Discover the ins and outs of using Palo Alto Networks’ Software NGFW (Flex) credits to seamlessly renew your cloud-based or virtualized software NGFW devices! Dive into this exciting guide where we unravel the mysteries of software NGFW credits, show you how they're allocated to your deployment profile, and walk you through the renewal and verification process.

Learn to calculate your required NGFW credits with the online Credit Estimator and much more. Get ready to master your NGFW credits and keep your network security top-notch!

Key Topics:

• Grasping the Basics of Software NGFW (Flex) Credits
• Estimating Your NGFW Credit Needs with the Credit Estimator
• Renewing Your Deployment Profile with NGFW Credits
• Summary

Grasping the Basics of Software NGFW (Flex) Credits

Palo Alto Networks’ Cloud-based (Azure, AWS, GCP) and virtualized (ESXi, Hyper-V, KVM) deployments, aka software NGFW devices, are licensed using Software NGFW credits (Flex Credits). When deploying a software NGFW device, you are required to purchase the correct amount of NGFW credits to allow the deployment, licensing and operation of the device. The amount of NGFW credits required, depend on the specifications of your NGFW device which include:

• Number and type (VM-Series or CN-Series) of firewalls deployed.
• Number of vCPUs per firewall.
• Subscriptions e.g Threat Prevention, URL Filtering, Wildfire etc.
• Management Options e.g Panorama Management, Panorama Log Collector etc.
• Support Options e.g Premium or Platinum support.

NGFW credits are subscription-based, meaning they expire 12 or 36 months after purchase (depending on your contract), regardless of how many credits you use.  For example, if you purchase 100 NGFW credits 12-month subscription and use 80 NGFW credits for your deployment, the remaining 20 NGFW credits will be available for consumption, but expire at the end of the contract.

It's crucial to purchase the right amount of NGFW credits to minimize any that go unused.

Estimating Your NGFW Credit Needs with the Credit Estimator

This article’s purpose is to help you quickly master Palo Alto QoS concepts and learn to configure QoS on Palo Alto Firewalls in a simple and efficient way. QoS is considered a complicated topic however thanks to Palo Alto’s intuitive firewall GUI interface and our real-scenarios, you’ll quickly grasp all necessary QoS basics and be ready to implement your own QoS policies!

You’ll learn basic QoS terms such as Ingress and Egress traffic, Differentiated Service Code Point (DSCP), Traffic Policing, Traffic Shaping, Palo Alto QoS Classes, Palo Alto QoS Policies, how to build Palo Alto QoS policies, how to configure Palo Alto QoS Classes and finally how to enable and monitor QoS on Palo Alto firewall interfaces (both standalone & AE Aggregate interfaces), view QoS bandwidth graphs and more!

Key Topics:

• Introduction to Palo Alto QoS
• Palo Alto QoS Classes
• Palo Alto QoS Policies
• Configuring QoS Class-based Policies & Profiles
• Enabling QoS on Palo Alto Firewall Physical & Aggregate (AE) Interfaces
• Summary

Find more great articles by visiting our Palo Alto Firewall Section.

Introduction to Palo Alto QoS

QoS was born from the IEEE group during 1995-1998 by establishing the standard IEEE 802.1P. The main purpose of QoS is to prioritise desired traffic over other type of traffic or to limit the amount of bandwidth applications can consume, by utilizing different mechanisms. This ensures network performance, avoids bottlenecks, congestion or overutilization of network links. A frequently used example of QoS is the prioritising Real-time traffic e.g voice or video, over other type of traffic:

QoS Priority Queues - Packet classification and prioritization

In the example above, voice packets (blue) are given a higher priority against others, therefore immediately being forwarded by the firewall out via the output interface. Since voice packets are very sensitive to delay, they are usually handled with priority to avoid issues in a real-time voice streams e.g VoIP telephone call between two endpoints.

Overview of QoS Configuration on Palo Alto Firewalls

This article provides comprehensive guidance on the manual processes involved in downloading, uploading, and installing (import) any PAN-OS version on a Palo Alto Firewall. It details the steps for searching and downloading the desired PAN-OS version, as well as the supported methods for uploading the software to your Palo Alto Firewall, including Web, TFTP, and SCP. Additionally, the article offers valuable tips aimed at facilitating a smooth and successful upgrade process.

The necessity for a manual upgrade of a Palo Alto firewall arises in instances where the system operates within an isolated environment employing air-gap architecture and lacks direct internet access. This requirement is further applicable in scenarios where the firewall is devoid of valid licenses, remains unregistered, or serves as a replacement unit as exemplified in a Return Merchandise Authorization (RMA) context.

Whether performing upgrades manually or automatically, it is crucial to consider the same upgrade path rules outlined in our article Complete guide to upgrading Palo Alto firewalls. Individuals unfamiliar with these rules are strongly encouraged to review the article before initiating any PAN-OS upgrade.

Key Topics:

• Downloading PAN-OS Software
• Uploading PAN-OS Software Images to the Firewall
  • Uploading via Web GUI
  • Uploading via TFTP
  • Uploading via SCP
• Verifying Uploaded PAN-OS Software Images (GUI & CLI)
• Installing PAN-OS Software Images
  • Installation via Web GUI
  • Installation via CLI
• Summary

Explore our dedicated Palo Alto section to access a collection of high-quality technical articles.

Downloading PAN-OS Software

Begin by downloading the needed software from the Palo Alto Networks support page. Make sure you have a valid support contract.

Once logged in, select Updates on the left pane, followed by Software Updates from the right pane:

This article will show you how to configure an IPSec VPN tunnel between a Palo Alto firewall (all PANOS versions) and Meraki MX security appliance. Our comprehensive guide includes IPSec VPN setup for static & dynamic IP endpoints, Full tunnel VPN configuration, Split tunnel VPN configuration, special considerations for Full & Split tunnel modes,  IPSec Phase 1 - IKE gateway & crypto policies, IPSec Phase 2 – Tunnel encryption algorithms & authentication plus more.

