ULTIMATE

TEST DRIVE
Next-Generation Firewall
(NGFW)

Workshop Guide
PAN-OS 8.0

UTD-NGFW 3.4  2017 Palo Alto Networks, Inc. | Confidential and Proprietary Last Update:20171212
Table of Contents
How to use this guide ..................................................................................................................... 4
Activity 0 – Log in to the UTD Workshop ...................................................................................... 5
Task 1 – Log in to your Ultimate Test Drive class environment ........................................................................... 5
Task 2 – Log in to the student desktop ................................................................................................................ 6
Task 3 – Log in to the UTD virtual firewall ........................................................................................................... 9
Task 4 (Very Important) – Bring up interface “ethernet1/1” ............................................................................ 10
Activity 1 – Granular control on Social Media and Enabling Sanctioned SaaS Applications .. 12
Task 1 – Check connectivity to Facebook .......................................................................................................... 12
Task 2 – Enable Facebook Application ............................................................................................................... 13
Task 2a (Optional) – Enable Facebook Application by Function ........................................................................ 14
Task 3 – Review traffic logs ................................................................................................................................ 15
Task 4 – Enable Sanctioned SaaS Applications .................................................................................................. 16
Activity 2 – Controlling Evasive Applications ............................................................................. 17
Task 1 – Attempt to use anon-approved web application................................................................................. 17
Task 2 – Attempt to use an anonymizer site...................................................................................................... 17
Task 3 – Attempt to download and install evasive application ......................................................................... 17
Task 4 - Review URL log ..................................................................................................................................... 18
Activity 3 – Applications on Non-standard Ports ....................................................................... 21
Task 1 – Create a new security policy ................................................................................................................ 21
Task 2 – Check application connectivity ............................................................................................................ 22
Task 3 – Modify Security Policy .......................................................................................................................... 23
Task 4 – Re-check applications on non-standard ports ..................................................................................... 23
Activity 4 – Decryption ................................................................................................................. 24
Task 0 – Check connectivity to lab web server .................................................................................................. 24
Task 1 – Download test ...................................................................................................................................... 24
Task 2 – Add a new decryption policy................................................................................................................ 25
Task 3 – Retest secure download ...................................................................................................................... 26
Task 4 – Review traffic logs ................................................................................................................................ 26
Activity 5 – Modern Malware Protection ...................................................................................... 28
Task 1 – Review default WildFire analysis profile .............................................................................................. 28
Task 2 – Enable WildFire analysis on a security policy....................................................................................... 28
Task 3 – Test WildFire modern malware protection ......................................................................................... 29
Task 4 – WildFire portal review ......................................................................................................................... 29
Task 5 – Review the WildFire analysis results .................................................................................................... 30
Activity 6 – URL Filtering .............................................................................................................. 32
Task 0 – Check connectivity ............................................................................................................................... 32
Task 1 – Modify URL Filtering............................................................................................................................. 32
Task 2 – Apply URL Filtering to the security policy ............................................................................................ 33
Task 3 – Review URL Filtering logs ..................................................................................................................... 34
Activity 7 – GlobalProtect: Safely Enable Mobile Devices ......................................................... 35
Task 1 – Identify the GlobalProtect Gateway URL ............................................................................................. 35
Task 2 – Complete the GlobalProtect Gateway configuration .......................................................................... 36
Task 3 – Log into GlobalProtect from the Mobile PC (GlobalProtect) ............................................................... 38
Task 4 – Review traffic on the VM-Series firewall ............................................................................................. 39

UTD-NGFW 3.4 2
Activity 8 – Control Application Usage with User-ID .................................................................. 41
Task 1 – Validate access to SSH server............................................................................................................... 41
Task 2 – Enable applications based on User-ID ................................................................................................. 42
Task 3 – Confirm access with User-ID ................................................................................................................ 42
Activity 9 – Clientless VPN ........................................................................................................... 45
Task 1 – Identify the Clientless VPN Gateway Hostname .................................................................................. 45
Task 2 – Configure Clientless VPN...................................................................................................................... 46
Task 3 – Test the Clientless VPN access from Mobile PC ................................................................................... 48
Task 4 – Verify the log file entries on the firewall ............................................................................................. 49
Activity 10 – ACC and Custom Reports....................................................................................... 50
Task 1 – Review Application Command Center (ACC) ....................................................................................... 50
Task 2 – SaaS Application Usage Report ............................................................................................................ 53
Task 3 – Setting up a custom report .................................................................................................................. 54
Task 4 – What’s new in PAN-OS 8.0 ................................................................................................................... 55
Activity 11 - Feedback on Ultimate Test Drive ............................................................................ 56
Task 1 – Take the online survey ......................................................................................................................... 56
Appendix 1: Support for Non-U.S. Keyboards ............................................................................ 57
Add a new international keyboard .................................................................................................................... 57
Use the on-screen keyboard .............................................................................................................................. 58

UTD-NGFW 3.4 3
How to use this guide
The activities outlined in this Ultimate Test Drive (UTD) Workshop Guide are meant to contain all the information
necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any potential
issues with the UTD environment. This guide is meant to be used in conjunction with the information and
guidance provided by your facilitator.

Once these activities are completed

You should be able to:
1. Navigate the Palo Alto Networks GUI
2. Review portions of the firewall configuration
3. Change the configuration to affect the behavior of traffic across the firewall

This workshop covers only basic topics and is not a substitute for the training classes conducted by Palo Alto
Networks Authorized Training Centers (ATC). Please contact your partner or regional sales manager for more
training information.

Terminology

Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each Tab found in the left-hand column of each screen.

Note: Unless specified, the Google® Chrome™ web browser will be used to perform any tasks
outlined in the following activities (Chrome is pre-installed on the student desktop of the
workshop PC).

UTD-NGFW 3.4 4
Activity 0 – Log in to the UTD Workshop

In this activity, you will:

• Log in to the Ultimate Test Drive Workshop from your laptop
• Understand the layout of the environment and its various components
• Enable the Firewall to facilitate connectivity

Task 1 – Log in to your Ultimate Test Drive class environment

Step 1: First, make sure your laptop is installed with a modern browser that supports HTML 5.0. We recommend
using the latest version of Firefox®, Chrome and Internet Explorer. We also recommend you install the latest
Java® client for your browser.

Step 2: Go to class URL. Enter your email address and the passphrase (if you have an invitation email, you can
find the class URL and passphrase in the invitation email; or the instructor will provide you with the class URL and
passphrase).

Step 3: Complete the registration form and click Register and Login at the bottom.

Step 4: Depending on your browser, you may be asked to install a plugin. Please click Yes to allow the plugin to
be installed, then continue the login process.

UTD-NGFW 3.4 5
Step 5: Once you log in, the environment will be created automatically for you. The upper left hand corner will
show you the progress of the preparation. You will see the lab availability time when it is ready for use.

