Pass Palo Alto Networks PCNSA Exam in First Attempt Easily

Chapter 1 – PAN-Security Architecture

1. 1.1 Security platform overview

In this video, we are going to cover PC and SA 210. This is chapter one of Palo Alto Networks' security architecture. First video of this chapter: One Security Platform Overview Cyber Kill Chain Methodology The cyber kill chain and its seven phases are a sequence of events that a threat actor or attacker has to go through to infiltrate the network and exfiltrate data from it. A block of just one stage in this lifecycle will protect the company's network from an attack. So, as you can see on the screen, we have seven steps on the cybercrime chain. As long as you can block one of them, that's it. Our network is protected. The first step is reconnaissance. Now in the reconnaissance step, attackers or threat actors carefully plan their attacks, just as burglars and thieves do. They research, identify, and select targets, often using phishing tactics or extracting public information from the employee's LinkedIn profile or from corporate websites or from social media. They want to know who works for that company, the names of the executives, their emails, and any other information they can get. Reconnaissance attack. These criminals also scan for network vulnerabilities and services or applications that they can exploit. The second step in cyberculture methodology is called weaponization. After the attacker or threat actor has gathered all the information from their reconnaissance, they then build a weapon. That's step two, called weaponization. They chose the best weapon to cover the best vulnerabilities that they found. So use the vulnerabilities of the assets that were discovered and build them into a tool that can be deployed. Step three is delivery. So somehow we need to use that weapon that we developed. Attacker, not us, because we are not attacking, but attacker or threat actor will take that weapon and deliver it in some way, either as an email attachment or as a code inside a PDF file or possibly a Word document, or even in removable USB media. But one way or another, they're going to have to deliver that weapon to the target network. Step four is called exploitation. Now, an attacker deploys an exploit against a vulnerable application or system, typically using an exploit kit or weaponized document. Deploying an exploit allows the attacker to gain an initial entry point into the organization. Step Five is installation. Attackers will seek to establish privileged operations such as maintaining access, persisting, and escalating the privileges. Step six: command and control. The attackers will now establish a command channel back through the Internet into a specific server, allowing them to communicate and pass data between the infected device and their own infrastructure. As a result, they establish a CNC or C-2 command and control system with the target system. Step seven: action on objectives Now the attacker has persistence and ongoing communication. They will act upon their motivation in order to achieve their goals. Their motivation could be data exfiltration, destruction of critical infrastructure, or maybe encrypting the data and asking for ransom. Now, Palo Alto Security's Operating Platform is a prevention-focused architecture that provides visibility into all traffic and prevents known and unknown cyber threats for all users on any device on any network. Now, there are some big boards here, so we have to talk about visibility into all traffic. So Palo Alto Networks firewalls will see all the traffic. Whether the traffic is encrypted or unencrypted, they will still be able to see it. Because if you don't see, say, encrypted traffic, that means you don't know half of the traffic that's going around the network. As a result, the Palo Alto Network Security operating platform provides network security within the network. Security can identify all network traffic based on application, users, content, and devices. So you can find out who's using any application, and then you can create the security rules to allow or deny this application, or maybe just alert that there's not that sort of application, or maybe that user is using some sort of application, so you can see an alert or deny or allow advanced endpoint protection. This provides endpoint multimedia prevention for both known and unknown threats. Cloud Security Now, Palo Alto Network Security's operating platform can run on a virtual machine as well. So the VM series Firewalls are designed for use in a virtualized or cloud environment. Then we have a panorama. Panorama, it's a firewall. It's like centralised management. Imagine that you have all these Palo Alto Firewalls around your network and you want to manage them instead of managing them one by one. You can manage them from Panorama. So it's consolidated policy creation and centralised management. Aperture is software as a service that protects cloud-based applications such as Box, SalesForce, and Dropbox. Aperture is focused on data loss prevention on these applications, or DLP for personally identified information (PII) or payment card industry (PCI) information. Then we have a global policy. The global protection is from, like, a remote access VPN. The Global Protect offers network security for endpoints, inspects all traffic, and uses internet gateways. Next-generation firewalls have an autofocus service that is part of the Threat Intelligent Cloud. It has direct access to all of the threat intelligence that Palo Alto Networks gathers from customers and the new 42 Threat Research team. Then we have mine. Melt. Mine Melt allows you to aggregate threat intelligence across public, private, and commercial intelligence sources. After the indicators are collected, MindMail can filter, unduplicate, and consolidate data across all sources, which allows the security teams to analyse a more actionable set of data. And then we have an application framework and login. A common application framework can be used to create and deploy application framework apps. Login Services offers a central cloud-based repository for all application data and logs. As a result, you don't need any additional processing power or storage space to use Login Services.

