The PA-5000 series are new next generation firewalls with throughput of up to 20Gbps. They use multiple CPUs, RAM, and hardware acceleration engines to provide security functions. The PA-5000 architecture includes a control plane for management and a high throughput data plane. GlobalProtect provides secure remote access by creating a VPN tunnel between remote clients and gateways, and enforces security policies based on host information profiles gathered from endpoints. PAN-OS 4.0 provides more granular security policies and controls, an improved user interface, and networking enhancements such as active/active high availability and IPv6 support. New security features include botnet detection, enhanced intrusion prevention signatures, and client certificate authentication for captive portals.

1. AGENDA PA-5000 Series GlobalProtect PAN-OS 4.0

2. PA-5000 Series

3. PA-5000 Series PA-5060 PA-5050 PA-5020

4. Introducing the PA-5000 Series High performance Next Gen Firewall 3 Models, up to 20Gbps throughput, 10Gbps threat

7. Decoders

8. Session setup and tear-down

9. Session table

10. Segment reassembly, normalization

11. 100k URL filtering cache

13. Fast-path flows

14. Zone Protection Profiles

15. QOS

16. PBFControl Plane Data Plane

18. High speed logging and route update

23. Hardware accelerated per-packet route lookup, MAC lookup and NATSwitch Fabric QoS Data Plane Switch Fabric

24. PA-5000 Series Features Redundant, hot swap AC or DC power supplies SFP+ transceivers Hard Disks Two disk bays Solid State Drives Single 120GB included, additional 120 or 240GB drives are available. RAID 1 when two drives installed (must be identical) Hot-swappable fan tray

25. Global Protect

26. What is Global Protect? Global Protect applies security policy to end points regardless of their location Runs as a client on Windows PC Gathers host information (OPSWAT based) Creates VPN for remote clients Locates nearest portal for VPN connection Transparent operation to user

27. GP Architecture The Portal authenticates the user and directs them to a gateway where policy is Enforced. Portal 2 1 Gateway Gateway 2

28. Initial GP connection Laptop user makes an initial connection to the Portal and authenticates. Portal provides the software, HIP configuration, and gateway list. The downloaded Agent is installed and configured. Agent gathers host information, and finds closest Gateway If the closest Gateway is "internal” then no VPN If the closest Gateway is "external” then builds VPN HIP data is sent to Gateway The Gateway enforces security policy based on user, application, content AND the HIP submitted from the client.

29. HIP – Host Information Profile HIP Objects define an end point “Does the client have AV and is it enabled?” “Does the client have updated Microsoft patches?” “Is the client running notepad.exe?” End points return this information to the gateway HIP Profiles are defined by the objects an endpoint matches Security policy can be defined based on HIP profile “VPN clients who are members of HR can only access the HR database if they have disk encryption enabled”

30. HIP Object options Patch Management IsEnabled? LastScanTime MissingPatchList Vendor/Product Disk Encryption DiskState for each volume Vendor/Product Antivirus DataFileTime Vendor/Product LastFullScanTime RealTimeScanEnabled? Anti-Spyware DataFileTime Vendor/Product LastFullScanTime Firewall IsFirewallEnabled? Vendor/Product Host Info Machine Name Domain Organization

31. HIP Objects and Profile examples

32. Configuring Global Protect Portal Portal has many of the same authentication configuration of a SSL VPN Portal They can interoperate with some 3rd party VPN clients 3rd party clients can be set to override the GP tunnel Administrator can control what HIP objects are returned to the portal The portal determine what settings the UI of the client will use

33. Configuring Global Protect Gateway Gateway provides client addressing information Can provide basic messages to clients that pass / fail HIP profiles Contains all client VPN configuration

34. Policy Example using GP

35. PAN-OS 4.0: A Significant Milestone

37. PDF virus scanning

38. Drive by download protection

39. Hold-down time scan detection

40. Time attribute for IPS and custom signatures

42. Seamless URL activation

43. “Full” URL logging

45. Dynamic log storage via NFS

46. Panorama HA

47. UAR from Panorama

48. Exportable config backups

50. Configurable log storage by log type

51. Configurable event/log format (including CEF for ArcSight)

52. Configuration transactions

53. SNMPv3 support

54. Extended reporting for VSYS admins (scheduler, UAR, summary reports, email forwarding)

56. Networking Enhancements

59. Heartbeat Backup Link – Split Brain Protection <Heartbeat/Hello> <Heartbeat/Hello> Redundant path Data Plane status confirmation Supported on full product line

60. DNS Proxy Firewall acts as DNS server for clients Firewall uses DNS based on: Priority (Primary, Secondary) Domain Name ( xxx.local uses internal DNS, xxx.com uses public DNS) Static entry Is enabled by interface

