TEST DRIVE Microsoft Azure
Workshop Guide
TestDrive-Azure 2.0 ©2021 Palo Alto Networks, Inc. | Confidential and Proprietary 20210628


Table of Contents

How to use this guide 3

Activity 0 – Login to Microsoft Azure Test Drive 5
Task 1 – Login to Palo Alto Networks Azure Test Drive Environment 5
Task 2 – Watch the Pre-lab Video 6

Activity 1 – Access and Review VM-Series Firewall 7
Task 1 – Login and Dashboard summary 7
Task 2 – Review VM-Series Firewall WebUI – Application Command Center (ACC) 9
Task 3 – Review VM-Series Firewall WebUI – Security Policies 10
Task 4 – Review VM-Series Firewall WebUI – Monitor tab 11
Task 5 – Review VM-Series Firewall WebUI – Object, Network, Device Tabs 12

Activity 2 – Safely Enable Applications 14
Task 1 – Verify Static Content on Web Server 14
Task 2 – Verify Dynamic Content on Web Server 14
Task 3 – Allow MySQL on the VM-Series Firewall 15
Task 4 – Re-verify Dynamic Content on Web Server 17

Activity 3 – Safe Application Enablement 19
Task 1 – Attempt to SSH from the web server to the DB server 19
Task 2 – Review the threat protection profile 19
Task 3 – Trigger the SQL brute force attack and review logs 20

Appendix 1: How to Install Dynamic Updates 22


How to use this guide

The activities outlined in this Test Drive Guide are meant to contain all the information necessary to navigate the Palo Alto Networks VM-Series Firewall Graphical User Interface (GUI), complete the lab activities and troubleshoot any potential issues with the lab.

Once these activities have been completed, you should be able to:

1. Navigate the Palo Alto Networks VM-Series Firewall GUI.
2. Review portions of the Firewall configuration.
3. Change the configuration to safely secure a public-facing cloud application.

This Test Drive covers only basic topics and is not a substitute for training classes conducted by Palo Alto Networks Authorized Training Centers. If you are interested in learning more about the VM-Series, CN-Series and Prisma Cloud on Azure, please use the link below to register for upcoming hands-on workshop sessions.

https://www.paloaltonetworks.com/resources/test-drives?topic=vm-series-azure

In this guide:

Tab refers to the seven tabs along the top of the screen in the VM-Series firewall GUI.

Node refers to the options associated with each Tab found in the left-hand column of the screen.

Note: Unless specified, the Google Chrome web browser will be used to perform any tasks outlined in the following activities.


About the Test Drive Environment

This test drive will have you working on securing a two-tiered application environment where tier one is a WordPress server and tier two is a MySQL database server. This is a simulation of a real-world scenario where WordPress is used to host dynamic content in the cloud but requires protection with Palo Alto Networks next-generation security.

In this test drive, all traffic inbound from the Internet to the WordPress web server goes through a VM-Series firewall – i.e. North/South traffic. In addition, all traffic between the web server and the database server is also secured by the VM-Series firewall – i.e. East/West traffic.


Activity 0 – Login to Microsoft Azure Test Drive

In this activity you will:

● Login to the Azure test drive
● Watch the short pre-lab video

Task 1 – Login to Palo Alto Networks Azure Test Drive Environment

Step 1: Go to the Palo Alto Networks VM-Series product page on Azure Marketplace

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/paloaltonetworks.vmseries-ngfw?tab=Overview

NOTE: If the above link doesn’t work, you can go to the Azure Marketplace and search for the Palo Alto Networks VM-Series product page.

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/

Step 2: Click on Test Drive

Step 3: You will need to log in to your Azure account or create a free Azure account if you don’t have one.

Step 4: Once you have logged in, the Test Drive will automatically start creating a test drive environment for you.

NOTE: It can take 15 to 20 minutes to deploy an on-demand test drive environment for you. The progress bar will tell you how much longer before the test drive environment is ready.


Task 2 – Watch the Pre-lab Video

Step 1: While your on-demand test environment is being created, please watch the “About this Test Drive” introductory video.

End of Activity 0.


Activity 1 – Access and Review VM-Series Firewall

In this activity you will:

● Log in to the VM-Series firewall
● Review key portions of the firewall configuration

Task 1 – Login and Dashboard summary

After the Azure test drive has finished creating your Palo Alto Networks test drive environment, you will see two URLs to access your test drive. The VM-Series Next-Generation Firewall Management interface URL is the URL you will use to access the Palo Alto Networks next-generation firewall instance. The Web Server URL is used to access the web server instance for the test drive.

Step 1: Click on the VM-Series Next-Generation Firewall Management interface URL to log in to the Palo Alto Networks VM-Series WebGUI.

NOTE: Please make a note of these two URLs; you will need to use them throughout the lab. You should also receive an Azure test drive email, on the email account registered to your Azure account, that contains the two URLs.


Step 2: If you get a security exception, please ignore it for this lab and proceed to the firewall login page. The exception is caused by the self-signed certificate the firewall uses.

If the message "Your connection is not private" opens, click Advanced, and then Proceed to <IP address> (unsafe):

This opens the login page of the VM-Series Firewall management console.

Step 3: Log in to the firewall with the following username and password.

Username: pan-testdrive

Password: paloalto@123

Step 4: Upon login, you will see the dashboard for the VM-Series. The dashboard provides a visual summary of the device status. It is widget-based and can be customized to fulfill your specific requirements.

In the General Information widget, you can see this VM is a Microsoft Azure instance under the VM Mode.

Step 5: [Optional] Select one of the widgets and move it to a different screen location. Select the widget icon and add an Application, System or Logs widget.

NOTE: Since this firewall is brand new, it likely doesn’t have any traffic yet and your screen won’t match the screenshot below. You can return to the dashboard at the end of the lab to see real data.


Task 2 – Review VM-Series Firewall WebUI – Application Command Center (ACC)

The ACC provides you with a widget-based summary of the applications, the content within, and who the user is over a given time period [default is 1 hour]. With the ACC, you can see the contextual linkage between the application and the content, which allows you to make more informed security decisions.

Step 1: Select the ACC Tab. The default ACC view will show you the network, threat, blocked and tunnel activity in four separate tabs for the past hour. As shown in the image below, the time frame and each tab can be customized to display the relevant application, threat, and user activity depending upon the user role.

Additional tabs can be added via the + sign on the right side of the Blocked Activity tab.

Step 2: Within each of the widgets, you can select the relevant data point to learn more about what it is and what it means.

You can “Promote” that data point as a filter by clicking on the arrow to the right of the filter, which in turn will force all other widgets to be updated based on that context.

Because you are viewing a brand new firewall, there won’t be much data in this view yet.


Step 3: [Optional] Scroll through the information displayed in the Network Activity Tab. Customize one of the tabs, or create/add a new tab.

Task 3 – Review VM-Series Firewall WebUI – Security Policies

Step 1: Select the Policies tab.

The Policies tab is where you will define all of your policies. The default view will be your security policies, all of which can be based on the application, the content within, and the user.

Step 2: Mouse over the column header NAME or TAGS, click on the drop-down and select Adjust Columns. This will allow you to see the information more easily.

Step 3: From the left side panel, additional policies can be defined for actions such as NAT, Decryption, and DoS.

Step 4: In the Web to DB rule (rule 6) and under the Application column, click on the small arrow next to mysql.

Step 5: Then click on Value to see the details for the mysql App-ID. You will see details about the application including the standard ports.


NOTE: The VM-Series is a next-generation firewall. It does not simply assume all traffic on TCP port 3306 is MySQL. It inspects the traffic and ensures that it truly is MySQL.

Step 6: On the left-hand side, under NAT, you can also inspect the translation rules: a rule that allows the web and db servers to be accessed from the outside world via SSH, a rule that allows HTTP access to the web server, and a default outbound NAT rule that allows the web and db servers to access external resources.

The NAT policies allow SSH access to the web and db servers and direct web traffic to the web server only.

Task 4 – Review VM-Series Firewall WebUI – Monitor tab

The Monitor tab is where you can perform log analysis and generate reports on all of the traffic flowing through the VM-Series. Logs are stored on the box and can also be forwarded to Panorama, our centralized management solution, or to a syslog server for analysis and reporting by third-party offerings.

Step 1: Click on the Monitor tab.

Step 2: [Optional] Navigate through the various log viewers.

Step 3: Click Reports to see the various pre-defined reports you can use.

NOTE: Your firewall is new and doesn’t have any data yet, so any reports you create at this point will likely be blank. You can return to this step at the end of the lab and create new reports.


Task 5 – Review VM-Series Firewall WebUI – Object, Network, Device Tabs

The Objects, Network, and Device tabs provide you with the various management capabilities. The Objects tab allows you to manage the building blocks for creating policies such as address objects, custom applications, and security profiles. The Network tab allows you to create and manage interfaces, security zones, VLANs and other elements that enable connectivity. The Device tab allows you to manage high availability, users, software and content updates.

Step 1: Click the Objects tab. The Objects tab allows you to manage the building blocks for creating policies such as address objects, custom applications, and security profiles.

Step 2: Click the Network tab. The Network tab allows you to create and manage interfaces, security zones, VLANs and other elements that enable connectivity.

The interface ethernet1/2 in the Trust zone is the layer 3 interface where the assets that need to be protected reside (in this case the web and database servers).

The interface ethernet1/1 in the Untrust zone is the layer 3 interface that is exposed to the outside world. All traffic enters through this interface.

Step 3: Click the Device tab. The Device tab is where configuration items like DNS, service routes, etc. are managed. The Device tab also allows you to manage high availability, users, software and content updates.


End of Activity 1


Activity 2 – Safely Enable Applications

In this activity, you will:

● Generate traffic on the firewall and review the traffic log
● Edit the security policy to allow inter-tier application traffic

Task 1 – Verify Static Content on Web Server

Step 1: Using the second URL you have on the test drive page from Activity 0, open a browser tab and browse to the below URL:

http://<Web Server URL>/

Step 2: Return to the firewall UI and navigate to Monitor -> Logs -> Traffic. Change the refresh rate to 30 Seconds on the upper right. You should see web-browsing logs.

If there is so much traffic that you cannot see your web-browsing logs, type the application filter ( app eq web-browsing ) and click on the Apply Filter arrow.

Task 2 – Verify Dynamic Content on Web Server

In this task, you will generate a WordPress content request from your web browser that will trigger a database query to the MySQL server. Like many web-based applications, WordPress uses a backend database to create, store, and retrieve dynamic content. You will use the WordPress application to show exactly this type of behavior and demonstrate how the VM-Series firewall will secure this traffic.


Step 1: Open a new browser tab and browse to the WordPress server at

http://<Web Server URL>/wordpress/wp-admin/install.php

NOTE: This request will eventually time out, but it will take a while. You can proceed with the next step without waiting for the timeout.

Step 2: Return to the firewall Monitor tab and check the firewall logs to troubleshoot the problem. (Remove the last filter by clicking on the X if needed.)

Step 3: You should see deny logs. If there is so much traffic that you cannot see your deny logs, type the log filter ( action eq deny ) and ( port.dst eq 3306 ) and click on the Apply Filter arrow.

As you can see, the MySQL traffic (TCP port 3306) is being blocked. Let’s look at the security policy to determine the cause.

Task 3 – Allow MySQL on the VM-Series Firewall

Step 1: Click on the Policies tab and then click on Security on the left-hand pane if not there already. Look at the Web to DB rule (rule 6) and note the Source and Destination Address.

As you can see, the Source and Destination address are reversed and need to be corrected. The Source Address should be web-object and the Destination Address should be db-object.


Step 2: Click on Web to DB rule and then click on the Source.

Step 3: Click on db-object to bring up the pull down menu and change the selection to web-object.

Step 4: Next, click on the Destination tab and then click on web-object to bring up the pull-down menu and change the selection to db-object.

Step 5: Click OK to close the Security Policy Rule window.

Step 6: Verify your security rule now resembles the snapshot below. This rule should allow traffic from the web-object address to the db-object address.


Step 7: Click on Commit in the upper right. With “Commit All Changes” selected, click on Commit to commit the changes.

Step 8: Verify the commit was successful and then click Close.
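The effect of the reversed rule and of the correction in Task 3, modelled in Python as an added example (not code from the guide or from Palo Alto Networks): a first-match rulebase that matches on the web-object and db-object address objects and on App-ID rather than on the TCP port. The IP values behind the address objects, the unknown-tcp application name and the interzone-default fallback name are constructed for the example.

```python
"""First-match model of the Activity 2 rule fix (added example, not the
guide's or Palo Alto Networks' code). Rules match on address objects and
App-ID, the application identified in the session, not on the TCP port.
Address object and rule names come from the guide; the IP values are
constructed for the example."""
from dataclasses import dataclass

# Constructed addresses for the lab's address objects.
ADDRESS_OBJECTS = {
    "web-object": "10.0.1.4",
    "db-object": "10.0.2.4",
    "any": None,          # wildcard
}


@dataclass
class Rule:
    name: str
    source: str           # address object name
    destination: str      # address object name
    applications: frozenset
    action: str           # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, app: str) -> bool:
        src_ok = ADDRESS_OBJECTS[self.source] in (None, src_ip)
        dst_ok = ADDRESS_OBJECTS[self.destination] in (None, dst_ip)
        app_ok = "any" in self.applications or app in self.applications
        return src_ok and dst_ok and app_ok


def lab_rulebase(fixed: bool) -> list:
    """'Web to DB' with source and destination reversed, as shipped in the
    lab, or corrected to web-object -> db-object as in Task 3."""
    src, dst = ("web-object", "db-object") if fixed else ("db-object", "web-object")
    return [Rule("Web to DB", src, dst, frozenset({"mysql"}), "allow")]


def evaluate(rules: list, src_ip: str, dst_ip: str, app: str, dst_port: int) -> dict:
    """Return a traffic-log-style record. First match wins; a session that
    matches no rule falls through to the interzone default and is denied."""
    rule_name, action = "interzone-default", "deny"
    for rule in rules:
        if rule.matches(src_ip, dst_ip, app):
            rule_name, action = rule.name, rule.action
            break
    return {"src": src_ip, "dst": dst_ip, "app": app, "port.dst": dst_port,
            "rule": rule_name, "action": action}


def web_to_db(app: str, dst_port: int, fixed: bool) -> dict:
    """A session from the web server to the db server, before or after the fix."""
    return evaluate(lab_rulebase(fixed), ADDRESS_OBJECTS["web-object"],
                    ADDRESS_OBJECTS["db-object"], app, dst_port)


if __name__ == "__main__":
    print("before fix, mysql:", web_to_db("mysql", 3306, fixed=False))
    print("after fix, mysql: ", web_to_db("mysql", 3306, fixed=True))
    print("after fix, ssh:   ", web_to_db("ssh", 22, fixed=True))
    # App-ID decides: traffic on 3306 that is not identified as MySQL is still denied
    print("after fix, unknown-tcp on 3306:", web_to_db("unknown-tcp", 3306, fixed=True))
```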

Task 4 – Re-verify Dynamic Content on Web Server

Step 1: Return to your WordPress browser tab and click refresh. You should see the initial WordPress welcome screen.

NOTE: You don’t need to actually configure the new WordPress server for the purpose of the test drive. In its initial, unconfigured state, it will generate the traffic we need to test the VM-Series firewall.

Step 2: Now, head back to the firewall Monitor tab and verify that the traffic did indeed go through the firewall via the Web to DB rule. (Remove the last filter by clicking on the X if needed.)

You should be able to see the initial web request, the subsequent MySQL request and the additional web traffic.

If you have trouble seeing the log entries for the traffic that you generated, you can create a traffic log filter as above with the entry ( action eq allow ) and apply the new filter by clicking on the Apply Filter arrow.


Step 3: Check the Resolve Hostname box at the bottom and each address will be resolved to any hostname or URL known to the system.
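The traffic log filters typed in Tasks 1, 2 and 4 above (and the SSH filter in Activity 3, Task 1) share one syntax: parenthesised field/operator/value terms joined by and/or. The following added example (not code from the guide or from the product) parses that syntax and applies it to a few constructed log records; it supports eq and neq, which is all the guide uses, and the record field names and IP addresses are assumptions.

```python
"""Evaluator for the traffic log filters used in Activities 2 and 3 (added
example, not the guide's or the product's code): eq/neq terms joined by
and/or, with parentheses, run over constructed records that only
resemble what Monitor > Logs > Traffic shows; they are not real lab output."""
import re

TRAFFIC_LOG = [  # constructed sample records
    {"src": "203.0.113.10", "dst": "10.0.1.4", "app": "web-browsing", "port.dst": 80, "action": "allow", "rule": "Internet to Web"},
    {"src": "10.0.1.4", "dst": "10.0.2.4", "app": "mysql", "port.dst": 3306, "action": "deny", "rule": "interzone-default"},
    {"src": "203.0.113.10", "dst": "10.0.1.4", "app": "web-browsing", "port.dst": 80, "action": "allow", "rule": "Internet to Web"},
    {"src": "10.0.1.4", "dst": "10.0.2.4", "app": "mysql", "port.dst": 3306, "action": "allow", "rule": "Web to DB"},
    {"src": "10.0.1.4", "dst": "10.0.2.4", "app": "ssh", "port.dst": 22, "action": "deny", "rule": "interzone-default"},
    {"src": "203.0.113.10", "dst": "10.0.1.4", "app": "ssh", "port.dst": 22, "action": "allow", "rule": "Internet SSH"},
]

TOKEN = re.compile(r"\(|\)|[^\s()]+")   # a parenthesis or a bare word


def parse_filter(expr: str):
    """Parse a filter into a tuple tree. 'and' binds tighter than 'or':
    or_expr := and_expr ('or' and_expr)*, and_expr := atom ('and' atom)*,
    atom := '(' or_expr ')' | field ('eq' | 'neq') value."""
    toks, pos = TOKEN.findall(expr), 0

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of filter")
        pos += 1
        return toks[pos - 1]
    def peek():
        return toks[pos] if pos < len(toks) else None
    def or_expr():
        node = and_expr()
        while peek() == "or":
            take()
            node = ("or", node, and_expr())
        return node
    def and_expr():
        node = atom()
        while peek() == "and":
            take()
            node = ("and", node, atom())
        return node
    def atom():
        if peek() == "(":
            take()
            node = or_expr()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        field, op, value = take(), take(), take()
        if op not in ("eq", "neq"):
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", field, op, value)

    tree = or_expr()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return tree


def evaluate(node, record: dict) -> bool:
    """Evaluate a parsed tree against one log record."""
    if node[0] == "cmp":
        hit = str(record.get(node[1], "")) == node[3]   # compared as typed text
        return hit if node[2] == "eq" else not hit
    left, right = evaluate(node[1], record), evaluate(node[2], record)
    return (left and right) if node[0] == "and" else (left or right)


def filter_log(expr: str, records=TRAFFIC_LOG) -> list:
    """Return the records matching a filter expression."""
    tree = parse_filter(expr)
    return [r for r in records if evaluate(tree, r)]
```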

End of Activity 2


Activity 3 – Safe Application Enablement

In this activity, you will:

● Generate two simulated east/west (web tier to database tier) attacks
● Monitor the firewall logs to see the results of the attacks

Task 1 – Attempt to SSH from the web server to the DB server

This task will simulate a compromised web server that is being used to attack the database. This is a common attack strategy of getting a foothold on the web front-end server and then expanding to the other application tiers with the ultimate goal of accessing all data in the database.

Because the Palo Alto Networks VM-Series firewall has visibility of traffic between the web and database server (east/west traffic), it can detect and automatically block the attacker’s attempt to compromise other resources.

Step 1: Browse to the SQL attack web page at

http://<Web Server URL>/sql-attack.html

Step 2: Simulate a compromised web tier by clicking on LAUNCH WEB TO DB SSH ATTEMPT. This will launch a CGI script that attempts to connect as root to the database server.

Step 3: Now return to the firewall’s Monitor tab to note the failed traffic. If you have trouble seeing the log entries, apply the log filter with the entry ( action eq deny ) and ( port.dst eq 22 ).

(Remember to remove the last filter by clicking on the X if needed.)

The VM-Series uses safe application enablement to allow only the correct applications between tiers, and SSH is denied between the web and database server.

Step 4: The above log entries indicate that the firewall has successfully prevented the DB attack and has secured the E/W traffic.

Task 2 – Review the threat protection profile

In this task, we will look at the Vulnerability Protection profile. This profile is used to prevent exploits of vulnerabilities – in this case, MySQL. There are many other components of Palo Alto Networks threat protection that are beyond the scope of this lab and are not included in the firewall configuration.


Step 1: Return to the firewall management interface and navigate to Policies > Security. Take a look at the Web to DB rule. You will notice that the web to db traffic is protected further by a vulnerability profile.

Step 2: For the Web to DB rule, hover over the icon in the Profile column and note the Test Drive vulnerability profile in use.

Step 3: Now click on the icon in the Profile column and you will see all the threat protection profiles.

Note the Test Drive Vulnerability Protection profile. This is a custom profile created just for this test drive lab. It is part of the default vulnerability protection profile but is called out separately for the purpose of this demo environment.

Step 4: To take a closer look at the vulnerability protection profile, go to Objects > Security Profiles > Vulnerability Protection and click on “Test Drive”.

Task 3 – Trigger the SQL brute force attack and review logs

For this task, you will launch some scripted attacks on the SQL server and use the pre-configured threat protection to show and block those attacks on the VM-Series firewall. As noted above, these are simple, scripted attacks and blocking configurations – there are many other threat protection features available on the Palo Alto Networks VM-Series that are beyond the scope of this demo.

NOTE: This task requires the Applications and Threats content to be installed on the VM-Series firewall to detect the attack. Please make sure content is installed by navigating to Device > Dynamic Updates.

If content is not installed, please refer to Appendix 1 (at the end of the workshop guide) to install the Applications and Threats content.

Step 1: Open a new browser tab and browse to the below URL:

http://<Web Server URL>/sql-attack.html


Step 2: Click on LAUNCH BRUTE FORCE SQL ROOT PASSWORD GUESSING to start a script that will generate multiple failed MySQL authentication attempts. This will launch some scripted attacks on the SQL server and use the pre-configured threat protection to show and block those attacks on the VM-Series firewall.

Step 3: Return to the firewall and click the Monitor tab and then click on Threats in the left-hand pane under Logs.

Step 4: Note the new vulnerability log message regarding the failed MySQL events.

Step 5: The CGI script you launched above attempted to log in to the MySQL database multiple times with an incorrect password. The VM-Series firewall saw this activity and, using the vulnerability profile, reset the connection and logged the activity.

Step 6: Click on the glass icon to view the detailed log.
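As an added example (not from the guide, and not the vulnerability profile's own logic), the following Python models the detection side of this task: failed MySQL logins per source/destination pair are counted in a sliding window and an alert is raised when they reach a threshold, which is the point at which a profile set to reset the connection would act. The event line format, the 10-failures-in-60-seconds threshold and the IP addresses are constructed assumptions, not the Test Drive profile's settings.

```python
"""Sliding-window detection of the MySQL brute-force pattern from
Activity 3, Task 3 (added example, not the guide's or the product's
code). The event format, threshold and addresses are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                  # assumed, not the lab profile's setting
WINDOW = timedelta(seconds=60)  # assumed, not the lab profile's setting


def parse_event(line: str):
    """Constructed line format: 'YYYY-mm-dd HH:MM:SS,src,dst,app,outcome'."""
    ts, src, dst, app, outcome = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, app, outcome


def sample_log() -> list:
    """Constructed events as the firewall would see them between the tiers."""
    base = datetime(2021, 6, 28, 10, 0, 0)
    lines = []
    # 12 rapid failures web -> db: the scripted root password guessing
    for i in range(12):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S},10.0.1.4,10.0.2.4,mysql,login-failed")
    # 3 failures from an admin host spread over ten minutes: a mistyped password
    for i in range(3):
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S},10.0.3.9,10.0.2.4,mysql,login-failed")
    # a successful login never counts toward the threshold
    t = base + timedelta(seconds=30)
    lines.append(f"{t:%Y-%m-%d %H:%M:%S},10.0.1.4,10.0.2.4,mysql,login-ok")
    return sorted(lines)


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW) -> list:
    """Return one alert per (src, dst) pair whose failed MySQL logins reach
    `threshold` inside any `window`. The alert records the first failure in
    the window and the event at which the threshold was crossed."""
    failures = defaultdict(deque)
    alerts, already = [], set()
    for ts, src, dst, app, outcome in map(parse_event, lines):
        if app != "mysql" or outcome != "login-failed":
            continue
        q = failures[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and (src, dst) not in already:
            already.add((src, dst))    # one alert per pair; re-arm as needed
            alerts.append({"src": src, "dst": dst, "count": len(q),
                           "first": q[0], "triggered": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(sample_log()):
        print(alert)
```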

End of Activity 3


Congratulations! You have now successfully completed the Azure Test Drive. If you are interested in learning more about the VM-Series, CN-Series and Prisma Cloud on AWS and GCP, please use the link below to register for upcoming hands-on workshop sessions.

https://www.paloaltonetworks.com/resources/test-drives


Appendix 1: How to Install Dynamic Updates

The steps outlined in Appendix 1 will guide you to install the application and threat content.

Step 1: Click on the Device tab. Click on Dynamic Updates on the bottom left and click on Check Now on the bottom.

Step 2: Under Applications and Threats in the center pane, select the latest update and click Download in the Action column. Downloading will take some time. Close the Download Applications and Threats dialog box once the download is complete.

Step 3: Once the download is complete, click Install in the Action column and then click Continue Installation.

Step 4: Once content is installed, you should see a check mark in the Currently Installed column.
