infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

ULTIMATE
TEST DRIVE
Secure Access Service Edge
(SASE)

Workshop Guide

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 1
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Table of Contents
How to Use This Guide 4
Activity 0 – Initiate the UTD Workshop 5
Task 1 – Log In to Your Ultimate Test Drive Class Environment 5
Task 2 - Understand the UTD Environment Setup 6
Task 3 – Retrieve assigned Student-ID 7

Activity 1 – Prisma Access Introduction 8

Task 1 - Cloud Scale 8
Task 2 - Dataplane Isolation 8
Task 3 - Consuming the SASE Service 9
Task 4 - Always-On Security with Pre-Logon 10

Activity 2 – Securing Private Application Access with ZTNA 1.0 11

Task 1 – Log in to GlobalProtect 11
Task 2 – No Security Inspection 14
Task 3 – Can’t Secure All Applications 15
Task 4 – No Continuous Trust Verification 16

Activity 3 – Securing Private Application Access with ZTNA 2.0 19

Task 1 – Log in to GlobalProtect 19
Task 2 – Continuous Security Inspection 22
Task 3 – Secures All Applications 23
Task 4 – Continuous Trust Verification 24

Activity 4 – Securing Internet and SaaS Access with ZTNA 1.0 28

Task 1 – Standard Controls – SSL Decryption 28
Task 2 – Standard Controls – URL Filtering 29
Task 3 – Standard Controls – Inline Antivirus 30
Task 4 – Bypass Standard Controls 31

Activity 5 – Securing Internet and SaaS Access with ZTNA 2.0 35

Task 1 – Continuous Security Inspection - Block Tor 35
Task 2 – Log in to Strata Cloud Manager 38
Task 3 – Continuous Trust Verification - Dynamic User Groups 42

Activity 6 – Modern Threat Protection with ML-Powered Analysis 46

Task 1 – Test WildFire Inline ML 46
Task 2 – Test URL Filtering Inline ML 48

Activity 7 – Unified SASE with Strata Cloud Manager 50

Task 1 – Log in to Strata Cloud Manager 50

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 2
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 2 – Dashboards 51
Task 2 – Incidents & Alerts 56
Task 3 – Monitor 57
Task 4 – Manage 60
Task 5 – Workflows 61
Task 6 – Reports 62

Activity 8 – Autonomous Digital Experience Management (ADEM) 63

Task 1 – ADEM Application Experience Dashboard 63
Task 2 – Monitored Applications 66
Task 3 – Monitored Users 68
Task 4 – Monitored Branch Sites 72

Activity 9 – ADEM for Mobile Users 74

Task 1 – WAN Quality Issues Affect End-User Application Experience 74
Task 2 – Enterprise-Wide Application Performance Issue with Dropbox 76
Task 3 – High CPU Causes Poor App Experience 77
Task 4 – High Latency in Home Router Causes Poor Application Experience 79

Activity 10 – ADEM for Branch Sites 81

Task 1 – SaaS Application Performance Degradation Due to Application Server 81
Task 2 – SaaS Application Performance Degradation over Prisma Access and Secure Fabric Paths due
to ISP Network 83

Activity 11 – Prisma Access 85

Task 1 – Easy Onboarding 86
Task 2 – Best Practice Policy Checks 87
Task 3 – Simplified Day-to-Day Configuration Management 92
Task 4 – Visibility 94

Activity 12 – Prisma SD-WAN 96

Task 1 – Prisma SD-WAN Dashboard 96
Task 2 – Application Monitoring 98
Task 3 – Site Visibility 100
Task 3 – Configuration 103
Task 5 – CloudBlades 106

Activity 13 - Feedback on Ultimate Test Drive 108

Task 1 – Take the online survey 108

Appendix-1: Network Diagram 109

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 3
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

How to Use This Guide

The activities outlined in this Ultimate Test Drive Workshop Guide are meant to contain all the information
necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any
potential issues with the UTD environment. This guide is meant to be used in conjunction with the
information and guidance provided by your facilitator.

Notes:
This workshop covers only basic topics and is not a substitute for training classes conducted by Palo Alto
Networks Authorized Training Centers. Please contact your partner or regional sales manager for more
information on available training and how to register for one near you.
Unless specified, a Chromium web browser will be used to perform any tasks outlined in the following
activities (Chromium is pre-installed on the Windows VMs).

Terminology:
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each tab, found in the left-hand column of each screen.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 4
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 0 – Initiate the UTD Workshop

In this activity, you will:

• Log in to the Ultimate Test Drive Workshop from your laptop.

• Learn the layout of the environment and its various components.

• Retrieve your assigned Student-ID

Task 1 – Log In to Your Ultimate Test Drive Class Environment

Step 1: Verify that your laptop is equipped with a modern browser that supports HTML 5.0. We
recommend using the latest version of Firefox, Chrome, or Edge.

Step 2: Open a browser window and navigate to the class URL. If you have an invitation email, you will
find the class URL and passphrase there. Otherwise, your instructor will provide them.

Enter your email address and the class passphrase.

Step 3: Complete the registration form and click Login at the bottom.

Step 4: Once you have logged in, the system will create a unique UTD environment for you. Please note
that this process may take a while, as indicated by the progress bar at the top of the screen.

Once the environment has been created, the system will display a welcome page.

This will display a list of all virtual systems that constitute the UTD environment.

Take note of the shortcut menu at the top of your browser window. You will use this menu throughout the
workshop to switch between the available desktops.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 5
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 2 - Understand the UTD Environment Setup

This UTD environment consists of the following components:
A. ZTNA SCM: Strata Cloud Manager used for hands-on activities.
B. ZTNA 1.0 User: Windows VM for ZTNA 1.0 model user.
C. ZTNA 2.0 User: Windows VM for ZTNA 2.0 model user.
D. Unified SCM: Strata Cloud Manager used for unified SASE walk-through.

Review the diagram below to better understand the UTD environment setup.

Each student will be assigned a unique Student-ID which will be used for the configuration of your ZTNA
1.0 user and ZTNA 2.0 user VMs.

Your student environment is part of a shared Prisma Access tenant.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 6
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 3 – Retrieve assigned Student-ID

These are pre-requisite steps necessary to get your environment ready for the workshop. These are
specific to your personal workshop environment and not related to Prisma Access.

Step 1: Click the Student-ID tab. Click the Student-ID icon to launch the browser. The UTD-SASE:
Student-ID page should load.

Step 2: Enter your email and for the Login key: use utd1234.

Click Join.

Step 3: Get Student-ID. Your Student-ID will be used throughout this workshop. It is important to use
your assigned value so as to not interfere with others who are doing this workshop.

End of Activity 0

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 7
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 1 – Prisma Access Introduction

In this activity, you will:

• Review Prisma Access highlights

Task 1 - Cloud Scale

Prisma Access is built in the cloud to secure at cloud scale – leveraging the largest cloud providers in the
world, enabling elastic scale and the highest performance multi-cloud network backbone. This offers best-
in-class security, auto scaling to absorb surges in workload, while delivering best-in-class end-user
experience.
A list of more than 100 Prisma Access locations can be found here.

Task 2 - Dataplane Isolation

Deployments for each customer are completely separate. This is what we call dataplane isolation. In this
model, the customer selects their deployment locations. Dedicated virtual infrastructure is spun up in
those locations to support that specific customer’s needs.
Dataplane isolation ensures high performance. Multi-tenant end-to-end, with a unique dedicated
dataplane for each customer, ensures that all customers are isolated from each other and receive
consistent high-performance.
The benefits are:
Performance isolation
• Customer A’s traffic does not impact customer B – each performs, and scales based on their
individual performance requirements.
Performance scale benefits are also helpful for SSL decryption. It is essential that the Internet-
bound traffic be decrypted and inspected by a full featured security stack to prevent outbound
command-and-control from any infected endpoints in the branch, to stop drive-by downloads,
access to malicious sites, and to ensure compliance with corporate policies.

Security isolation
• Customer A’s traffic is not mixed with customer B traffic – each has their own logical nodes.
Traffic is kept separate, including per-customer allocated public facing IP addresses. This is
useful to create SaaS IP policies that should not have cross-customer IP addresses.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 8
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 3 - Consuming the SASE Service

Prisma Access is based on the Palo Alto Networks industry leading security stack that is delivered as a
cloud service.
Once deployed, customers have multiple connectivity and service options:
Desktop Agent
• The most common deployment model. Agents can be installed on a multiple of endpoint types
including Windows, Mac, Linux, Chrome, and Android.

Network hardware integration

• For security reasons, Prisma Access exclusively uses IPsec as a branch integration solution.
With the GRE integration used by some SASE solutions, internal IP addresses are sent in
cleartext, enabling an attacker to potentially read internal IPs and identity targets for exploitation.
Prisma Access infrastructure runs on a dedicated virtual infrastructure, sized for IPsec use, so
customers realize the benefits of encryption over others who favor GRE due to performance
degradation concerns.

Explicit proxy
• Used when a desktop agent is not an option. Uses PAC files on the host.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 9
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 4 - Always-On Security with Pre-Logon

From the time a client boots and is online, it is connected to the SASE service using certificate-based
authentication. The client is protected, and traffic is inspected, even before the user logs in.
An always-on security posture is important for not only keeping clients up to date from a patch
management perspective, it also makes the client available for software deployments for upgrades and
new packages as well. With pre-logon you can allow clients to connect making them available for
software deployments, updates, group policy changes, etc. Endpoints deploy with the always-on security
model are secured from boot time against malicious activity, even before a user logs on. Since traffic is
continuously inspected at all times, any C2 (command-and-control) that may have embedded itself on the
host can also be blocked.

End of Activity 1

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 10
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 2 – Securing Private Application Access with

ZTNA 1.0
In this activity, you will:
• Review Zero Trust Network Access (ZTNA) 1.0
• Transfer a malicious file over a Windows file share
• Try to connect to a SSH server over a non-standard port
• Observe what happens when a client becomes non-compliant

Zero Trust Network Access (ZTNA) 1.0 is built to restrict access with coarse-grained network access
controls. This violates the principles of least privilege by treating applications as a network construct at
layers 3 and 4 (IP and port), providing limited control and much more access to users than necessary.

The “allow and ignore” model trusts and rarely verifies. Once access to an application is granted, that
communication is implicitly trusted forever. This assumes the user and the application will always behave
in a trustworthy manner, which is never the case. 100% of breaches occur on allowed activity, which an
“allow and ignore” model cannot prevent.

In this activity, you will access the network as a ZTNA 1.0 user without all of the Prisma Access
capabilities.

Task 1 – Log in to GlobalProtect

Step 1: Click the ZTNA 1.0 User tab to access that desktop in your browser.

Step 2: You will be connected to the ZTNA 1.0 User desktop.

NOTE: If the Okta window is already present, close it by clicking the X in the upper right-hand corner.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 11
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: From the system tray, click the icon and then GlobalProtect .

Step 4: Click the Connect button.

Step 5: In the GlobalProtect Login window, sign in to the GlobalProtect application with the following
credentials:
Username: ztna1-user[X] where [X] is your assigned Student-ID (e.g. ztna1-user25)
Password: Password1!

Click Sign In.

This will establish a secure tunnel from the ZTNA 1.0 User VM to nearest available Prisma Access
gateway.

