Palo Alto Networks VM-Series Advanced Threat Detection


1 hour 30 minutes 1 Credit

This lab was developed with our partner, Palo Alto Networks. Your personal information may be shared with Palo Alto Networks, the lab sponsor, if you have opted in to receive product updates, announcements, and offers in your Account Profile.




In this lab you will use the Palo Alto Networks VM-Series deployed as an Intrusion Detection System (IDS) in Google Cloud.

Google Cloud Packet Mirroring clones the network packets of specific instances in your Virtual Private Cloud (VPC) network and forwards that cloned network packet to the VM-Series for examination. Packet Mirroring captures all ingress and egress traffic and packet data, such as payloads and headers.

IDS is a primary use case for Packet Mirroring in Google Cloud. You can use the VM-Series as an IDS to analyze mirrored traffic, detect threats or anomalies, and provide an additional layer of security protection. Additionally, you can inspect the full traffic flow to detect application performance issues.

What you'll do

  • Review Google Cloud Packet Mirroring setup for VM-Series
  • Monitor the malicious activities at the VM-Series
  • Browse to a juice-shop web page
  • Perform SQL Injection attacks at the juice-shop website
  • Exploit a Jenkins instance from a Linux instance
  • Test two more security features of VM-Series:
    • Antivirus - download a test virus file from a Linux instance
    • URL Filtering - access a hacking website from a Linux instance



The VM-Series firewall, Google Cloud VPC Packet Mirroring, Jenkins server, Juice Shop web server and Kali Linux server are preconfigured for you.

Setup and requirements

If you are running your own VPN, please shut it down prior to starting this lab to avoid generating an error.

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab---remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username from the Lab Details panel and paste it into the Sign in dialog. Click Next.

  4. Copy the Password from the Lab Details panel and paste it into the Welcome dialog. Click Next.

    Important: You must use the credentials from the left panel. Do not use your Google Cloud Skills Boost credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  5. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left.

Browse Juice Shop

OWASP Juice Shop (from the OWASP Foundation, the Open Source Foundation for Application Security) is probably the most modern and sophisticated insecure web application. It can be used in security training, awareness demos, CTFs and as a guinea pig for security tools. Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten, along with many other security flaws found in real-world applications.

  1. In the Cloud Console, go to Navigation menu > Compute Engine.
  2. Copy the External IP address, which is shown in the Console under Compute Engine > juice-shop.
  3. Open a new browser tab and navigate to http://<External IP>, replacing <External IP> with the External IP of Juice-shop. It can take up to 5 minutes for the Juice-shop website to come up. Click Dismiss if required.
  4. Click on Account > Login > Not yet a customer? and enter some fake details.
  5. Use any (real or fake) email to create an account, just remember the email and password you used! When you're finished, click Register.
  6. Log in with the credentials you just created.
  7. Go ahead and buy some juice! Then click Your basket (the basket icon), then Checkout.
  8. Click Add New Address, then fill out the form. When you're done, click Submit.
  9. Click into the circle to select the address you just created, then click Continue.
  10. Choose your Delivery Speed, then click Continue.
  11. Click Add New Card and enter some fake credit card information. Click Submit.
  12. Click into the circle to select the card you just entered, then click Continue.
  13. Click Place your order and pay.


Review Configuration of the VM-Series

  1. In the Console, go to Compute Engine > VM Instances > VM-Series-xxx. Click on the name and scroll down to the Network interfaces.
  2. You will see that nic1 is assigned to the management VPC. Copy the External IP shown there; you will use it to access the VM-Series.
  3. Open a new browser tab and navigate to https://<External IP>, replacing <External IP> with the External IP of the VM-Series. Note that it can take up to 10 minutes for the firewall to spin up.

If the message "Your connection is not private" opens, click Advanced, and then Proceed to <IP address> (unsafe):

This opens the VM-Series management console.

  4. Log in to the VM-Series management console using the following credentials:



  5. In the Welcome window, click Close.
  6. For Telemetry Data Collection, click Remind me later.
  7. Once you have logged in to the firewall, you will see the dashboard:


Get your IP address

Open another browser tab and go to to find the IP address of your laptop. Leave this tab open, you'll need it throughout this lab.

Review the web browsing activities in Traffic log

On the PA-VM dashboard, click the Monitor tab. Click on Traffic in the left panel.

Add a filter addr.src in {*your IP address*} into the search field to only see the traffic from your laptop, then press Enter.


You should now see the web browsing traffic to the Juice shop (Destination at port 80).


Attack the Juice Shop

Juice Shop has built-in challenges for security professionals to practice on. You earn a score once you solve a challenge. For example, you earn a score by discovering the hidden scoreboard. Go to http://{*external IP of Juice Shop*}/#/score-board

Click on Dismiss for Welcome to OWASP Juice Shop! prompt.


Using SQL Injection to obtain the administrator's credentials is one of the challenges. Use this challenge to observe an attack in the VM-Series firewall logs.

Login as administrator via SQL Injection

You don't have the username and password of the administrator user, so you will login as admin via SQL Injection.

  1. Log out from Juice Shop.
  2. Log back in using the following credentials:


'or 1=1--


  3. Click on Account and verify you are logged in as administrator.
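The login bypass above works because the application builds its SQL query from the submitted text. The following Python example is added here and is not part of the lab or of Juice Shop's code: it rebuilds that behaviour against a constructed SQLite user table (the table, e-mail addresses and passwords are assumptions) and shows the parameterised query that defeats the same `' or 1=1--` payload.

```python
import sqlite3

# Constructed user table (assumption): a stand-in for Juice Shop's Users table, with
# plaintext passwords only to keep the example short. The admin row is inserted first,
# as it is in Juice Shop, which is why the bypass lands on that account.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO Users (email, password, role) VALUES (?, ?, ?)", [
        ("admin@juice-sh.op", "constructed-admin-pw", "admin"),
        ("customer@example.com", "constructed-customer-pw", "customer"),
    ])
    return conn

def vulnerable_sql(email, password):
    # The submitted values are pasted into the SQL text, so a quote in the email field
    # closes the string literal early and everything after it is parsed as SQL;
    # the trailing -- comments out the password check entirely.
    return (f"SELECT email, role FROM Users WHERE email = '{email}' "
            f"AND password = '{password}'")

def login_vulnerable(conn, email, password):
    # Returns (email, role) of the first matching row, or None.
    return conn.execute(vulnerable_sql(email, password)).fetchone()

def login_hardened(conn, email, password):
    # Parameterised query: the driver binds the values separately from the SQL text,
    # so the same input is only ever compared as a string and never parsed as SQL.
    sql = "SELECT email, role FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()
```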


Review the attack in VM Series Firewall logs

  1. On the PA-VM dashboard, click the Monitor tab then click Threat in the left panel.
  2. Add a filter addr.src in {*your IP address*} into the search field to only see the threat from your laptop, then press Enter.

In the Threat ID/Name column, notice the log entry Suspicious HTTP Evasion Found. The Source Address matches the IP of your laptop, and the Destination Address matches the IP of the Juice Shop.


Click the magnifying glass in the left column to review the log details.


Observe random attacks to Juice Shop and Jenkins

Juice Shop has a vast number of intended vulnerabilities. The Jenkins server is an older version with known vulnerabilities as well. Once they are exposed on the internet, they become attractive targets for hackers. As Juice Shop and Jenkins run for a while, you will likely see high severity attacks occurring.

Still on the Threat page, use the filter below to see if high severity attacks have occurred.

( severity neq informational )

You may not see any logs for severities higher than Low at this point in the lab.


But when there are issues, you'll see them marked clearly:


About Jenkins

Jenkins is an open source automation server written in Java. Jenkins is the most popular open source CI/CD tool on the market today. Jenkins allows developers to automatically build, integrate, and test code as soon as they commit it to the source repository. This allows developers to catch bugs quickly and ultimately deploy much faster.

Jenkins is the oldest player in the industry, and its vulnerabilities have been a popular target for hackers.

Bad actors generally follow a well-known sequence of steps when attempting to infiltrate a network. This starts with identifying what is on the network and what vulnerabilities are associated with deployed assets.

It completes with a successful exploit followed by network persistence.

The bad guys have to get every step correct, while the defender only has to prevent one step in the chain to be successful. Defenders have a number of tools available at the environment, network, and host level, some of which are enumerated here.

Not all tools are applicable in all circumstances, but knowing what is available can help you make informed decisions based upon risk.

Exploit Jenkins

  1. Return to the Cloud Console, Compute Engine > VM instances.
  2. Copy the Jenkins Server external IP address.
Note: you may need to disconnect from your Corporate VPN.
  3. Open a new browser tab and go to http://{external IP Address of jenkins server}:8080. You will see the Jenkins page open.


Next you will return to the Cloud Console and SSH into the Kali Linux server.

Note: If you are not able to access the Jenkins website, restart your instance.

Check the Jenkins instance checkbox, then click the Stop button at the top of the screen.


Then click the Start / Resume button.



Activate Cloud Shell

From Cloud Console, click the Activate Cloud Shell icon in the upper right corner.


Click Continue to access Cloud Shell


Obtain the external IP Address of instance kali, the Kali Linux Server.


Run the following to SSH to the Kali Linux server.

ssh kali@{external IP Address of kali server}

Type yes to connect.

Enter the password:




Launch the attack scripts

Run the script from the kali shell to start the exploit against the Jenkins server:

msfconsole -r jenkins.rc




Enter the command to access the shell of the Jenkins server:

python -c 'import pty; pty.spawn("/bin/bash")'



Now you are at the shell of the Jenkins server.

Issue a few commands to check the file system:

cd ..
ls



Check which account you're using:



Examine the session established by the exploit:

netstat -an



Review the processes associated with the exploit:

ps -ef
ps -aux



You have access to the /etc/passwd file:

head /etc/passwd



Type exit twice to leave the Jenkins server root prompt. You'll be returned to the kali prompt.


Review VM Series firewall logs

On the PA-VM dashboard, click the Monitor tab. Click on Traffic in the left panel.

Add this filter to review all the traffic to jenkins and kali, then press Enter:

( addr.dst in ) or ( addr.dst in )



Click Check my progress to verify the objective: Review VM Series firewall logs.

Review the attack in threat log

Still on the PA-VM dashboard, click on Threat in the left panel and add this filter, which shows entries whose destination is the jenkins or kali instance and whose severity is not informational:

(( addr.dst in ) or ( addr.dst in ) ) and ( severity neq informational )

Notice the log entry Shell Command Access, whose Severity is critical.
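The filter expressions used throughout this lab (addr.src in, addr.dst in, severity neq, combined with and/or and parentheses) can also be applied to exported log records offline. The Python example below is added here and is not part of the lab or of PAN-OS; it evaluates that filter syntax over a few constructed threat-log records (the field names, addresses and threat names are assumptions) and lets the `in` operator take a CIDR block as well as a single host.

```python
import ipaddress
import re

# Constructed threat-log records (assumption); keys match the fields the lab filters on.
SAMPLE_LOGS = [
    {"addr.src": "203.0.113.10", "addr.dst": "10.0.1.5", "severity": "medium", "threat": "Suspicious HTTP Evasion Found"},
    {"addr.src": "10.0.2.7", "addr.dst": "10.0.1.8", "severity": "critical", "threat": "Shell Command Access"},
    {"addr.src": "10.0.2.7", "addr.dst": "10.0.1.8", "severity": "informational", "threat": "HTTP GET"},
    {"addr.src": "198.51.100.4", "addr.dst": "10.0.1.8", "severity": "low", "threat": "Login Attempt"},
]
TOKEN = re.compile(r"\(|\)|[^\s()]+")  # parentheses, and/or, and field/op/value words

def condition(field, op, value):
    # `in` accepts a host address or a CIDR block; eq/neq compare strings such as severity.
    if op == "in":
        net = ipaddress.ip_network(value, strict=False)
        return lambda rec: ipaddress.ip_address(rec[field]) in net
    if op in ("eq", "neq"):
        return lambda rec: (rec[field] == value) == (op == "eq")
    raise ValueError(f"unsupported operator: {op}")

def parse(filter_text):
    # Recursive descent: `or` binds loosest, `and` tighter, parentheses group explicitly.
    tokens, pos = TOKEN.findall(filter_text), [0]  # pos is a one-element cursor
    def binary(word, sub, combine):
        left = sub()
        while pos[0] < len(tokens) and tokens[pos[0]] == word:
            pos[0] += 1
            left = combine(left, sub())
        return left
    def or_expr():
        return binary("or", and_expr, lambda l, r: lambda rec: l(rec) or r(rec))
    def and_expr():
        return binary("and", term, lambda l, r: lambda rec: l(rec) and r(rec))
    def term():
        if tokens[pos[0]] == "(":
            pos[0] += 1
            inner = or_expr()
            if tokens[pos[0]] != ")":
                raise ValueError("missing closing parenthesis")
            pos[0] += 1
            return inner
        field, op, value = tokens[pos[0]:pos[0] + 3]
        pos[0] += 3
        return condition(field, op, value)
    return or_expr()

def filter_logs(filter_text, records=SAMPLE_LOGS):
    pred = parse(filter_text)
    return [rec for rec in records if pred(rec)]
```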


Click the magnifying glass icon in the left column of the first entry to review the log details.


Click the magnifying glass icon in the left column of the second entry to review the log details.


Test VM Series Security Feature: URL Filtering

Palo Alto Networks URL Filtering allows you to monitor and control the sites users can access, to prevent phishing attacks by controlling the sites to which users can submit valid corporate credentials, and to enforce safe search for search engines.

In Cloud Shell you should still be at the kali prompt (kali@kali:~$ ). Access a test hacking website by issuing the command:


On the PA-VM dashboard, click on Traffic in the left panel and add this filter to see the traffic from the kali instance, then press Enter:

( addr.src in )

You see web browsing traffic initiated from the kali instance.


Click Check my progress to verify the objective: Test VM Series Security Feature.

Now check whether accessing the hacking website triggered any URL Filtering logs.

On the PA-VM dashboard, click on URL Filtering in the left panel. You'll see that the website is categorized as hacking.


Click the magnifying glass icon in the left column to review the log details.


You have performed SQL Injection attacks on a juice-shop web service, exploited a Jenkins server from a Linux instance, and gained root access. This demonstrated a hacker's ability to move around inside the cloud and exploit other cloud instances. You have also tested the URL Filtering security feature. This demonstrated the risk that could be caused by an authenticated user.

The VM-Series firewall was deployed as an IDS that, through VPC Packet Mirroring, has visibility into the network traffic as well as the malicious activities. You have reviewed the network traffic log, threat log, and URL Filtering log, and observed the network traffic and the threat events caused by the attacks. With VM-Series and Packet Mirroring, you have full visibility into the malicious activities. In the real world, security teams would be able to implement prevention and remediation based on the VM-Series detection of the malicious activities.


Finish Your Quest

This self-paced lab is part of the Qwiklabs Public Cloud Security by Palo Alto Networks Quest. A Quest is a series of related labs that form a learning path. Completing this Quest earns you the badge above, to recognize your achievement. You can make your badge (or badges) public and link to them in your online resume or social media account. Enroll in this Quest and get immediate completion credit if you've taken this lab. See other available Qwiklabs Quests.

Take Your Next Lab

Continue your quest with the next lab in the series, Palo Alto Networks: VM-Series AutoScale in Google Cloud.

Next Steps / Learn More

Google Cloud Training & Certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated: August 30, 2021
Lab Last Tested: January 20, 2021

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.