implementing-next-generation-firewall-with-palo-alto

配置和部署 Palo Alto Networks 下一代防火墙(NGFW),实现 App-ID 应用识别、User-ID 用户身份、基于区域的策略、SSL 解密以及威胁防御配置文件,为企业网络安全提供全面保护。

9 stars

Best use case

implementing-next-generation-firewall-with-palo-alto is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

配置和部署 Palo Alto Networks 下一代防火墙(NGFW),实现 App-ID 应用识别、User-ID 用户身份、基于区域的策略、SSL 解密以及威胁防御配置文件,为企业网络安全提供全面保护。

Teams using implementing-next-generation-firewall-with-palo-alto should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-next-generation-firewall-with-palo-alto/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-next-generation-firewall-with-palo-alto Compares

Feature / Agentimplementing-next-generation-firewall-with-palo-altoStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

配置和部署 Palo Alto Networks 下一代防火墙(NGFW),实现 App-ID 应用识别、User-ID 用户身份、基于区域的策略、SSL 解密以及威胁防御配置文件,为企业网络安全提供全面保护。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用 Palo Alto 实施下一代防火墙

## 概述

Palo Alto Networks 下一代防火墙(NGFW)超越了传统的基于端口的规则执行,实现了应用感知、身份驱动的安全策略。通过利用 App-ID 进行流量分类、User-ID 进行身份驱动执行、Content-ID 进行威胁检测,以及 SSL 解密提升加密流量可见性,组织可获得对网络流量的全面控制。本技能涵盖从初始配置到高级威胁防御配置文件的端到端部署。

## 前置条件

- Palo Alto Networks PA 系列设备或 VM-Series 虚拟防火墙
- PAN-OS 10.2 或更高版本
- 有效的威胁防御、URL 过滤和 WildFire 许可证
- 包含区域定义的网络拓扑文档
- 用于 User-ID 的 LDAP/Active Directory 集成凭据
- 用于 SSL Forward Proxy 解密的内部 CA 证书

## 核心概念

### App-ID 技术

App-ID 无论端口、协议或加密情况如何,都能按应用程序对网络流量进行分类。分类引擎按顺序使用多种识别技术:

1. **应用签名** - 与已知应用签名进行模式匹配
2. **SSL/TLS 解密** - 解密流量以识别加密隧道中隐藏的应用
3. **应用协议解码** - 解码协议以发现其中隧道传输的应用
4. **启发式分析** - 对规避其他方法的应用进行行为分析

Policy Optimizer 工具通过分析流量日志并推荐特定应用替代规则,帮助从旧式基于端口的规则迁移到 App-ID 规则。

### User-ID 集成

User-ID 通过多种方式将 IP 地址映射到用户身份:

- **服务器监控** - 解析 Windows 安全事件日志(事件 ID 4624、4768、4769)
- **Syslog 监听** - 接收来自 RADIUS、802.1X、代理的认证事件
- **GlobalProtect** - 自动映射 VPN 用户
- **强制门户(Captive Portal)** - 对未知用户进行 Web 认证
- **XML API** - 从自定义来源程序化映射用户

### 基于区域的架构

区域代表网络的逻辑分段。安全策略控制区域间(inter-zone)和区域内(intra-zone)的流量:

| 区域 | 用途 | 信任级别 |
|------|------|---------|
| Trust | 企业内部 LAN | 高 |
| Untrust | 面向互联网 | 无 |
| DMZ | 公开服务器 | 中 |
| Guest | 访客无线 | 低 |
| DataCenter | 服务器基础设施 | 高 |

## 实施步骤

### 步骤 1:初始系统配置

配置管理接口、DNS、NTP 和系统设置:

```
set deviceconfig system hostname PA-FW01
set deviceconfig system domain corp.example.com
set deviceconfig system dns-setting servers primary 10.0.1.10
set deviceconfig system dns-setting servers secondary 10.0.1.11
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 0.pool.ntp.org
set deviceconfig system timezone US/Eastern
set deviceconfig system login-banner "仅授权访问。所有活动均受监控。"
```

