Академический Документы
Профессиональный Документы
Культура Документы
ULTIMATE
TEST DRIVE
Virtualized Data Center
Securing the Software Defined Data Center
Workshop Guide
http://www.paloaltonetworks.com
UTD-VDC 3.0 © 2017 Palo Alto Networks, Inc. | Confidential and Proprietary 20171011
Ultimate Test Drive – VDC
Table of Contents
UTD-VDC 3.0 2
Ultimate Test Drive – VDC
UTD-VDC 3.0 3
Ultimate Test Drive – VDC
This workshop covers only basic topics and is not a substitute for training classes conducted at a Palo Alto
Networks Authorized Training Center (ATC). Please contact your partner or regional sales manager for
more training information.
Terminology
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each Tab found in the left-hand column of each screen.
Note: Unless specified, the “Chrome” web browser will be used to perform any tasks outlined in the
following Activities. (These apps are pre-installed on the desktop of the workshop PC.)
UTD-VDC 3.0 4
Ultimate Test Drive – VDC
Step 2: Go to the class URL. Enter your email address and the passphrase. If you have an invitation email,
you can find the class URL and passphrase in the invitation email, or the instructor will provide you with the
class URL and passphrase.
Step 3: Complete the registration form and click “Register and Login” at the bottom.
Step 4: Depending on your browser, you will be asked to install a plugin; please click “Yes” to allow the
plugin to be installed and continue the login process.
UTD-VDC 3.0 5
Ultimate Test Drive – VDC
Step 5: Once you log in, the environment will be automatically created for you. Click on “Start Using This
Environment” when the Environment is ready.
Step 6: The UTD NSX Environment consists of the following core components: “Student Desktop”,
“Panorama”, “vCenter”, “NSX Manager”, “ESXi-Host1” and “ESXi-Host2”. You will access all these
components through the “Student Desktop”.
Step 2: You will be connected to the “Student Desktop” through your browser.
UTD-VDC 3.0 6
Ultimate Test Drive – VDC
Step 3: If the “Student Desktop” resolution is too high or too low for your laptop display, you can adjust the
resolution from the left-hand pane. You can also click the “Full screen” icon to maximize the display.
Note: The default connection to the “Student Desktop” uses RDP over HTML5 protocol through the
browser.
Optional Step 4: If you encounter connection issues with the “Student Desktop”, click the “Reconnect” icon
to re-establish the connection.
UTD-VDC 3.0 7
Ultimate Test Drive – VDC
Optional Step 5: If the reconnect to the “Student Desktop” remains unsuccessful, please verify your laptop
connectivity using the following link.
http://test.cloudshare.com/
Optional Step 6: If the connectivity test passed, please close the browser and retry from Task1, Step 1. If
the connectivity test failed, please ask the instructor for further assistance.
UTD-VDC 3.0 8
Ultimate Test Drive – VDC
Step 1: Once logged in to the Student Desktop, you can run the “PingCheck” script at the lower left corner
of the desktop.
Step 2: The “PingCheck” script will ping the management interfaces of all the major components in the lab
environment. If there is a failure in the ping check, you can go to the “VM List” tab and reboot the VM. Note
that it may take some time for the VM to reboot.
End of Activity 0.
UTD-VDC 3.0 9
Ultimate Test Drive – VDC
Network topology
UTD-VDC 3.0 10
Ultimate Test Drive – VDC
Step 2: Click on the “Panorama” (IP: 10.30.51.23) bookmark in the Chrome browser, using the following
login and password:
Login: vdcstudent
Password: utdvdc135
Step 2: You are now logged into to Panorama Management System and should see the main dashboard.
Notice the “Device Name” under “General Information” is “Panorama”. This indicates that you are looking at
the Panorama web interface.
Step 3: Click on the “Panorama” tab on top and “Managed Devices” node on the left-hand side to review the
VM-Series firewalls that are managed by Panorama.
