Pass Your Palo Alto Networks PCNSE Exam Easy!

Palo Alto Networks PCNSE Palo Alto Networks Certified Network Security Engineer exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. Palo Alto Networks PCNSE Palo Alto Networks Certified Network Security Engineer exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the Palo Alto Networks PCNSE certification exam dumps & Palo Alto Networks PCNSE practice test questions in vce format.

Basic Administrative Tasks

2. Changes and Committing changes

So in this lecture, we'll continue talking about some of the basic administrative tasks. If you come in from the Cisco world,what you gonna be, what you used tois when you make a change is instantaneous. There is not such a case in Palo Alto. Palo Alto: When you make a change on the firewall, this change is saved in the candidate configuration. When you make changes on the PaloAlto firewall web interface, these changes are saved in the Canada configuration. So let me create an Address object here as an example test address, and if I give it an IPaddress here, that's the change that I made. If I go under the device and click on configuration audit, as we saw in the last lecture, you have the running configuration and the calendar configuration. You can do a comparison between the two, and we'll show you what was added. The green is what was added, and this is the Address object that I created. Now if you want to basically move that configuration to the running configuration, you have to commit. When you click on commit, this will commit the configuration to the running configuration. It's going to be used by the firewall. So if you go ahead and click Commit, that will take effect. Every change that you have on the firewallis kept in history of the changes. So if you go under set up operation youcan load a configuration version and the configuration versionare saved by the date of the configuration. See if we can go back in time to when the firewall was created and see the various changes that we have made. You can roll back to any differences, any previous configuration, from the dates allowed, and I can go back to the configuration versions that I have. So I'm going to go back, and if I click Go Back, load the confirmation version before the last commit. If I do a conflict audit I should see that "address object" getting deleted. So the Address object will get deleted from the Canada configuration. So you can also name your configurationin the way that you remember. So let's say you're doing a major change, adding IPsec tunnels, and adding a lot of features. You can save the configuration,save the configuration by name. So instead of looking at the configuration version dates, which have the configuration dates, it can go back and easily spot it this way. So in my case, I've assured you that I loaded the configuration based on the date, and I know now that, hey, this will get deleted. So I changed my mind. I'm going to go back under operation and then revert to the running configuration. So that will revert to the running configuration that we have on the firewall. So let's say I'm about to make a lot of changes, so I'm going to make a lot of changes, and I want to remember those changes. I'm going to, let's say, add this test address too, and I want to remember this configuration by name, the same as the configuration set snapshot, and then give it a name. Please change this way I can easily go back to it. So I saved a name configuration snapshot, so I did that, and now if I want to revert to run configuration, I can revert to run configuration, and if I go back to objects, I should see the object disappear. If I load a name configuration snapshot, I should see it come back. So you can basically do a lot of changes on the GUIand you don't have to commit them, you can save them asa name and then this way when you're ready to do thechange you can just load it and commit it. You can also do this from the CLI if youlog into the CLI and you can make changes onthe CLI and commit them on the CLI. So, let's say I go to the CLI and type configure, which will put you in configuration mode, and then I'll add an address object set address and name it Test Address 3 Ipnot Mask, okay? So I modified the CLI so that if I return to the exact mode and see a conflict, it will tell me exactly what the differences are. Same like I did from the CLI, cando show conflict differential and will show mewhat are the differences in the config. Another task you can do is create So under administrator, you can create local admin accounts, but by default, you have an admin account, and you can create accounts locally and give them different rules. So here you can specify the actual username; let's say admin too. So you enter the password and assign the role of super user. You can give a password profile. The passport profile basically dictates how many expiration days are required, whether to change it every 90 days, and so on. So you can set up an account locally here on the firewall, give it a password, and basically put it in a specific administrative type rule. The default rules that are common for the Firewall are "super users," and a super user will have full redirect. Super user read only would havejust access to read only. All configurations cannot be any changes.So those are some of the settings and committing changesthat you need to be aware of when you startworking once you start working with the Paul Alto.

3. Local Administrator Account with External Authentication

In this lecture, we'll talk about administrators and admin roles. There are preconfigured admin roles in place on our wall's panel. Audit admins have specific permissions. If you click on the role itself, it has access to the Monitor tab, which is the Monitor tab. Here does not have access to certain things in the Monitor tab like capture, traffic, run PDF, reports, and policies. It has access to the Device tab, but with limited settings like lock settings. If you click on XML API, it does not have access to the XML API. If you click on Command Line, it doesn't have any access to the command line. Then there's Crypto Admin, Crypto Administrator for Common Criteria; that's the role that has been defined. And then you have the security. Admin pretty much has access to everything except IPsec tunnels, crypto profiles, certificate management, and some other stuff that he doesn't have access to. If you click on Administrators here, you see Admin. By default, admin is the account that comes with the firewall, and it has the super user role. Typically, what happens in a production environment is that you want to centralise the management of the appliances and have a unique login for each administrator that logs into the system for accountability. In that case, you typically would use an LDAP system or server to authenticate the users against Active Directory and give them the proper permissions that they would require. In order for you to, for example, authenticate against an external server like LDAP Radius, you have to create the LDAP or TechX too. You could support TechX as well. You have to basically set up the server profile. So we're going to start by looking at how to create the radius functionality. And in order for us to kind of see an example here, It's better that we set up our Windows 2012 server instance so that we have an Amazon. or if you have a new test lab configured for Radius Server in Windows 2012. to add the Radius Server. You can click on Add Rules and Features. Click Next. Choose Rules and Features, and we're going to find the Network Policy and Access Services. Okay, so we're going to click on that and then click "Add Feature" and then click "Next," and then click "Next," and then click "Next." So network policy server That's the one we need. The MPS 2012 replaces the previous version of Windows and IAS. Choose the Natural Policy Server, which provides Radius functionality, and then close. Okay, now it's installed. We're going to find the MPs and, under Radius Clients and Servers, we need to add the firewall as a Radius Client. You're going to go to Radius Clients and then click New, and then we're going to enable RadiusClient and we'll give it a friendly name. Follow firewall directions, and we need to use the IP address of the management interface. In the case of our firewall, the IP address of the management interface is 123110, and then select an existing share structure key template. You can put the share ticket key there. That's the password that is used to communicate between the lady client and your server. So we'll give it any password you wish. And then under Advanced, we can choose Standard, and then click Okay. So now we've set up the Redis client. We'll now move on to Policies. And then, under Policies, we'll add a condition. So the Condition request policies tell the Radius server that any authentication requests are going to be authenticated against Active Directory. And here we use Windows Authentication for all users under Settings. Under Authentication, authenticate the request on this server because this server is the main controller. So we should be able to authenticate the request against the service. And then click Okay. And then underneath, policies. By default, all the policies are denied. So we need to create a policy that allows And then we're going to call this Palo Admin and click Next. Then include a select condition. You can set the condition based on the IP address of the client. Client IPV 4 address This is the client IPV4 address. So you can make your condition based on that client's IP address. We'll start by giving an example of this based on the client's IP address. The next request is granted. You don't have to check the dial-in permissions. Click Next. And then we're going to need to allow It's not Ms. Chef Version Two. It's not, Miss Chef. We're going to need to allow unencrypted I'm going to complain that this is an insecure authentication method because we have PAP selected and PAP doesn't encrypt the traffic. Then Next is the current default. And then click Finish. Okay, so that's enabled Grant Access, and we're going to test it out here. I'm going to start the server. Stop, start, and start. And then now I'm going to add a user in my Active Directory. active directory users. I'm going to create a user account under Users as "Palo" palo admin.And then next and then give him password. Next, and then finish. Okay, so now that this is done, I'm going to add the Radius server and DC Radius. I'm going to specify that this is used for administrator use only. The name is Ad DC Server. And the shared secret you put in "shared secret," like you put in "client settings" and "MPS Server," And then click Okay. And then, under Authentication Profile, we'll click Add, then give this admin off a name. To specify Radius, select the service profile that you created and then click Advanced. And then allow everything for now. And then click Okay. And then we need to create the same account. We have an active Active Directory. Follow admin. We're going to need to create the same account authentication profile. You're going to select the profile we created. So basically, because I selected the radius, the password is not asking me for a password. So this method will basically get the password from the radius and then click Okay. And we're going to go ahead and commit. So the role I'm giving them super user," so they should be able to connect to SSH as well. We'll go ahead and commit, and then I'm going to open a new browser, then use Palo admin for the password that I put in my account. And there you go. I'm connected. I'm connected using the account. If I look at the actual requests coming into the MPs server, event viewer, custom view server, role network, and policy server, So here we see the request. So it appears that I have chosen NASA's IPaddress admin as the client-friendly name. This is the client that I gave And then it's actually authenticating you. It's using authentication. And as we see here, the result is full access. So it did authenticate the user, and the user was able to get in. However, I had to create the user account on the firewall itself. So that's one example of setting authentication using Radius. Next lecture, we're going to see other examples.

4. External Authentication Using Radius Server

In the first lecture, we saw how to create an admin account using Radius for authentication. And we assigned one of the dynamic roles There are four dynamic roles that are set up. device administrator, device administrator only, super user, super user reader only And then there is a role-based aspect, which we saw earlier. Audit admin, crypto admin, security admin—those are custom roles created for you. You can create your own custom roles. We're going to look at this and see how to create our own custom role here.So here we're going to create a full access that gives the user a role that has access to pretty much all the tabs, all the features, and also the XML API. If you click on the line, it's goingto turn to green, means enable, log, configuration,pretty much all the XML API stuff. We look at the XML API and future lectures. And then here, in the command line, we're going to give them superuser access. You can have a superuser, a superreader, a device admin, and a device reader. We're going to choose the super user, which gives them full access to the CLI. This is a custom rule that we created. So I don't want to create an account for each administrator that's going to log in to my firewalls. Let's say I have 30 or 40 firewalls to set up for a new administrator, even if that person is one of ten that's coming in to help the company for a week or something. I don't want to set up an account for them on each of the firewalls. And then now I have to remove them from each of the firewalls. So I want to rely on the Radius server to do the full authentication and rule assignment. And this can be done using the Radius server. So I want to be able to push the admin role, have the user authenticate from the Radius server, and also get the role that they should get from the Radius server. So we're going to see how to do that. Going back to our example, we need to change the policy and modify it. So the first thing we have to do is basically create a group in Active Directory. So we're going to create a group here and call this group Full Follow Admin, and we're going to click Okay. And then we're going to add a user to that group. We're going to add a new user and add a user to that group. Let's call this user "admin" and give her your password. And I'm going to add this user to the group. Okay. Now I'm going to need to configure the MPS server. So I'm going to restrict whoever can log into the firewall based on being a member of the group. So my condition in the previous lecture was the client IP address, which is the firewall IP address. I'm going to add a group here and then specify that the user group is going to be the full auto admin. So only the users that belong to that group will be allowed to log in. And then under the settings, I'm going to need to send some vendor-specific Radius attributes, and the vendor-specific Radius attributes I'm going to add here We selected the vendor specifics we're going to add, and we're going to choose Enter the Quote. And the quote for the Palo Alto Firewall is: 25, four, six, one, select yes, hit confirm, and configure attribute." And then we're going to configure three attributes. The first attribute provides the role, which is the Palo Alto admin rule. And this will be the admin role. We created that as full access. Okay. And then the second attribute is also "same vendor." And we're going to choose number two. And this is the virtual system. So if you have multiple virtual systems, you can set the attribute to restrict them to a specific virtual system. This is not required, so I'm going to leave this without it. And then the other attribute is attribute number three: string attributes, and this will be the role again. So I push two attributes: Attribute one is the full access role. And attribute three, which is the full access rule, And then I have to go to the Palo Alto firewall, go to the setup tab, and click on the authentication settings, and only Radius is supported to push the settings, accept the username, and get the rollback. Radius is the only authentication method that can do this, but it only tells you your authentication profile. Radius method is supported non local admin. So those are administrators you didn't create locally on the firewall. So we're going to click on "Admin Auth" and then click "Okay," and then we'll go ahead and commit login as that admin. We don't have an account set up locally for that user. I'm going to go to my Internet Explorer and use that account to go ahead and log in. And I'm logged in, but I don't have an account set up on the firewall. So I'm relying on the Radius server for the account information and the Radius information. And that gives me the flexibility of placing users dynamically in Active Directory. So let's say I have a new security admin. I'm just going to put them in that group, and they will automatically have access to all the firewalls. This guy gets a better job and leaves, and we remove him from that group, and he no longer has access to the firewall. So that gives you flexibility in getting pretty much all of your usage and your accounts handled by Active Directory, which is the way it should be because you don't want to create accounts manually. and all the firewalls.

