book

Mastering Palo Alto Networks - Third Edition

Name: Mastering Palo Alto Networks - Third Edition
Author: Tom Piens aka 'reaper'
ISBN: 9781836644811

by Tom Piens aka 'reaper'

May 2025

Intermediate to advanced

646 pages

15h 55m

English

Packt Publishing

Read now

Unlock full access

Preface
Who this book is forWhat this book coversTo get the most out of this bookGet in touchStay relevant in a rapidly changing cybersecurity world – join 65,000+ SecPro subscribers
Understanding the Core Technologies
Technical requirementsUnderstanding the zone-based firewallExpected behavior when determining zonesUnderstanding App-ID and Content-IDHow App-ID gives more controlHow Content-ID makes things safeInline evaluationThe management and data planesAuthenticating and authorizing users with User-IDSummary
Setting up a New Device
Technical requirementsGaining access to the user interfaceAccessing the management interfaceConnecting to the web interface and CLIAdding licenses and setting up dynamic updatesCreating a new accountRegistering a new deviceActivating licensesActivating licenses via the customer support portalActivating licenses via the web interfaceDownloading and scheduling dynamic updatesUpgrading the firewallUnderstanding the partitionsUpgrade considerationsUpgrading via the CLIUpgrading via the web interfaceLimiting access via an access listAccessing internet resources from offline managementAdmin accountsDynamic accountsRole-based administratorsPassword securityExternal authenticationThe TACACS+ server profileThe LDAP server profileThe RADIUS server profileThe Kerberos server profileThe SAML server profileThe MFA profileSetting up the authentication profileUnderstanding the interface typesVWireThe Layer 3 interfaceExploring the interfaceVRThe Layer 2 interface and VLANsTap interfacesThe Decryption Port Mirror interfaceThe loopback interfaceThe tunnel interfaceSubinterfacesHA interfacesAE interfacesSummary
Building Strong Policies
Technical requirementsUnderstanding and preparing security profilesThe Antivirus profileThe Anti-Spyware profileThe Vulnerability Protection profileURL Filtering profileCustom URL categoriesConfiguring the URL Filtering profileURL filtering prioritiesThe File Blocking profileThe WildFire Analysis profileCustom objectsThe Custom Spyware/Vulnerability objectsThe custom data patternSecurity profile groupsUnderstanding and building security rulesDropping “bad” trafficAction optionsAllowing applicationsApplication dependenciesApplication-default versus manual service portsControlling logging and schedulesAddress objectsTagsPolicy OptimizerThe Apps Seen columnCreating NAT rulesInbound NATOutbound NATHide NAT or one-to-many NATOne-to-one NATU-turn or hairpin NATEnable DNS RewriteSummarySubscribe to _secpro – the newsletter read by 65,000+ cybersecurity professionals
Taking Control of Sessions
Technical requirementsControlling the bandwidth with quality-of-service policiesDSCP and ToS headersQoS enforcement in the firewallCreating QoS profilesCreating QoS policiesLeveraging SSL decryption to look inside encrypted sessionsSSH proxySSL forward proxySSL Inbound InspectionForwarding sessions to an external deviceRedirecting sessions over different paths using policy-based forwardingRedirecting critical trafficLoad balancingPolicy based forwardingIPSec redundancy via virtual routersEqual cost multipath as an alternativeSummary
Services and Operational Modes
Technical requirementsApplying a DHCP client and DHCP serverDHCP clientDHCP server and relayConfiguring a DNS proxySetting up high availabilityActive/Passive modeActive/Active modeClusteringFirewall statesHA interfacesSetting up Active/Passive modeSetting up Active/Active modeHA1 encryptionEnabling virtual systemsCreating a new VSYSAdministrators in a multi-VSYS environmentInter-VSYS routingCreating a shared gatewayManaging certificatesSummary
Identifying Users and Controlling Access
Technical requirementsUser-ID basicsConfiguring WMI probesSetting up a User-ID agentConfiguring the User-ID agentAdding the User-ID agent to the firewallSetting up a Terminal Server agentConfiguring the TS agentAdding the TS agent to the firewallAgentless User-IDConfiguring group mappingThe Cloud Identity EngineConfiguring Entra ID (Azure) enterprise applicationsSetting up a captive portalAuthenticating usersConfiguring the authentication portalUsing APIs for User-IDUser credential phishing preventionSummary
Managing Firewalls Through Panorama
Technical requirementsSetting up PanoramaInitial Panorama configurationPanorama loggingAdding disks to PanoramaLog collection optionsDeploying Log CollectorsDevice groupsAdding managed devicesPreparing device groupsCreating policies and objectsImportant things to know when creating objects in device groupsSetting up default attributesSetting up templates and template stacksLeveraging variables to customize common configurationsPanorama managementDevice deploymentMigrating unmanaged to managed devicesPanorama HAReplacing one device with anotherTips and tricksSummarySubscribe to _secpro – the newsletter read by 65,000+ cybersecurity professionals
Managing Firewalls Through Strata Cloud Manager
Setting up Strata Logging ServiceActivating Strata Cloud ManagerCreating a subtenantActivating Strata Cloud Manager from the hubActivating AIOps or Strata Cloud Manager for NGFWConfiguring Strata Cloud ManagerStarting with the Manage tabNGFW and Prisma AccessSecurity rulesSnippetsSecurity profilesAccess managementAssociating devices to Strata Cloud ManagerManaging devices and device configuration through WorkflowsDevice OnboardingFolder ManagementDevice ManagementDevice Settings and Global SettingsExploring dashboardsSummary
Upgrading Firewalls and Panorama
Technical requirementsDocumenting key aspectsUpgrade considerationsUpgrade pathPreparing for the upgradeThe upgrade processUpgrading a single Panorama instanceUpgrading a Panorama HA clusterUpgrading log collectors (or firewalls) through PanoramaUpgrading a single firewallUpgrading a firewall clusterAfter the upgradeThe rollback procedureThe downgrade procedureSpecial case for upgrading older hardwareSummary