The UTD NGFW lab environment consists of many VMs: Student Desktop, Mobile PC (Global Protect), Mobile
PC (Clientless VPN), VM-Series Virtual Firewall, Linux Server and more. You will start the lab by accessing
the Student Desktop.

Task 2 – Log in to the student desktop

Step 1: Click on the Student Desktop tab to connect to the student desktop.

Step 2: You will be connected to the student desktop through your browser

UTD-NGFW 3.4 6
Step 3: If the Student Desktop resolution is too high or too low for your laptop display, you can adjust the
resolution from the left-hand pane. You can also click the Full screen icon to maximize the display.

Step 4: To exit the full-screen mode, use the esc key on our keyboard or click the black arrow at the top of
window to open the dropdown menu; then click Exit.

Note: The default connection to the student desktop uses an RDP over HTML5 protocol through the
browser. You can also use CON (Console) remote access which in may help in the event where RDP
access is blocked locally.

Optional Step 5: If you encounter connection issues with the student desktop, click Reconnect to re-establish
the RDP or CON connection.

UTD-NGFW 3.4 7
Optional Step 6: If reconnection to the student desktop is unsuccessful, please verify your laptop connectivity
using the following link. [Note that a Java client is required on your browser for this test site to function.]

https://use.cloudshare.com/test.mvc
This test site will validate the RDP-based and Java-based connections to your browser. Click “Allow” to allow the
Java applet to be installed and run on your browser.

Optional Step 8: If the connectivity test passed, please close the browser and retry to reconnect to the RDP or
CON session to the VM per Task2, Optional Step 5. If the connectivity test failed, please inform the instructor
and ask for further assistance.

UTD-NGFW 3.4 8
Task 3 – Log in to the UTD virtual firewall

Step 1: Click the “UTD-NGFW-PAVM” bookmark in the Chrome browser, then log in to the firewall using the
following name and password:

Name: student
Password: utd135

Step 2: You are now logged in to the firewall. Take a look at the welcome page to see some of the features
introduced in the latest release of PAN-OS. Click “Close” to close the welcome page.

UTD-NGFW 3.4 9
Task 4 (Very Important) – Bring up interface “ethernet1/1”
Step 1: The firewall is not connected to the Internet by default. Click the “Network” tab, and then click the
“Interfaces” node on the left-hand side.

Step 2: Click the interface “ethernet1/1” under “Ethernet,” then click the “Advanced” tab to change the link state.

Step 3: Select “up” in the “Link State” option; then click “OK”.

Step 4: Click “Commit” (in the upper right-hand corner of the GUI), then click “Commit All Changes” in the pop-up
window.

UTD-NGFW 3.4 10
Step 5: Click “Close” in the pop-up window once the commit has completed. The Link Status of “ethernet1/1”
should turn green after the interface is up.

Step 6: Open a new tab in the Chrome browser window and confirm Internet connectivity by selecting CNN from
the Labs – Bookmark > Activity-0 folder.

Step 7: Here is a quick look at how the student desktop and the virtual firewall are connected:

End of Activity 0

UTD-NGFW 3.4 11
Activity 1 – Granular control on Social Media and
Enabling Sanctioned SaaS Applications
Background: Every organization is trying to determine how to appropriately control social media and
SaaS (Software as a Service) applications. Allowing them all is highly risky, while blocking them all can
cripple the business. Policy considerations, including who can use which social media channels and
SaaS applications, require a granular level of control at the firewall.

PAN-OS® features to be used:

• App-ID™ and function control.
• Logging and reporting for verification.

In this activity you will:

• Modify the existing firewall configuration to control the behavior of the Facebook application.
• Review Traffic logs to confirm activity.

Task 1 – Check connectivity to Facebook

Step 1: (Please complete Task-4 in the previous activity (Activity-0) before you continue.) On your desktop,
open a browser and select the www.facebook.com from the Lab – Bookmarks folder > Activity-1 folder.
• Question: What appears in the browser window?
• Answer: You should get blocked and see a screen that looks like this:

Note: If you see a SSL decryption message, click

continue to accept the SSL message. You will
need to reload the Facebook page to see the
blocked message.

Step 2: On the firewall GUI, click on the “Monitor” tab and “Traffic” node under “Logs” to review the traffic logs to
under why Facebook is being blocked. In the search bar, enter “(subtype eq deny)” the click “Apply filter” to
filter by deny policies, you should see that “facebook-base” application is not allowed by default. You will enable
Facebook application in the next task. Click “Clear Filter” to remove the filter and see all the logs.

UTD-NGFW 3.4 12
Task 2 – Enable Facebook Application
Step 1: On the firewall GUI, click the “Policies” tab, then click the “Security” node.

Step 2: Highlight the rule #1, named “UTD-Policy-00” (currently greyed out).

Step 3: Click “Enable” in the bottom bar of the GUI. You can see below the rule enabled (change of color)

Step 4: Double click on “UTD-Policy-00” to open up the policy details window, go to the “Application” and
“Actions” tab to confirm the policy is configured to allow Facebook application. Click “OK” to close the policy
window.

UTD-NGFW 3.4 13
Step 5: Click “Commit” in the upper right-hand corner of the GUI.

Step 6: Click “Commit All Changes” in the pop-up window.

Step 7: Click “Close” in the pop-up window once the commit has completed.

Step 8: Open a new browser tab and select www.facebook.com from the Lab – Bookmarks > Activity-1 folder.
You may get a warning message; you can ignore this. You should now be able to access www.facebook.com.

Task 2a (Optional) – Enable Facebook Application by Function

Note: Optional Task – the task below requires the use of your Facebook account, if you do not wish to log into
your account in this lab environment or you do not have a Facebook account, you can skip to the next task. The
Ultimate Test Drive lab environment is deleted at the end of the lab.

Step 1: Log in your own Facebook account.

Step 2: Open a new tab and select Candy Crush FB from the Lab – Bookmarks > Activity-1 folder and verify you
can use it.

Step 3: Create a new post on your timeline. Change to “Only me” in the “Who should see this” field, so it will not
change your timeline.

Step 4: In the VM-Series firewall, go to Policies > Security, click the rule name “UTD-Policy-00” A “Security Policy
Rule” pop-up will appear, click on the Application tab, and Delete Facebook.

UTD-NGFW 3.4 14
Step 5: Add a new application start typing facebook-posting. Click OK and close the Policy pop-up.

Step 6: Click “Commit” in the upper right-hand corner of the GUI.

Step 7: Click “Commit All Changes” in the pop-up window.

Step 8: Go to Facebook and create a new post, also try to go to Candy Crush again, and sending a message via
the chat window.
What are the results?
You should be blocked from Candy Crush and from private chat
You should be allowed to post to Facebook.

Step 9: Log out of Facebook

Task 3 – Review traffic logs

Step 1: Click the “Monitor” tab. The “Traffic” node (under the “Logs” section) will be selected.

Step 2: Type the search string into the query box (directly above the “Receive Time” column):
(app eq facebook)
Then hit the “Enter” key or click the icon.

Questions:
• What was the action associated with the log entries?
• What was the port number associated with the log entries?

UTD-NGFW 3.4 15
Task 4 – Enable Sanctioned SaaS Applications
The need for business efficiency and flexibility is driving the use of SaaS applications in many organizations. Palo
Alto Networks Next-Generation Firewall with App-ID provides the industry-leading granular control to and from
SaaS applications. We will show you how to enable a selected set of sanctioned SaaS applications.

Step 1: Go to “Application Groups” in the “Objects” tab, then select “Sanctioned-SaaS-Apps” and review the SaaS
applications in this application group.

Step 2: Add “ms-office365”to this application group by clicking the “Add” icon, then select “ms-office365.”Click
“OK” to close the application-group window.

Step 3: Go back to the security rule, “UTD-Policy-00,” and then add the “Sanctioned-SaaS-Apps” application
group to the policy. On the same tab delete facebook-posting. Click “OK” to close the policy window.

Step 4: Click “Commit” to commit the changes. In one policy, you have enabled basic Facebook applications and
a group of sanctioned SaaS applications.
Enabling a group of SaaS applications will allow us to see a more interesting SaaS application usage report in the
later lab activity.

Step 5: In your browser right click the SAAS bookmark folder in “Lab – Bookmarks > Activity-1”, select “open all
bookmarks”, let the pages load (or fail) and close the tabs again.

End of Activity 1

UTD-NGFW 3.4 16
Activity 2 – Controlling Evasive Applications
Background: Evasive applications are found on almost every network. Some are purposely evasive,
making every effort to hide and avoid controls. Examples include anonymizer, Tor and P2P. Policy
considerations for controlling evasive applications include protection from RIAA threats, data loss
(inadvertent or otherwise) and malware propagation.

PAN-OS features to be used:

• App-ID and URL Filtering to prevent evasive applications.
• Logging and reporting for verification.

In this activity you will:

• Use App-ID and URL Filtering to control proxy sites.
• Review the logs.

Task 1 – Attempt to use anon-approved web application

Step 1: Open a new browser tab select Google Drive from the Lab – Bookmarks > Activity-2 folder
• You should not be able to go to Google Drive.

The Google Drive web application is not explicitly allowed by the firewall, so it is blocked.
To bypass the firewall, some users may try to use an anonymizer site.

Task 2 – Attempt to use an anonymizer site

Step 1: Open a new browser window and select one of these anonymizer sites from the Lab – Bookmarks >
Activity-2 folder:
“Proxify.com”, “Anonymouse.org” or “Hide My Ass!”.

Step 2: You should see the anonymizer site being blocked by URL Filtering.

Task 3 – Attempt to download and install evasive application

Step 1: To circumvent the firewall, some users may try to download and install an evasive application, such as
Tor.

UTD-NGFW 3.4 17
Step 2: Attempt to download the Tor browser from the Tor project website from the Lab – Bookmarks > Activity-2
folder. You should see that it also has been blocked.

Task 4 - Review URL log

Visibility is the key to build and maintain a secure policy. Explore the possibilities to work with the log files.
Questions:
• Can you determine which policy is blocking Google Drive?
• Can you determine which policy is blocking the anonymizer sites?
• Which application is used to access the anonymizer sites?
• Which application is used to access Tor download sites?

Step 1: Click the “Monitor” tab, then the “Unified” node under the “Logs” section.

Step 2: Click the green plus for “Add Filter” in the upper right corner.

Step 3: Select Category > equal > proxy-avoidance-and-anonymizers and click “Add” without closing

Step 4: Select Connector “or” > Application > equal > google-drive-web and click “Add” without closing

Step 5: Select Connector “or” > URL > contains > enter value “mouse” without quotes and click “Add” and “Close”

UTD-NGFW 3.4 18
This is what you should see in the query bar:
(app eq google-drive-web) or (category eq proxy-avoidance-and-anonymizers) or (url contains mouse)
Hit the “Enter” key or click the icon.
Note: You can also save your filter and load it again later

What do you see in the column Log Type?

Questions:
• Can you determine which policy is blocking Google Drive?
• Can you determine which policy is blocking the anonymizer sites?
• Which application is used to access the anonymizer sites?
• Which application is used to access Tor download sites?

Step 6: Click on the magnifier icon on the left side of a log entry and explore the details.

UTD-NGFW 3.4 19
Step 7: Click the “Monitor” tab, then the “URL Filtering” node under the “Logs” section.

Step 8: You can click any entry under the “URL” column and it will automatically enter the filtering string in the
search bar. In example “( category eq proxy-avoidance-and-anonymizers )”

Step 9: Click the “Monitor” tab, then the “Traffic” node under the “Logs” section.

Step 10: Click on a “allow” in the Action column, go to the query bar and add “!” in front of the parentheses, it
should look like this “!( action eq allow )”
This will negate the filter and display everything that is not matching the action allow.

End of Activity 2

UTD-NGFW 3.4 20
Activity 3 – Applications on Non-standard Ports
Background: Many applications can use, either by default or through user control, a non-standard port.
Oftentimes, the use of non-standard ports is done as a means of evading controls. Tech-savvy users are
accessing their home PCs from work by directing SSH to a non-standard port in order to bypass
corporate firewalls. This activity will show you how to allow applications to run only on the standard port
and prevent the same applications from running on any non-standard port.

PAN-OS features to be used:

• Logging and reporting to show SSH, RDP and Telnet on non-standard ports.
• App-ID, groups function and service (port).
• Logging and reporting for verification.

In this activity you will:

• Add a new security policy for the IT organization.
• Re-order the policies.

Task 1 – Create a new security policy

Step 1: Click the “Policies” tab, then the “Security” node.

Step 2: Click “Add” in the lower left-hand corner.

Step 3: Name the policy “Allow-IT-apps” then select “Activity3” for Tags using the drop-down list.

Step 4: Click the “Source” tab.

Step 5: Click “Add” in the “Source Zone” box, then select “Trust.”

Step 6: Click the “Destination” tab. Click “Add” in the “Destination Zone” box, then select “Untrust.”

Step 7: Click the “Application” tab, then click “Add.” Type “IT-apps,” then select it.

Step 8: Click the “Service/URL Category” tab, then click the drop-down menu above “Service;” change the default
setting from “Application Default” to “Any”.

Step 9: Click the “Action” tab. Check that the action is set to “Allow,” then click “OK.”

UTD-NGFW 3.4 21
Step 10: Click and drag the policy “Allow-IT-apps” above the “UTD-Policy-04” rule.

