Cortex XSOAR Training

The Big Picture – Functionality Overview in a Real World Use Case

• Visibility – Application & User Identification, URL Categorization, SSL Decryption
• Control – Policies, QoS, Data Filtering, File Blocking, VPN & Remote Access
• Threat Prevention – Anti-Spyware/-Virus Scanning, Vulnerability & DoS Protection, 0-Day Protection and WildFire

Palo Alto Networks Portfolio overview

Next-generation firewall architecture

Firewall offerings

Initial system access

• Overview
• Web Interface Overview

Configure management network settings

• Management, Service & Interface config
• Service Route

Activate a firewall, and manage licenses and software

• License Activation
• Licenses
• Support
• Software updates
• dynamic updates

IronSkillet

 

Lab

• Connect to the firewall web interface
• Load a starting lab configuration
• Set DNS servers for the firewall
• Set NTP servers for the firewall
• Configure a login banner for the firewall
• Set Latitude and Longitude for the firewall
• Configure permitted IP addresses for firewall management
• Schedule dynamic updates

Configuration management

• Configuration Interaction
• Auto-commit
• Configuration Actions
• Config Audit
• Commit operations
• Commit per administrator
• Commit Lock
• Factory Reset

View firewall logs

 

Lab

• Export a named configuration snapshot
• Save ongoing configuration changes before a commit
• Revert ongoing configuration changes
• Preview configuration changes
• Examine log files
• Create a log file filter
• Use the Filter Builder

Firewall authentication and authorization

Create a local firewall administrator account

Create a non-local firewall administrator account

Create a firewall administrator account for non-interactive login

Lab

• Create a local firewall administrator account
• Configure an LDAP Server Profile & Authentication Profile
• Configure a RADIUS Server Profile & Authentication Profile
• Create non-local firewall administrator accounts for LDAP and RADIUS
• Configure an Authentication Sequence

Block threats by using network segmentation

Network interfaces and security zones

Layer 3 interfaces

Layer 3 sub-interfaces

Virtual wire interfaces

Tap interfaces

Virtual routers

• Inter VR Routing
• Configuration
• Multiple Static Default Routes and path monitoring
• Troubleshoot Routing

Interface Management profile

Loopback interfaces

Lab

• Create Layer 3 interfaces
• Create a virtual router
• Segment your production network using security zones
• Test connectivity from firewall to hosts in each security zone
• Create Interface Management Profiles

Security policy fundamental concepts

• Flow Logic
• Security Policy Match
• Rule types

Security policy administration

• Rule elements
• Managing policy ruleset
• Rule hit counter and unused rules
• Test policy match & policy match troubleshooting
• Global Find

Network address translation

• Source NAT configuration
  • Source NAT Overview
  • Source NAT Policy
  • Source NAT Configuration
  • Source NAT Types
  • Bidirectional Source NAT
  • DIPP NAT Oversubscription
• Destination NAT configuration
• • Destination NAT Policy
  • Destination NAT Configuration
  • Destination NAT Port translation

Lab

• Configure a Security policy rule to allow access from Users_Net to Extranet
• Test access from client to Extranet servers
• View the Traffic log
• Examine policy Rule Hit Count
• Reset rule hit counts
• Customize policy tables
• Manage the Policy Ruleset
• Enable intrazone and interzone logging
• Configure source NAT
• Configure destination NAT

Denial of Service Attack Types

• DoS vs DDoS
• SYN Flood and SYN Cookies
• Application-based DoS Attack
• Amplification Attack

Zone Protection

• Flood Protection
  • Configuration
  • RED vs SYN Cookie
  • Flood Protection impact
  • Protection Lab Demo
• Reconnaissance Protection
  • Port scan vs Host Sweep
• Packet Based Attack Protection
• Protocol Protection

DoS Protection Policy

• Overview
• Configuration
• Aggregate vs Classified
• Resource Protection
• Protection Lab Demo

Zone Protection vs DoS Protection Policy

Block threats using packet buffer protection

Lab

• Configure a Zone Protection Profile to detect and control SYN floods
• Configure a Zone Protection Profile to detect and control reconnaissance scans
• Configure a Zone Protection Profile to detect and control specific IP header options
• Configure a Zone Protection Profile to perform spoofed IP address checking
• Configure a DoS Protection Profile to protect firewall and node resource consumption
• Configure a DoS Protection Profile to detect and control SYN floods

Block access to or from known-bad IP addresses

• Overview
• Dynamic Address Group
• EDL Overview
• EDL configuration example
• External Dynamic List Monitoring

Block access to or from known-bad domains

• Security profiles overview
• DNS Sinkhole

Block access to or from known-bad URLs

• Overview
• URL categories in Security Policy Deny Rule
• Custom URL category

Other URL filtering features

• Response Pages
• Customize Response pages
• URL Filtering Profile
• URL Log including Recategorization request

Lab

• Block access to malicious IP addresses using Address objects
• Block access to malicious IP addresses using Address Groups
• Block access to malicious IP addresses using geographic regions
• Block access to malicious IP addresses using an External Dynamic List (EDL)
• Block access to malicious domains using an EDL
• Block access to malicious URLs using the Security policy
• Block access to a malicious URL using a URL Filtering Profile

App-ID reduces the attack surface

• What is an App vs URL Filtering
• Evasive Applications

App-ID concepts and operation

• Application Identification of a TCP Flow
• App-ID Flow
• Application Dependencies
• Control Applications on SSL-Secure Ports
• Application Default Port
• App-ID and UDP
• Differentiating Between Known and Unknown Applications
• Application Block Page

Configure App-ID objects

• Application Groups
• Application tagging for SaaS
• Application Filters
• Nested Application Groups and Filters