Note: You have been logged in based solely on the provided credentials and no security check of
your system has been done. In the ZTNA 1.0 model, the user does not get the benefit of
continuous trust verification based on ongoing user behavior. You could disable protections like
Anti-Virus and/or the firewall and would still be allowed to connect.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 12
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Depending on which CloudShare regional data center your workshop is originating from, you are likely to
see the Gateway as US-East, Netherlands Central, or Singapore.

Step 6: Click the Change Gateway drop-down to see the available gateways that are user selectable for
this Prisma Access tenant.

Click into the GlobalProtect window to dismiss the drop-down list.

Note: You may get a notification regarding a new version of the GlobalProtect agent being available. You
may choose to update or not, it should not affect your lab.

Step 7: Click the hamburger icon then select Settings to bring up the GlobalProtect Settings
window.

From Connections see the details on this connection to the Prisma Access gateway.

Click the icon to close the window.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 13
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 2 – No Security Inspection

The ZTNA 1.0 model assumes traffic is secure and provides no to little inspection. Security through
obscurity, with no ability to detect or prevent malware or lateral movement across connections once
application access for a user is allowed.
An example of such an application is the Server Message Block (SMB) protocol, a network file sharing
protocol that allows applications on a computer to read and write files, and to request services from
server programs in a computer network. SMB serves as the basis for Microsoft’s Distributed File System
implementation.
Malware distribution is not limited to web and FTP traffic, it can also use SMB, especially for transferring
files within a Windows environment. This adds a key requirement for a SASE solution to be able to
inspect SMB application traffic to find and block malicious files.

Step 1: From the ZTNA 1.0 User VM, double-click the SMB batch file on the Desktop.

A cmd window will temporarily pop-up and execute the command to mount the remote SMB share.

Step 2: Click the File Explorer icon on the Taskbar.

Step 3: From File Explorer, double-click the SMB icon for share(\\192.168.251.50)(Z:).

Step 4: Click and drag the benign and malicious zip files from the remote share to your desktop.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 14
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Both files should copy over without being blocked. The ZTNA 1.0 user does not have the benefit of a full
security stack capable of inspecting all applications.

Step 5: Close the File Explorer window by clicking the X in the upper-right corner.

Task 3 – Can’t Secure All Applications

ZTNA 1.0 secures some of the applications, some of the time – only a subset of private apps that use
static ports can be addressed. Let’s see what can happen when applications are controlled by port
numbers instead of identifying the actual application.
The SSH protocol runs on port 22 by default. Here we will see what can happen when we try to access a
SSH server over port 445, which is the default for SMB.

Step 1: From the ZTNA 1.0 User VM, click the PuTTY icon on the Taskbar.

Step 2: From the PuTTY Configuration window, select SSH over port 445 and then click the Load
button.

This will populate the IP of 192.168.251.100 for the IP address and 445 for the port.

Click Open.

If prompted with a PuTTY Security Alert, click the Accept button.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 15
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: You have been allowed to connect to a SSH server over port 445.

Port-based rules leave you vulnerable and least privilege access is violated.

As there is nothing further needed to show, click the X icon in the upper-right corner to close the
connection.

Task 4 – No Continuous Trust Verification

Once you are granted access, ZTNA 1.0 continues to provide that access even if the client becomes non-
compliant.

Step 1: From the ZTNA 1.0 User VM, click the Command Prompt icon on the Taskbar.

Step 2: From the Command Prompt window, type ping 8.8.8.8

Step 3: Click the Windows Security icon on the Taskbar.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 16
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 4: From Windows Security, click Virus & threat protection under Security at a glance.

Step 5: Click Manage Settings under Virus & threat protection settings.

Step 6: Disable Real-time protection and Cloud-delivered protection.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 17
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Click Yes when prompted by the User Account Control pop-up.

Click the X icon to close the Windows Security window.

Windows will inform you that virus protection has been turned off.

Step 7: From the Command Prompt window, type ping 8.8.8.8 again. The ping will go out uninterrupted.

This is due to the lack of continuous trust verification in the ZTNA 1.0 model.

Click the X icon to close the Command Prompt window.

End of Activity 2

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 18
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 3 – Securing Private Application Access with

ZTNA 2.0
In this activity, you will:
• Review Zero Trust Network Access (ZTNA) 2.0
• Transfer a malicious file over a Windows file share
• Try to connect to a SSH server over a non-standard port
• Observe what happens when a client becomes non-compliant

Prisma Access is built to secure all users and applications, with fine-grained user-app access controls.
This allows you to fully realize the principle of least privilege by operating at layer 3-7, providing the most
granular access control possible, at both app and sub-app levels.

It secures all the applications, all of the time. This works consistently for all the applications, including
modern cloud-native apps, SaaS apps, and legacy private apps. This includes applications that use
dynamic ports and apps that leverage server-initiated connections.

In this activity, you will access the network as a ZTNA 2.0 user with the additional Prisma Access security
protections.

Task 1 – Log in to GlobalProtect

Step 1: Click the ZTNA 2.0 User tab to access that desktop in your browser.

Step 2: You will be connected to the ZTNA 2.0 User desktop.

NOTE: If the Okta window is already present, close it by clicking the X in the upper right-hand corner.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 19
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: From the system tray, click the icon and then GlobalProtect .

Step 4: Click the Connect button.

Step 5: In the GlobalProtect Login window, sign in to the GlobalProtect application with the following
credentials:
Username: ztna2-user[X] where [X] is your Student-ID (e.g. ztna2-user25) – be sure to do ztna2
Password: Password1!

Click Sign In.

This will establish a secure tunnel from the ZTNA 2.0 User VM to nearest available Prisma Access
gateway.

Note: You have been logged in based on your credentials as well as your system having been
verified that its HIP (Host Information Profile) is compliant with company policy.

Click the X to close the window.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 20
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 7: Click the hamburger icon then select Settings to bring up the GlobalProtect Settings
window.

From Connections see the details on this connection to the Prisma Access gateway.

Step 8: Click Host Information Profile to learn more about what system information was collected.

Click the icon to close the window.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 21
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 2 – Continuous Security Inspection

The ZTNA 1.0 user was mapped into port-based access controls without full stack security. Now, as a
ZTNA 2.0 user, you get the advantage of App-ID least privilege controls for SMB including full stack
security to monitor and protect against malware delivery over even non-web app protocols like SMB.

Step 1: From the ZTNA 2.0 User VM, double-click the SMB batch file on the Desktop.

A cmd window will temporarily pop-up and execute the command to mount the remote SMB share.

Step 2: Click the File Explorer icon on the Taskbar.

Step 3: From File Explorer, double-click the SMB icon for share(\\192.168.251.50)(Z:).

Step 4: Click and drag the benign and malicious zip files from the remote share to your desktop.

This time only the benign file will copy over. You will see an Interrupted Action pop-up as Prisma Access
is providing security inspection for the SMB protocol and has detected the malicious file and prevents its
copy to your local file system.

Step 5: Close the File Explorer window by clicking the X in the upper-right corner.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 22
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 3 – Secures All Applications

App-ID was invented to ensure that there is complete visibility to applications regardless of their ports and
at the same time provide the inspection necessary to ensure true protection that full stack security was
intended for. This capability - based on deep packet inspection as opposed to destination IP/Domain
approximations - is natively built in, not relying on 3rd party technologies.

Step 1: From the ZTNA 2.0 User VM, click the PuTTY icon on the Taskbar.

Step 2: From the PuTTY Configuration window, select SSH over port 445 and then click the Load
button.

This will populate the IP of 192.168.251.100 for the IP address and 445 for the port.

Click Open.

Step 3: Since you are only allowed to use the SSH protocol over its default port (22), you are not able to
connect to a SSH server on port 445. Least privilege access assures that App-ID inspects the traffic and
only allows SMB over port 445.

The connection will eventually time out and you will see the below message.

Click the OK button and then X icon in the upper-right corner to exit PuTTY.
UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 23
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 4 – Continuous Trust Verification

Once you are granted access, ZTNA 2.0 continues to examine your security posture in the case that the
client becomes non-compliant.

Step 1: From the ZTNA 2.0 User VM, click the Command Prompt icon on the Taskbar.

Step 2: From the Command Prompt window, type ping 8.8.8.8

Step 3: Click the Windows Security icon on the Taskbar.

Step 4: From Windows Security, click Virus & threat protection under Security at a glance.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 24
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 5: Click Manage Settings under Virus & threat protection settings.

Step 6: Disable Real-time protection and Cloud-delivered protection.

Click Yes when prompted by the User Account Control pop-up.

Windows will inform you that virus protection has been turned off.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 25
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 7: A GlobalProtect Notification window will pop-up informing you that your system is no longer
compliant with company policy.

Click the X to close the window.

Step 8: From the Command Prompt window, type ping 8.8.8.8 again.

Step 9: Return to the Windows Security window and reenable Real-time protection and Cloud-
delivered protection.

Click Yes when prompted by the User Account Control pop-up.

Step 10: The GlobalProtect Notification window will now inform you that your system is compliant again
as the HIP check has met company policy again.

Click the X to close the window.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 26
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 11: From the Command Prompt window, ping 8.8.8.8 again.

Click the X icon to close the Command Prompt window.

Step 12: From the Windows Security window, click the X to close it.

End of Activity 3

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 27
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 4 – Securing Internet and SaaS Access with

ZTNA 1.0
In this activity, you will:

• Explore the limited user and application controls provided by the ZTNA 1.0 model

• Bypass those controls with the Tor Browser

In this activity, the ZTNA 1.0 user is given a basic security posture with features such as URL filtering and
inline antivirus. The ZTNA 1.0 user can view sites such as espn.com but unable to access gambling sites
based on company policy. Malware downloads using standard web applications are also blocked. SSL
decryption is also implemented.

Task 1 – Standard Controls – SSL Decryption

By default, Prisma Access is able decrypt SSL traffic. By leveraging cloud scale, the is no performance
degradation.

Step 1: From the ZTNA 1.0 User VM, open the Chrome/Chromium browser from the Taskbar.

Step 2: Click the ESPN bookmark.

Step 3: Click the lock icon, then click Connection is secure.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 28
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 4: Click Certificate is valid.

Step 5: From the Certificate window, note that Issued to: is the current site you are on, Issued by: is
from Prisma Access due to SSL decryption taking place.

Click OK to close the window.

Task 2 – Standard Controls – URL Filtering

Step 1: Click the Gambling.com bookmark.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 29
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 2: Due to URL filtering, this site blocked.

Task 3 – Standard Controls – Inline Antivirus

Step 1: Click the Eicar bookmark.

Note: If prompted with a This website uses cookies pop-up, just click the X in the upper right-hand
corner.

Step 2: Scroll down to the section Download are using the secure, SSL enabled protocol HTTPS.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 30
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: Attempt to download any of the provided samples. The malware file is blocked.

Note that SSL decryption is taking place. You cannot protect what you cannot inspect.

Task 4 – Bypass Standard Controls

Common security measures such as URL filtering and antivirus can be utilized to block access to
malicious websites and the distribution of malware.
Malware and malicious actors do not like to play by the rules. It is adaptable and evasive using various
techniques such as Tor to remain undetected by basic security measures. The Tor browser uses
encrypted, evasive tunnels to punch through proxies, IPS solutions, and firewalls. Appearing as
innocuous web traffic, the Tor nodes are used to exfiltrate data and perform command-and-control using
tor2web.
When a ZTNA 1.0 user, or compromised host, activates Tor, those standard security features are no
longer effective. Malware and malicious traffic are undetected.

Step 1: Open the Tor Browser from the Taskbar.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 31
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 2: Click the Connect button to initiate a circuit to a Tor relay.

