Professional Documents
Culture Documents
Ultimate Test Drive: Network Security Management With Panorama
Ultimate Test Drive: Network Security Management With Panorama
Network Security
Management with Panorama
Workshop Guide
Panorama 10.0 & PAN-OS 10.0
http://www.paloaltonetworks.com
UTD-NSM-2.0 © 2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220107
How to use this guide
The activities outlined in this Ultimate Test Drive (UTD) Workshop Guide are meant to contain all the information
necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any potential
issues with the UTD environment. This guide is meant to be used in conjunction with the information and guidance
provided by your facilitator.
This workshop covers only basic topics and is not a substitute for training classes conducted at a Palo Alto
Networks Authorized Training Center (ATC). Please contact your partner or regional sales manager for more
training information.
Terminology
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each Tab found in the left-hand column of each screen.
Note: Unless specified, the Google® Chrome™ web browser will be used to perform any tasks outlined in the
following activities (Chrome is pre-installed on the student desktop of the workshop PC).
Step 2: Go to the class URL. Enter your email address and the passphrase. If you have an invitation email, you
can find the class URL and passphrase in the invitation email, otherwise, the instructor will provide you with this
information.
Step 3: Complete the registration form and click “Register and Login” at the bottom.
Step 5: The UTD environment consists of different components: a Windows® desktop, VM-Series virtual
firewalls and Panorama. You will access the lab through your browser and the Desktop VM.
Step 2: You will be connected to the Windows desktop VM through your browser.
Note: The default connection to the Windows desktop uses RDP over HTML5 protocol through the browser. In
case your browser does not support HTML5, you can switch to the “Console” connection by clicking “CON”.
Optional Step 4: If you encounter connection issues with the “Desktop”, click the “Reconnect” under
“Connectivity” to re-establish the connection.
Optional Step 5: If the reconnection to the “Desktop” remains unsuccessful, please verify your laptop connectivity
using the “Connectivity Test”.
Optional Step 6: If the connectivity test passed, please close the browser and retry from Task1, Step1. If the
connectivity test failed, please ask the instructor for further assistance.
End of Activity 0
Note that in this lab, Panorama VM is the only VM that provides direct connection to its WebUI. The other firewall
VMs such as PA-VM-1, PA-VM-2 and PA-VM-3 are not configured with direct connections.
Step 1 (Optional): Click on the Desktop tab to go to the Desktop virtual machine, open the Chrome browser
and click the “Panorama” bookmark to go to the Panorama URL. The internal IP address of the Panorama
management interface is 10.30.61.11. This allows you to
Step 3: You will see a Welcome to Panorama pop-up and some of the new features available on this version of
Panorama. Select Do not show again and close the pop-up so this window will not open again at the next login.
Step 4: On the Panorama Dashboard tab, you can gather some basic information about this Panorama device
from the different widgets on the dashboard. You can change the layout of the dashboard using the “Layout”
pull-down and add more widgets using the “Widgets” functions.
Panorama can be deployed either as a hardware or virtual appliance. This lab uses a virtual appliance deployed
in VMware ESXi mode. You can identify the VM Mode under the “General Information” widget. Panorama virtual
appliance is also available on Amazon Web Services (AWS) or Microsoft Azure.
Step 5: If you are familiar with the Palo Alto Networks® Next-Generation Firewall management GUI, you will notice
that the Panorama GUI is very similar to the firewall management GUI. Tabs such as Dashboard, ACC, Monitor,
Policies, and others are also available on the firewall Management GUI.
The Panorama tab is unique to the Panorama device. Click the Panorama tab to review some of the Panorama
Step 1: Click the ACC tab on Panorama. The ACC on Panorama offers the same application and threat visibility
as the ACC on our Next-Generation Firewall by aggregating all the information from all the firewalls that it
manages. It provides a bird’s eye view of all the network, application and threat activity across all the devices.
Note that this Panorama is not showing any data in ACC as it is not currently configured to do so.
Step 2: You can group multiple firewalls together to form a device group in Panorama. Once a device group is
created, you can select the specific device group in the ACC window to view the activities for that specific group.
select the UTD-DeviceGroup-1 in the Device Group drop-down. We will go into more details on Device Group
later in this lab.
Step 4: When you are done, change the device group back to “All” to make sure we are viewing all the firewalls
managed by Panorama.
