Palo Alto Firewall Training in Urdu/Hindi

Palo Alto firewalls are Next Generation firewalls. A great way to start the Palo Alto Networks Certified Network Security Engineer (PCNSE ) preparation is to begin by properly following and understanding each topic in the syllabus. This course follows the syllabus in the Palo Alto. Also, the course concentrates on the "learn by doing", therefore, it is a course with a lot of labs and configuration. Not just boring Power Points presentations. This course guide is an instrument to get you on the same page with Palo Alto and understand the nature of the Palo Alto PCNSE exam.

Common Network Security Terms:

Key Network Security technical terms are Asset, Vulnerability, Exploit, Threat, Attack, Risk and Countermeasures.

Firewall Technologies:

o The word firewall commonly describes a system or device or Software.

o Firewall is placed between a trusted network and an untrusted network.

o A firewall is security devices used to stop or mitigate unauthorized access.

o The only traffic allowed on the network is defined via the firewall policies.

o It grants or rejects access to traffic flows between untrusted & trusted zone.

o A firewall monitors and check incoming and outgoing network related traffic.

o It decides to allow or block specific traffic based on defined set of security rules.

o A firewall can be hardware, software, or both or can be Cloud-based or Virtual.

o The first generation of firewall technology consisted of packet filters techniques.

o The second generation of firewall started with application layers technologies.

o The third generation of firewall had “Stateful” filters inspection also called NGFW.

o Firewalls are relied upon to secure home and corporate networks from any attacks.

About Palo Alto Networks:

o Palo Alto is a City in California’s San Francisco Bay Area in USA.

o This Next-Generation Firewall is named by this City of USA.

o PA is USA Multinational cybersecurity company headquarters in California.

o Palo Alto Networks was founded in 2005 by Israeli-American Nir Zuk.

o Nir Zuk is former engineer from Check Point and NetScreen Technologies.

o World-class team with strong security and networking experience.

o Innovations of Palo Alto Firewall are App-ID, User-ID and Content-ID.

o Builds next-generation firewalls that identify & control more than 900 applications.

o Palo Alto Network is Global footprint presence in 50+ countries, 24/7 support.

o The company serves over 60,000 organizations in over 150 countries.

o Palo Alto Next-Generation firewall named Gartner Cool Vendor in the Year 2008.

o Former Google executive Nikesh Arora joined company as Chairman & CEO 2018.

o Palo Alto has been named Leader in Gartner Magic for Network Firewalls 8 time in a row.

PA Initial Configuration:

o To configure and access first time Palo Alto Networks Next-Generation Firewalls.

o PA Firewalls can be accessed by either out-of-band management port labelled as MGT.

o Or Palo Alto Firewalls can be accessed by a Serial Console port (similar to Cisco devices).

o MGT port, separate management functions of firewall from data processing functions.

o All initial configurations be performed either on out-of-band management interface.

o Or all initial configurations of firewall be performed by using a serial console port.

o The serial port need standard roll over cable to used to connect to Palo Alto Firewall.

o To access the Palo Alto Networks Firewall for the first time through the MGT port,

o You need to connect a laptop to the MGT port using a straight-thru Ethernet cable.

o By default, the web GUI interface is accessed through 192.168.1.1 /24 IP Address.

o By default, Web GUI & CLI login credentials Username: admin and Password: admin.

In this video we gonna install Palo Alto Firewall in GNS3 Step by Step.

In this video we gonna install Palo Alto Firewall in EVE NG Step by Step.

Dashboard Tab:

The Dashboard widgets show general firewall information, such as the software version, status of each interface, resource utilization, and up to 10 entries for each of several log types; log widgets display entries from the last hour. By default, the Dashboard displays widgets in a Layout of 3 Columns, but you can customize the Dashboard to display only 2 Columns, instead.

CLI Access Modes:

Operational Mode:

o Use operational mode to view information about firewall & the traffic running through.

o Use to perform operations such as restarting, loading configuration, or shutting down.

o When log in to Firewall , the Command Line Interface (CLI) opens in operational mode.

o Palo Alto Firewall Operational Mode, command prompt sign is a greater then sing ( >).

Configuration Mode:

o Use configuration mode to view and modify the Palo Alto Firewall configuration.

o You can switch between operational mode and configuration mode at any time.

o Command prompt changes from a > to a #, indicating that successfully changed modes.

o Switch from configuration mode to operational mode, use either quit or exit command.

o To enter operational mode command while in configuration mode, use the run command.

DNS Server:

o DNS Stands for Domain Name System or Domain Name Server.

o DNS is a large database, which resides on various computers.

o DNS contains names & IP addresses of hosts on Internet & various domains.

o DNS servers match domain names to their associated IP addresses.

o The Domain Name Systems (DNS) is the phonebook of the Internet.

o DNS convert IP Address to domain name & domain name into IP address.

o DNS names are assigned through the Internet Registries by the IANA.

o There are 13 root name servers from a.root-server.net to m.root-server.net.

o 13 DNS root name servers can be check on this link http://www.root-servers.org.

o DNS primarily uses User Datagram Protocol on port number 53 to serve requests.

o Domain name system of the Internet works in an inverted tree structure.

o The TLD is the letters immediately following the final dot in an Internet address.

o In Internet address, http://mail.google.com, com is the top-level domain name.

o Google is the second-level domain name and mail is a subdomain name.

o Altogether, http://mail.google.com is fully qualified domain name (FQDN).

o Addition of HTTP:// makes a fully qualified domain name FQDN complete URL.

Available licenses and subscriptions include the following:

Threat Prevention:

Provides Antivirus, Anti-Spyware, and Vulnerability Protection.

Decryption Mirroring:

Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures.

URL Filtering:

Provides the ability to create security policy that allows or blocks access to the web based on dynamic URL categories.

Virtual Systems:

This license is required to enable support for multiple virtual systems on PA-3000 Series firewalls. VM-Series firewalls do not support virtual systems.

WildFire:

Although basic WildFire support is included as part of the Threat Prevention license, the WildFire subscription service provides enhanced services for organizations.

GlobalProtect:

Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use advanced GlobalProtect features (HIP checks and related content updates, the GlobalProtect Mobile App, IPv6 connections, or a GlobalProtect Clientless VPN) you will need a GlobalProtect license (subscription) for each gateway.

AutoFocus:

Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal.

In this Video we gonna create small basic initial Lab in GNS3.

Firewall Interfaces:

o Interface configurations of firewall data ports enable traffic to enter & exit Firewall.

o Firewall interfaces (Ports) enable a Firewall to connect with other network devices.

o Firewall interfaces also enable Firewall to connect with other interfaces within Firewall.

o Palo Alto Networks Firewall can operate in multiple deployments simultaneously.

o You can Configure the PA Interfaces to support different deployments methods.

o Can configure Ethernet interfaces for Virtual-Wire, Layer 2, 3, & tap mode deployment.

o The interfaces that the Firewall supports are Physical Interfaces and Logical Interfaces.

o The Firewall supports two kinds of Physical Interfaces media—Copper and Fiber Optic.

o Logical Interfaces include VLAN interfaces, loopback interfaces, and tunnel interfaces.

o The Physical interface name is predefined, and you cannot change the name it is fix.

o Interface Type, Tap, HA, Decrypt Mirror, Virtual Wire, L2, L3 and Aggregate Ethernet.

Administrator Accounts:

o Administrators can configure, manage & monitor Palo Alto Networks Firewalls.

o The Administrator accounts control access to Palo Alto Networks Firewalls.

o Administrative accounts specify roles & authentication methods for Administrators.

o Each Palo Alto Firewall has a predefined default administrative account (Admin).

o That provides full read-write access also known as superuser access to the firewall.

o Other administrative accounts can be created as needed have full or read-only access.

o Palo Alto Network Firewalls have a predefined admin account that has full access.

Routed Protocols:

o Routed protocols are the actual data that is transferred from router to router.

o Examples of routed protocols are Internet Protocol (IP) such as IPV4 and IPV6.

o Routed Protocol is used to send user data from one network to another network.

o Routed Protocol carries user traffic such as e-mails, file transfers, web traffic etc.

o Used between routers to direct user traffic, it is also called network protocols.

That are signs at intersections that point to nearby cities, giving mileage to each

Dynamic Routing:

o Dynamic routing protocols can dynamically respond to changes in the network.

o Routing protocol is configured on each device & device learn about both each other.

o Dynamic routing table is created, maintained and updates by routing protocol.

o Examples of Dynamic routing protocols includes RIPv2, OSPFV3 and OSPF and BGP.

o Dynamic routing protocols share routing updates with neighbors and find best path.

o Dynamically choose a different route if a link goes also updates are dynamically.

o Also, Dynamic Protocols has the ability to load balance between multiple links.

o Dynamic Routing protocols put additional load on devices CPU and RAM.

o The choice of the best route is on the hands of the Dynamic Routing Protocol.

