Ultimate Test Drive NGFW Workshop Guide 3.0-20150616

Workshop
Guide

Ultimate Test Drive

Next-Generation Firewall
(NGFW)
PAN-OS 6.1/UTD 3.0
http://www.paloaltonetworks.com

© 2015 Palo Alto Networks. Proprietary and Confidential
Last Update: 20150616

Ultimate Test Drive -‐ NGFW
Table of Contents

Activity 0 – Login to UTD Workshop ................................................................................. 5
Task 1 – Login to your Ultimate Test Drive Class Environment .................................................................... 5
Task 2 – Login to the student desktop ......................................................................................................... 7
Task 3 – Login to UTD Virtual Firewall ........................................................................................................ 10
Activity 1 – Enabling Social Media .................................................................................. 12
Task 0 – Check connectivity to Facebook ................................................................................................... 12
Task 1 – Modify an existing Security Policy to allow Facebook .................................................................. 12
Task 2 – Review Traffic Logs ....................................................................................................................... 13
Activity 2 – Controlling Evasive Applications ................................................................... 14
Task 1– Attempt to use a non-‐approved web application ......................................................................... 14
Task 2– Attempt to use an anonymizer site ............................................................................................... 14
Task 3– Attempt to download and install evasive application ................................................................... 14
Task 4– Review URL log .............................................................................................................................. 15
Activity 3 – Applications on Non-‐standard Ports ............................................................. 16
Task 1 – Create a new Security Policy ........................................................................................................ 16
Task 2 – Check application connectivity ..................................................................................................... 17
Task 3 – Modify Security Policy .................................................................................................................. 17
Task 4 – Re-‐check applications on non-‐standard ports .............................................................................. 18
Activity 4 – Decryption ................................................................................................... 19
Task 0 – Check connectivity to LinkedIn ..................................................................................................... 19
Task 1 – Modify existing Security Policy ..................................................................................................... 19
Task 2 – Add a new Decryption Policy ........................................................................................................ 20
Task 3 – Log into LinkedIn .......................................................................................................................... 20
Task 4 – Review Traffic Logs ....................................................................................................................... 21
Activity 5 – Modern Malware Protection ........................................................................ 22
Task 1 – Enable file forwarding to WildFire Service ................................................................................... 22
Task 2 – Modify Security Policy with File Blocking Profile .......................................................................... 22
Task 3 – Test WildFire Modern Malware Protection .................................................................................. 23
Task 4 – Wildfire Portal Review .................................................................................................................. 25
UTD-‐NGFW 3.0 Page 2

Activity 6 – URL Filtering ................................................................................................ 26

Task 0 – Check connectivity ....................................................................................................................... 26
Task 1 – Modify URL filter .......................................................................................................................... 26
Task 2 – Apply URL filter to Security Policy ................................................................................................ 27
Task 3 – Review URL Filtering Logs ............................................................................................................. 27
Activity 7 – GlobalProtect: Safely Enable Mobile Devices ................................................ 28
Task 1 – Identify the Gateway URL ............................................................................................................. 28
Task 2 – Complete the GlobalProtect Gateway Configuration ................................................................... 30
Task 3 – Log in to GlobalProtect from the Mobile PC ................................................................................ 31
Task 4 – Review Traffic on the VM-‐Series Firewall ..................................................................................... 34
Activity 8 – ACC and Custom Reports .............................................................................. 36
Task 1 – Review Application Command Center (ACC) ................................................................................ 36
Task 2 – Setting up custom report ............................................................................................................. 37
Activity 9 -‐ Feedback on Ultimate Test Drive .................................................................. 38
Task 1 – Take the online survey ................................................................................................................. 38
Appendix-‐1: Alternative Login Method to Student Desktop ............................................ 40
Login to the student desktop using Java Console (Java client required) .................................................... 40
Login to the student desktop with RDP client ............................................................................................ 42
Appendix-‐2: Support for Non-‐US keyboards ................................................................... 45
Add new international keyboard ............................................................................................................... 46
Use the on-‐screen keyboard ...................................................................................................................... 47


How to use this Guide:

The activities outlined in this Ultimate Test Drive guide are meant to contain all the
information necessary to navigate the Palo Alto Networks graphical user interface (GUI).
This guide is meant to be used in conjunction with the information and guidance provided
by your facilitator.
Once these activities are completed:

You should be able to:
1. Navigate the Palo Alto Networks GUI
2. Review portions of the firewall configuration
3. Change the configuration to affect the behavior of traffic across the firewall
This workshop covers only basic topics and is not a substitute for the training classes
conducted by Palo Alto Networks’ Authorized Training Centers (ATC). Please contact your
partner or regional sales manager for more training information.
Terminology:
“Tab” refers to the 5 tabs along the top of each screen in the GUI.
“Node” refers to the options associated with each “Tab” found in the left-‐hand column on each screen.
*NOTE*
Unless specified, the “Chrome” web browser will be used to perform any tasks outlined in
the following Activities. (Chrome is pre-‐installed on the student desktop of the workshop
PC.)

Activity 0 – Login to UTD Workshop

In this activity you will:
• Login to the Ultimate Test Drive Workshop from your laptop
• Test student desktop connectivity to the firewall
• Review the workshop network
Task 1 – Login to your Ultimate Test Drive Class Environment

Step 1: First, make sure your laptop is installed with a modern browser that supports HTML 5.0. We
recommend using the latest version of Firefox, Chrome and Internet Explorer. We also recommend you
install the latest Java client for your browser.
Step 2: Go to class URL. Enter your email address and the Passphrase. (If you have an invitation email, you
can find the Class URL and Passphrase in the invitation email. Or the instructor will provide you with the
class URL and Passphrase.)

