPN, the determining factor of which traffic will be tunneled is the final destination of that traffic.

Route based VPNs are easy to deploy and can scale easily due to the advantage of being supported by dynamic routing protocols.

The Palo Alto firewall can also interoperate with third party policy based VPN devices.

When recieved traffic is destined for a remote private network, it looks up the next hop in the routing table.

If it is a remote network, the routing table points to a logical tunnel interface.

This interface is not a real interface, but has the information required to create an IPSec tunnel.

Once the traffic is sent to this logical tunnel interface, the VPN is created and traffic is sent through it.

Palo Altos support IKE version 1 and 2. Version 1 is more commonly used but version 2 supports the requirements of the Network Device Protection Profile, or NDPP.

The option of ‘IKEv2 preferred mode’ provides the ability for the Palo Alto to fall back to IKEv1 after 5 failed retries, that takes around 30 seconds.

IKE Phase 1

IKE Phase 1 identifies the end points of the VPN.

Phase 1 uses peer IDs to identify the devices at each end of the VPN. This is often just the public IP address of the device.

In situations where the public IP is not static, it can be replaced with a domain name or other text value

Three settings are available on Palo Alto firewalls: Aggressive, Main, and Auto

Five snippits of information are transmitted during Phase 1:

  1. Authentication Method
  2. Diffie-Hellman key exchange
  3. Symmetric Key Algorithm / Bulk Data Encryption
  4. Hashing Algorithm
  5. Lifetime

IKE Phase 2

Phase 2 creates the tunnel that will encapsulate data traffic.

Whilst IKE Phase 1 deals with the authentication, Phase 2 focuses on the data that is transmitted across the tunnel.

Each side of the tunnel has proxy IDs to identify the traffic it is sending and what it expects to receive. These IDs can be a specific network range or a generic network of

Both sides need to know what the other side will be sending in order for the VPN tunnel to work.

Five snippits of information are transmitted during Phase 2, these are:

  1. IPSec type and mode
  2. Diffie-Hellman / PFS
  3. Symmetric Key Algorithm / Bulk Data Encryption
  4. Hashing Algorithm
  5. Lifetime before rekeying

Route Based Site to Site VPN

A single VPN may be sufficient for connecting between a singel central site and a remote site.

Connections between a central site and multiple remote sites require VPN tunnels for each central remote site pair.

Each tunnel is bound to a tunnel inteface.

VPN traffic is moved across the tunnel interface to the same virtual router as the incoming plaintext traffic.

If a packet comes to the firewall, the route lookup function can determine the most approriate tunnel to use.

The tunnel interface appears to the Palo Alto operating system as a normal interface, and existing routing protocols and infrastructure can be applied.

Each tunnel interface can have a maximum of 10 IPSec tunnels, that allow creation of IPSec tunnels for individual networks that are associated on the same tunnel interface as the firewall.

VPN Tunnel Component Interaction

Three basic requirements for creating a VPN in Pan-OS:

  1. Create the tunnel interface or Phase 1 Objects
    1. See Network -> Intefaces -> Tunnel
    2. The new logical interface must be added to a Layer 3 zone and to a virtual router just as any other logical Layer 3 interface would
  2. Configure the IPSec tunnel or Phase 2 Objects:
    1. A basic interface can be used when creating a tunnel between PAN-OS devices with known IP addresses
    2. The only values needed are the tunnel interface to use, local peer ID, remote peer ID, and pre-shared key
    3. If configuration is with another Palo Alto firewall, make use of the default crypto profiles
    4. If the configuration is with another vendors firewall, configure the advanced settings in Crypto Profiles to match both sides
  3. Add a static route to the virtual router or enable a routing protocol such as BGP, OSPF, or RIP
    1. Add a route table entry fo the remote network that points to the tunnel interface in Steps 1 and 2
    2. Create a route for the remote network using the tunnel interface
    3. No next-hop IP address is required when tunnel interfaces are used
    4. Ensure to create a security rule to allow tunneled traffic

Troubleshooting IPSec Tunnels

Begin by looking at the IPSec Tunnel page, each tunnel provides useful troubleshooting information.

