
Ultimate Test Drive

Network Security
Management with Panorama

Workshop Guide
Panorama 10.0 & PAN-OS 10.0

http://www.paloaltonetworks.com

UTD-NSM-2.0 © 2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220107
How to use this guide
The activities outlined in this Ultimate Test Drive (UTD) Workshop Guide are meant to contain all the information
necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any potential
issues with the UTD environment. This guide is meant to be used in conjunction with the information and guidance
provided by your facilitator.
This workshop covers only basic topics and is not a substitute for training classes conducted at a Palo Alto
Networks Authorized Training Center (ATC). Please contact your partner or regional sales manager for more
training information.

Terminology

Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each Tab found in the left-hand column of each screen.

Note: Unless specified, the Google® Chrome™ web browser will be used to perform any tasks outlined in the
following activities (Chrome is pre-installed on the student desktop of the workshop PC).

Table of Contents
How to use this guide 2
Activity 0 – Log in to UTD Workshop 5
Task 1 – Log in to your Hands-on Workshop class environment 5
Task 2 – Log in to the Windows Desktop 6
Task 3 – Lab Setup 8
Activity 1 – Centralized Management with Panorama 9
Task 1 – Log in to Panorama 9
Task 2 – Application Command Center (ACC) in Panorama 11
Task 3 – Device Management in Panorama 12
Task 4 – Device Monitoring in Panorama 13
Task 5 – Panorama Plugins 13
Activity 2 – Introduction to Device Groups and Context Switching 15
Task 1 – Review Device Groups 15
Task 2 – Create a Device Group Hierarchy 17
Task 3 – Context Switch between Panorama and Firewalls 19
Activity 3 – Pre, Post and Local Rules 21
Task 1 – Panorama Rules Quick Overview 21
Task 2 – Create and Review Pre-Rules 22
Task 3 – Create with Policy Optimizer 24
Task 4 – Push rules to the firewalls 26
Task 5 – Adding Local Rules 27
Activity 4 – Templates, Template Stacks and Variables 29
Task 1 – Review a Template and Template Stack 29
Task 2 – Create and Configure a New Template 30
Task 3 – Create and Configure a New Template Stack 32
Task 4 – Override Template Setting 34
Task 5 – Template Variables 35
Activity 5 – Administrator-Level Commit and Revert 41
Task 1 – Create New Administrator Account 41
Task 2 – Modify Configuration (without commit) 41
Task 3 – Modify Configuration with Different Administrator Account 42
Task 4 – Confirm Configuration Changes by Account 44
Task 5 – Revert Configuration. 45
Activity 6 – Role-Based Access Control 47
Task 1 – Review Admin Role and Access Domain 47
Task 2 – Create New User Account on Panorama 48
Task 3 – Verify Account Access on Panorama 49
Activity 7 – Onboarding Firewall to Panorama 52

Task 1 – Setup firewall for Panorama 52
Task 2 – Onboard firewall to Panorama 54
Task 3 – Update Antivirus Content on all the firewalls 56
Activity 8 – Deploy new PAN-OS with Panorama 58
Task 1 – Deploy New PAN-OS to a firewall 58
Task 2 – Cortex Data Lake with Panorama 59
Activity 9 - Feedback on Ultimate Test Drive 62
Task 1 – Take the Online Survey 62
Lab Setup 64

Activity 0 – Log in to UTD Workshop
In this activity, you will:
● Log in to the Hands-on Workshop from your laptop
● Understand the layout of the environment and its various components
● Enable the Firewall to facilitate connectivity

Task 1 – Log in to your Hands-on Workshop class environment


Step 1: First, make sure your laptop is installed with a modern browser that supports HTML5. We recommend
using the latest version of Firefox®, Chrome or Internet Explorer®. We also recommend you install the latest
Java® client for your browser.

Step 2: Go to the class URL. Enter your email address and the passphrase. If you have an invitation email, you
can find the class URL and passphrase in the invitation email, otherwise, the instructor will provide you with this
information.

Step 3: Complete the registration form and click “Register and Login” at the bottom.

Step 4: Once logged in, the environment will be automatically created for you. Click “Start Using This Environment”
when the environment is ready.

Step 5: The UTD environment consists of different components: a Windows® desktop, VM-Series virtual
firewalls and Panorama. You will access the lab through your browser and the Desktop VM.

Task 2 – Log in to the Windows Desktop


Step 1: Click the “Desktop” tab at the top of the page to connect to the Windows desktop.

Step 2: You will be connected to the Windows desktop VM through your browser.

Step 3: If the “Desktop” resolution is too high or too low for your laptop display, you can adjust the resolution
from the left-hand menu. Open or collapse the left menu using the three-line icon next to the first tab.
You can also click the “Full screen” icon to maximize the display.

Note: The default connection to the Windows desktop uses RDP over HTML5 protocol through the browser. In
case your browser does not support HTML5, you can switch to the “Console” connection by clicking “CON”.

Optional Step 4: If you encounter connection issues with the “Desktop”, click “Reconnect” under
“Connectivity” to re-establish the connection.

Optional Step 5: If the reconnection to the “Desktop” remains unsuccessful, please verify your laptop connectivity
using the “Connectivity Test”.

Optional Step 6: If the connectivity test passed, please close the browser and retry from Task 1, Step 1. If the
connectivity test failed, please ask the instructor for further assistance.

Task 3 – Lab Setup
Here is a quick look at the lab environment. The Desktop VM is connected to the management interfaces of
Panorama™ network security management and the VM-Series firewalls. You will be using your browser and the
Desktop VM to access and configure Panorama and the VM-Series firewall in this lab.

End of Activity 0

Activity 1 – Centralized Management with Panorama
Background: Panorama enables you to control your distributed network of Palo Alto Networks firewalls
from one central location. View all the applications in your network, manage all aspects of firewall
configurations, push global policies, and generate reports on traffic patterns or security incidents – all
from a single console. Panorama is available as both an appliance as well as virtual machines. This lab
uses a virtual Panorama. For more information on private and public cloud support for virtual Panorama
visit here.

In this activity, you will:


● Get familiar with the Panorama GUI.
● View the centralized Application Command Center (ACC) across all the VM-series firewalls.
● Review the VM-series firewalls managed by Panorama in this lab.

Task 1 – Log in to Panorama


Step 1: Connect to the Panorama VM directly on your browser by clicking on the Panorama-WebUI tab. This
will open up a new tab in your browser using the external URL of the Panorama instance. This will provide you
with the best view of the Panorama UI.

Note that in this lab, the Panorama VM is the only VM that provides a direct connection to its WebUI. The other
firewall VMs, such as PA-VM-1, PA-VM-2 and PA-VM-3, are not configured with direct connections.

Step 1 (Optional): Click on the Desktop tab to go to the Desktop virtual machine, open the Chrome browser
and click the “Panorama” bookmark to go to the Panorama URL. The internal IP address of the Panorama
management interface is 10.30.61.11. This allows you to

Step 2: Use the following credential to log in to the Panorama GUI:
Name: student
Password: utd246

Step 3: You will see a Welcome to Panorama pop-up and some of the new features available on this version of
Panorama. Select Do not show again and close the pop-up so this window will not open again at the next login.

Step 4: On the Panorama Dashboard tab, you can gather some basic information about this Panorama device
from the different widgets on the dashboard. You can change the layout of the dashboard using the “Layout”
pull-down and add more widgets using the “Widgets” functions.

Panorama can be deployed either as a hardware or virtual appliance. This lab uses a virtual appliance deployed
in VMware ESXi mode. You can identify the VM Mode under the “General Information” widget. Panorama virtual
appliance is also available on Amazon Web Services (AWS) or Microsoft Azure.

Step 5: If you are familiar with the Palo Alto Networks® Next-Generation Firewall management GUI, you will notice
that the Panorama GUI is very similar to the firewall management GUI. Tabs such as Dashboard, ACC, Monitor,
Policies, and others are also available on the firewall Management GUI.

The Panorama tab is unique to the Panorama device. Click the Panorama tab to review some of the Panorama
device configuration options. Many of the configuration options are very similar to our Next-Generation Firewall.
We will be using this tab to configure this Panorama device in the activities that follow.

Task 2 – Application Command Center (ACC) in Panorama


The application command center (ACC) from Panorama provides you with a highly interactive, graphical view of
the application, URL, threat and data traffic across your entire Palo Alto Networks Next-Generation Firewall
deployment. The ACC includes a tabbed view of network activity, threat activity, and blocked activity. Each tab
includes pertinent widgets for better visualization of traffic patterns on your network.

Step 1: Click the ACC tab on Panorama. The ACC on Panorama offers the same application and threat visibility
as the ACC on our Next-Generation Firewall by aggregating all the information from all the firewalls that it
manages. It provides a bird’s eye view of all the network, application and threat activity across all the devices.
Note that this Panorama is not showing any data in ACC as it is not currently configured to do so.

Step 2: You can group multiple firewalls together to form a device group in Panorama. Once a device group is
created, you can select that device group in the ACC window to view the activities for that group.
Select UTD-DeviceGroup-1 in the Device Group drop-down. We will go into more detail on device groups
later in this lab.

Step 3: Use the Time drop-down to select the range of data the ACC is showing for the device group. Review the
different filtering functions under Global Filters.

Step 4: When you are done, change the device group back to “All” to make sure we are viewing all the firewalls
managed by Panorama.

Task 3 – Device Management in Panorama


Step 1: To view the firewalls managed by Panorama, you can go to the Panorama tab, then go to the Managed
Devices > Summary node on the left.

Step 2: There are two firewalls, PA-VM-1 and PA-VM-2, managed by Panorama. They are grouped together in
the UTD-DeviceGroup-1 device group. Click any of the IP addresses for the firewall to open a login page. You
don’t need to log in to the firewall using the new tabs as we will show you an easier way to do so in the next activity.

Step 3: The Status columns show you the various statuses of each firewall. We will explain what they mean in
the next few activities. Scroll to the right-hand side, where you can get a quick view of the PAN-OS® security
operating system version, application and threat signatures, and other subscriptions that are running on these
firewalls.

Task 4 – Device Monitoring in Panorama
When a device is managed by Panorama, its status is accessible from Panorama with no additional
configuration required. This information is mostly performance statistics that allow an administrator to
proactively monitor firewall device health and performance.

Step 1: Go to Panorama > Managed Devices > Health. Here you will find performance monitoring data for all
managed devices.

Step 2: Choose the device with the highest Session Count and click on its name to see more details.

Step 3: Click on the Resources tab and examine the data available. This data provides a good overview of how
much of the device’s resources are utilized. Notice the “Print PDF” button on the left that renders a PDF document
of the data being displayed.

Task 5 – Panorama Plugins


Panorama supports an extensible plugin architecture that enables support for third-party integrations and
additional management features, such as managing VM-Series in VMware NSX, Amazon Web Services (AWS),
Google Cloud Platform (GCP) and other Palo Alto Networks products. With this modular architecture, you can
take advantage of new capabilities without waiting for a new PAN-OS version.

Step 1: Click the Plugins node in the Panorama tab to review the available plugins.

Step 2: Click Check Now at the bottom to retrieve the latest plugins from Palo Alto Networks. You can use the
search bar to search for the different plugins; try searching for aws, gcp, dlp or sd_wan. Note that the aws,
cloud_services and kubernetes plugins are already installed, hence you can see those nodes available below
Plugins.

IPS Signature Converter is one of the newer plugins for Panorama that provides an automated solution for
converting rules from third-party intrusion prevention systems—Snort and Suricata—into custom Palo Alto
Networks threat signatures. You can then register these signatures on firewalls that belong to device groups you
specify and use them to enforce policy in Vulnerability Protection and Anti-Spyware Security Profiles. Search for
ips in the plug-in search bar, and you can find the latest IPS Signature Converter plugin.

Step 3: Click one of the plugin names; you can choose to download, install or delete any available plugin.
We do not need to install or delete any plugins in this lab.

End of Activity 1

Activity 2 – Introduction to Device Groups and Context
Switching
Background: You can group the firewalls in your networks into logical units using a device group. Device
groups can be created based on geographic location, organizational function, network segmentation or
any other common aspect of firewalls. Using a device group, you can configure and share policies and
objects that are common between the groups of firewalls.

In this activity, you will:


● Review devices in a device group.
● Create a device group hierarchy.
● Learn about context switching between Panorama and VM-Series firewalls.

Task 1 – Review Device Groups


Step 1: Go to the Device Groups node in the Panorama tab. The device group UTD-DeviceGroup-1 has
already been created in Panorama.

Shared is the top parent device group for all device groups. Device group hierarchy is supported in Panorama,
and we will cover that in the next task.
A device group is a great way to group firewalls in an active-passive high availability (HA) configuration, so that
Panorama can push the same policies and objects to the firewalls in the HA pair.

Step 2: Click UTD-DeviceGroup-1 to open up the device group window. In this window, you can add or remove
devices from the device group. You can use the filters to quickly find the firewalls that you want to include in the
device group.

Step 3: Under Master Device, select PA-VM-1 to be the master device for this device group, then click “OK”. The
master device is the firewall from which Panorama gathers information for User-ID™ user identification technology
to be used in policies for the devices in that group.

Step 4: Click Commit on the top right-hand corner and you have a few options. Select Commit to Panorama to
activate the changes made in Panorama. On the next screen you will be able to commit changes made by you or
commit the changes by all administrators. Select Commit All Changes, then click Commit to fully execute the
commit action. Note that you also have the option to Preview Changes or Validate Commit before finalizing your
commit action.

Step 5: There are different commit types when committing changes in Panorama: Commit to Panorama, Push
to Devices, or Commit and Push to the firewalls. It is recommended to commit all changes to Panorama first
before pushing changes to the firewalls. You can also commit all pending changes or only the changes
made by you. We will discuss more details in Activity 5. Close the Commit Status window when the commit action
is completed.

Task 2 – Create a Device Group Hierarchy


A device group hierarchy enables you to organize devices based on common policy requirements without
redundant configurations. You can create nested device groups in a tree hierarchy of up to four levels.

All device groups inherit settings from the top of the hierarchy for configurations that are common to all device
groups. In the above example, the Datacenters and Branches device groups share the configuration from the
“Shared” location. We will demonstrate how to create a device group hierarchy but will not go into the details of
the configuration.

Step 1: To create a device group, go to Panorama > Device Groups and click Add at the bottom to create a new
device group.

Step 2: Name the device group NewOnboard-DeviceGroup; the default Parent Device Group is Shared. Click
OK to save the device group. We will use this device group later during the lab.

Step 3: To create a child device group, select the UTD-DeviceGroup-1 by clicking the check box next to it, then
click Add at the bottom to create a new device group.

Step 4: Name the device group Child-DeviceGroup, and the UTD-DeviceGroup-1 should have been selected
as the Parent Device Group. If not, select UTD-DeviceGroup-1 as the parent device group. Click OK to close
the device group window.

Step 5: You can see a new device group created under UTD-DeviceGroup-1. Commit the changes to
Panorama.

Step 6: Go to the Policies tab and notice the new device groups that you have created and their hierarchy. Select
UTD-DeviceGroup-1 and select Pre-Rules under the Security node. You should see some policies there.

Step 7: Now select Child-DeviceGroup. Note that you still see the same policies in this device group, but the
background color is different and there is a green gear next to the policy names. This indicates that the policies
are inherited from the parent device group.

Step 8: Now select NewOnboard-DeviceGroup in Device Group. You should see no policy in this device
group, as there is no policy in the Shared device group to inherit from.

Notice the text Device Group at the top of the Policies and Objects tabs; it reminds you that these tabs apply
only to the device group selected in the Device Group drop-down.

Step 9: While you are in the new NewOnboard-DeviceGroup device group, go to Objects > Address, create a
new address object with the following, then commit the changes to Panorama.

Name: Panorama-IP
Value: 10.30.61.11

Task 3 – Context Switch between Panorama and Firewalls


The Panorama web interface enables you to toggle between a Panorama-centric view and a firewall-centric view
by using the Context drop-down at the top-left corner. You can switch the context to Panorama to manage firewalls
centrally, or switch the context to a specific firewall to review or configure it through the firewall GUI.

Step 1: Go to the Dashboard tab on Panorama, then click the Context drop-down. Click PA-VM-1 on the right
to switch context to this firewall.

Note: You can use the filters to identify the firewalls by platforms, devices groups, templates, etc.

Step 2: After switching the context to the PA-VM-1 firewall, you will see the GUI of the firewall.

Note: The MGT IP address of PA-VM-1 is 10.30.61.21, but the IP address or URL in the browser address
bar remains that of the Panorama device, so we have not left Panorama but just switched context. Also note that
there is no Device Group drop-down or Panorama tab.

Here, you can move among tabs as you normally would on the PAN-OS GUI. You can also make configuration
changes (though we will not do that now).

Step 3: Go back to the Dashboard tab, then click the Context drop-down and select Panorama to context
switch back to Panorama.

After switching the context back to Panorama, you should see Panorama under the Context drop-down. Notice
that you will again see the Device Group drop-down on top of the Policies and Objects tabs, and the Panorama tab.

End of Activity 2

Activity 3 – Pre, Post and Local Rules
Background: Rules in Panorama can be added as “Pre-” or “Post-” rules within each device group.
Administrators can decide to manage rules as pre-, post-, or use a combination of both.

In this activity, you will:


● Learn about the different types of rules in Panorama.
● Configure the firewall using pre and local rules.

Task 1 – Panorama Rules Quick Overview


Rules in Panorama can be added as Pre- or Post- rules within each device group. Administrators can decide to
manage rules as pre-, post-, or use a combination of both, including the insertion of locally added rules, which are
placed in order between the Pre and Post rules managed from Panorama. Rules are checked from top to bottom,
with the pre-rules checked first in order, followed by the local rules, then the post-rules.
Pre-rules: Pre-rules are inserted at the top of the rule order and are checked first in the configuration, before the
post or locally defined rules.
Post-rules: Post-rules are inserted at the bottom of the rule order and are checked last in the configuration, after
the pre- and locally defined rules.

Once the pre- and post-rules are set up, they can be pushed to the firewalls from Panorama. Note that pre- and
post-rules created on Panorama cannot be modified by the firewall, and local rules created on the firewall cannot
be modified by Panorama. The display above includes local firewall rules which are only visible when examining
the firewall’s display. Panorama does not display locally created firewall rules of any type.
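To make the evaluation order concrete, here is an added Python model (not Panorama code, and not part of the workshop) that composes a firewall’s effective Security rulebase and runs first-match lookups against it. It generalises the single device group described above to the hierarchy built in Activity 2 (Shared, UTD-DeviceGroup-1, Child-DeviceGroup); the post-rule, the zones on the local rules and the application-group membership are constructed for the example.

```python
"""Model of how Panorama composes a managed firewall's effective Security
rulebase from device-group pre-rules, local rules and post-rules.

Added illustration, not Panorama code. Order modelled:
  Shared pre -> parent DG pre -> child DG pre -> local rules
  -> child DG post -> parent DG post -> Shared post
Application-group membership and the post-rule are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: FrozenSet[str]      # application names; "any" matches every app
    action: str               # "allow" or "deny"
    origin: str               # device group that owns the rule, or "local"

    def matches(self, flow: Dict[str, str]) -> bool:
        return (self.src_zone == flow["src_zone"]
                and self.dst_zone == flow["dst_zone"]
                and ("any" in self.apps or flow["app"] in self.apps))


@dataclass
class DeviceGroup:
    name: str
    parent: Optional["DeviceGroup"] = None
    pre: List[Rule] = field(default_factory=list)
    post: List[Rule] = field(default_factory=list)

    def lineage(self) -> List["DeviceGroup"]:
        """Ancestors first: [Shared, ..., parent, self]."""
        chain, group = [], self
        while group is not None:
            chain.append(group)
            group = group.parent
        return chain[::-1]


def effective_rulebase(dg: DeviceGroup, local_rules: List[Rule]) -> List[Rule]:
    """Rule order the firewall evaluates: pre (top-down), local, post (bottom-up)."""
    lineage = dg.lineage()
    ordered: List[Rule] = []
    for group in lineage:              # Shared pre-rules first, child last
        ordered.extend(group.pre)
    ordered.extend(local_rules)        # rules defined on the firewall itself
    for group in reversed(lineage):    # child post-rules first, Shared last
        ordered.extend(group.post)
    return ordered


def first_match(rulebase: List[Rule], flow: Dict[str, str]) -> Optional[Rule]:
    """Top-to-bottom first match; None means the default rules decide."""
    for rule in rulebase:
        if rule.matches(flow):
            return rule
    return None


def rule_names(dg: DeviceGroup, local_rules: List[Rule]) -> List[str]:
    return [r.name for r in effective_rulebase(dg, local_rules)]


# Lab objects. Application-group membership is constructed for the example.
CORP_SANCTIONED_APPS = frozenset({"ms-office365", "dropbox", "salesforce"})
LOCAL_SANCTIONED_APPS = frozenset({"dropbox", "slack"})

SHARED = DeviceGroup("Shared")                       # holds no rules in the lab
UTD_DG1 = DeviceGroup("UTD-DeviceGroup-1", parent=SHARED, pre=[
    Rule("Allow-Web-Traffic", "L3-Trust", "L3-Untrust",
         frozenset({"web-browsing", "ssl"}), "allow", "UTD-DeviceGroup-1"),
    Rule("Allow-Corp-Sanctioned-Apps", "L3-Trust", "L3-Untrust",
         CORP_SANCTIONED_APPS, "allow", "UTD-DeviceGroup-1"),
], post=[
    # Constructed post-rule: catches whatever no pre- or local rule allowed.
    Rule("Deny-Unsanctioned-Post", "L3-Trust", "L3-Untrust",
         frozenset({"any"}), "deny", "UTD-DeviceGroup-1"),
])
CHILD_DG = DeviceGroup("Child-DeviceGroup", parent=UTD_DG1)  # inherits only

# Local rules on PA-VM-2 (the white-background rows in the firewall GUI).
PA_VM_2_LOCAL = [
    Rule("Allow-Local-Sanctioned-Apps", "L3-Trust", "L3-Untrust",
         LOCAL_SANCTIONED_APPS, "allow", "local"),
    Rule("ping-allow", "L3-Trust", "L3-Untrust", frozenset({"ping"}), "allow", "local"),
]


def outbound(app: str) -> Dict[str, str]:
    return {"src_zone": "L3-Trust", "dst_zone": "L3-Untrust", "app": app}


if __name__ == "__main__":
    rb = effective_rulebase(UTD_DG1, PA_VM_2_LOCAL)
    print("PA-VM-2 order:", [r.name for r in rb])
    for app in ("dropbox", "slack", "ping", "bittorrent"):
        hit = first_match(rb, outbound(app))
        print(f"{app:10s} -> {hit.name} ({hit.origin}, {hit.action})")
```

The dropbox lookup shows the point the text makes: an application allowed by a Panorama pre-rule is decided there, and a local rule covering the same flow never fires, while a local rule still takes precedence over any post-rule.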

Task 2 – Create and Review Pre-Rules
Step 1: In Panorama, go to the Policies tab, then select UTD-DeviceGroup-1 under Device Group.

Step 2: Select Pre-Rules under the Security node, then add a new rule below Allow-Web-Traffic.

Step 3: Click the Add command at the bottom and name the new rule Allow-Corp-Sanctioned-Apps.

Step 4: In the Source tab, add L3-Trust to the Source Zone and Windows_Devices to Source Device using
the Add button; in the Destination tab, add L3-Untrust to the Destination Zone.

Note: New in PAN-OS 10.0, Device-ID provides policy rules that are based on the device type, regardless of
changes to its IP address or location. By providing traceability for devices and associating network events with
specific types of devices, Device-ID allows you to gain context for how events relate to devices and write policies
that are associated with devices. Device-ID requires an Internet of Things (IoT) Security and a Cortex Data Lake
(CDL) license. To learn more about the new IoT Security Service and Device-ID, please visit here or participate
in one of the Cloud-Delivered Security Services (CDSS) Ultimate Test Drives.

Step 5: In the Application tab, click Add to add Corp-Sanctioned-Apps application group. Type the name in
the field to find the application group name, and check the box next to it.

Step 6: In the Actions tab, select Profiles under Profile Type, then select default for Antivirus, Vulnerability
Protection, Anti-Spyware, and WildFire Analysis profile. Then select To-Panorama for Log Forwarding.
Click “OK” to accept the new policy. Move it if required between the existing rules using the move command at
the bottom.

Step 7: Commit all changes to Panorama. This will save the policy changes to Panorama, but the changes will not
be committed to the firewalls yet.

Step 8: To preview how the new rule will look in the firewall, click Preview Rules at the bottom to preview the
policies in the firewall.

Step 9: Switch to different firewalls using the Device drop-down list, click Arrow after selecting the new device
to refresh the screen. Notice the new policy is added in the preview, then close the preview window.

Step 10: Context switch to the PA-VM-1 firewall and see that the Allow-Corp-Sanctioned-Apps policy has not
been committed to the firewalls at this point. You can review PA-VM-2 policies as well.

Task 3 – Create with Policy Optimizer
We will create one more policy using the Policy Optimizer feature to easily change a port-based policy into an
application-based policy. Policy Optimizer is available in PAN-OS 9.0 in Panorama, and it can be used on
firewalls running earlier versions of PAN-OS.

Step 1: Context switch back to Panorama, with UTD-DeviceGroup-1 as the device group, select Pre Rules
under Security.

Step 2: Click on the Monitor-Tap policy to open up the policy window, click the last tab Usage, and then click
the Compare Applications & Applications As Seen to open the Application Usage window.

Step 3: We are using the tap policy in this lab that is configured with active traffic. You can use the policy
optimizer on any layer-3, layer-2 or v-wire policy. Scroll down the Apps Seen window to see what applications
this policy is seeing and the volume of data seen for that application.

Step 4: In the Apps Seen window, select the hotmail application, or any application, then click on Create
Cloned Rule at the bottom.

Step 5: In the Create Cloned Rule window, enter Allow-hotmail as the Name, or any name that matches your
selected application. Notice that the Dependent Applications window shows the dependencies on other
applications based on the selected application; we will leave it checked to include them in our policy. Click OK to
close the window. Click “OK” again to close the policy window.

Step 6: Notice that a new app-based policy has been created for you. Scroll to the left to see that the applications,
including the dependent applications selected in the last step, have been added to this policy.

Step 7: Commit to Panorama to save the changes.

The Policy Optimizer in Panorama enables you to easily create application-based rules from an existing
port-based policy. Once you have whitelisted all the applications you want, you can remove the port-based policy to
prevent unwanted applications on those ports, which improves your security posture.

Task 4 – Push rules to the firewalls


Step 1: Go to Panorama > Managed Devices > Summary. Notice that the Shared Policy under Status is out
of sync. That is because the policy changes have not been committed on the firewalls yet.

Step 2: Commit the changes again. This time select Push to Devices. In the Push to Devices window, click
Edit Selections under Push Scope and select UTD-DeviceGroup-1. Click Push to execute the commit.
Ensure its status is “Completed”, then click the “Close” button.

Step 3: After the changes are committed, wait about 30 seconds while the configuration is pushed to the firewalls.

Go back to Managed Devices and you will see that Shared Policy is now in sync. Keep in mind that when the
commit is completed in Panorama, it still needs to send the configuration to the firewall. If this screen has not
refreshed, click on the refresh button.

Step 4: Context switch to the PA-VM-1 or PA-VM-2 firewall, then go to Policies > Security to confirm that the
new rules are added.

Task 5 – Adding Local Rules


Local rules are rules that are locally defined on the specific firewall. Local rules can be configured directly
through the firewall management GUI or by Panorama via context switching. We will change the local firewall
rule through Panorama context switching in this exercise.

Note: Local rules cannot be managed through device group in Panorama.

Step 1: In Panorama, switch context to PA-VM-2.


Step 2: Go to Policies > Security. Notice there is one local rule. (Local rules are those with the white
background.)

Step 3: Add a new rule below the current local rule with the following:
Name: Allow-Local-Sanctioned-Apps
Source: L3-Trust
Destination: L3-Untrust
Application: Local-Sanctioned-Apps
Action: Allow
Profile Type: Profiles
Antivirus, Vulnerability Protection and WildFire Analysis: default
Log Forwarding: To-Panorama
Click “OK”.

Step 4: Now let’s move the policy above ping-allow. First select the rule by clicking on the number in the left
column but do not open it. The rule will turn gray. Then go to “Move” on the lower tab of the firewall and select
Move up.

Step 5: Commit the change to the firewall. Notice that there is no option to commit to Panorama when context is
switched to the firewall.

Step 6: Context switch back to Panorama and go to Panorama > Managed Devices > Summary. Notice that the
status of the shared policy is not affected by the changes in the local policy.

End of Activity 3

Activity 4 – Templates, Template Stacks and Variables
Background: Templates and template stacks enable you to define a common base configuration defined
in the “Network” and “Device” tabs on Panorama. For example, you can use templates to manage interface
and zone configurations, server profiles for logging and syslog access, and network profiles for
controlling access to zones and IKE gateways. Template stacks provide the ability to layer multiple
templates and create a combined configuration. Firewalls receive settings from all Templates in their
assigned stack. Template Variables can be defined to store values that are common among devices but
need customized values for each device.

In this activity, you will:


● Review the Templates feature in Panorama
● Modify configurations using templates and template stacks for the firewalls
● Create specific firewall settings using Template Variables

Task 1 – Review a Template and Template Stack


Step 1: On the Panorama GUI, make sure the context is switched to Panorama. Go to the Panorama tab, then
the Templates node. You can add, delete or clone templates and template stacks in the Templates window.

Step 2: The Templates window also shows which firewalls are assigned to each template stack. Click the template stack
UTD-TemplateStack-1 to review it. Multiple templates can be added to a template stack, and devices can be assigned
to or removed from a template stack. Click “Cancel” to close the window without making any changes.



Step 3: To review the settings in a template, go to the Network tab, select UTD-Template-1 in the
Template drop-down and select the Interfaces node. The displayed values were entered into this
template beforehand. Notice that the IP addresses of the interfaces are set to template variable names; we will examine
those in Task 5.

Step 4: Select UTD-TemplateStack-1 in the Template drop-down. This displays the settings from all templates
in the stack that will be collectively pushed to the assigned devices. The green gear icon indicates settings that
have been inherited from one of the templates assigned to the stack.

Task 2 – Create and Configure a New Template


Step 1: Go back to Panorama > Templates. Click Add at the bottom to create a new template and name it
UTD-Template-2. You can add your own text in the Description field if you like.



Step 2: Go to the Network tab. Make sure the context is set to Panorama, then select the new UTD-Template-2 in the
Template drop-down. Go to the Zones node; since this is a new template, there is no configuration here yet. Click
Add to add a new zone.

Step 3: Name the new zone New-Tap-Zone, then select Tap for Type. Click OK to close the zone window.

Step 4: Next, go to the Interfaces node. There is no interface configuration in this new template yet, so click Add
Interface at the bottom to add a new interface.

Step 5: Select the following in the Ethernet Interface window.

Slot: Slot 1
Interface Name: ethernet1/5
Interface Type: Tap
Security Zone: New-Tap-Zone
Link State (Advanced): Down

Note: We skipped the interface “ethernet1/4” to make it easier to see after the changes are committed to the firewall



Step 6: Click “OK” to close the interface window. You should now see a single interface, ethernet1/5, configured in
UTD-Template-2.

Step 7: Switch to UTD-Template-1 in the Template drop-down to see the other interface configurations.

Step 8: Commit all changes to Panorama.

Task 3 – Create and Configure a New Template Stack


Step 1: Go to the Panorama > Templates node, click UTD-TemplateStack-1 and uncheck PA-VM-2 to remove this
device from the template stack.

Step 2: Click OK to close the Template Stack window and make sure only PA-VM-1 is now associated with UTD-TemplateStack-1.



Step 4: Click Add Stack to create a new template stack. Name it UTD-TemplateStack-2.

Step 5: Add UTD-Template-1 and UTD-Template-2 to this template stack. Select PA-VM-2 in the Devices
section and add your own description. Click “OK” to close the template stack window.

Step 6: You now have UTD-TemplateStack-1, which includes UTD-Template-1 and applies to PA-VM-1, and the
new UTD-TemplateStack-2, which includes UTD-Template-1 and UTD-Template-2 and applies to PA-VM-2.

Step 7: Commit all changes to Panorama.

Step 8: When the commit to Panorama is done, go to Commit > Push to Devices, set the Push Scope to
UTD-TemplateStack-2 and click Push to push the configuration.



Step 9: After the push succeeds, close the commit window. Switch context to PA-VM-1 and go to the
Network > Interfaces node. Three interfaces (ethernet1/1, ethernet1/2 and ethernet1/3) are
configured, as defined in UTD-Template-1.

Step 10: Then context switch to PA-VM-2. Four interfaces (ethernet1/1, ethernet1/2,
ethernet1/3 and ethernet1/5) are configured, as defined in UTD-Template-1 and UTD-Template-2 combined.

This example shows how you can layer multiple templates and create a combined configuration.

Task 4 – Override Template Setting


In Tasks 2 and 3, we created a new tap interface in UTD-Template-2 and pushed it to PA-VM-2 through
UTD-TemplateStack-2. The link state of that interface is set to Down when it is deployed to the firewall. In this task, we
demonstrate how to make changes locally on the firewall by overriding the template setting.



Step 1: With the context switched to PA-VM-2, go to Network > Interfaces. Notice that the link state of the new tap interface
ethernet1/5 is down.

Step 2: Select ethernet1/5 (do not click the name), then click Override at the bottom of the window. If you click
the interface name to open the Ethernet Interface window, you will see that it is read-only and cannot be
changed.

Step 3: Change the Link State to up in the Advanced tab. Click OK to close the window.

Step 4: Now commit the changes directly on PA-VM-2. You should see the interface icon change to green.
Notice the Override icon next to the interface name. This indicates that the template configuration has been overridden
by local changes.

You have successfully changed the configuration on firewall PA-VM-2 locally, on top of the template configuration from
Panorama. Keep in mind that an overridden setting stays under local control: later template pushes from Panorama no longer
change it, so the firewall can drift from what Panorama shows. To return the setting to template control, select it and click
Revert.

Task 5 – Template Variables


Template Variables are defined in Templates and Template Stacks. They can have individual values stored for
specific devices that are assigned to the Template Stack. This allows you to create common configuration data
for multiple devices while being able to customize and manage individual values in Panorama.



Step 1: Context switch to Panorama, then go to the Panorama > Templates node. Click Manage… in the
Variables column for the UTD-Template-1 template.

Notice the three existing variables and their default values. A default applies to every device attached to any
template stack this template belongs to, unless the device overrides it. A value must be provided when a variable is
created; the defaults shown here are placeholders that the lab overrides later. Click “Close”.

Step 2: Go to the Panorama > Managed Devices > Summary node. Click on Edit for the PA-VM-1 device.



Notice that this device has overridden values for each of these variables, marked by the Override symbol. Check one of
the variable names and you will see a Revert option at the bottom. Click the name to review
the value of the variable. Click OK, then Close the window.

Step 3: Go to the Panorama > Templates node. Click Manage… for the UTD-Template-1 template. Click
“Add” at the bottom to add a new variable with the information shown below. Click OK and Close when
complete.

Name: $Address-CorpEmailServer (the leading $ is required)
Type: IP Netmask
Value: 10.160.100.53
Description: any description

We have just defined a new template variable holding the address of the organization's email server, with the
address provided as the default value. Notice that every template variable name must begin with “$”.



Step 4: Go to Device > Server Profiles > Email and select UTD-Template-1 in the Template drop-down. Click Add at the
bottom. Enter Corp-EmailServer as the profile name.

Step 5: Click Add at the bottom and enter the details below. Under Email Gateway, open the list of
variable choices and select the new variable $Address-CorpEmailServer.

Name: Corp Email
Email Display Name: Firewall
From: firewall@corp.com
To: admins@corp.com
Email Gateway: select [$Address-CorpEmailServer]



Step 6: Go to the Panorama > Managed Devices > Summary node. Click Edit in the Variables column for
the PA-VM-1 device. Notice the new template variable in the list.

Step 7: Check the box next to $Address-CorpEmailServer and click the Override button at the bottom. Enter a
new address of 123.54.67.128. Click OK.

We have overridden the inherited address with one specific to this device (a fictional address chosen at
random for this lab). Notice that the icon has changed to indicate an overridden value. Click Close.

Step 8: Commit the changes using Commit and Push. Check that Commit All Changes is selected, then click
Commit and Push. When the commit and push has completed, wait about 30 seconds for the local device
commits to finish, then context switch to each device and examine the Device > Server Profiles > Email server
profile. Notice that the PA-VM-1 email gateway has the overridden IP address, while the PA-VM-2 email
gateway has the template's default address.



(Screenshots: the Corp-EmailServer profile on PA-VM-1 and on PA-VM-2.)
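The following Python model is an added example, not Palo Alto Networks code, written to make the three rules exercised in Tasks 3, 4 and 5 explicit: a template stack merges its templates and the template higher in the stack wins on a conflict; a $variable resolves to the device-specific override when one exists and to the template default otherwise; a setting overridden locally on the firewall keeps its local value when Panorama pushes again. Template, stack, device and variable names mirror the lab; the interface addresses, the $ip-* variable names and the zone on ethernet1/3 are constructed sample data.

```python
"""Model of how Panorama composes a firewall's effective template configuration.

Added example, not Palo Alto Networks code. Names mirror the lab; interface
addresses, the $ip-* variable names and the zone on ethernet1/3 are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# {object name: {setting: value}}; a value beginning with "$" is a template variable
Settings = dict[str, dict[str, str]]


@dataclass
class Template:
    name: str
    settings: Settings
    variables: dict[str, str] = field(default_factory=dict)  # default values


@dataclass
class TemplateStack:
    name: str
    templates: list[Template]  # index 0 is the highest-priority template
    devices: list[str]


def merged_settings(stack: TemplateStack) -> Settings:
    """Merge lowest-priority template first so higher templates overwrite conflicts."""
    merged: Settings = {}
    for tpl in reversed(stack.templates):
        for obj, values in tpl.settings.items():
            merged.setdefault(obj, {}).update(values)
    return merged


def variable_defaults(stack: TemplateStack) -> dict[str, str]:
    defaults: dict[str, str] = {}
    for tpl in reversed(stack.templates):
        defaults.update(tpl.variables)
    return defaults


def resolve_variables(settings: Settings, stack: TemplateStack, device: str,
                      device_overrides: dict[str, dict[str, str]]) -> Settings:
    """Replace $variables with the device override, else the template default."""
    values = variable_defaults(stack)
    values.update(device_overrides.get(device, {}))
    resolved: Settings = {}
    for obj, kv in settings.items():
        resolved[obj] = {}
        for key, val in kv.items():
            if val.startswith("$"):
                if val not in values:
                    raise KeyError(f"{device}: no value for template variable {val}")
                val = values[val]
            resolved[obj][key] = val
    return resolved


def push_to_device(stack: TemplateStack, device: str,
                   device_overrides: dict[str, dict[str, str]],
                   local_overrides: dict[str, Settings]) -> Settings:
    """Configuration the firewall holds after a push: stack config with
    variables resolved, and any locally overridden settings preserved."""
    if device not in stack.devices:
        raise ValueError(f"{device} is not assigned to {stack.name}")
    cfg = resolve_variables(merged_settings(stack), stack, device, device_overrides)
    for obj, kv in local_overrides.get(device, {}).items():
        cfg.setdefault(obj, {}).update(kv)
    return cfg


# Lab objects (addresses, $ip-* names and the L3-DMZ zone are constructed).
UTD_TEMPLATE_1 = Template(
    "UTD-Template-1",
    settings={
        "ethernet1/1": {"zone": "L3-Untrust", "ip": "$ip-untrust"},
        "ethernet1/2": {"zone": "L3-Trust", "ip": "$ip-trust"},
        "ethernet1/3": {"zone": "L3-DMZ", "ip": "$ip-dmz"},
        "Corp-EmailServer": {"gateway": "$Address-CorpEmailServer"},
    },
    variables={
        "$ip-untrust": "203.0.113.1/24",
        "$ip-trust": "192.0.2.1/24",
        "$ip-dmz": "198.51.100.1/24",
        "$Address-CorpEmailServer": "10.160.100.53",  # default from Task 5
    },
)
UTD_TEMPLATE_2 = Template(
    "UTD-Template-2",
    settings={"ethernet1/5": {"type": "tap", "zone": "New-Tap-Zone", "link-state": "down"}},
)
UTD_TEMPLATESTACK_1 = TemplateStack("UTD-TemplateStack-1", [UTD_TEMPLATE_1], ["PA-VM-1"])
UTD_TEMPLATESTACK_2 = TemplateStack("UTD-TemplateStack-2", [UTD_TEMPLATE_1, UTD_TEMPLATE_2], ["PA-VM-2"])

DEVICE_OVERRIDES = {"PA-VM-1": {"$Address-CorpEmailServer": "123.54.67.128"}}  # Task 5, Step 7
LOCAL_OVERRIDES = {"PA-VM-2": {"ethernet1/5": {"link-state": "up"}}}            # Task 4


def lab_result() -> dict[str, Settings]:
    """What each lab firewall holds after the pushes in Tasks 3 to 5."""
    return {
        "PA-VM-1": push_to_device(UTD_TEMPLATESTACK_1, "PA-VM-1", DEVICE_OVERRIDES, LOCAL_OVERRIDES),
        "PA-VM-2": push_to_device(UTD_TEMPLATESTACK_2, "PA-VM-2", DEVICE_OVERRIDES, LOCAL_OVERRIDES),
    }


if __name__ == "__main__":
    for dev, cfg in lab_result().items():
        print(dev, sorted(cfg))
        print("  email gateway:", cfg["Corp-EmailServer"]["gateway"])
```

Running it reproduces the state the screenshots show: PA-VM-1 has three interfaces and the overridden gateway 123.54.67.128; PA-VM-2 has four interfaces, the default gateway 10.160.100.53 and ethernet1/5 up. The stack order matters only when two templates set the same value; with a conflict, the template listed first in the stack wins, which is why a shared base template normally sits at the bottom of a stack.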

End of Activity 4



Activity 5 – Administrator-Level Commit and Revert
Background: Each administrator can commit, validate, preview, save, and revert changes in Panorama
or firewall configuration independent of changes that other administrators have made. This simplifies
the configuration workflow because administrators don't have to coordinate commits with one another
when changes are unrelated.

In this activity, you will:


● Create a second administrator account.
● Make changes under one admin, then, as the second admin, commit only that admin's changes.
● Revert a configuration change.

Task 1 – Create New Administrator Account


Step 1: Within Panorama go to the Panorama > Administrators node.

Step 2: Click the Add button at the bottom to create another user called student-1 with the password utd246.
Leave the rest of the fields at their defaults. Click OK to close the window.

Step 3: Commit to Panorama, once the commit is done close the window.

Task 2 – Modify Configuration (without commit)


Step 1: In Panorama, go to the Policies > Security node. Be sure to select the UTD-DeviceGroup-1 device
group at the top. Add a new security Pre-rule with the following information:

Name: Allow-Salesforce
Source > Source Zone: L3-Trust
Destination > Destination Zone: L3-Untrust
Actions > Action: Allow
Actions > Profiles: Select default for Antivirus, Vulnerability Protection and WildFire Analysis

Note that we have deliberately left the salesforce application out of the Application tab of this new policy, so the
policy is not complete yet.
Step 2: Click OK to close the policy window and move the rule to the top, but do not commit the changes.

Step 3: Log out of the GUI using the Logout button in the bottom left corner of the window.

Task 3 – Modify Configuration with Different Administrator Account

Step 1: Log back into Panorama using student-1 with password utd246.

Step 2: Go to the Network > Interfaces node with UTD-Template-1 selected in the Template drop-down, and open interface
ethernet1/3. Create a new security zone called New-Tap-Zone using the New Zone option under Security
Zone. Enter the new zone name in the Zone window and accept the defaults for the rest. Click OK to close each
window.



Step 3: Go to Commit > Commit and Push. Instead of the default Commit All Changes at the top left, select
Commit Changes Made By (1) student-1. Look at the differences in commit scope when switching between
the two options. Once you have compared both, make sure your selection stays on Commit Changes
Made By (1) student-1, and click Commit and Push.

Step 4: Look at the Commit and Push Status window and note that under Details it shows that only the partial set of
changes made by student-1 was committed. Close the commit window.



Task 4 – Confirm Configuration Changes by Account
Step 1: In Panorama, switch the context to either PA-VM-1 or PA-VM-2.

Step 2: Go to the Policies > Security node. Check whether the Allow-Salesforce rule created in Task 2 is present on the
firewall. (Hint: it is not.)

Step 3: Go to the Network tab and, under the Interfaces node, check whether the ethernet1/3 interface is assigned to
New-Tap-Zone. (Hint: it should be.) The new zone is also listed under Network > Zones.
This means that the configuration made by user student-1 was committed, whereas the configuration made by user
student was not.

Step 4: Switch context back to Panorama (still as user student-1); we will now commit the other user's
configuration. If the browser has logged you out, log back in as student-1 / utd246.

Step 5: Go to the Policies > Security > Pre Rules node, select the UTD-DeviceGroup-1 device group, and open
the Allow-Salesforce policy under Pre Rules that was created as user student. Go to the Application tab,
add salesforce as an application and click OK to close the window. We have now modified, as student-1, a configuration
made by user student. Next we push all changes.

Step 6: Execute a Commit > Commit and Push, but this time select Commit All Changes and complete the
commit.

Step 7: Switch context to PA-VM-1 or PA-VM-2 and make sure the new rule shows up.



Task 5 – Revert Configuration
Revert operations replace settings in the current candidate configuration with settings from another configuration.
Reverting is useful when you want to undo changes to multiple settings in a single operation instead of
manually reconfiguring each setting.

Step 1: Switch to the Panorama context and logout of student-1. Log back in as student / utd246.

Step 2: In Panorama go to the Policies > Security > Pre Rules node and ensure the Device Group is set to
UTD-DeviceGroup-1.

Step 3: Select the first security policy, which should be Allow-Salesforce, by clicking the number next to it,
then click Delete at the bottom and make sure the rule is no longer in the policy list.

Step 4: Oops! We have accidentally deleted a policy that was not meant to be deleted. Fortunately, nothing is
lost, because the deletion exists only in the candidate configuration. Go to the Config menu in the upper right-hand
corner, next to the search icon, and click Revert Changes. On the pop-up screen, make sure you are reverting only your
own changes by selecting Revert Changes Made By …, then click Revert; the policy should return.



End of Activity 5.



Activity 6 – Role-Based Access Control
Background: Role-based access control (RBAC) enables you to define the privileges and responsibilities
of administrative users (administrators). Every administrator must have a user account that specifies a
role and authentication method. RBAC is supported on both the firewall and Panorama. When RBAC is
used in the firewall, Administrative roles define access to specific configuration settings, logs, and reports
within the firewall. When RBAC is used in Panorama, “Administrative Roles” define access to specific
configuration settings within both Panorama and firewall contexts. We will demonstrate some basic role-
based access control through Panorama in this activity.

In this activity, you will:


● Review the defined Admin Role and Access Domain.
● Create a new user with the specific Admin Role and Access Domain.

Task 1 – Review Admin Role and Access Domain


Step 1: Admin Role profiles are custom administrative roles that let you define granular administrative
access privileges. Make sure the context is set to Panorama, go to Panorama > Admin Roles and open
the FW-Rules-Admin profile.

Step 2: A Device Group and Template role assigns read-write, read-only or no access to each
functional area within the device group, template and firewall contexts. The list under Web UI defines access in
the Panorama GUI. Click Cancel to close the profile window without making any changes.



Step 3: Go to Access Domain node then open the VM-1-Only profile. Click the Device Context tab and notice
that only PA-VM-1 is selected here. Click “Cancel” to close the window without any changes.

Task 2 – Create New User Account on Panorama


Step 1: Go to Panorama > Administrators. Click Add to add a new user account. Name the new user
student-2 with password utd246. Don't click “OK” yet!

Step 2: Select Device Group and Template Admin as the Administrator Type.

Step 3: Under Access Domain to Administrator Role, add VM-1-Only as the Access Domain and
FW-Rules-Admin as the Admin Role. Click OK to close the window.



You might need to press the tab key to accept your changes.

Step 4: Commit changes to Panorama.

Task 3 – Verify Account Access on Panorama

Step 1: Log out of the user student using the Logout button at the bottom.

Step 2: Log in using the account created in the previous task: student-2 / utd246. With this new account, you
can see that access to Panorama features is limited.

Step 3: Notice that there is no device group in the Device Group drop-down. Switch context to PA-VM-1.
Notice that PA-VM-2 is not available for a context switch from this account.



Step 4: After the context is switched to PA-VM-1 you will have access to more tabs in the device.

Step 5: This user account was created to manage firewall rules on the PA-VM-1 firewall. You can
go to Policies > Security to create a new test policy and commit the necessary changes.

Step 6: Add a new test security policy of your own design and commit the change. The student-2 account can
edit the local policy of PA-VM-1 but not the pre-rules or post-rules managed by Panorama.

Step 7: Log out of the student-2 account.

Step 8: Log back into Panorama using the student account:

Name: student
Password: utd246

You should have access again to all the Panorama features as the user student.

Step 9: Go to Device > Admin Roles and make sure UTD-Template-1 is selected under Template.

Step 10: Click FW-Rules-DeviceAdmin to review the role that applies to the user after a context
switch.

Step 11: Go back to the Panorama tab and, under Admin Roles, open the FW-Rules-Admin role. You will find the
reference to the admin role used after a context switch.



By combining Access Domain with Admin Role in Panorama and Templates, you can enforce very granular
separation of access among the functional or regional areas of your organization all through Panorama.
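The Python model below is an added example, not Palo Alto Networks code. It makes the two-layer check of this activity explicit: a Device Group and Template administrator gets access only where both layers allow it, the access domain deciding which device groups, templates and firewall contexts the admin can reach at all, and the admin role deciding the level of access (read-write, read-only or none) to each functional area; after a context switch, the firewall-side role referenced by the Panorama role applies instead. Names mirror the lab (student, student-2, VM-1-Only, FW-Rules-Admin, FW-Rules-DeviceAdmin); the functional areas each role grants, and student being a superuser, are assumptions.

```python
"""Model of Panorama role-based access: access domain AND admin role.

Added example, not Palo Alto Networks code. Lab names are used; the areas
each role grants and the superuser status of "student" are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

RW, RO, NONE = "read-write", "read-only", "none"
_RANK = {NONE: 0, RO: 1, RW: 2}
PANORAMA = "panorama"  # the Panorama context, as opposed to a firewall name


@dataclass(frozen=True)
class AccessDomain:
    name: str
    device_groups: frozenset[str] = frozenset()
    templates: frozenset[str] = frozenset()
    device_contexts: frozenset[str] = frozenset()  # firewalls a context switch may target


@dataclass
class AdminRole:
    name: str
    areas: dict[str, str]                          # functional area -> RW / RO / NONE
    context_switch_role: AdminRole | None = None   # firewall-side role after a context switch


@dataclass
class Administrator:
    name: str
    superuser: bool = False
    assignments: list[tuple[AccessDomain, AdminRole]] = field(default_factory=list)


def access_level(admin: Administrator, context: str, scope: str, area: str) -> str:
    """Effective access for one request: deny unless an access domain admits the
    target AND the matching role grants the area. The most permissive matching
    assignment wins.

    context: PANORAMA or a firewall name (after a context switch)
    scope:   device group or template name in the Panorama context; ignored on a firewall
    area:    functional area, e.g. "policies", "objects", "network", "device"
    """
    if admin.superuser:
        return RW
    best = NONE
    for domain, role in admin.assignments:
        if context == PANORAMA:
            if scope not in domain.device_groups and scope not in domain.templates:
                continue
            level = role.areas.get(area, NONE)
        else:
            if context not in domain.device_contexts or role.context_switch_role is None:
                continue
            level = role.context_switch_role.areas.get(area, NONE)
        if _RANK[level] > _RANK[best]:
            best = level
    return best


def reachable_contexts(admin: Administrator, all_firewalls: list[str]) -> list[str]:
    """Firewalls offered in the context-switch list for this admin."""
    if admin.superuser:
        return sorted(all_firewalls)
    return sorted({fw for dom, _ in admin.assignments for fw in dom.device_contexts if fw in all_firewalls})


# Lab objects (the areas granted are assumed; the lab only says the role manages firewall rules)
FW_RULES_DEVICEADMIN = AdminRole("FW-Rules-DeviceAdmin",
                                 {"policies": RW, "objects": RO, "network": NONE, "device": NONE})
FW_RULES_ADMIN = AdminRole("FW-Rules-Admin",
                           {"policies": RW, "objects": RO, "network": NONE},
                           context_switch_role=FW_RULES_DEVICEADMIN)
VM_1_ONLY = AccessDomain("VM-1-Only", device_contexts=frozenset({"PA-VM-1"}))  # no device groups or templates
STUDENT = Administrator("student", superuser=True)
STUDENT_2 = Administrator("student-2", assignments=[(VM_1_ONLY, FW_RULES_ADMIN)])
FIREWALLS = ["PA-VM-1", "PA-VM-2", "PA-VM-3"]


def effective_matrix(admin: Administrator) -> dict[str, str]:
    """Audit view: what one admin can do in each place the lab visits."""
    checks = {
        "panorama/UTD-DeviceGroup-1/policies": (PANORAMA, "UTD-DeviceGroup-1", "policies"),
        "panorama/UTD-Template-1/network": (PANORAMA, "UTD-Template-1", "network"),
        "PA-VM-1/policies": ("PA-VM-1", "", "policies"),
        "PA-VM-1/network": ("PA-VM-1", "", "network"),
        "PA-VM-2/policies": ("PA-VM-2", "", "policies"),
    }
    return {label: access_level(admin, *args) for label, args in checks.items()}


if __name__ == "__main__":
    for admin in (STUDENT, STUDENT_2):
        print(admin.name, "contexts:", reachable_contexts(admin, FIREWALLS))
        for place, level in effective_matrix(admin).items():
            print(f"  {place:40} {level}")
```

The matrix for student-2 reproduces what Task 3 shows in the GUI: no device group is visible, PA-VM-2 is not offered for a context switch, and on PA-VM-1 only the policy area is writable. Because the check is a conjunction with deny as the default, widening either layer alone (adding a device group to the access domain, or granting an area in the role) never grants more than the other layer permits, which is what makes the combination safe to delegate.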

End of Activity 6



Activity 7 – Onboarding Firewall to Panorama
Background: Now that you are familiar with some of the features of Panorama, we will demonstrate how
to configure a firewall to be managed by Panorama. We will also show how to update content on the
managed firewalls.
In this activity, you will:
● Learn how to set up a firewall to be managed by Panorama.
● Apply a template and put the new device in a device group.
● Perform a content update on the managed firewalls through Panorama.

Task 1 – Setup firewall for Panorama


Step 1: Go to the Desktop tab in the lab environment. Use the Chrome browser and go to PA-VM-3 using the
bookmark or https://10.30.61.23. Log in to the firewall using the student account: student / utd246. This firewall
is not currently managed by Panorama. Also notice that this firewall is running an older PAN-OS release.

Step 2: In PA-VM-3 go to Device > Setup > Management. Edit the Panorama Settings using the edit button.



Step 3: Enter the management IP address of Panorama, 10.30.61.11, then click OK to save the changes.
Commit the change on PA-VM-3.

Step 4: Go to the Policies > Security node; there are no rules except the two predefined
intrazone-default and interzone-default rules.

Step 5: This firewall is otherwise unconfigured: check the Objects > Addresses, Network > Interfaces and Network >
Zones nodes and you should not see any configuration there.

Step 6: Go back to Dashboard. Note the Serial Number in the General Information widget. You can copy it to
the clipboard.



Task 2 – Onboard firewall to Panorama
Step 1: Go back to the Panorama GUI and make sure you are logged in as user student. Go to Panorama >
Managed Devices > Summary, click Add (at the bottom) and paste the serial number of PA-VM-3 into the
window.

Step 2: Leave the Associate Devices box checked and click OK; the Device Association screen appears.

Step 3: Select NewOnboard-DeviceGroup under Device Group and UTD-TemplateStack-1 under Template
Stack for this new device. Click OK, then commit the changes to Panorama.



Step 4: You should see the new PA-VM-3 device added to NewOnboard-DeviceGroup. When the
Device State shows Connected (this may take a minute or two), Panorama has established its connection with
PA-VM-3.

Step 5: Execute Commit > Commit and Push. When it finishes, you should see the green In Sync icon under
Shared Policy and Template for PA-VM-3.

Step 6: Now context switch to PA-VM-3. You should see the Panorama-IP address object in Objects >
Addresses, and the interfaces and zones under Network, which came from the NewOnboard-DeviceGroup and
UTD-TemplateStack-1 configuration.

Notes:
Palo Alto Networks provides a Zero Touch Provisioning (ZTP) service to save time and resources when deploying
new firewalls at branches or remote offices. ZTP is designed to simplify and automate
the onboarding of new firewalls to the Panorama™ management server. It lets network administrators
ship managed firewalls directly to their branches; the firewalls are added to Panorama automatically
after they connect to the Palo Alto Networks ZTP service. ZTP is
supported on selected firewalls running PAN-OS 9.1.3 and later releases.

To learn more about Zero Touch Provisioning, see the Palo Alto Networks ZTP documentation for the configuration elements
required by the ZTP service. You can also take a look at the ZTP plugin that is already installed on the Panorama
in this lab. Note that ZTP is not configured in this lab.



Task 3 – Update Antivirus Content on all the firewalls
Step 1: Context switch to Panorama and go to Panorama > Device Deployment > Dynamic Updates. Click
Check Now at the bottom to update the list with the most recent contents.

Step 2: Locate the latest available antivirus update and click Download in the Action column.

Step 3: Once the download is completed, click Install in the Action column to install the antivirus package.

Step 4: Select all three firewalls to install the content, then click OK to deploy the latest package to the
selected firewalls.



Step 5: The progress of the deployment is shown. The progress bar in the lower left shows the progress of the
entire operation, and there is an upload and installation progress indicator for each firewall too. Once completed
successfully, you have upgraded the antivirus package on all three firewalls. Close the window when completed. We have
completed a manual update; scheduled automatic updates can be configured using templates and template
stacks.

End of Activity 7



Activity 8 – Deploy new PAN-OS with Panorama
Background: Panorama allows firewall administrators to deploy PAN-OS updates to all the managed
firewalls from the Panorama GUI. We will show you the different options available after the new PAN-OS
is installed.

In this activity, you will:


● Learn how to perform a PAN-OS upgrade on managed devices.
● Take a brief look at Panorama integration with Cortex Data Lake.

Task 1 – Deploy New PAN-OS to a firewall


Firewall upgrades can be a challenge, but Panorama can ease the deployment by providing a centralized
view and control of the upgrade process. Before upgrading, review the PAN-OS version running on all devices
to ensure compatibility with the new PAN-OS. Panorama's own PAN-OS version
must be equal to or later than the version on your managed devices; managed firewalls can run earlier
versions than Panorama. A firewall must be rebooted for the new PAN-OS to take effect, so PAN-OS upgrades should be
performed during a scheduled maintenance window, after saving a backup of the device configuration. You can deploy the
OS to one firewall or to a group of firewalls.
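The following Python planner is an added example, not Palo Alto Networks code. It encodes the constraint stated above (Panorama must run the same or a later PAN-OS version than the firewalls it manages) together with one a practitioner must also observe: a firewall cannot skip a feature release (the x.y part of the version) when upgrading, so the path has to step through every intermediate feature release, rebooting at each. The ordered list of feature releases is an assumption to be checked against the release notes, as is the starting version 9.1.3 used for PA-VM-3, which the text does not state.

```python
"""Plan a PAN-OS upgrade path and check it against Panorama's own version.

Added example, not Palo Alto Networks code. FEATURE_RELEASES and the 9.1.3
starting version for PA-VM-3 are assumptions; verify against release notes.
"""
import re

FEATURE_RELEASES = ["8.0", "8.1", "9.0", "9.1", "10.0", "10.1", "10.2", "11.0", "11.1"]
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """'10.0.3-h2' -> (10, 0, 3, 2); hotfix defaults to 0 so '10.0.3' < '10.0.3-h1'."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def feature_release(version: str) -> str:
    major, minor, _, _ = parse_version(version)
    return f"{major}.{minor}"


def upgrade_path(current: str, target: str) -> list[str]:
    """Images to install in order. Each intermediate feature release is installed
    as its base image (x.y.0) followed by a reboot, then the target image."""
    if parse_version(target) < parse_version(current):
        raise ValueError(f"target {target} is older than current {current}")
    start = FEATURE_RELEASES.index(feature_release(current))
    end = FEATURE_RELEASES.index(feature_release(target))
    if start == end:
        # maintenance or hotfix upgrade within the same feature release, or nothing to do
        return [] if parse_version(target) == parse_version(current) else [target]
    return [f"{fr}.0" for fr in FEATURE_RELEASES[start + 1:end]] + [target]


def unmanageable_after_upgrade(panorama_version: str, firewall_targets: dict[str, str]) -> list[str]:
    """Firewalls whose target version would be newer than Panorama's."""
    pano = parse_version(panorama_version)
    return sorted(fw for fw, v in firewall_targets.items() if parse_version(v) > pano)


def plan(panorama_version: str, firewalls: dict[str, str], target: str) -> dict[str, list[str]]:
    """Per-firewall upgrade path to target. Refuses to plan at all if the result
    could not be managed by this Panorama, so Panorama gets upgraded first."""
    blocked = unmanageable_after_upgrade(panorama_version, {fw: target for fw in firewalls})
    if blocked:
        raise ValueError(f"upgrade Panorama first: {target} is newer than Panorama {panorama_version} for {blocked}")
    return {fw: upgrade_path(cur, target) for fw, cur in firewalls.items()}


if __name__ == "__main__":
    # Lab scenario: Panorama 10.0, PA-VM-3 on an older release (9.1.3 assumed), target 10.0.0
    for fw, steps in plan("10.0.0", {"PA-VM-3": "9.1.3"}, "10.0.0").items():
        print(fw, "->", " -> ".join(steps) or "(already at target)")
    print("from 8.1.15:", upgrade_path("8.1.15", "10.0.0"))
```

For the lab the path is a single step, 9.1.x to 10.0.0, which is why the lab can select the 10.0.0 image directly; a firewall still on 8.1 would need 9.0.0 and 9.1.0 installed first. The planner raises before producing any steps when the target would leave a firewall newer than Panorama, because that is the order of operations to protect: upgrade Panorama, then the firewalls.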

Step 1: Go to Panorama > Managed Devices > Summary to review PAN-OS on all the devices. Scroll the
display to the right to find this information.

Step 2: Click the Install button at the bottom.



Step 3: Select Software in Type and select PanOS_vm-10.0.0 in File to install. Select only PA-VM-3 and select
the Reboot device after Install option. This will update PA-VM-3 to version 10.0.

Step 4: Click OK to begin the installation process for the firewall.

Note: You have the option to Upload only to device or Reboot device after install. Select Reboot device after
install to reboot the devices and run the new PAN-OS. Upload only to device is often used when the
administrator wants to reboot and upgrade the device in a future maintenance window.

Step 5: You can see the progress in the Install Software window. Since we selected the Reboot device
after install option, it will take about 10 minutes for the device to complete the upgrade process.

Step 6: When the software installation is completed, close the Install Software window. PA-VM-3 will reboot;
you can go back to Panorama > Managed Devices to review the device status. PA-VM-3 will initially
disconnect from Panorama while it reboots; it takes a few minutes to complete the reboot and
reconnect to Panorama. After booting successfully, the device should reconnect to
Panorama with the new software version. You can continue with the next task while waiting for the upgrade to
complete.

Congratulations, you have successfully upgraded PAN-OS on the firewall.

Task 2 – Cortex Data Lake with Panorama


Cortex Data Lake lets you centralize the collection and storage of logs generated by apps on the cloud
services portal, by your on-premises, public-cloud and private-cloud firewalls, and by the GlobalProtect cloud service.
Cortex Data Lake is designed to integrate with Panorama; once configured, you can view all
firewall logs from Panorama. We will take a quick look at some of the Cortex Data Lake visibility available from
Panorama here. Cortex Data Lake was previously known as the Logging Service.



Step 1: Switch to the Panorama browser window and go to Panorama > Cloud Services > Status. Notice that
you can see the usage in your Cortex Data Lake subscription. Panorama also provides visibility to other cloud-
based services offered from Palo Alto Networks.

Step 2: Click on the Details, under Cortex Data Lake to review the status and connectivity.



Cortex Data Lake is a cloud-based offering for context-rich enhanced network logs generated by our security
offerings, including those of our Next-Generation Firewalls, GlobalProtect™ Cloud Service and more. The cloud-
based nature of Cortex Data Lake allows customers to collect ever expanding rates of data, without needing to
plan for local compute and storage. The Cortex Data Lake is the cornerstone of Palo Alto Networks Cortex open
and integrated AI-based continuous security platform.

The Cortex Security Platform aims to simplify security operations and improve security outcomes through
automation and accuracy. It provides a suite of
services and applications that build on the security intelligence in the platform. You can explore the
available services, applications and third-party integrations in the Cortex Hub.
[https://apps.paloaltonetworks.com/apps]

To learn more about Cortex, please visit the Palo Alto Networks Cortex site here.
[ https://www.paloaltonetworks.com/products/cortex]

End of Activity 8.



Activity 9 – Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive event; we hope you enjoyed the presentation and the
labs we prepared for you. Please take a few minutes to complete the online survey form to tell
us what you think about this event.

Task 1 – Take the Online Survey


Step 1: In your lab environment, click the Survey on the left.

Step 2: Please complete the survey, and let us know what you think about this event.



End of Activity 9.



Lab Setup

Device     Interface    IP Address    Connects to Zone
Panorama   Management   10.30.61.11   Management
PA-VM-1    Management   10.30.61.21   Management
PA-VM-2    Management   10.30.61.22   Management
PA-VM-3    Management   10.30.61.23   Management

