Ultimate Test Drive: Virtualized Data Center

Ultimate Test Drive – VDC
ULTIMATE
TEST DRIVE
Virtualized Data Center
Securing the Software Defined Data Center
Workshop Guide
Panorama, VM-Series (PAN-OS 8.0), vCenter 6.0 with

NSX Manager 6.2
http://www.paloaltonetworks.com
UTD-VDC 3.0 © 2017 Palo Alto Networks, Inc. | Confidential and Proprietary 20171011
Table of Contents
Activity 0 – Log in to UTD Workshop 5

Task 1 – Log in to your Ultimate Test Drive class environment 5
Task 2 – Log in to the Student Desktop 6
Task 3 – Perform connectivity check 9
Activity 1 – Explore VM-Series on VMware NSX Integration Components 10

Task 1 – Log in and review Panorama Management System 11
Task 2 – Log in and review vSphere Web Client 13
Task 3 – Review the VMware VXLAN Configuration 16
Task 4 – Isolation/port based segmentation of guest VM’s with VMware Distributed Firewall 17
Activity 2 – Enable Application Control 19

Task 1 – Log in to guest VM 19
Task 2 – Review traffic logs in Panorama 20
Task 3 – Modify the firewall policy 21
Task 4 – Verify the firewall policy 23
Activity 3 – Enable Dynamic Security Policies 24

Task 1 – Create Dynamic Address Group in VM-Series 24
Task 2 – Modify Security Group on vCenter 26
Task 3 – Modify Security Tag on Guest VMs 28
Activity 4 – Panorama Managed Security Policy Rules 30

Task 1 – Modify the VM-Series Firewall Policy 30
Task 2 – Create Steering Rules 31
Task 3 – Review the vSphere Security Policy 32
Task 4 – Review Dynamic Address Group 33
Task 5 – Verify Application Visibility on VM-Series 33
Activity 5 – Enable Advanced Threat Protections 34

Task 1 – Enable Security Profile 34
Task 2 – Review Security Profiles 35
Task 3 – Verify the firewall policy and protection profile 36
Activity 6 – Automate Security Actions: Quarantine Infected Guest VMs 37

Task 1 – Review DAG for Quarantined Hosts 37
Task 2 – Review Panorama Server Profile and Log Settings 38
Task 3 – Dynamically Quarantine Infected Host 40
UTD-VDC 3.0 2
Task 4 – Remediate Quarantined Host 42
Activity 7 – Enable Secure Multi-tenancy 43

Task 1 – Review second tenant configuration 43
Task 2 – Review traffic steering rule 44
Task 3 – Review Dynamic Address Groups 45
Task 4 – Review overlapping IP addresses 45
Task 5 – Review firewall from CLI 46
Activity 8 – Build Custom Security Reports 48

Task 1 – Review Application Command Center (ACC) 48
Task 2 – Creating a custom report 49
Activity 9 - Feedback on Ultimate Test Drive 50

Task 1 – Take the online survey 50
Appendix-2: Network Diagram 52
UTD-VDC 3.0 3
How to use this guide

The activities outlined in this Ultimate Test Drive guide are meant to contain all the information necessary to
navigate the Palo Alto Networks graphical user interface (GUI). This guide is meant to be used in
conjunction with the information and guidance provided by your facilitator.
Once these activities are completed:

You should be able to:
1. Navigate the Palo Alto Networks GUI

2. Review portions of the security platform configuration
3. Change the configuration to affect the behavior of traffic across the security platform
This workshop covers only basic topics and is not a substitute for training classes conducted at a Palo Alto
Networks Authorized Training Center (ATC). Please contact your partner or regional sales manager for
more training information.
Terminology
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each Tab found in the left-hand column of each screen.
Note: Unless specified, the “Chrome” web browser will be used to perform any tasks outlined in the
following Activities. (These apps are pre-installed on the desktop of the workshop PC.)
UTD-VDC 3.0 4
Activity 0 – Log in to UTD Workshop

In this activity, you will:
• Log in to the Ultimate Test Drive Workshop from your laptop
• Connect to the student desktop and verify connectivity to other lab devices
• Review the workshop network
Task 1 – Log in to your Ultimate Test Drive class environment

Step 1: First, make sure your laptop is installed with a modern browser that supports HTML 5.0. We
recommend using the latest version of Firefox®, Chrome or Internet Explorer®. We also recommend you
install the latest Java® client for your browser.
Step 2: Go to the class URL. Enter your email address and the passphrase. If you have an invitation email,
you can find the class URL and passphrase in the invitation email, or the instructor will provide you with the
class URL and passphrase.
Step 3: Complete the registration form and click “Register and Login” at the bottom.
Step 4: Depending on your browser, you will be asked to install a plugin; please click “Yes” to allow the
plugin to be installed and continue the login process.
UTD-VDC 3.0 5
Step 5: Once you log in, the environment will be automatically created for you. Click on “Start Using This
Environment” when the Environment is ready.
Step 6: The UTD NSX Environment consists of the following core components: “Student Desktop”,
“Panorama”, “vCenter”, “NSX Manager”, “ESXi-Host1” and “ESXi-Host2”. You will access all these
components through the “Student Desktop”.
Task 2 – Log in to the Student Desktop

Step 1: Click the “Student Desktop” tab at the top of the page to connect to the Windows desktop.
Step 2: You will be connected to the “Student Desktop” through your browser.
UTD-VDC 3.0 6
Step 3: If the “Student Desktop” resolution is too high or too low for your laptop display, you can adjust the
resolution from the left-hand pane. You can also click the “Full screen” icon to maximize the display.
Note: The default connection to the “Student Desktop” uses RDP over HTML5 protocol through the
browser.
Optional Step 4: If you encounter connection issues with the “Student Desktop”, click the “Reconnect” icon
to re-establish the connection.
UTD-VDC 3.0 7
Optional Step 5: If the reconnect to the “Student Desktop” remains unsuccessful, please verify your laptop
connectivity using the following link.
http://test.cloudshare.com/
Optional Step 6: If the connectivity test passed, please close the browser and retry from Task1, Step 1. If
the connectivity test failed, please ask the instructor for further assistance.
UTD-VDC 3.0 8
Task 3 – Perform connectivity check
Step 1: Once logged in to the Student Desktop, you can run the “PingCheck” script at the lower left corner
of the desktop.
Step 2: The “PingCheck” script will ping the management interfaces of all the major components in the lab
environment. If there is a failure in the ping check, you can go to the “VM List” tab and reboot the VM. Note
that it may take some time for the VM to reboot.
End of Activity 0.
UTD-VDC 3.0 9
Activity 1 – Explore VM-Series on VMware NSX

