Configures and deploys Palo Alto Networks NGFW using App-ID for app identification, User-ID integration, zone-based policies, SSL decryption, and threat prevention profiles for enterprise network security.
Slash command: /cybersecurity-skills-zh:implementing-next-generation-firewall-with-palo-alto
Palo Alto Networks next-generation firewalls (NGFW) go beyond traditional port-based rule enforcement to deliver application-aware, identity-driven security policy. By using App-ID for traffic classification, User-ID for identity-based enforcement, Content-ID for threat detection, and SSL decryption for visibility into encrypted traffic, organizations gain comprehensive control over network traffic. This skill covers end-to-end deployment, from initial configuration through advanced threat-prevention profiles.
App-ID classifies network traffic by application regardless of port, protocol, or encryption. The classification engine applies several identification techniques in sequence:
The Policy Optimizer tool helps migrate from legacy port-based rules to App-ID rules by analyzing traffic logs and recommending application-specific replacement rules.
User-ID maps IP addresses to user identities through several methods:
Zones represent logical segments of the network. Security policy governs both inter-zone and intra-zone traffic:
| Zone | Purpose | Trust level |
|---|---|---|
| Trust | Internal corporate LAN | High |
| Untrust | Internet-facing | None |
| DMZ | Public-facing servers | Medium |
| Guest | Guest wireless | Low |
| DataCenter | Server infrastructure | High |
Configure the management interface, DNS, NTP, and system settings:
```
set deviceconfig system hostname PA-FW01
set deviceconfig system domain corp.example.com
set deviceconfig system dns-setting servers primary 10.0.1.10
set deviceconfig system dns-setting servers secondary 10.0.1.11
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 0.pool.ntp.org
set deviceconfig system timezone US/Eastern
set deviceconfig system login-banner "仅授权访问。所有活动均受监控。"
```
Define security zones and assign interfaces to them:
```
set zone Trust network layer3 ethernet1/1
set zone Untrust network layer3 ethernet1/2
set zone DMZ network layer3 ethernet1/3
set zone Guest network layer3 ethernet1/4
set network interface ethernet ethernet1/1 layer3 ip 10.10.0.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping
# The DHCP client needs to be explicitly enabled on the Untrust interface
set network interface ethernet ethernet1/2 layer3 dhcp-client enable yes
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 ]
```
Protect against reconnaissance and DoS attacks at the zone level:
```
# SYN flood protection: the rates are SYN packets per second hitting the zone.
# At alert-rate an alarm is logged, at activate-rate SYN cookies start validating
# clients without holding state, and above maximal-rate excess SYNs are dropped.
set network profiles zone-protection-profile Strict-ZP flood tcp-syn enable yes
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies alert-rate 100
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies activate-rate 500
set network profiles zone-protection-profile Strict-ZP flood tcp-syn syn-cookies maximal-rate 2000
set network profiles zone-protection-profile Strict-ZP flood udp enable yes
set network profiles zone-protection-profile Strict-ZP flood icmp enable yes
# Reconnaissance protection (scan signature 8003): block the scanning source
# once 100 events are seen within a 2-second interval
set network profiles zone-protection-profile Strict-ZP scan 8003 action block-ip
set network profiles zone-protection-profile Strict-ZP scan 8003 interval 2
set network profiles zone-protection-profile Strict-ZP scan 8003 threshold 100
# The profile has no effect until it is attached to a zone (the Untrust zone here)
set zone Untrust network zone-protection-profile Strict-ZP
```
Create antivirus, anti-spyware, vulnerability protection, and URL filtering profiles:
```
# Anti-spyware profile (DNS sinkholing of known C2 domains, block critical signatures)
set profiles spyware Strict-AS botnet-domains lists default-paloalto-dns packet-capture single-packet
set profiles spyware Strict-AS botnet-domains sinkhole ipv4-address pan-sinkhole-default-ip
set profiles spyware Strict-AS rules Block-Critical severity critical action block-ip
# Vulnerability protection profile
set profiles vulnerability Strict-VP rules Block-Critical-High vendor-id any severity [ critical high ] action block-ip
# URL filtering profile (credential-enforcement stops corporate credentials being submitted to untrusted sites)
set profiles url-filtering Strict-URL credential-enforcement mode ip-user
set profiles url-filtering Strict-URL block [ command-and-control malware phishing ]
set profiles url-filtering Strict-URL alert [ hacking proxy-avoidance-and-anonymizers ]
# File blocking profile
set profiles file-blocking Strict-FB rules Block-Dangerous application any file-type [ bat exe msi ps1 vbs ] direction both action block
# WildFire analysis profile
set profiles wildfire-analysis Strict-WF rules Forward-All application any file-type any direction both analysis public-cloud
```
Set up SSL Forward Proxy for outbound traffic inspection:
```
# Generate the Forward Trust CA certificate; its public certificate must be
# distributed to client trust stores or every decrypted site will show a warning
request certificate generate certificate-name SSL-FP-CA algorithm RSA digest sha256 ca yes
# Register it as the forward-trust certificate used to re-sign trusted server certificates
set shared ssl-decrypt forward-trust-certificate rsa SSL-FP-CA
# Create the decryption profile (fail closed on bad server certificates)
set profiles decryption Strict-Decrypt ssl-forward-proxy block-expired-certificate yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-untrusted-issuer yes
set profiles decryption Strict-Decrypt ssl-forward-proxy block-unknown-cert yes
set profiles decryption Strict-Decrypt ssl-forward-proxy restrict-cert-exts yes
# Create the decryption policy
set rulebase decryption rules Decrypt-Outbound from Trust to Untrust source any destination any
set rulebase decryption rules Decrypt-Outbound action decrypt type ssl-forward-proxy
set rulebase decryption rules Decrypt-Outbound profile Strict-Decrypt
# Exclude sensitive categories (financial, healthcare)
set rulebase decryption rules No-Decrypt-Sensitive from Trust to Untrust source any destination any
set rulebase decryption rules No-Decrypt-Sensitive category [ financial-services health-and-medicine ]
set rulebase decryption rules No-Decrypt-Sensitive action no-decrypt
# Decryption rules match top-down; the exclusion must sit above the broad
# decrypt rule, otherwise it never matches and sensitive traffic is decrypted
move rulebase decryption rules No-Decrypt-Sensitive before Decrypt-Outbound
```
Create application-aware security policy with security profiles attached:
```
# Allow business applications from the Trust zone to the internet
# (the Strict-Security-Profiles group must already exist; it is not defined here)
set rulebase security rules Allow-Business from Trust to Untrust source any destination any
set rulebase security rules Allow-Business source-user any
set rulebase security rules Allow-Business application [ office365-enterprise salesforce-base slack-base zoom ]
set rulebase security rules Allow-Business service application-default
set rulebase security rules Allow-Business action allow
set rulebase security rules Allow-Business profile-setting group Strict-Security-Profiles
# Allow web browsing with URL filtering
set rulebase security rules Allow-Web from Trust to Untrust source any destination any
set rulebase security rules Allow-Web application [ web-browsing ssl ]
set rulebase security rules Allow-Web service application-default
set rulebase security rules Allow-Web action allow
set rulebase security rules Allow-Web profile-setting profiles url-filtering Strict-URL
# Block high-risk applications
set rulebase security rules Block-HighRisk from any to any source any destination any
set rulebase security rules Block-HighRisk application [ bittorrent tor anonymizer ]
set rulebase security rules Block-HighRisk service any
set rulebase security rules Block-HighRisk action deny
set rulebase security rules Block-HighRisk log-end yes
# Explicit default deny rule (logged, unlike the implicit interzone-default)
set rulebase security rules Deny-All from any to any source any destination any
set rulebase security rules Deny-All application any service any action deny
set rulebase security rules Deny-All log-end yes
# Rules are evaluated top-down in creation order; move the explicit block above
# the allow rules so an App-ID shift mid-session cannot fall through to an allow
move rulebase security rules Block-HighRisk top
```
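Because both rulebases above are matched top-down and stop at the first hit, a rule that an earlier rule fully covers is dead. The following added example (not code from the page or from Palo Alto Networks) models the security rules and the decryption rules as plain dicts, in the order the `set` commands create them, and reports any rule that is shadowed. Field names, the "unspecified field means any" default and the `move_to_top` helper are assumptions of this example; on the firewall itself `show running security-policy` and the commit warnings are the authoritative check.

```python
"""Shadowed-rule check for PAN-OS style rulebases (added example)."""
from typing import Dict, List, Sequence, Set, Tuple, Union

FieldValue = Union[str, Sequence[str]]
Rule = Dict[str, FieldValue]

# Match fields considered for each rulebase (assumed subset of the real ones).
SECURITY_FIELDS = ("from", "to", "source", "destination", "source-user", "application", "service")
DECRYPTION_FIELDS = ("from", "to", "source", "destination", "category")


def as_set(value: FieldValue) -> Set[str]:
    """Normalise a field to a set of values; the literal "any" is kept as a marker."""
    return {value} if isinstance(value, str) else set(value)


def covers(earlier: FieldValue, later: FieldValue) -> bool:
    """True when everything the later rule matches is also matched by the earlier rule."""
    e, l = as_set(earlier), as_set(later)
    if "any" in e:
        return True
    # If the later rule says "any" and the earlier one does not, {"any"} <= e is False.
    return l <= e


def shadowed_rules(rules: List[Rule], fields: Sequence[str]) -> List[Tuple[str, str]]:
    """Return (shadowed rule, earlier rule that shadows it) pairs in rulebase order.

    A rule that does not list a match field is treated as "any" for that field
    (an assumption made for this example, not a statement about PAN-OS defaults).
    """
    found: List[Tuple[str, str]] = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(earlier.get(f, "any"), later.get(f, "any")) for f in fields):
                found.append((later["name"], earlier["name"]))
                break
    return found


def move_to_top(rules: List[Rule], name: str) -> List[Rule]:
    """Copy of the rulebase with the named rule first (what `move ... top` does)."""
    picked = [r for r in rules if r["name"] == name]
    return picked + [r for r in rules if r["name"] != name]


# The four security rules from the configuration above, in creation order.
SECURITY_RULES: List[Rule] = [
    {"name": "Allow-Business", "from": "Trust", "to": "Untrust", "source-user": "any",
     "application": ["office365-enterprise", "salesforce-base", "slack-base", "zoom"],
     "service": "application-default", "action": "allow"},
    {"name": "Allow-Web", "from": "Trust", "to": "Untrust",
     "application": ["web-browsing", "ssl"], "service": "application-default", "action": "allow"},
    {"name": "Block-HighRisk", "from": "any", "to": "any",
     "application": ["bittorrent", "tor", "anonymizer"], "action": "deny"},
    {"name": "Deny-All", "from": "any", "to": "any", "source": "any", "destination": "any",
     "application": "any", "service": "any", "action": "deny"},
]

# The two decryption rules in the order the `set` commands create them (before any `move`).
DECRYPTION_RULES: List[Rule] = [
    {"name": "Decrypt-Outbound", "from": "Trust", "to": "Untrust", "source": "any",
     "destination": "any", "action": "decrypt"},
    {"name": "No-Decrypt-Sensitive", "from": "Trust", "to": "Untrust",
     "category": ["financial-services", "health-and-medicine"], "action": "no-decrypt"},
]


if __name__ == "__main__":
    print("security, page order:", shadowed_rules(SECURITY_RULES, SECURITY_FIELDS))
    print("security, Deny-All on top:",
          shadowed_rules(move_to_top(SECURITY_RULES, "Deny-All"), SECURITY_FIELDS))
    print("decryption, page order:", shadowed_rules(DECRYPTION_RULES, DECRYPTION_FIELDS))
    print("decryption, exclusion on top:",
          shadowed_rules(move_to_top(DECRYPTION_RULES, "No-Decrypt-Sensitive"), DECRYPTION_FIELDS))
```

Run as written, the security rulebase in page order has no shadowed rule, moving Deny-All to the top shadows all three rules below it, and the decryption rulebase in creation order reports No-Decrypt-Sensitive as shadowed by Decrypt-Outbound until the exclusion is moved above the decrypt rule.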
Forward logs to the SIEM for correlation:
```
# Syslog server profile (UDP is unauthenticated and can drop under load;
# PAN-OS syslog profiles also support TCP and SSL transports)
set shared log-settings syslog SIEM-Server server SIEM transport UDP port 514 server 10.0.5.100
set shared log-settings syslog SIEM-Server server SIEM facility LOG_USER
# Log forwarding profile
set shared log-settings profiles SIEM-Forward match-list Threats log-type threat
set shared log-settings profiles SIEM-Forward match-list Threats send-syslog SIEM-Server
set shared log-settings profiles SIEM-Forward match-list Traffic log-type traffic
set shared log-settings profiles SIEM-Forward match-list Traffic send-syslog SIEM-Server
set shared log-settings profiles SIEM-Forward match-list URL log-type url
set shared log-settings profiles SIEM-Forward match-list URL send-syslog SIEM-Server
# The forwarding profile does nothing until it is attached to each security rule
set rulebase security rules Allow-Business log-setting SIEM-Forward
set rulebase security rules Allow-Web log-setting SIEM-Forward
set rulebase security rules Block-HighRisk log-setting SIEM-Forward
set rulebase security rules Deny-All log-setting SIEM-Forward
```
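What the SIEM side of this forwarding looks like, as an added example that is not code from the page or from Palo Alto Networks: a small collector-side triage that parses forwarded lines and pulls out the events a defender looks at first (sources the firewall has already placed under a block-ip, and traffic denied per rule). It assumes the SIEM-Server profile was given a custom log format (PAN-OS syslog server profiles allow a custom format per log type) that emits key=value pairs; the field names and every sample line are constructed for this example. The default PAN-OS syslog format is positional CSV, so a parser for that would map columns by index instead of by key.

```python
"""Triage of PAN-OS logs forwarded over syslog (added example, constructed format)."""
import re
from collections import Counter
from typing import Dict, Iterable, List

# BSD syslog header: <PRI>, timestamp, sending host, then the message body.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.+)$"
)
# key=value tokens; quoted values may contain spaces or backslashes.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample of what the collector would receive from PA-FW01
# (assumed custom key=value format; addresses are documentation ranges).
SAMPLE_LINES: List[str] = [
    '<14>Mar 10 12:00:01 PA-FW01 type=THREAT subtype=spyware severity=critical action=block-ip '
    'src=10.10.0.42 dst=198.51.100.9 from=Trust to=Untrust rule=Allow-Web app=web-browsing '
    'srcuser="corp\\jdoe" threatid=CONSTRUCTED-0001',
    '<14>Mar 10 12:00:02 PA-FW01 type=THREAT subtype=url severity=informational action=block-url '
    'category=command-and-control src=10.10.0.42 dst=198.51.100.9 from=Trust to=Untrust '
    'rule=Allow-Web app=ssl',
    '<14>Mar 10 12:00:05 PA-FW01 type=TRAFFIC subtype=end action=deny rule=Block-HighRisk '
    'src=10.10.0.77 dst=192.0.2.5 from=Trust to=Untrust app=bittorrent',
    '<14>Mar 10 12:00:06 PA-FW01 type=TRAFFIC subtype=end action=allow rule=Allow-Business '
    'src=10.10.0.12 dst=198.51.100.20 from=Trust to=Untrust app=zoom',
    '<14>Mar 10 12:00:09 PA-FW01 type=THREAT subtype=vulnerability severity=high action=block-ip '
    'src=10.10.0.88 dst=198.51.100.33 from=Trust to=Untrust rule=Allow-Web app=web-browsing '
    'threatid=CONSTRUCTED-0002',
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one syslog line into a flat record; raise ValueError on malformed input."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not a syslog line: {line[:40]!r}")
    record = {"host": m.group("host"), "ts": m.group("ts")}
    for key, value in KV_RE.findall(m.group("body")):
        record[key] = value.strip('"')
    if "type" not in record:
        raise ValueError("record has no type field")
    return record


def summarize(lines: Iterable[str]) -> dict:
    """Count events by (type, action), tally denies per rule, list block-ip'd sources.

    A THREAT event with action=block-ip means the firewall has temporarily
    blocked the source address (the block-ip action used in the profiles above),
    so those hosts form the first triage queue.
    """
    counts: Counter = Counter()
    denied_by_rule: Counter = Counter()
    blocked_sources = set()
    for line in lines:
        rec = parse_line(line)
        counts[(rec["type"], rec.get("action", "unknown"))] += 1
        if rec["type"] == "TRAFFIC" and rec.get("action") == "deny":
            denied_by_rule[rec.get("rule", "unknown")] += 1
        if (rec["type"] == "THREAT" and rec.get("action") == "block-ip"
                and rec.get("severity") in ("critical", "high")):
            blocked_sources.add(rec["src"])
    return {
        "counts": counts,
        "denied_by_rule": denied_by_rule,
        "blocked_sources": sorted(blocked_sources),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for (log_type, action), n in sorted(report["counts"].items()):
        print(f"{log_type:8} {action:12} {n}")
    print("denied by rule:", dict(report["denied_by_rule"]))
    print("sources under block-ip:", report["blocked_sources"])
```

On the sample above the report shows two block-ip threat events from two distinct internal hosts, one URL block in the command-and-control category, and one bittorrent session denied by Block-HighRisk; the hosts under block-ip are the ones to pull endpoint telemetry for first.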
Verify the deployment: review the policy, look for shadowed rules, and confirm classification and resource usage:
```
# Review the security policy and check for shadowed rules
show running security-policy
# Verify active sessions
show session all filter application web-browsing
# Check threat log entries
show log threat direction equal backward
# Verify App-ID classification (application overrides bypass App-ID, so review them)
show running application-override
# Check system resources
show system resources
# Validate the candidate configuration before committing
validate full
```