Palo Alto Networks

Firewall
Debug and Troubleshoot

Lab Guide
PAN-OS 8.0
EDU-311
Courseware Version A

Palo Alto Networks Technical Education

Palo Alto Networks, Inc.
https://www.paloaltonetworks.com
2007-2017, Palo Alto Networks, Inc.
Palo Alto Networks and PAN-OS are registered trademarks of Palo Alto Networks, Inc. All other
marks mentioned herein may be trademarks of their respective companies.

2017, Palo Alto Networks, Inc. Page 2

Table of Contents
Table of Contents.............................................................................................................................3
Typographical Conventions.............................................................................................................5
How to Use This Lab Guide............................................................................................................6
Lab Guide Objectives......................................................................................................................7
Lab 1 Scenario: Administrative Troubleshooting............................................................................8
Scenario........................................................................................................................................8
Lab Notes.....................................................................................................................................8
Lab 1 Solution: Administrative Troubleshooting..........................................................................10
Import the Configuration Files...................................................................................................10
Load the Configuration Files.....................................................................................................12
View the Configuration from the CLI and the WebUI...............................................................13
Gather Basic System Information..............................................................................................14
Gather Advanced Information....................................................................................................14
Lab 2 Scenario: Firewall Troubleshooting....................................................................................16
Scenario Details.........................................................................................................................16
Lab 2 Solution: Firewall Troubleshooting.....................................................................................18
Troubleshoot Administrative Access..........................................................................................18
As student Admin, Create a New DMZ Security Zone..........................................................19
Troubleshoot User Authentication Issues...................................................................................20
Perform a Dynamic Update........................................................................................................20
Lab 3 Scenario: Layer 3 Troubleshooting.....................................................................................23
Lab Details.................................................................................................................................23
Tunnel Configuration Information.............................................................................................24
Ethernet 1/3 Interface Specification.......................................................................................24
DMZ Security Zone Specification.........................................................................................24
IKE Gateway Specification....................................................................................................24
IKE Crypto Profile Specification...........................................................................................25

2017, Palo Alto Networks, Inc. Page 3

 IPsec Crypto Profile Specification.........................................................................................25
IPsec Tunnel Configuration Specification..............................................................................25
Test Tunnel Connectivity...........................................................................................................26
Lab 3 Solution: Layer 3 Troubleshooting......................................................................................27
Troubleshoot Loss of Connectivity to the Internet....................................................................27
Troubleshoot HTTP/HTTP Access to Websites.........................................................................27
Investigate the Activity and Relevance of Legacy Policies.......................................................28
Troubleshoot Connectivity to a Specific Address......................................................................28
Troubleshoot VPN Tunnel Configuration..................................................................................28
Lab 4 Scenario: SSL Decryption Policy Troubleshooting.............................................................30
Lab Details.................................................................................................................................30
Lab 4 Solution: SSL Decryption Policy Troubleshooting.............................................................31
SSL Websites Are Not Decrypted..............................................................................................31
Lab 5 Scenario: Policy and Performance Troubleshooting...........................................................33
Lab Details.................................................................................................................................33
Lab 5 Solution: Policy and Performance Troubleshooting............................................................35
Troubleshoot an Inability to Access Allowed Media Services...................................................35
Failure to Block Infected Files...................................................................................................36
Troubleshoot a Problem with User-ID.......................................................................................36
Why Some Web Pages Are Timing Out.....................................................................................36
Create and Review a Video Stream Packet Capture..................................................................37

2017, Palo Alto Networks, Inc. Page 4

Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.
Convention Meaning
Bolding Names of selectable items
in the web interface
Courier font Text that you enter and
coding examples
Click Click the left mouse button
Right-click Click the right mouse
button
< > (text enclosed Parameter in the Lab
in angle brackets Settings Handout
2017, Palo Alto Networks, Inc.
Example
Click Security to open the Security Rule
Page
Enter the following command:
a:\setup
The show arp all command yields this
output:
username@hostname> show arp
<output>
Click Administrators under the Device
tab
Right-click the number of a rule you want
to copy, and select Clone Rule
Click Add again and select <Internal
Interface>
Page 5
How to Use This Lab Guide
The lab guide presents five high-level troubleshooting scenarios, with each followed by a
solution section that provides step-by-step guidance on at least one possible way to solve the
problems presented by the scenario. The information provided in the scenario sections is
intentionally minimal, typically providing you only an outline of what you need to do.
Your goal is to define, document, diagnose and resolve the problems that each scenario presents
using the tools discussed during the workshop lecturesand, to the best of your ability, to do so
without relying on the solution sections of the book.
If you do require procedural guidance beyond what is provided in the scenario sections,
first seek input from other participants and your instructor. Use the information in the
solution sections only as a last resort.
Note that some lab scenarios may not correspond to any specific lecture module and may
instead be designed to validate your understanding of the tools and techniques discussed
across multiple lectures.
Attempt the lab scenarios in the order specified by the instructor so that the class can
discuss its findings as a group to further enhance the learning experience.