UTD-VDC 3.0 11
Ultimate Test Drive – VDC
Step 4: You can manage individual Palo Alto Networks firewalls (physical and virtual) by selecting them
from the context drop-down menu. Click on the drop-down menu under “Context” on the upper left-hand
corner, and change it from “Panorama” to “PA-VM:10.30.51.11” to switch context to the firewall PA-
VM:10.30.51.11.
Step 5: After the context is loaded, notice the device name is shown under “Context”. The device name is
also shown in “General Information” in the “Dashboard” tab. Notice that the management GUI of a single
firewall is very similar to Panorama Central management GUI, this makes it easy for the administrators to
switch from device management to centralized management.
Step 6: Switch the “Context” back to “Panorama” to view the Panorama web interface.
Step 7: After switching context back to Panorama, click on the “Panorama” tab on top, click on the “Service
Managers” and “Service Definitions” nodes on the left (under “VMware NSX) to review the configuration to
integrate Panorama with
UTD-VDC 3.0 12
Ultimate Test Drive – VDC
Login: administrator@utd.local
Password: Password1!
Note: If you get an error or invalid login when trying to log in, refresh the browser page.
UTD-VDC 3.0 13
Ultimate Test Drive – VDC
Step 4: Review the hosts and the guest VMs managed by this vCenter. The “UTD-NSX-Service-Definition
(1) / (2)” guest VMs installed in the UTD-VDC-Cluster are the PA-VM:10.30.51.12 and PA-VM:10.30.51.11
hypervisor firewalls managed by Panorama.
Note The VM-Series firewall is installed as a guest service VM on the host, the icon for the service VM is
different from the regular guest VM.
Step 5: Click on the “DB-Server-1a” VM and review which host the guest VM is installed on. Review the VM
summary for “DB-Server-1b” and “Web-Server-1”. It is important that VMware-Tools are running on the guest
VMs. If VMware-Tools is not running, reboot the guest VMs to restart VMware-Tools.
Step 6: Click on the “Home” icon on the top to go back to the home page.
UTD-VDC 3.0 14
Ultimate Test Drive – VDC
Step 7: Click on “Networking & Security” and click on “NSX Managers” at the bottom of the list on the left-
hand side.
Step 8: Review that NSX Managers (10.30.51.22) is installed and registered with this vCenter.
Step 9: Go to “Networking & Security” > “Service Definitions” > “Services” to verify that the VM-Series
firewall is registered as a service on NSX Manager.
Step 10: In a production environment, there are some other steps required to prepare the ESXi hosts for
service deployment. These steps have been performed for you in this environment.
UTD-VDC 3.0 15
Ultimate Test Drive – VDC
Step 2: Go to “Networking & Security” and “Installation”, click on “Logical Network Preparation” and verify
that the “VXLAN transport” is installed on all the hosts in the cluster. Click the triangle icon to expand the
cluster.
Step 3: Finally verify that the “Logical Switches”, “UTD-VXLAN-tenant1” and “UTD-VXLAN-tenant2” are
present and “Status” reports as “Normal”.
UTD-VDC 3.0 16
Ultimate Test Drive – VDC
Login: student
Password: Password1!
Step 2: From the “DB-Server-1a” ping “DB-Server-1b” at 172.16.5.182. Did you get a ping response? (Yes,
you should get a ping response.)
Step 3: From the vSphere Web Client, go to “Firewall” under “Networking &Security”. Click the arrow to
expand the section “UTD-NSX (Rule 1)” to see the rule “Block-Between-DB” in the “Configuration” tab under
“General”
Step 4: Under the “Action” column, click the pencil icon in the upper right-hand corner. Change the Action
from “Allow” to “Block” and select ‘Log” to enable logging, then click “Save”. Also, notice that “Any” is
selected in the “Service” column, so this rule will block traffic on all ports.
