
HOL-PRT-1672

Table of Contents
Important Message Before Proceeding ............................................................................. 3
Important Message Before Proceeding.................................................................... 4
Lab Overview - HOL-PRT-1672 - Palo Alto Networks Next-Generation Security Platform with VMware NSX ........ 5
Lab Guidance .......................................................................................................... 6
Lab Objectives and Development Notes ................................................................. 7
Palo Alto Networks VM-Series and VMware NSX Dynamic Security Policy Configuration .. 8
Module Descriptions................................................................................................ 9
Key Concepts and Terms ................................................................................................. 10
Some Components and Concepts of VMware and Palo Alto Networks .................. 11
Lab Components and Topologies..................................................................................... 17
Lab Components ................................................................................................... 18
Lab Topologies....................................................................................................... 19
Important Message Before Proceeding With Module 1:................................................... 23
Important Message Before Proceeding.................................................................. 24
Module 1: Palo Alto Networks VM-Series and VMware NSX dynamic security policy configuration (30 Min) ........ 25
Module 1 Overview: Palo Alto Networks VM-Series and VMware NSX dynamic security policy configuration (30 minutes) ........ 26
Environment Setup ............................................................................................... 27
Examining the NSX Security Groups within NSX Manager .................................... 30
Examine your Dynamic Address Groups ............................................................... 32
Examine the Security Policies ............................................................................... 35
Generate Traffic from your Web Server to the Database....................................... 36
Troubleshoot Traffic Steering Problem ................................................................... 40
Prepare to Generate Database Traffic With Logging.............................................. 55
Generate Database Table Calls ............................................................................. 56
App-ID by Palo Alto Networks................................................................................ 59
App-ID for SSH ...................................................................................................... 60
Module 1 Lab 1 - Conclusion ................................................................................. 62
Important Message Before Proceeding with Module 2 .................................................... 63
Important Message Before Proceeding.................................................................. 64
Module 2: Deploying Palo Alto Networks VM-Series with VMware NSX to protect a multi-tier application (45 Min) ........ 65
Securing the Data Center with the Palo Alto Networks VM-Series Firewall............ 66
Module Overview .................................................................................................. 69
Module Objectives and Development Notes ......................................................... 70
Review Security Tags for Legal Servers ................................................................. 71
Create NSX Security Groups and Configure Traffic Steering.................................. 75
Create Steering Policy for all Web Server to Database Server Traffic.................... 84
Create Dynamic Address Groups (DAG) ................................................................ 94
Create a Security Policy within Panorama ........................................................... 100

HOL-PRT-1672 Page 1

Review NSX Security Group and DAG Membership ............................................. 112


Generate Traffic................................................................................................... 121
Inspect Panorama Traffic Logs............................................................................. 123
Lab 2 Conclusion ................................................................................................. 124
Important Message Before Proceeding with Module 3 .................................................. 125
Important Message Before Proceeding................................................................ 126
Module 3: Using Distributed FireWall (DFW) to Protect Intra-tier Traffic (30 Min) .......... 127
Module Overview ................................................................................................ 128
Create NSX Security Groups................................................................................ 129
Create NSX DFW Security Policies ....................................................................... 143
Enable Flow Collection for NSX DFW Statistics.................................................... 153
Checking NSX DFW Policies................................................................................. 155
Lab 3 Conclusion - Summary of What Was Learned ............................................ 168
Important Message Before Proceeding with Module 4 .................................................. 169
Important Message Before Proceeding................................................................ 170
Module 4: Using Advanced Palo Alto Networks Security Policy to Protect Application Tiers (45 Minutes) ........ 171
Module Overview ................................................................................................ 172
Create Traffic Redirection to VM-Series Firewall .................................................. 173
Configure VM-Series Firewalls Using Panorama .................................................. 189
Create Security Policy Rules ............................................................................... 192
Create Security Policy Rules Continued............................................................... 198
Implementing Vulnerability Protection ................................................................ 210
Vulnerability Attacks - SQL Injection Attack ........................................................ 221
Lab 4 Summary Conclusion................................................................................. 227
Overall Conclusion ........................................................................................................ 228
Summary of what we've learned......................................................................... 229
Appendix - Lab Check ................................................................................................... 230
Introduction......................................................................................................... 231
NSX - Check Controllers Status ........................................................................... 232
NSX - Check Logical Network Preparation ........................................................... 233
NSX - Check VM-Series Service Deployment ....................................................... 234
vCenter - Check the VM-Series............................................................................ 235
ESXi Host - dvFilter Slowpaths............................................................................. 236
Panorama - Managed Devices ............................................................................. 237
VM-Series - Serial Number .................................................................................. 238
VM-Series - Configuration Deployment ............................................................... 239


Important Message Before Proceeding


Important Message Before Proceeding


Check to Make Sure the Lab Status State is Set to Ready. If Not, Restart a
New Lab Session.

Conduct a Lab Status Check

Before getting started, conduct a quick lab status check to make sure the "Lab Status"
state is set to "Ready" mode. If the lab status state is set to a mode other than
"Ready", end this lab and restart a new lab session.

Continuing this lab while in a Lab Status State of anything other than "Ready" may
result in a poor lab experience due to latency, unexpected errors, and lost work.


Lab Overview - HOL-PRT-1672 - Palo Alto Networks Next-Generation Security Platform with VMware NSX


Lab Guidance
How do you accelerate the deployment of business-critical applications without
compromising security? How do you define dynamic security policies to protect against
advanced threats while keeping pace with data center virtualization? VMware and Palo
Alto Networks have partnered to deliver a solution that combines fast provisioning of
network and security services with next-generation security in the data center. In this
lab, learn how to configure the Palo Alto Networks virtualized next-generation firewall
VM-1000-HV with VMware NSX to secure VM to VM communications.

Network virtualization provides speed and flexibility when provisioning network and
network services in the virtualized datacenter. But what is more important than speed
and flexibility when provisioning such virtualized networks? Security and the securing
of your virtualized networks!

Securing your VMs, your databases, your web servers, your file servers, and your data
stores should be of paramount importance to you, and to the reputation of your
company. Therefore, within this hands-on lab, you will learn how to do just that using
the latest in next-generation enterprise security: the Palo Alto Networks VM-Series
Firewall platform as integrated with VMware NSX.

Throughout this lab we will demonstrate how to secure the datacenter using the Palo
Alto Networks virtualized next-generation firewall VM-1000-HV with VMware NSX,
protecting VM to VM communications from today's advanced threats.


Lab Objectives and Development Notes


The lab objective is to demonstrate the capabilities of the Palo Alto Networks VM-Series
firewall working in conjunction with Panorama, and how both integrate with VMware
NSX. In addition, a main objective of this lab is to provide you with valuable hands-on
experience for the purpose of learning how to deploy and configure this joint solution.

This lab uses the following components:

VMware NSX Manager 6.1.4, vCenter and ESXi vSphere 6.0
Palo Alto Networks VM-1000-HV, 7.0.1
Palo Alto Networks Panorama 7.0.1


Palo Alto Networks VM-Series and VMware NSX Dynamic Security Policy Configuration


Module Descriptions
Module 1: Palo Alto Networks VM-Series and VMware NSX dynamic security
policy configuration (30 Minutes)

This module provides an overview of the Palo Alto Networks VM-Series integration
with VMware NSX and the configuration of dynamic security policies based on
context from VMware NSX.

Module 2: Configuring Palo Alto Networks VM-Series with VMware NSX to
protect a multi-tier application (45 Minutes)

In this module, both the VMware NSX Service Composer and the Palo Alto
Networks VM-Series firewall are deployed to secure a 3-tier application.
Specifically, this module covers the creation of Security Groups and traffic
redirection using Service Composer. This module also shows you how to define
dynamic security policies on Panorama based on context from VMware NSX.

Module 3: Using Distributed Firewall (DFW) to Protect Intra-tier Traffic (30
Minutes)

In this module VMware NSX DFW is configured to secure intra-tier traffic between
web front-end servers. This module shows you how to define dynamic Security
Groups (based on VM name and based on Logical Switch) and then how to use
them in DFW policy configuration.

Module 4: Using advanced Palo Alto Networks security policy to protect
application tiers (45 Minutes)

In this module, the Palo Alto Networks VM-Series firewalls are configured with
advanced vulnerability protection to prevent code injection (SQL injection) and
brute-force attacks. Using the virtual firewalls, the student will create a security
profile, attach it to the security policy, then simulate some attacks and afterward
verify that those attacks were blocked by the VM-Series firewall.

Lab Captains: Warby Warburton/ Francis Guillier


Key Concepts and Terms


Some Components and Concepts of VMware and Palo Alto Networks
Before jumping into the modules it will be helpful to learn more about some of the key
components, concepts and terms that you will be working with. Here are overviews and
descriptions of important components.

VMware NSX

VMware NSX is the leading network virtualization platform that delivers the operational
model of a virtual machine for the network. Just as server virtualization provides flexible
control of virtual machines running on a pool of server hardware, network virtualization
with NSX provides a centralized API to provision and configure many isolated logical
networks that run on a single physical network.

Logical networks decouple virtual machine connectivity and network services from the
physical network, giving cloud providers and enterprises the flexibility to place or
migrate virtual machines anywhere in the data center while still supporting layer-2 /
layer-3 connectivity and layer 4-7 network services.

VMware NSX Service Composer

VMware NSX Service Composer is a framework containing two major constructs: Security
Groups and Security Policy.

A Security Group (SG) is a container that can include any vCenter objects, such as VMs,
clusters, logical switches, vApps, DVSs and port groups.

When defining a Security Group, a user can select between dynamic inclusion, static
inclusion and static exclusion. Dynamic inclusion provides the capability to
automatically include objects based on the VM name or Security Tag.

A Security Policy (SP) defines the network and security policy to be applied for a
particular Security Group (SG). For instance, a Security Policy can be created to define
traffic redirection to the Palo Alto Networks VM-Series firewall for all types of traffic (i.e.
all TCP or UDP ports) from a user-defined SG to a specific SG. To make this Security
Policy operational, the next and last step is to attach the Security Policy to a Security
Group or to a set of Security Groups.

VMware NSX Distributed Firewall (DFW)

VMware NSX DFW is a distributed L2-L4 firewall component provided within the NSX
solution. It provides stateful firewalling capability down to each vNIC of a VM and
operates at the hypervisor kernel layer, delivering near line-rate performance. Global
management of DFW is performed through the vCenter UI under the NSX Home tab.
Security Policy rules can be written using vCenter objects like VM, cluster, DVS port
group, logical switch and so on. NSX DFW fully supports vMotion, and current active
connections remain intact during the workload mobility event.

NSX DFW is a key component of micro-segmentation.


Decoupled Logical Networks

Decoupled logical networks consist of a physical network and a virtual network. Within
each you will find a number of networks, sub-networks, servers and systems. In our case
here we are viewing one physical network made up of 3 subnets that is decoupled by
VMware NSX from 2 virtual networks.


Palo Alto Networks VM-1000-HV

This VM-Series NSX edition firewall is jointly developed by Palo Alto Networks and
VMware. This solution uses the NetX API to integrate the Palo Alto Networks next-
generation firewalls and Panorama with VMware ESXi servers to provide comprehensive
visibility and safe application enablement of all datacenter traffic including intra-host
virtual machine communications.

The VM-1000-HV is deployed as a network introspection service with VMware NSX and
Panorama. This deployment is ideal for east-west traffic inspection, and it also can
secure north-south traffic.


Panorama by Palo Alto Networks

Your Palo Alto Networks Panorama enables you to manage your distributed network of
physical and/or virtual Palo Alto Networks firewalls from a centralized location while
providing the ability to: View the traffic of each deployed firewall; manage all aspects for
device configuration; push global policies; and generate reports on traffic patterns or
security incidents, all from one central location.

Panorama is available as either a dedicated management appliance or as a virtual
machine.


The Palo Alto Networks Operating System (PAN-OS)

PAN-OS is the operating system of the Palo Alto Networks next-generation firewall,
managing its hardware and software resources. In addition, PAN-OS provides a long list
of functions, features, and services to ensure a safe and secure environment. PAN-OS is
the same OS used throughout all Palo Alto Networks firewalls.

Dynamic Address Groups

Dynamic Address Groups provide the ability to maintain awareness of changes in the
virtual machines and applications, and ensure that security policy stays in step with
changes in the network. This awareness provides visibility and protection of
applications in an agile environment. This is made possible because Dynamic Address
Groups are used as a source or destination object within security policies. Additionally,
because IP addresses are constantly changing in a datacenter environment, Dynamic
Address Groups offer a way to automate the process of referencing source and/or
destination addresses within security policies. Unlike static address objects, which must
be manually updated in the configuration and committed whenever there is an address
change (addition, deletion, or move), Dynamic Address Groups automatically adapt to
these changes.


Lab Components and Topologies


Lab Components
VMware NSX Manager 6.1.4, vCenter and ESXi vSphere 6.0.
Palo Alto Networks VM-1000-HV, PAN-OS 7.0.1 and Panorama 7.0.1
Specific server pre-configurations. See individual module for details.

At times you will need to enter commands, usernames, and passwords using Command
Line Interface (CLI) commands. Therefore, a text file named README.txt has been
placed on the desktop of the environment so that you can easily reference these
commands; this allows you to copy and paste complex commands or passwords into the
associated utilities (CMD, PuTTY, console, etc.) as necessary.

This README.txt file is divided into Module Sections and numbered. The manual will
have a number associated with every CLI command. That command will be numbered in
the README.txt file for you to copy and paste.

Certain characters are often not present on keyboards throughout the world. This
README.txt file therefore also includes those characters, for use with keyboard layouts
that do not provide them.

Thank you and enjoy the labs!


Lab Topologies
The following diagrams illustrate physical and logical topologies implemented for this
Lab:

Physical Topology

Two ESXi clusters will be deployed: Cluster site A and Mgmt Cluster.

Cluster site A is a compute cluster where workloads will be instantiated and connected
to a logical switch. VMs from HR and Legal organizations will be deployed there.

Mgmt Cluster is a management cluster where control plane components of NSX will be
instantiated. NSX controller is typically hosted there (NSX controller controls VXLAN
operations on compute clusters).

Logical Topology for HR Organization

Three VMs from HR organization (two web servers and one DB server) are instantiated
and connected to the same logical switch (VXLAN).

Traffic protection is enforced as follows:


-Inter-tier traffic (web server to DB server) is protected by the Palo Alto Networks VM-
series firewall which provides advanced security capabilities with its single pass
architecture in the form of App-ID, Content-ID, and User-ID.

-Intra-tier traffic (web server to web server) is protected by NSX DFW which provides
near line rate performance for L2-L4 security functions.


Logical Topology for Legal Organization

Three VMs from the HR organization (two web servers and one DB server) are
instantiated and connected to the same logical switch (VXLAN).

Traffic protection is enforced as follows:

-Inter-tier traffic (web server to DB server) is protected by the Palo Alto Networks VM-
series firewall which provides advanced security capabilities with its single pass
architecture in the form of App-ID, Content-ID, and User-ID.

-Intra-tier traffic (web server to web server) is protected by NSX DFW which provides
near line rate performance for L2-L4 security functions.

Logical Topology for Marketing Organization

Two VMs from the Marketing organization (one web server and one DB server) are
instantiated and connected to the same logical switch (VXLAN).

Traffic protection is enforced as follows:

-Inter-tier traffic (web server to DB server) is protected by the Palo Alto Networks VM-
series firewall which provides advanced security capabilities with its single pass
architecture in the form of App-ID, Content-ID, and User-ID.


-Intra-tier traffic (web server to web server) is protected by NSX DFW which provides
near line rate performance for L2-L4 security functions.


Important Message Before Proceeding With Module 1:


Important Message Before Proceeding


Check to Make Sure the Lab Status State is Set to Ready. If Not, Restart a
New Lab Session. This is only applicable if you have just launched the lab itself.

Conduct a Lab Status Check - If Applicable

The following is not applicable for current sessions. If you are simply transitioning
from the previous section to the next module you may proceed as normal to the next
screen. However, if you just launched this lab seconds ago, follow these Lab Status
Check instructions.

Before getting started, conduct a quick lab status check to make sure the "Lab Status"
state is set to "Ready" mode. If the lab status state is set to a mode other than
"Ready", end this lab and restart a new lab session.

Continuing this lab while in a Lab Status State of anything other than "Ready" may
result in a poor lab experience due to latency, unexpected errors, and lost work.


Module 1: Palo Alto Networks VM-Series and VMware NSX dynamic security policy configuration (30 Min)


Module 1 Overview: Palo Alto Networks VM-Series and VMware NSX dynamic security policy configuration (30 minutes)
During this first lab you will focus on how to create dynamic security policies on the Palo
Alto Networks VM-1000-HV based on context from VMware NSX. Specific tasks will
include:

Introducing you to Palo Alto Networks Next Generation Firewall policy management
Overview of VMware NSX and VM-1000-HV integration
Understanding Dynamic Address Groups
Creating dynamic security policies based on Dynamic Address Groups

To successfully complete this module you will need to identify and correct misconfigured
settings within your policies, tags, and/or grouping.

Module Objectives and Development Notes

Provide a short overview of the Palo Alto Networks and VMware NSX integration, and
dynamic security policies in a software-defined datacenter. Compared to Module 2, this
module focuses on the security policies rather than the back-end configuration of VMware
NSX and the registration and installation of the Palo Alto Networks VM-Series firewall.


Environment Setup
vCenter Login: Make sure the environment and all its systems, are up and running by
checking within vCenter. To do so launch and login to vCenter.

vSphere Web Client to access vCenter

Launch a browser and click on the vSphere Web Client bookmark. Then to log in to
vCenter, simply check the highlighted box and click Login. You will not need to enter
any credential values in either the User name or Password field.


vSphere Web Client to access vCenter

When logged into the vSphere web client, to view your datacenter 1) click on the Home
tab and then select 2) Hosts and Clusters.

vCenter View

1) Expand the vcsa-01a.corp.local > Datacenter Site A > Cluster Site A tree view
on the left side of your screen so that you can see a listing of all of your running virtual
systems running within this Datacenter Site A.

Each of the highlighted systems above should have an illuminated green arrow
indicating the specified system is up and running. At this time take a moment to click
on some of these virtual systems to make sure they are indeed up and running.

2) In addition, check the Summary tab for a few of them to see the information available
such as CPU information, memory allocation, disk space, etc., for these VMs. In the
example here, the Summary tab information of the hr-web-02 web server is
displayed.

Please Note: It is likely your Tree view listing is slightly different than what you see here.
If so, that is ok. The other VMs you are seeing will be used later during the last labs
found in modules 3 and 4. At this time we are just checking to make sure all of the
virtual systems are up and running as reflected by the green arrow preceding the name
of each VM. Once that is done please continue ignoring the other VMs listed.


Examining the NSX Security Groups within NSX Manager
View the existing Security Groups by navigating to Networking & Security.

Networking & Security

1) Go back to the "Home" page and then 2) click on "Networking & Security" from either
the left menu tree panel, or from the "Inventories" section of the Home tab.


Security Groups

1) From the left tree panel click on "Service Composer" and then select "Security
Groups" tab in the center.

Notice the two Security Groups for the HR team servers: the HR-DB-Servers Security
Group for the database servers and the HR-Web-Servers Security Group for the web
servers. This confirms the Security Groups exist. At this time minimize your browser
page and proceed to the next step.


Examine your Dynamic Address Groups


It's now time to introduce you to Panorama by Palo Alto Networks. As previously
mentioned, Panorama provides centralized management for all of your physical and/or
virtual Palo Alto Networks firewalls. Panorama itself is available as either a dedicated
management appliance or as a virtual machine.

Now login to Panorama to take a look at the Dynamic Address Groups. To do so, go to
your desktop to find and launch the Panorama desktop icon. Or you may open a new
browser page within your current Chrome browser and click on the Panorama bookmark.

Panorama Login

After launching the "Panorama" desktop icon, your browser will display the Panorama
login screen. The credentials to login are:

Username = admin

Password = VMware1!


Panorama Dashboard > Objects Tab

Once logged into Panorama you'll be taken to the "Dashboard" view. Among your menu
tabs at the top you'll have an "Objects" tab. Click on this tab to view your Address
Groups.

Address Groups

Select "Address Groups" from the left tree panel and then click on "HR-Web-Servers"
from under the Name column. After doing so you will launch the settings display box.


Address Group Settings

Notice the NSX Security Group name is listed as "HR-Web-Servers-securitygroup-11"
within your "Match" value display. Panorama learned this NSX Security Group
information automatically from the NSX Manager.

Now that we've verified the Address Group settings, click "Cancel" to exit without
making any changes.


Examine the Security Policies


Security policies play a crucial role on firewalls. As you know, these security policies
state what can and cannot traverse the firewall. Applications like ping, SSH, FTP, etc.,
(among many others), going to and from various zones, while running on various ports,
can be permitted or denied. Take a look at what security policies are in place here
within our environment.

Policies Tab > Security Pre Rules

While still logged into Panorama, examine the security policy. To do so click on the 1)
Policies tab. Then 2) make sure you're viewing the Pre-Rules of your Security policies
from the left tree panel. Then looking to the right under the "Name" column notice you
have three rules. Verify you have a policy rule for your HR web-server to HR database
server traffic. This rule is called "HR Web to DB". Familiarize yourself with this rule by
looking at the field headers for each of the configurations. Notice your Source and
Destination Address settings and that this policy allows mysql traffic between the two.

Let's now do some testing of these rules by generating some traffic. Without making
any changes here move on to the next step.


Generate Traffic from your Web Server to the Database
At this time you are ready to do some testing. Do so by generating certain types of
traffic from the Web server to the Database server.

Since you've just checked the security policies, you already know the types of traffic
that will be allowed, or denied, between these two servers. Now generate some traffic
to test that everything works as expected. If so, great! If not, you will need to
troubleshoot to find out why the tests failed, and once you know the reason, implement
the solution to resolve it.


Generating Traffic from hr-web-01

To generate some traffic let's begin by logging into the web server using "putty.exe".
You'll notice you already have a desktop icon and so simply click on the "hr-web-01"
desktop icon.

You will be logged in automatically as the username and password have been entered
and saved for you. In the event you need to manually enter the username and
password to login, please see the README.txt file on the desktop for the credentials.


Generate Traffic - ping Test.

Now that you are logged into the HR webserver attempt to ping the HR database using
the "ping -c 5 hr-db-01" command.

Notice the ping to the HR database server is successful. Now check the VM-Series
traffic logs to confirm the traffic was steered to the firewall. To check these traffic logs
go back into Panorama by clicking on your Panorama browser tab again.

Checking the Logs within Panorama

Access your browser tab again and click on the Panorama tab. If prompted for
credentials use "admin" and "VMware1!" for the username and password.


Monitoring the Logs

1) From within Panorama click on the "Monitor" tab followed by the 2) "Traffic" tab under
"Logs". 3) Next adjust your log filter to "Last 15 Minutes" by using the circled
drop-down arrow. This filters out any logs older than the previous 15 minutes.

Notice the logs are empty even though traffic was successfully generated during the
PING test. This indicates the traffic was not steered to, and through, the VM-Series
firewall. You will need to troubleshoot to find out why and then implement the
resolution.


Troubleshoot Traffic Steering Problem


You need to determine what is preventing the VM-Series firewall from seeing the traffic
generated during the PING test. Start by checking the Dynamic Address Groups for both
the HR web server and the HR database server.

Dynamic Address Groups as Listed and Configured within Panorama

1) From within Panorama click on the Objects tab. 2) Then make sure the left tree panel
selection is "Address Groups". Note there are currently two Dynamic Address Groups
listed. Check the HR-Web-Servers group first. Specifically, check the IP addresses of the
"HR-Web-Servers" Dynamic Address Group (DAG). 3) To see these IP addresses you will
need to click on "more" under the Addresses column.


Address Group for the HR-Web-Servers

Notice there are two registered IPv4 addresses. Note these IP addresses then click
"Close".

Now do the same for the HR-DB-Servers Dynamic Address Group (DAG).

As before click on "more" under the Addresses column but this time doing so for the
"HR-DB-Servers" group.


Address Group for the HR-DB-Servers

Notice there are no addresses listed. In fact it's all blank. This is a problem in need of
resolution, but first you must do more troubleshooting to see what else you may need to
resolve. To proceed, click "Close" without making any changes here.


NSX Manager - Security Groups

To continue troubleshooting move over to the NSX Manager to check the Security
Groups listed there. To do so go back to the vSphere Client.

1) Click on the vSphere Web Client tab of your browser. Making sure you're still within
"Networking & Security", 2) Click on Service Composer and 3) select the Security
Groups tab in the middle.

At this time notice the Virtual Machines column on the right. Note there is a value of 1
in that column for the HR-Web-Servers group. 4) Now take a look at that value by
clicking on the high-lighted 1.


Virtual Machine Memberships - "HR-Web-Servers".

At this point you may need to wait approximately 45 seconds before anything
populates. What you are looking for is under the "Virtual Machines" tab. You should see
the HR web server "hr-web-01" listed as a member of the Security Group. After
confirming the presence of the VM, close by clicking on the X in the upper right corner
of the display box. Then take a look at the HR-DB-Servers Security Group by attempting
to do the same.

Virtual Machine Memberships - "HR-DB-Servers".

This time select the HR-DB-Servers Security Group. Notice the virtual machine
membership for this Security Group is zero. In fact, if you click on the blue (0) zero, a
display box won't even open for you. This indicates a problem within the NSX
Security Group configuration that needs to be resolved. For now, though, continue
investigating.


Checking NSX Security Group Membership

1) Select the HR-DB-Servers Security Group.

2) Click on the "edit" icon.

Define Dynamic Membership

Click on "Define dynamic membership" and notice the criteria is set to "Security Tag
Equals to HR-DB-Server". This is correct, so do not make any changes. Instead just
click Cancel to exit and continue to troubleshoot.


Checking Settings and Configurations Continued

To continue checking configurations and settings go to the Home tab and then click on
Hosts and Clusters.


Security Tag Assignments

From the far left tree panel, expand the datacenter view by clicking on the expand arrow
to list the VMs of the Data Center.

Check the settings for the hr-db-01 server by selecting it. Note on the right side of the
screen under "Security Tags", the wrong Security Tag has been applied. This is the
Security Tag for the Legal-DB-Server when it should be for the HR-DB-Server. This is
what you must correct. To do so click "Manage". (Repositioning of the Security Tags
widget may be necessary).


Security Tag Assignments

To fix the problem, un-check the Legal-DB-Server check box, then check the
HR-DB-Server check box and click OK.


Security Tag Assignments

Notice your Security Tag value has changed and is now specifying your HR-DB-Server
which is what it should say at this time. Now go back and view the NSX Security Group
identification and settings.


Networking & Security

Continue by verifying the NSX Security Group Membership. To do so, view the Security
Group settings by clicking on Home and then Networking & Security.

Security Group Settings

1) Click on Service Composer and then 2) click on the Security Groups tab and note the
number of "Virtual Machines" that are listed which is now 1.

The Security Groups now include a virtual machine for both the HR-DB-Servers and the
HR-Web-Servers group as opposed to before when there was only a virtual machine for
the HR-Web-Servers security group.

To view the server for this virtual machine, click on the high-lighted number 1 for HR-DB-
Servers.


Virtual Machine Memberships

Again you may need to wait approximately 45 seconds for this display box to populate.
After it does populate you should see the hr-db-01 server listed as a member of the
Security Group "HR-DB-Servers". After confirming the presence of the newly added VM,
close by clicking on the X in the upper right corner of the display box.

Confirming Registration in Panorama

Go back to Panorama via the Panorama browser tab. When back in Panorama, click the
Objects tab and then click on "more" under Addresses for the HR-DB-Servers group.


Successful IPv4 Address Registration Confirmed

Notice the two registered IPv4 addresses for this Dynamic Address Group (DAG).
Success! Go ahead and click Close and then proceed on to the re-testing phase.


Generating Traffic Re-Test

Once again generate traffic from the HR web server to the HR database server. To do so
go back to the putty.exe utility for "hr-web-01". From the hr-web-01 web server initiate
a ping to the hr-db-01 database server using the "ping -c 5 hr-db-01" command.

The output should indicate another successful ping. Now proceed back into Panorama
to check the logs.


Panorama Logs

After the successful ping you should expect to see that the traffic did indeed go through
the VM-Series Firewall. Check the log file by 1) clicking on the "Monitor" tab and 2)
selecting "Traffic" from the Logs tree menu on the left. 3) Do a Manual refresh of the
logs.

Notice the ping activity was logged as expected. This verifies you correctly resolved the
problem and that the groups, policies, and traffic steering rules are all working properly.
Great job! Now move on to the next portion of this lab.


Prepare to Generate Database Traffic With Logging

Logs are an effective tool not only for reporting, but also for tracking what is taking
place on the network. Based on what you see, you can adjust your configuration to keep
the network safe and secure. Logs are also useful for troubleshooting, which is what you
will continue to do next. So, in preparation for the next set of tests, do some minor
maintenance on the logs. This will ensure the logs you are seeing are both current and
accurate.

Checking Traffic Logs

1) Notice the logs within the last 15 minutes of which there should be very few. Most
likely there will be only two log entries such as is displayed here. Of the logs listed
there should only be entries for the ping test that was run successfully.

Remember, you can always change the filter and you can always do a manual refresh.
Here the filter is set to the minimum setting of "Last 15 Minutes" and so set yours to
the same if not already done so and then do a "Manual refresh".

Now continue to generate more log traffic but this time generate some database table
calls. To do so proceed to the next step.


Generate Database Table Calls

For this step generate more traffic through the firewall using a database table call. To do
so run a mysql command from one of the Web servers to the database.

Database Query

For this step use the README.txt file located on the desktop. Open this file and under
Module 1, look for the high-lighted command circled in red above. Copy this command
to the clipboard from within the README.txt.

The command to enter is:

mysqlshow --user=root --password=VMware1! --host=hr-db-01 employees employees


Database Query from "hr-web-01"

Using putty go back into the hr-web-01 server and run the command as found within the
README.txt file. To do so simply "paste" the command you copied from within the
README.txt file into your SSH session at the CLI prompt by "right clicking" to paste the
command at the prompt.

Within the output notice the table call was successful. Is this what you expected? Why?

If you said yes, and that the reason is that the policy is set to allow MySQL traffic, you
are correct! In fact you can even see this traffic was logged within the VM-Series
firewall, as shown in the next step.


Panorama Logs

Ensure the VM-Series firewall logged the generated traffic. To do so go back into
Panorama and click on the 1) Monitor tab and select 2) Traffic logs and then do a 3)
manual refresh of your log.

Notice the two entries identifying, and allowing, the mysql application.

Before moving further ahead take a moment to pause to learn about Application
Identification and the ability of the VM-Series firewall to allow or deny various types of
traffic between the VMs within the datacenter based upon application type.


App-ID by Palo Alto Networks


What is App-ID?

App-ID is a patented traffic classification system developed by Palo Alto Networks. App-
ID provides the ability to determine what application is traversing through the VM-Series
firewall irrespective of the port, protocol, encryption (SSH or SSL) or any other evasive
tactic that may be used by a suspect application.

How does App-ID work?

App-ID applies multiple classification mechanisms, application signatures, application
protocol decoding, and heuristics to your network traffic stream to accurately identify
applications. All traffic is then matched against policy to check whether this type of
traffic is allowed or not on the network or between your VMs. Signatures are then
applied to the allowed traffic identifying the application based on its unique application
properties and its related transaction characteristics. These signatures also determine if
the application is being used on its default port or is using a non-standard port. If the
traffic is allowed by policy, the traffic is then scanned for threats and further analyzed
for identifying the application in more detail.

What if the traffic is encrypted?

App-ID has the ability to identify encrypted traffic determining the type of encryption
(SSL or SSH) in use. If a decryption policy is in place the session is decrypted and the
application signatures are applied again on the decrypted flow. Decoders for known
protocols are then used to apply additional context-based signatures to detect other
applications that may be tunneling inside of the protocol (e.g., Yahoo! Instant Messenger
used across HTTP). Afterwards decoders validate that the traffic conforms to the
protocol specification and provide support for NAT traversal and opening dynamic
pinholes for applications such as SIP and FTP.

Now that you know more about App-ID see how it works in action within the last
remaining steps of this lab.


App-ID for SSH


Within this step you'll see how, and why, ssh is blocked between the two VMs
(hr-web-01 and hr-db-01).

Policies within Panorama

Go back to your browser and select the Panorama tab. If necessary, login into
Panorama.

1) Once logged into Panorama review the current policy settings by clicking on the
Policies tab.

2) From within the left tree panel view, make sure you are looking at the "Pre Rules" of
the Security policy.

3) Note the three policy rules which only allow the ping and mysql applications while
denying everything else.


Test App-ID

To test App-ID try to ssh between the two VM servers.

Try doing so from the hr-web-01 server and so use the putty desktop icon to access this
server.

Using the "ssh ubuntu@hr-db-01" command, attempt to ssh into the hr-db-01 server.

After 30 seconds, during which the ssh attempt will fail, break out of the command with
Ctrl-C.

Then move on to check the logs within Panorama to see what was captured.

Examine Traffic Logs

1) Go to the Monitor tab and then select the 2) Traffic log. After doing so do a 3) manual
refresh of the Traffic log. Then notice, as expected, the denied SSH on port 22 attempts
that were blocked. This demonstrates successful inter-tier VM protection at the
application layer.
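As an added example (not part of the lab guide), the log checks performed by hand above can be automated: an empty result for the hr-web-01 to hr-db-01 pair is the "traffic not steered" symptom troubleshooted earlier in Module 1, and the per-application expectations (ping and mysql allowed, ssh denied) are the three Pre-Rules just reviewed. The log format and the two IP addresses are constructed for this example and are not the real PAN-OS export schema.

```python
import csv
import io

# Constructed sample in a simplified, comma-separated form (NOT the real PAN-OS
# traffic-log export schema): receive_time,src,dst,app,dport,rule,action
SAMPLE_LOG = """\
receive_time,src,dst,app,dport,rule,action
2015/10/12 10:01:05,10.0.1.11,10.0.2.11,ping,0,HR Web to DB,allow
2015/10/12 10:01:06,10.0.1.11,10.0.2.11,ping,0,HR Web to DB,allow
2015/10/12 10:04:20,10.0.1.11,10.0.2.11,mysql,3306,HR Web to DB,allow
2015/10/12 10:04:21,10.0.1.11,10.0.2.11,mysql,3306,HR Web to DB,allow
2015/10/12 10:09:02,10.0.1.11,10.0.2.11,ssh,22,Deny All,deny
"""

HR_WEB = "10.0.1.11"  # hr-web-01 (constructed address for this example)
HR_DB = "10.0.2.11"   # hr-db-01  (constructed address for this example)

# What the three Pre-Rules should produce for hr-web-01 -> hr-db-01 traffic
EXPECTED = {"ping": "allow", "mysql": "allow", "ssh": "deny"}


def parse_traffic_log(text):
    """Parse the simplified export into a list of dicts, one per session."""
    return list(csv.DictReader(io.StringIO(text)))


def steered(entries, src, dst):
    """True if the VM-Series logged any session for this src/dst pair.

    A successful ping with no log entry at all is the steering problem the
    lab walks through (wrong Security Tag -> empty Security Group -> empty DAG).
    """
    return any(e["src"] == src and e["dst"] == dst for e in entries)


def verify_policy(entries, src, dst, expected=EXPECTED):
    """Map each expected application to 'ok', 'missing' or 'unexpected:<actions>'."""
    results = {}
    for app, want in expected.items():
        actions = {e["action"] for e in entries
                   if e["src"] == src and e["dst"] == dst and e["app"] == app}
        if not actions:
            results[app] = "missing"
        elif actions == {want}:
            results[app] = "ok"
        else:
            results[app] = "unexpected:" + ",".join(sorted(actions))
    return results


def diagnose(entries, src, dst):
    """Turn the log check into the same troubleshooting hint the lab gives."""
    if not steered(entries, src, dst):
        return ("no sessions logged for this pair: traffic is not being steered "
                "through the VM-Series; check the VM's Security Tag, then the NSX "
                "Security Group membership, then the DAG registration in Panorama")
    bad = {app: r for app, r in verify_policy(entries, src, dst).items()
           if r != "ok"}
    return "policy verified" if not bad else "policy mismatch: " + repr(bad)


if __name__ == "__main__":
    log = parse_traffic_log(SAMPLE_LOG)
    print(diagnose(log, HR_WEB, HR_DB))   # policy verified
    print(diagnose([], HR_WEB, HR_DB))    # the empty-log case from the ping test
```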


Module 1 Lab 1 - Conclusion


During this lab it was demonstrated how to protect inter-tier application traffic, also
referred to as east-west traffic. To do so you used the VM-Series firewall and the
Panorama management station to integrate Palo Alto Networks security with VMware
NSX. This stateful synchronization is possible through the Palo Alto Networks
VM-1000-HV's ability to maintain constant awareness of the changes made within the
datacenter as virtual machines, their applications AND their dynamic IP addresses are
continually added, moved, and deleted. But that's only half of the story. The other half
is the VMware NSX Manager, which enables the synchronization between the Palo Alto
Networks Dynamic Address Groups and the VMware NSX Manager's Security Groups,
providing full datacenter awareness and datacenter protection like no other, because it
all takes place automatically. In fact, during the next module we walk you through a lab
where you'll see just how automatic everything is and how easily everything integrates
to ensure an ever-aware and secure datacenter.

Free VM-Series Firewall Raffle: To say thank you for sitting through our lab exercises,
we'd like to invite you to participate in our daily raffle, where we will be giving away one
Palo Alto Networks VM-100 series firewall for free. This daily raffle will be available
during VMworld 2015 Europe beginning Monday, 12 October through Thursday, 15
October. To enter this daily drawing, fill out an entry form here (Palo Alto Networks
VM-Series Firewall Raffle) with your complete contact information. All winners will be
contacted via email following the VMworld 2015 Europe event.


Important Message Before Proceeding with Module 2


Important Message Before Proceeding


Check to Make Sure the Lab Status State is Set to Ready. If Not, Restart a
New Lab Session. This is only applicable if you have just launched the lab
itself.

Conduct a Lab Status Check - If Applicable

The following is not applicable for current sessions. If you are simply transitioning
from the previous section to the next module you may proceed as normal to the next
screen. However, if you just launched this lab seconds ago, follow these Lab Status
Check instructions.

Before getting started, conduct a quick lab status check to make sure the "Lab Status"
state is set to "Ready" mode. If the lab status state is set to a mode other than
"Ready", end this lab and restart a new lab session.

Continuing this lab while in a Lab Status State of anything other than "Ready" may
result in a poor lab experience due to latency, unexpected errors, and lost work.


Module 2: Deploying Palo Alto Networks VM-Series with VMware NSX to protect a
multi-tier application (45 Min)


Securing the Data Center with the Palo Alto Networks VM-Series Firewall

VMware NSX DFW and Palo Alto Networks VM-Series are extremely complementary to
one another in that both are designed to protect Virtual Data Center East-West traffic.

DFW provides in-kernel, stateful, port-based inspection, while VM-Series provides
next-generation firewall functionality, which includes advanced threat prevention
capabilities such as IPS, anti-virus, anti-malware, data/file filtering, and DoS protection
services, to name a few.

Within a data center a typical application structure is composed of multiple tiers. In a
3-tier application, VMs are partitioned across WEB, APP, and DB tiers. Each tier can be
instantiated by a logical switch (VXLAN) or by a DVS port-group (VLAN). This L2
broadcast domain is connected to a DLR (Distributed Logical Router) to enable inter-tier
communications (the IP address of the DLR logical interface becomes the default GW for
guest VMs).

DFW and VM-Series co-exist extremely well with both devices performing
complementary roles to one another. To properly design the security services
architecture in a virtual data center environment, follow these recommendations:

Use DFW to protect intra-tier traffic
Use VM-Series to protect inter-tier traffic
Optionally, the VM-Series may also be used to secure and protect the traffic coming
from the outside that is destined for the front-end web tier (in the event your
perimeter firewall is unable to provide all of the advanced security features required
by your security team).

Complementary use of DFW and VM-Series for Intra-Tier and Inter-Tier Traffic Protection

The diagram above shows the repartition of roles between the two components. Notice
the traffic between the WEB servers is protected by DFW (with the same behavior for
traffic between the APP servers as well for traffic between the DB servers).

With DFW, access control based on L2/L3 services and L2/L3 addresses is sufficient to
prevent any lateral movement, or attack, from hackers. For instance, L2 rules may
control the ARP protocol while L3 rules can control the communications on specific TCP/
UDP ports.


Also notice the traffic from the WEB server to the APP server (as well as traffic from the
APP server to the DB server) is also protected by the VM-Series firewall. This Inter-Tier
traffic also contains critical data that must be deeply analyzed (up to layer 7) to prevent
any threats or the propagation of malware across the different systems. This is how the
VM-Series firewall reduces the attack surface by safely enabling only the applications
that are allowed between the tiers while blocking everything else.

VM-Series sits off the data path. This significantly reduces the need to design a complex
virtual network topology as no change is required when inserting security services for
VM to VM communications. In order to leverage VM-Series, workload traffic must be
redirected to the virtual appliance. NSX provides a successful, granular, method for
specifying the traffic that must be redirected to the VM-Series.

A traffic redirection rule is based on Source/Destination/Service attributes (the Source
and Destination fields can use any vCenter object such as VM name, Cluster, Resource
Pool, or Security Group; the Service field can use any TCP/UDP port). In consequence, it
is very easy to define traffic from a specific Source VM to a specific Destination VM (with
destination TCP port 443 for instance) while making sure that traffic is redirected to the
VM-Series firewall for inspection. In the same way, it is just as easy to specify traffic
from a group of WEB VMs to a group of APP VMs (with the same destination TCP port)
while making sure that traffic is also redirected to the VM-Series.


Module Overview

Within this in-depth module, VMware NSX and the Palo Alto Networks VM-Series platform
are configured to secure a multi-tier application with web front-end servers and
database back-end servers. Throughout the module we will show how to define
dynamic security policies on the VM-1000-HV virtual firewalls based on context from
VMware NSX. Take a look at the learning objectives, which focus on how to deploy the
Palo Alto Networks VM-Series platform, as you walk through each lesson. These lessons
will enable you to gain an understanding of, as well as perform, the following:

Understanding Palo Alto Networks next-generation security technologies
Security considerations for a multi-tier application deployment
Create NSX Security Groups and configure traffic steering
Create Dynamic Address Groups
Creating security policies for MySQL using Dynamic Address Groups
Review NSX Security Group and DAG membership, generate traffic and check logs


Module Objectives and Development Notes

This is an in-depth module focusing on how to deploy Palo Alto Networks VM-Series
while walking through each step from registration to security policy configuration. Steps
related to VMware NSX traffic steering are not included, i.e. the student is assumed to
have a basic understanding of VMware NSX. For this module the following servers will be
used:

Management:

Panorama
vCenter
NSX Manager
ESXi 1,2

Application Servers:

Two Webservers
One Database

Pre-configuration is required for the NSX Manager, vCenter, Panorama, hosts, and
application servers


Review Security Tags for Legal Servers


Begin by ensuring the security tags for the servers of the Legal department are in order:

vSphere Web Client

Using the Google Chrome browser desktop icon, launch Chrome and select the
bookmark titled, "Site A Web Client" within the favorites bar. After being directed to the
VMware vCenter Single Sign-on page, check the "Use Windows session authentication"
option and click "Login".


Hosts and Clusters

Once logged in, and from the 2) Home screen, click on 3) Hosts and Clusters.


Assigned Security Tags

1) Within the Tree panel view at the left notice the listing of all the connected servers.
In this case you want to review both of the legal servers to ensure they're properly
registered and assigned to the appropriate Security Tag.

Start with the Legal Web server, "legal-web-01" first by clicking on "legal-web-01". Take
note that this server is correctly assigned with the 2) "Legal-Web-Server" Security Tag.

Next check the Security Tag status of the other Legal server.


Assigned Security Tags

1) Now check the Legal Database server by selecting "legal-db-01".

2) Notice that this server is assigned to the appropriate Security Tag dubbed, "Legal-DB-
Server".

Now that you know both of the Legal Dept. servers have Security Tag assignments,
move on to the next step.

Note: Within this module you will only be using these two Legal Team servers: legal-
web-01 and legal-db-01.


Create NSX Security Groups and Configure Traffic Steering

During this stage you need to create and define the additional NSX Security Groups that
you will be using. These will include the Web-Servers and Database Servers of the Legal
Department. Therefore, simply call these Security Groups "Legal-Web-Servers" and
"Legal-DB-Servers". After these two new Security Groups are created, create a traffic
steering policy for all of the Web server to Database server traffic.

Creating NSX Security Groups

Go back to your browser and click on the vSphere Web Client tab. If necessary login
again using the Single-Sign-On Authentication.

Once logged in, and from the Home page of the vSphere Web Client, click 1) Home and
2) Networking & Security.


Creating NSX Security Groups

From within Networking & Security:

1) Select Service Composer.

2) Click the Security Groups tab in the center. Notice there are Security Groups for the
HR Teams but none for the Legal Teams. Therefore, create additional NSX Security
Groups for the Legal Teams.

3) To do so click the "Add" icon which is circled and labeled as sub-step 3.

Creating NSX Security Groups

Name the new security group, "Legal-Web-Servers".


Creating NSX Security Groups

1) Next click on Define dynamic membership in order to set the values for this Security
Group. NOTE: If after clicking on "Define dynamic membership" from within the left tree
panel, you do not see the options listed as reflected within the screenshot, click on the
green plus sign that is circled in blue.

2) Define the dynamic membership as a Security Tag. To do so click on the drop down
arrow next to "Security Tag" and select Security Tag.


Creating NSX Security Groups

1) Define the value by selecting "Equals to".

2) Then populate by entering the designated name of "Legal-Web-Server" and 3) click
Finish.


Creating NSX Security Groups

At this stage you'll see the Security Group is being created.


NSX Security Groups Created

Once created you will see the "Legal-Web-Servers" Security Group listed.

1) Expand to check the Virtual Machine name this Security Group is applied to by
clicking on the high-lighted number 1 under the "Virtual Machines" column. Notice the
proper name of "legal-web-01" has been applied.

Great job in creating your "Legal-Web-Servers" NSX Security Group! To close this display
box click on the "X" located in the upper right corner of the display box.

2) Proceed by doing the same for the Legal-DB-Servers NSX Group by clicking on the
"New Security Group" icon circled in blue.


Creating NSX Security Groups

1) As before name the new NSX Security Group. Name this one "Legal-DB-Servers".

2) Then click on Define dynamic membership.

Creating Security Groups

1) Click on Define dynamic membership in order to set the values for this Security
Group. NOTE: If after clicking on "Define dynamic membership" from within the left tree
panel, you do not see the options listed as reflected, click on the green plus sign that is
circled in blue.

2) Define the dynamic membership as a Security Tag. To do so click on the drop down
arrow next to "Security Tag" and select Security Tag.


Creating NSX Security Groups

Next define the value by selecting "Equals to". Then populate by entering the
designated name of "Legal-DB-Server" and click Finish.


NSX Security Groups Created

Once created you will see the new "Legal-DB-Servers" Security Group listed. Expand to
check the Virtual Machine that is assigned to this Security Group by clicking on the high-
lighted number 1 under the "Virtual Machines" column.

Notice the proper name of "legal-db-01" has been applied.

Great job in creating the "Legal-DB-Servers" NSX Security Group! Continue on to the
next step to begin creating the steering policies. Close the display box by clicking on
the "X" located in the upper right corner.


Create Steering Policy for all Web Server to Database Server Traffic

In this step create policies to steer traffic from the Web servers to the Database servers
through the NSX Manager.

Security Policy for Traffic Steering

Before beginning we wanted to let you know that there are two methods for configuring
traffic steering. We will use one method here in lab 2 and the other method in lab 4.

1) Set the policies via the "Security Policies" tab and so click on that tab now. After
doing so notice that one entry already exists - a policy that is only for HR. Therefore,
create a broader policy that will steer all Webserver to Database traffic. Then limit the
HR traffic versus the Legal traffic from within PAN-OS.

2) Continue by clicking on the "Create Security Policy" icon that is circled in blue and
labeled as sub-step 2.


Security Policy for Traffic Steering

After a brief initialization phase to load the policies, the system will be prepared for you
to create a new one.

1) Name the new security policy "Module2_Legal-Web-to-DB".

2) Next click on "Network Introspection Services" on the left side of the screen.


Security Policy for Traffic Steering

1) From Network Introspection Services:

2) Click on the green plus sign to add a new service.

3) After doing so a display box will appear. Enter the name of the service calling it
"Legal-Web-to-DB".

4) Click on Change in order to specify the Source.


Security Policy for Traffic Steering

A "Select Source" display box will appear which will enable you to:

1) Select the radio button option for "Select Security Groups".

2) Of the options displayed check Legal-Web-Servers.

3) Click OK to complete this configuration.


Security Policy for Traffic Steering

Notice under "Source" it lists "Legal-Web-Servers".

1) Complete this step by clicking OK. (If you don't see the OK button, you can just hit
enter to complete the configuration. Or you may scroll down until the OK button is
viewable).


Security Policy for Traffic Steering

At this time there should be 1 item listed which is the Network Introspection Service just
created for the Source.

1) Repeat the same process for the Destination by creating another item by clicking on
the green plus icon.

Security Policy for Traffic Steering

1) Name the new service "Legal-DB-to-Web".

2) Under Destination click Change to specify. Leave all other settings as they are.

Security Policy for Traffic Steering

1) Select the radio button option for "Select Security Groups".


2) Of the available options displayed select and check Legal-Web-Servers.

3) Click OK to complete this configuration.


Security Policy for Traffic Steering

Notice under Destination that you now have the Legal-Web-Servers specified.

1) Click OK to complete this step. (If you don't see the OK button, you can just hit enter
to complete the configuration. Or you may scroll down until the OK button is viewable).

Security Policy for Traffic Steering

There should now be two Network Introspection Services listed, both of which will
redirect the traffic to the Palo Alto Networks next-generation firewall of the "Palo Alto
Networks profile 1".

1) Proceed by clicking Finish, after which the security policies will be created.

Security Policy for Traffic Steering

You should see the two newly created Security Policies. You must now apply these
policies to their respective Security Groups. In this case that would be the database
servers. To do so, make sure the first rule "Module2_Legal-Web-to-DB" is highlighted as
shown here.

1) Click the "Apply Security Policy" icon (circled in blue) to proceed.

Security Policy for Traffic Steering

1) To apply to the database group, select and check "Legal-DB-Servers".

2) Click OK. You should receive a brief display box as the security policy is applied.

Security Policy for Traffic Steering

At this point you should be able to verify all your actions by seeing the Applied policy for
"Module2_Legal-Web-to-DB" and its two Network Introspect Services. If so, great job!
You just created the Traffic Steering Security Policies. Please proceed to the next lesson
of this module.

Create Dynamic Address Groups (DAG)

Dynamic Address Groups (DAG) and the purpose they serve were covered in Module 1.
Module 2 walks you through the creation of these groups from within Panorama by Palo
Alto Networks. Before getting started, here's a recap on both Dynamic Address Groups
(DAG) and Panorama.

Dynamic Address Groups (DAG) - Provide the ability to maintain awareness of
changes in the virtual machines/applications and ensure that security policy stays in
tandem with the changes in the network. This awareness provides visibility and
protection of applications in an agile environment. This is made possible because
Dynamic Address Groups are used as a source or destination object within security
policies. Additionally, because IP addresses are constantly changing in a datacenter
environment, Dynamic Address Groups offer a way to automate the process of
referencing source and/or destination addresses within security policies. Unlike
static Address Objects, which must be manually updated in the configuration and
committed whenever there is an address change (addition, deletion, or move), Dynamic
Address Groups automatically adapt to these changes.
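The following Python model illustrates the distinction drawn above between a DAG and a static address object. It is an added example, not code from the lab guide or from Palo Alto Networks; the firewall, the tag name and the IP addresses are constructed, and the "running" versus "candidate" split is a simplified model of the commit behaviour the recap describes.

```python
"""Model of Dynamic Address Groups (DAG) versus static address objects.

Added example, not part of the lab guide or any Palo Alto Networks code. A DAG
resolves its members at run time from IP-to-tag registrations (the tags pushed
for NSX Security Groups), so an IP change takes effect without a commit. A static
address object is part of the committed configuration and only changes after
the edited candidate configuration is committed. All names are constructed.
"""
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class StaticAddress:
    name: str
    ips: set  # fixed addresses, part of the committed configuration


@dataclass
class DynamicAddressGroup:
    name: str
    match_tag: str  # match criterion, e.g. an NSX security group tag


@dataclass
class Firewall:
    registrations: dict = field(default_factory=dict)  # IP -> registered tags (run time)
    candidate: dict = field(default_factory=dict)      # objects being edited
    running: dict = field(default_factory=dict)        # committed objects

    def register(self, ip, tag):
        self.registrations.setdefault(ip, set()).add(tag)

    def unregister(self, ip, tag):
        tags = self.registrations.get(ip, set())
        tags.discard(tag)
        if not tags:
            self.registrations.pop(ip, None)

    def edit(self, obj):
        self.candidate[obj.name] = obj

    def commit(self):
        self.running = deepcopy(self.candidate)

    def resolve(self, name):
        """Addresses the data plane currently enforces for a named object."""
        obj = self.running.get(name)
        if obj is None:
            return set()
        if isinstance(obj, StaticAddress):
            return set(obj.ips)
        return {ip for ip, tags in self.registrations.items() if obj.match_tag in tags}


def demo():
    """Move legal-web-01 to a new IP and compare what each object type resolves to."""
    fw = Firewall()
    web_tag = "Legal-Web-Servers-securitygroup-ID"  # constructed; real tags carry an ID suffix
    fw.register("15.0.0.202", web_tag)
    fw.edit(DynamicAddressGroup("Legal-Web-Servers", web_tag))
    fw.edit(StaticAddress("Legal-Web-Static", {"15.0.0.202"}))
    fw.commit()
    before = (fw.resolve("Legal-Web-Servers"), fw.resolve("Legal-Web-Static"))

    # The VM gets a new address: the integration re-registers the tag, no commit happens.
    fw.unregister("15.0.0.202", web_tag)
    fw.register("15.0.0.210", web_tag)
    # The admin edits the static object but has not committed yet.
    fw.edit(StaticAddress("Legal-Web-Static", {"15.0.0.210"}))
    after = (fw.resolve("Legal-Web-Servers"), fw.resolve("Legal-Web-Static"))
    return before, after
```

After the move, the DAG already resolves to the new address while the static object still enforces the old one until the next commit.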

Panorama - Enables you to manage your distributed network of physical and/or virtual
Palo Alto Networks firewalls from a centralized location while providing the ability to:
View the traffic of each deployed firewall; manage all aspects for device configuration;
push global policies; and generate reports on traffic patterns or security incidents all
from one central location. Panorama is available as either a dedicated management
appliance or as a virtual machine.

Back into Panorama

If Panorama is still up and running, access Panorama via the browser bookmark tab. If
Panorama is no longer running, open the Chrome browser and click on the Panorama
bookmark. Or you may launch the Panorama desktop icon to launch and login to
Panorama.

Username = admin

Password = VMware1!

Panorama

The credentials for Panorama are username = "admin" with password = "VMware1!"

Note: The README.txt file on the desktop will contain the credentials for Panorama, as
well as for all of the servers to be used within this module.

Creating Dynamic Address Groups

When logged into Panorama:

1) Click on the Objects tab

2) Go to Address Groups

3) Click on the +Add icon at the bottom of the screen to create your Legal team
Dynamic Address Groups.

Creating Dynamic Address Groups

In this portion of the lab there are six sub-steps to complete and so please follow along
closely. Start by:

1) Naming this Dynamic Address Group, "Legal-Web-Servers". (Note: Be sure to enter
the name as seen here. For the purpose of this lab do not use the space character when
naming the Dynamic Address Group).

2) Designate the "Type" of DAG by hitting the drop down arrow and selecting "Dynamic".

3) Click on Add Match Criteria. At this point another display box will appear adjacent
and on the left. You may need to expand the Name field of the display box to see the full
name of the available options.

4) Look for the "Legal-Web-Servers-securitygroup-ID#" and click on the green plus mark
to add it. Note: The Security Group ID number may be different than what you see here -
this is ok and so continue. Notice the "Match" field within the display box on the right
listing the Security Group as indicated by the blue arrow.

5) Next assign a color coded tag to this DAG by clicking on the drop down arrow and
selecting the tag, "Legal Web Server".

6) Click OK to complete the configuration.

Creating Dynamic Address Groups

Notice the newly created DAG of Legal-Web-Servers. Now repeat the same process to
create the Legal-DB-Servers Dynamic Address Group.

1) To do so click the +Add icon at the bottom of the screen.

Creating Dynamic Address Groups

As before there are six sub-steps. Begin by:

1) Naming this Dynamic Address Group, "Legal-DB-Servers". (Note: Be sure to enter the
name as seen here. For the purpose of this lab do not use the space character when
naming the Dynamic Address Group).

2) Designate the "Type" of DAG by hitting the drop down arrow and selecting
"Dynamic".

3) Click Add Match Criteria. At this point another display box will appear adjacent and
on the left. You may need to expand the Name portion of the display box to see the full
name of the available options.

4) Look for the "Legal-DB-Servers-securitygroup-ID#" and click on the green plus mark
to add it. Note: The Security Group ID number may be different than what you see here -
this is ok and so continue. Notice the "Match" field within the display box on the right
listing the selected Security Group as indicated by the blue arrow.

5) Assign a color coded tag to this Dynamic Address Group (DAG) by clicking on the drop
down arrow and selecting the tag, "Legal DB Server".

6) Click OK to complete the configuration.

Creating Dynamic Address Groups

At this point there should be two Legal Team Dynamic Address Groups, one DAG for the
Web servers and another DAG for the DB servers.

Now move on to policy creation.

Create a Security Policy within Panorama

Create a security policy that will only allow web-browsing between the Web servers and
the Database servers. This will be done in Panorama.

Creating Security Policies

In Panorama:

1) Click on the Policies tab.

2) Click on the 2nd policy listed so that the next policy created will follow immediately.

3) Click on the +Add icon at the bottom left side of your screen.

Creating Security Policies

When the Security Policy Rule display box appears multiple tabs will be displayed, many
of which will need to be configured. Start on the General Tab by naming the new policy
"Legal Web to DB".

After entering the name, click on the "Source" tab.

Creating Security Policies

1) Click on the Source tab and check the "Any" box for the Source Zone.

2) For the Source Address, click on the green + icon and, when the display options
appear, choose the "Legal-Web-Servers" address group (sub-step 3).

Next click the Destination tab.

Creating Security Policies

1) After clicking on the Destination tab, specify the Destination Zone by 2) clicking on
the drop down arrow and choosing "any".

3) Then again click on the green + plus icon and for Destination Address select "Legal-
DB-Servers".

The next tab to configure will be the Application tab.

Creating Security Policies

After 1) clicking on the "Application" tab, 2) click on the green + plus sign on the bottom
left to Add, then specify the allowed application. You can refine the listing of available
applications by typing "mysql" in the highlighted field. Then select "mysql" to
populate. The next tab will be the Actions tab.

Creating Security Policies

From the Actions tab make sure to:

1) For the Action Setting, using the drop down arrow select "Allow".

2) Under Log Setting check the option to "Log at Session Start".

3) For Log Forwarding, using the drop down arrow select the "Panorama Logging Profile".

4) Click OK to finish the creation of this Security Policy.

Commit Configurations

At this time there should be four security policy rules listed. Before proceeding make
sure these rules are listed in the order that you see here. Specifically, make sure the
"Default Deny with Logging" rule is the last rule listed. If this is not the case, simply
click on the rule without opening it and then drag and drop this rule to the bottom of the
list. Alternatively, you could also use the Move command which is located on the bottom
task bar to move this rule to the bottom. Either way, when ready please proceed to the
next step.

1) Commit Operations: In order for the new configurations to be applied a series of two
"Commits" will be required. First you will need to Commit to Panorama. To do so click on
the "Commit" command in the upper right hand corner.

Commit to Panorama

For Commit Type select the radio button for Panorama and click OK. The commit will
begin, and you will see the following:

Commit to Panorama

After the pending Commit operation is complete, you should receive a "Configuration
committed successfully" message. Proceed by clicking the Close button but only after
you have received this "Configuration committed successfully" message. Then proceed
to the second commit type.

Commit to VM-Series Firewalls

Again click the Commit command.

Commit to VM-Series Firewalls

For the Commit Type: 1) select the "Device Group" radio button and when presented
with the full display 2) check the "VM-Series-DG" check box and then 3) check the
"Force Template Values" option and then 4) click the Commit tab.

Commit to VM-Series Firewalls

The commit action will begin to the two VM-Series firewalls and may take a few minutes.
Please be patient until the Progress bar and its status indicate 100% completion.

Commit to VM-Series Firewalls

Notice the Progress of 100% and the Status stating the commit operation succeeded.
Note: Ignore the warning messages under the Status column as this is expected
behavior due to other settings that are in place for logging purposes.

At this stage simply click Close.

Review NSX Security Group and DAG Membership

Review and verify the NSX Security Group and DAG Membership by ensuring successful
registration. Do this within vSphere Web Client.

vSphere Web Client

Launch the Chrome browser, if necessary. Click on the "Site A Web Client" bookmark to
access the VMware vCenter Single Sign-on page. Check the "Use Windows session
authentication" box and click Login.

vSphere Web Client

1) Click on Home and then go to 2) Hosts and Clusters.

Review NSX Security Group and DAG Membership

1) Check the Legal Web servers first by selecting the "legal-web-01" server.

2) Near the center of the screen click on "View all 4 IP addresses" to ensure IP address
registration. Take a moment to note the IP Address 15.0.0.202. You will need to ensure
this IP address is the same IP address as found within Panorama. You will also want to
ensure it is listed within the respective Security Group of the NSX Manager.

Before doing so, conduct the same review for the "legal-db-01" server.

Review NSX Security Group and DAG Membership

Like before, to review your Legal Database servers 1) click on "legal-db-01" from the left
hand tree panel and then 2) click on "View all 4 IP addresses".

Again take note of the 15.0.0.204 address as you will be checking for this IP address in
both Panorama and the NSX Security Groups to ensure it is registered.

Review NSX Security Group and DAG Membership

Go back to Panorama. From within Panorama 1) go to the Objects tab and under
Address Groups, look for both of the Legal servers (Legal-Web and Legal-DB).

Check the Legal-Web server first by clicking "more" under the Addresses column for
"Legal-Web-Servers".

Review NSX Security Group and DAG Membership

Notice that the 15.0.0.202 IP address is indeed a registered address for "legal-web-01",
verifying the Legal Web Servers group.

Click Close and then proceed to conduct the same check for the Database servers.

Review NSX Security Group and DAG Membership

Like before click "more" under Addresses column for the "Legal-DB-Servers".

Review NSX Security Group and DAG Membership

For the Legal Database Servers notice the same 15.0.0.204 IP address for this "legal-
db-01" server. This verifies successful IP registration for the Legal Database Servers
Address Group.

Click Close.

Review NSX Security Groups

From the browser tab click on the vSphere Web Client tab to verify these same IP
addresses are within the Security Groups for these two verified servers.

To do so when you're back in vSphere, 1) click Home and then 2) Networking & Security.

Review NSX Security Groups

1) Click on Service Composer from the left tree panel and 2) select the Security Groups
tab in the middle.

3) Now you can check the registered Virtual Machines and their IP addresses by clicking
on the highlighted links for both your Legal Web and Database Servers.

Review NSX Security Groups

Check the "Legal-Web-Servers" Security Group first; you should see the "legal-web-01"
server with the 15.0.0.202 IP address. Click the "X" in the upper right corner to close.

Review NSX Security Groups

Next check the "Legal-DB-Servers" Security Group, in which you should see the "legal-db-01"
server with the 15.0.0.204 IP address.

You have verified both of the Legal servers are registered and recognized as expected.
Click the "X" to close the window and proceed to the next step.

Generate Traffic

To check your work and to ensure all of the groups, policies, and configurations have
been correctly configured, test by generating traffic through the firewalls.

Login to "legal-web-01"

Click the "legal-web-01" desktop icon to login to this server.

mysql command from README.txt

You will need the Module 2 command from the README.txt file on the desktop, so 1)
open this file and 2) scroll down to the Module 2 section and copy the first mysql
command listed to the clipboard.

The command to enter is: mysqlshow --user=root --password=VMware1! --host=legal-db-01 customers customer_list

Run the Command from "legal-web-01"

Within the SSH session "paste" the copied command at the prompt to run the mysql
command. Notice the output received and then proceed.

Inspect Panorama Traffic Logs

Checking the Traffic Logs from within Panorama

Panorama Traffic Logs

Go back to the browser and go back into Panorama. From within Panorama:

1) Click on the Monitor tab.

2) Go to Logs > Traffic log.

3) Do a manual refresh.

Notice the Traffic Logs indicate a successful test as you see the source and destination
IP addresses, and the mysql application, which was properly allowed by the firewall. This
verifies a successful test and a successful lab. Great job!

This completes Module 2. Please proceed to the conclusion.

Lab 2 Conclusion

In this lab many activities were carried out and in doing so, you gained an awareness
and appreciation of how easy it is to deploy, integrate, and manage this joint solution by
VMware and Palo Alto Networks. For instance, recall how quickly and easily you were
able to deploy new VMs, and groups of VMs, using VMware NSX. Or how easy it was for
VMware NSX to perform traffic steering so that ALL traffic went through the Palo Alto
Networks VM-Series firewall for the purpose of ensuring an ever aware and secure
datacenter. All with just a few clicks via a practically seamless integration between the
Palo Alto Networks VM-Series firewall and VMware's NSX. And all while not having to
make any changes to the infrastructure of the datacenter itself.

As with the previous lab, you saw the power, benefit, and efficiency when it came to
ease of deployment; ease of integration; ease of configuration; ease of overall
management, and ease of synchronization between the Dynamic Address Groups within
the Palo Alto Networks firewalls, and the Security Groups within the VMware NSX
Manager. Both of which provide a stateful synchronization to ensure all changes in the
form of VM additions, deletions, moves, and dynamic IP addressing, which means no
manual changes in the infrastructure and/or reconfiguration on your part required!
Reason being, all datacenter changes were automatically recognized and registered
within the NSX Manager and so the datacenter is always secure, even when the traffic is
intra-datacenter traffic among VMs.

On behalf of Palo Alto Networks and VMware, we thank you for sitting our labs. We hope
you enjoyed each lab as much as we enjoyed preparing each one of them for you. It is
our sincere hope that we successfully demonstrated how easy it is to manage and
secure the ever changing datacenter!

Free VM-Series Firewall Raffle: To say thank you for sitting our lab exercises, we'd
like to invite you to participate in our daily raffle, where we will be giving away one
Palo Alto Networks VM-100 series firewall for free. This daily raffle will be available during
VMworld 2015 Europe beginning Monday, 12 October through Thursday, 15 October. To
enter this daily drawing, fill out an entry form here: Palo Alto Networks VM-Series Firewall
Raffle, with your complete contact information. All winners will be contacted via email
following the VMworld 2015 Europe event.

Important Message Before Proceeding with Module 3

Important Message Before Proceeding

Check to Make Sure the Lab Status State is Set to Ready. If Not, Restart a
New Lab Session. This is only applicable if you have just launched the lab
itself.

Conduct a Lab Status Check - If Applicable

The following is not applicable for current sessions. If you are simply transitioning
from the previous section to the next module you may proceed as normal to the next
screen. However, if you just launched this lab seconds ago, follow these Lab Status
Check instructions.

Before getting started, conduct a quick lab status check to make sure the "Lab Status"
state is set to "Ready" mode. If the lab status state is set to a mode other than
"Ready", end this lab and restart a new lab session.

Continuing this lab while in a Lab Status State of anything other than "Ready" may
result in a poor lab experience due to latency, unexpected errors, and lost work.

Module 3: Using Distributed FireWall (DFW) to Protect Intra-tier Traffic (30 Min)

Module Overview

In this module VMware NSX DFW is configured to secure intra-tier traffic between web
front-end servers. This module shows how to define dynamic Security Groups (based on
VM name and based on Logical Switch) and how to use them in DFW policy
configuration.

During this module (30 minutes) the focus will be on the various NSX DFW features and
functions. The lessons learned will enable you to gain an understanding of, as well as
perform, the following:

Understanding NSX DFW components

Security considerations for a multi-tier application deployment (inter-tier and
intra-tier traffic protection)

Create NSX Security Groups and how to use them in DFW security policies

Review NSX Security Group, DFW UI, generate traffic and check stats.

Create NSX Security Groups

Create two new NSX Security Groups using dynamic inclusion based on VM name (for
Legal web servers) and using static inclusion based on Logical Switch / static exclusion
based on VM (for HR web servers).

vSphere Web Client

Log into the vSphere Web Client. To do so launch the Chrome browser and click on the
vSphere Web Client bookmark named "Site A Web Client". At the VMware vCenter
Single Sign-on page, click the "Use Windows session authentication" box to login using
Single Sign-on.

Networking & Security

Once logged in, and from the 1) Home screen, click on 2) Networking & Security.

Service Composer / Security Groups

Click on 1) Service Composer and then on 2) Security Groups.

Note: If you have previously performed modules 1 and 2 of this Hands-on-Lab you will
have a similar view and screenshot. However, if you have just started here at module 3
you will not see some of the Security Groups that are displayed here.

Create new Security Groups for Legal Web Servers

1) Click on the New Security Group icon to create a new Security Group.

Security Group Name

1) On the "Name and description" page, name this new security group, "Legal-Web-
Servers-Module-3".

2) Click Next.

Security Group Dynamic Inclusion using VM Name

Select 1) VM Name and then 2) enter 'legal-web' keyword.

Click 3) Finish to complete the operation.

Security Group Check

At this time the new security group has been created and should be displayed within the
Security Group listing. The characteristics of this new security group will also be
displayed. For example, note the number of Virtual Machines (2) under the
corresponding column.

Security Group - VM

Check which virtual machines are contained within this new Security Group. Do so by
clicking on the link of the Virtual Machines column for this security group "Legal-Web-
Servers-Module-3". At this time both of the legal team web servers should be reflected.
Click the "X" in the upper right corner of the box to close.

Create new Security Groups for HR Web Servers

1) Click on the New Security Group icon to create a new Security Group.

Security Group Name

1) On the "Name and description" page, name this new security group, "HR-Web-
Servers-Module-3".

2) Click Next.

Security Group Dynamic Inclusion - Skip

Dynamic membership will not be used and so click 1) Next.

Security Group Static Inclusion - Logical Switch

1) For "Object Type", use the drop down arrow to select "Logical Switch".

2) Select LS-HR-01. This is the Logical Switch (VXLAN) that all of the VM servers of the
HR organization connect to.

3) Using the "move to arrow", move the "LS-HR-01" object to the "Selected Objects" box.

4) Click Next.

Security Group Static Exclusion - DB server

1) For "Object Type", use the drop down arrow and scroll down and select "Virtual
Machine".

2) Select the "hr-db-01" object.

3) Use the "move to arrow" to move the selected object over to the "Selected Objects"
box.

4) Click Finish to complete the operation.

Security Group Check

At this time the new security group has been created and should be displayed within the
Security Group listing. The characteristics of this new security group will also be
displayed. For example note the number of Virtual Machines (2) under the
corresponding column.

Security Group - VM

Check which virtual machines are contained within this new Security Group. Do so by
clicking on the link of the Virtual Machines column for this security group "HR-Web-
Servers-Module-3". At this time both of the HR team web servers should be reflected.

Click the "X" in the upper right corner of the box to close.

Create NSX DFW Security Policies

Use the two Security Groups previously created in the DFW policy rules to enable, or
disable, intra-tier traffic between the web servers of the Legal organization. Then do the
same for the servers of the HR organization.

Note: There are two methods to configure traffic steering. We used one method in lab 2
and so now we will use the other method here in lab 3.

The following security policies will be implemented:

Legal:

source: Legal Web Servers | destination: Legal Web Servers | Services: ICMP | action:
allow

source: Legal Web Servers | destination: Legal Web Servers | Services: ANY | action:
block

HR:

source: HR Web Servers | destination: HR Web Servers | Services: ICMP | action: allow

source: HR Web Servers | destination: HR Web Servers | Services: ANY | action: block

DFW Menu

Click on 1) NSX Home and then on 2) Firewall.

Create a New Section

1) Click on the Add section icon and then 2) enter as the section name, "INTRA-TIER
protection".

3) Click OK to complete the operation.

Create new Policy Rule

Click the 1) Add rule icon and then click on 2) the arrow to expand Section in order to
see all the defined policy rules.

Policy Rule Name

1) Put your cursor in the "Name" column and click. After doing so a small + icon will
appear. Click this + icon and within the Rule Name field enter the following string:
"Legal-Web to Legal-Web ICMP". After doing so, click OK to continue.

Policy Rule Source Field

1) Move your cursor into the "Source" column and click. A small + icon will
appear. Click on this + icon and a new window will appear.

2) For "Object Type", use the drop down arrow to scroll down to select Security
Group. Then select Security Group and all available Security Groups will be listed.

3) Scroll down while looking for "Legal-Web-Servers-Module-3" and select it.

4) Then using the "move to arrow", click this arrow to move it over to the "Selected
Objects" box.

5) Click OK to complete the operation.

Policy Rule Destination Field

1) Move your cursor into the "Destination" column and click. A small + icon will
appear. Click on this + icon and a new window will appear.

2) For "Object Type", use the drop down arrow to scroll down to select Security
Group. Then select Security Group and all available Security Groups will be listed.

3) Scroll down while looking for "Legal-Web-Servers-Module-3" and select it.

4) Then using the "move to arrow", click this arrow to move it over to the "Selected
Objects" box.

5) Click OK to complete the operation.

Policy Rule Service Field

1) Move your cursor into the "Service" column and click. A small + icon will
appear. Click on this + icon and a new window will appear.

2) For "Object Type", use the drop down arrow to scroll down to select Service. In the
filter search field enter "icmp" as a keyword. All services related to ICMP will appear.

3) Find and select "ICMP Echo" and using the "move to arrow", 4) move it over to the
"Selected Objects" box.

Repeat the same procedure for the "ICMP Echo Reply" object. After doing so you will
have two selected ICMP objects.

5) Click OK to complete the operation.

Policy Rule Action Field

1) Place your cursor in the "Action" column. A small + icon will appear. Click on this
+ icon and an Action box will appear. By default, the Action setting is set to Allow for a
newly created security policy. This is the desired action to enforce the rule and so there
is nothing that needs to be modified here. 2) Therefore, click Cancel.

Policy Rule Publish Operation

At this stage this window should be presented. Review your rule and ensure you have
the same values and settings entered. If so, click 1) Publish Changes to enforce the
newly created security policy.

Policy Rule Publish Status

A message should be displayed at the top of the page showing the successful publish
operation. Note: The message may take some time to arrive depending on the CPU load
of the HOL infrastructure.

Create Remaining Policy Rules

By following the step-by-step procedures you successfully created a DFW policy rule using
Security Groups. In fact, you successfully created INTRA-TIER protection rule
number 1. This rule permits ICMP.

Continue now on your own, by repeating the steps you have just performed, to create
three additional rules. These three remaining rules are required in order to secure the
environment.

The three remaining rules are named below and each contain the specific values
required for each rule:

Name: Legal-Web to Legal-Web ANY

Source: (Security Group) Legal-Web-Servers-Module-3

Destination: (Security Group) Legal-Web-Servers-Module-3

Services: Any

Action: Block

Name: HR-Web to HR-Web ICMP

Source: (Security Group) HR-Web-Servers-Module-3

Destination: (Security Group) HR-Web-Servers-Module-3

Services: ICMP Echo, ICMP Reply

Action: Allow

Name: HR-Web to HR-Web ANY

Source: (Security Group) HR-Web-Servers-Module-3

Destination: (Security Group) HR-Web-Servers-Module-3

Services: Any

Action: Block

IMPORTANT NOTE: click on 1) the + icon (as shown in the diagram above) to add these
three new rules. New rules should always be created at the bottom of the previously
created rules because the order of rule definition is important with DFW (as is the case
with all firewalls). Reason being, rule evaluation is always performed from top to bottom,
acting upon the first rule that matches the packet pattern. If necessary, use
the Move Rule Down icon to move your rule down or use the Move Rule Up icon to
move your selected rule up. These icons are circled in red.
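The Python model below, an added example that is not part of the lab guide or of VMware NSX, puts the two Security Groups built in this module and the four INTRA-TIER rules together and shows the first-match behaviour described in the note above: the same ping is allowed with the rules in the lab's order and blocked if the "ANY block" rule is moved above the ICMP allow. The VM inventory and the Legal logical switch name (LS-Legal-01) are constructed; NSX DFW's default rule is assumed to allow.

```python
"""NSX Security Group membership and DFW first-match evaluation (added example,
not part of the lab guide or of VMware NSX). Models the two Security Groups built
in this module and the four INTRA-TIER rules, then shows why rule order matters.
The VM inventory and the Legal logical switch name are constructed."""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    logical_switch: str


@dataclass
class SecurityGroup:
    name: str
    vm_name_contains: str = None                        # dynamic inclusion: VM Name
    include_switches: set = field(default_factory=set)  # static inclusion: Logical Switch
    exclude_vms: set = field(default_factory=set)       # static exclusion: Virtual Machine

    def members(self, inventory):
        """Membership = (dynamic + static inclusion) minus static exclusion."""
        chosen = set()
        for vm in inventory:
            if self.vm_name_contains and self.vm_name_contains in vm.name:
                chosen.add(vm.name)
            if vm.logical_switch in self.include_switches:
                chosen.add(vm.name)
        return chosen - self.exclude_vms


@dataclass
class Rule:
    name: str
    source: SecurityGroup
    destination: SecurityGroup
    services: set    # service object names, or {"ANY"}
    action: str      # "allow" or "block"

    def matches(self, inventory, src_vm, dst_vm, service):
        return (src_vm in self.source.members(inventory)
                and dst_vm in self.destination.members(inventory)
                and ("ANY" in self.services or service in self.services))


def evaluate(rules, inventory, src_vm, dst_vm, service, default="allow"):
    """DFW semantics: rules are checked top to bottom and the first match decides.
    Traffic matching no rule falls to the default rule (assumed to allow here)."""
    for rule in rules:
        if rule.matches(inventory, src_vm, dst_vm, service):
            return rule.action, rule.name
    return default, "default rule"


def shadowed_rules(rules, inventory):
    """Rules that can never match because an earlier rule already covers all of
    their traffic; a non-empty result means the rule order needs fixing."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.source.members(inventory) <= earlier.source.members(inventory)
                    and later.destination.members(inventory)
                    <= earlier.destination.members(inventory)
                    and ("ANY" in earlier.services or later.services <= earlier.services)):
                out.append(later.name)
                break
    return out


# Constructed inventory following the lab's naming; LS-Legal-01 is an assumed name.
INVENTORY = [
    VM("legal-web-01", "LS-Legal-01"), VM("legal-web-02", "LS-Legal-01"),
    VM("legal-db-01", "LS-Legal-01"),
    VM("hr-web-01", "LS-HR-01"), VM("hr-web-02", "LS-HR-01"), VM("hr-db-01", "LS-HR-01"),
]
LEGAL_WEB = SecurityGroup("Legal-Web-Servers-Module-3", vm_name_contains="legal-web")
# hr-db-01 is on LS-HR-01 too, so without the exclusion it would join the web group.
HR_WEB = SecurityGroup("HR-Web-Servers-Module-3",
                       include_switches={"LS-HR-01"}, exclude_vms={"hr-db-01"})

ICMP = {"ICMP Echo", "ICMP Echo Reply"}
INTRA_TIER = [
    Rule("Legal-Web to Legal-Web ICMP", LEGAL_WEB, LEGAL_WEB, ICMP, "allow"),
    Rule("Legal-Web to Legal-Web ANY", LEGAL_WEB, LEGAL_WEB, {"ANY"}, "block"),
    Rule("HR-Web to HR-Web ICMP", HR_WEB, HR_WEB, ICMP, "allow"),
    Rule("HR-Web to HR-Web ANY", HR_WEB, HR_WEB, {"ANY"}, "block"),
]
MISORDERED = [INTRA_TIER[1], INTRA_TIER[0]] + INTRA_TIER[2:]  # ANY block above ICMP allow


def lab_tests(rules=INTRA_TIER):
    """The module's ping and ssh tests, as (action, matched rule) per test."""
    return {
        "legal ping": evaluate(rules, INVENTORY, "legal-web-01", "legal-web-02", "ICMP Echo"),
        "legal ssh": evaluate(rules, INVENTORY, "legal-web-01", "legal-web-02", "SSH"),
        "hr ping": evaluate(rules, INVENTORY, "hr-web-01", "hr-web-02", "ICMP Echo"),
        "hr ssh": evaluate(rules, INVENTORY, "hr-web-01", "hr-web-02", "SSH"),
    }
```

Running `shadowed_rules(MISORDERED, INVENTORY)` reports the ICMP allow rule as unreachable, which is the condition the Move Rule Up/Down icons exist to correct.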

Publish Changes to Enforce all Rules

This window should be presented at the end of the configuration.

Note: If the rule set is displayed in a different order than what is shown in the
screenshot you will need to re-order the rules. To perform this operation, select the rule
that needs to be re-ordered and then click on the up or down arrow as shown.

Click 1) Publish Changes to commit all the rules.

Publish Changes Status

A publish operation success message should be displayed at the top of the page (there
may be a slight delay before appearing). Great job, proceed to the next step.

Enable Flow Collection for NSX DFW Statistics

To receive information and statistics for the NSX DFW operations, Global Flow Collection
must be enabled.

Flow Monitoring - Configuration

From NSX Home, click on 1) Flow Monitoring. Then click on 2) Configuration tab.
As you can see, global flow collection is disabled by default. 3) Click Enable to turn it
on.

Global Flow Collection Enabled

You should obtain the same window once Global Flow Collection has been enabled.


Checking NSX DFW Policies


Test 1: Check the configurations and their impact to the NSX DFW by running a series of
ICMP and SSH connection tests between the VMs.

Legal Web Server to Legal Web Server - ICMP Test

Click on 1) the legal-web-01 icon. A new SSH window will appear with automatic login
to legal-web-01.

2) Type the command ping -c 5 legal-web-02 to test for an ICMP response from the
legal-web-02 server back to the legal-web-01 server.

Notice the "5 packets transmitted, 5 received, 0% packet loss" response, indicating
that ICMP is indeed allowed by the DFW.

Legal Web Server to Legal Web Server - SSH Test

Within the same SSH window and session, enter the clear command. Then enter the
ssh legal-web-02 command.

After a few seconds, you should see the error message "connection timed out" (hit
Ctrl-C to terminate the ssh command if the wait is too long).


This failed SSH attempt is the expected behavior: rule 2 blocks everything between
these two web servers that rule 1 does not explicitly allow, and because the DFW
Block action drops the packets silently (no TCP reset or ICMP unreachable is sent
back), the client sees a timeout rather than "connection refused". Continue to test
the HR Web Servers.


HR Web Server to HR Web Server - ICMP Test

Click on 1) the hr-web-01 icon. A new SSH window will appear with automatic login to
hr-web-01.

2) Type the command ping -c 5 hr-web-02 to test for an ICMP response from the
hr-web-02 server back to the hr-web-01 server.

Notice the "5 packets transmitted, 5 received, 0% packet loss" response, indicating
that ICMP is indeed allowed by the DFW.


HR Web Server to HR Web Server - SSH

Within the same SSH window and session, enter the clear command. Then enter the
ssh hr-web-02 command.

After a few seconds, you should see the error message "connection timed out" (hit
Ctrl-C to terminate the ssh command if the wait is too long).

This failed SSH attempt is the expected behavior, as the NSX DFW does not allow SSH
between these two web servers (rule 4 blocks it, for the same reason rule 2 blocks
SSH between the Legal web servers).


Check the NSX DFW Policy Rule Statistics

Launch the Chrome browser and click on the Site A Web Client bookmark to launch and
log in to the vSphere Web Client. Again use the "Use Windows session authentication"
Single Sign-On method.

1) Once logged in, from the Home screen navigate to Networking & Security >
Firewall (sub-step 2).

By default the per-rule statistics of the NSX DFW are not displayed. 3) Under the
Column Headers menu, enable the "Stats" column.

Once done, notice the new column with the heading Stats in the policy rule window.


Statistics for Policy Rule 1

1) Expand the rules 1-4 for your INTRA-TIER protection.

2) For Rule1, Legal-Web to Legal-Web ICMP traffic, move to the far right over to the
diagram icon under the Stats column.

Under the Stats column, click on the diagram icon to see the flow statistics (number of
packets and bytes) processed by the NSX DFW for this Rule 1.


Statistics for Policy Rule 2

1) For Rule2, Legal-Web to Legal-Web ANY traffic, move to the far right over to the
diagram icon under the Stats column.

Under the Stats column, click on the diagram icon to see the flow statistics (number of
packets and bytes) processed by the NSX DFW for this Rule 2.

Statistics for Policy Rule 3

1) For Rule3, HR-Web to HR-Web ICMP traffic, move to the far right over to the
diagram icon under the Stats column.

Under the Stats column, click on the diagram icon to see the flow statistics (number of
packets and bytes) processed by the NSX DFW for this Rule 3.


Statistics for Policy Rule 4

1) For Rule4, HR-Web to HR-Web ANY traffic, move to the far right over to the
diagram icon under the Stats column.

Under the Stats column, click on the diagram icon to see the flow statistics (number of
packets and bytes) processed by the NSX DFW for this Rule 4.

Modify the NSX DFW Rules to Enable SSH

SSH is blocked by rule 2 for the Legal organization and by rule 4 for the HR
organization: those catch-all Block rules match every service that the ICMP Allow
rules above them (rules 1 and 3) do not cover. The task is to enable SSH. Rather
than adding a new rule, which would have to be placed above the Block rules to take
effect, add the SSH service to Rule 1 and to Rule 3.
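The first-match evaluation described in the IMPORTANT NOTE above, and the reason SSH fails in Test 1 and succeeds after this modification, can be checked offline with the following model. It is an added example written for this page, not code from the lab guide, VMware or Palo Alto Networks: it holds the four intra-tier rules in a list, walks them top to bottom, and returns the first rule that matches a (source VM, destination VM, service) flow. Security-group membership, rule names and service names follow the guide; the Default Rule verdict of allow is the NSX-v DFW factory default and is an assumption of the model, as is treating Block as a silent drop.

```python
"""First-match evaluation of the intra-tier NSX DFW rules from this module.

Added example (not from the lab guide or from NSX): a model of how the DFW
picks a rule, top to bottom, first match wins, for the four rules created
above, before and after SSH is added to rules 1 and 3.
"""
from dataclasses import dataclass

# Security-group membership as configured earlier in the guide.
SECURITY_GROUPS = {
    "Legal-Web-Servers-Module-3": {"legal-web-01", "legal-web-02"},
    "HR-Web-Servers-Module-3": {"hr-web-01", "hr-web-02"},
}

ICMP = {"ICMP Echo", "ICMP Reply"}


@dataclass
class Rule:
    name: str
    source: str          # security-group name
    destination: str     # security-group name
    services: set        # set of service names, or {"any"}
    action: str          # "allow" or "block"

    def matches(self, src_vm: str, dst_vm: str, service: str) -> bool:
        return (
            src_vm in SECURITY_GROUPS[self.source]
            and dst_vm in SECURITY_GROUPS[self.destination]
            and ("any" in self.services or service in self.services)
        )


def evaluate(rules, src_vm, dst_vm, service):
    """Return (verdict, rule_name) for the first matching rule.

    Assumption of the model: the NSX-v DFW Default Rule is still at its
    factory setting (allow) and is the implicit last rule.
    """
    for rule in rules:
        if rule.matches(src_vm, dst_vm, service):
            return rule.action, rule.name
    return "allow", "Default Rule"


def intra_tier_rules(extra_services=frozenset()):
    """Rules 1-4 as created in the guide. `extra_services` models the services
    added to the two ICMP Allow rules in the 'Modify the NSX DFW Rules' step."""
    allowed = ICMP | set(extra_services)
    return [
        Rule("Legal-Web to Legal-Web ICMP", "Legal-Web-Servers-Module-3",
             "Legal-Web-Servers-Module-3", allowed, "allow"),
        Rule("Legal-Web to Legal-Web ANY", "Legal-Web-Servers-Module-3",
             "Legal-Web-Servers-Module-3", {"any"}, "block"),
        Rule("HR-Web to HR-Web ICMP", "HR-Web-Servers-Module-3",
             "HR-Web-Servers-Module-3", allowed, "allow"),
        Rule("HR-Web to HR-Web ANY", "HR-Web-Servers-Module-3",
             "HR-Web-Servers-Module-3", {"any"}, "block"),
    ]


def connectivity_matrix(rules):
    """Reproduce Test 1 / Test 2 from the guide as {(src, dst, service): verdict}."""
    tests = [("legal-web-01", "legal-web-02", "ICMP Echo"),
             ("legal-web-01", "legal-web-02", "SSH"),
             ("hr-web-01", "hr-web-02", "ICMP Echo"),
             ("hr-web-01", "hr-web-02", "SSH")]
    return {(s, d, svc): evaluate(rules, s, d, svc)[0] for s, d, svc in tests}


if __name__ == "__main__":
    before = connectivity_matrix(intra_tier_rules())
    after = connectivity_matrix(intra_tier_rules({"SSH"}))
    # Ordering pitfall from the IMPORTANT NOTE: same rules, each Block rule
    # moved above its Allow rule.
    rules = intra_tier_rules({"SSH"})
    swapped = [rules[1], rules[0], rules[3], rules[2]]
    for label, matrix in (("before SSH added", before),
                          ("after SSH added", after),
                          ("block rules moved up", connectivity_matrix(swapped))):
        print(label)
        for (s, d, svc), verdict in matrix.items():
            print(f"  {s} -> {d} {svc:9s} {verdict}")
```

Run it to see three matrices: before SSH is added (SSH hits the ANY Block rules), after SSH is added to rules 1 and 3 (SSH is allowed), and with each Block rule moved above its Allow rule (ICMP is now blocked too, which is exactly why the note tells you to keep new rules below the existing ones).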


Modify Rule 1 to Include SSH

In the NSX DFW policy table, select Rule Number 1. Then move your cursor to the
Service Column field and hover until the + icon appears.

1) Click this + icon to modify content of Service field. A new window will appear.

2) Type ssh as the search keyword and select SSH.

3) Click on the move to right arrow to add SSH as a selected object.

4) Click OK to complete the configuration.

Modify Rule 3 to Include SSH

In the NSX DFW policy table, select Rule Number 3. Then move your cursor to the
Service Column field and hover until the + icon appears.

1) Click this + icon to modify content of Service field. A new window will appear.

2) Type ssh as the search keyword and select SSH.

3) Click on the move to right arrow to add SSH as a selected object.


4) Click OK to complete the configuration.


Publish Changes

Click on 1) Publish Changes to enforce the modified NSX DFW policy configuration.

Publish Changes Status

"Last publish operation succeeded" message will appear upon successful operation.


Test 2: Connectivity Test - SSH

Now test the configuration changes by running a series of SSH connections between the
VMs checking for successful connectivity.

Legal Web Server to Legal Web Server - SSH Test

1) Double click on the legal-web-01 icon for automatic login to legal-web-01.

2) Enter the command ssh legal-web-02 to begin an SSH session to the legal-web-02
server.

An ECDSA host key fingerprint prompt will be displayed because this is the first
connection from legal-web-01 to legal-web-02 and the key is not yet in known_hosts.
Type yes to continue the connection.

The Remote system will prompt for a password; enter VMware1!

A welcome message on legal-web-02 will be displayed upon successful authentication.


Notice the prompt is now for legal-web-02. Success verified!


HR Web Server to HR Web Server - SSH Test

1) Double click on the hr-web-01 icon for automatic login to hr-web-01.

2) Enter the command ssh hr-web-02 to begin an SSH session to the hr-web-02 server.

An ECDSA host key fingerprint prompt will be displayed because this is the first
connection from hr-web-01 to hr-web-02 and the key is not yet in known_hosts. Type
yes to continue the connection.

The Remote system will prompt for a password; enter VMware1!

A welcome message on hr-web-02 will be displayed upon successful authentication.


Notice the prompt is now for hr-web-02. Success verified!


Lab 3 Conclusion - Summary of What Was Learned

By now you have an increased awareness and appreciation of how easy it is to deploy,
integrate, and manage this joint solution. You witnessed how quickly and easily you're
able to deploy new VMs, and groups of VMs, via VMware NSX. In addition, you witnessed
how easily VMware NSX provides traffic steering so that ALL traffic goes through the
Palo Alto Networks firewall, ensuring an ever aware and secure datacenter. You also
experienced how this was done with just a few clicks, using an almost seamless
integration between the Palo Alto Networks VM-Series firewall and VMware NSX, and all
without having to make any changes to the infrastructure of the datacenter itself.

As in the previous lab, you saw the benefits of ease of deployment, ease of
integration, ease of configuration and management, and ease of synchronization
between all of the components of this joint solution. You also experienced how quickly
and seamlessly you can secure all of the servers within your datacenter by inspecting
and managing the east-west traffic taking place within it.

On behalf of Palo Alto Networks and VMware, we'd like to thank you for taking our labs.
We hope you enjoyed them as much as we enjoyed preparing them for you, and we hope we
successfully demonstrated how easy it is to manage and secure your ever changing
datacenter!

Free VM-Series Firewall Raffle: To say thank you for taking our lab exercises, we'd
like to invite you to participate in our daily raffle, in which we will give away one
Palo Alto Networks VM-100 Series firewall each day. This daily raffle will be available
during VMworld 2015 Europe, beginning Monday, 12 October through Thursday, 15 October.
To enter the daily drawing, fill out the entry form here: Palo Alto Networks VM-Series
Firewall Raffle, with your complete contact information. All winners will be contacted
via email following the VMworld 2015 Europe event.


Important Message Before Proceeding with Module 4


Important Message Before Proceeding


Check to Make Sure the Lab Status State is Set to Ready. If Not, Restart a New Lab
Session. This is only applicable if you have just launched the lab itself.

Conduct a Lab Status Check - If Applicable

The following is not applicable to a session that is already running. If you are
simply transitioning from the previous section to the next module, proceed as normal
to the next screen. However, if you launched this lab only seconds ago, follow these
Lab Status Check instructions.

Before getting started, conduct a quick lab status check to make sure the "Lab Status"
state is set to "Ready" mode. If the lab status state is set to a mode other than
"Ready", end this lab and restart a new lab session.

Continuing this lab while in a Lab Status State of anything other than "Ready" may
result in a poor lab experience due to latency, unexpected errors, and lost work.


Module 4: Using Advanced Palo Alto Networks Security Policy to Protect Application
Tiers (45 Minutes)


Module Overview
Objectives and Development Notes

In this module, the Palo Alto Networks VM-Series firewalls are configured to prevent
the introduction and spread of malware in an NSX datacenter. Using the virtual
firewalls, the student will create security policy rules to monitor for threats and to
prevent the spread of malware.

During this module you will gain an understanding of advanced threat protection and
how to prevent the spread of malware between application tiers in a virtualized
datacenter.


Create Traffic Redirection to VM-Series Firewall

Secure the Marketing organization's web server and database server by redirecting all
of their traffic to the VM-Series firewall for inspection.

Login to vSphere Web Client

1) Launch the Chrome browser and click on the vSphere Web Client bookmark.

2) Check the "Use Windows session authentication" box and click Login to log in via
VMware vCenter Single Sign-On.


Two New Marketing Virtual Machines (mktg-db-01 & mktg-web-01)

Look for your two new virtual machines of the Marketing organization (mktg-db-01 &
mktg-web-01).

1) From the Home screen click on Hosts and Clusters.


Cluster Site A: mktg-db-01 VM

1) Select the mktg-db-01 VM by clicking on it. Then note that this VM is already
assigned the NSX Security Tag "Mktg-DB-Server" and that its Security Group Membership
is the "Mktg-DB-Servers" group. Also note the IP addresses of this VM. Now conduct the
same review of the mktg-web-01 VM.


Cluster Site A: mktg-web-01

1) Select the mktg-web-01 VM by clicking on it. Then note that this VM is already
assigned the NSX Security Tag "Mktg-Web-Server" and that its Security Group
Membership is the "Mktg-Web-Servers" group. Also note the IP addresses of this VM.


Verify Security Group Membership in NSX

1) Click on the Home icon to move back to the Home menu.

2) Navigate to Networking & Security.

3) Select Service Composer.

4) Click on the "Security Groups" tab and note the two Security Groups for the VMs of
the Marketing organization. There are two Security Groups each with one VM.

5) Click on the highlighted "1" for each to see the name of the VM that belongs to
each Security Group. In the example here the "mktg-db-01" VM is displayed as a
member of the "Mktg-DB-Servers" Security Group.

If you were to repeat the same check for the Security Group "Mktg-Web-Servers" you
would find the "mktg-web-01" VM.

6) After viewing the VM name click on the "X" in the upper right corner to close.

Verify Dynamic Inclusion Is Being Used.

1) Select the Mktg-Web-Servers Security Group.

2) Click on the Edit Security Group icon.

3) Select Define dynamic membership.

Now you can verify dynamic inclusion is being used for anything that is tagged with the
Security Tag of Mktg-Web-Server.


The same steps could be repeated to verify dynamic inclusion for the Security Group
Mktg-DB-Servers, where anything with the Security Tag Mktg-DB-Server is included in
the Mktg-DB-Servers group.

4) Do not make any changes here. Click Cancel.


Create Traffic Redirection to VM-Series Firewall - Create Two Security Rules in NSX

1) Click on the Firewall setting of NSX and 2) go to the Partner Security Services
tab. Notice the two highlighted sections, with their rules, that were created in
Modules 1 & 2.

3) Click on the Add Section icon to begin creating the security rules for this module,
Module 4.

4) Name the section "Module 4 Marketing". To make sure this new section is evaluated
first, select the "Add section above" radio button so that it is placed above the
section created for Module 2.

5) Click OK to complete the configuration.


Create the "Any to Web Server" rule.

1) Expand the Module 4 Marketing section by clicking on the arrow. Then move down to
the highlighted row 1 and over to the Name column.

2) From within the Name column click on the + create icon and when presented with
the Rule Name box, 3) enter the rule name of "Any to Web Server"

4) Click OK to complete the configuration.


Specify the Destination

1) Move to the Destination field and click the + create icon. 2) For the Object Type
use the drop down arrow to select "Security Group". 3) Under Available Objects scroll
down and select "Mktg-Web-Servers".

4) Using the move to arrow, move over to the Selected Objects box. 5) Click OK to
complete.


Set Action to Redirect to Palo Alto Networks

1) Click the + create icon and 2) for the Redirect To: field use the drop down arrow to
select Palo Alto Networks.

3) Click OK to complete.

Specify Service Profile Bindings

1) Still within the Action column, under the Redirect heading click on the Palo Alto
Networks link.

2) For Object Type use the drop down arrow to find and select Security Group.

3) Under Available Objects scroll down to find and select "Mktg-Web-Servers".

4) Use the move to arrow to move over to the Selected Objects box. 5) Click OK to
complete.


Create the Second Rule - Web Server to DB Server

1) Click the green Add Rule + icon in the upper left corner.

2) For this new rule 2, within the Name column click on the + create icon.

3) Name this new rule "Web Server to DB Server" and then click OK to complete for
this action.


Specify Source

1) Under the Source column for this new rule 2, click on the + create icon.

2) For Object Type use the drop down arrow to find and select Security Group.

3) For Available Objects scroll down to find and select "Mktg-Web-Servers"

4) Use the move to arrow to move over to the Selected Objects box.

5) Click OK to complete for this action.


Specify Destination

1) Under the Destination column for this new rule 2, click on the + create icon.

2) For Object Type use the drop down arrow to find and select Security Group.

3) For Available Objects scroll down to find and select "Mktg-DB-Servers"

4) Use the move to arrow to move over to the Selected Objects box.

5) Click OK to complete for this action.


Action - Redirect to Palo Alto Networks

1) Under the Action column click the + icon.

2) Make sure the Action is set to Redirect and the Redirect To: setting is Palo Alto
Networks.

3) Click OK to complete this action.


Specify Service Profile Bindings

1) Still within the Action column, under the Redirect heading click on the Palo Alto
Networks link.

2) For Object Type use the drop down arrow to find and select Security Group.

3) Under Available Objects scroll down to find and select "Mktg-DB-Servers".

4) Use the move to arrow to move over to the Selected Objects box. 5) Click OK to
complete.


Publish Changes to the NSX Firewall

1) Click Publish Changes.

Published Changes Success Message

1) A Last publish operation succeeded message should be displayed.

2) Click on the arrow to expand the rules for "Module 4 Marketing" and notice the
newly created firewall rules that will redirect the traffic to the Palo Alto Networks VM-
Series firewall.


Configure VM-Series Firewalls Using Panorama

Log in to Panorama to manage and configure the VM-Series firewall.

Login to Panorama

1) Within the browser open another browser window.

2) Click on the Panorama bookmark.

3) Log into Panorama with username = "admin" and password "VMware1!".

Create the Mktg-Web-Servers Dynamic Address Group

There are nine steps in this configuration so be careful to complete each step:

1) Click on the Objects tab.

2) Make sure you are in Address Groups.

3) Click the + Add icon to create a new Dynamic Address Group.

4) Name the new Address Group "Mktg-Web-Servers".


5) For Type use the drop down arrow to select Dynamic.

6) For the Tags field use the drop down arrow to select the "Mktg Web Server" color
coded tag.

7) Click the + Add Match Criteria icon. 8) Select "Mktg-Web-Servers-securitygroup-13"
and click the green + icon. This entry is the tag under which NSX Manager registers
the IP addresses of the Mktg-Web-Servers Security Group members with Panorama, so a
VM that is tagged in NSX becomes a member of this address group as soon as its IP is
registered, without a firewall commit.

9) Click Close to complete this configuration.

Create the Mktg-DB-Servers Dynamic Address Group

There are nine steps in this configuration so be careful to complete each step:

1) Click on the Objects tab.

2) Make sure you are in Address Groups.

3) Click the + Add icon to create a new Dynamic Address Group.


4) Name the new Address Group "Mktg-DB-Servers".

5) For Type use the drop down arrow to select Dynamic.

6) For the Tags field use the drop down arrow to select the "Mktg DB Server" color
coded tag.

7) Click the + Add Match Criteria icon.

8) Select the "Mktg-DB-Servers-securitygroup-14" and click the green + icon.

9) Click close to complete this configuration.
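The chain this module depends on, an NSX Security Tag making a VM a member of a Security Group with dynamic membership (verified in the Service Composer steps above) and Panorama resolving that group through a dynamic address group whose match criteria name the "...-securitygroup-<id>" tag, is modelled below. This is an added example, not code from the lab guide, NSX or Panorama: the VM names, Security Tags, group names and group IDs 13 and 14 come from the guide, while the IP addresses, the inventory structure and the tag-name helper are constructed for the example, and the match-criteria parser handles the quoted "'tag' and/or 'tag'" form only, without parentheses.

```python
"""NSX Security Tag -> Security Group -> Panorama dynamic address group.

Added example (not from the lab guide, NSX or Panorama). A VM carrying an
NSX Security Tag becomes a member of a Security Group with dynamic criteria;
NSX Manager registers that VM's IP with Panorama under the tag
<group>-securitygroup-<id>; a dynamic address group whose match criteria
name that tag resolves to the IP with no policy commit.
"""
import re


# --- NSX side: dynamic membership by security tag --------------------------
class NsxSecurityGroup:
    def __init__(self, name, group_id, required_tag):
        self.name, self.group_id, self.required_tag = name, group_id, required_tag

    def members(self, inventory):
        """inventory: {vm_name: {"ip": str, "tags": set}} (constructed format)."""
        return {vm for vm, info in inventory.items() if self.required_tag in info["tags"]}

    @property
    def panorama_tag(self):
        # Name format of the tag NSX registers with Panorama, as seen in the guide
        # ("Mktg-Web-Servers-securitygroup-13").
        return f"{self.name}-securitygroup-{self.group_id}"


def registered_ips(groups, inventory):
    """The IP-to-tag registrations NSX Manager pushes to Panorama: {ip: {tags}}."""
    registrations = {}
    for group in groups:
        for vm in group.members(inventory):
            registrations.setdefault(inventory[vm]["ip"], set()).add(group.panorama_tag)
    return registrations


# --- Panorama side: dynamic address group match criteria -------------------
_TOKEN = re.compile(r"'([^']+)'|\b(and|or)\b")


def parse_match(expr):
    """Parse "'tag-a' and 'tag-b' or 'tag-c'" into [["tag-a", "tag-b"], ["tag-c"]]:
    a list of AND-clauses joined by OR ('and' binds tighter than 'or').
    Parentheses are not supported in this model."""
    clauses, current = [], []
    for tag, op in _TOKEN.findall(expr):
        if tag:
            current.append(tag)
        elif op == "or":
            clauses.append(current)
            current = []
    clauses.append(current)
    if not all(clauses):
        raise ValueError(f"malformed match criteria: {expr!r}")
    return clauses


def resolve_dag(match_expr, registrations):
    """Return the set of registered IPs whose tags satisfy the match criteria."""
    clauses = parse_match(match_expr)
    return {ip for ip, tags in registrations.items()
            if any(all(t in tags for t in clause) for clause in clauses)}


GROUPS = [NsxSecurityGroup("Mktg-Web-Servers", 13, "Mktg-Web-Server"),
          NsxSecurityGroup("Mktg-DB-Servers", 14, "Mktg-DB-Server")]
# The two dynamic address groups created in this section.
DAGS = {"Mktg-Web-Servers": "'Mktg-Web-Servers-securitygroup-13'",
        "Mktg-DB-Servers": "'Mktg-DB-Servers-securitygroup-14'"}


def dag_members(inventory):
    """Resolve every dynamic address group against the current NSX inventory."""
    registrations = registered_ips(GROUPS, inventory)
    return {name: resolve_dag(expr, registrations) for name, expr in DAGS.items()}


if __name__ == "__main__":
    # Constructed inventory: the addresses are example values, not the lab's.
    inventory = {
        "mktg-web-01": {"ip": "10.0.10.11", "tags": {"Mktg-Web-Server"}},
        "mktg-db-01": {"ip": "10.0.20.11", "tags": {"Mktg-DB-Server"}},
    }
    print(dag_members(inventory))
    # A new VM tagged in NSX shows up in the address group with no commit.
    inventory["mktg-web-02"] = {"ip": "10.0.10.12", "tags": {"Mktg-Web-Server"}}
    print(dag_members(inventory))
```

The point to take from the second print is that the security policy rules created next never name an IP address: they reference the address group, and membership follows the NSX tag, so a VM that is tagged or untagged in NSX gains or loses the firewall policy without anyone editing the rule base.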


Create Security Policy Rules


Create Security Policy Rules for the VM-Series firewall using Panorama.

Create First Policy Rule "Allow Mktg Any to Web".

1) Click on the Policies tab.

2) Make sure you are on the Security > Pre Rules page. 3) Click the + Add icon at the
bottom of the screen.

4) On the General tab name the new rule "Allow Mktg Any to Web".

5) Click the Source tab.


Specify Source

1) From the Source tab select Any.

2) Click the Destination tab.


Specify Destination

1) On the Destination tab, 2) select any for the Destination Zone.

3) Move over to the Destination Address section and Click the + Add icon.

4) Scroll until you find Address Group> "Mktg-Web-Servers" and select it.

5) Click on the Application tab.

Specify the Application

1) From the Application tab click the + Add icon.


2) Enter the key words "web-brows" to do a search and then click on "Web-browsing"
to select it and have it populate the field.

3) Move over and click on the Actions tab (for Service/URL Category keep the default
setting and so there is no need to make changes there).


Specify the Actions

1) From the Actions tab, set the Log Setting to include "Log at Session Start" (Log at
Session End is on by default; logging at session start as well records a session as
soon as it is seen, which is convenient in a lab but increases log volume in
production).

2) For Log Forwarding use the drop down arrow to select the "Panorama Logging
Profile" option. This forwards the logs of the VM-Series firewall to Panorama.

3) Click OK.


Re-Order the Newly Created Rule

After the new rule was created, it was most likely added at the bottom of the rule
set as the last rule. However, this new rule should be the 4th in the rule set of 1-5,
so move it into that position.

To do so, 1) click on the new rule "Allow Mktg Any to Web" to highlight it. Then drag
and drop the rule into place so it is the 4th rule. Or, 2) click on Move and select
the "Move Up" option until it is in the 4th position.

Pause to make sure all five rules are listed in the order displayed above.


Create Security Policy Rules Continued


Create Security Policy Rules for the VM-Series firewall using Panorama.

Create Second Policy Rule "Marketing Web to DB Server".

1) Click on the Policies tab.

2) Make sure you are on the Security > Pre Rules page. 3) Click the + Add icon at the
bottom of the screen.

4) On the General tab, name this new rule "Marketing Web to DB Server".

5) Click the Source tab.


Specify Source Zone and Source Address

1) From the Source tab check the Any box for the Source Zone.

2) Move to Source Address box and click the + Add icon, then 3) scroll and select the
Address Group "Mktg-Web-Servers".

4) Select the Destination tab.

Specify Destination Zone and Destination Address

1) On the Destination tab, 2) select any for the Destination Zone.

3) Move over to the Destination Address section and Click the + Add icon.


4) Scroll until you find Address Group> "Mktg-DB-Servers" and select it.

5) Click on the Application tab.


Specify the Application

1) From the Application tab click the + Add icon.

2) Enter the key words "mysq" to do a search and then click on "mysql" to select it and
have it populate the field.

3) Move over and click on the Actions tab (for Service/URL Category keep the default
setting and so there is no need to make changes there).


Specify the Actions

1) From the Actions tab set the Log Setting to include "Log at Session Start".

2) For Log Forwarding use the drop down arrow to select the "Panorama Logging
Profile" option. This will forward the logs of the VM-Series firewall to Panorama.

3) Click OK.


Re-Order the Newly Created Rule

After the new rule was created, it was most likely added at the bottom of the rule
set as the last rule. However, this new rule should be the 5th in the rule set of 1-6,
so move it into that position. If it is already the 5th rule, proceed to the next
step.

To do so, 1) click on the new rule "Marketing Web to DB Server" to highlight it.
Then drag and drop the rule into place so it is the 5th rule. Or, 2) click on Move and
select the "Move Up" option. Either way, when you are done make sure this new rule is
listed 5th.

It is also a good idea to pause and make sure your six rules are ordered as displayed
above.

3) When the rules are in place click the Commit icon in the upper right corner.


Commit the Changes to Panorama.

1) Select Commit Type of Panorama.

2) Click the Commit tab to commit to Panorama.


Commit Successful Message

After the Commit operation completes the success message displayed above should
appear. If so click Close and proceed to the next step.


Commit the Changes to Device Groups

1) Select Commit Type of Device Group.

2) Check the "VM-Series-DG" box to commit to both VM-Series firewalls.

3) Click the Commit tab to commit to Device Group.


Successful Commit Operation

After some time the commit operation will complete. When it does the progress status
will be 100% and the message should state the commit succeeded on both VM firewalls
(ignore the warning message).

1) Click Close and proceed to the testing phase in the next step.


Test in WordPress

The test requires that you generate web traffic to your web server. To do so, 1) open
another browser window and click on the "wordpress" bookmark icon.

Now proceed to the next step, which is to check the logs on the Panorama server to
ensure that this web-browsing request was sent through the VM-Series firewall. If it
was, the Traffic log will show the session.


Verify web-browsing activity within the Traffic Logs

1) Click the Panorama tab to go back into Panorama.

2) Click the Monitor tab and 3) click the Traffic log.

4) Modify the settings to "Last 15 Minutes" and do a Manual refresh.

Notice the allowed sessions for the applications web-browsing (from the browser to
mktg-web-01) and mysql (from mktg-web-01 to mktg-db-01), and the names of the rules
that matched them. This verifies that the traffic was successfully redirected to the
Palo Alto Networks VM-Series firewall.


Implementing Vulnerability Protection


Create a Vulnerability Protection Profile to protect the Marketing web and MySQL
database servers from an HTTP SQL injection attempt and a MySQL authentication
brute-force attempt.

Create a Vulnerability Protection Profile

Begin to create the Vulnerability Protection Security Profile by cloning the Default
Profile. To do so:

1) Click on the Objects tab. 2) Navigate to Security Profiles > Vulnerability
Protection.

3) Select the existing "default" profile and check the box.

4) Click Clone and then 5) click OK to complete this action.

Mktg-Vulnerability-Protection Security Profile Settings

1) Select the newly created, copied profile that is currently named default-1. Double-
click on it to open the settings.


2) Change the name of the profile to Mktg-Vulnerability-Protection.

3) On the Rules tab, click the rule named "simple-client-high" to open its settings.

4) For the Action setting select Reset Both. This sends a TCP reset to both the client
and the server when a matching signature fires, terminating the session rather than
only logging it.

5) Click OK to complete this action.


Vulnerability Settings

Also change the action for the rule named "simple-client-medium".

1) On the Rules tab, click the rule named "simple-client-medium" to open its settings.

2) For the Action setting select Reset Both.

3) Click OK to complete this action.


Verify Action Settings

Your display should look like the above which shows the two modified rules with Action
settings of reset-both.


Vulnerability Protection Profile Created

Verify the Mktg-Vulnerability-Protection profile has been created, then proceed to
the next steps to apply this new profile to the Security Policy.


Apply Security Profile to the "Allow Mktg Any to Web" Security Policy Rule

1) Click on the Policies tab and 2) go to Security > Pre Rules.

3) Select and click on the Allow Mktg Any to Web (rule 4) to configure its settings.

4) Click the Actions tab.

5) For the setting Profile Type, use the drop down arrow to select "Profiles".

6) For the Vulnerability setting, use the drop down arrow to select the
"Mktg-Vulnerability-Protection" profile.

7) Click OK to complete the settings configuration.

Apply Security Profile to the "Marketing Web to DB Server" Security Policy Rule

1) Click on the Policies tab and 2) go to Security > Pre Rules.

3) Select and click on the Marketing Web to DB Server (rule 5) to configure its
settings.

4) Click the Actions tab.

5) For the setting Profile Type, use the drop down arrow to select "Profiles".


6) For the Vulnerability setting, use the drop down arrow to select the
"Mktg-Vulnerability-Protection" profile.

7) Click OK to complete the settings configuration.

Security Profile Successfully Applied to the Two Rules

Notice the icons in the Profile column indicating the newly applied profiles on the
two rules.

Modify Allow All Ping (rule 1)

The SSH application must be added to the Allow All Ping rule so that the SSH session
to mktg-web-01 used for the brute-force test later in this module is permitted. To do
so:

1) Select and click on the Allow All Ping (rule 1).

2) Rename the rule to Allow Ping and SSH and then move to the Application tab.


3) Click on the +Add icon to begin adding the SSH application.

4) Enter SSH to do a search and then select SSH

5) Click OK to complete this configuration.


Commit Configuration Changes to Panorama

1) Notice the modified rule 1 with both the ping and ssh applications listed.

2) Click the Commit function to commit the changes.

3) Select Commit Type Panorama.

4) Click Commit tab and wait for the commit function to complete. After receiving the
Commit OK result stating the commit was successful click the Close tab when it is
presented.


Commit Configuration Changes to VM-Series Firewalls

1) Click the Commit function to commit the changes.

2) Select Commit Type Device Group.

3) Check the VM-Series-DG check box.

4) Click the Commit tab and wait for the commit function to complete.


Commit Success Verified

Notice the summary Progress of 100% and the Status messages stating success (ignore
the warning message). 1) After verifying, click Close.


Vulnerability Attacks - SQL Injection Attack

Test the Security Policy to ensure the proper defense of the web server from an SQL
injection attack.

Launch a SQL Injection Attack

1) Open a new browser window and 2) click on the SQL Injection bookmark.

3) The web request will begin; take note of the IP address of the HTTP web server.
Also, if you put your cursor in the address bar and scroll to the end, you will see
the injected SQL, such as
"group_concat%28user_login,0xa,user_pass%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22"
(%28 and %29 are URL-encoded parentheses): a UNION-based injection that tries to
return the WordPress user_login and user_pass columns, joined by a newline (0xa), in
one column of the result, with numeric placeholders padding the SELECT list to match
the column count of the original query.

Reload the page several times so that the SQL injection attempt is sent repeatedly.

When you are ready, check the logs within Panorama to confirm that the attack was
detected.
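What the bookmark's payload does to a query that is built by string concatenation, and the application-side fix that the vulnerability signature is standing in for, is shown below. This is an added example, not code from the lab guide or from WordPress: it uses an in-memory SQLite database with a constructed wp_users row and a post lookup that pastes its parameter into the SQL text. The payload follows the lab's (group_concat of user_login and user_pass, padded with numeric placeholders to match the original column count) but is written in SQLite syntax, where group_concat takes a separator rather than a third column. The hardened lookup binds the value as a parameter, so the same input is treated as data.

```python
"""UNION-based SQL injection of the kind in the lab's bookmark, against a
concatenated query and against a parameterised one.

Added example (not from the lab guide or WordPress). Table names and the
user_login / user_pass columns mirror WordPress; the rows are constructed.
"""
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bexamplehash');  -- constructed row
        INSERT INTO wp_posts VALUES (1, 'Hello world!', 'Welcome to WordPress.');
    """)
    return db


def lookup_post_vulnerable(db, post_id):
    """Deliberately vulnerable: post_id is pasted into the statement text, so
    anything after the number is parsed as SQL."""
    sql = f"SELECT ID, post_title, post_content FROM wp_posts WHERE ID = {post_id}"
    return db.execute(sql).fetchall()


def lookup_post_safe(db, post_id):
    """Hardened: the value is bound as a parameter and never parsed as SQL, and
    non-numeric input is rejected up front, as an integer id should be."""
    if not str(post_id).isdigit():
        raise ValueError("post id must be a positive integer")
    return db.execute(
        "SELECT ID, post_title, post_content FROM wp_posts WHERE ID = ?",
        (int(post_id),),
    ).fetchall()


# Same structure as the lab's payload: the first SELECT is made to return no
# rows (ID = -1), then a UNION whose SELECT list has as many columns as the
# original query (3 here, many more in the lab URL) places the credential
# dump in a column the page renders. SQLite's group_concat(expr, separator)
# replaces MySQL's three-argument group_concat(user_login,0xa,user_pass).
PAYLOAD = ("-1 UNION SELECT 1, "
           "group_concat(user_login || char(10) || user_pass, char(10)), 3 "
           "FROM wp_users")


def run_demo():
    """Return what the vulnerable lookup leaks and how the safe lookup reacts."""
    db = build_db()
    leaked = lookup_post_vulnerable(db, PAYLOAD)
    try:
        lookup_post_safe(db, PAYLOAD)
        safe_result = "executed"
    except ValueError:
        safe_result = "rejected"
    return leaked, safe_result


if __name__ == "__main__":
    leaked, safe_result = run_demo()
    print("vulnerable query returned:", leaked)
    print("hardened query:", safe_result)
```

The vulnerability profile configured above resets the HTTP session when the injection signature matches; it is a compensating control in front of the web server and does not remove the flaw from the application, which is what the parameterised lookup does.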


Check the Threat Logs for Vulnerability Threats

1) Click the Panorama tab to go back into Panorama.

2) Go to the Monitor tab and 3) go to Logs > Threat

4) Do a Manual refresh to get the latest logs. Then notice the log entry for the HTTP
SQL Injection Attempt with the Severity level of medium.


Attempt a MySQL Brute Force Attack Over an SSH Session

1) Click and launch the mktg-web-01 desktop icon to launch a PuTTY session to this
server.

2) Enter the following commands:

Change directories to the /SCRIPTS directory with the cd /SCRIPTS command.

List the directory contents with the ls command.

Notice the mysql-brute-force-attack.sh shell script that is present. Enter the more
command for this filename to view the script. The script loops forever, sending bad
user and bad password attempts to the host=mktg-db-01 server.

3) Run this script with the ./mysql-brute-force-attack.sh command. Notice the
constant and excessive output once the command is run.


Check the Threat Logs For This Attack

1) Move back to Panorama to check the Monitor Tab > Logs > Threat log.

2) Conduct a Manual Refresh to refresh the logs. Notice all of the "MySQL
Authentication Brute-force Attempt" attacks from the web server to the
database server. Also note the Severity level of high.
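The two log checks above (the medium-severity HTTP SQL Injection Attempt entries and the high-severity MySQL Authentication Brute-force Attempt entries) are done by eye in Panorama; as an added example that is not part of the lab guide, the Python below triages an exported threat log the same way, counting hits per signature and source/destination pair and flagging what warrants attention. The comma-separated column layout and the addresses are constructed, simplified assumptions, not the exact Panorama export schema.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample export (not a capture from the lab) in a simplified
# comma-separated layout; the column order below is an assumption, not the
# exact Panorama/PAN-OS threat-log schema. Addresses are made up.
SAMPLE_THREAT_LOG = """\
2015/10/12 10:00:00,TRAFFIC,end,192.168.100.10,192.168.100.22,80,,,allow
2015/10/12 10:01:05,THREAT,vulnerability,192.168.100.10,192.168.100.22,80,HTTP SQL Injection Attempt,medium,alert
2015/10/12 10:01:09,THREAT,vulnerability,192.168.100.10,192.168.100.22,80,HTTP SQL Injection Attempt,medium,alert
2015/10/12 10:02:00,THREAT,vulnerability,192.168.100.22,192.168.100.23,3306,MySQL Authentication Brute-force Attempt,high,reset-both
2015/10/12 10:02:01,THREAT,vulnerability,192.168.100.22,192.168.100.23,3306,MySQL Authentication Brute-force Attempt,high,reset-both
2015/10/12 10:02:02,THREAT,vulnerability,192.168.100.22,192.168.100.23,3306,MySQL Authentication Brute-force Attempt,high,reset-both
2015/10/12 10:03:30,THREAT,vulnerability,192.168.100.10,192.168.100.22,80,HTTP Directory Listing,informational,alert
2015/10/12 10:05:00,THREAT,vulnerability,192.168.100.10,192.168.100.22,80,HTTP SQL Injection Attempt,medium,alert
"""

FIELDS = ["time", "type", "subtype", "src", "dst", "dport", "threat", "severity", "action"]
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_threat_log(text):
    """Parse the export into dicts, keeping only THREAT rows (TRAFFIC rows are skipped)."""
    rows = csv.DictReader(StringIO(text), fieldnames=FIELDS)
    return [r for r in rows if r["type"] == "THREAT"]


def summarize(entries):
    """Collapse repeated hits into one row per (threat, source, destination) with a count."""
    counts = Counter((e["threat"], e["src"], e["dst"]) for e in entries)
    severity = {(e["threat"], e["src"], e["dst"]): e["severity"] for e in entries}
    return [{"threat": t, "src": s, "dst": d, "count": n, "severity": severity[(t, s, d)]}
            for (t, s, d), n in counts.most_common()]


def needs_attention(summary, high_severity="high", min_count=3):
    """Flag a flow when its severity reaches the floor, or when the same signature
    repeats often enough to look sustained (the lab's brute-force loop does both)."""
    floor = SEVERITY_RANK[high_severity]
    return [s for s in summary
            if SEVERITY_RANK[s["severity"]] >= floor or s["count"] >= min_count]


if __name__ == "__main__":
    for flow in needs_attention(summarize(parse_threat_log(SAMPLE_THREAT_LOG))):
        print(f"{flow['severity']:>8} x{flow['count']} {flow['threat']}: {flow['src']} -> {flow['dst']}")
```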


Ensure Protection in Place with No Impact From These Attacks

1) Open another browser tab and 2) click on the wordpress bookmark icon.

Notice that even though multiple attacks are taking place, one against the mktg-
web-01 server and another against the mktg-db-01 server, there is no impact: the web
page still loads as expected.

This is a clear indication of the Palo Alto Networks VM-Series firewall negating these
attacks, providing protection to both of these VM servers!

At this time you may cease the SSH brute force attack by going back to the PuTTY
session and pressing Ctrl-C to stop the script. You may also close the browser tab
that is sending the SQL injection attack.


Lab 4 Summary Conclusion


During this lab you learned how to create traffic redirection rules to the VM-Series
firewall using the NSX Distributed Firewall UI (Partner Security Services tab). You also
learned how to create Dynamic Address Groups and Security Policy Rules on Panorama.

Most importantly, you successfully implemented vulnerability protection to secure traffic
going to the Marketing web server as well as traffic going from the Marketing web server
to the Marketing database server.

Then, by creating a Vulnerability Protection Security Profile and applying it to the existing
Security Policy Rules, you experienced how fast and easy it is to trigger Layer 7
application inspection for the purpose of preventing malicious attacks, such as the SQL
Injection and Brute Force attacks employed during this lab.

At this time we'd like to extend our congratulations for successfully completing this lab.
We hope you have enjoyed this module and have gained a richer understanding of
Advanced Threat Prevention as provided by Palo Alto Networks VM-Series firewall.

Free VM-Series Firewall Raffle: To say thank you for sitting our lab exercises, we'd
like to invite you to participate in our daily raffle, where we will be giving away one
Palo Alto Networks VM-100 series firewall, free. This daily raffle will be available during
VMworld 2015 Europe beginning Monday, 12 October through Thursday, 15 October. To
enter this daily drawing, fill out an entry form here Palo Alto Networks VM-Series Firewall
Raffle with your complete contact information. All winners will be contacted via email
following the VMworld 2015 Europe event.


Overall Conclusion


Summary of what we've learned


By now you have an increased awareness and appreciation of how easy it is to deploy,
integrate, and manage this joint solution. You witnessed how quickly and easily you're
able to deploy new VMs, and groups of VMs, via VMware NSX, and how easy it is for
VMware NSX to provide traffic steering so that ALL traffic goes through the Palo Alto
Networks firewall, ensuring an always-aware and secure datacenter. All of this is done
within a few clicks via a practically seamless integration between the Palo Alto Networks
VM-Series firewall and VMware's NSX, and all without having to make any changes to the
infrastructure of the datacenter itself.

As in the previous lab, you saw the benefits of ease of deployment, ease of integration,
ease of configuration and management, and ease of synchronization between all of
the components of this joint solution. You also experienced how quickly and seamlessly
you can secure all of the servers within your datacenter by inspecting and managing
the east-west traffic taking place within it.

On behalf of Palo Alto Networks and VMware, we'd like to thank you for sitting our labs.
We hope you enjoyed our labs as much as we enjoyed preparing them for you, and we
hope we successfully demonstrated how easy it is to manage and secure your ever-
changing datacenter!


Appendix - Lab Check


Introduction
This appendix provides information for checking the status of all lab components, in
order to ensure that both the NSX and Palo Alto Networks solutions are working properly.


NSX - Check Controllers Status


To check the status using the vCenter web UI, go to NSX Home --> Installation -->
Management and check status of the three NSX controllers.

NSX Controller Nodes Status Check - Normal


NSX - Check Logical Network Preparation

Using the vCenter web UI, go to NSX Home -> Installation -> Logical Network
Preparation and check the configuration status for the two clusters.

Logical Network Preparation Tab - Configuration Status Check

Note: if a red exclamation point icon appears instead of the green check mark icon, click
on the icon and then click Resolve to correct the issue.


NSX - Check VM-Series Service Deployment

Using the vCenter web UI, go to NSX Home -> Installation -> Service Deployments tab
and check the status of the VM-Series deployment.

Service Deployments - Installation Status Check

Note: if a red exclamation point icon appears instead of the green check mark icon, click
on the icon and then click Resolve to correct the issue.


vCenter - Check the VM-Series


Using vCenter UI, verify the VM-Series are all powered on.

Summary Tab - Power State Status Check


ESXi Host - dvFilter Slowpaths


Open an SSH session on esx-01a (and esx-02a) and type the following command:

1) At the prompt enter the command: summarize-dvfilter

Check to make sure the Slowpaths section is populated as shown below.

Slowpaths Check:


Panorama - Managed Devices


Using Panorama UI, check to make sure both VM-Series firewalls appear properly under
Panorama --> Managed Devices.

Managed Devices Check - Two VM-Series Firewalls


VM-Series - Serial Number


Open an SSH session on the VM-Series and type the following command:

1) At the prompt enter the command: show system info

Check to make sure the Serial Number field is different from 0 (this validates that the
VM-Series has a proper license and will be able to function properly; this license is
based on a VM UUID).

VM-Series License Check


VM-Series - Configuration Deployment


Open an SSH session on VM-Series and verify the configuration is properly deployed
using the following commands:

# show interface all

# show jobs all

Run each command separately.

Run the "show interface all" command

1) Run the show interface all command to display the two Ethernet interfaces
(ethernet1/1 and ethernet1/2). Both should be in vwire mode.


Run the "show jobs all" Command

1) The show jobs all command should display the first job-id (1) with Status = FIN and
Result = OK.
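The three VM-Series checks in this appendix (non-zero serial number from show system info, job-id 1 with Status FIN and Result OK from show jobs all, both interfaces in vwire mode from show interface all) can also be run against captured CLI output. This added Python example is not part of the lab guide; its sample outputs approximate the layout of those commands rather than reproducing them, and the hostname, serial and MAC values are made up.

```python
import re

# Constructed sample outputs approximating the PAN-OS CLI layout (assumed, not
# verbatim captures from the lab); hostname, serial and other values are made up.
SAMPLE_SYSTEM_INFO = """\
hostname: PA-VM
serial: 007200001234
sw-version: 7.0.1
"""

SAMPLE_JOBS_ALL = """\
Enqueued              Dequeued         ID          Type     Status  Result  Completed
---------------------------------------------------------------------------------------
2015/10/12 09:58:01   09:58:01          1       AutoCom        FIN      OK   09:58:40
2015/10/12 10:00:12   10:00:12          2        Commit        FIN      OK   10:00:45
"""

SAMPLE_INTERFACES = """\
name                fwd             vsys zone             forwarding
--------------------------------------------------------------------------------
ethernet1/1         vwire           1    Trust            vwire: default-vwire
ethernet1/2         vwire           1    Untrust          vwire: default-vwire
"""

def serial_is_licensed(system_info):
    """'show system info': an all-zero (or missing) serial means no license was applied."""
    m = re.search(r"^serial:\s*(\S+)", system_info, re.M)
    return bool(m) and m.group(1).strip("0") != ""

def job_finished_ok(jobs_output, job_id=1):
    """'show jobs all': the row whose ID equals job_id must read Status FIN, Result OK."""
    for line in jobs_output.splitlines():
        # date time, dequeued time, ID, type, status, result; header/rule lines do not match
        m = re.match(r"^\S+ \S+\s+\S+\s+(\d+)\s+\S+\s+(\S+)\s+(\S+)", line)
        if m and int(m.group(1)) == job_id:
            return (m.group(2), m.group(3)) == ("FIN", "OK")
    return False  # job not present at all

def vwire_interfaces(interface_output):
    """'show interface all': names of logical interfaces whose fwd column is vwire."""
    return [cols[0] for cols in (l.split() for l in interface_output.splitlines())
            if len(cols) > 1 and cols[1] == "vwire"]

def lab_check(system_info, jobs_output, interface_output):
    """Roll the three appendix checks into one pass/fail table."""
    return {
        "licensed": serial_is_licensed(system_info),
        "first_job_ok": job_finished_ok(jobs_output, 1),
        "both_vwire": vwire_interfaces(interface_output) == ["ethernet1/1", "ethernet1/2"],
    }
```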


Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit
http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-PRT-1672

Version: 20151216-074126

