Hands-on Workshop

Expedition:
Migration and Security
Assessment

http://www.paloaltonetworks.com

© 2019 Palo Alto Networks. Proprietary and Confidential

Introduction
Why this workshop, what’s in it for me?

When customers understand and leverage the value of “everything-on” L7 policies on our NGFW, we have
found that these customers purchase more solutions, quicker, and our product becomes deeply “sticky” in
their environment.

Why? The product works. The API is beautiful. Plus with tools like Expedition no other competitor can
achieve what we can. The more a customer enables in the platform the more secure they are and the
easier it can become to manage even a large environment. This widens the gap between us and the
competition. So, what’s getting in the way here? Why is this perceived to be so hard?

Most likely, it’s a combination of a few things:

• Many customers don’t know what they can and cannot do with the tool [education]*
• Many customers are used to the “old” way, and habits [and business processes]* are hard to break
[entropy]*
• Many customers are simply averse to change [fear]*

There are many tools and techniques that can mitigate, alleviate or even elimination the above obstacles;
time spent on the system with the SE and the customer, Best Practice Assessments, PS engagements,
automation and templating, etc. However, there is one tool that does perhaps the best job of eliminating
these obstacles, antidotally speaking, that many SEs are either not familiar with or are but are unaware of
how to use the tool in the most effective, playbook-oriented way. That tool is Expedition, and this session
is designed to educate you on how to use it to its optimum effectiveness in the sales engagement.

Given the context from the above statements, we would assume that we have helped more customers
(either during the initial sales process or after they have entered deployment) achieve a state of deep,
ubiquitous use of our NGFW technologies and solutions…but as we all know, for many if not most of our
customers, this is decidedly NOT the case.

We have also [tagged] each activity with a use identifier. Each case may be useful to either [white-space]*
accounts or [existing accounts]* or in some cases both. Look for those tags, Expedition has strong features
for even the longest existing customers.
*Throughout the guide you will see the above [<context>] anchored in various places. These are to call out reference points back to the above 3 atomic bullet
points. Use this as part of your POC planning to drive certain points with your customers.

Page 2
Activity 0 – Prepare The Environment
In this activity, you will:
• Start up or login to the lab environment

Task 1 – Log in to your Workshop Environment

Step 1

• If you are performing this lab in a classroom with an instructor, ask your instructor what URL to go
to, and the login credentials. Browse to that URL and login.
• If you are performing this lab on your own time, follow the steps in Appendix A to request a lab
environment. Login to that lab environment, and proceed with the next step.

Step 2 You will be prompted to login to a Windows 10 machine. Login as acme\administrator, with
password of “paloalto”. Now open Chrome on the Windows 10 client to bring up GUIs for:
• VM-50 at 192.168.55.10 (admin/paloalto)
• Expedition at 192.168.55.120 (admin/paloalto)
Login to both. Keep those two tabs open. You will be completing this lab via those two GUIs.

Page 3
Activity 1 – Creating a Project

Activity Introduction

At the heart of any activity with Expedition is “the Project.” This simple start exercise will take you
step by step through creating a project and identify possible ‘why isn’t this working’ situations that
may arise during “Proof of Concepts” or “Evaluations.”

Task 1 – Creating a Project

Step 1: Within Expedition, navigate in the Expedition GUI to the tab called Devices. Confirm that there is a
firewall already listed there. If not, add the VM-50 device now.

Step 2: Navigate to the tab called PROJECTS and click on the plus icon located at the end of the header
called LIBRARY to create a new project.

Page 4
Step 3: Fill the fields with the following information to create the project:

Field Value
Name SESummit2019
Source device Select the firewall pan-panos-vm50
Purpose of this project Workshop (this is only statistical)

Note: With these steps we have created the project and attached the firewall to it. We can modify
these settings by clicking on “settings” on the selected Project.

Step 4: Double click on the project called SESummit2019 to get access to it.

