When we first sign into the user interface we see the Dashboard, which shows a summary of configuration and user information. We want to start out our demo today by clicking on the ACC tab.

There is an old saying that knowledge is power. This is one of the benefits that the ability to classify all application traffic, inspect the content within, and identify users provides. Throughout our product, the contextual link between application, content and user is consistent. The ACC provides this knowledge in an interactive, easy-to-use, and visual way, providing you with the ability to make informed security decisions.

The first thing we notice in the ACC is a graphical depiction of all applications traversing the network, the application usage section. But we also can see user activity by traffic sent and received. If we scroll down (scroll down the page), additional widgets show source and destination IP activity, and source and destination regions with world maps visually highlighting where traffic comes from and goes to. Further down we have GlobalProtect host information for GlobalProtect users as well as a widget showing rule usage.

Consider the ACC as a 10,000 foot view of your network, with the ability to quickly dive down to a more granular view. The ACC is a standard feature that does not require any additional licensing.

Using the ACC - The Story/Example

Let’s walk through an example of how an administrator would use the ACC to gain important insights into network and threat activity. This will show you the true power of the ACC and how it connects all of the capabilities of the Next Generation Security Platform to provide actionable and intuitive data.

The application usage graph at the top is front and center in the ACC. It shows all traffic grouped by applications. The tree map displays the applications by category (hover mouse around the dark grey) and subcategory (hover mouse around light grey), and the applications themselves are color coded by risk. Red means risky and green means OK. Below you see the top applications sorted by bytes. If you change the view, the applications shown in this widget will change as well.

We can click on any category or application to drill down in more detail. (Click on General Internet). Now we can see all applications associated with this category. We see web browsing taking up the majority of bandwidth, which is expected in a perimeter deployment like this, but RapidShare is taking up a large portion as well. You may ask yourself “What is RapidShare?” especially if you are unfamiliar with the application. A quick look at “Value” in the drop down menu next to the app provides the answers. This pop-up window provides us with a description of the application, its category, the standard ports, a risk level, and things to look out for when dealing with this application. Palo Alto Networks can identify all applications regardless of port thanks to our App-ID technology.

Let’s drill down a little more (Click on “RapidShare”). Now we can see in detail all the traffic associated with RapidShare in this widget. The large amount of bytes sent and received in this graph might grab your attention. With another click on the little left pointing arrow next to “RapidShare” we can promote the filter for further analysis. (Click on the arrow next to “RapidShare” in the table)

To promote a filter means to filter all global network traffic by this application. So what we have done now is apply this filter to all widgets in the ACC. The little “promote” arrows are distributed across the user interface, and appear behind any item that can be used as a global filter. You can see your filter string up here in the top left corner of the UI. (scroll down as you describe each widget for the conversation below).

As you can see, we show all users of RapidShare, IPs associated with the traffic, source and destination regions of the world, as well as rules associated with RapidShare. (Scroll back up) But for now, let’s look at some user activity that catches our eye. Marsha Wirth is the number one user of RapidShare in the last hour. Our User-ID capabilities enable us to identify users by name rather than just IP addresses. Let’s take a closer look at Marsha’s usage of RapidShare by promoting this filter as well (Click on the arrow next to Marsha’s name). Now we are filtering everything by RapidShare and Marsha Wirth.

(Scroll down to Source IP Activity widget) When we are looking at Source IP Activity we can see that all the RapidShare traffic is from a desktop computer in the lab – I’m curious. Let’s look at regions. (scroll down to Destination region) The traffic is going from the headquarters office to UK, EU, US, providing us with more data points. Let’s find out more. Look at rules (Scroll to Rule Usage). A large amount of this traffic came from a rule called “watch risky apps.” We now can do a Global Search to find the instance of the “watch risky apps” rule in the rule-base. (Click on the down arrow next to watch risky apps and select Global Search) We see that 1 security rule is impacted. If we hover over the name of the “Watch Risky Apps” rule, we can see the definition of the rule without ever leaving the ACC tab.

Looking at this definition, we can see that this is obviously an allow rule. But you may ask yourself if we should modify this rule to change the handling of any RapidShare traffic. (Click away from GlobalFind to close the pop up window)

Let’s do a quick re-cap: So far we have established a lot of knowledge that will help us make an informed decision: Marsha has been using RapidShare, she transferred a lot of data from headquarters to UK, EU, US from a lab desktop and it passed through a rule called watch risky apps.

Of course it would also be interesting to see what else Marsha has been doing outside of RapidShare. As you can see we have our filter string from our activity on the left hand side of the screen. We filtered first by “RapidShare”, then by “Marsha Wirth”. It is very easy to remove any part of a filter string. By removing “RapidShare” we can quickly see all the activity of Marsha across all applications. (Select the Check box next to “RapidShare” then click the “-” button below) Now we can see her application usage. (Click “Home” on Application Usage widget) Within this application usage widget, we can see in the “Threats” column that Marsha has encountered several threats. This is worth exploring.

At this point we have only been using the “Network Activity” tab. But there are other tabs available as well. By default, the ACC will display the network, threat and blocked activity tabs. So, let’s take a look at the “Threat Activity” tab to see threat activity by Marsha.

Threat activity Tab

In this tab we can see information about threat behavior across the network, such as hosts that are visiting malicious domains, threat activity and WildFire activity, and information about applications using non-standard ports. The same design convention empowers you to drill down into more detail, promote any item, or utilize Global Filters to help find other instances of an event, host name or rule. It is in this section where you can see our Content-ID in action, providing valuable information about all kinds of threat activity in the network.

The widget on the top right highlights most likely compromised hosts based on automatic correlation of indicators of compromise. This means our Next Generation Firewall looks for signs of compromise that, when they appear together, can confirm that a host has been compromised.

(Read Red words shaded in green below only if NO correlation triggers are shown) [Currently we don’t see any correlation triggers within the last hour, but let’s just expand the timeframe for our search to “Last Calendar Day” to see if there are any triggers associated with Marsha over the last day] (Select “Last Calendar Day” from top left)

As we can see, Marsha most likely has a compromised host. It looks like the following things happened: (Click on the magnifying glass of any correlation event under “match count” and read the detailed description in the pop-up windows. Close window after reading) The “RapidShare” activity we are witnessing may be a direct result of the malware installed on the lab desktop. We will have to follow up on this later.

(Read green shaded text only if you have extended the time frame to show a correlation object) [For now let’s go back to looking at a 1 hour time frame.] (Select 1 hour as the timeframe in the top left)

We can see that there were several incidents with “code execution” associated with Marsha Wirth, all of them with Microsoft applications. This is a further sign that Marsha may have been compromised. If you want to learn more about these vulnerabilities, you can follow the same process we used earlier with applications. Clicking on the drop down next to the threat name and selecting “Value” will show important details about the threat.

Block activity Tab

In this tab you can find information about blocked applications, users, and content, as well as information about which policies are most actively blocking access. We can see Marsha’s email and web activity was blocked quite a few times (Scroll down to show “Blocked Threats”), because the traffic was identified as a threat and the session was terminated.

Tab Customisation

At this point I want to show you how you can customize the tabs we just used. You can add, move or remove widgets from each of the tabs and you can create a fully custom tab. All the widgets displayed in the 3 default tabs can be used interchangeably, meaning you can tailor what the ACC displays for each user and role. The network operations team can tailor a tab to show what they are interested in, and the security team can tailor a threat-focused tab in the same manner. You might even want to create a widget dedicated to watching Marsha’s behavior or RapidShare. Just click on the “+” button next to your tabs. (Hover around the “+” button)

Now we are in the Policy tab, and are looking at the “Watch Risky Apps” rule. Of course there are other rules in the Policy tab. We are currently only seeing this one rule, because we did a search for it. Let’s bring up the other rules. (Highlight the “Watch Risky Apps” rule by clicking on the number in the front, then click on the “x” behind the search string above.) Now we can see this rule in evaluation order together with other rules.

In the Policy tab we empower you to manage and control applications in a single security rule base for NGFW, URL filtering, threat prevention, sandboxing, data filtering and file blocking. This means you don’t have to create and manage many different rule bases for all of these functions. Note that our rules are human readable, improving manageability significantly. You can read each rule from left to right and make sense of it. You can see which users have access to which destinations and applications, and how content is inspected. (Scroll from left to right) This simplicity translates directly into fewer errors and improved security.

Let’s check for “RapidShare” in the “Watch Risky Apps” rule first. Let’s look at the applications column for this rule (scroll right to “Applications” column). We can see here in the applications column three application filters. One of them is the filter including all “FileSharing” apps. (Click drop down arrow next to “FileSharing” in the applications column, and select “Value” and then “Show Application Filter”) This file-sharing filter is what we call a “Dynamic Application group” that is defined by any application that has the attribute of file-sharing. By using a “dynamic application group” as a filter we don’t have to worry about missing apps that may be added as part of future content updates. This means any new file-sharing application will be automatically included in this group without us having to touch the rule.

We can see that this rule monitors groups of applications considered “high risk” such as filesharing activity without denying users access. However, based on Marsha Wirth’s activity we actually want to add RapidShare to a rule that blocks specific applications that are too risky. We could create a brand new rule to block “RapidShare”, but first let’s see what other rules we have available to us.

I can see a “Block Bad Apps” rule just above, which would be the right rule to ensure employees are not encountering RapidShare anymore. Let’s open up the “Block Bad Apps” rule. (Click on “Block Bad Apps”) We can see this rule applies to all users (Click on “User” tab) and currently blocks several apps. (Click on “Application” tab). (As the “Add” button cannot be clicked, just hover around the “Add” button to show it) To add RapidShare to this list of blocked apps, we can click on the “Add” button and search for “RapidShare” in the menu. But for the purposes of this demonstration I will click “Cancel”. This is how simple it is to apply app control to the Palo Alto Networks Next Generation Security Platform.

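A conceptual model of the two rules discussed above, added here as an illustration; it is not PAN-OS configuration or Palo Alto Networks code. The catalog contents, the blocked-app list, the app name newshare and the default-deny fallback are assumptions of the model.

```python
from dataclasses import dataclass, field

# Constructed catalog: application -> subcategory (stand-in for App-ID metadata).
CATALOG = {
    "web-browsing": "internet-utility",
    "rapidshare": "file-sharing",
    "bittorrent": "file-sharing",
}

@dataclass
class Rule:
    name: str
    action: str                                        # "allow" or "deny"
    apps: set = field(default_factory=set)             # static application list
    subcategories: set = field(default_factory=set)    # dynamic application filter

    def matches(self, app, catalog):
        # Static entries match by name; a dynamic filter matches by attribute,
        # so it is re-evaluated against whatever the catalog currently holds.
        return app in self.apps or catalog.get(app) in self.subcategories

def evaluate(rulebase, app, catalog):
    """Walk the rules in evaluation order; the first match decides."""
    for rule in rulebase:
        if rule.matches(app, catalog):
            return rule.name, rule.action
    return "default", "deny"    # assumption of this model: unmatched traffic is denied

def build_rulebase():
    # Order mirrors the script: "Block Bad Apps" sits just above "Watch Risky Apps".
    return [
        Rule("Block Bad Apps", "deny", apps={"bittorrent"}),            # constructed list
        Rule("Watch Risky Apps", "allow", subcategories={"file-sharing"}),
    ]

def walkthrough():
    catalog, rules = dict(CATALOG), build_rulebase()
    results = {"before": evaluate(rules, "rapidshare", catalog)}
    # A content update adds a new file-sharing app (hypothetical name).
    catalog["newshare"] = "file-sharing"
    results["new_app"] = evaluate(rules, "newshare", catalog)
    # The change the script proposes: add RapidShare to the block rule.
    rules[0].apps.add("rapidshare")
    results["after"] = evaluate(rules, "rapidshare", catalog)
    results["new_app_after"] = evaluate(rules, "newshare", catalog)
    return results

if __name__ == "__main__":
    for step, verdict in walkthrough().items():
        print(step, verdict)
```

In this model the new app is picked up by the dynamic filter in the allow rule but not by the static block list, so a block rule built from named applications still needs review after content updates.
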
Let’s re-cap: We were looking at our overall network activity in the ACC or Application Command Center, and realized that RapidShare was creating a significant amount of traffic. With just a few clicks we learned more about RapidShare thanks to our App-ID technology. We also found that Marsha Wirth was the primary user of the application. We were quickly able to identify Marsha by name thanks to our User-ID capabilities. From the lab desktop computer she was sending information to three regions. We also found that Marsha’s computer was generating quite a bit of threat traffic and in fact her laptop most likely was compromised. This was made possible with our Content-ID functionality. With just a few more clicks we were able to examine the security rules and modify them appropriately to ensure RapidShare was no longer creating a problem for the network.

Panorama

Let me point out one last thing. If you have more than just a couple of firewalls to manage there is another tab in this user interface called “Panorama”. Panorama is our powerful Network Security Management product, which allows for central management, superior visibility, and streamlined operations of your entire network. With Panorama you have the same powerful visibility and policy control you have with an individual Next Generation Firewall deployment, with added management functionality designed for distributed environments. I encourage you to view our Panorama demo if you are interested in learning more about Panorama.

So that concludes the demo portion of the presentation. Thank you for your time today. I hope we showed you a very clear view of how you can gain visibility and control over applications, users, and content, using the Palo Alto Networks Next-Generation Security Platform.