Integration Components
Background: The VM-Series firewall extends safe application enablement to virtualized and cloud
environments using the same PAN-OSTM feature set that is available in physical security appliances.
The core of the VM-Series is the next-generation firewall, which natively classifies all traffic,
inclusive of applications, threats and content, then ties that traffic to the user, regardless of location
or device type. Panorama, the centralized management solution, provides you with the ability to
manage the Palo Alto Networks virtual and physical firewalls from a centralized location. This means
you will be able to view all your firewall traffic; manage all aspects of device configuration; push
global policies; and generate reports on traffic patterns or security incidents - all from one central
location. This activity introduces the integration between VM-Series firewall, Panorama, VMware
vCenter and the NSX solution.
Panorama and vCenter overview:

• Overview of Panorama, VM-Series virtual firewall, vCenter and NSX Manager
• Log in to the management interface of the major components

• Review the Panorama centralized management system
• Learn about context switching in Panorama
• Log in and review the configuration needed for NSX integration on Panorama, vCenter and
NSX Manager
• Review VXLAN configuration and Distributed Firewall on NSX manager
Network topology
UTD-VDC 3.0 10
Task 1 – Log in and review Panorama Management System

Step 1: Launch the Chrome browser by clicking on the taskbar shortcut. The login pages should
automatically be loaded.
Step 2: Click on the “Panorama” (IP: 10.30.51.23) bookmark in the Chrome browser, using the following
login and password:
Login: vdcstudent
Password: utdvdc135
Step 2: You are now logged into to Panorama Management System and should see the main dashboard.
Notice the “Device Name” under “General Information” is “Panorama”. This indicates that you are looking at
the Panorama web interface.
Step 3: Click on the “Panorama” tab on top and “Managed Devices” node on the left-hand side to review the
VM-Series firewalls that are managed by Panorama.
UTD-VDC 3.0 11
Step 4: You can manage individual Palo Alto Networks firewalls (physical and virtual) by selecting them
from the context drop-down menu. Click on the drop-down menu under “Context” on the upper left-hand
corner, and change it from “Panorama” to “PA-VM:10.30.51.11” to switch context to the firewall PA-
VM:10.30.51.11.
Step 5: After the context is loaded, notice the device name is shown under “Context”. The device name is
also shown in “General Information” in the “Dashboard” tab. Notice that the management GUI of a single
firewall is very similar to Panorama Central management GUI, this makes it easy for the administrators to
switch from device management to centralized management.
Step 6: Switch the “Context” back to “Panorama” to view the Panorama web interface.
Step 7: After switching context back to Panorama, click on the “Panorama” tab on top, click on the “Service
Managers” and “Service Definitions” nodes on the left (under “VMware NSX) to review the configuration to
integrate Panorama with
UTD-VDC 3.0 12
VMware NSX Manager. Important: Do not change anything here.
Task 2 – Log in and review vSphere Web Client

Step 1: On the Chrome browser, click on the “vSphere Web Client” bookmark to open the “vSphere Web
Client” to vCenter (IP: 10.30.51.21).
Step 2: Log in to vCenter using the following login and password:
Login: administrator@utd.local
Password: Password1!
Note: If you get an error or invalid login when trying to log in, refresh the browser page.
Step 3: On the Home page, click on “Host and Clusters”.
UTD-VDC 3.0 13
Step 4: Review the hosts and the guest VMs managed by this vCenter. The “UTD-NSX-Service-Definition
(1) / (2)” guest VMs installed in the UTD-VDC-Cluster are the PA-VM:10.30.51.12 and PA-VM:10.30.51.11
hypervisor firewalls managed by Panorama.
Note The VM-Series firewall is installed as a guest service VM on the host, the icon for the service VM is
different from the regular guest VM.
Step 5: Click on the “DB-Server-1a” VM and review which host the guest VM is installed on. Review the VM
summary for “DB-Server-1b” and “Web-Server-1”. It is important that VMware-Tools are running on the guest
VMs. If VMware-Tools is not running, reboot the guest VMs to restart VMware-Tools.
Step 6: Click on the “Home” icon on the top to go back to the home page.
UTD-VDC 3.0 14
Step 7: Click on “Networking & Security” and click on “NSX Managers” at the bottom of the list on the left-
hand side.
Step 8: Review that NSX Managers (10.30.51.22) is installed and registered with this vCenter.
Step 9: Go to “Networking & Security” > “Service Definitions” > “Services” to verify that the VM-Series
firewall is registered as a service on NSX Manager.
Step 10: In a production environment, there are some other steps required to prepare the ESXi hosts for
service deployment. These steps have been performed for you in this environment.
UTD-VDC 3.0 15
Task 3 – Review the VMware VXLAN Configuration

Step 1: Go to “Networking & Security” and “Installation”, click “Management” and review that the “NSX-
Controller-1” is installed under “NSX Controller nodes”
Step 2: Go to “Networking & Security” and “Installation”, click on “Logical Network Preparation” and verify
that the “VXLAN transport” is installed on all the hosts in the cluster. Click the triangle icon to expand the
cluster.
Step 3: Finally verify that the “Logical Switches”, “UTD-VXLAN-tenant1” and “UTD-VXLAN-tenant2” are
present and “Status” reports as “Normal”.
UTD-VDC 3.0 16
Task 4 – Isolation/port based segmentation of guest VM’s with VMware