Step 3: Once the connection is established, the default page will be displayed.

Step 4: Click the Gambling.com bookmark.

Step 5: Where this site was previously blocked due to URL filtering, it is successfully loaded with the Tor
Browser.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 32
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 6: Click on the lock icon to view the Tor circuit that was built in order to access this site.

Click the lock icon again to dismiss the pop-up.

Step 7: Click the Eicar bookmark.

Note: If prompted with a This website uses cookies pop-up, just click the X in the upper right-hand
corner.

Step 8: Scroll down to the section Download are using the secure, SSL enabled protocol HTTPS.

Step 9: Attempt to download any of the provided samples.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 33
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Click Save File. The file is saved to the Desktop.

Close the Tor Browser.

The same evasive techniques used by Tor can also bypass antivirus inspection. The ZTNA 1.0 user
represents a higher level of security risk without continuous trust validation, stronger application controls,
and security measures.

End of Activity 4

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 34
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 5 – Securing Internet and SaaS Access with

ZTNA 2.0
In this activity, you will:

• See the benefits of continuous security inspection

• Explore how Prisma Access security policies are configured

• Perform auto-tagging based on user behavior

• Enterprise DLP

The ZTNA 2.0 user is subject to fine-grained user-app access controls. This allows you to fully realize the
principle of least privilege access.

Task 1 – Continuous Security Inspection - Block Tor

Step 1: From the ZTNA 2.0 User VM, open the Tor Browser from the Taskbar.

Step 2: Click the Connect button to initiate a circuit to a Tor relay.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 35
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: This time the connection is blocked.

Click Tor Network Settings.

Step 4: Scroll down to the Bridges section.

Bridges are Tor relays that are not publicly listed so they cannot be identified easily.

Step 5: Click Use a bridge and the select obfs4 from the drop-down for Select a built-in bridge.

Step 6: Click Try Connecting Again from the top of the settings page.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 36
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 7: Another Tor failed to establish a Tor network connection. message will appear.

Click Tor Network Settings.

Select snowflake from Select a built-in bridge.

Snowflake leverages other user’s systems that have installed a plugin to a browser such as Chrome or
Firefox. That plugin allows other Tor users tunnel traffic through their browser to obscure the source
address of their traffic and evade enterprise security controls.

Step 8: Click Try Connecting Again from the top of the settings page.

Step 9: After some time, the connection will fail again. If you do not wish to wait, click the cancel button.

Click Tor Network Settings.

Select meek-azure from Select a built-in bridge.

Meek-azure leverages other evasive techniques

Step 10: Click Try Connecting Again from the top of the settings page.

Step 11: The connection attempt should quickly fail.

Close the Tor Browser.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 37
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 2 – Log in to Strata Cloud Manager

Step 1: Click the ZTNA SCM tab.

It can take a minute to connect and display the login page.

Step 2: The username, utd-sase-viewer@pan-labs.net should already be filled in.

Click Next.

Step 3: The password will automatically fill-in.

Click Sign In.

Step 4: If not already on the Dashboards page, click the Dashboards icon.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 38
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 5: Navigate to Workflows > Prisma Access Setup > GlobalProtect. Then click the
GlobalProtect App tab.

Step 6: Scroll down to the User Status section and click on the number next to Current Users.

Step 7: All the currently logged in users can be found here. You can Search for your assigned student-id
as well.

From the logged in user, this is mapped to what is known as User-ID. These users can also be
associated with group mappings as we have done for the ZTNA 1.0 and ZTNA 2.0 users. These User-IDs
and group mappings can then be applied to security policies.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 39
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 8: Navigate to Manage > Configuration > NGFW and Prisma Access.

Step 9: Set the Configuration Scope to Mobile Users Container.

Then navigate to Security Services > Security Policy.

Step 10: Scroll down to the Security Policy Rules section. Then look for Mobile Users Container.

These are the security policies used in this lab. Under User you can see the ztna1.0 and ztna2.0 groups.
This is also reflected in the Name of the policy as well.
UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 40
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 11: Let us explore the security policies that were responsible for blocking the Tor Browser in the
previous task.

ZTNA-2.0 Deny traffic to known Tor nodes – Palo Alto Networks maintains and publishes an External
Dynamic List (EDL) of known Tor exit nodes. The destination IP address matches the EDL named Palo
Alto Networks – Tor exit IP addresses and is blocked. This EDL is constantly updated by Palo Alto
Networks. There are other built-in EDLs that can be found under Configuration > Objects > External
Dynamic Lists.

ZTNA-2.0 Deny evasive apps – This policy blocks applications known to employ evasive techniques.
You will see more in the next step.

ZTNA-2.0 Deny unwanted apps – Prohibited applications like BitTorrent and unknown TCP/UDP are
matched on this rule. This goes back to the least privilege model and these categories of apps should not
be allowed.

ZTNA-2.0 Outbound traffic to WAN – This is the standard security policy for the ZTNA 2.0 user to allow
traffic out to the Internet. All allowed traffic is subject to best-practice security profiles.

Step 12: Navigate to Objects > Application > Application Filters. The evasive-apps filter matches on
applications that fall under the category of networking and subcategory of encrypted-tunnel.

Step 13: Click evasive-apps to see the matching applications.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 41
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 3 – Continuous Trust Verification - Dynamic User Groups

Enterprises are looking to deliver more automated responses to network risks. This includes
pivoting information derived from user activity into actionable data to deliver more agile and
faster responses to possible threats. Prisma Access can deliver behavioral based controls to
mitigate risks and re-enforce the security posture.
Access control for users can be enforced through the use of Dynamic User Groups (DUGs), allowing
enterprises to dynamically respond to user behavior. Tags are used as matching criteria in order to
populate DUGs with users. Users can be auto-tagged through multiple methods, providing enterprises
flexible integration options.
This task will show how a user can be prevented from communicating further on the network when
malicious behavior is detected.

Step 1: From the ZTNA 2.0 User VM, click the Command Prompt icon on the Taskbar.

Step 2: From the Command Prompt window, type ping 8.8.8.8

Step 3: Open the Chrome/Chromium browser from the Taskbar.

Step 4: Open the DUG > Botnet trigger bookmark.

Step 5: This will simulate botnet “phone home” traffic and will be blocked.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 42
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 6: From the Command Prompt window, type ping 8.8.8.8 again.

Your user has been added to the malicious-user DUG and this traffic has been blocked.

Step 7: There is a 5-minute expiration timer configured for this DUG. You can wait or trigger another
action by typing ping 1.1.1.1

This will remove your user from the malicious-user DUG.

Step 8: ping 8.8.8.8 once more.

Step 9: From the Strata Cloud Manager tab, navigate to Incidents & Alerts > Log Viewer

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 43
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 10: Switch the log to Firewall/Threat from the drop-down.

You can search on source_user = 'ztna2-user[X]@pan-labs.net' where [X] is your assigned student-id.

This was the threat event that triggered the rest of the automated actions.

Step 11: Navigate to Manage > Configuration > NGFW and Prisma Access. Configuration Scope
should be Mobile Users Container. Then go to Objects > Tags.

The malicious-user tag will be the identifying object used in the next steps.

Step 12: Go to Objects > Auto-Tag Actions.

Step 13: Open Add malicious-user tag.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 44
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

The tagging rule indicates that when a botnet threat is detected to add the malicious-user tag to that user.

To return to the previous page, click Cancel or click Mobile Users Container at the top of the current
page.

Review the Remove malicious-user tag action for what happened when you ping 1.1.1.1.

Step 14: Click Cancel and then navigate to Objects > Dynamic User Groups.

Step 15: Open the DUG-malicious-user object.

The dynamic user group adds any user with the malicious-user tag associated with it.

Click Cancel.

Step 16: Navigate to Security Services > Security Policy. Scroll down to the Mobile Users Container
and review the security policy ZTNA-2.0 Deny ping for malicious-user.

End of Activity 5

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 45
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 6 – Modern Threat Protection with ML-

Powered Analysis
In this activity, you will:

• Review Inline ML security profiles

• Observe real-time detection of malware files and malicous web sites

Millions of new cyberthreats emerge every year, with organizations constantly racing to prevent them.
Leveraging cloud-scale resources, automation, and other techniques, today’s adversaries enjoy some
inherent advantages: the ability to spread their attacks more quickly than ever, and the ability to deploy
polymorphic malware and malicious content that evades detection by constantly changing its identifiable
features.
Palo Alto Networks has delivered the world’s first ML-Powered Next-Generation Firewall (NGFW),
providing inline machine learning (ML) to block unknown file- and web-based threats. Using a patented
signatureless approach, WildFire and URL Filtering proactively prevent weaponized files, credential
phishing, and malicious scripts without compromising business productivity. Palo Alto Networks hardware,
virtual NGFW, and Prisma Access can apply new ML-based prevention capabilities:
• WildFire inline ML inspects files at line speed and blocks malware variants of portable executables,
PowerShell files, as well as Linux executables, which account for a disproportionate share of
malicious content.
• URL Filtering inline ML inspects unknown URLs at line speed. This feature can identify phishing
pages and malicious JavaScript in milliseconds, stopping them inline so nobody in your network ever
sees them.

Task 1 – Test WildFire Inline ML

Step 1: From ZTNA 2.0 User, open the Inline ML > WildFire Inline ML bookmark from the browser.

Step 2: The file will start to download. As soon as WildFire Inline ML detects the threat, the connection is
reset, and the download fails.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 46
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: From the Strata Cloud Manager tab, go to Incidents & Alerts > Log Viewer >
Firewall/Threat.

To help filter for your result, search for sub_type.value = 'ml-virus' AND source_user = 'ztna2-
user[X]@pan-labs.net' where [X] is your assigned student-id.

Step 4: Click on the details icon to get more information on this entry. Expand this by clicking Log
Details >.

Note that the subtype is ml-virus which indicates this file was determined to be malicious due to
WildFire Inline ML. You can explore the many other details available.

Step 5: You can review the other associated logs by clicking on the log type / timestamp on the left. It is
easy to pivot from the threat log to the traffic log.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 47
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 2 – Test URL Filtering Inline ML

Step 1: From ZTNA 2.0 User, open the Inline ML > URL Filtering Inline ML bookmark from the
browser.

Step 2: The page will start to display. Once the URL Filtering Inline ML engine detects the content as a
phishing site, the connection is reset.

Step 3: From the Strata Cloud Manager tab, go to Incidents & Alerts > Log Viewer >
Firewall/URL.

To help filter for your result, search for inline_ml_verdict.value = 'local' AND source_user = 'ztna2-
user[X]@pan-labs.net' where [X] is your assigned student-id.

Step 4: Click on the details icon to get more information on this entry. Expand this by clicking Log
Details >.

Note that the Inline ML Verdict is local which indicates this site was determined to be malicious due to
URL Filtering Inline ML.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 48
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 5: As before, you can pivot to any associated logs from here.

