Firewall Installation, Configuration, and Management: Essentials I Lab Manual PAN-OS 6.0 PAN-EDU-101 Rev A.200
PAN-EDU-101 Lab Manual, PAN-OS 6.0, Rev A.200, Page 2

Palo Alto Networks, Inc. www.paloaltonetworks.com. © 2007-2014 Palo Alto Networks. All rights reserved. Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.

Typographical Conventions

This guide uses the following typographical conventions for special terms and instructions.

Convention | Meaning | Example
Boldface | Names of commands, keywords, and selectable items in the web interface | Click Security to open the Security Rule page
Italics | Names of parameters, files, directories, or Uniform Resource Locators (URLs) | The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com
courier font | Coding examples and text that you enter at a command prompt | Enter the following command: a:\setup
Click | Click the left mouse button | Click Administrators under the Device tab.
Right-click | Click the right mouse button | Right-click on the number of a rule you want to copy, and select Clone Rule.

Table of Contents

How to use this Lab Guide ... 6
Lab Guide Objectives ... 6
Lab Equipment Setup ... 7
Lab Assumptions ... 7
Student Firewall Interface Settings ... 7

Module 1 Administration and Management ... 8
  Scenario ... 8
  Required Information ... 8

Module 2 Interface Configuration (optional) ... 9
  Scenario ... 9
  Required Information ... 9

Module 3 Layer 3 Configuration ... 10
  Scenario ... 10
  Required Information ... 11

Module 4 App-ID ... 12
  Scenario 1 ... 12
  Required Information ... 12
  Scenario 2 ... 13
  Required Information ... 14
  Lab Notes ... 14

Module 5 Content-ID ... 15
  Scenario ... 15
  Required Information ... 16
  Lab Notes ... 16

Module 6 Decryption ... 17
  Scenario ... 17
  Required Information ... 18
  Lab Notes ... 18

Solutions ... 19
  Module 1 Introduction (Lab Access) ... 19
  Module 2 Interface Configuration ... 21
  Module 3 Layer 3 Configuration ... 23
  Module 4 App-ID ... 26
  Module 5 Content-ID ... 36
  Module 6 Decryption ... 43

CLI Reference ... 47
  Module 1 Administration and Management ... 47
  Module 2 Interface Configuration ... 47
  Module 3 Layer 3 Configuration ... 48
  Module 4 App-ID ... 48
  Module 5 Content-ID ... 48
  Module 6 Decryption ... 48

How to use this Lab Guide

The Lab Guide contains lab exercises which correspond to modules in the student guide. Each lab exercise consists of three parts: a scenario, a solution, and a CLI reference.

The scenario describes the lab exercise in terms of objectives and customer requirements. Minimal instructions are provided to encourage students to solve the problem on their own. If appropriate, the scenario includes a diagram and a table of required information needed to complete the exercise.

The solution is designed to help students who prefer step-by-step, task-based labs. Alternatively, students who start with the scenario can use the solution to check their work or to provide help if they get stuck on a problem.

The CLI reference is intended as a starting point for students interested in the CLI commands. A partial set of CLI commands is provided for students to research further in the Palo Alto Networks Command Line Reference Guide.

NOTE: Unless specified, the Google Chrome web browser and the PuTTY SSH client will be used to perform any tasks outlined in the following labs.

Lab Guide Objectives

This lab guide is designed specifically for a single student attending the self-paced version of the Essentials I course. The instructor-led version of the course includes additional exercises which can only be completed in a classroom environment with other students and additional equipment.

Once these labs are completed, you should be able to:
1. Configure the basic components of the firewall, including interfaces, security zones, and security policies.
2. Configure basic Layer 3 settings, such as IP addressing and NAT policies.
3. Configure basic Content-ID functionality, including antivirus protection and URL filtering.
4. Configure SSL decryption.

With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help enabled this training to be built, tested, and deployed.

Lab Equipment Setup

[Diagram: Lab Equipment Setup (DHCP-enabled Network, Internet)]

Lab Assumptions

These lab instructions assume the following conditions:
1. The student is using a PA-200 firewall which has been registered with Palo Alto Networks Support.
2. The PA-200 firewall is using the default IP address on the MGT interface (192.168.1.1) and the default password (admin) for the admin account.
3. The firewall is licensed for Support, Threat Prevention, and URL Filtering.
4. All network connectivity for the student laptop used for the lab has been disabled except for the Ethernet adapter which will be connected to the firewall.
5. The firewall should have no policies defined on it.
6. The network that the student will connect to has a DHCP server from which the firewall can obtain an IP address and DNS information.
7. There are no other Palo Alto Networks firewalls between the student's PA-200 and the internet. The labs will still work if upstream firewalls exist, but the results will vary based on the firewall settings.

Student Firewall Interface Settings

Student Firewall: PA-200

Interface | Type | IP Address | Zone
MGT | Management | 192.168.1.1 | N/A
Ethernet1/1 | Vwire | | trust
Ethernet1/2 | Vwire | | untrust
Ethernet1/3 | Layer 3 | DHCP Client | Untrust-L3
Ethernet1/4 | Layer 3 | 192.168.2.1/24 | Trust-L3

Module 1 Administration and Management

In this lab you will:
• Connect to the firewall through the MGT interface
• Create new administrator roles and accounts on the firewall

Scenario

You have been tasked with integrating a new firewall into your environment. The firewall is configured with the factory default IP address and administrator account. You will need to change the IP address of your laptop to communicate with the default IP address of the MGT port.

If your firewall has settings you would like to restore after the completion of this lab, save the current configuration so that it can be reloaded on the firewall. Apply a saved configuration to the firewall so that it is in a known state.

In preparation for the new deployment, create a role for an assistant administrator which allows access to all firewall functionality through the WebUI except Monitor, Network, Privacy, and Device. The account should have no access to the XML API or the CLI. Create an account using this role. Additionally, change the password of the admin account to disable the warnings about using default credentials.

Required Information

Named Configuration Snapshot | PANEDU101Default
New Administrator Role name | Policy Admins
New Administrator Account name | ip-admin
New Administrator Account password | paloalto
New password for the admin account | paloalto

Module 2 Interface Configuration (optional)

In this lab you will:
• Create Security Zones
• Configure basic interface types

Scenario

You are preparing the firewall for a simple proof of concept (POC). In order to demonstrate firewall features with a minimum of changes to the existing network, you have decided to use a virtual wire to pass traffic through the firewall for one network segment and a tap interface to monitor a different network segment.

Configure the virtual wire and create zones so that policy rules can be defined. Create a tap interface and the associated zone.

Note: Due to the limited number of interfaces available on a PA-200, the configurations set in this lab will be immediately removed so that the interfaces may be reused for later labs.

Required Information

Interface to use for tap interface | Ethernet1/3
Interfaces to use for virtual wire | Ethernet1/3, Ethernet1/4
Name for the tap zone | tap-zone
Names for the virtual wire zones | vwire-zone-3, vwire-zone-4
Name for the virtual wire object | student-vwire

Module 3 Layer 3 Configuration

In this lab you will:
• Create Interface Management Profiles
• Configure Ethernet interfaces with Layer 3 information
• Configure DHCP
• Create a Virtual Router
• Create a Source NAT policy

Scenario

The POC went well and the decision was made to use the Palo Alto Networks firewall in the network. You are to create two zones, Untrust-L3 and Trust-L3. The external-facing interface in Untrust-L3 will get an IP address from a DHCP server on the external network. Trust-L3 will be where the internal clients connect to the firewall, and so the interface in Trust-L3 will provide DHCP addresses to these internal clients. The DHCP server you configure in the Trust-L3 zone will inherit DNS settings from the external-facing interface. Both the internal and external interfaces on the firewall must route traffic through the external-facing interface by default. The interface in Untrust-L3 must be configured to respond to pings, and the interface in Trust-L3 must be able to provide all management services.

NOTE: You will not be able to test whether the Untrust-L3 interface responds to pings until the next lab.

Once you have completed the Layer 3 configurations, you will need to move the physical Ethernet cable from the MGT port to the ethernet1/4 port of the PA-200. You must also change the settings of the LAN interface on your laptop to use DHCP-supplied network information (IP address and DNS servers) instead of static settings.

When the firewall is fully configured, a NAT policy must exist so that all traffic originating in the Trust-L3 zone appears to come from the external-facing address of the firewall.

Required Information

Interface Management Profile Names | allow_all, allow_ping
Internal-facing IP Address | 192.168.2.1/24
External-facing interface | Ethernet1/3
Internal-facing interface | Ethernet1/4
DHCP Server: Gateway | 192.168.2.1
DHCP Server: Inheritance Source | Ethernet1/3
DHCP Server: Primary DNS | inherited
DHCP Server: IP address range | 192.168.2.50-192.168.2.60
Virtual Router Name | Student-VR

Module 4 App-ID

In this lab you will:
• Enable the firewall to communicate with the Palo Alto Networks update server
• Update the threat definitions and OS of the firewall
• Create a security policy to allow basic internet connectivity and log dropped traffic
• Enable Application Block pages
• Create Application Filters and Application Groups

Scenario 1

In order to update the software on the firewall, you must enable the DNS, paloalto-updates, and SSL applications to pass between the zones. The applications should only be permitted on application-default ports. Configure the firewall to communicate with DNS and Palo Alto Networks update servers through the Trust-L3 interface.

Once these configurations are complete, license your firewall. Update the Threats and Applications data file to the most recent version.

Required Information

DNS Server for the MGT functions | 4.2.2.2
Address to use for Service Routes | 192.168.2.1/24
Name to use for Security Policy | General Internet

Scenario 2

At this point, the firewall is configured but not passing traffic. Security policies must be defined before traffic will flow between zones. To facilitate testing and present the minimal amount of risk to the network traffic, the policies will be established in a three-phase deployment:

Phase 1: Modify the General Internet policy to allow users in the Trust-L3 zone to use a set of commonly used applications to access the internet. The applications should only be permitted on application-default ports. All other traffic (inbound and outbound) should be blocked and logged so that you can identify what other applications are being used. This will help generate lists of good and bad applications to be managed in the later phases.

Phase 2: Configure the firewall to notify users when blocked applications are used so that the help desk does not get called for connection issues that are actually blocked applications.

Phase 3: The results from the first two phases of testing result in the following discoveries:

• The logs from Phase 1 show heavy use of a variety of internet proxies and client-server gaming applications by users in the Trust-L3 zone. Management mandates that you explicitly prevent use of these applications.

• For ease of configuration, your team decides to create groups for the allowed and denied applications to reduce the number of policies required on the firewall.

• The rules blocking all unmatched traffic were too restrictive for your environment. The testing denied access to numerous vital applications, causing a surge in support calls. Any traffic which does not match the allowed or denied lists should be allowed but logged for future policy decisions.

Modify General Internet and create new policies (Block-Known-Bad and Log-All) to meet these new requirements. Remove the other policies created in Phase 1.

Required Information

Phase 1 Allowed Applications | dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
Phase 1 Security Policy names | General Internet, Deny Inbound, Deny
Phase 3 Application Filter names | Proxies, Web-Based-File-Sharing
Phase 3 Security Policy names | General Internet, Deny Inbound, Block-Known-Bad, Log-All
Setting for Proxies application filter | Subcategory: Proxies
Settings for Web-Based-File-Sharing application filter | Subcategory: file-sharing; Technology: browser-based
Phase 3 Application Group names | Known-Good, Known-Bad
Members of the Known-Good application group | dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
Members of the Known-Bad application group | Proxies, Web-Based-File-Sharing

Lab Notes

• During Phase 1, test your connectivity by connecting to http://www.box.net (login: student@panedu.com, password: paloalto1). Use the traffic logs to determine how the firewall handles that connection.

• During Phase 2, check to see what happens when you browse to www.facebook.com before and after you make your changes.

• The lab solutions use the buttons at the bottom of the policy screens to change the order of the rules. Rules can also be reordered by clicking and dragging the rules to the desired location.

Module 5 Content-ID

In this lab you will:
• Configure Security Profiles
• Create a Security Profile group
• Associate Security Profiles and Security Profile Groups to Security Policy
• Generate a custom report

Scenario

Now that traffic is passing through the firewall, you decide to further protect the environment with Security Profiles. The specific security requirements for general internet traffic are:

• Log all URLs accessed by users in the Trust-L3 zone. In particular, you need to track access to a set of specified technology websites.
• Access to all hacking and government sites should be set to Continue.
• Block the following URL categories:
  o Adult and pornography
  o questionable
  o Unknown
• Log, but do not block, all viruses detected and maintain packet captures of these events for analysis.
• Log spyware of severity levels critical and high detected in the traffic. Ignore all other spyware.
• Configure files to be automatically forwarded to WildFire with no user interaction.

After all of these profiles are configured, send test traffic to verify that the protection behaves as expected. Testing parameters will be included in the Required Information section of this lab.

After the initial testing is complete, you are asked to change the Antivirus protection to block viruses. Make the changes and verify the difference in behavior.

Once the individual profiles are created and tested, combine the profiles into a single group for ease of management. Attach the group to the appropriate security policies.

Your manager wants to see daily reports which detail the threats encountered by the firewall. Configure a custom report to show a threat summary for all traffic allowed in the past 24 hours. It should include the threat name, the application (including technology and subcategory for reference), and the number of times that threat was encountered. Export the file as a PDF.

Required Information

Custom Technology sites to track | www.slashdot.org, www.cnet.com, www.phys.org, www.zdnet.com
Location of files for testing antivirus | 1. Browse to http://www.eicar.org. 2. Click Anti-Malware Testfile. 3. Click Download. 4. Download any of the files using http only. Do not use the SSL links.
Hacking sites for testing URL Filtering | www.2600.org, www.neworder.box.sk
Procedure for testing file blocking | 1. Navigate to the web site http://www.opera.com. 2. Download the installer to your local system.

Lab Notes

• You do not need to assign profiles to all of the security policies you have created in the lab. The Known-Bad policy has an action of deny, so profiles will do nothing for that rule.
• Only test the antivirus profile using http, not https. HTTPS connections will prevent the firewall from seeing the packet contents, so the viruses contained will not be detected by the profile. Decryption will be covered in a later module.
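As an added example (not part of the manual and not firewall output), the following Python script computes the same threat summary the custom report asks for, offline, from a constructed threat-log export: allowed traffic only, the past 24 hours, grouped by threat name and application (with technology and subcategory), with a hit count per row. The column names, threat names, the fixed "now" and the set of actions treated as allowed (alert, which is what the antivirus profile is set to in this lab, and allow) are assumptions of the example; the PDF export itself stays in the WebUI.

```python
"""Threat summary for allowed traffic in the past 24 hours, grouped by
threat name and application (technology, subcategory), with a count."""
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export (not real PAN-OS output); column names are
# chosen for this example only.
SAMPLE_THREAT_LOG = """\
receive_time,action,threat_name,application,technology,subcategory
2014/03/10 09:12:41,alert,Eicar File Detected,web-browsing,browser-based,internet-utility
2014/03/10 09:13:05,alert,Eicar File Detected,web-browsing,browser-based,internet-utility
2014/03/10 10:40:17,alert,Eicar File Detected,ftp,client-server,file-sharing
2014/03/10 11:02:59,drop,Eicar File Detected,web-browsing,browser-based,internet-utility
2014/03/09 08:00:00,alert,Eicar File Detected,web-browsing,browser-based,internet-utility
2014/03/10 12:30:00,alert,Generic Spyware Beacon,unknown-udp,client-server,unknown
"""

# Assumed: actions that let the session through ("alert" is what the
# antivirus profile uses while it only logs viruses).
ALLOWED_ACTIONS = {"alert", "allow"}

# Constructed report time standing in for "now".
REPORT_TIME = datetime(2014, 3, 10, 13, 0, 0)


def parse_threat_log(text):
    """Parse the CSV export into dicts with a real datetime in receive_time."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["receive_time"] = datetime.strptime(row["receive_time"], "%Y/%m/%d %H:%M:%S")
    return rows


def threat_summary(rows, now, window=timedelta(hours=24)):
    """Count threats on allowed traffic inside [now - window, now].

    Returns (threat_name, application, technology, subcategory, count)
    tuples, most frequent first, then alphabetical."""
    since = now - window
    counts = Counter()
    for row in rows:
        if row["action"] not in ALLOWED_ACTIONS:
            continue                      # dropped sessions are not "allowed traffic"
        if not (since <= row["receive_time"] <= now):
            continue                      # outside the 24-hour window
        key = (row["threat_name"], row["application"],
               row["technology"], row["subcategory"])
        counts[key] += 1
    return sorted(((*key, n) for key, n in counts.items()),
                  key=lambda r: (-r[4], r[0], r[1]))


def render_report(summary):
    """Tab-separated text version of the report (the lab exports a PDF)."""
    header = ("threat_name", "application", "technology", "subcategory", "count")
    lines = ["\t".join(header)]
    lines += ["\t".join(map(str, row)) for row in summary]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(threat_summary(parse_threat_log(SAMPLE_THREAT_LOG), REPORT_TIME)))
```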

Module 6 Decryption

In this lab you will:
• Create a self-signed SSL certificate
• Configure the firewall as a forward proxy using decryption rules

Scenario

Your security team is concerned about the results of the testing performed as part of the security profile configurations. The team observed that the antivirus profile only identified viruses which were not SSL-encrypted. The concern is that files transferred from encrypted sources (e.g., https://www.facebook.com) could escape detection and cause issues. For testing purposes, you will need to change the antivirus profile to alert instead of blocking the file. Verify that https downloads of virus files from www.eicar.org are detected by the antivirus profile.

You want to evaluate using a forward proxy configuration on the Palo Alto Networks firewall. Only traffic from Trust-L3 to Untrust-L3 needs to be decrypted. Since this is not production, you decide to use self-signed SSL certificates generated on the firewall for this implementation. The legal department has advised you that certain traffic should not be decrypted for liability reasons. Specifically, you may not decrypt traffic from health-related, shopping, or financial websites.

Test the decryption two ways:
• Attempt to download test files from www.eicar.org using https and verify that they are detected by the firewall.
• Connect to various websites using https and use the logs to verify that the correct URL categories are being decrypted.

After your initial testing of the forward proxy, the penetration testing team calls you to request an exception to the decryption rules. The team asks that www.eicar.org be excluded from decryption so that they will still be able to download the files they need to perform their evaluations. Change the implementation to allow this exception.

Required Information

Self-signed Certificate name | student-ssl-cert
Common Name of the SSL Certificate | 192.168.2.1
Decryption Policies | no-decrypt-traffic, decrypt-all-traffic

Lab Notes

• You will get certificate errors when browsing after decryption is enabled. This is expected because the self-signed certificates have not been added to the trusted certificates of the client browser. In a production environment you would resolve this by adding the firewall certificate to the clients as trusted or by using a commercial certificate from a known CA such as VeriSign.
• Order matters with policies: make sure that the decrypt and no-decrypt policies are evaluated in the correct order.
• To find URLs to test the no-decrypt rule, go to http://www.brightcloud.com/ and enter various URLs that you believe fall into the categories you are testing.
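Both the Phase 3 security policy in Module 4 and the decrypt / no-decrypt pair above depend on top-down, first-match evaluation, so the order of the rules decides the outcome. The following added Python example (not part of the manual or of PAN-OS) models that evaluation for both rulebases with the zone, application, filter and policy names from the lab, and shows what a misordering does. The App-ID subcategory/technology metadata, the URL category names and the custom category "eicar-exception" (standing in for however the www.eicar.org exception is built) are constructed assumptions, not PAN-OS values.

```python
"""First-match evaluation of the Phase 3 security rulebase (Module 4) and
the decryption rulebase (Module 6), to show why rule order matters."""

# Constructed App-ID metadata for illustration only; the real PAN-OS
# subcategory/technology values for these applications may differ.
APPS = {
    "web-browsing": {"subcategory": "internet-utility", "technology": "browser-based"},
    "ssl":          {"subcategory": "encrypted-tunnel", "technology": "browser-based"},
    "dns":          {"subcategory": "infrastructure",   "technology": "network-protocol"},
    "boxnet":       {"subcategory": "file-sharing",     "technology": "browser-based"},
    "ultrasurf":    {"subcategory": "proxies",          "technology": "client-server"},
    "battle-net":   {"subcategory": "gaming",           "technology": "client-server"},
}


def app_filter(**criteria):
    """Application filter: every app whose metadata matches all criteria."""
    return {name for name, meta in APPS.items()
            if all(meta.get(k) == v for k, v in criteria.items())}


# Application filters and groups from the Module 4 Required Information.
PROXIES = app_filter(subcategory="proxies")
WEB_BASED_FILE_SHARING = app_filter(subcategory="file-sharing", technology="browser-based")
KNOWN_GOOD = {"dns", "fileserve", "flash", "ftp", "paloalto-updates",
              "ping", "web-browsing", "ssl"}
KNOWN_BAD = PROXIES | WEB_BASED_FILE_SHARING


def rule(name, action, **match):
    """A rule matches a session when every listed field is in the given set."""
    return {"name": name, "action": action, "match": match}


def first_match(rulebase, session):
    """Top-down evaluation that stops at the first matching rule (PAN-OS
    semantics); fields a rule does not list are treated as 'any'."""
    for r in rulebase:
        if all(session.get(field) in allowed for field, allowed in r["match"].items()):
            return r
    return None


def decide(rulebase, session):
    r = first_match(rulebase, session)
    return (r["name"], r["action"]) if r else (None, "no-match")


def swapped(rulebase, a, b):
    """Copy of the rulebase with rules a and b exchanged (a misordering)."""
    out = list(rulebase)
    ia = next(i for i, r in enumerate(out) if r["name"] == a)
    ib = next(i for i, r in enumerate(out) if r["name"] == b)
    out[ia], out[ib] = out[ib], out[ia]
    return out


# Phase 3 security policy in the intended order.
SECURITY_RULES = [
    rule("General Internet", "allow", from_zone={"Trust-L3"}, to_zone={"Untrust-L3"}, app=KNOWN_GOOD),
    rule("Deny Inbound", "deny", from_zone={"Untrust-L3"}, to_zone={"Trust-L3"}),
    rule("Block-Known-Bad", "deny", from_zone={"Trust-L3"}, to_zone={"Untrust-L3"}, app=KNOWN_BAD),
    rule("Log-All", "allow", from_zone={"Trust-L3"}, to_zone={"Untrust-L3"}),
]

# Module 6 decryption policy: the exceptions must sit above decrypt-all-traffic.
# Category names are assumed; "eicar-exception" stands for a custom category
# holding www.eicar.org for the penetration-testing team's request.
NO_DECRYPT_CATEGORIES = {"health-and-medicine", "shopping", "financial-services",
                         "eicar-exception"}
DECRYPTION_RULES = [
    rule("no-decrypt-traffic", "no-decrypt", from_zone={"Trust-L3"},
         to_zone={"Untrust-L3"}, url_category=NO_DECRYPT_CATEGORIES),
    rule("decrypt-all-traffic", "decrypt", from_zone={"Trust-L3"}, to_zone={"Untrust-L3"}),
]


def outbound(app, url_category=None):
    """A session from the Trust-L3 zone to Untrust-L3."""
    return {"from_zone": "Trust-L3", "to_zone": "Untrust-L3",
            "app": app, "url_category": url_category}


if __name__ == "__main__":
    for app in ("web-browsing", "ultrasurf", "boxnet", "battle-net"):
        print(f"{app:13} -> {decide(SECURITY_RULES, outbound(app))}")
    misordered = swapped(SECURITY_RULES, "Block-Known-Bad", "Log-All")
    print("ultrasurf with Log-All above Block-Known-Bad ->",
          decide(misordered, outbound("ultrasurf")))
    print("financial site ->", decide(DECRYPTION_RULES, outbound("ssl", "financial-services")))
    print("same, rules misordered ->",
          decide(swapped(DECRYPTION_RULES, "no-decrypt-traffic", "decrypt-all-traffic"),
                 outbound("ssl", "financial-services")))
```

With the rules in the intended order a proxy is denied by Block-Known-Bad and a financial site is left encrypted; swap either pair and the broader rule above silently wins.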

Solutions

Module 1 Introduction (Lab Access)

Prepare your laptop for the lab
1. While connected to the internet, download the file PANEDU101Default to the laptop you will be using for the lab exercises.
2. Configure the physical LAN interface on your laptop with an IP address to communicate with the firewall:
   IP address: 192.168.1.100
   Subnet Mask: 255.255.255.0
3. Connect an Ethernet cable between the interface you just configured and the MGT port of your firewall.
4. Open a command prompt and verify you can ping the IP address 192.168.1.1.

Log on to the Firewall
5. Open a browser and connect to the firewall at https://192.168.1.1. Note: You will get a warning message since the firewall is using an untrusted self-signed certificate. Dismiss the warning and continue to the web page.
6. Log on with the default username and password. Click OK to dismiss the warning about the default admin credentials.

Save the current configuration on your firewall (optional)
Note: If your firewall has settings you would like to restore after the completion of this lab, save the configuration so that it can be reloaded on the firewall.
7. Click Device > Setup > Operations.
8. Click Save named configuration snapshot. Enter pre-101-labs in the Name field. Click OK to complete the save. Click OK to dismiss the success window.

Upload and apply baseline configuration to your firewall
9. Click Device > Setup > Operations.
10. Click Import named configuration snapshot. Click Browse to select the PANEDU101Default file from your system. Click Open, then OK to upload the file to the firewall. Click OK to dismiss the success window.
11. Click Load Named Configuration Snapshot.
12. Select PANEDU101Default. Click OK. Click OK to dismiss the success window.
13. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes, then click Close.

Add an Administrator Role
14. Click Device > Admin Roles.
15. Click Add in the lower left of the panel and create a new admin role:
   Name: Enter Policy Admins
   WebUI tab: Click the following major categories to disable them: Monitor, Network, Device, Privacy. The remaining major categories should remain enabled.
   Click OK to continue.

Manage administrator accounts
16. Click Device > Administrators.
17. Click admin in the list of users. Change the password to paloalto. Click OK to close the configuration window.
18. Click Add in the lower left corner of the panel. Configure a new administrator account:
   Name: Enter ip-admin
   Password / Confirm Password: Enter paloalto
   Role: Select Role Based
   Profile: Select Policy Admins
   Click OK.
19. Click the Commit link at the top right of the WebUI. Click OK and wait until the commit process completes, then click Close.
20. Use an SSH client (e.g., PuTTY) to attempt to log in to the CLI as ip-admin. Because the role assigned to this account was not assigned CLI access, the connection should reset.
21. Open a different browser and log on to the WebUI as ip-admin and explore the available functionality. For example, if you originally connected to the WebUI using Chrome, open this connection in Internet Explorer. Compare the displays for the admin and ip-admin accounts to see the limitations of the newly created account.
22. Log out of the ip-admin account connection when you are done exploring.

Module 2 Interface Configuration

Create new Security Zones
1. If necessary, log in to the WebUI using your admin account.
2. Click Network > Zones. Click Add and create the tap zone:
   Name: Enter tap-zone
   Type: Select Tap
   Click OK to close the zone creation window.
3. Click Add and create the first virtual wire zone:
   Name: Enter vwire-zone-3
   Type: Select Virtual Wire
   Click OK to close the zone creation window.
4. Click Add and create the second virtual wire zone:
   Name: Enter vwire-zone-4
   Type: Select Virtual Wire
   Click OK to close the zone creation window.

Configure a Tap interface
5. Click Network > Interfaces > Ethernet.
6. Click the interface name ethernet1/3. Configure the interface:
   Interface Type: Select Tap
   Config tab
     Security Zone: Select tap-zone
   Click OK to close the interface configuration window.

Creating a Virtual Wire Setup
7. Click Network > Virtual Wires.
8. Click Add and create a new virtual wire object named student-vwire. Keep all other settings at the default values and click OK.
9. Click Network > Interfaces > Ethernet.
10. Click the interface name ethernet1/3. Configure the interface:
   Interface Type: Select Virtual Wire
   Config tab
     Virtual Wire: Select student-vwire
     Security Zone: Select vwire-zone-3
   Click OK to close the interface configuration window.
11. Click the interface name ethernet1/4. Configure the interface:
   Interface Type: Select Virtual Wire
   Config tab
     Virtual Wire: Select student-vwire
     Security Zone: Select vwire-zone-4
   Click OK to close the interface configuration window.

Normally, you would commit your changes at this point. However, for the self-paced labs you will be reusing these interfaces, so you must undo some of the changes you just implemented.

12. Click Network > Virtual Wires.
13. Select the student-vwire object and click Delete.
(Note: you will set the interfaces to a different type in the next module.)

  • PANEDU101

    LabManual PANOS 6.0 Rev A.200 Page 23

    Module3Layer3Configuration

    CreatenewSecurityZones1. GototheWebUIandclickNetwork>Zones.2. ClickAddandcreatetheUntrustL3zone:

    Name Enter Untrust-L3Type Verfy thatLayer3 is selectedClickOKtoclosethezonecreationwindow.

    3. ClickAddandcreatetheTrustL3 zone:

    Name Enter Trust-L3Type Select Layer 3ClickOKtoclosethezonecreationwindow.

    CreateInterfaceManagementProfiles

    4. ClickNetwork>NetworkProfiles>InterfaceMgmt.5. ClickAddandcreateaninterfacemanagementprofile:

    Name Enter allow_allPermittedServices Select all check boxesPermittedIPAddresses Do not add anyaddressesClickOKtoclosetheinterfacemanagementprofilecreationwindow.

    6. ClickAddandcreateanotherinterfacemanagementprofile:

    Name Enter allow_pingPermittedServices Select only the Ping check boxPermittedIPAddresses Do not add anyaddressesClickOKtoclosetheinterfacemanagementprofilecreationwindow.

    7. ClicktheCommitlinkatthetoprightoftheWebUI.ClickOKagainandwaituntilthecommit

    processcompletesbeforecontinuing.

    ConfigureEthernetinterfaceswithLayer3info8. ClickNetwork>Interfaces>Ethernet.9. Clicktheinterfacenameethernet1/3.Configuretheinterface:

    InterfaceType Select Layer 3Configtab

    VirtualRouter Keep default (none)SecurityZone SelectUntrustL3

  • PANEDU101

    LabManual PANOS 6.0 Rev A.200 Page 24

    IPv4 tab
    Type                 Select DHCP Client
    Advanced > Other Info tab
    Management Profile   Select allow_ping

    Click OK to close the interface configuration window.

    10. Click the interface name ethernet1/4. Configure the interface:

    Interface Type       Select Layer 3
    Config tab
    Virtual Router       Keep default (none)
    Security Zone        Select Trust-L3
    IPv4 tab
    Type                 Keep default (Static)
    IP                   Click Add, then enter 192.168.2.1/24
    Advanced > Other Info tab
    Management Profile   Select allow_all

    Click OK to close the interface configuration window.

    Configure DHCP

    11. Click Network > DHCP > DHCP Server.
    12. Click Add to define a new DHCP Server:

    Interface Name       Select ethernet1/4
    Inheritance Source   Select ethernet1/3
    Gateway              Enter 192.168.2.1
    Primary DNS          Select inherited
    IP Pools             Click Add, then enter 192.168.2.50-192.168.2.60

    Click OK to close the DHCP Server configuration window.

    Create a Virtual Router

    13. Click Network > Virtual Routers.
    14. Click Add to define a new virtual router:

    General tab
    Name                 Enter Student-VR
    Interfaces           Click Add, then select ethernet1/3
                         Click Add again and select ethernet1/4

    Click OK to close the virtual router configuration window.

    15. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.


    Test the Network Configuration

    16. Log out of the Web UI.
    17. Move the Ethernet cable from the MGT interface to interface 4 on the firewall.
    18. Plug the cable connected to your network into interface 3 on the firewall.
    19. Configure the physical LAN interface on your laptop (the one connected to interface 4) to use a DHCP address.
    20. Verify that your laptop is receiving a DHCP address from the firewall. The displayed IP address should be in the range 192.168.2.50-192.168.2.60 if the DHCP Server is configured correctly. You should also be able to ping 192.168.2.1.
    21. Connect to the Web UI by launching a browser to https://192.168.2.1 and logging in with your admin account.

    Create a Source NAT Policy

    22. Click Policies > NAT.
    23. Click Add to define a new source NAT policy:

    General tab
    Name                   Enter Student Source NAT
    Original Packet tab
    Source Zone            Click Add and select Trust-L3
    Destination Zone       Select Untrust-L3
    Destination Interface  Select ethernet1/3
    Translated Packet > Source Address Translation tab
    Translation Type       Select Dynamic IP and Port
    Address Type           Select Interface Address
    Interface              Select ethernet1/3

    Click OK to close the NAT policy configuration window.

    24. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.

    Note: At this point, you still will not have access to the internet. A security policy is required, which will be configured in the next lab.
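    The source NAT rule above rewrites every session leaving Trust-L3 through ethernet1/3 so that it carries the address DHCP assigned to that interface and a firewall-chosen source port ("Dynamic IP and Port" with "Interface Address"). The following Python model is an added example, not code from the lab manual or from PAN-OS; it shows what that translation does to a session, why two lab clients that happen to pick the same source port do not collide, and how the firewall's session state maps replies back. The egress address 203.0.113.10, the counter-based port allocator and the two client addresses are constructed assumptions.

```python
"""Model of the lab's source NAT rule ('Dynamic IP and Port', Interface Address on
ethernet1/3). Added educational example; not PAN-OS code and not lab content.
The egress address 203.0.113.10 stands in for whatever DHCP gave ethernet1/3."""
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a session, as the firewall sees it on ingress."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class DynamicIpAndPortNat:
    """Rewrites the source of every matching outbound session to the egress
    interface address plus a firewall-chosen port, and keeps the state needed
    to map replies back. Port allocation is a plain counter (assumption)."""

    def __init__(self, interface_ip: str, trust_net: str = "192.168.2.0/24",
                 first_port: int = 1024, last_port: int = 65535) -> None:
        self.interface_ip = interface_ip
        self.trust_net = ipaddress.ip_network(trust_net)
        self._ports = itertools.cycle(range(first_port, last_port + 1))
        self.forward: dict = {}   # original Flow -> translated source port
        self.reverse: dict = {}   # (xlate port, dst ip, dst port, proto) -> original Flow

    def matches(self, flow: Flow) -> bool:
        """Original Packet criteria: source inside the Trust-L3 network."""
        return ipaddress.ip_address(flow.src_ip) in self.trust_net

    def translate(self, flow: Flow):
        """Apply the rule to an outbound packet; None means the rule did not match."""
        if not self.matches(flow):
            return None
        if flow not in self.forward:          # new session: allocate a port, record state
            port = next(self._ports)
            self.forward[flow] = port
            self.reverse[(port, flow.dst_ip, flow.dst_port, flow.proto)] = flow
        port = self.forward[flow]
        return Flow(self.interface_ip, port, flow.dst_ip, flow.dst_port, flow.proto)

    def untranslate(self, reply: Flow):
        """Map a reply addressed to the interface IP back to the inside host.
        A reply with no matching session state is dropped (returns None)."""
        key = (reply.dst_port, reply.src_ip, reply.src_port, reply.proto)
        orig = self.reverse.get(key)
        if orig is None or reply.dst_ip != self.interface_ip:
            return None
        return Flow(reply.src_ip, reply.src_port, orig.src_ip, orig.src_port, reply.proto)


def demo():
    """Two lab clients (constructed DHCP leases) querying the lab DNS server 4.2.2.2."""
    nat = DynamicIpAndPortNat("203.0.113.10")      # constructed egress address
    a = nat.translate(Flow("192.168.2.50", 51000, "4.2.2.2", 53, "udp"))
    b = nat.translate(Flow("192.168.2.51", 51000, "4.2.2.2", 53, "udp"))
    # Both clients chose source port 51000; the firewall gives them distinct ports
    # behind one public address, which is what 'Dynamic IP and Port' means.
    reply = Flow("4.2.2.2", 53, nat.interface_ip, a.src_port, "udp")
    return a, b, nat.untranslate(reply)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

    Without the security policy of the next module the real firewall still drops these sessions; the model only covers the address rewrite and the session table that makes the return path possible.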


    Module 4 App-ID

    Scenario 1 Create the General Internet Policy

    1. Go to the Web UI and click Policies > Security.
    2. Click Add to define a security policy:

    General tab
    Name                 Enter General Internet
    Source tab
    Source Zone          Click Add and select Trust-L3
    Source Address       Select Any
    Destination tab
    Destination Zone     Click Add and select Untrust-L3
    Destination Address  Select Any
    Application tab
    Applications         Click Add and select each of the following:
                         dns, paloalto-updates, ssl
    Service/URL Category tab
    Service              Select application-default from the pulldown
    Actions tab
    Action Setting       Select Allow
    Log Setting          Select Log at Session End

    Click OK to close the security policy configuration window.

    Configure the Firewall to Communicate with the Update Server

    3. In the Web UI, click Device > Setup > Services.
    4. Click the icon in the upper right corner of the Services panel to configure DNS lookups:

    DNS                  Verify that Servers is selected
    Primary DNS Server   Enter 4.2.2.2
    Update Server        Keep the default (updates.paloaltonetworks.com)

    Click OK to close the configuration window.

    5. In the Services Features panel, click the Service Route Configuration link to configure how the firewall accesses network services. Click the radio button for Select. For the DNS, Palo Alto Updates, and URL Updates services, go to the Source Address column and select 192.168.2.1/24. Click OK to close the configuration window.


    6. Click the Commit link at the top right of the Web UI. Click OK and wait until the commit process completes before continuing.

    Review PAN-OS Licenses

    7. Click Device > Licenses.
    8. If no licenses appear, click Retrieve license keys from license server.
    9. Review licenses installed and their expiration dates.

    Update the Applications and Threats Definition File

    Note: Upgrading PAN-OS requires that the firewall be running the most recent Applications and Threats definition file. All other dynamic updates can be handled later.

    10. Click Device > Dynamic Updates.
    11. Click Check Now at the bottom of the page to retrieve the latest updates from Palo Alto Networks.


    12. Verify that your firewall is running the most recent Applications and Threats definition file.
    13. If the definition file is out of date, install the latest version.

    a. Click Download on the line for the update file you plan to install. Click Close when the file download completes.

    b. The Download link will have been replaced with the Install link. Click Install to activate the definition file. The installation will automatically trigger a commit. Wait for both operations to complete before continuing. Click Close to exit the installation window.

    Verify the PAN-OS Version

    14. Click Device > Software.
    15. Review available, downloaded, and installed PAN-OS software. If no software versions are displayed, click Check Now at the bottom of the panel to refresh the list.

    What version of PAN-OS is running on your firewall?

    16. If the firewall is not running version 6.0.0, update the firewall to that version.

    a. Click Download on the line for version 6.0.0. Click Close when the file download completes.

    b. If your firewall is currently running a version of PAN-OS older than 6.0.0 (e.g., 5.0.x), you must also download (but not install) version 5.1.0. Click Download on the line for version 5.1.0. Click Close when the file download completes.


    c. On the line for 6.0.0, the Download link will have been replaced with the Install link. Click Install to update PAN-OS on your firewall.

    d. Reboot the firewall when prompted. Wait until your browser reconnects with the firewall and log in again using your admin account.


    Scenario 2 (Phase 1) Modify the General Internet Policy

    17. Go to the Web UI and click Policies > Security.
    18. Click the General Internet policy you previously created and modify the allowed applications:

    Application tab
    Applications         Click Add and select each of the following:
                         fileserve, flash, ftp, ping, web-browsing

    Click OK to close the security policy configuration window.

    Create Policies to Block and Log All Inbound and Outbound Traffic

    19. Click Policies > Security.
    20. Click Add to define the Deny Outbound security policy:

    General tab
    Name                 Enter Deny Outbound
    Source tab
    Source Zone          Click Add and select Trust-L3
    Source Address       Select Any
    Destination tab
    Destination Zone     Click Add and select Untrust-L3
    Destination Address  Select Any
    Application tab
    Applications         Check the Any box
    Service/URL Category tab
    Service              Select any from the pulldown
    Actions tab
    Action Setting       Select Deny
    Log Setting          Select Log at Session End

    Click OK to close the security policy configuration window.

    21. Click Add to define the Deny Inbound security policy:

    General tab
    Name                 Enter Deny Inbound
    Source tab
    Source Zone          Click Add and select Untrust-L3
    Source Address       Select Any


    Destination tab
    Destination Zone     Click Add and select Trust-L3
    Destination Address  Select Any
    Application tab
    Applications         Check the Any box
    Service/URL Category tab
    Service              Select any from the pulldown
    Actions tab
    Action Setting       Select Deny
    Log Setting          Select Log at Session End

    Click OK to close the security policy configuration window.

    22. Ensure your Security Policy looks like this:

    Note: The default rule 1 affects virtual wire connections and will not affect the lab exercises.

    23. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.

    Verify Internet Connectivity and Application Blocking

    24. Test internet connectivity by browsing websites from your laptop. Does web surfing over ports 80 and 443 work?
    25. Use a browser to connect to the site http://www.box.net. The browser should not be able to display the site. Review the traffic logs to determine why this site is not reachable. (Hint: Check the applications listed in the log.) The boxnet-base application is not allowed by the configured policies.
    26. Attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com. You will not be able to connect because the avoidr website also uses a custom application which is not allowed by your policies. Use the traffic logs to verify this statement.


    Scenario 2 (Phase 2) Create an Application Block Page

    1. From the RDP desktop, open a browser and navigate to http://www.facebook.com. Leave the browser open to the error page.
    2. Return to the Web UI and click Device > Response Pages.
    3. Find the Application Block Page line and click Disabled.
    4. Check the Enable Application Block Page box, and then click OK.
    5. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.
    6. Open a different browser window and go to http://www.facebook.com. Compare the page displayed to the one generated in Step 1 of the Create an Application Block Page section of the lab.

    Note: An Interface Management Profile DOES NOT need to be set for application block pages. From the admin guide (p. 176): The Response Pages check box controls whether the ports used to serve captive portal and URL filtering response pages are open on Layer 3 interfaces. Ports 6080 and 6081 are left open if this setting is enabled.


    Scenario 2 (Phase 3) Create Application Filters

    1. Go to the Web UI and click Objects > Application Filters.
    2. Click Add to define the Proxies application filter:

    Name                 Enter Proxies
    Subcategory column   Select proxy

    Click OK to close the application filter configuration window.

    3. Click Add to define the Web-Based-File-Sharing application filter:

    Name                 Enter Web-Based-File-Sharing
    Subcategory column   Select file-sharing
    Technology column    Select browser-based

    Click OK to close the application filter configuration window.

    Create Application Groups

    4. Click Objects > Application Groups.
    5. Click Add to define the Known-Good application group:

    Name                 Enter Known-Good
    Applications         Click Add and select each of the following:
                         dns, fileserve, flash, ftp, paloalto-updates, ping, ssl, web-browsing

    Click OK to close the application group configuration window.

    6. Click Add to define the Known-Bad application group:

    Name                 Enter Known-Bad
    Applications         Click Add and select each of the following:
                         Proxies, Web-Based-File-Sharing

    Click OK to close the application group configuration window.


    Update Security Policies

    7. Click Policies > Security.
    8. Click General Internet to edit the existing rule. Go to the Application tab. Delete all of the listed applications and add the Known-Good application group. Click OK to close the window.
    9. Click the Deny Outbound rule and modify it with the following values:

    General tab
    Name                 Change to Log-All
    Actions tab
    Action Setting       Select Allow

    Click OK to close the security policy configuration window.

    10. Click Add to define the Block-Known-Bad security policy:

    General tab
    Name                 Enter Block-Known-Bad
    Source tab
    Source Zone          Click Add and select Trust-L3
    Source Address       Select Any
    Destination tab
    Destination Zone     Click Add and select Untrust-L3
    Destination Address  Select Any
    Application tab
    Applications         Click Add and select Known-Bad
    Service/URL Category tab
    Service              Select any from the pulldown
    Actions tab
    Action Setting       Select Deny
    Log Setting          Select Log at Session End

    Click OK to close the security policy configuration window.

    27. Use the move buttons at the bottom of the page to arrange the policies in a logical order. Confirm that your security rule list looks like this:

    You can also rearrange the rules by clicking and dragging them into the correct order.

    28. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.


    Verify Internet Connectivity and Application Blocking

    29. Verify that your policies have not broken network connectivity. Test internet connectivity by browsing websites from your laptop. Does web surfing over ports 80 and 443 work?
    30. Use a browser to connect to the site http://www.box.net. The browser should not be able to display the site. Review the traffic logs to determine why this site is not reachable. (Hint: Check the application listed in the log.)
    31. Attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com. Why can't you bring up that website? (Hint: The traffic logs will help you solve this problem.)
    32. Click the ACC tab to access the Application Command Center. Use the dropdown menu in the application section of the ACC to select different ways of viewing the traffic that you have generated. What is the total risk level for all traffic that has passed through the firewall thus far? Notice that the URL Filtering, Threat Prevention, and Data Filtering sections within the ACC contain no matching records.
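    Step 27 asks for a "logical order" without saying why it matters: the security rulebase is evaluated top-down and the first matching rule wins, so a catch-all rule such as Log-All (Applications = any, action allow) placed above Block-Known-Bad would shadow it and let the proxy and file-sharing traffic of steps 30 and 31 through. The following Python model is an added example, not lab content or PAN-OS code. It rebuilds the two application filters, the two groups and the four rules of this scenario, evaluates sessions against them, and flags shadowed rules. The App-ID attributes for the sample applications, the extra "smtp" application and the rule order shown for step 27 (the manual only shows it as a screenshot) are constructed assumptions.

```python
"""First-match evaluation of the Module 4 security rulebase. Added educational
model, not PAN-OS code or lab content. The App-ID attributes below are constructed
sample data; on the firewall the App-ID database supplies them."""
from dataclasses import dataclass
from typing import Set, Union

APPS = {  # constructed: App-ID name -> the attributes the two application filters use
    "dns":              {"subcategory": "infrastructure",   "technology": "network-protocol"},
    "fileserve":        {"subcategory": "file-sharing",     "technology": "client-server"},
    "flash":            {"subcategory": "photo-video",      "technology": "browser-based"},
    "ftp":              {"subcategory": "file-sharing",     "technology": "client-server"},
    "paloalto-updates": {"subcategory": "software-update",  "technology": "client-server"},
    "ping":             {"subcategory": "ip-protocol",      "technology": "network-protocol"},
    "ssl":              {"subcategory": "encrypted-tunnel", "technology": "browser-based"},
    "web-browsing":     {"subcategory": "internet-utility", "technology": "browser-based"},
    "boxnet-base":      {"subcategory": "file-sharing",     "technology": "browser-based"},
    "avoidr":           {"subcategory": "proxy",            "technology": "browser-based"},
    "smtp":             {"subcategory": "email",            "technology": "client-server"},
}
ANY = "any"


def app_filter(**criteria) -> Set[str]:
    """Application filter: every app whose attributes equal all the criteria.
    Unlike a static group it picks up new apps automatically after a content update."""
    return {n for n, a in APPS.items() if all(a.get(k) == v for k, v in criteria.items())}


PROXIES = app_filter(subcategory="proxy")
WEB_BASED_FILE_SHARING = app_filter(subcategory="file-sharing", technology="browser-based")
KNOWN_GOOD = {"dns", "fileserve", "flash", "ftp", "paloalto-updates", "ping", "ssl", "web-browsing"}
KNOWN_BAD = PROXIES | WEB_BASED_FILE_SHARING


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: Union[str, Set[str]]   # ANY or a set of App-ID names
    action: str                  # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and (self.apps == ANY or app in self.apps))


def evaluate(rulebase, src_zone, dst_zone, app):
    """Top-down, first match wins. With no match, PAN-OS 6.0 allows traffic that
    stays inside one zone and denies traffic between zones."""
    for rule in rulebase:
        if rule.matches(src_zone, dst_zone, app):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def shadowed(rulebase):
    """Rules that can never match: an earlier rule with the same zones and
    Applications = any already takes every session they would see."""
    result = []
    for i, rule in enumerate(rulebase):
        if any(e.src_zone == rule.src_zone and e.dst_zone == rule.dst_zone and e.apps == ANY
               for e in rulebase[:i]):
            result.append(rule.name)
    return result


# Order assumed for step 27: specific allow, specific deny, catch-all allow/log, inbound deny.
LAB_ORDER = [
    Rule("General Internet", "Trust-L3", "Untrust-L3", KNOWN_GOOD, "allow"),
    Rule("Block-Known-Bad", "Trust-L3", "Untrust-L3", KNOWN_BAD, "deny"),
    Rule("Log-All", "Trust-L3", "Untrust-L3", ANY, "allow"),
    Rule("Deny Inbound", "Untrust-L3", "Trust-L3", ANY, "deny"),
]
# The same four rules with Log-All dragged above Block-Known-Bad.
WRONG_ORDER = [LAB_ORDER[0], LAB_ORDER[2], LAB_ORDER[1], LAB_ORDER[3]]

if __name__ == "__main__":
    for app in ("web-browsing", "boxnet-base", "avoidr", "smtp"):
        print(app, evaluate(LAB_ORDER, "Trust-L3", "Untrust-L3", app),
              evaluate(WRONG_ORDER, "Trust-L3", "Untrust-L3", app))
    print("shadowed in wrong order:", shadowed(WRONG_ORDER))
```

    The model also makes the step 30/31 answers visible: boxnet-base and avoidr are members of Known-Bad by way of the filters, so Block-Known-Bad denies them before Log-All can see them, while any application outside both groups (smtp in the model) is allowed and logged by Log-All.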


    Module 5 Content-ID

    Note: The presence of firewalls between your PA-200 and the internet will cause the lab results to vary.

    Configure Dynamic Updates

    1. Click Device > Dynamic Updates.
    2. Click Check Now at the bottom of the page to retrieve the latest updates from Palo Alto Networks.
    3. Verify that your firewall is running the most recent Antivirus definition file.
    4. If the definition file is out of date, install the latest version.

    a. Click Download on the line for the update file you plan to install. Click Close when the file download completes.

    b. The Download link will have been replaced with the Install link. Click Install to activate the definition file. The installation will automatically trigger a commit. Wait for both operations to complete before continuing. Click Close to exit the installation window.

    Configure a Custom URL Filtering Category

    1. Go to the Web UI and click Objects > Custom URL Category.
    2. Click Add to create a custom URL category:

    Name                 Enter TechSites
    Sites                Click Add and add each of the following URLs:
                         www.slashdot.org, www.cnet.com, www.zdnet.com

    Click OK to close the custom URL category window.


    Configure a URL Filtering Profile

    3. Click Objects > Security Profiles > URL Filtering.
    4. Click Add to define a URL Filtering profile:

    Name                 Enter student-url-filtering
    Category/Action      Click the right side of the Action header to access the pulldown menu. Click Set All Actions > Alert.
                         Search the Category field for hacking and government. Set the Action to Continue for both categories.
                         Search the Category field for the following categories and set the Action to block for each of them:
                         adult-and-pornography, questionable, unknown
                         Verify that your custom category appears in the Category column.

    Click OK to close the URL Filtering profile window.

    Configure an Antivirus Profile

    5. Click Objects > Security Profiles > Antivirus.
    6. Click Add to create an antivirus profile:

    Name                 Enter student-antivirus
    Antivirus tab
    Packet Capture       Check the Packet Capture box
    Decoders             Set the Action column to Alert for all decoders

    Click OK to close the antivirus profile window.


    Configure an Anti-Spyware Profile

    7. Click Objects > Security Profiles > Anti-Spyware.
    8. Click Add to create an anti-spyware profile:

    Name                 Enter student-antispyware
    Rules tab            Click Add and create a rule with the parameters:
                         Rule Name: Enter rule-1
                         Action: Select Allow
                         Severity: Check the boxes for Low and Informational only
                         Click OK to save the rule
                         Click Add and create another rule with the parameters:
                         Rule Name: Enter rule-2
                         Action: Select Alert
                         Severity: Check the boxes for Critical and High only
                         Click OK to save the rule

    Click OK to close the anti-spyware profile window.

    Create a File Blocking Profile with WildFire

    9. Click Objects > Security Profiles > File Blocking.
    10. Click Add to create a file blocking profile:

    Name                 Enter student-file-block
    Rules list           Click Add and create a rule with the parameters:
                         Rule Name: Enter type-1
                         Action: Select Forward

    Click OK to close the file blocking profile window.

    Assign Profiles to a Policy

    11. Click Policies > Security.
    12. Click General Internet in the list of policy names. Edit the policy to include the newly created profiles:

    Actions tab
    Profile Type         Select Profiles
    Antivirus            Select student-antivirus
    Anti-Spyware         Select student-antispyware
    URL Filtering        Select student-url-filtering
    File Blocking        Select student-file-block

    Click OK to close the policy window.


    13. Repeat the previous step and add the profiles to the Log-All policy.
    14. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.

    Test the Antivirus Profile

    15. On your local system, open a browser to http://www.eicar.org and click Anti-Malware Testfile.
    16. Click the Download link to access the virus test files.
    17. Download any of the Eicar test files using http. Do not use the SSL encrypted downloads. The firewall will not be able to detect the viruses in an HTTPS connection until decryption is configured.
    18. Click Monitor > Logs > Threat to view the threat log. Find the log messages which detect the Eicar files. Scroll to the Action column to verify the alerts for each file download.
    19. Click on the green down arrow on the left side of the line for the Eicar file detection to view the packet capture (PCAP). Here is an example of what a PCAP might look like:

    Captured packets can be exported in PCAP format and examined with a protocol analyzer offline for further investigation.

    20. Modify the antivirus profile to block viruses using ftp, http, and smb. Click Objects > Security Profiles > Antivirus. Change the Action column for the ftp, http, and smb decoders to Block.
    21. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.
    22. Open a new browser window to www.eicar.org and attempt to download a virus file again. Since the antivirus profile is set to block, a response page should appear:


    23. Return to the Web UI and verify that log entries stating that the Eicar virus was detected appear in the threat log.
    24. After 15 minutes, the threats you just generated will appear on the ACC tab under the Threats section.

    Test the URL Filtering Profile

    25. Open a browser and browse to various websites. The URL filtering profile records each website that you visit.
    26. In the Web UI, click Monitor > Logs > URL Filtering. Verify that the log entries track the sites that you visited during your tests.
    27. Test the continue condition you created by visiting a site which is part of the hacking category. In a new browser window, attempt to browse to http://neworder.box.sk and http://www.2600.org. The profile will block this action and you will see a response page similar to the following:
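    The student-url-filtering profile configured earlier in this module and the test in steps 25-27 come down to two lookups per request: which category the host belongs to (the TechSites custom category first, then the cloud category, with "unknown" for hosts the service has no verdict for) and which action the profile assigns to that category (alert for everything by default, continue for hacking and government, block for the three listed categories). The following Python model is an added example, not lab content or PAN-OS code; the cloud categories of the sample hosts, the "questionable.example" host and the "allow-after-continue" verdict label are constructed assumptions, and the real firewall only remembers a Continue click for a limited time.

```python
"""Lookup model for the student-url-filtering profile and the TechSites custom
category. Added educational example; not PAN-OS code or lab content. Categories
for the sample hosts are constructed (the firewall asks the URL cloud service)."""
from dataclasses import dataclass, field
from typing import Dict, Set

CUSTOM_CATEGORIES: Dict[str, Set[str]] = {          # Objects > Custom URL Category
    "TechSites": {"www.slashdot.org", "www.cnet.com", "www.zdnet.com"},
}
CLOUD_CATEGORIES = {                                 # constructed sample verdicts
    "www.2600.org": "hacking",
    "neworder.box.sk": "hacking",
    "www.slashdot.org": "news-and-media",            # also in TechSites: custom wins
    "www.usa.gov": "government",
    "questionable.example": "questionable",
}
DEFAULT_ACTION = "alert"                             # Set All Actions > Alert
CATEGORY_ACTIONS = {                                 # the per-category overrides of step 4
    "hacking": "continue", "government": "continue",
    "adult-and-pornography": "block", "questionable": "block", "unknown": "block",
}


def categorize(host: str) -> str:
    """Custom categories take precedence over the cloud category; a host the
    cloud service has no verdict for is 'unknown' (and therefore blocked here)."""
    for name, sites in CUSTOM_CATEGORIES.items():
        if host in sites:
            return name
    return CLOUD_CATEGORIES.get(host, "unknown")


@dataclass
class UrlFilteringProfile:
    actions: Dict[str, str]
    default: str = DEFAULT_ACTION
    acknowledged: Set[str] = field(default_factory=set)  # hosts a user clicked Continue on

    def action_for(self, category: str) -> str:
        return self.actions.get(category, self.default)

    def decide(self, host: str):
        """Returns (category, verdict). 'alert' passes the request and writes a URL
        Filtering log entry; 'continue' serves a response page until the user clicks
        through; 'block' serves the block page."""
        category = categorize(host)
        action = self.action_for(category)
        if action == "continue" and host in self.acknowledged:
            return category, "allow-after-continue"
        return category, action

    def click_continue(self, host: str) -> None:
        """Simulates the user pressing Continue on the response page; it has no
        effect on categories whose action is block."""
        if self.action_for(categorize(host)) == "continue":
            self.acknowledged.add(host)


STUDENT_URL_FILTERING = UrlFilteringProfile(CATEGORY_ACTIONS)

if __name__ == "__main__":
    for h in ("www.slashdot.org", "www.2600.org", "questionable.example", "nonesuch.example"):
        print(h, STUDENT_URL_FILTERING.decide(h))
```

    Note what the "unknown" block in the profile does in the model: any host with no category at all is blocked, which is why the lab asks you to verify that the TechSites entries show up in the Category column rather than falling through to unknown.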

    Test the File Blocking Profile with WildFire

    28. Open a new browser window to http://www.opera.com. Download the Opera browser installer to your local system.
    29. Click Monitor > Logs > Data Filtering to determine how the file was handled by the profile.


    Configure a Security Profile Group

    30. Return to the Web UI and click Objects > Security Profile Groups.
    31. Click Add to define a security profile group:

    Name                   Enter student-profile-group
    Antivirus Profile      Select student-antivirus
    Anti-Spyware Profile   Select student-antispyware
    URL Filtering Profile  Select student-url-filtering
    File Blocking Profile  Select student-file-block

    Click OK to close the security profile group window.

    Assign the Security Profile Group to a Policy

    32. Click Policies > Security.
    33. Click General Internet in the list of policy names. Edit the policy to replace the profiles with the profile group:

    Actions tab
    Profile Type           Select Group
    Group Profile          Select student-profile-group

    Click OK to close the policy window.

    34. Repeat the previous step and add the profile group to the Log-All policy.
    35. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.


    Create a Custom Report

    36. Click Monitor > Manage Custom Reports.
    37. Click Add to define a new custom threat report:

    Name                 Enter Top Threats by Day
    Database             Select Threat Summary
    Time Frame           Select Last 24 Hrs
    Sort by              Select Count and Top 10
    Group by             Select None and 10 Groups
    Selected Columns     Populate the Selected Columns field with the following values, in this order:
                         Threat/Content Name, Application, App Technology, App Sub Category, Count
    Query Builder        Build a query using the following parameters:
                         Connector: Select and   Attribute: Select Rule   Operator: Select =   Value: Enter General Internet   Click Add
                         Connector: Select or    Attribute: Select Rule   Operator: Select =   Value: Enter Log-All   Click Add

    Click OK to save the custom report definition.

    38. Click the name of your custom report to reopen the custom report window. Click Run Now to generate the report.
    39. The report will appear in a new tab in the window. Click Export to PDF to save it to your RDP desktop.


    Module 6 Decryption

    Verify Firewall Behavior Without Decryption

    1. From your laptop, browse to www.eicar.com and attempt to download one of the test files using http.
    2. Repeat the previous step but attempt to download one of the files using https.
    3. Go to the GUI and click Monitor > Logs > Threat to view the log. Only the non-encrypted download should appear in the log. SSL encryption hid the contents from the firewall, and so the test file was not detected as a threat.

    Create an SSL Self-Signed Certificate

    4. Click Device > Certificate Management > Certificates.
    5. Click Generate at the bottom of the screen to create a new self-signed certificate:

    Certificate Name       Enter student-ssl-cert
    Common Name            Enter 192.168.2.1
    Certificate Authority  Check the box

    Click Generate to create the certificate. Click OK to dismiss the certificate generation success window.

    6. Click student-ssl-cert in the list of certificates to edit the certificate properties. Check the boxes for Forward Trust Certificate and Forward Untrust Certificate. Click OK to confirm the changes.

    Create SSL Decryption Policies

    7. Click Policies > Decryption.
    8. Click Add to create an SSL decryption rule for the exception categories:

    General tab
    Name                 Enter no-decrypt-traffic
    Source tab
    Source Zone          Click Add, then select Trust-L3
    Destination tab
    Destination Zone     Click Add, then select Untrust-L3
    URL Category tab
    URL Category         Click Add and add each of the following URL categories:
                         health-and-medicine, shopping, financial-services
    Options tab
    Action               Select no-decrypt
    Type                 Select SSL Forward Proxy

    Click OK to close the configuration window.


    9. Click Add to create the SSL decryption rule for general decryption:

    General tab
    Name                 Enter decrypt-all-traffic
    Source tab
    Source Zone          Click Add, then select Trust-L3
    Destination tab
    Destination Zone     Click Add, then select Untrust-L3
    URL Category tab
    URL Category         Verify that the Any box is checked
    Options tab
    Action               Select decrypt
    Type                 Select SSL Forward Proxy

    Click OK to close the configuration window.

    10. Confirm that your decryption policy list looks like this:

    11. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.

    Test the SSL Decryption Policies

    12. Open a browser to the www.eicar.org downloads page. Download a test file using SSL. Ignore the certificate error. This is expected behavior because the firewall is intercepting the SSL connection and performing man-in-the-middle decryption. Close the browser window.
    13. In the Web UI, examine the threat logs. The virus should have been detected, since the SSL connection was decrypted. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box has a check mark.
    14. Open a browser to http://www.brightcloud.com/ and enter various URLs that you believe fall into the categories excluded by the no-decrypt rule. Make a list of URLs that fall into these categories to test against. For example:

    financial-services:   www.bankofamerica.com
    health-and-medicine:  www.deltadental.com
    shopping:             www.macys.com

    15. In the Web UI, click Monitor > Logs > Traffic. Set the traffic log to display only port 443 traffic on a 10 second refresh. Enter ( port.dst eq 443 ) in the filter field. Select 10 Seconds from the


    pulldown menu so that the display will refresh automatically. Leave this window open so you can monitor the traffic.

    16. In a separate browser window, use SSL (https://) to navigate to the websites you found in the excluded URL categories. Navigate to other websites as well (e.g., www.facebook.com, www.google.com) for comparison purposes.
    17. Return to the traffic log. Find an entry for one of the excluded categories by looking at the value in the URL Category column. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box in the Misc panel is unchecked.
    18. Repeat the previous step for a URL in a non-excluded category. Verify that the Decrypted box has a check mark.
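    Steps 15-18 check by eye that the Decrypted flag of each port 443 session agrees with the decryption rulebase: no-decrypt-traffic matches first for the three excluded URL categories, and decrypt-all-traffic catches everything else from Trust-L3 to Untrust-L3. The following Python model is an added example, not lab content or PAN-OS code. It evaluates a small filter expression in the same shape as the ( port.dst eq 443 ) filter of step 15 over constructed traffic-log rows, applies the two decryption rules to each row's URL category, and reports rows whose Decrypted flag contradicts the policy. The log rows, their field names (only port.dst comes from the lab) and the deliberately wrong www.deltadental.com row are constructed.

```python
"""Checks what steps 15-18 verify by hand: every port 443 session in the traffic
log should be decrypted unless its URL category matched the no-decrypt rule.
Added educational example; not PAN-OS code or lab content. The log rows and
their field names are constructed to mirror the columns the lab inspects."""
from typing import Dict, List

# Module 6 decryption rulebase, evaluated top-down, first match wins.
DECRYPTION_RULES = [
    {"name": "no-decrypt-traffic", "src": "Trust-L3", "dst": "Untrust-L3",
     "categories": {"health-and-medicine", "shopping", "financial-services"},
     "action": "no-decrypt"},
    {"name": "decrypt-all-traffic", "src": "Trust-L3", "dst": "Untrust-L3",
     "categories": "any", "action": "decrypt"},
]


def decryption_decision(src_zone: str, dst_zone: str, category: str):
    for rule in DECRYPTION_RULES:
        if rule["src"] == src_zone and rule["dst"] == dst_zone and (
                rule["categories"] == "any" or category in rule["categories"]):
            return rule["name"], rule["action"]
    return None, "no-decrypt"      # no matching rule: traffic passes through undecrypted


def match_filter(expr: str, record: Dict[str, object]) -> bool:
    """Evaluates a log filter of the form '( field op value ) and/or ( ... )',
    the syntax used in step 15, left to right. Supports eq and neq only."""
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    result, connector, i = None, None, 0
    while i < len(tokens):
        if tokens[i] != "(" or i + 4 >= len(tokens) or tokens[i + 4] != ")":
            raise ValueError(f"bad filter near token {i}: {expr}")
        field, op, value = tokens[i + 1:i + 4]
        actual = str(record.get(field, ""))
        term = {"eq": actual == value, "neq": actual != value}[op]
        result = term if result is None else (result and term) if connector == "and" else (result or term)
        i += 5
        if i < len(tokens):
            connector = tokens[i]
            if connector not in ("and", "or"):
                raise ValueError(f"expected and/or, got {connector!r}")
            i += 1
    return bool(result)


def filter_log(log: List[dict], expr: str) -> List[dict]:
    return [r for r in log if match_filter(expr, r)]


def decryption_mismatches(log: List[dict]) -> List[str]:
    """Hosts whose Decrypted flag disagrees with what the decryption policy says."""
    bad = []
    for r in filter_log(log, "( port.dst eq 443 )"):
        _, action = decryption_decision(r["from"], r["to"], r["category"])
        if r["decrypted"] != (action == "decrypt"):
            bad.append(r["host"])
    return bad


# Constructed traffic-log rows; 'decrypted' mirrors the Decrypted box in Log Details.
SAMPLE_LOG = [
    {"from": "Trust-L3", "to": "Untrust-L3", "host": "www.bankofamerica.com",
     "category": "financial-services", "port.dst": 443, "decrypted": False},
    {"from": "Trust-L3", "to": "Untrust-L3", "host": "www.macys.com",
     "category": "shopping", "port.dst": 443, "decrypted": False},
    {"from": "Trust-L3", "to": "Untrust-L3", "host": "www.facebook.com",
     "category": "social-networking", "port.dst": 443, "decrypted": True},
    {"from": "Trust-L3", "to": "Untrust-L3", "host": "www.deltadental.com",
     "category": "health-and-medicine", "port.dst": 443, "decrypted": True},  # wrong on purpose
    {"from": "Trust-L3", "to": "Untrust-L3", "host": "www.eicar.org",
     "category": "computer-and-internet-info", "port.dst": 80, "decrypted": False},
]

if __name__ == "__main__":
    print("port 443 rows:", len(filter_log(SAMPLE_LOG, "( port.dst eq 443 )")))
    print("policy/log mismatches:", decryption_mismatches(SAMPLE_LOG))
```

    The www.deltadental.com row is the case the lab is looking for in step 17: a health-and-medicine site that shows up decrypted means the exception rule did not match, typically because the category the firewall assigned differs from the one you expected.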


    CLI Reference

    This section provides a subset of the commands needed to complete the tasks in the associated lab modules. The commands are intended to provide command sets for you to research further in the PAN-OS Command Line Interface Reference Guide.

    Module 1 Administration and Management

    # load config from PAN-EDU-201-Default-1.xml
    > request license info
    > request system software info
    > request anti-virus upgrade info
    # set shared admin-role "Policy Admins" role device webui acc enable
    # set mgt-config users ip-admin permissions role-based custom profile "Policy Admins"
    > request config-lock add
    > request commit-lock add
    > request config-lock remove
    > request commit-lock remove

    Module 2 Interface Configuration

    # set zone tap-zone network tap
    # set network interface ethernet ethernet1/3 virtual-wire
    # set zone vwire-zone-3 network virtual-wire ethernet1/3
    # set network virtual-wire student-vwire interface1 ethernet1/3


    Module 3 Layer 3 Configuration

    # set network profiles interface-management-profile allow_all telnet yes
    # set network dhcp interface ethernet1/2 server ip-pool 192.168.15.50-192.168.15.60
    # set network virtual-router Student-VR interface ethernet1/2
    # set rulebase nat rules "student source nat" to Untrust-L3

    Module 4 App-ID

    # set rulebase security rules "General Internet" action allow
    # set application-filter Proxies subcategory proxy
    # set application-group Known-Good web-browsing

    Module 5 Content-ID

    # set profiles url-filtering Student-url-filtering alert bot-nets
    # set profiles custom-url-category TrustedCompanies list www.paloaltonetworks.com
    # set profiles virus Student-antivirus decoder ftp action alert
    # set profiles spyware Student-antispyware rules simple-low severity low
    # set profile-group "Student Profile" virus Student-antivirus
    # set rulebase security rules "General Internet" profile-setting group "Student Profile"

    Module 6 Decryption

    > request certificate generate ca yes name 192.168.15.1 certificate-name student15-cert
    # set rulebase decryption rules No-Decrypt source any