Logging and Reporting
Technical requirementsLog storageConfiguring log collectors and log collector groupsLeveraging Strata Logging ServiceLogging to an external syslogConfiguring log forwarding profilesSystem logsFirewall logsFiltering logsPredefined reports and creating custom reportsPredefined reportsCustom reportsUsing the Application Command CenterSummary
Virtual Private Networks (VPNs)
Technical requirementsConfiguring GREConfiguring the IPSec site-to-site VPNSetting up a (phase 1) IKE Crypto profileSetting up a (phase 2) IPSec Crypto profileSetting up the IKE GatewaySetting up the tunnel interfaceCreating the IPSec tunnelConfiguring GlobalProtectSetting up the portalClientless VPNSetting up the gatewayHIP objects and profilesSummarySubscribe to _secpro – the newsletter read by 65,000+ cybersecurity professionals
Advanced Protection
Technical requirementsCreating custom applications and application overridesApplication overrideSignature-based custom applicationsCreating custom threat signaturesImplementing zone protection and DoS protectionSystem protection settingsPacket Buffer ProtectionTCP settingsConfiguring zone protectionPacket Buffer Protection and L3 & L4 Header InspectionConfiguring DoS protectionSummary
Troubleshooting Common Session Issues
Technical requirementsUsing the tools in the web interfaceLog filesPacket capturesConfiguring filtersConfiguring capturingCapturing packets on the management interfaceBotnet reportsInterpreting session detailsUnderstanding session states and typesTerminating and clearing sessionsViewing session data from the CLIApplying filtersUsing the troubleshooting toolTesting policiesTesting connectivityTesting with tracerouteUsing Maintenance Mode to resolve and recover from system issuesSummary
A Deep Dive Into Troubleshooting
Technical requirementsUnderstanding global countersFinding issues through countersAnalyzing session flowsPreparationExecutionCleanupA practical exampleDebugging processesCLI troubleshooting commands cheat sheetSummary
Cloud-Based Firewall Deployment
Technical requirementsLicensing a cloud firewallDeploying a firewall in AzureBootstrapping a firewallCreating a new storage accountCreating a bootstrap file shareThe init-cfg.txt fileThe bootstrap.xml fileBootstrapping a firewall on AzurePutting the firewall in lineAdding a new public IP addressAdding the Untrust subnet to an NSGCreating a server subnetSetting up routingForcing internal hosts to route over the firewallSetting up a load balancerSummarySubscribe to _secpro – the newsletter read by 65,000+ cybersecurity professionals
Appendix
Enabling the Advanced Routing EngineActivating cloud logging without centralized managementTroubleshooting SLS connectivityPrerequisitesTesting connectivityNo logs showing in Strata Logging ServiceSummary
Other Books You May Enjoy
Stay relevant in a rapidly changing cybersecurity world – join 65,000+ SecPro subscribers
Index

Content preview from Mastering Palo Alto Networks - Third Edition

11 Virtual Private Networks (VPNs)

There are several ways of connecting devices in a secure way. In this chapter, we will learn about site-to-site VPNs and the challenges you may encounter when connecting to different vendors. Palo Alto Networks firewalls currently support the following protocols:

Generic Routing Encapsulation (GRE) is a fairly old protocol that is not very secure but can be useful if legacy devices need to be connected to the firewall to provide rudimentary security to the encapsulated packets.
Internet Protocol Security (IPSec) is the de facto tunneling protocol between remote sites and can be used for very strong encryption.
Secure Socket Layer (SSL), which is really Transport Layer Security (TLS), is used to connect endpoints ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Mastering Palo Alto Networks - Second Edition

Publisher Resources

ISBN: 9781836644811

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mastering Palo Alto Networks - Third Edition

by Tom Piens aka 'reaper'

11

Virtual Private Networks (VPNs)

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.