 Key Topics:

Palo Alto Firewall Setup

• Step 1 – Create a Tunnel Interface
• Step 2 – Configure IKE Crypto Profile (IKEv1 - Phase 1)
• Step 3 – Configure IKE Gateway
• Step 4 – Configure IPSec Crypto Profile – (IKE Phase 2)
• Step 5 – Create IPSec Tunnel
• Step 6 – Configure VPN Routing (Remote Site Traffic)
• Step 7 – Configure Security Policies (IKE/IPSec & Remote Site Traffic)

Meraki MX Security Appliance Setup

• Step 1 – Enable Site-to-Site VPN
• Step 2 – Enable VPN Mode for Local Networks
• Step 3 – Configure Non-Meraki VPN Peer, IKE Version, Auth ID, Subnets & Preshared Secret
• Step 4 – Configure IPSec Policies (Phase 1 & Phase 2)
• Step 5 – Split Tunnel and Full Tunnel Mode
• Step 6 - Initiate and Test the VPN Tunnel
• Summary

This article assumes both Palo Alto firewall and Meraki MX are fully configured to allow local clients access to the internet. We’ll first begin with the configuration of the Palo Alto firewall and then work on the Meraki MX appliance.

Visit our Palo Alto Firewall section for more articles covering Palo Alto technologies.

Step 1 – Create a Tunnel Interface

Under Network, select Interfaces then the Tunnel menu option. The firewall will now show all configured tunnel interfaces. The interface ‘tunnel’, as shown below, by default exists on all firewalls:

This article will show you how to upgrade your standalone Firewall PAN-OS, explain the differences between a Base Image and a Maintenance Release Image. We’ll also explain the PAN-OS upgrade paths, show how to backup and export your configuration, deal with common PAN-OS install errors (upgrading requires greater content version). Finally, we will explain why newer PAN-OS releases might not be visible for download in your firewall’s software section.

While the same process described below can be used to upgrade Panorama PAN-OS, it is important to ensure the Panorama PAN-OS version is equal or greater than the firewalls. When upgrading PAN-OS for both Panorama and Firewall appliances, always upgrade Panorama first.

Key Topics:

• Prerequisites for PAN-OS Upgrades
• Understanding PAN-OS Upgrade Paths
• Backing Up & Exporting Firewall Configuration
• Downloading & Installing PAN-OS Software
• Dealing with Common Install Errors: Upgrading Requires Greater Content Version
• Why Aren’t the Latest PAN-OS Releases Available for Download?
• Summary

Our article How to Manually Download, Import & Install PAN-OS on Palo Alto Firewalls via CLI & Web GUI interface provides detailed instructions and insights on PAN-OS upgrades for unlicensed/unregistered Palo Alto Firewalls .

Prerequisites for PAN-OS Upgrades

It is important to note that only eligible Palo Alto customers, that is, those with an active contract, can receive updates for their firewalls. Our article How to Register and Activate Palo Alto Support, Subscription Servers, and Licenses covers this process in great detail.

Understanding PAN-OS Upgrade Paths

Direct (one-step) upgrade to the latest PAN-OS depends on the current version your firewall is running. When upgrading from a fairly old to a newer PAN-OS version, multi-step upgrades might be necessary. This ensures the device’s configuration is migrated to the PAN-OS's newer supported features and that nothing “breaks” during the upgrade process.

Like most vendors, Palo Alto Networks produce a base image and maintenance releases. Maintenance releases are small upgrades of the base image and deal with bug fixes and sometimes introduce small enhancements.

As a rule of thumb, firewalls should be running the Palo Alto preferred PAN-OS release (requires account login), and it is generally a good practice to install these releases as they are published.

When upgrading your PAN-OS to the latest maintenance release of a newer base release, the firewall will likely require you to download the new base release before allowing you to install its latest maintenance release.

For example, our firewall is currently running version 9.0.3-h3, noted by the ‘tick’ on the Currently Installed column, and our goal is to upgrade to version 9.1.4 (preferred release) as shown below:

When attempting to download version 9.1.4, a maintenance release for base 9.1.0, we received an error (see screenshot below) explaining that we need to download 9.1.0 base image first (no installation required). Once downloaded, we can proceed with the download and installation of version 9.1.4.

Backing Up & Exporting Firewall Configuration

It is imperative to backup and export the configuration before attempting to upgrade. To create a backup go to Devices > Setup, then select the Operations (3) tab and Save named configuration snapshot (4):

Once the backup is complete, it is highly recommend to export the configuration by selecting Export named configuration snapshot (5) and saving it in a safe place.

Downloading & Installing PAN-OS Software

We will be upgrading our firewall from PAN-OS 9.0.3-h3 to 9.1.4. As explained previously, for this process, we will download base 9.1.0 and then download & install maintenance release 9.1.4.

Newer PAN-OS versions can be downloaded directly from the firewall GUI (recommended). Alternatively, they can be downloaded from https://support.paloaltonetworks.com  and then upload it manually.

From the GUI, go to Device > Software, then click on Check Now (3) to update the software list. When complete, click on Download (4) for base image 9.1.0:

When complete, click on Download (5) on version 9.1.4, then install (option will be available once the image has downloaded). During the installation a progress bar will be displayed:

As soon as the installation process is complete, the firewall will ask to reboot:

Dealing with Common Install Errors: Upgrading Requires Greater Content Version

A common error users are faced with when attempting to install a newer PAN-OS is the “Error: Upgrading from xxx to xxx requires a content version 8226 or greater and found 8165-5521” error as shown below:

This error is related to the Applications and Threats version the firewall is currently running which is most likely outdated. 