Distributed Firewall
Step 1: On the student desktop, use the “putty” application to SSH into the “DB-Server-1a” management
interface (10.30.51.181). (You can load the IP address from the “Saved Sessions” in putty or use the
shortcut on the desktop)
Login: student
Step 2: From the “DB-Server-1a” ping “DB-Server-1b” at 172.16.5.182. Did you get a ping response? (Yes,
you should get a ping response.)
Step 3: From the vSphere Web Client, go to “Firewall” under “Networking &Security”. Click the arrow to
expand the section “UTD-NSX (Rule 1)” to see the rule “Block-Between-DB” in the “Configuration” tab under
“General”
Step 4: Under the “Action” column, click the pencil icon in the upper right-hand corner. Change the Action
from “Allow” to “Block” and select ‘Log” to enable logging, then click “Save”. Also, notice that “Any” is
selected in the “Service” column, so this rule will block traffic on all ports.
UTD-VDC 3.0 17
Step 5: Click the pencil icon in the “Applied To” column. In the “Block-Between-DB – Specify Applied To”
window, uncheck “Apply this rule on all clusters on which Distributed Firewall is installed.” and then choose
"Virtual Machine” in the “Object Type” pull-down. Note that “Object Type” is not visible until the checkbox is
deselected. Under the “Available Objects” box, select “DB-Server-1a” and click the blue right-hand arrow to
move it to the “Selected Objects” box. Repeat for “DB-Server-1b”. Click “OK” to finish.
Step 6: Click on “Publish Changes” to deploy the changes.
Step 7: Go back to the “DB-Server-1a” SSH session and try to ping “DB-Server-1b” on 172.16.5.182 again.
Did you get a ping response? (You should not get a response from the ping because you have successfully
blocked traffic between DB-Servers using the NSX distributed firewalls.)
End of Activity 1.
UTD-VDC 3.0 18
Activity 2 – Enable Application Control

Background: Many organizations use virtual local area networks (VLANs) to segment their network.
Though VLANs do isolate network traffic within the layer-2 domain, they cannot enforce the control
of privileged information. Specifically, VLANs cannot control applications within the same VLAN.
True network segmentation - which happens at the application layer - requires a firewall that
understands your applications, users, and content without being limited by the network topology.
Panorama and PAN-OS features:
• Enabling an application in the firewall policy
• Application-ID and application-default ports
• Logging and reporting for verification
• Modify VM-Series firewall policy on Panorama to use application names (App-ID)
• Commit the firewall policy to device group through Panorama
Task 1 – Log in to guest VM

Step 1: Return to your SSH session to “DB-Server-1a”. If logged out, use the “putty” application to SSH into
the “DB-Server-1a” management interface (10.30.51.181) on ESXi-Host1. (You can load the IP address from
the “Saved Sessions” in putty or use the shortcut on the desktop)
Login: student
UTD-VDC 3.0 19
Step 2: DB-Server-1a has two network interfaces, one for management (10.30.51.181) and one for data
(172.16.5.181). Our policies will focus on enabling an application on the data interface. Ping the data
interface of Web-Server-1 (172.16.5.191) on ESXi-Host-2 from DB-Server-1a. You should see a ping
response from the Web-Server-1. Note that both DB-Server-1a and Web-Server-1 data interfaces are on
the same network.
Step 3: SSH from DB-Server-1a (172.16.5.181) to Web-Server-1 (172.16.5.191) using the command “ssh
student@172.16.5.191” with password “Password1!”. Did you get a SSH response from Web-Server-1?
(Web-Server-1 should not be responding to the SSH request.) Control+C to stop the SSH attempt.
Task 2 – Review traffic logs in Panorama

Step 1: On the student desktop, use the Chrome browser to log in to the Panorama Web interface and go to
the “Monitor” tab.
Step 2: Click on the “Traffic” node under “Logs” on the left-hand side to review the firewall policies log.
Make sure the “Context” on top is set at “Panorama”.
Step 3: Click on the “Refresh” button on the upper right corner if necessary to display the latest log entries.
Step 4: You can search the log by clicking on any field to add the search text and modify it accordingly.
Search the logs for the SSH application by entering the search text “(app eq ssh)” (without the quotations).
Step 5: See that SSH application is being denied by the firewall policy.
UTD-VDC 3.0 20
Task 3 – Modify the firewall policy

Step 1: Click on the “Policies” tab on top and click on “Pre-Rules” under “Security” node on the left. Make
sure that Device Group “UTD-NSX-FW-DG” is selected.
(If the subject has not been covered by now, please ask the instructor to explain the differences between
“Pre Rules” and “Post Rules” in Panorama.)
Step 2: Click on the “From Database Group1a” policy to open the “Security Policy Rule” and then click on
the “Application” tab.
Step 3: Add “ssh” to “Applications”.
Step 4: In the “Service / URL Category” tab, change the “Service” from “any” to “application default”. (This
will allow the applications to only run on its default ports.)
Step 5: Click “Ok” on the Security Policy Rule window.
UTD-VDC 3.0 21
Step 6: Click “Commit” on the top right-hand corner to commit the policy changes.
Step 7: Select “Commit to Panorama” and click “Commit” to commit the changes to Panorama. (This saves
the changes to the Panorama configuration file)
Step 8: Click “Close” when the commit process is completed.
Step 9: Click “Commit” again on the top right-hand corner.
Step 10: This time, select “Push to Devices”. Then click “Push”. (This commits the policy changes to the
firewalls.)
Step 11: The “Task Manager” window will appear. The “Commit All” task will then appear. First in a status of
Pending and then Completed. Click “Close” when the commit process is finished.
UTD-VDC 3.0 22
Task 4 – Verify the firewall policy

Step 1: Go back to the putty application in Task 1 and SSH to the Web-Server-1 (172.16.5.191) again from
DB-Server-1a. You should be able to SSH to the Web-Server-1 now. Use “student / Password1!” as login.
Note: Exit from the Web-Server-1 SSH session after the verification is completed.
Note: DB-Server-1a and Web-Server-1 are installed on different ESXi hosts in this example, the NSX
and VM-Series integrated solution works the same no matter where the VMs are installed.
Step 2: Go back to Panorama and refresh the traffic log. You should see traffic logs that shows ssh
application is now allowed.
Step 3: Clear the text in the search field to see the other logs.
End of Activity 2.
UTD-VDC 3.0 23
Activity 3 – Enable Dynamic Security Policies

