paloaltonetworks:new_setup
Enable the firewall to return a clean block page even when the HTTPS session is not being decrypted (this requires the endpoint to trust the Forward Trust certificate on the firewall). Note that this only works for URL filtering. If you block an application (e.g. Twitter) without decryption, you will just get a native browser error (e.g. Secure Connection Failed).
set deviceconfig setting ssl-decrypt url-proxy yes
You can check a configuration to see if this is set by searching for
<url-proxy>yes</url-proxy>
Secure SSL on the management interface
set shared ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no keyxchg-algo-rsa no
Secure SSH on the management interface
On PAN-OS 9.1 and earlier
configure
delete deviceconfig system ssh
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm
set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
set deviceconfig system ssh session-rekey mgmt interval 3600
set deviceconfig system ssh mac mgmt hmac-sha2-256
set deviceconfig system ssh mac mgmt hmac-sha2-512
commit
run set ssh service-restart mgmt
Enable more detailed logging in the Threat log for Zone Protection Profile events.
set system setting additional-threat-log on
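As an added example (not part of this wiki page), the following Python script audits an exported PAN-OS configuration for the url-proxy, management SSH cipher and SSL/TLS service profile settings covered above. The XML paths are assumed from the set-command paths on this page, and the sample configuration is constructed rather than taken from a real firewall.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS config export, laid out along the same paths
# as the `set` commands on this page (structure assumed, not a real export).
# It deliberately leaves a weak SSH cipher on and RSA key exchange allowed.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><deviceconfig>
    <setting><ssl-decrypt><url-proxy>yes</url-proxy></ssl-decrypt></setting>
    <system><ssh><ciphers><mgmt>
      <aes256-ctr/><aes256-gcm/><aes128-cbc/>
    </mgmt></ciphers></ssh></system>
  </deviceconfig></entry></devices>
  <shared><ssl-tls-service-profile><entry name="MGMT_TLS"><protocol-settings>
    <auth-algo-sha1>no</auth-algo-sha1><enc-algo-3des>no</enc-algo-3des>
    <enc-algo-rc4>no</enc-algo-rc4><enc-algo-aes-128-cbc>no</enc-algo-aes-128-cbc>
    <enc-algo-aes-128-gcm>no</enc-algo-aes-128-gcm>
    <enc-algo-aes-256-cbc>no</enc-algo-aes-256-cbc>
    <keyxchg-algo-rsa>yes</keyxchg-algo-rsa>
  </protocol-settings></entry></ssl-tls-service-profile></shared>
</config>"""

# Algorithms the page's ssl-tls-service-profile command sets to "no".
WEAK_TLS_SETTINGS = ("auth-algo-sha1", "enc-algo-3des", "enc-algo-rc4",
                     "enc-algo-aes-128-cbc", "enc-algo-aes-128-gcm",
                     "enc-algo-aes-256-cbc", "keyxchg-algo-rsa")
ALLOWED_SSH_CIPHERS = {"aes256-ctr", "aes256-gcm"}  # the two ciphers the page keeps

def audit_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. Clean block page for undecrypted HTTPS: url-proxy must be 'yes'.
    node = root.find(".//deviceconfig/setting/ssl-decrypt/url-proxy")
    if node is None or node.text != "yes":
        findings.append("ssl-decrypt url-proxy is not 'yes'")
    # 2. Management SSH ciphers: any cipher outside the allow-list is a finding.
    mgmt = root.find(".//deviceconfig/system/ssh/ciphers/mgmt")
    configured = {c.tag for c in mgmt} if mgmt is not None else set()
    for cipher in sorted(configured - ALLOWED_SSH_CIPHERS):
        findings.append(f"ssh mgmt cipher {cipher} is enabled")
    # 3. Every shared TLS profile must explicitly disable each weak algorithm;
    #    an absent value falls back to the firewall default, so it is flagged.
    for prof in root.findall(".//shared/ssl-tls-service-profile/entry"):
        for setting in WEAK_TLS_SETTINGS:
            val = prof.findtext(f"protocol-settings/{setting}")
            if val != "no":
                findings.append(f"profile {prof.get('name')}: {setting} is not 'no'")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against `show config running` output saved as XML to get one finding per setting that still deviates from the hardening above.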