Step 3: Complete the Registration form and click “Register and Login” at the bottom.
Step 4: Depends on your browser of choice, you will be asked to install a plugin, please click yes to allow
the plugin to be installed and continue the login process.


Step 5: Once you login, the environment will be automatically created for you. Click on “Start Using This
Environment” when the Environment is ready.

Step 6: The UTD NGFW Environment consists of three core components: a “Student Desktop”, “VM-‐Series
Virtual Firewall” and an “Ubuntu Server”. You will access the lab through the “Student Desktop”.


Task 2 – Login to the student desktop

Step 1: Click on the “Student Desktop” tab on top to connect to the Student Desktop.

Step 2: You will be connected to the “Student Desktop” through your browser.

Step 3: Click on the blue arrow on the top left hand corner to collapse the navigation bar. This will make
more room for the “Student Desktop”.


Step 4: If the “Student Desktop” resolution is too high or too low for your laptop display, you can adjust
the resolution on the upper right hand corner.

[Note: The default connection to the “Student Desktop” uses RDP over HTML5 protocol through the
browser. In case your browser does not support HTML5 or you find that the student desktop is too small to
use in the browser, please refer to Appendix-‐1 : Alternative Login Method to connect to the student
desktop using Java or RDP client. ]

Optional Step 5: If you encounter connection issues with the “Student Desktop”, click on “Reconnect” to
re-‐establish the connection.


Optional Step 6: If re-‐connection to the “Student Desktop” remains unsuccessful, please verify your laptop
connectivity using the following link. Note that a Java client is required on your browser for this test site to
function.
https://use.cloudshare.com/test.mvc
This test site will validate the RDP-‐based and Java-‐based connections to your browser. Click “Allow” to
allow the “Java Applet” to be installed and run on your browser.

Optional Step 7: If the connectivity test passed, please close the browser and retry from Task-‐1 Step-‐1. If
the connectivity test failed, please inform the instructor for further assistance.


Task 3 – Login to UTD Virtual Firewall

Step 1: Click on the “UTD-‐NGFW-‐PAVM-‐CS” bookmark in the Chrome browser, login to the firewall using
the following name and password:
Name: student
Password: utd135
“student” -‐>
<-‐ “utd135”

Step 2: You are now logged in to the firewall and should see the main dashboard.


Step 3: Open a new tab in the Chrome browser window and confirm Internet connectivity to some URL
(e.g. http://www.cnn.com)

Step 4: Here is a quick look at how the student desktop and the virtual firewall are connected.


Activity 1 – Enabling Social Media

Background: Every organization is trying to determine how to appropriately control social media
applications. Allowing them all is high risk, while blocking them all can be business crippling. Policy
considerations include who can use social media, what are the risks of data loss/data transfer, and how to
eliminate the propagation of malware.

PAN-‐OS features to be used:
• App-‐ID and function control
• Logging and reporting for verification


• Modify the existing firewall configuration to control the behavior of the Facebook
• Review Traffic logs to confirm activity
Task 0 – Check connectivity to Facebook

Step 1: On your session desktop, open a browser and enter the URL: http://www.facebook.com
ü Question: What is the response seen in the browser window?
Ø Answer: You should get blocked and see a screen that looks like this:

Task 1 – Modify an existing Security Policy to allow Facebook

Step 1: Click on the “Policies” tab à “Security” node
Step 2: Click on the rule name “UTD-‐Policy-‐03” à a “Security Policy Rule” pop-‐up will appear
Step 3: Click on the “Application” tab (within the pop-‐up)

Step 4: Click “Add” and type “facebook” and select “facebook-‐base” from the list
Step 5: Click “Ok” in the pop-‐up window
Step 6: Click “Enable” (in the bottom bar of the GUI)
Step 7: Click “Commit” (in the upper right hand corner of the GUI)
[NOTE: There will be a pop-‐up window with messages regarding the Commit. Any warning messages can
be safely ignored.]
Step 9: Click “Close” in the pop-‐up window once the Commit has completed
Step 10: Open a new browser tab and surf to http://www.facebook.com. (You may get a warning
message that you can ignore.)
Step 11: Log into facebook using the account:
Username/Email: ultimatetestdrive@gmail.com
Password: paloalto123
Note: If you have trouble passing the @ symbol to the VM please follow the directions in the Appendix for
accessing the on-‐screen keyboard.
Task 2 – Review Traffic Logs

Step 1: Click on the “Monitor” tab and the “Traffic” node (under the “Logs” section) will be selected
Step 2: Type into the query box (directly above the “Receive Time” column) the search string:
(app eq facebook)
Then hit the Enter key or click the icon:
Questions:
ü What was the action associated with the log entries?

ü What was the port number associated with the log entries?
End of Activity 1

Activity 2 – Controlling Evasive Applications

Background: Evasive applications are found on almost every network. Some are purposely evasive, making
every effort to avoid controls and hide. Examples include anonymizer, Tor and P2P. Policy considerations
for controlling evasive applications include protection from RIAA threats, data loss (inadvertent or
otherwise) and malware propagation.


• App-‐ID and URL filters to prevent evasive applications


• Use Application and URL Filter to control Proxy sites
• Review the logs
Task 1– Attempt to use a non-‐approved web application

Step 1: Open a new browser tab and go to http://drive.google.com.
Ø You should not be able to go to Google drive.

