Table of Contents
Important Message Before Proceeding .... 3
  Important Message Before Proceeding .... 4
Lab Overview - HOL-PRT-1672 - Palo Alto Networks Next-Generation Security Platform with VMware NSX .... 5
  Lab Guidance .... 6
  Lab Objectives and Development Notes .... 7
  Palo Alto Networks VM-Series and VMware NSX Dynamic Security Policy Configuration .... 8
  Module Descriptions .... 9
Key Concepts and Terms .... 10
  Some Components and Concepts of VMware and Palo Alto Networks .... 11
Lab Components and Topologies .... 17
  Lab Components .... 18
  Lab Topologies .... 19
Important Message Before Proceeding With Module 1 .... 23
  Important Message Before Proceeding .... 24
Module 1: Palo Alto Networks VM-Series and VMware NSX dynamic security policy configuration (30 Min) .... 25
  Module 1 Overview: Palo Alto Networks VM-Series and VMware NSX dynamic security policy configuration (30 minutes) .... 26
  Environment Setup .... 27
  Examining the NSX Security Groups within NSX Manager .... 30
  Examine your Dynamic Address Groups .... 32
  Examine the Security Policies .... 35
  Generate Traffic from your Web Server to the Database .... 36
  Troubleshoot Traffic Steering Problem .... 40
  Prepare to Generate Database Traffic With Logging .... 55
  Generate Database Table Calls .... 56
  App-ID by Palo Alto Networks .... 59
  App-ID for SSH .... 60
  Module 1 Lab 1 - Conclusion .... 62
Important Message Before Proceeding with Module 2 .... 63
  Important Message Before Proceeding .... 64
Module 2: Deploying Palo Alto Networks VM-Series with VMware NSX to protect a multi-tier application (45 Min) .... 65
  Securing the Data Center with the Palo Alto Networks VM-Series Firewall .... 66
  Module Overview .... 69
  Module Objectives and Development Notes .... 70
  Review Security Tags for Legal Servers .... 71
  Create NSX Security Groups and Configure Traffic Steering .... 75
  Create Steering Policy for all Web Server to Database Server Traffic .... 84
  Create Dynamic Address Groups (DAG) .... 94
  Create a Security Policy within Panorama .... 100
HOL-PRT-1672 Page 1
HOL-PRT-1672
Important Message Before Proceeding
Before getting started, conduct a quick lab status check to make sure the "Lab Status"
state is set to "Ready" mode. If the lab status state is set to a mode other than
"Ready", end this lab and restart a new lab session.
Continuing this lab while in a Lab Status State of anything other than "Ready" may
result in a poor lab experience due to latency, unexpected errors, and lost work.
Lab Guidance
How do you accelerate the deployment of business-critical applications without
compromising security? How do you define dynamic security policies to protect against
advanced threats while keeping pace with data center virtualization? VMware and Palo
Alto Networks have partnered to deliver a solution that combines fast provisioning of
network and security services with next-generation security in the data center. In this
lab, learn how to configure the Palo Alto Networks virtualized next-generation firewall
VM-1000-HV with VMware NSX to secure VM to VM communications.
Network virtualization provides speed and flexibility when provisioning network and
network services in the virtualized datacenter. But what is more important than speed
and flexibility when provisioning such virtualized networks? Security and the securing
of your virtualized networks!
Securing your VMs, your databases, your web servers, your file servers, and your data
stores should be of paramount importance to you and to the reputation of your
company. Therefore, in this hands-on lab you will learn how to do just that
using the latest in next-generation enterprise security: the Palo Alto Networks VM-
Series Firewall platform as integrated with VMware NSX.
Throughout this lab we will demonstrate how to secure the datacenter using the Palo
Alto Networks virtualized next-generation firewall VM-1000-HV with VMware NSX,
protecting VM to VM communications from today's advanced threats.
Module Descriptions
Module 1: Palo Alto Networks VM-Series and VMware NSX dynamic security
policy configuration (30 Minutes)
This module provides an overview of the Palo Alto Networks VM-Series integration
with VMware NSX and the configuration of dynamic security policies based on
context from VMware NSX.
In this module, both the VMware NSX Service Composer and the Palo Alto
Networks VM-Series firewall are deployed to secure a 3-tier application.
Specifically, this module covers the creation of Security Groups and traffic
redirection using Service Composer. This module also shows you how to define
dynamic security policies on Panorama based on context from VMware NSX.
In this module VMware NSX DFW is configured to secure intra-tier traffic between
web front-end servers. This module shows you how to define dynamic Security
Groups (based on VM name and based on Logical Switch) and then how to use
them in DFW policy configuration.
In this module, the Palo Alto Networks VM-Series firewalls are configured with
advanced vulnerability protection to prevent code injection techniques such as
SQL injection and brute-force attacks. Using the virtual firewalls, the student will
create a security profile, attach it to the security policy, then simulate some
attacks and afterward verify that those attacks were successfully blocked by the VM-
Series firewall.
VMware NSX
VMware NSX is the leading network virtualization platform that delivers the operational
model of a virtual machine for the network. Just as server virtualization provides flexible
control of virtual machines running on a pool of server hardware, network virtualization
with NSX provides a centralized API to provision and configure many isolated logical
networks that run on a single physical network.
Logical networks decouple virtual machine connectivity and network services from the
physical network, giving cloud providers and enterprises the flexibility to place or
migrate virtual machines anywhere in the data center while still supporting layer-2 /
layer-3 connectivity and layer 4-7 network services.
When defining a Security Group, a user can select between dynamic inclusion, static
inclusion and static exclusion.
A Security Policy (SP) defines the network and security policy to be applied for a
particular Security Group (SG). For instance, a Security Policy can be created to define
traffic redirection to the Palo Alto Networks VM-Series firewall for all types of traffic (i.e.
all TCP or UDP ports) [traffic from a user defined SG to a specific SG]. To make this
Security Policy operational, the next and last step is to attach the Security Policy to a
Security Group or to a set of Security Groups.
VMware NSX DFW is a distributed L2-L4 firewall component provided within the NSX
solution. It provides stateful firewalling capability down to each vNIC of a VM and
operates at the hypervisor kernel layer, delivering near line rate performance. Global
management of DFW is performed through the vCenter UI under the NSX Home tab.
Security Policy rules can be written using vCenter objects like VM, cluster, DVS port-
group, logical switch and so on. NSX DFW fully supports vMotion, and current active
connections remain intact during the workload mobility event.
A Security Group (SG) is a container that can include any vCenter objects like VM,
cluster, logical switch, vApp, DVS and port group.
Decoupled logical networks consist of a physical network and a virtual network. Within
each you will find a number of networks, sub-networks, servers and systems. In our case
here we are viewing one physical network made up of 3 subnets that is decoupled by
VMware NSX from 2 virtual networks.
This VM-Series NSX edition firewall is jointly developed by Palo Alto Networks and
VMware. This solution uses the NetX API to integrate the Palo Alto Networks next-
generation firewalls and Panorama with VMware ESXi servers to provide comprehensive
visibility and safe application enablement of all datacenter traffic including intra-host
virtual machine communications.
The VM-1000-HV is deployed as a network introspection service with VMware NSX and
Panorama. This deployment is ideal for east-west traffic inspection, and it also can
secure north-south traffic.
Panorama enables you to manage your distributed network of physical and/or virtual
Palo Alto Networks firewalls from a centralized location. From that one location you can
view the traffic of each deployed firewall, manage all aspects of device configuration,
push global policies, and generate reports on traffic patterns or security incidents.
The PAN-OS by Palo Alto Networks is the software managing the computer hardware and
software resources of the Palo Alto Networks Next-generation firewall. In addition, the
PAN-OS provides a long list of functions, features, and services to ensure a safe and
secure environment. The PAN-OS is the same OS used throughout all Palo Alto Networks
firewalls.
Lab Components
VMware NSX Manager 6.1.4, vCenter and ESXi vSphere 6.0.
Palo Alto Networks VM-1000-HV, PAN-OS 7.0.1 and Panorama 7.0.1
Specific server pre-configurations. See individual module for details.
At times you will need to enter commands, usernames, and passwords at a Command
Line Interface (CLI). Therefore, a text file named README.txt has been placed on the
desktop of the environment so that you can easily reference these commands and copy
and paste complex commands or passwords into the associated utilities (CMD, PuTTY,
console, etc.) as necessary.
This README.txt file is divided into module sections and numbered. The manual
associates a number with every CLI command, and that command carries the same
number in the README.txt file for you to copy and paste.
Certain characters are not present on keyboards in all parts of the world. The
README.txt file also covers these characters for keyboard layouts that do not provide them.
Lab Topologies
The following diagrams illustrate physical and logical topologies implemented for this
Lab:
Physical Topology
Two ESXi clusters will be deployed: Cluster site A and Mgmt Cluster.
Cluster site A is a compute cluster where workloads will be instantiated and connected
to a logical switch. VMs from HR and Legal organizations will be deployed there.
Mgmt Cluster is a management cluster where control plane components of NSX will be
instantiated. NSX controller is typically hosted there (NSX controller controls VXLAN
operations on compute clusters).
Three VMs from HR organization (two web servers and one DB server) are instantiated
and connected to the same logical switch (VXLAN).
-Inter-tier traffic (web server to DB server) is protected by the Palo Alto Networks VM-
series firewall which provides advanced security capabilities with its single pass
architecture in the form of App-ID, Content-ID, and User-ID.
-Intra-tier traffic (web server to web server) is protected by NSX DFW which provides
near line rate performance for L2-L4 security functions.
Three VMs from the HR organization (two web servers and one DB server) are
instantiated and connected to the same logical switch (VXLAN).
-Inter-tier traffic (web server to DB server) is protected by the Palo Alto Networks VM-
series firewall which provides advanced security capabilities with its single pass
architecture in the form of App-ID, Content-ID, and User-ID.
-Intra-tier traffic (web server to web server) is protected by NSX DFW which provides
near line rate performance for L2-L4 security functions.
Two VMs from the Marketing organization (one web server and one DB server) are
instantiated and connected to the same logical switch (VXLAN).
-Inter-tier traffic (web server to DB server) is protected by the Palo Alto Networks VM-
series firewall which provides advanced security capabilities with its single pass
architecture in the form of App-ID, Content-ID, and User-ID.
-Intra-tier traffic (web server to web server) is protected by NSX DFW which provides
near line rate performance for L2-L4 security functions.
Important Message Before Proceeding With Module 1:
The following is not applicable for current sessions. If you are simply transitioning
from the previous section to the next module you may proceed as normal to the next
screen. However, if you just launched this lab seconds ago, follow these Lab Status
Check instructions.
Before getting started, conduct a quick lab status check to make sure the "Lab Status"
state is set to "Ready" mode. If the lab status state is set to a mode other than
"Ready", end this lab and restart a new lab session.
Continuing this lab while in a Lab Status State of anything other than "Ready" may
result in a poor lab experience due to latency, unexpected errors, and lost work.
To successfully complete this module you will need to identify and correct misconfigured
settings within your policies, tags, and/or grouping.
This module provides a short overview of the Palo Alto Networks and VMware NSX
integration and of dynamic security policies in a software defined datacenter. Compared
to Module 2, this module focuses on the security policies rather than the back-end
configuration of VMware NSX and the registration and installation of the Palo Alto
Networks VM-Series firewall.
HOL-PRT-1672 Page 26
HOL-PRT-1672
Environment Setup
vCenter Login: Make sure the environment and all its systems are up and running by
checking within vCenter. To do so, launch and log in to vCenter.
Launch a browser and click on the vSphere Web Client bookmark. Then, to log in to
vCenter, simply check the highlighted box and click Login. You will not need to enter
any credential values in either the User name or Password field.
When logged into the vSphere web client, to view your datacenter 1) click on the Home
tab and then select 2) Hosts and Clusters.
vCenter View
1) Expand the vcsa-01a.corp.local > Datacenter Site A > Cluster Site A tree view
on the left side of your screen so that you can see a listing of all of your running virtual
systems running within this Datacenter Site A.
Each of the highlighted systems above should have an illuminated green arrow
indicating the specified system is up and running. At this time, take a moment to click
on some of these virtual systems to make sure they are indeed up and running.
2) In addition, check the Summary tab for a few of them to see the information available
such as CPU information, memory allocation, disk space, etc., for these VMs. In the
example here, the Summary tab information of the hr-web-02 web server is
displayed.
Please Note: It is likely your Tree view listing is slightly different than what you see here.
If so, that is ok. The other VMs you are seeing will be used later during the last labs
found in modules 3 and 4. At this time we are just checking to make sure all of the
virtual systems are up and running as reflected by the green arrow preceding the name
of each VM. Once that is done please continue ignoring the other VMs listed.
1) Go back to the "Home" page and then 2) click on "Network & Security" from either
the left menu tree panel, or from the "Inventories" section of the Home tab.
Security Groups
1) From the left tree panel click on "Service Composer" and then select "Security
Groups" tab in the center.
Notice the two specific Security Groups for the HR Team servers. These are the HR-DB-
Servers security group for the database servers and a HR-Web-Servers Security
Group for the web servers. This confirms the Security Groups. At this time minimize your
browser page and proceed to the next step.
Now login to Panorama to take a look at the Dynamic Address Groups. To do so, go to
your desktop to find and launch the Panorama desktop icon. Or you may open a new
browser page within your current Chrome browser and click on the Panorama bookmark.
Panorama Login
After launching the "Panorama" desktop icon, your browser will display the Panorama
login screen. The credentials to login are:
Username = admin
Password = VMware1!
Once logged into Panorama you'll be taken to the "Dashboard" view. Among your menu
tabs at the top you'll have an "Objects" tab. Click on this tab to view your Address
Groups.
Address Groups
Select "Address Groups" from the left tree panel and then click on "HR-Web-Servers"
from under the Name column. After doing so you will launch the settings display box.
Now that we've verified the Address Group settings, click "Cancel" to exit without
making any changes.
While still logged into Panorama, examine the security policy. To do so click on the 1)
Policies tab. Then 2) make sure you're viewing the Pre-Rules of your Security policies
from the left tree panel. Then looking to the right under the "Name" column notice you
have three rules. Verify you have a policy rule for your HR web-server to HR database
server traffic. This rule is called "HR Web to DB". Familiarize yourself with this rule by
looking at the field headers for each of the configurations. Notice your Source and
Destination Address settings and that this policy allows mysql traffic between the two.
Let's now do some testing of these rules by generating some traffic. Without making
any changes here move on to the next step.
Since you've just checked your security policies, you already know the types of traffic
that will be allowed, or denied, between these two servers. Now generate some traffic
to test that everything works as expected. If so, great! If not, you will need to
troubleshoot to find out why the tests failed, and once you know the reason, implement
the fix.
To generate some traffic let's begin by logging into the web server using "putty.exe".
You'll notice you already have a desktop icon and so simply click on the "hr-web-01"
desktop icon.
You will be logged in automatically as the username and password have been entered
and saved for you. In the event you need to manually enter the username and
password to login, please see the README.txt file on the desktop for the credentials.
Now that you are logged into the HR web server, attempt to ping the HR database using
the "ping -c 5 hr-db-01" command.
Notice the ping to the HR database server is successful. Now check the VM-Series
traffic logs to confirm the traffic was steered to the firewall. To check these traffic logs,
go back into Panorama by clicking on your Panorama browser tab again. If prompted for
credentials, use "admin" and "VMware1!" for the username and password.
1) From within Panorama click on the "Monitor" tab followed by the 2) "Traffic" tab under
"Logs". 3) Next adjust your log filter to "Last 15 Minutes" using the circled
drop down arrow. This filters out any logs older than the previous 15 minutes.
Notice the logs are empty even though traffic was successfully generated during the
successful PING test. This indicates the traffic was not steered to, and through, the
VM-Series firewall: the ping reached the database server without ever being inspected.
You will need to troubleshoot to find out why and then implement the resolution.
1) From within Panorama click on the Objects tab. 2) Then make sure the left tree panel
selection is "Address Groups". Note there are currently two Dynamic Address Groups
listed. Check the HR-Web-Servers group first. Specifically, check the IP addresses of the
"HR-Web-Servers" Dynamic Address Group (DAG). 3) To see these IP addresses you will
need to click on "more" under the Addresses column.
Notice there are two registered IPv4 addresses. Note these IP addresses then click
"Close".
As before click on "more" under the Addresses column but this time doing so for the
"HR-DB-Servers" group.
Notice there are no addresses listed. In fact it's all blank. This is a problem in need of
resolution, but first you must do more troubleshooting to see what else you may need to
resolve. To proceed, click "Close" without making any changes here.
To continue troubleshooting move over to the NSX Manager to check the Security
Groups listed there. To do so go back to the vSphere Client.
1) Click on the vSphere Web Client tab of your browser. Making sure you're still within
"Networking & Security", 2) Click on Service Composer and 3) select the Security
Groups tab in the middle.
At this time notice the Virtual Machines column on the right. Note that HR-Web-Servers
shows a value of 1, meaning one virtual machine is a member of that group. 4) Now take
a look at that membership by clicking on the highlighted 1.
At this point you may need to wait approximately 45 seconds before anything
populates. What you are looking for is under the "Virtual Machines" tab. You should see
the HR web server "hr-web-01" listed as a member of the security group. After
confirming the presence of the VM, close by clicking on the X in the upper right corner
of the display box. Then take a look at the HR-DB-Servers security group by attempting
to do the same.
This time select the HR-DB-Servers Security Group. Notice the virtual machine
membership for this Security Group is zero. In fact, if you click on the blue (0) zero, a
display box won't even open for you. This indicates a problem within the NSX
Security Group configuration and something in need of resolution. For now, though,
investigate further, so please continue.
Click on "Define dynamic membership" and notice the criteria is set to " Security Tag
Equals to HR-DB-Server". This is correct and so do not make any changes. Instead just
click Cancel to exit and continue to troubleshoot.
To continue checking configurations and settings go to the Home tab and then click on
Hosts and Clusters.
From the far left tree panel, expand the datacenter view by clicking on the expand arrow
to list the VMs of the Data Center.
Check the settings for the hr-db-01 server by selecting it. Note on the right side of the
screen under "Security Tags", the wrong Security Tag has been applied. This is the
Security Tag for the Legal-DB-Server when it should be for the HR-DB-Server. This is
what you must correct. To do so click "Manage". (Repositioning of the Security Tags
widget may be necessary).
To fix the problem un-check the Legal-DB-Server check box and then check the HR-DB-
Server check box and click OK.
Notice your Security Tag value has changed and is now specifying your HR-DB-Server
which is what it should say at this time. Now go back and view the NSX Security Group
identification and settings.
Continue by verifying the NSX Security Group Membership. To do so, view the Security
Group settings by clicking on Home and then Networking & Security.
1) Click on Service Composer and then 2) click on the Security Groups tab and note the
number of "Virtual Machines" that are listed which is now 1.
The Security Groups now include a virtual machine for both the HR-DB-Servers and the
HR-Web-Servers group as opposed to before when there was only a virtual machine for
the HR-Web-Servers security group.
To view the server behind this virtual machine count, click on the highlighted number 1
for HR-DB-Servers.
Again you may need to wait approximately 45 seconds for this display box to populate.
After it does populate you should see the hr-db-01 server listed as a member of the
Security Group "HR-DB-Servers". After confirming the presence of the newly added VM,
close by clicking on the X in the upper right corner of the display box.
Go back to Panorama via the Panorama browser tab. When back in Panorama, click the
Objects tab and then click on "more" under Addresses for the HR-DB-Servers group.
Notice the two registered IPv4 addresses for this Dynamic Address Group (DAG).
Success! Go ahead and click Close and then proceed on to the re-testing phase.
Once again generate traffic from the HR web server to the HR database server. To do so
go back to the putty.exe utility for "hr-web-01". From the hr-web-01 web server initiate
a ping to the hr-db-01 database server using the "ping -c 5 hr-db-01" command.
The output should indicate another successful ping. Now proceed back into Panorama
to check the logs.
Panorama Logs
After the successful ping you should expect to see that the traffic did indeed go through
the VM-Series Firewall. Check the log file by 1) clicking on the "Monitor" tab and 2)
selecting "Traffic" from the Logs tree menu on the left. 3) Do a Manual refresh of the
logs.
Notice the ping activity was logged as expected. This verifies you correctly resolved the
problem and that the groups, policies, and traffic steering rules are all working properly.
Great job! Now move on to the next portion of this lab.
1) Notice the logs within the last 15 minutes, of which there should be very few. Most
likely there will be only two log entries, such as is displayed here. The only entries
listed should be those for the ping test that was run successfully.
Remember, you can always change the filter and you can always do a manual refresh.
Here the filter is set to the minimum setting of "Last 15 Minutes"; set yours to the
same if you have not already done so, and then do a "Manual refresh".
Now continue to generate more log traffic, but this time generate some database table
calls. To do so, proceed to the next step.
Database Query
For this step use the README.txt file located on the desktop. Open this file and under
Module 1, look for the high-lighted command circled in red above. Copy this command
to the clipboard from within the README.txt.
Using PuTTY, go back into the hr-web-01 server and run the command found in the
README.txt file. To do so, simply paste the command you copied from the README.txt
file into your SSH session at the CLI prompt by right-clicking at the prompt.
Within the output notice the table call was successful. Is this what you expected? Why?
If you said yes, this is what was expected, and the reason is that the policy is set to
allow MySQL traffic, you are correct! In fact, you can even see this traffic was logged
by the VM-Series firewall, as shown in the next step.
Panorama Logs
Ensure the VM-Series firewall logged the generated traffic. To do so go back into
Panorama and click on the 1) Monitor tab and select 2) Traffic logs and then do a 3)
manual refresh of your log.
Notice the two entries identifying, and allowing, the mysql application.
Before moving further ahead take a moment to pause to learn about Application
Identification and the ability of the VM-Series firewall to allow or deny various types of
traffic between the VMs within the datacenter based upon application type.
App-ID is a patented traffic classification system developed by Palo Alto Networks.
App-ID determines which application is traversing the VM-Series firewall irrespective
of the port, protocol, encryption (SSH or SSL) or any other evasive tactic that a
suspect application may use.
App-ID identifies encrypted traffic and determines the type of encryption (SSL or SSH)
in use. If a decryption policy is in place, the session is decrypted and the application
signatures are applied again to the decrypted flow. Decoders for known protocols are
then used to apply additional context-based signatures to detect other applications
that may be tunneling inside of the protocol (e.g., Yahoo! Instant Messenger carried
over HTTP). Finally, the decoders validate that the traffic conforms to the protocol
specification and provide support for NAT traversal and for opening dynamic pinholes
for applications such as SIP and FTP.
Now that you know more about App-ID, see it in action in the remaining steps of this
lab.
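The point of the App-ID description above is that the verdict depends on what the traffic is, not on the port it uses. The following Python model is an added illustration, not Palo Alto Networks code: it classifies a session from a simplified byte signature (SSH identification string, MySQL server greeting, TLS handshake record), then applies the lab's three-rule policy (allow ping, allow mysql, deny everything else with logging) top to bottom. The Flow class, the sample payloads and the log record format are constructed for this example; the rule names mirror the lab's policy.

```python
"""Toy, port-independent application classifier in the spirit of App-ID.
Added illustration, not Palo Alto Networks code: the byte patterns are
simplified, the flows are constructed, and the rule set mirrors the lab's
policy (allow ping and mysql, deny everything else with logging)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str           # "tcp" or "icmp"
    dport: int           # destination port; 0 for ICMP
    first_bytes: bytes   # first application-payload bytes seen on the session


def classify(flow: Flow) -> str:
    """Name the application from protocol behaviour, never from the port."""
    if flow.proto == "icmp":
        return "ping"
    data = flow.first_bytes
    # SSH: both sides open with an identification string "SSH-<ver>-<software>".
    if data.startswith(b"SSH-"):
        return "ssh"
    # MySQL: the server speaks first; its greeting packet carries a 3-byte
    # length, sequence id 0 (4th byte) and protocol version 10 (5th byte).
    if len(data) >= 5 and data[3] == 0 and data[4] == 10:
        return "mysql"
    # TLS: a handshake record (content type 0x16) with a 0x03xx version.
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "ssl"
    return "unknown-tcp"


# Ordered security policy, evaluated top to bottom; the first match wins.
RULES = [
    {"name": "Allow ping", "apps": {"ping"}, "action": "allow"},
    {"name": "Allow mysql", "apps": {"mysql"}, "action": "allow"},
    {"name": "Default Deny with Logging", "apps": {"any"}, "action": "deny"},
]


def evaluate(flow: Flow) -> dict:
    """Classify the flow and return the first matching rule's verdict as a
    log record (constructed format, not Panorama's log schema)."""
    app = classify(flow)
    for rule in RULES:
        if "any" in rule["apps"] or app in rule["apps"]:
            return {"src": flow.src, "dst": flow.dst, "dport": flow.dport,
                    "app": app, "rule": rule["name"], "action": rule["action"]}
    return {"src": flow.src, "dst": flow.dst, "dport": flow.dport,
            "app": app, "rule": "(none)", "action": "deny"}


# Constructed sample payloads (shortened version strings).
MYSQL_GREETING = b"\x4a\x00\x00\x00\x0a5.7.22\x00"
SSH_BANNER = b"SSH-2.0-OpenSSH_7.2\r\n"

SAMPLE_FLOWS = [
    Flow("hr-web-01", "hr-db-01", "tcp", 3306, MYSQL_GREETING),  # the lab's mysql test
    Flow("hr-web-01", "hr-db-01", "tcp", 22, SSH_BANNER),        # the lab's ssh test
    Flow("hr-web-01", "hr-db-01", "tcp", 3306, SSH_BANNER),      # ssh offered on the mysql port
    Flow("hr-web-01", "hr-db-01", "tcp", 2222, MYSQL_GREETING),  # mysql on a non-standard port
    Flow("hr-web-01", "hr-db-01", "icmp", 0, b""),               # the lab's ping test
]


def verdicts() -> list:
    """Evaluate every sample flow; returns the list of log records."""
    return [evaluate(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for rec in verdicts():
        print(f"{rec['src']} -> {rec['dst']}:{rec['dport']:<5} app={rec['app']:<12}"
              f" rule={rec['rule']!r:<28} {rec['action']}")
```

Running it shows the two outcomes the lab has you verify in the Traffic log (mysql allowed, ssh denied) plus the two that a port-based rule set could not produce: SSH on port 3306 is still denied, and MySQL on a non-standard port is still allowed, because the application, not the port, is what the policy matches.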
Go back to your browser and select the Panorama tab. If necessary, log in to
Panorama.
1) Once logged into Panorama review the current policy settings by clicking on the
Policies tab.
2) From within the left tree panel view, make sure you are looking at the "Pre Rules" of
the Security policy.
3) Note the three policy rules which only allow the ping and mysql applications while
denying everything else.
Test App-ID
Test App-ID from the hr-web-01 server: use the PuTTY desktop icon to access this
server.
Using the "ssh ubuntu@hr-db-01" command, attempt to ssh into the hr-db-01 server.
After 30 seconds, during which the ssh attempt will fail, break out of the command with
Ctrl-C.
Then move on to check the logs within Panorama to see what was captured.
1) Go to the Monitor tab and then select the 2) Traffic log. After doing so, do a 3) manual
refresh of the Traffic log. Then notice, as expected, the denied SSH attempts on port 22
that were blocked. This demonstrates successful inter-tier VM protection at the
application layer.
Free VM-Series Firewall Raffle: To say thank you for sitting our lab exercises, we'd
like to invite you to participate in our daily raffle, where we will be giving away one
Palo Alto Networks VM-100 series firewall, free. This daily raffle will be available during
VMworld 2015 Europe beginning Monday, 12 October through Thursday, 15 October. To
enter this daily drawing, fill out an entry form here Palo Alto Networks VM-Series Firewall
Raffle with your complete contact information. All winners will be contacted via email
following the VMworld 2015 Europe event.
Important Message Before Proceeding with Module 2
The following is not applicable for current sessions. If you are simply transitioning
from the previous section to the next module, you may proceed as normal to the next
screen. However, if you just launched this lab seconds ago, follow these Lab Status
Check instructions.
Before getting started, conduct a quick lab status check to make sure the "Lab Status"
state is set to "Ready" mode. If the lab status state is set to a mode other than
"Ready", end this lab and restart a new lab session.
Continuing this lab while in a Lab Status State of anything other than "Ready" may
result in a poor lab experience due to latency, unexpected errors, and lost work.
DFW provides in-kernel, stateful, port-based inspection, while VM-Series provides next-
generation firewall functionality that includes advanced threat prevention capabilities
such as IPS, anti-virus, anti-malware, data/file filtering, and DoS protection services,
to name a few.
DFW and VM-Series co-exist extremely well, with the two devices performing
complementary roles. To properly design the security services architecture in a virtual
data center environment, follow these recommendations:
The diagram above shows the division of roles between the two components. Notice
that the traffic between the WEB servers is protected by DFW (the same applies to
traffic between the APP servers and to traffic between the DB servers).
With DFW, access control based on L2/L3 services and L2/L3 addresses is sufficient to
prevent any lateral movement, or attack, by an intruder. For instance, L2 rules may
control the ARP protocol, while L3 rules can control communications on specific TCP/
UDP ports.
Also notice the traffic from the WEB server to the APP server (as well as traffic from the
APP server to the DB server) is also protected by the VM-Series firewall. This Inter-Tier
traffic also contains critical data that must be deeply analyzed (up to layer 7) to prevent
any threats or the propagation of malware across the different systems. This is how the
VM-Series firewall reduces the attack surface by safely enabling only the applications
that are allowed between the tiers while blocking everything else.
VM-Series sits off the data path. This significantly reduces the need to design a complex
virtual network topology, as no change is required when inserting security services for
VM-to-VM communications. In order to leverage VM-Series, workload traffic must be
redirected to the virtual appliance. NSX provides a granular method for specifying
which traffic must be redirected to the VM-Series.
Module Overview
Within this in-depth module, VMware NSX and the Palo Alto Networks VM-Series platform
are configured to secure a multi-tier application with web front-end servers and
database back-end servers. Throughout the module we will show how to define
dynamic security policies on the VM-1000-HV virtual firewalls based on context from
VMware NSX. The learning objectives focus on how to deploy the Palo Alto Networks
VM-Series platform while walking through each lesson.
These lessons will enable you to gain an understanding of, as well as perform, the
following:
Management:
Panorama
vCenter
NSX Manager
ESXi 1,2
Application Servers:
Two Webservers
One Database
Pre-configuration is required for the NSX Manager, vCenter, Panorama, hosts, and
application servers
Using the Google Chrome browser desktop icon, launch Chrome and select the
bookmark titled, "Site A Web Client" within the favorites bar. After being directed to the
VMware vCenter Single Sign-on page, check the "Use Windows session authentication"
option and click "Login".
Once logged in, and from the 2) Home screen, click on 3) Hosts and Clusters.
1) Within the Tree panel view at the left notice the listing of all the connected servers.
In this case you want to review both of the legal servers to ensure they're properly
registered and assigned to the appropriate Security Tag.
Start with the Legal Web server by clicking on "legal-web-01". Take note that this
server is correctly assigned the 2) "Legal-Web-Server" Security Tag.
Next check the Security Tag status of the other Legal server.
2) Notice that this server is assigned to the appropriate Security Tag dubbed, "Legal-DB-
Server".
Now that you know both of the Legal Dept. servers have Security Tag assignments,
move on to the next step.
Note: Within this module you will only be using these two Legal Team servers: legal-
web-01 and legal-db-01.
Go back to your browser and click on the vSphere Web Client tab. If necessary login
again using the Single-Sign-On Authentication.
Once logged in, and from the Home page of the vSphere Web Client, click 1) Home and 2)
Networking & Security.
2) Click the Security Groups tab in the center. Notice there are Security Groups for the
HR Teams but none for the Legal Teams. Therefore, create additional NSX Security
Groups for the Legal Teams.
1) Next click on Define dynamic membership in order to set the values for this Security
Group. NOTE: If after clicking on "Define dynamic membership" from within the left tree
panel, you do not see the options listed as reflected within the screenshot, click on the
green plus sign that is circled in blue.
2) Define the dynamic membership as a Security Tag. To do so click on the drop down
arrow next to "Security Tag" and select Security Tag.
2) Then populate by entering the designated name of "Legal-Web-Server" and 3) click
Finish.
Once created, you will see the "Legal-Web-Servers" Security Group listed.
1) Expand to check the Virtual Machine name this Security Group is applied to by
clicking on the highlighted number 1 under the "Virtual Machines" column. Notice that the
proper name of "legal-web-01" has been applied.
Great job in creating your "Legal-Web-Servers" NSX Security Group! To close this display
box, click on the "X" located in the upper right corner of the display box.
2) Proceed by doing the same for the Legal-DB-Servers NSX Group by clicking on the
"New Security Group" icon circled in blue.
1) As before name the new NSX Security Group. Name this one "Legal-DB-Servers".
1) Click on Define dynamic membership in order to set the values for this Security
Group. NOTE: If after clicking on "Define dynamic membership" from within the left tree
panel, you do not see the options listed as reflected, click on the green plus sign that is
circled in blue.
2) Define the dynamic membership as a Security Tag. To do so click on the drop down
arrow next to "Security Tag" and select Security Tag.
Next define the value by selecting "Equals to". Then populate by entering the
designated name of "Legal-DB-Server" and click Finish.
Once created, you will see the new "Legal-DB-Servers" Security Group listed. Expand to
check the Virtual Machine that is assigned to this Security Group by clicking on the
highlighted number 1 under the "Virtual Machines" column.
Great job in creating the "Legal-DB-Servers" NSX Security Group! Continue on to the
next step to begin creating the steering policies. Close the display box by clicking on
the "X" located in the upper right corner.
Before beginning we wanted to let you know that there are two methods for configuring
traffic steering. We will use one method here in lab 2 and the other method in lab 4.
1) Set the policies via the "Security Policies" tab and so click on that tab now. After
doing so notice that one entry already exists - a policy that is only for HR. Therefore,
create a broader policy that will steer all Webserver to Database traffic. Then limit the
HR traffic versus the Legal traffic from within PAN-OS.
2) Continue by clicking on the "Create Security Policy" icon that is circled in blue and
labeled as sub-step 2.
After a brief initialization phase to load the policies, the system will be prepared for you
to create a new one.
2) Next click on "Network Introspection Services" on the left side of the screen.
3) After doing so a display box will appear. Enter the name of the service calling it
"Legal-Web-to-DB".
A "Select Source" display box will appear which will enable you to:
1) Complete this step by clicking OK. (If you don't see the OK button, you can just hit
enter to complete the configuration. Or you may scroll down until the OK button is
viewable).
At this time there should be 1 item listed which is the Network Introspection Service just
created for the Source.
1) Repeat the same process for the Destination by creating another item by clicking on
the green plus icon.
2) Under Destination click Change to specify. Leave all other settings as they are.
Notice under Destination that you now have the Legal-Web-Servers specified.
1) Click OK to complete this step. (If you don't see the OK button, you can just hit enter
to complete the configuration. Or you may scroll down until the OK button is viewable).
There should now be two Network Introspection Services listed, both of which will
redirect the traffic to the Palo Alto Networks next-generation firewall of the "Palo Alto
Networks profile 1".
1) Proceed by clicking Finish, after which the security policies will be created.
You should see the two newly created Security Policies. You must now apply these
policies to their respective Security Groups; in this case that would be the database
servers. To do so, make sure the first rule "Module2_Legal-Web-to-DB" is highlighted as
shown here. 1) Click the "Apply Security Policy" icon (circled in blue) to proceed.
2) Click OK. You should receive a brief display box as the security policy is applied.
At this point you should be able to verify all your actions by seeing the Applied policy for
"Module2_Legal-Web-to-DB" and its two Network Introspect Services. If so, great job!
You just created the Traffic Steering Security Policies. Please proceed to the next lesson
of this module.
Panorama - Enables you to manage your distributed network of physical and/or virtual
Palo Alto Networks firewalls from a centralized location while providing the ability to
view the traffic of each deployed firewall, manage all aspects of device configuration,
push global policies, and generate reports on traffic patterns or security incidents, all
from one central location. Panorama is available as either a dedicated management
appliance or as a virtual machine.
If Panorama is still up and running, access Panorama via the browser bookmark tab. If
Panorama is no longer running, open the Chrome browser and click on the Panorama
bookmark. Or you may launch the Panorama desktop icon to launch and login to
Panorama.
Username = admin
Password = VMware1!
Panorama
The credentials for Panorama are username = "admin" with password = "VMware1!"
Note: The README.txt file on the desktop will contain the credentials for Panorama, as
well as for all of the servers to be used within this module.
2) Go to Address Groups
3) Click on the +Add icon at the bottom of the screen to create your Legal team
Dynamic Address Groups.
In this portion of the lab there are six sub-steps to complete and so please follow along
closely. Start by:
2) Designate the "Type" of DAG by hitting the drop down arrow and selecting "Dynamic".
3) Click on Add Match Criteria. At this point another display box will appear adjacent
and on the left. You may need to expand the Name field of the display box to see the full
name of the available options.
4) Look for the "Legal-Web-Servers-securitygroup-ID#" and click on the green plus mark
to add it. Note: The Security Group ID number may be different than what you see here -
this is ok and so continue. Notice the "Match" field within the display box on the right
listing the Security Group as indicated by the blue arrow.
5) Next assign a color coded tag to this DAG by clicking on the drop down arrow and
selecting the tag, "Legal Web Server".
Notice the newly created DAG of Legal-Web-Servers. Now repeat the same process to
create the Legal-DB-Servers Dynamic Address Group.
1) Name this Dynamic Address Group "Legal-DB-Servers". (Note: Be sure to enter the
name as seen here. For the purpose of this lab, do not use the space character when
naming the Dynamic Address Group).
2) Designate the "Type" of DAG by hitting the drop down arrow and selecting
"Dynamic".
3) Click Add Match Criteria. At this point another display box will appear adjacent and
on the left. You may need to expand the Name portion of the display box to see the full
name of the available options.
4) Look for the "Legal-DB-Servers-securitygroup-ID#" and click on the green plus mark
to add it. Note: The Security Group ID number may be different than what you see here -
this is ok and so continue. Notice the "Match" field within the display box on the right
listing the selected Security Group as indicated by the blue arrow.
5) Assign a color coded tag to this Dynamic Address Group (DAG) by clicking on the drop
down arrow and selecting the tag, "Legal DB Server".
At this point there should be two Legal Team Dynamic Address Groups, one DAG for the
Web servers and another DAG for the DB servers.
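What the two DAGs you just built actually do is resolve, at run time, to whatever IPs the NSX Security Groups currently contain. The Python model below is an added illustration, not NSX or PAN-OS code, of that chain: a Security Tag on a VM makes it a dynamic member of a Security Group, the group's members are registered on the firewall under the group identifier (shown in the lab as "<group>-securitygroup-ID#"), and the DAG matching that identifier resolves to the registered IPs. The VM names, tags and the 15.0.0.202 / 15.0.0.204 addresses are the lab's; the "ID#" suffix, the second web server legal-web-02 with 15.0.0.203, and the class and function names are constructed for this example.

```python
"""Tag -> Security Group -> registered IP -> Dynamic Address Group, modelled.
Added illustration, not NSX or PAN-OS code.  VM names, tags and the
15.0.0.202/15.0.0.204 addresses come from the lab; "ID#", legal-web-02 and
15.0.0.203 are constructed placeholders."""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    ips: set
    tags: set = field(default_factory=set)   # NSX Security Tags on the VM


@dataclass
class SecurityGroup:
    name: str
    tag: str     # dynamic membership criterion: Security Tag "Equals to" tag
    ident: str   # NSX object identifier (placeholder "ID#" in this example)

    def members(self, inventory):
        """Dynamic membership: every VM carrying the group's Security Tag."""
        return [vm for vm in inventory if self.tag in vm.tags]

    @property
    def registration_tag(self):
        # The string the lab selects under "Add Match Criteria" in Panorama.
        return f"{self.name}-securitygroup-{self.ident}"


def register_ips(groups, inventory):
    """Build the IP -> registration tags table as pushed to the firewall."""
    reg = {}
    for sg in groups:
        for vm in sg.members(inventory):
            for ip in vm.ips:
                reg.setdefault(ip, set()).add(sg.registration_tag)
    return reg


@dataclass
class DynamicAddressGroup:
    name: str
    match: str   # the registration tag chosen as the DAG's match criterion

    def addresses(self, reg):
        """A DAG is evaluated, not stored: it is the set of IPs tagged `match`."""
        return {ip for ip, tags in reg.items() if self.match in tags}


GROUPS = [
    SecurityGroup("Legal-Web-Servers", "Legal-Web-Server", "ID#"),
    SecurityGroup("Legal-DB-Servers", "Legal-DB-Server", "ID#"),
]
DAGS = [DynamicAddressGroup(sg.name, sg.registration_tag) for sg in GROUPS]


def dag_membership(inventory):
    """Resolve every DAG to its current IP set for the given inventory."""
    reg = register_ips(GROUPS, inventory)
    return {dag.name: dag.addresses(reg) for dag in DAGS}


def lab_inventory():
    """The two Legal servers as verified in the lab (one IP each shown)."""
    return [
        VM("legal-web-01", {"15.0.0.202"}, {"Legal-Web-Server"}),
        VM("legal-db-01", {"15.0.0.204"}, {"Legal-DB-Server"}),
    ]


def after_scale_out():
    """A new web VM that receives the tag joins the DAG with no policy edit
    (constructed VM and address)."""
    inv = lab_inventory()
    inv.append(VM("legal-web-02", {"15.0.0.203"}, {"Legal-Web-Server"}))
    return dag_membership(inv)


def after_tag_removed():
    """Removing the tag drops the VM from the group and hence from the DAG,
    so the "Legal Web to DB" rule no longer matches it."""
    inv = lab_inventory()
    inv[0].tags.discard("Legal-Web-Server")
    return dag_membership(inv)


if __name__ == "__main__":
    print("lab:       ", dag_membership(lab_inventory()))
    print("scale-out: ", after_scale_out())
    print("tag removed", after_tag_removed())
```

The verification steps later in this module (comparing "View all 4 IP addresses" in vCenter against the "more" listing under Addresses in Panorama and the Security Group members in Service Composer) are exactly a check that these three tables agree. The two extra functions show the property the lab conclusion emphasises: membership follows tags, so adding or retiring a VM changes the rule's effective scope without anyone editing the rule.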
In Panorama:
2) Click on the 2nd policy listed so that the next policy created will follow immediately.
3) Click on the +Add icon at the bottom left side of your screen.
When the Security Policy Rule display box appears multiple tabs will be displayed, many
of which will need to be configured. Start on the General Tab by naming the new policy
"Legal Web to DB".
1) Click on the Source tab and check the "Any" box for the Source Zone.
2) For the Source Address, click on the green + icon and when the display options
appear, choose the "Legal-Web-Servers" address group which is sub-step 3.
1) After clicking on the Destination tab specify the Destination Zone by 2) clicking on
the drop down arrow and choosing "any".
3) Then again click on the green + plus icon and for Destination Address select "Legal-
DB-Servers".
After 1) clicking on the "Application" tab, 2) click on the green + plus sign on the bottom
left to Add, then specify the allowed application. You can refine the listing of available
applications by typing "mysql" in the highlighted field. Then select "mysql" to
populate. The next tab will be the Actions tab.
1) For the Action Setting, using the drop down arrow select "Allow".
3) For Log Forwarding, using the drop down arrow select the "Panorama Logging Profile".
Commit Configurations
At this time there should be four security policy rules listed. Before proceeding make
sure these rules are listed in the order that you see here. Specifically, make sure the
"Default Deny with Logging" rule is the last rule listed. If this is not the case, simply
click on the rule without opening it and then drag and drop this rule to the bottom of the
list. Alternatively, you could also use the Move command which is located on the bottom
task bar to move this rule to the bottom. Either way, when ready please proceed to the
next step.
1) Commit Operations: In order for the new configurations to be applied a series of two
"Commits" will be required. First you will need to Commit to Panorama. To do so click on
the "Commit" command in the upper right hand corner.
Commit to Panorama
For Commit Type, select the radio button for Panorama and click OK. The commit will
begin and you will see the following:
Commit to Panorama
After the pending Commit operation is complete, you should receive a "Configuration
committed successfully" message. Proceed by clicking the Close button but only after
you have received this "Configuration committed successfully" message. Then proceed
to the second commit type.
For the Commit Type: 1) select the "Device Group" radio button and when presented
with the full display 2) check the "VM-Series-DG" check box and then 3) check the
"Force Template Values" option and then 4) click the Commit tab.
The commit action will begin to the two VM-Series firewalls and may take a few minutes.
Please be patient until the Progress bar and its status indicate 100% completion.
Notice the Progress of 100% and the Status stating the commit operation succeeded.
Note: Ignore the warning messages under the Status column as this is expected
behavior due to other settings that are in place for logging purposes.
Launch the Chrome browser, if necessary. Click on the "Site A Web Client" bookmark to
access the VMware vCenter Single Sign-on page. Check the "Use Windows session
authentication" box and click Login.
1) Check the Legal Web servers first by selecting the "legal-web-01" server.
2) Near the center of the screen click on "View all 4 IP addresses" to ensure IP address
registration. Take a moment to note the IP Address 15.0.0.202. You will need to ensure
this IP address is the same IP address as found within Panorama. You will also want to
ensure it is listed within the respective Security Group of the NSX Manager.
Before doing so, conduct the same review for the "legal-db-01" server.
Like before, to review your Legal Database servers 1) click on "legal-db-01" from the left
hand tree panel and then 2) click on "View all 4 IP addresses".
Again take note of the 15.0.0.204 address as you will be checking for this IP address in
both Panorama and the NSX Security Groups to ensure it is registered.
Go back to Panorama. From within Panorama 1) go to the Objects tab and under
Address Groups, look for both of the Legal servers (Legal-Web and Legal-DB).
Check the Legal-Web server first by clicking "more" under the Addresses column for
"Legal-Web-Servers".
Click Close and then proceed to conduct the same check for the Database servers.
Like before click "more" under Addresses column for the "Legal-DB-Servers".
For the Legal Database Servers notice the same 15.0.0.204 IP address for this "legal-
db-01" server. This verifies successful IP registration for the Legal Database Servers
Address Group.
Click Close.
From the browser tab click on the vSphere Web Client tab to verify these same IP
addresses are within the Security Groups for these two verified servers.
To do so when you're back in vSphere, 1) click Home and then 2) Networking & Security.
1) Click on Service Composer from the left tree panel and 2) select the Security Groups
tab in the middle.
3) Now you can check the registered Virtual Machines and their IP addresses by clicking
on the highlighted entry under the Virtual Machines column for both your Legal Web and
Database Servers.
Check the "Legal-Web-Servers" Security Group first, where you see the "legal-web-01"
server with the 15.0.0.202 IP address. Click the "X" in the upper right corner to close.
Next check the "Legal-DB-Servers" Security Group, where you see the "legal-db-01"
server with the 15.0.0.204 IP address.
You have verified both of the Legal servers are registered and recognized as expected.
Click the "X" to close the window and proceed to the next step.
Generate Traffic
To check your work and to ensure all of the groups, policies, and configurations have
been correctly configured, test by generating traffic through the firewalls.
Login to "legal-web-01"
You will need the Module 2 command from the README.txt file on the desktop, so 1)
open this file and 2) scroll down to the Module 2 section and copy the first mysql
command listed to the clipboard.
Within the SSH session "paste" the copied command at the prompt to run the mysql
command. Notice the output received and then proceed.
Go back to the browser and go back into Panorama. From within Panorama:
3) Do a manual refresh.
Notice the Traffic Logs indicate a successful test as you see the source and destination
IP addresses, and the mysql application, which was properly allowed by the firewall. This
verifies a successful test and a successful lab. Great job!
Lab 2 Conclusion
In this lab many activities were carried out, and in doing so you gained an awareness
and appreciation of how easy it is to deploy, integrate, and manage this joint solution by
VMware and Palo Alto Networks. For instance, recall how quickly and easily you were
able to deploy new VMs, and groups of VMs, using VMware NSX, or how easy it was for
VMware NSX to perform traffic steering so that ALL traffic went through the Palo Alto
Networks VM-Series firewall for the purpose of ensuring an ever aware and secure
datacenter. All with just a few clicks via a practically seamless integration between the
Palo Alto Networks VM-Series firewall and VMware's NSX, and all without having to
make any changes to the infrastructure of the datacenter itself.
As with the previous lab, you saw the power, benefit, and efficiency when it came to
ease of deployment, ease of integration, ease of configuration, ease of overall
management, and ease of synchronization between the Dynamic Address Groups within
the Palo Alto Networks firewalls and the Security Groups within the VMware NSX
Manager. Both provide stateful synchronization so that all changes, in the form of VM
additions, deletions, moves, and dynamic IP addressing, are tracked automatically, which
means no manual changes to the infrastructure and/or reconfiguration are required on
your part. Reason being, all datacenter changes were automatically recognized and
registered within the NSX Manager, and so the datacenter is always secure, even when
the traffic is intra-datacenter traffic among VMs.
On behalf of Palo Alto Networks and VMware, we thank you for sitting our labs. We hope
you enjoyed each lab as much as we enjoyed preparing each one of them for you. It is
our sincere hope that we successfully demonstrated how easy it is to manage and
secure the ever changing datacenter!
Free VM-Series Firewall Raffle: To say thank you for sitting our lab exercises, we'd
like to invite you to participate in our daily raffle, where we will be giving away one
Palo Alto Networks VM-100 series firewall, free. This daily raffle will be available during
VMworld 2015 Europe beginning Monday, 12 October through Thursday, 15 October. To
enter this daily drawing, fill out an entry form here Palo Alto Networks VM-Series Firewall
Raffle with your complete contact information. All winners will be contacted via email
following the VMworld 2015 Europe event.
Important Message Before Proceeding with Module 3
The following is not applicable for current sessions. If you are simply transitioning
from the previous section to the next module you may proceed as normal to the next
screen. However, if you just launched this lab seconds ago, follow these Lab Status
Check instructions.
Before getting started, conduct a quick lab status check to make sure the "Lab Status"
state is set to "Ready" mode. If the lab status state is set to a mode other than
"Ready", end this lab and restart a new lab session.
Continuing this lab while in a Lab Status State of anything other than "Ready" may
result in a poor lab experience due to latency, unexpected errors, and lost work.
Module 3: Using Distributed FireWall (DFW) to Protect Intra-tier Traffic (30 Min)
Module Overview
In this module VMware NSX DFW is configured to secure intra-tier traffic between web
front-end servers. This module shows how to define dynamic Security Groups (based on
VM name and based on Logical Switch) and how to use them in DFW policy
configuration.
During this module (30 minutes) the focus will be on the various NSX DFW features and
functions. The lessons learned will enable you to gain an understanding of, as well as
perform, the following:
Log in to the vSphere Web Client. To do so, launch the Chrome browser and click on the
vSphere Web Client bookmark named "Site A Web Client". At the VMware vCenter
Single Sign-on page, check the "Use Windows session authentication" box to log in using
Single Sign-on.
Once logged in, and from the 1) Home screen, click on 2) Networking & Security.
Note: If you have previously performed modules 1 and 2 of this Hands-on-Lab you will
have a similar view and screenshot. However, if you have just started here at module 3
you will not see some of the Security Groups that are displayed here.
1) Click on the New Security Group icon to create a new Security Group.
1) On the "Name and description" page, name this new security group, "Legal-Web-
Servers-Module-3".
2) Click Next.
At this time the new security group has been created and should be displayed within the
Security Group listing. The characteristics of this new security group will also be
displayed. For example, note the number of Virtual Machines (2) under the
corresponding column.
Security Group - VM
Check which virtual machines are contained within this new Security Group. Do so by
clicking on the link of the Virtual Machines column for this security group "Legal-Web-
Servers-Module-3". At this time both of the legal team web servers should be reflected.
Click the "X" in the upper right corner of the box to close.
1) Click on the New Security Group icon to create a new Security Group.
1) On the "Name and description" page, name this new security group, "HR-Web-
Servers-Module-3".
2) Click Next.
1) For "Object Type", use the drop down arrow to select "Logical Switch".
2) Select LS-HR-01. This is the Logical Switch (VXLAN) that all of the VM servers of the
HR organization connect to.
3) Using the "move to arrow", move the "LS-HR-01" object to the "Selected Objects" box.
4) Click Next.
1) For "Object Type", use the drop down arrow and scroll down and select "Virtual
Machine".
3) Use the "move to arrow" to move the selected object over to the "Selected Objects"
box.
At this time the new security group has been created and should be displayed within the
Security Group listing. The characteristics of this new security group will also be
displayed. For example, note the number of Virtual Machines (2) under the
corresponding column.
Security Group - VM
Check which virtual machines are contained within this new Security Group. Do so by
clicking on the link of the Virtual Machines column for this security group "HR-Web-
Servers-Module-3". At this time both of the HR team web servers should be reflected.
Click the "X" in the upper right corner of the box to close.
Note: There are two methods to configure traffic steering. We used one method in lab 2
and so now we will use the other method here in lab 3.
Legal:
  source: Legal Web Servers | destination: Legal Web Servers | services: ICMP | action: allow
  source: Legal Web Servers | destination: Legal Web Servers | services: ANY  | action: block
HR:
  source: HR Web Servers    | destination: HR Web Servers    | services: ICMP | action: allow
  source: HR Web Servers    | destination: HR Web Servers    | services: ANY  | action: block
DFW Menu
1) Click on the Add section icon and then 2) enter as the section name, "INTRA-TIER
protection".
Click the 1) Add rule icon and then click on 2) the arrow to expand Section in order to
see all the defined policy rules.
1) Put your cursor in the "Name" column and click. After doing so, a small + icon will
appear. Click this + icon and within the Rule Name field enter the following string:
"Legal-Web to Legal-Web ICMP". After doing so, click OK to continue.
1) Move your cursor into the "Source" column and click. A small + icon will
appear. Click on this + icon and a new window will appear.
2) For "Object Type", use the drop down arrow to scroll down to select Security
Group. Then select Security Group and all available Security Groups will be listed.
4) Then using the "move to arrow", click this arrow to move it over to the "Selected
Objects" box.
1) Move your cursor into the "Destination" column and click. A small + icon will
appear. Click on this + icon and a new window will appear.
2) For "Object Type", use the drop down arrow to scroll down to select Security
Group. Then select Security Group and all available Security Groups will be listed.
4) Then using the "move to arrow", click this arrow to move it over to the "Selected
Objects" box.
1) Move your cursor into the "Service" column and click. A small + icon will
appear. Click on this + icon and a new window will appear.
2) For "Object Type", use the drop down arrow to scroll down to select Service. In the
filter search field enter "icmp" as a keyword. All services related to ICMP will appear.
3) Find and select "ICMP Echo" and using the "move to arrow", 4) move it over to the
"Selected Objects" box.
Repeat the same procedure for the "ICMP Echo Reply" object. After doing so you will
have two selected ICMP objects.
1) Place your cursor in the "Action" column. A small + icon will appear. Click on this
+ icon and an Action box will appear. By default, the Action setting is set to Allow for a
newly created security policy. This is the desired action to enforce the rule and so there
is nothing that needs to be modified here. 2) Therefore, click Cancel.
At this stage this window should be presented. Review your rule and ensure you have
the same values and settings entered. If so, click 1) Publish Changes to enforce the
newly created security policy.
A message should be displayed at the top of the page showing the successful publish
operation. Note: The message may take some time to arrive depending on the CPU load
of the HOL infrastructure.
By following the step-by-step procedure you successfully created a DFW policy rule using
Security Groups. In fact, you successfully created INTRA-TIER protection rule
number 1. This rule permits ICMP.
Continue now on your own, by repeating the steps you have just performed, to create
three additional rules. These three remaining rules are required in order to secure the
environment.
The three remaining rules are named below, each with the specific values
required for that rule:
Rule 2, Legal-Web to Legal-Web ANY: Services: Any; Action: Block
Rule 3, HR-Web to HR-Web ICMP: Action: Allow
Rule 4, HR-Web to HR-Web ANY: Services: Any; Action: Block
IMPORTANT NOTE: click on the 1) + icon (as shown in the diagram above) to add these
three new rules. New rules should always be created at the bottom of the previously
created rules, because the order of rule definition matters with DFW (as is the case
with all firewalls). The reason is that rule evaluation is always performed from top to
bottom and the first rule that matches the packet is the one acted upon. If necessary,
use the Move Rule Down icon to move your rule down or the Move Rule Up icon to
move your selected rule up. These icons are encircled in red.
Note: If the rule set is displayed in a different order than what is shown in the
screenshot you will need to re-order the rules. To perform this operation, select the rule
that needs to be re-ordered and then click on the up or down arrow as shown.
A publish operation success message should be displayed at the top of the page (there
may be a slight delay before appearing). Great job, proceed to the next step.
From NSX Home, click on 1) Flow Monitoring. Then click on 2) Configuration tab.
As you can see, global flow collection is disabled by default. 3) Click Enable to turn it
on.
You should obtain the same window once Global Flow Collection has been enabled.
Click on 1) legal-web-01 icon. A new SSH window will appear with automatic login to
legal-web-01.
2) Type the command ping -c 5 legal-web-02 to test for an ICMP response from the
legal-web-02 server back to the legal-web-01 server.
Notice the "5 packets transmitted, 5 received, 0% packet loss" response indicating that
ICMP is indeed allowed on the DFW.
Within the same SSH window and session, enter the clear command. Then enter the
ssh legal-web-02 command.
After a few seconds, you should see the error message: connection timed out (hit Ctrl-C to
terminate the ssh command if the wait time is too long).
This failed SSH attempt is the expected behavior as the NSX DFW does not allow SSH
between these two web servers. Continue to test the HR Web Servers.
Click on 1) hr-web-01 icon. A new SSH window will appear with automatic login to hr-web-01.
2) Type the command ping -c 5 hr-web-02 to test for an ICMP response from the hr-web-02
server back to the hr-web-01 server.
Notice the "5 packets transmitted, 5 received, 0% packet loss" response indicating that
ICMP is indeed allowed on the DFW.
Within the same SSH window and session, enter the clear command. Then enter the
ssh hr-web-02 command.
After a few seconds, you should see the error message: connection timed out (hit Ctrl-C to
terminate the ssh command if the wait time is too long).
This failed SSH attempt is the expected behavior as the NSX DFW does not allow SSH
between these two web servers.
Launch the Chrome browser and click on the Site A Web Client bookmark to launch and
login to the vSphere web client. Again use the "Use Windows session authentication"
Single Sign-on method.
1) Once logged in, and from the Home screen, navigate to Networking & Security >
Firewall menu (sub-step 2).
By default the NSX DFW per policy rule statistics are not displayed. 3) Perform the
following action under the Column Headers menu to display the "Stats" column.
Once done, notice the new column appearing in the policy rule window with the column
heading of Stats.
2) For Rule1, Legal-Web to Legal-Web ICMP traffic, move to the far right over to the
diagram icon under the Stats column.
Under the Stats column, click on the diagram icon to see the flow statistics (number of
packets and bytes) processed by the NSX DFW for this Rule 1.
1) For Rule2, Legal-Web to Legal-Web ANY traffic, move to the far right over to the
diagram icon under the Stats column.
Under the Stats column, click on the diagram icon to see the flow statistics (number of
packets and bytes) processed by the NSX DFW for this Rule 2.
1) For Rule3, HR-Web to HR-Web ICMP traffic, move to the far right over to the
diagram icon under the Stats column.
Under the Stats column, click on the diagram icon to see the flow statistics (number of
packets and bytes) processed by the NSX DFW for this Rule 3.
1) For Rule4, HR-Web to HR-Web ANY traffic, move to the far right over to the
diagram icon under the Stats column.
Under the Stats column, click on the diagram icon to see the flow statistics (number of
packets and bytes) processed by the NSX DFW for this Rule 4.
SSH is blocked by rule 2 for the Legal organization and by rule 4 for the HR organization.
The task is to enable SSH. To do so add this protocol to Rule 1 and to Rule 3.
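The top-to-bottom, first-match evaluation described in the IMPORTANT NOTE earlier in this module, and why SSH is added to Rule 1 and Rule 3 rather than to the Block rules, as an added Python example (not code from the lab guide). The Security Group names "Legal-Web-Servers" and "HR-Web-Servers", the service object name "SSH" and the VM membership table are assumptions; the page names neither the groups nor the SSH object.

```python
"""Worked example, added here (not code from the lab guide): first-match
evaluation of the INTRA-TIER protection rule set built in this module.
Assumed (not on the page): the Security Groups are named "Legal-Web-Servers"
and "HR-Web-Servers", the SSH service object is named "SSH", and the
membership table below is constructed for the lab VMs."""
from dataclasses import dataclass, replace

# Constructed membership table: Security Group -> member VMs.
GROUP_MEMBERS = {
    "Legal-Web-Servers": {"legal-web-01", "legal-web-02"},
    "HR-Web-Servers": {"hr-web-01", "hr-web-02"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str            # Security Group name, or "Any"
    destination: str       # Security Group name, or "Any"
    services: frozenset    # service object names, or {"Any"}
    action: str            # "Allow" or "Block"

    def matches(self, src_vm: str, dst_vm: str, service: str) -> bool:
        def in_group(vm, group):
            return group == "Any" or vm in GROUP_MEMBERS.get(group, set())
        return (in_group(src_vm, self.source)
                and in_group(dst_vm, self.destination)
                and ("Any" in self.services or service in self.services))


ICMP = frozenset({"ICMP Echo", "ICMP Echo Reply"})
ANY = frozenset({"Any"})


def intra_tier_rules():
    """The four rules of the INTRA-TIER protection section, in lab order."""
    lw, hw = "Legal-Web-Servers", "HR-Web-Servers"
    return [
        Rule("Legal-Web to Legal-Web ICMP", lw, lw, ICMP, "Allow"),
        Rule("Legal-Web to Legal-Web ANY", lw, lw, ANY, "Block"),
        Rule("HR-Web to HR-Web ICMP", hw, hw, ICMP, "Allow"),
        Rule("HR-Web to HR-Web ANY", hw, hw, ANY, "Block"),
    ]


def evaluate(rules, src_vm, dst_vm, service):
    """Walk the table top to bottom and stop at the first matching rule.
    Returns (rule name, action). When nothing in the section matches, the
    DFW default rule decides; this model reports ("<default rule>", None)
    rather than guessing that rule's action."""
    for rule in rules:
        if rule.matches(src_vm, dst_vm, service):
            return rule.name, rule.action
    return "<default rule>", None


def with_ssh_added(rules):
    """The fix performed in this step: add the SSH service to Rule 1 and
    Rule 3 (the ICMP Allow rules) instead of touching the catch-all Block
    rules, so the Block rules keep covering everything else."""
    return [replace(r, services=r.services | {"SSH"})
            if r.name.endswith("ICMP") else r
            for r in rules]


def swap(rules, i, j):
    """Mis-order the table (what the IMPORTANT NOTE warns against)."""
    out = list(rules)
    out[i], out[j] = out[j], out[i]
    return out
```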
In the NSX DFW policy table, select Rule Number 1. Then move your cursor to the
Service Column field and hover until the + icon appears.
1) Click this + icon to modify content of Service field. A new window will appear.
In the NSX DFW policy table, select Rule Number 3. Then move your cursor to the
Service Column field and hover until the + icon appears.
1) Click this + icon to modify content of Service field. A new window will appear.
Publish Changes
Click on 1) Publish Changes to enforce the modified NSX DFW policy configuration.
A "Last publish operation succeeded" message will appear upon successful operation.
Now test the configuration changes by running a series of SSH connections between the
VMs checking for successful connectivity.
An ECDSA key Fingerprint Authenticity message will be displayed. Type yes to continue
the connection.
An ECDSA key Fingerprint Authenticity message will be displayed. Type yes to continue
the connection.
As in the previous lab, you saw the benefits of: ease of deployment, ease of integration,
ease of configuration and management, and ease of synchronization among all of
the components of this joint solution. You also experienced how quickly and seamlessly
you can secure all of the servers within your datacenter, by inspecting and managing
the east-west traffic taking place within your datacenter.
On behalf of Palo Alto Networks and VMware, we'd like to thank you for sitting our labs.
We hope you enjoyed our labs as much as we enjoyed preparing them for you, and we
hope we successfully demonstrated how easy it is to manage and secure your ever-changing
datacenter!
Free VM-Series Firewall Raffle: To say thank you for sitting our lab exercises, we'd
like to invite you to participate in our daily raffle, where we will be giving away one
Palo Alto Networks VM-100 series firewall for free. This daily raffle will be available during
VMworld 2015 Europe beginning Monday, 12 October through Thursday, 15 October. To
enter this daily drawing, fill out an entry form here (Palo Alto Networks VM-Series Firewall
Raffle) with your complete contact information. All winners will be contacted via email
following the VMworld 2015 Europe event.
Important Message Before Proceeding with Module 4
The following is not applicable for current sessions. If you are simply transitioning
from the previous section to the next module you may proceed as normal to the next
screen. However, if you just launched this lab seconds ago, follow these Lab Status
Check instructions.
Before getting started, conduct a quick lab status check to make sure the "Lab Status"
state is set to "Ready" mode. If the lab status state is set to a mode other than
"Ready", end this lab and restart a new lab session.
Continuing this lab while in a Lab Status State of anything other than "Ready" may
result in a poor lab experience due to latency, unexpected errors, and lost work.
Module 4: Using Advanced Palo Alto Networks Security Policy to Protect Application Tiers (45 Minutes)
Module Overview
Objectives and Development Notes
In this module, the Palo Alto Networks VM-Series firewalls are configured to protect against
the introduction and spread of malware in an NSX datacenter. Using the virtual firewalls the
student will create security policy rules to monitor for threats and to prevent the spread
of malware.
During this module you will gain an understanding of advanced threat protection and
how to prevent the spread of malware between application tiers in a virtualized
datacenter.
1) Launch the Chrome browser and click on the vSphere Web Client bookmark.
2) Check the "Use Windows session authentication" box and click Login to login via
VMware vCenter Single Sign-On.
Look for your two new virtual machines of the Marketing organization (mktg-db-01 &
mktg-web-01).
1) Select the mktg-db-01 VM by clicking on it. Then note this VM is already assigned
an NSX Security Tag of "Mktg-DB-Server". Also note this VM's Security Group
Membership as being assigned to the "Mktg-DB-Servers" group. Also see the IP
addresses for the servers of this VM. Now proceed to conduct the same review of the
mktg-web-01 VM.
1) Select the mktg-web-01 VM by clicking on it. Then note this VM is already assigned
an NSX Security Tag of "Mktg-Web-Server". Also note this VM's Security Group
Membership as being assigned to the "Mktg-Web-Servers" group. Also see the IP
addresses for the servers of this VM.
4) Click on the "Security Groups" tab and note the two Security Groups for the VMs of
the Marketing organization. There are two Security Groups each with one VM.
5) Click on the highlighted "1" for each to see the name of the respective VM for each
Security Group. In the example here the "mktg-db-01" VM is being displayed as a
member of the "Mktg-DB-Servers" Security Group.
If you were to repeat the same check for the Security Group "Mktg-Web-Servers" you
would find the "mktg-web-01" VM.
6) After viewing the VM name click on the "X" in the upper right corner to close.
Now you can verify dynamic inclusion is being used for anything that is tagged with the
Security Tag of Mktg-Web-Server.
The same steps could be repeated to verify dynamic inclusion for Security Group
Mktg-DB-Servers, where in that case anything with the Security Tag of Mktg-DB-Server will
be included within the Mktg-DB-Servers group.
1) Click on the Firewall setting of NSX and 2) go to the Partner Security Services
tab. Notice the two previously created, highlighted rules that were created in Modules 1
& 2.
3) Click on the Add Section icon to begin creating the security rules for this module,
module 4.
4) Name the rule "Module 4 Marketing". To make sure this new rule will be the first rule,
be sure to select the "Add section above" radio button so that it will be placed above
the rule created for Module 2.
1) Expand the Module 4 Marketing (Rule 1) by clicking on the arrow. Then move down to
the highlighted row 1 and move over to the Name column.
2) From within the Name column click on the + create icon and when presented with
the Rule Name box, 3) enter the rule name of "Any to Web Server"
1) Move to the Destination field and click the + create icon. 2) For the Object Type
use the drop down arrow to select "Security Group". 3) Under Available Objects scroll
down and select "Mktg-Web-Servers".
4) Using the move to arrow, move over to the Selected Objects box. 5) Click OK to
complete.
1) Click the + create icon and 2) for the Redirect To: field use the drop down arrow to
select Palo Alto Networks.
3) Click OK to complete.
1) Still within the Action column, under the Redirect heading click on the Palo Alto
Networks link.
2) For Object Type use the drop down arrow to find and select Security Group.
4) Use the move to arrow to move over to the Selected Objects box. 5) Click OK to
complete.
1) Click the green Add Rule + icon in the upper left corner.
2) For this new rule 2, within the Name column click on the + create icon.
3) Name this new rule "Web Server to DB Server" and then click OK to complete for
this action.
Specify Source
1) Under the Source column for this new rule 2, click on the + create icon.
2) For Object Type use the drop down arrow to find and select Security Group.
4) Use the move to arrow to move over to the Selected Objects box.
Specify Destination
1) Under the Destination column for this new rule 2, click on the + create icon.
2) For Object Type use the drop down arrow to find and select Security Group.
4) Use the move to arrow to move over to the Selected Objects box.
2) Make sure the Action is set to Redirect and the Redirect To: setting is Palo Alto
Networks.
1) Still within the Action column, under the Redirect heading click on the Palo Alto
Networks link.
2) For Object Type use the drop down arrow to find and select Security Group.
4) Use the move to arrow to move over to the Selected Objects box. 5) Click OK to
complete.
2) Click on the arrow to expand the rules for "Module 4 Marketing" and notice the
newly created firewall rules that will redirect the traffic to the Palo Alto Networks VM-
Series firewall.
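Dynamic inclusion as verified earlier in this module, together with the two redirect rules just created, as an added Python example (not the lab's own code): Security Group membership is recomputed from Security Tags, so a VM that carries the right tag is covered by the redirect rules without any rule being edited, and a VM whose tag is removed drops out again. The inventory, the "tag_equals" criterion encoding and the helper names are constructed for illustration.

```python
"""Worked example, added here (not the lab's own code): dynamic inclusion.
Security Group membership is derived from Security Tags, so the Module 4
Partner Security Services rules follow the tags rather than VM names.
The inventory, the "tag_equals" criterion encoding and the helper names
are constructed for illustration."""

# Constructed inventory: VM name -> set of NSX Security Tags on that VM.
INVENTORY = {
    "mktg-web-01": {"Mktg-Web-Server"},
    "mktg-db-01": {"Mktg-DB-Server"},
}

# The two Marketing Security Groups, each defined by a dynamic criterion
# "Security Tag equals <tag>", as the lab shows for these groups.
DYNAMIC_GROUPS = {
    "Mktg-Web-Servers": {"tag_equals": "Mktg-Web-Server"},
    "Mktg-DB-Servers": {"tag_equals": "Mktg-DB-Server"},
}

# The two Partner Security Services rules created in this module.
REDIRECT_RULES = [
    {"name": "Any to Web Server", "source": "Any",
     "destination": "Mktg-Web-Servers", "redirect_to": "Palo Alto Networks"},
    {"name": "Web Server to DB Server", "source": "Mktg-Web-Servers",
     "destination": "Mktg-DB-Servers", "redirect_to": "Palo Alto Networks"},
]


def resolve_members(inventory, groups):
    """Recompute every group's membership from the tags currently on each VM.
    Matching is an exact tag comparison: "Mktg-Web-Server" is not the same
    tag as "Mktg-Web-Servers", so a mistyped tag leaves a VM unprotected."""
    members = {group: set() for group in groups}
    for vm, tags in inventory.items():
        for group, criterion in groups.items():
            if criterion["tag_equals"] in tags:
                members[group].add(vm)
    return members


def groups_of(vm, inventory=INVENTORY, groups=DYNAMIC_GROUPS):
    """Sorted names of the groups the VM currently belongs to."""
    return sorted(g for g, vms in resolve_members(inventory, groups).items()
                  if vm in vms)


def rules_covering(vm, inventory=INVENTORY, groups=DYNAMIC_GROUPS,
                   rules=REDIRECT_RULES):
    """Names of redirect rules whose source or destination group contains
    the VM. "Any" endpoints are not group-based and are ignored here."""
    mine = set(groups_of(vm, inventory, groups))
    return [r["name"] for r in rules
            if r["source"] in mine or r["destination"] in mine]


def tag_vm(inventory, vm, tag):
    """Apply a Security Tag (creating the VM entry if needed). Returns a new
    inventory; the original is left untouched so tests can compare states."""
    updated = {k: set(v) for k, v in inventory.items()}
    updated.setdefault(vm, set()).add(tag)
    return updated


def untag_vm(inventory, vm, tag):
    """Remove a Security Tag; the VM leaves the group on the next resolve."""
    updated = {k: set(v) for k, v in inventory.items()}
    updated.get(vm, set()).discard(tag)
    return updated
```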
Login to Panorama
There are nine steps in this configuration so be careful to complete each step:
6) For the Tags field use the drop down arrow to select the "Mktg Web Server" color
coded tag.
There are nine steps in this configuration so be careful to complete each step:
6) For the Tags field use the drop down arrow to select the "Mktg DB Server" color
coded tag.
2) Make sure you are on the Security > Pre Rules page. 3) Click the + Add icon at the
bottom of the screen.
4) On the General tab name the new rule "Allow Mktg Any to Web".
Specify Source
Specify Destination
1) From the Destination tab and for the Destination Zone, 2) select any.
3) Move over to the Destination Address section and Click the + Add icon.
4) Scroll until you find Address Group> "Mktg-Web-Servers" and select it.
2) Enter the keyword "web-brows" to do a search and then click on "Web-browsing"
to select it and have it populate the field.
3) Move over and click on the Actions tab (for Service/URL Category keep the default
setting and so there is no need to make changes there).
1) From the Actions tab set the Log Setting to include "Log at Session Start".
2) For Log Forwarding use the drop down arrow to select the "Panorama Logging
Profile" option. This will forward the logs of the VM-Series firewall to Panorama.
3) Click OK.
After the new rule was created, it was most likely added to the bottom of the rule set as
the last. However, this new rule should be the 4th in the rule set 1-5 and so move this
rule so it is as such.
To do so, 1) click on the new rule "Allow Mktg Any to Web" to highlight. Then drag and
drop this rule in place so it is the 4th rule. Or, 2) click on Move and select the "Move
Up" option placing it in the 4th order.
It may be a good idea to make sure all five rules are listed in the order displayed above.
2) Make sure you are on the Security > Pre Rules page. 3) Click the + Add icon at the
bottom of the screen.
4) On the General tab, name this new rule "Marketing Web to DB Server".
1) From the Source tab check the Any box for the Source Zone.
2) Move to Source Address box and click the + Add icon, then 3) scroll and select the
Address Group "Mktg-Web-Servers".
1) From the Destination tab and for the Destination Zone, 2) select any.
3) Move over to the Destination Address section and Click the + Add icon.
4) Scroll until you find Address Group> "Mktg-DB-Servers" and select it.
2) Enter the keyword "mysq" to do a search and then click on "mysql" to select it and
have it populate the field.
3) Move over and click on the Actions tab (for Service/URL Category keep the default
setting and so there is no need to make changes there).
1) From the Actions tab set the Log Setting to include "Log at Session Start".
2) For Log Forwarding use the drop down arrow to select the "Panorama Logging
Profile" option. This will forward the logs of the VM-Series firewall to Panorama.
3) Click OK.
After the new rule was created, it was most likely added to the bottom of the rule set as
the last. However, this new rule should be the 5th in the rule set 1-6 and so move this
rule so it is as such. If it is indeed the 5th rule, then proceed to the next step.
To do so, 1) click on the new rule "Marketing Web to DB Server" to highlight. Then
drag and drop this rule in place so it is the 5th rule. Or, 2) click on Move and select the
"Move Up" option. Either way when you are done make sure this new rule is listed 5th.
It is also a good idea to pause to make sure your six rules are ordered as displayed
above.
3) When the rules are in place click the Commit icon in the upper right corner.
After the Commit operation completes the success message displayed above should
appear. If so click Close and proceed to the next step.
After some time the commit operation will complete. When it does the progress status
will be 100% and the message should state the commit succeeded on both VM firewalls
(ignore the warning message).
1) Click Close and proceed to the testing phase in the next step.
Test in WordPress
The test requires that you generate web traffic to your web server. To do so 1) open
another browser window and click on the "wordpress" bookmark icon.
Now proceed to the next step which is to check the logs of the Panorama server to
ensure this web-browsing application and request was sent through the VM-Series
firewall. If so, the logs will reflect this web activity.
Notice the successful and allowed actions for the applications, mysql and web-browsing.
Also note the rule names. This verifies the traffic was successfully redirected to the
Palo Alto Networks VM-Series firewall.
Begin to create the Vulnerability Protection Security Profile by cloning the Default
Profile. To do so:
1) Select the newly created, copied profile that is currently named default-1. Double-
click on it to open the settings.
3) From on the Rules tab select, the rule name "simple-client-high" and click on it to
open the settings.
Vulnerability Settings
1) From on the Rules tab select, the rule name "simple-client-medium" and click on it
to open the settings.
Your display should look like the above which shows the two modified rules with Action
settings of reset-both.
3) Select and click on the Allow Mktg Any to Web (rule 4) to configure its settings.
5) For the setting Profile Type, use the drop down arrow to select "Profiles".
6) For the Vulnerability setting, use the drop down arrow to select the
"Mktg-Vulnerability-Protection" profile.
3) Select and click on the Marketing Web to DB Server (rule 5) to configure its
settings.
5) For the setting Profile Type, use the drop down arrow to select "Profiles".
6) For the Vulnerability setting, use the drop down arrow to select the
"Mktg-Vulnerability-Protection" profile.
Notice under the Profile column the new recently applied profiles indicated by the icons
present.
The SSH application must be added to the Allow All Ping rule. To do so:
2) Rename the rule to Allow Ping and SSH and then move to the Application tab.
1) Notice the modified rule 1 with both the ping and ssh applications listed.
4) Click Commit tab and wait for the commit function to complete. After receiving the
Commit OK result stating the commit was successful click the Close tab when it is
presented.
4) Click the Commit tab and wait for the commit function to complete.
Notice the summary Progress of 100% and the Status messages stating success (the
warning message can be ignored). 1) After verifying, click Close.
1) Open a new browser window and 2) click on the SQL Injection bookmark
3) The web request will begin; take note of the IP Address of the HTTP Web server.
Also, if you would like, put your cursor in the address bar and scroll to the end, where
you will see SQL commands such as
"group_concat%28user_login,0xa,user_pass%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22
To be sure, reload the page several times so that the SQL Injection attempt is sent
repeatedly.
When you feel ready, check the logs within Panorama to confirm that the attack generated an alert.
4) Do a Manual refresh to get the latest logs. Then notice the log entry for the HTTP
SQL Injection Attempt with the Severity level of medium.
1) Click and launch the mktg-web-01 desktop icon to launch a Putty session to this
server.
Notice the mysql-brute-force-attack.sh shell script that is present. Enter the more
command for this filename to view the script. The script itself shows that it will loop
forever and will send bad user and bad password attempts to the host=mktg-db-01
server.
1) Move back to Panorama to check the Monitor Tab > Logs > Threat log.
2) Conduct a Manual Refresh to refresh the logs. Notice all of the "MySQL
Authentication Brute-force Attempt" attacks from the web server to the
database server. Also note the Severity level of high.
1) Open another browser tab and 2) click on the wordpress bookmark icon.
Take notice that even though multiple attacks are taking place, one to the mktg-
web-01 server and another to the mktg-db-01 server, there is no impact as the web
page still launches as expected.
This is a clear indication of the Palo Alto Networks VM-Series firewall negating these
attacks, providing protection to both of these VM servers!
At this time you may cease the MySQL brute force attack by going back to the putty
session and pressing Ctrl-C to stop the script. You may also close the
browser session that is spawning the SQL injection attack.
Then, by creating a Vulnerability Protection Security Profile and applying it to the existing
Security Policy Rules, you experienced how fast and easy it was to trigger Layer 7
Application inspection for the purpose of preventing malicious attacks, such as the SQL
Injection and Brute Force attacks employed during this lab.
At this time we'd like to extend our congratulations for successfully completing this lab.
We hope you have enjoyed this module and have gained a richer understanding of
Advanced Threat Prevention as provided by Palo Alto Networks VM-Series firewall.
Introduction
This appendix section provides information to check the status of all lab components, in
order to ensure both the NSX and Palo Alto Networks solutions are working properly.
Note: if a red exclamation point icon appears instead of the green check mark icon, click
on the icon and then click on resolve to correct the issue.
Note: if a red exclamation point icon appears instead of the green check mark icon, click
on the icon and then click on resolve to correct the issue.
Slowpaths Check:
Check to make sure the Serial Number field is different from 0 (this validates that the
VM-Series has a proper license and will be able to function properly; this license is
based on a VM UUID).
1) Run the show interface all command to display the two Ethernet interfaces
(ethernet1/1 and ethernet1/2). Both should be in vwire mode.
1) The show jobs all command should display the first job-id (1) with Status = FIN and
Result = OK.
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit
http://hol.vmware.com/ to continue your lab experience online.
Version: 20151216-074126