Ultimate Test Drive: Cybersecurity Portfolio
Workshop Guide
UTD-CP-2.0 © 2020 Palo Alto Networks, Inc. | Confidential and Proprietary 20200912 1
Table of Contents
How to Use This Guide 4
Activity 0 – Initiate the UTD Workshop 5
Task 1 – Log In to Your Ultimate Test Drive Class Environment 5
Task 2 - Understand the UTD Environment Setup 6
Task 3 - Enable Internet Access on the ML-Powered Next-Generation Firewall 7
Task 4 – Install Cortex XDR Agent on Protected Client 8
Task 4 – Your Guide to Security Orchestration Automation and Response (SOAR) 50
Task 5 – Quick Look at Cortex XSOAR 50
Activity 6 – Protection for Public Cloud with VM-Series and Prisma Cloud 52
Task 1 – VM-Series ML-Powered Next-Generation Firewall in Public Cloud 52
Task 2 – Manage VM-Series in Public Cloud with Panorama Plugins 55
Task 3 – Resources for VM-Series in Public Cloud 56
Task 4 – Prisma Cloud for Public Cloud Quick Look 58
Task 5 – Subscribe to Prisma Cloud Free Trial (Optional) 58
Activity 7 – Protecting SaaS Applications and Remote Users with Prisma SaaS and Prisma Access 61
Task 1 - Sanctioned SaaS Applications 61
Task 2 - SaaS Application Security with Prisma SaaS 62
Task 3 - Prisma SaaS Dashboard 63
Task 4 - WildFire Analysis by Prisma SaaS and SaaS Risk Assessment Report 65
Task 5 – Prisma Access Overview 67
How to Use This Guide
The activities outlined in this Ultimate Test Drive Workshop Guide are meant to contain all the information
necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any
potential issues with the UTD environment. This guide is meant to be used in conjunction with the
information and guidance provided by your facilitator.
Notes:
This workshop covers only basic topics and is not a substitute for training classes conducted by Palo Alto
Networks Authorized Training Centers. Please contact your partner or regional sales manager for more
information on available training and how to register for one near you.
Unless specified, the Google® Chrome™ web browser will be used to perform any tasks outlined in the
following activities (Chrome is pre-installed on the student desktop of the workshop PC).
Terminology:
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each tab, found in the left-hand column of each screen.
Activity 0 – Initiate the UTD Workshop
In this activity, you will:
• Log in to the Ultimate Test Drive Workshop from your laptop.
• Learn the layout of the environment and its various components.
• Enable the firewall to facilitate connectivity.
Step 2: Open a browser window and navigate to the class URL. If you have an invitation email, you will
find the class URL and passphrase there. Otherwise, your instructor will provide them.
Step 3: Complete the registration form and click Login at the bottom.
Step 4: Once you have logged in, the system will create a unique UTD environment for you. Please note
that this process may take a while, as indicated by the green progress bar at the top of the screen.
Once the environment has been created, the system displays a welcome page listing all the virtual
systems that make up the UTD environment.
Take note of the shortcut menu at the top of your browser window. You will use this menu throughout the
workshop to switch between the available desktops. Not all tabs fit on screen; click the right arrow or the
down arrow on the right-hand side to see all of them.
Task 3 - Enable Internet Access on the ML-Powered Next-Generation Firewall
Step 1: Click the Security Admin tab to access that desktop in your browser. Click the Security Admin-
OpenKiosk icon to launch the browser. The VM-Series login page should already be loaded; if it is not,
click the VM-Series bookmark using the star icon next to the URL bar.
You can also use the “VM-Series GUI” tab to open a direct connection to the NGFW login page.
Close the Welcome message and you will see the Dashboard view.
Step 2: Go to the Network tab. In the Interfaces node, note that the Link State of ethernet1/1 is red
(the interface is down). Click on ethernet1/1.
Step 3: Click the Advanced tab. Click the Link State drop-down menu to the right of the dialog box,
select up, then click OK to close the window. Click the Commit button in the top right-hand corner to
confirm the changes. Click Commit again in the Commit window to activate the configuration changes.
Step 4: Once the commit process has completed, you will see that the Link State of ethernet1/1 has
turned green now that the interface is up.
Step 2: Double-click the “Install Cortex XDR” icon on the desktop to launch the Cortex XDR Agent
installer.
Step 3: The XDR agent installs automatically. It may take a few minutes for the agent to connect to Cortex
XDR.
Step 4: After the installation, double-click the Cortex XDR icon in the system tray to open the agent
console, then click Check In Now to connect to the Cortex XDR management service. This registers the
newly installed agent with Cortex XDR and retrieves its security policy.
End of Activity 0
Activity 1 – Conduct a Ransomware Attack
In this activity, you will:
• Become the attacker and launch a ransomware attack on the Victim system.
• Experience how the Victim system is compromised through a spear phishing attack.
• Launch a ransomware attack on the Protected Client.
In the next few tasks in this activity, you will play the roles of both the attacker and the victim and see the
ransomware in action.
Task 2 - Check Attacker VM Status
Step 1: Click the Attacker tab to access that desktop in your browser.
Once you launch the Attacker VM, you will see a terminal window open on the desktop. (If prompted, log in
as root with the password toor.)
Step 2: In the terminal window, type the following command and press the Enter/Return key:
root@kali:~# ./demo-attack
This starts the exploit program and configures the Attacker VM to listen for incoming connections and
serve the Adobe Flash use-after-free exploit leaked from Hacking Team (a zero-day at the time of that leak)
to the Victim VM. This process may take a while, so please be patient.
When configuration is completed, the terminal should display the following prompt:
msf exploit(adobe_flash_hacking_team_uaf) >
The Attacker system is now ready and online, waiting for a connection from the Victim system.
Step 3: Enter “sessions” at the prompt to list the active sessions:
msf exploit(adobe_flash_hacking_team_uaf) > sessions
Metasploit should report that there are no active sessions yet.
Task 3 - Compromise Victim System via Exploit
In this task, you take on the role of the victim. As the victim, you have received a spear phishing email,
which includes a hidden link to the attacker’s listener service. You will click the link, and the VM will be
compromised by the exploit delivered by the attacker’s listener service.
Step 1: Go to the Victim desktop. Click the Victim tab to open the Victim VM.
Microsoft Outlook® will be open and running on the desktop. An email with the subject line “Someone has
your password” is displayed in the preview pane. This looks like a legitimate email from Google, informing
you that someone is trying to access your device. The email suggests you review the device to ensure
your password is safe.
Step 2: Click the Review Your Devices Now link in the email. This will open Internet Explorer and,
after a short delay, display a webpage that resembles the Google account login page.
The Google page is only the decoy; the exploit was delivered with it. If you see the page, the Attacker
system has successfully compromised the Victim system. In the next task, you will resume the role of the
attacker and continue the next stage of the attack.
Note: You should not need the credentials for the user associated with the Victim VM. However, if
the system does present you with a login screen, click the icon associated with the user “Jen” and
use the password “Password1”.
Task 4 - Attacker to Upload and Execute the Ransomware on Victim
In this task, you will return to the role of the Attacker and continue the next stage of the attack by
uploading and executing ransomware on the Victim system.
Step 1: Go back to the Attacker VM. You should see the Metasploit listener service received a request,
sent a SWF file in reply, and opened a “Meterpreter” session to the Victim VM.
Step 2: To verify the session between the Attacker and Victim is open, use the “sessions” command to list
the active sessions (hit Enter/Return to get the command prompt):
msf exploit(adobe_flash_hacking_team_uaf) > sessions
An open session indicates that the Attacker has an active, direct connection to the Victim VM, which can
be used to further compromise the system.
Note the Id of the active session connected to the Victim VM. This is the “Session Id” you will need to
enter in the next step. It should be session “1”.
Note: this number may be different if you refreshed the browser on the Victim VM at any point.
Step 3: Initiate an interactive session with the Victim by entering “sessions -i <id>” at the Metasploit
prompt. Substitute your Session Id for the number “1” in this command if you have a different ID number.
msf exploit(adobe_flash_hacking_team_uaf) > sessions -i 1
This will initiate the interactive session, display the message “Starting interaction with 1…” and change
the prompt to a Meterpreter prompt.
At this point, you have connected to the Victim VM and can execute any of the available post-exploitation
commands against the system. For a list of available commands, type “?” and press Enter/Return at the
Meterpreter prompt (we will not explore the Meterpreter commands in this exercise). The Attacker VM has
taken control of the Victim VM at this point.
Step 4: The Attacker VM will now upload the ransomware executable file (happy.exe) to the Victim
VM. Enter the following commands at the prompt:
meterpreter > cd /Temp
meterpreter > dir
meterpreter > upload happy.exe
The dir listing should be empty before the upload. You should see messages confirming that “happy.exe”
has been successfully uploaded to the Victim VM; run dir again to check that the file is there.
The Attacker VM is now ready to launch a ransomware attack on the Victim VM.
Note: The Petya ransomware is used in this exercise.
Once executed, the ransomware simulates a disk check on the Victim VM (the CHKDSK process). However,
the progress counter never stops counting: the fake CHKDSK screen is Petya's cover while it encrypts the
disk after overwriting the boot record.
Step 3: Click on the Send Ctrl-Alt-Delete button on the left side of Victim VM window.
The Victim VM will display a flashing, red and grey “skull and cross bones” image and prompt the user to
“PRESS ANY KEY!”
Step 4: Click inside the “skull and cross bones” image and press the space bar. This should change the
image to a ransomware warning page, with a list of demands and instructions to submit payment in order
to unlock the system.
Note: Leave the Attacker browser tab open. We will return to it in the next activity.
Task 6 - Test Ransomware on the Protected Client
In this task, we repeat the same attack on the Protected Client VM and see what happens.
Step 1: Click the Protected Client tab. Click the Outlook icon. You will see the same email in the
Outlook window. Also note the Cortex XDR window behind it, which we will use in Activity 3.
Step 2: Click the Review Your Device Now link in the phishing email, as you did on the Victim VM.
You should see a “Web Page Blocked” message. It looks like the Protected Client is protected against
compromise from the Stage 1 attack.
You can also see on the Attacker VM that no session was set up for exploit delivery.
In the next activity, we will take a closer look at how the next-generation firewall protects the Protected
Client from the Stage 1 attack.
End of Activity 1
Activity 2 – Protection with the ML-Powered Next-Generation Firewall
In this activity, you will:
• Access the firewall and see how it helps to prevent a ransomware attack.
• Learn about the various layers of protection provided by the Palo Alto Networks ML-Powered
Next-Generation Firewall.
• Witness Cortex XDR preventing a ransomware attack.
Step 2: Click on the ACC tab. This takes you to the Application Command Center, where you can get a
look at the applications and threats the firewall sees.
The Policies tab is where all firewall policies are configured. There are several policy types, from Security
policies that decide which traffic is allowed or denied to NAT and Decryption policies that define other
functions of the next-generation firewall. Feel free to examine the different policy nodes on the left.
Step 3: Click on the Security node. The first policy, Victim to Attacker, is configured as a port-based
firewall policy. Click on Victim to Attacker to open the Security Policy Rule configuration window. Confirm
that the Source is set to Victim and the Destination is set to Attacker.
Step 4: The Victim to Attacker policy is described as port-based because it allows any application to
run on ports 80, 443 and 8080. Review the Application and Service/URL Category tabs to confirm the
policy configuration.
Ports 80 and 443 are the usual ports for HTTP and SSL traffic; port 8080 is often opened for internal web
servers hosting internal webpages. A port-based rule cannot tell an exploit from a web page on any of them.
Step 5: Go to the Actions tab and note that Profile Setting is set to None, meaning no security profiles
(and therefore none of the next-generation threat protections) are applied on this policy. This explains why
the firewall did not provide any protection to the Victim VM. Close the policy window.
Step 1: Click on the Protected Client to Attacker policy to open the Security Policy Rule configuration
window. Note that source and destination are set to Protected Client and Attacker.
Step 2: Go to the Application tab. Note that only selected applications (web-browsing, SSL and Flash)
are allowed.
Step 3: Go to the Service/URL Category tab. Note that application-default is selected, so each allowed
application may only run on its standard ports. You do not need to know which ports those are: the Palo
Alto Networks ML-Powered Next-Generation Firewall keeps track of the default port for each application
in its App-ID database.
Step 4: Go to the Actions tab. Note that protection profiles are configured for Antivirus, Vulnerability
Protection, Anti-Spyware, URL Filtering, Data Filtering and WildFire Analysis. These enable many
protections offered by the firewall.
Step 5: Change the URL Filtering protection to None. Let’s see if disabling URL Filtering will let the
Attacker VM exploit the Protected Client. Click OK to close the policy window.
Step 6: Click the Commit button in the top right-hand corner to confirm the changes. Click Commit again
in the Commit window to activate the configuration changes.
allow the attacker to exploit the system.
Step 1: Go back to the Protected Client and close the Web Page Blocked window. Then click on the
Review Your Devices Now link in the phishing email again.
This time, the Google page will be allowed to open, which shows that the Protected Client VM is not
protected by URL Filtering. Let’s go to the Attacker VM and see if the exploit succeeds.
Step 2: Go to the Attacker browser tab. Note there is no listener session open. Hit enter to get back to
the prompt. Enter “sessions” to see if there are any open sessions. There should be none.
This indicates the Attacker VM was not successful in exploiting the Protected Client VM.
Step 3: Go back to the Security Admin VM. On the firewall, review the traffic logs under
Monitor > Logs > Traffic. At the bottom, click Resolve hostname to enable it.
Step 4: Let’s review the traffic logs. Under the Source column, click on Protected Client. This will
populate the filter bar with the Protected Client VM’s source address. Then, under the Destination
column, click on Attacker to add the Attacker VM’s destination address to the filter.
Step 5: Click on the Apply Filter icon (an arrow pointing to the right) to apply the filter string. Clicking
the values builds a filter of the form (addr.src in <protected-client-ip>) and (addr.dst in <attacker-ip>);
you can also type such filters directly.
Note that the traffic from the Protected Client VM to port 8080 is denied by the firewall.
Does this mean all traffic on port 8080 is blocked? Let’s go to the firewall policy and find out.
Step 6: Go to the Policies tab > Security node and look at the Internal-Web-Servers-on-8080 policy.
This policy only allows the web-browsing application on port 8080, and only to the internal web servers
listed as its destination. Since the Attacker VM is not in the Internal-Web-Servers-on-8080 destination
group, traffic from the Protected Client VM to it is denied.
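The following Python model is added here as an illustration and is not PAN-OS code. It shows why the same Flash request over port 8080 is allowed by the port-based Victim to Attacker rule but matches nothing for the Protected Client until the 8080 policy is widened. The three rule names mirror the lab; the App-ID default-port table is a constructed subset, the internal web server names are invented, and zones and the way the real firewall identifies the application from traffic (rather than being told it) are left out.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Union

# Constructed subset of App-ID standard ports (an assumption for this model;
# the real App-ID database is far larger and identifies the app from traffic).
APP_DEFAULT_PORTS = {
    "web-browsing": frozenset({80}),
    "ssl": frozenset({443}),
    "flash": frozenset({80}),
}
ANY = None  # an unset rule field matches anything


@dataclass(frozen=True)
class Rule:
    name: str
    sources: Optional[FrozenSet[str]]
    destinations: Optional[FrozenSet[str]]
    applications: Optional[FrozenSet[str]]
    service: Union[str, FrozenSet[int]]  # "application-default" or explicit ports
    profiles: bool                       # security profiles attached to the rule?


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    app: str    # application as App-ID would identify it
    dport: int


@dataclass(frozen=True)
class Decision:
    rule: str
    allowed: bool
    profiles: bool


def _field_matches(allowed, value) -> bool:
    return allowed is ANY or value in allowed


def rule_matches(rule: Rule, s: Session) -> bool:
    if not (_field_matches(rule.sources, s.src)
            and _field_matches(rule.destinations, s.dst)
            and _field_matches(rule.applications, s.app)):
        return False
    if rule.service == "application-default":
        # application-default: the app may only use its own standard ports
        return s.dport in APP_DEFAULT_PORTS.get(s.app, frozenset())
    return s.dport in rule.service  # port-based service: any app on these ports


def evaluate(rules: List[Rule], s: Session) -> Decision:
    """First matching rule wins; nothing matching falls to the implicit deny."""
    for rule in rules:
        if rule_matches(rule, s):
            return Decision(rule.name, True, rule.profiles)
    return Decision("interzone-default", False, False)


def lab_rules(attacker_in_8080_group: bool = False,
              flash_on_8080: bool = False) -> List[Rule]:
    """The three rules from the lab; the two switches are the changes made in Step 7."""
    internal_web = {"Internal-Web-1", "Internal-Web-2"}  # constructed names
    if attacker_in_8080_group:
        internal_web.add("Attacker")
    apps_8080 = {"web-browsing"} | ({"flash"} if flash_on_8080 else set())
    return [
        Rule("Victim to Attacker", frozenset({"Victim"}), frozenset({"Attacker"}),
             ANY, frozenset({80, 443, 8080}), profiles=False),
        Rule("Protected Client to Attacker", frozenset({"Protected Client"}),
             frozenset({"Attacker"}), frozenset({"web-browsing", "ssl", "flash"}),
             "application-default", profiles=True),
        Rule("Internal-Web-Servers-on-8080", ANY, frozenset(internal_web),
             frozenset(apps_8080), frozenset({8080}), profiles=True),
    ]


if __name__ == "__main__":
    exploit = ("flash", 8080)  # the SWF served by the Attacker's listener on 8080
    for label, rules, src in [
        ("Victim, port-based rule", lab_rules(), "Victim"),
        ("Protected Client, App-ID rules", lab_rules(), "Protected Client"),
        ("Protected Client, Attacker added to 8080 rule", lab_rules(True), "Protected Client"),
        ("Protected Client, flash added too", lab_rules(True, True), "Protected Client"),
    ]:
        print(f"{label:48} -> {evaluate(rules, Session(src, 'Attacker', *exploit))}")
```

Run it and the Victim's session lands on Victim to Attacker with no profiles; the Protected Client's session matches nothing and falls to the interzone-default deny, which is the denied 8080 traffic in the Traffic log; adding the Attacker to the 8080 rule alone still leaves flash unmatched; and only after flash is added too does the session get through, now with security profiles attached, which is why the block then moves from the Traffic log to the Threat log.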
Step 7: Let’s allow the Attacker on this policy and see if we can compromise the Protected Client VM.
Click on the Internal-Web-Servers-on-8080 policy. In the Destination tab, add Attacker to the
Destination Address.
This policy is meant to allow only web browsing to the internal web servers. If we also want Flash to run
on the internal web servers, or in this case let the Attacker reach the client over Flash, we need to add
flash to the Application tab of this policy as well.
Step 9: Click the Commit button in the upper right-hand corner to confirm the changes.
Step 3: Hit Enter/Return in the Metasploit prompt, then enter the “sessions” command to look for open
sessions. You should not see any, meaning Metasploit still failed to deliver the Flash exploit.
Step 4: Go to the Threat logs (Monitor > Logs > Threat) to review more about the threat that was
detected. You can see that, once again, the next-generation firewall protected the Protected Client VM
from the attack: the traffic was allowed by policy, but the security profiles on the rule blocked the exploit.
Step 1: From Security Admin, Go to Policies > Security > Victim-to-Attacker policy > Source tab and add
the Protected Client to this port-based policy.
Step 2: Commit the changes. Once the commit is completed, the Protected Client has only the same
port-based policy as the Victim, with no security profiles.
Step 3: Go to the Protected Client and close the Google page. Next, go to the phishing email and click
on the Review Your Devices Now link again. The webpage will open, but after a moment, you will see a
Cortex XDR notification that a malicious activity has been blocked.
Even though you have removed all next-generation firewall protections from the Protected Client VM, it is
still protected by Cortex XDR endpoint protection. We will see how Cortex XDR works to prevent the
ransomware attack on the Protected Client in the next activity.
Before we look at Cortex XDR, feel free to go back to the Attacker VM and check for an open attack
session to the Protected Client VM. Use the “sessions” command at the Metasploit prompt; you should see
no open sessions.
End of Activity 2
Activity 3 - Cortex XDR Detection and Response Platform
In this activity, you will:
• See how Cortex XDR Prevent advanced endpoint protection prevents the ransomware attack.
• Take a quick look at Cortex XDR Pro
Step 2: If the Cortex XDR client console is not open, click the Cortex XDR icon on the Windows
taskbar at the bottom of the desktop. This should display the Cortex XDR client console, which will read
“Advanced Endpoint Protection is Enabled.”
Note the date and time of the last check-in, indicated in the bottom left of the Cortex XDR client console.
Step 3: Click the Check In Now link to connect to the Cortex XDR management service and retrieve any
updated security policies. These updates are normally done on a set heartbeat schedule.
The link will change momentarily to Connecting. Once the Cortex XDR client has completed the check-in
process, it will return to Check In Now.
Step 4: Go to the Events tab and select the event to see the details about the protection event triggered
by the exploit hosted by the Attacker VM.
Cortex XDR is a lightweight client that is centrally managed by the Cortex XDR management service. We
will review this in the next task.
The following describes the different licensing tiers that are available for Cortex XDR. Cortex XDR Prevent
focuses on endpoint prevention. Cortex XDR Pro extends data ingestion to network, cloud and third-party
sources and adds automated investigation and integrated response.
In the next task, we will take a quick look at the Cortex XDR web management interface with a Cortex XDR
Prevent license.
If you see an expired page, you can click on the Home icon in Remote Access Control under the
Virtual Keyboard on the left to refresh the login page.
Step 2: Click “LOGIN” on the Single Sign On page to be logged in with the supplied credentials.
You can use the Virtual keyboard under Remote Access Controls on the left hand side to move
forward or back in the browser window. Or click on the Home icon to get back to the login page.
Once logged into Cortex XDR, you get a quick overview of all connected Cortex XDR agents. The
Incident Management Dashboard provides a high-level view of the status of the incidents related to
the Cortex XDR agents managed by your Cortex XDR management service.
Step 3: Cortex XDR provides three different dashboards to give administrators quick access to different
information. We will take a closer look at the incident with the Incident Management Dashboard.
Step 4: Under Top Incidents (Top 10) in the Incident Management Dashboard, you can see the security
events Cortex XDR agents report when a file or process matches the applied policy rules (either default
policy rules or custom rules you define). When such an event occurs, Cortex XDR applies the action
specified in the applied security profile: either block the malicious activity, or allow and report it.
The Cortex XDR management service ranks all events in order of severity, so you can quickly and easily
see the most important events when you log in to the Cortex XDR management service. You can then
drill down into the security events to determine if a security event is a real threat and, if so, you can
remediate it. In some cases, you may determine that a security event does not pose a real threat and can
create an exception for it.
Note: In your lab environment all the VMs, including the Protected Client, are cloned. The Cortex XDR
agent is cloned with them, so all events show the same endpoint name.
Click on the Memory Corruption Exploit incident to review the events raised when the Cortex XDR agent
identified an attempt to run a malicious file or process. This brings you to the details of that event under
Investigation > Incidents.
Step 5: In the Incident window, you can review the details of the selected incident, such as the Key
Artifacts, the time of the event, the host and username, and more.
Step 6: Under Key Artifacts, click on WF Benign under Threat Intelligence to open the WildFire Analysis
report.
Step 7: Palo Alto Networks WildFire is a cloud-delivered malware analysis service that uses data and threat
intelligence from the industry’s largest global community. In this case, the incident was triggered inside
the Windows Internet Explorer process “iexplore.exe”, which is benign on its own (hence the WF Benign
verdict). If an incident is triggered by malware or another unknown process, you will be able to get details
about that malware or unknown process here. Now close the WildFire Analysis Report.
Step 8: Now take a closer look under Alerts. You can learn a great deal from the records displayed in the
Alert table by scrolling to the right. You can see that the incident was triggered by an exploit against
Windows Internet Explorer. That is a good reason to investigate the exploited component further and apply
the latest patch or software upgrade if one is available.
Step 9: The Cortex XDR agent provides multiple prevention methods, each of which includes several
purpose-built prevention techniques tuned for maximum performance and accuracy.
These malware prevention capabilities include:
• WildFire Inspection and Analysis
• Static Analysis
• Execution Restrictions
• Trusted Publisher Identification
• Admin Override Policies
• Malware Quarantine
Please ask your instructor for more in-depth discussion of the malware prevention capabilities of Cortex
XDR agent.
Step 10: Click the Endpoints > Policy Management, then click on Profiles on the left node to view the
security profiles available to Windows, macOS, Linux and Android.
Cortex XDR management service provides default security profiles that you can use out of the box to
begin protecting your endpoints from threats immediately. While security rules enable you to block or
allow files to run on your endpoints, security profiles help you customize and reuse settings across
different groups of endpoints.
• Exploit – Exploit profiles block attempts to exploit system flaws in browsers, and in the operating
system. Exploit profiles are supported for Windows, Mac, and Linux.
• Malware – Malware profiles protect against the execution of malware including trojans, viruses,
worms, and grayware. Malware profiles are supported for all platforms.
• Restriction – Restriction profiles limit where executables can run on the endpoint. Restriction
profiles are supported on the Windows platform.
• Agent Settings – Agent Settings profiles enable you to customize settings that apply to the Cortex
XDR app such as the disk space quota for log retention.
Step 11: Click the Policy Rules node to view the assigned Profiles based on operating system type.
The Cortex XDR management service provides out-of-the-box protection for all registered endpoints with
a default security policy for each type of platform. To fine-tune your security policy, you customize settings
in a security profile and attach that profile to a policy rule.
Note: You have logged into a Cortex Prevent account in this lab activity. In the next task, you will take a
quick look at the Cortex XDR Pro features, but you will not be able to see the same screenshots in the
Cortex XDR Prevent account that you have logged into.
Cortex XDR Pro adds the ability to build customized queries and schedule them to run, allowing more
in-depth investigations.
The Query Builder is a powerful search tool at the heart of Cortex XDR that you can use to investigate
any lead quickly, expose the root cause of an alert, perform damage assessment, and hunt for threats
from your data sources. With Query Builder, you can build complex queries for entities and entity
attributes so that you can surface and identify connections between them. The Query Builder also
provides flexibility for both on-demand query generation and scheduled queries.
An attack event can affect several users or hosts and raise different types of alerts caused by a single
event. You can track incidents, assign analysts to investigate, and document the resolution.
When you identify a threat, you can define specific indicators for which you want Cortex XDR to raise
alerts. You can define rules for the following types of indicators:
• Behavioral Indicators of Compromise (BIOCs) – Identifying threats based on their behaviors can be quite
complex. As you identify specific network, process, file, or registry activity that indicates a threat, you
create BIOCs that can alert you when the behavior is detected.
• Indicators of Compromise (IOCs) – Known artifacts that are considered malicious or suspicious. IOCs are
static and based on criteria such as SHA256 hashes, IP addresses and domains, file names, and paths. You
create IOC rules based on information that you gather from various threat-intelligence feeds or that you
gather as a result of an investigation within Cortex XDR.
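To make the difference between the two rule types concrete, here is an added Python example; it is illustrative and is not Cortex XDR's rule engine or telemetry schema. It evaluates a set of IOC rules and one BIOC-style behavioural rule over a few constructed endpoint records shaped like the lab's attack chain (Internet Explorer exploited, a connection to the Attacker, happy.exe written to C:\Temp and run). The hashes, the attacker address and the host name are invented for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record (constructed shape, not the Cortex XDR schema)."""
    kind: str            # "process", "file" or "network"
    host: str
    pid: int
    image: str           # executable of the acting (or, for "process", the started) process
    ppid: int = 0
    parent_image: str = ""
    sha256: str = ""     # hash of the started (process) or written (file) executable
    path: str = ""       # file written, for kind == "file"
    remote_ip: str = ""  # peer address, for kind == "network"
    domain: str = ""     # peer name, for kind == "network"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts: invented bytes and a lab-style private address,
# not the hash or infrastructure of any real sample.
HAPPY_SHA256 = sha256_hex(b"constructed stand-in for happy.exe")
IE_SHA256 = sha256_hex(b"constructed stand-in for iexplore.exe")
ATTACKER_IP = "10.0.0.66"

# IOC rules: static artifacts keyed by indicator type (hashes and paths lower-cased).
IOC_RULES: Dict[str, Set[str]] = {
    "sha256": {HAPPY_SHA256},
    "ip": {ATTACKER_IP},
    "domain": set(),
    "path": {r"c:\temp\happy.exe"},
}

Hit = Tuple[str, str, Event]


def match_iocs(events: List[Event], rules: Dict[str, Set[str]] = IOC_RULES) -> List[Hit]:
    """Static matching: one hit per (indicator type, event) carrying a listed artifact."""
    hits: List[Hit] = []
    for ev in events:
        if ev.sha256 and ev.sha256.lower() in rules.get("sha256", set()):
            hits.append(("sha256", ev.sha256, ev))
        if ev.remote_ip and ev.remote_ip in rules.get("ip", set()):
            hits.append(("ip", ev.remote_ip, ev))
        if ev.domain and ev.domain.lower() in rules.get("domain", set()):
            hits.append(("domain", ev.domain, ev))
        for candidate in (ev.path, ev.image):   # written file or started image
            if candidate and candidate.lower() in rules.get("path", set()):
                hits.append(("path", candidate, ev))
                break
    return hits


BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
USER_WRITABLE = ("c:\\temp\\", "c:\\users\\", "c:\\windows\\temp\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def bioc_browser_spawns_from_writable_dir(events: List[Event]) -> List[Tuple[str, Event]]:
    """Behavioural rule (BIOC-style): a browser starts a child whose image sits in a
    user-writable directory. Needs no prior knowledge of the file's hash or name."""
    alerts = []
    for ev in events:
        if (ev.kind == "process" and _basename(ev.parent_image) in BROWSERS
                and ev.image.lower().startswith(USER_WRITABLE)):
            alerts.append(("browser spawned executable from user-writable path", ev))
    return alerts


# Constructed telemetry shaped like the lab's attack chain.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
TELEMETRY = [
    Event("process", "PC-JEN", 4100, IE, ppid=900, parent_image=r"C:\Windows\explorer.exe",
          sha256=IE_SHA256),
    Event("network", "PC-JEN", 4100, IE, remote_ip=ATTACKER_IP),
    Event("file", "PC-JEN", 4100, IE, path=r"C:\Temp\happy.exe", sha256=HAPPY_SHA256),
    Event("process", "PC-JEN", 4232, r"C:\Temp\happy.exe", ppid=4100, parent_image=IE,
          sha256=HAPPY_SHA256),
]


def triage(events: List[Event], rules: Dict[str, Set[str]] = IOC_RULES) -> Dict[str, int]:
    return {"ioc_hits": len(match_iocs(events, rules)),
            "bioc_alerts": len(bioc_browser_spawns_from_writable_dir(events))}


if __name__ == "__main__":
    print("with threat-intel IOCs: ", triage(TELEMETRY))
    # Same telemetry, but the sample is unknown to every feed: only the behaviour fires.
    print("sample unknown to feeds:", triage(TELEMETRY, {}))
```

The second run empties the IOC set, which is the situation a new or repacked sample puts you in: every static match is gone, but the behavioural rule still fires because a browser has no business launching an executable from C:\Temp. Before a behaviour like this becomes a blocking rule in production, check it against the benign cases that also match (updaters and installers launched from a download folder) and add exceptions for them.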
Behavioral analytics are essential for stopping attacks. Machine learning enables you to detect low and
slow behaviors accurately and automatically, which is not possible with static rules that look for known
patterns and are not accurate for behavioral detection. XDR obtains data from multiple sources (network,
endpoint and cloud) and stitches them together to create a picture of what is happening.
XDR behavioral analytics enable security teams to detect and stop advanced attacks. XDR analyzes
endpoint, network and cloud data with machine learning. XDR accurately identifies behavior anomalies
that indicate an attack. This integrated analysis helps security analysts identify which apps or tools, such
as PowerShell or WMI, were used for attacks.
XDR analyzes data stored in the Cortex Data Lake Service (data from Palo Alto Networks endpoints, the
cloud, and the next-generation firewalls), including information on users, devices and applications. XDR
examines multiple logs, including Enhanced Application Logs, which provide data specifically designed
for analytics, allowing XDR to track attributes that are nearly impossible to ascertain from traditional threat
logs or high-level network flow data.
The analysis that XDR performs is based on a combination of unsupervised and supervised machine-
learning techniques. XDR uses unsupervised machine learning to model user and device behavior,
perform peer-group analysis, and cluster devices into relevant groups of behavior. With supervised
machine learning, XDR recognizes deviations from expected behavior based on the type of user or
device, reducing false positives.
To learn more about Cortex XDR, you can download the e-book XDR: Enterprise-scale Detection and
Response from Palo Alto Networks:
https://www.paloaltonetworks.com/resources/ebooks/xdr-enterprise-scale-detection-and-response
End of Activity 3
Activity 4 - Prevent Unknown Threat with WildFire
and Cortex XDR
WildFire™ cloud-based threat analysis service is the industry’s most advanced analysis and
prevention engine for highly evasive zero-day malware and exploits. A unique, multi-method
approach combines dynamic and static analysis, machine learning techniques, and
groundbreaking bare metal analysis to detect and prevent even the most evasive threats.
In this activity, you will:
• Learn about WildFire and how it works with the ML-Powered Next-Generation Firewall and Cortex
XDR.
Step 3: Go to Device > Dynamic Updates to review how often PAN-OS will retrieve WildFire updates.
In the latest PAN-OS release, real-time WildFire updates are supported and configured here. Click on
Real-time next to Schedule to review the available options.
Step 4: Close the window and click Commit to commit the changes.
In the new PAN-OS 10.0, WildFire includes an inline machine learning-based engine delivered within the
NGFWs. This signatureless capability prevents malicious content in common file types—such as portable
executable files and fileless attacks stemming from PowerShell®—completely inline, with no required
cloud analysis, no damage to content, and no loss of user productivity.
We will take a quick look at how to enable this new inline machine learning WildFire prevention.
Step 5: Go to Objects > Security Profiles > Antivirus node and click on the default-with-wildfire antivirus
profile.
Step 6: In the Action tab, you can see the new WildFire Inline ML Action option for each protocol.
Step 7: In the WildFire Inline ML tab, you can see more details for each supported model and its action
setting.
This antivirus profile is already applied in the Protected-Client To Internet security policy.
Step 2: Click on Endpoints > Policy Management, select Profiles, then click the Windows
profile.
Step 3: Select a Malware type profile under the Windows Platform, then right-click and select View to
review the details for the malware type.
Step 4: Click on Portable Executable and DLL Examination and scroll down. Notice that under Portable
Executable and DLL Examination you have the option to Upload Unknown Files to WildFire. It is grayed
out because you have read-only access. The same applies to Office Files with Macros Examination.
Task 3 - Download and Execute a Zero-Day Malware Sample File
Step 1: On the Protected Client, open Internet Explorer.
Step 3: Ignore the warning message and select Save to download the “wildfire-test-pe-file.exe” sample file.
Check your Downloads folder to confirm the download.
Step 5: Even though this is a sample file and does not contain any exploit methods, Cortex XDR prevents
it from executing because WildFire does not recognize the file initially. This behavior is controlled by the
Block files with unknown verdict setting in the previous task.
Step 2: Select the incident with Incident Description [‘Local Analysis Malware’ generated by XDR Agent
…..], then right-click and select View Incident.
Step 3: In the Incident details view, you can see more details for this incident, such as the machine and
user name. Scroll to the right in Alerts to see more details of this incident.
Step 4: Select the alert, then right-click and select Analysis to open the analysis view of the alert. Here
you will be able to see the WildFire score or verdict after WildFire has completed its analysis.
Step 5: You can open the WildFire Analysis report by clicking on the report icon under WildFire Score.
Note: It may take around 5 – 10 minutes for a verdict to be returned. You may proceed to the next task
and return to this step later.
Step 6: In the WildFire Analysis Report, you can review all the tests and analysis WildFire has performed
on this file submitted by the Cortex XDR agent.
Note that it can take 5-10 minutes before the entry shows up.
Step 2: Expand the latest entry in the Logs and click the magnifying glass.
Step 3: Note the Verdict of the WildFire analysis. It will be shown as “malicious.”
Step 4: Review the WildFire Analysis Report on the firewall by clicking on the WildFire Analysis Report
tab. Scroll down to see detailed information about this malicious file.
WildFire will store this verdict and the full results of the analysis in the Threat Intelligence Cloud, making it
available to all Palo Alto Networks ML-Powered Next-Generation Firewalls that subscribe to the WildFire
service, anywhere in the world.
End of Activity 4
Activity 5 – Introduction to Cortex Data Lake and
Cortex XSOAR
Palo Alto Networks Cortex Data Lake is a cloud-based offering for context-rich enhanced network
logs generated by our security offerings, including those of our ML-Powered Next-Generation
Firewalls, Prisma Access and Cortex XDR. The Cortex Data Lake is the cornerstone of the Palo
Alto Networks Cortex platform which provides a scalable ecosystem of security applications that
can apply advanced analytics in concert with Palo Alto Networks enforcement points to prevent
the most advanced attacks.
Cortex XSOAR is the industry-leading Security Orchestration, Automation & Response (SOAR)
technology that can automate many response actions requiring human review and allow
overloaded security teams to focus on the actions that really require their attention.
In this activity, we will take a quick look at how to enable Cortex Data Lake on the Palo Alto
Networks ML-Powered Next-Generation Firewall and begin your journey to security orchestration
and automation through Cortex XSOAR.
To enable the Next-Generation Firewalls to send logs to the Cortex Data Lake, they need to be managed
by a Panorama device with the Cortex Data Lake license. The next few activities will show you the
configuration screens and their settings related to the NGFW and Panorama.
Username: student
Password: utd246
Step 2: In your Panorama, across the upper right, navigate to the Panorama tab, then on the bottom left
the Licenses node. Check that the Premium Support license and the Cortex Data Lake license exist.
Step 3: In your Panorama, navigate to the Panorama tab > Managed Devices node > Summary sub-node
and check that the Firewall is a managed device. You will see your NGFW device here.
Note that this step and the following step verify that Managed Firewalls inherit the Logging Service
license from Panorama.
Step 4: In your Panorama, navigate to the Panorama tab > Device Deployment node > Licenses
sub-node to check that the Firewall is licensed for the Cortex Data Lake.
Task 2 – Check the Panorama cloud services plugin and the Cloud
Services status
Step 1: In your Panorama, navigate to the Panorama tab > Plugins node and check that the
cloud_services plugin is uploaded and installed. Note, since you have a read-only account, this screen
will not load.
Note that these plugins are normally downloaded from the Customer Support Portal.
Step 2: In your Panorama, navigate to the Panorama tab > Cloud Services node > Status sub-node
and check the Status color, the amount of Storage Used by Cortex Data Lake, and the estimated Log
Retention. For this lab environment, the numbers you see may fluctuate.
Note that the screenshot above is available because the Panorama has a cloud services plugin
installed and authenticated with Palo Alto Networks using a One Time Password generated through the
Support Portal. These steps were performed prior to this lab.
Step 1: Click on Device, select the Setup node, and make sure Cortex_Data_Lake_Template is
selected under Template.
Step 2: Navigate to the Management tab, scroll down to Cortex Data Lake and view the configuration.
Both Enable Logging Service and Enable Enhanced Application Logging are enabled, and the
Region is americas.
Note that enhanced application logs in PAN-OS 8.1 and above allow the Firewall to send DHCP logs,
DNS logs, and additional HTTP headers directly to Cortex Data Lake, without saving them to disk. Cortex
XDR and other applications in the Cortex platform/App Framework can leverage these logs for further
analysis.
Step 3: Navigate to the Objects tab > Log Forwarding node. Make sure
Cortex_Data_Lake_Device_Group is selected under Device Group.
Step 4: Click on Cortex_Data_Lake_Profile to review that the Forward Method is set to Panorama/Cortex
Data Lake for the various log types.
Step 5: Navigate to the Policies tab > Security node > Post Rules subnode. Make sure Device Group is
set to Cortex_Data_Lake_Device_Group.
Step 6: Review that Example_policy rule has Log Forwarding set to Cortex_Data_Lake_Profile under
Log Setting. The Profile Setting for URL Filtering should be set to URL_Alert_All.
Once you push the rules that are set to use the Cortex_Data_Lake_Profile to the firewall, it will send logs
to the Cortex Data Lake.
Task 4 – Your Guide to Security Orchestration Automation and
Response (SOAR)
Security orchestration involves interweaving people, processes, and technology in the most effective
manner to strengthen the security posture of an organization. By streamlining security processes,
connecting disparate security tools and technologies, and maintaining the right balance of machine-
powered security automation and human intervention, security orchestration empowers security
professionals to effectively and efficiently carry out incident response.
If Security Orchestration Automation and Response (SOAR) is new to you, you can learn about the
basics of security orchestration, its underlying needs, implementation best practices and more from this
free eBook from Palo Alto Networks.
https://start.paloaltonetworks.com/your-guide-to-security-orchestration
To learn about Cortex XSOAR, we invite you to take a quick look at this short video.
https://www.youtube.com/watch?v=DYJX9KFnJNo&feature=youtu.be
If you would like to give Cortex XSOAR a try, you can register as a Community Edition user and
get a 30-day free trial of the full-featured version. Please visit the following site to learn more and
sign up for the Cortex XSOAR Community Edition.
https://start.paloaltonetworks.com/sign-up-for-community-edition.html
End of Activity 5
Activity 6 – Protection for Public Cloud with VM-Series and Prisma Cloud
Network protection must be adapted for cloud native environments while still enforcing consistent
policies across hybrid environments. Leveraging a single security tool with consistent control, the
VM-Series virtual firewalls provide comprehensive network visibility and advanced threat
protection across multi-cloud and hybrid cloud environments. The VM-Series virtual firewalls can
be deployed in many public cloud environments such as Microsoft Azure, Amazon Web Services
(AWS), Google Cloud Platform (GCP) and Oracle Cloud, so the same advanced security policies
and control can be applied across different cloud services and managed from the same user
interface.
The move to the cloud has changed all aspects of the application development lifecycle – security
being foremost among them. Security and DevOps teams face a growing number of entities to
secure as the organization adopts cloud native approaches. Ever-changing environments
challenge developers to build and deploy at a frantic pace, while security teams remain
responsible for the protection and compliance of the entire lifecycle. Prisma™ Cloud delivers
complete security across the development lifecycle on any cloud, enabling you to develop cloud
native applications with confidence.
In this activity, we will take a quick look at how the VM-Series for Public Cloud and Prisma Cloud
products offer comprehensive security for your journey to the public cloud.
You have experienced some of the VM-Series ML-Powered Next-Generation Firewall capability in
the previous lab activities. The same VM-Series NGFW can be deployed in various public clouds to
protect your infrastructure in the same way it does in the data center. We will take a quick look
at how VM-Series can be deployed to protect your public cloud infrastructure.
AWS Marketplace:
https://aws.amazon.com/marketplace/search/results?x=0&y=0&searchTerms=Palo+Alto+Networks
Google Cloud Platform (GCP) Marketplace:
https://console.cloud.google.com/marketplace/browse?q=Palo%20Alto%20Networks
Microsoft Azure Marketplace:
https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=Palo%20Alto%20Networks&page=1
Various licensing models are available for VM-Series in public cloud deployments. The Bring Your Own
License (BYOL) and Enterprise License Agreement (ELA) models are available for customers with current
licenses. Or you can choose between the Bundle 1 and Bundle 2 Pay As You Go (PAYG) licenses, which
offer different subscription bundles.
With a valid public cloud account, you can deploy a VM-Series in your public cloud account using the Pay
As You Go (PAYG) license even if you don’t have an existing license from Palo Alto Networks. Please
note that fees apply to both the license and other public cloud service charges.
Some public cloud providers offer a free Test Drive where you can access a temporarily deployed VM-Series
at no charge. Access is typically limited to a few hours, with no access to the underlying public
cloud configuration such as network, route policy and so on.
Palo Alto Networks offers workshops where you can learn more on how to deploy the VM-Series in
different public clouds. Please discuss with your instructor to learn more about our offerings for the public
clouds.
Task 2 – Manage VM-Series in Public Cloud with Panorama Plugins
Panorama offers easy-to-implement and centralized management features for the VM-Series NGFW so
you can implement the same security policy across different public cloud providers. The Panorama
extensible plugin architecture enables support for the various public cloud providers so you can select
only the plugins you need. We will take a quick look at the Panorama plugins for the supported
public cloud providers.
Step 1: Go to the Panorama GUI, go to the Panorama tab and scroll down on the left-hand side; you
should see the AWS, Azure and Google Cloud Platform nodes under the Plugins node.
Step 2: Click on the AWS node to see the features supported through the plugin.
Step 3: With the release of the new CN-Series container firewall, Panorama will be used to manage the
CN-Series in the respective public cloud container service using the plugins; see the EKS Service Account
tab.
Step 4: Review some of the other plugin options that are available in the Azure and Google Cloud
Platform plugins.
Step 5: After reviewing the public cloud plugins, click on the Plugins node. Here is where you can download
and update to the latest plugin version to access the latest features for the respective public cloud providers
in Panorama. We hope this gives you a quick look at how Panorama can help you manage your Palo Alto
Networks firewalls across multiple public cloud providers. With the read-only Panorama account, you will not
be able to update or refresh the plugins list.
https://live.paloaltonetworks.com/t5/Getting-Started-With-VM-series/ct-p/Getting-Started-Public-Clouds
Step 2: For example, select AWS to visit the AWS Resource Page.
https://live.paloaltonetworks.com/t5/AWS/ct-p/AWS
Step 3: Palo Alto Networks also shares many deployment samples, script files, SDKs and more through
GitHub. Feel free to explore our GitHub repositories for tools that could help your journey in the Public
Cloud.
https://github.com/PaloAltoNetworks
Task 4 – Prisma Cloud for Public Cloud Quick Look
Prisma Cloud is a security and compliance service that dynamically discovers cloud resources and
sensitive data, and subsequently detects risky configurations, network threats, suspicious user behavior,
malware, data leakage, and host vulnerabilities across GCP, AWS, and Azure. It combines the most
comprehensive collection of rule-based security policies and industry-leading machine learning to detect
threats.
Prisma™ Cloud continuously ingests data from hundreds of cloud service provider APIs and threat
intelligence sources, creating a massive data lake of your public cloud deployment. It applies policy- and
machine learning-based analysis to discover and classify assets, flag compliance and governance
violations, detect suspicious activities, and identify data risk. Interactive reports and investigation
capabilities enable rapid incident investigations. Finally, issues are automatically remediated via API
integration with your favorite tools or directly within the Prisma Cloud console itself.
We invite you to take a quick look at a short demo video on Prisma Cloud.
https://www.youtube.com/watch?v=DyEDVWYuvCw
To get the most out of your investment in the Prisma™ Cloud trial, you will need to onboard your public cloud
account of choice to Prisma Cloud. This process requires that you have the correct permissions to
authenticate and authorize the connection between Prisma Cloud and your public cloud account for
retrieval of data. We recommend you take a quick look at the following onboarding requirements to ensure
you have the proper access to your public cloud account before subscribing to the Prisma Cloud trial.
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform-to-prisma-cloud/cloud-account-onboarding.html#idd7795ef9-4841-43f1-8ce3-bc57cb5ce7bb
NOTE: You are required to use your company email or another non-personal email to create a new account
for the trial. Personal email addresses with domains such as @gmail.com or @outlook.com are restricted from
the free trial.
Step 3: Click on Free Trial and then Create Account. (Note that the free trial is valid for 30 days.)
Step 4: Enter the personal and company information requested in the form. Required fields are
indicated with red asterisks. Accept the privacy agreement and click on Create an account.
Step 5: After completing the trial account registration process, your trial tenant will be ready for you
within 24 hours. You will receive a welcome email that includes a link to log in to the Prisma
Cloud tenant once it’s ready.
Step 6: You can follow our Access Prisma Cloud guide here to begin accessing your instance of
Prisma Cloud.
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/get-started-with-prisma-cloud/access-prisma-cloud.html
End of Activity 6
Activity 7 – Protecting SaaS Applications and
Remote Users with Prisma SaaS and Prisma Access
Unsanctioned SaaS (Software as a Service) apps can expose sensitive data and propagate
malware, and even sanctioned SaaS adoption can increase the risk of data exposure, breaches
and noncompliance. Prisma SaaS reins in the risks by offering advanced data protection and
consistency across different SaaS applications.
Your organization’s cloud transformation is changing the way that your users access applications
and the way that you deliver security protection. You need to enable secure access, protect users
and applications, and control data – from anywhere. Prisma Access acts as a firewall service that
protects branch offices and remote users from threats while also providing the security services
expected from a next-generation firewall.
Sanctioned applications are those allowed by your corporate IT team. The Prisma SaaS service connects
to the sanctioned SaaS application using the SaaS application’s API. This API integration allows Prisma
SaaS service to discover and scan all assets retroactively when you first connect the SaaS application.
In this task, you will review how to configure sanctioned applications in the next-generation firewall and how
Prisma SaaS security service can protect the sanctioned application and prevent malicious files from
spreading in your SaaS environment.
Step 2: Open the SaaS Application Report and click Run Now.
Step 3: Take a quick look at the SaaS Report; there may not be any SaaS applications on this firewall, as it
is used only for the lab.
(If you get a login error, click login again to retry with the same login name and password.)
Step 3: Use the saved name and password to log in to the Prisma SaaS console. The account you will
use in this lab is a read-only account, but we can use it to demonstrate many powerful features in the next
task.
Step 4: Your instructor will tell you more about Prisma SaaS. You can also watch this introduction
video on Prisma SaaS to learn more about the service:
https://www.youtube.com/watch?v=sGksNF3mONE
Prisma SaaS supports a large and growing number of SaaS applications. A Prisma SaaS administrator can
easily add applications to be protected by the service.
Step 2: As the Prisma SaaS service starts scanning the sanctioned SaaS applications, the Dashboard
presents a summary of the scan in six widgets: Assets, Content Types, Incidents, Users, Policy Violations
and Collaborators. Scroll down the Dashboard to see all the widgets.
Assets widget —The Assets widget displays the top violations by exposure (public, external, company,
and internal) and the file types associated with the exposure.
Content Types widget — The Content Types widget displays the six predefined data pattern groups and
the total amount of content in the cloud. Click > to drill down into the details by content category.
Incidents widget —The Incidents widget displays the number of the active incidents detected against
data pattern and policy rule violations for each content type.
Step 3: In the Dashboard, select the WildFire rule in the Incidents widget. You will jump to the Incident tab,
filtered to the incidents triggered by the WildFire rule.
Step 2: Click on any risk to view a detailed report. You will find more information about the detected risk,
which applications it was found in and its level of exposure.
Note: Since this is a demo account shared by all lab users, you will see many
WildFire sample files uploaded here. Prisma SaaS scanning is not instantaneous, so
you may not immediately be able to see the sample you have uploaded.
Step 3: Go to the Reports tab and open the pre-generated sample SaaS Risk Assessment Report.
From here, you can also generate a SaaS Risk Assessment Report. Note that you are logged in as a
read-only user so the generate report option is not available.
Ask your instructor for more information about how Prisma SaaS works with next-generation firewalls to
protect your SaaS applications.
Task 5 – Prisma Access Overview
Prisma Access delivers a secure access service edge (SASE) that provides globally distributed
networking and security to all your users and applications. Whether at branch offices or on the go, your
users connect to Prisma Access to safely access cloud and data center applications as well as the
internet.
We invite you to take a quick look at the following short video to learn more about how this cloud-
delivered protection addresses requirements for secure access to applications with global coverage.
https://www.youtube.com/watch?v=robkJtn_g8Q
Palo Alto Networks offers a Secure Access Service Edge (SASE) with Prisma Access workshop where you
can learn more about the different use cases for Prisma Access. Please talk with your instructor if you
are interested in learning more about Prisma Access.
You can find other events at https://events.paloaltonetworks.com/ and filter for the product of your interest
using the Product menu.
End of Activity 7
Activity 8 - Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive event. We hope you enjoyed the presentation and the
labs that we have prepared for you. Please take a few minutes to complete the online survey form to tell
us what you think about this event.
Step 2: Please complete the survey, and let us know what you think about this event.
End of Activity 8
Lab Setup
Firewall VM-Series
Management - 10.30.21.1
Ethernet 1/1 - L3 - 172.16.2.1 - "Untrust"
Ethernet 1/2 - L3 - 10.80.2.1 - "Intranet"
Ethernet 1/3 - L3 - 192.168.21.1 - "Trust"
Ethernet 1/4 - Tap - "Tap"