End of Activity 6

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 49
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 7 – Unified SASE with Strata Cloud Manager

In this activity, you will:

• Get an introduction to Strata Cloud Manager

Palo Alto Networks Strata Cloud Manager is a new AI-powered Network Security platform. With Strata
Cloud Manager you can easily manage your Palo Alto Networks Network Security infrastructure – your
NGFWs and SASE environment - from a single, streamlined user interface. Strata Cloud Manager's
shared security policy ensures that all your enterprise traffic gets consistent policy enforcement, and
Strata Cloud Manager also leverages AI to maintain peak health for managed products, and to give you
the best possible security posture.
• Unified management and consistent security policy, delivered from the cloud - Strata Cloud Manager
seamlessly integrates your NetSec products, giving you a single interface that you can use to
centrally monitor, manage, and secure your network.
• Comprehensive and actionable visibility for your network traffic - Strata Cloud Manager optimizes
your network security with comprehensive AI-powered threat visibility, reducing the time required for
manual analysis and investigation. Strata Cloud Manager provides robust interactive dashboards and
reports that help you to achieve better security outcomes and improve security posture.
• Proactive security posture and health management, with inline remediation - Strata Cloud Manager
strengthens security posture with built-in best practices, and inline remediation features powered by
AIOps.

Task 1 – Log in to Strata Cloud Manager

Step 1: Click the Unified SCM tab.

It can take a minute to connect and display the login page.

Step 2: Enter utd-scm@pan-labs.net for the Email.

Click Next.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 50
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: The password will automatically fill-in.

Click Sign In.

Step 4: If not already on the Dashboards page, click the Dashboards icon.

Task 2 – Dashboards
Strata Cloud Manager provides a set of interactive dashboards that give you a comprehensive view of the
applications, ION devices, threats, users, and security subscriptions in your network. The dashboards
provide visibility into the health, security posture, and activity happening in your deployment that helps
you to prevent or address performance and security gaps in your network.

Step 1: If not already on the Dashboards page, click the Dashboards icon.

The SASE Health and Threat Insights dashboards are pinned by default. See the More Dashboards
menu for the others that are available. Select or clear the check box beside a dashboard name to pin or
unpin the dashboard to the Dashboard landing page.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 51
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 2: The SASE Health dashboard shows you the overall health of your Mobile Users, Remote Sites,
and Applications (if you have purchased an AI-Powered ADEM license) that are currently connected to
Prisma Access. The numbers in the circles represent the number of users or sites that are currently
connected from the Prisma Access Location where they appear. A dot represents a single user or site.
The areas on the map that have a blue background indicate that the numbers shown in that region are a
prediction or forecast.

Step 3: The Threat Insights dashboard provides a holistic view of all threats that the Palo Alto Networks
security services detected and blocked in your network. The dashboard shows threats identified across
these security subscriptions - DNS Security, WildFire, URL Filtering, and Threat Prevention. You can
examine threat trends, filter threats by threat categories, security services that allowed or blocked threats,
and actions taken on threats. You can also view the impacted applications, users, and security rules that
are allowing or blocking threats. You can also filter the information displayed on the dashboard by time
range, action taken, threat category, subscription services, and threat severity.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 52
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 4: The Application Experience data displayed in this dashboard will change and correspond to the
card that you select - Mobile User Experience or Remote Site Experience. If you are new to AI-Powered
ADEM, you may want to begin by surveying the applications that are in use across your organization and
use this information to identify which applications you want to create app tests for. In addition, if you have
users or remote sites reporting application issues, this dashboard is a good place to start isolating the
issue. The application usage data is pulled from the real user traffic traversing through Prisma Access. It
includes traffic from Mobile Users and Remote Sites.

Step 5: The Executive Summary dashboard shows you how your Palo Alto Networks security
subscriptions are protecting you. This report breaks down malicious activity in your network that these
subscriptions are detecting - WildFire, Advanced Threat Prevention, Advanced URL Filtering, and
Enterprise DLP. The dashboard shows data for each of these security services.

Step 6: The Best Practices dashboard measures your security posture against Palo Alto Networks’ best
practice guidance. Importantly, the best practices assessment includes checks for the Center for Internet
Security’s Critical Security Controls (CSC). CSC checks are called out separately from other best practice
checks, so you can easily pick out and prioritize updates that will bring you up to CSC compliance.

Step 7: The Prisma SD-WAN dashboard shows you a high-level and graphical view of the network,
device, and application metrics of Prisma SD-WAN. In addition, it shows you:
• The connectivity status of your branch and data center devices to the controller.

• The application utilization data for your ingress and egress traffic.

• Basic network insights and reports for all branch sites across a tenant from the past week.

• Information about the top branch and data center sites by the number of incidents generated.
• The link quality metrics across your sites like MOS score, packet loss, jitter, and latency.
• Predictive capacity utilization at a site level based on the previous three to six months of information.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 53
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 8: The Prisma Access dashboard allows you to see how you’re leveraging what’s available to you
with your license and get a high-level view into the health and performance of your Prisma Access
environment. The data includes:
• An overview of your Prisma Access usage—your licenses, Prisma Access locations, and mobile user
capacity and/or bandwidth utilization

• Top Prisma Access locations for mobile users and remote networks
• Overall bandwidth consumption for remote network and service connection sites, and the highest-
consuming remote network and service connection sites

• Tunnel disconnection trends, including the most impacted tunnels

Step 9: The Application Usage dashboard data includes an overview of the applications on your
network, including risk, sanction status, bandwidth consumed, and the top users of these applications.

Step 10: The Network Usage dashboard shows what’s driving your network traffic. Dive in to see who or
what is using your network (users, apps, IP addresses, and countries), and the apps and sites they’re
accessing and their threat exposure.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 54
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 11: The User Activity dashboard allows you to get visibility into an individual users’ browsing
patterns: their most frequently visited sites, the sites with which they’re transferring data, and attempts to
access high-risk sites.

Step 12: The DNS Security dashboard shows you how your DNS Security subscription is protecting you
from advanced threats and malware that use DNS.

Step 13: The Advanced Threat Prevention dashboard gives insight into threats detected in your
network and identifies opportunities to strengthen your security posture. Threats are detected using inline
cloud analysis models and threat signatures generated from malicious traffic data collected from various
Palo Alto Networks services. This dashboard provides a timeline view of threats allowed and blocked and
a list of hosts generating cloud-detected C2 traffic and hosts targeted by cloud-detected exploits.

Step 14: The WildFire dashboard shows you how WildFire is protecting you from net new malware that’s
concealed in files, executables, and email links.

Step 15: The DLP Dashboard gives insights into the applications to which most uploads are prevented
by DLP and the total number of files that are blocked by DLP in your network.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 55
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 2 – Incidents & Alerts

To help you maintain the ongoing health of your devices and deployments, and to avoid disruption to your
business, explore each of the incidents and alerts pages to:
• View incidents and alerts across your network, and drill down to investigate.
• Create and review rules that trigger incidents and alert notifications.

Step 1: Navigate to Incidents & Alerts > Prisma Access to see an overview of incidents and alerts in
your Prisma Access environment.

Step 2: Go to Incidents & Alerts > Prisma SD-WAN for incidents and alerts when the system reaches
system-defined or customer-defined thresholds or there is a fault in the system.

Step 3: Incidents & Alerts > Log Viewer provides an audit trail for system, configuration, and network
events. Jump from a dashboard to your logs to get details and investigate findings. A query field and time
range preferences help you narrow down the specific logs that are of interest to you.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 56
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 3 – Monitor
You can protectively monitor the health and connectivity status of your remote networks, applications,
NGFW devices, and mobile users in Prisma Access. Strata Cloud Manager also provides features to
monitor the performance of the common network services, consumption details of your subscription
licenses, and manage the tool used to analyze connectivity issues. The Prisma SD-WAN users can also
monitor the health and connectivity status of Prisma SD-WAN applications, ION devices, data centers
here all in one place.

Step 1: Navigate to Monitor > Applications to see the applications in your organization by usage
and application risk score. For monitored applications, you can see the user experience score.

Step 2: Monitor > Users shows users that connect to Prisma Access security services either through the
GlobalProtect agent on their devices or through Explicit Proxy through a web browser on their devices.

Securing mobile users from threats is often a complex mix of security and IT infrastructure procurement
and setup, bandwidth, and uptime requirements in multiple locations throughout the world. With Prisma
Access for users, the entire infrastructure is deployed for you and scales based on the number of active
users and their locations.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 57
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: Select Monitor > Branch Sites to view the health and connectivity of your remote networks and
the usage of all your remote networks.

The Prisma Access tab shows you the real-time connectivity status and bandwidth consumption details,
along with other deployment details. Mobile Users, branch offices, and retail locations connect to Remote
Networks. You can also view the health of the tunnels configured in your Remote Networks and Mobile
Users.

The Prisma SD-WAN tab gives a Map view of the branch site that provides the connectivity status of your
branch site devices to the controller and the alarm status for the site. The List view shows you how many
sites were active during the Time Range selected and the overall health metrics of the branch sites. The
Activity view presents key application analytics, the latest site health score and site health distribution
over time.

Step 4: Select Monitor > Data Centers > Service Connections to view aggregated data as well as
information about individual service connections. Service connections enable both mobile users and
remote networks.

ZTNA Connectors - The Zero Trust Network Access (ZTNA) Connector simplifies private application
access for all your applications. The ZTNA Connector VM in your environment automatically forms
tunnels between your private applications and Prisma Access.

Prisma SD-WAN sites include data centers that you wish to have in your wide area network.

Step 5: Monitor > Network Services to view the performance of common network services that affect
your user experience for accessing applications. Select the GlobalProtect Authentication tab to view
information about those network services. Select DNS to see DNS Proxy requests and responses with
respect to Prisma Access DNS Proxy

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 58
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 6: Select Monitor > Subscription Usage to view details about your Prisma Access Base
Subscriptions, including how many amount licenses you have consumed so far.

Step 7: Use Monitor > IOC Search to search on a security artifact to interact with data just for that
artifact.

Step 8: Monitor > ION Devices > Device List to view your Prisma SD-WAN devices. Device Activity to
view system information like CPU, memory, disk, and interface statistics.

Step 9: Monitor > Access Analyzer provides automatic monitoring of your SASE environment. It offers a
conversational AI tool for contextual troubleshooting and what-if analysis to analyze access and
connectivity issues in your SASE environment.

Step 10: Monitor > Prisma Access Locations to view the health of all your Prisma Access locations for
your remote networks and mobile users.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 59
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 4 – Manage
Step 1: Navigate to Manage > Configuration > NGFW and Prisma Access. Think of the Overview
page as your launching point in to NGFW and Prisma Access both for first time setup, and for day-to-day
configuration management.

With Strata Cloud Manager, you can apply configuration settings and enforce policy globally across your
entire environment, or target settings and policy to certain parts of your organization. When working in
your Strata Cloud Manager configuration management, the current Configuration Scope is always
visible to you, and you can toggle your view to manage a broader or more granular configuration.

From the Security Services tab, you can define how you want to enforce Prisma Access traffic with
Security Policy. Your security policy is where you define how you want to enforce traffic in your Prisma
Access and NGFW deployments. All traffic that passes through your Strata Cloud Manager environment
is evaluated against your security policy, and rules are applied from the top down.

SaaS Security Inline is built-in to Cloud Managed Prisma Access to give you a centralized view of
network and CASB security. It offers SaaS visibility—which includes advanced analytics and reporting—
so that your organization has the insights to understand the data security risks of sanctioned and
unsanctioned SaaS application usage on your network.

Data Loss Prevention protects sensitive information against unauthorized access, misuse, extraction, or
sharing. Enterprise DLP on Strata Cloud Manager enables you to enforce your organization’s data
security standards and prevent the loss of sensitive data across your NGFWs, and your Prisma Access
mobile users and remote networks.

Step 2: Manage > Operations to push configuration changes, review past configuration pushes, and
manage your configuration versions snapshots to load or revert them to a previous configuration version.