Go to Network -> IPSec tunnels

Tunnel Status, green indicates a Phase 2 SA tunnel has established. Red indicates SA is not available or has expired.

IKE Gateway Status: Green indicates a valid IKE Phase 1 SA or IKEv2 IKE SA. Red indicates that IKE Phase 1 SA is not available or has expired

Tunnel Interface Status:

Green indicates that the tunnel interface is up, because tunnel monitor is disabled or the tunnel monitor status is up and the monitoring IP is reachable. Red indicates that the tunnel interface is down because the tunnel monitor is enabled and the remote IP address is unreachable.

Tunnels are established only when traffic is attempting to cross. The test vpn command in the CLI can be used to initiate a tunnel manually.

Common VPN error messages

Always troubleshoot error messages from the responder!

IssueInitiator ErrorResponder Error
Wrong IP/no ConnectionP1 – TimeoutP1 – Timeout
No matching P1 proposalP1 – TimeoutNo suitable proposal (P1)
Mismatched peer IDP1 – TimeoutPeer identifier does not match
No matching P2 proposalNo proposal chosenNo suitable proposal (P2)
PFS Group MismatchP2 – TimeoutPFS group mismatch
Mismatched proxy IDP2 – TimeoutCannot find matching Phase 2 tunnel
EDU-110 Study Palo Alto

Palo Alto EDU-110: Global Protect

Describe the three major components of GlobalProtect

Configure the client and server certificates to authenticate the agent and the portal

Define the three methods supported for GlobalProtect client connections

Configure the tunnel parameters for an external gateway connection

Extending the security platform with GlobalProtect

GlobalProtect builds on the technology of and offers several features over traditional VPNs:

  • Extends Next Generation Firewall capabilities to endpoints
  • Delivers full traffic visibility
  • Simplifies management
  • Unifies policies
  • Stops advanced threats

Expanding the boundries of the organisation network the clients endpoint anywhere in the world, GlobalProtect can work on remote laptops and mobiles devices.

GlobalProtect can determine the closest available gateway to the roaming device and establish a secure connection using strong authentication.

Laptops and mobiles devices can stay conencted to the organisations network at all times, and behave as if they have never left the corporate network.

GlobalProtect can ensure that the same secure application enablement policies that protect users at the organisation are enforced for all users where ever they are in the world.

Components of GlobalProtect

GlobalProtect comes in three components:

  • GlobalProtect Portal
    • Provides the management functions for the GlobalProtect infrastrucutre. Every client that connects to the GlobalProtect netweork receives configuration information from this portal.
  • GlobalProtect Gateways
    • Provides security encofrmcenet for traffic and GlobalProtect agents and apps. External gateways provide security enforcement and VPN access for remeote users. Internal gateways apply security policy for access to internal resources
  • GlobalProtect Client Software
    • Runs on end users systems and enables access to network resources via the deploy GlobalProtect portals and gateways

GlobalProtect Install Agents

The installer is in an .msi for Windows, or .pkg for Mac.

GlobalProtect has installation agents for Android, Chroembook, iOS, and Universal Windows Platform.

The iOS and Android versions are available through their respective app stores.

The GlobalProtect app for Linux extends User-ID and Security Policy enforcement to users on Linux endpoints.

The app is available in .deb, .rpm, or .tar packages, and compatibilty with operating systems such as CentOS 7.0, Red Hat Enterprise 7.0, or Ubuntu 14.04 and later

It provides a command line interface and functions as an SSL or IPSec VPN client.

The Linux App supports common GlobalProtect features and authentication methods such as client certificate authentication, server certificate validation, authentication cookies, and two factor authentication.

Connection Sequence for GlobalProtect

  1. The GlobalProtect client on the local system connects to the GlobalProtect Portal for authentication.
  2. After authorization is confirmed, the portal sends the client configurations and a list of GlobalProtect Gateways.
  3. The client connects to the bets gateway (based on SSL response time and local priority) to respond to the connection request.

It is the client that communicates directly with portals and gateways, there is direct communication among gateways or between gateways and portals.

Once the client is installed and enabled, it contacts the portal when setting up a connection. Any time the client contacts to the portal, the portal authenticates the connection.

