Lab Manual PAN-EDU-201
Firewall Installation, Configuration, and
Management
Essentials I
January 2013
PAN-EDU-201
PAN-OS - 5.0 - Rev A
Lab Manual
[email protected]
http://education.paloaltonetworks.com
2012 Palo Alto Networks. Proprietary and Confidential
PAN-EDU-201
Lab Manual PAN-OS 5.0 Rev A Page 2
Table of Contents

How to use this Lab Guide ... 4
Lab Equipment Setup ... 5
Module 0 Introduction Lab Access and Review ... 6
  Task 1 RDP to StudentPC, HTTPS and SSH to Student firewall ... 6
  Task 2 Review PAN-OS software, Content, and Licenses ... 6
  Task 3 Disable Panorama sharing ... 6
Module 1 Administration and Management ... 7
  Task 1 Apply baseline configuration to your firewall ... 7
  Task 2 Clear the logs ... 7
  Task 3 Add an Administrator Role ... 7
  Task 4 Add an administrator account ... 7
  Task 5 Take a Transaction Lock and test the lock ... 8
Module 2 Interface Configuration ... 9
  Task 1 Create a new Security Zone ... 9
  Task 2 Create Interface Management Profiles ... 10
  Task 3 Configure a Tap interface ... 10
  Task 4 Configure a Vwire ... 11
Module 3 Layer 3 Configuration ... 12
  Task 1 Configure Ethernet interfaces with Layer 3 info ... 12
  Task 2 Configure DHCP ... 13
  Task 3 Create a Virtual Router ... 14
  Task 4 Create a Source NAT policy ... 14
  Task 5 Create a Destination NAT Policy ... 16
Module 4 App-ID ... 17
  Task 1 Create a basic Security Policy for outbound traffic ... 17
  Task 2 Create 2 basic policies to deny all inbound and outbound traffic ... 17
  Task 3 Create an Application Block Page ... 19
  Task 5 Create Application Filter ... 19
  Task 6 Create Application Group ... 19
  Task 7 Create three new Security Policies that match the following criteria ... 20
  Task 8 Create a custom query in the Traffic Log ... 21
Module 5 Content ID ... 22
  Task 1 Configure a URL filtering Profile ... 22
  Task 2 Configure a Custom URL Filtering Category ... 22
  Task 3 Configure an Antivirus Profile ... 23
  Task 4 Configure an Antispyware Profile ... 23
  Task 5 Connect individual Profile to Policy ... 23
  Task 6 Test connectivity ... 24
  Task 7 Create a File Blocking Profile: Wildfire ... 25
  Task 8 Configure a Security Profile Group ... 26
  Task 9 Connect Profile Group to Policy ... 26
  Task 10 Create a Custom Report ... 26
Module 6 User-ID ... 28
  Task 1 Configure firewall to talk to User-ID Agent ... 28
  Task 2 Review user/IP information ... 28
  Task 3 User-ID Agent (optional) ... 29
Module 7 Decryption ... 30
  Task 1 Pre setup and test ... 30
  Task 2 Create an SSL self-signed Certificate ... 30
  Task 3 Create SSL Outbound Decryption Policies ... 31
  Task 4 Set SSL exclude cache ... 32
  Task 5 Review Self-signed Certificate on StudentPC browser ... 32
Module 8 VPN ... 33
  Task 1 Configure IPsec Tunnel Trust Zone ... 33
  Task 2 Configure IPsec Tunnel Untrust Zone ... 35
Module 9 High Availability (optional) ... 36
  Task 1 Configure HA Active/Passive ... 36
Module 10 Panorama ... 38
  Task 1 Pre setup and test ... 38
  Task 2 Create a custom report - Panorama ... 38
  Task 3 Create an Application Group Object ... 38
  Task 4 Create Pre/Post Policy ... 38
  Task 5 Push config to student firewall ... 39
  Task 6 Switch context and review Policy on firewall ... 39
How to use this Lab Guide

The Lab Guide is laid out to follow the Modules in the Student Guide. There are multiple tasks for each Module. Where appropriate, each Task has 3 sections. The first section is a diagram of what the firewall configuration should look like. The second section contains the steps to create the configuration through the GUI. The third section contains the CLI commands to create the configuration.

You can complete the Tasks by referencing the diagram and the material in the Student Guide, or you can follow the steps in the second section. If you have sufficient experience with the PAN-OS CLI, you can type the commands in the CLI section.

NOTE: Unless specified, the Chrome web browser and the PuTTY SSH client will be used to perform any tasks outlined in the following labs. (These apps are pre-installed on the desktop of the StudentPC.)

Once these labs are completed you should be able to:
1. Configure the basic operations of the firewall including: Interfaces, Security Zones, and Security Policies
2. Configure basic Layer 3 operations including: IP addressing and NAT
3. Configure basic Content-ID functionality including: AV and URL filtering
4. Understand the basic operation of Logs and Reporting
5. Configure extended operations including: IPsec, SSL decryption, and HA

With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help enabled this training to be built, tested, and deployed.
Lab Equipment Setup

[Lab topology diagram; only its labels survived extraction.]
Student PC Setup: RDP ___.___.___.___; Trust-L3 192.168.x.y /24
Student Firewall: Management interface 10.30.11.x /24; Trust-L3 192.168.x.1 /24 on Ethernet 1/2; Untrust-L3 172.16.x.1 /24 on E 1/1.2xx (802.1q trunk)
Firewall Setup: Tap interface, Vwire (2 x interfaces), L3 interface, HA; interfaces E 1/2 through E 1/8 connected to the lab switches
Other lab systems: Panorama, Domain Controller, VSYS; Internet reached through the router and the EDU lab firewall
Module 0 Introduction Lab Access and Review

In this lab you will:
- Test connectivity to your Student firewall over RDP
- Test StudentPC to student firewall connectivity
- Review the operating system and licensing

Task 1 RDP to StudentPC, HTTPS and SSH to Student firewall

Using the login credentials and IP information provided by the instructor:
Step 1: Open your local RDP client and open a session to your assigned RDP IP address.
Step 2: Once connected, use the Student PC web browser and PuTTY client to test connectivity to the student firewall.

Task 2 Review PAN-OS software, Content, and Licenses

Step 1: Click on the Device tab > Software
Step 2: Review available, downloaded, and installed PAN-OS software
Question: What version of PAN-OS is running on your firewall?
__________________________________________________
Step 3: Click on the Device tab > Dynamic Updates
Step 4: Review Applications, Viruses, and URL Filtering to check the date of the last update
Step 5: Click on the Device tab > Licenses
Step 6: Review the licenses installed and their expiration dates
Step 7: In Device > Setup > Management, set the current date and time zone

Task 3 Disable Panorama sharing

Step 1: Click on the Device tab > Setup > Management tab
Step 2: Click on the Panorama Settings edit button
Step 3: If the pop-up window shows the disable button, click on it. There will be an additional pop-up window that allows you to select Import shared config from Panorama before disabling. DO NOT SELECT THIS BOX. Simply click OK and then OK in the Panorama Settings pop-up. If there are no settings about Panorama, close the tab and go forward.
Module 1 Administration and Management

In this lab you will:
- Apply a baseline configuration to build successive labs
- Create a new admin role on the firewall
- Create interface management profiles

Task 1 Apply baseline configuration to your firewall

Step 1: Open your Student PC web browser and log in to your student firewall.
Step 2: Click on the Device tab > Setup > Operations tab
Step 3: Click Load Named Configuration Snapshot
Step 4: Select the file after_reset_X (where X is your Student Number)
Step 5: Click OK, then click Commit

Task 2 Clear the logs

Step 1: Click Device > Log Settings > Manage Logs
Step 2: Click Clear Traffic Logs and Clear Threat, URL, and Data Logs

Task 3 Add an Administrator Role

Step 1: Click on the Device tab > Admin Roles
Step 2: Click Add in the lower left
Step 3: Configure a new admin role with the name Policy Admins
Step 4: In the Web UI box, click on the following major categories to disable them: Monitor, Network, and Device. The remaining major categories of Dashboard, ACC, Policy, Objects, Privacy, and Commit should be enabled.
Step 5: Leave the CLI option set to None. Click OK to continue.

Task 4 Add an administrator account

Step 1: Click on the Device tab > Administrators
Step 2: Click Add in the lower left
Step 3: Configure a new administrator with the following parameters:
Name: ip-admin
Authentication Profile: None
Password and Confirm Password: paloalto
Role: Role Based
Profile: Policy Admins from the dropdown menu
Step 4: Click OK, then click Commit
Step 5: Log off the GUI, then log back in as ip-admin and explore the functionality

Task 5 Take a Transaction Lock and test the lock

Step 1: Click on the transaction lock icon (to the right of the Commit button).
Step 2: Click Take Lock, set the Type to Config and click OK. Click Close to close the transaction lock window.
Step 3: Open a different browser and log in with your admin account
Step 4: Click on the transaction lock icon to view the locks taken
Step 5: Attempt to add another user (Module 1 Task 3).
Question: At what point does the firewall block your action?
________________________________________________
(Answer: It will give you an error when you click the OK button.)
Step 6: Log out of the ip-admin account
Module 2 Interface Configuration

In this lab you will:
- Create Security Zones
- Create Interface Management Profiles
- Configure basic interface types

Task 1 Create a new Security Zone

Step 1: Click on the Network tab > Zones
Step 2: Click Add
Step 3: Set Type to Tap
Step 4: Set the Zone name to Student-tap-zone
Step 5: Click OK
Question: Why is the OK button disabled?
__________________________________
(Answer: the zone name is too long. Change the zone name to be no more than 15 characters.)
Step 6: Set the Zone name to Trust-L3
Step 7: Set Type to Layer3
Step 8: Click OK
Step 9: Click Add and set the Zone name to Untrust-L3
Step 10: Set Type to Layer3
Step 11: Click OK
Step 12: Click Add
Step 13: Set the Zone name to Vwire-zone-3
Step 14: Set Type to Virtual Wire
Step 15: Click OK
Step 16: Click Add
Step 17: Set the Zone name to Vwire-zone-4
Step 18: Set Type to Virtual Wire
Step 19: Click OK

Task 2 Create Interface Management Profiles

Step 1: Click on the Network tab > Network Profiles > Interface Mgmt
Step 2: Click Add
Step 3: Set Name to allow_all
Step 4: Select all check boxes
Step 5: Click OK
Step 6: Create a second profile called allow_ping
Step 7: Click the Ping check box
Step 8: Click OK, then click Commit

Task 3 Configure a Tap interface

Step 1: Click on the Network tab > Interfaces
Step 2: Click on interface ethernet1/5
Step 3: Select Type Tap
Step 4: Select Zone Student-Tap-Zon (or whatever you named your 15-character tap zone), then click OK

Task 4 Configure a Vwire

Step 1: Click on the Network tab > Interfaces
Step 2: Click on interface ethernet1/3
Step 3: Select Interface Type Virtual Wire
Step 4: In the Virtual Wire field, click the dropdown arrow and click New Virtual Wire
Step 5: In the pop-up window, set the Name to student-vwire and then click OK
Step 6: Click the arrow in the Security Zone field, and select Vwire-zone-3.
Step 7: Click OK
Step 8: Click on interface ethernet1/4
Step 9: Select Interface Type Virtual Wire
Step 10: In the Virtual Wire field, click the dropdown arrow and select student-vwire.
Step 11: Click the arrow in the Security Zone field, and select Vwire-zone-4.
Step 12: Click OK
Step 13: Back in the interface pop-up window, click OK and Commit all changes
Module 3 Layer 3 Configuration

In this lab you will:
- Configure Ethernet interfaces with Layer 3 information
- Configure DHCP
- Create a Virtual Router
- Create a Source NAT policy
- Create a Destination NAT policy

Task 1 Configure Ethernet interfaces with Layer 3 info

Step 1: Click on the Network tab > Interfaces > Ethernet and select interface ethernet1/2
Step 2: In the pop-up, set Type to Layer3
Step 3: Set Security Zone to Trust-L3
Step 4: Select the IPv4 tab, click Add and enter the following IP address and subnet mask: 192.168.__.1/24 (your student # is the 3rd octet)
Step 5: Select the Advanced tab, then the Other Info tab, and set the Management Profile to allow_all, then click OK
Step 6: Click on the Network tab > Interfaces and select interface ethernet1/1
Step 7: In the pop-up, set Type to Layer3, then click OK
Step 8: Click Add Layer3 Subinterface at the bottom of the page
Step 9: Set Interface Name to ethernet1/1
Step 10: Set the sub-interface ID to 200 + Student #. (Example: Student-05 would be 205.)
Step 11: Set the Tag to match the sub-interface ID
Step 12: Click the dropdown arrow in the Security Zone field, and click New Zone
Step 13: In the pop-up window set the Name to Untrust-L3
Step 14: Select the IPv4 tab, click Add and enter the following IP address and subnet mask: 172.16.___.1/24 (your student # is the 3rd octet)
Step 15: Select the Advanced tab and set the Management Profile to allow_ping, then click OK

Task 2 Configure DHCP

Step 1: Click on the Network tab > DHCP > DHCP Server tab
Step 2: Click Add
Step 3: Select Interface ethernet1/2
Step 4: Set Gateway to 192.168.___.1 (the 3rd octet is your student #)
Step 5: Set Primary DNS to 10.30.11.50
Step 6: Click the Add button in the IP Pools window, and enter an IP Pool of 192.168.___.50-192.168.___.60 (the 3rd octet is your student #)
Step 7: Review and click OK
Task 3 Create a Virtual Router

Step 1: Click on the Network tab > Virtual Routers
Step 2: Click Add
Step 3: Set the Name to Student-VR
Step 4: Click Add in the Interfaces window and select interfaces ethernet1/1.2__ and ethernet1/2
Step 5: Select the Static Route tab, click Add and add a default route with the following information:
Name: default
Destination: 0.0.0.0/0
Next Hop: IP Address, and enter an IP address of 172.16.___(X)_.254 (where X is your student #)
Step 6: Click OK to add the route, review your VR configuration, and then click OK
Step 7: Delete the default-vwire object under Network > Virtual Wires
Step 8: Click Commit to make the changes active
Step 9: Open a StudentPC command prompt and release/renew the IP configuration (C:\> ipconfig /release, C:\> ipconfig /renew and C:\> ipconfig /all) to check that the DHCP configuration was successful. You should be able to ping 192.168.___(X)_.1
NOTE: DO NOT MANUALLY CHANGE THE INTERFACE CONFIGURATIONS OF THE STUDENT PC. If a DHCP address is not installed, review the Student Firewall DHCP configuration first.

Task 4 Create a Source NAT policy

Step 1: Click on the Policies tab > NAT
Step 2: Click Add, name it student source nat, then click on the Original Packet tab
Step 3: Click Add in the Source Zone box and select Trust-L3. Set the Destination Zone to Untrust-L3.
Step 4: Confirm that the Any checkboxes for the Source Address and Destination Address are checked.
Step 5: Click on the Translated Packet tab
Step 6: Select Translation Type of Dynamic IP and Port
Step 7: Set Address Type to Interface Address
Step 8: Select Interface ethernet1/1.x (where x is 200 + your student #)
Step 9: Select the 172.16.___(X)_.1 subnet from the pull-down immediately below IP Type, then press OK.
Step 10: From the Policy > Security menu, select the policy and click the Delete button below.
Step 11: Create a new policy which allows any traffic from the Trust-L3 zone to the Untrust-L3 zone. The policy should now look like the following:
Step 12: From the Network > Zone menu, remove the zones trust and untrust, then commit
Task 5 Create a Destination NAT Policy

Step 1: Click on the Policies tab > NAT
Step 2: Click Add, name it web nat, then click on the Original Packet tab
Step 3: Click Add (in the Source Zone box) and select Trust-L3
Step 4: Set the Destination Zone to Untrust-L3
Step 5: Click Any for the Source Address
Step 6: Click Add in the Destination Address box and enter the IP address of www.fortinet.com (you'll need to look up that IP address)
Step 7: Click on the Translated Packet tab and check the Destination Address Translation box
Step 8: In the Destination Address Translation section, add the IP address of www.exclusive-networks.com (you'll need to look up that IP address)
Step 9: In the Source Address Translation section, set the Translation Type to Dynamic IP and Port
Step 10: Set Address Type to Interface Address
Step 11: Select Interface ethernet1/1.x (where x is 200 + your student #)
Step 12: Select the 172.16.___(X)_.1 subnet from the IP Address pull-down
Step 13: Move the rule to the top of the list, click OK, then Commit all changes
Step 14: Open a new browser tab to www.fortinet.com. Can you connect? Why or why not?
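The two NAT rules from Tasks 4 and 5 are evaluated top-down, first match wins, which is why Step 13 has you move "web nat" above "student source nat". The following Python model is an added illustration, not PAN-OS code and not part of this lab manual: it matches rules on the original packet's zones and destination address, then applies destination translation and dynamic IP-and-port source translation using the interface address. The student number (5), the RFC 5737 placeholder addresses standing in for the looked-up www.fortinet.com and www.exclusive-networks.com IPs, and the fixed translated source port are all constructed assumptions.

```python
"""Toy model of the NAT rulebase built in Module 3, Tasks 4 and 5.

Added illustration only; this is not PAN-OS code. It evaluates NAT rules
top-down with first match winning, which is why the lab has you move the
"web nat" rule above "student source nat" (Task 5, Step 13). All IP
addresses are constructed placeholders for student number 5 (the 3rd octet).
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed lab values for "student 5". The public-looking addresses are
# RFC 5737 documentation addresses standing in for the looked-up IPs of
# www.fortinet.com and www.exclusive-networks.com.
UNTRUST_IF_ADDR = "172.16.5.1"          # ethernet1/1.205 interface address
FORTINET_PLACEHOLDER = "203.0.113.10"
EXCLUSIVE_PLACEHOLDER = "198.51.100.20"
SOME_OTHER_SITE = "192.0.2.80"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    dst_ip: Optional[str] = None             # None = Any original destination address
    dnat_to: Optional[str] = None            # Destination Address Translation target
    snat_interface_ip: Optional[str] = None  # Dynamic IP and Port using this interface address


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    """Match against the ORIGINAL packet (the rule's Original Packet tab)."""
    return (rule.from_zone == pkt.src_zone
            and rule.to_zone == pkt.dst_zone
            and (rule.dst_ip is None or rule.dst_ip == pkt.dst_ip))


def apply_nat(rules: List[NatRule], pkt: Packet,
              translated_port: int = 40000) -> Tuple[Packet, Optional[str]]:
    """Return (translated packet, name of the first matching rule).

    translated_port stands in for the port the firewall would pick for
    dynamic IP and port translation; it is fixed to keep the model deterministic.
    """
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        out = pkt
        if rule.dnat_to is not None:
            out = replace(out, dst_ip=rule.dnat_to)
        if rule.snat_interface_ip is not None:
            out = replace(out, src_ip=rule.snat_interface_ip, src_port=translated_port)
        return out, rule.name
    return pkt, None   # no rule matched: the packet is forwarded untranslated


# The two rules from the lab, as the student configures them.
STUDENT_SOURCE_NAT = NatRule("student source nat", "Trust-L3", "Untrust-L3",
                             snat_interface_ip=UNTRUST_IF_ADDR)
WEB_NAT = NatRule("web nat", "Trust-L3", "Untrust-L3",
                  dst_ip=FORTINET_PLACEHOLDER, dnat_to=EXCLUSIVE_PLACEHOLDER,
                  snat_interface_ip=UNTRUST_IF_ADDR)


def lab_rulebase(web_nat_on_top: bool) -> List[NatRule]:
    """Task 5 Step 13 moves 'web nat' to the top; the flag lets you compare."""
    return [WEB_NAT, STUDENT_SOURCE_NAT] if web_nat_on_top else [STUDENT_SOURCE_NAT, WEB_NAT]


def demo() -> dict:
    """Run a PC-to-fortinet packet through both orderings, plus a packet to an
    unrelated site, and report where each ends up and which rule fired."""
    to_fortinet = Packet("Trust-L3", "Untrust-L3", "192.168.5.50", 51515, FORTINET_PLACEHOLDER, 80)
    to_other = Packet("Trust-L3", "Untrust-L3", "192.168.5.50", 51516, SOME_OTHER_SITE, 443)
    results = {}
    for label, on_top in (("web nat on top", True), ("web nat below", False)):
        out, rule = apply_nat(lab_rulebase(on_top), to_fortinet)
        results[label] = (out.src_ip, out.dst_ip, rule)
    out, rule = apply_nat(lab_rulebase(True), to_other)
    results["other site"] = (out.src_ip, out.dst_ip, rule)
    return results


if __name__ == "__main__":
    for label, (src, dst, rule) in demo().items():
        print(f"{label:16} src={src:12} dst={dst:15} matched={rule}")
```

With "web nat" below the source NAT rule, the packet to the fortinet placeholder is caught by the broader "student source nat" (Any destination) and leaves with its destination unchanged; with "web nat" on top, the destination is rewritten and the source is still translated to the interface address, so the more specific rule must come first.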
Module 4 App-ID

In this lab you will:
- Create a security policy to allow basic internet connectivity and log dropped traffic
- Enable Application Block pages
- Create Application Filters and Application Groups

Task 1 Create a basic Security Policy for outbound traffic

Step 1: Click on the Policies tab > Security and delete any other policy.
Step 2: Click Add
Step 3: Create a new rule named General Internet
Step 4: Configure the following information:
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: flash, dns, web-browsing, ssl, ping
Service: application-default
Action: Allow

Task 2 Create 2 basic policies to deny all inbound and outbound traffic

Question: Why would you want to create 2 rules, inbound and outbound, rather than a single deny all rule?
__________________________________
Step 1: Click Add
Step 2: Create a new rule named Deny Outbound
Step 3: Configure the following information:
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: Any
Service: Any
Action: Deny
Step 4: Create a rule named Deny Inbound
Step 5: Configure the following information:
Source Zone: Untrust-L3
Source Address: Any
Destination Zone: Trust-L3
Destination Address: Any
Application: Any
Service: Any
Action: Deny
Step 6: Ensure your Security Policy looks like this:
Step 7: Commit your changes
Question: In the General Internet rule, why do you use application-default as the service, whereas you use Any as the service in the two deny rules?
__________________________________
Once complete, your Student PC should have access to the Internet.
Step 8: You will now test your new policies. Test internet connectivity by pinging 4.2.2.2 from your workstation. Does web surfing over ports 80 and 443 work?
Step 9: Use a browser to try to connect to the site http://www.box.net. The browser should not be able to display the site. Why is that? Take a look at the log message in the traffic logs to find out. What is special about that application?
Step 10: Also attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com. Why can you bring up that web site? (Hint: look at the traffic logs)

Task 3 Create an Application Block Page

Step 1: Go to www.facebook.com: what is the browser response?
Step 2: Ensure the Interface Management Profile applied to your ethernet1/2 interface (Trust-L3) has Response Pages checked
Step 3: Click on the Device tab > Response Pages > Application Block Page
Step 4: Enable it by clicking Enable
Step 5: Click OK, then commit your changes
Step 6: Go to www.facebook.com: what is the browser response?

Task 5 Create Application Filter

Step 1: Delete all current rules in your security policy
Step 2: Click on the Objects tab > Application Filters and create a new filter named Proxies
Step 3: Set the Subcategory to proxy
Step 4: Create a second filter named Web-Based-File-Share, set the Subcategory to file-sharing and set the Technology to browser-based

Task 6 Create Application Group

Step 1: Click on the Objects tab > Application Groups
Step 2: Create a new group named Known-Good and add the applications ssl, web-browsing, ping, dns, and flash
Step 3: Create a second group called Known-Bad and add the application filters Proxies and Web-Based-File-Share to it
Task 7 Create three new Security Policies that match the following criteria

Configure the policies with the following information:
Step 1: The first policy allows the known good applications.
Rule 1 Name: Known-Good
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: The Application Group Known-Good
Service: application-default
Action: Allow
Step 2: The second policy blocks all of your known bad applications.
Rule 2 Name: Known-Bad
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: The Application Group Known-Bad
Service: Any
Action: Deny
Step 3: The third policy allows all other traffic.
Rule 3 Name: Log All
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: Any
Service: Any
Action: Allow
Step 4: Confirm that your security rulebase looks like this, and then commit your changes:
Step 5: You will now test your new policies. Ping from your student PC out to the Internet. That should work. Web surfing over ports 80 and 443 should also work.
Step 6: Use a browser to try to connect to the site www.box.net. The browser should not be able to display the site. Why is that? Take a look at the log message in the traffic log to find out. What is special about that application?
Step 7: Now attempt to reach www.box.net using the proxy site www.avoidr.com. Go to www.avoidr.com. You should not be allowed to browse it. Why? (HINT: look at the traffic logs)
Step 8: Select the ACC tab to access the Application Command Center. Use the drop-down menu in the application section of the ACC to select different ways of viewing the traffic that you have generated. What is the total risk level for all traffic that has passed through the firewall thus far? Notice that the URL Filtering, Threat Prevention, and Data Filtering sections within the ACC contain no matching records.
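To make the first-match behaviour of the Task 7 rulebase concrete (and the difference between application-default and Any as the service that Task 2 asks about), here is an added Python model; it is not PAN-OS code and not part of this lab manual. Rule names, zones, actions, services and the Known-Good application list come from the lab steps. Everything else is a constructed assumption: the port table that defines "application-default" in the model, the two stand-in application names that the Proxies and Web-Based-File-Share filters are taken to match, and the sample sessions. The model also assumes a session that matches no rule is denied.

```python
"""Toy first-match model of the Module 4, Task 7 security rulebase:
Known-Good (allow), Known-Bad (deny), Log All (allow).

Added illustration only; this is not PAN-OS code. Rule names, zones, the
Known-Good application list and the action/service settings are the lab's;
the port table and the member lists of the two application filters are
constructed stand-ins, since the real filters are resolved by App-ID content.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed: the standard port(s) each application is expected on. This is
# what "application-default" means in the model.
APP_DEFAULT_PORTS: Dict[str, Set[int]] = {
    "web-browsing": {80},
    "ssl": {443},
    "dns": {53},
    "flash": {80},
    "ping": set(),            # ICMP: no port
}

# Constructed stand-ins for what the two dynamic application filters match.
FILTER_MEMBERS: Dict[str, Set[str]] = {
    "Proxies": {"example-proxy"},
    "Web-Based-File-Share": {"example-file-share"},
}

APP_GROUPS: Dict[str, Set[str]] = {
    "Known-Good": {"ssl", "web-browsing", "ping", "dns", "flash"},
    "Known-Bad": FILTER_MEMBERS["Proxies"] | FILTER_MEMBERS["Web-Based-File-Share"],
}


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str                  # application as identified by App-ID
    dst_port: Optional[int]   # None for port-less applications such as ping


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    app_group: Optional[str]  # application group name, None = Any
    service: str              # "application-default" or "any"
    action: str               # "allow" or "deny"


def service_matches(rule: SecurityRule, s: Session) -> bool:
    if rule.service == "any":
        return True
    # application-default: the application must be seen on its standard port
    if s.dst_port is None:
        return True
    return s.dst_port in APP_DEFAULT_PORTS.get(s.app, set())


def app_matches(rule: SecurityRule, s: Session) -> bool:
    return rule.app_group is None or s.app in APP_GROUPS[rule.app_group]


def evaluate(rulebase: List[SecurityRule], s: Session) -> Tuple[str, str]:
    """Return (action, rule name) for the first rule matching the session.
    Model assumption: a session that matches no rule is denied."""
    for rule in rulebase:
        if (rule.from_zone == s.src_zone and rule.to_zone == s.dst_zone
                and app_matches(rule, s) and service_matches(rule, s)):
            return rule.action, rule.name
    return "deny", "<no rule matched>"


TASK7_RULEBASE: List[SecurityRule] = [
    SecurityRule("Known-Good", "Trust-L3", "Untrust-L3", "Known-Good", "application-default", "allow"),
    SecurityRule("Known-Bad", "Trust-L3", "Untrust-L3", "Known-Bad", "any", "deny"),
    SecurityRule("Log All", "Trust-L3", "Untrust-L3", None, "any", "allow"),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed sample sessions run through the Task 7 rulebase."""
    outbound = ("Trust-L3", "Untrust-L3")
    sessions = {
        "ssl on 443": Session(*outbound, "ssl", 443),
        "ping": Session(*outbound, "ping", None),
        "web-browsing on 9999": Session(*outbound, "web-browsing", 9999),
        "proxy app": Session(*outbound, "example-proxy", 80),
        "file-share app": Session(*outbound, "example-file-share", 443),
        "unknown app": Session(*outbound, "some-new-app", 5555),
        "inbound ssl": Session("Untrust-L3", "Trust-L3", "ssl", 443),
    }
    return {label: evaluate(TASK7_RULEBASE, s) for label, s in sessions.items()}


def demo_misordered() -> Tuple[str, str]:
    """Same rules with 'Log All' moved above 'Known-Bad': the proxy app is
    now allowed, which is why rule order matters."""
    reordered = [TASK7_RULEBASE[0], TASK7_RULEBASE[2], TASK7_RULEBASE[1]]
    return evaluate(reordered, Session("Trust-L3", "Untrust-L3", "example-proxy", 80))


if __name__ == "__main__":
    for label, (action, rule) in demo().items():
        print(f"{label:22} -> {action:5} by {rule}")
    print("misordered proxy app ->", demo_misordered())
```

Two things the model makes visible: web-browsing on a non-standard port is not caught by Known-Good (application-default) and falls through to Log All, so it is allowed but by a different rule than intended; and swapping Log All above Known-Bad silently turns the deny into an allow, because the broad allow matches first.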
Task 8 Create a custom query in the Traffic Log

Step 1: Click on the Monitor tab > Traffic Logs
Step 2: Click on 1 attribute in each of the following 3 columns: From Zone, Destination, Application
Step 3: Click the run button or press Enter
Step 4: Click the query writer button (+) and select and, Bytes,
Module 5 Content ID

In this lab you will:
- Configure Security Profiles and connect them to Security Policy

Task 1 Configure a URL filtering Profile

Step 1: Click on the Objects tab > Security Profiles > URL Filtering
Step 2: Click Add
Step 3: Set Name to Student-url-filtering and set the following:
- Check the box next to Dynamic URL Filtering
- Set the Action for all Categories to Alert
- Place paloaltonetworks.com and *.paloaltonetworks.com into the Allow list

Task 2 Configure a Custom URL Filtering Category

Step 1: Click on the Objects tab > Custom URL Categories
Step 2: Click Add
Step 3: Set Name to BadFW and set the following:
Add sites: www.watchguard.com, www.juniper.net, www.fortinet.com, www.mcafee.com, www.cisco.com, www.netgear.com, www.sonicwall.com, www.barracudanetworks.com, www.checkpoint.com
Step 4: Click OK
Task 3 Configure an Antivirus Profile

Step 1: Click on the Objects tab > Antivirus
Step 2: Click Add
Step 3: Set Name to Student-antivirus and set the following:
- Change all Actions to alert
Step 4: Click the Packet Capture check box
Step 5: Click OK

Task 4 Configure an Antispyware Profile

Step 1: Click on the Objects tab > Anti-Spyware and set the profile name to Student-antispyware
Step 2: Click Add (under the Rules tab in the pop-up) and set the following:
- Set Rule Name to rule-1
- Set Action to Allow
- Set Severity: Low and Informational
Step 3: Click OK and then click Add again (under the Rules tab in the pop-up):
- Set Rule Name to rule-2
- Set Action to Alert
- Set Severity: Critical and High

Task 5 Connect individual Profile to Policy

Step 1: Click on the Policies tab > Security
Step 2: Click on none in the Profile column of the Known_Good rule (you may have to scroll to the right in this screen to see this column).
Step 3: Set Profile Type to Profiles
Step 4: Set Anti-virus to Student-antivirus, set Anti-spyware to Student-antispyware and URL to Student-url-filtering
Step 5: Click OK
Step 6: Do the same thing for the Log_All rule, then Commit all changes

Task 6 Test connectivity

Step 1: On your student PC, go to http://www.eicar.org, then click on the download antivirus test file hyperlink and then click download on the left of the page.
Step 2: In the middle of the page a list of links should appear
Step 3: Download the eicar test virus (eicar.com, eicar.com.txt, eicar_com.zip, eicarcom2.zip) using http.
Step 4: Click on the Monitor tab > Threat log, and look for the log message that detects the eicar file. Scroll to the Action column to verify the alert for each file download.
Step 5: Click on the green down arrow in the left-hand column. This brings up a view of the packets that were captured. Those captured packets could be exported in pcap format and examined offline with a protocol analyzer for further investigation.
Step 6: Modify the anti-virus security profile (from MOD 5, Task 3) to BLOCK all viruses
Step 7: Click Commit
Step 8: In a new browser tab or window, attempt to download eicar (Step 3). A block page should appear:
Step 9: On the firewall, click on the Monitor tab > Threat Logs. You will see log entries there stating that the eicar virus was detected.
Step 10: After 15 minutes, the threats you just generated will appear on the ACC tab, under the Threats section.
Step 11: Browse to various websites. The URL filtering profile is recording each website that you go to.
Step 12: Go to a web site that is a directory of other hacking sites: http://neworder.box.sk
Step 13: On the firewall, click on the Monitor tab > URL Filtering Logs. You will see log entries that match the web sites you went to. What category was that site?
Step 14: Edit the URL filtering profile (from MOD 5, Task 1) to block access to hacking sites
Step 15: Commit the changes
Step 16: In a new browser window, attempt to go to http://neworder.box.sk. You should not be able to. You should see a block page similar to the following:
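As an added example (not code from the lab manual or from Palo Alto Networks), the script below validates that the files downloaded in Step 3 really are EICAR test files per the EICAR specification (the 68-byte string, optional trailing whitespace, at most 128 bytes), descending into the zipped variants; the sample files and their nested-zip layout are constructed inline. The same check applies to the SSL download test in Module 7, Task 1.

```python
"""Validate EICAR test-file downloads (added example, not part of the lab).

A Threat-log alert or a block page is only meaningful if the artifact you
fetched is a correct EICAR file; this script checks that for the four file
names the lab lists. Sample contents and nested-zip layout are constructed.
"""
import io
import zipfile
from typing import Dict, List, Optional

# The 68-byte EICAR test string, split in two so the full literal does not
# appear contiguously in this source file.
EICAR_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
EICAR_TAIL = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = (EICAR_HEAD + EICAR_TAIL).encode("ascii")

MAX_EICAR_LEN = 128   # spec: whole file, including trailing whitespace
MAX_MEMBER_LEN = 4096  # a test file is tiny; skip larger zip members


def is_eicar(data: bytes) -> bool:
    """True if data is a valid bare EICAR test file per the specification."""
    if len(data) > MAX_EICAR_LEN or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(b" \t\r\n") == b""


def find_eicar(data: bytes, max_depth: int = 2) -> Optional[List[str]]:
    """Locate an EICAR file in data, descending into zip archives.

    Returns the member path where it was found: [] for a bare file,
    ['eicar.com'] for eicar_com.zip, ['eicar_com.zip', 'eicar.com'] for
    the doubly zipped eicarcom2.zip. Returns None if none is present.
    """
    if is_eicar(data):
        return []
    if max_depth == 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_LEN:
                continue
            inner = find_eicar(archive.read(info), max_depth - 1)
            if inner is not None:
                return [info.filename] + inner
    return None


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed samples named after the lab's four files, plus two negatives:
# plain text, and a 129-byte variant that exceeds the 128-byte limit.
SAMPLES: Dict[str, bytes] = {
    "eicar.com": EICAR,
    "eicar.com.txt": EICAR + b"\r\n",
    "eicar_com.zip": make_zip({"eicar.com": EICAR}),
    "eicarcom2.zip": make_zip({"eicar_com.zip": make_zip({"eicar.com": EICAR})}),
    "not_eicar.txt": b"X5O! just some text, not the test string",
    "too_long.com": EICAR + b" " * 61,
}

if __name__ == "__main__":
    for filename, content in SAMPLES.items():
        path = find_eicar(content)
        where = "/".join(path) or "<top level>" if path is not None else None
        verdict = f"EICAR at {where}" if path is not None else "no EICAR"
        print(f"{filename:16s} {len(content):5d} bytes  {verdict}")
```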
Task 7 Create a File Blocking Profile: WildFire
Step 1: Remove the Anti-Virus Profile from the Security Policies
Step 2: Click on Objects tab > Security Profiles > File Blocking
Step 3: Click Add and name the profile Wildfire-test-1
Step 4: Click Add and name the rule type-1
Step 5: Set Action to forward
Step 6: Click OK
Step 7: Add the Profile to the Known_Good and Log_All Security Policies
Step 8: Add the applications ftp and fileserve to the Known_Good Policy
Step 9: Commit all changes
Step 10: Navigate to \\10.30.11.50\students\student_tools_labs_205 and copy the file named fiddler2Setup.exe to your desktop.
Step 11: Open a new browser window to http://www.fileserve.com
Step 12: Log in with the credentials Login: panedu / Passwd: paloalto
Step 13: Click the Upload tab (in the Fileserve web site) and upload the setup file (fiddler2Setup.exe)
Step 14: Review the Data Filtering log; the file should be sent to the sandbox for analysis. Your teacher will show you the verdict for the file in the sandbox system.
Task 8 Configure a Security Profile Group
Step 1: Click on Objects tab > Security Profile Groups
Step 2: Click Add
Step 3: Set Name to Student-profile-group and set the following:
Antivirus to Student-antivirus
Anti-spyware to Student-antispyware
URL Filtering to Student-url-filtering
Step 4: Click OK
Task 9 Connect Profile Group to Policy
Step 1: Click on the Policies tab > Security
Step 2: Click on none in the Profile column of the Known_Good rule
Step 3: In the pull-down list of the pop-up, set Profile Type to Group
Step 4: Set Group Profile to Student-profile-group
Step 5: Click OK then Commit all changes
Task 10 Create a Custom Report
Step 1: Click the Monitor tab > Manage Custom Reports and click Add with the following:
Report name: Top unclassified traffic by day
Database: Traffic Summary
Period: Last 24 hours
Sort By: Bytes
Select Top 5
Group By: None
Remove the existing column headings before adding the following columns
Selected columns (in the following order): application, application technology, application subcategory, bytes
Add a Query where the filter condition is:
Attribute: Rule
Operation: =
Value: (use the name you gave to the rule in your security policies: it should be called Known_Good. Make sure to use the same capitalization).
Step 2: Save the report and then run the report.
Module 6 User-ID
In this lab you will:
Connect your firewall to a User-ID Agent
Task 1 Configure firewall to talk to User-ID Agent
Step 1: Click on Device tab > User Identification > User-ID Agents tab
Step 2: Click Add and set the name to pan-training-X (where X is your student number)
Step 3: Set IP address to 10.30.11.50 (Instructor may provide different IP information)
Step 4: Set Port to 5000 (Instructor may provide different port information)
Step 5: Click OK then Commit all changes
Task 2 Review user/IP information
Step 1: Open an SSH session, log in and issue the following commands:
show user user-id-agent statistics
show user user-IDs
show user ip-user-mapping all
show user ip-user-mapping ip
Note the mappings are from AD and the IP addresses associated with the student accounts.
Task 3 User-ID Agent (optional)
Step 1: Navigate to \\10.30.11.50\students\software and import the file named UaInstall-4.1.1-7.msi to your desktop. (Instructor may direct you to a different file.)
Step 2: Double-click the file on your desktop. Click Next 3 times. The installation should begin.
Step 3: Navigate to the following: C:\Program Files\Palo Alto Networks\User-ID Agent and double-click UaController.exe
Step 4: In the window click Setup (in the left-hand column)
Step 5: In the window click Edit (directly above the Access Control List box) and review the tabs in the pop-up window
Step 6: Click the Authentication tab and enter the Username/Password provided by the instructor
Step 7: Click the Agent Service tab. (You will need the User-ID Service TCP Port number.) Click OK
Step 8: Click Discovery in the left-hand column, then click Auto Discover below the Server section
Step 9: Then click Commit in the first window (no further response will occur)
Step 10: Click Logs in the left-hand column to verify that the service started
Step 11: Open a StudentPC command prompt and issue C:\> ipconfig /all. Look for the IP address associated with the Ethernet adapter "Management DO NOT CONFIGURE". (This IPv4 address should be in the range 10.30.11.66-105).
Step 12: With the StudentPC IP address (10.30.11.___) and the Port number from Step 7, repeat Task 1 Configure firewall to talk to User-ID Agent
Step 13: Confirm connectivity with the CLI command show user user-id-agent statistics
Step 14: Review the Agent configuration with the CLI command show user user-id-agent config name
Module 7 Decryption
In this lab you will create and test SSL certificates and decryption rules.
Task 1 Pre setup and test
Step 1: Modify your anti-virus profile (from MOD 5, Task 3) to Alert
Step 2: Apply the AV profile to the Known_Good and Log_All Security Policies
Step 3: Remove the file-blocking profiles from the Security Policies
Step 4: Commit the changes
Step 5: Go to the eicar.org site and find the Download AntiMalware testfiles.
Step 6: Test downloading (without SSL decryption) one of the eicar test files
Step 7: From the same web page, test downloading (this time using the SSL protocol) the eicar.com or eicar.com.txt file
Step 8: Look at the Monitor tab's Threat logs. Was the virus detected? It should not have been, as the connection was encrypted. We will now enable SSL decryption, so that the SSL connection is decrypted and the virus inside it can be detected.
Task 2 Create an SSL self-signed Certificate
Step 1: Click the Device tab > Certificates screen
Step 2: Click Generate along the bottom of the screen.
Step 3: Set the certificate fields as follows:
Certificate Name: Student-ssl-cert
Common Name: 192.168.X.1 (where X is your student number)
Country: US (or other 2-letter country code)
State, Locality, Organization, Department, Email, Host Name, and IP with values as desired.
Step 4: Select Certificate Authority below the Signed By field.
Step 5: Click Generate
Step 6: Once the certificate has successfully been generated, click on it to bring up the certificate properties, and select Forward Trust Certificate and Forward Untrust Certificate
Step 7: Click OK
Task 3 Create SSL Outbound Decryption Policies
Step 1: Click the Policies tab > Decryption.
Step 2: Click Add and create an SSL decryption rule with the following parameters:
General tab: Name No-Decrypt
Source tab: Source Zone Trust-L3
Destination tab: Destination Zone Untrust-L3
Options tab: Action no-decrypt and URL Categories: Health and medicine, Shopping, Financial Services
Step 3: Click Add and create an SSL decryption rule with the following parameters:
General tab: Name Decrypt-all-traffic
Source tab: Source Zone Trust-L3
Destination tab: Destination Zone Untrust-L3
Options tab: Action decrypt, Type SSL Forward Proxy and URL Categories: Any
Step 4: Confirm that the No-Decrypt rule is before the Decrypt-all-traffic rule, then click Commit.
Step 5: To test the No-Decrypt rule, first determine what URLs fall into the financial services, shopping, or health and medicine categories. Go to http://www.brightcloud.com/ and enter various URLs that you believe fall into those categories.
Step 6: Once you have found a couple of web sites that are classified as you expect, use a browser to go to those sites. You should not see a certificate error when you go to those sites.
Step 7: To test the SSL decryption rule, go to the www.eicar.org downloads page and download the virus using SSL. You will get a certificate error. This is expected behavior, and you can proceed. (The certificate error appears because the firewall is intercepting the SSL connection and performing man-in-the-middle decryption: the browser is presented with a certificate issued by the firewall's Forward Trust certificate from Task 2, which the browser does not yet trust.)
HINT: If the download doesn't proceed, review the firewall Traffic Log and URL Filtering log. (You may need the IP address of the Eicar site.)
Step 8: Examine the Threat logs. The virus should have been detected, since the SSL connection was decrypted. To the left of the log entry, click on the magnifying glass icon. Scroll to the bottom, and look for the field Decrypted. The value should say yes.
Step 9: Examine the Traffic logs. Find the entry with the SSL application that corresponds to the eicar download. Examine the details view. The Decrypted box should be checked.
Task 4 Set SSL exclude cache
Step 1: Open an SSH connection to the student firewall
Step 2: Set the exclude cache for the eicar.org domain. From configure mode type: set shared ssl-decrypt ssl-exclude-cert eicar.org, then enter commit
Step 3: Repeat Steps 7, 8, and 9 from the previous Task
Question: what entries are now in the Traffic and Threat logs?
Task 5 Review Self-signed Certificate on StudentPC browser
Step 1: Open the browser used to test the SSL Outbound Decryption policy created in Task 3. Find the certificate that was generated (in Task 2) that should now be in the StudentPC browser.
Module 8 VPN
In this lab you will:
Configure an IPsec tunnel to another Student firewall, Trust Zone
Configure an IPsec tunnel to another Student firewall, Untrust Zone
Task 1 Configure IPsec Tunnel, Trust Zone
Step 1: Pick another student firewall and fill in the following:
Your Student Number (X): ____
Partner's Student Number (Y): ____
Partner's Ethernet1/1.2xx IP Address: 172.16.____(Y).1
Partner's Trusted Network: 192.168.____(Y).0
Partner's Ethernet1/2 IP address: 192.168.____(Y).1
Step 2: Click Network tab > Interfaces > Tunnel tab
Step 3: Select Add
Step 4: Create a new tunnel interface. Configure the Tunnel Interface with the following:
Tunnel Interface Name: tunnel.____(X)
Virtual Router: Student-VR
Zone: Trust-L3
Step 5: Click Network tab > IKE Gateway
Step 6: Click Add and configure with the following:
Name: Student-____(Y)
Interface: ethernet1/1.2xx
Local IP Address: 172.16.____(X).1
Peer IP Address: 172.16.____(Y).1
Pre-shared Key: paloalto
Step 7: Click Network tab > IPsec Tunnels
Step 8: Click Add and configure with the following:
Name: Tunnel-to-____(Y)
Tunnel Interface: tunnel.____(X)
IKE Gateway: Student-____(Y)
Step 9: Click Network tab > Virtual Routers
Step 10: Click on Student-VR
Step 11: Click the Static Route tab
Step 12: Click Add to add a route with the following information:
Name: student(Y)
Destination: 192.168.____(Y).0/24
Interface: tunnel.____(X)
Step 13: Commit your changes
Step 14: Test VPN tunnel connectivity by opening a command prompt window and typing:
C:\Documents and Settings\student> ping 192.168.____(Y).1
Question: do you need to modify your security policy? Why or why not?
_____________________________________________________________
(Answer: Since the tunnel interface is in the Trust-L3 zone, no policy changes are required.)
Reference:
admin@PA-500> show vpn tunnel
    Shows current tunnels (has a tunnel ID as first column, TnID)
admin@PA-500> show vpn flow tunnel-id
    Shows detailed info on a specific tunnel (will show packets and bytes through the tunnel)
admin@PA-500> clear vpn ike-sa gateway all
    Tears down all tunnels and gateway SAs
admin@PA-500> test vpn ipsec-sa tunnel
    Initiates Phase 1 and 2 SAs for the specified tunnel
Task 2 Configure IPsec Tunnel, Untrust Zone
Step 1: Edit your tunnel interface and change the Security Zone to Untrust-L3
Step 2: Commit your changes
Step 3: Attempt to ping the remote student's internal gateway interface IP address (192.168._Y_.1).
Question: Does the ping work? If not, why?
________________________________
Answer: It should not work, because there is no policy to allow the traffic.
Step 4: Create a new Security Policy Rule from your Trust zone to your Untrust zone. You should create address objects for your network and your partner's network and use them to make your policy more restrictive. You will also need to build a policy from Untrust to Trust to allow the inbound traffic from your partner's network.
Module 9 High Availability (optional)
In this lab you will:
Configure an Active/Passive pair with another Student firewall
Task 1 Configure HA Active/Passive
Step 1: Click the Dashboard tab > High Availability Dashboard Widget
Step 2: Click on Network tab > Interfaces
Step 3: Set interfaces ethernet1/7 and ethernet1/8 to Type HA, then click Commit
Step 4: Work with another student firewall and fill in the following:
Your Student Number (X): ____
Partner's Student Number (Y): ____
Step 5: Agree upon IP and device information to fill in the following:
Group ID: _____ (Pick one of your Student numbers)
Control Link: ethernet1/7
Your Control Link IP: 10.10.____.____(X) (3rd octet is the lower student number)
Partner Control Link IP: 10.10.____.____(Y) (3rd octet is the lower student number)
Data Link: ethernet1/8
Your Data Link IP: 10.10.____.____(X) (3rd octet is the higher student number)
Partner Data Link IP: 10.10.____.____(Y) (3rd octet is the higher student number)
Your Device Priority: ____(X)
Partner Device Priority: ____(Y)
Step 6: Click on the Device tab > High Availability and configure the following with the information collected in Step 5
Step 7: Click Edit in the Setup box
HA Enabled: click check box
Group ID: Determined in Step 5
Peer HA IP Address: Partner Control Link IP
Step 8: Click Edit in the Control Link (HA1) box and configure with the following:
Control Link Port: ethernet1/7
Control Link IP address: Your Control Link IP
Control Link Netmask: /24
Step 9: Click Edit in the Data Link (HA2) box
Data Link Port: ethernet1/8
Data Link IP address: Your Data Link IP
Data Link Netmask: /24
Step 10: Click Edit in the Election Settings box
Device Priority: Your Student Number
Heartbeat Backup: Enabled
Step 11: Click the Link and Path Monitoring tab and enter the following in the Link Monitoring section (ON LOWER DEVICE PRIORITY FIREWALL ONLY)
Enabled: click check box
Failure Condition: Any
Link Group Name: Student HA
Interfaces: ethernet1/7, ethernet1/8
Step 12: Commit all changes
Module 10 Panorama
In this lab you will:
Identify the student firewall logs on the Panorama
Create and push policy to the student firewall
Conduct a Config Audit
Task 1 Pre setup and test
Step 1: Remove the HA configuration from the Module 9 lab
Step 2: Click the Device tab > Setup > Management > Panorama Settings and add the IP address (provided by the instructor) of the Panorama server
Step 3: Make sure Enable Shared Config is selected (this is indicated when the button reads Disable Shared Config), then Commit all changes
Task 2 Create a custom report - Panorama
Step 1: Log into the Panorama server.
IP Address: https://____.____.____.____
Login: Student____(X) (X = student number)
Password: paneduX
Step 2: Click on Monitor tab > Manage Custom Reports
Step 3: Create the report with the following:
Name: Student.____(X) (X = student number)
Database: Device Traffic Log
Selected Columns: Action, Application, Rule, Source User, Day, Hour
Time Frame: Last 7 Days
Query Builder: (serial eq _________) You can find the serial number of your student firewall on the Dashboard tab
Step 4: Save the template, then Run Now to confirm
Task 3 Create an Application Group Object
Step 1: Click Objects tab > Application Group
Step 2: Create a new group called Pano-app-group-1
Step 3: Add the application facebook-base
Task 4 Create Pre/Post Policy
Step 1: Click the Policies tab > DoS Protection > Post Rules.
Step 2: Click Add and create a rule called Pano-DoS-Student___(X) (X = student number) with the following criteria:
Source Zone: Untrust-L3
Destination Zone: Trust-L3
Action: Protect
Step 3: Click the Policies tab > Security > Pre Rules.
Step 4: Click Add and create a rule called Pano-Sec-Student___(X) (X = student number) with the following criteria:
Source Zone: Trust-L3
Destination Zone: Untrust-L3
Application: use the Application Group built in Task 3
Action: Deny
Task 5 Push config to student firewall
Step 1: Click Panorama tab > Managed Devices.
Step 2: Scroll to your Student number and click the "Click to see the config changes" icon (in the Device Group column):
Step 3: Select Lines of context: All and review the Additions, Modifications, and Deletions.
HINT: If for some reason the Config Audit window doesn't appear, the browser may be blocking pop-ups. You will need to allow pop-ups, then close and reopen the browser.
Step 4: Close the Config Audit window and click the "Click to commit all to device Student(X)" icon (in the Device Group column). (This action will cause a commit on the Student firewall.) Do NOT select the Merge with Candidate Config check box.
Task 6 Switch context and review Policy on firewall
Step 1: On the Student firewall, click Tasks in the lower right-hand corner and wait for the commit
Step 2: Click the Context drop-down in the upper left corner of the Panorama and select the student firewall
Step 3: Review the configuration pushed from the Panorama
Step 4: Open a new browser window and connect to an external web site