Configures and deploys Palo Alto Networks NGFW using App-ID for app identification, User-ID integration, zone-based policies, SSL decryption, and threat prevention profiles for enterprise network security.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.
Palo Alto Networks next-generation firewalls (NGFW) go beyond traditional port-based rule enforcement to deliver application-aware, identity-driven security policy. By using App-ID for traffic classification, User-ID for identity-based enforcement, Content-ID for threat detection, and SSL decryption for visibility into encrypted traffic, organizations gain comprehensive control over network traffic. This skill covers end-to-end deployment, from initial configuration through advanced threat prevention profiles.
App-ID classifies network traffic by application regardless of port or protocol. The classification engine applies several identification techniques in sequence. Encrypted traffic that is not decrypted is classified only as far as the handshake allows (typically as ssl), which is why SSL decryption extends App-ID's reach.
The Policy Optimizer tool helps migrate legacy port-based rules to App-ID rules by analyzing traffic logs and recommending application-specific replacement rules. It only sees applications that actually traversed a rule during the observation window, so let it collect data long enough to cover periodic jobs before converting a rule.
User-ID maps IP addresses to user identities through several methods. These mappings are what the source-user field in security policy matches against.
Zones represent logical segments of the network. Security policy controls traffic between zones (inter-zone) and within a zone (intra-zone); the predefined intrazone-default rule allows and the interzone-default rule denies, and neither logs unless you enable logging on it:
| Zone | Purpose | Trust level |
|---|---|---|
| Trust | Corporate internal LAN | High |
| Untrust | Internet-facing | None |
| DMZ | Public-facing servers | Medium |
| Guest | Guest wireless | Low |
| DataCenter | Server infrastructure | High |
Configure the management interface, DNS, NTP, and system settings:
# Enter configuration mode; every set command below is issued from here
configure
set deviceconfig system hostname PA-FW01
set deviceconfig system domain corp.example.com
set deviceconfig system dns-setting servers primary 10.0.1.10
set deviceconfig system dns-setting servers secondary 10.0.1.11
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 0.pool.ntp.org
set deviceconfig system timezone US/Eastern
set deviceconfig system login-banner "Authorized access only. All activity is monitored."
Define security zones and assign interfaces:
set zone Trust network layer3 ethernet1/1
set zone Untrust network layer3 ethernet1/2
set zone DMZ network layer3 ethernet1/3
set zone Guest network layer3 ethernet1/4
# The management profile referenced on ethernet1/1 must exist or the commit fails.
# Permit only ping on a data interface; keep HTTPS/SSH management off it.
set network profiles interface-management-profile allow-ping ping yes
set network interface ethernet ethernet1/1 layer3 ip 10.10.0.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping
# DHCP client on the Internet-facing interface; enable yes is required, and the
# learned default route is installed into the virtual router
set network interface ethernet ethernet1/2 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/2 layer3 dhcp-client create-default-route yes
# Assign ethernet1/3 (DMZ) and ethernet1/4 (Guest) addresses the same way as ethernet1/1
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 ]
Protect against reconnaissance and DoS attacks at the zone level:
set network profiles zone-protection-profile Strict-ZP flood tcp-syn enable yes
# SYN cookies are the flood action; the alert/activate/maximal rates (connections per second)
# are configured under the chosen action. Tune them to a measured baseline for the zone.
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies alert-rate 100
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies activate-rate 500
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies maximal-rate 2000
set network profiles zone-protection-profile Strict-ZP flood udp enable yes
set network profiles zone-protection-profile Strict-ZP flood icmp enable yes
# Reconnaissance protection: 8001 = TCP port scan, 8002 = host sweep, 8003 = UDP port scan.
# block-ip needs a tracking key and a block duration in seconds.
set network profiles zone-protection-profile Strict-ZP scan 8003 action block-ip track-by source duration 300
set network profiles zone-protection-profile Strict-ZP scan 8003 interval 2
set network profiles zone-protection-profile Strict-ZP scan 8003 threshold 100
# A zone protection profile does nothing until it is bound to a zone
set zone Untrust network zone-protection-profile Strict-ZP
Create antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking and WildFire profiles, then group them so that a single reference attaches all of them to a rule:
# Antivirus profile: reset both sides on signature and WildFire verdict matches
set profiles virus Strict-AV decoder http action reset-both wildfire-action reset-both
set profiles virus Strict-AV decoder smtp action reset-both wildfire-action reset-both
# Anti-spyware profile: DNS sinkhole for known C2 domains, block-ip for critical signatures.
# The list entry needs an explicit action; without it the sinkhole address is never used.
set profiles spyware Strict-AS botnet-domains lists default-paloalto-dns action sinkhole
set profiles spyware Strict-AS botnet-domains lists default-paloalto-dns packet-capture single-packet
set profiles spyware Strict-AS botnet-domains sinkhole ipv4-address pan-sinkhole-default-ip
# track-by source blocks the internal client for 300 s on an outbound hit; use
# source-and-destination if that is too aggressive for your environment
set profiles spyware Strict-AS rules Block-Critical severity critical threat-name any category any packet-capture single-packet action block-ip track-by source duration 300
# Vulnerability protection profile
set profiles vulnerability Strict-VP rules Block-Critical-High vendor-id any cve any host any category any threat-name any severity [ critical high ] packet-capture single-packet action block-ip track-by source duration 300
# URL filtering profile. Credential-phishing protection in ip-user mode depends on
# User-ID mappings, and only fires for the categories listed under credential-enforcement.
set profiles url-filtering Strict-URL credential-enforcement mode ip-user
set profiles url-filtering Strict-URL credential-enforcement block [ phishing unknown ]
set profiles url-filtering Strict-URL block [ command-and-control malware phishing ]
set profiles url-filtering Strict-URL alert [ hacking proxy-avoidance-and-anonymizers ]
# File blocking profile
set profiles file-blocking Strict-FB rules Block-Dangerous application any file-type [ bat exe msi ps1 vbs ] direction both action block
# WildFire analysis profile
set profiles wildfire-analysis Strict-WF rules Forward-All application any file-type any direction both analysis public-cloud
# Profile group referenced by the security rules; bind every profile here
set profile-group Strict-Security-Profiles virus Strict-AV spyware Strict-AS vulnerability Strict-VP url-filtering Strict-URL file-blocking Strict-FB wildfire-analysis Strict-WF
Set up SSL Forward Proxy for outbound traffic inspection:
# Generate the Forward Trust CA on-box (operational mode; the CN given by name is required).
# Export its public certificate and push it to endpoint trust stores, otherwise every
# decrypted site raises a certificate warning in the browser.
request certificate generate certificate-name SSL-FP-CA name "Corp SSL Forward Trust CA" algorithm RSA rsa-nbits 2048 digest sha256 ca yes
# Mark it as the Forward Trust certificate (configuration mode)
set shared ssl-decrypt forward-trust-certificate rsa SSL-FP-CA
# Decryption profile: fail closed on bad upstream certificates
set profiles decryption Strict-Decrypt ssl-forward-proxy block-expired-certificate yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-untrusted-issuer yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-unknown-cert yes
set profiles decryption Strict-Decrypt ssl-forward-proxy restrict-cert-exts yes
# Decryption rules are first-match and are ordered by creation, so the sensitive-category
# exemption (finance, healthcare) is created before the catch-all decrypt rule; placed
# after it, the exemption would never match.
set rulebase decryption rules No-Decrypt-Sensitive from Trust to Untrust source any destination any source-user any
set rulebase decryption rules No-Decrypt-Sensitive category [ financial-services health-and-medicine ] service any
set rulebase decryption rules No-Decrypt-Sensitive action no-decrypt type ssl-forward-proxy
set rulebase decryption rules Decrypt-Outbound from Trust to Untrust source any destination any source-user any
set rulebase decryption rules Decrypt-Outbound category any service any
set rulebase decryption rules Decrypt-Outbound action decrypt type ssl-forward-proxy
set rulebase decryption rules Decrypt-Outbound profile Strict-Decrypt
Create application-aware security rules with security profiles attached. The rulebase is evaluated top down with first match winning, so explicit blocks are created before the allow rules and the logging catch-all deny comes last:
# Block high-risk applications from any zone to any zone
set rulebase security rules Block-HighRisk from any to any source any destination any source-user any
set rulebase security rules Block-HighRisk application [ bittorrent tor anonymizer ] service any action deny
set rulebase security rules Block-HighRisk log-end yes
# Allow sanctioned business applications from Trust to the Internet with the full profile group
set rulebase security rules Allow-Business from Trust to Untrust source any destination any source-user any
set rulebase security rules Allow-Business application [ office365-enterprise salesforce-base slack-base zoom ]
set rulebase security rules Allow-Business service application-default action allow
set rulebase security rules Allow-Business profile-setting group Strict-Security-Profiles
set rulebase security rules Allow-Business log-end yes
# Allow web browsing with URL filtering plus threat inspection. After decryption a session is
# re-matched with the inner application, so the allowed applications must cover what appears
# inside TLS, not only ssl itself.
set rulebase security rules Allow-Web from Trust to Untrust source any destination any source-user any
set rulebase security rules Allow-Web application [ web-browsing ssl ] service application-default action allow
set rulebase security rules Allow-Web profile-setting profiles url-filtering Strict-URL vulnerability Strict-VP spyware Strict-AS
set rulebase security rules Allow-Web log-end yes
# Explicit catch-all deny: interzone-default already denies but does not log
set rulebase security rules Deny-All from any to any source any destination any source-user any
set rulebase security rules Deny-All application any service any action deny
set rulebase security rules Deny-All log-end yes
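Because both the decryption rulebase and the security rulebase are first-match, a rule created below a broader one can be dead on arrival, and an allow rule that was never given a profile silently skips threat inspection. The following checker is an added example, not code from the skill or from Palo Alto Networks: it models rules as match sets (zones, addresses, users, applications, URL categories; service, schedule and HIP are ignored) and reports fully shadowed rules and unprofiled allows. The sample rulebases are constructed from the rules on this page, plus one deliberately misplaced Allow-Guest-Web rule and the decryption rules in the order a naive transcription would create them.

```python
"""Offline first-match lint for a PAN-OS-style rulebase (added example).

Reports rules that can never match because an earlier rule already matches
everything they would (shadowed), and allow rules that carry neither
security profiles nor a profile group. The model is a simplification of
PAN-OS matching and the rulebases below are constructed for the example.
"""
from dataclasses import dataclass

ANY = frozenset({"any"})
MATCH_FIELDS = ("from_zones", "to_zones", "sources", "destinations",
                "users", "apps", "categories")


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    action: str
    sources: frozenset = ANY
    destinations: frozenset = ANY
    users: frozenset = ANY
    apps: frozenset = ANY
    categories: frozenset = ANY
    profiles: tuple = ()  # security profiles or a profile group name


def covers(outer: frozenset, inner: frozenset) -> bool:
    """True when every value inner can match is also matched by outer."""
    if "any" in outer:
        return True
    return "any" not in inner and inner <= outer


def shadowed_by(earlier: Rule, later: Rule) -> bool:
    """later never matches if earlier already matches all of its traffic."""
    return all(covers(getattr(earlier, f), getattr(later, f)) for f in MATCH_FIELDS)


def find_shadowed(rules):
    """(shadowed rule, first rule that shadows it) pairs, in rulebase order."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if shadowed_by(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


def allow_without_profiles(rules):
    """Allow rules with no threat inspection attached."""
    return [r.name for r in rules if r.action == "allow" and not r.profiles]


Z = frozenset  # shorthand for the constructed rulebases

SECURITY = [
    Rule("Allow-Business", Z({"Trust"}), Z({"Untrust"}), "allow",
         apps=Z({"office365-enterprise", "salesforce-base", "slack-base", "zoom"}),
         profiles=("Strict-Security-Profiles",)),
    Rule("Allow-Web", Z({"Trust"}), Z({"Untrust"}), "allow",
         apps=Z({"web-browsing", "ssl"}), profiles=("Strict-URL",)),
    Rule("Block-HighRisk", ANY, ANY, "deny", apps=Z({"bittorrent", "tor", "anonymizer"})),
    Rule("Deny-All", ANY, ANY, "deny"),
    # Constructed mistake: an allow rule appended below the catch-all deny, with no profiles
    Rule("Allow-Guest-Web", Z({"Guest"}), Z({"Untrust"}), "allow", apps=Z({"web-browsing", "ssl"})),
]

# Decryption rules with the exemption created after the catch-all decrypt rule
DECRYPTION = [
    Rule("Decrypt-Outbound", Z({"Trust"}), Z({"Untrust"}), "decrypt", profiles=("Strict-Decrypt",)),
    Rule("No-Decrypt-Sensitive", Z({"Trust"}), Z({"Untrust"}), "no-decrypt",
         categories=Z({"financial-services", "health-and-medicine"})),
]

if __name__ == "__main__":
    print("shadowed security rules:", find_shadowed(SECURITY))
    print("allow rules without profiles:", allow_without_profiles(SECURITY))
    print("shadowed decryption rules:", find_shadowed(DECRYPTION))
    print("with the exemption moved up:", find_shadowed(list(reversed(DECRYPTION))))
```

Running it flags Allow-Guest-Web as shadowed by Deny-All and as lacking profiles, and flags No-Decrypt-Sensitive as shadowed by Decrypt-Outbound; reversing the two decryption rules clears the finding. Only full shadowing is reported; a rule that loses part of its traffic to an earlier rule still matches the rest, which is a separate (and harder) review question.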
Forward logs to a SIEM for correlation. A log forwarding profile only takes effect on the security rules that reference it, so it is attached to each rule here:
# Syslog server profile. UDP is unencrypted and unacknowledged; prefer transport SSL
# (port 6514) where the SIEM supports it.
set shared log-settings syslog SIEM-Server server SIEM server 10.0.5.100 transport UDP port 514
set shared log-settings syslog SIEM-Server server SIEM format BSD facility LOG_USER
# Log forwarding profile: threat, traffic and URL logs to the SIEM
set shared log-settings profiles SIEM-Forward match-list Threats log-type threat filter "All Logs"
set shared log-settings profiles SIEM-Forward match-list Threats send-syslog SIEM-Server
set shared log-settings profiles SIEM-Forward match-list Traffic log-type traffic filter "All Logs"
set shared log-settings profiles SIEM-Forward match-list Traffic send-syslog SIEM-Server
set shared log-settings profiles SIEM-Forward match-list URL log-type url filter "All Logs"
set shared log-settings profiles SIEM-Forward match-list URL send-syslog SIEM-Server
# Attach the profile to every security rule; rules without it log locally only
set rulebase security rules Allow-Business log-setting SIEM-Forward
set rulebase security rules Allow-Web log-setting SIEM-Forward
set rulebase security rules Block-HighRisk log-setting SIEM-Forward
set rulebase security rules Deny-All log-setting SIEM-Forward
# System logs (HA, commits, admin logins) go through the device log settings, not a profile
set shared log-settings system match-list Sys-to-SIEM filter "All Logs" send-syslog SIEM-Server
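Once threat and traffic logs reach the SIEM, the two highest-value detections from this configuration are sinkhole hits (the anti-spyware DNS sinkhole above) and repeated block-ip events. The script below is an added example written for this page, not code from the skill or from Palo Alto Networks. It assumes the syslog server profile uses a custom log format that emits key=value pairs built from PAN-OS log variables ($type, $subtype, $src, $dst, $app, $rule, $action, $threatid, $severity); the sample lines, the sinkhole address 203.0.113.250 and the rule names Allow-DNS and Allow-DMZ-Web are constructed for the example. The sinkhole check handles the case practitioners most often miss: when clients resolve through an internal DNS server, the THREAT event names the resolver, and the infected client is only revealed by the TRAFFIC session it then opens to the sinkhole address.

```python
"""SIEM-side detections over PAN-OS logs forwarded by syslog (added example).

Input is assumed to be key=value lines from a custom syslog format; the
sample below is constructed, not captured from a firewall.
"""
import re
from collections import Counter, defaultdict

KV = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Assumed sinkhole address for this example (on a real deployment, whatever
# pan-sinkhole-default-ip resolves to, or your own sinkhole host).
SINKHOLE_IP = "203.0.113.250"
# The DNS servers from the system setup; sinkhole hits from them name the resolver, not a client
INTERNAL_RESOLVERS = frozenset({"10.0.1.10", "10.0.1.11"})

SAMPLE_LOGS = """\
<14>Mar 10 14:02:11 PA-FW01 type=THREAT subtype=spyware src=10.0.1.10 dst=198.51.100.53 app=dns-base rule=Allow-DNS action=sinkhole threatid="Suspicious DNS Query (constructed-c2.example)" severity=medium
<14>Mar 10 14:02:12 PA-FW01 type=TRAFFIC subtype=end src=10.10.0.57 dst=203.0.113.250 app=ssl rule=Allow-Web action=allow
<14>Mar 10 14:02:13 PA-FW01 type=TRAFFIC subtype=end src=10.10.0.23 dst=198.51.100.80 app=web-browsing rule=Allow-Web action=allow
<14>Mar 10 14:03:01 PA-FW01 type=THREAT subtype=spyware src=10.10.0.88 dst=198.51.100.53 app=dns-base rule=Allow-DNS action=sinkhole threatid="Suspicious DNS Query (constructed-c2.example)" severity=medium
<14>Mar 10 14:05:40 PA-FW01 type=THREAT subtype=vulnerability src=198.51.100.7 dst=10.20.0.4 app=web-browsing rule=Allow-DMZ-Web action=block-ip threatid="constructed-signature-1" severity=critical
<14>Mar 10 14:05:41 PA-FW01 type=THREAT subtype=vulnerability src=198.51.100.7 dst=10.20.0.4 app=web-browsing rule=Allow-DMZ-Web action=block-ip threatid="constructed-signature-2" severity=high
<14>Mar 10 14:05:42 PA-FW01 type=THREAT subtype=vulnerability src=198.51.100.7 dst=10.20.0.4 app=web-browsing rule=Allow-DMZ-Web action=block-ip threatid="constructed-signature-1" severity=critical
<14>Mar 10 14:06:10 PA-FW01 type=THREAT subtype=vulnerability src=198.51.100.22 dst=10.20.0.4 app=web-browsing rule=Allow-DMZ-Web action=block-ip threatid="constructed-signature-3" severity=high
"""


def parse(line: str) -> dict:
    """Extract key=value fields; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def records(text: str):
    return [parse(line) for line in text.splitlines() if line.strip()]


def sinkholed_clients(text, sinkhole_ip=SINKHOLE_IP, resolvers=INTERNAL_RESOLVERS):
    """Map client IP -> sorted evidence for hosts that resolved a sinkholed domain."""
    evidence = defaultdict(set)
    for rec in records(text):
        if rec.get("type") == "THREAT" and rec.get("action") == "sinkhole":
            # Only a direct querier identifies a client; a resolver's address does not
            if rec["src"] not in resolvers:
                evidence[rec["src"]].add("dns:" + rec.get("threatid", ""))
        elif rec.get("type") == "TRAFFIC" and rec.get("dst") == sinkhole_ip:
            # The client behind a resolver shows up when it connects to the sinkhole address
            evidence[rec["src"]].add("session-to-sinkhole")
    return {ip: sorted(ev) for ip, ev in evidence.items()}


def block_ip_sources(text, threshold=3):
    """Sources with at least `threshold` block-ip threat events."""
    counts = Counter(r["src"] for r in records(text)
                     if r.get("type") == "THREAT" and r.get("action") == "block-ip")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("sinkholed clients:", sinkholed_clients(SAMPLE_LOGS))
    print("repeat block-ip sources:", block_ip_sources(SAMPLE_LOGS))
```

On the sample, 10.10.0.57 is identified only through its session to the sinkhole address (its DNS query was logged against the resolver 10.0.1.10), 10.10.0.88 is identified directly, and 198.51.100.7 trips the block-ip threshold. Dropping the resolver exclusion would wrongly list the DNS server as an infected host.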
Verify the configuration and troubleshoot from operational mode, then validate and commit:
# Inspect the running security policy; validate and commit output warns about shadowed rules
show running security-policy
# Verify active sessions
show session all filter application web-browsing
# Check threat log entries
show log threat direction equal backward
# Review application-override rules: overridden traffic bypasses App-ID classification
show running application-override
# Check system resources
show system resources
# Validate the candidate configuration, then commit (configuration mode)
configure
validate full
commit description "Initial NGFW baseline"