
PALO ALTO 110: FOUNDATIONS OF NEXT GENERATION FIREWALL LAB GUIDE


Module 1: Platform and Architecture
Module 2: Getting Started
Lab 0: Lab Access
Cloud Harmonics has a ‘virtual lab’ that consists of lab devices accessed through an HTML5 capable
browser over SSL. All students will be required to connect into the lab from their systems for the
duration of the class. Local system user permissions or corporate network security policies may
interfere with this remote access. To connect to our training environment, please use the following
instructions:

1. Log on to https://www.cloudharmonics.com/ with the e-mail you used to register for the class.
2. Click the LABS tab.
3. Click the screen of the Student PC in the network diagram.

[Figure: lab network diagram with links to the firewall GUI, the firewall CLI, and the student PC desktop]

4. The browser opens a separate tab with a connection to a Windows virtual machine.
5. If you see a Windows installer, close it.
6. You can do all of the labs on that virtual machine, or do some with your browser connecting to
the firewall's user interface.

CHLS-PANW-110 Lab Guide – Page 1


Lab 1: Modify the Administrator's Password
In this lab you perform the initial configuration of a Palo Alto Networks firewall.

1. Return to the lab diagram and click the icon to connect to the firewall's web interface.
2. Log on as admin with the password admin (the default credentials) and click OK to dismiss
the warning.
3. Select Do not show again and click Close to close the "what is new" window.
4. Click the Device tab.
5. Click the Administrators node (the link in the side bar).
6. Click admin.
7. Change the password from admin to Knowledge4u!.

There is no need to commit after this step. Password changes happen immediately.

Lab 2: Modify the Management Interface's Configuration


To enable labs, the firewall's management interface is already configured for you. In this lab you see
what it is and make a meaningless change.
1. Click the Device tab, the Setup node, and then the internal tab Management (written
henceforth as Device > Setup > Management).
2. See the management interface settings and click the gear icon.

3. If you change the IP address, the lab will stop working. So instead, change the netmask to
255.0.0.0. The change is meaningless in this environment, because the firewall never needs
to access a 10.<not thirty>.<x>.<y> IP address.
4. Click OK.
5. Click Commit, and confirm with another Commit.
6. Click Close.



Lab 3: Update the License
1. Click the Device > Licenses node on the sidebar.
2. Click Retrieve license keys from license server on the bottom.
3. See that the licenses are all valid.



Module 3: Basic Administration
Lab 4: Create a Restricted Administrator
In this lab you create a role for operators. Operators are allowed to view the firewall information, but
not change it. This lets them identify if the firewall is the cause of an outage, but not open the firewall
for intrusions.
Create the role
1. Click Device > Admin Roles (you might need to log on again).
2. Click Add. Note that in Palo Alto Networks' web interfaces, the add and delete are always at
the bottom of the window.
3. Name the new role operator.
4. Scroll down and click Policies > Security to restrict the role to read only (the lock icon). Do the
same for all the categories under Policies and Objects.
5. Click Network, Device, Privacy, Commit, and Global to disable those parts of the user
interface.

6. Click the XML API and Command Line tabs to see there is no access allowed through those
interfaces.
7. Click OK.

Create an operator
8. Click Device > Administrators.
9. Click Add.
10. Create an administrator with these parameters:

Name                 operator
Password             Knowledge4u!
Administrator Type   Role Based
Profile              operator

11. Click the Commit icon in the top right of the window.
12. Click Commit and then OK.
13. After the commit process, click Close.



Become the operator
14. Click Logout at the bottom left corner of the browser window.
15. Log on as operator with the password Knowledge4u!.
16. Select Do not show again and click Close to close the "what is new" window.
17. See that you only have access to some of the tabs, and that in the tabs you can access you
cannot click OK to make any changes.

Synchronize work with locks


As an operator, you investigate network issues. Now, lock the configuration so nobody will change
the policy while you are working on it.
18. Click the lock icon between Validate and Search on the top right corner.

19. Click Take Lock.


20. Select the type Config, type the comment please do not change the security
policy and click OK and then Close.
21. Log out and log on again as admin (same password, Knowledge4u!).
22. Click Device > Administrators and attempt to create a new administrator.
23. When you click OK, see that the configuration is locked.

24. Click Close and then Cancel.


25. Click the lock icon in the top right corner.
26. See in the comment the reason that operator does not want you to change the security policy.
27. Decide that what you want is more important: click the lock line, then Remove Lock, and then OK.
28. Click Close.



Lab 5: Configuration Management
In this lab you manage configurations the way you might in a production environment.
1. Click Device > Setup.
2. Click the Operations tab.

Export a configuration
In this portion of the lab you act as the administrator, having just finished quality assurance on a new
firewall policy. Uptime is extremely important to your organization, so you have a separate QA setup
from your production network.
3. Click Save named configuration snapshot.
4. Name the configuration passed-qa and click OK and then Close.
5. Click Export named configuration snapshot.
6. Select passed-qa and click OK.
7. If you'd like, open the downloaded XML file in Internet Explorer to see it.

Import a configuration
Now you need to upload the verified configuration to your production firewall. Pretend you have
logged out of the QA firewall and gone to the production one.
8. Before you modify the configuration, save the current production configuration into
prod-conf-old.
9. Click Import named configuration snapshot. Select passed-qa from the Downloads folder.
Click OK and then Close.
10. Click Load named configuration snapshot.
11. Select passed-qa. Click OK and then Close.

Revert to the previous snapshot


Pretend that despite your QA, the new configuration causes an outage. You need to get back to the
old configuration.
12. Click Load named configuration snapshot.
13. Select conf-old. Click OK and then Close.



Lab 6: Software Updates and Dynamic Updates
Security is a moving target, because there are always new attacks. In this lab you learn how to
update the security software and the content security definitions.
Update the software
1. Click Device > Software.
2. Click the refresh icon. It is on the bottom left, where you would find the Add and
Delete icons.
3. Click the top Download action to download the latest version of the software.
4. Click Install (in the Action column).
5. When asked for a reboot, click Yes.
6. Wait until asked to log on, and log on as admin with the password Knowledge4u!.

Update the content security definitions


7. Click Device > Dynamic Updates.
8. See the schedule for updates and the time of the last check.

9. Click the refresh icon.


10. If there is any new content, click Download and then Install.



Module 4: Connectivity
Lab 7: Configure a Tap Interface
In this lab you configure an interface (ethernet1/5) as a tap to analyze traffic in read only mode.
1. Click Network > Zones (the Network tab and then the Zones node on the sidebar).
2. Click the Add icon. In the Palo Alto Networks user interface, add and delete are at the
bottom of the window.
3. Name the zone tap-zone and select the type Tap.
4. Click OK.
5. Click Network > Interfaces.
6. Click ethernet1/5.
7. Set the interface type to Tap and the security zone to tap-zone.
8. Click OK.

Lab 8: Configure a Virtual Wire


In this lab you configure a virtual wire between ethernet1/3 and ethernet1/4.
1. Click Network > Interfaces.
2. Click ethernet1/3.
3. Select the interface type Virtual Wire.
4. Expand the virtual wire. Click New Virtual Wire.
5. Name the virtual wire vwire-34 and click OK. Note that you cannot specify the interfaces yet.
6. Expand the security zone. Click New Zone.
7. Name the new zone ether-3. Select the type Virtual Wire and click OK.
8. Click OK to finish configuring the interface.
9. Click ethernet1/4.
10. Select the interface type Virtual Wire.
11. Select the virtual wire vwire-34.
12. Expand the security zone. Click New Zone.
13. Name the new zone ether-4. Select the type Virtual Wire and click OK.
14. Click OK to finish configuring the interface.

Lab 9: Examine Internet Connectivity


The student system is already configured for Internet access. In this lab you see all the relevant
definitions for routing between the LAN segment that has the student PC, and the LAN segment that
is routed to the Internet.
1. Click Network > Interfaces.
2. Click ethernet1/1.
3. See that it is connected to the Student-VR, and the zone is Untrust-L3.
4. Click the IPv4 tab to see the IP address is 172.16.1.<n>/24.
5. Click Cancel.
6. Repeat steps 2-5 for ethernet1/2 to see that it is the trusted interface, with the IP address
192.168.<n>.254/24.
7. To see the routing table, click Network > Virtual Routers.
8. Click Student-VR.
9. See that the only interfaces on the virtual router are those you expect.
10. Click Static Routes to see the gateway to the Internet is 172.16.1.254.



11. Click Cancel to dismiss the virtual router details.

Lab 10: Configure a VLAN


In this lab you configure ethernet1/6 - ethernet1/8 to function as a switch. The first interface is in the
DMZ, and the other two are an internal network. This virtual switch should be connected to the
Internet through the virtual router.
1. Click Network > Interfaces.
2. Click ethernet1/6.
3. Select the Interface type Layer2.
4. Create a new VLAN called switch-678. You do not need to pick a vlan interface at this point.
5. Create a new zone called DMZ (layer 2, of course).
6. Repeat steps 2-5 with ethernet1/7 and ethernet1/8, using the same VLAN. The security zone
for both of them is internal-vlan (also layer 2, you need to create it).

Connect the VLAN to the virtual router


7. Click the VLAN tab within the Network > Interfaces user interface.
8. Click Add (remember that in Palo Alto Networks, add and delete are at the bottom of the
window).
9. Configure these parameters, leave the others on their default value.

Interface Name (after the dot)   1
VLAN                             switch-678
Virtual Router                   Student-VR

10. Click OK.



Lab 11: View the NAT Configuration
The internal network's IP address subnet is 192.168.<n>.0/24. This network is for internal use only;
to access the Internet, you have to use address translation. Because Internet access is already
configured, the address translation has already been done. In this lab you see what it does
and how.
1. Click Policies > NAT.
2. Click the one rule in the policy, Student Source NAT.
3. Look in the Original Packet tab to see that the policy applies to any packet going from the
Trust-L3 zone to the Untrust-L3 zone, and routed to ethernet1/1.

This rule does not apply to the VLAN interfaces, because their zones are not in the
source zone field. In a real life implementation, you would need to add them.

4. Click Translated Packet.


5. See that the IP addresses are translated to the virtual router's "external" IP address,
172.16.1.<n>.



Lab 12: Commit the Changes
So far, none of your changes in this module actually did anything. To change the configuration, you
need to commit the changes first.

1. Click the Commit icon in the top right of the window.


2. Click Commit and then OK.
3. After the commit process, click Close.



Lab 13: Use the Command Line Interface (optional)
In this lab you use the command line interface to view and modify the firewall's configuration.
1. Return to the lab diagram and click the icon to connect to the student PC (see Module 2, Lab 0:
Lab Access, p. 1).

2. Click the icon to run PuTTY, the Windows SSH client.


3. Double-click the management interface of your firewall, student<n>-fw.
4. Click Yes to accept the certificate.
5. Log on as admin with the password Knowledge4u!.
6. Type a question mark to get the list of commands. Press space to get past the more prompt.
7. Run this command to see information about all the interfaces:

show interface all

8. Run this command to only see the logical interface information for interfaces that are part of a
VLAN:

show interface all | match vlan

Remember to use match and not grep. While a grep command exists in the command
line interface, it is used for searching in files, not in pipeline mode.

9. See the system configuration:

show deviceconfig system

10. Modify the login banner:

configure
set deviceconfig system login-banner "Authorized users only"
commit

11. Close the PuTTY window.


12. Return to the firewall's web based interface.
13. If necessary, click Logout at the bottom left corner of the browser window.
14. See the new log on banner.



Module 5: Security
Lab 14: View the Current Security Policy
The firewall is already configured to allow some access to the Internet from the student PC virtual
machine. In this lab you view that rule base.

1. Return to the lab diagram and click the icon to connect to the firewall's web interface.
2. Log on as admin with the password Knowledge4u!.
3. Click Policies > Security.
4. See the three rules. Rule #1 allows some applications access from the trusted zone to the
untrusted zone (this also includes replies going back to the trusted zone). The bottom two rules
are the defaults: anything within a zone that is not explicitly denied above is allowed, anything
between zones that is not explicitly allowed is denied.

5. Return to the lab diagram and click the icon to connect to the student PC.
6. Go to a news site, such as http://www.slashdot.org. See you have access.
7. Try to go to Google Drive (https://drive.google.com) and see it is blocked.

Lab 15: Enable Google Drive


In this lab you enable access to Google Drive.
1. Return to the Palo Alto user interface tab.
2. Click Policies > Security.
3. Click Add to add a new rule.
4. Configure a rule with these parameters:

Tab           Field                 Value
General       Name                  Enable Google Drive
Source        Source Zone           Trust-L3
              Source Address        Any (the default)
Destination   Destination Zone      Untrust-L3
              Destination Address   Any (the default)
Application   Application           google-drive-web

5. Click OK.
6. Click Commit.
7. Click Preview Changes and then OK.
8. If the popup is blocked by your browser, allow it. You might need to repeat the previous step.



9. See the textual representation of the new rule:

10. Close the preview pop-up.


11. Click Commit to approve the change.
12. Notice that some prerequisite applications are also allowed and then click Close.

Verify the change


13. Return to the tab with the Student PC's
14. Reload Google Drive (https://drive.google.com) and see it is allowed.
15. Click Sign In.
16. Log on as student01@pool-cat.com with the password Knowledge4u!.
17. See you can view, download, and upload files. Note that any file you download goes to your
desktop.
18. Attempt to go to Microsoft OneDrive (https://onedrive.live.com) and see you are blocked.
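
The rule-base behaviour described in Lab 14, step 4 and changed in Lab 15, modelled as an added example (not part of the original lab guide and not Palo Alto Networks code). It checks rules top-down and falls through to the two default rules. The application list of rule #1 and the names web-browsing, ssl, dns and ms-onedrive are assumptions, and the model ignores addresses, services, profiles and the prerequisite applications mentioned in step 12.

```python
"""Simplified model of first-match security policy evaluation (added example)."""
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    apps: frozenset
    action: str = "allow"

def _matches(field, value):
    # A rule field matches if it is "any" or lists the session's value.
    return "any" in field or value in field

def evaluate(rulebase, src_zone, dst_zone, app):
    """Return (action, rule_name) for a new session, checking rules top-down."""
    for r in rulebase:
        if (_matches(r.src_zones, src_zone) and _matches(r.dst_zones, dst_zone)
                and _matches(r.apps, app)):
            return r.action, r.name
    # The two default rules at the bottom of the rule base (Lab 14, step 4):
    # traffic within a zone is allowed, traffic between zones is denied.
    if src_zone == dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"

TRUST, UNTRUST = frozenset({"Trust-L3"}), frozenset({"Untrust-L3"})

# Rule #1 from Lab 14. The guide does not list its applications;
# the three names below are assumed for illustration.
GENERAL = Rule("General Internet", TRUST, UNTRUST,
               frozenset({"web-browsing", "ssl", "dns"}))
# The rule added in Lab 15.
DRIVE = Rule("Enable Google Drive", TRUST, UNTRUST,
             frozenset({"google-drive-web"}))

BEFORE = [GENERAL]          # rule base as viewed in Lab 14
AFTER = [GENERAL, DRIVE]    # rule base after the Lab 15 commit

# Constructed sessions: (source zone, destination zone, application).
SESSIONS = [
    ("Trust-L3", "Untrust-L3", "web-browsing"),
    ("Trust-L3", "Untrust-L3", "google-drive-web"),
    ("Trust-L3", "Untrust-L3", "ms-onedrive"),   # assumed application name
    ("Untrust-L3", "Trust-L3", "web-browsing"),  # new inbound session, not a reply
    ("Trust-L3", "Trust-L3", "ms-onedrive"),     # stays inside one zone
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s, "before:", evaluate(BEFORE, *s), "after:", evaluate(AFTER, *s))
```

The inbound web-browsing session is denied even though rule #1 allows that application outbound: replies belong to the session that the trusted side opened, while a session opened from Untrust-L3 is evaluated on its own.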



Lab 16: Prevent Access to Certain Web Site Categories
In this lab you use a URL filtering profile to restrict access to certain categories that HR has deemed
inappropriate for people to browse from the office.
1. Return to the Palo Alto user interface tab.
2. Click Objects > URL Filtering.
3. Click Add.
4. Name the new profile biz-inappropriate.
5. For each of the forbidden categories (games, news, and religion), click allow and select block
instead.

6. Click OK to create the object.


7. Click Policies > Security.
8. In the General Internet rule's row, in the Profile column, click the current value (none).
9. Select the profile type Profile and the URL filtering profile biz-inappropriate. Click OK.
10. Commit the new policy.

Verify the change


11. Return to the tab with the Student PC's
12. Attempt to access a game site (for example, http://www.kingdomofloathing.com), a news site
(for example, http://www.cnn.com), and a religious site (for example, http://www.torah.org).
See you are rejected.
13. Attempt to access a web site in a different category, for example http://www.slashdot.org, and
see you are allowed.



Module 6: Monitoring
Lab 17: The Application Control Center (ACC)
In this lab you look in the application control center to see traffic statistics.
1. Click the ACC tab.
2. In the Network Activity tab, see how much data you transferred and when. Change the time
filter (top left) to Last 24 Hrs.
3. Look at your application categories: what is the highest risk level? Which application (or
applications) that you used have it?
4. Look at the destination regions: which countries did you contact?

Lab 18: Log Files


In this lab you look in the log files to see the traffic.
Verify traffic is logged
1. Click Policies > Security.
2. Scroll all the way to the right and click the first rule's options.
3. See that logging is enabled at the end of the session and click Cancel.

View the traffic log


4. Click Monitor > Traffic to see the traffic log.
5. Click Monitor > URL Filtering to see which URLs were blocked.
6. See all the other logs.
7. Click the App Scope Summary node and see the different options.

Lab 19: Create a Custom Report


Finally, create a custom report.
1. Click Monitor > Manage Custom Reports.
2. Create a report with these parameters:

Name               App statistics
Database           Summary Databases > Application Statistics
Time Frame         Last 24 Hrs
Sort by            Sessions and Top 10
Group By           None and 10 Groups
Selected Columns   Application Name, App Category, App Sub Category, Risk of App, Sessions

3. Click App statistics and then Run Now.


4. Click the risk column to sort by risk.