Step 2: There are two firewalls, PA-VM-1 and PA-VM-2, managed by Panorama. They are grouped together in
the UTD-DeviceGroup-1 device group. Click any of the IP addresses for the firewall to open a login page. You
don’t need to log in to the firewall using the new tabs as we will show you an easier way to do so in the next activity.
Step 3: The Status columns show you the various statuses of each firewall. We will explain what they mean in
the next few activities. Scroll to the right-hand side, where you can get a quick view of the PAN-OS® security
operating system version, application and threat signatures, and other subscriptions that are running on these
firewalls.
Step 1: Go to Panorama > Managed Devices > Health. Here you will find performance monitoring data for all
managed devices.
Step 2: Choose the device with the highest Session Count and click on its name to see more details.
Step 3: Click on the Resources tab and examine the data available. This data provides a good overview of how
much of the device resources is utilized. Notice the “Print PDF” button on the left that renders a PDF document
of the data being displayed.
Step 2: Click Check Now at the button to update the latest plugin from Palo Alto Networks. You can use the
search bar to search for the different plugins, try to search for aws, gcp, dlp or sd_wan. Note that aws,
cloud_services and kubernetes plugins are already installed, hence you can see those nodes available below
the Plugins.
IPS Signature Converter is one of the newer plugins for Panorama that provides an automated solution for
converting rules from third-party intrusion prevention systems—Snort and Suricata—into custom Palo Alto
Networks threat signatures. You can then register these signatures on firewalls that belong to device groups you
specify and use them to enforce policy in Vulnerability Protection and Anti-Spyware Security Profiles. Search for
ips in the plug-in search bar, and you can find the latest IPS Signature Converter plugin.
Step 3: Click on one of the plug-in names, you can choose to download, install or delete any available plugin.
We do not need to install or delete any plugins in this lab.
End of Activity 1
Shared is the top parent device group for all device groups. Device group hierarchy is supported in Panorama,
and we will cover that in the next task.
A device group is a great way to group firewalls in an active-passive high availability (HA) configuration, so that
Panorama can push the same policies and objects to the firewalls in the HA pair.
Step 2: Click UTD-DeviceGroup-1 to open up the device group window. In this window, you can add or remove
devices from the device group. You can use the filters to quickly find the firewalls that you want to include in the
device group.
Step 3: Under Master Device, select PA-VM-1 to be the master device for this device group, then click “OK”. The
master device is the firewall from which Panorama gathers information for User-ID™ user identification technology
to be used in policies for the devices in that group.
All device groups inherit settings from the top of the hierarchy for configurations that are common to all device
groups. In the above example, Datacenters and Branches device groups share the configuration from the
“Shared” location. We will demonstrate how to a create device group hierarchy but will not go into the details of
the configuration.
Step 1: To create a device group, go to Panorama > Device Groups and click Add at the bottom to create a new
device group.
Step 2: Name the device group NewOnboard-DeviceGroup, the default Parent Device Group is Shared. Click
OK to save the device group. We will use this device group later during the lab.
Step 4: Name the device group Child-DeviceGroup, and the UTD-DeviceGroup-1 should have been selected
as the Parent Device Group. If not, select UTD-DeviceGroup-1 as the parent device group. Click OK to close
the device group window.
Step 5: You can see a new device group created under UTD-DeviceGroup-1. Commit the changes to
Panorama.
Step 6: Go to Policies tab, notice the new device groups that you have created and their hierarchy. Select UTD-
DeviceGroup1 and select Pre-Rules under the Security Nodes. You should see some policies there.
Step 7: Now select the Child-DeviceGroup, note that you still see the same policies in this device group but the
background color is different and it has a green gear next to the policy names. This indicates that the policies are
inherited from the parent device group.
Notice the text Device Group on top of the Policies and Objects tab, that reminds you that these tags are
applicable only to the device group selected in the Device Group drop down.
Step 9: While you are in the new NewOnboard-DeviceGroup device group, go to Objects > Address, create a
new address object with the following, then commit the changes to Panorama.
Name: Panorama-IP
Value: 10.30.61.11
Note: You can use the filters to identify the firewalls by platforms, devices groups, templates, etc.
