Panorama 9.0
Managing Firewalls at Scale
Lab Guide
PAN-OS® 9.0
EDU-120
Courseware Version A
Your instructor will provide login instructions about how to connect to the lab environment.
You will use Client A to initially connect to the Panorama appliance and to the two firewalls.
In this lab, you will perform the following tasks:
In the lab environment, connect to Client A
Use the Chrome browser to log in to the web interface for the Panorama appliance and
both firewalls
Document configuration and license information of Panorama:
▪ Which version of Panorama software are you running?
▪ Is this a physical or a virtual Panorama appliance?
▪ In which System Mode is Panorama deployed?
▪ How many devices (or firewalls) can this installation of Panorama manage?
▪ When does support expire for this instance of Panorama?
Provide an initial configuration of the Panorama appliance.
Verify the management interface configuration:
▪ IP Address: 192.168.1.252
▪ Netmask: 255.255.255.0
11. Click the drop-down arrow next to the Name field, select edu-220-panorama-9-Start-lab-01, and then click OK.
12. Click Close on the Loading Configuration message.
13. Click Commit in the upper-right corner, and then select Commit to Panorama.
14. When the Commit to Panorama window appears, click Commit in the bottom-right
corner of the window.
15. Monitor the status of the commit process. When the commit has completed, click Close.
23. Click the NTP tab, and then enter pool.ntp.org in the NTP Server Address field for
the Primary NTP Server:
27. In the Login Banner field, enter: *** This is Panorama ***
Notice that the Serial Number field already is populated. (Your instructor provided the numbers
prior to the class.)
28. Leave the remaining settings unchanged, and then click OK to save them.
31. Notice that the changes you made to the candidate configuration are listed on the right
under the section for Candidate Configuration.
Changes displayed in the Config Audit section are color coded:
▪ Green indicates items in the configuration that have been added.
▪ Red indicates items that have been deleted.
▪ Yellow indicates that an existing item has been modified.
We have only added items to the configuration, so you will not see any yellow or red entries.
To the right of each change are the name of the admin who made the change, the date, and the
timestamp:
32. Click the Commit option in the upper-right corner, and then select Commit to
Panorama.
33. When the Commit to Panorama window appears, click Commit.
34. Monitor the status of the commit. When the commit has completed, click Close.
35. On the Client A Windows desktop, locate and then double-click the icon to start
the 3CDaemon application.
This is a useful tool that provides FTP, TFTP, and Syslog services on the Client A host. We will use
this tool several times throughout the labs.
36. Click the FTP Server tab on the left side of the application.
37. Click the Configure FTP Server option.
38. Change the User Directory to C:\Users\lab-user\Desktop\lab\ and click OK.
39. Then check all check boxes in the This user can: section:
40. Click OK, and then click Yes in the 3CDaemon window to save your changes.
41. Click OK on the Profile saved message.
42. Notice that the FTP server now is listening for new requests on IP address 192.168.1.20,
Port 21.
Parameter Value
• Name: DailyExport
• Enable: Ensure that the check box is checked
• Scheduled Export Start Time (Daily): Enter a value that is 10 minutes ahead of local Panorama time. (In this example, enter 21:25:00.)
• Protocol: FTP
• Hostname: 192.168.1.20
• Port: 21
• Path: Leave this field blank
• Username: anonymous
• Password: Leave this field blank
• Confirm Password: Leave this field blank
• Enable FTP Passive Mode: Leave this unchecked
48. Verify that your configuration matches the following screenshot. (Note that the Start
Time should contain a value +10 minutes from the local Panorama time.)
The Import button allows you to add multiple firewalls to Panorama by importing a predefined
CSV file with the serial numbers of firewalls in your environment. You also can add devices by
copying the serial number from the Dashboard on the firewall and pasting it into this window. In
this lab, we will use the CSV import process.
38. In the Device Association window that opens, click the link for Download Sample CSV
so you can see the format for the file to import.
The first line in this sample file contains the column descriptors. The next two lines are examples
of how to create entries to import.
The example lines show that not only can you import a firewall, but you also can place it in an
existing device group and into an existing template. The file also includes values for a Log
Collector Group and a specific Log Collector. We will discuss Log Collectors and Log Collector
Groups later in this course.
The final column, auto-push-on-first-connect, is set to either true or false. This value tells
Panorama to automatically push configuration changes to the firewall when the device first
connects to Panorama.
42. In Notepad++, use File open and locate the lab folder on the Desktop.
43. Open the firewall-import.csv file.
44. Note that the file does not contain text for device-group, template, collector-group, or
log-collector, but there still are commas that represent each of those columns.
Because no device groups or any other Panorama elements are set up yet, we are leaving these
items blank in this CSV file.
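The following validator, added here as an example and not part of the lab or Panorama itself, checks a device-association CSV of the layout described above before it is imported: the serial number is required, the device-group and template columns must either be blank or name something that already exists, and auto-push-on-first-connect must be true or false. The name of the serial-number column and the sample serial numbers are assumptions.

```python
import csv
import io

# Column order of the sample CSV as described in the lab. The name of the
# first (serial number) column is an assumption; the other five are the
# column names the lab text gives.
COLUMNS = ["serial", "device-group", "template", "collector-group",
           "log-collector", "auto-push-on-first-connect"]

# Constructed sample mirroring firewall-import.csv: serial numbers only, with
# the optional columns left empty but still delimited by commas.
SAMPLE_CSV = """serial,device-group,template,collector-group,log-collector,auto-push-on-first-connect
0123456789AAAAA,,,,,false
0123456789BBBBB,,,,,false
"""


def validate_device_import(text, device_groups=(), templates=()):
    """Return (rows, errors) for a device-association CSV.

    rows   -> list of dicts keyed by COLUMNS, auto-push converted to bool
    errors -> list of human-readable problems, one per bad cell
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    errors = []
    if header != COLUMNS:
        errors.append(f"unexpected header {header!r}")
        return [], errors
    rows, seen = [], set()
    for n, rec in enumerate(reader, start=2):  # line 1 is the header
        if not rec:
            continue  # tolerate blank lines left by a spreadsheet export
        if len(rec) != len(COLUMNS):
            errors.append(f"line {n}: expected {len(COLUMNS)} columns, got {len(rec)}")
            continue
        row = dict(zip(COLUMNS, (c.strip() for c in rec)))
        if not row["serial"]:
            errors.append(f"line {n}: serial number is required")
        elif row["serial"] in seen:
            errors.append(f"line {n}: duplicate serial {row['serial']}")
        seen.add(row["serial"])
        # A device group or template may be blank, but if given it must
        # already exist in Panorama.
        if row["device-group"] and row["device-group"] not in device_groups:
            errors.append(f"line {n}: unknown device group {row['device-group']}")
        if row["template"] and row["template"] not in templates:
            errors.append(f"line {n}: unknown template {row['template']}")
        flag = row["auto-push-on-first-connect"].lower()
        if flag not in ("true", "false"):
            errors.append(f"line {n}: auto-push-on-first-connect must be true or false")
        row["auto-push-on-first-connect"] = flag == "true"
        rows.append(row)
    return rows, errors
```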
45. Close Notepad++.
46. In the Device Association window, click the Browse button in the upper right corner.
47. Open the Desktop\lab folder and select the firewall-import.csv file and click Open.
48. Panorama will import the file and display the serial number for both firewalls.
Stop. This is the end of the Adding Managed Firewalls to Panorama lab.
11. Click OK. Notice that the Network tab and Device tab now appear:
We are creating a new template variable called $NTP_Server and setting a default value for it of
pool.ntp.org. The value for NTP Server automatically will be populated with the default value of
pool.ntp.org wherever this template is used (in any template stack, for example).
However, because this is a variable, we can replace the value in multiple firewalls easily by
importing a file that provides different values for this variable.
We will use variables in several other places later in this lab.
29. Click the Commit option in the upper-right corner, and then select Commit to
Panorama.
30. When the Commit to Panorama window appears, click Commit.
35. Verify that the template stack is listed, with both firewalls in the Devices column:
3.5 Commit
36. Select Commit:
a. Select Commit to Panorama.
b. Click the Commit button. Wait until the commit status is complete and then click
Close.
38. Ensure that the Merge with Device Candidate Config and Include Device and
Network Templates are checked.
The warning is a reminder that when you force template values from Panorama to one or more
firewalls, the process overwrites any of the Network and Device settings in place on the target
firewalls. We will consistently enable the Force Template Values throughout these labs, but in a
production environment, you should make certain that you do not overwrite Network or Device
settings on firewalls unless you intend to do so.
40. Click Yes.
41. Select the Templates tab.
42. Ensure that the check box for BaseDevice is checked:
Note that the columns in this table have been rearranged to fit in this image. You will need to
scroll to the right in order to locate the Template column or the commit succeeded message.
52. Select the Browser tab for firewall-a.
53. Use the Logout link in the bottom-left corner of the browser window.
54. Log back in to the firewall using admin and admin for the Username and Password.
You immediately can tell that the firewall has a red banner around the frame of the browser.
Setting the banner color is a useful way to distinguish a firewall interface from the Panorama
interface.
55. On firewall-a, select the Device > Setup > Management tab, click the gear icon, and
confirm that the configuration changes have been pushed to the firewall. You might need
to refresh the web interface.
Notice the green gear icon next to the configurations that have been pushed from the
Panorama appliance. Examine the General Settings pane of the web interface to verify
configuration items pushed from Panorama, as shown in the following image:
59. Select Device > Server Profiles > SNMP Trap, and confirm that the SNMPRcv server
has been added.
We want to make certain that we create these settings in the correct template. Always check
the drop-down list for Template to make certain you have selected the appropriate one.
70. Click Add:
• Name: allow-mgt
• Check the HTTPS, SSH, Ping, SNMP, and Response Pages check boxes.
• Click OK.
71. Click Add:
• Name: allow-ping
• Select Ping.
Management Interface Profiles define which services a firewall interface will respond to. After
the services are defined, you can assign an interface profile to a specific firewall interface
(ethernet1/1 or ethernet1/2, for example) to allow that interface to respond to certain types of
network traffic (ping, for example).
Note: A best practice is to add an appropriate comment in the Comment field of the dialog box.
80. Click the IPv4 tab.
81. Click Add under the IP section. The following window appears:
83. Now you will create a template variable and assign a default value to the template
variable. In the Name field, enter $Firewall_Interface_Inside.
84. Enter 2.2.2.2/24 in the blank field to the right of the Type field. (This is the default
value for the template variable $Firewall_Interface_Inside.)
85. Verify that the window you are working on matches the preceding screen, and then click
OK.
86. Click the Advanced tab and locate the section for Other Info.
87. For Management Profile, select allow-mgt:
Recall that the allow-mgt interface profile contains ping, SSH, HTTPS, SNMP, and Response
Pages. Because this interface (ethernet1/2) is attached to the internal network Security Zone
(Trust-L3), we can access the firewall itself using these different services.
90. Click Yes.
91. Click Add Interface:
• Slot: Slot 1
• Interface Name: ethernet1/1
• Interface Type: Layer3
• Security Zone: Untrust-L3
92. Select the IPv4 tab, click Add under the IP section, and then click New X Variable.
93. Enter $Firewall_Interface_Outside in the Name field.
94. Enter 1.1.1.1/24 in the blank field to the right of the Type field.
This will be the default value for the template variable $Firewall_Interface_Outside.
95. Click OK.
96. Click the Advanced tab, and then select the tab for Other Info.
97. For Management Profile, select allow-ping.
98. Click OK and verify that your settings match the following screenshot:
Note: Both firewalls are in the same subnets, so only a single virtual router is necessary.
107. Click OK to close the Virtual Router window.
108. Click Commit > Commit to Panorama.
109. Click Commit in the resulting window and then click Close in the next window when
the commit status is complete.
This example illustrates how you would build a CSV file to apply specific values to variables that
you create inside templates:
▪ The first row of the file contains the field names including the hostname and serial number
of the managed firewalls that will use the template stack in Panorama.
▪ Each subsequent row lists a variable, the type of variable, and then specific values for each
firewall.
▪ The term #inherited indicates that the value for that variable will be pulled from another
template within the stack.
Because most people use a spreadsheet application to create CSV files, an example follows of
what the variables_ConfigFW.csv looks like when you open it in Excel:
During the lab, you will import the variables_ConfigFW.csv file, and Panorama will apply the
device-specific values for firewall-a and firewall-b to the interface variables.
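The parser below is an added example, not the lab's file or Panorama code. It reads a variables CSV in the layout just described (header naming the firewalls, one variable per row with its type and a value per firewall), resolves #inherited against the defaults carried by the templates in the stack, and rejects a bad variable name or address before import. The header column names, type names, hostnames and the inside addresses are assumptions; the outside addresses are the ones the lab later shows.

```python
import csv
import io
import ipaddress

INHERITED = "#inherited"

# Constructed sample of the variables CSV layout. The "name"/"type" column
# names and the type strings are assumptions, as are the hostnames and the
# inside addresses; the outside addresses match what the lab shows pushed.
VARIABLES_CSV = """name,type,firewall-a,firewall-b
$Firewall_Interface_Inside,ip-netmask,10.0.1.1/24,10.0.2.1/24
$Firewall_Interface_Outside,ip-netmask,203.0.113.20/24,203.0.113.25/24
$NTP_Server,fqdn,#inherited,#inherited
"""

# Default values defined by the templates in the stack: Mgt Settings defines
# $NTP_Server, ConfigFW defines the two interface variables.
TEMPLATE_DEFAULTS = {
    "$NTP_Server": "pool.ntp.org",
    "$Firewall_Interface_Inside": "2.2.2.2/24",
    "$Firewall_Interface_Outside": "1.1.1.1/24",
}


def resolve_variables(text, defaults):
    """Return {hostname: {variable: value}} with #inherited resolved.

    Raises ValueError on a malformed name, row or address so a bad file is
    caught before it is imported into the template stack.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if header[:2] != ["name", "type"] or len(header) < 3:
        raise ValueError(f"unexpected header {header!r}")
    hosts = header[2:]
    result = {h: {} for h in hosts}
    for rec in reader:
        if not rec:
            continue
        name, vtype, values = rec[0].strip(), rec[1].strip(), rec[2:]
        if not name.startswith("$"):
            raise ValueError(f"variable {name!r} must start with '$'")
        if len(values) != len(hosts):
            raise ValueError(f"{name}: expected {len(hosts)} values, got {len(values)}")
        for host, value in zip(hosts, values):
            value = value.strip()
            if value == INHERITED:
                # #inherited pulls the value from another template in the
                # stack, so some template must actually define the variable.
                if name not in defaults:
                    raise ValueError(f"{name}: marked {INHERITED} but no template defines it")
                value = defaults[name]
            elif vtype == "ip-netmask":
                # Normalises the address and rejects junk such as 203.0.113.256/24.
                value = str(ipaddress.ip_interface(value))
            result[host][name] = value
    return result
```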
119. Close Notepad++.
120. Select Panorama > Templates. Highlight the ConfigFW template stack without
opening it.
121. Import the predefined variables_ConfigFW.csv file by clicking X Variable CSV >
Import:
129. Click the Manage… link for the Mgt Settings template to see the $NTP_Server
variable and its value of pool.ntp.org:
You can see the source Template for each variable along with the Type and default Value.
137. Click Close.
138. To see how Panorama applies the variables along with their values in the template stack,
click the View link in the row for ConfigFW:
139. This table displays details about the variables and the value for each one when they are
applied to specific firewalls in the ConfigFW template stack:
144. Ensure that the Merge with Device Candidate Config and Include Device and
Network Templates are checked.
This image shows the security zones and interface assignments for both firewall-a and firewall-b.
This image shows the virtual router for firewall-a and firewall-b.
157. Click the entry for VR and select the tab for Static Routes.
158. Verify that the entry for Default Route has been pushed down to both firewalls:
This image shows the Default Route entry for firewall-a and firewall-b.
13. Close the Task Manager window when the Status is Completed.
Share Unused Address and Service Objects with Devices instructs Panorama to push down
Address and Service objects that you define to firewalls, even if those objects are not currently
used on the target firewall.
Enabling Objects defined in ancestors will take higher precedence reverses the inheritance
order of Device Groups.
18. Click OK.
Notice that the Policies and Objects tabs now appear in the web interface.
23. Select the line listing NorthAm without opening it, and then click Add.
Items you create in the NorthAm device group will be inherited in the Chicago device group.
NorthAm and Chicago also will inherit any elements you create in the Shared group.
When you work with device groups, always make certain you have selected the correct one
from the Device Group drop-down list before creating a new entry.
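To make the inheritance rules above concrete, here is an added example (not Panorama code) that models the Shared > NorthAm > Chicago hierarchy used in this lab and resolves an object name from a given group, both with the default order (nearest definition wins) and with Objects defined in ancestors will take higher precedence enabled; it also lists which names a group shows with the green gear. DomCntlr at 1.1.1.1 comes from the lab; the other object names and values are constructed.

```python
# Device-group hierarchy from the lab: Shared is the root, NorthAm is its
# child, Chicago is a child of NorthAm.
PARENT = {"Shared": None, "NorthAm": "Shared", "Chicago": "NorthAm"}

# Constructed object definitions per device group. DomCntlr is the lab's
# NorthAm object; Proxy-Srv is constructed and defined in both NorthAm and
# Chicago with different values so the precedence setting makes a visible
# difference.
OBJECTS = {
    "Shared":  {"DNS-Server": "192.0.2.53"},
    "NorthAm": {"DomCntlr": "1.1.1.1", "Proxy-Srv": "198.51.100.21"},
    "Chicago": {"Proxy-Srv": "198.51.100.22"},
}


def ancestry(group):
    """Return [group, parent, ..., Shared]."""
    chain = []
    while group is not None:
        chain.append(group)
        group = PARENT[group]
    return chain


def resolve(group, name, ancestors_take_precedence=False):
    """Return (value, defining_group) for an object name as seen from `group`.

    Default: the nearest definition wins (Chicago overrides NorthAm, which
    overrides Shared). With "Objects defined in ancestors will take higher
    precedence" the search order is reversed, so the outermost definition wins.
    """
    order = ancestry(group)
    if ancestors_take_precedence:
        order = list(reversed(order))
    for g in order:
        if name in OBJECTS.get(g, {}):
            return OBJECTS[g][name], g
    raise KeyError(f"{name} is not visible from {group}")


def inherited(group):
    """Names `group` shows with the green gear: defined only in an ancestor."""
    own = OBJECTS.get(group, {})
    names = set()
    for g in ancestry(group)[1:]:
        names.update(n for n in OBJECTS.get(g, {}) if n not in own)
    return sorted(names)
```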
31. Click Add, and then create a new Address object:
• Name: DomCntlr
• Type: IP Netmask
• IP Address: 1.1.1.1
• Leave the other settings unchanged
• Click OK.
32. Select the device group Chicago in the Device Group drop-down list near the top of the
window:
36. When you select Chicago, the DomCntlr and the External-FTP are listed:
Also notice the green gear icon next to the entry for DomCntlr when you are looking at the
Chicago device group. This icon indicates that the object was inherited from an ancestor group –
in this case, from the NorthAm group.
Note that this is not the standard TCP port for FTP. We are defining an alternative port for the
service – you can perform this action if you intend to run a server application on a non-standard
port. We are illustrating definition of new services as part of Device Groups.
40. Select Chicago from the Device Group drop-down list.
47. Select the device group Chicago from the Device Group drop-down list near the top of
the window:
Note that the Threat Names you see as the top four items in this profile may differ from the
screenshot shown. We are setting exemptions to a few of the signatures in this profile only as a
part of this lab exercise so the specific threats you select are not important.
56. The Business-Hours schedule still is listed along with a green gear icon indicating that
the schedule has been inherited from an ancestor.
57. Click the link for the Business-Hours schedule to open it.
58. Notice that the heading for this schedule indicates Read Only:
72. Check the Force Template Values check box at the bottom:
73. Click Yes on the Force Template Values warning message.
74. On the Templates tab, ensure that the boxes for firewall-a and firewall-b are checked.
75. Click OK.
76. Click Push to start the process.
77. Wait until the Commit All jobs are complete.
78. Click Close.
79. Examine firewall-a and firewall-b to observe the results.
General tab
Source tab
Destination tab
Application tab
• Service: application-default
Actions tab
• Antivirus: AV-Alert-All
• Schedule: Business-Hours
84. Click OK.
86. In the Panorama web interface, select Policies > Security > Pre Rules.
87. Click Add and enter the following values:
Parameter Value
General tab
Source tab
Destination tab
Application tab
• Applications: ftp
Actions tab
• Antivirus: AV-Alert-All
• Schedule: Business-Hours
88. Click OK.
General tab
Source tab
Destination tab
Application tab
• Applications: tftp
Actions tab
• Antivirus: AV-Alert-All
• Vulnerability Protection: IDS-Alert-All
• Schedule: Business-Hours
92. Click OK.
93. Toggle back to the NorthAm device group and notice that you have two rules defined
here: Allow Web and Outbound FTP:
Note that your rule display table may look different from this example. You can add or remove
columns and rearrange them to suit your preferences as the example illustrates.
94. From the Device Group drop-down list, select the Chicago group.
95. Notice that you have the Allow Web and Outbound FTP rules inherited from the
NorthAm group (the green gear indicates inheritance) and the Outbound TFTP rule
(which exists only in the Chicago group):
General tab
• Name: FWASourceNAT
• Destination Zone: Select Untrust-L3; select the Any check box in the Destination Address and the Source Address
• Interface: ethernet1/1
• IP Type: IP
Target tab
General tab
• Name: FWBSourceNAT
• Destination Zone: Select Untrust-L3; select the Any check box in the Destination Address and the Source Address
• Interface: ethernet1/1
• IP Type: IP
Target tab
Panorama set the variable for $Firewall_Interface_Outside to 203.0.113.20/24 for this firewall.
144. On firewall-b, select Policies > NAT.
145. Verify that the FWBSourceNAT policy rule was created properly on firewall-b. It shows
the IP address of 203.0.113.25/24 under Source Translation:
Panorama set the variable for $Firewall_Interface_Outside to 203.0.113.25/24 for this firewall.
8. On the Device Groups tab, ensure that all groups are selected.
9. Check the Force Template Values check box at the bottom:
14. If you click one of the top two entries for Commit All in the Task Manager window, you
can see the details of the commit task.
15. Click Close on the Task Manager.
Parameter Value
• Type: active-directory
• Base DN: DC=lab,DC=local
• Bind DN: lab-user-id@lab.local
• Password: Pal0Alt0
• Confirm Password: Pal0Alt0
• Require SSL/TLS secured connection: Deselect the check box
Authentication tab
Advanced tab
Authentication tab
Advanced tab
Parameter Value
• Name: Intern
Note: When you use external authentication (like RADIUS in this configuration), you do not need
to provide the password for student08 because Panorama will rely on the RADIUS Server to
validate the password.
60. Log in to the Panorama appliance using the student08 account that you just created.
Enter Password1! for the password.
61. Close the Welcome window if one appears.
62. Note that you see only three tabs based on the settings for the Intern Admin Role Profile:
63. Check the System log to verify that the student08 account was authenticated against the
LDAP profile.
64. Select the Monitor tab.
65. From the Device Group drop-down list at the top of the window, select All.
66. Select Logs > System.
67. In the filter field, enter ( subtype eq auth ) and press Enter.
68. You can see an auth-success event along with the details for student08:
76. Log out of student07 by clicking the Logout hyperlink in the bottom left of the web
interface.
77. Log in again with admin as the username and password.
108. You will see only the following tabs in the web interface: Dashboard, ACC, Monitor,
and Panorama:
This limitation is because you defined Access Domain-A with only firewall-a.
110. Change the Access Domain to Domain-B by clicking the drop-down list to the right of
Domain-A, and selecting Domain-B:
This Access Domain provides limited access for student08. Notice that the Panorama tab and
other tabs are missing:
111. Select the Context drop-down in the upper left corner of the window and note that you
can choose to switch only between Panorama and firewall-b:
This limitation is because you defined Access Domain-B with only firewall-b.
112. Log out of student08, and then log back in with admin as the username and password.
131. In the Locks window, click the Take Lock button in the bottom-left corner.
132. Change the Type to Config.
133. Leave the Location drop-down list set to All Configuration, but click the arrow for
the field to see that you can select different aspects of the configuration to lock:
150. The Locks window shows you who has taken the lock, when they took it, and any
comments they have entered:
Note that a Superuser can remove a lock that someone else has put in place; however, this
practice somewhat defeats the purpose of locking a configuration. A better operating procedure
160. Click the Lock icon and note that there are no longer any Locks in place.
If you take a Configuration or Commit Lock and commit your changes, Panorama automatically
releases the lock and removes the entry from the Lock window.
161. Log out of Panorama and log back in with the admin/admin account.
8. On the Device Groups tab, ensure that all groups are selected.
9. Check the Force Template Values check box at the bottom:
14. If you click the Commit All link in the window shown in the screenshot, you will see the
details of the commit task. Click Close on the Task Manager.
17. Modify the Traffic quota to 30 and the Threat quota to 13 to allow us to meet our
retention requirements and to add a small buffer.
26. In the Log Forwarding Profile Match List, enter Traffic Log Event Forwarding
for the Name.
27. Ensure that the Log Type is set to traffic and that the Filter shows All Logs.
28. Check the Panorama/Logging Service check box.
29. Click OK.
30. While you are still in the Log Forwarding Profile window, click Add again to create
another Log Forwarding Profile Match List.
31. For Name, enter Threat Log Event Forwarding.
32. Under Log Type, select threat and leave the Filter set to All Logs.
33. Check the Panorama/Logging Service check box.
34. Click OK.
35. Verify your configuration:
39. Click Add to create a new Security policy rule. Configure the following values:
Parameter Value
General tab
• Name: Allow All
Source tab
• Source Zone: Trust-L3
Destination tab
• Destination Zone: Untrust-L3
Application tab
52. Under System, click Add to create a new Log Settings-System entry.
53. Name the entry Alert Operations.
54. Under the Filter section, click the down-arrow, and then select Filter Builder:
57. Before you click OK, click the View Filtered Logs tab, which allows you to preview the
query:
Note that what you see in the View Filtered Logs tab may be different from the example shown.
58. Click OK.
81. After a few minutes, you should see that traffic is being generated:
82. Allow this script to run and generate traffic through firewall-a.
83. While you wait, generate traffic through firewall-b in the next section.
94. Return to Panorama and navigate to Monitor > Logs > Traffic.
95. Filter the Traffic log to show only firewall-a traffic by clicking firewall-a in the Device
Name column (scroll to the far right of the display to locate the column).
96. Click the Apply Filter icon at the top of the screen. Verify that traffic is being
forwarded to Panorama from firewall-a:
97. Modify the filter to firewall-b. Note: The fastest way to change the filter is to edit the
existing filter by replacing the firewall-a value with firewall-b.
98. Click in the query section to apply the updated filter and verify that traffic is being
forwarded to Panorama from firewall-b:
Note that the Threat log entries you see will differ from the examples shown above.
Stop. This is the end of the Log Collection and Forwarding lab.
5. to Panorama.
6. In the Panorama web interface, select Commit > Push to Devices.
7. Select Edit Selections:
8. On the Device Groups tab, ensure that all groups are selected.
9. Check the Force Template Values check box at the bottom:
14. If you click the Commit All link in the window shown in the screenshot, you will see the
details of the commit task. Click Close on the Task Manager.
16. Click the Dashboard tab, and then click the drop-down arrow.
17. From the drop-down list, enable all Application, System, and Log widgets.
18. Now arrange the various widgets on the Dashboard by dragging and dropping them to
suit your needs.
Note: This view is specific to your login. Other administrators can arrange the Dashboard to fit
their individual needs. Widgets automatically will update during the next summary database
refresh.
18. Review the information displayed on the Dashboard to discover any areas of concern
(High Risk Applications, Threat Logs, etc.).
Notice that the default Dashboard view is set to All Device Groups, which aggregates data from
all connected firewalls.
19. Click the Device Group drop-down arrow, and then toggle between the NorthAm and
Chicago groups:
20. As you toggle between the two device groups, notice how the Dashboard refreshes to
display only data from firewalls in the respective group.
Remember, the Dashboard displays summary data for the last 60 minutes.
28. Notice that several high-risk applications are flowing through the firewalls:
31. Panorama switches the view to Monitor > Logs > Traffic:
Notice that Panorama automatically builds a filter for the Traffic log based on the filter from the
ACC. The filter includes the date/time range, Risk Level 5, and application of BitTorrent.
32. Toggle between the NorthAm and Chicago device groups using the Device Group drop-down arrow directly above the query.
33. Notice that the BitTorrent traffic seems to be a problem with the NorthAm devices. No
BitTorrent traffic is observed originating from the Chicago devices.
34. To stop this high-risk traffic through the Danger-VWire zone in the NorthAm firewall,
you now will create a policy to block the peer-to-peer traffic including BitTorrent.
35. Click Policies > Security > Pre Rules.
36. Select the NorthAm device group from the drop-down list:
37. Click the Add button at the bottom of the pane to create a policy.
38. Use the following values:
Parameter Value
General tab
• Name: Deny Peer-Peer
• Applications: bittorrent, gnutella
Service/URL Category tab
• Service: any
Actions tab
• Action Setting: Deny
• Log Setting: Log at Session End
• Log Forwarding: Analyst-Alerts
39. Click OK.
40. Highlight the newly created Deny Peer-Peer rule, and then drag it to the top so that your
security pre-rules for the NorthAm group match the following screenshot:
Note that some of the default columns have been hidden or moved in this example image.
41. Click the Commit option in the upper-right corner, and then select Commit to
Panorama.
42. When the Commit to Panorama window appears, click Commit.
Parameter Value
• Name: High Risk Apps
• Description: Risk 4 and 5 Applications
• Database: Traffic (under Remote Device Data toward the top of the list)
• Scheduled: Leave this unchecked for now
• Time Frame: Last 24 Hrs
• Sort By: Sessions, Top 25
• Group By: Application, 25 Groups
• Query Builder: Enter the following information: (risk-of-app eq 4) or (risk-of-app eq 5)
The Filter Builder link allows you to structure queries based on various factors. As you become
familiar with the process of creating filters, you can enter the syntax manually as we have shown
here.
54. Before you click OK, preview the report by clicking the Run Now button at the top of
the custom report screen.
63. Continue to explore the various charts and graphs found in the Monitor > App Scope
section, including the Threat Monitor, Threat Map, Network Monitor, and Traffic
Map. All these views are designed to help you to determine if any rules and/or policies
should be modified.
68. Click the pencil icon on the Threat Activity tab to edit the widget:
69. Move the Applications Using Non Standard Ports and the Rules Allowing Apps On
Non Standard Ports widgets from the bottom toward the top:
This security rule generally is not recommended because it presents a potential security threat.
Next you will modify the rule that allows the applications to run on non-standard ports.
80. Navigate to Policies > Security > Pre Rules.
81. Ensure that the NorthAm device group is selected in the drop-down list at the top:
11. When you check Force Template Values, click Yes on the warning box.
12. Under the Device Group tab, make certain the boxes for firewall-a and firewall-b are
checked.
13. Select the Templates tab.
14. Make certain that the boxes for firewall-a and firewall-b are checked.
15. Click OK and then click Push.
16. Click Close on the Task Manager window.
17. In the bottom-right corner of Panorama, click the Tasks button:
30. If you click directly on the entry for VR, Panorama automatically will navigate you to
Network > Virtual Router and narrow the scope of your available virtual routers to the
one that is misconfigured. In this case, it is the virtual router named VR.
31. Ensure that FWBSettings is selected in the Template drop-down list.
Before you commit and push, you must fix the misconfigured IP address of the Panorama
Settings on firewall-a, otherwise the next time you push to firewall-a, you will lose connectivity
again.
58. As you did earlier, use the global Find tool in Panorama to quickly locate the
misconfiguration.
59. Click the button in the upper-right corner of the web interface.
60. Enter 192.186.1.252, and then press Enter on your keyboard.
61. Expand Panorama Settings by clicking the +.
Notice that the setting is in the FWASettings template under the panorama-server settings:
62. Click panorama-server entry and Panorama will navigate you automatically to Device >
Setup > Management.
63. Verify that FWASettings is selected in the Template drop-down list:
64. Also make certain that firewall-a is selected from the Device drop-down list:
73. When you check the box for Force Template Values, click Yes on the warning box.
74. Under the Device Group tab, verify that the box for firewall-b is checked.
75. Select the Templates tab.
76. Verify that the boxes for both firewalls are checked.
77. Click OK and then click Push.
78. Monitor the status of the commit. Notice that multiple commit jobs are running. To
monitor the status of each task, click the Commit All hyperlink for each job to verify
success.
Note: The commit jobs should succeed with warnings indicating potential issues with Security
policy rules.
83. Because the firewalls are forwarding Traffic logs to Panorama, you can quickly
determine that a rule named BlockBad is blocking all traffic:
84. Click the button in the upper-right corner of the web interface. Enter BlockBad,
and then press Enter on your keyboard.
Expand Security Rules by clicking the +.
Notice that the setting is in the Shared device group.
85. Click BlockBad to automatically navigate to Policies > Security > Pre Rules.
86. Verify that Shared is selected in the Device Group drop-down list:
91. Select any from the drop-down list (just above the Destination Zone).
92. Click OK.
93. Click the Commit option in the upper-right corner, and then select Commit to
Panorama.
94. After the Commit to Panorama window appears, click Commit.
95. Monitor the status of the commit. When the commit has completed, click Close.
96. Click the Commit option again in the upper-right corner, and then select Push to
Devices.
97. Select Edit Selections in the resulting window.
98. Under the Device Groups tab, check the check boxes for firewall-a and firewall-b.
99. Click OK.
Since we have only modified a security rule in a Device Group, we do not need to use the Force
Template Values option.
100. Click Push in the next window.
101. When the commit process is completed, click Close.
103. Test internet connectivity by opening additional tabs in the Chrome browser and
navigating to various sites.
Also notice in the lower-right corner of the screen that there is an option to change the time
frame of the information being displayed.
112. The Actions section in the navigation pane at the left enables you to change the time
frame of the data being displayed. You also can click the Show Average drop-down
arrow to overlay average values onto the view. Explore these two options before moving
to the next step.
113. Click the Interfaces tab to get detailed information about interfaces, including any errors
or drops that might be occurring:
114. Examine the details of an interface that might be of interest by clicking its name.
Remember to use the drop-down options in the Actions section to adjust the time period.
116. Click the Resources tab to examine the resource use of the firewall.
117. Scroll down and note the various graphs available.
These widgets help you to troubleshoot a firewall that might be experiencing performance
issues.
118. Close the Device: firewall-a display window.
127. Check the check box Select Device Groups & Templates.
128. The following window appears: