Firewall Essentials: Configuration and Management (EDU-210)

Module 1 – Palo Alto Networks Portfolio and Architecture

• Securing the Transformed Enterprise
• Key Elements
• Securing the Cloud
• Securing the Future
• Palo Alto Networks Single-Pass Architecture
• Palo Alto Networks Firewall Architecture
• Zero Trust Architecture
• Flexible Architecture
• PA-Series Next-Generation Firewalls
• Virtual Systems
• VM-Series Models and Capacities
• CN-Series Firewall
• K2-Series Next-Generation Firewall: 5G Network
• Prisma Access: Secure Access Service Edge (SASE)

Module 2 – Configuring Initial Firewall Settings

• Initial Access to the Firewall
• Administrative Access Tools
• Initial Login to the Web Interface
• Reset to Factory Configuration
• Web Interface
• Web Interface Editing Guidance
• MGT Interface Configuration: Web Interface
• Other Initial Configuration Settings
• Configure Access to DNS and NTP Services
• Service Routes
• Configure Service Routes
• Activate a Firewall
• Manage Firewall Licenses
• PAN-OS Software Updates
• Dynamic Updates

Lab 2: Configuring Initial Firewall Settings

• Connect to Your Student Firewall
• Configure the DNS and NTP Servers
• Configure General Settings
• Modify Management Interface
• Check for New PAN-OS Software

Module 3 – Managing Firewall Configurations

• Firewall Configuration Types
• Firewall Configuration Actions
• Running and Candidate Configuration Interactions
• Configuration Operations
• Full Commit
• Per-Admin Commit
• Commit Status Window
• Per-Administrator Save and Revert
• Preview and Validate Configuration Changes
• Transaction Locks and Multiple Administrators
• Accessing Firewall Logs
• View and Filter a Log
• Filter a Log Using the Filter Builder

Lab 3: Managing Firewall Configurations

• Save a Named Configuration Snapshot
• Export a Named Configuration Snapshot
• Revert Ongoing Configuration Changes
• Preview Configuration Changes
• Modify System Log File Columns
• Create a System Log File Filter
• Use the Filter Builder

Module 4 – Managing Firewall Administrator Accounts

• Administrator Accounts and Roles
• PAN-OS Supported Authentication Services
• When Are Users Authenticated?
• Configure Authentication “to” the Firewall
• Configure Authentication “Through” the Firewall
• User Authorization “to” and “Through” the Firewall
• Dynamic Admin Roles
• Create Custom Role-Based Admin Roles
• Create a Local (Non-Database) Administrator Account
• Create a User in the User Database
• Create a Local Database Authentication Profile
• Authentication Profile: Advanced Tab
• Create an Administrator Account from a Local Database User
• Create a Non-Local Administrator Account
• Firewall Authentication of Non-Local Passwords
• Configure Server Profiles
• Configure Authentication Profiles
• Configure an Authentication Sequence
• Administrator Authentication Methods
• User Certificate
• Configure a Certificate Profile
• Configure Firewall Authentication Settings
• Create an Administrator Account for Non-Interactive Login

Lab 4: Managing Firewall Administrator Accounts

• Create a Local Database Authentication Profile
• Create a Local User Database Account
• Create an Administrator Account
• Log in With New Admin Account
• Configure LDAP Authentication
• Log in With New Admin Account
• Configure RADIUS Authentication
• Log in With New Admin Account
• Configure an Authentication Sequence

Module 5 – Connecting the Firewall to Production Networks with Security Zones

• Network Segmentation
• Network Segmentation and Security Zones
• Configure Security Policy to Support Segmentation
• Zero Trust Architecture
• Network Interfaces
• Interface Types and Zone Types
• Create a Security Zone
• Flexible Deployment Options for Ethernet Interfaces
• Tap Interfaces
• Configure a Tap Interface
• Virtual Wire Interfaces
• Configure a Virtual Wire Object
• Configure a Virtual Wire Interface
• Layer 3 Interfaces
• Enable IPv4 and IPv6 Support
• Configure a Layer 3 Interface: Config
• Configure a Layer 3 Interface: IPv4
• Configure a Layer 3 Interface: Advanced
• Interface Management Profile
• Layer 3 Subinterfaces
• Configure a Layer 3 Subinterface
• Virtual Routers
• Virtual Router General Settings
• Add a Static Default Route
• Multiple Static Default Routes
• Static Route Path Monitoring
• Troubleshoot Routing

