ULTIMATE
TEST DRIVE
Cloud-Delivered
Security Services
Workshop Guide
UTD-CDSS 4.1 / PAN-OS 10.0
https://www.paloaltonetworks.com
UTD-CDSS 4.1 © 2021 Palo Alto Networks, Inc. | Confidential and Proprietary Last Update: 20210422
Ultimate Test Drive – Cloud-Delivered Security Services
Table of Contents
Table of Contents 2
Activity 0 – Log in to the UTD Workshop 5
Task 1 – Log in to your Ultimate Test Drive class environment 5
Task 2 – Log in to the student desktop 7
Task 3 – Log in to UTD NGFW Firewall 10
Task 4 (Very Important) – Bring up interface “ethernet1/1” 11
Activity 5 – Decryption 43
Task 1 – Modify the Decryption Profile 43
Task 2 – Edit the Decryption Policy 43
Task 3 – Enable decrypted traffic 44
Task 4 – Connect to the SSL-enabled web server 44
Task 5 – Review Threat Logs 45
Note: This workshop covers only basic topics and is not a substitute for training classes
conducted at a Palo Alto Networks Authorized Training Center (ATC). Please contact your
partner or regional sales manager for more training information.
Terminology
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each Tab found in the left-hand column of each screen.
Note: Unless specified, the Google® Chrome™ web browser will be used to perform any
tasks outlined in the following activities (Chrome is pre-installed on the student desktop VM).
Step 2: Go to the class URL. Enter your email address and the passphrase. (If you have an invitation
email, you can find the class URL and passphrase in the invitation email. Or the instructor will provide
them for you.)
Step 3: Complete the registration form and click “Register and Login” at the bottom.
Step 4: Depending on your browser, you may be asked to install a plugin. Please click “Yes” to allow the
plugin to be installed and continue the login process.
Step 5: Once you log in, the environment will be automatically created for you.
Step 6: The UTD-CDSS environment consists of a few components: a “Student Desktop” and a “VM-Series Security Platform”. The “VM List” tab shows all the VMs used in this lab environment.
Step 2: You will be connected to the “Student Desktop” through your browser.
Step 3: If the “Student Desktop” resolution is too high or too low for your laptop display, you can adjust
the resolution from the left-hand pane. You can also click the “Full screen” icon to maximize the display.
Optional Step 4: If you encounter connection issues with the “Student Desktop”, click the “Reconnect”
icon to re-establish the connection.
Optional Step 5: If the reconnect to the “Student Desktop” remains unsuccessful, please verify your
laptop connectivity using the following link.
https://use.cloudshare.com/Ent/Machine.mvc/testpage#/
Optional Step 6: If the connectivity test passed, please close the browser and retry from Task-1, Step-1.
If the connectivity test failed, please ask the instructor for further assistance.
This will open a new tab in your laptop browser with the login page for the NGFW VM. Log in to the
firewall using the following name and password:
Username: student
Password: utd135
Step 2: You are now logged in to the VM-Series firewall and should see the main dashboard.
Step 2: Click the interface “ethernet1/1” under “Ethernet,” then click the “Advanced” tab to change the
link state.
Step 3: Select “up” in the “Link State” option; then click “OK”.
Step 4: Click “Commit” (in the upper right-hand corner of the GUI), then click “Commit All Changes” in
the pop-up window.
Step 5: Click “Close” in the pop-up window once the commit has completed. The “Link Status” of
“ethernet1/1” should turn green after the interface is up.
Step 6: Open a new tab in the Chrome browser window and confirm Internet connectivity by going to any
URL.
Step 7: Here is a quick look at how the student desktop and the virtual firewall are connected.
End of Activity 0.
Step 3: Click the “Security Profiles” node on the left to review the security profiles.
Step 4: Ask your instructor to explain the difference between the various security profiles.
Step 2: In the “Antivirus Profile” window, under “Decoders”, confirm that the action for HTTP decoder is
set as “default (reset-both)”. Review the options under Signature Action for the different decoders and
note that “WildFire Signature Action” is set independently (more on WildFire in a later activity).
Step 5: Click the “UTDTP-Policy01a” policy to open the “Security Policy Rule” window.
Step 6: Click the “Actions” tab and select “Profiles” under “Profile Type” below “Profile Setting”.
Step 7: For the Antivirus setting, select “UTDTP-AV-Profile01”, then click “OK”.
Step 8: Click “Commit” (in the upper right-hand corner of the GUI) and complete the commit process.
Step 9: Click “Close” in the pop-up window once the commit has completed.
Step 10: From the Student Desktop, open a new browser tab, then go to http://10.80.2.213 (or use the
“UTD-CDSS Web Server” bookmark under Lab Bookmarks > Activity 1). Click “UTD-CDSS Threat
Samples”.
Step 12: Are you able to download the EICAR sample? Did you see a “Virus Download Blocked” page?
Step 2: Click “virus” under “Type” to filter the threat logs on that subtype, or enter in the search bar:
(subtype eq virus)
Then hit the “Enter” key or click the apply-filter icon:
Note: You can add other columns to see more info on the logs. Mouse over any header and click the
white arrow next to the header name, then click “Columns” and select the columns you want to add.
Step 2: Check that the “Interface Type” of ethernet1/4 is set to “Tap” mode.
Step 3: Click the “Policies” tab, click the “Security” node on the left-hand side.
Step 5: Click the “Actions” tab, select “Profiles” under the “Profile Type” below “Profile Setting.”
Step 6: Click the drop-down menu for “Vulnerability Protection” and select “New Vulnerability Protection”.
Step 7: Enter “UTDTP-Alert” in the “Name” field of the new vulnerability protection profile.
Step 8: Click “Add” under “Rules”, then name the rule “Alert-All”.
Step 10: Click “OK”, then click “OK” to save the profile.
Step 12: For “URL Filtering”, select “UTDTP-URL-Profile01”, then click “OK” to save the policy.
Step 13: Click “Commit” (in the upper right-hand corner of the GUI), then click “Commit All Changes” in
the pop-up window.
Step 14: Click “Close” in the pop-up window once the commit has completed.
Step 2: Load the saved session “TrafficReplayServer” and SSH to the traffic replay server.
TrafficReplayServer
10.30.21.173
Step 4: Run the “ReplayThreats” script to send threats out on the tap ports.
./ReplayThreats [Note: case sensitive]
You will be prompted for a password; enter “paloalto”.
Step 2: Click the icon in the top right corner to clear the filter, if one is set. Then change the refresh
interval from “Manual” to “60 Seconds”.
Step 3: Hover over any name of the attack and click on the down arrow. You will see a new menu that
says “Exception”, click on it to review the details.
Step 4: Click the detail log and review the “Application” that the threat is detected on.
Step 5: A green arrow indicates there is a packet capture for the traffic sample. You can click the green
arrow to review the packets in detail or export it for further analysis.
Step 6: Jump to the ACC tab and review the “User Activity” widget under the “Network Activity” subtab.
By using User-ID™, you can see individual users, not just IP addresses. If you see a user “None”, that IP
address has no User-ID mapping. This could be an external IP, a zone that doesn’t have User-ID enabled,
or even a rogue IP.
Step 7: Click the “Threat Activity” subtab to review the threats that were detected in the “Threat Activity”
widget. Scroll down to see the various data available to you.
Note: The ACC is not in real time and uses summary data from the logs. It may take a while for
this data to appear.
End of Activity 1.
Step 3: In the “WildFire Analysis Profile” pop-up window, name this profile “UTDTP-WildFire”.
Step 4: Click “Add” in the profile window to add a rule in this profile, name it “Download-PE-PDF”.
Step 5: Under “File Types”, click “any”, click the “+” button, and add “pe” and “pdf”. Then change the
“Direction” to “download”, and click “OK” to save the new profile.
In addition to Windows executables (pe) and PDF files (pdf), WildFire also supports the following file
types: Android (apk), Adobe Flash (flash), Java (jar), Microsoft Office (ms-office), Mac OS (MacOSX),
Linux (elf), RAR and 7-Zip (archive), and BAT, JS, VBS and PS1 scripts (script). With “email-link” configured
in the WildFire profile, the security platform extracts HTTP/HTTPS links contained in SMTP and POP3
email messages and forwards only the links to the WildFire public cloud for analysis; WildFire does not
receive, store, forward, or view the email message itself.
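The file types above are identified from the content of the file, not its name, which is why a renamed executable is still treated as a PE. The following Python example is added here for illustration and is not code from the workshop or from Palo Alto Networks: it classifies constructed byte samples by their magic bytes into the WildFire type labels listed above, then applies the same match logic as the “Download-PE-PDF” rule (file types “pe” and “pdf”, direction “download”). The ZIP container member-name checks and the sample bytes are simplifying assumptions.

```python
# Added example (not part of the workshop guide): identify WildFire-relevant
# file types from file content rather than from the file name, which is what
# an inline inspection engine has to do (a renamed .exe is still a PE).
# The WildFire type labels are taken from the guide's list; the container
# member-name checks and the sample bytes are constructed assumptions.
import struct

def identify_file_type(data: bytes) -> str:
    """Return a WildFire-style type label ('pe', 'pdf', 'elf', ...) for content."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data.startswith(b"Rar!\x1a\x07") or data.startswith(b"7z\xbc\xaf\x27\x1c"):
        return "archive"
    if data.startswith(b"PK\x03\x04"):
        # ZIP container: APK, JAR and OOXML Office files all start this way.
        # A real engine walks the central directory; here we look for
        # well-known member names in the raw bytes (simplifying assumption).
        if b"AndroidManifest.xml" in data:
            return "apk"
        if b"META-INF/MANIFEST.MF" in data:
            return "jar"
        if b"[Content_Types].xml" in data:
            return "ms-office"
        return "archive"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        # PE: the DOS header's e_lfanew field at offset 0x3C points at "PE\0\0".
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"

def wildfire_rule_matches(file_type: str, direction: str,
                          rule_types: tuple, rule_direction: str) -> bool:
    """Mirror of the profile rule logic: 'any' matches every type, 'both'
    matches upload and download."""
    type_ok = rule_types == ("any",) or file_type in rule_types
    dir_ok = rule_direction == "both" or direction == rule_direction
    return type_ok and dir_ok

def should_forward(data: bytes, direction: str) -> bool:
    """Would the guide's 'Download-PE-PDF' rule forward this file to WildFire?"""
    return wildfire_rule_matches(identify_file_type(data), direction,
                                 ("pe", "pdf"), "download")

def build_minimal_pe() -> bytes:
    """Constructed, non-executable bytes carrying only the PE header fields
    needed for identification (not a real program)."""
    dos_stub = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    return dos_stub + b"PE\x00\x00" + b"\x00" * 20

# Constructed samples (not malware): the same bytes under a misleading name.
SAMPLES = {
    "wildfire-test-pe-file.exe": build_minimal_pe(),
    "report.txt": build_minimal_pe(),          # renamed PE, still type 'pe'
    "invoice.pdf": b"%PDF-1.7\n%constructed\n",
    "tool": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "lib.jar": b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/MANIFEST.MF",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:28} type={identify_file_type(blob):10} "
              f"forward_on_download={should_forward(blob, 'download')}")
```

The “report.txt” entry is the point of the exercise: the rule fires on the detected type, so a download-direction PE is forwarded whatever its extension, while the same bytes going in the upload direction are not matched by this rule.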
Step 2: Click the rule name “UTDTP-Policy01a”, then a “Security Policy Rule” pop-up will appear.
Step 3: Click the “Application” tab (within the pop-up), then add the “IT-Apps” application group. The “IT-Apps” application group includes the WildFire-update-service and some common applications often used by the IT team. You may go to the “Objects” tab, then the “Application Groups” node, to review which applications are included in the IT-Apps group.
Step 5: In the “Profile Setting” section, select the drop-down menu next to “WildFire Analysis”.
Step 8: Click “Commit” (in the upper right-hand corner of the web browser).
Step 9: Click “Commit All Changes” in the pop-up window, and then click “Commit”.
Step 2: The browser will automatically download a “wildfire-test-pe-file.exe” sample file. Check your
“Downloads” folder to confirm the download. (The download appears at the bottom of the browser
window; click “Keep” if Chrome asks whether to keep the file.)
Step 3: To view that the sample has been sent to WildFire, go back to the VM-Series security platform
GUI, click the “Monitor” tab, then click the “WildFire Submissions” node (under the “Logs” section) and
review the log entry for the file being uploaded to the WildFire service.
Note: It may take about 5-10 minutes for the WildFire log to appear. You can continue to
Step 4 to review the online WildFire portal.
Step 4: Click the “Security Admin” tab in CloudShare to access that desktop in your browser. Click the
“Security Admin” icon to launch the browser. If not present, enter the email utd-tp@pan-labs.net and
click “Next” then click “Sign In” on the next page. You are now logged into the WildFire Dashboard.
Step 5: In the portal you can see a summary of all the files that have been submitted for analysis and
other features that come with the WildFire service. The WildFire portal can manage multiple Palo Alto
Networks NGFWs in one account.
Note: In this lab environment, there is only one security platform managed by this account.
Step 6: Click the “Reports” tab. Here you can see the verdict of the file that you just submitted. The
WildFire analysis is in progress if the verdict is “Pending”.
Step 7: Click the document icon (on the left side) for your submission to bring up the “WildFire Analysis
Report”.
Step 8: You can manually upload files for analysis to WildFire by using the “Upload Sample” tab.
Note: It may take some time for the firewall to receive the WildFire Analysis update; you
can come back to this task upon finishing other activities.
Step 1: Go back to the VM-Series GUI, click the “Monitor” tab, then click the “WildFire Submissions”
node. You should see a new log entry there. When you see the entry, click the “Details” icon on the
left-hand side of the log entry. In the “Log Info” tab, you can view the basic information on the file and the
application that carries that file.
Step 2: Click “WildFire Analysis Report” to view the details of the analysis results. Under the “WildFire
Analysis Summary”, the “Verdict” indicates that the submitted file is a malware sample and you can
Step 3: Keep scrolling down in this tab until you find “Dynamic Analysis”, you can see the behavior of the
malware under different operating systems. “Virtual Machine 1” is configured with Windows XP. Review
the behavior and activity of the malware. Click “Virtual Machine 2” to review the malware behavior and
activity in Windows 7.
Step 4: Explore the other features and functions offered in the WildFire Analysis Report, such as
downloading the PCAP file of the malware network activity and downloading the WildFire analysis report
in PDF format.
End of Activity 2.
Step 2: Click on one of the “ML-PE-sample*.exe” files to attempt to download these live malware sample
files. You only need to pick one. Do not download “ML-AV-sample.exe” at this time.
You may also see a “wildfire-virus” entry for these samples. This is because the NGFW runs its threat
engines in parallel: the sample was caught by both the antivirus (threat) signatures and the WildFire
signatures.
Step 2: For the sample you attempted to download, hover in the “Threat ID/Name” area and click the
down arrow. Then click “Exception”.
Step 3: The “Threat Details” window will pop up showing you the threat name and security object profile
that triggered. Select “UTDTP-AV-Profile01” and then click “OK”
By creating the exception, the antivirus profile no longer acts on this threat ID, so the sample will pass
through the NGFW with the current security settings.
Step 3: Note the “WildFire Inline ML Action” for “http” is listed as “default (reset-both)”. This is the action
the NGFW will take when “WildFire Inline ML” has been enabled.
Step 4: Click the “Signature Exceptions” tab to view the exception you created in the previous task.
Step 5: Click the “WildFire Inline ML” tab. Note that all ML models are currently disabled.
Step 8: Click “Commit” (in the upper right-hand corner of the web browser).
Step 9: Click “Commit All Changes” and then click “Commit” in the pop-up window.
Step 2: Click on the same malware sample you previously attempted to download and created the
exception for. Click “Keep” if asked to save the file. You may also attempt to download “ML-AV-
sample.exe”
Step 3: Note that you may see the file start to download before it stalls and then times out.
WildFire Inline ML inspects files at line speed and blocks malware variants of portable executables as well
as PowerShell files, which account for a disproportionate share of malicious content. The ML-based engine
can prevent up to 95% of threats inline without requiring cloud-based analysis from WildFire. For the rest,
protections are delivered in seconds from the world’s largest cloud-native detection and prevention
engines.
Note: The WildFire machine learning model is trained with over 20 million new malware
samples on a daily basis. Because the inline machine learning models are continually
retrained and tuned to adapt to the changing real-world threat landscape, specific
point-in-time test samples may not yield consistent results.
If any of these files are able to download, please inform your instructor.
Step 2: Note that “ml-virus” is listed under the “Type” column for the threat.
Step 3: Click on the magnifying glass and scroll down to the “Details” section. The “Threat ID/Name”
indicates “Machine Learning found virus”.
Even though you disabled the antivirus signature for this malware, the firewall still stopped it, without any
signature, because WildFire Inline ML classified the file as malicious.
End of Activity 3.
Step 2: Click “Add”, then create the address object name “Sinkhole” and give it an IP address of
“10.80.2.199”.
Step 2: Click the “DNS-Sinkhole” Anti-Spyware profile, then click the “DNS Policies” tab. The current
“Signature Source” for “Palo Alto Networks Content” is set to use the local DNS signatures from the Threat
Prevention subscription. The “Policy Action” is already set to sinkhole.
Step 3: Change the “Sinkhole IPv4” address to “10.80.2.199” but leave the “Sinkhole IPv6” address
unchanged.
Step 4: Click “OK” to save the changes to the Anti-Spyware security profile.
Step 6: Click “UTDTP-Policy02” to safely enable the DNS application. Go to the “Actions” tab, select
“Profiles” for “Profile Type”. Change the Anti-Spyware security profile to “DNS-Sinkhole”.
Step 7: Click “OK” to save the changes. Then click “Commit” and “Commit All Changes” and then click
“Commit”. After the commit process is completed, click “Close”.
Step 8: You have completed the setup for DNS sinkhole; the VM-Series firewall will now answer a
“Suspicious DNS Query” with the sinkhole address above instead of the real resolution. Note that there is
no server at the sinkhole address in this lab, so there will be no response from it. In a production
network, a network forensic analysis tool could listen on the sinkhole address to record potential C&C
conversations and other valuable forensic evidence.
Step 2: Go to the “Dynamic Updates” node near the bottom left-hand side under the “Device” tab. Click
“Check Now” at the bottom to update the signatures list. Then click the “Download” button next to the
latest AV signature to download the latest signature package.
Step 3: Click “Install” to install the latest AV signature. After the latest signature is installed, click the
“Release Notes” button for that Antivirus signature and the release notes will be opened in a new tab in
the browser.
Step 4: Identify a malicious domain in the release notes. Look for one with “generic:xyz” under “New
Spyware DNS C2 Signatures”. For example, here we used “marchpart.com”, taken from the release notes
information highlighted in the screenshot.
Step 5: Go to the student desktop and open a command prompt by clicking the “Start” button, then
clicking the “Command Prompt” icon.
Step 7: Then perform the DNS lookup using the “nslookup” command with the suspicious domain found in
the AV release notes. The nslookup response should return the sinkhole address (10.80.2.199) that you
configured in the previous tasks.
Step 8: Review the Threat logs on the VM-Series. Go back to the GUI of the VM-Series Security Platform
in the browser, then go to the “Monitor” tab.
Step 9: Go to the “Threat” logs where you will see all the “Suspicious DNS Query” logs generated by the
nslookup command from Step 7.
Note: In the “Source User” column, we have user information provided by User-ID. In this case, the
source of the DNS query is “john_doe15”, which maps to your “Student Desktop” IP address. If your clients
resolved names through an internal DNS server, that server, not the infected client, would appear here as
the source of the query; the sinkhole address is what lets us track down the compromised clients in the
next steps.
Also note that the “Action” is “sinkhole”, which was set in the Anti-Spyware profile, and that the “Threat
Category” column shows this came from the local DNS signatures.
Step 10: Go back to the “Command Prompt” and ping the suspicious domain. You will not get a ping
response, as there is no server listening at the sinkhole address.
Step 11: You can see the ping traffic under the “Traffic” log on the firewall. Click “Resolve hostname” at
the bottom of the page to see the destination hostname “Sinkhole” reflected in the traffic logs. By filtering
the destination hostname “Sinkhole” in a production network, you can easily identify all the clients that are
trying to access the sinkhole address.
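The same filtering that the GUI performs with “(subtype eq virus)” in Activity 1, and the sinkhole-client lookup described in Step 11, can be scripted against exported logs. The following Python example is added here for illustration and is not workshop or vendor code: it evaluates PAN-OS-style “(field eq value)” filter terms over constructed log records and lists every client that sent traffic to the sinkhole address 10.80.2.199, with its User-ID name where one is mapped. The record layout is a constructed simplification, not the real PAN-OS CSV log format.

```python
# Added example (not part of the workshop guide): apply PAN-OS-style filter
# expressions such as "(subtype eq virus)" to log records, and list the
# clients that tried to reach the sinkhole address. The records and the
# column layout below are constructed for illustration and are a
# simplification, not the real PAN-OS CSV log format.
import csv
import io
import re

FIELDS = ("receive_time", "type", "subtype", "src", "dst",
          "src_user", "action", "threat")

# Constructed records: a student desktop (10.80.1.15, john_doe15) hitting the
# EICAR sample, a sinkholed DNS query, follow-up traffic to the sinkhole
# address 10.80.2.199, and a second host with no User-ID mapping.
CONSTRUCTED_LOGS = """\
2021/04/22 10:01:03,THREAT,virus,10.80.1.15,10.80.2.213,john_doe15,reset-both,Eicar Test File
2021/04/22 10:02:11,THREAT,spyware,10.80.1.15,8.8.8.8,john_doe15,sinkhole,Suspicious DNS Query
2021/04/22 10:02:12,TRAFFIC,end,10.80.1.15,10.80.2.199,john_doe15,allow,
2021/04/22 10:03:40,THREAT,vulnerability,10.30.21.173,10.80.2.50,,alert,SQL Injection Attempt
2021/04/22 10:04:05,TRAFFIC,end,10.80.1.77,10.80.2.199,,allow,
2021/04/22 10:04:09,TRAFFIC,end,10.80.1.15,93.184.216.34,john_doe15,allow,
2021/04/22 10:05:30,THREAT,wildfire-virus,10.80.1.15,10.80.2.213,john_doe15,reset-both,ML-PE-sample1.exe
"""

def parse_logs(text: str) -> list:
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]

_TERM = re.compile(r"\(\s*(\w+)\s+(eq|neq)\s+'?([^')]+?)'?\s*\)")

def matches(record: dict, expr: str) -> bool:
    """Evaluate a filter made of (field eq|neq value) terms joined by 'and'.
    'or' is deliberately rejected rather than silently treated as 'and'."""
    if re.search(r"\bor\b", expr):
        raise ValueError("only 'and' is supported in this example")
    terms = _TERM.findall(expr)
    if not terms:
        raise ValueError(f"no filter terms in {expr!r}")
    for field, op, value in terms:
        actual = record.get(field, "")
        if op == "eq" and actual != value:
            return False
        if op == "neq" and actual == value:
            return False
    return True

def filter_logs(records: list, expr: str) -> list:
    return [r for r in records if matches(r, expr)]

def sinkhole_clients(records: list, sinkhole_ip: str) -> dict:
    """Source IP -> User-ID name ('None' when unmapped) for every client that
    sent traffic to the sinkhole address. Each such client resolved a
    sinkholed domain, so each is a candidate infected host."""
    hits = {}
    for r in records:
        if r["type"] == "TRAFFIC" and r["dst"] == sinkhole_ip:
            hits[r["src"]] = r["src_user"] or "None"
    return dict(sorted(hits.items()))

if __name__ == "__main__":
    logs = parse_logs(CONSTRUCTED_LOGS)
    for r in filter_logs(logs, "(subtype eq virus)"):
        print("virus:", r["src"], r["src_user"], r["threat"])
    print("sinkhole clients:", sinkhole_clients(logs, "10.80.2.199"))
```

In production the equivalent query on the firewall is a traffic-log filter on the sinkhole destination; the point is that the client IP appears as the source of that traffic even when an internal DNS server hid it in the DNS query log, and a “None” user is a host worth a User-ID or asset-inventory check.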
Step 1: Go to the “Objects” tab, then the “Anti-Spyware” profiles under the “Security Profiles” node.
Step 2: Click the “DNS-Sinkhole” Anti-Spyware profile, then click the “DNS Policies” tab. As previously
seen, the current “Signature Source” for “Palo Alto Networks Content” is set to use the local DNS signatures
from the Threat Prevention subscription.
Step 3: Under “DNS Security” are the covered DNS threat categories.
Step 4: Set the “Policy Action” for categories “Command and Control Domains”, and “Malware Domains”
to “sinkhole”.
Step 5: Click “OK” to save the changes to the Anti-Spyware security profile.
Step 6: Click “Commit” (in the upper right-hand corner of the web browser).
Step 7: Click “Commit All Changes” in the pop-up window, and then click “Commit”.
A PowerShell window will pop up and execute an nslookup on a number of randomly generated
domain names. It might take a moment for PowerShell to initialize before you start to see the queries
being generated.
Step 2: Click the “Monitor” tab, select the “Threat” node (under the “Logs” section).
Note that the “Threat ID/Name” starts with “DGA:”, the “Action” is “sinkhole” and the “Threat Category”
is “dns-c2”, which is the DNS Security subscription category for “Command and Control Domains”.
Step 1: From the desktop of your “Student Desktop” VM, right-click on the “DNS-tunnel” script and select
“Run with PowerShell”.
A PowerShell window will pop up and execute an nslookup on a number of seemingly random domain
names. In reality, this is an attempt to exfiltrate data via DNS: the data is encoded into the hostnames
being queried.
Step 2: Click the “Monitor” tab, select the “Threat” node (under the “Logs” section).
Note that the “Threat ID/Name” starts with “Tunneling:”, the “Action” is “sinkhole” and the “Threat
Category” is “dns-c2”, which is the DNS Security subscription category for “Command and Control Domains”.
Step 3: From the desktop of your “Student Desktop” VM, right-click on the “DNS-tunnel” script and select
“Open with…”.
An “Open with” window will pop-up and should have “Notepad” selected. Click “OK”.
Step 4: In Notepad, you will see the exact nslookup queries made. Notice that the host part of each
FQDN appears to be a random string. Scroll down to the comment block, which shows what data was
being exfiltrated.
Step 5: (Optional). From the student desktop, open a command prompt and do a nslookup on “bad-
site.xyz” and “lateto.work”.
What do you see for the “Threat ID/Name”, “Action”, and “Threat Category”?
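The DGA and tunneling verdicts in the two tasks above come from the DNS Security cloud, but the traits the lab scripts rely on (random-looking hostnames, long encoded labels under one parent domain) can also be scored locally as a first-pass detection. The following Python example is added here for illustration and is not the vendor’s model or workshop code: it computes label entropy and a few shape heuristics over constructed query names, flags DGA-like second-level labels, and reports parent domains receiving many long high-entropy subdomain queries. The thresholds, the two-label registered-domain rule and the hypothetical parent domain exfil-example.net are assumptions.

```python
# Added example (not part of the workshop guide): heuristics of the kind a
# detection engineer runs over DNS query logs to flag DGA-like names and
# tunneling-style queries. This is not the vendor's model; thresholds,
# the parent-domain rule and the sample queries are constructed assumptions.
import math
from collections import Counter, defaultdict

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(fqdn: str) -> str:
    """Last two labels; adequate for .com/.xyz style TLDs (assumption)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def dga_score(fqdn: str) -> float:
    """Score the second-level label: entropy, length, missing vowels and
    digit density each add weight."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return 0.0
    sld = labels[-2]
    n = max(len(sld), 1)
    vowels = sum(ch in "aeiou" for ch in sld)
    digits = sum(ch.isdigit() for ch in sld)
    score = 0.0
    if shannon_entropy(sld) > 3.5:
        score += 1.0
    if len(sld) >= 12:
        score += 0.5
    if vowels / n < 0.2:          # consonant soup such as "xkqvbzrtplwn"
        score += 1.0
    if digits / n > 0.3:
        score += 0.5
    return score

def is_dga_like(fqdn: str, threshold: float = 2.0) -> bool:
    return dga_score(fqdn) >= threshold

def tunneling_candidates(queries, min_queries: int = 5, min_label_len: int = 30) -> dict:
    """Parent domains that receive many queries whose leftmost label is long
    and high-entropy: the shape of data smuggled out in hostnames. Returns
    {registered_domain: query_count} for domains over the threshold."""
    per_parent = defaultdict(int)
    for q in queries:
        labels = q.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue
        host = labels[0]
        if len(host) >= min_label_len and shannon_entropy(host) > 3.0:
            per_parent[registered_domain(q)] += 1
    return {p: c for p, c in per_parent.items() if c >= min_queries}

def _constructed_tunnel_label(i: int, length: int = 40) -> str:
    # Deterministic hex "payload" standing in for encoded exfiltrated data.
    return "".join(f"{(i * 7 + j * 13) % 16:x}" for j in range(length))

# Constructed query log: benign names plus six tunnel-style queries to the
# hypothetical parent domain exfil-example.net.
CONSTRUCTED_QUERIES = (
    ["www.paloaltonetworks.com", "marchpart.com", "updates.example.org"]
    + [f"{_constructed_tunnel_label(i)}.t.exfil-example.net" for i in range(6)]
)

if __name__ == "__main__":
    for name in ("xkqvbzrtplwn.com", "a7f3k9q2z1x8.xyz", "marchpart.com"):
        print(f"{name:20} dga_score={dga_score(name):.1f} flagged={is_dga_like(name)}")
    print("tunneling:", tunneling_candidates(CONSTRUCTED_QUERIES))
```

Note that a dictionary-word C2 domain such as the marchpart.com example from the release notes scores low on these heuristics, and a long legitimate name such as www.paloaltonetworks.com is not flagged either; that gap is exactly what the signature and cloud-categorization sources in the Anti-Spyware profile cover, so heuristics like these complement them rather than replace them.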
You can view your organization’s DNS statistics data generated by the DNS Security Cloud service. This
provides a fast, visual assessment describing the breakdown of DNS requests passing through your
network based on the available DNS categories.
Step 2: Scroll through the AutoFocus DNS Security dashboard to view and drill down into the various DNS
trends that AutoFocus discovered in your network. Each dashboard widget provides a unique view into
how DNS requests are processed and categorized. Clicking on a widget allows you to change the context
of the dashboard or view more information about a specific trend, domain, or statistic.
From the DNS Security dashboard page, you can:
• View DNS request statistics and trends
• View DNS activity associated with malicious domains
• View the breakdown of DNS-based malware and request types
• View your organization's coverage (number of firewalls with a DNS Security license)
End of Activity 4.
Activity 5 – Decryption
Background: More and more traffic is encrypted with SSL/TLS by default, making it difficult to inspect
that traffic before allowing it. Yet blindly allowing it is highly risky. Policy-based SSL decryption lets you
decrypt encrypted applications, apply policy and threat inspection, then re-encrypt the traffic and send it
to its final destination. Policy considerations include which applications to decrypt, protection from
malware propagation, and data/file transfer.
Step 3: Under “Unsupported Mode Checks”, check “Block sessions with unsupported version” and “Block
sessions with unsupported cipher suites”.
Step 4: Click “OK”. Note: You don’t need to click “Commit” until after the next task.
Step 4: Click “Decryption Profile”, then select “Decryption-Profile-01” from the drop-down menu.
Step 6: Click “Enable” located at the bottom of the browser window. The policy should turn from gray to
blue.
Step 3: Click “Enable” at the bottom to enable the policy. The security policy should turn from gray to
blue.
Step 4: Click “Commit” (in the upper right-hand corner of the web browser).
Step 4: Open a browser tab and go to https://10.80.2.213 (make sure you are using https://). You might
see an “SSL Inspection” message informing you that traffic is being decrypted. You also have a
bookmark you can use (Activity-5 > UTD-CDSS Web Server – SSL).
Note: Click “Advanced”, then click “Proceed anyway” if you receive a certificate error message. Click
“Yes” on the SSL Inspection page.
Step 5: Try to download an EICAR sample file by clicking the “UTD-CDSS Threat Samples” link. Are you
able to download the virus file on the subsequent page? You should get an error page saying “This site can’t
be reached”: the connection was reset when the threat was detected.
Step 2: Type into the query box (directly above the “Receive Time” column) the search string:
(subtype eq virus)
Then hit the “Enter” key or click the icon:
Question:
✓ Did the log entry show that the traffic was decrypted?
End of Activity 5.
Task 1 – Create a URL filter to block all malware sites and enforce safe search
Step 1: Click the “Objects” tab, then click the “URL Filtering” node (in the Security Profiles section).
Step 2: Highlight the profile name “UTDTP-URL-Profile01”, then click “Clone” to clone the profile.
The cloned profile is named “UTDTP-URL-Profile01-1”.
Step 4: Under “Category”, select “dynamic DNS”, “hacking”, “parked”, “peer-to-peer”, “proxy-avoidance”
and “questionable”. Change the “Action” under “Site Access” from “alert” to “block”. You can do this by
clicking the down arrow next to “Site Access” > “Set Selected Actions” > “block”.
Note: The actions for the “gambling” and “malware” categories are already set to “block” in UTDTP-URL-Profile01.
Step 5: Find under “Category”: “games”, “not-resolved” and “unknown”. Change the “Action” from “alert”
to “continue”.
Step 6: Click “URL Filter Settings”, then check the “Safe Search Enforcement” box to block search queries
that do not use the search engine’s strict safe-search setting.
Step 2: Click the rule “UTDTP-Policy01a”, then a “Security Policy Rule” pop-up will appear.
Step 4: In the “Profile Setting” section, select “Profiles”, and select the drop-down menu next to “URL
Filtering”.
Step 6: Click “Commit” (in the upper right-hand corner of the web browser).
Step 9: From the Student Desktop, open a new browser tab and enter the URL http://thepiratebay.org (a
popular torrent site; you can also use the Lab Bookmarks for Activity-6).
Step 10: You should see a “Web Page Blocked” message. Notice that the category “peer-to-peer” was
set to block in the URL profile.
Step 11: Open a new browser tab, then enter the URL http://www.ign.com
Step 12: You should see “Web Page Blocked” with the option to click “Continue” to continue to the web
page. Click “Continue” to go to the www.ign.com home page.
Step 15: Notice that the search is being blocked because the safe-search setting in the browser is not
set up correctly.
Step 16: You can click the link in the blocked page to change the search setting for Bing.
Step 17: Review the URL log entries under the “Monitor” tab and the “Logs > URL Filtering” node. (If
needed, clear the filter by clicking the red “x” to the right of the filter text box.)
Step 2: Modify the previously created “UTDTP-URL-Profile02” and block another category. This time we
will be adding the “phishing” category. Change the “Site Access” and “User Credential Submission” from
“alert” to “block” and then click “OK”.
Step 3: “Commit” the configuration. Since “UTDTP-URL-Profile02” is already applied to the security
policy, you do not need to do anything other than commit the configuration.
Note that without SSL decryption enabled, this site would not have been blocked. You cannot
protect against threats you cannot see.
Step 1: Click the “Objects” tab, then click the “URL Filtering” node.
Step 2: From the Student Desktop browser, open a new tab, then use the “ML JavaScript URL” bookmark
under Lab Bookmarks > Activity 6.
Step 2: Note the “Action” is “block” and the “Inline ML Verdict” is listed as “phishing” or “malicious-javascript”.
End of Activity 6.
This will open a new tab in your laptop browser with the login page for the Panorama VM. Log in to the
firewall using the following name and password:
Username: student
Password: utd135
Step 2: You are now logged in to Panorama and should see the main dashboard.
Predefined data patterns and built-in settings make it easy for you to protect files that contain certain file
properties (such as a document title or author), credit card numbers, regulated information from different
countries (such as driver’s license numbers), and third-party DLP labels. To improve detection rates for
the sensitive data in your organization, you can supplement the predefined data patterns with custom
data patterns that are specific to your content inspection and data protection requirements. In a custom
data pattern, you can also define regular expressions and file properties to look for metadata or attributes
in the file’s custom or extended properties, and use the pattern in a data filtering profile.
Data filtering profiles are a collection of data patterns that are grouped together to scan for a specific
object or type of content. To perform content analysis, the predefined data profiles have data patterns that
include industry-standard data identifiers, keywords, and built-in logic in the form of machine learning,
regular expressions, and checksums for legal and financial data patterns. When you use the data filtering
profile in a Data Filtering policy rule, the firewall can inspect the content for a match and take action.
Using the predefined Data Patterns, a custom Data Filtering profile has been created. Note that the
Action is set to Block.
Click “Cancel”.
Note: As the NGFW in this lab is locally managed, you will be adding the Enterprise DLP data filtering
profile directly from within the NGFW UI.
Step 3: Click on the “Actions” tab. Select “UTD-Data-Filtering” for the “Data Filtering” profile. This is the
same profile you reviewed on Panorama.
Step 5: Click “Commit”. Click “Commit All Changes” in the pop-up window.
Step 3: From the File Explorer pop-up, click Desktop on the left-hand column and select
“Customer_data.docx”.
Click Open.
Step 6: Use the Chrome browser bookmark to go to “Lab Bookmarks” > “Activity-7” > “DLP Upload
OneDrive Test”.
Step 8: From the File Explorer pop-up, click Desktop on the left-hand column and select
“Customer_data.docx”.
Click Open.
Step 2: Click on the magnifying glass to open the Detailed Log View.
Step 3: Click “Show Snippet” on any entry that has a Medium or High Confidence.
Enterprise DLP extracts a snippet of the sensitive data that caused the alert or block notification. A
snippet enables forensics by allowing you to verify why an uploaded file generated an alert notification or
was blocked. By default, Enterprise DLP uses data masking to partially mask the snippets to prevent the
sensitive data from being exposed. You can configure this behavior from Panorama to completely mask
the sensitive information, unmask the snippets, or disable snippet extraction and viewing.
Click “Close”.
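To make the data-pattern and snippet concepts from Activity 7 concrete (regex plus checksum data patterns, a file-property pattern, a profile with a block action, and partially masked snippets), here is an added, self-contained toy scanner. It is example code written for this guide, not Enterprise DLP's implementation; the profile name reuses “UTD-Data-Filtering”, the confidence labels, masking rule and sample document are assumptions of the example.

```python
"""Toy DLP data-filtering profile: regex + checksum data patterns,
file-property patterns, and partially masked snippets (example only)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class DataPattern:
    name: str
    regex: re.Pattern
    checksum: Optional[Callable[[str], bool]] = None  # None: regex-only pattern


@dataclass
class FilePropertyPattern:
    name: str
    prop: str  # document property to inspect, e.g. "title" or "author"
    regex: re.Pattern


@dataclass
class DataFilteringProfile:
    name: str
    action: str  # "alert" or "block"
    patterns: list = field(default_factory=list)
    property_patterns: list = field(default_factory=list)


def mask_partial(value: str, keep: int = 4) -> str:
    """Default masking assumed here: hide all but the last `keep` characters."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan(profile, text, properties=None):
    """Return (action, findings); each finding is (pattern, masked snippet, confidence).
    Assumption: checksum-validated hits are 'high' confidence, regex-only hits 'medium'."""
    findings = []
    for p in profile.patterns:
        for m in p.regex.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if p.checksum is not None:
                if not p.checksum(digits):
                    continue  # regex hit but checksum failed: not a real card number
                confidence = "high"
            else:
                confidence = "medium"
            findings.append((p.name, mask_partial(digits), confidence))
    for fp in profile.property_patterns:
        value = (properties or {}).get(fp.prop, "")
        if fp.regex.search(value):
            findings.append((fp.name, mask_partial(value), "medium"))
    return (profile.action if findings else "allow"), findings


CREDIT_CARD = DataPattern("credit-card-number",
                          re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), luhn_valid)
CONFIDENTIAL_TITLE = FilePropertyPattern("confidential-title", "title",
                                         re.compile(r"(?i)confidential"))
UTD_DATA_FILTERING = DataFilteringProfile("UTD-Data-Filtering", "block",
                                          [CREDIT_CARD], [CONFIDENTIAL_TITLE])

# Constructed sample document: one valid test card number, one that fails Luhn.
SAMPLE_DOC = ("Customer record: card 4111 1111 1111 1111 on file; "
              "old card 4111-1111-1111-1112 expired.")
SAMPLE_PROPS = {"title": "Customer data - CONFIDENTIAL", "author": "Lab User"}

if __name__ == "__main__":
    print(scan(UTD_DATA_FILTERING, SAMPLE_DOC, SAMPLE_PROPS))
```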
End of Activity 7
Step 3: Enter the email address again if needed; otherwise, click “Next”.
Step 4: The password should already be filled in. Click “Sign In”.
Clicking any of these will navigate to the relevant page. At the top of the page are global data filters.
Step 2: “Devices” provides a list of all devices that have been discovered and the classification type of
those devices.
Step 3: “Applications” provides a list of all applications seen and the number of devices that are using that
application.
Step 4: “Network Segments” shows how many subnets are being monitored and the number of subnets
found for each device type.
Step 5: “Risk Overview” provides an understanding of how your organization is performing over time
when it comes to security of the IoT attack surface. The risk score is a composite breakdown of multiple
components including weak security posture, alerts based on abnormal or anomalous behaviors, and
vulnerabilities.
Hover over any month to see a list of alerts and vulnerabilities for that time period.
Step 6: “Alerts” shows an overview of all generated alerts and the category they belong to.
Step 7: “Vulnerabilities” provides an overview of the vulnerabilities and vulnerable devices that IoT
Security detected.
Step 8: Click on the “Inventory” tab, which provides another high-level summary of devices, device
categories, subnets, endpoint protection, and devices with external destinations.
Step 9: “Device Categories” is a list by category and the number of devices in that category. It can be
sorted by risk score, device count, or alphabetically.
Step 10: “Subnets” shows a list by subnet and the number of device types found in each subnet.
Step 11: “Endpoint Protection” provides a summary by device category and their endpoint protection
status.
Step 12: “Devices with External Destinations” is a world map showing a summary of how many devices
are connecting to that country.
Step 2: Click on “Awair-4594” (third device from the top if sorted by risk). The device details page has
content grouped into sections for identity, security summary, alerts, network traffic, applications, and
network usage.
Step 3: “Identity” - The Identity section at the top of the page provides identifying data such as the
category and profile of a device, its vendor and model, its OS, and various network-specific details.
Step 4: “Security (summary)” - The information in the next section relates to security and includes the
individual risk score for the device and whether baseline modeling is complete or still in progress. The
current behaviors diagram shows evaluations for five types of behavior ranging from normal (near the
center) to anomalous (near or beyond the edge).
Step 5: “Risks” - The Risks section contains the alerts, vulnerabilities, and anomalies that occurred to the
device during the time range set at the top of the page. The events are displayed along a timeline and in
a list with detailed information about each one.
Step 6: “Alerts” - This section contains only the alerts that the device raised during the specified time
range. Alerts are a subset of risks, and IoT Security generates them when it detects irregular behavior
and activity matching an alert rule. You can see when alerts occurred along a timeline, read details about
them, and take action to resolve them.
Step 7: “Security” - The Security section contains three subsections that show how a device connects to
other devices on the network and which applications it’s using.
Step 8: “Network Traffic” - View a conceptual network topology displaying the nodes with which the
device has formed connections. Use filters to display inbound or outbound connections; nodes with
various alert levels; connections to nodes within the same VLAN, same intranet, same country (domestic),
or in other countries (international); and so on.
Step 9: “Applications” - This section shows the applications the device uses, and how many other devices
and device profiles use the same application. Click a number in the Used by Devices column to open the
Devices page with its contents filtered by the corresponding application. Hovering your cursor over the
blue text of an entry in the Profiles column displays a list of all profiles that use that application.
Step 10: “Network Usage” - The last section shows a Sankey diagram with lines indicating network
connections. A red line would indicate it’s involved in an alert of high severity.
Step 11: “Alert Creation” – In the Sankey diagram alert notifications can be configured. This provides an
additional ability to create alerts driven by anomalous behavior or device inactivity.
The Applications page shows the total number of unique applications detected for devices matching the
site, device-type, and time-range filters set at the top of the page.
As can be seen, DNS is the top application used. Given that most IoT devices have hard-coded DNS
servers, the DNS Security service can defend against an array of threats using DNS.
Step 2: Click on the value under the “Number of Devices” column for “dns” to be taken to the “Devices”
page filtered on that application.
IoT Security examines network traffic in real time, analyzing communications from and to every device on
the network. It generates alerts if it detects irregular behavior or activity matching a policy.
Step 2: Each alert entry contains one or more occurrences of the alert. If there is more than one
occurrence, a number in parentheses indicating how many there are appears after the alert name. To
expand an alert and view its occurrences, click the alert name.
IoT Security considers a vulnerability to be potential when it applies to a specific device type, model, and
version number and one or more devices match the specified device type but their model and/or version
number are unknown.
A vulnerability can also be considered potential if it only applies to devices with certain serial numbers
and there are devices whose serial numbers are unknown but match the vulnerability description in all
other regards.
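The two “potential vulnerability” rules above are easy to get wrong when reasoning about an inventory, so here is an added example (written for this guide, not IoT Security's own code) that classifies a device as confirmed, potential, or not affected by a vulnerability. The vulnerability identifiers, device types, models, versions and serial numbers are constructed placeholders.

```python
"""Classify devices against a vulnerability the way the guide describes:
confirmed when every constrained attribute matches, potential when the
device matches in all known respects but some constrained attribute is
unknown, not-affected otherwise (example only)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Vulnerability:
    vuln_id: str                      # constructed placeholder id
    device_type: str
    model: Optional[str] = None       # None: applies to every model
    version: Optional[str] = None     # None: applies to every version
    serial_numbers: Optional[FrozenSet[str]] = None  # None: not serial-specific


@dataclass
class Device:
    name: str
    device_type: str
    model: Optional[str] = None       # None: unknown to the inventory
    version: Optional[str] = None
    serial: Optional[str] = None


def classify(vuln: Vulnerability, dev: Device) -> str:
    """Return 'confirmed', 'potential' or 'not-affected'."""
    if dev.device_type != vuln.device_type:
        return "not-affected"
    unknown = False
    # Model and version: a constrained attribute the device cannot report
    # leaves the match open; a known mismatch rules the device out.
    for want, have in ((vuln.model, dev.model), (vuln.version, dev.version)):
        if want is None:
            continue
        if have is None:
            unknown = True
        elif have != want:
            return "not-affected"
    # Serial-specific vulnerabilities: an unknown serial keeps the device
    # potential only if it matched in every other regard (checked above).
    if vuln.serial_numbers is not None:
        if dev.serial is None:
            unknown = True
        elif dev.serial not in vuln.serial_numbers:
            return "not-affected"
    return "potential" if unknown else "confirmed"


if __name__ == "__main__":
    # Constructed sample inventory.
    v = Vulnerability("VULN-PLACEHOLDER-001", "Infusion Pump", "X1", "2.0")
    for d in (Device("pump-a", "Infusion Pump", "X1", "2.0"),
              Device("pump-b", "Infusion Pump"),
              Device("pump-c", "Infusion Pump", "X2", "2.0")):
        print(d.name, classify(v, d))
```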
Step 2: Hover your cursor over an entry in the Vulnerability column; a panel pops up showing its
description and impact.
Step 3: Click on the vulnerability name to be taken to the “Vulnerability Details” page.
The device profile shows the number of devices that fall under this profile, the applications used, total
internal and external destinations and if there are alerts and vulnerabilities increasing the risk score.
Step 3: Click “View Behaviors” to see a summary of network behaviors organized into internal and
external destinations.
IoT Security provides the automatic generation of policy rule recommendations to control IoT device
traffic. The recommendations are based on device profiles.
Step 2: Click on “Netatmo Device” that is listed under “Profiles with Policy Sets”.
Step 4: Note that the “Profile Behaviors” indicate 3 applications (dns, dhcp, and ping) used on internal
networks.
Note that there is one external application, “unknown-tcp”, destined for a single URL/IP address,
“netcom.netatmo.net”.
Step 6: Click the link to “Netatmo Device” which will take you back to the profile. Then click “Netatmo
Device” under “Policy Set”.
Step 7: The “Policy Set” has previously been created and activated.
For the lab internal network, we are not doing any additional segmentation and enforcement. Due to this,
you will see no applications or destinations for “Internal Destinations”.
Here, we will allow “unknown-tcp” externally; normally this would not be a good idea.
We are further restricting it to “netcom.netatmo.net”. Also note that we have assigned security profiles for
antivirus, vulnerability protection, and anti-spyware. This “Policy Set” will be used on the NGFW in the
next activity.
Feel free to explore more of the “IoT Security Portal”. Learn more about IoT Security at
https://www.paloaltonetworks.com/network-security/iot-security
For a free trial of IoT Security go to https://start.paloaltonetworks.com/iot-security-evaluation
End of Activity 8.
Step 2: Click “Sync Policy Rules” to make sure the “Policy Recommendation” is up-to-date.
Step 4: Click “OK” on the “Status” window. If any policy rules were updated, it will be reflected here.
Step 5: Note that the “Device Profile”, “FQDN”, “Security Profiles”, and “Applications” are those in the
Netatmo Policy Set from the IoT Security Portal.
Step 6: Select the checkbox for the “Netatmo Device” and click “Import Policy Rules”.
Step 7: For “Name”, enter “Netatmo Device” and select “UTDTP-Policy1a” for “After Rule”.
The details from when this policy was imported can be viewed here.
Step 4: Click “Source” and verify that the “Source Device” has been set to “Netatmo-Device”. Under
“Source Zone”, click “Add” and select “TP-Trust”.
Step 5: Click “Destination”. Notice that “Destination Address” has already been set to “iot.addr…”. Under
“Destination Zone”, click “Add” and select “TP-Untrust”.
Step 7: Click “Actions”. Note that the “Profile Settings” for antivirus, vulnerability protection, and
anti-spyware have already been selected. All of the NGFW cloud-delivered security services are also
available to protect your IoT devices.
Step 8: Click the “Objects” tab and then the “Addresses” node.
As seen in the security policy, the address object has been created automatically and references the
FQDN for netcom.netatmo.net.
Step 9: While still on the “Objects” tab, click the “Devices” node.
Also, as seen in the security policy, the source device, using Device-ID, for Netatmo-Device has been
created for you.
Step 2: Enter “WindowsXP” for “Name” and select the following (just start typing to filter):
OS: Windows XP
OSfamily: Windows
Vendor: Microsoft
Step 3: Click “Browse” to bring up “Browse Devices” as an alternate way of adding objects.
Step 5: This “WindowsXP” object could then be used in a security policy that would further restrict what
access it had.
Device objects are used in policy as match criteria, in much the same way IP addresses are. The
granular nature of the device object definition allows very specific policies to be created. For example,
it is possible to allow an iPhone 11 running iOS 12.3 to run Zoom but disallow other iOS/model
combinations.
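As an added illustration of device objects as match criteria (example code for this guide, not PAN-OS's rule engine), the following evaluates a small rulebase with first-match semantics and an implicit deny. The “WindowsXP” object carries the attributes from Step 2; the iPhone 11 / iOS 12.3 object, the attribute keys (“os”, “osfamily”, “vendor”, “model”) and the application names are assumptions of the example.

```python
"""Device objects as policy match criteria: a rule matches only when every
attribute set on its device object equals what Device-ID learned (example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class DeviceObject:
    name: str
    attrs: Dict[str, str]  # attributes left out of the object match anything

    def matches(self, device: Dict[str, str]) -> bool:
        return all(device.get(k) == v for k, v in self.attrs.items())


@dataclass
class Rule:
    name: str
    source_device: Optional[DeviceObject]   # None: any device
    applications: Optional[FrozenSet[str]]  # None: any application
    action: str


def evaluate(rules: List[Rule], device: Dict[str, str], app: str) -> str:
    """First matching rule wins; nothing matching means implicit deny."""
    for r in rules:
        if r.source_device is not None and not r.source_device.matches(device):
            continue
        if r.applications is not None and app not in r.applications:
            continue
        return r.action
    return "deny"


# Object from Step 2 of this activity.
WINDOWS_XP = DeviceObject("WindowsXP", {"os": "Windows XP",
                                        "osfamily": "Windows",
                                        "vendor": "Microsoft"})
# Constructed objects for the iPhone 11 / iOS 12.3 example in the text.
IPHONE_11_IOS_12_3 = DeviceObject("iPhone11-iOS12.3", {"osfamily": "iOS",
                                                       "model": "iPhone 11",
                                                       "os": "iOS 12.3"})
ANY_IOS = DeviceObject("Any-iOS", {"osfamily": "iOS"})

RULES = [
    Rule("Allow-iPhone11-Zoom", IPHONE_11_IOS_12_3, frozenset({"zoom"}), "allow"),
    Rule("Deny-other-iOS-Zoom", ANY_IOS, frozenset({"zoom"}), "deny"),
    Rule("Restrict-WindowsXP", WINDOWS_XP, None, "deny"),
    Rule("Allow-Web", None, frozenset({"web-browsing", "ssl"}), "allow"),
]

if __name__ == "__main__":
    # Constructed Device-ID facts for two endpoints.
    print(evaluate(RULES, {"osfamily": "iOS", "model": "iPhone 11",
                           "os": "iOS 12.3"}, "zoom"))          # allow
    print(evaluate(RULES, {"osfamily": "Windows", "os": "Windows XP",
                           "vendor": "Microsoft"}, "web-browsing"))  # deny
```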
End of Activity 9.
Step 3: Review the available information. For the “BPA-sample” report, you may click around this HTML
report.
Step 7: Choose “NG-Firewall” for “Configuration Type” and “9.0” for “PanOS Version”.
Step 8: The default values may be changed for your environment. We will leave them as-is here. Click
“GENERATE CONFIG AND IMPORT”.
This runs against the Best Practice Assessment (BPA) and generates an overall score.
Step 10: You will see a “Current % Adoption” of approximately 59%. There is also a value, “% Adoption
after Auto-Remediation”. This value represents items that Expedition can correct automatically.
Step 11: Click on “Analysis” and then select the “device” tree.
Step 12: This shows all the items that have passed or failed from the BPA. In the right-most column,
there is a suitcase icon – the dark grey one is a check that Expedition can auto-remediate.
Step 13: Select any item in the list and then Control + A to select everything. The list items will have a
yellow background. Click “Remediate”.
Step 14: Return to the “BEST PRACTICES” > “Dashboard” to see that adoption percentage has
increased.
Step 15: From here, this initial configuration can be exported to an XML file (which can be imported into
your NGFW) or sent via the XML API.
Step 2: Please complete the survey and let us know what you think about this workshop.
LAB SETUP
Security Platform: UTD-CDSS-PAVM