Monday, July 31, 2017

Palo Alto Networks - Tags, Dynamic Address Objects, and Policy Automation

Palo Alto Networks offers a variety of ways to automate configuration tasks. One of these is the concept of tags. Tags allow administrators to group and visually distinguish objects within the PAN-OS GUI. A simple, real-world example is managing multiple networks that change dynamically, where you don't want to update configuration information in multiple places.
  • Navigate to Objects -> Tags, and create a tag that references an address group.
  • Navigate to Objects -> Address Groups, and create a Dynamic Address Group that references the tag created in the previous step.
  • Navigate to Objects -> Addresses, and create address objects that reference the tag created in the first step.

You can now create policies that reference the Dynamic Address Group as a source or destination address. This means that, moving forward, changes to which addresses a policy covers are made automatically by applying or removing tags on address objects, without editing the policy itself.

Wednesday, July 19, 2017

Palo Alto Networks - Bing Safe Search Options

Safe Search allows administrators to block explicit content. This is especially important in educational institutions (e.g., K-12). Palo Alto Networks offers multiple ways to enforce this feature. However, each of these options requires implementing SSL Forward Proxy, as most search engines now use SSL. That being said, Bing does not honor the safe search settings over SSL, so the Palo Alto Networks documentation recommends disabling SSL for Bing searches. For some organizations, this may not be a viable option. Luckily, Bing currently offers a DNS method that can be used to ensure that safe search is enforced over SSL. It is recommended to use SSL Forward Proxy on the Palo Alto Networks firewall in conjunction with this method so that you have full control of and visibility into user searches. Below are the DNS Proxy configuration steps for the firewall when public DNS servers are in use in the environment. Keep in mind that the same objective can be accomplished via an internally managed DNS server, outside of the firewall configuration.

Navigate to Network -> DNS Proxy. Define your DNS servers and the interfaces on which you would like to use DNS Proxy.


In the Static Entries tab, define the specific FQDNs that you would like to map to specific IP addresses. As you will see below, Bing publishes an IP that enforces Safe Search (run an nslookup to verify the current IP that restrict.bing.com maps to).


Navigate to Device -> Setup -> Services -> Service Route Configuration, and select DNS. Verify the interface that is assigned. In my case, it is my trust interface.


Navigate to Policies -> Security. Create a security policy that allows DNS only from the source address specified in the Service Route Configuration. This ensures that an end user cannot point a client at other DNS servers and successfully bypass your static entries. We are explicitly allowing only the firewall, and all else is denied (assuming you don't have an "allow all" policy configured below this rule).


Upon testing, you will find that safe search is enforced. It should be noted that as part of my configuration I have followed Palo Alto Networks best practice of blocking all search engines except for Google, Bing, and Yahoo, so that I can be more granular with how users on my networks are performing searches. This step is optional, but I recommend it because it will make things easier to control.
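As an added illustration (not code from the original post or from Palo Alto Networks), the following Python models PAN-OS first-match security policy evaluation for the DNS lockdown described in the steps above, including the "allow all below this rule" caveat. The firewall service-route address, client address, and public resolver are constructed placeholders.

```python
"""Model first-match security policy evaluation for the DNS lockdown.
Constructed sample rules and addresses; not PAN-OS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FIREWALL_DNS_SOURCE = "10.0.1.1"  # assumed: address on the DNS service-route (trust) interface


@dataclass(frozen=True)
class Rule:
    name: str
    source: str       # CIDR or "any"
    destination: str  # CIDR or "any"
    application: str  # e.g. "dns", "web-browsing", or "any"
    action: str       # "allow" or "deny"


def matches(rule, src, dst, app):
    def in_net(spec, ip):
        return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)
    return (in_net(rule.source, src) and in_net(rule.destination, dst)
            and rule.application in ("any", app))


def evaluate(rules, src, dst, app):
    """Return (rule name, action) of the first matching rule, else the implicit
    interzone default deny that applies when nothing in the rulebase matches."""
    for r in rules:
        if matches(r, src, dst, app):
            return r.name, r.action
    return "interzone-default", "deny"


# Rulebase as the post describes: DNS allowed only from the firewall's service-route address.
LOCKED_DOWN = [Rule("allow-fw-dns", FIREWALL_DNS_SOURCE + "/32", "any", "dns", "allow")]
# Same rule, but with a broad "allow all" rule configured below it (the caveat in the post).
WITH_ALLOW_ALL = LOCKED_DOWN + [Rule("allow-all", "any", "any", "any", "allow")]
# Remedy: an explicit DNS deny between them, so the broad rule no longer covers client DNS.
FIXED = [LOCKED_DOWN[0], Rule("deny-other-dns", "any", "any", "dns", "deny"), WITH_ALLOW_ALL[1]]


def client_dns_bypass_possible(rules, client="10.0.1.50", public_dns="8.8.8.8"):
    """True if a LAN client can reach an external resolver directly, skipping the static entries."""
    return evaluate(rules, client, public_dns, "dns")[1] == "allow"
```

Run `client_dns_bypass_possible` against an export of your own rulebase to confirm that nothing below the firewall-only DNS rule reopens DNS for clients.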