2/3/2018 Palo Alto: CNSE - Panorama part

Sunday, January 12, 2014

CNSE - Panorama part

Cisco Network Something Engineer.

Well NO.

This is the Checkpoint Network Special Engineer.

Alright.

Certified Network Security Engineer - Courtesy of Palo Alto.

To be honest, I was hoping someone else had written a guide but no such luck.
A few random guys posted they passed it
and some random company or two mention they passed it.
If you are doing this to get ahead in life, I doubt you will.
The certification is unknown in the industry.
If you go on Indeed and type CNSE for the whole of the USA,
you'll get 48 hits and they will be for College of Nanoscale Science and Engineering
and some other healthcare programs, but then again when I started in IT no one knew what
a CCIE is.

Now, if you recall.


In the beginning god made the earth etc
Well eventually he made the internet and it was insecure.
So your first firewalls to protect you were stateless and basically blocked ports.


Then your second firewalls were stateful and remembered to expect traffic back on some
port.

Well Palo Alto, technically doesn't care about ports.


Palo Alto is not even stateful. It simply cares about APPLICATIONS.

Now you can have 20 applications running on port 80.


AIM, messenger, facebook, youtube, chrome, salesforce, etc.
Palo Alto will use their signatures to recognize the application so you can apply rules to
APPLICATIONS.

Besides Palo Alto, which is trying to break the mold, you have Juniper
Mikonos/Mykonos/Secure web application something {they keep rebranding}, but that is
for another blog.

So.
CNSE

Wow, where do I start.


well. I have no idea.
I googled and couldn't find any sort of guide.
The best is CNSE 5.1 study guide  which looks more like a cheat sheet than a guide.

The themes for the exam are.


Have skill and knowledge in these subjects:
- Administration and Management
- Network Architecture
- Security Architecture
- Troubleshooting
- User-ID
- Content-ID
- App-ID
- Panorama
- GlobalProtect

So, I'll start with Panorama.

CNSE001


You are a serious guy, 3 kids and a bugaboo.


You manage the security for a big real estate agency.
You have two or ten datacenters with many servers.
So in each datacenter you have a firewall.
Now
You can't spend all day logging into 10 datacenters to collect and correlate logs
Also you can't have a stable security policy at all 10 locations if all you do is copy
rules manually.

Imagine a new rule,  deny sales access facebook after 11:00 pm.
The reason for that rule is you don't want people to drunk post.
So now you have to copy it 10 times to each firewall, not going to happen.

So for "serious" people you have a management platform called Panorama.


Now this platform is great.
You can now justify to a client why he has to buy Palo Alto, because Palo Alto has a
management platform, while Cisco has bobkes and Juniper is trying to fix their "junos space".


So what does Panorama do.


1. It accumulates the logs from the devices so you can correlate data centrally.
2. It centralizes the configuration of all the firewalls.
3. Centralizes the deployment of new firewalls.

You deploy it by using


1. Virtual Machine appliance - ESXi 3.5 or VM 1.0.6+
2. Appliance  (M-100)

So let's start by viewing the appliances.


If ever you want pricing, go to any site and there should be MSRP prices on each item.

PAN-M-100 - M-100, 1TB RAID 1 storage (2 1TB RAID certified drives preinstalled) - $10,000
PAN-M-100-4TB - M-100, 4TB RAID 1 storage (8 1TB RAID certified drives preinstalled) - $15,000

So, since you have two sizes, the first logical assumption you can make is that the TB of
storage will depend on how many logs you estimate you will have.

Unfortunately there is nothing on the partner portal to tell you how to size this.
So my recommendation is to buy the first one.
Monitor the size of the drive increase over time and based on that you can make your
"retention" and future sizing of future purchases.
Now, do I think 6TB of storage is worth $5,000. No.

So, we have the device  M-100.


Now we need to license each of the firewalls we have.
The licensing starts at:
PAN-M-P-25 - Panorama central management software license, 25 devices or log collector for the M-series - $10,000
PAN-M-P-100 - Panorama central management software license, 100 devices for the M-series - $25,000
PAN-M-P-1K - Panorama central management software license, 1000 devices for the M-series - $75,000

So using MSRP, the lowest cost Panorama will be $20,000:

10000 hardware
10000 licensing.

Wait, still not done.


You have to add the yearly support costs.
PAN-SVC-4HR-M-100-P-100 - 4-Hour Premium support year 1, Panorama M-100 100 devices - $7,350
PAN-SVC-PREM-M-100-P-100 - Premium support year 1, Panorama M-100 100 devices - $5,600

4 hour means within 4 hours of them determining the problem is the hardware they will
send a replacement.
Premium just means Next business day.

CNSE002

So, let's break it up with some images.

Above is the Palo Alto M-100 appliance with 8 HD and the license.

CNSE003


Let's review the equipment.


There is 1 10/100/1000 port at the front. (9)

CNSE004

There is a console port at the front. (8)

There is a port not in use (10), future use maybe.
There are two ports in the back that are reserved for future use.


The power is in the back. Single power.

A neat feature.
This M-100 has a UID (Unique ID); this is a button (5) you press.
It will make the device LED blink. Then when you go to the other side of the rack you can
easily recognize the device and avoid unplugging the wrong thing.

So let's summarize their slides.


Either VMware or Appliance.
Licenses are required for the endpoint firewalls: 25, 100, 1000 increments.
You can take a 25 license and convert the M-100 into a "collector"; this will help offload
processing from the main M-100 in this scenario. {Slide CNSE001 references this}

Installation.
The device comes with the rack rails.
Either 4 post or 2 post and threaded or not.
If you have no idea what I am talking about,
then try www.apc.com or www.tripplite.com

M-100 VMware.
Here you can avoid paying $10000 per appliance.
Minimum:
Quad Core VM
4GB DRAM
ESX 4.1 (each document says something else, so double check and try it first before
deploying; remember, hard in training, easy in combat).
2 TB maximum HD on the VM for logs.
Security:
For both it is Radius or local.
Active / passive is the HA.
Up to 1000 devices is the maximum.

References
https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/datasheets/panorama/panorama.pdf
Panorama hardware installation guide.

Templates.
https://live.paloaltonetworks.com/docs/DOC-4125
In Panorama.
Well, let's say you have 500 firewalls and you want to replace the NTP server with a new IP.
So either you QTP {script using GUI}, Perl it, or use a "template".
Since Panorama is mainly for security administrators who are more GUI orientated,
the template has been offered.
Templates control the NETWORK settings.
For example I can configure the template DMZ_template.

Now whenever I have a new router, I apply the template DMZ_template and I get a router
configured with the right interfaces.
Saved myself some time. So now I can go slack off and update my blog and learn something
new.

Now I can totally add to that.

For example I can say on the WAN interface don't allow ping,
on the DMZ don't allow telnet,
etc.
Basically you bundle up all the settings. This way you don't have to repeat it every time,
which is an action that is prone to errors.


An example of configuring the mgmt interface in the template.

How to create templates.


First, templates are supported in version 5.0 and later.
Option 1
Create a template as a place holder, commit, get new device,  apply the template to the
device.

Option 2
Create a template, assign devices, commit to the devices.

OK,
I'll switch a little
In the Palo Alto Portal you can get a Panorama training
Panorama Management Software 121 PAN-OS v.5.1
So let's try summarizing it.

Panorama  PAN-OS v5.1


Image text

Managing many firewalls becomes complex.

High availability of centralized management. Centralized configuration and software
maintenance allows you to configure once and share it among the devices.

Centralized logging.

HA can be done active/passive.

Different people will need different permissions on the Panorama management:
responsibility or geography.

Panorama provides visibility and control through an easy GUI. You can aggregate logs from
many devices into a central location. Management is done through templates, device groups,
role based administration and update management. You can store configuration backups on
Panorama. Panorama can be converted into a dedicated log collector. Updates and licenses
can be managed and deployed centrally.

This is basically a slide for dummies showing how Panorama gives you flexibility.

Sizing. This is key for the exam.
< 10 devices: you can use VM Panorama.
< 100 devices: you are fine with 1.
> 100 devices: you should look into scaling it out; the reasons are the log collection
and geographical distances between collectors and firewalls.

The VM (< 10 devices) is 64 bit so you can add more memory to the VM. ESXi 5.0 64 bit
must be used. The file is OVF and you download it.

A snapshot will return the system to what it was when the snapshot was taken.

M-100: same or better than the VM. Provides log collection capability, which means you can
take a Panorama and dedicate it to log collection. Only M-100 can do log collection.

Collector Group:
Panorama allows you the option to set up a collector group. The reason is that you can set
up different storage retention and SNMP.

Panorama and the firewall will talk SSL, TCP port 3978.

You can download updates to Panorama and then send them to the firewalls. This allows you
to download the updates once and do this in a central fashion.

You can also apply licenses from a central location.

You can aggregate the reporting. Instead of seeing the reports per device, Panorama
aggregates them, which allows you to defend the whole network and correlate data.

Panorama admins
Dynamic:
Superuser - full access.
Superuser read only - read only.
Panorama administrator - can't create other admins.

Role based - more granular control.

Local admin can only get Dashboard and Security policies access.

Management IP 192.168.1.1/24
admin
admin

After you register your Panorama online, you click on licenses --> retrieve license from.
This will activate the license.

Later on you can add more licenses using the "activate feature using authorization code".

On the Management port you can enable which services will be enabled. Permitted IP range
also helps.

Need to add the source subnet of the admin PC.

Either add them from Panorama: Panorama --> managed devices.
Or add them from the device: Firewall Setup --> device --> management.

Add the devices. Put them into your logical device groups. Create templates.

Add the IP of the Panorama or FQDN.
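A pre-change sanity check for the MGT "Permitted IP" list described above, added here as an example (not code from the post or from Palo Alto): it flags a list that would lock out the admin subnet or block the Panorama (or both members of a Panorama HA pair) from the firewall's management port. The port number comes from the notes; the subnets and addresses are constructed.

```python
# Added example: checks a proposed Permitted IP list for the management port
# before it is committed, so locking the port down does not lock you out.
import ipaddress
from typing import List, Tuple

PANORAMA_PORT = 3978  # firewall <-> Panorama SSL port, as given in the notes


def check_permitted_ips(permitted: List[str], admin_subnet: str,
                        panorama_ips: List[str]) -> Tuple[bool, List[str]]:
    """Return (ok, findings) for a proposed Permitted IP list.

    permitted:    CIDR strings that would be allowed to reach the MGT port
    admin_subnet: source subnet of the admin PCs (must stay reachable)
    panorama_ips: every Panorama that manages this device (both IPs of an HA pair)
    """
    findings: List[str] = []
    nets = [ipaddress.ip_network(p, strict=False) for p in permitted]
    admin = ipaddress.ip_network(admin_subnet, strict=False)

    if not nets:
        findings.append("empty Permitted IP list: management reachable from any source")
    for n in nets:
        if n.prefixlen == 0:
            findings.append(f"{n} permits every source; narrow it to admin and Panorama subnets")
    # Same address family is required before subnet_of() is meaningful.
    if not any(n.version == admin.version and admin.subnet_of(n) for n in nets):
        findings.append(f"admin subnet {admin} is not permitted: you would lock yourself out")
    for ip in panorama_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            findings.append(f"Panorama {ip} cannot reach the MGT port (TCP {PANORAMA_PORT})")
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed scenario: only the primary Panorama of an HA pair was permitted.
    ok, notes = check_permitted_ips(["10.10.0.0/24", "10.20.0.5/32"],
                                    "10.10.0.0/24", ["10.20.0.5", "10.20.0.6"])
    print(ok, notes)
```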

Like we said: Device > Setup > management > program settings.
If you are managed by an HA pair, then add both of their IPs. Panorama should be accessible
via the MGT interface. If you are not using the MGT interfaces then set up a route.

Enable buttons in yellow will allow Panorama to PUSH configurations. Policy and objects
can't be overridden. Local admin can override templates.

Creating a Role.
Select Panorama to create a role for Panorama.
Select Device Group to create a role for the firewalls.
Enable - Read only - Disable.

Now when you create the new user, you select a radio button.
Dynamic - these are built in:
{Superuser}
{Superuser - read only}
{Panorama administrator - can't create other admins}
or
Role Based - which relies on the role you created above.

When you set up a user, you have the selection of the "Authentication profile". You can use
this or use an "Authentication sequence". The sequence will let you run through a list of
authentication profiles.

Password complexity is for all of the Panorama admin accounts.

The password profile is per user. This is applied under the authentication TAB of the user
you just created.

Authentication profile can be that or authentication sequence.

SSH can be turned on.

Role being Dynamic and Role based.

Profile is the Role based profile.

The password profile.

Pending commits can be seen by other Panorama administrators.

If you see a LOCK, that means someone else is working on that part of the configuration.

Click on it to see who: the location of the admin and which of the records are locked.

Commit to Panorama.
Commit template changes to devices.
Commit them to a device group.
Commit them to a collector group.

Commit to Panorama. From Panorama push the configuration to:
Device groups
Templates --> then apply to devices
Collector groups.

Filters allow you to limit who it will be applied on.

Merge with the candidate config.

Force Template to override the local changes by the admin.

Include Device group + Network templates in a single commit.

This allows you to TAG a device with an administrative label, like the location name or
something else. This is only in the Panorama and is not retained in the device itself.

State will show if it is in sync or not.
Platform will be the device type.
Device groups
Template members
Tags

You can press preview to see the proposed changes in the candidate config. Color coding:
green is added, yellow modified, red deleted.

Template commit.
This allows you to set the changes to commit them to the template.

Allows you the third item: committing to a group of devices.

Apply to a group of collectors....

Device Groups
Device group = logical grouping of devices.
Devices are added to the group. A device can belong to a single device group.
Devices are either physical firewalls or virtual systems.
The Shared group contains all of the device groups in it.

The GUI will look different till you create the first device group.

Creating a device group.
Name
Description - device group saar

You select the firewalls on the right. You can use the filters to see fewer options.

Alright,

Let's say you have a client. That client has an IP pool, 82.35.35.0/24. Now you want to
create an object: client002 = ip pool 82.35.35.0/24. Now you can use that in the firewall
rules: if client002 to DMZ then allow.

Now instead of creating this client in each of your 50 firewalls, you create a shared object
in Panorama which will be pushed to all the firewalls. So, apparently each firewall has a
different number of maximum shared objects. For example small firewall = small number.

Palo Alto recommends leaving the checkbox on "Share unused address ...." This won't send an
object to a firewall if it is not in their policy.

If you want to over-write objects that have the same name, use "shared objects take
precedence". This will over-write the local admin's object {must be same name}.

This looks complex at first. Remember, all the firewalls are in the SHARED group. So
logically the first pre-policy is SHARED pre-policy. There you will put items all firewalls
should allow, like DNS.

Remember you can logically split into "device" groups.

Local firewall policies are done by the local admin.

SHARED post policy is simply any any deny!

Panorama GUI configuring the Panorama shared pre rules and post.

Notice the context :Panorama:

Zone names don't auto populate. Zone names in the local firewalls are unknown to the
Panorama.

To make it easier, you can create zone names in the templates. This will allow them to auto
populate.

If you type a zone name manually, a mistake in upper/lower case or a letter will prevent
the firewall from committing.

Once you finish creating a policy, you can push it to the "targets". If you want you can
exclude devices or pick specific devices to target. As usual, you can use the filters to
limit the choices.

Preview rules will allow you to see a preview of the accumulated rules. You can run this
before applying the rules:
Shared Pre
Device group
Local
Post device group
Post shared.
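A small model of the layering just listed (shared pre, device group, local, device group post, shared post), the "shared objects take precedence" option, the "share unused address" behaviour as the notes describe it, and the case-sensitive zone check that otherwise fails the device commit; this is an added example, not code from the post or from Palo Alto, and every rule and object name in it is constructed.

```python
# Added example: toy model of Panorama policy layering and pre-push checks.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # address object name, or "any"
    to_zone: str   # destination zone name, or "any"
    action: str    # "allow" or "deny"


def effective_rulebase(shared_pre: List[Rule], group_pre: List[Rule],
                       local: List[Rule], group_post: List[Rule],
                       shared_post: List[Rule]) -> List[Rule]:
    """Order in which the firewall evaluates rules after a Panorama push."""
    return shared_pre + group_pre + local + group_post + shared_post


def merge_objects(shared: Dict[str, str], local: Dict[str, str],
                  shared_take_precedence: bool) -> Dict[str, str]:
    """Resolve same-named address objects; the Panorama copy only wins when
    'shared objects take precedence' is set."""
    merged = dict(local)
    for name, value in shared.items():
        if name not in merged or shared_take_precedence:
            merged[name] = value
    return merged


def objects_to_push(shared: Dict[str, str], rules: List[Rule],
                    share_unused: bool) -> Dict[str, str]:
    """Shared objects a firewall receives: all of them, or only those its
    effective policy references (the notes' 'share unused address' point)."""
    if share_unused:
        return dict(shared)
    used = {r.src for r in rules}
    return {n: v for n, v in shared.items() if n in used}


def zone_commit_errors(rules: List[Rule], template_zones: Set[str]) -> List[str]:
    """Zone names must match the template exactly, case included; a typo is
    what makes the device commit fail, so catch it before pushing."""
    return [r.name for r in rules
            if r.to_zone != "any" and r.to_zone not in template_zones]


def first_match(rules: List[Rule], src_obj: str,
                to_zone: str) -> Optional[Tuple[str, str]]:
    """First-match evaluation over the effective rulebase."""
    for r in rules:
        if r.src in ("any", src_obj) and r.to_zone in ("any", to_zone):
            return r.name, r.action
    return None


def demo() -> dict:
    """Constructed scenario: the client object from the notes, a local admin
    who tries to deny what the shared pre-policy allows, and one zone typo."""
    shared_objs = {"client002": "82.35.35.0/24", "dns-servers": "10.0.0.0/24"}
    local_objs = {"client002": "10.9.9.0/24"}  # stale local definition
    shared_pre = [Rule("allow-client002-dmz", "client002", "DMZ", "allow")]
    local = [Rule("local-block-client002", "client002", "DMZ", "deny"),
             Rule("local-typo", "client002", "dmz", "allow")]
    shared_post = [Rule("catch-all-deny", "any", "any", "deny")]
    rules = effective_rulebase(shared_pre, [], local, [], shared_post)
    return {
        "order": [r.name for r in rules],
        "client002": merge_objects(shared_objs, local_objs, True)["client002"],
        "pushed": sorted(objects_to_push(shared_objs, rules, False)),
        "zone_errors": zone_commit_errors(rules, {"DMZ", "WAN", "Trust"}),
        "verdict": first_match(rules, "client002", "DMZ"),
        "unmatched": first_match(rules, "guest", "Trust"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The local admin's deny is never reached because the shared pre-rule matches first, and anything nobody allowed falls through to the shared post any-any deny.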

This is another time the "Device group" commit. You can filter and select specific
firewalls.

You can also merge: include device + Network templates and FORCE the template value
{override local}.

Running a Device Commit to two VSYS on the same device will cause a fail: firewall_51.

Each physical firewall can have a few "virtual" firewalls, like vSYS1, vSYS2, vSYS3. If
there is a device commit running on one of the vSYS, then when you try to run one on a
different vSYS you get that error.

Template commit
Network settings
Device config

You select to apply a template on a device or devices.

There is a tag you can add to the devices:
Normal
FIPS compliant
CC government compliance.

Then you choose it too on the template. In order to be applied, the TAG on the template
must match the one on the firewall. This allows you to set up for example a FIPS template
that will apply only to your FIPS firewalls.

After you add a template it will add a TAB for them: TEMPLATE Network/|/Device.

As you recall this is the template workflow. Either assign devices then create it, or
create it then assign it to devices.

Push the config to the devices.

You can remove a setting from a template by clicking the remove X thing.

Select TEMPLATE, then apply it on the devices or "commit" it.

Icon changes to override (green and orange) when you change something to make it
different from the template.

ADMIN tools
So devices will send logs. All the logs will be aggregated. Based on the aggregated logs
you can create reports for managers.

You CAN'T forward logs from a log collector or a Panorama to a third party device. You CAN
forward them to a 3rd party from the firewall. Sending logs to SNMP, EMAIL, SYSLOG: this is
from the firewall itself.

Generate log is when the action happened. Receive is when it arrived at the Panorama. So
there might be a delay.

Data is sent to the ACC and dashboard. The dashboard shows health. The ACC will show you
details.

Select Panorama or device context. Select the time frame.

Summary reports will give you charts. You can look at them to try to get patterns.

Panorama reports for you: on demand or scheduled. Save or export as CSV. You can schedule a
report and email it.

User Activity is used for a summary of URLs.

PDF Summary will aggregate a number of smaller PDF reports into a big one.

Custom reports allow you to filter.

This is the screen where you export reports: PDF, CSV, XML.

Application, traffic, threat, URL, then a summary of the above.

This is the user report. You can select a specific user when generating the report.

This is for creating a custom report using a custom string.

You can also use TEMPLATES to start you off.

Panorama >> device deployment - license
Will allow you to see the licenses and when they are set to expire. This allows you to
quickly view and purchase the necessary licenses to keep secure.

Panorama >> device deployment - dynamic updates
Allows you to download and install updates centrally. You can select to upload to device,
or upload and install then reboot.

Palo Alto best practice is to have one Collector for every group of devices.

If you have two or more collectors a hash will decide where to store the data. This is only
needed if more than 4TB of logging. This does not replace SIEM.

If you are running version 4 firewalls then they can't send the logs to the log collector.
They will send it to Panorama that can then forward it to the log collector.

On a Panorama VM you can use the space on the VM by adding a 2TB storage. This will make it
redundant.

You can also mount an NFS share and store it outside of the VM. NFS will be mounted on the
active device only.

request system logger-mode logger will make it a collector.
request system logger-mode panorama will make it both a manager and a logger.

> show system info | match logger_mode
logger_mode: TRUE means it is a dedicated collector.

This helps determine the logging rate. You can also see the statistics. This will allow
you to plan for growth.

Similar to the Panorama statistics you can look at the Default collector group statistics.

You can change retention settings. This will affect how much data is being logged to the
collectors.

Another view of the log collection: PAN 4.0 goes to Panorama. PAN 5.0 can go to log
collectors if needed.

50000 per second: if you have more then you need to add new collectors or change the amount
of logging.

You add disks in pairs. You format them, which can take 2 hours.

Palo Alto disks:
show system raid detail
If a disk fails:
request system raid add disk force no-format
The no-format is so the old data won't be overwritten.

This is the Panorama HA pair. They talk over the management port: TCP port 28 encrypted,
2869 when not encrypted.

So to enable HA, click the checkbox, then put the IP of the other Panorama.

Encryption enabled will encrypt the data. You will need to import the HA key for encrypted:
Panorama > Certificate management > certificates.

If you enable PREEMPTIVE then the primary can take back the role when it is powered back
up. If you don't, the other one will remain primary till it fails.

Path monitoring will ping an IP to see it is alive.

The HA status will monitor the HA between the devices. If something is wrong you will get a
RED LED, usually versions or mismatch.

On version PAN 5.0 Panorama does backup of the changes. Then you can schedule Panorama to
export the backups to a share.

You can push versions of the OS to the firewalls.

To move Panorama from one device to another, use the Export snapshot. Commit it to the new
device with the same IP and check the firewalls can be managed from the new Panorama.

Configure management IP
Retrieve licenses
On Panorama run CLI to swap serial
Build the device
Import config.

If the serial has changed then you need to search the logs with both serials as you can't
change past data.


Posted by saar harel at 12:04 PM

8 comments:

Rodolfo Nützmann April 26, 2014 at 12:54 AM
Thanks a bunch for this! :-)

Rana Kr Dey April 28, 2014 at 12:07 AM
Thanks a lot for the Panorama study tour ... !!

QUOC LE July 4, 2014 at 1:00 AM
Thanks for your post !

jake george September 29, 2014 at 8:54 PM
This comment has been removed by a blog administrator.

Michael McCorkle January 21, 2016 at 5:05 PM
This comment has been removed by the author.

Michael McCorkle January 21, 2016 at 5:05 PM
I had to stop reading at 'Palo Alto is not even stateful. It simply cares about APPLICATIONS.'

If you can't even get that basic part right, what else in your guide is wrong?

Replies

saar harel January 24, 2016 at 1:18 PM
Palo Alto runs APP-ID which works based on applications.
Not the session and port state of the past.

So at the time the guide was written, Palo Alto marketing refused applying the
"stateful" firewall term in their documentation.

Palo Alto is a NGFW next generation firewall according to marketing and
guidelines from them.

Up to you if you want to read the guide.

It's not perfect but you won't find much on the subject elsewhere.

Guru Prasad April 19, 2017 at 11:35 PM
I really appreciate information shared above. It's of great help. If someone wants to learn
Online (Virtual) instructor led live training in TECHNOLOGY, kindly contact us
http://www.maxmunus.com/contact
MaxMunus Offer World Class Virtual Instructor led training on TECHNOLOGY. We have
industry expert trainers. We provide Training Material and Software Support. MaxMunus has
successfully conducted 100000+ trainings in India, USA, UK, Australia, Switzerland, Qatar,
Saudi Arabia, Bangladesh, Bahrain and UAE etc.
For Demo Contact us.
Sangita Mohanty
MaxMunus
E-mail: sangita@maxmunus.com
Skype id: training_maxmunus
Ph:(0) 9738075708 / 080 - 41103383
http://www.maxmunus.com/