A GlobalProtect Topology

The GlobalProtect implementation requires at least one portal and one gateway.

The portal and gateway can be configured on the same firewall.

In the most simple configuration, a single firewall is configured to serve gateway and p otal services from the same IP addres. This provides the end users with VPN access to the organisations networks with a minimum of configuration.

If the gateway and portal share a single IP address, only one certificate is needed for the firewall.

An Advanced GlobalProtect Topology

Larger environments GlobalProtect can be configured with multiple gatewaysd.

Additional gateways can be used to provide access to multiple protected networks, and can provide redundancy and performance improvements for end users.

GlobalProtect clients can connect directly to a gateway, from a list provided by the portal, and by default, the chosen gateway is the one that responds the fastest to the connection request.

To ensure consistent access, multiple gateways often require the networks to be connected to each other by VPN so the end user has access to the same data regardless of which gateway they connect too.

Although there will always be one portal, the portal is not a single point of failure. If the firewall that hosts the portal is unreachable the client can use their cached configuration to contact other gateways.

The only limitation is an offline portal, which a new client can not be serviced or configuration changes will not be downloaded by existing clients.

This issue can be resolved by fixing the offline portal, or redirecting clients via DNS to another portal.

GlobalProtect in the cloud

With major cloud providers having worldwide locations, with VM series firewalls and globalprotect mobile security, this allows an organisation to extend their security policy to remote users and devices regardless of their location in the world.

GlobalProtect establishes a secure connection to protect the user from internet threats and can enforce application based access control where ever they are in the world.

Prisma Access

In marketing terms:

Prisma access is:

  • security delivered from the cloud
  • scalable, mangeable architecture
  • consistent security for both remote locations and mobile users
  • managed centrally by panorama

Prisma access allows the administrator to scale their networks based on growth of the headquarters, remote networks, and mobile users.

Subscriptions are Threat Prevention, URL F iltering, WildFire are all included with Prisma Access.

Panorama is used to onboard sites, manage policies and query logs for monitoring and reporting capabilities.

Determining Internal or External Gateways

The portal can provide an IP address and DNS hostname as part of the information passed to the client to determine if the host is inside or outside the corporate network

The DNS hostname and IP address must correspond to a device whose name can only be resolved by an internal web server

The agent performs a reverse lookup on the IP address. If it recieves a hostname as the response, the agent assumes it is an internal network and connects to the gateways in the internal list.

If no response is recieved by the lookup, the client connects to the gateways in the external list.

If an internal host detect hostname and address pair is not provided, the client connection attempts to connect to the internal gateways first, then the external gateways.

Clientless VPN

Clientless VPN allows the user to have secure access to an organisations network from a SSL-enabled web browser without needing to install client software

Users can log into the GlobalProtect portal using a web browser and launch the web applications that have been published for that user

A user can access applications that have been made available to them. The user who logs in will be able to see a list of applications that they can launch

Security policies will need to be configured to allow traffic from GlobalProtect clients to the security zone associated with the GlobalProtet portal that hosts the landing apge.

Security policies will need to be configured to allow user-based traffic from the GlobalProtect portal zone to the security zone where the published application servers are hosted.

GlobalProtect for Internal User Based Access

An internal gateway that is used in conjunction with User-ID technology can be used to provide a secure, accurate, method of identifying and controlling traffic by user

Internal gateways are useful in sensitive environments where authenticated access to critical resources is required

HIP Profiles can be configured on the gateway to ensure compliance with internal maintenance requirements, such as the latest security patches and anti-virus definitions are installed, whether disk encryption is enabled, and if any other software is required to bne installed.

GlobalProtect Certficates

Connectivity between all components of GlobalProtect is authenticated using SSL certificates.

The portal can act as a CA for the system, using a self signed or imported subordinate issuing a CA certificate, or an administrator can generate their own certificates using their own CA.

The portal, gateways, and agents msut use certificates all signed by the same certificate authority.

Before any information is tranferred, the client verifies the gateway is using a server certificate signed by a trusted CA.

The gateway also verifies that the client has a client certificate signed by the correct CA.

If they are third parties who may not trust a self signed CA, a third paty CA who is trusted by all parties should be used for the portal.

