CNSE - Panorama part

Cisco Network Something Engineer.

Well NO.

This is the Checkpoint Network Special Engineer.

Alright.

Certified Network Security Engineer  -  Courtesy of Palo Alto.

To be honest, i was hoping someone else had written a guide but no such luck.
A few random guys posted they passed it
and some random company or two mention they passed it.
If you are doing this to get ahead in life, I doubt you will.
The certification is unknown in the industry.
If you go on Indeed and type CNSE for the whole of the USA.
You'll get 48 hits and they will be  for college of nanoscale science and engineering
and some other healthcare programs, but then again when I started in IT no one know what a CCIE is.


Now, if you recall.
In the beginning god made the earth etc
Well eventually he made the internet and it was insecure.
So your first firewalls to protect you were stateless and basically blocked ports.
Then your second firewalls were stateful and remembered to expect traffic back on some port.

Well Palo Alto, technically doesn't care about ports.
Palo Alto is not even stateful. It simply cares about APPLICATIONS.

Now you can have 20 applications running on port 80.
AIM, messenger, facebook, youtube, chrome, salesforce, etc.
Palo Alto will use their signatures to recognize the application so you can apply rules to
APPLICATIONS.

Besides Palo Alto which is trying to break the mold you have Juniper Mikonos/Mykonos/Secure web application something {they keep rebranding}   but that is for another blog .


So.
CNSE

Wow, where do I start.
well. I have no idea.
I googled and couldn't find any sort of guide.
The best is CNSE 5.1 study guide  which looks more like a cheat sheet than a guide.

The themes for the exam are.
Have skill and knowledge in these subjects:
- Administration and Management
- Network Architecture
- Security Architecture
- Troubleshooting
- User-ID
- Content-ID
- App-ID
- Panorama
- GlobalProtect


So, I'll start with Panorama.

CNSE001

You are a serious guy, 3 kids and a bugaboo.
You manage the security for a big realestate agency.
You have two or ten datacenters with many servers.
So in each datacenter you have a firewall.
Now
You can't spend all day logging into 10 datacenters to collect and correlate logs
Also you can't have a stable security policy at all 10 locations if all you do is copy
rules manually.

Imagine a new rule,  deny sales access facebook after 11:00 pm.
The reason for that rule is you don't want people to drunk post.
So now you have to copy it 10 times to each firewall, not going to happen.

So for "serious" people you have a management platform called Panorama.
Now this platform is great.
You can now justify to a client why he has to buy Palo Alto, because Palo Alto has a management
platform, while Cisco has bobkes  and Juniper is trying to fix their "junos space".

So what does Panorama do.
1. It accumulates the logs from the devices so you can correlate data centrally.
2. It centralizes the configuration of all the firewalls.
3. Centralizes the deployment of new firewalls.

You deploy it by using
1. Virtual Machine appliance  -  ESXi 3.5   or  VM 1.0.6+
2. Appliance  (M-100)

So let's start by viewing the appliances.
If ever you want pricing. Go to any site  and there should be MSRP prices on each item.

PAN-M-100	M-100, 1TB RAID 1 storage (2 1TB RAID certified drives preinstalled)	$10,000
PAN-M-100-4TB	M-100, 4TB RAID 1 storage (8 1TB RAID certified drives preinstalled)	$15,000

So, since you have two sizes. The first logical assumption you can make is that the TB storage will depend on how many logs do you estimate you will have.

Unfortunately there is nothing on the partner portal to tell you how to size this.
So my recommendation is to by the first one.
Monitor the size of the drive increase over time and based on that you can make your "retention" and future sizing of future purchases.
Now, do I think 6TB of storage is worth $5,000. No.

So, we have the device  M-100.
Now we need to license each of the firewalls we have.
The licensing starts at.

PAN-M-P-25	Panorama central management software license, 25 devices or log collector for the M-series	$10,000
PAN-M-P-100	Panorama central management software license, 100 devices for the M-series	$25,000
PAN-M-P-1K	Panorama central management software license, 1000 devices for the M-series	$75,000

So using MSRP. The lowest cost Panorama will be $20,000
10000 hardware
10000 licensing.

Wait, still not done.
You have to add the yearly support costs.

PAN-SVC-4HR-M-100-P-100	4-Hour Premium support year 1, Panorama M-100 100 devices	$7,350
PAN-SVC-PREM-M-100-P-100	Premium support year 1, Panorama M-100 100 devices	$5,600

4 hour means within 4 hours of them determining the problem is the hardware they will send a replacement.
Premium just means Next business day.

