PAN-201-4.1A Palo Alto Installation, Configuration and Management

Starting January 01, 2012, the newest version of the PAN-EDU-201 class will become available, during the 3-day course, students will experience through the process of installing, configuring, managing and many added features of Palo Alto Networks' next-generation firewalls.

Students will be introduced to deployment scenarios and the configuration steps for the networking, security, threat prevention, reporting and logging features of PAN-OS, the security-specific operating system that controls every Palo Alto Networks next-generation firewall. Additional PAN-OS subjects include SSL decryption, H/A, Panorama and IPSec VPNs.

• GUI, CLI, and API
• Configuration Management
• Account Administration
• SNMP and Netflow
• Interface and Security Zones
• Sub-interfaces: Layer 2 and Layer 3
• Virtual Wire (“Vwire”)
• Interface Management Profiles
• Security Zones
• Layer 3 Interfaces
• DHCP
• Virtual Routers
• Policy Based Forwarding
• NAT
• IPv6
• App-ID and Security Policy
• Security Policies
• Security Policy administration
• Content-ID and Profiles
• Security Profiles
• Zone Protection
• User Identification
• Enumerating users and groups
• Mapping users to IP addresses
• Captive Portal
• Decryption
• SSHv2 decryption
• IPSEC and GlobalProtect
• PANOS Implementation
• Configuring site-to-site tunnels
• Global Protect Interface and Client Configuration
• High Availability
• Panorama
• Device Groups
• Shared Policy
• Configuration Management/Operations
• Logging and Reporting

Day 1

Module 0: Introduction

• Single Pass Architecture
• Course Overview

Module 1: Administration

• GUI, CLI, and API
• Initial Configuration
• GUI Overview
• GUI Application Command Center
• CLI Overview
• CLI Operational Mode
• CLI Operational Commands
• Scripting | API
• Configuration Management
• Config Management: Transaction Locks
• Config Management: Snapshot Mgmt
• Config Management: Auditing
• PAN-OS and Dynamic Updates

Module 2: Interface Configuration

• Interface Overview
• Flexible Deployment Options
• Interface Configuration
• Sub-Interfaces
• Virtual Wire (“Vwire”) Interface Overview
• Vwire Interfaces Configuration
• Tunnel and Loopback Interfaces Configuration
• Security Zones Policies
• Security Zones Interfaces
• Security Zones Types
• Security Zones Configuration

Module 3: Layer 3 Configuration

• Layer 3 Interfaces
• Interface Configuration Layer 3
• Layer 3 Interface | Sub-Interface
• Layer 3 DHCP
• Virtual Routers | Configuration
• Network Address Translation
• Source NAT
• Destination NAT
• Flow Logic Specific to NAT
• NAT Policy “Original Packet”
• NAT Policy “Translated Packet”
• NAT Policy Source NAT
• NAT Policy | Destination NAT
• Policy-Based Forwarding Overview
• Routing Protocol Overview
• IPv6
• IPv6 | Feature Matrix
• IPv6 | Interface configuration

Day 2

Module 4: App-ID

• Evasive Applications
• DNS Traffic
• Bittorrent w/ App Blade
• 0-day Malware with App Blade
• App-ID Process
• App-ID Protocol Decoders
• App-ID Signatures
• App-ID Decryption
• App-ID Heuristics
• App-ID UDP Session
• App-ID TCP Session
• Security Policy Configuration
• Security Policy | App-ID filter vs. URL Filtering
• Address Objects | FQDN-Based
• Source and Destination Port Filtering
• Security Policy URL Category
• Security Policy Building Blocks
• Security Policy Administration
• Security Policy Admin | Tags
• Security Policy Admin | Filters and Groups
• App-ID Filters | Example: web-browsing apps
• App-ID Groups
• Security Policy Admin | Response Pages
• Logs and Reporting
• Customize Application Settings

Module 5: Content-ID

• String Match Process
• Security Profiles | Anti-Virus
• Anti-Virus Exceptions
• Security Profiles | Anti-Spyware
• Anti-Spyware Exceptions
• Security Profiles | Vulnerability
• Vulnerability Exceptions
• Threat Log
• Security Profiles | URL Filtering
• URL Filtering Configuration
• URL Filtering Cache
• URL Filtering Cloud Categorization Service
• URL Filtering Response Pages
• Security Profiles | File Blocking
• File Blocking Configuration
• File Blocking Drive-by-download Protection
• Security Profiles | File Blocking: Wildfire
• File Blocking | Wildfire Configuration
• File Blocking | Wildfire Portal
• File Blocking | Wildfire Dashboard
• Data Filtering Log
• Zone Protection
• Security Profiles Administration
• Security Profile Groups
• DSRI

Module 6: User-ID

• User-ID Overview | Session Information
• User-ID Flow
• User-ID Domains
• User-ID | Enable User-ID by Zone
• Task 1 Enumerate Users and Groups
• Task 2 Map User to IP address
• User-ID Agent
• User-ID Agent | Shared Server sessions
• User-ID Agent | WMI Query
• User-ID Agent | Firewall Configuration
• Captive Portal | NTLM Authentication
• Captive Portal | Configuration Steps
• Captive Portal Configuration | Redirect
• User-ID Agent | NTLM Authentication
• Captive Portal Configuration Policy
• XML API
• Users / Groups in Security Policy
• Security Policy: Selecting Users
• Security Policy: Users and Groups
• Troubleshooting
• GUI | Agent
• CLI commands

Day 3

Module 7: Decryption

• Decryption | Overview
• Secure Socket Layer Overview
• Certificates
• Certificates: Self-signed or Certificate Authority
• Certificates: Chains of Trust
• Inspection and Policy
• Outbound SSL Inspection | Forward Proxy
• Inbound SSL Inspection
• Decryption Policy Types
• Troubleshooting
• Basic SSLD troubleshooting flow
• Unsupported applications

Module 8: VPN

• IPsec Overview
• Internet Key Exchange (IKE) Phase 1
• Internet Key Exchange (IKE) Phase 2
• VPN Tunnel Configuration
• VPN Tunnel Interface
• IKE Phase 1 IKE Cryptographic Profiles
• IKE Phase 1 IKE Gateway Configuration
• IKE Phase 2 IPsec Cryptographic Profiles
• IKE Phase 2 IPsec Tunnel
• Static Route for VPN IPsec Troubleshooting
• IKE Debugging - PCAPS
• GlobalProtect Base
• GlobalProtect Overview
• Connection Sequence: Step 1 – Agent
• Connection Sequence: Step 2 – Portal
• Connection Sequence: Step 3 – Gateway
• GlobalProtect Required Certificates
• Certificates Validation
• Troubleshooting
• GlobalProtect Portal Overview
• Portal Configuration
• GlobalProtect Gateway | Overview
• Gateway | External Configuration
• Gateway | Internal Configuration
• Gateway | Client Configuration

Module 9: High Availability

• Active/Passive
• Active/Passive Links
• Active/Passive Device States
• Active/Passive Failure States
• Active/Passive Deployment
• Active/Passive Configuration Setup
• Active/Passive “Split Brain”
• Active/Passive Path Monitoring
• Active/Passive Link Monitoring
• Troubleshooting
• Active/Active
• Changes from Active/Passive
• Active/Active Links

Module 10: Panorama

• Management Model
• Centralized Maintenance
• Add Firewall on Panorama
• RBA
• Components
• Device Groups Example 1 | Flat List
• Device Groups Example 2 | Functional Groups
• Device Groups Example 3 | Geography
• Object Types
• Object Precedence
• Shared Policy
• Configuration Management & Operations
• Access Control
• Commit Workflow
• Logging and Reporting
• CLI Commands | Panorama

Students must have a basic familiarity with networking concepts including routing, switching and IP addressing. Students should also be familiar with the traditional role of a firewall in network security. Experience with other security technologies (IPS, Proxy and content filtering) can be a plus.

This course is available as open-enrollment Classroom event, instructor-led Live Virtual Class, REAL-ILT™ or as part of a custom Onsite Training for up to 16 students.