Step 5: From the new view select the IMPORT tab and double click on the device called pan-panos-vm50
to start the import process. (Note: you can also click the green import button, both are correct.)

Page 5
Step 6: After importing, Expedition will show you a Global Summary screen about the objects and rules
imported. Scroll down on the Global Summary to see the results.

App-ID and User-ID charts show the percentage of rules found using them and the third chart is
related to the Best Practices Assessment Tool.

End of Activity 1

Page 6
Activity 2 – PAN-OS Traffic Logs (The Core of
the Magic)

Activity Introduction

The Palo Alto Networks traffic logs are the most powerful data records generated by a network
security device, they come with such level of details about who was the user, what was the
application used, when it happened. That makes our logs key to evaluate risks and propose new
rules based on a multitude of indicators. This is why Expedition needs the logs generated by our
technology to provide better security suggestions.

Expedition is capable of ingesting CSV files generated directly from our firewalls. This exercise will
use pan-panos-vm50.

In larger environments with heavy logging requirements, it may be more effective to use a Syslog
server, however that is out of scope for our uses of Expedition in sales.

In this activity you will:

• Configure your VM-Series firewall to export traffic logs every day to your Expedition VM
• Configure Expedition to import the VM-Series firewall config and bind with the exported logs
• Use sample logs for machine learning

Task 1 – VM-Series: Configure Scheduled Log Export

You will now configure your VM-Series for log export. This is the procedure your customers will use
during a Proof of Concept (POC). This task will show you how to configure your NGFW to export
daily the logs to Expedition by using SCP (using a secure channel). With this process you don’t
need to worry about doing any addition tasks to get the logs out from your PanOS device. Some of
you may have already performed this step, if so, read through to the next task.

Step 1: Log in to the NGFW GUI (admin / paloalto) if you are not already logged in.

Step 2: Go to Device tab and select from the left panel “Scheduled Log Export”. Click on Add button and fill
the fields with the information in the screenshot (Note: All passwords are paloalto unless otherwise
indicated):

Page 7
Step 3: Click on Test SCP Server connection to retrieve the SSH keys, click on Confirm.

If this fails, check your password and logging location. Those are the most common issues.

Page 8
Step 4: Click again on Test SCP Server connection to validate we can write on that folder

/PALogs

Click OK. Commit your configuration. Ignore any warnings.

Note: With this our VM-Series Firewall will start sending logs every day at the time you selected to Expedition.
For this Lab we have already uploaded some log files to that folder, and we don’t need to wait to start working
on this next activity.

Page 9
Task 2 – Update Policy for Devices
Expedition allow us to connect to a PanOS device using API keys. When it connects to the device and
retrieves the configuration, it keeps that configuration encrypted on the hard drive. That said if you make
changes in the PanOS device and you want to update the configuration we had stored in Expedition you
have to repeat the process to retrieve the running or candidate config again. This is a useful process during
a Proof of Concept as well. When you make changes to the ‘eval’ config, this procedure below can be used
to update the candidate configuration.

Page 10
Step 1: Within the Expedition GUI, exit your project.

Step 2: Go to the DASHBOARD tab. Do you see an exclamation mark in a red circle on the left side? If yes,
click the green START button underneath to start the PANAgent service.

Page 11
Step 3: Go to the DEVICES tab. Edit the Device by double-click on it or clicking on the Edit icon located
near the row’s end. Go to the CONTENTS TAB. On this screen you can download the configuration
of the firewall. To do that, at the bottom, click on Retrieve Contents and select Running Configuration

Click on Save after the process ends, and you will be returned to this screen:

Page 12
Step 4: Edit the pan-panos-vm50 again. Go to M.LEARNING TAB located at the end of the Device Edit
Window.

Enter into the Search Files field /PALogs/* and click Search Files. This field tells Expedition where
to look for your firewall logs. In our case we are configured for the directory /PALogs/*. The asterisk
is important, as this tells the search to “look through all files for a match.”

