Pass Your Palo Alto Networks PCNSA Exam Easy!

Palo Alto Networks PCNSA Palo Alto Networks Certified Network Security Administrator exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. Palo Alto Networks PCNSA Palo Alto Networks Certified Network Security Administrator exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the Palo Alto Networks PCNSA certification exam dumps & Palo Alto Networks PCNSA practice test questions in vce format.

Chapter 2 - Initial Device Configuration

8. 2.8 Security zones and interfaces

In this video, we are covering PC NSA 210. This chapter covers initial device configuration. And this is episode eight of that chapter. 2.8 security zone and interfaces Now, chapter two is the biggest chapter of this course. It has twelve videos in total. All of the chapters, they have somethingbetween four to seven eight videos. But this chapter is one of the biggest ones. Well, that's the biggest. Okay, so we start with the 2.8 Security Zone and interfaces. Security Zone and Security Policy Rules palo In AltoNetwork Firewalls, they use the concept of "security zones" to secure and manage the networks. Systems with similar security needs are grouped into the same zones. So zones are a logical grouping of traffic on the network. Zone names have no security policy associations. So you can call them whatever you want. They don't mean anything, but it's just good for you to identify where they are. So we have something called an intrazone. So for example, if we put out all devices that communicate in the same zone or have similar security needs, we'll put them in the same zone. Now that's intrazone. intrazone traffic. Traffic within a zone is allowed by default. So you don't have to have one already. There is a security policy, which is a default intra zone, and traffic is allowed. The traffic from one zone to another zone, for example, from inside to the data centre zone, is called inter-zone traffic. Now, interzone traffic is denied by default. So there are already two security policies by default in our firewall. So if I go to my firewall, I can show you. So we have two. Let me just remove this stuff. So if I go to policies and then security policy, you can see that there is already one by default. There are two policies There are two types of defaults: intra-zone and inter-zone. So intrazone traffic is traffic within the zone, while interzone traffic is traffic from one zone to another. These are read-only security policies. Any device, any source, to any destination in the travel zone So within the zone, it is allowed. As you can see, there is a read-only attribute. If you go to action, it will tell you to allow right and enter zone. That is from one zone to another zone, where the default is deny and it's read only.We can override this. We'll see that later. Now, in band interfaces, a physical interface or a sub-interface can be assigned to only a single security zone. To process traffic, an interface has to be assigned to a zone. A zone can have one or more physical or logical interfaces. The zone name is case sensitive.So, for example, if we call an inside zone an inside zone, I can put only one interface there. This interface cannot belong to another zone. So I can't put it in inside zoneand I can't put it to outside zone. For example, that is not allowed. So one interface has to be one zone buta zone can have more than one interface. So for example, data centre zone as you can seedata centre zone has got interface e one three ande four, single slot firewall and multi slot firewall. Now when you see a single slot firewall interfaces aremarked with ethernet one so that's a single slot one. For example, for the first interface, as you can see there, that's the first interface ethernet one, forward2 is the next one up, and so on. If you configure sub interfaces, for example, they marklike ethernet one, two three and so on. You can configure sub interfaces.Now a multi-slot firewall has, for example, Ethernet 1, one for the first slot, Ethernet 2, one for the second slot, and so on. Then this will be three, one, or three, two. You select that, then it will be four, and so on. Zone types and supported interfaces Different zonetypes only support specific interface types. So we have, for example, a tap zone that supports only tap interfaces, or at least we can explain it later on in the upcoming videos, but for a tab zone, what I want you to think of is a span switch port analyzer. The following video will go over what a tap zone is and how tap interfaces work. For example, the next one is a virtual wire zone. For example, if we had a switch here communicating with another switch on this side and we wanted to use our firewall to see what was happening between them but we didn't want to change the topology, For example, we can just put a firewall here, and it will find out what this port for ingress and egress is, what they communicate, and whether we allow that traffic or not. That's a virtual wire. But again we're going to talk inthe next video more about virtual wire. Next is the tunnel zone. There are no interfaces assigned to tunnels on, and tunnels on are available beginning with Panos 8.0, using a technique known as tunnel internal encapsulation. We're going to be using a tunnel zone four, and then we have a layer two zone where we put layer two interfaces. Now in layer two zones or layer two interfaces, they don't have an IP address, and then we have a layer three zone. In layer three zones, we have three types of interfaces: VLAN interfaces, loopback interfaces, and tunnel interfaces. All of these are going to be assigned via the IP address management interface, and high availability interfaces are not assigned to any zones. To create a security zone, we need to navigate to network zones, then click "add" and then choose what zone we have. We need to put the name so we need toprovide that information, it's required and then we need tosay the type of zone is it and then wehave to add the interfaces zone protection for example, andenables user identification and all of these upcoming videos, we'regoing to be talking more so in my network. For example, this is what I'm going to create. I'm going to create four zones. So I'm going to create an inside zone. I'm not going to put any interfaces in yet because we have not talked about them. I'm just going to create a zone. It's very simple and straightforward, but I'm going to create inside zones, outside zones, a DMZ zone, and a virtual wire zone. so I need to go to network zones. And then by default, you see there is no zone. So we're just going to create an inside zone. And I can type the log settings here. I can do log forwarding, whichyou can talk again later. These are the available zones. So we have a tab, virtual wire, layer two, layer three, or tunnel. One thing that we have to remember is that the names are case sensitive.So if I type inside, it's not the same. And if I just type insight So these are two different zones, so whether they use the capital letter I or just the lower letter i, they're going to be treated as two different zones. So that was the first zone created. I haven't put any interfaces on it because we're going to do that later. The second zone I'm going to create is called outside. So outside, and this is again a layer-three zone, And the third zone I'm going to create is the DMZ. I'm going to delete these zones. I'm just creating them for demonstrations. So layer three And then another zone I'm going to create is a "virtual wire," and this is a virtual wire zone. So I created three zones: layer three and one virtual wire zone. I'm going to remove these anyway; it's not part of our job. Thank you for watching Lesson 20 of NIT Security Zone and Interfaces, Chapter 2: Initial Device Conference.

