This is the main CLI command to view detailed HA status.

show session all filter ...

This command filters the session table (active traffic sessions) and shows details including:

• Source/Destination IP & port

• Application, protocol, and action

• Security policy name that was matched

> show session all filter source <source-ip> destination <destination-ip>

You can add optional filters for fine-tuning:

> show session all filter source <src-ip> destination <dst-ip> destination-port <port>
> show session all filter application <app-name>
> show session all filter rule <rule-name>

This command simulates traffic (without generating real packets) and tells you exactly which policy rule would match that traffic, along with the action taken.

test security-policy-match source <source-ip> destination <destination-ip> protocol <protocol> destination-port <port>


Optional Parameters

from <zone> – Source zone

to <zone> – Destination zone

application <app-name> – Optional

category <url-category> – Optional

1. Single-Pass Architecture

"Classify once, apply many"

The firewall inspects traffic only once, extracting all the necessary information in a single pass through the data plane. Instead of having separate engines for App-ID, Threat-ID, and Content-ID each scan the traffic independently, the SP3 architecture processes it just once.

🔹 What happens during a single pass:

• Packet decoding

• Application identification (App-ID)

• User identification (User-ID)

• Content inspection (Content-ID)

• Threat prevention (Threat-ID)

• URL filtering

• Data Loss Prevention (DLP)

All these services use the same stream of data — no redundant processing.

Benefits:

• Lower latency — no need to reprocess traffic for each feature

• Higher throughput — efficient resource usage

• Consistent security — all engines work on the same extracted metadata

2. Parallel Processing (Multi-Core Architecture)

"Do many things at the same time"

The firewall uses a multi-core CPU architecture, where different processing engines run in parallel on separate cores. Each function is optimized and assigned to its own processor or processing group.

🔹 Key planes involved:

Within the Data Plane, parallel processors handle:

• Networking (routing, switching, NAT)

• Security (App-ID, Content-ID, Threat-ID)

• Decryption (SSL/TLS)

• Forwarding (session handling, traffic shaping)

 Benefits:

• Scalability — can handle more traffic by adding more cores

• Efficiency — each core does a specific job, avoiding bottlenecks

• High performance — enables full-feature inspection at line rate

There are  four primary deployment modes:

1. Layer 2 Mode (Transparent Switching)
2. Layer 3 Mode (Routing)
3. Virtual Wire Mode (Transparent Inline)
4. Tap Mode (Passive Monitoring)

1. Layer 2 Mode (Transparent Switching)

🔹 Description:

• The firewall acts like a switch or bridge.

• Interfaces are assigned to a VLAN, and traffic is forwarded based on MAC addresses.

🔹 Use Cases:

• When you want the firewall to inspect traffic within the same subnet (east-west traffic).

• Adding security between devices on the same VLAN without changing IP addressing.

🔹 Key Points:

• No routing — just switching/bridging.

• Still allows App-ID, Content-ID, User-ID, etc.

• Interfaces are part of a Layer 2 zone.

🔹 Example:

• Filtering traffic between hosts in the same VLAN (e.g., between user PCs and printers).

2. Layer 3 Mode (Routing)

🔹 Description:

• The most common deployment mode.

• The firewall routes traffic between different subnets.

• Each interface has its own IP address, and participates in routing.

🔹 Use Cases:

• When the firewall is your gateway/router between networks (e.g., internal to DMZ, or LAN to WAN).

• Full control of traffic with routing protocols, NAT, and security policies.

🔹 Key Points:

• Supports static and dynamic routing (OSPF, BGP, RIP).

• Most flexible and powerful deployment.

• Interfaces are part of a Layer 3 zone.

🔹 Example:

• Firewall sits between your LAN and Internet, performing routing, NAT, and inspection.

3. Virtual Wire Mode (Transparent Inline)

🔹 Description:

• The firewall is deployed transparently between two network devices (like a bump-in-the-wire).

• No IP addressing or MAC changes — traffic is just passed through.

🔹 Use Cases:

• When you need inline inspection without changing the existing network topology.

• Ideal for stealth deployment — often used in data centers or testing environments.

🔹 Key Points:

• Interfaces are paired as virtual wires.

• No need to configure IP addresses on the firewall interfaces.

• Still supports App-ID, Threat Prevention, etc.

• Interfaces are part of a Virtual Wire zone.

🔹 Example:

• Inserted between a router and a switch to monitor and control traffic without disrupting the network.

