Panorama: Managing Firewalls at Scale (EDU- 220)

The Palo Alto Networks Firewall 10.2 Essentials: Configuration and Management (EDU-210) course is five days of instructor- led training that will help you to: 1. Configure and manage the essential features of Palo Alto Networks next-generation firewalls 2. Configure and manage Security and NAT policies to enable approved traffic to and from zones 3. Configure and manage Threat Prevention strategies to block traffic from known and unknown IP addresses, domains, and URLs 4.Monitor network traffic using the interactive web interface and firewall reports.

Successful completion of this five-day, instructor-led course should enhance the student’s understanding of how to configure and manage Palo Alto Networks Next Generation Firewalls. The course includes hands-on experience configuring, managing, and monitoring a firewall in a lab environment.

The technical curriculum developed and authorized by Palo Alto Networks and delivered by Palo Alto Networks Authorized Training Partners helps provide the knowledge and expertise that prepare you to protect our digital way of life. Our trusted certifications validate your knowledge of the Palo Alto Networks product portfolio and your ability to help prevent successful cyberattacks and safely enable applications.

Virtual Classroom Live

Prerequisites

Students must have a basic familiarity with networking concepts including routing, switching, and IP addressing. Students also should be familiar with basic security concepts. Experience with other security technologies (IPS, proxy, and content filtering) is a plus.

Target Audience

Course Outline

Module 1 – Initial Configuration

• What Is Panorama?
• Flexible Deployment Options
• Modes in Panorama
• Panorama in the Cloud
• Connecting to Panorama
• Panorama Web Interface: Initial View
• Licensing Panorama
• Applying a Support License to Panorama
• Upgrading Panorama
• Downloading Panorama Dynamic Updates
• Scheduling Panorama Dynamic Updates
• Panorama Plugin Architecture
• Configure Management Interface Settings
• Configure Services
• Panorama Commit
• Committing to Panorama
• Committing to Panorama (Cont.)
• Pushing Changes to Managed Firewalls
• Scheduling a Configuration Push
• Editing Push Scope Selection
• Device Commit Monitoring
• Device Commit Monitoring (Cont.)
• Panorama Configuration Management
• Scheduled Panorama Configuration Export
• Firewall Configuration Backups on Panorama

Lab 1 Scenario: Initial Configuration

• Connect to the Class Desktop
• Connect to Panorama and Each Firewall
• Use the Panorama Web Interface to Verify License and System Information
• Configure Panorama Management Interface
• Verify Panorama DNS and Update Servers
• Verify Panorama NTP Servers
• Configure General Settings
• Schedule Panorama Config Export
• Configure Dynamic Updates for Panorama
• Save the Named Panorama Configuration Snapshot
• Export the Named Panorama Configuration Snapshot

Module 2 – Add Firewalls

• Adding New Firewalls to Panorama
• Configure Panorama to Connect to the Firewalls
• Configure the Firewall to Connect to Panorama
• Validating Firewall Connectivity
• Organizing Summary Information
• Manage Device Licenses
• Deploy PAN-OS Software to Firewalls from Panorama
• Pushing Content Updates from Panorama to Firewalls
• Schedule Dynamic Updates to Firewalls from Panoram

Lab 2 Scenario: Adding Managed Firewalls to Panorama

• Copy the Serial Number from firewall-a
• Copy the Serial Number from firewall-bAdd the Firewalls to Panorama
• Configure firewall-a to Communicate with Panorama
• Set the Location of firewall-a
• Configure firewall-b to Communicate with Panorama
• Set the Location of firewall-b
• Verify Both Firewalls are Connected to Panorama
• Modify Columns in the Summary Window
• Verify Firewall Licenses in Panorama
• Schedule Dynamic Updates to Firewalls

Module 3 – Templates

• Templates Overview
• Template Stacks
• Template Stack Examples
• Template Components Example
• Common Template Organization Strategies
• Example Template Structure
• Creating a Template
• Templates List
• Adding Elements to Templates
• Cloning a Template
• Creating Template Stacks
• Pushing Template Stack to Devices
• Overriding Template Settings on Firewall
• Overview of Template Variables
• Variable Use Case Example
• Template Variables
• Defining a Template Variable
• Creating a CSV File to Apply Template Variable Values
• Importing a CSV File to Apply Template Variable Values

Lab 3 Scenario: Templates

• Create a Global-Settings Template
• Configure the Global-Settings Template – General Settings
• Configure the Global-Settings Template – Log Settings
• Commit the Changes to Panorama
• Configure the Global-Settings Template – Administrator
• Create Interface Management Profiles
• Create Interfaces Variables
• Create Network Interfaces
• Modify Firewall Management Interface Settings
• Create a Virtual Router
• Create Security Zones
• Create a Template for the Americas Region
• Create a Syslog Server Profile in the Region-Americas Template
• Create an Email Server Profile in the Region-Americas Template
• Clone Region-Americas Template to Create Region-Europe Template
• Edit Settings in the Region-Europe Template
• Change the Header Banner
• Create Template Stacks
• Create a Template Stack for Germany Firewalls
• Create a Template Stack for US Firewalls
• Modify Variables for Firewalls
• Verify the Variables for Each Template Stack
• Push the Template Stacks to Firewalls
• Verify Template Settings on the Chicago Firewall
• Verify Template Settings on the Berlin Firewall

Module 4 – Device Groups

• Device Group Overview
• Common Device Group Organization Strategies
• Device Group Example
• Device Group Hierarchy
• Device Group Inheritance
• Device Group Inheritance Example
• Conflicting Object Values
• Adding Device Groups
• Device Groups, Templates, and Security Zones: Problem
• Device Groups, Templates, and Security Zones: Solution
• Example Objects
• Creating an Object
• Shared Group
• Inherited Objects
• Changing Inherited Object Values
• Override Inherited Object Values
• Managing Device Groups
• Moving an Object to Another Device Group
• Overview of Policies
• Policy Rule Order
• Policy Rules Hierarchy
• Viewing Inherited Rules
• Creating a Policy Rule
• Managing Policy Rules
• Verify Rulebase on Firewalls with Preview Rules
• Policy Rule Usage Counters
• Policy Rule Usage: Per-Device-Group Basis
• Policy Rule Targets
• Enforce Change Documentation for Policy Rules
• Rule Changes Archive

Lab 4 Scenario: Device Groups

• Create a Device Group Called Corp-DG
• Create a Device Group Called Branch-DG
• Create a Device Group called HQ-DG
• Create Security Profiles in the Corp-DG Device Group
• Create an Antivirus Security Profile
• Create an Anti-Spyware Security Profile
• Create a Vulnerability Security Profile
• Create a URL Filtering Security Profile
• Create a File Blocking Security Profile
• Create a WildFire Analysis Security Profile
• Create a Security Profile Group in the Corp-DG Device Group
• Configure Security Policy Pre-Rules
• Configure Security Policy Post-Rules
• Modify the intrazone-default Security Policy Rule
• Modify the interzone-default Security Policy Rule
• Create a Security Policy Post-Rule for Users to Extranet
• Create a Security Policy Rule for Extranet Traffic
• Create a NAT Post-Rule for Users_Net Traffic
• Create a NAT Post-Rule for Extranet Traffic
• Preview the Rules in Panorama
• Push the Configuration to the Firewalls
• Test Internet Access from User Hosts
• Confirm the Configurations on Each Firewall

Module 5 – Log Collection and Forwarding

• Standard Deployment Using Panorama in an HA Pair
• Distributed Log Collection Deployment
• Design Considerations for Log Storage
• Distributed Deployment Using Cortex Data Lake
• Log Redundancy
• Why Forward Log Events to Panorama?
• Log Event Forwarding Options: Firewalls
• Log Forwarding Options
• Log Forwarding Profile Components
• Log File Profile Components
• Log Forwarding Profile: Summary
• Creating a Log Forwarding Profile: Panorama Only Example
• Creating a Log Forwarding Profile: Syslog and SNMP Example
• Log Forwarding Profile: Traffic Log Example
• Forwarding Panorama Log Events
• Defining Panorama Server Profiles
• Defining Log Forwarding Profiles for Panorama

Lab 5 Scenario: Log Collection and Forwarding

• Push the Configuration to Firewalls
• Create a Default Log Forwarding Profile
• Modify Security Rules to Use the Default Log Forwarding Profile
• Create a New Security Policy Rule
• Create Panorama Server Profiles
• Forward Panorama System Log Events to Syslog
• Forward Panorama Commit Log Events to Email
• Verify Panorama Commit Email
• Generate Log Entries on Chicago Firewall
• Run the Traffic Script on the Berlin Firewall
• Verify That Firewalls Forward Traffic Logs Events to Panorama
• Verify That Firewalls Forward Threat Events to Panorama
• Verify That Firewalls Forward URL Filtering Logs to Panorama
• Verify Threat Email from Firewalls

Module 6 – Using Panorama Logs

• Customize Log File Views in Panorama
• Reorganizing Columns
• Filters Overview
• Creating Search Filters
• Using the Filter Builder
• Export Filtered Data

Lab 6 Scenario: Using Panorama Logs
• Push the Configuration to Firewalls
• Generate Traffic Through Both Firewalls
• Identify Inappropriate Web Browsing
• Use the Filter Builder
• Save This Filter
• Identify Unauthorized Online Storage Traffic
• Export the Filtered Traffic to CSV
• Modify Security Policy Rules to Block Dropbox
• Modify the URL Filtering Profile to Block Categories
• Generate Traffic
• Examine the Traffic Log
• Examine the URL Filtering Log
• Create a Combined Filter