Note: The MGT IP address of PA-VM-1 is 10.30.61.21, but the IP address or the URL in the browser address
bar remained as the Panorama device , so we have not left Panorama but just switched context. Also note that
there is no Device Groups, or Panorama tab .
Here, you can move among tabs as you normally would on the Pan-OS GUI. You can also make configuration
changes (though we will not do that now).
Step 3: Go back to the Dashboard tab, then click the Context drop-down and select Panorama to context
switch back to Panorama.
After context switch back to Panorama, you should see Panorama under the Context drop-down. Notice that
you will see the Device Groups on top of the Policies and Objects tabs and the Panorama tab.
End of Activity 2
Once the pre- and post-rules are set up, they can be pushed to the firewalls from Panorama. Note that pre- and
post-rules created on Panorama cannot be modified by the firewall, and local rules created on the firewall cannot
be modified by Panorama. The display above includes local firewall rules which are only visible when examining
the firewall’s display. Panorama does not display locally created firewall rules of any type.
Step 2: Select Pre-Rules under the Security node, then add a new rule below Allow-Web-Traffic.
Step 3: Click the Add command at the bottom and name the new rule Allow-Corp-Sanctioned-Apps.
Step 4: In the Source tab, add L3-Trust to the Source Zone and Windows_Devices to Source Device using
the Add button; in the Destination tab, add L3-Untrust to the Destination Zone.
Note: New in Pan-OS 10.0, Device-ID provides policy rules that are based on the device type, regardless of
changes to its IP address or location. By providing traceability for devices and associating network events with
specific types of devices, Device-ID allows you to gain context for how events relate to devices and write policies
that are associated with devices. Device-ID requires an Internet of Things (IoT) Security and a Cortex Data Lake
(CDL) license. To learn more about the new IoT Security Service and Device-ID, please visit here or participate
in one of the Cloud-Delivered Security Services (CDSS) Ultimate Test Drive.
Step 5: In the Application tab, click Add to add Corp-Sanctioned-Apps application group. Type the name in
the field to find the application group name, and check the box next to it.
Step 6: In the Actions tab, select Profiles under Profile Type, then select default for Antivirus, Vulnerability
Protection, Anti-Spyware, and WildFire Analysis profile. Then select To-Panorama for Log Forwarding.
Click “OK” to accept the new policy. Move it if required between the existing rules using the move command at
the bottom.
Step 8: To preview how the new rule will look in the firewall, click Preview Rules at the bottom to preview the
policies in the firewall.
Step 9: Switch to different firewalls using the Device drop-down list, click Arrow after selecting the new device
to refresh the screen. Notice the new policy is added in the preview, then close the preview window.
Step 10: Context switch to the PA-VM-1 firewall and see that the Allow-Corp-Sanctioned-Apps policy has not
been committed to the firewalls at this point. You can review PA-VM-2 policies as well.
Step 1: Context switch back to Panorama, with UTD-DeviceGroup-1 as the device group, select Pre Rules
under Security.
Step 2: Click on the Monitor-Tap policy to open up the policy window, click the last tab Usage, and then click
the Compare Applications & Applications As Seen to open the Application Usage window.
Step 3: We are using the tap policy in this lab that is configured with active traffic. You can use the policy
optimizer on any layer-3, layer-2 or v-wire policy. Scroll down the Apps Seen window to see what applications
this policy is seeing and the volume of data seen for that application.
Step 5: In the Create Cloned Rule window, enter Allow-hotmail in the Name, or any name that matches your
selected application. Notice that the Dependent Applications window will show the dependencies on other
applications based on the selected application, we will leave it checked to include them in our policy. Click OK to
close the window. Click “OK” again to close the policy window.
Step 6: Notice that you have a new app-based policy created for you. Scroll to the left to see the applications
including the dependent applications selected in the last step are added to this policy.
Step 2: Commit the changes again. This time select Push to Devices. In the Push to Devices window, click
Edit Selections under Push Scope and select UTD-DeviceGroup-1. Click Push to execute the commit.
Ensure its status is “Completed” click the “Close” button.
Step 3: After the changes are committed, wait about 30 secs while the configuration is pushed to the firewalls.
Step 4: Context switch to the PA-VM-1 or PA-VM-2 firewall, then go to Policies > Security to confirm that the
new rules are added.