Background: In a data center, virtual machines are added, moved or deleted in a matter of minutes
creating an ever-changing environment that is very difficult for security administrators to manage
and maintain without an automated security workflow. Through the integration with NSX Manager,
the Dynamic Address Groups (DAG) feature on VM-Series firewall provides the ability to tie security
policies to a virtual machine’s IP address changes and movement instantaneously. It allows you to
keep track of the IP addresses assigned to your guest VMs.
Panorama, PAN-OS and vCenter features:
• Dynamic Address Groups(DAG)

• Guest VM Security Tags in vCenter
• Security Groups in vCenter
• Create DAG on Panorama and link it to a Security Group in vCenter

• Create a dynamic NSX Security Group with Security Tags in vCenter
Task 1 – Create Dynamic Address Group in VM-Series

Step 1: From Panorama, click on the “Objects” tab.
Step 2: Click on the “Address Groups” node on the left-hand side. Make sure the “Panorama” is shown
under “Context” and “UTD-NSX-FW-DG” is shown under “Device Group”.
Step 3: Click “Add” at the bottom of the “Address Group” page to create another Dynamic Address Group
for the DB-server-1b group.
Step 4: Enter “DB-Server-DAG1b” under Name on new “Address Group” page
UTD-VDC 3.0 24
Step 5: Select “Dynamic” under “Type”.
Step 6: In the “Match” text area, enter the following, exactly as shown:
'_nsx_DB-Server-DAG1b'
The single quotes (and _nsx_) are required for Panorama to push the DAG to NSX. The rest of the field
must match the “Name” of the DAG.
Click “OK”.
Step 7: Log in to vSphere Web Client, on the home page, click on “Networking and Security”.
Step 8: Click the “Service Composer” node on the left and then click the “Security Groups” tab on the right.
These Security Groups were automatically generated from Panorama previously and match the existing
dynamic address groups. Note that the Security Group for “DB-Server-DAG1b” is not present as we have not
done a commit on Panorama.
Step 9: Return to Panorama. Click on “Commit” and select “Commit to Panorama” to commit changes to
Panorama, and then commit again, select “Push to Devices” and “Push” to commit the changes to all the
firewalls.
UTD-VDC 3.0 25
Step 10: Review the address entry in the new “DB-Server-DAG1b” by clicking on “more...” in the
“Addresses” column. There should be no address in new Dynamic Address Group at this point.
Task 2 – Modify Security Group on vCenter

Step 1: From the vSphere Web Client, go to “Networking and Security” > “Service Composer” > “Security
Groups”. ”UTD-NSX-Service-Definition_DB-Server-DAG1b” was just generated from Panorama after the
commit.
Step 2: Notice that “DB-Server-DAG1b” security group shows “0” under “Virtual Machines” indicating that
there are currently no virtual machines in this security group. (You may need to adjust the column width to
see the column entries.)
UTD-VDC 3.0 26
Step 3: Select and right-click “UTD-NSX-Service-Definition_DB-Server-DAG1b” security group and click on

the “Edit Security Group”.
Step 4: In the “Edit Security Group” window, select “2 Define dynamic membership”. Click the green “+” to
see the “Membership criteria 1” window. Click “Add”
Step 5: Set the first drop-down to “Security Tag”, the second to “Equals to” and enter “DB-Server-Group1b”
in the text box on the right-hand side.
Step 6: Click “Finish”.

Notice the “Virtual Machine” count has not changed. We need to tag the appropriate VM first.
UTD-VDC 3.0 27
Task 3 – Modify Security Tag on Guest VMs

Step 1: Click on “Home” to return to the home page and then click on “Hosts and Clusters” to view the guests.
Step 2: Click on “DB-Server-1b” and click on the “Summary” tab on the right.
Step 3: Scroll down then click “Manage” under “Security Tags”. (If you don’t see any widgets in “Summary”
page, you may need to logout and log back in to vCenter to refresh the display.)
Step 4: Select “DB-Server-Group1b” under “Filter” and click “OK”.
UTD-VDC 3.0 28
Step 5: Repeat Task 2, Step 1 to review the “DB-Server-DAG1b” security group now. You should see that is
one virtual machine added to the security group now. You can click on the number to see the VM in this
group.
Note: The “DB-Server-DAG1b” DAG is not populated on the Panorama side at this time. NSX pushes this
information once a steering rule using that DAG is in use on the NSX side. We will do this in the next activity.
End of Activity 3.
UTD-VDC 3.0 29
Activity 4 – Panorama Managed Security Policy Rules

Background: Panorama serves as the single point of configuration that provides the NSX Manager
with the contextual information required to redirect traffic from the guest virtual machines to the VM-
Series firewall. The traffic steering rules are defined on Panorama and pushed to NSX Manager;
these determine what traffic from which guests in the cluster are steered to the Palo Alto Networks
NGFW service. Security enforcement rules are also defined on Panorama and pushed to the VM-
Series firewalls for the traffic that is steered to the Palo Alto Networks NGFW service.
Panorama and vCenter features:

• Firewall policy with Dynamic Address Group (DAG)
• Panorama auto-generated steering rules
• NSX Partner Security Services

• Setup security policy to redirect the traffic between guest VMs to the VM-Series firewall
• Generate steering rules that will be automatically pushed to NSX
Note: you must complete Activity 3 before you continue to Activity 4 and 5.
Task 1 – Modify the VM-Series Firewall Policy

Step 1: Log in to Panorama, go to the “Policies” tab. Make sure the “UTD-NSX-FW-DG” Device Group is
selected.
Step 2: Go to the “Pre Rules” under “Security” on the left-hand side.
Step 3: Select the rule “From Database Group1b” and click on “Enable” at the bottom to enable this policy.
UTD-VDC 3.0 30
Step 4: The color of the policy will change to light blue to indicate that it is enabled. Click on the policy name
to edit the policy.
Step 5: Click the rule name “From Database Group1b” to edit the policy. In the “Source” tab in the “Security
Policy Rule” window and add “DB-Server-DAG1b” to the “Source Address”.
Step 6: Click the “Destination” tab in the “Security Policy Rule” window and add “Web-Server-DAG1” to the
“Destination Address”.
Step 7: Click the “Application” tab and review that “Any” application is allowed by this policy.
Step 8: Click the “Actions” tab and make sure “Allow” is checked under “Action Setting”. Click “OK” to close
the Rule windows.
Task 2 – Create Steering Rules

