Configure and deploy Palo Alto Networks NGFWs using App-ID, User-ID, zone-based policies, SSL decryption, and threat prevention for enterprise network security.
Install: `npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills`
Palo Alto Networks Next-Generation Firewalls (NGFWs) move beyond traditional port-based rule enforcement to application-aware, identity-driven security policies. By leveraging App-ID for traffic classification, User-ID for identity-based enforcement, Content-ID for threat inspection, and SSL decryption for encrypted traffic visibility, organizations gain comprehensive control over network traffic. This skill covers end-to-end deployment from initial configuration through advanced threat prevention profiles.
App-ID classifies network traffic by application regardless of port, protocol, or encryption. The classification engine uses multiple identification techniques in sequence:
The Policy Optimizer tool assists migration from legacy port-based rules to App-ID rules by analyzing traffic logs and recommending application-specific replacements.
User-ID maps IP addresses to user identities through multiple methods:
Zones represent logical segments of the network. Security policies control traffic between zones (inter-zone) and within zones (intra-zone):
| Zone | Purpose | Trust Level |
|---|---|---|
| Trust | Internal corporate LAN | High |
| Untrust | Internet-facing | None |
| DMZ | Public-facing servers | Medium |
| Guest | Guest wireless | Low |
| DataCenter | Server infrastructure | High |
Configure management interface, DNS, NTP, and system settings:
```
set deviceconfig system hostname PA-FW01
set deviceconfig system domain corp.example.com
set deviceconfig system dns-setting servers primary 10.0.1.10
set deviceconfig system dns-setting servers secondary 10.0.1.11
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 0.pool.ntp.org
set deviceconfig system timezone US/Eastern
set deviceconfig system login-banner "Authorized access only. All activity is monitored."
```
Define security zones and assign interfaces:
```
# Interface management profile referenced below (permits ping only; no management services)
set network profiles interface-management-profile allow-ping ping yes
set zone Trust network layer3 ethernet1/1
set zone Untrust network layer3 ethernet1/2
set zone DMZ network layer3 ethernet1/3
set zone Guest network layer3 ethernet1/4
set network interface ethernet ethernet1/1 layer3 ip 10.10.0.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping
set network interface ethernet ethernet1/2 layer3 dhcp-client enable yes
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 ]
```
Protect against reconnaissance and DoS attacks at the zone level:
```
set network profiles zone-protection-profile Strict-ZP flood tcp-syn enable yes
# SYN flood thresholds live under the chosen action (syn-cookies): alert at 100 SYN/s,
# start sending SYN cookies at 500 SYN/s, drop above 2000 SYN/s
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies alert-rate 100
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies activate-rate 500
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies maximal-rate 2000
set network profiles zone-protection-profile Strict-ZP flood udp enable yes
set network profiles zone-protection-profile Strict-ZP flood icmp enable yes
# Reconnaissance protection: threat ID 8003 (UDP port scan); block the scanning source for 300 s
set network profiles zone-protection-profile Strict-ZP scan 8003 action block-ip track-by source duration 300
set network profiles zone-protection-profile Strict-ZP scan 8003 interval 2
set network profiles zone-protection-profile Strict-ZP scan 8003 threshold 100
# A profile does nothing until it is bound to a zone
set zone Untrust network zone-protection-profile Strict-ZP
```
Create Anti-Virus, Anti-Spyware, Vulnerability Protection, and URL Filtering profiles:
```
# Anti-Spyware Profile (DNS sinkhole for known C2 domains, block sources of critical threats)
set profiles spyware Strict-AS botnet-domains lists default-paloalto-dns action sinkhole
set profiles spyware Strict-AS botnet-domains lists default-paloalto-dns packet-capture single-packet
set profiles spyware Strict-AS botnet-domains sinkhole ipv4-address pan-sinkhole-default-ip
set profiles spyware Strict-AS rules Block-Critical severity critical action block-ip track-by source duration 300
# Vulnerability Protection Profile
set profiles vulnerability Strict-VP rules Block-Critical-High vendor-id any severity [ critical high ] action block-ip track-by source duration 300
# URL Filtering Profile
set profiles url-filtering Strict-URL credential-enforcement mode ip-user
set profiles url-filtering Strict-URL block [ command-and-control malware phishing ]
set profiles url-filtering Strict-URL alert [ hacking proxy-avoidance-and-anonymizers ]
# File Blocking Profile
set profiles file-blocking Strict-FB rules Block-Dangerous application any file-type [ bat exe msi ps1 vbs ] direction both action block
# WildFire Analysis Profile
set profiles wildfire-analysis Strict-WF rules Forward-All application any file-type any direction both analysis public-cloud
# Security Profile Group bundling the profiles above, referenced by the security rules
set profile-group Strict-Security-Profiles spyware Strict-AS vulnerability Strict-VP url-filtering Strict-URL file-blocking Strict-FB wildfire-analysis Strict-WF
```
Set up SSL Forward Proxy for outbound traffic inspection:
```
# Generate the Forward Trust CA (the common name is a placeholder); its public certificate
# must be distributed to endpoint trust stores or clients will see certificate warnings
request certificate generate certificate-name SSL-FP-CA name "Corp-Forward-Trust-CA" algorithm RSA rsa-nbits 2048 digest sha256 ca yes
# Designate it as the forward trust certificate used to re-sign server certificates
set shared ssl-decrypt forward-trust-certificate rsa SSL-FP-CA
# Create Decryption Profile (fail closed on expired, untrusted, or unknown server certificates)
set profiles decryption Strict-Decrypt ssl-forward-proxy block-expired-certificate yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-untrusted-issuer yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-unknown-cert yes
set profiles decryption Strict-Decrypt ssl-forward-proxy restrict-cert-exts yes
# Create Decryption Policy
set rulebase decryption rules Decrypt-Outbound from Trust to Untrust source any destination any
set rulebase decryption rules Decrypt-Outbound action decrypt type ssl-forward-proxy
set rulebase decryption rules Decrypt-Outbound profile Strict-Decrypt
# Exclude sensitive categories (financial, healthcare). Decryption rules are evaluated
# top-down, first match wins, so this rule must sit above Decrypt-Outbound or it never matches
set rulebase decryption rules No-Decrypt-Sensitive from Trust to Untrust source any destination any
set rulebase decryption rules No-Decrypt-Sensitive category [ financial-services health-and-medicine ]
set rulebase decryption rules No-Decrypt-Sensitive action no-decrypt type ssl-forward-proxy
move rulebase decryption rules No-Decrypt-Sensitive before Decrypt-Outbound
```
Create application-aware security policies with security profiles:
```
# Allow business applications from Trust to Internet
set rulebase security rules Allow-Business from Trust to Untrust source any destination any
set rulebase security rules Allow-Business source-user any
set rulebase security rules Allow-Business application [ office365-enterprise salesforce-base slack-base zoom ]
set rulebase security rules Allow-Business service application-default
set rulebase security rules Allow-Business action allow
set rulebase security rules Allow-Business profile-setting group Strict-Security-Profiles
# Allow web browsing with URL filtering
set rulebase security rules Allow-Web from Trust to Untrust source any destination any
set rulebase security rules Allow-Web application [ web-browsing ssl ]
set rulebase security rules Allow-Web service application-default
set rulebase security rules Allow-Web action allow
set rulebase security rules Allow-Web profile-setting profiles url-filtering Strict-URL
# Block high-risk applications (keep explicit blocks above any broad allow rule)
set rulebase security rules Block-HighRisk from any to any source any destination any
set rulebase security rules Block-HighRisk application [ bittorrent tor anonymizer ]
set rulebase security rules Block-HighRisk service any
set rulebase security rules Block-HighRisk action deny
set rulebase security rules Block-HighRisk log-end yes
# Default deny rule (explicit, logged, and last in the rulebase)
set rulebase security rules Deny-All from any to any source any destination any
set rulebase security rules Deny-All application any service any action deny
set rulebase security rules Deny-All log-end yes
```
Forward logs to a SIEM for correlation:
```
# Configure Syslog Server Profile
set shared log-settings syslog SIEM-Server server SIEM transport UDP port 514 server 10.0.5.100
set shared log-settings syslog SIEM-Server server SIEM facility LOG_USER
# Configure Log Forwarding Profile
set shared log-settings profiles SIEM-Forward match-list Threats log-type threat
set shared log-settings profiles SIEM-Forward match-list Threats send-syslog SIEM-Server
set shared log-settings profiles SIEM-Forward match-list Traffic log-type traffic
set shared log-settings profiles SIEM-Forward match-list Traffic send-syslog SIEM-Server
set shared log-settings profiles SIEM-Forward match-list URL log-type url
set shared log-settings profiles SIEM-Forward match-list URL send-syslog SIEM-Server
# Attach the forwarding profile to each security rule; without this, nothing is forwarded
set rulebase security rules Allow-Business log-setting SIEM-Forward
set rulebase security rules Allow-Web log-setting SIEM-Forward
set rulebase security rules Block-HighRisk log-setting SIEM-Forward
set rulebase security rules Deny-All log-setting SIEM-Forward
```
Verify the deployment from the CLI:
```
# Review the running security policy and check for shadowed rules
show running security-policy
# Verify active sessions
show session all filter application web-browsing
# Check threat log entries
show log threat direction equal backward
# Review application-override rules (overrides bypass App-ID classification)
show running application-override
# Check system resources
show system resources
# Validate the candidate configuration before committing (configure mode)
validate full
```
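The shadowed-rule check above is worth understanding mechanically: both the decryption and the security rulebases are evaluated top-down with first match winning. This added example (not part of the skill or of PAN-OS) models that evaluation on rules constructed from the page's own rulebases and reports rules that can never be hit; the `Rule` type and field names are assumptions of the example.

```python
# Added example (not part of the skill page): first-match shadow analysis of
# zone-based rulebases, on rules constructed from the page's configuration.
from dataclasses import dataclass

ANY = "any"

@dataclass
class Rule:
    name: str
    match: dict  # match field -> set of values, e.g. {"from": {"Trust"}}

def covers(a: set, b: set) -> bool:
    """True when every value matched by set b is also matched by set a."""
    return ANY in a or (ANY not in b and b <= a)

def shadowed_rules(rules):
    """Return {dead_rule: earlier_rule} for rules that can never be hit.
    PAN-OS evaluates top-down, first match wins: a rule is dead when an earlier
    rule covers it in every match field. A field absent from a rule means 'any'."""
    dead = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            fields = set(earlier.match) | set(later.match)
            if all(covers(earlier.match.get(f, {ANY}), later.match.get(f, {ANY}))
                   for f in fields):
                dead[later.name] = earlier.name
                break
    return dead

# Rules constructed from the page's decryption and security rulebases.
DECRYPT_OUTBOUND = Rule("Decrypt-Outbound", {"from": {"Trust"}, "to": {"Untrust"}})
NO_DECRYPT = Rule("No-Decrypt-Sensitive", {"from": {"Trust"}, "to": {"Untrust"},
                  "category": {"financial-services", "health-and-medicine"}})
ALLOW_WEB = Rule("Allow-Web", {"from": {"Trust"}, "to": {"Untrust"},
                 "application": {"web-browsing", "ssl"}})
BLOCK_HIGHRISK = Rule("Block-HighRisk", {"application": {"bittorrent", "tor", "anonymizer"}})
DENY_ALL = Rule("Deny-All", {})

def decryption_as_listed():
    # Decrypt-Outbound first: the sensitive-category exclusion is never reached.
    return shadowed_rules([DECRYPT_OUTBOUND, NO_DECRYPT])

def decryption_after_move():
    # Same effect as: move rulebase decryption rules No-Decrypt-Sensitive before Decrypt-Outbound
    return shadowed_rules([NO_DECRYPT, DECRYPT_OUTBOUND])

def security_misordered():
    # Anything placed below the explicit Deny-All is dead; the listed order is clean.
    return shadowed_rules([ALLOW_WEB, DENY_ALL, BLOCK_HIGHRISK])
```

The firewall reports the same condition as a shadow warning at validate or commit time; the model here is a quick way to reason about a rulebase before it reaches the device.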