Step 11: Click “Commit” in the upper right-hand corner of the web browser.

Step 12: Click “Commit All Changes” in the pop-up window.

Step 13: Click “Close” once the commit has completed.

Step 14: “IT-apps” is a predefined application group that includes SSH, MS-RDP and other applications. Go to the
“Object” tab and “Application Groups” node to review which applications are included in this application group.
There are some industrial specific application groups that are created to highlights some of the common
applications used in those industries. Review those application groups to learn about the applications that are
supported by the Palo Alto Networks Next-Generation Firewall for the specific industries.

Task 2 – Check application connectivity

Step 1: Use the PuTTY application on the desktop.

Step 2: Load the SSH server (standard port 22) profile and the SSH to the “SSH-Server” (172.16.1.101)
using the standard port 22. Log in with:

Login: student

Password: utd135

Question:
• Can you log in?
• Yes – you should be able to log in.

Step 3: Close the SSH session. Load the SSH server again (172.16.1.101) using the non-standard port 443.
Question:
• Can you log in using the non-standard port?
• Yes – you should be able to log in.

Step 4: Close the PuTTY application. Click the “Monitor” tab, then click the “Traffic” log on the firewall GUI.

Step 5: Search for application SSH on port 22 or 443

Questions:
• What query string did you type into the search box?
• Was the application allowed?

UTD-NGFW 3.4 22
Task 3 – Modify Security Policy

Step 1: Click the “Policies,” then click “Security.”

Step 2: Click the “Allow-IT-apps” security policy created in Task 1.

Step 3: Click the “Service/URL Category” tab, then click the drop-down menu above “Service.” Change “Any” to
“Application Default,” then click “OK” (The “Application Default” option only allows applications over the default
port and protocol; it prevents applications from running on non-standard port or protocol).

Step 4: Click “Commit” in the upper right-hand corner of the web browser.

Step 5: Click “Commit All Changes” in the pop-up window.

Step 6: Click “Close” once the commit has completed.

Task 4 – Re-check applications on non-standard ports

Step 1: Use the PuTTY application on the student desktop.

Step 2: SSH to 172.16.1.101again on port 443 using PuTTY. Did you get a login prompt?

• You should not get the login prompt this time.

Step 3: Close the PuTTY application and click the “Monitor” tab, then click the “Traffic” log on the firewall GUI.

Step 4: Search for application SSH on port 443.

Questions:
• What query string did you type into the search box?
• Was the application allowed?

End of Activity 3

UTD-NGFW 3.4 23
Activity 4 – Decryption
Background: More and more traffic is being encrypted with SSL by default. This makes it difficult to allow
and scan that traffic, yet blindly allowing it is very risky. Policy-based SSL decryption allows you to
decrypt applications, apply security policy, then re-encrypt and send the traffic to its final destination.
Policy considerations include which applications or web traffic to decrypt and then applying the
appropriate protection to prevent malware propagation and data/file transfers.

PAN-OS features to be used:

• Decryption policy.
• Logging and reporting for verification.

In this activity you will:

• Add a new decryption policy to decrypt SSL traffic.

Task 0 – Check connectivity to lab web server

Step 1: On your desktop, open a browser select “UTD Lab Web Server” from the Lab – Bookmarks > Activity-4
folder.

Task 1 – Download test

This website looks like a legitimate lab web server. Let’s download a file from this site and see if the site is
working.

Step 1: Download the Apache configuration file, under the “Configuration Overview” tab by clicking the “here”
hyperlink.

UTD-NGFW 3.4 24
Step 2: Are you able to download the configuration file? The download should fail because the file is infected and
the antivirus inspection has stopped the download.

Step 3: Try to download the full manual from the “manual” link. Are you able to download the manual file? The
download should fail because the file is infected and the antivirus inspection has stopped the download.

Step 4: Mouse over the “Configuration file (secure download)” hyperlink; notice that the download is using
“https://” instead of “http://”. Click the hyperlink to download the file. Are you able to download the configuration
file? The download should succeed because it is encrypted. This browser will open the file and show you the
content.

Task 2 – Add a new decryption policy

We will create a decryption policy that decrypts web traffic going to an unknown site.
Step 1: Go to the firewall management GUI, click the “Policies” tab, then click the “Decryption” node.

UTD-NGFW 3.4 25
Step 2: Click “Add” in the lower left-hand corner.

Step 3: In the “Decryption Policy Rule” pop-up; name the policy “UTD-Decryption-02,”then select “Activity4”
under “Tags.”

Step 4: Click the “Source” tab.

Step 5: Click “Add” in the box labeled “Source Zone.” Then select “Trust.

Step 6: Click the “Destination” tab.

Step 7: Click “Add” in the box labeled “Destination Zone.” Then select “Untrust.”

Step 8: In the “Service/URL Category” tab, add “Unknown” under the URL Category.

Step 9: Click the “Options” tab, then select “decrypt” for “Action.” Leave the “Type” selection as “SSL Forward
Proxy” then select “default” for the “Decryption Profile.”

Step 10: Click “OK.”

Step 11: Click “Commit” (in the upper right-hand corner of the web browser).

Step 12: Click “Commit All Changes” in the pop-up window.

Step 13: Click “Close” once the commit has completed.

Task 3 – Retest secure download

Step 1: In the browser, go back to the UTD lab web server; then click the “Configuration file (secure download)”
link again. You will need to click “Yes” on the certificate-error prompt to continue with the download.

Step 2: Are you able to download through the secure download? The download should fail because the file is
infected and the antivirus inspection can now stop the download after the session is decrypted.

Task 4 – Review traffic logs

Step 1: Click the “Monitor” tab; then go to the “Threat” node under the “Logs” section.

UTD-NGFW 3.4 26
Step 2: Select the latest entry in the “Threat” log, then click the Details icon next to the log entry to view the log
details. Notice that under the “Flags” category, there is a checkmark to indicate this particular session is
decrypted.

End of Activity 4

UTD-NGFW 3.4 27
Activity 5 – Modern Malware Protection
Background: Modern malware is at the heart of many of today's most sophisticated network attacks and
is increasingly customized to avoid traditional security solutions. WildFire™ exposes targeted and
unknown malware through direct observation in a virtual environment, while the Next-Generation Firewall
ensures full visibility and control of all traffic, including tunneled, evasive, encrypted and even unknown
traffic. Policy considerations include which applications to apply to the WildFire file blocking/upload
profile.

PAN-OS features to be used:

• Profiles: virus, spyware, file blocking, and WildFire.
• WildFire portal.
• Logging and reporting for verification.

In this activity you will:

• Review the existing WildFire analysis profile.
• Add the WildFire Analysis profile to an existing security policy.

Task 1 – Review default WildFire analysis profile

Step 1: Click the “Objects” tab, then click the “WildFire Analysis” node (found under “Security Profiles”).