Security Policy Concepts:

o Palo Alto Firewalls uses security policies to either allow or deny an access.

o It allow to enforce rules and take action and can be as general or specific.

o The policy rules are compared against the incoming traffic in sequence.

o Traffic is processed by the security policy in a top-down, left to right flow.

o For traffic that does not match any user-defined rules, the default rules apply.

o The default rules displayed at the bottom of the security rulebase are predefined.

o Palo Alto Firewalls Security Policies comprises of a list of security policy rules.

o Palo Alto Firewalls basics Security Policy only includes source & destination zone.

o Advance includes Source/Destination Address, ports, application, URL Categories etc.

o Palo Alto Firewalls Security Policy, Sessions are established for bidirectional data flow.

o Columns of Security Policy page can be customized for preferred information to display.

o In PA Firewall there are three types of security rules Intrazone, Interzone and Universal.

o Intrazone – All traffic within a zone. this traffic is allowed by default in Palo Alto Firewall.

o Interzone – All traffic between zones. This traffic is blocked by default in Palo Alto Firewall.

o Universal – Allowing all traffic between source & destination any Intrazone or Interzone.

o In Palo Alto Firewalls, any created Security policy rules have traffic logged by default.

o System created rules Intrazone and Interzone at the end are not the traffic logged.

o For pre-defined allow/deny rules, choose override to set logging or other profile settings.

o Rules are evaluated from top to bottom, when match is found, no further eval is done.

o If not, Palo Alto Firewall keeps on looking for match until the last rule is evaluated.

o In Palo Alto Firewall if there were no matches found the session will be dropped.

o Rule Shadowing is when multiple security policy rules match the same scope of traffic.

o Security policy rule can be reordered, disabled, deleted, added and can be cloned.

o Unused rules can be shown by clicking the ‘Highlight Unused Rules’ checkbox at bottom.

o In every Security Policy must include, Source Zone, Destination Zone, and Action.

o Security policies also include: Source IP, Destination IP, User, Application, Service & URL’s.

o Security rules additional actions (logging, vuln/av/malware profiles, scheduling and QoS).

o Palo Alto Firewalls, in Security Policy Rules, Scheduling can set times when a rule is allowed.

o There is limit to number of security profiles as well as security rules that can be configured.

o All traffic pass through dataplane of Palo Alto firewall is matched against a security policy.

o This doesn't include traffic originating from the management interface of the firewall.

Shadows Rule:

o When committing configuration, warning may appear that one rule "shadows" another rule.

o Shadow rule warning generally indicates more broad rule matching criteria is configured.

o Avoid "Rule Shadowing" by placing more specific rules above the larger scope rules.

o When committing the shadow rule can also appear if there are unresolved FQDNs.

o Policy-1 is configured which indicates more broad rule matching criteria, application is any.

o Policy-2 is configured which indicates more specific rule application is web-browsing only.

Objects Tab:

o Palo Alto Firewall, Object is a container that groups specific policy filter values.

o Example of Object are such as IP addresses, URLs, applications, or services etc.

o Palo Alto Network Firewall, the Object are used for simplified rule definition.

o Address object might contain specific IP address definitions for web in DMZ zone.

o Palo Alto Firewall is Object Based device where Objects are configuration elements.

Security Profiles:

o Palo Alto firewall Security Profiles are added to the end of security policy rules.

o After a packet has been allowed by the security policy, security profiles are used.

o Security Profile scan packets for threats, vulnerabilities, viruses, and spyware.

o Security Profile also scan packets for malicious URLs, and exploitation software.

o Security Profile check and scanned the traffic for suspicious file uploads also.

o Allowed traffic is analyzed for virus, spyware or content using security profile.

o Threat log keeps records of vulnerability, AV, Anti-Spyware that can be reviewed.

Anti-Spyware Profiles:

o Anti-Spyware Profiles help to control spyware, contains own ruleset.

o Anti-Spyware Profile contains its own ruleset to detect & process threats.

o There are already two included predefined read only profiles default & strict.

o These can be cloned for making custom, or new profile can be built from scratch.

o Default action will be applied to traffic, generally used for the initial deployments.

o Strict implementation of the profiles used for the ‘out of the box’ protection.

o Best Practice is to create to network design, deployment & company security policy.

o Each profile can contain several rules to apply policy based on severity or type of spyware.

Vulnerability Protection Profiles:

o Vulnerability is security weakness which is going to get compromised by Hackers.

o Vulnerability protection detects attempts to exploit known software vulnerabilities.

o It determines the level of protection against buffer overflows, illegal code execution.

o It determines level of protection other attempts to exploit system vulnerabilities.

o There are already two included predefined read only profiles default & strict.

o These can be cloned for making custom, or new profile can be built from scratch.

o Default action will be applied to traffic, generally used for the initial deployments.

o Default profile applies default action critical, high & medium severity vulnerabilities.

o Default profile does not detect low and informational vulnerability protection events.

o Strict implementation of the profiles used for the ‘out of the box’ protection.

o It applies block response to critical, high and medium severity spyware events.

o It uses the default action for low and informational vulnerability protection events.

o In Vulnerability Protection Exceptions can be set to override the actions on rules.

o In Vulnerability Protection this can be used to override false detection being detected.