9. 2.9 Tap VirtualWire Layer2

On this video, we are covering PC and SA 210, and this is our chapter two initial device configuration. This is a nice video of Chapter 2, and on this video, we're going to cover 2.9, we're going to cover tab interfaces, we're going to cover virtual wire interfaces, layer two interfaces, and tap interfaces. Now the firewall can use a TAP interface to connect to a span or mirror port. So switch port analyzer feature is used tomirror traffic from one or more source switchports of VLAN to destination port and destinationport will be a Tap interface. A TAP interface passively collects and logs monitored traffic to the firewall. A traffic lock and tap interface that cannot control traffic or perform traffic shaping must be assigned to a tap zone. So for example, if we're talking about a switch here, the switch will have a TAP interface as a destination span port. So for example, the span or switch port analyzerwhat will be is that it will monitor ports. You can monitor one or more ports; we can monitor this; we can monitor this and this and this. They all will have a source-span port. Then we're going to send it somewhere for monitoring, i.e., to the firewall to monitor the traffic and display the traffic look; that will be the destination for it. We can monitor ingress or egress or both. The Tap interface on the firewall will be used after we send it to the destination SharePoint. To configure it, we will have to go to network interfaces and then pick the interface that we want, and then select the interface type as TAP. It has to belong to a security zone. So like the monitor tap zone, it will belong there. Now I don't have on my network a TAP interface; I don't know if it's running in the switch port analyzer, but it's going to demonstrate to you how you do that. You just go to interfaces, and you'll pick one interface that's going to be your Tap interface. Say 19 here, and in the comments, you meant to write your comment configured for span, for example, or switchboard analyzer interface type. You can see the default is Tap, and we can choose other types of interfaces, but we are talking about Tap. We haven't got a network profile, and it has to belong to a security zone as well. So if we don't, we have not hit anything here. We would have to create one, and then under "Advance," there's nothing here to select the speedlink speed duplex and link state, and that's it. That's how we configure our TAP interface. Now just remember the TAP interface. What was the TAP interface? It was just like a collector, something similar to an intrusion detection system. So just collect the information, and then it will notify—either through email, SNMP, or syslog or something, or log messages somehow—if there is some sort of malicious traffic detected or something. Virtual Wire Interfaces Virtual Wire will be able to bind two firewall interfaces together through a Virtual Wire object. This can be inserted into an existing topology without configuration changes. For JSON network devices, firewalls can examine, shape, and block traffic used when no switching or routing is required. No IP addresses are configured, so noroutine or firewall management traffic is supported. So, for example, in our networks, imagine there was a network between these two switches and we just wanted to see what kind of traffic was happening; did we want to shape it or even block it so we could put our firewall in between the line? So this is pretty much like an intrusion prevention system (IPS).So it kind of detects the traffic and prevents an intrusion. So a Virtual Wire interface on one side is going to have two Virtual Wire interfaces, and we don't need to put an IP address or Mac address unless we need to have a Virtual Wire object. So to configure it, it's a two-step process. So first you create a Virtual Wire object that will connect the two interfaces, and then you configure two interfaces as Virtual Wire interfaces. Either way, it's fine whether you do the objects first or you do the interfaces second. It's fine, but it's going to be a two-step project. So, for example, I'll make a virtual wire out of numbers seven and eighteen. Just imagine that one seven is connected to switch one and one eight is connected to switch two. And I'm putting in the virtual wire to find out what traffic is going through those two switches. So there's an Ethernet connection to switch one. And this is going to be a virtual wire interface. We don't have a network profile; I don't yet have a virtual wire object or security zone. But I'm just going to create a virtual wire interface. Click okay. And then in eight, I have a connection to switch to, for example, and this is on my second virtual wire. So what I'm doing here is, if we go back, I'm creating this interface and this interface. So, Ethernet 17, switch one in this virtual interface. I think it was, and then EthernetA was connected to this switch, for example. And then I will be able to see what traffic is going through those two switches. And then you can shape it, examine it, or even block the traffic. I created the interfaces, two interfaces, and the virtual wire. Now I need to create a virtual wire object. So for that again, I need to go to a network, and then in the network, I go to a Virtual Wire object. So click here name for example, switch one two. Switch two. And not only interfaces; that will do, for example, one seven on one side and one eight on the other side. In the virtual wire, we can now specify what traffic is allowed to be tagged and what traffic is not. So we're looking at an eight-to-one Q tagging system here. So we can choose, for example, which tag we allow. So for example, 100 to 200 So if we leave anything out or don't put anything, then it's going to accept all the VLANs. The multi-car firewalling will allow only multi-car traffic. Massive security policy rules The link state pass-through will allow you to pass the state of the device between them. So, for example, if this switch sends traffic, we have the firewall in the middle here. So we have a firewall here, and this will say they send CDP messages or LLDP. And then link state pass through allowsus traffic to just go through. So that's what the link state pass through is, and I click okay, and now I have my virtual wire object and my interfaces as virtual wires. And those two interfaces are connected to a virtual wire object. Because the firewall security policy rules are based on zones, each virtual wire interface will require a zone, and when we configure a zone, for example, because we don't have anything here, then I have to select a virtual wire zone and click okay, okay. So two step process to configure a virtual wire. First was to create a virtual wire object and thatwas the network and then virtual wire object and thenwe give it a name and we put our twointerfaces by default all the VLAN traffic is allowed andwe can allow multicast firewalling link state passthrough allows topass the state of the one device to another deviceand same we can configure. The second step is to configure the interfaces and add them to the virtual wire object and the virtual wire zone. Now virtual wire sub interfaces will read and classify traffic according to the administrator-defined VLAN tag, IP classifiers, or both. An IP classifier can be a specific address, a range of addresses, or a subnet address. more granular security rule, logically splitting the network traffic. To configure a sub interface, you need to go to your interface, and then let me just show you that. So I go to the interface, do not select that interface, I just highlight it, and then click the add sub-interface button. And then on the sub-interface, the name, you can't change it. That's read only.Dot whatever your subinterface is called. So for example, 100 Now this doesn't really mean anything; it's not linked to any VLAN tag or anything or whatever. But usually if it's for VLAN 100, then we put VLANV 100 there, and then this sub-interface for VLAN 100, and then on the tag, this is going to be the actually identified tag, and then we can add the IP classifier. So an IP classifier, this couldbe a specific single address. It could be a range of addresses or a subnet address. So for example, we could put 1921-6810-1921-6812; this is the range of addresses. Or you could have a single address, for example, 1921-681-5424. We could even have an entire subnet. So say 192-16-8204; that's your IP classifier, and click okay. Layer two interfaces switch between two or more interfaces through a VLAN object. Now, the VLAN object connects the interface into a single Ethernet broadcast domain, typically used when no routine is needed. Firewall again can examine trafficshape and block traffic. No IP addresses are configured, so no routing or firewall management traffic is supported. to configure it. Again, it's a two-step process. So first we have to configure the VLAN object and then configure the layer 2 interfaces on those VLANs. So if I go to my firewall, the first thing I need to do is configure a VLAN object, which is under a network. So we have a network here, and then we have VLAN. And then we're going to put those two interfaces in our VLAN network, a network VLAN, and I'm going to create a VLAN object. So there are VLAN objects, VLAN interfaces, and an interface, such as a layer 2 interface. I don't have anything on layer two right now. So I'm going to cancel that and click Okay. And then onto the interfaces. So for example, Ethernet is a type of interface at Layer 2. And this is going to go on the VLAN VLAN object, and again, we have to put it on the security zone and click OK. And then I can create another layer-two interface there too. And, once again, this one will be added to our VLAN object and clicked okay. Now that I've committed all of these, I can commit them to take effect once I'm finished.