Step 3: Manage > Security Posture are tools to improve your security posture and verify that you're
protected against threats by following security policy best practices.
• Use Config Cleanup to identify and remove unused configuration objects and policy rules.
• Configure Policy Optimizer to hone and optimize overly permissive security rules so that they only
allow applications that are actually in use in your network.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 60
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

• Use Policy Analyzer to quickly ensure that updates you make to your security policy rules meet your
requirements and do not introduce errors or misconfigurations (such as changes that result in
duplicate or conflicting rules).

Step 4: Manage > Prisma SD-WAN to manage configurations for policies, resources, CloudBlades, and
system resources.

Task 5 – Workflows
Workflows are a collection of tasks to start onboarding your Prisma Access mobile users and remote
networks, and Prisma SD-WAN branches.

Step 1: Navigate to Workflows > Prisma Access Setup > GlobalProtect. Here you will find the
configuration tasks needed to enable your GlobalProtect infrastructure, Prisma Access locations,
application settings, and check against best practices.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 61
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 2: Workflows > Prisma SD-WAN > Devices to set up ION devices. The ION devices can be
deployed at a branch site or a data center site and are available in both hardware and software form
factors. You must connect, claim, assign, and configure the ION devices for your branch and data center
sites.

Task 6 – Reports
Get reports on the network traffic patterns, bandwidth utilization, and your security subscription data in
Strata Cloud Manager. Reports provide actionable insight into your network that you can use for planning
and monitoring purposes. Reports are supported on certain Prisma Access dashboards and Prisma SD-
WAN. Prisma Access users who have full access to use the dashboard can download dashboard data as
PDFs, share the report within their organization, and schedule reports to get delivered to their email inbox
at regular intervals. Reports are a licensed subscription service in Prisma SD-WAN. You can download
and view reports from controllers, across sites, and circuits in Prisma SD-WAN.

Step 1: Go to Reports > Prisma SD-WAN to get an aggregate view of traffic distribution and
bandwidth utilization in your network.

End of Activity 7

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 62
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 8 – Autonomous Digital Experience

Management (ADEM)
In this activity, you will:
• Review Autonomous Digital Experience Management (ADEM) features

Organizations have transformed their IT infrastructure to provide users access to workplace resources
and data from anywhere. Employees access applications from different locations, on various devices,
over countless unknown networks and Wi-Fi connections while expecting little or no interruptions in
application performance and availability. This new reality makes troubleshooting more complex for IT
teams. Administrators using legacy monitoring solutions to troubleshoot today’s user-to-application
experience find themselves overwhelmed by data from multiple siloed tools and managing and
maintaining different software/hardware solutions. Relying on this approach is time-consuming, complex,
and error prone. Without a way to identify and resolve an issue with ease and speed, IT teams risk losing
productivity and increasing downtime.
Autonomous Digital Experience Management (ADEM) empowers IT teams to deliver exceptional user
experience and optimal productivity. The SASE-native platform provides administrators with rich
multidomain analysis across endpoint devices, synthetic tests, and real-user traffic insights to immediately
uncover the root cause of experience issues without having to install any additional software or hardware.
An intuitive visualization of segment-wise insights from the user to their application, including the
underlying IT infrastructure, empowers teams to spot service degradation fast and drill down to the user,
branch site, or application with ease when troubleshooting.

Task 1 – ADEM Application Experience Dashboard

Autonomous Digital Experience Management (ADEM) is a service that provides native end-to-end
visibility and performance metrics for real application traffic in your Secure Access Service Edge (SASE)
environment. Autonomous DEM functionality is natively integrated into the GlobalProtect app, Prisma SD-
WAN device, and Prisma Access and therefore does not require you to deploy any additional appliances
or agents. Because of this native integration, the ADEM service enables synthetic tests for applications
you specify, from the endpoint, from the Prisma SD-WAN device, and from deployed Prisma Access
locations in your environment.
ADEM continuously monitors all the segments from the endpoint to the application for GlobalProtect
mobile users and monitors all segments on all WAN paths (active and backup) for Prisma SD-WAN
remote sites and identifies baseline metrics for each monitored application. In addition, ADEM provides
visibility into any deviations or events that degrade the user experience across each segment between
the end user and the application, whether it’s the endpoint, Wi-Fi, LAN, ISP, Prisma Access, or the
application (SaaS, IaaS, or data center). ADEM continuously monitors every segment in the service
delivery path and provides insights that help you quickly isolate the segment, which is causing digital
experience problems, and simplify remediation.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 63
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 1: From Dashboards, click the Application Experience tab. If you don’t see it, click on More
Dashboards, and select Application Experience.

The Experience Score is the weighted average of end-to-end application performance metrics for all
monitored applications across all users or remote sites. A fair or poor experience score lets you know
right away that there are performance issues impacting a large number of your users or remote sites.

The experience score will also give you an indication of the overall digital experience for the user. For
each application that is monitored per mobile user, ADEM calculates a score based on the 5 critical
metrics - application availability, DNS resolution time, TCP connect time, SSL connect time, and HTTP
latency. If the application fails the availability test (application is unavailable), then the experience score is
0. If the application is reachable, only then the remaining four metrics will be calculated.

Experience scores are color coded in widgets as follows:

• Good (green) - experience score >= 70
• Fair (orange) - experience score is 30-69
• Poor (red) - experience score is < 30

The remote site experience score is an average of all test sample results that are collected from individual
applications monitored for that remote site.

Step 2: The Application Experience Score Trend widget shows the digital experience trend across the
network for a specific app and allows you to pinpoint when the digital experience began to degrade. You
can visually see how this app is performing compared to the rest of the apps in the organization.

Get a sense of the distribution of app performance across all monitored apps, users, and remote sites
and view the network-wide score trend, and pinpoint when the digital experience began to degrade.

Step 3: The Experience Across the Network widget gives you a sense of the distribution of app
performance across all monitored apps, users, and remote sites and lets you drill-down into specific apps
or sites that are performing poorly. View the network-wide score trend and pinpoint where the digital
experience began to degrade. Identify the segment of the network that might be causing issues within
your organization from the endpoints (for Mobile Users) or branch (Remote Sites) all the way to the
applications.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 64
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

You can see what segment of the network might be causing issues within your organization from the
endpoints and Prisma SD-WAN remote sites all the way to the application. You can see what issues—
such as an ISP or compute location outage or a SaaS app outage—is impacting digital experience within
your organization.

Step 4: The Global Distribution of Application Experience Scores widget shows you the application
experience of Prisma Access Locations based on the total number of Mobile Users and applications
monitored or the total number of Remote Sites and applications monitored on a specific Prisma Access
Location on the map.

The Prisma Access locations are marked with circles that are color coded to represent the status of
application segment scores of all monitored mobile users and remote sites connected to the specific
Prisma Access Location where the circle appears. Hover your mouse cursor over a circle to see the
experience scores for the location, as well as the total number of Mobile User Devices or Remote Sites
monitored and the total number of apps that are monitored on them.

Step 5: The Top 20 applications widget displays the 20 applications with the highest experience score in
an ascending order. It gives you a sense of the distribution of app performance across all monitored apps,
users, and remote sites and lets you drill-down into specific apps or sites that are performing poorly.

The top border of each app card is color coded such that you can immediately identify which app has a
good (green) experience score, which one has a fair (yellow) score, or a bad (red) score.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 65
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 6: Select the Remote Site Experience card and review the Experience widgets for those
Experience Scores.

Task 2 – Monitored Applications

Step 1: Navigate to Monitor > Applications. The Prisma Access tab should be selected.

The Applications Dashboard gives you visibility into all of the applications that are running across your
organization as observed in real user traffic going through Prisma Access. For each application, you can
see the total traffic usage during the selected Time Range.

Applications by Risk Score allows you to view the health of your applications at a glance - the total
number of applications along with the number of applications that are doing Good, Fair, and Poor.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 66
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 2: The Prisma Access Applications widget, click on the up arrow on the User Experience column
to filter upwards. This score is aggregated across all users monitored for this application.

Step 3: Click on the dropbox application then on the Experience tab.

This is the application dashboard for dropbox. You can see the overall experience score and trend for
this application. The dotted line on the trend chart shows the average for all applications and the solid line
indicates the performance of the dropbox application.

It is important to highlight the possible scale of the issue. Is this a single application problem or is it
spread out further across multiple applications and locations?

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 67
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 4: Click the back arrow next to dropbox to return to Monitor > Applications. Then click Manage
Tests within the Prisma Access Applications widget.

After you’ve surveyed the applications running on your network and determined which applications you
want to monitor, you can create app tests and decide whether you want to run the test only for Mobile
Users, only for Remote Sites, or for both. After the app tests start running, the ADEM service collects
sample data from all assigned users every five minutes.

Task 3 – Monitored Users

Step 1: Navigate to Monitor > Users.

From here you get an overall view of the experiences and the experience trend for all of your ADEM
users, as well a per-user view of the digital experience across your SASE environment. You can drill
down into details for the specific user who is reporting performance issues. Immediately when you drill
down, alerts at the top of the page highlight any experience issues the specific user is having, such as
low device memory or high CPU usage.

Monitored Users allows you to view the total number of users that are being monitored by ADEM as well
as the total number of user devices that are being monitored. The average user experience score is the
experience score aggregated across all of the users monitored on ADEM.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 68
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 2: The Users | Devices widget allows you to view the details on each device that a Mobile User is
connected from along with their user experience score and the location from where they are connected.

Monitored Users are defined as the unique number of User/Device combination. For example, if 2 users
are logged in to 3 devices each, the Devices count will display as 6 and the Users count will display as 2.
Likewise, if 2 users are using the same device, the devices count will display 1 and the Users count will
display 2. The Users | Devices table displays each User/Device combination as a separate row, hence
the user name could be duplicated across multiple rows depending on the number of devices they are
logged in to. This table provides a summary view of all the user experiences in the network and shows
how the experience is trending during the selected Time Range.

Step 3: Under Users | Devices, click on a user to be taken to the User Details page. Select the
Experience tab.

The User Details page provides an individual user view. If a user is logged into more than one device,
the User Devices widget displays the number of devices that the user is logged in to along with one card
per device.

Step 4: The Application Experience Details widget allows you to view the overall application experience
score across the organization along with the experience score trend over the selected time range. Each
application in the organization is represented by a card. Clicking on the card takes you to that
application's details page.

Click on an application card to select it. The selected card is outlined in blue.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 69
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 5: Use the Application Experience Trend to view the trend lines for all apps as well as for the
selected app and see where the selected app stands in comparison to the rest of the apps running on the
device. This graph also shows you the status of your GlobalProtect connection along with visual markers
of the duration when the GlobalProtect connection was lost. You can see the GlobalProtect status by
hovering your mouse cursor over a Significant Event symbol.

The Path to <application> chart allows you to quickly pinpoint which segment of the end-to-end
experience is likely causing the issue for the user. Click on a segment, such as Device, Wi-Fi, Local
Network, Internet, Prisma Access, or the app name, to view the associated data for that segment in the
Trends, Path Visualization, or Device Details tabs below them.

Step 6: Under Trends, the Application Performance Metrics widget to track responsiveness and
availability metrics for all your monitored applications as well as the health of your devices in this widget.

You can select any or all of the following metrics by selecting their check boxes.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 70
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 7: Device Health Metrics allows you to view the metrics associated with the Memory and CPU of
your device. This section of the widget also displays the top 5 processes on your device that are
consuming the most memory and CPU power.

