PAN_Recommended.txt
set deviceconfig system ip-address 192.168.0.184
set deviceconfig system netmask 255.255.255.0
set deviceconfig system update-server updates.paloaltonetworks.com
set deviceconfig system update-schedule threats recurring weekly day-of-week wednesday
set deviceconfig system update-schedule threats recurring weekly at 01:02
set deviceconfig system update-schedule threats recurring weekly action download-only
set deviceconfig system timezone US/Pacific
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes
set deviceconfig system hostname PA-VM
set deviceconfig setting config rematch yes
set deviceconfig setting management hostname-type-in-syslog FQDN
set network interface ethernet ethernet1/1 layer3 ipv6 neighbor-discovery router-advertisement enable no
set network interface ethernet ethernet1/1 layer3 ndp-proxy enabled no
set network interface ethernet ethernet1/1 layer3 ip Outside
set network interface ethernet ethernet1/1 layer3 lldp enable no
set network interface ethernet ethernet1/2 layer3 ipv6 neighbor-discovery router-advertisement enable no
set network interface ethernet ethernet1/2 layer3 ndp-proxy enabled no
set network interface ethernet ethernet1/2 layer3 ip Inside
set network interface ethernet ethernet1/2 layer3 lldp enable no
set network profiles monitor-profile default interval 3
set network profiles monitor-profile default threshold 5
set network profiles monitor-profile default action wait-recover
set network ike crypto-profiles ike-crypto-profiles default encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ike-crypto-profiles default hash sha1
set network ike crypto-profiles ike-crypto-profiles default dh-group group2
set network ike crypto-profiles ike-crypto-profiles default lifetime hours 8
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 hash sha256
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 dh-group group19
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 lifetime hours 8
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 hash sha384
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 dh-group group20
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ipsec-crypto-profiles default esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles default dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles default lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp encryption aes-128-gcm
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 dh-group group19
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 esp encryption aes-256-gcm
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 dh-group group20
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 lifetime hours 1
set network ike crypto-profiles global-protect-app-crypto-profiles default encryption aes-128-cbc
set network ike crypto-profiles global-protect-app-crypto-profiles default authentication sha1
set network qos profile default class class1 priority real-time
set network qos profile default class class2 priority high
set network qos profile default class class3 priority high
set network qos profile default class class4 priority medium
set network qos profile default class class5 priority medium
set network qos profile default class class6 priority low
set network qos profile default class class7 priority low
set network qos profile default class class8 priority low
set network virtual-router default protocol bgp enable no
set network virtual-router default protocol bgp dampening-profile default cutoff 1.25
set network virtual-router default protocol bgp dampening-profile default reuse 0.5
set network virtual-router default protocol bgp dampening-profile default max-hold-time 900
set network virtual-router default protocol bgp dampening-profile default decay-half-life-reachable 300
set network virtual-router default protocol bgp dampening-profile default decay-half-life-unreachable 900
set network virtual-router default protocol bgp dampening-profile default enable yes
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]
set shared application
set shared application-group
set shared service
set shared service-group
set shared botnet configuration http dynamic-dns enabled yes
set shared botnet configuration http dynamic-dns threshold 5
set shared botnet configuration http malware-sites enabled yes
set shared botnet configuration http malware-sites threshold 5
set shared botnet configuration http recent-domains enabled yes
set shared botnet configuration http recent-domains threshold 5
set shared botnet configuration http ip-domains enabled yes