Module 7 – Administrative Accounts

• Authenticating Panorama Administrators
• Panorama Authentication: Local Database
• Creating a Local Administrator
• External Authentication Methods
• External Authentication Components
• External Authentication Components: Authentication Sequence
• Creating an External Server Profile: LDAP
• Creating an Authentication Profile for LDAP
• Creating an Authentication Sequence (Optional)
• Admin Types
• Admin Type: Dynamic
• Admin Roles: Panorama
• Panorama Administrator Role Examples
• Admin Roles: Device Group and Template
• Administrator Account Components
• Creating an Administrator Account
• Access Domains
• Concurrent Administration
• Configuration Locks
• Configuration Lock Messages
• Removing a Lock
• Committing Changes per Admin

Lab 7 Scenario: Panorama Administration Accounts

• Configure a RADIUS Server Profile
• Create a RADIUS Authentication Profile
• Test the RADIUS Authentication Profile from Panorama CLI
• Configure an Admin Role Profile
• Configure an Administrator Account
• Commit the Changes
• Validate Administrator Access

Module 8 – Reporting

• Panorama Data Sources
• Panorama Monitoring and Reporting Tools
• Panorama Centralized Reporting
• Panorama Reports
• Example Reports
• Building a Custom Report
• Create, Schedule, and Email Operational Reports

Lab 8 Scenario: Reporting

• Push Configuration to Firewalls
• Generate Traffic Through Firewalls
• Create a Custom Report for Threats Within the Last 24 Hours
• Create a Custom Report for Applications Used Within the Last 7 Days
• Create a Custom Report for URL Categories Blocked within the Last 7 Days
• Create a Weekly Report Group
• Create an Email Schedule

Module 9 – Troubleshooting

• Device Summary Information
• Panorama Fails to Communicate with a Firewall
• Panorama and the Firewall Are Not Communicating
• Panorama App-ID on the Firewall
• Ping to Test Connectivity
• tcpdump Command for Packet Captures
• Examine tcpdump Command Output
• Examine Commit Failure Messages
• Panorama Configuration Push Fails
• Determine the Root Cause of the Failure
• Test Policy Functionality
• Does Panorama Have Enough Horsepower?
• Symptoms of an Over-taxed Panorama
• Importance of Monitoring Panorama
• Configuring SNMP Settings on Panorama
• Solutions for an Overworked Panorama

Lab 9 Scenario: Troubleshooting

• Examine Commit Error Messages
• Verify that Berlin Firewall is Connected to Panorama
• Troubleshoot the Berlin Firewall Commit Failure
• Push the Configuration to the Firewalls
• Delete Unused Files from Panorama
• Configure SNMP on Panorama
• Poll Panorama for CPU Utilization
• Detailed Lab Steps
• Examine Commit Error Messages
• Verify that Berlin Firewall is Connected to Panorama
• Troubleshoot the Berlin Firewall Commit Failure
• Push the Configuration to the Firewalls
• Delete Unused Files from Panorama
• Configure SNMP on Panorama
• Poll Panorama for SNMP Data

Appendix
• Transition locally configured firewalls to Panorama
• Planning the Transition
• Transition Steps
• Importing the Local Firewall Configuration into Panorama
• Moving the Firewall to an Appropriate Device Group
• Moving the Firewall to an Appropriate Template Stack
• Modifying the Configuration and Pushing to the Firewall
• Adding Multiple Firewalls to Panorama Simultaneously
• Importing the CSV File
• Firewalls Imported
• Creating the CSV File
• Log Collector Groups Overview
• Maximum Log Collection Rate
• Collector Groups with Single or Multiple Log Collectors
• Determining the Log Rate: New Customer
• Determining the Log Rate: Existing Customer
• Determining the Logging Rate Using Panorama
• Logging Rate via SNMP
• Determine the Total Log Storage Required
• Deploying a Dedicated Log Collector
• Adding a Log Collector to Panorama
• Adding a Log Collector to the Collector Group
• Adding the Firewalls to a Collector Group
• Collector Log Forwarding
• Collector Log Forwarding Example
• Committing Changes and Pushing to Managed Devices
• Collector Group Status
• Steps to Replace a Managed Firewall
• Step 1: Configure the New Firewall
• Reassigning Licenses to the New Firewall
• Step 2: Export the Device State of the Old Firewall
• Steps 3 and 4: Import the Device State into the New Firewall
• Verifying Panorama Connectivity
• Step 5: Synchronize the New Firewall with Panorama
• Purpose and Benefit of a Panorama HA Pair
• Priority and Failover on Panorama in HA
• Steps to Configure High Availability
• Configuring Panorama High Availability
• HA Encryption
• Monitoring HA Devices
• Configuring Path Monitoring
• High Availability Status
• Testing Panorama HA Failover
• Migrating HA Peers to Panorama Management

Technologies

Panorama: Managing Firewalls at Scale (EDU- 220)