Google-‐drive-‐web application is not explicitly allowed by the firewall so it is blocked.
To get around the firewall some users may try to use an anonymizer site to by-‐pass the firewall
Task 2– Attempt to use an anonymizer site

Step 1: Open a new browser tab and go to one of these anonymizer sites: http://www.anonymouse.org
and http://www.hidemyass.com.
Step 2: You should see the anonymizer site being blocked:

Task 3– Attempt to download and install evasive application
Step 1: To circumvent the firewall, some students may try to download and install an evasive application
such as Tor.

Step 2: Attempt to download Tor from the web site https://www.torproject.org in the browser. You
should see that it has been blocked too.
Task 4– Review URL log

Step 1: Click on the “Monitor” tab and the “URL Filtering” node (under the “Logs” section)
Step 2: You can click on any entry under the “URL” column and it will automatically enter the filtering
string in the search bar
Questions:
ü Can you determine what policy is blocking google-‐drive?

ü Can you determine what policy is blocking the anonymizer sites?
ü What is the application used to access the anonymizer sites?
ü What is the application used to access the Tor download sites?

End of Activity 2

Activity 3 – Applications on Non-‐standard Ports

Background: Many applications can use, either by default or through user control, a non-‐standard port.
Often times, the use of non-‐standard ports is done as a means of evading controls. Tech savvy users are
accessing their home PC from work by directing SSH to a non-‐standard port.
A Verizon Data Breach Report shows that of the 855 breaches analyzed, 812 (95%) were attributed to
hacking of some type. And 715 (88%) of those 812 were remote access tool related. More simply put, 84%
of the 855 breaches were attributable to remote access tool exploitation. Policy considerations include
which applications and users should be allowed to use these applications.


• Logging and reporting to show SSH, RDP and Telnet on non-‐standard ports
• App-‐ID, groups function and service (port)
• User-‐ID (groups)


• Add a new Security Policy for the IT organization
• Re-‐order the Policies
Task 1 – Create a new Security Policy

Step 1: Click on the “Policies” tab then the “Security” node
Step 2: Click “Add” in the lower left-‐hand corner
Step 3: Name the Policy “IT-‐usage” and select “Activity-‐3” for Tags using the drop down list
Step 4: Click on the “Source” tab
Step 5: Click “Add” in the “Source Zone” box and select “Trust”
Step 6: Click on the “Destination” tab and click “Add” in the “Destination Zone” box and select “Untrust”
Step 7: Click on the “Application” tab and click “Add” à type “IT-‐apps” and select it
Step 8: Click on the “Service/URL Category” tab and click on the pull down menu above “Service”, change
the default setting from “application-‐default” to “any” and then click “Ok”.
Step 9: Click “Ok”

Step 10: Click and drag the Policy “IT-‐usage” so it is above the “UTD-‐Policy-‐05” rule.
Step 11: Click “Commit” (in the upper right hand corner of the web browser)
Step 13: Click “Close” once the commit has completed
Step 14: “IT-‐apps” is a predefined application group that includes SSH, MS-‐RDP and other applications. Go
to the “Object” tab and “Application Groups” node to review what applications are included in this
application group.
Task 2 – Check application connectivity

Step 1: Use the PUTTY application on the desktop
Step 2: SSH to the “SSH-‐Server” (172.16.1.101) using the default port “22”, login with
Login: student
Password: utd135
Question:
ü Can you login?
Ø Yes – you should be able to login.
Step 3: Close the SSH session. SSH again to “172.16.1.101” using the non-‐standard port “443”
Question:
ü Can you login using the non-‐standard port?
Ø Yes – you should be able to login.
Step 4: Close the putty application and click the “Monitor” tab à “Traffic” log on the firewall GUI.
Step 5: Search for application SSH on port 22 or 443
Questions:
ü What query string did you type into the search box?
ü Was the application allowed?
Task 3 – Modify Security Policy

Step 1: Click on the “Policies” tab à “Security”
Step 2: Click on the “IT-‐usage” Security Policy created in Task 1

Step 3: Click on the “Service/URL Category” tab and click on the pull down menu above “Service”, change
“any” to “application-‐default” and then click “Ok” (The “Application-‐default” option only allows
applications over the default port and protocol, it prevents applications from running on non-‐standard
port or protocol.)
Task 4 – Re-‐check applications on non-‐standard ports

Step 1: Use the PUTTY application on the student desktop
Step 2: SSH to 172.16.1.101 again on port 443 using putty. Did you get a login prompt?
Ø You should not get the login prompt this time
Step 3: Close the putty application and click the “Monitor” tab à “Traffic” log on the firewall GUI
Step 4: Search for application SSH on port 443
Questions:
ü What query string did you type into the search box?
ü Was the application allowed?
End of Activity 3

Activity 4 – Decryption
Background: More and more traffic is encrypted with SSL by default, making it difficult to allow and scan
that traffic, yet blindly allowing it is high risk. Policy based SSL decryption will allow you to enable
encrypted applications, apply policy, then re-‐encrypt and send the traffic to its final destination. Policy
considerations include which applications to decrypt, protection from malware propagation and data/file
transfer.


• App-‐ID
• SSL decryption
• User-‐ID (Challenge Task)


• Modify existing Security Policy to allow Linkedin application for the Exec Team
• Add new Decryption Policy to decrypt SSL traffic
Task 0 – Check connectivity to LinkedIn

Step 1: On your Java Applet session desktop, open a browser and enter the URL: http://www.linkedin.com
ü Question: What is the response seen in the browser window?
Ø Answer: You should get blocked and see a screen that looks like this:

Task 1 – Modify existing Security Policy

Step 1: Click on the “Policies” tab à “Security” node will be selected
Step 2: Click on the rule “UTD-‐Policy-‐04” à a “Security Policy Rule” pop-‐up will appear

Step 3: Click on the “Application” tab (within the pop-‐up)
Step 4: Click “Add” and type “linkedin-‐base” à select it
Step 6: Click “Enable” (in the lower bar of the GUI)
NOTE: You don’t need to click “Commit” until after the next Task
Task 2 – Add a new Decryption Policy

Step 1: Click on the “Policies” tab then the “Decryption” node
Step 2: Click “Add” in the lower left-‐hand corner
Step 3: In the “Decryption Policy Rule” pop-‐up: name the Policy “UTD-‐Decryption-‐02” and select “Activity-‐
4” in “Tags”
Step 4: Click on the “Source” tab
Step 5: Click “Add” in the box labeled “Source Zone” and select “Trust”
Step 6: Click on the “Destination” tab
Step 7: Click “Add” in the box labeled “Destination Zone” and select “Untrust”
Step 8: Click on the “Options” tab and select “decrypt” for “Action” -‐ leave the “Type” selection as “SSL
Forward Proxy”

Task 3 – Log into LinkedIn
Step 1: Open a new browser tab and enter http://www.linkedin.com
Step 2: Log into LinkedIn using your personal account.
[Note: LinkedIn User Agreement 8.2 prevents us from providing a generic account for the lab. Please login
with your personal account to continue with the lab. If you do not wish to use your own account or do not
have an account to continue on with the lab, please move on to the next activity.]


Step 3: Attempt to post a status update.

Question:
ü Was your post update blocked by the firewall?

ü You should see the following block page (note the application that is being blocked).
Task 4 – Review Traffic Logs

Step 1: Click on the “Monitor” tab and the “Traffic” node (under the “Logs” section) will be selected
Step 2: Type into the query box (directly above the “Receive Time” column) the search string:
( app eq linkedin )
Questions:
ü Can you find the log entry associated with the application you just used?
Then click the Details icon next to the top log entry:
Questions:
ü Did the log entry show the traffic was decrypted?
End of Activity 4


Activity 5 – Modern Malware Protection

Background: Modern malware is at the heart of many of today's most sophisticated network attacks, and
is increasingly customized to avoid traditional security solutions. WildFire exposes targeted and unknown
malware through direct observation in a virtual environment, while the next-‐generation firewall ensures
full visibility and control of all traffic including tunneled, evasive, encrypted and even unknown traffic.
Policy considerations include which applications to apply the WildFire file blocking/upload profile.


• Profiles: Virus, Spyware, file blocking & WildFire
• WildFire portal


• Modify existing file blocking policy to use the Wildfire service
• Add the modified file blocking policy to other Security Policy
Task 1 – Enable file forwarding to WildFire Service

Step 1: Click on the “Objects” tab à “File Blocking” node (found under “Security Profiles”)
Step 2: Click on the Profile name “UTD-‐File-‐Blocking-‐01”
Step 3: On the “Enable WildFire” entry, change the “File Types” from “Any” to “exe”, “pdf”, “docx” and
“PE”,
Step 4: Change “Action” from “alert” to “forward”
Step 5: Click “Ok” – this now allows the File Blocking Profile to forward files to WildFire Modern Malware
Protection services
Task 2 – Modify Security Policy with File Blocking Profile

Step 1: Click on the “Policies” tab à “Security” node
Step 2: Click on the rule name “UTD-‐Policy-‐01” à a “Security Policy Rule” pop-‐up will appear
Step 3: Click on the “Actions” tab (within the pop-‐up)
Step 4: In the “Profile Setting” section, select the pull-‐down menu next to “File Blocking”
Step 5: Select “UTD-‐File-‐Blocking-‐01”

Optional Step 7: Click on the rule name “UTD-‐Policy-‐04” à a “Security Policy Rule” pop-‐up will appear
Optional Step 8: Click on the “Actions” tab (within the pop-‐up)
Optional Step 9: In the “Profile Setting” section, select the pull-‐down menu next to “Profile Type” and
select “Profiles”
Optional Step 10: Select the pull-‐down menu next to “File Blocking” and select “UTD-‐File-‐Blocking-‐01”
Question:
ü Should you apply any other Security Profiles to this Security Rule?
Optional Step 11: Click “Ok”
Optional Step 12: If this policy is not enabled, click “Enable” at the bottom of the policy screen to enable
the policy
Task 3 – Test WildFire Modern Malware Protection

Step 1: To download a WildFire test file, open the browser and enter the following to the address bar or
click on the bookmark “WildFire Test File”
http://wildfire.paloaltonetworks.com/publicapi/test/pe
Step 2: The browser will automatically download a “wildfire-‐test-‐pe-‐file.exe” sample file. Check your
“Download” folder to confirm the download. [Note that this sample changes every time it is downloaded
and it should by-‐pass most Antivirus scans.]

Step 3: To view that the sample file has been sent to WildFire, go back to the firewall GUI, click on the
“Monitor” tab, then click on “Data Filtering” node (under the “Logs” section), you should see log entries
that the test sample file is uploaded to WildFire. Click on the “WildFile Submissions” node and review the
results return from the WildFire service. [Note: It may take about 10 mins for the Wildfire Submissions log
to appear. It is a good time to take a short break before you continue. Please do not skip ahead to the next
task.]