Step 2: Click the Profile name “Default”, then review the default WildFire analysis profile. Notice that the default
profile sends any file types from any applications to the WildFire public cloud service.

Note: WildFire analysis profile provides the option to enable hybrid deployment (public cloud and private cloud).
WildFire hybrid deployment enables you to maintain privacy or regulatory concerns, select between public cloud
or private cloud analysis (using WF-500) based on security rules, content sensitivity, and regulatory concerns. A
Palo Alto Networks firewall can forward unknown files and email links to the WildFire public global cloud or to
one of two WildFire regional clouds (Europe and Japan) that Palo Alto Networks owns and maintains. In this
lab, we will use the default profile and send unknown files to the WildFire public global cloud for analysis.

Step 3: Click “Cancel” to close the WildFire analysis profile.

Task 2 – Enable WildFire analysis on a security policy

Step 1: Click the “Policies” tab, then click the “Security” node.

Step 2: Click the rule name “UTD-Policy-01, the “Security Policy Rule” pop-up will appear.

Step 3: Click the “Actions” tab within the pop-up.

UTD-NGFW 3.4 28
Step 4: In the “Profile Setting” section, select the drop-down menu next to “WildFire Analysis.”

Step 5: Select “Default.”

Step 6: Click “OK.”

Step 7: Click “Commit” in the upper right-hand corner of the web browser.

Step 8: Click “Commit All Changes” in the pop-up window.

Step 9: Click “Close” once the commit has completed.

Task 3 – Test WildFire modern malware protection

Step 1: To download a WildFire test file, open the browser and enter the following in the address bar or click on
the bookmark “WildFire Test File.” [Note: Ignore the Chrome browser warning message for downloading an .exe
file by clicking the “Keep” button.]
http://wildfire.paloaltonetworks.com/publicapi/test/pe

Repeat the download a few times. Each file is different and will trigger a new upload to the WildFire Cloud.

Step 2: The browser will automatically download a “wildfire-test-pe-file.exe” sample file. Check your “Download”
folder to confirm the download. [Note that this sample changes every time it is downloaded and it should bypass
most antivirus scans.]

Task 4 – WildFire portal review

Step 1: Use the “WildFire Portal” bookmark to go to the login page (or enter the URL:
http://wildfire.paloaltonetworks.com )

Step 2: Login using the following credentials:

Username: ngfw.utd@gmail.com
Password: utd135

UTD-NGFW 3.4 29
Step 3: In the portal, click the “Reports” tab. You will see a summary of all the files that have been submitted for
analysis. You can review the WildFire analysis report by clicking the report icon on the left-hand side of the
entry. A WildFire account can manage multiple Palo Alto Networks firewalls. (Note: In this lab environment, there
is only one firewall managed by this account.)

Step 4: You can also upload suspicious files manually for analysis using the “Upload Sample,” click the “Upload
Sample” tab at the top of the page to review the various upload options.

Task 5 – Review the WildFire analysis results

Step 1: To view the sample file that has been sent to WildFire, go back to the firewall GUI, then click the “Monitor”
tab. Click on the “WildFire Submissions” node and then review the results returned from the WildFire service.
[Note: It may take about 5-10 mins for the WildFire Submissions log to appear.]

Step 2: When you see the entry, click the “Details” icon next to the top log entry. In the “Log Info” tab, you
can view the basic info of the file and the application that carries that file.

Step 3: Click the “WildFire Analysis Report” tab to view the details on the analysis results. Under “WildFire
Analysis Summary”, the “Verdict” indicates that the submitted file is malware, and you can download the malware
file directly from the “Sample File” tab.

Step 4: Under “Wildfire Analysis Report tab” you can scroll down to see the behavior of the malware when it’s
associated with different operating systems. “Virtual Machine 1” is configured with Microsoft® Window XP; you
can review the behavior and activity of the malware. Click “Virtual Machine 2” to review the malware behavior and
activity in Windows 7.

UTD-NGFW 3.4 30
Step 5: Click the “VirusTotal” link under “Coverage Status” on the report, and it will bring you to the VirusTotal
home page. Since this malware has never been seen before because the hash has been changed, VirusTotal will
not have any information on this virus.

Step 6: Explore the other features and functions offered in the WildFire Analysis Report such as download the
sample file or download the WildFire Analysis report in pdf.

End of Activity 5

UTD-NGFW 3.4 31
Activity 6 – URL Filtering
Application control and URL Filtering complement each other, providing you with the ability to deliver
varied levels of control that are appropriate for your security profile. Policy considerations include URL
category access; which users can (or cannot) access the URL category; and the prevention of malware
propagation.

PAN-OS features to be used:

• URL Filtering category match.

• Logging and reporting for verification.

In this activity you will:

• Modify the behavior of the URL Filtering functionality.

Task 0 – Check connectivity

Step 1: Open a new tab and select Gambling.com from the Lab – Bookmarks > Activity-6 folder (you should be
able to open this page).

Task 1 – Modify URL Filtering

Step 1: Go back to the firewall GUI. Click the “Objects” tab, then click the “URL Filtering” node found in the
“Security Profiles” section.

Step 2: Click the Profile name “UTD-URL-filter-01.”

Step 3: Search for the “Gambling” category, then change the action from “Alert” to “Continue” on the Site Access
Column.

Step 4: An explicit block-and-allow list is available in the URL Filtering profile. See the preconfigured example,
then click “OK” to save the changes.

UTD-NGFW 3.4 32
Task 2 – Apply URL Filtering to the security policy
Step 1: Click the “Policies” tab, then click the “Security” node.

Step 2: Click the rule “UTD-Policy-01”, the “Security Policy Rule” pop-up will appear.

Step 3: Click the “Actions” tab within the pop-up.

Step 4: In the “Profile Setting” section, select the drop-down menu next to “URL Filtering.”

Step 5: Select “UTD-URL-filter-01,” then click “OK.”

Step 6: Click “Commit” in the upper right-hand corner of the web browser.

Step 7: Click “Commit All Changes” in the pop-up window.

Step 8: Click “Close” once the commit has completed.

Step 9: Open a new browser tab (on the Student Desktop), then select Top Bet from the Lab – Bookmarks >
Activity-6 folder If the cached page appears, use the CTRL + F5 keys to reload the page.

The web page is blocked, but you will have the option to continue to open the page.

Step 10: Click “Continue” to open the web page.

UTD-NGFW 3.4 33
Task 3 – Review URL Filtering logs

Step 1: Click the “Monitor” tab, then click the “URL Filtering” node under the “Logs” section.

Questions:
• What was the action associated with the log entries?
• What was the application associated with the log entries?

