Palo Alto
Firewalls
Panorama
Prisma Access SASE (Secure Access Service Edge)
Service Connection
GlobalProtect
Remote Network
Explicit Proxy
ZTNA - Zero Trust Network Access
Browser
Build Site to Site tunnel
Service Connections Setup
Verify Service Connection Status
- IKE Crypto Profile (Phase 1)
- IPSec Crypto Profile (Phase 2)
- IKE Gateway (Phase 1)
- Zones
- Tunnel Interface
- IPSec Tunnel (Phase 2)
- Virtual Router
- Static Routes
- Security Policy
Platforms and Architecture
Single Pass Architecture
Flow Logic
Initial Configuration
Initial Access to the System
Configuration Management
Licensing and Software Updates
Account Administration
Account Administration using Radius
Admin Roles
Interface Configuration
Security Zones
Layer 2, Layer 3, Virtual Wire, and Tap
Sub-Interface
DHCP
Virtual Routers
Multi VR Setup and Use Case
Security and NAT Policies
Security Policy Configuration
Policy Administration
NAT (Source and Destination)
App-ID
App-ID Overview
Application Groups and Filters
Content-ID Overview
AntiVirus
Anti-Spyware
Vulnerability
URL Filtering
External Dynamic List
File Blocking Wildfire
Security Profiles File Blocking
WildFire
Zone Protection and DoS Protection
Decryption
Certificate Management
SSL Handshake
Outbound SSL Decryption
Inbound SSL Decryption
VPN - Virtual Private Network
Allows secure communication over a public network.
A VPN aims to provide CIA, here meaning Confidentiality, Integrity and Authentication (the A is Authentication in this context, not the Availability of the classic CIA triad).
Types of VPN
1. Site-to-Site VPN (IPsec S2S)
2. Remote Access VPN (SSL VPN or GlobalProtect)
An IPsec Site-to-Site VPN provides CIA:
Confidentiality: encryption (AES, negotiated in the IPsec crypto profile)
Integrity: hash / MAC (HMAC-SHA256, or the built-in authentication tag of an AEAD cipher such as AES-GCM)
Authentication: PSK (pre-shared key) or PKI (certificates)
It also provides anti-replay protection: every ESP packet carries a sequence number, and the receiver drops duplicates and packets that fall outside its sliding window.
Encryption: converts plaintext into ciphertext using a key.
Decryption: converts ciphertext back into plaintext using the key.
Symmetric Encryption
1. DES (56-bit key), 3DES (168-bit key), AES (128-, 192- or 256-bit key), RC4 (128-bit key). DES, 3DES and RC4 are broken or deprecated and should not be offered in a crypto profile; use AES.
2. The same key is used for encryption and decryption, so the key must be shared out of band or derived through a key exchange (IKE uses DH for this).
3. Block cipher: encrypts fixed-size blocks. DES and 3DES use a 64-bit block; AES uses a 128-bit block regardless of key size (128, 192 or 256 bits).
4. Stream cipher: generates a keystream from the key and XORs it with the data bit by bit or byte by byte (RC4).
Asymmetric Encryption
1. RSA (used by SSH and by certificate-based IKE authentication), DH (Diffie-Hellman key agreement, used by IKE to derive the shared secret from which the symmetric keys are taken)
2. Each side has two keys, a private key and a public key, and shares only the public key with the other side.
Whatever is encrypted with one key of the pair can only be decrypted with the other: encrypt with the public key and decrypt with the private key for confidentiality; sign with the private key and verify with the public key for authentication.
Create the IKE Crypto Profile and the IPSec Crypto Profile first.
The IKE Gateway references the IKE Crypto Profile.
The IPSec Tunnel references the IKE Gateway and the IPSec Crypto Profile.
IKE Crypto Profile (IKE Phase 1)
Name: pa-lab-ike-crypto-profile
DH Group: group20 (384-bit ECP)
Authentication: non-auth (aes-256-gcm is an AEAD cipher and carries its own integrity check, so no separate hash is selected)
Encryption: aes-256-gcm
Timers: Key Lifetime 1 hour
IPSec Crypto Profile (IKE Phase 2)
Name: pa-lab-IPSec-crypto-profile
ESP - Encapsulating Security Payload (encrypts and authenticates the payload; this is what the profile uses)
AH - Authentication Header (integrity only, no encryption, and it does not survive NAT because it authenticates the IP header)
Encryption: aes-256-gcm
Authentication: none (GCM is AEAD and provides integrity itself; sha256 is only needed with a CBC cipher)
DH Group: Group
Lifetime: 1 hour
IKE Gateway
Name: pa-lab-service-connection-IKE-gateway
Version: IKEv2 only mode
Address Type: IPv4
Interface: Ethernet1/2
Local IP Address: 172.16.17.1/24
Peer IP Address Type: IP
Peer IP Address: 203.1.113.1
Pre-shared Key: PaloAlto! (lab value only; in production use a long random PSK, 32 characters or more, unique to this gateway)
Confirm Pre-shared Key: PaloAlto!
Local Identification: User FQDN (email address) Site-a@prisma-access.lab (must match the peer identification configured on the Prisma Access side)
Advanced Options tab
Enable NAT Traversal (needed when either peer sits behind NAT; IKE and ESP are then carried in UDP 4500)
IKE Crypto Profile: pa-lab-ike-crypto-profile
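The steps above, written as PAN-OS configure-mode set commands, followed by the operational-mode checks for the Verify Service Connection Status step. This is an added example; it is not configuration taken from the original notes or from Palo Alto Networks documentation. Object names and values come from the notes; the tunnel interface tunnel.1, the zone names vpn and lan, the IPsec tunnel name, the static-route destination 10.0.0.0/8, the rule names, DPD being enabled and the Phase 2 PFS group (group20, where the notes leave the field blank) are assumptions for this lab. Lines starting with # are annotations for the reader; the PAN-OS CLI does not accept them, so drop them when pasting.

```text
# --- IKE Crypto Profile (Phase 1); GCM is AEAD, hence hash non-auth
set network ike crypto-profiles ike-crypto-profiles pa-lab-ike-crypto-profile dh-group group20
set network ike crypto-profiles ike-crypto-profiles pa-lab-ike-crypto-profile encryption aes-256-gcm
set network ike crypto-profiles ike-crypto-profiles pa-lab-ike-crypto-profile hash non-auth
set network ike crypto-profiles ike-crypto-profiles pa-lab-ike-crypto-profile lifetime hours 1

# --- IPSec Crypto Profile (Phase 2); ESP with GCM, no separate ESP authentication
# (PFS dh-group group20 is an assumption; the notes leave it blank)
set network ike crypto-profiles ipsec-crypto-profiles pa-lab-IPSec-crypto-profile esp encryption aes-256-gcm
set network ike crypto-profiles ipsec-crypto-profiles pa-lab-IPSec-crypto-profile esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles pa-lab-IPSec-crypto-profile dh-group group20
set network ike crypto-profiles ipsec-crypto-profiles pa-lab-IPSec-crypto-profile lifetime hours 1

# --- IKE Gateway (Phase 1); IKEv2 only, PSK, local ID as User FQDN, NAT-T on
set network ike gateway pa-lab-service-connection-IKE-gateway protocol version ikev2
set network ike gateway pa-lab-service-connection-IKE-gateway protocol ikev2 ike-crypto-profile pa-lab-ike-crypto-profile
set network ike gateway pa-lab-service-connection-IKE-gateway protocol ikev2 dpd enable yes
set network ike gateway pa-lab-service-connection-IKE-gateway local-address interface ethernet1/2
set network ike gateway pa-lab-service-connection-IKE-gateway local-address ip 172.16.17.1/24
set network ike gateway pa-lab-service-connection-IKE-gateway peer-address ip 203.1.113.1
set network ike gateway pa-lab-service-connection-IKE-gateway authentication pre-shared-key key PaloAlto!
set network ike gateway pa-lab-service-connection-IKE-gateway local-id type ufqdn id Site-a@prisma-access.lab
set network ike gateway pa-lab-service-connection-IKE-gateway protocol-common nat-traversal enable yes

# --- Tunnel interface, zone and IPSec Tunnel (Phase 2); names below are assumed
set network interface tunnel units tunnel.1 comment "Prisma Access service connection"
set zone vpn network layer3 tunnel.1
set network tunnel ipsec pa-lab-service-connection-ipsec-tunnel auto-key ike-gateway pa-lab-service-connection-IKE-gateway
set network tunnel ipsec pa-lab-service-connection-ipsec-tunnel auto-key ipsec-crypto-profile pa-lab-IPSec-crypto-profile
set network tunnel ipsec pa-lab-service-connection-ipsec-tunnel tunnel-interface tunnel.1

# --- Virtual Router and Static Route (destination range is assumed)
set network virtual-router default interface tunnel.1
set network virtual-router default routing-table ip static-route to-prisma-access destination 10.0.0.0/8 interface tunnel.1

# --- Security Policy between the LAN zone and the tunnel zone (zone and rule names are assumed)
set rulebase security rules lan-to-prisma from lan to vpn source any destination any application any service application-default action allow
set rulebase security rules prisma-to-lan from vpn to lan source any destination any application any service application-default action allow
commit

# --- Verify Service Connection Status (operational mode, after the commit)
test vpn ike-sa gateway pa-lab-service-connection-IKE-gateway
show vpn ike-sa gateway pa-lab-service-connection-IKE-gateway
test vpn ipsec-sa tunnel pa-lab-service-connection-ipsec-tunnel
show vpn ipsec-sa tunnel pa-lab-service-connection-ipsec-tunnel
show vpn flow name pa-lab-service-connection-ipsec-tunnel
less mp-log ikemgr.log
```

Every parameter has to agree on both ends: IKE version, DH group, cipher, lifetime and the identities. If show vpn ike-sa lists no SA after the test command, the mismatch (wrong PSK, unexpected peer ID, unsupported proposal) is spelled out in ikemgr.log; an IKE SA with no IPsec SA usually means the Phase 2 proposal or proxy IDs differ.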
HQ: Head Office in Delhi
Branch Office: BLR (Bangalore)