Palo Alto Trial



What kinds of searches can you expect in an NW1 Trial? How should you prepare, as you train in K9 Nose Work? What will you and your dog be expected to do? Are you ready? Do you and your dog have what it takes, to compete in an NW1 Trial?

The Elements

NW1, NW2, and NW3 Nose Work Trials consist of four Elements:

By Palo Alto Networks Buy Now Free Trial. Prisma Cloud dynamically discovers cloud resources and sensitive data across AWS, Azure, and Google Cloud Platform to detect risky configurations and identify network threats, suspicious user behavior, malware, data leakage, and host vulnerabilities. Start a 30-day trial now. Public cloud threat. Theranos founder Elizabeth Holmes’ twice-delayed trial to start in March: judge Theranos destroyed patient test data, prosecutor alleges. East Palo Alto gets free public Wi-Fi access points. A Palo Alto Networks representative will contact you shortly to schedule a personalized online demonstration. Please note that all fields are required. You may also register for one of our weekly Live Demo Webinars, which consist of a live product demo and extended Q&A.

  • Containers
  • Exteriors
  • Interiors
  • Vehicles

The Certifying Official (CO) sets the search areas, and then sets each hide. In the NW1 Trial, the CO sets one search in each Element, and one Birch hide in each search.

The CO also sets a time limit for each search: generally about two to three minutes per search. The fastest dogs may complete the search in well under 30 seconds. In fact, the fastest dogs in an NW1 Trial sometimes have a combined time, for all four searches, of a minute or two. Times vary for each Trial, depending on hide placement, search area characteristics, and weather conditions. Dave and Bodie, and Tigger and I, had combined search times of just under two minutes, in our NW1 Trials.

All NW1 Trial Elements

For each search in an NW1 Trial, the CO will set a Start Line, with cones, flags, or blue tape. Your dog should pass over the Start Line; you may get a fault if your dog veers off to either side, like mine did in our NW1 Containers Search. My dog Tigger veered left too soon, chasing odor, so I took a tight circle with him, to get him over the actual Start Line. This wasted time and probably confused him. Speaking from experience, I recommend that you choke up so that your dog is on a very short leash, or hold on to the harness, until after you cross the Start Line.

Your dog needs to find the Birch odor, and communicate that to you, with either a natural or trained Alert. Then you say ALERT! If the Judge says YES, reward your dog! Congratulations! Party time! You've passed that element! If the Judge says NO... better luck next time.

In an NW1 Trial (but not at higher level Trials), if your dog times out, or you Alert in the wrong place, the Judge will tell you where the hide is, so you can reward your dog at source. If this happens, you should take your dog directly to the hide; don't make everyone wait while you tell your dog to Search again.

Once you finish your search, volunteers will help guide you and your dog back to the competitor parking lot. While you don't need to race, please don't hang around in the Search Area, once you're done. Move on, to allow the next competitor to enter the area.

Containers

In an NW1 Trial, you and your dog will search cardboard boxes of any size or shape, or any combination of sizes and/or shapes. The CO will place Birch odor in one box; the other boxes will be blank. Leashes are generally required in a Containers search.

I don't have my own NW1 Trial Containers video to share with you, so I encourage you to check out these examples from the NACSW website.

To prepare for Containers, make sure your dog gets practice searching for a single hide in up to about 20 closed cardboard boxes. Practice on various surfaces if you can (carpeting, tile, linoleum, wood, dirt, etc) because odor will behave differently in each of those cases. If you can, arrange to have air movement blow down the row of boxes, so your dog learns to go all the way to the Source box, without Alerting on a nearby box which merely has odor blowing onto it. Be aware, it is very possible that your Containers search will feature slippery floors.

In Containers, you can get a fault for dropping food in the search area, or for touching any of the Containers. Your dog can get a fault for excessively damaging a Container. By the way, dog slobber is NOT considered a fault! Whew!

Exteriors

If the search area is not entirely enclosed by fencing or walls, volunteers will clearly mark the search area with cones, flags, or tape. The hide will be inside the search area. You and/or your dog may leave the search area without penalty; after all, your dog may wish to follow the odor plume outside of the search area. If the area is completely enclosed, you may have the option to run this search on or off leash. Most Exteriors searches are not safe for off-leash searches, however, so leashes are almost always required.

I don't have my own NW1 Trial Exteriors video to share with you, so I encourage you to check out these examples from the NACSW website.

To prepare for Exteriors, your dog should be familiar with doing Nose Work on various outdoor surfaces, from wooden decks to concrete and pavement, from lawns to dirt/gravel. There may be trees and/or bushes in your Exteriors search area. Your dog should also be familiar with searching benches and picnic tables.

