Pass Palo Alto Networks PCNSE Certification Exams in First Attempt Easily
Last Update: Feb 20, 2024
Palo Alto Intro and Deployment Options
7. Layer 2 Features and Limitations with demonstration
Continuing on Layer 2: one limitation of Layer 2 mode is that you cannot do NAT between interfaces in Layer 2 mode. For example, if the firewall sits in the middle of a segment, splitting it in two, and you want to NAT, you will not be able to do destination NAT or source NAT from one Layer 2 interface to the other, or any kind of NAT between Layer 2 interfaces. NAT in Layer 2 relies on having a Layer 3 VLAN interface; without a Layer 3 VLAN interface you cannot NAT between Layer 2 interfaces. Pretty much all the other features work in Layer 2, though: the Content-ID features such as URL filtering, threat prevention, antivirus and vulnerability protection. That is what we want to demonstrate in this lecture: the limitations of Layer 2 and how it works, with a demo of exactly what happens.

If I look at NAT in Layer 2, go to the NAT policies and try to select the security zones as NAT source and destination, I will not find the Layer 2 zones there; you will only find the Layer 3 zones. The reason is that Layer 2 zones do not support NAT. So that is one limitation; pretty much everything else works.

I'm going to demonstrate this by introducing two new machines, Windows XP machines, placing them on the network and connecting them to my switches. I can stop and restart the switch so the connection takes effect, and then start the two XP machines. Then I'm going to create URL filtering in UNetLab (you can run a limited form of URL filtering on the unlicensed VM). We'll add a new URL filtering profile, call it "Test Block", and block cnn.com. Then we add this to our security policy. We'll talk about these features in later sections; this is just for testing and demonstration.
Under Action, I'm going to specify Profiles, choose the URL filtering profile that I created, and click Commit. I go to my Windows XP machine, see that I'm connected, and try to go to cnn.com. We need to enable the response page on the interface management profile so the user gets a response page, and commit that. Then under Device > Response Pages, enable the URL filtering block page, and commit again. Now when I try to go to cnn.com we get the block page, so it works.

What about traffic within the VLAN itself? Does that work? To test it, I'm going to install Apache on one of the machines: search for Apache, download and install it, and name the server testlab.local. The reason is that I want to test between hosts in the same segment, which is purely Layer 2. The block page for cnn.com was a Layer 3 case, because that traffic went through the Layer 3 VLAN interface. Now I'm testing Layer 2 Content-ID inspection, and that's why I'm installing Apache here.

On the other machine I'm going to add an entry to the hosts file (C:\Windows\System32\drivers\etc\hosts) so that I can reach that web server by name. The other machine's IP address ends in .212, so I add a host entry mapping that address to testlab.local. Then I browse to testlab.local to make sure it works, and it does.

Next I want to test the Threat Prevention feature. I'm going to add a custom vulnerability signature under Objects > Custom Objects > Vulnerability, call it "test", and add a condition: a pattern match on the HTTP request URI path for something like "testing123".
Then I add this to my policy using the strict vulnerability protection profile and commit, and go back to my machine. I try to connect to the server with a fictitious URL containing testing123 and "test", and you see the connection was reset, because I have that as a vulnerability signature. If I go to yahoo.com with the same testing path I get the same result, so my vulnerability protection is working.

What about URL filtering in there too? I'm going to add that site to my URL filtering profile and block it; let's say I want to block between the servers in the same segment, the Layer 2 network, and see whether URL filtering works there. I try testlab.local now, and the web page is blocked. So even URL filtering on Layer 2 works. In Layer 2 you have all the features except NAT. The next lecture will cover the other deployment, virtual wire, and the differences between virtual wire and Layer 2.
8. Virtual Wire deployment
I hope you have liked the class so far. I would really appreciate it if you posted a review, ideally a paragraph explaining why you like the class. If there's something I can improve on, please send me a note and I'll do my best to fix any issues you have.

In this lecture we will talk about virtual wire. Basically, it's similar to a Layer 2 deployment. The difference is that with virtual wire you cannot attach a Layer 3 VLAN interface. The firewall puts itself in the middle of the communication in the segment, and you create a virtual wire between two interfaces. It's the same thing we did in Layer 2, where we created sub-interfaces and put them in a VLAN object; here we create sub-interfaces and put them in a virtual wire. You can have a physical interface on a virtual wire and sub-interfaces on a virtual wire. The only significant difference, and the benefit of virtual wire, is that it supports NAT. So if you need to do NAT, Layer 2 is not the way to go; you need to use virtual wire.

Because virtual wire supports network address translation, we'll go ahead and create a lab environment for virtual wire in UNetLab and test this out. Go to Actions, add a new lab, call it Virtual Wire, open it, and add the Palo Alto node (Add Node, Palo Alto VM-100). Add the firewall, create the network bridge interface so we can connect the management port, connect the management, and change the node to eight interfaces as I did previously. The next thing we need to do is connect ethernet1/1. The first test I'm going to do is just bridge my Windows machine to my home network.
So I connect ethernet1/1 to the bridge, add a Windows machine, and connect it directly to the Palo Alto on the other interface, then boot it up. The virtual wire is basically going to bridge the two networks together. In virtual wire you cannot have a Layer 3 interface, so you are not going to be able to do Layer 3 routing. That's a major difference between Layer 2 and virtual wire: Layer 2 allows you to attach a Layer 3 VLAN interface and perform routing; in virtual wire the firewall is a bump in the wire and will not do any routing of the traffic. The difference is that virtual wire can do NAT, which Layer 2 could not. So there's give and take between the two options. What I like about Palo Alto is the flexibility of the different implementation options to fit your needs; basically, they thought about pretty much everything.

The firewall should be booted by now, so I log in and set its management IP address. The configuration is: create a virtual wire between the two interfaces, attach the zones, create a security policy, and then the firewall is in the middle of the traffic. Log into the firewall, go to Network > Interfaces, change the interface type of ethernet1/1 to Virtual Wire, create a new virtual wire (call it "test wire"), and create a security zone; that's going to be the outside zone, Untrust. Click OK, and under Advanced bring the interface up. Then configure ethernet1/2 as the second leg of the virtual wire, create a new zone called Trust, and again under Advanced bring the interface up. Then we'll make a security policy that allows basically everything for now: any source, any destination. Then I'll bring in the Windows machine.
I start it up, and it should get an IP address from my home network. Okay, it got an IP address. I try to access the Internet, and it works. So the firewall is a bump in the wire. You can control the traffic: you can have URL filtering, threat inspection and pretty much all the features of the Palo Alto firewall. You cannot do routing, of course, because it's a bump in the wire, so the Layer 3 features aren't available, but everything else is.

We're going to test like we did last time. I create a URL filtering profile and block cnn.com for testing purposes. Then I create a custom vulnerability signature, "test", with threat ID 41000 (custom vulnerability signature IDs start at 41000), severity critical, and add the signature condition: a pattern match on the HTTP request URI path for testing123. Then I add both to my policy: the URL filtering test profile and vulnerability protection set to strict, and we try the URL filtering and threat inspection. The web page is blocked, and when I request the testing URI the connection is reset, so I have threat prevention and URL filtering working.

Now we're going to build a more complex topology with sub-interfaces. I'm going to add two IOL Layer 2 switches, create a trunk between them, create two VLANs, the default VLAN and VLAN 100, and put machines in them. I'm going to shut down this machine so I don't overtax my host, create two Windows XP machines again, so I have four machines to test with, and put the firewall in the middle. We have a trunk interface trunking two VLANs, and we will see the firewall protecting traffic within the same VLAN across the firewall.
However, I cannot get to the Internet from there, because this is a virtual wire; to reach the Internet I would have to route the traffic on that segment through a different means. Right now I have two Windows machines and a switch. I connect that switch to the firewall on the next pair of firewall interfaces, which are going to be trunk interfaces, and I connect a Windows machine to each switch. I start the switches and configure them: the port toward the firewall is a trunk carrying VLAN 1 and VLAN 100 (switchport trunk encapsulation dot1q, switchport mode trunk), and the host ports are access ports (switchport mode access) in VLAN 1 and VLAN 100. On the other switch I do the same. I change the spanning-tree mode to rapid-pvst and set a priority on switch 3.

Now I configure the firewall: I set the two new interfaces to Virtual Wire and create another virtual wire. Note the link state pass-through option: if one interface of the pair goes down (on a physical firewall, a physical link failure), the firewall also brings the other side down, so the failure propagates to the neighbors. Select the security zones, bring the interfaces up under Advanced, and do the same on the second interface. Then we add sub-interfaces so that we can carry VLAN 100: add a sub-interface .100 with tag 100 (we'll talk about the IP classifier in a little bit), click Virtual Wire, add a new virtual wire called "vwire VLAN 100", click OK, and set the security zone to Untrust. Then do the same on the other side, select virtual wire "vwire VLAN 100", and set the security zone to Trust. Click OK. Now the sub-interfaces are on their own virtual wire.
Commit. On the Windows XP hosts I give static IP addresses. Windows One and Windows Seven are on the same virtual wire now, and I should be able to ping the other side. If I cannot ping, I may need to restart the firewall, because the connectivity was changed after the firewall booted. It turned out I had configured the IP address on the wrong interface; after fixing that, I can ping across. The other two virtual machines I put in the other VLAN with addresses ending .1 and .2, and I can ping that one too. So the VLANs are being trunked across the firewall.

Now I'm going to focus a little on spanning tree. I make one switch the root of the spanning tree and then check on the other switch whether it sees it. With show spanning-tree I see the mode is RSTP (rapid-pvst) and the root priority I configured, so the switch on the other side of the firewall can still see the root. The key point is that spanning tree BPDUs are passing through the virtual wire. You can stop STP from passing through with the session setting that drops STP packets (in the CLI, set session drop-stp-packet yes; the default is no). Obviously it's not advisable to drop STP in most cases. If you do show vlan you should see all the VLANs; here we see PVST+ running on native VLAN 1. So you have that ability as well. We'll talk more in the next lecture.
9. Virtual Wire IP Classify
Welcome. In this lecture we'll talk about the IP classifier in virtual wire. The purpose of the IP classifier is to handle a situation where you are using virtual systems. A virtual system (vsys) is like a virtual context in the Cisco world: you partition the firewall logically into multiple virtual systems, each acting like its own firewall. The default is vsys1, which exists on all firewalls, and you can add additional virtual systems if your platform supports it. The PA-200, PA-500 and the VM-Series do not support multiple virtual systems; the PA-2000 and PA-3000 require a license; the PA-4000, PA-5000 and PA-7000 come with a default number of virtual systems. In our case we're using the VM in UNetLab, so we cannot really test virtual systems. The main idea is that you have a main firewall and you configure sub-interfaces. Typically you assign the sub-interfaces to different virtual systems, and each virtual system is like its own individual firewall: a user logs into that virtual system and manages the interfaces allocated to it.

In a situation where you have the same VLAN on the same virtual wire and you want that same VLAN to be available to multiple virtual systems, that is where the IP classifier comes in. One other note: when you bridge virtual wires, you cannot bridge sub-interfaces on different VLANs; they have to be on the same VLAN. If I have a firewall with a main interface and a sub-interface on VLAN 100 on each side, I can bridge those two together.
But if you have a sub-interface on VLAN 200, I cannot bridge that with the sub-interface on VLAN 100; you cannot do that in a virtual wire. It has to be the same VLAN.

So here is the corner case we're going to discuss. A service provider typically has multiple customers who all use the same VLAN to connect to the Internet. You'd have vsys2 for customer A, vsys3 for customer B and vsys4 for customer C. They all have egress Internet access and they are all on the same VLAN, VLAN 100, with the firewall in the middle. You can classify which virtual system, or in our case which zone, the traffic goes into based on IP address. So you can say 192.168.3.0/24 belongs to customer A's sub-interface, customer B (vsys3) is 192.168.4.0/24, and customer C (vsys4) is 192.168.5.0/24. When the firewall receives traffic, it looks at the source IP of the packet and says, "that's sourced from the 192.168.3.0 network," and assigns it to that sub-interface, which in the multi-vsys case belongs to that virtual system. If the source is in 192.168.4.0/24 it goes to customer B's sub-interface, and so on.

In our case, because we don't have virtual systems, we're going to provision one classified sub-interface per customer: customer A on sub-interface .2, customer B on .3, customer C on .4, and then bridge those sub-interfaces with virtual wires. So you have multiple virtual wires and multiple sub-interfaces, but they are all in the same VLAN.
However, you also need a catch-all VLAN 100 sub-interface for traffic that doesn't match any IP classifier. Let me clear the screen and draw it out so you can see it better. I have my firewall here with one interface on each side. The physical interfaces go on a virtual wire restricted to tag 0 (untagged traffic). Then the .100 sub-interfaces, tagged VLAN 100, are virtually wired together with no IP classifier. Then another pair of sub-interfaces, still VLAN 100, for customer A on a second virtual wire; and another pair, still VLAN 100, for customer B on a third virtual wire.

When tagged VLAN 100 traffic comes in, the firewall looks at the source IP address: if it is in customer A's classification list, the packet belongs to customer A's sub-interface. That sub-interface is associated with zone trust-customer-A and exits via untrust-customer-A, so the firewall evaluates rules with source zone trust-customer-A and destination zone untrust-customer-A. Then another packet comes in with source 192.168.4.x; it belongs to the customer B sub-interface, zone trust-customer-B, so the firewall examines rules with source zone trust-customer-B and destination zone untrust-customer-B. Anything that matches no classifier stays on the unclassified .100 sub-interface and its general zones.

If this were a firewall capable of multiple virtual systems, you would put the two sub-interfaces of customer A's virtual wire in vsys2 and give customer A management access, so that customer A controls their own policy, and put customer B's two sub-interfaces in vsys3 and give customer B access to manage vsys3. Because we don't have virtual systems, we're going to restrict it to zones only. So let's take a look at this in the lab.
I have the Palo Alto firewall here. One interface faces the customer side through a trunk port carrying VLAN 100, and the other interface is also a trunk carrying the same VLAN 100 toward the router that gets the customers to the Internet. Let's create those.

First, under Network > Interfaces, set the first interface to Virtual Wire and create a virtual wire; we'll just call it "default". Make sure the default virtual wire allows only tag 0, because we don't want it to carry the tagged traffic; it won't work without that in place. For the security zone, create "general-untrust" and click OK. Then set the second interface to Virtual Wire, select the existing "default" virtual wire, create the security zone "general-trust", and click OK.

Now we create the general sub-interfaces for all traffic without any IP classification: on the untrust side add sub-interface .100, tag 100, no IP classifier, create a virtual wire called "default-vlan100", and zone "general-untrust". On the trust side add sub-interface .100, tag 100, virtual wire "default-vlan100", zone "general-trust". Click OK.

Then we create one sub-interface pair for customer A and one for customer B; the classification happens on those sub-interfaces. On the untrust side, customer A's sub-interface is .1, still tagged 100, and I do not put the IP classifier here.
The IP classifier can only be applied on one side, not both: the side where the traffic is sourced. So on the untrust side I create a virtual wire, call it "customer-A", and create the security zone "untrust-customer-A". Then I create another sub-interface on the untrust side, VLAN 100, again with no IP classifier, on a new virtual wire "customer-B", with zone "untrust-customer-B". Then on the trust interface I add two sub-interfaces, both VLAN 100, and here I put the IP classifier: the first is for traffic coming from 192.168.3.0/24, virtual wire customer-A, security zone "trust-customer-A"; the second has the IP classifier 192.168.4.0/24, virtual wire customer-B, security zone "trust-customer-B".

Then I create a security policy that allows everything for now; it doesn't matter for this test, we'll just look at the session and see which zones it falls into. On the customer A Windows machine I configured the interface statically with 192.168.3.10 and default gateway 192.168.3.1, and the customer B machine with an address and default gateway in its own subnet. The traffic goes to the router, whose configuration looks like this: the inside Ethernet has two IP addresses, one for customer A's subnet and one for customer B's, and the other Ethernet is the outside interface; the inside network is the NAT inside, and I'm overloading (PAT) to the Internet. The outside Ethernet connects to my home network. Now that this is done, let's test it and see if I can ping the Internet. I can ping it.
Let's look at the firewall with show session all; I see the ping. The matching rule is the any-any rule, but the important part is where the traffic is coming from: source zone trust-customer-B and destination zone untrust-customer-B. So the traffic was classified correctly. Even though I have three sub-interfaces all in the same VLAN, I was able to put each traffic stream into its own zone. If I go to the other machine and browse to Google, show session all shows the Google traffic from the .4 host; I don't see any traffic from the .3 host yet, so I generate some. Now I see sessions from the .3 source, and show session id 127 shows source zone trust-customer-A and destination zone untrust-customer-A.

To save time on the lectures, I'm going to export this lab configuration to the file share so you can download it. That way I don't have to walk through all the connectivity, which is important in UNetLab, and you have the lab to practice with. If something doesn't point correctly to the VM images on your side, go to Edit and point it to the correct image: for example, if you didn't call your VM image "Palo Alto 7110" but "Palo Alto 7.1.0", it's not going to work; you have to edit the image name or redo it, but at least you will have the connectivity.

If you are listening to this lecture and you didn't get it from Udemy, this class is exclusive to Udemy, so you're going to be missing a lot of things. If you don't have it from Udemy, please drop me a message and let me know. To access this class, go to www.freedom.compolofowerwalls. Thank you. Also, if you haven't posted a review yet, please do.
I would really appreciate it if you wrote a short paragraph explaining why you liked the class; it would help me expand the class further. Thank you so much.
10. Tap Mode deployment
In this lecture we'll see an example of how to run the firewall in tap mode. In this hypothetical scenario, a company is using an ASA firewall as its current firewalling solution and wants to try out the Palo Alto firewall to see how it fits in their environment and to evaluate its capabilities. The company mirrors the switch port of the current firewall: port mirroring copies the packets going in and out of the ASA and sends them to the port connected to the Palo Alto firewall. When the Palo Alto firewall receives this traffic, it looks at threats, User-ID and pretty much all the features of the solution. The only disadvantage is that you cannot block that traffic.

Let's see how to configure it. On the switch, in this example a Cisco switch, we want to monitor the interface going into the ASA in both directions and send that traffic out to the Palo Alto firewall: monitor session 1 source interface FastEthernet 1/0 both (the interface connected to the existing firewall) and monitor session 1 destination interface FastEthernet 1/1 (the interface connected to the Palo Alto). show monitor session 1 then shows the source port with both receive and transmit, and the destination port.

Now we configure the firewall. Under Network > Interfaces, click the interface connected to the switch, set its interface type to Tap, and give it a security zone called "tap-inside". If you want to enable User-ID, check Enable User Identification on the zone.
We cover User-ID in a different section. Click OK. Now go to Policies > Security and add a policy called "tap inside": source zone tap-inside, destination zone any, action allow, with Log at Session Start and Log at Session End so you can see both. Click OK. One thing to be clear on: the tap interface is not going to forward any packets. The destination zone can be any because there's no routing; the firewall gets a copy of the packet, evaluates it and looks for threats, and can only alert.

I'm going to create a test URL filtering profile so we can see the URLs: under Objects > URL Filtering, create "test URL". This VM is not licensed yet, so I cannot see URL categories in the logs; but under the block list, if I specify any (*) with the action alert, that will log all the traffic with its URL. I attach this profile to the policy I created under Actions > Profiles > URL Filtering, and click OK.

Because this firewall is not licensed, what I can do is send the logs to a syslog server so I can see this traffic. Go to Device > Server Profiles > Syslog, create a syslog server profile, give it a name, and point it at my collector; I'm using ELK (Elasticsearch, Logstash and Kibana) to receive this traffic, and my port for receiving is 5546. Click OK. Then under Objects > Log Forwarding, create a profile, call it "syslog", and specify that all log types go to the syslog server. Attach that log forwarding profile to the security policy under Actions, click OK, and commit.
So I have a Windows machine as a client in this hypothetical network, and I'm going to go to that machine, generate some traffic, and see if I can see it on the actual Palo Alto firewall. Okay, there you go. We see the traffic getting sent by the firewall to the syslog server, and we see the details of that traffic here. If this were a licensed VM, you'd see everything under Monitor, Traffic. Next, I'm going to create a custom vulnerability object under Objects, Custom Objects, Vulnerability, and assign it threat ID 41000. We're going to go over the steps in the vulnerability protection section; for now, I'm going to create a signature. I set the direction to both and name the signature test. I'm going to add a signature that checks for a pattern match with the context http-req-uri-path, so it will alert on HTTP request traffic that has this pattern in the URI path. Then I'm going to create a vulnerability protection profile, and since this signature was set as critical, I'm going to specify that critical severity takes the action alert. Click OK, and then click OK again. Then attach this profile to the policy, click OK, and commit. Then I'm going to go back to my machine and try to access any website with testing123 in the URI; I'm going to go to www.cnn.com/testing123. So let's see if we get this alert. There you go; here it is: a threat. The vulnerability was detected, and its signature ID is 41001. So even though it's in tap mode, you can still get the visibility you need, but you cannot block any intrusions.
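The tap deployment described in this lecture, written out as the equivalent switch and PAN-OS CLI commands. This is an added example, not the lecture's own transcript: the destination port Fa1/1, the firewall port ethernet1/1, the management IP and the profile name test-url are assumptions, and the show output is an abbreviated, constructed illustration.

```console
! Cisco IOS: mirror both directions of the port facing the existing ASA
! (Fa1/0) to the port facing the Palo Alto tap interface (assumed Fa1/1)
Switch(config)# monitor session 1 source interface FastEthernet1/0 both
Switch(config)# monitor session 1 destination interface FastEthernet1/1
Switch(config)# end
Switch# show monitor session 1
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa1/0
Destination Ports      : Fa1/1

admin@PA-VM> configure
# ethernet1/1 only receives the mirrored copy: a tap interface has no IP,
# belongs to a tap-type zone, and never forwards or blocks anything
admin@PA-VM# set network interface ethernet ethernet1/1 tap
admin@PA-VM# set zone tap-inside network tap ethernet1/1
admin@PA-VM# set zone tap-inside enable-user-identification yes
# Source zone tap-inside, destination any (nothing is routed, so any is fine);
# logging at session start and end is what gives the visibility
admin@PA-VM# set rulebase security rules tap-inside from tap-inside to any source any destination any application any service any action allow log-start yes log-end yes
# Attach the URL filtering profile created in the GUI (assumed name test-url)
admin@PA-VM# set rulebase security rules tap-inside profile-setting profiles url-filtering test-url
admin@PA-VM# commit
```

Even with the rule action set to allow, no action on a tap zone ever reaches the wire; only the logs, threat alerts and syslog forwarding carry information out.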
11. Initial Configuration
In this lecture, we will discuss how to configure the Palo Alto firewall out of the box. You have to connect to the console port using your preferred terminal software, like PuTTY or another terminal program you're familiar with. You log in at the prompt with username admin and password admin. Once you are at the greater-than sign (the operational-mode prompt), you issue the command configure, and that will put you in configuration mode. Then you specify set deviceconfig system ip-address followed by the IP address of your firewall. This is for the management interface. The management interface has its own IP address, and that's how you manage the firewall. You can hit the question mark for help, kind of like on Cisco; then netmask and the subnet mask, and then, if you want to provide a gateway, default-gateway and the IP address of the default gateway. Once you do that, you hit Enter. If you want to show the configuration, you type show, and that will show you the configuration. This is a standard hierarchical format that is used by vendors such as HP, Juniper, and Palo Alto. You can also use set commands to configure the firewall. If you want to show the configuration in set format, you first commit, which applies our changes to the firewall, and then exit back to operational mode. Then you can do set cli config-output-format set. This will change the CLI to show you the configuration in set format, and this will allow you to see how to configure the device using set commands. Go back into configure and do show. This will show you the configuration in set format. So this is the basic configuration that you need to get the firewall to be manageable.
The command is set deviceconfig system ip-address <IP address> netmask <subnet mask>, and then default-gateway <IP address of the default gateway> if you want to specify a default gateway.
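The same initial configuration as a complete console session, added here as an example rather than taken from the lecture. The addresses 192.0.2.10/24 and 192.0.2.1 are constructed, and the set-format output at the end is abbreviated to the three lines this lecture cares about.

```console
admin@PA-VM> configure
Entering configuration mode
[edit]
# Management interface address, mask and default gateway in one command;
# a trailing ? at any point lists the keywords accepted next
admin@PA-VM# set deviceconfig system ip-address 192.0.2.10 netmask 255.255.255.0 default-gateway 192.0.2.1
# Nothing is applied until the candidate configuration is committed
admin@PA-VM# commit
admin@PA-VM# exit
Exiting configuration mode
# config-output-format is an operational-mode setting, hence the exit first
admin@PA-VM> set cli config-output-format set
admin@PA-VM> configure
admin@PA-VM# show deviceconfig system
set deviceconfig system ip-address 192.0.2.10
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 192.0.2.1
```

The set-format output can be pasted back into configuration mode on another firewall, which is the practical reason for switching the output format.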
Lab and AWS Palo Alto instance(s) Setup
1. Create an Amazon AWS instance to practice
In this lecture, we will see how to create an Amazon AWS instance to practise with the Palo Alto firewalls. The instance on Amazon that has all the features is the VM-300 Series, Bundle 2. The first thing you have to do is create a key pair: give it a name, create it, and then save the key pair. Then you're going to start PuTTYgen (the PuTTY Key Generator), load the file that we generated in AWS, and then save the private key. Then I'm going to go to PuTTY; you have to go to SSH, Auth and authenticate with the key that you created, and then we are going to save that session under AWS. I want to make sure you understand the Amazon VPC. A VPC is kind of a routing domain on Amazon. When you go to Services, VPC, a VPC is automatically created for you, and this is the VPC it uses. The current one that was created for me is 172.31.0.0/16. If you go to Subnets, that shows you the different subnets you have. So I have two subnets here that were created by default. I'm going to create my own subnets; this way, I know exactly where things go. I'm going to delete the subnets that were created. Okay, I'm going to delete this subnet as well. So I need to create a management subnet, an inside subnet, an outside subnet, and a DMZ for testing. I'm going to create a new subnet here and call it management, 172.31.1.0/24. That's the first one I'm going to create. Then inside LAN, 172.31.2.0/24. Then make a subnet called DMZ, 172.31.3.0/24. So management is 1, inside LAN is 2, and DMZ is 3. Then I create a subnet for outside, 172.31.255.0/24, the highest one. If you look at the route tables, they all have the same route table. So what we want to do, once we're done creating the VM, is create a route table for each segment. This way, they don't talk to each other directly; they go through the firewall.
The management network is where we're going to be putting the management interface. As for route tables, this is the current routing table in place. If we look at the routing table under Routes, we see it's using the Internet gateway, which basically maps your private IP address to a public one and handles that for you, and that's what we need first to be able to get connectivity. So under Services, now we're going to create an instance, and then we're going to go to AWS Marketplace and do a search on Palo Alto. There is the firewall Bundle 1 and the firewall Bundle 2. You're basically going to be billed hourly. The hourly rate is $1.28 per hour for the actual software, and then there are charges for the storage, which is a monthly charge, and then there are charges for the VM instance that you're running Palo Alto on. We're going to select that as a free trial. VM Bundle 2 gives you pretty much all the subscriptions (IPS, AV, malware prevention, WildFire, URL filtering, GlobalProtect). So this is pretty much the bundle that has all the features that can help you practise for the PCNSE exam. I'm going to go ahead and click Continue, and then there are different instance types. The ones you can't use are greyed out, so I'll select this option and then click Next to configure the instance details: number of instances, one. For the network, the default VPC; for the subnet, we choose the management subnet, because that's the first interface. Auto-assign public IP: you don't want that. Shutdown behaviour: stop; don't choose Terminate. Then, for the network interface eth0, I'm going to give it an address so we know what it is. Then I'm going to add storage: general-purpose SSD; we'll pick the general-purpose one and its IOPS. Then Review and Launch. SSH is enabled, so we're going to go ahead and click Launch. When choosing the key pair, choose the key pair that you created, click Acknowledge, and then launch the instance.
So here the EC2 instance is initializing. If you click on the details here, you can see the details of it; its eth0 is assigned 172.31.1.10, and once it initializes, we're going to log in. The next step: you have to go to the Palo Alto site and register for support so that you can get the subscriptions. Now that the instance is ready, we're going to go ahead and assign it a public IP. You're going to go to Elastic IPs, then Actions, Allocate new address, Yes, and then we're going to associate it. The instance is this one, and that's the IP address that we can associate with it. So now it's associated. Now we're going to use PuTTY to connect to it. We load the saved session, which gives us the key, put in the IP address, log in as admin, and connect. The next thing you need to do is enter configure, and then we're going to go ahead and change the password: set mgt-config users admin password, put the new password in, and then commit. Now, if we check, we should be able to see that we are licensed and have pretty much everything available for us to play with. You can have multiple instances if you want to try out a lot of the scenarios that I'm going to be creating. But the issue is that you can only have layer 3 interfaces; you cannot have any other type of interface. Now that you've finished provisioning, you have to log in to the support portal, create an account, and then basically register the usage-based VM: enter the Amazon instance ID, agree, and submit. So now you have the software attached to your account. If you go to Software Updates, you have access to the Palo Alto VM images, including the KVM-based image, which can be used in UNetLab. So this is version 7.1. Those images can be used in UNetLab.
So you download the image that you want, and you can use it in UNetLab to practise the scenarios that I describe in my lectures. That's how you get access to the software: the KVM files, the qcow2 files. Those are the ones you'll use in your UNetLab instance.
2. Setup Amazon AWS for lab testing, add a Windows AD server
So now that you've created your PA-VM firewall, there's only one interface, which is the management interface, and we've created networks in the VPC: we have some subnets, we have DMZ, outside, management, and we have inside LAN. So we want to create an interface for the Palo Alto firewall on the inside LAN. What we need to do is go to Services, EC2, then Network Interfaces, create a network interface, name it PAVM inside interface, and then select the subnet, which is the inside LAN. Do you want to assign an IP? We're going to assign it an IP in 172.31.2.0/24. You have to select a security group; we can pick anything right now, and we can change it later. Okay. This interface now shows up as available. So that's the first interface, created for the inside LAN. Then create another network interface, name it PAVM outside interface, subnet outside, and give it 172.31.255.10; you can give it any security group for now. Okay, so those two are available now because they're not attached. We need to attach them to the instance. So I'm going to go to Instances, then Actions, then Networking, then Attach Network Interface. I want to attach the PAVM outside interface first, as eth1; I like to use Ethernet 1 as the outside interface. So I'm going to assign this to eth1 and attach it. Now that it's attached, you see here that it's been assigned 172.31.255.10. Then I'm going to also attach the inside interface: Attach Network Interface, inside interface, attached. That's going to be eth2. Okay, the one that's left is the DMZ, but it's not necessary right now, because the first thing you have to do is create a Windows domain controller so that you can do all the functions: authentication, certificate server, and so on.
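The subnet, interface and per-segment route table steps from this and the previous lecture as AWS CLI commands, added here as an example (not from the lecture). Every vpc-, subnet-, sg-, eni-, rtb- and i- identifier is a placeholder to be replaced with the IDs the create calls return, the inside address 172.31.2.10 is an assumption, and the source/dest check step is one the console walkthrough does not mention but that a routed firewall ENI needs.

```console
# Inside LAN and outside subnets in the lab VPC (management and DMZ follow the same pattern)
$ aws ec2 create-subnet --vpc-id vpc-PLACEHOLDER --cidr-block 172.31.2.0/24
$ aws ec2 create-subnet --vpc-id vpc-PLACEHOLDER --cidr-block 172.31.255.0/24

# ENIs with fixed private IPs so you always know which one is which
$ aws ec2 create-network-interface --subnet-id subnet-INSIDE  --description "PAVM inside interface"  --private-ip-address 172.31.2.10   --groups sg-PLACEHOLDER
$ aws ec2 create-network-interface --subnet-id subnet-OUTSIDE --description "PAVM outside interface" --private-ip-address 172.31.255.10 --groups sg-PLACEHOLDER

# Device index 1 becomes ethernet1/1 (outside) on the PA-VM, index 2 becomes ethernet1/2 (inside)
$ aws ec2 attach-network-interface --network-interface-id eni-OUTSIDE --instance-id i-PLACEHOLDER --device-index 1
$ aws ec2 attach-network-interface --network-interface-id eni-INSIDE  --instance-id i-PLACEHOLDER --device-index 2

# A firewall forwards packets that are not addressed to its own IPs; AWS silently
# drops those on an ENI unless source/destination checking is disabled
$ aws ec2 modify-network-interface-attribute --network-interface-id eni-OUTSIDE --no-source-dest-check
$ aws ec2 modify-network-interface-attribute --network-interface-id eni-INSIDE  --no-source-dest-check

# Dedicated route table for the inside segment: its default route points at the
# firewall's inside ENI, so inside hosts cannot reach the Internet or other segments directly
$ aws ec2 create-route-table --vpc-id vpc-PLACEHOLDER
$ aws ec2 create-route --route-table-id rtb-INSIDE --destination-cidr-block 0.0.0.0/0 --network-interface-id eni-INSIDE
$ aws ec2 associate-route-table --route-table-id rtb-INSIDE --subnet-id subnet-INSIDE
```

The outside subnet keeps the default route table with the Internet gateway; only the segments that must pass through the firewall get their own table.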
We'll go ahead now and create a Windows server, and this Windows server will be used for the internal authentication that we want to use on the Palo Alto firewall. So we're going to go to AMIs and then Quick Start. Windows Server 2012 R2 Base: this is a free-tier-eligible Standard edition. We can use that. Okay, this one is sufficient; let's select it. The micro, which has one gig of memory, is eligible for the free tier. You can choose that one, but I like to choose something a bit more beefy. A t2.xlarge with 16 gigs of memory is probably too much; a medium, with four gigs of memory, should be sufficient. Two vCPUs, low to moderate network. We choose that, and then next we configure the instance details. We want to put it in the internal subnet and assign it an IP address, and then add storage. We're going to choose the general-purpose SSD; that's fine. Delete on termination is something you have to be careful with: you simply need to stop the instance, not terminate it, because if you terminate it, the volume is going to get deleted. Then Review and Launch, choose the key pair, Launch Instance, and View Instances. Now it should start building the instance; it's initializing. Now the instance is running. We're going to go ahead and click on the instance, then Actions, Get Windows Password, and browse for your key pair. This decrypts the password. So now you have the password. The first time you log in, you're going to connect with this password. However, in order to connect from the outside, you must first assign a public IP address. So we're going to start by assigning a public IP address; that's how you get it initially set up. So I'm going to copy the password first. Then we're going to go to Elastic IPs, Actions, Allocate new address, and then I'm going to go ahead and associate the address.
I'm going to associate it with the running instance, Associate. Now I should be able to RDP into it with no domain and connect to it. Now that I'm connected, I will go ahead and change the password. Go to Control Panel, Administrative Tools, Computer Management, and then Local Users and Groups, Users. I'm going to go to Administrator and then Set Password, Proceed. Now that I've changed the password, I'm going to go ahead and install Active Directory and DNS. Navigate to Server Manager, then Local Server, Add Roles and Features. It's still collecting data. Before I add this feature, I need to change the computer name; this way, I know what I'm dealing with. So I'm going to go to This PC, right-click on it, and then choose Properties. Then I'm going to change the settings here and change the computer name to ADDC, then click OK. This way, I know exactly what the name of the computer is; otherwise it uses a random name. Close, restart. It came back up again. Now I'm going to go to Server Manager and then Add Roles and Features, Next, role-based or feature-based installation. Now I know the name. Click Next. I'm going to select Active Directory Domain Services, Add Features, then Next, Next, and Next. Go ahead and install it. The Windows 2012 instance costs $6 an hour for a t2.medium, including the software, so you don't have to worry about Windows software licensing. So now this is finished. Now we're going to go ahead and click on the notification and then More, and we're going to promote this server to a domain controller. We're going to add a new forest; in my case, I'm going to call it labad. But before we do that, we have to add the DNS server functionality. So we're going to go back to the dashboard, Add Roles and Features, Next, role-based installation, and we need to add DNS Server, Add Features. There's a warning about no static IP address; we're fine on this computer.
We don't need a static IP address. We just need to change the DNS setting to point to the local server. In the adapter settings, we need to change it because the server needs to resolve against its own DNS in order for the domain controller services to work. So here we're going to use the following DNS server: 127.0.0.1. Okay, so that's finished. Now we go back to AD DS and then click More. I'm going to go ahead and promote this to a domain controller. Add a new forest; I was going to call it labad, but let's call it lab.local. The root domain name is lab.local. Then we're going to click Next. Leave the defaults for now, and set the Directory Services Restore Mode password. The NetBIOS name will be LAB. Then click Next, default stuff, and then it should be ready to install. I'm going to accept this and click Install. Okay, it looks like it's going to reboot by itself. So let's let it reboot. Okay, it came back up. Let me log in. So now I have Active Directory working on this machine. That will help me because there's a DNS server, and it will help us with authentication, the certificate server, and all the other features that we'll be talking about in future lectures. We want to be able to route the traffic through the Palo Alto firewall. The Palo Alto firewall has Ethernet 1, which goes to the public side, and Ethernet 2, which goes to the private side. So we need to configure those. This lecture is getting long, so I'm going to finish that in the next lecture.