Which is the correct order of severity from least severity to greatest severity for log levels

Getting Started

Integrate the Firewall into Your Management Network

Determine Your Management Strategy

Perform Initial Configuration

Set Up Network Access for External Services

Register the Firewall

Segment Your Network Using Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

Configure Interfaces and Zones

Set Up a Basic Security Policy

Assess Network Traffic

Enable Free WildFire Forwarding

Best Practices for Completing the Firewall Deployment

Best Practices for Securing Administrative Access

Subscriptions

Subscriptions You Can Use With the Firewall

Activate Subscription Licenses

What Happens When Licenses Expire?

Enhanced Application Logs for Palo Alto Networks Cloud Services

Software and Content Updates

PAN-OS Software Updates

Dynamic Content Updates

Install Content Updates

Applications and Threats Content Updates

Deploy Applications and Threats Content Updates

Tips for Content Updates

Best Practices for Applications and Threats Content Updates

Best Practices for Content Updates—Mission-Critical

Best Practices for Content Updates—Security-First

Content Delivery Network Infrastructure

Firewall Administration

Management Interfaces

Use the Web Interface

Launch the Web Interface

Configure Banners, Message of the Day, and Logos

Use the Administrator Login Activity Indicators to Detect Account Misuse

Manage and Monitor Administrative Tasks

Commit, Validate, and Preview Firewall Configuration Changes

Export Configuration Table Data

Use Global Find to Search the Firewall or Panorama Management Server

Manage Locks for Restricting Configuration Changes

Manage Configuration Backups

Save and Export Firewall Configurations

Revert Firewall Configuration Changes

Manage Firewall Administrators

Administrative Role Types

Configure an Admin Role Profile

Administrative Authentication

Configure Administrative Accounts and Authentication

Configure a Firewall Administrator Account

Configure Local or External Authentication for Firewall Administrators

Configure Certificate-Based Administrator Authentication to the Web Interface

Configure SSH Key-Based Administrator Authentication to the CLI

Configure API Key Lifetime

Reference: Web Interface Administrator Access

Web Interface Access Privileges

Define Access to the Web Interface Tabs

Provide Granular Access to the Monitor Tab

Provide Granular Access to the Policy Tab

Provide Granular Access to the Objects Tab

Provide Granular Access to the Network Tab

Provide Granular Access to the Device Tab

Define User Privacy Settings in the Admin Role Profile

Restrict Administrator Access to Commit and Validate Functions

Provide Granular Access to Global Settings

Provide Granular Access to the Panorama Tab

Panorama Web Interface Access Privileges

Reference: Port Number Usage

Ports Used for Management Functions

Ports Used for HA

Ports Used for Panorama

Ports Used for GlobalProtect

Ports Used for User-ID

Reset the Firewall to Factory Default Settings

Bootstrap the Firewall

USB Flash Drive Support

Sample init-cfg.txt Files

Prepare a USB Flash Drive for Bootstrapping a Firewall

Bootstrap a Firewall Using a USB Flash Drive

Authentication

Authentication Types

External Authentication Services

Multi-Factor Authentication

SAML

Kerberos

TACACS+

RADIUS

LDAP

Local Authentication

Plan Your Authentication Deployment

Configure Multi-Factor Authentication

Configure MFA Between RSA SecurID and the Firewall

Configure MFA Between Okta and the Firewall

Configure MFA Between Duo and the Firewall

Configure SAML Authentication

Configure Kerberos Single Sign-On

Configure Kerberos Server Authentication

Configure TACACS+ Authentication

Configure RADIUS Authentication

Configure LDAP Authentication

Connection Timeouts for Authentication Servers

Guidelines for Setting Authentication Server Timeouts

Modify the PAN-OS Web Server Timeout

Modify the Captive Portal Session Timeout

Configure Local Database Authentication

Configure an Authentication Profile and Sequence

Test Authentication Server Connectivity

Authentication Policy

Authentication Timestamps

Configure Authentication Policy

Troubleshoot Authentication Issues

Certificate Management

Keys and Certificates

Default Trusted Certificate Authorities (CAs)

Certificate Revocation

Certificate Revocation List (CRL)