Step 3: Add a new rule below the current local rule with the following:
Name: Allow-Local-Sanctioned-Apps
Source: L3-Trust
Destination: L3-Untrust
Step 5: Commit the change to the firewall. Notice that there is no option to commit to Panorama when context is
switched to the firewall.
Step 6: Context switch back to Panorama, go Panorama > Managed Devices > Summary. Notice the status of
the shared policy is not affected by the changes in the local policy.
End of Activity 3
Step 2: You can see which firewalls are assigned to the template stack; click the template stack UTD-
TemplateStack-1 to review it. Multiple templates can be added to a template stack and devices can be assigned
or removed to a template stack. Click “Cancel” to close the template window without making any changes.
Step 4: Select UTD-TemplateStack-1 in the Template drop-down. This displays the settings from all templates
in the stack that will be collectively pushed to the assigned devices. The green gear icon indicates settings that
have been inherited from one of the templates assigned to the stack.
Step 3: Name the new zone New-Tap-Zone, then select Tap for Type. Click OK to close the zone window.
Step 4: Then, go to the Interfaces node, there is no interface configuration in this new template, click Add
Interface at the bottom to add a new interface.
Slot: Slot 1
Interface Name: ethernet1/5
Interface Type: Tap
Security Zone: New-Tap-Zone
Link State (Advanced): Down
Note: We skipped the interface “ethernet1/4” to make it easier to see after the changes are committed to the firewall
Step 7: Change to UTD-Template-1 in the Template drop down, to see the other interfaces configurations.
Step 3: Close the Template Stack window, make sure only PA-VM-1 is associated with UTD-TemplateStack-1.
Step 5: Add UTD-Template-1 and UTD-Template-2 to this template stack. Select PA-VM-2 in the Devices
section and add your own description. Click “OK” to close the template stack window.
Step 6: Now, you have UTD-TemplateStack-1 that includes UTD-Template-1 and applies to PA-VM-1, and the
new UTD-TemplateStack-2 that includes UTD-Template-1 and UTD-Template-2 and it applies to PA-VM-2.
Step 8: When the Commit to Panorama is done, do Commit > Push to Devices, with Push Scope set to UTD-
TemplateStack-2, click Push to push the configuration.
Step 8: Then context switch to PA-VM-2, you can see four of the interfaces (ethernet1/1, ethernet1/2,
ethernet1/3 and ethernet1/5) are configured, as per both UTD-Template-1 and UTD-Template-2 combined.
Hope this example shows how you can layer multiple templates and create a combined configuration.
Step 2: Select ethernet1/5 (don’t click the name), then click Override at the bottom of the window. If you click
the interface name to open the Ethernet Interface window, you will see it is Read Only and will not be able to
make changes.
Step 3: Change the Link State to up in the Advanced tab. Click OK to close the widow.
Step 4: Now commit the changes directly on PA-VM-2. You should see the interface icon change to green.
Notice the Override icon next to the interface name. This indicates that the template configuration is overridden
by local changes.
You have successfully changed the configuration on firewall PA-VM-2, based on the template configuration from
Panorama.
Notice the three existing variables and their default values that will be assigned to all devices attached to the
Template Stack this template is assigned to. The values must be provided at variable creation time. These are
temporary and will be modified later. Click “Close”.
Step 2: Go to the Panorama > Managed Devices > Summary node. Click on Edit for the PA-VM-1 device.
Step 3: Go to the Panorama > Templates node. Click on Manage… for the UTD-Template-1 template. Click
“Add” at the bottom to add a new variable with the information shown below. Click OK and Close when
complete.
Name: $Address- CorpEmailServer
( $ sign is needed)
Type: IP Netmask
Value: 10.160.100.53
Description: Add any
description
We just defined a new variable for the Template containing the address for the organization’s email server.
We’ve provided the address as a default setting. Notice all template variable names must begin with a “$”.
Step 5: Click Add at the bottom and enter details to match the screen below. Under Email Gateway pop down
the list of variable choices and select the new variable $Address-CorpEmailServer.
Step 7: Check the box next to $Address-CorpEmailServer and click the Override button at the bottom. Enter a
new address of 123.54.67.128. Click OK.
We have overridden the inherited address with one appropriate for this device (a fictional address chosen at
random for this lab). Notice the icon has changed to indicate an overridden value. Click Close.