Step 4: When you see the entry, click the “Details” icon next to the top log entry. In the “Log Info”
tab, you can view the basic info of the file and the application that carries that file.
Step 5: Click on the “WildFire Analysis Report” tab to view the details on the analysis results. Under
“WildFire Analysis Summary”, the “Verdict” indicates that the submitted file is a Malware and you can
download the malware file from the “Sample File” directly.
Step 6: Under “Dynamic Analysis”, you can see the behavior of the malware under different operating
systems. “Virtual Machine 1” is configured with Window XP, review the behavior and activity of the
malware. Click on “Virtual Machine 2” to review the malware behavior and activity in Window 7.


Step 7: Click on “VirusTotal Information” on the report, and it will bring you to the VirusTotal home page.
Since this malware has never been seen before, VirusTotal will not have any information on this virus.
Step 8: Explore the other features and functions offered in the WildFire Analysis Report such as download
the sample file or download the WildFire Analysis report in pdf.
Task 4 – Wildfire Portal Review

Step 1: In the Chrome browser and use the “WildFire Portal” bookmark to go to the login page (or enter
the URL: http://wildfire.paloaltonetworks.com )
Step 2: Login using the following credentials
Username: ngfw.utd@gmail.com
Password: utd135

Step 3: In the portal, click on the “Reports” tab, you can see a summary of all the files that are summited
for analysis. You can review the WildFire Analysis Report by clicking on the Report icon on the left hand
side of the entry. A WildFire account can manage multiple Palo Alto Networks firewalls. (Note: In this lab
environment, there is only one firewall managed by this account.)
Step 4: You can also upload suspicious files manually for analysis using the “Upload Sample”, click on
“Upload Sample” tab on top to review the various upload options.

End of Activity 5

Activity 6 – URL Filtering

Application control and URL filtering complement each other, providing you with the ability to deliver
varied levels of control that are appropriate for your security profile. Policy considerations include URL
category access, which users can (or cannot) access the URL category, and prevention of malware
propagation.


• URL filtering category match


• Modify the behavior of URL filtering functionality
Task 0 – Check connectivity

Step 1: Open http://www.gambling.com in the browser – you should be able to open this page with the
base workshop configuration
Task 1 – Modify URL filter

Step 1: Click on the “Objects” tab then the “URL Filtering” node (found in the Security Profiles section)
Step 2: Click on the Profile name “UTD-‐URL-‐filter-‐01”
Step 3: Find the Category “gambling” and change the Action from “allow” to “continue”


Task 2 – Apply URL filter to Security Policy

Step 1: Click on the “Policies” tab then the “Security” node
Step 2: Click on the rule “UTD-‐Policy-‐01” à a “Security Policy Rule” pop-‐up will appear
Step 3: Click on the “Actions” tab (within the pop-‐up)
Step 4: In the “Profile Setting” section, select the pull-‐down menu next to “URL Filtering”
Step 5: Select “UTD-‐URL-‐filter-‐01” and then click “Ok”
Step 9: Open a new browser tab (on the workshop PC desktop) and enter the URL
http://www.gambling.com
The Web page is blocked but the block page will have an option to continue to open the page
Step 10: Click “Continue” to open the web page
Task 3 – Review URL Filtering Logs

Step 1: Click on the “Monitor” tab à “URL Filtering” node (under the “Logs” section)
Questions:
ü What was the action associated with the log entries?
ü What was the application associated with the log entries?
End of Activity 6

Activity 7 – GlobalProtect: Safely Enable Mobile

Devices
Mobile computing is one of the most disruptive forces in information technology. It is revolutionizing how
and where employees work, and the tools that they use to perform their jobs. GlobalProtect from Palo
Alto Networks safely enables mobile devices for business use by providing a unique solution to manage the
device, protect the device and control the data.

• GlobalProtect Portal and Gateway
• GlobalProtect Client Applicaiton

• Complete the GlobalProtect Portal configuration in the lab environment to allow GlobalProtect
clients to connect to the GlobalProtect Gateway
• Use the GlobalProtect Client application to connect to the GlobalProtect gateway and verify the
traffic are being protected by the firewall

Task 1 – Identify the Gateway URL
Step 1: Locate the public URL for your GlobalProtect gateway running on your VM-‐Series. This is the URL
for gateway that we will use to configure both the GlobalProtect gateway and the client. Go to the “Virtual
Machines” tab on top. You will see a list of all the Virtual Machines used in this lab.


Step 2: Identify the “VM-‐Series Next Generation Firewall” virtual machine, click on “More details”. The
“External Address” for the virtual firewall will resolve to the public IP address that you will need to use.
Note that the External Address is unique to each lab environment and it is different from what is shown
below.

(Optional) Step 3a: You can copy this URL down on paper or you can use “Cloudshare –Clipboard” to copy
text to the VM in the environment. To use the Cloudshare – Clipboard, click on the little blue icon next to
the URL to copy it to the clipboard. In order to paste this URL in the window, you will need to put it in the
Cloudshare clipboard. Go back to the “Student Desktop”, click on the “Edit Clipboard” button. (If you are
using “Fullscreen RDP”, you will need to exit it to see the “Edi Clipboard” button.
(Optional) Step 3b: In the Clipboard window, right click and paste the URL here.

