PAN-OS Web Interface Help

Version 10.1

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/
document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
[email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2021-2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
October 6, 2021

2 PAN-OS WEB INTERFACE HELP |


Table of Contents
Web Interface Basics.......................................................................................13
Firewall Overview..................................................................................................................................... 15
Features and Benefits..............................................................................................................................16
Last Login Time and Failed Login Attempts.......................................................................................17
Message of the Day................................................................................................................................. 18
Task Manager.............................................................................................................................................19
Language......................................................................................................................................................21
Alarms.......................................................................................................................................................... 22
Commit Changes....................................................................................................................................... 23
Save Candidate Configurations............................................................................................................. 27
Revert Changes......................................................................................................................................... 31
Lock Configurations..................................................................................................................................35
Global Find..................................................................................................................................................37
Threat Details.............................................................................................................................................38
AutoFocus Intelligence Summary......................................................................................................... 40
Configuration Table Export.................................................................................................................... 42
Change Boot Mode.................................................................................................................................. 43

Dashboard...........................................................................................................45
Dashboard Widgets..................................................................................................................................47

ACC.......................................................................................................................49
A First Glance at the ACC......................................................................................................................51
ACC Tabs.................................................................................................................................................... 53
ACC Widgets..............................................................................................................................................54
ACC Actions............................................................................................................................................... 56
Working with Tabs and Widgets............................................................................................. 56
Working with Filters—Local Filters and Global Filters........................................................ 57

Monitor................................................................................................................59
Monitor > Logs.......................................................................................................................................... 61
Log Types....................................................................................................................................... 61
Log Actions.................................................................................................................................... 66
Monitor > External Logs......................................................................................................................... 69
Monitor > Automated Correlation Engine..........................................................................................70
Monitor > Automated Correlation Engine > Correlation Objects.................................... 70
Monitor > Automated Correlation Engine > Correlated Events....................................... 71
Monitor > Packet Capture......................................................................................................................73
Packet Capture Overview.......................................................................................................... 73
Building Blocks for a Custom Packet Capture...................................................................... 74
Enable Threat Packet Capture.................................................................................................. 76
Monitor > App Scope.............................................................................................................................. 78
App Scope Overview...................................................................................................................78
App Scope Summary Report..................................................................................................... 78
App Scope Change Monitor Report........................................................................................ 79
App Scope Threat Monitor Report.......................................................................................... 81
App Scope Threat Map Report.................................................................................................83

TABLE OF CONTENTS iii


App Scope Network Monitor Report......................................................................................84
App Scope Traffic Map Report.................................................................................................85
Monitor > Session Browser....................................................................................................................88
Monitor > Block IP List........................................................................................................................... 89
Block IP List Entries.....................................................................................................................89
View or Delete Block IP List Entries....................................................................................... 90
Monitor > Botnet......................................................................................................................................91
Botnet Report Settings............................................................................................................... 91
Botnet Configuration Settings.................................................................................................. 91
Monitor > PDF Reports...........................................................................................................................94
Monitor > PDF Reports > Manage PDF Summary.............................................................. 94
Monitor > PDF Reports > User Activity Report...................................................................95
Monitor > PDF Reports > SaaS Application Usage............................................................. 97
Monitor > PDF Reports > Report Groups............................................................................. 99
Monitor > PDF Reports > Email Scheduler........................................................................... 99
Monitor > Manage Custom Reports..................................................................................................101
Monitor > Reports..................................................................................................................................103

Policies...............................................................................................................105
Policy Types............................................................................................................................................. 107
Move or Clone a Policy Rule...............................................................................................................108
Audit Comment Archive....................................................................................................................... 109
Audit Comments........................................................................................................................ 109
Config Logs (between commits).............................................................................................109
Rule Changes.............................................................................................................................. 110
Rule Usage Hit Count Query.............................................................................................................. 111
Device Rule Usage for Rule Hit Count Query....................................................................112
Policies > Security.................................................................................................................................. 113
Security Policy Overview.........................................................................................................113
Building Blocks in a Security Policy Rule.............................................................................114
Creating and Managing Policies.............................................................................................123
Overriding or Reverting a Security Policy Rule..................................................................126
Applications and Usage............................................................................................................ 128
Security Policy Optimizer........................................................................................................ 132
Policies > NAT.........................................................................................................................................135
NAT Policies General Tab........................................................................................................135
NAT Original Packet Tab......................................................................................................... 136
NAT Translated Packet Tab.................................................................................................... 137
NAT Active/Active HA Binding Tab..................................................................................... 139
NAT Target Tab......................................................................................................................... 140
Policies > QoS......................................................................................................................................... 141
Policies > Policy Based Forwarding................................................................................................... 145
Policy Based Forwarding General Tab................................................................................. 145
Policy Based Forwarding Source Tab................................................................................... 146
Policy Based Forwarding Destination/Application/Service Tab.....................................147
Policy Based Forwarding Forwarding Tab...........................................................................147
Policy Based Forwarding Target Tab....................................................................................149
Policies > Decryption............................................................................................................................ 150
Decryption General Tab...........................................................................................................150
Decryption Source Tab.............................................................................................................151
Decryption Destination Tab....................................................................................................152
Decryption Service/URL Category Tab................................................................................152
Decryption Options Tab.......................................................................................................... 153
Decryption Target Tab............................................................................................................. 154

Policies > Network Packet Broker..................................................................................................... 155
Network Packet Broker General Tab....................................................................................155
Network Packet Broker Source Tab..................................................................................... 156
Network Packet Broker Destination Tab.............................................................................157
Network Packet Broker Application/Service/Traffic Tab................................................ 157
Network Packet Broker Path Selection Tab....................................................................... 158
Network Packet Broker Policy Optimizer Rule Usage......................................................158
Policies > Tunnel Inspection................................................................................................................160
Building Blocks in a Tunnel Inspection Policy.................................................................... 160
Policies > Application Override.......................................................................................................... 166
Application Override General Tab.........................................................................................166
Application Override Source Tab...........................................................................................167
Application Override Destination Tab..................................................................................168
Application Override Protocol/Application Tab.................................................................168
Application Override Target Tab........................................................................................... 168
Policies > Authentication......................................................................................................................170
Building Blocks of an Authentication Policy Rule..............................................................170
Create and Manage Authentication Policy..........................................................................175
Policies > DoS Protection.................................................................................................................... 176
DoS Protection General Tab...................................................................................................176
DoS Protection Source Tab.....................................................................................................177
DoS Protection Destination Tab............................................................................................178
DoS Protection Option/Protection Tab............................................................................... 178
DoS Protection Target Tab..................................................................................................... 180
Policies > SD-WAN................................................................................................................................181
SD-WAN General Tab.............................................................................................................. 181
SD-WAN Source Tab................................................................................................................182
SD-WAN Destination Tab....................................................................................................... 183
SD-WAN Application/Service Tab........................................................................................ 183
SD-WAN Path Selection Tab..................................................................................................184
SD-WAN Target Tab.................................................................................................................185

Objects.............................................................................................................. 187
Move, Clone, Override, or Revert Objects...................................................................................... 189
Move or Clone an Object........................................................................................................189
Override or Revert an Object.................................................................................................189
Objects > Addresses..............................................................................................................................191
Objects > Address Groups................................................................................................................... 193
Objects > Regions.................................................................................................................................. 195
Objects > Dynamic User Groups........................................................................................................196
Objects > Applications.......................................................................................................................... 198
Applications Overview..............................................................................................................198
Actions Supported on Applications.......................................................................................202
Defining Applications................................................................................................................205
Objects > Application Groups............................................................................................................. 209
Objects > Application Filters............................................................................................................... 210
Objects > Services..................................................................................................................................211
Objects > Service Groups.....................................................................................................................213
Objects > Tags........................................................................................................................................ 214
Create Tags................................................................................................................................. 214
View Rulebase as Groups........................................................................................................ 215
Manage Tags............................................................................................................................... 218
Objects > Devices.................................................................................................................................. 221
Objects > External Dynamic Lists...................................................................................................... 222

Objects > Custom Objects...................................................................................................................227
Objects > Custom Objects > Data Patterns....................................................................... 227
Objects > Custom Objects > Spyware/Vulnerability.....................................................................233
Objects > Custom Objects > URL Category....................................................................................237
Objects > Security Profiles.................................................................................................................. 239
Actions in Security Profiles..................................................................................................... 239
Objects > Security Profiles > Antivirus.............................................................................................243
Objects > Security Profiles > Anti-Spyware Profile.......................................................................246
Objects > Security Profiles > Vulnerability Protection................................................................. 251
Objects > Security Profiles > URL Filtering..................................................................................... 255
URL Filtering General Settings............................................................................................... 255
URL Filtering Categories.......................................................................................................... 256
URL Filtering Settings............................................................................................................... 258
User Credential Detection.......................................................................................................259
HTTP Header Insertion............................................................................................................ 261
URL Filtering Inline ML............................................................................................................ 262
Objects > Security Profiles > File Blocking......................................................................................264
Objects > Security Profiles > WildFire Analysis............................................................................. 266
Objects > Security Profiles > Data Filtering.................................................................................... 268
Objects > Security Profiles > DoS Protection.................................................................................270
Objects > Security Profiles > Mobile Network Protection...........................................................274
Objects > Security Profiles > SCTP Protection...............................................................................280
Objects > Security Profile Groups..................................................................................................... 285
Objects > Log Forwarding....................................................................................................................286
Objects > Authentication..................................................................................................................... 289
Objects > Decryption Profile...............................................................................................................291
Decryption Profile General Settings..................................................................................... 291
Settings to Control Decrypted Traffic..................................................................................292
Settings to Control Traffic that is not Decrypted..............................................................297
Settings to Control Decrypted SSH Traffic.........................................................................298
Objects > Packet Broker Profile......................................................................................................... 300
Objects > SD-WAN Link Management.............................................................................................303
Objects > SD-WAN Link Management > Path Quality Profile....................................... 303
Objects > SD-WAN Link Management > SaaS Quality Profile.......................................304
Objects > SD-WAN Link Management > Traffic Distribution-Profile...........................305
Objects > SD-WAN Link Management > Error Correction Profile................................ 306
Objects > Schedules.............................................................................................................................. 308

Network............................................................................................................ 309
Network > Interfaces.............................................................................................................................311
Firewall Interfaces Overview.................................................................................................. 311
Common Building Blocks for Firewall Interfaces...............................................................312
Common Building Blocks for PA-7000 Series Firewall Interfaces................................. 313
Tap Interface............................................................................................................................... 314
HA Interface................................................................................................................................315
Virtual Wire Interface............................................................................................................... 315
Virtual Wire Subinterface........................................................................................................ 317
PA-7000 Series Layer 2 Interface......................................................................................... 317
PA-7000 Series Layer 2 Subinterface.................................................................................. 319
PA-7000 Series Layer 3 Interface......................................................................................... 319
Layer 3 Interface........................................................................................................................330
Layer 3 Subinterface................................................................................................................. 339
Log Card Interface.....................................................................................................................348
Log Card Subinterface.............................................................................................................. 349

Decrypt Mirror Interface......................................................................................................... 350
Aggregate Ethernet (AE) Interface Group........................................................................... 351
Aggregate Ethernet (AE) Interface........................................................................................ 354
Network > Interfaces > VLAN............................................................................................................ 360
Network > Interfaces > Loopback..................................................................................................... 368
Network > Interfaces > Tunnel...........................................................................................................370
Network > Interfaces > SD-WAN......................................................................................................372
Network > Zones....................................................................................................................................373
Security Zone Overview.......................................................................................................... 373
Building Blocks of Security Zones......................................................................................... 373
Network > VLANs.................................................................................................................................. 376
Network > Virtual Wires...................................................................................................................... 377
Network > Virtual Routers...................................................................................................................378
General Settings of a Virtual Router.....................................................................................378
Static Routes............................................................................................................................... 379
Route Redistribution................................................................................................................. 381
RIP..................................................................................................................................................383
OSPF..............................................................................................................................................385
OSPFv3.........................................................................................................................................390
BGP................................................................................................................................................395
IP Multicast..................................................................................................................................408
ECMP............................................................................................................................................ 412
More Runtime Stats for a Virtual Router............................................................................ 414
More Runtime Stats for a Logical Router............................................................................ 424
Network > Routing > Logical Routers...............................................................................................429
General Settings of a Logical Router.................................................................................... 429
Static Routes for a Logical Router.........................................................................................432
BGP Routing for a Logical Router......................................................................................... 434
Network > Routing > Routing Profiles > BGP....................................................................437
Network > IPSec Tunnels.....................................................................................................................441
IPSec VPN Tunnel Management............................................................................................441
IPSec Tunnel General Tab....................................................................................................... 441
IPSec Tunnel Proxy IDs Tab................................................................................................... 444
IPSec Tunnel Status on the Firewall..................................................................................... 445
IPSec Tunnel Restart or Refresh............................................................................................445
Network > GRE Tunnels.......................................................................................................................446
GRE Tunnels................................................................................................................................446
Network > DHCP................................................................................................................................... 448
DHCP Overview.........................................................................................................................448
DHCP Addressing...................................................................................................................... 448
DHCP Server...............................................................................................................................449
DHCP Relay.................................................................................................................................452
DHCP Client................................................................................................................................452
Network > DNS Proxy.......................................................................................................................... 454
DNS Proxy Overview................................................................................................................454
DNS Proxy Settings...................................................................................................................455
Additional DNS Proxy Actions............................................................................................... 457
Network > QoS.......................................................................................................................................458
QoS Interface Settings............................................................................................................. 458
QoS Interface Statistics............................................................................................................460
Network > LLDP.....................................................................................................................................461
LLDP Overview.......................................................................................................................... 461
Building Blocks of LLDP...........................................................................................................461
Network > Network Profiles............................................................................................................... 464
Network > Network Profiles > GlobalProtect IPSec Crypto...........................................464

TABLE OF CONTENTS vii


Network > Network Profiles > IKE Gateways....................................................................464
Network > Network Profiles > IPSec Crypto..................................................................... 470
Network > Network Profiles > IKE Crypto......................................................................... 472
Network > Network Profiles > Monitor.............................................................................. 473
Network > Network Profiles > Interface Mgmt.................................................................473
Network > Network Profiles > Zone Protection............................................................... 475
Network > Network Profiles > QoS..................................................................................... 493
Network > Network Profiles > LLDP Profile...................................................................... 494
Network > Network Profiles > BFD Profile........................................................................495
Network > Network Profiles > SD-WAN Interface Profile............................................. 497

Device................................................................................................................501
Device > Setup........................................................................................................................................503
Device > Setup > Management.......................................................................................................... 504
Device > Setup > Operations..............................................................................................................529
Enable SNMP Monitoring........................................................................................................ 535
Device > Setup > HSM.........................................................................................................................538
Hardware Security Module Provider Settings.................................................................... 538
HSM Authentication..................................................................................................................539
Hardware Security Operations...............................................................................................539
Hardware Security Module Provider Configuration and Status..................................... 540
Hardware Security Module Status........................................................................................ 541
Device > Setup > Services................................................................................................................... 542
Configure Services for Global and Virtual Systems...........................................................542
Global Services Settings...........................................................................................................542
IPv4 and IPv6 Support for Service Route Configuration................................................. 545
Destination Service Route....................................................................................................... 548
Device > Setup > Interfaces................................................................................................................ 549
Device > Setup > Telemetry................................................................................................................552
Device > Setup > Content-ID............................................................................................................. 553
Device > Setup > WildFire.................................................................................................................. 559
Device > Setup > Session.................................................................................................................... 562
Session Settings..........................................................................................................................562
Session Timeouts....................................................................................................................... 566
TCP Settings................................................................................................................................568
Decryption Settings: Certificate Revocation Checking.....................................................570
Decryption Settings: Forward Proxy Server Certificate Settings................................... 571
Decryption Settings: SSL Decryption Settings................................................................... 572
VPN Session Settings................................................................................................................573
Device > Setup > ACE................................................................................................................... 574
Device > Setup > DLP.......................................................................................................................... 575
Device > High Availability.................................................................................................................... 576
Important Considerations for Configuring HA................................................................... 576
HA General Settings..................................................................................................................577
HA Communications................................................................................................................. 580
HA Link and Path Monitoring.................................................................................................583
HA Active/Active Config......................................................................................................... 585
Cluster Config............................................................................................................................. 587
Device > Log Forwarding Card...........................................................................................................589
Device > Config Audit...........................................................................................................................591
Device > Password Profiles................................................................................................................. 592
Username and Password Requirements...............................................................................592
Device > Administrators....................................................................................................................... 594
Device > Admin Roles...........................................................................................................................597
Device > Access Domain......................................................................................................................599
Device > Authentication Profile......................................................................................................... 600
Authentication Profile...............................................................................................................600
SAML Metadata Export from an Authentication Profile..................................................607
Device > Authentication Sequence................................................................................................... 609
Device > Data Redistribution.............................................................................................................. 611
Device > Data Redistribution > Agents............................................................................... 611
Device > Data Redistribution > Clients................................................................................612
Device > Data Redistribution > Collector Settings............................................................612
Device > Data Redistribution > Include/Exclude Networks............................................613
Device > Device Quarantine............................................................................................................... 614
Device > VM Information Sources.....................................................................................................615
Settings to Enable VM Information Sources for VMware ESXi and vCenter Servers................. 617
Settings to Enable VM Information Sources for AWS VPC............................................ 618
Settings to Enable VM Information Sources for Google Compute Engine...................619
Device > Troubleshooting.................................................................................................................... 621
Security Policy Match............................................................................................................... 621
QoS Policy Match...................................................................................................................... 622
Authentication Policy Match...................................................................................................624
Decryption/SSL Policy Match.................................................................................................624
NAT Policy Match..................................................................................................................... 625
Policy Based Forwarding Policy Match................................................................................627
DoS Policy Match...................................................................................................................... 628
Routing..........................................................................................................................................629
Test Wildfire............................................................................................................................... 630
Threat Vault................................................................................................................................ 630
Ping................................................................................................................................................ 631
Trace Route................................................................................................................................. 632
Log Collector Connectivity......................................................................................................634
External Dynamic List............................................................................................................... 634
Update Server.............................................................................................................................635
Test Cloud Logging Service Status........................................................................................635
Test Cloud GP Service Status.................................................................................................636
Device > Virtual Systems..................................................................................................................... 637
Device > Shared Gateways..................................................................................................................640
Device > Certificate Management..................................................................................................... 641
Device > Certificate Management > Certificates........................................................................... 642
Manage Firewall and Panorama Certificates...................................................................... 642
Manage Default Trusted Certificate Authorities................................................................647
Device > Certificate Management > Certificate Profile................................................................648
Device > Certificate Management > OCSP Responder................................................................ 650
Device > Certificate Management > SSL/TLS Service Profile.....................................................651
Device > Certificate Management > SCEP...................................................................................... 653
Device > Certificate Management > SSL Decryption Exclusion................................................. 656
Device > Certificate Management > SSH Service Profile............................................................ 659
Device > Response Pages.................................................................................................................... 661
Device > Log Settings........................................................................................................................... 664
Select Log Forwarding Destinations..................................................................................... 664
Define Alarm Settings...............................................................................................................666
Clear Logs.................................................................................................................................... 668
Device > Server Profiles....................................................................................................................... 669
Device > Server Profiles > SNMP Trap............................................................................................ 670
Device > Server Profiles > Syslog...................................................................................................... 672
Device > Server Profiles > Email........................................................................................................674
Device > Server Profiles > HTTP....................................................................................................... 676
Device > Server Profiles > NetFlow..................................................................................................679
Device > Server Profiles > RADIUS...................................................................................................681
Device > Server Profiles > TACACS+............................................................................................... 683
Device > Server Profiles > LDAP....................................................................................................... 684
Device > Server Profiles > Kerberos................................................................................................. 686
Device > Server Profiles > SAML Identity Provider...................................................................... 687
Device > Server Profiles > DNS......................................................................................................... 690
Device > Server Profiles > Multi Factor Authentication...............................................................691
Device > Local User Database > Users............................................................................................ 693
Device > Local User Database > User Groups............................................................................... 694
Device > Scheduled Log Export......................................................................................................... 695
Device > Software..................................................................................................................................697
Device > Dynamic Updates................................................................................................................. 699
Device > Licenses...................................................................................................................................702
Device > Support....................................................................................................................................704
Device > Master Key and Diagnostics..............................................................................................705
Deploy Master Key................................................................................................................... 707
Device > Policy Recommendation > IoT.......................................................................................... 709
Device > Policy Recommendation > SaaS.......................................................................................711

User Identification..........................................................................................713
Device > User Identification > User Mapping.................................................................................715
Palo Alto Networks User-ID Agent Setup...........................................................................715
Monitor Servers..........................................................................................................................723
Include or Exclude Subnetworks for User Mapping..........................................................725
Device > User Identification > Connection Security..................................................................... 727
Device > User Identification > Terminal Server Agents............................................................... 728
Device > User Identification > Group Mapping Settings Tab......................................................730
Device > User Identification > Cloud Identity Engine...................................................................734
Device > User Identification > Authentication Portal................................................................... 736

GlobalProtect...................................................................................................739
Network > GlobalProtect > Portals................................................................................................... 741
GlobalProtect Portals General Tab........................................................................................742
GlobalProtect Portals Authentication Configuration Tab................................................ 744
GlobalProtect Portals Portal Data Collection Tab............................................................. 746
GlobalProtect Portals Agent Tab........................................................................................... 746
GlobalProtect Portals Clientless VPN Tab...........................................................................767
GlobalProtect Portal Satellite Tab......................................................................................... 770
Network > GlobalProtect > Gateways..............................................................................................774
GlobalProtect Gateways General Tab.................................................................................. 774
GlobalProtect Gateway Authentication Tab....................................................................... 776
GlobalProtect Gateways Agent Tab......................................................................................777
GlobalProtect Gateway Satellite Tab....................................................................................787
Network > GlobalProtect > MDM..................................................................................................... 790
Network > GlobalProtect > Device Block List................................................................................ 791
Network > GlobalProtect > Clientless Apps....................................................................................792
Network > GlobalProtect > Clientless App Groups.......................................................................793
Objects > GlobalProtect > HIP Objects............................................................................................794
HIP Objects General Tab.........................................................................................................794
HIP Objects Mobile Device Tab............................................................................................ 796
HIP Objects Patch Management Tab................................................................................... 797
HIP Objects Firewall Tab.........................................................................................................798
HIP Objects Anti-Malware Tab.............................................................................................. 798
HIP Objects Disk Backup Tab................................................................................................ 799
HIP Objects Disk Encryption Tab..........................................................................................799
HIP Objects Data Loss Prevention Tab............................................................................... 800
HIP Objects Certificate Tab.................................................................................................... 800
HIP Objects Custom Checks Tab.......................................................................................... 801
Objects > GlobalProtect > HIP Profiles............................................................................................ 802
Device > GlobalProtect Client............................................................................................................ 804
Managing the GlobalProtect App Software........................................................................ 804
Setting Up the GlobalProtect App........................................................................................ 805
Using the GlobalProtect App..................................................................................................805

Panorama Web Interface............................................................................. 807
Use the Panorama Web Interface......................................................................................................809
Context Switch........................................................................................................................................813
Panorama Commit Operations............................................................................................................814
Defining Policies on Panorama........................................................................................................... 823
Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode.............................. 825
Panorama > Setup > Interfaces.......................................................................................................... 827
Panorama > High Availability.............................................................................................................. 830
Panorama > Managed WildFire Clusters..........................................................................................833
Managed WildFire Cluster Tasks........................................................................................... 833
Managed WildFire Appliance Tasks...................................................................................... 834
Managed WildFire Information.............................................................................................. 835
Managed WildFire Cluster and Appliance Administration...............................................839
Panorama > Administrators................................................................................................................. 849
Panorama > Admin Roles..................................................................................................................... 852
Panorama > Access Domains.............................................................................................................. 854
Panorama > Scheduled Config Push..................................................................................................856
Scheduled Config Push Scheduler.........................................................................................856
Scheduled Config Push Execution History.......................................................................... 857
Panorama > Managed Devices > Summary..................................................................................... 859
Managed Firewall Administration.......................................................................................... 859
Managed Firewall Information................................................................................................860
Firewall Software and Content Updates..............................................................................863
Firewall Backups........................................................................................................................ 865
Panorama > Device Quarantine.............................................................................................865
Panorama > Managed Devices > Health............................................................................. 866
Detailed Device Health on Panorama.................................................................................. 868
Panorama > Templates..........................................................................................................................872
Templates.....................................................................................................................................872
Template Stacks......................................................................................................................... 872
Panorama > Templates > Template Variables.................................................................... 874
Panorama > Device Groups.................................................................................................................877
Panorama > Managed Collectors....................................................................................................... 879
Log Collector Information........................................................................................................879
Log Collector Configuration.................................................................................................... 880
Software Updates for Dedicated Log Collectors............................................................... 889
Panorama > Collector Groups.............................................................................................................890
Collector Group Configuration............................................................................................... 890
Collector Group Information...................................................................................................895
Panorama > Plugins............................................................................................................................... 896
Panorama > SD-WAN........................................................................................................................... 897
SD-WAN Devices...................................................................................................................... 897
SD-WAN VPN Clusters............................................................................................................898
SD-WAN Monitoring................................................................................................................ 899
SD-WAN Reports.......................................................................................................................900
Panorama > VMware NSX................................................................................................................... 902
Configure a Notify Group........................................................................................................902
Create Service Definitions.......................................................................................................903
Configure Access to the NSX Manager............................................................................... 904
Create Steering Rules............................................................................................................... 905
Panorama > Log Ingestion Profile...................................................................................................... 907
Panorama > Log Settings......................................................................................................................908
Panorama > Server Profiles > SCP.....................................................................................................910
Panorama > Scheduled Config Export.............................................................................................. 911
Panorama > Software............................................................................................................................913
Manage Panorama Software Updates.................................................................................. 913
Display Panorama Software Update Information.............................................................. 914
Panorama > Device Deployment........................................................................................................915
Manage Software and Content Updates............................................................................. 915
Display Software and Content Update Information......................................................... 917
Schedule Dynamic Content Updates.................................................................................... 918
Revert Content Versions from Panorama............................................................................919
Manage Firewall Licenses........................................................................................................ 920
Panorama > Device Registration Auth Key..................................................................................... 922
Add a Device Registration Auth Key.................................................................................... 922

Web Interface Basics
The following topics provide an overview of the firewall and describe basic administrative
tasks.

> Firewall Overview
> Features and Benefits
> Last Login Time and Failed Login Attempts
> Message of the Day
> Task Manager
> Language
> Alarms
> Commit Changes
> Save Candidate Configurations
> Revert Changes
> Lock Configurations
> Global Find
> Threat Details
> AutoFocus Intelligence Summary
> Change Boot Mode

Firewall Overview
Palo Alto Networks® next-generation firewalls inspect all traffic (including applications, threats, and
content), and tie that traffic to the user, regardless of location or device type. The user, application, and
content—the elements that run your business—become integral components of your enterprise security
policy. This allows you to align security with your business policies, as well as write rules that are easy to
understand and maintain.
As part of our Security Operating Platform, our next-generation firewalls provide your organization with the
ability to:
• Securely enable applications (including software-as-a-service applications), users, and content by
classifying all traffic (regardless of port).
• Reduce risk of an attack using a positive enforcement model, by allowing all desired applications and
blocking everything else.
• Apply security policies to block known vulnerability exploits, viruses, ransomware, spyware, botnets, and
other unknown malware, such as advanced persistent threats.
• Protect your data centers (including virtualized data centers) by segmenting data and applications, as
well as enforcing the Zero Trust principle.
• Apply consistent security across your on-premises and cloud environments.
• Embrace secure mobile computing by extending the Security Operating Platform to users and devices,
no matter where they are located.
• Get centralized visibility and streamline network security, making your data actionable so you can
prevent successful cyberattacks.
• Identify and prevent attempts to steal credentials by stopping the submission of valid corporate
credentials to illegitimate websites, and neutralizing an attacker’s ability to use stolen credentials for
lateral movement or network compromise by enforcing authentication policies at the network layer.

Features and Benefits
The Palo Alto Networks next-generation firewalls provide granular control over the traffic allowed to access
your network. The primary features and benefits include:
• Application-based policy enforcement (App-ID™)—Access control according to application type is far
more effective when application identification is based on more than just protocol and port number.
App-ID can block high-risk applications as well as high-risk behavior such as file sharing, and
traffic encrypted with Secure Sockets Layer (SSL)/TLS can be decrypted and inspected.
• User identification (User-ID™)—The User-ID feature allows administrators to configure and enforce
firewall policies based on users and user groups instead of or in addition to network zones and
addresses. The firewall can communicate with many directory servers, such as Microsoft Active
Directory, eDirectory, SunOne, OpenLDAP, and most other LDAP-based directory servers to provide
user and group information to the firewall. You can then use this information for secure application
enablement that can be defined per user or group. For example, the administrator could allow one
organization to use a web-based application but not allow any other organizations in the company to use
that same application. You can also configure granular control of certain components of an application
based on users and groups (see User Identification).
• Threat prevention—Threat prevention services that protect the network from viruses, worms, spyware,
and other malicious traffic can be varied by application and traffic source (see Objects > Security
Profiles).
• URL filtering—Outbound connections can be filtered to prevent access to inappropriate web sites (see
Objects > Security Profiles > URL Filtering).
• Traffic visibility—Extensive reports, logs, and notification mechanisms provide detailed visibility into
network application traffic and security events. The Application Command Center (ACC) in the web
interface identifies the applications with the most traffic and the highest security risk (see Monitor).
• Networking versatility and speed—The Palo Alto Networks firewall can augment or replace your existing
firewall and can be installed transparently in any network or configured to support a switched or routed
environment. Multigigabit speeds and a single-pass architecture provide these services to you with little
or no impact on network latency.
• GlobalProtect—The GlobalProtect™ software provides security for client systems, such as laptops that
are used in the field, by allowing easy and secure login from anywhere in the world.
• Fail-safe operation—High availability (HA) support provides automatic failover in the event of any
hardware or software disruption (see Device > High Availability).
• Malware analysis and reporting—The WildFire™ cloud-based analysis service provides detailed analysis
and reporting on malware that passes through the firewall. Integration with the AutoFocus™ threat
intelligence service allows you to assess the risk associated with your network traffic at organization,
industry, and global levels.
• VM-Series firewall—A VM-Series firewall provides a virtual instance of PAN-OS® positioned for use in
a virtualized data center environment and is ideal for your private, public, and hybrid cloud computing
environments.
• Management and Panorama—You can manage each firewall through an intuitive web interface or
through a command-line interface (CLI) or you can centrally manage all firewalls through the Panorama™
centralized management system, which has a web interface very similar to the web interface on Palo
Alto Networks firewalls.

Last Login Time and Failed Login Attempts
To detect misuse and prevent exploitation of a privileged account, such as an administrative account on a
Palo Alto Networks firewall or Panorama, the web interface and the command line interface (CLI) display
your last login time and any failed login attempts for your username when you log in. This information
allows you to easily identify whether someone is using your administrative credentials to launch an attack.

After you log in to the web interface, the last login time information appears at the bottom left of the
window. If one or more failed logins occurred since the last successful login, a caution icon appears to
the right of the last login information. Hover over the caution symbol to view the number of failed login
attempts or click to view the Failed Login Attempts Summary window, which lists the administrative
account name, the source IP address, and the reason for the login failure.
If you see multiple failed login attempts that you do not recognize as your own, work with your
network administrator to locate the system that is performing the brute-force attack and then investigate
the user and host computer to identify and eradicate any malicious activity. If the last login date and
time do not match a session of your own, treat the account as compromised: immediately change your
password and then perform a configuration audit to determine whether suspicious configuration changes
were committed. Revert the configuration to a known good configuration if you see that logs were cleared
or if you have difficulty determining whether improper changes were made using your account.
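
The triage the paragraph above describes can be applied to the records in the Failed Login Attempts
Summary. The following Python is an added example, not code from PAN-OS or Palo Alto Networks: it
assumes each record carries a timestamp in addition to the account name, source IP address and reason
the page lists, and the records themselves are constructed samples, not real firewall logs. It flags
sources that burst failures against one account (brute force) and the case the page calls out as an
account compromise: a successful login arriving from such a source shortly after its failures.

```python
"""Triage of the Failed Login Attempts Summary (added example, not PAN-OS code).

The firewall's summary lists the account name, the source IP address and the
reason for each failure. The timestamp column and the record layout used here
are assumptions for this example, and the records are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records: (timestamp, account, source IP, reason).
SAMPLE_FAILURES = [
    ("2021-10-06 08:00:01", "admin", "203.0.113.7", "Invalid password"),
    ("2021-10-06 08:00:03", "admin", "203.0.113.7", "Invalid password"),
    ("2021-10-06 08:00:04", "admin", "203.0.113.7", "Invalid password"),
    ("2021-10-06 08:00:06", "admin", "203.0.113.7", "Invalid password"),
    ("2021-10-06 08:00:07", "admin", "203.0.113.7", "Invalid password"),
    ("2021-10-06 08:00:09", "admin", "203.0.113.7", "Invalid password"),
    ("2021-10-06 09:15:00", "admin", "192.0.2.10", "Invalid password"),
    ("2021-10-06 10:30:00", "netops", "192.0.2.11", "User not found"),
]
# Constructed: the last successful login the web interface would show you.
SAMPLE_LAST_LOGIN = ("2021-10-06 08:00:12", "admin", "203.0.113.7")


def _ts(value):
    return datetime.strptime(value, FMT)


def brute_force_sources(failures, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> largest number of failures it produced against one
    account inside any `window`-long interval, for sources at or above
    `threshold`. A sliding window is used so slow, spread-out failures
    (one per hour) are not flagged by the same rule as a burst."""
    per_key = defaultdict(list)
    for ts, account, src, _reason in failures:
        per_key[(src, account)].append(_ts(ts))
    flagged = {}
    for (src, _account), times in per_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def success_after_burst(failures, last_login, flagged, grace=timedelta(minutes=10)):
    """True when the recorded last successful login came from a flagged source
    within `grace` after that source's failures against the same account: the
    pattern of a guessed password, which the page says to treat as an account
    compromise."""
    ts, account, src = last_login
    if src not in flagged:
        return False
    login_time = _ts(ts)
    return any(
        a == account and s == src and timedelta(0) <= login_time - _ts(t) <= grace
        for t, a, s, _reason in failures
    )


def triage(failures=SAMPLE_FAILURES, last_login=SAMPLE_LAST_LOGIN):
    """Summarise what an administrator should act on."""
    flagged = brute_force_sources(failures)
    compromised = success_after_burst(failures, last_login, flagged)
    other_sources = sorted({src for _t, _a, src, _r in failures} - set(flagged))
    return {
        "brute_force_sources": flagged,
        "likely_compromise": compromised,
        "other_failure_sources": other_sources,
    }


if __name__ == "__main__":
    print(triage())
```

With the constructed sample, 203.0.113.7 is reported as a brute-force source (six failures in eight
seconds) and the login at 08:00:12 from the same address is reported as a likely compromise; the
isolated failures from 192.0.2.10 and 192.0.2.11 are listed separately for manual review rather than
flagged, since a single mistyped password is not evidence of an attack.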

Message of the Day
If you or another administrator configured a message of the day or Palo Alto Networks embedded one as
part of a software or content release, a Message of the Day dialog displays automatically when users log
in to the web interface. This ensures that users see important information, such as an impending system
restart, that impacts the tasks they intend to perform.
The dialog displays one message per page. If the dialog includes the option to select Do not show again, you
can select it for each message that you don’t want the dialog to display after subsequent logins.

Anytime the Message of the Day changes, the message appears in your next session even
if you selected Do not show again during a previous login. You must then reselect this option
to avoid seeing the modified message in subsequent sessions.

To navigate the dialog pages, click the right and left arrows along the sides of the dialog or click a
page selector along the bottom of the dialog. After you Close the dialog, you can manually reopen it
by clicking messages at the bottom of the web interface.
To configure a message of the day, select Device > Setup > Management and edit the Banners and
Messages settings.

Task Manager
Click Tasks at the bottom of the web interface to display the tasks that you, other administrators, or
PAN-OS initiated since the last firewall reboot (for example, manual commits or automatic FQDN
refreshes). For each task, the Task Manager provides the information and actions described in the table
below.

Some columns are hidden by default. To display or hide specific columns, open the drop-
down in any column header, select Columns, and select (display) or clear (hide) the column
names.

Field/Button Description

To filter the tasks, enter a text string based on a value in one of the
columns and Apply Filter. For example, entering edl will filter
the list to display only EDLFetch (fetch external dynamic lists) tasks.
To remove filtering, Remove Filter.

Type The type of task, such as log request, license refresh, or commit. If
the information related to the task (such as warnings) is too long to
fit in the Messages column, you can click the Type value to see all the
details.

Status Indicates whether the task is pending (such as commits with
Queued status), in progress (such as log requests with Active status),
completed, or failed. For commits in progress, the Status indicates the
percentage of completion.

Job ID A number that identifies the task. From the CLI, you can use the Job
ID to see additional details about a task. For example, you can see the
position of a commit task in the commit queue by entering:

> show jobs id <job-id>

This column is hidden by default.

End Time The date and time when the task finished. This column is hidden by
default.

Start Time The date and time when the task started. For commit tasks, the Start
Time indicates when the commit was added to the commit queue.

Messages Displays details about the task. If the entry indicates that there are too
many messages, you can click the task Type to see the messages.
For commit tasks, the Messages include the dequeued time to indicate
when PAN-OS started performing the commit. To see the description
an administrator entered for a commit, click Commit Description. For
details, see Commit Changes.


Action Click x to cancel a pending commit initiated by an administrator or
PAN-OS. This button is available only to administrators who have one
of the following predefined roles: superuser, device administrator,
virtual system administrator, or Panorama administrator.

Show Select the tasks you want to display:
• All Tasks (default)
• All tasks of a certain type (Jobs, Reports, or Log Requests)
• All Running tasks (in progress)
• All Running tasks of a certain type (Jobs, Reports, or Log Requests)
• (Panorama only) Use the second drop-down to display the tasks for
Panorama (default) or a specific managed firewall.

Clear Commit Queue Cancel all pending commits initiated by administrators or PAN-OS.
This button is available only to administrators who have one of the
following predefined roles: superuser, device administrator, virtual
system administrator, or Panorama administrator.
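
The Job ID column is what you use to follow a task from outside the web interface. The following
Python is an added example, not code from PAN-OS or Palo Alto Networks: it builds the XML API form of
the "show jobs id" command quoted in the Job ID row and reads a job's queue timing out of a
response. The response it parses is a constructed sample; the element names it expects (tenq, tdeq,
tfin, positionInQ, progress, status, result) and the timestamp format are this example's assumptions
about the real output, and the host name and key are placeholders.

```python
"""Read a commit job's queue timing through the PAN-OS XML API (added example,
not PAN-OS code).

<show><jobs><id>N</id></jobs></show> is the XML form of the CLI command
"show jobs id N". The response below is a constructed sample: the element
names (tenq, tdeq, tfin, positionInQ, progress, status, result) and the
timestamp format are this example's assumptions about the real output.
"""
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlencode

TS = "%Y/%m/%d %H:%M:%S"


def show_jobs_request(host, api_key, job_id):
    """Build (url, headers) for the op command. The job ID is type-checked so a
    caller cannot splice extra XML into the command, and the API key travels in
    the X-PAN-KEY header instead of the query string, keeping it out of URL logs."""
    if not isinstance(job_id, int) or job_id < 0:
        raise ValueError("job_id must be a non-negative integer")
    cmd = f"<show><jobs><id>{job_id}</id></jobs></show>"
    url = f"https://{host}/api/?" + urlencode({"type": "op", "cmd": cmd})
    return url, {"X-PAN-KEY": api_key}


# Constructed sample of what the firewall returns for a finished commit.
SAMPLE_RESPONSE = """<response status="success"><result><job>
<tenq>2021/10/06 10:00:01</tenq><tdeq>2021/10/06 10:00:09</tdeq>
<id>42</id><user>admin</user><type>Commit</type>
<status>FIN</status><queued>NO</queued><stoppable>no</stoppable>
<result>OK</result><tfin>2021/10/06 10:00:47</tfin>
<description>add egress rule for vpn users</description>
<positionInQ>0</positionInQ><progress>100</progress>
<details><line>Configuration committed successfully</line></details>
<warnings><line>Rule 'allow-web' shadows rule 'allow-web-dev'</line></warnings>
</job></result></response>"""


def parse_job(xml_text):
    """Turn one <job> element into the fields the Task Manager shows, plus how
    long the commit waited in the queue (Start Time to dequeued time) and how
    long it actually ran."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call failed: " + ET.tostring(root, encoding="unicode"))
    job = root.find("./result/job")
    if job is None:
        raise RuntimeError("no <job> element in response")

    def text(tag):
        node = job.find(tag)
        return node.text if node is not None and node.text else None

    def when(tag):
        value = text(tag)
        return datetime.strptime(value, TS) if value else None

    t_enq, t_deq, t_fin = when("tenq"), when("tdeq"), when("tfin")
    return {
        "id": int(text("id")),
        "type": text("type"),
        "status": text("status"),            # assumed values such as PEND, ACT, FIN
        "result": text("result"),
        "queue_position": int(text("positionInQ") or 0),
        "progress": int(text("progress") or 0),
        "queue_wait_s": (t_deq - t_enq).total_seconds() if t_enq and t_deq else None,
        "run_s": (t_fin - t_deq).total_seconds() if t_deq and t_fin else None,
        "description": text("description"),
        "warnings": [w.text for w in job.findall("./warnings/line") if w.text],
    }


if __name__ == "__main__":
    url, headers = show_jobs_request("fw.example.net", "REPLACE-ME", 42)
    print(url, headers)
    print(parse_job(SAMPLE_RESPONSE))
```

The split between queue_wait_s and run_s is the point of the example: a commit that sat in the
queue for minutes (Start Time far from the dequeued time in the Messages column) is a sign of commit
contention or of auto-commits being prioritized, not of a slow commit, and the two cases call for
different fixes.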

Language
By default, the language that is set on the computer used to log in to the firewall determines the language
that is displayed on the management web interface. To manually change the language, click Language
(bottom right of the web interface), select the desired language from the drop-down and click OK. The web
interface refreshes and displays the web interface in the selected language.

Supported languages include: French, Japanese, Spanish, Simplified Chinese, and
Traditional Chinese.

Alarms
An alarm is a firewall-generated message indicating that the number of events of a particular type (for
example, encryption and decryption failures) has exceeded the threshold configured for that event type (see
Define Alarm Settings). When generating an alarm, the firewall creates an Alarm log and opens the System
Alarms dialog to display the alarm. After closing the dialog, you can reopen it anytime by clicking Alarms
at the bottom of the web interface. To prevent the firewall from automatically opening the
dialog for a particular alarm, select Unacknowledged Alarms and click Acknowledge to move the alarms to
the Acknowledged Alarms list.

Commit Changes
Click Commit at the top right of the web interface and specify an operation for pending changes to
the firewall configuration: commit (activate), validate, or preview. You can filter pending changes by
administrator or location and then preview, validate, and commit only those changes. The location can be
specific virtual systems, shared policies and objects, or shared device and network settings.
The firewall queues commit requests so that you can initiate a new commit while a previous commit is in
progress. The firewall performs the commits in the order they are initiated but prioritizes auto-commits
that are initiated by the firewall (such as FQDN refreshes). However, if the queue already has the maximum
number of administrator-initiated commits, you must wait for the firewall to finish processing a pending
commit before initiating a new one.
Use the Task Manager to cancel commits or see details about commits that are pending, in progress,
completed, or failed.
The Commit dialog displays the options described in the following table.

Field/Button Description

Commit All Changes Commits all changes for which you have administrative privileges
(default). You cannot manually filter the scope of the configuration
changes that the firewall commits when you select this option.
Instead, the administrator role assigned to the account you used to log
in determines the commit scope:
• Superuser role—The firewall commits the changes of all
administrators.
• Custom role—The privileges of the Admin Role profile assigned to
your account determine the commit scope (see Device > Admin
Roles). If the profile includes the privilege to Commit For Other
Admins, the firewall commits changes configured by any and all
administrators. If your Admin Role profile does not include the
privilege to Commit For Other Admins, the firewall commits only
your changes and not those of other administrators.
If you have implemented access domains, the firewall automatically
applies those domains to filter the commit scope (see Device > Access
Domain). Regardless of your administrative role, the firewall commits
only the configuration changes in the access domains assigned to your
account.

Commit Changes Made By Filters the scope of the configuration changes the firewall commits.
The administrative role assigned to the account you used to log in
determines your filtering options:
• Superuser role—You can limit the commit scope to changes that
specific administrators made and to changes in specific locations.
• Custom role—The privileges of the Admin Role profile assigned to
your account determine your filtering options (see Device > Admin
Roles). If the profile includes the privilege to Commit For Other
Admins, you can limit the commit scope to changes configured by
specific administrators and to changes in specific locations. If your
Admin Role profile does not include the privilege to Commit For
Other Admins, you can limit the commit scope only to the changes
you made in specific locations.
Filter the commit scope as follows:
• Filter by administrator—Even if your role allows committing
the changes of other administrators, the commit scope includes
only your changes by default. To add other administrators
to the commit scope, click the <usernames> link, select the
administrators, and click OK.
• Filter by location—Select the specific locations for changes to
Include in Commit.
If you have implemented access domains, the firewall automatically
filters the commit scope based on those domains (see Device > Access
Domain). Regardless of your administrative role and your filtering
choices, the commit scope includes only the configuration changes in
the access domains assigned to your account.

After you load a configuration (Device > Setup >
Operations), you must Commit All Changes.

When you commit changes to a virtual system, you must include the
changes of all administrators who added, deleted, or repositioned
rules for the same rulebase in that virtual system.

Commit Scope Lists the locations that have changes to commit. Whether the list
includes all changes or a subset of the changes depends on several
factors, as described for Commit All Changes and Commit Changes
Made By. The locations can be any of the following:
• shared-object—Settings that are defined in the Shared location.
• policy-and-objects—Policy rules or objects that are defined on a
firewall that does not have multiple virtual systems.
• device-and-network—Network and device settings that are global
(such as Interface Management profiles) and not specific to a
virtual system. This also applies to network and device settings on
a firewall that does not have multiple virtual systems.
• <virtual-system>—The name of the virtual system in which policy
rules or objects are defined on a firewall that has multiple virtual
systems. This also includes network and device settings that are
specific to a virtual system (such as zones).

Location Type This column categorizes the locations of pending changes:
• Virtual Systems—Settings that are defined in a specific virtual
system.
• Other Changes—Settings that are not specific to a virtual system
(such as shared objects).

Include in Commit (Partial commit only) Enables you to select the changes you want to commit. By default,
all changes within the Commit Scope are selected. This column
displays only after you choose to Commit Changes Made By specific
administrators.

There might be dependencies that affect the changes
you include in a commit. For example, if you add
an object and another administrator then edits that
object, you cannot commit the change for the other
administrator without also committing your own
change.

Group by Location Type Groups the list of configuration changes in the Commit Scope by
Location Type.

Preview Changes Enables you to compare the configurations you selected in the
Commit Scope to the running configuration. The preview window
uses color coding to indicate which changes are additions (green),
modifications (yellow), or deletions (red).
To help you match the changes to sections of the web interface, you
can configure the preview window to display Lines of Context before
and after each change. These lines are from the files of the candidate
and running configurations that you are comparing.

Because the preview results display in a new browser
window, your browser must allow pop-ups. If the
preview window does not open, refer to your browser
documentation for the steps to allow pop-ups.

Change Summary Lists the individual settings for which you are committing changes.
The Change Summary list displays the following information for each
setting:
• Object Name—The name that identifies the policy, object, network
setting, or device setting.
• Type—The type of setting (such as Address, Security rule, or Zone).
• Location Type—Indicates whether the setting is defined in Virtual
Systems.
• Location—The name of the virtual system where the setting is
defined. The column displays Shared for settings that are not
specific to a virtual system.
• Operations—Indicates every operation (create, edit, or delete)
performed on the setting since the last commit.
• Owner—The administrator who made the last change to the
setting.
• Will Be Committed—Indicates whether the commit currently
includes the setting.
• Previous Owners—Administrators who made changes to the
setting before the last change.
Optionally, you can Group By column name (such as Type).
Select an object in the change list to view the Object Level
Difference.

Validate Commit Validates whether the firewall configuration has correct syntax and
is semantically complete. The output includes the same errors and
warnings that a commit would display, including rule shadowing and
application dependency warnings. The validation process enables
you to find and fix errors before you commit (it makes no changes to
the running configuration). This is useful if you have a fixed commit
window and want to be sure the commit will succeed without errors.

Description Allows you to enter a description (up to 512 characters) to help other
administrators understand what changes you made.

The System log for a commit event will truncate
descriptions longer than 512 characters.

Commit Starts the commit or, if other commits are pending, adds your commit
to the commit queue.

Commit Status Provides progress during the commit, then provides results after the
commit. Commit results include success or failure, details of commit
changes, and commit warnings. Warnings include:
• Commit—Lists general commit warnings.
• App Dependency—Lists any app dependencies required for
existing rules.
• Rule Shadow—Lists any shadow rules.
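
The scope rules spread across the Commit All Changes, Commit Changes Made By, Include in Commit and
Change Summary rows above are easier to check against concrete cases than to read. The following
Python is an added example, not code from PAN-OS or Palo Alto Networks: it models those rules (and,
with the Save For Other Admins privilege in place of Commit For Other Admins, the identical rules of
the Save Changes dialog in the next section) as a function that, for a given administrator and set
of pending changes, returns which objects Will Be Committed and why the others were left out. The
administrators, objects and access-domain contents are constructed, and the object-level dependency
described in the Include in Commit note is modelled as "an object can be committed only if every
administrator who edited it since the last commit is in scope".

```python
"""Model of how the Commit dialog determines the commit scope (added example,
not PAN-OS code). The same rules govern Save Changes, with the Save For Other
Admins privilege in place of Commit For Other Admins. Administrators, objects
and access domains below are constructed for the example. The dependency rule
is modelled as: an object is committable only when every administrator who
edited it since the last commit is in scope."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Change:
    name: str                    # Object Name in the Change Summary
    location: str                # shared-object, policy-and-objects, device-and-network or a vsys
    owner: str                   # Owner: administrator who made the last change
    previous_owners: tuple = ()  # Previous Owners since the last commit


@dataclass
class Admin:
    name: str
    superuser: bool = False
    for_other_admins: bool = False             # Admin Role privilege "Commit For Other Admins"
    access_domain: Optional[frozenset] = None  # None: no access domain restricts this account


def commit_scope(admin, pending, commit_all=True, admins=None, locations=None):
    """Return (included, excluded): names that Will Be Committed and a map of
    excluded names to the reason, following the Commit All Changes
    (commit_all=True) and Commit Changes Made By (commit_all=False) rules."""
    may_commit_others = admin.superuser or admin.for_other_admins
    if commit_all:
        selected = None if may_commit_others else {admin.name}  # None: every administrator
    else:
        selected = set(admins) if admins else {admin.name}       # own changes by default
        if not may_commit_others and selected != {admin.name}:
            raise PermissionError("this role can only commit its own changes")
    included, excluded = [], {}
    for ch in pending:
        if admin.access_domain is not None and ch.location not in admin.access_domain:
            excluded[ch.name] = "outside your access domain"
        elif locations is not None and ch.location not in locations:
            excluded[ch.name] = "location not included in commit"
        elif selected is not None and ch.owner not in selected:
            excluded[ch.name] = f"last changed by {ch.owner}, who is not in scope"
        elif selected is not None and not set(ch.previous_owners) <= selected:
            missing = ", ".join(sorted(set(ch.previous_owners) - selected))
            excluded[ch.name] = f"depends on earlier changes by {missing}"
        else:
            included.append(ch.name)
    return included, excluded


# Constructed pending changes: corp-net was added by alice and then edited by bob.
PENDING = (
    Change("allow-web", "vsys1", "alice"),
    Change("dmz-zone", "vsys1", "bob"),
    Change("corp-net", "shared-object", "bob", previous_owners=("alice",)),
    Change("mgmt-profile", "device-and-network", "carol"),
)

# alice: custom role without Commit For Other Admins, limited to two locations.
ALICE = Admin("alice", access_domain=frozenset({"vsys1", "shared-object"}))
ROOT = Admin("root", superuser=True)


if __name__ == "__main__":
    print(commit_scope(ALICE, PENDING))
    print(commit_scope(ROOT, PENDING, commit_all=False, admins=["bob"]))
```

Two cases from the sample are worth reading off: alice's Commit All Changes commits only allow-web,
because mgmt-profile is outside her access domain and the other two objects were last touched by bob;
and root committing "changes made by bob" still cannot include corp-net, because alice's earlier
addition of that object is not in scope, which is exactly the dependency the Include in Commit note
warns about.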

Save Candidate Configurations
Select Config > Save Changes at the top right of the firewall or Panorama web interface to save a new
snapshot file of the candidate configuration or to overwrite an existing configuration file. If the firewall or
Panorama reboots before you commit your changes, you can then revert the candidate configuration to
the saved snapshot to restore changes you made after the last commit. To revert to the snapshot, select
Device > Setup > Operations and Load named configuration snapshot. If you don’t revert to the snapshot
after a reboot, the candidate configuration will be the same as the last committed configuration (the running
configuration).
You can filter which configuration changes to save based on administrator or location. The location can be
specific virtual systems, shared policies and objects, or shared device and network settings.

You should periodically save your changes so that you don’t lose them if the firewall or
Panorama reboots.

Saving your changes to the candidate configuration does not activate those changes; you
must Commit Changes to activate them.

The Save Changes dialog displays the options described in the following table:

Field/Button Description

Save All Changes Saves all changes for which you have administrative privileges
(default). You cannot manually filter the scope of the configuration
changes that the firewall saves when you select this option. Instead,
the administrator role assigned to the account you used to log in
determines the save scope:
• Superuser role—The firewall saves the changes of all
administrators.
• Custom role—The privileges of the Admin Role profile assigned
to your account determine the save scope (see Device > Admin
Roles). If the profile includes the privilege to Save For Other
Admins, the firewall saves changes configured by any and all
administrators. If your Admin Role profile does not include the
privilege to Save For Other Admins, the firewall saves only your
changes and not those of other administrators.
If you have implemented access domains, the firewall automatically
applies those domains to filter the save scope (see Device > Access
Domain). Regardless of your administrative role, the firewall saves
only the configuration changes in the access domains assigned to your
account.

Save Changes Made By Filters the scope of the configuration changes the firewall saves.
The administrative role assigned to the account you used to log in
determines your filtering options:
• Superuser role—You can limit the save scope to changes that
specific administrators made and to changes in specific locations.
• Custom role—The privileges of the Admin Role profile assigned
to your account determine your filtering options (see Device >
Admin Roles). If the profile includes the privilege to Save For Other
Admins, you can limit the save scope to changes configured by
specific administrators and to changes in specific locations. If your
Admin Role profile does not include the privilege to Save For
Other Admins, you can limit the save scope only to the changes
you made in specific locations.
Filter the save scope as follows:
• Filter by administrator—Even if your role allows saving the changes
of other administrators, the save scope includes only your changes
by default. To add other administrators to the save scope, click the
<usernames> link, select the administrators, and click OK.
• Filter by location—Select changes in specific locations to Include in
Save.
If you have implemented access domains, the firewall automatically
filters the save scope based on those domains (see Device > Access
Domain). Regardless of your administrative role and your filtering
choices, the save scope includes only the configuration changes in the
access domains assigned to your account.

Save Scope Lists the locations that have changes to save. Whether the list
includes all changes or a subset of the changes depends on several
factors, as described for the Save All Changes and Save Changes
Made By options. The locations can be any of the following:
• shared-object—Settings that are defined in the Shared location.
• policy-and-objects—(Firewall only) Policy rules or objects that are
defined on a firewall that does not have multiple virtual systems.
• device-and-network—(Firewall only) Network and device settings
that are global (such as Interface Management profiles) and not
specific to a virtual system.
• <virtual-system>—(Firewall only) The name of the virtual system
in which policy rules or objects are defined on a firewall that has
multiple virtual systems. This also includes network and device
settings that are specific to a virtual system (such as zones).
• <device-group>—(Panorama only) The name of the device group in
which the policy rules or objects are defined.
• <template>—(Panorama only) The name of the template or
template stack in which the settings are defined.
• <log-collector-group>—(Panorama only) The name of the Collector
Group in which the settings are defined.
• <log-collector>—(Panorama only) The name of the Log Collector in
which the settings are defined.

Location Type This column categorizes the locations where the changes were made:
• Virtual Systems—(Firewall only) Settings that are defined in a
specific virtual system.
• Device Groups—(Panorama only) Settings that are defined in a
specific device group.
• Templates—(Panorama only) Settings that are defined in a specific
template or template stack.
• Collector Groups—(Panorama only) Settings that are specific to a
Collector Group configuration.

Include in Save (Partial save only) Enables you to select the changes you want to save. By default, all
changes within the Save Scope are selected. This column displays only
after you choose to Save Changes Made By specific administrators.

There might be dependencies that affect the changes
you include in a save. For example, if you add an
object and another administrator then edits that
object, you cannot save the change for the other
administrator without also saving your own change.

Group by Location Type Groups the list of configuration changes in the Save Scope by
Location Type.

Preview Changes Enables you to compare the configurations you selected in the Save
Scope to the running configuration. The preview window uses color
coding to indicate which changes are additions (green), modifications
(yellow), or deletions (red).
To help you match the changes to sections of the web interface, you
can configure the preview window to display Lines of Context before
and after each change. These lines are from the files of the candidate
and running configurations that you are comparing.

Because the preview results display in a new window, your browser must allow pop-up windows. If the
preview window does not open, refer to your browser documentation for the steps to unblock pop-up
windows.

Change Summary Lists the individual settings for which you are saving changes. The
Change Summary list displays the following information for each
setting:
• Object Name—The name that identifies the policy, object, network
setting, or device setting.
• Type—The type of setting (such as Address, Security rule, or Zone).
• Location Type—Indicates whether the setting is defined in Virtual
Systems.
• Location—The name of the virtual system where the setting is
defined. The column displays Shared for settings that are not
specific to a virtual system.
• Operations—Indicates every operation (create, edit, or delete)
performed on the setting since the last commit.
• Owner—The administrator who made the last change to the
setting.
• Will Be Saved—Indicates whether the save operation will include
the setting.
• Previous Owners—Administrators who made changes to the
setting before the last change.

Optionally, you can Group By column name (such as Type).

Save Saves the selected changes to a configuration snapshot file:
• If you selected Save All Changes, the firewall overwrites the
default configuration snapshot file (.snapshot.xml).
• If you selected Save Changes Made By, specify the Name of a new
or existing configuration file, and click OK.

Revert Changes
Select Config > Revert Changes at the top right of the firewall or Panorama web interface to undo changes
made to the candidate configuration since the last commit. Reverting changes restores the settings to
the values of the running configuration. You can filter which configuration changes to revert based on
administrator or location. The location can be specific virtual systems, shared policies and objects, or shared
device and network settings.
You cannot revert changes until the firewall or Panorama finishes processing all commits that are pending
or in progress. After you initiate the revert process, the firewall or Panorama automatically locks the
candidate and running configurations so that other administrators cannot edit settings or commit changes.
After completing the revert process, the firewall or Panorama automatically removes the lock.
The Revert Changes dialog displays the options described in the following table:

Field/Button Description

Revert All Changes Reverts all changes for which you have administrative privileges
(default). You cannot manually filter the scope of the configuration
changes that the firewall reverts when you select this option. Instead,
the administrator role assigned to the account you used to log in
determines the revert scope:
• Superuser role—The firewall reverts the changes of all
administrators.
• Custom role—The privileges of the Admin Role profile assigned
to your account determine the revert scope (see Device > Admin
Roles). If the profile includes the privilege to Commit For Other
Admins, the firewall reverts changes configured by any and all
administrators. If your Admin Role profile does not include the
privilege to Commit For Other Admins, the firewall reverts only
your changes and not those of other administrators.

In Admin Role profiles, the privileges for committing also apply to reverting.

If you implemented access domains, the firewall automatically applies those domains to filter the
revert scope (see Device > Access Domain). Regardless of your administrative role, the firewall reverts
only the configuration changes in the access domains assigned to your account.

Revert Changes Made By Filters the scope of configuration changes that the firewall reverts.
The administrative role assigned to the account you used to log in
determines your filtering options:
• Superuser role—You can limit the revert scope to changes that
specific administrators made and to changes in specific locations.
• Custom role—The privileges of the Admin Role profile assigned to
your account determine your filtering options (see Device > Admin
Roles). If the profile includes the privilege to Commit For Other
Admins, you can limit the revert scope to changes configured by
specific administrators and to changes in specific locations. If your
Admin Role profile does not include the privilege to Commit For
Other Admins, you can limit the revert scope only to the changes
you made in specific locations.
Filter the revert scope as follows:
• Filter by administrator—Even if your role allows reverting the
changes of other administrators, the revert scope includes only
your changes by default. To add other administrators to the revert
scope, click the <usernames> link, select the administrators, and
click OK.
• Filter by location—Select the changes in specific locations to
Include in Revert.
If you have implemented access domains, the firewall automatically
filters the revert scope based on those domains (see Device > Access
Domain). Regardless of your administrative role and your filtering
choices, the revert scope includes only the configuration changes in
the access domains assigned to your account.

Revert Scope Lists the locations that have changes to revert. Whether the list
includes all changes or a subset of the changes depends on several
factors, as described for the Revert All Changes and Revert Changes
Made By options. The locations can be any of the following:
• shared-object—Settings that are defined in the Shared location.
• policy-and-objects—(Firewall only) Policy rules or objects that are
defined on a firewall that does not have multiple virtual systems.
• device-and-network—(Firewall only) Network and device settings
that are global (such as Interface Management profiles) and not
specific to a virtual system.
• <virtual-system>—(Firewall only) The name of the virtual system
in which policy rules or objects are defined on a firewall that has
multiple virtual systems. This also includes network and device
settings that are specific to a virtual system (such as zones).
• <device-group>—(Panorama only) The name of the device group in
which the policy rules or objects are defined.
• <template>—(Panorama only) The name of the template or
template stack in which the settings are defined.
• <log-collector-group>—(Panorama only) The name of the Collector
Group in which the settings are defined.
• <log-collector>—(Panorama only) The name of the Log Collector in
which the settings are defined.

Location Type This column categorizes the locations where the changes were made:
• Virtual Systems—(Firewall only) Settings that are defined in a
specific virtual system.
• Device Group—(Panorama only) Settings that are defined in a
specific device group.
• Template—(Panorama only) Settings that are defined in a specific
template or template stack.
• Log Collector Group—(Panorama only) Settings that are specific to
a Collector Group configuration.

• Log Collector—(Panorama only) Settings that are specific to a Log
Collector configuration.
• Other Changes—Settings that are not specific to any of the
preceding configuration areas (such as shared objects).

Include in Revert (Partial revert only) Enables you to select the changes you want to revert. By default,
all changes within the Revert Scope are selected. This column
displays only after you choose to Revert Changes Made By specific
administrators.

There might be dependencies that affect the changes you include in a revert. For example, if you add an
object and another administrator then edits that object, you cannot revert your change without also
reverting the change for the other administrator.

Group by Location Type Lists the configuration changes in the Revert Scope by Location Type.

Preview Changes Enables you to compare the configurations you selected in the Revert
Scope to the running configuration. The preview window uses color
coding to indicate which changes are additions (green), modifications
(yellow), or deletions (red).
To help you match the changes to sections of the web interface, you
can configure the preview window to display Lines of Context before
and after each change. These lines are from the files of the candidate
and running configurations that you are comparing.

Because the preview results display in a new window, your browser must allow pop-up windows. If the
preview window does not open, refer to your browser documentation for the steps to unblock pop-up
windows.

Change Summary Lists the individual settings for which you are reverting changes. The
Change Summary list displays the following information for each
setting:
• Object Name—The name that identifies the policy, object, network
setting, or device setting.
• Type—The type of setting (such as Address, Security rule, or Zone).
• Location Type—Indicates whether the setting is defined in Virtual
Systems.
• Location—The name of the virtual system where the setting is
defined. The column displays Shared for settings that are not
specific to a virtual system.
• Operations—Indicates every operation (create, edit, or delete)
performed on the setting since the last commit.
• Owner—The administrator who made the last change to the
setting.
• Will Be Reverted—Indicates whether the revert operation will
include the setting.

• Previous Owners—Administrators who made changes to the
setting before the last change.
Optionally, you can Group By column name (such as Type).

Revert Reverts the selected changes.
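The rules in the table above (role, the Commit For Other Admins privilege, the administrator and location filters, and access domains) combine into a single scope computation. The following is an added example that models that computation; it is not PAN-OS code. The class names, the sample changes and the representation of an access domain as the set of locations it grants are all constructed for illustration.

```python
"""Model of how the firewall derives the Revert Scope from the administrator's
role, the Commit For Other Admins privilege, and access domains.

Added example for this help page; it is not PAN-OS code. The classes,
field names and sample changes are constructed for illustration, and an
access domain is represented simply as the set of locations it grants.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Change:
    object_name: str   # name shown in the Change Summary
    setting_type: str  # Address, Security rule, Zone, ...
    location: str      # shared-object, a vsys name, device-and-network, ...
    owner: str         # administrator who made the last change


@dataclass
class Admin:
    username: str
    superuser: bool = False
    commit_for_other_admins: bool = False      # Admin Role profile privilege
    access_domains: Optional[Set[str]] = None  # None: access domains not in use


def can_revert_others(admin: Admin) -> bool:
    """Superusers revert everyone's changes; a custom role needs the
    Commit For Other Admins privilege, which also applies to reverting."""
    return admin.superuser or admin.commit_for_other_admins


def revert_scope(changes: Iterable[Change], admin: Admin,
                 selected_admins: Optional[Iterable[str]] = None,
                 selected_locations: Optional[Iterable[str]] = None) -> List[Change]:
    """Return the changes a revert would include.

    With both filters None this is Revert All Changes. Passing either filter
    emulates Revert Changes Made By: by default only your own changes are in
    scope, and other administrators can be added only if your role allows it.
    """
    if selected_admins is None and selected_locations is None:
        owners = None if can_revert_others(admin) else {admin.username}
    else:
        owners = {admin.username}
        if selected_admins is not None and can_revert_others(admin):
            owners |= set(selected_admins)
    locations = None if selected_locations is None else set(selected_locations)

    scope = []
    for change in changes:
        if owners is not None and change.owner not in owners:
            continue
        if locations is not None and change.location not in locations:
            continue
        # Access domains filter the scope regardless of role or filter choices.
        if admin.access_domains is not None and change.location not in admin.access_domains:
            continue
        scope.append(change)
    return scope


# Constructed sample of pending candidate-configuration changes.
SAMPLE_CHANGES = [
    Change("web-srv", "Address", "vsys1", "alice"),
    Change("allow-dns", "Security rule", "vsys2", "bob"),
    Change("dmz", "Zone", "vsys1", "bob"),
    Change("mgmt-restricted", "Interface Management profile", "device-and-network", "carol"),
]


def names(scope: List[Change]) -> List[str]:
    """Object names of the changes in a scope, in Change Summary order."""
    return [c.object_name for c in scope]


if __name__ == "__main__":
    print(names(revert_scope(SAMPLE_CHANGES, Admin("alice", superuser=True))))
    print(names(revert_scope(SAMPLE_CHANGES, Admin("bob"), selected_admins=["alice"])))
```

The second call in the usage block shows the point that is easy to miss in the table: an administrator without Commit For Other Admins who adds another administrator to the filter still gets only their own changes in the scope.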

Lock Configurations
To help you coordinate configuration tasks with other firewall administrators during concurrent login
sessions, the web interface enables you to apply a configuration or commit lock so that other
administrators cannot change the configuration or commit changes until the lock is removed.
At the top right of the web interface, a locked padlock icon indicates that one or more locks are set (with
the number of locks in parentheses); an unlocked padlock icon indicates that no locks are set. Clicking
either padlock opens the Locks dialog, which provides the following options and fields.

To configure the firewall to automatically set a commit lock whenever an administrator
changes the candidate configuration, select Device > Setup > Management, edit the General
Settings, enable Automatically Acquire Commit Lock, and then click OK and Commit.
When you revert changes (Config > Revert Changes), the firewall automatically locks the
candidate and running configuration so that other administrators cannot edit settings or
commit changes. After completing the revert process, the firewall automatically removes the
lock.

Field/Button Description

Admin The username of the administrator who set the lock.

Location On a firewall with more than one virtual system (vsys), the scope of
the lock can be a specific vsys or the Shared location.

Type The lock type can be:
• Config Lock—Blocks other administrators from changing the
candidate configuration. Only a superuser or the administrator who
set the lock can remove it.
• Commit Lock—Blocks other administrators from committing
changes made to the candidate configuration. The commit
queue does not accept new commits until all locks are released.
This lock prevents collisions that can occur when multiple
administrators make changes during concurrent login sessions and
one administrator finishes and initiates a commit before the other
administrators have finished. The firewall automatically removes
the lock after completing the commit for which the administrator
set the lock. A superuser or the administrator who set the lock can
also manually remove it.

Comment Enter up to 256 characters of text. This is useful for other
administrators who want to know the reason for the lock.

Created At The date and time when an administrator set the lock.

Logged In Indicates whether the administrator who set the lock is currently
logged in.


Take a Lock To set a lock, Take a Lock, select the Type, select the Location
(multiple virtual system firewalls only), enter optional Comments, click
OK, and then Close.

Remove Lock To release a lock, select it, Remove Lock, click OK, and then Close.
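The lock rules above (who a config lock blocks, what a commit lock does to the commit queue, automatic release after the commit, and who may remove a lock) are the kind of access-control logic worth checking against concrete cases. The following is an added example that models those rules; it is not PAN-OS code. Class and method names are constructed, and two simplifications are assumptions of the model rather than statements from the page: a lock in the Shared location is treated as covering every vsys, and the administrator holding a commit lock is allowed to commit past it.

```python
"""Model of the config-lock and commit-lock rules on the Lock Configurations
page: a config lock blocks other administrators from editing the candidate
configuration, a commit lock keeps the commit queue closed to others until it
is released, the firewall releases a commit lock after the locking
administrator's commit completes, and only a superuser or the lock owner can
remove a lock manually.

Added example for this help page; not PAN-OS code. Assumptions: a Shared lock
covers every vsys, and the commit-lock holder may commit past its own lock.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


@dataclass
class Lock:
    admin: str
    lock_type: str            # "config" or "commit"
    location: str = "shared"  # a vsys name, or "shared"
    comment: str = ""
    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class LockTable:
    def __init__(self, auto_acquire_commit_lock: bool = False):
        # Mirrors Device > Setup > Management > Automatically Acquire Commit Lock
        self.auto_acquire_commit_lock = auto_acquire_commit_lock
        self.locks: List[Lock] = []

    def take(self, admin: str, lock_type: str, location: str = "shared",
             comment: str = "") -> Lock:
        if lock_type not in ("config", "commit"):
            raise ValueError("lock type must be 'config' or 'commit'")
        if len(comment) > 256:
            raise ValueError("comment is limited to 256 characters")
        lock = Lock(admin, lock_type, location, comment)
        self.locks.append(lock)
        return lock

    def remove(self, requester: str, lock: Lock, superuser: bool = False) -> bool:
        """Only a superuser or the administrator who set the lock may remove it."""
        if lock not in self.locks or not (superuser or requester == lock.admin):
            return False
        self.locks.remove(lock)
        return True

    def _covers(self, lock: Lock, location: str) -> bool:
        return lock.location == "shared" or lock.location == location

    def can_edit(self, admin: str, location: str = "shared") -> bool:
        """A config lock blocks everyone except its owner from changing the
        candidate configuration within the locked scope."""
        return not any(l.lock_type == "config" and l.admin != admin
                       and self._covers(l, location) for l in self.locks)

    def edit(self, admin: str, location: str = "shared") -> bool:
        """Apply a candidate-configuration change, auto-acquiring a commit lock
        for the editing administrator when that option is enabled."""
        if not self.can_edit(admin, location):
            return False
        if self.auto_acquire_commit_lock and not any(
                l.lock_type == "commit" and l.admin == admin for l in self.locks):
            self.take(admin, "commit", location, "auto-acquired")
        return True

    def can_commit(self, admin: str) -> bool:
        """The commit queue accepts nothing from other administrators while a
        commit lock is held."""
        return not any(l.lock_type == "commit" and l.admin != admin for l in self.locks)

    def commit(self, admin: str) -> bool:
        if not self.can_commit(admin):
            return False
        # The firewall removes the commit lock after the commit it was set for.
        self.locks = [l for l in self.locks
                      if not (l.lock_type == "commit" and l.admin == admin)]
        return True

    def count(self) -> int:
        """The number shown in parentheses next to the padlock icon."""
        return len(self.locks)


if __name__ == "__main__":
    table = LockTable(auto_acquire_commit_lock=True)
    table.edit("alice", "vsys1")           # auto-acquires alice's commit lock
    print(table.can_commit("bob"), table.count())   # False 1
    table.commit("alice")
    print(table.can_commit("bob"), table.count())   # True 0
```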

Global Find
Global Find enables you to search the candidate configuration on a firewall or on Panorama for a particular
string, such as an IP address, object name, policy name, threat ID, rule UUID, or application name. The
search results are grouped by category and provide links to the configuration location in the web interface
so that you can easily find all of the places where the string exists or is referenced.

To launch global find, click the Search icon on the upper right side of the web interface. Global Find is
available from all web interface pages and locations. The following is a list of Global Find features to help
you perform successful searches:
• If you initiate a search on a firewall that has multiple virtual systems enabled or if administrative roles
are defined, Global Find will return results only for areas of the firewall for which you have permission to
access. The same applies to Panorama device groups; you will see search results only for device groups
to which you have administrative access.
• Spaces in search text are handled as AND operations. For example, if you search on corp policy, both
corp and policy must exist in the configuration item for it to be included in the search results.
• To find an exact phrase, surround the phrase in quotes.
• To re-run a previous search, click Global Find to display a list of the last 20 searches. Click any
item in the list to re-run that search. The search history list is unique to each administrative account.
Global Find is available for each field that is searchable. For example, in the case of a Security policy,
you can search on the following fields: Name, Tags, Zone, Address, User, HIP Profile, Application, UUID,
and Service. To perform a search, click the drop-down next to any of these fields and click Global Find.
For example, if you click Global Find on a zone named l3-vlan-trust, Global Find will search the entire
configuration for that zone name and return results for each location where the zone is referenced. The
search results are grouped by category and you can hover over any item to view details or you can click an
item to navigate to the configuration page for that item.
Global Find does not search dynamic content that the firewall allocates to users (such as logs, address
ranges, or individual DHCP addresses). In the case of DHCP, you can search on a DHCP server attribute,
such as the DNS entry, but you cannot search for individual addresses issued to users. Another example is
usernames that the firewall collects when you enable the User-ID™ feature. In this case, a username or user
group that exists in the User-ID database is only searchable if the name or group exists in the configuration,
such as when a user group name is defined in a policy. In general, you can only search for content that the
firewall writes to the configuration.
Looking for more?
Learn more about using Global Find to search the firewall or Panorama configuration.
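The matching rules listed above (spaces as AND, quotes for an exact phrase, results grouped by category with a link to the object's location) can be checked on a small configuration. The following is an added example that emulates those rules over a constructed XML fragment; it is not the PAN-OS implementation, the fragment is deliberately simplified and does not follow real PAN-OS configuration structure, and the function names are chosen for illustration.

```python
"""Emulation of the matching rules Global Find applies to the candidate
configuration: whitespace-separated terms are ANDed, a double-quoted phrase
must appear exactly, matching is case-insensitive, and hits are grouped by
category with the location where each object is defined.

Added example for this help page; it is not the PAN-OS implementation. The
candidate configuration below is a constructed, simplified XML fragment
(real PAN-OS configuration XML differs), and the function names are chosen
for illustration.
"""
import shlex
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_CANDIDATE_CONFIG = """<config>
  <shared>
    <address>
      <entry name="corp-dns"><ip-netmask>10.1.1.53/32</ip-netmask></entry>
      <entry name="web-srv"><ip-netmask>10.1.2.10/32</ip-netmask></entry>
    </address>
  </shared>
  <vsys name="vsys1">
    <zone>
      <entry name="l3-vlan-trust"/>
      <entry name="l3-untrust"/>
    </zone>
    <rulebase><security>
      <entry name="corp policy dns">
        <from><member>l3-vlan-trust</member></from>
        <to><member>l3-untrust</member></to>
        <destination><member>corp-dns</member></destination>
        <action>allow</action>
      </entry>
      <entry name="web access">
        <from><member>l3-vlan-trust</member></from>
        <to><member>l3-untrust</member></to>
        <destination><member>web-srv</member></destination>
        <action>allow</action>
      </entry>
    </security></rulebase>
  </vsys>
</config>"""


def parse_query(query: str) -> List[str]:
    """Split search text as Global Find interprets it: spaces separate AND
    terms, double quotes group an exact phrase."""
    try:
        terms = shlex.split(query)
    except ValueError:          # unbalanced quote: fall back to plain words
        terms = query.split()
    return [t.lower() for t in terms if t]


def _searchable_text(elem: ET.Element) -> str:
    """Everything one object can be matched on: its name and other
    attributes plus all nested values (the members it references)."""
    parts = list(elem.attrib.values())
    parts += [t.strip() for t in elem.itertext() if t.strip()]
    return " ".join(parts).lower()


def global_find(config_xml: str, query: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {category: [(location, object name), ...]} for every object
    whose text contains all query terms."""
    root = ET.fromstring(config_xml)
    terms = parse_query(query)
    parent = {child: node for node in root.iter() for child in node}
    results: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for entry in root.iter("entry"):
        text = _searchable_text(entry)
        if not terms or not all(term in text for term in terms):
            continue
        category = parent[entry].tag            # address, zone, security, ...
        node, location = entry, "shared"
        while node in parent:                   # climb to the enclosing vsys
            node = parent[node]
            if node.tag == "vsys":
                location = node.get("name", "shared")
                break
        results[category].append((location, entry.get("name", "")))
    return dict(results)


if __name__ == "__main__":
    # The zone name search from the text: the zone itself plus every rule that references it.
    print(global_find(SAMPLE_CANDIDATE_CONFIG, "l3-vlan-trust"))
```

Searching the zone name returns the zone entry and both rules that reference it, because a rule's searchable text includes its member values; searching `corp policy` without quotes matches the rule whose name contains both words, while `"policy corp"` in quotes matches nothing.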

Threat Details
• Monitor > Logs > Threat
• ACC > Threat Activity
• Objects > Security Profiles > Anti-Spyware/Vulnerability Protection
Use the Threat Details dialog to learn more about the threat signatures with which the firewall is equipped
and the events that trigger those signatures. Threat details are provided for:
• Threat logs that record the threats that the firewall detects (Monitor > Logs > Threat)
• The top threats found in your network (ACC > Threat Activity)
• Threat signatures that you want to modify or exclude from enforcement (Objects > Security Profiles >
Anti-Spyware/Vulnerability Protection)
When you find a threat signature you want to learn more about, hover over the Threat Name or the threat
ID and click Exception to review the threat details. The threat details allow you to easily check whether
a threat signature is configured as an exception to your security policy and to find the latest Threat Vault
information about a specific threat. The Palo Alto Networks Threat Vault database is integrated with the
firewall, allowing you to view expanded details about threat signatures in the firewall context or launch a
Threat Vault search in a new browser window for a logged threat.
Depending on the type of threat you’re viewing, the details include all or some of the threat details
described in the following table.

Threat Details Description

Name Threat signature name.

ID Unique threat signature ID. Select View in Threat Vault to open a Threat Vault
search in a new browser window and look up the latest information that the Palo
Alto Networks threat database has for this signature. The Threat Vault entry for
the threat signature might include additional details, including the first and last
content releases to include updates to the signature and the minimum PAN-OS
version required to support the signature.

Description Information about the threat that triggers the signature.

Severity The threat severity level: informational, low, medium, high, or critical.

CVE Publicly known security vulnerabilities associated with the threat. The Common
Vulnerabilities and Exposures (CVE) identifier is the most useful identifier for
finding information about unique vulnerabilities as vendor-specific IDs commonly
encompass multiple vulnerabilities.

Bugtraq ID The Bugtraq ID associated with the threat.

Vendor ID The vendor-specific identifier for a vulnerability. For example, MS16-148 is the
vendor ID for one or more Microsoft vulnerabilities and APBSB16-39 is the vendor
ID for one or more Adobe vulnerabilities.

Reference Research sources you can use to learn more about the threat.


Exempt Profiles Security profiles that define a different enforcement action for the threat signature
than the default signature action. The threat exception is only active when exempt
profiles are attached to a security policy rule (check if the exception is Used in
current security rule).

Used in current security rule Active threat exceptions—A check mark in this column indicates that the firewall is
actively enforcing the threat exception (the Exempt Profiles that define the threat
exception are attached to a security policy rule).
If this column is clear, the firewall is enforcing the threat based only on the
recommended default signature action.

Exempt IP Addresses Exempt IP addresses—You can add an IP address on which to filter the threat
exception or view existing Exempt IP Addresses. This option enforces a threat
exception only when the associated session has either a source or destination IP
address that matches the exempt IP address. For all other sessions, the threat is
enforced based on the default signature action.

If you’re having trouble viewing threat details, check for the following conditions:
• The firewall Threat Prevention license is active (Device > Licenses).
• The latest Antivirus and Threats and Applications content updates are installed.
• Threat Vault access is enabled (select Device > Setup > Management and edit the
Logging and Reporting setting to Enable Threat Vault Access).
• The default (or custom) Antivirus, Anti-Spyware, and Vulnerability Protection security
profiles are applied to your security policy.
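The Exempt Profiles, Used in current security rule and Exempt IP Addresses fields above describe one decision: which action the firewall applies when a signature fires. The following is an added example that models that decision; it is not PAN-OS code. The threat ID, the default action, and the profile and rule names are constructed placeholders, and sessions are matched on exact exempt IP addresses.

```python
"""Model of when a threat exception changes enforcement, following the
Threat Details page: the exception takes effect only when an Exempt Profile
that defines it is attached to the matching Security policy rule, and when
Exempt IP Addresses are configured it applies only to sessions whose source
or destination address is one of them; otherwise the firewall applies the
signature's default action.

Added example for this help page; not PAN-OS code. The threat ID, default
action, profile and rule names are constructed placeholders.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Signature:
    threat_id: int
    name: str
    severity: str        # informational, low, medium, high, critical
    default_action: str  # recommended default signature action


@dataclass
class ThreatException:
    action: str                                   # action the exception enforces
    exempt_ips: List[str] = field(default_factory=list)


@dataclass
class SecurityProfile:
    name: str
    exceptions: Dict[int, ThreatException] = field(default_factory=dict)


@dataclass
class SecurityRule:
    name: str
    profiles: List[str] = field(default_factory=list)   # attached profile names


def used_in_current_security_rule(threat_id: int, profiles: Dict[str, SecurityProfile],
                                  rules: List[SecurityRule]) -> List[str]:
    """Names of Exempt Profiles for this threat that are attached to a rule,
    i.e. the exceptions the firewall is actively enforcing."""
    attached = {p for r in rules for p in r.profiles}
    return sorted(name for name, prof in profiles.items()
                  if threat_id in prof.exceptions and name in attached)


def effective_action(sig: Signature, src_ip: str, dst_ip: str, rule: SecurityRule,
                     profiles: Dict[str, SecurityProfile]) -> Tuple[str, str]:
    """Action applied to a session that matched `rule` and triggered `sig`,
    with a short reason for the verdict."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for pname in rule.profiles:
        prof = profiles.get(pname)
        exc = prof.exceptions.get(sig.threat_id) if prof else None
        if exc is None:
            continue
        if exc.exempt_ips:
            exempt = {ip_address(ip) for ip in exc.exempt_ips}
            if src not in exempt and dst not in exempt:
                continue  # exempt IPs set but none match: default action applies
        return exc.action, f"exception in profile {pname}"
    return sig.default_action, "default signature action"


# Constructed sample data (threat ID and actions are placeholders).
SIG = Signature(threat_id=90000, name="example-signature", severity="high",
                default_action="reset-both")
PROFILES = {
    "vp-scanner-exception": SecurityProfile("vp-scanner-exception",
        {SIG.threat_id: ThreatException("alert", exempt_ips=["10.1.1.5"])}),
    "vp-unattached": SecurityProfile("vp-unattached",
        {SIG.threat_id: ThreatException("allow")}),
    "vp-default": SecurityProfile("vp-default"),
}
RULES = [
    SecurityRule("allow-web", profiles=["vp-scanner-exception"]),
    SecurityRule("allow-dns", profiles=["vp-default"]),
]

if __name__ == "__main__":
    print(used_in_current_security_rule(SIG.threat_id, PROFILES, RULES))
    print(effective_action(SIG, "10.1.1.5", "192.0.2.10", RULES[0], PROFILES))
    print(effective_action(SIG, "10.1.1.6", "192.0.2.10", RULES[0], PROFILES))
```

The `vp-unattached` profile defines an exception but is not attached to any rule, so it never appears in the Used in current security rule result and never changes enforcement; and a session from a non-exempt address falls back to the default action even though the rule carries the exception profile.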

AutoFocus Intelligence Summary
You can view a graphical overview of threat intelligence that AutoFocus compiles to help you assess the
pervasiveness and risk of the following firewall artifacts:
• IP Address
• URL
• Domain
• User agent (found in the User Agent column of Data Filtering logs)
• Threat name (only for threats of the subtypes virus and wildfire-virus)
• Filename
• SHA-256 hash (found in the File Digest column of WildFire Submissions logs)
To view the AutoFocus Intelligence Summary window, you must first have an active AutoFocus subscription
and enable AutoFocus threat intelligence (select Device > Setup > Management and edit the AutoFocus
settings).
After you’ve enabled AutoFocus intelligence, hover over a log or external dynamic list artifact to open the
drop-down menu and then click AutoFocus:
• View Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs (Monitor >
Logs).
• View external dynamic list entries.
You can also launch an AutoFocus search from the firewall, to further investigate interesting or suspicious
artifacts that you find.

Field/Button Description

Search AutoFocus for... Click to launch an AutoFocus search for the artifact.

Analysis Information Tab

Sessions The number of private sessions in which WildFire detected the artifact. Private
sessions are sessions running only on firewalls associated with your support
account. Hover over a session bar to view the number of sessions per month.

Samples Organization and global samples (files and email links) associated with the artifact
and grouped by WildFire verdict (benign, grayware, malware, phishing). Global
refers to samples from all WildFire submissions, while organization refers only to
samples submitted to WildFire by your organization.
Click on a WildFire verdict to launch an AutoFocus search for the artifact filtered
by scope (organization or global) and WildFire verdict.

Matching Tags AutoFocus tags matched to the artifact:
• Private Tags—Visible only to AutoFocus users associated with your support
account.
• Public Tags—Visible to all AutoFocus users.
• Unit 42 Tags—Identify threats and campaigns that pose a direct security risk.
These tags are created by Unit 42 (the Palo Alto Networks threat intelligence
and research team).
• Informational Tags—Unit 42 tags that identify commodity threats.

Hover over a tag to view the tag description and other tag details.
Click a tag to launch an AutoFocus search for that tag.
To view more matching tags for an artifact, click the ellipsis ( ... ) to launch an
AutoFocus search for that artifact. The Tags column in the AutoFocus search
results displays more matching tags for the artifact.

Passive DNS Tab

The Passive DNS tab displays passive DNS history associated with the artifact. This tab only displays matching
information if the artifact is an IP address, domain, or URL.

Request The domain that submitted a DNS request. Click the domain to launch an
AutoFocus search for it.

Type The DNS request type (example: A, NS, CNAME).

Response The IP address or domain to which the DNS request resolved. Click the IP address
or domain to launch an AutoFocus search.

The Response column does not display private IP addresses.

Count The number of times the request was made.

First Seen The date and time that the Request, Response, and Type combination was first
seen based on passive DNS history.

Last Seen The date and time that the Request, Response, and Type combination was most
recently seen based on passive DNS history.

Matching Hashes Tab

The Matching Hashes tab displays the five most recent private samples where WildFire detected the artifact.
Private samples are samples detected only on firewalls associated with your support account.

SHA256 The SHA-256 hash for a sample. Click the hash to launch an AutoFocus search for
that hash.

File Type The file type of the sample.

Create Date The date and time that WildFire analyzed a sample and assigned a WildFire verdict
to it.

Update Date The date and time that WildFire updated the WildFire verdict for a sample.

Verdict The WildFire verdict for a sample: benign, grayware, malware, or phishing.

Configuration Table Export
Administrative users can export the data on policy rulebase, objects, managed devices, and interfaces in
tabular format in either a PDF file or a CSV file. The data that is exported is the visible data on the web
interface. For filtered data, only data matching the filter is exported. If you don’t apply any filter, then all
data is exported.
All sensitive data, such as a password, is hidden with wildcard (*) symbols.
A system log and download link are generated on successful configuration table export. Use the download
link to save the PDF or CSV file locally. After you close the window that contains the download link, the
download link for that specific export is no longer available.
To export table data, click PDF/CSV and configure the following settings:

Export Settings Description

File Name Enter a name (maximum of 200 characters) to identify the exported data. This name
becomes the name of the downloaded file that is generated by the export.

File Type Select the type of export output to generate. You can choose either PDF or CSV
format.

Page Size The default page size is Letter (8.5 by 11.0 inches). You cannot change the page size.
By default, the PDF is generated in portrait orientation and changes to landscape
orientation to accommodate the maximum number of columns.

Description (PDF only) Enter a description (maximum of 255 characters) to provide context and additional
information about the export.

Table Data Shows the table data that will be exported. If you need to clear the filtering settings
that you set previously, click Show All Columns to show all policy rules under the
selected policy type. Then you can add or remove columns and apply filters as
needed.

Show All Columns Remove all filters and show all table columns.

Click Export to generate the configuration table download link.

Change Boot Mode
Some firewalls boot into Zero Touch Provisioning (ZTP) mode by default. No input is required during startup
if opting for a ZTP configuration. If you are deploying a non-ZTP (standard) firewall, you must access the CLI
to exit ZTP mode.

You must have the ZTP plugin installed on your Panorama management server to access
ZTP functionality.

STEP 1 | After powering on the firewall, use a terminal emulator such as PuTTY to watch for the
following CLI prompt:

Do you want to exit ZTP mode and configure your firewall in standard mode
(yes/no)[no]?

Enter yes. The system then asks you to confirm. Enter yes again to boot the firewall in standard mode.

STEP 2 | (If you miss the above CLI prompt) You can also change your boot mode using the web interface.
Go to the firewall login screen at any point before or during the startup process. A prompt asks
if you want to continue booting in ZTP mode or if you want to switch to standard mode. Select
Standard Mode and the firewall begins rebooting in standard mode.

STEP 3 | Set up the firewall manually if using standard mode. If using ZTP mode, the device group and
template configuration defined on the Panorama management server are automatically pushed
to the firewall by the ZTP service.
• (Standard mode) Change the IP address on your computer to an address in the 192.168.1.0/24
network, such as 192.168.1.2. From a web browser, go to https://192.168.1.1. When prompted, log
in to the web interface using the default username and password (admin/admin).
• (ZTP mode) Follow the instructions provided by your Panorama administrator to register your ZTP
firewall. You must enter the serial number (12-digit number identified as S/N) and claim key (8-digit
number). These numbers are on stickers attached to the back of the device.

Dashboard
The Dashboard widgets show general firewall or Panorama™ information, such as the software
version, status of each interface, resource utilization, and up to 10 entries for each of several
log types; log widgets display entries from the last hour.
The Dashboard Widgets topic describes how to use the Dashboard and describes the available
widgets.

Dashboard Widgets
By default, the Dashboard displays widgets in a Layout of 3 Columns but you can customize the Dashboard
to display only 2 Columns, instead.
You can also decide which widgets to display or hide so that you see only those you want to monitor. To
display a widget, select a widget category from the Widgets drop-down and select a widget to add it to the
Dashboard (widget names that appear in faded grayed-out text are already displayed). Hide (stop displaying)
a widget by closing it (the close icon in the widget header). The firewalls and Panorama save your widget
display settings across logins (separately for each administrator).
Refer to the Last updated timestamp to determine when the Dashboard data was last refreshed. You can
manually refresh the entire Dashboard (the refresh icon in the top right corner of the Dashboard) or you can
refresh individual widgets (the refresh icon within each widget header). Use the unlabeled drop-down next to
the manual Dashboard refresh option to select the automatic refresh interval for the entire Dashboard (in
minutes): 1 min, 2 mins, or 5 mins; to disable automatic refresh for the entire Dashboard, select Manual.

Dashboard Widgets Description

Application Widgets

Top Applications Displays the applications with the most sessions. The block size indicates the
relative number of sessions (mouse over the block to view the number), and
the color indicates the security risk—from green (lowest) to red (highest). Click
an application to view its application profile.

Top High Risk Applications Similar to Top Applications except that it displays the highest-risk applications
with the most sessions.

ACC Risk Factor Displays the average risk factor (1-5) for the network traffic processed over
the past week. Higher values indicate higher risk.

System Widgets

General Information Displays the firewall or Panorama name and model, the Panorama CPU and
RAM, the Panorama system mode, the PAN-OS® or Panorama software
version, the IPv4 and IPv6 management IP information, the serial number, the
CPU ID and UUID, the application, threat, and URL filtering definition versions,
the current date and time, and the length of time since the last restart.

Interfaces (Firewall only) Indicates whether each interface is up (green), down (red), or in an unknown
state (gray).

System Resources Displays the Management CPU usage, Data Plane usage, and the Session
Count (the number of sessions established through the firewall or Panorama).

High Availability Indicates—when high availability (HA) is enabled—the HA status of the
local and peer firewall/Panorama—green (active), yellow (passive), or black
(other). For more information about HA, refer to Device > Virtual Systems or
Panorama > High Availability.


Locks Shows configuration locks that administrators have set.

Logged In Admins Displays the source IP address, session type (web interface or CLI), and session
start time for each administrator who is currently logged in.

Logs Widgets

Threat Logs Displays the threat ID, application, and date and time for the last 10 entries in
the Threat log. The threat ID is a malware description or URL that violates the
URL filtering profile. Displays only entries from the last 60 minutes.

URL Filtering Logs Displays the description and date and time for the last 60 minutes in the URL
Filtering log.

Data Filtering Logs Displays the description and date and time for the last 60 minutes in the Data
Filtering log.

Config Logs Displays the administrator username, client (web interface or CLI), and date
and time for the last 10 entries in the Configuration log. Displays only entries
from the last 60 minutes.

System Logs Displays the description and date and time for the last 10 entries in the System
log.

A “Config installed” entry indicates configuration changes were
committed successfully. Displays only entries from the last 60
minutes.



ACC
The Application Command Center (ACC) is an analytical tool that provides actionable
intelligence about the activity within your network. The ACC uses the firewall logs to
graphically depict traffic trends on your network. The graphical representation allows you to
interact with the data and visualize the relationships between events on the network including
network usage patterns, traffic patterns, and suspicious activity and anomalies.

> A First Glance at the ACC
> ACC Tabs
> ACC Widgets
> ACC Actions
> Working with Tabs and Widgets
> Working with Filters—Local Filters and Global Filters

Looking for more? See Use the Application Command Center.

A First Glance at the ACC
The following table shows the ACC tab and describes each component.

A First Glance at the ACC

1 Tabs The ACC includes predefined tabs that provide visibility into network traffic,
threat activity, blocked activity, tunnel activity, and mobile network activity (if
GTP security is enabled). For information on each tab, see ACC Tabs.

2 Widgets Each tab includes a default set of widgets that best represent the events and
trends associated with the tab. The widgets allow you to survey the data using
the following filters: bytes (in and out), sessions, content (files and data), URL
categories, applications, users, threats (malicious, benign, grayware, phishing), and
count. For information on each widget, see ACC Widgets.

3 Time The charts and graphs in each widget provide a real-time and historic view. You
can choose a custom range or use the predefined time periods that range from the
last 15 minutes up to the last 90 days or last 30 calendar days.
The time period used to render data, by default, is the last hour. The date and time
interval are displayed on screen. For example:

11/11 10:30:00-01/12 11:29:59

4 Global Filters The global filters allow you to set the filter across all tabs. The charts and graphs
apply the selected filters before rendering the data. For information on using the
filters, see ACC Actions.

5 Application View The application view allows you to filter the ACC view by either the sanctioned
and unsanctioned applications in use on your network, or by the risk level of the
applications in use on your network. Green indicates sanctioned applications, blue
indicates unsanctioned applications, and yellow indicates applications that have a
different sanctioned state across different virtual systems or device groups.

6 Risk Meter The risk meter (1=lowest to 5=highest) indicates the relative security risk on your
network. The risk meter uses a variety of factors such as the type of applications
seen on the network and the risk levels associated with the applications, the
threat activity and malware as seen through the number of blocked threats, and
compromised hosts or traffic to malware hosts and domains.

7 Source The data used for the display varies between the firewall and Panorama™. You
have the following options to select what data is used to generate the views on
the ACC:
Virtual System: On a firewall that is enabled for multiple virtual systems, you can
use the Virtual System drop-down to change the ACC display to include all virtual
systems or just a selected virtual system.
Device Group: On Panorama, you can use the Device Group drop-down to
change the ACC display to include data from all device groups or just a selected
device group.
Data Source: On Panorama, you can also change the display to use Panorama or
Remote Device Data (managed firewall data). When the data source is Panorama,
you can filter the display for a specific device group.

8 Export You can export the widgets displayed in the current tab as a PDF.

ACC Tabs
• Network Activity—Displays an overview of traffic and user activity on your network. This view focuses
on the top most-used applications, the top users who generate traffic with a drill down into the bytes,
content, threats, and URLs accessed by the user, and the most used Security policy rules against which
traffic matches occur. In addition, you can view network activity by source or destination zone, region, or
IP address; by ingress or egress interfaces; and by host information, such as the operating systems of the
devices most commonly used on the network.
• Threat Activity—Displays an overview of the threats on the network. It focuses on the top threats—
vulnerabilities, spyware, viruses, hosts visiting malicious domains or URLs, top WildFire submissions by
file type and application, and applications that use non-standard ports. The Compromised Hosts widget
supplements detection with better visualization techniques. It uses the information from the correlated
events tab (Monitor > Automated Correlation Engine > Correlated Events) to present an aggregated
view of compromised hosts on your network by source users or IP addresses, sorted on severity.
• Blocked Activity—Focuses on traffic that was prevented from coming into the network. The widgets in
this tab allow you to view activity denied by application name, username, threat name, content (files and
data), and the top security rules with a deny action that blocked traffic.
• Mobile Network Activity—Displays a visual representation of mobile traffic on your network using
GTP logs generated from your Security policy rule configuration. This view includes interactive and
customizable GTP Events, Mobile Subscriber Activity, and GTP Rejection Cause widgets to which
you can apply ACC Filters and drill down to isolate the information you need. When you enable SCTP
Security, widgets on this tab display a visual representation and details of SCTP events on the firewall, as
well as the number of chunks sent and received per SCTP Association ID.
• Tunnel Activity—Displays the activity of tunnel traffic that the firewall inspected based on your tunnel
inspection policies. Information includes tunnel usage based on tunnel ID, monitor tag, user, and tunnel
protocols such as Generic Routing Encapsulation (GRE), General Packet Radio Service (GPRS) tunneling
protocol for user data (GTP-U), and non-encrypted IPSec.
• GlobalProtect Activity—Displays an overview of user activity in your GlobalProtect deployment.
Information includes the number of users and number of times users connected, the gateways to which
users connected, the number of connection failures and the failure reason, a summary of authentication
methods and GlobalProtect app versions used, and the number of endpoints that are quarantined.
• SSL Activity—Displays the activity of decrypted and undecrypted TLS/SSL traffic based on your
Decryption policies and profiles. You can see TLS activity compared to non-TLS activity, the amount
of decrypted traffic versus the amount of undecrypted traffic, reasons for decryption failures, and
successful TLS version and key exchange activity. Use this information to identify traffic that causes
decryption issues and then use the Decryption Log and custom Decryption report templates to drill
down into details and gain context about that traffic so that you can diagnose and fix issues accurately.

You can also customize tabs and widgets as described in Working with Tabs and Widgets.

ACC Widgets
The widgets on each tab are interactive. You can set filters and drill down into the display to customize the
view and focus on the information you need.

Each widget is structured to display the following information:

1 View You can sort the data by bytes, sessions, threats, count, users, content,
applications, URLs, malicious, benign, grayware, phishing, file(name)s, data,
profiles, objects, portals, gateways, and profiles. The available options vary by
widget.

2 Graph The graphical display options are treemap, line graph, horizontal bar graph,
stacked area graph, stacked bar graph, pie chart, and map. The available options
vary by widget and the interaction experience varies with each graph type. For
example, the widget for Applications using Non-Standard Ports allows you to
choose between a treemap and a line graph.
To drill down into the display, click on the graph. The area you click on becomes
a filter and allows you to zoom in and view more granular information about that
selection.

3 Table The detailed view of the data used to render the graph displays in a table below
the graph.
You can click and set a local filter or a global filter for elements in the table. With a
local filter, the graph is updated and the table is sorted by that filter.
With a global filter, the view across the ACC pivots to display only the information
specific to your filter.

4 Actions The following are actions available in the title bar of a widget:

• Maximize view—Allows you to enlarge the widget and view it in a larger screen
space. In the maximized view, you can see more than the top ten items that
display in the default widget view.
• Set up local filters—Allows you to add filters that refine the display within the
widget. See Working with Filters—Local Filters and Global Filters.
• Jump to logs—Allows you to directly navigate to the logs (Monitor > Logs >
<log-type>). The logs are filtered using the time period for which the graph is
rendered.
If you set local and global filters, the log query concatenates the time period and
filters and displays only logs that match your filter set.
• Export—Allows you to export the graph as a PDF.

For a description of each widget, see the details on using the ACC.

ACC Actions
To customize and refine the ACC display, you can add and delete tabs, add and delete widgets, set local and
global filters, and interact with the widgets.
• Working with Tabs and Widgets
• Working with Filters—Local Filters and Global Filters

Working with Tabs and Widgets


The following options describe how to use and customize tabs and widgets.

• Add a custom tab.
1. Select Add ( ) along the list of tabs.
2. Add a View Name. This name will be used as the name for the tab. You can add up to 10 custom tabs.

• Edit a tab.
Select the tab and click edit next to the tab name to edit the tab.

• Set a tab as default
1. Edit a tab.
2. Select to set the current tab as the default. Each time you log in to the firewall, this tab will
display.

• Save a tab state
1. Edit a tab.
2. Select to save your preferences in the current tab as the default.
The tab state, including any filters that you may have set, is synchronized across HA peers.

• Export a tab
1. Edit a tab.
2. Select to export the current tab. The tab downloads to your computer as a .txt file. You must
enable pop-ups to download the file.

• Import a tab
1. Add a custom tab.
2. Select to import a tab.
3. Browse to the text (.txt) file and select it.

• See which widgets are included in a view.
1. Select the view and click edit ( ).
2. Select the Add Widgets drop-down to review selected widgets.

• Add a widget or a widget group.
1. Add a new tab or edit a predefined tab.
2. Select Add Widget and then select the widget you want to add. You can select a maximum of 12
widgets.
3. (Optional) To create a two-column layout, select Add Widget Group. You can drag and drop widgets
into the two-column display. As you drag the widget into the layout, a placeholder will display for you
to drop the widget.

You cannot name a widget group.

• Delete a tab, widget, or widget group.
To delete a custom tab, select the tab and click delete ( ). You cannot delete a predefined tab.
To delete a widget or widget group, edit the tab and then click delete ( [X] ). You cannot undo a
deletion.

• Reset the default view.


On a predefined view, such as the Blocked Activity view, you can delete one or more widgets. If you
want to reset the layout to include the default set of widgets for the tab, edit the tab and Reset View.

Working with Filters—Local Filters and Global Filters


To hone the details and finely control what the ACC displays, you can use filters:
• Local Filters—Local filters are applied on a specific widget. A local filter allows you to interact with the
graph and customize the display so that you can dig in to the details and access the information you
want to monitor on a specific widget. You can apply a local filter in two ways: click into an attribute in
the graph or table; or select Set Filter within a widget. Set Filter allows you to set a local filter that is
persistent across reboots.
• Global filters—Global filters are applied across the ACC. A global filter allows you to pivot the display
around the details you care most about and exclude the unrelated information from the current display.
For example, to view all events related to a specific user and application, you can apply the user’s IP
address and specify the application to create a global filter that displays only information pertaining to
that user and application through all the tabs and widgets on the ACC. Global filters are not persistent
across logins.
Global filters can be applied in three ways:
• Set a global filter from a table—Select an attribute from a table in any widget and apply the attribute as a
global filter.
• Add a widget filter to be a global filter—Hover over the attribute and click the arrow icon to the right
of the attribute. This option allows you to elevate a local filter used in a widget and apply the attribute
globally to update the display across all tabs on the ACC.
• Define a global filter—Define a filter using the Global Filters pane on the ACC.

• Set a local filter.
1. Select a widget and click Filter ( ).
2. Add ( ) filters you want to apply.
3. Click Apply. These filters are persistent across reboots.
You can also click an attribute in the table below the graph to apply it as a local filter.

The number of local filters applied on a widget is indicated next to the widget name.

• Set a global filter from a table.


Hover over an attribute in a table and click the arrow that appears to the right of the attribute.

• Set a global filter using the Global Filters pane.

Add ( ) filters you want to apply.

• Promote a local filter to a global filter.


1. On any table in a widget, select an attribute. This sets the attribute as a local filter.
2. To promote the filter to a global filter, hover over the attribute and click the arrow to the right of the
attribute.

• Remove a filter.
Click Remove ( ) to remove a filter.
• Global filters—Located in the Global Filters pane.
• Local filters—Click Filter ( ) to bring up the Set Local Filters dialog and then select the filter and
remove it.

• Clear all filters.
• Global filters—Clear all Global Filters.
• Local filters—Select a widget and click Filter ( ). Then Clear all in the Set Local Filters widget.

• Negate filters.
Select an attribute and Negate ( ) a filter.
• Global filters—Located in the Global Filters pane.
• Local filters—Click Filter ( ) to bring up the Set Local Filters dialog, add a filter, and then negate it.

• View what filters are in use.
• Global filters—The number of global filters applied is displayed on the left pane under Global Filters.
• Local filters—The number of local filters applied on a widget is displayed next to the widget name.
To view the filters, click Set Local Filters.

Monitor
The following topics describe the firewall reports and logs you can use to monitor activity on
your network:

> Monitor > Logs
> Monitor > External Logs
> Monitor > Automated Correlation Engine
> Monitor > Packet Capture
> Monitor > App Scope
> Monitor > Session Browser
> Monitor > Block IP List
> Monitor > Botnet
> Monitor > PDF Reports
> Monitor > Manage Custom Reports
> Monitor > Reports

Monitor > Logs
The following topics provide additional information about monitoring logs.

What do you want to know? See:

Tell me about the different types of logs. Log Types

Filter logs. Log Actions
Export logs. Log Actions
View details for individual log entries. Log Actions
Modify the log display. Log Actions

Looking for more? Monitor and manage logs.

Log Types
• Monitor > Logs
The firewall displays all logs so that role-based administration permissions are respected. Only the
information that you are permitted to see is visible, which varies depending on the types of logs you are
viewing. For information on administrator permissions, see Device > Admin Roles.

Log Type Description

Traffic Displays an entry for the start and end of each session. Each
entry includes the date and time, source and destination zones,
addresses and ports, application name, security rule name applied
to the flow, rule action (allow, deny, or drop), ingress and egress
interface, number of bytes, and session end reason.
The Type column indicates whether the entry is for the start or
end of the session, or whether the session was denied or dropped.
A “drop” indicates that the security rule that blocked the traffic
specified “any” application, while a “deny” indicates the rule
identified a specific application.
If traffic is dropped before the application is identified, such as
when a rule drops all traffic for a specific service, the application is
shown as “not-applicable”.
Drill down in traffic logs for more details on individual entries,
artifacts, and actions:

• Click Details ( ) to view additional details about the session,
such as whether an ICMP entry aggregates multiple sessions
between the same source and destination (the Count value will
be greater than one).
• On a firewall with an active AutoFocus™ license, hover next to
an IP address, filename, URL, user agent, threat name, or hash
contained in a log entry and click the drop-down ( ) to open
the AutoFocus Intelligence Summary for that artifact.
• To add a device to the quarantine list (Device > Device
Quarantine), open the Host ID drop-down for the device and
Block Device (in the pop-up dialog).

Threat Displays an entry for each security alarm generated by the firewall.
Each entry includes the date and time, a threat name or URL, the
source and destination zones, addresses, and ports, the application
name, security rule name applied to the flow, and the alarm action
(allow or block) and severity.
The Type column indicates the type of threat, such as “virus” or
“spyware;” the Name column is the threat description or URL; and
the Category column is the threat category (such as “keylogger”) or
URL category.
Drill down in threat logs for more details on individual entries,
artifacts, and actions:

• Click Details ( ) to view additional details about the threat,
such as whether the entry aggregates multiple threats of the
same type between the same source and destination (the Count
value will be greater than one).
• On a firewall with an active AutoFocus license, hover next to
an IP address, filename, URL, user agent, threat name, or hash
contained in a log entry and click the drop-down ( ) to open
the AutoFocus Intelligence Summary for that artifact.

• If local packet captures are enabled, click Download ( ) to
access captured packets. To enable local packet captures, refer
to the subsections under Objects > Security Profiles.
• To view more details about a threat or to quickly configure
threat exemptions directly from the threat logs, click the threat
name in the Name column. The Exempt Profiles list shows all
custom Antivirus, Anti-spyware, and Vulnerability protection
profiles. To configure an exemption for a threat signature,
select the check box to the left of the security profile name and
save your change. To add exemptions for IP Addresses (up to
100 IP addresses per signature), highlight the security profile,
add the IP address(es) in the Exempt IP Addresses section and
click OK to save. To view or modify the exemption, go to the
associated security profile and click the Exceptions tab. For
example, if the threat type is vulnerability, select Objects >
Security Profiles > Vulnerability Protection, click the associated
profile then click the Exceptions tab.
• To add a device to the quarantine list (Device > Device
Quarantine), open the Host ID drop-down for the device and
Block Device (in the pop-up dialog).

URL Filtering Displays logs for URL filters, which control access to websites and
whether users can submit credentials to websites.

Select Objects > Security Profiles > URL Filtering to define URL
filtering settings, including which URL categories to block or allow
and to which you want to grant or disable credential submissions.
You can also enable logging of the HTTP header options for the
URL.
On a firewall with an active AutoFocus license, hover next to an IP
address, filename, URL, user agent, threat name, or hash contained
in a log entry and click the drop-down ( ) to open the AutoFocus
Intelligence Summary for that artifact.

WildFire Submissions Displays logs for files and email links that the firewall forwarded
for WildFire™ analysis. The WildFire cloud analyzes the sample
and returns analysis results, which include the WildFire verdict
assigned to the sample (benign, malware, grayware, or phishing).
You can confirm if the firewall allowed or blocked a file based on
Security policy rules by viewing the Action column.
On a firewall with an active AutoFocus license, hover next to an IP
address, filename, URL, user agent, threat name, or hash (in the File
Digest column) contained in a log entry and click the drop-down
( ) to open the AutoFocus Intelligence Summary for the artifact.

Data Filtering Displays logs for the security policies with attached Data Filtering
profiles, to help prevent sensitive information such as credit card
or social security numbers from leaving the area protected by the
firewall, and File Blocking profiles, that prevent certain file types
from being uploaded or downloaded.
To configure password protection for access to the details for a log
entry, click ( ). Enter the password and click OK. Refer to Device >
Response Pages for instructions on changing or deleting the data
protection password.

The system prompts you to enter the password only once per session.

HIP Match Displays all HIP matches that the GlobalProtect™ gateway
identifies when comparing the raw HIP data reported by the agent
to the defined HIP objects and HIP profiles. Unlike other logs, a
HIP match is logged even when it does not match a security policy.
For more information, refer to Network > GlobalProtect > Portals.
To add a device to the quarantine list (Device > Device
Quarantine), open the Host ID drop-down for the device and
Block Device (in the pop-up dialog).

GlobalProtect Displays GlobalProtect connection logs. Use this information to
identify your GlobalProtect users and their client OS version,
troubleshoot connection and performance issues, and identify the
portal and gateways to which users connect.
To add a device to the quarantine list (Device > Device
Quarantine), open the Host ID drop-down for the device and
Block Device (in the pop-up dialog).

IP-Tag Displays information about how and when a tag was applied to a
particular IP address. Use this information to determine when and
why a particular IP address was placed in an address group and
what policy rules impact that address. The log includes Receive
Time (the date and time when the first and last packet of the
session arrived), Virtual System, Source IP-Address, Tag, Event,
Timeout, Source Name, and Source Type.

User-ID™ Displays information about IP address-to-username mappings,
such as the source of the mapping information, when the User-
ID agent performed the mapping, and the remaining time before
mappings expire. You can use this information to help troubleshoot
User-ID issues. For example, if the firewall is applying the wrong
policy rule for a user, you can view the logs to verify whether that
user is mapped to the correct IP address and whether the group
associations are correct.

Decryption Displays information about decryption sessions and undecrypted
sessions for traffic that a No Decryption profile controls, including
GlobalProtect sessions.
By default, the logs show information about unsuccessful SSL
Decryption handshakes. You can enable logging for successful
SSL Decryption handshakes in Decryption Policy rules Options.
Logs display a wealth of information that enables you to identify
weak protocols and cipher suites (key exchange, encryption,
and authentication algorithms), bypassed decryption activity,
decryption failures and their causes (e.g., incomplete certificate
chain, client authentication, pinned certificates), session end
reasons, and more. For example, use the information to determine
whether you want to allow sites that use weak protocols and
algorithms. It may be better to block weak sites that you don’t
need to access for business purposes.
For traffic the firewall doesn’t decrypt and to which you apply a
No Decryption profile, the log shows sessions blocked because of
server certificate verification issues.
The default Decryption Log size is 32 MB. However, if you decrypt
a lot of traffic or if you enable logging successful SSL Decryption
handshakes, you will probably need to increase the log size
(Device > Setup > Management > Logging and Reporting Settings
and edit the Log Storage quotas). If you don’t have unallocated log
space, consider tradeoffs between Decryption Log size and other
log sizes. The more you log, the more resources the logs consume.

GTP Displays event-based logs that include information on the wide
range of GTP attributes. These include GTP event type, GTP event
message type, APN, IMSI, IMEI, End User IP address, in addition to
the TCP/IP information that the next-generation firewall identifies
such as application, source and destination address and timestamp.

Tunnel Inspection Displays an entry for the start and end of each inspected tunnel
session. The log includes the Receive Time (date and time the first
and last packet in the session arrived), Tunnel ID, Monitor Tag,
Session ID, Security rule applied to the tunnel traffic, and more.
See Policies > Tunnel Inspection for more information.

SCTP Displays SCTP events and associations based on logs generated
by the firewall while it performs stateful inspection, protocol
validation, and filtering of SCTP traffic. SCTP logs include
information on the wide range of SCTP and its payload protocol
attributes, such as SCTP event type, chunk type, SCTP cause
code, Diameter Application ID, Diameter Command Code, and
chunks. This SCTP information is provided in addition to the
general information that the firewall identifies, such as source
and destination address, source and destination port, rule, and
timestamp. See Objects > Security Profiles > SCTP Protection for
more information.

Configuration Displays an entry for each configuration change. Each entry
includes the date and time, the administrator username, the IP
address from where the change was made, the type of client (web
interface or CLI), the type of command executed, whether the
command succeeded or failed, the configuration path, and the
values before and after the change.

System Displays an entry for each system event. Each entry includes the
date and time, the event severity, and an event description.

Alarms The alarms log records detailed information on alarms that are
generated by the system. The information in this log is also
reported in Alarms. Refer to Define Alarm Settings.

Authentication Displays information about authentication events that occur
when end users try to access network resources for which access
is controlled by Authentication policy rules. You can use this
information to help troubleshoot access issues and to adjust your
Authentication policy as needed. In conjunction with correlation
objects, you can also use Authentication logs to identify suspicious
activity on your network, such as brute force attacks.
Optionally, you can configure Authentication rules to Log
Authentication Timeouts. These timeouts relate to the period of
time when a user needs to authenticate for a resource only once but
can access it repeatedly. Seeing information about the timeouts
helps you decide if and how to adjust them.

System logs record authentication events relating
to GlobalProtect and to administrator access to the
web interface.


Unified Displays the latest Traffic, Threat, URL Filtering, WildFire
Submissions, and Data Filtering log entries in a single view. The
collective log view enables you to investigate and filter these
different types of logs together (instead of searching each log set
separately). Or, you can choose which log types to display: click
the arrow to the left of the filter field and select traffic, threat, url,
data, and/or wildfire to display only the selected log types.
On a firewall with an active AutoFocus license, hover next to an IP
address, filename, URL, user agent, threat name, or hash contained
in a log entry and click the drop-down ( ) to open the AutoFocus
Intelligence Summary for that artifact.
The firewall displays all logs so that role-based administration
permissions are respected. When viewing Unified logs, only the
logs that you have permission to see are displayed. For example,
an administrator who does not have permission to view WildFire
Submissions logs will not see WildFire Submissions log entries
when viewing Unified logs. For information on administrator
permissions, refer to Device > Admin Roles.

You can use the Unified log set with the AutoFocus
threat intelligence portal. Set up an AutoFocus
search to add AutoFocus search filters directly to
the Unified log filter field.

To add a device to the quarantine list (Device > Device Quarantine),
open the Host ID drop-down for the device and Block Device (in the
pop-up dialog).

Log Actions
The following table describes log actions.

Action Description

Filter Logs Each log page has a filter field at the top of the page. You can add artifacts to the field,
such as an IP address or a time range, to find matching log entries. The icons to the
right of the field enable you to apply, clear, create, save, and load filters.

• Create a filter:
• Click an artifact in a log entry to add that artifact to the filter.
• Click Add ( ) to define new search criteria. For each criterion, select the
Connector that defines the search type (and or or), the Attribute on which to
base the search, an Operator to define the scope of the search, and a Value for
evaluation against log entries. Add each criterion to the filter field and Close
when you finish. You can then apply ( ) the filter.

If the Value string matches an Operator (such as has or in),
enclose the string in quotation marks to avoid a syntax error.
For example, if you filter by destination country and use IN
as a Value to specify INDIA, enter the filter as ( dstloc eq
"IN" ).

The log filter (receive_time in last-60-seconds) causes the number of
log entries (and log pages) displayed to grow or shrink over time.

Apply filters—Click Apply Filter ( ) to display log entries that match the current
filter.

Delete filters—Click Clear Filter ( ) to clear the filter field.

Save a filter—Click Save Filter ( ), enter a name for the filter, and click OK.

Use a saved filter—Click Load Filter ( ) to add a saved filter to the filter field.
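As an added illustration of the filter syntax described above (this is a constructed model written for this page, not code from the help or from PAN-OS), the following Python evaluator parses criteria of the form ( attribute operator value ) joined by and/or, applies them to a few constructed log entries, and treats an unquoted value such as IN as the syntax error the note warns about. The attribute names in the sample entries and the exact grammar are assumptions.

```python
"""Simplified evaluator for PAN-OS style log filter expressions.

Constructed, simplified model of the grammar (not the firewall's parser):
criteria of the form ( attribute operator value ) joined by the connectors
'and' / 'or', with the operators eq, has and in (the last one used for
receive_time against last-N-seconds style values).
"""
import re
from datetime import datetime, timedelta

OPERATORS = {"eq", "has", "in"}
CONNECTORS = {"and", "or"}
# A token is a parenthesis, a double-quoted string, or a bare word.
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')
LAST_RE = re.compile(r"last-(\d+)-(seconds|minutes|hours|days)")


class FilterSyntaxError(ValueError):
    """Raised for malformed filters, including unquoted values such as IN."""


def parse(expr):
    """Parse a filter string into a tree of ('crit', attr, op, value) and
    ('and'|'or', left, right) nodes. Connectors bind left to right."""
    tokens = TOKEN_RE.findall(expr)
    pos = 0

    def criterion():
        nonlocal pos
        if pos + 4 >= len(tokens) or tokens[pos] != "(" or tokens[pos + 4] != ")":
            raise FilterSyntaxError("expected ( attribute operator value )")
        attr, op, value = tokens[pos + 1:pos + 4]
        if op not in OPERATORS:
            raise FilterSyntaxError("unknown operator %r" % op)
        # The case the help text warns about: an unquoted value that spells
        # an operator or connector (IN for India) is a syntax error.
        if value.lower() in OPERATORS | CONNECTORS:
            raise FilterSyntaxError("value %r matches an operator; quote it" % value)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pos += 5
        return ("crit", attr, op, value)

    node = criterion()
    while pos < len(tokens):
        conn = tokens[pos].lower()
        if conn not in CONNECTORS:
            raise FilterSyntaxError("expected and/or, got %r" % tokens[pos])
        pos += 1
        node = (conn, node, criterion())
    return node


def evaluate(node, entry, now):
    """Evaluate a parsed filter against one log entry (a dict)."""
    if node[0] in CONNECTORS:
        _, left, right = node
        if node[0] == "and":
            return evaluate(left, entry, now) and evaluate(right, entry, now)
        return evaluate(left, entry, now) or evaluate(right, entry, now)
    _, attr, op, value = node
    actual = entry.get(attr)
    if actual is None:
        return False
    if op == "eq":
        return str(actual) == value
    if op == "has":
        return value in str(actual)
    # 'in' with a relative window, e.g. receive_time in last-60-seconds
    match = LAST_RE.fullmatch(value)
    if match is None or not isinstance(actual, datetime):
        raise FilterSyntaxError("'in' expects a time attribute and a last-N-unit value")
    count, unit = int(match.group(1)), match.group(2)
    return now - timedelta(**{unit: count}) <= actual <= now


def filter_logs(expr, entries, now):
    """Return the entries that match the filter, as Apply Filter would."""
    tree = parse(expr)
    return [e for e in entries if evaluate(tree, e, now)]


def is_syntax_error(expr):
    """True if the filter fails to parse (the web UI would report an error)."""
    try:
        parse(expr)
    except FilterSyntaxError:
        return True
    return False


NOW = datetime(2021, 10, 6, 12, 0, 0)
# Constructed sample entries; field names are assumptions, not firewall output.
SAMPLE_LOGS = [
    {"receive_time": NOW - timedelta(seconds=10), "app": "ssl",
     "dstloc": "IN", "url": "example.in/login"},
    {"receive_time": NOW - timedelta(seconds=45), "app": "web-browsing",
     "dstloc": "US", "url": "example.com/"},
    {"receive_time": NOW - timedelta(minutes=5), "app": "ssl",
     "dstloc": "IN", "url": "example.in/"},
]

if __name__ == "__main__":
    for expr in ['( dstloc eq "IN" )',
                 '( receive_time in last-60-seconds ) and ( dstloc eq "IN" )']:
        print(expr, "->", len(filter_logs(expr, SAMPLE_LOGS, NOW)), "entries")
    print("unquoted IN is a syntax error:", is_syntax_error("( dstloc eq IN )"))
```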

Export Logs
Click Export to CSV ( ) to export all logs matched to the current filter to a CSV-
formatted report and continue to Download file. By default, the report contains up to
2,000 lines of logs. To change the line limit for generated CSV reports, select Device >
Setup > Management > Logging and Reporting Settings > Log Export and Reporting
and enter a new Max Rows in CSV Export value.

Highlight Policy Actions Select to highlight log entries that match the action. The filtered logs are highlighted in
the following colors:
• Green—Allow
• Yellow—Continue, or override
• Red—Deny, drop, drop-icmp, rst-client, reset-server, reset-both, block-continue,
block-override, block-url, drop-all, sinkhole

Change Log Display To customize the log display:
• Change the automatic refresh interval—Select an interval from the interval drop-
down (60 seconds, 30 seconds, 10 seconds, or Manual).
• Change the number and order of entries displayed per page—Log entries are
retrieved in blocks of 10 pages.
• Use the paging controls at the bottom of the page to navigate through the log
list.
• To change the number of log entries per page, select the number of rows from
the per page drop-down (20, 30, 40, 50, 75, or 100).
• To sort the results in ascending or descending order, use the ASC or DESC drop-
down.
• Resolve IP addresses to domain names—Select Resolve Hostname to begin resolving
external IP addresses to domain names.
• Change the order in which logs are displayed—Select DESC to display logs in
descending order beginning with log entries with the most recent Receive Time.
Select ASC to display logs in ascending order beginning with log entries with the
oldest Receive Time.


View Details for Individual Log Entries To view information about individual log entries:
• To display additional details, click Details ( ) for an entry. If the source or
destination has an IP address to domain or username mapping defined in the
Addresses page, the name is presented instead of the IP address. To view the
associated IP address, move your cursor over the name.
• On a firewall with an active AutoFocus license, hover next to an IP address,
filename, URL, user agent, threat name, or hash contained in a log entry and click the
drop-down ( ) to open the AutoFocus Intelligence Summary for the artifact.

Monitor > External Logs
Use this page to view logs ingested from the Traps™ Endpoint Security Manager (ESM) into Log Collectors
that are managed by Panorama™. To view Traps ESM logs on Panorama, do the following:
• On the Traps ESM server, configure Panorama as a Syslog server and select the logging events to
forward to Panorama. The events can include security events, policy changes, agent and ESM Server
status changes, and changes to configuration settings.
• On a Panorama that is deployed in Panorama mode with one or more Managed Log Collectors, set up
a log ingestion profile (Panorama > Log Ingestion Profile) and attach the profile to a Collector Group
(Panorama > Collector Groups) in which to store the Traps ESM logs.
External logs are not associated with a device group and are visible only when you select Device Group: All
because the logs are not forwarded from firewalls.

Log Type Description

Monitor > External These threat events include all prevention, notification, provisional, and post-
Logs > Traps ESM > detection events that are reported by the Traps agents.
Threat

Monitor > External ESM Server system events include changes related to ESM status, licenses,
Logs > Traps ESM > ESM Tech Support files, and communication with WildFire.
System

Monitor > External Policy change events include changes to rules, protection levels, content
Logs > Traps ESM > updates, hash control logs, and verdicts.
Policy

Monitor > External Agent change events occur on the endpoint and include changes to content
Logs > Traps ESM > updates, licenses, software, connection status, one-time action rules,
Agent processes and services, and quarantined files.

Monitor > External ESM configuration change events include system-wide changes to licensing,
Logs > Traps ESM > administrative users and roles, processes, restriction settings, and conditions.
Config

Panorama can correlate discrete security events on the endpoints with events on the network to trace any
suspicious or malicious activity between the endpoints and the firewall. To view correlated events that
Panorama identifies, see Monitor > Automated Correlation Engine > Correlated Events.

Monitor > Automated Correlation Engine
The automated correlation engine tracks patterns on your network and correlates events that indicate an
escalation in suspicious behavior or events that amount to malicious activity. The engine functions as your
personal security analyst who scrutinizes isolated events across the different sets of logs on the firewall,
queries the data for specific patterns, and connects the dots so that you have actionable information.
The correlation engine uses correlation objects that generate correlated events. Correlated events collate
evidence to help you trace commonality across seemingly unrelated network events and provide the focus
for incident response.
The following models support the automated correlation engine:
• Panorama—M-Series appliances and virtual appliances
• PA-3200 Series firewalls
• PA-5200 Series firewalls
• PA-7000 Series firewalls

What do you want to know? See:

What are correlation objects? Monitor > Automated Correlation Engine > Correlation Objects

What is a correlated event? Where do I see the match evidence for a correlation match? Monitor > Automated Correlation Engine > Correlated Events

How can I see a graphical view of correlation matches? See the Compromised Hosts widget in ACC.

Looking for more? Use the Automated Correlation Engine

Monitor > Automated Correlation Engine > Correlation Objects


To counter the advances in exploits and malware distribution methods, correlation objects extend the
signature-based malware detection capabilities on the firewall. They provide the intelligence for identifying
suspicious behavior patterns across different sets of logs and they gather the evidence required to
investigate and promptly respond to an event.
A correlation object is a definition file that specifies patterns for matching, the data sources to use for
performing the lookups, and the time period within which to look for these patterns. A pattern is a boolean
structure of conditions that query the data sources, and each pattern is assigned a severity and a threshold,
which is the number of times the pattern match occurs within a defined time limit. When a pattern match
occurs, a correlation event is logged.
The data sources used for performing lookups can include the following logs: application statistics, traffic,
traffic summary, threat summary, threat, data filtering, and URL filtering. For example, the definition for a
correlation object can include a set of patterns that query the logs for evidence of infected hosts, evidence
of malware patterns, or for lateral movement of malware in the traffic, url filtering, and threat logs.
Correlation objects are defined by Palo Alto Networks® and are packaged with content updates. You must
have a valid threat prevention license to get content updates.
By default, all correlation objects are enabled. To disable an object, select the object and Disable it.
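To make the threshold-within-a-time-limit behavior concrete, the following is an added Python model written for this page (not the Palo Alto Networks object format or the engine itself). It runs hypothetical patterns over constructed log entries, keeps a sliding window of matches per source address, and emits correlated events carrying the Match Time, Update Time, Object Name, Source Address, Severity and Summary fields described below; the patterns, log field names and the 6000-series ID are assumptions.

```python
"""Minimal model of correlation-object matching.

Constructed, simplified example; not the Palo Alto Networks object format or
engine. A pattern is a boolean condition over a log entry plus a severity and
a threshold (matches required within a time limit). When a pattern reaches
its threshold for a source address, a correlated event is logged; later
matches refresh Update Time and can escalate Severity. Log field names and
the 6000-series object ID are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Pattern:
    name: str
    condition: Callable[[dict], bool]  # boolean structure of conditions
    threshold: int                     # matches required ...
    time_limit: timedelta              # ... within this time limit
    severity: str


@dataclass
class CorrelationObject:
    object_id: int                     # number in the 6000 series
    name: str
    patterns: List[Pattern]


@dataclass
class CorrelatedEvent:
    match_time: datetime
    update_time: datetime
    object_name: str
    source_address: str
    severity: str
    summary: str
    evidence: List[dict] = field(default_factory=list)


def correlate(obj: CorrelationObject, logs: List[dict]) -> Dict[str, CorrelatedEvent]:
    """Replay time-ordered logs through every pattern, keeping a sliding
    window of matches per (source, pattern); return events keyed by source."""
    events: Dict[str, CorrelatedEvent] = {}
    windows: Dict[Tuple[str, str], List[dict]] = {}
    for entry in sorted(logs, key=lambda e: e["receive_time"]):
        src, ts = entry["src"], entry["receive_time"]
        for pat in obj.patterns:
            if not pat.condition(entry):
                continue
            win = windows.setdefault((src, pat.name), [])
            win.append(entry)
            while ts - win[0]["receive_time"] > pat.time_limit:
                win.pop(0)  # evidence older than the time limit no longer counts
            if len(win) < pat.threshold:
                continue
            summary = f"{pat.name}: {len(win)} match(es) within {pat.time_limit}"
            ev = events.get(src)
            if ev is None:
                events[src] = CorrelatedEvent(ts, ts, obj.name, src, pat.severity,
                                              summary, list(win))
            else:
                ev.update_time, ev.summary = ts, summary  # further evidence
                ev.evidence.append(entry)
                if SEVERITY_RANK[pat.severity] > SEVERITY_RANK[ev.severity]:
                    ev.severity = pat.severity  # escalation path
    return events


T0 = datetime(2021, 10, 6, 9, 0, 0)


def _log(minutes, log_type, src, category):
    """Build a constructed sample log entry 'minutes' after T0."""
    return {"receive_time": T0 + timedelta(minutes=minutes), "log_type": log_type,
            "src": src, "category": category}


# Hypothetical correlation object: three malware-category URL hits within ten
# minutes, or a single spyware threat, from the same source address.
DEMO_OBJECT = CorrelationObject(6000, "demo-compromised-host", [
    Pattern("malware-url-visits",
            lambda e: e["log_type"] == "url" and e["category"] == "malware",
            threshold=3, time_limit=timedelta(minutes=10), severity="medium"),
    Pattern("spyware-detected",
            lambda e: e["log_type"] == "threat" and e["category"] == "spyware",
            threshold=1, time_limit=timedelta(minutes=10), severity="high"),
])

SAMPLE_LOGS = [  # constructed, not real firewall logs
    _log(0, "url", "10.1.1.5", "malware"), _log(1, "url", "10.1.1.5", "malware"),
    _log(2, "url", "10.1.1.5", "malware"),     # third hit: event logged, medium
    _log(3, "threat", "10.1.1.5", "spyware"),  # escalates the same event to high
    _log(0, "url", "10.1.1.9", "malware"), _log(5, "url", "10.1.1.9", "malware"),
    _log(1, "url", "10.1.1.9", "business"),    # two hits only: below threshold
    _log(0, "url", "10.1.1.20", "malware"), _log(30, "url", "10.1.1.20", "malware"),
    _log(60, "url", "10.1.1.20", "malware"),   # never three inside ten minutes
]

if __name__ == "__main__":
    for src, ev in correlate(DEMO_OBJECT, SAMPLE_LOGS).items():
        print(src, ev.severity, ev.match_time, ev.update_time, ev.summary)
```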

Correlation Object Fields Description

Name and Title The label indicates the type of activity that the correlation object detects.

ID A unique number identifies the correlation object. This number is in the 6000 series.

Category A summary of the kind of threat or harm posed to the network, user, or host.

State The state indicates whether the correlation object is enabled (active) or disabled
(inactive).

Description The description specifies the match conditions for which the firewall or Panorama will
analyze logs. It describes the escalation pattern or progression path that will be used
to identify malicious activity or suspicious host behavior.

Monitor > Automated Correlation Engine > Correlated Events


Correlated events expand the threat detection capabilities on the firewall and Panorama; the correlated
events gather evidence of suspicious or unusual behavior of users or hosts on the network.
The correlation object makes it possible to pivot on certain conditions or behaviors and trace commonalities
across multiple log sources. When the set of conditions specified in a correlation object are observed on the
network, each match is logged as a correlated event.
The correlated event includes the details listed in the following table.

Field Description

Match Time The time the correlation object triggered a match.

Update Time The timestamp when the match was last updated.

Object Name The name of the correlation object that triggered the match.

Source Address The IP address of the user from whom the traffic originated.

Source User The user and user group information from the directory server, if User-ID™ is
enabled.

Severity A rating that classifies the risk based on the extent of damage caused.

Summary A description that summarizes the evidence gathered on the correlated event.

Host ID The Host ID of the device.


To add a device to the quarantine list (Device > Device Quarantine), click the down
arrow next to the device’s Host ID and select Block Device in the pop-up window
that displays.

To view the detailed log view, click Details ( ) for an entry. The detailed log view includes all the evidence
for a match:

Tab Description

Match Information Object Details—Presents information on the correlation object that triggered the
match. For information on correlation objects, see Monitor > Automated Correlation
Engine > Correlation Objects.

Match Details—A summary of the match details that includes the match time, last
update time on the match evidence, severity of the event, and an event summary.

Match Evidence This tab includes all the evidence that corroborates the correlated event. It lists detailed
information on the evidence collected for each session.

To see a graphical display of the information in the Correlated Events tab, see the Compromised Hosts widget
on the ACC > Threat Activity tab. In the Compromised Hosts widget, the display is aggregated by source
user and IP address and sorted by severity.
To configure notifications when a correlated event is logged, go to the Device > Log Settings or
Panorama > Log Settings tab.

Monitor > Packet Capture
All Palo Alto Networks firewalls have a built-in packet capture (pcap) feature you can use to capture packets
that traverse the network interfaces on the firewall. You can then use the captured data for troubleshooting
purposes or to create custom application signatures.

The packet capture feature is CPU-intensive and can degrade firewall performance. Only
use this feature when necessary and make sure to turn it off after you collect the required
packets.

What do you want to know? See:

What are the different methods the firewall can use to capture packets? Packet Capture Overview

How do I generate a custom packet capture? Building Blocks for a Custom Packet Capture

How do I generate packet captures when the firewall detects a threat? Enable Threat Packet Capture

Where do I download a packet capture? Packet Capture Overview

Looking for more?

• Turn on extended packet capture for security profiles. Device > Setup > Content-ID

• Use packet capture to write custom application signatures. See Custom Signatures.

• Prevent a firewall admin from viewing packet captures. Define Web Interface Administrator Access.

• See an example. See Take Packet Captures.

Packet Capture Overview


You can configure a Palo Alto Networks firewall to perform a custom packet capture or a threat packet
capture.
• Custom Packet Capture—Capture packets for all traffic or traffic based on filters you define. For
example, you can configure the firewall to capture only packets to and from a specific source and
destination IP address or port. Use these packet captures to troubleshoot network traffic-related issues
or to gather application attributes to write custom application signatures (Monitor > Packet Capture).
You define the file name based on the stage (Drop, Firewall, Receive, or Transmit) and, after the PCAP is
complete, you download the PCAP in the Captured Files section.

• Threat Packet Capture—Capture packets when the firewall detects a virus, spyware, or vulnerability.
You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. These
packet captures provide context around a threat to help you determine if an attack is successful or to
learn more about the methods used by an attacker. The action for the threat must be set to either allow
or alert; otherwise, the threat is blocked and packets cannot be captured. You configure this type of
packet capture in the Objects > Security Profiles. To download ( ) pcaps, select Monitor > Threat.

Building Blocks for a Custom Packet Capture


The following table describes the components of the Monitor > Packet Capture page that you use to
configure packet captures, enable packet capture, and to download packet capture files.

Custom Packet Capture Building Blocks Configured In Description

Manage Filters Configure Filtering When enabling custom packet captures, you should
define filters so that only the packets that match the
filters are captured. This will make it easier to locate the
information you need in the pcaps and will reduce the
processing power required by the firewall to perform
the packet capture.
Click Add to add a new filter and configure the
following fields:
• Id—Enter or select an identifier for the filter.
• Ingress Interface—Select the ingress interface on
which you want to capture traffic.
• Source—Specify the source IP address of the traffic
to capture.
• Destination—Specify the destination IP address of
the traffic to capture.

• Src Port—Specify the source port of the traffic to
capture.
• Dest Port—Specify the destination port of the traffic
to capture.
• Proto—Specify the protocol number to filter (1-255).
For example, ICMP is protocol number 1.
• Non-IP—Choose how to treat non-IP traffic (exclude
all IP traffic, include all IP traffic, include only IP
traffic, or do not include an IP filter). Broadcast and
AppleTalk are examples of Non-IP traffic.
• IPv6—Select this option to include IPv6 packets in
the filter.

Filtering Configure Filtering After defining filters, set the Filtering to ON. If filtering
is OFF, then all traffic is captured.

Pre-Parse Match Configure Filtering This option is for advanced troubleshooting purposes.
After a packet enters the ingress port, it proceeds
through several processing steps before it is parsed for
matches against pre-configured filters.
It is possible for a packet, due to a failure, to not reach
the filtering stage. This can occur, for example, if a route
lookup fails.
Set the Pre-Parse Match setting to ON to emulate a
positive match for every packet entering the system.
This allows the firewall to capture packets that do not
reach the filtering process. If a packet is able to reach
the filtering stage, it is then processed according to
the filter configuration and discarded if it fails to meet
filtering criteria.

Packet Capture Configure Capturing Click the toggle switch to turn packet capture ON or
OFF.
You must select at least one capture stage. Click Add
and specify the following:
• Stage—Indicate the point at which to capture
packets:
• drop—When packet processing encounters an
error and the packet is dropped.
• firewall—When the packet has a session match
or a first packet with a session is successfully
created.
• receive—When the packet is received on the
dataplane processor.
• transmit—When the packet is transmitted on the
dataplane processor.

• File—Specify the capture file name. The file name
should begin with a letter and can include letters,
digits, periods, underscores, or hyphens.
• Packet Count—Specify the maximum number of
packets, after which capturing stops.
• Byte Count—Specify the maximum number of bytes,
after which capturing stops.

Captured Files Captured Files Contains a list of custom packet captures previously
generated by the firewall. Click a file to download it to
your computer. To delete a packet capture, select the
packet capture and then Delete it.
• File Name—Lists the packet capture files. The file
names are based on the file name you specify for the
capture stage.
• Date—Date the file was generated.
• Size (MB)—The size of the capture file.
After you turn on packet capture and then turn it off,
you must click Refresh ( ) before any new PCAP files
display in this list.

Clear All Settings Settings Click Clear All Settings to turn off packet capture and to
clear all packet capture settings.

This does not turn off packet capture set in a security profile. For
information on enabling packet capture on a security profile, see
Enable Threat Packet Capture.

Enable Threat Packet Capture


• Objects > Security Profiles
To enable the firewall to capture packets when it detects a threat, enable the packet capture option in the
security profile.
First select Objects > Security Profiles and then modify the desired profile as described in the following
table:

Packet Capture Options in Security Profiles Location

Antivirus Select a custom antivirus profile and, in the Antivirus tab, select Packet Capture.


Anti-Spyware Select a custom Anti-Spyware profile, click the DNS Signatures tab and, in the
Packet Capture drop-down, select single-packet or extended-capture.

Vulnerability Protection Select a custom Vulnerability Protection profile and, in the Rules tab, click Add to
add a new rule or select an existing rule. Then select the Packet Capture drop-down
and select single-packet or extended-capture.

In Anti-Spyware and Vulnerability Protection profiles, you can also enable packet capture on
exceptions. Click the Exceptions tab and in the Packet Capture column for a signature, click
the drop-down and select single-packet or extended-capture.

(Optional) To define the length of a threat packet capture based on the number of packets captured (which
is based on a global setting), select Device > Setup > Content-ID and, in the Content-ID™ Settings section,
modify the Extended Packet Capture Length (packets) field (range is 1-50; default is 5).
After you enable packet capture on a security profile, you need to verify that the profile is part of a security
rule. For information on how to add a security profile to a security rule, see Security Policy Overview.
Each time the firewall detects a threat when packet capture is enabled on the security profile, you can
download ( ) or export the packet capture.

Monitor > App Scope
The following topics describe App Scope features.
• App Scope Overview
• App Scope Summary Report
• App Scope Change Monitor Report
• App Scope Threat Monitor Report
• App Scope Threat Map Report
• App Scope Network Monitor Report
• App Scope Traffic Map Report

App Scope Overview


The App Scope reports provide graphical visibility into the following aspects of your network:
• Changes in application usage and user activity
• Users and applications that take up most of the network bandwidth
• Network threats
With the App Scope reports, you can quickly see whether any behavior is unusual or unexpected, and they
help you pinpoint problematic behavior; each report provides a dynamic, user-customizable window into the
network. The reports include options to select the data and ranges to display. On Panorama, you can also
select the Data Source for the information that is displayed. The default data source (on new Panorama
installations) uses the local database on Panorama, which stores logs forwarded by the managed firewalls;
on an upgrade, the default data source is the Remote Device Data (managed firewall data). To fetch and
display an aggregated view of the data directly from the managed firewalls, you have to switch the
source from Panorama to Remote Device Data.
Hovering the mouse over and clicking either the lines or bars on the charts switches to the ACC and
provides detailed information about the specific application, application category, user, or source.

Application Command Center Charts Description

Summary App Scope Summary Report

Change Monitor App Scope Change Monitor Report

Threat Monitor App Scope Threat Monitor Report

Threat Map App Scope Threat Map Report

Network Monitor App Scope Network Monitor Report

Traffic Map App Scope Traffic Map Report

App Scope Summary Report


The Summary report displays charts for the top five gainers, losers, and bandwidth consuming applications,
application categories, users, and sources.

To export the charts in the summary report as a PDF, click Export ( ). Each chart is saved as a page in the
PDF output.
App Scope Summary Report

App Scope Change Monitor Report


The Change Monitor report displays changes over a specified time period. For example, the figure below
displays the top applications that gained in use over the last hour as compared with the last 24-hour period.
The top applications are determined by session count and sorted by percentage.
App Scope Change Monitor Report

This report contains the following options.

Change Monitor Report Options Description

Top Bar

Top 10 Determines the number of records with the highest measurement included in the chart.

Application Determines the type of item reported: Application, Application Category, Source, or Destination.

Gainers Displays measurements of items that have increased over the measured period.

Losers Displays measurements of items that have decreased over the measured period.

New Displays measurements of items that were added over the measured period.


Dropped Displays measurements of items that were discontinued over the measured period.

Filter Applies a filter to display only the selected item. None displays all entries.

Count Sessions and Count Bytes Determines whether to display session or byte information.

Sort Determines whether to sort entries by percentage or raw growth.

Export Exports the graph as a .png image or as a PDF.

Bottom Bar

Compare (interval) Specifies the period over which the change measurements are taken.

App Scope Threat Monitor Report


The Threat Monitor report displays a count of the top threats over the selected time period. For example,
the figure below shows the top 10 threat types for the past 6 hours.
App Scope Threat Monitor Report

Each threat type is color-coded as indicated in the legend below the chart. This report contains the
following options.

Threat Monitor Report Options Description

Top Bar

Top 10 Determines the number of records with the highest measurement included in the chart.

Threat Determines the type of item measured: Threat, Threat Category, Source, or Destination.

Filter Applies a filter to display only the selected item.

Determines whether the information is presented in a stacked column chart or a stacked area chart.

Export Exports the graph as a .png image or as a PDF.

Bottom Bar


Specifies the period over which the measurements are taken.

App Scope Threat Map Report


The Threat Map report shows a geographical view of threats, including severity.
App Scope Threat Map Report

Each threat type is color-coded as indicated in the legend below the chart. Click a country on the map to
Zoom In and then Zoom Out as needed. This report contains the following options.

Threat Map Report Options Description

Top Bar

Top 10 Determines the number of records with the highest measurement included in the chart.

Incoming threats Displays incoming threats.


Outgoing threats Displays outgoing threats.

Filter Applies a filter to display only the selected item.

Zoom In and Zoom Out Zoom in and zoom out of the map.

Export Exports the graph as a .png image or as a PDF.

Bottom Bar

Indicates the period over which the measurements are taken.

App Scope Network Monitor Report


The Network Monitor report displays the bandwidth dedicated to different network functions over
the specified period of time. Each network function is color-coded as indicated in the legend below the
chart. For example, the image below shows application bandwidth for the past 7 days based on session
information.
App Scope Network Monitor Report

The report contains the following options.

Network Monitor Report Options Description

Top Bar

Top 10 Determines the number of records with the highest measurement included in the chart.

Application Determines the type of item reported: Application, Application Category, Source, or Destination.

Filter Applies a filter to display only the selected item. None displays all entries.

Count Sessions and Count Bytes Determines whether to display session or byte information.

Determines whether the information is presented in a stacked column chart or a stacked area chart.

Export Exports the graph as a .png image or as a PDF.

Bottom Bar

Indicates the period over which the change measurements are taken.

App Scope Traffic Map Report


The Traffic Map report shows a geographical view of traffic flows according to sessions or flows.
App Scope Traffic Map Report

Each traffic type is color-coded as indicated in the legend below the chart. This report contains the
following options.

Traffic Map Report Options Description

Top Bar

Top 10 Determines the number of records with the highest measurement included in the chart.

Incoming traffic Displays incoming traffic.

Outgoing traffic Displays outgoing traffic.

Count Sessions and Count Bytes Determines whether to display session or byte
information.

Zoom In and Zoom Out Zoom in and zoom out of the map.

Export Export the graph as a .png image or as a PDF.

Bottom Bar


Indicates the period over which the change measurements are taken.

Monitor > Session Browser
Select Monitor > Session Browser to browse and filter current running sessions on the firewall. For
information on filtering options for this page, see Log Actions.

Monitor > Block IP List
You can configure the firewall to place IP addresses on the block list in several ways, including the
following:
• Configure a DoS Protection policy rule with the Action to Protect and apply a Classified DoS Protection
profile to the rule. The profile includes the Block Duration.
• Configure a Security policy rule with a Vulnerability Protection profile that uses a rule with the Action to
Block IP and apply the rule to a zone.
The Block IP List is supported on PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls.

What do you want to know? See:

What do the Block IP List fields indicate? Block IP List Entries

How do I filter, navigate, or delete Block IP List entries? View or Delete Block IP List Entries

Looking for more? Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
DoS Protection Against Flooding of New Sessions
Monitor Blocked IP Addresses

Block IP List Entries


• Monitor > Block IP List
The following table explains the block list entry for a source IP address that the firewall is blocking.

Field Description

Block Time Month/day and hours:minutes:seconds when the IP address went on the
Block IP List.

Type Type of block action: whether the hardware (hw) or software (sw) blocked the
IP address.
When you configure a DoS Protection policy or a Security policy that uses
a Vulnerability Protection profile to block connections from source IPv4
addresses, the firewall automatically blocks that traffic in hardware before
those packets use CPU or packet buffer resources. If attack traffic exceeds
the blocking capacity of the hardware, the firewall uses software to block the
traffic.

Source IP Address Source IP address of the packet that the firewall blocked.

Ingress Zone Security zone assigned to the interface where the packet entered the firewall.

Time Remaining Number of seconds remaining for the IP address to be on the Block IP List.

PAN-OS WEB INTERFACE HELP | Monitor 89


© 2021 Palo Alto Networks, Inc.
Field Description

Block Source Name of the classified DoS Protection profile or Vulnerability protection
object name where you specified the Block IP action.

Total Blocked IPs: x out Count of blocked IP addresses (x) out of the number of blocked IP addresses
of y (z% used) the firewall supports (y), and the corresponding percentage of blocked IP
addresses used (z).

View or Delete Block IP List Entries


Navigate the Block IP list entries, view detailed information, and delete an entry if desired.

Search for specific Block IP List information
  Select a value in a column, which enters a filter in the Filters field, and click the right arrow to initiate the search for entries with that value. Click the X to remove the filter.
View Block IP List entries beyond the current screen
  Enter a page number in the Page field or click the single arrows to see the Next Page or Previous Page of entries. Click the double arrows to view the Last Page or First Page of entries.
View detailed information about an IP address on the Block IP List
  Click on a Source IP Address of an entry, which links to Network Solutions Who Is with information about the address.
Delete Block IP List entries
  Select an entry and click Delete.
  Only deletion of Hardware entries is supported from the web interface. However, deleting both Hardware and Software entries is supported from the CLI.
Clear the entire Block IP List
  Click Clear All to permanently delete all entries, which means those packets are no longer blocked.
  Only clearing the Block IP list of Hardware entries is supported from the web interface. However, clearing both Hardware and Software entries is supported from the CLI.

Monitor > Botnet
The botnet report enables you to use behavior-based mechanisms to identify potential malware- and
botnet-infected hosts in your network. The report assigns each host a confidence score of 1 to 5 to indicate
the likelihood of botnet infection, where 5 indicates the highest likelihood. Before scheduling the report
or running it on demand, you must configure it to identify types of traffic as suspicious. The PAN-OS®
Administrator’s Guide provides details on interpreting botnet report output.
• Botnet Report Settings
• Botnet Configuration Settings

Botnet Report Settings


• Monitor > Botnet > Report Setting
Before generating the botnet report, you must specify the types of traffic that indicate potential botnet
activity (see Configuring the Botnet Report). To schedule a daily report or run it on demand, click Report
Setting and complete the following fields. To export a report, select it and Export to PDF, Export to CSV, or
Export to XML.

Botnet Report Settings / Description
Test Run Time Frame
  Select the time interval for the report—Last 24 Hours (default) or Last Calendar Day.
Run Now
  Click Run Now to manually and immediately generate a report. The report displays in a new tab within the Botnet Report dialog.
No. of Rows
  Specify the number of rows to display in the report (default is 100).
Scheduled
  Select this option to automatically generate the report daily. By default, this option is enabled.
Query Builder
  (Optional) Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones. For example, if you know that traffic initiated from the IP address 192.0.2.0 contains no potential botnet activity, you can add not (addr.src in 192.0.2.0) as a query to exclude that host from the report output.
  • Connector—Select a logical connector (and or or). If you select Negate, the report will exclude the hosts that the query specifies.
  • Attribute—Select a zone, address, or user that is associated with the hosts that the firewall evaluates for botnet activity.
  • Operator—Select an operator to relate the Attribute to a Value.
  • Value—Enter a value for the query to match.

Botnet Configuration Settings


• Monitor > Botnet > Configuration

To specify the types of traffic that indicate potential botnet activity, click Configuration on the right side of
the Botnet page and complete the following fields. After configuring the report, you can run it on demand
or schedule it to run daily (see Monitor > PDF Reports > Manage PDF Summary).

The default Botnet report configuration is optimal. If you believe the default values identify
false positives, create a support ticket so Palo Alto Networks can reevaluate the values.

Botnet Configuration Settings / Description
HTTP Traffic
  Enable and define the Count for each type of HTTP Traffic that the report will include. The Count values you enter are the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report will display the lower confidence score or (for certain traffic types) won’t display an entry for the host.
  • Malware URL visit (range is 2–1000; default is 5)—Identifies users communicating with known malware URLs based on malware and botnet URL filtering categories.
  • Use of dynamic DNS (range is 2–1000; default is 5)—Looks for dynamic DNS query traffic that might indicate malware, botnet communications, or exploit kits. Generally, using dynamic DNS domains is very risky. Malware often uses dynamic DNS to avoid IP address block lists. Consider using URL filtering to block such traffic.
  • Browsing to IP domains (range is 2–1000; default is 10)—Identifies users who browse to IP domains instead of URLs.
  • Browsing to recently registered domains (range is 2–1000; default is 5)—Looks for traffic to domains that were registered within the past 30 days. Attackers, malware, and exploit kits often use newly registered domains.
  • Executable files from unknown sites (range is 2–1000; default is 5)—Identifies executable files downloaded from unknown URLs. Executable files are a part of many infections and, when combined with other types of suspicious traffic, can help you prioritize host investigations.
Unknown Applications
  Define the thresholds that determine whether the report will include traffic associated with suspicious Unknown TCP or Unknown UDP applications.
  • Sessions Per Hour (range is 1–3600; default is 10)—The report includes traffic that involves up to the specified number of application sessions per hour.
  • Destinations Per Hour (range is 1–3600; default is 10)—The report includes traffic that involves up to the specified number of application destinations per hour.
  • Minimum Bytes (range is 1–200; default is 50)—The report includes traffic for which the application payload equals or exceeds the specified size.
  • Maximum Bytes (range is 1–200; default is 100)—The report includes traffic for which the application payload is equal to or less than the specified size.
IRC
  Select this option to include traffic involving IRC servers.

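As an added example (not Palo Alto Networks code and not part of this help page), the following Python script applies the threshold semantics described in the Botnet Configuration Settings table to constructed sample data: per-host event counts are compared against the default HTTP Traffic Count values, unknown-application sessions are checked against the Sessions Per Hour, Destinations Per Hour, Minimum Bytes and Maximum Bytes thresholds, and a host named in an exclusion query such as not (addr.src in 192.0.2.0) is dropped from the result. The short traffic-type keys, the sample addresses and the dictionary layout are assumptions made for the example; the page does not state how threshold hits map to the 1 to 5 confidence score, so the script reports which thresholds each host crossed rather than a score.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Default Count thresholds for the HTTP Traffic section, as listed in the table above.
# The keys are this example's own short names for the five traffic types (an assumption).
HTTP_COUNTS: Dict[str, int] = {
    "malware_url": 5,     # Malware URL visit
    "dynamic_dns": 5,     # Use of dynamic DNS
    "ip_domain": 10,      # Browsing to IP domains
    "recent_domain": 5,   # Browsing to recently registered domains
    "exe_unknown": 5,     # Executable files from unknown sites
}

# Default Unknown Applications thresholds, as listed in the table above.
UNKNOWN_APP: Dict[str, int] = {
    "sessions_per_hour": 10,
    "destinations_per_hour": 10,
    "min_bytes": 50,
    "max_bytes": 100,
}

# Constructed sample HTTP events as (source address, traffic type); not real log data.
HTTP_EVENTS: List[Tuple[str, str]] = (
    [("10.1.1.5", "malware_url")] * 6
    + [("10.1.1.5", "dynamic_dns")] * 2
    + [("10.1.1.7", "ip_domain")] * 10
    + [("10.1.1.7", "recent_domain")] * 5
    + [("192.0.2.0", "malware_url")] * 7
)

# Constructed sample hourly aggregates for unknown-tcp / unknown-udp sessions.
UNKNOWN_SESSIONS: List[Dict] = [
    {"src": "10.1.1.5", "app": "unknown-tcp", "sessions_per_hour": 8,
     "destinations_per_hour": 3, "payload_bytes": 60},
    {"src": "10.1.1.7", "app": "unknown-udp", "sessions_per_hour": 8,
     "destinations_per_hour": 3, "payload_bytes": 120},   # payload above Maximum Bytes
    {"src": "10.1.1.9", "app": "unknown-tcp", "sessions_per_hour": 11,
     "destinations_per_hour": 3, "payload_bytes": 60},    # more sessions than Sessions Per Hour
]


def http_threshold_hits(events, counts=HTTP_COUNTS) -> Dict[str, Set[str]]:
    """Per source host, the HTTP traffic types whose event count reached the
    configured Count, i.e. the minimum needed for the higher confidence score."""
    tally = Counter(events)                      # (host, traffic type) -> event count
    hits: Dict[str, Set[str]] = defaultdict(set)
    for (host, kind), n in tally.items():
        if kind in counts and n >= counts[kind]:
            hits[host].add(kind)
    return dict(hits)


def unknown_app_included(session, thresholds=UNKNOWN_APP) -> bool:
    """Unknown Applications rule: up to N sessions and destinations per hour,
    and a payload between Minimum Bytes and Maximum Bytes inclusive."""
    t = thresholds
    return (session["sessions_per_hour"] <= t["sessions_per_hour"]
            and session["destinations_per_hour"] <= t["destinations_per_hour"]
            and t["min_bytes"] <= session["payload_bytes"] <= t["max_bytes"])


def build_report(events, sessions, excluded_sources=()):
    """Combine both checks, then drop hosts named by an exclusion query such as
    'not (addr.src in 192.0.2.0)', represented here simply as a set of addresses."""
    excluded = set(excluded_sources)
    http = {host: sorted(kinds)
            for host, kinds in http_threshold_hits(events).items()
            if host not in excluded}
    unknown = [s for s in sessions
               if s["src"] not in excluded and unknown_app_included(s)]
    return {"http": http, "unknown_apps": unknown}


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(HTTP_EVENTS, UNKNOWN_SESSIONS, {"192.0.2.0"}), indent=2))
```

Running the script lists 10.1.1.5 for the malware URL threshold only (its two dynamic DNS events stay below the Count of 5), 10.1.1.7 for both the IP-domain and recently-registered-domain thresholds, and only the first unknown-application session, since the other two violate the Maximum Bytes and Sessions Per Hour limits respectively.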
Monitor > PDF Reports
The following topics describe PDF reports.
• Monitor > PDF Reports > Manage PDF Summary
• Monitor > PDF Reports > User Activity Report
• Monitor > PDF Reports > SaaS Application Usage
• Monitor > PDF Reports > Report Groups
• Monitor > PDF Reports > Email Scheduler

Monitor > PDF Reports > Manage PDF Summary


PDF summary reports contain information compiled from existing reports, based on data for the top 5 in each category (instead of top 50). They also contain trend charts that are not available in other reports.
(Figure: PDF Summary Report)

To create PDF summary reports, click Add. The PDF Summary Report page opens to show all of the available report elements.
(Figure: Managing PDF Reports)

Use one or more of these options to design the report:
• To remove an element from the report, click delete ( [X] ) or clear the item from the appropriate drop-
down.
• Select additional elements by selecting them in the appropriate drop-down.
• Drag and drop an element to move it to another area of the report.

There is a maximum of 18 report elements allowed. If you have 18 already, you must
delete existing elements before you can add new ones.
To Save the report, enter a report name, and click OK.
To display PDF reports, select Monitor > Reports, click PDF Summary Report to select a report, and click a
day in the calendar to download a report for that day.

New PDF summary reports will not appear until after the report runs, which will occur
automatically every 24 hours at 2 a.m.

Monitor > PDF Reports > User Activity Report


Use this page to create reports that summarize the activity of individual users or user groups. Click Add and
specify the following information.

User/Group Activity Report Settings / Description
Name
  Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Type
  For User Activity Report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user who will be the subject of the report.
  For Group Activity Report: Select Group and enter the Group Name.
Additional Filters
  Select Filter Builder to create filters for the User/Group Activity Report.
Time Period
  Select the time frame for the report from the drop-down.
Include Detailed Browsing
  (Optional) Select this option to include detailed URL logs in the report.
  The detailed browsing information can include a large volume of logs (thousands) for the selected user or user group and cause a report to be very large.

The Group Activity Report does not include Browsing Summary by URL Category; all other
information is common across the User Activity Report and the Group Activity Report.

To run the report on demand, click Run Now. To change the maximum number of rows that display in the
report, see Logging and Reporting Settings.
To save the report, click OK. You can then schedule the report for email delivery (Monitor > PDF Reports >
Email Scheduler).

Add a Log Filter


Build log filters for the User Activity and Group Activity Reports to customize them. You can filter
activity reports based on application, application characteristics, and more. For example, if you are
interested in SaaS applications that don’t have certifications, you can build a filter based on this application
characteristic.

Add Log Filter Field / Description
Log Filter Text Box
  Write the filter you would like to apply to the log. You can write multiple filters.
Connector
  Append the filter with an additional filtering option. Check the Negate box to not apply a connector to the filter you wrote.
Attribute
  Select the attribute you would like to append from the menu.
Operator
  Select whether the Attribute should equal or not equal the Value.
Value
  Set the Value for the attribute. When available, a drop-down menu offers the possible values.

Select Apply to apply the built filter to the User Activity or Group Activity Report.

Monitor > PDF Reports > SaaS Application Usage
Use this page to generate a SaaS application usage report that summarizes the security risks associated
with the SaaS applications traversing your network. This predefined report presents a comparison of the
sanctioned versus unsanctioned applications, summarizes the risky SaaS applications with unfavorable
hosting characteristics, and highlights the activity, usage, and compliance of the applications by listing
the top applications for each category on the detailed pages. You can use this detailed risk information to
enforce policy for SaaS applications that you want to allow or block on your network.
To generate an accurate and informative report, you must tag the sanctioned applications on your
network (see Generate the SaaS Application Usage Report). The firewall and Panorama consider any
application without this predefined tag as unsanctioned for use on the network. It is important to know
about the sanctioned applications and unsanctioned applications that are prevalent on your network
because unsanctioned SaaS applications are a potential threat to information security; they are not
approved for use on your network and can cause an exposure to threats and loss of private and sensitive
data.

Make sure you tag applications consistently across all firewalls or device groups. If the same
application is tagged as sanctioned in one virtual system and is not sanctioned in another—
or on Panorama, if an application is unsanctioned in a parent device group but is tagged as
sanctioned in a child device group (or vice versa)—the SaaS Application Usage report will
produce overlapping results.
On the ACC, set the Application View to By Sanctioned State to visually identify applications
that have different sanctioned state across virtual systems or device groups. Green
indicates sanctioned applications, blue is for unsanctioned applications, and yellow indicates
applications that have a different sanctioned state across different virtual systems or device
groups.

To configure the report, click Add and specify the following information:

SaaS Application Usage Report Settings / Description
Name
  Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Time Period
  Select the time frame for the report from the drop-down. The report includes data from the current day (the day on which the report is generated).
Include logs from
  From the drop-down, select whether you want to generate the report on a selected user group, on a selected zone, or for all user groups and zones configured on the firewall or Panorama.
  • For a selected user group—Select the User Group for which the firewall or Panorama will filter the logs.
  • For a selected zone—Select the Zone for which the firewall or Panorama will filter the logs.
  • For all user groups and zones—You can report on all groups or choose up to 25 user groups for which you want visibility. If you have more than 25 groups, the firewall or Panorama will display the top 25 groups in the report and assign all remaining user groups to the Others group.
Include user group information in the report (Not available if you choose to generate the report on a Selected User Group.)
  This option filters the logs for the user groups you want to include in the report. Select the manage groups or the manage groups for the selected zone link to choose up to 25 user groups for which you want visibility.
  When you generate a report for specific user groups on a selected zone, users who are not a member of any of the selected groups are assigned to a user group called Others.
User group
  Select the user group(s) for which you want to generate the report. This option displays only when you choose Selected User Group in the Include logs from drop-down.
Zone
  Select the zone for which you want to generate the report. This option displays only when you choose Selected Zone in the Include logs from drop-down.
  You can then select include user group information in the report.
Include detailed application category information in report
  The SaaS Application Usage PDF report is a two-part report. By default, both parts of the report are generated. The first part of the report (ten pages) focuses on the SaaS applications used on your network during the reporting period.
  Clear this option if you do not want the second part of the report that includes detailed information for SaaS and non-SaaS applications for each application subcategory listed in the first part of the report. This second part of the report includes the names of the top applications in each subcategory and information about users, user groups, files, bytes transferred, and threats generated from these applications.
  Without the detailed information, the report is ten pages long.
Limit max subcategories in the report to
  Select whether you want to use all application subcategories in the SaaS Application Usage report or whether you want to limit the maximum number to 10, 15, 20, or 25 subcategories.
  When you reduce the maximum number of subcategories, the detailed report is shorter because you limit the SaaS and non-SaaS application activity information included in the report.

Click Run Now to generate the report on demand.


You can generate this report on demand or you can schedule it to run on a daily, weekly, or monthly
cadence. To schedule the report, see schedule reports for email delivery.
On PA-220 and PA-220R firewalls, the SaaS Application Usage report is not sent as a PDF attachment in
the email. Instead, the email includes a link you use to open the report in a web browser.
For more information on the report, see Manage Reporting.

Monitor > PDF Reports > Report Groups
Report groups allow you to create sets of reports that the system can compile and send as a single
aggregate PDF report with an optional title page and all the constituent reports included.

Report Group Settings / Description
Name
  Enter a name to identify the report group (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Title Page
  Select this option to include a title page in the report.
Title
  Enter the name that will appear as the report title.
Report selection / Widgets
  For each report to include in the group, select the report in the left column and Add it to the right column. You can select the following report types:
  • Predefined Report
  • Custom Report
  • PDF Summary Report
  • CSV
  • Log View—Whenever you create a custom report, the firewall automatically creates a Log View report with the same name. The Log View report shows the logs that the firewall used to build the contents of the custom report. To include the log view data, when creating a report group, add your Custom Reports and then add the matching Log View reports. The aggregate report generated for the report group displays the custom report data followed by the log data.
  After you save the report group, the Widgets column of the Report Groups page lists the reports you added to the group.

To use the report group, refer to Monitor > PDF Reports > Email Scheduler.

Monitor > PDF Reports > Email Scheduler


Use the Email scheduler to schedule reports for delivery by email. Before adding a schedule, you must
define report groups and an email profile. Refer to Monitor > PDF Reports > Report Groups and Device >
Server Profiles > Email.
Scheduled reports begin running at 2:00 AM, and email forwarding occurs after all scheduled reports have
finished running.

Email Scheduler Settings / Description
Name
  Enter a name to identify the schedule (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Report Group
  Select the report group (Monitor > PDF Reports > Report Groups) or the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage) you want to schedule.
Email Profile
  Select the profile that defines the email settings. Refer to Device > Server Profiles > Email for information on defining email profiles.
Recurrence
  Select the frequency at which to generate and send the report.
Override Email Addresses
  Enter an optional email address to use instead of the recipient specified in the email profile.
Send test email
  Click to send a test email to the email address defined in the selected Email Profile.

Monitor > Manage Custom Reports
You can create custom reports to run on demand or on schedule (each night). For predefined reports, select
Monitor > Reports.

After the firewall has generated a scheduled custom report, you risk invalidating the past
results of that report if you modify its configuration to change its future output. If you need to
modify a scheduled report configuration, the best practice is to create a new report.

Add a custom report to create a new one. To base the report on an existing template, Load Template and
select the template. To generate a report on demand, instead of or in addition to the Scheduled time, click
Run Now. Specify the following settings to define the report.

Custom Report Settings / Description
Name
  Enter a name to identify the report (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description
  Enter a description for the custom report.
Database
  Choose the database to use as the data source for the report.
Scheduled
  Select this option to run the report each night. The report then becomes available by selecting Monitor > Reports.
Time Frame
  Choose a fixed time frame or choose Custom and specify a date and time range.
Sort By
  Choose sorting options to organize the report, including the amount of information to include in the report. The available options depend on the choice of database.
Group By
  Choose grouping options to organize the report, including the amount of information to include in the report. The available options depend on the choice of database.
Columns
  Select Available Columns to include in the custom report and add them to Selected Columns. Select Up, Down, Top, and Bottom to reorder selected columns. As needed, you can also select and remove previously selected columns.
Query Builder
  To build a report query, specify the following and click Add. Repeat as needed to construct the full query.
  • Connector—Choose the connector (and or or) to precede the expression you are adding.
  • Negate—Select this option to interpret the query as a negation. In the previous example, the negate option causes a match on entries that are not in the past 24 hours or are not from the untrust zone.
  • Attribute—Choose a data element. The available options depend on the choice of database.
  • Operator—Choose the criterion to determine whether the attribute applies (such as =). The available options depend on the choice of database.
  • Value—Specify the attribute value to match.

For more information, see Generate Custom Reports.
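The Query Builder described above and the one in Botnet Report Settings both produce expressions made of an attribute, an operator and a value, joined by and/or with an optional negation, for example not (addr.src in 192.0.2.0). The following Python evaluator is an added example, not Palo Alto Networks code and not the firewall's own query engine; it parses such expressions and runs them against constructed sample log records so you can check what a query will match before scheduling a report around it. It assumes the attribute names addr.src, addr.dst, user and zone, the operator spellings eq and neq for equal and not-equal (only in and = appear on the page), that in on an address attribute accepts a single address or a CIDR prefix, and that not binds tighter than and, which binds tighter than or.

```python
import ipaddress
from typing import Dict, List

# Constructed sample log records (not real firewall logs). Keys mirror the
# attribute names used in queries, which is an assumption of this example.
LOGS: List[Dict[str, str]] = [
    {"addr.src": "192.0.2.0", "addr.dst": "198.51.100.10", "user": "alice", "zone": "trust"},
    {"addr.src": "10.1.1.5", "addr.dst": "203.0.113.7", "user": "bob", "zone": "trust"},
    {"addr.src": "10.1.1.7", "addr.dst": "203.0.113.9", "user": "carol", "zone": "untrust"},
]

# 'in' appears on the page; 'eq' and 'neq' are this example's spellings for = and not-equal.
OPERATORS = ("in", "eq", "neq")


def tokenize(text: str) -> List[str]:
    """Split on whitespace, keeping parentheses as their own tokens."""
    return text.replace("(", " ( ").replace(")", " ) ").split()


class Query:
    """Recursive-descent parser: 'attr op value' terms joined by and/or,
    with 'not' and parentheses. Precedence (tightest first): not, and, or."""

    def __init__(self, text: str):
        self.toks = tokenize(text)
        self.pos = 0
        self.tree = self._or()
        if self.pos != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.pos]!r}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self) -> str:
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.pos += 1
        return tok

    def _or(self):
        node = self._and()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._not())
        return node

    def _not(self):
        if self._peek() == "not":
            self._take()
            return ("not", self._not())
        return self._atom()

    def _atom(self):
        if self._peek() == "(":
            self._take()
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        attr, op, value = self._take(), self._take(), self._take()
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        return ("cmp", attr, op, value)

    def matches(self, record: Dict[str, str]) -> bool:
        return _eval(self.tree, record)


def _eval(node, record: Dict[str, str]) -> bool:
    kind = node[0]
    if kind == "or":
        return _eval(node[1], record) or _eval(node[2], record)
    if kind == "and":
        return _eval(node[1], record) and _eval(node[2], record)
    if kind == "not":
        return not _eval(node[1], record)
    _, attr, op, value = node
    actual = record.get(attr)
    if actual is None:
        return False  # attribute absent from this record: never a match
    if op == "in" and attr.startswith("addr."):
        # Assumed semantics: the value is a single address or a CIDR prefix.
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    if op == "neq":
        return actual != value
    return actual == value  # 'eq', and 'in' on non-address attributes


def filter_logs(query: str, logs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    q = Query(query)
    return [r for r in logs if q.matches(r)]


def is_valid_query(text: str) -> bool:
    """True when the text parses; useful for validating a filter before saving it."""
    try:
        Query(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for r in filter_logs("not (addr.src in 192.0.2.0)", LOGS):
        print(r["addr.src"], r["user"], r["zone"])
```

With the sample records, the page's own example query not (addr.src in 192.0.2.0) keeps the two 10.1.1.x records, and addr.src in 10.1.1.0/24 and zone eq untrust narrows that to 10.1.1.7 only. Because not applies to the single following term, not zone eq trust and user eq bob means (not zone eq trust) and (user eq bob); wrap the whole conjunction in parentheses when the intent is to negate both conditions.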

Monitor > Reports
The firewall provides various “top 50” reports of the traffic statistics for the previous day or a selected day
in the previous week.
To view a report, expand a report category (such as Custom Reports) on the right side of the page and
select a report name. The page lists reports in sections. You can view the information in each report for the
selected time period.
By default, the firewall displays all reports for the previous calendar day. To view reports for other dates,
select a report generation date in the calendar at the bottom right of the page.
To view reports on a system other than the firewall, select an export option:
• Export to PDF
• Export to CSV
• Export to XML

Policies
The following topics describe firewall policy types, how to move or clone policies, and
policy settings:

> Policy Types
> Move or Clone a Policy Rule
> Audit Comment Archive
> Rule Usage Hit Count Query
> Policies > Security
> Policies > NAT
> Policies > QoS
> Policies > Policy Based Forwarding
> Policies > Decryption
> Policies > Tunnel Inspection
> Policies > Application Override
> Policies > Authentication
> Policies > DoS Protection
> Policies > SD-WAN

Policy Types
Policies enable you to control firewall operation by enforcing rules and automating actions. The firewall
supports the following policy types:
• Basic security policies to block or allow a network session based on the application, the source and
destination zones and addresses, and—optionally—based on the service (port and protocol). Zones
identify the physical or logical interfaces that send or receive the traffic. See Policies > Security.
• Network Address Translation (NAT) policies to translate addresses and ports. See Policies > NAT.
• Quality of Service (QoS) policies to determine how traffic is classified for treatment when it passes
through an interface with QoS enabled. See Policies > QoS.
• Policy-based forwarding policies to override the routing table and specify an egress interface for traffic.
See Policies > Policy Based Forwarding.
• Decryption policies to specify traffic decryption for security policies. Each policy can specify the
categories of URLs for the traffic you want to decrypt. SSH decryption is used to identify and control
SSH tunneling in addition to SSH shell access. See Policies > Decryption.
• Tunnel Inspection policies to enforce Security, DoS Protection, and QoS policies on tunneled traffic, and
to view tunnel activity. See Policies > Tunnel Inspection.
• Override policies to override the application definitions provided by the firewall. See Policies >
Application Override.
• Authentication policies to define authentication for end users who access network resources. See
Policies > Authentication.
• Denial of service (DoS) policies to protect against DoS attacks and take protective action in response to
rule matches. See Policies > DoS Protection.
• SD-WAN policies to determine link path management between the source and destination zones when
link path health degrades below the approved, configured health metrics. See Policies > SD-WAN.
Shared policies pushed from Panorama™ display in orange on the firewall web interface. You can edit these
shared policies only on Panorama; you cannot edit them on the firewall.
View Rulebase as Groups to view all the tag groups used in a rulebase. In rule bases with many rules,
viewing the rulebase as groups simplifies the display by presenting the tags, color code, and the number of
rules in each group while preserving the established rule hierarchy.

Move or Clone a Policy Rule
When moving or cloning policies, you can assign a Destination (a virtual system on a firewall or a device
group on Panorama) for which you have access permissions, including the Shared location.
To move a policy rule, select the rule in the Policies tab, click Move, select Move to other vsys (firewalls
only) or Move to different rulebase or device group (Panorama only), specify the fields in the following
table, and then click OK.
To clone a policy rule, select the rule in the Policies tab, click Clone, specify the fields in the following table,
and then click OK.

Move/Clone Settings / Description
Selected Rules
  Displays the Name and current Location (virtual system or device group) of the policy rules you selected for the operation.
Destination
  Select the new location for the policy or object: a virtual system, device group, or Shared. The default value is the Virtual System or Device Group that you selected in the Policies or Objects tab.
Rule order
  Select the rule position relative to other rules:
  • Move top—The rule will precede all other rules.
  • Move bottom—The rule will follow all other rules.
  • Before rule—In the adjacent drop-down, select the subsequent rule.
  • After rule—In the adjacent drop-down, select the preceding rule.
Error out on first detected error in validation
  Select this option (selected by default) to make the firewall or Panorama display the first error it finds and stop checking for more errors. For example, an error occurs if the Destination doesn’t include an object that is referenced in the policy rule you are moving. If you clear this selection, the firewall or Panorama will find all errors before displaying them.

Audit Comment Archive
Select the Audit Comment Archive to view the audit comment history, configuration logs, and the rule
change history of a selected rule.

• Audit Comments
• Config Logs (between commits)
• Rule Changes

Audit Comments
View the Audit Comment history for a selected policy rule. Apply and save filters to quickly identify specific
audit comments and to export the displayed audit comments in CSV format.

Field / Description
Commit Time
  Time when the audit comment was committed.
Audit Comment
  Contents of the audit comment.
Administrator
  User who committed the audit comment.
Config Version
  Configuration revision version. 0 indicates the first time the policy rule was created and committed to Panorama.

Config Logs (between commits)


View the configuration log generated by the selected policy rule between commits. Apply and save filters to
quickly identify specific config logs and to export the displayed config logs in CSV format.

Field / Description
Time
  Time when the audit comment was committed.
Administrator
  Contents of the audit comment.
Command
  Type of command executed.
Before Change
  Rule information before the change occurred. For example, if you rename a rule, the previous name is displayed.
After Change
  Rule information after the change occurred. For example, if you rename a rule, the new name is displayed.
Device Name
  Name of the device before audit comment change.

Rule Changes
View and compare configuration versions of the selected policy rule to analyze what changes occurred. In
the drop-down, select the two policy rule config versions you want to compare.

Rule Usage Hit Count Query
• Policies > Rule Usage
Use the rule usage query to filter the selected rulebase over a specified period of time. The rule usage query
allows you to quickly filter your policy rulebase to identify unused rules for removal so that you can reduce
open entry points for an attacker. Click PDF/CSV to export the filtered rules in PDF or CSV format. To
use the Rule Usage Hit Count Query, you must enable the Policy Rule Hit Count setting (Device > Setup >
Management).
By default, the Name, Location, Created, Modified, and Rule Usage columns are displayed when you query
the rule usage in your policy rule base. You can add more columns to view additional information about the
policy rules.

Task / Description
Hit Count
  Timeframe
    Indicate the time frame to query the selected rulebase. Select from the predetermined time frames or set a Custom time frame.
  Usage
    Select the rule usage to query: Any, Unused, Used, or Partially Used (Panorama only).
  Since
    (Custom Timeframe only) Select the date and time from which to query the policy rulebase.
  Exclude rules reset during the last _ days
    Select this option to exclude any rules that were manually reset by a user within the specified number of days.
Actions
  Delete
    Delete one or more selected policy rules.
  Enable
    Enable one or more selected policy rules when disabled.
  Disable
    Disable one or more selected policy rules.
  PDF/CSV
    Export the filtered policy rules currently displayed in PDF or CSV format.
  Reset Rule Hit Counter
    Reset the rule usage data for the Selected rules or for All rules that have been filtered and are currently displayed.
  Tag
    Apply one or more group tags to one or more selected policy rules. The group tag must already exist in order to tag the policy rule(s).
  Untag
    Remove one or more group tags from one or more selected policy rules.

Device Rule Usage for Rule Hit Count Query
You can view device and virtual system rule usage when you view the rule usage for a policy rule from
the Panorama management server. Reset Rule Hit Counter resets the Hit Count, First Hit, and Last Hit.
Click PDF/CSV to export the filtered rules in PDF or CSV format.

Device Group: Device group that the device or virtual system belongs to.

Device Name/Virtual System: Name of the device group or virtual system.

Hit Count: Total number of traffic matches for the policy rule.

Last Hit: Date and time of the latest traffic match for the policy rule.

First Hit: Date and time of the first traffic match for the policy rule.

Last Update Received: Date and time of the last rule usage information received from the device by
the Panorama management server.

Created: Date and time the policy rule was created.

Modified: Date and time the policy rule was last modified. The column is blank if the policy rule has
not been modified.

State: Connection status of the device: Connected or Disconnected.
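The Rule Usage query (Timeframe, Usage, Since, and Exclude rules reset during the last N days) and the
per-device counters in the table above can be reproduced outside the web interface, for example when
reviewing an exported rulebase. The following Python script is an added example, not code from the
PAN-OS help or from Palo Alto Networks; the rule records, device names and timestamps in it are
constructed, and its reading of Partially Used as "hit on some but not all devices within the window"
is an assumption of the example.

```python
"""Added example (not from the PAN-OS help): reproduce the Policies > Rule
Usage query and the Device Rule Usage roll-up outside the web interface.
Rule records, device names and timestamps below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

NOW = datetime(2021, 10, 6, 12, 0, 0)   # fixed clock so the example is deterministic


@dataclass
class DeviceUsage:
    """Per-device counters as listed under Device Rule Usage on Panorama."""
    device: str
    hit_count: int
    first_hit: Optional[datetime]
    last_hit: Optional[datetime]


@dataclass
class RuleUsage:
    name: str
    created: datetime
    devices: List[DeviceUsage]
    last_reset: Optional[datetime] = None  # last Reset Rule Hit Counter by an admin


def aggregate(rule: RuleUsage):
    """Roll per-device counters up to the rule: total hits, earliest First Hit,
    latest Last Hit across devices (None when the rule was never hit)."""
    total = sum(d.hit_count for d in rule.devices)
    firsts = [d.first_hit for d in rule.devices if d.first_hit]
    lasts = [d.last_hit for d in rule.devices if d.last_hit]
    return total, (min(firsts) if firsts else None), (max(lasts) if lasts else None)


def usage_state(rule: RuleUsage, since: datetime) -> str:
    """Classify a rule for the Usage filter. 'Partially Used' (Panorama only) is
    read here as: hit on some but not all devices within the window. That
    reading is an assumption of this example."""
    hit = [d.last_hit is not None and d.last_hit >= since for d in rule.devices]
    if not any(hit):
        return "Unused"
    return "Used" if all(hit) else "Partially Used"


def query_rule_usage(rules, usage="Any", timeframe_days=None, since=None,
                     exclude_reset_days=None, now=NOW):
    """Names of rules matching a Rule Usage query.

    usage              Any | Unused | Used | Partially Used
    timeframe_days     predefined window (for example 30 or 90) ending at `now`
    since              custom start of the window, used when timeframe_days is None
    exclude_reset_days skip rules whose counter was reset in the last N days, so a
                       freshly reset rule is not mistaken for a dead one
    """
    if timeframe_days is not None:
        since = now - timedelta(days=timeframe_days)
    if since is None:
        raise ValueError("a timeframe or a custom 'since' time is required")
    matched = []
    for rule in rules:
        if (exclude_reset_days is not None and rule.last_reset is not None
                and rule.last_reset >= now - timedelta(days=exclude_reset_days)):
            continue
        if usage != "Any" and usage_state(rule, since) != usage:
            continue
        matched.append(rule.name)
    return matched


# Constructed sample data, not output of any firewall or Panorama.
SAMPLE_RULES = [
    RuleUsage("allow-web", datetime(2020, 1, 10), [
        DeviceUsage("fw-a", 1200, datetime(2020, 1, 11), datetime(2021, 10, 1)),
        DeviceUsage("fw-b", 800, datetime(2020, 1, 12), datetime(2021, 9, 30))]),
    RuleUsage("legacy-ftp", datetime(2019, 6, 1), [
        DeviceUsage("fw-a", 0, None, None),
        DeviceUsage("fw-b", 0, None, None)]),
    RuleUsage("branch-vpn", datetime(2021, 3, 5), [
        DeviceUsage("fw-a", 40, datetime(2021, 3, 6), datetime(2021, 10, 3)),
        DeviceUsage("fw-b", 0, None, None)]),
    RuleUsage("just-reset", datetime(2018, 2, 2), [
        DeviceUsage("fw-a", 0, None, None)],
        last_reset=datetime(2021, 10, 4)),
    RuleUsage("quarterly-batch", datetime(2020, 5, 5), [
        DeviceUsage("fw-a", 3, datetime(2021, 1, 15), datetime(2021, 7, 15))]),
]

if __name__ == "__main__":
    print("unused, 30 days:", query_rule_usage(SAMPLE_RULES, "Unused", timeframe_days=30))
    print("unused, 30 days, ignoring recent resets:",
          query_rule_usage(SAMPLE_RULES, "Unused", timeframe_days=30, exclude_reset_days=7))
```

The exclude-reset option matters for cleanup decisions: a rule whose counter was reset a few days ago
shows zero hits in the window and would otherwise be listed as unused, which is exactly the rule the
help warns about when it says the hit count should be re-checked before a rule is deleted or disabled.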

Policies > Security
Security policy rules reference security zones and enable you to allow, restrict, and track traffic on your
network based on the application, user or user group, and service (port and protocol). By default, the
firewall includes a security rule named rule1 that allows all traffic from the Trust zone to the Untrust zone.

What do you want to know? See:
• What is a Security policy? Security Policy Overview. For Panorama, see Move or Clone a Policy Rule.
• What are the fields available to create a Security policy rule? Building Blocks in a Security Policy
Rule.
• How can I use the web interface to manage Security policy rules? Creating and Managing Policies,
Overriding or Reverting a Security Policy Rule, Applications and Usage, and Security Policy Optimizer.
• Looking for more? Security Policy.

Security Policy Overview


Security policies allow you to enforce rules and take action, and can be as general or specific as needed. The
policy rules are compared against the incoming traffic in sequence, and because the first rule that matches
the traffic is applied, the more specific rules must precede the more general ones. For example, a rule for a
single application must precede a rule for all applications if all other traffic-related settings are the same.

To ensure that end users authenticate when they try to access your network resources, the
firewall evaluates Authentication policy before Security policy. For details, see Policies >
Authentication.

For traffic that doesn’t match any user-defined rules, the default rules apply. The default rules—displayed at
the bottom of the security rulebase—are predefined to allow all intrazone traffic (within the zone) and deny
all interzone traffic (between zones). Although these rules are part of the predefined configuration and are
read-only by default, you can Override them and change a limited number of settings, including the tags,
action (allow or deny), log settings, and security profiles.
The interface includes the following tabs for defining Security policy rules.
• General—Select the General tab to configure a name and description for the Security policy rule.
• Source—Select the Source tab to define the source zone or source address from which the traffic
originates.
• User—Select the User tab to enforce policy for individual users or a group of users. If you are using
GlobalProtect™ with host information profile (HIP) enabled, you can also base the policy on information
collected by GlobalProtect. For example, the user access level can be determined by the HIP, which
notifies the firewall about the user's local configuration. The HIP information can be used for
granular access control based on the security programs that are running on the host, registry values,
and many other checks, such as whether the host has antivirus software installed.

• Destination—Select the Destination tab to define the destination zone or destination address for the
traffic.
• Application—Select the Application tab to have the policy action occur based on an application or
application group. An administrator can also use an existing App-ID™ signature and customize it to
detect proprietary applications or to detect specific attributes of an existing application. Custom
applications are defined in Objects > Applications.
• Service/URL Category—Select the Service/URL Category tab to specify a specific TCP and/or UDP port
number or a URL category as match criteria in the policy.
• Actions—Select the Actions tab to determine the action that will be taken based on traffic that matches
the defined policy attributes.
• Target—Select the Target tab to specify devices or tags for the security policy rule.
• Usage—Select the Usage tab to view a rule’s usage, including the number of applications seen on a rule,
when the last new application was seen on the rule, hit count data, traffic over the past 30 days, and
when the rule was created and last edited.

Building Blocks in a Security Policy Rule

• Policies > Security
The following section describes each component in a Security policy rule. When you create a Security
policy rule, you can configure the options described here. Each entry names the building block, the
tab where it is configured (Configured In), and describes the setting.

Rule number (Configured In: N/A): The firewall automatically numbers each rule, and the order of the
rules changes as rules are moved. When you filter rules to match specific filters, each rule displays
with its number in the context of the complete set of rules in the rulebase and its place in the
evaluation order.
Panorama independently numbers pre-rules and post-rules. When Panorama pushes rules to a managed
firewall, the rule numbering incorporates hierarchy in pre-rules, firewall rules, and post-rules
within a rulebase and reflects the rule sequence and its evaluation order.

Name (Configured In: General): Enter a name to identify the rule. The name is case-sensitive and can
have up to 63 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name
must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or
descendant device groups.

Rule Type (Configured In: General): Specifies whether the rule applies to traffic within a zone,
between zones, or both:
• universal (default)—Applies the rule to all matching interzone and intrazone traffic in the
specified source and destination zones. For example, if you create a universal rule with source zones
A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic
within zone B, all traffic from zone A to zone B, and all traffic from zone B to zone A.
• intrazone—Applies the rule to all matching traffic within the specified source zones (you cannot
specify a destination zone for intrazone rules). For example, if you set the source zone to A and B,
the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic
between zones A and B.
• interzone—Applies the rule to all matching traffic between the specified source and destination
zones. For example, if you set the source zone to A, B, and C and the destination zone to A and B, the
rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and
from zone C to zone B, but not to traffic within zones A, B, or C.

Description (Configured In: General): Enter a description for the policy (up to 1,024 characters).

Tags (Configured In: General): Specify the tag for the policy.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when
you have defined many policies and want to view those that are tagged with a particular keyword. For
example, you may want to tag certain rules with specific words like Decrypt and No-decrypt, or use the
name of a specific data center for policies associated with that location.
You can also add tags to the default rules.

Source Zone (Configured In: Source): Add source zones (default is Any). Zones must be of the same type
(Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal
zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination
zone, you can create one rule that covers all cases.

Source Address (Configured In: Source): Add source addresses, address groups, or regions (default is
Any). Select from the drop-down or select Address object, Address Group, or Regions (bottom of the
drop-down) to specify the settings. Objects > Addresses and Objects > Address Groups describe the
types of address objects and address groups, respectively, that a Security policy rule supports.
Selecting the Negate option applies the rule to source addresses from the specified zone except for
the addresses specified.

Source User (Configured In: Source): Add the source users or groups of users subject to the policy:
• any—Includes any traffic regardless of user data.
• pre-logon—Includes remote users that are connected to the network using GlobalProtect, but are not
logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect
endpoints, any user who is not currently logged into their machine is identified with the username
pre-logon. You can then create policies for pre-logon users; although the user is not logged in
directly, their machines are authenticated on the domain as if they were fully logged in.
• known-user—Includes all authenticated users, which means any IP address with user data mapped. This
option is equivalent to the domain users group on a domain.
• unknown—Includes all unauthenticated users, which means IP addresses that are not mapped to a user.
For example, you could use unknown for guest-level access, because guests will have an IP address on
your network but will not be authenticated to the domain and will not have IP address-to-user mapping
information on the firewall.
• Select—Includes selected users as determined by the selection in this window. For example, you may
want to add one user, a list of individuals, some groups, or manually add users.
If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and
not from the User-ID™ agent, the list of users does not display; you must enter user information
manually.

Source Device (Configured In: Source): Add the host devices subject to the policy:
• any—Includes any device.
• no-hip—HIP information is not required. This setting enables access from third-party devices that
cannot collect or submit HIP information.
• quarantine—Includes any device that is in the quarantine list (Device > Device Quarantine).
• select—Includes selected devices as determined by your configuration. For example, you can add a
device object based on model, OS, OS family, or vendor.

Source HIP Profile (Configured In: Source): Add host information profiles (HIP) to enable you to
collect information about the security status of your end hosts, such as whether they have the latest
security patches and antivirus definitions installed. Using host information profiles for policy
enforcement enables granular security that ensures that the remote hosts accessing your critical
resources are adequately maintained and in adherence with your security standards before they are
allowed to access your network resources. The following source HIP profiles are supported:
• any—Includes any endpoint, regardless of HIP information.
• select—Includes selected HIP profiles as determined by your configuration. For example, you can add
one HIP profile, a list of HIP profiles, or you can add HIP profiles manually.
• no-hip—HIP information is not required. This setting enables access from third-party clients that
cannot collect or submit HIP information.

Source Subscriber (Configured In: Source): Add one or more source subscribers in a 5G or 4G network
using the following formats:
• Any
• (5G only) 5G Subscription Permanent Identifier (SUPI) including IMSI
• IMSI (14 or 15 digits)
• Range of IMSI values from 11 to 15 digits, separated by a hyphen
• IMSI prefix of six digits, with an asterisk (*) as a wildcard after the prefix
• EDL that specifies IMSIs

Source Equipment (Configured In: Source): Add one or more source equipment IDs in a 5G or 4G network
using the following formats:
• Any
• (5G only) 5G Permanent Equipment Identifier (PEI) including International Mobile Equipment Identity
(IMEI)
• IMEI (11 to 16 digits long)
• IMEI prefix of eight digits for Type Allocation Code (TAC)
• EDL that specifies IMEIs

Network Slice (Configured In: Source): Add one or more source network slices based on network slice
service type (SST) in a 5G network, as follows:
• Standardized (predefined) SST
  • eMBB (enhanced Mobile Broadband)—For faster speeds and high data rates, such as video streaming.
  • URLLC (Ultra-Reliable Low-Latency Communications)—For mission-critical applications that are
  sensitive to latency, such as critical IoT (healthcare, wireless payments, home control, and
  vehicle communication).
  • MIoT (Massive Internet of Things)—For example, smart metering, smart waste management,
  anti-theft, asset management, and location tracking.
• Network Slice SST - Operator-Specific—You name and specify the slice. The format of the slice name
is text followed by a comma (,) and a number (range is 128 to 255). For example, Enterprise Oil2,145.

Destination Zone (Configured In: Destination): Add destination zones (default is any). Zones must be
of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you have three different internal
zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination
zone, you can create one rule that covers all cases.
On intrazone rules, you cannot define a Destination Zone because these types of rules match only
traffic with a source and a destination within the same zone. To specify the zones that match an
intrazone rule, you need to specify only the Source Zone.

Destination Address (Configured In: Destination): Add destination addresses, address groups, or
regions (default is Any). Select from the drop-down or click Address object, Address Group, or Regions
(bottom of the drop-down) to specify address settings. Objects > Addresses and Objects > Address
Groups describe the types of address objects and address groups, respectively, that a Security policy
rule supports.
Selecting the Negate option applies the rule to destination addresses in the specified zone except
for the addresses specified.

Destination Device (Configured In: Destination): Add the host devices subject to the policy:
• any—Includes any device.
• quarantine—Includes any device that is in the quarantine list (Device > Device Quarantine).
• select—Includes selected devices as determined by your configuration. For example, you can add a
device object based on model, OS, OS family, or vendor.

Application (Configured In: Application): Add specific applications for the Security policy rule. If
an application has multiple functions, you can select the overall application or individual
functions. If you select the overall application, all functions are included and the application
definition is automatically updated as future functions are added.
If you are using application groups, filters, or containers in the Security policy rule, you can view
details of these objects by hovering over the object in the Application column, opening the
drop-down, and selecting Value. This allows you to view application members directly from the policy
without having to navigate to the Object tab.
Always specify one or more applications so that only applications you want on your network are
allowed, which reduces the attack surface and gives you greater control over network traffic. Don’t
set the application to any, which allows any application’s traffic and increases the attack surface.

Service (Configured In: Service/URL Category): Select the services that you want to limit to specific
TCP or UDP port numbers. Choose one of the following from the drop-down:
• any—The selected applications are allowed or denied on any protocol or port.
• application-default—The selected applications are allowed or denied only on their default ports
defined by Palo Alto Networks®. This option is recommended for allow policies because it prevents
applications from running on unusual ports and protocols which, if unintentional, can be a sign of
undesired application behavior and usage.
When you use this option, the firewall still checks for all applications on all ports, but
applications are allowed only on their default ports and protocols.
For most applications, use application-default to prevent the application from using non-standard
ports or exhibiting other evasive behaviors. If the default port for the application changes, the
firewall automatically updates the rule to the correct default port. For applications that use
non-standard ports, such as internal custom applications, either modify the application or create a
rule that specifies the non-standard ports and apply the rule only to the traffic that requires the
application.
• Select—Add an existing service or choose Service or Service Group to specify a new entry. (Or
select Objects > Services and Objects > Service Groups.)

URL Category (Configured In: Service/URL Category): Select URL categories for the security rule.
• Choose any to allow or deny all sessions regardless of the URL category.
• To specify a category, Add one or more specific categories (including custom categories) from the
drop-down. Select Objects > External Dynamic Lists to define custom categories.

Action Setting (Configured In: Actions): Select the Action the firewall takes on traffic that matches
the attributes defined in a rule:
• Allow (default)—Allows the matched traffic.
• Deny—Blocks matched traffic and enforces the default Deny Action defined for the application that
is denied. To view the deny action defined by default for an application, view the application
details (Objects > Applications).
Because the default deny action varies by application, the firewall could block the session and send
a reset for one application while it silently drops the session for another application.
• Drop—Silently drops the application. A TCP reset is not sent to the host or application unless you
select Send ICMP Unreachable.
• Reset client—Sends a TCP reset to the client-side device.
• Reset server—Sends a TCP reset to the server-side device.
• Reset both client and server—Sends a TCP reset to both the client-side and server-side devices.
• Send ICMP Unreachable—Available only for Layer 3 interfaces. When you configure a Security policy
rule to drop traffic or to reset the connection, the traffic does not reach the destination host. In
such cases, for all UDP traffic and for TCP traffic that is dropped, you can enable the firewall to
send an ICMP Unreachable response to the source IP address from where the traffic originated.
Enabling this setting allows the source to gracefully close or clear the session and prevents
applications from breaking.
To view the ICMP Unreachable Packet Rate configured on the firewall, view Session Settings (Device >
Setup > Session).
To override the default action defined on the predefined interzone and intrazone rules, see
Overriding or Reverting a Security Policy Rule.

Profile Setting (Configured In: Actions): To specify the additional checking that the firewall
performs on packets that match the Security policy rule, select individual Antivirus, Vulnerability
Protection, Anti-Spyware, URL Filtering, File Blocking, Data Filtering, WildFire Analysis, Mobile
Network Protection, and SCTP Protection profiles. To specify a profile group rather than individual
profiles, select the Profile Type to be Group and then select a Group Profile.
To define new profiles or profile groups, click New next to the appropriate profile or select New
Group Profile.
You can also attach Security Profiles (or profile groups) to the default rules.

Log Setting and Other Settings (Configured In: Actions): To generate entries in the local traffic log
for traffic that matches this rule, select the following options:
• Log At Session Start (disabled by default)—Generates a traffic log entry for the start of a
session.
Don’t enable Log at Session Start except for troubleshooting purposes or for tunnel session logs to
show active GRE tunnels in the ACC. Logging at the session end consumes fewer resources and
identifies the exact application if the application changes after a few packets, for example, from
facebook-base to facebook-chat.
• Log At Session End (enabled by default)—Generates a traffic log entry for the end of a session.
If the session start or end entries are logged, drop and deny entries are also logged.
• Log Forwarding Profile—To forward the local traffic log and threat log entries to remote
destinations, such as Panorama and syslog servers, select a Log Forwarding Profile.
The generation of threat log entries is determined by the Security Profiles. Define New log profiles
as needed (refer to Objects > Log Forwarding).
Create and enable Log Forwarding profiles to send logs to dedicated external storage devices. This
preserves the logs because the firewall has limited log storage space and when the space is consumed,
the firewall purges the oldest logs.
You can also modify the log settings on the default rules.
Specify any combination of the following options:
• Schedule—To limit the days and times when the rule is in effect, select a schedule from the
drop-down. Define New schedules as needed (refer to Settings to Control Decrypted SSL Traffic).
• QoS Marking—To change the Quality of Service (QoS) setting on packets matching the rule, select IP
DSCP or IP Precedence and enter the QoS value in binary form or select a predefined value from the
drop-down. For more information on QoS, refer to Quality of Service.
• Disable Server Response Inspection—Disables packet inspection from the server to the client. The
option is disabled by default.
For the best security posture, do not enable Disable Server Response Inspection. With this option
selected, the firewall only inspects the client-to-server flows. It does not inspect the
server-to-client flows and therefore cannot identify if there are any threats in these traffic flows.

Basics (Configured In: Rule Usage):
• Rule Created—Creation date and time of the rule.
• Last Edited—The last date and time the rule was edited.

Activity (Configured In: Rule Usage):
• Hit Count—The total number of times traffic matched (hit) the rule.
• First Hit—Time of the first rule match.
• Last Hit—Time of the last rule match.

Applications (Configured In: Rule Usage):
• Applications Seen—The number of applications the rule allows.
• Last App Seen—The number of days since the last new application (an application that wasn’t
previously seen) was seen on the rule.
• Compare Applications & Applications Seen—Click to compare the applications configured on the rule
against the applications seen on the rule. Use this tool to discover the applications that match the
rule and to add applications to the rule.

Traffic (past 30 days) (Configured In: Rule Usage):
• Bytes—The amount of traffic on the rule over the past 30 days in bytes.
A time period longer than 30 days would result in the oldest rules remaining at the top of the list
because they are likely to have the most cumulative traffic. This can result in newer rules being
listed below older rules even if the newer rules see heavy traffic.

Any (target all devices) (Configured In: Target; Panorama only): Enable (check) to push the policy
rule to all managed firewalls in the device group.

Devices (Configured In: Target; Panorama only): Select one or more managed firewalls associated with
the device group to push the policy rule to.

Tags (Configured In: Target; Panorama only): Add one or more tags to push the policy rule to managed
firewalls in the device group with the specified tag.

Target to all but these specified devices and tags (Configured In: Target; Panorama only): Enable
(check) to push the policy rule to all managed firewalls associated with the device group except for
the selected device(s) and tag(s).
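The first-match evaluation described in Security Policy Overview, the universal, intrazone and
interzone rule types, and the any versus application-default Service setting from the table above can
be checked with a small simulation before a rule is committed. The following Python script is an added
example, not code from the PAN-OS help or from Palo Alto Networks; the zones, rules and the
application default-port table in it are constructed sample data (on a firewall, the authoritative
application-default ports are those shown under Objects > Applications).

```python
"""Added example (not from the PAN-OS help): how a Security rulebase is
evaluated. Models first-match ordering, the universal / intrazone /
interzone rule types, App-ID matching, the any vs application-default
service setting, and the predefined intrazone-default (allow) and
interzone-default (deny) rules at the bottom. All rules, zones and the
default-port table below are constructed sample data."""
from dataclasses import dataclass
from typing import Tuple

ANY = "any"

# Sample application-default ports, constructed for this example; on a real
# firewall the authoritative values are in Objects > Applications.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ssh": {("tcp", 22)},
    "dns": {("udp", 53), ("tcp", 53)},
}


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    app: str      # App-ID identified for the session
    proto: str
    port: int


@dataclass
class Rule:
    name: str
    action: str                              # allow | deny | drop | reset-...
    rule_type: str = "universal"             # universal | intrazone | interzone
    src_zones: object = ANY                  # ANY or a set of zone names
    dst_zones: object = ANY                  # ANY or a set; ignored for intrazone
    apps: object = ANY                       # ANY or a set of App-IDs
    service: object = "application-default"  # ANY, "application-default", or a set of (proto, port)

    def zones_match(self, s: Session) -> bool:
        src_ok = self.src_zones == ANY or s.from_zone in self.src_zones
        dst_ok = self.dst_zones == ANY or s.to_zone in self.dst_zones
        if self.rule_type == "intrazone":   # source zones only; traffic must stay inside one
            return src_ok and s.from_zone == s.to_zone
        if self.rule_type == "interzone":   # never matches traffic within a single zone
            return src_ok and dst_ok and s.from_zone != s.to_zone
        return src_ok and dst_ok            # universal: both intra- and interzone

    def service_match(self, s: Session) -> bool:
        if self.service == ANY:
            return True
        if self.service == "application-default":
            return (s.proto, s.port) in APP_DEFAULT_PORTS.get(s.app, set())
        return (s.proto, s.port) in self.service

    def matches(self, s: Session) -> bool:
        app_ok = self.apps == ANY or s.app in self.apps
        return self.zones_match(s) and app_ok and self.service_match(s)


# Predefined rules that sit at the bottom of every Security rulebase.
DEFAULT_RULES = [
    Rule("intrazone-default", "allow", rule_type="intrazone", service=ANY),
    Rule("interzone-default", "deny", rule_type="interzone", service=ANY),
]


def evaluate(rulebase, session: Session) -> Tuple[str, str]:
    """Walk the rulebase top-down; the first matching rule decides."""
    for rule in list(rulebase) + DEFAULT_RULES:
        if rule.matches(session):
            return rule.name, rule.action
    raise AssertionError("the default rules cover every session")


def covered_zone_pairs(rule: Rule, zones):
    """(from, to) zone pairs a rule's type and zones cover, ignoring app and service."""
    return {(f, t) for f in zones for t in zones
            if rule.zones_match(Session(f, t, "web-browsing", "tcp", 80))}


# Constructed sample rulebase: the specific ssh deny precedes the general web allow.
RULEBASE = [
    Rule("block-ssh-out", "deny", src_zones={"trust"}, dst_zones={"untrust"}, apps={"ssh"}),
    Rule("allow-web-out", "allow", src_zones={"trust"}, dst_zones={"untrust"},
         apps={"web-browsing", "ssl"}),
    Rule("dmz-web-8080", "allow", src_zones={"untrust"}, dst_zones={"dmz"},
         apps={"web-browsing"}, service={("tcp", 8080)}),
]

if __name__ == "__main__":
    for s in (Session("trust", "untrust", "ssh", "tcp", 22),
              Session("trust", "untrust", "web-browsing", "tcp", 8080),
              Session("trust", "trust", "ssh", "tcp", 22)):
        print(s.app, s.from_zone, "->", s.to_zone, evaluate(RULEBASE, s))
```

Two things the simulation makes visible: web-browsing on tcp/8080 from trust to untrust is not covered
by the allow rule because application-default only admits the application's default port, so it falls
through to interzone-default and is denied; and placing a general allow-any rule above block-ssh-out
shadows the specific deny, which is why the help says more specific rules must precede general ones.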

Creating and Managing Policies


Select the Policies > Security page to add, modify, and manage security policies:

Add: Add a new policy rule or select a rule on which to base a new rule and Clone Rule. The copied
rule, “rulen”, is inserted below the selected rule, where n is the next available integer that makes
the rule name unique. For details on cloning, see Move or Clone a Policy Rule.

Modify: Select a rule to modify its settings.
If the rule is pushed from Panorama, the rule is read-only on the firewall and you cannot edit it
locally.
Override and Revert actions pertain only to the default rules displayed at the bottom of the Security
rulebase. These predefined rules—allow all intrazone traffic and deny all interzone traffic—instruct
the firewall about how to handle traffic that does not match any other rule in the rulebase. Because
they are part of the predefined configuration, you must Override them to edit select policy settings.
If you are using Panorama, you can also Override the default rules and then push them to firewalls in
a Device Group or Shared context. You can also Revert the default rules, which restores the
predefined settings or the settings pushed from Panorama. For details, see Overriding or Reverting a
Security Policy Rule.

Move: Rules are evaluated from the top down, in the order in which they are enumerated on the
Policies page. To change the order in which the rules are evaluated against network traffic, select a
rule and Move Up, Move Down, Move Top, Move Bottom, or Move to a different rulebase or device group.
For details, see Move or Clone a Policy Rule.

Copy UUID: Copy the UUID of the rule to the clipboard for use when searching the configuration or the
logs.

Delete: Select and Delete an existing rule.

Enable/Disable: To disable a rule, select and Disable it; to enable a rule that is disabled, select
and Enable it.

Monitor Rule Usage: To identify rules that have not been used since the last time the firewall was
restarted, Highlight Unused Rules. Unused rules have a dotted background. You can then decide whether
to Disable a rule or Delete it. Rules not currently in use are displayed with a dotted yellow
background. When policy rule hit count is enabled, the Hit Count data is used to determine whether a
rule is unused.
Each firewall maintains a traffic flag for the rules that have a match. Because the flag is reset
when a dataplane reset occurs on a reboot or a restart, it is best practice to monitor this list
periodically to determine whether the rule had a match since the last check before you delete or
disable it.

Reset rule Hit count: The Hit Count tracks the total traffic hits for the policy rule. The total
traffic hit count persists through reboot, upgrade, and data plane restart.
Alternatively, Reset Rule Hit Counter (bottom menu). To clear the hit count statistics, select All
Rules or select specific rules and reset hit count statistics only for the Selected rules.
View the First Hit to identify when the Security policy was first hit. The date is formatted as date
hh:mm:ss year. You cannot reset this value.
View the Last Hit to identify when the Security policy was last used. The date is formatted as date
hh:mm:ss year. You cannot reset this value.

Show/Hide columns: Show or hide the columns that display under Policies. Select the column name to
toggle the display.

Apply filters: To apply a filter to the list, select from the Filter Rules drop-down. To define a
filter, choose Filter from the item drop-down.
The default rules are not part of rulebase filtering and always show up in the list of filtered
rules.
To view the network sessions that were logged as matches against the policy, choose Log Viewer from
the rule name drop-down.
To display the current value, choose Value from the entry drop-down. You can also edit, filter, or
remove items directly from the column menu. For example, to view addresses included in an address
group, hover over the object in the Address column and select Value from the drop-down. This allows
you to quickly view the members and the corresponding IP addresses for the address group without
having to navigate to the Object tab.
To find objects used within a policy based on their name or IP address, use the filter. After you
apply the filter, you will see only the items that match the filter. The filter also works with
embedded objects. For example, when you filter on 10.1.4.8, only the policy that contains that
address is displayed.

Preview rules (Panorama only): Preview Rules to view a list of the rules before you push the rules to
the managed firewalls. Within each rulebase, the hierarchy of rules is visually demarcated for each
device group (and managed firewall) to make it easier to scan through a large number of rules.

Export Configuration Table: Administrative roles with a minimum of read-only access can export the
policy rulebase as PDF/CSV. You can apply filters to create more specific table configuration outputs
as needed, such as for audits. Only visible columns in the web interface will be exported. See
Configuration Table Export.

Highlight Highlight any policy rule with no traffic matches in the Rule Usage column.
Unused Rule

Group
Manage tag groups when you have the View Rulebase as Groups box checked. You can perform the following actions:
• Move rules in group to different rulebase or device group—Move the selected tag group to a different device group.
• Change group of all rules—Move the rules in the selected tag group to a different tag group in the rulebase.
• Delete all rules in group—Deletes all rules in the selected tag group.
• Clone all rules in group—Clones the rules in the selected tag group to a device group.

View Rulebase as Groups
View Rulebase as Groups to view the policy rulebase using the tag used in Group Rules by Tag. The visible policy rules are those which belong to the selected tag group.

Test Policy Match
Perform a test of the protection policies for the selected policy rulebase to verify that the correct traffic is denied and allowed.

Overriding or Reverting a Security Policy Rule


The default security rules—interzone-default and intrazone-default—have predefined settings that you
can override on a firewall or on Panorama. If a firewall receives the default rules from a device group, you
can also override the device group settings. The firewall or virtual system where you perform the override
stores a local version of the rule in its configuration. The settings you can override are a subset of the full
set (the following table lists the subset for security rules). For details on the default security rules, see
Policies > Security.
To override a rule, select Policies > Security on a firewall or Policies > Security > Default Rules on
Panorama. The Name column displays the inheritance icon ( ) for rules you can override. Select the rule,
click Override, and edit the settings in the following table.
To revert an overridden rule to its predefined settings or to the settings pushed from a Panorama device
group, select Policies > Security on a firewall or Policies > Security > Default Rules on Panorama. The
Name column displays the override icon ( ) for rules that have overridden values. Select the rule, click
Revert, and click Yes to confirm the operation.

Fields to Override a Default Security Rule

General Tab

Name
The Name that identifies the rule is read-only; you cannot override it.

Rule Type
The Rule Type is read-only; you cannot override it.


Description
The Description is read-only; you cannot override it.

Tag
Select Tags from the drop-down.
A policy tag is a keyword or phrase that enables you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you might want to tag certain security policies with Inbound to DMZ, tag specific decryption policies with the words Decrypt or No-decrypt, or use the name of a specific data center for policies associated with that location.

Actions Tab

Action Setting
Select the appropriate Action for traffic that matches the rule.
• Allow—(default) Allows the traffic.
• Deny—Blocks traffic and enforces the default Deny Action that is
defined for the application that the firewall is denying. To view the
deny action that is defined by default for an application, view the
application details in Objects > Applications.
• Drop—Silently drops the application. The firewall does not send a
TCP reset message to the host or application.
• Reset client—Sends a TCP reset message to the client-side device.
• Reset server—Sends a TCP reset message to the server-side
device.
• Reset both—Sends a TCP reset message to both the client-side and
server-side devices.

Profile Setting
Profile Type—Assign profiles or profile groups to the security rule:
• To specify the checking that the default security profiles perform,
select Profiles and then select one or more of the individual
Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering,
File Blocking, Data Filtering, WildFire Analysis, SCTP Protection,
and Mobile Network Protection profiles.
• To assign a profile group rather than individual profiles, select
Group and then select a Group Profile from the drop-down.
• To define new profiles ( Objects > Security Profiles) or profile
groups, click New in the drop-down for the corresponding profile
or group profile.

Log Setting
Specify any combination of the following options:
• Log Forwarding—To forward the local traffic log and threat log
entries to remote destinations, such as Panorama and syslog
servers, select a Log Forwarding profile from the drop-down.
Security profiles determine the generation of Threat log entries.
To define a new Log Forwarding profile, select Profile in the drop-
down (see Objects > Log Forwarding).
• To generate entries in the local traffic log for traffic that matches
this rule, select the following options:

• Log at Session Start—Generates a traffic log entry for the start
of a session (selected by default).
• Log at Session End—Generates a traffic log entry for the end of
a session (cleared by default).

If you configure the firewall to include session start or session end entries in the Traffic log, it will also include drop and deny entries.

Applications and Usage


• Policies > Security > Policy Optimizer > New App Viewer and then click the number in Apps Seen or
click Compare.

You must have a SaaS Inline Security subscription to see the New App Viewer in the
interface. The New App Viewer includes cloud-delivered applications in addition to
content-delivered applications and if you don’t have a SaaS Inline Security subscription,
you don’t receive cloud-delivered applications.
• Policies > Security > Policy Optimizer > Rules Without App Controls and then click the number in Apps
Seen or click Compare.
• Policies > Security > Policy Optimizer > Unused Apps and then click the number in Apps Seen or click
Compare.
• Policies > Security and then click the number in Apps Seen
On the Usage tab of the Security policy rule, you can also Compare Applications & Applications Seen to
access tools that help you to migrate from port-based Security policy rules to application-based Security
policy rules and to eliminate unused applications from rules in Applications & Usage.


Timeframe
The time period for the application information:
• Anytime—Displays applications seen over the lifetime of the
rule.
• Past 7 days—Displays only applications seen over the last 7
days.
• Past 15 days—Displays only applications seen over the last 15
days.
• Past 30 days—Displays only applications seen over the last 30
days.

Apps on Rule
The applications configured on the rule or Any if no specific applications are configured on the rule. You can Browse, Add, and Delete applications as needed, and when applications are configured on a rule, the circled number next to Apps on Rule indicates how many. Adding applications from this location is the same as adding applications on the Security policy rule Application tab.


Apps Seen
All applications seen and allowed on the firewall that matched
the rule. The number next to Apps Seen indicates how many
applications were seen on the rule.
• Applications—The applications seen on the rule. For example,
if a rule allows web-browsing traffic (as seen in Apps on Rule),
you may see many applications in the Apps Seen list because
there are many applications identified as web-browsing.
• Subcategory—The subcategory of the application.
• Risk—The risk rating of the application.
• First Seen—The first day the application was seen on the
network.
• Last Seen—The most recent day the application was seen on
the network.

The granularity of measurement for First Seen and Last Seen is one day, so on the day you define a rule, First Seen and Last Seen are the same day.
• Traffic (30 days)—The amount of traffic in bytes seen during
the last 30-day period.

A longer time period would result in the oldest rules remaining at the top of the list because they are likely to have the most cumulative traffic. This can result in newer rules being listed below older rules even if the newer rules see heavy traffic.

Apps Seen Actions
Actions you can perform on Apps Seen:
• Create Cloned Rule—Clones the current rule. When migrating
from port-based rules to application-based rules, clone the
port-based rule first and then edit the clone to create the
application-based rule that allows the traffic. The cloned rule
is inserted above the port-based rule in the policy list. Use
this migration method to ensure that you don’t inadvertently
deny traffic that you want to allow—if the cloned rule doesn’t
allow all the applications you need, the port-based rule that
follows allows them. Monitor the port-based rule and adjust
the (cloned) application-based rule as needed. When you’re
sure the application-based rule allows the traffic you want and
only unwanted traffic filters through to the port-based rule,
you can safely remove the port-based rule.
Cloning offers similar advantages for applications seen in the
New App Viewer and enables you to move newly identified
cloud applications as well as content-provided applications
into Security policy rules that enable you to control the
application and access.
You can select adding applications to a cloned rule individually,
in an Application Group, or in an Application Filter.

• Add to This Rule (Not available for New App Viewer)—Adds
applications from Apps Seen to the rule. Adding applications to
the rule transforms a rule configured to match Any application
(a port-based rule) to an application-based rule that allows
the applications you specify (the new application-based rule
replaces the port-based rule). The rule denies any applications
that you don’t add just as with any other application-based
rule. Be sure to identify all applications you want to allow
and add them to the rule so you don’t accidentally deny an
application.
• Add to Existing Rule—Adds applications from Apps Seen to
an existing application-based (App-ID) rule. For example, this
enables you to clone an App-ID-based rule from a port-based
rule and then add more applications seen on port-based rules
to that App-ID rule later.
For applications seen in the New App Viewer, you can
organize newly identified cloud-based and content-based
applications into sensible Security policy rules as new apps are
discovered.
You can select adding applications to an existing rule
individually, in an Application Group, or in an Application Filter.
• Match Usage (Not available for New App Viewer)—Moves all
Apps Seen into the rule (they are listed under Apps on Rule
after you Match Usage). If you are certain that the rule should
allow all listed applications, Match Usage is very convenient.
However, you must be certain that all listed applications are
applications you want to allow on your network. If many
applications have been seen on the rule (for example, on a
rule that allows web-browsing), it’s better to clone the rule
and transition to an application-based rule. Match Usage
works well for simple rules with well-known applications. For
example, if a port-based rule for port 22 has only seen SSH
traffic (and that’s all it should see), it’s safe to Match Usage.
The Clone, Add to Rule, and Add Apps to Existing Rule dialogs
help to ensure that applications don’t break and enable you to
future-proof the rule by including relevant individual applications
that are related to the applications you’re cloning or adding to a
rule.

Create Cloned Rule > Applications
Add to This Rule
Add to Existing Rule > Applications
Select applications and then clone or add individual applications to a rule:
• Name (Clone and Add Apps to Existing Rule dialogs only).
• Clone: Enter the name of the new cloned rule.
• Add Apps to Existing Rule: Select the rule to which to add applications or enter the name of the rule.
• Applications:
• Add container app (default): Selects all apps in the
container, apps seen on the rule, and container apps that
have not been seen on the rule. Future apps seen for the

container will match the rule, thus future-proofing it as the
app changes.
• Add specific apps seen: Selects only apps that have actually
been seen on the rule. (You can also manually select
container apps and functional apps.)
• Application:
• The selected applications seen on the rule, highlighted
green.
• Container apps, highlighted gray, with their functional
applications listed below.
• Functional applications in a container that have been seen
on the rule but were not selected in Applications & Usage
(not highlighted).
• Functional applications in a container that has not been
seen on the rule (italicized).
• The date applications were Last Seen on the rule.
• Dependent Applications:
• Applications required for the selected applications to run.
• Depends On—The dependent applications that the selected
applications require to run.
• Required By—The application that requires the dependent
application. (Sometimes a dependent application has
dependent applications.)

Create Cloned Rule > Application Group
Add to Existing Rule > Application Group
Select applications and then clone or add applications to a rule in an Application Group in the Create Cloned Rule or Add Apps to Existing Rule dialog box:
• Cloned Rule Name or Name:
• Cloned Rule Name: Enter the name of the new cloned rule.
• Name: Select the rule to which to add the Application
Group or enter the name of the rule.
• Policy Action (Cloned rule only)—Select whether to allow or
deny the traffic in the cloned rule.
• Add to Application Group—Select an existing group or type a
new name to create a new Application Group.
• Applications:
• Add container app (default): Selects all apps in the
container, apps seen on the rule, and container apps that
have not been seen on the rule. Future apps seen for the
container will match the rule, thus future-proofing it as the
app changes.
• Add specific apps seen: Selects only apps that have actually
been seen on the rule. (You can also manually select
container apps and functional apps.)
• Application:
• The selected applications seen on the rule, highlighted
green.

• Container apps, highlighted gray, with their functional
applications listed below.
• Functional applications in a container that have been seen
on the rule but were not selected in Applications & Usage
(not highlighted).
• Functional applications in a container that has not been
seen on the rule (italicized).
• The date applications were Last Seen on the rule.
• Dependent Applications:
• Applications required for the selected applications to run.
• Depends On—The dependent applications that the selected
applications require to run.
• Required By—The application that requires the dependent
application. (Sometimes a dependent application has
dependent applications.)

Create Cloned Rule > Application Filter
Add to Existing Rule > Application Filter
Select applications and then clone or add applications to a rule in an Application Filter in the Create Cloned Rule or Add Apps to Existing Rule dialog box:
• Cloned Rule Name or Existing Rule Name:
• Cloned Rule Name: Enter the name of the new cloned rule.
• Existing Rule Name: Select the rule to which to add the
Application Filter or enter the name of the rule.
• Policy Action (Cloned rule only)—Select whether to allow or
deny the traffic in the cloned rule.
• Application Filter Name—Select an existing filter or type a new
name to create a new Application Filter.
The Application Filter works the same way as Objects >
Application Filters (see Create an Application Filter). You can
filter cloud-based (with a SaaS Inline Security subscription) and
content-based applications and add them to existing or new
filters.
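The migration the Apps Seen Actions describe (clone an App-ID rule above the port-based rule, watch what still falls through, then remove the port-based rule or use Match Usage) depends on first-match rule evaluation. The model below is an added example, not PAN-OS or Palo Alto Networks code; the rule names, application names, service names and the session sample are constructed for illustration.

```python
"""Added example (not PAN-OS or Palo Alto Networks code): a model of first-match
Security policy evaluation used to check the Create Cloned Rule migration the
Apps Seen Actions describe. Rule names, application names, service names and
the session sample are constructed for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    service: set[str]       # e.g. {"tcp/22"}; {"any"} matches every service
    applications: set[str]  # {"any"} makes this a port-based rule
    action: str = "allow"

    def matches(self, app: str, service: str) -> bool:
        svc_ok = "any" in self.service or service in self.service
        app_ok = "any" in self.applications or app in self.applications
        return svc_ok and app_ok


@dataclass(frozen=True)
class Session:
    app: str      # App-ID the firewall identified for the session
    service: str  # protocol/port the session used


def first_match(rulebase: list[Rule], s: Session) -> Rule | None:
    """Rules are compared in order; the first rule that matches is applied."""
    return next((r for r in rulebase if r.matches(s.app, s.service)), None)


def apps_seen(rulebase: list[Rule], sessions: list[Session]) -> dict[str, set[str]]:
    """Per-rule set of allowed applications that matched, like the Apps Seen column."""
    seen = defaultdict(set)
    for s in sessions:
        rule = first_match(rulebase, s)
        if rule is not None and rule.action == "allow":
            seen[rule.name].add(s.app)
    return dict(seen)


def clone_above(rulebase: list[Rule], port_rule: str, clone_name: str,
                apps: set[str]) -> list[Rule]:
    """Create Cloned Rule: insert the App-ID clone directly above the port-based
    rule so that anything the clone does not allow still falls through to it."""
    out: list[Rule] = []
    for r in rulebase:
        if r.name == port_rule:
            out.append(Rule(clone_name, set(r.service), set(apps), r.action))
        out.append(r)
    return out


def fall_through(rulebase: list[Rule], sessions: list[Session], port_rule: str) -> set[str]:
    """Applications still reaching the port-based rule once the clone is in place."""
    return apps_seen(rulebase, sessions).get(port_rule, set())


def port_rule_safe_to_remove(rulebase: list[Rule], sessions: list[Session],
                             port_rule: str, intended: set[str]) -> bool:
    """The page's removal condition: only unwanted traffic filters through."""
    return fall_through(rulebase, sessions, port_rule).isdisjoint(intended)


def match_usage_ok(rulebase: list[Rule], sessions: list[Session],
                   rule: str, intended: set[str]) -> bool:
    """Match Usage moves every app seen into the rule, so it is only sensible
    when all of them are applications you intend to allow."""
    return apps_seen(rulebase, sessions).get(rule, set()) <= intended


# Constructed sample: a port-based rule on tcp/22 that has seen SSH plus one
# unidentified application using the same port.
PORT_RULEBASE = [Rule("allow-ssh-port", {"tcp/22"}, {"any"})]
SAMPLE_SESSIONS = [Session("ssh", "tcp/22"), Session("ssh", "tcp/22"),
                   Session("unknown-tcp", "tcp/22")]
MIGRATED = clone_above(PORT_RULEBASE, "allow-ssh-port", "allow-ssh-appid", {"ssh"})

if __name__ == "__main__":
    print(apps_seen(MIGRATED, SAMPLE_SESSIONS))
    print(port_rule_safe_to_remove(MIGRATED, SAMPLE_SESSIONS, "allow-ssh-port", {"ssh"}))
```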

Security Policy Optimizer


• Policies > Security > Policy Optimizer
Policies > Security > Policy Optimizer displays:
• New App Viewer—New cloud applications downloaded from the Application Control Engine if the
firewall has a SaaS Security subscription.
• Rules Without App Controls—Rules that have the application set to any, so you can identify port-based
rules to convert to application-based rules.
• Unused Apps—Rules that include applications that have never matched the rule.
• Rule Usage—Rule usage information over different periods of time, including rules not used over
different periods of time.


Name
The name of the Security policy rule.

Service
Any services associated with the Security policy rule.

Traffic (Bytes, 30 days)
The amount of traffic in bytes seen during the last 30-day period.
A longer time period would result in the oldest rules remaining at the top of the list because they are likely to have the most cumulative traffic. This can result in newer rules being listed below older rules even if the newer rules see heavy traffic.

Apps Allowed
The applications that the rule allows. Open the Application dialog, from which you can add and delete applications on the rule.

Application (New App Viewer only)
The applications that the rule allows.

Apps Seen
The number of applications seen on the rule. Click the number to open the Applications & Usage dialog, which enables you to compare the applications configured on the rule against the applications seen on the rule and to modify the applications.

Day with No New Apps
The number of days since the last new application was seen on the rule.

Compare
Opens the Applications & Usage dialog to compare the applications configured on the rule against the applications seen on the rule and modify the rule.

(Rule Usage) Last Hit
The most recent time that traffic matched the rule.

(Rule Usage) First Hit
The first time that traffic matched the rule.

(Rule Usage) Hit Count
The number of times that traffic matched the rule.

Modified
The date and time that the rule was last modified.

Created
The date and time that the rule was created.

Timeframe
The time period (number of days) for which data is displayed.

Usage
Displays:
• Any (all) rules on the firewall over the specified Timeframe, regardless of whether traffic matched the rules (used rules) or not (unused rules).
• Unused rules that traffic has not matched over the specified Timeframe.
• Used rules that traffic has matched over the specified Timeframe.


Exclude rules reset during the last xx days
Does not display rules for which you Reset Rule Hit Counter within the specified number of days (from 1-5,000 days). For example, this enables you to examine older rules that have not matched traffic over a Timeframe while excluding newer rules that may not have had time to match traffic.

Reset Date
The last date on which the rule’s hit counter was reset.

Policies > NAT
If you define Layer 3 interfaces on the firewall, you can configure a Network Address Translation (NAT)
policy to specify whether source or destination IP addresses and ports are converted between public and
private addresses and ports. For example, private source addresses can be translated to public addresses on
traffic sent from an internal (trusted) zone to a public (untrusted) zone. NAT is also supported on virtual wire
interfaces.
NAT rules are based on source and destination zones, source and destination addresses, and application
service (such as HTTP). Like security policies, NAT policy rules are compared against incoming traffic in
sequence, and the first rule that matches the traffic is applied.
As needed, add static routes to the local router so that traffic to all public addresses is routed to the firewall.
You may also need to add static routes to the receiving interface on the firewall to route traffic back to the
private address.
The following tables describe the NAT and NPTv6 (IPv6-to-IPv6 Network Prefix Translation) settings:
• NAT Policies General Tab
• NAT Original Packet Tab
• NAT Translated Packet Tab
• NAT Active/Active HA Binding Tab
• (Panorama only) NAT Target Tab
Looking for more?
See NAT

NAT Policies General Tab


• Policies > NAT > General
Select the General tab to configure a name and description for the NAT or NPTv6 policy. You can configure
a tag to allow you to sort or filter policies when many policies exist. Select the type of NAT policy you are
creating, which affects which fields are available on the Original Packet and Translated Packet tabs.

NAT Rule - General Settings

Name
Enter a name to identify the rule. The name is case-sensitive and can have up to 63 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description
Enter a description for the rule (up to 1024 characters).

Tag
If you want to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword.

Group Rules by Tag
Enter a tag with which to group similar policy rules. The group tag allows you to view your policy rule base based on these tags. You can group rules based on a Tag.


NAT Type
Specify the type of translation:
• ipv4—translation between IPv4 addresses.
• nat64—translation between IPv6 and IPv4 addresses.
• nptv6—translation between IPv6 prefixes.
You cannot combine IPv4 and IPv6 address ranges in a single NAT rule.

Audit Comment
Enter a comment to audit the creation or editing of the policy rule. The audit comment is case-sensitive and can have up to 256 characters, which can be letters, numbers, spaces, hyphens, and underscores.

Audit Comment Archive
View previous Audit Comments for the policy rule. You can export the Audit Comment Archive in CSV format.

NAT Original Packet Tab


• Policies > NAT > Original Packet
Select the Original Packet tab to define the source and destination zones of packets that the firewall will
translate and, optionally, specify the destination interface and type of service. You can configure multiple
source and destination zones of the same type and you can apply the rule to specific networks or specific IP
addresses.

NAT Rule - Original Packet Settings

Source Zone / Destination Zone
Select one or more source and destination zones for the original (non-NAT) packet (default is Any). Zones must be of the same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to Network > Zones.
You can specify multiple zones to simplify management. For example, you can configure settings so that multiple internal NAT addresses are directed to the same external IP address.

Destination Interface
Specify the destination interface of packets the firewall translates. You can use the destination interface to translate IP addresses differently in the case where the network is connected to two ISPs with different IP address pools.

Service
Specify the service for which the firewall translates the source or destination address. To define a new service group, select Objects > Service Groups.

Source Address / Destination Address
Specify a combination of source and destination addresses for the firewall to translate.
For NPTv6, the prefixes configured for Source Address and Destination Address must be in the format xxxx:xxxx::/yy. The address cannot have an interface identifier (host) portion defined. The range of supported prefix lengths is /32 to /64.

NAT Translated Packet Tab
• Policy > NAT > Translated Packet
For Source Address Translation, select the Translated Packet tab to determine the type of translation to
perform on the source, the address, and possibly the port to which the source is translated.
You can also enable Destination Address Translation for an internal host to make it accessible by a public IP
address. In this case, you define a public source address and destination address in the Original Packet tab
for an internal host and, on the Translated Packet tab, you configure Static IP or Dynamic IP (with session
distribution) and enter the Translated Address. Then, when the public address is accessed, it is translated to
the internal (destination) address of the internal host.

NAT Rule - Translated Packet Settings

Source Address Translation
Select the Translation Type (dynamic or static address pool) and enter an IP address or address range (address1—address2) to which the source address is translated (Translated Address). The size of the address range is limited by the type of address pool:
• Dynamic IP and Port—Address selection is based on a hash of the source IP
address. For a given source IP address, the firewall uses the same translated
source address for all sessions. Dynamic IP and Port (DIPP) source NAT supports
approximately 64,000 concurrent sessions on each IP address in the NAT pool.
Some models support oversubscription, which allows a single IP to host more
than 64,000 concurrent sessions.
Palo Alto Networks® DIPP NAT supports more NAT sessions than are supported
by the number of available IP addresses and ports. With oversubscription, the
firewall can use IP address and port combinations two times simultaneously on
PA-220, PA-820, PA-850, VM-50, VM-300, and VM-1000-HV firewalls, four
times simultaneously on PA-5220 firewall and PA-3200 Series firewalls, and
eight times simultaneously on PA-5250, PA-5260, PA-5280, PA-7050, PA-7080,
VM-500, and VM-700 firewalls when destination IP addresses are unique.
• Dynamic IP—Translates to the next available address in the specified range but
the port number remains unchanged. Up to 32,000 consecutive IP addresses are
supported. A dynamic IP pool can contain multiple subnets, so you can translate
your internal network addresses to two or more separate public subnets.
• Advanced (Dynamic IP/Port Fallback)—Use this option to create a fallback pool
that performs IP and port translation and is used if the primary pool runs out
of addresses. You can define addresses for the pool by using the Translated
Address option or the Interface Address option; the latter option is for interfaces
that receive an IP address dynamically. When creating a fallback pool, make sure
addresses do not overlap with addresses in the primary pool.

• Static IP—The same address is always used for the translation and the port is
unchanged. For example, if the source range is 192.168.0.1—192.168.0.10
and the translation range is 10.0.0.1—10.0.0.10, address 192.168.0.2 is always
translated to 10.0.0.2. The address range is virtually unlimited.
You must use Static IP translation for NPTv6 Source Address Translation. For
NPTv6, the prefixes configured for Translated Address must be in the format
xxxx:xxxx::/yy and the address cannot have an interface identifier (host) portion
defined. The range of supported prefix lengths is /32 to /64.

• None—Translation is not performed.

Bi-directional
(Optional) Enable bidirectional translation for a Static IP source address translation if you want the firewall to create a corresponding translation (NAT or NPTv6) in the opposite direction of the translation you configure.
If you enable bidirectional translation, you must ensure that you have security policies in place to control the traffic in both directions. Without such policies, the bidirectional feature allows packets to be translated automatically in both directions.

Destination Address Translation
Configure the following options to have the firewall perform destination NAT. You typically use Destination NAT to allow an internal server, such as an email server, to be accessible from the public network.

Translation Type and Translated Address
Select the type of translation the firewall performs on the destination address:
• None (default)
• Static IP—Enter a Translated Address as an IP address or range of IP addresses
and a Translated Port number (1 to 65535) to which the original destination
address and port number are translated. If the Translated Port field is blank, the
destination port is not changed.
For NPTv6, the prefixes configured for the Destination prefix Translated
Address must be in the format xxxx:xxxx::/yy. The address cannot have an
interface identifier (host) portion defined. The range of supported prefix lengths
is /32 to /64.

Translated Port is not supported for NPTv6 because NPTv6 is strictly prefix translation. The Port and Host address section is simply forwarded unchanged.

Static IP translation for IPv4 also allows you to Enable DNS Rewrite (described below).
• Dynamic IP (with session distribution)—Select or enter a Translated Address
that is an FQDN, an address object, or an address group from which the firewall
selects the translated address. If the DNS server returns more than one address
for an FQDN or if the address object or address group translates into more than
one IP address, the firewall distributes sessions among those addresses using the
specified Session Distribution Method.

Session Distribution Method
If you select Dynamic IP (with session distribution) as the destination NAT translation type, the destination translated address (an FQDN, address object, or address group) can resolve to more than one address. You can choose how the firewall distributes (assigns) sessions among those addresses to provide more balanced session distribution:
• Round Robin—(default) Assigns new sessions to IP addresses in rotating order.
Unless your environment dictates that you choose one of the other distribution
methods, use this method.

• Source IP Hash—Assigns new sessions based on a hash of source IP addresses. If
you have incoming traffic from a single source IP address, then select a method
other than Source IP Hash.
• IP Modulo—The firewall takes into consideration the source and destination IP
address from the incoming packet; the firewall performs an XOR operation and a
modulo operation; the result determines to which IP address the firewall assigns
new sessions.
• IP Hash—Assigns new sessions using a hash of the source and destination IP
addresses.
• Least Sessions—Assigns new sessions to the IP address that has the fewest
concurrent sessions. If you have many short-lived sessions, Least Sessions
provides you with a more balanced distribution of sessions.

Enable DNS Rewrite
In PAN-OS 9.0.2 and later 9.0 releases, if the destination NAT policy rule type is ipv4 and the destination address translation type is Static IP, the Enable DNS Rewrite option is available. You can enable DNS rewrite if you use destination
NAT and also use DNS services on one side of the firewall to resolve FQDNs for
a client on the other side of the firewall. When the DNS response traverses the
firewall, the firewall rewrites the IP address in the DNS response, relative to the
original destination address or translated destination address that the DNS response
matches in the NAT policy rule. A single NAT policy rule has the firewall perform
NAT on packets that match the rule and perform NAT on IP addresses in DNS
responses that match the rule. You must specify how the firewall performs NAT on
an IP address in a DNS response relative to the NAT rule—reverse or forward:
• reverse—(default) If the packet is a DNS response that matches the translated
destination address in the rule, translate the DNS response using the reverse
translation that the rule uses. For example, if the rule translates 1.1.1.10 to
192.168.1.10, the firewall rewrites a DNS response of 192.168.1.10 to 1.1.1.10.
• forward—If the packet is a DNS response that matches the original destination
address in the rule, translate the DNS response using the same translation
the rule uses. For example, if the rule translates 1.1.1.10 to 192.168.1.10, the
firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.
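The reverse and forward rewrite directions above, modelled in Python as an added example (not Palo Alto Networks code) using the text's own sample rule (1.1.1.10 translated to 192.168.1.10). Treating the rule's original and translated addresses as equally sized ranges mapped by offset is an assumption that goes beyond the single-host example in the text.

```python
# Added example, not PAN-OS code: one static destination NAT rule translating
# packets and rewriting IP addresses in DNS responses in either direction.
import ipaddress


class StaticDnatRule:
    def __init__(self, original: str, translated: str, dns_rewrite: str = "reverse"):
        # A bare host address becomes a /32 (or /128) network.
        self.original = ipaddress.ip_network(original, strict=False)
        self.translated = ipaddress.ip_network(translated, strict=False)
        if self.original.num_addresses != self.translated.num_addresses:
            raise ValueError("static NAT needs equally sized original/translated ranges")
        if dns_rewrite not in ("reverse", "forward"):
            raise ValueError("dns_rewrite must be 'reverse' or 'forward'")
        self.dns_rewrite = dns_rewrite

    @staticmethod
    def _map(addr: str, src_net, dst_net):
        """Map addr from src_net to the address at the same offset in dst_net,
        or return None when addr is not in src_net (no match, leave it alone)."""
        ip = ipaddress.ip_address(addr)
        if ip not in src_net:
            return None
        offset = int(ip) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def translate_packet_dst(self, dst: str) -> str:
        """Packet NAT: original destination -> translated destination."""
        return self._map(dst, self.original, self.translated) or dst

    def rewrite_dns_answer(self, answer: str) -> str:
        """DNS rewrite for a single A/AAAA answer that traverses the firewall."""
        if self.dns_rewrite == "reverse":
            # Answer matches the translated address: apply the reverse translation.
            return self._map(answer, self.translated, self.original) or answer
        # forward: answer matches the original address: apply the same translation.
        return self._map(answer, self.original, self.translated) or answer

    def rewrite_dns_response(self, answers):
        """Rewrite every answer in a response; non-matching answers pass unchanged."""
        return [self.rewrite_dns_answer(a) for a in answers]


if __name__ == "__main__":
    rule = StaticDnatRule("1.1.1.10", "192.168.1.10")            # reverse (default)
    print(rule.translate_packet_dst("1.1.1.10"))                 # 192.168.1.10
    print(rule.rewrite_dns_response(["192.168.1.10", "198.51.100.3"]))
    fwd = StaticDnatRule("1.1.1.10", "192.168.1.10", "forward")
    print(fwd.rewrite_dns_answer("1.1.1.10"))                    # 192.168.1.10
```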

NAT Active/Active HA Binding Tab


• Policies > NAT > Active/Active HA Binding
The Active/Active HA Binding tab is available only if the firewall is in a high availability (HA) active/active
configuration. In this configuration, you must bind each source NAT rule (whether static or dynamic NAT)
to Device ID 0 or Device ID 1; you must bind each destination NAT rule to either Device ID 0, Device ID 1,
both (Device ID 0 and Device ID 1), or to the active-primary firewall.
Select an Active/Active HA Binding setting to bind the NAT rule to an HA firewall as follows:
• 0—Binds the NAT rule to the firewall that has HA Device ID 0.
• 1—Binds the NAT rule to the firewall that has HA Device ID 1.
• both—Binds the NAT rule to both the firewall that has HA Device ID 0 and the firewall that has HA
Device ID 1. This setting does not support Dynamic IP or Dynamic IP and Port NAT.
• primary—Binds the NAT rule to the firewall that is in HA active-primary state. This setting does not
support Dynamic IP or Dynamic IP and Port NAT.

You typically configure device-specific NAT rules when the two HA peers have unique NAT IP address
pools.
When the firewall creates a new session, the HA binding determines which NAT rules the session can
match. The binding must include the session owner for the rule to match. The session setup firewall
performs the NAT rule matching but the session is compared to NAT rules that are bound to the session
owner and translated according to one of the rules. For device-specific rules, the firewall skips all NAT
rules that are not bound to the session owner. For example, suppose the firewall with Device ID 1 is the
session owner and the session setup firewall. When Device ID 1 attempts to match a session to a NAT rule,
it ignores all rules bound to Device ID 0.
If one peer fails, the second peer continues to process traffic for the synchronized sessions from the
failed peer, including NAT translations. Palo Alto Networks recommends you create a duplicate NAT
rule that is bound to the second Device ID. Therefore, there are two NAT rules with the same source
translation addresses and the same destination translation addresses—one rule bound to each Device ID.
This configuration allows the HA peer to perform new session setup tasks and perform NAT rule matching
for NAT rules that are bound to its Device ID. Without a duplicate NAT rule, the functioning peer will try to
perform the NAT policy match but the session won’t match the firewall’s own device-specific rules and the
firewall skips all other NAT rules that are not bound to its Device ID.
Looking for more?
See NAT in Active/Active HA Mode
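The binding-aware rule matching described above, as an added Python example that is not Palo Alto Networks code: it shows the session-setup peer skipping rules not bound to the session owner, the failover case with and without the recommended duplicate rule, and the binding restriction for dynamic NAT types. Rule fields, zone names and the session dictionary are constructed for illustration.

```python
# Added example, not PAN-OS code: NAT rule matching under active/active HA binding.
from dataclasses import dataclass

DYNAMIC_TYPES = ("dynamic-ip", "dynamic-ip-and-port")


@dataclass
class NatRule:
    name: str
    src_zone: str      # "any" or a zone name
    nat_type: str      # "static-ip", "dynamic-ip" or "dynamic-ip-and-port"
    ha_binding: str    # "0", "1", "both" or "primary"
    translated: str    # translated address (constructed)


def validate_binding(rule: NatRule) -> None:
    """'both' and 'primary' do not support Dynamic IP or Dynamic IP and Port."""
    if rule.ha_binding not in ("0", "1", "both", "primary"):
        raise ValueError(f"{rule.name}: unknown HA binding {rule.ha_binding}")
    if rule.ha_binding in ("both", "primary") and rule.nat_type in DYNAMIC_TYPES:
        raise ValueError(f"{rule.name}: binding {rule.ha_binding} not supported for {rule.nat_type}")


def binding_is_valid(rule: NatRule) -> bool:
    try:
        validate_binding(rule)
        return True
    except ValueError:
        return False


def bound_to_owner(rule: NatRule, session_owner: int, active_primary: int) -> bool:
    """True if the rule's binding includes the session owner."""
    if rule.ha_binding == "both":
        return True
    if rule.ha_binding == "primary":
        return session_owner == active_primary
    return rule.ha_binding == str(session_owner)


def match_nat_rule(rules, session, session_owner, active_primary):
    """First rule the session matches among those bound to the session owner.
    The session setup firewall evaluates the rulebase but skips every rule
    that is not bound to the owner, so a device-specific rule for the other
    Device ID never matches."""
    for rule in rules:
        validate_binding(rule)
        if not bound_to_owner(rule, session_owner, active_primary):
            continue
        if rule.src_zone in ("any", session["src_zone"]):
            return rule
    return None


def duplicate_for_peer(rule: NatRule, peer_id: int) -> NatRule:
    """The recommended duplicate: same translation, bound to the other Device ID."""
    return NatRule(f"{rule.name}-dev{peer_id}", rule.src_zone, rule.nat_type,
                   str(peer_id), rule.translated)


# Constructed rulebase: a DIPP source NAT rule bound only to Device ID 0.
RULES_SINGLE = [NatRule("trust-out", "trust", "dynamic-ip-and-port", "0", "203.0.113.10")]
RULES_DUPLICATED = RULES_SINGLE + [duplicate_for_peer(RULES_SINGLE[0], 1)]
SESSION = {"src_zone": "trust", "dst_zone": "untrust"}

if __name__ == "__main__":
    # Device 0 failed; Device 1 now owns and sets up new sessions.
    print(match_nat_rule(RULES_SINGLE, SESSION, session_owner=1, active_primary=1))      # None
    print(match_nat_rule(RULES_DUPLICATED, SESSION, session_owner=1, active_primary=1))  # dev1 rule
```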

NAT Target Tab


• (Panorama only) Policies > NAT > Target
Select the Target tab to select which managed firewalls in the device group to push the policy rule to. You
can specify which managed firewalls to push to by selecting the managed firewalls or by specifying a tag.
Additionally, you can configure the policy rule target to push to all managed firewalls except for those
specified.

NAT Rule - Target Settings Description

Any (target all devices) Enable (check) to push the policy rule to all managed firewalls in the device group.

Devices Select one or more managed firewalls associated with the device group to push the
policy rule to.

Tags Add one or more tags to push the policy rule to managed firewalls in the device
group with the specified tag.

Target to all but these specified devices and tags Enable (check) to push the policy rule to all managed
firewalls associated with the device group except for the selected device(s) and tag(s).

Policies > QoS
Add QoS policy rules to define the traffic that receives specific QoS treatment and assign a QoS class
for each QoS policy rule to specify that the assigned class of service applies to all traffic matched to the
associated rule as it exits a QoS-enabled interface.
QoS policy rules pushed to a firewall from Panorama are shown in orange and cannot be edited at the
firewall level.
Additionally, to fully enable the firewall to provide QoS:
Set bandwidth limits for each QoS class of service (select Network > Network Profiles > QoS to add or
modify a QoS profile).
Enable QoS on an interface (select Network > QoS).
Refer to Quality of Service for complete QoS workflows, concepts, and use cases.
Add a new rule or clone an existing rule and then define the following fields.

QoS Policy Rule Settings

General Tab

Name Enter a name to identify the rule (up to 63 characters). The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.

Description Enter an optional description.

Tag If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies.
This is useful when you have defined many policies and want to view those
that are tagged with a particular keyword. For example, you may want
to tag certain security policies with Inbound to DMZ, decryption policies
with the words Decrypt and No-decrypt, or use the name of a specific data
center for policies associated with that location.

Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag allows
you to view your policy rule base based on these tags. You can group rules
based on a Tag.

Audit Comment Enter a comment to audit the creation or editing of the policy rule. The
audit comment is case-sensitive and can have up to 256 characters, which
can be letters, numbers, spaces, hyphens, and underscores.

Audit Comment Archive View previous Audit Comments for the policy rule. You can export the
Audit Comment Archive in CSV format.

Source Tab

Source Zone Select one or more source zones (default is any). Zones must be of the same
type (Layer 2, Layer 3, or virtual wire).


Source Address Specify a combination of source IPv4 or IPv6 addresses for which the
identified application can be overridden. To select specific addresses,
choose select from the drop-down and do any of the following:

• Select this option next to the appropriate addresses and/or address
groups in the Available column, and click Add to add your selections
to the Selected column.
• Enter the first few characters of a name in the search field to list all
addresses and address groups that start with those characters. Selecting
an item in the list enables this option in the Available column. Repeat
this process as often as needed, and then click Add.
• Enter one or more IP addresses (one per line), with or without a network
mask. The general format is: <ip_address>/<mask>
• To remove addresses, select them (Selected column) and click Delete or
select any to clear all addresses and address groups.
To add new addresses that can be used in this or other policies, click New
Address. To define new address groups, select Objects > Address Groups.

Source User Specify the source users and groups to which the QoS policy will apply.

Negate Select this option to have the policy apply if the specified information on
this tab does NOT match.

Destination Tab

Destination Zone Select one or more destination zones (default is any). Zones must be of the
same type (Layer 2, Layer 3, or virtual wire).

Destination Address Specify a combination of destination IPv4 or IPv6 addresses for which the
identified application can be overridden. To select specific addresses,
choose select from the drop-down and do any of the following:
• Select this option next to the appropriate addresses and/or address
groups in the Available column, and Add your selections to the
Selected column.
• Enter the first few characters of a name in the search field to list all
addresses and address groups that start with those characters. Selecting
an item in the list enables this option in the Available column. Repeat
this process as often as needed, and then click Add.
• Enter one or more IP addresses (one per line), with or without a network
mask. The general format is: <ip_address>/<mask>.
• To remove addresses, select them (Selected column) and click Delete or
select any to clear all addresses and address groups.
To add new addresses that can be used in this or other policies, click New
Address.

Negate Select this option to have the policy apply if the specified information on
this tab does not match.


Application Tab

Application Select specific applications for the QoS rule. To define new applications or
application groups, select Objects > Applications.
If an application has multiple functions, you can select the overall
application or individual functions. If you select the overall application,
all functions are included, and the application definition is automatically
updated as future functions are added.
If you are using application groups, filters, or containers in the QoS rule, you
can view details on these objects by holding your mouse over the object in
the Application column, clicking the down arrow, and selecting Value. This enables
you to easily view application members directly from the policy without
having to go to the Objects tab.

Service/URL Category Tab

Service Select services to limit to specific TCP and/or UDP port numbers. Choose
one of the following from the drop-down:
• any—The selected applications are allowed or denied on any protocol or
port.
• application-default—The selected applications are allowed or denied
only on their default ports defined by Palo Alto Networks. This option is
recommended for allow policies.
• Select—Click Add. Choose an existing service or choose Service or
Service Group to specify a new entry.

URL Category Select URL categories for the QoS rule.
• Select Any to ensure that a session can match this QoS rule regardless
of the URL category.
• To specify a category, click Add and select a specific category (including
a custom category) from the drop-down. You can add multiple
categories. Refer to Objects > External Dynamic Lists for information on
defining custom categories.

DSCP/TOS Tab

Any Select Any (default) to allow the policy to match to traffic regardless of the
Differentiated Services Code Point (DSCP) value or the IP Precedence/Type
of Service (ToS) defined for the traffic.

Codepoints Select Codepoints to enable traffic to receive QoS treatment based on
the DSCP or ToS value defined in a packet’s IP header. The DSCP and ToS
values are used to indicate the level of service requested for traffic, such as
high priority or best effort delivery. Using codepoints as matching criteria
in a QoS policy allows a session to receive QoS treatment based on the
codepoint detected at the beginning of the session.
Continue to Add codepoints to match traffic to the QoS policy:
• Give codepoint entries a descriptive Name.
• Select the Type of codepoint you want to use as matching criteria for
the QoS policy and then select a specific Codepoint value. You can also
create a Custom Codepoint by entering a Codepoint Name and Binary
Value.

Other Settings Tab

Class Choose the QoS class to assign to the rule, and click OK. Class
characteristics are defined in the QoS profile. Refer to Network > Network
Profiles > QoS for information on configuring settings for QoS classes.

Schedule • Select None for the policy rule to remain active at all times.
• From the drop-down, select Schedule (calendar icon) to set a single time
range or a recurring time range during which the rule is active.

Target Tab (Panorama only)

Any (target all devices) Enable (check) to push the policy rule to all managed firewalls in the device
group.

Devices Select one or more managed firewalls associated with the device group to
push the policy rule to.

Tags Add one or more tags to push the policy rule to managed firewalls in the
device group with the specified tag.

Target to all but these Enable (check) to push the policy rule to all managed firewalls associated
specified devices and tags with the device group except for the selected device(s) and tag(s).

Policies > Policy Based Forwarding
Normally, when traffic enters the firewall, the ingress interface virtual router dictates the route that
determines the outgoing interface and destination security zone based on destination IP address. By
creating a policy-based forwarding (PBF) rule, you can specify other information to determine the
outgoing interface, including source zone, source address, source user, destination address, destination
application, and destination service. The initial session on a given destination IP address and port that is
associated with an application will not match an application-specific rule and will be forwarded according
to subsequent PBF rules (that do not specify an application) or the virtual router’s forwarding table.
All subsequent sessions on that destination IP address and port for the same application will match an
application-specific rule. To ensure forwarding through PBF rules, application-specific rules are not
recommended.
When necessary, PBF rules can be used to force traffic through an additional virtual system using the
Forward-to-VSYS forwarding action. In this case, it is necessary to define an additional PBF rule that will
forward the packet from the destination virtual system out through a particular egress interface on the
firewall.
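The first-session behaviour of application-specific PBF rules described above, modelled in Python as an added example (not Palo Alto Networks code). The application cache keyed on destination IP and port is an assumption used to reproduce the described behaviour (the initial session falls through to later rules or the routing table, later sessions to the same destination match); rule names, interface names and sessions are constructed.

```python
# Added example, not PAN-OS code: why service objects are preferred over
# application-specific rules in policy-based forwarding.
from dataclasses import dataclass
from typing import Optional


@dataclass
class PbfRule:
    name: str
    action: str                         # e.g. "forward:ethernet1/3" (constructed)
    application: Optional[str] = None   # application-specific rule (not recommended)
    service_port: Optional[int] = None  # service object: Layer 4 port

ROUTE_TABLE = "virtual-router-forwarding-table"


class PbfEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.app_cache = {}  # assumed: (dst_ip, dst_port) -> application learned earlier

    def lookup(self, dst_ip: str, dst_port: int, application: str) -> str:
        """Decide forwarding for a new session, then learn its application.

        At session setup the firewall only knows the destination IP/port; the
        application is known only if an earlier session to the same IP/port
        identified it. Rules are evaluated top-down; the first match wins."""
        known_app = self.app_cache.get((dst_ip, dst_port))  # None for the first session
        action = ROUTE_TABLE
        for rule in self.rules:
            if rule.service_port is not None and rule.service_port != dst_port:
                continue
            if rule.application is not None and rule.application != known_app:
                continue  # application not identified yet: rule skipped
            action = rule.action
            break
        # App-ID identifies the application once the session has been inspected.
        self.app_cache[(dst_ip, dst_port)] = application
        return action


if __name__ == "__main__":
    app_only = PbfEngine([PbfRule("ssh-out", "forward:ethernet1/3", application="ssh")])
    print(app_only.lookup("203.0.113.9", 22, "ssh"))   # first session: route table
    print(app_only.lookup("203.0.113.9", 22, "ssh"))   # later session: matches
    by_service = PbfEngine([PbfRule("tcp22-out", "forward:ethernet1/3", service_port=22)])
    print(by_service.lookup("203.0.113.9", 22, "ssh"))  # matches from the first session
```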
The following tables describe the policy-based forwarding settings:
• Policy Based Forwarding General Tab
• Policy Based Forwarding Source Tab
• Policy Based Forwarding Destination/Application/Service Tab
• Policy Based Forwarding Forwarding Tab
• (Panorama only) Policy Based Forwarding Target Tab
Looking for more?
Refer to Policy-Based Forwarding

Policy Based Forwarding General Tab


Select the General tab to configure a name and description for the PBF policy. A tag can also be configured
to allow you to sort or filter policies when a large number of policies exist.

Field Description

Name Enter a name to identify the rule. The name is case-sensitive and can have
up to 63 characters, which can be letters, numbers, spaces, hyphens, and
underscores. The name must be unique on a firewall and, on Panorama,
unique within its device group and any ancestor or descendant device
groups.

Description Enter a description for the policy (up to 1024 characters).

Tag If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies.
This is useful when you have defined many policies and want to view those
that are tagged with a particular keyword. For example, you may want
to tag certain security policies with Inbound to DMZ, decryption policies
with the words Decrypt and No-decrypt, or use the name of a specific data
center for policies associated with that location.


Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag allows
you to view your policy rule base based on these tags. You can group rules
based on a Tag.

Audit Comment Enter a comment to audit the creation or editing of the policy rule. The
audit comment is case-sensitive and can have up to 256 characters, which
can be letters, numbers, spaces, hyphens, and underscores.

Audit Comment Archive View previous Audit Comments for the policy rule. You can export the
Audit Comment Archive in CSV format.

Policy Based Forwarding Source Tab


Select the Source tab to define the source zone or source address that defines the incoming source traffic
to which the forwarding policy will be applied.

Field Description

Source Zone To choose source zones (default is any), click Add and select from the drop-
down. To define new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example, if you
have three different internal zones (Marketing, Sales, and Public Relations)
that are all directed to the untrusted destination zone, you can create one
rule that covers all cases.

Only Layer 3 type zones are supported for policy-based
forwarding.

Source Address Click Add to add source addresses, address groups, or regions (default
is any). Select from the drop-down, or click Address, Address Group, or
Regions at the bottom of the drop-down, and specify the settings.

Source User Click Add to choose the source users or groups of users subject to the
policy. The following source user types are supported:
• any—Include any traffic regardless of user data.
• pre-logon—Include remote users that are connected to the network
using GlobalProtect™, but are not logged into their system. When the
Pre-logon option is configured on the Portal for GlobalProtect apps, any
user who is not currently logged into their machine will be identified
with the username pre-logon. You can then create policies for pre-logon
users and although the user is not logged in directly, their machines are
authenticated on the domain as if they were fully logged in.
• known-user—Includes all authenticated users, which means any IP with
user data mapped. This option is equivalent to the “domain users” group
on a domain.
• unknown—Includes all unauthenticated users, which means IP addresses
that are not mapped to a user. For example, you could use unknown for
guest level access to something because they will have an IP on your
network, but will not be authenticated to the domain and will not have
IP address-to-user mapping information on the firewall.
• Select—Includes selected users as determined by the selection in
this window. For example, you may want to add one user, a list of
individuals, some groups, or manually add users.

If the firewall collects user information from a RADIUS,
TACACS+, or SAML identity provider server and not from
the User-ID™ agent, the list of users does not display; you
must enter user information manually.

Policy Based Forwarding Destination/Application/Service Tab


Select the Destination/Application/Service tab to define the destination settings that will be applied to
traffic that matches the forwarding rule.

Field Description

Destination Address Click Add to add destination addresses or address groups (default is any).
By default, the rule applies to Any IP address. Select from the drop-down,
or click Address or Address Group at the bottom of the drop-down, and
specify the settings.

Application/Service Select specific applications or services for the PBF rule. To define new
applications, refer to Defining Applications. To define application groups,
refer to Objects > Application Groups.

Application-specific rules are not recommended for use
with PBF. Whenever possible, use a service object, which
is the Layer 4 port (TCP or UDP) used by the protocol or
application.

You can view details on these applications by holding your mouse over the
object in the Application column, clicking the down arrow, and selecting
Value. This enables you to easily view application information directly from
the policy without having to go to the Object tabs.

You cannot use custom applications, application filters, or
application groups in PBF rules.

Policy Based Forwarding Forwarding Tab


Select the Forwarding tab to define the action and network information that will be applied to traffic that
matches the forwarding policy. Traffic can be forwarded to a next-hop IP address, a virtual system, or the
traffic can be dropped.


Action Select one of the following options:
• Forward—Specify the next hop IP address and egress interface (the
interface that the packet takes to get to the specified next hop).
• Forward To VSYS—Choose the virtual system to forward to from the
drop-down.
• Discard—Drop the packet.
• No PBF—Do not alter the path that the packet will take. This option
excludes the packets that match the criteria for source/destination/
application/service defined in the rule. Matching packets use the route
table instead of PBF; the firewall uses the route table to exclude the
matched traffic from the redirected port.

Use Forward or Forward to VSYS as the Action so you
can apply a Monitor profile to the traffic. (You can’t apply a
Monitor profile when the Action doesn’t forward the traffic.)
Monitor profiles monitor the IP address. If connectivity to
the IP address fails, Monitor profiles specify the action.

Egress Interface Directs the packet to a specific Egress Interface.

Next Hop If you direct the packet to a specific interface, specify the Next Hop for the
packet in one of the following ways:
• IP Address—Select IP Address and select an address object (or create a
new address object) that uses an IPv4 or IPv6 address.
• FQDN—Select FQDN and select an address object (or create a new
address object) that uses an FQDN.
• None—There is no next hop; the packet is dropped.

Monitor Enable Monitoring to verify connectivity to a target IP Address or to the
Next Hop IP address. Select Monitor and attach a monitoring Profile
(default or custom, Network > Network Profiles > Monitor) that specifies
the action when the IP address is unreachable.

Configure Monitor profiles and enable monitoring so that
if the egress interface fails or the route goes down, the
firewall takes the action in the profile and minimizes or
prevents the service interruption.

Enforce Symmetric Return (Required for asymmetric routing environments) Select Enforce Symmetric
Return and enter one or more IP addresses in the Next Hop Address List.
Enabling symmetric return ensures that return traffic (such as from the
Trust zone on the LAN to the Internet) is forwarded out through the same
interface through which traffic ingresses from the internet.

Schedule To limit the days and times when the rule is in effect, select a schedule
from the drop-down. To define new schedules, refer to Settings to Control
Decrypted SSL Traffic.

Policy Based Forwarding Target Tab
• (Panorama only) Policies > Policy Based Forwarding > Target
Select the Target tab to select which managed firewalls in the device group to push the policy rule to. You
can specify which managed firewalls to push to by selecting the managed firewalls or by specifying a tag.
Additionally, you can configure the policy rule target to push to all managed firewalls except for those
specified.

Policy Based Forwarding - Target Settings Description

Any (target all devices) Enable (check) to push the policy rule to all managed firewalls in the device group.

Devices Select one or more managed firewalls associated with the device group to push the
policy rule to.

Tags Add one or more tags to push the policy rule to managed firewalls in the device
group with the specified tag.

Target to all but these specified devices and tags Enable (check) to push the policy rule to all managed
firewalls associated with the device group except for the selected device(s) and tag(s).

Policies > Decryption
You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption
policies can apply to Secure Sockets Layer (SSL) including SSL encapsulated protocols such as IMAP(S),
POP3(S), SMTP(S), and FTP(S), and Secure Shell (SSH) traffic. SSH decryption can be used to decrypt
outbound and inbound SSH traffic to ensure that secure protocols are not being used to tunnel disallowed
applications and content.
Add a decryption policy rule to define traffic that you want to decrypt (for example, you can decrypt traffic
based on URL categorization). Decryption policy rules are compared against the traffic in sequence, so more
specific rules must precede the more general ones.
SSL forward proxy decryption requires the configuration of a trusted certificate that is presented to the
user if the server to which the user is connecting possesses a certificate signed by a CA trusted by the
firewall. Create a certificate on the Device > Certificate Management > Certificates page and then click the
name of the certificate and select Forward Trust Certificate.

The firewall doesn’t decrypt applications that break decryption technically, for example
because they use pinned certificates or client authentication.
Refer to the List of Applications Excluded from SSL Decryption.

The following tables describe the decryption policy settings:
• Decryption General Tab
• Decryption Source Tab
• Decryption Destination Tab
• Decryption Service/URL Category Tab
• Decryption Options Tab
• (Panorama only) Decryption Target Tab
Looking for more?
See Decryption

Decryption General Tab


Select the General tab to configure a name and description for the decryption policy. You can also configure
a tag to allow you to sort or filter policies when a large number of policies exist.

Field Description

Name Enter a name to identify the rule. The name is case-sensitive and
can have up to 63 characters, which can be letters, numbers, spaces,
hyphens, and underscores. The name must be unique on a firewall
and, on Panorama, unique within its device group and any ancestor or
descendant device groups.

Description Enter a description for the rule (up to 1024 characters).

Tag If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter
policies. This is useful when you have defined many policies and want
to view those that are tagged with a particular keyword. For example,
you may want to tag certain security policies with Inbound to DMZ,
decryption policies with the words Decrypt and No-decrypt, or use the
name of a specific data center for policies associated with that location.

Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag
allows you to view your policy rule base based on these tags. You can
group rules based on a Tag.

Audit Comment Enter a comment to audit the creation or editing of the policy rule. The
audit comment is case-sensitive and can have up to 256 characters,
which can be letters, numbers, spaces, hyphens, and underscores.

Audit Comment Archive View previous Audit Comments for the policy rule. You can export the
Audit Comment Archive in CSV format.

Decryption Source Tab


Select the Source tab to define the source zone or source address that defines the incoming source traffic
to which the decryption policy will be applied.

Field Description

Source Zone Click Add to choose source zones (default is any). Zones must be of the
same type (Layer 2, Layer 3, or virtual wire). To define new zones, refer to
Network > Zones.
Multiple zones can be used to simplify management. For example, if you
have three different internal zones (Marketing, Sales, and Public Relations)
that are all directed to the untrusted destination zone, you can create one
rule that covers all cases.

Source Address Click Add to add source addresses, address groups, or regions (default
is any). Select from the drop-down, or click Address, Address Group, or
Regions at the bottom of the drop-down, and specify the settings. Select
Negate to choose any address except the configured ones.

Source User Click Add to choose the source users or groups of users subject to the
policy. The following source user types are supported:
• any—Include any traffic regardless of user data.
• pre-logon—Include remote users that are connected to the network
using GlobalProtect, but are not logged into their system. When the
Pre-logon option is configured on the Portal for GlobalProtect apps, any
user who is not currently logged into their machine will be identified
with the username pre-logon. You can then create policies for pre-logon
users and although the user is not logged in directly, their machines are
authenticated on the domain as if they were fully logged in.
• known-user—Includes all authenticated users, which means any IP with
user data mapped. This option is equivalent to the “domain users” group
on a domain.

• unknown—Includes all unauthenticated users, which means IP addresses
that are not mapped to a user. For example, you could use unknown for
guest level access to something because they will have an IP on your
network, but will not be authenticated to the domain and will not have
IP to user mapping information on the firewall.
• Select—Includes selected users as determined by the selection in
this window. For example, you may want to add one user, a list of
individuals, some groups, or manually add users.

If the firewall collects user information from a RADIUS,
TACACS+, or SAML identity provider server and not from
the User-ID™ agent, the list of users does not display; you
must enter user information manually.

Decryption Destination Tab


Select the Destination tab to define the destination zone or destination address that defines the destination
traffic to which the policy will be applied.

Field Description

Destination Zone Click Add to choose destination zones (default is any). Zones must
be of the same type (Layer 2, Layer 3, or virtual wire). To define
new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example,
if you have three different internal zones (Marketing, Sales, and
Public Relations) that are all directed to the untrusted destination
zone, you can create one rule that covers all cases.

Destination Address Click Add to add destination addresses, address groups, or regions
(default is any). Select from the drop-down, or click Address,
Address Group, or Regions at the bottom of the drop-down, and
specify the settings. Select Negate to choose any address except
the configured ones.

Decryption Service/URL Category Tab


Select the Service/URL Category tab to apply the decryption policy to traffic based on TCP port number or
to any URL category (or a list of categories).

Field Description

Service Apply the decryption policy to traffic based on specific TCP port
numbers. Choose one of the following from the drop-down:
• any—The selected applications are allowed or denied on any
protocol or port.

• application-default—The selected applications are decrypted
(or are exempt from decryption) only on the default ports
defined for the applications by Palo Alto Networks.
• Select—Click Add. Choose an existing service or specify a new
Service or Service Group. (Or select Objects > Services and
Objects > Service Groups).

URL Category Select URL categories for the decryption rule.
• Choose any to match any session regardless of the URL category.
• To specify a category, click Add and select a specific category
(including a custom category) from the drop-down. You can add multiple
categories. To define custom categories, refer to Objects > Custom
Objects > URL Category.

Decryption Options Tab


Select the Options tab to determine if the matched traffic should be decrypted or not. If Decrypt is set,
specify the decryption type. You can also add additional decryption features by configuring or selecting a
decryption profile.

Field Description

Action Select decrypt or no-decrypt for the traffic.

Type Select the type of traffic to decrypt from the drop-down:
• SSL Forward Proxy—Specifies that the policy will decrypt client
traffic destined for an external server. The firewall acts as a forward
proxy and presents its Forward Trust certificate to the client.
• SSH Proxy—Specifies that the policy will decrypt SSH traffic. This
option allows you to control SSH tunneling in policies by specifying
the ssh-tunnel App-ID.
• SSL Inbound Inspection—Specifies that the policy will decrypt inbound
SSL traffic destined for an internal server whose certificate and
private key you have imported onto the firewall.

Decryption Profile Attach a decryption profile to the policy rule in order to block
and control certain aspects of the traffic. For details on creating a
decryption profile, select Objects > Decryption Profile.

Log Settings

Log Successful SSL Handshake (Optional) Creates detailed logs of successful SSL Decryption handshakes. Disabled by default.

Logs consume storage space. Before you log successful SSL handshakes, ensure you have the resources available to store the logs. Edit Device > Setup > Management > Logging and Reporting Settings to check the current log memory allocation and re-allocate log memory among log types.

Log Unsuccessful SSL Handshake Creates detailed logs of unsuccessful SSL Decryption handshakes so you can find the cause of decryption issues. Enabled by default.

Logs consume storage space. To allocate more (or less) log storage space to Decryption logs, edit the log memory allocation (Device > Setup > Management > Logging and Reporting Settings).

Log Forwarding Select a Log Forwarding profile to specify the method and location to forward Decryption (SSL handshake) logs.

Decryption Target Tab


• (Panorama only) Policies > Decryption > Target
Select the Target tab to select which managed firewalls in the device group to push the policy rule to. You
can specify the managed firewalls by selecting them individually or by specifying a tag. Additionally, you
can configure the policy rule target to push to all managed firewalls except those specified.

Decryption Rule - Target Settings Description

Any (target all devices) Enable (check) to push the policy rule to all managed firewalls in the device group.

Devices Select one or more managed firewalls associated with the device group to push the policy rule to.

Tags Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag.

Target to all but these specified devices and tags Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).

Policies > Network Packet Broker
Network Packet Broker policy rules define the traffic to forward to an external chain of third-party security
appliances (a security chain) based on applications, users, zones, devices, and IP addresses. Network Packet
Broker can forward decrypted TLS, non-decrypted TLS, and non-TLS traffic to a security chain. You attach
a Packet Broker profile to each Network Packet Broker policy rule. The policy rule defines the traffic to
forward to the security chain and the profile defines how to forward that traffic, including the firewall
forwarding interfaces, health monitoring, session distribution among multiple chains, and choosing whether
the chain is routed (Layer 3) or Transparent Bridge (Layer 1).
The following tables describe policy rule settings and Policy Optimizer options for Network Packet Broker:
• Network Packet Broker General Tab
• Network Packet Broker Source Tab
• Network Packet Broker Destination Tab
• Network Packet Broker Application/Service/Traffic Tab
• Network Packet Broker Path Selection Tab
• Network Packet Broker Policy Optimizer Rule Usage

Network Packet Broker General Tab


Select the General tab to configure a name and description for the policy. You can also configure a tag to
allow you to sort or filter policies when a large number of policies exist.

Field Description

Name Enter a name to identify the rule. The name is case-sensitive and can have
up to 63 characters, which can be letters, numbers, spaces, hyphens, and
underscores. The name must be unique on a firewall and, on Panorama,
unique within its device group and any ancestor or descendant device
groups.

Description Enter a description for the policy (up to 1024 characters).

Tag If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies.
This is useful when you have defined many policies and want to view
policies that are tagged with a particular keyword. For example, the tag
could indicate network location, Layer 3 security chains, or Layer 1 security
chains.

Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag allows
you to view your policy rulebase grouped by these tags.

Audit Comment Enter a comment to audit the creation or editing of the policy rule. The
audit comment is case-sensitive and can have up to 256 characters, which
can be letters, numbers, spaces, hyphens, and underscores.

Audit Comment Archive View previous Audit Comments for the policy rule. You can export the
Audit Comment Archive in CSV format.

Network Packet Broker Source Tab
Select the Source tab to define the source zones, IP addresses, users, and devices of traffic to forward to a
Network Packet Broker security chain.

Field Description

Source Zone To choose source zones (default is any), click Add and select from the drop-
down. To define new zones, refer to Network > Zones.
You can add multiple zones to simplify management.

Source Address Add source addresses, address groups, or regions (default is Any). Select
from the drop-down or select Address object, Address Group, or Regions
(bottom of the drop-down) to specify the settings. Objects > Addresses
and Objects > Address Groups describe the types of address objects and
address groups, respectively, that a policy rule supports.
Selecting the Negate option applies the rule to source addresses from the
specified zone except for the addresses specified.

Source User Click Add to choose the source users or groups of users subject to the
policy. The following source user types are supported:
• any—Include any traffic regardless of user data.
• pre-logon—Include remote users that are connected to the network
using GlobalProtect™, but are not logged into their system. When the
Pre-logon option is configured on the Portal for GlobalProtect apps,
any user who is not currently logged into their machine is identified
with the username pre-logon. You can then create policies for pre-logon
users and although the user is not logged in directly, their machines are
authenticated on the domain as if they were fully logged in.
• known-user—Includes all authenticated users, which means any IP with
user data mapped. This option is equivalent to the “domain users” group
on a domain.
• unknown—Includes all unauthenticated users, which means IP addresses
that are not mapped to a user. For example, you could use unknown for
guest level access to something because they will have an IP on your
network, but are not authenticated to the domain and do not have IP
address-to-user mapping information on the firewall.
• Select—Includes selected users as determined by the selection in
this window. For example, you may want to add one user, a list of
individuals, some groups, or manually add users.

If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID™ agent, the list of users does not display; you must enter user information manually.

Source Device Add the host devices subject to the policy:
• any—Includes any device.
• no-hip—HIP information is not required. This setting enables access
from third-party devices that cannot collect or submit HIP information.
• select—Includes selected devices as determined by your configuration.
For example, you can add a device object based on model, OS, OS
family, or vendor.

Network Packet Broker Destination Tab


Select the Destination tab to define the destination zones, IP addresses, and devices of traffic to forward to
a Network Packet Broker security chain.

Field Description

Destination Zone To choose destination zones (default is any), click Add and select from the
drop-down. To define new zones, refer to Network > Zones.
You can add multiple zones to simplify management.

Destination Address Add destination addresses, address groups, or regions (default is Any).
Select from the drop-down or click Address object, Address Group, or
Regions (bottom of the drop-down) to specify address settings. Objects
> Addresses and Objects > Address Groups describe the types of address
objects and address groups, respectively, that a policy rule supports.
Selecting the Negate option applies the rule to destination addresses in the
specified zone except for the addresses specified.

Destination Device Add the host devices subject to the policy individually or select Any to
include all devices.

Network Packet Broker Application/Service/Traffic Tab


Select the Application/Service/Traffic tab to define the type of traffic, the applications, and the services
to forward to a Network Packet Broker security chain. You can forward any combination of decrypted TLS,
non-decrypted TLS, and non-TLS traffic to a security chain.

Field Description

Traffic Type Select the traffic type or traffic types to forward to the security chain. You
can select one, some, or all of the traffic types in one rule:
• Forward TLS(Decrypted) Traffic—(Default) Forwards decrypted TLS
traffic to the security chain specified by the Packet Broker profile
attached to the Network Packet Broker policy.
• Forward TLS(Non-Decrypted) Traffic—Forwards undecrypted TLS
traffic to the security chain specified by the Packet Broker profile
attached to the Network Packet Broker policy.
• Forward Non-TLS Traffic—Forwards cleartext (non-TLS) traffic to the
security chain specified by the Packet Broker profile attached to the
Network Packet Broker policy.

Application Add specific applications for the Network Packet Broker policy rule. If an
application has multiple functions, you can select the container application
or individual functional applications. If you select the container application,
all functional applications are included and the application definition is
automatically updated as future functional apps are added to the container
app.

Service Select the services that you want to limit to specific TCP or UDP port
numbers. Choose one of the following from the drop-down:
• any—(Default) The selected applications are forwarded on any protocol
or port.
• application-default—The selected applications are forwarded only if
they are on their default ports as defined by Palo Alto Networks®.
(Applications that run on non-standard ports and protocols, if
unintentional, can be a sign of undesired application behavior and
usage, and if intentional, can be a sign of malicious behavior. However,
internal custom applications may use non-standard ports and require
exceptions.)
• Select—Add an existing service or choose Service or Service Group to
specify a new entry. (Or select Objects > Services and Objects > Service
Groups).

Network Packet Broker Path Selection Tab


Select the Path Selection Tab to choose the Packet Broker profile to apply to the traffic defined by the
Network Packet Broker policy. The policy defines what traffic to forward to a security chain and the profile
defines how to forward the traffic (which firewall forwarding interfaces to use, whether the security chain is
a routed Layer 3 chain or a Transparent Bridge Layer 1 chain, health monitoring methods, and more).
Use the drop-down to select a previously configured profile or to create a new Packet Broker profile for the
policy rule.

Network Packet Broker Policy Optimizer Rule Usage


For Network Packet Broker policy rules, Policy Optimizer displays Rule Usage statistics that you can use
to determine whether a policy is in use. You can view rule usage over different time frames and investigate
why a rule hasn’t been used as expected and delete unused or outdated rules.

Field Description

Timeframe The time period (number of days) for which data is displayed.

Usage • Any—All Network Packet Broker policy rules on the firewall over the
specified Timeframe, regardless of whether traffic matched the rules
(used rules) or not (unused rules).
• Unused—Rules that traffic has not matched over the specified Timeframe.
• Used—Rules that traffic has matched over the specified Timeframe.

Exclude rules reset during Omits displaying rules for which you Reset Rule Hit Counter within the
the last “n” days specified number of days (from 1-5,000 days). For example, this enables
you to examine older rules that have not matched traffic over a particular
Timeframe while excluding newer rules that may not have had time to
match traffic.

Name The name of the Network Packet Broker policy rule.

Packet Broker • Profile—The name of the Packet Broker profile associated with the
policy rule.
• Traffic Type—The type or types of traffic the rule controls (one or more
of decrypted TLS, non-decrypted TLS, and non-TLS traffic).

Rule Usage • Hit Count—The number of times that traffic matched the rule.
• Last Hit—The most recent time that traffic matched the rule.
• First Hit—The first time that traffic matched the rule.
• Reset Date—The last date on which the rule’s hit counter was reset.

Modified The date and time that the rule was last modified.

Created The date and time that the rule was created.

Policies > Tunnel Inspection
You can configure the firewall to inspect the traffic content of the following cleartext tunnel protocols:
• Generic Routing Encapsulation (GRE)
• General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U); supported only on
firewalls that support GTP.
• Non-encrypted IPSec traffic (NULL Encryption Algorithm for IPSec and transport mode AH IPSec)
• Virtual Extensible LAN (VXLAN)
You can use tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in
these types of tunnels and on traffic nested within another cleartext tunnel (for example, Null Encrypted
IPSec inside a GRE tunnel).
Create a Tunnel Inspection policy that, when matching an incoming packet, determines which tunnel
protocols in the packet the firewall will inspect and that specifies the conditions under which the firewall
drops or continues to process the packet. You can view tunnel inspection logs and tunnel activity in the
ACC to verify that tunneled traffic complies with your corporate security and usage policies.
The firewall supports tunnel content inspection on Ethernet interfaces and subinterfaces, AE interfaces,
VLAN interfaces, and VPN and LSVPN tunnels. The feature is supported in Layer 3, Layer 2, virtual wire,
and tap deployments. Tunnel content inspection works on shared gateways and on virtual system-to-virtual
system communications.

What do you want to know? See:

What are the fields available to create a Tunnel Inspection policy? Building Blocks in a Tunnel Inspection Policy

How can I view tunnel inspection logs? Log Types and Severity Levels

Looking for more? Tunnel Content Inspection

Building Blocks in a Tunnel Inspection Policy


Select Policies > Tunnel Inspection to add a Tunnel Inspection policy rule. You can use the firewall to
inspect content of cleartext tunnel protocols (GRE, GTP-U, non-encrypted IPSec, and VXLAN) and leverage
tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these types of
tunnels. All firewall models support tunnel content inspection of GRE and non-encrypted IPSec tunnels, but
only firewalls that support GTP support tunnel content inspection of GTP-U tunnels. The following table
describes the fields you configure for a Tunnel Inspection policy.

Building Blocks in a Tunnel Inspection Policy Configured In Description

Name General Enter a name for the Tunnel Inspection policy beginning
with an alphanumeric character and containing zero or
more alphanumeric, underscore, hyphen, period, or space
characters.

Description (Optional) Enter a description for the Tunnel Inspection policy.

Tags (Optional) Enter one or more tags for reporting and logging purposes that identify the packets that are subject to the Tunnel Inspection policy.

Group Rules by Tag Enter a tag with which to group similar policy rules. The
group tag allows you to view your policy rule base based
on these tags. You can group rules based on a Tag.

Audit Comment Enter a comment to audit the creation or editing of the policy rule. The audit comment is case-sensitive and can have up to 256 characters, which can be letters, numbers, spaces, hyphens, and underscores.

Audit Comment View previous Audit Comments for the policy rule. You
Archive can export the Audit Comment Archive in CSV format.

Source Zone Source Add one or more source zones of packets to which the
Tunnel Inspection policy applies (default is Any).

Source Address (Optional) Add source IPv4 or IPv6 addresses, address groups, or Geo Region address objects of packets to which the Tunnel Inspection policy applies (default is Any).

Source User (Optional) Add source users of packets to which the Tunnel Inspection policy applies (default is any).

Negate (Optional) Select Negate to choose any addresses except those specified.

Destination Zone Destination Add one or more destination zones of packets to which
the Tunnel Inspection policy applies (default is Any).

Destination Address (Optional) Add destination IPv4 or IPv6 addresses, address groups, or Geo Region address objects of packets to which the Tunnel Inspection policy applies (default is Any).

Negate (Optional) Select Negate to choose any addresses except those specified.

Tunnel Protocol Inspection Add one or more tunnel Protocols that you want the
firewall to inspect:
• GRE—Firewall inspects packets that use Generic
Routing Encapsulation in the tunnel.

• GTP-U—Firewall inspects packets that use the
General Packet Radio Service (GPRS) tunneling
protocol for user data (GTP-U) in the tunnel.
• Non-encrypted IPSec—Firewall inspects packets that
use non-encrypted IPSec (Null Encrypted IPSec or
transport mode AH IPSec) in the tunnel.
• VXLAN—Firewall inspects a VXLAN payload to find
the encapsulated content or applications within the
tunnel.
To remove a protocol from your list, select the protocol
and Delete it.

Maximum Tunnel Inspection Levels Inspection > Inspect Options Specify whether the firewall will inspect One Level (default) or Two Levels (Tunnel In Tunnel) of encapsulation. For VXLAN, select One Level, as inspection only occurs on the outer layer.

Drop packet if over maximum tunnel inspection level (Optional) Drop packets that contain more levels of encapsulation than you specified for Maximum Tunnel Inspection Levels.

Drop packet if tunnel protocol fails strict header check (Optional) Drop packets that contain a tunnel protocol that uses a header that is non-compliant with the RFC for that protocol. Non-compliant headers indicate suspicious packets. This option causes the firewall to verify GRE headers against RFC 2890.

Do not enable this option if your firewall is tunneling GRE with a device that implements a version of GRE older than RFC 2890.

Drop packet if unknown protocol inside tunnel (Optional) Drop packets that contain a protocol inside the tunnel that the firewall cannot identify.

Return Scanned VXLAN Tunnel to Source (Optional) Enable this option to return the traffic to the originating VXLAN tunnel endpoint (VTEP). For example, use this option to return the encapsulated packet to the source VTEP. Supported only on Layer 3 interfaces, Layer 3 subinterfaces, Layer 3 aggregate interfaces, and VLAN interfaces.

Enable Security Options Inspection > Security Options (Optional) Enable Security Options to assign security zones for separate Security policy treatment of tunnel content. The inner content source will belong to the Tunnel Source Zone you specify and the inner content destination will belong to the Tunnel Destination Zone you specify.
If you do not Enable Security Options, by default the inner content source belongs to the same zone as the outer tunnel source, and the inner content destination belongs to the same zone as the outer tunnel destination. Therefore, both the inner content source and destination are subject to the same Security policies that apply to the source and destination zones of the outer tunnel.

Tunnel Source Zone If you Enable Security Options, select a tunnel zone that
you created, and the inner content will use this source
zone for the purpose of policy enforcement.
Otherwise, by default the inner content source belongs
to the same zone as the outer tunnel source, and the
policies of the outer tunnel source zone apply to the
inner content source zone also.

Tunnel Destination Zone If you Enable Security Options, select a tunnel zone that you created, and the inner content will use this destination zone for the purpose of policy enforcement.
Otherwise, by default the inner content destination belongs to the same zone as the outer tunnel destination, and the policies of the outer tunnel destination zone apply to the inner content destination zone also.

Monitor Name Inspection > Monitor Options (Optional) Enter a monitor name to group similar traffic together for monitoring the traffic in logs and reports.

Monitor Tag (number) (Optional) Enter a monitor tag number that can group similar traffic together for logging and reporting (range is 1 to 16,777,215). The tag number is globally defined.

This field does not apply to the VXLAN protocol. VXLAN logs automatically use the VXLAN Network Identifier (VNI) from the VXLAN header.

Log at Session Start (Optional) Select this option to generate a log at the
start of a cleartext tunnel session that matches the
Tunnel Inspection policy. This setting overrides the Log
at Session Start setting in the Security Policy rule that
applies to the session.
Tunnel logs are stored separately from traffic logs. The
information with the outer tunnel session (GRE, non-
encrypted IPSec, or GTP-U) is stored in the Tunnel logs
and the inner traffic flows are stored in the Traffic logs.
This separation allows you to easily report on tunnel
activity (as opposed to inner content activity) with the
ACC and reporting features.

The best practice for Tunnel logs is to
Log at Session Start and Log at Session
End because, for logging, tunnels can
be very long-lived. For example, GRE
tunnels can come up when the router
boots and never terminate until the router
is rebooted. If you don’t select Log at
Session Start, you will never see that
there is an active GRE tunnel in the ACC.

Log at Session End (Optional) Select this option to capture a log at the end
of a cleartext tunnel session that matches the Tunnel
Inspection policy. This setting overrides the Log at
Session End setting in the Security Policy rule that
applies to the session.

Log Forwarding (Optional) Select a Log Forwarding profile from the drop-
down to specify where to forward tunnel inspection logs.
(This setting is separate from the Log Forwarding setting
in a Security policy rule, which applies to traffic logs.)

Name Tunnel ID (Optional) A name beginning with an alphanumeric character and containing zero or more alphanumeric, underscore, hyphen, period, and space characters. The Name describes the VNIs you are grouping. The name is a convenience, and is not a factor in logging, monitoring, or reporting.

By default, if you do not configure a VXLAN ID, all traffic is inspected. If you configure a VXLAN ID, you can use it as matching criteria to restrict traffic inspection to specific VNIs.

VXLAN ID (VNI) (Optional) Enter a single VNI, a comma-separated list of VNIs, a range of up to 16 million VNIs (with a hyphen as the separator), or a combination of these. For example:
1-54,1024,1677011-1677038,94
The maximum number of VXLAN IDs per policy is 4,096. To preserve configuration memory, use ranges where possible.

Any (target all devices) Target (Panorama only) Enable (check) to push the policy rule to all managed firewalls in the device group.

Devices (Panorama only) Select one or more managed firewalls associated with the device group to push the policy rule to.

Tags (Panorama only) Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag.

Target to all but these specified devices and tags (Panorama only) Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).
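
The strict header check described in the table above is a firewall setting, not something you configure byte by byte. As an added illustration (not code from this help page or from Palo Alto Networks), the following Python models what such a check has to verify for GRE under RFC 2784 and RFC 2890: version 0, all Reserved0 bits clear (bits 1 and 4-12, which RFC 1701 used for R, s, Recur and Flags, which is why the note warns about peers running older GRE), Reserved1 clear when a checksum is present, and a valid one's-complement checksum over header plus payload. The build_gre helper and SAMPLE_PAYLOAD are constructed for the demonstration; treating a nonzero Reserved1 as non-compliant is this example's choice.

```python
import struct

# Layout of the first 16 bits of a GRE header (RFC 2784 + RFC 2890).
# Everything marked reserved must be zero; those are exactly the bits an
# RFC 1701-era sender might still set (R, s, Recur, Flags).
FLAG_C = 0x8000          # bit 0: Checksum Present
FLAG_K = 0x2000          # bit 2: Key Present (RFC 2890)
FLAG_S = 0x1000          # bit 3: Sequence Number Present (RFC 2890)
RESERVED0_MASK = 0x4FF8  # bit 1 and bits 4-12: must be zero
VERSION_MASK = 0x0007    # bits 13-15: must be 0 (version 1 is PPTP, RFC 2637)


def internet_checksum(data):
    """RFC 1071 one's-complement checksum. Returns 0 for data whose
    embedded checksum field is already correct."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_gre_header(packet):
    """Strict RFC 2890 check of the GRE header at the start of packet.
    Returns (compliant, reasons, header_length); reasons is empty on success."""
    reasons = []
    if len(packet) < 4:
        return False, ["truncated: GRE header needs at least 4 bytes"], 0
    flags, _protocol_type = struct.unpack("!HH", packet[:4])
    if flags & VERSION_MASK:
        reasons.append("version %d, RFC 2890 requires 0" % (flags & VERSION_MASK))
    if flags & RESERVED0_MASK:
        reasons.append("reserved0 bits set: 0x%04x" % (flags & RESERVED0_MASK))
    offset = 4
    if flags & FLAG_C:
        if len(packet) < offset + 4:
            reasons.append("C set but checksum/reserved1 field missing")
            return False, reasons, offset
        _checksum, reserved1 = struct.unpack("!HH", packet[offset:offset + 4])
        if reserved1:
            reasons.append("reserved1 nonzero: 0x%04x" % reserved1)
        # The GRE checksum covers the entire header and the payload.
        if internet_checksum(packet) != 0:
            reasons.append("checksum mismatch")
        offset += 4
    if flags & FLAG_K:
        offset += 4
    if flags & FLAG_S:
        offset += 4
    if len(packet) < offset:
        reasons.append("optional fields announced by flags are truncated")
    return not reasons, reasons, offset


def build_gre(payload, protocol_type=0x0800, key=None, seq=None,
              with_checksum=False, extra_flags=0):
    """Build a GRE packet for testing. extra_flags lets a test set bits a
    compliant sender never would (e.g. 0x4000, the RFC 1701 R bit)."""
    flags = extra_flags
    if with_checksum:
        flags |= FLAG_C
    if key is not None:
        flags |= FLAG_K
    if seq is not None:
        flags |= FLAG_S
    header = struct.pack("!HH", flags, protocol_type)
    if with_checksum:
        header += struct.pack("!HH", 0, 0)  # checksum placeholder, reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    packet = header + payload
    if with_checksum:
        csum = internet_checksum(packet)
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


# Constructed sample payload for the demonstration (not a real capture).
SAMPLE_PAYLOAD = b"constructed inner IPv4 datagram bytes"
```

Run check_gre_header over a packet built with key, sequence number and checksum and it passes with a 16-byte header; set the old R bit or a nonzero version and it fails with the offending field named, which is the behaviour the "Drop packet if tunnel protocol fails strict header check" option enforces on the firewall.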

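
As an added example (not from this help page or from Palo Alto Networks), the following Python handles the VXLAN ID syntax shown in the Tunnel ID rows above: it parses single VNIs, hyphenated ranges and comma-separated combinations, checks every VNI against the 24-bit range, enforces the 4,096 limit, tests whether a given VNI would match the rule, and re-emits the list using ranges wherever possible, as the table advises. Reading the 4,096 limit as a count of list entries (a single range may cover up to 16 million VNIs, so it cannot be a count of VNIs) is this example's interpretation and is marked as such in the code.

```python
import re

VNI_MAX = 16_777_215            # the VNI is a 24-bit field
MAX_ENTRIES_PER_POLICY = 4096   # assumption: the 4,096 limit counts list entries

_ENTRY = re.compile(r"(\d+)(?:-(\d+))?")


def parse_vni_spec(spec):
    """Parse a Tunnel ID expression such as '1-54,1024,1677011-1677038,94'.

    Returns (low, high) pairs in the order written; a single VNI becomes
    (n, n). Raises ValueError for malformed entries, VNIs outside
    1..VNI_MAX, reversed ranges, or more entries than the policy allows.
    """
    entries = []
    for token in spec.split(","):
        token = token.strip()
        match = _ENTRY.fullmatch(token)
        if not match:
            raise ValueError("malformed VNI entry: %r" % token)
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) is not None else low
        if low > high:
            raise ValueError("reversed range: %r" % token)
        if low < 1 or high > VNI_MAX:
            raise ValueError("VNI outside 1-%d: %r" % (VNI_MAX, token))
        entries.append((low, high))
    if len(entries) > MAX_ENTRIES_PER_POLICY:
        raise ValueError("%d entries exceed the %d-entry limit"
                         % (len(entries), MAX_ENTRIES_PER_POLICY))
    return entries


def is_valid_vni_spec(spec):
    """Convenience wrapper: True if parse_vni_spec accepts the expression."""
    try:
        parse_vni_spec(spec)
        return True
    except ValueError:
        return False


def merge_entries(entries):
    """Coalesce overlapping and adjacent entries into sorted disjoint ranges."""
    merged = []
    for low, high in sorted(entries):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def vni_count(entries):
    """Number of distinct VNIs the expression selects."""
    return sum(high - low + 1 for low, high in merge_entries(entries))


def vni_matches(entries, vni):
    """True if a VXLAN packet carrying this VNI would match the Tunnel ID."""
    return any(low <= vni <= high for low, high in entries)


def compact_spec(entries):
    """Re-emit the expression with ranges wherever possible (the
    configuration-memory advice given in the table)."""
    return ",".join("%d-%d" % (low, high) if high > low else str(low)
                    for low, high in merge_entries(entries))
```

Feeding the table's own example through compact_spec yields 1-54,94,1024,1677011-1677038, the same set of 84 VNIs written in sorted, merged form; a list such as 10,11,12,5-9,8 collapses to the single range 5-12.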
Policies > Application Override
To change how the firewall classifies network traffic into applications, you can specify application override
policies. For example, if you want to control one of your custom applications, an application override
policy can be used to identify traffic for that application according to zone, source and destination address,
port, and protocol. If you have network applications that are classified as “unknown,” you can create new
application definitions for them (refer to Defining Applications).

If possible, avoid using application override policies because they prevent the firewall from
using App-ID to identify applications and from performing layer 7 inspection for threats. To
support internal proprietary applications, it’s better to create custom applications that include
the application signature so the firewall performs layer 7 inspection and scans the application
traffic for threats. If a commercial application doesn’t have an App-ID, submit a request for
a new App-ID. If a public application definition (default ports or signature) changes so the
firewall no longer identifies the application correctly, create a support ticket so Palo Alto
Networks can update the definition. In the meantime, create a custom application so the
firewall continues to perform layer 7 inspection of the traffic.

Like security policies, application override policies can be as general or specific as needed. The policy rules
are compared against the traffic in sequence, so the more specific rules must precede the more general
ones.
Because the App-ID engine in PAN-OS classifies traffic by identifying application-specific content in
network traffic, an application override rule should not identify an application by port number alone. The
rule must also restrict the matching traffic by source zone, source IP address, destination zone, and
destination IP address, so that only the intended flows bypass App-ID.
To create a custom application with application override:
• Create a custom application (see Defining Applications). It is not required to specify signatures for the
application if the application is used only for application override rules.
• Define an application override policy that specifies when the custom application should be invoked. A
policy typically includes the IP address of the server running the custom application and a restricted set
of source IP addresses or a source zone.
Use the following tables to configure an application override rule.
• Application Override General Tab
• Application Override Source Tab
• Application Override Destination Tab
• Application Override Protocol/Application Tab
• (Panorama only) Application Override Target Tab
Looking for more?
See Use Application Objects in Policy

Application Override General Tab


Select the General tab to configure a name and description for the application override policy. A tag can
also be configured to allow you to sort or filter policies when a large number of policies exist.

Field Description

Name Enter a name to identify the rule. The name is case-sensitive and
can have up to 63 characters, which can be letters, numbers, spaces,
hyphens, and underscores. The name must be unique on a firewall
and, on Panorama, unique within its device group and any ancestor or
descendant device groups.

Description Enter a description for the rule (up to 1024 characters).

Tag If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter
policies. This is useful when you have defined many policies and want
to view those that are tagged with a particular keyword. For example,
you may want to tag certain security policies with Inbound to DMZ,
decryption policies with the words Decrypt and No-decrypt, or use the
name of a specific data center for policies associated with that location.

Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag
allows you to view your policy rule base based on these tags. You can
select to group rules based on a Tag.

Audit Comment Enter a comment to audit the creation or editing of the policy rule. The
audit comment is case-sensitive and can have up to 256 characters,
which can be letters, numbers, spaces, hyphens, and underscores.

Audit Comment Archive View previous Audit Comments for the policy rule. Audit Comment
Archive can be exported in CSV format.

Application Override Source Tab


Select the Source tab to define the source zone or source address that defines the incoming source traffic
to which the application override policy will be applied.

Field Description

Source Zone Add source zones (default is any). Zones must be of the same type
(Layer 2, Layer 3, or virtual wire). To define new zones, refer to
Network > Zones.
Multiple zones can be used to simplify management. For example,
if you have three different internal zones (Marketing, Sales, and
Public Relations) that are all directed to the untrusted destination
zone, you can create one rule that covers all cases.

Source Address Add source addresses, address groups, or regions (default is any).
Select from the drop-down, or click Address, Address Group, or
Regions at the bottom of the drop-down, and specify the settings.
Select Negate to choose any address except the configured ones.

Application Override Destination Tab
Select the Destination tab to define the destination zone or destination address that defines the destination
traffic to which the policy will be applied.

Field Description

Destination Zone Click Add to choose destination zones (default is any). Zones must
be of the same type (Layer 2, Layer 3, or virtual wire). To define
new zones, refer to Network > Zones.
Multiple zones can be used to simplify management. For example,
if you have three different internal zones (Marketing, Sales, and
Public Relations) that are all directed to the untrusted destination
zone, you can create one rule that covers all cases.

Destination Address Click Add to add destination addresses, address groups, or regions
(default is any). Select from the drop-down, or click Address,
Address Group, or Regions at the bottom of the drop-down, and
specify the settings.
Select Negate to choose any address except the configured ones.

Application Override Protocol/Application Tab


Select the Protocol/Application tab to define the protocol (TCP or UDP), port, and application that further
defines the attributes of the application for the policy match.

Field Description

Protocol Select the protocol (TCP or UDP) for which to allow an application override.

Port Enter the port number (0 to 65535) or range of port numbers (port1-port2)
for the specified destination addresses. Multiple ports or ranges must be
separated by commas.

Application Select the override application for traffic flows that match the above
rule criteria. When overriding to a custom application, there is no threat
inspection that is performed. The exception to this is when you override to
a pre-defined application that supports threat inspection.
To define new applications, refer to Objects > Applications.

Application Override Target Tab


• (Panorama only) Policies > Application Override > Target
Select the Target tab to select which managed firewalls in the device group to push the policy rule to. You
can specify which managed firewalls to push to by selecting the managed firewalls or by specifying a tag.
Additionally, you can configure the policy rule target to push to all managed firewalls except for those
specified.

NAT Rule - Target Settings    Description

Any (target all devices)    Enable (check) to push the policy rule to all managed firewalls in the device group.

Devices Select one or more managed firewalls associated with the device group to push the
policy rule to.

Tags Add one or more tags to push the policy rule to managed firewalls in the device
group with the specified tag.

Target to all but these specified devices and tags    Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).

Policies > Authentication
Your Authentication policy enables you to authenticate end users before they can access network
resources.

What do you want to know?    See:

What are the fields available to create an Authentication rule?    Building Blocks of an Authentication Policy Rule

How can I use the web interface to manage Authentication policy?    Create and Manage Authentication Policy
    For Panorama, see Move or Clone a Policy Rule

Looking for more?    Authentication Policy

Building Blocks of an Authentication Policy Rule


Whenever a user requests a resource (such as when visiting a web page), the firewall evaluates
Authentication policy. Based on the matching policy rule, the firewall then prompts the user to respond
to one or more challenges of different factors (types), such as login and password, voice, SMS, push, or
one-time password (OTP) authentication. After the user responds to all the factors, the firewall evaluates
Security policy (see Policies > Security) to determine whether to allow access to the resource.

The firewall does not prompt users to authenticate if they access non-web-based resources
(such as a printer) through a GlobalProtect™ gateway that is internal or in tunnel mode.
Instead, the users will see connection failure messages. To ensure users can access these
resources, set up an authentication portal and train users to visit it when they see connection
failures. Consult your IT department to set up an authentication portal.

The following table describes each building block or component in an Authentication policy rule. Before you
Add a rule, complete the prerequisites described in Create and Manage Authentication Policy.

Building Blocks in an Authentication Rule    Configured In    Description

Rule number    N/A    Each rule is automatically numbered and the order changes as rules are moved. When you filter rules to match specific filters, the Policies > Authentication page lists each rule with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order. For details, see rule sequence and its evaluation order.

Name    General    Enter a name to identify the rule. The name is case-sensitive and can have up to 63 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.

Description Enter a description for the rule (up to 1024 characters).

Tag Select a tag for sorting and filtering rules (see Objects >
Tags).

Group Rules by Tag    Enter a tag with which to group similar policy rules. The group tag allows you to view your policy rule base based on these tags. You can group rules based on a Tag.

Audit Comment    Enter a comment to audit the creation or editing of the policy rule. The audit comment is case-sensitive and can have up to 256 characters, which can be letters, numbers, spaces, hyphens, and underscores.

Audit Comment Archive    View previous Audit Comments for the policy rule. You can export the Audit Comment Archive in CSV format.

Source Zone Source Add zones to apply the rule only to traffic coming from
interfaces in the zones that you specify (default is any).
To define new zones, see Network > Zones.

Source Address    Add addresses or address groups to apply the rule only to traffic originating from the sources that you specify (default is any).
Select Negate to choose any address except the selected ones.
To define new address or address groups, see Objects > Addresses and Objects > Address Groups.

Source User    User    Select the source users or user groups to which the rule applies:
• any—Includes any traffic regardless of source user.
• pre-logon—Includes remote users who are not logged into their client systems but whose client systems connect to the network through the GlobalProtect pre-logon feature.
• known-user—Includes all users for whom the firewall already has IP address-to-username mappings before the rule invokes authentication.
• unknown—Includes all users for whom the firewall does not have IP address-to-username mappings. After the rule invokes authentication, the firewall creates user mappings for unknown users based on the usernames they entered.
• Select—Includes only the users and user groups that you Add to the Source User list.

If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID™ agent, the list of users does not display; you must enter user information manually.

Source HIP Profile    Add host information profiles (HIP) to enable you to collect information about the security status of your end hosts, such as whether they have the latest security patches and antivirus definitions. For details and to define new HIPs, see Objects > GlobalProtect > HIP Profiles.

Destination Zone    Destination    Add zones to apply the rule only to traffic going to interfaces in the zones that you specify (default is any). To define new zones, see Network > Zones.

Destination Address    Add addresses or address groups to apply the rule only to the destinations that you specify (default is any).
Select Negate to choose any address except the selected ones.
To define new address or address groups, see Objects > Addresses and Objects > Address Groups.

Service Service/URL Category Select from the following options to apply the rule only
to services on specific TCP and UDP port numbers:
• any—Specifies services on any port and using any
protocol.
• default—Specifies services only on the default ports
that Palo Alto Networks defines.
• Select—Enables you to Add services or service
groups. To create new services and service groups,
see Objects > Services and Objects > Service
Groups.

The default selection is service-http.


When you use the Authentication
policy for Authentication Portal, also
enable service-https to ensure that
the firewall learns user-to-ip-address
mapping for all web traffic.


URL Category Select the URL categories to which the rule applies:
• Select any to specify all traffic regardless of the URL
category.
• Add categories. To define custom categories, see
Objects > Custom Objects > URL Category.

Authentication Enforcement    Actions    Select the authentication enforcement object (Objects > Authentication) that specifies the method (such as Authentication Portal or browser challenge) and authentication profile that the firewall uses to authenticate users. The authentication profile defines whether users respond to a single challenge or to multi-factor authentication (see Device > Authentication Profile). You can select a predefined or custom authentication enforcement object.

If you must exclude hosts or servers from an Authentication Portal policy, add them to an Authentication Profile that specifies no-captive-portal as the Authentication Enforcement. However, Authentication Portal policies help the firewall learn user-to-IP-address mapping and should be used when possible.

Timeout To reduce the frequency of authentication challenges


that interrupt the user workflow, you can specify the
interval in minutes (default is 60) when the firewall
prompts the user to authenticate only once for repeated
access to resources.
If the Authentication Enforcement object specifies
multi-factor authentication, the user must authenticate
once for each factor. The firewall records a timestamp
and reissues a challenge only when the timeout for a
factor expires. Redistributing the timestamps to other
firewalls enables you to apply the timeout even if the
firewall that initially allows access for a user is not the
same firewall that later controls access for that user.

Timeout is a tradeoff between tighter security (less time between authentication prompts) and the user experience (more time between authentication prompts). More frequent authentication is often the right choice for access to critical systems and sensitive areas such as a data center. Less frequent authentication is often the right choice at the network perimeter and for businesses for which the user experience is key.
For perimeter resources, set the value to 480 minutes (8 hours) and for data center resources and critical systems, set a lower value such as 60 minutes to tighten security. Monitor and adjust the values as necessary.

Log Authentication Timeouts    Select this option (disabled by default) if you want the firewall to generate Authentication logs whenever the Timeout associated with an authentication factor expires. Enabling this option provides more data to troubleshoot access issues. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network (such as brute force attacks).

Enabling this option increases log traffic.

Log Forwarding    Select a Log Forwarding profile if you want the firewall to forward Authentication logs to Panorama or to external services such as a syslog server (see Objects > Log Forwarding).

Any (target all devices)    Target (Panorama only)    Enable (check) to push the policy rule to all managed firewalls in the device group.

Devices    Target (Panorama only)    Select one or more managed firewalls associated with the device group to push the policy rule to.

Tags    Target (Panorama only)    Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag.

Target to all but these specified devices and tags    Target (Panorama only)    Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).
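The per-factor Timeout, the Log Authentication Timeouts option and timestamp redistribution described in the table above, modelled as an added example (not Palo Alto Networks code). It assumes integer minutes for time, a dict keyed by (user, factor) as the timestamp store, and constructed user and factor names.

```python
"""Added example, not Palo Alto Networks code: a toy model of the per-factor
Timeout behaviour described above, including the Log Authentication Timeouts
option and redistribution of recorded timestamps to another firewall.

Assumptions (not from the page): times are plain integers in minutes, the
timestamp store is a dict keyed by (user, factor), a factor's timeout has
expired when now - last_auth >= timeout, and the factor names and users are
constructed for the example.
"""
from typing import Dict, List, Tuple

StampKey = Tuple[str, str]  # (user, factor)


class AuthTimeoutState:
    """Per-user, per-factor authentication timestamps kept by one firewall."""

    def __init__(self, timeout_minutes: int = 60, log_timeouts: bool = False):
        self.timeout = timeout_minutes        # the rule's Timeout (default 60)
        self.log_timeouts = log_timeouts      # Log Authentication Timeouts option
        self._stamps: Dict[StampKey, int] = {}
        self.logs: List[str] = []             # constructed Authentication log lines

    def record_success(self, user: str, factor: str, now: int) -> None:
        """The user answered this factor: record the timestamp."""
        self._stamps[(user, factor)] = now

    def factors_to_challenge(self, user: str, factors: List[str], now: int) -> List[str]:
        """Factors the user must answer on this request: those never answered,
        or whose own timeout has expired. Factors still within their timeout are
        skipped, so repeated access within the interval causes no prompt."""
        due = []
        for factor in factors:
            last = self._stamps.get((user, factor))
            if last is None:
                due.append(factor)
            elif now - last >= self.timeout:
                due.append(factor)
                if self.log_timeouts:
                    # one Authentication log entry per expired factor
                    self.logs.append(
                        f"auth-timeout user={user} factor={factor} "
                        f"last={last} now={now} timeout={self.timeout}")
        return due

    def export_stamps(self) -> Dict[StampKey, int]:
        """Timestamps to redistribute to other firewalls."""
        return dict(self._stamps)

    def merge_stamps(self, received: Dict[StampKey, int]) -> None:
        """Merge redistributed timestamps, keeping the newest per (user, factor),
        so a firewall that did not perform the authentication still honours it."""
        for key, stamp in received.items():
            if stamp > self._stamps.get(key, -1):
                self._stamps[key] = stamp
```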

Create and Manage Authentication Policy
Select the Policies > Authentication page to create and manage Authentication policy rules:

Task Description

Add    Perform the following prerequisites before creating Authentication policy rules:
• Configure the User-ID™ Authentication Portal settings (see Device > User Identification > Authentication Portal Settings). The firewall uses Authentication Portal to display the first authentication factor that the Authentication rule requires. Authentication Portal also enables the firewall to record the timestamps associated with authentication Timeout periods and to update user mappings.
• Configure a server profile that specifies how the firewall can access the service that will authenticate users (see Device > Server Profiles).
• Assign the server profile to an authentication profile that specifies authentication settings (see Device > Authentication Profile).
• Assign the authentication profile to an authentication enforcement object that specifies the authentication method (see Objects > Authentication).
To create a rule, perform one of the following steps and then complete the fields described in Building Blocks of an Authentication Policy Rule:
• Click Add.
• Select a rule on which to base the new rule and click Clone Rule. The firewall inserts the copied rule, named <rulename>#, below the selected rule, where # is the next available integer that makes the rule name unique, and generates a new UUID for the cloned rule. For details, see Move or Clone a Policy Rule.

Modify To modify a rule, click the rule Name and edit the fields described in Building Blocks of
an Authentication Policy Rule.

If the firewall received the rule from Panorama, the rule is read-only;
you can edit it only on Panorama.

Move When matching traffic, the firewall evaluates rules from top to bottom in the order
that the Policies > Authentication page lists them. To change the evaluation order,
select a rule and Move Up, Move Down, Move Top, or Move Bottom. For details, see
Move or Clone a Policy Rule.

Delete To remove an existing rule, select and Delete it.

Enable/Disable To disable a rule, select and Disable it. To re-enable a disabled rule, select and Enable
it.

Highlight Unused Rules    To identify rules that have not matched traffic since the last time the firewall was restarted, Highlight Unused Rules. You can then decide whether to disable or delete unused rules. The page highlights unused rules with a dotted yellow background.

Preview rules (Panorama only)    Click Preview Rules to view a list of the rules before you push the rules to the managed firewalls. Within each rulebase, the page visually demarcates the rule hierarchy for each device group (and managed firewall) to facilitate scanning of numerous rules.

Policies > DoS Protection
A DoS Protection policy allows you to protect individual critical resources against DoS attacks by specifying
whether to deny or allow packets that match a source interface, zone, address or user and/or a destination
interface, zone, or user.
Alternatively, you can choose the Protect action and specify a DoS profile where you set the thresholds
(sessions or packets per second) that trigger an alarm, activate a protective action, and indicate the
maximum rate above which all new connections are dropped. Thus, you can control the number of
sessions between interfaces, zones, addresses, and countries based on aggregate sessions or source and/
or destination IP addresses. For example, you can control traffic to and from certain addresses or address
groups, or from certain users and for certain services.
The firewall enforces DoS Protection policy rules before Security policy rules to ensure the firewall uses its
resources in the most efficient manner. If a DoS Protection policy rule denies a packet, that packet never
reaches a Security policy rule.
The following tables describe the DoS Protection policy settings:
• DoS Protection General Tab
• DoS Protection Source Tab
• DoS Protection Destination Tab
• DoS Protection Option/Protection Tab
• (Panorama only) DoS Protection Target Tab
Looking for more?
See DoS Protection Profiles and Objects > Security Profiles > DoS Protection.

DoS Protection General Tab


• Policies > DoS Protection > General
Select the General tab to configure a name and description for the DoS Protection policy. You can also
configure a tag to allow you to sort or filter policies when many policies exist.

Field Description

Name Enter a name to identify the DoS Protection policy rule. The name is case-sensitive
and can have up to 63 characters, which can be letters, numbers, spaces, hyphens, and
underscores. The name must be unique on a firewall and, on Panorama, unique within
its device group and any ancestor or descendant device groups.

Description Enter a description for the rule (up to 1024 characters).

Tags If you want to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter policies. A tag is
useful when you have defined many policies and want to view those that are tagged
with a particular keyword. For example, you may want to tag certain security policies
with Inbound to DMZ, decryption policies with the words Decrypt or No-decrypt, or
use the name of a specific data center for policies associated with that location.

Group Rules by Enter a tag with which to group similar policy rules. The group tag allows you to view
Tag your policy rule base based on these tags. You can group rules based on a Tag.


Audit Comment    Enter a comment to audit the creation or editing of the policy rule. The audit comment is case-sensitive and can have up to 256 characters, which can be letters, numbers, spaces, hyphens, and underscores.

Audit Comment Archive    View previous Audit Comments for the policy rule. You can export the Audit Comment Archive in CSV format.

DoS Protection Source Tab


Select the Source tab to define the source interface(s) or source zone(s), and optionally the source
address(es) and source user(s) that define the incoming traffic to which the DoS policy rule applies.

Field Description

Type Select the type of source to which the DoS Protection policy rule applies:
• Interface—Apply the rule to traffic coming from the specified interface or group of
interfaces.
• Zone—Apply the rule to traffic coming from any interface in a specified zone.
Click Add to select multiple interfaces or zones.

Source Select Any or Add and specify one or more source addresses to which the DoS
Address Protection policy rule applies.
(Optional) Select Negate to specify that the rule applies to any addresses except those
specified.

Source User Specify one or more source users to which the DoS Protection policy rule applies:
• any—Includes packets regardless of the source user.
• pre-logon—Includes packets from remote users that are connected to the network
using GlobalProtect, but are not logged into their system. When pre-logon is
configured on the Portal for GlobalProtect apps, any user who is not currently
logged into their machine will be identified with the username pre-logon. You can
then create policies for pre-logon users and although the user is not directly logged
in, their machines are authenticated on the domain as if they were fully logged in.
• known-user—Includes all authenticated users, which means any IP address with
user data mapped. This option is equivalent to the “domain users” group on a
domain.
• unknown—Includes all unauthenticated users, which means IP addresses that are
not mapped to a user. For example, you could use unknown for guest level access
to something because they will have an IP address on your network, but will not
be authenticated to the domain and will not have IP address-to-username mapping
information on the firewall.
• Select—Includes users specified in this window. For example, you can select one
user, a list of individuals, some groups, or manually add users.

If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server and not from the User-ID™ agent, the list of users does not display; you must enter user information manually.

DoS Protection Destination Tab


Select the Destination tab to define the destination zone or interface and destination address that define
the destination traffic to which the policy applies.

Field Description

Type Select the type of destination to which the DoS Protection policy rule applies:
• Interface—Apply the rule to packets going to the specified interface or group of
interfaces. Click Add and select one or more interfaces.
• Zone—Apply the rule to packets going to any interface in the specified zone. Click
Add and select one or more zones.

Destination Select Any or Add and specify one or more destination addresses to which the DoS
Address Protection policy rule applies.
(Optional) Select Negate to specify that the rule applies to any addresses except those
specified.

DoS Protection Option/Protection Tab


Select the Option/Protection tab to configure options for the DoS Protection policy rule, such as the type
of service to which the rule applies, the action to take against packets that match the rule, and whether to
trigger log forwarding for matched traffic. You can define a schedule for when the rule is active.
You can also select an aggregate DoS Protection profile and/or a classified DoS Protection profile, which
determine the threshold rates that, when exceeded, cause the firewall to take protective actions, such as
trigger an alarm, activate an action such as Random Early Drop, and drop packets that exceed the maximum
threshold rate.

Field Description

Service Click Add and select one or more services to which the DoS Protection policy applies.
The default is Any service. For example, if the DoS policy protects web servers, specify
HTTP, HTTPS, and any other appropriate service ports for the web applications.

For critical servers, create separate DoS Protection rules to protect the unused service ports to help prevent targeted attacks.

Action Select the action the firewall performs on packets that match the DoS Protection
policy rule:
• Deny—Drop all packets that match the rule.
• Allow—Permit all packets that match the rule.

• Protect—Enforce the protections defined in the selected DoS Protection profile on packets that match the rule. Packets that match the rule are counted toward the threshold rates in the DoS Protection profile, which in turn trigger an alarm, activate another action, and trigger packet drops when the maximum rate is exceeded.

The object of applying DoS Protection is to protect against DoS attacks, so you should usually use Protect. Deny drops legitimate traffic along with DoS traffic and Allow doesn’t stop DoS attacks. Use Deny and Allow only to make exceptions within a group. For example, you can deny the traffic from most of a group but allow a subset of that traffic, or allow the traffic from most of a group but deny a subset of that traffic.

Schedule Specify the schedule when the DoS Protection policy rule is in effect. The default
setting of None indicates no schedule; the policy is always in effect.
Alternatively, select a schedule or create a new schedule to control when the DoS
Protection policy rule is in effect. Enter a Name for the schedule. Select Shared to
share this schedule with every virtual system on a multiple virtual system firewall.
Select a Recurrence of Daily, Weekly, or Non-recurring. Add a Start Time and End
Time in hours:minutes, based on a 24-hour clock.

Log If you want to trigger forwarding of threat log entries for matched traffic to an
Forwarding external service, such as to a syslog server or Panorama, select a Log Forwarding
profile or click Profile to create a new one.

The firewall logs and forwards only traffic that matches an action in the
rule.

For easier management, forward DoS logs separately from other Threat logs, both directly to administrators via email and to a log server.

Aggregate Aggregate DoS Protection profiles set thresholds that apply to the combined group of
devices specified in the DoS Protection rule to protect those server groups. For
example, an Alarm Rate threshold of 10,000 CPS means that when the total new CPS
to the entire group exceeds 10,000 CPS, the firewall triggers an alarm message.
Select an Aggregate DoS Protection profile that specifies the threshold rates at which
the incoming connections per second trigger an alarm, activate an action, and exceed a
maximum rate. All incoming connections (the aggregate) count toward the thresholds
specified in an Aggregate DoS Protection profile.
An Aggregate profile setting of None means there are no threshold settings in place
for the aggregate traffic. See Objects > Security Profiles > DoS Protection.

Classified Classified DoS Protection profiles set thresholds that apply to each individual device
specified in the DoS Protection rule to protect individual or small groups of critical
servers. For example, an Alarm Rate threshold of 10,000 CPS means that when the
total new CPS to any individual server specified in the rule exceeds 10,000 CPS, the
firewall triggers an alarm message.

Select this option and specify the following:
• Profile—Select a Classified DoS Protection profile to apply to this rule.
• Address—Select whether incoming connections count toward the thresholds in the
profile if they match the source-ip-only, destination-ip-only, or src-dest-ip-both.

The firewall consumes more resources to track src-dest-ip-both counters than to track only the source IP or only the destination IP counters.
If you specify a Classified DoS Protection profile, only the incoming connections
that match a source IP address, destination IP address, or source and destination IP
address pair count toward the thresholds specified in the profile. For example, you can
specify a Classified DoS Protection profile with a Max Rate of 100 cps, and specify
an Address setting of source-ip-only in the rule. The result would be a limit of 100
connections per second for that particular source IP address.

Don’t use source-ip-only or src-dest-ip-both for internet-facing zones because the firewall can’t store counters for all possible internet IP addresses. Use destination-ip-only in perimeter zones.
Use destination-ip-only to protect individual critical devices.
Use source-ip-only and the Alarm threshold to monitor suspect hosts in non-internet-facing zones.

See Objects > Security Profiles > DoS Protection.
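The Aggregate and Classified threshold behaviour described in the rows above, and the counter cost of each Address setting, as an added example (not Palo Alto Networks code). It assumes one-second rate buckets over constructed connection attempts and uses alarm_rate, activate_rate and max_rate as stand-ins for the profile's Alarm Rate, Activate Rate and Max Rate; IP addresses are constructed.

```python
"""Added example, not Palo Alto Networks code: a toy model of how a DoS
Protection rule with the Protect action counts new connections per second
against the thresholds of an Aggregate profile and a Classified profile.

Assumptions (not from the page): rates are measured in one-second buckets over
a constructed list of connection attempts; alarm_rate / activate_rate /
max_rate stand for the profile's Alarm Rate, Activate Rate and Max Rate, and a
threshold is "exceeded" when the count is strictly greater than it.
"""
from collections import defaultdict
from typing import Dict, Optional, Tuple


class DosProfile:
    """Threshold rates (new connections per second) of a DoS Protection profile."""

    def __init__(self, alarm_rate: int, activate_rate: int, max_rate: int):
        self.alarm_rate = alarm_rate        # exceeded -> alarm message
        self.activate_rate = activate_rate  # exceeded -> protective action (e.g. RED)
        self.max_rate = max_rate            # exceeded -> new connections dropped

    def verdict(self, cps: int) -> str:
        if cps > self.max_rate:
            return "drop"
        if cps > self.activate_rate:
            return "activate"
        if cps > self.alarm_rate:
            return "alarm"
        return "allow"


def classified_key(src: str, dst: str, address: str) -> Tuple[str, ...]:
    """Counter key a Classified profile tracks, per the rule's Address setting."""
    if address == "source-ip-only":
        return (src,)
    if address == "destination-ip-only":
        return (dst,)
    if address == "src-dest-ip-both":
        return (src, dst)
    raise ValueError(f"unknown Address setting: {address}")


class ProtectRule:
    """A DoS Protection rule with action Protect."""

    def __init__(self, aggregate: Optional[DosProfile] = None,
                 classified: Optional[DosProfile] = None,
                 address: str = "destination-ip-only"):
        self.aggregate = aggregate
        self.classified = classified
        self.address = address
        # aggregate counter: second -> total new connections matching the rule
        self._agg: Dict[int, int] = defaultdict(int)
        # classified counters: second -> key -> new connections for that key
        self._cls: Dict[int, Dict[Tuple[str, ...], int]] = defaultdict(
            lambda: defaultdict(int))

    def new_connection(self, second: int, src: str, dst: str) -> Dict[str, str]:
        """Count one new connection and return each profile's verdict."""
        result = {"aggregate": "allow", "classified": "allow"}
        if self.aggregate is not None:
            self._agg[second] += 1          # every matching connection counts
            result["aggregate"] = self.aggregate.verdict(self._agg[second])
        if self.classified is not None:
            key = classified_key(src, dst, self.address)
            self._cls[second][key] += 1     # only connections for this key count
            result["classified"] = self.classified.verdict(self._cls[second][key])
        return result

    def classified_counters(self, second: int) -> int:
        """How many classified counters exist for that second: the memory cost
        that makes src-dest-ip-both more expensive than a single-IP key."""
        return len(self._cls[second])


def demo() -> Dict[str, int]:
    """Constructed scenario: the same six (src, dst) pairs under each Address
    setting, returning the number of counters each setting needs."""
    pairs = [(s, d) for s in ("10.0.0.1", "10.0.0.2", "10.0.0.3")
             for d in ("192.0.2.10", "192.0.2.11")]
    counts = {}
    for address in ("source-ip-only", "destination-ip-only", "src-dest-ip-both"):
        rule = ProtectRule(classified=DosProfile(50, 80, 100), address=address)
        for src, dst in pairs:
            rule.new_connection(0, src, dst)
        counts[address] = rule.classified_counters(0)
    return counts


if __name__ == "__main__":
    print(demo())  # {'source-ip-only': 3, 'destination-ip-only': 2, 'src-dest-ip-both': 6}
```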

DoS Protection Target Tab


• (Panorama only) Policies > DoS Protection > Target
Select the Target tab to select which managed firewalls in the device group to push the policy rule to. You
can specify which managed firewalls to push to by selecting the managed firewalls or by specifying a tag.
Additionally, you can configure the policy rule target to push to all managed firewalls except for those
specified.

NAT Rule - Target Settings    Description

Any (target all devices)    Enable (check) to push the policy rule to all managed firewalls in the device group.

Devices    Select one or more managed firewalls associated with the device group to push the policy rule to.

Tags    Add one or more tags to push the policy rule to managed firewalls in the device group with the specified tag.

Target to all but these specified devices and tags    Enable (check) to push the policy rule to all managed firewalls associated with the device group except for the selected device(s) and tag(s).

Policies > SD-WAN
Add an SD-WAN policy to configure the link path management settings per application, or for a group
of applications that traverse the same link, based on the jitter, latency, and packet loss health metrics
you configure. When certain paths between the source and destination for critical applications experience
degradation, the SD-WAN policy rule selects a new optimal path to ensure that sensitive and critical
applications perform according to the path quality profile assigned to them in the SD-WAN policy rule.
• SD-WAN General Tab
• SD-WAN Source Tab
• SD-WAN Destination Tab
• SD-WAN Application/Service Tab
• SD-WAN Path Selection Tab
• (Panorama Only) SD-WAN Target Tab

SD-WAN General Tab


• Policies > SD-WAN > General
Select the General tab to configure a name and description for the SD-WAN policy. A tag can also be
configured to allow you to sort or filter policies when a large number of policies exist.

Field Description

Name Enter a name to identify the rule. The name is case-sensitive and
can have up to 63 characters, which can be letters, numbers, spaces,
hyphens, and underscores. The name must be unique on a firewall
and, on Panorama, unique within its device group and any ancestor or
descendant device groups.

Description Enter a description for the rule (up to 1,024 characters).

Tag If you need to tag the policy, Add and specify the tag.
A policy tag is a keyword or phrase that allows you to sort or filter
policies. This is useful when you have defined many policies and want
to view those that are tagged with a particular keyword. For example,
you may want to tag certain SD-WAN policies with unique tags that
identify the specific hubs or branches that the rule applies to.

Group Rules by Tag Enter a tag with which to group similar policy rules. The group tag
allows you to view your policy rule base based on these tags. You can
select to group rules based on a Tag.

Audit Comment Enter a comment to audit the creation or editing of the policy rule. The
audit comment is case-sensitive and can have up to 256 characters,
which can be letters, numbers, spaces, hyphens, and underscores.

Audit Comment Archive View previous Audit Comments for the policy rule. Audit Comment
Archive can be exported in CSV format.

SD-WAN Source Tab
• Policies > SD-WAN > Source
Select the Source tab to define the source zones, source addresses, and source users that define the
incoming packets to which the SD-WAN policy applies.

Field Description

Source Zone To specify a source zone, select Add and select one or more zones, or select
Any zone.
Specifying multiple zones can simplify management. For example, if you
have three branches in different zones and you want the remaining match
criteria and path selection to be the same for the three branches, you can
create one SD-WAN rule and specify the three source zones to cover the
three branches.

Only Layer 3 type zones are supported for SD-WAN policy rules.

Source Address To specify source addresses, Add source addresses or external dynamic
lists (EDL), select from the drop-down, or select Address and create a new
address object. Alternatively, select Any source address (default).

Source User To specify certain users, select Add (the type then indicates select) and
enter a user, list of users, or groups of users. Alternatively, select a type of
user:
• any—(default) Include any user, regardless of user data.
• pre-logon—Include remote users who are connected to the network
using GlobalProtect™, but are not logged into their system. When the
Pre-logon option is configured on the Portal for GlobalProtect apps, any
user who is not currently logged into their machine will be identified
with the username pre-logon. You can then create policies for pre-logon
users and although the user is not logged in directly, their machines are
authenticated on the domain as if they were fully logged in.
• known-user—Includes all authenticated users, which means any IP
address with user data mapped. This option is equivalent to the “domain
users” group on a domain.
• unknown—Includes all unauthenticated users, which means IP addresses
that are not mapped to a user. For example, you could select unknown
for guest-level access to something because they will have an IP address
on your network, but will not be authenticated to the domain and will
not have IP address-to-user mapping information on the firewall.

If the firewall collects user information from a RADIUS, TACACS+, or SAML identity provider server
and not from the User-ID™ agent, the list of users does not display; you must enter user information
manually.

SD-WAN Destination Tab
• Policies > SD-WAN > Destination
Select the Destination tab to define the destination zone(s) or destination address(es) that define the traffic
to which the SD-WAN policy rule applies.

Field Description

Destination Zone Add destination zones (default is any). Zones must be Layer 3. To
define new zones, refer to Network > Zones.
Add multiple zones to simplify management. For example, if you have
three different internal zones (Marketing, Sales, and Public Relations)
that are all directed to the untrusted destination zone, you can create
one rule that covers all cases.

Destination Address Add destination addresses, address groups, External Dynamic Lists
(EDL), or regions (default is Any). Select from the drop-down, or click
Address or Address Group at the bottom of the drop-down, and
specify the settings.
Select Negate to choose any address except the configured ones.

SD-WAN Application/Service Tab


• Policies > SD-WAN > Application/Service
Select the Application/Service tab to specify the applications or services to which the SD-WAN policy rule
applies and to specify profiles (Path Quality, SaaS Quality, and Error Correction profiles) that apply to the
applications or services.

Field Description

Path Quality Profile Select a path quality profile that determines the maximum jitter,
latency and packet loss percentage thresholds you want to apply to the
specified applications and services. If a path quality profile has not yet
been created, you can create a New SD-WAN Path Quality Profile.

SaaS Quality Profile Select a SaaS quality profile to specify the path quality thresholds for
latency, jitter, and packet loss for a hub or branch firewall that has a
Direct Internet Access (DIA) link to a Software-as-a-Service (SaaS)
application. If a SaaS quality profile has not yet been created, you can
create a New SaaS Quality Profile. Default is None (disabled).

Error Correction Profile Select an Error Correction Profile or create a new Error Correction
Profile, which specifies the parameters to control forward error
correction (FEC) or path duplication for the applications or services
specified in the rule. This profile can be used by either a hub or a branch
firewall. Default is None (disabled).

Applications Add specific applications for the SD-WAN policy rule, or select Any. If
an application has multiple functions, select the overall application or
individual functions. If you select the overall application, all functions
are included and the application definition is automatically updated as
future functions are added.
If you are using application groups, filters, or containers in the SD-
WAN policy rule, view details of these objects by hovering over the
object in the Application column, opening the drop-down, and selecting
Value. This allows you to view application members directly from the
policy without having to navigate to the Object tab.

Add only business-critical applications that are affected by latency, jitter, or packet loss. Avoid adding
application categories or sub-categories as these are too broad and do not allow for per-application control.

Service Add specific services for the SD-WAN policy rule and select on which
ports packets from these services are allowed or denied:
• any—The selected services are allowed or denied on any protocol or
port.
• application-default—The selected services are allowed or denied
only on their default ports defined by Palo Alto Networks®. This
option is recommended for policies that specify the allow action
because it prevents services from running on unusual ports and
protocols which, if unintentional, can be a sign of undesired service
behavior and usage.

When you use this option, only the default port matches the SD-WAN policy and the action is enforced.
Other services not on the default port may be allowed depending on the Security policy rule, but do not
match the SD-WAN policy, and no SD-WAN policy rule action is taken.

For most services, use application-default to prevent the service from using non-standard ports or
exhibiting other evasive behaviors. If the default port for the service changes, the firewall automatically
updates the rule to the correct default port. For services that use non-standard ports, such as internal
custom services, either modify the service or create a rule that specifies the non-standard ports and
apply the rule only to the traffic that requires the service.

• Select—Add an existing service or choose Service or Service Group to specify a new entry (or select
Objects > Services and Objects > Service Groups).

SD-WAN Path Selection Tab


• Policies > SD-WAN > Path Selection
Select the Path Selection tab to define paths for applications or services traffic to swap to if the primary
path quality exceeds the configured path quality thresholds in the Path Quality Profile.

Field Description

Traffic Distribution Profile From the drop-down select a traffic distribution profile, which
determines how the firewall selects an alternate path for the
application or service traffic when one of the path health metrics for
the preferred path exceeds the threshold configured in the path quality
profile for the rule.

SD-WAN Target Tab


• Policies > SD-WAN > Target
Select the Target tab to select the managed devices to push the SD-WAN policy rules to. This tab is
supported only on the Panorama management server.

Field Description

Any (target all devices) Enable (check) to have the Panorama management server push the SD-WAN
policy rule to all devices.

Devices Select one or more devices to which to push the SD-WAN policy rule.
You can filter devices based on device state, platform, device group,
templates, tags, or HA status.

Tags Specify the tag for the policy.
A policy tag is a keyword or phrase that allows you to sort or filter
policies. This is useful when you have defined many policies and want
to view those that are tagged with a particular keyword. For example,
you may want to tag certain rules with specific words like Decrypt
and No-decrypt, or use the name of a specific data center for policies
associated with that location.
You can also add tags to the default rules.

Target to all but these Enable (check) to target and push the policy rule to all devices except
specified devices and tags for the selected Devices and Tags.

Objects
Objects are the elements that enable you to construct, schedule, and search for policy rules,
and Security Profiles provide threat protection in policy rules.
This section describes how to configure the Security Profiles and objects that you can use with
Policies:

> Move, Clone, Override, or Revert Objects
> Objects > Addresses
> Objects > Address Groups
> Objects > Regions
> Objects > Applications
> Objects > Application Groups
> Objects > Application Filters
> Objects > Services
> Objects > Service Groups
> Objects > Tags
> Objects > Devices
> Objects > GlobalProtect > HIP Objects
> Objects > GlobalProtect > HIP Profiles
> Objects > External Dynamic Lists
> Objects > Custom Objects
> Objects > Security Profiles
> Objects > Security Profiles > Mobile Network Protection
> Objects > Security Profiles > SCTP Protection
> Objects > Security Profile Groups
> Objects > Log Forwarding
> Objects > Authentication
> Objects > Decryption Profile
> Objects > SD-WAN Link Management
> Objects > Schedules

Move, Clone, Override, or Revert Objects
See the following topics for options to modify existing objects:
• Move or Clone an Object
• Override or Revert an Object

Move or Clone an Object


When moving or cloning objects, you can assign a Destination (a virtual system on a firewall or a device
group on Panorama™) for which you have access permissions, including the Shared location.
To move an object, select the object in the Objects tab, click Move, select Move to other vsys (firewall only)
or Move to other device group (Panorama only), complete the fields in the following table, and then click
OK.
To clone an object, select the object in the Objects tab, click Clone, complete the fields in the following
table, and then click OK.

Move/Clone Settings Description

Selected Objects Displays the Name and current Location (virtual system or device
group) of the policies or objects you selected for the operation.

Destination Select the new location for the policy or object: a virtual system,
device group, or Shared. The default value is the Virtual System or
Device Group that you selected in the Policies or Objects tab.

Error out on first detected error in validation Select this option (selected by default) to make the
firewall or Panorama display the first error it finds and stop checking for more
errors. For example, an error occurs if the Destination doesn’t include
an object that is referenced in the policy rule you are moving. If you
clear this selection, the firewall or Panorama will find all errors before
displaying them.

Override or Revert an Object


In Panorama, you can nest device groups in a tree hierarchy of up to four levels. At the bottom level, a
device group can have parent, grandparent, and great-grandparent device groups at successively higher
levels—collectively called ancestors—from which the bottom-level device group inherits policies and
objects. At the top level, a device group can have child, grandchild, and great-grandchild device groups—
collectively called descendants. You can override an object in a descendant so that its values differ from
those in an ancestor. This override capability is enabled by default. However, you cannot override shared or
default (preconfigured) objects. The web interface displays one icon to indicate that an object has inherited
values and a different icon to indicate that an inherited object has overridden values.
• Override an object—Select the Objects tab, select the descendant Device Group that will have the
overridden version, select the object, click Override, and edit the settings. You cannot override Name or
Shared settings for an object.
• Revert an overridden object to its inherited values—Select the Objects tab, select the Device Group
that has the overridden version, select the object, click Revert, and click Yes to confirm the operation.

• Disable overrides for an object—Select the Objects tab, select the Device Group where the object
resides, click the object Name to edit it, select Disable override, and click OK. Overrides for that object
are then disabled in all device groups that inherit the object from the selected Device Group.
• Replace all object overrides across Panorama with the values inherited from the Shared location or
ancestor device groups—Select Panorama > Setup > Management, edit the Panorama Settings, select
Ancestor Objects Take Precedence, and click OK. You must then commit to Panorama and to the device
groups containing overrides to push the inherited values.

Objects > Addresses
An address object can include either IPv4 or IPv6 addresses (a single IP address, a range of addresses, or a
subnet), an FQDN, or a wildcard address (IPv4 address followed by a slash and wildcard mask). An address
object allows you to reuse that same address or group of addresses as a source or destination address in
policy rules, filters, and other firewall functions without adding each address manually for each instance.
You create an address object using the web interface or CLI; changes require a commit operation to make
the object a part of the configuration.
First Add a new address object and then specify the following values:

Address Object Settings Description

Name Enter a name (up to 63 characters) that describes the addresses you will
include as part of this object. This name appears in the address list when
defining security policy rules. The name is case-sensitive, must be unique,
and can contain only letters, numbers, spaces, hyphens, and underscores.

Shared Select this option if you want to share this address object with:
• Every virtual system (vsys) on a multi-vsys firewall—If you do not
select this option, the address object will be available only to the Virtual
System selected in the Objects tab.
• Every device group on Panorama—If you do not select this option, the
address object will be available only to the Device Group selected in the
Objects tab.

Disable override (Panorama only) Select this option to prevent administrators from overriding the settings of
this address object in device groups that inherit this object. By default, this
selection is disabled, which means administrators can override the settings
for any device group that inherits the object.

Description Enter a description for the object (up to 1,023 characters).

Type Specify the type of address object and the entry:


• IP Netmask—Enter the IPv4 or IPv6 address or IP address range using
the following notation: ip_address/mask or ip_address where the mask
is the number of significant binary digits used for the network portion
of the address. Ideally, for IPv6 addresses, you specify only the network
portion, not the host portion. For example:
• 192.168.80.150/32—Indicates one address.
• 192.168.80.0/24—Indicates all addresses from 192.168.80.0 through
192.168.80.255.
• 2001:db8::/32
• 2001:db8:123:1::/64
• IP Range—Enter a range of addresses using the following
format: ip_address-ip_address where both ends of the range
are IPv4 addresses or both are IPv6 addresses. For example:
2001:db8:123:1::1-2001:db8:123:1::22
• IP Wildcard Mask—Enter an IP wildcard address in the format of an
IPv4 address followed by a slash and a mask (which must begin with
a zero); for example, 10.182.1.1/0.127.248.0. In the wildcard mask, a
zero (0) bit indicates that the bit being compared must match the bit
in the IP address that is covered by the 0. A one (1) bit in the mask is a
wildcard bit, meaning the bit being compared need not match the bit in
the IP address that is covered by the 1. Convert the IP address and the
wildcard mask to binary. To illustrate the matching: on binary snippet
0011, a wildcard mask of 1010 results in four matches (0001, 0011,
1001, and 1011).

You can use an address object of type IP Wildcard Mask only in a Security policy rule.
• FQDN—Enter the domain name. The FQDN initially resolves at commit
time. An FQDN entry is subsequently refreshed based on the TTL of
the FQDN if the TTL is greater than or equal to the Minimum FQDN
Refresh Time; otherwise the FQDN entry is refreshed at the Minimum
FQDN Refresh Time. The FQDN is resolved by the system DNS server
or a DNS proxy object if a proxy is configured.
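The three IP notations in this table (IP Netmask, IP Range and IP Wildcard Mask) and the wildcard-bit matching rule can be checked with a small parser. The following Python is an added example written for this help page, not code from Palo Alto Networks or PAN-OS; the function names and the sample addresses 10.200.9.1 and 10.50.1.1 are the example's own, and it relies only on the standard ipaddress module. It also enumerates the table's 4-bit illustration (0011 under wildcard mask 1010) with the same matching function, and rejects a wildcard mask that does not begin with a zero.

```python
import ipaddress


def parse_address_object(value):
    """Parse one address object value into (kind, data).

    kind is "netmask" (data: ip_network), "range" (data: (first, last)) or
    "wildcard" (data: (base_int, mask_int)); wildcard is IPv4 only, as in the table.
    """
    value = value.strip()
    if "-" in value:  # IP Range: ip_address-ip_address, both of one IP version
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        if first.version != last.version:
            raise ValueError("both ends of an IP Range must be the same IP version")
        if int(first) > int(last):
            raise ValueError("IP Range start must not be greater than its end")
        return "range", (first, last)
    if "/" in value:
        addr_part, mask_part = value.split("/", 1)
        if "." in mask_part:  # IP Wildcard Mask: dotted mask after the slash
            base = ipaddress.IPv4Address(addr_part)
            mask = int(ipaddress.IPv4Address(mask_part))
            if mask >> 31:  # the table requires the mask to begin with a zero bit
                raise ValueError("wildcard mask must begin with a zero")
            return "wildcard", (int(base), mask)
        # IP Netmask with a prefix length; strict=False keeps a value such as
        # 192.168.80.150/24 usable instead of rejecting the set host bits
        return "netmask", ipaddress.ip_network(value, strict=False)
    # bare address: a /32 (IPv4) or /128 (IPv6) host network
    return "netmask", ipaddress.ip_network(value)


def wildcard_match(candidate, base, mask):
    """Wildcard rule from the table: a 0 bit in the mask means the candidate bit
    must equal the base bit; a 1 bit is a wildcard that matches either value."""
    return (candidate ^ base) & ~mask == 0


def wildcard_expansions(base, mask, width):
    """Every value of `width` bits that matches base under mask (the table's
    4-bit illustration: base 0011, mask 1010 gives 0001, 0011, 1001, 1011)."""
    return [v for v in range(1 << width) if wildcard_match(v, base, mask)]


def address_object_contains(obj, ip):
    """True if the IP address string `ip` falls inside the parsed address object."""
    kind, data = obj
    addr = ipaddress.ip_address(ip)
    if kind == "netmask":
        return addr.version == data.version and addr in data
    if kind == "range":
        first, last = data
        return addr.version == first.version and int(first) <= int(addr) <= int(last)
    base, mask = data  # wildcard objects are IPv4 only
    return addr.version == 4 and wildcard_match(int(addr), base, mask)


if __name__ == "__main__":
    wildcard = parse_address_object("10.182.1.1/0.127.248.0")  # value from the table
    for sample in ("10.200.9.1", "10.50.1.1"):  # constructed sample addresses
        print(sample, address_object_contains(wildcard, sample))
    print([f"{v:04b}" for v in wildcard_expansions(0b0011, 0b1010, 4)])
```

With the table's value 10.182.1.1/0.127.248.0, the first octet must match exactly, only the top bit of the second octet is fixed, only the low three bits of the third octet are fixed, and the fourth octet must match exactly; 10.200.9.1 therefore matches while 10.50.1.1 does not.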

Resolve After selecting the address type and entering an IP address or FQDN, click
Resolve to see the associated FQDN or IP addresses, respectively (based on
the DNS configuration of the firewall or Panorama).
You can change an address object from an FQDN to an IP Netmask or vice
versa. To change from an FQDN to an IP Netmask, click Resolve to see
the IP addresses that the FQDN resolves to, then select one and Use this
address. The address object Type dynamically changes to IP Netmask and
the IP address you selected appears in the text field.
Alternatively, to change an address object from an IP Netmask to an FQDN,
click Resolve to see the DNS name that the IP Netmask resolves to, then
select the FQDN and Use this FQDN. The Type changes to FQDN and the
FQDN appears in the text field.

Tags Select or enter the tags that you want to apply to this address object. You
can define a tag here or use the Objects > Tags tab to create new tags.

Objects > Address Groups
To simplify the creation of security policies, addresses that require the same security settings can be
combined into address groups. An address group can be static or dynamic.
• Dynamic Address Groups: A dynamic address group populates its members dynamically using lookups
of tags and tag-based filters. Dynamic address groups are very useful if you have an extensive virtual
infrastructure where changes in virtual machine location/IP address are frequent. For example, you have
a sophisticated failover setup or provision new virtual machines frequently and would like to apply policy
to traffic from or to the new machine without modifying the configuration/rules on the firewall.
To use a dynamic address group in policy you must complete the following tasks:
• Define a dynamic address group and reference it in a policy rule.
• Notify the firewall of the IP addresses and the corresponding tags, so that members of the dynamic
address group can be formed. You can do this using external scripts that use the XML API on the
firewall or, for a VMware-based environment, you can select Device > VM Information Sources to
configure settings on the firewall.
Dynamic address groups can also include statically defined address objects. If you create an address
object and apply the same tags that you have assigned to a dynamic address group, that dynamic
address group will include all static and dynamic objects that match the tags. You can, therefore, use tags
to pull together both dynamic and static objects in the same address group.
• Static Address Groups: A static address group can include address objects that are static, dynamic
address groups, or it can be a combination of both address objects and dynamic address groups.
To create an address group, click Add and fill in the following fields:

Address Group Settings Description

Name Enter a name that describes the address group (up to 63 characters). This
name appears in the address list when defining security policies. The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.

Shared Select this option if you want the address group to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the address group will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the address
group will be available only to the Device Group selected in the Objects
tab.

Disable override (Panorama only) Select this option to prevent administrators from overriding the settings
of this address group object in device groups that inherit the object. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the object.

Description Enter a description for the object (up to 1023 characters).

Type Select Static or Dynamic.

To create a dynamic address group, use the match criteria to assemble the
members to be included in the group. Define the Match criteria using the
AND or OR operators.

To view the list of attributes for the match criteria, you must have configured the firewall to access and
retrieve the attributes from the source/host. Each virtual machine on the configured information source(s)
is registered with the firewall and the firewall can poll the machine to retrieve changes in IP address or
configuration without any modifications on the firewall.

For a static address group, click Add and select one or more Addresses.
Click Add to add an object or an address group to the address group. The
group can contain address objects, and both static and dynamic address
groups.
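Membership of a dynamic address group follows from the two tasks described above: the firewall is told which tags apply to which IP addresses (for example through the XML API), and the group's AND/OR match criteria are evaluated against those tags, with statically defined address objects that carry matching tags included as well. The following Python is an added example written for this help page, not Palo Alto Networks code. It assumes a match criteria syntax of single-quoted tag names joined by and/or with optional parentheses, with and binding tighter than or; the registration data and address objects are constructed samples. The uid-message XML it builds follows the register payload layout of the User-ID XML API as the example's author understands it; confirm the element names against the XML API reference for your PAN-OS release before use.

```python
import re
import xml.etree.ElementTree as ET

# Token pattern for the assumed criteria syntax: ( ) and or 'tag name'
TOKEN = re.compile(r"\s*(?:(\()|(\))|(and|or)\b|'([^']*)')", re.IGNORECASE)


def tokenize(expr):
    tokens, pos = [], 0
    expr = expr.rstrip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad match criteria near {expr[pos:]!r}")
        lparen, rparen, op, tag = m.groups()
        tokens.append(("(", None) if lparen else (")", None) if rparen
                      else ("op", op.lower()) if op else ("tag", tag))
        pos = m.end()
    return tokens


def compile_criteria(expr):
    """Turn match criteria into a predicate over a set of tag names.
    Grammar assumed for the example: or_expr := and_expr ("or" and_expr)*,
    and_expr := atom ("and" atom)*, atom := 'tag' | "(" or_expr ")"."""
    tokens, pos = tokenize(expr), 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of match criteria")
        tok = tokens[pos]
        pos += 1
        if expected and tok[0] != expected:
            raise ValueError(f"expected {expected!r}, got {tok[0]!r}")
        return tok

    def peek():
        return tokens[pos] if pos < len(tokens) else (None, None)

    def or_expr():
        left = and_expr()
        while peek() == ("op", "or"):
            take()
            left = (lambda l, r: lambda tags: l(tags) or r(tags))(left, and_expr())
        return left

    def and_expr():
        left = atom()
        while peek() == ("op", "and"):
            take()
            left = (lambda l, r: lambda tags: l(tags) and r(tags))(left, atom())
        return left

    def atom():
        kind, val = take()
        if kind == "(":
            inner = or_expr()
            take(")")
            return inner
        if kind == "tag":
            return lambda tags, t=val: t in tags
        raise ValueError(f"unexpected {kind!r} in match criteria")

    pred = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in match criteria")
    return pred


def resolve_members(criteria, registered, static_objects):
    """Registered IPs whose tags satisfy the criteria, plus static address objects
    whose own tags satisfy it (both kinds join the group, as described above)."""
    pred = compile_criteria(criteria)
    dynamic_ips = sorted(ip for ip, tags in registered.items() if pred(set(tags)))
    static_names = sorted(n for n, (_, tags) in static_objects.items() if pred(set(tags)))
    return dynamic_ips, static_names


def build_register_message(registrations):
    """IP-to-tag registration body in the uid-message layout of the User-ID XML API
    (element names as understood by the example author; verify for your release)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip, tags in registrations.items():
        tag_list = ET.SubElement(ET.SubElement(register, "entry", ip=ip), "tag")
        for tag in tags:
            ET.SubElement(tag_list, "member").text = tag
    return ET.tostring(root, encoding="unicode")


# Constructed sample data: tags registered per IP, and static address objects with tags
REGISTERED = {"10.1.1.10": ["web", "prod"], "10.1.1.11": ["web", "staging"],
              "10.1.2.20": ["db", "prod"]}
STATIC_OBJECTS = {"legacy-web": ("10.9.9.9/32", ["web", "prod"]),
                  "vpn-pool": ("10.8.0.0/24", ["vpn"])}

if __name__ == "__main__":
    print(resolve_members("'web' and 'prod'", REGISTERED, STATIC_OBJECTS))
    print(build_register_message(REGISTERED))
```

The predicate is evaluated against the tag set of each registered IP and of each static object, so a static object tagged web and prod lands in the same group as a dynamically registered host with those tags, which is the behaviour the text above describes; a malformed criteria string raises ValueError rather than silently matching nothing.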

Tags Select or enter the tags that you wish to apply to this address group. For
information on tags, see Objects > Tags.

Members Count and Address After you add an address group, the Members Count column on the
Objects > Address Groups page indicates whether the objects in the group
are populated dynamically or statically.
• For a static address group, you can view the count of the members in
the address group.
• For an address group that uses tags to dynamically populate members
or has both static and dynamic members, to view the members, click the
More... link in the Address column. You can now view the IP addresses
that are registered to the address group.
• Type indicates whether the IP address is a static address object or
being dynamically registered and displays the IP address.
• Action allows you to Unregister Tags from an IP address. Click the
link to Add the registration source and specify the tags to unregister.

Objects > Regions
The firewall supports creation of policy rules that apply to specified countries or other regions. The region is
available as an option when specifying source and destination for security policies, decryption policies, and
DoS policies. You can choose from a standard list of countries or use the region settings described in this
section to define custom regions to include as options for Security policy rules.
The following tables describe the region settings:

Region Settings Description

Name Select a name that describes the region. This name appears in the address
list when defining security policies.

Geo Location To specify latitude and longitude, select this option and specify the values
(xxx.xxxxxx format). This information is used in the traffic and threat maps
for App-Scope. Refer to Monitor > Logs.

Addresses Specify an IP address, range of IP addresses, or subnet to identify the
region, using any of the following formats:
x.x.x.x
x.x.x.x-y.y.y.y
x.x.x.x/n

Objects > Dynamic User Groups
To create a dynamic user group, select Objects > Dynamic User Groups, Add a new dynamic user group and
then configure the following settings:

Dynamic User Group Settings Description

Name Enter a Name that describes the dynamic user group (up to 63 characters).
This name appears in the source user list when defining Security policy
rules. The name must be unique and use only alphanumeric characters,
spaces, hyphens, and underscores.

Description Enter a Description for the object (up to 1,023 characters).

Shared (Panorama only) Select this option if you want the match criteria of the dynamic user group
to be available to every device group on Panorama.

Panorama does not share the members of the group with device groups.

If you clear this option, the match criteria of the dynamic user group are
available only to the Device Group selected in the Objects tab.

Disable override (Panorama only) Select this option to prevent administrators from overriding the settings
of this dynamic user group in device groups that inherit the object. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the object.

Match Add Match Criteria to define the members in the dynamic user group using
the AND or OR operators to include multiple tags.

When you Add Match Criteria, only existing tags display. You can select an existing tag or create new tags.

Tags (Optional) Select or enter the static object tags that you want to apply to
the dynamic user group object. This tags the dynamic user group object
itself, not the members in the group. The tags you select allow you to group
related items and are not related to the match criteria. For information on
tags, see Objects > Tags.

After you add a dynamic user group, you can view the following information for the group:

Dynamic User Groups Column Description

Location (Panorama only) Identifies whether the match criteria for the dynamic user
group are available to every device group on Panorama (Shared)
or only to the selected device group.

Users Select more to see the list of users in the dynamic user group.

• To add tags to users for inclusion in the group, Register
Users, then select the Registration Source and the Tags
you want to apply to the user. When the user’s tags match
the criteria for the group, the firewall adds the user to the
dynamic user group.
• (Optional) Specify a Timeout in minutes (default is 0; range
is 0 to 43,200) to remove users from the group when the
specified time expires.
• (Optional) Add Users to the group or Delete users from the
group.
• To remove tags from users and prevent them from
becoming members of the group, select the users, and
Unregister Users, and then select Registration Source and
Tags.
• When done reviewing or modifying the dynamic user group
list of users, click Close.

Objects > Applications
The following topics describe the Applications page.

What are you looking for? See

Understand the application settings and attributes displayed on the Applications page. Applications Overview
Actions Supported on Applications

Add a new application or modify an existing application. Defining Applications

Applications Overview
The Applications page lists various attributes of each application definition, such as the application’s relative
security risk (1 to 5). The risk value is based on criteria such as whether the application can share files, is
prone to misuse, or tries to evade firewalls. Higher values indicate higher risk.
The top application browser area of the page lists the attributes that you can use to filter the display
as follows. The number to the left of each entry represents the total number of applications with that
attribute.

Weekly content releases periodically include new decoders and contexts for which you can
develop signatures.

The following table describes application details—custom applications and Palo Alto® Networks applications
might display some or all of these fields.

Application Details Description

Name Name of the application.

Description Description of the application (up to 255 characters).

Additional Information Links to web sources (Wikipedia, Google, and Yahoo!) that contain
additional information about the application.

Standard Ports Ports that the application uses to communicate with the network.

Depends on List of other applications that are required for this application to run.
When creating a policy rule to allow the selected application, you
must also be sure that you are allowing any other applications that the
application depends on.

Implicitly Uses Other applications that the selected application depends on but
that you do not need to add to your Security policy rules to allow
the selected application because those applications are supported
implicitly.

Previously Identified As For a new App-ID™, or App-IDs that are changed, this indicates
what the application was previously identified as. This helps you
assess whether policy changes are required based on changes in the
application. If an App-ID is disabled, sessions associated with that
application will match policy as the application they were previously identified as.
Similarly, disabled App-IDs will appear in logs as the application they
were previously identified as.

Deny Action App-IDs are developed with a default deny action that dictates how
the firewall responds when the application is included in a Security
policy rule with a deny action. The default deny action can specify
either a silent drop or a TCP reset. You can override this default action
in Security policy.

Characteristics

Evasive Uses a port or protocol for something other than its originally
intended purpose with the hope that it will traverse a firewall.

Excessive Bandwidth Consumes at least 1 Mbps on a regular basis through normal use.

Prone to Misuse Often used for nefarious purposes or is easily set up to expose more
than the user intended.

SaaS On the firewall, Software as a Service (SaaS) is characterized as
a service where the software and infrastructure are owned and
managed by the application service provider but where you retain
full control of the data, including who can create, access, share, and
transfer the data.
Keep in mind that in the context of how an application is
characterized, SaaS applications differ from web services. Web
services are hosted applications where either the user doesn’t own
the data (for example, Pandora) or where the service is primarily
comprised of sharing data fed by many subscribers for social purposes
(for example, LinkedIn, Twitter, or Facebook).

Capable of File Transfer Has the capability to transfer a file from one system to another over a
network.

Tunnels Other Applications Is able to transport other applications inside its protocol.

Used by Malware Malware has been known to use the application for propagation,
attack, or data theft, or is distributed with malware.


Has Known Vulnerabilities Has publicly reported vulnerabilities.

Pervasive Likely has more than 1,000,000 users.

Continue Scanning for Other Applications Instructs the firewall to continue to try and match against
other application signatures. If you do not select this option, the firewall
stops looking for additional application matches after the first
matching signature.

SaaS Characteristics

Data Breaches: Applications that may have released secure information to an
untrusted source within the past three years.

Poor Terms of Service: Applications with unfavorable terms of service that can compromise
enterprise data.

No Certifications: Applications lacking current compliance to industry programs or
certifications such as SOC1, SOC2, SSAE16, PCI, HIPAA, FINRA, or
FEDRAMP.

Poor Financial Viability: Applications with the potential to be out of business within the next
18 to 24 months.

No IP Restrictions: Applications without IP-based restrictions for user access.

Classification

Category: The application category will be one of the following:
• business-systems
• collaboration
• general-internet
• media
• networking
• unknown

Subcategory: The subcategory in which the application is classified. Different
categories have different subcategories associated with them.
For example, subcategories in the collaboration category include
email, file-sharing, instant-messaging, Internet-conferencing,
social-business, social-networking, voip-video, and web-posting, whereas
subcategories in the business-systems category include auth-service,
database, erp-crm, general-business, management, office-programs,
software-update, and storage-backup.

Technology: The application technology will be one of the following:
• client-server: An application that uses a client-server model where
one or more clients communicate with a server in the network.
• network-protocol: An application that is generally used for system-
to-system communication that facilitates network operation. This
includes most of the IP protocols.
• peer-to-peer: An application that communicates directly with other
clients to transfer information instead of relying on a central server
to facilitate the communication.
• browser-based: An application that relies on a web browser to
function.

Risk: Assigned risk of the application.
To customize this setting, click the Customize link, enter a value (1-5),
and click OK.

Tags: Tags assigned to an application.
Edit Tags to add or remove tags for an application.

Options

Session Timeout: Period of time, in seconds, required for the application to time out due
to inactivity (range is 1-604800 seconds). This timeout is for protocols
other than TCP or UDP. For TCP and UDP, refer to the next rows in
this table.
To customize this setting, click the Customize link, enter a value, and
click OK.

TCP Timeout (seconds): Timeout, in seconds, for terminating a TCP application flow (range is
1-604800).
To customize this setting, click the Customize link, enter a value, and
click OK.
A value of 0 indicates that the global session timer will be used, which
is 3600 seconds for TCP.

UDP Timeout (seconds): Timeout, in seconds, for terminating a UDP application flow (range is
1-604800 seconds).
To customize this setting, click the Customize link, enter a value, and
click OK.

TCP Half Closed (seconds): Maximum length of time, in seconds, that a session remains in the
session table between receiving the first FIN packet and receiving the
second FIN packet or RST packet. If the timer expires, the session is
closed (range is 1-604800).
Default: If this timer is not configured at the application level, the
global setting is used.
If this value is configured at the application level, it overrides the
global TCP Half Closed setting.

TCP Time Wait (seconds): Maximum length of time, in seconds, that a session remains in the
session table after receiving the second FIN packet or a RST packet. If
the timer expires, the session is closed (range is 1-600).
Default: If this timer is not configured at the application level, the
global setting is used.
If this value is configured at the application level, it overrides the
global TCP Time Wait setting.

App-ID Enabled: Indicates whether the App-ID is enabled or disabled. If an App-ID
is disabled, traffic for that application will be treated as the
Previously Identified As App-ID in both Security policy and in logs.
For applications added after content release version 490, you have
the ability to disable them while you review the policy impact of the
new app. After reviewing policy, you may choose to enable the App-ID.
You also have the ability to disable an application that you have
previously enabled. On a multi-vsys firewall, you can disable App-IDs
separately in each virtual system.

When the firewall is not able to identify an application using the App-ID, the traffic is classified as unknown:
unknown-tcp or unknown-udp. This behavior applies to all unknown applications except those that fully
emulate HTTP. For more information, refer to Monitor > Botnet.
You can create new definitions for unknown applications and then define security policies for the new
application definitions. In addition, applications that require the same security settings can be combined into
application groups to simplify the creation of security policies.

Actions Supported on Applications

You can perform any of the following actions on this page:

Actions Supported for Applications

Filter by application:
• To search for a specific application, enter the application name or
description in the Search field and press Enter. The drop-down
allows you to search or filter for a specific application or view All
applications, Custom applications, Disabled applications, or Tagged
applications.
The application is listed and the filter columns are updated to show
statistics for the applications that matched the search. A search will
match partial strings. When you define security policies, you can write
rules that apply to all applications that match a saved filter. Such rules
are dynamically updated when a new application is added through a
content update that matches the filter.
• To filter by application attributes displayed on the page, click an item
to use as a basis for filtering. For example, to restrict the list to the
collaboration category, click collaboration and the list will display only
applications in this category.
• To filter on additional columns, select an entry in the other columns.
The filtering is successive: Category filters are applied first, then
Subcategory filters, then Technology filters, then Risk filters, and
finally Characteristic filters. For example, if you apply a Category,
Subcategory, and Risk filter, the Technology column is automatically
restricted to the technologies that are consistent with the selected
Category and Subcategory even though a Technology filter is not
explicitly applied. Each time you apply a filter, the list of applications
automatically updates. To create a new application filter, see Objects
> Application Filters.

Add a new application: To add a new application, see Defining Applications.

View and/or customize application details: Click the application name link to view the application description,
including the standard port, characteristics, and risk of the application,
among other details. For details on the application settings, see Defining
Applications.
If the icon to the left of the application name has a yellow pencil,
the application is a custom application.

Disable an application: You can Disable an application (or several applications) so that the
application signature is not matched against traffic. Security rules defined
to block, allow, or enforce a matching application are not applied to
the application traffic when the app is disabled. You might choose to
disable an application that is included with a new content release version
because policy enforcement for the application might change when the
application is uniquely identified. For example, an application that is
identified as web-browsing traffic is allowed by the firewall prior to a
new content version installation; after installing the content update, the
uniquely identified application no longer matches the Security rule that
allows web-browsing traffic. In this case, you could choose to disable the
application so that traffic matched to the application signature continues
to be classified as web-browsing traffic and is allowed.

Enable an application: Select a disabled application and Enable it so that the firewall can manage
the application according to your configured security policies.

Import an application: To import an application, click Import. Browse to select the file, and
select the target virtual system from the Destination drop-down.

Export an application: To export an application, select this option for the application and click
Export. Follow the prompts to save the file.

Export an application configuration table: Export the information on all applications in PDF/CSV format.
Only visible columns in the web interface are exported. See Export
Configuration Table Data.

Assess policy impact after installing a new content release: Review Policies to assess the policy-based enforcement for applications
before and after installing a content release version. Use the Policy
Review dialog to review policy impact for new applications included
in a downloaded content release version. The Policy Review dialog
allows you to add or remove a pending application (an application that
is downloaded with a content release version but is not installed on
the firewall) to or from an existing Security policy rule; policy changes
for pending applications do not take effect until the corresponding
content release version is installed. You can also access the Policy Review
dialog when downloading and installing content release versions on the
Device > Dynamic Updates page.

Tag an application: A predefined tag named sanctioned is available for you to tag SaaS
applications. While a SaaS application is an application that is identified
as SaaS=yes in the details on application characteristics, you can use the
sanctioned tag on any application.
Tag applications as sanctioned to help differentiate
sanctioned SaaS application traffic from unsanctioned
SaaS application traffic, for example, when you examine
the SaaS Application Usage Report or when you evaluate
the applications on your network.
Select an application, click Edit Tags and from the drop-down, select
the predefined Sanctioned tag to identify any application that you want
to explicitly allow on your network. When you then generate the SaaS
Application Usage Report (see Monitor > PDF Reports > SaaS Application
Usage), you can compare statistics on the application that you have
sanctioned versus unsanctioned SaaS applications that are being used on
your network.
When you tag an application as sanctioned, the following restrictions
apply:
• The sanctioned tag cannot be applied to an application group.
• The sanctioned tag cannot be applied at the Shared level; you can tag
an application only per device group or per virtual system.
• The sanctioned tag cannot be used to tag applications included in a
container app, such as facebook-mail, which is part of the facebook
container app.
You can also Remove tag or Override tag. The override option is only
available on a firewall that has inherited settings from a device group
pushed from Panorama.
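The successive filtering described above, as an added example that is not part of this help text or of PAN-OS: a small Python model that applies Category, Subcategory, Technology, Risk and Characteristic filters in that order over a constructed catalogue (the application names and attributes are made up for illustration, not App-ID content) and shows why a column such as Technology is narrowed only by the facets before it, so a Risk filter leaves the Technology column showing every technology consistent with the selected Category and Subcategory.

```python
"""Successive application filtering over a constructed catalogue.

Added example, not part of this help text or of PAN-OS. It applies filters in the order the
page describes (Category, Subcategory, Technology, Risk, Characteristics) and computes which
values a column still offers given only the facets applied before it. The catalogue is
constructed sample data: the names and attributes are illustrative, not App-ID content.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class App:
    name: str
    category: str
    subcategory: str
    technology: str
    risk: int
    characteristics: frozenset = frozenset()


# Constructed sample catalogue (illustrative values only).
CATALOGUE: List[App] = [
    App("sample-mail", "collaboration", "email", "client-server", 3, frozenset({"capable-of-file-transfer"})),
    App("sample-webmail", "collaboration", "email", "browser-based", 4, frozenset({"capable-of-file-transfer", "saas"})),
    App("sample-chat", "collaboration", "instant-messaging", "peer-to-peer", 4, frozenset({"evasive", "tunnels-other-applications"})),
    App("sample-voip", "collaboration", "voip-video", "client-server", 2, frozenset({"excessive-bandwidth"})),
    App("sample-db", "business-systems", "database", "client-server", 2),
    App("sample-ldap", "business-systems", "auth-service", "client-server", 1),
    App("sample-ip-proto", "networking", "ip-protocol", "network-protocol", 1),
]

# Filter order from the page: later facets never narrow the choices shown for earlier ones.
FACET_ORDER = ("category", "subcategory", "technology", "risk", "characteristics")


def matches(app: App, facet: str, selected: Set) -> bool:
    """An empty selection means 'no filter on this facet'."""
    if not selected:
        return True
    if facet == "characteristics":
        # Every selected characteristic must be present on the application.
        return selected <= app.characteristics
    return getattr(app, facet) in selected


def apply_filters(apps: List[App], filters: Dict[str, Set]) -> List[App]:
    """Apply the filters successively in FACET_ORDER and return what remains."""
    remaining = list(apps)
    for facet in FACET_ORDER:
        remaining = [a for a in remaining if matches(a, facet, filters.get(facet, set()))]
    return remaining


def available_values(apps: List[App], filters: Dict[str, Set], facet: str) -> list:
    """Values a column still offers: narrowed by the facets *before* it only, which is why a
    Risk filter leaves the Technology column showing every technology consistent with the
    selected Category and Subcategory."""
    earlier = {f: filters.get(f, set()) for f in FACET_ORDER[:FACET_ORDER.index(facet)]}
    narrowed = apply_filters(apps, earlier)
    if facet == "characteristics":
        return sorted(set().union(*(a.characteristics for a in narrowed)))
    return sorted({getattr(a, facet) for a in narrowed})


if __name__ == "__main__":
    chosen = {"category": {"collaboration"}, "subcategory": {"email"}, "risk": {4}}
    print([a.name for a in apply_filters(CATALOGUE, chosen)])
    print("Technology column:", available_values(CATALOGUE, chosen, "technology"))
```

With the Category, Subcategory and Risk filters in the usage call, only one application remains, yet the Technology column still offers both technologies found under collaboration/email, which is the behaviour the page describes.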

Defining Applications
Select Objects > Applications to Add a new custom application for the firewall to evaluate when applying
policies.

New Application Settings

Configuration Tab

Name: Enter the application name (up to 31 characters). This name appears in the
applications list when defining security policies. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, periods, hyphens,
and underscores. The first character must be a letter.

Shared: Select this option if you want the application to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the application will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the
application will be available only to the Device Group selected in the
Objects tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings
of this application object in device groups that inherit the object. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the object.

Description: Enter a description of the application for general reference (up to 255
characters).

Category: Select the application category, such as email or database. The category is
used to generate the Top Ten Application Categories chart and is available
for filtering (refer to ACC).

Subcategory: Select the application subcategory, such as email or database. The
subcategory is used to generate the Top Ten Application Categories chart
and is available for filtering (refer to ACC).

Technology: Select the technology for the application.

Parent App: Specify a parent application for this application. This setting applies when a
session matches both the parent and the custom applications; however, the
custom application is reported because it is more specific.

Risk: Select the risk level associated with this application (1=lowest to 5=highest).

Characteristics: Select the application characteristics that may place the application at risk.
For a description of each characteristic, refer to Characteristics.

Advanced Tab

Port: If the protocol used by the application is TCP and/or UDP, select Port and
enter one or more combinations of the protocol and port number (one
entry per line). The general format is:
<protocol>/<port>
where the <port> is a single port number, or dynamic for dynamic port
assignment.
Examples: TCP/dynamic or UDP/32.
This setting applies when using app-default in the Service column of a
Security rule.

IP Protocol: To specify an IP protocol other than TCP or UDP, select IP Protocol, and
enter the protocol number (1 to 255).

ICMP Type: To specify an Internet Control Message Protocol version 4 (ICMP) type,
select ICMP Type and enter the type number (range is 0-255).

ICMP6 Type: To specify an Internet Control Message Protocol version 6 (ICMPv6) type,
select ICMP6 Type and enter the type number (range is 0-255).

None: To specify signatures independent of protocol, select None.

Timeout: Enter the number of seconds before an idle application flow is terminated
(range is 0-604800 seconds). A zero indicates that the default timeout of
the application will be used. This value is used for protocols other than TCP
and UDP in all cases and for TCP and UDP timeouts when the TCP timeout
and UDP timeout are not specified.

TCP Timeout: Enter the number of seconds before an idle TCP application flow is
terminated (range is 0-604800 seconds). A zero indicates that the default
timeout of the application will be used.

UDP Timeout: Enter the number of seconds before an idle UDP application flow is
terminated (range is 0-604800 seconds). A zero indicates that the default
timeout of the application will be used.

TCP Half Closed: Enter the maximum length of time that a session remains in the session
table, between receiving the first FIN and receiving the second FIN or RST.
If the timer expires, the session is closed.
Default: If this timer is not configured at the application level, the global
setting is used (range is 1-604800 seconds).
If this value is configured at the application level, it overrides the global TCP
Half Closed setting.

TCP Time Wait: Enter the maximum length of time that a session remains in the session
table after receiving the second FIN or a RST. If the timer expires, the
session is closed.
Default: If this timer is not configured at the application level, the global
setting is used (range is 1-600 seconds).
If this value is configured at the application level, it overrides the global TCP
Time Wait setting.

Scanning: Select the scanning types that you want to allow based on Security Profiles
(file types, data patterns, and viruses).

Signatures Tab

Signatures: Click Add to add a new signature, and specify the following information:
• Signature Name—Enter a name to identify the signature.
• Comment—Enter an optional description.
• Ordered Condition Match—Select if the order in which signature
conditions are defined is important.
• Scope—Select whether to apply this signature only to the current
Transaction or to the full user Session.
Specify the conditions that identify the signature. These conditions are used
to generate the signature that the firewall uses to match the application
patterns and control traffic:
• To add a condition, select Add And Condition or Add Or Condition.
To add a condition within a group, select the group and then click Add
Condition.
• Select an Operator from the drop-down. The options are Pattern
Match, Greater Than, Less Than, and Equal To and specify the following
options:
(For Pattern Match only)
• Context—Select from the available contexts. These contexts are
updated using dynamic content updates.
• Pattern—Specify a regular expression to specify unique string
context values that apply to the custom application.
Perform a packet capture to identify the context. See
Pattern Rules Syntax for pattern rules for regular
expressions.
(For Greater Than, Less Than)
• Context—Select from the available contexts. These contexts are
updated using dynamic content updates.
• Value—Specify a value to match on (range is 0-4294967295).
• Qualifier and Value—(Optional) Add qualifier/value pairs.
(For Equal To only)
• Context—Select from unknown requests and responses for TCP or
UDP (for example, unknown-req-tcp) or additional contexts that are
available through dynamic content updates (for example,
dnp3-req-func-code).
For unknown requests and responses for TCP or UDP, specify
• Position—Select between the first four or second four bytes in the
payload.
• Mask—Specify a 4-byte hex value, for example, 0xffffff00.
• Value—Specify a 4-byte hex value, for example, 0xaabbccdd.
For all other contexts, specify a Value that is pertinent to the
application.
To move a condition within a group, select the condition and Move Up or
Move Down. To move a group, select the group and Move Up or Move
Down. You cannot move conditions from one group to another.

It is not required to specify signatures for the application if the application is used only for
application override rules.

Objects > Application Groups
To simplify the creation of security policies, applications requiring the same security settings can be
combined by creating an application group. (To define a new application, refer to Defining Applications.)

New Application Group Settings

Name: Enter a name that describes the application group (up to 31 characters).
This name appears in the application list when defining security policies.
The name is case-sensitive and must be unique. Use only letters, numbers,
spaces, hyphens, and underscores.

Shared: Select this option if you want the application group to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the application group will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the application
group will be available only to the Device Group selected in the Objects
tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of
this application group object in device groups that inherit the object. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the object.

Applications: Click Add and select applications, application filters, and/or other
application groups to be included in this group.

Objects > Application Filters
Application filters help to simplify repeated searches. To define an application filter, Add and enter a
name for your new filter. In the upper area of the window, click an item that you want to use as a basis for
filtering. For example, to restrict the list to the Collaboration category, click collaboration.

To filter on additional columns, select an entry in the columns. The filtering is successive: category filters
are applied first followed by subcategory filters, technology filters, risk filters, tags, and then characteristic
filters.
As you select filters, the list of applications that display on the page is automatically updated.

Objects > Services
When you define Security policies for specific applications, you can select one or more services to limit the
port numbers the applications can use. The default service is any, which allows all TCP and UDP ports. The
HTTP and HTTPS services are predefined, but you can add additional service definitions. Services that are
often assigned together can be combined into service groups to simplify the creation of Security policies
(refer to Objects > Service Groups).
Additionally, you can use service objects to specify service-based session timeouts—this means that you can
apply different timeouts to different user groups even when those groups are using the same TCP or UDP
service, or, if you’re migrating from a port-based Security policy with custom applications to an application-
based Security policy, you can easily maintain your custom application timeouts.
The following table describes the service settings:

Service Settings

Name: Enter the service name (up to 63 characters). This name appears in the
services list when defining Security policies. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.

Description: Enter a description for the service (up to 1023 characters).

Shared: Select this option if you want the service object to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the service object will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the service
object will be available only to the Device Group selected in the Objects
tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings of
this service object in device groups that inherit the object. This selection is
cleared by default, which means administrators can override the settings for
any device group that inherits the object.

Protocol: Select the protocol used by the service (TCP or UDP).

Destination Port: Enter the destination port number (0 to 65535) or range of port numbers
(port1-port2) used by the service. Multiple ports or ranges must be
separated by commas. The destination port is required.

Source Port: Enter the source port number (0 to 65535) or range of port numbers
(port1-port2) used by the service. Multiple ports or ranges must be
separated by commas. The source port is optional.

Session Timeout: Define the session timeout for the service:
• Inherit from application (default)—No service-based timeouts are
applied; the application timeout is applied.
• Override—Define a custom session timeout for the service. Continue to
populate the TCP Timeout, TCP Half Closed, and TCP Wait Time fields.

The following settings display only if you choose to override application timeouts and create custom
session timeouts for a service:

TCP Timeout: Set the maximum length of time in seconds that a TCP session can remain
open after data transmission has started. When this time expires, the
session closes.
Range is 1 - 604800. Default value is 3600 seconds.

TCP Half Closed: Set the maximum length of time in seconds that a session remains
open when only one side of the connection has attempted to close the
connection.
This setting applies to:
• The time period after the firewall receives the first FIN packet (indicates
that one side of the connection is attempting to close the session) but
before it receives the second FIN packet (indicates that the other side of
the connection is closing the session).
• The time period before receiving an RST packet (indicating an attempt to
reset the connection).
If the timer expires, the session closes.
Range is 1 - 604800. Default value is 120 seconds.

TCP Wait Time: Set the maximum length of time in seconds that a session remains open
after receiving the second of the two FIN packets required to terminate a
session, or after receiving an RST packet to reset a connection.
When the timer expires, the session closes.
Range is 1 - 600. Default value is 15 seconds.
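The service object just described, together with the application-level timers from Defining Applications, as an added example that is neither this help text's nor PAN-OS code. It parses the Destination Port and Source Port fields (port numbers and port1-port2 ranges separated by commas), resolves the effective TCP timers from the global defaults quoted on this page (3600, 120 and 15 seconds), an application's own values and a service-object Override, and replays a constructed sequence of session events to show which timer governs after the first FIN, the second FIN or an RST. The event sequences and the application-level values are constructed; the precedence (service Override over application value over global default) follows the descriptions above, and the choice not to refresh the half-closed timer on data is an assumption of this model.

```python
"""Service object: port specification and session-timeout resolution.

Added example (not PAN-OS code) for Objects > Services. Global TCP defaults are the values
quoted on this page (3600, 120 and 15 seconds). Event sequences and application-level
values are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

GLOBAL_TCP_TIMEOUT, GLOBAL_TCP_HALF_CLOSED, GLOBAL_TCP_TIME_WAIT = 3600, 120, 15


def parse_port_spec(spec: str, required: bool) -> List[Tuple[int, int]]:
    """Parse '80,443,8000-8080' into sorted (low, high) pairs; each port is 0-65535.
    Destination Port is required on the page, Source Port is optional."""
    spec = spec.strip()
    if not spec:
        if required:
            raise ValueError("destination port is required")
        return []
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", item)
        if not m:
            raise ValueError(f"invalid port item: {item!r}")
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        ranges.append((low, high))
    return sorted(ranges)


def port_in_spec(ranges: List[Tuple[int, int]], port: int) -> bool:
    return any(low <= port <= high for low, high in ranges)


@dataclass
class Timers:
    tcp_timeout: int
    tcp_half_closed: int
    tcp_time_wait: int


@dataclass
class AppTimers:
    """Application-level values: 0 for tcp_timeout means 'use the global timer';
    None for the FIN/RST timers means 'not configured at the application level'."""
    tcp_timeout: int = 0
    tcp_half_closed: Optional[int] = None
    tcp_time_wait: Optional[int] = None


def effective_timers(app: AppTimers, service_override: Optional[Timers] = None) -> Timers:
    """Precedence as described on the page: a service Override replaces the application
    timeouts; an application-level value overrides the global setting."""
    if service_override is not None:
        return service_override
    return Timers(
        app.tcp_timeout or GLOBAL_TCP_TIMEOUT,
        GLOBAL_TCP_HALF_CLOSED if app.tcp_half_closed is None else app.tcp_half_closed,
        GLOBAL_TCP_TIME_WAIT if app.tcp_time_wait is None else app.tcp_time_wait,
    )


def walk_session(events: List[Tuple[float, str]], timers: Timers) -> Tuple[str, float]:
    """Replay (time, event) pairs (event is 'data', 'fin' or 'rst'; times ascend from the
    session start at 0) and return the final state plus the time at which the session leaves
    the session table if nothing else arrives. States: established, half-closed (first FIN
    seen), time-wait (second FIN or RST seen), aged-out (a timer expired before the event).
    Model assumption: data seen while half-closed does not refresh the half-closed timer."""
    state, deadline = "established", float(timers.tcp_timeout)
    for t, ev in events:
        if t > deadline:
            return "aged-out", deadline
        if ev == "data" and state == "established":
            deadline = t + timers.tcp_timeout
        elif ev == "fin" and state == "established":
            state, deadline = "half-closed", t + timers.tcp_half_closed
        elif (ev == "fin" and state == "half-closed") or ev == "rst":
            state, deadline = "time-wait", t + timers.tcp_time_wait
    return state, deadline


# Constructed sequences: a clean close, and a peer that sends its FIN far too late.
CLEAN_CLOSE = [(0.0, "data"), (10.0, "fin"), (25.0, "fin")]
STALLED_CLOSE = [(0.0, "data"), (10.0, "fin"), (100.0, "fin")]

if __name__ == "__main__":
    svc_ports = parse_port_spec("80, 443, 8000-8080", required=True)
    print(svc_ports, port_in_spec(svc_ports, 8043), port_in_spec(svc_ports, 8443))
    app_only = effective_timers(AppTimers(tcp_half_closed=30))        # constructed app value
    print(walk_session(STALLED_CLOSE, app_only))                        # aged out at 40 s
    print(walk_session(STALLED_CLOSE, effective_timers(AppTimers())))  # still in time-wait
```

The two replays of the stalled close make the timer interplay visible: with an application-level TCP Half Closed of 30 seconds the second FIN at 100 seconds arrives after the session has already aged out, whereas under the 120-second global default the same FIN is accepted and the 15-second time-wait timer starts.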

Objects > Service Groups
To simplify the creation of security policies, you can combine services that have the same security settings
into service groups. To define new services, refer to Objects > Services.
The following table describes the service group settings:

Service Group Settings

Name: Enter the service group name (up to 63 characters). This name appears in
the services list when defining security policies. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.

Shared: Select this option if you want the service group to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the service group will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the service
group will be available only to the Device Group selected in the Objects
tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings
of this service group object in device groups that inherit the object. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the object.

Service: Click Add to add services to the group. Select from the drop-down or click
Service at the bottom of the drop-down and specify the settings. Refer to
Objects > Services for a description of the settings.

Objects > Tags
Tags allow you to group objects using keywords or phrases. You can apply tags to address objects, address
groups (static and dynamic), applications, zones, services, service groups, and to policy rules. You can also
use an SD-WAN Interface profile to apply a link tag to an Ethernet interface. You can use tags to sort or
filter objects and to visually distinguish objects by color. When you apply a color to a tag, the Policy tab
displays the object with a background color.
You must create a tag before you can group rules using that tag. After you assign a tag to a group of rules,
View Rulebase as Groups to see a visual representation of your policy rulebase based on the assigned tags.
While viewing your rulebase as groups, the policy order and priority is maintained. In this view, select the
group tag to view all rules grouped by that tag.
A predefined tag named Sanctioned is available for tagging applications (Objects > Applications). These tags
are required for accuracy (Monitor > PDF Reports > SaaS Application Usage).

What do you want to know?                  See:

How do I create tags?                      Create Tags

How do I view the rulebase as groups?      View Rulebase as Groups

Search for rules that are tagged.          Manage Tags
Group rules using tags.
View tags used in policy.
Apply tags to policy.

Looking for more?                          • Use Tags to Group and Visually Distinguish Objects
                                           • SD-WAN Link Tag

Create Tags
• Objects > Tags
Select Tags to create a tag, assign a color or to delete, rename, and clone tags. Each object can have up to
64 tags; when an object has multiple tags, it displays the color of the first tag applied.
On the firewall, the Tags tab displays the tags that you define locally on the firewall or push from Panorama
to the firewall. On Panorama, the Tags tab displays the tags that you define on Panorama. This tab does not
display the tags that are dynamically retrieved from the VM Information sources defined on the firewall for
forming dynamic address groups nor does it display tags that are defined using the XML or REST API.
When you create a new tag, the tag is automatically created in the Virtual System or Device Group that is
currently selected on the firewall or Panorama.

Tag Settings

Name: Enter a unique tag name (up to 127 characters). The name is not
case-sensitive.

Shared: Select this option if you want the tag to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the tag is available only to the Virtual System selected in the
Objects tab.
• Every device group on Panorama. If you disable (clear) this option, the
tag will be available only to the Device Group selected in the Objects
tab.

Disable override (Panorama only): Select this option to prevent administrators from overriding the settings
of this tag in device groups that inherit the tag. This selection is cleared
by default, which means administrators can override the settings for any
device group that inherits the tag.

Color: Select a color from the color palette in the drop-down (default is None).

Comments: Add a label or description to describe for what the tag is used.

• Add a tag: Add a tag and then fill in the following fields:
You can also create a new tag when you create or edit policy in the Policies tab. The tag is automatically
created in the Device Group or Virtual System that is currently selected.
• Edit a tag: Click a tag to edit, rename, or assign a color to a tag.
• Delete a tag: Click Delete and select the tag. You cannot delete a predefined tag.
• Move or Clone a tag: The options to move or clone a tag allow you to copy a tag or move a tag to a
different Device Group or Virtual System on firewalls with multiple virtual systems enabled.
Move or Clone and select the tag. Select the Destination location—Device Group or Virtual System.
Disable (clear) this option to Error out on first detected error in validation if you want the validation
process to discover all errors for the object before displaying the errors. This option is enabled by default
and the validation process stops when the first error is detected and only displays the error.
• Override or Revert a tag (Panorama only): The Override option is available only if you did not select
the Disable override option when you created the tag. The Override option allows you to override the
color assigned to the tag that was inherited from a shared or ancestor device group. The Location is the
current device group. You can also Disable override to prevent future override attempts.
Revert changes to undo recent modifications of a tag. When you revert a tag, the Location field displays
the device group or virtual system from where the tag was inherited.

View Rulebase as Groups


• Policies > <Rulebase Type>
View Rulebase as Groups to display the policy rulebase using the group tag. While viewing your rulebase
as groups, the policy order and priority is maintained. In this view, select the group tag to view all rules
grouped by that tag.
When viewing your rulebase as groups, click Group to move, change, delete, or clone all rules in the
selected tag group. The following table describes the rule management options available when viewing your
rulebase as groups.

Option Description

Move Rules in Group to Different Rulebase or Device Group  Move all policy rules in the selected tag group
to a different rulebase or device group.

Change Group of All Rules  Move all rules in the selected tag group to a different tag group.

Move All Rules in Group Move all rules in the selected tag group within the rulebase.

Delete All Rules in Group Delete all rules in the selected tag group.

Clone All Rules in Group Clone all rules in the selected tag group.

Move Rules in Group to Different Rulebase or Device Group


If you need to organize your rulebase, select the tag group containing the rules you want to move and
Move Rules in Group to Different Rulebase or Device Group to reassign them to a different rulebase or
device group (instead of moving each rule individually). The device group must already exist before (cannot
be created while) moving rules in a tag group to a different device group. Additionally, you can move the
rules in a tag group to a different rulebase within the same device group.
To move rules to a different rulebase or device group, enter the following:

Field Description

Destination The target device group to move the policy rules.

Destination Type (Panorama only)  Select whether to move the rules to the Pre-Rulebase or Post-Rulebase of
the destination device group.

Rule Order Select where in the rulebase to move the rules. You can choose:
• Move Top—Move rules to the top of the rulebase of the destination
device group.
• Move Bottom—Move rules to the end of the rulebase of the destination
device group.
• Before Rule—Move rules before the selected rule in the rulebase of the
destination device group.
• After Rule—Move rules after the selected rule in the rulebase of the
destination device group.

Error out on first detected error in validation  Check this box to determine how errors are displayed if
encountered during validation. If checked, each error is displayed individually. If unchecked, the errors
are aggregated and displayed as a single error.
Errors detected during validation cause the rule move job to fail, and no rules are moved to the
destination device group.

Change Group of All Rules
Rather than editing each rule, Change Group of All Rules to move an entire policy rule set from one tag
group to another existing tag group. The rule order of the tag group rules is preserved when moved to the
new tag group, but you have the choice of placing the new rules either before the rules in the destination
tag group, or after.
To move rules to a different tag group, specify the destination tag group and where to place the moved
rules.

Field Description

Select a Group for its appearance order  Select the destination tag group.

Move Top  Move Top inserts the rules at the top of the destination tag group.

Move Bottom  Move Bottom inserts the rules at the bottom of the destination tag group.

Move All Rules in Group


Rather than reordering each rule individually, Move All Rules in Group to move all rules in the selected tag
group up or down the rule hierarchy. The rule order of the moved rules is preserved when moving the tag
group, but you have the choice of placing the rules either before the rules in the destination tag group,
or after.
To move rules, specify the destination tag group and where to place the moved rules.

Field Description

Select a Group for its appearance order  Select the destination tag group.

Move Top  Move Top inserts the rules before the destination tag group.

Move Bottom  Move Bottom inserts the rules after the destination tag group.

Delete All Rules in Group


To simplify rule management, you can Delete All Rules in Group to reduce your security risks and keep your
policy rulebase organized by deleting unused or unwanted rules associated with a selected tag group.

Clone All Rules in Group


Rather than manually recreate existing policy rules in a tag group, Clone All Rules in Group to quickly
duplicate rules in the selected tag group in the device group and rulebase of your choice. The device group
must already exist before (cannot be created while) cloning rules in a tag group to a different device group.
Additionally, you can clone the rules in a tag group to a different rulebase within the same device group.
Cloned rules are named with the original rule name and a numeric suffix, in the format <Rule Name>-1. If a
rule is cloned to the same location as the first cloned rule and the name is not changed, the suffix is
incremented: <Rule Name>-2, <Rule Name>-3, and so on.
To clone rules, configure the following fields.

Field Description

Destination The target device group of the cloned policy rules.

Destination Type (Panorama only)  Select whether to clone the rules to the Pre-Rulebase or Post-Rulebase
of the destination device group.

Rule Order Select where in the rulebase to clone the rules. You can choose:
• Move Top—Insert cloned rules at the top of the rulebase of the
destination device group.
• Move Bottom—Insert cloned rules at the end of the rulebase of the
destination device group.
• Before Rule—Insert cloned rules before the selected rule in the rulebase
of the destination device group.
• After Rule—Insert cloned rules after the selected rule in the rulebase
of the destination device group.

Error out on first detected error in validation  Select this option to determine how errors are displayed
if encountered during validation. If enabled, each error is displayed individually. If disabled (cleared),
the errors are aggregated and displayed as a single error.
Errors detected during validation cause the rule clone job to fail, and no rules are cloned to the
destination device group.

Manage Tags
The following lists the actions that you can perform when grouping rules by group tags.

• Tag a rule.
1. Select View Rules as Groups.
2. Select one or more rules on the right pane.
3. From the group tag drop-down, Apply Tag to the Selected Rules.

4. Add tags to the selected rules.

• View the rules assigned a group tag.


1. View Rulebase as Groups to view the group tags your rules are assigned to.
2. The right pane updates to display the group tags and the rules that have any of the selected tags.

3. Select the group tag to view the rules assigned to the group. Rules not assigned a group tag are listed
in the none group.

• Untag a rule.
1. View Rulebase as Groups to view the group tags your rules are assigned to.
2. Select one or more rules on the right pane.
3. From the group tag drop-down, Apply Tag to the Selected Rules.

4. Remove tags from the selected rules. Additionally, you may Delete All tags assigned to the rule.

• Reorder a rule using tags.


When you View Rulebase as Groups, select one or more rules in a group tag, hover over the rule number
and select Move Selected Rule(s) in the drop-down. Do not select any rules if you want to move all rules
in the selected group tag.

Select a group tag from the drop-down in the move rule window and select whether you want to Move
Before or Move After the tag selected in the drop-down.

• Add a new rule that applies the selected tags.


When you View Rulebase as Groups, hover over the group tag and select Append Rule in the drop-
down.
The new rule is appended to the end of the list of rules assigned to the group tag.

• Search for a group tag.


When you View Rulebase as Groups, hover over the group tag and from the drop-down select Global
Find.

• Export tag configuration table.
Administrative roles can export the object configuration table in PDF/CSV format and can apply filters
to customize the table output to include only the columns you need. Only the columns that are visible in
the Export dialog are exported. See Export Configuration Table Data.

Objects > Devices
Also known as the Device Dictionary, this page contains metadata for device objects. Review information
for existing device objects or add a new device object. Using device objects as match criteria in security
policy allows you to create device-based policy, where the firewall dynamically updates and applies security
policy to new and existing devices. Palo Alto Networks updates the Device Dictionary via dynamic updates,
which you can view in Device > Dynamic Updates > Device-ID Content.

Button/Field Description

Name The name of the device object.

Location The location of the device group for the device object.

Category The category of the device object (for example, Video Audio Conference).

Profile The device profile for the device object.

Model The model of the device object.

OS Version The OS version of the device object.

OS Family The OS family of the device object.

Vendor The vendor for the device object.

Add Click Add to add a new device object. Enter a Name and
optionally, a Description. Select additional metadata for
the device, such as Category, OS, and Model. You can also
Browse the list of devices to select the device you want to
add. Click OK to confirm your changes.

Delete Select a device object you no longer need then Delete it.

Move Select the device object you want to move then Move it.

Clone Select the device object on which to base the new device
profile and Clone it.

PDF/CSV Export the list of devices in PDF/CSV format. You can apply filters to create more specific
outputs as needed. Only visible columns in the web interface will be exported. See Configuration Table
Export.

Objects > External Dynamic Lists
An external dynamic list is an address object based on an imported list of IP addresses, URLs, domain
names, International Mobile Equipment Identities (IMEIs), or International Mobile Subscriber Identities
(IMSIs) that you can use in policy rules to block or allow traffic. This list must be a text file saved to a web
server that is accessible by the firewall. By default, the firewall uses the management (MGT) interface to
retrieve this list.
With an active Threat Prevention license, Palo Alto Networks provides multiple built-in dynamic IP lists that
you can use to block malicious hosts. We update the lists daily based on our latest threat research.
You can use an IP address list as an address object in the source and destination of your policy rules; you
can use a URL List in a URL Filtering profile (Objects > Security Profiles > URL Filtering) or as a match
criteria in Security policy rules; and you can use a domain list (Objects > Security Profiles > Anti-Spyware
Profile) as a sinkhole for specified domain names.
On each firewall model, you can use up to 30 external dynamic lists with unique sources across all Security
policy rules. The maximum number of entries that the firewall supports for each list type varies based on
the firewall model (refer to the different firewall limits for each external dynamic list type). List entries
count toward the maximum limit only if the external dynamic list is used in a policy rule. If you exceed the
maximum number of entries that are supported on a firewall model, the firewall generates a System log
and skips the entries that exceed the limit. To check the number of IP addresses, domains, URLs, IMEIs, and
IMSIs currently used in policy rules and the total number supported on the firewall, select List Capacities
(firewall only).
The external dynamic lists are shown in the order they are evaluated from top to bottom. Use the
directional controls at the bottom of the page to change the list order. This enables you to reorder the lists
to make sure that the most important entries in an external dynamic list are committed before you reach
capacity limits.

You cannot change the external dynamic list order when lists are grouped by type.

To retrieve the latest version of the external dynamic list from the server that hosts it, select an external
dynamic list and Import Now.

You cannot delete, clone, or edit the settings of the Palo Alto Networks malicious IP address
feeds.

Add a new external dynamic list and configure the settings described in the table below.

External Dynamic List Settings Description

Name Enter a name to identify the external dynamic list (up to 32 characters).
This name identifies the list for policy rule enforcement.

Shared (Multiple virtual systems (multi-vsys) and Panorama only)  Enable this option if you want the
external dynamic list to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you disable (clear) this option, then the
external dynamic list is available only to the Virtual System selected in the Objects tab.
• Every device group on Panorama. If you disable (clear) this option, the external dynamic list is
available only to the Device Group selected in the Objects tab.

Disable override (Panorama Enable this option to prevent administrators from overriding the
only) settings of this external dynamic list object in device groups that inherit
the object. This option is disabled (cleared) by default, which means
administrators can override the settings for any device group that
inherits the object.

Test Source URL (Firewall only)  Test Source URL to verify that the firewall can connect to the server that
hosts the external dynamic list.

This test does not check whether the server authenticates successfully.

Create List Tab

Type  Select from the following types of external dynamic lists:

You cannot mix IP addresses, URLs, and domain names in a single list. Each list must include entries
of only one type.

• Predefined IP List—Use a list that Palo Alto Networks identifies as bulletproof IP addresses, known
malicious IP addresses, or high risk IP addresses as a source of list entries (requires an active Threat
Prevention license).
• Predefined URL List—Use a list of domains that Palo Alto Networks identifies as trusted to exclude
these domains from Authentication policy.
• IP List (default)—Each list can include IPv4 or IPv6 addresses, address ranges, and subnets. The list
must contain only one IP address, range, or subnet per line. For example:

192.168.80.150/32
2001:db8:123:1::1 or 2001:db8:123:1::/64
192.168.80.0/24
2001:db8:123:1::1 - 2001:db8:123:1::22

In the example above, the first line indicates all addresses from 192.168.80.0 through 192.168.80.255.
A subnet or an IP address range, such as 92.168.20.0/24 or 192.168.20.40 – 192.168.20.50, counts as one
IP address entry and not as multiple IP addresses.
• Domain List—Each list can contain only one domain name entry per line. For example:

www.p301srv03.paloalonetworks.com
ftp.example.co.uk
test.domain.net

For the list of domains included in the external dynamic list, the firewall creates a set of custom
signatures of the spyware type with medium severity so that you can use the sinkhole action for a custom
list of domains.

• URL List—Each list can have only one URL entry per line. For
example:

financialtimes.co.in
www.wallaby.au/joey
www.exyang.com/auto-tutorials/How-to-enter-Data-
for-Success.aspx
*.example.com/*

For each URL list, the default action is set to Allow. To edit the
default action, see Objects > Security Profiles > URL Filtering.

Type (cont)  • Subscriber Identity List—Each list contains subscriber IDs for a 3G, 4G, or 5G network. In
the Source field, enter a URL for the firewall to access the list.
• Equipment Identity List—Each list contains equipment IDs for a 3G, 4G, or 5G network. In the Source
field, enter a URL for the firewall to access the list.

Determine which firewall model to purchase based on the total number of 3G, 4G, and 5G network
identifiers you need your external dynamic list and static entries to support.

Description Enter a description for the external dynamic list (up to 255 characters).

Source • If the external dynamic list is a Predefined IP List, select Palo Alto
Networks - Bulletproof IP addresses, Palo Alto Networks - High
risk IP addresses, or Palo Alto Networks - Known malicious IP
addresses as the list source.
• If the external dynamic list is a Predefined URL List, the default
setting is panw-auth-portal-exclude-list.
• If the external dynamic list is an IP List, a Domain List, or a URL List,
enter an HTTP or HTTPS URL path that contains the text file (for
example, http://192.0.2.20/myfile.txt).
• If the external dynamic list is a Domain List, you can Automatically expand to include subdomains. This
option enables the PAN-OS® software to evaluate all lower-level components of the domain names listed in
the external dynamic list file. This option is disabled by default.
• If the external dynamic list is a Subscriber Identity List or Equipment Identity List, enter a URL path
that contains the list.

If your external dynamic list contains subdomains, these expanded entries count towards your appliance
model capacity count. You can disable this feature if you want to manually define subdomains. However,
subdomains that are not explicitly defined in the list are not evaluated by policy rules.


Certificate Profile (IP List, Domain List, or URL List only)  If the external dynamic list has an HTTPS
URL, select an existing certificate profile (firewall and Panorama) or create a new Certificate Profile
(firewall only) for authenticating the web server that hosts the list. For more information on configuring
a certificate profile, see Device > Certificate Management > Certificate Profile.
Default: None (Disable Cert profile)

To maximize the number of external dynamic lists that you can use to enforce policy, use the same
certificate profile to authenticate external dynamic lists that use the same source URL so that the lists
count as only one external dynamic list. External dynamic lists from the same source URL that use
different certificate profiles are counted as unique external dynamic lists.

Client Authentication Enable this option (disabled by default) to add a username and
password that the firewall will use when accessing an external dynamic
list source that requires basic HTTP authentication. This setting is
available only when the external dynamic list has an HTTPS URL.
• Username—Enter a valid username to access the list.
• Password/Confirm Password—Enter and confirm the password for
the username.

Check for updates  Specify the frequency at which the firewall retrieves the list from the web server:
Every Five Minutes (default), Hourly, Daily, Weekly, or Monthly. The interval is relative to the last
commit. So, for the five-minute interval, the commit occurs in 5 minutes if the last commit was an hour
ago. The commit updates all policy rules that reference the list so that the firewall can successfully
enforce policy rules.

You do not have to configure a frequency for a predefined IP list because the firewall dynamically
receives content updates with an active Threat Prevention license.

List Entries and Exceptions Tab

List Entries Displays the entries in the external dynamic list.


• Add an entry as a list exception—Select up to 100 entries and Submit.
• View an AutoFocus threat intelligence summary for an item—Hover over an entry and select AutoFocus
from the drop-down. You must have an AutoFocus™ license and enable AutoFocus threat intelligence to view
an item summary (select Device > Setup > Management and edit the AutoFocus settings).
• Check if an IP address, domain, or URL is in the external dynamic list—Enter a value in the filter field
and Apply Filter. Clear Filter to go back to viewing the complete list.


Manual Exceptions Displays exceptions to the external dynamic list.


• Edit an exception—Select an exception and make your changes.
• Manually enter an exception—Add a new exception manually.
• Remove an exception from the Manual Exceptions list—Select and
Delete an exception.
• Check if an IP address, domain, or URL is in the Manual Exceptions list—Enter a value in the filter
field and Apply Filter. Clear Filter to go back to viewing the complete list. You cannot save your changes
to the external dynamic list if you have duplicate entries in the Manual Exceptions list.

Objects > Custom Objects
Create custom data patterns, vulnerability and spyware signatures, and URL categories to use with policies:
• Objects > Custom Objects > Data Patterns
• Objects > Custom Objects > Spyware/Vulnerability
• Objects > Custom Objects > URL Category

Objects > Custom Objects > Data Patterns


The following topics describe data patterns.

What are you looking for?  See:

Create a data pattern.  Data Pattern Settings

Learn more about syntax for regular expression data patterns and see some examples.  Syntax for Regular
Expression Data Patterns; Regular Expression Data Pattern Examples

Data Pattern Settings


Select Objects > Custom Objects > Data Patterns to define the categories of sensitive information that you
may want to filter. For information on defining data filtering profiles, select Objects > Security Profiles >
Data Filtering.
You can create three types of data patterns for the firewall to use when scanning for sensitive information:
• Predefined—Use the predefined data patterns to scan files for social security and credit card numbers.
• Regular Expression—Create custom data patterns using regular expressions.
• File Properties—Scan files for specific file properties and values.

Data Pattern Settings Description

Name Enter the data pattern name (up to 31 characters). The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, and
underscores.

Description Enter a description for the data pattern (up to 255 characters).

Shared Select this option if you want the data pattern to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the data pattern will be available only to the Virtual System
selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the data
pattern will be available only to the Device Group selected in the
Objects tab.

Disable override (Panorama only)  Select this option to prevent administrators from overriding the settings
of this data pattern object in device groups that inherit the object. This selection is cleared by default,
which means administrators can override the settings for any device group that inherits the object.

Pattern Type Select the type of data pattern you want to create:
• Predefined Pattern
• Regular Expression
• File Properties

Predefined Pattern Palo Alto Networks provides predefined data patterns to scan for certain
types of information in files, for example, for credit card numbers or social
security numbers. To configure data filtering based on a predefined pattern,
Add a pattern and select the following:
• Name—Select a predefined pattern to use to filter for sensitive data.
When you pick a predefined pattern, the Description populates
automatically.
• Select the File Type in which you want to detect the predefined pattern.

Regular Expression Add a custom data pattern. Give the pattern a descriptive Name, set the
File Type you want to scan for the data pattern, and enter the regular
expression that defines the Data Pattern.
For regular expression data pattern syntax details and examples, see:
• Syntax for Regular Expression Data Patterns
• Regular Expression Data Pattern Examples

File Properties Build a data pattern to scan for file properties and the associated values.
For example, Add a data pattern to filter for Microsoft Word documents
and PDFs where the document title includes the words “sensitive”,
“internal”, or “confidential”.
• Give the data pattern a descriptive Name.
• Select the File Type that you want to scan.
• Select the File Property that you want to scan for a specific value.
• Enter the Property Value for which you want to scan.

Syntax for Regular Expression Data Patterns


The general pattern requirements and syntax for creating data patterns depends on the pattern-matching
engine that you enable: classic or enhanced (default).

Pattern Requirements  Classic / Enhanced

Pattern length  Classic: Requires 7 literal characters, which cannot include a period (.), an asterisk (*),
a plus sign (+), or a range ([a-z]).
Enhanced: Requires two literal characters.

Case-insensitivity  Classic: Requires you to define patterns for all possible strings to match all
variations of a term. Example: To match any documents designated as confidential, you must create a
pattern that includes “confidential,” “Confidential,” and “CONFIDENTIAL.”
Enhanced: Allows you to use the i option on a sub-pattern. Example: ((?i)\bconfidential\b) matches
ConfiDential.

The regular expression syntax in PAN-OS® is similar to traditional regular expression engines but every
engine is unique. The Classic Syntax and Enhanced Syntax tables describe the syntax supported in the PAN-
OS pattern-matching engines.
Classic Syntax

Pattern Syntax  Description

.  Match any single character.

?  Match the preceding character or expression 0 or one time. You must include the general expression
inside parentheses.
Example: (abc)?

*  Match the preceding character or expression 0 or more times. You must include the general expression
inside parentheses.
Example: (abc)*

+  Match the preceding character or regular expression one or more times. You must include the general
expression inside parentheses.
Example: (abc)+

|  Specify one “OR” another. You must include alternative substrings in parentheses.
Example: ((bif)|(scr)|(exe)) matches bif, scr, or exe.

-  Specify a range.
Example: [c-z] matches any character between c and z inclusive.

[]  Match any specified character.
Example: [abz] matches any of the specified characters: a, b, or z.

^  Match any character except those specified.
Example: [^abz] matches any character except the specified characters: a, b, or z.

{}  Match a string that contains minimum and maximum.
Example: {10-20} matches any string that is between 10 and 20 bytes inclusive. You must specify this
directly in front of a fixed string and you can use only a hyphen (-).

\  Perform a literal match on any character. You must precede the specified character with a
backslash (\).

&amp  The ampersand (&) is a special character so, to look for & in a string, you must use &amp.

Enhanced Syntax
The enhanced pattern-matching engine supports all of the Classic Syntax as well as the following syntax:

Pattern Syntax  Description

Shorthand character classes
Symbols that stand for a character of a specific type, such as a digit or white space. You can negate any
of these shorthand character classes by using uppercase characters.

\s  Match any whitespace character.
Example: \s matches a space, tab, line break, or form feed.

\d  Match a character that is a digit [0-9].
Example: \d matches 0.

\w  Matches an ASCII character [A-Za-z0-9_].
Example: \w\w\w matches PAN.

\v  Match a vertical white space character, which includes all unicode line break characters.
Example: \v matches a vertical white space character.

\h  Match horizontal white space, which includes the tab and all of the “space separator” unicode
characters.
Example: \h matches a horizontal white space character.

Bounded repeat quantifiers
Specify how many times to repeat the previous item.

{n}  Match exactly a number (n) of times.
Example: a{2} matches aa.

{n,m}  Match from n to m times.
Example: a{2,4} matches aa, aaa, and aaaa.

{n,}  Match at least n times.
Example: a{2,} matches aaaaa in aaaaab.

Anchor characters
Specify where to match an expression.

^  Match at the beginning of a string. Also matches after every line break when multi-line mode (m) is
enabled.
Example: Given the string abc, ^a matches a, but ^b doesn’t match anything because b doesn’t occur at the
start of the string.

$  Match at the end of a string or before a newline character at the end of a string. Also matches before
every line break when multi-line mode (m) is enabled.
Example: Given the string abc, c$ matches c, but a$ doesn’t match anything because a doesn’t occur at the
end of the string.

\A  Match at the beginning of a string. Doesn’t match after line breaks, even when multi-line mode (m) is
enabled.

\Z  Match at the end of a string and before the final line break. Doesn’t match before other line breaks
even when multi-line mode (m) is enabled.

\z  Match at the absolute end of a string. Doesn’t match before line breaks.

Option modifiers
Change the behavior of a sub-pattern. Enter (?<option>) to enable or (?-<option>) to disable.

i  Enable case-insensitivity.
Example: ((?i)\bconfidential\b) matches ConfiDential.

m  Make ^ and $ match at the beginning and end of lines.

s  Make . match anything, including line break characters.

x  Ignore whitespace between regex tokens.

Regular Expression Data Pattern Examples


The following are examples of valid custom patterns:
• .*((Confidential)|(CONFIDENTIAL))

• Looks for the word “Confidential” or “CONFIDENTIAL” anywhere
• “.*” at the beginning specifies to look anywhere in the stream
• Depending on the case-sensitivity requirements of the decoder, this may not match “confidential” (all
lower case)
• .*((Proprietary &amp Confidential)|(Proprietary and Confidential))
• Looks for either “Proprietary & Confidential” or “Proprietary and Confidential”
• More precise than looking for “Confidential”
• .*(Press Release).*((Draft)|(DRAFT)|(draft))
• Looks for “Press Release” followed by various forms of the word draft, which may indicate that the
press release isn't ready to be sent outside the company
• .*(Trinidad)
• Looks for a project code name, such as “Trinidad”
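To check a candidate pattern against the length rule and rehearse it on sample text before you create the data pattern, the following Python script is an added example, not Palo Alto Networks code and not the firewall's pattern-matching engine. It counts literal characters the way the classic and enhanced rules above describe, and it uses Python's re module to try the page's example patterns on constructed sample lines after translating the two page-specific spellings (&amp for a literal ampersand, and ((?i)...) as a scoped modifier) into Python syntax. Python's engine differs from the PAN-OS engines (the classic {10-20} form, for instance, is not Python syntax), so treat a match here as a sanity check of intent rather than a prediction of what the firewall will match.

```python
"""Pre-check a custom regular expression data pattern before entering it.

Added example, not Palo Alto Networks code and not the firewall's engine.
(1) count_literal_chars applies the length rule from this page: at least 7
literal characters for the classic engine, where ., *, + and bracket ranges
do not count, and at least 2 for the enhanced engine. (2) rehearse tries a
pattern on sample text with Python's re module after translating the page's
&amp spelling and its ((?i)...) scoped-modifier form into Python syntax.
Both translations, and the escape classification below, are assumptions.
"""
import re
from typing import Dict, Iterable

METACHARS = set(".*+?|()^$")
# Escapes from the Enhanced Syntax table that are classes or anchors, not literals.
NON_LITERAL_ESCAPES = set("sdwvhbSDWAZz")
MIN_LITERALS = {"classic": 7, "enhanced": 2}


def count_literal_chars(pattern: str) -> int:
    """Count characters that must appear verbatim for the pattern to match."""
    count, i = 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):      # \x is literal unless a class/anchor
            if pattern[i + 1] not in NON_LITERAL_ESCAPES:
                count += 1
            i += 2
        elif c in "[{":                             # ranges and quantifiers count as zero
            end = pattern.find("]" if c == "[" else "}", i + 1)
            i = len(pattern) if end == -1 else end + 1
        elif pattern.startswith("(?", i):           # option modifier such as (?i) or (?-i)
            end = pattern.find(")", i)
            i = len(pattern) if end == -1 else end + 1
        elif c in METACHARS:
            i += 1
        elif pattern.startswith("&amp", i):         # the page's spelling of a literal &
            count += 1
            i += 4
        else:
            count += 1
            i += 1
    return count


def meets_length_requirement(pattern: str, engine: str = "enhanced") -> bool:
    """Apply the minimum-literal rule for the selected engine ('classic' or 'enhanced')."""
    return count_literal_chars(pattern) >= MIN_LITERALS[engine]


def to_python_regex(pattern: str) -> str:
    """Translate the page's syntax into Python re syntax (assumption: only these two differ)."""
    py = pattern.replace("&amp", "&")
    # The page writes a scoped modifier as ((?i)X); Python 3.11+ requires (?i:X).
    return re.sub(r"\(\(\?(-?[imsx]+)\)", r"(?\1:", py)


def rehearse(pattern: str, samples: Iterable[str]) -> Dict[str, bool]:
    """Return {sample: matched} using Python's engine (search anywhere, like .* would)."""
    rx = re.compile(to_python_regex(pattern))
    return {s: rx.search(s) is not None for s in samples}


if __name__ == "__main__":
    # Patterns from this page, rehearsed against constructed sample lines.
    checks = [
        (".*((Confidential)|(CONFIDENTIAL))", ["Marked CONFIDENTIAL", "marked confidential"]),
        (r"((?i)\bconfidential\b)", ["ConfiDential", "confidentiality"]),
        (".*((Proprietary &amp Confidential)|(Proprietary and Confidential))",
         ["Proprietary & Confidential memo", "Confidential memo"]),
        (".*(Press Release).*((Draft)|(DRAFT)|(draft))",
         ["Press Release - DRAFT", "Press Release final"]),
    ]
    for pat, samples in checks:
        print(pat, "| literals:", count_literal_chars(pat),
              "| classic ok:", meets_length_requirement(pat, "classic"),
              "|", rehearse(pat, samples))
```

The first sample shows why the page warns that a classic pattern may miss "confidential" in lower case: the all-lowercase line does not match, while the enhanced form with (?i) matches ConfiDential and, thanks to \b, still skips "confidentiality".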

Objects > Custom Objects > Spyware/
Vulnerability
The firewall supports the ability to create custom spyware and vulnerability signatures using the firewall
threat engine. You can write custom regular expression patterns to identify spyware phone home
communication or vulnerability exploits. The resulting spyware and vulnerability patterns become available
for use in any custom vulnerability profiles. The firewall looks for the custom-defined patterns in network
traffic and takes the specified action for the vulnerability exploit.

Weekly content releases periodically include new decoders and contexts for which you can
develop signatures.

You can optionally include a time attribute when defining custom signatures by specifying a threshold per
interval for triggering possible actions in response to an attack. Action is taken only after the threshold is
reached.
Use the Custom Spyware Signature page to define signatures for Anti-Spyware profiles. Use the Custom
Vulnerability Signature page to define signatures for Vulnerability Protection profiles.

Custom Vulnerability and Spyware Signature Settings   Description

Configuration Tab

Threat ID Enter a numeric identifier for the configuration (spyware signatures range
is 15000-18000 and 6900001 - 7000000; vulnerability signatures range is
41000-45000 and 6800001-6900000).

Name Specify the threat name.

Shared Select this option if you want the custom signature to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the custom signature will be available only to the Virtual
System selected in the Objects tab.
• Every device group on Panorama. If you clear this selection, the custom
signature will be available only to the Device Group selected in the
Objects tab.

Disable override Select this option to prevent administrators from overriding the settings of
(Panorama only) this signature in device groups that inherit the signature. This selection is
cleared by default, which means administrators can override the settings for
any device group that inherits the signature.

Comment Enter an optional comment.

Severity Assign a level that indicates the seriousness of the threat.

Default Action Assign the default action to take if the threat conditions are met. For a list
of actions, see Actions in Security Profiles.


Direction Indicate whether the threat is assessed from the client to server, server to
client, or both.

Affected System Indicate whether the threat involves the client, server, either, or both.
Applies to vulnerability signatures, but not spyware signatures.

CVE Specify the common vulnerability enumeration (CVE) as an external reference for
additional background and analysis.

Vendor Specify the vendor identifier for the vulnerability as an external reference
for additional background and analysis.

Bugtraq Specify the bugtraq (similar to CVE) as an external reference for additional
background and analysis.

Reference Add any links to additional analysis or background information. The information
is shown when a user clicks on the threat from the ACC, logs, or vulnerability profile.

Signatures Tab

Standard Signature Select Standard and then Add a new signature. Specify the following
information:
• Standard—Enter a name to identify the signature.
• Comment—Enter an optional description.
• Ordered Condition Match—Select if the order in which signature
conditions are defined is important.
• Scope—Select whether to apply this signature only to the current
transaction or to the full user session.
Add a condition by clicking Add Or Condition or Add And Condition.
To add a condition within a group, select the group and then click Add
Condition. Add a condition to a signature so that the signature is generated
for traffic when the parameters you define for the condition are true.
Select an Operator from the drop-down. The operator defines the type
of condition that must be true for the custom signature to match to
traffic. Choose from Less Than, Equal To, Greater Than, or Pattern Match
operators.
• When choosing a Pattern Match operator, specify for the following to
be true for the signature to match to traffic:
• Context—Select from the available contexts.
• Pattern—Specify a regular expression. See Pattern Rules Syntax for
pattern rules for regular expressions.
• Qualifier and Value—Optionally, add qualifier/value pairs.
• Negate—Select Negate so that the custom signature matches to
traffic only when the defined Pattern Match condition is not true.
This allows you to ensure that the custom signature is not triggered
under certain conditions.

A custom signature cannot be created with only Negate conditions; at least one
positive condition must be included in order for a negate condition to be
specified. Also, if the scope of the signature is set to Session, a Negate
condition cannot be configured as the last condition to match to traffic.

You can define exceptions for custom vulnerability or spyware signatures using the
new option to negate signature generation when traffic matches both a signature and
the exception to the signature. Use this option to allow certain traffic in your
network that might otherwise be classified as spyware or a vulnerability exploit. In
this case, the signature is generated for traffic that matches the pattern; traffic
that matches the pattern but also matches the exception to the pattern is excluded
from signature generation and any associated policy action (such as being blocked or
dropped). For example, you can define a signature to be generated for redirected
URLs; however, you can now also create an exception where the signature is not
generated for URLs that redirect to a trusted domain.

• When choosing an Equal To, Less Than, or Greater Than operator, specify for the
following to be true for the signature to match to traffic:
• Context—Select from unknown requests and responses for TCP or
UDP.
• Position—Select between the first four or second four bytes in the
payload.
• Mask—Specify a 4-byte hex value, for example, 0xffffff00.
• Value—Specify a 4-byte hex value, for example, 0xaabbccdd.

Combination Signature Select Combination and specify the following information:
Select Combination Signatures to specify conditions that define signatures:
• Add a condition by clicking Add AND Condition or Add OR Condition.
To add a condition within a group, select the group and then click Add
Condition.
• To move a condition within a group, select the condition and click Move
Up or Move Down. To move a group, select the group and click Move
Up or Move Down. You cannot move conditions from one group to
another.
Select Time Attribute to specify the following information:
• Number of Hits—Specify the threshold that will trigger any policy-based
action as a number of hits (1-1000) in a specified number of seconds
(1-3600).
• Aggregation Criteria—Specify whether the hits are tracked by source
IP address, destination IP address, or a combination of source and
destination IP addresses.
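Example added to this help text (not Palo Alto Networks code): the following Python models how the numeric operators on the Signatures tab (Equal To, Less Than, Greater Than with Position, Mask and Value) and the Time Attribute of a combination signature (Number of Hits within a number of seconds, aggregated by source IP, destination IP, or both) would be evaluated against traffic. The byte order of the 4-byte comparison, the sliding shape of the time window, the position and operator names, and the sample events and addresses are assumptions made for the example.

```python
import struct
from collections import defaultdict, deque

# Position choices offered for the numeric operators: first four or second four payload bytes.
POSITION_OFFSET = {"first-4-bytes": 0, "second-4-bytes": 4}


def numeric_condition(payload, operator, position, mask, value):
    """Evaluate an Equal To / Less Than / Greater Than condition on a raw payload.

    Assumption (not stated in the help text): the 4 bytes at the chosen position are read
    as one big-endian integer, ANDed with the 4-byte mask, and compared with the 4-byte
    value. A payload too short to supply 4 bytes at that position never matches.
    """
    offset = POSITION_OFFSET[position]
    if len(payload) < offset + 4:
        return False
    (word,) = struct.unpack(">I", payload[offset:offset + 4])
    masked = word & mask
    if operator == "equal-to":
        return masked == value
    if operator == "less-than":
        return masked < value
    if operator == "greater-than":
        return masked > value
    raise ValueError(f"unknown operator {operator!r}")


class HitThreshold:
    """Time Attribute: Number of Hits (1-1000) within N seconds (1-3600), aggregated by
    source IP, destination IP, or the source-destination pair. Hits older than the window
    are forgotten, so the count is a sliding window (an assumption about the window shape)."""

    def __init__(self, hits, seconds, aggregate="source-and-destination"):
        if not (1 <= hits <= 1000 and 1 <= seconds <= 3600):
            raise ValueError("threshold outside the documented ranges")
        if aggregate not in ("source", "destination", "source-and-destination"):
            raise ValueError("unknown aggregation criteria")
        self.hits, self.seconds, self.aggregate = hits, seconds, aggregate
        self._windows = defaultdict(deque)

    def _key(self, src, dst):
        return {"source": (src,), "destination": (dst,),
                "source-and-destination": (src, dst)}[self.aggregate]

    def record(self, ts, src, dst):
        """Record one signature hit at time ts (seconds). Return True when the hits for
        the aggregation key inside the window reach the threshold, which is the point at
        which the configured action would be taken."""
        window = self._windows[self._key(src, dst)]
        window.append(ts)
        while window and ts - window[0] >= self.seconds:
            window.popleft()
        return len(window) >= self.hits


def action_times(events, threshold, condition):
    """Run constructed traffic events through one numeric condition plus a hit threshold
    and return the timestamps at which the action would fire."""
    fired = []
    for ts, src, dst, payload in events:
        if numeric_condition(payload, **condition) and threshold.record(ts, src, dst):
            fired.append(ts)
    return fired


# Constructed condition: first 4 payload bytes, masked down to the first two, equal to "GE".
GET_CONDITION = {"operator": "equal-to", "position": "first-4-bytes",
                 "mask": 0xFFFF0000, "value": 0x47450000}

# Constructed events (timestamp, source, destination, payload) using documentation address ranges.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "192.0.2.10", b"GET / HTTP/1.1"),
    (2, "10.0.0.5", "192.0.2.11", b"GET /a HTTP/1.1"),
    (4, "10.0.0.9", "192.0.2.10", b"GET /b HTTP/1.1"),   # different source, counted separately
    (5, "10.0.0.5", "192.0.2.12", b"POST /x HTTP/1.1"),  # condition false, never counted
    (6, "10.0.0.5", "192.0.2.10", b"GET /c HTTP/1.1"),   # third hit for 10.0.0.5 within 10 s
    (20, "10.0.0.5", "192.0.2.10", b"GET /d HTTP/1.1"),  # earlier hits have aged out
]

if __name__ == "__main__":
    by_source = HitThreshold(hits=3, seconds=10, aggregate="source")
    print(action_times(SAMPLE_EVENTS, by_source, GET_CONDITION))  # [6]
```

The aggregation choice changes the outcome on the same events: counted per source, 10.0.0.5 crosses three hits at t=6; counted per source-destination pair, no pair reaches three within the window, so a signature meant to catch a host spraying many destinations should aggregate by source.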
Objects > Custom Objects > URL Category
Use the custom URL category page to create your custom list of URLs and use it in a URL filtering profile or
as match criteria in policy rules. In a custom URL category, you can add URL entries individually or you can
import a text file that contains a list of URLs.

URL entries added to custom categories are case insensitive.

The following table describes the custom URL settings.

Custom URL Category Settings Description

Name Enter a name to identify the custom URL category (up to 31 characters). This
name displays in the category list when defining URL filtering policies and in the
match criteria for URL categories in policy rules. The name is case-sensitive and
must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

Description Enter a description for the URL category (up to 255 characters).

Type Select the category type:
• Category Match—Select Category Match to define a new custom category containing
URLs matching all of the specified URL categories (a URL has to match all categories
in the list). Specify between 2-4 categories.
• URL List—Select URL List to add or import a list of URLs for the category. This
category type also contains URLs added before PAN-OS 9.0.

Shared Select this option if you want the URL category to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you disable
(clear) this option, the URL category is available only to the Virtual
System selected in the Objects tab.
• Every device group on Panorama. If you disable (clear) this option,
the URL category is available only to the Device Group selected in
the Objects tab.

Disable override (Panorama Select this option to prevent administrators from overriding the
only) settings of this custom URL object in device groups that inherit
the object. This selection is disabled by default, which means
administrators can override the settings for any device group that
inherits the object.

Sites Manage sites for the custom URL category (each URL added or
imported can have a maximum of 255 characters).
• Add—Add URLs, only one per row. Each URL can be in the
format “www.example.com” or can include wildcards, such as
“*.example.com”. For additional information on supported formats,
see Block List in Objects > Security Profiles > URL Filtering.

• Import—Import and browse to select the text file that contains
the list of URLs. Enter only one URL per row. Each URL can be in
the format “www.example.com” or can include wildcards, such as
“*.example.com”. For additional information on supported formats,
see Block List in Objects > Security Profiles > URL Filtering.
• Export—Export custom URL entries included in the list (exported as
a text file).
• Delete—Delete an entry to remove the URL from the list.

To delete a custom category that you used in a URL filtering profile, you must set
the action to None before you can delete the custom category. See Category actions
in Objects > Security Profiles > URL Filtering.

Objects > Security Profiles
Security profiles provide threat protection in Security Policy. Each Security policy rule can include one or
more Security Profiles. The following are available profile types:
• Antivirus profiles to protect against worms, viruses, and trojans and to block spyware downloads. See
Objects > Security Profiles > Antivirus.
• Anti-Spyware profiles to block attempts from spyware on compromised hosts trying to phone-home
or beacon out to external command-and-control (C2) servers. See Objects > Security Profiles > Anti-
Spyware Profile.
• Vulnerability protection profiles to stop attempts to exploit system flaws or gain unauthorized access to
systems. See Objects > Security Profiles > Vulnerability Protection.
• URL filtering profiles to restrict users' access to specific websites and/or website categories, such as
shopping or gambling. See Objects > Security Profiles > URL Filtering.
• File blocking profiles to block selected file types, and in the specified session flow direction (inbound/
outbound/both). See Objects > Security Profiles > File Blocking.
• WildFire™ analysis profiles to specify for file analysis to be performed locally on the WildFire appliance
or in the WildFire cloud. See Objects > Security Profiles > WildFire Analysis.
• Data filtering profiles that help prevent sensitive information such as credit card or social security
numbers from leaving a protected network. See Objects > Security Profiles > Data Filtering.
• DoS Protection profiles are used with DoS Protection policy rules to protect the firewall from high-
volume single-session and multiple-session attacks. See Objects > Security Profiles > DoS Protection.
• Mobile Network Protection profiles enable the firewall to inspect, validate and filter GTP traffic.
In addition to individual profiles, you can combine profiles that are often applied together and create
Security Profile groups (Objects > Security Profile Groups).

Actions in Security Profiles


The action specifies how the firewall responds to a threat event. Every threat or virus signature that is
defined by Palo Alto Networks includes a default action, which is typically either set to Alert, which informs
you using the option you have enabled for notification, or to Reset Both, which resets both sides of the
connection. However, you can define or override the action on the firewall. The following actions are
applicable when defining Antivirus profiles, Anti-Spyware profiles, Vulnerability Protection profiles, custom
spyware objects, custom vulnerability objects, or DoS Protection profiles.

Action              Description

Default             Takes the default action that is specified internally for each threat signature. For
                    antivirus profiles, it takes the default action for the virus signature.
                    DoS Protection profile: Random Early Drop.

Allow               Permits the application traffic.
                    The Allow action does not generate logs related to the signatures or profiles.
                    DoS Protection profile: not applicable.

Alert               Generates an alert for each application traffic flow. The alert is saved in the threat
                    log.
                    DoS Protection profile: generates an alert when attack volume (cps) reaches the Alarm
                    threshold set in the profile.

Drop                Drops the application traffic.
                    DoS Protection profile: not applicable.

Reset Client        For TCP, resets the client-side connection. For UDP, the connection is dropped.
                    DoS Protection profile: not applicable.

Reset Server        For TCP, resets the server-side connection. For UDP, the connection is dropped.
                    DoS Protection profile: not applicable.

Reset Both          For TCP, resets the connection on both client and server ends. For UDP, the
                    connection is dropped.
                    DoS Protection profile: not applicable.

Block IP            Blocks traffic from either a source or a source-destination pair; configurable for a
                    specified period of time.

Sinkhole            Directs DNS queries for malicious domains to a sinkhole IP address. The action is
                    available for Palo Alto Networks DNS signatures and for custom domains included in
                    Objects > External Dynamic Lists.
                    DoS Protection profile: not applicable.

Random Early Drop   Causes the firewall to randomly drop packets when connections per second reach the
                    Activate Rate threshold in a DoS Protection profile applied to a DoS Protection rule.
                    DoS Protection profile only.

SYN Cookies         Causes the firewall to generate SYN cookies to authenticate a SYN from a client when
                    connections per second reach the Activate Rate Threshold in a DoS Protection profile
                    applied to a DoS Protection rule.
                    DoS Protection profile only.

You cannot delete a profile that is used in a policy rule; you must first remove the profile from
the policy rule.

Objects > Security Profiles > Antivirus
Use the Antivirus Profiles page to configure options to have the firewall scan for viruses on the defined
traffic. Set the applications that should be inspected for viruses and the action to take when a virus is
detected. The default profile inspects all of the listed protocol decoders for viruses, generates alerts for
Simple Mail Transport Protocol (SMTP), Internet Message Access Protocol (IMAP), and Post Office Protocol
Version 3 (POP3), and takes the default action for other applications (alert or deny), depending on the
type of virus detected. The profile will then be attached to a Security policy rule to determine the traffic
traversing specific zones that will be inspected.
Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones,
and to maximize the inspection of traffic received from untrusted zones, such as the Internet, as well as the
traffic sent to highly sensitive destinations, such as server farms.
To add a new Antivirus profile, select Add and enter the following settings:

Field Description

Name Enter a profile name (up to 31 characters). This name appears in the list of
antivirus profiles when defining security policies. The name is case-sensitive
and must be unique. Use only letters, numbers, spaces, hyphens, periods, and
underscores.

Description Enter a description for the profile (up to 255 characters).

Shared Select this option if you want the profile to be available to:
(Panorama only) • Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the profile will be available only to the Virtual System selected
in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile will
be available only to the Device Group selected in the Objects tab.

Disable override Select this option to prevent administrators from overriding the settings of
(Panorama only) this Antivirus profile in device groups that inherit the profile. This selection is
cleared by default, which means administrators can override the settings for
any device group that inherits the profile.

Action Tab
Specify the action for the different types of traffic, such as FTP and HTTP.

Enable Packet Capture Select this option if you want to capture identified packets.

Decoders and Actions For each type of traffic that you want to inspect for viruses, select an action
from the drop-down. You can define different actions for standard antivirus
signatures (Signature Action column), signatures generated by the WildFire
system (WildFire Signature Action column), and malicious threats detected
in real-time by the WildFire Inline ML models (WildFire Inline ML Action
column).
Some environments may have requirements for a longer soak time for
antivirus signatures, so this option enables the ability to set different actions
for the two antivirus signature types provided by Palo Alto Networks. For

PAN-OS WEB INTERFACE HELP | Objects 243


© 2021 Palo Alto Networks, Inc.
Field Description
example, the standard antivirus signatures go through a longer soak period
before being released (24 hours), versus WildFire signatures, which can be
generated and released within 15 minutes after a threat is detected. Because
of this, you may want to choose the alert action on WildFire signatures
instead of blocking.

For the best security, clone the default Antivirus profile and
set the Action and WildFire Action for all the decoders to
reset-both and attach the profile to all Security policy rules
that allow traffic.

Application Exceptions The Applications Exceptions table allows you to define applications that will
and Actions not be inspected. For example, to block all HTTP traffic except for a specific
application, you can define an antivirus profile for which the application is
an exception. Block is the action for the HTTP decoder, and Allow is the
exception for the application. For each application exception, select the action
to be taken when the threat is detected. For a list of actions, see Actions in
Security Profiles.
To find an application, start typing the application name in the text box. A
matching list of applications is displayed, and you can make a selection.

If you believe a legitimate application is incorrectly identified as carrying a
virus (false positive), open a support case with TAC so Palo Alto Networks can
analyze and fix the incorrectly identified virus. When the issue is resolved,
remove the exception from the profile.

Signature Exceptions Tab

Use the Signature Exception tab to define a list of threats that will be ignored by the antivirus profile.

Only create an exception if you are sure an identified virus is not a threat (false positive).
If you believe you have discovered a false positive, open a support case with TAC so
Palo Alto Networks can analyze and fix the incorrectly identified virus signature. When
the issue is resolved, remove the exception from the profile immediately.

Threat ID To add specific threats that you want to ignore, enter one Threat ID at a time
and click Add. Threat IDs are presented as part of the threat log information.
Refer to Monitor > Logs.

WildFire Inline ML Tab

Use the WildFire Inline ML tab to enable and configure real-time WildFire analysis of files using a
firewall-based machine learning model.

Palo Alto Networks recommends forwarding samples to the WildFire cloud when Wildfire
inline ML is enabled. This allows samples that trigger a false-positive to be automatically
corrected upon secondary analysis. Additionally, it provides data for improving ML
models for future updates.


Available Models For each available WildFire inline ML Model, you can select one of the
following action settings:
• enable (inherit per-protocol actions)—Traffic is inspected according to
your selections in the WildFire Inline ML Action column in the decoders
section of the Action tab.
• alert-only (override more strict actions to alert)—Traffic is inspected
according to your selections in the WildFire Inline ML Action column
in the decoders section of the Action tab. Any action with a severity
level higher than alert (drop, reset-client, reset-server, reset-both) will be
overridden to alert, allowing traffic to pass while generating and saving an
alert in the threat logs.
• disable (for all protocols)—Traffic is allowed to pass without any policy
action.

File Exceptions The File Exceptions table allows you to define specific files that you do not
want analyzed, such as false-positives.
To create a new file exception entry, Add a new entry and provide the partial
hash, filename, and description of the file that you want to exclude from
enforcement.
To find an existing file exception, start typing the partial hash value, file name,
or description in the text box. A list of file exceptions matching any of those
values are displayed.

You can find partial hashes in the threat logs (Monitor > Logs
> Threat).

Objects > Security Profiles > Anti-Spyware Profile
You can attach an Anti-Spyware profile to a Security policy rule to detect connections initiated by spyware
and various types of command-and-control (C2) malware installed on systems on your network. You can
choose between two predefined Anti-Spyware profiles to attach to a Security policy rule. Each profile has a
set of predefined rules (with threat signatures) organized by the severity of the threat; each threat signature
includes a default action that is specified by Palo Alto Networks.
• Default—The default profile uses the default action for every signature, as specified by the Palo Alto
Networks content package when the signature is created.
• Strict—The strict profile overrides the action defined in the signature file for critical, high, and
medium severity threats, and sets it to the reset-both action. The default action is taken with low and
informational severity threats.
• You can also create custom profiles. You can, for example, reduce the stringency for Anti-Spyware
inspection for traffic between trusted security zones, and maximize the inspection of traffic received
from the internet, or traffic sent to protected assets such as server farms.
The following tables describe the Anti-Spyware profile settings:

Anti-Spyware Profile Settings   Description

Name Enter a profile name (up to 31 characters). This name appears in the list of
Anti-Spyware profiles when defining security policies. The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
periods, and underscores.

Description Enter a description for the profile (up to 255 characters).

Shared (Panorama only) Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the profile will be available only to the Virtual System selected
in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile
will be available only to the Device Group selected in the Objects tab.

Disable override Select this option to prevent administrators from overriding the settings
(Panorama only) of this Anti-Spyware profile in device groups that inherit the profile. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the profile.

Signature Policies Tab

Anti-Spyware rules allow you to define a custom severity and action to take on any threat, on a specific
threat name that contains the text that you enter, and/or on a threat category, such as adware.
Add a new rule, or select an existing rule and then select Find Matching Signatures to filter threat
signatures based on that rule.

Rule Name Specify the rule name.


Threat Name Enter any to match all signatures, or enter text to match any signature
containing the entered text as part of the signature name.

Category Choose a category, or choose any to match all categories.

Action Choose an action for each threat. For a list of actions, see Actions in
Security Profiles.
The Default action is based on the pre-defined action that is part of each
signature provided by Palo Alto Networks. To view the default action for
a signature, select Objects > Security Profiles > Anti-Spyware and Add or
select an existing profile. Click the Exceptions tab and then click Show all
signatures to see a list of all signatures and the associated Action.

For the best security, use the Action settings in the predefined strict profile.

Packet Capture Select this option if you want to capture identified packets.
Select single-packet to capture one packet when a threat is detected,
or select the extended-capture option to capture from 1 to 50 packets
(default is 5 packets). Extended-capture provides more context about the
threat when analyzing the threat logs. To view the packet capture, select
Monitor > Logs > Threat, locate the log entry you are interested in, and
then click the green down arrow in the second column. To define the
number of packets to capture, select Device > Setup > Content-ID and
then edit the Content-ID™ Settings.
If the action for a given threat is allow, the firewall does not trigger a
Threat log and does not capture packets. If the action is alert, you can
set the packet capture to single-packet or extended-capture. All blocking
actions (drop, block, and reset actions) capture a single packet. The content
package on the device determines the default action.

Enable extended-capture for critical, high, and medium severity events. Use the
default extended-capture value of 5 packets, which provides enough information to
analyze the threat in most cases. (Too much packet capture traffic may result in
dropping packet captures.) Don’t enable extended-capture for informational and low
severity events because it’s not very useful compared to capturing information
about higher severity events and creates a relatively high volume of low-value
traffic.

Severity Choose a severity level (critical, high, medium, low, or informational).

Signature Exceptions Tab

Allows you to change the action for a specific signature. For example, you can generate alerts for a
specific set of signatures and block all packets that match all other signatures. Threat exceptions are
usually configured when false-positives occur. To make management of threat exceptions easier, you can
add threat exceptions directly from the Monitor > Logs > Threat list. Ensure that you obtain the latest
content updates so that you are protected against new threats and have new signatures for any
false-positives.

Exceptions Enable each threat for which you want to assign an action or select All
to respond to all listed threats. The list depends on the selected host,
category, and severity. If the list is empty, there are no threats for the
current selections.
Use IP Address Exemptions to add IP address filters to a threat exception.
If IP addresses are added to a threat exception, the threat exception action
for that signature overrides the action for a rule only when the signature is
triggered by a session with a source or destination IP address that matches
an IP address in the exception. You can add up to 100 IP addresses per
signature. With this option, you do not have to create a new policy rule and
new vulnerability profile to create an exception for a specific IP address.

Create an exception only if you are sure that a signature identified as spyware is
not a threat (it is a false positive). If you believe you discovered a false
positive, open a support case with TAC so Palo Alto Networks can analyze and fix
the incorrectly identified signature. As soon as the issue is resolved, remove the
exception from the profile.
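Added example, not part of this help page: a Python model of how a Signature Policies rule (Threat Name, Category, Severity, Action, Packet Capture), a Signature Exception with IP Address Exemptions, and the Packet Capture behaviour described above combine for one threat hit. The signatures, rules, exception and addresses are constructed; the top-down, first-match rule order and the result for a signature no rule covers are assumptions, since the page does not state how rules are ordered.

```python
import ipaddress
from dataclasses import dataclass

SEVERITIES = ("critical", "high", "medium", "low", "informational")
# "All blocking actions (drop, block, and reset actions) capture a single packet."
BLOCKING_ACTIONS = {"drop", "block-ip", "reset-client", "reset-server", "reset-both"}


@dataclass(frozen=True)
class Signature:
    threat_id: int
    name: str
    category: str
    severity: str
    default_action: str            # the pre-defined action shipped with the signature


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # default, allow, alert, drop, reset-*, block-ip
    threat_name: str = "any"       # "any", or text the signature name must contain
    category: str = "any"
    severities: tuple = SEVERITIES
    packet_capture: str = "disable"  # disable, single-packet, extended-capture


@dataclass(frozen=True)
class ThreatException:
    threat_id: int
    action: str
    exempt_ips: tuple = ()         # up to 100 addresses; empty means no IP filter


def rule_matches(rule, sig):
    """Threat Name is a substring test ('any' matches all); Category and Severity are exact."""
    return ((rule.threat_name == "any" or rule.threat_name in sig.name)
            and rule.category in ("any", sig.category)
            and sig.severity in rule.severities)


def exception_applies(exc, sig, src, dst):
    """With IP Address Exemptions the exception overrides the rule only when the session's
    source or destination address is in the list; without addresses it always applies."""
    if exc.threat_id != sig.threat_id:
        return False
    if len(exc.exempt_ips) > 100:
        raise ValueError("at most 100 IP addresses per signature")
    if not exc.exempt_ips:
        return True
    exempt = {ipaddress.ip_address(ip) for ip in exc.exempt_ips}
    return ipaddress.ip_address(src) in exempt or ipaddress.ip_address(dst) in exempt


def resolve(sig, src, dst, rules, exceptions):
    """Return (action, packet_capture) for one signature hit on a session.

    Assumptions: rules are evaluated top-down and the first match wins; a signature that
    no rule covers is reported as ("none", "disable").
    """
    rule = next((r for r in rules if rule_matches(r, sig)), None)
    if rule is None:
        return "none", "disable"
    action = rule.action
    for exc in exceptions:
        if exception_applies(exc, sig, src, dst):
            action = exc.action
            break
    if action == "default":
        action = sig.default_action
    # Packet Capture: allow writes no Threat log and captures nothing; alert uses the
    # configured mode; blocking actions capture a single packet.
    if action == "allow" or rule.packet_capture == "disable":
        capture = "disable"
    elif action in BLOCKING_ACTIONS:
        capture = "single-packet"
    else:
        capture = rule.packet_capture
    return action, capture


# Constructed profile shaped like the predefined strict profile described above.
STRICT_LIKE_RULES = (
    Rule("simple-critical-high-medium", "reset-both",
         severities=("critical", "high", "medium"), packet_capture="extended-capture"),
    Rule("simple-low-informational", "default", severities=("low", "informational")),
)

# Constructed signatures; the threat IDs sit in the custom spyware range given earlier.
BEACON = Signature(15001, "Constructed.Beacon.Example", "command-and-control", "critical", "reset-both")
TRACKER = Signature(15002, "Constructed.Tracker.Example", "adware", "low", "allow")

# Constructed exception: one internal host whose traffic legitimately matches the beacon pattern.
SCANNER_EXCEPTION = ThreatException(15001, "alert", exempt_ips=("10.1.1.50",))


def demo():
    exceptions = (SCANNER_EXCEPTION,)
    return {
        "exempt_host": resolve(BEACON, "10.1.1.50", "198.51.100.7", STRICT_LIKE_RULES, exceptions),
        "other_host": resolve(BEACON, "10.1.1.51", "198.51.100.7", STRICT_LIKE_RULES, exceptions),
        "tracker": resolve(TRACKER, "10.1.1.51", "198.51.100.7", STRICT_LIKE_RULES, exceptions),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The exempt host is the case the IP Address Exemptions paragraph describes: the same critical signature is reset for every other source but only alerted for 10.1.1.50, with no second policy rule or second profile needed, and because the resolved action is alert, the rule's extended-capture setting still applies to it.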

DNS Policies Tab

The DNS Policies settings provide an additional method of identifying infected hosts on a network.
These signatures detect specific DNS lookups for host names that have been associated with DNS-based
threats.

You can configure specific DNS signature sources with separate policy actions, log severity level, and
packet capture settings. Hosts that perform DNS queries for malware domains will appear in the botnet
report. Additionally, you can specify sinkhole IPs in the DNS Sinkhole Settings if you are sinkholing
malware DNS queries.

DNS Signature Source Allows you to select the lists for which you want to enforce an action when
a DNS query occurs. There are two default DNS signature policy options:
• Palo Alto Networks Content—A local downloadable signature list that is
updated through dynamic content updates.
• DNS Security—A cloud-based DNS security service that performs
pro-active analysis of DNS data and provides real-time access to the
complete Palo Alto Networks DNS signature database.

This service requires the purchase and activation of the DNS Security license in
addition to a Threat Prevention license.
• External Dynamic Lists—EDLs operating as a domain list can be used
to enforce a specific action for a selection of domains, for example, as
an alert list. By default, policy actions for domain lists are configured to
Allow.

An EDL allow list does not have precedence over the
domain policy action specified under DNS Security.
As a result, when there is a domain match to an entry
in the EDL and a DNS Security domain category, the
action specified under DNS Security is still applied, even
when the EDL is explicitly configured with an action of
allow. If you want to add DNS domain exceptions, either
configure an EDL with an Alert action or add them to
the DNS Domain/FQDN Allow List located in the DNS
Exceptions tab.
By default, the locally-accessed Palo Alto Networks Content DNS
signatures are sinkholed, while the cloud-based DNS Security is
set to allow. If you want to enable sinkholing using DNS Security,
you must configure the action on DNS queries to sinkhole. The
default address used for sinkholing belongs to Palo Alto Networks
(sinkhole.paloaltonetworks.com). This address is not static and can be
modified through content updates on the firewall or Panorama.
Add a new list and select the External Dynamic List of type Domain that
you created. To create a new list, see Objects > External Dynamic Lists.

Log Severity Allows you to specify the log severity level that is recorded when the
firewall detects a domain matching a DNS signature.

Policy Action Choose an action to take when DNS lookups are made to known malware
sites. The options are alert, allow, block, or sinkhole. The default action for
Palo Alto Networks DNS signatures is sinkhole.
The DNS sinkhole action provides administrators with a method of
identifying infected hosts on the network using DNS traffic, even when
the firewall is north of a local DNS server (for example, the firewall cannot
see the originator of the DNS query). When a threat prevention license
is installed and an Anti-Spyware profile is enabled in a Security Profile,
the DNS-based signatures trigger on DNS queries directed at malware
domains. In a typical deployment where the firewall is north of the local
DNS server, the threat log identifies the local DNS resolver as the source
of the traffic rather than the actual infected host. Sinkholing malware DNS
queries solves this visibility problem by forging responses to the queries
directed at malicious domains, so that clients attempting to connect to
malicious domains (for command-and-control, for example) instead attempt
connections to an IP address specified by the administrator. Infected
hosts can then be easily identified in the traffic logs because any host
that attempts to connect to the sinkhole IP are most likely infected with
malware.

Enable DNS sinkhole when the firewall can’t see the originator of the DNS query
(typically when the firewall is north of the local DNS server) so you can identify
infected hosts. If you can’t sinkhole the traffic, block it.


Packet Capture Select this option for a given source if you want to capture identified
packets.

Enable packet capture on sinkholed traffic so you can analyze it and get
information about the infected host.

DNS Sinkhole Settings After sinkhole action is defined for a DNS signature source, specify an
IPv4 and/or IPv6 address that will be used for sinkholing. By default, the
sinkhole IP address is set to a Palo Alto Networks server. You can then
use the traffic logs or build a custom report that filters on the sinkhole IP
address and identify infected clients.
The following is the sequence of events that occurs when a DNS request is
sinkholed:
1. Malicious software on an infected client computer sends a DNS query to
resolve a malicious host on the Internet.
2. The client's DNS query is sent to an internal DNS server, which then
queries a public DNS server on the other side of the firewall.
3. The DNS query matches a DNS entry in the specified DNS signature
database source, so the sinkhole action is performed on the query.
4. The infected client then attempts to start a session with the host, but uses
the forged IP address instead. The forged IP address is the address defined
in the Anti-Spyware profile DNS Signatures tab when the sinkhole action is
selected.
5. The administrator is alerted of a malicious DNS query in the threat log, and
can then search the traffic logs for the sinkhole IP address to easily locate
the client IP address that is trying to start a session with the sinkhole IP
address.
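
The Policy Action and DNS Sinkhole Settings descriptions above explain why, with the firewall north of the internal resolver, the threat log points at the resolver while the traffic log is where the infected client shows up. The script below is an added example and is not PAN-OS code or a Palo Alto Networks tool: the comma-separated records, their field layout, the resolver address and the sinkhole address 198.51.100.10 are all constructed for the example (a real deployment uses whatever address is set in DNS Sinkhole Settings, and exported logs carry more fields).

```python
"""Find infected hosts from sinkholed DNS traffic (added example, not PAN-OS code).

The threat log records the sinkholed query, but when the firewall is north of
the internal DNS resolver its source address is the resolver, not the client.
The traffic log shows which clients then opened a session to the sinkhole
address, and that is what identifies them. The log lines and field layout
below are constructed for this example and simplified from real exports.
"""
from collections import defaultdict

# Assumed sinkhole address (constructed; use the address set in DNS Sinkhole Settings).
SINKHOLE_IP = "198.51.100.10"

# Constructed threat-log records: time, source, destination, threat name, action.
# Source 10.0.0.53 is the internal resolver forwarding the client's query.
THREAT_LOG = """\
2021-10-06 09:00:01,10.0.0.53,203.0.113.53,Suspicious DNS Query (bad.example),sinkhole
2021-10-06 09:00:02,10.0.0.53,203.0.113.53,Suspicious DNS Query (evil.example),sinkhole
2021-10-06 09:00:05,10.0.0.53,203.0.113.53,Suspicious DNS Query (lowrisk.example),alert
"""

# Constructed traffic-log records: time, source, destination, destination port, action.
TRAFFIC_LOG = """\
2021-10-06 09:00:02,10.0.1.25,198.51.100.10,443,allow
2021-10-06 09:00:03,10.0.1.25,198.51.100.10,80,allow
2021-10-06 09:00:04,10.0.1.77,198.51.100.10,443,allow
2021-10-06 09:00:06,10.0.1.90,198.51.100.77,443,allow
"""


def parse_records(text):
    """Split constructed CSV-style log text into field lists, skipping blank lines."""
    return [line.split(",") for line in text.strip().splitlines() if line.strip()]


def threat_log_sources(threat_text):
    """Sources seen in sinkhole threat events. With the firewall north of the
    resolver this is only the resolver, which is the visibility problem."""
    return sorted({rec[1] for rec in parse_records(threat_text) if rec[4] == "sinkhole"})


def sinkholed_threats(threat_text):
    """Threat names whose queries were answered with the sinkhole address."""
    return [rec[3] for rec in parse_records(threat_text) if rec[4] == "sinkhole"]


def infected_hosts(traffic_text, sinkhole_ip=SINKHOLE_IP):
    """Map each client that opened a session to the sinkhole IP to its attempts
    as (time, destination port) pairs; these are the hosts to investigate."""
    hosts = defaultdict(list)
    for time, src, dst, dport, _action in parse_records(traffic_text):
        if dst == sinkhole_ip:
            hosts[src].append((time, int(dport)))
    return dict(hosts)


if __name__ == "__main__":
    print("threat log sources:", threat_log_sources(THREAT_LOG))
    print("sinkholed threats:", sinkholed_threats(THREAT_LOG))
    for host, attempts in infected_hosts(TRAFFIC_LOG).items():
        print(f"{host}: {len(attempts)} session attempt(s) to the sinkhole")
```

The same filter (destination address equals the sinkhole address) is what a custom report on the traffic logs would use; the alert-only threat event is deliberately left out of the sinkhole set because no forged response was sent for it.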

DNS Exceptions Tab


The DNS signature exceptions allow you to exclude specific threat IDs from policy enforcement as well
as specify domain/FQDN allow lists for approved domain sources.
To add specific threats that you want to exclude from policy, select or search for a Threat ID and click
Enable. Each entry provides the Threat ID, Name, and FQDN of the object.
To Add a domain or FQDN allow list, provide the location of the allow list as well as an appropriate
description.

Objects > Security Profiles > Vulnerability Protection
A Security policy rule can include specification of a Vulnerability Protection profile that determines the
level of protection against buffer overflows, illegal code execution, and other attempts to exploit system
vulnerabilities. There are two predefined profiles available for the Vulnerability Protection feature:
• The default profile applies the default action to all client and server critical, high, and medium severity
vulnerabilities. It does not detect low and informational vulnerability protection events. The Palo Alto
Networks content package on the device determines the default action.
• The strict profile applies the block response to all client and server critical, high and medium severity
spyware events and uses the default action for low and informational vulnerability protection events.
Customized profiles can be used to minimize vulnerability checking for traffic between trusted security
zones, and to maximize protection for traffic received from untrusted zones, such as the Internet, as well
as the traffic sent to highly sensitive destinations, such as server farms. To apply Vulnerability Protection
profiles to Security policies, refer to Policies > Security.

Apply a Vulnerability Protection profile to every Security Policy rule that allows traffic to
protect against buffer overflows, illegal code execution, and other attempts to exploit client-
and server-side vulnerabilities.

The Rules settings specify collections of signatures to enable, as well as actions to be taken when a
signature within a collection is triggered.
The Exceptions settings allow you to change the response to a specific signature. For example, you
can block all packets that match a signature, except for the selected one, which generates an alert. The
Exceptions tab supports filtering functions.
The Vulnerability Protection page presents a default set of columns. Additional columns of information
are available by using the column chooser. Click the arrow to the right of a column header and select the
columns from the Columns sub-menu.
The following tables describe the Vulnerability Protection profile settings:

Vulnerability Protection Profile Settings Description

Name Enter a profile name (up to 31 characters). This name appears in the list of
Vulnerability Protection profiles when defining security policies. The name
is case-sensitive and must be unique. Use only letters, numbers, spaces,
hyphens, periods, and underscores.

Description Enter a description for the profile (up to 255 characters).

Shared (Panorama only) Select this option if you want the profile to be available to:
• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the profile will be available only to the Virtual System selected
in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile
will be available only to the Device Group selected in the Objects tab.


Disable override Select this option to prevent administrators from overriding the settings
(Panorama only) of this Vulnerability Protection profile in device groups that inherit the
profile. This selection is cleared by default, which means administrators can
override the settings for any device group that inherits the profile.

Rules Tab

Rule Name Specify a name to identify the rule.

Threat Name Specify a text string to match. The firewall applies a collection of signatures
to the rule by searching signature names for this text string.

CVE Specify common vulnerabilities and exposures (CVEs) if you want to limit
the signatures to those that also match the specified CVEs.
Each CVE is in the format CVE-yyyy-xxxx, where yyyy is the year and xxxx
is the unique identifier. You can perform a string match on this field. For
example, to find vulnerabilities for the year 2011, enter “2011”.

Host Type Specify whether to limit the signatures for the rule to those that are client
side, server side, or either (any).

Severity Select severities to match (informational, low, medium, high, or critical)
if you want to limit the signatures to those that also match the specified
severities.

Action Choose the action to take when the rule is triggered. For a list of actions,
see Actions in Security Profiles.
The Default action is based on the pre-defined action that is part of each
signature provided by Palo Alto Networks. To view the default action for
a signature, select Objects > Security Profiles > Vulnerability Protection
and Add or select an existing profile. Click the Exceptions tab and then click
Show all signatures to see a list of all signatures and the associated Action.

For the best security, set the Action for both client and
server critical, high, and medium severity events to reset-
both and use the default action for Informational and Low
severity events.

Packet Capture Select this option if you want to capture identified packets.
Select single-packet to capture one packet when a threat is detected,
or select the extended-capture option to capture from 1 to 50 packets
(default is 5 packets). Extended-capture provides more context to the
threat when analyzing the threat logs. To view the packet capture, select
Monitor > Logs > Threat and locate the log entry you are interested in
and then click the green down arrow in the second column. To define
the number of packets that should be captured, select Device > Setup >
Content-ID and then edit the Content-ID Settings.

If the action for a given threat is allow, the firewall does not trigger a
Threat log and does not capture packets. If the action is alert, you can
set the packet capture to single-packet or extended-capture. All blocking
actions (drop, block, and reset actions) capture a single packet. The content
package on the device determines the default action.

Enable extended-capture for critical, high, and medium severity events and
single-packet capture for low severity events. Use the default extended-capture
value of 5 packets, which provides enough information to analyze the threat in
most cases. (Too much packet capture traffic may result in dropping packet
captures.) Don’t enable packet capture for informational events because it’s not
very useful compared to capturing information about higher severity events and
creates a relatively high volume of low-value traffic.
Apply extended packet capture using the same logic you use to decide what
traffic to log—take extended captures of the traffic you log, including traffic
you block.

Exceptions Tab

Enable Select Enable for each threat for which you want to assign an action, or
select All to respond to all listed threats. The list depends on the selected
host, category, and severity. If the list is empty, there are no threats for the
current selections.

ID

Vendor ID Specify vendor IDs if you want to limit the signatures to those that also
match the specified vendor IDs.
For example, the Microsoft vendor IDs are in the form MSyy-xxx, where yy
is the two-digit year and xxx is the unique identifier. For example, to match
Microsoft for the year 2009, enter “MS09” in the Search field.

Threat Name
Only create a threat exception if you are sure an identified
threat is not a threat (false positive). If you believe you
have discovered a false positive, open a support case with
TAC so Palo Alto Networks can investigate the incorrectly
identified threat. When the issue is resolved, remove the
exception from the profile immediately.

The vulnerability signature database contains signatures that indicate a
brute force attack; for example, Threat ID 40001 triggers on an FTP brute
force attack. Brute-force signatures trigger when a condition occurs within a
certain time threshold. The thresholds are pre-configured for brute force
signatures, and can be changed by clicking the edit icon next to the threat
name on the Vulnerability tab (with the Custom option selected). You
can specify the number of hits per unit of time and whether the threshold
applies to source, destination, or source-and-destination.
Thresholds can be applied on a source IP, destination IP or a combination of
source IP and destination IP.
The default action is shown in parentheses.
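
The brute-force thresholds described above count signature hits per unit of time, tracked per source IP, per destination IP, or per source-and-destination pair. The following is an added example, not PAN-OS code, that models that sliding-window logic over constructed events so the effect of each tracking choice is visible; the class name, the event format and the three-hits-in-60-seconds values are assumptions of the example, not the firewall's preconfigured thresholds, and signature matching is assumed to have already happened (each event is one hit).

```python
"""Sliding-window hit threshold of the kind brute-force signatures use.

Added example, not PAN-OS code. It models the documented knobs (hits per unit
of time; threshold tracked per source, per destination, or per
source-and-destination pair) over constructed events.
"""
from collections import defaultdict, deque

TRACK_MODES = ("source", "destination", "source-and-destination")


class BruteForceThreshold:
    """Fires when `hits` events for one tracking key fall within `seconds`."""

    def __init__(self, hits, seconds, track="source"):
        if track not in TRACK_MODES:
            raise ValueError(f"unknown tracking mode: {track}")
        self.hits, self.seconds, self.track = hits, seconds, track
        self._windows = defaultdict(deque)  # key -> timestamps still inside the window

    def key(self, src, dst):
        """Tracking key for an event, per the selected mode."""
        if self.track == "source":
            return src
        if self.track == "destination":
            return dst
        return (src, dst)

    def observe(self, ts, src, dst):
        """Record one signature hit at time `ts`; return True when the threshold is crossed."""
        window = self._windows[self.key(src, dst)]
        window.append(ts)
        # Expire hits older than the interval (events are fed in time order).
        while window and ts - window[0] > self.seconds:
            window.popleft()
        return len(window) >= self.hits


def triggered_keys(events, hits, seconds, track):
    """Run time-ordered (ts, src, dst) events through the threshold and return
    the tracking keys that crossed it, in the order they first fired."""
    threshold = BruteForceThreshold(hits, seconds, track)
    fired = []
    for ts, src, dst in sorted(events):
        if threshold.observe(ts, src, dst):
            key = threshold.key(src, dst)
            if key not in fired:
                fired.append(key)
    return fired


# Constructed events: (seconds since start, client, server).
# 10.0.1.5 hammers one server three times, then once more much later;
# 10.0.1.6 spreads two attempts each across two servers.
EVENTS = [
    (0, "10.0.1.5", "192.0.2.21"),
    (1, "10.0.1.6", "192.0.2.21"),
    (2, "10.0.1.6", "192.0.2.22"),
    (3, "10.0.1.6", "192.0.2.21"),
    (4, "10.0.1.6", "192.0.2.22"),
    (5, "10.0.1.5", "192.0.2.21"),
    (9, "10.0.1.5", "192.0.2.21"),
    (200, "10.0.1.5", "192.0.2.21"),  # outside the window: no new trigger
]

if __name__ == "__main__":
    for mode in TRACK_MODES:
        print(f"{mode:>24}: {triggered_keys(EVENTS, 3, 60, mode)}")
```

Running it shows why the tracking mode matters: per source, both clients cross three hits in 60 seconds; per source-and-destination, only 10.0.1.5 against 192.0.2.21 does, because 10.0.1.6 never hits one server three times; per destination, 192.0.2.21 fires on the combined hits from both clients. The late hit at 200 seconds falls outside the window and does not trigger again.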

IP Address Exemptions Click into the IP Address Exemptions column to Add IP address filters to
a threat exception. When you add an IP address to a threat exception, the
threat exception action for that signature will take precedence over the
rule's action only if the signature is triggered by a session with either a
source or destination IP address matching an IP address in the exception.
You can add up to 100 IP addresses per signature. You must enter a unicast
IP address (that is, an address without a netmask), such as 10.1.7.8 or
2001:db8:123:1::1. By adding IP address exemptions, you do not have to
create a new policy rule and new vulnerability profile to create an exception
for a specific IP address.

Rule

CVE The CVE column shows identifiers for common vulnerabilities and
exposures (CVE). These unique, common identifiers are for publicly known
information security vulnerabilities.

Host

Category Select a vulnerability category if you want to limit the signatures to those
that match that category.

Severity

Action Choose an action from the drop-down, or choose from the Action drop-
down at the top of the list to apply the same action to all threats.

Packet Capture Select Packet Capture if you want to capture identified packets.

Show all signatures Enable Show all signatures to list all signatures. If Show all signatures is
disabled, only the signatures that are exceptions are listed.

Objects > Security Profiles > URL Filtering
You can use URL filtering profiles to not only control access to web content, but also to control how users
interact with web content.

What are you looking for? See:

Control access to websites based on URL category. See: URL Filtering Categories

Detect corporate credential submissions, and then decide the URL categories to
which users can submit credentials. See: User Credential Detection, URL Filtering
Categories

Block search results if the end user is not using the strictest safe search
settings. See: URL Filtering Settings

Enable logging of HTTP headers. See: URL Filtering Settings

Control access to websites using custom HTTP Headers. See: HTTP Header Insertion

Enable inline ML to analyze web pages in real-time to determine if they contain
malicious content. See: URL Filtering Inline ML

Looking for more? • Learn more about how to configure URL Filtering.
• Use URL categories to prevent credential phishing.
• To create custom URL categories, select Objects >
Custom Objects > URL Category.
• To import a list of URLs that you want to enforce,
select Objects > External Dynamic Lists.

URL Filtering General Settings


The following table describes the general URL filtering settings.

General Settings Description

Name Enter a profile name (up to 31 characters). This name appears in the list
of URL filtering profiles when defining security policies. The name is case-
sensitive and must be unique. Use only letters, numbers, spaces, hyphens,
and underscores.

Description Enter a description for the profile (up to 255 characters).

Shared Select this option if you want the profile to be available to:

• Every virtual system (vsys) on a multi-vsys firewall. If you clear this
selection, the profile will be available only to the Virtual System selected
in the Objects tab.
• Every device group on Panorama. If you clear this selection, the profile
will be available only to the Device Group selected in the Objects tab.

Disable override Select this option to prevent administrators from overriding the settings
(Panorama only) of this URL Filtering profile in device groups that inherit the profile. This
selection is cleared by default, which means administrators can override the
settings for any device group that inherits the profile.

URL Filtering Categories


Select Objects > Security Profiles > URL Filtering > Categories to control access to websites based on URL
categories.

Categories Settings Description

Category Displays the URL categories and lists for which you can define web access
and usage policy. By default, the Site Access and User Credential Submission
permissions for all categories are set to Allow.
URL categories and lists are grouped into three drop-downs:
• Custom URL Categories—Select Objects > Custom Objects > URL
Category to define a custom URL category. You can base custom URL
categories on a list of URLs or on multiple predefined categories.
• External Dynamic URL Lists— Select Objects > External Dynamic Lists to
enable the firewall to import a list of URLs from a web server.
• Pre-defined Categories—Lists all URL categories defined by PAN-DB, the
Palo Alto Networks URL, and the IP cloud database.

Block all known dangerous URL categories to protect against exploit
infiltration, malware download, command-and-control activity, and data
exfiltration: command-and-control, copyright-infringement, dynamic-dns,
extremism, malware, phishing, proxy-avoidance-and-anonymizers, unknown,
newly-registered-domain, grayware, and parked.
To phase in a block policy, set categories to continue and create a custom
response page to educate users about your use policy and alert them that they
are visiting a site that potentially poses a threat. After a suitable period of
time, transition to a policy that blocks these potentially malicious sites.

Site Access For each URL category, select the action to take when a user attempts to
access a URL in that category:
• alert—Allows access to the web site but adds an alert to the URL log each
time a user accesses the URL.

Set alert as the Action for categories of traffic that you
don’t block so that it logs the access attempt and provides
visibility into the traffic.
• allow—Allows access to the web site.

Because allow doesn’t log unblocked traffic, set alert as the Action for
categories of traffic you don’t block if you want to log the access attempts
and provide visibility into that traffic.
• block—Blocks access to the website. If the Site Access to a URL category
is set to block, then the User Credential Submission permissions are
automatically also set to block.
• continue—Displays a warning page to users to discourage them from
accessing the website. The user must then choose to Continue to the
website if they decide to ignore the warning.

The continue (warning) pages are not displayed properly on client machines
that are configured to use a proxy server.

• override—Displays a response page that prompts the user to enter a
valid password to gain access to the site. Configure URL Admin Override
settings (Device > Setup > Content ID) to manage password and other
override settings. (See also the Management Settings table in Device >
Setup > Content-ID).

The override pages are not displayed properly on client machines that are
configured to use a proxy server.

• none (custom URL category only)—If you created custom URL categories,
set the action to none to allow the firewall to inherit the URL filtering
category assignment from your URL database vendor. Setting the action to
none gives you the flexibility to ignore custom categories in a URL filtering
profile while allowing you to use the custom URL category as a match
criteria in policy rules (Security, Decryption, and QoS) to make exceptions
or to enforce different actions. To delete a custom URL category, you
must set the action to none in any profile where the custom category is
used. For information on custom URL categories, see Objects > Custom
Objects > URL Category.

User Credential For each URL category, select User Credential Submissions to allow or
Submission disallow users from submitting valid corporate credentials to a URL in that
category. Before you can control user credential submissions based on URL
category, you must enable credential submission detection (select the User
Credential Detection tab).
URL categories with the Site Access set to block are set to automatically also
block user credential submissions.
• alert—Allows users to submit credentials to the website, but generate
a URL Filtering log each time a user submits credentials to sites in this
category.
• allow (default)—Allows users to submit credentials to the website.

• block—Blocks users from submitting credentials to the website. A default
anti-phishing response page blocks user credential submissions.
• continue—Displays a response page to users that prompts them to select
Continue to submit credentials to the site. By default, an anti-phishing
continue page displays to warn users when they attempt to submit
credentials to sites to which credential submissions are discouraged.
You can choose to create a custom response page to warn users against
phishing attempts or to educate them against reusing valid corporate
credentials on other websites.
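
The Site Access and User Credential Submission rows above state three behaviours worth seeing together: both permissions default to allow, a Site Access of block automatically forces User Credential Submission to block, and a custom URL category with the action none is ignored so that the vendor (PAN-DB) categorization applies. The following is an added example, not PAN-OS code, that resolves the effective actions for a request under those rules; the category names, the URL-to-category lists, and the choice to let the first matching list-based custom category apply are assumptions of the example.

```python
"""Resolve effective URL Filtering actions for a request (added example, not PAN-OS code).

Documented behaviours modelled: both permissions default to allow; Site Access
block forces User Credential Submission block; a custom category whose Site
Access is none is skipped in favour of the vendor category. Assumptions: custom
categories are URL lists, and the first matching one that is not set to none
applies. The sample profile at the bottom is constructed for illustration.
"""

SITE_ACTIONS = {"alert", "allow", "block", "continue", "override", "none"}
CRED_ACTIONS = {"alert", "allow", "block", "continue"}


class URLFilteringProfile:
    def __init__(self, site_access=None, credential=None, custom_categories=None):
        self.site_access = dict(site_access or {})
        self.credential = dict(credential or {})
        self.custom_categories = dict(custom_categories or {})  # name -> set of URLs
        for cat, action in self.site_access.items():
            if action not in SITE_ACTIONS:
                raise ValueError(f"bad Site Access action {action!r} for {cat}")
            if action == "none" and cat not in self.custom_categories:
                raise ValueError("none is valid only for custom URL categories")
        for cat, action in self.credential.items():
            if action not in CRED_ACTIONS:
                raise ValueError(f"bad User Credential Submission action {action!r} for {cat}")

    def category_for(self, url, vendor_category):
        """Custom category that applies to the URL, else the vendor category.
        A custom category set to none is ignored (assumption: first match wins)."""
        for name, urls in self.custom_categories.items():
            if url in urls and self.site_access.get(name, "allow") != "none":
                return name
        return vendor_category

    def evaluate(self, url, vendor_category):
        """Effective Site Access and User Credential Submission for one request."""
        category = self.category_for(url, vendor_category)
        site = self.site_access.get(category, "allow")          # default allow
        cred = self.credential.get(category, "allow")            # default allow
        if site == "block":
            cred = "block"  # blocking site access also blocks credential submission
        return {
            "category": category,
            "site_access": site,
            "credential_submission": cred,
            "url_logged": site != "allow",  # allow writes no URL log entry; alert does
        }


def build_example_profile():
    """Constructed profile: one vendor category blocked, one alerted, one custom
    category set to none, one custom category allowed without logging."""
    return URLFilteringProfile(
        site_access={"malware": "block", "social-networking": "alert",
                     "saas-exceptions": "none", "internal-tools": "allow"},
        credential={"social-networking": "block", "internal-tools": "allow"},
        custom_categories={"saas-exceptions": {"saas.example"},
                           "internal-tools": {"tools.corp.example"}},
    )


if __name__ == "__main__":
    profile = build_example_profile()
    for url, vendor in [("bad.example", "malware"), ("saas.example", "social-networking"),
                        ("tools.corp.example", "unknown")]:
        print(url, "->", profile.evaluate(url, vendor))
```

Note that the second request shows the none rule: saas.example is in a custom category, but because that category's Site Access is none the vendor category social-networking decides, so the request is alerted and credential submission is blocked.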

Check URL Category Click to access the PAN-DB URL Filtering database, where you can enter a
URL or IP address to view categorization information.

Dynamic URL Filtering (disabled by default; configurable for BrightCloud only)
Select to enable cloud lookup for categorizing the URL. This option is invoked
if the local database is unable to categorize the URL. If the URL is unresolved
after a 5 second timeout, the response is displayed as Not resolved URL.

With PAN-DB, this option is enabled by default and is not configurable.

URL Filtering Settings


Select Objects > Security Profiles > URL Filtering > URL Filtering Settings to enforce safe search settings,
and to enable logging of HTTP headers.

URL Filtering Settings Descriptions

Log container page only Select this opti