Your list of files may not match the below screenshot. This is OKAY. As long as you have at least
one CSV file, you have what you need for the rest of the workshop.

Click Save.

Page 13
Task 3 – Process Log Files

Step 1: From the DEVICE tab click the tiny play button in the upper right in between the edit button and
the trash button. This tells the panAgents engine to process any logs it has waiting.

This process can take up to 5 minutes. Edit the device and go to the M LEARNING tab. The screen
will now show this, which means it is processing:

Please note, log parsing is processor intensive. The larger and more complex the traffic logs, the
longer and more CPU intensive the process. In practice, more logs = better results.

Click the refresh icon. You will see a green checkmark at the end when the file has been processed
correctly.

Page 14
POC Note: During PoC or production use, it is good to note log files match on the device serial number
(SN). If logs are not appearing, chances are the SN does not match and your source may be a different
firewall than what is being matched. Logs MUST match SN.

This process can be tracked from the cli as well, just enter via cli to Expedition and run as root.

# tail -f /tmp/error_logCoCo

This process will convert the CSV logs into a new file called PARQUET and will be stored in the folder
“/datastore”. This directory is already configured. This process will reduce the amount of disk we need
for the data analysis. Example: A log file with 100MB, if we compress to zip it will be reduced to 10MB,
after ingesting the data and store as PARQUET format the same data will only occupy 1MB approx. We
create a new dataset from the large logfile and in the example above reduce a 100MB log file to 1MB
for processing. This allows us to both reuse the log data and go through it much faster.

Click Save when the process is completed.

Page 15
Activity 3 – Rule Enrichment

Activity Introduction

For both [existing customer] and [white-space] rule enrichment is a key area. Imagine a POC in which
using customer log data you could take a Layer 4 tcp port 80 and 443 rule and turn it into the vast amount
of applications we know are present? Using the following activity as a demo and or process in your POC is
one way to ‘change the customers mind’ when it comes to App-ID.

In this activity you will:

• Create a Log Connector. This is used to tell Expedition which Firewall we want to read the logs
imported from.
• Run the Rule Enrichment functionality to learn all the missing parameters from our security policies
and update them to reduce the Attack Surface starting with the security Zones.

Task 1 – The Log Connector

A Log Connector is a way to filter the information from all the logs we have stored in the PARQUET format
(the parsed CSV). When we create a Log Connector we are focusing only in some data and focusing on a
specific period of time. If you attempt to create a log connector and it fails, this is likely due to not importing
the PANOS device into the project.

Step 1: From inside the SESummit2019 Project, navigate to PLUGINS tab. Under PAN-OS
CONNECTORS click on the plus button of the LOG grid.

Page 16
Step 2: Fill the fields with this information

Field Value
Connector Name pan-panos-vm50-connector
Device Select the firewall
Virtual System vsys1
Period Custom
Start Date 2018/12/01
End Date 2019/02/01

Step 3: Click on Save. This will automatically create the Log connector and make it active.

Note: You can see the active log Connector from the bar below the grid. It’s mandatory to have one Active
in order to use Rule Enrichment.

Page 17
Task 2 – Set Rules for Enrichment

In this task we will set three rules to monitor for rule enrichment [existing customer] [white-space]
[business process] [fear]. This procedure can be used in POC on customer’s existing rules using their traffic
for log analysis. This should be considered for both POC and existing customer app onboarding process.

Step 1: In Expedition, navigate to the POLICIES tab

Step 2: In the bottom bar, change the vsys to vsys1. This will enable the Security Policies view. Make sure
the config is the pan-panos config.

Step 3: Select the following Rule Names, use the Ctrl + click to do it:

• Northbound-DNS

• Northbound-Web

• Northbound-SSH

Step 4: With the Rules selected right click over one and select Rule Enrichment -> Monitor (Selection)

This will tag all the Selected Rules to be analyzed by the Rule Enrichment functionality

Note that a new TAG called “RE Enabled” has been added.