Note: Unless specified, use the Chrome web browser and the PuTTY SSH client to perform the
tasks required. These applications are pre-installed, and shortcuts to them have been added to the
Windows desktop of the management workstation within the lab.

2017, Palo Alto Networks, Inc. Page 6

Lab Guide Objectives
When you have finished these labs, you will be able to complete these tasks:
Use the CLI to load configurations and commit changes
Use the CLI to view system status, identify potential problems, and change settings
Review system configuration and policy details using the WebUI and CLI
Identify the potential impact of configuration options and settings on reported symptoms
Identify known problems with sample configurations and fix them

2017, Palo Alto Networks, Inc. Page 7

Lab 1 Scenario: Administrative Troubleshooting
In this lab, you will:
Import configuration files from the CLI interface using TFTP
Load configuration file edu-311-lab-01 and log in with the admin user credentials
Review the lab architecture and addressing scheme

Scenario

Lab Notes
Use the CLI and the GUI of the firewall to perform these exercises. Some actions may be
available only from the CLI.
Use both SSH and HTTPS to access the firewall through its management interface. The
management interface is 192.168.1.254. Log in to the firewall with the default username
(admin) and password (admin).

2017, Palo Alto Networks, Inc. Page 8

 1. Import the course configuration files:
a. First look in the lab folder on your Windows desktop for the courses configuration
files. Ask your instructor for guidance if this folder and/or the files do not exist.
b. Import all edu-311-lab-## configuration files into the firewall. Use both the CLI
TFTP import method and the import method of the GUI.
2. Load the first configuration file, edu-311-lab-01, and commit the changes.
3. View the running configuration from the CLI and the WebUI:
a. Configure the firewall to display the configuration in set mode when viewed from
the configuration prompt. Review the format differences between displaying
configuration information in JSON, XML, and set (set-command) format.
b. View the configuration of the newly loaded file.
4. Display and review basic system information:
a. View overall system information.
b. Document the architecture, noting the configured zones, interfaces, and virtual routes.
c. Analyze the Security policies and NAT policies, and explain:
- Why can you launch a browser and freely browse the internet?
- What enables the firewall to allow all applications to pass?
5. Gather advanced information
a. Generate a Tech Support (TS) File.
b. View the details of the newly generated TS File.
c. Compare the process of reviewing log files externally with the functionality available
directly on the firewall.
d. Review services and processes running on the system and examine the overall system
load.

Stop. This is the end of the Administrative Troubleshooting lab scenario.

2017, Palo Alto Networks, Inc. Page 9

Lab 1 Solution: Administrative Troubleshooting
Import the Configuration Files
1. Copy the five configuration files to your student desktop:
edu-311-lab-01
edu-311-lab-02
edu-311-lab-03
edu-311-lab-04
edu-311-lab-05
2. Import all five of these config files to the firewall.
3. Open an SSH session with the firewall using PuTTY, and log in using the administrator
credentials admin and admin:

4. Launch the program 3CDaemon to configure and start a TFTP server service.
a. In the navigation pane, click the TFTP Server > Configure TFTP Server icon.
b. On the TFTP Configuration tab, specify and/or verify the Upload/Download
directory value. Use C:\Users\lab-user\Desktop\lab\. Then click OK:

2017, Palo Alto Networks, Inc. Page 10

 c. In the navigation pane, click TFTP Server > Go to start the TFTP service.
5. From the CLI (via SSH) on the firewall, use TFTP to download configuration files from
your workstation via the TFTP server. Use the command tftp import
configuration from <Desktop IP Address> file <Configuration
file [0-3]>:

6. Review the log output showing the successful TFTP transfer:

7. You also can import configurations using the WebUI. Open a browser and go to
https://192.168.1.254 to load the GUI of your firewall:
Device > Setup > Operations > Import

2017, Palo Alto Networks, Inc. Page 11

Load the Configuration Files
Throughout the lab, you will need to load each of the five configuration files to the firewall at
different times, following the directions provided in this guide. You can load these configuration
files from the CLI or from the WebUI. The CLI method is displayed first.
1. Load the edu-311-lab-01 file.
2. Switch to configuration mode. Enter the command configure.
3. Once in configuration mode, type load config from and then press the Tab key to
display the list of configuration files that currently reside on the firewall:

4. Complete the command by entering the name of the target configuration (edu-311-
lab-01) and pressing Enter to load the configuration.
A commit operation will be required. Note that in a real environment, you should make
any administrative changes to the firewall (updating of accounts, passwords, IP
addresses, or interfaces) before running the commit operation. Log in via the CLI and
review basic navigation of the CLI, looking at software versions and specific license
information.
5. You can load the configuration files using the GUI. Click Device > Setup > Operations
> Load and select the target configuration:

2017, Palo Alto Networks, Inc. Page 12

 6. After loading the configuration file, perform a commit, using the CLI or WebUI. The CLI
process is as follows:

View the Configuration from the CLI and the WebUI

1. Two methods for viewing the running configuration are available from the CLI:
> show config running from the main prompt
# show from the configuration prompt
2. To view the configuration in set mode, rather than the default JSON format, enter set
cli config-output-format set from the main prompt. This command then
will change the output shown in configuration mode.
3. From the main prompt (not in configuration mode), you can see the difference between
the running and candidate configs with the command show config diff.
4. In configuration mode, use the commit command to apply changes.

2017, Palo Alto Networks, Inc. Page 13

Gather Basic System Information
1. Review the configuration settings of your firewall.
2. Use both the CLI and the WebUI to familiarize yourself with the current configurations.
Useful commands include the following:
> show system info
> show interface all
> show running {security-policy | pbf-policy | nat-policy}
> show routing summary
Key questions to consider are as follows:
Which version of PAN-OS software are you running?
Which Threat Version is loaded, and what is the threat release date?
What is the App-ID version, and what is the Antivirus version?
Which URL database is the firewall configured for?
What is the WildFire version and its release date?
Is the firewall licensed?
What is the hostname of your firewall?
How many security zones are there?
Which interface is in which security zone?
Does each interface have an IP address?
What is the interface type (TAP, Virtual Wire, HA, Layer 2, or Layer 3), and why?
Is a NAT policy configured?
How many static routes and how many connected routes are there?

Gather Advanced Information

You can create a Tech Support File from the CLI with the scp export tech-support
command or by using the WebUI. Within this lab environment a server may not be available to
perform the secure copy. If this is the case, dont perform an SCP download.
Note: The command request tech-support dump will generate a TS File, but you
cannot download this file from the CLI. You can download it via the WebUI; click Device >
Support > Tech Support File and find the download link in the Tech Support File section of
the page:

2017, Palo Alto Networks, Inc. Page 14

 1. To extract the contents of the TS File, you will require a tool that can open a TAR
archive. 7-Zip is one such program and is provided for the lab. After you extract all the
files, find and note the different directories that have been created.
The generated TS File is in the \pcaps\tmp\cli directory; a \pcaps\tmp\cli\logs directory
displays various system logs.
Review some logs for confirmations and other interesting data.
2. Use the show running resource-monitor and show system resources
commands to display system processes. Use the show system disk-space
command to display the disk space:

3. When you are done, log out of the firewall and close the browser.

Stop. This is the end of the Administrative Troubleshooting lab solution.

2017, Palo Alto Networks, Inc. Page 15

Lab 2 Scenario: Firewall Troubleshooting
In this lab, you will:
Load configuration file edu-311-lab-02
Troubleshoot user authentication issues
Create a new zone on the firewall
Perform a dynamic update

Scenario Details
During this lab, you will be instructed to log in to the firewall using various accounts. Each
account will have its own set of problems to fix.
1. Load the configuration file edu-311-lab-02 to the firewall. Commit. (There is no
password for access to the file itself.)
2. Attempt to log in to the firewall using both SSH and HTTPS. Discover, define, and
resolve any issues that you may encounter using and/or logging on to the WebUI after
loading the new configuration. (Hint: Use the CLI to discover the services that are
running, or are not running, on the firewall.)
3. Firewall administrator student needs to make certain changes to the firewall.
Specifically, the administrator needs to create a DMZ security zone and assign a tunnel
interface to this newly created zone. However, the admin who logs in with the
username/password of student/pan123 is unable to manage the firewall as expected.
Troubleshoot and resolve this problem by attempting to log in via both SSH and HTTPS.
Then make corrections so that the student administrator account may create the new
zone. Proceed once the student account can successfully create the new zone.
4. Two of your global firewall administrators no longer can log in to this firewall. Both
continually receive an Invalid username or password error message, yet both users can
log in successfully, using the same credentials, to the other firewalls in your organization.
Both accounts use the same password of Password1!.
Without changing any passwords, use the following information and the network
diagram in the Lab 1 Scenario section of this guide to troubleshoot and resolve this
issue.
User student07 should authenticate using LDAP, and student08 should authenticate
using RADIUS. Fix the authentication issue for student07 and student08.
Hint: To troubleshoot and resolve the issues, log in as admin/admin.