To fix this, go to Device > Dynamic Updates and click on the Check Now (3) button as shown below:

Next, download (5) the latest version of Applications and Threats. Once the download is complete, the install option will become available. Proceed with the installation of the newly downloaded Applications and Threats version:

Another common error is the Image File Authentication Error – Failed to Load into Software Manager error. This is covered in detail in our article How to Fix Palo Alto Firewall “Error: Image File Authentication Error”.

Why Aren’t the Latest PAN-OS Releases Available for Download?

Palo Alto Networks continuously publish new PAN-OS releases; however, they might not be available/visible on your firewall if they are not compatible with the version your firewall is currently running.

At the time of writing, PAN-OS 10.0 was available however if you take a close look at the available software, you notice that it is not listed:

After upgrading to version 9.1.4 we went back and clicked the Check Now button. PAN-OS 10 was available to download and install:

Summary

This article showed how to upgrade a standalone Palo Alto Firewall PAN-OS, it explained the different PAN-OS images (Base Image, Maintenance Release) and PAN-OS upgrade paths depending on your current PAN-OS. We also saw how to download and install the PAN-OS software, common installation errors (requires greater content version error) and finally explained why latest PAN-OS releases are not made available in your firewall’s software download section.

While Palo Alto Networks makes the software upgrade process an easy task, sometimes problems can occur. One frequently seen issue is the “Error: Image File Authentication Error – Failed to Load into Software Manager” error when trying to download a new software image.

Readers and also refer to our articles How to Manually Download, Import & Install PAN-OS on Palo Alto Firewalls via CLI & Web GUI interface and Complete Guide to Upgrading Palo Alto Firewall PAN-OS & Panorama. Prerequisites, Upgrade Paths, Config Backup, Application & Threats Update & More for more technical insights and advice on PAN-OS upgrades.

This error can occur on a standalone or HA-Pair Firewall configuration:

Additional technical articles are available in our Palo Alto Firewall Section.

How To Fix The 'Image File Authentication Error'

To fix this problem, simply click the Check Now link at the bottom left corner. This will force the Palo Alto Firewall to connect to the update server and refresh the list of available software images:

 As soon as the above refresh process is complete, you can proceed to download the desired software image:

The screenshot below confirms the selected image has been downloaded and loaded into software manager, ready to be installed:

More Information About The Error

The “Error: Image File Authentication Error – Failed to Load into Software Manager” error is encountered after initiating the download of any image from within the Software area:

As soon as the user initiates the download process, the Firewall will begin downloading the selected PAN-OS version. Once the download is complete the progress bar reaches the 99% mark and will pause for a significant time as shown below:

During this process, a closer look at the firewall logs via SSH shows the following error is produced:

The linux tail command will continuously update the ms.log file entries so you can observe in real-time all entries within the log file.

The log output seems to imply that there is a missing file or some type of information is not available. This issue is fixed as soon as the firewall is forced to check for new updates.

Summary

This article explains how to resolve the “Error: Image File Authentication Error – Failed to Load into Software Manager” error encountered when trying to download a new firewall software image. We showed the error produced by the firewall and how to fix this by forcing the firewall to Check for new software updates. We also dived into the mp-log ms.log log file and examined the messages produced there during the error.

Customers purchasing a new Palo Alto Firewall appliance or support contract will receive an authorization code which is required to activate their technical support, license and service subscriptions – this, plus lots more useful information is included below.

Key Topics:

• Benefits of a Support Account, Firewall Registering and License Activation
• Creating a Palo Alto Support Account – New Customers
• Registering a Palo Alto Device – New & Existing Customers
• Activating Palo Alto Support and Subscription License
• Summary

Additional technical articles are available in our Palo Alto Firewall Section

The diagram below shows the steps new customers should follow to successfully register and activate their Palo Alto products:

Benefits of a Support Account, Firewall Registration and License Activation

Registering your security appliance has many benefits, especially when you consider that any unpatched or outdated security appliance is unable to provide adequate protection against today’s complex and intelligent security threats. Furthermore by registering your appliance you are protecting your investment as you become a ‘known’ customer to Palo Alto allowing you to engage the vendor and benefit from the wide range of services offered.

By creating a Support Account, registering your Firewall appliance and activating your License you’ll be able to perform the following:

• Register and manage your firewall appliances(s). Palo Alto call these “Assets”
• Create and manage support cases
• Create and manage users from your organization
• Give members of your team access to Palo Alto support services
• Gain access to a variety of tools found in the support portal
• Obtain knowledge and answers to questions
• Obtain access to the Palo Alto live community
• Download PAN-OS (Palo Alto Operating System) software updates for your device
• Download Antivirus updates
• Download Antispam updates
• Download Threat protection updates
• Update App-ID Database on your device
• Ensure the URL Filtering engine is up to date
• Gain access to Wildfire which allows the firewall to safely ‘detonate’ suspicious files in the cloud

The above list is indicative and shows the variety of services offered to registered Palo Alto customers with an active subscription service.

Creating a Palo Alto Support Account - New Customers

Registering your account is a simple process that only takes a few minutes. During the registration process you’ll be able to register your Palo Alto Firewall appliance and later activate your support and subscription license. To begin, visit the Palo Alto Support page https://support.paloaltonetworks.com/ and click on the Sign In link at the top right corner of the page:

On the next screen, enter a valid email address, verify you’re human (reCAPTCHA) and finally click on the Submit button:

On the next page select to register your device using its Serial Number or Authorization Code or alternatively you can register a VM-Series model purchased from the public cloud marketplace or a Could Security Provider (CSSP). In our example, we’ll be selecting the first option. When ready, click on the Submit button:

Next, enter all required details to create the new account. Towards the end of the page you can enter the Device Serial Number or Auth Code. We selected to insert the device serial number:

The Auth Code is an 8-digit code which is emailed to the customer (PDF file) as soon as the physical appliance is shipped from Palo Alto Networks. This means that under most circumstances the Auth Code is received before the physical appliance.