Lab 5: Connecting the Firewall to Production Networks with Security Zones

• Create Layer 3 Network Interfaces
• Create a Layer 3 Interface on ethernet1/1
• Create a Layer 3 Interface on ethernet1/2
• Create a Layer 3 Interface on ethernet1/3
• Create a Virtual Router
• Segment Your Production Network Using Security Zones
• Test Connectivity to Each Zone
• Test Interface Access before Management Profiles
• Define Interface Management Profiles
• Apply Allow-ping to ethernet1/1
• Apply Allow-mgt to ethernet1/2
• Apply Allow-mgt to ethernet1/3
• Test Interface Access after Management Profiles

Module 6 – Creating and Managing Security Policies

• Flow Logic of the Next-Generation Firewall
• Inspect and Control Network Traffic
• Sessions and Flows
• Display Security Policy Rules
• Manage the Policy Ruleset
• Security Policy Rule Types
• Custom and Predefined Rules
• Security Policy Rule Match
• Policy Rule Hit Count
• Rule Shadowing
• Configure a Security Policy Rule: General Tab
• Rule Changes Archive
• Configure a Security Policy Rule: Source Tab
• Configure a Security Policy Rule: Destination Tab
• Configure a Security Policy Rule: Application Tab
• Unresolved Dependencies Reported During a Commit
• Configure a Security Policy Rule: Service/URL Category Tab
• Configure a New Service Definition
• Configure a Security Policy Rule: Actions Settings
• Schedule Security Policy Rules
• Configure a Security Policy Rule: Usage Settings
• Enable Intrazone and Interzone Logging
• Find Unused Security Policy Rules
• Rule Usage Filter
• Create an Address Object
• Create a Static Address Group
• Create a Dynamic Address Group
• Tags
• Tag-Based Rule Groups
• Test Policy Functionality
• Use Global Find

Lab 6: Creating and Managing Security Policy Rules

• Create Security Policy Rule
• Modify Security Policy Table Columns
• Test New Security Policy Rule
• Examine Rule Hit Count
• Reset the Rule Hit Counter
• Examine the Traffic Log
• Enable Logging for Default Interzone Rule
• Create Block Rules for Known-Bad IP Addresses
• Create Security Rules for Internet Access
• Create Users to Internet Security Policy Rule
• Create Extranet to Internet Security Policy Rule

Module 7 – Creating and Managing NAT Policy Rules Flow Logic of the Next-Generation Firewall

• NAT Types
• Source NAT
• Source NAT Types
• Source NAT and Security Policies
• Configure Source NAT
• Source NAT Examples
• Source NAT Examples (Cont.)
• DIPP NAT Oversubscription
• Destination NAT
• Destination NAT Attributes
• Dynamic IP Address Support for Destination NAT
• Destination NAT and Security Policies
• Example: Destination NAT and Security Policies
• Configure Destination NAT
• Destination NAT Port Translation Configuration
• Configure Bidirectional Source NAT

Lab 7: Creating and Managing NAT Policy Rules

• Create a Source NAT Policy Rule
• Verify Internet Connectivity
• Create a Destination NAT Policy
• Test the Destination NAT Rule

Module 8 – Controlling Application Usage with App-ID

• What Is an Application?
• What Is App-ID?
• App-ID Application Identification
• Port-Based Versus Next-Generation Firewalls
• Zero-Day Malware: IPS Versus App-ID
• App-ID and TCP
• Classifying (Labeling) TCP Traffic
• App-ID and UDP
• Classifying (Labeling) UDP Traffic
• Application Shifts
• Application Dependencies
• View Application Dependencies Before Modifying a Rule
• View Unresolved Dependencies Reported After a Commit
• Implicit Applications
• Determine Implicitly Used Applications
• Application Groups
• Application Filters
• Nested Application Groups and Filters
• Predefined and Custom Application Tags
• App-ID in Policy Rules Reduces the Attack Surface
• Application Block Page
• View Applications used in the Traffic Log
• Differentiating Between Known and Unknown Applications
• Control Unknown Applications
• Control Applications on SSL-Secure Ports
• Control Applications on Non-Standard Ports
• Identify Applications in Decrypted SSL Traffic

