PCNSA: Palo Alto Networks Certified Network Security Administrator Certification Video Training Course Outline
Chapter 1 – PAN-Security Archite...
Chapter 2 - Initial Device Confi...
Chapter 3 - Security and NAT Pol...
Chapter 4 - App-ID
Chapter 5 - Content-ID
Chapter 6 - URL Filtering
Chapter 7 - Decryption
Chapter 8 - WildFire
Chapter 9 - User-ID
Chapter 10 - Global Protect (Rem...
Chapter 10 - Site-to-site-VPN
Chapter 11 - Monitoring and Repo...
Chapter 12 - HA (High Availability)
Chapter 2 - Initial Device Configuration
3. 2.3 Configuration management
In this video we are going to cover chapter two, initial device configuration, and this is the third video of that chapter: 2.3, configuration management. Configuration types. The firewalls from Palo Alto Networks are not like other vendors' firewalls, where as soon as you make a configuration change it takes effect automatically. Here, any changes that we make go to the candidate configuration, so the configuration changes have been made but not committed. When we are satisfied with all of the configuration that we have created, we can click the commit button to make the changes permanent. So the router starts with the running configuration, which is the one that is actually working at the moment, and when you make changes, they go to the candidate configuration and stay there until you press the commit button. When you press the commit button, those changes move from the candidate configuration into the running configuration and become active on the firewall. So, for example, if we go to my firewall, say that I have made some changes. I can see that I made changes because the commit icon is enabled. That already tells me there is a change waiting to be committed and enforced. Sometimes I make changes that I don't want to commit yet, but I want to save them so I can come back and continue configuring them later. So, for example, if you've made some changes but you're not ready to commit them, and you want to continue tomorrow because it's getting late or you have to go home, you can save those changes, come back the next day, load them, continue, and then commit. To do that, we go to Device, Setup, and then Operations; let me just zoom in a bit here. Under Operations we have a few options: we can revert to the last saved configuration.
So, for example, if we made changes and want to revert, we can do that. You can also take whatever changes you have made and save them as they are now without committing them, and come back later to look at them or load them, or we can load configurations from old saved configurations. So we have three options: revert, save, or load. We can also export our configuration in XML format, and once we export that configuration we can import it somewhere else as well. In this place we can also reboot the device, the firewall, or shut down the whole thing. Now, the configuration: if you don't want the changes to be active on the firewall yet, and you're going to continue tomorrow or next week, but you want to save them and load them later on, what we can do here is choose save changes. The changes are saved to a named configuration snapshot, overwriting the existing snapshot, and then you can reload them. Say I create a policy and I'm happy with it, and I save that change and continue. And later on I say, "Oh no, what I did was actually wrong," but whatever I saved up to that point was good. I can revert those changes and go back to what it was before. Now, if we commit: say I've made the changes, I'm happy with them, and I want them to take effect. I press the commit icon here, and that shows me which administrator has made changes. For example, I can see that admin has made changes, and those changes are in device and network and shared objects. If I'm happy with that, I can just press commit here, and they will be committed. I can also view them: what are the changes?
So if I'm not sure what changes are going to happen, I can check by pressing this icon here, preview changes. I'll enter ten lines of context and press OK, and it opens another browser page showing me what they are. For example, we have three legend colours: added is in green, modified is in yellow, and deleted is in red, or light red. So, for example, we can see here: this is the last local device change, so the running configuration, and this is the candidate configuration. In the candidate configuration there are some new changes, right? I was just playing around, and I think that's my account, and then we have some more changes, but nothing has been deleted, right? So I'm going to go and try to delete something, to show you that if you modify something it turns yellow, and if you delete it, it turns red. So I cancel this and go to Policies; if I create a new one and then delete it, it's not going to show, right? So I can't do that. Let me try to delete something very quickly: administrators. Yeah, I'm going to delete... myself? Oh, okay, let's delete those. Click Yes. Now I press commit and preview the changes. That shows me a few things that are going to be deleted. You can see them in red; they are deleted. You can also commit all changes. So if you are the administrator and you have the rights, you can commit all changes or only the changes made by yourself. Or if there is someone else, for example Astrid, I can commit the changes from Astrid as well. Whoever the administrator is, you can commit their changes as long as you have the privileges to do that. Obviously, if you don't have the privileges, you can't commit them. So you can commit here, which will commit all of your changes, or you can commit changes from other administrators as well.
Here is a list of the changes that will be made. You can preview them. So green was added, yellow is changed, and red is deleted. You can validate the commit, making sure that it will work once you commit. I'm going to cancel all this. Now, as you can see, there could be more than one administrator making changes at the same time, so there could be conflicting changes, and you may want to make sure it's only you making changes. Then we click on this padlock here. I'll show you all this in the lab to see how it's done. So I click on the padlock, and then I can take over the commit, so nobody else can commit except me. I can either take the lock or, if it has already been taken by someone, remove the lock, as long as I have the privileges. But I'm going to show you how to take the lock first. So click on the padlock, and we take a lock. We can have a commit lock or a config lock. With the commit lock you say, "Okay, nobody else but myself can commit," and the config lock prevents other administrators from changing the candidate configuration. Okay, so I'm going to take a lock. Click here, and you can type a description, for example, and you can see: admin, commit lock, the comment, when it was created, and whether the admin is logged in. When I press OK, you can see the commit icon and the padlock, which means that other people cannot commit, only me. I will demonstrate this when we do the lab in 2.7. Okay, so I'll go back to the slides now. So, minimise all this. Revert, save and load: this is for configuration that you don't want to commit yet. You can export or import through XML, and to do that, you go to Device, then Setup, then Operations, and there you have those choices. And as I told you, you can reboot or shut down; this will come back later.
Then, for example, if you want to save the changes or revert the changes you have configured: if you don't want a named save, you can just save the candidate configuration and then revert to the last saved. And as we told you, we can commit. If you press commit, you commit everything from yourself, or you can commit everything from everyone else if you have enough privileges. So, for example, for admin and Astrid, I can commit them. I can preview the changes. For example, when you select commit, you can preview the changes, view the change summary, or validate the commit. They show you the validity and what has changed. In the preview of changes, added is in green, modified is in yellow, and deleted is in red. And then you can obviously take a lock: the commit lock will block other admins from committing the candidate configuration, and the config lock will block other admins from changing the candidate configuration.
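The candidate-versus-running comparison described in this video can be reproduced offline on two exported XML configurations. The sketch below is an added example, not part of the course material or of any Palo Alto Networks tooling; the two XML snippets are constructed and heavily simplified, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified snippets in the style of an exported XML config.
RUNNING = """<config>
  <mgt-config><users>
    <entry name="admin"><permissions>superuser</permissions></entry>
    <entry name="olduser"><permissions>superreader</permissions></entry>
  </users></mgt-config>
  <deviceconfig><system>
    <dns-primary>8.8.8.8</dns-primary>
  </system></deviceconfig>
</config>"""

CANDIDATE = """<config>
  <mgt-config><users>
    <entry name="admin"><permissions>superuser</permissions></entry>
    <entry name="astrid"><permissions>junior-admin</permissions></entry>
  </users></mgt-config>
  <deviceconfig><system>
    <dns-primary>1.1.1.1</dns-primary>
  </system></deviceconfig>
</config>"""


def flatten(xml_text):
    """Map each leaf element's path (including entry names) to its text."""
    leaves = {}

    def walk(node, path):
        name = node.get("name")
        step = node.tag + (f"[{name}]" if name else "")
        here = f"{path}/{step}"
        children = list(node)
        if not children:
            leaves[here] = (node.text or "").strip()
        for child in children:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return leaves


def preview_changes(running_xml, candidate_xml):
    """Classify differences the way the preview legend does:
    added (green), modified (yellow), deleted (red)."""
    running, candidate = flatten(running_xml), flatten(candidate_xml)
    return {
        "added": sorted(p for p in candidate if p not in running),
        "modified": sorted(
            p for p in candidate if p in running and candidate[p] != running[p]
        ),
        "deleted": sorted(p for p in running if p not in candidate),
    }


if __name__ == "__main__":
    for kind, paths in preview_changes(RUNNING, CANDIDATE).items():
        for path in paths:
            print(f"{kind:9} {path}")
```

Reviewing the deleted and modified paths before a commit is the same check the preview window supports: an unexpected deleted administrator entry is visible before it reaches the running configuration.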
4. 2.4 Licensing and software updates
In this video, we are covering PCNSA 210. This is chapter two, initial device configuration, and this is the fourth video of chapter two, which is about licensing and software updates. Activating the firewall. Now, before we can start using the firewall that we just purchased to secure the data in our network, we need to register it, and then we need to activate it. And then we can activate every other subscription that we have purchased. We have two types of firewall: a hardware firewall and a virtual machine-based firewall. With the hardware firewall, we use the serial number on the dashboard, and then we receive a licence key from the licence server. If we have a virtual machine-based firewall, which I do, we use the emailed authorization code and purchase order number to register, and then activate it using the authorization code. After that, we have to verify and update our DNS servers and then manage the content updates and the software updates. I'm going to show you how to do it on the virtual machine, but the steps are very similar for the hardware as well. Okay, so I already have my firewall running here on my virtual machine (a VM-50 firewall), and I'll open the Google Chrome browser and access it securely using the firewall's HTTPS URL. I can just press Enter here. Now that we are connected to my firewall, I click Close here, and if I want to activate my firewall, I need to go to Device, and towards the end we have Licenses; this will be populated once the device is activated. For now, you just get this License Management window. License Management is where we find what we need to activate our machine: activate a feature using an authorization code, manually upload the licence key, or deactivate or upgrade the virtual machine's capacity.
But if we want to activate the device, we need to click here and then enter the authorization code. I'm not sure; they're quite expensive to buy, but if you want to use the firewall for training as well, I would recommend activating it, and then all the licences will be activated for you as well. Now, before we go and do the dynamic updates or software updates, we need to make sure that DNS is correctly configured. For that, we go to Setup, Services, and then click on this gear here. And to make sure that DNS is working, we can also ping the servers. For example, from our firewall, we can ping the DNS servers just to make sure that they are working, but I know they are working. Then I need to go and schedule the dynamic updates. So I have Antivirus, Applications and Threats, GlobalProtect Clientless VPN, WildFire, and GlobalProtect Data File. Here you can see right away what the schedules already are. I can see that Antivirus has none, no schedule, and this is the last check. Applications and Threats already has one: every Wednesday at 01:00. Nothing else has been set. So I'll just maximise this and expand these. You can see where the available antivirus updates are listed; I have nothing in there, so I can just click on one of them. For example, if I want to schedule my antivirus updates to be checked, I press here: Schedule. In the schedule I can choose manually, or schedule it hourly, daily or weekly. Assume we schedule it for every day at, say, 01:00 a.m. In the action, we say what we want to do: nothing, download only, or download and install. Okay, so the antivirus schedule is set: every day at 01:00 a.m., download and install. Further down, I can check Applications and Threats; it has already downloaded the latest Applications and Threats just now. But I can set the schedule here as well, which is set for every Wednesday. The setup is exactly the same.
For example, every 30 minutes, every day, every week, and every day of the week.
5. 2.5 Account administration
In this video, we are covering PCNSA 210, and this is chapter two, initial device configuration. This is the fifth video of that chapter, 2.5, account administration: administrator accounts and roles. Palo Alto Networks firewalls come with a default admin account, but you shouldn't be using that. You should create your own administrator accounts. Once you create an admin user, you must assign them an admin role. The method of authentication can be local authentication, but this is not scalable, because you must go to each device and create the administrator on each one. If you have lots of Palo Alto Networks firewalls in your network, the scalability is not there. Or we can have a remote account, so instead of authenticating locally, we authenticate remotely. We have LDAP, RADIUS, TACACS+, and others that we cannot see here, but we can have local or remote authentication. As far as roles go, you can create a dynamic role. You can give exactly the privileges you want for the administrator, exactly what you need, once you create the admin user. Or you can use one of the custom roles. For the custom roles, we have a superuser; in the Linux world you would think of this as the root user. We have a read-only version of the same type, superuser (read-only). Then we have a system administrator and a system administrator with read-only access. The system administrator has similar privileges to the superuser, the same ones except for one thing: he can't create other administrators, and he can't manage administrators. He can do everything else the superuser can do, apart from administering administrators. If your device supports virtual systems, then you have a virtual system administrator with read-only access. Like we said, we have two types of roles that define administrative privileges on the firewall: dynamic and role-based.
For dynamic, you have superuser, superuser (read-only), device administrator, and device administrator (read-only). Now I'm going to show you. I'm going to go to my firewall and create one administrator role, and then we can create one administrator user, which I'll name Astrid. I already have a connection to my firewall. To create administrator accounts, you go to Device and then Administrators. But before I create one, you can see the default administrator; it's a superuser. Before I create an administrator, I need to create an administrator role, so I'll go to Admin Roles. We already have three read-only predefined admin roles, or you can create one from scratch. So I'm going to create one. I click Add here, then I name it "junior admin", and here is where you set what this role, or whoever is put in this group (think of it as a group or role), can do. Anything that you see with a green tick is enabled. If you see a padlock, that means read-only, or you can have it disabled. So, for example, if I don't want the junior admin to see the ACC, I click that, and that disables it. For policies, they can read them but not change them, right? So I set them to read-only. I don't want them to see objects, network, device, privacy, or anything else, so I click those; everything else is disabled. As you can see, the junior admin role has access to the dashboard and the monitor, where everything is enabled, and they can read the policies. XML API and REST API: nothing is enabled, and junior admins cannot use the command line. In the description, which is always recommended, you can put "enable monitor; read-only security policies". Okay, so now I have created the admin role called junior admin, which is allowed to look at the monitor but only read the security policies.
To create an administrator, I go to Administrators, where I already have a superuser, click Add, and enter a name, for example Astrid. Authentication profile: we don't have any authentication profiles; we're going to talk about that a bit later. For a password, I'll just put the password here: Palo Alto. We don't have any public key authentication, and here we can choose the administrator type. Do we want Astrid to use the dynamic type, which is already predefined (superuser, superuser read-only, device admin, or device admin read-only)? It doesn't support, well, virtualization, because it's already virtualized. Or I can choose role-based, which I already created, so role-based, and then I select the profile, junior admin, and click OK; that's all there is to it. So I click commit, and commit again. Okay, the commit has completed successfully. I have some warnings about antivirus and such, but this is due to the lab setup here. So, to test that, let me open another Google Chrome browser, incognito this time, and see if I can log in as the Astrid user. So Astrid, the password was Palo Alto, and Login. Okay, so I'm in. Now let me see what we get when it loads up. Okay, it has loaded. The first thing to check is the user that's logged in, and you can see the user is Astrid. And that's me logged in. Here you don't see all the tabs, the functional category tabs. There are seven of them, but we don't see them all. We just see the dashboard, the monitor, and the policies. We don't see anything else. If I go to the policies, for example, all these policies are read-only; I can't change them. If I click on this, it says read-only. I can't change it, so I can't make any changes. So any policies I have are read-only. Monitor is fine; I can monitor the whole traffic, and everything is fine. Okay? So that proves the account I just created. Let me log off from that account.
So log out and close this window. Now I have shown you how to create a role-based custom permission set and how to create an administrator using the junior admin role. You can name it whatever you want; it doesn't matter. That is how to create a local administrator account. If you want to create a non-local administrator account, which means it authenticates externally rather than locally on the firewall, there are a few things we have to do, which we're going to cover later on in our lessons: configure a server profile that is going to authenticate us, for example RADIUS, TACACS+, LDAP, Kerberos, and so on. So I configure the server profiles; this is the server that is going to authenticate us. And then I have to create an authentication profile and an authentication sequence. As an example of an authentication sequence, let's say that LDAP is the first server that is going to authenticate us, and RADIUS is the second. So the authentication sequence says, "Okay, I need to authenticate through LDAP first," and then the other server is the RADIUS server. When a user wants to authenticate to the firewall, it reads the authentication sequence. It says, "Okay, first I'm going to try LDAP, and then if LDAP doesn't work, I'll try RADIUS second." Only if LDAP doesn't work, right? And so on. The second thing it reads is the authentication profile. The authentication profile says how we authenticate our administrators: what do we choose, such as authentication factors and so on. There's going to be more than one video on this, where we actually configure it.
For example, the firewall, when this administrator wants to authenticate, reads the authentication profile, which tells it how to authenticate, and we have the sequence as well. If the server is found, it checks that, and if the account is found, it authenticates it. If the account is not found in LDAP, it goes and checks RADIUS, but only if the account is not found, not if the username and password are entered incorrectly. So for non-local firewall authentication, we need to configure the server profiles. Like I said: the server profile, then the authentication sequence (first, second, third, and so on), and the authentication profile, which is how we authenticate, the factors and so on. To create a server profile, we click on Device and then, under Server Profiles, we select LDAP, for example. Then we enter the name, whatever we want to call it. This name doesn't have to be the same as the Active Directory name. Then the IP address, and you can see the LDAP port number is 389. Then the type: we have Active Directory. Then the base distinguished name, the bind distinguished name (the account that is going to communicate with Active Directory), the password, bind timeout, search timeout, and retry interval. Don't worry about this, because we're going to do a lab on configuring it. And then we have the authentication profile. An authentication profile tells us who we authenticate with: the LDAP server profile, followed by the factors we can use to authenticate, such as two-factor, and so on. And then the authentication sequence. If you click inside there, it will tell us what server profiles we have. Enable authentication. This is for when you have multiple external services, for example LDAP and RADIUS.
6. 2.6 Viewing and filtering logs
In this video we are covering PCNSA 210. This is chapter two, initial device configuration, and this is the sixth video of that chapter, 2.6, viewing and filtering logs. It's important to be able to view and filter logs to find out what information is going through our firewall. For example, to view the logs on my firewall, I click on Monitor, then Logs, and then Traffic. This shows information about what's going on in our firewall. We can see the source and destination zones, the source IP address, and the destination IP address. We don't have User-ID; otherwise the user would appear here. Then the destination port, the application, and the action: allowed, denied, or maybe alert, and so on. After the action, we see the rule, the session end reason, bytes, and the HTTP/2 connection session ID. Another item we have is a magnifying glass with a note inside. If you want to go into detail and find out information about that packet, click on that, and it opens the information in detail. You can see general, source, destination, flags, and details. This is important. For example, if you want to see whether a packet is being decrypted, you will see it here; there will be a flag ticked. Or maybe we have some packet captures we can look at in Wireshark or something like that. If we do have a packet capture, it's going to be in this column here. Let me see, there is one already; you see there. This tells us that there is a packet capture, and we can look at this communication as well. Now, I already have a PC on my virtual machine, which is in my inside network, and that PC's IP address is 192.168.1.200.
So what I'm going to do is go to some website, say Facebook, and see if we can see that traffic in our logs. So open a browser and navigate to www.facebook.com. Okay, now, don't log in to Facebook. If I go back and check, I can refresh my traffic log; I can also set it to refresh every 10 seconds, 30 seconds, 60 seconds, or manually. If you want to refresh manually, you click on this, and that shows us the information. You can see that PC, with IP address 192.168.1.200, has been communicating with these devices. But if I want to see just that IP address instead of looking for it, I can create a filter. If I click on that address, it creates a filter for source addresses 192.168.1.200 and 192.168.1.201, and when I click apply filter, it shows me only what that address has actually accessed, and you can see the access to Facebook. Since I already have that as a source, I can click somewhere else, on the Facebook application, so I can see when this IP address accesses Facebook, and apply the filter. Now it shows me just that IP address and Facebook, so you can see when they accessed it and so on. You can apply your own filter like this; it's very easy to make. You can even click the destination address, for example. Now that's a Facebook destination address. Or maybe I'll just click facebook-base and then apply the filter. Now you can see which IP addresses are accessing Facebook, and there are only a few. That's my physical machine, no, my client machine, and that's the server accessing Facebook. If you want to create your own filter, you click Add Filter. This allows you to build your own filter.
For example, for the source address, I don't want to type it, so let me just copy this, and then I create a filter on the source. You can say "and" or "or", and then, for example, destination address. These are alphabetically ordered so that you can find them. And then you can enter the value, or negate it with "not in". This is where you create your own filter. Now I have created a filter and I want to save it. You click on Save, so you don't have to recreate the same filter again. These filters can get very complicated, so instead of rewriting them again and again, you can save them. You can also use this monitoring page for more than traffic. We have traffic, threat, URL filtering, WildFire submissions, and so on, which will be populated later on. You can export the logs in CSV format: click on Export, then Download file, and you have a file that you can view in Excel. You can see all the activity on your network. Say we create a filter from this source to this destination and save the filter. After you save the filter, you can load the same filter by clicking this icon here. So, just to recap: once you create a filter, it is written here. Then this is to run (apply) the filter, and this is to clear (cancel) the filter. You can build your own filter. You can save the filter and load the filter. And if you want to export anything in CSV format, you click on that icon there. Okay?
To monitor, go to Monitor, then Logs, and then Traffic. To create a filter, simply click on the items and then apply the filter. Or you can build your own filter. Okay? That's creating your filter and applying it.
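The same source, destination and application filters can be run offline against an exported CSV when reviewing traffic after the fact. The following is an added example and not part of the course material: the filter syntax is modelled on PAN-OS log filter expressions (the video does not show the exact text), the CSV column names and rows are constructed, and only flat `and`/`or` chains evaluated left to right are supported.

```python
import csv
import io
import ipaddress
import re

# Constructed sample of a traffic-log CSV export (column names are assumptions).
SAMPLE_CSV = """Receive Time,Source address,Destination address,Application,Action
2024/01/10 09:00:01,192.168.1.200,157.240.1.35,facebook-base,allow
2024/01/10 09:00:05,192.168.1.200,8.8.8.8,dns,allow
2024/01/10 09:00:09,192.168.1.20,157.240.1.35,facebook-base,allow
2024/01/10 09:00:12,192.168.1.200,203.0.113.9,ssl,deny
"""

# Filter field name -> CSV column (assumed mapping).
FIELDS = {
    "addr.src": "Source address",
    "addr.dst": "Destination address",
    "app": "Application",
    "action": "Action",
}

CLAUSE = re.compile(r"\(\s*(\S+)\s+(in|notin|eq|neq)\s+(\S+)\s*\)")
JOINER = re.compile(r"\)\s*(and|or)\s*\(")


def match_clause(row, field, op, value):
    """Evaluate one '( field op value )' clause against a CSV row."""
    if field not in FIELDS:
        raise ValueError(f"unknown field: {field}")
    actual = row[FIELDS[field]]
    if op in ("in", "notin"):
        # Address clauses accept a single IP or a CIDR network.
        network = ipaddress.ip_network(value, strict=False)
        hit = ipaddress.ip_address(actual) in network
        return hit if op == "in" else not hit
    return (actual == value) if op == "eq" else (actual != value)


def apply_filter(expr, rows):
    """Return rows matching a flat chain of clauses, evaluated left to right."""
    clauses = CLAUSE.findall(expr)
    joiners = JOINER.findall(expr)
    if not clauses or len(joiners) != len(clauses) - 1:
        raise ValueError(f"unsupported filter: {expr!r}")
    matched = []
    for row in rows:
        result = match_clause(row, *clauses[0])
        for joiner, clause in zip(joiners, clauses[1:]):
            hit = match_clause(row, *clause)
            result = (result and hit) if joiner == "and" else (result or hit)
        if result:
            matched.append(row)
    return matched


def load_rows(text=SAMPLE_CSV):
    """Parse exported CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    expr = "( addr.src in 192.168.1.200 ) and ( app eq facebook-base )"
    for row in apply_filter(expr, load_rows()):
        print(row["Receive Time"], row["Source address"], row["Application"])
```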
7. 2.7 Lab Initial Configuration
In this video we are covering PCNSA 210. This is chapter two, initial device configuration, and this is the chapter's seventh video, 2.7, lab: initial configuration. We're going to create an administrative role, create a new administrator and apply the administrative role that we created, observe the newly created role's permissions via the command-line interface and web user interface, create and test a commit lock, configure the DNS servers for the firewall, and schedule dynamic updates. The first thing is to log on to the firewall. I already have a firewall running, so I'm going to open the Chrome browser; it could be any browser, really. It's going to be a secure connection, so HTTPS to the address I already have, and I'm going to log in as the administrator, so admin, admin. Okay, now that we have connected to the firewall, I'll just click OK here. The first task was to create an administrative role. Before we create an administrator, we have to create an administrative role and then apply that role to the administrator. To do that, we go to Device, where we have Admin Roles and Administrators. As we can see, by default we have just one administrator, and it is given the superuser role. If you recall, we had superuser, superuser (read-only), system administrator, system administrator (read-only), and virtual system admin and virtual system admin (read-only) if your device supports virtualization. But before we create an administrator, we have to create an admin role, which defines what the administrator can do. We already have three roles that are predefined, but we can also create our own role. So click Add here. And for this role, I'm going to say junior administrator.
Now here is what the junior admin can do. Anything where you see a green tick is enabled and fully available to the junior admin. If you see a padlock, that means read-only. And if you see it disabled, obviously the junior administrator will not be able to see it. So, for example, let's say that the junior administrator can see the dashboard but cannot see the ACC. The monitor, that's fine, leave the monitoring. The policies, he can view them but can't change them, so read-only. So I put the padlock on them, and on rule hit count and everything. Objects, for example: he can't change them, but he can read them. If you click twice, it's disabled, so one click: read-only for the objects. Okay, network. Device: he's not going to be able to see it. Privacy, validate, everything: I'll just disable everything. For the network, let's say that we want him to see the network, but only the interfaces and zones, and those read-only. The rest not, so the junior, or whoever I put in that group, is not going to be able to see any of these. They will be able to see the interfaces and zones, but that's about it, and it's read-only anyway. Okay, now we have configured that, and we make sure the API is not enabled and the command line is not enabled. For the command line you can have superuser, superuser read-only, device admin, or device admin read-only, but we don't want to give the junior administrator the command line. So click OK; now we have created that profile. Now I can go and create my administrator. As an example, I'll add the administrator Astrid. For the authentication profile, we have not configured anything. And for the password, Palo Alto. Now, the administrator type can be dynamic, which is already predefined here: superuser, superuser (read-only).
Device administrator or read-only device administrator. Or we can choose role based, which is the one that we just created, for example junior admin, and click OK. Now that we have an administrator and we have configured that admin role, everything is done. So we're just going to click Commit for that to take effect, and then we're going to go and test it. Okay, the commit is done. The result is successful. So close that. I'm going to open my Chrome browser in incognito, navigate to the same URL, and log in as Astrid. Okay, so the username is Astrid and the password is Palo Alto. Now Astrid is logged in. You can see that from here. That's the name of who is logged in, I can log out, there's the last login time, and I can see that not all the functional tabs are there. I can see in here; I can see the dashboard; I can see the monitor. Okay, that's great. I can see the policies, but everything on the policies was read-only. So I can't change anything, right? There's not anything in there anyway. I can't really add; you can see it's greyed out. I can't add, I can't delete, and I can't override these ones. Same with the objects. I can only see them, but I can't change them. And then the next thing we're going to see is the network. For networking, we only left the interfaces and zones, and we took everything else off, right? We can't really do anything. We can't change anything because it says it's read-only. Okay, so that proves that we created a junior account. He can see some stuff, and he just views it; he can't really change anything, right? So the next thing is that we can actually test this account using the command-line interface. So this is how we observed it using the web user interface. Now through the command-line interface. For the command-line interface, I'm going to open up PuTTY. So open PuTTY. And then I'm going to access my firewall management. If I load that, you can see it's very basic.
So that's the IP address of my firewall, the port number is 22, and I'm accessing through SSH. Open. And the first thing is that I was going to test this and I cancelled the prompt. I didn't want to do that; I wanted to show you. So when I'm opening through PuTTY, PuTTY is exchanging the key, and the key is not guaranteed because it's a self-signed key from the firewall. So it just asks: are you sure you want to connect to this, or hit Cancel to abandon the connection. But I'm sure I'm okay with it, so I'm just going to click Yes. First we're going to log in as the administrator and see that we can log in. And then I'm going to try to log in as Astrid and see if Astrid can log in. So admin, and then admin. And you can see now that I'm logged in as an administrator. It's all fine. I can go into configure and exit from that, right? The next thing I'm going to try is to log on as Astrid. So click PuTTY and use the same firewall management. Load that so you can see it, and click Open. And this time I'm going to log in as Astrid, and the password was Palo Alto. You can see right away that it's not giving us access, because Astrid is not allowed to log in through the command-line interface. So, as Astrid in the incognito window, I'm going to log in again. And then we're going to test the commit lock. So, Astrid, and the password is Palo Alto. Now we're going to check the lock. For example, pretend that this administrator is going to create a configuration, even though he's not allowed to configure anything. But imagine that he's allowed to configure, and he's going to take the commit lock, because you don't want other administrators to configure at the same time. Maybe you just want this administrator to commit. So I'm just going to close this. Now you see the commit lock, the padlock. If the administrator wants to configure by himself and not interfere with any other administrator, he can take the padlock.
So if I click on that, that's going to open the lock, and here we can take a lock. We can have either a commit lock or a config lock. So I'm going to take the commit lock, even though I'm not allowed to commit anything. I can still take the lock. Okay, click OK and close it. Now, if I go, for example, and access as my main administrator and try to do something, so I'm going to create, say, an account as a superuser and click OK. And I want to go ahead and commit it; I say yes, commit, and it will say error: other administrators are holding the lock or device-wide commit lock, so we can't commit it. And as you can see here, we have a padlock that's closed. That means that some administrator has taken the lock. We can have a look at it, and if we have the privileges, we can remove it. So click on that, and I can see that Astrid has taken the commit lock. And you can see the comment I made right there and the date. So I can remove the lock. If I have the privileges, I can just say "remove the lock." Are you sure? Yes. And that's it. You can see the padlock is gone. I can take my own lock, right, but now that I have created a user, I can commit it fine because I've taken the lock off. The next thing is that we're going to check the DNS servers for the firewall, making sure that DNS is configured correctly. Okay, once this commit is finished, it's taking effect. As you can see, the Commit button has been greyed out. To make sure the DNS servers are correctly configured, we go to Device, Setup, and then Services. And in the services, we can see the DNS servers (primary and secondary). If we want to change them, we can click on this gear icon here. We can edit it, change the numbers, whatever you want. We can put in the proxy server if you want. We can change the NTP, the Network Time Protocol, and the update server in the same location.
So for example, because we are in the EU, we have the EU updates at paloaltonetworks.com. These are the paths for the EU, and we can commit that. And after this commit has finished, we're going to go and schedule dynamic updates. We have already registered and authorised our machine. We have subscriptions with Palo Alto, like antivirus, WildFire, and so on. Okay, that's done. So now if I go to the same place on Device, further down, we have Dynamic Updates. In the dynamic updates, you can see that we have an antivirus that hasn't been scheduled. So maybe for this one, I need to schedule it to download daily or hourly. And you can put the hours there; say daily, for example, and we want to download at 01:00 a.m. And then the action. We can say, for example, none (do nothing), download only, or download and install. So, for example, download and install. Okay, so that's going to be run at 01:00 a.m. every day. And further down, we have Applications and Threats. See, this is already downloaded. And for this, we have download only. We can change it. So if we click on that, we can change it to download and install. But the reason why we want Applications and Threats to be download only is that we want to review the policies, in case it's going to affect, interfere with, or create some kind of problem with our policies. We can do the same thing for WildFire. Say we want to download it every minute, and for the action for this, we want download and install. WildFire will update with any malicious software, any malware that Palo Alto Networks customers around the world have discovered. Palo Alto Networks is going to make that available for their customers. So we've done all the steps here that we had in this initial configuration lab.