UTD-VDC 3.0 17
Ultimate Test Drive – VDC
Step 5: Click the pencil icon in the “Applied To” column. In the “Block-Between-DB – Specify Applied To”
window, uncheck “Apply this rule on all clusters on which Distributed Firewall is installed.” and then choose
"Virtual Machine” in the “Object Type” pull-down. Note that “Object Type” is not visible until the checkbox is
deselected. Under the “Available Objects” box, select “DB-Server-1a” and click the blue right-hand arrow to
move it to the “Selected Objects” box. Repeat for “DB-Server-1b”. Click “OK” to finish.
Step 7: Go back to the “DB-Server-1a” SSH session and try to ping “DB-Server-1b” on 172.16.5.182 again.
Did you get a ping response? (You should not get a response from the ping because you have successfully
blocked traffic between DB-Servers using the NSX distributed firewalls.)
End of Activity 1.
UTD-VDC 3.0 18
Ultimate Test Drive – VDC
Login: student
Password: Password1!
UTD-VDC 3.0 19
Ultimate Test Drive – VDC
Step 2: DB-Server-1a has two network interfaces, one for management (10.30.51.181) and one for data
(172.16.5.181). Our policies will focus on enabling an application on the data interface. Ping the data
interface of Web-Server-1 (172.16.5.191) on ESXi-Host-2 from DB-Server-1a. You should see a ping
response from the Web-Server-1. Note that both DB-Server-1a and Web-Server-1 data interfaces are on
the same network.
Step 3: SSH from DB-Server-1a (172.16.5.181) to Web-Server-1 (172.16.5.191) using the command “ssh
student@172.16.5.191” with password “Password1!”. Did you get a SSH response from Web-Server-1?
(Web-Server-1 should not be responding to the SSH request.) Control+C to stop the SSH attempt.
Step 2: Click on the “Traffic” node under “Logs” on the left-hand side to review the firewall policies log.
Make sure the “Context” on top is set at “Panorama”.
Step 3: Click on the “Refresh” button on the upper right corner if necessary to display the latest log entries.
Step 4: You can search the log by clicking on any field to add the search text and modify it accordingly.
Search the logs for the SSH application by entering the search text “(app eq ssh)” (without the quotations).
Step 5: See that SSH application is being denied by the firewall policy.
UTD-VDC 3.0 20
Ultimate Test Drive – VDC
(If the subject has not been covered by now, please ask the instructor to explain the differences between
“Pre Rules” and “Post Rules” in Panorama.)
Step 2: Click on the “From Database Group1a” policy to open the “Security Policy Rule” and then click on
the “Application” tab.
Step 4: In the “Service / URL Category” tab, change the “Service” from “any” to “application default”. (This
will allow the applications to only run on its default ports.)
UTD-VDC 3.0 21
Ultimate Test Drive – VDC
Step 6: Click “Commit” on the top right-hand corner to commit the policy changes.
Step 7: Select “Commit to Panorama” and click “Commit” to commit the changes to Panorama. (This saves
the changes to the Panorama configuration file)
Step 10: This time, select “Push to Devices”. Then click “Push”. (This commits the policy changes to the
firewalls.)
Step 11: The “Task Manager” window will appear. The “Commit All” task will then appear. First in a status of
Pending and then Completed. Click “Close” when the commit process is finished.
UTD-VDC 3.0 22
Ultimate Test Drive – VDC
Note: DB-Server-1a and Web-Server-1 are installed on different ESXi hosts in this example, the NSX
and VM-Series integrated solution works the same no matter where the VMs are installed.
Step 2: Go back to Panorama and refresh the traffic log. You should see traffic logs that shows ssh
application is now allowed.
Step 3: Clear the text in the search field to see the other logs.
End of Activity 2.
UTD-VDC 3.0 23
Ultimate Test Drive – VDC
Step 2: Click on the “Address Groups” node on the left-hand side. Make sure the “Panorama” is shown
under “Context” and “UTD-NSX-FW-DG” is shown under “Device Group”.