2. 1.2 Next-generation firewall architecture

In this video, we are covering PCNSA 210. This is chapter one of Palo Alto Networks' security architecture. This is the second video of Chapter One: Next Generation Firewall Architecture. Now. Palo Alto Network. single-path architecture. The strength of Palo Alto Network Firewall. It is the single-path parallel processor, or SP-3 engine for short. The Palo Alto Network Firewall allows you to specify security policy rules based on more accurate identification of each application seeking access to your network. It is unlike traditional firewalls that identify applications only by protocol and port number. It uses packet inspection and a library of application signatures to distinguish between applications that have the same protocol and port and be able to identify potential malicious applications that are on nonstandard ports and use nonstandard ports. So on a single pass, it's Astream-based signature format checks for antivirus protection, spyware, data filtering, and vulnerability protection on a single policy per type. The advantage of providing a stream-based engine is that the traffic is scanned as it crosses the box with a minimal amount of buffering. Now, Palo Alto Network Firewall architecture like usual, like the other architecture, we have a control plane and a data plane. A control plane can be accessed from the management interface as well as from console port. In the control plane, we have management tools so we can manage our device configuration, login reporting, and so on. In there. We're going to see CPUs, RAM, and SSDs. On the data plane, we have a data interface. Signature matching is now possible in the data plane. That's a stream-based uniform signature match including exploits, viruses, and spyware, as well as security processing. We can use app ID and user ID URLmatching policies to match SSL, IPsec, and decompression. We're going to be learning about all of these During our course with Palo Alto network firewalls and in the database, we have network processing, i.e. flow control, mac address stable lookup, root lookup, call to service, and network address translation.

3. 1.3 Zero Trust security model

On this video we are covering PCNSA 210. This is Chapter One. Pan Security Architecture This is the third video of Chapter 1130. Trust Security Model Dataflow secured by Palo Alto Networks' solution Palo Alto Networks solution is to go with the bundle zero Trust Never trust, always verify with Security bundle. If we always verify, this requires continuous monitoring and inspection of the traffic network. Traffic is increasingly being encrypted. Now if security teams have no true visibility, they can't control the users and applications traversing their network. The lack of full visibility means that the organisation is vulnerable to attacks from both within the organisation and from the public. Internet protection is needed from traffic that enters the network from external locations, as it's coming up from, for example, the internet to our inside network. Or it could be going to the demilitarised zone, so that traffic is known as the north-south traffic. This has always been about protection. But protection is also needed for traffic within the network because this is where the malicious lateral movement techniques will take place. This traffic is referred to as east-west traffic. So we have east-west, which is the lateral movement, and north-south traffic. In most cases, hackers will first infiltrate a device within your network and endpoints before moving on to the data centers. So like we said, Palo Alto goes with a model of "zero trust," never trust, always verify, and it will check every single packet, making sure and verifying it. Integrated Approach to Threat Prevention Now, if you remember from lesson 1.1, we looked at the Cyber Kill Chain, which had seven phases. So we had reconnaissance and weaponization, which we don't. We can't really do anything about that. But then we have delivery, exploitation, installation, command and control, and acting on objectives. And this is what Palo Alto Security's operating platform offers, and we're going to go through it in our lessons and talk about all of them first. For example, I think this is the lesson four appID, which blocks high-risk applications, blocks command and control on nonstandard ports, and prevents exfiltration and lateral movement. Then we're going to be talking about URL filtering, which is lesson six. This blocks known malware sites that are in delivery, command, and control, and blocks malware Fastflow domains. And then we're going to talk about vulnerability. So vulnerability here we are talking about thesis more, this is more like content ID which we're going to check it on. Chapter Five prevents lateral movement and blocks exploits. antispyware again, chapter five Chapter Five: Blocking malware blocks firm command and control traffic traps, monitors allowed processes and executables, prevents exploits and malicious executables from running, and blocks files, denies service, and zones. and a wildfire, which is going to be our chapter eight. Wildfire will identify malware, detect unknown malware and detect new commander control traffic, thus prevents evasion and file blocking, prevents drive by downloads and as well as prevents exfiltration and lateral movement. And as well, does our denial service prevent denial service attacks? But again, we're going to be talking about all of them in depth. Adolescence program.