End of Activity 6

UTD-NGFW 3.4 34
Activity 7 – GlobalProtect: Safely Enable Mobile Devices
Mobile computing is one of the most disruptive forces in information technology. It is revolutionizing how
and where employees work, and the tools they use to perform their jobs. GlobalProtect™ from Palo Alto
Networks safely enables mobile devices for business use by providing a unique solution to manage the
device, protect the device and control the data.

PAN-OS features to be used:

• GlobalProtect Portal and Gateway.
• GlobalProtect Client Application.

In this activity you will:

• Complete the GlobalProtect Portal configuration in the lab environment to allow GlobalProtect
clients to connect to the GlobalProtect Gateway.
• Use the GlobalProtect client application to connect to the GlobalProtect Gateway and verify the
traffic is being protected by the firewall.

Task 1 – Identify the GlobalProtect Gateway URL

Step 1: Locate the public URL for the GlobalProtect Gateway running on VM-Series. This is the URL we will use
to configure both the GlobalProtect Gateway and the client. Go to the “Virtual Machines” tab at the top of the
page. You will see a list of all the virtual machines used in this lab.

Step 2: Identify the “VM-Series Next-Generation Firewall” virtual machine, then click “More Details.” The external
address for the virtual firewall will revert to the public IP address, which you will need to use.
[Note that the external address is unique to each lab environment and it is different from what is shown below.]

UTD-NGFW 3.4 35
(Optional) Step 3a: Make note of this external address. Alternatively, you can use “Cloudshare –Clipboard” to
copy the text to the VM in the environment. To use “Cloudshare – Clipboard,” click the blue icon next to the URL
to copy it to the clipboard. Go back to the student desktop, then click the “Edit Clipboard” button. (If you are using
“Fullscreen RDP” you will need to exit to see the “Edit Clipboard” button.

(Optional) Step 3b: In the clipboard window, right-click, then paste the URL here.

(Optional) Step 3c: Close the clipboard by clicking save in the Cloudshare clipboard. Now you should be able to
paste this text in the VM when you right click in any text field. The URL should have a format of “*.vm.cld.sr”.

Note: You may want to paste the URL into a text file on your laptop– it
may come in handy later in this activity.

Task 2 – Complete the GlobalProtect Gateway configuration

Step 1: Go back to the student desktop, then login to the VM-Series firewall web GUI.

UTD-NGFW 3.4 36
Step 2: Go to the “Network” tab at the top of the page, then click the “GlobalProtect” node. Click portals”

Step 3: Click the “UTD-GP-Portal” to open the GlobalProtect Portal configuration window; then click the “Agent”
tab on the left-hand side of the window.

Step 4: Click the “UTD-GP-Portal-ClientCfg” in the “Client Configuration” window.

Step 5: In the “Config” window of the “UTD-GP-Portal-ClientCfg,” go to the “External” tab to configure the
gateway information that will be provided to the client.

Step 6: In our lab, we will use one external Gateway. We will enter your lab gateway URL for the client. Click the
“Address” field under “External Gateways” tab, then replace the “replace.this.url” with the “External Address URL”
from Task1 of this activity.

Note: If you have completed Optional Step3 in Task1, you can right click and paste the URL in the address field.

UTD-NGFW 3.4 37
Step 7: Click “OK” twice to save and commit the configuration changes in the “UTD-GP-Portal.”

Task 3 – Log into GlobalProtect from the Mobile PC (GlobalProtect)

Step 1: Click the “Mobile PC (GlobalProtect)” tab at the top of the page to go to the mobile PC console.

Step 2: Open the Chrome browser and test the Internet connectivity using public websites from the Labs –
Bookmarks > Activity-6 folder like CNN or facebook. You should be able to connect to the internet directly from
this device.
Note: This device is not sitting behind the VM-Series firewall. You can test this by going to the
website (www.gambling.com) that was blocked in Activity6. You should not see the block page.

Step 3: Start GlobalProtect from the “Start” menu or Desktop

Step 4: In the GlobalProtect window, on the “Home” tab to enter the GlobalProtect Portal URL. [You can use the
“Send Text” feature to cut and paste the external gateway URL in the “Send Text” window, then send it to the
GlobalProtect “Settings” window.]

Step 5: In the “Settings” window, enter the following username and password, then copy the external gateway
URL from Task1 of this activity into the “Portal” field.
[You can use the “Send Text” feature to cut and paste the external gateway URL in the “Send Text” window, then
send it to the GlobalProtect “Settings” window.

Note: If you encountered connection problems,

check to ensure the external gateway URL is
entered correctly in the “Portal” field.

UTD-NGFW 3.4 38
(Optional) Step 5a: You can validate the external gateway URL by testing it in a browser with the HTTPS
protocol. It will open the “GlobalProtect Portal” page on your gateway. You are not required to login to this portal.

Step 6: Click “Connect” and enter credentials when prompted.

Username: joe
Password: utd135

Step 6: Once connected, you can see the GlobalProtect welcome page. To verify that GlobalProtect is connected
to the Portal, go to the “Details” window in the GlobalProtect application to confirm
the “Connected” status.

Step 7: Check your Internet connectivity in the “Mobile PC (w GlobalProtect)” by selecting some web pages from
the Labs – Bookmarks folder in the browser. When you try to go to www.gambling.com again, you should see the
blocked page from Activity6.

Step 8: In your browser right click the SAAS bookmark folder from the Activity-1 folder, select “open all
bookmarks”, let the pages load (or fail) and close the tabs again.

Task 4 – Review traffic on the VM-Series firewall

Step 1: To view the “Mobile PC (w GlobalProtect)” VPN connection to the VM-Series firewall, go back to the
student desktop, then log in to the VM-Series firewall web GUI.

UTD-NGFW 3.4 39
Step 2: Go to the “Monitor” tab, then to the “Traffic” logs monitor page under the “Logs” node on the left side of
the page.

Step 3: Look for traffic logs from the “GP-VPN” zone where you can see the traffic logs from the “Mobile PC (w
GlobalProtect)”. This demonstrates that traffic from the the “Mobile PC (w GlobalProtect)” is now protected by the
firewall. [Note: the firewall policy, in this case “UTD-Policy-04” can be modified to safely enable the necessary
applications for remote users.]

Step 4: Notice that the username is also visible from the traffic log, indicating which user-based firewall policy can
be created based on the user’s login info.

Step 5: Now go to the “Network” tab, then go to the “GlobalProtect” > “Gateway” node.

Step 6: Click the “Remote Users” link under “Info” column to open the remote users information window.

Step 7: Under the “Current User” tab in the “User Information” window. Notice that the GlobalProtect client in the
Mobile-PC can collect host information such as computer name, operation system used and more.

Note: The host-information profile (HIP) in

GlobalProtect provides details about the
condition of the mobile laptop, smartphone or
tablet, which can be used to make policy
decisions about the resources that the device
can access. Please talk to your instructor for
more information about mobile security
management through GlobalProtect.

