
ULTIMATE

TEST DRIVE
Network Security Management
With Panorama

Workshop Guide

Panorama 8.1 & PAN-OS 8.1


http://www.paloaltonetworks.com

Updated: 20180514

UTD-NSM 1.2 © 2018 Palo Alto Networks, Inc. | Confidential and Proprietary 1
How to use this guide
The activities outlined in this Ultimate Test Drive (UTD) Workshop Guide are meant to contain all the information
necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any potential
issues with the UTD environment. This guide is meant to be used in conjunction with the information and guidance
provided by your facilitator.
This workshop covers only basic topics and is not a substitute for training classes conducted at a Palo Alto
Networks Authorized Training Center (ATC). Please contact your partner or regional sales manager for more
training information.

Terminology

Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each Tab found in the left-hand column of each screen.

Note: Unless specified, the Google® Chrome™ web browser will be used to perform any tasks outlined in
the following activities (Chrome is pre-installed on the student desktop of the workshop PC).

Table of Contents
How to use this guide
Activity 0 – Log in to UTD Workshop
Task 1 – Log in to your Ultimate Test Drive class environment
Task 2 – Log in to the Windows Desktop
Task 3 – Lab Setup
Activity 1 – Centralized Management with Panorama
Task 1 – Log in to Panorama
Task 2 – Application Command Center (ACC) in Panorama
Task 3 – Device Management in Panorama
Task 4 – Device Monitoring in Panorama
Activity 2 – Introduction to Device Groups and Context Switching
Task 1 – Review Device Groups
Task 2 – Create a Device Group Hierarchy
Task 3 – Context Switch – Panorama or Firewall
Activity 3 – Pre, Post and Local Rules
Task 1 – Panorama Rules Quick Overview
Task 2 – Create and Review Pre-Rules
Task 3 – Push rules to the firewalls
Task 4 – Adding Local Rules
Activity 4 – Templates
Task 1 – Review a Template and Template Stack
Task 2 – Create a Zone and Interface Using Templates
Task 3 – Override Template Setting
Task 4 – Template Variables
Activity 5 – Administrator-Level Commit and Revert
Task 1 – Create a second Administrator.
Task 2 – Modify a configuration but don’t finish it.
Task 3 – Modify the configuration with a different administrator
Task 4 – Confirm that the configuration from “student” was not committed.
Task 5 – Revert a Configuration.
Activity 6 – Role-Based Access Control
Task 1 – Review Admin Role and Access Domain
Task 2 – Create New User Account on Panorama
Task 3 – Verify Account Access on Panorama
Activity 7 – Migrate Existing firewall to Panorama
Task 1 – Configure firewall for Panorama
Task 2 – Add firewall to Panorama
Task 3 – Import the Device Configuration to Panorama
Activity 8 – Action Oriented Log Forwarding
Task 1 – Configure the firewall
Task 2 – Configure the Syslog
Task 3 – Generate and review traffic
Task 4 – Review the Logging Service connection
Activity 9 – Deploy Content to Managed Devices
Task 1 – Update Antivirus Content on all the firewalls
Task 2 – Deploy New PAN-OS to a firewall
Activity 10 – Feedback on Ultimate Test Drive
Task 1 – Take the Online Survey
Lab Setup

Activity 0 – Log in to UTD Workshop
In this activity, you will:
• Log in to the Ultimate Test Drive Workshop from your laptop
• Understand the layout of the environment and its various components
• Enable the Firewall to facilitate connectivity

Task 1 – Log in to your Ultimate Test Drive class environment


Step 1: First, make sure your laptop is installed with a modern browser that supports HTML5. We recommend
using the latest version of Firefox®, Chrome or Internet Explorer®. We also recommend you install the latest
Java® client for your browser.

Step 2: Go to the class URL. Enter your email address and the passphrase. If you have an invitation email, you
can find the class URL and passphrase in the invitation email, otherwise, the instructor will provide you with this
information.

Step 3: Complete the registration form and click “Register and Login” at the bottom.

Step 4: Once logged in, the environment will be automatically created for you. Click “Start Using This Environment”
when the environment is ready.

Step 5: The UTD environment consists of different components: a Windows® desktop, VM-Series virtual
firewalls and Panorama. You will access the lab through the Windows desktop.

Task 2 – Log in to the Windows Desktop


Step 1: Click the “Desktop” tab at the top of the page to connect to the Windows desktop.

Step 2: You will be connected to the Windows desktop through your browser.

Step 3: If the “Desktop” resolution is too high or too low for your laptop display, you can adjust the resolution
from the left-hand pane. You can also click the “Full screen” icon to maximize the display.

Note: The default connection to the Windows desktop uses RDP over HTML5 protocol through the browser.
In case your browser does not support HTML5, you can switch to the “Console” connection by clicking “CON”.

Optional Step 4: If you encounter connection issues with the “Desktop”, click the “Reconnect” icon to re-
establish the connection.

Optional Step 5: If the reconnection to the “Desktop” remains unsuccessful, please verify your laptop connectivity
using the following link.

http://test.cloudshare.com/

Optional Step 6: If the connectivity test passed, please close the browser and retry from Task 1, Step 1. If the
connectivity test failed, please ask the instructor for further assistance.

Task 3 – Lab Setup

Here is a quick look at the lab environment. The desktop is connected to the management interfaces of
Panorama™ network security management and the VM-Series firewalls. You will be using the desktop to access
and configure Panorama and the VM-Series firewall in this lab.

Activity 1 – Centralized Management with Panorama
Background: Panorama enables you to control your distributed network of Palo Alto Networks firewalls
from one central location. View all the applications in your network, manage all aspects of firewall
configurations, push global policies, and generate reports on traffic patterns or security incidents – all
from a single console. Panorama is available both as an appliance and as virtual machines. This lab
uses a virtual Panorama. For more information on private and public cloud support for virtual Panorama
visit this link.

In this activity, you will:


• Get familiar with the Panorama GUI.
• View the centralized Application Command Center (ACC) across all the VM-series firewalls.
• Review the VM-series firewalls managed by Panorama in this lab.

Task 1 – Log in to Panorama


Step 1: On the desktop virtual machine, use the Chrome browser and click the “Panorama-UTD” bookmark to
go to the Panorama GUI.

Step 2: The IP address of the Panorama management interface is 10.30.61.11. Enter the following to log in to
the Panorama GUI:
Name: student
Password: utd246

Step 3: You will see a “Welcome to Panorama” pop-up and some of the new features available on this version of
Panorama. Select “Do not show again” and close the pop-up so this window will not open again at the next login.

Step 4: On the Panorama “Dashboard” tab, you can gather some basic information about this Panorama device
from the different widgets on the dashboard. You can change the layout of the dashboard using the “Layout”
pull-down and add more widgets using the “Widgets” functions.

Step 5: If you are familiar with the Palo Alto Networks® Next-Generation Firewall management GUI, you will notice
that the Panorama GUI is very similar to the firewall management GUI. Tabs such as Dashboard, ACC, Monitor,
Policies, and others are also available on the firewall management GUI.

The “Panorama” tab is unique to the Panorama device. Click the “Panorama” tab to review some of the Panorama
device configuration options. Many of the configuration options are very similar to our Next-Generation Firewall.
We will be using this tab to configure this Panorama device in the activities that follow.

Task 2 – Application Command Center (ACC) in Panorama
The application command center (ACC) from Panorama provides you with a highly interactive, graphical view of
the application, URL, threat and data traffic across your entire Palo Alto Networks Next-Generation Firewall
deployment. The ACC includes a tabbed view of network activity, threat activity, and blocked activity. Each tab
includes pertinent widgets for better visualization of traffic patterns on your network.

Step 1: Click the “ACC” tab on Panorama. The ACC on Panorama offers the same application and threat visibility
as the ACC on our Next-Generation Firewall by aggregating all the information from all the firewalls that it manages.
It provides a bird’s eye view of all the network, application and threat activity across all the devices.
Step 2: You can group multiple firewalls together to form a device group in Panorama. Once a device group is
created, you can select the specific device group in the ACC window to view the activities for that specific group.
Select the “UTD-DeviceGroup-1” in the “Device Group” drop-down.

Step 3: Since Panorama and the firewalls in this lab are created specifically for this lab, you are not likely to have
any log data in the last hour (use the “Time” drop-down to view the last 30 days of data in the ACC for the device
group, or come back at the end of the lab). Review the different filtering functions with different widgets.

Step 4: When you are done, change the device group back to “All” to make sure we are viewing all the firewalls
managed by Panorama.

Task 3 – Device Management in Panorama


Step 1: To view the firewalls managed by Panorama, you can go to the “Managed Devices > Summary” node in
the “Panorama” tab.

Step 2: There are two firewalls, “PA-VM-1” and “PA-VM-2,” managed by Panorama. They are grouped together
in the “UTD-DeviceGroup-1” device group. Click any of the IP addresses for the firewall to open a login page. You
don’t need to log in to the firewall using the new tabs as we will show you an easier way to do so in the next activity.

Step 3: The “Status” columns show you the various statuses of each firewall. We will explain what they mean in
the next few activities. Scroll to the right-hand side, where you can get a quick view of the PAN-OS® security
operating system version, application and threat signatures, and other subscriptions that are running on these
firewalls.

Task 4 – Device Monitoring in Panorama


When a device is managed by Panorama, a large amount of device status information is accessible from Panorama
with no additional configuration required. This information is mostly chassis and hardware-related performance
statistics that allow an administrator to proactively monitor firewall device health and performance.

Step 1: Go to “Panorama > Managed Devices > Health”. Here you will find performance monitoring data for all
managed devices.

Step 2: Choose the device with the highest Session Count and click on its name to see more details.

Step 3: Click on the “Resources” tab and examine the data available. This data provides a good overview of
how hard a device is working and whether there is a likelihood of running out of resources. Notice the “Print PDF”
button on the left that renders a PDF document of the data being displayed.

End of Activity 1

Activity 2 – Introduction to Device Groups and Context Switching
Background: You can group the firewalls in your networks into logical units using a device group. Device
groups can be created based on geographic location, organizational function, network segmentation or
any other common aspect of firewalls. Using a device group, you can configure and share policies and
objects that are common between the groups of firewalls.

In this activity, you will:


• Review devices in a device group.
• Create a device group hierarchy.
• Learn about context switching between Panorama and VM-Series firewalls.

Task 1 – Review Device Groups


Step 1: Go to the “Device Groups” node in the “Panorama” tab. The device group “UTD-DeviceGroup-1” has
already been created in Panorama.

“Shared” is the top parent device group for all device groups. Device group hierarchy is supported in Panorama,
and we will cover that in the next task.
A device group is also a great way to group firewalls in an active-passive high availability (HA) configuration, so
that Panorama can push the same policies and objects to the firewalls in the HA pair.

Step 2: Click “UTD-DeviceGroup-1” to open up the device group window. In this window, you can add or remove
devices from the device group. You can use the filters to quickly find the firewalls that you want to include in the
device group.

Step 3: Under “Master Device,” select “PA-VM-1” to be the master device for this device group, then click “OK”.
The master device is the firewall from which Panorama gathers information from User-ID™ user identification
technology for use in policies for the devices in that group.

Step 4: Click “Commit” on the top right-hand corner and click “Commit to Panorama”. On the next screen you will
be able to commit changes made by you or commit the changes by all administrators. Select “Commit All Changes”.

Step 5: There are different commit types when committing changes in Panorama: Commit to Panorama, Push to
Devices, or Commit and Push to the firewalls. It is recommended to commit all changes to Panorama first before
committing changes to firewalls. You can also commit all pending changes or commit only the changes made
by you. We will discuss these administrator-level commits in Activity 5.

Select “Commit to Panorama”, click “Commit All Changes”, then click “Commit” to commit the changes to
Panorama. Close the “Commit Status” window when it is completed. We will commit changes to the firewalls in
the next activity.

Task 2 – Create a Device Group Hierarchy


A device group hierarchy enables you to organize devices based on common policy requirements without
redundant configurations. You can create nested device groups in a tree hierarchy of up to four levels.

All device groups inherit settings from the top of the hierarchy for configurations that are common to all device
groups. In the above example, “Datacenters” and “Branches” device groups share the configuration from the
“Shared” location. We will demonstrate how to create a device group hierarchy but will not go into the details of
the configuration.

Step 1: To create a child device group, go to “Panorama > Device Groups” and click “Add” at the bottom to create
a new device group.

Step 2: Name the device group “Child-DeviceGroup,” and select “UTD-DeviceGroup-1” as the “Parent Device
Group”. As there is no unassigned device in this lab environment, you cannot select a device now.

Step 3: Click “OK” to close the device group window. You should see a new device group created under “UTD-
DeviceGroup-1”. Commit the changes to Panorama.

Task 3 – Context Switch – Panorama or Firewall


The Panorama web interface enables you to toggle between a Panorama-centric view and a firewall-centric view
by using the “Context” drop-down at the top-left of every tab. You can set the context to Panorama to manage
firewalls centrally or switch the context to the web interface of a specific firewall to configure it locally.
Step 1: Go to the “Dashboard” tab on Panorama, then click “Context” drop-down. Click on the blue link on the
right “PA-VM-1”.

Note: You can use the filters to identify the firewalls by platforms, device groups, templates, etc.

Step 2: After switching the context to the PA-VM-1 firewall, you will see the GUI of the firewall.

Note: The MGT IP address of PA-VM-1 is 10.30.61.21, but the IP address in the browser address bar
remains 10.30.61.11, which is the IP address of Panorama, so we have not left Panorama; we just
switched context. Also note that the “Panorama” tab is not showing up on the far right.

Here, you can move among tabs as you normally would on the firewall GUI. You can also make configuration
changes (though we will not do that now).

Step 3: Go to the “Dashboard” tab on Panorama, then click the Context drop-down and select “Panorama”.

End of Activity 2

Activity 3 – Pre, Post and Local Rules
Background: Rules in Panorama can be added as “Pre-” or “Post-” rules within each device group.
Administrators can decide to manage rules as pre-, post-, or use a combination of both.

In this activity, you will:


• Learn about the different types of rules in Panorama.
• Configure the firewall using pre and local rules.

Task 1 – Panorama Rules Quick Overview


Rules in Panorama can be added as “pre-” or “post-” rules within each device group. Administrators can decide to
manage rules as pre-, post-, or use a combination of both, including the insertion of locally added rules, which are
placed in order between the Pre and Post rules managed from Panorama. Rules are checked from top to bottom,
with the pre-rules checked first in order, followed by the local rules, then the post-rules.
Pre-rules: Pre-rules are inserted at the top of the rule order and are checked first in the configuration, before the
post or locally defined rules.
Post-rules: Post-rules are inserted at the bottom of the rule order and are checked last in the configuration, after
the pre- and locally defined rules.

Once the pre- and post-rules are set up, they can be pushed to the firewalls from Panorama. Note that pre- and
post-rules created on Panorama cannot be modified by the firewall, and local rules created on the firewall cannot
be modified by Panorama. The display above includes local firewall rules which are only visible when examining
the firewall’s display. Panorama does not display locally created firewall rules of any type.

Task 2 – Create and Review Pre-Rules
Step 1: In Panorama, go to the “Policies” tab, then select “UTD-DeviceGroup-1” under “Device Group”.

Step 2: Select “Pre-Rules” under the Security node, then add a new rule below “Allow-Web-Traffic”.

Step 3: Click the “Add” command at the bottom and name the new rule “Allow-Corp-Sanctioned-Apps”.

Step 4: In the “Source” tab, add “L3-Trust” to the “Source Zone” using the “Add” button; in the “Destination” tab,
add “L3-Untrust” to the “Destination Zone”.

Step 5: In the “Application” tab, click “Add” to add the “Corp-Sanctioned-Apps” application group. Type the name in
the add field to find the application group name.

Step 6: In the “Actions” tab, select “Profiles” under “Profile Type,” then select “default” for Antivirus, Vulnerability
Protection, Anti-Spyware, and WildFire Analysis profile. Then select “To-Panorama” for “Log Forwarding”. Click
“OK” to accept the new policy. Move it if required between the existing rules using the move command at the
bottom.

Step 7: Commit the changes to Panorama: select “Commit to Panorama”, then click “Commit”. This will save the
policy changes to Panorama, but the changes will not be committed to the firewalls yet.

Step 8: To preview how the new rule will look in the firewall, click “Preview Rules” at the bottom to preview the
policies in the firewall.

Step 9: Switch to different firewalls using the “Device” drop-down list, click after selecting the new device
to refresh the screen.

Task 3 – Push rules to the firewalls
Step 1: Go to “Panorama > Managed Devices > Summary”. Notice that the “Shared Policy” under “Status” is out
of sync. That is because the policy changes have not been committed on the firewalls yet.

Step 2: Commit the changes again. This time select “Push to Devices”. Notice the Push Scope is “UTD-
DeviceGroup-1”, and the entities affected are PA-VM-1 & PA-VM-2. Click “Push” and monitor the push. When its
status is “Completed” click the “Close” button.

Step 3: After the changes are committed, wait about 30 secs while the configuration is pushed to the firewalls.
Go back to Managed Devices and you will see that “Shared Policy” is now in sync. Keep in mind that when the
commit is completed in Panorama, it still needs to send the configuration to the firewall. If this screen has not
refreshed, click on the refresh button.

Step 4: Context switch to the “PA-VM-2” firewall, then go to “Policies > Security” to confirm that the new rule is
installed.

Task 4 – Adding Local Rules


Local rules can be configured directly through the firewall management GUI or by Panorama via context
switching. We will change the firewall policy through Panorama context switching in this exercise.

Note: Local rules cannot be managed through device group in Panorama.

Step 1: In Panorama, switch context to “PA-VM-2”.


Step 2: Go to “Policies > Security”. Notice there is one local rule.

Step 3: Add a new rule that matches the following:


Name: Allow-Local-Sanctioned-Apps
Source: L3-Trust
Destination: L3-Untrust
Application: Local-Sanctioned-Apps
Actions: Allow.
Profile Type: Profiles
Antivirus, Vulnerability Protection and WildFire Analysis: set them to “Default”
Log Forwarding: To-Panorama
Click “OK”
Step 4: Now let’s move the policy above ping-allow. First select the rule by clicking on the number in the left
column but do not open it. The rule will turn gray. Then go to “Move” on the lower tab of the firewall and select
Move up.

Step 5: Click “Commit” and then “Commit” again. Notice the local rules are added between the pre- and post-
rule.

Step 6: Context switch back to Panorama and go to “Panorama > Managed Devices > Summary”. Notice the status of
the shared policy is not affected by the changes in the local policy.
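
The evaluation order described in Task 1 and the local-rule placement seen in Task 4, as an added example that is not part of the workshop guide: a small Python model of the merged rulebase that also flags a local rule shadowed by a Panorama pre-rule. Matching is reduced to zones and application names; the application names, the local rule “Block-SSL-Local” and the post-rule “Post-Deny-All” are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    origin: str        # "pre" / "post" (pushed by Panorama) or "local" (firewall)
    src_zone: str
    dst_zone: str
    apps: frozenset    # application names; {"any"} matches every application
    action: str        # "allow" or "deny"

    def matches(self, src, dst, app):
        return (self.src_zone in (ANY, src)
                and self.dst_zone in (ANY, dst)
                and (ANY in self.apps or app in self.apps))

    def covers(self, later):
        """True if every session that `later` matches is matched by this rule."""
        apps_ok = ANY in self.apps or (ANY not in later.apps
                                       and later.apps <= self.apps)
        return (self.src_zone in (ANY, later.src_zone)
                and self.dst_zone in (ANY, later.dst_zone)
                and apps_ok)


def rule(name, origin, apps, action="allow", src="L3-Trust", dst="L3-Untrust"):
    return Rule(name, origin, src, dst, frozenset(apps), action)


# Rule names follow the lab where the guide gives them; match contents are constructed.
PRE_RULES = [
    rule("Allow-Web-Traffic", "pre", {"web-browsing", "ssl"}),
    rule("Allow-Corp-Sanctioned-Apps", "pre", {"corp-app-a", "corp-app-b"}),
]
LOCAL_RULES = [
    rule("Allow-Local-Sanctioned-Apps", "local", {"local-app-a"}),
    rule("ping-allow", "local", {"ping"}),
    # Constructed: a local admin tries to block ssl that a pre-rule already allows.
    rule("Block-SSL-Local", "local", {"ssl"}, action="deny"),
]
POST_RULES = [
    rule("Post-Deny-All", "post", {ANY}, action="deny", src=ANY, dst=ANY),  # constructed
]


def effective_rulebase(pre, local, post):
    """Order the firewall evaluates: pre-rules, then local rules, then post-rules."""
    return list(pre) + list(local) + list(post)


def panorama_view(pre, post):
    """Panorama shows only what it pushed; local rules are not displayed there."""
    return list(pre) + list(post)


def first_match(rulebase, src, dst, app):
    """Top-down evaluation: the first matching rule decides.

    Returns None when nothing matches (the firewall's built-in default rules
    are not modelled here).
    """
    for r in rulebase:
        if r.matches(src, dst, app):
            return r
    return None


def find_shadowed(rulebase):
    """Return (shadowed, earlier) name pairs for rules an earlier rule fully covers."""
    pairs = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if earlier.covers(later):
                pairs.append((later.name, earlier.name))
                break
    return pairs


if __name__ == "__main__":
    rb = effective_rulebase(PRE_RULES, LOCAL_RULES, POST_RULES)
    for pos, r in enumerate(rb, 1):
        print(f"{pos}. [{r.origin:5}] {r.name} -> {r.action}")
    for app in ("ssl", "local-app-a", "ping", "unknown-app"):
        hit = first_match(rb, "L3-Trust", "L3-Untrust", app)
        print(f"{app:12} decided by {hit.name} ({hit.origin}, {hit.action})")
    for shadowed, by in find_shadowed(rb):
        print(f"WARNING: {shadowed} can never match; covered by {by}")
```

The shadowing check has to run against the firewall's merged rulebase, because the Panorama view alone contains no local rules to compare.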

End of Activity 3

Activity 4 – Templates
Background: Templates enable you to define a common base configuration defined in the “Network” and
“Device” tabs on Panorama. For example, you can use templates to manage interface and zone
configurations, server profiles for logging and syslog access, and network profiles for controlling access
to zones and IKE gateways. They are organized into Template Stacks to which firewalls are assigned.
Firewalls receive settings from all Templates in their assigned stack. Template Variables can be defined
to store values that are common among devices but need customized values for each device.

In this activity, you will:


• Review the Templates feature in Panorama
• Modify configurations based on the templates for the specific firewall
• Create specific firewall settings using Template Variables

Task 1 – Review a Template and Template Stack


Step 1: On the Panorama GUI, make sure the context is switched to “Panorama”. Go to the “Panorama” tab,
then the “Templates” node. You can add, delete or clone templates and template stacks in the “Template”
window.

Step 2: You can see which firewalls are assigned to this template stack; click the template stack “UTD-
TemplateStack-1” to review the template stack. This is where templates are added to the stack and where
devices are added or removed. Click “Cancel” to close the template window without making any changes.

Step 3: To review the settings for the template, go to the “Network” tab, ensure that “UTD-Template-1” is
selected in the “Template” drop-down and select the “Interfaces” node. The displayed values have been
previously entered into this template. Notice that the “IP Address” values are set to Template variable names.
We’ll examine those in a later step.

Step 4: Select “UTD-TemplateStack-1” in the “Template” drop-down. This displays the settings from all
templates in the stack that will be collectively pushed to the assigned devices. The green gear icon indicates
settings that have been inherited from one of the templates assigned to the stack.

Task 2 – Create a Zone and Interface Using Templates


Step 1: Go to “Network > Zones”. Make sure the context is set to Panorama. Be sure “UTD-Template-1” (not
the template stack!) is selected in the “Template” drop-down. Click “Add” to add a new zone.

Step 2: Name the new zone “New-Tap-Zone,” then select “Tap” for Type. Click “OK” to close the zone window.

Step 3: Go to the “Network > Interfaces” node, then click “Add Interface” to add a new interface.

Step 4: Select the following in the “Ethernet Interface” window.

Slot: Slot 1
Interface Name: ethernet1/5
Interface Type: Tap
Security Zone: New-Tap-Zone
Link State (Advanced): Down

Step 5: Click “OK” to close the interface window.

Note: We skipped the interface “ethernet1/4” to make it easier to see after the changes are committed to the firewall.

Step 6: Commit changes to Panorama: click “Commit to Panorama”, and then click “Commit”.

Step 7: When the commit is done, go to “Commit > Push to Devices”, but in the “Push to Devices” window, click
“Edit Selections” (lower left side). There you will be able to see where these changes are going. Click the
“Templates” tab to see queued template changes. If you want, you can click on the preview changes to confirm
they are the ones you want to push. Click “Cancel” and then “Push”.

Step 8: After the successful commit, close the commit window.

Task 3 – Override Template Setting


In Task 2, we created a new tap interface and committed that change to all the firewalls using “UTD-Template-
1”. The link state of that interface is set as “down” after it is deployed to the firewall. In Task 3, we will
demonstrate how to change the link state of the tap interface on a specific firewall.

Step 1: Switch the context to “PA-VM-1”, then go to “Network > Interfaces”. Notice that the link state of the new
tap interface on ethernet1/5 is down.

Step 2: Select “ethernet1/5” (don’t click the name), then click “Override” at the bottom of the window.

Step 3: Change the “Link State” to “up” in the “Advanced” tab. Click “OK” to close the window.

Step 4: Now commit the changes directly on PA-VM-1. You should see the interface icon change to green.
Notice the “Override” icon next to the interface name. This indicates that the template configuration is overridden
by local changes.

You have successfully changed the template configuration on firewall “PA-VM-1”. You can review the
configuration on firewall “PA-VM-2,” and the interface should remain down.

Task 4 – Template Variables
Template Variables are defined in Templates and Template Stacks. They can have individual values stored for
specific devices that are assigned to the Template Stack. This allows you to create common configuration data
for multiple devices while being able to customize individual values when required.

Step 1: Context switch to “Panorama”, then go to the “Panorama > Templates” node. Click on “Manage…” for
the “UTD-Template-1” template.

Notice the three existing variables and their default values that will be assigned to all devices attached to the
Template Stack this template is assigned to. The values must be provided at variable creation time. These are
temporary and will be modified later. Click “Close”.

Step 2: Go to the “Panorama > Managed Devices > Summary” node. Click on “Edit” for the “PA-VM-1” device.

Notice this device has overridden values for each of these variables noted by the symbol. Clicking on a
variable name displays its value and allows editing. The Revert and Override controls at the bottom provide the
ability to create or revert a local value for the variables applied to this device. Click “Close”.

Step 3: Go to the “Panorama > Templates” node. Click on “Manage…” for the “UTD-Template-1” template. Click
“Add” at the bottom to add a new variable with the information shown below. Click “OK” and “Close” when
complete.

We’re defining a new variable for the Template containing the address for the organization’s email server. We’ve
provided the address as a default setting. Notice all template variable names must begin with a “$”.

Step 4: Go to “Device > Server Profiles > Email”. Click “Add” at the bottom. Enter “Corporate-Email-Server” as
the profile’s name.

Step 5: Click “Add” at the bottom and enter details to match the screen below. Under “Email Gateway” pop down
the list of variable choices and select the new variable “$Address-CorpEmailServer”.

You might need to press the tab key to accept the changes. Click “OK”.

Step 6: Go to the “Panorama > Managed Devices > Summary” node. Click on “Edit” for the “PA-VM-2” device.
Notice the new template variable in the list.

Step 7: Check the box next to “$Address-CorpEmailServer” and click the “Override” button at the bottom. Enter
a new address of “123.54.67.128”. Click “OK”.

We have overridden the inherited address with one appropriate for this device (a fictional address chosen at
random for this lab). Notice the icon has changed to indicate an overridden value. Click “Close”.

Step 8: Commit changes to Panorama. Click “Commit > Commit and Push”. Press “Commit and Push” again.
When the commit and push is complete, wait about 30 seconds for the local device commits to complete and
context switch to each device to examine the “Device > Server Profiles > Email” server definition for the results.
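
The resolution order that Task 4 walks through (template default, replaced by a device-specific override where one exists), as an added example that is not part of the workshop guide or of Panorama itself. The config layout, the variable “$Address-Eth1”, the PA-VM-1 override and the default addresses are constructed for illustration; only “$Address-CorpEmailServer”, the profile name and the PA-VM-2 override value come from the steps above.

```python
class VariableError(ValueError):
    """Raised for a badly named, unknown or undefined template variable."""


# Variables defined on the template, each with the default given at creation time.
TEMPLATE_DEFAULTS = {
    "$Address-CorpEmailServer": "192.0.2.25",   # constructed default (lab value is in a screenshot)
    "$Address-Eth1": "198.51.100.1/24",         # constructed variable name and value
}

# Per-device overrides, as set under Managed Devices > Summary > Edit.
DEVICE_OVERRIDES = {
    "PA-VM-1": {"$Address-Eth1": "198.51.100.11/24"},          # constructed
    "PA-VM-2": {"$Address-CorpEmailServer": "123.54.67.128"},  # from Step 7
}

# Simplified stand-in for template configuration that references variables by name.
TEMPLATE_CONFIG = {
    "server-profiles": {
        "email": {"Corporate-Email-Server": {"gateway": "$Address-CorpEmailServer"}},
    },
    "interfaces": {
        "ethernet1/1": {"ip": "$Address-Eth1"},
        "ethernet1/5": {"type": "tap", "link-state": "down"},
    },
}


def effective_variables(defaults, overrides, device):
    """Return {name: (value, source)} for one device; an override wins over the default."""
    for name in defaults:
        if not name.startswith("$"):
            raise VariableError(f"variable name must begin with '$': {name!r}")
    device_values = overrides.get(device, {})
    unknown = sorted(set(device_values) - set(defaults))
    if unknown:
        raise VariableError(f"{device} overrides variables the template does not define: {unknown}")
    return {
        name: (device_values[name], "device override") if name in device_values
        else (default, "template default")
        for name, default in defaults.items()
    }


def render(node, variables):
    """Walk the config tree and substitute every '$name' string with its effective value."""
    if isinstance(node, dict):
        return {key: render(value, variables) for key, value in node.items()}
    if isinstance(node, list):
        return [render(item, variables) for item in node]
    if isinstance(node, str) and node.startswith("$"):
        if node not in variables:
            raise VariableError(f"config references undefined variable {node!r}")
        return variables[node][0]
    return node


def device_config(device):
    """Configuration as it would look for one device after substitution."""
    variables = effective_variables(TEMPLATE_DEFAULTS, DEVICE_OVERRIDES, device)
    return render(TEMPLATE_CONFIG, variables)


def override_report(devices):
    """List (device, variable, default, override) for every value that is overridden."""
    rows = []
    for device in devices:
        variables = effective_variables(TEMPLATE_DEFAULTS, DEVICE_OVERRIDES, device)
        for name, (value, source) in variables.items():
            if source == "device override":
                rows.append((device, name, TEMPLATE_DEFAULTS[name], value))
    return rows


if __name__ == "__main__":
    for dev in ("PA-VM-1", "PA-VM-2"):
        gateway = device_config(dev)["server-profiles"]["email"]["Corporate-Email-Server"]["gateway"]
        print(f"{dev}: email gateway = {gateway}")
    for row in override_report(["PA-VM-1", "PA-VM-2"]):
        print("override:", row)
```

The override report is the part worth keeping in an audit: it lists every device whose pushed value differs from what the shared template says.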

End of Activity 4

Activity 5 – Administrator-Level Commit and Revert
Background: Each administrator can commit, validate, preview, save, and revert changes in Panorama
or firewall configuration independent of changes that other administrators have made. This simplifies
the configuration workflow because administrators don't have to coordinate commits with one another
when changes are unrelated.

In this activity, you will:


• Create a second Admin Role.
• Make partial changes under one admin, and under the second admin, commit those changes
only.
• Revert a configuration.

Task 1 – Create a second Administrator.


Step 1: Within Panorama go to the “Panorama > Administrators” node.

Step 2: Click the “Add” button at the bottom to create another user called “student-1”. The password will be
“utd246”. Leave the rest of the fields as default. Click “OK”.

Step 3: Click “Commit to Panorama”. Once the commit is done, close the window.

Task 2 – Modify a configuration but don’t finish it.


Step 1: In Panorama, go to the “Policies > Security > Security” node. Be sure to select the “UTD-DeviceGroup-
1” device group at the top. Add a new security rule with the following information:

Name: Allow-Salesforce
Source > Source Zone: L3-Trust
Destination > Destination Zone: L3-Untrust
Actions > Action: Allow
Actions > Profiles > Select default for Antivirus, Vulnerability protection and Wildfire Analysis.

Note that in this new policy, we missed adding the salesforce application, under the “Application” tab, so this
policy is not complete.

Step 2: Click “OK”, and move the rule to the top, but do not Commit.

Step 3: Log out of the GUI by clicking on the bottom left portion of the screen.

Task 3 – Modify the configuration with a different administrator

Step 1: Log back into Panorama using “student-1” with password “utd246”

Step 2: Go to the “Network > Interfaces” node and open interface Ethernet 1/3. Create a new Security Zone
called “Tap3-Zone” and assign the interface to this zone. You can create a Zone within the Ethernet Interface
menu, by selecting “New Zone”. Enter the new name and accept the defaults for the rest. Click “OK”.

Step 3: Click “Commit > Commit and Push”, but instead of selecting the default “Commit All Changes” at the top left,
select “Commit Changes Made By (1) student-1”. Look at the differences in commit scope when switching between
those two options. Once you finish comparing both screens, make sure your selection stayed on “Commit Changes
Made By (1) student-1”, and click “Commit and Push”.

Step 4: Look at the “Commit and Push Status” window and note that the “Details” shows how partial changes
were committed by student-1. Click “Close”.

Task 4 – Confirm that the configuration from “student” was not committed.
Step 1: In Panorama change the context and go to either PA-VM-1 or PA-VM-2

Step 2: Go to the “Policies > Security” node. Check if the rule created in Task 2 “Allow-Salesforce” is in either
firewall. (Hint: it is not).

Step 3: Go to the “Network” tab and under the “Interfaces” node, check if the interface, ethernet1/3, is assigned
to the “Tap3-Zone” (Hint: yes, it should be). There should be a new Zone under the Zones node.
This means that the “student-1” configuration was committed without committing the “student” configuration.

Step 4: Switch back to the Panorama context (still as user “student-1”) and we will show how we can commit the
other Admin (“student”) configuration.

Step 5: Go to the “Policies > Security > Pre Rules” node, select the “UTD-DeviceGroup-1” Device Group, and click
the “Allow-Salesforce” policy under “Pre Rules” that we created under “student”. Go to the “Application” tab, add
“salesforce” as an application and click “OK”. We are now modifying, as “student-1”, the configuration that
“student” created. We will push all changes.

Step 6: Execute a “Commit > Commit and Push”, but this time select “Commit All Changes”. Click “Commit and
Push” to start the commit.

Step 7: Switch the context to PA-VM-1 or PA-VM-2 and make sure the new security rule shows up.

Task 5 – Revert a Configuration.
Revert operations replace settings in the current candidate configuration with settings from another configuration.
Reverting changes is useful when you want to undo changes to multiple settings in a single operation instead of
manually reconfiguring each setting.

Step 1: Switch to the Panorama context and log out of student-1. Log back in as student.

Step 2: In Panorama go to the “Policies > Security > Pre Rules” node and ensure the Device Group is set to
“UTD-DeviceGroup-1”.

Step 3: Select the first security Policy, which should be “Allow-Salesforce” by clicking on the number next to it,
then click “Delete” at the bottom and make sure the rule is no longer on the policies list.

Step 4: Oh no! We have deleted a policy that was not meant to be deleted. Fortunately, not everything is lost. Go
to the top right “Config” menu and click “Revert Changes”. On the pop-up screen, make sure you are
reverting your changes only, then click “Revert”. Your policy should be back.

Step 5: Now let’s take it a step further. Go to the “Panorama > Setup” node. Under this node you will have a set
of tabs. Choose the “Operations” tab.

Step 6: From the “Operations” tab select “Load named Panorama configuration snapshot” and select “UTD-
Revert-Example”. Click “OK”

Step 7: We just reverted the configuration to the initial configuration of the lab, so it has no additional security
policies and the Administrator, “student-1”, we created before is gone.

Step 8: Perform a “Commit > Commit and Push”.

End of Activity 5.

Activity 6 – Role-Based Access Control
Background: Role-based access control (RBAC) enables you to define the privileges and responsibilities
of administrative users (administrators). Every administrator must have a user account that specifies a
role and authentication method. RBAC is supported on both the firewall and Panorama. When RBAC is
used in the firewall, Administrative roles define access to specific configuration settings, logs, and reports
within the firewall. When RBAC is used in Panorama, “Administrative Roles” define access to specific
configuration settings within both Panorama and firewall contexts. We will demonstrate some basic role-
based access control through Panorama in this activity.

In this activity, you will:


• Review the defined Admin Role and Access Domain.
• Create a new user with the specific Admin Role and Access Domain.

Task 1 – Review Admin Role and Access Domain


Step 1: Admin Role profiles are custom Administrative Roles that enable you to define granular administrative
access privileges. Make sure the context is set to “Panorama” and go to “Panorama > Admin Roles”, then open
the “FW-Rules-Admin” profile.

Step 2: The list under “Web UI” on the left-hand side defines access in the GUI once you are logged in to
Panorama. The list under “Context Switch UI” defines the access in the GUI after the context is switched. Click
“Cancel” to close the profile window without making any changes.

Step 3: Go to “Access Domain” node then open the “VM-1-Only” profile. Click the “Device Context” tab and
notice that only “PA-VM-1” is selected here. Click “Cancel” to close the window without any changes.

Task 2 – Create New User Account on Panorama
Step 1: To create a new Panorama user account, go to “Panorama > Administrators”. Click “Add” to add a new
user account. Name the new user “student-2” with password “utd246”. Don’t click “OK” yet!

Step 2: Select “Device Group and Template Admin” for “Administrator Type”.

Step 3: Under the “Access Domain to Administrator Role,” add “VM-1-Only” under “Access Domain,” and enter
“FW-Rules-Admin” under “Admin Role”. Click “OK” to close the window.

You might need to press the tab key to accept your changes.

Step 4: Commit changes to Panorama.

Task 3 – Verify Account Access on Panorama

Step 1: Log out of the student account using the “Logout” button at the bottom.

Step 2: Log in using the account created in the previous task: student-2 / utd246. With this new account, you
can see that access to Panorama features is limited.

Step 3: Notice that there is no device group in the “Device Group” drop-down. Switch context to “PA-VM-1”.
Notice that “PA-VM-2” is not accessible from this account.

Step 4: After the context is switched to “PA-VM-1,” you will have access to more tabs.

Step 5: This test-user account is created to have access to manage firewall rules on the “PA-VM-1” firewall. You
can go to “Policy > Security” to create a new test policy and commit the necessary changes.

Step 6: Add a new test security policy of your own design and commit the change. This “student-2” account can
access PA-VM-1 local policy but not the policy in the device group.

Step 7: Log out of the “student-2” account.

Step 8: Log back into Panorama using the student account:

Name: student
Password: utd246

You should have access again to all the Panorama features with the student account.

Step 9: Perform a “Commit > Commit and Push”.

End of Activity 6

Activity 7 – Migrate Existing firewall to Panorama
Background: Now that you are familiar with some of the features in Panorama, we will demonstrate how
to migrate a firewall to Panorama.
In this activity, you will:
• Learn how to configure a firewall to be managed by Panorama.
• Learn how to migrate the configuration from an existing firewall and manage it from Panorama.

Task 1 – Configure firewall for Panorama


Step 1: Open a new tab in the browser and go to “PA-VM-3” using the bookmark or https://10.30.61.23. Log in to
the firewall using the student account: student / utd246.

Step 2: In “PA-VM-3,” go to “Device > Setup > Management”. Edit the “Panorama Settings” using the edit
button.

Step 3: Enter the management IP address of Panorama: “10.30.61.11”, then click “OK” to save the changes.
Commit the change in “PA-VM-3”.

Step 4: Go back to “Dashboard”. Note the serial number. You can copy it to the clipboard.

Task 2 – Add firewall to Panorama


Step 1: Go back to the Panorama GUI, be sure you are logged in as “student”. Go to “Panorama > Managed
Devices > Summary” then click “Add” (at the bottom) and paste the serial number of PA-VM-3 in the window.
Commit the changes to Panorama.

Step 2: After committing the changes to Panorama, refresh the “Managed Device” window. You should see the
new “PA-VM-3” with the Device State of “Connected” (it may take up to a minute before you see it connected).

You have successfully added a new device to Panorama.

Task 3 – Import the Device Configuration to Panorama


Step 1: Go to “Panorama > Setup > Operations”, then click “Import device configuration to Panorama”.

Step 2: Select “PA-VM-3” in the “Device” drop-down. Notice that a new template and device group is created
based on the device name. Click “OK” to import then “Close” when complete.

Step 3: After the import, go to “Policies > Security > Pre Rules”. In the “Device Group” drop-down window select
“PA-VM-3”. Your display should match the following screen shot.

Step 4: Check the “Network” tab and ensure you have the “PA-VM-3” template selected. You should see two
defined interfaces.

Step 5: Commit the changes to Panorama. When importing device configurations into Panorama a copy of the
device’s configuration data is imported into the chosen device group and template. The original device data
remains unaltered in PA-VM-3. Before we can edit this data and push any updates to PA-VM-3, the local
configuration data in the remote device must be replaced by Panorama-managed data. This is done with a one-
time operation we’ll explore in the next step. Failing to replace the original configuration data with the Panorama-
managed data will result in future Panorama push errors.

Step 6: Go to “Panorama > Setup > Operations” and select the “Export or push device config bundle”.

Step 7: Select “PA-VM-3” from the “Device” pop-down. Click “OK”. Click “Push & Commit” to confirm. Click
“Close” when the operation is complete.

This operation removes duplicate rule or object names, which would cause future commit errors from a
Panorama push.

Step 8: Go to “Commit” and select “Push to Devices”. Click the “Edit selections” button on the lower left. Select
the “Device Groups” tab and ensure “PA-VM-3” is selected. Do NOT press OK yet!

Step 9: Check all three boxes at the bottom of the window. Press “OK” and “Push”.

Monitor the push operation until it is complete then allow about 30 seconds for the managed device commits to
complete.

Step 10: Context switch to the PA-VM-3 and go to “Policies > Security” and you will see the rules highlighted in
yellow. Try to modify them. You will not be able to do it. They are part of the Panorama-managed pre rules now.

Step 11: Close the second browser tab.

End of Activity 7

Activity 8 – Action Oriented Log Forwarding
Background: In the latest PAN-OS, specific logs can be forwarded to Panorama or to any syslog collector
using different rules. Log forwarding rules can be configured through Panorama so that different logs can
be collected differently depending on the needs. For example, you can send troubleshooting logs to a
syslog server that will only keep them for a couple of days while you do the troubleshooting and have
other compliance logs sent to a different syslog server for a longer retention period.

In this activity, you will:


• Configure the firewall to send web browsing logs to a syslog server
• View the logs received from the NGFW

Task 1 – Configure the firewall


Step 1: Within Panorama, go to the “Device > Server Profiles > Syslog” node. Ensure “PA-VM-3” is selected in
the “Template” drop-down.

Step 2: Click on “Add” and name your profile “LogServer”. Press “Add” at the bottom and enter data to match
the picture below. Click “OK”

Step 3: Ensure you have selected the Device Group “PA-VM-3”. Go to “Objects > Log Forwarding” and click “Add”
at the bottom. Enter “Log2Syslog” as the name of the profile.

Step 4: Click “Add” at the bottom. Enter “Log Web Browsing” as the name. Add “LogServer” in the “syslog”
selection at the lower left.

Step 5: Use the “Filter Builder” from the “Filter” drop down to create the filter text.

Select:

Attribute: Application
Operator: equal
Value: web-browsing
Click “Add” to add the text to the filter. (Missing this step will not save your filter!)

Repeat the above steps to add another filter with the “or” condition (app eq quic), since we are using the Chrome
browser, which uses quic for many web activities. Don’t forget to press the “Add” button to the right to add
your new filter! Press “OK” to accept the changes. The final “Log Forwarding Profile” looks like the following:

Step 6: Click “OK” three times to accept and close the new Log Forwarding profile. Do a “Commit and Push”.

Step 7: Go to “Policies > Security > Pre Rules”. Ensure the Device Group is set to “PA-VM-3”. Clone the
“internet” rule. In order to Clone it select the rule to clone, and go to the lower tool bar and click “Clone”.

Step 8: In the same window, select “Move top” in the “Rule order” drop-down. Click “OK”

Step 9: Edit the new rule “internet-1” by clicking on its name. Go to the “Actions” tab and make sure you change
the Log Forwarding field to “Log2Syslog”.

Step 10: Click “OK” and then do a “Commit and Push”.

Task 2 – Configure the Syslog

Step 1: On the desktop, open “Putty” and select the LinuxServer profile by double-clicking it. Connect to the
server (if a warning shows up just click yes and continue). Log in as: lab / paloalto.

Step 2: Simulate a syslog server on port 514 by running the following commands. Notice the “nc -l”. This is the
letter “l”, not the number one!
$ sudo bash
> paloalto (password)
# while true; do nc -l 514; done

The cursor will stay on the left of the screen; this is OK. Let’s go back to Panorama.

Task 3 – Generate and review traffic


Step 1: Open a new browser tab and go to https://drive.google.com. In Panorama, switch context to “PA-VM-3”
and go to “Monitor > Logs > Traffic”. The traffic has been detected by the firewall and the sessions are still open.
Our Security rule is set to log at session end so we must wait for the session(s) to time out before we see them
in the traffic log. Click the refresh button and you should see new traffic after a brief period. It might take as
long as two minutes for the sessions to expire and be logged. Look for quic in the Application column. Typically,
you may see one entry, sometimes none.

Step 3: When you see this traffic in the logs, go to the Linux Server. You should see entries being generated and
sent to this server. Note that the Traffic logs show traffic other than quic. However, all the entries on the Linux
server are for quic due to the filter we applied for the Log Forwarding Object.

This is how you can send different types of logs to different Syslog servers, depending on the needs of the
organization. You can now close the putty session.
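
The filter built in Task 1 of this activity, “(app eq web-browsing) or (app eq quic)”, evaluated over a handful of traffic records, as an added example that is not part of the workshop guide or of PAN-OS. It is a simplified model for checking a filter before committing it: the log records are constructed, the field names “src” and “dport” are assumptions, and giving “and” precedence over “or” is an assumption of this sketch.

```python
import re


class FilterError(ValueError):
    """Raised when a filter string is malformed or names an unknown field."""


_TOKEN = re.compile(r"\(|\)|[^\s()]+")   # parentheses or bare words (no quoted values)
_COMPARE = {"eq", "neq"}


def parse(text):
    """Parse '(attr op value)' clauses joined by and/or into a nested tuple tree."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise FilterError(f"expected {expected or 'a token'}, got {tok!r}")
        pos += 1
        return tok

    def or_expr():
        node = and_expr()
        while peek() == "or":
            take()
            node = ("or", node, and_expr())
        return node

    def and_expr():          # assumption: "and" binds tighter than "or"
        node = term()
        while peek() == "and":
            take()
            node = ("and", node, term())
        return node

    def term():
        take("(")
        if pos + 1 < len(tokens) and tokens[pos + 1] in _COMPARE:
            attr, op, value = take(), take(), take()
            if attr in ("(", ")") or value in ("(", ")"):
                raise FilterError("comparison needs an attribute and a value")
            node = (op, attr, value)
        else:
            node = or_expr()  # parenthesised group of clauses
        take(")")
        return node

    tree = or_expr()
    if peek() is not None:
        raise FilterError(f"unexpected trailing token {peek()!r}")
    return tree


def matches(tree, record):
    """Evaluate a parsed filter against one log record (a dict of strings)."""
    op = tree[0]
    if op == "or":
        return matches(tree[1], record) or matches(tree[2], record)
    if op == "and":
        return matches(tree[1], record) and matches(tree[2], record)
    attr, value = tree[1], tree[2]
    if attr not in record:
        raise FilterError(f"record has no field {attr!r}")
    return (record[attr] == value) if op == "eq" else (record[attr] != value)


def forwarded(filter_text, records):
    """Return the records that the filter would send to the syslog server."""
    tree = parse(filter_text)
    return [r for r in records if matches(tree, r)]


LAB_FILTER = "(app eq web-browsing) or (app eq quic)"

# Constructed traffic-log records; only the "app" values mirror the lab.
SAMPLE_LOGS = [
    {"app": "ssl", "src": "10.0.0.5", "dport": "443"},
    {"app": "web-browsing", "src": "10.0.0.5", "dport": "80"},
    {"app": "quic", "src": "10.0.0.5", "dport": "443"},
    {"app": "dns", "src": "10.0.0.5", "dport": "53"},
    {"app": "quic", "src": "10.0.0.7", "dport": "443"},
]

if __name__ == "__main__":
    print("both clauses:", [r["app"] for r in forwarded(LAB_FILTER, SAMPLE_LOGS)])
    # What is forwarded if the second clause was never added to the filter:
    print("first clause only:", [r["app"] for r in forwarded("(app eq web-browsing)", SAMPLE_LOGS)])
```

Running the single-clause filter shows what the warning in Step 5 protects against: if the quic clause is never added, the quic sessions stay in the firewall's traffic log but never reach the syslog server.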

Task 4 – Review the Logging Service connection

Step 1: Switch to the Panorama browser window and go to “Panorama > Cloud Services > Status”.

The “Cloud Services” node is present because this Panorama has been licensed for the Palo Alto Networks
Logging Service®. Palo Alto Networks Logging® Service is a cloud-based offering for context-rich enhanced
network logs generated by our security offerings, including those of our Next-Generation Firewalls and
GlobalProtect™ cloud service. The cloud-based nature of the Logging Service allows customers to collect ever
expanding rates of data, without needing to plan for local compute and storage.

The Logging Service is the cornerstone of Palo Alto Networks Application Framework, which provides a scalable
ecosystem of security applications that can apply advanced analytics in concert with Palo Alto Networks
enforcement points to prevent the most advanced attacks. You are no longer limited by how much hardware is
available nor by how quickly the sensors can be deployed.

End of Activity 8.

Activity 9 – Deploy Content to Managed Devices
Background: Panorama allows firewall administrators to deploy dynamic content and PAN-OS updates
to all the managed firewalls from the Panorama GUI. Firewall administrators also have the option to
schedule automatic content updates for each firewall using templates; centralized content deployment
can be used for unscheduled updates, when needed.

In this activity, you will:


• Learn how to manually update content on all the managed devices.
• Learn how to perform a PAN-OS upgrade on managed devices.

Task 1 – Update Antivirus Content on all the firewalls


Step 1: Context switch to Panorama and go to “Panorama > Device Deployment > Dynamic Updates”. Click
“Check Now” at the bottom to update the list with the most recent contents.

Step 2: Locate the latest available antivirus update and click “Download” in the “Action” column.
Step 3: Once the download is complete, click “Install” in the “Action” column to install the antivirus package.

Step 4: Select the three firewalls to install the content, click “OK” to deploy the latest package to all the selected
firewalls.

Step 5: The progress of the deployment is shown. Close the window when the deployment is complete. Watch
the “Progress” bar in the lower left. There is an upload and installation task for each firewall. Once completed
successfully, you have upgraded the antivirus packages on all three firewalls. Click “close” when completed.
We’ve completed a manual upgrade; a scheduled automatic upgrade can be created for each managed device if
desired.

Task 2 – Deploy New PAN-OS to a firewall


Firewall upgrades can be a challenge, but Panorama can help ease the deployment by providing a centralized view and
control of the upgrade process. It is recommended that the PAN-OS version running on all the devices be reviewed to
ensure compatibility of the new PAN-OS before the upgrade process. Panorama’s PAN-OS should be equal to or greater
than the version on your managed devices. Remote Devices can run earlier versions. The firewall will need to be rebooted
for new PAN-OS deployment, so PAN-OS upgrades should be performed during a scheduled maintenance window. You can
deploy the OS for one or all firewalls and it will be just as fast.

Step 1: Go to “Panorama” > “Managed Devices > Summary” to review PAN-OS on all the devices. Scroll the display to the
right to find this information.

Step 2: Click on “Install” at the bottom

Step 3: Select “Software” in “Type” and select “PanOS_vm-8.1.0” in “File” to install. Select only PA-VM-3 and select the
“Reboot device after Install” option. This will update PA-VM-3 to version 8.1.0 to match the other firewalls.

Step 4: Click “OK” to begin the installation process for the firewall. If more firewalls needed a new OS, you can push the
configuration to all at the same time.

Note: You have the option to “Upload only to device” or “Reboot device after install”. Select “Reboot
device after install” to reboot the devices and run the new PAN-OS. “Upload only to device” is often used
when the administrator wants to reboot and update the device in a “Future Maintenance” window.

Step 5: You can see the progress in the “Install Software” window. Since we have selected the “Reboot device after install”
option, it will take about 10 minutes for the device to complete the upgrade process.

Step 6: When the software installation is complete, and the firewall finishes the reboot, you can go back to “Panorama” >
“Managed Devices” to review the device status. The NGFW will be initially disconnected from Panorama when it’s
rebooting; it will take a few minutes for the firewall to boot up and reconnect to Panorama. After completing the boot-up
process successfully, the device should be reconnected to Panorama with the new software version.

Congratulations, you have successfully upgraded PAN-OS on the firewall.

End of Activity 9.

Activity 10 - Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive event, and we hope you enjoy the presentation and the
labs that we have prepared for you. Please take a few minutes to complete the online survey form to tell
us what you think about this event.

Task 1 – Take the Online Survey


Step 1: In your lab environment, click the “Survey” tab.

Step 2: Please complete the survey, and let us know what you think about this event.

End of Activity 10.

Lab Setup

Device      Interface     IP Address     Connects to Zone
Panorama    Management    10.30.61.11    Management
PA-VM-1     Management    10.30.61.21    Management
PA-VM-2     Management    10.30.61.22    Management
PA-VM-3     Management    10.30.61.23    Management
