Saturday, April 20, 2024

Palo Alto ‘mode’ configurations

What are the four deployment modes, and how does each one work?

a. TAP mode:

A network tap is a device that provides a way to access the data flowing across a computer network.

Tap mode deployment lets you passively monitor traffic flows across a network by way of a switch SPAN or mirror port.

The SPAN or mirror port copies traffic from other ports on the switch. You dedicate an interface on the firewall as a tap-mode interface and connect it to the switch SPAN port; the SPAN port then feeds the mirrored traffic to the firewall.

Why use Tap Mode?

By deploying the firewall in tap mode, you get visibility into which applications are running on your network without having to make any changes to your network design.

In addition, in tap mode the firewall can also identify threats on your network.

Keep in mind, however, that because the traffic does not pass through the firewall in tap mode, the firewall cannot take any action on it, such as blocking traffic that carries threats or applying QoS. It can only log and report what it sees, so tap mode is for assessment and visibility, not enforcement.

b. V-Wire mode / Virtual Wire mode:

In a virtual wire deployment, you install the firewall transparently on a network segment by binding two firewall ports (interfaces) together. The virtual wire logically connects the two interfaces; hence, the virtual wire is internal to the firewall.


Use a virtual wire deployment when you want to integrate a firewall into an existing topology seamlessly. The two bound interfaces do no switching or routing; the firewall is considered a bump in the wire for these two interfaces.

How does virtual wire mode work?

Each virtual wire interface is directly connected to a Layer 2 or Layer 3 networking device or host. The virtual wire interfaces have no Layer 2 or Layer 3 address. When one of the virtual wire interfaces receives a frame or packet, it ignores any Layer 2 or Layer 3 address for switching or routing purposes, but applies your security or NAT policy rules before passing the frame or packet over the virtual wire to the second interface and on to the network device connected to it. A virtual wire allows Layer 2 and Layer 3 traffic from the connected devices to pass transparently as long as the policies applied to the zone or interface allow it. The virtual wire interfaces themselves do not participate in routing or switching, and because they carry no addresses the firewall is invisible to the hosts on either side; you manage it through the dedicated management port or a separate Layer 3 interface.

c. Layer 2 mode:

In a Layer 2 deployment, the firewall provides the switching between two or more networks.

Devices are connected to a Layer 2 segment; the firewall forwards each frame to the port associated with the destination MAC address in the frame. Configure a Layer 2 interface when a switch is required.


Layer 2 with VLANs

You can configure a Layer 2 interface with or without VLANs. When your organization wants to divide a LAN into separate virtual LANs (VLANs) to keep the traffic and policies of different departments separate, you can logically group Layer 2 hosts into VLANs and thus divide a Layer 2 network segment into multiple broadcast domains.
For example, you can create VLANs for the Finance and Engineering departments. To do so, configure a Layer 2 interface, a Layer 2 subinterface for each VLAN tag, and a VLAN object for each broadcast domain.

d. Layer 3 mode:

In a Layer 3 deployment, the firewall routes traffic between multiple ports using IP addressing. Each Layer 3 interface must be assigned to a virtual router, which holds the routing table the firewall uses to forward traffic for that interface, so plan the virtual router before you configure the interfaces.

Layer 3 deployments require more network planning and configuration than the other interface types, but they are still the most widely used in firewall deployments.
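As an added example, not part of the original post and not taken from Palo Alto documentation, here is what the four modes look like when entered from the PAN-OS CLI in configure mode. Interface numbers, zone names, VLAN tags and IP addresses are made up for illustration; the command grammar is the PAN-OS set syntax as the editor knows it, so check it against the CLI reference for your PAN-OS version before relying on it. Lines starting with # are annotations, not CLI input. Note what each mode requires: tap needs a zone of type tap, a virtual wire needs a vwire object binding exactly two interfaces, Layer 2 needs a VLAN object to define each broadcast domain, and Layer 3 needs an IP address plus membership in a virtual router.

```text
# --- a. Tap: one interface receiving the SPAN copy; the zone type must be "tap"
set network interface ethernet ethernet1/1 tap
set zone tap-monitor network tap ethernet1/1

# --- b. Virtual wire: two interfaces bound together, no IP or MAC on either side
set network interface ethernet ethernet1/2 virtual-wire
set network interface ethernet ethernet1/3 virtual-wire
set network virtual-wire vw-dmz interface1 ethernet1/2 interface2 ethernet1/3
set zone vw-outside network virtual-wire ethernet1/2
set zone vw-inside network virtual-wire ethernet1/3

# --- c. Layer 2: tagged subinterfaces on two ports; one VLAN object per broadcast domain
#     (Finance = tag 10, Engineering = tag 20), so the firewall switches within a VLAN
#     and policy between zones controls what crosses it
set network interface ethernet ethernet1/4 layer2
set network interface ethernet ethernet1/7 layer2
set network interface ethernet ethernet1/4 layer2 units ethernet1/4.10 tag 10
set network interface ethernet ethernet1/7 layer2 units ethernet1/7.10 tag 10
set network interface ethernet ethernet1/4 layer2 units ethernet1/4.20 tag 20
set network interface ethernet ethernet1/7 layer2 units ethernet1/7.20 tag 20
set network vlan finance-vlan interface [ ethernet1/4.10 ethernet1/7.10 ]
set network vlan engineering-vlan interface [ ethernet1/4.20 ethernet1/7.20 ]
set zone l2-finance network layer2 [ ethernet1/4.10 ethernet1/7.10 ]
set zone l2-engineering network layer2 [ ethernet1/4.20 ethernet1/7.20 ]

# --- d. Layer 3: addresses on the interfaces, both placed in a virtual router,
#     plus a default route so the virtual router can actually forward outbound traffic
set network interface ethernet ethernet1/5 layer3 ip 10.1.1.1/24
set network interface ethernet ethernet1/6 layer3 ip 198.51.100.2/30
set network virtual-router default interface [ ethernet1/5 ethernet1/6 ]
set network virtual-router default routing-table ip static-route default-route destination 0.0.0.0/0 nexthop ip-address 198.51.100.1
set zone l3-trust network layer3 ethernet1/5
set zone l3-untrust network layer3 ethernet1/6

commit
```

Two practical checks after the commit: every interface must belong to a zone before security policy can reference it, and an interface left without a zone passes nothing; and in tap mode a rule with action deny still only produces a log entry, because the original frame was already delivered by the switch before the SPAN copy reached the firewall.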

Friday, April 19, 2024

Palo Alto Next-Generation Firewall

What Makes Palo Alto Different?

Based on patent-pending App-ID™ technology, Palo Alto Networks' next-generation firewalls accurately identify applications, regardless of port, protocol, evasive tactic or SSL encryption, and scan content to stop threats and prevent data leakage. Enterprises can for the first time embrace Web 2.0 and maintain complete visibility and control, while significantly reducing the total cost of ownership through device consolidation.

Here are the capabilities that Palo Alto Networks markets as unique to its next-generation firewalls (vendor claims, reproduced as stated):

* The only firewall to classify traffic based on the accurate identification of the application, not just port/protocol information.
* The only firewall to identify, control and inspect SSL-encrypted traffic and applications.
* The only firewall with real-time (line-rate, low-latency) content scanning to protect against viruses, spyware, data leakage and application vulnerabilities, based on a stream-based threat prevention engine.
* The only firewall to provide graphical visualization of applications on the network with detailed user, group and network-level data categorized by sessions, bytes, ports, threats and time.
* The only firewall with line-rate, low-latency performance for all services, even under load.

App-ID: classifying traffic on all ports all the time, irrespective of protocol, encryption or any other evasion tactic

Accurate traffic classification is the heart of any firewall, and the result becomes the basis of the security policy. Traditional firewalls classify traffic by port and protocol, which at one point was a satisfactory mechanism for securing the perimeter.
Today, applications can easily bypass a port-based firewall by hopping ports, using SSL or SSH, sneaking across port 80, or using non-standard ports. App-ID™, a patent-pending traffic classification mechanism unique to Palo Alto Networks, addresses the classification limitations that plague traditional firewalls by applying multiple classification mechanisms to the traffic stream as soon as the device sees it, to determine the exact identity of the applications traversing the network.



App-ID:
Classify traffic based on applications, not ports. App-ID uses multiple identification mechanisms to determine the exact identity of the applications traversing the network. The mechanisms are applied in the following order:
• Traffic is first classified based on IP address and port.
• Signatures are then applied to the allowed traffic to identify the application based on unique application properties and related transaction characteristics.
• If App-ID determines that encryption (SSL or SSH) is in use and a decryption policy is in place, the session is decrypted and the application signatures are applied again to the decrypted flow.
• Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside the protocol (e.g., Yahoo! Instant Messenger carried over HTTP).
• For applications that are particularly evasive and cannot be identified through signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.

As the successive mechanisms identify the application, the policy check determines how to treat the application and its associated functions: block it, or allow it and scan for threats, inspect for unauthorized file transfers and data patterns, or shape it using QoS. One practical consequence of this ordering is that the application a session maps to can change mid-session (for example from ssl to web-browsing once decryption reveals the inner protocol), so a rule that is meant to allow decrypted web traffic has to allow the final application as well as ssl.

User-ID: securely enable applications on your network based on users and groups – not just IP addresses

Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and applications means that IP addresses alone have become ineffective as a mechanism for monitoring and controlling user activity. Palo Alto Networks' next-generation firewalls integrate with the widest range of user repositories on the firewall market, enabling organizations to incorporate user and group information into their security policies. Through User-ID, organizations also get full visibility into user activity on the network as well as user-based.

Content-ID: real-time content scanning blocks threats, controls web surfing, and limits data and file transfers.

Content-ID combines a real-time threat prevention engine with a comprehensive URL database and elements of application identification to limit unauthorized data and file transfers, detect and block a wide range of threats, and control non-work-related web surfing. The application visibility and control delivered by App-ID, combined with the content inspection enabled by Content-ID, means that IT departments can regain control over application traffic and the related content. The NSS-rated IPS blocks known and unknown vulnerability exploits, buffer overflows, DoS attacks and port scans from compromising and damaging enterprise information resources. IPS mechanisms include:
• Protocol decoder-based analysis, which statefully decodes the protocol.
• Protocol anomaly-based protection, which detects non-RFC-compliant protocol usage.
• Stateful pattern matching, which detects attacks spread over multiple packets.
• Statistical anomaly detection, which prevents rate-based DoS floods.
• Heuristic-based analysis, which detects anomalous packet and traffic patterns such as port scans and port sweeps.
• Custom vulnerability or spyware phone-home signatures, which can be used in either the anti-spyware or the vulnerability protection profile.
• Other attack protection capabilities such as blocking invalid or malformed packets, IP defragmentation, and TCP reassembly to protect against evasion and obfuscation methods.

URL Filtering by BrightCloud:
Complementing the threat prevention and application control capabilities is a fully integrated URL filtering database of 20 million URLs across 76 categories that enables IT departments to monitor and control employee web surfing activity.

File and Data Filtering:
Data filtering features enable administrators to implement policies that reduce the risks associated with the transfer of unauthorized files and data.
  • File blocking by type: control the flow of a wide range of file types by looking deep within the payload to identify the file type (as opposed to looking only at the file extension).
  • Data filtering: control the transfer of sensitive data patterns, such as credit card and social security numbers, in application content or attachments.
  • File transfer function control: control the file transfer functionality within an individual application, allowing the application to be used while preventing undesired inbound or outbound file transfers.
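As an added example, not from the page and not from Palo Alto's documentation, here is the shape of a PAN-OS configure-mode policy that puts the three engines above (App-ID, User-ID and Content-ID) to work together: a decryption rule so App-ID signatures and Content-ID scanning can run on the cleartext of outbound TLS, and a security rule that matches on application and user group rather than on port and source address, with the Content-ID profiles attached. The zone names, the group name "acme\finance-users", and the file-blocking and data-filtering profile names (assumed to have been created beforehand, for example in the GUI) are made up; the command grammar is the PAN-OS set syntax as the editor knows it and should be checked against your PAN-OS version. Lines starting with # are annotations, not CLI input.

```text
# Decrypt outbound TLS from the trusted zone so application signatures and
# threat/data scanning see the cleartext (requires a forward-trust CA on the firewall)
set rulebase decryption rules decrypt-outbound-web from l3-trust to l3-untrust source any destination any service any category any action decrypt type ssl-forward-proxy

# Allow only members of the Finance group to browse the web, on the application's
# default ports only (App-ID plus application-default, not "any" service), and
# attach antivirus, anti-spyware, vulnerability, URL, file and data inspection
set rulebase security rules finance-web-out from l3-trust to l3-untrust source any destination any source-user "acme\finance-users" application [ web-browsing ssl ] service application-default action allow
set rulebase security rules finance-web-out profile-setting profiles virus default spyware default vulnerability default url-filtering default file-blocking block-exe-and-archives data-filtering pci-card-numbers
set rulebase security rules finance-web-out log-end yes

# Everything not explicitly allowed falls through to the implicit interzone deny;
# turn on logging there so the denies are visible in the traffic log
set rulebase default-security-rules rules interzone-default log-end yes

commit
```

Three points worth checking on a real deployment. First, the rule lists both ssl and web-browsing because the identified application shifts from ssl to web-browsing once the session is decrypted; listing only web-browsing would drop the initial handshake. Second, service application-default is what ties App-ID back to ports: web-browsing is then only permitted on its standard ports, so a tunnel pretending to be web-browsing on port 22 does not match. Third, after the commit you can verify what a given flow would hit from operational mode with test security-policy-match, for example test security-policy-match from l3-trust to l3-untrust source 10.1.1.10 destination 203.0.113.5 protocol 6 destination-port 443 application ssl, and confirm it returns finance-web-out rather than interzone-default.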

How to configure dynamic routing protocols in a Palo Alto firewall (BGP and OSPF)

BGP vs. OSPF: Configure interfaces. Go to Network > Interfaces. Select the interface (e.g., ethernet1/1, ethernet 1/2, ethernet 1/...