End of Activity 7

UTD-NGFW 3.4 40
Activity 8 – Control Application Usage with User-ID

Understanding which users are related to which traffic on your network is more useful than just knowing
ports and IP addresses. Visibility and reporting based on users is more intuitive, and policies expressed
in terms of users (or groups) are a better match for expressing business-relevant security policies. You
will create a security policy using User-ID™ in this activity. You must successfully complete Activity 7
before you can continue with this activity.

PAN-OS features to be used:

• Createa security policy using User-ID
• Using GlobalProtect to validate the security policy

In this activity you will:

• Create a security policy to enable applications based on User-ID
• Ensure that access to the application is determined by individual userIDs, even when multiple
users log in from the same device.

Task 1 – Validate access to SSH server

Step 1: On the “Mobile PC (GlobalProtect)”, connect to the SSH server used in Activity3 using ssh. Open the
PuTTY application, then load the “SSH server (standard port 22)” from the saved sessions to ssh into
172.16.1.101. Click “Open.” Can you ssh to 172.16.1.101?

You should not be able to ssh to the server.

Step 2: Go back to the firewall GUI in the student desktop. Go to the “Traffic” logs in the “Monitor” tab. You
should be able to see that traffic on port 22 was being dropped.

UTD-NGFW 3.4 41
Task 2 – Enable applications based on User-ID
Step 1: We will enable the security policy on the firewall to allow the user “joe” to use the SSH application. Click
the “Security” node in the “Policies” tab, then select “UTD-Policy-05”, and click “Enable” to enable the policy.

Once enabled, the policy will turn from light grey to blue.
Step 2: Click the policy name to open the policy window, then click on the “User” tab (note that the only user is
“joe” is in this policy). Then click the “Application” tab.(Note: “Ping” and “SSH” are enabled in this policy.)

You can check the “Application Default setting in the “Service/URL Category,” so SSH can only run on its
standard port.

Step 3: Click “Commit” to commit the changes.

Task 3 – Confirm access with User-ID

Step 1: Go back to the mobilePC (and remember that you are logged in as “joe” in the GlobalProtect client).
Verify the SSH access to the server on 172.16.1.101 by using:

Login: student
Password: utd135

You should be able to login to the SSH sever now. End the SSH session after you are logged in.

UTD-NGFW 3.4 42
Step 2: Go back to the GlobalProtect client window and 1. Click on “joe” in the upper right corner of the window.
That will open the dialog 2. And allow you to remove the current credentials.

Step 3: to “peter” in the “Home” tab(we have set the password for both accounts to utd135 so you don’t need to
re-enter the password). Then click “Connect” and “OK” to reconnect to the GlobalProtect Gateway.

Step 4: Now click “Connect” and enter credentials when prompted. This time use
Username: peter
Password: utd135

You will see the Welcome message and “peter” will show in the upper right comer as logged in user.

Step 5: Use the PuTTY application to reconnect to the SSH server. You will see that the connection is being
denied.

Note: This demonstrates that the access to the application is controlled based on the user’s
ID, rather than the IP address of the device.

UTD-NGFW 3.4 43
Step 6: Review the traffic log on the firewall to confirm that the source user is “peter” instead of “joe,” hence
access to the SSH is being denied.

End of Activity 8

UTD-NGFW 3.4 44
Activity 9 – Clientless VPN

Clientless VPN provides secure remote access to common enterprise web applications that use HTML,
HTML5, and Javascript technologies. Users have the advantage of secure access from SSL-enabled web
browsers without installing GlobalProtect client software. This is useful when you need to enable partner
or contractor access to applications, and to safely enable unmanaged assets, including personal devices.

In this activity you will:

• Configure Clientless VPN access for accessing web applications
• Test the access from a mobile PC without VPN client installed

Task 1 – Identify the Clientless VPN Gateway Hostname

Step 1: Locate the external address for the Clientless VPN Gateway running on VM-Series. This is the hostname
we will use to configure the Clientless VPN Gateway and use it to connect with the web browser to the VPN. Go
to the “Virtual Machines” tab at the top of the page. You will see a list of all the virtual machines used in this lab.

Step 2: Identify the “VM-Series Next-Generation Firewall” virtual machine, and then click “More Details.” The
external address for the virtual firewall will revert to the public IP address, which you will need to use.
[Note that the external address is unique to each lab environment and it is different from what is shown below.]

UTD-NGFW 3.4 45
Task 2 – Configure Clientless VPN
Step 1: Go to the “Network” tab at the top of the page, then click the “GlobalProtect” node. Click on “UTD-GP-
Portals”.

Step 2: Go to “Clientless VPN’ and the “General” tab, activate the “Clientless VPN” checkbox and configure it with
the following values:
Hostname: Use the hostname we obtained in Task 1 (will look different from the screenshot)
Security Zone: Select “Trust” from the dropdown list
DNS Proxy: Select “Google-Public-DNS” from the dropdown list
Login Lifetime: 3 Hours
Inactivity Timeout: 30 Minutes

The result should look like this:

UTD-NGFW 3.4 46
Step 2: Continue on the “Applications” tab, click “Add” at the bottom left.

Step 3: Configure the “Application To User Mapping” with the following values:
Name: SSL-Portal-Apps
User/User Group: Any
Applications: Google Docs, Intranet, Office 365

Step 3: Commit all changes

UTD-NGFW 3.4 47
Task 3 – Test the Clientless VPN access from Mobile PC
Step 1: Click the “Mobile PC” tab at the top of the page to go to the mobile PC console.

Step 2: Open a web browser and use the hostname that we captured in Task 1. You can use the “Send Text”
button to paste it into the browser.

Step 3: Make sure to precede the hostname with “https:// “

Step 4: Login to the GlobalProtect Portal with the following credentials:

Name: joe
Password: utd135

Step 5: Test the applications by clicking on the icons.

UTD-NGFW 3.4 48
Step 6: The web application should open, please notice the URL showing that you are connected to the
Clientless VPN hostname.

Task 4 – Verify the log file entries on the firewall

Step 1: On the “Student PC: Go to the “Monitor” tab, then to the “Traffic” logs monitor page under the “Logs” node
on the left side of the page. Filter for “(user src eq joe)”. The log entries show the Clientless VPN traffic.

End of Activity 9

UTD-NGFW 3.4 49
Activity 10 – ACC and Custom Reports
Background: Informative visualization tools and reports are very important to network and security
administrators, which enable them to monitor and identify potential network problems and attacks.
Comprehensive built-in visualization tools and reporting features in the firewall can provide visibility into
the network without requiring a complex logging infrastructure.

PAN-OS features to be used:

• Application Command Center (ACC).
o Built-in visualization tools that provide a clear view of the application, user and threat data
on your network.
o ACC in PAN-OS has been upgraded to reduce response time based on visual and
actionable data.
• Manage custom reports.
o Create a custom report using traffic stats logs.

