UTD-NGFW-Workshop-Guide-4.0-20210607

ULTIMATE
TEST DRIVE
ML-Powered Next-Generation Firewall (NGFW)
Workshop Guide
PAN-OS 10.0
UTD-NGFW 4.0
©2021 Palo Alto Networks, Inc. | Confidential and Proprietary
20210607
1
Table of Contents
How to use this guide ..................................................................................................................... 4
Activity 0 – Log in to the UTD Workshop ...................................................................................... 5
Task 1 – Log in to your Ultimate Test Drive class environment ........................................................................... 5
Task 2 – Log in to the student desktop ................................................................................................................ 6
Task 3 – Log in to the UTD ML-Powered NGFW .................................................................................................. 7
Task 4 (Very Important) – Bring up interface ethernet1/1 .................................................................................. 7
Activity 1 – Granular control on Social Media and Enabling Sanctioned SaaS Applications .... 9
Task 1 – Check connectivity to Facebook ............................................................................................................ 9
Task 2 – Enable Facebook Application ............................................................................................................... 10
Task 3 – Review traffic logs ................................................................................................................................ 11
Task 4 – Enable Sanctioned SaaS Applications .................................................................................................. 11
Activity 2 – Applications on Non-standard Ports ....................................................................... 13
Task 1 – Create a new security policy ................................................................................................................ 13
Task 2 – Check application connectivity ............................................................................................................ 14
Task 3 – Modify Security Policy .......................................................................................................................... 15
Task 4 – Re-check applications on non-standard ports ..................................................................................... 15
Activity 3 – Policy Optimizer ........................................................................................................ 16
Task 1 – Policy Optimizer Helps you to Convert Port-Based Policy to Application-Based Policy ...................... 16
Task 2 – Enhanced Security in Application-Based Policy ................................................................................... 17
Task 3 – Move Other Application....................................................................................................................... 18
Activity 4 – Decryption ................................................................................................................. 20
Task 0 – Check connectivity to lab web server .................................................................................................. 20
Task 1 – Download test ...................................................................................................................................... 20
Task 2 – Add a new decryption policy................................................................................................................ 21
Task 3 – Retest secure download ...................................................................................................................... 22
Task 4 – Review traffic logs ................................................................................................................................ 23
Activity 5 – Modern Malware Protection with ML-Powered Analysis ........................................ 24
Task 1 – Enable WildFire analysis on a security policy....................................................................................... 24
Task 2 – Configure Real-Time Update of Wildfire Signature ............................................................................. 25
Task 3 – Test WildFire modern malware protection ......................................................................................... 26
Task 4 – Review the WildFire analysis results .................................................................................................... 27
Task 5 – Enable WildFire Inline ML-Powered analysis ....................................................................................... 28
Activity 6 – ML-Powered URL Filtering ........................................................................................ 30
Task 0 – Check connectivity ............................................................................................................................... 30
Task 1 – Modify URL Filtering Profile and Configure Security-Focus URL Categories........................................ 30
Task 2 – Configure Inline ML-Powered Analysis ................................................................................................ 32
Task 3 – Apply URL Filtering to the security policy ............................................................................................ 32
Task 4 – Test URL’s and Review the URL-Filtering Logs ..................................................................................... 33
Activity 7 – GlobalProtect: Safely Enable Mobile Devices ......................................................... 35
Task 1 – Review the GlobalProtect Portals and Gateways configuration.......................................................... 35
Task 2 – Log into GlobalProtect from the Mobile PC (GlobalProtect) ............................................................... 36
Task 3 – Review Logs on the VM-Series firewall ................................................................................................ 37
Task 4 – Enable Identification and Quarantine of Compromised Devices......................................................... 38
Task 5 – Review Log Forwarding Policy and Device Quarantine List ................................................................. 39
Activity 8 – Control Application Usage with User-ID .................................................................. 41
Task 1 – Validate access to SSH server............................................................................................................... 41
Task 2 – Enable applications based on User-ID ................................................................................................. 41
Task 3 – Confirm access with User-ID ................................................................................................................ 42
Activity 9 – Clientless VPN ........................................................................................................... 44
Task 1 – Configure Clientless VPN...................................................................................................................... 44
Task 2 – Test the Clientless VPN access from Mobile PC ................................................................................... 45
Task 3 – Review Logs on the VM-Series firewall ................................................................................................ 46
Activity 10 – ACC and Custom Reports....................................................................................... 47
Task 1 – Review Application Command Center (ACC) ....................................................................................... 47
Task 2 – SaaS Application Usage Report ............................................................................................................ 48
Task 3 – Setting up a custom report .................................................................................................................. 49
Activity 11 - Feedback on Ultimate Test Drive ............................................................................ 51
Task 1 – Take the online survey ......................................................................................................................... 51
Appendix 1: Support for Non-U.S. Keyboards ............................................................................ 52
Add a new international keyboard .................................................................................................................... 52
Use the on-screen keyboard .............................................................................................................................. 53
Appendix 2: How to resolve the connectivity issue ................................................................... 54
How to use this guide
The activities outlined in this Ultimate Test Drive (UTD) Workshop Guide are meant to contain all the information
necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any potential
issues with the UTD environment. This guide is meant to be used in conjunction with the information and
guidance provided by your facilitator.
Once these activities are completed, you should be able to:
1. Navigate the Palo Alto Networks GUI
2. Review portions of the firewall configuration
3. Change the configuration to affect the behavior of traffic across the firewall
This workshop covers only basic topics and is not a substitute for the training classes conducted by Palo Alto
Networks Authorized Training Centers (ATC). Please contact your partner or regional sales manager for more
training information.
Terminology
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each Tab found in the left-hand column of each screen.
Note: Unless specified, the Google® Chrome™ web browser will be used to perform any
tasks outlined in the following activities (Chrome is pre-installed on the student desktop of
the workshop PC).
Activity 0 – Log in to the UTD Workshop
In this activity, you will:
• Log in to the Ultimate Test Drive Workshop from your laptop
• Understand the layout of the environment and its various components
• Enable the Firewall to facilitate connectivity
Task 1 – Log in to your Ultimate Test Drive class environment
Step 1. First, make sure your laptop has a modern browser that supports HTML5 installed. We recommend
using the latest version of Firefox®, Chrome or Internet Explorer. We also recommend that you install the
latest Java® client for your browser.
Step 2. Go to class URL. Enter your email address and the passphrase (if you have an invitation email, you can
find the class URL and passphrase in the invitation email; or the instructor will provide you with the class
URL and passphrase).
Step 3. Complete the registration form and click Register and Login at the bottom.
Step 4. Depending on your browser, you may be asked to install a plugin. Please click yes to allow the plugin to
be installed, then continue the login process.
Step 5. Once you log in, the environment will be created automatically for you. The upper left-hand corner will
show you the progress of the preparation. You will see the lab availability time when it is ready for use.
The UTD NGFW lab environment consists of several VMs: Student Desktop, Mobile PC (GlobalProtect),
Mobile PC (Clientless VPN), VM-Series NGFW and more. You will start the lab by accessing the
Student Desktop.
Task 2 – Log in to the student desktop
Step 1. Click on the Student Desktop tab to connect to the student desktop.
Step 2. If the Student Desktop resolution is too high or too low for your laptop display, you can adjust the
resolution from the left-hand pane. You can also click the Full screen icon to maximize the display.
Step 3. To exit full-screen mode, press the Esc key on your keyboard or click the black arrow at the top of the
window to open the dropdown menu; then click Exit.
Step 4. [Optional] If you encounter connection issues with the student desktop, click reconnect to re-establish the
RDP or CON connection.
Step 5. [Optional] If reconnection to the student desktop is unsuccessful, please verify your laptop connectivity
using the following link. [Note that a Java client is required on your browser for this test site to function.]
https://use.cloudshare.com/test.mvc
This test site validates the RDP-based and Java-based connections from your browser. Click Allow to
allow the Java applet to be installed and run in your browser.
Step 6. [Optional] If the connectivity test passed, close the browser and retry the reconnect to the RDP or
CON session to the VM per Task 2, Step 4. If the connectivity test failed, inform the
instructor and ask for further assistance.
Task 3 – Log in to the UTD ML-Powered NGFW
Step 1. In the Student Desktop, click the Chrome browser icon to launch the browser. The VM-Series login page
should already be loaded; if not, click the “UTD-NGFW-PAVM” bookmark in the Chrome browser.
Note: You can also use the “NGFW GUI” tab to open a direct connection to the NGFW login page.
Log in to the firewall using the following Username and Password:
Username: student
Password: utd135
Step 2. You are now logged in to the firewall. Take a look at the welcome page to see some of the features
introduced in the latest release of PAN-OS.
Step 3. Click “Close” to close the welcome page and you will see the Dashboard view.
Task 4 (Very Important) – Bring up interface ethernet1/1
Step 1. The firewall is not connected to the Internet by default. Select Network > Interfaces and then click
the interface ethernet1/1 under Ethernet.
Step 2. Select the Advanced tab to change the link state. Select up in the Link State option; then click OK.
Step 3. Click Commit (in the upper right-hand corner of the GUI), then select Commit All Changes and click
Commit in the pop-up window.
Step 4. Click Close in the pop-up window once the commit has completed. Click the refresh button in the upper
right corner. The Link Status of ethernet1/1 should turn green once the interface is up.
Step 5. Open a new tab in the Chrome browser window and confirm Internet connectivity by selecting CNN from
the Labs – Bookmark > Activity-0 folder.
Note: If you experience any connectivity issue then please refer to Appendix 2.
Step 6. Here is a quick look at how the student desktop and the virtual firewall are connected:
End of Activity 0
Activity 1 – Granular control on Social Media and
Enabling Sanctioned SaaS Applications
Background: Every organization is trying to determine how to appropriately control social media and
SaaS (Software as a Service) applications. Allowing them all is highly risky, while blocking them all can
cripple the business. Policy considerations, including who can use which social media channels and
SaaS applications, require a granular level of control at the firewall.
PAN-OS® features to be used:
• App-ID™ and function control.
• Logging and reporting for verification.
In this activity you will:
• Modify the existing firewall configuration to control the behavior of the Facebook application.
• Review Traffic logs to confirm activity.
Task 1 – Check connectivity to Facebook
Step 1. (Please complete Task 4 in the previous activity (Activity 0) before you continue.) On your desktop,
open a browser and select www.facebook.com from the Lab – Bookmarks > Activity-1 folder.
Question: What appears in the browser window?
Answer: You should get blocked and see a screen that looks like this:
Note: If you see an SSL decryption message, click Continue to accept it. You will need to reload the
Facebook page to see the blocked message.
Step 2. On the firewall GUI, Select Monitor > Logs > Traffic to review the traffic logs to understand why
Facebook is being blocked.
Step 3. In the search bar, enter subtype eq deny, then click Apply Filter to show only denied sessions. You should
see that the “facebook-base” application is not allowed by default. You will enable the Facebook application in
the next task. Click Clear Filter to remove the filter and see all the logs.
Note: You can adjust the number of columns displayed by hovering the mouse over any header and click
the white arrow next to the header name, then click Columns and select the columns you want to add or
remove.
Task 2 – Enable Facebook Application
Step 1. On the firewall GUI, click the Policies tab, then click the Security node.
Step 2. Highlight the rule #1, named UTD-Policy-00 (currently greyed out).
Step 3. Click Enable in the bottom bar of the GUI. The rule is no longer greyed out once it is enabled.
Step 4. Click on UTD-Policy-00 to open up the policy details window, go to the Application and Actions tab to
confirm the policy is configured to allow Facebook and its dependent applications. Click OK to close the
policy window.
Step 5. Click Commit (in the upper right-hand corner of the GUI), then select Commit All Changes and click
Commit in the pop-up window.
Note: You may ignore the application dependency warning that happens during the commit.
Step 6. Click Close once the commit has completed.
Step 7. Open a new browser tab and select www.facebook.com from the Lab – Bookmarks > Activity-1 folder.
You may get an SSL decryption warning message; click Yes to continue. You should now be able to
access www.facebook.com.
Task 3 – Review traffic logs
Step 1. Select Monitor > Logs > Traffic to review the traffic logs.
Step 2. Type the search string app eq facebook-base into the query box. Then hit the Enter key or click the
arrow icon.
Note: If you see any error while typing the search string then you can simply click on the app name in
application column and that will populate the filter.
Questions:
• What was the action associated with the log entries?
• What was the port number associated with the log entries?
Task 4 – Enable Sanctioned SaaS Applications
The need for business efficiency and flexibility is driving the use of SaaS applications in many organizations. Palo
Alto Networks ML-Powered NGFW with App-ID provides the industry-leading granular control to and from SaaS
applications. We will show you how to enable a selected set of sanctioned SaaS applications.
Step 1. Select Objects > Application Groups and then click “Sanctioned-SaaS-Apps” and review the SaaS
applications in this application group.
Step 2. Add “ms-office365” to this application group by clicking the Add icon, then select “ms-office365”. Click OK
to close the application-group window.
Step 3. Go back to the security rule, “UTD-Policy-00,” and then add the “Sanctioned-SaaS-Apps” application
group to the policy. Click OK to close the policy window.
Step 4. Click Commit to commit the changes.
In one policy, you have enabled basic Facebook applications and a group of sanctioned SaaS
applications. Enabling a group of SaaS applications will allow us to see a more interesting SaaS
application usage report in the later lab activity.
Step 5. In your browser right click the SAAS bookmark folder in “Lab – Bookmarks > Activity-1”, select “open all
bookmarks”, let the pages load (or fail) and close the tabs again.
End of Activity 1
Activity 2 – Applications on Non-standard Ports
Background: Many applications can use, either by default or through user control, a non-standard port.
Oftentimes, the use of non-standard ports is done as a means of evading controls. Tech-savvy users are
accessing their home PCs from work by directing SSH to a non-standard port in order to bypass
corporate firewalls. This activity will show you how to allow applications to run only on the standard port
and prevent the same applications from running on any non-standard port.
PAN-OS features to be used:
• Logging and reporting to show SSH, RDP and Telnet on non-standard ports.
• App-ID, groups function and service (port).
• Logging and reporting for verification.
In this activity you will:
• Add a new security policy for the IT organization.
• Re-order the policies.
Task 1 – Create a new security policy
Step 1. Select Policies > Security and then click Add in the lower left-hand corner.
Step 2. Name the policy “Allow-IT-apps” then select “Activity2” for Tags using the drop-down list.
Step 3. Select the Source tab. Click Add in the “Source Zone” box, then select Trust.
Note: in the latest PAN-OS release you can also add a Device-ID under Source Device to control traffic
from a particular source device.
Step 4. Select the Destination tab. Click Add in the “Destination Zone” box, then select Untrust.
Step 5. Click the Application tab, then click Add. Type “IT-apps,” then select it.
“IT-apps” is a predefined application group that includes SSH, MS-RDP and other applications.
Step 6. Click the Service/URL Category tab, then click the drop-down menu above Service and change the default
setting from Application Default to Any.
Step 7. Click the Actions tab. Check that the action is set to Allow, then click OK.
Step 8. Click and drag the policy “Allow-IT-apps” above the “UTD-Policy-04” rule.
Step 9. Click Commit to commit all the changes. Click Close once the commit has completed.
Step 10. Select Objects > Application Groups to review which applications are included in the “IT-apps” application
group. There are also some industry-specific application groups, created to highlight common
applications used in those industries. Review those application groups to learn about the
applications that the Palo Alto Networks Next-Generation Firewall supports for those industries.
You can hover the pointer over “IT-apps”, click the down arrow, then click Value to review what is in
“IT-apps”.
Task 2 – Check application connectivity
Step 1. Use the PuTTY application on the desktop.
Step 2. Load the “SSH server (standard port 22)” profile and SSH to the “SSH-Server” (172.16.1.101)
using the standard port 22. Log in with:
Login: student
Password: utd135
Question:
• Can you log in?
• Yes – you should be able to log in.
Step 3. Close the SSH session. Load the profile for the SSH server (172.16.1.101) again, this time using the
non-standard port 443.
Question:
• Can you log in using the non-standard port?
• Yes – you should be able to log in.
Step 4. Close the PuTTY application.
Step 5. Click the Monitor tab, then click the Traffic log on the firewall GUI. Search for application SSH on port 22
or 443.
Questions:
• What query string did you type into the search box?
• Was the application allowed?
Task 3 – Modify Security Policy
Step 1. Select the Policies > Security. Click the “Allow-IT-apps” security policy created in Task 1.
Step 2. Click the Service/URL Category tab, then click the drop-down menu above Service and change Any to
Application Default, then click OK. The “Application Default” option only matches an application on its
default port and protocol, so the same application seen on a non-standard port no longer matches this rule
and falls through to the rest of the rulebase (in this lab, the interzone-default deny). Note that a later rule
that allows the application with Service set to Any would still let it through, so check the rule order when
you tighten a rule this way.
Step 3. Click Commit and Close once the commit has completed.
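Why the Service setting matters, as an added example (Python written for this page, not code from the workshop guide or from Palo Alto Networks): a toy model of first-match security-rule evaluation in which the only difference between the Task 1 rule and the Task 3 rule is Service any versus application-default. The application-default port table, the session records and the zone names are assumptions constructed for the example; the real firewall takes the default ports from its App-ID content.

```python
"""Toy model of PAN-OS security-rule evaluation: first match wins, and the
Service setting decides whether an identified application is allowed on
the port it was seen on. Added example, not code from the workshop guide."""
from dataclasses import dataclass

# Assumed application-default ports for the IT-apps used in the lab. The real
# values come from the App-ID content database; these are the well-known ones.
APP_DEFAULT_PORTS = {
    "ssh": {("tcp", 22)},
    "ms-rdp": {("tcp", 3389)},
    "telnet": {("tcp", 23)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    applications: frozenset   # App-ID names, or frozenset({"any"})
    service: str              # "any", "application-default" or "tcp/443"
    action: str = "allow"


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    app: str                  # App-ID result, e.g. "ssh"
    proto: str
    dport: int


def service_matches(rule: Rule, sess: Session) -> bool:
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # Only the app's own default port/protocol qualifies.
        return (sess.proto, sess.dport) in APP_DEFAULT_PORTS.get(sess.app, set())
    proto, port = rule.service.split("/")          # explicit service object
    return sess.proto == proto and sess.dport == int(port)


def rule_matches(rule: Rule, sess: Session) -> bool:
    return (rule.from_zone == sess.from_zone
            and rule.to_zone == sess.to_zone
            and ("any" in rule.applications or sess.app in rule.applications)
            and service_matches(rule, sess))


def evaluate(rulebase: list[Rule], sess: Session) -> tuple[str, str]:
    """Return (rule name, action) of the first matching rule; with no match,
    the implicit interzone-default rule denies."""
    for rule in rulebase:
        if rule_matches(rule, sess):
            return rule.name, rule.action
    return "interzone-default", "deny"


IT_APPS = frozenset({"ssh", "ms-rdp", "telnet"})   # stands in for the IT-apps group


def allow_it_apps(service: str) -> Rule:
    """The Allow-IT-apps rule from Activity 2 with the given Service setting."""
    return Rule("Allow-IT-apps", "Trust", "Untrust", IT_APPS, service)


# Constructed sessions: SSH to the lab SSH server on its default and on a
# non-standard port, plus RDP on its default port.
SESSIONS = {
    "ssh-22":   Session("Trust", "Untrust", "ssh", "tcp", 22),
    "ssh-443":  Session("Trust", "Untrust", "ssh", "tcp", 443),
    "rdp-3389": Session("Trust", "Untrust", "ms-rdp", "tcp", 3389),
}


def outcomes(service: str) -> dict[str, str]:
    """Action for each sample session under a one-rule rulebase (Task 1 vs Task 3)."""
    rulebase = [allow_it_apps(service)]
    return {label: evaluate(rulebase, s)[1] for label, s in SESSIONS.items()}


if __name__ == "__main__":
    for svc in ("any", "application-default"):
        print(f"service {svc}: {outcomes(svc)}")
    # service any:                 ssh-443 is allowed (Task 2)
    # service application-default: ssh-443 hits interzone-default and is denied (Task 4)
```

Run it and the SSH-on-443 session flips from allow to deny once the Service is application-default: it does not match the rule at all, so it reaches the implicit interzone-default deny. Append a second Rule with service "any" to the list passed to evaluate() and the same session is allowed again by that later rule, which is the rule-order caveat from Task 3.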
Task 4 – Re-check applications on non-standard ports
Step 1. Use the PuTTY application on the student desktop.
Step 2. SSH to 172.16.1.101 again on port 443 using PuTTY. Did you get a login prompt?
• You should not get the login prompt this time.
Step 3. Close the PuTTY application and click the “Monitor” tab, then click the “Traffic” log on the firewall GUI.
Step 4. Search for application SSH on port 443.
Questions:
• What query string did you type into the search box?
• Was the application allowed?
End of Activity 2
Activity 3 – Policy Optimizer
Background: If you have just migrated a port-based policy to PAN-OS, you may still have many port-based
rules in your PAN-OS configuration. Policy Optimizer is a feature introduced in PAN-OS 9.0 that
identifies port-based rules and shows you the applications seen by each rule, so you can convert them to
application-based whitelist rules or add applications to existing rules without compromising application
availability.
In this activity you will:
• Review what applications are passing through the port-based policy
• Enhance your security posture by creating application-based policy with Policy Optimizer
Task 1 – Policy Optimizer Helps you to Convert Port-Based Policy to
Application-Based Policy
Step 1. In the “Policies” tab, click on the “Security”, note the “Policy Optimizer” window on the lower left.
Step 2. Click “No App Specified” to open the window that shows security policies that have no application
specified. In our lab, the “Port-based-Policy” rule is configured with Any for applications and a list of open
ports. Can you tell which common ports are open for this rule?
Step 3. Click “Port-based-Policy” under Name to open the rule window and review the rule.
Step 4. Review the “Application” tab and the “Service/URL Category” tab. This rule is configured with “Any” for
Applications and “common-ports” in Service/URL Category. Close the policy rule window.
Step 5. In the “No App Specified” window, in the “App Usage / App Seen” column, you can see how many
applications this policy has seen or allowed. Click on “Compare” to open the Applications & Usage
window.
Note that you can change the “Timeframe” to see when these applications were seen.
Step 6. Select an application (e.g., google-base) with the check box. Note that you now have the option to decide
what to do with it: “Create Cloned Rule” with this application, “Add to This Rule” or “Add to Existing Rule”.
Step 7. As an example, in this lab we will use “Create Cloned Rule”, which allows us to keep the original rule.
Click “Create Cloned Rule”, enter “Port-2-App-Rule” and click “OK”.
Step 8. Go back to Policies > Security and notice that the new “Port-2-App-Rule” has been added above the original “Port-based-Policy”. More importantly, the new rule is an application-based policy, not a port-based policy.
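The log filter used in Activity 1 Task 3 and the App Seen view used in this task, as an added example (Python written for this page, not the firewall's own code): it reads a constructed traffic-log CSV export, applies a small subset of the Monitor > Logs filter syntax (eq/neq clauses joined by and), and summarises which applications each rule has allowed, which is what Policy Optimizer's Compare window shows. The sample rows, IP addresses and column subset are constructed for the example and are not real lab data.

```python
"""Filtering a PAN-OS traffic-log export and summarising which applications a
port-based rule has let through, the way the Monitor > Logs > Traffic filter
and Policy Optimizer's App Seen view do. Added example, not code from the
workshop guide; the CSV below is constructed and uses a subset of the export's
columns."""
import csv
import io
from collections import defaultdict

# Constructed sample export (assumed column subset; addresses are made up).
SAMPLE_TRAFFIC_CSV = """\
receive_time,type,subtype,src,dst,rule,app,dport,action
2021/06/07 10:01:02,TRAFFIC,deny,10.0.1.50,157.240.1.35,interzone-default,facebook-base,443,deny
2021/06/07 10:05:10,TRAFFIC,end,10.0.1.50,157.240.1.35,UTD-Policy-00,facebook-base,443,allow
2021/06/07 10:05:11,TRAFFIC,end,10.0.1.50,142.250.1.1,Port-based-Policy,google-base,443,allow
2021/06/07 10:06:00,TRAFFIC,end,10.0.1.50,10.0.1.2,Port-based-Policy,dns,53,allow
2021/06/07 10:07:30,TRAFFIC,end,10.0.1.50,13.107.4.50,Port-based-Policy,ms-update,80,allow
2021/06/07 10:08:00,TRAFFIC,end,10.0.1.50,172.16.1.101,Allow-IT-apps,ssh,443,allow
2021/06/07 10:09:00,TRAFFIC,deny,10.0.1.50,172.16.1.101,interzone-default,ssh,443,deny
"""


def load_rows(text: str) -> list[dict]:
    """Parse the CSV export into one dict per log entry."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_filter(expr: str) -> list[tuple[str, str, str]]:
    """Parse a small subset of the GUI filter syntax: clauses such as
    '( field eq value )' or 'field neq value', joined by 'and'."""
    clauses = []
    for clause in expr.split(" and "):
        tokens = clause.replace("(", " ").replace(")", " ").split()
        if len(tokens) != 3 or tokens[1] not in ("eq", "neq"):
            raise ValueError(f"unsupported filter clause: {clause!r}")
        clauses.append((tokens[0], tokens[1], tokens[2]))
    return clauses


def filter_rows(rows: list[dict], expr: str) -> list[dict]:
    """Return the entries matching every clause of the filter expression."""
    clauses = parse_filter(expr)

    def keep(row: dict) -> bool:
        for field, op, value in clauses:
            hit = row.get(field) == value
            if (op == "eq") != hit:      # eq needs a hit, neq needs a miss
                return False
        return True

    return [r for r in rows if keep(r)]


def apps_seen_by_rule(rows: list[dict]) -> dict[str, list[str]]:
    """Policy Optimizer-style view: the applications each rule has allowed,
    which is the candidate list for an application-based replacement rule."""
    seen = defaultdict(set)
    for r in rows:
        if r["action"] == "allow":
            seen[r["rule"]].add(r["app"])
    return {rule: sorted(apps) for rule, apps in seen.items()}


def app_ports(rows: list[dict], app: str) -> list[int]:
    """Distinct destination ports an application was allowed on; anything
    beyond the application-default port is a non-standard-port finding."""
    return sorted({int(r["dport"]) for r in rows
                   if r["app"] == app and r["action"] == "allow"})


if __name__ == "__main__":
    rows = load_rows(SAMPLE_TRAFFIC_CSV)
    print(len(filter_rows(rows, "( subtype eq deny )")), "denied sessions")
    allowed_fb = filter_rows(rows, "( app eq facebook-base ) and ( action eq allow )")
    print("facebook-base allowed by", allowed_fb[0]["rule"], "on port", allowed_fb[0]["dport"])
    print(apps_seen_by_rule(rows))
    print("ssh allowed on ports", app_ports(rows, "ssh"))
```

The filter answers the two questions from Activity 1 Task 3 (action and port of the facebook-base entries), and apps_seen_by_rule() gives the same list for Port-based-Policy that the Compare window shows, which is what you clone or add into Port-2-App-Rule. Run against a real export, app_ports() is a quick way to spot applications the port-based rule has been allowing on non-standard ports before you switch the new rule to application-default.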
Task 2 – Enhanced Security in Application-Based Policy
Step 1. Open the “Port-2-App-Rule” created in the previous task. Note that the policy is identical to the original
“Port-based-Policy” (same Source and Destination zones) except for the application that was added
through Policy Optimizer.
Step 2. Go to “Service/URL Category” and notice that “common-ports” is still selected, as in the original policy.
Step 3. Remove “common-ports” using the check box; “application-default” is then selected by default. This
restricts the selected applications to their application-default ports and greatly improves
the security of this policy.
Step 4. In the “Actions” tab, select “Profiles” for “Profile Type” and select “default” for Antivirus, Vulnerability
Protection and Anti-Spyware.
Step 5. Commit the changes. You have now created an application-based policy and attached security profiles
that add threat protection for these applications.
Task 3 – Move Other Application
Now that you have started an application-based policy with enhanced security protection, you can easily
move the other applications to it.
Step 1. Go back to the “No App Specified” window and click “Compare” for the “Port-based-Policy”.
Step 2. Select the applications “dns” and “ms-update” using the check boxes.
Step 3. Click “Add to Existing Rule” and select “Port-2-App-Rule” (created in Task 1) from the Name drop-down
list, then click “OK” to add these two apps to the rule.
Step 4. Go to the Security node and review “Port-2-App-Rule”; you should see that the two applications have now
been added to the application-based policy.
Step 5. Commit to save the changes. Notice that you do not need to know the default port for “dns”; the
“application-default” setting in the policy takes care of that.
Over time, you should be able to move all the applications you want to allow into application-based policy,
protect them with security profiles, and remove the unnecessary port-based rules.
Note: you can also use Policy Optimizer to create a rule that blocks a specific application if you discover an
unwanted application passing through the port-based policy.
End of Activity 3
Activity 4 – Decryption
Background: More and more traffic is being encrypted with SSL by default. This makes it difficult to allow
and scan that traffic, yet blindly allowing it is very risky. Policy-based SSL decryption allows you to
decrypt applications, apply security policy, then re-encrypt and send the traffic to its final destination.
Policy considerations include which applications or web traffic to decrypt and then applying the
appropriate protection to prevent malware propagation and data/file transfers.
PAN-OS features to be used:
• Decryption policy.
• Logging and reporting for verification.
In this activity you will:
• Add a new decryption policy to decrypt SSL traffic.
Task 0 – Check connectivity to lab web server
Step 1. On your desktop, open a browser and select “UTD Lab Web Server” from the Lab – Bookmarks > Activity-4
folder.
This website looks like a legitimate lab web server. Let’s download files from this site and see whether the
downloads work.
Task 1 – Download test
Step 1. Download the Apache configuration file, under the “Configuration Overview” section by clicking the “here”
hyperlink.
Step 2. Are you able to download the configuration file?
The download should fail because the file is infected, and the NGFW antivirus inspection has stopped the
download.
Step 3. Try to download the full manual from the “manual” link.
Are you able to download the manual file?
The download should fail because the file is infected, and the NGFW antivirus inspection has stopped the
download.
Step 4. Mouse over the “Configuration file (secure download)” hyperlink; notice that this download uses
“https://” instead of “http://”. Click the hyperlink to download the file.
Are you able to download the configuration file?
The download should succeed because the download channel is encrypted (HTTPS), so without decryption the
firewall cannot inspect the file and the antivirus profile never sees it. The browser will open the file and
show you the content.
Task 2 – Add a new decryption policy
We will create a decryption policy that decrypts web (SSL/TLS) traffic going to an unknown site.
Step 1. Go to the firewall management GUI, click the “Policies” tab, then click the “Decryption” node.
Step 2. Click “Add” in the lower left-hand corner.
Step 3. In the “Decryption Policy Rule” pop-up; name the policy “UTD-Decryption-02”, then select “Activity4”
under “Tags.”
Step 4. Click the “Source” tab. Click “Add” in the box labeled “Source Zone.” Then select “Trust”.
Step 5. Click the “Destination” tab. Click “Add” in the box labeled “Destination Zone.” Then select “Untrust.”
Step 6. In the “Service/URL Category” tab, add “unknown” under the URL Category.
Step 7. Click the “Options” tab, then select “decrypt” for “Action.” Leave the “Type” selection as “SSL Forward
Proxy”. Click the Decryption Profile drop-down menu and select New Decryption Profile.
Step 8. In the Decryption Profile window, click in the Name field and name the profile “Decrypt-TLS-1.3”.
Step 9. Click the SSL Protocol Settings tab. In the Protocol Version section, click the Max Version drop-down
menu and select TLSv1.3.
PAN-OS 10.0 supports TLSv1.3 decryption in all modes (SSL Forward Proxy, SSL Inbound Inspection, SSL
Decryption Broker, and SSL Decryption Port Mirroring). TLSv1.3 is the latest version of the TLS protocol and
brings both security and performance improvements.
Note: For websites that don’t support TLSv1.3, the firewall negotiates the highest TLS version the server
supports, but never lower than the profile’s Min Version; the Min Version setting is what prevents a
downgrade to weak protocol versions.
Step 10. Click OK to save the Decryption Profile settings.
Step 11. Click OK to close the Decryption Policy Rule window. Your decryption policy should be similar to below
screen.
Step 12. Commit all changes and click “Close” once the commit is completed.
Task 3 – Retest secure download
Step 1. In the browser, go back to the UTD lab web server, then click the “Configuration file (secure download)”
link again. You will need to click “Yes” on the SSL Inspection prompt to continue with the download. The
prompt appears because the certificate the browser now receives is re-signed by the firewall’s forward
trust CA, which this browser does not trust; in production you would distribute that CA certificate to
managed endpoints so users never see such a warning.
Step 2. Are you able to download through the secure download?
The download should fail because the file is infected, and the antivirus inspection can now stop the
download after the session is decrypted.
Task 4 – Review traffic logs
Step 1. Navigate to Monitor > Logs > Threat.
Step 2. Select the latest entry in the “Threat” log, then click the spyglass icon next to the log entry to view the log
details.
Notice that under the “Flags” category, there is a checkmark to indicate this particular session is
decrypted.
Step 3. To view the SSL activity in the Application Command Center (ACC), select the ACC tab and click SSL
Activity to view the amount of decrypted and non-decrypted traffic by sessions or bytes.
Note: The SSL Activity widgets in the ACC tab are a new feature in PAN-OS 10.0 that provides enhanced
visibility into SSL/TLS traffic, which lets you troubleshoot decryption issues and identify traffic that uses
weak algorithms and protocols.
We will look at the ACC in more depth toward the end of the lab.
End of Activity 4
Activity 5 – Modern Malware Protection with ML-Powered
Analysis
Background: Modern malware is at the heart of many of today's most sophisticated network attacks and
is increasingly customized to avoid traditional security solutions. WildFire™ exposes targeted and
unknown malware through direct observation in a virtual environment, while the ML-Powered NGFW
ensures full visibility and control of all traffic, including tunneled, evasive, encrypted and even unknown
traffic. Policy considerations include which applications to apply to the WildFire file blocking/upload
profile.
PAN-OS features to be used:
• Profiles: anti-virus, spyware, file blocking, and WildFire.
• WildFire signatures real-time update and WildFire portal.
• Logging and reporting for verification.
In this activity you will:
• Review the existing WildFire analysis profile.
• Add the WildFire Analysis profile to an existing security policy.
• Enable WildFire Inline ML-Powered analysis.
Task 1 – Enable WildFire analysis on a security policy
Step 1. Select the Policies > Security and then click UTD-Policy-01 to update the security rule.
Step 2. Click the Actions tab within the Security Policy Rule pop-up.
Step 3. In the Profile Setting section, select the default from the drop-down menu next to WildFire Analysis.
Step 4. Click OK to close the pop window.
Step 5. Now, let’s review the WildFire Analysis default profile.
Step 6. Click the Objects tab, then click the WildFire Analysis node (found under Security Profiles).
Step 7. Click the profile name default, then review the default WildFire Analysis profile. Notice that the default
profile sends any file type from any application to the WildFire public cloud service.
NOTE: With a WildFire subscription, the ML-Powered NGFW can forward unknown files and email links to the
WildFire public global cloud or to the WildFire regional clouds (Europe, UK and Japan) that Palo Alto
Networks owns and maintains. In this lab we use the default profile and send unknown files to the
WildFire public global cloud for analysis.
Step 8. Click Cancel to close the WildFire analysis profile.
Task 2 – Configure Real-Time Updates of WildFire Signatures
PAN-OS 10.0 supports real-time retrieval of WildFire signatures: when a new signature is created, the signature
content is streamed down to the firewall within single-digit seconds. This gives the firewall access to signatures
as soon as they are generated, greatly minimizing the window in which malware can infiltrate the network.
To enable real-time WildFire signature updates:
Step 1. Click on the Device tab and then click on Dynamic Updates on the bottom left.
Step 2. Click on Check Now to retrieve the latest signature update packages.
Step 3. Click None (Manual) next to Schedule in the WildFire section.
Step 4. Select Real-time from the drop-down next to Recurrence.
Step 5. Click OK to close the pop-up window.
Step 6. Commit all the changes and click Close once the commit is completed.
Task 3 – Test WildFire modern malware protection
Step 1. To download a WildFire test file, open the browser and enter the following URL in the address bar, or click
the WildFire Test File bookmark:
http://wildfire.paloaltonetworks.com/publicapi/test/pe
Note: Ignore the Chrome browser warning about downloading an .exe file by clicking the “Keep”
button.
Repeat the download a few times. Each file is different and will trigger a new upload to the WildFire
cloud.
Step 2. The browser automatically downloads a “wildfire-test-pe-file.exe” sample file. Check your “Downloads”
folder to confirm the download.
Note that this sample changes every time it is downloaded, so its hash has never been seen before and it
should bypass most signature-based antivirus scans.
Task 4 – Review the WildFire analysis results
Step 1. To view the sample file that has been sent to WildFire, go back to the firewall GUI, then click the Monitor
tab. Click on the WildFire Submissions node and then review the results returned from the WildFire
service.
NOTE: It may take about 5-10 mins for the WildFire Submissions log to appear.
Step 2. When you see the entry, click the “Details” icon next to the top log entry. In the “Log Info” tab, you can
view the basic info of the file and the application that carries that file.
Step 3. Click the WildFire Analysis Report tab to view the details on the analysis results. Under WildFire
Analysis Summary, the “Verdict” indicates that the submitted file is malware, and you can download the
malware file directly from the “Sample File” tab.
Step 4. Under the WildFire Analysis Report tab, you can scroll down to see the behavior of the malware on
different operating systems. “Virtual Machine 1” is configured with Microsoft® Windows XP; review the
behavior and activity of the malware there. Click “Virtual Machine 2” to review the malware behavior and
activity in Windows 7.
Step 5. Click the VirusTotal link under Coverage Status on the report; it opens the VirusTotal page for the
sample’s hash. Because each test file has a new hash and has never been seen before, VirusTotal will
have no information on this sample.
Step 6. Explore the other features offered in the WildFire Analysis Report, such as downloading the sample
file or downloading the WildFire Analysis report as a PDF.
Task 5 – Enable WildFire Inline ML-Powered Analysis
PAN-OS 10.0 adds WildFire Inline ML, which stops unknown weaponized files and malicious scripts instantly,
inline on the ML-Powered NGFW, without having to hold the files while waiting for a cloud verdict.
Step 1. Navigate to Objects > Security Profiles > Antivirus, then click the “UTD-AV-01” profile.
Step 2. Select the WildFire Inline ML tab.
Step 3. Change the Action Setting for Windows Executable, PowerShell Script 1 and PowerShell Script 2 from
disable to enable.
Note: WildFire Inline ML inspects files at line speed and blocks malware variants of portable executables
and PowerShell files, which account for a disproportionate share of malicious content. Palo Alto Networks
states that the ML-based engine can prevent up to 95% of threats inline without requiring analysis by the
WildFire cloud; for the rest, protections are delivered in seconds from what it describes as the world’s
largest cloud-native detection and prevention engines.
Step 4. Click OK to exit the Antivirus Profile configuration window.
Step 5. Commit all the changes and click Close once the commit is completed.
Note: The WildFire machine learning model is trained with over 20 million new malware samples daily.
Because the inline machine learning models are continually retrained and tuned to adapt to the changing
real-world threat landscape, specific point-in-time test samples may not yield consistent results.
Below is an example of the Threat log and the detailed log view for a malicious PE and PS file detected by the
ML-Powered NGFW.
End of Activity 5
Activity 6 – ML-Powered URL Filtering
Application control and URL Filtering complement each other, providing you with the ability to deliver
varied levels of control that are appropriate for your security profile. Policy considerations include URL
category access; which users can (or cannot) access the URL category; and the prevention of malware
propagation.
PAN-OS features to be used:
• URL Filtering category match.
• Logging and reporting for verification.
In this activity you will:
• Modify the behavior of the URL Filtering functionality.
Task 0 – Check connectivity
Step 1. Open a new tab and select Gambling.com from the Lab – Bookmarks > Activity-6 folder (you should be
able to open this page).
Task 1 – Modify the URL Filtering Profile and Configure Security-Focused URL
Categories
Security-focused URL categories enable you to implement simple security and decryption policies based on
website safety, without requiring you to research and individually assess the sites that are likely to expose you to
web-based threats. These categories reduce the attack surface by providing targeted decryption and
enforcement for sites that pose varying levels of risk but are not confirmed malicious. Websites keep a
security-related category only as long as they meet the criteria for that category; as site content changes, policy
enforcement adapts dynamically. The security-focused categories are High-Risk, Medium-Risk, Low-Risk and
Newly-Registered-Domains.
Step 1. Go to the firewall web GUI. Select Objects > URL Filtering (in the “Security Profiles” section) and
then click UTD-URL-filter-01 to update the URL Filtering profile.
Step 2. Search for the “Gambling” category, then change the Site Access from “Alert” to “Continue”.
Note that you have the option to control if “User Credential Submission” is allowed as part of the PAN-OS
credential theft prevention feature. We will not dive into that in this lab but please talk to your instructor if
you want to learn more about credential theft prevention.
Step 3. Search for the “high-risk” category, then change Site Access and User Credential Submission to
“continue”.
The “continue” action presents the user with a response page indicating that the site has been blocked due to
company policy, together with the option to continue to the website.
The continue action improves the user experience by giving users the option to proceed if they believe the site
is incorrectly categorized, while still logging the visit.
Step 4. Search for the “newly-registered-domain” category, then change Site Access and User Credential
Submission to “alert”.
The “alert” action allows the user to access sites in this category, but a log entry is generated in the URL
Filtering log. The “allow” action does not generate a URL Filtering log entry, so it leaves no trace for later
investigation.
Step 5. As a best practice, the “UTD-URL-filter-01” profile is configured with the “block” action for the following
URL categories: “malware”, “phishing”, “command-and-control”, “proxy-avoidance-and-anonymizers” and
“unknown”. Review the settings for these categories.
Step 6. Explicit custom “allow” and “block” lists can be configured in the URL Filtering profile. To see the two
preconfigured allow and block lists, go to “URL Category” under “Custom Objects” and review the
URLs in the lists.
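A URL normally carries more than one category (a content category such as gambling plus a risk category such as high-risk), and PAN-OS enforces the most severe action configured across all of them: block > override > continue > alert > allow. The following model, added as an example and not part of the workshop guide, applies that precedence to the actions configured in UTD-URL-filter-01 above. The sample lookups and the fallback of “allow” for categories the lab does not touch are constructed assumptions, not PAN-DB data.

```python
"""How a PAN-OS URL Filtering profile resolves one verdict when a URL carries
several categories (a content category plus a risk category).

Added example, not part of the workshop guide. PAN-OS applies the most severe
configured action across all matching categories: block > override > continue
> alert > allow. Only "allow" leaves no URL Filtering log entry.
"""
SEVERITY = {"block": 4, "override": 3, "continue": 2, "alert": 1, "allow": 0}

# Site Access actions as configured on UTD-URL-filter-01 in this activity.
# Categories not listed are assumed to use the profile's default of "allow".
UTD_URL_FILTER_01 = {
    "gambling": "continue",
    "high-risk": "continue",
    "newly-registered-domain": "alert",
    "malware": "block",
    "phishing": "block",
    "command-and-control": "block",
    "proxy-avoidance-and-anonymizers": "block",
    "unknown": "block",
}

# Constructed lookups standing in for PAN-DB results; real sites may differ.
SAMPLE_LOOKUPS = {
    "www.gambling.com": ["gambling", "medium-risk"],
    "brand-new-login.example": ["newly-registered-domain", "high-risk"],
    "files.example": ["computer-and-internet-info", "low-risk"],
    "evil.example": ["malware", "high-risk"],
}


def resolve(categories, profile, default="allow"):
    """Return (action, category that decided it, whether a log entry is written).

    The category that first raises the severity wins; a later category with the
    same severity does not replace it.
    """
    action, decided_by = default, None
    for cat in categories:
        cat_action = profile.get(cat, default)
        if SEVERITY[cat_action] > SEVERITY[action]:
            action, decided_by = cat_action, cat
    return action, decided_by, action != "allow"


def evaluate_all(lookups=SAMPLE_LOOKUPS, profile=UTD_URL_FILTER_01):
    """Resolve every sample URL against the profile."""
    return {url: resolve(cats, profile) for url, cats in lookups.items()}
```

The brand-new-login.example case is the one to notice: the “alert” you set on newly-registered-domain never decides the outcome for that site, because its high-risk category carries the stricter “continue” action. When you tune a single category and the log shows a different action, look for the other categories on the same URL.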
Task 2 – Configure Inline ML-Powered Analysis
URL Filtering in PAN-OS 10.0 adds machine learning (ML) based inline prevention to identify and block new,
never-before-seen phishing pages and JavaScript-based attacks as the page is fetched.
To enable Inline ML in the URL Filtering profile:
Step 1. Select the Inline ML tab and, in the Action column, change the Phishing Detection and JavaScript Exploit
Detection settings from allow to block.
Step 2. Click OK to close URL Filtering Profile window.
Task 3 – Apply URL Filtering to the security policy
Step 1. Select the Policies > Security and click the rule “UTD-Policy-01”, the “Security Policy Rule” pop-up will
appear.
Step 2. Click the Actions tab within the pop-up.
Step 3. In the “Profile Setting” section, select the UTD-URL-filter-01 from drop-down menu next to “URL
Filtering”.
Step 4. Click OK.
Step 5. Commit all the changes and click Close once the commit is completed.
Task 4 – Test URLs and Review the URL Filtering Logs
Step 1. Open a new browser tab (on the Student Desktop), select the Lab – Bookmarks > Activity-6 folder and
click Top Bet. If a cached page appears, press CTRL + F5 to reload the page.
The web page is blocked, but you have the option to continue to the page.
Step 2. Click “Continue” to open the web page.
Step 3. To review the URL filtering logs go to Firewall WebUI and Click the “Monitor” tab, then click the “URL
Filtering” node under the “Logs” section.
Step 4. Locate a recent log entry with Action “continue”.
Step 5. Click the spyglass icon to review the details of the detected URL.
Step 6. In the “Details” section, review the URL, category and action recorded for the session.
Step 7. Click Close to go back to the URL Filtering log page.
To learn more about how Palo Alto Networks delivers inline machine learning, download the Inline Machine
Learning Solution Brief from Palo Alto Networks:
https://www.paloaltonetworks.com/resources/techbriefs/inline-machine-learning
End of Activity 6
Activity 7 – GlobalProtect: Safely Enable Mobile Devices
Mobile computing is one of the most disruptive forces in information technology. It is revolutionizing how
and where employees work, and the tools they use to perform their jobs. GlobalProtect™ from Palo Alto
Networks safely enables mobile devices for business use by providing a unique solution to manage the
device, protect the device and control the data.
PAN-OS features to be used:
• GlobalProtect Portal and Gateway.
• GlobalProtect Client Application.
In this activity you will:
• Complete the GlobalProtect Portal configuration in the lab environment to allow GlobalProtect
clients to connect to the GlobalProtect Gateway.
• Use the GlobalProtect client application to connect to the GlobalProtect Gateway and verify the
traffic is being protected by the ML-Powered NGFW.
Task 1 – Review the GlobalProtect Portals and Gateways configuration
Step 1. From VM-Series firewall web GUI select Network > Portals (under the “GlobalProtect” node) and then
click the UTD-GP-Portal to open the GlobalProtect Portal configuration window.
Step 2. Select the Agent tab on the left-hand side of the window and then click the UTD-GP-Portal-ClientCfg.
Step 3. In the “Configs” window, go to the External tab.
Notice the “Address” field in “External Gateways” section. In our lab, VM-Series firewall ethernet1/1
interface IP address is configured as an external Gateway.
Step 4. Click Cancel twice to go back to Portals page.
Step 5. Select Gateways (under the “GlobalProtect” node) and then click the UTD-GP-GW to open the
GlobalProtect Gateway configuration window.
Step 6. Select the Authentication tab on the left-hand side of the window.
Notice that the Block login for quarantined devices checkbox is enabled. In PAN-OS 10.0 this setting
blocks a GlobalProtect user’s attempt to connect to the GlobalProtect gateway if the user’s device has been
identified as compromised and quarantined. You will learn more about device quarantine in later
activities.
Step 7. Click Cancel to go back to Gateways page.
Task 2 – Log into GlobalProtect from the Mobile PC (GlobalProtect)
Step 1. Click the “Mobile PC (GlobalProtect)” tab at the top of the page to go to the mobile PC console.
Step 2. Open the Chrome browser and test Internet connectivity using public websites from the Lab bookmarks,
such as CNN or Facebook. You should be able to connect to the Internet directly from this device.
Note: This device is not sitting behind the VM-Series firewall. You can verify this by going to the website
(www.gambling.com) that was blocked in Activity 6. You should not see the block page.
Step 3. Open the GlobalProtect client from the system tray.
Step 4. In the GlobalProtect window, enter the GlobalProtect Portal IP 172.16.1.1 (in this lab the portal and the
external gateway share this address). [You can use the “Send Text” feature to paste 172.16.1.1 into the
“Send Text” window, then send it to the GlobalProtect window.]
Note: If you encounter connection problems, check that the portal IP is entered correctly in the “Portal”
field.
Step 5. In the “Sign In” window, enter the following username and password.
Username: joe
Password: utd135
Step 6. Once connected, you can see the GlobalProtect welcome page. To verify that GlobalProtect is connected
to the Portal, click the gear icon then select “Settings”. Go to the “Connection” tab.
Step 7. Check your Internet connectivity in the “Mobile PC (GlobalProtect)” by selecting some web pages from
the Labs – Bookmarks folder in the browser. When you try to go to www.gambling.com again, you should
see the blocked page.
Task 3 – Review Logs on the VM-Series firewall
Step 1. To view the “Mobile PC (w GlobalProtect)” VPN connection to the VM-Series firewall, go to the VM-Series
firewall web GUI.
Step 2. Select Monitor > Logs > GlobalProtect. Look for GP logs from the user “joe”. The GP logs show that user
“joe” has successfully authenticated to the GP Portal and Gateway.
Step 3. Now look for traffic logs from the “GP-VPN” zone, where you can see the traffic from the “Mobile PC
(GlobalProtect)”.
These traffic logs demonstrate that traffic from the “Mobile PC (GlobalProtect)” is now protected by the
firewall.
Notice that the username is also visible in the traffic log, which means user-based firewall policy can be
created from the user’s login information.
Note: the firewall policy, in this case “UTD-Policy-04” can be modified to safely enable the necessary
applications for remote users.
Step 4. Select Network > GlobalProtect > Gateways and click the Remote Users link under “Info” column to
open the user information window.
Step 5. Under the Current User tab in the “User Information” window, notice that the GlobalProtect client on the
Mobile PC collects host information such as computer name, operating system and more.
Note: The host-information profile (HIP) in GlobalProtect provides details about the condition
of the mobile laptop, smartphone or tablet, which can be used to make policy decisions about
the resources that the device can access. Please talk to your instructor for more information
about mobile security management through GlobalProtect.
Task 4 – Enable Identification and Quarantine of Compromised Devices
In PAN-OS 10.0, GlobalProtect can block compromised devices from your network. GlobalProtect identifies a
compromised device by its Host ID and serial number rather than by its source IP address, so the quarantine
follows the device even when its address changes (for example after a VPN reconnect).
In this task we will show you how you can enable the Host ID in traffic and threat logs and auto
quarantine a compromised device.
Step 1. To add Host ID information to the traffic and threat logs, navigate to Policies > Security and click the
policy name UTD-Policy-04 to open the policy window.
Step 2. Select the Actions tab, click the drop-down menu next to Log Forwarding in the Log Setting section, then
select GP-Auto-Quarantine-LFP.
Step 3. Click OK to close the Security Policy Rule.
Step 4. Click Commit to commit all the changes. Click Close once the commit has completed.
Step 5. Take a look at the Source tab of the UTD-GP-Quarantine-Deny policy. The “Source Device” field is set to
“quarantine”. This configuration is required to add the Host ID information to the traffic and threat logs.
Step 6. Click Cancel to close the Security Policy Rule window.
Step 7. Select the Mobile PC (GlobalProtect) tab and open a new browser tab then click on CnC-1/CnC-2 from
the Lab – Bookmarks folder.
The connection to the CnC site will not work and will eventually time out.
Step 8. Wait a few seconds and check the GlobalProtect connection status.
Step 9. The “Mobile PC” is identified as a compromised device and the connection is automatically terminated by
the VM-Series firewall GlobalProtect gateway.
Step 10. Close the browser.
Step 11. Now let’s take a look at why the Mobile PC (GlobalProtect) has been quarantined.
Task 5 – Review Log Forwarding Policy and Device Quarantine List
Step 1. To understand why the Mobile PC is quarantined, navigate to Objects > Log Forwarding and click GP-Auto-Quarantine-LFP.
This log forwarding profile defines a built-in “quarantine” action triggered by a match filter: if the Mobile PC
sends traffic to the URLs or IPs matched by the filter, the device is quarantined and added to the quarantine list.
Step 2. Click Cancel to close the Log Forwarding Profile window.
Step 3. To view the list of quarantined devices, select Device > Device Quarantine.
Notice the Reason field: “Auto Quarantine” means the device matched a filter in a log forwarding profile
attached to a policy.
Step 4. To remove the device from quarantine list, select the check box and click Delete and then click Yes.
Note: No commit is required to delete the entry from a Device Quarantine list.
Step 5. Take a look at GlobalProtect log by navigating to Monitor > Logs > GlobalProtect.
Do you see quarantined event type log entries?
Step 6. Go back to Mobile PC tab and check the GlobalProtect connection status.
NOTE: Make sure you have closed the browser window in previous task.
Step 7. GlobalProtect automatically restores the connection once the Mobile PC is removed from the device
quarantine list.
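The mechanism this activity walks through, as an added example that is not part of the workshop guide: a log forwarding filter promotes a matching traffic log into a quarantine entry, the gateway consults that list at login, and the list is keyed on the host ID rather than on the source IP. The CnC addresses, the host ID format and the filter itself are constructed for illustration; in PAN-OS the filter lives in the GP-Auto-Quarantine-LFP profile and the list under Device > Device Quarantine.

```python
"""Model of GlobalProtect auto-quarantine driven by a log forwarding profile.

Added example, not part of the workshop guide. The filter, CnC addresses and
log fields are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed: addresses the CnC-1/CnC-2 bookmarks are assumed to resolve to.
CNC_IPS = {"198.51.100.7", "198.51.100.8"}


@dataclass(frozen=True)
class TrafficLog:
    src_ip: str
    dst_ip: str
    user: str
    host_id: str          # GlobalProtect host ID reported by the client (assumed format)
    serial: str           # endpoint serial number
    url_category: str = ""


def matches_quarantine_filter(log: TrafficLog) -> bool:
    """Stand-in for the profile's filter: C2 category or a known CnC address."""
    return log.url_category == "command-and-control" or log.dst_ip in CNC_IPS


@dataclass
class DeviceQuarantine:
    """Quarantine list keyed on host ID, never on source IP."""
    entries: dict = field(default_factory=dict)   # host_id -> (serial, reason)

    def process(self, log: TrafficLog) -> bool:
        """Built-in 'quarantine' action of the log forwarding profile."""
        if matches_quarantine_filter(log):
            self.entries[log.host_id] = (log.serial, "Auto Quarantine")
            return True
        return False

    def gateway_allows_login(self, host_id: str) -> bool:
        """'Block login for quarantined devices' on the GlobalProtect gateway."""
        return host_id not in self.entries

    def release(self, host_id: str) -> None:
        """Device > Device Quarantine > Delete (no commit needed)."""
        self.entries.pop(host_id, None)


def demo() -> dict:
    """Walk through the lab scenario and return the decisions taken."""
    q = DeviceQuarantine()
    mobile_pc = dict(user="joe", host_id="6c1d3b2e-mobile-pc", serial="VM-MOBILE-01")

    # Ordinary browsing does not match the filter.
    q.process(TrafficLog("10.10.1.5", "203.0.113.10", url_category="news", **mobile_pc))
    benign_only = q.gateway_allows_login(mobile_pc["host_id"])

    # Clicking CnC-1 matches the filter and quarantines the device.
    q.process(TrafficLog("10.10.1.5", "198.51.100.7", **mobile_pc))
    after_cnc = q.gateway_allows_login(mobile_pc["host_id"])
    reason = q.entries[mobile_pc["host_id"]][1]

    # Another laptop that later gets the same tunnel IP is not blocked:
    # the gateway decision never looks at the IP, only at the host ID.
    other_device_same_ip = q.gateway_allows_login("9a7f5e1c-other-laptop")

    q.release(mobile_pc["host_id"])
    after_release = q.gateway_allows_login(mobile_pc["host_id"])

    return {
        "benign_only": benign_only,
        "after_cnc": after_cnc,
        "reason": reason,
        "other_device_same_ip": other_device_same_ip,
        "after_release": after_release,
    }
```

Because gateway_allows_login() takes a host ID and nothing else, the Mobile PC stays blocked even if it reconnects and receives a different tunnel address, while an uninvolved device that inherits the old address is unaffected. That is the practical difference between quarantining a device and blocking an IP.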
End of Activity 7
Activity 8 – Control Application Usage with User-ID
Understanding which users are related to which traffic on your network is more useful than just knowing
ports and IP addresses. Visibility and reporting based on users is more intuitive, and policies expressed
in terms of users (or groups) are a better match for expressing business-relevant security policies. You
will create a security policy using User-ID™ in this activity. You must successfully complete Activity 7
before you can continue with this activity.
PAN-OS features to be used:
• Create a security policy using User-ID
• Using GlobalProtect to validate the security policy
In this activity you will:
• Create a security policy to enable applications based on User-ID
• Ensure that access to the application is determined by individual user-IDs, even when multiple
users log in from the same device.
Task 1 – Validate access to SSH server
Step 1. On the “Mobile PC (GlobalProtect)”, connect to the SSH server used in Activity 3 using SSH. Open the
PuTTY application, then load the “SSH server (standard port 22)” session from the saved sessions to SSH into
172.16.1.101.
Click “Open.” Can you SSH to 172.16.1.101?
You should not be able to SSH to the server.
Step 2. From VM-Series firewall Web GUI select Monitor > Logs > Traffic. You should be able to see that traffic
on port 22 was being dropped.
Task 2 – Enable applications based on User-ID
Step 1. We will enable the security policy on the firewall to allow the user “joe” to use the SSH application. Select
the Policies > Security > UTD-Policy-05, and click Enable to enable the policy.
Once enabled, the policy will turn from light grey to blue.
Step 2. Click the policy name UTD-Policy-05 to open the policy window, then click the “Source” tab (note that
“joe” is the only user in this policy).
Step 3. Click the “Application” tab. (Note: “ping” and “ssh” are the only applications allowed in this policy.)
Check the “Application Default” setting in the “Service/URL Category” tab, which means SSH is only allowed
on its standard port.
Step 4. Click “Commit” to commit the changes.
Task 3 – Confirm access with User-ID
Step 1. Go back to the “Mobile PC (GlobalProtect)” (remember that you are logged in as “joe” in the
GlobalProtect client). Verify SSH access to the server at 172.16.1.101 using:
Login: student
Password: utd135
You should be able to log in to the SSH server now. End the SSH session after you are logged in.
Step 2. Go back to the GlobalProtect client window. Click on “Sign Out” in the upper right corner of the window.
Click “OK” in the “Remove User Credential” window.
Step 3. When the “Sign In” window appears, use the following credentials:
Username: peter
Password: utd135
The logged-in user is now “peter”.
Step 4. Use the PuTTY application to reconnect to the SSH server. You will see that the connection is
denied.
Step 5. Review the traffic log on the firewall to confirm that the source user is “peter” instead of “joe”, which is
why access to SSH is denied.
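The decision the firewall makes in this activity, modelled as an added example that is not part of the workshop guide or of PAN-OS: first-match evaluation over a rulebase where UTD-Policy-05 matches on the User-ID source user, on the applications ping and ssh, and on application-default service. The rule contents follow what the lab describes; the App-ID default-port table and the trailing deny rule are assumptions.

```python
"""First-match evaluation of a User-ID security rule with application-default.

Added example, not the firewall's code. Rule contents mirror what the lab
describes for UTD-Policy-05 (user joe, applications ping and ssh, service
application-default); the port table and the deny rule are assumed.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed App-ID default ports; ping has no transport port.
APP_DEFAULT_PORTS = {"ssh": {22}, "ping": set()}


@dataclass(frozen=True)
class Session:
    src_user: str        # supplied by User-ID (here from the GlobalProtect login)
    app: str             # App-ID result after identifying the traffic
    dst_port: Optional[int]


@dataclass(frozen=True)
class Rule:
    name: str
    users: frozenset     # empty frozenset means "any"
    apps: frozenset      # empty frozenset means "any"
    service: str         # "application-default" or "any"
    action: str
    enabled: bool = True

    def matches(self, s: Session) -> bool:
        if not self.enabled:
            return False
        if self.users and s.src_user not in self.users:
            return False
        if self.apps and s.app not in self.apps:
            return False
        if self.service == "application-default":
            ports = APP_DEFAULT_PORTS.get(s.app, set())
            if ports and s.dst_port not in ports:
                return False          # e.g. ssh on 2222 does not match
        return True


def build_rulebase(policy_05_enabled: bool) -> list:
    """The two rules that matter for this activity, in evaluation order."""
    return [
        Rule("UTD-Policy-05", frozenset({"joe"}), frozenset({"ping", "ssh"}),
             "application-default", "allow", enabled=policy_05_enabled),
        Rule("interzone-default", frozenset(), frozenset(), "any", "deny"),
    ]


def evaluate(session: Session, rulebase: list) -> tuple:
    """Return (rule name, action) of the first matching rule."""
    for rule in rulebase:
        if rule.matches(session):
            return rule.name, rule.action
    return "interzone-default", "deny"
```

The four cases worth checking are the ones the activity exercises: the rule disabled (Task 1, denied), joe over SSH on port 22 (allowed), peter over SSH on port 22 (denied because the user field does not match), and joe over SSH on a non-standard port (denied by application-default even though the user and application match).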
End of Activity 8
Activity 9 – Clientless VPN
Clientless VPN provides secure remote access to common enterprise web applications that use HTML,
HTML5, and JavaScript technologies. Users have the advantage of secure access from SSL-enabled web
browsers without installing GlobalProtect client software. This is useful when you need to enable partner
or contractor access to applications, and to safely enable unmanaged assets, including personal devices.
In this activity you will:
• Configure Clientless VPN access for accessing web applications
• Test the access from a mobile PC without VPN client installed
Task 1 – Configure Clientless VPN
Step 1. Select Network > GlobalProtect > Portals and then click “UTD-GP-Portal”.
Step 2. Go to “Clientless VPN” and the “General” tab, activate the “Clientless VPN” checkbox and configure it
with the following values:
Hostname: 172.16.1.1
Security Zone: Select “Trust” from the drop-down list
DNS Proxy: Select “Google-Public-DNS” from the drop-down list
Login Lifetime: 3 Hours
Inactivity Timeout: 30 Minutes
The result should look like this:
Step 3. Continue to the “Applications” tab, click “Add” at the bottom left.
Step 4. Configure the “Applications To User Mapping” with the following values:
Name: SSL-Portal-Apps
User/User Group: Any
Applications: Click Add at the bottom left to add these applications
Google Docs, Intranet, Office 365
Step 5. Click “Commit” to commit the changes.
Task 2 – Test the Clientless VPN access from Mobile PC
Step 1. Click the “Mobile PC (Clientless VPN)” tab at the top of the page to go to the mobile PC console.
Step 2. Open a web browser and enter the IP address “172.16.1.1” of the GlobalProtect Portal.
Note: Make sure to precede the IP with “https:// “
Step 3. Login to the GlobalProtect Portal with the following credentials:
Name: joe
Password: utd135
Step 4. Test the applications by clicking on the “Intranet” icons.
Step 5. The web application should open, please notice the URL showing that you are connected to the
Clientless VPN hostname.
Task 3 – Review Logs on the VM-Series firewall
Step 1. To review the logs on the firewall, select Monitor > Logs > GlobalProtect. Look for GP logs from user
“joe”. The GP logs show that user “joe” has successfully logged in to the GP Portal.
Step 2. Now click on Traffic and filter the log “(user.src eq joe)”. The log entries should show the Clientless VPN
traffic.
End of Activity 9
Activity 10 – ACC and Custom Reports
Background: Informative visualization tools and reports are very important to network and security
administrators, which enable them to monitor and identify potential network problems and attacks.
Comprehensive built-in visualization tools and reporting features in the firewall can provide visibility into
the network without requiring a complex logging infrastructure.
PAN-OS features to be used:
• Application Command Center (ACC).
o Built-in visualization tools that provide a clear view of the application, user and threat data
on your network.
o ACC in PAN-OS has been upgraded to reduce response time based on visual and
actionable data.
• Manage custom reports.
o Create a custom report using traffic stats logs.
Task 1 – Review Application Command Center (ACC)
Step 1. Click the “ACC” tab. The ACC is configured to automatically show data collected in the last hour. Change
the time range to “Last 6 Hrs” in the “Time” drop-down window to include all the data generated during
your lab session.
Step 2. There are six pre-defined tabs: “Network Activity”, “Threat Activity”, “Blocked Activity”, “Tunnel
Activity”, “GlobalProtect Activity” and “SSL Activity”. Under the “Network Activity” tab, you can see
the most used applications in the “Application Usage” widget. Please take a moment to review the other
widgets such as “User Activity,” “Source IP Activity,” “Destination Regions,” etc.
Step 3. In the “Application Usage” widget, you can click any tile to zoom into a group of applications or a single
application, for example the “General Internet” category or the “Networking” category.
The selection in the widget applies only to that specific widget. Mouse over the “App Category [general-internet]”
selection, and the “Add Global Filter” option will appear.
Step 4. Click “Add Global Filter” to apply the selection to all the widgets.
Step 5. To remove the global filter, click “Clear all,” or select a filter, then click the red “-” button to remove it.
Step 6. To customize a time range, go to the “User Activity” widget. Then select a start time and drag it through
the time axis to the end of the time range. Apply this to the widget. You can apply this time range to the
other widgets by clicking “Add Global Filter.”
Step 7. To remove the customized time range from the global filter, select a new time from the “Time” drop-down
menu (see Step 1) to reset the time range.
Task 2 – SaaS Application Usage Report
To maintain network security and ensure compliance with corporate policy, you must identify and monitor the use
of SaaS applications on your network. To meet this challenge, the Palo Alto Networks ML-Powered NGFW
includes a new SaaS Application Usage Report in PDF format to give you visibility into the SaaS applications. The
new report helps you identify the ratio of sanctioned versus unsanctioned SaaS applications in use on the
network. It also includes details on the top SaaS application subcategories by number of applications, by number
of users, and more. You can use the data from this report to define or refine security policy rules on the firewall to
block or monitor the use of unsanctioned SaaS applications on your network. This task will show you how to get
started with the SaaS Application Usage Report on the firewall.
Step 1. Click the “Monitor” tab, then click the “SaaS Application Usage” node under the “PDF Reports.”
Step 2. Click “Add” at the bottom of the window to open a new SaaS Application Usage report configuration
window.
Step 3. Name the report “SaaS App Usage Report,” then select “Last 7 Days,” and click “OK” to save it.
Step 4. You should see a new entry created. Click it again to re-open the report window; then click “Run Now” to
create the report.
Step 5. It will take a bit of time to create the report. When the report is done, you should see a new browser tab
open with the report. (You may need to disable the pop-up blocker in your browser to allow the report to
be opened in a new browser tab.)
Step 6. Take a closer look at the SaaS Application Usage Report; it contains a lot of useful data. Close the SaaS
Usage Report window after the report is created. (You can export the report as a PDF.)
Task 3 – Setting up a custom report
Step 1. Click the “Monitor” tab, then click the “Manage Custom Reports” node (second from last).
Step 2. Click “Add” (in the lower left), then name the report “Session Stats” (in the “Custom Report” pop-up).
Step 3. Use the following information to create this report:
o Database: Application Statistics
o Scheduled: Not Checked
o Time Frame: Last 6 Hrs
o Selected Columns: Application Name, App Category, App Sub Category, Risk of App, Sessions
o Sort By: Sessions: Top 10
Step 4. Click “Run Now” (at the top of the pop-up). A tab “Session Stats” will be created; review the report and
export the results as a PDF file.
Reports may also be scheduled by selecting the “Scheduled” checkbox in the “Custom Report” window.
These reports will run automatically at 2:00 a.m. daily.
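The two log-driven tasks in this lab, filtering the Traffic log by source user (Activity 9, Task 3, Step 2) and the “Session Stats” custom report (Activity 10, Task 3), can be reproduced offline against an exported log. The following script is an added example written for this guide; it is not Palo Alto Networks code and does not use the firewall API. The CSV rows are constructed to resemble a PAN-OS traffic log export, and the column names, the mapping from filter keywords such as `user.src` to those columns, the application names and the counts are all assumptions made for the example.

```python
"""Offline analogue of two GUI tasks from the lab: a PAN-OS-style Traffic log
filter such as "(user.src eq joe)" and a "Session Stats" report that counts
sessions per application and keeps the top N.

Added example, not Palo Alto Networks code. The sample export below is
constructed; real exports carry many more columns.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample of a traffic log CSV export (assumed column names).
# Each row is one session.
SAMPLE_TRAFFIC_CSV = """\
Receive Time,Source User,Source address,Destination address,Application,Category of app,Subcategory of app,Risk of app,Action
2021/06/07 10:01:02,joe,192.168.11.101,10.0.0.5,ssl,networking,encrypted-tunnel,4,allow
2021/06/07 10:01:05,joe,192.168.11.101,10.0.0.5,web-browsing,general-internet,internet-utility,4,allow
2021/06/07 10:02:11,joe,192.168.11.101,10.0.0.5,web-browsing,general-internet,internet-utility,4,allow
2021/06/07 10:03:40,alice,192.168.11.102,157.240.0.35,facebook-base,collaboration,social-networking,4,allow
2021/06/07 10:04:01,alice,192.168.11.102,142.250.0.10,google-base,general-internet,internet-utility,4,allow
2021/06/07 10:05:20,bob,192.168.11.103,10.0.0.9,dns,networking,infrastructure,3,allow
2021/06/07 10:05:21,bob,192.168.11.103,10.0.0.9,dns,networking,infrastructure,3,allow
2021/06/07 10:06:00,bob,192.168.11.103,10.0.0.9,dns,networking,infrastructure,3,allow
2021/06/07 10:07:15,bob,192.168.11.103,52.0.0.7,dropbox-base,general-internet,file-sharing,5,deny
"""

# Assumed mapping from the filter keywords typed into the log viewer to
# export columns (only the handful used in this example).
FILTER_FIELDS = {
    "user.src": "Source User",
    "addr.src": "Source address",
    "addr.dst": "Destination address",
    "app": "Application",
    "action": "Action",
}

# One filter term: "(field eq value)" or "(field neq value)".
_TERM = re.compile(r"\(\s*(\S+)\s+(eq|neq)\s+(\S+?)\s*\)")


def load_traffic_log(text):
    """Parse a CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_log(rows, expression):
    """Apply a filter like "(user.src eq joe) and (app eq web-browsing)".

    Supports eq/neq terms joined left-to-right by "and" / "or" (no nesting),
    which is enough to mirror the simple filters used in the lab.
    """
    tokens = re.split(r"\s+(and|or)\s+", expression.strip())
    terms, operators = tokens[0::2], tokens[1::2]

    def matches(row):
        result = None
        for i, term in enumerate(terms):
            m = _TERM.fullmatch(term.strip())
            if not m:
                raise ValueError(f"unsupported filter term: {term!r}")
            field, op, value = m.groups()
            column = FILTER_FIELDS[field]          # KeyError for unknown fields
            hit = (row[column] == value) if op == "eq" else (row[column] != value)
            if result is None:
                result = hit
            elif operators[i - 1] == "and":
                result = result and hit
            else:
                result = result or hit
        return result

    return [r for r in rows if matches(r)]


def session_stats(rows, top=10):
    """Mirror the "Session Stats" custom report: count sessions per
    (Application, App Category, App Sub Category, Risk of App) and keep the
    top N groups sorted by session count, descending."""
    counts = Counter(
        (r["Application"], r["Category of app"], r["Subcategory of app"], r["Risk of app"])
        for r in rows
    )
    return [
        {"app": app, "category": cat, "subcategory": sub, "risk": risk, "sessions": n}
        for (app, cat, sub, risk), n in counts.most_common(top)
    ]


if __name__ == "__main__":
    log = load_traffic_log(SAMPLE_TRAFFIC_CSV)
    for row in filter_log(log, "(user.src eq joe)"):
        print(row["Receive Time"], row["Source User"], row["Application"])
    for line in session_stats(log):
        print(line)
```

Run the file directly to print joe's sessions followed by the per-application session counts. The filter evaluator deliberately raises on an unknown field or a malformed term rather than silently matching nothing, so a typo in a filter is visible instead of producing an empty, misleading result.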
End of Activity 10
Activity 11 – Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive event. We hope you enjoyed the presentation and the labs
that we have prepared for you. Please take a few minutes to complete the online survey form to tell us
what you think about this event.
Task 1 – Take the online survey
Step 1. In your lab environment, click on the “Survey” tab.
Step 2. Please complete the survey and let us know what you think about this event.
End of Activity 11
Appendix 1: Support for Non-U.S. Keyboards
If you are using a non-U.S. keyboard and have difficulties entering characters and special keys, you can add a
keyboard to the student desktop that matches the one you have, or use the on-screen keyboard. This appendix shows
you how to add and select an international keyboard, or how to use the on-screen keyboard.
By default, the “English (United States)” and “French (France)” keyboards are added to the student desktop. Click
the bottom left-hand corner to switch between them.
Add a new international keyboard
To add other keyboards, go to Start > Control Panel. Click “Change Keyboards or other input methods.”
Click “Change keyboard.”
Click “Add” to add a new international keyboard. Then switch to the new keyboard as described above.
Use the on-screen keyboard
To use the on-screen keyboard:
Step 1: Click “Start > All Programs.”
Step 2: Click “Accessories.”
Step 3: Click “Ease of Access,” then click “On-Screen Keyboard.”
Step 4: You should see the Windows On-Screen Keyboard. To send keys to the VM image that do not work
on your physical keyboard, select the key on the on-screen keyboard.
Appendix 2: How to resolve the connectivity issue
If you experience any connectivity issue from the Student Desktop during the lab, follow these steps to restore
the connection:
Step 1: Reboot the Student Desktop VM by navigating to Start > Log off (click on the arrow) and then clicking Restart.
Step 2: Wait for the VM to restart and come up.
Step 3: Browse to the CNN page by clicking Lab – Bookmarks > Activity-0.
Step 4: If the restart does not solve the problem, configure the Student Desktop interface IP using the command
below from a command prompt window:
netsh interface ip set address "Local Area Connection 3" static 192.168.11.101 255.255.255.0 192.168.11.1