When filling in your details keep in mind that it is important to ensure the address entered is correct as it will be used for any future RMA process.

It is highly advisable to subscribe to all mailing lists to ensure you receive updates and security advisory notifications.

Once the registration process is complete, you can proceed activating the support and software licenses.

Registering a Palo Alto Device – New & Existing Customers

Existing customers with support contracts need to follow a similar process outline below in order to register their new Palo Alto device and activate the subscription services purchased.

To begin, visit the Palo Alto Support page https://support.paloaltonetworks.com/ and click on the Sign In link at the top right corner of the page. On the next page, click on the Go to portal button:

Next, enter your Email Address and Password to complete the login process.

Once done, you’ll be presented with the main Customer Support page where you’ll find important alerts regarding the support portal and see a summary of your recent activity as shown in the below screenshot. Now click on the Register a Device button:

On the next page select the Device Type. Select the correct Device Type. We selected Register device using Serial Number or Authorization Code to register our firewall appliance. When ready, click on the Next button:

Now provide the device Serial Number, Device Name (provide a meaningful name to help distinguish this device from other devices) and Location information for RMA purposes. We can tick the Device will be used offline option if the device is to be used in an isolated environment with no internet access.

When ready click on the Agree and Submit button at the bottom right of the page (not shown):

After a few seconds the support portal will confirm our Palo Alto Firewall was successfully registered and provide the highly recommended option of Run Day 1 Configuration:

The optional Day 1 Configuration step can be run by clicking on the Run Day 1 Configuration button. If you decide to skip this step you can find this option from the main support page, under the Tools section as shown in the screenshot below:

When selecting Run Day 1 Configuration, you need to provide some basic information about your firewall such as Hostname, Management IP address, PAN-OS version, DNS Servers etc. This information is then used to generate an initial firewall configuration file (xml file) based on Palo Alto Networks Best Practices.

You can then download the file and upload it to the firewall appliance using it as a base configuration.

The Run Day 1 Configuration option is a great start for people with limited experience on Palo Alto Firewalls but is also a good practice to follow for any newly deployed Firewalls and therefore highly recommended.

The Run Day 1 Configuration tool is designed for new (unconfigured) firewalls! Applying to a production device will clear its configuration!

Activating Palo Alto Support and Subscription License

Once the Firewall registration process is complete, the final step is to activate your license. When this process is complete, the Firewall appliance will be covered under warranty replacement, be able to download software PAN-OS updates and depending on the subscriptions purchased, have access to Wildfire, URL filtering, Antispyware, Threat Intelligence updates and more.

To activate licenses, your Palo Alto user account must be assigned the ELA Administrator role. You can add this role under Members > Manage Users

To begin, from the Support Home page navigate to Assets > Devices. Here you’ll see a list of all currently registered devices. Locate the device for which the license needs to be activated and click on the pencil icon under the Actions column:

On the next page select Activate Auth-Code under the Activate Licenses section and insert the Authorization Code. Now click on the Agree and Submit button:

Once the activation process is complete a green bar will briefly appear confirming the license was successfully activated. Notice how the page has been updated to include the features activated along with their Expiration Date:

If you have multiple service (or feature) licenses purchased for your product, for example Threat Prevention License, WildFire License, Support etc, insert the Authorization Code for one service and click on the Agree and Submit button. Repeat the process until all services/features are activated.

This completes the Palo Alto License Activation process. You should now have all licenses/features fully registered and able to obtain technical support for your device(s).

Summary

In this article we outlined the benefits of registering your Palo Alto security device. We explained in detail how to create a Palo Alto support account, register your Palo Alto Firewall and how to activate your Palo Alto License & Subscription services in order to obtain technical support, RMA hardware replacement, product updates, antivirus updates, wildfire, antispam updates, Threat Prevention, URL Filtering, Global Protect and more.

It’s easy to mix and match the interface types and deployment options in real world deployments and this seems to be the strongest selling point of Palo Alto Networks Next-Generation Firewalls. Network segmentation becomes easier due to the flexibility offered by a single pair of Palo Alto appliances.

Below is a list of the configuration options available for Ethernet (physical) interfaces:

• Tap Mode
• Virtual Wire
• Layer 2
• Layer 3
• Aggregate Interfaces
• HA

Following are the Logical interface options available:

• VLAN
• Loopback
• Tunnel
• Decrypt Mirror

The various interface types offered by Palo Alto Networks Next-Generation Firewalls provide flexible deployment options.

Tap Mode Deployment Option

TAP Mode deployment allows passive monitoring of the traffic flow across a network by using the SPAN feature (also known as mirroring).

A typical deployment would involve the configuration of SPAN on Cisco Catalyst switches where the destination SPAN port is the switch port to which our Palo Alto Firewall connects, as shown in the diagram below:

Figure 1. Palo Alto Next Generation Firewall deployed in TAP mode

The advantage of this deployment model is that it allows organizations to closely monitor traffic to their servers or network without requiring any changes to the network infrastructure.

During the configuration of SPAN it is important to ensure the correct SPAN source and SPAN Destination ports are configured while also enabling Tap mode at the Firewall.

Tap mode offers visibility of application, user and content, however, we must be mindful that the firewall is unable to control the traffic as no security rules can be applied in this mode. Tap mode simply offers visibility in the ACC tab of the dashboard. The catch here is to ensure that the tap interface is assigned to a security zone.