4. 1.4 Firewall offerings

In this video, we are going to cover PCNSA 210. This is chapter one, Palo Alto Network Security Architecture. And this is fourth video of chapter one which is Firewall offering one four firewall offering. These are the physical platforms of Palo Alto's next-generation firewall: PA 220, RPA 220, PA 800 Series, Palo Alto 3200 Series, and Palo Alto 5200 Series. Now, these are quite powerful devices; even the lowest one, the PA 220, is going to be quite powerful, and all of them are next generation hardware with the release of Panos. Pan eight, one that was released, 52 80 serieswas released and this is very similar to 5260, which was previous one, but it was just doubled up on the data playing memory which doublesup the session capacity of the Firewall. Now, the latest panel that we use—and this is what you're studying now for—is Panos 9.0. That's the latest one. And the thing is that when you manage these devices, the good thing is that they all have the same look and feel of the interface. So you will be able to navigate through any of them; it doesn't matter which one you're running it from. Well, I'm going to do my lessons on lessons on virtual machine which pretty much is going to be the same, the look and the field is going to be the same on any Firewall. Then after that, we have the chassis series. The chassis series are the PA 7000 series, and this has been the release of 9.0. We have three new chassis cards: network processing cards, switch management cards, and dedicated login cards. And after that and the more powerful ones, we have the Panoramas, Panorama, M 200, and M 500. These are the centralised management tools for all of your Palo Alto Firewalls. So we can manage any of these devices from we can manage any of these devices from Panorama. So these are your physical platforms for Palo Alto's next-generation Fowl. Then we have a virtual machine or virtual machine series with models and capacities. We start with VM 50. The VM 50 is the virtual machine that I will be using in our lessons. And you can see the dedicated memory that we have we need for this virtual machine. It does support 3000 sessions per second, and it has dedicated CPU cores. You need two, you can see the Firewall throughput and threat prevention throughput as well. Then, we have a VM 100. VM 100, for example, if you look at the dedicated memory that we need for that6.5 GB, two dedicated CPU cores. The new session for seconds has gone from 3000 in VM 50 up to 15,000 in VM 100. And then the next one is VM300, which we look at 9GB memory. We have dedicated CPU core four, and then the new session per second again is doubled up, and you can see the throughput and threat prevention throughput as well, which kind of just doubles up on those. Then we have a VM 500. On the VM 500, we look at the dedicated memory. 16 GB, eight dedicated CPU cores, and 60,000 sessions per second. I just doubled up on 300 as well. And the last one is your VM 700. Now, VM 700 has 56 GB of dedicated memory, 16 dedicated CPU cores, and 1200 sessions per second. very powerful virtual machine. Virtual systems (or VCs) are separate logical firewall instances within a single physical Palo Alto Network. Firewall. Each virtual system is independent, separately managed by a firewall, with its traffic kept separate. This would be used, for example, by service providers to separate firewalls for their customers. Virtual systems are supported on the PA 3000s, PA Five Thousand S, and PA 7000 series firewalls. Each Firewall series supports abase number of virtual systems. The number varies by platform. You do need a virtual system license. It is required to support multiple virtual systems on the PA 3000 Series Firewall.