• Identify Applications in Encrypted SSL Traffic
• Policy Optimizer
• Moving to Application-Based Policies
• Phase 1: Migrate Port-Based Rules
• Phase 2: View Data of Port-Based Rules
• Phase 2: Discover Applications Matching a Port-Based Rule
• Phase 2: Clone a Port-Based Rule Using “Create Cloned Rule”
• Result of “Create Cloned Rule”
• Phase 2: Replace a Port-Based Rule Using “Add to This Rule”
• Result of “Add to This Rule”
• Phase 2: Replace a Port-Based Rule Using “Add to Existing
Rule”
• Result of “Add to Existing Rule”
• Phase 2: Replace a Port-Based Rule Using “Match Usage”
• Result of “Match Usage”
• Prioritize Port-Based Rules to Convert
• Phase 3: Review Port-Based Rules
• Phase 3: Disable Port-Based Rules
• Phase 3: Remove Port-Based Rules
• App-ID and Content-ID Depend on Content Updates
• Schedule Download and Install
• Review Content Update Release Notes
• Review New and Updated Application Details
• Review Policies

Lab 8: Controlling Application Usage with App-ID

• Configure an Application Group
• Configure a Security Policy Rule to Allow Update Traffic
• Test the Allow-PANW-Apps Security Policy Rule
• Examine the Tasks list to see Shadowed message
• Modify the Security Policy to Function Properly
• Test the Modified Security Policy Rule
• Generate Application Traffic
• Research Applications
• Update Security Policy Rules
• Test the Updated Security Policy Rules
• Enable the Application Block Page
• Test the Application Block Page

Module 9 – Blocking Known Threats Using Security Profiles

• Flow Logic of the Next-Generation Firewall
• Introducing Content-ID
• Security Policy with Security Profiles
• Security Profile Types
• Threat Log
• Default Vulnerability Protection Security Profiles
• Vulnerability Protection Profile Rules
• Vulnerability Exceptions
• Default Antivirus Security Profile
• Creating a New Antivirus Profile
• Antivirus Profile Signature Exceptions
• Antivirus Profile WildFire Inline Machine Learning
• Default Anti-Spyware Security Profiles
• Configuring Anti-Spyware Profile Rules
• Anti-Spyware Exceptions
• Configure DNS Signature Match Protection
• Sinkhole Operation
• View Malicious Domains in the Threat Log
• File Blocking Overview
• Creating a New File Blocking Profile
• Continue Response Page
• Blocking Multi-Level Encoded Files
• View Blocked Files in the Data Filtering Log
• Creating a Data Pattern
• Creating a Data Filtering Profile
• View the Data Filtering Log
• Assigning Security Profiles to Security Rules
• Security Profile Groups
• Security Policy Rules
• Denial-of-Service Attacks
• PAN-OS Denial-of-Service Protections
• Flood Protection Thresholds
• Zone Protection: Network Reconnaissance
• Enabling Reconnaissance Protection
• Packet-Based Attacks
• Zone Protection: IP Drop
• Zone Protection: TCP Drop
• Zone Protection: Non-SYN TCP
• Zone Protection: ICMP Drop
• Zone Protection: ICMPv6 Drop
• Zone Protection: Protocol Protection
• Zone Protection: Ethernet SGT Protection
• Enable Zone Protection

Lab 9: Blocking Known Threats Using Security Profiles

• Generate Traffic Without Security Profiles
• Create a Corporate Antivirus Profile
• Create A Corporate Vulnerability Security Profile
• Create a Corporate File Blocking Profile
• Create a Corporate Data Filtering Profile
• Create a Corporate Anti-Spyware Security Profile
• Create an External Dynamic List for Malicious Domains
• Update the Anti-Spyware Profile with EDL
• Create a Security Profile Group
• Apply the Corp-Profiles-Group to Security Policy Rules
• Generate Attack Traffic to Test Security Profiles