61. IPv6 Support IPv6 Layer 3 interfaces IPv6 addresses in all policy IPv6 static routes in Virtual Routers ICMPv6 support DHCPv6 support Support for Neighbor Discovery

62. Networking enhancements Virtual Systems as routing targets Used in Virtual routers Used in PBF DNS based Address book entries Allow www.apple.com Country based Address book entries Block everything from Canada

63. Active/Active HA

64. Active/Active HA Both devices in the cluster are active and passing traffic Devices back each other, taking over primary ownership if either one fails Both devices load share the traffic BUT REMEMBER No increase in session capacity Not designed to increase throughput Supported modes L3 and vwire

65. Packet handling within the cluster Session ownership and session setup can be two different devices in the cluster It is atypical to implement it in this way Session setup Session setup maybe distributed among devices in HA group using IP modulo or hash Layer2 to Layer4 processing is handled by the session setup device This requires a dedicated HA interface- HA3 link Session ownership This device is responsible for all layer 7 processing

66. Session setup options IP modulo One device sets sessions for even numbered IP address and the peer sets sessions for odd numbered IP address This is preferred as it is deterministic IP hash Hash of either source or combination source/destination IP address is used for distributing session setup

67. Deployment topologies: Floating IP address Redundancy of IP address is accomplished using floating IP address Each interface on device is configured with floating IP addresses Floating IP address ownership is determined based on the device priority Load sharing is done externally via ECMP or configuring the clients with different default gateways RED- BACK GREEN-ACTIVE

68. Deployment topologies: ARP load sharing Firewalls share a virtual IP address Unique Virtual MAC per device is generated for the virtual IP address ARP load sharing is used for load balancing incoming traffic Hash or modulo of the source address of ARP requests to determine which device should handle the requests

69. Security Enhancements

70. Agenda - Security Enhancements Client cert auth for Captive Portal Botnet Detection and DDoS policy IPS action enhancements SSH Decryption Updated URL logging and reporting Global Protect Authentication Sequence Kerberos support

71. Client Certificate in Captive Portal Formerly available for SSL VPN and device authentication Now can be used in captive portal configuration Client Certificate can be configured as the only authentication option No Auth profile required Unlike client certs with admin authentication, this will be transparent. Uses the 3.1 “Client Certificate Profile” object

72. Drive-by Download Protection Warn end users about file transfer events New ‘Continue’ file blocking action Customizable response page The response page has a ‘continue’ button. If the user clicks ‘continue’, the file transfer will continue

73. Customizable Brute Force Attack Settings User defined thresholds for brute force signatures. Defined in the profile

74. Custom Combination Signatures Combine multiple signatures to create custom combination signatures Take individual spyware or vulnerability threat IDs and group them into one custom signature Take individual signatures and apply thresholds for number of hits over specified time period

75. Block IP Action (Blackhole) Block all future traffic from a host after triggering a security condition Spyware and vulnerability signatures DoS protection rulebase Zone protection Block time in seconds Max 21600 seconds in DoS protection rulebase Max 3600 seconds in spyware and vulnerability profiles Block method: Based on sourceIP or source-and-destination IP

76. DoS Protection Rulebase Extends existing DoS protections that are currently configurable on a per-zone basis Rules based on source/dest zone, source/dest IP, country, service, and user Two types of profiles are supported: Aggregate: Thresholds apply to all traffic Classified: Thresholds apply either on basis of source IP, destination IP or a combination of both.

77. Behavior-based Botnet Detection Collate information from Traffic, Threat, URL logs to identify potentially botnet-infected hosts A report will be generated each day list of infected hosts, description (why we believe the host to be infected) Confidence level Following parameters (configurable) to detect botnets Unknown TCP/UDP IRC HTTP traffic (malware sites, recently registered, IP domains, Dynamic Domains) Users can configure a query for specific traffic

78. Updated URL Logging Can log just container pages Previously cnn.com created 26 URL logs Can filter to have just one Uses the Container Page setting in the device tab Full URL logging Now logs up to 1023 bytes of the URL Previous max was 256

79. SSH Decryption Uses same tactic as SSL decryption No additional configuration required New “Block if failed to decrypt” option User certificates Unsupported crypto system Can now block the connection Previously we would allow it

80. Authentication Sequence Can configure multiple authentication profiles If the first one in the list fails the next will be attempted Can be used to cycle through multiple RADIUS or Active Directory Forest designs The Authentication Sequence object can be used in the same locations as a regular Authentication profile

81. Native Kerberos Authentication Firewall can now authenticate to AD without the use of an Agent Can be used like RADIUS or LDAP authentication servers Does not retrieve group membership – AD Agent or LDAP server required.

82. Questions Questions?