CNSE002

So, lets break it up with some images.
Above is the Palo Alto M-100 appliance with 8 HD and the license.
sss

CNSE003

Let's review the equipment.
There is 1 10/100/1000 port at the front.  (9)


CNSE004


There is a console port at the front. (8)
There is a port not in use   (10)   future use maybe.
There are two ports in the back that are reserved for future use.
The power is in the back. Single power.

A neat feature.
This M-100 has a UID   Unique ID   this is a button  (5) you press.
It will make the device LED blink. Then when you go to the other side of the rack you can easily recognize
the device and avoid unplugging the wrong this.

So let's summarize their slides.
Either Vmware or Appliance.
Licenses are required for the endpoint firewalls   25,100,1000 increments.
You can take a 25 license and convert the M-100 into a "collector" , this will help offload processing from the main M-100 in this scenario. {Slide CNSE001 references this}

Installation.
The device comes with the rack rails.
Either 4 post or 2 post and threaded or not.
If you have no idea what I am talking about.
Then try www.apc.com or www.tripplite.com 

M-100 Vmware.
Here you can avoid paying $10000 per appliance.
Minimum.
Quad Core VM
4GB DRAM
ESX 4.1    each document they say something else, so double check and try it first before deploying.
remember, hard in training easy in combat.
2 TB maximum HD on the VM for logs.

Security.
For both it is a Radius or local
Active / passive  is the HA
Up to 1000 devices is the maximum.

References
https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/datasheets/panorama/panorama.pdf

Panorama hardware installation guide.

Templates.
https://live.paloaltonetworks.com/docs/DOC-4125
In Panorama.
Well, let's say you have 500 firewall and you want to replace the NTP server with a new IP.
So either you QTP {script using GUI} Perl it  or use a "template"
Since Panorama is mainly for security administrators who are more GUI orientated
the template has been offered.
Templates control the NETWORK settings
For example I can configure the template  DMZ_template

Now when ever I have a new router. I apply the template   DMZ_template and I get a router
configured with the right interfaces.
Saved myself some time. So now I can go slack off and update my blog and learn something new.

Now I can totally add to that.
For example I can say on the WAN interface don't allow ping
on the DMZ don't allow telnet
etc.
Basically you bundle up all the settings. This way you don't have to repeat it every time which is an
action that is prone to errors.



s


an example of configuring the mgmt interface in the template.


How to create templates.
First, templates are supported in version 5.0 and later.
Option 1
Create a template as a place holder, commit, get new device,  apply the template to the device.

Option 2
Create a template, assign devices, commit to the devices.

OK,
I'll switch a little
In the Palo Alto Portal you can get a Panorama training
Panorama Management Software 121 PAN-OS v.5.1
So let's try summarizing it.