2017, Palo Alto Networks, Inc. Page 16

 5. Ensure that the firewall has the latest Antivirus and Application and Threats content by
attempting a dynamic update:
Attempt the Antivirus update via the CLI.
Attempt the Application and Threats update via the WebUI.
Resolve any issues. The update server for this firewall is
updates.paloaltonetworks.com.

Stop. This is the end of the Firewall Troubleshooting lab scenario.

2017, Palo Alto Networks, Inc. Page 17

Lab 2 Solution: Firewall Troubleshooting
Troubleshoot Administrative Access
1. After you load the configuration file edu-311-lab-02 and commit it to the firewall, the
WebUI becomes dysfunctional. Close the browser, open it, and attempt to reconnect to
the HTTP/HTTPS management interface at 192.168.1.254. The attempt will fail.
a. Open an SSH connection and attempt to log in using the student admin account
with the password pan123. The firewall will terminate the connection.
b. Open a new SSH connection, and log in using the admin account with
admin/admin credentials. The attempt should succeed.
2. In this configuration, the management interface settings for HTTP and HTTPS have been
disabled, which prevents anyone from connecting and logging in to the WebUI.
To display information about which management services are enabled or disabled, use the
command show system services:

admin@lab-firewall> show system services

HTTP : Disabled
HTTPS : Disabled
Telnet : Disabled
SSH : Enabled
Ping : Enabled
SNMP : Disabled

3. To correct the problem that HTTPS is disabled, use the following CLI commands:
# configure
# set deviceconfig system service disable-https no
# show deviceconfig system service
# commit

admin@lab-firewall> configure
Entering configuration mode

admin@lab-firewall# set deviceconfig system service disable-https no

2017, Palo Alto Networks, Inc. Page 18

 admin@lab-firewall# show deviceconfig system service
service {
disable-http yes;
disable-https no;
disable-telnet yes;
disable-ssh no;
disable-icmp no;
disable-snmp yes;
}

admin@lab-firewall# commit
Commit job 3845 is in progress. Use Ctrl+C to return to command prompt
...55% 75% 99%......100%
Configuration committed successfully

admin@lab-firewall#

4. When the commit completes, launch a browser and reattempt to log in to the WebUI
using the student admin account with the password pan123. You should expect a
successful login.

As student Admin, Create a New DMZ Security Zone

1. While attempting to create the new DMZ security zone, you discover that this account is
unable to create security zones. This is a custom Admin Roles problem that you must fix
before you can create the new zone.

2. Attempt as the student administrator to give yourself the rights necessary to create a
new zone. Click Device > Admin Roles > students.
3. Log out, and log in to the WebUI as admin/admin.

2017, Palo Alto Networks, Inc. Page 19

 4. Review the existing admin roles on the system. Assign the student admin account to the
Students admin role (or another one that you create or that is otherwise sufficient to
accomplish the task):

5. Commit the change. Log out from the default admin account. Log back in as
student/pan123 and create the new zone.
6. Create the new security zone from Network > Zones > Add. Name the zone DMZ and
specify the type as Layer3. Do not assign any interfaces to this zone. Click OK to close.
7. Commit the changes.

Troubleshoot User Authentication Issues

Two other firewall administrators cannot log in to this firewall:
student07/Password1!
student08/Password1!
Both student07 and student08 administrators receive an Invalid username or password error
message, yet both can log in successfully, using these same credentials, to the other firewalls
deployed throughout your organization.
Without changing any passwords, resolve this authentication issue.
1. Consult the lab diagram to determine the misconfigurations on the firewall related to the
authentication servers.
2. Fix the LDAP and RADIUS admin accounts student07 and student08 so that each is
assigned to a separate Authentication Profile. Both accounts on the LDAP and RADIUS
authentication server already exist and are configured with the password Password1!:

2017, Palo Alto Networks, Inc. Page 20

 Both LDAP services (via Active Directory) and RADIUS services (via Network Policy
Server) are running on the same Domain Controller (192.168.1.20).

Perform a Dynamic Update

1. Attempt to perform a dynamic update on the firewall. Attempt the update from both the
CLI and the Web UI.
Output from the CLI command request system software check will
demonstrate connectivity breakage.
2. Review the system log. Look for information regarding the updates.
show log system | match update
Device > Dynamic Updates

The update attempt will fail. This issue may be resolved through the CLI or the WebUI.
3. Display the currently configured update-server setting using the command > show
config running | match update.
4. Use updates.paloaltonetworks.com (instead of 192.168.50.10) as the update server.
Helpful CLI commands for specifying an update server and performing checks for
updates, downloads, and installations of update files include the following:
# configure
# set deviceconfig system update-server <Update Server>
# commit
> request anti-virus upgrade check
> request anti-virus upgrade download latest
> request anti-virus upgrade install commit yes version
latest
> request content upgrade check
> request content upgrade download latest
> request content upgrade install commit yes version latest
> request wildfire upgrade check
> request wildfire upgrade download latest
> request wildfire upgrade install commit yes version latest

2017, Palo Alto Networks, Inc. Page 21

 5. Use the > show system info command to review current software versions and to
validate the completion of update tasks.