Hide

Chapter 2 - Initial Device Configuration

1. 2.1 Administrative controls

In this video we are covering PC and SA 210. This is our Chapter Two initial device configuration. This is the first video of Chapter 2, which is about administrative control and initial access to the Palo Alto Network firewalls. They offer dedicated autoband network management either using an Ethernet interface (this is labelled "Mgt") or using a SerialConsole connection (this is labelled "Console"). Now that's your management interface, the Ethernet management interface, or we can connect it through the console. Now, if I connect through the management interface, I have to put the PC in there and connect the Ethernet cable to that management interface port. Now by default that port as a defaultIP address 192-1681 one, that's your default. Now you must ensure that this PC has the same IP address—well, not the same IP address, but on the same subnet, for example, one to two. It will work, and then as long as you can pin, you'll be fine. The virtual machine series has the manager import it as configured as a DHCP client, and then you have to check from your virtual machine what IP addresses are going to be issued to the Palo Alto Networks firewall. On my virtual machine, which I'm using as VM 50, I have set an IP address to statistically. So, because 192-168-1254 is in the same subnet as the home PC, I should be able to ping it and then we can access it. Now, by default, the firewall has one single administrative account with the username and password admin. And that goes without saying, you have to change them. That's a default. So you have to go and change. A firewall will not let you forget. So once we log on through the web interface or CLI, you will get a message either through the web interface or the command line interface. Until the default password has been changed to the local administrative password, it is encrypted using the firewall master key. Now there are four ways we can manage or have administrative access to the firewall. First, we can access it through a Web interface, and that's what we're going to do. Most of the configuration is going to be done through the web interface. Another way we can access the firewall is using a command-line interface through the console port, either through SSH or Telnet. Well, telnet is not enabled bydefault because it is unsecured. Only SSH is enabled. Now, coming from Cisco background I love command line interface. It's so much easier for me to configure. I didn't like graphical user interfaces or web interfaces, but with Palo Alto, you have to do all the configuration that we can't do through the web interface. Not all. I'm going to show you some commands but most of the configuration is going to happen through web interface. Another way we can manage a Palo Alto firewall is through Panorama. Now, Panorama is like a centralised management system. If you have, for example, many Palo Alto network firewalls in your network, imagine having 2030, 40, and so on. You don't want to go and manage them one by one. You can manage them from a central location, like Panorama, and just push the configuration to them. Another way we can administratively access the PaloAlto network firewall is by using Rest XML APIs. This is useful if you, for example, export configuration and then don't import it, make some changes, and import them. You can use the XML APIs. This is my lab, where I'm going to be working, and, well, it's been more busy; it has more stuff on it. But for the moment, that's all we need. We're going to need the management interface, and we're going to need that PC connected to the virtual machine or the firewall. Now VM 50 is the firewall. They have downloaded, and I've got it running on my machine. Now that this virtual machine has more interfaces, we're going to bring them into play later when we do the more advanced stuff. At the moment, we're just going to do the initial configuration. So we'll connect to the firewall, to the management interface, and configure the basic settings. I don't want you to rush and think, oh, I want to do, I want to do this. You have to really read slowly to understand everything, especially for the exam as well. They can come up and ask you questions, and so on. So there's no point to jump and say, okay, well, what are the policies, what are the net policy and everything. We go slowly, right? So once we connect to the firewall, we're going to get security warnings. So once I connect to the firewall, I will get a certificate warning my PC, the firewall is going to issue a self-signed certificate, and my PC is not going to trust it. So I have to say, okay, well, I can connect to that. And then we're going to meet with different functional categories. Well, dashboard function category, but let's go through it anyway. So I already have a connection to my firewall, right? Let me just close this and show you. First, I'm going to show you the virtual machine. I already have the file running. 