
ULTIMATE

TEST DRIVE
ML-Powered Next-Generation Firewall (NGFW)

Workshop Guide
PAN-OS 10.1

UTD-NGFW 4.1 ©2021 Palo Alto Networks, Inc. | Confidential and Proprietary 20220810 1
Table of Contents
How to use this guide ..................................................................................................................... 4
Activity 0 – Log in to the UTD Workshop ...................................................................................... 5
Task 1 – Log in to your Ultimate Test Drive class environment ........................................................................... 5
Task 2 – Log in to the student desktop ................................................................................................................ 6
Task 3 – Log in to the ML-Powered NGFW .......................................................................................................... 7
Task 4 (Very Important) – Bring up interface ethernet1/1 .................................................................................. 8
Activity 1 – Granular Control on Social Media and Enabling Sanctioned SaaS Applications . 10
Task 1 – Check connectivity to Facebook .......................................................................................................... 10
Task 2 – Enable Facebook application ............................................................................................................... 11
Task 3 – Review traffic logs ................................................................................................................................ 12
Task 4 – Enable sanctioned SaaS applications ................................................................................................... 12
Activity 2 – Applications on Non-Standard Ports ....................................................................... 14
Task 1 – Create a new security policy ................................................................................................................ 14
Task 2 – Check application connectivity ............................................................................................................ 15
Task 3 – Modify security policy .......................................................................................................................... 16
Task 4 – Re-check applications on non-standard ports ..................................................................................... 17
Activity 3 – Policy Optimizer ........................................................................................................ 18
Task 1 – Policy Optimizer helps you to convert port-based policy to application-based policy ....................... 18
Task 2 – Enhanced security in application-based policy .................................................................................... 19
Task 3 – Move other applications ...................................................................................................................... 20
Activity 4 – Decryption ................................................................................................................. 22
Task 0 – Check connectivity to lab web server .................................................................................................. 22
Task 1 – Download malicious files ..................................................................................................................... 22
Task 2 – Add a new decryption policy................................................................................................................ 23
Task 3 – Retest secure download ...................................................................................................................... 25
Task 4 – Review traffic logs ................................................................................................................................ 25
Activity 5 – Modern Malware Protection with ML-Powered Analysis ........................................ 27
Task 1 – Enable WildFire analysis on a security policy....................................................................................... 27
Task 2 – Configure real-time update of WildFire signatures ............................................................................. 28
Task 3 – Test WildFire modern malware protection ......................................................................................... 29
Task 4 – Review the WildFire analysis results .................................................................................................... 29
Task 5 – Enable WildFire Inline ML-Powered analysis ....................................................................................... 31
Task 6 – Test and review WildFire Inline ML-Powered analysis ........................................................................ 32
Activity 6 – ML-Powered URL Filtering ........................................................................................ 33
Task 1 – Modify URL Filtering profile and configure security-focused URL categories ..................................... 33
Task 2 – Apply URL Filtering to the security policy ............................................................................................ 34
Task 3 – Test URLs and review the URL filtering logs ........................................................................................ 35
Task 4 – Configure URL Filtering Inline ML-Powered analysis ........................................................................... 36
Task 5 – Test and review URL Filtering Inline ML-Powered analysis ................................................................. 36
Task 6 – External Dynamic List hosting service .................................................................................................. 38
Activity 7 – GlobalProtect: Safely Enable Mobile Devices ......................................................... 40
Task 1 – Review the GlobalProtect Portals and Gateways configuration.......................................................... 40
Task 2 – Log in to GlobalProtect from the Mobile PC (GlobalProtect) .............................................................. 41
Task 3 – Review logs on the VM-Series firewall................................................................................................. 42

Activity 8 – Control Application Usage with User-ID .................................................................. 44
Task 1 – Validate access to SSH server............................................................................................................... 44
Task 2 – Enable applications based on User-ID ................................................................................................. 45
Task 3 – Confirm access with User-ID ................................................................................................................ 45
Activity 9 – GlobalProtect Clientless VPN ................................................................................... 47
Task 1 – Configure Clientless VPN...................................................................................................................... 47
Task 2 – Test the Clientless VPN access from Mobile PC ................................................................................... 48
Task 3 – Review Logs on the VM-Series firewall ................................................................................................ 49
Activity 10 – Cloud Identity Engine.............................................................................................. 50
Task 1 – Video Demonstration of Cloud Identity Engine ................................................................................... 50
Task 2 – Review lab Cloud Identity Engine tenant ............................................................................................. 50
Task 3 – Cloud Identity Engine configuration for authentication ...................................................................... 51
Task 4 – Cloud Identity Engine configuration for User-ID.................................................................................. 54
Task 5 – Test and review Cloud Identity Engine for authentication and identity .............................................. 55
Activity 11 – ACC and Custom Reports....................................................................................... 56
Task 1 – Review Application Command Center (ACC) ....................................................................................... 57
Task 2 – SaaS Application Usage Report ............................................................................................................ 58
Task 3 – Setting up a custom report .................................................................................................................. 59
Activity 12 - Feedback on Ultimate Test Drive ............................................................................ 61
Task 1 – Take the online survey ......................................................................................................................... 61
Appendix 1: Support for Non-U.S. Keyboards ............................................................................ 62
Add a new international keyboard .................................................................................................................... 62
Use the on-screen keyboard .............................................................................................................................. 63
Appendix 2: How to resolve the connectivity issue ................................................................... 64

How to use this guide
The activities outlined in this Ultimate Test Drive (UTD) Workshop Guide are meant to contain all the information
necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any potential
issues with the UTD environment. This guide is meant to be used in conjunction with the information and
guidance provided by your facilitator.

Once these activities are completed, you should be able to:
1. Navigate the Palo Alto Networks GUI
2. Review portions of the firewall configuration
3. Change the configuration to affect the behavior of traffic across the firewall

This workshop covers only basic topics and is not a substitute for the training classes conducted by Palo Alto
Networks Authorized Training Centers (ATC). Please contact your partner or regional sales manager for more
training information.

Terminology

Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each Tab found in the left-hand column of each screen.

Note: Unless specified, the Google Chrome web browser will be used to perform any
tasks outlined in the following activities (Chrome is pre-installed on the student desktop of
the workshop PC).

Activity 0 – Log in to the UTD Workshop

In this activity, you will:


• Log in to the Ultimate Test Drive Workshop from your laptop
• Understand the layout of the environment and its various components
• Enable the Firewall to facilitate connectivity

Task 1 – Log in to your Ultimate Test Drive class environment


Step 1. First, make sure your laptop is installed with a modern browser. We recommend using the latest version
of Firefox, Chrome, or Microsoft Edge.

Step 2. Go to the class URL. Enter your email address and the passphrase (if you have an invitation email, you can
find the class URL and passphrase in the invitation email; otherwise the instructor will provide you with the class
URL and passphrase).

Step 3. Complete the registration form and click Register and Login at the bottom.

Step 4. Depending on your browser, you may be asked to install a plugin. Please click yes to allow the plugin to
be installed, then continue the login process.

Step 5. Once you log in, the environment will be created automatically for you. The upper left-hand corner will
show you the progress of the preparation. You will see the lab availability time when it is ready for use.

The UTD NGFW lab environment consists of many VMs: Student Desktop, Mobile PC (GlobalProtect),
Mobile PC (Clientless VPN), VM-Series NGFW and more. You will start the lab by accessing the
Student Desktop.

Task 2 – Log in to the student desktop
Step 1. Click on the Student Desktop tab to connect to the student desktop.

Step 2. If the Student Desktop resolution is too high or low for your laptop display, you can adjust the resolution
from the left-hand pane. You can also click Fullscreen to maximize the display.

Step 3. To exit the full-screen mode, use the Esc key on your keyboard or click the black arrow at the top of
the window to open the dropdown menu; then click Exit.

Step 4. [Optional] If you encounter connection issues with the Student Desktop, click Reconnect to re-establish
the RDP or CON connection.

Step 5. [Optional] If the reconnect to the student desktop is unsuccessful, please verify your laptop connectivity
by clicking on Connectivity Test.

Step 6. [Optional] If the connectivity test passed, please close the browser and retry connecting to the RDP or
CON session to the Student Desktop. If the connectivity test failed, please inform the instructor and ask
for further assistance. Make sure you have disabled any VPN or proxy connections on your laptop.

Task 3 – Log in to the ML-Powered NGFW


Step 1. In the Student Desktop, click the Chrome browser icon to launch the browser. The VM-Series login page
should already be loaded; if not, click the UTD-NGFW-PAVM bookmark in the browser.

Note: You can also use the NGFW GUI tab to open a direct connection to the NGFW login page.

Log in to the firewall using the following Username and Password:


Username: student
Password: utd135

Step 2. You are now logged in to the firewall. Take a look at the welcome page to see some of the features
introduced in the latest release of PAN-OS.

Step 3. Click Close to close the welcome page and you will see the Dashboard view.

Task 4 (Very Important) – Bring up interface ethernet1/1
Step 1. The firewall is not connected to the Internet by default. Select the Network > Interfaces and then click
the interface ethernet1/1 under Ethernet.

Step 2. Select the Advanced tab to change the link state. Select up in the Link State option, then click OK.

Step 3. Click Commit (in the upper right-hand corner of the GUI), then select Commit All Changes and click
Commit in the pop-up window.

Step 4. Click Close in the pop-up window once the commit has completed. Click the refresh button in the upper
right corner. The Link Status of ethernet1/1 should turn green after the interface is up.

Step 5. From the Student Desktop, open a new tab in the Chrome browser window and confirm Internet
connectivity by selecting CNN from the Lab – Bookmarks > Activity-0 folder.

Note: If you experience any connectivity issue then please refer to Appendix 2.

Step 6. Here is a quick look at how the student desktop and the virtual firewall are connected:

End of Activity 0

Activity 1 – Granular Control on Social Media and
Enabling Sanctioned SaaS Applications
Background: Every organization is trying to determine how to appropriately control social media and
SaaS (Software as a Service) applications. Allowing them all is highly risky, while blocking them all can
cripple the business. Policy considerations, including who can use which social media channels and
SaaS applications, require a granular level of control at the firewall.

PAN-OS® features to be used:


• App-ID™ and function control.
• Logging and reporting for verification.

In this activity you will:


• Modify the existing firewall configuration to control the behavior of the Facebook application.
• Review Traffic logs to confirm activity.

Task 1 – Check connectivity to Facebook


Step 1. Please complete Activity 0, Task 4 before you continue. From the Student Desktop, use Chrome and
select the www.facebook.com bookmark from the Lab – Bookmarks > Activity-1 folder.
• Question: What appears in the browser window?
• Answer: You should get blocked and see a screen that looks like this:

Note: If you see an SSL decryption message, click continue to accept the SSL message. You will
need to reload the Facebook page to see the blocked message.

Step 2. On the firewall GUI, Select Monitor > Logs > Traffic to review the traffic logs to understand why
Facebook is being blocked.

Step 3. In the search bar, enter (app eq facebook-base), then click Apply Filter. You should see that the
facebook-base application is not allowed by default. You will enable the Facebook application in the next task.
Click Clear Filter to remove the filter and see all the logs.

Note: You can adjust the number of columns displayed by hovering the mouse over any header and clicking
the white arrow next to the header name, then clicking Columns and selecting the columns you want to add or
remove.

Task 2 – Enable Facebook application


Step 1. On the firewall GUI, go to Policies > Security.

Step 2. Click to highlight the first rule, named UTD-Policy-00 (currently greyed out).

Step 3. Click Enable in the bottom bar of the GUI. Notice that the color of the text changes.

Step 4. Click on UTD-Policy-00 to open the policy details window, then go to the Application and Actions tabs to
confirm the policy is configured to allow Facebook and its dependent applications. Click OK to close the
policy window.

Step 5. Click Commit (in the upper right-hand corner of the GUI), then select Commit All Changes and click
Commit in the pop-up window.

Note: You may ignore any application dependency warning that happens during the commit.

Step 6. Click Close once the commit has completed.

Step 7. Open a new browser tab and select www.facebook.com from the Lab – Bookmarks > Activity-1 folder.
You may get an SSL decryption warning message. Click Yes to continue. You should now be able to
access Facebook.

Task 3 – Review traffic logs
Step 1. Select Monitor > Logs > Traffic to review the traffic logs.

Step 2. Type the search string (app eq facebook-base) into the query box. Then hit the Enter key or click the
arrow icon.

Note: If you see any error while typing the search string then you can simply click on the app name in
application column and that will populate the filter.

Questions:
• What was the action associated with the log entries?
• What was the port number associated with the log entries?

Task 4 – Enable sanctioned SaaS applications


The need for business efficiency and flexibility is driving the use of SaaS applications in many organizations. Palo
Alto Networks ML-Powered NGFW with App-ID provides the industry-leading granular control to and from SaaS
applications. We will show you how to enable a selected set of sanctioned SaaS applications.

Step 1. Select Objects > Application Groups and then click Sanctioned-SaaS-Apps and review the SaaS
applications in this application group.

Step 2. Add ms-office365 to this application group by clicking the Add icon, then select ms-office365. Click OK
to close the application-group window.

Step 3. Go back to Policies > Security > UTD-Policy-00. Add the Sanctioned-SaaS-Apps application group to
the policy. Click OK to close the policy window.

Step 4. Click Commit to commit the changes.

In one policy, you have enabled basic Facebook applications and a group of sanctioned SaaS
applications. Enabling a group of SaaS applications will allow us to see a more interesting SaaS
application usage report in the later lab activity.

Step 5. In your browser right click the SaaS bookmark folder in Lab – Bookmarks > Activity-1, select open all,
and let the pages load (or fail).

Which sites are allowed? Which fail? Review the Sanctioned-SaaS-Apps application group to determine
why.

Close the tabs.

End of Activity 1

Activity 2 – Applications on Non-Standard Ports
Background: Many applications can use, either by default or through user control, a non-standard port.
Oftentimes, the use of non-standard ports is done as a means of evading controls. Tech-savvy users are
accessing their home PCs from work by directing SSH to a non-standard port in order to bypass
corporate firewalls. This activity will show you how to allow applications to run only on the standard port
and prevent the same applications from running on any non-standard port.

PAN-OS features to be used:


• Logging and reporting to show SSH, RDP and Telnet on non-standard ports.
• App-ID, groups function and service (port).
• Logging and reporting for verification.

In this activity you will:


• Add a new security policy for the IT organization.
• Re-order the policies.

Task 1 – Create a new security policy


Step 1. Select the Policies > Security and then click Add in the lower left-hand corner.

Step 2. Name the policy Allow-IT-apps then select Activity-2 for Tags using the drop-down list.

Step 3. Select the Source tab. Click Add in the Source Zone box, then select LAN.

Note: In PAN-OS you can also add a Device ID under Source Device to control the traffic from a particular
source device.

Step 4. Select the Destination tab. Click Add in the Destination Zone box, then select WAN.

Step 5. Click the Application tab, then click Add. Type IT-apps then select it.

IT-apps is an application group that includes SSH, MS-RDP and other applications.

Step 6. Click the Service/URL Category tab, then click the drop-down menu above Service and change the default
setting from Application Default to Any.

Step 7. Click the Actions tab. Check that the action is set to Allow, then click OK.

Step 8. Click and drag the policy Allow-IT-apps above the UTD-Policy-04 rule.

Step 9. Click Commit to commit all the changes. Click Close once the commit has completed.

Step 10. Go to Objects > Application Groups to review which applications are included in the IT-apps application
group. There are also some industry-specific application groups that were created to highlight some of the
common applications used in those industries. Review those application groups to learn about the
applications that are supported by the Palo Alto Networks Next-Generation Firewall for the specific
industries.

You can hover the pointer over IT-apps, click the down arrow, then click Value to review what is in the
IT-apps object.

Task 2 – Check application connectivity


Step 1. From the Student Desktop, launch the PuTTY application.

Step 2. Select the SSH server (standard port 22) profile then click the Load button. Click Open to SSH to the
SSH-Server (172.16.1.101) using the standard port 22. Click Accept if prompted for the server’s host
key.

Log in with:
Login: student
Password: utd135

Question:
• Can you log in?
• Yes – you should be able to log in.

Step 3. Type exit to close the SSH session. Load the SSH server again (172.16.1.101) using the non-standard
port 443.
Question:
• Can you log in using the non-standard port?
• Yes – you should be able to log in.

Step 4. Close the PuTTY application.

Step 5. From the NGFW, go to Monitor > Logs > Traffic. Search for application SSH on port 22 or 443.
Questions:
• What query string did you type into the search box?
• Was the application allowed?

Task 3 – Modify security policy


Step 1. Go to Policies > Security. Click the Allow-IT-apps security policy created in Task 1.

Step 2. Click the Service/URL Category tab, then click the drop-down menu above Service and change Any to
application-default, then click OK. The application-default option only allows each application over its
default port and protocol; it prevents applications from running on a non-standard port or protocol.
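To make the difference between service Any and application-default concrete, the following is an added example (not code from the workshop or from Palo Alto Networks) that models first-match security policy evaluation the way this activity and Activity 1 use it: rules carry zones, applications or application groups, and a service setting, and a flow that App-ID has already identified as ssh is tested on port 22 and on port 443. The App-ID default-port table and the membership of IT-apps are assumptions constructed for the example; the lab only says IT-apps "includes SSH, MS-RDP and other applications".

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# App-ID default ports. Constructed table for this example; the firewall's own
# App-ID database carries the real values.
APP_DEFAULT_PORTS: Dict[str, Set[Tuple[str, int]]] = {
    "ssh": {("tcp", 22)},
    "ms-rdp": {("tcp", 3389)},
    "telnet": {("tcp", 23)},
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
}

# Application groups. IT-apps membership is assumed here (hypothetical).
APP_GROUPS: Dict[str, Set[str]] = {"IT-apps": {"ssh", "ms-rdp", "telnet"}}


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    applications: Set[str]   # App-IDs, application-group names, or "any"
    service: str             # "any" or "application-default"
    action: str = "allow"


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    app: str                 # what App-ID identified, regardless of port
    proto: str
    dport: int


def expand_apps(names: Set[str]) -> Set[str]:
    """Replace application-group names with their member App-IDs."""
    apps: Set[str] = set()
    for name in names:
        apps |= APP_GROUPS.get(name, {name})
    return apps


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.from_zone not in ("any", flow.src_zone):
        return False
    if rule.to_zone not in ("any", flow.dst_zone):
        return False
    if "any" not in rule.applications and flow.app not in expand_apps(rule.applications):
        return False
    if rule.service == "application-default":
        # App-ID already identified the application; application-default
        # additionally requires the flow to use that app's standard port/protocol.
        return (flow.proto, flow.dport) in APP_DEFAULT_PORTS.get(flow.app, set())
    return True  # service "any": the identified app is accepted on any port


def evaluate(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation, ending in the implicit interzone-default deny."""
    for rule in rulebase:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "interzone-default", "deny"


def allow_it_apps(service: str) -> Rule:
    """The Allow-IT-apps rule from Task 1, with the service setting under test."""
    return Rule("Allow-IT-apps", "LAN", "WAN", {"IT-apps"}, service)


if __name__ == "__main__":
    ssh_22 = Flow("LAN", "WAN", "ssh", "tcp", 22)
    ssh_443 = Flow("LAN", "WAN", "ssh", "tcp", 443)
    for service in ("any", "application-default"):
        rulebase = [allow_it_apps(service)]
        print(f"service={service}: ssh/22 -> {evaluate(rulebase, ssh_22)}, "
              f"ssh/443 -> {evaluate(rulebase, ssh_443)}")
```

With service Any, both SSH sessions match Allow-IT-apps and are allowed; with application-default, the session on 443 falls through to the interzone-default deny, which is exactly the behaviour the PuTTY test in Task 4 shows.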

Step 3. Click Commit and Close once the commit has completed.

Task 4 – Re-check applications on non-standard ports
Step 1. From the Student Desktop, launch the PuTTY application.

Step 2. SSH to 172.16.1.101 again on port 443 using PuTTY. Did you get a login prompt?

• You should not get the login prompt this time.

Step 3. Close the PuTTY application. In the firewall GUI, go to Monitor > Logs > Traffic.

Step 4. Search for application SSH on port 443.

Questions:
• What query string did you type into the search box?
• Was the application allowed?

End of Activity 2

Activity 3 – Policy Optimizer
Background: If you just migrated your port-based policy to PAN-OS, you may still have many port-based
policies in your PAN-OS configuration. Policy Optimizer is a feature that identifies port-based rules and shows
you the applications seen by each rule, so you can convert them to application-based whitelist rules or
add applications to existing rules without compromising application availability.

In this activity you will:


• Review what applications are passing through the port-based policy
• Enhance your security posture by creating application-based policy with Policy Optimizer

Task 1 – Policy Optimizer helps you to convert port-based policy to application-based policy
Step 1. Go to Policies > Security and note the Policy Optimizer window on the lower left.

Step 2. Click Rules Without App Controls to see the security policies that have no application specified. In our
lab, the Port-based-policy rule is configured to allow any application running over a list of certain ports.
Can you tell what common ports are open for this rule?

Step 3. Click Port-based-policy under Name to open the Security Policy Rule.

Step 4. Review the Application tab and the Service/URL Category tab. This rule is configured with Any for
Application and common-ports in Service/URL Category. Click Cancel to close the policy rule
window.

Step 5. From Rules Without App Controls, in the App Usage > App Seen column, you can see how many
applications this policy has seen or allowed. Click on Compare to open the Applications & Usage
window.

Note that you can change the Timeframe to see when these applications were seen.

Step 6. Select an application (e.g., google-base) with the check box. Note that you now have the option to decide
what to do with it: Create Cloned Rule with this application, Add to This Rule, or Add to Existing
Rule.

Step 7. As an example, in this lab we will use Create Cloned Rule, which allows us to keep the original rule.
Click Create Cloned Rule > Applications, enter Port-2-App-Rule as the name, and click OK.

Step 8. Go back to Policies > Security and notice the new Port-2-App-Rule is added on top of the original Port-
based-policy. More importantly, the new rule is an application-based policy, not a port-based policy.

Task 2 – Enhanced security in application-based policy


Step 1. Open the Port-2-App-Rule created in the previous task. Note that the policy is identical to the original
Port-based-policy, so it has the same Source and Destination zones, with the application you selected
through Policy Optimizer added.

Step 2. Go to the Service/URL Category tab and notice that common-ports is still present per the original policy.

Step 3. Remove common-ports using the checkbox, then click Delete. application-default will be selected by
default. This restricts the listed applications to their application-default ports only
and greatly improves the security of this policy.

Step 4. From the Actions tab, select Profiles in Profile Setting > Profile Type. Then select default for
Antivirus, Vulnerability Protection, and Anti-Spyware. Click OK.

Task 3 – Move other applications


Now that you have started creating an application-based policy with enhanced security protection, you can easily
move the other applications to this policy.

Step 1. Go back to Rules Without App Controls and click Compare for the Port-based-policy.

Step 2. Select the applications dns and ms-update using the checkbox.

Step 3. Click Add to Existing Rule > Applications and select Port-2-App-Rule from the Name drop-down list,
then click OK to add these two apps to the rule.

If an application depends on other applications, you will see that in the Dependent Applications section.
You can choose whether or not to add those.

Step 4. Go to Policies > Security and review the Port-2-App-Rule. You should see the two applications are now
added to the application-based policy.

Step 5. Commit to save the changes. Notice that you don’t need to know what the default port for dns is; the
application-default setting in the policy takes care of that.

Over time, you should be able to move all the applications that you want to allow and protect them using
application-based policy and remove all the unnecessary port-based policies.

Note: You can also use Policy Optimizer to create a rule that blocks a specific application if you have discovered
unwanted applications passing through the port-based policy.
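The migration workflow in Tasks 1 to 3 (read the apps a port-based rule has seen, clone it as an application-based rule with application-default and default security profiles, and keep track of anything that would break) can be written down as a small analysis. The following is an added example, not code from the workshop or Palo Alto Networks: it runs over a handful of constructed traffic log entries standing in for the Compare view, and it holds back any application that the port-based rule saw on a non-default port, because that application would stop working under application-default. The default-port table and the log lines are constructed for the example.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

PortSet = Set[Tuple[str, int]]

# App-ID default ports. Constructed for this example; the firewall's App-ID
# database holds the real values.
APP_DEFAULT_PORTS: Dict[str, PortSet] = {
    "dns": {("udp", 53), ("tcp", 53)},
    "google-base": {("tcp", 80), ("tcp", 443)},
    "ms-update": {("tcp", 80), ("tcp", 443)},
    "ssh": {("tcp", 22)},
}

# Constructed traffic log entries, reduced to the fields the Compare view needs.
# Only rows matched by Port-based-policy count toward its App Seen list.
SAMPLE_LOGS: List[dict] = [
    {"rule": "Port-based-policy", "app": "dns", "proto": "udp", "dport": 53},
    {"rule": "Port-based-policy", "app": "google-base", "proto": "tcp", "dport": 443},
    {"rule": "Port-based-policy", "app": "google-base", "proto": "tcp", "dport": 443},
    {"rule": "Port-based-policy", "app": "ms-update", "proto": "tcp", "dport": 80},
    {"rule": "Port-based-policy", "app": "ssh", "proto": "tcp", "dport": 443},
    {"rule": "UTD-Policy-00", "app": "facebook-base", "proto": "tcp", "dport": 443},
]

# The port-based rule as the lab describes it: any application over common-ports.
PORT_RULE = {"name": "Port-based-policy", "from": "LAN", "to": "WAN",
             "application": {"any"}, "service": {"common-ports"}}


def apps_seen(rule_name: str, logs: Iterable[dict]) -> Counter:
    """App Usage > App Seen: which App-IDs the rule has matched, with counts."""
    return Counter(e["app"] for e in logs if e["rule"] == rule_name)


def non_default_port_usage(rule_name: str, logs: Iterable[dict]) -> Dict[str, PortSet]:
    """Apps the rule matched on a port other than their App-ID default.

    These are the flows that would stop working if the app were moved to a
    rule whose service is application-default.
    """
    found: Dict[str, PortSet] = {}
    for e in logs:
        if e["rule"] != rule_name:
            continue
        if (e["proto"], e["dport"]) not in APP_DEFAULT_PORTS.get(e["app"], set()):
            found.setdefault(e["app"], set()).add((e["proto"], e["dport"]))
    return found


def clone_as_app_rule(port_rule: dict, new_name: str, chosen: Set[str],
                      logs: Iterable[dict]) -> dict:
    """Create Cloned Rule plus the Task 2 hardening, in one step.

    Same zones as the original, the chosen apps, service switched from
    common-ports to application-default, and default security profiles.
    Apps seen on non-default ports are held back and reported (this example's
    choice) so the migration does not silently break them.
    """
    logs = list(logs)
    risky = non_default_port_usage(port_rule["name"], logs)
    return {
        "name": new_name,
        "from": port_rule["from"],
        "to": port_rule["to"],
        "application": {a for a in chosen if a not in risky},
        "service": {"application-default"},
        "profiles": {"antivirus": "default", "vulnerability": "default",
                     "anti-spyware": "default"},
        "held_back": {a: risky[a] for a in chosen if a in risky},
    }


if __name__ == "__main__":
    seen = apps_seen(PORT_RULE["name"], SAMPLE_LOGS)
    print("apps seen by", PORT_RULE["name"], dict(seen))
    print(clone_as_app_rule(PORT_RULE, "Port-2-App-Rule", set(seen), SAMPLE_LOGS))
```

The held_back entry is the part worth reading: ssh was seen on tcp/443, so moving it into an application-default rule would cut that session off, which is precisely the non-standard-port case Activity 2 set out to stop, and a decision a person, not the tool, should make.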

End of Activity 3

Activity 4 – Decryption
Background: More and more traffic is being encrypted with SSL by default. This makes it difficult to allow
and scan that traffic, yet blindly allowing it is very risky. Policy-based SSL decryption allows you to
decrypt applications, apply security policy, then re-encrypt and send the traffic to its final destination.
Policy considerations include which applications or web traffic to decrypt and then applying the
appropriate protection to prevent malware propagation and data/file transfers.

PAN-OS features to be used:


• Decryption policy.
• Logging and reporting for verification.

In this activity you will:


• Add a new decryption policy to decrypt SSL traffic.

Task 0 – Check connectivity to lab web server


Step 1. From the Student Desktop, open the browser and select UTD Lab Web Server from the Lab – Bookmarks
> Activity-4 folder.

This website looks like a legitimate lab web server. Let’s download files from this site and see if the
download is working.

Task 1 – Download malicious files


Step 1. Download the Apache configuration file under the Configuration Overview section by clicking the here
hyperlink.

Step 2. Are you able to download the configuration file?

The download should fail because the file is infected, and the NGFW antivirus inspection has stopped the
download.

Step 3. Try to download the full manual from the manual link.

Are you able to download the manual file?

The download should fail because the file is infected, and the NGFW antivirus inspection has stopped the
download.

Step 4. Mouse over the Configuration file (secure download) hyperlink; notice that the download is using
https:// instead of http://. Click the hyperlink to download the file.

Are you able to download the configuration file?

The download should succeed because the download channel (https) is encrypted. The browser will
open the file and show you the content. You cannot prevent what you cannot see.

Task 2 – Add a new decryption policy


We will create a decryption policy that decrypts web (SSL/TLS) traffic going to an unknown site.

Step 1. From the NGFW GUI, go to Policies > Decryption.

Step 2. Click Add in the lower left-hand corner.

Step 3. In the Decryption Policy Rule pop-up, name the policy UTD-Decryption-02, then select Activity-4
under Tags.

Step 4. Click the Source tab. Click Add in the box labeled Source Zone, then select LAN.

Step 5. Click the Destination tab. Click Add in the box labeled Destination Zone, then select WAN.

Step 6. In the Service/URL Category tab, add unknown under URL Category.

We are using unknown as the lab web server has not been classified by URL filtering.

Step 7. Click the Options tab, then select Decrypt for Action. Leave Type as SSL Forward Proxy. Click on the
Decryption Profile drop-down menu and select New Decryption Profile.

Step 8. In the Decryption Profile window, click in the Name field and enter Decrypt-TLS-1.3 as the profile name.

Step 9. Click on the SSL Protocol Settings tab. In the Protocol Versions section, click on the Max Version
drop-down menu and select TLSv1.3.

The Palo Alto Networks firewall supports TLSv1.3 decryption in all modes (SSL Forward Proxy, SSL
Inbound Inspection, SSL Decryption Broker, and SSL Decryption Port Mirroring). TLSv1.3 is the latest
version of the TLS protocol, which provides application security and performance improvements.

Note: For websites that don’t support TLSv1.3, the firewall selects an older version of the TLS protocol
that the server supports.

Step 10. Click OK to save the Decryption Profile settings.

Step 11. Click OK to close the Decryption Policy Rule window. Your decryption policy should look similar to
the screen below.

Step 12. Commit all changes and click Close once the commit has completed.

Task 3 – Retest secure download
Step 1. In the browser, go back to the UTD lab web server then click the Configuration file (secure download)
link again. If prompted, click Yes on the SSL Inspection prompt to continue with the download.

Step 2. Are you able to download through the secure download?

The download should fail because the file is infected, and the antivirus inspection can now stop the
download after the session is decrypted.

Task 4 – Review traffic logs


Step 1. From the NGFW UI, go to Monitor > Logs > Threat.

Step 2. Select the latest entry in the Threat log, then click the magnifying glass icon next to the log entry to
view the log details.

Notice that under the Flags category, there is a checkmark to indicate this particular session is decrypted.

Step 3. To view the SSL activity in the Application Command Center (ACC), select the ACC tab and click on SSL
Activity to view the amount of decrypted and non-decrypted traffic by sessions or bytes.

Note: The SSL activity widget in ACC tab is a feature added to provide enhanced visibility into SSL/TLS
traffic, which enables you to troubleshoot decryption issues and identify traffic that uses weak algorithms
and protocols.

End of Activity 4

Activity 5 – Modern Malware Protection with ML-Powered Analysis
Background: Modern malware is at the heart of many of today's most sophisticated network attacks and
is increasingly customized to avoid traditional security solutions. WildFire™ exposes targeted and
unknown malware through direct observation in a virtual environment, while the ML-Powered NGFW
ensures full visibility and control of all traffic, including tunneled, evasive, encrypted and even unknown
traffic. Policy considerations include which applications to apply to the WildFire file blocking/upload
profile.

PAN-OS features to be used:


• Profiles: anti-virus, spyware, file blocking, and WildFire.
• WildFire signatures real-time update.
• Logging and reporting for verification.

In this activity you will:


• Review the existing WildFire analysis profile.
• Add the WildFire Analysis profile to an existing security policy.
• Enable the Wildfire Inline ML-Powered analysis

Task 1 – Enable WildFire analysis on a security policy


Step 1. Go to Policies > Security and then click UTD-Policy-01 to update the security rule.

Step 2. Click the Actions tab within the Security Policy Rule pop-up.

Step 3. In the Profile Setting section, select default from the drop-down menu next to WildFire Analysis.

Step 4. Click OK to close the window.

Step 5. Navigate to Objects > Security Profiles > WildFire Analysis.

Step 6. Click the Profile named default, then review the default WildFire Analysis Profile. Notice that the
default profile sends any File Types from any Applications to the WildFire public-cloud service.

NOTE: With the WildFire service, the ML-Powered NGFW can forward unknown files and email links to
the WildFire public global cloud or to the WildFire regional clouds (Europe, UK and Japan) that Palo Alto
Networks owns and maintains. In this lab, we are using the default profile and send unknown files to the
WildFire public global cloud for analysis.

Step 7. Click Cancel to close the WildFire Analysis Profile window.

Task 2 – Configure real-time update of WildFire signatures


PAN-OS 10.0 and later supports the real-time retrieval of WildFire signatures. That means that when a new
signature is created, the signature content is streamed down to the firewall within single-digit seconds. This
gives the firewall access to the signatures as soon as they are generated, greatly minimizing the window in
which malware can infiltrate the network.

To enable real-time WildFire signature updates:

Step 1. Click on the Device tab and then Dynamic Updates towards the bottom left.

Step 2. Click on Check Now to retrieve the latest signature update packages.

Step 3. Click on None (Manual) next to Schedule: in the Wildfire section.

Step 4. Select Real-time from the drop-down next to recurrence.

Step 5. Click OK to close the pop-up window.

Step 6. Commit all the changes and click Close once the commit has completed.

Task 3 – Test WildFire modern malware protection


Step 1. From the Student Desktop, open the browser and select WildFire Test File from the Lab – Bookmarks >
Activity-5 folder.

Note: Ignore the Chrome browser warning message for downloading an .exe file by clicking the Keep
button.
http://wildfire.paloaltonetworks.com/publicapi/test/pe

Step 2. The browser will automatically download a wildfire-test-pe-file.exe sample file. Check your Download
folder to confirm the download.

Note that this sample changes every time it is downloaded, and it should bypass most antivirus scans.

Task 4 – Review the WildFire analysis results


Step 1. To view the file verdict that has been sent to WildFire, go back to the firewall GUI, then navigate to
Monitor > WildFire Submissions. Review the results returned from the WildFire service.
NOTE: It may take about 5-10 minutes for the WildFire Submissions log to appear.

Step 2. When you see the entry, click the Details icon next to the top log entry. In the Log Info tab, you can
view the basic info of the file and the application that carries that file.

Task 5 – Enable WildFire Inline ML-Powered analysis
PAN-OS has inline machine learning prevention capabilities, powered by WildFire, that stop unknown weaponized
files and malicious scripts instantly and inline on the ML-Powered NGFW, without having to hold the files for
analysis.

Step 1. Navigate to Objects > Security Profiles > Antivirus, then click UTD-AV-01 profile.

Step 2. Select the WildFire Inline ML tab.

Step 3. Change the Windows Executables, PowerShell script 1 and PowerShell script 2 Action Setting from
disable to enable.

Note: WildFire inline ML inspects files at line speed and blocks malware variants of portable executables
as well as PowerShell files, which account for a disproportionate share of malicious content. The ML-based
engine can prevent up to 95% of threats inline without requiring analysis from the WildFire cloud. For the
rest, protections are delivered in seconds from the world’s largest cloud-native detection and prevention
engines.

Step 4. Click OK to exit the Antivirus Profile configuration window.

Step 5. Commit all the changes and click Close once the commit is completed.

Note: The WildFire machine learning model is trained with over 20 million new malware samples on a
daily basis. Because the inline machine learning models are continually retrained and tuned to adapt to
the changing real-world threat landscape, specific point-in-time test samples may not yield consistent
results.

Task 6 – Test and review WildFire Inline ML-Powered analysis
Step 1. From the Student Desktop, open the browser and select WildFire Inline ML test file from the Lab –
Bookmarks > Activity-5 folder.

Click Keep, confirming the download.

Step 2. The file will start to download. As soon as WildFire Inline ML detects the threat, the connection is reset,
and the download fails. You will notice that the download will stall and then eventually time out.

Note: If the file downloads, it is coming from the Chrome cache because you attempted the download in an
earlier task. In the browser, type about:history and Clear browsing data. You may try the download again after
that.

Step 3. From the NGFW, navigate to Monitor > Logs > Threat.

Note that ml-virus is listed under the Type column for the threat.

Step 4. Click on the magnifying glass to open the Detailed Log View.

Scroll down to the Details section. The Threat/ID Name indicates Machine Learning found virus.

Click Close.

End of Activity 5

Activity 6 – ML-Powered URL Filtering
Application control and URL Filtering complement each other, providing you with the ability to deliver
varied levels of control that are appropriate for your security profile. Policy considerations include URL
category access; which users can (or cannot) access the URL category; and the prevention of malware
propagation.

PAN-OS features to be used:


• URL Filtering category match.
• Logging and reporting for verification.

In this activity you will:


• Modify the behavior of the URL Filtering functionality.

Task 1 – Modify URL Filtering profile and configure security-focused URL categories
Security-focused URL categories enable you to implement simple security and decryption policies based on
website safety, without requiring you to research and individually assess the sites that are likely to expose you to
web-based threats. These categories help to reduce the attack surface by providing targeted decryption and
enforcement for sites that pose varying levels of risk but are not confirmed malicious. Websites are classified with
a security-related category only so long as they meet the criteria for that category; as site content changes, policy
enforcement dynamically adapts. The security-focused categories include High-Risk, Medium-Risk, Low-Risk and
Newly-Registered-Domains.

Step 1. Go to the firewall web GUI. Select Objects > Security Profiles > URL Filtering and then click
UTD-URL-filter-01 to update the URL Filtering profile.

Step 2. Search for the Gambling category, then change Site Access from Alert to Continue.

Note that you have the option to control if User Credential Submission is allowed as part of the PAN-OS
credential theft prevention feature. We will not dive into that in this lab but please talk to your instructor if
you want to learn more about credential theft prevention.

Step 3. Search for the high-risk category, then change Site Access and User Credential Submission to
continue.

The Continue action prompts the user with a response page indicating that the site has been blocked
due to company policy. The user is prompted with the option to continue to the website.

The continue action improves the user experience by giving them the option to continue if they feel the
site is incorrectly categorized.

Step 4. Search for the newly-registered-domain category, then change Site Access and User Credential
Submission to alert.

The Alert action allows the user access to the sites in this category, but a log entry is generated in the
URL filtering log. The Allow action does not generate a log entry in the URL filtering log.

Click OK.

Step 5. As a best practice, the UTD-URL-filter-01 profile is configured with the block action for the following URL
categories: malware, phishing, command-and-control, proxy-avoidance-and-anonymizers, and
unknown. You can review the setting for these categories.

Step 6. An explicit, custom allow and block list can be configured in the URL Filtering profile. To see the two
pre-configured allow and block lists, go to Objects > Custom Objects > URL Category to review the URLs
in the list.

Task 2 – Apply URL Filtering to the security policy


Step 1. Navigate to Policies > Security and open UTD-Policy-01. The Security Policy Rule pop-up will appear.

Step 2. Click the Actions tab within the pop-up.

Step 3. In the Profile Setting section, select the UTD-URL-filter-01 from drop-down menu for URL Filtering.

Step 4. Click OK.

Step 5. Commit all the changes and click Close once the commit is completed.

Task 3 – Test URLs and review the URL filtering logs


Step 1. From the Student Desktop, open a new browser tab, then select Lab - Bookmarks > Activity-6 folder
and click Top Bet. If a cached page appears, use the CTRL + F5 keys to reload the page.

The web page is blocked, but you will have the option to continue to open the page.

Step 2. Click Continue to proceed to the website.

Step 3. From the NGFW, navigate to Monitor > Logs > URL Filtering.

Step 4. Locate a recent log entry with Action continue.

Step 5. Click on the magnifying glass icon to review the details of the detected URL.

Step 6. Review the information shown in the Details section.

Step 7. Click Close to go back to the URL Filtering log page.

Task 4 – Configure URL Filtering Inline ML-Powered analysis


URL filtering in PAN-OS is powered by machine learning (ML) based inline prevention that instantly identifies and
prevents new and never-before-seen phishing sites and JavaScript-based attacks.

To enable the Inline ML in URL Filtering profile:

Step 1. From Objects > Security Profiles > URL Filtering, open the UTD-URL-filter-01 profile and click the
Inline ML tab. In the Action column, change the Phishing and Javascript Exploit Detection
settings from allow to block.

Step 2. Click OK to close URL Filtering Profile window.

Step 3. Commit your changes.

Task 5 – Test and review URL Filtering Inline ML-Powered analysis


Step 1. From the Student Desktop, open the browser and click the URL Filtering Inline ML bookmark from the Lab
– Bookmarks > Activity-6 folder.

Step 2. Click Continue as this page has been classified as high-risk.

Step 3. The page will start to display. Once the URL Filtering Inline ML engine detects the content as a phishing
site, the connection is reset.

Step 4. From the NGFW, navigate to Monitor > Logs > URL Filtering.

Step 5. In the search box, type the filter ( category eq high-risk )

Step 6. Click the magnifying glass icon for the most recent log entry where Action is block. Scroll down to the
Details section and confirm that the Inline ML Verdict indicates that this URL is phishing.

Step 7. Let’s review the series of events that happened.


• The user went to a URL categorized as high-risk. A block page was displayed.
• The user opted to continue to that web site.
• URL Filtering Inline ML detected the contents of that site as phishing and blocked the page.

Task 6 – External Dynamic List hosting service
Some Software-as-a-Service (SaaS) providers publish lists of IP addresses and URLs as destination endpoints
for their SaaS applications. SaaS providers frequently update these destination endpoint lists as
support grows and the service expands. This requires you to manually monitor the SaaS application endpoints for
changes and manually update your policy configuration to ensure connectivity to these critical SaaS applications,
or to set up an external tool to monitor and update your EDLs.

Configure an EDL using the EDL Hosting Service maintained by Palo Alto Networks to ease the operational
burden of maintaining an EDL for a SaaS application. The EDL Hosting Service provides publicly available Feed
URLs for SaaS application endpoints published by the SaaS application provider. Using a Feed URL as the
source of an EDL allows dynamic enforcement of SaaS application traffic without the need for you to host and
maintain your own EDL source.

Step 1. Go to Objects > External Dynamic Lists. Note that a number of predefined built-in EDLs are present.
You may review the Description field to see what each of them covers.

Step 2. Click EDL-microsoft365-url-list to open.

This particular Feed URL is for Microsoft 365 worldwide URL endpoints.
A list of Feed URLs can be found here.

Click Cancel.

Step 3. Go to Policies > Security and open the UTD-Policy-00 policy.

Step 4. Click the Service/URL Category tab and then Add under the URL Category column. Select the
EDL-microsoft365-url-list EDL.

Click OK to save the policy.

Step 5. Click Commit and Close once it is complete.

Step 6. Navigate back to Objects > External Dynamic Lists and open EDL-microsoft365-url-list again. Select
the List Entries And Exceptions tab to review the entries.

End of Activity 6

Activity 7 – GlobalProtect: Safely Enable Mobile Devices
Mobile computing is one of the most disruptive forces in information technology. It is revolutionizing how
and where employees work, and the tools they use to perform their jobs. GlobalProtect™ from Palo Alto
Networks safely enables mobile devices for business use by providing a unique solution to manage the
device, protect the device and control the data.

PAN-OS features to be used:


• GlobalProtect Portal and Gateway.
• GlobalProtect Client Application.

In this activity you will:


• Complete the GlobalProtect Portal configuration in the lab environment to allow GlobalProtect
clients to connect to the GlobalProtect Gateway.
• Use the GlobalProtect client application to connect to the GlobalProtect Gateway and verify the
traffic is being protected by the ML-Powered NGFW.

Task 1 – Review the GlobalProtect Portals and Gateways configuration


Step 1. From the NGFW, go to Network > GlobalProtect > Portals. Click UTD-GP-Portal to open the
GlobalProtect Portal Configuration window.

Step 2. Select the Agent tab on the left-hand side of the window and then click the UTD-GP-Portal-ClientCfg.

Step 3. In the Configs window, go to the External tab.

Notice the Address field in the External Gateways section. In our lab, the NGFW ethernet1/1 interface
IP address is configured as an external gateway.

Step 4. Click Cancel twice to go back to Portals page.

Step 5. From Network > GlobalProtect > Gateway, click UTD-GP-GW to open the GlobalProtect Gateway
Configuration window.

Step 6. Select the Authentication tab on the left-hand side of the window.

Notice that the Block login for quarantined devices checkbox is enabled. This setting blocks a
GlobalProtect user attempting to connect to the GlobalProtect gateway if the user's device has been identified as
compromised.

Step 7. Click Cancel to go back to Gateways page.

Task 2 – Log in to GlobalProtect from the Mobile PC (GlobalProtect)


Step 1. Click the Mobile PC (GlobalProtect) tab at the top of the page to go to the mobile PC console.

Step 2. Open the Chrome browser and test the Internet connectivity using the Gambling bookmark. You should
be able to connect to the internet directly from this device.

Note: This device is not sitting behind the VM-Series firewall. You can test this by going to the website
(www.topbet.eu) that was blocked in Activity 6. You should not see the block page.

Step 3. Open the GlobalProtect client from the system tray.

Step 4. In the GlobalProtect window, enter the GlobalProtect Portal IP 172.16.1.1. Click Connect.

Note: If you encounter connection problems, check that the external gateway IP is entered correctly in the
“Portal” field.

Step 5. In the Sign In window, enter the following username and password.
Username: joe
Password: utd135

Step 6. Once connected, you can see the GlobalProtect welcome page. To verify that GlobalProtect is connected
to the portal, click the icon then select Settings > Connection.

Step 7. Check your Internet connectivity in the Mobile PC (GlobalProtect) by selecting the Gambling bookmark
again. You should see the block page. If the page displays from cache, refresh the browser.

Task 3 – Review logs on the VM-Series firewall


Step 1. To view the Mobile PC (GlobalProtect) VPN connection to the VM-Series firewall, go to the NGFW GUI.

Step 2. Select Monitor > Logs > GlobalProtect. Look for logs under the Source User column for joe. The GP
logs show that joe has successfully authenticated to the GP Portal and Gateway.

Step 3. Now look for Traffic logs from the GP-VPN zone where you can see the traffic logs from joe and the
Source IP address you saw assigned from the GlobalProtect agent in Task 2.

These traffic logs demonstrate that traffic from the Mobile PC (GlobalProtect) is now protected by the
firewall.

Notice that the username is also visible in the traffic log, which means user-based firewall policy can
be created based on the user’s login info.

Note: the firewall policy, in this case UTD-Policy-04, can be modified to safely enable the necessary
applications for remote users.

Step 4. Go to Network > GlobalProtect > Gateways and click the Remote Users link under Info column to
open the User Information window.

Step 5. Under the Current User tab in the User Information window, notice that the GlobalProtect client in the
Mobile-PC can collect host information such as computer name, operating system used and more.

Note: The host-information profile (HIP) in GlobalProtect provides details about the condition
of the mobile laptop, smartphone or tablet, which can be used to make policy decisions about
the resources that the device can access. Please talk to your instructor for more information
about mobile security management through GlobalProtect.

End of Activity 7

Activity 8 – Control Application Usage with User-ID
Understanding which users are related to which traffic on your network is more useful than just knowing
ports and IP addresses. Visibility and reporting based on users is more intuitive, and policies expressed
in terms of users (or groups) are a better match for expressing business-relevant security policies. You
will create a security policy using User-ID™ in this activity. You must successfully complete Activity 7
before you can continue with this activity.

PAN-OS features to be used:


• Create a security policy using User-ID
• Using GlobalProtect to validate the security policy

In this activity you will:


• Create a security policy to enable applications based on User-ID
• Ensure that access to the application is determined by individual user-IDs, even when multiple
users log in from the same device.

Task 1 – Validate access to SSH server


Step 1. From the Mobile PC (GlobalProtect) VM, connect over SSH to the SSH server used in Activity 3. Open
the PuTTY application, then load the SSH server (standard port 22) from the saved sessions to SSH
into 172.16.1.101.

Click Open. Can you ssh to 172.16.1.101?

You should not be able to SSH to the server.

Step 2. From the NGFW UI select Monitor > Logs > Traffic. You should be able to see that traffic on port 22 was
being dropped.

Task 2 – Enable applications based on User-ID
Step 1. We will enable the security policy on the firewall to allow the user joe to use the SSH application. Select
the Policies > Security > UTD-Policy-05 and click Enable to enable the policy.

Once enabled, the policy will turn from light grey to blue.

Step 2. Click the policy name UTD-Policy-05 to open the policy window, then click on the Source tab (note that
joe is the only user in this policy).

Step 3. Click the Application tab. Note that applications ping and ssh are enabled in this policy.

You can check the application-default setting in the Service/URL Category. SSH can only run on its
standard port.

Step 4. Click Commit to commit the changes.

Task 3 – Confirm access with User-ID


Step 1. Go back to the Mobile PC (GlobalProtect) – recall that you are logged in as joe in the GlobalProtect
client. Verify the SSH access to the server on 172.16.1.101 by using:
Login: student
Password: utd135

You should be able to log in to the SSH server now. End the SSH session after you are logged in by
typing exit.

Step 2. Go back to the GlobalProtect client window. Click on Sign Out button in the upper-right corner of the
window. Click OK in the Remove User Credential window.

Step 3. When the Sign In window appears, use the following credentials:
Username: peter
Password: utd135

Note that the User is now peter.

Step 4. Use the PuTTY application to reconnect to the SSH server. You will see that the connection is denied.

Step 5. Review the traffic log on the firewall to confirm that the source user is peter instead of joe, hence access
to the SSH server is being denied.
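Two behaviours drive the results in this activity and in Activity 3: application-default (an application is only allowed on its standard port, so a port-based rule lets any application through on that port while an application-based rule does not) and User-ID (the same device is allowed or denied depending on who is logged in). The block below is an added example, not the workshop's or PAN-OS's own code: a toy first-match rule evaluator that reproduces both. The rule name UTD-Policy-05, the users joe and peter, the ssh and ping applications and the GP-VPN zone come from the lab text; the LAN destination zone, the standard-port table and the matching details are simplifying assumptions.

```python
"""Toy application- and user-based security rule evaluation (added example).

Not the workshop's or PAN-OS's code. Models application-default port
checks and User-ID based rules well enough to reproduce the lab outcomes.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple

# Assumed standard-port table standing in for App-ID's application-default
# knowledge; only the applications used in this lab are listed.
APPLICATION_DEFAULT_PORTS: Dict[str, Set[Tuple[str, Optional[int]]]] = {
    "ssh": {("tcp", 22)},
    "dns": {("udp", 53), ("tcp", 53)},
    "ping": {("icmp", None)},
    "web-browsing": {("tcp", 80)},
}


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    src_user: Optional[str]       # None when User-ID has no mapping for the source
    app: str                      # application as identified by App-ID
    proto: str
    dst_port: Optional[int]


@dataclass
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    users: Set[str] = field(default_factory=lambda: {"any"})
    apps: Set[str] = field(default_factory=lambda: {"any"})
    # Either the string "application-default" or an explicit set of (proto, port).
    service: object = "application-default"
    enabled: bool = True

    def matches(self, s: Session) -> bool:
        if not self.enabled:
            return False
        if self.src_zone not in ("any", s.src_zone) or self.dst_zone not in ("any", s.dst_zone):
            return False
        if "any" not in self.users and s.src_user not in self.users:
            return False
        if "any" not in self.apps and s.app not in self.apps:
            return False
        if self.service == "application-default":
            # The app must be on one of its standard ports; an unknown app has none.
            return (s.proto, s.dst_port) in APPLICATION_DEFAULT_PORTS.get(s.app, set())
        return (s.proto, s.dst_port) in self.service      # port-based rule: blind to the app


def evaluate(rulebase: List[Rule], s: Session) -> str:
    """First matching rule wins; anything else hits the implicit interzone deny."""
    for rule in rulebase:
        if rule.matches(s):
            return f"{rule.action}:{rule.name}"
    return "deny:interzone-default"


# Constructed rulebase modelled on the lab: only joe may use ping and ssh
# (on their default ports) from the GlobalProtect VPN zone.
LAB_RULEBASE = [Rule("UTD-Policy-05", "allow", src_zone="GP-VPN", dst_zone="LAN",
                     users={"joe"}, apps={"ping", "ssh"})]


def lab_outcomes() -> Dict[str, str]:
    """Activity 8: disabled rule, joe, peter, and ssh on a non-standard port."""
    ssh_joe = Session("GP-VPN", "LAN", "joe", "ssh", "tcp", 22)
    ssh_peter = Session("GP-VPN", "LAN", "peter", "ssh", "tcp", 22)
    ssh_joe_2222 = Session("GP-VPN", "LAN", "joe", "ssh", "tcp", 2222)
    disabled = [replace(r, enabled=False) for r in LAB_RULEBASE]
    return {
        "joe_ssh_before_enable": evaluate(disabled, ssh_joe),
        "joe_ssh": evaluate(LAB_RULEBASE, ssh_joe),
        "peter_ssh": evaluate(LAB_RULEBASE, ssh_peter),
        "joe_ssh_2222": evaluate(LAB_RULEBASE, ssh_joe_2222),
    }


# Activity 3 contrast: a legacy port-based rule versus an application-based one.
PORT_BASED_53 = Rule("legacy-port-53", "allow", service={("udp", 53), ("tcp", 53)})
APP_BASED_DNS = Rule("UTD-dns-app-default", "allow", apps={"dns"})


def port_vs_app_outcomes() -> Dict[str, str]:
    dns = Session("LAN", "WAN", None, "dns", "udp", 53)
    ssh_on_53 = Session("LAN", "WAN", None, "ssh", "tcp", 53)   # ssh tunnelled over the DNS port
    return {
        "dns_port_rule": evaluate([PORT_BASED_53], dns),
        "ssh_on_53_port_rule": evaluate([PORT_BASED_53], ssh_on_53),
        "dns_app_rule": evaluate([APP_BASED_DNS], dns),
        "ssh_on_53_app_rule": evaluate([APP_BASED_DNS], ssh_on_53),
    }


if __name__ == "__main__":
    for name, result in {**lab_outcomes(), **port_vs_app_outcomes()}.items():
        print(f"{name:24s} -> {result}")
```

The `ssh_on_53_port_rule` case is exactly the gap Policy Optimizer surfaces in Activity 3: a port-based rule allows whatever App-ID sees on that port, whereas the application-default rule denies ssh on port 53 because ssh has no standard port there.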

End of Activity 8

Activity 9 – GlobalProtect Clientless VPN
Clientless VPN provides secure remote access to common enterprise web applications that use HTML,
HTML5, and JavaScript technologies. Users have the advantage of secure access from SSL-enabled web
browsers without installing GlobalProtect client software. This is useful when you need to enable partner
or contractor access to applications, and to safely enable unmanaged assets, including personal devices.

In this activity you will:


• Configure Clientless VPN access for accessing web applications
• Test the access from a mobile PC without VPN client installed

Task 1 – Configure Clientless VPN


Step 1. Go to Network > GlobalProtect > Portals and then click on UTD-GP-Portal.

Step 2. Click Clientless VPN and then the General tab. Activate the Clientless VPN checkbox and configure it
with the following values:
Hostname: 172.16.1.1
Security Zones: Select LAN from the drop-down list
DNS Proxy: Select Google-Public-DNS from the drop-down list
Login Lifetime: 3 Hours
Inactivity Timeout: 30 Minutes
The result should look like this:

Step 3. Continue to the Applications tab, click Add at the bottom left.

Step 4. Configure the Applications To User Mapping window with the following values:
Name: SSL-Portal-Apps
User/User Group: Any
Applications: Click Add at the bottom left to add these applications
Google Docs, Intranet, Office 365

Step 5. Click Commit to commit the changes.

Task 2 – Test the Clientless VPN access from Mobile PC


Step 1. Click the Mobile PC (Clientless VPN) tab at the top of the page to go to the mobile PC console.

Step 2. Open a web browser and click the GlobalProtect Portal bookmark (https://172.16.1.1).

Step 3. Log in to the GlobalProtect Portal with the following credentials:


Username: joe
Password: utd135

Step 4. Test the applications by clicking on the Intranet icon.

Step 5. The web application should open; notice that the URL shows you are connected through the
Clientless VPN hostname.

Task 3 – Review Logs on the VM-Series firewall


Step 1. To review the logs on the firewall, go to Monitor > Logs > GlobalProtect. Look for GP logs from user
joe. The GP logs show that user joe has successfully logged in to the GP Portal.

Step 2. Now click on Traffic and filter the log (user.src eq joe). The log entries should show the Clientless VPN
traffic.
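The log filters typed in this step and in Activity 6 (`(user.src eq joe)`, `( category eq high-risk )`) share one small query language. As an added example, not the workshop's or PAN-OS's own code, the block below implements a recursive-descent parser for a simplified version of that language (parenthesised `field op value` comparisons with `eq`, `neq` and `contains`, combined by `and` and `or`) and runs it over constructed URL Filtering log records. The record fields and their values are made up for the example; the operator set and grammar are an assumption covering only the forms used in this guide, not the full filter syntax of the product.

```python
"""Parse and evaluate simplified log filters over constructed records (added example).

Not the workshop's or PAN-OS's code. Grammar (assumed, covers the lab's filters):
    expr := term ('or' term)*
    term := factor ('and' factor)*
    factor := '(' expr ')' | field op value      op in eq | neq | contains
"""
import re
from typing import Callable, Dict, List

Record = Dict[str, str]
Predicate = Callable[[Record], bool]

_TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")

OPS = {
    "eq": lambda a, b: a == b,
    "neq": lambda a, b: a != b,
    "contains": lambda a, b: b in a,
}


class FilterError(ValueError):
    """Raised for a malformed filter so a typo is reported, not silently matched."""


class _Parser:
    def __init__(self, text: str) -> None:
        self.toks = _TOKEN.findall(text)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected: str = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok.lower() != expected):
            raise FilterError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def expr(self) -> Predicate:
        left = self.term()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, self.term())
        return left

    def term(self) -> Predicate:
        left = self.factor()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, self.factor())
        return left

    def factor(self) -> Predicate:
        if self.peek() == "(":
            self.take("(")
            inner = self.expr()
            self.take(")")
            return inner
        fld = self.take()
        op = self.take().lower()
        if op not in OPS:
            raise FilterError(f"unknown operator {op!r}")
        value = self.take()
        if value in ("(", ")"):
            raise FilterError("missing value")
        value = value[1:-1] if value.startswith("'") else value
        fn = OPS[op]
        return lambda rec: fn(str(rec.get(fld, "")), value)


def compile_filter(text: str) -> Predicate:
    p = _Parser(text)
    pred = p.expr()
    if p.peek() is not None:
        raise FilterError(f"unexpected token {p.peek()!r}")
    return pred


def is_valid_filter(text: str) -> bool:
    try:
        compile_filter(text)
        return True
    except FilterError:
        return False


def search(records: List[Record], text: str) -> List[Record]:
    pred = compile_filter(text)
    return [r for r in records if pred(r)]


# Constructed URL Filtering log records echoing the lab's sequence of events.
CONSTRUCTED_URL_LOG: List[Record] = [
    {"user.src": "joe", "category": "gambling", "action": "continue", "url": "www.topbet.eu/"},
    {"user.src": "joe", "category": "high-risk", "action": "continue", "url": "lab-phish.example/"},
    {"user.src": "joe", "category": "high-risk", "action": "block", "url": "lab-phish.example/login",
     "inline_ml_verdict": "phishing"},
    {"user.src": "peter", "category": "computer-and-internet-info", "action": "alert", "url": "example.test/"},
]

if __name__ == "__main__":
    for r in search(CONSTRUCTED_URL_LOG, "(category eq high-risk) and (action eq block)"):
        print(r["url"], r.get("inline_ml_verdict"))
```

Parenthesising each comparison, as the guide does, is what lets `and`/`or` combine them unambiguously; the parser rejects a filter with a missing value or a dangling token rather than returning an empty result that could be mistaken for "no matching traffic".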

End of Activity 9

Activity 10 – Cloud Identity Engine
The Cloud Identity Engine provides both user identification and user authentication as a centralized
cloud-based solution for on-premise, cloud-based, or hybrid network environments. The Cloud Identity
Engine allows you to write security policy based on users and groups, not IP addresses, and helps
secure your assets by enforcing behavior-based security actions. It also provides the flexibility to adapt
to changing security needs and users by making it simpler to configure an identity source or provider in a
single unified source of user identity, allowing scalability as needs change. Continually syncing the
information from your directories, whether they are on-premise, cloud-based, or hybrid, ensures that your
user information is accurate and up to date, and policy enforcement continues based on the mappings
even if the cloud identity provider is temporarily unavailable.

In this activity you will:


• Review configured Cloud Identity Engine tenant
• Review and configure Cloud Identity Engine for authentication
• Review and configure Cloud Identity Engine for identity/User-ID

Task 1 – Video Demonstration of Cloud Identity Engine


Step 1. Review a walk-through demo setting up Cloud Identity Engine at https://youtu.be/fZWMP5Bp_Go?t=170

Task 2 – Review lab Cloud Identity Engine tenant


Step 1. Our lab Cloud Identity Engine tenant consolidates directories from both Azure Active Directory and
Okta. Note: there is no student access to this tenant.

Step 2. We also have both set up as identity providers.

Task 3 – Cloud Identity Engine configuration for authentication


Step 1. Navigate to Device > Authentication Profile. We have already configured Authentication Profiles for
Azure Active Directory and Okta from our Cloud Identity Engine tenant.

Step 2. Click to open UTD-NGFW-CIE-Okta.

Note the Profile is the same as seen from Identity Providers in Task 2, step 2.

Step 3. Go to Device > User Identification > Authentication Portal Settings.

Step 4. Click on the gear icon to open the Authentication Portal window.

Step 5. Change the following settings:


• Authentication Profile: UTD-NGFW-CIE-Okta
• Mode: Redirect
• Redirect Host: 192.168.11.1

Click OK.

Step 6. Navigate to Objects > Authentication.

UTD-NGFW-CIE will be using the UTD-NGFW-CIE-Okta Authentication Profile for a captive portal.

Step 7. Go to Policies > Authentication.

Step 8. Click to select the UTD-NGFW-CIE-bypass profile. Click Enable at the bottom of the page. The text
should change from grey to blue.

Step 9. Click to select the UTD-NGFW-CIE profile. Click Enable at the bottom of the page. The text should
change from grey to blue.

Step 10. Click to open UTD-NGFW-CIE. Select the Destination tab. Click Add under the Destination Address
column. Enter 172.16.1.121 for the IP address. This will force the user to authenticate with their Okta
account via a captive portal when trying to access the server at 172.16.1.121.

Click the Actions tab. Note that the UTD-NGFW-CIE profile is being used for Authentication
Enforcement.

Click OK.

Task 4 – Cloud Identity Engine configuration for User-ID
Step 1. Navigate to Device > User Identification > Cloud Identity Engine tab.

Step 2. Click to open UTD-NGFW-CIE-Okta. Review the attributes that can be set in User Attributes, and
Group Attributes. These populate from the configured directory provider.

Click Cancel.

Step 3. Go to Policies > Security and locate the UTD-CIE-policy near the bottom. Select it then click Enable
at the bottom of the page. The text will change from grey to blue.

Step 4. Click to open UTD-CIE-policy and select the Source tab.

Click Add under the Source User column. Select the utd-ngfw-cie.okta.com\it group.

As we have the Cloud Identity Engine configured for both Azure AD and Okta, we see a list of all the
groups that are available. We can now use User-ID for enforcement once the user is authenticated.

Click OK.

Step 5. While the policy is still selected, click Move > Move Top from the bottom menu.

Verify that UTD-CIE-policy is at the top of the list.

Step 6. Commit your changes.

Task 5 – Test and review Cloud Identity Engine for authentication and
identity
Step 1. From the Student Desktop, select the Lab – Bookmarks > Activity-10 > UTD Lab Web Server
bookmark. If the server page appears immediately because of the browser cache, refresh the page.

Step 2. The browser will be redirected to the Okta sign-in page. The credentials for okta-user1@pan-labs.net
will populate for you. This user is a member of the group utd-ngfw-cie.okta.com\it. Click Sign In.

Step 3. Once authenticated, you will be sent to your destination.

Step 4. From the NGFW GUI, go to Monitor > Authentication. Note that the user has been authenticated from
the Cloud Authentication Service.
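
The following is an added example, not code from the workshop guide or from PAN-OS itself. It models how the three pieces configured in Tasks 3 and 4 fit together: the authentication policy decides whether a client without a User-ID mapping is redirected to the captive portal, a successful Okta sign-in creates the IP-to-user mapping, and the security policy is then matched on group membership. Object names, the redirect host, the server address, the student desktop address, the user and the group come from the lab; the scope of the UTD-NGFW-CIE-bypass rule and the catch-all security rule (UTD-deny-unlisted) are constructed assumptions so that the effect of the Move Top step can be seen.

```python
"""Added example (not from the workshop guide or PAN-OS): a small model of
authentication policy -> User-ID mapping -> group-based security policy.
Bypass-rule scope and the catch-all rule are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AuthRule:
    name: str
    dst: str                # destination address/network, or "any"
    action: str             # "web-form" (captive portal) or "no-captive-portal"
    enabled: bool = True


@dataclass
class SecurityRule:
    name: str
    src_users: tuple        # directory group names, or ("any",)
    action: str             # "allow" or "deny"
    enabled: bool = True


def _dst_matches(rule_dst, dst_ip):
    """True if dst_ip falls inside the rule's destination address object."""
    if rule_dst == "any":
        return True
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule_dst, strict=False)


@dataclass
class Firewall:
    auth_rules: list
    security_rules: list
    groups: dict                                   # group -> set of users, synced from the directory
    redirect_host: str = "192.168.11.1"            # Authentication Portal "Redirect Host" from Task 3
    ip_user: dict = field(default_factory=dict)    # User-ID IP-to-user mappings

    def portal_login(self, src_ip, username):
        """A successful captive-portal sign-in maps the client IP to the user."""
        self.ip_user[src_ip] = username

    def session(self, src_ip, dst_ip):
        """Return (action, detail) for a new session: authentication policy
        is evaluated first, then the security policy, both first-match."""
        for rule in self.auth_rules:
            if rule.enabled and _dst_matches(rule.dst, dst_ip):
                # "web-form" redirects clients that have no User-ID mapping yet
                if rule.action == "web-form" and src_ip not in self.ip_user:
                    return ("redirect", self.redirect_host)
                break
        user = self.ip_user.get(src_ip)
        for rule in self.security_rules:
            if not rule.enabled:
                continue
            if rule.src_users == ("any",) or any(
                user in self.groups.get(g, set()) for g in rule.src_users
            ):
                return (rule.action, rule.name)
        return ("deny", "interzone-default")


def lab_firewall(cie_policy_on_top=True):
    """Rule base mirroring the lab. The bypass rule's destination and the
    catch-all deny rule are constructed assumptions, not from the guide."""
    auth_rules = [
        AuthRule("UTD-NGFW-CIE-bypass", "192.168.11.1/32", "no-captive-portal"),  # assumed scope
        AuthRule("UTD-NGFW-CIE", "172.16.1.121/32", "web-form"),
    ]
    cie_policy = SecurityRule("UTD-CIE-policy", ("utd-ngfw-cie.okta.com\\it",), "allow")
    catch_all = SecurityRule("UTD-deny-unlisted", ("any",), "deny")   # constructed
    order = [cie_policy, catch_all] if cie_policy_on_top else [catch_all, cie_policy]
    groups = {"utd-ngfw-cie.okta.com\\it": {"okta-user1@pan-labs.net"}}
    return Firewall(auth_rules, order, groups)


def walkthrough(cie_policy_on_top=True):
    """Replay Task 5: the first request is redirected, the Okta sign-in
    creates the mapping, and the second request is matched on the group."""
    fw = lab_firewall(cie_policy_on_top)
    client, server = "192.168.11.201", "172.16.1.121"   # student desktop -> lab web server
    first = fw.session(client, server)
    fw.portal_login(client, "okta-user1@pan-labs.net")
    second = fw.session(client, server)
    return [first, second]


if __name__ == "__main__":
    print(walkthrough())                          # [('redirect', '192.168.11.1'), ('allow', 'UTD-CIE-policy')]
    print(walkthrough(cie_policy_on_top=False))   # second entry becomes ('deny', 'UTD-deny-unlisted')
```

Running `walkthrough(cie_policy_on_top=False)` shows why Step 5 of Task 4 moves UTD-CIE-policy to the top: a broader rule placed above it matches first, so the group-based rule is shadowed and never applied even though the user authenticated successfully.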

End of Activity 10

Activity 11 – ACC and Custom Reports

Background: Informative visualization tools and reports are very important to network and security
administrators, enabling them to monitor the network and identify potential problems and attacks.
The comprehensive built-in visualization tools and reporting features of the firewall provide visibility into
the network without requiring a complex logging infrastructure.

PAN-OS features to be used:


• Application Command Center (ACC).
o Built-in visualization tools that provide a clear view of the application, user and threat data
on your network.
o ACC in PAN-OS has been upgraded to reduce response time based on visual and
actionable data.
• Manage custom reports.
o Create a custom report using traffic stats logs.

Task 1 – Review Application Command Center (ACC)


Step 1. From the NGFW UI, click the ACC tab. The ACC is configured to automatically show data collected in the
last hour. Change the time range to Last 6 Hrs in the Time drop-down window to include all the data
generated during your lab session.

Step 2. There are six pre-defined tabs: Network Activity, Threat Activity, Blocked Activity, Tunnel Activity,
GlobalProtect Activity, and SSL Activity. Under the Network Activity tab, you can see the most used
applications in the Application Usage widget. Please take a moment to review the other widgets such as
User Activity, Source IP Activity, Destination Regions, etc.

Step 3. In the Application Usage widget, click any tile to zoom into a group of applications or a single
application; for example, click the general-internet category or the networking category.

The selection in the widget applies only to that specific widget. Mouse over the App Category [general-
internet] selection, and the Add Global Filter option will appear.

Step 4. Click Add Global Filter to apply the selection to all the widgets.

Step 5. To remove the global filter, click Clear all, or select a filter, then click the red button to remove it.

Step 6. To customize a time range, go to the User Activity widget. Then select a start time and drag it through
the time axis to the end of the time range. Apply this to the widget. You can apply this time range to the
other widgets by clicking Add Global Filter.

Step 7. To remove the customized time range from the global filter, select a new time from the Time drop-down
menu as in step 1.

Task 2 – SaaS Application Usage Report

To maintain network security and ensure compliance with corporate policy, you must identify and monitor the use
of SaaS applications on your network. To meet this challenge, the Palo Alto Networks ML-Powered NGFW
includes a SaaS Application Usage Report in PDF format to give you visibility into the SaaS applications. The
report helps you identify the ratio of sanctioned versus unsanctioned SaaS applications in use on the network. It
also includes details on the top SaaS application subcategories by number of applications, by number of users,
and more. You can use the data from this report to define or refine security policy rules on the firewall to block or
monitor the use of unsanctioned SaaS applications on your network. This task will show you how to get started
with the SaaS Application Usage Report on the firewall.

Step 1. Navigate to Monitor > PDF Reports > SaaS Application Usage.

Step 2. Click Add at the bottom of the window to open a new SaaS Application Usage report configuration
window.

Step 3. Name the report SaaS App Usage Report, then select Last 7 Days, and click OK to save it.

Step 4. You should see a new entry created. Click it to open the report window; then click Run Now to create the
report.

Step 5. It will take a bit of time to create the report. When the report is done, you should see a new browser tab
open with the report. You may need to disable the pop-up blocker in your browser to allow the report to
be opened in a new browser tab.

Step 6. Take a closer look at the SaaS Application Usage Report and the overview it contains. You can export
the report as a PDF. Close the SaaS Application Usage Report window when you are done.

Task 3 – Setting up a custom report

Step 1. Go to Monitor > Manage Custom Reports.

Step 2. Click Add (from the lower left). In the Custom Report window, name the report Session Stats.

Step 3. Use the following information to create this report:

• Database: Application Statistics
• Scheduled: not checked
• Time Frame: Last 6 Hrs
• Selected Columns: Application Name, App Category, App Sub Category, Risk of App,
Sessions
• Sort By: Sessions | Top 10

Step 4. Click Run Now (at the top of the pop-up). A tab Session Stats will be created. Review the report and
export the results as a PDF file.

Reports may also be scheduled by selecting the Scheduled checkbox in the Custom Report window.
These reports will run automatically at 2:00 a.m. daily.
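
The following is an added example, not code from the workshop guide or from PAN-OS. It reproduces offline what the two reports of Task 2 and Task 3 compute from application statistics: the sanctioned versus unsanctioned SaaS ratio with the top SaaS subcategories by number of applications and users, and the Session Stats report (Application Name, App Category, App Sub Category, Risk of App, Sessions, sorted by Sessions, top 10). The per-session rows, the SaaS flag, the category, risk values and the set of sanctioned applications are all constructed sample data, not captured firewall output; on the firewall the sanctioned set comes from the Sanctioned tag on application objects.

```python
"""Added example (not from the guide or PAN-OS): rebuilding the SaaS usage
ratio (Task 2) and the 'Session Stats' custom report (Task 3) from a
constructed set of per-session traffic-log rows."""
import csv
import io
from collections import defaultdict

# Constructed sample rows, one per session. Application names, categories,
# risk values and the saas flag are illustrative, not real firewall data.
SAMPLE_CSV = """app,category,subcategory,risk,saas,user
web-browsing,general-internet,internet-utility,4,no,joe
web-browsing,general-internet,internet-utility,4,no,joe
web-browsing,general-internet,internet-utility,4,no,alice
ssl,networking,encrypted-tunnel,4,no,joe
ssl,networking,encrypted-tunnel,4,no,alice
dns,networking,infrastructure,3,no,joe
facebook-base,collaboration,social-networking,4,yes,joe
facebook-base,collaboration,social-networking,4,yes,alice
dropbox,general-internet,file-sharing,4,yes,joe
youtube-base,media,photo-video,2,yes,alice
boxnet,general-internet,file-sharing,4,yes,joe
boxnet,general-internet,file-sharing,4,yes,alice
boxnet,general-internet,file-sharing,4,yes,joe
"""

# Constructed stand-in for the "Sanctioned" tag the SaaS report relies on.
SANCTIONED = {"boxnet"}


def load_rows(text=SAMPLE_CSV):
    """Parse the CSV into dicts; risk becomes int and saas becomes bool."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["risk"] = int(row["risk"])
        row["saas"] = row["saas"] == "yes"
        rows.append(row)
    return rows


def session_stats(rows, top=10):
    """Task 3 report: (Application Name, App Category, App Sub Category,
    Risk of App, Sessions), sorted by Sessions descending, top N only."""
    counts = {}
    for r in rows:
        key = (r["app"], r["category"], r["subcategory"], r["risk"])
        counts[key] = counts.get(key, 0) + 1
    # Ties are broken by application name so the ranking is deterministic.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0]))
    return [key + (n,) for key, n in ranked[:top]]


def saas_usage(rows, sanctioned=SANCTIONED):
    """Task 2 report: sanctioned vs unsanctioned SaaS applications plus the
    top SaaS subcategories by number of applications and number of users."""
    apps = {}                                           # app -> sanctioned?
    by_sub = defaultdict(lambda: {"apps": set(), "users": set()})
    for r in rows:
        if not r["saas"]:
            continue
        apps[r["app"]] = r["app"] in sanctioned
        by_sub[r["subcategory"]]["apps"].add(r["app"])
        by_sub[r["subcategory"]]["users"].add(r["user"])
    n_sanctioned = sum(apps.values())
    subcategories = sorted(
        ((sub, len(v["apps"]), len(v["users"])) for sub, v in by_sub.items()),
        key=lambda t: (-t[1], -t[2], t[0]),
    )
    return {
        "sanctioned_apps": n_sanctioned,
        "unsanctioned_apps": len(apps) - n_sanctioned,
        "unsanctioned": sorted(a for a, ok in apps.items() if not ok),
        "subcategories": subcategories,   # (subcategory, app count, user count)
    }


if __name__ == "__main__":
    rows = load_rows()
    for line in session_stats(rows):
        print(line)
    print(saas_usage(rows))
```

The `unsanctioned` list is the part of the report that feeds policy work: each name there is a candidate for a block or monitor rule, which is how the report is meant to drive the security policy refinements described above.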

End of Activity 11

Activity 12 - Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive event. We hope you enjoyed the presentation and the labs
that we have prepared for you. Please take a few minutes to complete the online survey form to tell us
what you think about this event.

Task 1 – Take the online survey


Step 1. In your lab environment, click on the Survey link from the left-hand column.

Step 2. Please complete the survey and let us know what you think about this workshop.

Drag the widget to the right to expand the window.

End of Activity 12

Appendix 1: Support for Non-U.S. Keyboards
If you are using a non-U.S. keyboard and have difficulties entering characters and special keys, you can add a
keyboard to the student desktop that matches yours, or use the on-screen keyboard. This appendix shows
you how to add and select an international keyboard, or how to use the on-screen keyboard.
By default, the “English (United States)” and “French (France)” keyboards are added to the student desktop. Click
the bottom left-hand corner to switch between them.

Add a new international keyboard


To add other keyboards, go to Start > Control Panel. Click “Change Keyboards or other input methods.”

Click “Change keyboard.”

Click “Add” to add a new international keyboard. Then switch to the new keyboard per the instructions on the
previous page.

Use the on-screen keyboard
To use the on-screen keyboard:
Step 1: Click “Start ->All Programs”.

Step 2: Click on “Accessories”

Step 3: Click “Ease of Access,” then click “On-Screen Keyboard.”

Step 4: You should see the Windows On-Screen Keyboard. To enter a key that does not work from your physical
keyboard inside the VM image, click that key on the on-screen keyboard.

Appendix 2: How to resolve the connectivity issue
If you experience a connectivity issue from the Student Desktop during the lab, follow these steps to restore
the connection:

Step 1: Reboot the Student Desktop VM by navigating to Start > Log off (click on the arrow) and then clicking Restart.

Step 2: Wait for the VM to restart and come up.

Step 3: Browse to CNN page by clicking the Lab – Bookmarks > Activity-0.

Step 4: If the restart doesn’t solve the problem, configure the Student Desktop interface IP with the following
command from a command prompt window:

netsh interface ip set address "Local Area Connection 3" static 192.168.11.201 255.255.255.0 192.168.11.1