Virtual Wire  (V-Wire) Deployment Option

Virtual Wire, also know as V-Wire, deployment options use Virtual Wire interfaces. The great thing about V-Wire deployment is that the firewall can be inserted into an existing topology without requiring any changes to the existing network topology.

The V-Wire deployment options overcome the limitations of TAP mode deployment, as engineers are able to monitor and control traffic traversing the link. A Virtual Wire interface supports App-ID, User-ID, Content-ID, NAT and decryption.

Figure 2. Palo Alto Next Generation Firewall deployed in V-Wire mode

Layer 2 Deployment Option

Palo Alto Networks Next Generation Firewall can also be deployed in Layer 2 mode. In this mode switching is performed between two or more network segments as shown in the diagram below:

Figure 3. Palo Alto Next Generation Firewall deployed in Layer 2 mode

In Layer 2 deployment mode the firewall is configured to perform switching between two or more network segments. Traffic traversing the firewall is examined, as per policies, providing increased security and visibility within the internal network.

In this mode the firewall interfaces are capable of supporting Access or Trunk Links (802.1Q trunking) and do not participate in the Spanning Tree topology. Any BPDUs received on the firewall interfaces are directly forwarded to the neighboring Layer 2 switch without being processed. Routing traffic between VLAN networks or other networks can be achieved via a default Gateway which is usually a Layer 3 switch supporting InterVLAN routing, a Firewall security appliance, or even Router-on-a-Stick design.

Layer 3 Deployment Option

Layer 3 deployment mode is a popular deployment setup. In this mode the firewall routes traffic between multiple interfaces, each of which is configured with an IP address and security zone. The Firewall interfaces can also be configured to obtain their IP address via a DHCP server and can be used to manage the security appliance.

Figure 4 – Palo Alto Next Generation Firewall deployed in Layer 3 mode

The diagram above shows a typical Layer 3 deployment setup where the Firewall routes and controls traffic between three different IP networks. Similar to other setup methods, all traffic traversing the Firewall is examined and allowed or blocked according to the security policies configured.

Summary

In this article we examined a few of the different deployment modes available for Palo Alto firewalls. We talked about Tap mode, Virtual Wire mode, Layer 2 and Layer 3 deployment modes. Each deployment method is used to satisfy different security requirements and allows flexible configuration options. Visit our Palo Alto Firewalls Section for more in-depth technical articles.

Palo Alto Networks Next-Generation Firewalls zones have no dependency on their physical location and they may reside in any location within the enterprise network. This is also illustrated in the network security diagram below:

Figure 1. Palo Alto Firewall Security Zones can contain networks in different locations

The above topology illustrated shows VLANs 10, 11 ,12 and 2 managed by a Cisco Catalyst 4507R+E Switch and are all part of OSPF Area 0 and visible as routes in the Palo Alto Firewall. A Layer 3 aggregated link has been created between the Palo Alto Firewall (Interface ae1 on each firewall) and the Cisco 4507R+E Switch (Port-Channel 1 & 2).

When aggregation interface ae1.2 on the Palo Alto Firewall is configured to be part of the DMZ Security Zone, all networks learnt by the OSPF routing protocol on interface ae1.2 will be part of the DMZ Security Zone.

Creating a Security Zone involves tasks such as naming the zone, assigning the interfaces to the new zone created and more. Palo Alto Networks Next-Generation Firewalls won’t process traffic from any interface unless they are part of a Security Zone.

The diagram below depicts the order in which packets are processed by the Palo Alto Firewall:

Figure 2. Initial Packet Processing – Flow Logic of Palo Alto Next-Generation Firewall

It is without doubt Zone based firewalls provide greater flexibility in security design and are also considered easier to administer and maintain especially in large scale network deployments.

Palo Alto Networks Next-Generation Firewalls have four main types of Zones namely as shown in the screenshot below:

• Tap Zone. Used in conjunction with SPAN/RSPAN to monitor traffic.
• Virtual Wire. Also known as Transparent Firewall.
• Layer 2. Used when switching between two or more networks.
• Layer 3. Used when routing between two or more networks. Interfaces must be assigned an IP address.

Figure 3. Types of Security Zones in Palo Alto Firewalls

Palo Alto Networks Next-Generation Firewalls have special zone called External which is used to pass traffic between Virtual Systems (vsys) configured on the same firewall appliance. The External zone type is only available in the Palo Alto Networks Next-Generation Firewalls which are capable of Virtual Systems and also the External Zone is visible only when the multi-vsys feature is enabled.

Creating A Security Zone

This section focuses on creating different types of Security zones in Palo Alto Networks Next-Generation Firewalls

Step 1. Login to the WebUI of Palo Alto Networks Next-Generation Firewall

Step 2. From the menu, click Network > Zones > Add

Figure 4. Creating a new Zone in Palo Alto Firewall

Step 3. Provide the name for the new Zone, and select the zone type and click OK:

Figure 5. Creating a zone in a Palo Alto Firewall

In a similar manner we can repeat steps 1 to 3 to create Tap, Virtual Wire or Layer 2 security zones.

Finally it is important to note that the zone names is case sensitive, so one needs to be careful as the zone FiewallCX and firewallcx are considered different zones:

Figure 6. Identically named Security zones using different letter cases result in different Security zones

Figure 7. Example of case sensitive security zones with identical zone names

Creating a security zone in Palo Alto Networks Next-Generation Firewalls involves three steps:

Step 1. Specify the Zone name

Step 2. Select the Zone type

Step 3. Assign the Interface

The interfaces part will be dealt in upcoming posts as one need to understand types of interfaces Palo Alto Networks Next-Generation Firewalls offers and how they work.

In Palo Alto Networks Next-Generation Firewalls zone names have no predefined meaning or policy associations, basically they are created to group the services by functions for examples one can group all the Domain Controllers in one security group no matter even if they are part of different networks.

