Lab Guide
PAN-OS® 9.0
EDU-210
Courseware Version B
Convention | Meaning | Example
Bolding | Names of selectable items in the web interface | Click Security to open the Security Rule Page
Consolas font | Text that you enter and coding examples | Enter the following command: a:\setup
Consolas font (continued) | | The show arp all command yields this output: username@hostname> show arp <output>
Click | Click the left mouse button | Click Administrators under the Device tab
Right-click | Click the right mouse button | Right-click the number of a rule you want to copy, and select Clone Rule
< > (text enclosed in angle brackets) | Denotes a variable parameter. Actual value to use is defined in the Lab Guide document. | Click Add again and select <Internal Interface>
Lab Objectives
Load a configuration.
Create an administrator role.
Create a new administrator account and apply an administrator role.
Observe the newly created role permissions via the CLI and web interface.
Create and test a commit lock.
Configure DNS servers for the firewall.
Schedule dynamic updates.
Parameter Value
Monitor
Network
Device
Privacy
Note: You will need to scroll down in the window to locate Network, Device, and Privacy.
14. Click the XML/REST API tab and verify that all items are disabled.
22. Click the Commit link at the upper right of the web interface:
A Commit window should appear.
23. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
24. Click Close to continue.
Parameter Value
Name policy-admin
Password paloalto
34. Close the Welcome window if one is presented.
Notice that several tabs and some functions are missing from the web interface. The admin role
assigned to the user account controls which tasks the user can perform in the web interface.
Although you could add a new administrator account, you are not allowed to commit the
changes because of the Commit lock set by the policy-admin user.
46. Click Close.
47. Click the transaction lock icon in the upper-right corner:
Note: The user that initially took the lock or any superuser can remove a lock.
A Remove lock window appears.
49. Click OK to remove the lock.
The lock should be removed from the list.
50. Click Close to close the Locks window.
51. Commit all changes.
Now that the lock is removed, you can commit your changes.
52. Select the test-lock administrator account and then click Delete to delete the test-lock
user.
The test-lock account was created to show the Error message generated when a lock is present
and a commit is issued. The test-lock account will not be used in later sections of the lab. In
general, you should remove any administrator accounts that are no longer valid.
53. Click Yes to confirm the deletion.
54. Commit all changes.
64. Locate and click the Schedule hyperlink on the far right of Application and Threats:
67. Locate and click the Schedule hyperlink on the far right of WildFire:
Lab Objectives
Create security zones two different ways and observe the time saved.
Create Interface Management Profiles to allow ping and responses pages.
Configure Ethernet interfaces to observe DHCP client options and static configuration.
Create a virtual router and attach configured Ethernet interfaces.
Test connectivity with automatic default route configuration and static configuration.
The Zone configuration window opens. Selection of New Zone from the Security Zone drop-
down list is an alternate way to create security zones. You can either create them all at once or
you can create them as you are defining your network interfaces.
25. Configure the following:
Parameter Value
Name Type inside
Type Verify that Layer3 is selected
Remember that the Management Profile you select here determines which network services
(ping, SNMP, SSH) an interface will answer. You must define a Management Profile before you
can assign it to an interface.
31. Click OK to close the Ethernet Interface configuration window.
32. Click ethernet1/3 to configure the interface.
The Ethernet Interface window should appear.
33. Configure the following:
Note: This step also can be completed via each Ethernet Interface configuration window.
65. Click OK to close the Virtual Router - default window.
The command output should show you the firewall’s default route that was installed as part of
the DHCP lease.
72. From the CLI, enter the command ping source 203.0.113.21 host 8.8.8.8.
Because a default route automatically was added to your route table, you should receive replies
from 8.8.8.8:
Note: The host you are pinging from is the firewall itself. The ping command is used to verify
the firewall’s connectivity to the internet.
73. Press Ctrl+C to stop the ping.
Do not exit out of the PuTTY window. You will use the session again in the next section of the
lab.
74. On the Windows desktop, double-click CMD to open a command-prompt window.
75. Type the command ping 192.168.1.1:
This step is very important! As with any other network host using IP, the firewall itself must have
a default gateway. Without this entry, the firewall can send only traffic to networks to which it
has interface connections (192.168.1.0/24, 192.168.50.0/24, and 203.0.113.0/24).
89. Click OK to add the static route.
90. Click OK to close the Virtual Router – lab-vr configuration window.
91. Commit all changes.
92. Make the PuTTY window that was used to ping 8.8.8.8 the active window.
93. Type the command ping source 203.0.113.20 host 8.8.8.8:
You should be able to successfully ping 8.8.8.8 from the firewall itself.
94. Close the PuTTY window.
Lab Objectives
Create tags for later use with Security policy rules.
Create a basic source NAT rule to allow outbound access and an associated Security
policy rule to allow the traffic.
Create a destination NAT rule for the FTP server and an associated Security policy rule
to allow the traffic.
The firewall allows you to create tags based on existing security zones, which is why danger,
dmz, outside, and inside already appear in the drop-down list.
12. Click OK to close the Tag configuration window.
A new danger tag should appear in the web interface.
13. Click Add to define another new tag.
The Tag configuration window should appear.
14. Configure the following:
Parameter Value
Name Type egress
Color Select Blue from the drop-down list
Comments Type Egress Tag
If you create a Tag and use the same name you used for a security zone, the firewall will apply
that tag to the appropriate security zone in any tables where zones are displayed. Note that the
label you create for a zone must match exactly, including lowercase and uppercase.
This section defines what the packet will look like when it reaches the firewall.
27. Click the Translated Packet tab and configure the following under the section for
Source Address Translation:
Parameter Value
Translation Type Select Dynamic IP And Port from the drop-down list
This section defines how the firewall will translate the packet.
Note: You are configuring only the Source Address Translation part of this window. Leave the
Destination Address Translation set to None.
28. Click OK to close the NAT Policy Rule configuration window.
A new NAT policy should appear in the web interface.
You will not be able to access the internet yet. You will need to configure a Security policy to
allow traffic to flow between zones.
29. Verify that your configuration is like the following:
35. Click the Application tab and verify that the Any check box is selected above
Applications:
The “application-default” setting and the URL Category section will be discussed later in the
course.
37. Click the Actions tab and verify the following:
Parameter Value
Action Setting Verify that Action is set to Allow
Log Setting Verify that the Log at Session End check box is selected
The setting for Log at Session End instructs the firewall to write an entry in the Traffic log after a
session has dropped from the Session table. If you enable Log at Session Start, the firewall will
create an entry when a session is established in the session table. Log at Session End is the
recommended setting, though you can enable both simultaneously to help troubleshoot a
specific rule.
38. Click OK to close the Security Policy Rule configuration window.
A new Security policy should appear in the web interface.
39. Verify that your configuration is like the following:
Traffic log entries should be present based on the internet test. It may take a minute or two for
the log files to be updated. If the entries are not present, click the refresh icon next to the
Help (?) option.
Addition of an Audit Comment creates an audit trail where you can track the history of changes
to the NAT policy rule.
53. Click the Original Packet tab and configure the following:
Parameter Value
Source Zone Click Add and select inside
Destination Zone Select inside from the drop-down list
Destination Interface Select ethernet1/2 from the drop-down list
Service Select service-ftp from the drop-down list
Destination Address Click Add and manually enter 192.168.1.1
The Translated Packet tab defines how the firewall will translate a matching packet. Leave the
Source Address Translation section set to None because we are performing only destination
translation in this exercise.
55. Click OK to close the NAT Policy configuration window.
A new NAT policy should appear in the web interface.
56. Verify that your configuration is like the following:
For this part of the lab, you will create a schedule and apply that schedule to a new security rule.
This section allows you to see how schedules can be used to apply security rules at different
times of the day.
59. In the web interface, select Policies > Security.
60. Click Add to define a new Security policy rule.
The Security Policy Rule configuration window should appear.
61. Configure the following:
Parameter Value
Name Type internal-dmz-ftp
Rule Type Verify that universal (default) is selected
Tags Select internal from the drop-down list
Group Rules By Tag Select internal from the drop-down list
Audit Comment Type Created internal-dmz-ftp Security
Policy on <date> by <Your-Role>
64. Click the Service/URL Category tab and configure the following:
Parameter Value
Service Click Add and select service-ftp from the drop-down menu
URL Category Verify that the Any check box is selected
65. Click the Actions tab and verify that Allow is selected.
66. Under the Actions tab, locate the Schedule drop-down list and select New Schedule:
76. In the web interface, select Monitor > Logs > Traffic.
77. Find the entries where the application ftp has been allowed by rule “internal-dmz-ftp.”
Notice the Destination address and rule matching.
This process will open the Traffic log and a log filter will automatically be applied to the Traffic
log to display only those entries that match the security rule “internal-dmz-ftp.”
Lab Objectives
Create an application-aware Security policy rule.
Enable interzone logging.
Enable the Application Blocked page for blocked applications.
Test application blocking with different applications.
Find the categories that match to the signature web-browsing.
Migrate older port-based rules to application-aware policies.
Review logs associated with the traffic and browse the Application Command Center
(ACC).
19. Click the Service/URL Category tab and verify the following:
Parameter Value
Service Click Add and select service-ftp from the drop-down menu
URL Category Verify that the Any check box is selected
Notice that the internal-dmz-ftp rule now is grayed out and in italics:
Which Security policy rule matched the session and allowed the FTP traffic?
It should be “migrated-ftp-port-based.”
The Clone configuration window should appear. Note that you do not have to use Clone to
create new rules. You always can create them using the Add button.
35. On the Rule order drop-down list, select Move top:
Remember that rule order is important! The firewall compares a packet’s characteristics to each
rule in the Security policy in order, from the top of the list down.
36. Click OK to close the Clone configuration window:
Notice that the egress-public rule now is grayed out and in italics:
The firewall matches traffic to the list of applications in a Security policy rule. If the firewall
detects a change in an application, or an application shift, the firewall will rematch the traffic to
the list of applications in the Security policy.
41. Click OK to close the Security Policy Rule configuration window.
51. Click the Disabled link to the right of the Application Block Page.
The Application Block Page window should appear.
The firewall can present the Application Block Page only if it detects and blocks a web-based
application. Blocked applications that do not use a web browser will be stopped but the user will
not necessarily know why.
53. Click OK to close the Application Block Page configuration window.
Why could you browse to Facebook and MSN but not to Shutterfly or metacafe? MSN currently
does not have a unique and specific Application signature. Therefore, App-ID identifies it using
62. Close all browser windows except for the firewall web interface.
Based on the information from the Traffic log, Shutterfly and kproxy are denied by the
“interzone-default” Security policy rule.
Note: If the logging function of your “interzone-default” rule were not enabled, no information
would be provided via the Traffic log.
72. Close all browser windows except for the firewall web interface.
Note: The web-browsing Application signature applies only to browsing that does not match any
other Application signature.
74. Note that the upper-right corner of the ACC displays the total risk level for all traffic that
has passed through the firewall thus far:
76. You can click any application listed in the Application Usage pane; google-base is used
in this example:
Notice that the Application Usage pane updates to present only google-base information.
After the Traffic Log is selected, a link automatically is made to the applicable log information
with the filter set for a relevant time frame and for the google-base application:
81. How many applications have been seen by the “migrated-ftp-port-based” rule?
The number 1 in the Apps Seen column indicates that only a single application has been seen by
this port-based rule. However, this window does not tell you which application.
82. Click Compare in the “migrated-ftp-port-based” rule’s row.
The Applications & Usage – migrated-ftp-port-based window should open.
83. Which application has been seen by the “migrated-ftp-port-based” rule?
It should have been the ftp application.
The number should be 0 because the firewall has moved the ftp application from the migrated-
ftp-port-based rule to the new ftp-application-based rule.
89. Select Policies > Security to redisplay the Security policy.
The No App Specified window should close.
90. Has a new “ftp-application-based” rule been added to your Security policy?
It should have been.
91. To which location in the Security policy rule hierarchy did the Policy Optimizer tool
move the new “ftp-application-based” rule?
It should directly precede the “migrated-ftp-port-based” rule and match FTP traffic before the
“migrated-ftp-port-based” rule.
94. Select the service-ftp check box and then click Delete to delete the service.
95. Which service now is listed?
It should be application-default.
96. Click OK to close the Service window.
97. Commit your configuration changes.
Note: In a real migration, you would disable the port-based rule for a short period and wait to see
if any FTP sessions are affected. After you are confident that the new application-based rule is
matching all required FTP traffic, you would delete the port-based rule.
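The following is an added example, not part of the lab guide or of PAN-OS itself: a minimal first-match model of Security policy evaluation that ties together the rule-order note above (first match wins, disabled rules are skipped) and the Policy Optimizer migration (the new ftp-application-based rule placed directly before migrated-ftp-port-based takes the FTP sessions, so the port-based rule’s Apps Seen drops to 0). The rule names follow the lab; the zones, service objects, App-ID default ports and the simplified match criteria are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed service objects and App-ID default ports for this example
# (assumption: simplified from the lab's service-ftp object).
SERVICES = {"service-ftp": {21}, "service-http": {80}, "service-https": {443}}
APP_DEFAULT_PORTS = {"ftp": {21}, "web-browsing": {80, 8080}, "ssl": {443}}


@dataclass
class Rule:
    name: str
    src_zone: str = "any"
    dst_zone: str = "any"
    apps: Set[str] = field(default_factory=lambda: {"any"})
    service: str = "any"          # "any", "application-default" or a service name
    action: str = "allow"
    disabled: bool = False        # a disabled rule (grayed out, italic) never matches


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    app: str                      # App-ID verdict for the session
    dst_port: int


def service_matches(rule: Rule, s: Session) -> bool:
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # The application must run on its own standard port(s).
        return s.dst_port in APP_DEFAULT_PORTS.get(s.app, set())
    return s.dst_port in SERVICES.get(rule.service, set())


def rule_matches(rule: Rule, s: Session) -> bool:
    return (not rule.disabled
            and rule.src_zone in ("any", s.src_zone)
            and rule.dst_zone in ("any", s.dst_zone)
            and ("any" in rule.apps or s.app in rule.apps)
            and service_matches(rule, s))


def match(policy: List[Rule], s: Session) -> Optional[Rule]:
    """First match wins: rules are compared top-down and evaluation stops at
    the first rule whose criteria all match, so the order decides the action."""
    for rule in policy:
        if rule_matches(rule, s):
            return rule
    return None


def apps_seen(policy: List[Rule], sessions: List[Session]) -> dict:
    """Distinct applications matched per rule, like the Policy Optimizer's
    Apps Seen column."""
    seen = {r.name: set() for r in policy}
    for s in sessions:
        hit = match(policy, s)
        if hit is not None:
            seen[hit.name].add(s.app)
    return {name: len(apps) for name, apps in seen.items()}


# Policy before migration: the port-based rule allows any application on TCP/21.
# Zones are an assumption ("dmz" stands in for the FTP server's post-NAT zone).
PORT_BASED = Rule("migrated-ftp-port-based", "inside", "dmz", {"any"}, "service-ftp")
INTERZONE_DEFAULT = Rule("interzone-default", action="deny")
POLICY_BEFORE = [PORT_BASED, INTERZONE_DEFAULT]

# Policy after migration: the application-based rule sits directly before the
# port-based rule, so it receives the FTP traffic first.
APP_BASED = Rule("ftp-application-based", "inside", "dmz", {"ftp"}, "application-default")
POLICY_AFTER = [APP_BASED, PORT_BASED, INTERZONE_DEFAULT]

if __name__ == "__main__":
    ftp = Session("inside", "dmz", "ftp", 21)
    print(match(POLICY_BEFORE, ftp).name)   # migrated-ftp-port-based
    print(match(POLICY_AFTER, ftp).name)    # ftp-application-based
    print(apps_seen(POLICY_AFTER, [ftp]))   # port-based rule now shows 0
```

Swapping the two FTP rules shows the shadowing problem the Policy Optimizer avoids: with the port-based rule on top, the application-based rule would never be matched.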
Lab Objectives
Configure and test an Antivirus Security Profile.
Configure and test an Anti-Spyware Security Profile.
Configure and test the DNS Sinkhole feature with an External Dynamic List.
Configure and test a Vulnerability Security Profile.
Configure and test a File Blocking Security Profile.
Use the Virtual Wire mode and configure the danger zone.
Generate threats and observe the actions taken.
24. In the Download area using the standard protocol http, at the bottom of the page,
click either the eicar.com or the eicar.com.txt file to download the file using standard
HTTP and not SSL-enabled HTTPS.
28. Notice the icon on the left side of the entry for the Eicar Test File. It indicates that
there is a packet capture (pcap):
29. To display the packet capture through the Detailed Log View, first click the Detailed
Log View icon to open the Detailed Log View of the threat entry:
Captured packets can be exported in pcap format and examined with an offline analyzer for
further investigation.
31. After viewing the pcap, click Close to close the packet capture window.
32. Click Close to close the Detailed Log View window.
Rules tab Click Add and create another rule with these parameters:
- Rule Name: Type crit-high
- Action: Select Drop from the drop-down list
- Severity: Select only the critical and high check boxes
Click OK to save the rule.
Confirm that the firewall reports that the “Source URL is accessible” and click Close. If the
firewall reports a “URL access error,” check the source address, correct any errors, and rerun the
test.
63. Click Close to close the Test Source URL dialog box.
64. Click Cancel to close the External Dynamic Lists configuration window.
71. Verify that the Sinkhole IPv4 is set to Palo Alto Networks Sinkhole IP
(sinkhole.paloaltonetworks.com) in the DNS Sinkhole Settings box.
77. At the nslookup prompt, type reddit.com. and press the Enter key:
Note: Make sure that you do not include “www.” in the URL, because “www.reddit.com” is not
in the EDL; “reddit.com” is currently the only entry in the list.
81. Close the browser window.
84. In the web interface, select Monitor > Logs > Traffic.
85. Type the following filter statement (addr.dst in 72.5.65.111) and press Enter:
In the Detailed Log View, you should notice the additional information that matches what you
previously viewed in the Threat log. Next, scroll down and review the information in the Details
section in the middle column of the main display area. Notice that the traffic log records only
one packet. This packet is the original DNS query sent from the client. The DNS response packet
with the sinkhole address is sent directly from the firewall itself.
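The following is an added example, not from the lab guide: it models the two halves of the sinkhole exercise in code, the exact-match EDL decision (why “reddit.com” is sinkholed but “www.reddit.com” is not, and why the trailing dot typed in nslookup does not matter) and the Traffic log filter of the form (addr.dst in 72.5.65.111) that reveals which inside hosts followed a sinkholed answer. The EDL body, the log entries and the sinkhole address used here are constructed; the filter grammar implemented is the small subset used in the lab (eq, neq, in, joined by and).

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed for this example; a real deployment takes this value from the
# DNS Sinkhole Settings of the Anti-Spyware profile, not from a script.
SINKHOLE_IPV4 = "72.5.65.111"


def normalize(name: str) -> str:
    """Canonical query name: the trailing dot typed in nslookup and letter
    case are ignored, nothing else is stripped (no www. handling)."""
    return name.strip().rstrip(".").lower()


def load_edl(text: str) -> Set[str]:
    """Parse an EDL body in the lab's one-entry-per-line format; blank lines
    and '#' comment lines are ignored."""
    return {normalize(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def is_sinkholed(edl: Set[str], qname: str) -> bool:
    """Exact match only: with 'reddit.com' in the list, 'www.reddit.com' is a
    different name and is resolved normally."""
    return normalize(qname) in edl


def dns_reply(edl: Set[str], qname: str, real_answer: str) -> Dict[str, object]:
    """What the client receives: the firewall forges the sinkhole address for
    listed names and lets every other answer through untouched."""
    if is_sinkholed(edl, qname):
        return {"name": qname, "answer": SINKHOLE_IPV4, "sinkholed": True}
    return {"name": qname, "answer": real_answer, "sinkholed": False}


# Traffic-log filter terms in the form used by the lab, for example
# (addr.dst in 72.5.65.111) or (rule eq 'egress-outside-url').
FILTER_TERM = re.compile(r"\(\s*([\w.]+)\s+(eq|neq|in)\s+'?([^'\)]+?)'?\s*\)")
ADDR_FIELDS = {"addr.dst": "dst", "addr.src": "src"}


def term_matches(entry: Dict[str, str], field: str, op: str, value: str) -> bool:
    if field in ADDR_FIELDS:
        ip = ipaddress.ip_address(entry[ADDR_FIELDS[field]])
        hit = ip in ipaddress.ip_network(value, strict=False)   # host or subnet
        return hit if op in ("eq", "in") else not hit
    actual = str(entry.get(field, ""))
    return actual == value if op in ("eq", "in") else actual != value


def filter_log(entries: List[Dict[str, str]], expression: str) -> List[Dict[str, str]]:
    """Apply an and-joined filter; curly quotes from pasted text are accepted."""
    cleaned = expression.replace("\u2018", "'").replace("\u2019", "'")
    terms = FILTER_TERM.findall(cleaned)
    if not terms:
        raise ValueError(f"no filter terms found in {expression!r}")
    return [e for e in entries if all(term_matches(e, f, o, v) for f, o, v in terms)]


def infected_hosts(entries: List[Dict[str, str]]) -> List[str]:
    """Clients that followed a sinkholed answer: their next connection goes to
    the sinkhole address, which is exactly what the lab's filter selects."""
    hits = filter_log(entries, f"(addr.dst in {SINKHOLE_IPV4})")
    return sorted({e["src"] for e in hits})


# Constructed sample data standing in for the live EDL and Traffic log.
EDL_TEXT = "# constructed domain EDL, one entry per line\nreddit.com\n"
TRAFFIC_LOG = [
    {"src": "192.168.1.20", "dst": "72.5.65.111", "app": "web-browsing", "rule": "egress-outside"},
    {"src": "192.168.1.20", "dst": "151.101.1.140", "app": "ssl", "rule": "egress-outside"},
    {"src": "192.168.1.30", "dst": "72.5.65.111", "app": "ssl", "rule": "egress-outside-url"},
]
```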
88. Click Close to close the Detailed Log View window.
108. After viewing the pcap, click Close to close the Packet Capture window.
109. Click Close to close the Detailed Log View window.
128. Click the Application tab and verify that the Any check box is selected.
129. Click the Service/URL Category tab and verify that application-default is selected.
130. Click the Actions tab and configure the following:
Parameter Value
Action Setting Verify that Allow is selected
The egress-outside-content-id rule should be listed as the first Security policy rule to ensure
that the next sections of the lab work properly. If it is not listed as the first Security policy rule,
then highlight it and move the rule to the top of the list:
Note: If you get “failed to download pdf” and not the block page, then refresh the browser
window.
146. Close the browser window.
147. In the web interface, select Monitor > Logs > Data Filtering.
148. Find the log entry for the PDF file that has been blocked:
Note: The Action column is located on the far right. You can move the column by using the
mouse cursor to drag-and-drop it.
The file should be blocked in accordance with the new file blocking rule.
159. Close the browser window.
Note: The screenshot shows the recursive structure of the zip archive. You cannot produce this
view using Windows File Explorer.
168. Close the browser window.
Notice that the width of all the columns was adjusted to fit the text in the columns.
177. Commit all changes.
Note: Because threat signatures, names, categorizations, and verdicts may change over time,
the log entries that you see in your lab may not match exactly the image shown.
Lab Objectives
Create a custom URL category and use it as a Security policy rule match criterion and as
part of a URL Filtering Profile.
Configure and use an EDL as a URL block list.
Create a URL Filtering Profile and observe the difference between using url-categories in
a Security policy versus a profile.
Review firewall log entries to identify all actions and changes.
17. Click the Service/URL Category tab and configure the following:
Parameter Value
URL Category Click Add and select news-sites from the drop-down list
21. Expand the Columns list using the right-arrow and verify that the URL Category check
box is selected:
22. Select the egress-outside Security policy rule without opening it.
23. Click Enable.
Note: Because you created a rule that resets traffic, you need to enable the “egress-outside”
rule to allow everything else.
24. Commit all changes.
Notice that the firewall adds (rule eq ‘egress-outside-url’) to the Traffic log filter text
box:
32. In the web interface, select Monitor > Logs > URL Filtering.
Notice that the URL Filtering log includes the Category and URL columns by default:
35. Locate the text file named block-list.txt in the right window pane.
36. Right-click the block-list.txt file and select Edit.
37. Verify that the following URLs exist, each followed by a line break:
38. Click Save to save any modifications to the file that you might have made.
39. Click to close the file.
40. Close the WinSCP window.
41. In the web interface, select Objects > External Dynamic Lists.
shopping
government
hacking
59. Search for url-block-list and news-sites.
Lab Objectives
Observe firewall behavior without decryption.
Create Forward Trust and Untrust certificates.
Create a custom decryption category.
Create a decryption policy.
Observe firewall behavior after decryption is enabled.
Review logs.
Verify that the Result reported is “Successful” and the Details include “Configuration committed
successfully.” Warnings about two EDLs that are part of the new configuration may appear. The
messages report “no valid entries” for the EDLs. It is normal for newly loaded EDLs to have no
valid entries, because the firewall did not previously use these EDLs; the firewall can retrieve
EDL entries only after the configuration is committed.
19. Go back in the browser and download one of the test files using HTTPS:
Notice that the download is not blocked because the connection is encrypted, and the virus is
hidden.
20. Close all browser windows except for the firewall web interface.
54. In the Download area using the secure, SSL-enabled protocol https, at the bottom of
the page, click either the eicar.com or the eicar.com.txt file to download the file using
HTTPS:
Note: The endpoint (Windows desktop) does not trust the certificate generated by the firewall.
If you are using Chrome as your web browser, you should see the following message:
55. Close all browser windows except for the firewall web interface.
The Eicar Test File is detected, and the connection gets reset.
Notice that the certificate is still signed by the firewall. However, it was signed with the
untrusted certificate.
85. Close all browser windows except for the firewall web interface.
If the Decrypted column is not present, hover the mouse over Receive Time and click the down-
arrow.
Lab Objectives
Configure and test a WildFire Analysis Security Profile.
Note: The file type pe includes .cpl, .dll, .drv, .efi, .exe, .fon, .ocx, .pif, .scr, and .sys file types.
13. Click OK to close the WildFire Analysis Profile configuration window.
The new WildFire Analysis Profile now should be listed.
After five minutes have passed, find the entry for wildfire-test-pe-file.exe that has been
submitted to WildFire and identified as Malicious.
27. Click the magnifying glass icon next to the entry to see the Detailed Log View of the
WildFire entry:
30. Scroll down the WildFire Analysis Report tab to see Static Analysis, Dynamic
Analysis, Network Activity, Host Activity (by process), and Report Incorrect
Verdict:
Lab Objectives
Enable User-ID technology on the inside zone.
Configure the LDAP Server Profile to be used in group mapping.
Configure group mapping for User-ID.
Configure and test the PAN-OS integrated User-ID agent.
Leverage User-ID information in a Security policy rule.
25. From the Available Groups box, select lab users and click the green + button to add the
group to the Included Groups box.
26. Click OK to close the Group Mapping configuration window.
The new Group Mapping now should be listed.
Windows Server
Monitoring
Enable User
Identification Timeout
Note: Ensure that the timeout option is not enabled. You do not need to time out the IP address
associated with the lab-user-id because the IP never changes. In a production environment, the
timeout is recommended to be half the DHCP lease time.
34. Click the Ignore User List tab.
35. Click Add and configure the following:
Parameter Value
42. On the Windows desktop, double-click the lab folder and then double-click the bat files
folder.
Note: lab\lab-user must have the IP address of 192.168.1.20. If that IP address is not listed, do
not proceed. Contact your instructor or lab partner for assistance.
49. Type exit to close the PuTTY session.
50. Open a new browser window in private mode and browse to msn.com and google.com
to generate some traffic.
51. Close all browser windows except for the firewall web interface.
Note: This User-ID reference may take up to three minutes to show on the logs. Click
refresh to update the log entries:
69. Close all browser windows except for the firewall web interface.
70. In the web interface, select Monitor > Logs > Traffic.
71. Clear any existing filters and type the filter (rule eq ‘egress-outside-user-id’) in the
search criteria.
72. Notice that the Source User column shows the lab\lab-user and the Action is reset-both:
Lab Objectives
Create and configure a subinterface.
Create certificates for the GlobalProtect portal, internal gateway, and external gateway.
Attach certificates to an SSL-TLS Service Profile.
Configure the Server Profile and Authentication Profile to be used when authenticating
users.
Create and configure the tunnel interface to be used with the external gateway.
Configure the internal gateway, external gateway, and portal.
Host the GlobalProtect agent on the portal for download.
Create a No-NAT policy rule to ensure that portal traffic is not subjected to network
address translation.
Test the external gateway and internal gateway.
17. Click the Advanced tab and select ping for the Management Profile:
Addition of a management profile is not a requirement for GlobalProtect but can make
troubleshooting easier if you need to verify that the IP address on the subinterface is available.
18. Click OK to close the Layer3 Subinterface configuration window.
You will use this certificate to sign the external and internal gateway certificates.
23. Click Generate.
A Generate Certificate window should appear that shows the GlobalProtect certificate and key
pair were successfully generated.
24. Click OK to close the status window.
Note that we are signing this new certificate with the GlobalProtect certificate.
27. Click Generate.
A Generate Certificate window should appear that shows the external-gw-portal certificate and
key pair were successfully generated.
28. Click OK to close the status window.
A new certificate should appear in the web interface.
29. Click Generate and create the internal-gw certificate.
The Generate Certificate window should appear.
30. Configure the following:
Parameter Value
Certificate Name Type internal-gw
Common Name Type 192.168.2.1
Signed By Select GlobalProtect from the drop-down list
This SSL-TLS Service Profile defines the certificate to present to the GlobalProtect client agent
when the agent connects to an internal GlobalProtect gateway.
40. Click OK to close the SSL/TLS Service Profile configuration window.
A new SSL/TLS profile should appear in the web interface.
41. Verify that your configuration looks like the following:
Name lab-client
Port 389
47. Locate Server Settings on the right side of the window and verify the following:
Parameter Value
Type active-directory
Base DN DC=lab,DC=local
Bind DN lab-user-id@lab.local
Password Pal0Alt0
The logical tunnel interface is connected to a virtual router and assigned to a security zone just
as are other interfaces.
57. Click OK to close the Tunnel Interface configuration window.
A new tunnel interface should appear in the web interface.
This setting defines the certificates to present to the client when it connects to the gateway.
Remember that we created a single SSL/TLS Service Profile for the portal and for the external
gateway.
71. Locate the Client Authentication list box.
72. Click Add to configure Client Authentication.
The Client Authentication configuration window should appear.
73. Configure the following:
Parameter Value
Name Type lab-ad
OS Verify that Any is selected
Authentication Profile Select gp-authentication-profile from the drop-down list
This section tells the firewall how to establish a tunnel with a client and which interface to use.
76. Click the Client Settings subtab.
77. Click Add to configure.
The Configs configuration window should appear.
78. Click the Config Selection Criteria tab and configure the following:
Parameter Value
Name Type gp-client-config
The firewall will assign an IP address to each GlobalProtect client from this range of addresses.
80. Click OK to close the Configs window.
The GlobalProtect Gateway configuration window should still be open on the Client Settings
subtab.
81. Click the Network Services subtab and configure the following:
Parameter Value
Primary DNS Type 4.2.2.2
Secondary DNS Type 8.8.8.8
In this section, the portal is being configured to authenticate users against the auth-gp Profile
that contains our LDAP server.
91. Click OK to close the Client Authentication list box.
92. Click the Agent tab.
93. Locate Trusted Root CA in the lower-left corner.
94. Click Add and select the GlobalProtect certificate from the drop-down list.
This is the certificate we used to sign the portal certificate and the gateway certificate. By
placing it in this section, we can push this signing certificate down to the client’s trusted
certificate store through the GlobalProtect connection. This CA is at the top of the chain of trust,
When the client is inside the network, a reverse DNS lookup for 192.168.2.1 will resolve to gp-in-
gw.lab.local. If that lookup is successful, the GlobalProtect client will connect to an internal
gateway. If that reverse lookup fails (or returns a name other than gp-in-gw.lab.local), the
GlobalProtect client will connect to an external gateway.
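The following is an added example, not part of the lab guide or of the GlobalProtect agent: the internal host detection decision described above, written so that the reverse lookup can be exercised offline with constructed resolver answers, including the failure cases (NXDOMAIN, a resolver that does not answer, a PTR record carrying a different name). It also goes one step beyond the text and selects among external gateways by Source Region and Priority as configured later in the lab. The IP address and hostname are the lab's; the resolver tables, the int-gwy-1/external-gw-portal gateway entries and the priority ordering are assumptions.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Values from the lab's portal configuration.
INTERNAL_HOST_IP = "192.168.2.1"
INTERNAL_HOST_NAME = "gp-in-gw.lab.local"

# Priority order as the portal's Priority drop-down lists it (assumption:
# Highest is preferred; a gateway set to Manual is never chosen automatically).
PRIORITY_ORDER = ["Highest", "High", "Medium", "Low", "Lowest"]

PtrLookup = Callable[[str], Optional[str]]   # PTR owner name -> hostname, None if NXDOMAIN


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def ptr_name(ip: str) -> str:
    """PTR owner name the client queries, e.g. 1.2.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def internal_host_detected(lookup: PtrLookup, ip: str = INTERNAL_HOST_IP,
                           expected: str = INTERNAL_HOST_NAME) -> bool:
    """True only when the reverse lookup succeeds and returns exactly the
    configured hostname; a failed lookup or any other name means external."""
    try:
        answer = lookup(ptr_name(ip))
    except OSError:            # resolver unreachable, timeout, and similar
        return False
    return answer is not None and normalize(answer) == normalize(expected)


def choose_gateway(lookup: PtrLookup, internal_gws: List[str],
                   external_gws: List[Dict[str, str]], region: str = "US") -> str:
    """Internal gateway when inside, otherwise the external gateway with the
    best priority whose Source Region matches ('Any' matches every region)."""
    if internal_host_detected(lookup) and internal_gws:
        return internal_gws[0]
    candidates = [g for g in external_gws
                  if g["source_region"] in ("Any", region)
                  and g["priority"] in PRIORITY_ORDER]
    if not candidates:
        raise RuntimeError("no external gateway eligible for automatic selection")
    return min(candidates, key=lambda g: PRIORITY_ORDER.index(g["priority"]))["name"]


# Constructed resolvers standing in for the DNS servers a client would see
# at different locations.
def corporate_dns(ptr: str) -> Optional[str]:
    table = {ptr_name("192.168.2.1"): "gp-in-gw.lab.local."}
    return table.get(ptr)


def hotel_dns(ptr: str) -> Optional[str]:
    return None                                 # NXDOMAIN for the private range


def wrong_name_dns(ptr: str) -> Optional[str]:
    return "some-other-host.example"            # answer present, but not ours


def dead_dns(ptr: str) -> Optional[str]:
    raise OSError("resolver timed out")


INTERNAL_GATEWAYS = ["int-gwy-1"]
EXTERNAL_GATEWAYS = [
    {"name": "external-gw-portal", "source_region": "Any", "priority": "Highest"},
    {"name": "external-gw-backup", "source_region": "Any", "priority": "Low"},   # constructed
]

if __name__ == "__main__":
    for label, dns in [("office", corporate_dns), ("hotel", hotel_dns),
                       ("wrong PTR", wrong_name_dns), ("no resolver", dead_dns)]:
        print(label, "->", choose_gateway(dns, INTERNAL_GATEWAYS, EXTERNAL_GATEWAYS))
```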
101. Locate the Internal Gateways list box and click Add to configure:
107. Locate the Source Region list box and click Add to configure the following:
Parameter Value
Source Region Select Any from the drop-down list
Priority Verify that Highest is selected
After a new version of the GlobalProtect client software is released, you can download it
through this interface and activate it. Any users currently running an older version of the
GlobalProtect software will be upgraded to the new version when they connect to the portal.
A Download GlobalProtect Client status window should appear. Do not continue until the
download has completed successfully.
An Activate GlobalProtect Client message should appear that shows the client package was
successfully activated.
118. Click Close to close the Activate GlobalProtect Client status message.
128. Click the Original Packet tab and configure the following:
Parameter Value
Source Zone Click Add and select inside from the drop-down list
Destination Zone Select outside from the drop-down list
Destination Interface Select ethernet1/1 from the drop-down list
Destination Address Click Add and type 203.0.113.20
Traffic that is not destined for the portal IP address (203.0.113.20) does not match this rule and is translated by the "source-egress-outside" rule instead. NAT rules are evaluated from the top down, and the first matching rule is applied.
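The following is an added example, not PAN-OS code or part of the lab guide, showing first-match NAT evaluation and why rule order decides whether portal traffic is translated. The rule name "gp-portal-no-nat", the assumption that this rule performs no translation, the client address 192.168.1.20 and the web server address 198.51.100.5 are constructed here; "source-egress-outside" and the portal address 203.0.113.20 come from the lab.

```python
"""First-match NAT rulebase evaluation (added example, not PAN-OS logic)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class NatRule:
    name: str
    src_zone: str           # "any" matches every zone
    dst_zone: str
    dst_interface: str      # "any" matches every interface
    dst_address: str        # host or CIDR; "any" matches every address
    translate_source_to: Optional[str]   # None = no translation (no-NAT rule)

    def matches(self, pkt: Dict[str, str]) -> bool:
        if self.src_zone != "any" and pkt["src_zone"] != self.src_zone:
            return False
        if self.dst_zone != "any" and pkt["dst_zone"] != self.dst_zone:
            return False
        if self.dst_interface != "any" and pkt["dst_interface"] != self.dst_interface:
            return False
        if self.dst_address != "any":
            net = ipaddress.ip_network(self.dst_address, strict=False)
            if ipaddress.ip_address(pkt["dst_ip"]) not in net:
                return False
        return True


def evaluate_nat(rulebase: List[NatRule], pkt: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Walk the rulebase top down; the first match wins.

    Returns (matched rule name or None, translated source IP).  With no match
    the packet leaves untranslated.
    """
    for rule in rulebase:
        if rule.matches(pkt):
            return rule.name, rule.translate_source_to or pkt["src_ip"]
    return None, pkt["src_ip"]


# Constructed rulebase modelled on the lab: the portal exemption (assumed to be
# a no-NAT rule) sits above the broad egress rule.  The egress rule's target is
# written symbolically as the ethernet1/1 interface address.
RULEBASE = [
    NatRule("gp-portal-no-nat", "inside", "outside", "ethernet1/1", "203.0.113.20", None),
    NatRule("source-egress-outside", "inside", "outside", "any", "any", "ethernet1/1-address"),
]


def packet(dst_ip: str, src_ip: str = "192.168.1.20") -> Dict[str, str]:
    """Constructed inside-to-outside packet for the demonstration."""
    return {"src_zone": "inside", "dst_zone": "outside",
            "dst_interface": "ethernet1/1", "src_ip": src_ip, "dst_ip": dst_ip}


if __name__ == "__main__":
    print("portal  :", evaluate_nat(RULEBASE, packet("203.0.113.20")))
    print("web     :", evaluate_nat(RULEBASE, packet("198.51.100.5")))
    # Swapping the order makes the broad rule swallow the portal traffic too.
    print("misorder:", evaluate_nat(list(reversed(RULEBASE)), packet("203.0.113.20")))
```

Run with the rules reversed and the portal traffic is source-translated as well, which is the kind of silent change a broad rule above a specific one produces.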
133. Commit all changes.
Note: A warning might appear about IPv6 not being enabled on the tunnel interface. You can
safely ignore it.
This is the version of the client software that you downloaded and activated under Device >
GlobalProtect Client.
137. After the GlobalProtect Agent has been successfully installed, close all browser windows
except for the firewall web interface.
145. Click the Troubleshooting tab and select the Network Configuration radio button.
Notice that the IP assigned is the first in the IP pool specified on the external gateway:
GlobalProtect is one of the ways that you can provide username-to-IP-address mappings to the
firewall for User-ID. For more information about User-ID, see the "User-ID" module in this
course.
151. Type exit to close the PuTTY session.
Note: Do not continue if the DNS server is not 192.168.1.1. Contact the instructor.
Notice that the Authenticated column now displays Yes for int-gwy-1.
175. Close the GlobalProtect Settings window.
176. Click the GlobalProtect agent icon in the Windows desktop system tray.
177. Click the Gear icon in the top-right corner and select Disable from the drop-down list:
182. Close the Programs and Features window after GlobalProtect has been successfully
uninstalled.
183. On the Windows desktop, right-click the CMD icon, and select Run as administrator.
184. Type the command ipconfig /all.
185. Verify that the current DNS server is 127.0.0.1:
Lab Objectives
Create and configure a tunnel interface to use in the site-to-site VPN connection.
Configure the IKE gateway and IKE Crypto Profile.
Configure the IPsec Crypto Profile and IPsec tunnel.
Test connectivity.
Security Zone Create and assign a new Layer 3 zone named VPN
A red Status column indicator on the VPN tunnel means that the VPN tunnel is not connected.
37. In the web interface, select Monitor > Logs > System.
38. Review the VPN log entries:
19. Locate a salesforce-base entry and click the Plus icon on the left to expand the display.
20. Notice the three sections labeled Detail, Flow 1, and Flow 2.
21. Review the Detail section.
Your information may look different. The items most useful when troubleshooting are
Session ID, Application, Security Rule, QoS Rule, and QoS Class:
The Flow 1 and Flow 2 sections describe the two directions of the session: the client-to-server
request and the server-to-client response.
You can end an active session by clicking the X icon at the far right of a session row:
The type of information displayed can be controlled from the menu bar at the top of the
window. The displayed graph can be exported as a PDF or PNG:
You can change the time period at the bottom of the screen:
24. In the web interface, select Monitor > App Scope > Threat Monitor.
The Threat Monitor report displays a count of the top threats over the selected time period. By
default, the figure shows the top 10 threat types for the past six hours.
You can filter the type of threat at the top of the screen:
The time period (shown at the bottom of the screen) can be changed to the Last 6 hours, Last
12 hours, Last 24 hours, Last 7 days, or Last 30 days:
28. Click a geographical location that has a dot showing the threats from the firewall (for
example, Malaysia):
The ACC opens with a global filter referencing Malaysia (MY) or the geographical location you
clicked:
31. Click the icon to display the information by Session Count and not Bytes:
Note: As is standard in all App Scope graph items, you can click an application color to switch
your view in the web interface to the ACC tab.
32. In the web interface, select Monitor > App Scope > Traffic Map.
33. Change the view to show the Last 7 days by clicking the option at the bottom of the
screen:
This information indicates that no single application dominates overall use by users.
39. Select threats in the Application Usage widget:
The graph in the example shows that Jamie has consumed the most bandwidth. Your user might
be different.
41. Focus your attention on the bottom-right Policy Optimizer widget.
42. Select the sessions radio button.
Which Security policy rule has been used the most?
The Threat tab displays an overview of the threats on the network. It focuses on the top threats:
vulnerabilities, spyware, viruses, hosts visiting malicious domains or URLs, top WildFire
submissions by file type and application, and applications that use non-standard ports:
Notice that the graph updates to display only critical and medium severities.
46. Scroll down to the bottom right and notice the Rules Allowing Apps On NonStandard
Ports widget:
Notice that all window panes have updated to show only information based on sally:
Which traffic in the displayed information is associated with sally? In the example, sally is shown
to be associated only with SMTP traffic, which could indicate a possible infection and lateral
movement.
55. Scroll down and locate the Destination Regions pane.
Notice that the web interface switched views to the Traffic log with a predefined filter.
59. Select the Detailed Log view icon.
At the bottom of the Detailed Log view should be the associated threat entries:
66. Browse through the report to get familiar with the presented information.
You also can include detailed browsing history that will include an approximate time a user
spends on a website (this information is not available when a group is specified instead of an
individual user).
67. If a new browser tab was opened to display the report, close the browser tab.
68. Click Cancel to close the User Activity Report window.
69. Click OK to close the User Activity Report configuration window.
The new User Activity report should appear in the web interface.
78. Click Run Now to run the report again with the new query:
Lab Objectives
Display the Dashboard HA widget.
Configure a dedicated HA interface.
Configure active/passive HA.
Configure HA monitoring.
Observe behavior in the HA widget.
When Auto is selected, the links that have physical connectivity remain physically up but in a
disabled state. They do not participate in ARP or packet forwarding. This configuration helps
reduce convergence times during failover because no time is required to activate the links. To
avoid network loops, do not select this option if the firewall has any Layer 2 interfaces
configured.
21. Click OK to close the Active/Passive Settings configuration window.
22. Click the icon of the Election Settings panel to configure failover behavior:
Parameter Value
Device Priority Type 80
Enter a priority value (range is 0–255) to identify the active
firewall. The firewall with the lower value (higher priority)
becomes the active firewall when the Preemptive
capability is enabled on both firewalls in the pair.
Preemptive Select Enabled
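The election behaviour the table describes, as an added example that is not PAN-OS code: the lower device priority value wins, and a returning higher-priority peer takes the active role back only when Preemptive is enabled on both firewalls. Firewall names, the deterministic tie-break by name and the 80/100 priorities used for the demonstration are constructed here.

```python
"""Active/passive HA election with device priority and preemption (added example)."""
from typing import Dict, Optional


def validate_priority(value: int) -> int:
    """Device priority must be in the range 0-255; lower value means higher priority."""
    if not 0 <= value <= 255:
        raise ValueError(f"device priority {value} is outside the range 0-255")
    return value


class HaPair:
    def __init__(self, priorities: Dict[str, int], preemptive: Dict[str, bool]):
        self.priorities = {name: validate_priority(p) for name, p in priorities.items()}
        self.preemptive = preemptive
        self.up = set(self.priorities)        # peers currently reachable
        self.active: Optional[str] = None

    def _preferred(self) -> Optional[str]:
        """Reachable peer with the lowest priority value; name breaks ties (example convention)."""
        if not self.up:
            return None
        return min(self.up, key=lambda n: (self.priorities[n], n))

    def _preempt_enabled(self) -> bool:
        """Preemption applies only when enabled on both firewalls in the pair."""
        return all(self.preemptive.get(n, False) for n in self.priorities)

    def elect(self) -> Optional[str]:
        preferred = self._preferred()
        if self.active is None or self.active not in self.up:
            self.active = preferred                       # initial election or failover
        elif self._preempt_enabled() and preferred != self.active:
            self.active = preferred                       # higher-priority peer takes over
        return self.active                                # otherwise the incumbent keeps the role

    def fail(self, name: str) -> Optional[str]:
        self.up.discard(name)
        return self.elect()

    def recover(self, name: str) -> Optional[str]:
        self.up.add(name)
        return self.elect()


if __name__ == "__main__":
    for both_preempt in (True, False):
        pair = HaPair({"fw-a": 80, "fw-b": 100},
                      {"fw-a": True, "fw-b": both_preempt})
        steps = [("start", pair.elect()), ("fw-a fails", pair.fail("fw-a")),
                 ("fw-a returns", pair.recover("fw-a"))]
        print(f"preemptive on both: {both_preempt}")
        for event, active in steps:
            print(f"  {event:13s} -> active: {active}")
```

With Preemptive enabled on only one peer, the returning fw-a stays passive even though its priority value is lower; this is the case to check when a failover does not "undo" itself as expected.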
44. If a peer was configured and was operating in passive mode, the High Availability
widget on the Dashboard would appear as follows.
To avoid overwriting the wrong firewall's configuration, the firewalls do not synchronize
automatically. Sync to peer pushes the configuration of the firewall you are logged in to over to
its peer, so click it on the firewall that holds the "valid" configuration.