Chapter 3 - Security and NAT Policies

1. 3.1 Security policy fundamental concepts

On this video, we are covering PC NSA210, and this is chapter three security and Nat policies, or network address translation policies. This is the first video of chapter three, which is Security Policy Fundamental Concepts Controlling Network Traffic. Now, all traffic traversing or going through the data plane of the Palo Alto Network Firewall is matched against the security policy. It does not include the traffic that originates from itself in the security policy we can define; the traffic allowed to go through may be denounced. We want to drop it, maybe, or maybe we want to reset the client, reset the server, or reset the boss. When we control traffic through the security policy rules, wecan have a basic criteria like where is the sourcezone of the traffic, where is the destination zone? That's the basic criteria. Or we can go to more granular criteria where you can match the source IP address, destination IP address, port numbers, application, URL category, source user, or host information profile session and Flows Each packet is matched to a session, and then each session is matched to a security policy rule. For example, I have on the left here the traffic initiator, which, on the firewall definition, is known as the client. Now this flow is considered a client to serve a flow, and it will be checked against the security policy rule. If the traffic is allowed, then the firewall will create a session or unique ID. When the responder sends traffic back through the firewall, it is referred to as the server. Then this is known as a server-to-client flow, and returning traffic is allowed. A session can consist of one or two flows, for example, a single flow for multicast traffic or two floor examples. TCP Traffic Security Policy Rule Types There are three types of rules in a security policy. The first one is intrazone. intrazone rule means that the source or the trafficinitiator of the client, it's in the same zoneas the destination, that is intra zone. It's called intrazone traffic, and that traffic is allowed by default if the source is in one zone and the destination is in a different zone; that's known as interzone traffic. Interzone traffic is denied by default. So we can have intrazone, interzone, or the third type, which is universal. Now universal you could have traffic going within thezone between the zone or anything you want. Usually we create a universal security policy ruletype, but you could create an intrazone or interzone as well if you want. You have the option, but the universal is "default," and that's what we created by default. Displaying and Managing Security Policy Rules Now this is what I'm going to show you on my firewall. I already have it running on my network. I already have the firewall running. So I connected to another PC on my network, and I'm going to use Google Chrome to access that firewall. So open it; it is a secure connection. So I need to type HTTPS. It's already there. Column 192-168-1254 logs onto the firewall. Now that I'm logged on to the firewall, I'm going to press F11 so we can see it better. To view the policy security policy or manage our security policy rules, we must first navigate to policies, security, and then security policy rules. Now every user that logs in on the firewall or has access to this firewall can rearrange this web interface display. They can rearrange the columns the way they want. For example, say that I want the action to be next to my name in the name column. So I will just click on it, drag it to where I want it, and then just drop it. So you can see that the action is now right next to the name. For example, sometimes you don't want something to appear—say, maybe you don't want the tax to appear. So I can click anywhere. Any column has an arrow pointing down. You can click anywhere you want and then select a column, and then just the one that you don't want. You see there's ticks the ones that you wantto see them and they are unequal the onesthat you don't want to see them. So for example, if I don't want to see the tags, I will just unpack that, and then I don't see the tag. Maybe I don't want to see the name. That would be crazy. But there is, so get rid of the name as well. Anyway, let's see the names back, and we can adjust the columns as well to fit correctly. I'm just going to move this to the left a little bit so we can see them nicely here. Okay? By default, we have two implicit rules. They're going to be there as soon as you enable the firewall. They're going to be there. There are intrazone rules and interzone defaults. So intra zone default and interzoneis traffic within the same zone. Interzone traffic is between the zones. So in an intra-zone, same-zone situation, the traffic by default is allowed; in an enter-zone situation, the traffic between the zones is denied. That's the default. We can go and change them or override them if we want to. For example, let's say that I want to change something on this intrazone, and by default the login is not enabled on these two implicit rules. And usually, it's recommended that you go to those rules and enable the login. So I will go to the interest zone, for example, and go to the actions, and you can change the actions as well if you want. But you see, I can't do it this way. If I want to change something, I need to click on this icon here, "overwrite," and then select the role and then select "overwrite," and then you can change it to "action" if you want. It's also common practise to place the login at the end of the session. We can enable login at start, but usually it's not recommended because it's going to generate more logs, and it is recommended only when you do troubleshooting. Right now, once I do that, you can see the icon has changed. I think it was just green here and here. Now we have this override icon, and if I say, "Okay, I made a mistake, and I want to go back to how it was," I can select the rule again and then just revert, and that will revert back to what it was, how the rule used to be at the start. And you can see the icon change to "normal" and "same." You can see the interzone has been overwritten, and if you want to revert, you select it and then you say revert. So just to recap, we have two rules. There are implicit rules. So these are implicit rules. Now, anything we create here that will be on top, and these are referred to as explicit rules, Explicit rules. And we usually create explicit rules to control the traffic on our firewall. The firewall is going to match traffic as it goes through the data plane. It's going to try and match one of these rules. And there has to be a match. One way or another, there's going to be a match. Either then is either going to allowthe traffic or maybe deny the traffic. The way he's going to do that, the firewall is going to look at it from the top down or from top to bottom. So it's going to go this way. It's going to read the first rule and try to match it. If there's not a match, then it's going to read the second one. Then it's going to read this until it gets to these two rules. These two rules will pretty much match all the traffic, any traffic.If there's a match, say that it's reading the rules down and there is a match on the third row; there's a match here, and it's going to read the action. Is it allow or deny? And then after it reads the action, it stops. Further rules are not evaluated; they are not looked at because we have a match and can do whatever the match is. And if, for example, the traffic is allowed, then the returning traffic will be allowed as well. It is recommended to minimise the use of any column-specified value in the values, if possible. So, for anything that isn't specifically recommended, we should use more specific values. The next thing that you should look at in the security policy role is this hit count. Hit count. Now hit count to identify rules that are frequently used. Also identify rules that are seldomly used. Now rule hit account also shows the first time the rulewas hit and the last time the rule was used. So for example, you can see the rule hit count for this. We have 549, and this is the last hit of that rule; that's the first hit of that role. Plus, we can see how many applications have been made for that role. Later on when we talk about app ID, we're going to come back here and see what application we see it in. This can be used to verify configuration and changes, as well as sometimes to see what rules are not being used. Assume this rule has received no hits, no heads at all. Maybe we can either disable those rules or, later, maybe even delete them. Another thing is, when we create the rules, we're going to go a bit more in depth in the next lesson about the creation of these rules. But another rule that we should be concerned with is the rule of shadowing. Now rule shadowing, which is very important, is, for example, if one rule shadows another rule. I have one rule here that inside to outside," right?" And this means that any address on the inside network can connect to any address on the outside network. It's allowed. But then later on, I'll say "deny hostor 19216 eight," which is on the inside. I want to deny this host with this address, 192-16-8125. Going anywhere outside is an inside zone. But that's a problem because this rule here actually overrides or shadows this rule. So like we said, the firewall reads from bottom to top this way, and when it reaches up to here, that's a match, and then it will allow it. So, even though we want to deny it going outside, this rule or this PC allows it. So it will never get to that point. So the best thing to do in this case is to actually move the more specific rules to the top. And we can do that by not clicking on the hyperlink. You just select the rule, and it says "move." You can say move to the top, move up, move down, or move to the bottom. You can't go any further. It's at the end, or you can drag and drop. So you can click on it and then just drag and drop. As it stands, you can put the right at the top. Now you can see the number just numbering of the rules. They have no understanding of this. They don't have any meaning in the actual security policy. These are just the numbers in the rules. However, you can see that this is now better because the previous rule will no longer cast a shadow on this one. So, inside, your outside rule will not prevent this host from being accessed from the outside. Okay? So if we go back to the slides and we have a look at how to display and manage security policy rules, we use the web interface, and any user can customise the security policy web interface by dragging and dropping, hiding or unhiding some of the tabs, and you can modify the number of columns. We talked about implicit and explicit rules. So we'll have two implicit rules by default, and any rules you create will be in explicit rules. Implicit rules for intrazone traffic are that traffic within the zone is allowed and interzone traffic is denied by default. Security policy rules match those that we said are evaluated from top to bottom. Further rules are not evaluated after we have a match, and policy rules are unidirectional. Avoid using any of the words, any in any columns, specify a value if possible, and discuss the rules. hit count Identify rules are used frequently; identified rules are used infrequently. Rule hit count also shows the first and last time a rule was used and the view number of applications seen by a rule. It can be used to verify config changes, and we talked about rule shattering as well as the more specific rules we want to put at the top. If we create some policy that has rule shadowing in it, for example, when you commit it you're going to get a warning, and if you read the warning and it says rule A shadows rule B, rule A shadows rule C. So B and C will never be understood because rule A is shadowing.

2. 3.2 Security policy administration

On this video, we are covering PC, NSA 210, and this is chapter three, security and net policies. Now this is a second video of chapter three, three, two, security policy administration. Now, for this video, I'm going to show you how to configure pretty much this PC. Now that we have it configured, you can watch the other videos on how to configure the zones, how to put the interfaces on that zone, and how to configure them with IP addresses. So I have an outside zone and an inside zone. All the basic configuration is done. But now we need to configure a security policy. Now in security policy, what it's going to say is that these inside zone users will be allowed to go outside, and then the returning traffic will be allowed anyway. And then I'm going to create another security policy from inside the zone, going to the demilitarised zone. Now, we can have two security policies. We're going to be able to test the outside and test the demilitarised zone. But in a demilitarised zone, we can actually do it and test it once we configure that for future videos as well. Now for this video, I already have a network address translation configured, and that's going to be the next video. I'm going to delete it and then reconfigure again for you to see it. But this time, because these two work hand in hand, you can't have one without the other. So as the packets go to this firewall, the firewall will check the security policy. Are they allowed to go outside? Yes. And then it's going to do the network address translation and then check it again. Okay, well, you'll get to see it when we talk about the network address translation. Okay, so what we do is—I already have one—show you that I already have a connection to my PC. So PCA is like Windows 7. So if I open the command line and you can see Ipconfig, let me write it with lowercase letters, Ipconfig, and you can see the IP address of that PC. So that is the same as what we have here and the gateway 192-1681 one, which is there. And I should be able to ping my gateway, so ping the 192.168.1.1 one. But I'm not going to be able to ping anything outside. So I'm going to try and ping the Google DNS server, which is eight, eight, eight. That's not going to work. The reason is that we don't have any security policy. We're going to create a security policy and then come back and test it again. Or I'm going to set continuous ping sominus T, which will just try to ping it, right? So now I'm going to go back to my firewall. So if I show you the lab again, the idea is to create a security policy from the inside zone to go to the outside, and then the returning traffic is going to be allowed. So to create a security policy, you need to go to policies and then security. As you can see, we only have two default security policies intrazone: communication within the zone, which is allowed, and communication between the zones, which is denied. So I need to create a new security policy. To create a new security policy, we click Add, and then we have to define the name. The only required field on this section is the name. So we're going to say "inside to outside." For example, now you remember there was three different typeof rule type three rule types that we could use. We could use universal, which by default applies to both interzone and intrazone traffic. intrazone or interzone, well, let it default. We can put a description, which is very important that you write descriptions all the time for yourself, like later on if you come back after six months to know what you're doing, or for the next administrator tags as well; they are very helpful individually. So, for example, you can see them as internal, so I can see the tag and group this rule or this security rule by a tag. So internal maybe an audit comment AR importantas well you can write the audit commentso who changed rule or who created? So, for example, now that I'm creating a brand new instance of the type I created, but then when you come later on, maybe after a month, and somebody changes something on this rule, they need to write this audit comment. So it's a nice track of who did what and so on, right? So this rule description for this rule is "inside land," for example; maybe "outside land" is something more descriptive than that, but that's just so you know. Now in the audit comment, I'll say created by asterisk date and time. You would put it here, and then it will be in the audit trail, okay? And then I will click on the source, so that's the source of the traffic initiator, so who's creating? I could do any zone, but that will be any zone. but no, my traffic is actually coming from inside zoneso I click it from inside zone. So source add inside, followed by source address. I can even enter this address correctly. I can leave it anywhere, so anything that is inside will work. Or I can just say a single address, for example, 192-1681-200, which is the PC's address, or I can just say the whole network, maybe that's the whole of my internal network, and say that I don't want this rule to apply to these dresses. I can negate it here. So if I click that, that will negate the enabled option and not match the traffic. Now, for users, I can choose, for example, any user that says any user of any type before login. These are remote users using global protection who are not logged into the system. For example, unknown users are users that have already been mapped. Their IP address and the user ID have been mapped. Unknown Users: The user ID and IP address have not been mapped yet. Or you have a list of these selected users or groups that have been added using an ad link, right? For example, select I can put selectthem here, add them this way. Or you can say any: I'm going to leave it to any right now." Host Information Profile I can specify any no host information profile or select and add them in this manner. so any will be fine. Now the next role, like the basic criteria, is source and destination. So we have to actually type source, and now I need to type destination. The destination could be a multi cost anyor select select is whatever I add here. So I'm going to add "actually outside." So, if I show you again, if you remember that the source is inside and the destination is outside, I can put the destination IP address, for example, here, but since it's everywhere on the internet, I'm not going to put an IP address. So I'm just going to put anything and everything I can negate, so for example, if I put an IP address, I can negate that and say, okay, you can't go anywhere else maybe except there. And then the application I can use any or add applications that I have already created. So for example, I will show you how to add applications with application filters or application groups when we're talking about the app ID, not now, right? So any application and service can have an application default, and any service and URL category can exist. All these we're going to talk in the future lessons. And then, in the end, we have an action. Action settings could be enabled. That's our default. Or we can say "deny"; maybe we don't want this user inside to go outside. Or we can say drop. If we say "drop," we can send the man an ICMP unreachable message as well as all resets, reset client, reset server, or reset both. You can send them an ICMP Unreachable message, but now this time we want to allow them, and you can see that by default we have a log at the session end. We can enable logging at sessionstart, but it's not recommended. This is only recommended if you actually, for example, want to do troubleshooting or something. We don't have any log forward in we canenable log profile, for example, log forwarding profile. So where we can send logs, for example, if we have a syslog server or SNMP or something like that, we can create it here in the future, and we can leave the profile settings to none. But later on, we can have a different profile. either groups or profiles, for example, an antivirus profile, and so on. But this is the next chapter, chapter four, as known here, this one.We now have the option of changing the settings. For example, this can be scheduledto run at a certain time. After I finish this, after I press okay, I'll commit him, and then we'll come back to do the scheduling as well, right? And we have a quality service mark as well. Click. Okay, now that a roller screen is being created, that means the address is anything on the network, 1921 dot zero. It's allowed to go to any address in outside zone" from inside to outside. We don't have any hits or anything because we have not committed. So we need to commit to this. Now that the rules have been successfully implemented, the hit counts have already begun to rise. The reason is that because I have my machine on, I'm having continuous pinging. So that's why you can see that there's a commit, there is a hit count, and you can also see a first hit, last hit, and the application scene; we have not seen any application of that rule. I can open the rule again. And now you can see that there is a new tab by default. Previously, there were seven tabs, 123-4567. Now there's eight tab there onthe 8th tab, which is usage. We can see the basic when was the rule created,when was the rule lost, edited and the activity. So when was the first hit, last hit andhow many hits do we have so far? And if we see any applications on there as well as the traffic invitations, So, for example, if you refresh, you can see this keep going; it keeps getting hits. So, for example, if I open the browser on my machine and let me go to Facebook and some applications, some websites, perhaps we can see some web browsing applications anyway. So go to Facebook. Maybe Palo Alto Network So maybe we're going to see some applications of that rule that we just saw. Okay, they won't appear right away. Applications are not going to show right away. The next thing is, for example, to do is to schedule. Imagine that we don't want thisrule to run all the time. Maybe we want to run it only Monday to Friday, nine to five, right? So I need to go to objects to configure that. You need to go to objects, and then at the end you have schedules. So create a schedule first, and then we can apply the schedule to the rule or to the security policy rule. As you can see, no schedule has been created. Let's create one. So add that, and I'm going to create a schedule to run not daily but weekly, right? And the days of the week are going to be, say, Monday and Wednesday, nine to five. This rule is going to run from Monday to Wednesday, from nine to five. So I need to add the day of the week, which is Monday. The start time will be the start time. Assume the start time is 9:00 and the end time is 5:00. I could have done Monday, Tuesday, and Wednesday, but this is going to take a long time, so add another day, say Wednesday, which is today. That's why I'm adding Wednesday. 900 to 05:00 p.m. Actually, it's a bit later at the moment. I mean, it's 07:00. So I'm going to have to put this bit off. So otherwise I'm going to be locked out. So let's say 10:00, right? So I'll change the schedule from nine to ten. Okay, so 9:00 a.m. to 10:00 p.m., right? That's my roof of my schedule. Now I can go to the policy that we created earlier, and I can apply the schedule to that policy. So security inside to outside and go there, and I can apply the schedule in the action. So click on that and you seethe schedule that I just created. Commit this to take effect, and at 10:00 p.m., that's it. I'm going to be logged off from that PC. Okay. Now the policy has been committed. We have a commit successful. I'm going to create another policy rule or securitypolicy rule that says insight to military zone. So it's just taking time, but you would fill all of them. So source is going to beinside, anyone from inside user? Not yet. Destination will be in a dim zone until we discuss user ID. And the address on the destination is going to be 192-1685. That's the IP address of my DMZ. Okay, if you see it So we're going to that IP address and application from the inside to the diminutrite zone. I can put the application, for example, FTPapplications, so it can be an FTP. And I'll discuss the next chapter about application filter application groups, possibly FTP. Maybe I can add another application for Web browsing. All right. The action will then be to possibly allow a click. Okay, now I have two rules. I have an inside to outsideand inside to demonstrate zone. And you see that on the inside I didn't put the IP address of my network. I just put "any right word," and any is not recommended. You should stay away from it anyway. But what we can do here, and I want to show you this management of the policy rule set down here, is have a ticket that says "highlight unused rules." So any rule that hasn't been used yet I can just ticket, and then it will highlight all the rules that haven't been used. So you can see the inside. The DMZ zone has gotten no hits and is not being used. So maybe you can disable it, or maybe you can delete this rule later on, and you've already troubleshooted. If you want to, you can see why this rule is not being followed. For example, we looked at the hit counts on the rules. So we can see that they increase on the main one that we type because we have it configured and because we have that continuous ping. So if I refresh it, these numbers are going to keep going up. And perhaps I should check, and you can see the two apps they've already seen for that role. And maybe I want to reset this because somehow I'm not sure if these numbers are hitting here or at the top. So you can reset them. You can reset all the hit counts, all the rules, or just selected rules. So for example, maybe I just want the top one. So I'll select the top one, and I'll say "Reset selected rule." So now the hit count goes to zero, and then I can check maybe what rule is coming into that or is being hit on that policy rule or what traffic is hitting that policy rule. So if I refresh, it will appear; you can see it right away. Okay, next is the rule usage filter. Now, this little arrow here is a faint one, but if you click on it, it will open the policy optimizer. And we can see any rules that haven't been used for 30 days. So I can click on that, and it will show you all the rules that haven't been hit in 30 days. Okay, I have not committed that one that I created, so let me just create another one. And I'm just going to do test source.Source is going to be, say, outside, and destination isgoing to be DMZ and click okay, now this isnot very good rule, but anyway, that's what I did. But you would actually make sure, when you create traffic coming from outside to your demonstration zone, that you configure only specific applications. They should be seen from the outside to the inside or from the outside to the DMZ. Okay, now the policy rule has been completed successfully. I can have a look at that. You can see on the policy optimizer that I can already see two rules that haven't been used in 30 days. And if I click on it, then it will show me the two rules inside DMZ and TEST. I can say that. Okay, for example, in fasting, one day, seven days, 30 days, and 90 days of the whole year These two rules have never been hit, as wellas I can use something called no apps specified. Right. So I have one role that hasn't got any apps specified, which is inside to outside, and there are two apps in there. The next thing that we can do is, well, minimise this to see it better and say that we want to see For example, instead of just seeing a single IP address or maybe the network IP address, we can represent them with the address object. To create an object, I say object, and then at the top you have addresses. And in there I can create an address. For example, you can write descriptions inside sidePCs. Now that you have an address, you can have an IP address. So for example, it will be 1921-681-0424, or we can have an example range of IPS. So one, nine, two, one, six, eight, one, up to one, nine, two, one, six, eight, one, one hundred. That's your range of IPS. Or you can have, for example, a wildcard mask. If you remember the wildcard mask 192-0025-5, that's your wildcard mask for this. Or you can have a fully qualified domain name. You can resolve that name as well. But let's just say IP netmask and hit OK; that'll be inside PCs. Now if I go to Policies and Security Policy and you update it, this is the address here. We could add that inside piece and remove this, right? So now it says "actually inside PCs" instead of just the IP address. Also, we can use tags to visually search or use tags to filter or find objects. So we can create tags and filter from that, or we can use them to find objects. So, for example, I already have a few tags here, but creating them is very easy. Simply click "new add inside to outside," for example, and then enter the tag's color. So, for example, if red and okay are available, then you can use these tags. We can also use the tag to create policy rules or display them. So if I click on the policy and let me just change this policy that I created, So inside to outside, and I'll put the tag, for example, instead of internal, I'll put my tag that just created it, say, into us. That's in my tag, and I can put it here into us. And now I can display the security policy by using tags. So, if I just narrowly minimise it, you can see the view rule base as a group. Now if I click that, then it's going to group them into tags. You can see inside and outside that there is a tag one and the other three. They don't have a tag. So, for example, say I'll put them on a tag on the inside of the DMZ, say DMZ click okay, and maybe for testing I'll put a tag on this as well. So Egress says, and now I can look at them as a group based on a rule. I can group them. You can see them here. Now let me zoom in a little bit so we can see it nicely. Sometimes you have a service that is not running on the default port, or maybe it's running on the default port but it's also running on a non-default port. So say that maybe you have an SSH that's running on port 22, but also port 2022. Maybe you could have that, and we could create it from the object and services There are two services by default, and we already created one. They can see the FTP, but those two services are by default. There the service Http, which is 80 and80 80, and service Https which is 443. Now, I want you to imagine that we already havea service that is running on nondefault port as well. So I'll click Add, and I'll type SSH. And SSH is running on port 22, but also on 2022's destination port. And it's in TCP. I can enable UDP or SCTP for you guys who are not familiar with SCTP. It's a stream control transmission protocol. It's a protocol for transmission streams—multiple streams. So destination ports 20 and 22 are 20 and 2022. Source force. We can leave it there or, if we don't type anything, it's going to be any source port. So all 65,535 ports Session timeout. Through SSH, we can inherit from an application or override it. If you override it, then we can choose our session timeout, but if you just leave an inherit, then we can configure the tags. So now we have another service object, which is SSH, and that's running on ports 20 and 22. Now, if we, for example, want to search something, say that I want to search that SSH that I just created. What we can have is this global find. Now, with Global Find, if you click on that and start searching something, it doesn't matter what you search something.Well, it matters, whatever you're searching for. However, it will go through the firewall and match whatever you type there. So say that I'm searching for SSH, right? and then it's going to go and find out exactly where SSH appears. It does appear in anti-spyware applications' vulnerabilities, but also in one service. So let me open that. And that is where I actually created my service object. So you can see SSH Okay, now that I've shown you our policies, both explicit and implicit, for interzone and intrazone, And I showed you that by default you can see it if you say, for example, if you see it, let me just mark it. If you see an icon like this one, that means that this one is not enabled. It's already the default. If you want to change something from the default, you have to select the policy and then select Override. So, for example, if I do want to change maybe the intrazone for login or something, then I have to click overwrite. You can see the revert button is not selected. It's greyed out. So, at the end of the session, overwrite and possibly log. Okay, now you can see the icon has changed. These are two distinct things, and if I choose the intra zone, the revert option is enabled. I can actually press "revert" to put it back to what it was. And I told you about the archive audit comments. So, for example, if anybody changes or makes changes to this policy, they need to write it down in the archive. So for example, let me just change something. So I got rid of this and then updated the date and time. Date and time here right click. Okay. And then, if I want to check it, I will have to go back and have a look at that archive. So click on the audit comment archive andyou can see whatever has been changed. The first is created by an asterisk The reason why we don't see the other one is because I haven't committed. If I commit, then I'll see the next change that we have. And sometimes we want to test the functionality of some policies that we have created, and for that, I'm going to zoom out all the way out, and you'll see at the end we have a test policy match. So if I select that, then on this I can select a policy to match. So for example, from inside, I want to use "going to outside," and the source might be 192-1681. It doesn't have to be that I'm using something—it could be something that I don't even have. So, for example, say two five two, and the destination could be Google or Port Authority. Or you can just leave it empty; it could be anything if I leave it empty. I have nothing TCP yet; execute, source users. Now this is going to try to match a policy. Okay, well, since we said TCP, we have to put the destination port. So let's say ICMP. Then we don't have to put the destination port and then execute, and this is going to match. OK, well, this is inside or outside; it's matching the policy. So if you want to check what policy is going to match, you can use "test policy." And the last thing that we need to check is the viewing log. So to view anything, you go to monitorlogs and then traffic, and you can see, for example, from the log what's happening. So I have this machine 200 going from that source to that destination, and it's usually pink. Let me just do something else and then stop that pink anyway, so stop this pink and maybe I'll try on Facebook again. We just refresh it, maybe duplicate it, and then if I go and see the log, it should say that it's actually going from the PC to 100 and is going to Facebook. I'm going to repeat again. So you can see what's happening with our logs—with the time and the source address, destination address, the port number they're using, the action to be allowed, and what security policy rules are being used. If you want to see more details about a certain log, then use the magnifying glass with the paper in the background. So if you click on that, that's going to open more details about some packet, for example, the general, the source, the destination, the flags, and so on. And when we do the decryption, for example, that's going to be ticked, or maybe if we have a packet capture, that's going to be ticked as well. So, as you can see, Facebook has arrived. from the PC to Facebook. You can actually go into more detail when filtering the log. If I select that PC and I want to select Facebook, then every time that PC has access to Facebook, I can apply this filter so we can see only the PC accessing Facebook, how many times, and so on. But this is a bit more information when we actually go into monitoring.

3. 3.3 Network address translation, Source NAT configuration

On this video, we are covering PCNSA 210, which is our chapter three security and national security policies. This is the third video in that chapter, and it consists of three, three network address translations. source Nat Configuration Net configuration can take two forms: either a source net or a destination net. It all depends on the device that's doing the translation, i.e., the net device or the firewall in this case. So the form is directional and is described from the perspective of the net device. The firewall Sourcenet is commonly used for private internal users or internal IP addresses to access the public internet's outbound traffic. Then we have a destination net that is often used to provide hosts on the public external network access to private internal services. Sourcenet will translate the internal, original private-source IP address to an alternate, usually public-source IP address. So it translates the source address and leaves the destination address alone; it only translates the source address. Usually it's used to provide the internal host access to the Internet, depending on the firewall configuration. Source code might also change the source port number. So you can have a different type of net, and we're going to see there are three different types of nats. First, you can just translate the source IP address to a different source IP address, but you can translate the source IP address and source port number to a different source IP address and source port number. So for example, we have a device in the inside zone with an IP address of 192.168.1.2. That would be the source IP address, and then it wants to go to an IP address in the outside zone with IP address 19202, and it will put it there as a destination IP address. When that packet arrives at the router, the router will change the source IP address to an alternate IP address. Usually a source IP address will become a public IP address, which is routable. There are three types of source nets. We have source translations of network address translations.The first is static IP. So static address translation is one to one.A fixed translation changes the source IP address while leaving the source port number unchanged. Support the implicit bi-directional rule feature. What this means is as follows: I've got the picture there with the IP address. The original IP address of this server is 192-1168-510. and it will be translated to this address: 200 01132 1. Now, any user from our site trying to access the server usually does this if we have a web server, maybe an email server, or other servers that will be accessed from our site. If that web server needs to be accessed from outside by someone on the Internet, they will actually access this IP address, and that IP address will be translated to our server's IP address. So the bi-directional rule is similar to the destination net. So every time this server wants to access theinternet or wants to access the Internet, then thisaddress will always be changed to this address andthat address will be always constant on the table. The second type of that is called dynamic IP, or dynamic address translation. This is still a one-to-one translation of the source IP address only. It does not translate the port numbers. So private source addresses translate to thenext available address in the range. That means that it's first come, first served. For example, I have it on the screen here: two available public IP addresses that we have, numbered 20 to 23. But on the left I have four internal PCs that need to go outside. Now the first PC that wants to access it will be lucky; it will have the first address. Then it's fine. And imagine that one of three wants to access the second, and he gets the second IP address. Now the one or two, the second PC, and the one or four can't get outside. They have to wait for the other two to release that translation or finish the translation. It's in the idea of "first come, first served." So that's why it says private source addresses translate to the next available addresses in the range. So we're not translating the port numbers, just the IP address. And the last, which gets used the most, is dynamic IP and port. Here, we allow multiple clients to use the same public IP address with different source port numbers. The sign address can be set to the interface address or the transient data address. Now, what is said here is that all these PCs can go and access only a single available IP address. The reason is because it's going to translate the IP address and the port number to this address, including the port number. So the IP address and port are different, so many devices can access the same single IP address only.And the last statement here says interface addresses. The sign address can be set to the interface address or translated address. What that means is that, for example, the device has an interface address. Imagine that this is your public address, public address.When we do a dynamic IP network, we can translate to that public address or we can translate to different addresses. Imagine that we have purchased different addresses. These are just NAT addresses; they are not the interface address. So when we do the NAT and when we configure the NAT, we have to configure security policies to go with it. First thing is we start by creating a Nat policy rule. A Nat policy rule will match the packet based on the original pre-Nat source and destination addresses and PreNet source and destination zones. So for example, we have the herePreNet zone and PreNet addresses. And that will match the Nat. It's going to match it. While the security policy we continueby creating a security policy. So every time we create an ad, we have to create a security policy to enforce the net policy. The security policy rule is enforced after the net policy rule is evaluated but before the net translation is applied, if that makes sense. Like what we have here, for example, when we apply the security policy rule, we look at the PreNet addresses. So this address is going to another pre-net address before it's been translated, but we look at the post-net address after the translation. So where is the destination of the packet that's closed on the security policy role? I'm going to configure that. I'm going to demonstrate how to configure that. I'm going to do two types of NATS. So I'm going to use a dynamic IP and port. And as well, I'm going to do static NAT for this server. So static NAT goes from that server to that IP address, and then everything else is going to go to this address, the interface address. We can have a translated address if we have purchased a single address just for that. But we're going to translate it to the interface address. In the next lesson, we can do a destination. That is where users will connect from the Internet to the DMZ zone. Okay? So to configure that, first thing I'm going to do is access my firewall, and I'm going to show you at the moment that I have a PC that is in the inside zone. So if you look at Windows 7, that's the IP address. So if I go to the PC and open a command prompt (CMD) and do IP configuration first, you can see the IP address 191 68, one dot 200, which is that IP address there. And the gateway is the firewall's IP address. So I should be able to ping the firewall. So I should be able to ping my gateway. And that's working, but because there's no net rule at all at the moment, I'm not able to ping outside the world. So if I ping, for example, the DNS server, I'm not able to ping it. Okay, now in this demonstration, I'm not going to show you how to create a security rule because it's already done. And if you want to see that, you have to look at the video 3.2 Security Policy Administration. So the security is already there, but I'm going to create an ad. So the first thing that I'm going to do is create, and before I do that, let me put this as a continuous ping. Yeah. So, ping eight, eight, eight minus T, and that will start just pinging continuous pinging.So I go to my settings to configure that; you need to go to policies, then add, and then add, and we have to put something on the general. So, in general, let's use this dynamic IP and port translation. So this is going to be our dynamic net. And I can create the tags and all that, along with the audit command and description. Make sure you type them. The only reason I'm not doing them is just to speed up the video a little bit, really. And the original packet is going to be the source zone. So if you look, for example, the source zone is inside the zone. So I need to put "inside" and then "destination zone." The destination zone is outside the zone. So how do I create these zones? Again, in previous videos, I've covered that. So the destination zone is outside, so from inside to outside, that's it. And now on the translated package, I can have a source address translation or a destination address translation. But that's going to be the next video's destination. So first, it's going to be the source translation type that we're going to create: dynamic IP import. We can have a dynamic IP without a port or a static IP. We're going to do it through the server. So, if we have purchased dynamic IP import and address type, we can translate it to different addresses. Alternatively, we can simply translate it to the outbound interface. The interface is, and the IP address of that interface is 23013 two.There we go. And click. Okay, that's the address, as indicated by the name "upper DIP," DIPP sources inside a destination outside destination interface, any source address, any destination address, any, and if this matches, we can translate it to this. We'll translate it dynamically and with an Ethernet port, one with that IP address. After we have committed this, we should see hits in our rule usage. So, if we go to ruled usage, we can see that we don't have any hits first, last, or anything at the moment, right? But first and foremost, we must go ahead and commit to it. So commit. Now that we have committed successfully, I'll close this and I'll go and have a look. You can see already that there's a hit count, so you can see the last hit and the first hit. And also, if I refresh the hit count, it should increase. And if I go back to my PC, you can see I have a reply now, right? because the net is actually working. So control C to break this, and if we go back to the firewall, my head counts should stop working. It should stop increasing, I should say. Okay, so that demonstrates how to configure the source network from this PC to the outside zone. Now it doesn't have to be from that PC. We could have said inside zone, original packet, source zone inside, and source address; we could have chosen here the IP address of our internal machine. So, instead of just doing anything that's inside, I can just limit it to that IP address. So if I commit that and see if it still works okay now that it's finished, if I go to my PC, I'm just going to think it's just going to see if it's still working. Yes, it's still working. Well, that's what I'm saying. instead of configuring any address. We can cite a source—just our network. The next thing I'm going to do is show you how to configure a static net. I'm not going to be able to test it because I haven't enabled the server. But the idea is the same. So click "Add" on the name. I'm just going to put "static." Make sure you put the description tag in for filtering, and you can use the tag important that you added in there. The original packet is the source zone is insidestill destination zone while it's outside and source addressbecause this is going to be static. So I'm going to put 192.168.1 as the source address, just to see what my server was. 220. That's the source address; it's a single address. Then, if I know where they're going, I can enter the destination address. Translated address. This is going to be a static net. The translated address is going to be 230-1132, right? So now we're going to have a one-to-one translation. This IP address is always going to be translated. And you see here I have an option forbi directional, which means the packet coming back. This will become source static address translation as well as destination static address translation, and I'll click okay. Now I have static NAT inside to outside destination interfaces for any source address and any destination address, and that's what's going to happen. And in the end, we are going to commit that it's okay to configure our source network. We went to policies, and then we chose net. And then in general, we put the name, make sure you put something in the description, and put the tags as well as the audit comments for the trailer. And then we put, for example, the original packet—how it looks like it's coming from inside—on the outside. And then we look at the translated stress. Now, dynamic IP and port number oversubscription You may occasionally run out of ports, which is extremely unlikely, but you are almost never going to run out of ports. But if you do, the firewall has the option of using the destination address as part of the net translation. So that's called over subscription.For example, if you do run out of port numbers, you can include the destination address as part of that as well. To enable the port over subscription, you need to navigate so that it will show you if you go to the firewall and navigate you to do that over subscription and enable it. You go to devices, then sessions, and then to session settings, where you click on the gearicon here to see the oversubscription rate. You can have a platform default or time one time twenty.

Go to testing centre with ease on our mind when you use Palo Alto Networks PCNSA vce exam dumps, practice test questions and answers. Palo Alto Networks PCNSA Palo Alto Networks Certified Network Security Administrator certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using Palo Alto Networks PCNSA exam dumps & practice test questions and answers vce from ExamCollection.