infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Ultimate Test Drive
Secure Access Service Edge (SASE)

Workshop Guide

UTD-SASE 2.0 © 2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20221212 1

Table of Contents
How to Use This Guide 4
Activity 0 – Initiate the UTD Workshop 5
Task 1 – Log In to Your Ultimate Test Drive Class Environment 5
Task 2 - Understand the UTD Environment Setup 6
Task 3 – Retrieve assigned Student-ID 7

Activity 1 – Prisma Access Introduction 8


Task 1 - Cloud Scale 8
Task 2 - Dataplane Isolation 8
Task 3 - Consuming the SASE Service 9
Task 4 - Always-On Security with Pre-Logon 10

Activity 2 – Securing Private Application Access with ZTNA 1.0 11


Task 1 – Log in to GlobalProtect 11
Task 2 – No Security Inspection 14
Task 3 – Can’t Secure All Applications 15
Task 4 – No Continuous Trust Verification 16

Activity 3 – Securing Private Application Access with ZTNA 2.0 19


Task 1 – Log in to GlobalProtect 19
Task 2 – Continuous Security Inspection 22
Task 3 – Secures All Applications 23
Task 4 – Continuous Trust Verification 24

Activity 4 – Securing Internet and SaaS Access with ZTNA 1.0 28


Task 1 – Standard Controls – SSL Decryption 28
Task 2 – Standard Controls – URL Filtering 29
Task 3 – Standard Controls – Inline Antivirus 30
Task 4 – Bypass Standard Controls 31

Activity 5 – Securing Internet and SaaS Access with ZTNA 2.0 35


Task 1 – Continuous Security Inspection - Block Tor 35
Task 2 – Log in to Prisma Access 38
Task 3 – Continuous Trust Verification - Dynamic User Groups 42
Task 4 – Consistent Control of Data with Enterprise DLP 46

Activity 6 – Modern Threat Protection with ML-Powered Analysis 52


Task 1 – Test WildFire Inline ML 52
Task 2 – Test URL Filtering Inline ML 54

Activity 7 – Explore Prisma Access Cloud Management 56


Task 1 – Log in to Prisma Access Cloud Management 57


Task 2 – Easy Onboarding 58
Task 3 – Best Practice Policy Checks 59
Task 4 – Simplified Day-to-Day Configuration Management 64
Task 5 – Visibility 67
Task 6 – Reporting 68
Task 7 – Prisma Access Insights 69
Task 8 – Autonomous Digital Experience Management 70

Activity 8 – Prisma SD-WAN: Actionable Analytics - Identify & Measure 71


Task 1 – Log in to Prisma SD-WAN Portal 71
Task 2 – Network Analytics 73
Task 3 – Media Analytics 78
Task 4 – Link Quality 81
Task 5 – Flow Browser 82

Activity 9 – Prisma SD-WAN: Application Policy 86


Task 1 – Application Definitions 86
Task 2 – Path Policies 89
Task 3 – QoS Policies 92

Activity 10 – Prisma SD-WAN: Application Defined 96


Task 1 – Topology 96
Task 2 – Site Review 98
Task 3 – Physical Connectivity 99
Task 4 – Secure Fabric 101
Task 5 – Devices 103

Activity 11 - Feedback on Ultimate Test Drive 105


Task 1 – Take the online survey 105

Appendix-1: Network Diagram 106


How to Use This Guide


The activities outlined in this Ultimate Test Drive Workshop Guide are meant to contain all the information
necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any
potential issues with the UTD environment. This guide is meant to be used in conjunction with the
information and guidance provided by your facilitator.

Notes:
This workshop covers only basic topics and is not a substitute for training classes conducted by Palo Alto
Networks Authorized Training Centers. Please contact your partner or regional sales manager for more
information on available training and how to register for one near you.
Unless specified, a Chromium web browser will be used to perform any tasks outlined in the following
activities (Chromium is pre-installed on the Windows VMs).

Terminology:
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each tab, found in the left-hand column of each screen.


Activity 0 – Initiate the UTD Workshop


In this activity, you will:

• Log in to the Ultimate Test Drive Workshop from your laptop.

• Learn the layout of the environment and its various components.

• Retrieve your assigned Student-ID

Task 1 – Log In to Your Ultimate Test Drive Class Environment


Step 1: Verify that your laptop has a modern HTML5-capable browser. We recommend the latest version of
Firefox, Chrome, or Edge.

Step 2: Open a browser window and navigate to the class URL. If you have an invitation email, you will
find the class URL and passphrase there. Otherwise, your instructor will provide them.

Enter your email address and the class passphrase.

Step 3: Complete the registration form and click Login at the bottom.

Step 4: Once you have logged in, the system will create a unique UTD environment for you. Please note
that this process may take a while, as indicated by the progress bar at the top of the screen.

Once the environment has been created, the system will display a welcome page.

This will display a list of all virtual systems that constitute the UTD environment.

Take note of the shortcut menu at the top of your browser window. You will use this menu throughout the
workshop to switch between the available desktops.


Task 2 - Understand the UTD Environment Setup


This UTD environment consists of the following components:
A. Prisma Access: Prisma Access Cloud Management used for hands-on activities.
B. ZTNA 1.0 User: Windows VM for ZTNA 1.0 model user.
C. ZTNA 2.0 User: Windows VM for ZTNA 2.0 model user.

Review the diagram below to better understand the UTD environment setup.

Each student will be assigned a unique Student-ID which will be used for the configuration of your ZTNA
1.0 user and ZTNA 2.0 user VMs.

Your student environment is part of a shared Prisma Access tenant.


Task 3 – Retrieve assigned Student-ID


These are pre-requisite steps necessary to get your environment ready for the workshop. These are
specific to your personal workshop environment and not related to Prisma Access.

Step 1: Click the Student-ID tab. Click the Student-ID icon to launch the browser. The UTD-SASE:
Student-ID page should load.

Step 2: Enter your email and for the Login key: use utd1234.

Click Join.

Step 3: Get Student-ID. Your Student-ID will be used throughout this workshop. It is important to use
your assigned value so as not to interfere with others who are doing this workshop.

End of Activity 0


Activity 1 – Prisma Access Introduction


In this activity, you will:

• Review Prisma Access highlights

Task 1 - Cloud Scale


Prisma Access is built in the cloud to secure at cloud scale – leveraging the largest cloud providers in the
world, enabling elastic scale and the highest performance multi-cloud network backbone. This offers best-
in-class security, auto scaling to absorb surges in workload, while delivering best-in-class end-user
experience.
A list of more than 100 Prisma Access locations can be found here.

Task 2 - Dataplane Isolation


Each customer's deployment is completely separate; this is what Palo Alto Networks calls dataplane
isolation. The customer selects the deployment locations, and dedicated virtual infrastructure is spun up
in those locations for that customer alone.
Although the service is multi-tenant end to end, every customer gets its own dedicated dataplane, so
customers are isolated from one another and each receives consistent, predictable performance.
The benefits are:
Performance isolation
• Customer A's traffic does not impact customer B's; each performs and scales according to its own
requirements.
• This headroom also matters for SSL decryption. Internet-bound traffic should be decrypted and
inspected by a full-featured security stack to block outbound command-and-control from infected
branch endpoints, stop drive-by downloads, deny access to malicious sites, and enforce corporate
policy.

Security isolation
• Customer A's traffic is never mixed with customer B's; each has its own logical nodes. Traffic stays
separate, including per-customer public-facing egress IP addresses, which makes it possible to write
SaaS IP allow-list policies that never admit another customer's addresses.


Task 3 - Consuming the SASE Service


Prisma Access is based on the Palo Alto Networks industry leading security stack that is delivered as a
cloud service.
Once deployed, customers have multiple connectivity and service options:
Desktop Agent
• The most common deployment model. Agents are available for multiple endpoint types, including
Windows, macOS, Linux, Chrome OS, and Android.

Network hardware integration


• For security reasons, Prisma Access uses IPsec exclusively for branch integration. With the GRE
integration used by some SASE solutions, the tunnel carries the inner packets unencrypted, so the
internal source and destination IP addresses are readable by anyone on the path and can be used to
identify targets for exploitation. Prisma Access runs on dedicated virtual infrastructure sized for
IPsec, so customers get encryption without the performance trade-off that leads other vendors to
favor GRE.

Explicit proxy
• Used when a desktop agent is not an option. Uses PAC files on the host.
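To make the GRE point above concrete, here is an added example (my code, not part of the workshop guide or any Palo Alto Networks software) that builds two constructed packets, one GRE-encapsulated and one IPsec ESP-encapsulated in tunnel mode, and reports what a passive observer on the WAN path can recover from each. The addresses are RFC 5737 documentation addresses chosen for the illustration, and the IPv4 checksums are left at zero because nothing here is sent on a network.

```python
"""GRE exposes inner addresses; IPsec ESP hides them. Constructed packets, offline."""
import ipaddress
import struct

GRE_PROTO = 47
ESP_PROTO = 50
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header. Checksum is left 0: illustrative packets only."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def gre_packet(outer_src, outer_dst, inner_src, inner_dst, inner_payload: bytes) -> bytes:
    """Outer IPv4 + 4-byte GRE header (no options) + inner IPv4/TCP packet in the clear."""
    inner = ipv4_header(inner_src, inner_dst, 6, len(inner_payload)) + inner_payload
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version 0, protocol = IPv4
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def esp_packet(outer_src, outer_dst, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Outer IPv4 + ESP header (SPI, sequence) + opaque ciphertext (tunnel mode)."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def parse_ipv4(buf: bytes):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, buf[9], buf[ihl:]


def observe(packet: bytes) -> dict:
    """Everything a passive observer on the WAN can learn from one packet."""
    src, dst, proto, payload = parse_ipv4(packet)
    info = {"outer": (src, dst), "proto": proto}
    if proto == GRE_PROTO:
        flags, ethertype = struct.unpack("!HH", payload[:4])
        hdr_len = 4  # RFC 2784/2890: optional fields extend the header
        if flags & 0xC000:
            hdr_len += 4  # checksum + reserved1
        if flags & 0x2000:
            hdr_len += 4  # key
        if flags & 0x1000:
            hdr_len += 4  # sequence number
        if ethertype == ETHERTYPE_IPV4:
            # No confidentiality: the inner header is readable and maps the branch network.
            isrc, idst, iproto, _ = parse_ipv4(payload[hdr_len:])
            info.update(inner=(isrc, idst), inner_proto=iproto)
    elif proto == ESP_PROTO:
        spi, seq = struct.unpack("!II", payload[:8])
        # Only the SPI and sequence number are visible; the inner IP header sits
        # inside the encrypted payload, so no internal address leaks.
        info.update(spi=spi, seq=seq)
    return info


if __name__ == "__main__":
    gre = gre_packet("203.0.113.10", "198.51.100.20", "10.1.2.3", "10.9.8.7", b"GET / ...")
    esp = esp_packet("203.0.113.10", "198.51.100.20", 0x1234ABCD, 1, b"\x00" * 48)
    print(observe(gre))  # inner addresses 10.1.2.3 -> 10.9.8.7 are visible
    print(observe(esp))  # only outer addresses, SPI and sequence are visible
```

The GRE branch also has to skip the optional checksum, key and sequence fields; a real dissector would go on to read the inner TCP ports as well, which is exactly the reconnaissance value the text warns about.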


Task 4 - Always-On Security with Pre-Logon


From the time a client boots and has network connectivity, it is connected to the SASE service using
certificate-based machine authentication, so the client is protected and its traffic is inspected even
before a user logs in.
An always-on posture matters not only for keeping clients patched; it also makes them reachable for
software deployments, upgrades, new packages, and group policy changes. With pre-logon, clients connect
before any user session exists, so they are available for those management tasks. Endpoints deployed in
the always-on model are protected from boot time against malicious activity, and because their traffic is
inspected continuously, any command-and-control (C2) beacon from malware already embedded on the host
can be blocked as well.

End of Activity 1


Activity 2 – Securing Private Application Access with ZTNA 1.0

In this activity, you will:
• Review Zero Trust Network Access (ZTNA) 1.0
• Transfer a malicious file over a Windows file share
• Try to connect to a SSH server over a non-standard port
• Observe what happens when a client becomes non-compliant

Zero Trust Network Access (ZTNA) 1.0 restricts access with coarse-grained network controls. It treats an
application as a network construct at layers 3 and 4 (IP address and port), which gives limited control
and grants users far more access than they need, violating the principle of least privilege.

The resulting "allow and ignore" model trusts and rarely verifies. Once access to an application is
granted, that communication is implicitly trusted for the life of the session. This assumes the user and
the application will always behave in a trustworthy manner, which is never guaranteed. Every breach rides
on activity that policy allowed, and an "allow and ignore" model cannot prevent it.

In this activity, you will access the network as a ZTNA 1.0 user without all of the Prisma Access
capabilities.

Task 1 – Log in to GlobalProtect


Step 1: Click the ZTNA 1.0 User tab to access that desktop in your browser.

Step 2: You will be connected to the ZTNA 1.0 User desktop.


Step 3: From the system tray, click the icon and then GlobalProtect .

Step 4: Click the Connect button.

Step 5: In the GlobalProtect Login window, sign in to the GlobalProtect application with the following
credentials:
Username: ztna1-user[X] where [X] is your assigned Student-ID (e.g. ztna1-user25)
Password: Password1!

Click Sign In.

This establishes a secure tunnel from the ZTNA 1.0 User VM to the nearest available Prisma Access
gateway.

Note: You have been logged in based solely on the provided credentials and no security check of
your system has been done. In the ZTNA 1.0 model, the user does not get the benefit of
continuous trust verification based on ongoing user behavior. You could disable protections like
Anti-Virus and/or the firewall and would still be allowed to connect.


Depending on which CloudShare regional data center your workshop is originating from, you are likely to
see the Gateway as US-East, Netherlands Central, or Singapore.

Step 6: Click the Change Gateway drop-down to see the available gateways that are user selectable for
this Prisma Access tenant.

Click into the GlobalProtect window to dismiss the drop-down list.

Note: You may get a notification regarding a new version of the GlobalProtect agent being available. You
may choose to update or not, it should not affect your lab.

Step 7: Click the hamburger icon then select Settings to bring up the GlobalProtect Settings
window.

From Connections see the details on this connection to the Prisma Access gateway.

Click the icon to close the window.


Task 2 – No Security Inspection


The ZTNA 1.0 model assumes traffic is safe once access is granted and performs little to no inspection.
That is security through obscurity: there is no way to detect or prevent malware delivery or lateral
movement across a connection once a user has been allowed to reach an application.
Server Message Block (SMB) is a good example. SMB is a network file-sharing protocol that lets applications
on one computer read and write files and request services from server programs elsewhere on the network;
it is also the basis of Microsoft's Distributed File System (DFS) implementation.
Malware distribution is not limited to web and FTP traffic. SMB is a common vehicle, especially for moving
files inside a Windows environment, so a SASE solution must be able to inspect SMB traffic and find and
block malicious files carried over it.

Step 1: From the ZTNA 1.0 User VM, double-click the SMB batch file on the Desktop.

A cmd window will temporarily pop-up and execute the command to mount the remote SMB share.

Step 2: Click the File Explorer icon on the Taskbar.

Step 3: From File Explorer, double-click the SMB icon for share(\\192.168.251.50)(Z:).

Step 4: Click and drag the benign and malicious zip files from the remote share to your desktop.


Both files copy over without being blocked. The ZTNA 1.0 user has no full security stack inspecting this
application, so the malicious file is never examined.

Step 5: Close the File Explorer window by clicking the X in the upper-right corner.

Task 3 – Can’t Secure All Applications


ZTNA 1.0 secures some applications, some of the time: only the subset of private apps that use static ports
can be controlled, because policy is written in terms of port numbers rather than the application actually
running on the wire. Let's see what can happen when that assumption is abused.
SSH runs on port 22 by default. Here we will connect to an SSH server that has been made to listen on port
445, the default port for SMB, through a rule that permits port 445.

Step 1: From the ZTNA 1.0 User VM, click the PuTTY icon on the Taskbar.

Step 2: From the PuTTY Configuration window, select SSH over port 445 and then click the Load
button.

This will populate the IP of 192.168.251.100 for the IP address and 445 for the port.

Click Open.

If prompted with a PuTTY Security Alert, click the Accept button.


Step 3: You have been allowed to connect to an SSH server over port 445. The rule that permits "SMB"
(port 445) admits any protocol that happens to use that port.

Port-based rules leave you exposed and violate least privilege access.

As there is nothing further to show, click the X icon in the upper-right corner to close the
connection.

Task 4 – No Continuous Trust Verification


Once you are granted access, ZTNA 1.0 continues to provide that access even if the client becomes non-
compliant.

Step 1: From the ZTNA 1.0 User VM, click the Command Prompt icon on the Taskbar.

Step 2: From the Command Prompt window, type ping 8.8.8.8

Step 3: Click the Windows Security icon on the Taskbar.


Step 4: From Windows Security, click Virus & threat protection under Security at a glance.

Step 5: Click Manage Settings under Virus & threat protection settings.

Step 6: Disable Real-time protection and Cloud-delivered protection.


Click Yes when prompted by the User Account Control pop-up.

Click the X icon to close the Windows Security window.

Windows will inform you that virus protection has been turned off.

Step 7: From the Command Prompt window, type ping 8.8.8.8 again. The ping continues uninterrupted.

ZTNA 1.0 performs no continuous trust verification: a session granted to a compliant host stays open after
the host stops being compliant.

Click the X icon to close the Command Prompt window.

End of Activity 2


Activity 3 – Securing Private Application Access with ZTNA 2.0

In this activity, you will:
• Review Zero Trust Network Access (ZTNA) 2.0
• Transfer a malicious file over a Windows file share
• Try to connect to a SSH server over a non-standard port
• Observe what happens when a client becomes non-compliant

Prisma Access is built to secure all users and applications with fine-grained user-to-application access
controls. Because it operates at layers 3 through 7, it can enforce least privilege at the application and
sub-application (function) level, the most granular access control possible.

It secures all applications, all of the time, and does so consistently for modern cloud-native apps, SaaS
apps, and legacy private apps, including applications that use dynamic ports and applications that rely on
server-initiated connections.

In this activity, you will access the network as a ZTNA 2.0 user with the additional Prisma Access security
protections.

Task 1 – Log in to GlobalProtect


Step 1: Click the ZTNA 2.0 User tab to access that desktop in your browser.

Step 2: You will be connected to the ZTNA 2.0 User desktop.


Step 3: From the system tray, click the icon and then GlobalProtect .

Step 4: Click the Connect button.

Step 5: In the GlobalProtect Login window, sign in to the GlobalProtect application with the following
credentials:
Username: ztna2-user[X] where [X] is your Student-ID (e.g. ztna2-user25) – be sure to do ztna2
Password: Password1!

Click Sign In.

This establishes a secure tunnel from the ZTNA 2.0 User VM to the nearest available Prisma Access
gateway.


Note: You have been logged in based on your credentials as well as your system having been
verified that its HIP (Host Information Profile) is compliant with company policy.

Click the X to close the window.

Step 7: Click the hamburger icon then select Settings to bring up the GlobalProtect Settings
window.

From Connections see the details on this connection to the Prisma Access gateway.

Step 8: Click Host Information Profile to learn more about what system information was collected.

Click the icon to close the window.


Task 2 – Continuous Security Inspection


The ZTNA 1.0 user was limited to port-based access controls without full-stack security. As a ZTNA 2.0
user you get App-ID least-privilege controls for SMB together with full-stack security that monitors and
protects against malware delivery even over non-web protocols such as SMB.

Step 1: From the ZTNA 2.0 User VM, double-click the SMB batch file on the Desktop.

A cmd window will temporarily pop-up and execute the command to mount the remote SMB share.

Step 2: Click the File Explorer icon on the Taskbar.

Step 3: From File Explorer, double-click the SMB icon for share(\\192.168.251.50)(Z:).

Step 4: Click and drag the benign and malicious zip files from the remote share to your desktop.

This time only the benign file copies. An Interrupted Action pop-up appears because Prisma Access inspects
the SMB stream, detects the malicious file, and prevents it from being written to your local file system.

Step 5: Close the File Explorer window by clicking the X in the upper-right corner.


Task 3 – Secures All Applications


App-ID identifies applications from the traffic itself, regardless of port, so there is complete visibility
into which application is actually in use and the inspection that full-stack security was designed for
can be applied to it. The identification is based on deep packet inspection rather than approximations from
destination IP or domain, and it is built into the platform rather than relying on third-party technology.

Step 1: From the ZTNA 2.0 User VM, click the PuTTY icon on the Taskbar.

Step 2: From the PuTTY Configuration window, select SSH over port 445 and then click the Load
button.

This will populate the IP of 192.168.251.100 for the IP address and 445 for the port.

Click Open.

Step 3: Policy allows the SSH application only over its default port (22), so the connection to an SSH
server on port 445 is not allowed. App-ID inspects the traffic and recognizes it as SSH; the rule for port
445 admits only SMB, so least privilege is preserved.

The connection will eventually time out and you will see the below message.

Click the OK button and then X icon in the upper-right corner to exit PuTTY.
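The two PuTTY tasks (Activity 2 Task 3 and Activity 3 Task 3) hinge on the difference between naming an application by its port and identifying it from the bytes actually exchanged. The following added example (my code, not from the guide and not App-ID itself, which is proprietary) writes a toy classifier for both approaches and applies the same "allow SMB" rule to an SSH session on port 445. The signatures are the public ones from the protocol specifications; the Flow records are constructed first-packet captures.

```python
"""Port-based vs payload-based application identification. Constructed flows, offline."""
from dataclasses import dataclass

PORT_TABLE = {22: "ssh", 445: "smb", 80: "web-browsing", 443: "ssl"}
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


@dataclass(frozen=True)
class Flow:
    dst_port: int
    client_bytes: bytes        # first bytes the client sent
    server_bytes: bytes = b""  # first bytes the server sent


def app_by_port(flow: Flow) -> str:
    """ZTNA 1.0 style: the destination port *is* the application."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def app_by_payload(flow: Flow) -> str:
    """App-ID style: identify the protocol from what is on the wire, ignoring the port."""
    c, s = flow.client_bytes, flow.server_bytes
    # SSH: each side opens with an identification string "SSH-2.0-..." (RFC 4253 s4.2)
    if c.startswith(b"SSH-") or s.startswith(b"SSH-"):
        return "ssh"
    # SMB direct over TCP: 4-byte NetBIOS session header (type 0x00 + 3-byte length)
    # followed by the protocol id "\xffSMB" (SMB1) or "\xfeSMB" (SMB2/3)
    if len(c) >= 8 and c[0] == 0x00 and c[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"
    # TLS: record type 0x16 (handshake), record version 0x03xx
    if len(c) >= 3 and c[0] == 0x16 and c[1] == 0x03:
        return "ssl"
    # Plain HTTP: request line starts with a method token
    if c.split(b" ", 1)[0] in HTTP_METHODS:
        return "web-browsing"
    return "unknown"


def decide(flow: Flow, rules: list, port_based: bool) -> str:
    """Ordered (app, action) rules; first match wins; implicit deny at the end."""
    app = app_by_port(flow) if port_based else app_by_payload(flow)
    for rule_app, action in rules:
        if rule_app == app:
            return action
    return "deny"


# Constructed first-packet captures for the two scenarios in the guide.
SSH_ON_445 = Flow(445, b"SSH-2.0-PuTTY_Release_0.78\r\n", b"SSH-2.0-OpenSSH_8.9\r\n")
SMB_ON_445 = Flow(445, b"\x00\x00\x00\x2c\xfeSMB" + b"\x00" * 40)
ALLOW_SMB_ONLY = [("smb", "allow")]

if __name__ == "__main__":
    for name, flow in (("ssh on 445", SSH_ON_445), ("smb on 445", SMB_ON_445)):
        print(name,
              "port-based:", decide(flow, ALLOW_SMB_ONLY, port_based=True),
              "payload-based:", decide(flow, ALLOW_SMB_ONLY, port_based=False))
```

Because a payload-based classifier needs the first few packets before it can name the application, the TCP handshake and SSH banner exchange are allowed through and the connection is cut off once the verdict is "ssh"; that is why PuTTY in Activity 3 reports a timeout rather than an immediate refusal.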

Task 4 – Continuous Trust Verification


Once you are granted access, ZTNA 2.0 keeps examining your security posture and reacts if the client
becomes non-compliant.

Step 1: From the ZTNA 2.0 User VM, click the Command Prompt icon on the Taskbar.

Step 2: From the Command Prompt window, type ping 8.8.8.8

Step 3: Click the Windows Security icon on the Taskbar.

Step 4: From Windows Security, click Virus & threat protection under Security at a glance.


Step 5: Click Manage Settings under Virus & threat protection settings.

Step 6: Disable Real-time protection and Cloud-delivered protection.

Click Yes when prompted by the User Account Control pop-up.

Windows will inform you that virus protection has been turned off.


Step 7: A GlobalProtect Notification window will pop-up informing you that your system is no longer
compliant with company policy.

Click the X to close the window.

Step 8: From the Command Prompt window, type ping 8.8.8.8 again.

Step 9: Return to the Windows Security window and reenable Real-time protection and Cloud-
delivered protection.

Click Yes when prompted by the User Account Control pop-up.

Step 10: The GlobalProtect Notification window will now inform you that your system is compliant again
as the HIP check has met company policy again.

Click the X to close the window.


Step 11: From the Command Prompt window, ping 8.8.8.8 again.

Click the X icon to close the Command Prompt window.

Step 12: From the Windows Security window, click the X to close it.
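Activity 2 Task 4 and Activity 3 Task 4 put the same host through the same posture change under two models. The added example below (my code, not the guide's, and not the real HIP schema: the HostReport fields and the HipPolicy thresholds are assumptions for illustration) models a HIP-style check as a policy evaluated over a posture report, then runs the workshop sequence, login, disable real-time and cloud-delivered protection, re-enable them, through a session that checks once (ZTNA 1.0) and one that re-checks every report (ZTNA 2.0).

```python
"""HIP-style posture evaluation, checked once (ZTNA 1.0) or on every report (ZTNA 2.0)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class HostReport:
    """Constructed stand-in for what the agent collects; not the real HIP schema."""
    realtime_protection: bool
    cloud_protection: bool
    firewall_enabled: bool
    av_definitions_date: date


@dataclass(frozen=True)
class HipPolicy:
    """Assumed company policy used in this example."""
    require_realtime: bool = True
    require_cloud: bool = True
    require_firewall: bool = True
    max_definition_age_days: int = 7


def evaluate(report: HostReport, policy: HipPolicy, today: date) -> list:
    """Return the failed checks; an empty list means the host is compliant."""
    failures = []
    if policy.require_realtime and not report.realtime_protection:
        failures.append("real-time protection disabled")
    if policy.require_cloud and not report.cloud_protection:
        failures.append("cloud-delivered protection disabled")
    if policy.require_firewall and not report.firewall_enabled:
        failures.append("host firewall disabled")
    age = (today - report.av_definitions_date).days
    if age > policy.max_definition_age_days:
        failures.append(f"AV definitions {age} days old (max {policy.max_definition_age_days})")
    return failures


class Session:
    """Access decision for one tunnel. continuous=False freezes the login-time result."""

    def __init__(self, report: HostReport, policy: HipPolicy, today: date, continuous: bool):
        self.policy = policy
        self.continuous = continuous
        self.failures = evaluate(report, policy, today)  # both models check at login

    def on_report(self, report: HostReport, today: date) -> None:
        """Called each time the agent submits a fresh report."""
        if self.continuous:
            self.failures = evaluate(report, self.policy, today)
        # ZTNA 1.0: the login-time result is never revisited

    def allowed(self) -> bool:
        return not self.failures


def workshop_sequence(continuous: bool) -> list:
    """Login, then disable AV (Step 6), then re-enable it (Step 9); one decision per stage."""
    today = date(2022, 12, 12)
    healthy = HostReport(True, True, True, av_definitions_date=today - timedelta(days=1))
    session = Session(healthy, HipPolicy(), today, continuous)
    decisions = [session.allowed()]
    session.on_report(replace(healthy, realtime_protection=False, cloud_protection=False), today)
    decisions.append(session.allowed())
    session.on_report(healthy, today)
    decisions.append(session.allowed())
    return decisions


if __name__ == "__main__":
    print("ZTNA 1.0:", workshop_sequence(continuous=False))
    print("ZTNA 2.0:", workshop_sequence(continuous=True))
```

Returning the list of failed checks rather than a bare boolean is what lets the agent tell the user why the system is "no longer compliant with company policy" and lets the gateway log the reason for the access change.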

End of Activity 3


Activity 4 – Securing Internet and SaaS Access with ZTNA 1.0

In this activity, you will:

• Explore the limited user and application controls provided by the ZTNA 1.0 model

• Bypass those controls with the Tor Browser

In this activity, the ZTNA 1.0 user has a basic security posture: URL filtering, inline antivirus, and SSL
decryption. The user can browse sites such as espn.com but cannot reach gambling sites, which company
policy blocks, and malware downloads over standard web applications are also blocked.

Task 1 – Standard Controls – SSL Decryption


By default, Prisma Access can decrypt SSL/TLS traffic, and because it runs at cloud scale there is no
performance degradation. Decryption works by re-signing each site's certificate with a forward-trust CA
that the endpoint has been configured to trust, so the browser shows that CA, rather than the site's public
CA, as the issuer.

Step 1: From the ZTNA 1.0 User VM, open the Chrome/Chromium browser from the Taskbar.

Step 2: Click the ESPN bookmark.

Step 3: Click the lock icon, then click Connection is secure.


Step 4: Click Certificate is valid.

Step 5: In the Certificate window, note that Issued to: is the site you are on, while Issued by: is the
Prisma Access decryption CA rather than the site's public CA, because SSL decryption is taking place.

Click OK to close the window.
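The certificate check in Steps 3 to 5 can be automated from the endpoint. The added example below (my code, not from the guide) uses only the Python standard library: classify() decides from the issuer whether a connection was re-signed by a decryption CA, and check_site() performs the live handshake. The forward-trust CA name and the two certificate dictionaries are constructed for the illustration; the real issuer string is whatever your tenant's decryption certificate says. The caveat a practitioner wants is in check_site(): when the forward-trust CA is not in the endpoint's trust store, the handshake fails verification, and that case is reported on its own rather than being mistaken for an undecrypted connection.

```python
"""Detect TLS decryption (forward-trust re-signing) from the client side. Stdlib only."""
import socket
import ssl

# Assumed name of the decryption CA; take the real value from your tenant's
# forward-trust certificate (constructed for this example).
FORWARD_TRUST_CNS = {"Prisma Access Forward Trust CA"}


def issuer_cn(cert: dict) -> str:
    """Pull commonName out of the 'issuer' tuple that SSLSocket.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def classify(cert: dict, forward_trust_cns=FORWARD_TRUST_CNS) -> str:
    """'decrypted-by-proxy' if the leaf was signed by a known decryption CA, else 'direct'."""
    return "decrypted-by-proxy" if issuer_cn(cert) in forward_trust_cns else "direct"


def check_site(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (needs network). Uses the OS trust store, so a forward-trust CA that the
    VPN agent installed on the endpoint validates; one that is missing does not."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        # Either the decryption CA is not trusted on this host, or something else on
        # the path is re-signing certificates. Never report this as 'direct'.
        return "verification-failed"


# Constructed getpeercert()-style dictionaries (shape matches the stdlib, values invented).
INTERCEPTED = {
    "subject": ((("commonName", "www.espn.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Palo Alto Networks"),),
        (("commonName", "Prisma Access Forward Trust CA"),),
    ),
}
DIRECT = {
    "subject": ((("commonName", "www.espn.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public Intermediate CA"),),
    ),
}

if __name__ == "__main__":
    print("intercepted sample:", classify(INTERCEPTED))
    print("direct sample:", classify(DIRECT))
    # print(check_site("www.espn.com"))  # run from the lab VM to see the live verdict
```

Run check_site() from both lab VMs: the ZTNA 1.0 and 2.0 users should both see "decrypted-by-proxy" for espn.com, and a laptop outside the tunnel should see "direct".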

Task 2 – Standard Controls – URL Filtering


Step 1: Click the Gambling.com bookmark.


Step 2: URL filtering blocks this site.

Task 3 – Standard Controls – Inline Antivirus


Step 1: Click the Eicar bookmark.

Note: If prompted with a This website uses cookies pop-up, just click the X in the upper right-hand
corner.

Step 2: Scroll down to the section Download area using the secure, SSL enabled protocol HTTPS.


Step 3: Attempt to download any of the provided samples. The download is blocked: the EICAR test file is
detected as malware by the inline antivirus.

Note that this only works because SSL decryption is taking place. You cannot protect what you cannot
inspect.

Task 4 – Bypass Standard Controls


Common security measures such as URL filtering and antivirus block access to malicious websites and the
distribution of malware.
Malware and malicious actors do not play by the rules. They adapt and evade, for example by using Tor to
slip past basic security measures. The Tor Browser builds an encrypted circuit to a Tor relay, so the proxy
or firewall sees only a TLS connection to the relay, never the sites being visited or the files being
downloaded, and Tor's transport is designed to get through proxies, IPS devices, and firewalls. Because the
circuit looks like innocuous encrypted web traffic, Tor nodes can be used to exfiltrate data and to carry
command-and-control, including through tor2web gateways.
When a ZTNA 1.0 user, or a compromised host, starts Tor, those standard security features are no longer
effective: malware and malicious traffic go undetected.

Step 1: Open the Tor Browser from the Taskbar.


Step 2: Click the Connect button to initiate a circuit to a Tor relay.

Step 3: Once the connection is established, the default page will be displayed.

Step 4: Click the Gambling.com bookmark.

Step 5: The site that URL filtering blocked earlier loads successfully in the Tor Browser: the request
travels inside the Tor circuit, where the filter cannot see it.


Step 6: Click on the lock icon to view the Tor circuit that was built in order to access this site.

Click the lock icon again to dismiss the pop-up.

Step 7: Click the Eicar bookmark.

Note: If prompted with a This website uses cookies pop-up, just click the X in the upper right-hand
corner.

Step 8: Scroll down to the section Download area using the secure, SSL enabled protocol HTTPS.

Step 9: Attempt to download any of the provided samples.


Click Save File. The file is saved to the Desktop.

Close the Tor Browser.

The same evasion that defeats URL filtering also bypasses antivirus inspection, since the download travels
through the encrypted circuit. Without continuous trust verification, stronger application controls, and
full security inspection, the ZTNA 1.0 user represents a higher level of risk.

End of Activity 4


Activity 5 – Securing Internet and SaaS Access with ZTNA 2.0

In this activity, you will:

• See the benefits of continuous security inspection

• Explore how Prisma Access security policies are configured

• Perform auto-tagging based on user behavior

• Enterprise DLP

The ZTNA 2.0 user is subject to fine-grained user-app access controls. This allows you to fully realize the
principle of least privilege access.

Task 1 – Continuous Security Inspection - Block Tor


Step 1: From the ZTNA 2.0 User VM, open the Tor Browser from the Taskbar.

Step 2: Click the Connect button to initiate a circuit to a Tor relay.


Step 3: This time the connection is blocked.

Click Tor Network Settings.

Step 4: Scroll down to the Bridges section.

Bridges are Tor relays that are not listed in the public Tor directory, so they cannot be enumerated and
blocked as easily as ordinary relays.

Step 5: Click Use a bridge and then select obfs4 from the drop-down for Select a built-in bridge. obfs4 is
a pluggable transport that scrambles the Tor handshake so the connection does not look like Tor, or like
any other known protocol, on the wire.

Step 6: Click Try Connecting Again from the top of the settings page.


Step 7: Another “Tor failed to establish a Tor network connection.” message will appear.

Click Tor Network Settings.

Select snowflake from Select a built-in bridge.

Snowflake leverages other users’ systems that have installed a plugin in a browser such as Chrome or
Firefox. That plugin allows other Tor users to tunnel traffic through those browsers to obscure the source
address of their traffic and evade enterprise security controls.

Step 8: Click Try Connecting Again from the top of the settings page.

Step 9: After some time, the connection will fail again. If you do not wish to wait, click the cancel button.

Click Tor Network Settings.

Select meek-azure from Select a built-in bridge.

Meek-azure leverages other evasive techniques.

Step 10: Click Try Connecting Again from the top of the settings page.

Step 11: The connection attempt should quickly fail.

Close the Tor Browser.


Task 2 – Log in to Prisma Access


Step 1: Click the Prisma Access tab.

It can take a minute to connect and display the login page.

Step 2: The username, utd-sase-viewer@pan-labs.net should already be filled in.

Click Next.

Step 3: The password will automatically fill-in.

Click Sign In.

Step 4: You should be on the Overview page. If not, click Manage > Service Setup > Overview.

Note: If you have a problem logging in, please try the Prisma Access-alternative tab.


Step 2: Navigate to Manage > Service Setup > GlobalProtect. Then click the GlobalProtect App tab.

Step 3: Scroll down to the User Status section and click on the number next to Current Users.

Step 4: All the currently logged-in users can be found here. You can also search for your assigned
student-id.

Each logged-in user is mapped to what is known as a User-ID. These users can also be associated with
group mappings, as has been done for the ZTNA 1.0 and ZTNA 2.0 users. These User-IDs and group
mappings can then be applied to security policies.


Step 5: Navigate to Manage > Configuration > Security Services > Security Policy

Step 6: Set the Security Policy to Mobile Users

Step 7: Scroll down to the Security Policy Rules section. Then look for Mobile Users Container.

These are the security policies used in this lab. Under User you can see the ztna1.0 and ztna2.0 groups;
the group is also reflected in the Name of each policy.


Step 8: Let us explore the security policies that were responsible for blocking the Tor Browser in the
previous task.

ZTNA-2.0 Deny traffic to known Tor nodes – Palo Alto Networks maintains and publishes an External
Dynamic List (EDL) of known Tor exit nodes. The destination IP address matches the EDL named Palo
Alto Networks – Tor exit IP addresses and is blocked. This EDL is constantly updated by Palo Alto
Networks. There are other built-in EDLs that can be found under Configuration > Objects > External
Dynamic Lists.

ZTNA-2.0 Deny evasive apps – This policy blocks applications known to employ evasive techniques.
You will see more in the next step.

ZTNA-2.0 Deny unwanted apps – Prohibited applications like BitTorrent and unknown TCP/UDP are
matched on this rule. This goes back to the least privilege model and these categories of apps should not
be allowed.

ZTNA-2.0 Outbound traffic to WAN – This is the standard security policy for the ZTNA 2.0 user to allow
traffic out to the Internet. All allowed traffic is subject to best-practice security profiles.

Step 9: Navigate to Manage > Configuration > Objects > Application Filters. The evasive-apps filter
matches on applications that fall under the category of networking and subcategory of encrypted-tunnel.

Step 10: Click evasive-apps to see the matching applications.
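To make the first-match logic of these four rules and the evasive-apps application filter concrete, here is an added Python example. It is not code from this workshop or from Palo Alto Networks: the EDL contents, the App-ID category table and the sample sessions are constructed stand-ins (the real Palo Alto Networks – Tor exit IP addresses EDL is maintained by Palo Alto Networks, and the real App-ID database is far larger), and the group name ztna2.0 is taken from the policy view above.

```python
import ipaddress

# Constructed stand-in for the "Palo Alto Networks - Tor exit IP addresses" EDL.
# The real list is published and refreshed by Palo Alto Networks; these are
# documentation-range addresses chosen only so the example runs offline.
TOR_EXIT_EDL = """
# one IP address or CIDR per line; comments and blank lines are ignored
203.0.113.10
203.0.113.11
198.51.100.0/24
"""

# Constructed App-ID metadata (category, subcategory) for a handful of apps.
# Values here are for illustration only.
APP_CATALOG = {
    "tor":          ("networking", "encrypted-tunnel"),
    "psiphon":      ("networking", "encrypted-tunnel"),
    "bittorrent":   ("general-internet", "file-sharing"),
    "web-browsing": ("general-internet", "internet-utility"),
    "dns":          ("networking", "infrastructure"),
}

# The "Deny unwanted apps" rule names these explicitly.
UNWANTED_APPS = {"bittorrent", "unknown-tcp", "unknown-udp"}


def parse_edl(text):
    """Parse an EDL body into ip_network objects, tolerating comments and blanks."""
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def in_edl(ip, networks):
    """True if the destination address falls inside any EDL entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def matches_evasive_filter(app):
    """The evasive-apps filter: category networking, subcategory encrypted-tunnel.
    Apps missing from the catalog are treated as unknown and do not match here."""
    category, subcategory = APP_CATALOG.get(app, ("unknown", "unknown"))
    return category == "networking" and subcategory == "encrypted-tunnel"


def evaluate(user_group, dst_ip, app, tor_networks):
    """Top-down, first-match evaluation of the four ZTNA-2.0 mobile-user rules.
    Returns (action, rule_name), or ("no-match", None) if no rule applies."""
    if user_group != "ztna2.0":
        return ("no-match", None)
    if in_edl(dst_ip, tor_networks):
        return ("deny", "ZTNA-2.0 Deny traffic to known Tor nodes")
    if matches_evasive_filter(app):
        return ("deny", "ZTNA-2.0 Deny evasive apps")
    if app in UNWANTED_APPS:
        return ("deny", "ZTNA-2.0 Deny unwanted apps")
    return ("allow", "ZTNA-2.0 Outbound traffic to WAN")


if __name__ == "__main__":
    nets = parse_edl(TOR_EXIT_EDL)
    # Constructed sessions: (user group, destination IP, App-ID)
    for session in [("ztna2.0", "203.0.113.10", "web-browsing"),
                    ("ztna2.0", "192.0.2.5", "tor"),
                    ("ztna2.0", "192.0.2.5", "unknown-tcp"),
                    ("ztna2.0", "192.0.2.5", "web-browsing")]:
        print(session, "->", evaluate(*session, nets))
```

Note that the EDL rule matches on the destination address alone, so even plain web-browsing to a listed exit node is denied before App-ID is consulted; the application filter and the unwanted-apps rule are only reached for destinations outside the list.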


Task 3 – Continuous Trust Verification - Dynamic User Groups


Enterprises are looking to deliver more automated responses to network risks. This includes
pivoting information derived from user activity into actionable data to deliver more agile and
faster responses to possible threats. Prisma Access can deliver behavior-based controls to
mitigate risks and reinforce the security posture.
Access control for users can be enforced through the use of Dynamic User Groups (DUGs), allowing
enterprises to respond dynamically to user behavior. Tags are used as matching criteria to
populate DUGs with users. Users can be auto-tagged through multiple methods, giving enterprises
flexible integration options.
This task will show how a user can be prevented from communicating further on the network when
malicious behavior is detected.

Step 1: From the ZTNA 2.0 User VM, click the Command Prompt icon on the Taskbar.

Step 2: From the Command Prompt window, type ping 8.8.8.8

Step 3: Open the Chrome/Chromium browser from the Taskbar.

Step 4: Open the DUG > Botnet trigger bookmark.

Step 5: This will simulate botnet “phone home” traffic and will be blocked.


Step 6: From the Command Prompt window, type ping 8.8.8.8 again.

Your user has been added to the malicious-user DUG and this traffic has been blocked.

Step 7: There is a 5-minute expiration timer configured for this DUG. You can wait or trigger another
action by typing ping 1.1.1.1

This will remove your user from the malicious-user DUG.

Step 8: ping 8.8.8.8 once more.

Step 9: From the Prisma Access tab, navigate to Activity > Logs > Log Viewer


Step 10: Switch the log to Firewall/Threat from the drop-down.

You can search on source_user = 'ztna2-user[X]@pan-labs.net' where [X] is your assigned student-id.

This was the threat event that triggered the rest of the automated actions.

Step 11: Go to Manage > Configuration > Objects > Tags

The malicious-user tag is the identifying object used in the next steps.

Step 12: Go to Manage > Configuration > Objects > Auto-Tag Actions.


Step 13: Open Add malicious-user tag.

The tagging rule indicates that when a botnet threat is detected, the malicious-user tag is added to that user.

Review the Remove malicious-user tag action to see what happened when you pinged 1.1.1.1.

Step 14: Go to Manage > Configuration > Objects > Dynamic User Groups.

Step 15: Open DUG-malicious-user.

The dynamic user group adds any user with the malicious-user tag associated with it.

Step 16: Navigate to Manage > Configuration > Security Services > Security Policy. Scroll down to
the Mobile Users Container and review the security policy ZTNA-2.0 Deny ping for malicious-user.
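The auto-tag, expiry and DUG membership flow you just traced in the console can be simulated end to end. The following Python example is added here and is not code from the workshop or from the product: the log field names (log_type, threat_category, source_user, app, dst_ip) and the student user ztna2-user1@pan-labs.net are constructed for the example, and a manual clock stands in for real time so the 5-minute expiry can be observed without waiting.

```python
import time
from collections import defaultdict

MALICIOUS_TAG = "malicious-user"
TAG_TTL_SECONDS = 300                      # the 5-minute expiration configured on the tag in this lab
LAB_USER = "ztna2-user1@pan-labs.net"      # constructed student user (student-id 1)


class ManualClock:
    """Controllable clock so the expiry timer can be exercised without waiting."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TagRegistry:
    """Maps user -> {tag: expiry timestamp}; expired tags are dropped on read."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._tags = defaultdict(dict)

    def add(self, user, tag, ttl):
        self._tags[user][tag] = self._clock() + ttl

    def remove(self, user, tag):
        self._tags[user].pop(tag, None)

    def tags_for(self, user):
        now = self._clock()
        live = {t: exp for t, exp in self._tags[user].items() if exp > now}
        self._tags[user] = live
        return set(live)


def dug_members(registry, tag, users):
    """A Dynamic User Group is simply the set of users currently carrying its match tag."""
    return {u for u in users if tag in registry.tags_for(u)}


def apply_auto_tag_actions(registry, log):
    """Constructed equivalents of the lab's 'Add malicious-user tag' and
    'Remove malicious-user tag' auto-tag actions, driven by one log record.
    Field names are made up for this example, not the Prisma Access log schema."""
    user = log["source_user"]
    if log["log_type"] == "threat" and log.get("threat_category") == "botnet":
        registry.add(user, MALICIOUS_TAG, TAG_TTL_SECONDS)
    elif log["log_type"] == "traffic" and log.get("app") == "ping" and log.get("dst_ip") == "1.1.1.1":
        registry.remove(user, MALICIOUS_TAG)


def ping_allowed(registry, user):
    """Stand-in for the rule 'ZTNA-2.0 Deny ping for malicious-user':
    ping is denied while the user is a member of the DUG."""
    return MALICIOUS_TAG not in registry.tags_for(user)


def run_lab_scenario():
    """Replays Steps 2-8 of this task; returns the verdict of each ping 8.8.8.8."""
    registry = TagRegistry(ManualClock())
    verdicts = [ping_allowed(registry, LAB_USER)]                         # Step 2: allowed
    apply_auto_tag_actions(registry, {"log_type": "threat", "threat_category": "botnet",
                                      "source_user": LAB_USER})           # Step 5: botnet trigger
    verdicts.append(ping_allowed(registry, LAB_USER))                     # Step 6: denied
    apply_auto_tag_actions(registry, {"log_type": "traffic", "app": "ping", "dst_ip": "1.1.1.1",
                                      "source_user": LAB_USER})           # Step 7: remove action
    verdicts.append(ping_allowed(registry, LAB_USER))                     # Step 8: allowed again
    return verdicts


def run_expiry_scenario():
    """Shows the 5-minute timeout removing the user from the DUG without any remove action."""
    clock = ManualClock()
    registry = TagRegistry(clock)
    apply_auto_tag_actions(registry, {"log_type": "threat", "threat_category": "botnet",
                                      "source_user": LAB_USER})
    before = dug_members(registry, MALICIOUS_TAG, [LAB_USER])
    clock.advance(TAG_TTL_SECONDS + 1)
    after = dug_members(registry, MALICIOUS_TAG, [LAB_USER])
    return before, after


if __name__ == "__main__":
    print("ping verdicts:", run_lab_scenario())
    print("DUG before/after expiry:", run_expiry_scenario())
```

The point to notice is that the security rule never changes: it always references the DUG, and enforcement follows the tag state, which is why a threat log entry can cut a user off within the same session and the timeout or a remove action restores access without an administrator touching policy.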

Task 4 – Consistent Control of Data with Enterprise DLP


Data loss prevention (DLP) is a set of tools and processes that allow you to protect sensitive information
against unauthorized access, misuse, extraction, or sharing. Enterprise DLP enables you to enforce your
organization’s data security standards and prevent the loss of sensitive data across mobile users and
remote networks.
Enterprise DLP is a cloud-based service that uses supervised machine learning algorithms to sort
sensitive documents into Financial, Legal, Healthcare, and other categories for document classification to
guard against exposures, data loss and data exfiltration. These patterns can identify the sensitive
information in your cloud apps and protect them from exposure.
Enterprise DLP offers hundreds of data patterns and many predefined data filtering profiles, and it is
designed to automatically make new patterns and profiles available to you for use in Data Filtering
policies, as soon as they are added to the cloud service.

Step 1: From the Prisma Access tab, navigate to Manage > Configuration > Security Services > Data
Loss Prevention.

Data filtering profiles are a collection of data patterns that are grouped together to scan for a specific
object or type of content. To perform content analysis, the predefined data profiles have data patterns that
include industry-standard data identifiers, keywords, and built-in logic in the form of machine learning,
regular expressions, and checksums for legal and financial data patterns. When you use the data filtering
profile in a Data Filtering policy rule, the firewall can inspect the content for a match and take action.


Step 2: Click ZTNA-2.0 DLP to see the Data Patterns being used in this profile.

Step 3: Go to Data Loss Prevention > Detection Methods > Data Patterns.

Predefined data patterns and built-in settings make it easy for you to protect files that contain certain file
properties (such as a document title or author), credit card numbers, regulated information from different
countries (such as driver’s license numbers), and third-party DLP labels. To improve detection rates for
the sensitive data in your organization, you can supplement the predefined data patterns with custom
data patterns that are specific to your content inspection and data protection requirements. In a custom
data pattern, you can also define regular expressions and file properties to look for metadata or attributes
in the file's custom or extended properties and use it in a data filtering profile.
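Here is an added Python example (not the workshop's or Enterprise DLP's own code) of how a credit-card data pattern combines a regular expression with a checksum, so that a number that merely looks like a card number does not trigger a block, and how the matched value is partially masked in the snippet that is later shown in the incident. The sample document and the pattern name credit-card-number are constructed; the Luhn check is the standard algorithm used by payment card numbers.

```python
import re

# Constructed document standing in for the lab's Customer_data file.
SAMPLE_DOC = """Customer: A. Example
Card on file: 4111 1111 1111 1111
Backup card: 5500-0000-0000-0004
Order ref: 1234 5678 9012 3456
"""

# Candidate: 13-16 digits, optionally separated by single spaces or hyphens,
# ending in a digit so no trailing separator is captured.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits):
    """Standard Luhn checksum: from the right, double every second digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits, visible=4):
    """Partial masking as used for DLP snippets: keep only the last `visible` digits."""
    return "*" * (len(digits) - visible) + digits[-visible:]


def scan_credit_cards(text):
    """Apply the constructed 'credit-card-number' data pattern: regex candidate plus checksum."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                     # rejects the order reference below
            findings.append({"pattern": "credit-card-number",
                             "snippet": mask(digits),
                             "offset": m.start()})
    return findings


def dlp_verdict(text, block_threshold=1):
    """A minimal data filtering profile: block when at least `block_threshold` matches occur."""
    findings = scan_credit_cards(text)
    action = "block" if len(findings) >= block_threshold else "allow"
    return action, findings


if __name__ == "__main__":
    action, found = dlp_verdict(SAMPLE_DOC)
    print(action)
    for f in found:
        print(f)
```

The order reference in the sample passes the regular expression but fails the checksum, so only the two genuine card numbers are reported; the snippet stored with each finding is already masked, which is the behaviour the incident view later relies on so that an analyst can confirm the match without re-exposing the data.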

Step 4: From the ZTNA 2.0 User VM, open the DLP > DLP website upload bookmark from the browser.

Note that this site is being accessed over HTTPS.


Step 5: Click the Choose File button.

Step 6: From the File Explorer pop-up, click Desktop on the left-hand column and select
Customer_data.

Click Open.

Step 7: Click the Upload button.

Step 8: The upload of the file containing sensitive data is blocked.


Step 9: Open the DLP > DLP OneDrive upload bookmark from the browser.

In the Enter password box, type utd1234 and click Verify.

Step 10: Click Upload > Files.

Step 11: From the File Explorer pop-up, click Desktop on the left-hand column and select
Customer_data.

Click Open.


Step 12: The file is blocked.

Step 13: From the Prisma Access tab, go to Activity > Logs > DLP Incidents.


Step 14: Click on one of the Customer_data.docx entries to bring up the details of that incident.

Enterprise DLP extracts a snippet of the sensitive data that caused the alert or block notification. A
snippet enables forensics by allowing you to verify why an uploaded file generated an alert notification or
was blocked. By default, Enterprise DLP uses data masking to partially mask the snippets to prevent the
sensitive data from being exposed. You can configure this behavior from Panorama to completely mask
the sensitive information, unmask the snippets, or disable snippet extraction and viewing.

End of Activity 5


Activity 6 – Modern Threat Protection with ML-Powered Analysis

In this activity, you will:

• Review Inline ML security profiles

• Observe real-time detection of malware files and malicious web sites

Millions of new cyberthreats emerge every year, with organizations constantly racing to prevent them.
Leveraging cloud-scale resources, automation, and other techniques, today’s adversaries enjoy some
inherent advantages: the ability to spread their attacks more quickly than ever, and the ability to deploy
polymorphic malware and malicious content that evades detection by constantly changing its identifiable
features.
Palo Alto Networks has delivered the world’s first ML-Powered Next-Generation Firewall (NGFW),
providing inline machine learning (ML) to block unknown file- and web-based threats. Using a patented
signatureless approach, WildFire and URL Filtering proactively prevent weaponized files, credential
phishing, and malicious scripts without compromising business productivity. Palo Alto Networks hardware,
virtual NGFW, and Prisma Access can apply new ML-based prevention capabilities:
• WildFire inline ML inspects files at line speed and blocks malware variants of portable executables,
PowerShell files, as well as Linux executables, which account for a disproportionate share of
malicious content.
• URL Filtering inline ML inspects unknown URLs at line speed. This feature can identify phishing
pages and malicious JavaScript in milliseconds, stopping them inline so nobody in your network ever
sees them.

Task 1 – Test WildFire Inline ML


Step 1: From ZTNA 2.0 User, open the Inline ML > WildFire Inline ML bookmark from the browser.

Step 2: The file will start to download. As soon as WildFire Inline ML detects the threat, the connection is
reset, and the download fails.


Step 3: From the Prisma Access tab, go to Activity > Logs > Log Viewer > Firewall/Threat.

To help filter for your result, search for sub_type.value = 'ml-av' AND source_user = 'ztna2-
user[X]@pan-labs.net' where [X] is your assigned student-id.

Step 4: Click on the details icon to get more information on this entry. Expand this by clicking Log
Details >.

Note that the subtype is ml-av which indicates this file was determined to be malicious due to WildFire
Inline ML. You can explore the many other details available.

Step 5: You can review the other associated logs by clicking on the log type / timestamp on the left. It is
easy to pivot from the threat log to the traffic log.


Task 2 – Test URL Filtering Inline ML


Step 1: From ZTNA 2.0 User, open the Inline ML > URL Filtering Inline ML bookmark from the
browser.

Step 2: The page will start to display. Once the URL Filtering Inline ML engine detects the content as a
phishing site, the connection is reset.

Step 3: From the Prisma Access tab, go to Activity > Logs > Log Viewer > Firewall/URL.

To help filter for your result, search for inline_ml_verdict.value = 'phishing' AND source_user =
'ztna2-user[X]@pan-labs.net' where [X] is your assigned student-id.

Step 4: Click on the details icon to get more information on this entry. Expand this by clicking Log
Details >.

Note that the Inline ML Verdict is phishing which indicates this site was determined to be malicious due
to URL Filtering Inline ML.
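Both log searches in this activity use the same field = 'value' AND field = 'value' form. The following Python example, added here and not part of the workshop or of the Prisma Access log viewer, parses that form and applies it to a handful of constructed log records. The field names sub_type.value, inline_ml_verdict.value and source_user follow the two queries on this page; the other record fields, the values, and the student-id 1 are made up for the example.

```python
import re

# One term of the filter syntax used above: field = 'value'
TERM = r"([A-Za-z0-9_.]+)\s*=\s*'([^']*)'"
FILTER_SYNTAX = re.compile(rf"\s*{TERM}(?:\s+AND\s+{TERM})*\s*")


def parse_filter(expr):
    """Parse "field = 'value' AND field = 'value'" into a list of (field, value) pairs.
    Only equality terms joined by AND are supported, which is all the lab queries use."""
    if not FILTER_SYNTAX.fullmatch(expr):
        raise ValueError(f"unsupported filter expression: {expr!r}")
    return re.findall(TERM, expr)


def lookup(record, dotted_field):
    """Resolve a dotted field such as sub_type.value against a nested dict."""
    current = record
    for key in dotted_field.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def apply_filter(records, expr):
    """Return the records for which every term of the filter matches."""
    terms = parse_filter(expr)
    return [r for r in records if all(lookup(r, field) == value for field, value in terms)]


# Constructed log records. Only the field names used by the two lab queries follow
# the page; every other field and value is made up for the example.
SAMPLE_LOGS = [
    {"log_type": "threat", "sub_type": {"value": "ml-av"},
     "source_user": "ztna2-user1@pan-labs.net", "file_name": "sample.exe"},
    {"log_type": "threat", "sub_type": {"value": "vulnerability"},
     "source_user": "ztna2-user1@pan-labs.net", "threat_id": "constructed-1"},
    {"log_type": "threat", "sub_type": {"value": "ml-av"},
     "source_user": "ztna2-user2@pan-labs.net", "file_name": "other.exe"},
    {"log_type": "url", "inline_ml_verdict": {"value": "phishing"},
     "source_user": "ztna2-user1@pan-labs.net", "url": "example.invalid/login"},
    {"log_type": "url", "inline_ml_verdict": {"value": "benign"},
     "source_user": "ztna2-user1@pan-labs.net", "url": "example.invalid/"},
]

WILDFIRE_QUERY = "sub_type.value = 'ml-av' AND source_user = 'ztna2-user1@pan-labs.net'"
URL_QUERY = "inline_ml_verdict.value = 'phishing' AND source_user = 'ztna2-user1@pan-labs.net'"

if __name__ == "__main__":
    for query in (WILDFIRE_QUERY, URL_QUERY):
        print(query)
        for hit in apply_filter(SAMPLE_LOGS, query):
            print("  ", hit)
```

Scoping every query to source_user is what keeps your results separate from those of the other students sharing the tenant; the same habit applies in production, where a detection filter without a user or source constraint returns every tenant-wide hit.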


Step 5: As before, you can pivot to any associated logs from here.

End of Activity 6


Activity 7 – Explore Prisma Access Cloud Management

In this activity, you will:

• Review Prisma Access Cloud Management

Prisma Access Cloud Management is a simple yet powerful cloud-delivered solution that enables
comprehensive security management through a single security rule base, with simplified workflows to
address use cases in threat prevention, URL filtering, application awareness, user identification,
sandboxing, file blocking, and access control. It provides complete visibility into the entire deployment
alongside actionable insights to help improve the end user experience. This crucial simplification of
security management and continuous assessment of Palo Alto Networks-defined best practices allow you
to improve your organization’s security posture. Key features include:
Configuration
• Intuitive workflows to quickly onboard remote users and locations to Prisma Access
• Out-of-the-box defaults to simplify configuration and accelerate time to value
• Cloud native platform with a unified management experience

Security Visualization and Reporting


• Centralized visibility and insights across Prisma Access
• Interactive, comprehensive reports and dashboards
• Detailed logs across applications, users, threats, and device posture

Security Posture Improvement


• Built-in Best Practice Assessments
• Inline validation to easily improve security posture
• Reporting based on the Center for Internet Security’s CIS Critical Security Controls® to better
mitigate risks

Automation
• Alerts and notifications for service outages
• Proactive assistance capabilities to maintain the health of the deployment
• Autonomous Digital Experience Management (ADEM) for insights across the entire service
delivery path


Task 1 – Log in to Prisma Access Cloud Management


Step 1: Click the Cloud Management tab.

It can take a minute to connect and display the login page.

Step 2: The username, utd-sase@pan-labs.net should already be filled in.

Click Next.

Step 3: The password will automatically fill-in.

Click Sign In.

Step 4: You should be on the Overview page. If not, click Manage > Service Setup > Overview.


For day-to-day management, you can check in here to:


• Get at-a-glance configuration status
• Restore an earlier configuration version, to recover from a configuration push with unintended
impacts to traffic flow or security
• Identify unused objects and rules and clean up your configuration
• Pinpoint areas where you can make configuration changes that would strengthen your security
posture

Task 2 – Easy Onboarding


Accelerate time to value from Prisma Access with out-of-the box default configuration and simplified
onboarding workflows built into the core of Cloud Management.

Streamlined workflows and intuitive navigation let you complete complex configuration tasks with ease.
You can onboard mobile users and remote networks using predefined configuration and templates. For
example, pre-built tunnel configuration is available to easily onboard remote sites and branches.

Step 1: This Prisma Access tenant has already been on-boarded. Please review the short videos at
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin.html


Task 3 – Best Practice Policy Checks


The threat landscape is evolving, and your organization needs to keep up. Prisma Access Cloud
Management continuously assesses the configuration of your entire deployment against Palo Alto
Networks recommended best practices. You can leverage this information and take action to improve
your organization’s security posture as configuration changes in your environment over time. These best
practices are integrated into the flows to detect offending configurations and help administrators
remediate issues.
Best practice checks are available for:
• Security policy rule base – how security policy is organized and managed, including configuration
settings that apply across many rules
• Security rules
• Security profiles
• Authentication
• Decryption

Best practice guidance aims to help you bolster your security posture, but also to help you manage your
environment efficiently and to best enable user productivity. Continually assess your configuration against
these inline checks - and when you see an opportunity to improve your security, take action then and
there.

Step 1: Navigate to Manage > Service Setup > Overview.

This provides a high-level view of how you are doing and to help pinpoint areas where you might want to
start taking action.


Step 2: Go to Manage > Configuration > Security Services > Security Policy. Make sure Rulebase is
selected.

Best practice scores are displayed on a feature dashboard (security policy, decryption, or URL Access
Control, for example). These scores give you a quick view into your best practice progress. At a glance,
you can identify areas for further investigation or where you want to take action to improve your security
posture.

Step 3: Click Failed Rulebase Checks. Expand the Best Practice Check Name to get more details
and the recommended action to take.

Where applicable, references to Center for Internet Security and National Institute of Standards and
Technology controls are listed.

Click the icon.


Step 4: Field-level checks show you exactly where your configuration does not align with a best practice.
Best practice guidance is provided inline, so you can immediately take action.

Hover the cursor over the BPA Verdict to get the recommended action.

Step 5: Click on any policy name with a Fail for BPA Verdict.

Step 6: Click Best Practices Check.


Field-level checks show you exactly where your configuration does not align with a best practice. Best
practice guidance is provided inline, so you can immediately take action.

Step 7: Go to Manage > Configuration > Security Services > Security Policy. Then click Best
Practices.


Step 8: Here you can get a comprehensive view into how your implementation of a feature aligns with best
practices. Examine failed checks to see where you can make improvements (you can also review passed
checks). Rule base checks highlight configuration changes you can make outside of individual rules, for
example to a policy object that is used across several rules.


Task 4 – Simplified Day-to-Day Configuration Management


Prisma Access Cloud Management keeps enterprise users in mind by providing consistent management
for all users, applications, and locations. Manage Prisma Access with a single security rule base for all
types of traffic, inbound, and internet-bound (SWG). Threat prevention, URL filtering, sandboxing, file
blocking, and data filtering are additional capabilities on the same rule.

Enable security features with ease by efficiently configuring security policies, services, and other
capabilities within a single flow.

Step 1: Navigate to Manage > Configuration > Security Services > Vulnerability Protection. Make
sure Configuration is selected.

Profiles are how you enable security services - like Threat Prevention, WildFire, and URL Filtering - for
your network traffic. Profiles perform advanced inspection for traffic that a security rule allows; they scan
for and prevent threats, attacks, misuse, and abuse.

Best practice security profiles are built-in to Prisma Access and enabled by default. Best practice checks
are also provided inline, so that you can continuously assess your configuration and improve your
security posture. For customization, management, and visibility into each security profile type, you can
visit the profile dashboard.

Profile dashboards consolidate profile configuration; everything you need to set up and manage profiles is
in one place. The dashboards also give you access to all the features a profile offers and resources you
can use to inform profile updates (for example, content release updates, the Threat Vault, and PAN-DB
site classifications).


Step 2: Click Current Threat Content.

You can see that the latest Application and Threats Content release notes are easily accessible.

Step 3: From Threat Search, search for CVE-2021-26855.

Step 4: Review the matching threat coverage by Threat ID.


Step 5: Click on a Threat ID to get more details.

Click Cancel.

Step 6: Navigate to Manage > Configuration > Security Services > Decryption.

Identify encrypted traffic that you want to inspect for visibility, control, and granular security. Decryption
policy rules allow you to define traffic to decrypt and the type of decryption you want to perform on the
indicated traffic. All you need to do to start decrypting traffic is set up the certificates Prisma Access
requires to act as a trusted third-party to a session. For everything else, we’ve built in best practice
decryption settings, including settings to exclude sensitive content from decryption, as well as sites that
are known to not work well when decrypted. Everything you need is in a single location.


Task 5 – Visibility
Prisma Access Cloud Management provides comprehensive visibility across the entire deployment. In the
Logs tab, you can view and query across all the Prisma Access logs, including traffic, threat,
authentication, and system logs. You can filter on specific entries and view related logs to troubleshoot
any issues. The solution also provides proactive health assurance for the entire Prisma Access
deployment.

Step 1: From the left-hand navigation pane, click on Activity > Logs > Log Viewer.

Prisma Access Cloud Management provides Network logs (Traffic, Threat, URL, File, HIP Match) and
Common logs (System and Configuration).

You can view details for each log entry, and for threat logs, you can review threat details and see if there
are any threat overrides in place.

Step 2: Click the icon to bring up the Log Details for that entry.

Click the to return.


Task 6 – Reporting
In the Dashboards tab, you can view application usage, Prisma Access usage, and user activity reports.
You can email or even schedule these reports to share with your stakeholders.

Step 1: From the left-hand navigation pane, click on Activity > Dashboards.

There are multiple reports available:

• Application Usage - Know the security challenges associated with the applications traversing your
network. Key findings here can help you to refine your security policy to control unsanctioned and
risky applications.

• Prisma Access Usage - See how you’re leveraging what’s available to you with your Prisma Access
license and get a high-level view into the health and performance of your environment.

• User Activity - Get visibility into an individual user’s browsing patterns: their most frequently visited
sites, the sites with which they’re transferring data, and attempts to access high-risk sites.

• Best Practices - Assess your security posture against Palo Alto Networks’ best practice guidance.
Best practices include checks for the Center for Internet Security’s Critical Security Controls (CSC).
Take action based on these findings to optimize your security posture.

• Executive Summary - Surfaces key security takeaways – see how your subscriptions are protecting
you and where subscriptions you’re not using could close security gaps.


Task 7 – Prisma Access Insights


Prisma Access Insights provides a comprehensive platform for global visibility and monitoring with our
Prisma Access service. Using advanced end user-level monitoring and role-based access rights, it offers
a seamless, latency-free network experience tailored to users’ specific network demands and work
responsibilities. This allows administrators to pinpoint network and user experience issues - whether
caused by end user devices, network configuration, or applications - from a single-pane, cloud-delivered
management interface.
Prisma Access Insights introduces a number of powerful capabilities:
• Advanced Visibility
• Deployment status - detailed views of remote networks, tunnels, mobile users, and service
connections.
• Network utilization - the ability to monitor bandwidth utilization in the aggregate, over time, and by
branch.
• User connectivity - current user connections and use trends, as well as GlobalProtect and OS
application versions.
• Executive summary view - overall deployment status, alerts, and capacity planning trends.

• Proactive Assistance
• More than 20 alerts of varying severity - contextualized alerts that warn of service-related issues,
such as tunnel failures.
• Consolidated alert views - a centralized view of all network alerts, with in-app and email
notifications.

• Capacity Planning
• License consumption - current and projected consumption for remote networks and mobile users
compared with allocated and purchased bandwidth.
• Consumption trends - current and projected trends for bandwidth consumption and mobile user
deployment.

Step 1: Please view the demo video at https://www.youtube.com/watch?v=k3GIyldbMMI

Step 2: Explore on your own. Navigate to Insights > Summary.


Task 8 – Autonomous Digital Experience Management


Autonomous Digital Experience Management (ADEM) is natively integrated into Prisma Access. With ADEM, you can monitor end-user experience and get segment-wise insights across the entire application delivery path. IT teams can determine whether performance problems stem from the user's laptop, poor WiFi signal strength, poor broadband WAN connectivity, middle-mile Internet Service Provider (ISP) issues, cloud or data center connectivity, or the SaaS provider itself. With these insights and the ability to proactively address issues, IT teams can hold their connectivity, SaaS and cloud providers accountable to their SLAs.
Prisma Access ADEM provides native end-to-end visibility and insights into the entire service delivery path. It provides customers with the following capabilities and benefits:
• SASE Native Digital Experience Monitoring - Prisma Access ADEM enables organizations to understand user experience with deep contextual awareness of SASE connectivity. ADEM accomplishes this by integrating visibility from GlobalProtect clients and the Prisma Access cloud. This integrated approach results in superior visibility with operational simplicity: there is no need to manage a separate endpoint agent.
• Segment-Wise Insights - Gives IT and network teams detailed performance insights into their deployed endpoint devices, WiFi, network paths, SASE connectivity, and applications. This speeds problem domain identification when users are having difficulties with their business-critical applications, and improves help desk productivity.
• Comprehensive Visibility - ADEM offers intelligence from endpoint devices, synthetics, and real user traffic analysis in a single solution. This allows IT teams to reduce monitoring tool sprawl, reduce operational costs, and see user experience, application performance and traffic utilization in a single view.

Step 1: Overview video at https://www.youtube.com/watch?v=jYv8VhH4I4o&t=115s

Step 2: Try it yourself. Navigate to Autonomous DEM > Summary.

Change the Time Range to Past 30 days to see more data.

End of Activity 7

Activity 8 – Prisma SD-WAN: Actionable Analytics - Identify & Measure

In this activity, you will:
• Observe the way Prisma SD-WAN identifies, measures, and prioritizes application traffic

It is not enough for network administrators to set it and forget it. They need visibility to verify that their intended policy actually took effect, and to be able to profile the application in terms of Layer 7 reachability and verify its performance.
Typically, other solutions require a third-party NetFlow collector to gain these types of insights, which is yet another system to manage and maintain just to gain visibility into the applications on your network. Even if such a system is properly configured to collect and analyze the data, the information comes from a packet-based architecture, so a book-ended solution (a collector at each end of the path) is required; otherwise, key performance indicators will be missing.
With Prisma SD-WAN, you gain immediate visibility into the changes made to the policy and into application performance from a variety of perspectives, all without having to set up a third-party NetFlow collector or some add-on to the base platform.
Let's explore the analytics captured and displayed for the top applications.

Task 1 – Log in to Prisma SD-WAN Portal


Step 1: Click the Student-ID tab.

Retrieve your assigned Prisma SD-WAN Login.

Step 2: Click the Prisma SD-WAN tab.

Step 3: Enter your assigned login.

Click Login.

Step 4: Click into the Password field. Select your assigned login.

Click Login.

Task 2 – Network Analytics


Step 1: Navigate to Monitor > Activity. Click Network if not already selected.

Network analytics will be shown. The default Time Frame is last day (1D).

Step 2: In the left-hand column, under Quick Filters, click Clear Filters then click the pencil icon for
Sites.

Select Branch 1.

Click Done.

Click Not yet on the window prompting you to update charts.

Step 3: Again, under Quick Filters, click the pencil icon for Apps.

In the drop-down box for VIEWING > Top Apps by…, select Traffic Volume.

Click Select All.

Verify WebPoS is selected.

Click Done.

Click Update.

Step 4: Both the Bandwidth Utilization and Transaction Stats graphs have updated with new
information.

The Bandwidth Utilization graph details how much bandwidth each of the top 10 applications is using over the past day, measured in 5-minute increments.

Transaction Stats provides full accounting for TCP applications.

• Init Successful - Number of successful TCP 3-way handshakes.
• TXNs Successful - Number of successful TCP transactions after a 3-way handshake is established.
• Init Failure - Number of failed TCP 3-way handshakes.
• TXNs Failure - Number of failed TCP transactions after a 3-way handshake is established.

Init Failures can be indicative of a few issues:

• Application Issues - The application could be down or experiencing intermittent issues.
• Firewall Issues - Incorrect firewall rules may be blocking traffic.
• Network issues beyond the reach of SD-WAN (i.e., in the data center).

Transaction (TXN) Failures usually represent loss somewhere in the network path, inside or outside of
the direct control of the app-fabric.

Step 5: Click Apps on the Transaction Stats window and select WebPoS.

Prisma SD-WAN also captures and aggregates transaction stats on a per app, per server basis.

Note: WebPoS is a user-defined custom L7 application. We'll explore what this means in the next activity.

Click the blue lightning bolt in the top-left of the Transaction Stats window. A new page is displayed
with accounting of transaction statistics for WebPoS on a per prefix (server) basis.

Application health event definitions:

• App Unreachable Events - The number of 10-second intervals in which the given prefix is unreachable.
• Failed Connection Events - The number of failed flows (3-way handshake) in the given time period.
• Failed Transaction Events - The number of failed transactions (retransmission required) in the given time period.

Click anywhere outside the window to return to the Network Analytics page.

Step 6: Click Apps on the App Response Time window and select WebPoS.

The App Response Time details for WebPoS will be displayed.

Prisma SD-WAN measures application performance as close as possible to the user, which is at the
branch. In fact, many Prisma SD-WAN customers refer to this graph as their Time to Innocence graph.
Application Performance is measured across several key metrics including:
• Server Response Time (SRT) - SRT represents the amount of time the server is waiting to fetch
data before putting it on the wire.
• Round Trip Time (RTT) - RTT represents the round trip time of the TCP traffic while on the wire.
• Network Transmission Time, Normalized (NTTn) - Time consumed by the network for processing
application requests normalized to an iMIX packet size.
• UDP Transaction Round Trip (UDP-TRT) - If DNS is the selected application, this metric is used to
gauge the DNS response time.
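The Transaction Stats counters and the SRT/RTT split above can be reproduced from a packet capture taken at the branch edge. The following is an added example written for this guide; it is not Prisma SD-WAN code and does not claim to be the product's measurement algorithm. It assumes the observer sits next to the clients and sees both directions of every flow, so that the SYN-to-SYN-ACK gap is the network RTT and the request-to-response gap minus that RTT isolates server think time (SRT). The timeouts, endpoint addresses and packet records are constructed for the example, and flows are keyed by address pair only (ports omitted for brevity).

```python
"""Passive TCP accounting at the branch edge: Init/TXN success and failure
counts plus per-flow RTT and SRT. Added example, not Prisma SD-WAN code."""
from collections import defaultdict
from dataclasses import dataclass, field

HANDSHAKE_TIMEOUT_S = 3.0   # assumed: a SYN unanswered this long is an Init Failure
TXN_TIMEOUT_S = 5.0         # assumed: a request unanswered this long is a TXN Failure


@dataclass
class Pkt:
    t: float        # observer timestamp, seconds since capture start
    src: str
    dst: str
    flags: str      # "S" SYN, "SA" SYN-ACK, "A" ACK (or ACK+data), "R" RST
    payload: int = 0


@dataclass
class Stats:
    init_ok: int = 0
    init_fail: int = 0
    txn_ok: int = 0
    txn_fail: int = 0
    rtt_ms: list = field(default_factory=list)
    srt_ms: list = field(default_factory=list)


def analyse_flow(pkts):
    """Account one TCP flow (both directions, any order)."""
    pkts = sorted(pkts, key=lambda p: p.t)
    st = Stats()
    syn = next((p for p in pkts if p.flags == "S"), None)
    if syn is None:
        return st                      # no handshake seen: nothing to account
    client, server = syn.src, syn.dst
    synack = next((p for p in pkts if p.t > syn.t and p.src == server and p.flags == "SA"), None)
    if synack is None or synack.t - syn.t > HANDSHAKE_TIMEOUT_S:
        st.init_fail += 1              # 3-way handshake never completed
        return st
    st.init_ok += 1
    rtt = synack.t - syn.t             # SYN -> SYN-ACK seen next to the client = wire RTT
    st.rtt_ms.append(rtt * 1000)
    pending = None                     # time the current unanswered request left the client
    for p in pkts:
        if p.t <= synack.t:
            continue
        if p.src == client and p.payload > 0:
            if pending is None:        # further request segments belong to the same transaction
                pending = p.t
        elif pending is not None and p.src == server and p.payload > 0:
            if p.t - pending > TXN_TIMEOUT_S:
                st.txn_fail += 1
            else:
                st.txn_ok += 1
                # request left, response arrived: subtract wire time to get server time
                st.srt_ms.append(max(0.0, (p.t - pending - rtt) * 1000))
            pending = None
        elif pending is not None and "R" in p.flags:
            st.txn_fail += 1           # reset while a request was outstanding
            pending = None
    if pending is not None:
        st.txn_fail += 1               # capture ended with an unanswered request
    return st


def summarize(packets):
    """Aggregate over all flows, keyed by unordered address pair (assumption: no ports)."""
    flows = defaultdict(list)
    for p in packets:
        flows[tuple(sorted((p.src, p.dst)))].append(p)
    total = Stats()
    for f in flows.values():
        s = analyse_flow(f)
        total.init_ok += s.init_ok
        total.init_fail += s.init_fail
        total.txn_ok += s.txn_ok
        total.txn_fail += s.txn_fail
        total.rtt_ms += s.rtt_ms
        total.srt_ms += s.srt_ms
    avg = lambda xs: sum(xs) / len(xs) if xs else None
    return {"init_ok": total.init_ok, "init_fail": total.init_fail,
            "txn_ok": total.txn_ok, "txn_fail": total.txn_fail,
            "avg_rtt_ms": avg(total.rtt_ms), "avg_srt_ms": avg(total.srt_ms)}


# Constructed capture: flow A is healthy (40 ms RTT, one slow and one fast transaction),
# flow B is a SYN nobody answers, flow C is reset while a request is outstanding.
SRV = "10.50.0.5"
SAMPLE = [
    Pkt(0.000, "10.1.1.10", SRV, "S"), Pkt(0.040, SRV, "10.1.1.10", "SA"),
    Pkt(0.041, "10.1.1.10", SRV, "A"),
    Pkt(0.100, "10.1.1.10", SRV, "A", 300), Pkt(0.260, SRV, "10.1.1.10", "A", 1200),
    Pkt(0.500, "10.1.1.10", SRV, "A", 280), Pkt(0.560, SRV, "10.1.1.10", "A", 900),
    Pkt(1.000, "10.1.1.11", SRV, "S"),
    Pkt(2.000, "10.1.1.12", SRV, "S"), Pkt(2.030, SRV, "10.1.1.12", "SA"),
    Pkt(2.031, "10.1.1.12", SRV, "A"),
    Pkt(2.100, "10.1.1.12", SRV, "A", 300), Pkt(2.200, SRV, "10.1.1.12", "R"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the constructed capture this yields two successful and one failed handshake, two successful and one failed transaction, an average RTT of 35 ms and an average SRT of 70 ms; the 120 ms SRT on the first transaction of flow A is server time, not network time, which is the distinction the "Time to Innocence" view is built on.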

Task 3 – Media Analytics


Due to the sensitive nature of real-time media applications, Prisma SD-WAN measures and treats them
separately out of the box. For example, the system measures the quality of each voice and video call in
high detail - no synthetic probes are used.
Let's explore this by reviewing actual RTP audio traffic at Branch 1.

Step 1: Under Quick Filters, click Clear Filters.

Step 2: Click Media to display the media analytics.

Step 3: Select 1H from the Time Frame selector.

Step 4: From Quick Filters, click the checkbox for WANs. Select Update when prompted to update
charts.

Step 5: From the top of the page, confirm scope is set to viewed by WANs.

Step 6: Under Quick Filters, click the pencil icon for Sites.

Select Branch 1 and then click Done.

Click Not yet when prompted to update charts.

Step 7: Under Quick Filters, click the pencil icon for Media Apps.

Under Filter, type rtp and then select rtp.

Click Done.

Click Update when prompted to update charts.

Step 8: Media analytics for the RTP audio sessions are now displayed.

Audio Bandwidth - The amount of bandwidth that the RTP audio streams are consuming.

Audio Jitter - The variance in delay (ms) of the RTP audio traffic.

Note there is no jitter in this environment.


Audio Packet Loss - The packet loss % of the RTP audio traffic.

Note that extreme network conditions have been introduced into this environment to cause Prisma SD-
WAN to react to quality issues.

Audio MOS Score - The Mean Opinion Score of the audio traffic calculated using industry standard
metrics.

Note that the above metrics default to displaying the Ingress metrics, which are measured on the traffic
coming into the branch site from the WAN. Egress traffic is measured from the branch LAN going to the
WAN. The view can easily be changed between Ingress and Egress on each individual graph.

Next, we'll explore how Prisma SD-WAN measures link quality.

Task 4 – Link Quality


Step 1: Under Quick Filters, click Clear Filters.

Step 2: Click Link Quality to display the link quality analytics.

Step 3: Under Quick Filters, click the pencil icon for Sites.

Select Branch 2 and click Done.

Click Update when prompted to update charts.

Step 4: Under Quick Filters, next to Paths, click Active.

Select the VPN between Branch 2 and CGX AllStars DC1.

Click Update when prompted to update charts.

Step 5: The graphs are now populated with detailed link quality metrics.

• Overall Link Quality - A simple chart representing whether the link is generally good enough (or not) to support a real-time media session. By default, a good link is defined as having less than 150 ms of latency, 50 ms of jitter, and 3% packet loss. This can be tuned on a per-app / per-connection basis.
• Link Latency - The round-trip latency between Branch 1 and DC 1.
• Link Jitter - The uni-directional jitter between Branch 1 and DC 1.
• Link Packet Loss - The uni-directional packet loss between Branch 1 and DC 1.
• Link MoS - A synthetic calculation of the Mean Opinion Score based upon the link metrics.
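The media metrics from Task 3 (audio packet loss, audio jitter, MOS) and the Overall Link Quality verdict above can be computed from an RTP stream and a set of thresholds. The block below is an added example for this guide, not Prisma SD-WAN code: loss is derived from RTP sequence gaps, jitter uses the RFC 3550 interarrival-jitter estimator, the good-link test uses the page's default thresholds (150 ms latency, 50 ms jitter, 3% loss) with an optional per-app override, and the MOS is a simplified ITU-T G.107 E-model (G.711 without PLC, jitter treated as buffer delay), which is an assumption of this example rather than the product's formula. The RTP packets and the 40 ms path latency are constructed.

```python
"""RTP loss/jitter, link-quality verdict and synthetic MOS.
Added example, not Prisma SD-WAN code."""

RTP_CLOCK_HZ = 8000   # assumed: narrowband audio, 8 kHz RTP clock
DEFAULT_THRESHOLDS = {"latency_ms": 150.0, "jitter_ms": 50.0, "loss_pct": 3.0}  # page defaults


def rtp_metrics(packets):
    """packets: list of (seq, rtp_timestamp_ticks, arrival_ms) in arrival order."""
    if not packets:
        return {"loss_pct": 0.0, "jitter_ms": 0.0}
    seqs = [p[0] for p in packets]
    expected = max(seqs) - min(seqs) + 1          # assumption: no 16-bit sequence wrap
    loss_pct = 100.0 * (expected - len(set(seqs))) / expected
    jitter = 0.0
    prev = packets[0]
    for cur in packets[1:]:
        # D = change in arrival spacing minus change in sender spacing (RFC 3550 6.4.1)
        sender_gap_ms = (cur[1] - prev[1]) * 1000.0 / RTP_CLOCK_HZ
        d = (cur[2] - prev[2]) - sender_gap_ms
        jitter += (abs(d) - jitter) / 16.0        # running estimate, gain 1/16
        prev = cur
    return {"loss_pct": loss_pct, "jitter_ms": jitter}


def link_is_good(latency_ms, jitter_ms, loss_pct, app_override=None):
    """Overall Link Quality: every metric must be under its threshold.
    app_override may replace any threshold, tuned per app or connection."""
    thr = {**DEFAULT_THRESHOLDS, **(app_override or {})}
    return (latency_ms < thr["latency_ms"] and jitter_ms < thr["jitter_ms"]
            and loss_pct < thr["loss_pct"])


def mos_estimate(latency_ms, jitter_ms, loss_pct):
    """Synthetic MOS from link metrics via a simplified E-model (assumed parameters)."""
    d = latency_ms / 2.0 + jitter_ms                     # one-way delay incl. jitter buffer
    i_d = 0.024 * d + (0.11 * (d - 177.3) if d > 177.3 else 0.0)
    i_e_eff = 95.0 * loss_pct / (loss_pct + 4.3)        # G.711: Ie = 0, Bpl = 4.3
    r = 93.2 - i_d - i_e_eff
    if r < 0:
        return 1.0
    if r > 100:
        return 4.5
    return 1 + 0.035 * r + 7e-6 * r * (r - 60) * (100 - r)


# Constructed 20 ms G.711 stream: seq 5 is lost, seq 7 arrives 5 ms late.
SAMPLE_RTP = [(1, 160, 0), (2, 320, 20), (3, 480, 40), (4, 640, 60),
              (6, 960, 100), (7, 1120, 125), (8, 1280, 140), (9, 1440, 160), (10, 1600, 180)]
SAMPLE_LATENCY_MS = 40.0   # constructed round-trip latency of the path


def assess(packets=SAMPLE_RTP, latency_ms=SAMPLE_LATENCY_MS, app_override=None):
    """Combine the stream metrics with path latency into the per-link verdict and MOS."""
    m = rtp_metrics(packets)
    return {**m, "latency_ms": latency_ms,
            "good": link_is_good(latency_ms, m["jitter_ms"], m["loss_pct"], app_override),
            "mos": mos_estimate(latency_ms, m["jitter_ms"], m["loss_pct"])}


if __name__ == "__main__":
    print(assess())                                      # 10% loss: not good, MOS below 2
    print(assess(app_override={"loss_pct": 12.0}))       # relaxed per-app threshold: good
```

Note that the 10% loss in the constructed stream fails the default 3% threshold even though latency and jitter are excellent, which is why the Overall Link Quality chart is a combined verdict rather than a single metric; raising the per-app loss threshold flips the verdict without changing the MOS, which stays low.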

Task 5 – Flow Browser


Prisma SD-WAN keeps a record of every application session that passes through the system. This
provides the ability to view granular details about the session not possible with other solutions, all with no
increase in overhead.

Step 1: Under Quick Filters, click Clear Filters.

Step 2: Click Flows to display the Flow Browser.

Step 3: Under Quick Filters, click the pencil icon for Sites.

Select Branch 1 and click Done.

Click Update when prompted to update charts.

Step 4: The Flow Browser will display the most recent 1000 flows.

Each column can be clicked to sort the data. Click the PKTS (packets) column twice to sort by the
number of packets from highest to lowest.

Step 5: Click the SRC (source) IP of the top TCP flow.

A new scrollable window will display with the flow details.

Each row provides detailed information about the flow. We'll cover the most commonly used fields:

• Flow Decision Bitmap - A detailed accounting of why a flow decision was made.
• Hovering over the Flow Decision Data (click Advanced Info) reveals additional information about the path selection determination for the flow.
• Source IP (Port)
• Destination (Port)
• Application name
• Path Information - Which Path policy criteria were matched.
• QoS Information - Which QoS policy criteria were matched.
• Security Information - Which Security policy (ZBFW) criteria were matched.
• Chosen WAN Path - Which path the App-Fabric chose for the application session.
• EndPoint - Which DC or Service Group was chosen to send the traffic to (if applicable).
• Domain Detected - What domain (if any) was detected for the flow.
• Start and end time of the flow.
• DSCP Fields Detected
• TCP Specific Fields - Similar to Wireshark, the App-Fabric provides TCP accounting for each flow. This includes OOO (out-of-order), SACK, retransmit, RST, SYN, and FIN counts. This information is useful when troubleshooting application / network issues.
• VLAN ID
• Application Performance Metrics - Just as at the application/site level, the App-Fabric provides performance accounting on a per application session basis. This information is crucial in separating server issues from network issues.

Step 6: Under Quick Filters, click the pencil icon for Apps.

Under Search, type rtp and then select rtp.

Click Done.

Click Update when prompted to update charts.

Step 7: The list of RTP flows will be displayed.

Step 8: Click the SRC (source) IP of the top RTP flow.

A new scrollable window will display with the flow details.

Just as for a TCP application, you will have detailed information about the RTP call. However, instead of TCP-specific metrics there will be real-time media specific metrics, including:

• Flow Decision Bitmap - A detailed accounting of why a flow decision was made.
• Hovering over the Flow Decision Data reveals additional information about the path selection determination for the flow.
• Source IP (Port)
• Destination (Port)
• Application name
• Path Information - Which Path policy criteria were matched.
• QoS Information - Which QoS policy criteria were matched.
• Security Information - Which Security policy (ZBFW) criteria were matched.
• Chosen WAN Path - Which path the App-Fabric chose for the application session.
• EndPoint - Which DC or Service Group was chosen to send the traffic to (if applicable).
• Domain Detected - What domain (if any) was detected for the flow.
• Start and end time of the flow
• DSCP Fields Detected
• Codec - The detected codecs used throughout the life of the call in each direction.
• VLAN ID
• RTM Performance - Bidirectionally measured Min/Max/Average:
  o Packet loss
  o Jitter
  o MoS

End of Activity 8

Activity 9 – Prisma SD-WAN: Application Policy


In this activity, you will:
• Examine application policies that ensure performance and compliance

Prisma SD-WAN provides a complete policy framework designed to fit the needs of the user and the
application. This is achieved by applying Path, QoS, Security, and NAT (if applicable) rules on a per-
application basis.

Consider an organization that has recently made the shift to adopt cloud services such as Microsoft Office
365 and Salesforce. To date its security policy dictated that all traffic destined for the Internet must transit
through the centralized data center firewalls via the private WAN. After numerous complaints about
application performance for Office 365 and Salesforce, the security team grants an exception to allow
both of these applications to go direct to the Internet since they are encrypted and trusted applications.

Given that Prisma SD-WAN is an application-defined architecture that operates at the application-session
level, the network administrator is enabled to easily accomplish the task of selectively sending Office 365
and Salesforce traffic direct to the Internet.

In this activity we'll verify that the operations team has correctly configured the system to achieve the user
intent by reviewing:

• Application Definitions
• Path Policies
• QoS Policies

Task 1 – Application Definitions

As the name suggests, Prisma SD-WAN is an application-based system. Not only does Prisma SD-WAN
use a purpose-built application ID engine to perform app identification, but it is also an essential
component of the system. In other words, it's not a feature that can be turned on or off, but a core part of
how the system works.

The system has two main types of application definitions:

System Apps
• These are applications maintained by the Palo Alto Networks team for commonly used applications.
• There are over 500 applications out of the box.
• Application definitions are automatically updated as needed, typically 1-2 times per quarter.
• Users can optionally add overrides to the default system applications.

Custom Apps
• These are applications created and maintained by the customer.

Both System Apps and Custom Apps can match on many criteria:
• L7 Rule - Use a domain name to match the application.
• L3/L4 Rule - Use a combination of prefix filters (source and/or destination), protocols, and port numbers to match the application.
• Signature - Some system applications also leverage deep packet inspection and a subsequent signature to identify the application.

Each application definition includes configuration options that help the system determine how to handle
the traffic. These options are:
• App Category - Used primarily for organizational purposes.
• Transfer Type - The designated transfer type has an impact on how QoS is applied to any app
sessions that match the application definition.
• Ingress Traffic Percentage - During the path selection process this helps the system determine if
the application is upload heavy or download heavy and it will place the session on the appropriate
link.
• Connection Idle Timeout - The amount of time that a session will stay active in the system with no
packets observed on the wire.
• Path Affinity - Enable the system to group sessions of a like application onto the same link.
• Using App Reachability Detection - The Prisma SD-WAN system is capable of detecting brown-out
conditions for all TCP applications. This detection can be disabled selectively on a per-application
basis.
• Network Scan App - In some networks customers leverage automated scanning utilities to discover
vulnerable systems. These systems sometimes flood the network with traffic across all ports. In order
to prioritize this traffic properly below that of production traffic, it can be defined as a Network Scan
App. This is typically done using source prefix filters in the application definition.
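To make the definition types above concrete, here is an added example of an application classifier that evaluates L7 domain rules and L3/L4 prefix/protocol/port rules, honours a customer override of a system app, and tags a Network Scan App by source prefix. It is written for this guide and is not Prisma SD-WAN's App-ID engine. Assumptions: custom apps are evaluated before system apps so an override wins, L7 rules are tried before L3/L4 rules, the first matching definition in list order is returned, and signature matching is omitted. The app names other than WebPoS, outlook and salesforce, the prefixes and the flows are constructed.

```python
"""App identification from L7 and L3/L4 definitions with custom overrides.
Added example, not Prisma SD-WAN code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class L3L4Rule:
    src_prefixes: list = field(default_factory=list)   # CIDR strings; empty means any
    dst_prefixes: list = field(default_factory=list)
    protocol: Optional[str] = None                     # "tcp", "udp" or None for any
    dst_ports: list = field(default_factory=list)      # empty means any port

    def matches(self, flow):
        def in_any(ip, prefixes):
            return not prefixes or any(
                ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in prefixes)
        return (in_any(flow["src"], self.src_prefixes)
                and in_any(flow["dst"], self.dst_prefixes)
                and (self.protocol is None or self.protocol == flow["proto"])
                and (not self.dst_ports or flow["dport"] in self.dst_ports))


@dataclass
class AppDef:
    name: str
    kind: str                                  # "system" or "custom"
    transfer_type: str = "transactional"       # used later by QoS
    l7_domains: list = field(default_factory=list)     # exact host or "*.suffix"
    l3l4_rules: list = field(default_factory=list)
    network_scan: bool = False                 # Network Scan App: prioritised below production

    def matches_domain(self, host):
        if not host:
            return False
        for d in self.l7_domains:
            if host == d or (d.startswith("*.") and host.endswith(d[1:])):
                return True
        return False


def identify(flow, apps):
    """flow: {src, dst, proto, dport, domain}. Returns the matching AppDef or None.
    Custom definitions are checked first (assumed override semantics); L7 before L3/L4."""
    ordered = [a for a in apps if a.kind == "custom"] + [a for a in apps if a.kind == "system"]
    for a in ordered:
        if a.matches_domain(flow.get("domain")):
            return a
    for a in ordered:
        if any(r.matches(flow) for r in a.l3l4_rules):
            return a
    return None


# Constructed definitions. The scanner app is listed first so its source-prefix rule
# wins over WebPoS when a scanner host probes the PoS server.
APPS = [
    AppDef("vuln-scanner", "custom", "bulk", network_scan=True,
           l3l4_rules=[L3L4Rule(src_prefixes=["10.1.99.0/24"])]),
    AppDef("WebPoS", "custom", "transactional",
           l3l4_rules=[L3L4Rule(dst_prefixes=["10.50.0.0/24"], protocol="tcp", dst_ports=[8443])]),
    AppDef("corp-mail", "custom", l7_domains=["outlook.office.com"]),      # customer override
    AppDef("outlook", "system", l7_domains=["outlook.office.com", "*.office365.com"]),
    AppDef("salesforce", "system", l7_domains=["*.salesforce.com", "*.force.com"]),
]

# Constructed flows (RFC 5737 documentation addresses for the Internet side).
FLOWS = [
    {"src": "10.1.1.10", "dst": "10.50.0.5", "proto": "tcp", "dport": 8443, "domain": None},
    {"src": "10.1.1.10", "dst": "203.0.113.5", "proto": "tcp", "dport": 443, "domain": "outlook.office.com"},
    {"src": "10.1.1.10", "dst": "203.0.113.6", "proto": "tcp", "dport": 443, "domain": "login.salesforce.com"},
    {"src": "10.1.99.7", "dst": "10.50.0.5", "proto": "tcp", "dport": 22, "domain": None},
    {"src": "10.1.1.10", "dst": "198.51.100.9", "proto": "udp", "dport": 5060, "domain": None},
]


def classify(flows=FLOWS, apps=APPS):
    """Names of the matched apps, 'unknown' where nothing matched."""
    return [(a.name if a else "unknown") for a in (identify(f, apps) for f in flows)]


if __name__ == "__main__":
    print(classify())
```

The ordering matters in practice: the flow from 10.1.99.7 to the PoS server is a Network Scan App rather than WebPoS only because the scanner's source-prefix definition is evaluated first, which is exactly the kind of thing the Flow Browser's Application name and Path/QoS fields let you verify after the fact.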

Step 1: Navigate to Manage > Policies > Stacked Policies > Bindings. The Policy Bindings are
now displayed.

Step 2: View the full list of all Application Definitions from Manage > Resources > Applications.

Note that they can be sorted and filtered in many ways.

Step 3: In the Name filter box, type outlook.

Under the Actions column, click the ellipses and then select View.

The Outlook system application definition will be displayed.

Next, we will look at how applications are used in path policies.

Task 2 – Path Policies

Path policies determine how the various paths available to Prisma SD-WAN are used to fulfill business
intent.

There is significant control in the path policy framework. Match criteria include:
• Context - An optional identifier applied at the device interface level used to signify certain types of networks or users. Guest and PoS (point of sale) are commonly used Contexts.
• Prefixes - Global and local prefix filters can be optionally matched as source and/or destination criteria.
• Apps - Both system and custom (user-defined) applications can be matched.

Path selection options include:

• Paths - Granular control of which site connections are used to forward traffic.
  o Active - Paths that are actively used to forward traffic in a load-shared manner.
  o Backup - Paths that are used when active paths are down or when quality issues occur.
  o L3 Failure Path - Paths that are used only when all active and backup paths are down.
• Service and DC Groups
  o Service Group - Used to direct traffic to a 3rd party service group. A common example would be to send untrusted traffic to the Palo Alto Networks Prisma Access solution for further security inspection.
  o DC Group - One or more Prisma SD-WAN Data Center locations that can be used as transit points.

Since we have approval from the security team to send Salesforce and Office 365 traffic directly onto the
internet to maximize performance, we'll explore how to verify the change was made successfully by the
operations team.

Step 1: Navigate to Manage > Policies > Stacked Policies > Bindings. The Policy Bindings are now
displayed.

Step 2: The Branch Path Policy is at Manage > Policies > Stacked Policies > Path.

Make sure Simple has been selected.

Step 3: Click Branch Path Policy to view the list of rules.

Step 4: Click on the Trusted SaaS policy.

Click on the Apps tab and then select the checkbox for Show X Selected Apps.

Note that, in this rule, both Salesforce and Office365 have been selected.

Step 5: Click on the Paths tab.

Note the path selection configuration:


• Active Path - Direct on Ethernet Internet
• Backup Path - Direct on Internet Cable
• L3 Failure Path - Direct on Metered 3G/4G/LTE
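The Active / Backup / L3 Failure tiers of the Trusted SaaS rule can be exercised with a small path-selection model. The block below is an added example written for this guide, not Prisma SD-WAN's path-selection logic. Assumed behaviour, consistent with the tier descriptions in this task: active paths that are up and within the default link-quality thresholds (150 ms, 50 ms, 3%) are load-shared by hashing the flow; if none qualifies, backup paths that are up and healthy are used; if every active and backup path is up but degraded, the one with the lowest loss (then latency) is used; L3 Failure paths are used only when all active and backup paths are down. The path names are the ones from the rule above; the telemetry snapshots and the flow key are constructed.

```python
"""Tiered path selection for a path-policy rule. Added example, not Prisma SD-WAN code."""
import hashlib

THRESHOLDS = {"latency_ms": 150.0, "jitter_ms": 50.0, "loss_pct": 3.0}  # page defaults


def healthy(m, thr=THRESHOLDS):
    """Up and inside every threshold; m is a telemetry dict for one path."""
    return (m["up"] and m["latency_ms"] < thr["latency_ms"]
            and m["jitter_ms"] < thr["jitter_ms"] and m["loss_pct"] < thr["loss_pct"])


def pick_shared(paths, flow_key):
    """Deterministic load sharing: the same flow key always lands on the same path."""
    h = int(hashlib.sha256(flow_key.encode()).hexdigest(), 16)
    return sorted(paths)[h % len(paths)]


def select_path(rule, telemetry, flow_key):
    """Return (tier, path_name), or (None, None) when nothing is usable.
    rule: {"active": [...], "backup": [...], "l3_failure": [...]}."""
    def usable(names):
        return [n for n in names if n in telemetry and healthy(telemetry[n])]

    def up(names):
        return [n for n in names if n in telemetry and telemetry[n]["up"]]

    act = usable(rule["active"])
    if act:
        return ("active", pick_shared(act, flow_key))
    bkp = usable(rule["backup"])
    if bkp:
        return ("backup", pick_shared(bkp, flow_key))
    degraded = up(rule["active"]) + up(rule["backup"])
    if degraded:
        # every up path breaches a threshold: take the least bad by loss, then latency
        best = min(degraded, key=lambda n: (telemetry[n]["loss_pct"], telemetry[n]["latency_ms"]))
        return ("degraded", best)
    l3 = up(rule["l3_failure"])
    if l3:
        return ("l3_failure", pick_shared(l3, flow_key))
    return (None, None)


# The Trusted SaaS rule as reviewed in this task.
ETH, CABLE, LTE = "Ethernet Internet", "Internet Cable", "Metered 3G/4G/LTE"
TRUSTED_SAAS = {"active": [ETH], "backup": [CABLE], "l3_failure": [LTE]}


def m(up, latency_ms, jitter_ms, loss_pct):
    return {"up": up, "latency_ms": latency_ms, "jitter_ms": jitter_ms, "loss_pct": loss_pct}


# Constructed telemetry snapshots.
ALL_HEALTHY = {ETH: m(True, 20, 2, 0.0), CABLE: m(True, 30, 5, 0.5), LTE: m(True, 90, 20, 1.0)}
ETH_LOSSY = {**ALL_HEALTHY, ETH: m(True, 20, 2, 5.0)}             # active up but over 3% loss
BOTH_DEGRADED = {**ETH_LOSSY, CABLE: m(True, 30, 5, 8.0)}         # active and backup both lossy
WIRED_DOWN = {**ALL_HEALTHY, ETH: m(False, 0, 0, 100.0), CABLE: m(False, 0, 0, 100.0)}
ALL_DOWN = {**WIRED_DOWN, LTE: m(False, 0, 0, 100.0)}
FLOW = "10.1.1.10:51234>203.0.113.10:443/tcp"                     # constructed flow key

if __name__ == "__main__":
    for name, snap in [("all healthy", ALL_HEALTHY), ("ethernet lossy", ETH_LOSSY),
                       ("both degraded", BOTH_DEGRADED), ("wired down", WIRED_DOWN),
                       ("all down", ALL_DOWN)]:
        print(f"{name:15s} -> {select_path(TRUSTED_SAAS, snap, FLOW)}")
```

Walking the snapshots in order shows why the Flow Browser's Chosen WAN Path and Flow Decision Bitmap fields matter: the same rule yields a different path as the link metrics change, and the metered LTE path is touched only once both wired paths are actually down, not merely degraded.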

Step 6: Click on the Summary tab to view all the settings for the Trusted SaaS path policy rule.

Step 7: Click on the back arrow at the top left-hand corner of the page.

Next, we will look at how applications are used in QoS policies.

Task 3 – QoS Policies


The Prisma SD-WAN system follows a simple QoS model utilizing shaping. There are four top-level queues called Priority levels:
• Platinum
• Gold
• Silver
• Bronze

Each Priority (top-level queue) is allocated a configurable percentage share of the circuit bandwidth. This
value is leveraged to shape traffic in times of congestion.

Each Priority level has 4 sub-queues, one for each transfer type:
• Real-Time Audio
• Real-Time Video
• Transactional
• Bulk

This is a view into how the bandwidth percentages are allocated:

The transfer type is specified in the application definition, which was covered earlier in this activity (Task 1).

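The two-level model above (a percentage share per Priority, four transfer-type sub-queues inside each) can be illustrated with a shaping calculation. This is an added example for this guide, not Prisma SD-WAN's scheduler. Assumed behaviour: under congestion each Priority is guaranteed its configured share of the circuit, any share it does not use is redistributed to the other Priorities in proportion to their shares (weighted max-min fair "water-filling"), and inside a Priority the four transfer types are treated as equal-weight sub-queues. The share percentages, the 100 Mbps circuit and the demand figures are constructed.

```python
"""Hierarchical shaping: Priority shares, then transfer-type sub-queues.
Added example, not Prisma SD-WAN code."""

PRIORITIES = ["Platinum", "Gold", "Silver", "Bronze"]
TRANSFER_TYPES = ["real_time_audio", "real_time_video", "transactional", "bulk"]


def fair_share(capacity, weights, demands):
    """Weighted max-min fair allocation: no queue gets more than it asks for, and
    capacity a satisfied queue leaves behind is re-split among the rest by weight."""
    alloc = {k: 0.0 for k in weights}
    remaining = float(capacity)
    unsatisfied = {k for k in weights if demands.get(k, 0) > 0}
    while unsatisfied and remaining > 1e-9:
        total_w = sum(weights[k] for k in unsatisfied)
        fair = {k: remaining * weights[k] / total_w for k in unsatisfied}
        satisfied = {k for k in unsatisfied if demands[k] - alloc[k] <= fair[k]}
        if not satisfied:                      # everyone wants more than its fair share
            for k in unsatisfied:
                alloc[k] += fair[k]
            break
        for k in satisfied:                    # give these exactly what they asked for
            remaining -= demands[k] - alloc[k]
            alloc[k] = float(demands[k])
        unsatisfied -= satisfied
    return alloc


def allocate(link_mbps, share_pct, demand_mbps):
    """share_pct: {priority: percent}; demand_mbps: {priority: {transfer_type: mbps}}.
    Returns {priority: {transfer_type: allocated mbps}}."""
    if set(share_pct) != set(PRIORITIES):
        raise ValueError("a share is required for each of the four priorities")
    if abs(sum(share_pct.values()) - 100) > 1e-9:
        raise ValueError("priority shares must total 100%")
    for p, sub in demand_mbps.items():
        if set(sub) - set(TRANSFER_TYPES):
            raise ValueError(f"unknown transfer type in {p}")
    # Level 1: split the circuit between priorities by configured share.
    per_priority = fair_share(link_mbps, share_pct,
                              {p: sum(demand_mbps.get(p, {}).values()) for p in PRIORITIES})
    # Level 2: split each priority's allocation across its transfer-type sub-queues.
    return {p: fair_share(per_priority[p], {t: 1 for t in demand_mbps.get(p, {})},
                          demand_mbps.get(p, {}))
            for p in PRIORITIES}


def totals(allocation):
    return {p: sum(q.values()) for p, q in allocation.items()}


# Constructed configuration: a 100 Mbps circuit with 135 Mbps of offered load.
LINK_MBPS = 100
SHARES = {"Platinum": 35, "Gold": 30, "Silver": 20, "Bronze": 15}
DEMAND = {
    "Platinum": {"real_time_audio": 6, "real_time_video": 4},
    "Gold": {"real_time_audio": 5, "real_time_video": 15, "transactional": 30, "bulk": 10},
    "Silver": {"transactional": 25},
    "Bronze": {"bulk": 40},
}

if __name__ == "__main__":
    result = allocate(LINK_MBPS, SHARES, DEMAND)
    for p in PRIORITIES:
        print(p, {t: round(v, 2) for t, v in result[p].items()})
    print("totals", {p: round(v, 2) for p, v in totals(result).items()})
```

With these numbers Platinum uses only 10 of its guaranteed 35 Mbps, and the unused 25 Mbps flows down to Gold and Bronze, so Gold ends up with about 43.3 Mbps rather than the 30 Mbps its share alone would give it; Silver's full 25 Mbps demand is met. Mapping Salesforce into Gold, as verified in the steps that follow, therefore matters only when the circuit is congested, which is exactly when the shares are applied.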
In our example the company uses a wide variety of applications to conduct business. Specifically, the
sales division uses the salesforce.com SaaS application as the primary CRM system. We will ensure that
the operations team has mapped both applications into the Gold queue.

Step 1: Navigate to Manage > Policies > Stacked Policies > Bindings. The Policy Bindings are now
displayed.

Step 2: The Branch QoS Policy is at Manage > Policies > Stacked Policies > QoS.

Make sure Simple is selected.

Step 3: Click on Branch QoS Policy to view the list of rules.

Step 4: In the Filter (by rule name, app) box, type salesforce.

Step 5: Click on salesforce-Policy.

Click on the Apps tab and then select the checkbox for Show 1 Selected App.

Note that, in this rule, only Salesforce has been selected.

Step 6: Click on the Priority tab.

Confirm that Gold is the selected priority.

Step 7: Click on the Summary tab to view the entire configuration.

Step 8: Click on the back arrow at the top left-hand corner of the page.

End of Activity 9

Activity 10 – Prisma SD-WAN: Application Defined


In this activity, you will:
• Review the network infrastructure that enables policy enforcement

The foundation of the Prisma SD-WAN system is that it is application defined. The fabric consists of the sites and devices and is responsible for the identification of applications, application monitoring, inter-site VPN connections, connections to 3rd party services, and policy instantiation.
In this section we'll explore how the logical application fabric is configured and built.
Let's get started by reviewing the topology.

Task 1 – Topology
Step 1: Navigate to Monitor > Sites.

The map is displayed. By default, all sites are visible but can be filtered.

Step 2: Click on the filter icon. Expand Types and select Branch.

Only branch sites are shown.

Step 3: In the Search site name or address box, type branch 2.

Select Branch 2.

Branch 2 is centered on the map.

Task 2 – Site Review


Step 1: From Monitor > Sites, select List View.

A list of sites is displayed.

You can search for sites by name or address as well as filter the list of sites using multiple criteria.

Step 2: Click on Branch 1.

The site overview panel will be displayed.

This panel provides a single point to configure and manage the branch.

Task 3 – Physical Connectivity


Each Prisma SD-WAN site is connected by one or more physical connections.

Step 1: To view the physical connection, click on Configuration > Physical.

Step 2: Click on Spectrum Cable.

The ingress and egress underlay utilization of the Spectrum Cable connection will be displayed:

Step 3: To view the measured bandwidth, click the drop-down for Chart and select Bandwidth Capacity.

The Prisma SD-WAN system performs automatic carrier bandwidth capacity measurements. This is done
in a manner that does not affect performance of the connection by using a custom algorithm. The system
provides a view of throughput over time on a per connection basis which can be utilized to hold your
carrier accountable.

Step 4: Click on the in the top right-hand corner of the WAN Link view to return to the Connectivity
view.

Click on the in the top right-hand corner of the Connectivity view to return to the Configurations
panel.

Task 4 – Secure Fabric


The Secure Fabric is the collection of VPNs between Prisma SD-WAN sites and services such as Prisma
Access for Remote Networks.
The fabric supports multiple topologies including hub and spoke (default), partial mesh, and full mesh.

Step 1: To view the secure fabric links, click on Secure Fabric.

The Secure Fabric Management is displayed.

Connectivity is organized into 3 tabs:


• Branch to DC - Tunnels to Prisma SD-WAN hub locations.
• Branch to Branch - Tunnels from one Prisma SD-WAN branch to another Prisma SD-WAN branch.
• Branch to Standard VPN - IPSEC Tunnels connecting to services such as Prisma Access.

Each tab will:


• Detail the state of the tunnels.
• Allow an administrator to build new tunnels (Branch to Branch only).
• Allow an administrator to control the admin state (Up / Down) of a tunnel.
• View additional information about the tunnel such as:
o Bandwidth Use
o Link Quality

Step 2: Click on CGX AllStars DC1 to view additional tunnel information.

Click on the green line to view Bandwidth Use and Overall Link Quality.

Step 3: Click on the in the top right-hand corner of the Secure Fabric Link view.

Click the Configuration tab.

Task 5 – Devices
The physical or virtual devices are called IONs - Instant On Networks.

Step 1: To view the Device configuration, click on Branch 1 ION 3K.

The Basic Info is displayed for this ION device.

Step 2: Click on the Interfaces tab.

Interfaces are displayed in a visual and list format.

Step 3: Click on Port 1.

Note that the interface is used for Internet and there is an internet circuit label attached. When this is set,
the system automatically configures many parameters, including:

• Firewall rules are configured to only allow IPSEC and ESP inbound from the Internet to the device.
• A NAT boundary is defined, and any traffic that is configured (via policy) to go direct to the Internet will be automatically NATed to the interface IP address.
• Prisma SD-WAN VPN tunnels are automatically established to all hub nodes.

There are many more configuration options available including SNMP, Routing, Syslog, NTP, etc.

End of Activity 10

Activity 11 - Feedback on Ultimate Test Drive


Thank you for attending the Ultimate Test Drive workshop. We hope you enjoyed the presentation
and the labs that we have prepared for you. Please take a few minutes to complete the online
survey form to tell us what you think.

Task 1 – Take the online survey


Step 1: In your lab environment, click the Survey link from the left-hand column.

Step 2: Please complete the survey and let us know what you think about this workshop.
Drag the widget to the right to expand the window.

End of Activity 11.

Appendix-1: Network Diagram

LAB SETUP