Online Certificate Status Protocol (OCSP)

Certificate Deployment

Set Up Verification for Certificate Revocation Status

Configure an OCSP Responder

Configure Revocation Status Verification of Certificates

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure the Master Key

Obtain Certificates

Create a Self-Signed Root CA Certificate

Generate a Certificate

Import a Certificate and Private Key

Obtain a Certificate from an External CA

Deploy Certificates Using SCEP

Export a Certificate and Private Key

Configure a Certificate Profile

Configure an SSL/TLS Service Profile

Replace the Certificate for Inbound Management Traffic

Configure the Key Size for SSL Forward Proxy Server Certificates

Revoke and Renew Certificates

Revoke a Certificate

Renew a Certificate

Secure Keys with a Hardware Security Module

Set Up Connectivity with an HSM

Set Up Connectivity with a SafeNet Network HSM

Set Up Connectivity with an nCipher nShield Connect HSM

Encrypt a Master Key Using an HSM

Encrypt the Master Key

Refresh the Master Key Encryption

Store Private Keys on an HSM

Manage the HSM Deployment

High Availability

HA Overview

HA Concepts

HA Modes

HA Links and Backup Links

HA Ports on Palo Alto Networks Firewalls

Device Priority and Preemption

Failover

LACP and LLDP Pre-Negotiation for Active/Passive HA

Floating IP Address and Virtual MAC Address

ARP Load-Sharing

Route-Based Redundancy

HA Timers

Session Owner

Session Setup

NAT in Active/Active HA Mode

ECMP in Active/Active HA Mode

Set Up Active/Passive HA

Prerequisites for Active/Passive HA

Configuration Guidelines for Active/Passive HA

Configure Active/Passive HA

Define HA Failover Conditions

Verify Failover

Set Up Active/Active HA

Prerequisites for Active/Active HA

Configure Active/Active HA

Determine Your Active/Active Use Case

Use Case: Configure Active/Active HA with Route-Based Redundancy

Use Case: Configure Active/Active HA with Floating IP Addresses

Use Case: Configure Active/Active HA with ARP Load-Sharing

Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

Refresh HA1 SSH Keys and Configure Key Options

HA Firewall States

Reference: HA Synchronization

What Settings Don’t Sync in Active/Passive HA?

What Settings Don’t Sync in Active/Active HA?

Synchronization of System Runtime Information

Monitoring

Use the Dashboard

Use the Application Command Center

ACC—First Look

ACC Tabs

ACC Widgets

Widget Descriptions

ACC Filters

Interact with the ACC

Use Case: ACC—Path of Information Discovery

Use the App Scope Reports

Summary Report

Change Monitor Report

Threat Monitor Report

Threat Map Report

Network Monitor Report

Traffic Map Report

Use the Automated Correlation Engine

Automated Correlation Engine Concepts

Correlation Object

Correlated Events

View the Correlated Objects

Interpret Correlated Events

Use the Compromised Hosts Widget in the ACC

Take Packet Captures

Types of Packet Captures

Disable Hardware Offload

Take a Custom Packet Capture

Take a Threat Packet Capture

Take an Application Packet Capture

Take a Packet Capture for Unknown Applications

Take a Custom Application Packet Capture

Take a Packet Capture on the Management Interface

Monitor Applications and Threats

View and Manage Logs

Log Types and Severity Levels

Traffic Logs

Threat Logs

URL Filtering Logs

WildFire Submissions Logs

Data Filtering Logs

Correlation Logs

Tunnel Inspection Logs

Config Logs

System Logs

HIP Match Logs

GlobalProtect Logs

IP-Tag Logs

User-ID Logs

Alarms Logs

Authentication Logs

Unified Logs

View Logs

Filter Logs

Export Logs

Configure Log Storage Quotas and Expiration Periods

Schedule Log Exports to an SCP or FTP Server

Monitor Block List

View and Manage Reports

Report Types

View Reports

Configure the Expiration Period and Run Time for Reports

Disable Predefined Reports

Custom Reports

Generate Custom Reports

Generate Botnet Reports

Configure a Botnet Report

Interpret Botnet Report Output

Generate the SaaS Application Usage Report

Manage PDF Summary Reports

Generate User/Group Activity Reports

Manage Report Groups

Schedule Reports for Email Delivery

Manage Report Storage Capacity

View Policy Rule Usage

Use External Services for Monitoring

Configure Log Forwarding

Configure Email Alerts

Use Syslog for Monitoring

Configure Syslog Monitoring

Syslog Field Descriptions

Traffic Log Fields

Threat Log Fields

URL Filtering Log Fields

Data Filtering Log Fields

HIP Match Log Fields

GlobalProtect Log Fields

GlobalProtect Log Fields for PAN-OS 9.1.0 Through 9.1.2

GlobalProtect Log Fields for PAN-OS 9.1.3 and Later Releases

IP-Tag Log Fields

User-ID Log Fields

Tunnel Inspection Log Fields

SCTP Log Fields

Authentication Log Fields

Config Log Fields

System Log Fields

Correlated Events Log Fields

GTP Log Fields

Syslog Severity

Custom Log/Event Format

Escape Sequences

SNMP Monitoring and Traps

SNMP Support

Use an SNMP Manager to Explore MIBs and Objects

Identify a MIB Containing a Known OID

Walk a MIB

Identify the OID for a System Statistic or Trap

Enable SNMP Services for Firewall-Secured Network Elements

Monitor Statistics Using SNMP

Forward Traps to an SNMP Manager

Supported MIBs

MIB-II

IF-MIB

HOST-RESOURCES-MIB

ENTITY-MIB

ENTITY-SENSOR-MIB

ENTITY-STATE-MIB

IEEE 802.3 LAG MIB

LLDP-V2-MIB.my

BFD-STD-MIB

PAN-COMMON-MIB.my

PAN-GLOBAL-REG-MIB.my

PAN-GLOBAL-TC-MIB.my

PAN-LC-MIB.my

PAN-PRODUCT-MIB.my

PAN-ENTITY-EXT-MIB.my

PAN-TRAPS.my

Forward Logs to an HTTP/S Destination

NetFlow Monitoring

Configure NetFlow Exports

NetFlow Templates

Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors

User-ID

User-ID Overview

User-ID Concepts

Group Mapping

User Mapping

Server Monitoring

Port Mapping

XFF Headers

Username Header Insertion

Authentication Policy and Captive Portal

Syslog

GlobalProtect

XML API

Client Probing

Enable User-ID

Map Users to Groups

Map IP Addresses to Users

Create a Dedicated Service Account for the User-ID Agent

Configure User Mapping Using the Windows User-ID Agent

Install the Windows-Based User-ID Agent

Configure the Windows User-ID Agent for User Mapping

Configure User Mapping Using the PAN-OS Integrated User-ID Agent

Configure Server Monitoring Using WinRM

Configure User-ID to Monitor Syslog Senders for User Mapping

Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener

Configure the Windows User-ID Agent as a Syslog Listener

Map IP Addresses to Usernames Using Captive Portal

Captive Portal Authentication Methods

Captive Portal Modes

Configure Captive Portal

Configure User Mapping for Terminal Server Users

Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Send User Mappings to User-ID Using the XML API

Enable User- and Group-Based Policy

Enable Policy for Users with Multiple Accounts

Verify the User-ID Configuration

Deploy User-ID in a Large-Scale Network

Deploy User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Plan a Large-Scale User-ID Deployment

Configure Windows Log Forwarding

Configure User-ID for Numerous Mapping Information Sources

Insert Username in HTTP Headers

Redistribute User Mappings and Authentication Timestamps

Firewall Deployment for User-ID Redistribution

Configure User-ID Redistribution

Share User-ID Mappings Across Virtual Systems

App-ID

App-ID Overview

App-ID and HTTP/2 Inspection

Manage Custom or Unknown Applications

Manage New and Modified App-IDs

Apply Tags to an Application Filter

Create Custom Application Tags

Workflow to Best Incorporate New and Modified App-IDs

See the New and Modified App-IDs in a Content Release

See How New and Modified App-IDs Impact Your Security Policy

Ensure Critical New App-IDs are Allowed

Monitor New App-IDs

Disable and Enable App-IDs

Use Application Objects in Policy

Create an Application Group

Create an Application Filter

Create a Custom Application

Resolve Application Dependencies

Safely Enable Applications on Default Ports

Applications with Implicit Support

Security Policy Rule Optimization

Policy Optimizer Concepts

Sorting and Filtering Security Policy Rules

Clear Application Usage Data

Migrate Port-Based to App-ID Based Security Policy Rules

Rule Cloning Migration Use Case: Web Browsing and SSL Traffic

Add Applications to an Existing Rule

Identify Security Policy Rules with Unused Applications

High Availability for Application Usage Statistics

How to Disable Policy Optimizer

Application Level Gateways

Disable the SIP Application-level Gateway (ALG)

Use HTTP Headers to Manage SaaS Application Access

Understand SaaS Custom Headers

Domains used by the Predefined SaaS Application Types

Create HTTP Header Insertion Entries using Predefined Types

Create Custom HTTP Header Insertion Entries

Maintain Custom Timeouts for Data Center Applications

Threat Prevention

Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

DNS Security

About DNS Security

Domain Generation Algorithm (DGA) Detection

DNS Tunneling Detection

Cloud-Delivered DNS Signatures and Protections

Enable DNS Security

Use DNS Queries to Identify Infected Hosts on the Network

How DNS Sinkholing Works

Configure DNS Sinkholing

Configure DNS Sinkholing for a List of Custom Domains

Configure the Sinkhole IP Address to a Local Server on Your Network

See Infected Hosts that Attempted to Connect to a Malicious Domain

Data Filtering

Create a Data Filtering Profile

Predefined Data Filtering Patterns

Set Up File Blocking

Prevent Brute Force Attacks

Customize the Action and Trigger Conditions for a Brute Force Signature

Enable Evasion Signatures

Prevent Credential Phishing

Methods to Check for Corporate Credential Submissions

Configure Credential Detection with the Windows User-ID Agent

Set Up Credential Phishing Prevention

Monitor Blocked IP Addresses

Threat Signature Categories

Create Threat Exceptions

Custom Signatures

Monitor and Get Threat Reports

Monitor Activity and Create Custom Reports Based on Threat Categories

Learn More About Threat Signatures

AutoFocus Threat Intelligence for Network Traffic

AutoFocus Intelligence Summary

Enable AutoFocus Threat Intelligence

View and Act on AutoFocus Intelligence Summary Data

Share Threat Intelligence with Palo Alto Networks

What Telemetry Data Does the Firewall Collect?

Passive DNS Monitoring

Enable Telemetry

Threat Prevention Resources

Decryption

Decryption Overview

Decryption Concepts

Keys and Certificates for Decryption Policies

SSL Forward Proxy

SSL Forward Proxy Decryption Profile

SSL Inbound Inspection

SSL Inbound Inspection Decryption Profile

SSL Protocol Settings Decryption Profile

SSH Proxy

SSH Proxy Decryption Profile

Decryption Profile for No Decryption

SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates

Perfect Forward Secrecy (PFS) Support for SSL Decryption

SSL Decryption and Subject Alternative Names (SANs)

