Sunday, January 12, 2014
CNSE - Panorama part
by saar harel

Cisco Network Something Engineer.
essential...
This is the Checkpoint Network Special Engineer.
Alright.
Certified Network Security Engineer - Courtesy of Palo Alto.
To be honest, I was hoping someone else had written a guide but no such luck.
A few random guys posted that they passed it, and some random company or two mention they passed it.
If you are doing this to get ahead in life, I doubt you will.
The certification is unknown in the industry.
If you go on Indeed and type CNSE for the whole of the USA, you'll get 48 hits and they will be for the College of Nanoscale Science and Engineering and some other healthcare programs, but then again when I started in IT no one knew what a CCIE was.
http://palo-alto-firewall.blogspot.ca/2014/01/cnse.html 1/45
2/3/2018 Palo Alto: CNSE - Panorama part
Then your second-generation firewalls were stateful and remembered to expect traffic back on some port.
Besides Palo Alto, which is trying to break the mold, you have Juniper Mikonos/Mykonos/Secure web application something {they keep rebranding}, but that is for another blog.
So.
CNSE
CNSE001
Imagine a new rule: deny sales access to Facebook after 11:00 pm.
The reason for that rule is you don't want people to drunk-post.
So now you have to copy it 10 times, once to each firewall; not going to happen.
PAN-M-100: M-100, 1TB RAID 1 storage (2 x 1TB RAID certified drives preinstalled) - $10,000
PAN-M-100-4TB: M-100, 4TB RAID 1 storage (8 x 1TB RAID certified drives preinstalled) - $15,000
So, since there are two sizes, the first logical assumption you can make is that the TB of storage you need will depend on how many logs you estimate you will have.
Unfortunately there is nothing on the partner portal to tell you how to size this.
So my recommendation is to buy the first one.
Monitor how the used space on the drive increases over time, and based on that you can decide your "retention" and the sizing of future purchases.
Now, do I think 6TB of storage is worth $5,000? No.
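The "watch the drive grow, then size retention" approach above, worked through as an added example (not code from the original post): fit a growth rate to a few disk-usage samples and see how many days of logs each M-100 SKU listed above would hold. The sample readings, the 80% headroom and the decimal TB-to-GB conversion are assumptions of this example.

```python
"""Estimate log retention from observed disk-usage growth (added example)."""
from datetime import date

# Usable log storage of the two SKUs quoted in the post (RAID 1 capacity).
M100_SKUS_TB = {
    "PAN-M-100 (1TB, $10,000)": 1.0,
    "PAN-M-100-4TB (4TB, $15,000)": 4.0,
}

# Constructed weekly readings of used log space on the M-100, in GB.
SAMPLES = [
    (date(2014, 1, 1), 100.0),
    (date(2014, 1, 8), 170.0),
    (date(2014, 1, 15), 240.0),
    (date(2014, 1, 22), 310.0),
]


def daily_growth_gb(samples):
    """Least-squares slope in GB/day of (date, used_gb) samples."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    xs = [(d - samples[0][0]).days for d, _ in samples]
    ys = [used for _, used in samples]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("samples must span more than one day")
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx


def retention_days(capacity_tb, growth_gb_per_day, headroom=0.8):
    """Whole days of logs that fit in headroom * capacity at this growth rate.
    Zero or negative growth means the disk never fills (infinite retention)."""
    if growth_gb_per_day <= 0:
        return float("inf")
    return int(capacity_tb * 1000 * headroom / growth_gb_per_day)  # 1 TB = 1000 GB assumed


def size_options(samples, required_days, skus=M100_SKUS_TB):
    """Map each SKU to (retention days, meets required_days?)."""
    growth = daily_growth_gb(samples)
    return {name: (retention_days(tb, growth), retention_days(tb, growth) >= required_days)
            for name, tb in skus.items()}


if __name__ == "__main__":
    for sku, (days, ok) in size_options(SAMPLES, required_days=90).items():
        print(f"{sku}: ~{days} days of logs, meets 90-day retention: {ok}")
```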
PAN-M-P-100: Panorama central management software license, 100 devices, for the M-series - $25,000
4-hour support means that within 4 hours of them determining the problem is the hardware they will send a replacement.
Premium just means next business day.
CNSE002
CNSE004
A neat feature.
The M-100 has a UID (Unique ID) button (5) that you press.
It makes the device LED blink, so when you go to the other side of the rack you can easily recognize the device and avoid unplugging the wrong thing.
Installation.
The device comes with the rack rails, either 4-post or 2-post, threaded or not.
If you have no idea what I am talking about, try www.apc.com or www.tripplite.com.
M-100 VMware.
Here you can avoid paying $10,000 per appliance.
Minimum:
Quad core VM
4GB DRAM
ESX 4.1 (each document says something else, so double check and try it first before deploying; remember, hard in training, easy in combat)
2 TB maximum HD on the VM for logs.
Security.
For both, administrator authentication is RADIUS or local.
HA is active/passive.
Up to 1000 managed devices is the maximum.
References
https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/datasheets/panorama/panorama.pdf
Templates.
https://live.paloaltonetworks.com/docs/DOC-4125
In Panorama.
Well, let's say you have 500 firewalls and you want to replace the NTP server with a new IP.
So either you QTP it {script it using the GUI}, Perl it, or use a "template".
Since Panorama is mainly for security administrators, who are more GUI oriented, the template has been offered.
Templates control the NETWORK settings.
For example, I can configure the template DMZ_template.
Now whenever I have a new router, I apply the template DMZ_template and I get a router configured with the right interfaces.
Saved myself some time. So now I can go slack off and update my blog and learn something new.
Option 2
Create a template, assign devices, commit to the devices.
OK,
I'll switch a little
In the Palo Alto Portal you can get a Panorama training
Panorama Management Software 121 PAN-OS v.5.1
So let's try summarizing it.
Image text:
Managing many firewalls becomes complex.
High availability of centralized management.
Centralized configuration and software maintenance allows you to configure once and share it among the devices.
Centralized logging.
HA can be done active/passive.
Different people will need different permissions on the Panorama management, by responsibility or geography.
Panorama provides visibility and control through an easy GUI.
You can aggregate logs from many devices into a central location.
Management is done through templates, device groups, role based administration and update management.
You can store configuration backups on Panorama.
Panorama can be converted into a dedicated log collector.
Updates and licenses can be managed and deployed centrally.
Collector Group:
Panorama gives you the option to set up a collector group.
The reason is that you can set up different storage retention and SNMP per group.
Panorama admins
Dynamic:
Superuser - full access.
Superuser read only - read only.
Panorama administrator - can't create other admins.
Management IP: 192.168.1.1/24, login admin / admin.
Like we said: Device > Setup > Management > program settings.
If you are managed by an HA pair, then add both of their IPs.
Panorama should be accessible via the MGT interface. If you are not using the MGT interface, then set up a route.
Creating a Role.
Select Panorama to create a role for Panorama.
or Role Based, which relies on the role you created above.
When you set up a user, you have the selection of the "Authentication profile".
You can use this or use an "Authentication sequence".
The sequence will let you run through a list of authentication profiles.
Commit to Panorama.
Commit template changes to devices.
Commit them to a device group.
Commit to Panorama, then from Panorama push the configuration to:
device groups;
templates, then apply to devices;
collector groups.
sync or not.
Platform will be the device type.
Device groups, template members, tags.
Template commit: committing to a group of devices.
apply to a group of collectors....
Device Groups
Device group = logical grouping of devices.
Alright,
Template commit: network settings, device config.
Template workflow.
Select TEMPLATE, then apply it on the devices, or "commit" it.
ADMIN tools
So devices will send logs
context.
Select the time frame.
On demand or scheduled.
Save or export as CSV.
You can schedule a report and email it.
Panorama >> Device Deployment - Licenses
Panorama >> Device Deployment - Dynamic Updates
If a disk fails:
request system raid add disk force no-format
Replacing a device:
Configure the management IP.
Retrieve licenses.
On Panorama, run the CLI to swap the serial.
Build the device.
Import the config.
8 comments:
If you can't even get that basic part right, what else in your guide is wrong?

So, at the time the guide was written, Palo Alto marketing refused to apply the "stateful" firewall term in their documentation.