### 步骤 2:配置网络区域和接口

定义安全区域并分配接口:

```
set zone Trust network layer3 ethernet1/1
set zone Untrust network layer3 ethernet1/2
set zone DMZ network layer3 ethernet1/3
set zone Guest network layer3 ethernet1/4

set network interface ethernet ethernet1/1 layer3 ip 10.10.0.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping
set network interface ethernet ethernet1/2 layer3 dhcp-client

set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 ]
```

### 步骤 3:配置区域保护配置文件

在区域级别防范侦察和 DoS 攻击:

```
set network profiles zone-protection-profile Strict-ZP flood tcp-syn enable yes
set network profiles zone-protection-profile Strict-ZP flood tcp-syn alert-rate 100
set network profiles zone-protection-profile Strict-ZP flood tcp-syn activate-rate 500
set network profiles zone-protection-profile Strict-ZP flood tcp-syn maximal-rate 2000
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies enable yes

set network profiles zone-protection-profile Strict-ZP flood udp enable yes
set network profiles zone-protection-profile Strict-ZP flood icmp enable yes

set network profiles zone-protection-profile Strict-ZP scan 8003 action block-ip
set network profiles zone-protection-profile Strict-ZP scan 8003 interval 2
set network profiles zone-protection-profile Strict-ZP scan 8003 threshold 100
```

### 步骤 4:配置威胁防御配置文件

创建防病毒、反间谍软件、漏洞防护和 URL 过滤配置文件:

```
# 反间谍软件配置文件
set profiles spyware Strict-AS botnet-domains lists default-paloalto-dns packet-capture single-packet
set profiles spyware Strict-AS botnet-domains sinkhole ipv4-address pan-sinkhole-default-ip
set profiles spyware Strict-AS rules Block-Critical severity critical action block-ip

# 漏洞防护配置文件
set profiles vulnerability Strict-VP rules Block-Critical-High vendor-id any severity [ critical high ] action block-ip

# URL 过滤配置文件
set profiles url-filtering Strict-URL credential-enforcement mode ip-user
set profiles url-filtering Strict-URL block [ command-and-control malware phishing ]
set profiles url-filtering Strict-URL alert [ hacking proxy-avoidance-and-anonymizers ]

# 文件阻断配置文件
set profiles file-blocking Strict-FB rules Block-Dangerous application any file-type [ bat exe msi ps1 vbs ] direction both action block

# WildFire 分析配置文件
set profiles wildfire-analysis Strict-WF rules Forward-All application any file-type any direction both analysis public-cloud
```

### 步骤 5:配置 SSL 解密

为出站流量检测设置 SSL Forward Proxy:

```
# 生成 Forward Trust CA 证书
request certificate generate certificate-name SSL-FP-CA algorithm RSA digest sha256 ca yes

# 创建解密配置文件
set profiles decryption Strict-Decrypt ssl-forward-proxy block-expired-certificate yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-untrusted-issuer yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-unknown-cert yes
set profiles decryption Strict-Decrypt ssl-forward-proxy restrict-cert-exts yes

# 创建解密策略
set rulebase decryption rules Decrypt-Outbound from Trust to Untrust source any destination any
set rulebase decryption rules Decrypt-Outbound action decrypt type ssl-forward-proxy
set rulebase decryption rules Decrypt-Outbound profile Strict-Decrypt

# 排除敏感类别(金融、医疗)
set rulebase decryption rules No-Decrypt-Sensitive from Trust to Untrust
set rulebase decryption rules No-Decrypt-Sensitive category [ financial-services health-and-medicine ]
set rulebase decryption rules No-Decrypt-Sensitive action no-decrypt
```