Figure 8. Example of grouping Domain Controllers in same security zone – DMZ

As mentioned Palo Alto Networks Next-Generation Firewalls works with the principle of Security zones, by default Intra-Zone traffic is allowed and Inter-Zone traffic is denied. More technical articles can be found in our Palo Alto Network Firewall section.

For more Technical articles on Palo Alto Networks Firewalls, visit our Palo Alto Networks Firewall Section.

Flow Logic Of The Next-Generation Firewall

The diagram below is a simplified version of the flow logic of a packet travelling through a Palo Alto Networks Next-Generation Firewall and this can be always used a reference to study the packet processing sequence:

Figure 1. Flow Logic of a packet inside the Palo Alto Networks Next Generation Firewall

Palo Alto Networks Next-Generation Firewalls works with the concepts of zones not interfaces, once a packet enters the firewall, the Palo Alto Networks Next-Generation Firewalls identifies from which zone the packet came and where it is destined to go. This is similar to Cisco IOS Routers Zone-based Firewalls and Cisco ASA Firewalls.

Users interested can also download for free the Palo Alto Networks document “Day in the Life of a Packet” found in our Palo Alto Networks Download section which explains in great detail the packet flow sequence inside the Palo Alto Networks Firewall.

App-ID & User-ID – Features That Set Palo Alto Apart From The Competition

App-ID and User-ID are two really interesting features not found on most competitors’ firewalls and really help set Palo Alto Networks apart from the competition. Let’s take a look at what App-ID and User-ID are and how they help protect the enterprise network.

App-ID: Application-based Policy Enforcement

App-ID is the biggest asset of Palo Alto Networks Next-Generation Firewalls. Traditional firewalls block traffic based on protocol and/or ports, which years ago seemed to be the best way of securing the network perimeter, however this approach today is inadequate as applications (including SSL VPNs) can easily bypass a port-based firewall by hopping between ports or using well-known open ports such as tcp-http (80) or tcp/udp-dns (53) normally found open.

A traditional firewall that allows the usage of TCP/UDP port 53 for DNS lookups, will allow any application using that port to pass through without asking second questions. This means that any application can use port 53 to send/receive traffic, including evasive applications like BitTorrent for P2P file sharing, which is quite dangerous:

Figure 2. Palo Alto Network’s App-ID effectively blocks unwanted BitTorrent traffic

With App-ID, Palo Alto Networks Next-Generation Firewalls uses multiple identification mechanisms to determine the exact identity of applications traversing the network. Following is the order in which traffic is examined and classified:

1. Traffic is classified based on the IP Address and port
2. Signatures are then applied to the allowed traffic to identify the application based on unique application properties and related transaction characteristics.
3. For evasive applications which cannot be identified though advance signature and protocol analysis Palo Alto Networks Next-Generation Firewalls applies heuristics or behavioral analysis to determine the identity of the application.

Using the above process Palo Alto Networks Next-Generation Firewalls are very successful in identifying DNS traffic not only at the port level but also at the Application level, making it extremely difficult for an evasive application like BitTorrent to use any open ports and pass through the firewall undetected.

User Identification (User-ID)

User-ID is one more key determining factor that places Palo Alto Networks Next-Generation Firewalls apart from the competition.

Traditionally, security policies and rules were applied based on IP addresses. However, these days both the users and applications have a dynamic nature which means that IP addresses alone have become inefficient for monitoring and controlling user activity. A single user might access the network from multiple devices (laptops, tablets, smartphones, servers).

Thanks to the User-ID feature of the Palo Alto Networks Next-Generation Firewalls administrators are able to configure and enforce firewall policies based on users and user groups instead of network zones and addresses.

The Palo Alto Networks Next-Generation Firewall can communicate with many directory servers, such as Microsoft Active Directory, eDirectory, SunOne, OpenLDAP, and most other LDAP-based directory servers to provide user and group information to the firewall. With this powerful feature, large organizations are able to create security policies that are user or group based, without worrying about IP addresses associated to them.

Threat Prevention

Palo Alto Networks Next-Generation Firewalls are very effective in preventing threats and they do offer real-time threat prevention from viruses, worms, spyware, and other malicious traffic can be varied by application and traffic source.

Application Command Control (ACC)

Palo Alto Networks Next-Generation Firewalls offer the most interactive graphical summary of the applications, URLs, users, threats, and content traversing the network. The ACC makes use of the firewall logs to provide the visibility of the traffic patterns, information on threats, user activity, Rule usage and many other information in an interactive graphical form:

Figure 3. Palo Alto Application Command Center provides maximum visibility on network traffic (click to enlarge)

Summary

This article why Palo Alto Networks Next-Generation Firewalls are really unique in many terms. Features such as App-ID and User-ID allow in-depth control of applications and users, making it possible to fully manage small to very large enterprises without a problem. The Application Command Control (ACC) helps give the administrator a complete view of applications and services accessing the internet alongside with some very useful statistics. To discover more in-depth technical articles on Palo Alto Networks Firewalls, please visit our Palo Alto Networks Firewall section.

More technical and how-to articles covering Palo Alto's Firewalls can be found in our Palo Alto Networks Firewall Section

Palo Alto Networks Next-Generation Firewall’s main strength is its Single Pass Parallel Processing (SP3) Architecture, which comprises two key components:

1. Single Pass Software
2. Parallel Processing Hardware

Figure 1.   Palo Alto Networks Firewall Single Pass Parallel Processing Architecture

Single Pass Software

Palo Alto Networks Next-Generation Firewall is empowered with Single Pass Software, which processes the packet to perform functions like networking, user identification (User-ID), policy lookup, traffic classification with application identification (App-ID), decoding, signature matching for identifying threats and contents, which are all performed once per packet as shown in the illustration below:

Figure 2: Palo Alto Networks Firewall - Single-Pass Architecture Traffic Flow

This processing of a packet in one go or single pass by Palo Alto Networks Next-Generation Firewall enormously reduces the processing overhead, other vendor firewalls using a different type of architecture produce a significantly higher overhead when processing packets traversing the firewall. It’s been observed that the Unified Threat Management (UTM), which processes the traffic using multi-pass architecture, results in process overhead, latency introduction and throughput degradation.

