Firewall
Debug and Troubleshoot
Lab Guide
PAN-OS 8.0
EDU-311
Courseware Version A
Convention              Meaning                                  Example
Bolding                 Names of selectable items in the         Click Security to open the Security Rule
                        web interface                            Page
Courier font            Text that you enter and coding           Enter the following command:
                        examples                                 a:\setup
                                                                 The show arp all command yields this
                                                                 output:
                                                                 username@hostname> show arp
                                                                 <output>
Click                   Click the left mouse button              Click Administrators under the Device tab
Right-click             Click the right mouse button             Right-click the number of a rule you want
                                                                 to copy, and select Clone Rule
< > (text enclosed      Parameter in the Lab Settings Handout    Click Add again and select <Internal
in angle brackets)                                               Interface>
Note: Unless specified, use the Chrome web browser and the PuTTY SSH client to perform the
tasks required. These applications are pre-installed, and shortcuts to them have been added to the
Windows desktop of the management workstation within the lab.
Scenario
Lab Notes
Use the CLI and the GUI of the firewall to perform these exercises. Some actions may be
available only from the CLI.
Use both SSH and HTTPS to access the firewall through its management interface. The
management interface is 192.168.1.254. Log in to the firewall with the default username
(admin) and password (admin).
4. Launch the program 3CDaemon to configure and start a TFTP server service.
a. In the navigation pane, click the TFTP Server > Configure TFTP Server icon.
b. On the TFTP Configuration tab, specify and/or verify the Upload/Download
directory value. Use C:\Users\lab-user\Desktop\lab\. Then click OK:
7. You also can import configurations using the WebUI. Open a browser and go to
https://192.168.1.254 to load the GUI of your firewall:
Device > Setup > Operations > Import
4. Complete the command by entering the name of the target configuration (edu-311-lab-01)
and pressing Enter to load the configuration.
A commit operation will be required. Note that in a real environment, you should make
any administrative changes to the firewall (updating of accounts, passwords, IP
addresses, or interfaces) before running the commit operation. Log in via the CLI and
review basic navigation of the CLI, looking at software versions and specific license
information.
5. You can load the configuration files using the GUI. Click Device > Setup > Operations
> Load and select the target configuration:
3. When you are done, log out of the firewall and close the browser.
Scenario Details
During this lab, you will be instructed to log in to the firewall using various accounts. Each
account will have its own set of problems to fix.
1. Load the configuration file edu-311-lab-02 to the firewall. Commit. (There is no
password for access to the file itself.)
2. Attempt to log in to the firewall using both SSH and HTTPS. Discover, define, and
resolve any issues that you may encounter using and/or logging on to the WebUI after
loading the new configuration. (Hint: Use the CLI to discover the services that are
running, or are not running, on the firewall.)
3. Firewall administrator student needs to make certain changes to the firewall.
Specifically, the administrator needs to create a DMZ security zone and assign a tunnel
interface to this newly created zone. However, the admin who logs in with the
username/password of student/pan123 is unable to manage the firewall as expected.
Troubleshoot and resolve this problem by attempting to log in via both SSH and HTTPS.
Then make corrections so that the student administrator account may create the new
zone. Proceed once the student account can successfully create the new zone.
4. Two of your global firewall administrators no longer can log in to this firewall. Both
continually receive an Invalid username or password error message, yet both users can
log in successfully, using the same credentials, to the other firewalls in your organization.
Both accounts use the same password of Password1!.
Without changing any passwords, use the following information and the network
diagram in the Lab 1 Scenario section of this guide to troubleshoot and resolve this
issue.
User student07 should authenticate using LDAP, and student08 should authenticate
using RADIUS. Fix the authentication issue for student07 and student08.
Hint: To troubleshoot and resolve the issues, log in as admin/admin.
3. To correct the problem that HTTPS is disabled, use the following CLI commands (configure
is entered from the operational-mode prompt, as the transcript below shows):
> configure
# set deviceconfig system service disable-https no
# show deviceconfig system service
# commit
admin@lab-firewall> configure
Entering configuration mode
admin@lab-firewall# commit
Commit job 3845 is in progress. Use Ctrl+C to return to command prompt
...55% 75% 99%......100%
Configuration committed successfully
admin@lab-firewall#
4. When the commit completes, launch a browser and reattempt to log in to the WebUI
using the student admin account with the password pan123. You should expect a
successful login.
2. Attempt as the student administrator to give yourself the rights necessary to create a
new zone. Click Device > Admin Roles > students.
3. Log out, and log in to the WebUI as admin/admin.
5. Commit the change. Log out from the default admin account. Log back in as
student/pan123 and create the new zone.
6. Create the new security zone from Network > Zones > Add. Name the zone DMZ and
specify the type as Layer3. Do not assign any interfaces to this zone. Click OK to close.
7. Commit the changes.
The update attempt will fail. This issue may be resolved through the CLI or the WebUI.
3. Display the currently configured update-server setting using the command
> show config running | match update
4. Use updates.paloaltonetworks.com (instead of 192.168.50.10) as the update server.
Helpful CLI commands for specifying an update server and performing checks for
updates, downloads, and installations of update files include the following:
> configure
# set deviceconfig system update-server <Update Server>
# commit
> request anti-virus upgrade check
> request anti-virus upgrade download latest
> request anti-virus upgrade install commit yes version latest
> request content upgrade check
> request content upgrade download latest
> request content upgrade install commit yes version latest
> request wildfire upgrade check
> request wildfire upgrade download latest
> request wildfire upgrade install commit yes version latest
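Both of the CLI checks used in these solutions (show deviceconfig system service for the disabled-HTTPS problem, and show config running | match update for the wrong update server) return PAN-OS brace-formatted "key value;" lines. The following Python script is an added example, not part of this lab guide or of PAN-OS itself: it parses constructed sample output in that style, reports which management services are disabled, compares the update-server value with updates.paloaltonetworks.com, and lists the set commands that would correct the findings. The sample output strings and the expected update-server value are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the style of PAN-OS brace-formatted output from
# `show deviceconfig system service` (illustrative; not captured from the lab firewall).
SERVICE_OUTPUT = """\
service {
  disable-telnet yes;
  disable-http yes;
  disable-https yes;
  disable-ssh no;
  disable-icmp no;
}
"""

# Constructed sample of `show config running | match update` output (assumed value).
UPDATE_MATCH_OUTPUT = """\
      update-server 192.168.50.10;
"""

EXPECTED_UPDATE_SERVER = "updates.paloaltonetworks.com"

# A leaf line looks like "  key value;" -- braces and block names are skipped.
LEAF_RE = re.compile(r"^\s*([\w.-]+)\s+(.+?);\s*$")


def parse_leaves(text: str) -> Dict[str, str]:
    """Collect `key value;` leaves from brace-formatted output into a dict."""
    leaves = {}
    for line in text.splitlines():
        m = LEAF_RE.match(line)
        if m:
            leaves[m.group(1)] = m.group(2).strip()
    return leaves


def disabled_services(service_output: str) -> List[str]:
    """Return the management services whose disable-<service> flag is 'yes'."""
    leaves = parse_leaves(service_output)
    return sorted(
        key[len("disable-"):]
        for key, value in leaves.items()
        if key.startswith("disable-") and value == "yes"
    )


def check_update_server(match_output: str, expected: str = EXPECTED_UPDATE_SERVER) -> Dict:
    """Compare the configured update-server with the expected public update host."""
    actual = parse_leaves(match_output).get("update-server")
    return {"configured": actual, "expected": expected, "ok": actual == expected}


def remediation_commands(service_output: str, match_output: str) -> List[str]:
    """Build the configure-mode commands that would fix what the checks found.

    Telnet and HTTP being disabled is expected (best practice), so only the
    encrypted management services are re-enabled when found disabled."""
    cmds = []
    for svc in disabled_services(service_output):
        if svc in ("https", "ssh"):
            cmds.append(f"set deviceconfig system service disable-{svc} no")
    upd = check_update_server(match_output)
    if not upd["ok"]:
        cmds.append(f"set deviceconfig system update-server {upd['expected']}")
    return cmds


if __name__ == "__main__":
    print("disabled services:", disabled_services(SERVICE_OUTPUT))
    print("update server:", check_update_server(UPDATE_MATCH_OUTPUT))
    for cmd in remediation_commands(SERVICE_OUTPUT, UPDATE_MATCH_OUTPUT):
        print("#", cmd)
```

The parser deliberately ignores nesting: for these two checks only the leaf values matter, and a flat key/value view is enough to decide whether a commit is needed.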
Lab Details
Users report that they cannot connect to internet websites. Identify and correct the problem to
restore normal internet connectivity.
1. Load configuration file edu-311-lab-03 and commit.
2. Use the network diagram in the first section of this guide and any other associated
information to troubleshoot any possible routing issues.
3. After you find and fix the basic routing issues, users can still not access the internet:
a. Analyze all the policy rules to troubleshoot this problem.
b. Find the issue and fix it.
4. The network topology has changed in recent months. You notice what looks like a legacy
OSPF configuration for an interface that you believe is no longer active:
a. Discover whether the interface and configuration are still active.
b. Discover whether traffic is currently being routed to this interface.
c. If there is no perceivable active use of the current OSPF configuration, reconfigure
the firewall to remove this configuration.
5. Unfortunately, you now realize that your student PC cannot ping an important server on
the internet:
a. The public IP address of the server you are trying to ping is 4.2.2.2.
b. Analyze all the policy rules to identify the problem, and then resolve the connectivity
issue.
c. Remember to use best practices in the creation of additional NAT policies and
Security policy rules, as needed.
6. Troubleshoot VPN connectivity:
   Parameter                       Value
   Comment (optional)              dmz interface

   Parameter                       Value
   Name                            DMZ

   Parameter                       Value
   Name                            tunnel-to-peer
   Local ID                        None
   Peer ID                         None
   Advanced > IKE Crypto Profile   AES256-DH2-SHA2

   Parameter                       Value
   Name                            AES256-DH2-SHA2
   DH Group                        Group 2
   Authentication                  sha256
   Encryption                      aes-256-cbc

   Parameter                       Value
   Name                            AES256-SHA256
   IPSec Protocol                  ESP
   Encryption                      Add aes-256-cbc
   Authentication                  Add sha256
   DH Groups                       Select group2

   Parameter                       Value
   Name                            vpn-to-peer
   Local                           172.16.2.0/24
   Remote                          172.16.2.0/24
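When a site-to-site tunnel fails to come up, the usual causes are a phase 1 (IKE) parameter that is not identical on both gateways, a phase 2 (IPSec) proposal with no common member, or proxy IDs that do not mirror each other. The script below is an added example written for this guide, not code from the lab or from Palo Alto Networks: it encodes the local values from the tables above and compares them with a constructed peer configuration (an assumption; the guide gives no peer-side settings), reporting which phase would fail and why. It also flags the case in the proxy ID table where Local and Remote are the same network.

```python
from ipaddress import ip_network
from typing import Dict, List

# Local side: the IKE crypto profile, IPSec crypto profile and proxy ID from the tables above.
LOCAL_IKE = {"dh_group": "group2", "authentication": "sha256", "encryption": "aes-256-cbc"}
LOCAL_IPSEC = {
    "protocol": "esp",
    "encryption": {"aes-256-cbc"},
    "authentication": {"sha256"},
    "dh_group": {"group2"},
}
LOCAL_PROXY = {"local": "172.16.2.0/24", "remote": "172.16.2.0/24"}

# Peer side: constructed for this example (assumption; not given by the lab guide).
PEER_IKE = {"dh_group": "group5", "authentication": "sha256", "encryption": "aes-256-cbc"}
PEER_IPSEC = {
    "protocol": "esp",
    "encryption": {"aes-256-cbc", "aes-128-cbc"},
    "authentication": {"sha256"},
    "dh_group": {"group2"},
}
PEER_PROXY = {"local": "172.16.2.0/24", "remote": "172.16.2.0/24"}


def ike_mismatches(local: Dict[str, str], peer: Dict[str, str]) -> List[str]:
    """Phase 1: DH group, authentication and encryption must be identical on both gateways."""
    return [k for k in ("dh_group", "authentication", "encryption") if local[k] != peer[k]]


def ipsec_mismatches(local: Dict, peer: Dict) -> List[str]:
    """Phase 2: the protocol must match and each proposal set needs at least one common member."""
    issues = []
    if local["protocol"] != peer["protocol"]:
        issues.append("protocol")
    for k in ("encryption", "authentication", "dh_group"):
        if not (local[k] & peer[k]):
            issues.append(k)
    return issues


def proxy_id_issues(local: Dict[str, str], peer: Dict[str, str]) -> List[str]:
    """Proxy IDs must mirror each other (our local is the peer's remote and vice versa),
    and the local and remote networks of one side should not overlap."""
    issues = []
    l_local, l_remote = ip_network(local["local"]), ip_network(local["remote"])
    p_local, p_remote = ip_network(peer["local"]), ip_network(peer["remote"])
    if l_local != p_remote or l_remote != p_local:
        issues.append("proxy IDs are not mirrored between peers")
    if l_local.overlaps(l_remote):
        issues.append("local and remote proxy-ID networks overlap")
    return issues


def diagnose(local_ike=LOCAL_IKE, peer_ike=PEER_IKE, local_ipsec=LOCAL_IPSEC,
             peer_ipsec=PEER_IPSEC, local_proxy=LOCAL_PROXY, peer_proxy=PEER_PROXY) -> Dict[str, List[str]]:
    """Run all three checks; an empty list for a phase means nothing was found."""
    return {
        "ike": ike_mismatches(local_ike, peer_ike),
        "ipsec": ipsec_mismatches(local_ipsec, peer_ipsec),
        "proxy_id": proxy_id_issues(local_proxy, peer_proxy),
    }


if __name__ == "__main__":
    for phase, problems in diagnose().items():
        print(f"{phase}: {problems or 'ok'}")
```

With the constructed peer, phase 1 fails on the DH group (group2 versus group5) before phase 2 is ever negotiated, which matches the order in which you would see failures in the system log: fix IKE first, then re-check IPSec and the proxy IDs.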
Lab Details
1. An administrator in your organization recently added some new policy rules to the
firewall. You have just learned that your users cannot load any websites:
a. Diagnose the problem and implement a solution to restore a basic level of internet
access.
b. You can consider this task complete when you can successfully load the website
http://www.example.com in a browser from your client machine.
2. SSL websites are not being decrypted:
a. Corporate policy requires that all traffic be decrypted by the firewall.
b. You go to the website www.ssllabs.com and receive the error message, This site
can't provide a secure connection. Determine why and resolve the problem.
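Both the Lab 3 task (users still cannot reach the internet after routing is fixed; "analyze all the policy rules") and step 1 of this lab (an administrator added rules and websites stopped loading) come down to the same two questions: which rule does a given flow hit first, and is the rule you expected to allow it shadowed by an earlier, broader one? The Python script below is an added example for this guide, not code from the lab or from PAN-OS: it models a small constructed rulebase (the rule names, addresses and the app/service tables are assumptions made for the example), evaluates a test flow top-down the way the firewall does, and reports rules that can never match because an earlier rule covers all of their traffic.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed lookup tables (assumed for the example): default ports per App-ID
# and the port sets behind named service objects.
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "facebook-base": {80, 443}}
SERVICES = {"service-http": {80, 8080}, "service-https": {443}}

# Constructed rulebase, top to bottom. The "deny-all-web" rule was "recently added"
# above the allow rule and is the kind of change that breaks web access.
RULES = [
    {"name": "block-social", "from": "inside", "to": "outside", "source": "any",
     "destination": "any", "application": {"facebook-base"},
     "service": {"application-default"}, "action": "deny"},
    {"name": "deny-all-web", "from": "inside", "to": "outside", "source": "10.1.1.0/24",
     "destination": "any", "application": {"any"},
     "service": {"service-http", "service-https"}, "action": "deny"},
    {"name": "allow-web", "from": "inside", "to": "outside", "source": "10.1.1.0/24",
     "destination": "any", "application": {"web-browsing", "ssl"},
     "service": {"application-default"}, "action": "allow"},
]

# Constructed test flow: a client loading an HTTP page on a documentation-range address.
TEST_FLOW = {"from": "inside", "to": "outside", "src": "10.1.1.25",
             "dst": "203.0.113.10", "app": "web-browsing", "port": 80}


def service_matches(rule: Dict, flow: Dict) -> bool:
    """Service column: 'any', the flow app's default port, or a named service object."""
    for svc in rule["service"]:
        if svc == "any":
            return True
        if svc == "application-default":
            if flow["port"] in APP_DEFAULT_PORTS.get(flow["app"], set()):
                return True
        elif flow["port"] in SERVICES[svc]:
            return True
    return False


def rule_matches(rule: Dict, flow: Dict) -> bool:
    """Zone, address, application and service criteria must all match."""
    if rule["from"] not in ("any", flow["from"]) or rule["to"] not in ("any", flow["to"]):
        return False
    for side, key in (("source", "src"), ("destination", "dst")):
        if rule[side] != "any" and ip_address(flow[key]) not in ip_network(rule[side]):
            return False
    if "any" not in rule["application"] and flow["app"] not in rule["application"]:
        return False
    return service_matches(rule, flow)


def first_match(rules: List[Dict], flow: Dict) -> Optional[Dict]:
    """Top-down first match; None means the implicit interzone deny applies."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule
    return None


def rule_ports(rule: Dict) -> Optional[Set[int]]:
    """Expand a rule's service column to a concrete port set; None means every port."""
    ports: Set[int] = set()
    for svc in rule["service"]:
        if svc == "any" or (svc == "application-default" and "any" in rule["application"]):
            return None
        if svc == "application-default":
            for app in rule["application"]:
                ports |= APP_DEFAULT_PORTS[app]
        else:
            ports |= SERVICES[svc]
    return ports


def _covers_net(a: str, b: str) -> bool:
    return a == "any" or (b != "any" and ip_network(b).subnet_of(ip_network(a)))


def _covers_set(a: Set[str], b: Set[str]) -> bool:
    return "any" in a or ("any" not in b and b <= a)


def shadowed_rules(rules: List[Dict]) -> List[str]:
    """Names of rules that can never match because an earlier rule covers all their traffic."""
    names = []
    for j, later in enumerate(rules):
        later_ports = rule_ports(later)
        for earlier in rules[:j]:
            earlier_ports = rule_ports(earlier)
            if (earlier["from"] in ("any", later["from"])
                    and earlier["to"] in ("any", later["to"])
                    and _covers_net(earlier["source"], later["source"])
                    and _covers_net(earlier["destination"], later["destination"])
                    and _covers_set(earlier["application"], later["application"])
                    and (earlier_ports is None
                         or (later_ports is not None and later_ports <= earlier_ports))):
                names.append(later["name"])
                break
    return names


if __name__ == "__main__":
    hit = first_match(RULES, TEST_FLOW)
    print("matched:", hit["name"] if hit else "implicit deny", "->", hit["action"] if hit else "deny")
    print("shadowed:", shadowed_rules(RULES))
```

Run as is, the test flow is denied by deny-all-web and allow-web is reported as shadowed; moving allow-web above the deny rule (or removing the deny) makes the same flow match allow-web and clears the shadow report, which is the kind of ordering fix these two lab tasks are after.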
Stop. This is the end of the SSL Decryption Policy Troubleshooting lab scenario.
Lab Details
1. Load configuration file edu-311-lab-05.
2. Commit the configuration and note the dependency warnings.
3. You notice that you cannot browse the web. You need to establish web-browsing access
to sites such as wikipedia.org and eicar.org. Troubleshoot the problem and enable access.
4. Corporate policy allows access to media services Deezer and Google Music. Many of
your users report that they cannot use these applications from within the various regions.
Determine why and resolve the problem.
5. The firewall is supposed to be configured to block all antivirus, work, and virus
downloads. However, during tests on a user's system, you discover the ability to
successfully download a file containing a virus from the EICAR test site at eicar.org.
Troubleshoot and resolve the issue.
6. Your firewall maps IP addresses to usernames for use in Security policy rules and
logging:
a. One of your firewall administrators has enabled and configured the integrated User-
ID on the firewall.
b. A legacy configuration (that is not working) for an instance of the standalone agent
has been removed from the target server.
c. Unfortunately, users are not being successfully mapped to IP addresses as expected.
d. Identify and fix the problem to ensure that your company's users are successfully
mapped to the correct IP addresses for use in Security policy rules and logs.
Hint: In this lab, the correct port number for communication with the LDAP server
that the integrated agent uses to communicate with the Active Directory server is 389.
Stop. This is the end of the Policy and Performance Troubleshooting lab scenario.
Stop. This is the end of the Policy and Performance Troubleshooting lab solution.