The two biggest concerns people usually have about Exteriors are:

  1. Your dog may eliminate during the search (in which case, you will be eliminated from the search)
  2. Your dog may be distracted by outdoor odors, and/or outdoor wildlife
Alto

Work with your Instructor until you are fairly confident in both areas.

In Exteriors, you can get a fault for dropping food in the search area, or touching or moving anything in the search area. Your dog can get a fault for damaging the search area, but this is extremely rare in an Exterior search.

Interiors

In an NW1 Trial, sometimes the search area is the entire room; other times, cones or tape will mark your the search area within the room. Interiors searches frequently offer the on-leash or off-leash option. If you have an off-leash option, you may take the leash on or off as often as you like, during the search.

I don't have my own NW1 Trial Interiors video to share with you, so I encourage you to check out these examples from the NACSW website.

To prepare for Interiors, make sure your dog gets practice searching in a variety of indoor spaces. Practice on various surfaces if you can (carpeting, tile, linoleum, wood, etc) because odor will behave differently in each of those cases. If you can, arrange to have air movement sometimes, and no air movement others. Opening windows can be enough to create a small breeze. Practice in big rooms and small rooms; cluttered rooms and nearly empty rooms. Be aware, it is very possible that your Interiors search will feature slippery floors.

Trial

In Interiors, you can get a fault for dropping food in the search area, or for touching anything. Your dog can get a fault for excessively damaging anything in the room.

Vehicles

The CO will place one birch hide on a vehicle, in an NW1 Trial. There may be up to 5 vehicles in a Vehicles search. The vehicles may be cars, trucks, SUVs, golf carts, tractors... almost anything with at least 3 wheels. The dogs never go inside the Vehicles. The search may be indoors, or more frequently outdoors. Almost always, leashes will be required.

I don't have my own NW1 Trial Vehicles video to share with you, so I encourage you to check out these examples from the NACSW website.

To prepare for Vehicles, your dog should have experienced finding hides behind license plates, around the bumper area and running boards (depending on the type of vehicle), and in and around the wheel wells. Practice from upwind, and from downwind, of the Vehicles; and practice when there is no wind at all. Practice having your dog go around the Vehicle to get to the hide.

In Vehicles, you can get a Fault for dropping food in the search area, or for touching a Vehicle. Your dog can get a fault for:

  • Diving too far underneath a Vehicle (safety concerns), or
  • Damaging a vehicle by
    • Jumping up on it, or
    • A too-vigorous Alert with a paw

Weather

You and your dog should have practice searching in the kind of weather that you will expect at the Trial. So, that means you have to get out and practice in heat, cold, wind, and rain, if your Trial will be at the time of year that you're likely to encounter those conditions. Weather conditions can vastly change the movement of odor. Your dog should have experience finding odor in Trial day weather, before arriving at the Trial. And you should know what it looks like when your dog searches in those weather conditions.

Perfection

The NW1 Trial demands perfection, all in one day. To receive your NW1 Trial Title, you and your dog must find all of the hides within the time limits, but no 'extras' (calling Alert where there is actually no source of odor).

The NW1 Trial showcases your dog's skills:

  • Ignore the environmental distractions, in a new and unfamiliar location
  • Solve a simple odor puzzle
  • Find and alert on odor within the time limit

You must be able to read your dog well enough to call the Alert; other than that, the NW1 is mostly about the dog.

Entry Process

The entry process for all NACSW Trials is the same. The NACSW will announce an Entry Date. Starting on the Entry Date at 9AM Pacific Time, you'll have 48 hours to submit your entry. After those 48 hours, the NACSW holds a lottery draw to determine who will compete. If you are one of the lucky ones, the Trial Host will send you an acceptance email, including payment instructions. To hold your spot, you will need to pay by the deadline included in the email. Some hosts ask for a check to be mailed; others accept payment over the internet. If you didn't get in, you will be put on the wait-list. Don't give up hope: sometimes the wait list moves quite a bit, and you might get in, after all.

The NW1 Trial: The Day Before

Palo

Review everything else you need to know about a Trial. Make sure you read the Rule Book again -- even if you've already read it many time before. Review your Trial notification email to verify the times, and any special instructions. Calculate how long it will take to get there, and what time you should get on the road. Put together everything you'll want with you at the Trial, so you won't get there and realize some things you need are still at home. Set your wake-up alarm. Then, get a good night's sleep.

Plan to wear something comfortable and weather-appropriate. Almost all NW1 Trials have one or more official photographers, and/or professional videographers, so it's wise to avoid wearing your least flattering outfits. I feel more confident when I wear my jalapeño hot pepper earrings as a good luck charm; perhaps you have something lucky to wear as well.

The NW1 Trial: The Day Is Here!

Here's some advice that easy to give and hard to follow:

  • Try to relax. You won't be able to think straight if you're tense. Your dog may be worried about your anxiety, and that may interfere with his desire to search.
  • Have fun with your dog. You get to spend the whole day with your dog, doing something that hopefully both of you love: Nose Work.
  • Be supportive of your fellow competitors. In Nose Work, you essentially compete only against yourself. Every single canine/handler team there can get a Title if they have a perfect day.
  • If you don't have that perfect day, think of it as a learning experience, instead of as a disappointment. You learned where there may be a hole in your training.

And some advice that's easy to follow: Volunteer at as many Trials as you can. It's a terrific educational opportunity that's completely free. You meet new people who are also crazy about Nose Work. You get free food. You'll be more prepared for your own Trials. Dave and I volunteer at every Trial we can, and we're always glad that we did.

Logging Your Trials

After the Trial, record your impressions. Discuss them with your Instructor. What went well? What would you like to work on? Did the Trial reveal any holes in your training? One option is the NACSW's Competition Log Book, designed specifically to keep track of all of your NACSW Trial results. You can record information about you and your dog, your ORT details, and search details and results from all of your Nose Work Trials.

Copyright 2017 by Linda Fletcher

-->

In this tutorial, you learn how to integrate Palo Alto Networks - Admin UI with Azure Active Directory (Azure AD).Integrating Palo Alto Networks - Admin UI with Azure AD provides you with the following benefits:

  • You can control in Azure AD who has access to Palo Alto Networks - Admin UI.
  • You can enable your users to be automatically signed-in to Palo Alto Networks - Admin UI (Single Sign-On) with their Azure AD accounts.
  • You can manage your accounts in one central location - the Azure portal.

Prerequisites

To configure Azure AD integration with Palo Alto Networks - Admin UI, you need the following items:

  • An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
  • Palo Alto Networks - Admin UI single sign-on enabled subscription
Alto

Scenario description

In this tutorial, you configure and test Azure AD single sign-on in a test environment.

  • Palo Alto Networks - Admin UI supports SP initiated SSO
  • Palo Alto Networks - Admin UI supports Just In Time user provisioning

Adding Palo Alto Networks - Admin UI from the gallery

To configure the integration of Palo Alto Networks - Admin UI into Azure AD, you need to add Palo Alto Networks - Admin UI from the gallery to your list of managed SaaS apps.

Palo Alto Vm Trial

  1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
  2. On the left navigation pane, select the Azure Active Directory service.
  3. Navigate to Enterprise Applications and then select All Applications.
  4. To add new application, select New application.
  5. In the Add from the gallery section, type Palo Alto Networks - Admin UI in the search box.
  6. Select Palo Alto Networks - Admin UI from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Configure and test Azure AD SSO

In this section, you configure and test Azure AD single sign-on with Palo Alto Networks - Admin UI based on a test user called B.Simon.For single sign-on to work, a link relationship between an Azure AD user and the related user in Palo Alto Networks - Admin UI needs to be established.

To configure and test Azure AD single sign-on with Palo Alto Networks - Admin UI, perform the following steps:

  1. Configure Azure AD SSO - to enable your users to use this feature.
    • Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
    • Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
  2. Configure Palo Alto Networks - Admin UI SSO - to configure the single sign-on settings on application side.
    • Create Palo Alto Networks - Admin UI test user - to have a counterpart of B.Simon in Palo Alto Networks - Admin UI that is linked to the Azure AD representation of user.
  3. Test SSO - to verify whether the configuration works.

Configure Azure AD SSO

Follow these steps to enable Azure AD SSO in the Azure portal.

  1. In the Azure portal, on the Palo Alto Networks - Admin UI application integration page, find the Manage section and select single sign-on.

  2. On the Select a single sign-on method page, select SAML.

  3. On the Set up single sign-on with SAML page, click the edit/pen icon for Basic SAML Configuration to edit the settings.

  4. On the Basic SAML Configuration section, perform the following steps:

    a. In the Sign-on URL text box, type a URL using the following pattern:https://<Customer Firewall FQDN>/php/login.php

    b. In the Identifier box, type a URL using the following pattern:https://<Customer Firewall FQDN>:443/SAML20/SP

    c. In the Reply URL text box, type the Assertion Consumer Service (ACS) URL in the following format:https://<Customer Firewall FQDN>:443/SAML20/SP/ACS

    Note

    These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact Palo Alto Networks - Admin UI Client support team to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

    Port 443 is required on the Identifier and the Reply URL as these values are hardcoded into the Palo Alto Firewall. Removing the port number will result in an error during login if removed.

    Port 443 is required on the Identifier and the Reply URL as these values are hardcoded into the Palo Alto Firewall. Removing the port number will result in an error during login if removed.

  5. The Palo Alto Networks - Admin UI application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

    Note

    Because the attribute values are examples only, map the appropriate values for username and adminrole. There is another optional attribute, accessdomain, which is used to restrict admin access to specific virtual systems on the firewall.