Step 8: Commit changes using Commit and Push. Check that Commit All Changes is selected, then click
Commit and Push. When the commit and push is completed, wait about 30 seconds for the local device
commits to complete and context switch to each device to examine the Device > Server Profiles > Email server
definition for the results. Notice that PA-VM-1 email gateway has the edited ip address and PA-VM-2 email
gateway has the default template address.
PA-VM-2
End of Activity 4
Step 2: Click the Add button at the bottom to create another user called student-1 the password will be utd246.
Leave the rest of the fields as default. Click OK to close the window.
Step 3: Commit to Panorama, once the commit is done close the window.
Name: Allow-Salesforce
Source > Source Zone: L3-Trust
Destination > Destination Zone: L3-Untrust
Actions > Action: Allow
Actions > Profiles: Select default for Antivirus, Vulnerability protection and Wildfire Analysis
Note that in this new policy, we missed adding the salesforce application, under the Application tab, so this
Step 3: Logout of the GUI, click on the bottom left corner of the window.
Step 1: Log back into Panorama using student-1 with password utd246.
Step 2: Go to the Network > Interfaces node, with UTD-Template-1 selected in the Template, open interface
Ethernet1/3. Create a new Security Zone called New-Tap-Zone, using the New Zone option under Security
Zone. Enter the new zone name in the Zone window and accept the defaults for the rest. Click OK to close the
window..
Step 4: Look at the Commit and Push Status window and note that under Details, it shows that only partial
changes were committed by student-1. Close the commit window.
Step 2: Go to the Policies > Security node. Check if the Allow-Salesforce rule created in Task 2 is in either
firewall. (Hint: it is not).
Step 3: Go to the Network tab and under the Interfaces node, check if the ethernet1/3 interface is assigned to
the New-Tap-Zone (Hint: yes, it should). This new zone is also added under the Network > Zones.
This means that configuration made by user student-1 was committed, whereas configuration made by the user
student is not.
Step 4: Switch context back to Panorama (still as user student-1) and we will show how we can commit the
other users configuration. If you are logged out by the browser, please log back in as student-1 / utd246.
Step 5: Go to the Policies > Security > Pre Rules node, select the UTD-DeviceGroup-1 Device Group, and click
the Allow-Salesforce policy under Pre Rules that we created under the user student. Go to the Application tab,
add salesforce as an application and click OK to close the window. We have modified the configuration made by
the user student but as student-1. We will push all changes.
Step 6: Execute a Commit > Commit and Push, but this time select Commit All Changes and complete the
commit.
Step 7: Switch context to PA-VM-1 or PA-VM-2 and make sure the new rule shows up.
Step 1: Switch to the Panorama context and logout of student-1. Log back in as student / utd246.
Step 2: In Panorama go to the Policies > Security > Pre Rules node and ensure the Device Group is set to
UTD-DeviceGroup-1.
Step 3: Select the first security Policy, which should be Allow-Salesforce by clicking on the number next to it,
then click Delete at the bottom and make sure the rule is no longer on the policies list.
Step 4: Oops! we have accidentally deleted a policy that was not meant to be deleted. Fortunately, nothing is
lost. Go to the config menu in the upper right hand corner, next to the search icon, and click Revert Changes
and then on the pop-up screen, make sure you are reverting your changes only by selecting Revert Changes
Made By …, click Revert and the policy should return.
Step 2: The Device Group and Template role assign read-write, read-only or no access specific to the
functional area within the device group, templates, and firewall context. The list under Web UI defines access in
the Panorama GUI. Note Click Cancel to close the profile window without making any changes.
Step 3: Under the Access Domain to Administrator Role, add VM-1-Only under Access Domain and FW-
Rules-Admin under Admin Role. Click OK to close the window.
Step 1: Log out of the user student using the Logout button at the bottom.
Step 2: Log in using the account created in the previous task: student-2 / utd246. With this new account, you
can see that access to Panorama features are limited.
Step 3: Notice that there is no device group in the Device Group drop-down. Switch context to PA-VM-1.
Notice that PA-VM-2 is not accessible from this account.
Step 5: This user account is created to have access to manage firewall rules on the PA-VM-1 firewall. You can
go to Policy > Security to create a new test policy and commit the necessary changes.
Step 6: Add a new test security policy of your own design and commit the change. This student-2 account can
access PA-VM-1 local policy but not the pre- or post-policy Managed by Panorama.