URL Filtering Profile:

o Using URL filtering to block outbound communication to known malicious URLs.

o Reduction of the risk of infection from dangerous websites and protection of users

o In PA Firewall URL filtering classifies and controls web browsing based on content.

o URL filtering automatically prevents attacks that leverage web as an attack vector.

o Including phishing links in emails, phishing sites, HTTP‐based command and control.

o URL Filtering prevents attacks includes malicious sites & pages that carry exploit kits.

o Palo Alto Networks URL filtering solution supports both BrightCloud and PAN-DB.

o URL Filtering with enables safe web access, protecting users from dangerous websites.

o PAN-DB is our URL & IP database, designed to fulfill an enterprise’s web security needs.

o URL Filtering protecting users from malware sites, credential-phishing pages & threats.

o To do URL Filtering, Application should be allowed in PA Firewall Security Policy Rule.

o There is already one included predefined read only profiles with name default.

o This can be cloned for making custom, or new profile can be built from scratch.

o Custom profile can be created based on your company’s internal security policies.

o URL filtering should be customized to meet the unique needs of your organization.

o A URL filtering profile can be configured to take specific actions per each category.

o Allow list and block lists can be used to add sites you don’t want the users to access.

o User’s name will be displayed on the page if UserID is enabled; otherwise the IP add.

o If Continue or Override is used, 15-minute timer is set to allow access to that category.

o Transparent mode can be used make block pages look to originate from blocked website.

o Redirect will send request to specified IP; this IP must be an L3 interface on the firewall.

This video is all about File Blocking profile.

This video is all about WildFire Analysis Profile configuration and verification.

This video is all about  Data Filtering Profile configuration and verification. 

All about Security Profile Group how to create and apply.

This video is all about SSL Forwarding Proxy configuration and Theory

This video is all about Network Address Translation NAT their type etc.

How to deploy Palo Alto Firewall as Layer 2.

Tap Mode Deployment:

o TAP Mode deployment allows passive monitoring of the traffic flow across a network.

o TAP mode using the Switch Port Analyzer (SPAN) feature also known as mirroring.

o A typical deployment involve the configuration of SPAN on Cisco Switches.

o Destination SPAN port is the switch port to which our Palo Alto Firewall connects.

o The advantage of this deployment model to closely monitor traffic to their servers.

o Other advantage is network without requiring any changes to network infrastructure.

o Palo Alto Firewall Tap Mode offers visibility of application, user and content.

o In Tap mode, firewall is unable to control the traffic as no security rules can be applied.

o Palo Alto Tap mode deployment simply offers visibility in the ACC tab of the dashboard.

o The catch here is to ensure that the tap interface is assigned to a security zone.

About Virtual Wire Deployment

This is Service Route Configuration.

User-ID (User Identification):

o Security infrastructure is based on three pillars application, user and content.

o The User Identification is a Palo Alto Networks next-generation firewall feature.

o User-ID, as opposed to IP address, is integral component of security infrastructure.

o User-ID, knowing which who is using each of the applications on your network.

o Who have transmitted threat or transferring files can strengthen security policies.

o User-Id technology not only identifies users with usernames but also IP Address.

o Create policies & display logs and reports based on usernames and group names.

o User-ID technology provide Visibility, Policy control, & Logging, reporting, forensics.

o Firewall collects Group Mapping info by connecting directly to LDAP directory server.

o Visibility into what users are doing on the network becomes increasingly important.

o Full visibility into user activity on the network & user-based policy control & reporting.

o Improved visibility into application usage and more relevant picture of network activity.

o Configuring User-ID enables ACC, App Scope, reports, and logs to include usernames.

o User-ID enables you to identify all users on your network using a variety of techniques.

o User-ID, when tied to the application activity, provides you with more complete visibility.

o Greater policy control, and more granular logging, reporting and forensics capabilities.

o Main things provide by User-ID is Visibility, Policy control & Logging, reporting, forensics.

o User-ID integrates Palo Alto firewall functionality with wide range of user repositories.

How to integrate Palo Alto firewall with Active Directory

In this video will learn about Palo Alto Firewall App ID

In this video student will learn about VPN theory

In this video student will learn how deploy site to site VPN

In this video student will learn how to deploy Remote Access VPN.

In this video student will learn about how to configure HA and verify HA.

All about backup and restore in Palo Alto firewall

In this video student will learn about how to configure Syslog and verify.

All about log types in Palo Alto firewall.

Packet Capture through GUI and CLI and verification

Monitoring Reports and App Scope

In this video student will learn about Application Command Center ACC tab

Student will learn how to configure and verify NetFlow in Palo Alto Firewall

In part of lecture student will learn about SNMP configuration in Palo Alto Firewall

How to configure RADIUS authentication