Last Update: 20140512

Workshop Guide

Ultimate Test Drive
Next Generation Firewall (NGFW)
PAN-OS 5.0.10/UTD 2.1CS
http://www.paloaltonetworks.com

© 2014 Palo Alto Networks. Proprietary and Confidential

Ultimate Test Drive - NGFW
UTD 2.1CS
  
Table of Contents

Activity 0 – Login to UTD Workshop
  Task 1 – Login to your Ultimate Test Drive Class Environment
  Task 2 – Login to the student desktop
  Task 3 – Login to UTD Virtual Firewall

Activity 1 – Enabling Social Media
  Task 0 – Check connectivity to Facebook
  Task 1 – Modify an existing Security Policy to allow Facebook
  Task 2 – Review Traffic Logs

Activity 2 – Controlling Evasive Applications
  Task 1 – Attempt to use a non-approved web application
  Task 2 – Attempt to use an anonymizer site
  Task 3 – Attempt to download and install evasive application
  Task 4 – Review URL log

Activity 3 – Applications on Non-standard Ports
  Task 1 – Create a new Security Policy
  Task 2 – Check application connectivity
  Task 3 – Modify Security Policy
  Task 4 – Re-check applications on non-standard ports

Activity 4 – Decryption
  Task 0 – Check connectivity to LinkedIn
  Task 1 – Modify existing Security Policy
  Task 2 – Add a new Decryption Policy
  Task 3 – Log into LinkedIn
  Task 4 – Review Traffic Logs

Activity 5 – Modern Malware Protection
  Task 1 – Enable file forwarding to WildFire Service
  Task 2 – Modify Security Policy with File Blocking Profile
  Task 3 – Test WildFire Modern Malware Protection
  Task 4 – WildFire Portal Review
  
Activity 6 – URL Filtering
  Task 0 – Check connectivity
  Task 1 – Modify a URL filter
  Task 2 – Apply the URL filter to a Security Policy
  Task 3 – Review URL Filtering Logs

Activity 7 – Event Reporting
  Task 1 – Running pre-defined reports
  Task 2 – Setting up custom reports
  Task 3 – SE “Demo Box” review

Appendix-1: Alternative Login Method to Student Desktop
  Login to the student desktop using Java Console (Java client required)
  Login to the student desktop with RDP client

Appendix-2: Support for Non-US keyboard
  
	
  
How to use this Guide:

The activities outlined in this Ultimate Test Drive guide are meant to contain all the information necessary to navigate the Palo Alto Networks graphical user interface (GUI). This guide is meant to be used in conjunction with the information and guidance provided by your facilitator.

Once these activities are completed:

You should be able to:

1. Navigate the Palo Alto Networks GUI
2. Review portions of the firewall configuration
3. Change the configuration to affect the behavior of traffic across the firewall

This workshop covers only basic topics and is not a substitute for the training classes conducted by Palo Alto Networks’ Authorized Training Centers (ATC). Please contact your partner or regional sales manager for more training information.

Terminology:

“Tab” refers to the 5 tabs along the top of each screen in the GUI.
“Node” refers to the options associated with each “Tab” found in the left-hand column on each screen.

*NOTE*

Unless specified, the “Chrome” web browser will be used to perform any tasks outlined in the following Activities. (Chrome is pre-installed on the student desktop of the workshop PC.)
  
Activity 0 – Login to UTD Workshop

In this activity you will:

• Login to the Ultimate Test Drive Workshop from your laptop
• Test student desktop connectivity to the firewall
• Review the workshop network

Task 1 – Login to your Ultimate Test Drive Class Environment

Step 1: First, make sure your laptop has a modern browser installed that supports HTML 5.0. We recommend using the latest version of Firefox, Chrome and Internet Explorer. We also recommend you install the latest Java client for your browser.

Step 2: Go to the class URL. Enter your email address and the Passphrase. (If you have an invitation email, you can find the Class URL and Passphrase in the invitation email. Otherwise, the instructor will provide you with the class URL and Passphrase.)

Step 3: Complete the Registration form and click “Register and Login” at the bottom.

Step 4: Depending on your browser of choice, you will be asked to install a plugin; please click yes to allow the plugin to be installed and continue the login process.
  
Step 5: Once you log in, the environment will be automatically created for you. Click on “Start Using This Environment” when the Environment is ready.

Step 6: The UTD NGFW Environment consists of two core components: a “Student Desktop” and a “VM-Series Virtual Firewall”.
  
Task 2 – Login to the student desktop

Step 1: Click on the “Student Desktop” tab on top to connect to the Student Desktop.

Step 2: You will be connected to the “Student Desktop” through your browser.

Step 3: Click on the blue arrow on the top left hand corner to collapse the navigation bar. This will make more room for the “Student Desktop”.
  
Step 4: If the “Student Desktop” resolution is too high or too low for your laptop display, you can adjust the resolution on the upper right hand corner.

[Note: The default connection to the “Student Desktop” uses RDP over HTML5 protocol through the browser. In case your browser does not support HTML5 or you find that the student desktop is too small to use in the browser, please refer to Appendix-1: Alternative Login Method to connect to the student desktop using Java or RDP client.]

Optional Step 5: If you encounter a connection issue with the “Student Desktop”, click on “Reconnect” to re-establish the connection.
  
Optional Step 6: If re-connection to the “Student Desktop” remains unsuccessful, please verify your laptop connectivity using the following link. Note that a Java client is required on your browser for this test site to function.

https://use.cloudshare.com/test.mvc

This test site will validate the RDP-based and Java-based connections to your browser. Click “Allow” to allow the “Java Applet” to be installed and run on your browser.

Optional Step 7: If the connectivity test passed, please close the browser and retry from Task-1 Step-1. If the connectivity test failed, please inform the instructor for further assistance.
  
Task 3 – Login to UTD Virtual Firewall

Step 1: Click on the “UTD-NGFW-PAVM-CS” bookmark in the Chrome browser and log in to the firewall using the following name and password:

Name: student
Password: utd135

Step 2: You are now logged in to the firewall and should see the main dashboard.
  
Step 3: Open a new tab in the Chrome browser window and confirm Internet connectivity to some URL (e.g. http://www.cnn.com)

Step 4: Here is a quick look at how the student desktop and the virtual firewall are connected.
  
Activity 1 – Enabling Social Media

Background: Every organization is trying to determine how to exert controls over social media applications – allowing them all is high risk while blocking them all can be business crippling. Policy considerations include who can use social media, what are the risks of data loss/data transfer, and how to eliminate the propagation of malware.

PAN-OS features to be used:

• App-ID and function control
• Logging and reporting for verification

In this activity you will:

• Modify the existing firewall configuration to control the behavior of the Facebook app
• Review Traffic logs to confirm activity

Task 0 – Check connectivity to Facebook

Step 1: On your session desktop, open a browser and enter the URL: http://www.facebook.com

✓ Question: What is the response seen in the browser window?
➢ Answer: You should get blocked and see a screen that looks like this:

Task 1 – Modify an existing Security Policy to allow Facebook

Step 1: Click on the “Policies” tab → “Security” node
Step 2: Click on the rule name “UTD-Policy-03” → a “Security Policy Rule” pop-up will appear
Step 3: Click on the “Application” tab (within the pop-up)
  
Step 4: Click “Add” and type “facebook” and select “facebook-base” from the list
Step 5: Click “Ok” in the pop-up window
Step 6: Click “Enable” (in the bottom bar of the GUI)
Step 7: Click “Commit” (in the upper right hand corner of the GUI)
Step 8: Click “Ok” in the pop-up window
[NOTE: There will be a pop-up window with messages regarding the Commit. Any warning messages can be safely ignored.]
Step 9: Click “Close” in the pop-up window once the Commit has completed
Step 10: Open a new browser tab and surf to http://www.facebook.com. (You may get a warning message that you can ignore.)
Step 11: Log into Facebook using the account:

Username/Email: ultimatetestdrive@gmail.com
Password: paloalto123

Note: If you have trouble passing the @ symbol to the VM please follow the directions in the Appendix for accessing the on-screen keyboard.

Task 2 – Review Traffic Logs

Step 1: Click on the “Monitor” tab and the “Traffic” node (under the “Logs” section) will be selected
Step 2: Type into the query box (directly above the “Receive Time” column) the search string:

    (app eq facebook)

Then hit the Enter key or click the icon:

Questions:

✓ How many log entries are associated with the traffic you just generated?
✓ What was the action associated with the log entries?
✓ What was the port number associated with the log entries?

End of Activity 1
  
Activity 2 – Controlling Evasive Applications

Background: Evasive applications are found on almost every network. Some are purposely evasive, making every effort to avoid controls and hide. Examples include Ultrasurf, Tor and P2P. Policy considerations for controlling applications include protection from RIAA threats, data loss – either inadvertent or otherwise – and malware propagation.

PAN-OS features to be used:

• App-ID and URL filters to prevent evasive applications
• Logging and reporting for verification

In this activity you will:

• Use Application and URL Filter to control Proxy sites
• Review the logs

Task 1 – Attempt to use a non-approved web application

Step 1: Open a new browser tab and go to http://drive.google.com.

➢ You should get blocked and see a screen that looks like this:

The Google-drive-web application is not explicitly allowed by the firewall so it is blocked.

To get around the firewall, some users may try to use anonymizer sites to bypass the firewall.
  
Task 2 – Attempt to use an anonymizer site

Step 1: Open a new browser tab and go to one of these anonymizer sites: http://www.anonymouse.org and http://www.hidemyass.com.
Step 2: You should see the anonymizer site being blocked:

The block-page indicates that site access is blocked based on URL category.

Task 3 – Attempt to download and install evasive application

Step 1: To circumvent the firewalls, some students may try to download and install an evasive application such as Tor.
Step 2: Attempt to download Tor from the web site https://www.torproject.org in the browser. You should see that it has been blocked too.
  
Task 4 – Review URL log

Step 1: Click on the “Monitor” tab and the “URL Filtering” node (under the “Logs” section)
Step 2: You can click on any entry under the “URL” column and it will automatically enter the filtering string in the search bar

Then hit the Enter key or click the icon:

Questions:

✓ Can you determine what policy is blocking google-drive?
✓ Can you determine what policy is blocking the anonymizer sites?
✓ What is the application used to access the anonymizer sites?
✓ What is the application used to access the Tor download sites?

End of Activity 2
  
Activity 3 – Applications on Non-standard Ports

Background: Many applications can use, either by default or through user control, a non-standard port. Oftentimes, the use of non-standard ports is done as a means of evading controls. Tech-savvy users are accessing their home PC from work by directing SSH to a non-standard port. The Verizon Data Breach Report released in March of 2012 shows that the list of hacking-related pathways in 2012 tells a very similar story to years past. There were 855 breaches analyzed; 812 (95%) were attributed to hacking of some type and 715 (88%) of those 812 were remote access tool related. More simply translated, 84% of the 855 breaches were attributable to remote access tool exploitation. Policy considerations include which applications and users should be allowed to use these applications.

PAN-OS features to be used:

• Logging and reporting to show SSH, Telnet, RDP on non-standard ports
• App-ID, groups function and service (port)
• User-ID (groups)
• Logging and reporting for verification

In this activity you will:

• Add a new Security Policy for the IT organization
• Re-order the Policies

Task 1 – Create a new Security Policy

Step 1: Click on the “Policies” tab then the “Security” node
Step 2: Click “Add” in the lower left-hand corner
Step 3: Name the Policy “IT-usage”
Step 4: Click on the “Source” tab
Step 5: Click “Add” in the “Source Zone” box and select “Trust”
Step 6: Click on the “Destination” tab and click “Add” in the “Destination Zone” box and select “Untrust”
Step 7: Click on the “Application” tab and click “Add” → type “IT-apps” and select it
Step 8: Click “Ok”
(Optional) Step 8-1: “IT-apps” is a predefined application group that includes SSH, MS-RDP and other applications. Go to the “Object” tab and “Application Groups” node to review what applications are included in this application group.
  
Step 9: Click and drag the Policy “IT-usage” so it is above the “UTD-Policy-05” rule.
Step 10: Click “Commit” (in the upper right hand corner of the web browser)
Step 11: Click “Ok” in the pop-up window
Step 12: Click “Close” once the commit has completed

Task 2 – Check application connectivity

Step 1: Find the PUTTY application on the Java Applet desktop

➢ If PUTTY is not an application on the desktop, click “Start”
➢ In the search bar, type in “Putty” and click on “Putty.exe”
➢ Select the first one on the list

Step 2: Connect using SSH to “shell.cjb.net” on port 443

Question:

✓ Did you get a login prompt?
➢ Yes – you should see a login prompt that looks like this:

Step 3: Close Connection and click the “Monitor” tab → “Traffic” log
Step 4: Search for application SSH on port 443

Questions:

✓ What query string did you type into the search box?
✓ Was the application allowed?

Task 3 – Modify Security Policy

Step 1: Click on the “Policies” tab → “Security”
Step 2: Click on the “IT-usage” Security Policy created in Task 1
  
Step 3: Click on the “Service/URL Category” tab and click on the pull down menu above the “Service” box, selecting “application-default” and then click “Ok”. [Note: Please ask the instructor to explain what “application-default” in the service box means.]
Step 4: Click “Commit” (in the upper right hand corner of the web browser)
Step 5: Click “Ok” in the pop-up window
Step 6: Click “Close” once the commit has completed

Task 4 – Re-check applications on non-standard ports

Step 1: Find the PUTTY application on the student desktop
Step 2: Connect using SSH to shell.cjb.net on port 443 using putty. Did you get a login prompt?

➢ You should not get the login prompt

Step 3: Close Connection and click the “Monitor” tab → “Traffic” log
Step 4: Search for application SSH on port 443

Questions:

✓ What query string did you type into the search box?
✓ Was the application allowed?
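
The effect of the Service change made in Task 3, as an added example that is not part of the original guide and is not PAN-OS code: a simplified Python model of top-down rule matching in which “application-default” restricts each application to its standard ports, plus a check that flags log records for applications seen on non-standard ports. The port table, the two-member “IT-apps” group, the sample log records and the deny for unmatched traffic are assumptions made for the illustration; the lab's other rules are not modeled.

```python
"""Simplified model of how a rule's Service setting changes App-ID matching.

Added illustration, not PAN-OS code. The port table and log records are
constructed sample data; the lab's other rules are not modeled.
"""
from dataclasses import dataclass

# Standard ports per application (small constructed subset for the example).
APP_DEFAULT_PORTS = {
    "ssh": {22},
    "ms-rdp": {3389},
    "telnet": {23},
    "web-browsing": {80},
    "ssl": {443},
}

# Only the two members of the "IT-apps" group that the guide names.
IT_APPS = frozenset({"ssh", "ms-rdp"})


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    app: str     # application identified from the traffic itself
    dport: int   # destination port actually used


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    apps: frozenset
    service: str  # "any" or "application-default"
    action: str = "allow"

    def matches(self, s: Session) -> bool:
        if (s.from_zone, s.to_zone) != (self.from_zone, self.to_zone):
            return False
        if s.app not in self.apps:
            return False
        if self.service == "any":
            return True
        # application-default: the app must be on one of its standard ports
        return s.dport in APP_DEFAULT_PORTS.get(s.app, set())


def evaluate(rules, session):
    """First matching rule wins (top-down); unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.action
    return "no-match", "deny"


def apps_on_nonstandard_ports(log_records):
    """Return records whose known application ran outside its standard ports."""
    return [r for r in log_records
            if r["app"] in APP_DEFAULT_PORTS
            and r["dport"] not in APP_DEFAULT_PORTS[r["app"]]]


def run_demo():
    ssh_443 = Session("Trust", "Untrust", "ssh", 443)
    ssh_22 = Session("Trust", "Untrust", "ssh", 22)
    # IT-usage as created in Task 1 (Service left at "any") ...
    before = [Rule("IT-usage", "Trust", "Untrust", IT_APPS, "any")]
    # ... and after Task 3 (Service set to "application-default").
    after = [Rule("IT-usage", "Trust", "Untrust", IT_APPS, "application-default")]
    # Constructed traffic-log records.
    logs = [
        {"app": "ssh", "dport": 443, "action": "allow"},
        {"app": "ssl", "dport": 443, "action": "allow"},
        {"app": "ms-rdp", "dport": 3389, "action": "allow"},
    ]
    return {
        "task2": evaluate(before, ssh_443),
        "task4": evaluate(after, ssh_443),
        "ssh_standard": evaluate(after, ssh_22),
        "flagged": apps_on_nonstandard_ports(logs),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In the model, SSH on port 443 matches “IT-usage” while the Service is “any” and stops matching once it is “application-default”, while SSH on port 22 is still allowed.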
  
End of Activity 3
  
Activity 4 – Decryption

Background: More and more traffic is encrypted with SSL by default, making it difficult to allow and scan that traffic, yet blindly allowing it is high risk. Using policy-based SSL decryption will allow you to enable encrypted applications, apply policy, then re-encrypt and send the traffic to its final destination. Policy considerations include which applications to decrypt, protection from malware propagation and data/file transfer.

PAN-OS features to be used:

• App-ID
• SSL decryption
• Logging and reporting for verification
• User-ID (Challenge Task)

In this activity you will:

• Modify existing Security Policy to allow LinkedIn application for the Exec Team
• Add new Decryption Policy to decrypt SSL traffic

Task 0 – Check connectivity to LinkedIn

Step 1: On your Java Applet session desktop, open a browser and enter the URL: http://www.linkedin.com

✓ Question: What is the response seen in the browser window?
➢ Answer: You should get blocked and see a screen that looks like this:
  
Task 1 – Modify existing Security Policy
Step 1: Click on the “Policies” tab → “Security” node will be selected
Step 2: Click on the rule “UTD-Policy-04” → a “Security Policy Rule” pop-up will appear
Step 3: Click on the “Application” tab (within the pop-up)
Step 4: Click “Add” and type “linkedin-base” → select it
Step 5: Click “Ok”
Step 6: Click “Enable” (in the lower bar of the GUI)
NOTE: You don’t need to click “Commit” until after the next Task

Task 2 – Add a new Decryption Policy
Step 1: Click on the “Policies” tab then the “Decryption” node
Step 2: Click “Add” in the lower left-hand corner
Step 3: In the “Decryption Policy Rule” pop-up: name the Policy “UTD-Decryption-02”
Step 4: Click on the “Source” tab
Step 5: Click “Add” in the box labeled “Source Zone” and select “Trust”
Step 6: Click on the “Destination” tab
Step 7: Click “Add” in the box labeled “Destination Zone” and select “Untrust”
Step 8: Click on the “Options” tab and select Action “decrypt” – leave the default Type selection as “SSL Forward Proxy”
Step 9: Click “Ok”
Step 10: Click “Commit” (in the upper right hand corner of the web browser)
Step 11: Click “Ok” in the pop-up window
Step 12: Click “Close” once the commit has completed
  
	
  
Task 3 – Log into LinkedIn
Step 1: Open a new browser tab and enter http://www.linkedin.com
NOTE: Click to confirm any security warning. You should see a confirmation page that indicates SSL Inspection is enabled.
Step 2: Log into LinkedIn with the following credentials:
Email address: ultimatetestdrive@gmail.com
Password: paloalto123
Note: If you have trouble passing the @ symbol to the VM please follow the directions in the Appendix for accessing the on-screen keyboard.
Step 3: Attempt to post a status update.
Question:
✓ Was your post update blocked by the firewall?
✓ You should see the following block page and note the application that is being blocked.
	
  
Task 4 – Review Traffic Logs
Step 1: Click on the “Monitor” tab and the “Traffic” node (under the “Logs” section) will be selected
Step 2: Type into the query box (directly above the “Receive Time” column) the search string:

    ( app eq linkedin ) and ( port.dst eq 443 )

Then hit the Enter key or click the icon:
Questions:
✓ How many log entries are associated with the traffic you just generated?
Then click the Details icon next to the top log entry:
Questions:
✓ Did the log entry show the traffic was decrypted?
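
One way to answer the Task 4 question across many sessions, as an added example that is not part of the workshop guide: decode the Flags bitmask on exported traffic log rows and list allowed Trust-to-Untrust port-443 sessions that were not decrypted. The CSV layout and sample rows are constructed for illustration; the bit values follow the PAN-OS traffic log field description and should be confirmed for your release.

```python
"""Check exported traffic log rows for sessions that bypassed SSL decryption."""
import csv
import io

# Flags bit values as given in the PAN-OS traffic log field description
# (assumption: confirm them against the documentation for your release).
FLAG_BITS = {
    0x01000000: "ssl-decrypted",  # SSL session was decrypted (SSL proxy)
    0x00800000: "url-denied",     # session denied via URL filtering
    0x00400000: "nat",            # NAT translation was performed
}

# Constructed sample export. Column names are hypothetical, not the
# firewall's own CSV header; zones match the lab's Trust/Untrust setup.
SAMPLE_CSV = """\
receive_time,from_zone,to_zone,app,dport,action,flags
2014/05/12 10:01:07,Trust,Untrust,linkedin-base,443,allow,0x1400000
2014/05/12 10:01:09,Trust,Untrust,linkedin-base,443,allow,0x1400000
2014/05/12 10:02:30,Trust,Untrust,ssl,443,allow,0x400000
2014/05/12 10:02:41,Trust,Untrust,web-browsing,80,allow,0x400000
2014/05/12 10:03:02,Trust,Untrust,ssl,443,deny,0x0
"""


def decode_flags(value):
    """Return the set of known flag names set in a hex Flags string."""
    bits = int(value, 16)
    return {name for mask, name in FLAG_BITS.items() if bits & mask}


def load_records(text):
    """Parse the CSV text and attach decoded flag names to every row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["flag_names"] = decode_flags(row["flags"])
        rows.append(row)
    return rows


def allowed_tls(records, src_zone="Trust", dst_zone="Untrust", port=443):
    """Allowed sessions that the lab's decryption rule is expected to cover."""
    return [
        r for r in records
        if r["from_zone"] == src_zone
        and r["to_zone"] == dst_zone
        and r["dport"] == port
        and r["action"] == "allow"
    ]


def undecrypted_tls(records, **scope):
    """Allowed in-scope sessions whose Flags lack the decrypted bit."""
    return [r for r in allowed_tls(records, **scope)
            if "ssl-decrypted" not in r["flag_names"]]


def decryption_coverage(records, **scope):
    """Map each application to (decrypted sessions, total allowed sessions)."""
    coverage = {}
    for r in allowed_tls(records, **scope):
        decrypted, total = coverage.get(r["app"], (0, 0))
        hit = 1 if "ssl-decrypted" in r["flag_names"] else 0
        coverage[r["app"]] = (decrypted + hit, total + 1)
    return coverage


if __name__ == "__main__":
    records = load_records(SAMPLE_CSV)
    for app, (decrypted, total) in sorted(decryption_coverage(records).items()):
        print(f"{app}: {decrypted}/{total} allowed port-443 sessions decrypted")
    for gap in undecrypted_tls(records):
        print("not decrypted:", gap["receive_time"], gap["app"], gap["flags"])
```

Sessions reported as not decrypted are the ones the firewall allowed without being able to inspect their contents, which is the gap the decryption policy in Task 2 is meant to close.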
  	
  
	
  
End of Activity 4
  
	
  
Activity 5 – Modern Malware Protection
Background: Modern malware is at the heart of many of today's most sophisticated network attacks, and is increasingly customized to avoid traditional security solutions. WildFire exposes targeted and unknown malware through direct observation in a virtual environment, while the next-generation firewall ensures full visibility and control of all traffic including tunneled, evasive, encrypted and even unknown traffic. Policy considerations include which applications to apply the WildFire file blocking/upload profile to.

PAN-OS features to be used:
• Profiles: Virus, Spyware, file blocking & WildFire
• WildFire portal
• Logging and reporting for verification

In this activity you will:
• Modify existing file blocking policy to use the WildFire service
• Add the modified file blocking policy to other Security Policy

Task 1 – Enable file forwarding to WildFire Service
Step 1: Click on the “Objects” tab → “File Blocking” node (found in the Security Profiles section)
Step 2: Click on the Profile name “UTD-File-Blocking-01”
Step 3: In the pop-up window find the name “File-Block-01” and change the Action from “alert” to “forward”
Step 4: Click “Ok” – this now allows the File Blocking Profile to forward files to WildFire Modern Malware Protection services

Task 2 – Modify Security Policy with File Blocking Profile
Step 1: Click on the “Policies” tab → “Security” node
Step 2: Click on the rule name “UTD-Policy-01” → a “Security Policy Rule” pop-up will appear
Step 3: Click on the “Actions” tab (within the pop-up)
Step 4: In the “Profile Setting” section, select the pull-down menu next to “File Blocking”
Step 5: Select “UTD-File-Blocking-01”
Step 6: Click “Ok”
Optional Step 7: Click on the rule name “UTD-Policy-04” → a “Security Policy Rule” pop-up will appear
Optional Step 8: Click on the “Actions” tab (within the pop-up)
Optional Step 9: In the “Profile Setting” section, select the pull-down menu next to “Profile Type” and select “Profiles”
Optional Step 10: Select the pull-down menu next to “File Blocking” and select “UTD-File-Blocking-01”
Question:
✓ Should you apply any other Security Profiles to this Security Rule?
Optional Step 11: Click “Ok”
Optional Step 12: If this policy is not enabled, click “Enable” at the bottom of the policy screen to enable the policy
Step 13: Click “Commit” (in the upper right hand corner of the web browser)
Step 14: Click “Ok” in the pop-up window
Step 15: Click “Close” once the commit has completed

Task 3 – Test WildFire Modern Malware Protection
Step 1: To download a WildFire test sample file, open the browser and go to http://wildfire.paloaltonetworks.com/publicapi/test/pe
Step 2: The browser will automatically download a “wildfire-test-pe-file.exe” sample file. Check your “Download” folder to confirm the download. [Note that this sample changes every time it is downloaded and it should by-pass most Antivirus scans.]
Step 3: To verify that the sample file has been sent to WildFire, go back to the firewall GUI, click on the “Monitor” tab then the “WildFire” node (under the “Logs” section) and review the log entry for the file being uploaded to the WildFire service. [Note: It may take about 10 mins for the WildFire log to appear. It is a good time to take a short break before you continue. Please do not skip ahead to the next task.]
Step 4: Click the Details icon next to the top log entry. Look at “Action” under “General” to determine if upload to WildFire was successful.
Step 5: Click the “View WildFire Report” to go to the WildFire portal and continue with the next task.
  
	
  
Task 4 – WildFire Portal Review
Step 1: Open a browser window and enter the URL: http://wildfire.paloaltonetworks.com
Step 2: Login using the following credentials
Username: ngfw.utd@gmail.com
Password: utd135
[Note: If you have trouble entering the @ symbol due to a keyboard issue, please follow the directions in Appendix-2 for accessing other international keyboards or the on-screen keyboard.]
Once logged in, you will be presented with a report if you have clicked on “View WildFire Report” in Task 3 Step 6.
Step 3: Click on “VirusTotal Information” on the report, and it will bring you to the VirusTotal home page. Since this malware has never been seen before, VirusTotal will show a “File Not Found” message.
Step 4: Scroll through the rest of the WildFire report, paying special attention to the “Behavioral Summary” and “Host Activity” sections.
Step 5: Go to the WildFire dashboard to review other features from the WildFire portal.
https://wildfire.paloaltonetworks.com/wildfire/dashboard

End of Activity 5
  
	
  
Activity 6 – URL Filtering
Application control and URL filtering complement each other, providing you with the ability to deliver varied levels of control that are appropriate for your security profile. Policy considerations include URL category access; which users can or cannot access the URL category, and prevention of malware propagation.

PAN-OS features to be used:
• URL filtering category match
• Logging and reporting for verification

In this activity you will:
• Modify the behavior of URL filtering functionality

Task 0 – Check connectivity
Step 1: Open http://www.gambling.com in browser – you should be able to open this page with the base workshop configuration

Task 1 – Modify a URL filter
Step 1: Click on the “Objects” tab then the “URL Filtering” node (found in the Security Profiles section)
Step 2: Click on the Profile name “UTD-URL-filter-01”
Step 3: Find the Category “gambling” and change the Action from “allow” to “continue”
Step 4: Click “Ok”
  
	
  
Task 2 – Apply the URL filter to a Security Policy
Step 1: Click on the “Policies” tab then the “Security” node
Step 2: Click on the rule “UTD-Policy-01” → a “Security Policy Rule” pop-up will appear
Step 3: Click on the “Actions” tab (within the pop-up)
Step 4: In the “Profile Setting” section, select the pull-down menu next to “URL Filtering”
Step 5: Select “UTD-URL-filter-01” and then click “Ok”
Step 6: Click “Commit” (in the upper right hand corner of the web browser)
Step 7: Click “Ok” in the pop-up window
Step 8: Click “Close” once the commit has completed
Step 9: Open a new browser tab (on the workshop PC desktop) and enter the URL http://www.gambling.com
The Web page is blocked but the block page will have an option to continue to open the page
Step 10: Click “Continue” to open the web page
	
  
Task 3 – Review URL Filtering Logs
Step 1: Click on the “Monitor” tab → “URL Filtering” node (under the “Logs” section)
Questions:
✓ How many log entries are associated with the traffic you just generated?
✓ What was the action associated with the log entries?
✓ What was the port number associated with the log entries?
Step 2: Click the Details icon next to the top log entry:
Questions:
✓ Can you see the full URL?
✓ Which direction is the traffic: “client-to-server” or “server-to-client”?

End of Activity 6
  
	
  
Activity 7 – Event Reporting
Informative reports are very important to network and security administrators to monitor and identify potential network problems and attacks. Comprehensive built-in reporting features in the firewall can provide visibility into the network without requiring a complex logging infrastructure.

PAN-OS features to be used:
• Reporting (pre-defined)
  o Top applications, threats, URL categories, etc.
• Manage custom reports
  o Create a custom report using traffic stats logs

Task 1 – Running pre-defined reports
Step 1: Click on the “Monitor” tab then the “Reports” node (last node on the list)
Step 2: On the right-hand side of the browser window is a list of pre-defined reports grouped by Application, Traffic, Threat, URL Filtering, and PDF summary. Click on any of those reports (in any group) and a default view of the last 24 hours of traffic will display.

Task 2 – Setting up custom reports
Step 1: Click on the “Monitor” tab then the “Manage Custom Reports” node (second from last)
Step 2: Click “Add” (in the lower left) and name the report “Traffic Stats” (in the “Custom Report” pop-up)
Step 3: Use the following information to create this report:
✓ Database: Application Statistics
✓ Time Frame: Last 24 Hrs
✓ Selected Columns: App Category, App Sub Category, Risk of App, Sessions
✓ Sort By: Sessions : Top 10
Step 4: Click “Run Now” (at the top of the pop-up)
Step 5: Click “Ok” when done reviewing the results

Task 3 – SE “Demo Box” review
The facilitator will log into the Palo Alto Networks’ SE Demo Box to review a fully populated firewall.

End of Activity 7
  
	
  
Request a free evaluation/AVR Report and you’ll get entered into today’s PA 200 drawing!

Ask your Palo Alto Networks Sales Representative or Palo Alto Networks Partner for more information
  
	
  
Appendix-1: Alternative Login Method to Student Desktop
This appendix shows you how to login to the student desktop using other connectivity methods. Please complete the procedures outlined in Activity-0: Task-1 to login to the UTD Workshop before you continue.
There are two other methods that you can use to login to the student desktop:
- Use “Console” feature in workshop (Java client required)
- Use RDP client if it is installed on the laptop
Both methods are described below and you can select the one that best fits what you have installed on your laptop. Note that RDP protocol may not be supported on all networks so please verify that RDP is supported at your location.

Login to the student desktop using Java Console (Java client required)
Step 1: Click on the “Student Desktop” after login to the UTD workshop
Step 2: Click on the Console link on “switch to Console”. This will run the Java client.
  
	
  
Step 3: Allow Java to run VncViewer application. You may need to click “Run” a few times.
Step 2: Click on the “Don’t Block” on the Java Security Warning message.
Step 3: After allowing the Java client to run, you will see the student desktop display. Click the “Send Ctrl-Alt-Del” to open the login window and use the Username and Password as indicated on your browser, not the one indicated below. You should be logged in to the student desktop after entering the login name and password.
  
	
  
Login to the student desktop with RDP client
If you have RDP client installed on your laptop, you have the option to connect directly to the student desktop over RDP.
Step 1: Click on the “Virtual Machines” tab at the top to view all the Virtual Machines in the environment.
Step 2: Click on the “More details” in the “VM-Series Virtual Firewall”. Note: Not the one under “Student Desktop”.
Step 3: Copy the URL in External Address under VM Details of the “VM-Series Virtual Firewall”. You can click on the blue icon next to the address to copy it to the clipboard.
  
	
  
Step 4: Open the RDP client on your laptop and paste URL to the host or PC field. (Note: Not the URL as shown below.)
Step 5: On the browser, click on the “More details” link on the “Student Desktop”, then click on the “show password” link under Credentials. Use the password to login to the student desktop.
Step 6: Use the username and password to login to the student desktop.
Step 7: Click “Connect” on the certificate error message.
Step 8: You should be connected to the student desktop after that.
  
	
  
	
  
Appendix-2: Support for Non-US keyboards
If you are using a Non-US keyboard and have difficulties entering any characters and special keys, you can add a keyboard to the student desktop to support what you have or use the on-screen keyboard. This appendix shows you how to add and select an international keyboard or use the on-screen keyboard.
By default, the “English (United States)” and “French (France)” keyboards are added to the student desktop. Click on the bottom left corner to switch between them.
  
	
  
Add new international keyboard
To add other keyboards, go to Start > Control Panel. Click on “Change Keyboards or other input methods”

Click on change keyboard

Click “Add” to add a new international keyboard. Then switch to the new keyboard per the instruction on the previous page.
  
	
  
Use the on-screen keyboard
To use the on-screen keyboard:
Step 1: Click on Start -> All Programs
Step 2: Click “Accessories”
  
	
  
Step 3: Click “Ease of Access” and then “On-Screen Keyboard”
Step 4: You should now see the Windows On-Screen Keyboard. To pass keys inside the VM image that do not work on your keyboard, simply select the key using a mouse.
  
	
  
	
  
Equipment Setup

Firewall: VM-Series

Interface       Int Type   IP Address      Connects to Zone
Ethernet 1/1    L3         172.16.1.1      "Untrust"
Ethernet 1/2    L3         192.168.11.1    "Trust"
Ethernet 1/3
Ethernet 1/4
Management      -          10.30.11.1
  
	
  

Mais conteúdo relacionado

Destaque

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Destaque (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Ultimate Test Drive NGFW Workshop Guide 2.1.pdf

  • 1. Last Update: 20140512
    Workshop Guide
    Ultimate Test Drive Next Generation Firewall (NGFW)
    PAN-OS 5.0.10/UTD 2.1CS
    http://www.paloaltonetworks.com
    © 2014 Palo Alto Networks. Proprietary and Confidential
  • 2. Ultimate Test Drive - NGFW   UTD 2.1CS   Page 2
    Table of Contents
    Activity 0 – Login to UTD Workshop (p. 5)
      Task 1 – Login to your Ultimate Test Drive Class Environment (p. 5)
      Task 2 – Login to the student desktop (p. 7)
      Task 3 – Login to UTD Virtual Firewall (p. 10)
    Activity 1 – Enabling Social Media (p. 12)
      Task 0 – Check connectivity to Facebook (p. 12)
      Task 1 – Modify an existing Security Policy to allow Facebook (p. 12)
      Task 2 – Review Traffic Logs (p. 13)
    Activity 2 – Controlling Evasive Applications (p. 14)
      Task 1 – Attempt to use an non-approved web application (p. 14)
      Task 2 – Attempt to use an anonymizer site (p. 15)
      Task 3 – Attempt to download and install evasive application (p. 15)
      Task 4 – Review URL log (p. 16)
    Activity 3 – Applications on Non-standard Ports (p. 17)
      Task 1 – Create a new Security Policy (p. 17)
      Task 2 – Check application connectivity (p. 18)
      Task 3 – Modify Security Policy (p. 18)
      Task 4 – Re-check applications on non-standard ports (p. 19)
    Activity 4 – Decryption (p. 20)
      Task 0 – Check connectivity to LinkedIn (p. 20)
      Task 1 – Modify existing Security Policy (p. 21)
      Task 2 – Add a new Decryption Policy (p. 21)
      Task 3 – Log into LinkedIn (p. 22)
      Task 4 – Review Traffic Logs (p. 22)
    Activity 5 – Modern Malware Protection (p. 24)
      Task 1 – Enable file forwarding to WildFire Service (p. 24)
      Task 2 – Modify Security Policy with File Blocking Profile (p. 24)
      Task 3 – Test WildFire Modern Malware Protection (p. 25)
      Task 4 – Wildfire Portal Review (p. 26)
  • 3. Table of Contents (continued)
    Activity 6 – URL Filtering (p. 28)
      Task 0 – Check connectivity (p. 28)
      Task 1 – Modify a URL filter (p. 28)
      Task 2 – Apply the URL filter to a Security Policy (p. 29)
      Task 3 – Review URL Filtering Logs (p. 29)
    Activity 7 – Event Reporting (p. 31)
      Task 1 – Running pre-defined reports (p. 31)
      Task 2 – Setting up custom reports (p. 31)
      Task 3 – SE “Demo Box” review (p. 31)
    Appendix-1: Alternative Login Method to Student Desktop (p. 33)
      Login to the student desktop using Java Console (Java client required) (p. 33)
      Login to the student desktop with RDP client (p. 35)
    Appendix-2: Support for Non-US keyboard (p. 38)
  • 4. How to use this Guide:
    The activities outlined in this Ultimate Test Drive guide are meant to contain all the information necessary to navigate the Palo Alto Networks graphical user interface (GUI). This guide is meant to be used in conjunction with the information and guidance provided by your facilitator.

    Once these activities are completed, you should be able to:
      1. Navigate the Palo Alto Networks GUI
      2. Review portions of the firewall configuration
      3. Change the configuration to affect the behavior of traffic across the firewall

    This workshop covers only basic topics and is not a substitute for the training classes conducted by Palo Alto Networks’ Authorized Training Centers (ATC). Please contact your partner or regional sales manager for more training information.

    Terminology:
    “Tab” refers to the 5 tabs along the top of each screen in the GUI.
    “Node” refers to the options associated with each “Tab” found in the left-hand column on each screen.

    *NOTE* Unless specified, the “Chrome” web browser will be used to perform any tasks outlined in the following Activities. (Chrome is pre-installed on the student desktop of the workshop PC.)
  • 5. Activity 0 – Login to UTD Workshop
    In this activity you will:
      • Login to the Ultimate Test Drive Workshop from your laptop
      • Test student desktop connectivity to the firewall
      • Review the workshop network

    Task 1 – Login to your Ultimate Test Drive Class Environment
    Step 1: First, make sure your laptop has a modern browser installed that supports HTML 5.0. We recommend using the latest version of Firefox, Chrome and Internet Explorer. We also recommend you install the latest Java client for your browser.
    Step 2: Go to the class URL. Enter your email address and the Passphrase. (If you have an invitation email, you can find the Class URL and Passphrase in the invitation email. Otherwise the instructor will provide you with the class URL and Passphrase.)
    Step 3: Complete the Registration form and click “Register and Login” at the bottom.
    Step 4: Depending on your browser of choice, you will be asked to install a plugin. Please click yes to allow the plugin to be installed and continue the login process.
  • 6. Step 5: Once you login, the environment will be automatically created for you. Click on “Start Using This Environment” when the Environment is ready.
    Step 6: The UTD NGFW Environment consists of two core components: a “Student Desktop” and a “VM-Series Virtual Firewall”.
  • 7. Task 2 – Login to the student desktop
    Step 1: Click on the “Student Desktop” tab on top to connect to the Student Desktop.
    Step 2: You will be connected to the “Student Desktop” through your browser.
    Step 3: Click on the blue arrow on the top left hand corner to collapse the navigation bar. This will make more room for the “Student Desktop”.
  • 8. Step 4: If the “Student Desktop” resolution is too high or too low for your laptop display, you can adjust the resolution on the upper right hand corner.
    [Note: The default connection to the “Student Desktop” uses RDP over HTML5 protocol through the browser. If your browser does not support HTML5, or you find that the student desktop is too small to use in the browser, please refer to Appendix-1: Alternative Login Method to connect to the student desktop using a Java or RDP client.]
    Optional Step 5: If you encounter a connection issue with the “Student Desktop”, click on “Reconnect” to re-establish the connection.
  • 9. Optional Step 6: If re-connection to the “Student Desktop” remains unsuccessful, please verify your laptop connectivity using the following link. Note that a Java client is required on your browser for this test site to function.
    https://use.cloudshare.com/test.mvc
    This test site will validate the RDP-based and Java-based connections to your browser. Click “Allow” to allow the “Java Applet” to be installed and run on your browser.
    Optional Step 7: If the connectivity test passed, please close the browser and retry from Task-1 Step-1. If the connectivity test failed, please inform the instructor for further assistance.
  • 10. Task 3 – Login to UTD Virtual Firewall
    Step 1: Click on the “UTD-NGFW-PAVM-CS” bookmark in the Chrome browser and login to the firewall using the following name and password:
      Name: student
      Password: utd135
    Step 2: You are now logged in to the firewall and should see the main dashboard.
  • 11. Step 3: Open a new tab in the Chrome browser window and confirm Internet connectivity to some URL (e.g. http://www.cnn.com)
    Step 4: Here is a quick look at how the student desktop and the virtual firewall are connected.
  • 12. Activity 1 – Enabling Social Media
    Background: Every organization is trying to determine how to exert controls over social media applications – allowing them all is high risk while blocking them all can be business crippling. Policy considerations include who can use social media, what are the risks of data loss/data transfer, and how to eliminate the propagation of malware.

    PAN-OS features to be used:
      • App-ID and function control
      • Logging and reporting for verification

    In this activity you will:
      • Modify the existing firewall configuration to control the behavior of the Facebook app
      • Review Traffic logs to confirm activity

    Task 0 – Check connectivity to Facebook
    Step 1: On your session desktop, open a browser and enter the URL: http://www.facebook.com
      ✓ Question: What is the response seen in the browser window?
      ➢ Answer: You should get blocked and see a screen that looks like this:

    Task 1 – Modify an existing Security Policy to allow Facebook
    Step 1: Click on the “Policies” tab → “Security” node
    Step 2: Click on the rule name “UTD-Policy-03” → a “Security Policy Rule” pop-up will appear
    Step 3: Click on the “Application” tab (within the pop-up)
  • 13. Step 4: Click “Add” and type “facebook” and select “facebook-base” from the list
    Step 5: Click “Ok” in the pop-up window
    Step 6: Click “Enable” (in the bottom bar of the GUI)
    Step 7: Click “Commit” (in the upper right hand corner of the GUI)
    Step 8: Click “Ok” in the pop-up window
    [NOTE: There will be a pop-up window with messages regarding the Commit. Any warning messages can be safely ignored.]
    Step 9: Click “Close” in the pop-up window once the Commit has completed
    Step 10: Open a new browser tab and surf to http://www.facebook.com. (You may get a warning message that you can ignore.)
    Step 11: Log into Facebook using the account:
      Username/Email: ultimatetestdrive@gmail.com
      Password: paloalto123
    Note: If you have trouble passing the @ symbol to the VM please follow the directions in the Appendix for accessing the on-screen keyboard.

    Task 2 – Review Traffic Logs
    Step 1: Click on the “Monitor” tab and the “Traffic” node (under the “Logs” section) will be selected
    Step 2: Type into the query box (directly above the “Receive Time” column) the search string:
      (app eq facebook)
    Then hit the Enter key or click the icon:
    Questions:
      ✓ How many log entries are associated with the traffic you just generated?
      ✓ What was the action associated with the log entries?
      ✓ What was the port number associated with the log entries?

    End of Activity 1
  • 14. Activity 2 – Controlling Evasive Applications
    Background: Evasive applications are found on almost every network. Some are purposely evasive, making every effort to avoid controls and hide. Examples include Ultrasurf, Tor and P2P. Policy considerations for controlling applications include protection from RIAA threats, data loss – either inadvertent or otherwise – and malware propagation.

    PAN-OS features to be used:
      • App-ID and URL filters to prevent evasive applications
      • Logging and reporting for verification

    In this activity you will:
      • Use Application and URL Filter to control Proxy sites
      • Review the logs

    Task 1 – Attempt to use a non-approved web application
    Step 1: Open a new browser tab and go to http://drive.google.com.
      ➢ You should get blocked and see a screen that looks like this:
    The google-drive-web application is not explicitly allowed by the firewall, so it is blocked.
    To get around the firewall, some users may try to use anonymizer sites to bypass it.
  • 15. Task 2 – Attempt to use an anonymizer site
    Step 1: Open a new browser tab and go to one of these anonymizer sites: http://www.anonymouse.org or http://www.hidemyass.com.
    Step 2: You should see the anonymizer site being blocked:
    The block page indicates that site access is blocked based on URL category.

    Task 3 – Attempt to download and install evasive application
    Step 1: To circumvent the firewall, some students may try to download and install an evasive application such as Tor.
    Step 2: Attempt to download Tor from the web site https://www.torproject.org in the browser. You should see that it has been blocked too.
  • 16. Task 4 – Review URL log
    Step 1: Click on the “Monitor” tab and the “URL Filtering” node (under the “Logs” section)
    Step 2: You can click on any entry under the “URL” column and it will automatically enter the filtering string in the search bar
    Then hit the Enter key or click the icon:
    Questions:
      ✓ Can you determine what policy is blocking google-drive?
      ✓ Can you determine what policy is blocking the anonymizer sites?
      ✓ What is the application used to access the anonymizer sites?
      ✓ What is the application used to access the Tor download sites?

    End of Activity 2
  • 17. Activity 3 – Applications on Non-standard Ports
    Background: Many applications can use, either by default or through user control, a non-standard port. Oftentimes, the use of non-standard ports is a means of evading controls. Tech-savvy users are accessing their home PC from work by directing SSH to a non-standard port. The Verizon Data Breach Report released in March of 2012 shows that the list of hacking-related pathways in 2012 tells a very similar story to years past. There were 855 breaches analyzed, 812 (95%) were attributed to hacking of some type and 715 (88%) of those 812 were remote access tool related. More simply translated, 84% of the 855 breaches were attributable to remote access tool exploitation. Policy considerations include which applications and users should be allowed to use these applications.

    PAN-OS features to be used:
      • Logging and reporting to show SSH, Telnet, RDP on non-standard ports
      • App-ID, groups function and service (port)
      • User-ID (groups)
      • Logging and reporting for verification

    In this activity you will:
      • Add a new Security Policy for the IT organization
      • Re-order the Policies

    Task 1 – Create a new Security Policy
    Step 1: Click on the “Policies” tab then the “Security” node
    Step 2: Click “Add” in the lower left-hand corner
    Step 3: Name the Policy “IT-usage”
    Step 4: Click on the “Source” tab
    Step 5: Click “Add” in the “Source Zone” box and select “Trust”
    Step 6: Click on the “Destination” tab and click “Add” in the “Destination Zone” box and select “Untrust”
    Step 7: Click on the “Application” tab and click “Add” → type “IT-apps” and select it
    Step 8: Click “Ok”
    (Optional) Step 8-1: “IT-apps” is a predefined application group that includes SSH, MS-RDP and other applications. Go to the “Object” tab and “Application Groups” node to review what applications are included in this application group.
  • 18. Step 9: Click and drag the Policy “IT-usage” so it is above the “UTD-Policy-05” rule.
    Step 10: Click “Commit” (in the upper right hand corner of the web browser)
    Step 11: Click “Ok” in the pop-up window
    Step 12: Click “Close” once the commit has completed

    Task 2 – Check application connectivity
    Step 1: Find the PUTTY application on the Java Applet desktop
      ➢ If PUTTY is not an application on the desktop, Click “Start”
      ➢ In the search bar, type in “Putty” and click on “Putty.exe”
      ➢ Select the first one on the list
    Step 2: Connect using SSH to “shell.cjb.net” on port 443
    Question:
      ✓ Did you get a login prompt?
      ➢ Yes – you should see a login prompt that looks like this:
    Step 3: Close Connection and click the “Monitor” tab → “Traffic” log
    Step 4: Search for application SSH on port 443
    Questions:
      ✓ What query string did you type into the search box?
      ✓ Was the application allowed?

    Task 3 – Modify Security Policy
    Step 1: Click on the “Policies” tab → “Security”
    Step 2: Click on the “IT-usage” Security Policy created in Task 1
  • 19. Step 3: Click on the “Service/URL Category” tab and click on the pull down menu above the “Service” box, selecting “application-default” and then click “Ok”. [Note: Please ask the instructor to explain what “application-default” in the service box means.]
    Step 4: Click “Commit” (in the upper right hand corner of the web browser)
    Step 5: Click “Ok” in the pop-up window
    Step 6: Click “Close” once the commit has completed

    Task 4 – Re-check applications on non-standard ports
    Step 1: Find the PUTTY application on the student desktop
    Step 2: Connect using SSH to shell.cjb.net on port 443 using putty. Did you get a login prompt?
      ➢ You should not get the login prompt
    Step 3: Close Connection and click the “Monitor” tab → “Traffic” log
    Step 4: Search for application SSH on port 443
    Questions:
      ✓ What query string did you type into the search box?
      ✓ Was the application allowed?

    End of Activity 3
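    Added example (not part of the workshop guide or of PAN-OS): a small Python model of the “IT-usage” rule from Activity 3, showing why SSH to port 443 is allowed while the rule's service is “any” and stops matching once it is “application-default”. The port table, the two-member “IT-apps” set, the session records and the final deny are assumptions made for the illustration.

```python
"""Model of Activity 3: service "any" vs "application-default" on the IT-usage rule."""
from dataclasses import dataclass

# Standard ports for a few applications. Constructed subset for illustration,
# not the firewall's App-ID database.
DEFAULT_PORTS = {"ssh": {22}, "telnet": {23}, "ms-rdp": {3389},
                 "web-browsing": {80}, "ssl": {443}}

# The guide says IT-apps contains SSH, MS-RDP "and other applications";
# only the two named ones are modelled here (assumption).
IT_APPS = frozenset({"ssh", "ms-rdp"})


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str        # application as identified from the traffic, not from the port
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset
    service: str    # "any" or "application-default"
    action: str = "allow"

    def matches(self, s: Session) -> bool:
        if (s.src_zone, s.dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if s.app not in self.apps:
            return False
        if self.service == "application-default":
            # The application must also be on one of its own standard ports.
            return s.dst_port in DEFAULT_PORTS.get(s.app, set())
        return True  # "any": the port is not part of the match


def it_usage(service: str) -> Rule:
    """The rule built in Task 1 (service "any") and changed in Task 3."""
    return Rule("IT-usage", "Trust", "Untrust", IT_APPS, service)


def evaluate(rules, session):
    """First matching rule wins; unmatched traffic hits a modelled final deny."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.action
    return "no-match", "deny"


def off_port(sessions):
    """Log triage: sessions whose application is not on one of its standard ports."""
    return [s for s in sessions
            if s.app in DEFAULT_PORTS and s.dst_port not in DEFAULT_PORTS[s.app]]


# Constructed sessions standing in for traffic-log entries.
SESSIONS = [
    Session("Trust", "Untrust", "ssh", 443),      # the Task 2 / Task 4 test connection
    Session("Trust", "Untrust", "ssh", 22),
    Session("Trust", "Untrust", "ms-rdp", 3389),
    Session("Trust", "Untrust", "telnet", 2323),  # not in the modelled IT-apps set
]

if __name__ == "__main__":
    for service in ("any", "application-default"):
        print(f"IT-usage service = {service}")
        for s in SESSIONS:
            name, action = evaluate([it_usage(service)], s)
            print(f"  {s.app:7} tcp/{s.dst_port:<5} -> {action:5} ({name})")
    print("off-port:", [(s.app, s.dst_port) for s in off_port(SESSIONS)])
```

    The off_port() helper is the same comparison an analyst makes when reading the Traffic log in Task 2 and Task 4: the application column is compared against the destination port, not inferred from it.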
  • 20. Activity 4 – Decryption
    Background: More and more traffic is encrypted with SSL by default, making it difficult to allow and scan that traffic, yet blindly allowing it is high risk. Using policy-based SSL decryption will allow you to enable encrypted applications, apply policy, then re-encrypt and send the traffic to its final destination. Policy considerations include which applications to decrypt, protection from malware propagation and data/file transfer.

    PAN-OS features to be used:
      • App-ID
      • SSL decryption
      • Logging and reporting for verification
      • User-ID (Challenge Task)

    In this activity you will:
      • Modify existing Security Policy to allow the LinkedIn application for the Exec Team
      • Add new Decryption Policy to decrypt SSL traffic

    Task 0 – Check connectivity to LinkedIn
    Step 1: On your Java Applet session desktop, open a browser and enter the URL: http://www.linkedin.com
      ✓ Question: What is the response seen in the browser window?
      ➢ Answer: You should get blocked and see a screen that looks like this:
  • 21. Task 1 – Modify existing Security Policy
    Step 1: Click on the “Policies” tab → “Security” node will be selected
    Step 2: Click on the rule “UTD-Policy-04” → a “Security Policy Rule” pop-up will appear
    Step 3: Click on the “Application” tab (within the pop-up)
    Step 4: Click “Add” and type “linkedin-base” → select it
    Step 5: Click “Ok”
    Step 6: Click “Enable” (in the lower bar of the GUI)
    NOTE: You don’t need to click “Commit” until after the next Task

    Task 2 – Add a new Decryption Policy
    Step 1: Click on the “Policies” tab then the “Decryption” node
    Step 2: Click “Add” in the lower left-hand corner
    Step 3: In the “Decryption Policy Rule” pop-up: name the Policy “UTD-Decryption-02”
    Step 4: Click on the “Source” tab
    Step 5: Click “Add” in the box labeled “Source Zone” and select “Trust”
    Step 6: Click on the “Destination” tab
    Step 7: Click “Add” in the box labeled “Destination Zone” and select “Untrust”
    Step 8: Click on the “Options” tab and select Action “decrypt” – leave the default Type selection as “SSL Forward Proxy”
    Step 9: Click “Ok”
    Step 10: Click “Commit” (in the upper right hand corner of the web browser)
    Step 11: Click “Ok” in the pop-up window
    Step 12: Click “Close” once the commit has completed
  • 22. Task 3 – Log into LinkedIn
    Step 1: Open a new browser tab and enter http://www.linkedin.com
    NOTE: Click to confirm any security warning. You should see a confirmation page that indicates SSL Inspection is enabled.
    Step 2: Log into LinkedIn with the following credentials:
      Email address: ultimatetestdrive@gmail.com
      Password: paloalto123
    Note: If you have trouble passing the @ symbol to the VM please follow the directions in the Appendix for accessing the on-screen keyboard.
    Step 3: Attempt to post a status update.
    Question:
      ✓ Was your post update blocked by the firewall?
      ✓ You should see the following block page and note the application that is being blocked.

    Task 4 – Review Traffic Logs
    Step 1: Click on the “Monitor” tab and the “Traffic” node (under the “Logs” section) will be selected
    Step 2: Type into the query box (directly above the “Receive Time” column) the search string:
      ( app eq linkedin ) and ( port.dst eq 443 )
    Then hit the Enter key or click the icon:
    Questions:
      ✓ How many log entries are associated with the traffic you just generated?
  • 23. Then click the Details icon next to the top log entry:
    Questions:
      ✓ Did the log entry show the traffic was decrypted?

    End of Activity 4
  • 24. Activity 5 – Modern Malware Protection
    Background: Modern malware is at the heart of many of today's most sophisticated network attacks, and is increasingly customized to avoid traditional security solutions. WildFire exposes targeted and unknown malware through direct observation in a virtual environment, while the next-generation firewall ensures full visibility and control of all traffic including tunneled, evasive, encrypted and even unknown traffic. Policy considerations include which applications to apply the WildFire file blocking/upload profile to.

    PAN-OS features to be used:
      • Profiles: Virus, Spyware, file blocking & WildFire
      • WildFire portal
      • Logging and reporting for verification

    In this activity you will:
      • Modify existing file blocking policy to use the WildFire service
      • Add the modified file blocking policy to other Security Policy

    Task 1 – Enable file forwarding to WildFire Service
    Step 1: Click on the “Objects” tab → “File Blocking” node (found in the Security Profiles section)
    Step 2: Click on the Profile name “UTD-File-Blocking-01”
    Step 3: In the pop-up window find the name “File-Block-01” and change the Action from “alert” to “forward”
    Step 4: Click “Ok” – this now allows the File Blocking Profile to forward files to WildFire Modern Malware Protection services

    Task 2 – Modify Security Policy with File Blocking Profile
    Step 1: Click on the “Policies” tab → “Security” node
    Step 2: Click on the rule name “UTD-Policy-01” → a “Security Policy Rule” pop-up will appear
    Step 3: Click on the “Actions” tab (within the pop-up)
    Step 4: In the “Profile Setting” section, select the pull-down menu next to “File Blocking”
    Step 5: Select “UTD-File-Blocking-01”
    Step 6: Click “Ok”
• 25. Optional Step 7: Click on the rule name “UTD-Policy-04” -> a “Security Policy Rule” pop-up will appear
Optional Step 8: Click on the “Actions” tab (within the pop-up)
Optional Step 9: In the “Profile Setting” section, select the pull-down menu next to “Profile Type” and select “Profiles”
Optional Step 10: Select the pull-down menu next to “File Blocking” and select “UTD-File-Blocking-01”
Question:
✓ Should you apply any other Security Profiles to this Security Rule?
Optional Step 11: Click “Ok”
Optional Step 12: If this policy is not enabled, click “Enable” at the bottom of the policy screen to enable the policy
Step 13: Click “Commit” (in the upper right hand corner of the web browser)
Step 14: Click “Ok” in the pop-up window
Step 15: Click “Close” once the commit has completed

Task 3 – Test WildFire Modern Malware Protection
Step 1: To download a WildFire test sample file, open the browser and go to http://wildfire.paloaltonetworks.com/publicapi/test/pe
Step 2: The browser will automatically download a “wildfire-test-pe-file.exe” sample file. Check your “Download” folder to confirm the download. [Note that this sample changes every time it is downloaded and it should bypass most Antivirus scans.]
Step 3: To confirm that the sample file has been sent to WildFire, go back to the firewall GUI, click on the “Monitor” tab then the “WildFire” node (under the “Logs” section) and review the log entry for the file being uploaded to the WildFire service. [Note: It may take about 10 mins for the WildFire log to appear. It is a good time to take a short break before you continue. Please do not skip ahead to the next task.]
Step 4: Click the Details icon next to the top log entry. Look at “Action” under “General” to determine if the upload to WildFire was successful.
Step 5: Click “View WildFire Report” to go to the WildFire portal and continue with the next task.
• 26. Task 4 – WildFire Portal Review
Step 1: Open a browser window and enter the URL: http://wildfire.paloaltonetworks.com
Step 2: Log in using the following credentials
Username: ngfw.utd@gmail.com
Password: utd135
[Note: If you have trouble entering the @ symbol due to a keyboard issue, please follow the directions in Appendix-2 for accessing other international keyboards or the on-screen keyboard.]
Once logged in, you will be presented with a report if you have clicked on “View WildFire Report” in Task 3 Step 6.
Step 3: Click on “VirusTotal Information” on the report, and it will bring you to the VirusTotal home page. Since this malware has never been seen before, VirusTotal will show a “File Not Found” message.
• 27. Step 4: Scroll through the rest of the WildFire report, paying special attention to the “Behavioral Summary” and “Host Activity” sections.
Step 5: Go to the WildFire dashboard to review other features of the WildFire portal.
https://wildfire.paloaltonetworks.com/wildfire/dashboard

End of Activity 5
• 28. Activity 6 – URL Filtering

Application control and URL filtering complement each other, providing you with the ability to deliver varied levels of control that are appropriate for your security profile. Policy considerations include URL category access; which users can or cannot access the URL category, and prevention of malware propagation.

PAN-OS features to be used:
• URL filtering category match
• Logging and reporting for verification

In this activity you will:
• Modify the behavior of URL filtering functionality

Task 0 – Check connectivity
Step 1: Open http://www.gambling.com in browser – you should be able to open this page with the base workshop configuration

Task 1 – Modify a URL filter
Step 1: Click on the “Objects” tab then the “URL Filtering” node (found in the Security Profiles section)
Step 2: Click on the Profile name “UTD-URL-filter-01”
Step 3: Find the Category “gambling” and change the Action from “allow” to “continue”
Step 4: Click “Ok”
• 29. Task 2 – Apply the URL filter to a Security Policy
Step 1: Click on the “Policies” tab then the “Security” node
Step 2: Click on the rule “UTD-Policy-01” -> a “Security Policy Rule” pop-up will appear
Step 3: Click on the “Actions” tab (within the pop-up)
Step 4: In the “Profile Setting” section, select the pull-down menu next to “URL Filtering”
Step 5: Select “UTD-URL-filter-01” and then click “Ok”
Step 6: Click “Commit” (in the upper right hand corner of the web browser)
Step 7: Click “Ok” in the pop-up window
Step 8: Click “Close” once the commit has completed
Step 9: Open a new browser tab (on the workshop PC desktop) and enter the URL http://www.gambling.com
The Web page is blocked but the block page will have an option to continue to open the page
Step 10: Click “Continue” to open the web page

Task 3 – Review URL Filtering Logs
Step 1: Click on the “Monitor” tab -> “URL Filtering” node (under the “Logs” section)
Questions:
✓ How many log entries are associated with the traffic you just generated?
• 30. ✓ What was the action associated with the log entries?
✓ What was the port number associated with the log entries?
Step 2: Click the Details icon next to the top log entry:
Questions:
✓ Can you see the full URL?
✓ Which direction is the traffic: “client-to-server” or “server-to-client”?

End of Activity 6
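A post-commit check for Activities 5 and 6, added here as an example and not part of the workshop guide: it parses a configuration fragment and lists the allow rules that lack a forwarding File Blocking profile or any URL Filtering profile. The fragment is constructed, and its XML element layout, the “Alert-Only” profile and “Constructed-Rule” are assumptions for illustration; compare the paths with an export from your own firewall before relying on them.

```python
import xml.etree.ElementTree as ET

# Constructed fragment. The element layout is an assumption modeled on a
# PAN-OS XML export; "Alert-Only" and "Constructed-Rule" are hypothetical.
SAMPLE_CONFIG = """
<vsys>
  <profiles><file-blocking>
    <entry name="UTD-File-Blocking-01"><rules>
      <entry name="File-Block-01"><action>forward</action></entry>
    </rules></entry>
    <entry name="Alert-Only"><rules>
      <entry name="r1"><action>alert</action></entry>
    </rules></entry>
  </file-blocking></profiles>
  <rulebase><security><rules>
    <entry name="UTD-Policy-01"><action>allow</action>
      <profile-setting><profiles>
        <file-blocking><member>UTD-File-Blocking-01</member></file-blocking>
        <url-filtering><member>UTD-URL-filter-01</member></url-filtering>
      </profiles></profile-setting></entry>
    <entry name="UTD-Policy-04"><action>allow</action></entry>
    <entry name="Constructed-Rule"><action>allow</action><profile-setting><profiles>
        <file-blocking><member>Alert-Only</member></file-blocking>
      </profiles></profile-setting></entry>
  </rules></security></rulebase>
</vsys>
"""

def audit(config_xml):
    """Map each allow rule to the profile gaps the workshop steps would close."""
    root = ET.fromstring(config_xml)
    # File blocking profiles holding at least one rule whose action is "forward".
    forwarding = {p.get("name") for p in root.findall("./profiles/file-blocking/entry")
                  if any(a.text == "forward" for a in p.findall("./rules/entry/action"))}
    findings = {}
    for rule in root.findall("./rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # profiles only inspect traffic that the rule allows
        base = "./profile-setting/profiles/"
        fb = {m.text for m in rule.findall(base + "file-blocking/member")}
        issues = []
        if not fb:
            issues.append("no file blocking profile")
        elif not fb & forwarding:
            issues.append("file blocking profile never forwards")
        if rule.find(base + "url-filtering/member") is None:
            issues.append("no URL filtering profile")
        if issues:
            findings[rule.get("name")] = issues
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports “UTD-Policy-04” and “Constructed-Rule” and leaves “UTD-Policy-01” out, which is the state the guide reaches if the optional steps for “UTD-Policy-04” are skipped.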
• 31. Activity 7 – Event Reporting

Informative reports are very important to network and security administrators to monitor and identify potential network problems and attacks. Comprehensive built-in reporting features in the firewall can provide visibility into the network without requiring a complex logging infrastructure.

PAN-OS features to be used:
• Reporting (pre-defined)
  o Top applications, threats, URL categories, etc.
• Manage custom reports
  o Create a custom report using traffic stats logs

Task 1 – Running pre-defined reports
Step 1: Click on the “Monitor” tab then the “Reports” node (last node on the list)
Step 2: On the right-hand side of the browser window is a list of pre-defined reports grouped by Application, Traffic, Threat, URL Filtering, and PDF summary. Click on any of those reports (in any group) and a default view of the last 24 hours of traffic will display.

Task 2 – Setting up custom reports
Step 1: Click on the “Monitor” tab then the “Manage Custom Reports” node (second from last)
Step 2: Click “Add” (in the lower left) and name the report “Traffic Stats” (in the “Custom Report” pop-up)
Step 3: Use the following information to create this report:
✓ Database: Application Statistics
✓ Time Frame: Last 24 Hrs
✓ Selected Columns: App Category, App Sub Category, Risk of App, Sessions
✓ Sort By: Sessions, Top 10
Step 4: Click “Run Now” (at the top of the pop-up)
Step 5: Click “Ok” when done reviewing the results

Task 3 – SE “Demo Box” review
The facilitator will log into the Palo Alto Networks’ SE Demo Box to review a fully populated firewall.

End of Activity 7
• 32. Request a free evaluation/AVR Report and you’ll get entered into today’s PA 200 drawing!
Ask your Palo Alto Networks Sales Representative or Palo Alto Networks Partner for more information
• 33. Appendix-1: Alternative Login Method to Student Desktop

This appendix shows you how to log in to the student desktop using other connectivity methods. Please complete the procedures outlined in Activity-0: Task-1 to log in to the UTD Workshop before you continue.

There are two other methods that you can use to log in to the student desktop:
- Use “Console” feature in workshop (Java client required)
- Use RDP client if it is installed on the laptop

Both methods are described below and you can select the one that best fits what you have installed on your laptop. Note that the RDP protocol may not be supported on all networks, so please verify that RDP is supported at your location.

Login to the student desktop using Java Console (Java client required)
Step 1: Click on the “Student Desktop” after logging in to the UTD workshop
Step 2: Click on the Console link on “switch to Console”. This will run the Java client.
• 34. Step 3: Allow Java to run the VncViewer application. You may need to click “Run” a few times.
Step 2: Click on “Don’t Block” on the Java Security Warning message.
Step 3: After allowing the Java client to run, you will see the student desktop display. Click “Send Ctrl-Alt-Del” to open the login window and use the Username and Password as indicated on your browser, not the one indicated below. You should be logged in to the student desktop after entering the login name and password.
• 35. Login to the student desktop with RDP client

If you have an RDP client installed on your laptop, you have the option to connect directly to the student desktop over RDP.
Step 1: Click on the “Virtual Machines” tab at the top to view all the Virtual Machines in the environment.
Step 2: Click on “More details” in the “VM-Series Virtual Firewall”. Note: Not the one under “Student Desktop”.
Step 3: Copy the URL in External Address under VM Details of the “VM-Series Virtual Firewall”. You can click on the blue icon next to the address to copy it to the clipboard.
• 36. Step 4: Open the RDP client on your laptop and paste the URL into the host or PC field. (Note: Not the URL as shown below.)
Step 5: On the browser, click on the “More details” link on the “Student Desktop”, then click on the “show password” link under Credentials. Use the password to log in to the student desktop.
Step 6: Use the username and password to log in to the student desktop.
• 37. Step 7: Click “Connect” on the certificate error message.
Step 8: You should be connected to the student desktop after that.
• 38. Appendix-2: Support for Non-US keyboards

If you are using a Non-US keyboard and have difficulties entering any characters and special keys, you can add a keyboard to the student desktop to support what you have or use the on-screen keyboard. This appendix shows you how to add and select an international keyboard or use the on-screen keyboard.
By default, the “English (United States)” and “French (France)” keyboards are added to the student desktop. Click on the bottom left corner to switch between them.
• 39. Add new international keyboard

To add other keyboards, go to Start > Control Panel. Click on “Change Keyboards or other input methods”
Click on “Change keyboard”
Click “Add” to add a new international keyboard. Then switch to the new keyboard per the instruction on the previous page.
• 40. Use the on-screen keyboard

To use the on-screen keyboard:
Step 1: Click on Start -> All Programs
Step 2: Click “Accessories”
• 41. Step 3: Click “Ease of Access” and then “On-Screen Keyboard”
Step 4: You should now see the Windows On-Screen Keyboard. To pass keys inside the VM image that do not work on your keyboard, simply select the key using a mouse.
• 42. Equipment Setup

Firewall VM-Series

Interface:      Int Type:   IP Address:     Connects to Zone:
Ethernet 1/1    L3          172.16.1.1      "Untrust"
Ethernet 1/2    L3          192.168.11.1    "Trust"
Ethernet 1/3
Ethernet 1/4
Management      -           10.30.11.1