The diagram below illustrates the multi-pass architecture process used by other vendors’ firewalls, clearly showing differences to the Palo Alto Networks Firewall architecture and how the processing overhead is produced:

Figure 3: Traffic Flow for multi-pass architecture resulting in additional overhead processing

Palo Alto Networks Next-Generation Firewall Single Pass Software scans the contents based on the same stream and it uses uniform signature matching patterns to detect and block threats. By adopting this methodology Palo Alto Networks Next-Generation Firewall is negating the use of separate scan engines and signature sets, which results in low latency and high throughput.

Parallel Processing Hardware

Palo Alto Networks Parallel Processing hardware ensures function-specific processing is done in parallel at the hardware level which, in combination with the dedicated Data plane and Control plane, produces stunning performance results. By separating the Data plane and Control plane, Palo Alto Networks is ensuring heavy utilization of either plane will not impact the overall performance of the Platform. At the same time, this means there is no dependency on either plane as each has its own CPU and RAM as illustrated in the diagram below:

Figure 4: Palo Alto Networks Firewall Hardware Architecture – Separation of Data Plane and Control Plane

The Control Plane is responsible for tasks such as management, configuration of Palo Alto Networks Next-Generation Firewall and it takes care of logging and reporting functions.

Palo Alto Networks Next-Generation Firewall offers processors dedicated to specific functions that work in parallel. The Data Plane in the high-end models contains three types of processors (CPUs) connected by high-speed 1Gbps busses.

The three type of processors are:

1. Security Matching Processor: Dedicated processor that performs vulnerability and virus detection.
2. Security Processor: Dedicated processor that performs hardware acceleration and handles security tasks such as SSL decryption, IPsec decryption and similar tasks.
3. Network Processor: Dedicated processor responsible for network functions such as routing, NAT, QOS, route lookup, MAC Lookup and network layer communications.

Summary

Palo Alto Networks unique architecture and design has played a significant role in helping place it apart from the rest of its competitors. Its Single Platform Parallel Processing architecture coupled with the single management system results in a fast and highly sophisticated Next-Generation Firewall that won’t be left behind anytime soon. For more technical information and articles covering configuration and technical features of the Palo Alto Networks Firewall, visit our Palo Alto Networks Firewall Section.

The introduction of Next Generation Firewalls has changed the dimension of management and configuration of firewalls, most of the well-known Firewall vendors have done a major revamp, be it the traditional command line mode or the GUI mode.

Palo Alto Networks is no different to many of those vendors, yet it is unique in terms of its WebUI. It’s a whole new experience when you access the WebUI of Palo Alto Networks Next-Generation Firewalls.

In order to start with an implementation of the Palo Alto Networks Next-Generation Firewalls one needs to configure them. Palo Alto Networks Next-Generation Firewalls can be accessed by either an out-of-band management port labelled as MGT or a Serial Console port (similar to Cisco devices). By using the MGT port, one can separate the management functions of the firewall from the data processing functions. All initial configurations must be performed either on out-of-band management interface or by using a serial console port. The serial port has default values of 9600-N-1 and a standard roll over cable can be used to connect to a serial port.

Figure 1.   Palo Alto Networks Firewall PA-5020 Management & Console Port

By default, Palo Alto Networks Next-Generation Firewalls use MGT port to retrieve license information and update the threats and application signature, therefore it is imperative the MGT port has proper DNS settings configured and is able to access the internet.

Note: The instructions below apply to all Palo Alto Firewall models!

To access the Palo Alto Networks Firewall for the first time through the MGT port, we need to connect a laptop to the MGT port using a straight-thru Ethernet cable. By default, the web gui interface is accessed through the following IP Address and login credentials (note they are in lower case):

• MGT Port IP Address: 192.168.1.1 /24
• Username: admin
• Password: admin

For security reasons it’s always recommended to change the default admin credentials. Until this condition is satisfied, the Palo Alto Networks Firewall alerts the administrator to change the default password every time he logs in, as shown in the screenshot below:

Figure 2. Palo Alto Networks Firewall alerts the administrator to change the default password

Performing The Initial Setup In Palo Alto Networks Firewall Check List

Below is a list of the most important initial setup tasks that should be performed on a Palo Alto Networks Firewall regardless of the model:

• Change the default login credentials
• Configure the management IP Address & managed services (https, ssh, icmp etc)
• Configure DNS & NTP Settings
• Register and Activate the Palo Alto Networks Firewall

Let’s take a look at each step in greater detail.

Change The Default Login Credentials

Step 1: Establish connectivity with the Palo Alto Networks Firewall by connecting an Ethernet cable between the Management and the laptop’s Ethernet interface.

Step 2: Configure the laptop Ethernet interface with an IP address within the 192.168.1.0/24 network. Keep in mind that we’ll find the Palo Alto Networks Firewall at 192.168.1.1 so this IP must not be used.

Step 3: Open a web browser and navigate to the URL https://192.168.1.1 – Take note that this is an HTTPS site. At this point the Palo Alto Networks Firewall login page appears.

Step 4: Enter admin for both name and password fields.

Step 5: From the main menu, click Device > Administrators > admin

• Type the old password in the Old Password field
• Type the new password in the New Password field
• Type new password in the Confirm New Password field
• Click ok

Configure The Management IP Address & Management Services (HTTPS, SSH, ICMP)

At this point we have connectivity to the Palo Alto Networks Firewall and need to change the management IP address:

Step 1: Logon to the Palo Alto Networks Firewall using the new credentials entered in the previous section.