Lab

• Create an FTP Service object and an FTP port-based Security policy rule
• Test the port-based Security policy
• Generate application traffic
• Configure an application group
• Configure a Security policy to allow update traffic
• Test the Allow-PANW-Apps Security policy rule
• Examine the tasks list to see shadowed message
• Modify the Security policy to function properly
• Test the modified Security policy rule

Migrate to an App-ID-based Security policy

• Moving to Application-Based Policies
• Migration Strategy
• Expedition
• Policy Optimizer

Maintain an App-ID Security policy

Maintain App-ID

• Applications and Threats Content Updates
• Review New and Updated Application Details

Lab

• Create a custom Service object for HTTP
• Add the new service to the Security policy
• Test Access to the web server on port 8080
• Revert the web server to port 80
• Create an FTP application-based Security policy rule
• Test the application-based Security policy
• Remove the FTP rules
• Scheduling App-ID updates

Unknown applications

Perform packet captures

Identify unique bit patterns

Create a custom application with a signature

Configure an Application Override policy

Lab

• Gather custom application information
• Configure a packet capture
• Capture application traffic
• Analyze the packet capture
• Create a custom application with a signature
• Add the custom application to the Security policy
• Test the custom application signature

User-ID overview

User mapping methods

• Overview
• AD Integration – UID Agent on FW
  • Concept
  • User-ID Configuration
  • Group Mapping Configuration
  • Troubleshooting
• Terminal Services Agent
• User-ID redistributing

Windows-based agent configuration

Configure group mapping

User-ID redistribution

• Concept
• Configuration

User-ID and Security policy

• Users and Groups for a Security Policy
• Dynamic User Groups

Lab

• Examine current configuration
• Enable User-ID technology on the Acquisition zone.
• Generate traffic
• Modify Security policy to meet requirements

Device-ID concepts

Configuration tasks

View and manage devices and policies

Monitoring devices

WildFire concepts

Configure and manage WildFire

WildFire reporting

Lab

• Create a WildFire Analysis Profile
• Apply WildFire Profile to security rules
• Test the WildFire Analysis Profile
• Examine WildFire analysis details

Overview of SSL session setup

SSL Outbound – Forward Proxy

Certificate Generation

Decryption Policy

Decryption Exclusion

SSL Inbound – Inspection

Decryption considerations

SSH decryption

Master key management

Other decryption methods and features

Lab

• Test the firewall without decryption
• Create a self-signed certificates for trusted connections
• Create a self-signed certificates for untrusted connections
• Create and test a Decryption policy rule for outbound traffic
• Test outbound Decryption policy rule
• Export the firewall certificate and import to Firefox
• Test outbound Decryption policy again
• Review firewall logs
• Exclude URL categories from decryption using a No-Decrypt rule
• Test the No-Decrypt rule

Credential Theft use case and solution overview

Firewall authentication and authorization

Creating user accounts

• Admin LDAP authentication
• FireWall Admin authentication against Azure AD

Preventing use of stolen credentials using multi-factor authentication

• Credential-Based Attacks
• Authentication Policy

Preventing credential theft

• Concept
• Configuration Options
• Configure Domain Credential Filtering

Lab

• Test the firewall behavior without credential detection
• Provide the firewall with User-ID information
• Test the firewall behavior with credential detection

Inspect allowed traffic

• Concept
• Security Profile Best Practices

Block threats detected by signatures

• AntiVirus
• AntiSpyware
• Vulnerability Protection

Control URL access

• Web Access Policy Best Practices

Block unauthorized file transfers

• File Blocking

Detect unknown threats

• Wildfire Profile Best Practices

Block sensitive data transfers

• Concept
• Data Filtering

Security policy modifications

• BPA (Demo Support Portal)
• Security Best Practices Worksheet (Demo)

Lab

• Generate traffic without profiles and examine logs
• Create Security Profiles
• Create a Security Group
• Apply the Security Group to existing Security policy rules
• Generate traffic with profiles and examine logs
• Create tags
• Enable policy rulebase settings and observe behavior

View threat and traffic information

• Dashboard, ACC
• Detailed Logs and Log Settings
• Session Browser
• Reporting
• Threat Investigation introduction

Forward threat and traffic information to external services

• Telemetry (Demo)
• Log Forwarding including scheduled log exports

Lab

• View threat information using the Dashboard
• View application information using the Dashboard
• View threat information using the ACC
• View application information using the ACC
• View threat information using the Threat log
• View application information using the Traffic log
• View threat information using App Scope reports
• View threat information using predefined reports
• View application information using predefined reports
• View threat and application information using custom reports

We provide students with the option for the instructor to cover these additional topics on Security Best Practices which are not part of the official course. They provide an overall view on how to put all of the threat prevention techniques discussed during the course together.

 

Network Security Framework

Heatmap and Best Practice Assessment

• BPA
• CIS Control
• Security Best Practice Worksheet
• Migration Strategy

Migration Tool

Designing a Web Access Policy

Palo Alto Networks removed IPSEC Site to Site VPNs from the official course to focus the training more on cybersecurity then connectivity. However, we recognise that this might be an essential topic for many customers and therefore give students the option for the instructor to cover this topic as part of the course.

 

IPsec Site to Site VPN

VPN Configuration 

VPN Troubleshooting

Palo Alto Networks removed GlobalProtect Remote Access VPN from the official course to focus the training more on cybersecurity then connectivity. However, we recognise that this might be an essential topic for many customers and therefore give students the option for the instructor to cover this topic as part of the course.

 

Overview

Connection Sequence

Configuration

Host Checks

Palo Alto Networks removed High Availability from the official course to focus the training more on cybersecurity. However, we recognise that this might be an essential topic for many customers and therefore give students the option for the instructor to cover this topic as part of the course.

 

Active/Passive and Active/Active HA overview

Active / Passive HA configuration