Palo Alto Networks NGFW

Palo Alto Networks NGFW Configuration

💡
Network device integrations have been updated in WitnessAI v2.0. Devices configured for WitnessAI v1.5 will need a minor update to support v2.0. Some new features will not activate until your devices are updated.
Existing v1.5 network devices will continue to work without interruption in v2.0.
See the network integration guides in the Integrations menu for details.
Have questions? Our support team will be happy to assist.

Prerequisites

Backup Your Configuration

Always create a backup of the firewall configuration before implementing new changes. For instructions on how to back up the configuration, please refer to:

Verify licenses

WitnessAI requires that the Palo Alto NGFW has licenses for Advanced URL Filtering (1) and Threat Prevention (2).
Verify the licenses and check their expiration dates in the configuration console.

Install WitnessAI Root Certificate

  1. Go to Device → Certificate Management → Certificates
  2. Click Import → Import the cert provided by the Account Team
  3. Once the cert is imported, click on it, select Trusted Root CA and click OK

Setup EDL Certificate Profile

  1. The certificate will be provided by support.
  2. Go to Device → Certificates and click Import
  3. Name the certificate Witness-AI-CA and upload the CA certificate by clicking Browse
  4. Go to Device → Certificate Profile and click Add
  5. Name the profile Witness-AI-CP and click the Add button under CA Certificates
  6. Select the Witness-AI-CA certificate and click OK
  7. Use this Certificate Profile for the EDL configuration.

Create External Dynamic List

This section creates the WitnessForwardDomainList, a list of LLM projects whose traffic will be forwarded to WitnessAI.
  1. Go to Objects → External Dynamic Lists → Add
  2. Click Add and enter the following configuration:
     • Name → WitnessForwardDomainList
     • Type → Domain List
     • Source → https://api.[tenantID].[region].witness.ai/v1/edls/forwardlist.txt
     • Check for Updates → Every five minutes
  3. Click OK

Create Custom Application for Office

Create a Custom Application for traffic towards augloop.office.com, because the Palo Alto firewall identifies this traffic as a WebSocket connection and fails to insert HTTP headers.
  1. Go to Objects → Applications
  2. Click Add and name the application augloop
  3. Select the basic properties as per the values below:
     a. Category → general-internet
     b. Subcategory → internet-utility
     c. Technology → browser-based
     d. Parent App → ms-office365-copilot
     e. Risk → 1
  4. Go to the Advanced tab and select Port
  5. Add the port information as below:
     a. tcp/443
     b. tcp/80
  6. Go to the Signatures tab and click Add
  7. Configure the following settings:
     a. Name → AugloopSig
     b. Scope → Session
     c. Select Add Or Condition
     d. Operator → Pattern Match
     e. Context → http-req-headers
     f. Pattern → (augloop.office.com)
     g. Click OK and click OK again

Redirect AI Traffic to WitnessAI

Create an Anti-Spyware Profile to redirect any DNS request for a domain in the WitnessForwardDomainList to WitnessAI.
  1. Go to Objects → Security Profiles → Anti-Spyware → Click Add
  2. Set the following settings:
     • Name → WitnessAI_Sinkhole
     • DNS Policies → Set the Policy Action as sinkhole for the WitnessForwardDomainList EDL.
     • Sinkhole IPv4 → See the instructions below.
       Note: To obtain the sinkhole IPv4 address, ping the following:
       connect.[tenantID].[region].witness.ai
  3. Click OK

URL Filtering Profile to add User Info

Create a URL Filtering Profile and configure HTTP Header Insertion to add the user's email address in the X-Authenticated-User header field.
  1. Go to Objects → Security Profiles → URL Filtering → Add
  2. Configure the following settings:
     a. Name → WitnessAI_URL-Filtering
     b. Under External Dynamic URL Lists, select WitnessURLs and change Site Access to alert.
        • Note: This ensures that URL filtering logs are created for any traffic matching these URLs.
  3. Click on the HTTP Header Insertion tab and click Add
  4. Configure the following settings:
     a. Name → X-Auth-User
     b. Type → Dynamic Fields
     c. Domain
     d. Header → X-Authenticated-User
     e. Value → ($user)@($domain)
     f. Check the Log box

Create Decryption Profile & Policy

  1. Go to Objects → Decryption → Decryption Profile → Add
  2. Set the following configurations:
     a. Name → Witness-Decrypt
     b. Enable Strip ALPN
  3. Click SSL Protocol Settings and configure the following:
     a. Min Version → TLSv1.0
     b. Max Version → TLSv1.2
  4. Go to Policies → Decryption
  5. Create a new decryption policy for decrypting all SSL traffic going towards the AI URLs maintained by WitnessAI:
     a. Source Zone → LAN/GP Zone
     b. Destination Zone → WAN
     c. URL Category → WitnessURLs
     d. Action → Decrypt
     e. Type → SSL Forward Proxy
     f. Decryption Profile → Witness-Decrypt
        Note: Create a new profile and make sure that the Strip ALPN checkbox on the Decryption Profile is enabled.

Create Security Policy for DNS Sinkhole

Use the Anti-Spyware Profile in a security policy created for allowing access to the AI URLs maintained by WitnessAI.
  1. Go to Policies → Security
  2. Create a new security policy for allowing traffic towards the AI URLs maintained by WitnessAI:
     a. Source Zone → LAN/GP Zone
     b. Destination Zone → WAN
     c. Action → Allow
     d. Anti-Spyware Profile → WitnessAI_Sinkhole

Create Security Policy for URL Filtering

Use the URL Filtering Profile in a security policy created for allowing access to the AI URLs maintained by WitnessAI.
  1. Go to Policies → Security
  2. Create a new security policy for allowing traffic towards the AI URLs maintained by WitnessAI:
     a. Source Zone → LAN/GP Zone
     b. Destination Zone → WAN
     c. URL Category → WitnessURLs
     d. URL Filtering → WitnessAI_URL-Filtering

Implement Block for Quic Protocol

QUIC is a Google-developed protocol that uses UDP for web connections, which limits the firewall's visibility and its ability to analyze the traffic and apply security actions.
  • Note: If the QUIC protocol is not already blocked, please perform this step.
  1. Go to Policies → Security
  2. Click Add to create a new security policy for blocking the QUIC protocol.
  3. Name the rule Quic Block.
  4. Block any QUIC traffic from the LAN/GP Zone towards the internet:
     a. Source Zone → LAN/GP Zone
     b. Destination Zone → WAN
     c. Application → quic
     d. Action → Deny
  5. Click OK
  6. Move the Quic Block rule to the top.

Commit Change

The last step is to commit the change to the firewall. This implements and enables the configuration changes made.
  1. Click Commit
  2. Review the changes and implement them.
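The same configuration expressed as PAN-OS CLI set commands, added here as an example and not taken from the WitnessAI guide or from Palo Alto Networks documentation. It assumes zones named LAN and WAN, rule names of our own choosing, and placeholders for tenantID, region and the sinkhole IP; certificate import, the augloop custom application and HTTP Header Insertion remain GUI steps as described above, lines starting with # are annotations rather than CLI input, and each command's syntax is assumed and should be confirmed with the CLI's ? completion before committing.

```text
# Enter configuration mode on the firewall
configure

# External Dynamic List of LLM domains, validated with the EDL certificate profile
set external-list WitnessForwardDomainList type domain url https://api.<tenantID>.<region>.witness.ai/v1/edls/forwardlist.txt
set external-list WitnessForwardDomainList type domain recurring five-minute
set external-list WitnessForwardDomainList type domain certificate-profile Witness-AI-CP

# Anti-Spyware profile: sinkhole DNS answers for domains in the EDL
# <sinkhole-ip> is the address connect.<tenantID>.<region>.witness.ai resolves to
set profiles spyware WitnessAI_Sinkhole botnet-domains lists WitnessForwardDomainList action sinkhole
set profiles spyware WitnessAI_Sinkhole botnet-domains sinkhole ipv4-address <sinkhole-ip>

# URL Filtering profile: alert on WitnessURLs so URL logs are written for matching traffic
set profiles url-filtering WitnessAI_URL-Filtering alert WitnessURLs

# Decryption profile: strip ALPN, TLS 1.0 to 1.2 as the guide specifies
set profiles decryption Witness-Decrypt ssl-forward-proxy strip-alpn yes
set profiles decryption Witness-Decrypt ssl-protocol-settings min-version tls1-0
set profiles decryption Witness-Decrypt ssl-protocol-settings max-version tls1-2

# Decryption policy: SSL Forward Proxy for LAN to WAN traffic in the WitnessURLs category
set rulebase decryption rules Witness-Decrypt-Rule from LAN to WAN source any destination any category WitnessURLs type ssl-forward-proxy action decrypt profile Witness-Decrypt

# Security policy carrying the sinkhole profile (assumed rule name)
set rulebase security rules WitnessAI-Sinkhole from LAN to WAN source any destination any application any service any action allow profile-setting profiles spyware WitnessAI_Sinkhole

# Security policy carrying the URL Filtering profile (assumed rule name)
set rulebase security rules WitnessAI-URL-Filtering from LAN to WAN source any destination any category WitnessURLs application any service any action allow profile-setting profiles url-filtering WitnessAI_URL-Filtering

# Deny QUIC so browsers fall back to TLS over TCP, and evaluate it first
set rulebase security rules "Quic Block" from LAN to WAN source any destination any application quic service application-default action deny
move rulebase security rules "Quic Block" top

# Review the candidate configuration against the running one, then commit
show config diff
commit
```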