The portal includes public certificate of the CA, and the needed client certificate and key as part of a configuration bundle sent to the client.

GlobalProtect gateways use the same client certificate to authenticate and identify the client,

Support is provided from the Palo Alto for the portal to export the server certificate and key for the gateways. If an external CA is used, the CA certificate, along with a server certificate and key can imported along with a server certificate and key for the portals and gatewats, and a client certificate and key for the clients.

Portals and gateways do not communicate directly, so the gateway certificates need to be manually imported onto firewalls.

Authentication Server Profiles and GlobalProtect

GlobalProtect uses the same system of server profiles and authentication profiles that administration or user-id use.

Agent Software

The GlobalProtect client apge lists available GlobalProtect releases.

When the agent connects to the portal, the firewall will check the version and installs the currently activated version if it is different from the version currently on the system.

Only the portal provides the software, so if seperate from the gateway it will need to be maintained.

GlobalProtect Portal

As most configuration for GlobalProtect to work happens on the portal, the portal is responsbile for co-ordinating communications between all other components for GlobalProtect to work.

GlobalProtect administrators can set the level of control that end users have over their own coinnections, from a fully locked down configuration to one that permits to choose what gateway they want to connect too.

GlobalProtect App Connection Methods

on-demand: Allows users to establish a connection on demand. This user must explictly initiate the connection

user-logon: Automatically establishes a GlobalProtect client connection after the user logs into their computer. If the use of single sign on is enabled, the agent uses the Windows credentials of the user to authenticate to the portal in a process that is completely seamless to the user. The authentication profile must use the same verification process as the logon service.

pre-logon: Preserves pre-login and post-login services provided by organisation infrastructure regardless of where a machine might be located. GlobalProtect establishes a connection, even if a user is not logged into the computer. This means the company can create a logicial network that maintains the security and management features normally achieved by a physical network. Tunnel selection and establishment occurs based on machine certificates deployed outside of GlobalProtect

When User-ID technology isi n use, pre-login conditiuons are marked with a user identifier of ‘pre-login’ rather than an explict user. Once a user has logged in ‘pre-login’ changes to the username of the client device.

Internal gateways only support always-on methods, user-login or pre-login.

The connection method is selected by navigating to Network -> GlobalProtect -> Portals -> Agent

GlobalProtect Gateway

The GlobalProtect gateway provides the endpoint for the agents connection

If tunnel mode is enabled, the client sends all traffic through the conencted gateway.

Note that external gateways always require a tunel, internal gateways do not but can be configured to use one.

Split tunnels are supported, but this feature is not recommended for extending the firewall policy with application control and visibility to all mobile users.

Gateways enforce the policy based on the HIP profiles that are received.

GlobalProtect and User-ID

The GlobalProtect client provides a way of mapping user information to the firewall directly.

Every user that has the GlobalProtect agent or app running requires the user to enter their login details to access orgainisation rsources.

This login information can be mapped to the User-ID user mapping table on the firewall for visiblity and user-based securtity policy enforcement.

Since users must authenticate to gain access to the network, their user to IP address is explictly known.

GlobalProtect Agent

The GlobalProtect client software runs on end users systems and enables access to the organisations network via GlobalProtect Portals and Gateways that have been deployed.

EDU-110 Study Palo Alto

Palo Altro EDU-110: User-ID


Describe the four main components of User-ID

Describe the differences between the integrated agent and the Windows-based agent

Define the methods to map IP addresses to users

Configure the PAN-OS integrated agent to ocnnect to monitored servers

Configure the Windows-based agent to probe IP addresses for username information

User-ID’s Purpose

The purpose of User-ID is to identify the user on the network and the IP addresses of the computers the user is logged in too.

User-ID can retrieve information from a connected LDAP directory server.

The goal of User-ID is to give the ability to write policies, display logs, and display reports using usernames rather than just numercial IP addresses and port numbers.

Usernames and group names can be used as matching criteria in Authentication policies, Decryption policies, DoS protection policies, Policy Based Forwarding policies, QoS policies, Security Policies, and Tunnel Inspection Policies.