Page 18
Step 5: Let’s use the right-click from one of the rules to apply a predefined filter to show only the Rules with
the Rule Enrichment Tag

Step 6: Located on the bottom bar, click on the green button called “Discovery”

Step 7: A new window will show up. Select the TAB called RULE ENRICHMENT.

Step 8: Click on the Analyze Data blue button to start the analysis. (it can take up to 2 minutes and results
will appear in the window when completed).

This process will check for all the rules tagged with RE Enabled (Rule Enrichment) tag and start the
analysis in the backend. Rule Enrichment will group all the data seen by rule and show it grouped.

Step 9: (Optional) You can monitor the progress from the GUI or CLI:

• For CLI: tail -f /tmp/error_SecRulesEnrich

• From GUI: After click on Analyze a URL will show up in the middle of the progress bar. If
you click on that URL you will see the progress from another html page.

Page 19
Task 3 – Enrich App-ID

Let’s continue working with this Security Policies and reuse the analysis we did to reduce the attack surface
on the rule named Outbound DNS by adding the App-ID seen [existing customer] [white-space] [education].

Step 1: Return to the RULE ENRICHMENT TAB (unless you never left)

Step 2: Select the Rule named Northbound-DNS

Step 3: Click on the IMPORT INTO PROJECT panel

Step 4: Follow these instructions

a. Apply to: Selection

b. Check Application

c. Update to: replace rule

d. Validate the SOURCE is pan-panos-vm50_XXX.xml

e. Validate the VSYS/DG is vsys1

f. Click on Import button. The bar at the very bottom of the screen will say “pending…”. Click
Close.

Step 5: Close the Window review the updated policy.

Page 20
Step 6: Review the Security Rule called Northbound-DNS. Look for the application column to now have
the listed all of the APP-IDs discovered [Education] [Entropy].

Page 21
Activity 4 – Rule Suggestions by Machine
Learning

Activity Introduction

In this activity you will:

• Run the Machine Learning Analysis to get Security Policies Suggestions to reduce the Attack surface

During a Proof of Concept or in a Demo, having rules generate (accurately) from traffic on an ‘allow all’ policy
can be quite eye opening. Imagine a default TAP rule in place on a standard SLR eval, now go one step
further and imagine machine learning producing several policies based on customer traffic, with App-ID
[education] [entropy] [fear] [white-space].

Technical Difference: Machine Learning and Rule Enrichment

It’s important to understand the differences between Machine Learning and Rule Enrichment.

When we use Rule Enrichment Expedition will group all the data by Rule Name and it will create a rule with
all the traffic seen with Users, another one with the traffic seen without users, another one with the traffic
where the applications where found through their default-port and another one with the traffic where the
applications were found on a port different the default port.

That means with Rule Enrichment we will get a maximum of 4 rules created/suggested by each rule we are
analyzing.

In case to use Machine Learning, what Expedition will do is to create as much rules as consumptions models
we were able to identify from the traffic analyzed. That means we can get tons of rules from any rule selected
for the analysis.

Machine Learning must be used when a security policy can lead us to have like a new ruleset basically
because the rule itself was too wide open, like when we are on a Green Field and we have mostly one rule
that allows all the traffic from trust to untrust, there we want to know applications are present and who is
consuming what from the network.

To demonstrate this, we will show how a simple Rule that allows all the traffic between some Zones will be
transformed in many new Rules more specific to reduce the attack surface and create a new security ruleset.

Page 22
Task 1 – Set Rules for M. Learning

Step 1: Check we have a Log connector created and Active on the PLUGINS TAB:

Step 2: Navigate to the POLICIES Tab. Clear all filters such that you can see all 5 security policies.

Step 3: Now select the Rule Name 3) allow all. Right-click and select Machine Learning -> Monitor ->
Selection to enable the rule for being analyzed.

