
Palo Alto Networks

Panorama 9.0
Managing Firewalls at Scale

Lab Guide
PAN-OS® 9.0
EDU-120
Courseware Version A

Palo Alto Networks Technical Education


Palo Alto Networks, Inc.
https://www.paloaltonetworks.com
© 2007-2019 Palo Alto Networks, Inc.
Palo Alto Networks, PAN-OS, and WildFire are registered trademarks of Palo Alto Networks,
Inc. All other marks mentioned herein may be trademarks of their respective companies.

© 2019 Palo Alto Networks, Inc. Page 2


Table of Contents
Table of Contents ............................................................................................................................ 3
Typographical Conventions ............................................................................................................ 7
How to Use This Lab Guide ........................................................................................................... 8
Lab Guide Objectives ..................................................................................................................... 9
Lab 1 Scenario: Initial Configuration ........................................................................................... 10
Lab 1 Solution: Initial Configuration ............................................................................................ 12
1.0 Connect to the Class Desktop.............................................................................................. 12
1.1 Connect to the Panorama Appliance and Each of Your Student Firewalls ......................... 12
1.2 Navigate the Panorama Web Interface ................................................................................ 12
1.3 Load the Initial Lab Configuration...................................................................................... 13
1.4 Configure Panorama Interfaces ........................................................................................... 13
1.5 Configure Panorama Services ............................................................................................. 14
1.6 Configure General Settings ................................................................................................. 15
1.7 Commit Changes to Panorama ............................................................................................ 16
1.8 Configure a Scheduled Config Export ................................................................................ 17
Lab 2 Scenario: Adding Managed Firewalls to Panorama ........................................................... 21
Lab 2 Solution: Adding Managed Firewalls to Panorama ............................................................ 22
2.0 Connect firewall-a to Panorama .......................................................................................... 22
2.1 Connect firewall-b to Panorama .......................................................................................... 23
2.2 Load the Panorama Configuration and Add Firewalls ........................................................ 23
2.3 Verify Firewall Licenses in Panorama ................................................................................ 27
Lab 3 Scenario: Templates............................................................................................................ 29
Lab 3 Solution: Templates ............................................................................................................ 32
3.0 Load Lab Configurations .................................................................................................... 32
3.1 Create a Management Settings Template ............................................................................ 32
3.2 Configure the Management Settings Template ................................................................... 33
3.3 Create a Server Profiles Template ....................................................................................... 35
3.4 Create a Template Stack ...................................................................................................... 38



3.5 Commit ................................................................................................................................ 38
3.6 Confirm the Configuration Changes ................................................................................... 41
3.7 Create a Network Template................................................................................................. 43
3.8 Create Interface Management Profiles ................................................................................ 43
3.9 Configure the Zones ............................................................................................................ 44
3.10 Configure the Interfaces for the Firewalls ......................................................................... 46
3.11 Create a Virtual Router...................................................................................................... 49
3.12 Rename the Template Stack .............................................................................................. 50
3.13 Commit to Panorama ......................................................................................................... 51
3.14 Provide Device-Specific Values for firewall-a and firewall-b .......................................... 51
3.15 Commit to Panorama and Push to Devices ....................................................................... 56
3.16 Confirm the Configuration Changes ................................................................................. 57
Lab 4 Scenario: Device Groups .................................................................................................... 60
Lab 4 Solution: Device Groups..................................................................................................... 64
4.0 Load Lab Configurations .................................................................................................... 64
4.1 Configure Objects Setting ................................................................................................... 64
4.2 Create a Device Group for the Firewalls ............................................................................. 65
4.3 Configure an Address Object .............................................................................................. 66
4.4 Configure a Service Object ................................................................................................. 67
4.5 Create Security Profiles ....................................................................................................... 68
4.6 Configure a Schedule .......................................................................................................... 70
4.7 Commit the Configurations ................................................................................................. 72
4.8 Configure a Web-Browsing Security Policy Rule .............................................................. 73
4.9 Configure an FTP Security Policy Rule .............................................................................. 74
4.10 Configure a TFTP Security Policy Rule ........................................................................... 75
4.11 Configure the Default Security Policy Rule ...................................................................... 77
4.12 Configure a NAT Policy Rule for firewall-a ..................................................................... 78
4.13 Configure the Local NAT Policy for firewall-b ................................................................ 79
4.14 Confirm the Configuration ................................................................................................ 80
Lab 5 Scenario: User Administration ........................................................................................... 82
Lab 5 Solution: User Administration ............................................................................................ 83



5.0 Load Lab Configurations .................................................................................................... 83
5.1 Configure the LDAP Server Profile .................................................................................... 84
5.2 Configure the RADIUS Server Profile................................................................................ 85
5.3 Create an LDAP Authentication Profile.............................................................................. 86
5.4 Create a RADIUS Authentication Profile ........................................................................... 87
5.5 Create an Authentication Sequence ..................................................................................... 89
5.6 Configure an Admin Role Profile ....................................................................................... 90
5.7 Configure an Administrator Account .................................................................................. 92
5.8 Configure Another Administrator Account ......................................................................... 93
5.9 Create Access Domains ....................................................................................................... 95
5.10 Create Admin Roles .......................................................................................................... 97
5.11 Update the Administrator Account.................................................................................... 98
5.12 Demonstrate Use of the Commit Lock ............................................................................ 100
Lab 6 Scenario: Log Collection and Forwarding ........................................................................ 106
Lab 6 Solution: Log Collection and Forwarding ........................................................................ 107
6.0 Load Lab Configurations .................................................................................................. 107
6.1 Determine Available Log Storage and Adjust Values ...................................................... 108
6.2 Configure a Log Forwarding Profile to Send All Traffic and Threat Logs to Panorama . 109
6.3 Create an Allow All Rule .................................................................................................. 111
6.4 Enable Log Forwarding on Existing Security Rules ......................................................... 112
6.5 Configure System Log Forwarding ................................................................................... 113
6.6 Enable HTTPS on the Ethernet1/3 Interface ..................................................................... 115
6.7 Generate Traffic on firewall-a ........................................................................................... 116
6.8 Connect to Client B and Generate Traffic on firewall-b ................................................... 116
6.9 Confirm Traffic Generation and Log Forwarding ............................................................. 117
Lab 7 Scenario: Aggregated Monitoring and Reporting............................................................. 119
Lab 7 Solution: Aggregated Monitoring and Reporting ............................................................. 120
7.0 Load Lab Configurations .................................................................................................. 120
7.1 Review Operational Information Using the Dashboard .................................................... 121
7.2 Review Operational Information Using the ACC ............................................................. 121
7.3 Create a Custom Operational Report ................................................................................ 126



7.4 Explore App Scope............................................................................................................ 128
7.5 Identify and Respond to Threats ....................................................................................... 128
Lab 8 Scenario: Panorama Troubleshooting ............................................................................... 134
Lab 8 Solution: Panorama Troubleshooting ............................................................................... 135
8.0 Load Configuration and Push to Devices .......................................................................... 135
8.1 Troubleshoot the firewall-b Commit Failure .................................................................... 136
8.2 Troubleshoot the firewall-a Commit Issue ........................................................................ 138
8.3 Log In to firewall-a and Troubleshoot Connectivity ......................................................... 139
8.4 Troubleshoot Loss of Internet Connectivity...................................................................... 142
8.5 Review the Health of Managed Firewalls ......................................................................... 144
8.6 Configure Address Objects ............................................................................................... 146
8.7 Perform a Partial Revert of the Configuration .................................................................. 147



Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.

Convention: Bolding
Meaning: Names of selectable items in the web interface
Example: Click Security to open the Security Rule page

Convention: Consolas font
Meaning: Text that you enter, and coding examples
Example: Enter the following command: a:\setup
The show arp all command yields this output: username@hostname> show arp <output>

Convention: Click
Meaning: Click the left mouse button
Example: Click Administrators under the Device tab

Convention: Right-click
Meaning: Click the right mouse button
Example: Right-click the number of a rule you want to copy, and select Clone Rule

Convention: < > (text enclosed in angle brackets)
Meaning: Denotes a variable parameter. The actual value to use is defined in the Lab Guide document.
Example: Click Add again and select <Internal Interface>



How to Use This Lab Guide
The Lab Guide contains exercises that correspond to modules in the Student Guide. Each lab
exercise consists of a scenario and a solution.
The scenario describes the lab exercise in terms of objectives and customer requirements.
Minimal instructions are provided to encourage students to solve the problem on their own. If
appropriate, the scenario includes a diagram and information needed to complete the exercise.
The solution is designed to help students who prefer step-by-step, task-based labs.
Alternatively, students who start with the scenario can use the solution to check their work or
to provide help if they have a problem.



Lab Guide Objectives
After you have finished these labs, you should be able to complete these tasks:
• Perform an initial configuration of your Panorama appliance
• Connect your firewalls to the Panorama platform as managed devices
• Create templates and configure network and device settings
• Configure device groups and centrally manage your firewalls
• Create Panorama and device administrators
• Configure log forwarding to a Panorama appliance
• Use Panorama for aggregated reporting and monitoring
• Perform troubleshooting to resolve various issues with Panorama



Lab 1 Scenario: Initial Configuration
A third-party vendor has installed a new Panorama virtual appliance and two firewalls in your
data center. The only configuration that has been performed on these three devices is the
management IP addresses. Your company management has instructed you to take ownership
of these three devices and to perform the initial configuration of the newly installed Panorama
appliance. The network topology you will use follows:

Your instructor will provide login instructions about how to connect to the lab environment.
You will use Client A to initially connect to the Panorama appliance and to the two firewalls.
In this lab, you will perform the following tasks:
• In the lab environment, connect to Client A
• Use the Chrome browser to log in to the web interface for the Panorama appliance and
both firewalls
• Document configuration and license information of Panorama:
▪ Which version of Panorama software are you running?
▪ Is this a physical or a virtual Panorama appliance?
▪ In which System Mode is Panorama deployed?
▪ How many devices (or firewalls) can this installation of Panorama manage?
▪ When does support expire for this instance of Panorama?
• Provide an initial configuration of the Panorama appliance.
• Verify the management interface configuration:
▪ IP Address: 192.168.1.252
▪ Netmask: 255.255.255.0



▪ Default Gateway: 192.168.1.10
▪ Administrative Management Services: HTTPS and SSH
▪ Network Services: Ping and User-ID
• Verify Panorama services:
▪ Primary DNS Server: 4.2.2.2
▪ Secondary DNS Server: 8.8.8.8
▪ Primary NTP Server: pool.ntp.org
▪ Panorama Management General Settings: *** This is Panorama ***
• Perform a Config Audit on Panorama to verify your changes
• Commit your changes to the Panorama appliance
• Configure a scheduled configuration export using FTP:
▪ Use the 3CDaemon application on the Windows Desktop to configure the FTP server
(192.168.1.20)
▪ On the Panorama web interface, create a scheduled config export:
- Hostname: 192.168.1.20
- Protocol: FTP
- Username: anonymous
- Password: <No Password>



Lab 1 Solution: Initial Configuration
1.0 Connect to the Class Desktop
1. Connect to the Client A desktop using the login credentials and hostname provided by
your instructor.

1.1 Connect to the Panorama Appliance and Each of Your Student Firewalls
2. Using Chrome, connect to the web interface of the Panorama appliance and each of your
firewalls, preferably one in each tab.
Note the use of HTTPS. The lab devices still present their factory self-signed certificates, so the browser will warn about an untrusted certificate; click through the warning in this lab environment. In production, install a certificate issued by a CA your browsers trust, so that a genuine certificate warning is never something administrators are used to ignoring.

• Panorama: https://192.168.1.252. Username: admin Password: admin


• firewall-a: https://192.168.1.254. Username: admin Password: admin
• firewall-b: https://192.168.1.253. Username: admin Password: admin
To save time, you can create a bookmark for each of these hosts in the browser so you can more
easily select between them throughout the labs.

1.2 Navigate the Panorama Web Interface


3. Panorama initially will display only four tabs: Dashboard, ACC, Monitor, and
Panorama.
4. Explore these tabs to get familiar with the Panorama interface.
5. Click the Dashboard tab, and then review the information located in the General
Information section. Write the answers to the following questions in the space provided:
a. Which version of Panorama software are you running? _________
b. Is this a physical or virtual Panorama appliance? _________
c. In which System Mode is Panorama deployed? _________
6. Navigate to the Panorama tab. Locate the navigation tree on the left side of the screen.
Notice the small gray circle to the right of several options.
Hover the cursor over a circle to display specific information about the configuration.
7. Navigate to Panorama > Licenses.
a. How many devices can this installation of Panorama manage? __________
8. Navigate to Panorama > Support.
a. When does support expire for this instance of Panorama? _____________



1.3 Load the Initial Lab Configuration
9. Click Panorama > Setup > Operations.
10. Click Load named Panorama configuration snapshot:

11. Click the drop-down arrow next to the Name field, select edu-220-panorama-9-Start-lab-01, and then click OK.
12. Click Close on the Loading Configuration message.
13. Click Commit in the upper-right corner, and then select Commit to Panorama.
14. When the Commit to Panorama window appears, click Commit in the bottom-right
corner of the window.
15. Monitor the status of the commit process. When the commit has completed, click Close.

1.4 Configure Panorama Interfaces


16. Select Panorama > Setup > Interfaces.
Note: Because this Panorama appliance was installed in Legacy mode, only a single interface is
available for all Panorama services.
17. Click the Management entry under the column titled Interface Name. The following
window opens:

18. Verify the entries for the Management Interface Settings.



Note: Device Management Services contains two grayed-out options. To leverage additional
interfaces, you should deploy Panorama in non-Legacy (Panorama) mode. Because this is a lab
environment, we will leave this deployment in Legacy mode.
19. To allow Panorama to redistribute user mapping, check the User-ID check box.
20. Click OK.

1.5 Configure Panorama Services


21. Navigate to Panorama > Setup > Services, and then click the gear icon, which
allows you to edit the services settings.
22. Confirm that Panorama already has been configured with the correct Update Server and
DNS settings shown in the following screenshot:

23. Click the NTP tab, and then enter pool.ntp.org in the NTP Server Address field for
the Primary NTP Server:



24. Leave the Secondary NTP Server blank and leave the Authentication Type set to None
for both values.
25. Click OK.

1.6 Configure General Settings


26. Navigate to Panorama > Setup > Management, and then click the gear icon in the
upper-right corner of the General Settings section, which allows you to edit the general
settings:

27. In the Login Banner field, enter: *** This is Panorama ***
Notice that the Serial Number field already is populated. (Your instructor provided the numbers
prior to the class.)
28. Leave the remaining settings unchanged, and then click OK to save them.



1.7 Commit Changes to Panorama
29. Navigate to Panorama > Config Audit.
30. Notice at the bottom of the screen that the default is to compare the Running config with
the Candidate config. Click Go:

31. Notice that the changes you made to the candidate configuration are listed on the right
under the section for Candidate Configuration.
Changes displayed in the Config Audit section are color coded:
▪ Green indicates items in the configuration that have been added.
▪ Red indicates items that have been deleted.
▪ Yellow indicates that an existing item has been modified.
Because we have only added items to the configuration, you will not see any yellow or red entries.
To the right of each change are the name of the admin who made the change, the date, and the
timestamp:

32. Click the Commit option in the upper-right corner, and then select Commit to
Panorama.
33. When the Commit to Panorama window appears, click Commit.
34. Monitor the status of the commit. When the commit has completed, click Close.



1.8 Configure a Scheduled Config Export

35. On the Client A Windows desktop, locate and then double-click the icon to start
the 3CDaemon application.
This is a useful tool that provides FTP, TFTP, and Syslog services on the Client A host. We will use
this tool several times throughout the labs.
36. Click the FTP Server tab on the left side of the application.
37. Click the Configure FTP Server option.
38. Change the User Directory to C:\Users\lab-user\Desktop\lab\ and click OK.
39. Then check all check boxes in the This user can: section:

40. Click OK, and then click Yes in the 3CDaemon window to save your changes.
41. Click OK on the Profile saved message.
42. Notice that the FTP server now is listening for new requests on IP address 192.168.1.20,
Port 21.



43. Do not close the 3CDaemon application; just minimize the window.
44. Return to the Panorama web interface, and then select the Dashboard tab.
45. Look in the General Information section and note the current Panorama time. You will
schedule the FTP config export for 10 minutes from this time. For example, if the current
time shows 21:15:00, schedule the export for 21:25:00.
46. Navigate to Panorama > Scheduled Config Export, and then click the Add button at
the bottom of the screen.
47. Complete the configuration using the following values:

Parameter: Value
Name: DailyExport
Enable: Ensure that the check box is checked
Scheduled Export Start Time (Daily): Enter a value that is 10 minutes ahead of local Panorama time. (In this example, enter 21:25:00.)
Protocol: FTP
Hostname: 192.168.1.20
Port: 21
Path: Leave this field blank
Username: anonymous
Password: Leave this field blank
Confirm Password: Leave this field blank
Enable FTP Passive Mode: Leave this unchecked
48. Verify that your configuration matches the following screenshot. (Note that the Start
Time should contain a value +10 minutes from the local Panorama time.)



49. Click OK.
50. Click the Commit option in the upper-right corner, and then select Commit to
Panorama.
51. When the Commit to Panorama window appears, click Commit.
52. Monitor the status of the commit. When the commit has completed, click Close.
53. Check your 3CDaemon FTP server after the time you scheduled the export to ensure that
the export succeeded:

54. Use Windows File Explorer to navigate to C:\Users\lab-user\Desktop\lab\ to see the Panorama_yyyynnnn.tgz file that was exported.
This compressed tar file contains the Panorama configuration file. If you want to see what the file contains, you can use the 7-Zip application to decompress this tar file and view its contents.
Note that this archive is the complete Panorama configuration, including administrator password hashes and any other secrets stored in the configuration, and that anonymous FTP transfers it unauthenticated and in cleartext. That is acceptable only in this isolated lab. For a production export, use the SCP protocol option of Scheduled Config Export with a dedicated account, and restrict who can read the destination directory.
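The exported archive is the whole Panorama configuration, and in this lab it left the appliance over anonymous, unencrypted FTP. The Python script below is an added example, not part of the lab or of Panorama, that shows why that matters: it opens such an archive without extracting it, refuses member names that would escape the extraction directory, and reports which XML elements carry administrator password hashes. The archive layout (XML configuration files inside a .tgz, a member named running-config.xml) and the element names it looks for (phash, pre-shared-key, secret) follow PAN-OS conventions but are assumptions here; the sample archive is constructed in memory and its hash values are made up.

```python
import io
import tarfile
import xml.etree.ElementTree as ET

# Element names whose presence marks a config file as credential-bearing.
# Assumption: these follow PAN-OS naming (phash = administrator password hash).
SENSITIVE_TAGS = {"phash", "pre-shared-key", "secret"}

# Constructed sample config, modelled on the mgt-config section of a PAN-OS
# XML configuration. The hash values are made up.
SAMPLE_CONFIG = b"""<?xml version="1.0"?>
<config version="9.0.0">
  <mgt-config>
    <users>
      <entry name="admin"><phash>$1$sample$notarealhash</phash></entry>
      <entry name="auditor"><phash>$1$sample$alsonotreal</phash></entry>
    </users>
  </mgt-config>
</config>
"""


def build_sample_archive():
    """Build an in-memory .tgz shaped like a scheduled config export (assumed layout)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("Panorama_20190101/running-config.xml")
        info.size = len(SAMPLE_CONFIG)
        tar.addfile(info, io.BytesIO(SAMPLE_CONFIG))
    return buf.getvalue()


def is_safe_member(name):
    """True unless the member name would write outside the extraction directory."""
    parts = name.replace("\\", "/").split("/")
    return not (name.startswith(("/", "\\")) or ".." in parts)


def inspect_export(data):
    """Map each XML member of the archive to its credential-bearing elements.

    Returns {member name: [(tag, owning entry name)]}; members whose names
    fail is_safe_member are listed under the key "skipped" and never opened.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not is_safe_member(member.name):
                findings.setdefault("skipped", []).append((member.name, "unsafe path"))
                continue
            if not member.isfile() or not member.name.endswith(".xml"):
                continue
            root = ET.parse(tar.extractfile(member)).getroot()
            hits = []
            for parent in root.iter():
                for child in parent:
                    if child.tag in SENSITIVE_TAGS:
                        # Report the owning <entry name="..."> rather than the hash value.
                        hits.append((child.tag, parent.get("name", parent.tag)))
            findings[member.name] = hits
    return findings


if __name__ == "__main__":
    for member, hits in inspect_export(build_sample_archive()).items():
        print(member)
        for tag, owner in hits:
            print(f"  {tag} on {owner}")
```

Run against a real export, read the file from the FTP directory and pass its bytes to inspect_export; every account it lists is one whose password hash is now sitting on the FTP host.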



Stop. This is the end of the Initial Configuration lab.



Lab 2 Scenario: Adding Managed Firewalls to Panorama
The two new firewalls have been deployed as unmanaged devices. Connectivity has been
verified to all devices, and you have been tasked to fully manage the new firewalls using
Panorama. You also have been instructed to ensure that external backups of configurations are
available. In this lab, you will perform the following tasks:

• Log in to the Panorama appliance and existing firewalls
• Configure both firewalls to communicate with Panorama:
▪ Provide the IP address of Panorama to each of the two firewalls
• Authorize Panorama to allow these two firewalls to connect:
▪ Import a CSV file that contains the serial number for firewall-a and for firewall-b
• Verify that the firewalls are connected to and communicating with Panorama
• Verify that the firewalls have been properly licensed



Lab 2 Solution: Adding Managed Firewalls to Panorama
2.0 Connect firewall-a to Panorama
1. Open the Chrome browser and log in to firewall-a: https://192.168.1.254.
2. Use admin for the Username and admin for the Password.
3. Access the web interface for firewall-a, and then select Device > Setup > Operations.
4. Click Load named configuration snapshot:

5. Select edu-220-FW-A-9-Start-lab-02, and then click OK.


Be careful to select the appropriate file. Configuration files for several different courses may be
listed in the drop-down list, so make certain you pick the correct one for this lab and this course.
6. Click Close on the Loading Configuration confirmation box.
7. Commit the changes to the firewall.
8. After the commit process is complete, click Close on the Commit Status box.
9. Select Device > Setup > Management, and then click the gear icon in the Panorama
Settings section, which allows you to edit these settings.
10. In the Panorama Servers field, enter 192.168.1.252:

Leave the other settings unchanged.


11. Click OK.
12. Commit these changes to the firewall.
13. When the Commit window appears, click Commit.
14. When the commit status is complete, click Close.



2.1 Connect firewall-b to Panorama
15. Open a new tab in the Chrome browser and log in to firewall-b:
https://192.168.1.253.
16. Use admin for the Username and admin for the Password.
17. Select Device > Setup > Operations.
18. Click Load named configuration snapshot:

19. Select edu-220-FW-B-9-Start-lab-02, and then click OK.


Be careful to select the appropriate file for this lab.
20. Click Close.
21. Commit the changes to the firewall.
22. After the commit process is complete, click Close on the Commit Status dialog box.
23. Select Device > Setup > Management, and then click the gear icon in the Panorama
Settings section, which allows you to edit these settings.
24. In the Panorama Servers field, enter 192.168.1.252:

Leave the other settings unchanged.


25. Click OK.
26. Commit these changes to the firewall.
27. When the Commit window appears, click Commit.
28. When the commit status is complete, click Close.

2.2 Load the Panorama Configuration and Add Firewalls


29. Return to the Panorama web interface, and then select Panorama > Setup > Operations.
30. Click Load named Panorama configuration snapshot:



31. In the drop-down list for the name, select edu-220-panorama-9-Start-lab-02, and then
click OK.
32. Click Close on the Loading Configuration box.
33. Click Commit > Commit to Panorama.
34. Click Commit in the resulting window and then click Close when the commit status is
complete.
35. Select Panorama > Managed Devices > Summary.
36. Click the Add button in the bottom-left corner of the window.
37. In the Add Device window, click the Import button in the bottom-left corner:

The Import button allows you to add multiple firewalls to Panorama by importing a predefined
CSV file with the serial numbers of firewalls in your environment. You also can add devices by
copying the serial number from the Dashboard on the firewall and pasting it into this window. In
this lab, we will use the CSV import process.
38. In the Device Association window that opens, click the link for Download Sample CSV
so you can see the format for the file to import.



39. The file sample.csv will be saved in the Downloads folder of the Windows host.
40. Leave the Device Association window open.
41. Locate the sample.csv file in the Downloads folder of the Windows host and open it
using Notepad++.
Notepad++ formats new line entries correctly and makes working with this CSV file easier
than working with simple Notepad.

The first line in this sample file contains the column descriptors. The next two lines are examples
of how to create entries to import.
The example lines show that not only can you import a firewall, but you also can place it in an
existing device group and into an existing template. The file also includes values for a Log
Collector Group and a specific Log Collector. We will discuss Log Collectors and Log Collector
Groups later in this course.
The final column, auto-push-on-first-connect, is set to either true or false. This value tells
Panorama to automatically push configuration changes to the firewall when the device first
connects to Panorama.
42. In Notepad++, select File > Open and locate the lab folder on the Desktop.
43. Open the firewall-import.csv file.



This is a preconfigured file you will import that contains the serial numbers for firewall-a and
firewall-b.

44. Note that the file does not contain text for device-group, template, collector-group, or
log-collector, but there still are commas that represent each of those columns.
Because no device groups or any other Panorama elements are set up yet, we are leaving these
items blank in this CSV file.
45. Close Notepad++.
46. In the Device Association window, click the Browse button in the upper right corner.

47. Open the Desktop\lab folder and select the firewall-import.csv file and click Open.
48. Panorama will import the file and display the serial number for both firewalls.

49. Click OK to close the Device Association window.
50. The Managed Devices > Summary window now displays both firewalls listed by serial
number.
Both firewalls will have a Device State of Disconnected until they connect to Panorama. You can
periodically click the refresh button in the upper right corner of the window until the Device
State of both firewalls changes to Connected.
51. Click the Commit option in the upper-right corner, and then select Commit to
Panorama.
52. When the Commit to Panorama window appears, click Commit.
53. Monitor the status of the commit. When the commit status is complete, click Close.
54. In the Panorama > Managed Devices > Summary window, periodically click the
refresh icon in the upper-right corner of the window, and after a few minutes verify
that the managed devices are Connected to Panorama:

You have now successfully added firewall-a and firewall-b to Panorama.
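The following Python script is an added example; it is not part of this lab guide or of Panorama's own tooling. It builds a device-association CSV in the layout described above and pre-validates it before you browse to it in the Device Association window: every row must have the same number of columns as the header (blank fields still need their commas, as in firewall-import.csv), serial numbers must be present and unique, auto-push-on-first-connect must be true or false, and any device group or template named in a row must already exist on Panorama, which is why the lab file leaves those columns blank. The column names and their order are taken from the text of this section and are an assumption; confirm them against the file you get from Download Sample CSV. The serial numbers are constructed placeholders.

```python
# Added example: build and pre-validate a Panorama device-association CSV.
import csv
import io

# Column layout assumed from the lab text; confirm against "Download Sample CSV".
COLUMNS = ["serial", "device-group", "template", "collector-group",
           "log-collector", "auto-push-on-first-connect"]

# Constructed serial numbers standing in for firewall-a and firewall-b.
LAB_DEVICES = [
    {"serial": "000000000001"},
    {"serial": "000000000002", "auto-push-on-first-connect": True},
]


def build_csv(devices):
    """devices: list of dicts keyed by COLUMNS names; only 'serial' is required."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for dev in devices:
        row = {col: str(dev.get(col, "") or "") for col in COLUMNS}
        # Emit the literal "true"/"false" the sample file uses, whatever the caller passed.
        flag = dev.get("auto-push-on-first-connect", False)
        row["auto-push-on-first-connect"] = "true" if str(flag).lower() == "true" else "false"
        writer.writerow(row)
    return buf.getvalue()


def validate(csv_text, device_groups=(), templates=()):
    """Return a list of (line, message) problems; an empty list means the file is import-ready.

    device_groups / templates: names that already exist on Panorama. A row may only
    reference those, because Panorama cannot place a firewall in something that is not there.
    """
    problems = []
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, None)
    if header != COLUMNS:
        return [(1, f"unexpected header {header!r}")]
    seen = set()
    for lineno, row in enumerate(reader, start=2):
        if not any(field.strip() for field in row):
            continue  # tolerate a trailing empty line
        if len(row) != len(COLUMNS):
            # Blank fields must still be delimited, as in the lab's firewall-import.csv.
            problems.append((lineno, f"expected {len(COLUMNS)} columns, found {len(row)}"))
            continue
        rec = {col: val.strip() for col, val in zip(COLUMNS, row)}
        serial = rec["serial"]
        if not serial.isalnum():
            problems.append((lineno, "serial is missing or not alphanumeric"))
        elif serial in seen:
            problems.append((lineno, f"duplicate serial {serial}"))
        seen.add(serial)
        if rec["auto-push-on-first-connect"].lower() not in ("true", "false"):
            problems.append((lineno, "auto-push-on-first-connect must be true or false"))
        if rec["device-group"] and rec["device-group"] not in device_groups:
            problems.append((lineno, f"device group {rec['device-group']!r} does not exist on Panorama"))
        if rec["template"] and rec["template"] not in templates:
            problems.append((lineno, f"template {rec['template']!r} does not exist on Panorama"))
        if rec["log-collector"] and not rec["collector-group"]:
            # Assumption: a Log Collector is always referenced through its Collector Group.
            problems.append((lineno, "log-collector given without a collector-group"))
    return problems


if __name__ == "__main__":
    text = build_csv(LAB_DEVICES)
    print(text)
    print("problems:", validate(text))
```

Run the validator against the CSV you intend to import and fix every reported line first; Panorama's own import dialog reports far less about why a row was rejected.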

2.3 Verify Firewall Licenses in Panorama


55. Navigate to Panorama > Device Deployment > Licenses.
56. Here you can verify the license state of firewalls:

Note that the columns include details about the licensed features for each firewall and when
each license expires.

Stop. This is the end of the Adding Managed Firewalls to Panorama lab.

Lab 3 Scenario: Templates
The firewalls managed by Panorama contain several common settings. Rather than configure
these common settings separately on each firewall, you want to define them in Panorama
templates. You then can push a template stack to the firewalls and apply the common settings
across both devices.
As a part of the template deployment process, you also will use variables to define interface IP
addresses for both firewalls.
The parameters that will be used to complete this lab follow. Here are the main steps to
complete this lab exercise:
1. Create a template for management settings called Mgt Settings to include these values:
• Login banner: *** Authorized Access Only ***
• Change the header color of the firewalls to red.
• Domain: lab.local
• Logging syslog HOSTNAME format: ipv4-address
• SNMP Location and Contact: Santa Clara, CA; John Doe
• Use X-Forwarded-For Header in User-ID
• WildFire: Report Benign Files and Report Grayware Files
• For the NTP Server Address field, create a new template variable $NTP_Server and
assign the value pool.ntp.org to it.
2. Create a second template called Servers, and then create a template variable $Service_IP
for the IP address of 1.1.1.1. Assign this template variable to the following:
• SNMP: $Service_IP
• SyslogSrv: $Service_IP
3. Create a template stack called BaseDevice and assign the templates Mgt Settings and
Servers to it. Assign this template stack to the firewalls firewall-a and firewall-b. Commit
to Panorama and push the changes to the devices. Verify the changes on the firewalls.
4. Create a third template called InterfaceFW for Network settings.
5. Create Interface Management Profiles:
• allow-mgt: Include HTTPS, SSH, Ping, SNMP, and Response Pages
• allow-ping: Include Ping
6. Create Layer 3 zones:
• Trust-L3
• Untrust-L3
7. Configure interfaces for the firewalls:
• ethernet1/1 (for the zone Untrust-L3)
• ethernet1/2 (for the zone Trust-L3)
8. Create template variables $Firewall_Interface_Inside and $Firewall_Interface_Outside.
Import a CSV file that will apply firewall-specific values to each interface on each
firewall as follows:
• $Firewall_Interface_Inside: 192.168.1.1/24 (for firewall-a)
• $Firewall_Interface_Outside: 203.0.113.20/24 (for firewall-a)
• $Firewall_Interface_Inside: 192.168.1.5/24 (for firewall-b)
• $Firewall_Interface_Outside: 203.0.113.25/24 (for firewall-b)
9. Configure a virtual router with these values:
• Name: VR
• Default route 203.0.113.1
10. Configure the interface values as follows:
• External interface:
▪ ethernet1/1
▪ Untrust-L3
▪ Interface Mgmt: allow-ping
▪ Virtual Router: VR
• Internal interface:
▪ ethernet1/2
▪ Trust-L3
▪ Interface Mgmt: allow-mgt
▪ Virtual Router: VR
11. After the three templates are created, you will rename the template stack BaseDevice to
ConfigFW and add the template InterfaceFW to it.
The template stack ConfigFW will be applied to your firewalls. You will commit to Panorama, push
to the devices, and then verify that the template settings are applied to both firewalls.
The following diagrams are included here for ease of reference. They show the template
configuration for this lab, among other information.

Lab 3 Solution: Templates
3.0 Load Lab Configurations
1. In the Panorama web interface, select Panorama > Setup > Operations.
2. Click Load named Panorama configuration snapshot:

3. Select edu-220-panorama-9-Start-lab-03, and then click OK.


4. Click Close in the Loading Configuration window.
5. Click Commit, and then click Commit to Panorama.
6. Click Commit in the resulting window.
7. When the commit process is complete, click Close in the Commit Status window.

3.1 Create a Management Settings Template


In this section, you will create the first of several templates. This template will contain general
settings such as a Login Banner to be applied to both firewalls.
8. Select Panorama > Templates.
9. In the bottom-left corner of the window, click Add. The Template window opens.
10. In the Name field, enter Mgt Settings:

11. Click OK. Notice that the Network tab and Device tab now appear:

3.2 Configure the Management Settings Template
12. In Panorama, select the new tab under the TEMPLATES heading for Device and then
select Setup.
13. Select the Management tab:
a. Click the gear icon to edit General Settings, and then enter the following values:
• Domain: lab.local
• Login Banner: *** Authorized Access Only ***
• Leave the remaining settings unchanged.
• Click OK.
b. Below the General Settings section, click the gear icon to edit Authentication
Settings, and then enter (or select) the following values:
• Idle Timeout: 0 (never)
Note: This value is a helpful setting for the lab exercise but is not recommended in a
production environment.
• Failed Attempts: 3
• Leave the remaining settings unchanged.
• Click OK.
c. In the right column of the Management settings, locate and edit Banners and
Messages, and then enter (or select) the following values:
• Type the following text in the Header Banner box: This is a firewall
• Click the drop-down list next to Header Color.
• Choose Red (or whichever color you prefer) to differentiate your firewall web
interface from the Panorama web interface.
• Leave the remaining settings unchanged.
• Click OK.
14. Scroll down in the Management window and edit Logging and Reporting Settings, and
then enter (or select) the following values:

• Select the Log Export and Reporting tab.
• Change the Syslog HOSTNAME Format to ipv4-address.
• Leave the remaining settings unchanged.
• Click OK.
15. Under Device > Setup, select the Operations tab:
a. Click SNMP Setup:
• Physical Location: Santa Clara, CA
• Contact: John Doe
• Leave the remaining settings unchanged.
• Click OK.
16. Under Device > Setup, select the Services tab:
a. Modify the Services configuration by clicking the gear icon.
b. Click the NTP tab. In the NTP Server Address field, click the drop-down list:

c. Click New X Variable to create a template variable.


d. Enter $NTP_Server as the Name and FQDN for the Type field.
e. Enter pool.ntp.org in the field adjacent to the Type field:

We are creating a new template variable called $NTP_Server and setting a default value for it of
pool.ntp.org. The value for NTP Server automatically will be populated with the default value of
pool.ntp.org wherever this template is used (in any template stack, for example).
However, because this is a variable, we can replace the value in multiple firewalls easily by
importing a file that provides different values for this variable.
We will use variables in several other places later in this lab.

f. Click OK to close the Variable window.
g. Click OK to close the Services window.
17. Under Device > Setup, select the Content-ID tab:
a. Open the X-Forwarded-For Headers section:
• Check the Use X-Forwarded-For Header in User-ID check box.
• Click OK.
18. Under Device > Setup, select the WildFire tab:
a. Edit the General Settings panel:
• Check the Report Benign Files check box.
• Check the Report Grayware Files check box.
• Leave the remaining settings unchanged.
• Click OK.
19. Click the Commit option in the upper-right corner, and then select Commit to
Panorama.
20. When the Commit to Panorama window appears, click Commit.
21. Monitor the status of the commit. When the commit status is complete, click Close.

3.3 Create a Server Profiles Template


In this section, you will create another template that contains settings for hosts such as an SNMP
trap receiver and a syslog server.
22. Select Panorama > Templates.
23. Click Add.
24. Create a template named Servers.
25. Click OK.
26. Select Device > Server Profiles > SNMP Trap.
27. Ensure that the Servers template is selected from the drop-down list:

When you have multiple templates in Panorama, always make certain to select the correct one
from the drop-down list at the top of the interface before creating new elements. In this case,
we will add a new SNMP server to the Servers template.

a. Click Add to configure a new SNMP Trap Server Profile:


• Name: SNMPRcv
• Location: Shared
• Version: V2c
b. Within the SNMPRcv profile, click Add to add an SNMP trap server entry:
• Name: DC
c. Click inside the SNMP Manager field. Now click New X Variable:

d. Enter the following values for the X Variable:


• Name: $Service_IP
• Type: IP Netmask
• Value: 1.1.1.1
e. Verify that your configuration looks like the following screenshot and then click OK:

f. Enter the following value for Community: public.
Note: SNMP V2c with the community string public is used here only for the lab. The community
string is the only authentication V2c has and it is sent in cleartext, so in a production
environment use SNMPv3 with authentication and privacy, and never a default community string.


g. Verify that your configuration matches the following screenshot and then click OK:

28. Select Device > Server Profiles > Syslog:
a. Click Add:
• Name: SyslogSrv
• Keep the Location as Shared.
b. Click Add:
• Name: Syslog
• Syslog Server: $Service_IP
• Leave the remaining settings unchanged.
c. Verify that your configuration matches the following screenshot and then click OK:

29. Click the Commit option in the upper-right corner, and then select Commit to
Panorama.
30. When the Commit to Panorama window appears, click Commit.

31. Monitor the status of the commit. When the commit status is complete, click Close.

3.4 Create a Template Stack


In this section, you will create a template stack, add templates to it, and then assign firewalls to
the stack.
32. Select Panorama > Templates.
33. Click Add Stack at the bottom of the pane and enter (or select) the following values:
a. Name: BaseDevice
b. In the Templates window, click Add to add the Mgt Settings and Servers templates
to the stack.
c. Check the box next to firewall-a and next to firewall-b.
34. Verify that your configuration matches the following screenshot and then click OK:

35. Verify that the template stack is listed, with both firewalls in the Devices column:

3.5 Commit
36. Select Commit:
a. Select Commit to Panorama.
b. Click the Commit button. Wait until the commit status is complete and then click
Close.

37. Select Commit > Push to Devices, and then select the Edit Selections button in the
lower left of the screen:

38. Ensure that the Merge with Device Candidate Config and Include Device and
Network Templates are checked.

39. Check the box for Force Template Values.


Panorama presents a warning dialog box about the effects of enabling the force template
option.

The warning is a reminder that when you force template values from Panorama to one or more
firewalls, the push overwrites any locally configured Network and Device settings on the target
firewalls that override the template values. We will consistently enable Force Template Values
throughout these labs, but in a production environment, you should make certain that you do not
overwrite local Network or Device settings on firewalls unless you intend to do so.
40. Click Yes.
41. Select the Templates tab.
42. Ensure that the check box for BaseDevice is checked:

43. Click OK and then click Push.
44. In the Task Manager for the Commit All task, wait until the status shows as completed.
(To see the details of the commit task, click the link for Commit All.)
45. Click Close.
46. Click Panorama > Templates. All templates and template stacks display.
47. Highlight the entry for the BaseDevice template stack, and then click Manage… in the
Variables column:

The following screen appears:

Notice the template variable $Service_IP, which is defined within the Servers template. Its value
is 1.1.1.1 and its type is IP Netmask. Similarly, the template variable $NTP_Server has a value
pool.ntp.org and its type is FQDN. These are the default values assigned to the template
variables, and they can be overridden.
48. Click Close.

3.6 Confirm the Configuration Changes


49. In Panorama, select the Panorama tab.
50. Navigate to Managed Devices > Summary.
51. Both firewall-a and firewall-b now show that the commit succeeded and the Template
column shows as In sync:

Note that the columns in this table have been rearranged to fit in this image. You will need to
scroll to the right in order to locate the Template column or the commit succeeded message.
52. Select the Browser tab for firewall-a.
53. Use the Logout link in the bottom-left corner of the browser window.
54. Log back in to the firewall using admin and admin for the Username and Password.
You immediately can tell that the firewall has a red banner around the frame of the browser.
Setting the banner color is a useful way to distinguish a firewall interface from the Panorama
interface.
55. On firewall-a, select the Device > Setup > Management tab, click the gear icon, and
confirm that the configuration changes have been pushed to the firewall. You might need
to refresh the web interface.
Notice the green gear icon next to the configurations that have been pushed from the
Panorama appliance. Examine the General Settings pane of the web interface to verify
configuration items pushed from Panorama, as shown in the following image:

You can tell which elements specifically have been pushed down from Panorama to the firewall
because those fields are yellow. You can change a Template element pushed down from
Panorama by clicking the small green gear first. After you make the change, the single green
icon changes to an overlapping pair of gears – one green and one yellow.
56. Click OK to close the General Settings window.
57. Under Device > Setup > Management, confirm that the banner, authentication settings,
and logging and reporting settings have changed.
All these changes were pushed to the firewall by Panorama.
58. Under Device > Setup > Management > General Settings, hover your mouse over one
of the green gear icons. The name of the template containing that configuration appears:

59. Select Device > Server Profiles > SNMP Trap, and confirm that the SNMPRcv server
has been added.

60. Select Device > Server Profiles > Syslog and confirm that the SyslogSrv server has been
added.
61. Select Device > Setup > Services.
62. Open Services.
63. Select the NTP tab and ensure that the NTP Server Address is pool.ntp.org.
64. Click OK to close the Services window.
65. Repeat the steps in this section (starting with step 52) for firewall-b to verify that the
settings have been pushed down from Panorama.

3.7 Create a Network Template


This template will contain elements related to the network settings for the firewalls: Interface
settings, Security Zones, Virtual Routers, and other network-related items.
66. In the Panorama web interface, select Panorama > Templates.
67. Click Add to create a template named InterfaceFW, and then click OK:

3.8 Create Interface Management Profiles


68. Select Network > Network Profiles > Interface Mgmt.
69. Select InterfaceFW from the Template drop-down list near the top of the window:

We want to make certain that we create these settings in the correct template. Always check
the drop-down list for Template to make certain you have selected the appropriate one.
70. Click Add:
• Name: allow-mgt
• Check the HTTPS, SSH, Ping, SNMP, and Response Pages check boxes.
• Click OK.
71. Click Add:
• Name: allow-ping
• Select Ping.
• Click OK.
72. When you finish creating these Interface Management Profiles, your Interface Mgmt list
should look like the following:

Interface Management Profiles define which services a firewall data interface will respond to. After
you define a profile, you can assign it to a specific firewall interface (ethernet1/1 or ethernet1/2,
for example) to allow that interface to respond to certain types of network traffic (ping, for
example). Because a profile that includes HTTPS, SSH, or SNMP exposes firewall management on
that interface, bind such profiles only to interfaces in trusted zones; an interface that faces an
untrusted network should at most answer ping, as allow-ping does in this lab.

3.9 Configure the Zones


73. Ensure that the template selected from the drop-down list is InterfaceFW. Select
Network > Zones.
74. Add a zone:
• Name: Trust-L3
• Type: Layer3
• Check the Enable User Identification check box:
• Leave the remaining settings unchanged.
• Click OK.
75. Add another zone:
• Name: Untrust-L3
• Type: Layer3
• Leave the remaining settings unchanged.
• Click OK.
76. After you have completed this process, you should have two zones defined in the
InterfaceFW template:

Note that zone names are case-sensitive: Trust-L3 and trust-L3 are two different entries. Be
consistent and exact when you create zone names in your firewalls and in Panorama so that you
do not run into problems later as you build up your configurations.

3.10 Configure the Interfaces for the Firewalls


77. Ensure that the Template selected from the drop-down list is InterfaceFW.
78. Select Network > Interfaces, and then go to the Ethernet tab.
79. Click Add Interface:
• Slot: Slot 1
• Interface Name: ethernet1/2
• Interface Type: Layer3
• Security Zone: Trust-L3

Note: A best practice is to add an appropriate comment in the Comment field of the dialog box.
80. Click the IPv4 tab.
81. Click Add under the IP section. The following window appears:

82. Click the New X Variable. The following window appears:

83. Now you will create a template variable and assign a default value to the template
variable. In the Name field, enter $Firewall_Interface_Inside.
84. Enter 2.2.2.2/24 in the blank field to the right of the Type field. (This is the default
value for the template variable $Firewall_Interface_Inside.)

85. Verify that the window you are working on matches the preceding screen, and then click
OK.
86. Click the Advanced tab and locate the section for Other Info.
87. For Management Profile, select allow-mgt:

88. Click OK.
89. The following Warning dialog box appears:

Recall that the allow-mgt interface profile contains ping, SSH, HTTPS, SNMP, and Response
Pages. Because this interface (ethernet1/2) is attached to the internal network Security Zone
(Trust-L3), we can access the firewall itself using these different services.
90. Click Yes.
91. Click Add Interface:
• Slot: Slot 1
• Interface Name: ethernet1/1
• Interface Type: Layer3
• Security Zone: Untrust-L3
92. Select the IPv4 tab, click Add under the IP section, and then click New X Variable.
93. Enter $Firewall_Interface_Outside in the Name field.
94. Enter 1.1.1.1/24 in the blank field to the right of the Type field.
This will be the default value for the template variable $Firewall_Interface_Outside.
95. Click OK.
96. Click the Advanced tab, and then select the tab for Other Info.
97. For Management Profile, select allow-ping.
98. Click OK and verify that your settings match the following screenshot:

You will have Panorama apply IP addresses to ethernet1/1 and ethernet1/2 later in this lab by
importing and referencing a variable file that contains specific values to replace
$Firewall_Interface_Outside and $Firewall_Interface_Inside.
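Because an Interface Management Profile decides which services a data interface answers, the bindings you just made (allow-mgt on the Trust-L3 interface, allow-ping on the Untrust-L3 interface) are worth checking before they are pushed. The Python script below is an added example, not part of the lab guide or of Panorama. It audits a configuration of the shape built in sections 3.8 through 3.10, expressed as plain Python dictionaries (a constructed stand-in for the template, not a Panorama export format), and reports any management service reachable on an interface in an untrusted zone, any profile that allows cleartext HTTP or Telnet, and any interface that references a zone name differing from a defined zone only in case, the mistake the note in section 3.9 warns about. Zone and profile names are the lab's; the service keywords and the choice of which zones count as trusted are assumptions.

```python
# Added example: audit Interface Management Profile bindings before pushing a template.
# The dictionaries below are a constructed stand-in for the lab's InterfaceFW template.

CLEARTEXT_MGMT = {"http", "telnet"}
MANAGEMENT_SERVICES = {"https", "ssh", "snmp"} | CLEARTEXT_MGMT
TRUSTED_ZONES = {"Trust-L3"}  # assumption: only the inside zone may reach management services


def lab_config(outside_profile="allow-ping", inside_zone="Trust-L3"):
    """Return the InterfaceFW template as built in the lab; the parameters let you break it on purpose."""
    return {
        "zones": ["Trust-L3", "Untrust-L3"],
        "profiles": {
            "allow-mgt": ["https", "ssh", "ping", "snmp", "response-pages"],
            "allow-ping": ["ping"],
        },
        "interfaces": {
            "ethernet1/1": {"zone": "Untrust-L3", "mgmt_profile": outside_profile},
            "ethernet1/2": {"zone": inside_zone, "mgmt_profile": "allow-mgt"},
        },
    }


def audit(config, trusted_zones=TRUSTED_ZONES):
    """Return a list of (interface, finding) tuples; an empty list means nothing to fix."""
    findings = []
    zones = set(config["zones"])
    by_lower = {z.lower(): z for z in zones}
    for ifname, iface in config["interfaces"].items():
        zone = iface["zone"]
        if zone not in zones:
            # Zone names are case-sensitive: "trust-L3" silently becomes a different, undefined zone.
            hint = by_lower.get(zone.lower())
            msg = (f"zone {zone!r} is not defined; did you mean {hint!r}? (zone names are case-sensitive)"
                   if hint else f"zone {zone!r} is not defined in the template")
            findings.append((ifname, msg))
            continue
        profile = iface.get("mgmt_profile")
        if not profile:
            continue  # no profile bound: the interface answers no management services at all
        services = set(config["profiles"][profile])
        cleartext = sorted(services & CLEARTEXT_MGMT)
        if cleartext:
            findings.append((ifname, f"profile {profile} permits cleartext management: {', '.join(cleartext)}"))
        exposed = sorted(services & MANAGEMENT_SERVICES)
        if exposed and zone not in trusted_zones:
            findings.append((ifname, f"profile {profile} exposes {', '.join(exposed)} on untrusted zone {zone}"))
    return findings


if __name__ == "__main__":
    print("lab as built:", audit(lab_config()))
    for iface, finding in audit(lab_config(outside_profile="allow-mgt", inside_zone="trust-L3")):
        print(f"{iface}: {finding}")
```

The lab configuration audits clean; swapping allow-mgt onto ethernet1/1 or mistyping the inside zone as trust-L3 each produces a finding, which is exactly what the firewall's own warning dialog in step 89 does not tell you.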

3.11 Create a Virtual Router


A firewall that works with Layer 3 interfaces requires a virtual router. In this section, you will
add a virtual router to your InterfaceFW template.
99. Ensure that the template selected from the drop-down list is InterfaceFW.
100. Select Network > Virtual Routers. The Virtual Router window opens.
101. Click Add:
• Name: VR
• In the Interfaces section, add ethernet1/1 and ethernet1/2, which you created
earlier.

102. Select the Static Routes tab:


103. Click Add:
• Name: Default Route
• For Interface, select ethernet1/1.
• In the Destination field, enter 0.0.0.0/0.
• In the Next Hop field, select IP Address, and then enter 203.0.113.1 in the next
field.

104. Leave the remaining settings unchanged.
105. Click OK to close the Static Route window.
106. The Static Routes tab of the Virtual Router window should match the following:

Note: Both firewalls are in the same subnets, so only a single virtual router is necessary.
107. Click OK to close the Virtual Router window.
108. Click Commit > Commit to Panorama.
109. Click Commit in the resulting window and then click Close in the next window when
the commit status is complete.

3.12 Rename the Template Stack


Instead of having you create a completely new template stack, this section will show you how to
reuse the template stack (BaseDevice) that you created earlier. You also could accomplish this
same process by cloning the BaseDevice template stack and making modifications to the clone.
110. Select Panorama > Templates.
111. Open the BaseDevice template stack, and then change the name to ConfigFW.

112. Click Add in the Templates section and select the InterfaceFW template to be added to
the ConfigFW stack.
113. Ensure that the check boxes for firewall-a and firewall-b are checked:

114. Click OK.

3.13 Commit to Panorama


115. Click Commit > Commit to Panorama.
116. Click Commit in the resulting window and then click Close in the next window when
the commit status is complete.

3.14 Provide Device-Specific Values for firewall-a and firewall-b


Now you need to assign device-specific IP addresses to the firewalls by giving the template
variables device-specific values. Instead of defining specific values in the templates themselves,
you used variables for the interfaces ($Firewall_Interface_Inside and
$Firewall_Interface_Outside). When you defined the variables, you assigned each one a
default value. You now need to override those defaults with values specific to each firewall.
In this section, you will override the default values by importing a predefined CSV file that
contains the appropriate interface IP addresses for firewall-a and firewall-b.

117. Open the Desktop > lab folder on the Windows lab workstation and examine the
variables_ConfigFW.csv file to see how it is constructed.
118. Open variables_ConfigFW.csv with Notepad++:

This example illustrates how you would build a CSV file to apply specific values to variables that
you create inside templates:
▪ The first row of the file contains the field names including the hostname and serial number
of the managed firewalls that will use the template stack in Panorama.
▪ Each subsequent row lists a variable, the type of variable, and then specific values for each
firewall.
▪ The term #inherited indicates that no device-specific value is supplied for that variable, so the
firewall keeps the default defined in the template (or template stack) that contains it.
Because most people use a spreadsheet application to create CSV files, an example follows of
what the variables_ConfigFW.csv looks like when you open it in Excel:

During the lab, you will import the variables_ConfigFW.csv file, and Panorama will apply the
device-specific values for firewall-a and firewall-b to the interface variables.
119. Close Notepad++.
120. Select Panorama > Templates. Highlight the ConfigFW template stack without
opening it.
121. Import the predefined variables_ConfigFW.csv file by clicking X Variable CSV >
Import:

122. The following dialog box appears:

123. Click the Browse… link.


124. Click Desktop, double-click the lab folder, and then select the file
variables_ConfigFW.csv.
125. Click Open.
126. On the Import Variables screen, click OK:

127. Click OK in the confirmation message box:

128. The variables_ConfigFW.csv file allows Panorama to apply specific values to variables
in the templates. Go to Panorama > Templates to see how these variables are applied:

129. Click the Manage… link for the Mgt Settings template to see the $NTP_Server
variable and its value of pool.ntp.org:

130. Click Close.


131. Click the Manage… link for the Servers template to see the $Service_IP variable and
its value of 1.1.1.1:

132. Click Close.


133. Click the Manage… link for the InterfaceFW template to see the
$Firewall_Interface_Inside and $Firewall_Interface_Outside variables and their
default values:

These are default values you assigned when you created the variables. Think of them as
temporary placeholders because you cannot leave the value of a variable blank when you define
it.
134. Click Close.
135. Click the Manage… link for the ConfigFW template stack.
136. Because this is a template stack, Panorama has combined the variables from each
template contained in the stack:

You can see the source Template for each variable along with the Type and default Value.
137. Click Close.
138. To see how Panorama applies the variables along with their values in the template stack,
click the View link in the row for ConfigFW:

139. This table displays details about the variables and the value for each one when they are
applied to specific firewalls in the ConfigFW template stack:

▪ The Key Name column shows the name of the variables as they are defined in the
templates.
▪ The firewall-a and firewall-b columns display the individual devices and the exact values
that will be applied to those firewalls for each variable.
When this template stack is pushed down to firewall-a and firewall-b, these values will be
applied to each firewall. The use of variables along with CSV files is a helpful way to push
configurations with small per-device variations to multiple firewalls.
140. Click Close.
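As an added example, not part of the lab guide or of Panorama, the Python script below reproduces the resolution that the View table above shows. It reads a variables CSV in the layout this section describes, replaces #inherited with the default defined in the template (the $NTP_Server and $Service_IP defaults from sections 3.2 and 3.3 and the interface placeholders from section 3.10), fills in the template default for any variable the file does not mention, and type-checks every resulting value (ip-netmask must parse as an address or address/prefix, fqdn as a hostname) so that a bad override is caught before it is pushed to a firewall. The header layout (name, type, then one column per firewall labelled hostname/serial) is an assumption about the file format, and the CSV contents are constructed from the lab values with placeholder serial numbers.

```python
# Added example: resolve per-device template variable values from a variables CSV.
import csv
import io
import ipaddress
import re

INHERITED = "#inherited"
# Default values as defined in the lab's templates (sections 3.2, 3.3 and 3.10).
TEMPLATE_DEFAULTS = {
    "$NTP_Server": ("fqdn", "pool.ntp.org"),
    "$Service_IP": ("ip-netmask", "1.1.1.1"),
    "$Firewall_Interface_Inside": ("ip-netmask", "2.2.2.2/24"),
    "$Firewall_Interface_Outside": ("ip-netmask", "1.1.1.1/24"),
}
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed from the lab values; the header layout (name, type, hostname/serial ...) is an assumption.
SAMPLE_CSV = """\
name,type,firewall-a/000000000001,firewall-b/000000000002
$NTP_Server,fqdn,#inherited,#inherited
$Service_IP,ip-netmask,#inherited,#inherited
$Firewall_Interface_Inside,ip-netmask,192.168.1.1/24,192.168.1.5/24
$Firewall_Interface_Outside,ip-netmask,203.0.113.20/24,203.0.113.25/24
"""


def check_value(vtype, value):
    """Return None if value is valid for the variable type, else a message."""
    if vtype == "ip-netmask":
        try:
            ipaddress.ip_interface(value)  # accepts both 1.1.1.1 and 192.168.1.1/24
            return None
        except ValueError:
            return f"{value!r} is not an IP address or address/prefix"
    if vtype == "fqdn":
        return None if FQDN_RE.match(value) else f"{value!r} is not a valid FQDN"
    return f"unsupported variable type {vtype!r}"


def resolve_variables(csv_text, defaults=TEMPLATE_DEFAULTS):
    """Return ({hostname: {variable: effective value}}, [(line, error)])."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    hosts = [col.split("/")[0] for col in header[2:]]
    resolved = {host: {} for host in hosts}
    errors = []
    for lineno, row in enumerate(reader, start=2):
        if not any(field.strip() for field in row):
            continue
        name, vtype, values = row[0].strip(), row[1].strip().lower(), row[2:]
        if name not in defaults:
            errors.append((lineno, f"{name} is not defined in any template of the stack"))
            continue
        default_type, default_value = defaults[name]
        if vtype != default_type:
            errors.append((lineno, f"{name}: CSV type {vtype} differs from template type {default_type}"))
            continue
        for host, raw in zip(hosts, values):
            # A device-specific value overrides the template default; #inherited keeps the default.
            value = default_value if raw.strip() == INHERITED else raw.strip()
            problem = check_value(vtype, value)
            if problem:
                errors.append((lineno, f"{name} for {host}: {problem}"))
            resolved[host][name] = value
    # Variables the file does not mention keep their template default on every device.
    for host in hosts:
        for name, (_, default_value) in defaults.items():
            resolved[host].setdefault(name, default_value)
    return resolved, errors


if __name__ == "__main__":
    values, problems = resolve_variables(SAMPLE_CSV)
    for host, mapping in values.items():
        print(host, mapping)
    print("problems:", problems)
```

Running it on the sample yields the same per-device table Panorama shows under View: both firewalls inherit pool.ntp.org and 1.1.1.1, while the two interface variables carry their device-specific prefixes. A typo such as 203.0.113.300/24 is reported with the CSV line and the firewall it affects instead of surfacing later as a failed push.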

3.15 Commit to Panorama and Push to Devices


141. Click Commit > Commit to Panorama.
142. Click Commit in the resulting window and then click Close when the commit status is
complete.
143. Click Commit > Push to Devices, and then select the Edit Selections button in the
lower left of the screen:

144. Ensure that the Merge with Device Candidate Config and Include Device and
Network Templates are checked.

145. Check the box for Force Template Values.


Panorama presents a warning dialog box about the effects of enabling the force template
option.
146. Click Yes.
147. Select the tab for Templates and verify that the boxes for firewall-a and firewall-b are
checked:

148. Click OK, and then click Push.


149. In the Panorama web interface for the Commit All task, wait until the Status shows as
completed. Ignore any commit warnings you may receive.
150. Click Close.

3.16 Confirm the Configuration Changes


151. Now go to the web interface of each firewall (firewall-a and then firewall-b).
152. Log out of each device and log back in using admin as the username and password.
153. Select Network > Interfaces > Ethernet.
154. Verify that each firewall has the appropriate IP address for ethernet1/1 and ethernet1/2:

This image shows the interface IP addresses for firewall-a.

This image shows the interface IP addresses for firewall-b.


155. Select Network > Zones, and verify that the Trust-L3 and Untrust-L3 zones have the
appropriate interface assigned (both firewalls will have ethernet1/2 assigned to Trust-L3
and ethernet1/1 assigned to Untrust-L3):

This image shows the security zones and interface assignments for both firewall-a and firewall-b.

156. Select Virtual Routers and verify that ethernet1/1 and ethernet1/2 are attached to the
VR entry:

This image shows the virtual router for firewall-a and firewall-b.
157. Click the entry for VR and select the tab for Static Routes.
158. Verify that the entry for Default Route has been pushed down to both firewalls:

This image shows the Default Route entry for firewall-a and firewall-b.

Stop. This is the end of the Templates lab.

Lab 4 Scenario: Device Groups
In this lab, you will perform the following tasks:
• Create device groups
• Configure device group settings
We have identified common settings among our managed firewalls and want to capture them
in device groups.
You will create two device groups to keep policy and object configurations separated. You
will create a device group named NorthAm, and then add the first firewall, firewall-a. Next
you will create a device group called Chicago that is subordinate to the NorthAm device
group, and then add the second firewall, firewall-b.
Use the following parameters to complete this lab.
• Address object:
▪ Device Group: NorthAm
▪ Name: DomCntlr
▪ Type: IP Netmask
▪ IP Address: 1.1.1.1
• Address object:
▪ Device Group: Chicago
▪ Name: External-FTP
▪ Type: IP Netmask
▪ IP Address: 3.3.3.3
• Service object:
▪ Device Group: NorthAm
▪ Name: service-ftp
▪ Destination Port: TCP 2100
• Service object:
▪ Device Group: Chicago
▪ Name: service-tftp
▪ Destination Port: UDP 2101
• Security Profile:
▪ Device Group: NorthAm
▪ Name: AV-Alert-All
▪ Antivirus: Set Actions to “alert” on all signatures
• Security Profile:
▪ Device Group: Chicago
▪ Name: IDS-Alert-All
▪ Vulnerability Protection: Set Actions to “alert” on all signatures
• Schedule:
▪ Device Group: NorthAm / Chicago
▪ Name: Business-Hours
▪ Recurring Daily:
˗ Time Range: 1:00 a.m. to 11:00 p.m. (for the Device Group NorthAm)
˗ Time Range: 1:00 a.m. to 11:30 p.m. (for the Device Group Chicago)
The Security policy on the Panorama appliance will use the following rules:
• (Pre-Rule) Security policy:
▪ Device Group: NorthAm
▪ Name: Allow Web
▪ From Trust-L3 zone to Untrust-L3 zone
▪ Application: web-browsing, ssl, ping, dns, flash, google-base
▪ Service: application-default
▪ Action:
˗ Allow
˗ Schedule: Business-Hours
▪ Profiles:
˗ Antivirus: Alert All
˗ Vulnerability Protection: Alert All
• (Pre-Rule) Security policy:
▪ Device Group: NorthAm
▪ Name: Outbound FTP
▪ From Trust-L3 zone to Untrust-L3 zone
▪ Application: FTP
▪ Service: service-ftp
▪ Action:
˗ Allow
˗ Schedule: Business-Hours
▪ Profiles:
˗ Antivirus: AV-Alert-All
˗ Vulnerability Protection: IDS-Alert-All
• (Pre-Rule) Security policy:
▪ Device Group: Chicago
▪ Name: Outbound TFTP
▪ From Trust-L3 zone to Untrust-L3 zone
▪ Application: TFTP
▪ Service: service-tftp
▪ Action:
˗ Allow
˗ Schedule: Business-Hours
▪ Profiles:
˗ Antivirus: AV-Alert-All
˗ Vulnerability Protection: IDS-Alert-All
The source NAT policy, configured in the Panorama web interface for each firewall, will use the
following rule:
• NAT policy:
▪ Name: Student Source NAT
▪ Source Zone: Trust-L3
▪ Destination Zone: Untrust-L3
▪ Destination Interface: Select ethernet1/1
▪ Translation Type: Select Dynamic IP and Port
▪ Address Type: Select Interface Address
▪ Interface: Select ethernet1/1
▪ IP Address: 203.0.113.20 (firewall-a) or 203.0.113.25 (firewall-b)

The following diagram is included here for ease of reference:

Lab 4 Solution: Device Groups
4.0 Load Lab Configurations
1. In the Panorama web interface, select Panorama > Setup > Operations.
2. Click Load named Panorama configuration snapshot:

3. Select edu-220-panorama-9-Start-lab-04, and then click OK.


4. Click Close.
5. Commit the changes to Panorama.
6. In the Panorama web interface, select Commit > Push to Devices.
7. Select Edit Selections:

8. Check the Force Template Values check box at the bottom:

9. Click Yes on the Force Template Values warning message.


10. On the Templates tab, ensure that the boxes for firewall-a and firewall-b are checked.
11. Click OK, and then click Push to start the process of pushing to devices.
12. Monitor the tasks for commit success:

13. Close the Task Manager window when the Status is Completed.

4.1 Configure Objects Setting


14. In the Panorama web interface, select Panorama > Setup > Management.
15. Open Panorama Settings:

16. Ensure that the Share Unused Address and Service Objects with Devices check box is
checked.
17. Ensure that the Objects defined in ancestors will take higher precedence check box is
not checked.

Share Unused Address and Service Objects with Devices instructs Panorama to push the
Address and Service objects you define down to the firewalls even when no policy on the
target firewall currently uses them.
Enabling Objects defined in ancestors will take higher precedence reverses the inheritance
order of device groups: an object defined in an ancestor group wins over a descendant's
definition of the same name.
18. Click OK.

4.2 Create a Device Group for the Firewalls


19. Select Panorama > Device Groups.
20. Click Add, and then create a new device group named NorthAm.
21. Check the check box next to firewall-a.
22. Click OK:

Notice that the Policies and Objects tabs now appear in the web interface.
23. Select the line listing NorthAm without opening it, and then click Add.

24. Enter the name Chicago.
25. Select firewall-b.
26. At the bottom of the window, ensure that the Parent Device Group is set to NorthAm.
27. Click OK.
28. The device group you just created is listed as a subordinate of NorthAm:

Items you create in the NorthAm device group will be inherited in the Chicago device group.
NorthAm and Chicago also will inherit any elements you create in the Shared group.

4.3 Configure an Address Object


29. Select the Objects tab and then select Addresses.
30. Select the device group NorthAm in the Device Group drop-down list near the top of
the window:

When you work with device groups, always make certain you have selected the correct one
from the Device Group drop-down list before creating a new entry.
31. Click Add, and then create a new Address object:
• Name: DomCntlr
• Type: IP Netmask
• IP Address: 1.1.1.1
• Leave the other settings unchanged
• Click OK.
32. Select the device group Chicago in the Device Group drop-down list near the top of the
window:

33. Click Add, and then create a new Address object:

• Name: External-FTP
• Type: IP Netmask
• IP Address: 3.3.3.3
• Click OK.
34. Toggle the drop-down list for Device Group between NorthAm and Chicago.
35. Notice that when you select NorthAm in the Device Group drop-down list, only
DomCntlr is listed:

36. When you select Chicago, the DomCntlr and the External-FTP are listed:

Also notice the green gear icon next to the entry for DomCntlr when you are looking at the
Chicago device group. This icon indicates that the object was inherited from an ancestor group –
in this case, from the NorthAm group.

4.4 Configure a Service Object


37. Select Objects > Services.
38. Ensure that you have the NorthAm device group selected in the Device Group drop-
down list near the top of the window:

39. Click Add and create a new Service object:


• Name: service-ftp
• Protocol: TCP
• Destination Port: 2100

• Click OK:

Note that this is not the standard TCP port for FTP. We are defining an alternative port for the
service, which you can do when you intend to run a server application on a non-standard
port. Here we are illustrating how new services are defined within device groups.
40. Select Chicago from the Device Group drop-down list.

41. Click Add, and then create a new Service object:


• Name: service-tftp
• Protocol: UDP
• Destination Port: 2101
• Click OK.
This is another alternate service definition we are creating just for this lab environment.
42. Toggle the drop-down list for Device Group between NorthAm and Chicago to view
the objects and their inheritance in each group.

4.5 Create Security Profiles


43. Ensure that you have the NorthAm device group selected in the Device Group drop-
down list near the top of the window:

44. Select Objects > Security Profiles > Antivirus.
45. Click Add, and then create a new Antivirus Profile:
• Name: AV-Alert-All
• Select alert as the Action for all Decoders.
• Leave the other settings unchanged
46. Verify that your settings match those in the following screenshot, and then click OK:

47. Select the device group Chicago from the Device Group drop-down list near the top of
the window:

48. Select Objects > Security Profiles > Vulnerability Protection.


49. Click Add, and then create a new Vulnerability Protection Profile:
• Name: IDS-Alert-All
• Click the Exceptions tab.
• Check the Show all signatures check box.
• Click Enable for the four items at the top.
• Place your cursor in the Action column cell in the top row, and then click the arrow
that appears on the far right of the cell. A drop-down list appears.

• Select Update Action > alert.
• Leave the remaining settings unchanged.
50. Verify that your settings match those in the following screenshot, and then click OK:

Note that the Threat Names you see as the top four items in this profile may differ from the
screenshot shown. We are setting exceptions for a few signatures in this profile only as part
of this lab exercise, so the specific threats you select are not important.

4.6 Configure a Schedule


51. Select the device group NorthAm in the Device Group drop-down list near the top of
the window:

52. Select Objects > Schedules.


53. Click Add, and then create a new Schedule Profile:
• Name: Business-Hours
• Recurrence: Daily
• Click Add:
▪ Start Time: 01:00
▪ End Time: 23:00
54. Verify that your settings match those in the following screenshot, and then click OK:

55. Select Chicago as the device group:

56. The Business-Hours schedule still is listed along with a green gear icon indicating that
the schedule has been inherited from an ancestor.
57. Click the link for the Business-Hours schedule to open it.
58. Notice that the heading for this schedule indicates Read Only:

59. Click Cancel.


60. Highlight the Business-Hours schedule without opening it.
61. Click Override (located at the bottom of the window):

62. The schedule opens for editing.


63. Change the end time to 23:30.
64. Click OK.
65. Note that the icon for this schedule is now a pair of overlaid gears – yellow on top of
green, which indicates that the object was inherited from an ancestor group (green) but
overridden in the current group (yellow):

66. Switch back and forth between the Chicago and the NorthAm device groups.
Notice that the same schedule title is listed, but that the end times are different.
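The inheritance, override and precedence behaviour that sections 4.1 through 4.6 demonstrate in the web interface can be reproduced in a few lines. The following Python model is an added example for this lab guide, not code from Palo Alto Networks or from Panorama itself; the group names, object names and values are the lab's, while the status labels and the pushed_objects() rule are this example's own.

```python
"""Model of device-group object inheritance in Panorama.

Added example for sections 4.1 through 4.6 of this lab; it is not Palo Alto
Networks code. It reproduces what the lab shows: NorthAm inherits from
Shared, Chicago inherits from NorthAm, an Override in Chicago replaces the
inherited Business-Hours schedule, the "Objects defined in ancestors will
take higher precedence" setting reverses which definition wins, and "Share
Unused Address and Service Objects with Devices" decides whether unreferenced
address and service objects reach a firewall on a push.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (object kind, object name)


@dataclass
class DeviceGroup:
    name: str
    parent: Optional["DeviceGroup"] = None
    objects: Dict[Key, dict] = field(default_factory=dict)

    def ancestry(self) -> List["DeviceGroup"]:
        """This group first, then each ancestor up to Shared."""
        chain, group = [], self
        while group is not None:
            chain.append(group)
            group = group.parent
        return chain


# Hierarchy and objects from the lab (Shared holds no objects in this lab)
SHARED = DeviceGroup("Shared")
NORTHAM = DeviceGroup("NorthAm", parent=SHARED)
CHICAGO = DeviceGroup("Chicago", parent=NORTHAM)

NORTHAM.objects[("address", "DomCntlr")] = {"type": "ip-netmask", "value": "1.1.1.1"}
NORTHAM.objects[("service", "service-ftp")] = {"protocol": "tcp", "port": 2100}
NORTHAM.objects[("profile", "AV-Alert-All")] = {"antivirus": "alert"}
NORTHAM.objects[("schedule", "Business-Hours")] = {"daily": ("01:00", "23:00")}
CHICAGO.objects[("address", "External-FTP")] = {"type": "ip-netmask", "value": "3.3.3.3"}
CHICAGO.objects[("service", "service-tftp")] = {"protocol": "udp", "port": 2101}
CHICAGO.objects[("profile", "IDS-Alert-All")] = {"vulnerability": "alert"}
# Section 4.6: Override of the inherited schedule, same name, later end time
CHICAGO.objects[("schedule", "Business-Hours")] = {"daily": ("01:00", "23:30")}


def effective_objects(group: DeviceGroup, ancestors_take_precedence: bool = False):
    """Resolve what a device group sees: {key: (definition, origin, status)}.

    status is 'local' (defined here only), 'inherited' (green gear) or
    'overridden' (yellow gear over green: defined here and in an ancestor).
    By default the nearest definition wins; with the precedence setting
    enabled the topmost ancestor's definition wins instead.
    """
    chain = group.ancestry()
    resolved = {}
    for key in {k for g in chain for k in g.objects}:
        holders = [g for g in chain if key in g.objects]  # nearest first
        winner = holders[-1] if ancestors_take_precedence else holders[0]
        if len(holders) > 1:
            status = "overridden"
        else:
            status = "local" if holders[0] is group else "inherited"
        resolved[key] = (winner.objects[key], winner.name, status)
    return resolved


def pushed_objects(group: DeviceGroup, referenced: Set[Key],
                   share_unused: bool = True) -> Set[Key]:
    """Keys that reach a firewall in this group on a push. Without the
    share-unused setting, address and service objects that no policy
    references stay on Panorama; other kinds are pushed regardless here."""
    result: Set[Key] = set()
    for key in effective_objects(group):
        if share_unused or key[0] not in ("address", "service") or key in referenced:
            result.add(key)
    return result


# Objects the Chicago pre-rules in sections 4.8 to 4.10 actually reference
CHICAGO_REFERENCED: Set[Key] = {
    ("service", "service-ftp"), ("service", "service-tftp"),
    ("profile", "AV-Alert-All"), ("profile", "IDS-Alert-All"),
    ("schedule", "Business-Hours"),
}

if __name__ == "__main__":
    for key, (definition, origin, status) in sorted(effective_objects(CHICAGO).items()):
        print(f"Chicago {key[0]:8} {key[1]:15} {status:10} from {origin}: {definition}")
    print("pushed without share-unused:",
          sorted(pushed_objects(CHICAGO, CHICAGO_REFERENCED, share_unused=False)))
```

Run it and compare the Chicago listing with what the drop-down toggling in steps 34 to 36 and 66 shows: DomCntlr arrives as inherited, External-FTP is local, and Business-Hours is overridden with the 23:30 end time unless the precedence setting is turned on, in which case the NorthAm 23:00 definition wins. The pushed_objects() call shows why step 80 later finds both address objects on the firewalls only because share-unused was left enabled.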

4.7 Commit the Configurations


67. Click Commit > Commit to Panorama.
68. Click Commit in the resulting window and then click Close in the next window after the
Status shows as completed.
69. Select Commit > Push to Devices.
70. Click Edit Selections.
71. Select the tab for Device Groups and verify that the check boxes for firewall-a and
firewall-b are checked:

72. Check the Force Template Values check box at the bottom:
73. Click Yes on the Force Template Values warning message.
74. On the Templates tab, ensure that the boxes for firewall-a and firewall-b are checked.
75. Click OK.
76. Click Push to start the process.
77. Wait until the Commit All jobs are complete.
78. Click Close.
79. Examine firewall-a and firewall-b to observe the results.

80. The Address objects and Service objects that you have just created will be visible in the
web interface of each firewall because you selected Share Unused Address and Service
Objects with Devices under Panorama > Setup > Management:
• Notice that firewall-a in the NorthAm device group has only DomCntlr listed in Objects
> Addresses, but that firewall-b in the Chicago device group lists both DomCntlr and
External-FTP.
• Notice that firewall-a in NorthAm has only service-ftp available in Objects >
Services, but firewall-b in Chicago has both service-ftp and service-tftp available.
• Notice that the firewalls in NorthAm and Chicago both have the AV-Alert-All profile
available in Objects > Security Profiles > Antivirus, but only firewall-b in Chicago
has the new Vulnerability Protection profile IDS-Alert-All listed.
• Notice that each firewall shows a different end time for the Business-Hours schedule
listed in Objects > Schedules.

4.8 Configure a Web-Browsing Security Policy Rule


81. In the Panorama web interface, select Policies > Security > Pre Rules.
82. Select the NorthAm device group:

83. Click Add and enter the following values:

Parameter                 Value
General tab
Name                      Allow Web
Source tab
Source Zone               Trust-L3
Destination tab
Destination Zone          Untrust-L3
Application tab
Applications              web-browsing, ssl, ping, dns, flash, google-base
Service/URL Category tab
Service                   application-default
Actions tab
Action Setting            Allow
Profile Type              Profiles
Antivirus                 AV-Alert-All
Log Setting               Log at Session End
Schedule                  Business-Hours
84. Click OK.

4.9 Configure an FTP Security Policy Rule


85. Select NorthAm as the device group:

86. In the Panorama web interface, select Policies > Security > Pre Rules.
87. Click Add and enter the following values:

Parameter                 Value
General tab
Name                      Outbound FTP
Source tab
Source Zone               Trust-L3
Destination tab
Destination Zone          Untrust-L3
Application tab
Applications              ftp
Service/URL Category tab
Service                   Click Add. Select service-ftp.
Actions tab
Action Setting            Allow
Profile Type              Profiles
Antivirus                 AV-Alert-All
Log Setting               Log at Session End
Schedule                  Business-Hours
88. Click OK.

4.10 Configure a TFTP Security Policy Rule


89. Select Policies > Security > Pre Rules.
90. Select Chicago as the device group:

91. Click Add and enter the following values:

Parameter                 Value
General tab
Name                      Outbound TFTP
Source tab
Source Zone               Trust-L3
Destination tab
Destination Zone          Untrust-L3
Application tab
Applications              tftp
Service/URL Category tab
Service                   Click Add. Select service-tftp.
Actions tab
Action Setting            Allow
Profile Type              Profiles
Antivirus                 AV-Alert-All
Vulnerability Protection  IDS-Alert-All
Log Setting               Log at Session End
Schedule                  Business-Hours
92. Click OK.
93. Toggle back to the NorthAm device group and notice that you have two rules defined
here: Allow Web and Outbound FTP:

Note that your rule display table may look different from this example. You can add or remove
columns and rearrange them to suit your preferences as the example illustrates.
94. From the Device Group drop-down list, select the Chicago group.
95. Notice that you have the Allow Web and Outbound FTP rules inherited from the
NorthAm group (the green gear indicates inheritance) and the Outbound TFTP rule
(which exists only in the Chicago group):

4.11 Configure the Default Security Policy Rule
96. Select NorthAm as the device group:

97. Select Policies > Security > Default Rules:


• Select the interzone-default policy rule without opening it.
• Click Override.
• Select the Actions tab.
• Check the Log at Session End check box.

98. Leave the remaining settings unchanged.


99. Click OK.
100. Click Commit > Commit to Panorama.
101. Click Commit in the resulting window and then click Close when the commit Status is
completed.

102. Select Commit > Push to Devices.
103. Select Edit Selections in the resulting window.
104. Under the Device Groups tab, verify that the boxes for firewall-a and firewall-b are
checked.
105. Check the Force Template Values check box at the bottom.
106. Click Yes on the Force Template Values warning message.
107. On the Templates tab, ensure that the boxes for firewall-a and firewall-b are checked.
108. Click OK on the Push Scope Selection window.
109. Click Push in the Push to Devices window.
110. Wait until the Commit process is complete and then click Close.

4.12 Configure a NAT Policy Rule for firewall-a


111. In the Panorama web interface, select Policies > NAT > Pre Rules.
112. Ensure that the device group at the upper-left corner is NorthAm:

113. Click Add and enter the following values:

Parameter                 Value
General tab
Name                      FWASourceNAT
NAT Type                  ipv4
Original Packet tab
Source Zone               Click Add and select Trust-L3
Destination Zone          Select Untrust-L3; select the Any check box in the
                          Destination Address and the Source Address
Translated Packet tab
Source Address            Set Translation Type to Dynamic IP and Port
Translation section
Address Type              Select Interface Address
Interface                 ethernet1/1
IP Type                   IP
Field below IP Type       $Firewall_Interface_Outside
Target tab
Name                      Select firewall-a

114. Click OK.
The variable $Firewall_Interface_Outside will be resolved to 203.0.113.20/24 for firewall-a.
115. Click Commit > Commit to Panorama to save the changes in Panorama. Click
Commit in the resulting window and then click Close in the next window.
116. Click Commit > Push to Devices.
117. Click the Edit Selections button.
118. Make certain that the Merge with Device Candidate Config box and the Include
Device and Network Templates box are both checked.
119. Check the box for Force Template Values.
120. Click Yes to confirm the warning message for Force Template Values.
121. In the Device Groups tab, make certain that the boxes for firewall-a and firewall-b are
checked.
122. Under the Templates tab, check the boxes for both firewall-a and firewall-b.
123. Click OK to close the Push Scope Selection window.
124. Click Push.
125. When the Commit All status indicates Completed, click Close in the Task Manager
window.

4.13 Configure the Local NAT Policy for firewall-b


126. In the Panorama web interface, ensure that the Device Group is set to Chicago:

127. Select Policies > NAT > Pre Rules.


128. Click Add and enter the following values:

Parameter                 Value
General tab
Name                      FWBSourceNAT
NAT Type                  ipv4
Original Packet tab
Source Zone               Click Add and select Trust-L3
Destination Zone          Select Untrust-L3; select the Any check box in the
                          Destination Address and the Source Address
Translated Packet tab
Source Address            Set Translation Type to Dynamic IP and Port
Translation section
Address Type              Select Interface Address
Interface                 ethernet1/1
IP Type                   IP
Field below IP Type       $Firewall_Interface_Outside
Target tab
Name                      Select firewall-b

129. Click OK.
The variable $Firewall_Interface_Outside will be resolved to 203.0.113.25/24 for firewall-b.
130. Click Commit > Commit to Panorama to save the changes in Panorama. Click
Commit in the resulting window and then click Close in the next window.
131. Click Commit > Push to Devices.
132. Click the Edit Selections button.
133. Check the Force Template Values check box at the bottom:
134. Click Yes on the Force Template Values warning message.
135. On the Device Groups tab, make certain that firewall-b is checked.
136. On the Templates tab, ensure that the boxes for firewall-a and firewall-b are checked.
137. Click OK.
138. Click Push.
139. When the Commit All status indicates Completed, click Close in the Task Manager
window.

4.14 Confirm the Configuration


140. In the web interface of each firewall, navigate to Policies > Security.
141. You will see the Security policy rules you just created.

▪ Both firewalls will have security rules for allow web, outbound FTP, intrazone-default, and
interzone-default. These rules were pushed down to the NorthAm Device Group (which
includes the Chicago Device Group).
▪ Firewall-b has an additional security rule for outbound TFTP. This rule was pushed down
only to the Chicago device group.
142. On firewall-a, select Policies > NAT.
143. Verify that the FWASourceNAT policy rule was created properly on firewall-a: it shows
the IP address 203.0.113.20/24 under Source Translation.

Panorama set the variable for $Firewall_Interface_Outside to 203.0.113.20/24 for this firewall.
144. On firewall-b, select Policies > NAT.
145. Verify that the FWBSourceNAT policy rule was created properly on firewall-b: it shows
the IP address 203.0.113.25/24 under Source Translation:

Panorama set the variable for $Firewall_Interface_Outside to 203.0.113.25/24 for this firewall.

Stop. This is the end of the Device Groups lab.

Lab 5 Scenario: User Administration
In this lab, you will perform the following tasks:
• Configure LDAP and RADIUS server profiles
• Configure LDAP and RADIUS authentication profiles
• Configure admin roles
• Configure admin accounts
• Configure access domains
• Demonstrate the use of the commit lock
Your systems team has installed the Panorama platform in the network environment. It now is
ready for you to deploy. You will configure a local admin account and use a restricted admin
role.
You will configure an admin role called Intern with the following access rights:
• Objects tab: Disabled
• Network tab: Disabled
• No XML API access
• CLI Access: None
Then you will configure the following admin accounts with the following authentication
mechanisms and Admin Roles:
• Account: student08, Authentication: LDAP, and Admin Role: Intern
• Account: student07, Authentication: RADIUS, and Admin Role: Intern
To provide proper role-based access, you will configure two access domains and two more
admin roles. Assign two different sets of access domains and admin roles to the same
administrator, student08.
To verify your configuration, you will log in as student08, create a network zone, take the
commit lock, and then log out. Then you will log in as a different administrator, student07,
create a device group, and then attempt to commit. The commit will fail because another
administrator has obtained the commit lock.

Lab 5 Solution: User Administration
5.0 Load Lab Configurations
1. In the Panorama web interface, select Panorama > Setup > Operations.
2. Click Load named Panorama configuration snapshot:

3. Select edu-220-panorama-9-Start-lab-05, and then click OK.


4. Click Close.
5. Commit the changes to Panorama.
6. In the Panorama web interface, select Commit > Push to Devices.
7. Select Edit Selections:

8. On the Device Groups tab, ensure that all groups are selected.
9. Check the Force Template Values check box at the bottom:

10. Click Yes on the Force Template Values warning message.


11. On the Templates tab, check the check boxes for firewall-a and firewall-b.
12. Click OK, and then click Push to start the process of pushing to devices.
13. Monitor the tasks for commit success:

14. If you click one of the top two entries for Commit All in the Task Manager window, you
can see the details of the commit task.
15. Click Close on the Task Manager.

5.1 Configure the LDAP Server Profile
In this section, you create an LDAP Server Profile that will be used later to authenticate
Panorama administrators.
16. In the Panorama web interface, select Panorama > Server Profiles > LDAP.
The lab has a preconfigured LDAP server running on 192.168.1.20 (Client-A).
17. Click Add, and then configure the LDAP Server Profile using the following value:
Parameter Value
Profile Name lab-active-directory
18. Under the Server List on the left side of the window, click Add.
19. Configure the following:
Parameter Value
Name lab-server
LDAP Server 192.168.1.20
Port 389
20. Under the Server Settings on the right side of the window, configure the following.
Be sure to deselect the check box Require SSL/TLS Secured Connection.

Parameter                            Value
Type                                 active-directory
Base DN                              DC=lab,DC=local
Bind DN                              lab-user-id@lab.local
Password                             Pal0Alt0
Confirm Password                     Pal0Alt0
Require SSL/TLS Secured Connection   Deselect the check box

21. Click OK to close the LDAP Server Profile configuration window.

5.2 Configure the RADIUS Server Profile


22. In this section you configure a RADIUS Server Profile that will be used later to
authenticate Panorama administrators.
A preconfigured RADIUS server also is running on the Client-A host (192.168.1.20).
23. In the Panorama web interface, select Panorama > Server Profiles > RADIUS.
24. Click Add, and then configure the RADIUS Server Profile using the following values:
Parameter Value
Profile Name RADIUS Profile
Timeout (sec) 3
Retries 3
Authentication Protocol PAP
25. Below the Servers section, click Add.
26. Configure the following:
Parameter Value
Name lab-radius
RADIUS Server 192.168.1.20
Secret paloalto
Port 1812

27. Click OK to close the RADIUS Server Profile configuration window.

5.3 Create an LDAP Authentication Profile


28. Here you will create an LDAP Authentication Profile and include the LDAP Server
Profile you just created.
29. Select Panorama > Authentication Profile.
30. Click Add, and then create an Authentication Profile using the following values:

Parameter            Value
Authentication tab
Name                 LDAP Auth Profile
Type                 Select LDAP
Server Profile       Select lab-active-directory
Advanced tab
Allow List           Click Add and then select all


31. Verify your LDAP Authentication Profile configuration:

32. Click OK to close the Authentication Profile configuration window.

5.4 Create a RADIUS Authentication Profile


33. In this section, you will define a RADIUS Authentication Profile and include the
RADIUS Server Profile you just created.
34. Select Panorama > Authentication Profile.

35. Click Add, and then create an Authentication Profile using the following values:

Parameter            Value
Authentication tab
Name                 RADIUS Auth Profile
Type                 Select RADIUS
Server Profile       Select RADIUS Profile
Advanced tab
Allow List           Click Add and then select all


36. Verify your RADIUS Authentication Profile configuration:

37. Click OK to close the Authentication Profile configuration window.

5.5 Create an Authentication Sequence


38. Here you will create an authentication sequence.
39. Select Panorama > Authentication Sequence.
40. Click Add at the bottom of the window.
41. For Name, enter Auth Sequence.
42. Click Add, and then select the LDAP Auth Profile.
43. Click Add again and select the RADIUS Auth Profile.
44. Verify that your Authentication Sequence is as shown:

The Authentication Sequence instructs Panorama to check the LDAP Authentication Profile first
when an administrator attempts to log in to Panorama.
If Panorama cannot find the administrator credentials in LDAP (or if it cannot connect to LDAP),
the Authentication Sequence you created instructs Panorama to check RADIUS to see if the
credentials reside there.
This sequence is optional but could be useful in some situations such as a company acquisition
or merger where each company has administrator accounts stored in different locations (one in
RADIUS and the other in LDAP).
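The fallback just described can be made concrete. The following Python simulation is an added example for this lab guide, not Palo Alto Networks code: the AuthProfile class, the Outcome names and the constructed log rows are this example's own, while the profile names, account names and passwords are the lab's. The model moves on to the next profile in the sequence on any failure, which covers the two cases the text names (user not found, server unreachable).

```python
"""Simulation of the Authentication Sequence built in section 5.5.

Added example, not Palo Alto Networks code. Two stand-in backends take the
place of the LDAP Auth Profile and the RADIUS Auth Profile, and the sequence
tries them in the order the lab configured. Each attempt is recorded as a
constructed log row shaped like the ( subtype eq auth ) System log entries
checked in section 5.8, so the trace shows which profile authenticated the
administrator. Account names and passwords are the lab's; the Outcome names
are this example's own.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(Enum):
    SUCCESS = "auth-success"
    NOT_FOUND = "user-not-found"
    UNREACHABLE = "server-unreachable"
    BAD_PASSWORD = "auth-fail"


@dataclass
class AuthProfile:
    """Stand-in for an authentication profile and its server profile."""
    name: str
    users: Dict[str, str]  # constructed directory: username -> password
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Outcome:
        if not self.reachable:
            return Outcome.UNREACHABLE
        if user not in self.users:
            return Outcome.NOT_FOUND
        # constant-time comparison, as any real credential check should use
        if not hmac.compare_digest(self.users[user].encode(), password.encode()):
            return Outcome.BAD_PASSWORD
        return Outcome.SUCCESS


def authenticate_with_sequence(sequence: List[AuthProfile], user: str,
                               password: str, log: List[dict]) -> Optional[str]:
    """Try each profile in order and return the name of the one that
    succeeded, or None. Any failure (user not found, server unreachable,
    wrong password) moves on to the next profile in the sequence."""
    for profile in sequence:
        outcome = profile.authenticate(user, password)
        log.append({"subtype": "auth", "profile": profile.name,
                    "user": user, "event": outcome.value})
        if outcome is Outcome.SUCCESS:
            return profile.name
    return None


def build_sequence(ldap_reachable: bool = True) -> List[AuthProfile]:
    """The lab's sequence: LDAP Auth Profile first, RADIUS Auth Profile second.
    student08 exists only on the LDAP server, student07 only on RADIUS."""
    ldap = AuthProfile("LDAP Auth Profile", {"student08": "Password1!"}, ldap_reachable)
    radius = AuthProfile("RADIUS Auth Profile", {"student07": "Password1!"})
    return [ldap, radius]


def login(user: str, password: str,
          ldap_reachable: bool = True) -> Tuple[Optional[str], List[dict]]:
    """Run one login through the sequence; returns (winning profile, log rows)."""
    log: List[dict] = []
    winner = authenticate_with_sequence(build_sequence(ldap_reachable), user, password, log)
    return winner, log


if __name__ == "__main__":
    for account in ("student08", "student07"):
        winner, rows = login(account, "Password1!")
        print(account, "->", winner)
        for row in rows:
            print("   ", row)
    print("student08 with LDAP down ->", login("student08", "Password1!", ldap_reachable=False)[0])
```

The log rows are what a reviewer would look for: student07 produces a user-not-found row from the LDAP profile before the auth-success row from RADIUS, which is the trace steps 73 to 75 ask you to confirm in the System log. The LDAP-down case shows the limit of the sequence as configured, since student08 has no RADIUS account and the login fails outright.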
45. Click OK to close the Authentication Sequence configuration window.

5.6 Configure an Admin Role Profile


Admin Role Profiles define a set of permissions for access to Panorama configuration options.
Individual administrator accounts are assigned to a specific Admin Role Profile so that an
administrator will have the permissions applied through the Role Profile.
46. In this section, you will create an admin role profile called Intern.
You will define this role so that any administrator account assigned to it will have limited access
to the Panorama configuration but will be able to examine log files, the Dashboard and the ACC.
47. Select Panorama > Admin Roles.
48. Click Add, and then create an Admin Role Profile using the following values:

Parameter            Value
Name                 Intern
Role                 Panorama
Web UI tab           In the Web UI column (ignore the Context Switch UI in the
                     right column), set:
                     • Policies: Mark all settings disabled (red)
                     • Objects: Mark all settings disabled (red)
                     • Network: Mark all settings disabled (red)
                     • Device: Mark all settings disabled (red)
                     • Panorama: Mark all settings disabled (red)
                     • Privacy: Mark all settings disabled (red)
                     • Validate: Mark all settings disabled (red)
                     • Save: Mark all settings disabled (red)
                     • Commit: Mark all settings disabled (red)
XML API tab          Ensure that all objects are disabled (red)
Command Line tab     From the drop-down list, select None
49. Verify your settings as shown in the following screenshots:

50. Click OK to close the Admin Role Profile configuration window.

5.7 Configure an Administrator Account


In this section, you will create an administrator account called student08 and assign it to the
Intern Administrator Role Profile. Someone who logs in with the credentials for this account will
have restricted access to elements of the Panorama web interface. This account also will use the
LDAP Authentication Profile.
51. From the web interface, select Panorama > Administrators.
52. Click Add, and then create an Administrator account using the following values:
Parameter Value
Name student08
Authentication Profile LDAP Auth Profile
Administrator Type Custom Panorama Admin
Profile Select Intern

Note: When you use external authentication (LDAP in this configuration), you do not need to
provide a password for student08 because Panorama relies on the LDAP server to validate
the password.
A student08 account is preconfigured on the LDAP server in our lab environment.
53. Click OK to close the Administrator configuration window.

5.8 Configure Another Administrator Account


Here you will configure an administrator account called student07, which will use the RADIUS
Authentication Profile that you created. You also will assign student07 to the Intern
Administrator Role Profile.
54. From the web interface, select Panorama > Administrators.
55. Click Add, and then create an Administrator account using the following values:
Parameter Value
Name student07
Authentication Profile RADIUS Auth Profile
Administrator Type Custom Panorama Admin
Profile Select Intern

Note: When you use external authentication (RADIUS in this configuration), you do not need
to provide a password for student07 because Panorama relies on the RADIUS server to
validate the password.

A student07 account is preconfigured on the RADIUS server in our lab environment.
56. Click OK to close the Administrator configuration window.
57. Click Commit > Commit to Panorama.
58. Click Commit in the resulting window and then click Close when the commit status is
completed.
59. Log out of Panorama by clicking Logout in the lower-left corner of the web interface:

60. Log in to the Panorama appliance using the student08 account that you just created.
Enter Password1! for the password.
61. Close the Welcome window if one appears.
62. Note that you see only three tabs based on the settings for the Intern Admin Role Profile:

63. Check the System log to verify that the student08 account was authenticated against the
LDAP profile.
64. Select the Monitor tab.
65. From the Device Group drop-down list at the top of the window, select All.
66. Select Logs > System.
67. In the filter field, enter ( subtype eq auth ) and press Enter.
68. You can see an auth-success event along with the details for student08:

69. Log out of student08 by clicking the Logout hyperlink in the bottom left of the web
interface.
70. Log in to the Panorama appliance using the student07 account that you just created.
Enter Password1! for the password.
71. Close the Welcome window if one appears.
72. Note that this account has access only to the Dashboard, ACC, and Monitor tabs (as
defined in the Intern Admin Role Profile).
73. From the Device Group drop-down list at the top of the window, select All.
74. Select Logs > System.
75. Search the System Log again for ( subtype eq auth ) to verify that the student07
account was authenticated against the RADIUS Profile:

76. Log out of student07 by clicking the Logout hyperlink in the bottom left of the web
interface.
77. Log in again with admin as the username and password.

5.9 Create Access Domains


Access domains allow you to define different sets of permissions for an individual administrator
account. For example, admin-1 might have unlimited access to configuration settings for
firewalls in Access Domain-A but the same admin-1 might have only read-access to firewalls in
Access Domain-B.
78. Create two access domains called Domain-A and Domain-B.
79. From the web interface, select Panorama > Access Domain.
80. Click Add to create an Access Domain.
81. In the Name field, enter Domain-A.
82. Select write for the Shared Objects field.
83. Click the Device Context tab.
84. Select the check box for firewall-a:

85. Click OK.
86. Click Add to create another Access Domain.
87. In the Name field, enter Domain-B.
88. Select write for the Shared Objects field.
89. Click the Device Context tab.
90. Select the check box for firewall-b, and then click OK:

5.10 Create Admin Roles
Here you create two new Device Group and Template admin roles, and then define what each
role can do.
91. Select Panorama > Admin Roles.
92. Click Add, and then create an Admin Role using the following values:

Parameter            Value
Name                 Monitor
Description          Restricted role
Role                 Device Group and Template
Web UI tab           In the Web UI column (ignore the Context Switch UI in the
                     right column), set:
                     • Policies: Mark all settings disabled (red)
                     • Objects: Mark all settings disabled (red)
                     • Network: Mark all settings disabled (red)
                     • Device: Mark all settings disabled (red)
                     • Privacy: Mark all settings disabled (red)
                     • Commit: Mark all settings disabled (red)
                     • Tasks: Mark all settings disabled (red)
                     • Global: Mark all settings disabled (red)

93. Click OK to close the Admin Role Profile configuration window.
94. Click Add to create another Admin Role using the following values:
Parameter Value
Name No-Panorama
Description Panorama access disabled
Role Device Group and Template
Web UI tab In the Web UI column (ignore the Context Switch UI in the
right column), set:
▪ Monitor: Mark all settings disabled (red)
▪ Panorama: Mark all settings disabled (red)
▪ Privacy: Mark all settings disabled (red)
▪ Commit: Mark all settings disabled (red)
▪ Tasks: Mark all settings disabled (red)
▪ Global: Mark all settings disabled (red)
95. Click OK to close the Admin Role Profile configuration window.

5.11 Update the Administrator Account


96. Here you assign the domains to the administrator account called student08.
97. Select Panorama > Administrators.

98. Click student08 to edit this administrator account.
99. Change the Administrator Type to Device Group and Template Admin.
100. Click Add under Access Domain.
101. Provide the Access Domain and Admin Role as follows:

102. Click OK.


103. Click Commit > Commit to Panorama. Click Commit in the resulting window and
then click Close in the next window.
104. Log out of Panorama by clicking Logout in the lower-left corner.
105. Log in to the Panorama appliance using the student08 account that you just updated.
You need to provide Password1! for the password.
106. Close any message windows that appear.
107. Verify that the Access Domain for student08 is Domain-A in the field in the lower-left
corner:

108. You will see only the following tabs in the web interface: Dashboard, ACC, Monitor,
and Panorama:

109. Select the Context drop-down list in the upper-left corner of the window and note that
you can choose to switch only between Panorama and firewall-a.

This limitation is because you defined Access Domain-A with only firewall-a.
110. Change the Access Domain to Domain-B by clicking the drop-down list to the right of
Domain-A, and selecting Domain-B:

This Access Domain provides limited access for student08. Notice that the Panorama tab and
other tabs are missing:

111. Select the Context drop-down in the upper left corner of the window and note that you
can choose to switch only between Panorama and firewall-b:

This limitation is because you defined Access Domain-B with only firewall-b.
112. Log out of student08, and then log back in with admin as the username and password.

5.12 Demonstrate Use of the Commit Lock


If two administrators want to make changes to Panorama at the same time and then commit them,
Panorama queues the commits in the order it receives them. This means that Admin-1 might make
and commit changes, and Admin-2's subsequent commit might then undo those changes.

To prevent this kind of problem, administrators can employ a Configuration Lock or a Commit
Lock (or both at the same time).
In this section, you will create two new admin accounts (admin-1 and admin-2). You will log in
as admin-1, take a Config Lock, and then log out. You will log in as admin-2 and try to make a
change to see the effect a Config Lock has.
113. While logged in to Panorama as admin, select Panorama > Administrators.
114. Click Add.
115. Create a new Administrator called admin-1 with a password of paloalto.
116. Set the Administrator Type to Dynamic.
117. Set the Admin Role to Superuser.
118. Leave the Password Profile set to None.
119. Click OK.
120. Click Add again and create another new Administrator called admin-2, also with a
password of paloalto.
121. Set the Administrator Type to Dynamic.
122. Set the Admin Role to Superuser.
123. Leave the Password Profile set to None.
124. Click OK.
125. Click Commit > Commit to Panorama.
126. Click the Commit button and click Close when the commit status is completed.
127. Log out of Panorama by clicking the Logout link in the bottom-left corner of the
interface.
128. Log in with the admin-1 account. Use the password paloalto.
129. Close the Welcome window if one appears.
130. Take a Configuration Lock by clicking the padlock icon in the upper-right corner of the
window:

131. In the Locks window, click the Take Lock button in the bottom-left corner.
132. Change the Type to Config.
133. Leave the Location drop-down list set to All Configuration, but click the arrow for
the field to see that you can select different aspects of the configuration to lock:

134. For Comment, enter your initials and a short message that would let other
administrators know why you have locked the configuration:

135. Click OK on the Take lock window.


136. Click Close on the Locks window.
Notice that you do not have to commit your changes to Panorama when you take a config or
commit lock.
137. Log out of Panorama.
138. Log back in to Panorama with the admin-2 account.
139. For password, use paloalto.
140. Close the Welcome window if one appears.
141. Select Objects > Addresses.
142. From the Device Group list, select NorthAm.
143. Click Add.
144. For Name, enter DNS.
145. Leave Type set to IP Netmask and enter 4.2.2.2:

146. Click OK.
147. Note the message you receive indicating that another administrator has locked the
configuration:

148. Click Close and then Cancel.


149. Click the locked padlock icon in the upper-right corner:

150. The Locks window shows you who has taken the lock, when they took it, and any
comments they have entered:

Note that a Superuser can remove a lock that someone else has put in place; however, this
practice somewhat defeats the purpose of locking a configuration. A better operating procedure
would be to contact the admin who took the lock rather than taking it away without letting
them know.
151. Click Close.
152. Log out of Panorama.
153. Log in using admin-1 as the username and paloalto as the password.
154. Close the Welcome screen if one appears.
155. Make a slight change to the Login Banner under Panorama > Setup > Management >
General Settings by adding Unauthorized Access Prohibited:

156. Click OK.


Note that you are not blocked from making this change because you are logged in with the
admin-1 account that took the Configuration Lock.
157. Click Commit > Commit to Panorama.
158. Click Commit. The commit should succeed.
159. After the successful commit, check the status of the lock icon at the top right of the
screen. It should be open (unlocked):

160. Click the Lock icon and note that there are no longer any Locks in place.
If you take a Configuration or Commit Lock and commit your changes, Panorama automatically
releases the lock and removes the entry from the Lock window.
161. Log out of Panorama and log back in with the admin/admin account.

Stop. This is the end of the User Administration lab.

Lab 6 Scenario: Log Collection and Forwarding
Your organization has decided to forward firewall events to Panorama to provide a single
location for operational and security analysis of network traffic. You will configure firewalls
to forward copies of Traffic log and Threat log events to Panorama.
Our current Panorama deployment is configured for Legacy mode, which supports firewalls
forwarding logs directly to the Panorama appliance. Before you begin forwarding traffic from
your firewalls to Panorama, you need to determine how much log storage space is available to
ensure that your retention requirements can be met.
After you have determined storage requirements, you will configure the appropriate Log
Forwarding Profiles to send all Traffic logs from both firewalls to Panorama.
To complete this lab, you will need to connect to Client A and Client B desktops. Client A
sends all traffic through firewall-a, and Client B sends all traffic through firewall-b, as
follows:

In this lab, you will perform the following tasks:


▪ Configure log forwarding on the firewalls
▪ Configure log settings on the firewalls
▪ Confirm log forwarding

Lab 6 Solution: Log Collection and Forwarding
6.0 Load Lab Configurations
1. In the Panorama web interface, select Panorama > Setup > Operations.
2. Click Load named Panorama configuration snapshot:

3. Select edu-220-panorama-9-Start-lab-06, and then click OK.


4. Click Close.
5. Commit the changes to Panorama.
6. In the Panorama web interface, select Commit > Push to Devices.
7. Select Edit Selections:

8. On the Device Groups tab, ensure that all groups are selected.
9. Check the Force Template Values check box at the bottom:

10. Click Yes on the Force Template Values warning.


11. On the Templates tab, select all devices.
12. Click OK, and then click Push to start the process of pushing to devices.
13. Monitor the tasks for commit success:

14. If you click the Commit All link in the window shown in the screenshot, you will see the
details of the commit task. Click Close on the Task Manager.

6.1 Determine Available Log Storage and Adjust Values
Your organization states that you must maintain logs for at least 90 days. Your calculations
for this requirement show that you will need 7GB for Traffic logs and 3GB for Threat logs.
15. Navigate to Panorama > Setup > Management.
16. Locate the Logging and Reporting Settings section, and then click the edit (gear) icon to
edit the settings.
Note how much total space is available for log collection. Notice that the current quotas do not
allow us to meet our retention requirements.

17. Modify the Traffic quota to 30 and the Threat quota to 13 to allow us to meet our
retention requirements and to add a small buffer.

As more firewalls are added, and/or as the number of logs forwarded from existing firewalls
increases, more storage will be needed. The following options are available to increase
storage:
▪ In Legacy mode, you can add a virtual disk to the VM to have up to 8GB.
▪ Migrate to Panorama mode, which allows you to have up to 24GB.
▪ Deploy Dedicated Log Collectors, which allow you to scale beyond 24GB.
▪ Use the Logging Service and provision the required amount of storage.
▪ Use a combination of the preceding options.
18. Leave the remaining settings unchanged.
19. Click OK.

6.2 Configure a Log Forwarding Profile to Send All Traffic and Threat Logs to Panorama
20. Select Objects > Log Forwarding.
21. Ensure that the Device Group is NorthAm:

22. Click Add, and then create a new Log Forwarding Profile.
23. Name it Analyst-Alerts.
24. Click the Shared check box to create a Log Forwarding Profile that is available to all
device groups.
25. Within the Log Forwarding Profile window, click Add:

26. In the Log Forwarding Profile Match List, enter Traffic Log Event Forwarding
for the Name.
27. Ensure that the Log Type is set to traffic and that the Filter shows All Logs.
28. Check the Panorama/Logging Service check box.
29. Click OK.
30. While you are still in the Log Forwarding Profile window, click Add again to create
another Log Forwarding Profile Match List.
31. For Name, enter Threat Log Event Forwarding.
32. Under Log Type, select threat and leave the Filter set to All Logs.
33. Check the Panorama/Logging Service check box.
34. Click OK.
35. Verify your configuration:

36. Click OK.

6.3 Create an Allow All Rule


To see the effects of this Log Forwarding profile, you will generate traffic through both
firewalls. You will create a new Security Rule that allows all traffic so that you can see a large
number of log events in Panorama. After testing, you will delete this rule.
We do not recommend creating a security rule that allows all traffic in a production environment.
37. Navigate to Policies > Security > Post Rules.
38. In the Device Group drop-down list, ensure that the device group NorthAm is selected:

39. Click Add to create a new Security policy rule. Configure the following values:
Parameter Value
General tab
Name Allow All
Source tab
Source Zone Trust-L3
Destination tab
Destination Zone Untrust-L3
Application tab
Applications Any
Service/URL Category tab
Service application-default
Actions tab
Action Setting Allow
Profile Type Profiles
Antivirus AV-Alert-All
Log Setting Log at Session End
Log Forwarding Analyst-Alerts
40. Click OK.

6.4 Enable Log Forwarding on Existing Security Rules


In this section, you will apply the Analyst-Alerts Log Forwarding Profile to the existing Pre
Rules.
41. Navigate to Policies > Security > Pre Rules.
42. Click the Allow Web rule to edit it.
43. Click the Actions tab, click the drop-down arrow next to Log Forwarding, and then
select Analyst-Alerts.
44. Click OK.
45. Click the Danger rule to edit it.
46. Click the Actions tab, click the drop-down arrow next to Log Forwarding, and then
select Analyst-Alerts.
47. Click OK.
48. Click Preview Rules, which is at the bottom of the screen. Maximize the preview rules
window, and then verify the rule order for firewall-a and firewall-b.
(Note that you need to change the Device Group to Chicago to see the Preview Rules for
firewall-b.) Notice that this view also shows the number of times a rule has been used and the
date and time when the rules were used:

Note that in this image, some of the columns are hidden. You can customize many of the table
displays in Panorama by adding or removing columns.
49. Close the Combined Rules Preview window.

6.5 Configure System Log Forwarding


In addition to forwarding log events when a Security policy rule is matched, firewalls can
forward non-traffic-related log events to Panorama such as system, configuration, and
correlation. You now will build a filtered Log Forwarding Profile to send only critical system
log events to Panorama.
50. Select Device > Log Settings.
51. In the Template drop-down list, ensure that the template Servers is selected:

52. Under System, click Add to create a new Log Settings-System entry.
53. Name the entry Alert Operations.
54. Under the Filter section, click the down-arrow, and then select Filter Builder:

55. Select the following settings:

Parameter Value
Connector or
Attribute Severity
Operator greater than or equal
Value medium

56. Click Add (located in the column on the far right):

57. Before you click OK, click the View Filtered Logs tab, which allows you to preview the
query:

Note that what you see in the View Filtered Logs tab may be different from the example shown.
58. Click OK.

59. Check the Panorama/Logging Service check box, and then click OK.
60. Your configuration should match the following:

6.6 Enable HTTPS on the Ethernet1/3 Interface


As preparation to run the traffic generator on firewall-a, you need to enable HTTPS on the
ethernet1/3 interface for the DMZ-L3 zone.
61. In the Template drop-down list, ensure that the template InterfaceFW is selected.
62. Select Network > Interfaces and then click ethernet1/3.
63. Click the Advanced tab.
64. Under the Other Info tab, select allow-mgt from the drop-down list for the
Management Profile.
65. Click OK. Then click Yes in the Warning dialog box.
You are applying a preconfigured Interface Management Profile called allow-mgt to interface
ethernet1/3. This profile allows you to connect to the IP address on ethernet1/3 using HTTPS to
manage the firewall.
66. Click the Commit option in the upper-right corner, and then select Commit to
Panorama.
67. When the Commit to Panorama window appears, click Commit.
68. Monitor the status of the commit. When the commit has completed, click Close.
69. Click the Commit option in the upper-right corner, and then select Push to Devices.
70. Click Edit Selections.
71. Check the check boxes for all Device Groups and firewalls.
72. Check the box for Force Template Values.
73. Click Yes on the warning box for Force Template Values.
74. Select the Templates tab and verify that the boxes for firewall-a and firewall-b are
checked.
75. Click OK.
76. Click Push.
77. When the Commit All process is completed, click Close.

6.7 Generate Traffic on firewall-a
78. On the Client A Windows desktop, open PuTTY, and then double-click traffic-generator.
79. For the Password field, enter Pal0Alt0.
80. After you have logged in, type the sh /tg/panorama/traffic.sh command and
press Enter on your keyboard:

81. After a few minutes, you should see that traffic is being generated:

82. Allow this script to run and generate traffic through firewall-a.
83. While you wait, generate traffic through firewall-b in the next section.

6.8 Connect to Client B and Generate Traffic on firewall-b


84. On your local computer (not inside the Remote Desktop lab environment), open a new
tab in your browser, and then connect to the Client B desktop using the login credentials
and IP address provided by your instructor.
85. After you are connected to the Client B desktop, connect to firewall-b by launching the
Chrome web browser inside the Client B session, and then connect to
https://192.168.1.253. (Click through any certificate warning messages.)
86. Log in to the firewall with admin as the username and password.
87. Open additional tabs inside the Chrome web browser of Client B, and then visit various
sites to generate traffic. After you have browsed to several different sites, remember to
close the tabs (because you are logging at session end) to complete the sessions.

6.9 Confirm Traffic Generation and Log Forwarding
88. While you still are logged in to firewall-b, click Monitor > Logs > Traffic.
89. Verify that you see entries in the traffic log passing from the Trust-L3 zone to the
Untrust-L3 zone:

90. Return to your Client A desktop.


91. Click the firewall-a tab in the Chrome browser.
92. Navigate to Monitor > Logs > Traffic.
93. Verify that you see entries in the Traffic log passing through the Danger-VWire zone:

94. Return to Panorama and navigate to Monitor > Logs > Traffic.
95. Filter the Traffic log to show only firewall-a traffic by clicking firewall-a in the Device
Name column (scroll to the far right of the display to locate the column).

96. Click the Apply Filter icon at the top of the screen. Verify that traffic is being
forwarded to Panorama from firewall-a:

97. Modify the filter to firewall-b. Note: The fastest way to change the filter is to edit the
existing filter by replacing the firewall-a value with firewall-b.
98. Click in the query section to apply the updated filter and verify that traffic is being
forwarded to Panorama from firewall-b:

99. Navigate to Monitor > Logs > Threat. Verify that threats are being forwarded to
Panorama from firewall-a:

Note that the Threat log entries you see will differ from the examples shown above.

Stop. This is the end of the Log Collection and Forwarding lab.

Lab 7 Scenario: Aggregated Monitoring and
Reporting
You are responsible for operations and security analysis of your organization’s firewalls. Each
morning you use Panorama to show managed firewall health and to summarize threats over
the last 24 hours. You use Panorama reporting to analyze and characterize threats that were
logged in the previous 24 hours.
In this lab, you will use various tools to review the operational status of your managed
firewalls. Use this information to update Security policy rules to block access to various high-
risk applications, and then create an operational report to use for ongoing monitoring of these
risky applications.
Then you will review Threat logs and reports to identify and respond to threats that have been
detected in your environment.
Note that you must complete Lab 6, "Log Collection and Forwarding," before you start this
lab to see any useful data in the logs, graphs, and widgets referenced in this section.
In this lab, you will perform the following tasks:
▪ Examine Panorama ACC data
▪ Run reports on Panorama
▪ Identify and respond to threats

Lab 7 Solution: Aggregated Monitoring and
Reporting
7.0 Load Lab Configurations
1. In the Panorama web interface, select Panorama > Setup > Operations.
2. Click Load named Panorama configuration snapshot:

3. Select edu-220-panorama-9-Start-lab-07, and then click OK.


4. Click Close.

5. Commit the changes to Panorama.
6. In the Panorama web interface, select Commit > Push to Devices.
7. Select Edit Selections:

8. On the Device Groups tab, ensure that all groups are selected.
9. Check the Force Template Values check box at the bottom:

10. Click Yes on the Force Template Values warning message.


11. On the Templates tab, make certain that all devices are selected.
12. Click OK, and then click Push to start the process of pushing to devices.
13. Monitor the tasks for commit success:

14. If you click the Commit All link in the window shown in the screenshot, you will see the
details of the commit task. Click Close on the Task Manager.

7.1 Review Operational Information Using the Dashboard
15. To gain additional insight into the operational state of the firewalls, you need to enable
additional widgets.

16. Click the Dashboard tab, and then click the drop-down arrow.
17. From the drop-down list, enable all Application, System, and Log widgets.
18. Now arrange the various widgets on the Dashboard by dragging and dropping them to
suit your needs.
Note: This view is specific to your login. Other administrators can arrange the Dashboard to fit
their individual needs. Widgets automatically will update during the next summary database
refresh.

18. Review the information displayed on the Dashboard to discover any areas of concern
(High Risk Applications, Threat Logs, etc.).
Notice that the default Dashboard view is set to All Device Groups, which aggregates data from
all connected firewalls.
19. Click the Device Group drop-down arrow, and then toggle between the NorthAm and
Chicago groups:

20. As you toggle between the two device groups, notice how the Dashboard refreshes to
display only data from firewalls in the respective group.
Remember, the Dashboard displays summary data for the last 60 minutes.

7.2 Review Operational Information Using the ACC


To see operational information older than the last 60 minutes, we will use the Application
Command Center (ACC).
21. Click the ACC tab.
22. To ensure that we are reviewing network activity for the last 24 hours, click the
drop-down arrow on the left of the ACC, and then change the time to Last 24 Hrs.
23. Select the tab for Network Activity.
24. Select All from the Device Group drop-down list:

25. To narrow the scope, we want to focus on high-risk applications that are being allowed
through the firewalls.
26. Start by creating a global filter that displays risk level 5 applications.
27. Click the green plus sign (+) in the Global Filters section in the navigation pane at the
left, and then add risk 5 applications by selecting Application > Risk > risk 5, as shown
in the following screenshot.
Note: After you build the filter, you will need to click your mouse anywhere outside of the filter
so that the ACC refreshes with the new filter.

28. Notice that several high-risk applications are flowing through the firewalls:

The applications you see may differ from the examples here.
Palo Alto Networks ranks applications based on their relative risk. Risk 1 is low, and Risk 5 is
high. These risk levels also are color-coded: Risk level 1 is green; Risk level 2 is blue; Risk level 3
is yellow; Risk level 4 is orange; and Risk level 5 is red.
29. To further narrow the scope and focus on the peer-to-peer traffic, add the BitTorrent
application to your global filter by hovering your cursor over the application name, and
then clicking the global filter symbol next to it:

30. To see the detailed Traffic logs associated with BitTorrent traffic, click the Jump to
Logs icon, and then select Traffic Log:

31. Panorama switches the view to Monitor > Logs > Traffic:

Notice that Panorama automatically builds a filter for the Traffic log based on the filter from the
ACC. The filter includes the date/time range, Risk Level 5, and application of BitTorrent.
32. Toggle between the NorthAm and Chicago device groups using the Device Group
drop-down arrow directly above the query.
33. Notice that the BitTorrent traffic seems to be a problem with the NorthAm devices. No
BitTorrent traffic is observed originating from the Chicago devices.
34. To stop this high-risk traffic through the Danger-VWire zone in the NorthAm firewall,
you now will create a policy to block the peer-to-peer traffic including BitTorrent.
35. Click Policies > Security > Pre Rules.
36. Select the NorthAm device group from the drop-down list:

37. Click the Add button at the bottom of the pane to create a policy.
38. Use the following values:
Parameter Value
General tab
Name Deny Peer-Peer
Source tab
Source Zone Danger-VWire
Destination tab
Destination Zone any (use the drop-down list)
Application tab

Applications bittorrent
gnutella
Service/URL Category tab
Service any
Actions tab
Action Setting Deny
Log Setting Log at Session End
Log Forwarding Analyst-Alerts
39. Click OK.
40. Highlight the newly created Deny Peer-Peer rule, and then drag it to the top so that your
security pre-rules for the NorthAm group match the following screenshot:

Note that some of the default columns have been hidden or moved in this example image.
41. Click the Commit option in the upper-right corner, and then select Commit to
Panorama.
42. When the Commit to Panorama window appears, click Commit.

43. Monitor the status of the commit. When the commit has completed, click Close.
44. Click the Commit option in the upper-right corner, and then select Push to Devices.
45. Click Edit Selections.
46. Check the check boxes for all Device Groups and firewalls.
47. Click OK.
48. Click Push.
Note that we are not using the Force Template Values option in this case since we have only
made changes to Device Groups and nothing in the Templates has changed.
49. When the Commit All process is completed, click Close.

7.3 Create a Custom Operational Report


You now will create a scheduled report that will run automatically each night and monitor high-
risk applications.
50. Navigate to the Monitor > Manage Custom Reports option (toward the bottom of the
list on the left side of the window).
51. Change the Device Group to All:

52. Click Add to begin the process of creating the report.


53. Enter the following values:

Parameter Value
Name High Risk Apps
Description Risk 4 and 5 Applications
Database Traffic (under Remote Device Data toward the top of the
list)
Scheduled Leave this unchecked for now
Time Frame Last 24 Hrs
Sort By Sessions, Top 25
Group By Application, 25 Groups
Query Builder Enter the following information:
(risk-of-app eq 4) or (risk-of-app eq 5)

Available Columns Add the following columns. Select an item and then click the
plus sign (+). Continue until you have added each item to
the Selected Columns list:
Action, Application, Bytes Received, Bytes Sent,
Destination Zone, Device Name, Risk of App and Source
Zone

The Filter Builder link allows you to structure queries based on various factors. As you become
familiar with the process of creating filters, you can enter the syntax manually as we have shown
here.
54. Before you click OK, preview the report by clicking the Run Now button at the top of
the custom report screen.

The results of your report may differ from the example shown.
55. After you are satisfied with the report, select the tab for Report Settings.
56. Check the box for Scheduled.
57. Click OK.

7.4 Explore App Scope


You have used the ACC to help modify Security policy rules to reduce risk, and you have
created a custom report to monitor any other high-risk applications. Explore other tools that
will help you monitor and manage firewall traffic throughout the enterprise.
58. Navigate to Monitor > App Scope > Summary.
59. Notice that the selection allows you to toggle between available Device Groups and to
use the Panorama or Remote Device Data as the Data Source.
60. Navigate to Monitor > App Scope > Change Monitor.
61. This view also allows you to toggle between available Device Groups and to use the
Panorama or Remote Device Data as the data source.
62. Notice that several options allow you to view various aspects of change. Explore this tool
and the options available at the top of the pane.

63. Continue to explore the various charts and graphs found in the Monitor > App Scope
section, including the Threat Monitor, Threat Map, Network Monitor, and Traffic
Map. All these views are designed to help you to determine if any rules and/or policies
should be modified.

7.5 Identify and Respond to Threats


Earlier we used the ACC to help us understand which types of traffic and applications are
flowing through the firewalls. The ACC also is a good starting point for getting insight into
threats being detected throughout the enterprise.

64. Navigate to the ACC tab, and then click the Threat Activity tab. This is the default
view, but it is customizable to meet your needs.
65. Notice that the Device Group is set to All and that the Data Source is Panorama.
This view is the default view that shows all threat activity across the entire enterprise.
66. To clear global filters that were created earlier, click the Clear all button on the left side
of the screen:

67. Verify that the display filter is set to Last 24 Hrs:

68. Click the pencil icon on the Threat Activity tab to edit the widget:

69. Move the Applications Using Non Standard Ports and the Rules Allowing Apps On
Non Standard Ports widgets from the bottom toward the top:

70. Click OK. Notice the updated view.
You can use this process to customize the available widgets in any of the tabs in the ACC.
71. Click the Pencil icon again on the Threat Activity tab.
72. Click the Red Pushpin icon.
This selection will make the Threat Activity tab the default view the next time you select the
ACC tab.
73. Notice how the Threat Activity tab is moved to the first position.
74. Click the Device Group drop-down arrow, and then select Chicago.
75. After the ACC refreshes, notice that there is no data to display.
You can navigate to individual device groups to narrow the scope of your threat research to a
subset of managed firewalls. There is no threat data in the Chicago device group, which
indicates that the threats are associated with the NorthAm firewalls.
76. Click the Device Group drop-down arrow again, and then select NorthAm.
77. Add a global filter from the left column for the device firewall-a:

When a device group contains multiple firewalls, you can narrow the scope of the investigation
by adding criteria to the Global Filters on the left, and then selecting a specific Device Name.
78. Scroll down below the graphs for Applications Using Non-Standard Ports and the
Rules Allowing Apps On Non Standard Ports section.
79. Notice that the Danger rule is allowing many applications to run on non-standard ports.

This security rule generally is not recommended because it presents a potential security threat.
Next you will modify the rule that allows the applications to run on non-standard ports.
80. Navigate to Policies > Security > Pre Rules.
81. Ensure that the NorthAm device group is selected in the drop-down list at the top:

82. Click the Danger rule to edit it.


83. Click the Service/URL Category tab, and then change the service from any to
application-default.



This change to the rule will block any traffic for applications that are not running on the defined,
standard TCP or UDP port.
84. Click OK.
85. To push the updated policies to the managed devices, click Commit in the upper-right
corner, and then select Commit and Push.
This is a shortcut to the process we have used throughout the other labs. You can instruct
Panorama to save the changes and to push the configuration out to firewalls with the Commit
and Push option.
86. When the Commit and Push window appears, click Commit and Push.
87. Click Close after the Status has changed to Completed.
88. To verify that the updated Security rules are now blocking BitTorrent and Gnutella
applications, run the traffic generator again by completing the steps in Section 6.7
(Generate Traffic on firewall-a) of this Lab Guide.
89. After the traffic generator script has finished, navigate to Monitor > Logs > Traffic and
view the traffic logs on firewall-a.
Be sure to clear any previous filters you may have in place by clicking the red X icon in the filter
row.
90. Verify that the updated policies now are blocking high-risk traffic by creating various
filters such as (action neq allow). Only the traffic blocked by the Deny Peer-Peer
policy rule on firewall-a shows here:



Stop. This is the end of the Aggregated Monitoring and Reporting lab.



Lab 8 Scenario: Panorama Troubleshooting
In this lab, you will perform the following tasks:
• Troubleshoot connectivity issues with firewall-a
• Troubleshoot various commit failure issues
• Troubleshoot a successful commit that has caused a network outage for users
• Review the health of the managed firewalls
You arrive at the office to discover that firewall-a has lost connectivity with Panorama. You
have been asked to troubleshoot the issue and to get this firewall reconnected. You also notice
that firewall-b is failing when a commit is pushed to it. You will need to troubleshoot and
resolve the errors preventing the configuration push.
After both firewalls are reconnected, and commits and pushes succeed without errors, you
receive an urgent message that no one can connect to the internet. You must troubleshoot this
issue and resolve it as quickly as possible.
After all issues have been resolved, you will review the overall health of the managed
firewalls to determine if any additional troubleshooting is required.



Lab 8 Solution: Panorama Troubleshooting
8.0 Load Configuration and Push to Devices
1. In the Panorama web interface, select Panorama > Setup > Operations.
2. Click Load named Panorama configuration snapshot:

3. Select edu-220-panorama-9-Start-lab-08, and then click OK.


4. Click Close.
5. Click the Commit button in the upper-right corner, and then select Commit to
Panorama.
6. When the Commit to Panorama window appears, click Commit.
7. Monitor the status of the commit. When the commit has completed, click Close.
8. Click the Commit button again in the upper-right corner, and then select Push to
Devices.
9. When the Push to Devices window appears, click Edit Selections.
10. Ensure that the Merge with Device Candidate Config, Include Device and Network
Templates, and Force Template Values check boxes all are selected:

11. When you check Force Template Values, click Yes on the warning box.
12. Under the Device Group tab, make certain the boxes for firewall-a and firewall-b are
checked.
13. Select the Templates tab.
14. Make certain that the boxes for firewall-a and firewall-b are checked.
15. Click OK and then click Push.
16. Click Close on the Task Manager window.
17. In the bottom-right corner of Panorama, click the Tasks button:

18. Monitor the status of the commit.


19. Notice that all four commits seem to have stalled or Failed:



20. What is the result of the push commits to firewall-a?
Both commit tasks for firewall-a appear to have stalled. The Progress indicator stays at 0% and
the status remains as “config sent to device.”
21. What is the result of the push commits to firewall-b?
Both commit tasks have failed for firewall-b.

8.1 Troubleshoot the firewall-b Commit Failure


Because firewall-a and firewall-b are experiencing different issues during the commit process,
you will need to determine the root cause for each firewall separately.
22. Start with firewall-b by clicking one of the Commit All hyperlinks for firewall-b.
23. In the Job Status window, click the commit failed hyperlink to see the reason for the
commit failure:



24. Review the errors and warnings displayed for firewall-b. Notice that the issue is a
misconfiguration of the virtual router named “VR.” The error indicates that an interface
has not been assigned to one of the firewall routes.
25. Click Close three times to return to the web interface.
In a production environment with many templates configured, determination of exactly where
this misconfiguration exists can be a challenge.
26. In this case, you will use the global Find tool to locate the template and virtual router
misconfiguration.
27. Begin by clicking the button in the upper-right corner of the Panorama web
interface.
28. Enter 10.11.12.13, and then press Enter on your keyboard.
29. Panorama provides details about where this string occurs if you expand the Virtual
Router by clicking the +:

30. If you click directly on the entry for VR, Panorama automatically will navigate you to
Network > Virtual Router and narrow the scope of your available virtual routers to the
one that is misconfigured. In this case, it is the virtual router named VR.
31. Ensure that FWBSettings is selected in the Template drop-down list.



32. Click the VR hyperlink to open the virtual router configuration.
33. Click the Static Routes tab, and then click the Route to 10 Network link.
34. Notice that no interface is bound to this route, which is what is causing the error:

35. Edit the Route to 10 Network entry.


36. Click the drop-down arrow for the Interface, and then select ethernet1/3.
37. For Destination, enter 10.10.0.0/24.
38. For the field below the Next Hop field, enter 192.168.50.254.
39. Click OK to close the Virtual Router – Static Route – IPv4 window:

40. Click OK to close the Virtual Router - VR configuration window.


These steps should fix the issue with firewall-b.

8.2 Troubleshoot the firewall-a Commit Issue


Now return to the issue with firewall-a.
41. Navigate to Panorama > Managed Devices > Summary and review the current
operational status of your managed devices:



Notice that firewall-a shows Disconnected.
42. Because the Device State for firewall-b is Connected, the loss of connectivity issue
appears to be specific to firewall-a.

8.3 Log In to firewall-a and Troubleshoot Connectivity


Check the System log on firewall-a.
43. If you do not already have firewall-a open in another tab, open a new tab in the Chrome
browser, and then navigate to https://192.168.1.254.
44. Log in with the username admin and password admin.
45. Navigate to Monitor > Logs > System.
46. Create a filter to display only Panorama-related entries:
( description contains 'Panorama' )

47. Notice the entry indicating a failed connection.


48. Look closely and you will notice that the IP address of the Panorama server is incorrect.
49. You will need to modify the configuration so that the firewall can re-establish the
connection to the Panorama appliance.
50. While you still are logged in to firewall-a, navigate to Device > Setup > Management.
Click the in Panorama Settings.
You can see that this incorrect value was pushed down from Panorama because it has the green
gear next to the setting. Normally, you would correct the configuration in Panorama and then
push it to the firewall. However, in this case the firewall is not connected to Panorama, so you
will have to override this value and then perform a local commit.



51. The preceding screenshot shows the green gear icon; click it to override the pushed
value.
52. Enter 192.168.1.252, and then click OK.
53. Click the Commit button in the upper-right corner.
54. When the commit window appears, click Commit.
55. Monitor the status of the commit to verify that the commit is successful (ignore any
warnings for now), and then click Close.
56. Return to the tab in the Chrome browser that has the Panorama web interface open, and
then navigate to Panorama > Managed Devices > Summary.
57. Verify that firewall-a and firewall-b show Connected.
Note: A few minutes may pass before firewall-a reconnects. Refresh the screen until you see
that firewall-a has reconnected.

Before you commit and push from Panorama, you must fix the misconfigured IP address in the
Panorama Settings for firewall-a; otherwise, the next time you push to firewall-a, you will lose
connectivity again.
58. As you did earlier, use the global Find tool in Panorama to quickly locate the
misconfiguration.
59. Click the button in the upper-right corner of the web interface.
60. Enter 192.186.1.252, and then press Enter on your keyboard.
61. Expand Panorama Settings by clicking the +.
Notice that the setting is in the FWASettings template under the panorama-server settings:

62. Click panorama-server entry and Panorama will navigate you automatically to Device >
Setup > Management.
63. Verify that FWASettings is selected in the Template drop-down list:

64. Also make certain that firewall-a is selected from the Device drop-down list:

65. Click the in Panorama Settings.



66. Correct the misconfigured IP address by changing it to 192.168.1.252, and then click
OK.
67. Click Commit in the upper-right corner, and then select Commit to Panorama.
68. When the Commit to Panorama window appears, click Commit.
69. Monitor the status of the commit. When the commit has completed, click Close.
70. Click the Commit option again in the upper-right corner, and then select Push to
Devices.
71. When the Push to Devices window appears, click Edit Selections.
72. Ensure that the Merge with Device Candidate Config, Include Device and Network
Templates, and Force Template Values check boxes all are selected:

73. When you check the box for Force Template Values, click Yes on the warning box.
74. Under the Device Group tab, verify that the box for firewall-b is checked.
75. Select the Templates tab.
76. Verify that the boxes for both firewalls are checked.
77. Click OK and then click Push.
78. Monitor the status of the commit. Notice that multiple commit jobs are running.
To monitor the status of each task, click the Commit All hyperlink for each job to verify
success.
Note: The commit jobs should succeed with warnings indicating potential issues with Security
policy rules.

79. Click Close when the commit tasks are completed.



8.4 Troubleshoot Loss of Internet Connectivity
Although the commit and push tasks were successful, users now are complaining that they are
experiencing a complete loss of internet connectivity.
80. Open additional tabs in the Chrome browser, and then attempt to navigate to various
sites. You should not be able to reach the sites.
81. Return to Panorama, and then navigate to Monitor > Logs > Traffic.
82. Clear any filters you have in place by clicking the red X button:

83. Because the firewalls are forwarding Traffic logs to Panorama, you can quickly
determine that a rule named BlockBad is blocking all traffic:

84. Click the button in the upper-right corner of the web interface. Enter BlockBad,
and then press Enter on your keyboard.
Expand Security Rules by clicking the +.
Notice that the setting is in the Shared device group.
85. Click BlockBad to automatically navigate to Policies > Security > Pre Rules.
86. Verify that Shared is selected in the Device Group drop-down list:

87. Click the BlockBad rule to edit it.


88. Check the Description:



See how helpful it is to use descriptions for rules? If the administrator had left the description
out of this rule, it would probably take deeper investigation to determine why this rule is here
and what the administrator intended it to accomplish.
89. Click the Destination tab. You should see that the administrator apparently forgot to
enter the destination address, and as a result all traffic is being blocked.
90. Click the Add button under Destination Address, and then add both Palo Alto Networks
preconfigured lists:

91. Select any from the drop-down list (just above the Destination Zone).
92. Click OK.
93. Click the Commit option in the upper-right corner, and then select Commit to
Panorama.
94. After the Commit to Panorama window appears, click Commit.
95. Monitor the status of the commit. When the commit has completed, click Close.
96. Click the Commit option again in the upper-right corner, and then select Push to
Devices.
97. Select Edit Selections in the resulting window.
98. Under the Device Groups tab, check the check boxes for firewall-a and firewall-b.
99. Click OK.
Because you modified only a Security rule in a device group, you do not need to use the Force
Template Values option.
100. Click Push in the next window.
101. When the commit process is completed, click Close.



102. Monitor the status of the commit jobs, and then verify that both jobs commit
successfully without any errors or warnings:

103. Test internet connectivity by opening additional tabs in the Chrome browser and
navigating to various sites.
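The two rule problems this guide has you fix by hand, the Danger rule that allows applications on non-standard ports (Lab 7, step 79) and the BlockBad deny rule with no destination address (step 89 above), can also be caught by a simple policy check. The following is an added example, not Palo Alto Networks code; the rule records are constructed to mirror the fields the lab edits, and the severity labels are this example's own.

```python
# Added example (not from the lab guide): lint Security rules for the two
# misconfigurations the labs correct. Rule records are constructed dicts in
# the shape of the Panorama fields the lab touches; the "Danger" and
# "BlockBad" entries follow the lab, the other rule is made up for contrast.

SEVERITY_HIGH = "high"
SEVERITY_MEDIUM = "medium"


def lint_rule(rule):
    """Return a list of (severity, message) findings for one Security rule."""
    findings = []
    name = rule["name"]
    action = rule.get("action")
    service = rule.get("service", ["any"])
    application = rule.get("application", ["any"])
    destination = rule.get("destination", ["any"])
    description = rule.get("description", "").strip()

    # Lab 7, step 79/83: an allow rule whose service is not application-default
    # lets the matched applications run on non-standard ports.
    if action == "allow" and "application-default" not in service:
        findings.append((SEVERITY_HIGH,
                         f"{name}: allow rule with service {service}; "
                         "use application-default"))

    # Lab 8, step 89: a deny rule matching any application to any destination
    # blocks all traffic, which is how BlockBad caused the outage.
    if action == "deny" and destination == ["any"] and application == ["any"]:
        findings.append((SEVERITY_HIGH,
                         f"{name}: deny rule with application any and "
                         "destination any blocks all traffic"))

    # Lab 8, step 88: the description is what explained why BlockBad existed.
    if not description:
        findings.append((SEVERITY_MEDIUM, f"{name}: no description"))

    return findings


def lint_policy(rules):
    """Lint every rule; returns {rule_name: findings} for rules with findings."""
    report = {}
    for rule in rules:
        found = lint_rule(rule)
        if found:
            report[rule["name"]] = found
    return report


# Constructed sample rulebase in the shape of the lab's pre-rules.
SAMPLE_RULES = [
    {"name": "Danger", "action": "allow", "application": ["any"],
     "service": ["any"], "destination": ["any"], "description": "allow apps"},
    {"name": "BlockBad", "action": "deny", "application": ["any"],
     "service": ["any"], "destination": ["any"],
     "description": "Block traffic to known-bad external addresses"},
    {"name": "Deny Peer-Peer", "action": "deny",
     "application": ["bittorrent", "gnutella"], "service": ["any"],
     "destination": ["any"], "description": "block p2p"},
]
```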

8.5 Review the Health of Managed Firewalls


104. Return to the Panorama web interface, and then navigate to Panorama > Managed
Devices > Summary.
105. Verify that both devices show as Connected and In sync, and that there are no commit
errors and/or warnings:

106. Navigate to Panorama > Managed Devices > Health.


107. Examine the summary statistics for the health of the managed firewalls:

Also notice in the lower-right corner of the screen that there is an option to change the time
frame of the information being displayed.

108. Click the Deviating Devices tab.



Panorama centralizes time-trended performance monitoring information and correlates events
such as commits, content updates, and software upgrades to health data. Panorama determines
a metric health baseline by averaging the health performance for a given metric over seven
days, plus the standard deviation. A device that deviates from its calculated baseline will appear
as a deviating device to help you identify, diagnose, and resolve any potential issues.
The lab environment is unlikely to have any Deviating Devices listed.
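The baseline rule described above, seven-day average plus standard deviation with anything above it reported as deviating, is straightforward to reproduce. The following is an added example, not Panorama's own implementation; the metric names and daily readings for firewall-a and firewall-b are constructed, and the use of the population standard deviation is an assumption.

```python
# Added example (not Palo Alto Networks code): compute the health baseline the
# lab describes and list devices whose current reading exceeds it.
# Assumption: population standard deviation over the seven-day window.
from statistics import mean, pstdev

BASELINE_DAYS = 7


def baseline(samples):
    """Seven-day mean plus one standard deviation of a metric's daily readings."""
    window = samples[-BASELINE_DAYS:]
    if len(window) < 2:
        raise ValueError("need at least two samples to compute a baseline")
    return mean(window) + pstdev(window)


def is_deviating(samples, current):
    """True when the latest reading is above the metric's baseline."""
    return current > baseline(samples)


def deviating_devices(history):
    """history: {device: {metric: (daily_samples, current)}} -> {device: [metrics]}"""
    result = {}
    for device, metrics in history.items():
        bad = [metric for metric, (samples, current) in metrics.items()
               if is_deviating(samples, current)]
        if bad:
            result[device] = bad
    return result


# Constructed seven days of readings, then today's value, for the two lab firewalls.
HEALTH_HISTORY = {
    "firewall-a": {
        "cpu_pct": ([20, 22, 21, 19, 23, 20, 22], 45),        # spike above baseline
        "logs_per_sec": ([100, 110, 105, 95, 100, 108, 102], 104),
    },
    "firewall-b": {
        "cpu_pct": ([30, 31, 29, 30, 32, 31, 30], 31),
        "logs_per_sec": ([50, 48, 52, 49, 51, 50, 50], 51),
    },
}
```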
109. Click the All Devices tab.
110. Click firewall-a to display device-specific detailed health data.
111. Click the maximize window button on the detailed view to expand the display:

112. The Actions section in the navigation pane at the left enables you to change the time
frame of the data being displayed. You also can click the Show Average drop-down
arrow to overlay average values onto the view. Explore these two options before moving
to the next step.
113. Click the Interfaces tab to get detailed information about interfaces, including any errors
or drops that might be occurring:

114. Examine the details of an interface that might be of interest by clicking its name.



115. Click the Logging tab and review the information to gain insight into the logging rates
of the firewall:

Remember to use the drop-down options in the Actions section to adjust the time period.
116. Click the Resources tab to examine the resource use of the firewall.
117. Scroll down and note the various graphs available.
These widgets help you to troubleshoot a firewall that might be experiencing performance
issues.
118. Close the Device: firewall-a display window.

8.6 Configure Address Objects


119. In Panorama, navigate to Objects > Addresses.
120. Select the device group NorthAm in the Device Group drop-down list near the top of
the window:

121. Click Add, and then create a new Address object:


• Name: Server-a
• Type: IP Netmask
• IP Address: 5.5.5.5
• Click OK.
122. Select the device group Chicago in the Device Group drop-down list near the top of the
window:



123. Click Add, and then create a new Address object:
• Name: Server-b
• Type: IP Netmask
• IP Address: 6.6.6.6
• Click OK.

8.7 Perform a Partial Revert of the Configuration


You have not yet committed the changes you made to the Address objects in the previous
section. You realize that you should not have created the Address object 6.6.6.6 in the Device
Group Chicago. Now you want to perform a partial revert to the candidate configuration.
124. Click Panorama > Setup > Operations.
125. Click Revert to running Panorama configuration.

126. The following window appears:

127. Check the check box Select Device Groups & Templates.
128. The following window appears:



129. Select Chicago in the Device Groups section.
130. Click OK to complete the revert operation.
131. Click Close.
132. In the Panorama web interface, navigate to Objects > Addresses.
133. Make sure the Device Group Chicago is selected:

134. Verify that the address object Server-b is gone.


135. Select NorthAm as the Device Group.
136. Verify that the address object Server-a is shown.
You have performed a partial revert to the running configuration. You were able to undo the
changes you made earlier to the device group Chicago. If you had chosen the device groups
NorthAm and Chicago, you would have performed a full revert to the running configuration.

Stop. This is the end of the Panorama Troubleshooting lab.



PAN-EDU-120 9.0 Version A