Step 1: From the vSphere Web Client, go to “Networking & Security” > “Firewall” > “Partner security
services”. Expand the “PAN_UTD-NSX-Service-Definition_UTD-tenant-1” and “…tenant-2” rules by clicking
the right-facing arrow. These are the same rules that were previously enabled on Panorama.
UTD-VDC 3.0 31
Step 2: Go back to Panorama. From the “Panorama” tab, click the “Steering Rules” node under “VMware
NSX”. These are the steering rules previously created from the NGFW security rules and match the rules in
the NSX “Partner security services”.
Step 3: Click “Auto-Generate Steering Rules” at the bottom to create a new steering rule based on the
security rule we just did in the previous task. Click “Yes” in the “Confirm Generation” window.
Step 4: Commit the policy changes to “Panorama” and then “Push to Devices”.
Task 3 – Review the vSphere Security Policy

Step 1: Return to the vSphere Web Client, go to “Networking & Security” > “Firewall” > “Partner security
services”.
Step 2: Expand the “PAN_UTD-NSX-Service-Definition_UTD-tenant-1” and “…tenant-2” rules. These are

the same rules from Task 2, Step 3. Note that the original “From Database Group1b” security policy is now
present.
Note: The rules have been automatically pushed from Panorama to NSX. No further configuration is
necessary on the NSX side.
UTD-VDC 3.0 32
Task 4 – Review Dynamic Address Group

Step 1: From Panorama, go to the “Panorama” tab, then click the “Service Managers” node under “VMware
NSX”. Click the “Synchronize Dynamic Objects” link. Click “Yes” on the pop-up window. This step is needed
in our CloudShare environment.
Step 2: From the “Objects” tab, go to “Address Groups”.
Step 3: Click on “more…” in “Addresses” column for “DB-Server-DAG1b” and you should see the IP
addresses of the DB-Server-1b automatically added to the DAG.
Task 5 – Verify Application Visibility on VM-Series

Step 1: Use the putty application shortcut “DB-Server-1b” to open a SSH session to DB-Server-1b
(10.30.51.182).
Step 2: From DB-Server-1b, ping the data interface of Web-Server-1 (172.16.5.191), the ping session
should go through. You can also do that for SSH “ssh student@172.16.5.191 / Password1!” and SSH should
go through.
Step 3: Go back to the Panorama web interface, click on the “Monitor” tab and the “Traffic” node under
“Logs”.
Step 4: You should be able to see the application sessions between the “Web-Server-1” and “DB-Server-1b”
on Panorama. You can filter the logs from the policy you enabled in Task 1 by entering “( rule eq ‘From
Database Group1b’) in the search box on top of the logs. (Logs can take a couple of minutes before it shows
up.)
Note: DB-Server-1b and Web-Server-1 are installed on the same ESXi host in this example, the NSX
and VM-Series integrated solution works the same no matter where the VMs are installed.
End of Activity 4.
UTD-VDC 3.0 33
Activity 5 – Enable Advanced Threat Protections

Background: Network-based threat protection has evolved to include many disciplines from the
prevention of vulnerability exploits (IPS) to a wide range of malware protection, botnet detection and
protection. We will demonstrate the core threat prevention capabilities of the Palo Alto Networks
platform and how it can be used to protect guest VMs.
Panorama and PAN-OS features:

• Security Profile
• Antivirus, Vulnerability Protection and Anti-spyware
• Threat Logs

• Enable Antivirus, Vulnerability Protection and Anti-Spyware profiles to protect application
between guest VMs
• Review the threat logs on Panorama
Note: You must complete Activity 3 and 4 before you continue on to Activity 5.
Task 1 – Enable Security Profile

Step 1: In Panorama GUI, click “Policies” tab and click on the policy “From-Database-Group1b” to edit the policy.
Step 2: Click on the “Actions” tab in the “Security Policy Rule” window.
Step 3: Under “Profile Setting”, select “Profiles” in the “Profile Type” drop-down menu.
Step 4: Select “default” profile for “Antivirus”.
UTD-VDC 3.0 34
Step 5: Select “strict” profile for “Vulnerability Protection”
Step 6: Select “strict” profile for “Anti-Spyware” and click “OK” to close the “Security Policy Rule” window.
Step 7: Commit the policy changes to “Panorama” and “Push to Devices”.
Task 2 – Review Security Profiles

Step 1: In Panorama, go to “Objects” tab and click the “Antivirus” node under the “Security Profiles” on the
left-hand side.
Step 2: Click on the name of the Antivirus security profile, to review the profile setting
Step 3: Review the profile settings for “strict” Anti-Spyware profile and the “strict” Vulnerability Protection
profile.
UTD-VDC 3.0 35
Task 3 – Verify the firewall policy and protection profile

Step 1: Use the putty application shortcut “DB-Server-1b” to open a SSH session to DB-Server-1b
(10.30.51.182).
Step 2: From “DB-Server-1b” ping “Web-Server-1” data interface at “172.16.5.191”, you should get a valid
ping response back.
Step 3: Use the “wget-sample1” script file with command: “./wget-sample1” to perform wget file“sample1”
from the “Web-Server-1” over http.
Step 4: You should be able to get file “sample1” from Web-Server-1. “sample1” is a basic html file and you
can review the content with the “more” command: “more sample1”.
Step 5: Use the “wget-sample2” script file with command “./wget-sample2” to perform wget file “sample2”
from the “Web-Server-1” over http.
Step 6: The wget command should fail this time and the connection is closed.
Step 7: Go to Panorama GUI, click on “Monitor” tab, node “Logs” > “Threat”. Review the “Eicar” entry.
“sample2” file is actually an EICAR virus test file and it is blocked by the VM-Series firewall antivirus
protection. (If you don’t see the log entries, wait for about 30 sec and refresh to “Threat” log view.)
Note: wget is essentially a HTTP GET command, therefore the VM-Series firewall treats it as a Web-
browsing application.
End of Activity 5.
UTD-VDC 3.0 36
Activity 6 – Automate Security Actions: Quarantine