Step 2: From the web interface click Device > Setup > Management and select the Management Interface Settings radio button as shown below:

Figure 3. Accessing the Palo Alto Netowkrs Firewall Management IP Address tab

Next, change the IP Address accordingly and enable or disable any management services as required. HTTPS, SSH and Ping (ICMP) are enabled by default. When ready click ok:

Figure 4. Changing the Management IP Address & services on the Palo Alto Networks Firewall

Step 3: Now click on Commit on the top right corner to save and commit the changes to the new configuration

Configure DNS & NTP Settings In Palo Alto Networks

This section assumes all previous steps have been completed and we are currently logged into the Palo Alto Networks Firewall web interface.

Step 1: From the menu, click Device > Setup > Services and configure the DNS Servers as required. When ready, click on OK:

Figure 5. Configuring DNS Settings on Palo Alto Networks firewall

Step 2: Click on the Commit button on the top right corner to commit the new changes.

Configure Management IP Address, Default Gateway, DNS & NTP Settings CLI (PAN-OS)

Similar to Cisco devices, Palo Alto Networks devices can be configured by web or CLI interface. While CLI interface tends to be slightly more challenging it does provides complete control of configuration options and extensive debugging capabilities.

This section shows how to configure your Palo Alto Networks firewall using the console port. The computer’s serial port must have the following settings to correctly connect and display data via the console port:

Step 1: Login to the device using the default credentials (admin / admin).

Step 2: Enter configuration mode by typing configure:

Step 3: Configure the IP address, subnet mask, default gateway and DNS Severs by using following PAN-OS CLI command in one line:

admin@PA-3050# set deviceconfig system ip-address 192.168.1.10 netmask 255.255.255.0 default-gateway 192.168.1.1 dns-setting servers primary 8.8.8.8 secondary 4.4.4.4

Step 4: Commit changes

admin@PA-3050# commit

Registering & Activating Palo Alto Networks Firewall

This section assumes all previous steps have been completed and we are currently logged into the Palo Alto Networks Firewall web interface.

Step 1: Click Dashboard and look for the serial information in the General Information Widget,

If the widget is not added, click on Widgets > Systems > General Information:

Figure 6. Adding Widgets to the Palo Alto Networks Firewall Web Interface

Step 2: Create a support account with Palo Alto Support.

Registering your Palo Alto Networks device is essential so you can receive product updates, firmware upgrades, support and much more.

First we need to create an account at https://support.paloaltonetworks.com and then proceed with the registration of our Palo Alto Networks Firewall device, during which we’ll need to provide the sales order number or customer ID, serial number of the device or authorization code provided by our Palo Alto Networks Authorized partner.

Further details about registration and activation process can be found in our article How to Register a Palo Alto Firewall and Activate Support, Subscription Services & Licenses. Covers All Models. 

Step 3: Activate the license by clicking Device > License and select Activate feature using authorization code:

Figure 7. Activating the Palo Alto Networks Firewall license

When prompted, enter the Authorization Code and then click OK.

Finally, verify that the license was successfully activated.

Once the Palo Alto Networks Firewall is activated, it is ready for configuration according to our business’s needs.

This article showed how to configure your Palo Alto Networks Firewall via Web interface and Command Line Interface (CLI). We covered configuration of Management interface, enable/disable management services (https, ssh etc), configure DNS and NTP settings, register and activate the Palo Alto Networks Firewall. For more in-depth technical articles make sure to visit our Palo Alto Networks Firewall section.

It’s no coincidence that Palo Alto Networks is considered to be a leader and pioneer when it comes to Next Generation Firewall appliances and Gartner seems to agree with this statement based on their Magic Quadrant report in the Next Generation Firewall Segment:

Figure 1. Gartner Magic Quadrant for Enterprise Network Firewalls

Palo Alto Networks Next-Generation Firewalls unique way of processing a packet using the Single ­­­Pass Parallel Processing (SP3) engine makes them a clear leader.

Note: Read all our technical articles covering Palo Alto Firewalls by visiting our Palo Alto Firewall Section.

Basically, the SP3 engine utilizes the same stream-based signature format to process the protection features like Anti-Virus, Spyware, Vulnerability Protection and Data Filtering. By doing so the firewall saves valuable processing power, unlike other Unified Threat Management (UTM) appliances which serially process each security feature offered, this often introduces latency to the network traffic.

The advanced security features like App-ID, User-ID, Content-ID along with Security profiles, comprising feature like Antivirus, Anti-Spyware, Vulnerability protection, URL Filtering, DoS Protection and Data Filtering makes Palo Alto the leader. Most importantly its malware analysis solution WildFire offers advanced protection from unknown threats.

Palo Alto Networks offers its firewalls as Hardware Platforms and Virtual Platforms. Its Hardware Platforms comes in different flavors.

Figure 2. The Palo Alto Firewall family

PA-200 and PA-500 Series Firewalls are meant for Small Businesses and come with very limited throughput and do not support Virtual Systems. Virtual Systems, also known as VSYS, is used to create virtual firewall instances in a single-pair of Palo Alto Firewalls, in other words, Virtual Systems can be compared to contexts in Cisco ASA Firewalls or vdom in Fortinet firewalls. The PA-200, PA-500 Series Firewalls offer a very limited number of security policies like security rules, NAT rules, policy based forwarding rules and a few more.

Datasheets on Palo Alto Firewall appliances and Virtual Servers are available at our Palo Alto Datasheets and Guides download area

The table below provides a clear comparison of features and technical specifications of both PA-500 and PA-200 firewall models: