implementing-next-generation-firewall-with-palo-alto
配置和部署 Palo Alto Networks 下一代防火墙(NGFW),实现 App-ID 应用识别、User-ID 用户身份、基于区域的策略、SSL 解密以及威胁防御配置文件,为企业网络安全提供全面保护。
Best use case
implementing-next-generation-firewall-with-palo-alto is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
配置和部署 Palo Alto Networks 下一代防火墙(NGFW),实现 App-ID 应用识别、User-ID 用户身份、基于区域的策略、SSL 解密以及威胁防御配置文件,为企业网络安全提供全面保护。
Teams using implementing-next-generation-firewall-with-palo-alto should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-next-generation-firewall-with-palo-alto Compares
| Feature / Agent | implementing-next-generation-firewall-with-palo-alto | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
配置和部署 Palo Alto Networks 下一代防火墙(NGFW),实现 App-ID 应用识别、User-ID 用户身份、基于区域的策略、SSL 解密以及威胁防御配置文件,为企业网络安全提供全面保护。
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 使用 Palo Alto 实施下一代防火墙 ## 概述 Palo Alto Networks 下一代防火墙(NGFW)超越了传统的基于端口的规则执行,实现了应用感知、身份驱动的安全策略。通过利用 App-ID 进行流量分类、User-ID 进行身份驱动执行、Content-ID 进行威胁检测,以及 SSL 解密提升加密流量可见性,组织可获得对网络流量的全面控制。本技能涵盖从初始配置到高级威胁防御配置文件的端到端部署。 ## 前置条件 - Palo Alto Networks PA 系列设备或 VM-Series 虚拟防火墙 - PAN-OS 10.2 或更高版本 - 有效的威胁防御、URL 过滤和 WildFire 许可证 - 包含区域定义的网络拓扑文档 - 用于 User-ID 的 LDAP/Active Directory 集成凭据 - 用于 SSL Forward Proxy 解密的内部 CA 证书 ## 核心概念 ### App-ID 技术 App-ID 无论端口、协议或加密情况如何,都能按应用程序对网络流量进行分类。分类引擎按顺序使用多种识别技术: 1. **应用签名** - 与已知应用签名进行模式匹配 2. **SSL/TLS 解密** - 解密流量以识别加密隧道中隐藏的应用 3. **应用协议解码** - 解码协议以发现其中隧道传输的应用 4. **启发式分析** - 对规避其他方法的应用进行行为分析 Policy Optimizer 工具通过分析流量日志并推荐特定应用替代规则,帮助从旧式基于端口的规则迁移到 App-ID 规则。 ### User-ID 集成 User-ID 通过多种方式将 IP 地址映射到用户身份: - **服务器监控** - 解析 Windows 安全事件日志(事件 ID 4624、4768、4769) - **Syslog 监听** - 接收来自 RADIUS、802.1X、代理的认证事件 - **GlobalProtect** - 自动映射 VPN 用户 - **强制门户(Captive Portal)** - 对未知用户进行 Web 认证 - **XML API** - 从自定义来源程序化映射用户 ### 基于区域的架构 区域代表网络的逻辑分段。安全策略控制区域间(inter-zone)和区域内(intra-zone)的流量: | 区域 | 用途 | 信任级别 | |------|------|---------| | Trust | 企业内部 LAN | 高 | | Untrust | 面向互联网 | 无 | | DMZ | 公开服务器 | 中 | | Guest | 访客无线 | 低 | | DataCenter | 服务器基础设施 | 高 | ## 实施步骤 ### 步骤 1:初始系统配置 配置管理接口、DNS、NTP 和系统设置: ``` set deviceconfig system hostname PA-FW01 set deviceconfig system domain corp.example.com set deviceconfig system dns-setting servers primary 10.0.1.10 set deviceconfig system dns-setting servers secondary 10.0.1.11 set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 0.pool.ntp.org set deviceconfig system timezone US/Eastern set deviceconfig system login-banner "仅授权访问。所有活动均受监控。" ``` ### 步骤 2:配置网络区域和接口 定义安全区域并分配接口: ``` set zone Trust network layer3 ethernet1/1 set zone Untrust network layer3 ethernet1/2 set zone DMZ network layer3 ethernet1/3 set zone Guest network layer3 ethernet1/4 set network interface ethernet ethernet1/1 layer3 ip 10.10.0.1/24 set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping set network interface ethernet ethernet1/2 layer3 dhcp-client set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 ] ``` ### 步骤 3:配置区域保护配置文件 在区域级别防范侦察和 DoS 攻击: ``` set network profiles zone-protection-profile Strict-ZP flood tcp-syn enable yes set network profiles zone-protection-profile Strict-ZP flood tcp-syn alert-rate 100 set network profiles zone-protection-profile Strict-ZP flood tcp-syn activate-rate 500 set network profiles zone-protection-profile Strict-ZP flood tcp-syn maximal-rate 2000 set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies enable yes set network profiles zone-protection-profile Strict-ZP flood udp enable yes set network profiles zone-protection-profile Strict-ZP flood icmp enable yes set network profiles zone-protection-profile Strict-ZP scan 8003 action block-ip set network profiles zone-protection-profile Strict-ZP scan 8003 interval 2 set network profiles zone-protection-profile Strict-ZP scan 8003 threshold 100 ``` ### 步骤 4:配置威胁防御配置文件 创建防病毒、反间谍软件、漏洞防护和 URL 过滤配置文件: ``` # 反间谍软件配置文件 set profiles spyware Strict-AS botnet-domains lists default-paloalto-dns packet-capture single-packet set profiles spyware Strict-AS botnet-domains sinkhole ipv4-address pan-sinkhole-default-ip set profiles spyware Strict-AS rules Block-Critical severity critical action block-ip # 漏洞防护配置文件 set profiles vulnerability Strict-VP rules Block-Critical-High vendor-id any severity [ critical high ] action block-ip # URL 过滤配置文件 set profiles url-filtering Strict-URL credential-enforcement mode ip-user set profiles url-filtering Strict-URL block [ command-and-control malware phishing ] set profiles url-filtering Strict-URL alert [ hacking proxy-avoidance-and-anonymizers ] # 文件阻断配置文件 set profiles file-blocking Strict-FB rules Block-Dangerous application any file-type [ bat exe msi ps1 vbs ] direction both action block # WildFire 分析配置文件 set profiles wildfire-analysis Strict-WF rules Forward-All application any file-type any direction both analysis public-cloud ``` ### 步骤 5:配置 SSL 解密 为出站流量检测设置 SSL Forward Proxy: ``` # 生成 Forward Trust CA 证书 request certificate generate certificate-name SSL-FP-CA algorithm RSA digest sha256 ca yes # 创建解密配置文件 set profiles decryption Strict-Decrypt ssl-forward-proxy block-expired-certificate yes set profiles decryption Strict-Decrypt ssl-forward-proxy block-untrusted-issuer yes set profiles decryption Strict-Decrypt ssl-forward-proxy block-unknown-cert yes set profiles decryption Strict-Decrypt ssl-forward-proxy restrict-cert-exts yes # 创建解密策略 set rulebase decryption rules Decrypt-Outbound from Trust to Untrust source any destination any set rulebase decryption rules Decrypt-Outbound action decrypt type ssl-forward-proxy set rulebase decryption rules Decrypt-Outbound profile Strict-Decrypt # 排除敏感类别(金融、医疗) set rulebase decryption rules No-Decrypt-Sensitive from Trust to Untrust set rulebase decryption rules No-Decrypt-Sensitive category [ financial-services health-and-medicine ] set rulebase decryption rules No-Decrypt-Sensitive action no-decrypt ``` ### 步骤 6:构建安全策略 创建带安全配置文件的应用感知安全策略: ``` # 允许来自 Trust 区到互联网的业务应用 set rulebase security rules Allow-Business from Trust to Untrust set rulebase security rules Allow-Business source-user any set rulebase security rules Allow-Business application [ office365-enterprise salesforce-base slack-base zoom ] set rulebase security rules Allow-Business service application-default set rulebase security rules Allow-Business action allow set rulebase security rules Allow-Business profile-setting group Strict-Security-Profiles # 允许带 URL 过滤的 Web 浏览 set rulebase security rules Allow-Web from Trust to Untrust set rulebase security rules Allow-Web application [ web-browsing ssl ] set rulebase security rules Allow-Web action allow set rulebase security rules Allow-Web profile-setting profiles url-filtering Strict-URL # 阻断高风险应用 set rulebase security rules Block-HighRisk from any to any set rulebase security rules Block-HighRisk application [ bittorrent tor anonymizer ] set rulebase security rules Block-HighRisk action deny set rulebase security rules Block-HighRisk log-end yes # 默认拒绝规则(明确设置) set rulebase security rules Deny-All from any to any source any destination any set rulebase security rules Deny-All application any service any action deny set rulebase security rules Deny-All log-end yes ``` ### 步骤 7:配置日志记录和 SIEM 集成 将日志转发至 SIEM 进行关联分析: ``` # 配置 