(Optional) Step 3c: Click “Save” to save the URL in the Cloudshare clipboard. Now you should be able to
paste this text in the VM when you right click in any text field.
[You may want to paste the URL into a text file on your laptop -‐ it may come in handy later in this activity.]
Task 2 – Complete the GlobalProtect Gateway Configuration

Step 1: Go back to the “Student Desktop” and log in to the VM-‐Series firewall Web GUI.
Step 2: Go to the “Network” tab on top, then click on the “GlobalProtect” node and then click on “Portals”
Step 3: Click on the ‘UTD-‐GP-‐Portal” to open up the GlobalProtect Portal configuration window, then click
on the “Client Configuration” tab on the left hand side of the window.
Step 4: Click on the “UTD-‐GP-‐Portal-‐ClientCfg” in the “Client Configuration” window.

Step 5: In the “Config” window of the “UTD-‐GP-‐Portal-‐ClientCfg”, go to the “Gateways” tab to configure
the gateway information that will be provided to the client.
Step 6: In our lab, we will use one External Gateway. We will enter the your lab gateway URL for the
client. Click on “Address” field under External Gateways, and replace the “replace.this.url” with the
“External Address URL” from Task-‐1 of this activity.

[If you have done Optional Step-‐3 in Task-‐1, you can right click and paste the URL in the Address field.]
Step 7: Click “OK” twice to close and save the configuration changes in the “UTD-‐GP-‐Portal” and commit
the changes.
Task 3 – Log in to GlobalProtect from the Mobile PC

Step 1: Click on the “Mobile PC – Windows” tab on top to go to the “Mobile PC” console.



Step 2: Open the chrome browser and test the internet connectivity using web pages such as
www.msn.com and www.cnn.com. You should be able to connect to the internet directly from this device.
[Note that this device is NOT sitting being the VM-‐Series firewall. You can test this by going to the web site
that was blocked in Activity-‐6. You should see not see the same block page.]
Step 3: Start the GlobalProtect application from the “Start” menu.

Step 4: On the GlobalProtect application window, go to the “Settings” tab to enter the login info for the
GlobalProtect Portal.

Step 5: In the setting window, enter the following Username and Password and copy the “External
Gateway” URL from Task-‐1 of this activity into the “Portal” field. [You can use the “Send Text” feature here
to cut and paste the External Gateway URL in the Send Text Window and send it to the GlobalProtect
Setting window.]
Username: joe
Password: utd135


[ Note: If you encountered connection problems, check to ensure the “External Gateway” URL is entered
correctly in the “Portal” field. ]
(Optional) Step 5a: You can validate the “External Gateway” URL by testing it in a browser with the HTTPS
protocol. It will open the “GlobalProtect Portal” page on your gateway. You are not required to login to
this portal.

Step 6: Once connected, you can see the GlobalProtect Welcome page. To verify that GlobalProtect is
connected to the Portal, go to the “Status” window in the GlobalProtect application to confirm the
“Connected” status.

Step 7: Check your internet connectivity in the mobile PC by visiting some web pages (e.g. www.msn.com
or www.cnn.com) via the browser. Now test www.facebook.com and www.linkedin.com. You should not
be able to get to those services.


Task 4 – Review Traffic on the VM-‐Series Firewall

Step 1: To view the Mobile-‐PC VPN connection to the VM-‐Series firewall, go back to the “Student
Desktop” and log in to the VM-‐Series firewall Web GUI.
Step 2: Go to the “Monitor” tab and “Traffic” logs monitor page under “Logs” node on the left.
Step 3: Look for traffic logs from the “GP-‐VPN” zone where you can see the traffic logs from the Mobile-‐
PC, which demonstrates that traffic from the Mobile-‐PC is now protect by the firewall. [Note: the firewall
policy, in this case “UTD-‐Policy-‐05” can be modified to safely enable the necessary applications for remote
users.]

Step 4: Notice that the user name is also visible from the traffic log, which indicates user based firewall
policy can be created based on the user login info.
Step 5: Now go to the “Network” tab, go to the “GlobalProtect” > “Gateway” node.
Step 6: Click on the “Remote Users” link under “Info” column to open the Remote Users information
window.

Step 7: Under the “Current User” tab in the “User Information” window. Notice that the GlobalProtect
client in the Mobile-‐PC can collect host information such as computer name, operation system used and
more.
[Note: GlobalProtect -‐ Host-‐Information-‐Profile (HIP) provides state details about the condition of the
mobile laptop, smartphone or tablet, which can be used for making policy decision about the resources
the device can access. Please talk to your instructor for more information on the GlobablProtect solution. ]
End of Activity 7


Activity 8 – ACC and Custom Reports

Informative visualization tools and reports are very important to network and security administrators to
monitor and identify potential network problems and attacks. Comprehensive built-‐in visualization tools
and reporting features in the firewall can provide visibility into network without requiring a complex
logging infrastructure.

• Application Command Center (ACC)
o Built-‐in visualization tools that provides a clear view on the applications, users and threats
data on your network
• Manage custom reports
o Create a custom report using traffic stats logs
Task 1 – Review Application Command Center (ACC)

Step 1: Click on the “ACC” tab, the ACC is configured to show data collected in the last hr, change the time
to “Last 6 Hrs” in the Time drop down window to include all the data generated during your lab session

Step 2: Under “Top Applications”, you can see the top applications based on usage in the network and
their respective risk levels. Click on any application such as “web-‐browsing” to review more details for that
application
Step 3: To investigate further, click on any entry to further review the details associates with that
particular entry, Eg: you can click on a destination address or URL category to drill down on the details
Step 4: You can clear the selection by clicking on the cross for that element on the upper left corner

Step 5: To increase the entries displayed in ACC, you can increase the number in the “Top” entries drop
down window


Task 2 – Setting up custom report

Step 1: Click on the “Monitor” tab then the “Manage Custom Reports” node (second from last)
Step 2: Click “Add” (in the lower left) and name the report “Traffic Stats” (in the “Custom Report” pop-‐up)
Step 3: Use the following information to create this report:
ü Database ....................................... Application Statistics
ü Time Frame ................................... Last 6 Hrs
ü Selected Columns ......................... Application Name, App Category, App Sub Category, Risk of App,
Sessions
ü Sort By ........................................... Sessions : Top 10
Step 4: Click “Run Now” (at the top of the pop-‐up), then click on newly create tab “Traffic Stats” to review
the report, then export the results to a pdf report
Step 5: Click “Ok” to save this custom report

End of Activity 8


Activity 9 -‐ Feedback on Ultimate Test Drive

Thank you for attending the Ultimate Test Drive event and we hope you enjoy the presentation and the
labs that we have prepared for you. Please take a few minutes to complete the online survey form to tell
us what you think about this event.
Task 1 – Take the online survey

Step 1: In your lab environment, click on the “Survey” tab.

Step 2: Please complete the survey and let us know what you think about this event.
End of Activity 9.


Request a free evaluation/AVR Report and you’ll get

entered into today’s PA 200 drawing!

Ask you Palo Alto Networks Sales Representative or Palo Alto Networks Partner for more information


Appendix-‐1: Alternative Login Method to

Student Desktop
This appendix shows you how to login to the student desktop using other connectivity method. Please
complete the procedures outlined in Activity-‐0: Task-‐1 to login to the UTD Workshop before you continue.
There are two other methods that you can use to login to the student desktop:
-‐ Use “Console” feature in workshop (Java client required)

-‐ Use RDP client if it is installed on the laptop
Both methods are described below and you can select the one that best fit what you have installed on
your laptop. Note that RDP protocol may not be supported on all networks so please verify that RDP is
supported at your location.
Login to the student desktop using Java Console (Java client
required)
Step 1: Click on the “Student Desktop” after login to the UTD workshop

Step 2: Click on the Console link on “switch to Console’. This will run the Java client.

Step 3: Allow to Java to run VncViewer application. You may need to click “Run” a few times.


Step 2: Click on the “Don’t Block” on the Java Security Warning message.

Step 3: After allowing the Java client to run, you will see the student desktop display. Click the “Send Ctrl-‐
Alt-‐Del” to open the login window and use the Username and Password as indicated on your browser, not
the one indicated below. You should be login to the student desktop after entering the login name and
password.


Login to the student desktop with RDP client

If you have RDP client installed on your laptop, you have the option to connect directly to the student
desktop over RDP.
Step 1: Click on the “Virtual Machines” tap to the top to view all the Virtual Machines in the environment.
Step 2: Click on the “More details” in the “VM-‐Series Virtual Firewall”. Note: Not the one under “Student
Desktop”.
Step 3: Copy the URL in External Address under VM Details of the “VM-‐Series Virtual Firewall. You can
click on the blue icon next to the address to copy it to the clipboard.

Step 4: Open the RDP client on your laptop and paste URL to the host or PC field. (Note: Not the URL as
shown below.)

Step 5: On the browser, click on the “More details” link on the “Student Desktop”, then click on the “show
password” link under Credentials. Use the password to login to the student desktop.

Step 6: Use the username and password to login to the student desktop.


Step 7: Click “Connect” on the certificate error message.

Step 8: You should be connected to the student desktop after that.


Appendix-‐2: Support for Non-‐US keyboards

If you are using a Non-‐US keyboard and have difficulties entering any characters and special keys, you can
add a keyboard to the student desktop to support what you have or use the on-‐screen keyboard. This
appendix shows you how to add, select an international keyboards or use the on-‐screen keyboard.
By default, the “English (United Sates)” and “French (France)” keyboards are added to the student
desktop. Click on the bottom left corner to switch between them.


Add new international keyboard

To add other keyboards, go to Start > Control Panel. Click on “Change Keyboards or other input methods”
Click on change keyboard
Click “Add” to add a new international keyboard. Then switch to the new keyboard per the instruction on
the previous page.


Use the on-‐screen keyboard

To use the on-‐screen keyboard.
Step 1: Click on Start -‐>All Programs

Step 2: Click “Accessories”


Step 3: Click “Ease of Access” and then “On-‐Screen Keyboard”

Step 4: You should now see the windows On-‐Screen Keyboard. To pass keys inside the VM image that do
not work on your keyboard, simply select the key using a mouse.