Infected Guest VMs
Background: Threat and traffic logs in PAN-OS include the source or destination universally unique
identifier (UUID) of guest VMs in your NSX deployment. This allows the VM-Series for NSX to support
the tagging of guest VMs with NSX security tags. With the guest VMs’ UUID now included in the log
events, the firewall, based on the filtered log events, can tag the affected guest VM via NSX Manager
API. This allows for automatic location of compromised VMs in the NSX environments. NSX can then
put all associated UUIDs under policies to quarantine those VMs from the rest of the network.
Panorama includes predefined payload formats for threat and traffic logs in the HTTP Server Profile.
These payload formats correspond to predefined security tags in NSX. When a guest VM is found in
the threat or traffic logs, Panorama makes an API call to NSX Manager telling NSX Manager to tag the
guest VM with the tag specified in the HTTP Server Profile. When the guest VM becomes tagged, NSX
Manager dynamically moves the tagged guest VM into the quarantine security group, which places
the guest VM into the quarantine dynamic address group.
• Dynamic Address Groups (DAG)
• Security Groups in vCenter
• Panorama HTTP Server Profile and Log Settings
• Review DAG for Quarantined Hosts
• Review Panorama Server Profile and Log Settings
• Observe Automatic Quarantine of Infected Host
• Remediate Quarantined Host
Task 1 – Review DAG for Quarantined Hosts

Step 1: In Panorama, go to “Objects” > “Address Groups” and look for the “NSX_Quarantine” DAG. You
may click “more…” to see that it empty at this point.
UTD-VDC 3.0 37
Step 2: On the VMware vSphere Web Client, go to “Networking & Security” > “Service Composer” >
“Security Groups”. Look for “UTD-NSX-Service-Definition_NSX_Quarantine”. It is also currently empty.
Step 3: Right click on the group, select “Edit Security Group” and click “Next”. Note that the security tag is
“DATA_SECURITY.violationsFound”. This is a built-in tag from NSX.
Step 4: Click “Cancel” to exit.
Task 2 – Review Panorama Server Profile and Log Settings

Step 1: In Panorama, go to “Panorama” > “Server Profiles” > “HTTP”.
Step 2: Click “UTD-Panorama-NSX” to bring up the HTTP Server Profile. Under the “Servers” tab, this
contains the IP and login information of the NSX Manager.
UTD-VDC 3.0 38
Step 3: Click “Payload Format”. Notice that for the “Threat” log type that it uses the “NSX Data Violation”
format. This is the same tag that was seen in the previous task.
Step 4: Click “Threat” to bring up the “Payload Format” window then click the arrow at the right of “Pre-
defined Formats” to see the list of available NSX tags.
Step 5: Click “Cancel” and “Cancel” again.
Step 6: Go to “Panorama” > “Log Settings” and scroll down to the “Threat” section.
UTD-VDC 3.0 39
Step 7: Click “UTD-NSX-Data-Violation” to bring up the “Log Settings – Threat” window. Notice, under
HTTP, the “UTD-Panorama-NSX” HTTP Server Profile is assigned. Also, note that in the “Filter” section that
a filter of “(severity eq critical) or (severity eq high)” has been set. This means that when the threat log has
an entry with a severity of high or critical that Panorama will tag the compromised VM via NSX. With the
Filter Builder, you may construct simple or complex matching criteria.
Step 8: Click “Cancel”.
Task 3 – Dynamically Quarantine Infected Host

Step 1: On the student desktop, use putty or the desktop shortcut to SSH to “DB-Server-1b”.
Step 2: From “DB-Server-1b”, type “./trigger-attacker-traffic”. This will make several requests that simulate
malicious traffic coming from Web-Server-1 and will result in an error due to the NGFW blocking the request.
UTD-VDC 3.0 40
Step 3: On Panorama, review Threat logs. Note that the severity of the entries is “critical” and the attacker
(compromised host) is 172.16.5.191 (Web-Server-1).
Step 4: Go to “Objects” > “Address Groups” and click “more…” on “NSX_Quarantine” to see that Web-
Server-1 has been dynamically added.
Step 5: From your SSH session on DB-Server-1b, “ping 172.16.5.191”. The traffic will be blocked as that
host is now quarantined.
Step 6: Review the Traffic logs to see that the ping has been dropped due to the security policy rule
“Quarantined hosts”.
Step 8: Go to “Policies” > “Security” > “Pre Rules” and review the “Quarantined hosts” policy. Note that it will
drop any traffic to the “NSX_Quarantine” DAG.
Note: No manually interaction was required to quarantine the infected VM. As soon as the
compromised host was detected, Panorama and NSX worked together to block further access to it.
UTD-VDC 3.0 41
Task 4 – Remediate Quarantined Host

Step 1: On the VMware vSphere Web Client, go to “Networking & Security” > “Service Composer” >
“Security Groups”. Look for “UTD-NSX-Service-Definition_NSX_Quarantine”. “Web-Server-1” is now part of
this Security Group.
Step 2: Click “Home” > “Hosts and Clusters”, then click “Web-Server-1”.
Step 3: From the “Summary” tab, review the “Security Tags”. Notice that the
“DATA_Security.violationsFound” tag is present.
Step 4: Click “Manage” and find the “DATA_SECURITY.violationsFound” tag in the list. Uncheck it to clear
this VM.
Step 5: Go back to “Networking & Security” > “Service Composer” > “Security Groups”. Notice “UTD-NSX-
Service-Definition_NSX_Quarantine” is now empty again.
Step 6: On Panorama, go to “Objects” > “Address Groups” and click “more…” on “NSX_Quarantine” to see
that Web-Server-1 has removed from the DAG.
Step 7: From your SSH session on DB-Server-1b, “ping 172.16.5.191”. The traffic will be allowed through.
UTD-VDC 3.0 42
Activity 7 – Enable Secure Multi-tenancy