Step 4: Check the Rule now is tagged with ML Enabled

Step 5: Click on the green button Discovery

Step 6: The first TAB is called ANALYSIS RESULT. On the right panel, there is a button named Analyze
Data. The button can be extended by clicking on the arrow.

• Cloud: Means Expedition will consider some applications as Cloud, when found in the
traffic the destination ip addresses will be considered as “any” since they can dynamically
change and doesn’t make sense to keep the ones the network resolved in the moment we
captured the traffic.

Page 23
 • Common: Are considered common applications those that are present in all the networks
and generates a huge volume of logs. Ex: ping, dns, ldap. In some cases, you won’t want
to waste resources to analyze logs related to those applications to speed up the analysis
for other applications. In case Expedition finds traffic regarding those applications will be
considered as source “any” and destination “any”. Ex: ping Rule suggested ANY – ANY –
ping – ALLOW

• Peer-to-Peer: All the applications classified as peer to peer by Palo Alto Networks.

• Global: All the other applications. Expedition will analyze sources, destinations, users,
service ports to suggest Rules based on how they are consumed.

Step 7: Click on Analyze Data to start the analysis. Wait until a URL is shown in the progress bar. Click on
the URL and see the Spark Job status. It will take a few minutes before you will see results in the
screen below.

This is the result of the analysis for a single rule. This is all the Rules suggested based on how the
applications have been consumed. In this case there are no users.

Tag tells you the container for the APP. In this case all were Global.
Page 24
Task 2 – Import Suggested Rules

While still viewing the ANALYSIS RESULT tab, do the following:

Step 1: Select all the Rules

Step 2: Click on the right panel called IMPORT INTO PROJECT.

Step 3: Validate the following options are checked:

a. Apply to: Selection

b. Objects: All Checked

c. Transform: Unchecked

d. SOURCE: pan-panos-vm50-XXX.xml

e. VSYS/DG: vsys1

Step 4: Click on Import.

Page 25
Step 5: Close the Discovery window

Step 6: Click on the button to Clear all to show all the Security Rules and remove the last filter
applied.

Step 7: After importing, scroll down on the Security Policy and review all the new policies.

Step 8: Rules can be edited both individually and Multi-Edit. In this import, there are some zones that don’t
match. If you look at the screenshot above and or in your import, the zone inconsistency pattern
should jump out at you (hint: it is L3-Trust and L3-Untrust). Highlight all the rules with L3-Trust and
L3-Untrust, then click Multi-Edit. Change the L3-Trust and L3-Untrust to match your current zones.

Page 26
 For bonus points, can anyone identify the Massive Multi-Player App-ID? During the class the first
SE to identify the MMO App-ID, the instructor will by them beverage of choice (e.g. Coffee, Beer,
etc).

Close the “Content learned from Expedition-ML" window.

Step 9: You should be viewing the list of all the security policies. After the importation of the new rules
from the allow all rule we can disable it by selecting and clicking on the options icon located at the
header of the view to the right.

End of Activity 4

Page 27
Activity 5 – Best Practices Adoption

Activity Introduction

Think of a conversation that could be had when talking about AUTOMATIC remediation? Keep in mind the
Best Practices Adoption (BPA) engine in Expedition has a limited subset of auto-remediated items. Pro
Services has nicked named those steps “No Brainer” changes. In our research, we’ve come to call them
“non-resume generating” changes [fear]. This tool will demonstrate some integrated automation and provide
trending and metrics [existing customer] [business process].

Palo Alto Networks has been working on having a collection of Best Practices to help our customers use the
most of our functionality in the best way as possible. In 2017, Palo Alto Networks created a tool called Best
Practices Assessment Tool to evaluate PanOS configurations and provide feedback to guide on how to
improve those configurations.

Expedition has gone one step beyond and has integrated the Best Practices Assessment Tool and
implemented some remediations inside to be automatically configured to be in compliant of the Assessment
Tool.