High Availability Support for Decrypted Sessions

Decryption Mirroring

Prepare to Deploy Decryption

Work with Stakeholders to Develop a Decryption Deployment Strategy

Develop a PKI Rollout Plan

Size the Decryption Firewall Deployment

Plan a Staged, Prioritized Deployment

Define Traffic to Decrypt

Create a Decryption Profile

Create a Decryption Policy Rule

Configure SSL Forward Proxy

Configure SSL Inbound Inspection

Configure SSH Proxy

Configure Server Certificate Verification for Undecrypted Traffic

Decryption Exclusions

Palo Alto Networks Predefined Decryption Exclusions

Exclude a Server from Decryption for Technical Reasons

Create a Policy-Based Decryption Exclusion

Enable Users to Opt Out of SSL Decryption

Temporarily Disable SSL Decryption

Configure Decryption Port Mirroring

Verify Decryption

Decryption Broker

How Decryption Broker Works

Decryption Broker Concepts

Decryption Broker: Forwarding Interfaces

Decryption Broker: Layer 3 Security Chain

Decryption Broker: Transparent Bridge Security Chain

Decryption Broker: Security Chain Session Flow

Decryption Broker: Multiple Security Chains

Decryption Broker: Security Chain Health Checks

Layer 3 Security Chain Guidelines

Configure Decryption Broker with One or More Layer 3 Security Chain

Transparent Bridge Security Chain Guidelines

Configure Decryption Broker with a Single Transparent Bridge Security Chain

Configure Decryption Broker with Multiple Transparent Bridge Security Chains

Activate Free Licenses for Decryption Features

URL Filtering

About Palo Alto Networks URL Filtering Solution

How Advanced URL Filtering Works

URL Filtering Use Cases

URL Categories

Security-Focused URL Categories

Malicious URL Categories

Verified URL Categories

Policy Actions You Can Take Based on URL Categories

Plan Your URL Filtering Deployment

URL Filtering Best Practices

Activate The Advanced URL Filtering Subscription

Configure URL Filtering

Test URL Filtering Configuration

Monitor Web Activity

Monitor Web Activity of Network Users

View the User Activity Report

Configure Custom URL Filtering Reports

Log Only the Page a User Visits

Create a Custom URL Category

URL Category Exceptions

Use an External Dynamic List in a URL Filtering Profile

Allow Password Access to Certain Sites

Safe Search Enforcement

Safe Search Settings for Search Providers

Block Search Results When Strict Safe Search Is Not Enabled

Transparently Enable Safe Search for Users

URL Filtering Response Pages

Customize the URL Filtering Response Pages

HTTP Header Logging

Request to Change the Category for a URL

Troubleshoot URL Filtering

Problems Activating Advanced URL Filtering

PAN-DB Cloud Connectivity Issues

URLs Classified as Not-Resolved

Incorrect Categorization

PAN-DB Private Cloud

M-600 Appliance for PAN-DB Private Cloud

Set Up the PAN-DB Private Cloud

Configure the PAN-DB Private Cloud

Configure the Firewalls to Access the PAN-DB Private Cloud

Configure Authentication with Custom Certificates on the PAN-DB Private Cloud

Quality of Service

QoS Overview

QoS Concepts

QoS for Applications and Users

QoS Policy

QoS Profile

QoS Classes

QoS Priority Queuing

QoS Bandwidth Management

QoS Egress Interface

QoS for Clear Text and Tunneled Traffic

Configure QoS

Configure QoS for a Virtual System

Enforce QoS Based on DSCP Classification

QoS Use Cases

Use Case: QoS for a Single User

Use Case: QoS for Voice and Video Applications

VPNs

VPN Deployments

Site-to-Site VPN Overview

Site-to-Site VPN Concepts

IKE Gateway

Tunnel Interface

Tunnel Monitoring

Internet Key Exchange (IKE) for VPN

IKE Phase 1

IKE Phase 2

Methods of Securing IPSec VPN Tunnels (IKE Phase 2)

IKEv2

Liveness Check

Cookie Activation Threshold and Strict Cookie Validation

Traffic Selectors

Hash and URL Certificate Exchange

SA Key Lifetime and Re-Authentication Interval

Set Up Site-to-Site VPN

Set Up an IKE Gateway

Export a Certificate for a Peer to Access Using Hash and URL

Import a Certificate for IKEv2 Gateway Authentication

Change the Key Lifetime or Authentication Interval for IKEv2

Change the Cookie Activation Threshold for IKEv2

Configure IKEv2 Traffic Selectors

Define Cryptographic Profiles

Define IKE Crypto Profiles

Define IPSec Crypto Profiles

Set Up an IPSec Tunnel

Set Up Tunnel Monitoring

Define a Tunnel Monitoring Profile

View the Status of the Tunnels

Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel

Enable or Disable an IKE Gateway or IPSec Tunnel

Refresh and Restart Behaviors

Refresh or Restart an IKE Gateway or IPSec Tunnel

Test VPN Connectivity

Interpret VPN Error Messages

Site-to-Site VPN Quick Configs

Site-to-Site VPN with Static Routing

Site-to-Site VPN with OSPF

Site-to-Site VPN with Static and Dynamic Routing

Large Scale VPN (LSVPN)

