Palo Alto Networks NGFW


Palo Alto Networks NGFW Configuration

💡 Network device integrations have been updated in WitnessAI v2.0. Devices configured for WitnessAI v1.5 will need a minor update to support v2.0. Some new features will not activate until your devices are updated.
Existing v1.5 network devices will continue to work without interruption in v2.0.
See the network integration guides in the Integrations menu for details.
Have questions? Our support team will be happy to assist.

Prerequisites

Backup Your Configuration

Always create a backup of the firewall configuration before implementing new changes. For instructions on how to back up the configuration, please refer to:

Verify licenses

WitnessAI requires that the Palo Alto NGFW has licenses for Advanced URL Filtering (1) and Threat Prevention (2).
Verify the licenses and check their expiration dates in the configuration console.

Install WitnessAI Root Certificate

  1. Go to Device → Certificate Management → Certificates
  2. Click Import → Import the cert provided by the Account Team
  3. Once the cert is imported, click on it, select Trusted Root CA and click OK

Setup EDL Certificate Profile

  1. The certificate will be provided by support.
  2. Go to Device → Certificates and click Import
  3. Name the certificate Witness-AI-CA and upload the CA certificate by clicking Browse
  4. Go to Device → Certificate Profile and click Add
  5. Name the profile Witness-AI-CP and click the Add button under CA Certificates
  6. Select the Witness-AI-CA certificate and click OK
  7. Use this certificate profile for the EDL configuration.

Create External Dynamic List

This section covers creating the WitnessForwardDomainList, the list of LLM projects whose traffic will be forwarded to WitnessAI.
  1. Go to Objects → External Dynamic Lists → Add
  2. Click Add and enter the following configuration:
     Name → WitnessForwardDomainList
     Type → Domain List
     Source → https://api.[tenantID].[region].witness.ai/v1/edls/forwardlist.txt
     Check for Updates → Every five minutes
  3. Click OK

Create Custom Application for Office

Create a custom application for traffic towards augloop.office.com, because the Palo Alto firewall identifies this traffic as a WebSocket connection and fails to insert the HTTP headers.
  1. Go to Objects → Applications
  2. Click Add and name the application augloop
  3. Select the basic properties as per the values below:
     a. Category → general-internet
     b. Subcategory → internet-utility
     c. Technology → browser-based
     d. Parent App → ms-office365-copilot
     e. Risk → 1
  4. Go to the Advanced tab and select Port
  5. Add the port information as below:
     a. tcp/443
     b. tcp/80
  6. Go to the Signatures tab and click Add
  7. Configure the following settings:
     a. Name → AugloopSig
     b. Scope → Session
     c. Select Add Or Condition
     d. Operator → Pattern Match
     e. Context → http-req-headers
     f. Pattern → (augloop.office.com)
     g. Click OK and click OK again

Redirect AI Traffic to WitnessAI

Create an Anti-Spyware Profile that sinkholes any DNS request for a domain in the WitnessForwardDomainList, so that the traffic is redirected to WitnessAI.
  1. Go to Objects → Security Profiles → Anti-Spyware → Click Add
  2. Set the following settings:
     Name → WitnessAI_Sinkhole
     DNS Policies → Set the Policy Action to sinkhole for the WitnessForwardDomainList EDL.
     Sinkhole IPv4 → See the note below.
     Note: To obtain the sinkhole IPv4 address, ping the following hostname and use the address it resolves to:
     connect.[tenantID].[region].witness.ai
  3. Click OK
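After the commit, a practitioner will want to confirm that the sinkhole actually takes effect. The following is an added example, not part of the WitnessAI guide or of PAN-OS: it parses a domain-list EDL body such as forwardlist.txt and checks that every listed domain now resolves to the sinkhole address (the address the connect host resolves to). The sample list, the DNS table and the 203.0.113.10 sinkhole address are constructed placeholders, and treating text after '#' as a comment is an assumption of this example.

```python
import socket
from typing import Callable, Dict, List

def parse_domain_edl(text: str) -> List[str]:
    """One domain per line; blank lines and text after '#' are ignored
    (comment handling is an assumption of this example); entries lower-cased."""
    domains = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if entry:
            domains.append(entry)
    return domains

def sinkhole_report(domains: List[str], sinkhole_ip: str,
                    resolve: Callable[[str], str]) -> Dict[str, bool]:
    """Map each domain to True if it resolves to the sinkhole address.
    A lookup failure (NXDOMAIN, timeout) counts as 'not sinkholed'."""
    report: Dict[str, bool] = {}
    for domain in domains:
        try:
            report[domain] = resolve(domain) == sinkhole_ip
        except OSError:  # socket.gaierror is a subclass of OSError
            report[domain] = False
    return report

# Constructed sample data, not real WitnessAI values.
SAMPLE_EDL = """# constructed forwardlist.txt
chat.example-llm.com
api.example-llm.com   # trailing comment
docs.example-llm.com
nx.example-llm.com
"""
# Placeholder for the address connect.[tenantID].[region].witness.ai resolves to.
SAMPLE_SINKHOLE = "203.0.113.10"
SAMPLE_DNS = {
    "chat.example-llm.com": "203.0.113.10",  # sinkholed as expected
    "api.example-llm.com": "203.0.113.10",   # sinkholed as expected
    "docs.example-llm.com": "198.51.100.7",  # still reaches the real host: policy miss
}

def sample_resolver(host: str) -> str:
    """Stand-in for socket.gethostbyname over the constructed DNS table."""
    try:
        return SAMPLE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")

def sample_report() -> Dict[str, bool]:
    # Pass socket.gethostbyname instead of sample_resolver for a live check.
    return sinkhole_report(parse_domain_edl(SAMPLE_EDL), SAMPLE_SINKHOLE, sample_resolver)
```

Run from a client in the LAN/GP zone, a False entry points at a domain the Anti-Spyware DNS policy is not catching (wrong EDL binding, stale list, or a security rule without the profile attached).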

URL Filtering Profile to add User Info

Create a URL Filtering Profile and configure HTTP Header Insertion to add the user's email address in the X-Authenticated-User header field.
  1. Go to Objects → Security Profiles → URL Filtering → Add
  2. Configure the following settings:
     1. Name → WitnessAI_URL-Filtering
     2. Under External Dynamic URL Lists, select WitnessURLs and change Site Access to alert.
        • Note: This ensures that URL filtering logs are created for any traffic matching these URLs.
  3. Click on the HTTP Header Insertion tab and click Add
  4. Configure the following settings:
     1. Name → X-Auth-User
     2. Type → Dynamic Fields
     3. Domain →
     4. Header → X-Authenticated-User
     5. Value → ($user)@($domain)
     6. Check the Log box

Create Decryption Profile & Policy

  1. Go to Objects → Decryption → Decryption Profile → Add
  2. Set the following configuration:
     1. Name → Witness-Decrypt
     2. Enable Strip ALPN
  3. Click SSL Protocol Settings and configure the following:
     1. Min Version → TLSv1.0
     2. Max Version → TLSv1.2
  4. Go to Policies → Decryption
  5. Create a new decryption policy for decrypting all SSL traffic going towards the AI URLs maintained by WitnessAI.
     1. Source Zone → LAN/GP Zone
     2. Destination Zone → WAN
     3. URL Category → WitnessURLs
     4. Action → Decrypt
     5. Type → SSL Forward Proxy
     6. Decryption Profile → Witness-Decrypt
        Note: Create a new profile and make sure that the Strip ALPN checkbox on the Decryption Profile is enabled

Create Security Policy for DNS Sinkhole

Use the Anti-Spyware Profile in a security policy created for allowing access to the AI URLs maintained by WitnessAI.
  1. Go to Policies → Security
  2. Create a new security policy for allowing traffic towards the AI URLs maintained by WitnessAI.
     1. Source Zone → LAN/GP Zone
     2. Destination Zone → WAN
     3. Action → Allow
     4. Anti-Spyware Profile → WitnessAI_Sinkhole

Create Security Policy for URL Filtering

Use the URL Filtering Profile in a security policy created for allowing access to the AI URLs maintained by WitnessAI.
  1. Go to Policies → Security
  2. Create a new security policy for allowing traffic towards the AI URLs maintained by WitnessAI.
     1. Source Zone → LAN/GP Zone
     2. Destination Zone → WAN
     3. URL Category → WitnessURLs
     4. URL Filtering → WitnessAI_URL-Filtering

Implement Block for Quic Protocol

QUIC is a Google-developed protocol that uses UDP for web connections; it limits the firewall's visibility and its ability to analyze traffic and apply security actions.
  • Note: If the QUIC protocol is not already blocked, perform this step.
  1. Go to Policies → Security
  2. Click Add to create a new security policy for blocking the quic application.
  3. Name the rule Quic Block.
  4. Block any quic traffic from the LAN/GP Zone towards the internet:
     1. Source Zone → LAN/GP Zone
     2. Destination Zone → WAN
     3. Application → quic
     4. Action → Deny
  5. Click OK
  6. Move the Quic Block rule to the top.

Commit Change

The last step is to commit the change to the firewall. This implements and enables the configuration changes made.
  1. Click Commit
  2. Review the changes and commit them to apply the configuration.