50 VM 50 virtual machine is my virtual machine. So from my physical machine I should be able to ping, which I did earlier and tested, but I can repeat again. So ping 192-168-1254 is my firewall address, and I'm able to ping, and then I can open a browser and access it. I like to use Google Chrome, but you can use pretty much any browser. You can use Firefox, Internet Explorer, and so on. The address that you need to access is a secure HTTP address, httpscordnam 192-168-1254.You're not seeing the first window, the warning that you have to access, because I already did access it. Maybe if I access it through Internet Explorer and see that window, because I want you to see the window where you'll click Next. So https, and I see in Internet Explorer that this site is not secure. The reason is because it is a self-signed certificate by the firewall. So more information go to the website and it says no recommended. Anyway, once we get in there and once we add access, then the username I'm going to use is admin and the password is admin. Okay, now that we've accessed the Palo Alto Network Firewall, we can see it's going to start populating the widgets, and we see a banner welcoming us. Okay, I'm just going to zoom out a little bit so we can see it nicely. Close this. The first thing about this that you need to remember is that these tabs are called Functional Category tabs, and there are seven of them. So the Functional Category tab and the network management are grouped into different tabs. So when we click on the different tab, we're going to see a different management widget. So for example, in ACC, we're going to be talking about all these tabs anyway, the Monitor Policy object, and so on. If I go back to the Dashboard Functional Categories tab, the first thing I want you to look at is who is logged in—what user is logged in. So both the administrator and the user can log out. As a result, we can see when that user lost their login time. Then we can see the task button here. The task button will display what is completed and what is actually running at the moment as well. So if I click on that, you'll see what has completed and what is running as well. The next thing is that when I make a change on the firewall, by default, those changes don't take effect right away. It's not like a Cisco router or firewall. As soon as you make changes, they take effect here. No, they will go into something called candidate configuration. After you configure, press this button here, "commit," and your changes will take effect. They will become the running configuration of the firewall. If for some reason you're not sure of something, you can always click on this button here. Help menu to show it will open a separate web browser. They will have a searchable manual to get information about the options shown in the window panel. So we can always click on it and see what happens. It just opens a new page, like a website, and it has a searchable database. Okay, let me close that. Next thing I want to show you is the web interface editing guide. So let me clear this stuff, and then if I, for example, say that I want to configure something, right? So I'm going to configure Nat's policy. It doesn't really matter. I'm just showing you this. It's not about the NAT. Later, Nat comes, like in the third chapter. But the first thing I want you to notice is this yellow squiggly line. That means there is information that you have to populate in there. And then, for example, at the moment we are in the General tab, and the General tab has a yellow highlight. And this yellow highlight tells us that this field is required. So if I just hover above it, it says that this field is required. So you do need to write something in there. And unless you populate everything, all the yellowhighlights, with something, This icon's okay button is not ready or it's not available. So for example, let me write something here. It doesn't matter here. And you can see when I go to the original package, there's another highlighted area in yellow, and it says it requires at least one entry. I have to add something in there. And the destination zone requires an entry as well. I have to add something in there, and then the okay button is ready for that to take effect. And as you can see, when I write it okay, when I press okay, that configuration, I did take effect there. And then I have to commit the changes because by default, it is not written right. And let me just delete that, select it, and delete it. Okay. For this lesson, we're going to leave it here now, right? And we're going to continue with other lessons. So what we're talking about here are functional tabs here. There are seven of them. Functional tabs who logged in When was the last time they logged in? the task being completed. ComEd icon will be you see here. It's greyed out. There were no changes when I took this screenshot and checked the help menu as well. We have, and then when we edit something, you should always pay attention to the red squiggly lines here. That means that some information needs to be filled. So when I click on General, you see the yellow highlight there. That means the information has to be filled in. all this stuff, you don't have to fill them. You should fill them even if they are recommended. We don't have to fill them. And then once you fill them, you press okay. Okay, I will be available.

