Palo Alto PCNSA – Chapter 11 – Monitoring and Reporting part 1
- 11.1 Dashboard and Monitor
In this video we are covering PCNSA 210, and this is our Chapter 11, Monitoring and Reporting. This is the first video of Chapter 11, which is 11.1, Dashboard and Monitor. For this video I'm going to go straight into our firewall, and we're going to look at the Dashboard first, which is the landing page: when you log on to your firewall through the GUI, you land on the Dashboard, and there is some good information here. Let me just get rid of these Interfaces widgets, because by default they aren't there. What we can see here first is the General Information, and this is important, mostly self-explanatory information: for example, the device name and the management IP address.
That's the IP address I'm connecting to my firewall on (if I can circle it correctly, that's the firewall), then the MAC address and so on. Some important information here is the software version, and this is going to matter: for example, when we do high availability, we need to match the software version, so we can see the software version we have here, and other things like the VM license and so on. The software information is under General Information. Then, who's logged in: the logged-in admins, the config logs (what changes they made, if there are any), and then the Application Command Center (ACC) risk factor for the last 60 minutes.
This risk factor is going up because I'm generating some traffic just so we can see something on the Monitor. But there's some good information here. If I scroll down a little, by default we see, for example, the Data Logs and, very importantly, the System Logs: what's happening with your network, as well as the System Resources. In the system logs, for example, you can see the admin logged in from this IP address at this time, the AutoUpdate agent found no new WildFire updates, and so on. Important information. Now, if I change something here, for example if I remove this widget and remove the logs, and then log out and log in again with the same admin account, I will see exactly the same layout. So it remembers, for whoever logged in, what changes they made.
If you log in with a different account, it will remember that account's changes; what I'm trying to say is that it's not one view for everybody. Then we have the widgets. First we have the layout: three columns or two columns. I will leave it at three, or you can set it to two, but three is better because you can see more. Then we have the widgets themselves, and there are other widgets you can add. For example, I like to see the interfaces, so let's add the Interfaces widget, and you can see everything has moved. Now you have to move them back around to how they were. We're missing the ACC here... anyway, the ACC is here.
I put the Interfaces widget here because I like to see that my interfaces are operational. Another widget we can add, which is important, is Threat Logs, and this will display the ten most recent threat log entries. You can see some of the things I did, because I'm generating some threats to create traffic: I'm doing vulnerability testing from Kali Linux, and let me run that again so there's more traffic and more threats coming in. This is not what you will really see on your firewall, because this is not a production firewall; it's only one firewall, two PCs and two servers.
The important things we see are the software version, the operational status of the interfaces and the threat logs (the ten most recent threat log entries). As for updating, we can refresh all of this manually (if I click here, that refreshes all of the widgets), or refresh every one minute, two minutes or five minutes. These small things are important when your exam comes up, so you need to know the refresh intervals: one minute, two minutes and five minutes only, or manual. I'm going to leave it at five minutes, or manual. The next thing I'm going to show you is under Monitor, and the first thing we're going to look at is something called the Session Browser.
If I go to Monitor and scroll down a little, you see Session Browser, and this shows you what's happening on your firewall: all the traffic that is currently going through it. I'm going to generate some more traffic, so if I go to my PC-A and run what we did in chapter six, or five, I can't remember exactly, I'm trying to access some viruses and things that are not allowed, just to generate some traffic. This PC's IP address ends in 200. If I refresh this, you see everything. It doesn't refresh automatically; you have to do it manually. So this is our Session Browser, and at the moment PC-A, 192.168.1.200 as I told you, is trying to access things.
There's quite a lot of information: the time, from the inside zone to the outside zone, source IP address, destination IP address, source port number, destination port number, protocol ID, what application it is, which security rule it's hitting, and then the interfaces as well. If you want to drill down deeper into this information, into this packet or flow, I can click on the plus here and it gives a bit more detailed information, especially the session ID and what we get in the NAT rule: for example, is it NAT source? True, yes. NAT destination? Well, it's not NAT destination, it's NAT source. And then we can see flow one, the direction client to server.
Let me just mark this information, because it's very good information. Flow one is coming from client to server, and flow two is returning from server to client, right? Flow one is from zone inside to zone outside, source IP address 192.168.1.200 (PC-A), destination IP address. Now for the returning traffic, the source becomes the destination and the destination becomes the source, and the destination address is not this address, because the server doesn't know it's NATed; the server only sees the NAT address. Then we look at the port numbers, and the state is active, and this is going to move on. So if I refresh, this might disappear, because these are the states as they are at the moment, the sessions that are happening right now.
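The two flows described above, as an added example (not code from the course or from Palo Alto Networks): it models what the expanded session view shows, flow 1 (c2s) with the client's original addresses and flow 2 (s2c) with the addresses the server actually answers to, which are the translated ones when NAT applies. It also handles the destination-NAT case for a published DMZ server, which the lesson does not show. The sessions, zones and the public address 203.0.113.7 are constructed for the example.

```python
"""Reconstruct the c2s and s2c flows of a firewall session (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class Session:
    session_id: int
    from_zone: str
    to_zone: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    app: str
    rule: str
    src_nat: bool = False
    dst_nat: bool = False
    xsrc: Optional[str] = None      # translated source (after source NAT)
    xsport: Optional[int] = None
    xdst: Optional[str] = None      # translated destination (after destination NAT)
    xdport: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    direction: str   # "c2s" or "s2c"
    from_zone: str
    to_zone: str
    src: str
    sport: int
    dst: str
    dport: int


def session_flows(s: Session) -> Tuple[Flow, Flow]:
    """Return (flow 1, flow 2) as the Session Browser lists them."""
    # Flow 1: the client's own packet, before any translation.
    c2s = Flow("c2s", s.from_zone, s.to_zone, s.src, s.sport, s.dst, s.dport)

    # Flow 2: the reply. With destination NAT the real server (xdst) answers;
    # with source NAT it answers to the translated address, because the server
    # never learns the private source address behind the NAT.
    reply_src, reply_sport = (s.xdst, s.xdport) if s.dst_nat else (s.dst, s.dport)
    reply_dst, reply_dport = (s.xsrc, s.xsport) if s.src_nat else (s.src, s.sport)
    s2c = Flow("s2c", s.to_zone, s.from_zone,
               reply_src, reply_sport, reply_dst, reply_dport)
    return c2s, s2c


def describe(s: Session) -> List[str]:
    """One line per flow, in the style of the expanded session view."""
    lines = [f"session {s.session_id}: {s.app}/{s.proto} rule={s.rule} "
             f"src_nat={s.src_nat} dst_nat={s.dst_nat}"]
    for f in session_flows(s):
        lines.append(f"  {f.direction}: {f.from_zone}->{f.to_zone} "
                     f"{f.src}:{f.sport} -> {f.dst}:{f.dport}")
    return lines


# Constructed sample: PC-A (192.168.1.200) browsing an outside web server via source NAT.
PCA_OUTBOUND = Session(
    session_id=1042, from_zone="inside", to_zone="outside",
    src="192.168.1.200", sport=51234, dst="198.51.100.20", dport=80,
    proto="tcp", app="web-browsing", rule="Allow-Internet",
    src_nat=True, xsrc="203.0.113.7", xsport=17862,
)

# Constructed sample: outside client reaching a DMZ server published by destination NAT.
DMZ_INBOUND = Session(
    session_id=1043, from_zone="outside", to_zone="DMZ",
    src="198.51.100.77", sport=40001, dst="203.0.113.10", dport=80,
    proto="tcp", app="web-browsing", rule="Allow-DMZ-Web",
    dst_nat=True, xdst="192.168.50.10", xdport=8080,
)

if __name__ == "__main__":
    for sess in (PCA_OUTBOUND, DMZ_INBOUND):
        print("\n".join(describe(sess)))
```

The point to take from the s2c flow is the one made above: for the outbound session its destination is the NAT address, not 192.168.1.200, and for the published server the reply comes from the real DMZ address and port, not the public one the client used.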
So if I refresh this, see, there's nothing left; there's only one session left at the moment. If I create more, sorry, let me just create some more traffic, and the threats are going to look very bad because all of these are going to be treated as threats. So if I go to Kali Linux and start that again, go back here and refresh, you'll see more sessions coming up. Okay, good. The next thing we're going to look at is under Monitor: App Scope, with Summary, Change Monitor, Threat Monitor and so on. If I go to Summary, this shows you the gainers and losers (well, the top five gainers and losers), bandwidth-consuming apps, bandwidth-consuming sources, app categories and threats.
Again, what I'm trying to show you here is not a production network, so there's not going to be a lot here to display: last 60 minutes against yesterday, no data to display. There is some traffic happening on our firewall and we can see the gainers and losers, five gainers, well, we're not seeing that much here. Again, we can export this to a PDF file. For example, if I click Export to PDF, we can see it as a PDF and later show it as a PDF. Let me show you what the PDF looks like: summary report, top five bandwidth-consuming apps in the last 24 hours, top five consuming app categories, threats. Maybe I should have run this firewall since last night, then we'd see more.
Next we have the Change Monitor, and this shows you the changes over a specific time period. Again, because it's not production, we don't see that many gainers and losers, and we can see them for the last hour or last 24 hours, for example, and we can go up to a four-week period. So this shows the gainers and losers. The next one is the Threat Monitor, which reports the count of top threats over a specific period. These are some of the threats I generated in the last 6 hours, since I just started, and you can do it for the last 12 hours, last 24 hours, 7 days or 30 days. We haven't done that many videos about threats, but anyway, we can see some of the threats here.
Again, you can export these, and you can see the top ten threats or the top 25. For exam purposes, we need to remember these numbers: the top 25 threats or the top ten threats. Then we can look at the Threat Map, which shows you a geographical view of threats, including the severity. Your firewall is down here; it's not being seen, but these are some of the 96 threats we see there, average risk 2.8, if you just hover over it. If you actually want to see your firewall and locate it correctly (I'm in London, and I want to see my firewalls all around the world, everywhere they're located),
you need to add the geographical coordinates of your firewall. To do that we need to go to Device, then Setup, then Management, and under General Settings we need to add the latitude and longitude. I don't really know London's, so I can just search for them here. There we go. I'll just put these coordinates into my firewall, so that's latitude and longitude, and click OK. Now when I go back under the Threat Monitor, I can see that my firewall is correctly located in London. So it's good to enter this for all your firewalls, and you will see them on the threat map where they're located.
Next is the Network Monitor. This displays the bandwidth dedicated to different network functions, again for the last 6 hours, 12 hours, 24 hours, 7 days or 30 days, and the top ten, top 25, top 50 and top 100 applications by bandwidth. Then the Traffic Map shows what's happening around the network; again, we can look at the traffic geographically. So we looked at the Dashboard, at Monitor, at the Session Browser and at App Scope. If I go back to my slides: on the Dashboard, the important information is the software version and the operational status of each interface (which you had to add through the widgets; it was not default), resource utilization, the top ten most recent entries in the threat log (again, the threat log
has to be added through the widget configuration), system logs and refresh intervals. Then we looked at the Session Browser, which shows whatever sessions are currently happening; if there's no session, you won't see anything in there. Then we looked at App Scope. For us there was nothing in the Summary, but it displays the top five gainers and losers, bandwidth-consuming apps, bandwidth-consuming sources, app categories and threats. Then we looked at the Change Monitor, which shows changes over a specific time period, the Threat Monitor, then the Threat Map, where we fixed the firewall to be in the correct location, and we looked at the Network Monitor and the Traffic Map.
The last thing: if you want to export your tables, say you have an external auditor who wants to see what your policies look like and so on. Instead of giving them access to your firewall, we can export this information. To export, just select any of the policies here and then click Export Table. You can export them as PDF or CSV, and you can give a file name and the page size; for example, let's call the file "export", and I'm going to export it as PDF so we can look at it or give it to the external auditors. Okay, that's done. I'm opening it and you can see the configuration report here, and these are our security policies. So instead of giving them access to our firewall, we can export them this way.
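Once the policy table is exported as CSV rather than PDF, the auditor (or you, before the auditor arrives) can run checks over it instead of reading it by eye. The following is an added example, not code from the course or from Palo Alto Networks. The column names, the ";" separator for multi-valued cells and the four rules are constructed assumptions about the export format; compare them against the header line of your own export before pointing the script at a real file.

```python
"""Audit a security-policy table exported as CSV (added example)."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample export. Column names are assumed, not taken from a real export.
SAMPLE_CSV = """\
Name,Type,Source Zone,Source Address,Source User,Destination Zone,Destination Address,Application,Service,Action,Profile
Allow-Internet,universal,inside,192.168.1.0/24,any,outside,any,web-browsing;ssl,application-default,allow,default-profiles
Allow-DMZ-Web,universal,outside,any,any,DMZ,203.0.113.10,web-browsing,service-http,allow,
Temp-Any,universal,any,any,any,any,any,any,any,allow,
Deny-All,universal,any,any,any,any,any,any,any,deny,
"""

# The match criteria of a rule; "any" in every one of them is the classic audit finding.
MATCH_FIELDS = ("Source Zone", "Source Address", "Source User",
                "Destination Zone", "Destination Address", "Application", "Service")


def parse_policy_csv(text: str) -> List[Dict[str, object]]:
    """Read the export; multi-valued cells (assumed ';'-separated) become lists."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rule: Dict[str, object] = dict(row)
        for field in MATCH_FIELDS:
            rule[field] = [v.strip() for v in row[field].split(";") if v.strip()]
        rules.append(rule)
    return rules


def audit_rules(rules: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for the questions an auditor asks first."""
    findings = []
    for r in rules:
        name = str(r["Name"])
        if str(r["Action"]).lower() != "allow":
            continue  # deny/drop rules do not open anything; skip them
        wide_open = [f for f in MATCH_FIELDS if r[f] == ["any"]]
        if len(wide_open) == len(MATCH_FIELDS):
            findings.append((name, "allow rule matches any/any/any on every field"))
        elif r["Application"] == ["any"]:
            findings.append((name, "allow rule does not restrict application"))
        if r["Service"] == ["any"]:
            findings.append((name, "allow rule permits any service/port"))
        if not str(r["Profile"]).strip():
            findings.append((name, "allow rule has no security profile attached"))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit_rules(parse_policy_csv(SAMPLE_CSV)):
        print(f"{rule_name}: {finding}")
```

On the constructed table the script flags Temp-Any three times (wide open, any service, no profile) and Allow-DMZ-Web once (no security profile on an allow rule facing the outside zone), and says nothing about Allow-Internet or the final Deny-All, which is the list an auditor would want to start from.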
- 11.2 Application Command Center (ACC)
In this video we are covering PCNSA 210, and this is our Chapter 11, Monitoring and Reporting. This is the second video of Chapter 11, which is 11.2, Application Command Center, or ACC for short. For this video as well, I'm going to jump straight into my firewall and we're going to look at the Application Command Center. When we log in to the firewall through the graphical user interface, or GUI, the first functional tab we meet is the Dashboard, which we covered in the previous lesson, 11.1: the widgets in there, the update time and so on. The next functional tab we need to look at is the Application Command Center, and it's interactive.
It's a graphical summary of the applications, users, URLs, threats and content traversing our firewall. It takes the firewall logs to provide visibility into traffic patterns and information about threats that maybe we can act upon. For the Application Command Center, we need to know that by default it has four tabs: the Network Activity tab, the Threat Activity tab, the Blocked Activity tab and the Tunnel Activity tab. Those are the only default tabs, but you can add your own tabs if you click on this plus, and you can add your own widgets; for example, give it whatever name you want and add it there. By default the Application Command Center shows you the last hour of activity, and we can change that.
For example, say I want to see the last 30 days, or maybe the last seven calendar days. Let's have a look at that. Now that shows us everything in the last seven calendar days. The first tab we need to look at is Network Activity, and this shows us application usage. There's lots of information: application usage, user activity, and if you scroll down, source IP activity, destination IP activity, source and destination regions, GlobalProtect, and towards the end, if I zoom out a little so we can see it better, the rule usage: which rules are being used at the moment. I'm going to show you these four tabs; each tab has different subcategories that you can have here.
But let's go first to Network Activity. The first thing is application usage. I'm not going to go through each widget here, but just show you, for example, that in application usage we can see the different applications being used, by bytes, sessions, threats, for example, then content and so on. If you have your hands on a firewall you can have a look at these, but for exam purposes we need to remember there are four tabs: Network, Threat, Blocked and Tunnel. Network shows us application usage, user activity, source IP address, destination IP address and, very importantly, towards the end you can see which rules are being used.
Then we have Threat Activity. If I go to Threat Activity, we can see the different threats. The first thing we see is the threats: vulnerability threats, viruses, spyware and so on, including the ID. We can look at WildFire; there's nothing in WildFire. Malicious URLs; there's nothing in there. Obviously this is not a production firewall, otherwise you would have everything filled up. Then we have applications using non-standard ports, and rules allowing those non-standard ports; you can see here the applications using non-standard ports and the rules that are allowing them. Then we have Blocked Activity, under threats, content and URLs.
Under threats we have web-browsing and the viruses; under content we see again that the application is web-browsing only. So if I go here and change the time, and say I want this threat activity but want to show it to someone as a report, we can click here and export this threat activity as a PDF report, and later maybe show it to someone. Okay, that's generating a threat report. If I just click on it, that's our threat report: Application Command Center risk factor, we can see it here, and that's the vulnerability count, 658. I'm doing vulnerability testing from my Kali Linux, so let me just start that again.
I'm just trying to generate some traffic here; this is a script I'm using to run some vulnerability testing against my DMZ server, and from PC-A I'm using these just to generate some traffic and some threats; we covered these in chapter six. The next thing I want to show you is that you can use something called a local filter and a global filter. So let me go to Network Activity again, and say that in application usage we have something called a local filter. I can set a local filter on this application usage widget. If I click here, I'm going to set the local filter, so maybe I can do other things.
For example, an address, let's just say one address. I particularly want to see what's happening with that, maybe my inside address is playing up, and that's my PC-A inside, so I can apply that, and that shows, on this widget only, what's happening with that IP address. Only the filter: if I just hover over it, see, everything in this application usage widget, I can see only that IP address, and say maybe that I want to check it actually goes to my DMZ. Okay, so let me clear that local filter. There's something else as well, the global filter: if I put something here, that takes effect on all the tabs, right?
So let me clear that local filter (clear, apply), and now it doesn't have a filter. If I put a global filter here, that's going to apply to all the tabs. So if I add the address 192.168.1.200 here, that will be on all the tabs: the application usage tab, user activity, source IP address, destination IP address, anything with that IP address, and the rule usage as well. If I click, for example, say that I have it here, that's that IP address, I see it client-server, okay? And from the local filter, I want to add this to the global filter: I can just click here and this transfers it to the global filter, and then all the tabs will be populated.
So again, a local filter is about an individual widget; if I put it here, on an individual widget, it's a local filter, and the global filter applies to all of them. I can maximize to view more data on that source IP activity, and I can jump to logs. For example, I want to see the logs for a source IP activity; straight from here I can jump to the log, which takes me to Monitor and then the logs. For example, I go to the traffic logs and look straight at the logs for that time. And here, if I click here, I can export this source IP activity to PDF, or print the source IP activity to PDF, and I can open that PDF and have a look. Okay?
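The global-versus-local filter behaviour above, and what "Jump to Logs" carries across to the Monitor tab, as an added example (not code from the course or from Palo Alto Networks). It builds three ACC-style widgets (application usage, source IP activity, rule usage) over a handful of constructed traffic log rows, applies a global filter to every widget but a local filter to one widget only, and assembles the log filter string. The log rows and rule names are constructed; the filter-string syntax follows the form the Monitor log views accept, e.g. ( addr.src in 192.168.1.200 ), but check any expression against your own firewall before relying on it.

```python
"""ACC-style widgets with global and local filters (added example)."""
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed traffic log rows with only the fields the widgets need.
LOG_ROWS: List[Dict[str, object]] = [
    {"src": "192.168.1.200", "dst": "198.51.100.20", "app": "web-browsing",
     "rule": "Allow-Internet", "bytes": 52000, "threats": 3},
    {"src": "192.168.1.200", "dst": "198.51.100.21", "app": "ssl",
     "rule": "Allow-Internet", "bytes": 180000, "threats": 0},
    {"src": "192.168.1.201", "dst": "198.51.100.21", "app": "ssl",
     "rule": "Allow-Internet", "bytes": 95000, "threats": 0},
    {"src": "198.51.100.77", "dst": "203.0.113.10", "app": "web-browsing",
     "rule": "Allow-DMZ-Web", "bytes": 8000, "threats": 12},
]

# Widget name -> the log field it groups on.
WIDGETS = {"application_usage": "app", "source_ip_activity": "src", "rule_usage": "rule"}

# ACC filter key -> attribute name in the Monitor > Logs filter syntax.
FILTER_ATTRS = {"src": "addr.src", "dst": "addr.dst", "app": "app", "rule": "rule"}


def matches(row: Dict[str, object], flt: Dict[str, str]) -> bool:
    return all(row[k] == v for k, v in flt.items())


def aggregate(rows: List[Dict[str, object]], key: str) -> Dict[str, Dict[str, int]]:
    """Bytes, sessions and threats per distinct value of `key`, biggest first."""
    acc: Dict[str, Dict[str, int]] = defaultdict(lambda: {"bytes": 0, "sessions": 0, "threats": 0})
    for r in rows:
        bucket = acc[str(r[key])]
        bucket["bytes"] += int(r["bytes"])
        bucket["sessions"] += 1
        bucket["threats"] += int(r["threats"])
    return dict(sorted(acc.items(), key=lambda kv: kv[1]["bytes"], reverse=True))


def acc_summary(rows: List[Dict[str, object]],
                global_filter: Optional[Dict[str, str]] = None,
                local_filters: Optional[Dict[str, Dict[str, str]]] = None):
    """Build every widget: the global filter narrows all of them, a local filter only its own."""
    global_filter = global_filter or {}
    local_filters = local_filters or {}
    base = [r for r in rows if matches(r, global_filter)]      # applied to every tab/widget
    out = {}
    for widget, key in WIDGETS.items():
        local = local_filters.get(widget, {})                   # applied to this widget only
        out[widget] = aggregate([r for r in base if matches(r, local)], key)
    return out


def log_filter_expr(*filters: Optional[Dict[str, str]]) -> str:
    """Combine ACC filters into the filter string 'Jump to Logs' would carry to Monitor."""
    merged: Dict[str, str] = {}
    for f in filters:
        merged.update(f or {})
    terms = []
    for k, v in merged.items():
        attr = FILTER_ATTRS[k]
        if k in ("src", "dst"):
            terms.append(f"( {attr} in {v} )")
        else:
            terms.append(f"( {attr} eq '{v}' )")
    return " and ".join(terms)


if __name__ == "__main__":
    pca = {"src": "192.168.1.200"}
    print("global filter:", acc_summary(LOG_ROWS, global_filter=pca)["rule_usage"])
    print("local filter :", acc_summary(LOG_ROWS, local_filters={"application_usage": pca})["rule_usage"])
    print("jump to logs :", log_filter_expr(pca, {"app": "web-browsing"}))
```

With the global filter, rule usage collapses to Allow-Internet because only PC-A's rows survive on every widget; with the same address as a local filter on application usage, rule usage still lists Allow-DMZ-Web, which is exactly the difference the lesson points out when promoting a local filter to a global one.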