
Ultimate Test Drive – Cloud-Delivered Security Services

Ultimate Test Drive – Cloud-Delivered Security Services Workshop Guide
UTD-CDSS 4.1 / PAN-OS 10.0

https://www.paloaltonetworks.com

UTD-CDSS 4.1 © 2021 Palo Alto Networks, Inc. | Confidential and Proprietary Last Update: 20210422

Table of Contents

Table of Contents 2
Activity 0 – Log in to the UTD Workshop 5
Task 1 – Log in to your Ultimate Test Drive class environment 5
Task 2 – Log in to the student desktop 7
Task 3 – Log in to UTD NGFW Firewall 10
Task 4 (Very Important) – Bring up interface “ethernet1/1” 11

Activity 1 – Prevent Known Threats 13


Task 0 – Review the Security Profiles 13
Task 1 – Modify the Antivirus Profile 14
Task 2 – Review Threat Logs 16
Task 3 – Enable Vulnerability Protection 17
Task 4 – Run threat replay samples 19
Task 5 – Review Threat Logs and ACC 20

Activity 2 – Control Unknown Malware with WildFire 23


Task 1 – Configure WildFire threat analysis 23
Task 2 – Modify Security Policy to enable WildFire 24
Task 3 – Test WildFire modern malware protection 25
Task 4 – Review the WildFire Submissions log 27

Activity 3 – Modern Malware Protection with ML-Powered Analysis 29


Task 1 – Download Malware 29
Task 2 – Review Threat Logs and Create Antivirus Exception 30
Task 3 – Enable WildFire Inline ML-Powered Analysis 31
Task 4 – Test WildFire Inline ML Analysis 32
Task 5 – Review Threat Logs 33

Activity 4 - DNS Security 34


Task 1 – Create an Address Object for DNS Sinkhole 34
Task 2 – Modify and apply the Anti-Spyware profile 35
Task 3 – Verify the DNS Sinkhole configuration 36
Task 4 – DNS Sinkhole Using DNS Security Signatures 39
Task 5 – Domain Generation Algorithm (DGA) Detection 40
Task 6 – DNS Tunneling Detection 41
Task 7 – Insight with DNS Security Analytics 42


Activity 5 – Decryption 43
Task 1 – Modify the Decryption Profile 43
Task 2 – Edit the Decryption Policy 43
Task 3 – Enable decrypted traffic 44
Task 4 – Connect to the SSL-enabled web server 44
Task 5 – Review Threat Logs 45

Activity 6 – URL Filtering 46


Task 1 – Create a URL filter to block all malware sites and enforce safe search 46
Task 2 – Apply URL filter to a Security Policy 47
Task 3 – Detecting a phishing site. 49
Task 4 – Enable URL Filtering Inline ML Analysis 51
Task 5 – Test Inline ML URLs 52
Task 6 – Review URL Filtering Logs 52

Activity 7 – Enterprise DLP 53


Task 1 – Review Enterprise DLP on Panorama 53
Task 2 – Modify Security Policy to enable Enterprise DLP 56
Task 3 – Attempt Upload of Sensitive Content 57
Task 4 – Review Logs in Panorama 60

Activity 8 – Introduction to IoT Security 62


Task 1 – Log in to the IoT Security Portal 62
Task 2 – Review Dashboard 63
Task 3 – Review Devices 67
Task 4 – Review Applications 71
Task 5 – Review Alerts 72
Task 6 – Review Vulnerabilities 73
Task 7 – Review Profiles 74
Task 8 – Review Policy Sets 75

Activity 9 – IoT Security Enforcement 78


Task 1 – Import Policy Set into NGFW 78
Task 2 – Review Imported Policy and Objects 79
Task 3 – Configure Device-ID 81

Activity 10 – Tools to Help Improve Security Posture 83


Task 1 – Overview: Best Practice Assessment (BPA) 83
Task 2 – Overview: IronSkillet 84
Task 3 – Overview: Expedition 85


Task 4 – Use Expedition to Accelerate IronSkillet and BPA Adoption. 85

Activity 11 - Feedback on Ultimate Test Drive 89


Task 1 – Take the online survey 89

Appendix-1: Network Diagram 90

How to use this guide


The activities outlined in this Ultimate Test Drive (UTD) Workshop Guide are meant to contain all the
information necessary to navigate the workshop interface, complete the workshop activities, and
troubleshoot any potential issues with the UTD environment. This guide is meant to be used in
conjunction with the information and guidance provided by your facilitator.

Note: This workshop covers only basic topics and is not a substitute for training classes
conducted at a Palo Alto Networks Authorized Training Center (ATC). Please contact your
partner or regional sales manager for more training information.

Terminology
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each Tab found in the left-hand column of each screen.

Note: Unless specified, the Google® Chrome™ web browser will be used to perform any
tasks outlined in the following activities (Chrome is pre-installed on the student desktop VM).


Activity 0 – Log in to the UTD Workshop


In this activity, you will:
• Log in to the Ultimate Test Drive Workshop from your laptop
• Test student desktop connectivity to the firewall
• Review the workshop network

Task 1 – Log in to your Ultimate Test Drive class environment


Step 1: First, make sure your laptop has a modern browser installed that supports HTML5.

Step 2: Go to the class URL. Enter your email address and the passphrase. (If you have an invitation
email, you can find the class URL and passphrase in the invitation email. Or the instructor will provide
them for you.)

Step 3: Complete the registration form and click “Register and Login” at the bottom.

Step 4: Depending on your browser, you may be asked to install a plugin. Click “Yes” to allow the
plugin to be installed and continue the login process.


Step 5: Once you log in, the environment will be automatically created for you.

Step 6: The UTD-CDSS environment consists of a few components: a “Student Desktop” and a
“VM-Series Security Platform”. The “VM List” tab shows all the VMs used in this lab environment.


Task 2 – Log in to the student desktop


Step 1: Click the “Student Desktop” tab to connect to the Student Desktop.

Step 2: You will be connected to the “Student Desktop” through your browser.


Step 3: If the “Student Desktop” resolution is too high or too low for your laptop display, you can adjust
the resolution from the left-hand pane. You can also click the “Full screen” icon to maximize the display.

Optional Step 4: If you encounter connection issues with the “Student Desktop”, click the “Reconnect”
icon to re-establish the connection.


Optional Step 5: If the reconnect to the “Student Desktop” remains unsuccessful, please verify your
laptop connectivity using the following link.

https://use.cloudshare.com/Ent/Machine.mvc/testpage#/

Optional Step 6: If the connectivity test passed, please close the browser and retry from Task-1, Step-1.
If the connectivity test failed, please ask the instructor for further assistance.


Task 3 – Log in to UTD NGFW Firewall


Step 1: Click the “NGFW-UI” tab.

This will open a new tab in your laptop browser with the login page for the NGFW VM. Log in to the
firewall using the following name and password:

Username: student
Password: utd135

Step 2: You are now logged in to the VM-Series firewall and should see the main dashboard.


Task 4 (Very Important) – Bring up interface “ethernet1/1”


Step 1: The firewall is not connected to the Internet by default. Click the “Network” tab, and then click the
“Interfaces” node on the left-hand side.

Step 2: Click the interface “ethernet1/1” under “Ethernet,” then click the “Advanced” tab to change the
link state.

Step 3: Select “up” in the “Link State” option; then click “OK”.


Step 4: Click “Commit” (in the upper right-hand corner of the GUI), then click “Commit All Changes” in
the pop-up window.

Step 5: Click “Close” in the pop-up window once the commit has completed. The “Link Status” of
“ethernet1/1” should turn green after the interface is up.

Step 6: Open a new tab in the Chrome browser window and confirm Internet connectivity by going to any
URL.

Step 7: Here is a quick look at how the student desktop and the virtual firewall are connected.

End of Activity 0.


Activity 1 – Prevent Known Threats


Background: Network-based threat prevention has evolved to cover many disciplines: prevention of
vulnerability exploits (IPS), a wide range of malware, outbound malware command-and-control traffic,
hacking and surveillance tools, and the applications and tools that attackers use to persist in the
network during long, coordinated attacks. We will begin by getting you acquainted with the core threat
prevention capabilities of the Palo Alto Networks platform and how to configure the system to
proactively prevent a broad cross-section of threats in a single, coordinated policy.

PAN-OS® features used in this activity:


• Profiles: Antivirus and Vulnerability Protection
• Application Command Center – ACC
• Understanding and applying different security profiles
• Cloud-Delivered Security Service: Threat Prevention

In this activity, you will:


• Review and learn how to configure security profiles and apply them
• Review security profile options
• Investigate security events through logs and ACC

Task 0 – Review the Security Profiles


Step 1: In your browser, go back to the VM-Series GUI.

Step 2: Click the “Objects” tab.

Step 3: Click the “Security Profiles” node on the left to review the security profiles.

Step 4: Ask your instructor to explain the difference between the various security profiles.


Task 1 – Modify the Antivirus Profile


Step 1: Click the Antivirus Profile “UTDTP-AV-Profile01”

Step 2: In the “Antivirus Profile” window, under “Decoders”, confirm that the action for HTTP decoder is
set as “default (reset-both)”. Review the options under Signature Action for the different decoders and
note that “WildFire Signature Action” is set independently (more on WildFire in a later activity).

Step 3: Click “Cancel” to close the Antivirus profile.


Step 4: Click the “Policies” tab, then click the “Security” node on the left-hand side.


Step 5: Click the “UTDTP-Policy01a” policy to open the “Security Policy Rule” window.

Step 6: Click the “Actions” tab and select “Profiles” under “Profile Type” below “Profile Setting”.

Step 7: For the Antivirus setting, select “UTDTP-AV-Profile01”, then click “OK”.

Step 8: Click “Commit” (in the upper right-hand corner of the GUI) and complete the commit process.

Step 9: Click “Close” in the pop-up window once the commit has completed.


Step 10: From the Student Desktop, open a new browser tab, then go to http://10.80.2.213 (or use the
“UTD-CDSS Web Server” bookmark under Lab Bookmarks > Activity 1). Click “UTD-CDSS Threat
Samples”.

Step 11: Click one of the EICAR samples to download it.

Step 12: Are you able to download the EICAR sample? Did you see a “Virus Download Blocked” page?

Task 2 – Review Threat Logs


Step 1: From the NGFW-UI, click the “Monitor” tab, select the “Threat” node (under the “Logs” section).

Step 2: Click “virus” under “Type” to filter the threat logs automatically, or enter the following in the
search bar:
(subtype eq virus)
Then press the “Enter” key or click the icon next to the search bar to apply the filter.


Note: You can add other columns to see more info on the logs. Mouse over any header and click the
white arrow next to the header name, then click “Columns” and select the columns you want to add.
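The log filter typed in Step 2 is a small expression language: each comparison sits in parentheses, and comparisons combine with “and”/“or”. The following is an added example, not code from the workshop guide or from Palo Alto Networks, that implements an evaluator for that syntax (the “eq”, “neq” and “contains” operators, plus nested groups) and runs it over constructed threat-log records shaped like the rows in Monitor > Logs > Threat. The record values and IP addresses are made up for the example; the “summarize” helper is likewise an assumption, mimicking the per-column totals you would add through the “Columns” menu.

```python
"""Added example (not from the workshop guide): evaluate PAN-OS style
threat-log filters such as "(subtype eq virus)" offline over sample rows."""
import re

# Constructed sample records in the shape of Monitor > Logs > Threat rows.
# Values are illustrative and were not captured from the lab environment.
THREAT_LOGS = [
    {"subtype": "virus", "severity": "medium", "action": "reset-both",
     "threat_name": "Eicar Test File", "app": "web-browsing", "src": "10.80.1.50"},
    {"subtype": "vulnerability", "severity": "high", "action": "alert",
     "threat_name": "HTTP Directory Traversal", "app": "web-browsing", "src": "10.30.21.173"},
    {"subtype": "spyware", "severity": "critical", "action": "sinkhole",
     "threat_name": "Suspicious DNS Query", "app": "dns", "src": "10.80.1.50"},
    {"subtype": "virus", "severity": "medium", "action": "reset-both",
     "threat_name": "Eicar Test File", "app": "ftp", "src": "10.80.1.51"},
]

# Tokens are parentheses or runs of non-space, non-paren characters.
_TOKEN = re.compile(r"\(|\)|[^\s()]+")
_OPS = {
    "eq": lambda a, b: a == b,
    "neq": lambda a, b: a != b,
    "contains": lambda a, b: b in a,
}


def _combine(left, right, how):
    """Join two predicates with all() (and) or any() (or)."""
    return lambda rec: how(p(rec) for p in (left, right))


def parse_filter(text):
    """Parse "(field op value) and/or (...)" into a predicate over a record.
    Supports nested groups, e.g. "((a eq 1) or (b eq 2)) and (c neq 3)"."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        pos += 1
        return tok

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take("or")
            left = _combine(left, parse_and(), any)
        return left

    def parse_and():
        left = parse_atom()
        while peek() == "and":
            take("and")
            left = _combine(left, parse_atom(), all)
        return left

    def parse_atom():
        take("(")
        if peek() == "(":                 # nested group: ( (...) or (...) )
            inner = parse_or()
            take(")")
            return inner
        field = take()
        op = take()
        if op not in _OPS:
            raise ValueError(f"unsupported operator {op!r}")
        parts = []
        while peek() != ")":              # quoted values may contain spaces
            parts.append(take())
        take(")")
        value = " ".join(parts).strip("'\"")
        return lambda rec, f=field, o=_OPS[op], v=value: o(str(rec.get(f, "")), v)

    pred = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return pred


def filter_logs(logs, text):
    """Return the records matching the filter expression."""
    pred = parse_filter(text)
    return [rec for rec in logs if pred(rec)]


def summarize(logs, field):
    """Count records per value of a column (assumed helper, like column totals)."""
    counts = {}
    for rec in logs:
        counts[rec.get(field, "")] = counts.get(rec.get(field, ""), 0) + 1
    return counts


if __name__ == "__main__":
    for rec in filter_logs(THREAT_LOGS, "(subtype eq virus)"):
        print(rec["src"], rec["app"], rec["threat_name"])
    print(summarize(THREAT_LOGS, "subtype"))
```

Running the block prints the two EICAR rows and the per-subtype counts; the same evaluator accepts the compound filters you can build by clicking several column values in the log view.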

Task 3 – Enable Vulnerability Protection


Step 1: Click the “Network” tab, click the “Interfaces” node on the left-hand side.

Step 2: Check that the “Interface Type” of ethernet1/4 is set to “Tap”.

Step 3: Click the “Policies” tab, click the “Security” node on the left-hand side.

Step 4: Click “UTDTP-Policy01b” to open the “Security Policy Rule” window.

Step 5: Click the “Actions” tab, select “Profiles” under the “Profile Type” below “Profile Setting.”

Step 6: Click the drop-down menu for “Vulnerability Protection” and select “New Vulnerability Protection”.


Step 7: Enter “UTDTP-Alert” in the “Name” field of the new vulnerability protection profile.

Step 8: Click “Add” under “Rules”, then name the rule “Alert-All”.

Step 9: Set “Action” to “Alert” and set “Packet Capture” to “Extended-capture”.

Step 10: Click “OK”, then click “OK” to save the profile.

Step 11: For “Anti-Spyware”, select “strict”.

Step 12: For “URL Filtering”, select “UTDTP-URL-Profile01”, then click “OK” to save the policy.

Step 13: Click “Commit” (in the upper right-hand corner of the GUI), then click “Commit All Changes” in
the pop-up window.


Step 14: Click “Close” in the pop-up window once the commit has completed.

Task 4 – Run threat replay samples


Step 1: On the student desktop, open the “PuTTY” application.

Step 2: Load the saved session “TrafficReplayServer” (host 10.30.21.173) and SSH to the traffic replay
server.

Step 3: Log in as:


User name: lab
Password: paloalto

Step 4: Run the “ReplayThreats” script to send threats out on the tap ports.
./ReplayThreats [Note: case sensitive]
You will be prompted for a password; enter “paloalto”.


Task 5 – Review Threat Logs and ACC


Step 1: From the NGFW-UI, click the “Monitor” tab, then select the “Threat” node (under the “Logs”
section).

Step 2: Click the icon in the top right corner to clear the filter, if there is one. Change the refresh setting
from “Manual” to “60 Seconds”.

Step 3: Hover over the name of any attack and click the down arrow. A new menu appears with an
“Exception” entry; click it to review the details.

Click “Cancel” to exit.

Step 4: Click the detail log and review the “Application” that the threat is detected on.


Step 5: A green arrow indicates there is a packet capture for the traffic sample. You can click the green
arrow to review the packets in detail or export it for further analysis.

Step 6: Jump to the ACC tab and review the “User Activity” widget under the “Network Activity” subtab.
By using User-ID™, you are able to see individual users, not just IP addresses. If you see a user “None”,
then that means it is an IP address that has no User-ID mapping. This could be an external IP, a Zone
that doesn’t have User-ID enabled or even a rogue IP.

Step 7: Click the “Threat Activity” subtab to review the threats that were detected in the “Threat Activity”
widget. Scroll down to see the various data available to you.

Note: The ACC is not in real time and uses summary data from the logs. It may take a while for
this data to appear.


End of Activity 1.


Activity 2 – Control Unknown Malware with WildFire


Background: For the past decade, adversaries have been evolving dramatically, blending multiple
advanced attack techniques to evade traditional security solutions. WildFire™ automatically
prevents and detects targeted and unknown malware through direct observation in a virtual
environment, while the Palo Alto Networks Next-Generation Security Platform ensures full visibility
and control of all traffic, including tunneled, evasive, encrypted and even unknown traffic. We will
review policy considerations, including which applications and file types the WildFire file-blocking
and upload profile should apply to.

PAN-OS features used in this activity:


• Profile: WildFire Analysis
• WildFire Activity Report and online WildFire portal
• Logging and reporting for verification
• Cloud-Delivered Security Service: WildFire

In this activity, you will:


• Modify the existing file-blocking policy to enable the WildFire service
• Review the built-in WildFire Activity Report and online portal

Task 1 – Configure WildFire threat analysis


Step 1: On the VM-Series security platform GUI, click the “Objects” tab, click the “WildFire Analysis”
node (found under the Security Profiles section).

Step 2: Click “Add” to create a new WildFire Analysis profile.


Step 3: In the “WildFire Analysis Profile” pop-up window, name this profile “UTDTP-WildFire”.

Step 4: Click “Add” in the profile window to add a rule in this profile, name it “Download-PE-PDF”.

Step 5: Under “File Types”, click “any”, click the “+” button, and add “pe” and “pdf”. Then change the
“Direction” to “download”, and click “OK” to save the new profile.

In addition to Windows executables (pe) and PDF files (pdf), WildFire also supports the following file
types: Android (apk), Adobe Flash (flash), Java (jar), Microsoft Office (ms-office), Mac OS (MacOSX),
Linux (elf), RAR and 7-Zip (archive) and BAT, JS, VBS, PS1 Scripts (script). With “email-link” configured
for the WildFire profile, the security platform will extract HTTP/HTTPS links contained in SMTP and POP3
email messages and forward the links to the WildFire public cloud for analysis. It does not receive, store,
forward, or view the email message.

Task 2 – Modify Security Policy to enable WildFire


Step 1: Click the “Policies” tab, then click the “Security” node.

Step 2: Click the rule name “UTDTP-Policy01a”; a “Security Policy Rule” pop-up will appear.

Step 3: Click the “Application” tab (within the pop-up), then add the “IT-Apps” application group. The
“IT-Apps” application group includes the WildFire-update-service and some common applications often
used by the IT team. You may go to the “Objects” tab, then the “Application Groups” node, to review
which applications are included in the IT-Apps group.

Step 4: Click the “Actions” tab (within the pop-up).

Step 5: In the “Profile Setting” section, select the drop-down menu next to “WildFire Analysis”.

Step 6: Select “UTDTP-WildFire”.

Step 7: Click “OK”.

Step 8: Click “Commit” (in the upper right-hand corner of the web browser).


Step 9: Click “Commit All Changes” in the pop-up window, and then click “Commit”.

Step 10: Click “Close” once the commit has completed.

Task 3 – Test WildFire modern malware protection


Step 1: Download a WildFire test sample file in a separate tab of the Student Desktop browser using the
“WildFire-Test-File” shortcut, or go to the following URL:
http://wildfire.paloaltonetworks.com/publicapi/test/pe (bookmarked under Lab Bookmarks > Activity 2 >
WildFire-Test-File)

Note: Click “Proceed anyway” if you receive a certificate error message.

Step 2: The browser will automatically download a “wildfire-test-pe-file.exe” sample file. Check your
“Downloads” folder to confirm the download. (The downloaded file appears at the bottom of the browser
window; click “Keep” if prompted.)

Step 3: To view that the sample has been sent to WildFire, go back to the VM-Series security platform
GUI, click the “Monitor” tab, then click the “WildFire Submissions” node (under the “Logs” section) and
review the log entry for the file being uploaded to the WildFire service.

Note: It may take about 5-10 minutes for the WildFire log to appear. You can continue to
Step 4 to review the online WildFire portal.

Step 4: Click the “Security Admin” tab in CloudShare to access that desktop in your browser. Click the
“Security Admin” icon to launch the browser. If you are not already signed in, enter the email
utd-tp@pan-labs.net, click “Next”, then click “Sign In” on the next page. You are now logged in to the
WildFire Dashboard.

Step 5: In the portal you can see a summary of all the files that have been submitted for analysis and
other features that come with the WildFire service. The WildFire portal can manage multiple Palo Alto
Networks NGFWs in one account.


Note: In this lab environment, there is only one security platform managed by this account.

Step 6: Click the “Reports” tab. Here you can see the verdict of the file that you just submitted. The
WildFire analysis is in progress if the verdict is “Pending”.

Step 7: Click the document icon (on the left side) for your submission to bring up the “WildFire Analysis
Report”.

Note: The “Session Information” section shows both the IP address and the User-ID of the
“Student Desktop” VM.


Step 8: You can manually upload files for analysis to WildFire by using the “Upload Sample” tab.

Task 4 – Review the WildFire Submissions log

Note: It may take some time for the firewall to receive the WildFire Analysis update; you
can come back to this task upon finishing other activities.

Step 1: Go back to the VM-Series GUI, click the “Monitor” tab, then click the “WildFire Submissions”
node. You should see a new log entry there. When you see the entry, click the “Details” icon on the
left-hand side of the log entry. In the “Log Info” tab, you can view the basic information on the file and the
application that carries that file.

Step 2: Click “WildFire Analysis Report” to view the details of the analysis results. Under the “WildFire
Analysis Summary”, the “Verdict” indicates that the submitted file is a malware sample, and you can
download the malware file from the “Sample File” directly.

Step 3: Keep scrolling down in this tab until you find “Dynamic Analysis”; there you can see the behavior
of the malware under different operating systems. “Virtual Machine 1” is configured with Windows XP.
Review the behavior and activity of the malware. Click “Virtual Machine 2” to review the malware
behavior and activity in Windows 7.

Step 4: Explore the other features and functions offered in the WildFire Analysis Report, such as
downloading the PCAP file of the malware network activity and downloading the WildFire analysis report
in PDF format.

End of Activity 2.


Activity 3 – Modern Malware Protection with ML-Powered Analysis

Background: Powered by threat models continually honed in the cloud, the WildFire subscription
enables an inline ML-based engine, delivered within our hardware and virtual NGFWs. This
capability prevents malicious file-based content, such as portable executable files and dangerous
fileless attacks stemming from PowerShell, completely inline with no cloud analysis step. The ML
models are updated daily for the most up-to-date detection capabilities.
While ML-based prevention is instant, scanned files are simultaneously routed to WildFire for
analysis. This not only builds in a feedback loop for false positives, but also drives rapid
prevention. Threats for which inline prevention would not have visibility (e.g., net-new threats
delivered in different formats, such as PDFs or Office/Microsoft 365™ files; customized, highly
evasive threats targeting a specific organization) are addressed with zero-delay signature
updates. These innovative signatures are delivered continuously and in real time from the cloud
to enable rapid prevention actions by cloud-based, near-real-time processes. Whether an
unknown file matches an existing signature or is classified by ML models on the NGFW, WildFire
always performs full analysis, extracting valuable intelligence and data to provide context for
security analysts, training updates for the ML models, and intelligence sharing with other
subscriptions to prevent other attack vectors.

PAN-OS features used in this activity:
• Profile: Antivirus
• WildFire Inline ML-Powered Analysis
• Logging and reporting for verification
• Cloud-Delivered Security Service: Threat Prevention and WildFire

In this activity, you will:


• Modify the existing Antivirus policy to enable WildFire Inline ML
• Attempt to download malware

Task 1 – Download Malware


Step 1: From the Student Desktop browser, open a new tab, then use the “Inline ML Test Files”
bookmark under Lab Bookmarks > Activity 3.


Step 2: Click on one of the “ML-PE-sample*.exe” files to attempt to download these live malware sample
files. You only need to pick one. Do not download “ML-AV-sample.exe” at this time.

The file is blocked by the current Antivirus signatures.

Task 2 – Review Threat Logs and Create Antivirus Exception


Step 1: From the VM-Series GUI, click the “Monitor” tab, then click the “Threat” node.

You may also see an entry for “wildfire-virus” on these samples. This is due to how the NGFW processes
threats in parallel. The above sample was caught by both threat and WildFire virus signatures.

Step 2: For the sample you attempted to download, hover in the “Threat ID/Name” area and click the
down arrow. Then click “Exception”.

Step 3: The “Threat Details” window will pop up, showing you the threat name and the security profile
object that triggered. Select “UTDTP-AV-Profile01” and then click “OK”.

By creating the exception, these threats will be allowed through the NGFW with the current security
settings.


Task 3 – Enable WildFire Inline ML-Powered Analysis


Step 1: Click the “Objects” tab and then “Antivirus” under “Security Profiles”.

Step 2: Click the Antivirus Profile “UTDTP-AV-Profile01”

Step 3: Note the “WildFire Inline ML Action” for “http” is listed as “default (reset-both)”. This is the action
the NGFW will take when “WildFire Inline ML” has been enabled.

Step 4: Click the “Signature Exceptions” tab to view the exception you created in the previous task.

Step 5: Click the “WildFire Inline ML” tab. Note that all ML models are currently disabled.


Step 6: Set the “Action Setting” to “enable” for all ML models.

Step 7: Click “OK” to save the Antivirus profile.

Step 8: Click “Commit” (in the upper right-hand corner of the web browser).

Step 9: Click “Commit All Changes” and then click “Commit” in the pop-up window.

Task 4 – Test WildFire Inline ML Analysis


Step 1: From the Student Desktop browser, open a new tab, then use the “Inline ML Test Files”
bookmark under Lab Bookmarks > Activity 3.

Step 2: Click the same malware sample you previously attempted to download and created the
exception for. Click “Keep” if asked to save the file. You may also attempt to download
“ML-AV-sample.exe”.

Step 3: Note that you may see the file start to download before it stalls and then times out.


WildFire Inline ML inspects files at line speed and blocks malware variants of portable executables as
well as PowerShell files, which account for a disproportionate share of malicious content. The ML-based
engine can prevent up to 95% of threats inline without requiring cloud-based analysis from WildFire. For
the rest, protections are delivered in seconds from the world’s largest cloud-native detection and
prevention engines.

Note: The WildFire machine learning model is trained with over 20 million new malware
samples on a daily basis. Because the inline machine learning models are continually
retrained and tuned to adapt to the changing real-world threat landscape, specific
point-in-time test samples may not yield consistent results.
If any of these files are able to download, please inform your instructor.

Task 5 – Review Threat Logs


Step 1: Click the “Monitor” tab, then click the “Threat” node.

Step 2: Note that “ml-virus” is listed under the “Type” column for the threat.

Step 3: Click on the magnifying glass and scroll down to the “Details” section. The “Threat ID/Name”
indicates “Machine Learning found virus”.

Even though you disabled the antivirus signature for this malware, WildFire was able to stop it without any
signatures due to Inline ML.

End of Activity 3.


Activity 4 - DNS Security


Background: Attackers around the world leverage DNS as a way to avoid detection and to take
over targeted devices. They set up command-and-control centers to connect to computers and
mobile devices that are already hosting their malicious files or botnets; the device owners usually
have no clue that an attack is taking place. Attackers pre-program random malicious URLs or
domains into the bot and only activate those URLs or domains at specific intervals. The bot is
programmed to connect back to the command center for those URLs or domains at the same
interval (usually irregularly, so as to avoid detection) to upload data it has stolen or to receive
instructions for its next move. This is what is known as command-and-control, abbreviated as
CnC or C2, used to operate and manage an ongoing or persistent attack. With a DNS sinkhole in
place, instead of resolving the infected clients’ outbound DNS requests to the malicious domains,
the Palo Alto Networks Next-Generation Security Platform answers those requests with a
pre-configured internal IP of your choice, effectively stopping the bot’s attempts to contact its
command center and capturing useful data about the attack.
The firewall has two sources of DNS signatures that it can use to identify malicious and C2
domains:
• (Requires Threat Prevention subscription) Local DNS signatures—This is an on-box set of DNS
signatures that the firewall can use to identify malicious domains. The firewall gets new DNS
signatures as part of the daily antivirus updates.
• (Requires DNS Security subscription) DNS Security signatures—The firewall queries the Palo
Alto Networks DNS Security cloud service to check domains against the complete database of DNS
signatures. Certain protections that only DNS Security provides use machine learning to detect
C2 techniques such as domain generation algorithms (DGAs) and DNS tunneling.

PAN-OS features used in this activity:


• Profile: Anti-Spyware with DNS sinkhole
• Address object
• Logging and reporting for verification
• DNS Security Dashboard
• Cloud-Delivered Security Service: Threat Prevention & DNS Security

In this activity, you will:


• Set up and enable a DNS sinkhole with an Anti-Spyware security profile
• Review logs from suspicious DNS requests
• Gain insight into your DNS trends with the DNS Security Dashboard

Task 1 – Create an Address Object for DNS Sinkhole


Step 1: Go to the “Objects” tab and click the “Addresses” node on the top left-hand corner.

Step 2: Click “Add”, then create the address object name “Sinkhole” and give it an IP address of
“10.80.2.199”.

Step 3: Click “OK” to complete the creation of the address object.

Task 2 – Modify and apply the Anti-Spyware profile


Step 1: In the same “Objects” tab, go to the “Anti-Spyware” profile under the “Security Profiles” node.

Step 2: Click the “DNS-Sinkhole” Anti-Spyware profile, then click the “DNS Policies” tab. The current
“Signature Source” for “Palo Alto Networks Content” is set to use local DNS signatures from the Threat
Prevention subscription. The “Policy Action” is already set to sinkhole.

Step 3: Change the “Sinkhole IPv4” address to “10.80.2.199” but leave the “Sinkhole IPv6” address
unchanged.

Step 4: Click “OK” to save the changes to the Anti-Spyware security profile.

Step 5: Go to the “Policies” tab, then click the “Security” node.

Step 6: Click “UTDTP-Policy02”, the rule that allows the DNS application. Go to the “Actions” tab and
select “Profiles” for “Profile Type”. Change the Anti-Spyware security profile to “DNS-Sinkhole”.

Step 7: Click “OK” to save the changes. Then click “Commit” and “Commit All Changes” and then click
“Commit”. After the commit process is completed, click “Close”.

Step 8: You have completed the setup for the DNS Sinkhole; the VM-Series device will now redirect any
“Suspicious DNS request” to the sinkhole address above. Note that there is no server set up at the
sinkhole address in this lab, so there will be no response from the sinkhole address. In a
production network, a network forensic analysis tool could be set up on the sinkhole address to record
potential C&C conversations or other valuable forensic evidence.

Task 3 – Verify the DNS Sinkhole configuration


Step 1: Update the Antivirus (AV) signature pack and retrieve its release notes. Go to the “Device” tab.
To verify the DNS Sinkhole feature, we will use one of the suspicious domains identified by Palo Alto
Networks in the release notes. This suspicious domain is unlikely to be active during the workshop,
but the verification should still work.

Step 2: Go to the “Dynamic Updates” node near the bottom left-hand side under the “Device” tab. Click
“Check Now” at the bottom to update the signatures list. Then click the “Download” button next to the
latest AV signature to download the latest signature package.

Step 3: Click “Install” to install the latest AV signature. After the latest signature is installed, click the
“Release Notes” button for that Antivirus signature and the release notes will be opened in a new tab in
the browser.

Step 4: Identify a malicious domain in the release notes. Look for one with “generic:xyz” under the “New
Spyware DNS C2 Signatures”. For example, here we used “marchpart.com” based on the release notes
information highlighted below.

Step 5: Go to the student desktop and open a command prompt by clicking the “Start” button, then
clicking the “Command Prompt” icon.

Step 6: Clear all DNS cache entries using “ipconfig /flushdns”.

Step 7: Then perform the DNS lookup using the command “nslookup” with the suspicious domain found in
the AV release notes. You should see the nslookup response return the Sinkhole address (10.80.2.199)
that you configured in the previous tasks.

Step 8: Review the Threat logs on the PA-VM Series. Go back to the GUI of the VM-Series Security
Platform in the browser, then go to the “Monitor” tab.

Step 9: Go to the “Threat” logs where you will see all the “Suspicious DNS Query” logs generated by the
nslookup command from Step 7.

Note: In the “Source User” column, we have user information provided by User-ID. In this case, the
source of the DNS query is “john_doe15”, which maps to your “Student Desktop” IP address. If you had
internal DNS servers in your environment, the DNS server, not the client, would show up here as the
source. We can track down the compromised clients in the next steps.

Also note the “Action” is “sinkhole” which was set in the Anti-Spyware profile and the “Threat Category”
column that shows this came from the local DNS signatures.

Step 10: Go back to the “Command Prompt” and ping the suspicious domain. You will not get a ping
response, as there is no server using that sinkhole address.

Step 11: You can see the ping traffic under the “Traffic” log on the firewall. Click “Resolve hostname” at
the bottom of the page to see the destination hostname “Sinkhole” reflected in the traffic logs. By filtering
the destination hostname “Sinkhole” in a production network, you can easily identify all the clients that are
trying to access the sinkhole address.
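
As an added illustration of the check in Steps 9 to 11 (not part of the workshop guide and not Palo Alto Networks code): a small script that reads a constructed, simplified log export, lists the sinkholed domains from the threat log, and then uses the traffic log to find the clients that actually connected to the sinkhole address. The log layout, the internal DNS server 10.80.2.1, and the client IPs and user names are constructed for the example and do not match the real PAN-OS export format.

```python
import csv
import io
from collections import defaultdict

SINKHOLE_IP = "10.80.2.199"  # the "Sinkhole" address object configured in Task 1

# Simplified, constructed field layout (not the PAN-OS CSV export).
FIELDS = ["log_type", "src_ip", "src_user", "dst_ip", "app",
          "action", "threat_name", "threat_category"]

# Constructed sample export. The two threat entries carry the internal DNS
# server (10.80.2.1) as source, which is what you see when clients resolve
# through an internal resolver instead of querying the Internet directly.
SAMPLE_LOGS = """\
threat,10.80.2.1,,8.8.8.8,dns,sinkhole,Suspicious DNS Query (generic:marchpart.com),dns-c2
threat,10.80.2.1,,8.8.8.8,dns,sinkhole,DGA:xk3j9qz2lwpd8vft.net,dns-c2
traffic,10.80.2.50,john_doe15,10.80.2.199,ping,allow,,
traffic,10.80.2.51,jane_roe07,10.80.2.199,web-browsing,allow,,
traffic,10.80.2.50,john_doe15,10.80.2.213,ssl,allow,,
traffic,10.80.2.52,,93.184.216.34,web-browsing,allow,,
"""


def parse_logs(text):
    """Parse the simplified CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def extract_domain(threat_name):
    """Pull the queried domain out of a DNS threat name such as
    'Suspicious DNS Query (generic:marchpart.com)' or 'DGA:abc.net'."""
    return threat_name.rsplit(":", 1)[-1].strip().rstrip(")")


def sinkholed_domains(records):
    """Map each sinkholed domain to its threat category."""
    domains = {}
    for r in records:
        if r["log_type"] == "threat" and r["action"] == "sinkhole":
            domains[extract_domain(r["threat_name"])] = r["threat_category"]
    return domains


def clients_contacting_sinkhole(records, sinkhole_ip=SINKHOLE_IP):
    """The traffic log, not the threat log, identifies the infected hosts:
    whatever follows the sinkholed answer and connects to the sinkhole."""
    clients = defaultdict(set)
    for r in records:
        if r["log_type"] == "traffic" and r["dst_ip"] == sinkhole_ip:
            clients[r["src_ip"]].add(r["app"])
    return dict(clients)


def report(text, sinkhole_ip=SINKHOLE_IP):
    records = parse_logs(text)
    return {
        "sinkholed_domains": sinkholed_domains(records),
        # sources of the sinkholed queries; with an internal resolver this
        # is the DNS server, so it cannot be used to find the client
        "query_sources": {r["src_ip"] for r in records
                          if r["log_type"] == "threat" and r["action"] == "sinkhole"},
        "suspect_clients": clients_contacting_sinkhole(records, sinkhole_ip),
    }


if __name__ == "__main__":
    result = report(SAMPLE_LOGS)
    print("Sinkholed domains:", result["sinkholed_domains"])
    print("Threat-log sources (may be your DNS server):", result["query_sources"])
    for ip, apps in sorted(result["suspect_clients"].items()):
        print(f"client {ip} reached the sinkhole via {', '.join(sorted(apps))}")
```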

Task 4 – DNS Sinkhole Using DNS Security Signatures


As a cloud-based service, DNS Security gives you access to an infinitely scalable source of DNS
signatures and protections to defend your organization from malicious domains. Domain signatures and
protections generated by Palo Alto Networks are derived from a multitude of sources, including WildFire
traffic analysis, passive DNS, active web crawling and malicious web content analysis, URL sandbox
analysis, honeynets, DGA reverse engineering, telemetry data, whois, the Unit 42 research organization,
and third-party data sources such as the Cyber Threat Alliance. This on-demand cloud database provides
users with access to the complete Palo Alto Networks DNS signature set, including signatures generated
using advanced analysis techniques, as well as real-time DNS request analysis. Locally available,
downloadable DNS signature sets (packaged with the antivirus and WildFire updates) come with a
hard-coded capacity limit of 100k signatures and do not include signatures generated through advanced
analysis. To better accommodate the influx of new DNS signatures produced every day, the cloud-based
signature database gives users instant access to newly added DNS signatures without the need to
download updates.

Step 1: Go to the “Objects” tab, then the “Anti-Spyware” profiles under the “Security Profiles” node.

Step 2: Click the “DNS-Sinkhole” Anti-Spyware profile, then click the “DNS Policies” tab. As previously
seen, the current “Signature Source” for “Palo Alto Networks Content” is set to use local DNS signatures
from the Threat Prevention subscription.

Step 3: Under “DNS Security” are the covered DNS threat categories.

Step 4: Set the “Policy Action” for categories “Command and Control Domains”, and “Malware Domains”
to “sinkhole”.

Step 5: Click “OK” to save the changes to the Anti-Spyware security profile.

Step 6: Click “Commit” (in the upper right-hand corner of the web browser).

Step 7: Click “Commit All Changes” in the pop-up window, and then click “Commit”.

Step 8: Click “Close” once the commit has completed.

Task 5 – Domain Generation Algorithm (DGA) Detection


Domain generation algorithms (DGAs) are used to auto-generate domains, typically in large numbers,
in order to establish a malicious command-and-control (C2) communications channel. DGA-based malware
evades domain blacklisting by hiding the location of its active C2 servers among a large number of
candidate domains, which can be generated algorithmically from factors such as time of day,
cryptographic keys, or other unique values. While most domains generated by a DGA do not resolve as a
valid domain, they must all be identified to fully defend against a given threat. DGA analysis
determines whether a domain is likely to have been generated by a machine rather than a person, by
reverse-engineering DGAs and analyzing the techniques they frequently use. Palo Alto Networks then uses
these characteristics to identify and block previously unknown DGA-based threats in real time.

Step 1: From the desktop of your “Student Desktop” VM, right-click on the “DGA” script and select “Run
with PowerShell”.

A PowerShell window will pop up and execute an nslookup for a number of randomly generated domain
names. It might take a moment for PowerShell to initialize before you start to see the queries being
generated.

Step 2: Click the “Monitor” tab, select the “Threat” node (under the “Logs” section).

Note that the “Threat ID/Name” starts with “DGA:”, the “Action” is “sinkhole” and the “Threat Category”
is “dns-c2”, which is the DNS Security category for “Command and Control Domains”.

Task 6 – DNS Tunneling Detection


DNS tunneling can be used by attackers to encode data of non-DNS programs and protocols within DNS
queries and responses. This provides attackers with an open back channel with which they can transfer
files or remotely access the system. DNS tunnel detection uses machine learning to analyze the
behavioral qualities of DNS queries, including n-gram frequency analysis of domains, entropy, query rate,
and patterns to determine if the query is consistent with a DNS tunneling-based attack. Combined with
the firewall’s automated policy actions, this allows you to quickly detect C2 or data theft hidden in DNS
tunnels and to automatically block it, based on your defined policy rules.

Step 1: From the desktop of your “Student Desktop” VM, right-click on the “DNS-tunnel” script and select
“Run with PowerShell”.

A PowerShell window will pop up and execute an nslookup for a number of seemingly random domain
names. In reality, this is an attempt to exfiltrate data via DNS.

Step 2: Click the “Monitor” tab, select the “Threat” node (under the “Logs” section).

Note that the “Threat ID/Name” starts with “Tunneling:”, the “Action” is “sinkhole” and the “Threat
Category” is “dns-c2”, which is the DNS Security category for “Command and Control Domains”.

Step 3: From the desktop of your “Student Desktop” VM, right-click on the “DNS-tunnel” script and select
“Open with…”.

An “Open with” window will pop-up and should have “Notepad” selected. Click “OK”.

Step 4: In Notepad, you will see the exact nslookup queries made. Notice that the host part of the
FQDN appears to be a random string. Scroll down to the comment block to see what data was being
exfiltrated.

Step 5: (Optional) From the student desktop, open a command prompt and do an nslookup on
“bad-site.xyz” and “lateto.work”.

What do you see for the “Threat ID/Name”, “Action”, and “Threat Category”?
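
The DGA description in Task 5 and the tunneling description in Task 6 both rest on the same signals: entropy and n-gram statistics of the name, plus query rate. As an added, deliberately simplified illustration of those signals (not the DNS Security service's model, and not code from the workshop), the script below scores the registrable label for DGA-likeness and flags clients that send bursts of distinct, random-looking host parts under one base domain. The bigram list, thresholds, client IPs and query names are constructed for the example; the “demo-tunnel.example” base domain is a placeholder.

```python
import math
from collections import Counter, defaultdict

# Constructed reference set: bigrams that are frequent in English-like labels.
# A production detector learns its n-gram statistics from large corpora;
# this short list only illustrates the method.
COMMON_BIGRAMS = {
    "th", "he", "in", "er", "an", "re", "on", "at", "en", "nd", "ti", "es",
    "or", "te", "of", "ed", "is", "it", "al", "ar", "st", "to", "nt", "ng",
    "se", "ha", "as", "ou", "io", "le", "ve", "co", "me", "de", "hi", "ri",
    "ro", "ic", "ne", "ea", "ra", "ce", "li", "ch", "ll", "be", "ma", "si",
}

# Constructed sample queries: (timestamp in seconds, client IP, queried name).
SAMPLE_QUERIES = [
    (0, "10.80.2.50", "3a7f19c2e4b08d6f5a1c9e7b2d4f6a8c.demo-tunnel.example"),
    (1, "10.80.2.50", "b1e4d7a2c9f6038e5d2a7c4b9f1e6d3a.demo-tunnel.example"),
    (2, "10.80.2.50", "9c2e7b4a1d8f6c3e0b5a2d7f4c1e8b6d.demo-tunnel.example"),
    (3, "10.80.2.50", "6d3f8a1c5e9b2d7f4a0c6e3b8d1f5a9c.demo-tunnel.example"),
    (4, "10.80.2.50", "e8b1d4f7a3c6e9b2d5f8a1c4e7b0d3f6.demo-tunnel.example"),
    (5, "10.80.2.50", "2f5a8c1e4b7d0f3a6c9e2b5d8f1a4c7e.demo-tunnel.example"),
    (2, "10.80.2.51", "www.bing.com"),
    (3, "10.80.2.51", "www.ign.com"),
    (4, "10.80.2.50", "xk3j9qz2lwpd8vft.net"),
]


def labels_of(fqdn):
    return fqdn.lower().rstrip(".").split(".")


def base_domain(fqdn):
    """Registrable domain, approximated here as the last two labels."""
    return ".".join(labels_of(fqdn)[-2:])


def host_part(fqdn):
    """Everything left of the registrable domain, separators removed."""
    return "".join(labels_of(fqdn)[:-2])


def shannon_entropy(s):
    """Bits per character; random-looking strings score near log2(alphabet)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def bigram_score(label):
    """Fraction of letter bigrams that are common in natural-language labels."""
    letters = [c for c in label if c.isalpha()]
    bigrams = [a + b for a, b in zip(letters, letters[1:])]
    if not bigrams:
        return 0.0
    return sum(bg in COMMON_BIGRAMS for bg in bigrams) / len(bigrams)


def dga_features(fqdn):
    labels = labels_of(fqdn)
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return {"length": len(label),
            "entropy": shannon_entropy(label),
            "bigram_score": bigram_score(label)}


def looks_dga(fqdn, min_len=10, min_entropy=3.0, max_bigram=0.3):
    """Long, high-entropy label with few natural bigrams: likely machine made."""
    f = dga_features(fqdn)
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and f["bigram_score"] <= max_bigram)


def tunnel_suspects(queries, min_host_len=24, min_entropy=3.0,
                    min_unique=5, window_s=60):
    """Flag (client, base domain) pairs that send many distinct, long,
    high-entropy host parts within a short window: the randomness and
    query-rate signals described in Task 6."""
    seen = defaultdict(lambda: {"hosts": set(), "times": []})
    for ts, client, fqdn in queries:
        hp = host_part(fqdn)
        if len(hp) >= min_host_len and shannon_entropy(hp) >= min_entropy:
            key = (client, base_domain(fqdn))
            seen[key]["hosts"].add(hp)
            seen[key]["times"].append(ts)
    flagged = {}
    for key, info in seen.items():
        span = max(info["times"]) - min(info["times"])
        if len(info["hosts"]) >= min_unique and span <= window_s:
            flagged[key] = {"unique_hosts": len(info["hosts"]), "span_s": span}
    return flagged


if __name__ == "__main__":
    for _, client, name in SAMPLE_QUERIES:
        if looks_dga(name):
            print(f"DGA-like: {name} from {client} {dga_features(name)}")
    for (client, base), info in tunnel_suspects(SAMPLE_QUERIES).items():
        print(f"Tunneling-like: {client} -> *.{base} {info}")
```

Thresholds this crude will misclassify some legitimate CDN and cloud hostnames, which is why the service combines these features with the other data sources listed in Task 4 rather than relying on any one of them.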

Task 7 – Insight with DNS Security Analytics


Step 1: Return to the “Security Admin” tab that you used in the previous activity. Open a new tab and
click the “DNS Security Dashboard” bookmark on the browser toolbar. You should be automatically
logged into the site. Switch the “Period” to “30 days” for more data.

You can view your organization’s DNS statistics data generated by the DNS Security Cloud service. This
provides a fast, visual assessment describing the breakdown of DNS requests passing through your
network based on the available DNS categories.

Step 2: Scroll through the AutoFocus DNS Security dashboard to view and drill down into the various
DNS trends discovered in your network by AutoFocus. Each dashboard widget provides a unique view into
how DNS requests are processed and categorized. Clicking on a widget allows you to change the context
of the dashboard or view more information about a specific trend, domain, or statistic.

From the DNS Security dashboard page, you can:
• View DNS request statistics and trends
• View DNS activity associated with malicious domains
• View the breakdown of DNS-based malware and request types
• View your organization's coverage (number of firewalls with a DNS Security license)

End of Activity 4.

Activity 5 – Decryption
Background: More and more traffic is encrypted with SSL by default, making it difficult to allow
and scan that traffic. Yet blindly allowing it is highly risky. Using policy-based SSL decryption will
allow you to enable encrypted applications, apply policy, then re-encrypt and send the traffic to its
final destination. Policy considerations include which applications to decrypt, protection from
malware propagation and data/file transfer.

PAN-OS features used in this activity:


• Profile: Decryption
• SSL decryption
• Logging and reporting for verification
• Cloud-Delivered Security Service: Threat Prevention (not needed for SSL decryption)

In this activity, you will:


• Enable decryption on SSL traffic
• Use a decryption policy to decrypt traffic with validated certificates and block the rest

Task 1 – Modify the Decryption Profile


Step 1: Click the “Objects” tab, then click the “Decryption Profile” node under the “Decryption” section, on
the lower-left side.

Step 2: Click the profile “UTDTP-Decryption-Profile01”.

Step 3: Under “Unsupported Mode Checks”, check “Block sessions with unsupported version” and “Block
sessions with unsupported cipher suites”.

Step 4: Click “OK”. Note: You don’t need to click “Commit” until after the next task.

Task 2 – Edit the Decryption Policy


Step 1: Click the “Policies” tab, then click the “Decryption” node.

Step 2: Click the “UTDTP-Decryption-Policy01”.

Step 3: Click “Options”, then click “Decrypt” on action.

Step 4: Click “Decryption Profile”, then select “Decryption-Profile-01” from the drop-down menu.

Step 5: Click “OK”.

Step 6: Click “Enable” located at the bottom of the browser window. The policy should turn from gray to
blue.

Task 3 – Enable decrypted traffic


Step 1: Click the “Policies” tab, then click the “Security” node.

Step 2: Select “UTDTP-Policy03”.

Step 3: Click “Enable” at the bottom to enable the policy. The security policy should turn from gray to
blue.

Step 4: Click “Commit” (in the upper right-hand corner of the web browser).

Step 5: Click “Commit All Changes” in the pop-up window.

Step 6: Click “Close” once the commit has completed.

Task 4 – Connect to the SSL-enabled web server


Step 1: Clear the Student Desktop Chrome browser data by entering “chrome://history” in the address
bar.

Step 2: Click “Clear browsing data …” to empty the cache.

Step 3: Exit Chrome and restart the browser.

Step 4: Open a browser tab and go to https://10.80.2.213 (make sure you are using https://). You might
see an “SSL Inspection” message informing you that traffic is being decrypted. You can also use the
bookmark (Activity-5 > UTD-CDSS Web Server – SSL).

Note: Click “Advanced”, then click “Proceed anyway” if you receive a certificate error message. Click
“Yes” on the SSL Inspection page.

Step 5: Try to download an EICAR sample file by clicking the “UTD-CDSS Threat Samples” link. Are you
able to download the virus file on the subsequent page? You will get an error page saying “This site can’t
be reached. The connection was reset.” when the threat is detected.

Task 5 – Review Threat Logs


Step 1: Click the “Monitor” tab; the “Threat” node (under the “Logs” section) will then be selected.

Step 2: Type into the query box (directly above the “Receive Time” column) the search string:
(subtype eq virus)
Then hit the “Enter” key or click the icon:
Question:
✓ Did the log entry show that the traffic was decrypted?

Note: The column for decryption may not be showing. You can always hover over a column header, then
click on the down arrow and add the missing columns.

End of Activity 5.

Activity 6 – URL Filtering


Background: Application control and URL filtering complement each other, providing you with the
ability to deliver varied levels of control that are appropriate for your security profile. Policy
considerations include URL category access; identifying which users can or cannot access the
URL category, and prevention of malware propagation.

PAN-OS features used in this activity:


• Profile: URL Filtering
• URL filtering category match
• Enable Safe Search Enforcement
• Logging and reporting for verification
• Cloud-Delivered Security Service: URL Filtering

In this activity, you will:


• Modify the behavior of the URL filtering functionality
• Use the URL category in a security policy

Task 1 – Create a URL filter to block all malware sites and enforce safe search


Step 1: Click the “Objects” tab, then click the “URL Filtering” node (in the Security Profiles section).

Step 2: Highlight the profile name “UTDTP-URL-Profile01”, then click “clone” to clone the profile.
The cloned profile is named “UTDTP-URL-Profile01-1”.

Step 3: Rename the profile “UTDTP-URL-Profile02”.

Step 4: Under “Category”, select “dynamic DNS”, “hacking”, “parked”, “peer-to-peer”, “proxy-avoidance”
and “questionable”. Change the “Action” under “Site Access” from “alert” to “block”. You can do this by
clicking the down arrow next to “Site Access” > “Set Selected Actions” > “block”.
Note: The actions for the “gambling” and “malware” categories are already set to “block” from
UTDTP-URL-Profile01.

Step 5: Find under “Category”: “games”, “not-resolved” and “unknown”. Change the “Action” from “alert”
to “continue”.

Step 6: Click “URL Filter Settings”, then click the check box for “Safe Search Enforcement” to enforce the
search option on the browser.

Step 7: Click “OK”.

Task 2 – Apply URL filter to a Security Policy


Step 1: Click the “Policies” tab, then the “Security” node.

Step 2: Click the rule “UTDTP-Policy01a”, then a “Security Policy Rule” pop-up will appear.

Step 3: Click the “Actions” tab (within the pop-up).

Step 4: In the “Profile Setting” section, select “Profiles”, and select the drop-down menu next to “URL
Filtering”.

Step 5: Select “UTDTP-URL-Profile02”, then click “OK”.

Step 6: Click “Commit” (in the upper right-hand corner of the web browser).

Step 7: Click “Commit All Changes” in the pop-up window.

Step 8: Click “Close” once the commit has completed.

Step 9: From the Student Desktop, open a new browser tab and enter the URL http://thepiratebay.org (a
popular torrent site; you can also use the Lab Bookmarks for Activity-6).

Step 10: You should see a “Web Page Blocked” message. Notice that the category “peer-to-peer” was
set to block in the URL profile.

Step 11: Open a new browser tab, then enter the URL http://www.ign.com

Step 12: You should see “Web Page Blocked” with the option to click “Continue” to continue to the web
page. Click “Continue” to go to the www.ign.com home page.

Step 13: Open a new browser tab, then enter www.bing.com.

Step 14: Search for “picture” in Bing.

Step 15: Notice that the search is being blocked because the safe-search setting in the browser is not
set up correctly.

Step 16: You can click the link in the blocked page to change the search setting for Bing.

Step 17: Review the URL log entries under the “Monitor” tab and the “Logs > URL Filtering” node. (If
needed, clear the filter by clicking the red “x” to the right of the filter text box.)

Note the “Action” column entries for the visited URLs.

Task 3 – Detecting a phishing site


In the real world, phishing sites are typically short lived, changing weekly or even daily. You may also
want to test your own URL filtering rules without having to visit potentially dangerous sites. You can
test how a URL will be categorized by going to http://urlfiltering.paloaltonetworks.com/test-<category>.
Some examples: http://urlfiltering.paloaltonetworks.com/test-malware or
https://urlfiltering.paloaltonetworks.com/test-web-based-email

Step 1: Go to the phishing site: https://urlfiltering.paloaltonetworks.com/test-phishing

Step 2: Modify the previously created “UTDTP-URL-Profile02” and block another category. This time we
will be adding the “phishing” category. Change the “Site Access” and “User Credential Submission” from
“alert” to “block” and then click “OK”.

Step 3: “Commit” the configuration. Since “UTDTP-URL-Profile02” is already applied to the security
policy, nothing else needs to be done other than committing the configuration.

Step 4: Now try to go to the same phishing site: https://urlfiltering.paloaltonetworks.com/test-phishing.

You should see a block page like this one:

Note that without SSL decryption enabled, this site would not have been blocked. You cannot protect
against threats you cannot see.

Task 4 – Enable URL Filtering Inline ML Analysis

Step 1: Click the “Objects” tab, then click the “URL Filtering” node.

Step 2: Click “UTDTP-URL-Profile02” to open it.

Step 3: Click the “Inline ML” tab.

Step 4: Set the “Action” to “block” for both ML models.

Step 5: Click “OK”.

Step 6: Click “Commit”.

Step 7: Click “Commit All Changes” in the pop-up window.

Task 5 – Test Inline ML URLs


Step 1: From the Student Desktop browser, open a new tab, then use the “ML Phishing URL” bookmark
under Lab Bookmarks > Activity 6.
The page should start to display before being stopped. Once the page is determined to be phishing, the
connection is blocked.

Step 2: From the Student Desktop browser, open a new tab, then use the “ML JavaScript URL” bookmark
under Lab Bookmarks > Activity 6.

Task 6 – Review URL Filtering Logs


Step 1: From the VM-Series GUI, click the “Monitor” tab then the “URL Filtering” node.

Step 2: Note the “Action” is “block” and the “Inline ML Verdict” is listed as “phishing” or
“malicious-javascript”.

End of Activity 6.

Activity 7 – Enterprise DLP


Background: Data loss prevention (DLP) is a set of tools and processes that allow you to protect
sensitive information against unauthorized access, misuse, extraction, or sharing. Enterprise DLP
enables you to enforce your organization’s data security standards and prevent the loss of
sensitive data across mobile users and remote networks.
Enterprise DLP is a cloud-based service that uses supervised machine learning algorithms to sort
sensitive documents into Financial, Legal, Healthcare, and other categories for document
classification to guard against exposures, data loss and data exfiltration. These patterns can
identify the sensitive information in your cloud apps and protect them from exposure.
Enterprise DLP offers hundreds of data patterns and many predefined data filtering profiles, and it
is designed to automatically make new patterns and profiles available to you for use in Data
Filtering policies, as soon as they are added to the cloud service.

PAN-OS features used in this activity:


• Profile: Data Filtering
• Logging and reporting for verification
• Cloud-Delivered Security Service: Enterprise DLP

In this activity, you will:


• Review Enterprise DLP on Panorama
• Attempt to upload sensitive content

Task 1 – Review Enterprise DLP on Panorama


Step 1: Click the “Panorama-UI” tab.

This will open a new tab in your laptop browser with the login page for the Panorama VM. Log in using
the following name and password:

Username: student
Password: utd135

Step 2: You are now logged in to Panorama and should see the main dashboard.

Step 3: Navigate to “Objects” > “DLP” > “Data Filtering Patterns”.

Predefined data patterns and built-in settings make it easy for you to protect files that contain certain file
properties (such as a document title or author), credit card numbers, regulated information from different
countries (such as driver’s license numbers), and third-party DLP labels. To improve detection rates for
the sensitive data in your organization, you can supplement the predefined data patterns with custom
data patterns that are specific to your content inspection and data protection requirements. In a custom
data pattern, you can also define regular expressions and file properties to look for metadata or attributes
in the file's custom or extended properties, and use it in a data filtering profile.

Step 4: Navigate to “Objects” > “DLP” > “Data Filtering Profiles”.

Data filtering profiles are a collection of data patterns that are grouped together to scan for a specific
object or type of content. To perform content analysis, the predefined data profiles have data patterns that
include industry-standard data identifiers, keywords, and built-in logic in the form of machine learning,
regular expressions, and checksums for legal and financial data patterns. When you use the data filtering
profile in a Data Filtering policy rule, the firewall can inspect the content for a match and take action.

Step 5: Scroll down and click on “UTD-Data-Filtering” to open the profile.

Using the predefined Data Patterns, a custom Data Filtering profile has been created. Note that the
Action is set to Block.

Click “Cancel”.

Note: As the NGFW in this lab is locally managed, you will be adding the Enterprise DLP data filtering
profile directly from within the NGFW UI.

Task 2 – Modify Security Policy to enable Enterprise DLP


Step 1: From the NGFW UI, navigate to “Policies” > “Security”.

Step 2: Click on “UTDTP-Policy01a” to open the Security Policy profile.

Step 3: Click on the “Actions” tab. Select “UTD-Data-Filtering” for the “Data Filtering” profile. This is the
same profile you reviewed on Panorama.

Step 4: Click “OK”.

Step 5: Click “Commit”. Click “Commit All Changes” in the pop-up window.

Step 6: Click “Close” once the commit has completed.

Task 3 – Attempt Upload of Sensitive Content


Step 1: From the Student Desktop, open a new browser and go to “Lab Bookmarks” > “Activity-7” > “DLP
Upload Website Test”.

Step 2: Click the “Choose File” button.

Step 3: From the File Explorer pop-up, click Desktop on the left-hand column and select
“Customer_data.docx”.

Click Open.

Step 4: Click the Upload button.

Step 5: The upload of the file containing sensitive data is blocked.

Step 6: Use the Chrome browser bookmark to go to “Lab Bookmarks” > “Activity-7” > “DLP Upload
OneDrive Test”.

In the “Enter password” box, type “utd1234” and click “Verify”.

Step 7: Click “Upload” > “Files”.

Step 8: From the File Explorer pop-up, click Desktop on the left-hand column and select
“Customer_data.docx”.

Click Open.

Step 9: The file containing sensitive data is blocked.

Task 4 – Review Logs in Panorama


Step 1: From the Panorama-UI browser tab, navigate to “Monitor” > “Logs” > “Data Filtering”.

Note the “Application” for each of these events.

Step 2: Click on the magnifying glass to open the Detailed Log View.

Click the “DLP” tab.

Step 3: Click “Show Snippet” on any entry that has a Medium or High Confidence.

Enterprise DLP extracts a snippet of the sensitive data that caused the alert or block notification. A
snippet enables forensics by allowing you to verify why an uploaded file generated an alert notification or
was blocked. By default, Enterprise DLP uses data masking to partially mask the snippets to prevent the
sensitive data from being exposed. You can configure this behavior from Panorama to completely mask
the sensitive information, unmask the snippets, or disable snippet extraction and viewing.

Click “Close”.
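
Task 1 described data patterns as regular expressions combined with checksums, and Step 3 above described snippet extraction with partial masking. As an added illustration of both ideas (not Enterprise DLP's own implementation and not code from the workshop), the script below scans a constructed document for credit card numbers by pairing a digit-sequence regex with the Luhn checksum, then returns a context snippet in which the matched value is partially masked, fully masked, unmasked, or omitted, mirroring the four snippet settings listed above. The sample document is constructed; 4111 1111 1111 1111 is a well-known test number, not a real card.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample document. The second number has the right shape but
# fails the checksum, which is what keeps an order id from being a false hit.
SAMPLE_DOC = (
    "Customer: Jane Roe\n"
    "Card: 4111 1111 1111 1111 exp 12/25\n"
    "Order id 1234 5678 9012 3456 is not a card\n"
    "Phone 555-0199\n"
)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_snippet(text, start, end, mode="partial", context=20, keep_last=4):
    """Return the match with surrounding context, masked per `mode`:
    partial (all but the last digits), full, none, or off (no snippet)."""
    if mode == "off":
        return None
    value = text[start:end]
    total = sum(ch.isdigit() for ch in value)
    hide_first = {"partial": total - keep_last, "full": total, "none": 0}[mode]
    seen, out = 0, []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append("X" if seen <= hide_first else ch)
        else:
            out.append(ch)
    before = text[max(0, start - context):start]
    after = text[end:end + context]
    return before + "".join(out) + after


def scan_credit_cards(text, mode="partial"):
    """Pattern = regex candidate + checksum validation; each hit carries a
    snippet masked according to the configured mode."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append({
                "digits": len(digits),
                "snippet": mask_snippet(text, m.start(), m.end(), mode),
            })
    return findings


if __name__ == "__main__":
    for mode in ("partial", "full", "none", "off"):
        for f in scan_credit_cards(SAMPLE_DOC, mode):
            print(f"{mode:8} {f['digits']} digits: {f['snippet']!r}")
```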

End of Activity 7.

Activity 8 – Introduction to IoT Security


IoT Security is an on-demand cloud subscription service designed to discover and protect the
growing number of connected “things” on your network. Unlike IT devices such as laptop
computers that perform a wide variety of tasks, IoT devices tend to be purpose-built with a
narrowly defined set of functions. As a result, IoT devices generate unique, identifiable patterns of
network behavior. Using machine learning and AI, IoT Security recognizes these behaviors and
identifies every device on the network, creating a rich, context-aware inventory that’s dynamically
maintained and always up to date.
After it identifies a device and establishes a baseline of its normal network activities, it continues
monitoring its network activity so it can detect any unusual behavior indicative of an attack or
breach. If it detects such behavior, IoT Security notifies administrators through security alerts in
the portal and, depending on each administrator’s notification settings, through email and SMS
notifications.
IoT Security also uses those behaviors and device identities to automatically generate security
policy rule recommendations that allow IoT devices to continue doing normal network activities
and block them from doing anything unusual. Panorama or next-generation firewalls can then
import these policy rules and enforce them.
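The baseline-then-detect idea in the paragraph above, as an added example that is not IoT Security's own algorithm: constructed flow records for two IoT devices are used to learn, per device, the set of (application, destination, scope) tuples seen during a learning window; flows after that window that fall outside the learned set are raised as alerts, with different reasons for a device that was never baselined, an application never seen before, and a known application reaching a new destination. Device names, applications, addresses and the window length are assumptions made for the example.

```python
"""Illustrative per-device behaviour baseline and anomaly detection.

Added example, not IoT Security code. Flow records, device names and the
learning window are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since the start of observation (constructed)
    device: str    # device identity the firewall's IP-to-device mapping supplied
    app: str       # App-ID name
    dst: str       # destination host or FQDN
    scope: str     # "internal" or "external"


BASELINE_SECONDS = 3600  # learning window; everything after it is evaluated

# Constructed traffic for a Netatmo-style weather station and a thermostat.
SAMPLE_FLOWS = [
    Flow(10, "netatmo-1", "dns", "10.80.2.53", "internal"),
    Flow(20, "netatmo-1", "dhcp", "10.80.2.1", "internal"),
    Flow(30, "netatmo-1", "unknown-tcp", "netcom.netatmo.net", "external"),
    Flow(40, "netatmo-1", "ping", "10.80.2.1", "internal"),
    Flow(50, "thermo-1", "dns", "10.80.2.53", "internal"),
    Flow(60, "thermo-1", "ssl", "api.thermo.example", "external"),
    # after the learning window
    Flow(4000, "netatmo-1", "unknown-tcp", "netcom.netatmo.net", "external"),  # normal
    Flow(4100, "netatmo-1", "ssh", "10.80.2.77", "internal"),                  # app never seen
    Flow(4200, "netatmo-1", "unknown-tcp", "203.0.113.9", "external"),          # known app, new dst
    Flow(4300, "thermo-1", "dns", "10.80.2.53", "internal"),                    # normal
    Flow(4400, "camera-9", "ssl", "cdn.example", "external"),                   # never baselined
]


def build_baseline(flows, baseline_seconds=BASELINE_SECONDS):
    """Per device, the set of (app, dst, scope) tuples seen while learning."""
    baseline = defaultdict(set)
    for f in flows:
        if f.ts < baseline_seconds:
            baseline[f.device].add((f.app, f.dst, f.scope))
    return dict(baseline)


def detect_anomalies(flows, baseline, baseline_seconds=BASELINE_SECONDS):
    """Return (device, app, dst, reason) for post-baseline flows outside the model.

    Reasons are separated because they deserve different triage: a device
    with no baseline cannot be judged yet, a never-seen application is more
    suspicious than a known application reaching a new destination (which
    may just be a vendor CDN change).
    """
    alerts = []
    for f in flows:
        if f.ts < baseline_seconds:
            continue
        if f.device not in baseline:
            alerts.append((f.device, f.app, f.dst, "unbaselined-device"))
            continue
        known = baseline[f.device]
        if (f.app, f.dst, f.scope) in known:
            continue
        known_apps = {app for app, _, _ in known}
        reason = "new-destination" if f.app in known_apps else "new-application"
        alerts.append((f.device, f.app, f.dst, reason))
    return alerts


if __name__ == "__main__":
    model = build_baseline(SAMPLE_FLOWS)
    for alert in detect_anomalies(SAMPLE_FLOWS, model):
        print(alert)
```

A real service keys the baseline on the device profile rather than the individual device, so one weather station's learned behaviour covers every device of that model; the per-device version above is kept deliberately simple so the learning and detection steps are visible.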

PAN-OS features used in this activity:


• IoT Security Portal
• Cloud-Delivered Security Service: IoT Security

In this activity, you will:


• Review the IoT Security Portal

Task 1 – Log in to the IoT Security Portal


Step 1: From CloudShare, click the “IoT Security” tab.

Step 2: Enter “utd-tp@pan-labs.net” for “Email (Username)” and click “Next”


Step 3: Enter the email address again, if needed, otherwise, click “Next”

Step 4: The password should already be filled in. Click “Sign In”.

Step 5: Click “Advanced” and then “Proceed to pingid-sso-proxy-prod.zingbox.com”. Click “Continue” on
the pop-up if it appears. (This is the browser's certificate warning; clicking through it is acceptable only
because this is an isolated lab environment.)

Task 2 – Review Dashboard


Step 1: The “Executive Summary” provides a high-level summary of your IoT devices, applications,
network segments, risk overview, alerts, and vulnerabilities. Make sure the time is set to “1 Year”.

Clicking any of these will navigate to the relevant page. At the top of the page are global data filters.


Step 2: “Devices” provides a list of all devices that have been discovered and the classification type of
those devices.

Click on any “Type” to see a further breakdown of that group.

Step 3: “Applications” provides a list of all applications seen and the number of devices that are using that
application.


Step 4: “Network Segments” show how many subnets are being monitored and the number of subnets
found in each device type.

Step 5: “Risk Overview” provides an understanding of how your organization is performing over time
when it comes to security of the IoT attack surface. The risk score is a composite breakdown of multiple
components including weak security posture, alerts based on abnormal or anomalous behaviors, and
vulnerabilities.

Hover over any month to see a list of alerts and vulnerabilities for that time period.

Step 6: “Alerts” show an overview of all generated alerts and the category they belong to.


Step 7: “Vulnerabilities” provides an overview of the vulnerabilities and vulnerable devices that IoT
Security detected.

Step 8: Click on the “Inventory” tab, which provides another high-level summary of devices, device
categories, subnets, endpoint protection, and devices with external destinations.

Step 9: “Device Categories” is a list by category and the number of devices in that category. It can be
sorted by risk score, device count, or alphabetical.

Step 10: “Subnets” show a list by subnet and the number of device types found in each subnet.


Step 11: “Endpoint Protection” provides a summary by device category and their endpoint protection
status.

Step 12: “Devices with External Destinations” is a world map showing a summary of how many devices
are connecting to that country.

Task 3 – Review Devices


Step 1: Click on “Devices” from the left-hand column and scroll down to “Inventory”


Step 2: Click on “Awair-4594” (third device from the top if sorted by risk). The device details page has
content grouped into sections for identity, security summary, alerts, network traffic, applications, and
network usage.

Step 3: “Identity” - The Identity section at the top of the page provides identifying data such as the
category and profile of a device, its vendor and model, its OS, and various network-specific details.

Step 4: “Security (summary)” - The information in the next section relates to security and includes the
individual risk score for the device and whether baseline modeling is complete or still in progress. The
current behaviors diagram shows evaluations for five types of behavior ranging from normal (near the
center) to anomalous (near or beyond the edge).

Step 5: “Risks” - The Risks section contains the alerts, vulnerabilities, and anomalies that occurred to the
device during the time range set at the top of the page. The events are displayed along a timeline and in
a list with detailed information about each one.


Step 6: “Alerts” - This section contains only the alerts that the device raised during the specified time
range. Alerts are a subset of risks, and IoT Security generates them when it detects irregular behavior
and activity matching an alert rule. You can see when alerts occurred along a timeline, read details about
them, and take action to resolve them.

Step 7: “Security” - The Security section contains three subsections that show how a device connects to
other devices on the network and which applications it’s using.

Step 8: “Network Traffic” - View a conceptual network topology displaying the nodes with which the
device has formed connections. Use filters to display inbound or outbound connections; nodes with
various alert levels; connections to nodes within the same VLAN, same intranet, same country (domestic),
or in other countries (international); and so on.


Step 9: “Applications” - This section shows the applications the device uses, and how many other devices
and device profiles use the same application. Click a number in the Used by Devices column to open the
Devices page with its contents filtered by the corresponding application. Hovering your cursor over the
blue text of an entry in the Profiles column displays a list of all profiles that use that application.

Step 10: “Network Usage” - The last section shows a Sankey diagram with lines indicating network
connections. A red line would indicate it’s involved in an alert of high severity.

Step 11: “Alert Creation” – From the Sankey diagram you can configure alert notifications, which gives an
additional way to create alerts driven by anomalous behavior or device inactivity.


Task 4 – Review Applications


Step 1: Click on “Applications” from the left-hand column.

The Applications page shows the total number of unique applications detected for devices matching the
site, device-type, and time-range filters set at the top of the page.
As can be seen, DNS is the top application used. Because nearly every IoT device depends on DNS (often
with hard-coded resolver addresses that cannot be changed on the device), the DNS Security service is well
placed to defend against the range of threats that use DNS, such as DGA domains and DNS tunneling.

Step 2: Click on the value under the “Number of Devices” column for “dns” to be taken to the “Devices”
page filtered on that application.


Task 5 – Review Alerts


Step 1: Click on “Alerts” then “Security Alerts” from the left-hand column. The Alerts and Alert Details
pages in the IoT Security Portal provide an overview of all generated alerts and detailed information about
individual alerts for analysis and follow-up.

IoT Security examines network traffic in real time, analyzing communications from and to every device on
the network. It generates alerts if it detects irregular behavior or activity matching a policy.

Step 2: Each alert entry contains one or more occurrences of the alert. If there is more than one
occurrence, a number in parentheses indicating how many there are appears after the alert name. To
expand an alert and view its occurrences, click the alert name.


Task 6 – Review Vulnerabilities


Step 1: Click on “Risks” then “Vulnerabilities” from the left-hand column.

IoT Security considers a vulnerability to be potential when it applies to a specific device type, model, and
version number and one or more devices match the specified device type but their model and/or version
number are unknown.
A vulnerability can also be considered potential if it only applies to devices with certain serial numbers
and there are devices whose serial numbers are unknown but match the vulnerability description in all
other regards.

Step 2: Hover your cursor over an entry in the Vulnerability column; a panel pops up showing its
description and impact.


Step 3: Click on the vulnerability name to be taken to the “Vulnerability Details” page.

Task 7 – Review Profiles


Step 1: Click on “Profiles” from the left-hand column.

Step 2: Click on the “Amazon Echo” profile.

The device profile shows the number of devices that fall under this profile, the applications used, total
internal and external destinations and if there are alerts and vulnerabilities increasing the risk score.


Step 3: Click “View Behaviors” to see a summary of network behaviors organized into internal and
external destinations.

Task 8 – Review Policy Sets


Step 1: Click on “Policy Sets” from the left-hand column.

IoT Security provides the automatic generation of policy rule recommendations to control IoT device
traffic. The recommendations are based on device profiles.

Step 2: Click on “Netatmo Device” that is listed under “Profiles with Policy Sets”.

This will take you to the “Netatmo Device” Profile.


Step 3: Click on “View Behaviors”.

Step 4: Note that the “Profile Behaviors” indicate 3 applications (dns, dhcp, and ping) used on internal
networks.

Step 5: Click “External”.

Note that there is one external application, “unknown-tcp” destined to a single URL/IP Address,
“netcom.netatmo.net”.

Step 6: Click the link to “Netatmo Device” which will take you back to the profile. Then click “Netatmo
Device” under “Policy Set”.


Step 7: The “Policy Set” has previously been created and activated.

For the lab internal network, we are not doing any additional segmentation and enforcement. Due to this,
you will see no applications or destinations for “Internal Destinations”

Step 8: Click “External Destinations”.

Here, “unknown-tcp” is allowed externally. Normally that would not be a good idea, because unknown-tcp
means App-ID could not identify the application, but the rule is further restricted to the single destination
“netcom.netatmo.net”, and security profiles for antivirus, vulnerability protection, and anti-spyware are
assigned so the traffic is still inspected. This “Policy Set” will be used on the NGFW in the next activity.

Feel free to explore more of the “IoT Security Portal”. Learn more about IoT Security at
https://www.paloaltonetworks.com/network-security/iot-security
For a free trial of IoT Security go to https://start.paloaltonetworks.com/iot-security-evaluation

End of Activity 8.


Activity 9 – IoT Security Enforcement


IoT Security provides the automatic generation of policy rule recommendations to control IoT
device traffic. The recommendations are based on device profiles. When a firewall administrator
imports a policy set—that is, a set of recommended policy rules—from IoT Security, the import
operation automatically creates device objects from the source and destination profiles in the
recommended policy rules and uses those objects in the security policy rules it constructs. For
the firewall to identify which IoT devices to apply its policy rules to, it uses IP address-to-device
mappings. The firewall learns the device profile of an IoT device from the mapping and applies
rules with matching device objects as a source or destination.
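The import-and-enforce flow described above, and the Netatmo policy set reviewed at the end of Activity 8, as an added example that is not PAN-OS or IoT Security code: a profile's observed behaviours (dns, dhcp and ping internally; unknown-tcp to netcom.netatmo.net externally) are turned into allow-list rules keyed on the device profile rather than on IP addresses, an IP-address-to-device mapping resolves the source of each flow to a profile the way the firewall does, and a first-match evaluator shows which traffic is allowed with security profiles attached and which is denied. Zone names TP-Trust and TP-Untrust come from this activity; the IP addresses, rule names and field names are assumptions made for the example.

```python
"""Illustrative policy-set generation and device-object enforcement.

Added example, not PAN-OS or IoT Security code. Rule/field names and the
IP-to-device mapping are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source_device: str        # device object (profile), never an IP address
    to_zone: str              # "any" or a zone name
    applications: frozenset   # App-ID names, or {"any"}
    destinations: frozenset   # FQDN/address objects, or {"any"}
    action: str               # "allow" or "deny"
    profiles: tuple = ()      # security profiles attached to allow rules


# Profile behaviours as the portal shows them: scope -> {app -> set of destinations}
NETATMO_BEHAVIORS = {
    "internal": {"dns": {"any"}, "dhcp": {"any"}, "ping": {"any"}},
    "external": {"unknown-tcp": {"netcom.netatmo.net"}},
}
ZONES = {"internal": "TP-Trust", "external": "TP-Untrust"}
DEFAULT_PROFILES = ("antivirus", "vulnerability", "anti-spyware")

# Constructed IP-address-to-device mapping, the kind the firewall learns from IoT Security.
IP_TO_DEVICE = {"10.80.2.40": "Netatmo Device"}


def recommend_policy_set(profile, behaviors, zones=ZONES, profiles=DEFAULT_PROFILES):
    """One allow rule per scope, then a closing deny for the same device object,
    so anything outside the learned behaviour is blocked rather than falling
    through to a broader rule lower in the rulebase."""
    rules = []
    for scope, apps in behaviors.items():
        dsts = frozenset(d for ds in apps.values() for d in ds)
        rules.append(Rule(f"{profile}-{scope}", profile, zones[scope],
                          frozenset(apps), dsts, "allow", profiles))
    rules.append(Rule(f"{profile}-deny", profile, "any",
                      frozenset({"any"}), frozenset({"any"}), "deny"))
    return rules


def evaluate(rules, ip_to_device, src_ip, to_zone, app, dst):
    """First-match evaluation; returns (rule_name, action, profiles).

    A source IP with no device mapping matches none of the device-scoped
    rules, which is why Device-ID rules should sit above, not replace, the
    address-based rules that handle unmapped hosts.
    """
    device = ip_to_device.get(src_ip)
    for r in rules:
        if r.source_device != device:
            continue
        if r.to_zone not in ("any", to_zone):
            continue
        if "any" not in r.applications and app not in r.applications:
            continue
        if "any" not in r.destinations and dst not in r.destinations:
            continue
        return r.name, r.action, r.profiles
    return None, "no-match", ()


if __name__ == "__main__":
    policy = recommend_policy_set("Netatmo Device", NETATMO_BEHAVIORS)
    for flow in [("10.80.2.40", "TP-Untrust", "unknown-tcp", "netcom.netatmo.net"),
                 ("10.80.2.40", "TP-Untrust", "unknown-tcp", "203.0.113.9"),
                 ("10.80.2.40", "TP-Trust", "ssh", "10.80.2.77"),
                 ("10.80.2.99", "TP-Untrust", "unknown-tcp", "netcom.netatmo.net")]:
        print(flow, "->", evaluate(policy, IP_TO_DEVICE, *flow))
```

The point of the closing deny is least privilege: the learned allow rules describe everything a Netatmo device legitimately does, so the same unknown-tcp application to any other destination, or any application the profile never used, is dropped instead of matching a general outbound rule.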
PAN-OS features used in this activity:
• Profile: Security Policy
• Policy Recommendations
• Device-ID
• Cloud-Delivered Security Service: IoT Security

In this activity, you will:


• Create a NGFW security policy from IoT Policy Recommendations
• Create a Device-ID group

Task 1 – Import Policy Set into NGFW


Step 1: From the NGFW GUI, click the “Device” tab and then scroll down to the bottom and click “Policy
Recommendation”

Step 2: Click “Sync Policy Rules” to make sure the “Policy Recommendation” is up-to-date.

Step 3: Click “OK” on the “Sync Policy Rules” pop-up window.

Step 4: Click “OK” on the “Status” window. If any policy rules were updated, it will be reflected here.


Step 5: Note that the “Device Profile”, “FQDN”, “Security Profiles”, and “Applications” are those in the
Netatmo Policy Set from the IoT Security Portal.

Step 6: Select the checkbox for the “Netatmo Device” and click “Import Policy Rules”.

Step 7: For “Name”, enter “Netatmo Device” and select “UTDTP-Policy1a” for “After Rule”.

Step 8: Click “OK” and then “OK” on the “Status” window.

Task 2 – Review Imported Policy and Objects


Step 1: While still on the “Policy Recommendation” node, click the magnifying glass.

The details from when this policy was imported can be viewed here.

Step 2: Click on the “Policies” tab and then “Security”.

Step 3: Click the “Netatmo Device” rule to open it up.


Step 4: Click “Source” and verify that the “Source Device” has been set to “Netatmo-Device”. Under
“Source Zone”, click “Add” and select “TP-Trust”.

Step 5: Click “Destination”. Notice that “Destination Address” has already been set to “iot.addr…”. Under
“Destination Zone”, click “Add” and select “TP-Untrust”.

Step 6: Click “Application”. “unknown-tcp” has already been added.

Step 7: Click “Actions”. Note that the “Profile Settings” for antivirus, vulnerability protection, and anti-
spyware have already been selected. All of the NGFW cloud-delivered security services are also
available to protect your IoT devices.

Click “OK” to save the rule.


Step 8: Click the “Objects” tab and then the “Addresses” node.

As seen in the security policy, the address object has been created automatically and references the
FQDN for netcom.netatmo.net.

Step 9: While still on the “Objects” tab, click the “Devices” node.

Also, as seen in the security policy, the source device, using Device-ID, for Netatmo-Device has been
created for you.

Task 3 – Configure Device-ID

Step 1: While still on the “Devices” node, click “Add”.

Step 2: Enter “WindowsXP” for “Name” and select the following (just start typing to filter):
OS: Windows XP
OSfamily: Windows
Vendor: Microsoft


Step 3: Click “Browse” to bring up “Browse Devices” as an alternate way of adding objects.

Step 4: Click “OK” to save the device object.

Step 5: This “WindowsXP” object could then be used in a security policy that would further restrict what
access it had.
Device objects are used in policy as a match criteria, in much the same way IP addresses are. The
granular nature of the device object definition allows for very specific policies to be created. For example,
it is possible to allow an iPhone 11 running iOS 12.3 to run Zoom but disallow other iOS/model
combinations.

Step 6: Click “Commit” and “Commit All Changes”.

End of Activity 9.


Activity 10 – Tools to Help Improve Security Posture


Palo Alto Networks has many resources to assist you in your security journey. Here are a few of
the tools.
• Best Practice Assessment
• IronSkillet
• Expedition

Task 1 – Overview: Best Practice Assessment (BPA)


The prevention-driven customer success methodology of Palo Alto Networks helps customers get a
holistic view of their environments through the lens of the cyberattack lifecycle, enabling them to set
expectations and plan for the future. The Best Practice Assessment for NGFW and Panorama
management is one step in this methodology, allowing you to understand how well your environments
align with prevention best practices.
Best Practice Assessment (BPA) Tool - The BPA evaluates a device’s configuration by measuring the
adoption of capabilities, validating whether the policies adhere to best practices, and providing
recommendations and instructions for how to remediate failed best practice checks. It consists of two
components: the Best Practice Assessment itself and the Security Policy Capability Adoption Heatmap.
The BPA assesses configurations, identifies risks, and provides recommendations on how you can
remediate issues. It compares your current configuration against best practices and produces a guide to
which best practices you are and are not following, including detailed recommendations per feature. The
report’s summary view covers security controls aligned with various best practice frameworks, such as the
CIS Critical Security Controls and the NIST Cybersecurity Framework.
The Security Policy Capability Adoption Heatmap analyzes Panorama and individual NGFW
configurations to determine how you are leveraging our prevention capabilities. The tool analyzes the rule
base to identify whether our capabilities are applied where relevant. Shown in a matrix form with color
coding, the Adoption Heatmap can help drive effective capability adoption on existing infrastructure. The
Adoption Heatmap offers different ways to consume the information, such as filtering data by device
groups, serial numbers, zones, areas of architecture, tags, and other categories. It also provides various
filter options to narrow the data search to specific device groups, specific traffic between source and
destination zones, to or from an area of architecture, one or more tags, etc. The Adoption Heatmap also
shows trending information that tracks historical capability adoption, which helps to identify progress and
rate of improvement in security posture.
You can access the Best Practice Assessment (BPA) from the Customer Support Portal. Super User
accounts automatically have access to the BPA and can assign the BPA User role to a Standard User’s
profile so that the Standard User can run the BPA. BPA reports are created from a Tech Support File that
is generated from your NGFW or Panorama.
After you run the BPA, download and store the full BPA HTML report to get the detailed assessment, links
to technical documentation so you can configure security best practices, and so you can compare it to
past and future reports to measure best practice adoption. You can also print the Executive Summary to a
PDF.
Where to get more information:
http://customersuccess.paloaltonetworks.com/bpa
https://live.paloaltonetworks.com/t5/Best-Practice-Assessment/ct-p/Best_Practice_Assessment


Step 1: From the Desktop, open the “BPA samples” folder.

Step 2: Double-click each of the “BPA-sample”, “BPA-sample-summary” and “BPA-sample-executive-summary”
files to open them in Chrome.

Step 3: Review the available information. For the “BPA-sample” report, you may click around this HTML
report.

Task 2 – Overview: IronSkillet


The Palo Alto Networks Next-Generation Firewall contains an extensive set of cybersecurity prevention
features in a single platform. For new users to this platform the initial configuration can be a daunting
task. There is a wide array of best-practice and configuration guide documentation available yet these still
require extensive and time-consuming GUI clicks to implement even a basic recommended Day One
configuration.
As a way to fast track initial deployments using best practices, the IronSkillet program was developed to
not document ‘how to configure’ but instead provide the configuration itself. This starter configuration is
designed to be deployment-agnostic without zones, interfaces, or other deployment-specific elements.
Instead the focus is on fundamental operational aspects of the platform including device hardening,
dynamic content updates, logging and alerts, reports, and security profiles and profile-groups to be
referenced in user-provided security policies.
IronSkillet configurations are available for PAN-OS and Panorama with usage options including:
• Set commands for CLI copy/paste
• Set commands in Excel format to adjust variable values
• Full xml configuration files to import and load as a candidate configuration
• Snippet xml configurations leveraging API utilities and config merge

After IronSkillet is loaded, next steps include:


• Completing the configuration specific to the deployment use case
• Capture a baseline Best Practice Assessment (BPA) – usually a 50-60% rating

Where to get more information:


https://iron-skillet.readthedocs.io
https://github.com/PaloAltoNetworks/iron-skillet/
https://support.paloaltonetworks.com/SupportAccount/Day1Config/


Task 3 – Overview: Expedition


The Expedition transformation and best practices adoption tool helps to improve your security posture by
comparing your device and policy configurations against Palo Alto Networks best practices, and then
automatically identifying and providing remediation recommendations. Expedition has the unique ability to
employ machine learning from traffic logs your Palo Alto Networks devices generate and suggest new
security policies based on analysis of application behavior and consumption. Expedition is free for
customers and partners to download.
Security Policy Transformation
• Transform Layer 3/4 (port-based) security policies from third-party vendors to Layer 7 (app-
based) policies enabled by Palo Alto Networks technologies
• Import from Cisco, Fortinet, Check Point, Forcepoint, Juniper and IBM XGS
• Optimize migrated configurations by reducing the number of rules
• Remove unused objects

The Power of Machine Learning


• Learn from PAN-OS logs to refine security policies
• Leverage the power of machine learning to create security policies from scratch based on
application consumption analysis made by users and servers
• Enrich your security policies and reduce the attack surface by replacing overly open objects with the
specific users, applications and zones actually seen in traffic logs

Achieve Maximum Protection


• Compare device and policy configurations against Palo Alto Networks best practices to ensure
adoption of critical features and functionality of Palo Alto Networks next-generation firewalls,
including App-ID, Content-ID, User-ID and SSL Decryption
• Run the Best Practices Assessment tool directly from Expedition to understand how many
functions can be safely enabled automatically and how many need to be fixed manually
• Identify and remediate rules that are not following best practices and speed up remediation with
the multi-edit function
• Create Day 1 config with built-in access to IronSkillet

Where to get more information:


https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool

Task 4 – Use Expedition to Accelerate IronSkillet and BPA Adoption.


You can use Expedition to generate a Day One configuration from IronSkillet and perform a Best Practice
Assessment.
Step 1: Open a new browser tab and go to https://10.30.21.200 (Lab Bookmarks > Activity-10 >
Expedition)


Step 2: Log in as:


User Name: admin
Password: paloalto

Step 3: You will be presented with the Dashboard

Step 4: Click “PROJECTS”.


Step 5: Double-click “Day1withIronSkillet”.

Step 6: Click “IMPORT” then “IRON SKILLET”

Step 7: Choose “NG-Firewall” for “Configuration Type” and “9.0” for “PanOS Version”.

Step 8: The default values may be changed for your environment. We will leave them as-is here. Click
“GENERATE CONFIG AND IMPORT”.

You now have a Day One configuration based on IronSkillet.

Step 9: Click on “BEST PRACTICES” then “Start Analysis”.

This runs the Best Practice Assessment (BPA) checks against the configuration and generates an overall score.
Step 10: You will see a “Current % Adoption” of approximately 59%. There is also a value, “% Adoption
after Auto-Remediation”, which represents the score after applying the items that Expedition can correct
automatically.


Step 11: Click on “Analysis” and then select the “device” tree.

Step 12: This shows all the items that have passed or failed from the BPA. In the right-most column,
there is a suitcase icon – the dark grey one is a check that Expedition can auto-remediate.

Step 13: Select any item in the list and then Control + A to select everything. The list items will have a
yellow background. Click “Remediate”.

Step 14: Return to the “BEST PRACTICES” > “Dashboard” to see that adoption percentage has
increased.

Step 15: From here, this initial configuration can be exported to an XML file (which can be imported into
your NGFW) or pushed via the XML API.

End of Activity 10.


Activity 11 - Feedback on Ultimate Test Drive


Thank you for attending the Ultimate Test Drive workshop. We hope you enjoyed the presentation
and the labs that we have prepared for you. Please take a few minutes to complete the online
survey form to tell us what you think.

Task 1 – Take the online survey


Step 1: In your lab environment, click the “Survey” tab.

Step 2: Please complete the survey and let us know what you think about this workshop.

End of Activity 11.


Appendix-1: Network Diagram

LAB SETUP

Security Platform: UTD-CDSS-PAVM

Interface       Type          IP Address          Connects to Zone
Ethernet 1/0    Management    10.30.21.1/24       Management
Ethernet 1/1    L3            172.16.2.1/24       TP-wan
Ethernet 1/2    L3            10.80.2.1/24        TP-Intranet
Ethernet 1/3    L3            192.168.21.1/24     TP-lan
Ethernet 1/4    Tap           None                Tap-Traffic