### 步骤 6:构建安全策略

创建带安全配置文件的应用感知安全策略:

```
# 允许来自 Trust 区到互联网的业务应用
set rulebase security rules Allow-Business from Trust to Untrust
set rulebase security rules Allow-Business source-user any
set rulebase security rules Allow-Business application [ office365-enterprise salesforce-base slack-base zoom ]
set rulebase security rules Allow-Business service application-default
set rulebase security rules Allow-Business action allow
set rulebase security rules Allow-Business profile-setting group Strict-Security-Profiles

# 允许带 URL 过滤的 Web 浏览
set rulebase security rules Allow-Web from Trust to Untrust
set rulebase security rules Allow-Web application [ web-browsing ssl ]
set rulebase security rules Allow-Web action allow
set rulebase security rules Allow-Web profile-setting profiles url-filtering Strict-URL

# 阻断高风险应用
set rulebase security rules Block-HighRisk from any to any
set rulebase security rules Block-HighRisk application [ bittorrent tor anonymizer ]
set rulebase security rules Block-HighRisk action deny
set rulebase security rules Block-HighRisk log-end yes

# 默认拒绝规则(明确设置)
set rulebase security rules Deny-All from any to any source any destination any
set rulebase security rules Deny-All application any service any action deny
set rulebase security rules Deny-All log-end yes
```

### 步骤 7:配置日志记录和 SIEM 集成

将日志转发至 SIEM 进行关联分析:

```
# 配置 Syslog 服务器配置文件
set shared log-settings syslog SIEM-Server server SIEM transport UDP port 514 server 10.0.5.100
set shared log-settings syslog SIEM-Server server SIEM facility LOG_USER

# 配置日志转发配置文件
set shared log-settings profiles SIEM-Forward match-list Threats log-type threat
set shared log-settings profiles SIEM-Forward match-list Threats send-syslog SIEM-Server
set shared log-settings profiles SIEM-Forward match-list Traffic log-type traffic
set shared log-settings profiles SIEM-Forward match-list Traffic send-syslog SIEM-Server
set shared log-settings profiles SIEM-Forward match-list URL log-type url
set shared log-settings profiles SIEM-Forward match-list URL send-syslog SIEM-Server
```

## 验证与测试

1. **策略审计** - 使用 `show running security-policy` 检查并排查被遮蔽的规则
2. **流量验证** - 监控流量日志以验证应用分类准确性
3. **威胁模拟** - 使用 EICAR 测试文件和已知恶意 URL 验证威胁配置文件
4. **SSL 解密测试** - 验证浏览器中的证书链是否匹配 Forward Trust CA
5. **区域保护测试** - 运行受控 SYN Flood 验证 SYN Cookie 激活
6. **Policy Optimizer** - 运行 Policy Optimizer 识别剩余的基于端口的规则

```bash
# 验证活动会话
show session all filter application web-browsing

# 检查威胁日志条目
show log threat direction equal backward

# 验证 App-ID 分类
show running application-override

# 检查系统资源
show system resources
```

## 最佳实践

- **最小权限** - 从全部拒绝开始,仅明确允许所需应用
- **App-ID 优先于端口** - 使用 Policy Optimizer 将基于端口的规则替换为特定应用规则
- **解密覆盖率** - 在适当隐私排除的前提下,至少解密 80% 的 SSL 流量
- **安全配置文件组** - 将防病毒、反间谍软件、漏洞防护、URL 过滤、文件阻断和 WildFire 作为组应用
- **签名更新** - 启用应用和威胁的每日自动内容更新
- **HA 配置** - 在生产环境中以主备 HA 对部署
- **提交前验证** - 提交前始终验证配置:`validate full`

## 参考资料

- [PAN-OS 管理指南](https://docs.paloaltonetworks.com/pan-os)
- [NGFW 部署最佳实践](https://docs.paloaltonetworks.com/best-practices)
- [NIST SP 800-41 Rev 1 - 防火墙和策略指南](https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final)