Panorama  PAN-OS v5.1

Image	text
	Managing many firewalls becomes complex. High availability of centralized management. cetralized configuration and software maintenance allows you to configure once and share it among the devices. Centralized logging. HA can be done active/passive
	Different people will need different permissions on the Panorama management. responsibility or geography
	Panorama provides visibility and control through an easy GUI. You can aggregate logs from many devices into a central location. Management is done through templates, device groups, role based administration  and update management. You can store configuration backups on Panorama. Panorama can be converted into a dedicated log collector. Updates and licenses can be managed and deployed centrally.
	This is basically a slide for dummies Showing how Panorama gives you flexibility.
	Sizing. - This is key for the exam. < 10  you can use VM panorama <100 devices you are fine with 1 > 100   you should look into scaling it out the reasons are the log collection and geographical distances between collectors and firewalls.
	The VM  <10 devices is. 64 bit so you can add more memory to VM. ESXi 5.0 64 bit must be used The file is OVF and you downlaod it. A snapshot will return the system to what it was when the snapshot was taken.
	M-100 same or better than the VM. Provides Log collection capability, which means you can take a Panorama and dedicate it to log collection. Only M-100 can do log collection.
	Collector Group :  Panorama allows you the option to set up a collector group. The reason is that you can set up different storage retention and SNMP.
	Panorama and the firewall will talk SSL TCP port   3978
	You can download updates to Panorama and then send them to the firewalls. This allows you to download the updates once and do this in a central fashion. You can also apply licenses from a central location.
	You can aggregate the reporting. Instead of seeing per device the reports. Panorama aggregates them which allows you to defend the whole network and correlate data.
	Panorama admins Dynamic Superuser - full access. Superuser read only -  read only Panoarama administrator - can't create other admins Role based - more granular control. Local admin can only get Dashboard and Security policies access.
	Management IP 192.168.1.1/24 admin admin
	After you register your Panorama online. You click on licenses -->retrieve license from This will activate the license. Later on you can add more licenses using the "activate feature using authorization code".
	On the Management port. You can enable which services will be enabled. Permitted IP range also helps. Need to add the Source Subnet of the admin PC
	Either add them from Panorama. Panorama --> managed devices. Or add them from the device. Firewall  Setup -->  device --> management
	Add the devices. Put them into your logical device groups Create templates.
	Add the IP of the Panorama or FQDN Like we said. Device > Setup > management > program settings. If you are managed by an HA pair, then add both of their IPs Panoramas should be accessible via the MGT interface. If you are not using the MGT interfaces then set up a route. enable buttons in Yellow, will allow Panorama to PUSH configurations. Policy and object can't be overriden. Local admin can override templates.
	Creating a Role. Select Panorama to create a Role for Panorama. Select Device Group to create a role for the Firewalls. Enable - Read only - Disable.
	Now when you create the new user. You select a radio button. Dynamic - these are built in. {Superuser} {Superuser - read only} {Panorama administrator- can't create other admins} or Role Based -  which relies on the role you created above.
	When you set up a user, you have the selection Of the "Authentication profile". You can use this or use an "Authentication sequence". The sequence will let you run through a list of authentication profiles.
	Password complexity is for all of the panorama admin accounts. The password profile is per user. This is applied under the authentication TAB of the user you just created.
	Authentication profile can be that or authentication sequence. SSH can be turned on. Role being  Dynamic and Role based. Profile is the Role based progile. The password profile
	Pending commits can be seen by other Panorama administrators.
	If you see a LOCK, that means someone else is working on that part of the configuration. Click on it to see who. The location of the admin and which of the records are locked.
	Commit to Panorama Commit template changes to devices Commit them to a device group. Commit then to a collector group.
	Commit to Panorama. From Panorama push the configuration to Device groups Templates  --> then apply to devices Collector groups.
	Filters allow you to limit who will it be applied on.
	Merge with the candidate config Force Template to override the local changes by the admin Include Device group + Network templates in a single commit
	This allows you to TAG  a device with an administrative label. Like the location name, or something else. This is only in the panorama and is not retained in the device itself.
	State will show if it is in sync or not. Platform will be the device type. Device groups Templates members Tags You can press preview to see the propsed changes in the candidate config. Color coding. Green is added     Yellow modified red -deleted
	Template commit. This allows you to set the changes to the commit them to the template.
	Allows you the third item. Committing to a group of devices.
	apply to a group of collectors....
Device Groups
	Device group = logical grouping of devices. Devices are added to the group. A device can belong to a single device group. Devices are either physical firewalls or virtual systems.
	The Shared group contains all of the device groups in it.
	The GUI will look different till you create the first device group
	Creating a device group. Name Description -  device group saar You select the firewalls on the right. You can use the filters to see less options.
	Alright, Let's say you have a client - That client has an IP pool. 82.35.35.0/24 Now you want to create an object client002 =  ip pool 82.35.35.0/24 Now you can use that in the firewall rules. If  client002  to DMZ  then allow. Now instead of creating this client in each of your 50 firewalls. You create a shared object in Panorama which will be pushed to all the firewalls.
	So, apparently each firewall has a different number of maximum shared objects. For example small firewall = small number. Palo Alto recommends leaving the checkbox on "Share unused address ...." This won't send an object to a firewall if it is not in their policy. If you want to over-write objects that have the same name.  Use "shared objects take precedence". This will over-write the local admins object {must be same name}