Task 1 – Review Application Command Center (ACC)

Step 1: Click the “ACC” tab. The ACC is configured to automatically show data collected in the last hour. Change
the time range to “Last 6 Hrs” in the “Time” drop-down window to include all the data generated during your lab
session.

Step 2: There are four pre-defined tabs: the “Network Activity”, “Threat Activity”, “Blocked Activity” and “Tunnel
Activity” tabs. Under the “Network Activity” tab, you can see the most used applications in the “Application Usage”
widget. Please take a moment to review the other widgets such as “User Activity,” “Source IP Activity,”
“Destination Regions,” etc.

UTD-NGFW 3.4 50
Step 3: In the “Application Usage” widget, you can click any tile to zoom into a group of applications or a single
application by clicking the “General Internet” category or the “Networking” category.
Step 4: The selection in the widget applies only to that specific widget. Mouse over the “App Category
[networking]” selection, and the “Add Global Filter” option will appear. Click “Add Global Filter” to apply the
selection to all the widgets.

Step 5: In the “Risk” column (shown below), mouse over risk level “4” and click the “Add Global Filter” icon to add
a risk-level-4 filter to the global filters. The widget will display only information on risk-level-4 applications in the
“networking” category.

Step 6: To remove the global filter, click “Clear all,” or select a filter, then click the red “-” button to remove it.

UTD-NGFW 3.4 51
Step 7: To customize a time range, go to the “User Activity” widget. Then select a start time and drag it through
the time axis to the end of the time range. Apply this to the widget. You can apply this time range to the other
widgets by clicking “Add Global Filter.”

UTD-NGFW 3.4 52
Step 8: To remove the customized time range from the global filter, select a new time from the “Time” drop-down
menu inStep1 to reset the time range.

Task 2 – SaaS Application Usage Report

To maintain network security and ensure compliance with corporate policy, you must identify and monitor the use
of SaaS applications on your network. To meet this challenge, the Palo Alto Networks firewall includes a new
SaaS Application Usage Report in PDF format to give you visibility into the SaaS applications. The new report
helps you identify the ratio of sanctioned versus unsanctioned SaaS applications in use on the network. It also
includes details on the top SaaS application subcategories by number of applications, by number of users, and
more. You can use the data from this report to define or refine security policy rules on the firewall to block or
monitor the use of unsanctioned SaaS applications on your network. This task will show you how to get started
with the SaaS Application Usage Report on the firewall.

Step 1: Click the “Monitor” tab, then click the “SaaS Application Usage” node under the “PDF Reports.”

Step 2: Click “Add” at the bottom of the window to open a new SaaS Application Usage report configuration
window.

Step 3: Name the report “SaaS App Usage Report,” then select “Last 7 Days,” and click “OK” to save it.

Step 4: You should see a new entry created. Click it again to re-open the report window; then click “Run Now” to
create the report.

Step 5: It will take a bit of time to create the report. When the report is done, you should see a new browser tab
open with the report. (You may need to disable the pop-up blocker in your browser to allow the report to be
opened in a new browser tab.)

UTD-NGFW 3.4 53
Step 6: Take a closer look at the SaaS Application Usage Report; it contains a lot of useful data. Close the SaaS
Usage Report window after the report is created. (You can export the report as a PDF.)

Task 3 – Setting up a custom report

Step 1: Click the “Monitor” tab, then click the “Manage Custom Reports” node (second from last).

Step 2: Click “Add” (in the lower left), then name the report “Session Stats” (in the “Custom Report” pop-up).

Step 3: Use the following information to create this report:

• Database ..................................... Application Statistics

• Scheduled …… ........................... Not Checked
• Time Frame ................................. Last 6 Hrs
• Selected Columns ....................... Application Name, App Category, App Sub Category, Risk of App,
Sessions
• Sort By ......................................... Sessions: Top 10

Step 4: Click “Run Now” (at the top of the pop-up). A tab “Session Stats” will be created; review the report and
export the results as a PDF file.
Reports may also be scheduled by selecting the “Scheduled” checkbox in the “Custom Report” window. These
reports will run automatically at 2:00 a.m. daily.

UTD-NGFW 3.4 54
Task 4 – What’s new in PAN-OS 8.0
To provide organizations with the best security capabilities to prevent successful cyberattacks, PAN-
OS® 8.0, includes a colossal amount of enhancements and capabilities, including:
• Secure any cloud! AWS, Azure and more
• Secure SaaS (Office 365®, Box, Slack®) with visibility and enforcement
• Prevent sandbox evasion, automate C2 detection, and leverage advanced intel sharing
• Prevent credential theft usage and abuse
• Simplify security operations with enhanced management, speed and automation
• New high-performance hardware models to tackle encrypted traffic and more

To learn more about the new features in the latest PAN-OS release, visit us at:

End of Activity 10

UTD-NGFW 3.4 55
Activity 11 - Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive event. We hope you enjoyed the presentation and the labs
that we have prepared for you. Please take a few minutes to complete the online survey form to tell us
what you think about this event.

Task 1 – Take the online survey

Step 1: In your lab environment, click on the “Survey” tab.

Step 2: Please complete the survey, and let us know what you think about this event.

End of Activity 11.

UTD-NGFW 3.4 56
Appendix 1: Support for Non-U.S. Keyboards
If you are using a non-U.S. keyboard and have difficulties entering characters and special keys, you can add a
keyboard to the student desktop to support what you have or use the on-screen keyboard. This appendix shows
you how to add, select an international keyboard or use the on-screen keyboard.
By default, the “English (United Sates)” and “French (France)” keyboards are added to the student desktop. Click
the bottom left-hand corner to switch between them.

Add a new international keyboard

To add other keyboards, go to Start > Control Panel. Click “Change Keyboards or other input methods.”

UTD-NGFW 3.4 57
Click “Change keyboard.”

Click “Add” to add a new international keyboard. Then switch to the new keyboard per the instructions on the
previous page.

Use the on-screen keyboard

To use the on-screen keyboard:
Step 1: Click “Start ->All Programs”.

Step 2: Click on “Accessories”

UTD-NGFW 3.4 58
Step 3: Click “Ease of Access,” then click “On-Screen Keyboard.”

Step 4: You should see the Windows On-Screen Keyboard. To bypass keys inside the VM image that do not work
on your keyboard, select the key.

UTD-NGFW 3.4 59
 Lab Setup

Firewall VM-Series

Interface: Int Type: IP Address: Connects to Zone:

Ethernet 1/1 L3 172.16.1.1 "Untrust"

Ethernet 1/2 L3 192.168.11.1 "Trust"
Management - 10.30.11.1

UTD-NGFW 3.4 60