Stop. This is the end of the Firewall Troubleshooting lab solution.

2017, Palo Alto Networks, Inc. Page 22

Lab 3 Scenario: Layer 3 Troubleshooting
In this lab, you will:
Load configuration file edu-311-lab-03
Troubleshoot loss of connectivity to the internet
Troubleshoot user complaints about incomplete webpage loading
Verify that a legacy OSPF configuration is not currently resulting in traffic routing, and
eliminate the configuration
Troubleshoot a VPN issue

Lab Details
Users report that they cannot connect to internet websites. Identify and correct the problem to
restore normal internet connectivity.
1. Load configuration file edu-311-lab-03 and commit.
2. Use the network diagram in the first section of this guide and any other associated
information to troubleshoot any possible routing issues.
3. After you find and fix the basic routing issues, users can still not access the internet:
a. Analyze all the policy rules to troubleshoot this problem.
b. Find the issue and fix it.
4. The network topology has changed in recent months. You notice what looks like a legacy
OSPF configuration for an interface that you believe is no longer active:
a. Discover whether the interface and configuration are still active.
b. Discover whether traffic is currently being routed to this interface.
c. If there is no perceivable active use of the current OSPF configuration, reconfigure
the firewall to remove this configuration.
5. Unfortunately, you now realize that your student PC cannot ping an important server on
the internet:
a. The public IP address of the server you are trying to ping is 4.2.2.2.
b. Analyze all the policy rules to identify the problem, and then resolve the connectivity
issue.
c. Remember to use best practices in the creation of additional NAT policies and
Security policy rules, as needed.
6. Troubleshoot VPN connectivity:

2017, Palo Alto Networks, Inc. Page 23

 a. The current VPN configuration is badly formed, not working, and must be evaluated
thoroughly.
b. Use the network diagram in the first section of this lab guide and the following
configuration specification information to validate current parameters, identify
misconfigured parameters, add missing configuration elements, and resolve any other
issues related to the broken VPN connection.

Tunnel Configuration Information

Ethernet 1/3 Interface Specification

Parameter Value
Comment (optional) dmz interface

Interface Type Layer3

Virtual Router lab-vr
Security Zone DMZ
IPv4 Address Type Static
IP Address 192.168.50.1/24

Management Profile allow-ping

DMZ Security Zone Specification

Parameter Value
Name DMZ

Type Layer3 should be selected

IKE Gateway Specification

Parameter Value
Name tunnel-to-peer

Version IKEv1 only mode

Interface ethernet1/3
Local IP Address 192.168.50.1/24
Peer Type static
Peer IP Address 192.168.50.10

2017, Palo Alto Networks, Inc. Page 24

 Parameter Value
Pre-shared Key paloalto

Local ID None
Peer ID None
Advanced > IKE Crypto AES256-DH2-SHA2
Profile

IKE Crypto Profile Specification

Parameter Value
Name AES256-DH2-SHA2

DH Group Group 2
Authentication sha256
Encryption aes-256-cbc

IPsec Crypto Profile Specification

Parameter Value
Name AES256-SHA256
IPSec Protocol ESP
Encryption Add aes-256-cbc
Authentication Add sha256
DH Groups Select group2

IPsec Tunnel Configuration Specification

Parameter Value
Name vpn-to-peer

Tunnel Interface tunnel.1

Type Auto Key
IKE Gateway tunnel-to-peer
IPSec Crypto Profile AES256-SHA256
Show Advanced Options Select the check box

2017, Palo Alto Networks, Inc. Page 25

 Parameter Value
Tunnel Monitor Select the check box
Destination IP 172.16.2.11

Proxy ID [tab] dmztunnel-network

Local 172.16.2.0/24

Remote 172.16.2.0/24

Test Tunnel Connectivity

On Network > IPSec Tunnels, your goal is to see both status indicators green:

Stop. This is the end of the Layer 3 Troubleshooting lab scenario.

2017, Palo Alto Networks, Inc. Page 26

Lab 3 Solution: Layer 3 Troubleshooting
Troubleshoot Loss of Connectivity to the Internet
You receive multiple reports that users can no longer access the internet. Identify and correct the
problem to restore normal internet connectivity.
1. Load the configuration file edu-311-lab-03 and commit.
2. In this scenario, the desktop can ping its own default gateway (192.168.1.1) and the next
hop at 203.0.113.1 (the internet access point) in the network diagram.
3. You can identify and correct the problem only after looking at the addressing of the actual
network topology and discovering that the next hop for the default route of the virtual
router is misconfigured.

Troubleshoot HTTP/HTTP Access to Websites

After you restore internet connectivity, you can ping internet addresses (8.8.8.8) and get DNS
resolutions (such as for google.com), but you still cannot access internet websites.
1. Analyze all the Security policy rules.
2. Review all the other types of policies, such as NAT, QoS, and policy-based forwarding
(PBF).
3. Find the Policy Based Forwarding policy that is configured to route all applications to a
next hop that is unreachable:
a. One solution is to put the correct gateway into the PBF policy. However, if you keep
the PBF policy and correct the next hop, you may experience problems with the VPN.
b. You could also delete or disable the PBF rule, or use a Monitor Profile, so that if the
next hop is not reachable, the routing table will be used.
c. The traffic logs will show the web-browsing and SSL traffic as application
incomplete.
d. Logs are useful for this exercise. General searching of log files groups can be
performed (grep mp-log * pattern [word]) to find which log files contain
which concepts. System logs can provide important details.
This level of log detail would not be visible in the GUI (a packet capture would be
required).

2017, Palo Alto Networks, Inc. Page 27

Investigate the Activity and Relevance of Legacy Policies
Find the current OSPF configuration and itemize all its various elements, including zone,
interface, protocol configuration, and so forth.
1. Review the current routing table. Determine whether any active routes are related to the
OSPF network.
2. Ping any peers or other routers to which you may find references. Do any of the devices
referenced within the configuration respond? Is the interface up?
3. If there is no discernible activity or other related elements to the OSPF configuration,
remove the OSPF configuration components and commit the configuration.
4. Test to verify that no mistakes were made.

Troubleshoot Connectivity to a Specific Address

You cannot ping a specific server on the internet. In this case, the IP address of the server you are
trying to ping is 4.2.2.2.
1. Analyze all policy rules to identify the problem, and then resolve the connectivity issue.
2. Check Layer 3 connectivity with NAT.
3. Use best practices in editing the existing NAT policies and Security policy rules.
4. The NAT policy for 4.2.2.2 is configured as Destination NAT instead of Source NAT.

Troubleshoot VPN Tunnel Configuration

Troubleshoot and resolve the issue and restore VPN connectivity.
1. Use the specification data provided to work through the VPN configuration.
2. Track your changes. Commit updated configuration parameters at key points.
3. Consider saving your configuration periodically and/or at key points of change so that
you will be able to revert the firewall to one of those prior states without having to start
from the beginning if you make a significant mistake.
4. Review the VPN log entries:

2017, Palo Alto Networks, Inc. Page 28

 5. Use these CLI commands to review the VPN configuration:
show vpn ike-sa
show vpn ipsec-sa tunnel dmz-tunnel-network
show vpn flow name dmz-tunnel
show running tunnel flow

Stop. This is the end of the Layer 3 Troubleshooting lab solution.

2017, Palo Alto Networks, Inc. Page 29

Lab 4 Scenario: SSL Decryption Policy
Troubleshooting
In this lab, you will:
Load configuration file edu-311-lab-04
Troubleshoot broken internet access
Troubleshoot SSL Decryption policy

Lab Details
1. An administrator in your organization recently added some new policy rules to the
firewall. You have just learned that your users cannot load any websites:
a. Diagnose the problem and implement a solution to restore a basic level of internet
access.
b. You can consider this task complete when you can successfully load the website
http://www.example.com in a browser from your client machine.
2. SSL websites are not being decrypted:
a. Corporate policy requires that all traffic be decrypted by the firewall.
b. You go to the website www.ssllabs.com and receive the error message, This site
cant provide a secure connection. Determine why and resolve the problem.

Stop. This is the end of the SSL Decryption Policy Troubleshooting lab scenario.

2017, Palo Alto Networks, Inc. Page 30

Lab 4 Solution: SSL Decryption Policy
Troubleshooting
SSL Websites Are Not Decrypted
1. Load configuration file edu-311-lab-04 and commit.
2. DNS is missing from the policy that allows specified applications. Add DNS to the list of
permitted applications.
3. Test loading the website www.ssllabs.com. Notice the error message, This site cant
provide a secure connection. Determine the cause of the error and resolve the problem.
(Note that this message may appear only on your very first attempt to connect to the site,
with subsequent attempts resulting in a simple failure to connect.)
4. Check the Decryption Profile associated with the Decryption policy:
a. The firewall is configured to decrypt all SSL traffic. You again try to access the test
site (www.ssllabs.com). The page first looks broken, but when you refresh the page,
everything looks correct.
b. The current Decryption policy uses a Decryption Profile that decrypts traffic from
websites using SSL 3.0 protocol. The website www.ssllabs.com does not support the
SSL 3.0 protocol. This site uses only the TSL protocol.
This mismatch of protocols is causing the problem. To resolve the issue, select a
different profile or remove the Decryption Profile from the Decryption policy.
5. Go to the traffic logs and enable the Resolve hostname option. Create a filter for
www.ssllabs.com. Notice that the filter uses the IP address of the website.
Hint: Click to display the Decrypted column if you do not see it in the log file:

2017, Palo Alto Networks, Inc. Page 31

 6. The log entries for the destination address (64.41.200.100) show that the SSL traffic is
not being decrypted. Troubleshoot and resolve the issue.
Hint: View the browsers Trusted Root Store.
The certificate error requires the student to export the certificate from the firewall and
import the certificate into the students browser as a Trusted Root Store certificate.
7. After you have resolved the decryption problem, the SSL traffic is still not being
decrypted. What could cause a site to not be decrypted?
8. The site will not decrypt because the first time the student accessed the website, the site
was added to the exclude cache for SSL sites:
a. You can use the CLI command show system setting ssl-decrypt
exclude-cache to view all cached sites.
b. You will see that the website is cached.
9. You will need to clear the cache using the CLI command debug dataplane reset
ssl-decrypt exclude-cache.
10. Once the cache is clear, you can see that the site is now being decrypted.
Hint: the show system setting command has an additional option that will be
helpful to troubleshoot this issue.
Try clearing the SSL cache using the debug dataplane reset command.

2017, Palo Alto Networks, Inc. Page 32

 Stop. This is the end of the SSL Decryption Policy Troubleshooting lab solution.

2017, Palo Alto Networks, Inc. Page 33

Lab 5 Scenario: Policy and Performance
Troubleshooting
In this lab, you will:
Load configuration file edu-311-lab-05
Troubleshoot an inability to access allowed media services
Troubleshoot why malicious files were not blocked
Troubleshoot a problem with User-ID technology
Troubleshoot webpages that continue to time out
Create and review a video-stream packet capture

Lab Details
1. Load configuration file edu-311-lab-05.
2. Commit the configuration and note the dependency warnings.
3. You notice that you cannot browse the web. You need to establish web-browsing access
to sites such as wikipedia.org and eicar.org. Troubleshoot the problem and enable access.
4. Corporate policy allows access to media services Deezer and Google Music. Many of
your users report that they cannot use these applications from within the various regions.
Determine why and resolve the problem.
5. The firewall is supposed to be configured to block all antivirus, work, and virus
downloads. However, during tests on a users system, you discover the ability to
successfully download a file containing a virus from the EICAR test site at eicar.org.
Troubleshoot and resolve the issue.
6. Your firewall maps IP addresses to usernames for use in Security policy rules and
logging:
a. One of your firewall administrators has enabled and configured the integrated User-
ID on the firewall.
b. A legacy configuration (that is not working) for an instance of the standalone agent
has been removed from the target server.
c. Unfortunately, users are not being successfully mapped to IP addresses as expected.
d. Identify and fix the problem to ensure that your companys users are successfully
mapped to the correct IP addresses for use in Security policy rules and logs.
Hint: In this lab, the correct port number for communication with the LDAP server
that the integrated agent uses to communicate with the Active Directory server is 389.

2017, Palo Alto Networks, Inc. Page 34

 7. Users complain that they cannot view certain webpages because of timeouts. These users
are attempting to access unauthorized websites. Implement a solution to inform all users
that they are not allowed to access these unauthorized sites.
8. Stream a video from your student PC. Show session information for the video traffic
using the CLI. Then view and clear the system counters. Perform a packet capture and
examine the packets to validate that the firewall correctly captured all the expected data.
Export the pcap file to the student PC and view the data in Wireshark.

Stop. This is the end of the Policy and Performance Troubleshooting lab scenario.