Step 8: The Path Visualization tab shows you the hop-by-hop network details of the traffic flow from the
user to an application. Even if your VPN is disabled, it will provide visibility on all the internet hops from
the user to an application.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 71
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 4 – Monitored Branch Sites

Step 1: Navigate to Monitor > Branch Sites, then select the Prisma SD-WAN > List tab.

This page provides an experience score of all the remote sites in the Prisma Access Locations and shows
the experience trend during the selected Time Range. You can also see detailed experience information
for each remote site. This is often where you will want to start if you have remote sites reporting
performance issues.

The Prisma SD-WAN Branch Sites widget shows the connected sites and general health metrics.

Step 2: Click on Branch01-New York then select the Experience tab.

The Remote Site Experience score represents the end-to-end performance metric for the monitored
remote sites and applications for all devices across the service delivery path. The left border of the card is
color coded to show you the site health at a glance.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 72
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: The Application Experience Details widget allows you to view the detailed metrics for each
application running on your remote site. Each application card shows you the experience score for the
particular application on the remote site. The number enclosed in the square shows the end-to-end
experience for the active paths of the application. It is the average of all test samples collected on the
active paths for that specific application only. You can see how many applications you are monitoring and
how many active and backup paths are monitored. Each application card shows the number of paths that
are impacted. The red or yellow dots in the legend indicate that the path is impacted. Green stands for
good. Click an application card to see the metrics for that specific app.

Total Paths allows you to see the number of active and backup paths that are being monitored for the
selected application, the type of paths used. The number enclosed in the square is the experience score
for its active path as well as its backup path.

Step 4: The Application Experience Trend covers the same metrics as discussed previously.

End of Activity 8

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 73
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 9 – ADEM for Mobile Users

In this activity, you will:

• Review several ADEM use-cases for Mobile Users

Task 1 – WAN Quality Issues Affect End-User Application Experience

In this scenario, users in the US West region are complaining of application quality issues.
ADEM provides enormous value to enterprise organizations by measuring network and application
performance on both underlay and overlay paths.
Regardless of where the end application resides, cloud or on-prem data center, and regardless of the
path the application takes, through Prisma access or direct to cloud, ADEM is able to provide application
performance visibility.

Step 1: Navigate to Monitor > Users. Under Users | Devices, notice that the users in the US West
location are having a lower User Experience Score as noted by the orange color.

Step 2: Click on the User Name column to sort upwards, then click on alicecooper@vistoq.net.

Click on the Experience tab.

The overall Mobile User Experience score is fair, as is each of the Application Experience Details.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 74
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: From the Path to Dropbox chart, click on the Internet icon. Notice that the internet circuit is
experiencing very high latency and packet loss.

This is likely a core Internet Service Provider issue in the US West region that is impacting all users in
that region.

Step 4: The Network Performance Metrics for Internet show that the network latency and packet loss
are near or above the upper threshold levels.

Step 5: Click the Path Visualization tab. This chart also shows that, beyond the LAN, the application
performance is experiencing a performance impact.

Click on an orange-colored hop to see that the latency is very high.

This shows that the network performance issue is on the Internet underlay. You can confirm that the US
West users are experiencing application issues due to an ISP issue.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 75
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 2 – Enterprise-Wide Application Performance Issue with

Dropbox
In this use-case, users across the organization are opening help-desk tickets because of slowness and
disconnects in accessing the Dropbox application.
ADEM offers instant visibility into an organization’s performance in addition to per-user, per-application
performance metrics. Use of this information reduces the MTTR for diagnosing and remediating
enterprise-wide issues, like delays introduced due to DNS problems or an end application server issue.

Step 1: Navigate to Monitor > Applications, then select the Prisma Access tab.

Under Prisma Access Applications, click on the User Experience Score to sort upwards.

Click on the dropbox application.

Step 2: Click on the Experience tab from the dropbox application details page.

The Mobile User Experience indicates all monitored users are having a fair experience with dropbox.

Step 3: The Application Experience Score Trend shows that this issue has been going on for a while.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 76
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 4: Click the Performance Metrics tab, and then select TCP Connect, SSL Connect, and HTTP
Latency.

The high TCP Connect and SSL Connect metrics indicate there could be a server-side TCP stack issue
or SSL transaction issue with the web server.

Task 3 – High CPU Causes Poor App Experience

In this scenario, a user calls the Network Admin complaining of App performance issues. He is
experiencing slowness and disconnects with all of his applications.
In order to isolate the root cause of application performance issues, support resources must review and
correlate data from various network and application performance monitoring tools as well as any available
desktop monitoring tools. In some cases, the root cause will have to be inferred based on lack of
monitoring data.
ADEM provides a central source of metrics related to the end-user experience, including health metrics
for the end user’s device.

Step 1: Navigate to Monitor > Users. From the Search bar at the top of the page, type
bobgreen@vistoq.net.

Then click on bobgreen@vistoq.net to be taken to the User Details page.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 77
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 2: Select the Experience tab. The experience widget shows bobgreen@vistoq.net is having only a
fair experience with one of his monitored applications and the overall experience is good.

Step 3: Under Path to Dropbox chart, ADEM has already isolated the Device segment – indicating the
endpoint device could be potentially contributing to his application performance issues. Hover over
Device to see the current CPU level.

Step 4: Click the Device icon and scroll down to the Device Health Metrics widget. You can see that
CPU levels are very high.

Step 5: Click to expand Top 5 Processes Consuming Most CPU to provide guidance on the source of
the problem.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 78
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 4 – High Latency in Home Router Causes Poor Application

Experience
In this use-case, a user calls the network administrator and complains of application performance issues.
She is experiencing slowness and session disconnects - with all of her applications.
An administrator would typically have to sort through various sources of monitoring data to isolate
performance issues to the local router of a user working from home.
With ADEM, an administrator can quickly confirm poor application performance from an end user’s
machine and can pinpoint where in the topology the problem is being introduced. In this case, the
problem is quickly seen as the end user’s internet connection.

Step 1: Navigate to Monitor > Users. From the Search bar at the top of the page, type
meenasehar@vistoq.net.

Then click on meenasehar@vistoq.net to be taken to the User Details page.

Step 2: Select the Experience tab. The experience widget shows meenasehar@vistoq.net is having a
fair experience score across all monitored applications.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 79
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: On the Path to chart, her Local Network, Internet, Prisma Access, and Application segments
are all highlighted in orange or red, showing a fair/poor performance. This indicates that her performance
issues are potentially originating from the LAN segment and are propagated across the app delivery path.

Step 4: Click on the Local Network segment to be taken to the Network Performance Metrics.

The high network latency, jitter, and packet loss indicates that her home router is the cause of the
performance issues, and it is propagating across her entire WAN path.

With Autonomous Digital Experience Management (ADEM), you can monitor end-user experience and
provide per-segment insights across the entire application delivery path.

With ADEM, your IT teams can determine whether end-user issues are caused by problems on the local
laptop itself, poor Wi-Fi signal strength, poor broadband WAN connectivity, middle mile Internet Service
Provider (ISP) issues, cloud or data center connectivity, or a SaaS provider issue.

With unparalleled insights and the ability to proactively address issues, IT teams also can hold providers
of connectivity, SaaS, and cloud services accountable to their SLAs.

End of Activity 9

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 80
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 10 – ADEM for Branch Sites

In this activity, you will:

• Review several ADEM use-cases for branch sites

Task 1 – SaaS Application Performance Degradation Due to

Application Server
In this scenario, users from multiple branch offices are opening help desk tickets complaining of
application performance issues with Dropbox.
ADEM offers instant visibility into an organization’s performance in addition to per-site, and per-
application performance metrics. Use of this information reduces the MTTR for diagnosing and
remediating enterprise-wide issues, like delays introduced due to DNS problems or an end application
server issue.

Step 1: Navigate to Monitor > Applications. Then select Prisma Access.

Click Add Filter and select Application. Click the Application box and enter dropbox then click Apply.

Step 2: Under the Prisma Access Applications widget, click dropbox.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 81
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: From the dropbox application page, select the Experience tab, and then select Remote Site
Experience.

As seen in Activity 8, Task 2, the Application Experience Score and Performance Metrics indicate a
server issue.

Step 4: From the Experience Score Across Network for Remote Sites widget, click the 2 remote sites
link under the Dropbox icon.

Step 5: You are taken to the Monitor > Branch Sites page. If not already there, select the Prisma SD-
WAN > List tabs.

Click the Branch02-London link under Prisma SD-WAN Branch Sites.

Step 6: From the Branch02-London page, select the Experience tab.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 82
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

The Application Experience Details and Application Experience Trend allows you to confirm that this
branch site is only having an issue with the Dropbox application.

Task 2 – SaaS Application Performance Degradation over Prisma

Access and Secure Fabric Paths due to ISP Network
In this use-case, the New York branch office has two circuits, ISP-A and ISP-B. The ISP-B circuit is
experiencing intermittent latency and packet loss.
In order to isolate the root cause of application performance issues, support resources must review and
correlate data from various network and application performance monitoring tools as well as any available
desktop monitoring tools. In some cases, the root cause will have to be inferred based on lack of
monitoring data.
ADEM provides enormous value to enterprise organizations by measuring network and application
performance on both underlay and overlay paths.
Regardless of where the end application resides, cloud or on-prem data center, and regardless of the
path the application takes, through Prisma Access, SD-WAN overlay or direct to net, ADEM is able to
provide application performance visibility.

Step 1: Navigate to Monitor > Branch Sites, then select Prisma SD-WAN > List.

From Prisma SD-WAN Branch Sites, click Branch01-New York.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 83
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 2: From the Branch01-New York page, select the Experience tab.

From Application Experience Details, select Office 365.

As this is a business-critical application for the enterprise, there is a need to provide a consistent end user
application experience along with security services. The primary active path is configured to be on
Standard VPN and SD-WAN VPN on both the internet circuits, and the backup path is over Direct
Internet.

Under Total Paths, observe that the active and backup paths over the ISP-B circuit have a much lower
score compared to the VPNs paths over the ISP-A circuit.

Note that you can scroll left or right by clicking on the arrow to either side.

Step 3: Under Total Paths, click on Path 3, which is one of the ISP-B paths.

The Path to topology chart indicates that the Internet segment is experiencing complete packet loss.

Step 4: Click on the Internet segment icon to be taken to the Network Performance Metrics. The
timeline shows this is an ongoing issue.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 84
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 11 – Prisma Access

In this activity, you will:

• Review Prisma Access under Strata Cloud Manager

Prisma Access, as managed by Strata Cloud Manager, is a simple yet powerful cloud-delivered solution
that enables comprehensive security management through a single security rule base, with simplified
workflows to address use cases in threat prevention, URL filtering, application awareness, user
identification, sandboxing, file blocking, and access control. It provides complete visibility into the entire
deployment alongside actionable insights to help improve the end user experience. This crucial
simplification of security management and continuous assessment of Palo Alto Networks-defined best
practices allow you to improve your organization’s security posture. Key features include:
Configuration
• Intuitive workflows to quickly onboard remote users and locations to Prisma Access
• Out-of-the-box defaults to simplify configuration and accelerate time to value
• Cloud native platform with a unified management experience

Security Visualization and Reporting

• Centralized visibility and insights across Prisma Access
• Interactive, comprehensive reports and dashboards
• Detailed logs across applications, users, threats, and device posture

Security Posture Improvement

• Built-in Best Practice Assessments
• Inline validation to easily improve security posture
• Reporting based on the Center for Internet Security’s CIS Critical Security Controls® to better
mitigate risks

Automation
• Alerts and notifications for service outages
• Proactive assistance capabilities to maintain the health of the deployment
• Autonomous Digital Experience Management (ADEM) for insights across the entire service
delivery path

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 85
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 1 – Easy Onboarding

Accelerate time to value from Prisma Access with out-of-the box default configuration and simplified
onboarding workflows built into the core of Cloud Management.