Name: student
Password: utd246
You should have access again to all the Panorama features as the user student.
Step 9: Go to Device > Admin Roles, ensure UTD-Template-1 is selected under Template.
Step 10: Click on FW-Rules-DeviceAdmin and you can review the role configurations for the user after context
switching.
Step 11: Go back to the Panorama tab, in the Admin Roles, open the FW-Rules-Admin role. You will find
reference to the admin role used for Context Switch.
End of Activity 6
Step 2: In PA-VM-3 go to Device > Setup > Management. Edit the Panorama Settings using the edit button.
Step 4: Go to Policies > Security node and you can see there are no rules except the two pre-defined
intrazone-default and interzone-default rules.
Step 5: This firewall is not configured, check Objects > Address node, Networks > Interfaces or Networks >
Zones and you should not see any configuration there.
Step 6: Go back to Dashboard. Note the Serial Number in the General Information widget. You can copy it to
the clipboard.
Step 2: Note, the Associate Devices box is checked, click OK, you will see the Device Association screen.
Step 3: Select NewOnboard-DeviceGroup under Device Group and UTD-Template-Stack1 under Template
Stack for this new device. Click OK.
Step 5: Execute a Commit > Commit and Push, when it is done, you should see the green In Sync icon under
Shared Policy and Template for PA-VM-3.
Step 6: Now, context switch to PA-VM-3. You should see the Panorama-IP address object in Object >
Addresses and the Interfaces and Zones in Networks from the NewOnboard-DeviceGroup and UTD-
Template-Stack-1 configuration.
Notes:
Palo Alto Networks provides Zero Touch Provisioning (ZTP) service to save time and resources when deploying
new firewalls at branches or remote offices. Zero Touch Provisioning (ZTP) is designed to simplify and automate
the on-boarding of new firewalls to the Panorama™ management server. ZTP allows network administrators to
ship managed firewalls directly to their branches and automatically add the firewalls to the Panorama™
management server after the ZTP firewall successfully connects to the Palo Alto Networks ZTP service. ZTP is
supported on selected ZTP firewalls running PAN-OS 9.13 and later releases.
To learn more about Zero Touch Provisioning (ZTP), visit here for more details on the configuration elements
required by the ZTP service. You can also take a look at the ZTP plugin that is already installed in the Panorama
in this lab. Note that ZTP is not configured in this lab.
Step 2: Locate the latest available antivirus update and click Download in the Action column.
Step 3: Once the download is completed, click Install in the Action column to install the antivirus package.
Step 4: Select all the three firewalls to install the content, click OK to deploy the latest package to all the
selected firewalls.
End of Activity 7
Step 1: Go to Panorama > Managed Devices > Summary to review PAN-OS on all the devices. Scroll the
display to the right to find this information.
Note: You have the option to Upload only to device or Reboot device after install. Select Reboot device after
install to reboot the devices and run the new PAN-OS. Upload only to device is often used when the
administrator wants to reboot and update the device in a Future Maintenance window.
Step 5: You can see the progress in the Install Software window. Since we have selected the Reboot device
after install option, it will take about 10 minutes for the device to complete the upgrade process.
Step 6: When the software installation is completed, close the Install Software window. PA-VM-3 will reboot,
you can go back to Panorama > Managed Devices to review the device status. The PA-VM-3 will initially
disconnect from Panorama when it’s rebooting; it will take a few minutes for it to complete the reboot and
reconnect to Panorama. After completing the boot-up process successfully, the device should be reconnected to
Panorama with the new software version. You can continue on the next task while waiting for the upgrade to be
completed.
Step 2: Click on the Details, under Cortex Data Lake to review the status and connectivity.
Cortex Security Platform delivers radical simplicity and significantly improves security outcomes through
automation and unprecedented accuracy. The Cortex Security Platform provides a comprehensive suite of
services and applications to fully leverage the security intelligence offers in the platform. You can explore the
available services, applications and 3rd party integrations in the Cortex Hub.
[https://apps.paloaltonetworks.com/apps]
To learn more about Cortex, please visit the Palo Alto Networks Cortex site here.
[ https://www.paloaltonetworks.com/products/cortex]
End of Activity 8.
Step 2: Please complete the survey, and let us know what you think about this event.