User-ID Main Functions

Before user and group based policy rules can be created, the firewall requires a list of all users and their group mappings.

The firewall uses group mapping and user mapping to collect the information required.

Group Mapping is learned from group names and member users from a LDAP directory server.

User Mapping includes several different methods to collect IP address-to-username information.

The user mapping can be chosen by the administrator to suit different needs and environments. Different methods can be used at different sites.

User-ID Components

Palo Alto Networks Fireewall

  • Maps IP addresses to usernames
  • Maps usernames to group names

PAN-OS Integrated User-ID Agent

  • Runs on the firewall
  • Collects IP address to username information

Windows-based User-ID Agent

  • Runs on a domain member
  • Collects IP address-to-username information
  • Sends information to the firewall

Palo Alto Networks Terminal Services Agent

  • Runs on Micorsoft and Citrix terminal servers
  • Collects IP and port nubmer to username information
  • Sends information to the firewall

Forms of User-ID Agent

CapabilityPAN-OS Integrated AgentWindows-Based agent
Included with PAN-OS softwareYesNo
Available for download from Palo Alto Networks and can be installed on one or more Windows SystemsNoYes
A firewall can communicate with both agent types at the same timeYesYes
Can monitor up to 100 domain controllers or Exchange serversYesYes
Can monitor users and domain controllers only from a single Active Directory, or AD, domainYesYes
Designed for small and midsize deploymentsYesNo
Can handle larger environments or multiforest domainsNoYes

Integrated Agent verues Windows Based Agent

The Windows based agent and the PAN-OS integrated perform the same basic tasks, but use different underlying communication protocols.

The Windows based agent uses MS-RPC, which requires full Windows Security logs to be sent to the agent, where they are filtererd for relevant User-ID information. This agent is best for reading local logs.

The Pan-OS integrated agent users either the Windows Management Instrumentation (WMI) or the Windows Remote Management Protocol (WinRM), which allows the agent to retrieve only the relevant User-ID information from the security logs. This agent is best for reading remote logs.

In summary, use an integrated agent for remote sites, or install a Windows-based agent at the local site.

User Mapping Methods

User Authentication

  • GlobalProtect – Login Events
  • Captive Portal – Web Forms


  • Aruba/ClearPass
  • User/Group Mapping
  • Devices that can format and send XML over HTTP

Syslog Listening

  • Third Party WLAN controller
  • Third Party Proxy
  • Third Party VPN
  • Network access control systems
  • 802.1x devices

Port Mapping

  • Terminal Services Agent
  • Microsoft Remote Desktop Services
  • Citrix Presentation Server
  • Citrix XenApp

XFF Headers

  • Third Party Proxy

Server Monitoring

  • eDirectory – Login or logout events in authentication logs
  • Microsoft Exchange – Login or logout events in authentication logs
  • Microsoft Active Directory – Login or logout events in authentication logs

Session tables are also read to confirm known IP address to username mappings based on current Windosws file and printer shares

Client Probing

  • Windows Clients

User Mapping Using Global Protect

Every GlobalProtect user is required to enter their login credentials to access to the VPN

GlobalProtect can directly add the username to the firewalls User-ID mapping table

GlobalProtect is listed as the best solution for high security enviroments

User-ID information can be provided by clients that are conneted to an internal network via an internal Global Protect gateway without establishing a VPN tunnel to the firewall.

User-ID Syslog Monitoring

Syslog monitoring may be a good fit where existing network services exist that authenticate users. These services could include 802.1x devices, Wireless controllers, Apple Open Directory serves, proxy servers and other related services.

These services can be configured to send syslog messages that contain information about login and logout events, and configure the User-ID agent to parse those messages.

The integrated and Windows based agents can retrieve these syslog messages. Syslog Parse Profiles are used to parse syslog messages. With environments with different services with varying messages, custom Syslog Parse Profiles can be set up to pick up on login and logout events. If the Pan-OS integrated User-ID agent is used, Palo Alto provide predefined Syslog Parse Profiles through Application content updates.

The User-ID agent can parse for login events to map IP addresses to usernames and parse for logout events so the firewall deletes outdated mappings. Deletion of outdated mappings is useful were IP address assignments are changed often.