Streamlined workflows and intuitive navigation let you complete complex configuration tasks with ease.
You can onboard mobile users and remote networks using predefined configuration and templates. For
example, pre-built tunnel configuration is available to easily onboard remote sites and branches.

Step 1: Navigate to Workflows > Prisma Access Setup > Prisma Access. This is where you
configure an infrastructure subnet. Prisma Access uses IP addresses within this subnet to establish a
network between your remote network locations, mobile users, headquarters, and data center (if
applicable). Prisma Access also uses service connections to access internal resources from your
headquarters or data center location.

Step 2: Workflows > Prisma Access Setup > Mobile Users. This is the starting point to enable
GlobalProtect and/or explicit proxy.

Step 3: Navigate to Workflows > Prisma Access Setup > GlobalProtect. GlobalProtect allows you to
protect mobile users by installing the GlobalProtect app on their endpoints and configuring GlobalProtect
settings in Prisma Access. GlobalProtect allows you to secure mobile users’ access to all applications,
ports, and protocols, and to get consistent security whether the user is inside or outside your network.

Here you will find the configuration tasks needed to enable your GlobalProtect infrastructure, Prisma
Access locations, application settings, user authentication, and check against best practices.

Step 4: Workflows > Prisma Access Setup > Remote Networks. As your business scales and your
office locations become geographically distributed, Prisma Access for networks allows you to speedily
onboard your remote network locations and deliver best-in-breed security for your users. It offers a
convenient option that removes the complexity in configuring and managing devices at every remote
location. The service provides an efficient way to easily add new remote network locations and minimize
the operational challenges with ensuring that users at these locations are always connected and secure,
and it allows you to manage policy centrally for consistent and streamlined security for your remote
network locations.

To connect your remote network locations to Prisma Access, you can use the Palo Alto Networks next-
generation firewall or a third-party, IPSec-compliant device including SD-WAN, that can establish an
IPSec tunnel to the service. Prisma SD-WAN lets you use a CloudBlade that you onboard as a remote
network to integrate the Prisma SD-WAN Controller and ION devices with Prisma Access.

Step 5: Workflows > Prisma Access Setup > Service Connections. A service connection, also known
as a Corporate Access Node (CAN), allows mobile users and users at remote networks access to private
apps and resources and lets your mobile users and remote networks communicate with each other.

In addition to Service Connections, Palo Alto Networks provides you with other services you can use to
access private apps:
• ZTNA Connector - The Zero Trust Network Access (ZTNA) Connector lets you connect Prisma
Access to your organization's private apps simply and securely. ZTNA Connector provides mobile
users and users at branch locations access to your private apps using an automated secure
tunnel.
• Prisma Access Colo-Connect - Colo-Connect allows you to use Prisma Access to secure private
apps using a cloud interconnect that can provide high-bandwidth service connections.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 86
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 2 – Best Practice Policy Checks

The threat landscape is evolving, and your organization needs to keep up. Strata Cloud Manager
continuously assesses the configuration of your entire deployment against Palo Alto Networks
recommended best practices. You can leverage this information and take action to improve your
organization’s security posture as configuration changes in your environment over time. These best
practices are integrated into the flows to detect offending configurations and help administrators
remediate issues.
Best practice checks are available for:
• Security policy rule base – how security policy is organized and managed, including configuration
settings that apply across many rules
• Security rules
• Security profiles
• Authentication
• Decryption

Best practice guidance aims to help you bolster your security posture, but also to help you manage your
environment efficiently and to best enable user productivity. Continually assess your configuration against
these inline checks - and when you see an opportunity to improve your security, take action then and
there.

Step 1: Dashboards > Best Practices measures your security posture against Palo Alto Networks’
best practice guidance. Importantly, the best practices assessment includes checks for the Center for
Internet Security’s Critical Security Controls (CSC). CSC checks are called out separately from other best
practice checks, so you can easily pick out and prioritize updates that will bring you up to CSC
compliance.

The Summary dashboard gives you comprehensive view of all the failed checks for a device across the
configuration types (Security, Network, Identity, and Service Setup), and assess your best practice
adoption rate for key feature areas.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 87
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

The Security dashboard shows the rules, rulebases, or profiles that are failing best practice and CSC
checks for the selected device and location.

Identity shows whether the authentication enforcement settings (authentication rule, authentication
profile, and authentication portal) for a device meet the best practices and comply with CSC checks.

Network checks whether the application override rules, and network settings align with best practice and
CSC checks.

Service Setup see how the subscriptions you have enabled on your devices are aligning with the best
practice and CSC checks. You can review the WildFire setup, GlobalProtect portal and GlobalProtect
gateway configurations here and fix the failed checks.

Step 2: Navigate to Manage > Configuration > NGFW and Prisma Access. Set the Configuration
Scope: to GlobalProtect. The configuration scope enables you to apply policy globally or provide
targeted enforcement to Prisma Access deployments.

This provides a high-level view of how you are doing and helps pinpoint areas where you might want to
start taking action.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 88
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: From the top of the page, select Security Services > Security Policy. Make sure Rulebase is
selected.

Best practice scores are displayed on a feature dashboard (security policy, decryption, or URL Access
Control, for example). These scores give you a quick view into your best practice progress. At a glance,
you can identify areas for further investigation or where you want to take action to improve your security
posture.

Step 4: Click Failed Rulebase Checks. Expand the Best Practice Check Name to get more details
and the recommended action to take.

Where applicable, references to the Center for Internet Security and National Institute of Standards
and Technology controls are listed.

Click the icon.

Step 5: Field-level checks show you exactly where your configuration does not align with best practices.
Best practice guidance is provided inline, so you can immediately take action.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 89
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Hover the cursor over the BPA Verdict to get the recommended action.

Step 6: Click on any policy name with a Fail for the BPA Verdict.

Step 7: Click the Configuration Analysis icon.

Once again, checks at the field-level show where your configuration deviates from best practices.
Recommendations based on best practices are given, enabling you to take immediate corrective action.

Click Cancel.

Step 8: From Security Services > Security Policy, click Best Practices.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 90
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Here you can get a comprehensive view into how your implementation of features aligns with best
practices. Examine failed checks to see where you can make improvements (you can also review passed
checks). Rule base checks highlight configuration changes you can make outside of individual rules, for
example to a policy object that is used across several rules.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 91
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 3 – Simplified Day-to-Day Configuration Management

Strata Cloud Manager keeps enterprise users in mind by providing consistent management for all users,
applications, and locations. Manage Prisma Access with a single security rule base for all types of traffic,
inbound, and internet bound (SWG). Threat prevention, URL filtering, sandboxing, file blocking, and data
filtering are additional capabilities on the same rule.
Enable security features with ease by efficiently configuring security policies, services, and other
capabilities within a single flow.

Step 1: From Manage > Configuration > NGFW and Prisma Access, select Security Services >
Vulnerability Protection. Make sure the Configuration tab is selected.

Profiles are how you enable security services - like Threat Prevention, WildFire, and URL Filtering - for
your network traffic. Profiles perform advanced inspection for traffic that a security rule allows; they scan
for and prevent threats, attacks, misuse, and abuse.

Best practice security profiles are built-in to Prisma Access and enabled by default. Best practice checks
are also provided inline, so that you can continuously assess your configuration and improve your
security posture. For customization, management, and visibility into each security profile type, you can
visit the profile dashboard.

Profile dashboards consolidate profile configuration; everything you need to set up and manage profiles is
in one place. The dashboards also give you access to all the features a profile offers and resources you
can use to inform profile updates (for example, content release updates, the Threat Vault, and PAN-DB
site classifications).

Step 2: Click Current Threat Content. You can see that the latest Application and Threats Content
release notes are easily accessible.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 92
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: From Threat Search, search for CVE-2022-41040.

Review the matching threat coverage by Threat ID.

Click on the Threat ID to get more details.

Click Cancel.

Step 4: From Manage > Configuration > NGFW and Prisma Access, select Security Services >
Decryption.

Identify encrypted traffic that you want to inspect for visibility, control, and granular security. Decryption
policy rules allow you to define traffic to decrypt and the type of decryption you want to perform on the
indicated traffic. All you need to do to start decrypting traffic is set up the certificates Prisma Access
requires to act as a trusted third-party to a session. For everything else, we’ve built in best practice
decryption settings, including settings to exclude sensitive content from decryption, as well as sites that
are known to not work well when decrypted. Everything you need is in a single location.
UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 93
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 4 – Visibility
Strata Cloud Manager provides comprehensive visibility across the entire deployment. In the Logs tab,
you can view and query across all the Prisma Access logs, including traffic, threat, authentication, and
system logs. You can filter on specific entries and view related logs to troubleshoot any issues. The
solution also provides proactive health assurance for the entire Prisma Access deployment.

Step 1: Navigate to Incidents & Alerts > Log Viewer.

Strata Cloud Manager provides network logs (Traffic, Threat, URL, File, HIP Match) and common logs
(System and Configuration).

You can view details for each log entry, and for threat logs, you can review threat details and see if there
are any threat overrides in place.

Step 2: Click the icon to bring up the Log Details for that entry.

Click the X to return.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 94
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: Navigate to Monitor > Prisma Access Locations to view the overview of the health of all your
Prisma Access locations for your remote networks and mobile users.

• See the Top 5 Prisma Access Locations for Remote Networks, Service Connections, GlobalProtect
Mobile Users, or Explicit Proxy Mobile Users based on the total bandwidth consumed.
• View your Prisma Access Locations' status.
• View Cortex Data Lake Connectivity.
• View the Prisma Access Locations table, which lists all Prisma Access Locations, and select an
individual Prisma Access Location by name to view its details.

End of Activity 11

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 95
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 12 – Prisma SD-WAN

In this activity, you will:

• Review Prisma SD-WAN under Strata Cloud Manager

Prisma SD-WAN is a core component in delivering Secure Access Service Edge (SASE) for the modern
enterprise. At the core of the system is the application performance engine. Prisma SDWAN provides a
software-defined, wide area network (SD-WAN) solution that transforms legacy wide area networks
(WANs) into a radically simplified, secure, application fabric (AppFabric), virtualizing heterogeneous
underlying transports into a unified hybrid WAN.
Prisma SD-WAN controls network application performance based on application-performance service
level agreements (SLAs) and business priorities.
Through Instant-On Network (ION) devices, Prisma SD-WAN simplifies how WANs are designed, built,
and managed, securely extending data center-class security to the network edge. Prisma SD-WAN
leverages the x86 platform with a centralized controller-based model, enabling simple deployments at
remote offices and data centers. You can view granular application-driven analytics, build a robust policy,
and performance-based traffic management of the WAN.

Task 1 – Prisma SD-WAN Dashboard

Step 1: Navigate to Dashboards > Prisma SD-WAN.

The Device to Controller Connectivity widget shows the number of online and offline ION devices
connected to the Prisma SD-WAN controller for a Branch and Data Center. Using this interactive graph,
you can view the online or offline status for a claimed device for the corresponding branch and data
center.