set shared botnet configuration http ip-domains threshold 10
set shared botnet configuration http executables-from-unknown-sites enabled yes
set shared botnet configuration http executables-from-unknown-sites threshold 5
set shared botnet configuration other-applications irc yes
set shared botnet configuration unknown-applications unknown-tcp destinations-per-hour 10
set shared botnet configuration unknown-applications unknown-tcp sessions-per-hour 10
set shared botnet configuration unknown-applications unknown-tcp session-length maximum-bytes 100
set shared botnet configuration unknown-applications unknown-tcp session-length minimum-bytes 50
set shared botnet configuration unknown-applications unknown-udp destinations-per-hour 10
set shared botnet configuration unknown-applications unknown-udp sessions-per-hour 10
set shared botnet configuration unknown-applications unknown-udp session-length maximum-bytes 100
set shared botnet configuration unknown-applications unknown-udp session-length minimum-bytes 50
set shared botnet report topn 100
set shared botnet report scheduled yes
set zone Outside network layer3 ethernet1/1
set zone Inside network layer3 ethernet1/2
set service-group
set service
set schedule
set rulebase security rules Permit_Any to any
set rulebase security rules Permit_Any from any
set rulebase security rules Permit_Any source any
set rulebase security rules Permit_Any destination any
set rulebase security rules Permit_Any source-user any
set rulebase security rules Permit_Any category any
set rulebase security rules Permit_Any application any
set rulebase security rules Permit_Any service any
set rulebase security rules Permit_Any hip-profiles any
set rulebase security rules Permit_Any action allow
set rulebase security rules Permit_Any log-end no
set rulebase security rules Permit_Any log-start no
set rulebase security rules Permit_Any rule-type interzone
set rulebase nat rules
set rulebase dos rules BlackNurse_Rule from zone Outside
set rulebase dos rules BlackNurse_Rule to zone Inside
set rulebase dos rules BlackNurse_Rule protection classified classification-criteria address source-ip-only
set rulebase dos rules BlackNurse_Rule protection classified profile BlackNurse
set rulebase dos rules BlackNurse_Rule source any
set rulebase dos rules BlackNurse_Rule destination any
set rulebase dos rules BlackNurse_Rule source-user any
set rulebase dos rules BlackNurse_Rule service any
set rulebase dos rules BlackNurse_Rule action protect
set rulebase dos rules BlackNurse_Rule disabled no
set profiles dos-protection BlackNurse flood tcp-syn red alarm-rate 10000
set profiles dos-protection BlackNurse flood tcp-syn red activate-rate 10000
set profiles dos-protection BlackNurse flood tcp-syn red maximal-rate 40000
set profiles dos-protection BlackNurse flood tcp-syn enable no
set profiles dos-protection BlackNurse flood icmp red block duration 300
set profiles dos-protection BlackNurse flood icmp red maximal-rate 100
set profiles dos-protection BlackNurse flood icmp red alarm-rate 100
set profiles dos-protection BlackNurse flood icmp red activate-rate 100
set profiles dos-protection BlackNurse flood icmp enable yes
set profiles dos-protection BlackNurse flood udp red maximal-rate 40000
set profiles dos-protection BlackNurse flood udp red alarm-rate 10000
set profiles dos-protection BlackNurse flood udp red activate-rate 10000
set profiles dos-protection BlackNurse flood udp enable no
set profiles dos-protection BlackNurse flood icmpv6 red maximal-rate 40000
set profiles dos-protection BlackNurse flood icmpv6 red alarm-rate 10000
set profiles dos-protection BlackNurse flood icmpv6 red activate-rate 10000
set profiles dos-protection BlackNurse flood icmpv6 enable no
set profiles dos-protection BlackNurse flood other-ip red maximal-rate 40000
set profiles dos-protection BlackNurse flood other-ip red alarm-rate 10000
set profiles dos-protection BlackNurse flood other-ip red activate-rate 10000
set profiles dos-protection BlackNurse flood other-ip enable no
set profiles dos-protection BlackNurse resource sessions enabled no
set profiles dos-protection BlackNurse type classified
set import network interface [ ethernet1/1 ethernet1/2 ]
set application-group
set application
set address Outside ip-netmask 1.1.1.1/24
set address Inside ip-netmask 10.1.1.1/24
set address Outside_Host ip-netmask 1.1.1.50
set address Inside_Host ip-netmask 10.1.1.100
set address 1.1.1.100 ip-netmask 1.1.1.100
set mgt-config users admin phash fnRL/G5lXVMug
set mgt-config users admin permissions role-based superuser yes