PCNSE: Palo Alto Networks Certified Network Security Engineer Certification Video Training Course Outline
Paloalto Intro and Deployment Op...
Lab and AWS Palo Alto instance(s...
Basic Administrative Tasks
Security Policy Configuration
User ID integration
Network Address Translation
Basic and Intermediate Networking
VPN IPSec configuration details
Azure Palo Alto VM Deployment
Optional - Installing PaloAlto 8...
Paloalto Intro and Deployment Options
PCNSE: Palo Alto Networks Certified Network Security Engineer Certification Video Training Course Info
Gain in-depth knowledge for passing your exam with Exam-Labs PCNSE: Palo Alto Networks Certified Network Security Engineer certification video training course. The most trusted and reliable name for studying and passing with VCE files which include Palo Alto Networks PCNSE practice test questions and answers, study guide and exam practice test questions. Unlike any other PCNSE: Palo Alto Networks Certified Network Security Engineer video training course for your certification exam.
Lab and AWS Palo Alto instance(s) Setup
3. AWS VPC setup, routing setup, route traffic through the AWS instance
So in the previous lecture we created an Active Directory domain controller and put it on the inside LAN, and we also assigned the firewall interface ethernet1/2 to the inside LAN. So we have a domain controller here, and ethernet1/1 was assigned to the outside LAN. In order for the traffic to get routed through the firewall, you have to put that inside LAN, which is a subnet, in a routing table, and in that routing table you're going to specify that 0.0.0.0/0 goes to ethernet1/2. So you pick the ethernet1/2 interface and that's where 0.0.0.0/0 goes. Then ethernet1/1: in order for traffic to get routed from the firewall directly to the Internet and not back to the host, the outside LAN has to be in a different routing table. The outside LAN interface is in a different routing table here, and in that routing table you point 0.0.0.0/0 to the Internet gateway. Each VPC has an Internet gateway assigned, and the Internet gateway will take the traffic and say, "Okay, I want to go to 8.8.8.8; I need to get out through the Internet gateway." That's why we have two different routing tables: an outside routing table and an inside routing table. There's also something called source and destination checks. The host will check the source and the destination of the traffic to make sure that the destination is itself and the source is the actual source that sent the traffic. So when traffic comes in on ethernet1/2 and goes out to the DC, ethernet1/2 does not own the Internet IP address. For example, the domain controller is trying to talk to 8.8.8.8 and we have our routing table pointing to ethernet1/2: the source will be the DC, the destination will be ethernet1/2, and 8.8.8.8 does not belong to that interface's IP address. So here's ethernet1/2.
We have to remove the source/destination check, disable that feature, because when traffic comes back, the source is 8.8.8.8 and the destination is the domain controller. You must disable this feature for that direction too, because traffic will be arriving at ethernet1/2 and heading to the DC, and ethernet1/2 does not own 8.8.8.8. So you have to disable the source/destination check there as well, and the same with the outside interface. So the first couple of steps are to create the routing tables: we're going to create an inside LAN routing table and an outside LAN routing table, and then we're going to remove the source/destination check. Since we have a firewall, we'll remove it on all the interfaces to be sure it's not going to cause any issues. Then on the inside routing table we're going to point to the inside interface of the firewall as our destination of last resort, and on the outside we're going to choose the Internet gateway as the route of last resort. So let's do that. Under Services, VPC, Route Tables, we're going to create a new routing table and call it the outside routing table. Now you see here there's a tab for Routes; we're going to click on Edit and add another route. We're going to specify the default route 0.0.0.0/0, and the target will be the Internet gateway; it popped up right away, that's the Internet gateway. Then we'll go to Subnet Associations, Edit, check the outside subnet and save. I will also add the management subnet; this way I can manage the firewall from the domain controller. So I'm going to add the management subnet as well. Now that I have my route, I'm going to create that route again, specify the Internet gateway, and save. Okay, now I need to create another routing table.
We'll call this the inside LAN, and the subnet just needs to be the outside... I'm sorry, the management needs to be on the inside. So we're just going to specify here that only the outside network is going to be on ethernet1/1 of the firewall, and that's going to take the traffic to the Internet. Then we click on the inside LAN table, and under the associated subnets we're going to edit, select the management and inside subnets and save, and then we're going to choose the default route to go to ethernet1/2 of the firewall. In order to do that, we need to find the interface identifier on the firewall. So we're going to go to EC2 first. Before we go to EC2, we save; then Services, EC2, Instances, and find the firewall instance. ethernet1/2 is the inside interface; that's how traffic is going to get routed to the Internet. We'll copy the interface ID, return to VPC, then Route Tables, click on the inside table, Routes, Edit, and add another route: 0.0.0.0/0 with the copied interface as the target, then save; it populated for you. So now the traffic that goes from the inside to the outside is going to go through ethernet1/2 of the firewall. Next we're going to go to Security Groups. We're going to create a security group that does not have any restrictions, because we're going to rely on the firewall for that, and assign it to the interfaces. So you go to Services, EC2, Network Interfaces, select our network interfaces, then Actions, Change Security Groups, pick the unrestricted group, and we'll do this for all of them. So now I want to configure the interfaces. When you configure an interface on the firewall, it basically picks up its IP address from the DHCP server.
I'm going to go back to our instance here on my Windows machine and RDP into my domain controller server. Oh well, I made a mistake here: I can't do the route until the firewall is provisioned. So I'm going to put the inside LAN in the outside routing table for now, until I finish my configuration. Under Route Tables, outside, I'm going to put the management and inside subnets for now, until I finish configuring my firewall. This way we will be able to reach each other and I'll be able to get to my server. So I'm going there; I'm going to get Google Chrome as soon as possible because IE won't let you. Now that it's up and running, I'm going to browse to HTTPS on the firewall management address (transcribed as 231, 10), click Advanced, Proceed, and I'm going to configure trust and untrust. Okay, so we're going to go to Network, then ethernet1/1; that's going to be the untrust interface, Layer 3. Configure the virtual router default and the security zone untrust. Then in IPv4 we're going to select DHCP client and check the checkbox to automatically create the default route pointing to the default gateway, so we get the default route. Then ethernet1/2: we're going to select Layer 3 and IPv4 with DHCP client, and we're going to uncheck "Automatically create default route" because we don't want it to point to the gateway on the inside. Then we'll create policies that allow everything for now, source any, destination any, and then we'll add a NAT to our server, so we can connect to our IP address and do RDP through the firewall to the server, 172.31.2.15. So I'm going to create a service, and in the original packet the destination IP is going to be the IP address of the outside interface; the translated packet on the Palo Alto firewall is going to have destination 172.31.2.15, and we're not changing the port.
So that should allow us to RDP into our server through the firewall. I want to make sure that the interface is in the virtual router; I forgot about the virtual router default. This one is trust, click OK; IPv4, you have it enabled, and then Advanced. We need to bring the interface up and then commit. Now the commit is done. I'm going to switch the inside LAN back to the inside routing table, so I can basically pour the traffic through the firewall. And now I've created an RDP NAT, so I'm going to be able to RDP into my server, and I'm going to assign the elastic IP address to the firewall itself instead of to the server directly. So the outside routing table points to the Internet gateway; I'll do the subnet association for management and inside. And now I'm going to go to Services, EC2, and reassociate the elastic IP to the firewall's interface. So I'm going to do Associate, associate it to the firewall, and now I should be able to RDP to the server again, but it's going to go through the firewall. I forgot to disable the source and destination checks. So we need to go and do that; we talked about it earlier. Here we're going to do Actions, Change Source/Dest. Check, Disable. We do this for all the interfaces because we have a firewall now and you don't want this to interfere with the firewall. So I'm disabling all of those. Now I'm going to try again. Now I'm able to connect, and I'm going through the Palo Alto firewall. It's a little bit slow here; give it a minute to load. Okay, it's back. So, when I look at Monitor, Traffic, I see that it is coming in from untrust to untrust. However, in order for the firewall to be able to get to the Internet, I need to create a dynamic NAT, which we talk about in the NAT lecture.
So I need to create another NAT here, and that NAT is inside-out: in the original packet the source zone is trust and the destination zone is untrust. The translated packet is dynamic IP and port, and we're going to choose the interface ethernet1/1. If I try to get to the Internet right now, I won't be able to get there because I'm not NATing my IP address, so the traffic is not going to be routable. So I need to do that, push that configuration, and once I commit I should be able to access the Internet. There you go. If I do "what is my IP", I get the address ending in .118. So the traffic is going from the domain controller to ethernet1/2 and then to the outside, getting NATed, and then it's coming from the outside on port 3389 to the domain controller, and that's how I'm able to access the domain controller. So I'm using one IP, and my domain controller is now protected behind the firewall with all the features that we're going to talk about in the next lecture. That shows you how to get up and running with the domain controller, get the routing tables set up, get the firewall in the path of the traffic, and start using it for testing the different features we're going to talk about in the lectures.
4. Create a DMZ segment in Amazon AWS, add a server to the DMZ segment
We are going to create a DMZ server that we will use to explain what needs to be done to secure services that are offered to public users. So I'm going to go to EC2, Instances, and launch a new instance. I'm going to create an Ubuntu machine and place it in my DMZ environment; we'll use the free-tier-eligible type and click Next: Configure Instance Details. We're going to specify that the subnet is the DMZ, give it an IP address in 172.31.x.x, and click Next; we'll use the default storage. Eight gigs is fine; we're not doing much with it, just testing some web services and an FTP server. Then click on Review and Launch. So I basically created the machine that is going to serve, and clicked Launch. It's going to ask you if you have a key pair; we have one, so click Launch. This instance will be created and put in the DMZ segment. Now I need to configure the firewall to have an interface on the DMZ. So we're going to go to EC2 and create a network interface for the DMZ. Click on Network Interfaces; there's no DMZ interface right now. We're going to create one and associate it with our Palo Alto firewall: Actions, Create Network Interface. We're going to call this PAVM-DMZ, select the subnet DMZ, choose the no-restrictions security group, and then I'm going to check that network interface, change source/destination check and disable that feature; now the interface is available. I'm going to go to Instances, go to my Palo Alto firewall instance, and under Actions, Networking, Attach Network Interface, I'm going to attach the PAVM-DMZ interface. Let me go back to the network interfaces to see the IP address it was given. Well, it's the default-assigned address here.
I'm going to change that to something different, because I don't want to use an address that high. Let me delete it and recreate it. I'm going to delete it and give it an IP address that I know: PAVM-DMZ, subnet DMZ, IP address 172.31.3.10, and no restrictions. Then I'm going to go back, set Change Source/Dest. Check to disabled, save that, and go to the instance. Go to the firewall instance, Actions, Networking, Attach Network Interface, and attach the PAVM-DMZ interface. Now that it's attached, I should be able to go to my Palo Alto firewall and create the configuration for this interface. So let's do that. First I'm going to go back and assign my elastic IP address: allocate a new address, choose this network interface, Associate. Now I'm going to go to my VM and RDP to my server and Amazon instance. Well, when you create an Ubuntu machine, you need to connect using SSH and the key file that we created in an earlier lecture. So first I'm going to show you how to configure the firewall. Now that the firewall has a DMZ interface, we need to configure it, and the first thing you have to do is configure that interface on the firewall. This is the third interface, ethernet1/3. I'm going to go to Network, Interfaces, specify Layer 3, and then the configuration: virtual router default, security zone DMZ, and then IPv4. I'm going to select DHCP client, but I want to uncheck automatic creation of a default route pointing to the default gateway, and then I'm going to assign the interface management profile so I can ping it, bring the interface up, click OK and then Commit. Now that this is created, I need to route the traffic on the DMZ segment through the firewall interface ethernet1/3.
I'm going to first verify that I have an IP address. I click on Dynamic DHCP Client and I see 172.31.3.10. The next thing I need to do is go to my instance and get the interface ID. This interface ID is the one I created; this is the DMZ interface of the Palo Alto firewall, so that needs to be my routing target on the VPC for the DMZ subnet. I'm going to go to VPC, then Subnets, click the DMZ subnet, click on Route Table, choose Edit, then Routes, Edit, and put the interface in for the DMZ subnet. The default route for this subnet is the interface of the Palo Alto firewall; this lets the hosts send their traffic to the Palo Alto firewall. The next thing I need to do is configure my firewall. I need to create some NAT so I can SSH to my Ubuntu server. First I go to Policies, NAT, and create a NAT entry; I need to NAT the SSH traffic to that Ubuntu server. So I'm going to put a rule in place for that, DMZ SSH NAT: the original packet is from untrust, just like we did in our policy and networking lectures, to untrust; the service is service-tcp-22, the service object I created for port 22; the destination IP address is the firewall's outside interface address as a /32; and then that's going to do destination translation to the IP address of the Ubuntu server. I would also like the Ubuntu server to be able to get out to get updates. So I'm going to modify the inside-out policy that does the dynamic NAT; I'm going to add the DMZ zone to it so that the DMZ server is able to reach the Internet. It's going to be dynamic IP and port using the same address object.
This way, I don't have to add a second IP address to the firewall and have a different public IP address. I'm trying to minimise getting charged for another public IP address, but I'm going to need to do that later on so I can show you. For now, the outbound traffic from the DMZ is going out the outside interface of the firewall. I'm going to click Commit, and now that it's committed, I need to be able to connect to the DMZ. So I'm going to start a new session here, load my key file, and connect to the outside IP address of the firewall, 525-252-1123. The default username is ubuntu. So the first time you log in, you put ubuntu@ followed by the IP address, and we should be able to get through here; we should be authenticating using the public key. And now I'm authenticated. Now that I'm authenticated, I should be able to look at the logs and see my session. If I go to Monitor, I have a session coming in. If I filter the traffic log on destination port equal to 22, I see my connection to the SSH server. If I click on details, I can see that I connected to my SSH server using the public IP address of the firewall. That's the first step. The next step we're going to look at is how to best secure your public-facing services, and what the best practices are. We'll talk about it in the next lecture.
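The three NAT rules built in lectures 3 and 4 (RDP to the domain controller, SSH to the DMZ server, and the inside-out hide NAT that the DMZ zone is added to), as an added example that is not code from the course: a small model that matches rules on the pre-NAT packet the way the NAT policy does, plus an audit helper that lists exactly which ports the destination NATs expose to the Internet. Zone names follow the lectures; all addresses are constructed, and the firewall's outside interface address stands in for the elastic IP that the Internet gateway maps onto it.

```python
"""Model of the lab's NAT policy (constructed example, not the course's code)."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed lab addresses (assumptions, not the course's real values).
OUTSIDE_IF_IP = "172.31.1.10"   # ethernet1/1 (untrust); the elastic IP maps 1:1 to it
DC_IP = "172.31.2.15"           # domain controller on the inside (trust) segment
UBUNTU_IP = "172.31.3.15"       # Ubuntu server on the DMZ segment


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str        # zone of the pre-NAT destination, found by route lookup
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zones: Tuple[str, ...]
    to_zone: str
    dst_ip: Optional[str]                 # original-packet destination; None = any
    service: Optional[Tuple[str, int]]    # (proto, port); None = any
    translated_dst: Optional[str] = None  # static destination translation
    dynamic_ip_port: bool = False         # hide NAT behind the egress interface


# The inbound rules are untrust -> untrust: the firewall's own outside address
# routes out ethernet1/1, so the pre-NAT destination zone is untrust.
RULES = [
    NatRule("rdp-to-dc", ("untrust",), "untrust", OUTSIDE_IF_IP, ("tcp", 3389),
            translated_dst=DC_IP),
    NatRule("dmz-ssh-nat", ("untrust",), "untrust", OUTSIDE_IF_IP, ("tcp", 22),
            translated_dst=UBUNTU_IP),
    # Lecture 4 adds the dmz zone to the original inside-out dynamic IP-and-port rule.
    NatRule("inside-out", ("trust", "dmz"), "untrust", None, None,
            dynamic_ip_port=True),
]


def matches(rule: NatRule, pkt: Packet) -> bool:
    """A rule matches on zones, original destination and service of the pre-NAT packet."""
    if pkt.from_zone not in rule.from_zones or pkt.to_zone != rule.to_zone:
        return False
    if rule.dst_ip is not None and pkt.dst_ip != rule.dst_ip:
        return False
    if rule.service is not None and rule.service != (pkt.proto, pkt.dst_port):
        return False
    return True


def apply_nat(pkt: Packet, rules=RULES) -> Tuple[Optional[str], Packet]:
    """First matching rule wins (the NAT policy is ordered); returns
    (rule name or None, packet after translation). Source-port rewriting
    that dynamic IP-and-port also performs is not modelled."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.translated_dst is not None:
                return rule.name, replace(pkt, dst_ip=rule.translated_dst)
            if rule.dynamic_ip_port:
                return rule.name, replace(pkt, src_ip=OUTSIDE_IF_IP)
            return rule.name, pkt
    return None, pkt


def exposed_services(rules=RULES) -> dict:
    """Audit helper: every (proto, port) that an untrust-sourced destination NAT
    forwards to an internal host. Anything absent from this map is not reachable
    from the Internet through the firewall's public address."""
    return {
        r.service: r.translated_dst
        for r in rules
        if r.translated_dst is not None and "untrust" in r.from_zones
        and r.service is not None
    }
```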
5. AWS routing issue to be aware of
One thing you need to be aware of in Amazon AWS: we created multiple routing tables, one for the DMZ, one for inside, and one for outside. The VPC in Amazon AWS has an overarching network segment, 172.31.0.0/16, and this is always going to be in your routing table. So in each routing table you'll have 172.31.0.0/16 as a local route. Unfortunately, even though we have separate routing tables for each of the interfaces of the Palo Alto firewall, that route is still there. So it's a little misleading, because if you want to route traffic through the firewall and you don't set the default gateway on the hosts... So, inside, we have all three segments in the routing table, and you have servers in each segment. Outside is basically the gateway to the Internet, and you have the Palo Alto firewall there. Once you've created the DMZ segment and the inside segment and have an interface on the firewall for each of the segments, you make the default gateway of the DMZ the interface that connects to the Palo Alto firewall, and inside, you make it the firewall's inside interface. And the outside will be your primary interface, to which you point your public IP address. Okay? However, when it comes time for the DMZ server to talk to the inside server, this local route takes effect. So the traffic is going to get routed through Amazon, to the inside routing table; it's not going to use the Palo Alto firewall interface, and the reason is that overarching route exists. So to make sure that the traffic goes to the Palo Alto firewall, you need to set the default gateway on the hosts to the IP address of the firewall. Otherwise, the traffic will bypass the firewall and go through AWS. Each of your servers has to have its default gateway pointing to the firewall interface: if you're on the inside zone, you point the default gateway to the IP address of the firewall's inside interface.
In your DMZ zone, you point the default gateway to the firewall's DMZ interface. On Windows this is pretty straightforward: you right-click on the interface and put in the IP address, netmask and gateway, which points to the Palo Alto firewall, and then set your DNS server pointing to your Windows server. This way you get resolution for the internal lab.local domain. So that's something you need to be aware of: the default route doesn't take effect because you have a route that is more specific. If you try to reach from the inside server, which is 172.31.2.15, to the DMZ server, which is 172.31.3.15, the routing table would look at the routes and say, "Okay, well, I have a route to 172.31.0.0/16, so I'm going to use this." The next hop would be my AWS default gateway, which is 172.31.2.1. So that's why you have to point the default gateway to the actual Palo Alto firewall interface IP address.
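The routing behaviour from lectures 3 and 5, as an added example that is not code from the course: a model of the three VPC route tables with their fixed 172.31.0.0/16 local route, the EC2 source/destination check that has to be disabled on the firewall's interfaces, and a check that reports whether a given host-to-host flow actually passes through the firewall, depending on whether the host's default gateway is the AWS router or the firewall's interface. The subnet layout, firewall addresses and interface names are constructed for the lab.

```python
"""Model of the lab's AWS routing (constructed example, not the course's code)."""
from ipaddress import ip_address, ip_network

# Constructed lab layout (assumption): one /24 per segment inside 172.31.0.0/16.
SUBNETS = {
    "outside": ip_network("172.31.1.0/24"),
    "inside": ip_network("172.31.2.0/24"),
    "dmz": ip_network("172.31.3.0/24"),
}
# Firewall interface address in each segment (ethernet1/1, 1/2 and 1/3).
FW_IF = {"outside": "172.31.1.10", "inside": "172.31.2.10", "dmz": "172.31.3.10"}
# AWS reserves the first usable address of every subnet for its implicit router.
AWS_ROUTER = {name: str(net.network_address + 1) for name, net in SUBNETS.items()}

# VPC route tables as built in lecture 3. The "local" route for the whole VPC
# CIDR is present in every table and cannot be removed; the default route goes
# to the Internet gateway (outside) or the firewall's ENI (inside, DMZ).
# Target IDs are placeholders, not the course's real identifiers.
ROUTE_TABLES = {
    "outside": [("172.31.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "inside": [("172.31.0.0/16", "local"), ("0.0.0.0/0", "eni-fw-inside")],
    "dmz": [("172.31.0.0/16", "local"), ("0.0.0.0/0", "eni-fw-dmz")],
}


def segment_of(ip: str) -> str:
    """Return the segment whose subnet contains ip; raise if it is not in the VPC."""
    addr = ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any lab subnet")


def vpc_route_target(segment: str, dst_ip: str) -> str:
    """Longest-prefix match in the segment's VPC route table, as AWS does it."""
    addr = ip_address(dst_ip)
    best = None
    for prefix, target in ROUTE_TABLES[segment]:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise ValueError(f"no route to {dst_ip} from {segment}")
    return best[1]


def eni_accepts(eni_ip: str, src_ip: str, dst_ip: str, src_dst_check: bool) -> bool:
    """EC2 source/destination check: while enabled, an ENI only passes packets
    it is itself the source or destination of, so a firewall forwarding other
    hosts' traffic (DC -> 8.8.8.8 via ethernet1/2) would see it dropped."""
    return (not src_dst_check) or eni_ip in (src_ip, dst_ip)


def traverses_firewall(src_ip: str, dst_ip: str, host_gateway: str) -> bool:
    """True if a packet from src_ip to dst_ip passes through the firewall.

    The sending host decides first: same-subnet destinations are delivered
    directly; everything else goes to host_gateway. If that gateway is the
    firewall's interface the packet is inspected. If it is the AWS router, the
    VPC route table decides, and the /16 local route beats the /0 default
    route for every intra-VPC destination, bypassing the firewall."""
    seg = segment_of(src_ip)
    if ip_address(dst_ip) in SUBNETS[seg]:
        return dst_ip == FW_IF[seg]
    if host_gateway == FW_IF[seg]:
        return True
    if host_gateway != AWS_ROUTER[seg]:
        raise ValueError("gateway is neither the firewall nor the AWS router")
    return vpc_route_target(seg, dst_ip).startswith("eni-fw")


def bypass_report(dc_ip: str, dmz_ip: str) -> dict:
    """Lecture 5 scenario: does DMZ -> inside traffic reach the firewall, with the
    DMZ host's gateway at the AWS router versus at the firewall's DMZ interface?"""
    return {
        "dmz_to_inside_via_aws_router": traverses_firewall(dmz_ip, dc_ip, AWS_ROUTER["dmz"]),
        "dmz_to_inside_via_firewall": traverses_firewall(dmz_ip, dc_ip, FW_IF["dmz"]),
        "inside_to_internet_via_aws_router": traverses_firewall(dc_ip, "8.8.8.8", AWS_ROUTER["inside"]),
    }
```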
6. Unetlab (EVE-NG) name change
In this lecture, we'll talk about UNetLab. The UNetLab software is free software that allows you to simulate an environment, including Palo Alto firewalls, and you can install a lot of virtual machines from different vendors. The required version runs on a machine that runs Ubuntu. A lot of this is outside the scope of my class, but I want to show you what needs to be done. Basically what you need to do is download the software: click on Download, install Ubuntu first, then install the package from this URL, and then run apt-get update and apt-get install. This will install the full UNetLab software that allows you to add Palo Alto firewalls, Cisco routers and other VMs. There's also an OVA available; you can download an OVA that has the software, but it doesn't have any VMs. In the previous lecture, we saw that you were able to get the qcow2 files, and those qcow2 files are what let you launch VMs for testing purposes in your UNetLab environment. So the steps are: create an Ubuntu Server VM (I recommend four vCPUs and 24 GB of RAM), log into the VM, import the package for UNetLab, and then run apt-get update and apt-get install for UNetLab. After that, download the qcow2 file from Palo Alto, log in as root, create a folder for the Palo Alto firewall under /opt/unetlab/addons/qemu named paloalto-<whatever version you want>, and upload the qcow2 file to your server into that folder using WinSCP or any other copy utility. Then change into /opt/unetlab/addons/qemu/paloalto-<version> and rename the file to hda.qcow2. Once that's done, run the command to fix permissions. After that you log in to the web interface and you can create instances. So I want to create an instance of Palo Alto.
I click Add a new node, choose Palo Alto VM, choose the version, click Save, and it adds the node. To create connections between nodes, you just click Connect Node, and then you can connect things together by dragging and dropping. The person who created UNetLab has a lot of tutorials on YouTube. It is your best friend if you want to create an environment in which you can try new things, such as what we're doing in these lectures.
Basic Administrative Tasks
1. Basic Settings
The settings that you have to configure right off the bat to make sure all is set up correctly: you have to give it the hostname; by default, the hostname is the platform name, which in this case is PA-VM. You can receive the hostname from the DHCP server if you'd like, but I don't typically see this done. If you want to secure the management SSL traffic, you can create a certificate specifically for the management interface and assign it. You can specify the time zone and geo coordinates for this firewall and click OK. So this is one of the first settings, the General Settings. Then the Panorama Settings: if you're using Panorama, you put the Panorama server IP address there and click OK. Then Management Interface Settings: you can restrict which networks can access the management interface by putting IP addresses or network addresses in the permitted list, and you can put a login banner that shows the user a warning message. You can also change the background and the text colour to something different; those are cosmetic changes. Under Logging and Reporting Settings, you can adjust the quota of logs that the firewall keeps; by default there are default settings in place. In this case, traffic gets a 32% quota, and each log type gets some quota. Under Operations... okay, because I'm logged in as that user, I'm not getting the full menu here. Let me log back in with credentials and go to Operations; now I'm getting more features. Here I can revert to the last saved configuration or to the running configuration. Let's say you made some changes and now want to cancel them: you can revert to the running configuration. You can save a configuration snapshot, load a configuration snapshot, and export the configuration, and we're going to see that in a future lecture:
how to export the configuration and see the data inside it. You can reboot the device or shut it down. Under Services, you have to specify a DNS server, because otherwise the firewall will not be able to download updates, and you can specify an NTP server. You have to specify an NTP server; otherwise the logs and the log times will not be accurate. Under Service Route Configuration, by default all management traffic goes out the management interface. But let's say some service is not reachable from the management interface. You can customise and send the traffic for different services like DNS, email, Kerberos and LDAP over a different interface, or you can do it by destination: if you're trying to reach this destination, use this source interface. You can also compare configurations. Let's say I made some changes and I want to compare and see what the difference is. I can compare the running configuration with the candidate configuration. The running configuration is what I have running on the firewall right now, and the candidate configuration is all the changes that I've made on the firewall that are not committed. So if I want to review what changes I've made, I click on Go to compare and it will tell me. I see that I changed the hostname; this is newly added, I added a banner, shown in green. So orange is what changed, and green is what was added. This is the candidate configuration, and this is the current running configuration. You can also specify the minimum password complexity for administrators. When administrators change their passwords or create their own passwords, you can require more complexity: the minimum length, uppercase, lowercase, numeric and special characters, and so on. So the most important one: you must enter the domain when you first configure the firewall's general settings.
So, in this case, it's lab.local. That's the default domain for resolution, so it's good to have a domain as well. We're going to see this in the Kerberos lecture: in order to authenticate to Kerberos, you must have a domain. So those are some of the settings that you have to go through when you set up the firewall.