4. Tap Mode (Passive Monitoring)

🔹 Description:

• The firewall receives a copy of network traffic (via SPAN/mirror port).

• It is not inline, so it can't block traffic — only monitor and analyze it.

🔹 Use Cases:

• For passive threat detection, visibility, or evaluation before moving inline.

• Useful in audit or test environments.

🔹 Key Points:

• No traffic control (no NAT, no policy enforcement).

• Great for logging, visibility, and learning network behavior.

• Interfaces are part of a Tap zone.

🔹 Example:

• Connect the firewall to a mirrored port on a switch to monitor web traffic for malware.

App-ID stands for Application Identification. It is a mechanism that classifies network traffic by application, rather than relying on traditional methods like:

• Port numbers (e.g., HTTP = port 80)

• Protocol types (e.g., TCP, UDP)

• IP addresses

Traditional firewalls may allow traffic based on ports/protocols, assuming that traffic over port 80 is web traffic (HTTP). But many modern applications can use non-standard ports, encryption, tunneling, or port hopping to avoid detection.

App-ID identifies the actual application, even if it’s using:

• A non-default port

• An encrypted tunnel

• Common services like HTTP, HTTPS, or DNS to mask its behavior

App-ID uses a multi-step process to identify applications accurately:

1. Initial Packet Inspection (Signatures)

• As soon as traffic hits the firewall, it inspects the first few packets.

• Uses protocol decoders and application signatures (like a fingerprint) to match known applications.

2. Application Decoding

• If the traffic isn't identifiable by early signatures, the firewall decodes the protocol and looks deeper into the session.

• For example, it may decode HTTP headers or SSL certificates to find identifying data.

3. Heuristics and Behavioral Analysis

• If the application still isn't known, it analyzes traffic patterns, payload size, timing, etc.

• This helps detect evasive or unknown apps, like proxy tools or tunnels.

4. SSL Decryption (Optional)

• If the traffic is encrypted, App-ID can decrypt SSL/TLS traffic (if SSL decryption is enabled) to inspect the content.

5. Continuous Identification

• App-ID continues to monitor the session.

• Some apps may "morph" during a session (e.g., Facebook starts as HTTPS, then loads embedded chat, video, etc.).

• App-ID dynamically reclassifies the application mid-session if needed.

Here's a step-by-step guide to configure URL Filtering in Palo Alto Networks firewalls to block certain websites or categories:

1. Create or Modify a URL Filtering Profile

A URL Filtering Profile is a set of rules that defines how the firewall will filter URLs (i.e., which websites and categories to allow or block).

Steps to Create a URL Filtering Profile:

1. Log into the Web Interface: Open a browser and log into the Palo Alto firewall's web interface using the administrator credentials.

2. Navigate to URL Filtering Profile Settings:

   • Go to Objects > Security Profiles > URL Filtering.

3. Create a New URL Filtering Profile:

   • Click on the Add button to create a new URL filtering profile.
   • Provide a Name for the profile (e.g., BlockSocialMedia).

4. Configure URL Filtering Settings:

   • Under the Actions tab, you can specify how to handle specific URL categories or individual URLs.
   • In the Category section, you can either:
     • Allow: Permit access to websites in this category.
     • Block: Deny access to websites in this category.
     • Override: Let users request an override if they need access to a blocked category (this requires proper configuration for override permissions).
     • Alert: Generate an alert for traffic involving these websites, without blocking it.

Example Configuration for Blocking Social Media:

• Under Category, find categories like Social Networking, Instant Messaging, and Blogs.

  • For each of these, select Block.

• For Custom URL Entries:

  • If you want to block specific websites not categorized, go to the Custom URLs section.
  • Click Add and enter the URLs you wish to block (e.g., www.facebook.com, www.twitter.com, etc.).
  • Choose the action as Block.

5. Commit the Profile: After making the changes, click OK to save the profile. You'll need to Commit the configuration for it to take effect. Click on Commit in the upper right corner and confirm.

2. Apply the URL Filtering Profile to a Security Policy

Once the URL Filtering profile is created, it needs to be applied to a Security Policy that controls the traffic flow through the firewall.

Steps to Apply the URL Filtering Profile to a Security Policy:

1. Go to Security Policies:

   • Navigate to Policies > Security.

2. Select or Create a Security Policy:

   • If you want to apply the URL filtering profile to an existing rule, select the rule from the list.
   • If you need to create a new rule to specifically apply URL filtering, click Add.