Background: Multi-tenancy on the VM-Series firewall enables you to secure more than one tenant or
more than one sub-tenant. A tenant is a customer or an organization such as Palo Alto Networks. A
sub-tenant is a department or business unit within the organization such as Marketing, Accounting,
or Human Resources. To allow you to secure multiple tenants, Panorama provides the flexibility to
create multiple sets of security policy rules for each tenant, and multiple zones to isolate traffic from
each sub-tenant and redirect traffic to the appropriately configured VM-Series firewall. You can also
deploy more than one instance of the VM-Series firewall on each host within an ESXi cluster.
• Panorama Zones and vCenter VXLAN for segmentation
• NSX Partner Security Services
• Dynamic Address Groups (DAG)
• Firewall CLI commands
• Review the configuration of the second tenant in Panorama and vCenter
• Create a new steering rule under the NSX Partner Security Services
• Review overlapping IP addresses in Dynamic Address Groups and on individual VMs
• Review tenant configuration from firewall CLI
Task 1 – Review second tenant configuration

Step 1: In Panorama, click on the “Network” tab on top and “Zones” node on the left-hand side to review the
NSX service profile zones created for the two tenants. The previous activities have been within “UTD-tenant-
1”. In this activity, you will be using the “UTD-tenant-2” Zone which will identify traffic from the VMs in this
segment.
Step 2: Review the “From Database Group2” rule under “Policies” > “Security” > “Pre Rules”. Notice that the
source and destination zones are “UTD-tenant-2”. Compare this to the other firewall rules you previously
edited.
Step 3: On the VMware vSphere Web Client, go to “Networking & Security” and “Logical Switches”. Each
tenant belongs to a unique VXLAN which segments the traffic from members of the other VXLAN. Later you
will see how this will allow IP addresses to overlap between the VXLANs.
UTD-VDC 3.0 43
Step 4: Click “Home”, then “VMs and Templates” and click “DB-Server-2”. Notice that “Network adapter 2”
(under “VM Hardware) belongs to the switch “vxw-dvs-39-virtualwire-2-sid-5001-UTD-VXLAN-tenant2”.
“Web-Server-2” belongs to the same switch.
Step 5: From “Networking & Security” > “Service Composer” > “Security Groups”, note the membership of
the “DB-Server-DAG2” and “Web-Server-DAG2” security groups.
Task 2 – Review traffic steering rule

Step 1: On the vSphere Web Client, go to “Networking & Security” > “Firewall” > ”Partner security services”.
Step 2: Expand the “PAN_UTD-NSX-Service-Definition_UTD-tenant-2” rule by clicking the icon.
Step 3: Hover the mouse over the entry to see the expanded text.
Notice the UTD-tenant-2 rules are separated from the UTD-tenant-1 rules making for better visibility.
UTD-VDC 3.0 44
Task 3 – Review Dynamic Address Groups

Step 1: On Panorama, go to “Objects” > “Address Groups”.
Step 2: Click “more…” for “DB-Server-DAG2” and notice the registered IP addresses. While the
management IP of 10.30.51.183 is unique, the data IP of 172.16.5.181 is the same as “DB-Server-DAG1a”.
Step 3: Repeat for “Web-Server-DAG2”. It has the same registered IP (172.16.5.191) as “Web-Server-DAG1”
Task 4 – Review overlapping IP addresses

Step 1: On the student desktop, use putty or the desktop shortcut to SSH to “DB-Server-1a”.
Step 2: From “DB-Server-1a”, type “ifconfig eth1” and note the IP address.
Step 3: Ping 172.16.5.191.
UTD-VDC 3.0 45
Step 3: Run the command “arp -n 172.16.5.191” and note the MAC address for that IP.
Step 4: SSH to 172.16.5.191. “ssh student@172.16.5.191” (Password1!). Which VM are you logged into –
Web-Server-1 or Web-Server-2?
Step 5: Without exiting the SSH session from the previous step, use putty, or the desktop shortcut, to SSH
to “DB-Server-2” and repeat Steps 1-4. Notice that while the IPs are the same, the MAC addresses are
different as we are on different VMs. Stay logged into this SSH session as well.
Step 6: On Panorama, review the Traffic logs and see that the Zone reflects “UTD-tenant-2” NSX service
profile for the latest ping and ssh traffic. “UTD-tenant-1” should be logged just before that. Also note that the
rules they match are “From Database Group2” or “From Database Group1a”.
Task 5 – Review firewall from CLI

Step 1: If you were logged out of either of the SSH sessions of the previous task, log back in.
Step 2: Use putty or the desktop shortcut to SSH to 10.30.51.1. The login is “admin / admin”.
Step 3: Run the command “show interface all”. Notice that a sub-interface has been created for each tenant.
UTD-VDC 3.0 46
Step 3: Run the command “show session all”. Notice the two SSH sessions, while both the source and
destination IPs are the same, they are part of different Zones and their traffic is fully segmented from each
other.
End of Activity 7.
UTD-VDC 3.0 47
Activity 8 – Build Custom Security Reports

Background: Informative visualization tools and reports are very important to network and security
administrators to monitor and identify potential network problems and attacks. Comprehensive built-
in visualization tools and reporting features in the firewall can provide visibility into network activity,
which in turn can help you make more informed security decisions.
PAN-OS features to be used:

• Application Command Center (ACC) in Panorama
o Built-in visualization tools that provides a clear view on the applications, users and
threats data on your network
• Manage custom reports
o Create a custom report using traffic stats logs
Task 1 – Review Application Command Center (ACC)

Step 1: In Panorama, click on the “ACC” tab, make sure the “Panorama” is selected in “Context”. ACC is
configured to show data collected in the Last Hour, change the time to “Last 6 Hrs” in the Time drop-down
window to include all the data generated during your lab session.
Step 2: Under “Application Usage”, you can see the top applications based on usage in the network and
their respective risk levels. When the “Device Group” is set to “All”, ACC presents all the data from all the
devices Panorama manages. Click on any application such as “web-browsing” to review more details for that
application.
Step 3: To investigate further, click on any entry to further review the details associates with that particular
entry, for example, you can click on a destination address or URL category to drill down on the details
UTD-VDC 3.0 48
Step 4: You can delete a filter by checking that item and clicking the “-“ icon. Click “Clear all” to remove all
filters.
Task 2 – Creating a custom report

