Guide: How to get experience of Palo Alto without physical kit

When studying for the Palo Alto PCSNA exam I had formal training and experience with the PA firewalls themselves. That said, not all of the PA firewalls I supported used all of the features required for the exam, and so self-study was essential. Now that I’m beginning my studies for PCSNE I’ve discovered that this not only requires experience of PAN-OS on the firewalls but also experience of Panorama.

This guide will discuss the options available to someone studying for PCSNA or PCSNE to get some hands on training before sitting the exams.

Palo Alto Learning Centre

Palo Alto has an education page explaining the certification process and what resources are available to help you study. The most useful of these is the Learning Centre. The Learning Centre provides access to some training courses and training materials; however, what you get access to depends on your or your company’s relationship with Palo Alto. Palo Alto partners also get additional learning resources and courses such as EDU-110. As part of these training courses there are virtual labs available that give access to the physical kit; however, these courses won’t be available to everyone.

Virtual Appliance / EVE-NG

The Palo Alto firewall can be deployed as a virtual appliance in most hypervisors, and these virtual appliances are used in production too. The VM-Series appliances can be deployed without being licensed or registered, in an ‘evaluation’ type state. This allows us to configure the device and get used to the GUI/CLI, but it comes with some major drawbacks. The ‘secret sauce’ of Palo Alto firewalls relies heavily on its cloud-connected features, and these features require licenses. Another drawback is that without the base/throughput license on a Palo Alto firewall we don’t get the monitor logs, which makes troubleshooting much more difficult. That said, for PCSNA/PCSNE this is a fantastic way to get hands on a real device without any physical hardware. I particularly recommend using EVE-NG to run the PA virtual images in.

EVE-NG is a clientless multi-vendor network emulation platform. Similar to GNS3, it allows us to virtualise a variety of network devices including, but not limited to, Cisco switches/routers/firewalls and Palo Alto firewalls. It can run on bare metal or on any hypervisor as a VM. It also provides a full HTML5 GUI for interaction, meaning that only a web browser is required to use it. It’s very easy to set up and build custom topologies. There are a free and a professional edition.

EVE-NG Basic topology of 2 x Palo Alto VMs, 1 Layer 3 switch and a docker client of Firefox

The professional edition costs about £108/$112 per year (at time of writing) for individuals and is definitely worth it if you’re studying for Cisco or Palo Alto certifications. The professional edition provides Docker-based images for things like web browsers and Wireshark, which makes connecting to the GUI on the Palo Alto firewalls much easier, and it also allows interfaces to be connected/disconnected while the devices are switched on.

Example of the EVE-NG Docker Firefox node and CLI via the HTML5 GUI

AWS / Amazon Web Services

As I alluded to earlier, the secret sauce for Palo Alto comes from its cloud-based features such as WildFire, PAN-DB URL lookups and App-ID services. These all require licenses to function, and so for study the cost of a dedicated device (even with NFR/lab licenses) may be too high for an individual. Another issue is the requirement for PCSNE candidates to have experience of Panorama, as this also requires licensing on the firewall.

This is where Amazon Web Services comes in. AWS allows us to spin up virtual Palo Alto firewalls or Panorama in an EC2 instance and to pay by the hour for the use of the devices. As well as the EC2 compute/S3 storage cost for these, we also pay a small fee which covers the licensing and subscriptions for the various advanced features. As we only want this for non-production purposes, we can lower the EC2 instance’s resources to the lowest possible to reduce the cost of running.

AWS has in its Marketplace the following options for Palo Alto:

VM-Series Next-Generation Firewall Bundle 1 – From $0.87 per hour

  • Palo Alto VM Series firewall
  • Threat Prevention (IDS/IPS) subscription
  • Premium Support
  • Panorama subscription

VM-Series Next-Generation Firewall Bundle 2 – From $1.14 per hour

  • Palo Alto VM Series firewall
  • Threat Prevention (IDS/IPS) subscription
  • PanDB URL filtering subscription
  • Wildfire
  • Global Protect & DNS filtering subscriptions
  • Premium Support
  • Panorama subscription

Palo Alto Networks Panorama – From $0.19 per hour

  • The Panorama server is slightly different in that the license is applied to the firewall, so there are only compute costs.

Other virtual machines can also be spun up in AWS and integrated into your topologies for testing. While this method isn’t free, it provides a low-cost alternative to an NFR (not for resale) or lab-licensed device. This allows an individual to have access to the full range of Palo Alto capabilities for a small fee. If this were for a team or company I’d suggest getting the NFR or lab-licensed physical kit, as this would be cheaper and more effective in the long run.

I intend to put together a guide on building a PCSNE study environment in AWS at a later date.


Guide: Using KeePass – The Basics

What is KeePass?

KeePass is a free and open-source password manager. The application allows usernames, passwords and other information such as strings and files to be stored in a secure database. Where KeePass differs from many commercial solutions for password management is that it stores these in a single encrypted file rather than relying on any cloud storage. This credential database is secured using a master password.

Why use KeePass?

It is best practice to use a unique username and/or password for each service we create credentials for. This practice prevents a scenario where one service (e.g. email) is compromised and the same credentials are then used to access other services (e.g. online banking). It is also good practice to pick a strong password which would be infeasible for a computer to crack. The problem is that doing this leaves an unreasonable number of credentials to memorise. KeePass allows for the storage of credentials and the creation of cryptographically secure passwords, meaning that we need only remember the master password. It is also free and open source, and so open to scrutiny and at zero cost.

I personally use KeePass because I’m too forgetful to remember all of these usernames and passwords and too lazy to manually type them in.

Getting started with KeePass

As stated before, KeePass stores the passwords in a database file. If you have multiple devices you may need access to this file from multiple locations. To achieve this you can store the KeePass file on cloud storage such as Google Drive, OneDrive, Dropbox or iCloud.

KeePass Clients

As KeePass is free and open-source, there are multiple clients across the different platforms. These are the clients I have used and can personally recommend. Simply install the applications to get started.

Creating the KeePass database

Inside the application choose to create a new database. You’ll then be prompted for the login credentials.

Ensure that you set a strong password, as this will protect all of your other passwords. You can also use a key file to provide additional security. Another option is to use your computer’s login account in place of the authentication. I do not recommend this approach due to the extra risks involved.

In addition to the default settings, I recommend making the KeePass database stronger by using the key transformation options. This makes checking the password more computationally expensive and therefore slower. Before this is enabled we can see how long a guess would take:

This means a computer could guess 500 passwords per second if it were to try to brute force the password. By selecting a 1 second delay it will modify the key transformation such that each guess takes much longer.

This now means a computer could guess less than 1 password per second, and the database is therefore more resistant to brute forcing. The rest of the default settings are good enough.
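The key transformation setting above, and the earlier point about strong passwords being infeasible to crack, both come down to a cost calculation: how many guesses per second an attacker gets, against how many guesses the password space needs. The following Python is an added illustration written for this guide, not KeePass’s own code. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for KeePass’s AES-KDF/Argon2 transformation (the tunable round count is the point, not the specific algorithm), calibrates the rounds to a target delay the way the “1 second delay” button does, and then shows how that delay scales the time an exhaustive search would take. The salt and round counts are constructed sample values.

```python
"""Key transformation as a brute-force brake: a slow, tunable key
derivation between the master password and the database key."""
import hashlib
import math
import time
from typing import Optional

# Constructed sample values; not taken from any real KeePass database.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
BASE_ROUNDS = 20_000


def transform_key(master_password: str, salt: bytes, rounds: int) -> bytes:
    """Derive a 32-byte database key from the master password.

    PBKDF2 stands in for KeePass's AES-KDF/Argon2 here: each extra round
    adds CPU work that every password guess must also pay for."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, dklen=32)


def seconds_per_guess(rounds: int, salt: bytes = SALT) -> float:
    """Time one derivation, i.e. the cost of testing a single guess."""
    start = time.perf_counter()
    transform_key("timing-probe", salt, rounds)
    return time.perf_counter() - start


def calibrate_rounds(target_seconds: float, base_rounds: int = BASE_ROUNDS,
                     base_seconds: Optional[float] = None) -> int:
    """Scale the round count so one derivation takes about target_seconds.

    PBKDF2 cost is linear in rounds, so one timing at base_rounds is
    enough to extrapolate (pass base_seconds to skip the measurement)."""
    if base_seconds is None:
        base_seconds = seconds_per_guess(base_rounds)
    return max(1, round(base_rounds * target_seconds / base_seconds))


def guesses_per_second(seconds: float) -> float:
    """Attacker throughput on one CPU core at this per-guess cost."""
    return 1.0 / seconds


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password drawn from an alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(entropy_bits: float, guesses_per_sec: float) -> float:
    """Worst-case time, in years, to try every password of that entropy."""
    return 2 ** entropy_bits / guesses_per_sec / (365 * 24 * 3600)


if __name__ == "__main__":
    fast = seconds_per_guess(BASE_ROUNDS)
    slow_rounds = calibrate_rounds(1.0, BASE_ROUNDS, fast)
    print(f"{BASE_ROUNDS} rounds: {guesses_per_second(fast):.0f} guesses/s")
    print(f"{slow_rounds} rounds: about 1 guess/s")
    bits = password_entropy_bits(12, 62)
    print(f"12-char alphanumeric password: {bits:.1f} bits of entropy")
    print(f"exhaustive search at 500 guesses/s: "
          f"{years_to_exhaust(bits, 500):.3g} years")
    print(f"exhaustive search at 1 guess/s:    "
          f"{years_to_exhaust(bits, 1):.3g} years")
```

Running the script shows the trade-off the setting makes: the calibrated round count slows a single legitimate unlock to about a second, while an attacker loses the same factor on every guess. The entropy figures are a reminder that the transformation only multiplies the cost; a short or predictable master password is still the weak link, and the delay measured on your machine is not a guarantee against faster hardware.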

There are a number of options in the settings to change how KeePass operates: things like whether or not it opens on startup, minimises to the tray or the start menu, or default usernames for entries. These are largely personal preference; however, I’d recommend setting the following options.

Enable “Enter master key on secure desktop”. This option uses the secure desktop (like when UAC dims the screen when asking for an admin prompt) when entering your password, thereby preventing other applications from intercepting the keystrokes. The other option I recommend changing is the auto-type feature.

I personally recommend using F4 for Global Auto-Type and Control + Alt + P for Auto-Type Selected Entry. The auto-type feature is something I’ll explore in a later blog post.

Once the KeePass file is created and saved, it’s just a matter of pointing whatever client you use at the file, wherever it is stored, and entering the master password.