User-ID Operation Overview: Domain Controllers

Before User-ID can operate, it must be enabled on the relevant security zone.

If User-ID is enabled, the firewall consults the administrator-defined User-ID configuiration to determine which agents the firewall has available to gather IP address and username information.

Once User-ID has retrived the IP address and username information from an agent, it can use the firewalls LDAP configuration to retrieve user to group mapping information from a LDAP server.

With the information requirements satisified, the security policy can be checked for a match.

In terms of Domain Controllers User-ID, When a user logs into their laptop, which is an Active Directory member, the AD domain controller logs a logon event with the username and IP address of the station.

User-ID Domain Controller Monitoring

Palo Alto recomended passive server monitoring (due to low overheads) allows a User-ID agent to monitor the security logs for user logon or logout events for a Microsoft domain controller.

The AD domain must be configured to log succesful logon events into the security logs.

Users are able to authenticate to any domain controller in a domain, and security logs are not replicated between seperate domain controller servers. Server monitoring needs to be turned on for all controllers to capture all user login events. User-ID agents can monitor multiple domain controllers, but only a single domain.

Step 1 – Parse and record

On startup, the User-ID agent parses the security event logs for user logon events

Step 2 – Check Logs

The User-ID agent checks Security logs on a regular basis for only new logon or logout events

Step 3 – Mappings cached

User mappings are cached for the first time equal to the timeout value set in the User ID agent

User-ID Windows Session Monitoring

Clients thats have a connected shared file/folder or print resource will have their session information stored on a Domain Controller.

This is an additional Windows-based method to resolve IP addresses to users. Consult the shared resource session table recorded on the Domain Controller.

User-ID Mapping Recommendations

UseIf you have…
GlobalProtectGlobalProtect VPN Clients
Captive PortalWeb clients that do not use the domain server
Syslog ListenerNon-windows systems, NAC mechanisms such as wireless controllers, 802.1x devices, or proxy servers
User-ID agent: Session monitoringExchange servers, domain controllers, or eDirectory servers
User-ID agent: Session monitoringWindows file and print shares
Terminal Services agentMulti-user systems such as Microsoft Desktop Services or Citrix Metaframe Presentation Server (XenApp)
User-ID agent: Client probingWindows clients that often change IP addresses
XML APIDevices and applications not integrated with User-ID

Steps for configuring User-ID

  1. Enable User-ID by zone
  2. Configure user mapping methods
  3. Configure group mapping (Optional)
  4. Modify firewall policy rules to use usernames or group names

To enable user-ID by zone, tick the ‘Enable User Identification’ box on the zone settings on the firewall.

By default User-ID tries to map all user from all networks found within a User-ID enabled zone.

The include list can be used to limit the networks that the firewall tries to map IP addresses too.

The exclude list can be used to exclude a subnet of network included in an Include list.

If WMI probing is enabled, by default only private IP address ranges are probed. To probe public addressing ranges, those ranges need to be included in the Include List.

Configuring the PAN-OS Integrated User-ID Agent

  1. On the domain controller, create a service account with the required permissions to run the agent
  2. On the firewall define the address of the servers to be monitored
  3. Add the service account to monitor the servers
  4. Configure session monitoring (optional step)
  5. Configure WMI probing (optional step)
  6. Commit the configuration and verify agent status

Configure the Windows-Based User-ID Agent

  1. On the domain controller, create a service account with the require permissions to run the agent
  2. Select a Windows domain member
  3. Download and install User-ID agent software
  4. Run the User-ID agent installer
  5. Configure the User-ID agent
  6. Configure the firewall to connect to the User-ID agent
  7. Verify connection status

Selecting the Installation Location

The Windows-based agent can be installed on 32 or 64 bit machines running Windows XP SP3 or later

The agent is to be installed on the same network site as the monitored server to optimise bandwidth use

Two agents can be installed on two member servers in case one agent or a single domain controller fails.

The agent can be installed on a domain controller, though this is not recommended best practice.

Selecting Users and Groups for a Security Policy

any – matches any value for user

pre-login – Used with certain GlobalProtect implementations

known-user – Matches any user or group identified by User-ID

unknown – Matches traffic where the user could not be identified by User-ID methods

select – Matches a specific user or group identified by User-ID

For larger enterprise, it is best to set policy rules by groups rather than users.