Step 3: Click “Add” at the bottom of the “Address Group” page to create another Dynamic Address Group
for the DB-server-1b group.
UTD-VDC 3.0 24
Ultimate Test Drive – VDC
Step 6: In the “Match” text area, enter the following, exactly as shown:
'_nsx_DB-Server-DAG1b'
The single quotes (and _nsx_) are required for Panorama to push the DAG to NSX. The rest of the field
must match the “Name” of the DAG.
Click “OK”.
Step 7: Log in to vSphere Web Client, on the home page, click on “Networking and Security”.
Step 8: Click the “Service Composer” node on the left and then click the “Security Groups” tab on the right.
These Security Groups were automatically generated from Panorama previously and match the existing
dynamic address groups. Note that the Security Group for “DB-Server-DAG1b” is not present as we have not
done a commit on Panorama.
Step 9: Return to Panorama. Click on “Commit” and select “Commit to Panorama” to commit changes to
Panorama, and then commit again, select “Push to Devices” and “Push” to commit the changes to all the
firewalls.
UTD-VDC 3.0 25
Ultimate Test Drive – VDC
Step 10: Review the address entry in the new “DB-Server-DAG1b” by clicking on “more...” in the
“Addresses” column. There should be no address in new Dynamic Address Group at this point.
Step 2: Notice that “DB-Server-DAG1b” security group shows “0” under “Virtual Machines” indicating that
there are currently no virtual machines in this security group. (You may need to adjust the column width to
see the column entries.)
UTD-VDC 3.0 26
Ultimate Test Drive – VDC
Step 4: In the “Edit Security Group” window, select “2 Define dynamic membership”. Click the green “+” to
see the “Membership criteria 1” window. Click “Add”
Step 5: Set the first drop-down to “Security Tag”, the second to “Equals to” and enter “DB-Server-Group1b”
in the text box on the right-hand side.
UTD-VDC 3.0 27
Ultimate Test Drive – VDC
Step 2: Click on “DB-Server-1b” and click on the “Summary” tab on the right.
Step 3: Scroll down then click “Manage” under “Security Tags”. (If you don’t see any widgets in “Summary”
page, you may need to logout and log back in to vCenter to refresh the display.)
UTD-VDC 3.0 28
Ultimate Test Drive – VDC
Step 5: Repeat Task 2, Step 1 to review the “DB-Server-DAG1b” security group now. You should see that is
one virtual machine added to the security group now. You can click on the number to see the VM in this
group.
Note: The “DB-Server-DAG1b” DAG is not populated on the Panorama side at this time. NSX pushes this
information once a steering rule using that DAG is in use on the NSX side. We will do this in the next activity.
End of Activity 3.
UTD-VDC 3.0 29
Ultimate Test Drive – VDC
Note: you must complete Activity 3 before you continue to Activity 4 and 5.
Step 3: Select the rule “From Database Group1b” and click on “Enable” at the bottom to enable this policy.
UTD-VDC 3.0 30
Ultimate Test Drive – VDC
Step 4: The color of the policy will change to light blue to indicate that it is enabled. Click on the policy name
to edit the policy.
Step 5: Click the rule name “From Database Group1b” to edit the policy. In the “Source” tab in the “Security
Policy Rule” window and add “DB-Server-DAG1b” to the “Source Address”.
Step 6: Click the “Destination” tab in the “Security Policy Rule” window and add “Web-Server-DAG1” to the
“Destination Address”.
Step 7: Click the “Application” tab and review that “Any” application is allowed by this policy.
Step 8: Click the “Actions” tab and make sure “Allow” is checked under “Action Setting”. Click “OK” to close
the Rule windows.
UTD-VDC 3.0 31
Ultimate Test Drive – VDC
Step 2: Go back to Panorama. From the “Panorama” tab, click the “Steering Rules” node under “VMware
NSX”. These are the steering rules previously created from the NGFW security rules and match the rules in
the NSX “Partner security services”.
