
CNSE 5.1 Study Guide
Version 2.1
Palo Alto Networks Education Services
2013 Palo Alto Networks, the network security company

CNSE Study Guide & Tech Documents

Palo Alto Networks Education Services site:
https://www.paloaltonetworks.com/services/education.html

CNSE 5.1 Study Guide download:
https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/datasheets/education/5.1-cnse-study-guide.pdf

CNSE 5.1 Tech Documents download:
https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/zip/5.1-cnse-tech-docs.zip

Page 2 | CNSE 5.1 Study Guide


PAN-OS 5.0 and Panorama 5.1 | 2013 Palo Alto Networks
CNSE 5.1 Exam Overview
Exam offered at Kryterion testing centers.
Register at this site:
http://www.webassessor.com/paloaltonetworks

Review CNSE FAQs:
https://www.paloaltonetworks.com/services/education/cnse-faq.html

Exam information:
- Based on PAN-OS 5.0 and Panorama 5.1
- 1? questions (second digit lost in the extraction)
- 2.5 hours duration
- 6? minimum passing score (second digit lost in the extraction)

Exam Preparation Suggestions
Have skill and knowledge in these subjects:
- Administration and management
- Network Architecture
- Security Architecture
- Troubleshooting
- User-ID
- Content-ID
- App-ID
- Panorama
- GlobalProtect

PA appliances as of PAN-OS 5.0: 4000, 2000, 500 Series

PA appliances as of PAN-OS 5.0: PA-3000 Series

PA appliances as of PAN-OS 5.0: PA-5000 Series

PA appliances as of PAN-OS 5.0: PA-200 Series

Centralized Management

Security Subscriptions
- Threat Prevention
- URL Filtering
- GlobalProtect
- WildFire

Flow Logic (diagram, read left to right)
1. Initial Packet Processing: Source Zone / Address / User-ID lookup; PBF / Forwarding lookup; Destination Zone evaluated*; NAT Policy.
2. Security Pre-Policy: check allowed ports; session created.
3. Check for Application: Decryption Policy, Application Override Policy, encrypted traffic; App-ID.
4. Security Policy check; Security Profiles check.
5. Post-Policy Processing: re-encrypt traffic; NAT Policy applied; packet forwarded.

Packet Flow
Refer to this document on the packet flow in PAN-OS: Packet Flow.pdf

- Have a general understanding of how packets are processed by the Palo Alto Networks firewall.
- Determine which of the following is checked first: NAT rules, security rules, PBF rules, app-ID.
- Prior to the session being established, a forward lookup is performed to determine what the post-NATed zone will be.
- The packet flow process is intrinsically tied to the Single Pass Parallel Processing (SP3) hardware architecture of the Palo Alto Networks next-generation firewall.
- Applications are identified once a session is created on an allowed port.

5 Physical Interface Types
1. Tap mode: interfaces simply listen to a span/mirror port of a switch.
2. Virtual wire: EXACTLY two interfaces; what comes in one goes out the other. Can be any combo: copper-copper, fiber-fiber, copper-fiber. No MAC address or IP address on the interfaces; the device is still a stateful firewall and can block traffic.
3. L2: multiple interfaces can be configured into a "virtual switch" (VLAN) in L2 mode. L2 interfaces do not participate in STP, as Spanning Tree Protocol is not supported.
4. L3: IP address is required; all layer 3 operations available.
5. HA: on all devices except the 3000 and 5000 series you must configure two traffic ports as the HA ports.

Logical Interfaces Supported
- Subinterfaces - 802.1q
  - Up to 4094 VLANs supported per port
  - Max of 4094 VLANs per system
- Aggregate interfaces - 802.3ad
  - Up to 8 physical 1 Gig interfaces can be placed into an aggregate group
  - Max supported aggregate groups:

    PA-200          PA-500   PA-2000   PA-3000, 4000, 5000
    Not Supported   4        6         8

  - Each interface in a group must be the same physical media (all copper or all fiber)
- Tunnel interfaces for IPSec or SSL VPNs
- Loopback interfaces

Multicast Support
- Support for Multicast Filtering is available in Virtual Wire and L3.
- Multicast IP addresses can now be used in firewall rules used with Virtual wires and L3.
- Multicast routing is supported in PAN-OS 5.0 for the PIM-SM (sparse mode) and IGMP protocols.
- Additional information can be found in the following support document: Palo Alto Networks Designs Guide RevB.pdf

Available Features in Different Interface Modes
Vwire:
- No VPN
- No "auto" setting for HA passive link
L2:
- No VPN
- No NAT. FYI: starting with PAN-OS 4.1 you can do NAT in Vwire mode
- If IPv6 is passing, security policies can be written for this traffic
- No multicast support
L3:
- If IPv6 is passing, security policies can be written for this traffic

Interface Management
An interface management profile specifies which protocols can be used to manage the firewall.
A management profile can be assigned to:
- L3 interfaces
- Loopback interfaces
- VLAN interfaces
Configured under Network tab > Network Profiles > Interface Management.

Device Management
Managing the firewall via GUI, SSH, etc. is performed via the MGT interface on the PAN by default.
You can specify a different physical interface to use for specific management services via Device tab > Setup > Service Route Configuration.

Role-based Administration
Administrators can be given rights using the built-in options or by creating new administrative roles.
There are 6 pre-defined administration roles:
- Superuser - All access to all options of all virtual systems.
- Superuser read-only
- Device Admin - Full access to the device except for creation of virtual systems and administrative accounts.
- Device admin read-only
- Vsys Admin - Full access to a specific virtual system.
- Vsys admin read-only
To provide a more granular level of control, additional roles can be created.

Application Identification
App-ID provides the ability to identify applications and application functions. App-ID is a core function of the Palo Alto Networks device.
App-ID uses various methods to determine what exactly is running in the session:
- Protocol decoders
- Protocol decryption
- Application signatures
- Heuristics are used when the above methods cannot identify the application. This is the method by which applications such as the proprietarily encrypted BitTorrent and UltraSurf are identified.
App-ID even works in these scenarios:
- If the application is running on a different port than expected
- If the application is being transmitted in an SSL tunnel (the firewall can forward-proxy the SSL connection) or if it employs SSHv2
- If the application is going through an HTTP proxy

Application Selection Window
Within each policy you can specify what applications you want to control. You can specify individual applications or groups of applications. Some applications, such as AIM instant messenger and Facebook, give you control over specific functions. Applications with Application Function Control are represented hierarchically.

Dynamic Application Filters
A dynamic application filter is configured by specifying particular criteria. The example below is a dynamic filter to allow browser-based file sharing apps.
Advantage of a dynamic application filter: any new applications that fit into those categories will automatically be added to that dynamic filter.

Application Groups and Application Filters
Application Groups are static. Applications are manually added and maintained by firewall administrators.
Application Filters are dynamic. Applications are filtered by traits such as risk, subcategory, technology, characteristic, etc.
If you create an Application Filter on a specific criterion such as the subcategory of games, it will include all applications which are defined as a game. Any new games defined by an App-ID signature will automatically be included as part of this filter.

Security Policy

Security Policy Operation
- All traffic flowing from one security zone to another requires a policy to allow the traffic.
- The policy list is evaluated from the top down.
- The first rule that matches the traffic is used.
- No further rules are evaluated after the match.

When configuring a security policy to allow an application through the firewall, the service field should be set to "application-default" for inbound services. That will restrict the application to only use its standard ports (example: DNS will be restricted to only use port 53). It is a best practice to configure application-default or explicit ports for increased control of the communication on the network.
Note that intra-zone traffic is allowed by default. If you create a rule at the end of the list that says to deny and log all traffic, that will block intra-zone traffic, which may not be your intention.

Security Policy Dependencies
Parent applications must also be allowed by security policy for the dependent applications to function.

Example (diagram): web-browsing (Allow | Deny) --application shift--> google-translate-base (Allow | Deny)

Implicit Application Dependencies
PAN-OS implicitly allows parent applications for a set of commonly used applications.
In this example, Facebook access will work even if the Allow WebBrowsing policy were removed.

Address Objects & Dynamic Block Lists
Objects > Addresses
Address Object - available types:
- IP Netmask, IP Range, FQDN
- Dynamic (new in 5.0)
FQDN type changes automatically if the DNS entry updates.

Dynamic Block Lists
Allows the import of external lists - URL/IP block lists.
Objects > Dynamic Block Lists

Scheduling Security Policies
Policies can be scheduled to occur at particular times of day, or be a one-time occurrence.
Schedules are defined under Objects tab > Schedules. Once defined, these schedules can be reused across multiple rules.
Possible schedule choices are shown in the slide screenshot.
Schedules are assigned under Policies tab > Security Policy > Options column.

Blocking Skype
The skype application is classified on the PAN device as two separate applications: skype-probe and skype.
In general, think of the skype-probe application as the control channel and the "skype" application as the data channel.
Since skype is so evasive, the way you prevent skype from sending or receiving voice or video is by allowing skype-probe but blocking skype.
This forces skype to use a communication that is easy to predict and block via App-ID.

Monitoring Traffic
The default traffic log behavior is to log all at session close. On a per-rule basis, the functionality (logging at session start or session end) can be selectively toggled or disabled completely.
Traffic log can be viewed under Monitor tab > Logs > Traffic.
The application that was detected is shown in the log.
Filters can be created using a syntax similar to Wireshark.
Here is an example where you are viewing all traffic between 1.2.3.? and 3.3.3.1.1 (filter screenshot on the slide; one digit is lost in the extraction):

Monitoring Traffic (2)
Special Application names are used to define traffic not explicitly identified by App-ID. These applications will be displayed in the Traffic log as follows:
- "incomplete": SYN or SYN/SYN-ACK/ACK is seen but no data packets are seen
- "insufficient data" means that either: the firewall didn't see the complete TCP 3-way handshake, or there were no data packets exchanged after the handshake
- "unknown-tcp": application consists of unknown tcp traffic
- "unknown-udp": application consists of unknown udp traffic
- "unknown-p2p": application matches generic p2p heuristics
- "not-applicable": session is blocked by the firewall

Log Forwarding
The logs on the firewall can be forwarded to multiple locations. Upon generation of a log message, that message can be immediately forwarded to:
- Syslog server
- SNMP manager
- Email
- Panorama
You configure the log message destination via a Log Forwarding Profile.

Unknown Applications
Scenario: a network has a particular application that runs on a specific port, yet the Palo Alto firewall identifies it as "unknown-tcp" or "unknown-udp".
To configure the firewall to identify this app, you will need to do three things:
1. Create a new application
2. Create an application override policy
3. Make sure there is a security policy that permits the traffic

Steps to Define a New Application
1. Objects > Applications, click New
   - Specify the application name and properties
   - On the Advanced tab, enter the port number that uniquely identifies the app
   - Nothing else required; click OK
2. Policies > Application Override > Add Rule
   - Specify the port number
   - Configure the application to be the one you just created
3. Policies > Security > Add Rule
   - Configure as appropriate: src zone, dest zone, src addr, dest addr, src user
   - Select the new app in the application column
   - For service, select "application-default"
   - Select the action you want (permit or deny)
4. Commit

More on Unknown Applications
App override policies are checked before security policies. The app override policy will be used in place of our App-ID engine to identify the traffic.
Security profiles CANNOT be assigned to Application Override policies. Application Override policies bypass the Signature Match Engine entirely, which means that this also eliminates the option of performing Content-ID on this traffic. Because of this fact, the Application Override feature should be used with internal traffic only.
The solution on the previous page is a short-term solution. If the application is a common-use application, it is recommended that the customer submit pcaps of the application to Palo Alto Support. Our engineering team can create a new signature for the particular app.

Source Address Translation
NAT rules are in a separate rulebase than the security policies.
The Palo Alto firewall can perform source address translation and destination address translation.
Shown below is the NAT rule as well as the security rule to perform source translation (screenshots on the slide).

Destination Address Translation
Refer to Slides Notes for scenario details

             Source        Pre-NAT Destination   Post-NAT Destination
Address      65.124.57.5   172.16.15.1           192.168.15.47
Zone         Untrust-L3    Untrust-L3            Trust-L3

Policies > NAT: source = pre-NAT, destination = pre-NAT, translated address = post-NAT.
  Notice the destination zone is the same as the source zone.
Policies > Security: source = pre-NAT, destination zone = post-NAT, destination address = pre-NAT.
  Notice the destination zone is based upon the post-NAT address.

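As an added worked example (not code from the study guide or from Palo Alto Networks), the lookup order from the Security Policy Operation slide and the two NAT slides simulated in Python: the NAT rulebase is matched on pre-NAT zones and addresses, the security rule is matched on the post-NAT destination zone but the pre-NAT destination address, rules are first-match top-down, and unmatched intra-zone traffic is allowed. The zone table and rule names are constructed; the 65.124.57.5 / 172.16.15.1 / 192.168.15.47 values are the slide's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for the routing table: destination prefix -> zone of the
# egress interface. The "forward lookup" that picks the destination zone runs here.
ZONE_ROUTES = {
    "192.168.15.0/24": "Trust-L3",
    "0.0.0.0/0": "Untrust-L3",
}


def zone_for(ip: str) -> str:
    """Longest-prefix match of an IP against ZONE_ROUTES, returning the zone."""
    addr = ip_address(ip)
    best_net, best_zone = None, None
    for prefix, zone in ZONE_ROUTES.items():
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_zone = net, zone
    return best_zone


@dataclass
class NatRule:
    name: str
    src_zone: str        # pre-NAT source zone
    dst_zone: str        # pre-NAT destination zone (same as the source zone on the slide)
    dst_addr: str        # pre-NAT destination address
    translated_dst: str  # post-NAT destination address


@dataclass
class SecRule:
    name: str
    src_zone: Optional[str]  # None means "any"
    dst_zone: Optional[str]  # matched against the post-NAT destination zone
    src_addr: Optional[str]  # matched against the pre-NAT source address
    dst_addr: Optional[str]  # matched against the pre-NAT destination address
    app: Optional[str]
    action: str              # "allow" or "deny"


def lookup_nat(nat_rules, src_ip, dst_ip):
    """NAT rulebase: evaluated with pre-NAT zones and addresses, first match wins."""
    src_zone, dst_zone = zone_for(src_ip), zone_for(dst_ip)
    for r in nat_rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and r.dst_addr == dst_ip:
            return r
    return None


def evaluate(nat_rules, sec_rules, src_ip, dst_ip, app):
    """Return (rule name, action) following the guide's order of operations."""
    nat = lookup_nat(nat_rules, src_ip, dst_ip)
    post_nat_dst = nat.translated_dst if nat else dst_ip
    src_zone = zone_for(src_ip)
    dst_zone = zone_for(post_nat_dst)  # destination zone comes from the post-NAT address
    for r in sec_rules:                # top down; the first match is used, nothing further
        if r.src_zone not in (None, src_zone):
            continue
        if r.dst_zone not in (None, dst_zone):
            continue
        if r.src_addr not in (None, src_ip):
            continue
        if r.dst_addr not in (None, dst_ip):  # security rule still sees the pre-NAT address
            continue
        if r.app not in (None, app):
            continue
        return r.name, r.action
    # No explicit match: intra-zone traffic is allowed by default, inter-zone is not.
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed rules reproducing the slide's destination-NAT scenario.
NAT_RULES = [NatRule("dnat-web", "Untrust-L3", "Untrust-L3", "172.16.15.1", "192.168.15.47")]
# Correct: destination zone is post-NAT (Trust-L3), destination address is pre-NAT.
SEC_RULES = [SecRule("allow-web", "Untrust-L3", "Trust-L3", None, "172.16.15.1", "web-browsing", "allow")]
# Common mistake: writing the post-NAT address into the security rule; it never matches.
SEC_RULES_POST_NAT_ADDR = [SecRule("allow-web", "Untrust-L3", "Trust-L3", None, "192.168.15.47", "web-browsing", "allow")]
# A catch-all deny at the bottom also removes the implicit intra-zone allow.
SEC_RULES_DENY_ALL = SEC_RULES + [SecRule("deny-all", None, None, None, None, None, "deny")]

if __name__ == "__main__":
    print(evaluate(NAT_RULES, SEC_RULES, "65.124.57.5", "172.16.15.1", "web-browsing"))
    print(evaluate(NAT_RULES, SEC_RULES_POST_NAT_ADDR, "65.124.57.5", "172.16.15.1", "web-browsing"))
    print(evaluate(NAT_RULES, SEC_RULES, "192.168.15.10", "192.168.15.20", "ssh"))
    print(evaluate(NAT_RULES, SEC_RULES_DENY_ALL, "192.168.15.10", "192.168.15.20", "ssh"))
```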
Security Profile
Security Profiles look for malicious use of allowed applications.
Security Policies define which applications are allowed.
Profiles are applied to policies that allow traffic.

Using Security Profiles
The profile used for traffic is based on the policy that allows the traffic.
Example:
- Disable FB: App-ID blocks Facebook for Student users; no URL filtering profile.
- General Access: All other users; URL filtering to specific Facebook URLs.

Anti Virus Profiles
A decoder is a software process on the firewall that interprets the protocol. In the antivirus and anti-spyware security profiles you can specify actions based upon the 6 main decoders in the system, shown to the left.

Configuring Exceptions
If you have a threat or virus that you do not want to be detected, you can configure an exception.
Two ways to configure an exception:
1. On the security profile, go to the Exceptions tab and enter the threat ID there.
2. In the threat log, click on the threat or virus name. In the popup window, next to Exceptions click "show", then select the profile to add the exception to.

Email Protocols and AV/Spyware Protection
If a Palo Alto Networks firewall detects a virus or spyware in SMTP, a 541 response is sent to the sending SMTP server to indicate that the message was rejected. This allows the Palo Alto Networks firewall to effectively block viruses distributed over SMTP.
For POP3 or IMAP, the only action the Palo Alto Networks device can ever take is "alert". The device will never block or drop for these protocols, even if you configure an action of "block".
The reason for this is that the POP3 and IMAP protocols will continue to resend the email message again and again if an intermediate device tries to close the session. This is a limitation of the POP3 and IMAP protocols.

Vulnerability Protection
- Provides IPS functionality
- Detects attempts to use known exploits on the network

Custom Response Pages
- Response pages are configured under Device tab > Response Pages.
- You can externally edit and upload those response pages to the device.
- Only the html file can be uploaded to the device; images cannot be uploaded.
- Response pages are displayed in the web browser only, and pertain only to web-based applications. Thus if a threat is detected during, say, a BitTorrent session, the response page will not appear.
- Response pages for web-based applications are not enabled by default.

Disable Server Response Inspection
The vulnerability protection profile by default scans traffic going in both directions (from client to server and from server to client). Most IPSs only examine the traffic from the client to the server. The way to examine traffic from only client to server on the Palo Alto firewall is to check the box "disable server response inspection" in the security policy Options column.

URL Filtering Profile
- Actions can be defined for each category.
- Notification page for users can be customized.
- Allow list and Block list accept wildcards. To specify all servers in a domain called xyz.org, two entries must be created: xyz.org and *.xyz.org
- Upon URL license expiration, the URL database is no longer used; traffic is allowed or blocked based upon the "action on license expiration" field shown here.

URL Filtering Actions
- Allow - Traffic is passed; no log generated.
- Block - Traffic is blocked. Block log generated.
- Alert - Traffic is allowed. Allow log generated.
- Continue - User is warned that the site is questionable. Block-Continue log generated. If the user clicks through, the traffic is allowed and a Continue log is generated.
- Override - Traffic is blocked. User is offered a chance to enter the override password. Block-Override log generated. If the user enters the password, the traffic is allowed and an Override log is generated.

Misc. URL Filtering Topics
Order of checking within a profile:
1. Block list
2. Allow list
3. Custom Categories
4. Cached
5. Pre-defined categories
"Dynamic URL filtering"
- Can be enabled on each URL filtering profile.
- If enabled, the PA device will query the cloud to resolve URLs that are not categorized by the on-box URL database.
To determine the category of a URL from the CLI:
  test url <fqdn>

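As an added example (not the guide's or PAN-OS's own code), the order of checking from the slide above, the wildcard entries from the URL Filtering Profile slide, the per-action log types from the URL Filtering Actions slide and the dynamic-lookup cache, modelled in Python. The on-box database, cache, cloud answers and the profile contents are constructed; the assumption that local lists keep working after license expiry is mine, not the guide's.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Log written for each action, per the "URL Filtering Actions" slide (allow writes none).
ACTION_LOG = {"allow": None, "block": "block", "alert": "allow",
              "continue": "block-continue", "override": "block-override"}

# Constructed stand-ins (not PAN-OS data) for the on-box database and the category cache.
PREDEFINED_DB = {"example-bank.test": "financial-services", "news.example.test": "news"}
CATEGORY_CACHE = {"cached.example.test": "shopping"}


@dataclass
class UrlProfile:
    block_list: List[str]
    allow_list: List[str]
    custom_categories: Dict[str, List[str]]   # category -> host patterns
    category_actions: Dict[str, str]          # category -> action
    license_valid: bool = True
    action_on_license_expiration: str = "allow"


def host_matches(host: str, pattern: str) -> bool:
    """List entries accept wildcards: 'xyz.org' matches only that host,
    '*.xyz.org' matches its subdomains (both entries cover a whole domain)."""
    return fnmatch.fnmatchcase(host, pattern)


def _decide(profile: UrlProfile, category: str) -> Tuple[str, str, Optional[str]]:
    action = profile.category_actions.get(category, "allow")
    return category, action, ACTION_LOG[action]


def categorize(url: str, profile: UrlProfile, dynamic_enabled: bool = False,
               cloud: Optional[Dict[str, str]] = None) -> Tuple[str, str, Optional[str]]:
    """Return (category, action, log type) following the slide's order of checking."""
    host = urlsplit(url).hostname or ""
    if any(host_matches(host, p) for p in profile.block_list):       # 1. block list
        return "block-list", "block", "block"
    if any(host_matches(host, p) for p in profile.allow_list):       # 2. allow list
        return "allow-list", "allow", None
    for cat, patterns in profile.custom_categories.items():         # 3. custom categories
        if any(host_matches(host, p) for p in patterns):
            return _decide(profile, cat)
    # Assumption: the local lists above need no license; the database lookups below do.
    if not profile.license_valid:
        act = profile.action_on_license_expiration
        return "license-expired", act, ACTION_LOG[act]
    if host in CATEGORY_CACHE:                                       # 4. cached
        return _decide(profile, CATEGORY_CACHE[host])
    cat = PREDEFINED_DB.get(host)                                    # 5. pre-defined categories
    if cat is None and dynamic_enabled and cloud is not None:        # dynamic URL filtering
        cat = cloud.get(host)
        if cat:
            CATEGORY_CACHE[host] = cat  # the cloud answer is cached for the next lookup
    return _decide(profile, cat or "unknown")


# Constructed profile for the examples below.
PROFILE = UrlProfile(
    block_list=["*.xyz.org"],
    allow_list=["news.example.test"],
    custom_categories={"intranet": ["*.corp.test"]},
    category_actions={"financial-services": "alert", "shopping": "continue",
                      "intranet": "allow", "unknown": "block"},
)

if __name__ == "__main__":
    for u in ("http://www.xyz.org/", "http://xyz.org/", "https://news.example.test/a",
              "https://cached.example.test/", "https://example-bank.test/"):
        print(u, categorize(u, PROFILE))
```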
Data Filtering Overview
- Scan traffic for potentially sensitive strings of data.
- Data strings are defined by regular expressions.
- A data pattern must be at least 7 bytes in length.
- Default strings are defined for SSN and credit card numbers.
- Each data string is assigned a weight.
- Alert threshold and block threshold are based upon weights.

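As an added example (not code from the guide or from PAN-OS), the weighted-threshold model from the Data Filtering Overview slide in Python: each regex pattern carries a weight, patterns shorter than 7 bytes are rejected, the weighted hit total is compared against the alert and block thresholds. The SSN and credit-card regexes, the Luhn check on card matches, the weights, thresholds and sample payloads are all constructed approximations, not the product's defaults.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MIN_PATTERN_BYTES = 7  # the guide: a data pattern must be at least 7 bytes in length


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (constructed addition): stops random 16-digit runs from
    counting as credit cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class DataPattern:
    name: str
    regex: str
    weight: int
    validator: Optional[Callable[[str], bool]] = None  # extra check on each match

    def __post_init__(self):
        if len(self.regex.encode()) < MIN_PATTERN_BYTES:
            raise ValueError(f"{self.name}: pattern must be at least {MIN_PATTERN_BYTES} bytes")
        self.compiled = re.compile(self.regex)

    def count(self, payload: str) -> int:
        matches = self.compiled.findall(payload)
        if self.validator:
            matches = [m for m in matches if self.validator(re.sub(r"\D", "", m))]
        return len(matches)


def score(payload: str, patterns: List[DataPattern]) -> Tuple[int, Dict[str, int]]:
    """Sum weight x hit count over all patterns; returns (total, hits per pattern)."""
    total, hits = 0, {}
    for p in patterns:
        n = p.count(payload)
        if n:
            hits[p.name] = n
            total += p.weight * n
    return total, hits


def classify(total: int, alert_threshold: int, block_threshold: int) -> str:
    """Alert and block thresholds are compared against the weighted total."""
    if total >= block_threshold:
        return "block"
    if total >= alert_threshold:
        return "alert"
    return "allow"


# Constructed approximations of the default SSN and credit-card patterns.
PATTERNS = [
    DataPattern("ssn", r"\b\d{3}-\d{2}-\d{4}\b", weight=3),
    DataPattern("credit-card", r"\b(?:\d{4}[ -]?){3}\d{4}\b", weight=5, validator=luhn_ok),
]
ALERT_THRESHOLD, BLOCK_THRESHOLD = 5, 10


def inspect(payload: str) -> Tuple[str, int, Dict[str, int]]:
    total, hits = score(payload, PATTERNS)
    return classify(total, ALERT_THRESHOLD, BLOCK_THRESHOLD), total, hits


if __name__ == "__main__":
    # Constructed sample payloads.
    print(inspect("ticket 555-0100, customer SSN 123-45-6789"))
    print(inspect("SSN 123-45-6789, SSN 987-65-4321, card 4111 1111 1111 1111"))
    print(inspect("order 1234 5678 9012 3456"))  # fails Luhn, so it is not a card hit
```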
Data Filtering Password Setup
PCAPs on data filters require a password to be configured. Single password for the firewall, stored locally, configured on the Device tab > Setup screen.
See PowerPoint notes below for more info.

Zone Protection
For each security zone you can define a zone protection profile that specifies how the security gateway responds to attacks from that zone. The same profile can be assigned to multiple zones.
The following types of protection are supported:
- Flood Protection - Protects against SYN, ICMP, UDP, and other IP-based flooding attacks.
- Reconnaissance detection - Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential attack targets.
- Packet-based attack protection - Protects against large ICMP packets and ICMP fragment attacks.
Configure under Network tab > Network Profiles > Zone Protection.

WildFire
WildFire relies upon two main technologies: a virtual sandbox environment and a malware signature generator.
WildFire is enabled via the "Forward" and "Continue and Forward" file blocking actions.

WildFire
- Provides a virtual sandbox environment for Windows PE files.
- A hash of each file is sent to the WildFire cloud. If no existing signature exists, the file is uploaded. The new signature will be made available as part of the next AV update.
- Files up to 10 MB in size can be manually uploaded to the WildFire portal for inspection.

User-ID: Enterprise Directory Integration
- Users no longer defined solely by IP address
- Leverage existing Active Directory/LDAP infrastructure without complex agent rollout
- Identify Citrix users and tie policies to user and group, not just the IP address
- Understand user application and threat behavior based on actual user name, not just IP
- Manage and enforce policy based on user and/or AD group
- Investigate security incidents, generate custom reports

Where are Usernames Used?
1. Stored in logs
   - Sort log data by User/Group
   - Filter logs by User
2. As a value to match in Security Policy
   - Control application use by group
   - Separate unknown user traffic from known user traffic
3. URL Filtering Response pages: the User Name will be displayed

User-ID Agent Setup and Upgrade Procedure
One agent is used for all directory services (AD, LDAP, eDirectory).
The agent setup process is outlined here: User-ID Agent_Setup 5.0.pdf
The most recent version of the User-ID agent should always be used. PAN-OS will auto-detect the agent version and change its behavior accordingly.
The User-ID API can be employed when connectivity to another identity management system is required.

Installing the User-ID agent
Note that a best practice would be to install two User-ID Agents for each domain in the forest for redundancy.
In addition to mapping IP addresses, the User-ID agent can also act as an LDAP proxy to assist in the enumeration process. This behavior is enabled through the selection of the "Use as LDAP Proxy" checkbox.
Don't forget to enable User-ID in the zone which contains the users!

Terminal Server Agent
- Runs on the Terminal/Citrix Metaframe server.
- The TS Agent modifies the client port number for each user.
- The firewall tracks the user by source port, not by IP address.

Captive Portal
Captive portal is a feature of the Palo Alto Networks firewall that authenticates users via an alternate source such as a RADIUS server.
Use captive portal when:
- You have Windows users that are not logging in to the AD domain
  - Authentication can be transparent if using NTLM authentication
- You have Mac or Unix workstations
  - Users will see a login prompt
  - Users using captive portal without transparent NTLM authentication can be authenticated against RADIUS, Kerberos, LDAP, AD, or the local firewall.
- You wish to invoke user identification for users that were not identified via one of the other user identification methods
Once users authenticate with the firewall, user-based policies can be applied to the user's traffic.

Captive Portal (2)
Information on Captive Portal: Using Captive Portal.pdf
A portion of this doc references certificate authentication; certificates are available with PAN-OS 5.0 or higher. The rest of the doc is applicable to PAN-OS 5.1.
Captive Portal NTLM authentication requires the User-ID Agent to be installed. The User-ID agent must have the "Use for NTLM Authentication" checkbox selected.

SSL Decryption
The Palo Alto firewall can perform SSL decryption on connections that are initiated inbound or outbound so that the traffic can be inspected for threats or restricted apps.
Inbound decryption:
- Use when you want to intercept and decrypt users' traffic coming from the Internet to your DMZ servers.
- You must load onto the firewall the same certificates that are on your DMZ servers.
Outbound decryption:
- Use when you want to decrypt users' traffic coming from the internal network and going to the external network.
- You need to have a PKI infrastructure in place for this to be transparent to the user.
- This is referred to as "forward proxy".

Configuring SSL Inbound Decryption Certificate
All certificates on the device (inbound, outbound, admin UI, etc.) are centrally managed under the "Certificates" node on the "Device" tab.
You can add or edit a certificate to establish it as an SSL inbound certificate.
You should create one certificate for each DMZ server that you will be decrypting traffic for.
You can establish different SSL inbound certificates for different inbound SSL decryption rules.

Configuring SSL Outbound Decryption Certificate
You can either generate a self-signed certificate (good for testing purposes) or import a certificate from your company's certificate server.
In order to prevent users from seeing a browser certificate error, it is recommended that you have a PKI infrastructure deployed in your organization. Therefore you will be able to import into the firewall a certificate that is trusted by the users' browsers.
When no internal PKI infrastructure is available, it is possible to distribute the firewall CA certificate to clients, e.g. using Group Policy Objects functionality in Active Directory.

Configuring SSL Inbound or Outbound Policies
Once the appropriate certificates are imported or created, SSL Decryption policies can be created. For either inbound or outbound decryption, the policies are configured under Policies tab > SSL Decryption.
For outbound decryption, add two rules that look like this:
- The first rule will not decrypt any traffic going to the URL categories of finance, health, and shopping.
- The second rule will decrypt (proxy) all other connections. Make sure to choose action "decrypt" on the second rule.

Misc. SSL Decryption
When SSL is decrypted, the app running inside the SSL session will appear in the traffic log. For example:
- http://facebook.com, SSL decryption NOT enabled: the traffic log will show application SSL
- https://facebook.com, SSL decryption enabled: the traffic log will show application is facebook
The firewall will NOT send a response page for a virus detected in decrypted SSL traffic.

Misc HA
HA failover can be triggered by the following three mechanisms:
- Link failure
- Path failure
- Heartbeat loss
Command to view the HA settings/status:
  show high-availability state
Upgrading a PAN-OS HA cluster: https://live.paloaltonetworks.com/docs/DOC-3… (the remaining digits of the document number are lost in the extraction)
If Preemptive mode is enabled, the firewall with the lowest priority setting will become master. Preemptive mode must be enabled on both firewalls.

Steps to configure an IPSec site-to-site VPN
1. Create a tunnel interface
   - Under the Network tab > New Tunnel Interface
   - Assign it to an L3 Zone and a Virtual Router
2. Configure the IPSec Tunnel
   - Under Network tab > IPSec Tunnel
   - If site-to-site with another PAN-OS device, use the simple configuration
   - Set advanced options if required
3. Add a static route to the appropriate Virtual Router, or enable a dynamic routing protocol
   - Under Network tab > Virtual Router
   - Create a route for the remote private network using the tunnel interface
   - Dynamic routing protocols will traverse the tunnel if you assign a static IP to the tunnel interface

Notes about IPSec site-to-site VPNs
Possible IKE phase 1 authentication methods:
- Pre-shared key only

It is possible to configure multiple phase 2 IPSec tunnels to use the same phase 1 gateway, as long as each phase 2 config uses different proxy IDs on that same tunnel interface.

You can attempt to bring up all IPSec tunnels on the device via:
- test vpn ipsec-sa <multiple arguments follow>

GlobalProtect
2013 Palo Alto Networks, the network security company

GlobalProtect | Overview
- License & Components
- Connection Sequence
- GlobalProtect Configuration
  1. Gateways
  2. Portal
  3. Agents
- Host Checks
- Logs

GlobalProtect Licensing
Licensing is based on Portals and Gateways (firewall), not users.

Portal license: one-time perpetual license
- Required on the device that would run the Portal
- Required for multi-gateway deployments

Gateway subscription: annual subscription
- Required on the devices that would check the host profile (HIP check)
- Provides ongoing content updates to check the host profile

(Diagram labels: Portal, Gateway, Single Gateway, Multiple Gateway, Internal Gateway, HIP check.)

GlobalProtect Components
GlobalProtect Portal
- Central authority for GlobalProtect
- Provides list of known gateways
- Provides certificates to validate gateways
- Hosts the GlobalProtect agent for initial download
- May be installed on the same device as a GlobalProtect Gateway
GlobalProtect Gateway
- Provides tunnel termination points
- Enforces security policy for connected users
GlobalProtect Agent
- Software that runs on the endpoint
- Supported on Windows 8, Windows 7, Windows Vista (32/64-bit)
- Mac OS X 10.6/10.7/10.8 (PAN-OS 4.1)
Third Party IPSec Client Support
- iOS 4.3+
- Android 4.0.3+
- Linux vpnc

(Diagram: Portal and Gateway, Gateways, endpoint with GlobalProtect Agent, IPsec clients.)

Agent Software on the Portal
Device > GlobalProtect Client
Connection Sequence
External User Sequence - Step 1
- Remote User authenticates to portal
- Portal pushes:
  Certificates
  List of Gateways
  Agent software updates
  Host internal/external detection parameters
  Host check requirements
External User Sequence - Step 2
- Agent determines if it is inside or outside the corporate network
External User Sequence - Step 3
- Agent checks available GWs
- Automatically connects SSL/IPsec VPN tunnel to the best gateway
External User Sequence - Step 4
- User moves to new location
- Automatically connects to the new best gateway
(Diagram for each step: authentication servers (LDAP, RADIUS, Kerberos) behind a combined Portal and Gateway, with additional Gateways joined by a site-to-site IPSec tunnel.)
Security Policy Enforcement - Example
Policy for Teachers
- Facebook: Allow Read/Post
- Facebook Chat: Block
- Facebook Short URLs: Scan for threats
Policy for Students
- URL Category (Adult, Peer-to-Peer): Block
- Captive Portal & Proxy: Block
- Streaming Video: QoS
(Diagram: teachers and students using laptops at home with Always-On GlobalProtect, teachers and students using laptops at school, and Personal Devices.)
Preparing the Firewall for GlobalProtect
Configuration Components
- HIP Object, HIP Profile
- Tunnel interfaces, L3 interfaces
- Certificates
- Gateway
- Client Software
- Server Profile, Authentication Profile, Local User Database
- Portal
- Client Response Pages
(Diagram: the components above feeding into the Gateway and Portal configuration.)
GlobalProtect Required Certificates
- Certificate Authority (CA) certificate
- GlobalProtect Portal certificate
- GlobalProtect Gateway certificate
- GlobalProtect Client certificate*
*optional
Certificate Profile
Device > Certificate Management > Certificate Profile
Configuration: GlobalProtect Gateway
GlobalProtect Gateway
- Provides security enforcement for traffic from GlobalProtect clients
- Requires a tunnel interface for external clients
- Tunnel interfaces are optional for internal gateways
GP-Gateway | General Tab
Network > GlobalProtect > Gateways
GP-Gateway | Tunnel Settings
Network > GlobalProtect > Gateways
- Default: SSL-VPN
GP-Gateway | Network Settings
Network > GlobalProtect > Gateways
- IP addresses distributed to Clients
- Routes installed on Clients' VPN connection
Configuration: GlobalProtect Portal
GlobalProtect Portal
- Authenticates users initiating connections to GlobalProtect
- Stores client configurations
- Maintains lists of internal and external gateways
- Manages CA certificates for client validations of gateways
GP-Portal | Portal Configuration tab
Network > GlobalProtect > Portals
- Interface hosting the Portal
- Profiles and Certificates are created in advance
- Pages loaded in Device > Response Pages
GP-Portal | Client Configuration - Certificates
Network > GlobalProtect > Portals
- CA certificate
GP-Portal | Client Configurations General tab
- Client VPN interfaces that take precedence over the GlobalProtect interface
- If Hostname resolves to IP Address, then Internal Gateway is used
GP-Portal | Client Configuration Gateways Tab
Client Configuration Agent Tab
- Can view the Troubleshooting tab in the Agent
- End-user can disable the installed Agent
Disabling the GlobalProtect Agent - Ticket
- On the Client system
- On the portal firewall: Network > GlobalProtect Portal
Configuration: GlobalProtect Agent
GlobalProtect Agent
- Authenticates connection against the portal
- Establishes connection with gateways
- Sends HIP reports
- Allows users varying levels of control over the connections
Client Configuration
- Can be left blank if using single sign-on
- Do not include HTTP:// or HTTPS:// in the portal name!
- Manual gateway selection
Advanced View
Troubleshooting GlobalProtect Agent
Host Checks
Host Information Profile (HIP)
(Diagram: Portal, Gateway and Agent; the Agent sends a HIP Report to the Gateway.)
Portal: Client Configuration Data Collection
- Reduces the amount of information being passed by the client to the gateway
Portal: Client Configuration Custom Checks
HIP Objects
- HIP Objects are used to define match criteria for GlobalProtect Clients
Configuring HIP Objects
Objects > GlobalProtect > HIP Objects
- Host Info
- Patch Management
- Firewall
- Antivirus
- Anti-Spyware
- Disk Backup
- Disk Encryption
- Custom Checks
Custom Checks
- HIP objects can check for specific Registry Keys (Windows) or Plist values (Mac)
Example - HIP Objects and Profiles
Objects > GlobalProtect > HIP Objects
Objects > GlobalProtect > HIP Profiles
Security Policy with HIP Profile
Objects > GlobalProtect > HIP Profiles
Policies > Security
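The chain from HIP object to HIP profile to security rule on the preceding slides can be modelled end to end. This is an added example, not code from the study guide or from Palo Alto Networks: objects hold match criteria (OS, antivirus state, encrypted volumes, a custom registry value), profiles combine objects with and/or/not, the first security rule whose HIP profile matches wins, and each matching profile yields a HIP Match log line. The report contents, object names, profile names, rule names and registry path are constructed.

```python
"""Evaluate HIP objects and HIP profiles against a host's HIP report.

Added example, not Palo Alto Networks code. It mirrors the slide structure:
HIP objects hold match criteria (host info, antivirus, disk encryption,
custom registry or plist checks), HIP profiles combine objects with
and/or/not, a security rule that references a profile matches only when the
profile matches, and every profile match yields a HIP Match log entry.
The report, objects, profiles and rules are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed HIP report, in the shape the agent would send to the gateway
SAMPLE_REPORT = {
    "user": "jdoe",
    "host-info": {"os": "Windows 7", "domain": "corp.example"},
    "anti-virus": {"installed": True, "real-time-protection": True},
    "disk-encryption": {"encrypted-volumes": ["C:"]},
    "custom": {"registry": {r"HKLM\SOFTWARE\Example\Agent\Enabled": "1"}},
}


@dataclass
class HipObject:
    """One HIP object; a criterion left at None/empty is not checked."""
    name: str
    os_prefix: Optional[str] = None
    av_realtime: Optional[bool] = None
    encrypted_volumes: tuple = ()
    registry: dict = field(default_factory=dict)   # custom check: key -> expected value

    def matches(self, report):
        if self.os_prefix is not None:
            if not report["host-info"]["os"].startswith(self.os_prefix):
                return False
        if self.av_realtime is not None:
            av = report.get("anti-virus", {})
            if av.get("installed") is not True:
                return False
            if av.get("real-time-protection", False) != self.av_realtime:
                return False
        encrypted = set(report.get("disk-encryption", {}).get("encrypted-volumes", []))
        if not set(self.encrypted_volumes) <= encrypted:
            return False
        found = report.get("custom", {}).get("registry", {})
        return all(found.get(k) == v for k, v in self.registry.items())


def profile_matches(expr, report, objects):
    """expr is an object name or a tuple ("and"|"or"|"not", sub-expressions...)."""
    if isinstance(expr, str):
        return objects[expr].matches(report)
    op, *args = expr
    if op == "not":
        return not profile_matches(args[0], report, objects)
    if op == "and":
        return all(profile_matches(a, report, objects) for a in args)
    if op == "or":
        return any(profile_matches(a, report, objects) for a in args)
    raise ValueError(f"unknown operator {op!r}")


HIP_OBJECTS = {o.name: o for o in [
    HipObject("win-host", os_prefix="Windows"),
    HipObject("av-realtime", av_realtime=True),
    HipObject("disk-encrypted", encrypted_volumes=("C:",)),
    HipObject("agent-enabled", registry={r"HKLM\SOFTWARE\Example\Agent\Enabled": "1"}),
]}

HIP_PROFILES = {
    "corp-compliant": ("and", "win-host", "av-realtime", "disk-encrypted", "agent-enabled"),
    # Windows host failing at least one endpoint-protection check
    "needs-remediation": ("and", "win-host", ("not", ("and", "av-realtime", "disk-encrypted"))),
}

# Constructed security rules in evaluation order; hip=None means no HIP condition
SECURITY_RULES = [
    {"name": "gp-full-access", "hip": "corp-compliant", "action": "allow"},
    {"name": "gp-remediation-only", "hip": "needs-remediation", "action": "allow"},
    {"name": "gp-deny-rest", "hip": None, "action": "deny"},
]


def evaluate_hip(report, objects=HIP_OBJECTS, profiles=HIP_PROFILES):
    """Return {profile name: matched?} for one report."""
    return {name: profile_matches(expr, report, objects) for name, expr in profiles.items()}


def first_matching_rule(report, rules=SECURITY_RULES):
    """Name of the first rule whose HIP condition (if any) holds for the report."""
    results = evaluate_hip(report)
    for rule in rules:
        if rule["hip"] is None or results[rule["hip"]]:
            return rule["name"]
    return None


def hip_match_log(report):
    """Constructed HIP Match log lines, one per matching profile."""
    return [f"user={report['user']} profile={name} match"
            for name, ok in evaluate_hip(report).items() if ok]
```

A host whose real-time antivirus protection is off drops from the full-access rule to the remediation rule, and a non-Windows host matches neither profile and lands on the deny rule; the HIP Match log shows which profiles fired for each report.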
Gateway: HIP Notification
Network > GlobalProtect > Gateways
- Link icon
HIP Match Log
Monitor > Logs > HIP Match
Large-Scale VPNs with GlobalProtect Satellites
- GlobalProtect Satellites connect to existing Portal and Gateways
- Receive network and routing information from Portal like standard clients
- Minimal deployment tasks on Satellite device
- Satellites can be connected to multiple gateways simultaneously
Satellite Deployment
Network > IPSec Tunnels
- Satellite devices can be easily deployed once Portal and Gateways are in place
- Deployment effort on the Satellite side is minimal:
  - Get device connected to the internet
  - Create a tunnel interface
  - Add GlobalProtect Portal hostname to the IPSec Tunnel satellite configuration
Panorama
CNSE Bootcamp
Panorama Benefits
Panorama is designed to provide three benefits:
- Centralized configuration management
- Centralized logging and reporting
- Centralized deployment management
Deployment
Virtual Machine Appliance
- Simple installation and maintenance
- Allows for tailored hardware and operating system
- Disks and CPU can be sized to fit deployment requirements
- Minimum: VMware ESX(i) 3.5+ or VMware Server 1.0.6+
Physical Appliance (M-100)
- Simple, high-performance, dedicated appliance for Panorama
- Simplifies deployment and support for non-VMware environments
- Includes distributed log collection capability for large scale deployments
Licensed by number of managed devices: 25, 100, 1000
Device Groups and Templates
Device Groups manage shared Policies and Objects
Templates manage Network and Device configurations
(Diagram: a Global Shared Group containing Device Group A and Device Group B, each with its own Objects and Policy; Templates supply the Device Configuration for the Network and Device tabs.)
Objects
Types of Objects
- Objects tab objects (e.g. Address groups)
- Server Profiles (SNMP, Syslog, Email, RADIUS, LDAP, Kerberos)
- Auth Profile/Sequence
- Client Cert Profile
- Certificates
- Block Pages
Objects | Precedence
(Diagram: Panorama holds Shared Objects with AddrA: 2.2.2.2 and DG1 Objects with AddrA: 1.1.1.1. Firewall FW-A in DG-1 receives AddrA: 1.1.1.1; firewall FW-B in DG-2 receives AddrA: 2.2.2.2.)
Higher Precedence: device group objects; Lower Precedence: shared objects
Shared Policy | Pre and Post Policy Config
Device Groups manage shared Policy and Objects
Policy can be targeted to groups or specific firewalls
Pre/Post-rules cannot be edited inside firewall once pushed
Managing Shared Objects
- Shared objects can be overridden by creating device group objects with the same name
- Use the Shared Objects Take Precedence option in the Panorama WebUI to turn off the capability for a device group administrator to override objects used in shared policy
Panorama > Setup > Management > Panorama Settings
Managing Policy with Panorama
Panorama policies are tied to Device Groups
- Policy can be targeted to be pushed to device groups or specific firewalls
Panorama rules cannot be edited inside firewall once pushed
Policies > Security
(Screenshot: Panorama Pre Rules shown above the firewall's local rules, Panorama Post Rules below them.)
Policy Evaluation Order
1. Shared Device Group Pre-Rules (Panorama Admins)
2. Device Group Pre-Rules (Panorama Admins)
3. Local firewall rules (Local Admin)
4. Device Group Post-Rules (Panorama Admins)
5. Shared Device Group Post-Rules (Panorama Admins)
Shared Policy | Zones
Zones are required to be manually entered once
- Commit All will fail if Zone does not exist on firewall
Deletion occurs when no references, or only wrong references (e.g. missing, misspelled, or wrong-case names), exist to a Zone string
- No Zone management table like other objects
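The three Panorama behaviours on the preceding slides (device-group objects overriding shared objects unless Shared Objects Take Precedence is set, the pre/local/post evaluation order, and Commit All failing on a zone that is missing or differs in case on the firewall) can be checked in one small model. This is an added example, not Panorama's code or the study guide's: the device groups, firewalls, rule names, address values and zone names are constructed to reproduce the AddrA precedence diagram above.

```python
"""Model Panorama object precedence, rule evaluation order and the zone check.

Added example, not Panorama code. It encodes three statements from the
slides: a device-group object overrides a shared object of the same name
unless "Shared Objects Take Precedence" is set; rules are evaluated as
shared pre-rules, device-group pre-rules, local rules, device-group
post-rules, shared post-rules, first match wins; and a pushed rule naming
a zone that does not exist on the target firewall (names are case
sensitive) makes Commit All fail. Groups, firewalls, addresses and zones
are constructed to reproduce the AddrA diagram.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    from_zone: str   # zone name or "any"
    to_zone: str
    source: str      # address object name or "any"
    action: str


@dataclass
class DeviceGroup:
    name: str
    objects: dict = field(default_factory=dict)      # object name -> IP
    pre_rules: list = field(default_factory=list)
    post_rules: list = field(default_factory=list)


@dataclass
class Panorama:
    shared_objects: dict = field(default_factory=dict)
    shared_pre: list = field(default_factory=list)
    shared_post: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)       # group name -> DeviceGroup
    shared_objects_take_precedence: bool = False

    def resolve(self, group, obj_name):
        """Value a firewall in `group` receives for `obj_name`."""
        scopes = [self.groups[group].objects, self.shared_objects]
        if self.shared_objects_take_precedence:
            scopes.reverse()                       # shared definition wins
        for scope in scopes:
            if obj_name in scope:
                return scope[obj_name]
        raise KeyError(f"{obj_name} not defined for {group}")

    def effective_rulebase(self, group, local_rules):
        """Rules in the order the firewall evaluates them."""
        g = self.groups[group]
        return self.shared_pre + g.pre_rules + list(local_rules) + g.post_rules + self.shared_post

    def commit_all(self, group, firewall_zones):
        """Zone check at Commit All: every zone named by a pushed rule must
        already exist on the firewall, spelled and cased identically.
        Returns the errors; an empty list means the commit proceeds."""
        g = self.groups[group]
        errors = []
        for rule in self.shared_pre + g.pre_rules + g.post_rules + self.shared_post:
            for zone in (rule.from_zone, rule.to_zone):
                if zone != "any" and zone not in firewall_zones:
                    errors.append(f"rule {rule.name}: zone '{zone}' not found on firewall")
        return errors


def first_match(pan, group, local_rules, from_zone, to_zone, src_ip):
    """Name of the first rule matching a flow on a firewall in `group`."""
    for r in pan.effective_rulebase(group, local_rules):
        if r.from_zone not in ("any", from_zone) or r.to_zone not in ("any", to_zone):
            continue
        if r.source != "any" and pan.resolve(group, r.source) != src_ip:
            continue
        return r.name
    return None


# Constructed deployment matching the precedence diagram: AddrA is 2.2.2.2 in
# Shared and overridden to 1.1.1.1 in DG-1; FW-A is in DG-1, FW-B in DG-2.
PAN = Panorama(
    shared_objects={"AddrA": "2.2.2.2"},
    shared_pre=[Rule("shared-pre-deny-AddrA", "any", "any", "AddrA", "deny")],
    shared_post=[Rule("shared-post-deny-all", "any", "any", "any", "deny")],
    groups={
        "DG-1": DeviceGroup("DG-1", objects={"AddrA": "1.1.1.1"},
                            pre_rules=[Rule("dg1-pre-allow-web", "trust", "untrust", "any", "allow")],
                            post_rules=[Rule("dg1-post-deny-all", "any", "any", "any", "deny")]),
        "DG-2": DeviceGroup("DG-2"),
    },
)
FW_A_LOCAL = [Rule("local-allow-dmz", "trust", "dmz", "any", "allow")]  # added on FW-A itself
FW_A_ZONES = {"trust", "untrust", "dmz"}
FW_B_ZONES = {"Trust", "Untrust"}   # differ only in case from what the DG-1 rules name
```

On FW-A the shared pre-rule is hit first and AddrA means 1.1.1.1 there, while on a DG-2 firewall the same host is not AddrA and falls through to the shared post-rule; a firewall whose zones are capitalised differently fails the commit with one error per mismatched zone reference.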
How to Use Templates
- Device specific settings applied to only one device
- Common settings spread across multiple devices
Select Template in Device and Network Tabs
Override Values on Managed Device
Individual fields can be overridden where granularity is needed
e.g., Device > Setup, User Identification, High Availability
(Screenshot callouts: an icon indicating an overridden value; the template name and value shown upon revert; an icon indicating a templated value; the templated value itself.)
Context Switch
Device configuration editing is done through Context switch
- Controlled via Administrator and Access Domain
- Panorama proxies the management connection
Access can be given to admins based on Device[/VSYS]
Commit Workflow
A Panorama commit must happen before any other type of commit can run
Logging and Reporting
- Panorama aggregates logs from entire deployment
- Device log buffering occurs so logs are not lost
- ACC and custom reports do not require log forwarding
Panorama Distributed Architecture
With the M-100, manager and log collector functions can be split
Deploy multiple log collectors to scale collection infrastructure
- Log collection can only be run on the M-100 platform
Aggregate Logging
(Diagram: Firewall 1 and Firewall 2 forwarding logs to Panorama.)
Logging and Reporting Configurations
- Long term log storage and local reporting require log forwarding
- ACC browsing and Reports do not require explicit log forwarding
Logging and Reporting Data Types
Scheduled reports (Built-in & User defined)
- Utilize 60min statistics files
- Aggregate file data when schedule is executed
Built-in reports database selection
- Panorama vs. Firewall <logDB>
- Run Now with Firewall DB pulls data dynamically
All logs are sent with serial number of the individual firewalls
Questions?