5. System software Upgrade / Downgrade, global protect client install

In this lecture, we will talk about how to look at your licencing and the software on the Palo Alto appliances. To find out your licenses, you go under Device and then Licenses, and then you can click on Check licences at the bottom. If you don't see licenses, you can click on Checklicenses, and that will pull out the information from the Palo Alto network and bring it down to your firewall and give you the licences that you purchased. The other thing is the software updates. If you go to "Devices Software," which you can install here, I have seven programmes installed. You can install the software. I'm going to show you how to install now. You basically go ahead and click on "Download" and that will download the software version that you want to use. It's going to go ahead and download the software, and you can click on Close here and click on Tasks. You will see what is going on. So right now, right now, I have seven, one, and six installed. I'm going to install seven and fifteen. This is a downgrade. It's the same process to downgrade or upgrade. You click Install, and it's going to go through the install process from the CLI. You can use show jobs all to see what jobs are currently running, and software installation is currently underway. So you can see it from here, or you can see it from the CLI as well. A global Protect client is also available for download. You can click on Check now to get the latest software that is available in the system, and you can also click Download on that. So I'm going to go ahead and download that once the device is up and running with the new version. So it shows jobs. All you can see here spending 82% 83%,I'm going to pause until it finished downloading. So once it's finished downloading, it's going to ask you to reboot your device for the new software to be effective. You can click yes and wait for itto come up again on the new version. Okay, so I've finished rebooting; I'm going to go ahead and log in. I'm going to go ahead and go to Network Device, Software, Device, and Global Protect Client, and I'm going to download the global Protect client. Once you download the global Protect Client, you need to activate it. So here, click Close, download it, and then go ahead and activate. Okay, so that's also the step to download theglobal Protect client and activate it to reboot. Also you can do it fromthe command line request restart system. That's also a way to reboot it. You can reboot from under Setup Operations and then reboot Device or shut down Device; that's also a method to reboot the firewall. So this lecture showed you some of the software and licence administration on the ballot.

6. Dynamic Updates

In this lecture, we will see how to update your databases to make sure that they stay up to date. The Paul Alto Firewall gets application and threat database updates from Paul Alto, and you need to maintain this to make sure it stays up to date in your environment. So in order for you to make sure that your firewall is up to date, you need to go to Device under Dynamic Updates. You need to make sure that you have a schedule for the dynamic updates. In this case, I have a schedule for application and threats. So my firewall has applications and threats, then it has Wildfire, and it has Global Protect for global protected data files. has the global "Protect host information" capability so that you can make host policies based on the application and threats? has the application database and threats database, and the Wildfire is basically the signature of files that are detected as malicious, and you want to make sure you get those frequently enough to protect yourself from any recent threats. So, under application and threats, it's best to do this on a daily basis. So we'll do it daily, basically at 15:00 a.m. And you can specify actions such as "download only" or "only download and install the application." You can choose to disable new apps and content updates if you want to research the new apps and ensure they won't break anything in your environment. You can disable those new apps that are getting pushed in the updates if your environment is pretty sensitive and make sure that you don't break any existing applications, and that will make sure that these applications and threats get updated daily. In the global protect data file, you can do it hourly or daily. I'm going to do it hourly here so we can see the update in action, as well as download and install, and then Wildfire the frequency of downloading. The Wildfire can be downloaded every minute. Even so, I'm going to show you how to download every 15 minutes, and you can specify download and install as well. It ensures that your firewall stays up to date with the latest applications and threats, globalProtect data files, and Wildfire information. When you're finished with the schedule, click Commit, and from then on, your updates will be downloaded and installed in the background on your firewall every day and every day, global Protect every hour, and Wildfire every 15 minutes.

Go to testing centre with ease on our mind when you use Palo Alto Networks PCNSE vce exam dumps, practice test questions and answers. Palo Alto Networks PCNSE Palo Alto Networks Certified Network Security Engineer certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using Palo Alto Networks PCNSE exam dumps & practice test questions and answers vce from ExamCollection.