  6. In addition to above, the Palo Alto Networks - Admin UI application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.

    NameSource Attribute
    usernameuser.userprincipalname
    adminrolecustomadmin

    Note

    The adminrole value should be same as the role name which is configured in the Palo Alto Networks as mentioned in step 9.

    Note

    For more information about the attributes, see the following articles:

  7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Federation Metadata XML from the given options as per your requirement and save it on your computer.

  8. On the Set up Palo Alto Networks - Admin UI section, copy the appropriate URL(s) as per your requirement.

Create an Azure AD test user

In this section, you'll create a test user in the Azure portal called B.Simon.

  1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
  2. Select New user at the top of the screen.
  3. In the User properties, follow these steps:
    1. In the Name field, enter B.Simon.
    2. In the User name field, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Click Create.

Assign the Azure AD test user

In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Palo Alto Networks - Admin UI.

  1. In the Azure portal, select Enterprise Applications, and then select All applications.
  2. In the applications list, select Palo Alto Networks - Admin UI.
  3. In the app's overview page, find the Manage section and select Users and groups.
  4. Select Add user, then select Users and groups in the Add Assignment dialog.
  5. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the screen.
  6. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see 'Default Access' role selected.
  7. In the Add Assignment dialog, click the Assign button.

Configure Palo Alto Networks - Admin UI SSO

  1. Open the Palo Alto Networks Firewall Admin UI as an administrator in a new window.

  2. Select the Device tab.

  3. In the left pane, select SAML Identity Provider, and then select Import to import the metadata file.

  4. In the SAML Identify Provider Server Profile Import window, do the following:

    a. In the Profile Name box, provide a name (for example, AzureAD Admin UI).

    b. Under Identity Provider Metadata, select Browse, and select the metadata.xml file that you downloaded earlier from the Azure portal.

    c. Clear the Validate Identity Provider Certificate check box.

    d. Select OK.

    e. To commit the configurations on the firewall, select Commit.

  5. In the left pane, select SAML Identity Provider, and then select the SAML Identity Provider Profile (for example, AzureAD Admin UI) that you created in the preceding step.

  6. In the SAML Identity Provider Server Profile window, do the following:

    a. In the Identity Provider SLO URL box, replace the previously imported SLO URL with the following URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

    b. Select OK.

  7. On the Palo Alto Networks Firewall's Admin UI, select Device, and then select Admin Roles.

  8. Select the Add button.

  9. In the Admin Role Profile window, in the Name box, provide a name for the administrator role (for example, fwadmin). The administrator role name should match the SAML Admin Role attribute name that was sent by the Identity Provider. The administrator role name and value were created in User Attributes section in the Azure portal.

  10. On the Firewall's Admin UI, select Device, and then select Authentication Profile.

  11. Select the Add button.

  12. In the Authentication Profile window, do the following:

    a. In the Name box, provide a name (for example, AzureSAML_Admin_AuthProfile).

    b. In the Type drop-down list, select SAML.

    c. In the IdP Server Profile drop-down list, select the appropriate SAML Identity Provider Server profile (for example, AzureAD Admin UI).

    c. Select the Enable Single Logout check box.

    d. In the Admin Role Attribute box, enter the attribute name (for example, adminrole).

    e. Select the Advanced tab and then, under Allow List, select Add.

    f. Select the All check box, or select the users and groups that can authenticate with this profile.
    When a user authenticates, the firewall matches the associated username or group against the entries in this list. If you don’t add entries, no users can authenticate.

    g. Select OK.

  13. To enable administrators to use SAML SSO by using Azure, select Device > Setup. In the Setup pane, select the Management tab and then, under Authentication Settings, select the Settings ('gear') button.

  14. Select the SAML Authentication profile that you created in the Authentication Profile window(for example, AzureSAML_Admin_AuthProfile).

  15. Select OK.

  16. To commit the configuration, select Commit.

Create Palo Alto Networks - Admin UI test user

Palo Alto Networks - Admin UI supports just-in-time user provisioning. If a user doesn't already exist, it is automatically created in the system after a successful authentication. No action is required from you to create the user.

Test SSO

Palo Alto Panorama Trial

In this section, you test your Azure AD single sign-on configuration with following options.

  1. Click on Test this application in Azure portal. This will redirect to Palo Alto Networks - Admin UI Sign-on URL where you can initiate the login flow.

  2. Go to Palo Alto Networks - Admin UI Sign-on URL directly and initiate the login flow from there.

  3. You can use Microsoft Access Panel. When you click the Palo Alto Networks - Admin UI tile in the Access Panel, you should be automatically signed in to the Palo Alto Networks - Admin UI for which you set up the SSO. For more information about the Access Panel, see Introduction to the Access Panel.

Next Steps

Once you configure Palo Alto Networks - Admin UI you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Cloud App Security.