OpenSkillIndex← back to search
claude-code

Asi implementing-next-generation-firewall-with-palo-alto

Configure and deploy Palo Alto Networks next-generation firewalls with App-ID, User-ID, zone-based policies, SSL decryption, and threat prevention profiles for enterprise network security.

install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/implementing-next-generation-firewall-with-palo-alto" ~/.claude/skills/plurigrid-asi-implementing-next-generation-firewall-with-palo-alto && rm -rf "$T"
manifest: plugins/asi/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md
tags
#palo-alto#ngfw#firewall#app-id#user-id#threat-prevention#network-security#ssl-decryption#zone-protection
source content

Implementing Next-Generation Firewall with Palo Alto

Overview

Palo Alto Networks Next-Generation Firewalls (NGFWs) move beyond traditional port-based rule enforcement to application-aware, identity-driven security policies. By leveraging App-ID for traffic classification, User-ID for identity-based enforcement, Content-ID for threat inspection, and SSL decryption for encrypted traffic visibility, organizations gain comprehensive control over network traffic. This skill covers end-to-end deployment from initial configuration through advanced threat prevention profiles.

When to Use

  • When deploying or configuring implementing next generation firewall with palo alto capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Palo Alto Networks PA-series appliance or VM-Series virtual firewall
  • PAN-OS 10.2 or later
  • Valid Threat Prevention, URL Filtering, and WildFire licenses
  • Network topology documentation with zone definitions
  • LDAP/Active Directory integration credentials for User-ID
  • Internal CA certificate for SSL Forward Proxy decryption

Core Concepts

App-ID Technology

App-ID classifies network traffic by application regardless of port, protocol, or encryption. The classification engine uses multiple identification techniques in sequence:

  1. Application Signatures - Pattern matching against known application signatures
  2. SSL/TLS Decryption - Decrypt traffic to identify applications hidden in encrypted tunnels
  3. Application Protocol Decoding - Decode protocols to find applications tunneled within them
  4. Heuristic Analysis - Behavioral analysis for applications that evade other methods

The Policy Optimizer tool assists migration from legacy port-based rules to App-ID rules by analyzing traffic logs and recommending application-specific replacements.

User-ID Integration

User-ID maps IP addresses to user identities through multiple methods:

  • Server Monitoring - Parses Windows Security Event Logs (Event IDs 4624, 4768, 4769)
  • Syslog Listening - Receives authentication events from RADIUS, 802.1X, proxies
  • GlobalProtect - Maps VPN users automatically
  • Captive Portal - Web-based authentication for unknown users
  • XML API - Programmatic user mapping from custom sources

Zone-Based Architecture

Zones represent logical segments of the network. Security policies control traffic between zones (inter-zone) and within zones (intra-zone):

ZonePurposeTrust Level
TrustInternal corporate LANHigh
UntrustInternet-facingNone
DMZPublic-facing serversMedium
GuestGuest wirelessLow
DataCenterServer infrastructureHigh

Workflow

Step 1: Initial System Configuration

Configure management interface, DNS, NTP, and system settings:

set deviceconfig system hostname PA-FW01
set deviceconfig system domain corp.example.com
set deviceconfig system dns-setting servers primary 10.0.1.10
set deviceconfig system dns-setting servers secondary 10.0.1.11
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 0.pool.ntp.org
set deviceconfig system timezone US/Eastern
set deviceconfig system login-banner "Authorized access only. All activity is monitored."

Step 2: Configure Network Zones and Interfaces

Define security zones and assign interfaces:

set zone Trust network layer3 ethernet1/1
set zone Untrust network layer3 ethernet1/2
set zone DMZ network layer3 ethernet1/3
set zone Guest network layer3 ethernet1/4

set network interface ethernet ethernet1/1 layer3 ip 10.10.0.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping
set network interface ethernet ethernet1/2 layer3 dhcp-client

set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 ]

Step 3: Configure Zone Protection Profiles

Protect against reconnaissance and DoS attacks at the zone level:

set network profiles zone-protection-profile Strict-ZP flood tcp-syn enable yes
set network profiles zone-protection-profile Strict-ZP flood tcp-syn alert-rate 100
set network profiles zone-protection-profile Strict-ZP flood tcp-syn activate-rate 500
set network profiles zone-protection-profile Strict-ZP flood tcp-syn maximal-rate 2000
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies enable yes

set network profiles zone-protection-profile Strict-ZP flood udp enable yes
set network profiles zone-protection-profile Strict-ZP flood icmp enable yes

set network profiles zone-protection-profile Strict-ZP scan 8003 action block-ip
set network profiles zone-protection-profile Strict-ZP scan 8003 interval 2
set network profiles zone-protection-profile Strict-ZP scan 8003 threshold 100

Step 4: Configure Threat Prevention Profiles

Create Anti-Virus, Anti-Spyware, Vulnerability Protection, and URL Filtering profiles:

# Anti-Spyware Profile
set profiles spyware Strict-AS botnet-domains lists default-paloalto-dns packet-capture single-packet
set profiles spyware Strict-AS botnet-domains sinkhole ipv4-address pan-sinkhole-default-ip
set profiles spyware Strict-AS rules Block-Critical severity critical action block-ip