Module 10 – Blocking inappropriate web traffic with URL filtering

• Challenges with Preventing Web-Based Threats
• URL Filtering Features
• URL Filtering Profiles
• URL Category: Policy Versus Profile
• URL Filtering Log
• URL Filtering Security Profile
• URL Filtering Security Default Categories
• Multi-Category and Risk-Based URL Filtering
• Configure Per-URL Category Actions
• Configure a Custom URL Category
• URL Filtering Response Pages
• URL Admin Settings
• Configure Safe Search and Logging Options
• HTTP Header Insertion and Modification
• Real-Time Webpage Analysis
• Recommendations for Unknown URL Category
• Recommendations for Not-Resolved URL Category
• URL Filtering Action Precedence
• URL Filtering Precedence Example
• Recategorization Request: Via Log Entries
• Recategorization Requests: Via Webpage
• Use a URL Filtering Profile
• Assigning URL Profile to Security Rules

Lab 10: Blocking Inappropriate Web Traffic with URL Filtering

• Test Access to Inappropriate Web Content
• Create a Security Policy Rule to Block Categories
• Test Access to URLs Blocked by the Security Policy
• Block Access to Inappropriate Web Content Using Security Profile
• Add the URL Profile to the Corp-Profiles-Group
• Disable Block-Bad-URLs Rule
• Test Access to URLs Blocked by a URL Filtering Profile
• Create a Custom URL Category
• Use Custom Category to Block URL Access in Security Policy Rule
• Test Access to Custom URLs Blocked by the Security Policy
• Add Custom URL Category to URL Filtering Profile

• Test Access to Custom URLs Blocked by the URL Filtering Profile
• Create an EDL to Block Malicious URL Access
• Block Access to the URL List with a Security Policy Rule
• Test Access to URLs Blocked by the EDL in the Security Policy

Module 11 – Blocking Unknown Threats with WildFire

• WildFire Threat Intelligence Cloud
• WildFire Operation Overview
• WildFire Verdict Descriptions
• WildFire Protects Email
• Content Packages and WildFire Updates
• Standard and Licensed Functionality
• Hybrid Cloud Example
• Configure WildFire Settings
• Submission Settings
• WildFire Analysis
• WildFire Analysis Profile
• Creating a WildFire Analysis Profile
• Configure Real-Time WildFire Analysis
• Attach WildFire Analysis Profiles to Security Rules
• WildFire Update Schedule
• WildFire Reporting
• Verify Submissions and View Reports
• WildFire Analysis Verdict Example
• Report Incorrect Verdict: Web Interface
• WildFire Portal
• WildFire Dashboard Reports
• Report Incorrect Verdict: WildFire Portal

Lab 11: Blocking Unknown Threats with WildFire

• Create a WildFire Analysis Profile
• Apply WildFire Profile to Security Profile Group
• Update WildFire Settings
• Remove EXE File Type from File Blocking Profile
• Test the WildFire Analysis Profile
• Examine WildFire Analysis Details
• Add EXE File Type from File Blocking Profile

Module 12 – Controlling Access to Network Resources with User-ID

• User-ID Purposes
• User-ID Main Functions
• User-ID Components
• Integrated Agent Versus Windows-Based Agent
• User Mapping Methods
• User Mapping Using GlobalProtect
• User-ID Syslog Monitoring
• User-ID Operation Overview: Domain Controllers
• User-ID Domain Controller Monitoring
• User-ID Windows Session Monitoring
• User-ID Mapping Recommendations
• Configure User-ID
• Enable User-ID Per Zone
• Configure the PAN-OS Integrated User-ID Agent
• Define the Monitored Server(s)
• Define the User-ID Agent Account
• Optional Session Monitoring
• Optional WMI Client Probing
• Verify Connection Status
• LDAP Server Profile
• Create User-ID Group Mapping Filters
• Filter Groups Sent to the Firewall
• Custom Groups Based on LDAP Filters
• Select Users and Groups for a Security Policy
• Dynamic User Groups (DUGs)
• Two Example Use Cases

Lab 12: Controlling Access to Network Resources with User-ID

• Examine Firewall Configuration
• Generate Traffic from the Acquisition Zone
• Enable User-ID on the Acquisition Zone
• Modify the Acquisition-Allow-All Security Policy Rule
• Create Marketing Apps Rule
• Create Deny Rule
• Generate Traffic from the Acquisition Zone
• Examine User-ID Logs
• Examine Firewall Traffic Log
• Examine Firewall Traffic Log

Module 13 – Using Decryption to Block Threats in Encrypted Traffic• Importance of SSL/TLS

• Why Decrypt Network Traffic?
• SSL/TLS Operation Review
• Firewall Decryption Types
• Public Key Infrastructure (PKI)
• Certificate Chain of Trust
• Certificate Management in the Web Interface
• Certificate Hierarchy
• Certificate Creation Overview
• Generate a Self-Signed Certificate
• Import a CA Certificate
• Certificate Signing Request (CSR)
• Generate a CSR for the CA-Signed Certificate
• Certificate Checking and Revocation
• Configuring SSL Decryption Certificate Revocation Checking
• SSL Forward Proxy Review
• Forward Trust and Forward Untrust Certificates
• Configure a Forward Trust Certificate
• Configure a Forward Untrust Certificate
• Renew an SSL Forward Untrust Certificate
• Configure SSL Forward Proxy Decryption Policy
• Forward Proxy Decryption Profile
• Create the Corresponding Security Policy Rules
• SSL Inbound Inspection Review
• Import Server Certificate and Private Key
• Configure an SSL Inbound Inspection Policy
• Configure an Inbound Inspection Decryption Profile
• Decryption Exclusions
• No Decryption
• SSL Decryption Troubleshooting
• Troubleshoot SSL Session Terminations
• Decryption in the Traffic Log
• SSH Decryption
• SSH Traffic and the Security Policy
• Reasons to Not Configure SSL Decryption
• Decryption Port Mirroring
• Decryption Broker
• Hardware Security Modules (HSMs)

Lab 13: Using Decryption to Block Threats in Encrypted Traffic

• Test the Firewall Behavior Without Decryption
• Create A Self-Signed Certificate for Trusted Connections
• Create a Decryption Policy Rule for Outbound Traffic
• Test Outbound Decryption Policy
• Export the Firewall Certificate
• Import the Firewall Certificate to Firefox
• Test Outbound Decryption Policy Again
• Review Firewall Logs
• Exclude URL Categories from Decryption
• Test the No-Decryption Rule

Module 14 – Locating Valuable Information Using Logs and Reports

• View Threat and Traffic Information
• The Dashboard
• Widgets for Viewing Threat Information
• Widgets for Viewing Application Information

• Application Command Center (ACC)
• Widgets on the ACC Network Activity and Threat Activity Tabs
• Example: Threat Activity Widget
• Firewall Logging Overview
• Example: Traffic Log
• Example: Threat Log
• Example: URL Filtering Log
• Example: WildFire Submissions Log
• Example: Data Filtering Log
• Example: Unified Log
• Correlation Engine, Objects, and Events
• App Scope Reports
• App Scope Reports: What’s Available?
• App Scope Reports: What’s Available? (Cont.)
• Example: App Scope Report
• Firewall Logging and Reporting Overview
• Predefined Reports
• Example: Threats Report
• Custom Reports
• Custom Report Example
• Custom Report with a Query Builder Filter
• Query Builder Report Example
• Device Telemetry
• Configure Device Telemetry
• Monitor Device Telemetry
• Firewall Log Forwarding Review
• Configure a Server Profile: Syslog Example
• Configure Logs to Forward: Example
• Apply Log Forwarding

Lab 14: Locating Valuable Information Using Logs and Reports

• Generate Traffic
• Display Recent Threat Information in the Dashboard
• Display Recent Application Information in the Dashboard
• View Threat Information in the ACC
• View Application Information in the ACC
• View Threat Information in the Threat Log
• View Application Information in the Traffic Log
• View Threats Using App Scope Reports
• View Threat Information Using Predefined Reports
• View Application Information Using Predefined Reports
• View Threat and Application Information Using Custom Reports

