ULTIMATE
TEST DRIVE
Secure Access Service Edge
(SASE)
Workshop Guide
UTD-SASE 2.0 © 2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20221212 1
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS
Table of Contents
How to Use This Guide 4
Activity 0 – Initiate the UTD Workshop 5
Task 1 – Log In to Your Ultimate Test Drive Class Environment 5
Task 2 – Understand the UTD Environment Setup 6
Task 3 – Retrieve assigned Student-ID 7
Notes:
This workshop covers only basic topics and is not a substitute for training classes conducted by Palo Alto
Networks Authorized Training Centers. Please contact your partner or regional sales manager for more
information on available training and how to register for one near you.
Unless specified, a Chromium web browser will be used to perform any tasks outlined in the following
activities (Chromium is pre-installed on the Windows VMs).
Terminology:
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each tab, found in the left-hand column of each screen.
Step 2: Open a browser window and navigate to the class URL. If you have an invitation email, you will
find the class URL and passphrase there. Otherwise, your instructor will provide them.
Step 3: Complete the registration form and click Login at the bottom.
Step 4: Once you have logged in, the system will create a unique UTD environment for you. Please note
that this process may take a while, as indicated by the progress bar at the top of the screen.
Once the environment has been created, the system will display a welcome page.
This will display a list of all virtual systems that constitute the UTD environment.
Take note of the shortcut menu at the top of your browser window. You will use this menu throughout the
workshop to switch between the available desktops.
Review the diagram below to better understand the UTD environment setup.
Each student will be assigned a unique Student-ID which will be used for the configuration of your ZTNA
1.0 user and ZTNA 2.0 user VMs.
Step 1: Click the Student-ID tab. Click the Student-ID icon to launch the browser. The UTD-SASE:
Student-ID page should load.
Step 2: Enter your email and, for the Login key, use utd1234.
Click Join.
Step 3: Get Student-ID. Your Student-ID will be used throughout this workshop. It is important to use
your assigned value so as not to interfere with others who are doing this workshop.
End of Activity 0
Security isolation
• Customer A’s traffic is not mixed with customer B’s traffic – each has its own logical nodes.
Traffic is kept separate, including per-customer allocated public-facing IP addresses. This is
useful when creating SaaS IP policies, which should not include another customer’s IP addresses.
Explicit proxy
• Used when a desktop agent is not an option. Uses PAC files on the host.
End of Activity 1
Zero Trust Network Access (ZTNA) 1.0 is built to restrict access with coarse-grained network access
controls. This violates the principle of least privilege by treating applications as a network construct at
layers 3 and 4 (IP and port), providing limited control and far more access to users than necessary.
The “allow and ignore” model trusts and rarely verifies. Once access to an application is granted, that
communication is implicitly trusted forever. This assumes the user and the application will always behave
in a trustworthy manner, which is never the case. 100% of breaches occur on allowed activity, which an
“allow and ignore” model cannot prevent.
In this activity, you will access the network as a ZTNA 1.0 user without all of the Prisma Access
capabilities.
Step 3: From the system tray, click the icon and then GlobalProtect.
Step 5: In the GlobalProtect Login window, sign in to the GlobalProtect application with the following
credentials:
Username: ztna1-user[X] where [X] is your assigned Student-ID (e.g. ztna1-user25)
Password: Password1!
This will establish a secure tunnel from the ZTNA 1.0 User VM to the nearest available Prisma Access
gateway.
Note: You have been logged in based solely on the provided credentials and no security check of
your system has been done. In the ZTNA 1.0 model, the user does not get the benefit of
continuous trust verification based on ongoing user behavior. You could disable protections like
Anti-Virus and/or the firewall and would still be allowed to connect.
Depending on which CloudShare regional data center your workshop is originating from, you are likely to
see the Gateway as US-East, Netherlands Central, or Singapore.
Step 6: Click the Change Gateway drop-down to see the available gateways that are user selectable for
this Prisma Access tenant.
Note: You may get a notification that a new version of the GlobalProtect agent is available. You
may choose to update or not; it should not affect your lab.
Step 7: Click the hamburger icon then select Settings to bring up the GlobalProtect Settings
window.
Under Connections, see the details of this connection to the Prisma Access gateway.
Step 1: From the ZTNA 1.0 User VM, double-click the SMB batch file on the Desktop.
A cmd window will temporarily pop up and execute the command to mount the remote SMB share.
Step 3: From File Explorer, double-click the SMB icon for share (\\192.168.251.50) (Z:).
Step 4: Click and drag the benign and malicious zip files from the remote share to your desktop.
Both files should copy over without being blocked. The ZTNA 1.0 user does not have the benefit of a full
security stack capable of inspecting all applications.
Step 5: Close the File Explorer window by clicking the X in the upper-right corner.
Step 1: From the ZTNA 1.0 User VM, click the PuTTY icon on the Taskbar.
Step 2: From the PuTTY Configuration window, select SSH over port 445 and then click the Load
button.
This populates 192.168.251.100 as the IP address and 445 as the port.
Click Open.
Step 3: You have been allowed to connect to an SSH server over port 445.
Port-based rules leave you exposed, and least-privilege access is violated.
As there is nothing further needed to show, click the X icon in the upper-right corner to close the
connection.
Step 1: From the ZTNA 1.0 User VM, click the Command Prompt icon on the Taskbar.
Step 4: From Windows Security, click Virus & threat protection under Security at a glance.
Step 5: Click Manage Settings under Virus & threat protection settings.
Windows will inform you that virus protection has been turned off.
Step 7: From the Command Prompt window, type ping 8.8.8.8 again. The ping will go out uninterrupted.
This is due to the lack of continuous trust verification in the ZTNA 1.0 model.
End of Activity 2
Prisma Access is built to secure all users and applications, with fine-grained user-app access controls.
This allows you to fully realize the principle of least privilege by operating at layers 3–7, providing the most
granular access control possible, at both the app and sub-app levels.
It secures all the applications, all of the time. This works consistently for all the applications, including
modern cloud-native apps, SaaS apps, and legacy private apps. This includes applications that use
dynamic ports and apps that leverage server-initiated connections.
In this activity, you will access the network as a ZTNA 2.0 user with the additional Prisma Access security
protections.
Step 3: From the system tray, click the icon and then GlobalProtect.
Step 5: In the GlobalProtect Login window, sign in to the GlobalProtect application with the following
credentials:
Username: ztna2-user[X] where [X] is your Student-ID (e.g. ztna2-user25) – be sure to use ztna2
Password: Password1!
This will establish a secure tunnel from the ZTNA 2.0 User VM to the nearest available Prisma Access
gateway.
Note: You have been logged in based on your credentials and because your system’s HIP (Host
Information Profile) has been verified as compliant with company policy.
Step 7: Click the hamburger icon then select Settings to bring up the GlobalProtect Settings
window.
Under Connections, see the details of this connection to the Prisma Access gateway.
Step 8: Click Host Information Profile to learn more about what system information was collected.
Step 1: From the ZTNA 2.0 User VM, double-click the SMB batch file on the Desktop.
A cmd window will temporarily pop up and execute the command to mount the remote SMB share.
Step 3: From File Explorer, double-click the SMB icon for share (\\192.168.251.50) (Z:).
Step 4: Click and drag the benign and malicious zip files from the remote share to your desktop.
This time only the benign file will copy over. You will see an Interrupted Action pop-up because Prisma
Access inspects the SMB protocol, has detected the malicious file, and prevents it from being copied to
your local file system.
Step 5: Close the File Explorer window by clicking the X in the upper-right corner.
Step 1: From the ZTNA 2.0 User VM, click the PuTTY icon on the Taskbar.
Step 2: From the PuTTY Configuration window, select SSH over port 445 and then click the Load
button.
This populates 192.168.251.100 as the IP address and 445 as the port.
Click Open.
Step 3: Since you are only allowed to use the SSH protocol over its default port (22), you are not able to
connect to an SSH server on port 445. Least-privilege access ensures that App-ID inspects the traffic and
allows only SMB over port 445.
The connection will eventually time out and you will see the below message.
Click the OK button and then X icon in the upper-right corner to exit PuTTY.
Step 1: From the ZTNA 2.0 User VM, click the Command Prompt icon on the Taskbar.
Step 4: From Windows Security, click Virus & threat protection under Security at a glance.
Step 5: Click Manage Settings under Virus & threat protection settings.
Windows will inform you that virus protection has been turned off.
Step 7: A GlobalProtect Notification window will pop up informing you that your system is no longer
compliant with company policy.
Step 8: From the Command Prompt window, type ping 8.8.8.8 again.
Step 9: Return to the Windows Security window and re-enable Real-time protection and
Cloud-delivered protection.
Step 10: The GlobalProtect Notification window will now inform you that your system is compliant again,
as the HIP check once more meets company policy.
Step 11: From the Command Prompt window, ping 8.8.8.8 again.
Step 12: From the Windows Security window, click the X to close it.
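The behaviour contrasted in Activities 2 and 3 (SSH over port 445 allowed by a port-based rule but denied by an application-aware one, and ping allowed regardless of posture for the ZTNA 1.0 user but only while the HIP is compliant for the ZTNA 2.0 user) can be modelled as a small first-match rulebase evaluator. This is an added example, not the guide's or Prisma Access's own policy code; apart from "ZTNA-2.0 Outbound traffic to WAN", the rule names, field names and zone mapping are assumptions.

```python
# Added example (not the guide's or Prisma Access's own code): a toy rulebase
# evaluator contrasting port-based ZTNA 1.0 rules with application-aware
# ZTNA 2.0 rules that also require a compliant HIP. Rule names other than
# "ZTNA-2.0 Outbound traffic to WAN", all field names and the zone mapping
# are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

LAB_PRIVATE_NET = ipaddress.ip_network("192.168.251.0/24")  # lab app servers


def zone_for(ip: str) -> str:
    """Assumed zone mapping: lab app servers are private, everything else is untrust."""
    return "private-apps" if ipaddress.ip_address(ip) in LAB_PRIVATE_NET else "untrust"


@dataclass(frozen=True)
class Flow:
    user_group: str       # group the User-ID maps to: "ztna1.0" or "ztna2.0"
    dst_ip: str
    dst_port: int         # 0 for ICMP, which has no port
    app: str              # application identified from the payload (App-ID)
    hip_compliant: bool   # latest posture report from the GlobalProtect agent
    dst_zone: str


def make_flow(user_group: str, dst_ip: str, dst_port: int, app: str, hip: bool) -> Flow:
    return Flow(user_group, dst_ip, dst_port, app, hip, zone_for(dst_ip))


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    user_group: str
    dst_zone: Optional[str] = None       # None = any zone
    dst_port: Optional[int] = None       # None = any port
    apps: FrozenSet[str] = frozenset()   # empty = any application
    require_hip: bool = False            # True = only match compliant hosts

    def matches(self, flow: Flow) -> bool:
        if self.user_group != flow.user_group:
            return False
        if self.dst_zone is not None and self.dst_zone != flow.dst_zone:
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        if self.apps and flow.app not in self.apps:
            return False
        # A HIP-gated rule simply stops matching once the host falls out of
        # compliance, so the flow drops through to the default deny.
        if self.require_hip and not flow.hip_compliant:
            return False
        return True


def evaluate(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for rule in rulebase:
        if rule.matches(flow):
            return rule.name, rule.action
    return "default-deny", "deny"


# ZTNA 1.0: the "application" is just a port. Nothing checks what actually
# runs on it and nothing looks at host posture after login.
ZTNA1_RULES = [
    Rule("ZTNA-1.0 Allow port 445", "allow", "ztna1.0", dst_port=445),
    Rule("ZTNA-1.0 Outbound traffic to WAN", "allow", "ztna1.0"),
]

# ZTNA 2.0: each rule names the application, pins it to its default port,
# scopes the destination zone and requires a compliant HIP.
ZTNA2_RULES = [
    Rule("ZTNA-2.0 Allow SMB", "allow", "ztna2.0", dst_zone="private-apps",
         dst_port=445, apps=frozenset({"smb"}), require_hip=True),
    Rule("ZTNA-2.0 Allow SSH", "allow", "ztna2.0", dst_zone="private-apps",
         dst_port=22, apps=frozenset({"ssh"}), require_hip=True),
    Rule("ZTNA-2.0 Outbound traffic to WAN", "allow", "ztna2.0",
         dst_zone="untrust", require_hip=True),
]


def lab_scenarios() -> Dict[str, Tuple[str, str]]:
    """The situations exercised in Activities 2 and 3, expressed as flows."""
    return {
        "ztna1 ssh over 445": evaluate(ZTNA1_RULES, make_flow("ztna1.0", "192.168.251.100", 445, "ssh", True)),
        "ztna1 ping, AV off": evaluate(ZTNA1_RULES, make_flow("ztna1.0", "8.8.8.8", 0, "ping", False)),
        "ztna2 smb over 445": evaluate(ZTNA2_RULES, make_flow("ztna2.0", "192.168.251.50", 445, "smb", True)),
        "ztna2 ssh over 445": evaluate(ZTNA2_RULES, make_flow("ztna2.0", "192.168.251.100", 445, "ssh", True)),
        "ztna2 ping, AV on": evaluate(ZTNA2_RULES, make_flow("ztna2.0", "8.8.8.8", 0, "ping", True)),
        "ztna2 ping, AV off": evaluate(ZTNA2_RULES, make_flow("ztna2.0", "8.8.8.8", 0, "ping", False)),
    }


if __name__ == "__main__":
    for name, (rule, action) in lab_scenarios().items():
        print(f"{name:20s} -> {action:5s} ({rule})")
```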
End of Activity 3
• Explore the limited user and application controls provided by the ZTNA 1.0 model
In this activity, the ZTNA 1.0 user is given a basic security posture with features such as URL filtering and
inline antivirus. The ZTNA 1.0 user can view sites such as espn.com but is unable to access gambling sites
based on company policy. Malware downloads using standard web applications are also blocked. SSL
decryption is also implemented.
Step 1: From the ZTNA 1.0 User VM, open the Chrome/Chromium browser from the Taskbar.
Step 5: From the Certificate window, note that Issued to: shows the site you are currently on, while
Issued by: shows Prisma Access, because SSL decryption is taking place.
Note: If prompted with a This website uses cookies pop-up, just click the X in the upper right-hand
corner.
Step 2: Scroll down to the section Download area using the secure, SSL enabled protocol HTTPS.
Step 3: Attempt to download any of the provided samples. The malware file is blocked.
Note that SSL decryption is taking place. You cannot protect what you cannot inspect.
Step 3: Once the connection is established, the default page will be displayed.
Step 5: Where this site was previously blocked due to URL filtering, it is successfully loaded with the Tor
Browser.
Step 6: Click on the lock icon to view the Tor circuit that was built in order to access this site.
Note: If prompted with a This website uses cookies pop-up, just click the X in the upper right-hand
corner.
Step 8: Scroll down to the section Download area using the secure, SSL enabled protocol HTTPS.
The same evasive techniques used by Tor can also bypass antivirus inspection. The ZTNA 1.0 user
represents a higher level of security risk without continuous trust validation, stronger application controls,
and security measures.
End of Activity 4
• Enterprise DLP
The ZTNA 2.0 user is subject to fine-grained user-app access controls. This allows you to fully realize the
principle of least privilege access.
Bridges are Tor relays that are not publicly listed so they cannot be identified easily.
Step 5: Click Use a bridge and then select obfs4 from the drop-down for Select a built-in bridge.
Step 6: Click Try Connecting Again from the top of the settings page.
Step 7: Another “Tor failed to establish a Tor network connection.” message will appear.
Snowflake leverages other users’ systems that have installed a plugin for a browser such as Chrome or
Firefox. That plugin allows other Tor users to tunnel traffic through their browser to obscure the source
address of their traffic and evade enterprise security controls.
Step 8: Click Try Connecting Again from the top of the settings page.
Step 9: After some time, the connection will fail again. If you do not wish to wait, click the cancel button.
Step 10: Click Try Connecting Again from the top of the settings page.
Click Next.
Step 4: You should be on the Overview page. If not, click Manage > Service Setup > Overview
Note: If you have a problem logging in, please try the Prisma Access-alternative tab.
Step 2: Navigate to Manage > Service Setup > GlobalProtect. Then click the GlobalProtect App tab.
Step 3: Scroll down to the User Status section and click on the number next to Current Users.
Step 4: All the currently logged-in users can be found here. You can Search for your assigned student-id
as well.
Each logged-in user is mapped to what is known as a User-ID. These users can also be
associated with group mappings, as we have done for the ZTNA 1.0 and ZTNA 2.0 users. These User-IDs
and group mappings can then be applied to security policies.
Step 5: Navigate to Manage > Configuration > Security Services > Security Policy
Step 7: Scroll down to the Security Policy Rules section. Then look for Mobile Users Container.
These are the security policies used in this lab. Under User you can see the ztna1.0 and ztna2.0 groups.
This is also reflected in the Name of the policy.
Step 8: Let us explore the security policies that were responsible for blocking the Tor Browser in the
previous task.
ZTNA-2.0 Deny traffic to known Tor nodes – Palo Alto Networks maintains and publishes an External
Dynamic List (EDL) of known Tor exit nodes. The destination IP address matches the EDL named Palo
Alto Networks – Tor exit IP addresses and is blocked. This EDL is constantly updated by Palo Alto
Networks. There are other built-in EDLs that can be found under Configuration > Objects > External
Dynamic Lists.
ZTNA-2.0 Deny evasive apps – This policy blocks applications known to employ evasive techniques.
You will see more in the next step.
ZTNA-2.0 Deny unwanted apps – Prohibited applications like BitTorrent and unknown TCP/UDP are
matched on this rule. This goes back to the least privilege model and these categories of apps should not
be allowed.
ZTNA-2.0 Outbound traffic to WAN – This is the standard security policy for the ZTNA 2.0 user to allow
traffic out to the Internet. All allowed traffic is subject to best-practice security profiles.
Step 9: Navigate to Manage > Configuration > Objects > Application Filters. The evasive-apps filter
matches on applications that fall under the category of networking and subcategory of encrypted-tunnel.
Step 1: From the ZTNA 2.0 User VM, click the Command Prompt icon on the Taskbar.
Step 5: This will simulate botnet “phone home” traffic and will be blocked.
Step 6: From the Command Prompt window, type ping 8.8.8.8 again.
Your user has been added to the malicious-user DUG and this traffic has been blocked.
Step 7: There is a 5-minute expiration timer configured for this DUG. You can wait, or trigger another
action by typing ping 1.1.1.1.
Step 9: From the Prisma Access tab, navigate to Activity > Logs > Log Viewer
You can search on source_user = 'ztna2-user[X]@pan-labs.net' where [X] is your assigned student-id.
This was the threat event that triggered the rest of the automated actions.
The malicious-user tag is the identifying object used in the next steps.
Step 12: Go to Manage > Configuration > Objects > Auto-Tag Actions.
The tagging rule indicates that when a botnet threat is detected, the malicious-user tag is added to that user.
Review the Remove malicious-user tag action to see what happened when you pinged 1.1.1.1.
Step 14: Go to Manage > Configuration > Objects > Dynamic User Groups.
The dynamic user group includes any user that has the malicious-user tag associated with it.
Step 16: Navigate to Manage > Configuration > Security Services > Security Policy. Scroll down to
the Mobile Users Container and review the security policy ZTNA-2.0 Deny ping for malicious-user.
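The chain reviewed in Steps 5 through 16 (threat log, auto-tag action, tag with expiration timer, dynamic user group, security rule keyed on the DUG) is small enough to model end to end. This is an added example, not the guide's or Prisma Access's own code; the log dictionaries, the matching criteria of the "Remove malicious-user tag" action and the student user name are constructed assumptions.

```python
# Added example (not the guide's or Prisma Access's own code): a toy model of
# the auto-tag chain in this task. A botnet threat log adds the malicious-user
# tag to the source user, the dynamic user group (DUG) is the set of users that
# currently carry the tag, "ZTNA-2.0 Deny ping for malicious-user" denies ping
# for DUG members, and the tag expires after the 5-minute timer. The log
# dictionaries, the criteria of the remove action and the user name are
# constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, Set

TAG = "malicious-user"
TAG_TIMEOUT = 300  # seconds: the 5-minute expiration timer configured for the DUG


@dataclass
class TagStore:
    # user -> {tag: expiry timestamp}
    tags: Dict[str, Dict[str, float]] = field(default_factory=dict)

    def add(self, user: str, tag: str, now: float, timeout: float) -> None:
        self.tags.setdefault(user, {})[tag] = now + timeout

    def remove(self, user: str, tag: str) -> None:
        self.tags.get(user, {}).pop(tag, None)

    def has(self, user: str, tag: str, now: float) -> bool:
        expiry = self.tags.get(user, {}).get(tag)
        if expiry is None:
            return False
        if now >= expiry:            # timer elapsed: drop the tag lazily
            self.remove(user, tag)
            return False
        return True


def dynamic_user_group(store: TagStore, tag: str, now: float) -> Set[str]:
    """DUG membership is derived from tags, never maintained by hand."""
    return {user for user in list(store.tags) if store.has(user, tag, now)}


def apply_auto_tag_actions(store: TagStore, log: dict, now: float) -> None:
    """The two Auto-Tag Actions reviewed in Step 12 (match criteria are assumptions)."""
    if log["type"] == "threat" and log["category"] == "botnet":
        store.add(log["source_user"], TAG, now, TAG_TIMEOUT)   # add malicious-user tag
    elif (log["type"] == "traffic" and log["app"] == "ping"
          and log["dst"] == "1.1.1.1"):
        store.remove(log["source_user"], TAG)                  # "Remove malicious-user tag"


def ping_allowed(store: TagStore, user: str, now: float) -> bool:
    """Security policy: deny ping when the user is in the malicious-user DUG."""
    return user not in dynamic_user_group(store, TAG, now)


def run_scenario(t0: float = 1000.0) -> Dict[str, bool]:
    """Replay Steps 5-7 against the model and record whether ping is allowed."""
    store = TagStore()
    user = "ztna2-user25@pan-labs.net"   # constructed: [X] = 25
    botnet_log = {"type": "threat", "category": "botnet", "source_user": user}
    untag_log = {"type": "traffic", "app": "ping", "dst": "1.1.1.1",
                 "source_user": user}
    result = {}
    result["before"] = ping_allowed(store, user, t0)
    apply_auto_tag_actions(store, botnet_log, t0)            # Step 5: phone-home detected
    result["after_threat"] = ping_allowed(store, user, t0 + 1)              # Step 6
    result["after_timeout"] = ping_allowed(store, user, t0 + TAG_TIMEOUT)   # Step 7, waiting
    apply_auto_tag_actions(store, botnet_log, t0 + 400)      # re-trigger to show the other path
    result["retagged"] = ping_allowed(store, user, t0 + 401)
    apply_auto_tag_actions(store, untag_log, t0 + 402)       # Step 7, ping 1.1.1.1 instead
    result["after_untag"] = ping_allowed(store, user, t0 + 403)
    return result


if __name__ == "__main__":
    for stage, allowed in run_scenario().items():
        print(f"{stage:14s} ping {'allowed' if allowed else 'denied'}")
```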
Step 1: From the Prisma Access tab, navigate to Manage > Configuration > Security Services > Data
Loss Prevention.
Data filtering profiles are a collection of data patterns that are grouped together to scan for a specific
object or type of content. To perform content analysis, the predefined data profiles have data patterns that
include industry-standard data identifiers, keywords, and built-in logic in the form of machine learning,
regular expressions, and checksums for legal and financial data patterns. When you use the data filtering
profile in a Data Filtering policy rule, the firewall can inspect the content for a match and take action.
Step 2: Click ZTNA-2.0 DLP to see the Data Patterns being used in this profile.
Step 3: Go to Data Loss Prevention > Detection Methods > Data Patterns.
Predefined data patterns and built-in settings make it easy for you to protect files that contain certain file
properties (such as a document title or author), credit card numbers, regulated information from different
countries (such as driver’s license numbers), and third-party DLP labels. To improve detection rates for
the sensitive data in your organization, you can supplement the predefined data patterns with custom
data patterns that are specific to your content inspection and data protection requirements. In a custom
data pattern, you can also define regular expressions and file properties to look for metadata or attributes
in the file's custom or extended properties and use it in a data filtering profile.
Step 4: From the ZTNA 2.0 User VM, open the DLP > DLP website upload bookmark from the browser.
Step 6: From the File Explorer pop-up, click Desktop on the left-hand column and select
Customer_data.
Click Open.
Step 9: Open the DLP > DLP OneDrive upload bookmark from the browser.
Step 11: From the File Explorer pop-up, click Desktop on the left-hand column and select
Customer_data.
Click Open.
Step 13: From the Prisma Access tab, go to Activity > Logs > DLP Incidents.
Step 14: Click on one of the Customer_data.docx entries to bring up the details of that incident.
Enterprise DLP extracts a snippet of the sensitive data that caused the alert or block notification. A
snippet enables forensics by allowing you to verify why an uploaded file generated an alert notification or
was blocked. By default, Enterprise DLP uses data masking to partially mask the snippets to prevent the
sensitive data from being exposed. You can configure this behavior from Panorama to completely mask
the sensitive information, unmask the snippets, or disable snippet extraction and viewing.
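The two ideas this activity describes (a data pattern built from a regular expression plus a checksum, from Steps 1 and 3, and partial masking of the extracted snippet, from Step 14) are shown together below on a constructed stand-in for the Customer_data upload. This is an added example, not the guide's or Enterprise DLP's own patterns or masking rules; the sample text, the keep-last-four masking rule and the profile name are assumptions.

```python
# Added example (not the guide's or Enterprise DLP's own code): a toy data
# pattern in the spirit of this section. A regular expression finds candidate
# payment card numbers, a Luhn checksum confirms them (the "built-in logic ...
# checksums" the guide mentions), and matching snippets are partially masked
# before being recorded for incident review. The sample text, the masking rule
# (keep the last four digits) and the profile name are constructed.
import re
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by spaces or dashes, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check: filters out numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[Tuple[int, int]]:
    """Return (start, end) spans of regex hits that also pass the checksum."""
    spans = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            spans.append((m.start(), m.end()))
    return spans


def mask_match(match: str, keep_last: int = 4) -> str:
    """Partial masking: every digit except the last `keep_last` becomes X."""
    n_digits = sum(ch.isdigit() for ch in match)
    out, seen = [], 0
    for ch in match:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > n_digits - keep_last else "X")
        else:
            out.append(ch)
    return "".join(out)


def scan_document(text: str, profile: str = "ZTNA-2.0 DLP") -> Dict:
    """Apply the profile to an upload and build the incident record."""
    spans = find_card_numbers(text)
    return {
        "profile": profile,
        "action": "block" if spans else "allow",
        "match_count": len(spans),
        # Only the masked snippet is stored; it is enough to verify the verdict
        # without re-exposing the full number to whoever reviews the incident.
        "snippets": [mask_match(text[s:e]) for s, e in spans],
    }


# Constructed stand-in for the Customer_data.docx upload in this activity.
SAMPLE_DOC = (
    "Alice Example, card 4111 1111 1111 1111, exp 12/26\n"
    "Bob Example, card 4111-1111-1111-1112, exp 01/27\n"    # fails Luhn: not a card
    "Carol Example, card 5555 5555 5555 4444, exp 03/28\n"
    "Order reference 1234 5678 9012 3456\n"                 # looks like a PAN, fails Luhn
)

if __name__ == "__main__":
    print(scan_document(SAMPLE_DOC))
```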
End of Activity 5
Millions of new cyberthreats emerge every year, with organizations constantly racing to prevent them.
Leveraging cloud-scale resources, automation, and other techniques, today’s adversaries enjoy some
inherent advantages: the ability to spread their attacks more quickly than ever, and the ability to deploy
polymorphic malware and malicious content that evades detection by constantly changing its identifiable
features.
Palo Alto Networks has delivered the world’s first ML-Powered Next-Generation Firewall (NGFW),
providing inline machine learning (ML) to block unknown file- and web-based threats. Using a patented
signatureless approach, WildFire and URL Filtering proactively prevent weaponized files, credential
phishing, and malicious scripts without compromising business productivity. Palo Alto Networks hardware,
virtual NGFW, and Prisma Access can apply new ML-based prevention capabilities:
• WildFire inline ML inspects files at line speed and blocks malware variants of portable executables,
PowerShell files, as well as Linux executables, which account for a disproportionate share of
malicious content.
• URL Filtering inline ML inspects unknown URLs at line speed. This feature can identify phishing
pages and malicious JavaScript in milliseconds, stopping them inline so nobody in your network ever
sees them.
Step 2: The file will start to download. As soon as WildFire Inline ML detects the threat, the connection is
reset, and the download fails.
Step 3: From the Prisma Access tab, go to Activity > Logs > Log Viewer > Firewall/Threat.
To help filter for your result, search for sub_type.value = 'ml-av' AND source_user =
'ztna2-user[X]@pan-labs.net' where [X] is your assigned student-id.
Step 4: Click on the details icon to get more information on this entry. Expand this by clicking Log
Details >.
Note that the subtype is ml-av which indicates this file was determined to be malicious due to WildFire
Inline ML. You can explore the many other details available.
Step 5: You can review the other associated logs by clicking on the log type / timestamp on the left. It is
easy to pivot from the threat log to the traffic log.
Step 2: The page will start to display. Once the URL Filtering Inline ML engine detects the content as a
phishing site, the connection is reset.
Step 3: From the Prisma Access tab, go to Activity > Logs > Log Viewer > Firewall/URL.
To help filter for your result, search for inline_ml_verdict.value = 'phishing' AND source_user =
'ztna2-user[X]@pan-labs.net' where [X] is your assigned student-id.
Step 4: Click on the details icon to get more information on this entry. Expand this by clicking Log
Details >.
Note that the Inline ML Verdict is phishing which indicates this site was determined to be malicious due
to URL Filtering Inline ML.
Step 5: As before, you can pivot to any associated logs from here.
End of Activity 6
Prisma Access Cloud Management is a simple yet powerful cloud-delivered solution that enables
comprehensive security management through a single security rule base, with simplified workflows to
address use cases in threat prevention, URL filtering, application awareness, user identification,
sandboxing, file blocking, and access control. It provides complete visibility into the entire deployment
alongside actionable insights to help improve the end user experience. This crucial simplification of
security management and continuous assessment of Palo Alto Networks-defined best practices allow you
to improve your organization’s security posture. Key features include:
Configuration
• Intuitive workflows to quickly onboard remote users and locations to Prisma Access
• Out-of-the-box defaults to simplify configuration and accelerate time to value
• Cloud native platform with a unified management experience
Automation
• Alerts and notifications for service outages
• Proactive assistance capabilities to maintain the health of the deployment
• Autonomous Digital Experience Management (ADEM) for insights across the entire service
delivery path
Click Next.
Step 4: You should be on the Overview page. If not, click Manage > Service Setup > Overview.
Streamlined workflows and intuitive navigation let you complete complex configuration tasks with ease.
You can onboard mobile users and remote networks using predefined configuration and templates. For
example, pre-built tunnel configuration is available to easily onboard remote sites and branches.
Step 1: This Prisma Access tenant has already been onboarded. Please review the short videos at
https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-cloud-managed-admin.html
Best practice guidance aims to help you bolster your security posture, but also to help you manage your
environment efficiently and to best enable user productivity. Continually assess your configuration against
these inline checks - and when you see an opportunity to improve your security, take action then and
there.
This provides a high-level view of how you are doing and helps pinpoint areas where you might want to
start taking action.
Step 2: Go to Manage > Configuration > Security Services > Security Policy. Make sure Rulebase is
selected.
Best practice scores are displayed on a feature dashboard (security policy, decryption, or URL Access
Control, for example). These scores give you a quick view into your best practice progress. At a glance,
you can identify areas for further investigation or where you want to take action to improve your security
posture.
Step 3: Click Failed Rulebase Checks. Expand the Best Practice Check Name to get more details
and the recommended action to take.
Where applicable, references to Center for Internet Security and National Institute of Standards and
Technology controls are listed.
Step 4: Field-level checks show you exactly where your configuration does not align with a best practice.
Best practice guidance is provided inline, so you can immediately take action.
Hover the cursor over the BPA Verdict to get the recommended action.
Step 5: Click on any policy name with a Fail for BPA Verdict.
Field-level checks show you exactly where your configuration does not align with a best practice. Best
practice guidance is provided inline, so you can immediately take action.
Step 7: Go to Manage > Configuration > Security Services > Security Policy. Then click Best
Practices.
Step 8: Here you can get a comprehensive view into how your implementation of each feature aligns with
best practices. Examine failed checks to see where you can make improvements (you can also review
passed checks). Rule base checks highlight configuration changes you can make outside of individual
rules, for example to a policy object that is used across several rules.
Enable security features with ease by efficiently configuring security policies, services, and other
capabilities within a single flow.
Step 1: Navigate to Manage > Configuration > Security Services > Vulnerability Protection. Make
sure Configuration is selected.
Profiles are how you enable security services - like Threat Prevention, WildFire, and URL Filtering - for
your network traffic. Profiles perform advanced inspection for traffic that a security rule allows; they scan
for and prevent threats, attacks, misuse, and abuse.
Best practice security profiles are built into Prisma Access and enabled by default. Best practice checks
are also provided inline, so that you can continuously assess your configuration and improve your
security posture. For customization, management, and visibility into each security profile type, you can
visit the profile dashboard.
Profile dashboards consolidate profile configuration; everything you need to set up and manage profiles is
in one place. The dashboards also give you access to all the features a profile offers and resources you
can use to inform profile updates (for example, content release updates, the Threat Vault, and PAN-DB
site classifications).
You can see that the latest Application and Threats Content release notes are easily accessible.
Click Cancel.
Step 6: Navigate to Manage > Configuration > Security Services > Decryption.
Identify encrypted traffic that you want to inspect for visibility, control, and granular security. Decryption
policy rules allow you to define traffic to decrypt and the type of decryption you want to perform on the
indicated traffic. All you need to do to start decrypting traffic is set up the certificates Prisma Access
requires to act as a trusted third-party to a session. For everything else, we’ve built in best practice
decryption settings, including settings to exclude sensitive content from decryption, as well as sites that
are known to not work well when decrypted. Everything you need is in a single location.
Task 5 – Visibility
Prisma Access Cloud Management provides comprehensive visibility across the entire deployment. In the
Logs tab, you can view and query across all the Prisma Access logs, including traffic, threat,
authentication, and system logs. You can filter on specific entries and view related logs to troubleshoot
any issues. The solution also provides proactive health assurance for the entire Prisma Access
deployment.
Step 1: From the left-hand navigation pane, click on Activity > Logs > Log Viewer.
Prisma Access Cloud Management provides Network logs (Traffic, Threat, URL, File, HIP Match) and
Common logs (System and Configuration).
You can view details for each log entry, and for threat logs, you can review threat details and see if there
are any threat overrides in place.
Step 2: Click the icon to bring up the Log Details for that entry.
Task 6 – Reporting
In the Dashboards tab, you can view application usage, Prisma Access usage, and user activity reports.
You can email or even schedule these reports to share with your stakeholders.
Step 1: From the left-hand navigation pane, click on Activity > Dashboards.
• Application Usage - Know the security challenges associated with the applications traversing your
network. Key findings here can help you to refine your security policy to control unsanctioned and
risky applications.
• Prisma Access Usage - See how you’re leveraging what’s available to you with your Prisma Access
license and get a high-level view into the health and performance of your environment.
• User Activity - Get visibility into an individual user's browsing patterns: their most frequently visited
sites, the sites with which they're transferring data, and attempts to access high-risk sites.
• Best Practices - Assess your security posture against Palo Alto Networks’ best practice guidance.
Best practices include checks for the Center for Internet Security’s Critical Security Controls (CSC).
Take action based on these findings to optimize your security posture.
• Executive Summary - Surfaces key security takeaways – see how your subscriptions are protecting
you and where subscriptions you’re not using could close security gaps.
• Proactive Assistance
  o More than 20 alerts of varying severity - contextualized alerts that warn of service-related issues,
    such as tunnel failures.
  o Consolidated alert views - a centralized view of all network alerts, with in-app and email
    notifications.
• Capacity Planning
  o License consumption - current and projected consumption for remote networks and mobile users
    compared with allocated and purchased bandwidth.
  o Consumption trends - current and projected trends for bandwidth consumption and mobile user
    deployment.
End of Activity 7
It is not enough for network administrators to set it and forget it. They need visibility to verify that their
intended policy actually took effect, as well as be able to profile the application from the perspective of
Layer 7 reachability and verify its performance.
Typically, other solutions require a third-party NetFlow collector to gain these types of insights, which is
yet another system to manage and maintain just to gain visibility into the applications on your network.
Even if such a system were properly configured to collect and analyze the data, because the information is
collected from a packet-based architecture, a book-ended solution (a probe at each end of the path) is
required; otherwise, key performance indicators will be missing.
With Prisma SD-WAN, you gain immediate visibility into the changes made to the policy and application
performance from a variety of perspectives. All of this without having to set up a third party NetFlow
collector or some add-on to the base platform.
Let's explore the analytics captured and displayed for the top applications.
Click Login.
Step 4: Click into the Password field. Select your assigned login.
Click Login.
Network analytics will be shown. The default Time Frame is last day (1D).
Step 2: In the left-hand column, under Quick Filters, click Clear Filters then click the pencil icon for
Sites.
Select Branch 1.
Click Done.
Step 3: Again, under Quick Filters, click the pencil icon for Apps.
In the drop-down box for VIEWING > Top Apps by…, select Traffic Volume.
Click Done.
Click Update
Step 4: Both the Bandwidth Utilization and Transaction Stats graphs have updated with new
information.
The Bandwidth Utilization graph details how much bandwidth each of the top 10 applications is using
over the course of the past day, measured in 5-minute increments.
Transaction (TXN) Failures usually represent loss somewhere in the network path, inside or outside of
the direct control of the app-fabric.
Step 5: Click Apps on the Transaction Stats window and select WebPoS.
Prisma SD-WAN also captures and aggregates transaction stats on a per app, per server basis.
Note: WebPoS is a user-defined custom L7 application. We'll explore what this means in the next activity.
Click the blue lightning bolt in the top-left of the Transaction Stats window. A new page is displayed
with accounting of transaction statistics for WebPoS on a per prefix (server) basis.
Click anywhere outside the window to return to the Network Analytics page.
Step 6: Click Apps on the App Response Time window and select WebPoS.
Prisma SD-WAN measures application performance as close as possible to the user, which is at the
branch. In fact, many Prisma SD-WAN customers refer to this graph as their Time to Innocence graph.
Application Performance is measured across several key metrics including:
• Server Response Time (SRT) - SRT represents the amount of time the server is waiting to fetch
data before putting it on the wire.
• Round Trip Time (RTT) - RTT represents the round trip time of the TCP traffic while on the wire.
• Network Transmission Time, Normalized (NTTn) - Time consumed by the network for processing
application requests normalized to an iMIX packet size.
• UDP Transaction Round Trip (UDP-TRT) - If DNS is the selected application, this metric is used to
gauge the DNS response time.
Step 4: From Quick Filters, click the checkbox for WANs. Select Update when prompted to update
charts.
Step 5: From the top of the page, confirm scope is set to viewed by WANs.
Step 6: Under Quick Filters, click the pencil icon for Sites.
Step 7: Under Quick Filters, click the pencil icon for Media Apps.
Click Done.
Step 8: Media analytics for the RTP audio sessions are now displayed.
Audio Bandwidth - The amount of bandwidth that the RTP audio streams are consuming.
Audio Jitter - The variance in delay (ms) of the RTP audio traffic.
Audio Packet Loss - The packet loss % of the RTP audio traffic.
Audio MOS Score - The Mean Opinion Score of the audio traffic calculated using industry standard
metrics.
Note that extreme network conditions have been introduced into this environment to cause Prisma SD-
WAN to react to quality issues.
Note that the above metrics default to displaying the Ingress metrics, which are measured on the traffic
coming into the branch site from the WAN. Egress traffic is measured from the branch LAN going to the
WAN. The view can easily be changed between Ingress and Egress on each individual graph.
Step 3: Under Quick Filters, click the pencil icon for Sites.
Step 5: The graphs are now populated with detailed link quality metrics.
• Overall Link Quality - A simple chart representing whether the link is generally good enough (or not)
to support a real-time media session. By default, a good link is defined as having less than 150ms of
latency, 50ms of jitter, and 3% packet loss; a link that breaches any one of these is not good. The
thresholds can be tuned on a per app / per connection basis.
• Link Latency - The round-trip latency between Branch 1 and DC 1.
• Link Jitter - The uni-directional jitter between Branch 1 and DC 1.
• Link Packet Loss - The uni-directional packet loss between Branch 1 and DC 1.
• Link MoS - A synthetic calculation of the Mean Opinion Score based upon the link metrics.
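The link-quality verdict and the synthetic MOS described above can be reproduced in a few lines. What follows is an added example, not Prisma SD-WAN code: it applies the default thresholds quoted above (150 ms latency, 50 ms jitter, 3% loss), lets them be overridden per application or connection, and estimates a MOS from the same three link metrics using the simplified ITU-T G.107 E-model (R-factor) that VoIP monitoring tools commonly use. The E-model is an assumption standing in for the vendor's undisclosed calculation, and every measurement below is constructed.

```python
"""Link-quality classification and a synthetic MOS estimate.

Added example, not vendor code. Thresholds follow the guide's stated
defaults; the MOS formula is the simplified ITU-T G.107 E-model and is an
assumption (the product's own synthetic MOS is not published here).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkSample:
    """One measurement interval on a path, e.g. Branch 1 -> DC 1 (constructed)."""
    latency_ms: float   # round-trip latency
    jitter_ms: float    # uni-directional jitter
    loss_pct: float     # uni-directional packet loss, 0..100


@dataclass(frozen=True)
class Thresholds:
    """Good-link limits; override per app or per connection as needed."""
    latency_ms: float = 150.0
    jitter_ms: float = 50.0
    loss_pct: float = 3.0


def failed_metrics(s: LinkSample, t: Thresholds = Thresholds()) -> list:
    """Return the metrics that breached their limit (empty list means good)."""
    failed = []
    if s.latency_ms >= t.latency_ms:
        failed.append("latency")
    if s.jitter_ms >= t.jitter_ms:
        failed.append("jitter")
    if s.loss_pct >= t.loss_pct:
        failed.append("loss")
    return failed


def link_is_good(s: LinkSample, t: Thresholds = Thresholds()) -> bool:
    """A link is good only if every metric is under its threshold."""
    return not failed_metrics(s, t)


def r_factor(s: LinkSample) -> float:
    """Simplified E-model R-factor from delay, jitter and loss (assumption)."""
    # Jitter is charged as extra delay the playout buffer must absorb; the
    # +10 ms approximates codec and packetisation delay.
    eff_delay = s.latency_ms + 2.0 * s.jitter_ms + 10.0
    if eff_delay < 160.0:
        r = 93.2 - eff_delay / 40.0
    else:
        r = 93.2 - (eff_delay - 120.0) / 10.0
    return r - 2.5 * s.loss_pct


def mos(s: LinkSample) -> float:
    """Map the R-factor onto the 1.0 .. 4.5 MOS scale (G.107 mapping)."""
    r = r_factor(s)
    if r < 0.0:
        return 1.0
    if r > 100.0:
        return 4.5
    return 1.0 + 0.035 * r + 7e-6 * r * (r - 60.0) * (100.0 - r)


def assess(s: LinkSample, t: Thresholds = Thresholds()) -> dict:
    """Verdict in the shape a dashboard row would carry."""
    return {"good": link_is_good(s, t), "failed": failed_metrics(s, t),
            "r": round(r_factor(s), 1), "mos": round(mos(s), 2)}


# Constructed samples: a clean link, a link with extreme conditions injected,
# and a link that is only bad on jitter.
CLEAN = LinkSample(latency_ms=20.0, jitter_ms=2.0, loss_pct=0.0)
DEGRADED = LinkSample(latency_ms=200.0, jitter_ms=60.0, loss_pct=8.0)
JITTERY = LinkSample(latency_ms=100.0, jitter_ms=55.0, loss_pct=0.0)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("degraded", DEGRADED), ("jittery", JITTERY)):
        print(name, assess(sample))
    # A stricter per-app profile, e.g. for a latency-sensitive PoS app:
    print("pos-profile", assess(LinkSample(120.0, 5.0, 0.0), Thresholds(latency_ms=100.0)))
```

The verdict is a strict AND over the three limits, which is why a link with acceptable latency and loss can still show as not good when only jitter is out of range; the MOS, by contrast, degrades continuously and is what the per-link MoS chart tracks.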
Step 3: Under Quick Filters, click the pencil icon for Sites.
Step 4: The Flow Browser will display the most recent 1000 flows.
Each column can be clicked to sort the data. Click the PKTS (packets) column twice to sort by the
number of packets from highest to lowest.
Each row provides detailed information about the flow. We'll cover some of the top used information:
• Flow Decision Bitmap - A detailed accounting of why a flow decision was made.
• Hovering over the Flow Decision Data (click Advanced Info) will reveal additional information about
the path selection determination for the flow.
• Source IP (Port)
• Destination (Port)
• Application name
• Path Information - What Path policy criteria was matched to.
• QoS Information - What QoS policy criteria was matched to.
• Security Information - What Security policy (ZBFW) criteria was matched.
• Chosen WAN Path - Which path the app-fabric chose for the application session.
• EndPoint - Which DC or Service Group was chosen to send the traffic to (if applicable).
• Domain Detected - What domain (if any) was detected for the flow.
• Start and end time of the flow.
• DSCP Fields Detected
• TCP Specific Fields - Similar to Wireshark, the app-fabric provides TCP accounting for each flow. This
includes OOO (out-of-order), SACK, retransmit, RST, SYN, and FIN counts. This information is useful
when troubleshooting application / network issues.
• VLAN ID
• Application Performance Metrics - Just like at the application/site level, the App-Fabric provides
performance accounting on a per application session basis. This information is crucial in separating
server issues from network issues.
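As an added example (not the vendor's code), the following triage runs over Flow Browser-style records constructed here to mirror the columns above, and uses the TCP counters together with SRT and RTT to separate a lossy path from a slow server, a session torn down by RST (ZBFW deny or server refusal), and a handshake that never completed. The thresholds are illustrative assumptions, not Prisma SD-WAN defaults.

```python
"""Per-flow triage from Flow Browser style records.

Added example, not vendor code. Field names mirror the Flow Browser
columns described in the guide; the records and thresholds are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    HEALTHY = "healthy"
    NETWORK = "network"            # loss or reordering on the path
    SERVER = "server"              # clean path, slow application server
    RESET = "reset"                # torn down by RST: ZBFW deny or server refusal
    NO_HANDSHAKE = "no-handshake"  # SYNs only: blocked or unreachable


@dataclass(frozen=True)
class FlowRecord:
    app: str
    src: str
    dst: str
    dport: int
    pkts: int
    syn: int
    fin: int
    rst: int
    retransmits: int
    ooo: int                    # out-of-order segments
    sack: int                   # selective-ack events
    srt_ms: Optional[float]     # server response time; None if never measured
    rtt_ms: Optional[float]     # TCP round trip on the wire; None if never measured


def triage(f: FlowRecord, *, loss_ratio: float = 0.02,
           rtt_limit_ms: float = 250.0, srt_limit_ms: float = 500.0):
    """Return (Verdict, reason) for one flow. Thresholds are illustrative."""
    if f.rst and not f.fin:
        return Verdict.RESET, f"{f.rst} RST with no FIN"
    if f.srt_ms is None and f.rtt_ms is None:
        return Verdict.NO_HANDSHAKE, f"{f.syn} SYN, no data exchanged"
    # Retransmits, OOO and SACK all point at the path, not the server.
    impaired = f.retransmits + f.ooo + f.sack
    ratio = impaired / f.pkts if f.pkts else 0.0
    if ratio >= loss_ratio or (f.rtt_ms is not None and f.rtt_ms > rtt_limit_ms):
        return Verdict.NETWORK, f"{impaired}/{f.pkts} impaired segments, RTT {f.rtt_ms} ms"
    # Path is clean; a large SRT means the server sat on the request.
    if f.srt_ms is not None and f.srt_ms > srt_limit_ms:
        return Verdict.SERVER, f"SRT {f.srt_ms} ms with RTT {f.rtt_ms} ms"
    return Verdict.HEALTHY, "within limits"


def summarize(flows) -> dict:
    """Count verdicts per application, e.g. {'WebPoS': {'network': 2, ...}}."""
    out = {}
    for f in flows:
        verdict, _ = triage(f)
        out.setdefault(f.app, {}).setdefault(verdict.value, 0)
        out[f.app][verdict.value] += 1
    return out


# Constructed records (app, src, dst, dport, pkts, syn, fin, rst,
# retransmits, ooo, sack, srt_ms, rtt_ms).
SAMPLE_FLOWS = [
    FlowRecord("WebPoS", "10.1.1.10", "10.200.0.5", 8443, 400, 1, 1, 0, 1, 0, 0, 30.0, 20.0),
    FlowRecord("WebPoS", "10.1.1.11", "10.200.0.5", 8443, 300, 1, 1, 0, 12, 5, 4, 40.0, 90.0),
    FlowRecord("WebPoS", "10.1.1.12", "10.200.0.5", 8443, 200, 1, 1, 0, 0, 0, 0, 1800.0, 25.0),
    FlowRecord("salesforce", "10.1.1.11", "203.0.113.10", 443, 3, 1, 0, 1, 0, 0, 0, None, None),
    FlowRecord("ssh", "10.1.1.12", "10.200.0.9", 22, 4, 4, 0, 0, 3, 0, 0, None, None),
    FlowRecord("WebPoS", "10.1.1.13", "10.200.0.5", 8443, 500, 1, 1, 0, 2, 0, 0, 50.0, 400.0),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        verdict, reason = triage(f)
        print(f"{f.app:<11} {f.src} -> {f.dst}:{f.dport}  {verdict.value:<13} {reason}")
    print(summarize(SAMPLE_FLOWS))
```

The order of the checks matters: a RST with no FIN is judged before any timing, because SRT and RTT are meaningless for a session the firewall or server refused, and a flow with only SYNs is separated from a lossy flow so that a blocked destination is not misread as path loss.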
Step 6: Under Quick Filters, click the pencil icon for Apps.
Click Done.
Just like a TCP application you will have detailed information about the RTP call. However, instead of
TCP specific metrics there will be real-time media specific metrics including:
• Flow Decision Bitmap - A detailed accounting of why a flow decision was made.
• Hovering over the Flow Decision Data will reveal additional information about the path selection
determination for the flow.
• Source IP (Port)
• Destination (Port)
• Application name
• Path Information - What Path policy criteria was matched to.
• QoS Information - What QoS policy criteria was matched to.
• Security Information - What Security policy (ZBFW) criteria was matched to.
• Chosen WAN Path - Which path the app-fabric chose for the application session.
• EndPoint - Which DC or Service Group was chosen to send the traffic to (if applicable).
• Domain Detected - What domain (if any) was detected for the flow.
• Start and end time of the flow
• DSCP Fields Detected
• Codec - The detected codecs used throughout the life of the call in each direction.
• VLAN ID
• RTM Performance - Bidirectionally measured min/max/average of:
o Packet loss
o Jitter
o MoS
End of Activity 8
Prisma SD-WAN provides a complete policy framework designed to fit the needs of the user and the
application. This is achieved by applying Path, QoS, Security, and NAT (if applicable) rules on a per-
application basis.
Consider an organization that has recently made the shift to adopt cloud services such as Microsoft Office
365 and Salesforce. To date its security policy dictated that all traffic destined for the Internet must transit
through the centralized data center firewalls via the private WAN. After numerous complaints about
application performance for Office 365 and Salesforce, the security team grants an exception to allow
both of these applications to go direct to the Internet since they are encrypted and trusted applications.
Given that Prisma SD-WAN is an application-defined architecture that operates at the application-session
level, the network administrator can easily accomplish the task of selectively sending Office 365 and
Salesforce traffic direct to the Internet.
In this activity we'll verify that the operations team has correctly configured the system to achieve the user
intent by reviewing:
• Application Definitions
• Path Policies
• QoS Policies
As the name suggests, Prisma SD-WAN is an application-based system. Not only does Prisma SD-WAN
use a purpose-built application ID engine to perform app identification, but it is also an essential
component of the system. In other words, it's not a feature that can be turned on or off, but a core part of
how the system works.
System Apps
• These are applications maintained by the Palo Alto Networks team for commonly used applications.
• There are over 500 applications out of the box.
• Application definitions are automatically updated as needed, typically 1-2 times per quarter.
• Users can optionally add overrides to the default system applications.
Custom Apps
• These are applications created and maintained by the customer.
Both System Apps and Custom Apps can match on many criteria
• L7 Rule - Use a domain name to match the application.
• L3/L4 Rule - Use a combination of Prefix filters (source and/or destination), protocols, and port
numbers to match the application.
• Signature - Some system applications also leverage deep packet inspection and a subsequent
signature to identify the application.
Each application definition includes configuration options that help the system determine how to handle
the traffic. These options are:
• App Category - Used primarily for organizational purposes.
• Transfer Type - The designated transfer type has an impact on how QoS is applied to any app
sessions that match the application definition.
• Ingress Traffic Percentage - During the path selection process this helps the system determine if
the application is upload heavy or download heavy and it will place the session on the appropriate
link.
• Connection Idle Timeout - The amount of time that a session will stay active in the system with no
packets observed on the wire.
• Path Affinity - Enable the system to group sessions of a like application onto the same link.
• Using App Reachability Detection - The Prisma SD-WAN system is capable of detecting brown-out
conditions for all TCP applications. This detection can be disabled selectively on a per-application
basis.
• Network Scan App - In some networks customers leverage automated scanning utilities to discover
vulnerable systems. These systems sometimes flood the network with traffic across all ports. In order
to prioritize this traffic properly below that of production traffic, it can be defined as a Network Scan
App. This is typically done using source prefix filters in the application definition.
Step 1: Navigate to Manage > Policies > Stacked Policies > Bindings. The Policy Bindings are
now displayed.
Step 2: View the full list of all Application Definitions from Manage > Resources > Applications.
Under the Actions column, click the ellipses and then select View.
Path policies determine how the various paths available to Prisma SD-WAN are used to fulfill business
intent.
There is significant control in the path policy framework. Match criteria include:
• Context - An optional identifier applied at the device interface level used to signify certain types of
networks or users. Guest and PoS (point of sale) are commonly used Contexts.
• Prefixes - Global and local prefix filters can be optionally matched as source and/or destination
criteria.
• Apps - Both system and custom (user-defined) applications can be matched.
Since we have approval from the security team to send Salesforce and Office 365 traffic directly onto the
internet to maximize performance, we'll explore how to verify the change was made successfully by the
operations team.
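The application-definition matching described earlier in this activity (L7 domain rule, L3/L4 prefix/protocol/port rule, Network Scan App) and the path-policy match criteria just listed (context, prefixes, apps) can be modelled together. The following is an added example, not Prisma SD-WAN code: it identifies a flow against constructed system and custom application definitions, then runs the identified app through first-match path and QoS policies of the same shape as the Trusted SaaS and Gold-queue rules this activity verifies. DPI signatures are not modelled, and all names, prefixes, rule order and the tie-break between overlapping definitions (scan app, then custom over system, then L7 over L3/L4) are assumptions.

```python
"""Application identification and first-match path / QoS policy lookup.

Added example, not vendor code. App definitions, prefixes, rule names and
the tie-break order are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                    # "tcp" or "udp"
    dport: int
    domain: Optional[str] = None  # detected domain (DNS / SNI), if any


def _in_prefixes(addr: str, prefixes: tuple) -> bool:
    """An empty prefix list means 'any'."""
    return not prefixes or any(ip_address(addr) in ip_network(p) for p in prefixes)


@dataclass(frozen=True)
class AppDef:
    name: str
    kind: str                      # "system" or "custom"
    domains: tuple = ()            # L7 rule: domain or parent-domain match
    src_prefixes: tuple = ()       # L3/L4 rule pieces; empty means any
    dst_prefixes: tuple = ()
    protos: tuple = ()
    ports: tuple = ()
    transfer_type: str = "transactional"
    network_scan: bool = False     # scanner traffic, to be prioritised below production

    def matches(self, f: Flow) -> bool:
        if self.domains and not (f.domain and any(
                f.domain == d or f.domain.endswith("." + d) for d in self.domains)):
            return False
        return (_in_prefixes(f.src, self.src_prefixes)
                and _in_prefixes(f.dst, self.dst_prefixes)
                and (not self.protos or f.proto in self.protos)
                and (not self.ports or f.dport in self.ports))


def identify(f: Flow, apps: list) -> str:
    hits = [a for a in apps if a.matches(f)]
    if not hits:
        return "unknown"
    # Tie-break (assumption): scan definitions first, then custom over system,
    # then L7 domain rules over L3/L4 rules; definition order breaks remaining ties.
    hits.sort(key=lambda a: (a.network_scan, a.kind == "custom", bool(a.domains)), reverse=True)
    return hits[0].name


@dataclass(frozen=True)
class PolicyRule:
    name: str
    action: str              # path policy: where to send; QoS policy: queue
    apps: tuple = ()         # empty means any app
    contexts: tuple = ()     # empty means any interface context
    dst_prefixes: tuple = ()


def first_match(rules: list, app: str, f: Flow, context: Optional[str]) -> PolicyRule:
    """Rules are evaluated top-down; the first rule whose criteria all match wins."""
    for r in rules:
        if ((not r.apps or app in r.apps)
                and (not r.contexts or context in r.contexts)
                and _in_prefixes(f.dst, r.dst_prefixes)):
            return r
    raise LookupError("no rule matched; a policy should end with a default rule")


# Constructed definitions: the generic web-browsing app is listed last on purpose.
APPS = [
    AppDef("network-scan", "custom", src_prefixes=("10.50.0.0/24",), network_scan=True, transfer_type="bulk"),
    AppDef("WebPoS", "custom", dst_prefixes=("10.200.0.0/24",), protos=("tcp",), ports=(8443,)),
    AppDef("salesforce", "system", domains=("salesforce.com", "force.com")),
    AppDef("office365", "system", domains=("office365.com", "office.com")),
    AppDef("web-browsing", "system", protos=("tcp",), ports=(80, 443)),
]

BRANCH_PATH_POLICY = [
    PolicyRule("Trusted SaaS", "direct-internet", apps=("salesforce", "office365")),
    PolicyRule("PoS to DC", "private-wan:DC1", contexts=("PoS",)),
    PolicyRule("Default via DC", "vpn:DC1"),          # everything else hairpins through the DC firewalls
]

BRANCH_QOS_POLICY = [
    PolicyRule("Gold SaaS", "gold", apps=("salesforce", "office365")),
    PolicyRule("Scanner", "bronze", apps=("network-scan",)),
    PolicyRule("Default", "silver"),
]


def decide(f: Flow, context: Optional[str] = None) -> dict:
    """Identify the app, then resolve its path and QoS queue."""
    app = identify(f, APPS)
    return {"app": app,
            "path": first_match(BRANCH_PATH_POLICY, app, f, context).action,
            "qos": first_match(BRANCH_QOS_POLICY, app, f, context).action}


if __name__ == "__main__":
    print(decide(Flow("10.1.1.20", "203.0.113.10", "tcp", 443, "login.salesforce.com")))
    print(decide(Flow("10.1.2.7", "10.200.0.5", "tcp", 8443), context="PoS"))
    print(decide(Flow("10.50.0.9", "10.200.0.5", "tcp", 8443)))
```

Two checks from the scenario fall out directly: a Salesforce session leaves the branch on the direct Internet path while a Salesforce-looking session from the scanner prefix is classified as the scan app and stays in the bronze queue, and any web session that no definition names, for example a random HTTPS site, still matches the generic web-browsing app and is sent through the data center as the original policy demanded.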
Step 1: Navigate to Manage > Policies > Stacked Policies > Bindings. The Policy Bindings are now
displayed.
Step 2: The Branch Path Policy is at Manage > Policies > Stacked Policies > Path.
Click on the Apps tab and then select the checkbox for Show X Selected Apps.
Note that, in this rule, both Salesforce and Office365 have been selected.
Step 6: Click on the Summary tab to view all the settings for the Trusted SaaS path policy rule.
Step 7: Click on the back arrow at the top left-hand corner of the page.
Each Priority (top-level queue) is allocated a configurable percentage share of the circuit bandwidth. This
value is leveraged to shape traffic in times of congestion.
Each Priority level has 4 sub-queues, one for each transfer type:
• Real-Time Audio
• Real-Time Video
• Transactional
• Bulk
The transfer type is specified in the application definition which was covered earlier in this task.
In our example the company uses a wide variety of applications to conduct business. Specifically, the
sales division uses the salesforce.com SaaS application as the primary CRM system. We will ensure that
the operations team has mapped both applications into the Gold queue.
Step 1: Navigate to Manage > Policies > Stacked Policies > Bindings. The Policy Bindings are now
displayed.
Step 2: The Branch QoS Policy is at Manage > Policies > Stacked Policies > QoS.
Step 4: In the Filter (by rule name, app) box, type salesforce.
Click on the Apps tab and then select the checkbox for Show 1 Selected App.
Step 8: Click on the back arrow at the top left-hand corner of the page.
End of Activity 9
The foundation of the Prisma SD-WAN system is that it is application defined. It is comprised of the sites
and devices and is responsible for the identification of applications, application monitoring, inter-site VPN
connections, connections to 3rd party services, and policy instantiation.
In this section we'll explore how the logical application fabric is configured and built.
Let's get started by reviewing the topology.
Task 1 – Topology
Step 1: Navigate to Monitor > Sites.
The map is displayed. By default, all sites are visible but can be filtered.
Step 2: Click on the filter icon. Expand Types and select Branch.
Select Branch 2.
You can search for sites by name or address as well as filter the list of sites using multiple criteria.
This panel provides a single point to configure and manage the branch.
The ingress and egress underlay utilization of the Spectrum Cable connection will be displayed:
Step 3: To view the measured bandwidth, click the drop-down for Chart and select Bandwidth Capacity.
The Prisma SD-WAN system performs automatic carrier bandwidth capacity measurements, using a custom
algorithm designed not to affect the performance of the connection being measured. The system
provides a view of throughput over time on a per-connection basis, which can be used to hold your
carrier accountable for the bandwidth you are paying for.
Step 4: Click on the in the top right-hand corner of the WAN Link view to return to the Connectivity
view.
Click on the in the top right-hand corner of the Connectivity view to return to the Configurations
panel.
Click on the green line to view Bandwidth Use and Overall Link Quality.
Step 3: Click on the in the top right-hand corner of the Secure Fabric Link view.
Task 5 – Devices
The physical or virtual devices are called IONs - Instant On Networks.
Note that the interface is used for Internet and there is an internet circuit label attached. When this is set,
the system automatically configures many parameters, including:
• Firewall rules are configured to only allow IPsec and ESP inbound from the internet to the device; all
other unsolicited inbound traffic is dropped.
• A NAT boundary is defined, and any traffic that is configured (via policy) to go direct to the internet
will be automatically NATed to the interface IP address.
• Prisma SD-WAN VPN tunnels are automatically established to all hub nodes.
There are many more configuration options available including SNMP, Routing, Syslog, NTP, etc.
End of Activity 10
Step 2: Please complete the survey and let us know what you think about this workshop.
Drag the widget to the right to expand the window.
LAB SETUP