Ultimate Test Drive Azure Workshop Guide
TEST DRIVE
Microsoft Azure
Workshop Guide
UTD-Azure 2.1 | VM-Series | CN-Series | Prisma Cloud
UTD-Azure 2.1 ©2021 Palo Alto Networks, Inc. | Confidential and Proprietary 20210210 1
Table of Contents
Task 1 - Policy Optimizer Helps You Convert a Policy to an Application-Based Policy 38
Task 2 - Enhanced Security in Application-Based Policy 39
Purpose of This Workshop Guide
This workshop guide describes deploying the Palo Alto Networks VM-Series firewall in the Microsoft Azure
public cloud to provide visibility and protection for the VNet inbound and outbound traffic.
The activities outlined in this Workshop Guide are meant to contain all the information necessary to
navigate the workshop interface, complete the workshop activities, and troubleshoot any potential issues
with the lab environment. This guide is meant to be used in conjunction with the information and guidance
provided by your facilitator.
This workshop guide covers only basic topics and is not a substitute for training classes conducted by
Palo Alto Networks Authorized Training Centers. Please contact your partner or regional sales manager
for more information on available training and how to register for one near you.
In this guide:
Tab refers to the seven tabs along the top of the screen in the VM-Series firewall GUI.
Node refers to the options associated with each Tab found in the left-hand column of the screen.
Cautions warning
Note: Unless specified, the Google Chrome web browser will be used to perform any tasks outlined in the
following activities.
Activity 0: Log In to the UTD Workshop
In this activity, you will:
Step 1: Open a browser window and navigate to the class URL. If you have an invitation email, you
will find the class URL and passphrase there. Otherwise, your instructor will provide them.
Step 2: Complete the registration form and click Register and Login at the bottom.
Step 3: Make a note of your email and password to login on UTD lab environment. You might need
email and password to re-login in the lab environment in case you logged out.
Step 4: Once you have logged in, the system will create a unique UTD environment for you. Please
note that this process may take a while, as indicated by the progress bar at the top of the
screen.
Step 5: Click on the Workshop Guide tab to open the lab guide in a new tab.
Task 2 - Sign on to the Azure account
This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or
demo environment. It does so by giving you new, temporary credentials that you use to sign in and
access the Azure portal for the duration of the lab.
Step 1: Go to the CloudShare lab environment and click on the Student Desktop tab at the top of the
page.
Step 2: In the left-hand side Action panel under the Virtual Keyboard, click on the key icon to log in
on Student Desktop.
Step 3: If the Student Desktop resolution is too high or too low for your laptop display, you can adjust
the resolution by right-clicking on the desktop and then selecting Display Settings. Select
the resolution from the Resolution drop-down. The recommended resolution is 1280 x 768
(16:10).
Step 4: From the left-hand Action panel, you can also click the Full screen icon to maximize the
display.
Step 5: To exit full-screen mode, use the Esc key on your keyboard or click the black arrow at the
top of the window to open the drop-down menu; then click Exit.
Step 6: In the Student Desktop window click on the Firefox Web browser icon.
Step 7: Click on the Azure Portal bookmark tab to open the Azure portal login page. Follow the steps
below to copy and paste the login credentials from the left-hand Action panel to log in to the Azure
portal.
A. Under the Azure Credentials click on the User and then click on the Send Text icon,
paste the copied user name and click Send. On the Azure Sign-in page click Next.
B. Repeat step A to copy and paste the Password.
C. Finally Click Sign-in.
NOTE: You can also access the Azure portal from your laptop browser and login using the
credentials provided by the Cloudshare lab environment.
End of Activity-0
Activity 1: Deploy Lab Environment with ARM Template
In this activity, you will
Bootstrapping is a feature of the VM-Series firewall that allows you to load a pre-defined configuration into
the firewall during boot-up. This ensures that the firewall is configured and ready at initial boot-up, thereby
removing the need for manual configuration. The bootstrapping feature also enables automated
deployment of the VM-Series.
The VM-Series firewall on Azure supports Azure Files service for bootstrapping. To manage the bootstrap
package for the VM-Series firewall on Azure, you will create a file share and directory objects that contain
the folder structure required for the bootstrap package. You can share an Azure file share across many
virtual machines so that all firewalls deployed in the same region as the storage account that hosts the file
share can access the files concurrently.
The management interface of the VM-Series firewall must be able to access the file share that holds the
bootstrap package so that it can complete bootstrapping. For details on bootstrapping the VM-Series firewall,
please refer to the following document:
https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-the-vm-series-firewall-in-azure.html
Step 1: Go to Azure portal and navigate to Storage accounts and click on storage account name.
Step 3: Click the bootstrap file share. You will see 4 directories. These directories were pre-created
during the lab setup and are required to bootstrap the firewall.
A. config
B. content
C. license
D. software
NOTE: If you have logged in to the Azure portal from your laptop browser instead of the lab
environment Student Desktop, then you need to download the lab files from the Overview tab to
your laptop and unzip the downloaded zip file in order to upload the bootstrap files to the config
directory.
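The bootstrap package has to be complete before the firewall can use it, and a missing directory or config file is easier to spot before the upload than in a failed boot. The following Python example is added here; it is not part of the guide or of any Palo Alto Networks tooling. It creates the four-directory layout in a temporary folder and validates it. The init-cfg.txt keys it writes and checks (type, hostname, dhcp-accept-server-hostname, ip-address, default-gateway, netmask) come from the VM-Series bootstrap documentation linked above, not from the lab files; the hostname value is constructed.

```python
import os
import tempfile

# The four directories the guide lists for the bootstrap file share.
REQUIRED_DIRS = ("config", "content", "license", "software")

# Assumed init-cfg.txt content. The key names follow the VM-Series bootstrap
# documentation; the hostname is a constructed value, not from the lab.
SAMPLE_INIT_CFG = "\n".join([
    "type=dhcp-client",
    "hostname=vmseries-example",
    "dhcp-accept-server-hostname=yes",
])


def build_package(root, write_init_cfg=True):
    """Create the bootstrap layout under root; optionally omit init-cfg.txt."""
    for d in REQUIRED_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    if write_init_cfg:
        with open(os.path.join(root, "config", "init-cfg.txt"), "w") as fh:
            fh.write(SAMPLE_INIT_CFG + "\n")
    return root


def parse_init_cfg(path):
    """Read key=value lines; blank lines and '#' comments are ignored."""
    cfg = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def validate_package(root):
    """Return a list of problems; an empty list means the layout is complete."""
    problems = []
    for d in REQUIRED_DIRS:
        if not os.path.isdir(os.path.join(root, d)):
            problems.append(f"missing directory: {d}")
    init_cfg = os.path.join(root, "config", "init-cfg.txt")
    if not os.path.isfile(init_cfg):
        problems.append("missing config/init-cfg.txt")
        return problems
    cfg = parse_init_cfg(init_cfg)
    if cfg.get("type") not in ("dhcp-client", "static"):
        problems.append("init-cfg.txt: type must be dhcp-client or static")
    if cfg.get("type") == "static":
        # A static management address needs the full IP settings.
        for key in ("ip-address", "default-gateway", "netmask"):
            if key not in cfg:
                problems.append(f"init-cfg.txt: static type requires {key}")
    return problems


def demo(complete=True):
    """Build a package in a temp dir and validate it; returns the problem list."""
    root = tempfile.mkdtemp(prefix="bootstrap-")
    build_package(root, write_init_cfg=complete)
    return validate_package(root)


if __name__ == "__main__":
    print("complete package:", demo(True) or "OK")
    print("without init-cfg.txt:", demo(False))
```

Run it against the unzipped lab files by pointing validate_package at the folder that holds the four directories; the check is deliberately read-only so it can be run on the share contents without changing them.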
Step 5: Go back to the Storage account. Select the Access Keys from the left panel and click on
Show keys.
Step 6: Copy either key1 or key2 to a text editor. Also copy the Storage account name. You will need
one of the keys and storage account name later.
Step 1: In the Azure portal, type template in global search box and select Deploy a custom
template.
Step 3: Click on Load file, navigate to Desktop/UTD-Azure-Lab-Files/, select the
azureDeploy.json file and click on Save.
Step 4: On the deployment page, enter the parameters as follows:
● Subscription: Select existing subscription
● Resource Group: Select existing resource group name
● Bootstrap Storage Account: Paste your bootstrap Storage Account name
● Bootstrap Access Key: Paste your Storage Account Access Key
● Bootstrap File Share Name: bootstrap
Step 5: Click on Review + Create and then click Create to deploy the template.
Step 6: Click the bell icon in the top right of the Azure Portal. Click Deployment in Progress. Wait
for the deployment to complete. Deployment might take 10-15 minutes.
Step 7: While ARM is deploying the resources, you can refer to the link below to get to know more
about Palo Alto Networks Azure cloud offerings.
https://live.paloaltonetworks.com/Azure
Task 3 - Review the Palo Alto Networks Products Offerings from Azure
Marketplace
This lab has deployed the Palo Alto Networks VM-Series 300 firewall with a bundle2 license
from the Azure marketplace using the ARM template. Palo Alto Networks offers various other products
on the Azure marketplace. Let’s take a look.
Step 1: Type market in the resources and products search box and select Marketplace.
Step 2: Type “palo alto networks” in the Search the Marketplace search box and press enter.
Step 3: On Azure, the VM-Series firewall is available in the bring your own license (BYOL) model or in
the pay-as-you-go (PAYG) bundle 1 and bundle 2 hourly model.
For the differences in the BYOL (bring your own license) and PAYG (pay as you go) models,
see this link for more information on VM-Series Firewall Licenses for Public Clouds.
https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall/license-typesvm-series-firewalls/vm-series-firewall-licenses-for-public-clouds.html
Step 4: The other products offerings include Cortex XSOAR and Prisma Cloud Compute.
Step 5: Prisma Cloud is a cloud security platform and provides threat protection, governance &
compliance to workloads running in Azure, AWS, GCP and Alibaba cloud. You will learn more
about Prisma Cloud in later activities.
Task 4 - [Optional] Subscribe to Prisma Cloud Free Trial Version
Prisma Cloud is a SaaS service and its subscription is available from the Palo Alto Networks, GCP and AWS
Marketplaces. The free trial version is currently offered only from the Palo Alto Networks marketplace. In this
task we will show how you can subscribe to the Prisma Cloud free trial version from the Palo Alto Networks
Marketplace. After completing the trial account registration process, your trial tenant will be ready for you
in a few hours. You can use your new trial tenant to learn more about Prisma Cloud.
Step 4: Enter the personal and company information requested in the form. Required fields are
indicated with red asterisks. Accept the privacy agreement and click on Create an account.
NOTE: A personal email address such as Gmail is not allowed for creating a new account. You need to use your
company email ID to create an account.
Step 5: It will take a couple of hours to provision the Prisma Cloud tenant. You will receive a welcome
email that includes a link to log in to the Prisma Cloud tenant once it’s ready.
Step 6: Here is the video link to give you an overview of Prisma Cloud:
https://www.paloaltonetworks.com/prisma/comprehensive-cloud-native-security-demo
NOTE: You will do the hands-on lab by accessing the Prisma Cloud demo portal in lab
activities 10-11.
Task 5 - Check Deployment Status and Review What Has Been Deployed
Step 1: When the lab ARM template deployment completes you will see the screen below.
NOTE: If there is any issue with deployment and ARM template deployment failed, delete the
current deployment and repeat the Task 2 steps. Delete only the deployment and DO NOT
delete the resource group.
Step 2: Right click on Outputs and select Open Link in New Tab. Keep the output page open. You
will need the url from this page in next lab activities.
Before looking at the resources deployed by ARM template let’s first review the lab topology. The below
lab diagram describes how different resources are deployed and connected to each other.
To review all the resources deployed by the template Go to Azure portal. Right click on All resources
and select open in a new tab. Depending on the browser type you might have to re-login to Azure portal.
You can group all the resources by clicking on Type.
Here is a high level break down of resources:
Virtual Machine
The template deploys four virtual machines: a web server, a DB server and two VM-Series firewalls.
Network interfaces
For the firewalls: vmseries-vm1-nic0 and vmseries-vm2-nic0 are the management interfaces,
vmseries-vm1-nic1 is in the untrust zone and vmseries-vm1-nic2 is in the trust zone.
Route Table: User defined Routes (UDRs)
The UDRs enable the VM-Series firewall to secure the Azure resource group. For the four
subnets—Trust, Untrust, Web, and DB —included in the template, you have three routes, one for routing
traffic from the web to the FW, the DB to the FW and the default route. Each route ensures that the traffic
flows through the VM-Series firewall.
Public IPs
End of Activity-1
Activity 2: Access and Review VM-Series Firewall
In this activity, you will:
Step 1: To access the firewall login page, go back to the Outputs tab in your browser. If you have
closed the browser Output tab then go to Resource groups > Deployments > Microsoft
Template to access the deployment template output.
Step 2: Click the blue box to the right of fw1-mgmt to copy.
Step 3: Open a new browser tab and navigate to the fw1-mgmt link copied in the previous step.
Username: paloalto
Password: Pal0Alt0@123
NOTE: If you get a security exception, please ignore it for this lab and proceed to the firewall
login page. We are using a self-signed certificate, which causes the exception.
If the message "Your connection is not private" opens, click Advanced, and then Proceed to
<IP address> (unsafe).
Step 4: You are now logged in to the firewall. Take a look at the welcome page to see some of the
features introduced in the latest release of PAN-OS. Click Close to close the welcome page
and that will bring you to the default dashboard view.
Step 5: The dashboard provides a visual summary of the device status. It is widget-based and can be
customized to fulfill your specific requirements.
In the General Information widget, you can see this VM is a Microsoft Azure instance under
the VM Mode.
The Monitor tab is where you can perform log analysis and generate reports on all of the traffic flowing
through the VM-Series. Logs are stored on box and can also be forwarded to either Panorama, our
centralized management solution, or forwarded to a syslog server for analysis and reporting by 3rd party
offerings.
Step 1: Click the Monitor tab. Navigate through the various log viewers.
Step 2: Click Reports to see the various pre-defined reports you can use.
NOTE: Your firewall is new and doesn’t have any data yet so any reports you create at this
point will likely be blank. You can return to this step at the end of the lab and create a new
report.
Task 3 - Review the Security Policies
The Policies tab is where you will define all of your policies. The default view will be your security
policies, all of which can be based on the application, the content within, and the user.
Step 1: Click the Policies tab. As shown along the left side of the image, additional policies can be
defined for actions such as NAT, Decryption, and DoS.
Step 2: Mouse over the column header Tag, click on the drop down and select Adjust Columns. This
will allow you to see the information much easier.
Step 3: In the WEB-TO-DB rule (rule 4) and under the Application column, click on the small arrow
next to mysql. Then click on Value to see the details for the mysql App-ID. You will see details
about the application including the standard ports.
The VM-Series is a next generation firewall. It does not simply assume all traffic on TCP port
3306 is MySQL. It inspects the traffic and ensures that it truly is MySQL.
Step 4: On the left-hand side, under NAT, you can also inspect the translation rules: rules that allow the web
and db servers to be accessed from the outside world via SSH, a NAT rule that allows HTTP
access to the web server, and a default outbound NAT rule that allows the web and db servers to
access external resources.
In short, the NAT policies allow SSH access to the web and db servers and direct web
traffic to the web server only.
Task 4 - Review the Object, Network and Device Tabs
The Objects, Network, and Device tabs provide you with the various management capabilities.
Step 1: Click the Objects tab. The Objects tab allows you to manage the building blocks for creating
policies such as address objects, custom applications, and security profiles.
Step 2: Click the Network tab. The Network tab allows you to create and manage interfaces, security
zones, VLANs and other elements that enable connectivity.
The interface ethernet1/2 in the Trust zone is the Layer 3 interface where the assets that need
to be protected reside (in this case the web and database servers).
The interface ethernet1/1 in the Untrust zone is the Layer 3 interface that is exposed to the
outside world. All traffic enters through this interface.
Step 3: Click the Device tab. The Device tab is where configuration items like DNS, service routes,
etc. are managed. The device tab also allows you to manage high availability, users, software
and content updates.
End of Activity-2
Activity 3: Enable Applications with App based Policy
In this activity, you will:
Step 1: Go to the Azure portal Output tab. If the Output tab is closed, navigate to Resource
groups > Deployments > Microsoft Template > Output and copy the ssh-web-vm value.
Before making an HTTP request to the web server, let’s first check that webserver-vm is up and running.
Step 2: Open a terminal in the Student Desktop tab. Click the terminal icon on the left side ribbon.
Step 3: Execute the following ssh command in the terminal to SSH to webserver-vm.
Note: You can also paste the ssh command copied in the previous step.
Step 4: Now go back to Azure portal Output section of the deployments, copy the web-server-url,
open a new browser tab and paste it. You should see the Apache2 default page.
Step 5: Return to firewall UI and navigate to Monitor -> Logs -> Traffic. You should see
web-browsing logs. If there is so much traffic that you cannot see your web-browsing logs,
type an application filter ( app eq web-browsing ) and click on the Apply Filter arrow.
Task 2 - Verify Dynamic Content on Web Server
In this task, you will generate a WordPress content request from your web browser that will trigger a
database query to the MySQL server. Like many web-based applications, WordPress uses a backend
database to create, store, and retrieve dynamic content. You will use the WordPress application to show
exactly this type of behavior and demonstrate how the VM-Series firewall will secure this traffic.
Step 1: Go back to Azure portal Output section of the deployment summary, copy the
web-server-url-wordpress, open a new browser tab and paste it.
NOTE: This will eventually time out but it will take a while. You can proceed with the next step
without waiting for the timeout.
Step 2: Return to the firewall Monitor tab and check the firewall logs to troubleshoot the problem.
(Remove the last filter by clicking on the X if needed).
You should see deny logs. If there is so much traffic that you cannot see your deny logs, type
the filter ( action eq deny ) and ( port.dst eq 3306 ) and click on the Apply Filter
arrow.
As you can see, the MySQL traffic (TCP port 3306) is being blocked. Let’s look at
the security policy to determine the cause.
Step 1: Go to the Policies tab and click on Security on the left-hand pane. Look at WEB-TO-DB rule
(rule 4) and note the source and destination address.
As you can see, the Source and Destination addresses are reversed and need to be
corrected. The Source address should be web-vm and the destination address should be
db-vm.
Step 4: Next, click on the Destination tab and then click on web-vm to bring up the pull-down menu
and change the selection to db-vm.
Step 6: Verify your security rule now resembles the snapshot below. This rule should allow traffic
from the web to the db server.
Step 7: Click on Commit in the upper right. With “Commit All Changes” selected, click on Commit to
commit the changes.
Step 8: Verify the commit was successful and then click Close.
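The reason the WordPress request failed is simply first-match evaluation: with source and destination swapped, the WEB-TO-DB rule never matches a session from web-vm to db-vm, so the session falls through to whatever denies unmatched traffic. The Python example below is added here and is not part of the guide or of PAN-OS; it models a two-rule rulebase and shows the reversed rule beside the corrected one. The address-object IPs, the DENY-ALL cleanup rule and the session values are all constructed assumptions, not values from the lab.

```python
from dataclasses import dataclass

# Constructed address objects: the lab's real IPs are not given in the guide.
ADDRESS_OBJECTS = {"web-vm": "10.0.2.4", "db-vm": "10.0.3.4"}


@dataclass(frozen=True)
class Rule:
    name: str
    source: tuple          # address-object names, or ("any",)
    destination: tuple
    application: tuple     # App-IDs, or ("any",)
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    app: str               # App-ID the firewall identified, e.g. "mysql"


def _match_addr(names, ip):
    return "any" in names or ip in {ADDRESS_OBJECTS[n] for n in names}


def _match_app(apps, app):
    return "any" in apps or app in apps


def evaluate(rulebase, session):
    """First matching rule wins, top to bottom; returns (rule name, action)."""
    for rule in rulebase:
        if (_match_addr(rule.source, session.src_ip)
                and _match_addr(rule.destination, session.dst_ip)
                and _match_app(rule.application, session.app)):
            return rule.name, rule.action
    return None, "deny"   # nothing matched: treat the session as dropped


def web_to_db_rule(source_obj, destination_obj):
    """Rule 4 from the lab: mysql allowed from source object to destination object."""
    return Rule("WEB-TO-DB", (source_obj,), (destination_obj,), ("mysql",), "allow")


# Constructed cleanup rule standing in for whatever denies unmatched traffic in the lab.
DENY_ALL = Rule("DENY-ALL", ("any",), ("any",), ("any",), "deny")

# The WordPress page load as the firewall sees it: web server opening MySQL to the DB.
WORDPRESS_QUERY = Session("10.0.2.4", "10.0.3.4", "mysql")


def before_fix():
    """Source and destination reversed, as found in Step 1."""
    return evaluate([web_to_db_rule("db-vm", "web-vm"), DENY_ALL], WORDPRESS_QUERY)


def after_fix():
    """Source web-vm, destination db-vm, as committed in Steps 4-8."""
    return evaluate([web_to_db_rule("web-vm", "db-vm"), DENY_ALL], WORDPRESS_QUERY)


if __name__ == "__main__":
    print("before fix:", before_fix())
    print("after fix: ", after_fix())
```

Note that the corrected rule is still application-based: a session from web-vm to db-vm that the firewall identifies as anything other than mysql does not match it, which is the behaviour the SSH attempt in Activity 4 relies on.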
Step 1: Return to your WordPress browser tab and click refresh. You should see the initial WordPress
welcome screen.
NOTE: You don’t need to actually configure the new WordPress server for the purpose of the
test drive. In its initial, un-configured state, it will generate the traffic we need to test the
VM-Series firewall.
Step 2: Now, head back to the firewall Monitor tab and verify that the traffic did indeed go through the
firewall from WEB-TO-DB (Remove the last filter by clicking on the X if needed).
You should be able to see the initial web request, the subsequent MySQL request and the
additional web traffic.
If you have trouble seeing the log entries for traffic that you generated, you can create a traffic
log filter as above with the entry ( app eq mysql ) and apply the new filter by clicking on the
Apply Filter arrow.
End of Activity-3
Activity 4: Enhance Protection for Applications with Threat Prevention Profile
In this activity, you will:
This task will simulate a compromised web server that is being used to attack the database. This is a
common attack strategy of getting a foothold on the web front-end server and then expanding to the other
application tiers with the ultimate goal of accessing all data in the database.
Because the Palo Alto Networks VM-Series firewall has visibility of traffic between the web and database
server (east/west traffic), it can detect and automatically block the attacker’s attempt to compromise other
resources.
Step 1: Go to Azure portal Output section of the deployment summary, copy the
web-server-url-sql-attack, open a new browser tab and paste it.
Step 2: Click on LAUNCH WEB TO DB SSH ATTEMPT to simulate a web to db ssh attempt. This
launches a CGI script that attempts to ssh as root to the db server from the web server.
Step 3: Now return to the firewall’s Monitor tab to note the failed traffic. If you have trouble seeing the
log entries, apply the log filter with the entry ( port.dst eq 22 ).
The above log entries indicate that the firewall has successfully prevented the DB attack and has
secured the E/W traffic.
Task 2 - Review the Threat Protection Profile
In this task, we will look at the Vulnerability Protection profile. This profile is used to prevent
exploits of vulnerabilities – in the case of MySQL. There are many other components of Palo Alto
Networks threat protection that are beyond the scope of this lab and are not included in the
firewall configuration.
Step 1: On the firewall’s security policies tab, under Security, WEB-TO-DB rule, you will notice that
the web to db traffic is protected further by a vulnerability profile.
Step 2: Click on the icon in the Profile column and you will see all the threat protection profiles.
Step 3: Note the Test Drive Vulnerability Protection profile. This is a custom profile created just for
this lab. It is part of the default vulnerability protection profile but is called out separately for
the purpose of this lab environment.
Step 4: To take a closer look at the vulnerability protection profile go to Objects > Security Profiles >
Vulnerability Protection and click on “Test Drive”.
Task 3 - Trigger the SQL brute force attack and review logs
For this task, you will launch some scripted attacks on the SQL server and use the pre-configured
threat protection to show and block those attacks on the VM-Series firewall. As noted above,
these are simple, scripted attacks and blocking configurations – there are many other threat
protections features available on the Palo Alto Networks VM-Series that are beyond the scope of
this demo.
NOTE: This task requires the Applications and Threats content to be installed on the VM-Series firewall to
detect the attack. Please make sure content is installed by navigating to Device > Dynamic
Updates.
If content is not installed, please refer to Appendix-1 (at the end of the workshop guide) to install the
Applications and Threats content.
Step 1: Let’s finally trigger the attack. Head back to the Azure portal Output section of the deployment
summary, copy the web-server-url-sql-attack, open a new browser tab and paste it.
Step 2: Click on LAUNCH BRUTE FORCE SQL ROOT PASSWORD GUESSING to start a script that
will generate multiple failed MySQL authentication attempts. This launches the scripted
attacks on the SQL server, and the pre-configured threat protection on the VM-Series firewall
will detect and block them.
Step 3: Now return to the firewall and click the Monitor tab and then click on Threats in the left-hand
pane under Logs and notice the new vulnerability log message regarding the failed MySQL
events:
Step 4: The CGI script you launched above attempted to login to the MySQL database multiple times
with an incorrect password. The VM-Series firewall saw this activity and using the
vulnerability profile, reset the connection and logged the activity.
End of Activity-4
Activity 5: VM-Series Integration with Azure Application Insights
Step 1: On the Azure console, type Application Insights in the search box and then select the
Application Insights listed under the Services.
Step 3: Review the entered information and click Create.
Application Insights instance deployment will take a few minutes to complete. To check the
progress of the deployment, navigate to the top of the screen and click the bell icon. When the
deployment is complete, the notification tab will say “Deployment succeeded”.
Step 4: Once the deployment is complete click on Go to resource and then select the Overview and
click on Copy to clipboard icon to copy the Instrumentation Key. The firewall needs this key
to authenticate to the Application Insights instance and publish metrics to it.
In this task, you will configure the firewall VM-Series plugin to enable the integration with Azure
Application Insight.
Step 1: In the VM-Series firewall, click the Device tab, then scroll down in the left panel and select
VM-Series and then click on the Azure Application Insights gear to edit.
Step 2: Select Enable Application Insights by clicking on the checkbox and enter the
Instrumentation Key you copied earlier. You can also change Update Interval to 1 minute
(default is 5 min). Update Interval is the frequency at which the firewall publishes the metrics to
Application Insights.
Step 3: Click OK to close the window.
Step 4: From the top right click Commit to save the changes. Disregard any commit warnings. When
the commit is complete, click Close.
The firewall generates a system log to record the success or failure to authenticate to Azure
Application Insights.
Task 3 - Verify that you can view the metrics on Azure
In this task, you will select the specific metrics published by firewall to Azure Application Insights.
Step 1: On the Azure portal, select the Application Insights instance, and select Metrics > metric to view the
PAN-OS custom metrics. Select the metric(s) that you want to monitor.
Step 2: Select Add Metrics to add multiple metrics. To change the graph, click on Aggregation and
select count.
The PAN-OS metrics allow us to monitor the firewalls directly from the Azure portal. These
metrics allow you to assess performance and usage patterns that you can use to set alarms
and take actions to automate events such as launching or terminating instances of the
VM-Series firewalls.
End of Activity-5
Activity 6: Outbound Access During Failover with Azure Load Balancer
● Update the UDR to redirect traffic from web and db servers to Internal load
balancer
● Run the wget command from web server vm
● Check the firewall traffic logs to see which firewall is passing traffic
● Release DHCP lease on trust-zone interface of the firewall passing traffic
● Check traffic logs of the second firewall to verify traffic is picked up after failover
The goal of this test is to provide fault tolerance and secured access to the internet. The internal load
balancer handles the fault tolerance and decides when a firewall is no longer suitable to receive traffic.
The last step is to test failover using wget. Failover is simulated by releasing the DHCP assigned IP
address on the trust interface of the firewall that is passing traffic. Once DHCP is released the load
balancer will send traffic to the next available firewall.
What are User Defined Routes? UDRs are used to send traffic to a desired next hop, and this will be
demonstrated in this lab activity.
In previous lab activities the route table was configured to route traffic to the vm-series-vm1 trust interface.
In this task you will update the Web, DB and default routes to point to the internal load balancer. After the UDR
update, the topology will look like the diagram below:
Step 1: Go to Azure portal and select the Load balancers. Click on Overview and copy the internal
load balancer Private IP address. You will use this IP to update the route.
Step 2: Internal load balancer is pre-configured with the backend pool IP address of vmseries-vm1
and vmseries-vm2.
Step 3: To update the routes. Click on All resources and type route in filter-by-name search box.
From the search list click on vm-route-table.
Step 4: On the expansion tab under Settings, select Routes. You will see three UDRs pointing to
the vmseries-vm1 trust interface as the next hop.
Step 5: To forward the traffic to the internal load balancer click on db-udr and replace the Next hop
address with internal load balancer address.
Step 7: Repeat steps 4-6 on default-udr and web-udr. The route will look like the picture below once
all three UDR next hop addresses are updated.
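The UDRs described in Activity 1 and repointed in this task do two things: longest-prefix match decides which route a destination takes, and the next hop of every route decides whether the packet passes a firewall at all. The Python example below is added here (it is not part of the guide and does not call Azure) and models the three-route table, the lookup, the next-hop swap from the firewall trust IP to the internal load balancer, and a check for routes that would bypass inspection. The subnet prefixes, the firewall trust IP and the load balancer IP are constructed assumptions; the guide does not give the lab's real values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: the guide does not give the subnet prefixes or
# interface IPs, so these are assumptions for illustration only.
FW1_TRUST_IP = "10.0.1.4"     # assumed IP of the vmseries-vm1 trust interface (nic2)
ILB_IP = "10.0.1.100"         # assumed private IP of the internal load balancer
WEB_SUBNET = "10.0.2.0/24"
DB_SUBNET = "10.0.3.0/24"


@dataclass(frozen=True)
class Route:
    name: str
    prefix: str     # destination address prefix
    next_hop: str   # next-hop IP (Azure "virtual appliance" next hop)


def build_route_table(next_hop):
    """The three UDRs the guide describes, all pointing at the same next hop."""
    return [
        Route("web-udr", WEB_SUBNET, next_hop),
        Route("db-udr", DB_SUBNET, next_hop),
        Route("default-udr", "0.0.0.0/0", next_hop),
    ]


def lookup(routes, destination):
    """Longest-prefix match over the UDRs; Azure system routes are omitted here."""
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def repoint(routes, old_hop, new_hop):
    """Steps 5-7 of this task: replace the firewall trust IP with the ILB IP on every route."""
    return [Route(r.name, r.prefix, new_hop if r.next_hop == old_hop else r.next_hop)
            for r in routes]


def bypassing_routes(routes, inspected_hops):
    """Names of routes whose next hop is neither a firewall nor the ILB in front of them."""
    return [r.name for r in routes if r.next_hop not in inspected_hops]


if __name__ == "__main__":
    table = build_route_table(FW1_TRUST_IP)
    for dest in ("10.0.3.5", "8.8.8.8"):
        print(dest, "->", lookup(table, dest).name)
    updated = repoint(table, FW1_TRUST_IP, ILB_IP)
    print("after update:", [(r.name, r.next_hop) for r in updated])
    print("bypassing inspection:", bypassing_routes(updated, {FW1_TRUST_IP, ILB_IP}))
```

bypassing_routes is the check worth keeping after the lab: any route in the table whose next hop is not the firewall or the load balancer in front of it lets the web or DB subnet reach that destination without inspection.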
For this task you will need to be logged into webserver-vm via SSH, and both firewalls simultaneously via
https. If you are not already logged into these virtual machines, please do so now.
Username: paloalto
Password: Pal0Alt0@123
Step 2: Execute the following ssh command in the Student Desktop terminal to log in to
webserver-vm.
Step 3: From webserver-vm, run the sudo wget www.google.com command. Hit the up arrow
and press enter to run this command multiple times.
Alternatively, you can also run below commands to generate multiple wget requests.
sudo su
for i in {1..30}; do wget www.google.com -O index.html; sleep 5; done
Step 4: From vm-series-vm1, go to the Monitor tab, select Traffic, and filter by ( port.dst eq 80 ).
Here you should see google-base traffic in the logs. If you don’t see the traffic in
vm-series-vm1, then check vm-series-vm2.
Step 5: From vm-series-vm2, go to the Monitor tab, select Traffic, and filter by ( port.dst eq 80 ).
Now you know vm-series-vm2 is passing traffic.
Step 6: Back on webserver-vm, re-run the wget script if it has stopped or run the sudo wget
www.google.com command multiple times using the up-arrow + enter key sequence.
Step 7: From vm-series-vm1 or the firewall that is passing traffic, navigate to Network >
Interfaces. Select the ethernet1/2 interface and click the Dynamic-DHCP Client link, then
click Release. The release should be instantaneous.
Step 8: On webserver-vm, continue to run the wget script or the wget www.google.com command
multiple times using the up-arrow + enter key sequence.
Step 9: On vm-series-vm2, navigate to the Monitor > Traffic. Notice the private IP address of
webserver-vm in the traffic logs. This shows that the load balancer has successfully failed
over traffic to vm-series-vm2.
Please remember to check the other firewall if you don’t see any traffic.
Step 10: Renew the DHCP lease on the ethernet1/2 interface of the firewall on which you released the
DHCP lease.
In this task you used wget to test internet access. This test was performed to demonstrate
how Azure-based high availability handles outbound traffic during a failover.
End of Activity-6
Activity 7: Strengthen Security Rule with Policy Optimizer
In this activity, you will:
Policy Optimizer identifies port-based rules and shows you the applications seen by each rule, so you
can convert them to application-based whitelist rules, or add applications to existing rules, without
compromising application availability.
Step 1: Go to the VM-Series firewall console and navigate to Policies > Security, noting the “Policy
Optimizer” window in the lower left.
Step 2: Click No App Specified to open the window that shows security policies that have no
application specified. In our lab, the “allow-inbound-web” rule is configured with “Any”
applications.
Step 3: Click on the “allow-inbound-web” under Name to open the rule window to review the rule.
Review the Application tab and the Service/URL Category tab. This rule is configured with
“Any” for Applications and “service-http” and “service-https” in Service/URL Category. Click
Cancel to close the policy rule window.
Step 4: In the “Apps Allowed / Apps Seen” column of the No App Specified window, you can see how
many applications this policy has seen or allowed. Click on Compare to open the Applications
& Usage window.
Step 5: Select the web-browsing application with the checkbox; note that now you have the option to
decide what to do, either to Create Cloned Rule or Add to This Rule.
Note that you can change the Timeframe to see when these applications were seen.
Step 6: As an example, in this lab, we will use the Create Cloned Rule, which will allow us to keep
the original rule. Click on the Create Cloned Rule.
Step 8: Go back to Policies > Security and notice the new “allow-inbound-web-app-rule” is added on top
of the original “allow-inbound-web”. More importantly, the new rule is an application-based
policy.
Step 1: Open the “allow-inbound-web-app-rule” created in the previous task and note that the policy is
identical to the original “allow-inbound-web”, so it has the same Source and Destination zone,
with an added application selected through Policy Optimizer.
Step 2: Go to the “Service/URL Category” tab and notice that “service-http” is still selected per the original
policy.
Step 3: Select “service-http” using the checkbox and click on Delete. “application-default” will be
selected by default. This restricts the selected applications to their application-default ports
and greatly improves the security of this policy.
Step 4: In the “Actions” tab, select “Profiles” in “Profile Type” and select “default” for Antivirus and
Anti-Spyware.
Step 5: Commit the changes. You have now created an application-based policy and applied
additional security profiles to enhance the protection for this application.
Now that you have started creating an application-based policy with enhanced security
protection, you can easily move the other applications to this policy. Over time, you should be
able to move all the applications that you want to allow and protect them using an
application-based policy.
NOTE: You can use Policy Optimizer to create a rule to “block” a specific application if you
have discovered an unwanted application passing through the non-application-based policy.
● Find all the rules in your policy that have no applications configured.
● Report on applications that have been defined in a rule but have not been seen using the
rule in the past 90 days.
● Report rule usage statistics and highlight which rules have not been hit with sessions in
the past 30 or 90 days, or since the last restart.
End of Activity-7
Activity 8: Deploy CN-Series Containerized Firewall
In this activity you will deploy the Palo Alto Networks CN-Series Containerized firewall to
enforce security at specific security boundaries within an Azure Kubernetes Service (AKS)
cluster. The CN-Series firewall is composed of a Management Plane (MP) service and a Data
Plane (DP) daemonset. Panorama, the Palo Alto Networks centralized security management
platform, is also required for the deployment of the CN-Series firewall. The solution uses a
Panorama plugin to make API calls into Kubernetes to pull various items such as tags and
namespaces.
Topology:
Task 1 - Deploy Kubernetes Cluster in Azure Kubernetes Service (AKS)
In this task you will access the Student Desktop terminal and execute the commands to build the
Kubernetes cluster.
Note: If you are already using the Student Desktop to access the Azure Portal, you can skip Steps 1-5.
Step 1: Go to the CloudShare lab environment and click on the Student Desktop tab at the top of the
page.
Step 2: In the left-hand side Action panel under the Virtual Keyboard, click on the key icon to log in
on Student Desktop.
Step 3: If the Student Desktop resolution is too high or too low for your laptop display, you can adjust
the resolution by right-clicking on the desktop and then selecting Display Settings. Select
the resolution from the Resolution drop-down. The recommended resolution is 1280 x 768
(16:10).
Step 4: From the left-hand Action panel you can also click the Full screen icon to maximize the
display.
Step 5: To exit full-screen mode, use the Esc key on your keyboard or click the black arrow at the
top of the window to open the dropdown menu; then click Exit.
Step 6: In the Student Desktop window click on the Text Editor icon. You can use this text editor to
copy and paste the commands and make a note.
Step 7: In the Student Desktop window open the terminal by clicking on the terminal icon.
Step 8: Execute the following az command into the terminal window. This command authenticates to
the Azure account.
az login
Step 9: The above command will open a Firefox browser or a new tab in an already open browser.
NOTE: If you are already logged in to the Azure portal from the Student Desktop browser, use
the signed-in account to log in and skip Steps A and B.
Follow the steps below to copy and paste the login credentials from the left-hand Action pane
to log in to the Azure portal.
A. Under the Azure Credentials click on the User and then click on the Send Text icon to
paste the user name into the Azure Sign in email or phone box and click Next.
B. Click on the Password and then click on the Send Text icon to paste the password to
complete the login.
Step 10: Go back to the terminal window and change the directory to ~/utd-cn-series/aks. The
aks folder contains a Terraform plan that deploys a Kubernetes cluster in Azure Kubernetes
Service (AKS). This cluster meets the minimum requirements to support a CN-Series firewall
and will deploy regionally to span multiple availability zones for maximum redundancy
and scalability.
cd ~/utd-cn-series/aks
Step 11: Execute the below command to review the terraform.tfvars file.
cat terraform.tfvars
Step 12: Execute the following az command to get the Azure resource group name.
az group list
Step 13: Double-click on the resource group name and right-click to copy it. We will use the resource group
name in the following steps.
Step 14: Execute the following sed command to update the terraform.tfvars file.
NOTE: If you are more comfortable with an editor, such as vi or nano, feel free to use it
instead of sed.
Step 15: Verify the resource group name is replaced correctly by executing cat terraform.tfvars
command.
Step 16: Now execute the following Terraform commands to deploy the kubernetes cluster.
terraform init
terraform plan
C. Once validated use the following command to execute the deployment of the Terraform
script. Note we are using the -auto-approve flag so you will not need to approve the
terraform apply.
terraform apply -auto-approve
NOTE: Cluster node deployment usually takes about 7 minutes, but can take longer
depending on the lab and the Azure resources used.
Step 17: Go to the Firefox browser and click on the Azure Portal bookmark tab.
Step 18: In the Azure portal, go to Kubernetes Services. You will see the cluster name
student-k8s-cluster is spinning up.
Step 19: While the cluster is getting ready, let's move to the next task to understand the core building
blocks of the CN-Series firewall. AKS will take around 7 minutes to complete the cluster
deployment.
The core building blocks to Deploy the CN-Series Firewalls are:
A. Distributed PAN-OS architecture with CN-MGMT and CN-NGFW pods - The management
plane (CN-MGMT) and data plane (CN-NGFW) of the containerized firewall are separate to
enable better runtime protection for applications and to support a smaller footprint. This
architecture enables you to place the CN-NGFW DaemonSet pod on each node that you want to
protect workloads in a cluster, and a pair of CN-MGMT pods can connect to and manage up to 30
CN-NGFW pods within a cluster.
a. CN-MGMT runs as a StatefulSet to ensure that it has persistent volume and is exposed
as a K8s service that can be discovered using DNS in the Kubernetes environment. The
CN-MGMT provides fault tolerance and a single CN-MGMT pod can manage the existing
CN-NGFW pods in the event of a restart or a failure of a CN-MGMT pod.
b. CN-NGFW runs as a DaemonSet. Each instance of the CN-NGFW pod can secure 30
application pods deployed within the cluster.
B. PAN-CNI plugin for network insertion - The PAN-CNI plugin is responsible for the allocation of
network interfaces on every Pod, which enables network connectivity to the Containerized NGFW
Pod. The PAN-CNI plugin is inserted into the CNI plugin chain within each node on the cluster by
the PAN-CNI DaemonSet. The plugin reads the annotation on each application pod as it comes
up to determine whether to enable security and redirect traffic to the Containerized NGFW Pod
for inspection as it ingresses and egresses the Pod.
C. Panorama for centralized management - Panorama functions as the hub for managing the
configuration and licensing of the containerized firewalls. It also hosts the Kubernetes plugin,
which enables monitoring of the Kubernetes clusters, and centralized Security policy
management.
D. Kubernetes Plugin on Panorama - The Kubernetes plugin manages the licenses for the
CN-Series firewall. Licensing is based on the number of nodes within a cluster. Each CN-NGFW
pod uses a license token, and the tokens are managed locally on Panorama after you activate the
auth code and retrieve the specified number of tokens from the Palo Alto Networks license
server. As each CN-NGFW comes up on the Kubernetes nodes, Panorama distributes the license
tokens locally. The Kubernetes plugin on Panorama also enables you to monitor your clusters
and leverage Kubernetes labels that you use to organize Kubernetes objects such as pods,
services, deployments and the associated identifying attributes, so that you can create
context-aware Security policy rules.
You can refer to the link below to get to know more about Palo Alto Networks CN-Series:
https://live.paloaltonetworks.com/CN-Series
Task 3 - Connect to the Kubernetes Cluster
In this task you will check the Kubernetes cluster status by executing commands and from the Azure portal.
Step 1: Go back to the terminal window and review the status of the Terraform apply command.
Step 2: Once the Terraform command successfully deploys the cluster nodes you will see the output
below:
Step 3: [Important] Execute the following az command to update the kubeconfig file with the new
cluster's information.
Step 4: Now execute the following kubectl commands to verify the number of nodes, their status,
and the default services running on your Kubernetes cluster:
Step 5: Verify the cluster nodes have been built and are in a Ready status.
Step 7: Click on the Kubernetes cluster name student-k8s-cluster to review the cluster and configured
nodes information.
Step 8: Make a note of the API server address. You will use this address while configuring
kubernetes plugin on Panorama.
The API server address is also available from the terraform outputs.
cd ~/utd-cn-series/cn-series
Step 2: Execute the below command to review the terraform.tfvars file containing the variables
and their associated values. The panorama_ip is the External IP address of the Panorama.
cat terraform.tfvars
Step 3: From the lab environment top ribbon select the Panorama CLI tab. In the Action panel click
on Connection Details, and click on the External Address to copy it to the clipboard.
Step 4: Go back to the Student Desktop terminal window and follow the steps below to update the
terraform.tfvars file.
nslookup <panorama external address>
NOTE: Remember to use the Send Text icon from the Action panel.
D. Execute the cat terraform.tfvars command to verify the address has been
replaced.
Step 5: Now let's verify that the Panorama auth key in the terraform.tfvars file matches the key
available on the Panorama VM.
Step 6: Select the Panorama CLI tab and login into Panorama CLI mode using below credentials:
Username: student
Password: utd135
Step 7: Run the CLI command below. Verify the output against the panorama_auth_key in the terraform.tfvars file from step 2.
request bootstrap vm-auth-key show
Step 8: [Optional] If you don’t see any output from the above command, generate a new auth key using
the command below and update the terraform.tfvars file with the new key.
Step 9: Now execute the following Terraform commands from the Student Desktop terminal
window to create the resources necessary to deploy the CN-Series.
terraform init
B. Validate the Terraform plan. The plan leverages the Terraform Helm provider to deploy
the cn-series Helm chart.
terraform plan
C. Once validated use the following command to execute the deployment of the Terraform
script. Note we are using the -auto-approve flag so you will not need to approve the
terraform apply.
NOTE: Do you see an error? It seems you have missed a step. Go back to Task 3, Step
3 and execute the command.
The Terraform apply command will create the service account and PAN-CNI plugin and
deploy the CN-Series firewall Management Plane (MP) Service and Data Plane (DP)
Daemonset pods.
Step 10: Execute the following kubectl command to get the status of the cni, mgmt (MP) and ngfw (DP)
pods:
NOTE: With the CPU and memory configuration of the student-k8s-cluster, the CN-Series pods
take around 5-9 minutes to be up and fully running; keep checking the pod status. Even though
the Pods are Running, they are not fully up and accessible until the state is 1/1 for each of the
Pods. You will see 1/1 under the READY heading. During this time many processes are
happening, including PAN-OS bootup, auto-provisioning onto Panorama, Panorama
provisioning, auto-commit, etc.
Step 20: While the pods are getting ready, let's move to the next task to configure the Panorama
Kubernetes plugin.
The Panorama plugin creates the interfaces and vwires and associates the template named
K8S-Network-Setup. The template has 30 vwires; each vwire is a pair of interfaces used to secure
one application. A containerized firewall can secure a maximum of 30 application pods on a node. Without
any initial configuration the traffic will be terminated at the Data Plane (DP) pod, since there is no allowed
connection between the two interfaces by default.
The following steps are needed to complete the integration of Panorama with the Kubernetes API.
This is done using the Kubernetes plugin for Panorama. Its purpose is to learn new labels and propagate
those labels to Panorama device groups. These labels may include Kubernetes labels, services,
namespaces, and other metadata from which Dynamic Address Group (DAG) match criteria may be
defined. Other configuration steps have been completed for you in advance, such as the creation of
Panorama Templates, Template Stacks, Device Groups, and vwire interfaces.
Step 1: Copy and paste the following kubectl command into the terminal window. This command
fetches the secret name for the service account created in the previous task and places it in
MY_TOKEN.
NOTE: Use the Send Text from the Virtual Keyboard to paste the above command into the
terminal window.
A Service account is a special type of Google account that will grant permissions to virtual
machines instead of end users. Service accounts are primarily used to ensure safe, managed
connections to APIs and Google Cloud services. This Service account will be used to allow
the Panorama Kubernetes plugin to access the AKS Cluster.
Step 2: Copy and paste the following kubectl command into the terminal window. This command
downloads the JSON credential file. The credential file will be created in the Downloads
directory. You will use this file to configure the Kubernetes plugin on Panorama.
Step 3: In the Student Desktop open a Firefox browser, click on + to add a new tab and then click on
the Panorama GUI bookmark tab.
NOTE: You can also access the Panorama console directly from your laptop browser by
clicking on the Panorama GUI tab in the lab environment. Because the JSON credentials file is
downloaded on the Student Desktop, in this task you will access Panorama from the
Student Desktop browser.
If you get a security exception, please ignore it for this lab and proceed to the firewall login
page. We are using a self-signed certificate, which causes the exception.
If the message “Your connection is not private” opens, click Advanced, and then Proceed to
<IP address> (unsafe):
Step 6: Once logged in click on the Panorama at the top of the page, then in the left menu navigate to
Setup > Interfaces and click on Management.
Step 7: In the Student Desktop go to the terminal window and run the nslookup command to get the
public IP address of Panorama.
Note: Select the Panorama CLI tab. In the Action panel click on Connection Details, and
click on the External Address to copy it to the clipboard.
Step 8: Copy the address from nslookup output and go to the Panorama console and paste the
address in the Public IP Address box.
Step 10: In the left menu scroll down and navigate to Kubernetes > Setup > Cluster.
There are two screenshots below. The first screenshot is of the Panorama plugin setup.
The second screenshot shows where to find the API server address in the Kubernetes
cluster you are using for this lab. The API server address is a required field in the Panorama
Kubernetes Plugin.
clipboard icon. Make sure when you copy and paste that there are no spaces on the front
or back.
B. Credential: Click on the word Credentials and then Browse to upload the
pan-plugin-user.json file you downloaded earlier. This file should be present in the
Downloads folder.
Step 12: Click on the Notify Groups > aks-ng. The Notify Group is pre-configured and allows you to
segment which Device Group receives notification for changes to a given cluster. This allows
for very granular rules. Click Cancel to close the window.
Step 13: Now configure the Monitoring Definition and specify the cluster you created in the previous
step. Navigate to Kubernetes > Monitoring Definition and click +Add.
Field          Value
Name           aks-md
Cluster        aks-cluster
Notify Group   aks-ng
Step 15: Now that you have created the Monitoring Definition you can see that the status is
Initializing. You need to commit the configuration to Panorama.
In the upper right corner select the commit icon then choose Commit to Panorama. Once
the commit completes click Close.
Step 16: After the commit is complete refresh the screen and you will see the status is now
Connected.
Step 17: Scroll up and select the Managed Devices > Summary. You will see the mgmt (MP) pod is
successfully connected to the Panorama.
NOTE: If the MP pod isn't listed in aks-dg, make sure the Panorama public IP
is correctly updated in both the terraform.tfvars file and the Panorama management interface.
Step 18: From the terminal window execute the below command to view the pods deployed by the
Terraform script.
End of Activity 8
Activity 9: Deploy and Secure Applications Pods
As with any deployment in the real world, things will change. Unfortunately, in many cases this
happens without the knowledge or consent of the devops team that performed the initial
installation. Closing all of these potential security holes is a challenge, and in some cases
exploits go unknown for long periods of time. With the CN-Series firewall, you receive the ability
to block unknown exploits and zero days after deployments.
After all components of the CN-Series firewall are deployed and your application is also deployed, the
CN-Series firewall can inspect all north-south, east-west, pod-to-pod, or pod-to-service application traffic
within the containerized application because it is directly connected via a virtual wire configuration to the
interface of each pod in the namespace.
This is a three-tiered application in which pods are dedicated to front-end web services and backend DB services.
Only one tier (the frontend service) is exposed to the outside world via a load balancer.
Step 1: Click on the terminal window and change the directory to the sample-application. This
folder contains Terraform plan files to deploy the Guestbook and Redis application to an
existing Kubernetes cluster.
cd ~/utd-cn-series/sample-application
Step 2: Execute the following kubectl command to deploy the Guestbook, Redis pod and frontend
load balancer service:
Step 3: Execute the following kubectl command to get the status of deployed application pods:
NOTE: Re-run the above command a few times until the pods are running.
Step 4: Make sure the newly deployed frontend load balancer service is running and it has an
External-IP:
Note: The Guestbook pod is exposed by the frontend load balancer service
Step 5: Re-run the command until the External-IP of the frontend pod is populated. Upon successful
deploy, you should see something similar to:
Step 6: Open a new browser tab and access the Guestbook pod by typing the
http://<EXTERNAL-IP> in the search box.
Browsing to the External-IP address will NOT bring up any web pages because everything is
currently blocked by the CN-Series firewall Deny policy.
Groups (DAG) and enforce Security policy for the underlying IP addresses associated with each tag. You
will create a DAG in the next step.
Step 1. In the Panorama GUI, go to Objects > Address Groups. In this lab we have pre-configured
the Guestbook-pod and Redis-pod address group. In the next step you will add the tags to
these address groups.
A. Click on Add Match Criteria, you will see that the criteria window is now filled with
namespaces, labels and tags, along with other metadata information from the AKS
cluster.
B. In the criteria window, mouse over the column header Name, click on the drop-down and
select Adjust Columns. This will make the information much easier to read.
C. Filter on the label guestbook, select OR and select sample-app.app.guestbook by
clicking on the + at the end; this adds the object to this dynamic address group (DAG).
Step 4. From within the newly created Guestbook and Redis Address Group select more under
Addresses. Here you will see all of the pod IPs associated with the Address Group tag.
Task 3 - Create Policy with Dynamic Address Groups
Once the Dynamic Address Groups (DAGs) are created successfully, you can apply specific security policies
using them. We will modify an existing security policy to use the DAGs created in the last task.
Step 1. In the Panorama GUI, select the Policies tab then select the Device Group aks-dg then
Security > Pre Rules.
Step 2. Highlight the rule #1, named Guestbook-Inbound (currently greyed out).
Step 3. Click Enable in the bottom bar. Once the rule is enabled, the rule color will change from grey
to blue.
B. In the Actions tab, in the Log Setting make sure Log at Session Start and Log at
Session End are checked and set the Log Forwarding option to
log-forwarding-to-panorama
C. In the Target tab select aks-dg > pan-mgmt-sts-0
D. click OK
Step 5. Highlight the rule #3, named Outbound (currently greyed out).
Step 7. In the upper right corner of Panorama select the commit icon and select Commit and Push
to commit these changes to the CN-Series firewall.
Step 8. Now select Commit and Push. The configuration commit completes first but you will see a
notice that two additional commit jobs are in progress. Click Tasks in the lower right corner
to see the completion percentage.
During the commit process the Panorama pushes security policy rules to the CN-Series
firewalls. The rules are applied to secure pod traffic passing through the CN-Series firewall.
The CN-Series firewall security policy allows appropriate traffic from the pods in the same or
different namespaces within the same Kubernetes cluster.
Step 9. Click Close and proceed to the next section once all of the commit jobs complete.
Step 1. Go to the Guestbook web page and refresh it. You should be able to reach the Guestbook
pod web page as shown below:
If you have closed the Guestbook browser tab, open a new tab and type
http://<External IP> to access the Guestbook webpage.
Reminder, to retrieve the Guestbook pod External-IP execute the following command:
Step 2. Return to the Panorama GUI and navigate to Monitor > Traffic > Logs. You should see
guestbook pod web-browsing logs.
If there is so much traffic that you cannot see web-browsing logs, type a rule filter above the
logs with the text (rule eq Guestbook-Inbound) and then click on the Apply Filter arrow.
Notice the Destination Dynamic Address Group column has a Guestbook-pod DAG.
The traffic log entry indicates the guestbook pod is now protected by the CN-Series firewall.
Step 3. Now go to the Guestbook webpage and enter a message “test1” in the message box and
click Submit.
Questions:
● Why did the test message submission fail?
● Is there a policy configured to allow traffic between Guestbook and Redis (E/W traffic)
**The “test1” submission failed because the CN-Series firewall doesn't have an active
security policy rule to allow traffic between the guestbook frontend and the redis pod.
Let’s now allow access between the frontend and the redis database to illustrate how the
CN-Series firewall can manage traffic at a more granular level.
Step 4. Go to Panorama console and navigate to Policies > Security > Pre Rules.
Step 7. Click on Guestbook-Redis.
A. Go to Source tab, click Add under the Source Address, select the Guestbook-pod
address group.
B. Go to the Destination tab, click Add under the Destination Address, select the
Redis-pod address group.
C. In the Actions tab, in the Log Setting select Log at Session Start.
D. In the Target tab select aks-dg > pan-mgmt-sts-0 and
E. click OK.
Step 8. In the upper right corner click the commit icon and select Commit and Push to commit
these changes.
Step 9. Now go to the Guestbook webpage, refresh the webpage and enter a message “test2” in the
message box and click Submit.
Step 10. Return to the Panorama console and navigate to Monitor > Traffic > Logs. You should see
Redis application traffic logs.
Remember to apply the filter above the logs with the text (app eq redis) and then click on
the Apply Filter arrow.
Questions:
● What is the action associated with the log entries?
● What is the port number associated with the log entries?
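As an added example (not the workshop's or Palo Alto Networks' code), the following Python models how pod labels become Dynamic Address Group members and how the lab's Guestbook-Inbound and Guestbook-Redis pre-rules then decide the frontend-to-redis write behind the “test1” and “test2” submissions. The tag format, pod names and IPs are constructed assumptions; the real plugin's tag syntax and data are not shown on this page.

```python
"""Model of label-driven DAG membership and first-match rule evaluation.

Added example, not workshop or Palo Alto Networks code. Assumptions:
tag format '<namespace>.<label-key>.<label-value>' (modelled on the lab's
'sample-app.app.guestbook' tag); pod names and IPs are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

Addr = Union[str, Set[str]]  # "any" or the IP set a DAG currently resolves to


@dataclass
class Pod:
    name: str
    namespace: str
    ip: str
    labels: Dict[str, str]


def pod_tags(pod: Pod) -> Set[str]:
    """Tags published for one pod (format is an assumption, see module docstring)."""
    return {f"{pod.namespace}.{key}.{value}" for key, value in pod.labels.items()}


def resolve_dag(match_tags: List[str], pods: List[Pod]) -> Set[str]:
    """OR-combined match criteria (the lab's 'select OR'): any pod carrying at
    least one of the tags contributes its IP, so membership follows the pods
    rather than a hand-typed address list."""
    wanted = set(match_tags)
    return {pod.ip for pod in pods if pod_tags(pod) & wanted}


@dataclass
class Rule:
    name: str
    source: Addr
    destination: Addr
    application: str  # "any" or an App-ID name
    action: str
    enabled: bool = True


def _addr_match(field: Addr, ip: str) -> bool:
    return field == "any" or ip in field


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, app: str) -> Tuple[str, str]:
    """First enabled rule that matches wins; with no match the flow falls to the
    default deny, which is why nothing reaches the Guestbook page before a rule
    is enabled and why the redis write fails until Guestbook-Redis exists."""
    for rule in rules:
        if not rule.enabled:
            continue
        if (_addr_match(rule.source, src_ip)
                and _addr_match(rule.destination, dst_ip)
                and rule.application in ("any", app)):
            return rule.name, rule.action
    return "default", "deny"


# Constructed inventory standing in for the lab's sample-app namespace.
LAB_PODS = [
    Pod("frontend-1", "sample-app", "10.244.1.10", {"app": "guestbook", "tier": "frontend"}),
    Pod("frontend-2", "sample-app", "10.244.2.11", {"app": "guestbook", "tier": "frontend"}),
    Pod("redis-master", "sample-app", "10.244.1.20", {"app": "redis", "role": "master"}),
]


def build_rules(pods: List[Pod], guestbook_redis_enabled: bool) -> List[Rule]:
    """The two lab pre-rules, with their DAGs resolved against the current pods."""
    guestbook_pod = resolve_dag(["sample-app.app.guestbook"], pods)  # Guestbook-pod DAG
    redis_pod = resolve_dag(["sample-app.app.redis"], pods)          # Redis-pod DAG
    return [
        Rule("Guestbook-Inbound", "any", guestbook_pod, "web-browsing", "allow"),
        Rule("Guestbook-Redis", guestbook_pod, redis_pod, "redis",
             "allow", enabled=guestbook_redis_enabled),
    ]


def message_submission(pods: List[Pod], guestbook_redis_enabled: bool) -> Tuple[str, str]:
    """Verdict for the frontend's write to redis when a user clicks Submit."""
    rules = build_rules(pods, guestbook_redis_enabled)
    return evaluate(rules, "10.244.1.10", "10.244.1.20", "redis")


if __name__ == "__main__":
    print("test1 (Guestbook-Redis disabled):", message_submission(LAB_PODS, False))
    print("test2 (Guestbook-Redis enabled): ", message_submission(LAB_PODS, True))
```

Adding a third guestbook replica with the same labels places it in the Guestbook-pod DAG, and therefore under both rules, without any policy change.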
Congratulations!!! You have now successfully deployed Palo Alto Networks CN-Series firewall to gain
visibility and secure your AKS Kubernetes cluster.
End of Activity 9
Activity 10: Prisma Cloud Overview
Prisma Cloud is a comprehensive cloud-native security platform with the industry’s broadest
security and compliance coverage. It protects cloud native applications, data, network, compute,
storage, users, and higher-level PaaS services across cloud platforms. It dynamically discovers
resources as they are deployed and correlates cloud-service-provided data to enable security
and compliance insights into your cloud applications and workloads.
We recommended that you sign up for a Prisma Cloud trial account at the beginning of this workshop. If your
trial account is ready, you can follow “Task 4” in this activity to learn how to connect your Azure account
to your Prisma Cloud trial account.
Step 1: Go to the CloudShare lab environment and click on the Prisma Cloud Console tab at the top
of the page.
Step 2: Follow the on-screen prompts to log in and then click the Prisma Cloud icon.
NOTE: If you see a page expired message, refresh the web page by clicking the Home
button highlighted in the screen capture below.
NOTE: You can also access the Prisma Cloud demo tenant directly from your laptop browser.
Refer to Appendix 2 to create the login credentials.
Step 3: Use the icons on the Action panel virtual keyboard to go back, go forward and return to the home screen
while using the Prisma Cloud console.
Step 4: To check the onboarded public cloud accounts, click Settings on the left-hand side and
select Cloud Accounts from the drop-down list. You can see the public cloud accounts
connected to this Prisma Cloud demo account.
We have already connected an AWS, an Azure and a GCP account to this Prisma Cloud service,
and this demo account can be used for testing across all three public cloud providers.
Step 5: Click +Add New and you will get an access denied message.
NOTE: The Prisma Cloud demo account used in this lab is a read-only account; it does not
have full access to the Prisma Cloud Service, and access to some functions is denied. This
account cannot make changes to the configuration of the associated Prisma Cloud Services.
Step 1: The Dashboard provides a summarized and graphical view of all assets deployed across
multiple public cloud environments.
You can use the predefined or custom time range to view current trends or historical data.
Step 2: The Inventory dashboard provides visibility into all the assets contained within the onboarded
cloud accounts. From this view, you will be able to find out which assets passed and which
ones failed to comply with the current policies.
Step 3: A Policy is a set of one or more constraints or conditions that must be adhered to. Any new or
existing resources that violate these policies are automatically detected.
A. Predefined policies for configurations and access controls that adhere to established
security best practices such as PCI, GDPR, HIPAA, and NIST. These Prisma Cloud
default policies cannot be modified.
B. Custom policies to monitor for violations and enforce your own organizational
standards.
Step 4: The Compliance dashboard enables you to view, access, report on, monitor and review the
compliance posture of your cloud infrastructure.
You can also create compliance reports and run them immediately, or schedule them on a
recurring basis to measure your compliance over time.
Step 5: Prisma Cloud offers a rich set of cloud workload protection capabilities. Collectively, these
features are called Compute.
The Compute tab protects cloud-native assets wherever they operate, regardless of whether they
run as containers, serverless functions, non-container hosts, or any combination of
them.
Step 6: The Investigation tab helps you identify security threats and vulnerabilities, create and save
investigative queries, and analyze impacted resources.
Step 7: The Alerts tab allows administrators to view the list of discovered violations and anomalies, drill into the
details, look up remediation options, and create alert rules and notification templates.
You will learn more about the Investigation and Alerts tab in the next activity.
In this task, you will learn how to use the Prisma Cloud “Help Center” to find information about “What’s
New” in the product, “Find Answers” to commonly asked questions, “Get Help” from the public community,
and locate the product’s “API Docs” for integration.
The information provided can be as simple as showing the latest blog posts, asking questions to the
community site, or accessing documentation to help answer any of your Prisma Cloud questions.
Step 1: Click the “Help” icon in the bottom right corner of the console to get to the online Prisma
Cloud help, quick start guides etc.
Step 2: Click on What’s New, and you can review what are the newest updates or feature
enhancements in the Prisma Cloud Service.
Step 3: Click on Docs > Product to go to the Prisma Cloud online documentation site.
Step 4: Click on Other Resources > Get Help to go to the Prisma Cloud Live Community
site.
https://live.paloaltonetworks.com/t5/Prisma-Cloud/ct-p/PrismaCloud
Prisma Cloud tenant provisioning takes a couple of hours, so it is very likely that your free trial tenant will
not be ready during this workshop. You can note down the steps below and use the Azure demo project
name and related information mentioned here to learn the onboarding process on Prisma Cloud once
your free trial tenant is provisioned and ready.
Step 1: Access your Prisma Cloud tenant console and select Settings > Cloud Accounts > Add
New.
Step 5: Enter below Application ID, Application Key and Service Principal Object ID and click
Next.
Step 6: Select Ingest and Monitor Network Security Group Flow Logs and click Next.
Step 7: Select the account groups to associate to your project and click Next.
Step 8: Verify the onboarding Status and click Done and then click Close.
End of Activity 10
Activity 11: Prisma Cloud Security Alert Investigation and
Remediation
Prisma Cloud provides alerts generated by policy violations. These alerts can be sorted in
many ways, such as from high to low severity. The alerts are extremely useful as they
indicate whether a security group has been misconfigured, whether cloud workloads are exposed to the
internet, or whether they may become vulnerable to external threats.
Step 1: Go to the Prisma Cloud console and click the Alert > Overview and Set the Time Range to
“All Time”.
Step 2: Select High in the Policy Severity section from the middle pane of the console.
Step 3: Click the “Internet Exposed Instances” alert in the Alert Overview pane.
Step 4: Move the mouse over any of the workloads listed in the alert view, and click the “investigate”
button.
Step 5: You’ll now see a network map with the workloads (virtual machines) that have received traffic
from public IP addresses within the time range selected in the top right corner of the console.
(Change the time range to “Past 7 days” in the top left corner if you don’t see traffic in the
network map.)
Step 6: Single-click a workload in the network map and you will see the “Instance Summary”,
“Network Summary” and “Alert Summary” sections on the right side.
Step 7: Click the “Network Summary” section on the right side to see the Traffic
Summary and the Security Group rules (local virtual firewall rules) applied to the selected
workload.
Step 1: Click the Alert > Overview and Set the Time Range to “All Time” .
Step 2: Uncheck High in Policy Severity section and click the “root user activities” alert.
Step 3: You’ll now see all the alerts related to root user activities such as addition, deletion, and
modification.
Move the mouse over any of the workloads listed in the alert view, and click the “investigate”
button.
Step 4: Set the custom time range since the beginning of this year.
Step 5: Click the “Search” option in the console, which will show you all the user logins on the
console.
Task 3 - Locate and remediate a security event
Certain Prisma Cloud alerts allow the user to execute a remediation by clicking the Resolve
button. This feature is extremely useful as the Prisma Cloud user does not have to leave the console to log
in to GCP, AWS or Azure. The incident can be resolved from the console, providing a platform-agnostic
solution and an expedited way to close the alert.
Step 1: Click the Alert > Overview and Set the Time Range to “All Time” .
Step 2: Select High in the Policy Severity section from the middle pane of the console and click the
“GCP Firewall rule allows internet traffic to RDP port (3389)” alert.
Step 4: Click the “View Details” option to see the resource configuration.
You’ll now see the sourceRanges for ingress rules are set to 0.0.0.0/0, which is why this alert
was generated.
Step 5: Click outside of the resource browser to close the pop-up window.
Step 6: Move your mouse over “default-allow-rdp” in the alerts view, and you’ll see options on
the right side (Dismiss, Snooze, Remediate and Investigate).
Step 7: Click the “Remediate” button, which will bring up the remediation command for this security
finding.
The remediation command can be executed as a single click operation from the console, or it can
be configured to run as an automated action.
You are currently logged into the Prisma Cloud demo environment with a read-only user and can’t
run the command.
Step 8: Click outside of the resource browser to close the pop-up window.
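The condition behind this alert and one form of its remediation, written out as an added Python example (a constructed firewall rule; this is not Prisma Cloud's own policy or remediation code, and restricting the source ranges is an assumed remediation, not necessarily the console's exact command):

```python
# Added example (not Prisma Cloud's policy code): evaluates a GCP firewall rule
# for the condition behind the "GCP Firewall rule allows internet traffic to RDP
# port (3389)" alert and builds a tightened copy with trusted source ranges.
import ipaddress

RDP_PORT = 3389

def _covers_port(port_spec: str, port: int) -> bool:
    # GCP "ports" entries look like "3389" or "3000-4000"
    if "-" in port_spec:
        lo, hi = (int(p) for p in port_spec.split("-", 1))
        return lo <= port <= hi
    return int(port_spec) == port

def rule_exposes_rdp_to_internet(rule: dict) -> bool:
    """True for an enabled INGRESS rule that allows TCP/3389 from a source
    range covering the whole internet (prefix length 0, e.g. 0.0.0.0/0)."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if not any(ipaddress.ip_network(c).prefixlen == 0
               for c in rule.get("sourceRanges", [])):
        return False
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        ports = allowed.get("ports")
        if proto == "all" or not ports:  # no port list means every port
            return True
        if any(_covers_port(p, RDP_PORT) for p in ports):
            return True
    return False

def remediated_rule(rule: dict, trusted_ranges: list) -> dict:
    """Copy of the rule with sourceRanges replaced by the trusted ranges
    (one possible remediation; the console's exact command is assumed)."""
    fixed = dict(rule)
    fixed["sourceRanges"] = [str(ipaddress.ip_network(r)) for r in trusted_ranges]
    return fixed

# Constructed rule mirroring what the alert's resource view shows.
DEFAULT_ALLOW_RDP = {
    "name": "default-allow-rdp",
    "direction": "INGRESS",
    "sourceRanges": ["0.0.0.0/0"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}],
    "disabled": False,
}
```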
Congratulations! You have now successfully completed the Azure Ultimate Test Drive workshop!!!
Activity 12: Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive workshop. We hope you have enjoyed
the presentation and lab activities that we have prepared for you. Please take a few
minutes to complete the online survey form to tell us what you think.
Step 2: Please complete the survey and let us know what you think about this workshop.
Appendix 1: How to Install Dynamic Updates
The steps outlined in Appendix 1 will guide you to install the application and threat content.
Step 2: Under Application and Threats in the center pane, select the latest update and click
Download in the Action column. Download will take some time. Close the Download
Application and Threat dialog box once download is complete.
Step 3: Once the download is complete, click Install in the Action column and then click Continue
Installation.
Step 4: Once the content is installed, you should see a check mark in the Currently Installed column.
Appendix 2: Prisma Cloud Demo Tenant access
To access the Prisma Cloud demo tenant, the first thing you need to do is create
credentials in the Prisma Cloud environment and provide those credentials to workshop
attendees.
https://www.paloaltonetworks.com/partners/nextwave-partner-portal/help-me-learn/demo-systems/prisma-cloud
Step 2: Click Request System Access and then click Start, if needed, provide the passcode to
continue.
Passcode: GoPaloAltoNetworks
Step 3: Follow the instructions and fill out the information, making sure to enter a valid email address.
Step 4: You will receive an email with the subject “PANW Labs Environment: Prisma Cloud Demot”
that contains a link to the Prisma Cloud tenant as well as the credentials needed for both the
instructor and attendees to access the Prisma Cloud environment.
NOTE: The username and password are valid only for 24 hours. Repeat steps 1 to 3
to regenerate the login credentials.
Step 5: Log in to the Prisma Cloud tenant using the credentials received in email.
Appendix 3: How to Re-Activate Azure Account
The steps outlined in this appendix will guide you to re-activate your Azure account if the
account is suspended by the lab environment inactivity timer.
If your Azure session has expired and the account has been locked, follow the steps below to re-activate the
account.
Step 1: Go to the UTD class environment webpage and Click on Ultimate Test Drive – Microsoft Azure
Workshop.
Note: If you have closed the lab environment browser tab, open a new browser tab and either type or
paste the URL below:
https://use.cloudshare.com/
Step 2: [optional] If you are redirected to the login page then enter your Cloudshare login email and
password created in Activity 0 and Task 1.
Step 3: Once you have logged in, it may take a while to re-activate Azure user credentials and resume
the lab resource.
Step 4: Open a new browser tab and either type or paste the below url and then sign in using the
Azure user account credentials from the lab environment.
https://portal.azure.com/
Step 5: Once you are logged in to the Azure portal, you should be able to continue the rest of the lab
activities.
Appendix 4: Download configuration file and configure the
firewall
This lab environment is dynamic, so it is possible that the VM-Series NGFW
boots up without an issue but fails to load its configuration.
If your firewall is missing its configuration, follow the steps below to configure the firewall.
https://cs-azure-utd-lab-files.s3-us-west-2.amazonaws.com/UTD-Azure-2.1-fw1-cfg.xml
Note: If the configuration file is not downloaded automatically and its contents are displayed in the
browser window, right-click and select Save as… to save the file. Make sure the file is
saved with the .xml extension.
Step 2: Now navigate to Device > Setup > Operations on the firewall and click Import named
configuration snapshot.
Step 4: Next click on Load named configuration snapshot and select the configuration file from
Name drop down.
Step 5: Click OK to close the window. From the top right click Commit to save the changes. When the
commit is complete, click Close.
Step 6: Log out and log back in using the credentials below to confirm the firewall has the correct
configuration.
https://cs-azure-utd-lab-files.s3-us-west-2.amazonaws.com/UTD-Azure-2.1-fw2-cfg.xml
Step 8: Go back to the lab activity to continue the rest of the lab.