Lab 15: Capstone

• Configure Networking
• Configure Security Zones
• Configure NAT Policy Rules
• Configure Security Policy Rules
• Create and Apply Security Profiles

Appendix A Securing Endpoints with GlobalProtect

• Modern Risks Presented by the Mobile Worker
• GlobalProtect
• Zero Trust Principles With GlobalProtect
• GlobalProtect Components
• GlobalProtect Connection Sequence
• GlobalProtect Simple Topology
• GlobalProtect Advanced Topology
• GlobalProtect for Internal User-Based Access
• Determining Internal or External Gateways
• GlobalProtect Certificates
• Authentication Server Profile Example
• Activate the Agent Software on the Portal
• GlobalProtect Portal
• Portal Configuration
• Portal Authentication
• Client Configuration: Agent Certificates

• Client Configuration: Authentication
• Client Configuration: Internal Gateways
• Client Configuration: External Gateways
• Client Configuration: App Connection Methods
• Portal Configuration: Clientless VPN
• Clientless VPN: Applications to User Mapping
• GlobalProtect Gateway
• Gateway: General Tab
• Gateway: Tunnel Settings Tab
• Gateway: Config Selection Criteria Tab
• Gateway: IP Pools Tab
• Gateway: Split Tunnel Tab
• Gateway: Enable Network Services
• GlobalProtect and User-ID
• GlobalProtect Agent
• Installing the Agent
• Client Configuration
• GlobalProtect Log
• GlobalProtect Log Forwarding
• GlobalProtect Activity in the ACC

Appendix B – Providing Firewall Redundancy with High Availability

• Firewall High Availability
• Active/Passive HA
• Active/Active HA
• HA Prerequisites
• Active/Passive HA Links
• Dedicated and Non-Dedicated HA Ports
• HA Backup Links
• Designating an Active Firewall
• Failure Detection
• HA Timer Profiles
• Heartbeat Backup on MGT Port
• Prepare In-Band Interfaces
• Configuring HA
• Enabling Active/Passive HA
• Configuring the Control Link
• Configuring the Backup Control Link
• Configuring the Data Link
• Configuring the Backup Data Link
• Configuring Election Settings
• Configuring Active/Passive Settings
• Link Group Monitoring
• Configuring Path Monitoring
• Active/Passive HA Pair Start-Up
• Active/Passive Firewall States
• Monitor Firewall States
• System Log

Appendix C – Connecting Remote Sites Using VPNs

• Site-to-Site VPN Overview
• IPSec Overview
• IKE Phase 1
• IKE Phase 2
• Route-Based Site-to-Site VPN
• VPN Tunnel Component Interaction
• Phase 1 Object: IKE Cryptographic Profiles
• Phase 1 Object: IKE Gateway – General Tab
• Phase 1 Object: IKE Gateway – Advanced Options
• Phase 2 Object: IPsec Cryptographic Profiles
• VPN Tunnel Interface
• Phase 2 Object: IPsec Tunnel
• Phase 2 Object: Proxy ID
• Static Route for VPN
• IPsec Tunnel Status: Check Connectivity
• IPSec Tunnel Status: Troubleshooting Connectivity
• VPN Error Messages
• Reading VPN Error Messages (System Log

Appendix D – Configuring User-ID Windows Agent

• Configure the Windows-Based User-ID Agent
• Select the Installation Location
• Download User-ID Agent Software
• Agent Setup Process
• Configure the User-ID Agent Account
• Configure Server Monitoring
• Configure Client Probing
• Configure the Monitored Servers
• Configure the Firewall to Connect to the Agent
• Confirm Connection to the User-ID Agent
• Display Mappings from the Windows Agent
• Display Mappings from the Firewall CLI
• Data Redistribution
• Configure the Firewall to Connect to the Redistribution Point
• Configure the Firewall to Connect to the Redistribution Point (Cont.)
• LDAP Server Profile
• Create User-ID Group Mapping Filters
• Filter Groups Sent to the Firewall
• Custom Groups Based on LDAP Filters
• Select Users and Groups for a Security Policy