LSVPN Overview

Create Interfaces and Zones for the LSVPN

Enable SSL Between GlobalProtect LSVPN Components

About Certificate Deployment

Deploy Server Certificates to the GlobalProtect LSVPN Components

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

Configure the Portal to Authenticate Satellites

Configure GlobalProtect Gateways for LSVPN

Configure the GlobalProtect Portal for LSVPN

GlobalProtect Portal for LSVPN Prerequisite Tasks

Configure the Portal

Define the Satellite Configurations

Prepare the Satellite to Join the LSVPN

Verify the LSVPN Configuration

LSVPN Quick Configs

Basic LSVPN Configuration with Static Routing

Advanced LSVPN Configuration with Dynamic Routing

Advanced LSVPN Configuration with iBGP

Networking

Configure Interfaces

Tap Interfaces

Virtual Wire Interfaces

Layer 2 and Layer 3 Packets over a Virtual Wire

Port Speeds of Virtual Wire Interfaces

LLDP over a Virtual Wire

Aggregated Interfaces for a Virtual Wire

Virtual Wire Support of High Availability

Zone Protection for a Virtual Wire Interface

VLAN-Tagged Traffic

Virtual Wire Subinterfaces

Configure Virtual Wires

Layer 2 Interfaces

Layer 2 Interfaces with No VLANs

Layer 2 Interfaces with VLANs

Configure a Layer 2 Interface

Configure a Layer 2 Interface, Subinterface, and VLAN

Manage Per-VLAN Spanning Tree (PVST+) BPDU Rewrite

Layer 3 Interfaces

Configure Layer 3 Interfaces

Manage IPv6 Hosts Using NDP

IPv6 Router Advertisements for DNS Configuration

Configure RDNS Servers and DNS Search List for IPv6 Router Advertisements

NDP Monitoring

Enable NDP Monitoring

Configure an Aggregate Interface Group

Use Interface Management Profiles to Restrict Access

Virtual Routers

Service Routes

Static Routes

Static Route Overview

Static Route Removal Based on Path Monitoring

Configure a Static Route

Configure Path Monitoring for a Static Route

RIP

OSPF

OSPF Concepts

OSPFv3

OSPF Neighbors

OSPF Areas

OSPF Router Types

Configure OSPF

Configure OSPFv3

Configure OSPF Graceful Restart

Confirm OSPF Operation

View the Routing Table

Confirm OSPF Adjacencies

Confirm that OSPF Connections are Established

BGP

BGP Overview

MP-BGP

Configure BGP

Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast

Configure a BGP Peer with MP-BGP for IPv4 Multicast

BGP Confederations

IP Multicast

IGMP

PIM

Shortest-Path Tree (SPT) and Shared Tree

PIM Assert Mechanism

Reverse-Path Forwarding

Configure IP Multicast

View IP Multicast Information

Route Redistribution

GRE Tunnels

GRE Tunnel Overview

Create a GRE Tunnel

DHCP

DHCP Overview

Firewall as a DHCP Server and Client

DHCP Messages

DHCP Addressing

DHCP Address Allocation Methods

DHCP Leases

DHCP Options

Predefined DHCP Options

Multiple Values for a DHCP Option

DHCP Options 43, 55, and 60 and Other Customized Options

Configure an Interface as a DHCP Server

Configure an Interface as a DHCP Client

Configure the Management Interface as a DHCP Client

Configure an Interface as a DHCP Relay Agent

Monitor and Troubleshoot DHCP

View DHCP Server Information

Clear DHCP Leases

View DHCP Client Information

Gather Debug Output about DHCP

DNS

DNS Overview

DNS Proxy Object

DNS Server Profile

Multi-Tenant DNS Deployments

Configure a DNS Proxy Object

Configure a DNS Server Profile

Use Case 1: Firewall Requires DNS Resolution

Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

DNS Proxy Rule and FQDN Matching

Dynamic DNS Overview

Configure Dynamic DNS for Firewall Interfaces

NAT

NAT Policy Rules

NAT Policy Overview

NAT Address Pools Identified as Address Objects

Proxy ARP for NAT Address Pools

Source NAT and Destination NAT

Source NAT

Destination NAT

Destination NAT with DNS Rewrite Use Cases

Destination NAT with DNS Rewrite Reverse Use Cases

Destination NAT with DNS Rewrite Forward Use Cases

NAT Rule Capacities

Dynamic IP and Port NAT Oversubscription

Dataplane NAT Memory Statistics

Configure NAT

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)

Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

Configure Destination NAT with DNS Rewrite

Configure Destination NAT Using Dynamic IP Addresses

Modify the Oversubscription Rate for DIPP NAT

Reserve Dynamic IP NAT Addresses

Disable NAT for a Specific Host or Interface

NAT Configuration Examples

Destination NAT Example—One-to-One Mapping

Destination NAT with Port Translation Example

Destination NAT Example—One-to-Many Mapping

Source and Destination NAT Example

Virtual Wire Source NAT Example

Virtual Wire Static NAT Example

Virtual Wire Destination NAT Example

NPTv6

NPTv6 Overview

NPTv6 Does Not Provide Security

Model Support for NPTv6

Unique Local Addresses

Reasons to Use NPTv6

How NPTv6 Works

Checksum-Neutral Mapping

Bi-Directional Translation

NPTv6 Applied to a Specific Service

NDP Proxy

NPTv6 and NDP Proxy Example

The ND Cache in NPTv6 Example

The NDP Proxy in NPTv6 Example

The NPTv6 Translation in NPTv6 Example

Neighbors in the ND Cache are Not Translated

Create an NPTv6 Policy

NAT64

NAT64 Overview

IPv4-Embedded IPv6 Address

DNS64 Server

Path MTU Discovery

IPv6-Initiated Communication

Configure NAT64 for IPv6-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication with Port Translation

ECMP

ECMP Load-Balancing Algorithms

ECMP Model, Interface, and IP Routing Support

Configure ECMP on a Virtual Router

Enable ECMP for Multiple BGP Autonomous Systems

Verify ECMP

LLDP

LLDP Overview

Supported TLVs in LLDP

LLDP Syslog Messages and SNMP Traps

Configure LLDP

View LLDP Settings and Status

Clear LLDP Statistics

BFD

BFD Overview

BFD Model, Interface, and Client Support

Non-Supported RFC Components of BFD

BFD for Static Routes

BFD for Dynamic Routing Protocols

Configure BFD

Reference: BFD Details

Session Settings and Timeouts

Transport Layer Sessions

TCP

TCP Half Closed and TCP Time Wait Timers

Unverified RST Timer

TCP Split Handshake Drop

Maximum Segment Size (MSS)

UDP

ICMP

Security Policy Rules Based on ICMP and ICMPv6 Packets

ICMPv6 Rate Limiting

Control Specific ICMP or ICMPv6 Types and Codes

Configure Session Timeouts

Configure Session Settings

Session Distribution Policies

Session Distribution Policy Descriptions

Change the Session Distribution Policy and View Statistics

Prevent TCP Split Handshake Session Establishment

Tunnel Content Inspection

Tunnel Content Inspection Overview

Configure Tunnel Content Inspection

View Inspected Tunnel Activity

View Tunnel Information in Logs

Create a Custom Report Based on Tagged Tunnel Traffic

Policy

Policy Types

Security Policy

Components of a Security Policy Rule

Security Policy Actions

Create a Security Policy Rule

Policy Objects

Security Profiles

Create a Security Profile Group

Set Up or Override a Default Security Profile Group

Track Rules Within a Rulebase

Enforce Policy Rule Description, Tag, and Audit Comment

Move or Clone a Policy Rule or Object to a Different Virtual System

Use an Address Object to Represent IP Addresses

Address Objects

Create an Address Object

Use Tags to Group and Visually Distinguish Objects

Create and Apply Tags

Modify Tags

View Rules by Tag Group

Use an External Dynamic List in Policy

External Dynamic List

Formatting Guidelines for an External Dynamic List

IP Address List

Domain List

URL List

Built-in External Dynamic Lists

Configure the Firewall to Access an External Dynamic List

Configure the Firewall to Access an External Dynamic List from the EDL Hosting Service