3. Configure the Security Policy:

   • In the security policy, specify the Source Zone, Destination Zone, and Applications as needed (e.g., you may choose to apply it to all traffic or restrict it to specific users, IP addresses, or applications).
   • Under the Actions tab of the security policy rule, find the Security Profiles section.

4. Enable URL Filtering:

   • In the Security Profiles section, click Add and select the URL Filtering Profile you created earlier (e.g., BlockSocialMedia).

5. Commit the Configuration: After applying the URL filtering profile, click OK to save the changes. Then, commit the configuration by clicking the Commit button in the top right.

3. Test the Configuration

After committing the changes, it’s essential to test the URL Filtering configuration to ensure that the websites or categories you intended to block are indeed blocked.

Testing Steps:

1. Access Blocked Websites:

   • From a client machine within the scope of the policy, try to access a website that should be blocked (e.g., www.facebook.com).
   • You should receive a block page or a custom error message indicating that the access is denied.

2. Verify Logs:

   • Go to Monitor > Logs > URL Filtering in the web interface.
   • Review the logs to see if traffic to blocked websites is being logged correctly. You should see logs for blocked requests, which will include information about the URLs being accessed, the source IP, and the action (Blocked).

4. Customizing the Block Page (Optional)

You can customize the block page users see when they try to access a blocked website. For instance, you might want to display a company-specific message explaining why access to certain categories or sites is restricted.

Steps to Customize the Block Page:

1. Navigate to Device > Shared > Custom Block Page.
2. You can edit the default block page or upload a custom HTML page.
3. Once you've configured the block page, go to Objects > Security Profiles > URL Filtering.
4. Under the Block Page section of the URL filtering profile, select the custom block page you configured.

5. Additional URL Filtering Settings

Blocking Custom URLs:

If there are specific websites that fall outside of standard categories, you can block individual URLs by adding them to the Custom URL Blocking list.

• Under the URL Filtering Profile, in the Custom URLs section, click Add.
• Enter the Domain Name or URL (e.g., www.example.com).
• Set the action to Block.

Allowing Specific URLs:

If you want to allow specific sites even if they are part of a blocked category, you can create exceptions:

• Under Custom URLs, add the URL you want to allow (e.g., www.example.com) and set the action to Allow.

Override Feature:

You can enable override for users to request access to a blocked site by creating an override rule. This requires additional configuration to allow users to submit override requests, which may involve logging in with credentials or providing a justification.

Purpose of Threat Vault

The primary purpose of Threat Vault is to provide detailed, real-time intelligence about threats detected in the network. This allows security professionals to understand the nature of the threat, track its history, and take appropriate actions to prevent future incidents. It helps security teams enhance their incident response and prevention strategies by offering comprehensive insights into various types of threats, including:

• Malware (e.g., viruses, trojans, ransomware)
• Exploits (e.g., zero-day vulnerabilities)
• Command and Control (C2) communication
• Phishing and social engineering attempts
• Botnets and advanced persistent threats (APT)

Key Features of Threat Vault

1. Centralized Threat Intelligence Repository

• Threat Vault aggregates threat intelligence across Palo Alto Networks products, including Firewalls, Cortex XDR, and WildFire, into one centralized location.
• It stores detailed information about threats, including metadata, signatures, attack techniques, and behavior analysis.

2. Detailed Threat Information

• Threat Details: Threat Vault offers detailed insights into threats, including:
  • Description and analysis of the malicious activity
  • Affected applications or systems
  • Indicators of compromise (IoCs) such as IP addresses, domain names, file hashes, and URLs
  • Risk level and severity assessment
• This information is used to identify and mitigate future threats effectively.

3. Threat Indicators and Signatures

• Threat Vault allows security teams to view, search, and retrieve threat indicators (IoCs) that help in detecting malicious activity.
• These indicators include:
  • File hashes
  • IP addresses
  • Domain names
  • URLs
  • Registry keys or file paths
• By leveraging these IoCs, security teams can identify malicious content or behavior in their network and apply countermeasures more swiftly.

4. WildFire Integration

• WildFire is Palo Alto Networks’ advanced cloud-based malware analysis engine. Threat Vault integrates closely with WildFire, allowing users to analyze malware samples, track their evolution, and see how those samples are categorized.
• WildFire helps identify and analyze unknown, evasive, or new threats and provides actionable threat intelligence to help defend against them.