Step 3: Click “Auto-Generate Steering Rules” at the bottom to create a new steering rule based on the
security rule we just did in the previous task. Click “Yes” in the “Confirm Generation” window.
Step 4: Commit the policy changes to “Panorama” and then “Push to Devices”.
Note: The rules have been automatically pushed from Panorama to NSX. No further configuration is
necessary on the NSX side.
UTD-VDC 3.0 32
Ultimate Test Drive – VDC
Step 2: From DB-Server-1b, ping the data interface of Web-Server-1 (172.16.5.191), the ping session
should go through. You can also do that for SSH “ssh student@172.16.5.191 / Password1!” and SSH should
go through.
Step 3: Go back to the Panorama web interface, click on the “Monitor” tab and the “Traffic” node under
“Logs”.
Step 4: You should be able to see the application sessions between the “Web-Server-1” and “DB-Server-1b”
on Panorama. You can filter the logs from the policy you enabled in Task 1 by entering “( rule eq ‘From
Database Group1b’) in the search box on top of the logs. (Logs can take a couple of minutes before it shows
up.)
Note: DB-Server-1b and Web-Server-1 are installed on the same ESXi host in this example, the NSX
and VM-Series integrated solution works the same no matter where the VMs are installed.
End of Activity 4.
UTD-VDC 3.0 33
Ultimate Test Drive – VDC
Note: You must complete Activity 3 and 4 before you continue on to Activity 5.
Step 2: Click on the “Actions” tab in the “Security Policy Rule” window.
Step 3: Under “Profile Setting”, select “Profiles” in the “Profile Type” drop-down menu.
UTD-VDC 3.0 34
Ultimate Test Drive – VDC
Step 6: Select “strict” profile for “Anti-Spyware” and click “OK” to close the “Security Policy Rule” window.
Step 2: Click on the name of the Antivirus security profile, to review the profile setting
Step 3: Review the profile settings for “strict” Anti-Spyware profile and the “strict” Vulnerability Protection
profile.
UTD-VDC 3.0 35
Ultimate Test Drive – VDC
Step 2: From “DB-Server-1b” ping “Web-Server-1” data interface at “172.16.5.191”, you should get a valid
ping response back.
Step 3: Use the “wget-sample1” script file with command: “./wget-sample1” to perform wget file“sample1”
from the “Web-Server-1” over http.
Step 4: You should be able to get file “sample1” from Web-Server-1. “sample1” is a basic html file and you
can review the content with the “more” command: “more sample1”.
Step 5: Use the “wget-sample2” script file with command “./wget-sample2” to perform wget file “sample2”
from the “Web-Server-1” over http.
Step 6: The wget command should fail this time and the connection is closed.
Step 7: Go to Panorama GUI, click on “Monitor” tab, node “Logs” > “Threat”. Review the “Eicar” entry.
“sample2” file is actually an EICAR virus test file and it is blocked by the VM-Series firewall antivirus
protection. (If you don’t see the log entries, wait for about 30 sec and refresh to “Threat” log view.)
Note: wget is essentially a HTTP GET command, therefore the VM-Series firewall treats it as a Web-
browsing application.
End of Activity 5.
UTD-VDC 3.0 36
Ultimate Test Drive – VDC
UTD-VDC 3.0 37
Ultimate Test Drive – VDC
Step 2: On the VMware vSphere Web Client, go to “Networking & Security” > “Service Composer” >
“Security Groups”. Look for “UTD-NSX-Service-Definition_NSX_Quarantine”. It is also currently empty.
Step 3: Right click on the group, select “Edit Security Group” and click “Next”. Note that the security tag is
“DATA_SECURITY.violationsFound”. This is a built-in tag from NSX.