2. 2.2 Initial system access

On this video, we are covering PC and SA210, and this is chapter two, initial device configuration. Now, this is the second video of that chapter. Video two, initial system access, resets the factory configuration. So for some reason, if you want to reset your device or your Palo Alto Networks firewall to factory settings, then there are two ways. If you know the user name, if you know the password of the admin account, then you can just logon in there and then on the user mode you can say request system private data reset, which you can see the command there that's come on. This will return the firewall to its factory settings. And that's what I did here. I logged in as my admin, I knew my password, I logged in, and then I setup the command request system for private data reset. And the tab works here. So you just type "req" and hit the tab, and then "sys" hits the tab, and then "PR" hits the tab, and it will fill it for you. It will then display a warning message and ask you whether you want to set up or not. Then you click "why," and then it will reset it. If for some reason you don't know the administrator password, then the first thing you need to do is put the firewall into maintenance mode. So after the firewall boots up and starts booting, you type main in the command line interface through the console port, and after some time, you can choose to reset it to the factory default management interface configuration web interface. Now, if for some reason you want to change the IP address of the device that you want to manage or your firewall that you want to manage, by default, these firewalls come with an IP address other than the 192.168.1.1 one. That's the default firewall, not the default gateway either. So the netmask is the same. But if you want to change it, which I did in this case, we can go there. Okay, I'm going to show you how I did it. So I go to my firewall, and you need to access devices. So under the functional category tab, go to setup and then go to interfaces, and there's already a management interface. That's it. You can't add another one or anything like that. That's it. If you want to edit it, you just highlight it; you can see there's like a hyperlink. You highlight the selection and click on it by default. On a physical firewall, the IP address of the physical firewall would have been 19216 811-921-6811.I have changed it here to this address. Subject mask is the same as with the gateway as well. Now in here, you can actually configure how or what administrative management services are allowed on this firewall. We allow HTTP and SSH secure shell and HTTP by default, but we can also allow it through unsecure HTTP and Telnet if you want, but they are not enabled by default. By default. And then you can allow whatever network services you're allowed by default. Ping is allowed. You can ping the device. You can enable other stuff as well. Here, you can control who can connect to this firewall. So for example, create a static list. You have complete control over who is configured and who is allowed to connect to this firewall by default. However, if you choose this option, you can enter the IP address of your device or the IP address of your network. So it can be a network. So we can say "one nine, two," for example, and you can say that means that only those addresses are available from that network to connect to this IP address. If you don't do that, it's just going to connect. Everyone can connect through it. If you want your firewall to receive DHCP, and this is usually the default for virtual machines, It's a DHCP client, and it's going to get information through DHCP. The next thing we need to talk about is configuring general settings, i.e. For example, you want to change your name or configure a banner or something like that. Then we must go to the same place device function category tab and configure it. And then we go to management. And when we have management, this is your configuration. Here's what we need to do. If you want to make changes, you need to click on this like a gear icon here, and then that will open the general settings. If you want to configure the panorama settings, you configure this and it goes on like that, right? So that's what we're going to do. We're going to configure the general settings of these Palo Alto Network firewalls. If I click on it here, I can change the name, the hostname, and the domain name as I have now. Those two, "Accept DHCP server-provided hostname" and "Accept DHCP server-provided domain name," are greyed out, and I'm not able to tick them. The reason I'm not able to tick them is because you have configured IP addresses to be static. If you configure the IP address to be dynamic through the ACP, then those two are available. Then you can configure the banner to basically appear. Then obviously, the time zone and the language, the date, the time, and so on, the lattice used in longitude, are used to place the firewall on the map. On the acceptability side, you can have, for example, an SSL or TLS service profile. You can enable it here if the communication between the client and the firewall will be encrypted. But I haven't found anything there yet. We will do so in the future. By the moment I don't have any automatic require commit lock again later on we can talk about all the stuff here. So I'm going to