5. Behavioral Analysis

• In addition to static indicators, Threat Vault may also offer insights into behavioral analysis of malware and attacks.
• This includes Tactics, Techniques, and Procedures (TTPs) of cyber adversaries. It helps detect and block attacks based on their behavior (rather than relying solely on known signatures).

6. Contextual Threat Visibility

• Threat Vault provides visibility into the context surrounding detected threats. For example:
  • When the threat was first observed
  • Where it came from (e.g., country, region, IP addresses)
  • Which organizations or industries were targeted
• This information is vital for security teams to understand the potential impact and scope of an attack.

7. Collaboration and Data Sharing

• Threat Vault supports data sharing and collaboration between security teams within an organization or across different entities.
• By using threat intelligence feeds and reports, different departments or teams can align on how to handle specific threats.

8. Threat Intelligence Feeds

• Threat Vault often pulls data from external threat intelligence sources, including open-source threat intelligence (OSINT) and commercial threat feeds, giving you a broader view of the threat landscape.
• The platform helps correlate external threat intelligence with your network data to identify common attack patterns.

9. Search and Query Capabilities

• Security professionals can use advanced search and query capabilities to quickly find specific threats or indicators of compromise.
• Searches can be based on multiple criteria, such as threat type, IoCs, attack techniques, or severity.

10. Real-time and Historical Analysis

• Threat Vault allows for both real-time and historical analysis of threats. You can investigate current active threats or dive into past incidents to understand trends, reoccurring patterns, and root causes of threats.
• This is particularly helpful for post-incident investigations and for identifying latent threats that may have been missed in previous security assessments.

Use Cases for Threat Vault

1. Incident Response and Investigation

• During a security incident, Threat Vault can be used to gather threat intelligence to aid in investigation and response.
• It allows security teams to identify the nature of the threat, trace its origin, understand the scope of the attack, and look for additional signs of compromise.

2. Threat Detection and Prevention

• Threat Vault's threat intelligence can help prevent attacks by providing early warnings of new or emerging threats.
• It enables security teams to apply appropriate prevention measures, such as:
  • Blocking suspicious IP addresses or domains
  • Updating firewall rules to block traffic related to specific threats
  • Deploying updated signatures to detect and block specific malware

3. Threat Hunting

• Threat Vault is useful for proactive threat hunting. Security teams can use threat intelligence from the vault to search for indicators of compromise (IoCs) or signs of malicious activity in their environment, even if no alerts have been triggered.
• This helps in identifying threats that may have evaded detection by traditional security controls.

4. Security Posture and Risk Assessment

• Organizations can assess their security posture by reviewing past threats and understanding the types of attacks they were exposed to.
• Threat Vault can help track patterns, identify common attack vectors, and gauge the organization’s vulnerability to different types of threats.

5. Integration with SIEM and SOAR

• Threat Vault integrates with SIEM (Security Information and Event Management) systems and SOAR (Security Orchestration, Automation, and Response) platforms, enabling automated threat detection and incident response workflows.
• This integration helps security operations teams streamline their response to detected threats.

Benefits of Using Threat Vault

• Comprehensive Threat Intelligence: Access to a vast repository of data, including attack metadata, IoCs, and analysis of known threats, enhancing overall detection and response.
• Proactive Defense: By understanding threat patterns and using threat intelligence, organizations can implement proactive defense mechanisms to block known malicious activities before they cause harm.
• Faster Incident Response: With contextual information about threats, organizations can identify root causes and scope more quickly, reducing response times.
• Improved Security Operations: Threat Vault integrates with various security systems (like firewalls, SIEM, and SOAR), improving collaboration and efficiency across security operations teams.

The key differences between Virtual Wire and Layer 3 mode in Palo Alto firewalls:

1. Network Topology and Configuration

Virtual Wire Mode:

• Topology: Virtual Wire mode acts like a "bump in the wire" or transparent bridge between two network segments. It doesn’t require IP addresses on the firewall interfaces.
• Interfaces: The firewall is deployed between two network segments, and its interfaces are simply connected to the existing network without any routing.
• No Routing: There is no need for IP routing. The firewall simply forwards packets between two network interfaces as if it were a layer-2 device (like a switch or bridge).
• Use Case: Typically used for deployments where you want to insert the firewall into an existing network without making significant changes to the IP addressing or routing.

