PCNSE - Firewall 10.0: WildFire Versus Malware


Wildfire file submission rule:

If the file has already been sent to WildFire, the firewall uses the previous verdict. If the file has not been sent, the firewall checks whether the file size is below the maximum firewall-to-WildFire transmission size configured on the firewall:
- If the file exceeds the maximum size, the firewall allows the file to be delivered and does not send it to WildFire.
- If the file size is within the limit, the firewall sends the file to WildFire for analysis.
WildFire analyzes the file, generates a verdict, and informs the firewall. WildFire then updates its file list and generates a malware signature. The signature is made available within minutes to WildFire-licensed firewalls around the world. Unlicensed firewalls can retrieve the new signature within 24 to 48 hours through normally scheduled content updates.

Checking the Certificate Revocation Status

If the signatures are valid, then the SSL client must check the revocation status of each certificate in the chain. In an SSL Forward Proxy configuration, the firewall acts as an SSL client. The two methods available to check certificate revocation status are OCSP and CRLs. A firewall can use OCSP, CRLs, or both to verify certificate revocation status for SSL decryption. *If you configure both methods on a firewall, the firewall FIRST TRIES OCSP. If the OCSP responder is unavailable, the firewall uses the CRL method.

Hybrid Cloud Example(WF-500)

If you use a WF-500 appliance, you can configure a WildFire hybrid cloud that enables the WF-500 to analyze sensitive file types locally, while other less sensitive file types such as PE files are forwarded to the WildFire public cloud. You also can forward file types that are not supported on the WF-500, such as APK files, to the WildFire public cloud. If the public and private cloud solutions are used together, the private-cloud analysis prevails when overlapping configurations exist.

Malware Verdict

Indicates that WildFire has determined that the file or URL is malicious in nature and intent and can pose a security threat to your organization. If a current signature does not exist, WildFire will create one and make it available to firewalls around the world. WildFire also will update the PAN-DB URL Filtering database with malicious URLs.

Greyware Verdict

Introduced in PAN-OS 7.0 to clearly identify executables that behave similarly to malware but are not malicious in nature or intent. The verdict enables a security incident responder to quickly distinguish grayware from malicious files and to prioritize accordingly. Antivirus signatures are not generated for grayware, but you can configure your firewall to log grayware events to assess whether such events warrant further action

Unsigned Certificate(SSL-Fwd-Untrust-Cert)

Notice that the SSL-Fwd-Untrust-Cert certificate is not signed by the FW-CA-Cert certificate and therefore is not indented beneath it. The SSL-Fwd-Untrust-Cert certificate is used to sign and decrypt SSL connections whose certificates could not be validated. This certificate will generate warnings in the user's browser window.

Forward Proxy Decryption Profile

Create: Objects > Decryption Profile
Apply to a rule: Policy > Decryption > (open rule) > Options > Decryption Profile

OCSP

Online Certificate Status Protocol

PAN-OS Software(Decryption Limitations)

PAN-OS software does not support decryption of SSH sessions that use public-key (passwordless) authentication; password-authenticated SSH sessions can be decrypted. The reason is that SSH public-key authentication signs the session identifier of the client-to-firewall leg, which is different from the firewall-to-server leg, so a proxy in the middle cannot produce a valid signature toward the server.

Wildfire Global Threat Intelligence Cloud

Palo Alto Networks firewalls across the world automatically forward unknown files and URL links found in emails to the WildFire global threat intelligence cloud or to one of three WildFire regional clouds in Europe, Japan, and Singapore for analysis. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds. WildFire signatures and verdicts then are shared globally, which enables WildFire users worldwide to benefit from malware coverage regardless of the location where the malware was first detected.

PKI

Public Key Infrastructure: PKI is the set of hardware, software, policies, and standards used to create, manage, distribute, and revoke public keys and digital certificates. A PKI digital certificate is a method of packaging and distributing public keys in a way that proves the identity of their owners. Palo Alto Networks firewalls support X.509-format certificates.

WildFire Portal

Results of the detailed analysis of the submitted files are available through the WildFire portal. To access the WildFire portal, go to the Palo Alto Networks WildFire website and log in using your Palo Alto Networks Support credentials or your WildFire account.

For which firewall feature should you create forward trust and forward untrust certificates?

SSL Forward Proxy Decryption

Policy Action(Disable)

The traffic is blocked, and the user will see a response page. The user will not be able to continue to the website, and a log entry is generated in the URL Filtering log.

Certificate Signing Request

To submit a CSR, the device generates a public/private key pair and identity information, and then submits the public key and identity information to a CA in a CSR file. The CA uses the information in the CSR file to create a certificate signed with the CA's signature. The signed certificate is sent back to the device.
- Advantages: the device becomes part of the existing PKI infrastructure and its certificate chain of trust, and the device's private key never leaves the device.
- Disadvantages: the device must be capable of generating a CSR, and there is some administrative overhead compared to a device that uses a self-signed certificate.

Verify Submissions and View Reports

*CLI - To verify successful file upload to WildFire, enter: debug wildfire upload-log show
*GUI - Analyzed WildFire submissions can be viewed at Monitor > WildFire Submissions
*To choose which report columns are shown: Device > Setup > WildFire > Session Information Settings

Root CA

Top-most CA in the hierarchy and consequently, the most trusted authority in the hierarchy. Contains certificate DB.

Static Server Certificate Pinning

With static server certificate pinning, the software developer writes the code for the SSL server and client. The developer also preconfigures the server certificate and configures the SSL client to recognize the server certificate.

SSL Decryption Troubleshooting

With the release of PAN-OS 10.0, a new Decryption log and new Application Command Center (ACC) widgets provide enhanced visibility into SSL/TLS traffic, which enables you to troubleshoot decryption issues and identify traffic that uses weak algorithms and protocols. Monitor>Logs>Decryption

Configure Real-Time WildFire Analysis

With the release of PAN-OS 10.0, you can configure real-time WildFire analysis on the firewall. Real-time WildFire analysis prevents malware variants of portable executables from entering your network in real time by using a firewall-based classification engine built on the WildFire cloud analysis technology. The real-time WildFire analysis classification engines are configured through an Antivirus Profile and require an active WildFire subscription. The real-time classification engines support PowerShell scripts and Windows executables.
Steps:
1. Create a new Antivirus Security Profile, or update an existing one, to use the WildFire analysis classification engine.
2. Define a policy action for each classification engine that you added to the Antivirus Profile.
*WildFire real-time analysis is not supported on the VM-50 and VM-50 Lite virtual appliances.

Custom Decryption Exclusions

You also can create custom decryption exclusions based on domain names. Domain names are compared against the Server Name Indication (SNI) in the SSL client request or against the Common Name (CN) presented in the server certificate.
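The following is an added example, not code from the page or from PAN-OS, that shows how a session is matched against custom decryption exclusions: the hostname is taken from the SNI in the ClientHello when present, otherwise from the CN of the server certificate, and compared against the exclusion entries. The wildcard semantics (`*.example.com` matching one or more leading labels but not the apex) and the function names are assumptions made for this demonstration, not a statement of the exact PAN-OS matching rules.

```python
"""Added example (not from the page): match a TLS session against custom
decryption exclusions using the SNI first and the certificate CN as fallback.
Wildcard semantics and names here are assumptions for the demo."""

# Constructed exclusion list for the demonstration.
EXCLUSIONS = ["*.bank.test", "update.vendor.test"]


def _normalize(name: str) -> str:
    """Hostnames are case-insensitive; drop a trailing dot from an FQDN."""
    return name.strip().lower().rstrip(".")


def hostname_from_session(sni, subject_dn: str):
    """Prefer the SNI from the ClientHello; otherwise pull the CN out of a
    subject DN string such as 'CN=www.example.com, O=Example'."""
    if sni:
        return _normalize(sni)
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN" and value.strip():
            return _normalize(value)
    return None  # neither SNI nor CN available


def matches_exclusion(entry: str, hostname: str) -> bool:
    """'*.bank.test' matches 'www.bank.test' and 'a.b.bank.test' but not
    'bank.test' itself or 'evil-bank.test' (assumed wildcard semantics)."""
    entry = _normalize(entry)
    if entry.startswith("*."):
        suffix = entry[1:]  # '.bank.test'
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return entry == hostname


def decryption_decision(sni, subject_dn: str, exclusions):
    """Return ('no-decrypt', matched_entry) or ('decrypt', None)."""
    host = hostname_from_session(sni, subject_dn)
    if host is None:
        return ("decrypt", None)
    for entry in exclusions:
        if matches_exclusion(entry, host):
            return ("no-decrypt", entry)
    return ("decrypt", None)


if __name__ == "__main__":
    print(decryption_decision("www.bank.test", "CN=www.bank.test, O=Bank", EXCLUSIONS))
    print(decryption_decision(None, "O=Vendor, CN=Update.Vendor.test.", EXCLUSIONS))
```

The apex and look-alike cases (`bank.test`, `evil-bank.test`) are the ones to test when you add a wildcard exclusion, since an over-broad suffix match would silently exempt unrelated hosts from inspection.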

WildFire Appliance Cluster

You can configure and manage up to 20 WildFire appliances as a WildFire appliance cluster on a single network. WildFire appliance clusters are especially useful in environments where you cannot use the WildFire public cloud. WildFire appliance clusters can support a larger firewall deployment on a single network than a standalone WildFire appliance supports. Clusters also provide fault tolerance and a single signature package that is distributed to all firewalls connected to the cluster. Beginning with PAN-OS 8.1, you can enable encryption in WildFire appliance clusters to maintain the confidentiality of transmitted content, including user samples. Enablement of encryption allows you to configure custom and predefined client certificates, and server certificates, to establish encrypted appliance-to-appliance communication. You also can operate clusters in a FIPS/CC-compliant environment when they are configured using FIPS/CC-compliant certificates.

Opt Out of SSL Decryption

You can enable the SSL opt-out feature. This firewall-global setting applies to all virtual systems you might have configured. If you enable the feature, the firewall displays a response page the first time a user attempts to browse to an SSL-enabled website that matches your Decryption policy. The response page offers the user the choice to proceed or not. The user can click Yes to allow decryption and continue to the website, or click No to opt out of decryption and terminate the session. The firewall does not create a log entry if the user selects No. A Yes choice to allow decryption is applied to all SSL-enabled websites that the user tries to access for the next 24 hours, after which the firewall redisplays the response page. A user who opts out of SSL decryption cannot access the requested webpage, or any other SSL-enabled website, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the user attempts to access an SSL-enabled website.

Certificate Creation

You can get certificate authority-signed certificates or generate self-signed certificates. The use of a CA-signed certificate is preferred because it simplifies SSL configuration. If the CA certificate that signs the SSL certificates already is known and trusted by all devices in your organization, then trusted SSL connections are more easily configured between the firewall and those devices.
1. Buy a certificate: you can buy a CA-signed certificate and public/private key pair from a public CA. The primary disadvantage is that you must pay for this certificate. The primary limitation is that public CAs typically do not sell signing certificates, which are certificates that can sign other certificates. Signing certificates are required for SSL Forward Proxy decryption.
2. Use an internal certificate: you can get a CA-signed certificate and public/private key pair from an internal CA, if one exists. The primary advantage is that these certificates are free of cost. An internal CA also can issue signing certificates, which are required for SSL Forward Proxy decryption.

Report Incorrect Verdict: WildFire Portal

You can request a new verdict using the WildFire portal. Click the details icon next to a WildFire report. Scroll down in the browser page that opens and click the report an incorrect verdict link. In the window that opens, add information to the fields in the form and click Submit.

Which WildFire verdict might indicate obtrusive behavior but not a security threat?

Greyware

Which file type can a firewall send to WildFire when the firewall does not have a WildFire subscription?

.exe

SSL Forward Proxy Review

*Before you configure SSL Forward Proxy, you must deploy the certificates that SSL uses to confirm the identity of an endpoint.
*The firewall and the SSL server must share a common CA for the firewall to validate the identity of the server.
*The SSL client and the firewall must have access to a common CA for the client to validate the identity of the firewall.

Configuring SSL Decryption Certificate Revocation Checking

*Certificate revocation status checking for SSL decryption is not enabled by default, because for some websites the additional time required to perform the checks might cause SSL connection failure.

Standard and Licensed Functionality(Standard Subscription Service)

*Every type of Palo Alto Networks firewall with a Threat Prevention license has access to the standard WildFire subscription service.
Standard subscription service: includes file and URL analysis on a variety of virtual machine-based operating systems. If WildFire detects that malware is attempting to detect the presence of a virtual machine, WildFire also can perform analysis in a bare-metal environment. The standard service enables firewalls to automatically submit unknown Windows Portable Executable (PE) files for analysis. Windows PE file types include EXE, DLL, SCR, and FON. New signatures and protections are made available daily to the firewalls through the normal dynamic content updates.
- Analysis available in Windows XP, 7, 10, macOS, Android, Linux, and bare metal
- Antivirus signatures delivered via daily dynamic content updates (requires a Threat Prevention license)
- Automatic file submission

Standard and Licensed Functionality(Wildfire License Service)

*Every type of Palo Alto Networks firewall with a Threat Prevention license has access to the standard WildFire subscription service.
WildFire license service: Palo Alto Networks firewalls with a WildFire license are entitled to the standard subscription features plus additional features. More file types may be submitted by a firewall for analysis: Microsoft Office files, PDF files, Java JAR and CLASS files, Adobe Flash SWF and SWC files, RAR, 7-Zip, Linux ELF, and Android APK files. The macOS Mach-O, DMG, and PKG files also are supported. WildFire also can analyze JS, VBS, and PS1 files.
WildFire can create new signatures EVERY 5 MINUTES. WildFire-licensed firewalls have access to those signatures, which enables near real-time protection against the latest threats detected anywhere in the world.
*The 5-minute WildFire content update time applies to PAN-OS 7.1 and later. In previous versions, the content update time was 15 minutes. There are two content package formats for WildFire content updates: packages for 7.1 and later, and packages for 7.0 and earlier. Both contain the same set of signatures.
A license also enables users to programmatically submit files for analysis using the WildFire XML API. For more information about the WildFire XML API, see the WildFire API Reference Guide. A WildFire license entitles a firewall to use the WF-500 appliance as a WildFire private cloud service.

Which two protocols can be configured in a Certificate Profile to verify that a certificate is still valid? (Choose two.)

- CRL
- OCSP
Certificate Revocation List (CRL): a list of revoked certificates that is downloaded from the Certificate Authority (CA).
Online Certificate Status Protocol (OCSP): a protocol for checking the revocation status of a single certificate interactively using an online service called an OCSP responder.

When you use SSL Decryption policy, you should consider the following:

- Certificate or key pinning can affect the SSL decryption configuration.
- The client is preconfigured to know which certificates or keys to expect and accept.
- Pinning defeats the use of counterfeit or MiTM keys or certificates.
- Static server and static CA are the two types of certificate pinning.
- HTTP Public Key Pinning (HPKP) is dynamic key pinning.

Certificate Validity Status

- Current: the certificate is valid.
- Expired: the SSL client cannot trust the identity of the server.
- Unknown: OCSP or a CRL was consulted, but the validity of the certificate could not be established.
- Unavailable: the OCSP responder or CRL could not be contacted.
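The following is an added example, not code from the page or from PAN-OS, that models the revocation-check ordering described under "Checking the Certificate Revocation Status" and the four validity states listed above: OCSP is tried first, the CRL is consulted only when the OCSP responder is unavailable, and expiry is checked before revocation. The responder and CRL objects are in-memory stand-ins rather than real network calls, and the serial numbers, names and the `session_allowed` block settings are constructed for the demonstration.

```python
"""Added example (not from the page): stand-alone model of an SSL Forward
Proxy firewall's revocation-check order and resulting certificate status.
OCSP first; CRL only if the responder is unavailable; expiry checked first.
The responder, CRL and serial numbers are constructed stand-ins."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Cert:
    name: str
    serial: int
    not_after: datetime


class OcspUnavailable(Exception):
    """Raised when the OCSP responder cannot be contacted."""


@dataclass
class OcspResponder:
    up: bool = True
    good: set = field(default_factory=set)
    revoked: set = field(default_factory=set)

    def query(self, serial: int) -> str:
        if not self.up:
            raise OcspUnavailable()
        if serial in self.revoked:
            return "revoked"
        # A serial the responder has no record of yields "unknown".
        return "good" if serial in self.good else "unknown"


@dataclass
class Crl:
    reachable: bool = True
    revoked: set = field(default_factory=set)

    def lookup(self, serial: int) -> str:
        if not self.reachable:
            return "unavailable"
        # A CRL is a denylist: anything not listed is treated as good.
        return "revoked" if serial in self.revoked else "good"


def revocation_status(cert: Cert, ocsp, crl) -> str:
    """OCSP first; fall back to the CRL only if the responder is unavailable.
    An OCSP answer of 'unknown' is final: the CRL is not consulted."""
    if ocsp is not None:
        try:
            return ocsp.query(cert.serial)
        except OcspUnavailable:
            pass
    if crl is not None:
        return crl.lookup(cert.serial)
    return "unavailable"  # neither method reachable or configured


def certificate_status(cert: Cert, now: datetime, ocsp, crl) -> str:
    """Map to the page's states: current, expired, unknown, unavailable
    (plus 'revoked', which the firewall treats as invalid)."""
    if now > cert.not_after:
        return "expired"
    status = revocation_status(cert, ocsp, crl)
    return "current" if status == "good" else status


def chain_status(chain: list, now: datetime, ocsp, crl) -> dict:
    """Every certificate in the chain is checked, leaf first."""
    return {c.name: certificate_status(c, now, ocsp, crl) for c in chain}


def session_allowed(statuses: dict, block_expired=True, block_unknown=True,
                    block_unavailable=False) -> bool:
    """Apply profile-style block settings (assumed names) to the chain."""
    blocked = {"revoked"}
    if block_expired:
        blocked.add("expired")
    if block_unknown:
        blocked.add("unknown")
    if block_unavailable:
        blocked.add("unavailable")
    return not any(s in blocked for s in statuses.values())


# Constructed demo chain and a fixed "now" so the result is reproducible.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LEAF = Cert("www.example.test", 1001, datetime(2025, 1, 1, tzinfo=timezone.utc))
ISSUER = Cert("Example Issuing CA", 7, datetime(2030, 1, 1, tzinfo=timezone.utc))
CHAIN = [LEAF, ISSUER]

if __name__ == "__main__":
    # OCSP responder down, so the CRL is used and the leaf is found revoked.
    print(chain_status(CHAIN, NOW, OcspResponder(up=False), Crl(revoked={1001})))
```

The `block_unavailable=False` default mirrors the trade-off the page describes: treating an unreachable responder as a hard failure protects against revoked certificates but turns every OCSP outage into a decryption failure for users.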

What are two benefits of attaching a Decryption Profile to a Decryption policy no decrypt rule? (Choose two.)

- Expired certificate checking
- Untrusted certificate checking

Reasons to not configure SSL Decryption

- Local laws or company policy prohibit decryption
- The server requires a client certificate (Forward Proxy)
- A new CA cannot be added to the client
- Client software requires specific server certificates
- A non-standard SSL implementation is used: decryption will fail if the client or server requires protocols or cipher suites that the firewall does not support

WildFire analysis is used to update which three Palo Alto Networks information sources? (Choose three.)

- Malicious Domains
- Malicious IP Addresses
- PAN-DB Categories

The decryption broker feature is supported by which four Palo Alto Networks firewall series? (Choose four.)

- PA-3200
- PA-5200
- PA-7000
- VM-Series

The firewall acts as a proxy for which two types of traffic? (Choose two.)

- SSH
- SSL Outbound

Which two types of activities does SSL/TLS decryption by the firewall help to block? (Choose two.)

- Sensitive data exfiltration
- Malware introduction

SSL Inbound Inspection requires that the firewall be configured with which two components? (Choose two.)

- Server's private key
- Server's digital certificate

Which two conditions must be met before the firewall can use a Security Profile to inspect network traffic for malicious activity? (Choose two.)

- Traffic must be decrypted (cleartext)
- Traffic must match a Security policy rule

Which two statements are true regarding how the firewall uses its master key? (Choose two.)

- Used to encrypt private keys
- Used to encrypt local firewall account passwords

Which three objects can be sent to WildFire for analysis? (Choose three.)

- Email attachments
- URL links found in email
- Files traversing the firewall

Methods for Obtaining Certificates and Keys

1) You can create the certificate and public/private key pair on the CA server, regardless of whether you are working with a public or internal CA. Then use the web interface to IMPORT the signed certificate and key pair into the firewall.
*A disadvantage of this method is that the private key is transferred over the network, where there is a small risk that it will be stolen.
2) To avoid a network transfer of the private key, you can use the firewall web interface to generate the public/private key pair along with a certificate signing request (CSR). You export the CSR file from the firewall to the CA, which signs it and returns the certificate. Then you use the web interface to import the file that contains the signed certificate into the firewall.
*The private key never leaves the firewall if you use this method.
3) You also can use the web interface to create a self-signed certificate and public/private key pair. The primary advantage is that this certificate is free of cost and can be obtained in minutes. The self-signed certificate can be a signing certificate too, so it can be used with SSL Forward Proxy decryption.
*The primary disadvantage is that a self-signed certificate is, by default, not trusted by the other devices in your organization. You will need to export the self-signed certificate and install it in the trusted root certificate stores on the other devices. After you have placed the self-signed certificate on the firewall and all devices, it can be used to establish trust between all the devices and the firewall.

SSL Forward Proxy Process:

1. Client initiates SSL handshake: the SSL client establishes a session with the server by initiating an SSL handshake.
2. Firewall re-issues its own request: the firewall intercepts the handshake request and issues its own handshake request to the server.
3. Server sends its certificate: the SSL server responds with its certificate, which is signed by a CA that both the server and the firewall trust. The firewall uses that CA to validate the certificate and the identity of the server.
4. Forward trust certificate: the firewall creates a copy of the server certificate and signs it with the private key of its forward trust certificate. A forward trust certificate indicates to the SSL client that the firewall has verified and trusts the server certificate. The firewall then forwards the copied, re-signed server certificate to the client.
5. Client validation: the client validates the firewall's forward trust certificate using a CA that both the client and the firewall trust.
6. SSL tunnels established: at this point two SSL tunnels exist, one between the client and the firewall and another between the firewall and the server. The firewall acts as an SSL proxy between the client and server and can decrypt and inspect the data flowing between them.
If the firewall cannot verify the server certificate, it signs the copy with its forward untrust certificate instead, which indicates to the client that the SSL server certificate could not be verified.

What is the maximum number of WildFire appliances that can be grouped into a WildFire appliance cluster?

20

SSL Forward Proxy Decryption Policy

A Decryption Profile enables the firewall to perform checks on decrypted traffic. After you create a Decryption Profile, you attach it to a Decryption policy rule. The firewall enforces the Decryption Profile settings on traffic matched to the Decryption policy rule. *Any 'no-decrypt' rules should come first, at the top of the Decryption rule set.

PEM file

A PEM file that contains the certificate does not contain the private key; the private key has to be transferred in a separate file. (PEM is only an encoding, so a private key can also be PEM-encoded, but it is then a separate Base64 block, normally in its own file.)

PKCS12 file

A PKCS12 file contains both the certificate and private key in the same file.

Encrypted Versus Unencrypted Traffic

A Palo Alto Networks firewall can decrypt SSHv2 and SSL/TLS inbound and outbound network traffic. *Encryption OSI Layers are Application and Presentation

Certificate Invalidation:

A certificate might need to be invalidated before its expiration date for one of several reasons:
1) The private key of the certificate owner might have been compromised.
2) The hostname or username of the certificate owner might change.
3) A host could be decommissioned, a user could leave the company, or a counterfeit key might need to be invalidated.
CAs store the list of revoked certificates in their certificate database.

Import a CA Certificate:

A firewall CA certificate and public/private key pair can be created on an internal CA and imported into the firewall. Ensure that you have a secure network, because the firewall's private key will be transferred over the network. You can permanently block the export of private keys for certificates that have been generated in or imported into PAN-OS software. Blocking the export of private keys from your PAN-OS appliances hardens your security posture because it prevents rogue administrators from misusing keys. ***With a CA certificate configured on the firewall, you can use the web interface to create any other required certificates, and they can be signed by the firewall's CA certificate.

Hardware Security Modules (HSMs)

A hardware security module (HSM) is a physical device that generates, stores, and manages digital keys. It provides logical and physical protection of the firewall's private keys from unauthorized use and potential adversaries. Use dedicated HSMs to manage the certificate signing functions for SSL Forward Proxy, SSL Inbound Inspection, and master key storage functions. HSM support generally is required when FIPS 140-2 Level 3 protection for CA keys is required. HSM use is supported on the PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM-Series firewalls. It also is supported on the Panorama M-100 and M-500 appliances, and on the Panorama VM.

Policy Actions(Enable)

Allows the traffic to pass without any policy action

Certificate Checking and Revocation

An SSL client must check all certificates in the chain of trust before an SSL connection can be considered secure. Before an SSL client can check a certificate, it must determine the chain of trust. Then the SSL client must validate each certificate in the chain.

Dynamic Pinning Risks

An attacker who gains access to a server could configure HPKP. In an HPKP attack, the attacker configures all clients to expect a specific CA signature on the server certificate, and then the attacker removes that certificate from the server. An attacker can use this type of attack as a denial-of-service attack or can demand ransom to return the server certificate.

Forward Trust and Forward Untrust Certificates

As a trusted third party, the firewall uses its forward trust or forward untrust certificate to inform the SSL client whether the firewall has verified the validity of the web server's certificate.
1) Firewall makes the server request: the firewall intercepts the SSL request and forwards its own SSL request to the server.
2) If the server certificate is trusted, the firewall creates a copy of it signed by the firewall's forward trust certificate. If it is untrusted, the firewall creates a copy signed by its forward untrust certificate.
3) In either case, the firewall sends the signed certificate to the SSL client. If a forward untrust certificate was used, the SSL client sees a block page warning that the website it is trying to connect to is not trusted by the firewall acting as SSL proxy. The user can choose to proceed or to terminate the session.

Content Packages and WildFire Updates

Available in 24-48 hours:
- Antivirus signatures: made available within 24 to 48 hours as content UPDATES TO THE ANTIVIRUS content database. You can schedule daily downloads of the Antivirus content database. Firewall access to the Antivirus content database is enabled by a Threat Prevention license.
Available in real time:
- URL updates: made available within 5 minutes as content updates to the PAN-DB URL Filtering database. You do not need to schedule PAN-DB downloads, because new URL information is downloaded dynamically by the firewall as needed. Firewall access to the PAN-DB URL Filtering database is enabled by a URL Filtering license.
- Antivirus signatures: made available in real time as content UPDATES TO THE WILDFIRE SIGNATURES content database on the firewall. You can schedule a firewall to check for new WildFire antivirus signatures in real time. Firewall access to the WildFire antivirus signatures is enabled by a WildFire license.

Phishing Verdict

Beginning with PAN-OS 8.0, this verdict was introduced to classify phishing links found in emails separately from emailed links found to be exploits or malware. When the firewall detects an unknown link in an email, it forwards the link to WildFire for analysis. WildFire classifies the link as phishing based on properties and behaviors that the accompanying website displays, and Palo Alto Networks security researchers also manually review certain links to check for phishing activity. Phishing links are added to the PAN-DB database and are used to block future phishing attacks.

PKI Hierarchical Trust Model

CAs are arranged in a hierarchical fashion, similar to a file system:
- Root CA
- Intermediate CA
- Device

CRL

Certificate Revocation List

SSL Decryption Policy Considerations

Certificate or key pinning affects how you configure the Decryption policy of your firewall. When certificate or key pinning is used, the SSL client is preconfigured to know which certificate or key it should expect and accept from the SSL server. ***The purpose of certificate or key pinning is to prevent the successful use of counterfeit certificates or man-in-the-middle (MiTM) attacks in SSL sessions.

Benign Verdict

Given by WildFire to files or URLs that have been found to be safe and pose no threat to your organization. Safe and does not exhibit malicious behavior.

Import Server Certificate and Private Key

Creation of an SSL Inbound Inspection policy is a two-step process, with an optional third step.
1) Import the certificate and private key of the internal server into the firewall, which enables the firewall to decrypt and inspect SSL traffic to and from the internal SSL server.
2) Create the actual Decryption policy rule.

Generate a CSR for the CA-Signed Certificate

Device > Certificate Management > Certificates, then click Add.
1 - Generate the certificate
*Configuring this certificate as a subordinate certificate authority enables the firewall to use it to sign SSL server certificates.
*With the release of PAN-OS 10.0, you can permanently block the export of private keys for certificates that have been generated in or imported into PAN-OS.
2 - Export the certificate
*Send the .csr file to your external or internal CA. The CA signs the certificate and returns a .pem file. Use the web interface to import the .pem file into the firewall. After the import, the newly signed certificate is available for use.

Certificate Chain of Trust

Device: the chain begins with the device's certificate. Each certificate in the chain is digitally signed by the entity identified by the next-higher certificate in the chain.
Root CA: the chain terminates with a root CA certificate. The root CA certificate is always self-signed, because the issuing authority is the root CA itself. These root CAs form the basis for all PKI deployments.

Dynamic Key Pinning

Dynamic key pinning relies on HTTP Public Key Pinning (HPKP). HPKP breaks SSL Forward Proxy decryption unless you can update the valid CA list to include the firewall's forward trust certificate. When HPKP is used, the software developer does not have to preconfigure the SSL client with a list of acceptable CA certificates and public keys for validating the certificate of the SSL server. Instead, the list of acceptable CA certificates and public keys is sent from the SSL server to the client the first time the client connects to the server. The acceptable CA certificate information is sent in an HTTP response header named Public-Key-Pins. The client must establish at least one HTTPS connection to the server to receive the list of acceptable CA certificates and public keys. HPKP has since been deprecated and removed from mainstream browsers, but the interaction described here still applies to any client that enforces pins.

No Decryption

Even if the Decryption policy rule action is "no-decrypt," the Decryption Profile attached to the rule still can be configured to block sessions with expired or untrusted certificates.

Firewall Master Key

Every firewall has a default master key that encrypts all the private keys and local user passwords in the configuration. For the best security posture, configure a new master key and change it periodically. *In a firewall high availability configuration, you must use the same master key on both firewalls in the pair. Otherwise, HA synchronization will not work properly.

Trusted Root Certificate(On the Firewall)

FW-CA-Cert is a trusted root CA certificate and is used to sign and validate subordinate certificates. This CA certificate has signed certificates for the GlobalProtect Portal and Gateway machines, an SSL forward trust certificate to use to decrypt SSL connections where the server certificate was validated, and a certificate that proves the identity of the firewall's web interface.

True or false? When a malicious file or link is detected in an email, WildFire can update antivirus signatures in the PAN-DB database.

False. PAN-DB (the URL Filtering cloud database) contains URLs, not antivirus signatures.

True or false? If OCSP and CRL are configured on a firewall, CRL is consulted first.

False. OCSP is consulted first.

SSL Forward Proxy and HPKP

SSL Forward Proxy decryption can fail with HPKP because the firewall cannot perform the decryption unless it modifies the CA signature on the server certificate. The modified server certificate might not match the list of acceptable server certificates unless you also configure a client to accept the forward trust certificate and public key of the firewall as an accepted CA certificate.

Which type of firewall decryption requires the administrator to import a server certificate and a private key into the firewall?

SSL Inbound Inspection Decryption

Firewall SSL Decryption Benefits

SSL decryption on the firewall helps to prevent the introduction of malware. The traffic is decrypted so that it can be identified and inspected for malware by App-ID and Content-ID. SSL decryption on the firewall also helps to prevent the exfiltration of sensitive and valuable information. SSL decryption by the firewall is a primary feature used to block the cyberattack lifecycle.

SSL/TLS Operation Review

SSL/TLS uses a digital certificate to validate the identity of a communication partner:
1. Client Request - The client sends a request for an SSL connection.
2. Server sends a certificate - The server responds with its certificate, which contains its identity and public key.
3. Client verifies certificate - The client uses the public key infrastructure (PKI) to validate the server certificate and the server public key.
4. Client sends encrypted session key - If the certificate is valid, THE CLIENT USES THE SERVER'S PUBLIC KEY to encrypt a symmetric session key and sends it to the server.
5. Server decrypts session key - The server uses its private key to decrypt the copy of the session key that the client sent to the server.
6. Begin encrypted communication - Both sides use the session key to encrypt communications for privacy.

SSH Decryption

Secure Shell (SSH) supports secure remote login. SSH also enables other applications to be carried in encrypted SSH tunnels. SSH tunnels are a common way to subvert firewalls and breach Security policies. Unlike SSL, SSH does not require digital certificates. The firewall can decrypt, inspect, and re-encrypt inbound and outbound SSHv2 connections passing through the firewall. With SSH Proxy, separate SSH sessions are created between the client and the firewall, and between the firewall and the server.

Decryption Exclusions

Starting with PAN-OS 8.0, you have centralized management for decryption exclusions. Decryption exclusions prevent the firewall from attempting to decrypt traffic to specific websites. You can view predefined decryption exclusions that identify applications that decryption is known to break.

Decryption Broker

The Decryption Broker enables the firewall to forward plain, cleartext traffic to a security chain for additional enforcement, which provides complete visibility into network traffic. A security chain is a set of inline, third-party appliances dedicated to performing a specific security function, such as an Intrusion Prevention System.

Importance of SSL/TLS

The SSL/TLS protocols, commonly referred to as just SSL, are important for the secure operation of a data center. SSL secures communication between network nodes by encrypting cleartext data for privacy before it is sent across the network. SSL also uses hashes to maintain data integrity and digital certificates to authenticate the communication end nodes.

WildFire Private Cloud

The WF-500 appliance is a WildFire private cloud solution. With the release of PAN-OS 10.0, the WF-500 supports Windows XP, Windows 7, and Windows 10 virtual environments. With the addition of Windows 10 support, the WF-500 increases the threat prevention coverage of the appliance by enabling it to detect threats crafted for Windows 10 environments.
- Analyzes Files from Palo Alto Networks Firewalls or WildFire XML API
- Provides Additional Cloud Intelligence

Decryption Port Mirroring

The decryption port mirroring feature enables a firewall to forward packet captures of decrypted traffic to a traffic collection tool, such as NetWitness or Solera, for archiving and analysis.

The Chain of Trust (CA Certificates)

The device can verify the owner of a public key if the device's list of trusted CAs includes a root CA in the chain of trust. For example, a browser can check to determine which authority issued an intermediary certificate, retrieve the intermediary's certificate from that higher authority, and verify the intermediary certificate. This process continues until a root CA is encountered in the chain. In practice, this process is rarely more than two or three hops.

Decryption Keys

The key used to decrypt SSH sessions is generated automatically on the firewall during bootup. The same key is used to decrypt all SSH sessions across all virtual systems configured on the firewall. The key also is automatically synchronized between HA partner firewalls.

Policy Action (Alert-Only)

The traffic is allowed and a log entry is generated in the threat logs.

True or false? The SSL forward untrust certificate should not be trusted by the client but should still be a CA certificate.

True

True or false? The firewall still can check for expired or untrusted certificates even if the SSL traffic is not being decrypted.

True

Device-level CA

Trusted CAs, certificates, and private keys are located in the Certificate Store. Devices use a certificate store to store their private keys and the certificates they have been issued. They also maintain a list of trusted CAs. This list of trusted CAs can be updated by a user or by a device software update. If the certificate of the issuing CA is not added to a client's certificate store, the client receives a warning message when browsing to secure sites verified by that CA.

Certificate Management in the Web Interface

Types of Operations:
- Generate Certificates
- View Certificates
- Modify Certificate Use
- Import/Export Certificates
- Delete Certificates
- Renew/Revoke Certificates

Intermediate CA

Used in a Hierarchical Trust Model. An intermediate CA is certified by a root CA to issue certificates or to certify additional lower-level intermediate CAs. Each CA issues and revokes certificates and has a certificate database that stores certificates.

Wildfire Email Protection

When WildFire detects a malicious file, it immediately creates a new antivirus signature that can be downloaded in real time by Palo Alto Networks firewalls around the world.
- Malicious URL Link: If WildFire determines that a URL link included in the email is malicious, it quickly updates the Antivirus content database and the PAN-DB database to prevent further compromise of other hosts around the world. If the URL link was found to be specifically a phishing website, the URL is added to the URL Filtering phishing category in the PAN-DB database. If you have a WildFire and PAN-DB license, your firewall can block access to newly discovered malware and phishing sites as soon as signatures are generated.
- Malicious File Attachment: If WildFire determines that a file attachment or URL link is malicious, it includes the email header information in the WildFire Submissions log that it returns to the firewall. If User-ID technology is enabled, you can use the log information to quickly find and remediate the threats received by your users. If User-ID matches a name in the WildFire log, the log's Email Header section contains a link. If you click the link, the ACC tab opens, filtered by the user or group of users.

WildFire Analysis Profile

WildFire Analysis Profiles are objects that are added to Security policy rules that are configured with an action of "allow." WildFire Analysis Profiles are not necessary for Security policy rules configured with the "deny" action, because no further processing is needed if the network traffic will be blocked. As with Security policy rules, WildFire Analysis Profiles are applied to all packets over the life of a session. WildFire Analysis Profiles enable you to have more granular control over allowed traffic. For example, you can configure a firewall to submit files to WildFire only when they match specific file types and are transferred in a specific direction by a specific application. The files submitted to WildFire are logged to the log found at Monitor > Logs > WildFire Submissions.

Wildfire Verdict

WildFire is a cloud-based, virtual sandbox used to evaluate unknown files and URL links found in emails. The evaluation occurs for:
- Android
- Linux
- macOS
- Windows XP
- Windows 7
- Windows 10
After analysis is complete, files and links are labeled as:
- benign
- grayware
- malware
- phishing
If a malware or a phishing URL is found, WildFire creates a new antivirus signature or adds the URL to the PAN-DB Phishing URL category and then makes these updates available within minutes for download by firewalls around the world.

Report Incorrect Verdict: Web Interface

WildFire reports indicate whether WildFire analysis showed a file to be benign, grayware, or malware. If you think that a file was incorrectly categorized by WildFire, you can use the web interface or the WildFire portal to request a new verdict from Palo Alto Networks. Steps to Request New Verdict:
1. Monitor > Logs > WildFire Submissions
2. Find the entry and click its detailed view icon
3. Click the WildFire Analysis Report tab
4. Select Incorrect Verdict
5. Suggest a new verdict

WildFire Reporting Overview

WildFire reports its findings to the firewall each time that its technology analyzes a file or URL link. You can configure both the types of information submitted to WildFire and the amount of information that is returned to the firewall in the report.

SSH Tunnel

With SSH decryption enabled, SSH, SCP, and SFTP are identified as the application ssh. After the firewall identifies SSH traffic, it further checks for an SSH tunnel. If the firewall identifies and labels traffic as the application ssh-tunnel, you can configure a Security policy rule to allow the ssh-tunnel application. SSH decryption does not provide any control of applications or inspection of threats within the SSH-tunneled application.

Static CA Certificate Pinning

With static CA certificate pinning, the software developer writes the code for the SSL server and client. The developer also preconfigures the server certificate, noting which CA signed the certificate. The developer also preconfigures the client with the list of acceptable CAs that can sign the server certificate.

Renew an SSL Forward Untrust Certificate

You can use the web interface to renew any CA or non-CA certificates issued by the firewall. Renewal of a certificate changes its expiration date to a later date. The default expiration date for certificates issued by the firewall is one year. This expiration date typically should be increased to two or more years.

SSL Inbound Inspection Review

The firewall uses SSL Inbound Inspection to decrypt and inspect SSL traffic when you do have access to the certificate and private key of the SSL server.