Create an External Dynamic List Using the EDL Hosting Service

Convert the GlobalSign Root R1 Certificate to PEM Format

Retrieve an External Dynamic List from the Web Server

View External Dynamic List Entries

Exclude Entries from an External Dynamic List

Enforce Policy on an External Dynamic List

Find External Dynamic Lists That Failed Authentication

Disable Authentication for an External Dynamic List

Register IP Addresses and Tags Dynamically

Use Dynamic User Groups in Policy

Use Auto-Tagging to Automate Security Actions

Monitor Changes in the Virtual Environment

Enable VM Monitoring to Track Changes on the Virtual Network

Attributes Monitored on Virtual Machines in Cloud Platforms

Use Dynamic Address Groups in Policy

CLI Commands for Dynamic IP Addresses and Tags

Identify Users Connected through a Proxy Server

Use XFF Values for Policies and Logging Source Users

Use the IP Address in the XFF Header to Troubleshoot Events

Policy-Based Forwarding

PBF

Egress Path and Symmetric Return

Path Monitoring for PBF

Service Versus Applications in PBF

Create a Policy-Based Forwarding Rule

Use Case: PBF for Outbound Access with Dual ISPs

Test Policy Rules

Virtual Systems

Virtual Systems Overview

Virtual System Components and Segmentation

Benefits of Virtual Systems

Use Cases for Virtual Systems

Platform Support and Licensing for Virtual Systems

Administrative Roles for Virtual Systems

Shared Objects for Virtual Systems

Communication Between Virtual Systems

Inter-VSYS Traffic That Must Leave the Firewall

Inter-VSYS Traffic That Remains Within the Firewall

External Zone

External Zones and Security Policies For Traffic Within a Firewall

Inter-VSYS Communication Uses Two Sessions

Shared Gateway

External Zones and Shared Gateway

Networking Considerations for a Shared Gateway

Configure Virtual Systems

Configure Inter-Virtual System Communication within the Firewall

Configure a Shared Gateway

Customize Service Routes for a Virtual System

Customize Service Routes to Services for Virtual Systems

Configure a PA-7000 Series Firewall for Logging Per Virtual System

Configure a PA-7000 Series LPC for Logging per Virtual System

Configure a PA-7000 Series LFC for Logging per Virtual System

Configure Administrative Access Per Virtual System or Firewall

Virtual System Functionality with Other Features

Zone Protection and DoS Protection

Network Segmentation Using Zones

How Do Zones Protect the Network?

Zone Defense

Zone Defense Tools

How Do the Zone Defense Tools Work?

Firewall Placement for DoS Protection

Baseline CPS Measurements for Setting Flood Thresholds

CPS Measurements to Take

How to Measure CPS

Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet-Based Attack Protection

Protocol Protection

Packet Buffer Protection

DoS Protection Profiles and Policy Rules

Classified Versus Aggregate DoS Protection

DoS Protection Profiles

DoS Protection Policy Rules

Configure Zone Protection to Increase Network Security

Configure Reconnaissance Protection

Configure Packet Based Attack Protection

Configure Protocol Protection

Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces

Configure Packet Buffer Protection

DoS Protection Against Flooding of New Sessions

Multiple-Session DoS Attack

Single-Session DoS Attack

Configure DoS Protection Against Flooding of New Sessions

End a Single Session DoS Attack

Identify Sessions That Use Too Much of the On-Chip Packet Descriptor

Discard a Session Without a Commit

Certifications

Enable FIPS and Common Criteria Support

Access the Maintenance Recovery Tool (MRT)

Change the Operational Mode to FIPS-CC Mode

FIPS-CC Security Functions

Scrub the Swap Memory on Firewalls or Appliances Running in FIPS-CC Mode

What is the order of log levels from lowest to highest?

What is the logging severity level?

What are the five levels of logging?

What is the highest logging level?