The Applications widget displays information about the application utilization at the site during the
selected time range. The total application ingress and egress traffic for the time range is displayed. The
top 10 applications by traffic volume are displayed along with the other traffic.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 96
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 2: The Incidents by Sites widget shows the current incident count for each branch and data center
site. By default, the system will show the count for the number of standing (open) alarms. You can switch
to the number of alarms cleared in the last 3 hours.

The Overall Link Quality widget provides an overall snapshot of the current state of links for all your
sites for the selected time range. You can drill down to view the Link Performance, Link Packet Loss, Link
Jitter, and Link Latency and allows you to analyze information you want to view in greater detail in the
Link Quality Metrics dashboard.

Step 3: The Bandwidth Utilization widget displays the amount of bandwidth utilized on a trail in a
network. It is a visual representation of bandwidth spike, total bandwidth consumed by a particular site,
and the application; if the upload is in ingress, egress direction or both.

The Transaction Stats widget provides transaction statistics on TCP flows, including initiation/transaction
successes and failures for a specific application or all applications, a particular path or all paths, and all
health events. It measures the performance and availability of networks and applications that run on
network paths. For each request on a given path, Prisma SD-WAN monitors, in real-time, the transaction
error rates for initiation and data transfer transactions.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 97
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 4: The Predictive Analytics widget provides insight into the health of sites and applications and
proactive monitoring to identify critical issues and troubleshoot them faster, thus enhancing service levels.
It identifies critical sites, links, and applications and categorizes them as Good, Fair, and Poor at the
tenant level, based on the AI/ML health scores. The widget includes predicting capacity utilization at the
branch site level based on the previous three to six months of information.

Task 2 – Application Monitoring

View the top applications which are not performing well in Prisma SD-WAN. See the determined health
score of all poor applications, list of poor applications for a tenant based on health score, and the average
health score of poor applications.

Step 1: Navigate to Monitor > Applications. Select the Prisma SD-WAN tab.

Application Health Distribution: The distribution of Good, Fair, and Poor applications for a given tenant.

TCP Application Health Distribution Over Time: The distribution of Good, Fair, and Poor TCP
applications health distribution over a period of time. The time-series graph should be computed and
refreshed based on the selected duration.

Step 2: New Flows: Displays the new TCP and UDP flows for an application, a specific set of
applications, or all applications for a given period. A TCP flow is considered a new flow when it sees the
first SYN packet. A UDP flow is considered a new flow when it sees the first UDP packet in either
direction. A flow is a sequence of packets in both directions identified by the source and destination IP,
source and destination port, and the protocol.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 98
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Bandwidth Utilization: The Bandwidth Utilization chart displays the amount of bandwidth utilized on a
trail in a network. Use the chart to identify WAN congestion in a network that may hinder application
performance. It is a visual representation of bandwidth spike, total bandwidth consumed by a particular
site, and the application; if the upload is in ingress or egress direction.

Transaction Stats: Provides transaction statistics on TCP flows, including initiation/transaction successes
and failures for a specific application or all applications, a particular path or all paths, and all health
events.

Step 3: Applications: Lists all the applications details such as Name, Application Profile, Health Score,
Impacted Sites, Traffic Volume, Init/Failure, and Transaction/ Failure. When you click the application
name, you can see the individual App Details on a new page.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 99
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 3 – Site Visibility

Step 1: Navigate to Monitor > Branch Sites. Select the Prisma SD-WAN tab, then the Map sub-tab.
The Map view of the branch site provides the connectivity status of your branch site devices to the
controller and the alarm status for the site.

Step 2: Click the List tab. The List view shows you how many sites were active during the Time Range
selected and the overall health metrics of the branch sites. A poor site's average score is the average of
all the poor samples of sites identified as poor. The time-series graph is computed and refreshed based
on the selected duration.

Site Connectivity Health Distribution: The distribution of Good, Fair, and Poor sites graph for a given
tenant based on the latest site connectivity health distribution.

Site Connectivity Health Distribution Over Time: The time series graph of the health score.

Site Application Experience Score: The site application experience score.

Prisma SD-WAN Branch Sites: View the site health, site connectivity health, circuit health, secure fabric
health, and the approaching capacity threshold of a branch site. You can further drill down and filter a
branch site by site prediction, alarm status, and ADEM status.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 100
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: Click Branch01-New York to go to the Site Summary.

The Site Connectivity Health Overview contains the Current Best Circuit Health Score and the
Current Overall Consumed Bandwidth metrics.

The Current Best Health Score metric is determined by the Secure Fabric Link with the current highest
score. In the time series chart the score is determined in any given time sample by the healthiest Secure
Fabric Link at the site. This value will fluctuate as the health of the underlying network connectivity
changes.

The Current Overall Consumed Bandwidth metric displays current total bandwidth consumption,
ingress and egress bandwidth consumption as a raw value and as a percentage of the total available.

The Circuit Connectivity and Health widget displays the name of the circuit, its physical connectivity, its
tunnel connectivity, tunnel health, a time-series graph indicating the best-performing tunnel's health score
over a period of time, and current consumed bandwidth both in egress/ingress direction.

The Devices widget displays the device's name, status, software version installed, whether the Admin
interface is up, its routing peers, the HA status, consumed CPU, and consumed memory data.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 101
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

The Applications widget displays information about the application utilization at the site during the
selected time range. The total application ingress and egress traffic for the time range is displayed. The
top 10 applications by traffic volume are displayed along with the other traffic. For each application the
total bandwidth utilization, ingress, egress, and percentage of total traffic based on the bandwidth
utilization. By clicking the ellipses flow information or the time series utilization data can be viewed.

The Top Open Incidents by Priority widgets display the list of the top events by priority.

Step 4: Navigate to Monitor > Branch Sites, then click the Activity tab. The Activity view presents key
application analytics, the latest site health score and site health distribution over time.

Site Health Distribution: displays the distribution of Good, Fair, and Poor sites graph for a given tenant
based on the latest site health score.

Site Health Distribution Over Time: displays the time series graph of site health distribution over time
for a given tenant based on the health score for a branch site.

Bandwidth Utilization: displays bandwidth utilization of each application on a site and WAN path, with
data on the top ten apps that consume the most bandwidth in the network.

Transaction Stats: displays transaction statistics on TCP flows, including initiation/transaction successes
and failures for a specific application or all applications, a particular path or all paths, and all health
events.

New Flows: displays new TCP and UDP flows for an application, a specific set of applications, or all
applications for a given period.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 102
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Concurrent Flows: helps you understand how many connections are active on your network by
application.

Task 3 – Configuration
Each Prisma SD-WAN site is extremely simple to onboard, through the use of configuration abstraction
and re-using multiple configuration elements, a Branch or Data Center site can be onboarded in a matter
of minutes.

Step 1: Navigate to Workflows > Prisma SD-WAN Setup > Branch Sites. Select Branch02-
London. Select the Configuration tab.

The Configuration tab shows you the site connectivity information, deployment modes, policies, WAN
multicast peer group profiles, Internet and private WAN circuits, and IP Prefixes.

Under Devices, this site has two IONs configured in HA. Connectivity shows three physical connections
– click Physical to see more detail. Internet Circuits and Private WAN Circuits further show how these
connections are configured.

To enable advanced features like IoT, Multicast, and VRF, it is as simple as selecting an option from a
dropdown menu or enabling a slider.

Step 2: Note the Path, QOS, NAT, and Security Policy Set Stacks assigned. The first three are
required for each Prisma SD-WAN site. These are configured at set-up.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 103
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 3: Click Secure Fabric under Connectivity. This shows the status of all the Prisma SD-WAN VPN
types. The Branch – DC tab shows the tunnel that was auto-created from this branch to the data center.

You can see each of the Secure Fabric links to the data center.

Step 4: Navigate to Manage > Prisma SD-WAN > Policies > Bindings.
Some concepts:
• Policy Rule - A policy rule is used to describe intent and consists of two main parts. The input into
the rule is the match criteria, which can be any combination of Context, Prefix-List, Application, User,
etc. The output of the rule is some action.
• Policy Set - A Policy Set is a collection of rules in an ordered list.
• Policy Stack - A Policy Stack is a collection of Policy Sets used to form an overarching policy.
Multiple Policy Sets can be re-used together to form different combinations based on the intent.
• Policy Bindings - The bindings describe which policies (Path, QoS, NAT, and Security) are bound to
a site.

Step 5: Manage > Prisma SD-WAN > Policies > Path. The Path Policies configure stacked policies for
flow forwarding and traffic shaping operations.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 104
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Branch 1 Path Simple Stack is the default stack, as noted by the star.

Step 6: Click Branch 1 Path Simple Stack. Path policy rules define network paths for application
sessions to leverage. Path Policy Rules use network contexts, applications, destination zones, prefixes,
ports, and protocols. Layer 3 paths can be private or internet paths, VPN, or standard VPNs.

A simple path (or QoS Stack), at a minimum, consists of one policy set with two default policy rules.
Enterprise Default Rule will match all RFC1918 private addresses. The Default Rule will match all other
traffic.

Step 7: Manage > Prisma SD-WAN > Policies > QoS. The QoS Policies configure QoS policies for
specifying application business priorities.

Click the QoS Policy Stack to explore the associated QoS Policy Rules.

Step 8: Click on Default QoS Simple Stack.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 105
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Task 5 – CloudBlades
The Prisma SD-WAN platform enables the seamless integration of branch services into the SASE fabric
without needing to update your branch appliances or controllers, thus eliminating service disruptions and
complexity. This unique cloud-based API architecture automates deployments of third-party services,
enabling organizations to simplify network operations and multi-cloud connectivity and expedite
deployments. The platform also enables the seamless deployment of a Prisma SD-WAN Virtual Form
Factor device within a specific environment.

Step 1: Navigate to Manage > Prisma SD-WAN > CloudBlades to see the list of available CloudBlades.

Step 2: Under Prisma Access for Networks (Cloud Managed), click Monitor.

Step 3: Select the SDWAN Sites tab. This is a summary of the branches that have been on-boarded.

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 106
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Step 4: Navigate to Workflows > Prisma SD-WAN Setup > Branch Sites. Select Branch01-New York,
then the Configuration tab.

Note the TAGS: The prisma_access tag enables site-wide integration of Prisma Access. The
prisma_name tag allows for a custom name. These are added to indicate the intent to on-board this site.

Step 5: Under Devices, click branch01-3102v-01. Then select the Interfaces tab.

If you see an error regarding VRF data, that is due to the read-only account.

Here the tags indicate to the CloudBlade which region to on-board the tunnel for this interface to. As
shown here, it is the US East Prisma Access region.

Also note the AUTO-CGX_ tags. This is the result of the IPSec tunnel that was created by the
CloudBlade. In the Description you can see information about all of the corresponding Prisma Access
constructs that were created and associated with this Prisma SD-WAN tunnel.

End of Activity 12

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 107
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Activity 13 - Feedback on Ultimate Test Drive

Thank you for attending the Ultimate Test Drive workshop. We hope you enjoyed the presentation
and the labs that we have prepared for you. Please take a few minutes to complete the online
survey form to tell us what you think.

Task 1 – Take the online survey

Step 1: In your lab environment, click the Survey link from the left-hand column.

Step 2: Please complete the survey and let us know what you think about this workshop.
Drag the widget to the right to expand the window.

End of Activity 13

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 108
infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

Appendix-1: Network Diagram

LAB SETUP

UTD-SASE 2.1 © 2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20231026 109