In this activity you will:

• Analyze your Firewall configuration against the Best Practices Assessment Tool from within
Expedition
• Enforce remediation automatically to increase the security on the Platform
• Export the Changes back to the firewall by using API Integration

Task 1 – Run the Best Practices Analysis

Introduction

This tool puts the power of a BPA in the hands of the Expedition user (e.g., Partner SE, Palo Alto Networks
SE, customer). This is an offline way to compare, trend and analyze configurations as compared to our
Best Practices and trend improvement.

Step 1: Navigate from within the Project to the BEST PRACTICES tab. Click on the Start Analysis green
button

Note: The BPAT will only work if we have one Base Configuration loaded in the Project. Remember the base
Configuration it’s a Palo Alto Networks configuration and can be set as Base Configuration from the EXPORT
tab.

Page 28
Step 2: After the process ends you can read the last Run date to confirm that was just executed

Let’s understand the charts:

The first charts are telling you the amount of best practices passed vs the failed ones by TOPIC. Take as
Topic Device for instance, that means all the checks we evaluated under the DEVICE Tab from a PANOS
device.

The next percentage is showing that, the percentage of the checks Passed, in this example 34.2% of the
total checks has been passed.

Take a look to the blue bag, that blue bar tells us there are 20 checks that Expedition can remediate
automatically. On summary we passed 40 checks and failed 59.

Next chart is showing us the amount of checks that Expedition can remediate by Topic, in our case all the
checks that can be remediated are under the Device Topic only and the percentage is telling us if we
remediate them we will increase the best practice adoption to 49.6% instead the 34.2% we have if we don’t
remediate them.

The Radar chart just shows us how we are doing the adoption by topic, our goal is always try to cover the
whole Radar chart with green (100% passed) but not all the environments are equal, in case we don’t need

Page 29
SSL Decrypt or HA those will stay in 0 so we will never reach 100% of the checks passed but it will be ok
because we don’t need them.

In this case we have a lot of room for improvement, starting with properly configure the Dynamic Updates for
instance.

Task 2 – Export Report to Excel

Step 1: From within the Project and keeping selected the Best Practices Tab, let’s select the next sub-tab
called Analysis.

Step 2: Open from the Tree located at the left the Device option and then select Administrators

This will show us two panels; the left panel shows the different topics (Device, Objects, Policies,
Network and Panorama in case the configuration comes from Panorama) and the right panel who
will show us the checks associated to the selected topic. The left panel will act as filter for the right’s
panel.

Page 30
Let’s Export all the Checks to an Excel file:

Step 3: Click on the Export Excel blue button located at the bottom right of the current view.

Step 4: Open it if you have Excel and review it.

You can use this Excel file to track your changes and review them before plan how to remediate all you
can.

Page 31
Task 3 – Apply remediation to the failed Checks

There is a common question that is asked by customers “why are there so few automatic remediations?”
Answer is simple, there are some things that cannot be decided for the customer. If the customer is looking
for a secure template, refer them to the Iron Skillet toolset (also included in Expedition!). The auto-
remediation items in Expedition are the “non-resume generating changes” or in other words “Safe, and no
brainer changes” that should be done every time. You will get these questions and it is good to know the
difference between BPA remediation and Iron Skillet (templated best practice).

Step 1: On the left hand side, click on Authentication Settings. In the right panel, examine the gray bag
icon at the right of the view. If it’s dark gray indicates that check can be automatically remediate.

In this case the last 3 checks can be remediated by the recommended values.

Step 2: Select “Idle Timeout” and “Lockout Time”

Step 3: Click on Remediate. Both will now show a green checkmark.

Page 32
We can add more information related to the Check itself and the recommendation by showing a hidden
column called references, in case there are any they will be web references that can be clicked to follow
the link

Point your mouse to one of the columns and when the arrow shows up click on Columns -> Reference

Step 4: Go back to the Dashboard and recheck the percentage of the Passed Checks

If we want to apply Remediation to the entire Devices Topic:

Step 5: From the Analysis tab click on the device option and select all the items that can be remediated
(look for the luggage icon with the medical symbol on them).