# Vulnerability Protection Profile
set profiles vulnerability Strict-VP rules Block-Critical-High vendor-id any severity [ critical high ] action block-ip

# URL Filtering Profile
set profiles url-filtering Strict-URL credential-enforcement mode ip-user
set profiles url-filtering Strict-URL block [ command-and-control malware phishing ]
set profiles url-filtering Strict-URL alert [ hacking proxy-avoidance-and-anonymizers ]

# File Blocking Profile
set profiles file-blocking Strict-FB rules Block-Dangerous application any file-type [ bat exe msi ps1 vbs ] direction both action block

# WildFire Analysis Profile
set profiles wildfire-analysis Strict-WF rules Forward-All application any file-type any direction both analysis public-cloud

Step 5: Configure SSL Decryption

Set up SSL Forward Proxy for outbound traffic inspection:

# Generate Forward Trust CA certificate
request certificate generate certificate-name SSL-FP-CA algorithm RSA digest sha256 ca yes

# Create Decryption Profile
set profiles decryption Strict-Decrypt ssl-forward-proxy block-expired-certificate yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-untrusted-issuer yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-unknown-cert yes
set profiles decryption Strict-Decrypt ssl-forward-proxy restrict-cert-exts yes

# Create Decryption Policy
set rulebase decryption rules Decrypt-Outbound from Trust to Untrust source any destination any
set rulebase decryption rules Decrypt-Outbound action decrypt type ssl-forward-proxy
set rulebase decryption rules Decrypt-Outbound profile Strict-Decrypt

# Exclude sensitive categories (financial, healthcare)
set rulebase decryption rules No-Decrypt-Sensitive from Trust to Untrust
set rulebase decryption rules No-Decrypt-Sensitive category [ financial-services health-and-medicine ]
set rulebase decryption rules No-Decrypt-Sensitive action no-decrypt

Step 6: Build Security Policies

Create application-aware security policies with security profiles:

# Allow business applications from Trust to Internet
set rulebase security rules Allow-Business from Trust to Untrust
set rulebase security rules Allow-Business source-user any
set rulebase security rules Allow-Business application [ office365-enterprise salesforce-base slack-base zoom ]
set rulebase security rules Allow-Business service application-default
set rulebase security rules Allow-Business action allow
set rulebase security rules Allow-Business profile-setting group Strict-Security-Profiles

# Allow web browsing with URL filtering
set rulebase security rules Allow-Web from Trust to Untrust
set rulebase security rules Allow-Web application [ web-browsing ssl ]
set rulebase security rules Allow-Web action allow
set rulebase security rules Allow-Web profile-setting profiles url-filtering Strict-URL

# Block high-risk applications
set rulebase security rules Block-HighRisk from any to any
set rulebase security rules Block-HighRisk application [ bittorrent tor anonymizer ]
set rulebase security rules Block-HighRisk action deny
set rulebase security rules Block-HighRisk log-end yes

# Default deny rule (explicit)
set rulebase security rules Deny-All from any to any source any destination any
set rulebase security rules Deny-All application any service any action deny
set rulebase security rules Deny-All log-end yes

Step 7: Configure Logging and SIEM Integration

Forward logs to a SIEM for correlation:

# Configure Syslog Server Profile
set shared log-settings syslog SIEM-Server server SIEM transport UDP port 514 server 10.0.5.100
set shared log-settings syslog SIEM-Server server SIEM facility LOG_USER

# Configure Log Forwarding Profile
set shared log-settings profiles SIEM-Forward match-list Threats log-type threat
set shared log-settings profiles SIEM-Forward match-list Threats send-syslog SIEM-Server
set shared log-settings profiles SIEM-Forward match-list Traffic log-type traffic
set shared log-settings profiles SIEM-Forward match-list Traffic send-syslog SIEM-Server
set shared log-settings profiles SIEM-Forward match-list URL log-type url
set shared log-settings profiles SIEM-Forward match-list URL send-syslog SIEM-Server

Validation and Testing

  1. Policy Audit - Review with 
    show running security-policy
    and check for shadowed rules
  2. Traffic Verification - Monitor Traffic logs for application classification accuracy
  3. Threat Simulation - Use EICAR test file and known-bad URLs to validate threat profiles
  4. SSL Decryption Test - Verify certificate chain in browser matches Forward Trust CA
  5. Zone Protection Test - Run controlled SYN flood to verify SYN cookie activation
  6. Policy Optimizer - Run Policy Optimizer to identify remaining port-based rules
# Verify active sessions
show session all filter application web-browsing

# Check threat log entries
show log threat direction equal backward

# Verify App-ID classification
show running application-override

# Check system resources
show system resources

Best Practices

  • Least Privilege - Start with deny-all and explicitly allow only required applications
  • App-ID Over Port - Replace port-based rules with application-specific rules using Policy Optimizer
  • Decryption Coverage - Decrypt at least 80% of SSL traffic with appropriate privacy exclusions
  • Security Profile Groups - Apply Anti-Virus, Anti-Spyware, Vulnerability, URL Filtering, File Blocking, and WildFire as a group
  • Signature Updates - Enable automatic daily content updates for Applications and Threats
  • HA Configuration - Deploy in active/passive HA pair for production environments
  • Commit Validation - Always validate configuration before committing: 
    validate full

References