implementing-next-generation-firewall-with-palo-alto
Configure and deploy Palo Alto Networks next-generation firewalls with App-ID, User-ID, zone-based policies, SSL decryption, and threat prevention profiles for enterprise network security.
What this skill does
# Implementing Next-Generation Firewall with Palo Alto

## Overview

Palo Alto Networks Next-Generation Firewalls (NGFWs) move beyond traditional port-based rule enforcement to application-aware, identity-driven security policies. By combining App-ID for traffic classification, User-ID for identity-based enforcement, Content-ID for threat inspection, and SSL decryption for visibility into encrypted traffic, organizations gain comprehensive control over network traffic. This skill covers end-to-end deployment, from initial configuration through advanced threat prevention profiles.

## When to Use

- When deploying or configuring Palo Alto Networks next-generation firewall capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving the network security architecture for this domain
- When conducting security assessments that require this implementation

## Prerequisites

- Palo Alto Networks PA-series appliance or VM-Series virtual firewall
- PAN-OS 10.2 or later
- Valid Threat Prevention, URL Filtering, and WildFire licenses
- Network topology documentation with zone definitions
- LDAP/Active Directory integration credentials for User-ID
- Internal CA certificate for SSL Forward Proxy decryption

## Core Concepts

### App-ID Technology

App-ID classifies network traffic by application regardless of port, protocol, or encryption. The classification engine applies several identification techniques in sequence:

1. **Application Signatures** - Pattern matching against known application signatures
2. **SSL/TLS Decryption** - Decrypt traffic to identify applications hidden in encrypted tunnels
3. **Application Protocol Decoding** - Decode protocols to find applications tunneled within them
4. **Heuristic Analysis** - Behavioral analysis for applications that evade the other methods

The Policy Optimizer tool assists migration from legacy port-based rules to App-ID rules by analyzing traffic logs and recommending application-specific replacements.

### User-ID Integration

User-ID maps IP addresses to user identities through multiple methods:

- **Server Monitoring** - Parses Windows Security Event Logs (Event IDs 4624, 4768, 4769)
- **Syslog Listening** - Receives authentication events from RADIUS, 802.1X, and proxies
- **GlobalProtect** - Maps VPN users automatically
- **Captive Portal** - Web-based authentication for unknown users
- **XML API** - Programmatic user mapping from custom sources

### Zone-Based Architecture

Zones represent logical segments of the network. Security policies control traffic between zones (inter-zone) and within zones (intra-zone):

| Zone | Purpose | Trust Level |
|------|---------|-------------|
| Trust | Internal corporate LAN | High |
| Untrust | Internet-facing | None |
| DMZ | Public-facing servers | Medium |
| Guest | Guest wireless | Low |
| DataCenter | Server infrastructure | High |

## Workflow

### Step 1: Initial System Configuration

Set the hostname, domain, DNS, NTP, time zone, and login banner:

```
set deviceconfig system hostname PA-FW01
set deviceconfig system domain corp.example.com
set deviceconfig system dns-setting servers primary 10.0.1.10
set deviceconfig system dns-setting servers secondary 10.0.1.11
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 0.pool.ntp.org
set deviceconfig system timezone US/Eastern
set deviceconfig system login-banner "Authorized access only. All activity is monitored."
```

### Step 2: Configure Network Zones and Interfaces

Define security zones and assign interfaces:

```
set zone Trust network layer3 ethernet1/1
set zone Untrust network layer3 ethernet1/2
set zone DMZ network layer3 ethernet1/3
set zone Guest network layer3 ethernet1/4
set network interface ethernet ethernet1/1 layer3 ip 10.10.0.1/24
# The management profile must exist before it is referenced; this one permits ping only
set network profiles interface-management-profile allow-ping ping yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping
set network interface ethernet ethernet1/2 layer3 dhcp-client enable yes
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 ]
```

### Step 3: Configure Zone Protection Profiles

Protect against reconnaissance and DoS attacks at the zone level. A zone protection profile only takes effect once it is attached to a zone, so the last command below binds it to the Untrust zone:

```
set network profiles zone-protection-profile Strict-ZP flood tcp-syn enable yes
# SYN flood thresholds (connections per second) are configured under the chosen action, SYN cookies here
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies alert-rate 100
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies activate-rate 500
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies maximal-rate 2000
set network profiles zone-protection-profile Strict-ZP flood udp enable yes
set network profiles zone-protection-profile Strict-ZP flood icmp enable yes
# Reconnaissance protection: 8003 is the UDP port scan signature; block-ip needs a tracking key and duration
set network profiles zone-protection-profile Strict-ZP scan 8003 action block-ip track-by source duration 300
set network profiles zone-protection-profile Strict-ZP scan 8003 interval 2
set network profiles zone-protection-profile Strict-ZP scan 8003 threshold 100
# Attach the profile to the zone it should protect
set zone Untrust network zone-protection-profile Strict-ZP
```

### Step 4: Configure Threat Prevention Profiles

Create Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, and WildFire Analysis profiles:

```
# Anti-Spyware Profile
set profiles spyware Strict-AS botnet-domains lists default-paloalto-dns action sinkhole packet-capture single-packet
set profiles spyware Strict-AS botnet-domains sinkhole ipv4-address pan-sinkhole-default-ip
set profiles spyware Strict-AS rules Block-Critical severity critical action block-ip track-by source duration 300

# Vulnerability Protection Profile
set profiles vulnerability Strict-VP rules Block-Critical-High vendor-id any severity [ critical high ] action block-ip track-by source duration 300

# URL Filtering Profile
set profiles url-filtering Strict-URL credential-enforcement mode ip-user
set profiles url-filtering Strict-URL block [ command-and-control malware phishing ]
set profiles url-filtering Strict-URL alert [ hacking proxy-avoidance-and-anonymizers ]

# File Blocking Profile
set profiles file-blocking Strict-FB rules Block-Dangerous application any file-type [ bat exe msi ps1 vbs ] direction both action block

# WildFire Analysis Profile
set profiles wildfire-analysis Strict-WF rules Forward-All application any file-type any direction both analysis public-cloud
```

### Step 5: Configure SSL Decryption

Set up SSL Forward Proxy for outbound traffic inspection. After the CA certificate is generated, assign it as the Forward Trust certificate and distribute its public certificate to client trust stores, or browsers will warn on every decrypted site. Decryption rules are evaluated top-down with first match winning, so the no-decrypt exemption must sit above the catch-all decrypt rule:

```
# Generate the Forward Trust CA certificate (operational command, not part of the candidate config)
request certificate generate certificate-name SSL-FP-CA algorithm RSA digest sha256 ca yes

# Create Decryption Profile
set profiles decryption Strict-Decrypt ssl-forward-proxy block-expired-certificate yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-untrusted-issuer yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-unknown-cert yes
set profiles decryption Strict-Decrypt ssl-forward-proxy restrict-cert-exts yes

# Create Decryption Policy
set rulebase decryption rules Decrypt-Outbound from Trust to Untrust source any destination any
set rulebase decryption rules Decrypt-Outbound action decrypt type ssl-forward-proxy
set rulebase decryption rules Decrypt-Outbound profile Strict-Decrypt

# Exclude sensitive categories (financial, healthcare)
set rulebase decryption rules No-Decrypt-Sensitive from Trust to Untrust
set rulebase decryption rules No-Decrypt-Sensitive category [ financial-services health-and-medicine ]
set rulebase decryption rules No-Decrypt-Sensitive action no-decrypt

# Move the exemption above the catch-all rule, otherwise it never matches
move rulebase decryption rules No-Decrypt-Sensitive before Decrypt-Outbound
```

### Step 6: Build Security Policies

Create application-aware security policies with security profiles:

```
# Allow business applications from Trust to Internet
set rulebase security rules Allow-Business from Trust to Untrust
set rulebase security rules Allow-Business source-user any
set rulebase security rules Allow-Business application [ office365-enterprise salesforce-base slack-base zoom ]
set rulebase security rules Allow-Business service application-default
set rulebase security rules Allow-Business action allow
set rulebase security rules Allow-Business profile-setting group Strict-S
```
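The decryption policy in Step 5 is evaluated top-down with first match winning, so the broad Decrypt-Outbound rule shadows No-Decrypt-Sensitive whenever it sits above it. The following Python model of that first-match evaluation is an added example, not PAN-OS code or Palo Alto's, using the two rules and URL categories from Step 5 plus a constructed set of sample flows; the shadowing check generalizes to any rulebase of this shape.

```python
"""First-match evaluation of the Step 5 decryption rulebase (added illustration, not PAN-OS code)."""
from dataclasses import dataclass, field


@dataclass
class DecryptRule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                   # "decrypt" or "no-decrypt"
    categories: set = field(default_factory=set)  # empty set means any URL category

    def matches(self, src_zone, dst_zone, category):
        if (self.src_zone, self.dst_zone) != (src_zone, dst_zone):
            return False
        return not self.categories or category in self.categories


def evaluate(rulebase, src_zone, dst_zone, category):
    """Return (rule name, action) of the first matching rule, as the firewall does.
    Traffic matching no rule is left encrypted (implicit no-decrypt)."""
    for rule in rulebase:
        if rule.matches(src_zone, dst_zone, category):
            return rule.name, rule.action
    return "implicit", "no-decrypt"


def shadowed_rules(rulebase, sample_flows):
    """Names of rules that never win for any sample flow: a cheap shadowing check."""
    winners = {evaluate(rulebase, *flow)[0] for flow in sample_flows}
    return [rule.name for rule in rulebase if rule.name not in winners]


# The two rules exactly as Step 5 defines them.
DECRYPT_OUTBOUND = DecryptRule("Decrypt-Outbound", "Trust", "Untrust", "decrypt")
NO_DECRYPT_SENSITIVE = DecryptRule("No-Decrypt-Sensitive", "Trust", "Untrust", "no-decrypt",
                                   {"financial-services", "health-and-medicine"})

# Catch-all first: the exemption is shadowed and banking traffic gets decrypted.
SHADOWED_ORDER = [DECRYPT_OUTBOUND, NO_DECRYPT_SENSITIVE]
# Exemption first: sensitive categories pass through, everything else is decrypted.
CORRECT_ORDER = [NO_DECRYPT_SENSITIVE, DECRYPT_OUTBOUND]

# Constructed sample flows: (source zone, destination zone, URL category).
SAMPLE_FLOWS = [
    ("Trust", "Untrust", "financial-services"),
    ("Trust", "Untrust", "business-and-economy"),
    ("Guest", "Untrust", "financial-services"),
]

if __name__ == "__main__":
    for label, rules in (("shadowed", SHADOWED_ORDER), ("correct", CORRECT_ORDER)):
        print(label, [evaluate(rules, *f) for f in SAMPLE_FLOWS], shadowed_rules(rules, SAMPLE_FLOWS))
```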
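Returning to the User-ID section, the following Python script is an added example (not Palo Alto's User-ID agent) of the Server Monitoring method: it reduces constructed Windows Event ID 4624 records to an IP-to-user table, where the most recent logon for an address wins and machine accounts and unrecorded addresses are skipped, and renders it as the login update document the User-ID XML API accepts. The field names follow the 4624 event schema; Kerberos events 4768/4769 are not handled here, and logoffs (4634) are left to the mapping timeout.

```python
"""Server Monitoring style User-ID mapping from Windows 4624 events (added illustration)."""
import xml.etree.ElementTree as ET

# Constructed sample records, reduced to the 4624 fields that matter for mapping.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "alice", "LogonType": 2, "IpAddress": "10.10.0.25"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "bob", "LogonType": 10, "IpAddress": "10.10.0.31"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "DC01$", "LogonType": 3, "IpAddress": "10.0.1.10"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "alice", "LogonType": 3, "IpAddress": "-"},
    {"EventID": 4634, "TargetDomainName": "CORP", "TargetUserName": "alice", "LogonType": 2, "IpAddress": "10.10.0.25"},
    {"EventID": 4624, "TargetDomainName": "CORP", "TargetUserName": "carol", "LogonType": 2, "IpAddress": "10.10.0.25"},
]

UNUSABLE_ADDRESSES = {"-", "", "::1", "127.0.0.1"}   # local or unrecorded source addresses


def build_mappings(events):
    """Reduce logon events to {ip: 'DOMAIN\\user'}; the most recent logon per IP wins."""
    mapping = {}
    for ev in events:
        if ev["EventID"] != 4624:          # only successful logons create mappings
            continue
        user = ev["TargetUserName"]
        if user.endswith("$"):             # machine accounts are not users
            continue
        ip = ev["IpAddress"]
        if ip in UNUSABLE_ADDRESSES:       # nothing to map without a client address
            continue
        mapping[ip] = f"{ev['TargetDomainName']}\\{user}"
    return mapping


def to_uid_message(mapping, timeout_minutes=60):
    """Render the mapping as a User-ID XML API login update (<uid-message>)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, user in sorted(mapping.items()):
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_uid_message(build_mappings(SAMPLE_EVENTS)))
```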