Layer 3 Mode:

• Topology: In Layer 3 mode, the firewall functions as a router. The firewall interfaces are assigned IP addresses, and it operates at Layer 3 (network layer) of the OSI model.
• Interfaces: Each interface on the firewall has its own IP address (just like a router), and the firewall is responsible for routing traffic between different network segments or subnets.
• Routing: The firewall performs IP routing and can make routing decisions based on IP addresses. You configure routing protocols (such as static routes or dynamic routing) to determine how traffic flows between different subnets.
• Use Case: Layer 3 mode is suitable for situations where the firewall needs to route traffic between different network segments or subnets, such as in perimeter security deployments or where you want the firewall to perform full network layer inspection.

2. IP Addressing

Virtual Wire Mode:

• No IP Addresses: Interfaces in Virtual Wire mode do not require IP addresses, as the firewall operates at Layer 2 (data link layer).
• Transparent Operation: The firewall acts transparently between two network segments, and it simply inspects and filters traffic based on Layer 2 information (MAC addresses), without the need for IP address assignments.

Layer 3 Mode:

• IP Addresses Required: Each interface on the firewall must have an IP address in Layer 3 mode. These addresses are used for routing traffic between network segments.
• Routing Protocols: In Layer 3 mode, you configure routing protocols (static or dynamic), and the firewall uses IP addresses to make forwarding decisions.

3. Traffic Processing and Inspection

Virtual Wire Mode:

• Layer 2 (Data Link) Operation: In Virtual Wire mode, the firewall operates transparently, and traffic is processed as a Layer 2 bridge. The firewall inspects traffic but does not modify the IP addresses or routing.
• Transparent Firewall: Since there’s no need for IP addressing, the firewall doesn’t make routing decisions. It simply passes traffic between interfaces while enforcing security policies (like firewall rules, application control, and threat prevention).
• No IP Configuration: No need for changes to existing IP configurations or routing in the network.

Layer 3 Mode:

• Layer 3 (Network Layer) Operation: In Layer 3 mode, the firewall operates as a router and makes decisions based on IP addresses, performing security inspection as it routes traffic between interfaces.
• Routing and Security: The firewall performs security inspections like filtering, NAT (Network Address Translation), and VPN (Virtual Private Network) as traffic passes through. It also applies security policies based on IP address, port, and protocol.
• Routing Decisions: Since the firewall is functioning as a router, it can route traffic between different subnets or VLANs.

4. Routing and NAT

Virtual Wire Mode:

• No Routing: Since Virtual Wire operates at Layer 2, there’s no routing involved. The firewall simply forwards traffic based on MAC addresses between its two interfaces.
• No NAT (Network Address Translation): NAT is typically not required or used in Virtual Wire mode because the firewall does not perform routing or IP address translation—it simply bridges traffic.

Layer 3 Mode:

• Routing: In Layer 3 mode, the firewall performs IP routing and can route traffic between different subnets or interfaces.
• NAT: The firewall can perform NAT (source and destination NAT) to modify the source or destination IP addresses in packets. This is useful for translating private IP addresses to public IP addresses and vice versa, or for isolating internal and external networks.

5. Deployment Scenarios and Use Cases

Virtual Wire Mode:

• Transparent Deployments: Ideal for environments where you want to add security to the network without reconfiguring the IP addressing or routing. It’s often used in transparent firewall deployments.
• Minimal Disruption: Since no IP addresses are needed on the firewall interfaces, Virtual Wire mode is often used when you want to insert the firewall into an existing network without disrupting existing IP configuration or network routing.
• DMZ Security: Virtual Wire mode can be used to provide security between two segments, such as between a trusted internal network and a DMZ.

Layer 3 Mode:

• Routing Between Subnets: Ideal when you need the firewall to route traffic between multiple subnets. This is common in perimeter security deployments where the firewall separates different network zones (internal, external, DMZ).
• Advanced Network Segmentation: Layer 3 mode is also used when you want to segment your network using VLANs and route between them while enforcing security policies.
• NAT and VPN: Layer 3 mode is necessary for configurations that require NAT (e.g., for internet access) or VPN (site-to-site, client VPN).

6. Performance Considerations

Virtual Wire Mode:

• Lower Overhead: Since Virtual Wire operates at Layer 2, the overhead may be lower compared to Layer 3, as there is no IP routing or NAT happening. This may result in slightly better performance when traffic simply needs to be passed through the firewall.

Layer 3 Mode:

• Routing and Inspection Overhead: Layer 3 mode involves more complex processing, as the firewall performs routing and may apply NAT, which can increase CPU load and processing time. However, this is necessary for environments where routing and more granular control over traffic are required.

Summary: Virtual Wire vs. Layer 3 Mode