	This looks complex at first. Remember, all the firewalls are in the SHARED group. So logically the first pre-policy is  SHARED pre-policy. There you will put items all firewalls should allow, like DNS. remember you can logically split into "device" groups. Local firewall policies are done by local admin. SHARED post policy is simply  any any deny!
	Panorama GUI  configuring the Panorama shared pre rules and  post. Notice the context :Panorama:
	Zone names don't auto populate. Zone names in the local firewalls are unknown to the Panorama. To make it easier, you can create zone names in the templates. This will allow them to auto populate. If you type a zone name manually a mistake in upper/lower case or letter will prevent the firewall from committing.
	Once you finish creating a policy. You can push it to the "targets". If you want you can exclude devices or pick specific devices to target. As usual, you can use the filters to limit the choices.
	Preview rules will allow you to see a preview of the accumulated rules. You can run this before applying the rules. Shared Pre Device group Local Post device group Post shared.
	This is another time the "Device group" commit. You can filter and select specific firewalls. You can also merge Include device + Network templates and FORCE the template value.{overide local}
	Running a Device Commit to two VSYS on the same device will cause a fail firewall_51. Each physical firewall can have a few "virtual" firewalls. Like vSYS 1  , vSYS2, vSYS3. If there is a device commit running on one of the vSYS  then when you try to run one on a different vSYS you get that error.
Template commit
	Network settings Device config You select to apply a template on a device or devices.
	There is a tag you can add to the devices. Normal FIPS compliant CC government compliance. Then you choose it too on the template. In order to become applies the TAG on the template must match the one on the firewall. This allows you to set up for example a FIPS template that will apply only to your FIPS firewalls.
	After you add a template it will add a TAB for them. TEMPLATE Network/|/ Device
	As you recall this is the template workflow. Either assign devices then create it Or create it then assign it to devices.
	Push the config to the devices.
	You can remove a setting from a template by clicking the remove X thing.
	Select TEMPLATE Then apply it on the devices or "commit" it.
	Icon changes to override    Green and Orange when you change something to make it different from the template.
ADMIN tools
	So devices will send logs All the logs will be aggregated. Based on the aggregated logs and logs you can create reports for managers. You CAN'T forward logs from a log collector or a panorama to a third party device. You CAN forward them to 3rd party from the firewall.
	Sending logs to SNMP EMAIL SYSLOG this is from the firewall itself.
	Generate log is when the action happened. Receive is when it arrived at the panorama. So there might be a delay.
	Data is send to the ACC and dashboard. The dashboard shows health. The ACC will show you details.
	Select Panorama or device context. Select the time frame.
	Summary reports will give you charts. You can look at them to try to get patterns.
	Panorama reports for you. Ondemand or scheduled. SAev or expert as CSV. You can schedule a report and email it. User Activity is used for summary of URL. PDF Summary will aggregate a number of smaller PDF reports into a big one. Custom reports allows you to filter.
	This is the screen where you export reports. PDF CSV XML Application , traffic, threat, URL Then summary of the above.
	This is the user report. You can select a specific user when generating the report.
	This is for creating a custom report using a custom string. You can also use TEMPLATES to start you off.
	Panorama >>device deployment - license Will allow you to see the licenses and when they are set to expire. This allows you to quickly view and purchase the necessary licenses to keep secure.
	Panorama >>device deployment - dynamic updates allows you to download and install updates centrally you can select to upload to device or upload and install   then reboot
	Palo Alto best practice is to have one Collector  for every group of devices. If you have two or more collectors a hash will decide where to store the data. This is only needed if more than 4TB of logging. This does not replace SIEM
	If you are running  version 4 firewalls then they can't send the logs to the log collector. They will send it to Panorama that can then forward it to the log collector.
	On a panorama VM you can use the space on the VM by adding a 2TB storage. This will make it redundant. You can also mount an NFS Share and store it outside of the VM. NFS will be mounted on the active device only.
	Request system logger-mode   logger will make it a collector. Request system logger-mode panorama will make it both a manager and a logger. >show system info  |match logger_mode > logger_mode : TRUE    is a dedicated.
	This helps determine the logging rate. You can also see the statistics. This will allow you to plan for growth.
	Similar to the panorama statistics you can look at the  Default collector group statistics.
	You can change retention settings. This will affect how much data is being logged to the collectors.
	Another view of the log collection. Pan 4.0 goes to panorama. Pan 5.0 can go to log collectors if needed. 50000 per second if you have more then you need to add new collectors or change the amount of logging.
	You add disks in pairs. You format them, which can take 2 hours. Palo alto disks.
	show system raid detail If a disk fails. request system raid add   disk force   no-format. The no-format is so the old data won't be overwritten.
	This is the Panorama HA pair. They talk over the management port. TCP port 28  encrypted 2869  when not encrypted.
	So to enable HA click the checkbox. Then put the IP of the other Panorama. Encryption enabled will encrypt the data. You will need to import the HA key for encrypted. Panorama > Certificate management > certificates.
	If you enable  PREEMPTIVE then the primary can take back the role when it is powered back up. If you don't the other one will remain primary till he fails.
	Path monitoring will ping an IP to see it is alive.
	the HA status will monitor the HA between the devices. If something is wrong you will get a RED LED. usually versions or mismatch
	On version PAN 5.0  panorama does backup of the changes. Then you can schedule panorama to export the backups to a share.
	You can push versions of the OS to the firewalls.
	To move Panorama from one device to another. Use the Export snapshot. Commit it to the new device with the same IP and check the firewalls can be managed from the new panorama.
	Configure management IP retrieve licenses On panorama run CLI to swap serial. Build the device Import config.
	If the serial has changed then you need to search the logs with both serials as you can't change past data.