Step 6: Click on Remediate, that will remediate all the options.

Page 33
Step 7: Go back to the Dashboard to check that the remediation was applied

So now both are equal. All the other checks can be fixed by hand now from Expedition or from your PanOS
device. Note the final % and the initial 49.6% differ because during the production of the lab, the author
clicked analyze once to many.

Page 34
Task 4 – Reviewing the Security Policies Best Practices

Step 1: Navigate to the next Tab named Security Policies

This view shows some checks against the security policies configuration best practices, you can see how
your security policies has been implemented. Goal is to follow the best practices at the time to manage the
Security rules like ensure all the rules have Description, or you are not abusing of the LOG START that can
create tons of logs.

Step 2: Expand the Rule under vsys1 to view all the checks.

Step 3: Point your mouse in the icon for pass / failed to see the check description

Step 4: Review check patterns and see if you can identify any PoC conversation points. (next to no log
forwarding jumps out rather quickly.)

Page 35
Note: The remediate function here allows you to correct Lot on Start and DSRI failed checks. In our
example we passed.

End Activity

Page 36
Activity 6 – Export changes via API
Activity Introduction
Getting your changes from Expedition to the platform is simple [fear] [education]. Even though we are
making bulk API based changes, this is no different than a major change and commit. Standard [business
process] applies here.

This process can also be useful for bulk changes using the multi-edit function (see appendix extras). Have
you ever had a customer ask: “Is there a way I can make a change to 121 rules at the same time?” Now you
can reply with “Yes, with the multi-edit and API export functions in Expedition, we can do that!
[education]”

This activity takes you through the steps of API export.

Step 1: Navigate to EXPORT tab and click on API Output Manager

Step 2: Check the Atomic option is selected from the bottom bar

• Atomic Calls are API calls that contains in a single call the whole list of elements,
example one API call will have all the address objects for a specific vsys

• SubAtomic: A single API call will contain a single object, so that means for the case of
the address if you have 100 address you will get 100 API calls.

Step 3: Click on [Step 1] Generate API Requests

This will try to generate the XML output using your Base configuration plus the changes we made from
the GUI, after that the API calls will be shown on the view

Page 37
 The Id tells you the order in case you want to be selective at the time to push the API calls back to your
firewall, remember if we have address Groups we need to send first the Address because them can be
members of the groups. So, the order on how you send the API calls matters. Expedition with the ID will
in case you select some API calls it will send in the right order automatically.

If you don’t select any API call but you press the [Step 2] Send API Request ALL the API calls will be
sent in the right order.

Step 4: Don’t select any Rule and click on the [Step 2] Send API Requests

Step 5: A new window will be shown, then you can select the devices where to push the API calls, in our
Case only the pan-panos-vm50 will be shown

Step 6: Select the pan-panos-vm50 and click on SEND

Step 7: Review if all the API calls were successfully exported by reading the Device Response column.
Did any fail? Which Ones? Why?

Page 38
Step 8: You can see the content of the API calls by double clicking on each one

Note: An API call is made by the Mode (EDIT, SET, DELETE, etc), the XPATH where to place the object
and the element that contains the XML schema.

End of Activity

Page 39
Appendix A
How to request the Expedition lab environment
1. Go to this URL https://demo.panwlabs.net , and click the link to request the Expedition lab
environment. Click Start:

2. You will be prompted for a password. The password is “GoPaloAltoNetworks”.

3. Enter your name, email address, and company name. Submit the information. A lab request will be
generated.
4. Check your email. You will first receive an email from [email protected] confirming the
request. A few minutes later, you will receive an email with the login information.
5. Go ahead and login to the environment with the provided information.
6. You can now return to page 3 of this lab.

Page 40