Lab Setup

Firewall VM-‐Series

Interface: Int Type: IP Address: Connects to Zone:

Ethernet 1/1 L3
172.16.1.1 "Untrust"
Ethernet 1/2 L3 192.168.11.1 "Trust"
Management -‐ 10.30.11.1


Ultimate Test Drive NGFW Workshop Guide 3.0-20150616

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ultimate Test Drive NGFW Workshop Guide 3.0-20150616

Uploaded by

Copyright:

Available Formats

Workshop

Ultimate Test Drive

Last Update: 20150616

Table of Contents

UTD-­‐NGFW 3.0 Page 2

Activity 6 – URL Filtering ................................................................................................ 26

UTD-­‐NGFW 3.0 Page 3

How to use this Guide:

Once these activities are completed:

UTD-­‐NGFW 3.0 Page 4

Activity 0 – Login to UTD Workshop

Task 1 – Login to your Ultimate Test Drive Class Environment

UTD-­‐NGFW 3.0 Page 5

UTD-­‐NGFW 3.0 Page 6

Task 2 – Login to the student desktop

UTD-­‐NGFW 3.0 Page 7

UTD-­‐NGFW 3.0 Page 8

UTD-­‐NGFW 3.0 Page 9

Task 3 – Login to UTD Virtual Firewall

UTD-­‐NGFW 3.0 Page 10

UTD-­‐NGFW 3.0 Page 11

Activity 1 – Enabling Social Media

In this activity you will:

Task 0 – Check connectivity to Facebook

Task 1 – Modify an existing Security Policy to allow Facebook

UTD-­‐NGFW 3.0 Page 12

Step 5: Click “Ok” in the pop-­‐up window

Step 8: Click “Ok” in the pop-­‐up window

Step 11: Log into facebook using the account:

Task 2 – Review Traffic Logs

(app eq facebook)

Then hit the Enter key or click the icon:

ü What was the action associated with the log entries?

End of Activity 1

UTD-­‐NGFW 3.0 Page 13

Activity 2 – Controlling Evasive Applications

PAN-­‐OS features to be used:

In this activity you will:

Task 1– Attempt to use a non-­‐approved web application

Task 2– Attempt to use an anonymizer site

UTD-­‐NGFW 3.0 Page 14

Task 4– Review URL log

Then hit the Enter key or click the icon:

ü Can you determine what policy is blocking google-­‐drive?

End of Activity 2

UTD-­‐NGFW 3.0 Page 15

Activity 3 – Applications on Non-­‐standard Ports

PAN-­‐OS features to be used:

In this activity you will:

Task 1 – Create a new Security Policy

Step 2: Click “Add” in the lower left-­‐hand corner

Step 4: Click on the “Source” tab

Step 9: Click “Ok”

UTD-­‐NGFW 3.0 Page 16

Step 12: Click “Ok” in the pop-­‐up window

Step 13: Click “Close” once the commit has completed

Task 2 – Check application connectivity

Task 3 – Modify Security Policy

UTD-­‐NGFW 3.0 Page 17

Step 5: Click “Ok” in the pop-­‐up window

Step 6: Click “Close” once the commit has completed

Task 4 – Re-­‐check applications on non-­‐standard ports

Ø You should not get the login prompt this time

Step 4: Search for application SSH on port 443

UTD-‐NGFW 3.0 Page 2

UTD-‐NGFW 3.0 Page 3

UTD-‐NGFW 3.0 Page 4

UTD-‐NGFW 3.0 Page 5

UTD-‐NGFW 3.0 Page 6

UTD-‐NGFW 3.0 Page 7

UTD-‐NGFW 3.0 Page 8

UTD-‐NGFW 3.0 Page 9

UTD-‐NGFW 3.0 Page 10

UTD-‐NGFW 3.0 Page 11

UTD-‐NGFW 3.0 Page 12

Step 5: Click “Ok” in the pop-‐up window

Step 8: Click “Ok” in the pop-‐up window

UTD-‐NGFW 3.0 Page 13

PAN-‐OS features to be used:

Task 1– Attempt to use a non-‐approved web application

UTD-‐NGFW 3.0 Page 14

ü Can you determine what policy is blocking google-‐drive?

UTD-‐NGFW 3.0 Page 15

Activity 3 – Applications on Non-‐standard Ports

PAN-‐OS features to be used:

Step 2: Click “Add” in the lower left-‐hand corner

UTD-‐NGFW 3.0 Page 16

Step 12: Click “Ok” in the pop-‐up window

UTD-‐NGFW 3.0 Page 17

Step 5: Click “Ok” in the pop-‐up window

Task 4 – Re-‐check applications on non-‐standard ports

UTD-‐NGFW 3.0 Page 18

PAN-‐OS features to be used:

UTD-‐NGFW 3.0 Page 19

Step 2: Click “Add” in the lower left-‐hand corner

UTD-‐NGFW 3.0 Page 20

PAN-‐OS features to be used:

Step 2: Click on the Profile name “UTD-‐File-‐Blocking-‐01”

Step 5: Select “UTD-‐File-‐Blocking-‐01”

UTD-‐NGFW 3.0 Page 22

UTD-‐NGFW 3.0 Page 23

UTD-‐NGFW 3.0 Page 24

PAN-‐OS features to be used:

UTD-‐NGFW 3.0 Page 26

UTD-‐NGFW 3.0 Page 27

UTD-‐NGFW 3.0 Page 28

UTD-‐NGFW 3.0 Page 29

UTD-‐NGFW 3.0 Page 30

UTD-‐NGFW 3.0 Page 31

UTD-‐NGFW 3.0 Page 32

UTD-‐NGFW 3.0 Page 33

Task 4 – Review Traffic on the VM-‐Series Firewall

UTD-‐NGFW 3.0 Page 34

UTD-‐NGFW 3.0 Page 35

UTD-‐NGFW 3.0 Page 36

UTD-‐NGFW 3.0 Page 37

Activity 9 -‐ Feedback on Ultimate Test Drive

UTD-‐NGFW 3.0 Page 38

UTD-‐NGFW 3.0 Page 39

Appendix-‐1: Alternative Login Method to

-‐ Use “Console” feature in workshop (Java client required)