EDU-110 Study Palo Alto

Palo Alto EDU-110: Wildfire


  • Describe how a firewall works with WildFire Threat Intelligence Cloud
  • Describe how WildFire analysis is used to update URL categories listed in the PAN-DB URL Filtering data
  • Configure Session Information Settings to specify which type of session information will be sent to Wildfire
  • Define a WildFire Analysis Profile
  • Configure both the types of information submitted to WildFire and the amouht of information is returned to the firewall in the report

Evolution of Malware

In modern times malware has evolved.

Instead of being a simple replication of a virus, it has adapted to be highly evasive and adaptable to avoid deteciton. Highly targeted and sophisticated when launching attacks

This new breed of malware that is often the core of the most sophisticated attacks on organisations networks today

Often this new malware is customised for a particular attack, making it more difficult for traditional signature-based anti-malware solutions to detect it

WildFire Threat Intelligence Cloud`

Palo Alto firewalls arouind the world automatically forward unknown files and URL links found in emails to the WildFire Threat Intelligence Cloud Cloud, or one of the three regional clouds for analysis.

The three regional clouds are in Europe, Japan, or Singapore.

Each cloud analyses samples and generates malware signatures and verdicts independently of other WildFire clouds.

The sample could be detected as Benign, Grayware, Malware or Phishing. If Phishing the PAN-DB URL Database will get updated.

WildFire signatures and verdicts are shared globaly which allow WildFire users to benefit from the anti-malware coverage no matter where they are in the world.

WildFire users can also use the WildFire XML API or WildFire Dashboard to manually upload files to WildFire for analysis.

Recap of Wildfire

WildFire is a cloud based virtual sandbox used to evaluate unknown files and URL links found in e-mails.

The evaluation occurs for Android, Linux, MAC OSX, Windows XP, Windows 7 and Windows 10

If malware or phishing is founmd, WildFire creates a new antivirus signature or adds the URL to the PAN-DB Phishing URL category.

These updates are available in minutes for firewalls around the world to download.

Overview of Wildfires Operation

For the daily threat updates, the new signature is normally delivered within 24 to 48 hours

WildFire Verdict Descriptions


Safe and does not exhibit malicious behavior


No security threat but may display obtrusive behavior


Malicious in nature and intend and can pose a security threat


Based on properties and behaviors the website displays

WildFire Protects E-mail

The Palo Alto firewall has the capability to send email attachements or URL links to WildFire for analysis.

The firewall nor Wildfire store or enable viewing of the email contents.

If WildFire detects a malicious file, it immediatly creates a new anti-virus signature that can be downloaded by Palo Alto firewalls around the world.

This new antivirus signature can help prevent further compromise of other machines in the network and around the world.

If the firewall has a WildFire and PAN-DB licence, the firewall can gain access to the signatures in as little as 5 minutes.

If WildFire determines a file attachment or e-mail URL link is malicious, it includes the email header in WildFire Submissions logs that it returns to the firewall. If User-ID technology is eanbled, the log can be used to quickly find and remediate the threats received by the user.

Content Packages and Wildfire Updates

WildFIre analysis is used to create new antivirus signaturtes.

It also is used to update the URLs and URL categories listed in the PAN-DB URL Filtering database.

Antivirus signatures are made available within 24 to 48 hours as content updates to the Antivirus content database.

Daily downloads of the antivirus content database can be scheduled. Firewall access to the AntiVirus content database is permitted with a Threat Prevention Licence.

Antivirus signatures are also available as little as 5 minutes as content from the WildFire Signatures database. A firewall can scheduled as little as every minute to check for updates. Access to this database is permitted with a WildFire licence.

URL updates are available within 5 minutes as content updates to the PAN-DB URL Filtering database.

Updates of the firewall with new content updates of the PAN-DB URL Filtering do not need to be scheduled, as new URL information is downloaded dynamically as needed.

Firewall access to the PAB-DB URL filtering database is enabled using a URL Filtering Licence.