Step 2: Click “UTD-Panorama-NSX” to bring up the HTTP Server Profile. Under the “Servers” tab, this
contains the IP and login information of the NSX Manager.
UTD-VDC 3.0 38
Ultimate Test Drive – VDC
Step 3: Click “Payload Format”. Notice that for the “Threat” log type that it uses the “NSX Data Violation”
format. This is the same tag that was seen in the previous task.
Step 4: Click “Threat” to bring up the “Payload Format” window then click the arrow at the right of “Pre-
defined Formats” to see the list of available NSX tags.
Step 6: Go to “Panorama” > “Log Settings” and scroll down to the “Threat” section.
UTD-VDC 3.0 39
Ultimate Test Drive – VDC
Step 7: Click “UTD-NSX-Data-Violation” to bring up the “Log Settings – Threat” window. Notice, under
HTTP, the “UTD-Panorama-NSX” HTTP Server Profile is assigned. Also, note that in the “Filter” section that
a filter of “(severity eq critical) or (severity eq high)” has been set. This means that when the threat log has
an entry with a severity of high or critical that Panorama will tag the compromised VM via NSX. With the
Filter Builder, you may construct simple or complex matching criteria.
Step 2: From “DB-Server-1b”, type “./trigger-attacker-traffic”. This will make several requests that simulate
malicious traffic coming from Web-Server-1 and will result in an error due to the NGFW blocking the request.
UTD-VDC 3.0 40
Ultimate Test Drive – VDC
Step 3: On Panorama, review Threat logs. Note that the severity of the entries is “critical” and the attacker
(compromised host) is 172.16.5.191 (Web-Server-1).
Step 4: Go to “Objects” > “Address Groups” and click “more…” on “NSX_Quarantine” to see that Web-
Server-1 has been dynamically added.
Step 5: From your SSH session on DB-Server-1b, “ping 172.16.5.191”. The traffic will be blocked as that
host is now quarantined.
Step 6: Review the Traffic logs to see that the ping has been dropped due to the security policy rule
“Quarantined hosts”.
Step 8: Go to “Policies” > “Security” > “Pre Rules” and review the “Quarantined hosts” policy. Note that it will
drop any traffic to the “NSX_Quarantine” DAG.
Note: No manually interaction was required to quarantine the infected VM. As soon as the
compromised host was detected, Panorama and NSX worked together to block further access to it.
UTD-VDC 3.0 41
Ultimate Test Drive – VDC
Step 2: Click “Home” > “Hosts and Clusters”, then click “Web-Server-1”.
Step 3: From the “Summary” tab, review the “Security Tags”. Notice that the
“DATA_Security.violationsFound” tag is present.
Step 4: Click “Manage” and find the “DATA_SECURITY.violationsFound” tag in the list. Uncheck it to clear
this VM.
Step 5: Go back to “Networking & Security” > “Service Composer” > “Security Groups”. Notice “UTD-NSX-
Service-Definition_NSX_Quarantine” is now empty again.
Step 6: On Panorama, go to “Objects” > “Address Groups” and click “more…” on “NSX_Quarantine” to see
that Web-Server-1 has removed from the DAG.
Step 7: From your SSH session on DB-Server-1b, “ping 172.16.5.191”. The traffic will be allowed through.
UTD-VDC 3.0 42
Ultimate Test Drive – VDC
Step 2: Review the “From Database Group2” rule under “Policies” > “Security” > “Pre Rules”. Notice that the
source and destination zones are “UTD-tenant-2”. Compare this to the other firewall rules you previously
edited.
Step 3: On the VMware vSphere Web Client, go to “Networking & Security” and “Logical Switches”. Each
tenant belongs to a unique VXLAN which segments the traffic from members of the other VXLAN. Later you
will see how this will allow IP addresses to overlap between the VXLANs.