Syslog 服务器配置文件 set shared log-settings syslog SIEM-Server server SIEM transport UDP port 514 server 10.0.5.100 set shared log-settings syslog SIEM-Server server SIEM facility LOG_USER # 配置日志转发配置文件 set shared log-settings profiles SIEM-Forward match-list Threats log-type threat set shared log-settings profiles SIEM-Forward match-list Threats send-syslog SIEM-Server set shared log-settings profiles SIEM-Forward match-list Traffic log-type traffic set shared log-settings profiles SIEM-Forward match-list Traffic send-syslog SIEM-Server set shared log-settings profiles SIEM-Forward match-list URL log-type url set shared log-settings profiles SIEM-Forward match-list URL send-syslog SIEM-Server ``` ## 验证与测试 1. **策略审计** - 使用 `show running security-policy` 检查并排查被遮蔽的规则 2. **流量验证** - 监控流量日志以验证应用分类准确性 3. **威胁模拟** - 使用 EICAR 测试文件和已知恶意 URL 验证威胁配置文件 4. **SSL 解密测试** - 验证浏览器中的证书链是否匹配 Forward Trust CA 5. **区域保护测试** - 运行受控 SYN Flood 验证 SYN Cookie 激活 6. **Policy Optimizer** - 运行 Policy Optimizer 识别剩余的基于端口的规则 ```bash # 验证活动会话 show session all filter application web-browsing # 检查威胁日志条目 show log threat direction equal backward # 验证 App-ID 分类 show running application-override # 检查系统资源 show system resources ``` ## 最佳实践 - **最小权限** - 从全部拒绝开始,仅明确允许所需应用 - **App-ID 优先于端口** - 使用 Policy Optimizer 将基于端口的规则替换为特定应用规则 - **解密覆盖率** - 在适当隐私排除的前提下,至少解密 80% 的 SSL 流量 - **安全配置文件组** - 将防病毒、反间谍软件、漏洞防护、URL 过滤、文件阻断和 WildFire 作为组应用 - **签名更新** - 启用应用和威胁的每日自动内容更新 - **HA 配置** - 在生产环境中以主备 HA 对部署 - **提交前验证** - 提交前始终验证配置:`validate full` ## 参考资料 - [PAN-OS 管理指南](https://docs.paloaltonetworks.com/pan-os) - [NGFW 部署最佳实践](https://docs.paloaltonetworks.com/best-practices) - [NIST SP 800-41 Rev 1 - 防火墙和策略指南](https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final)
Related Skills
performing-web-application-firewall-bypass
使用编码技术、HTTP 方法操控、参数污染和载荷混淆绕过 Web 应用防火墙保护,将 SQL 注入、XSS 及其他攻击载荷穿透 WAF 检测规则。
implementing-zero-trust-with-hashicorp-boundary
使用 HashiCorp Boundary 实现具备动态凭据代理、会话录制和 Vault 集成的身份感知零信任基础设施访问管理。
implementing-zero-trust-with-beyondcorp
使用身份感知代理(IAP,Identity-Aware Proxy)、上下文感知访问策略、设备信任验证和 Access Context Manager,部署 Google BeyondCorp Enterprise 零信任访问控制,对 GCP 资源和内部应用强制执行基于身份和安全态势的访问。
implementing-zero-trust-network-access
通过配置身份感知代理、微分段、基于条件访问策略的持续验证,以及在 AWS、Azure 和 GCP 环境中以 BeyondCorp 风格的架构替代传统 VPN 访问,在云环境中实施零信任网络访问(ZTNA)。
implementing-zero-trust-network-access-with-zscaler
使用 Zscaler 实施零信任网络访问(Zero Trust Network Access,ZTNA),通过 Zscaler Private Access(ZPA)配置应用分段、访问策略和连接器,替代传统 VPN 架构
implementing-zero-trust-in-cloud
本技能指导组织按照 NIST SP 800-207 和 Google BeyondCorp 原则在云环境中实施零信任(Zero Trust)架构,涵盖以身份为中心的访问控制、微分段(Micro-Segmentation)、持续验证、设备信任评估,以及部署身份感知代理(Identity-Aware Proxy)以消除 AWS、Azure 和 GCP 环境中的隐式网络信任。
implementing-zero-trust-for-saas-applications
使用 CASB、SSPM、条件访问策略、OAuth 应用治理和会话控制,为 SaaS 应用实施零信任访问控制, 对云托管服务强制执行身份验证、设备合规性检查和数据保护。
implementing-zero-trust-dns-with-nextdns
将 NextDNS 实施为零信任 DNS 过滤层,提供加密解析、威胁情报阻断、隐私保护,以及跨所有端点的组织策略执行。
implementing-zero-standing-privilege-with-cyberark
部署 CyberArk Secure Cloud Access,通过基于时间、权限和审批控制的即时访问,在混合云和多云环境中消除常设权限。
implementing-zero-knowledge-proof-for-authentication
零知识证明(ZKP)允许证明者在不泄露秘密本身的情况下证明对某个秘密(如密码或私钥)的了解。本技能实现 Schnorr 身份识别协议和使用离散对数问题的简化 ZKPP,使服务器永远不需要获取用户密码即可完成认证。
implementing-web-application-logging-with-modsecurity
配置带有 OWASP 核心规则集(CRS)的 ModSecurity WAF,实现 Web 应用程序日志记录, 调整规则以减少误报,分析审计日志进行攻击检测,并为应用程序特定威胁实现自定义 SecRules。 分析师配置 SecRuleEngine、SecAuditEngine 和 CRS 偏执级别,以在安全覆盖范围和运营稳定性之间取得平衡。 适用于涉及 WAF 配置、ModSecurity 规则调整、Web 应用审计日志或 CRS 部署的场景。
implementing-vulnerability-sla-breach-alerting
为漏洞修复 SLA 违规构建自动化告警,包含基于严重程度的时间线、升级工作流和合规性报告仪表板。