Standard and Licensed Functionality

Standard Subscription

  • Windows XP and 7 analysis
  • Windows PE file analysis
    • EXE, DLL, SCR, FON, and others
  • Antivirus signatures delivered by daily dynamic content updates (requires Threat Prevention licence)
  • Automatic file submission

WildFire licensed service

  • Standard subscription features
  • Additional file type analysis:
    • Microsoft Office extensions, PDF, JAR, CLASS, SWF, SWC, APK, Mach-O, DMG, RAR, 7-Zip, Linux ELF, PKG
  • WildFire signature updates every 5 minutes
  • API file submission
  • WildFire private cloud appliance
    • WF-500

WildFire Licenses


There are two different content package formats for WildFire content updates, content packages for 7.1 and later, and content packages for 7.0 and earlier.

The content packages contain the same set of signatures


A licence allows users to submit files for analysis to WildFire using the WildFire XML API

Private Cloud

A WildFire licence entitles a firewall to use the WF-500 appliance as a WildFire private cloud service.

WildFire Private Cloud

The WF-500 is a WildFire private cloud solution. It supports Windows XP and Windows 7 virtual environments and requires a Windows 7 64-bit image to be installed on the appliance.

The WF-500 locally analyses unknown files, plus files and URLs found in email.

The advantage being that these files will never leave your network.

The WF-500 does not support scanning of APK files.

The WF-500 locally generates antivirus signatures and categorises URLs.

The administrator can choose whether to automatically forward malware files to the public cloud for signature generation.

The WF-500 appliances supports the WildFire XML API.

Content updates to the WF-500 are provided daily, helping to imrpove analysis accuracy. Trusted code-signing certificates, malware domain lists, new signatures are examples of content packages provided to the WF-500 via updates.

The WF-500 can be configured to provide automatic download and installation of WF-500 content packages, or can be manually accomplished by an administrator.

Hybrid Cloud

The Hybrid Cloud combines the public and private cloud solutions.

If a WF-500 applioance is used, a WildFire hybrid cloud can be enabled that lets the WF-500 analyse sensitive file types locally, whie less sensitive file types are sent to the WildFire public cloud.

Files that are not supported on the WF-500, such as APK, can be set to be forwarded to the public cloud.

If public and private cloud solutions have configuration overlap, the private cloud analysis will prevail.

WildFire Appliance Cluster

Up to 20 WildFire appliances (WF-500) can form a WildFire appliance cluster on a single network.

Clusters are useful where the WildFire public cloud can not be used.

The larger clusters have better support for a larger firewall deployment on a single network over the capability a single WildFire appliance provides.

Wildfire clusters also provide fault tolerance, and a single signature package is provided to all firewalls connected to that cluster.

Encryption can be enabled on appliance clusters too, beginning with PAN-OS 8.1.

Encryption can be switched on to maintain confidentiality of transmitted content.

Clusters can be operated in a FIPS/CC environment where they are configured using FIPS/CC compliant certificates.

WildFire Analysis Profiles

WildFire analysis profiles are objects that are added to security profile rules that are configured with an action of “allow”.

WildFire analysis profiles are not required for security profile rules with the deny action, because no further processing is needed of traffic that will be dropped.

WildFire Analysis are applied to all packets during the life of a session.

WildFire anaylsis profiles represent additional security checks on files in allowed network traffic.

WildFire analysis profiles allow more granular control over allowed traffic.

An example is that the firewall can be configured to submit files to Wildfire only when a specific file type is matched, and they are transferred in a specific direction by a specific application.

Files submitted by WildFire are logged to Monitor -> Logs -> WildFire -> Submissions

The firewall contains a pre-defined, read only default WildFire Analysis Profile.

It can be customised by creating a new WildFire profile, or cloning the default profile and editing that clone.

The default profile rule sends all unknown files from any applications allowed by the rul,e to the WildFire public cloud for analysis.

WildFire Reporting Overview

Each time that the WildFire technology analyses a file or URL link, it will report it’s finding to the firewall.

The administrator can configure the information submitted to WildFire and the amount of information that is returned to the firewall in the report.

Information reported back to the firewall is recorded by the firewall in the WildFire submissions log.