Firewall Training

Troubleshooting (EDU-330)

Award-winning live online course

Experienced Instructors

Virtual Labs Access

Video Recordings

Get a taste of the course by watching the video in this blog post, in which one of our instructors teaches a sample module, Demystifying the Firewall Flow Logic.

The “Firewall Troubleshooting” (EDU-330) course covers the following content:

Tools and Resources

Troubleshooting Enablement

Basic Troubleshooting Methodologies

Options for Information and Support

Status Monitoring Tools

Maintenance Mode

Lab – Tech Support Files

  • Validate the basic functionality of your lab environment
  • Use the web interface to get a Tech Support File
  • Decompress the Tech Support File
  • Explore the Tech Support File

Lab – Use the CLI to Export a Tech Support File

  • Use the CLI to generate a Tech Support File
  • Use the CLI to export a Tech Support File
  • Validate the exported Tech Support File

CLI Primer

Scope and Structure of the CLI

  • Operational vs Configuration Mode
  • Network discovery use case
  • Configuration Mode
  • Data displayed through less
  • Syntax and feedback for invalid commands

Displaying and navigating command output

Using the CLI as a troubleshooting tool

Lab – CLI Fundamentals

  • Import, Load, and Commit a Configuration File
  • Confirm the Current Device Configuration
  • Explore Options for Changing Other Device Settings
  • Change the Current Device Setting

Lab – Use the CLI to Modify Policy Objects

  • Review the Existing Policy Configuration
  • Examine a Configuration and Discover Options for How to Modify It
  • Modify Object Parameters
  • Review Changes and Commit the Configuration
  • Test URL Filtering Profile Changes

Flow Logic

Session Flow and App-ID

Flow Logic Overview

TCP Sessions and States

Flow Logic Details

  • Key terms
  • Data flows per processing stage

Lab – Tracing Packet Flow

  • Open an existing packet-diagnostics file
  • Trace the first packet through the firewall
  • Trace the second packet
  • Trace the content inspection of a packet
  • Identify firewall-generated packets
  • Identify dropped packets and the session end

Packet Captures

Packet Capture Concepts

Configuring Packet Captures

  • Using the web interface
  • Using the CLI

Lab

  • Test baseline functionality
  • Configure a packet filter
  • Test session marking
  • Configure capture stages
  • Turn on packet capture and capture packets
  • Analyze the pcaps
  • Add a Security policy configuration to drop traffic
  • Reconfigure the filter
  • Capture and analyze the pcaps

Packet-Diagnostics Logs

Debug-level Diagnostic Log Features

Usage Best Practices

Interpreting flow-basic output

Hardware assistance and offloading

Lab

  • Start-up and verify external connectivity to the FTP server
  • Verify the problem with the internal client
  • Examine firewall Traffic logs and Threat logs
  • Configure the packet filter
  • Check global counters
  • Configure and run packet capture and flow basic
  • Interpret the flow-basic log and pcaps
  • Implement a solution and verify it
  • Check logs and enable logging for increased visibility

Transit Traffic

Troubleshoot Transit Traffic

  • Re-create the issue
  • Discover the network – check interface IPs, routing, ARP
  • Traffic logs
  • Session table
  • Set a packet filter and check the global counters
  • Run flow basic and packet captures
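As an added worked example (this is not course material and not Palo Alto Networks' own text), the PAN-OS CLI sequence below walks the transit-traffic checklist above end to end, and also covers the packet-filter, capture-stage and flow-basic steps listed in the Packet Captures and Packet-Diagnostics labs. The client address 10.1.1.10 in zone trust, the FTP server 203.0.113.5 in zone untrust, the virtual router name default, the session ID 12345 and the analyst host 10.1.1.50 are all assumptions chosen for the example.

```text
# Added example, not from the course. Assumed: client 10.1.1.10 (zone trust),
# FTP server 203.0.113.5 (zone untrust), virtual router "default".
# Every command is PAN-OS operational mode (the ">" prompt).

# --- Discover the network: interfaces, routing, ARP ---
> show interface all
> show routing route
> test routing fib-lookup virtual-router default ip 203.0.113.5
> show arp all

# --- Session table for the flow, then the policy decision for it (protocol 6 = TCP) ---
> show session all filter source 10.1.1.10 destination 203.0.113.5
> show session id 12345                    # assumed ID from the previous output
> test security-policy-match from trust to untrust source 10.1.1.10 destination 203.0.113.5 protocol 6 destination-port 21

# --- Packet filter: mark only this flow, in both directions ---
> debug dataplane packet-diag clear all
> debug dataplane packet-diag set filter match source 10.1.1.10 destination 203.0.113.5
> debug dataplane packet-diag set filter match source 203.0.113.5 destination 10.1.1.10
> debug dataplane packet-diag set filter on
> debug dataplane packet-diag show setting

# --- Global counters for marked packets only; delta = change since the last call ---
> show counter global filter packet-filter yes delta yes
#   reproduce the problem from the client, then repeat, restricted to drop counters:
> show counter global filter packet-filter yes delta yes severity drop

# --- Capture every stage and enable flow basic for the same marked packets ---
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file drop.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set log feature flow basic
> debug dataplane packet-diag set capture on
> debug dataplane packet-diag set log on
#   reproduce once more, then stop: captures and debug logging cost dataplane CPU
> debug dataplane packet-diag set capture off
> debug dataplane packet-diag set log off
> debug dataplane packet-diag aggregate-logs

# --- Read the results on the firewall, or export them ---
> view-pcap filter-pcap drop.pcap
> less dp-log pan_packet_diag.log
> scp export filter-pcap from drop.pcap to analyst@10.1.1.50:/tmp/
> debug dataplane packet-diag clear all    # always remove the filter and files when done
```

The order matters: confirm with the session table and the counters that the filter marks the flow before you start capturing, otherwise you end up with empty pcaps and an empty diagnostics log. The drop-stage pcap tells you that the firewall dropped the packet; the flow-basic log tells you at which processing stage and why, so read the two together.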

Lab – App-ID and Torrents

  • Apply a baseline configuration to the firewall
  • Torrent sites
  • Traffic log: Application data
  • Enable traffic
  • Test policy rule “deny”
  • Policy rule to block torrents
  • Add a File Blocking Profile

Lab – Blocking Tor

  • Lab challenge and checklist
  • Solution: Security policy to block Tor App-ID
  • Solution: Use application filters
  • Solution: Block risky URL categories
  • Solution: Deny unknown applications
  • Solution: Block untrusted and expired certificates with a Decryption Profile
  • Solution: Turn on SSL decryption
  • Solution: Implement an External Dynamic List (EDL)

Host-inbound Traffic

Host-Inbound Traffic

Management Services

Lab – Host-Inbound Traffic: NTP Example

  • Apply a baseline configuration to the firewall
  • Review the System log
  • Use CLI commands to get more information
  • Use tcpdump to capture packets
  • Diagnose the problem
  • Questions for discussion
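As an added example (not course material), here are the management-plane commands the lab steps above rely on. Host-inbound services such as NTP are handled by the management plane, so the dataplane packet filters and captures do not see them; tcpdump on the management interface does. The NTP server address 203.0.113.123 and the analyst host 10.1.1.50 are assumptions.

```text
# Added example, not from the course. Assumed NTP server: 203.0.113.123.

# --- What the firewall thinks: configured servers, sync state, clock, enabled services ---
> show ntp
> show clock
> show system services
> show log system direction equal backward      # NTP sync failures are recorded here

# --- Capture on the management interface (snaplen 0 = whole packet) ---
> tcpdump snaplen 0 filter "udp port 123 and host 203.0.113.123"
#   ... wait for a couple of NTP polls, then Ctrl-C ...
> view-pcap mgmt-pcap mgmt.pcap
> scp export mgmt-pcap from mgmt.pcap to analyst@10.1.1.50:/tmp/
```

If the request leaves but no reply comes back, the usual suspects are the path from the MGT port (a missing management-plane default route or an upstream ACL) or, when NTP has been moved to a dataplane interface with a service route, an Interface Management Profile or Security policy on that interface that does not permit the return traffic.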

IPSEC VPN Troubleshooting

VPN Concepts

VPN Troubleshooting

Lab – VPN Traffic Case A

  • Review the network topology and verify the problem
  • Check routing and security policy rules
  • Change strategy: Try a top-down approach instead
  • Check the health of the VPN tunnel
  • Initiate VPN connection from the remote network
  • Troubleshoot as the responder
  • Check proxy ID settings and correct the problem

Lab – VPN Traffic Case B

  • Verify a problem with SFTP access to a web server
  • Review the Traffic logs and System logs
  • Check the high-level health indicators for the tunnel
  • Troubleshoot as the responder
  • Fix the problem and verify functionality
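As an added example (not course material), the PAN-OS CLI sequence below follows the top-down approach used in both VPN cases: check phase 1, then phase 2, then force a negotiation and read the IKE log as the responder. The gateway name gw-branch, tunnel name tun-branch, remote host 10.2.0.10 and virtual router default are assumptions.

```text
# Added example, not from the course. Assumed IKE gateway "gw-branch",
# IPSec tunnel "tun-branch", remote host 10.2.0.10, virtual router "default".

# --- Top-down health: phase 1 (IKE SA), then phase 2 (IPSec SA), then tunnel counters ---
> show vpn ike-sa gateway gw-branch
> show vpn ipsec-sa tunnel tun-branch
> show vpn flow name tun-branch            # encap/decap packet and error counters

# --- Initiate from our side and re-check ---
> test vpn ike-sa gateway gw-branch
> test vpn ipsec-sa tunnel tun-branch
> show vpn ipsec-sa tunnel tun-branch

# --- Troubleshoot as the responder: clear state, raise IKE logging, have the peer initiate ---
> clear vpn ike-sa gateway gw-branch
> clear vpn ipsec-sa tunnel tun-branch
> debug ike global on debug
#   ... the remote side initiates the connection ...
> less mp-log ikemgr.log                  # a proxy-ID mismatch typically fails phase 2 with "no proposal chosen"
> debug ike global off                    # never leave IKE debug on

# --- After the fix: phase 2 up, route points at the tunnel, sessions use it ---
> show vpn ipsec-sa tunnel tun-branch
> test routing fib-lookup virtual-router default ip 10.2.0.10
> show session all filter destination 10.2.0.10
```

A tunnel can show phase 1 up and phase 2 up and still carry no traffic: that is the routing or Security policy case from the first half of the checklist, which is why the lab starts with routing and policy before moving to the tunnel itself.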

System Services

Identifying performance issues

Baseline service performance

Performance Troubleshooting use cases

System Services Daemons

Gathering more data

Lab

  • Check running services
  • Review the logs for a specific service
  • Change the debug log level for a service
  • Restart a service
  • Restart a service and monitor a data-plane session
  • Investigate the event
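As an added example (not course material), the commands below implement the lab procedure above against one management-plane daemon. The device server (devsrvr) is used because it is a common one to restart; the client address 10.1.1.10 is an assumption.

```text
# Added example, not from the course. Assumed: the service under investigation
# is the device server (devsrvr); a client at 10.1.1.10 has sessions through the box.

# --- Baseline: management-plane load, dataplane load, daemon states, session stats ---
> show system resources                         # top-style view of the management plane
> show running resource-monitor minute last 5   # dataplane CPU and buffers per core, last 5 minutes
> show system software status                   # which daemons are running or stopped
> show system statistics session

# --- Logs for one service; raise its log level only while reproducing ---
> less mp-log devsrvr.log
> debug device-server on debug
#   ... reproduce the problem ...
> debug device-server off

# --- Restart the service and confirm that a dataplane session survives it ---
> show session all filter source 10.1.1.10      # note the session IDs before the restart
> debug software restart process device-server
> show system software status
> show session all filter source 10.1.1.10      # same IDs: a management-plane restart does not cut user traffic
> show log system direction equal backward      # the restart is recorded here; correlate it with the event
```

Restarting a management-plane daemon is cheap compared with a dataplane restart, but it is still a change: record the timestamp, because the System log entry it produces is what you will later correlate with any side effect in the Traffic logs.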

Certificate Management and SSL Decryption Troubleshooting

Verify that SSL decryption is applied by inspecting the certificate chain

Accessing a site via its IP address vs. its FQDN

Intermediate CA missing

  • Check the server's chain with SSL Labs
  • Check the session end reason in the Traffic log
  • show session flag | count yes
  • show counter global filter category proxy
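As an added example (not course material), the commands below show how to confirm on the PAN-OS CLI that a session is really being decrypted, and how to find out why one is not, for instance when the server sends no intermediate CA. The client 10.1.1.10 and session ID 12345 are assumptions.

```text
# Added example, not from the course. Assumed: client 10.1.1.10 browsing a site
# that the Decryption policy should decrypt.

# --- Is the session actually decrypted? ---
> show session all filter ssl-decrypt yes source 10.1.1.10
> show session all filter ssl-decrypt yes count yes
> show session id 12345                            # assumed ID; look at the decrypt/proxy flags and end reason

# --- Proxy counters only, as a delta while reproducing ---
> show counter global filter category proxy delta yes
#   reload the page on the client, then repeat, looking only at drops:
> show counter global filter category proxy severity drop delta yes

# --- What the firewall presents and what it is excluding ---
> show system setting ssl-decrypt certificate      # forward trust / forward untrust certificates in use
> show system setting ssl-decrypt exclude          # hostnames on the Decryption Exclusion list
> show system setting ssl-decrypt exclude-cache    # sites auto-excluded (pinning, client auth, unsupported ciphers)
> debug dataplane reset ssl-decrypt exclude-cache  # clear the cache after fixing the cause, then retest
```

When an intermediate CA is missing from the server's chain, the firewall cannot validate the server and signs the session with the forward untrust certificate, which is what the user's browser then complains about. SSL Labs shows the incomplete chain from the outside; on the firewall the proxy counters and the session end reason show it from the inside. Importing the missing intermediate as a trusted CA on the firewall fixes that specific site without adding a decryption exclusion.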

Exclude URLs and certificates without punching holes in the firewall

Client authentication and SSL decryption exclusion

External factors that complicate SSL decryption

Lab

  • Apply a baseline configuration to the firewall
  • Verify the functionality of SSL decryption
  • Create a tag and a dynamic address group
  • Create a Decryption policy rule
  • Create custom Vulnerability signatures
  • Configure a Log Forwarding profile
  • Configure a Vulnerability Protection profile to generate alerts
  • Add the Log Forwarding profile to a Security policy rule
  • Test the configuration and confirm results

User-ID

User-ID Mapping Flow

User-ID Troubleshooting

  • Re-create the issue: no users shown in the logs
  • System log: verify and fix the user-mapping issue
  • show user ip-user-mapping all
  • Event log
  • Verify LDAP connectivity
  • show user user-ids match-user <name>
  • Verify group mapping in Security policy, including with an LDAP browser
  • Verify that the group's users match the IP-to-user mapping

Lab

  • Apply a baseline configuration to the firewall
  • Diagnose and fix the problem
  • Review reference information
  • Solution: Enable User-ID on the correct zone
  • Solution: Fix the LDAP Server Profile
  • Solution: Fix the Authentication Profile Server type
  • Solution: Add the correct IP for server monitoring
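As an added example (not course material), the PAN-OS CLI sequence below follows the User-ID troubleshooting list above and covers the four lab solutions: the zone, the LDAP server profile, the authentication profile and server monitoring. The user jdoe, the address 10.1.1.10, the authentication profile corp-auth and the group DN are assumptions.

```text
# Added example, not from the course. Assumed: user jdoe at 10.1.1.10,
# authentication profile "corp-auth", group cn=vpn-users,ou=groups,dc=corp,dc=example.

# --- Is there a mapping for the address at all? ---
> show user ip-user-mapping all
> show user ip-user-mapping ip 10.1.1.10
#   no entry: either the source zone has User-ID disabled (mapping is never consulted)
#   or no mapping was ever learned; the next block tells you which

# --- Where mappings come from: agentless server monitoring or a User-ID agent ---
> show user server-monitor state all               # a wrong server IP shows up here as "not connected"
> show user server-monitor statistics
> show user user-id-agent state all

# --- Group mapping and LDAP connectivity ---
> show user group-mapping state all
> show user group list
> show user group name "cn=vpn-users,ou=groups,dc=corp,dc=example"
> show user user-ids match-user jdoe
> debug user-id refresh group-mapping all
> test authentication authentication-profile corp-auth username jdoe password
#   prompts for the password; a bind failure here points at the LDAP server profile or
#   the profile's server type, not at User-ID itself

# --- Logs ---
> less mp-log useridd.log
> less mp-log authd.log
> show log userid direction equal backward
```

Work the chain in order: a policy rule that matches on a group can only work if the group is populated (LDAP), the user is a member (group mapping), there is an IP-to-user mapping for the address (server monitoring or agent), and the zone the packet arrives from has User-ID enabled. Each command above isolates one link of that chain.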

GlobalProtect

Connection Sequence

GlobalProtect Troubleshooting

  • System log: check and fix group mapping
  • Verify certificate
  • Check internal host detection
  • Review support file

Lab

  • Apply a baseline configuration
  • Download the GlobalProtect agent
  • Connect to the external gateway
  • Disconnect the connected user
  • Advanced scenario: Pre-logon and certificates

Escalation and RMAs

Case management

Hardware failure and return merchandise authorizations (RMAs)

Escalation and support events

Experience & Passion

The difference is made by our instructors, who have many years of field experience that they bring with them into the classroom.

“All of my guys enjoyed and valued this course to the maximum. You will simply love it.”

Kamil Golombek, NIS Cyber Defence Security Perimeter EMEA, PWC