Related Skills

performing-web-application-firewall-bypass

9
from killvxk/cybersecurity-skills-zh

使用编码技术、HTTP 方法操控、参数污染和载荷混淆绕过 Web 应用防火墙保护,将 SQL 注入、XSS 及其他攻击载荷穿透 WAF 检测规则。

implementing-zero-trust-with-hashicorp-boundary

9
from killvxk/cybersecurity-skills-zh

使用 HashiCorp Boundary 实现具备动态凭据代理、会话录制和 Vault 集成的身份感知零信任基础设施访问管理。

implementing-zero-trust-with-beyondcorp

9
from killvxk/cybersecurity-skills-zh

使用身份感知代理(IAP,Identity-Aware Proxy)、上下文感知访问策略、设备信任验证和 Access Context Manager,部署 Google BeyondCorp Enterprise 零信任访问控制,对 GCP 资源和内部应用强制执行基于身份和安全态势的访问。

implementing-zero-trust-network-access

9
from killvxk/cybersecurity-skills-zh

通过配置身份感知代理、微分段、基于条件访问策略的持续验证,以及在 AWS、Azure 和 GCP 环境中以 BeyondCorp 风格的架构替代传统 VPN 访问,在云环境中实施零信任网络访问(ZTNA)。

implementing-zero-trust-network-access-with-zscaler

9
from killvxk/cybersecurity-skills-zh

使用 Zscaler 实施零信任网络访问(Zero Trust Network Access,ZTNA),通过 Zscaler Private Access(ZPA)配置应用分段、访问策略和连接器,替代传统 VPN 架构

implementing-zero-trust-in-cloud

9
from killvxk/cybersecurity-skills-zh

本技能指导组织按照 NIST SP 800-207 和 Google BeyondCorp 原则在云环境中实施零信任(Zero Trust)架构,涵盖以身份为中心的访问控制、微分段(Micro-Segmentation)、持续验证、设备信任评估,以及部署身份感知代理(Identity-Aware Proxy)以消除 AWS、Azure 和 GCP 环境中的隐式网络信任。

implementing-zero-trust-for-saas-applications

9
from killvxk/cybersecurity-skills-zh

使用 CASB、SSPM、条件访问策略、OAuth 应用治理和会话控制,为 SaaS 应用实施零信任访问控制, 对云托管服务强制执行身份验证、设备合规性检查和数据保护。

implementing-zero-trust-dns-with-nextdns

9
from killvxk/cybersecurity-skills-zh

将 NextDNS 实施为零信任 DNS 过滤层,提供加密解析、威胁情报阻断、隐私保护,以及跨所有端点的组织策略执行。

implementing-zero-standing-privilege-with-cyberark

9
from killvxk/cybersecurity-skills-zh

部署 CyberArk Secure Cloud Access,通过基于时间、权限和审批控制的即时访问,在混合云和多云环境中消除常设权限。

implementing-zero-knowledge-proof-for-authentication

9
from killvxk/cybersecurity-skills-zh

零知识证明(ZKP)允许证明者在不泄露秘密本身的情况下证明对某个秘密(如密码或私钥)的了解。本技能实现 Schnorr 身份识别协议和使用离散对数问题的简化 ZKPP,使服务器永远不需要获取用户密码即可完成认证。

implementing-web-application-logging-with-modsecurity

9
from killvxk/cybersecurity-skills-zh

配置带有 OWASP 核心规则集(CRS)的 ModSecurity WAF,实现 Web 应用程序日志记录, 调整规则以减少误报,分析审计日志进行攻击检测,并为应用程序特定威胁实现自定义 SecRules。 分析师配置 SecRuleEngine、SecAuditEngine 和 CRS 偏执级别,以在安全覆盖范围和运营稳定性之间取得平衡。 适用于涉及 WAF 配置、ModSecurity 规则调整、Web 应用审计日志或 CRS 部署的场景。

implementing-vulnerability-sla-breach-alerting

9
from killvxk/cybersecurity-skills-zh

为漏洞修复 SLA 违规构建自动化告警,包含基于严重程度的时间线、升级工作流和合规性报告仪表板。