cancel there for a second now if you want to configure, for example, this firewall to communicate with a DNS server. Then again we have to create device set up and then services in here we have services for DNS server and services for NTP server. So again on the services tab, I have to click the gear icon here, and I can change my DNS server in here. Later on, we can come back here again, but we can have an update server. Where is our update? Palo Alto updates, where do we get them? And the default is to update Palo Alto Networks.com, and here we will add EU because we are in Europe, not America. So I'd say we can discuss this EU later when we talk about the update. But here I want to talk about the DNS server settings. As a result, we have a primary secondary DNS server with a minimum FQDN refresh time and a stale time. That's how you configure your DNS—the primary and secondary DNS servers. If you do want to configure the NTP server, click on this and then you can configure the NTP server. So, if you can't get the time from the NTP server address and you have authentication enabled, that's your primary NTP server and secondary entity server. Remember that NTP used UDP ports one, two, and three, and if you enable, for example, the authentication type, you can enable key authentication now by default management interface, this interface will go and communicate with other external services, such as the update server, for which we can use the management interface, the DNS server, and so on. But for some reason, and mainly because most people are not very happy with that, For example, you can actually configure one of the physical interfaces to go out and communicate with the external service. Not leave the management server, and for that, we must go, for example, if you want to change that, you must go to device setup services, and the same place where we were configuring the IP for the DNS server and NTP server is a service root configuration. a service route configuration. See, it says to use the management interface for all services, like the update server, MDP, DNS, and so on. But if you don't want to do it, for example, we can customise it; we can say, "Okay, well no, we want to use some interface, some physical interface," and you can see all these services by default in the management interface that will be used, and some people are not happy with this. So for example, on the NTP server, I can say NTPserver. Here, I can click on it and that will open another window, and here I can configure the source IP address and source interface. What interface am I using, I'm sorry, and what is the IP address of that interface? If I choose the source interface, for example, that will be Ethernet 1, and that's my source address, the IP address will be fully populated automatically. So for the NTP server, I'm using an in-band interface. Okay, so that's it for this demonstration. So we go back to the slides again. For example, the IP address we had to clickDevice, we had to click Setup and then interfaces and then click on the hyperlink and it will open this window and that will open. Then you can configure the static IP address, if that is something that you want. Then, if you want to configure something, for example, change the name of the firewall domain name or the banner and the time zone latitude and longitude. device set up in general settings. We click the gear icon here, and that opens this window, and then from there we can configure. Once we have it, click OK, and then we have to make sure that we commit for the changes to take effect. The next thing if you want to configure, for example, the DNS server is to change the DNS IP address, set up devices and services, and then click the gear icon, and then down here we have the DNS stuff. If you want to configure the NTP, click on the NTP tab, which is going to be the next slide anyway. But it's the same place through device set-up services: the gear icon and then the NTP tab, and then we put the IP address like I told you in the service routes. By default, the firewall will use the Management Interface to access remote DNS servers, content update services, licence retrieval services, NDP services, and all other external services. If you do not want to allow external network access to your management network, you must configure an inbound data connection to provide access to required external services, as well as a service route to tell the firewall which port to use to access the external services. So I went to Device, which is the same place where Device is configured, and then Services. And then down here, we have a service route configuration, and then we choose the default, which is management, we choose customize, and then we can click on what service we want to use and what interfaces we want to use for that service. If you want to change the IP address of the firewall manually through the command line interface, you can do it through the CLI using this command. So first you have to logon through the command-line interface. So you log in, type configure to enter configuration mode, and we can see that's our configuration mode, and then we say set Device config system IP address, and then the IP address if you want to change it to Net mask, and then the submit mask, default gateway, and DNS server primary settings if you do it through the command line.

Hide