Workshop Guide

Ultimate Test Drive – Virtualized Datacenter

UTD-VDC-2.1 / Panorama, VM-Series (PAN-OS 7.0) and vCenter 5.5 with NSX Manager 6.2

http://www.paloaltonetworks.com

© 2016 Palo Alto Networks. Proprietary and Confidential

Last Update: 20160603


Ultimate Test Drive – VDC

Table of Contents
Activity 0 – Login to UTD Workshop .................................................................................. 5
Task 1 – Login to your Ultimate Test Drive Class Environment .................................................................... 5
Task 2 – Login to the student desktop .......................................................................................................... 6
Task 3 – Perform connectivity check............................................................................................................. 9
Activity 1 – Introduction to the VM-Series Firewall, Panorama and NSX Integration ........10
Task 1 – Login and review Panorama Management System ...................................................................... 11
Task 2 – Login and review vSphere Web Client .......................................................................................... 13
Task 3 – Review the VMware VXLAN Configuration ................................................................................... 16
Task 4 – Use the NSX Distributed Firewall for intra-tier traffic protection................................................. 17
Activity 2 – Enable Application Control ............................................................................20
Task 1 – Login to guest VM ......................................................................................................................... 20
Task 2 – Review traffic logs in Panorama .................................................................................................... 21
Task 3 – Modify the firewall policy.............................................................................................................. 22
Task 4 – Verify the firewall policy................................................................................................................ 24
Activity 3 – Integrating Dynamic Address Groups with vCenter........................................25
Task 1– Create Dynamic Address Group in VM-Series................................................................................ 25
Task 2 – Review Security Group on vCenter ............................................................................................... 26
Task 3 – Modify Security Tag on Guest VMs ............................................................................................... 28
Task 4 – Review Dynamic Address Group ................................................................................................... 29
Activity 4 – Applications Visibility with the VM-Series .....................................................30
Task 1 – Modify the vSphere Security Policy .............................................................................................. 30
Task 2 – Modify the VM-Series Firewall Policy ........................................................................................... 32
Task 3 – Verify Application Visibility on VM-Series ..................................................................................... 33
Activity 5 – Safely Enable Applications .............................................................................34
Task 1 – Enable Security Profile .................................................................................................................. 34
Task 2 – Review Security Profiles ................................................................................................................ 35
Task 3 – Verify the firewall policy and protection profile ........................................................................... 36
Activity 6 – VM-Series for Non-NSX Environment .............................................37
Task 1 – Review the PA-VM-Series firewall ................................................................................................. 37

UTD-VDC 2.1 Page 2


Task 2 – Connect the VM-Series firewall to virtual networks ..................................................... 38
Task 3 – Login to the Ubuntu-Desktop ........................................................................................................ 40
Task 4 – Review the logs on the VM-Series firewall ................................................................................... 42
Activity 7 – Modern Malware Protection .........................................................................43
Task 1 – Enable WildFire sandbox threat analysis ...................................................................................... 43
Task 2 – Test WildFire Modern Malware Protection .................................................................................. 46
Activity 8 – ACC and Custom Reports ...............................................................................48
Task 1 – Review Application Command Center (ACC) ................................................................................ 48
Task 2 – Creating a custom report .............................................................................................................. 49
Activity 9 - Feedback on Ultimate Test Drive ....................................................................50
Task 1 – Take the online survey .................................................................................................................. 50
Appendix-1: Alternative Login Method to Student Desktop .............................................52
Login to the student desktop using Java Console (Java client required) .................................................... 52
Login to the student desktop with RDP client............................................................................................. 54
Appendix-2: Support for Non-US keyboards ....................................................................56
Add new international keyboard ................................................................................................................ 57
Use the on-screen keyboard ....................................................................................................................... 58
Appendix-3: Network Diagram ........................................................................................60


How to use this Guide:


The activities outlined in this Ultimate Test Drive guide are meant to contain all the
information necessary to navigate the Palo Alto Networks graphical user interface (GUI).
This guide is meant to be used in conjunction with the information and guidance provided
by your facilitator.

Once these activities are completed:


You should be able to:
1. Navigate the Palo Alto Networks GUI
2. Review portions of the security platform configuration
3. Change the configuration to affect the behavior of traffic across the security platform

This workshop covers only basic topics and is not a substitute for training classes conducted
at a Palo Alto Networks Authorized Training Center (ATC). Please contact your partner or
regional sales manager for more training information.

Terminology:
“Tab” refers to the tabs along the top of each screen in the GUI.

“Node” refers to the options associated with each “Tab” found in the left-hand column on each screen.

*NOTE*
Unless specified otherwise, the “Chrome” web browser is used to perform the tasks outlined in
the following Activities. (Chrome is pre-installed on the desktop of the workshop PC.)


Activity 0 – Login to UTD Workshop


In this activity you will:
- Login to the Ultimate Test Drive Workshop from your laptop
- Connect to the student desktop and verify connectivity to other lab devices
- Review the workshop network

Task 1 – Login to your Ultimate Test Drive Class Environment

Step 1: First, make sure your laptop is equipped with a modern browser that supports HTML5. We
recommend using the latest version of Firefox, Chrome or Internet Explorer. We also recommend that you
install the latest Java client for your browser.

Step 2: Go to class URL. Enter your email address and the Passphrase. (If you have an invitation email, you
can find the Class URL and Passphrase in the invitation email. Or the instructor will provide you with the
class URL and Passphrase.)

Step 3: Complete the Registration form and click “Register and Login” at the bottom.

Step 4: Depending on your browser, you may be asked to install a plugin. Click “Yes” to allow the plugin
to be installed and continue the login process.


Step 5: Once you login, the environment will be automatically created for you. Click on “Start Using This
Environment” when the Environment is ready.

Step 6: The UTD NSX Environment consists of the following core components: “Student Desktop”,
“Panorama”, “vCenter”, “NSX Manager”, “ESXi-Host1” and “ESXi-Host2”. You will access all these
components through the “Student Desktop”.

Task 2 – Login to the student desktop


Step 1: Click on the “Student Desktop” tab on top to connect to the Student Desktop.

Step 2: You will be connected to the “Student Desktop” through your browser.


Step 3: Click on the blue arrow on the top left hand corner to collapse the navigation bar. This will make
more room for the “Student Desktop”.

Step 4: If the “Student Desktop” resolution is too high or too low for your laptop display, you can adjust
the resolution on the upper right hand corner. Click on the “Fullscreen RDP” to utilize the entire browser
space and use the drop down menu on the top right hand corner for more control.

[Note: The default connection to the “Student Desktop” uses RDP over HTML5 protocol through the
browser. In case that your browser does not support HTML5 please refer to Appendix-1: Alternative Login
Method to connect to the student desktop using Java or RDP client.]

Optional Step 5: If you encounter connection issues with the “Student Desktop”, click on “Reconnect” to
re-establish the connection.


Optional Step 6: If re-connection to the “Student Desktop” remains unsuccessful, please verify your laptop’s
connectivity using the following link. Note that the Java client is required in your browser for this test site
to function.

https://use.cloudshare.com/test.mvc
This test site validates the RDP-based and Java-based connections from your browser. Click “Allow” to
allow the “Java Applet” to be installed and run in your browser.

Optional Step 7: If the connectivity test passes, please close the browser and retry from Activity-0 Task-1
Step-1. If the connectivity test fails, please inform the instructor and ask for further assistance.


Task 3 – Perform connectivity check


Step 1: Once logged in to the Student Desktop, you can run the “PingCheck” script at the lower left corner
of the desktop.

Step 2: The “PingCheck” script will ping the management interfaces of all the major components in the lab
environment. If there is a failure in the ping check, you can go to the “Virtual Machine” tab and reboot the
VM. Note that it may take some time for the VM to reboot.

End of Activity 0.


Activity 1 – Introduction to the VM-Series Firewall, Panorama and NSX Integration

Background: The VM-Series firewall extends safe application enablement to virtualized and cloud
environments using the same PAN-OS™ feature set that is available in physical security appliances. The
core of the VM-Series is the next-generation firewall, which natively classifies all traffic, inclusive of
applications, threats and content, then ties that traffic to the user, regardless of location or device type.
Panorama, the centralized management solution, provides you with the ability to manage the Palo Alto
Networks virtual and physical firewalls from a centralized location. This means you will be able to view all
your firewall traffic; manage all aspects of device configuration; push global policies; and generate reports
on traffic patterns or security incidents - all from one central location. This activity introduces the
integration between VM-Series firewall, Panorama, VMware vCenter and the NSX solution.

Panorama and vCenter overview:
- Overview of Panorama, VM-Series virtual firewall (Hypervisor), vCenter and NSX Manager
- Login to the management interface of the major components

In this activity you will:
- Review the Panorama centralized management solution
- Learn about context switching in Panorama
- Login and review the configuration needed for NSX integration on Panorama, vCenter and NSX Manager
- Review VXLAN configuration and Distributed Firewall on NSX Manager

The network topology of the UTD NSX lab environment is shown in Appendix-3: Network Diagram.


Task 1 – Login and review Panorama Management System


Step 1: On your Chrome browser, the management interfaces of the core components are bookmarked.

Step 2: Click on the “Panorama” (IP: 10.30.51.23) bookmark in the Chrome browser and log in with the
following credentials:
Login: vdcstudent
Password: utdvdc135

You are now logged into the Panorama management system and should see the main dashboard.
Notice that the “Device Name” under “General Information” is “Panorama”. This indicates that you are looking
at the Panorama web interface.


Step 3: Click on the “Panorama” tab on top and “Managed Devices” node on the left hand side to review
the VM-Series firewalls that are managed by Panorama.

Step 4: You can manage each firewall from Panorama by switching “Context”. Click on the drop-down
menu under “Context” in the upper left hand corner, and change it from “Panorama” to “PA-VM-HV01” to
switch context to the firewall PA-VM-HV01.

Step 5: After the context is loaded, notice that the device name is shown under “Context”. The device name
is also shown in “General Information” in the “Dashboard” tab. Notice that the management GUI of a single
firewall is very similar to the Panorama central management GUI, which makes it easy for administrators to
switch between device management and centralized management.


Step 6: Switch the “Context” back to “Panorama” to view the Panorama web interface.

Step 7: After switching context back to Panorama, click on the “Panorama” tab on top, click on the
“VMware Service Manager” node on the left to review the configuration to integrate Panorama with
VMware NSX manager. Important: Do not change anything here. Notice that the “Status” displays as
“Registered” when the connection between Panorama and NSX Manager is successful.

Task 2 – Login and review vSphere Web Client


Step 1: On the Chrome browser, click on the “vSphere Web Client” bookmark to open the “vSphere Web
Client” to vCenter (IP: 10.30.51.21).

Step 2: Login to vCenter using the following login and password:

Login: root
Password: vmware
Step 3: On the Home page, click on “Host and Clusters”.


Step 4: Review the hosts and the guest VMs managed by this vCenter. The “Palo Alto Networks NGFW (3) /
(4)” guest VMs installed in the UTD-Cluster are the PA-VM-HV01 and -HV02 hypervisor firewalls managed
by Panorama.

(Note: The VM-Series firewall is installed as a guest service VM on the host, the icon for the service VM is
different from the regular guest VM.)

Step 5: Click on the “DB-Server-1” VM and review which host the guest VM is installed on. Review the VM
summary for “DB-Server-2” and “Web-Server”. It is important that VMware Tools are running on the guest
VMs: NSX learns a guest VM’s IP address through VMware Tools, so a VM without running Tools will not show
up with an address in the Dynamic Address Groups used later in this workshop. If VMware Tools is not
running, reboot the guest VM to restart it.

Step 6: Click on the “Home” icon on the top to go back to the home page.


Step 7: Click on “Networking & Security” and click on “NSX Managers” at the bottom of the list on the left
hand side.

Step 8: Review that NSX Manager (10.30.51.22) is installed and registered with this vCenter.

Step 9: Go to the “Services” tab under “Networking & Security” and “Service Definitions” to verify that the
VM-Series firewall is registered as a service on NSX Manager.

Step 10: In a production environment, there are some other steps required to prepare the ESXi-hosts for
service deployment. These steps have been performed for you in this environment.


Task 3 – Review the VMware VXLAN Configuration


Step 1: Go to “Networking & Security” and “Installation”, click on “Management”, and verify that
“NSX Controller – controller-2” is listed under “NSX Controller nodes”.

Step 2: Go to “Networking & Security” and “Installation”, click on “Logical Network Preparation” and
verify that “VXLAN transport” is installed on all the hosts in the cluster. Click the triangle icon to
expand the cluster.

Step 3: Finally verify that the logical switch “UTD-VXLAN-LSwitch” is installed.


Task 4 – Use the NSX Distributed Firewall for intra-tier traffic protection

Step 1: On the student desktop, use the “putty” application to SSH into the “DB-Server-1” management
interface (10.30.51.181). (You can load the IP address from the “Saved Sessions” in putty or use the
shortcut on the desktop)
Login: utdadmin
Password: utdadmin135

Step 2: From the “DB-Server-1” ping “DB-Server-2” at 172.16.5.182. Did you get a ping response? (Yes, you
should get a ping response.)

Step 3: From the vSphere Web Client, go to “Firewall” under “Networking & Security”. Select the rule
“Block-Between-DB” in the “Configuration” tab under “General”.


Step 4: Under the “Action” column, click the pencil icon in the upper-right hand corner. Change the
Action from “Allow” to “Block” and select ‘Log” to enable logging, then click “OK”. Also, notice that “Any”
is selected in the “Service” column, so this rule will block traffic on all ports.

Step 5: Click the pencil icon in the “Applied To” column. In the “Block-Between-DB – Specify Applied To”
window, uncheck “Apply this rule on all clusters on which Distributed Firewall is installed.” and then
choose “Virtual Machine” in the “Object Type” pull-down. Note that “Object Type” is not visible until the
checkbox is deselected. Under the “Available Objects” box, select “DB-Server-2” and click the blue right-
hand arrow to move it to the “Selected Objects” box. Repeat for “DB-Server-1”. Click “OK” to finish.


Step 6: Click on “Publish Changes” to deploy the changes.

Step 7: Go back to the “DB-Server-1” SSH session and try to ping “DB-Server-2” on 172.16.5.182 again. Did you
get a ping response? (You should get no response, because you have successfully blocked traffic between the
DB-Servers with the NSX Distributed Firewall. The rule is enforced in the hypervisor at each VM’s vNIC, so it
applies even though both VMs sit on the same layer-2 segment and the traffic never crosses a router.)

End of Activity 1.


Activity 2 – Enable Application Control


Background: Many organizations use virtual local area networks (VLANs) to segment their network.
Though VLANs isolate traffic between layer-2 domains, they cannot control what happens inside one:
two hosts on the same VLAN can run any application against each other, and a VLAN has no way to tell
SSH from a database query. True network segmentation - which happens at the application layer -
requires a firewall that understands your applications, users, and content without being limited by the
network topology.
Panorama and PAN-OS features:
- Enabling an application in the firewall policy
- Application-ID and application-default ports
- Logging and reporting for verification
In this activity you will:
- Modify firewall policy to enable an application using App-ID
- Commit the firewall policy to device group through Panorama

Task 1 – Login to guest VM


Step 1: On the student desktop, use “putty” application to SSH into the “DB-Server-1” management
interface (10.30.51.181) on ESXi-Host1. (You can load the IP address from the “Saved Sessions” in putty or
use the shortcut on the desktop)
Login: utdadmin
Password: utdadmin135


Step 2: DB-Server-1 has two network interfaces, one for management (10.30.51.181) and one for data
(172.16.5.181). Our policies will focus on enabling an application on the data interface. Ping the data
interface of Web-Server (172.16.5.191) on ESXi-Host-2 from DB-Server-1. You should see a ping response
from the Web-Server. [Note that both DB-Server-1 and Web-Server data interface are on the same
network.]

Step 3: SSH from DB-Server-1 (172.16.5.181) to Web-Server (172.16.5.191) using the command “ssh
utdadmin@172.16.5.191” with password “utdadmin135”. Did you get an SSH response from Web-Server?
(Web-Server should not be responding to the SSH request.)

Task 2 – Review traffic logs in Panorama


Step 1: On the student desktop, use the Chrome browser to login to the Panorama Web interface and go
to the “Monitor” tab.

Step 2: Click on the “Traffic” node under “Logs” on the left hand side to review the firewall policies log.
Make sure the “Context” on top is set at “Panorama”.

Step 3: Click on the “Refresh” button on the upper right corner if necessary to display the latest log
entries.

Step 4: You can search the log by clicking on any field to add the search text and modify it accordingly.
Search the logs for the SSH application by entering the search text “(app eq ssh)” (without the quotations).

Step 5: Observe that the ssh application is being denied by the firewall policy.


Task 3 – Modify the firewall policy


Step 1: Click on the “Policies” tab on top and click on “Pre-Rules” under “Security” node on the left. Make
sure that Device Group “UTD-NSX-FW-DG” is selected.

(If the subject has not been covered by now, please ask the instructor to explain the differences between
“Pre Rules” and “Post Rules” in Panorama.)

Step 2: Click on the “From Database Group1” policy to open the “Security Policy Rule” and then click on
the “Application” tab.

Step 3: Add “ssh” to “Applications”.


Step 4: In the “Service / URL Category” tab, change the “Service” from “any” to “application-default”. (This
allows each application only on the default port(s) that App-ID defines for it, so an allowed application
cannot be run on an arbitrary port to carry other traffic past the rule.)


Step 5: Click “Ok” on the Security Policy Rule window.


Step 6: Click “Commit” on the top right hand corner to commit the policy changes.

Step 7: Select “Panorama” and click “Commit” to commit the changes to Panorama. (This saves the
changes to the Panorama configuration file)

Step 8: Click “Close” when the commit process is completed.

Step 9: Click “Commit” again on the top right hand corner.

Step 10: This time, select “Device Group” under Commit Type and select “UTD-NSX-FW-DG”. Then click
“Commit”. (This commits the policy changes to the firewalls.)


Step 11: Click “Close” when the commit process is completed.

Task 4 – Verify the firewall policy


Step 1: Go back to the putty application in Task 1 and SSH to the Web-Server (172.16.5.191) again from
DB-Server-1. You should be able to SSH to the Web-Server now. Use “utdadmin / utdadmin135” as login.
(Note: Exit from the Web-Server SSH session after the verification is completed.)

(Note: DB-Server-1 and Web-Server are installed on different hosts in this example, the NSX and VM-Series
integrated solution works the same no matter where the VMs are installed.)

Step 2: Go back to Panorama and refresh the traffic log. You should see traffic log entries showing that the
ssh application is now allowed.
Step 3: Clear the text in the search field to see the other logs.

End of Activity 2.


Activity 3 – Integrating Dynamic Address Groups with vCenter

Background: In a datacenter, virtual machines are added, moved or deleted in a matter of minutes creating
an ever-changing environment that is very difficult for security administrators to manage and maintain
without an automated security workflow. Through the integration with NSX Manager, Dynamic Address
Groups (DAG) provide the ability to tie security policies to a virtual machine’s changes and movement
instantaneously. A DAG lets the VM-Series firewall automatically keep track of the IP addresses
assigned to your guest VMs, so policy follows the VM rather than a hard-coded address.

Panorama, PAN-OS and vCenter features:
- Dynamic Address Groups (DAG)
- Guest VM Security Tags in vCenter
- Security Groups in vCenter

In this activity you will:
- Create DAG on Panorama and link it to a Security Group in vCenter
- Create a dynamic NSX Security Group with Security Tags in vCenter

Task 1– Create Dynamic Address Group in VM-Series


Step 1: Login to Panorama, click on the “Objects” tab.

Step 2: Click on the “Address Groups” node on the left hand side. Make sure the “Panorama” is shown
under “Context” and “UTD-NSX-FW-DG” is shown under “Device Group”.

Step 3: Click “Add” at the bottom of the “Address Group” page to create another Dynamic Address Group
for the second DB-server group.

Step 4: Enter “DB-Server-DAG2” under Name on new “Address Group” page


Step 5: Select “Dynamic” under “Type”.

Step 6: Click on “Add Match Criteria” and select “DB-Server-SG2-securitygroup-xx” by clicking the add icon
next to it, and then click OK. (xx is the group number assigned by NSX and can change depending on the NSX
configuration.)

Step 7: Click on “Commit” and select “Panorama” to commit the changes to Panorama, then commit again,
selecting “Device Group” and “UTD-NSX-FW-DG”, to push the changes to all the firewalls.

Step 8: Review the address entry in the new “DB-Server-DAG2” by clicking on “more...” in the “Addresses”
column. There should be no address in new Dynamic Address Group at this point.

Task 2 – Review Security Group on vCenter


Step 1: Login to vSphere Web Client, on the home page, click on “Networking and Security”.


Step 2: Click on “Service Composer” node on the left and then click on “Security Groups” tab on the right.

Step 3: Notice that “DB-Server-SG2” security group shows “0” under “Virtual Machines” indicating that
there are currently no virtual machines in this security group. (You will need to adjust the column width to
see the column entries.)
Step 4: Select and right-click “DB-Server-SG2” security group and click on the “Edit Security Group”.

Step 5: In the “Edit Security Group” window, select “2 Define dynamic membership”. Review that this
security group selects dynamic members based on “Security Tag” contains “DB-Server-Group2”.

Step 6: Click on “Cancel” to exit without making any changes.


Task 3 – Modify Security Tag on Guest VMs


Step 1: Click on “Home” to return to the home page and then click on “Hosts and Clusters” to view the
guests.
Step 2: Click on “DB-Server-2” and click on the “Summary” tab on the right.

Step 3: Click “Manage” under “Security Tags”. [If you don’t see any widgets in “Summary” page, you may
need to logout and log back in to vCenter to refresh the display.]

Step 4: Select “DB-Server-Group2” under “Filter” and click “OK”.


Step 5: Repeat Task 2, Step 2 to review the “DB-Server-SG2” security group again. You should now see one
virtual machine in the security group. You can click on the number to see the VM in this group.

Task 4 – Review Dynamic Address Group


Step 1: Go back to Panorama GUI and review the IP address in the Dynamic Address Group “DB-Server-
DAG2”.

Step 2: Click on “more…” in the “Addresses” column for “DB-Server-DAG2” and you should see the IP
address of DB-Server-2 automatically added to the DAG.

End of Activity 3.


Activity 4 – Applications Visibility with the VM-Series

Background: Visibility is an important step in controlling network traffic and applications in the datacenter.
In order to take a proactive approach to managing accessibility and risk in the datacenter, network and
security administrators must have full visibility into the application mix on the physical and virtual
networks. Through the integration with NSX Security Policies, which redirect guest VM traffic to the
VM-Series firewall, the Palo Alto Networks VM-Series firewall can provide full visibility at the hypervisor
layer, giving complete application visibility and control between guest VMs on the same or different hosts.

Panorama and vCenter features:
- Firewall policy with Dynamic Address Group (DAG)
- NSX Security Policy

In this activity you will:
- Setup security policy to redirect the traffic between guest VMs to the VM-Series firewall
- Use VM-Series firewall policy to enable applications and utilize built-in log monitor function to
  monitor applications between guest VMs

[Note: you must complete Activity 3 before you continue on to Activity 4 and 5.]

Task 1 – Modify the vSphere Security Policy


Step 1: Login to the vSphere Web Client, from the “Home” page, click on “Networking & Security” and
then click on “Service Composer”.

Step 2: Click on the “Security Policies” tab on the right, select the “DB-Server-Group2 to Web-Server”
policy and click the pencil icon to edit the policy.


Step 3: Click on “Network Introspection Services” in the Edit Security Policy window.

Step 4: Select the “DB-Group2 to Web” rule and click the edit icon to edit.

Step 5: Change the Action to “Redirect to service”. Click “OK” and then “Finish” to save the change.

Step 6: With the “DB-Server-Group2 to Web-Server” policy selected, right click and select “Apply Policy”.


Step 7: Under “Filter”, the “Web-Server-SG” object should be selected, click “OK” to apply the security
policy.

Task 2 – Modify the VM-Series Firewall Policy


Step 1: Login to Panorama, go to the “Policies” tab.

Step 2: Go to the “Pre Rules” under “Security” on the left hand side.

Step 3: Select the rule “From Database Group2” and click on “Enable” at the bottom to enable this policy.

Step 4: The color of the policy changes to light blue to indicate that it is enabled.

Step 5: Click on the rule name “From Database Group2” to edit the policy. In the “Source” tab of the
“Security Policy Rule” window, add “DB-Server-DAG2” to the “Source Address”.

Step 6: Click on the “Destination” tab in the “Security Policy Rule” window and add “Web-Server-DAG” to
the “Destination Address”.

Step 7: Click on the “Application” tab and review that “Any” application is allowed by this policy.

Step 8: Click on the “Actions” tab and make sure “Allow” is checked under “Action Setting”. Click “OK” to
close the “Security Policy Rule” window.

Step 9: Commit the policy changes to “Panorama” and the Device Group “UTD-NSX-FW-DG”.

Task 3 – Verify Application Visibility on VM-Series


Step 1: Use the putty application shortcut “DB-Server-2” to SSH to DB-Server-2 (10.30.51.182).

Step 2: From DB-Server-2, ping the data interface of Web-Server (172.16.5.191); the ping should
go through. You can also test SSH with “ssh utdadmin@172.16.5.191” (password utdadmin135), and the SSH
session should go through as well.

Step 3: Go back to the Panorama web interface, click on the “Monitor” tab and then the “Traffic” node under
“Logs”.

Step 4: You should be able to see the application sessions between the “Web-Server-SG” and “DB-Server-
DG2” on Panorama. You can filter the logs down to the policy you enabled in Task 2 by entering
“( rule eq ‘From Database Group2’ )” in the search box on top of the logs. (Logs can take a couple of minutes
before they show up.)

(Note: DB-Server-2 and Web-Server are installed on the same host in this example; the NSX and VM-Series
integrated solution works the same no matter which hosts the VMs are installed on.)

End of Activity 4.

Activity 5 – Safely Enable Applications


Background: Network-based threat protection has evolved to include many disciplines, from the prevention
of vulnerability exploits (IPS) to a wide range of malware protection and botnet detection and prevention. We
will demonstrate the core threat prevention capabilities of the Palo Alto Networks platform and how they can
be used to protect guest VMs.

Panorama and PAN-OS features:


 Security Profile
 Antivirus, Vulnerability Protection and Anti-spyware
 Threat Logs

In this activity you will:


 Enable Antivirus, Vulnerability Protection and Anti-Spyware profiles to protect applications between
guest VMs
 Review the threat logs on Panorama

[Note: you must complete Activity 3 before you continue on to Activity 4 and 5.]

Task 1 – Enable Security Profile


Step 1: In the Panorama GUI, click the “Policies” tab and click on the policy “From-Database-Group2” to edit the
policy.

Step 2: Click on the “Actions” tab in the “Security Policy Rule” window.

Step 3: Under “Profile Setting”, select “Profile” in the “Profile Type” drop down menu.

Step 4: Select the “default” profile for “Antivirus”.

Step 5: Select the “strict” profile for “Vulnerability Protection”.

Step 6: Select the “strict” profile for “Anti-Spyware” and click “OK” to close the “Security Policy Rule” window.

Step 7: Commit the policy changes to “Panorama” and Device Group “UTD-NSX-FW-DG”.

Task 2 – Review Security Profiles


Step 1: In Panorama, go to the “Objects” tab and click on the “Security Profiles” node on the left hand side.

Step 2: Click on the name of the Antivirus security profile to review the profile settings.

Step 3: Review the profile settings for the “strict” Anti-Spyware profile and the “strict” Vulnerability
Protection profile.

Task 3 – Verify the firewall policy and protection profile


Step 1: Use the putty application shortcut “DB-Server-2” to SSH to DB-Server-2 (10.30.51.182).

Step 2: From “DB-Server-2”, ping the “Web-Server” data interface at “172.16.5.191”; you should get a valid
ping response back.

Step 3: Use the “wget-sample1” script with the command “./wget-sample1” to fetch the file
“sample1” from the “Web-Server” over HTTP.

Step 4: You should be able to get the file “sample1” from Web-Server. “sample1” is a basic HTML file and you
can review its content with the “more” command: “more sample1”.

Step 5: Use the “wget-sample2” script with the command “./wget-sample2” to fetch the file
“sample2” from the “Web-Server” over HTTP.

Step 6: The wget command should fail this time, as the connection is closed.

Step 7: Go to the Panorama GUI, click on the “Monitor” tab, then the node “Logs” > “Threat”. Review the “Eicar”
entry. The “sample2” file is actually an EICAR test file and it is blocked by the VM-Series firewall antivirus
protection. (If you don’t see the log entries, wait for about 30 seconds and refresh the “Threat” log view.)

(Note: wget issues a plain HTTP GET request, so the VM-Series firewall identifies it as the web-browsing
application.)
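To make concrete what the antivirus profile did in Steps 5 to 7, here is an added Python example that is not part of this guide or of PAN-OS: it applies the published EICAR test-file rule (the 68-byte signature first, only whitespace after it, at most 128 bytes in total) to two constructed response bodies standing in for sample1 and sample2, and produces a record shaped like the Threat log entry reviewed in Step 7. The file contents, the threat name and the action values are constructed for illustration; only the EICAR string itself is the real, harmless test signature.

```python
# Added example, not part of the UTD guide or of PAN-OS: a minimal signature
# check that behaves like the "default" Antivirus profile did in Task 3.
# The EICAR string is the published, harmless anti-virus test signature; the two
# file bodies below are constructed stand-ins for "sample1" and "sample2".

EICAR_SIGNATURE = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Whitespace EICAR permits after the 68-byte signature (space, tab, CR, LF, CTRL-Z).
EICAR_TRAILER_BYTES = b" \t\r\n\x1a"
EICAR_MAX_LENGTH = 128

# Constructed stand-ins for the files fetched with wget in Steps 3 and 5.
SAMPLE1 = b"<html><body><h1>UTD sample page</h1></body></html>\n"
SAMPLE2 = EICAR_SIGNATURE + b"\n"


def is_eicar(payload: bytes) -> bool:
    """True if payload is a valid EICAR test file.

    The published rule: the signature must be the first 68 bytes, anything after
    it may only be whitespace, and the whole file is at most 128 bytes long.
    """
    if len(payload) > EICAR_MAX_LENGTH or not payload.startswith(EICAR_SIGNATURE):
        return False
    trailer = payload[len(EICAR_SIGNATURE):]
    # Iterating bytes yields ints; "int in bytes" tests for that byte value.
    return all(b in EICAR_TRAILER_BYTES for b in trailer)


def scan_response(src: str, dst: str, filename: str, payload: bytes) -> dict:
    """Return a dict shaped like the Threat log columns reviewed in Step 7.

    The threat name "Eicar" follows the guide; the "block"/"allow" action values
    are constructed for this example, not the firewall's real action strings.
    """
    blocked = is_eicar(payload)
    return {
        "src": src,
        "dst": dst,
        "app": "web-browsing",  # wget's plain HTTP GET, as the note above explains
        "file": filename,
        "threat": "Eicar" if blocked else None,
        "action": "block" if blocked else "allow",
    }


if __name__ == "__main__":
    # DB-Server-2 data IP -> Web-Server data IP, as in Task 3.
    for name, body in (("sample1", SAMPLE1), ("sample2", SAMPLE2)):
        print(scan_response("172.16.5.182", "172.16.5.191", name, body))
```

The trailing-whitespace and length rules matter: a file that merely contains the EICAR string somewhere inside it is, by the EICAR definition, not a test file, and a scanner that only searched for the substring would flag this very page.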

End of Activity 5.

Activity 6 – VM-Series for Non-NSX Environment


Background: While the Palo Alto Networks VM-Series (VM-1000-HV) seamlessly integrates with the VMware
NSX solution, the VM-Series can also reside on ESXi or another supported hypervisor as a guest VM to
provide another flexible deployment option. By placing the VM-Series in the path of the traffic using standard
virtualized networking tools, the VM-Series easily integrates with the existing virtual networks and
provides the application security and threat protection needed for virtualized environments.

vCenter features:
 Connect VM-Series interfaces to virtual networks
 Review the VM-Series VM configuration

In this activity you will:


 Identify VM-Series interfaces that are disconnected and re-connect interfaces to the virtual networks
 Review traffic logs on Panorama to confirm traffic is passing through the firewall

Task 1 – Review the PA-VM-Series firewall


Step 1: Log in to the Panorama GUI and switch the context from “Panorama” to the “PA-VM-Series” firewall:
click on the drop down menu below “Context” in the upper left hand corner, and change it from “Panorama” to
“PA-VM-Series”.

Step 2: Click on the “Network” tab after the context is switched to “PA-VM-Series”. Then click on the
“Interfaces” node on the left hand side. On the Ethernet tab, notice that the “Link State” of Ethernet1/1 and
Ethernet1/2 is down for both. This indicates the firewall interfaces are not connected to any networks. [Note
that the interfaces are configured as Layer-3 interfaces in this lab. More interfaces can be added and
configured to support other deployment modes such as Layer-2, virtual-wire or tap mode.]

Task 2 – Connect the VM-Series firewall to virtual networks


Step 1: Log in to the vSphere Web Client, click on “Home” and then click on “VMs and Templates”.

Step 2: Notice that the “PA-VM-Series” VM is listed together with other VMs such as DB-Server-1/2
and the Web-Server. Right click on the “PA-VM-Series” VM and select the “Edit Settings…” option to
open the edit settings window. [Note: This VM is not the same as the VM-Series firewalls you used in the
previous activities, which are listed inside the “ESX Agents” folder. You can click on the ESX Agents folder
to see the VM-Series used in the previous activities.]

Step 3: In the “Edit Settings” window, click the “Connected” buttons to connect “Network adapter 2”
and “Network adapter 3”. Click “OK” to apply the changes. [Note: Do not change the vSwitch configuration
in the drop down menu. “Network adapter 2” should connect to “vxw-dvs-36-virtualwire-1-sid-5000-UTD-VXLAN-LSwitch”
and “Network adapter 3” should connect to “Management-DPortGroup(Management-DSwitch)”.]

Step 4: You can also review the other settings for the “PA-VM-Series” VM, such as CPU, memory and disk
storage. Please do not make changes to these settings.

Step 5: Once the interfaces are connected to the network, you should be able to ping the PA-VM-Series
interface “10.30.51.31” from the “Student Desktop”.

Step 6: Go back to the Panorama GUI to review the Link State of the “PA-VM-Series” firewall. Click the
refresh button; the Link State should now be up.

Task 3 – Login to the Ubuntu-Desktop


Step 1: In the vSphere Web Client, under the “VMs and Templates”, click on the “Ubuntu-Desktop”. Then
click on the “Summary” tab on the right hand side.

Step 2: Click on “Open with VMRC” to launch the console and access the “Ubuntu-Desktop”.

Step 3: Log in to the Ubuntu-Desktop using the following login:

User: student
Password: utd!35

Step 4: Open the terminal; you should be able to ping out to the Internet (4.2.2.2).

Step 5: Open the browser (you can use the Firefox that is on the dock). You should be able to browse
the Internet from the Ubuntu-Desktop.

Task 4 – Review the logs on the VM-Series firewall


Step 1: Go back to the Panorama GUI, click on the “Monitor” tab and then click on the “Traffic” node
under “Logs”. Note that the “Context” setting is still set to “PA-VM-Series”.

Step 2: To show only the logs from the Ubuntu-Desktop, enter (addr.src in 172.16.5.201) in the search field
and then click the “Apply filter” button next to the search field. Review which applications are allowed and
which are denied. [172.16.5.201 is the IP address of the Ubuntu-Desktop.]
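The two log filters used in this workshop, ( rule eq 'From Database Group2' ) in Activity 4 Task 3 and (addr.src in 172.16.5.201) here, are shown below being applied to a constructed traffic-log excerpt. This is an added Python example, not code from the guide or from Panorama: the log rows, the rule name Deny-Other and the 198.51.100.10 destination are made up, and the filter grammar implemented is only the small subset used in this guide (eq, neq and in on a field, joined by and/or and evaluated left to right), generalized so that in also accepts a CIDR prefix.

```python
import csv
import io
import ipaddress
import re

# Constructed Panorama traffic-log excerpt (not a real export). The columns mirror
# the fields read in Activity 4 Task 3 and Activity 6 Task 4: the 172.16.5.182 rows
# are DB-Server-2 to Web-Server sessions, the 172.16.5.201 rows are the Ubuntu-Desktop
# going out to the Internet. "Deny-Other" and 198.51.100.10 are made up.
TRAFFIC_LOG_CSV = """receive_time,src,dst,app,rule,action
2016/06/03 10:01:05,172.16.5.182,172.16.5.191,ping,From Database Group2,allow
2016/06/03 10:01:09,172.16.5.182,172.16.5.191,ssh,From Database Group2,allow
2016/06/03 10:02:11,172.16.5.181,172.16.5.191,ssh,Deny-Other,deny
2016/06/03 10:05:30,172.16.5.201,4.2.2.2,ping,Allow-To-External,allow
2016/06/03 10:05:42,172.16.5.201,198.51.100.10,web-browsing,Allow-To-External,allow
2016/06/03 10:06:01,172.16.5.201,198.51.100.10,bittorrent,Deny-Other,deny
"""

# Filter field names that differ from the log column they refer to.
FIELD_TO_COLUMN = {"addr.src": "src", "addr.dst": "dst"}

# One "( field op value )" clause, or an and/or keyword between clauses.
TOKEN = re.compile(
    r"\(\s*(?P<field>[\w.]+)\s+(?P<op>eq|neq|in)\s+(?P<value>'[^']*'|[^\s)]+)\s*\)"
    r"|(?P<join>\band\b|\bor\b)"
)


def load_log(csv_text):
    """Parse a CSV export into a list of dicts, one per log entry."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parse_filter(expr):
    """Split a filter string into [(field, op, value), ...] plus the joining keywords."""
    clauses, joins = [], []
    for m in TOKEN.finditer(expr):
        if m.group("join"):
            joins.append(m.group("join"))
        else:
            clauses.append((m.group("field"), m.group("op"), m.group("value").strip("'")))
    if not clauses or len(joins) != len(clauses) - 1:
        raise ValueError("malformed filter: %r" % expr)
    return clauses, joins


def clause_matches(entry, field, op, value):
    """Evaluate one clause against one log entry."""
    column = FIELD_TO_COLUMN.get(field, field)
    if column not in entry:
        raise ValueError("unknown filter field: %s" % field)
    actual = entry[column]
    if op == "in":
        # 'in' on an address field accepts a single host or a CIDR prefix.
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    return (actual == value) if op == "eq" else (actual != value)


def apply_filter(expr, entries):
    """Return the entries matching expr; and/or are applied left to right."""
    clauses, joins = parse_filter(expr)
    matched = []
    for entry in entries:
        result = clause_matches(entry, *clauses[0])
        for join, clause in zip(joins, clauses[1:]):
            hit = clause_matches(entry, *clause)
            result = (result and hit) if join == "and" else (result or hit)
        if result:
            matched.append(entry)
    return matched


if __name__ == "__main__":
    log = load_log(TRAFFIC_LOG_CSV)
    for expr in ("( rule eq 'From Database Group2' )", "(addr.src in 172.16.5.201)"):
        print(expr)
        for e in apply_filter(expr, log):
            print("  %(receive_time)s %(src)s -> %(dst)s %(app)s %(action)s" % e)
```

The same function answers the question Step 2 asks you to answer by eye: (addr.src in 172.16.5.201) and (action eq deny) returns just the Ubuntu-Desktop sessions the firewall refused.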

End of Activity 6.

Activity 7 – Modern Malware Protection


Background: For the past decade adversaries have been evolving dramatically, blending multiple advanced
attack techniques to evade traditional security solutions. WildFire automatically prevents and detects
targeted and unknown malware through direct observation in a virtual environment. If malware is present,
protection is created and delivered to you and to all other WildFire users within 15 minutes. WildFire is an
integral piece of the Palo Alto Networks enterprise security platform, which delivers full visibility and
control of all traffic, including tunneled, evasive, encrypted and even unknown traffic. In this activity, we
will review policy considerations, including which applications and file types the WildFire
file blocking/upload profile is applied to.

PAN-OS features used in this activity:


 Profile: WildFire
 WildFire Activity Report and online WildFire portal
 Logging and reporting for verification

In this lab you will:


 Modify existing Security Policy to enable the WildFire service
 Review built-in WildFire Activity Report

Task 1 – Enable WildFire sandbox threat analysis


Step 1: Go to the Panorama GUI and click on the “Context” menu to switch back to “Panorama” from “PA-
VM-Series”.

Step 2: Notice that when the Context is switched to “Panorama”, you will see “Device Groups” on top of
the “Policies” and “Objects” tabs, and “TEMPLATES” on top of the “Network” and “Device” tabs. This indicates
that the “Device Groups” and “Templates” options are available when you click on those tabs.

Step 3: Click on the “Policies” tab, then click on the “Device Group” drop down menu and select the “UTD-FW-
DG” device group.

Step 4: Click on “Pre-Rules” under the “Security” node on the left hand side. Then click on the policy
“Allow-To-External” to edit the policy.

Step 5: Click on the “Actions” tab in the “Security Policy Rule” window and select “Enable-WildFire” in the
“WildFire Analysis” profile drop down menu.

Step 6: Click on “OK” in the “Security Policy Rule” window to save the changes.

Step 7: Click “Commit” in the upper right hand corner to open the commit changes window. Select
“Panorama” and click “Commit”. Click “Close” once the commit has completed.

Step 8: When the Panorama commit is done, click “Commit” in the upper right hand corner again, this
time select “Device Group”, and then select the “UTD-FW-DG” device group. Notice that “Out of Sync” is
listed for the “PA-VM-Series” in the “Last Commit State” column. Click “Commit” to commit the change to
the “UTD-FW-DG” device group. Click “Close” once the commit has completed.

Task 2 – Test WildFire Modern Malware Protection


Step 1: Go back to the “Ubuntu-Desktop” window. In the Firefox browser, click on the “WildFire Sample
File” link to download the WildFire test sample file. Click “Save File” to download the file.
http://wildfire.paloaltonetworks.com/publicapi/test/pe

Step 2: Once the file is downloaded, go back to the Panorama GUI. Click on the “Monitor” tab, and then
click on the “WildFire Submissions” node under “Logs” to review the logs. Review the log entry for the file
being uploaded to the WildFire service. [Note: It may take 5-10 minutes for the WildFire logs to appear.]

Step 3: When you see the log entry, click the “Details” icon on the left hand side of the log entry. In
the “Log Info” tab, you can view the basic info on the file and the application that carries that file.

Step 4: Click on the “WildFire Analysis Report” to view the details of the analysis results. Under “WildFire
Analysis Summary”, the “Verdict” indicates that the submitted file is a malware sample, and you can
download the malware file directly from the “Sample File” link.

Step 5: Under “Dynamic Analysis”, you can see the behavior of the malware under different operating
systems. “Virtual Machine 1” is configured with Windows XP. Review the behavior and activity of the
malware. Click on “Virtual Machine 2” to review the malware behavior and activity in Windows 7.

Step 6: Explore the other features and functions offered in the WildFire Analysis Report such as
downloading the WildFire Analysis Report in PDF.

End of Activity 7.

Activity 8 – ACC and Custom Reports


Background: Informative visualization tools and reports are very important for network and security
administrators who need to monitor and identify potential network problems and attacks. The comprehensive
built-in visualization tools and reporting features in the firewall provide visibility into network activity, which in
turn can help you make more informed security decisions.

PAN-OS features to be used:


 Application Command Center (ACC) in Panorama
o Built-in visualization tools that provide a clear view of the application, user and threat
data on your network
 Manage custom reports
o Create a custom report using traffic stats logs

Task 1 – Review Application Command Center (ACC)


Step 1: In Panorama, click on the “ACC” tab and make sure “Panorama” is selected in “Context”. ACC is
configured to show data collected in the last hour; change the time to “Last 6 Hrs” in the Time drop down
menu to include all the data generated during your lab session.

Step 2: Under “Application Usage”, you can see the top applications based on usage in the network and
their respective risk levels. When the “Device Group” is set to “All”, ACC presents the data from all the
devices Panorama manages. Click on any application such as “web-browsing” to review more details for
that application.

Step 3: To investigate further, click on any entry to review the details associated with that
particular entry. For example, you can click on a destination address or URL category to drill down into the
details.

Step 4: You can delete a filter by checking that item and clicking the “-” icon. Click “Clear all” to remove
all filters.

Task 2 – Creating a custom report


Step 1: Click on the “Monitor” tab, then the “Manage Custom Reports” node (second from last).

Step 2: Click “Add” (in the lower left) and name the report “Traffic Stats” (in the “Custom Report” pop-up).

Step 3: Use the following information to create this report:

 Name: Traffic Stats
 Database: Panorama Traffic Summary
 Time Frame: Last 6 Hrs
 Selected Columns: Application, App Category, App Sub Category, Risk of App, Sessions
 Sort By: Sessions : Top 10

Step 4: Click “Run Now” (at the top of the pop-up), then click on the newly created tab “Traffic Stats” to review
the report, then export the results to a PDF report.

Step 5: Click “Ok” to save this custom report.
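As an added example of what the Traffic Stats report computes (Python, not part of the guide or of Panorama): the rows of a constructed Panorama Traffic Summary export are summed per application across the managed firewalls, joined with constructed App-ID category, sub category and risk values, sorted by the chosen column and cut to the top N. It goes one step beyond Step 3 by letting the Sort By column be any of the selected columns, so the same data can be ranked by risk instead of by session count.

```python
import csv
import io
from collections import Counter

# Constructed App-ID metadata (category, sub category, risk) for the applications in
# the sample; on a real firewall these come from the application database.
APP_META = {
    "dns":          ("networking", "infrastructure", 3),
    "web-browsing": ("general-internet", "internet-utility", 4),
    "ssl":          ("networking", "encrypted-tunnel", 4),
    "ping":         ("networking", "ip-protocol", 2),
    "icmp":         ("networking", "ip-protocol", 2),
    "ntp":          ("networking", "infrastructure", 2),
    "ldap":         ("business-systems", "auth-service", 2),
    "ssh":          ("networking", "encrypted-tunnel", 4),
    "snmp":         ("networking", "infrastructure", 2),
    "smtp":         ("collaboration", "email", 5),
    "ms-rdp":       ("networking", "remote-access", 4),
    "bittorrent":   ("general-internet", "file-sharing", 5),
}

# Constructed "Panorama Traffic Summary" rows as two managed firewalls would report
# them; the report has to add up rows for the same application ("NSX-VM-FW" is a
# made-up device name).
TRAFFIC_SUMMARY_CSV = """device,app,sessions
PA-VM-Series,dns,210
PA-VM-Series,web-browsing,120
PA-VM-Series,ssl,95
PA-VM-Series,ping,40
PA-VM-Series,icmp,25
PA-VM-Series,ntp,18
PA-VM-Series,ldap,14
PA-VM-Series,snmp,9
PA-VM-Series,smtp,7
PA-VM-Series,ms-rdp,6
PA-VM-Series,bittorrent,3
NSX-VM-FW,ssh,12
NSX-VM-FW,web-browsing,30
NSX-VM-FW,ping,5
"""

# The "Selected Columns" from Step 3, in report order.
COLUMNS = ("Application", "App Category", "App Sub Category", "Risk of App", "Sessions")


def build_report(summary_csv, sort_by="Sessions", top_n=10):
    """Sum sessions per application, attach App-ID metadata, rank and cut to top_n."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(summary_csv)):
        totals[row["app"]] += int(row["sessions"])
    rows = []
    for app, sessions in totals.items():
        category, sub_category, risk = APP_META.get(app, ("unknown", "unknown", 0))
        rows.append(dict(zip(COLUMNS, (app, category, sub_category, risk, sessions))))
    if sort_by not in COLUMNS:
        raise ValueError("cannot sort by %r" % sort_by)
    # Highest values first ("Top N" semantics); ties fall back to the session
    # count so the ordering stays meaningful when ranking by risk.
    rows.sort(key=lambda r: (r[sort_by], r["Sessions"]), reverse=True)
    return rows[:top_n]


def render(report):
    """Plain-text rendering of the report in the column order chosen in Step 3."""
    widths = [max([len(c)] + [len(str(r[c])) for r in report]) for c in COLUMNS]
    lines = ["  ".join(c.ljust(w) for c, w in zip(COLUMNS, widths))]
    for r in report:
        lines.append("  ".join(str(r[c]).ljust(w) for c, w in zip(COLUMNS, widths)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_report(TRAFFIC_SUMMARY_CSV)))
    print()
    print(render(build_report(TRAFFIC_SUMMARY_CSV, sort_by="Risk of App", top_n=3)))
```

Ranking by Risk of App surfaces the low-volume, high-risk applications (smtp and bittorrent in the sample) that a Sessions : Top 10 ranking pushes to the bottom or drops entirely.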

End of Activity 8.

Activity 9 - Feedback on Ultimate Test Drive


Thank you for attending the Ultimate Test Drive event; we hope you enjoyed the presentation and the labs
that we have prepared for you. Please take a few minutes to complete the online survey form to tell us what
you think about this event.

Task 1 – Take the online survey


Step 1: In your lab environment, click on the “Survey” tab.

Step 2: Please complete the survey and let us know what you think about this event.

End of Activity 9.

Request a free evaluation/AVR Report

Ask your Palo Alto Networks Sales Representative or Palo Alto Networks Partner for more information

Appendix-1: Alternative Login Method to Student Desktop


This appendix shows you how to log in to the student desktop using other connectivity methods. Please
complete the procedures outlined in Activity-0: Task-1 to log in to the UTD Workshop before you continue.

There are two other methods that you can use to log in to the student desktop:

- Use the “Console” feature in the workshop (Java client required)
- Use an RDP client if one is installed on your laptop

Both methods are described below; select the one that best fits what you have installed on
your laptop. Note that the RDP protocol may not be supported on all networks, so please verify that RDP is
supported at your location.

Login to the student desktop using Java Console (Java client required)


Step 1: Click on the “Student Desktop” after logging in to the UTD workshop.

Step 2: Click on the Console link “switch to Console”. This will run the Java client.

Step 3: Allow Java to run the VncViewer application. You may need to click “Run” a few times.

Step 4: Click on “Don’t Block” on the Java Security Warning message.

Step 5: After allowing the Java client to run, you will see the student desktop display. Click “Send Ctrl-
Alt-Del” to open the login window and use the Username and Password indicated in your browser, not
the ones shown below. You should be logged in to the student desktop after entering the login name and
password.

Login to the student desktop with RDP client


If you have an RDP client installed on your laptop, you have the option to connect directly to the student
desktop over RDP. [Note: the actual screen may look slightly different depending on the version of UTD you
are using.]

Step 1: Click on the “Virtual Machines” tab at the top to view all the Virtual Machines in the environment.

Step 2: Click on “More details” under the “Student Desktop”.

Step 3: Copy the URL in External Address under VM Details for the “Student Desktop”. Click on “show
password” next to Credentials to reveal the Administrator password.

Step 4: Open the RDP client on your laptop and paste the URL into the host or PC field. (Note: Not the URL
shown below.)

Step 5: Login as Administrator with the password from “Step 3”.

Step 6: Click “Connect” on the certificate error message.

Step 7: You should be connected to the student desktop after that.

Appendix-2: Support for Non-US keyboards


If you are using a non-US keyboard and have difficulties entering any characters and special keys, you can
add a keyboard to the student desktop to support what you have, or use the on-screen keyboard. This
appendix shows you how to add and select an international keyboard, or use the on-screen keyboard.

By default, the “English (United States)” and “French (France)” keyboards are added to the student
desktop. Click on the bottom left corner to switch between them.

Add new international keyboard


To add other keyboards, go to Start > Control Panel. Click on “Change keyboards or other input methods”.

Click on “Change keyboards”.

Click “Add” to add a new international keyboard. Then switch to the new keyboard as described above.

Use the on-screen keyboard


To use the on-screen keyboard:

Step 1: Click on Start > All Programs.

Step 2: Click “Accessories”.

Step 3: Click “Ease of Access” and then “On-Screen Keyboard”.

Step 4: You should now see the Windows On-Screen Keyboard. To send keys into the VM image that do
not work on your keyboard, simply select the key using the mouse.

Appendix-3: Network Diagram


Lab Setup

Device            Login                                  Management IP   Data IP
Student Desktop   Administrator / (refer to the guide)   10.30.51.51     -
Panorama          vdcstudent / utdvdc135                 10.30.51.23     -
vCenter           root / vmware                          10.30.51.21     -
NSX Manager       admin / default                        10.30.51.22     -
DB-Server-1       utdadmin / utdadmin135                 10.30.51.181    172.16.5.181
DB-Server-2       utdadmin / utdadmin135                 10.30.51.182    172.16.5.182
Web-Server        utdadmin / utdadmin135                 10.30.51.191    172.16.5.191
Ubuntu-Desktop    student / utd!35                       10.30.51.201    172.16.5.201