Step 1: Click on the “Monitor” tab then the “Manage Custom Reports” node (second from last)
Step 2: Click “Add” (in the lower left) and name the report “Traffic Stats” (in the “Custom Report” pop-up)
Step 3: Use the following information to create this report:
• Name ............................................ Traffic Stats

• Database ....................................... Panorama Traffic Summary
• Time Frame ................................... Last 6 Hrs
• Selected Columns.......................... Application, App Category, App Sub Category, Risk of
App, Sessions
• Sort By ........................................... Sessions: Top 10
Step 4: Click “Run Now” (at the top of the pop-up), then click on newly create tab “Traffic Stats” to review
the report, then export the results to a PDF report.
Step 5: Click “Ok” to save this custom report
End of Activity 8.
UTD-VDC 3.0 49
Activity 9 - Feedback on Ultimate Test Drive

Thank you for attending the Ultimate Test Drive event and we hope you enjoy the presentation and
the labs that we have prepared for you. Please take a few minutes to complete the online survey form
to tell us what you think about this event.
Task 1 – Take the online survey

Step 1: In your lab environment, click on the “Survey” tab.
Step 2: Please complete the survey and let us know what you think about this event.
End of Activity 9.
UTD-VDC 3.0 50
Request a free Security Lifecycle Review
Ask your Palo Alto Networks Sales Representative or Palo Alto Networks Partner for more
information
UTD-VDC 3.0 51
Appendix-2: Network Diagram
Lab Setup
Device Login Management IP Data IP ESXi Host

Administrator / (refer to 10.30.51.51 -
Student Desktop the guide)
Panorama vdcstudent / utdvdc135 10.30.51.23 -
administrator@utd.local 10.30.51.21 -
vCenter / Password1!
NSX Manager admin / default 10.30.51.22 -
DB-Server-1a student / Password1! 10.30.51.181 172.16.5.181 10.30.51.11
DB-Server-1b student / Password1! 10.30.51.182 172.16.5.182 10.30.51.12
DB-Server-2 student / Password1! 10.30.51.183 172.16.5.181 10.30.51.11
Web-Server-1 student / Password1! 10.30.51.191 172.16.5.191 10.30.51.12
Web-Server-2 student / Password1! 10.30.51.192 172.16.5.191 10.30.51.12
UTD-VDC 3.0 52

Ultimate Test Drive: Virtualized Data Center

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Ultimate Test Drive: Virtualized Data Center

Загружено:

Авторское право:

Доступные форматы

Ultimate Test Drive – VDC

Panorama, VM-Series (PAN-OS 8.0), vCenter 6.0 with

Activity 0 – Log in to UTD Workshop 5

Activity 1 – Explore VM-Series on VMware NSX Integration Components 10

Activity 2 – Enable Application Control 19

Activity 3 – Enable Dynamic Security Policies 24

Activity 4 – Panorama Managed Security Policy Rules 30

Activity 5 – Enable Advanced Threat Protections 34

Activity 6 – Automate Security Actions: Quarantine Infected Guest VMs 37

Task 4 – Remediate Quarantined Host 42

Activity 7 – Enable Secure Multi-tenancy 43

Activity 8 – Build Custom Security Reports 48

Activity 9 - Feedback on Ultimate Test Drive 50

Appendix-2: Network Diagram 52

How to use this guide

Once these activities are completed:

1. Navigate the Palo Alto Networks GUI

Activity 0 – Log in to UTD Workshop

Task 1 – Log in to your Ultimate Test Drive class environment

Task 2 – Log in to the Student Desktop

Task 3 – Perform connectivity check

Activity 1 – Explore VM-Series on VMware NSX

Panorama and vCenter overview:

In this activity, you will:

Task 1 – Log in and review Panorama Management System

VMware NSX Manager. Important: Do not change anything here.

Task 2 – Log in and review vSphere Web Client

Step 2: Log in to vCenter using the following login and password:

Step 3: On the Home page, click on “Host and Clusters”.

Task 3 – Review the VMware VXLAN Configuration

Task 4 – Isolation/port based segmentation of guest VM’s with VMware

Step 6: Click on “Publish Changes” to deploy the changes.

Activity 2 – Enable Application Control

Task 1 – Log in to guest VM

Task 2 – Review traffic logs in Panorama

Task 3 – Modify the firewall policy

Step 3: Add “ssh” to “Applications”.

Step 5: Click “Ok” on the Security Policy Rule window.

Step 8: Click “Close” when the commit process is completed.

Step 9: Click “Commit” again on the top right-hand corner.

Task 4 – Verify the firewall policy

Activity 3 – Enable Dynamic Security Policies

Panorama, PAN-OS and vCenter features:

• Dynamic Address Groups(DAG)

In this activity, you will:

• Create DAG on Panorama and link it to a Security Group in vCenter

Task 1 – Create Dynamic Address Group in VM-Series

Step 4: Enter “DB-Server-DAG1b” under Name on new “Address Group” page

Step 5: Select “Dynamic” under “Type”.

Task 2 – Modify Security Group on vCenter

Step 3: Select and right-click “UTD-NSX-Service-Definition_DB-Server-DAG1b” security group and click on

Step 6: Click “Finish”.

Task 3 – Modify Security Tag on Guest VMs

Step 4: Select “DB-Server-Group1b” under “Filter” and click “OK”.

Activity 4 – Panorama Managed Security Policy Rules

Panorama and vCenter features:

In this activity, you will:

Task 1 – Modify the VM-Series Firewall Policy

Step 2: Go to the “Pre Rules” under “Security” on the left-hand side.

Task 2 – Create Steering Rules

Task 3 – Review the vSphere Security Policy

Step 2: Expand the “PAN_UTD-NSX-Service-Definition_UTD-tenant-1” and “…tenant-2” rules. These are

Task 4 – Review Dynamic Address Group