UTD-VDC 3.0 43
Ultimate Test Drive – VDC
Step 4: Click “Home”, then “VMs and Templates” and click “DB-Server-2”. Notice that “Network adapter 2”
(under “VM Hardware) belongs to the switch “vxw-dvs-39-virtualwire-2-sid-5001-UTD-VXLAN-tenant2”.
“Web-Server-2” belongs to the same switch.
Step 5: From “Networking & Security” > “Service Composer” > “Security Groups”, note the membership of
the “DB-Server-DAG2” and “Web-Server-DAG2” security groups.
Step 3: Hover the mouse over the entry to see the expanded text.
Notice the UTD-tenant-2 rules are separated from the UTD-tenant-1 rules making for better visibility.
UTD-VDC 3.0 44
Ultimate Test Drive – VDC
Step 2: Click “more…” for “DB-Server-DAG2” and notice the registered IP addresses. While the
management IP of 10.30.51.183 is unique, the data IP of 172.16.5.181 is the same as “DB-Server-DAG1a”.
Step 3: Repeat for “Web-Server-DAG2”. It has the same registered IP (172.16.5.191) as “Web-Server-DAG1”
Step 2: From “DB-Server-1a”, type “ifconfig eth1” and note the IP address.
UTD-VDC 3.0 45
Ultimate Test Drive – VDC
Step 3: Run the command “arp -n 172.16.5.191” and note the MAC address for that IP.
Step 4: SSH to 172.16.5.191. “ssh student@172.16.5.191” (Password1!). Which VM are you logged into –
Web-Server-1 or Web-Server-2?
Step 5: Without exiting the SSH session from the previous step, use putty, or the desktop shortcut, to SSH
to “DB-Server-2” and repeat Steps 1-4. Notice that while the IPs are the same, the MAC addresses are
different as we are on different VMs. Stay logged into this SSH session as well.
Step 6: On Panorama, review the Traffic logs and see that the Zone reflects “UTD-tenant-2” NSX service
profile for the latest ping and ssh traffic. “UTD-tenant-1” should be logged just before that. Also note that the
rules they match are “From Database Group2” or “From Database Group1a”.
Step 2: Use putty or the desktop shortcut to SSH to 10.30.51.1. The login is “admin / admin”.
Step 3: Run the command “show interface all”. Notice that a sub-interface has been created for each tenant.
UTD-VDC 3.0 46
Ultimate Test Drive – VDC
Step 3: Run the command “show session all”. Notice the two SSH sessions, while both the source and
destination IPs are the same, they are part of different Zones and their traffic is fully segmented from each
other.
End of Activity 7.
UTD-VDC 3.0 47
Ultimate Test Drive – VDC
Step 2: Under “Application Usage”, you can see the top applications based on usage in the network and
their respective risk levels. When the “Device Group” is set to “All”, ACC presents all the data from all the
devices Panorama manages. Click on any application such as “web-browsing” to review more details for that
application.
Step 3: To investigate further, click on any entry to further review the details associates with that particular
entry, for example, you can click on a destination address or URL category to drill down on the details
UTD-VDC 3.0 48
Ultimate Test Drive – VDC
Step 4: You can delete a filter by checking that item and clicking the “-“ icon. Click “Clear all” to remove all
filters.
Step 2: Click “Add” (in the lower left) and name the report “Traffic Stats” (in the “Custom Report” pop-up)
Step 4: Click “Run Now” (at the top of the pop-up), then click on newly create tab “Traffic Stats” to review
the report, then export the results to a PDF report.
End of Activity 8.
UTD-VDC 3.0 49
Ultimate Test Drive – VDC
Step 2: Please complete the survey and let us know what you think about this event.
End of Activity 9.
UTD-VDC 3.0 50
Ultimate Test Drive – VDC
Ask your Palo Alto Networks Sales Representative or Palo Alto Networks Partner for more
information
UTD-VDC 3.0 51
Ultimate Test Drive – VDC
Lab Setup
UTD-VDC 3.0 52