2017, Palo Alto Networks, Inc. Page 35

Lab 5 Solution: Policy and Performance
Troubleshooting
Troubleshoot an Inability to Access Allowed Media Services
1. Load configuration file edu-311-lab-05.
2. Commit the configuration and note the dependency warnings.
3. The current Security policy includes:
a. Explicit allows for the applications ping and ssl, and LinkedIn, Facebook, Pandora,
and Gmail.
b. Explicit denies for Gmail-chat (prior to Gmail).
c. Explicit deny all at the end.
4. Note that web browsing is not equivalent to port 80.
5. To see web-browsing denies, review the output of the show log traffic action
equal deny command:
a. Application dependency errors will be visible in the mp-log ms.log.
b. You can discover the specific log (ms.log) by grepping all of the mp-log files for the
keyword dependency.
Discussion topics and caveats:
You must understand the impact of application dependencies. Problems with
dependencies can be seen in the mp-log files.
The order of applications may not make a difference in control but can help with
readability.
Although the WebUI commit message can help you to understand the various
dependencies upon which App-ID processes rely, you cannot use this output alone to
resolve issues with complex configurations.
Copy and paste through CLI set mode works, but command ordering adds a challenge.
Key points:
Difference between web-browsing as an application type and port 80 as a source port
Applications change within a single session
Application dependency concept

2017, Palo Alto Networks, Inc. Page 36

Failure to Block Infected Files
The firewall is supposed to be configured to block all antivirus, work, and virus downloads. The
EICAR test file from eicar.org can currently be downloaded, which is against policy.
1. Examine the traffic logs
2. Examine the Security policies carefully
3. Examine the Security Profiles

Troubleshoot a Problem with User-ID

Your legacy User-ID agent has been uninstalled (and is currently misconfigured anyway), and
your integrated agent configuration isnt working right now.
1. Find the LDAP server configuration and correct port number used to connect to the
server. The correct port number is 389.
2. As you review user activity, you notice that they are associated with the management
interface of the student PC rather than the network address (network IP address with
mask in CIDR format):
a. Because the students user ID is not mapped to the inside interface, the student that
browses the web from the desktop will not be identified.
b. A Security policy is configured that will only allow traffic from student01 to go to
Facebook. The student will not be able to access Facebook until the firewall can
identify him or her.
3. An Authentication policy will correct this problem and properly map the users to the
network address.
Note: The multi-homed host issue (if it occurs) is not common. There are solutions to help
address this situation.
Helpful CLI commands for determining whether User-ID mapping and other functions are
working as expected are as follows:
> show user ip-user-mapping all
> show user user-id-agent statistics
> show user user-id-service status

Why Some Web Pages Are Timing Out

Users complain that they cannot view certain webpages because of timeouts. These users are
attempting to access unauthorized websites. Implement a solution to inform all users attempting
to access these unauthorized sites that these sites have been restricted by corporate policy:

2017, Palo Alto Networks, Inc. Page 37

 1. The application block page needs to be enabled for the user to see that the application has
been blocked.
2. Look at the output of the show log traffic action equal deny command to
see the application denies.
3. Use the # set shared response-page application-block-page
<value> command to add HTML, in base64 format, for a custom page.

Create and Review a Video Stream Packet Capture

Stream a video from your student PC. Then view and clear the system counters.
1. Before you stream the video, make sure that the Security policy rule will allow videos
from the site that you will use. For example, if you want to use YouTube, add the
applications YouTube and google-base. Also, enable Log at Session Start in the
appropriate Security policy rule.
2. Use show session to display session information. Use show session all to
show all current sessions. Use show session id [id] to display detailed
information about an individual session. Use show session info to display other
session statistics.
3. Perform a packet capture and examine the packets to validate that the firewall correctly
captured all the expected data. Export the pcap file to the student PC and display the data
in Wireshark.
4. Display counters with the show counter command. Look at the interface and global
counters.
5. Filters on the global counters can help restrict data to be viewed. Use the show
counter global filter delta yes command to provide a view that shows
only value changes since the last viewing.
6. Multiple steps may be required to properly perform the packet capture:
> debug dataplane packet-diag set filter match
(Optional, but recommended)
> debug dataplane packet-diag set filter on
(Optional, but recommended)
> debug dataplane packet-diag set capture stage [stage] file
[filename]
> debug dataplane packet-diag set capture on
You can display captures using the > view-pcap filter-pcap [filename]
command:

2017, Palo Alto Networks, Inc. Page 38

 Application of filters to packet capture is important for targeting the collection of data
and for limiting its potential to consume significant system resources.
Viewing pcap data within the WebUI is a good method to ensure the capture process is
working prior to attempting to move the file to an external system.
Pcap is an excellent tool but requires practice before you can use it with ease and
understand the impact of various operations.
Best practices for configuring packet captures include:
Capture what you need, then turn it off.
Use filters and use them properly.
Do not clear filters while capture is running. Turn off the capture before changing
filters.
Packet capture exists for six debug areas only: data plane, dhcpd, ike, l3svc, pppoed,
and routing.

Stop. This is the end of the Policy and Performance Troubleshooting lab solution.

2017, Palo Alto Networks, Inc. Page 39