pan-edu-101 - lab manual pan-os 6.0 - rev a.pdf

Firewall Installation, Configuration, and Management: Essentials I
Lab Manual, PAN-OS 6.0, PAN-EDU-101 Rev A.200
PAN-EDU-101 Lab Manual, PAN-OS 6.0, Rev A.200, Page 2
Palo Alto Networks, Inc. www.paloaltonetworks.com 2007-2014 Palo Alto Networks. All rights reserved. Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.
Typographical Conventions

This guide uses the following typographical conventions for special terms and instructions.

Convention: Boldface. Meaning: Names of commands, keywords, and selectable items in the web interface. Example: Click Security to open the Security Rule Page.
Convention: Italics. Meaning: Name of parameters, files, directories, or Uniform Resource Locators (URLs). Example: The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com
Convention: courier font. Meaning: Coding examples and text that you enter at a command prompt. Example: Enter the following command: a:\setup
Convention: Click. Meaning: Click the left mouse button. Example: Click Administrators under the Device tab.
Convention: Right-click. Meaning: Click the right mouse button. Example: Right-click on the number of a rule you want to copy, and select Clone Rule.
Table of Contents

How to use this Lab Guide ... 6
Lab Guide Objectives ... 6
Lab Equipment Setup ... 7
Lab Assumptions ... 7
Student Firewall Interface Settings ... 7
Module 1: Administration and Management ... 8
  Scenario ... 8
  Required Information ... 8
Module 2: Interface Configuration (optional) ... 9
  Scenario ... 9
  Required Information ... 9
Module 3: Layer 3 Configuration ... 10
  Scenario ... 10
  Required Information ... 11
Module 4: App-ID ... 12
  Scenario 1 ... 12
  Required Information ... 12
  Scenario 2 ... 13
  Required Information ... 14
  Lab Notes ... 14
Module 5: Content-ID ... 15
  Scenario ... 15
  Required Information ... 16
  Lab Notes ... 16
Module 6: Decryption ... 17
  Scenario ... 17
  Required Information ... 18
  Lab Notes ... 18
Solutions ... 19
  Module 1: Introduction (Lab Access) ... 19
  Module 2: Interface Configuration ... 21
  Module 3: Layer 3 Configuration ... 23
  Module 4: App-ID ... 26
  Module 5: Content-ID ... 36
  Module 6: Decryption ... 43
CLI Reference ... 47
  Module 1: Administration and Management ... 47
  Module 2: Interface Configuration ... 47
  Module 3: Layer 3 Configuration ... 48
  Module 4: App-ID ... 48
  Module 5: Content-ID ... 48
  Module 6: Decryption ... 48
How to use this Lab Guide

The Lab Guide contains lab exercises which correspond to modules in the student guide. Each lab exercise consists of three parts: a scenario, a solution, and a CLI reference.

The scenario describes the lab exercise in terms of objectives and customer requirements. Minimal instructions are provided to encourage students to solve the problem on their own. If appropriate, the scenario includes a diagram and a table of required information needed to complete the exercise.

The solution is designed to help students who prefer step-by-step, task-based labs. Alternatively, students who start with the scenario can use the solution to check their work or to provide help if they get stuck on a problem.

The CLI reference is intended as a starting point for students interested in the CLI commands. A partial set of CLI commands is provided for students to research further in the Palo Alto Networks Command Line Reference Guide.

NOTE: Unless specified, the Google Chrome web browser and the PuTTY SSH client will be used to perform any tasks outlined in the following labs.

Lab Guide Objectives

This lab guide is designed specifically for a single student attending the self-paced version of the Essentials I course. The instructor-led version of the course includes additional exercises which can only be completed in a classroom environment with other students and additional equipment.

Once these labs are completed, you should be able to:
1. Configure the basic components of the firewall, including interfaces, security zones, and security policies.
2. Configure basic Layer 3 settings, such as IP addressing and NAT policies.
3. Configure basic Content-ID functionality, including antivirus protection and URL filtering.
4. Configure SSL decryption.

With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help enabled this training to be built, tested, and deployed.
Lab Equipment Setup

[Diagram: lab equipment setup, showing the DHCP-enabled network and the Internet]

Lab Assumptions

These lab instructions assume the following conditions:
1. The student is using a PA-200 firewall which has been registered with Palo Alto Networks Support.
2. The PA-200 firewall is using the default IP address on the MGT interface (192.168.1.1) and the default password (admin) for the admin account.
3. The firewall is licensed for Support, Threat Prevention, and URL Filtering.
4. All network connectivity for the student laptop used for the lab has been disabled except for the Ethernet adapter which will be connected to the firewall.
5. The firewall should have no policies defined on it.
6. The network that the student will connect to has a DHCP server from which the firewall can obtain an IP address and DNS information.
7. There are no other Palo Alto Networks firewalls between the student's PA-200 and the internet. The labs will still work if upstream firewalls exist, but the results will vary based on the firewall settings.

Student Firewall Interface Settings

Student Firewall: PA-200

Interface      Type          IP Address        Zone
MGT            Management    192.168.1.1       N/A
Ethernet1/1    Vwire                           trust
Ethernet1/2    Vwire                           untrust
Ethernet1/3    Layer 3       DHCP Client       Untrust-L3
Ethernet1/4    Layer 3       192.168.2.1/24    Trust-L3
Module 1: Administration and Management

In this lab you will:
- Connect to the firewall through the MGT interface
- Create new administrator roles and accounts on the firewall

Scenario

You have been tasked with integrating a new firewall into your environment. The firewall is configured with the factory default IP address and administrator account. You will need to change the IP address of your laptop to communicate with the default IP address of the MGT port.

If your firewall has settings you would like to restore after the completion of this lab, save the current configuration so that it can be reloaded on the firewall. Apply a saved configuration to the firewall so that it is in a known state.

In preparation for the new deployment, create a role for an assistant administrator which allows access to all firewall functionality through the Web UI except Monitor, Network, Privacy, and Device. The account should have no access to the XML API or the CLI. Create an account using this role. Additionally, change the password of the admin account to disable the warnings about using default credentials.

Required Information

Named Configuration Snapshot: PANEDU101Default
New Administrator Role name: Policy Admins
New Administrator Account name: ip-admin
New Administrator Account password: paloalto
New password for the admin account: paloalto
Module 2: Interface Configuration (optional)

In this lab you will:
- Create Security Zones
- Configure basic interface types

Scenario:

You are preparing the firewall for a simple proof of concept (POC). In order to demonstrate firewall features with a minimum of changes to the existing network, you have decided to use virtual wire to pass traffic through the firewall for one network segment and a tap interface to monitor a different network segment.

Configure the virtual wire and create zones so that policy rules can be defined. Create a tap interface and the associated zone.

Note: Due to the limited number of interfaces available on a PA-200, the configurations set in this lab will be immediately removed so that the interfaces may be reused for later labs.

Required Information

Interface to use for tap interface: Ethernet1/3
Interfaces to use for virtual wire: Ethernet1/3, Ethernet1/4
Name for the tap zone: tap-zone
Name for the virtual wire zones: vwire-zone-3, vwire-zone-4
Name for the virtual wire object: student-vwire
Module 3: Layer 3 Configuration

In this lab you will:
- Create Interface Management Profiles
- Configure Ethernet interfaces with Layer 3 information
- Configure DHCP
- Create a Virtual Router
- Create Source NAT policy

Scenario:

The POC went well and the decision was made to use the Palo Alto Networks firewall in the network. You are to create two zones, Untrust-L3 and Trust-L3. The external-facing interface in Untrust-L3 will get an IP address from a DHCP server on the external network. Trust-L3 will be where the internal clients connect to the firewall, and so the interface in Trust-L3 will provide DHCP addresses to these internal clients. The DHCP server you configure in the Trust-L3 zone will inherit DNS settings from the external-facing interface. Both the internal and external interfaces on the firewall must route traffic through the external-facing interface by default. The interface in Untrust-L3 must be configured to respond to pings and the interface in Trust-L3 must be able to provide all management services.

NOTE: You will not be able to test whether the Untrust-L3 interface responds to pings until the next lab.

Once you have completed the Layer 3 configurations, you will need to move the physical Ethernet cable from the MGT port to the ethernet1/4 port of the PA-200. You must also change the settings of the LAN interface on your laptop to use DHCP-supplied network information (IP address and DNS servers) instead of static settings.

When the firewall is fully configured, a NAT policy must exist so that all traffic originating in the Trust-L3 zone appears to come from the external-facing address of the firewall.

Required Information

Interface Management Profile Names: allow_all, allow_ping
Internal-facing IP Address: 192.168.2.1/24
External-facing interface: Ethernet1/3
Internal-facing interface: Ethernet1/4
DHCP Server: Gateway: 192.168.2.1
DHCP Server: Inheritance Source: Ethernet1/3
DHCP Server: Primary DNS: inherited
DHCP Server: IP address range: 192.168.2.50-192.168.2.60
Virtual Router Name: Student-VR
Module 4: App-ID

In this lab you will:
- Enable the firewall to communicate with the Palo Alto Networks update server
- Update the threat definitions and OS of the firewall
- Create a security policy to allow basic internet connectivity and log dropped traffic
- Enable Application Block pages
- Create Application Filters and Application Groups

Scenario 1:

In order to update the software on the firewall, you must enable the DNS, paloalto-updates, and SSL applications to pass between the zones. The applications should only be permitted on application-default ports. Configure the firewall to communicate with DNS and Palo Alto Networks update servers through the Trust-L3 interface.

Once these configurations are complete, license your firewall. Update the Threats and Applications data file to the most recent version.

Required Information

DNS Server for the MGT functions: 4.2.2.2
Address to use for Service Routes: 192.168.2.1/24
Name to use for Security Policy: General Internet
Scenario 2:

At this point, the firewall is configured but not passing traffic. Security policies must be defined before traffic will flow between zones. To facilitate testing and present the minimal amount of risk to the network traffic, the policies will be established in a three-phase deployment:

Phase 1: Modify the General Internet policy to allow users in the Trust-L3 zone to use a set of commonly used applications to access the internet. The applications should only be permitted on application-default ports. All other traffic (inbound and outbound) should be blocked and logged so that you can identify what other applications are being used. This will help generate lists of good and bad applications to be managed in the later phases.

Phase 2: Configure the firewall to notify users when blocked applications are used so that the help desk does not get called for connection issues that are actually blocked applications.

Phase 3: The results from the first two phases of testing result in the following discoveries:
- The logs from phase 1 show heavy use of a variety of internet proxies and client-server gaming applications by users in the Trust-L3 zone. Management mandates that you explicitly prevent use of these applications.
- For ease of configuration, your team decides to create groups for the allowed and denied applications to reduce the number of policies required on the firewall.
- The rules blocking all unmatched traffic were too restrictive for your environment. The testing denied access to numerous vital applications, causing a surge in support calls. Any traffic which does not match the allowed or denied lists should be allowed but logged for future policy decisions.

Modify General Internet and create new policies (Block-Known-Bad and Log-All) to meet these new requirements. Remove the other policies created in Phase 1.
Required Information

Phase 1 Allowed Applications: dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
Phase 1 Security Policy names: General Internet, Deny Inbound, Deny
Phase 3 Application Filter names: Proxies, Web-Based-File-Sharing
Phase 3 Security Policy names: General Internet, Deny Inbound, Block-Known-Bad, Log-All
Setting for Proxies application filter: Subcategory: Proxies
Settings for Web-Based-File-Sharing application filter: Subcategory: file-sharing; Technology: browser-based
Phase 3 Application Group names: Known-Good, Known-Bad
Members of the Known-Good application group: dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
Members of the Known-Bad application group: Proxies, Web-Based-File-Sharing

Lab Notes
- During Phase 1, test your connectivity by connecting to http://www.box.net (login: student@pan-edu.com, password: paloalto1). Use the traffic logs to determine how the firewall handles that connection.
- During Phase 2, check to see what happens when you browse to www.facebook.com before and after you make your changes.
- The lab solutions use the buttons at the bottom of the policy screens to change the order of the rules. Rules can also be reordered by clicking and dragging the rules to the desired location.
Module 5: Content-ID

In this lab you will:
- Configure Security Profiles
- Create a Security Profile group
- Associate Security Profiles and Security Profile Groups to Security Policy
- Generate a custom report

Scenario

Now that traffic is passing through the firewall, you decide to further protect the environment with Security Profiles. The specific security requirements for general internet traffic are:
- Log all URLs accessed by users in the Trust-L3 zone. In particular, you need to track access to a set of specified technology websites.
- Access to all hacking and government sites should be set to Continue.
- Block the following URL categories:
  o Adult and pornography
  o questionable
  o Unknown
- Log, but do not block, all viruses detected and maintain packet captures of these events for analysis.
- Log spyware of severity levels critical and high detected in the traffic. Ignore all other spyware.
- Configure files to be automatically forwarded to WildFire with no user interaction.
After all of these profiles are configured, send test traffic to verify that the protection behaves as expected. Testing parameters will be included in the Required Information section of this lab.

After the initial testing is complete, you are asked to change the Antivirus protection to block viruses. Make the changes and verify the difference in behavior.

Once the individual profiles are created and tested, combine the profiles into a single group for ease of management. Attach the group to the appropriate security policies.

Your manager wants to see daily reports which detail the threats encountered by the firewall. Configure a custom report to show a threat summary for all traffic allowed in the past 24 hours. It should include the threat name, the application (including technology and subcategory for reference), and the number of times that threat was encountered. Export the file as a PDF.

Required Information

Custom Technology sites to track: www.slashdot.org, www.cnet.com, www.phys.org, www.zdnet.com

Location of files for testing antivirus:
1. Browse to http://www.eicar.org
2. Click Anti-Malware Testfile.
3. Click Download
4. Download any of the files using http only. Do not use the SSL links.

Hacking sites for testing URL Filtering: www.2600.org, www.neworder.box.sk

Procedure for testing file blocking:
1. Navigate to the web site http://www.opera.com
2. Download the installer to your local system

Lab Notes
- You do not need to assign profiles to all of the security policies you have created in the lab. The Known-Bad policy has an action of deny, so profiles will do nothing for that rule.
- Only test the antivirus profile using http, not https. HTTPS connections will prevent the firewall from seeing the packet contents, so the viruses contained will not be detected by the profile. Decryption will be covered in a later module.
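The custom threat summary described in this module, worked as an added example that is not part of the lab manual: it reduces a few constructed threat-log records to allowed traffic from the past 24 hours and counts them by threat name and application (with technology and subcategory), and it also breaks the same window down by action so the alert-versus-block change to the antivirus profile can be confirmed. The application metadata, the log field names and the set of blocking action values are assumptions made for the example.

```python
"""Threat summary of the kind the Module 5 custom report asks for: threats seen in
allowed traffic over the past 24 hours, grouped by threat name and application
(with the application's technology and subcategory) and counted. The log
records and the application metadata are constructed stand-ins; the column
names are simplified versions of the firewall's threat-log fields."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed App-ID stand-in: app -> (technology, subcategory).
APP_INFO = {
    "web-browsing": ("browser-based", "internet-utility"),
    "ssl": ("browser-based", "encrypted-tunnel"),
    "ftp": ("client-server", "file-sharing"),
}
# Actions under which the firewall stopped the session; anything else counts as
# allowed traffic for the report. (Assumed set of threat-log action values.)
BLOCKING_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both", "block-url"}

# Constructed threat-log records. The last two are a session stopped after the
# antivirus profile was switched to block, and an event older than 24 hours.
THREAT_LOG = [
    {"time": "2014-03-10 09:12:44", "threat": "Eicar Test File Detection", "app": "web-browsing", "action": "alert"},
    {"time": "2014-03-10 09:13:02", "threat": "Eicar Test File Detection", "app": "web-browsing", "action": "alert"},
    {"time": "2014-03-10 09:20:15", "threat": "Eicar Test File Detection", "app": "ftp", "action": "alert"},
    {"time": "2014-03-10 11:05:31", "threat": "Hypothetical Spyware Beacon", "app": "web-browsing", "action": "alert"},
    {"time": "2014-03-10 14:41:09", "threat": "Eicar Test File Detection", "app": "web-browsing", "action": "drop"},
    {"time": "2014-03-08 16:00:00", "threat": "Eicar Test File Detection", "app": "web-browsing", "action": "alert"},
]
REPORT_TIME = datetime(2014, 3, 10, 17, 0, 0)  # constructed "now" for the report


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def in_window(record: dict, now: datetime, window: timedelta) -> bool:
    """True when the record's timestamp falls inside (now - window, now]."""
    ts = parse_time(record["time"])
    return now - window < ts <= now


def threat_summary(records, now=REPORT_TIME, window=timedelta(hours=24)):
    """Rows of (threat, application, technology, subcategory, count) for allowed
    traffic in the window, most frequent first; ties sort by threat, then app."""
    counts = Counter()
    for r in records:
        if r["action"] in BLOCKING_ACTIONS or not in_window(r, now, window):
            continue
        tech, subcat = APP_INFO.get(r["app"], ("unknown", "unknown"))
        counts[(r["threat"], r["app"], tech, subcat)] += 1
    rows = [(*key, n) for key, n in counts.items()]
    rows.sort(key=lambda row: (-row[4], row[0], row[1]))
    return rows


def action_breakdown(records, now=REPORT_TIME, window=timedelta(hours=24)):
    """threat -> {action: count} for the window, to confirm the before/after
    difference when the antivirus profile is changed from alert to block."""
    out = defaultdict(Counter)
    for r in records:
        if in_window(r, now, window):
            out[r["threat"]][r["action"]] += 1
    return {threat: dict(c) for threat, c in out.items()}


def render(rows) -> str:
    """Fixed-width text version of the report, for a quick look before exporting a PDF."""
    header = ("Threat", "Application", "Technology", "Subcategory", "Count")
    widths = [max(len(str(row[i])) for row in (header, *rows)) for i in range(5)]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    return "\n".join(fmt.format(*row) for row in (header, *rows))


if __name__ == "__main__":
    print(render(threat_summary(THREAT_LOG)))
    print(action_breakdown(THREAT_LOG))
```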
Module 6: Decryption

In this lab you will:
- Create a self-signed SSL certificate
- Configure the firewall as a forward proxy using decryption rules

Scenario

Your security team is concerned about the results of the testing performed as part of the security profile configurations. The team observed that the antivirus profile only identified viruses which were not SSL encrypted. The concern is that files transferred from encrypted sources (e.g., https://www.facebook.com) could escape detection and cause issues. For testing purposes, you will need to change the antivirus profile to alert instead of blocking the file. Verify that https downloads of virus files from www.eicar.org are detected by the antivirus profile.

You want to evaluate using a forward proxy configuration on the Palo Alto Networks firewall. Only traffic from Trust-L3 to Untrust-L3 needs to be decrypted. Since this is not production, you decide to use self-signed SSL certificates generated on the firewall for this implementation. The legal department has advised you that certain traffic should not be decrypted for liability reasons. Specifically, you may not decrypt traffic from health-related, shopping, or financial websites.

Test the decryption two ways:
- Attempt to download test files from www.eicar.org using https and verify that they are detected by the firewall
- Connect to various websites using https and use the logs to verify that the correct URL categories are being decrypted
After your initial testing of the forward proxy, the penetration testing team calls you to request an exception to the decryption rules. The team asks that www.eicar.org be excluded from decryption so that they will still be able to download the files they need to perform their evaluations. Change the implementation to allow this exception.

Required Information

Self-signed Certificate name: student-ssl-cert
Common Name of the SSL Certificate: 192.168.2.1
Decryption Policies: no-decrypt-traffic, decrypt-all-traffic

Lab Notes
- You will get certificate errors when browsing after decryption is enabled. This is expected because the self-signed certificates have not been added to the trusted certificates of the client browser. In a production environment you would resolve this by adding the firewall certificate to the clients as trusted or by using a commercial certificate from a known CA such as VeriSign.
- Order matters with policies: make sure that the decrypt and no-decrypt policies are evaluated in the correct order.
- To find URLs to test the no-decrypt rule, go to http://www.brightcloud.com/ and enter various URLs that you believe fall into the categories you are testing.
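The Phase 3 security rulebase from Module 4 and the decrypt / no-decrypt rulebase from this module both rely on top-down, first-match evaluation; the following added example (not code from the lab manual or from Palo Alto Networks) models both rulebases, including application filters and the www.eicar.org exception, and shows how placing decrypt-all-traffic above no-decrypt-traffic shadows the exception. The App-ID metadata, the URL categories, the "hypothetical-*" applications and the eicar-exception custom category are assumptions constructed for the example.

```python
"""First-match evaluation of the Module 4 Phase 3 security rulebase and the
Module 6 decrypt / no-decrypt rulebase. App-ID metadata and URL categories are
constructed stand-ins for the firewall's databases, and matching on addresses,
users, services and ports is left out."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Union

# Constructed App-ID stand-in: app -> (subcategory, technology).
# The "hypothetical-*" names are invented for the example.
APP_DB = {
    "dns": ("infrastructure", "network-protocol"),
    "web-browsing": ("internet-utility", "browser-based"),
    "ssl": ("encrypted-tunnel", "browser-based"),
    "paloalto-updates": ("software-update", "client-server"),
    "hypothetical-proxy": ("proxy", "client-server"),
    "hypothetical-webshare": ("file-sharing", "browser-based"),
    "hypothetical-p2p": ("file-sharing", "peer-to-peer"),
}
# Constructed URL-database stand-in: host -> category.
URL_DB = {
    "www.eicar.org": "computer-and-internet-info",
    "www.facebook.com": "social-networking",
    "bank.example": "financial-services",
    "shop.example": "shopping",
    "clinic.example": "health-and-medicine",
}
# Custom URL category carrying the penetration testing team's exception.
CUSTOM_URL_CATEGORIES = {"eicar-exception": {"www.eicar.org"}}


def app_filter(subcategory: str, technology: Optional[str] = None) -> Callable[[str], bool]:
    """Application filter as in Phase 3: membership is dynamic, by subcategory and technology."""
    def match(app: str) -> bool:
        sub, tech = APP_DB.get(app, ("", ""))
        return sub == subcategory and (technology is None or tech == technology)
    return match


# Known-Good is a static application group; Known-Bad groups the two filters.
KNOWN_GOOD = {"dns", "fileserve", "flash", "ftp", "paloalto-updates", "ping", "web-browsing", "ssl"}
KNOWN_BAD = [app_filter("proxy"), app_filter("file-sharing", "browser-based")]


def url_categories(host: str) -> set:
    """Built-in category plus every custom category that lists the host."""
    cats = {URL_DB.get(host, "unknown")}
    cats |= {name for name, members in CUSTOM_URL_CATEGORIES.items() if host in members}
    return cats


@dataclass
class Rule:
    name: str
    from_zone: str                        # "any" or a zone name
    to_zone: str
    action: str                           # allow, deny, decrypt or no-decrypt
    apps: Union[str, set, list] = "any"   # "any", a set of app names, or a list of filters
    categories: Union[str, set] = "any"   # "any" or a set of URL categories

    def matches(self, from_zone: str, to_zone: str, app: str, host: str) -> bool:
        if self.from_zone not in ("any", from_zone) or self.to_zone not in ("any", to_zone):
            return False
        if isinstance(self.apps, set) and app not in self.apps:
            return False
        if isinstance(self.apps, list) and not any(f(app) for f in self.apps):
            return False
        if self.categories != "any" and not (self.categories & url_categories(host)):
            return False
        return True


def evaluate(rulebase: Iterable[Rule], from_zone: str, to_zone: str,
             app: str, host: str = "") -> Optional[Rule]:
    """Top-down, first match wins; None means no rule matched (implicit deny)."""
    return next((r for r in rulebase if r.matches(from_zone, to_zone, app, host)), None)


def shadowed(rulebase: list, probes: Iterable[tuple]) -> list:
    """Names of rules that never win for any probe (from_zone, to_zone, app, host):
    a cheap pre-commit check for the ordering mistake the lab notes warn about."""
    winners = set()
    for probe in probes:
        rule = evaluate(rulebase, *probe)
        if rule is not None:
            winners.add(rule.name)
    return [r.name for r in rulebase if r.name not in winners]


# Phase 3 security rulebase, in the order the scenario requires.
SECURITY = [
    Rule("General Internet", "Trust-L3", "Untrust-L3", "allow", apps=KNOWN_GOOD),
    Rule("Block-Known-Bad", "Trust-L3", "Untrust-L3", "deny", apps=KNOWN_BAD),
    Rule("Deny Inbound", "Untrust-L3", "Trust-L3", "deny"),
    Rule("Log-All", "any", "any", "allow"),
]
# Module 6 decryption rulebase: the exception must sit above the catch-all.
NO_DECRYPT = Rule("no-decrypt-traffic", "Trust-L3", "Untrust-L3", "no-decrypt", categories={
    "health-and-medicine", "shopping", "financial-services", "eicar-exception"})
DECRYPT_ALL = Rule("decrypt-all-traffic", "Trust-L3", "Untrust-L3", "decrypt")
DECRYPTION_OK = [NO_DECRYPT, DECRYPT_ALL]
DECRYPTION_WRONG = [DECRYPT_ALL, NO_DECRYPT]
```

Run `shadowed(DECRYPTION_WRONG, probes)` with one probe per host in URL_DB to see no-decrypt-traffic reported as never matching, which is exactly the ordering error the lab notes describe.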
Solutions

Module 1: Introduction (Lab Access)

Prepare your laptop for the lab
1. While connected to the internet, download the file PANEDU101Default to the laptop you will be using for the lab exercises.
2. Configure the physical LAN interface on your laptop with an IP address to communicate with the firewall.
   IP address: 192.168.1.100
   Subnet Mask: 255.255.255.0
3. Connect an Ethernet cable between the interface you just configured and the MGT port of your firewall.
4. Open a command prompt and verify you can ping the IP address 192.168.1.1.

Log on to the Firewall
5. Open a browser and connect to the firewall at https://192.168.1.1. Note: You will get a warning message since the firewall is using an untrusted self-signed certificate. Dismiss the warning and continue to the web page.
6. Log on with the default username and password. Click OK to dismiss the warning about the default admin credentials.

Save the current configuration on your firewall (optional)
Note: If your firewall has settings you would like to restore after the completion of this lab, save the configuration so that it can be reloaded on the firewall.
7. Click Device > Setup > Operations.
8. Click Save named configuration snapshot. Enter pre-101-labs in the Name field. Click OK to complete the save. Click OK to dismiss the success window.

Upload and apply baseline configuration to your firewall
9. Click Device > Setup > Operations.
10. Click Import named configuration snapshot. Click Browse to select the PANEDU101Default file from your system. Click Open then OK to upload the file to the firewall. Click OK to dismiss the success window.
11. Click Load Named Configuration Snapshot.
12. Select PANEDU101Default. Click OK. Click OK to dismiss the success window.
13. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes, then click Close.
Add an Administrator Role
14. Click Device > Admin Roles.
15. Click Add in the lower left of the panel and create a new admin role:
    Name: Enter Policy Admins
    Web UI tab: Click the following major categories to disable them: Monitor, Network, Device, Privacy
    The remaining major categories should remain enabled. Click OK to continue.

Manage administrator accounts
16. Click Device > Administrators.
17. Click admin in the list of users. Change the password to paloalto. Click OK to close the configuration window.
18. Click Add in the lower left corner of the panel. Configure a new administrator account:
    Name: Enter ip-admin
    Password / Confirm Password: Enter paloalto
    Role: Select Role Based
    Profile: Select Policy Admins
    Click OK.
19. Click the Commit link at the top right of the Web UI. Click OK and wait until the commit process completes, then click Close.
20. Use an SSH client (e.g., PuTTY) to attempt to log in to the CLI as ip-admin. Because the role assigned to this account was not assigned CLI access, the connection should reset.
21. Open a different browser and log on to the Web UI as ip-admin and explore the available functionality. For example, if you originally connected to the Web UI using Chrome, open this connection in Internet Explorer. Compare the displays for the admin and ip-admin accounts to see the limitations of the newly created account.
22. Log out of the ip-admin account connection when you are done exploring.
Module 2: Interface Configuration

Create new Security Zones
1. If necessary, log in to the Web UI using your admin account.
2. Click Network > Zones. Click Add and create the tap zone:
   Name: Enter tap-zone
   Type: Select Tap
   Click OK to close the zone creation window.
3. Click Add and create the first virtual wire zone:
   Name: Enter vwire-zone-3
   Type: Select Virtual Wire
   Click OK to close the zone creation window.
4. Click Add and create the second virtual wire zone:
   Name: Enter vwire-zone-4
   Type: Select Virtual Wire
   Click OK to close the zone creation window.

Configure a Tap interface
5. Click Network > Interfaces > Ethernet.
6. Click the interface name ethernet1/3. Configure the interface:
   Interface Type: Select Tap
   Config tab
   Security Zone: Select tap-zone
   Click OK to close the interface configuration window.

Creating a Virtual Wire Setup
7. Click Network > Virtual Wires.
8. Click Add and create a new virtual wire object named student-vwire. Keep all other settings at the default values and click OK.
9. Click Network > Interfaces > Ethernet.
10. Click the interface name ethernet1/3. Configure the interface:
    Interface Type: Select Virtual Wire
    Config tab
    Virtual Wire: Select student-vwire
    Security Zone: Select vwire-zone-3
    Click OK to close the interface configuration window.
11. Click the interface name ethernet1/4. Configure the interface:
    Interface Type: Select Virtual Wire
    Config tab
    Virtual Wire: Select student-vwire
    Security Zone: Select vwire-zone-4
    Click OK to close the interface configuration window.

Normally, you would commit your changes at this point. However, for the self-paced labs you will be reusing these interfaces, so you must undo some of the changes you just implemented.
12. Click Network > Virtual Wires.
13. Select the student-vwire object and click Delete.
(Note: you will set the interfaces to a different type in the next module.)
Module 3: Layer 3 Configuration

Create new Security Zones
1. Go to the Web UI and click Network > Zones.
2. Click Add and create the Untrust-L3 zone:
   Name: Enter Untrust-L3
   Type: Verify that Layer3 is selected
   Click OK to close the zone creation window.
3. Click Add and create the Trust-L3 zone:
   Name: Enter Trust-L3
   Type: Select Layer 3
   Click OK to close the zone creation window.

Create Interface Management Profiles
4. Click Network > Network Profiles > Interface Mgmt.
5. Click Add and create an interface management profile:
   Name: Enter allow_all
   Permitted Services: Select all check boxes
   Permitted IP Addresses: Do not add any addresses
   Click OK to close the interface management profile creation window.
6. Click Add and create another interface management profile:
   Name: Enter allow_ping
   Permitted Services: Select only the Ping check box
   Permitted IP Addresses: Do not add any addresses
   Click OK to close the interface management profile creation window.
7. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.

Configure Ethernet interfaces with Layer 3 info
8. Click Network > Interfaces > Ethernet.
9. Click the interface name ethernet1/3. Configure the interface:
   Interface Type: Select Layer 3
   Config tab
   Virtual Router: Keep default (none)
   Security Zone: Select Untrust-L3
   IPv4 tab
   Type: Select DHCP Client
   Advanced > Other Info tab
   Management Profile: Select allow_ping
   Click OK to close the interface configuration window.
10. Click the interface name ethernet1/4. Configure the interface:
    Interface Type: Select Layer 3
    Config tab
    Virtual Router: Keep default (none)
    Security Zone: Select Trust-L3
    IPv4 tab
    Type: Keep default (Static)
    IP: Click Add then enter 192.168.2.1/24
    Advanced > Other Info tab
    Management Profile: Select allow_all
    Click OK to close the interface configuration window.

Configure DHCP
11. Click Network > DHCP > DHCP Server.
12. Click Add to define a new DHCP Server:
    Interface Name: Select ethernet1/4
    Inheritance Source: Select ethernet1/3
    Gateway: Enter 192.168.2.1
    Primary DNS: Select inherited
    IP Pools: Click Add then enter 192.168.2.50-192.168.2.60
    Click OK to close the DHCP Server configuration window.

Create a Virtual Router
13. Click Network > Virtual Routers.
14. Click Add to define a new virtual router:
    General tab
    Name: Enter Student-VR
    Interfaces: Click Add then select ethernet1/3. Click Add again and select ethernet1/4.
    Click OK to close the virtual router configuration window.
15. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.
Test the Network Configuration
16. Log out of the Web UI.
17. Move the Ethernet cable from the MGT interface to the ethernet1/4 interface on the firewall.
18. Plug the cable connected to your network into the ethernet1/3 interface on the firewall.
19. Configure the physical LAN interface on your laptop (the one connected to the ethernet1/4 interface) to use a DHCP address.
20. Verify that your laptop is receiving a DHCP address from the firewall. The displayed IP address should be in the range 192.168.2.50-192.168.2.60 if the DHCP Server is configured correctly. You should also be able to ping 192.168.2.1.
21. Connect to the Web UI by launching a browser to https://192.168.2.1 and logging in with your admin account.

Create a Source NAT policy
22. Click Policies > NAT.
23. Click Add to define a new source NAT policy:
    General tab
    Name: Enter Student Source NAT
    Original Packet tab
    Source Zone: Click Add and select Trust-L3
    Destination Zone: Select Untrust-L3
    Destination Interface: Select ethernet1/3
    Translated Packet > Source Address Translation tab
    Translation Type: Select Dynamic IP and Port
    Address Type: Select Interface Address
    Interface: Select ethernet1/3
    Click OK to close the NAT policy configuration window.
24. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.

Note: At this point, you still will not have access to the internet. A security policy is required, which will be configured in the next lab.
Module 4 App-ID
Scenario 1 Create the General Internet Policy
1. Go to the WebUI and click Policies > Security.
2. Click Add to define a security policy:
General tab
  Name: Enter General Internet
Source tab
  Source Zone: Click Add and select Trust-L3
  Source Address: Select Any
Destination tab
  Destination Zone: Click Add and select Untrust-L3
  Destination Address: Select Any
Application tab
  Applications: Click Add and select each of the following: dns, paloalto-updates, ssl
Service/URL Category tab
  Service: Select application-default from the pulldown
Actions tab
  Action Setting: Select Allow
  Log Setting: Select Log at Session End
Click OK to close the security policy configuration window.
Configure the Firewall to Communicate with the Update Server
3. In the WebUI, click Device > Setup > Services.
4. Click the icon in the upper right corner of the Services panel to configure DNS lookups:
  DNS: Verify that Servers is selected
  Primary DNS Server: Enter 4.2.2.2
  Update Server: Keep the default (updates.paloaltonetworks.com)
Click OK to close the configuration window.
5. In the Services Features panel, click the Service Route Configuration link to configure how the firewall accesses network services. Click the radio button for Select. For the DNS, Palo Alto Updates, and URL Updates services, go to the Source Address column and select 192.168.2.1/24. Click OK to close the configuration window.
6. Click the Commit link at the top right of the WebUI. Click OK and wait until the commit process completes before continuing.
Review PAN-OS Licenses
7. Click Device > Licenses.
8. If no licenses appear, click Retrieve license keys from license server.
9. Review the licenses installed and their expiration dates.
Update the Applications and Threats Definition File
Note: Upgrading PAN-OS requires that the firewall be running the most recent Applications and Threats definition file. All other dynamic updates can be handled later.
10. Click Device > Dynamic Updates.
11. Click Check Now at the bottom of the page to retrieve the latest updates from Palo Alto Networks.
12. Verify that your firewall is running the most recent Applications and Threats definition file.
13. If the definition file is out of date, install the latest version.
  a. Click Download on the line for the update file you plan to install. Click Close when the file download completes.
  b. The Download link will have been replaced with the Install link. Click Install to activate the definition file. The installation will automatically trigger a commit. Wait for both operations to complete before continuing. Click Close to exit the installation window.
Verify the PAN-OS Version
14. Click Device > Software.
15. Review available, downloaded, and installed PAN-OS software. If no software versions are displayed, click Check Now at the bottom of the panel to refresh the list.
What version of PAN-OS is running on your firewall?
16. If the firewall is not running version 6.0.0, update the firewall to that version.
  a. Click Download on the line for version 6.0.0. Click Close when the file download completes.
  b. If your firewall is currently running a version of PAN-OS older than 6.0.0 (e.g., 5.0.x), you must also download (but not install) version 5.1.0. Click Download on the line for version 5.1.0. Click Close when the file download completes.
  c. On the line for 6.0.0, the Download link will have been replaced with the Install link. Click Install to update PAN-OS on your firewall.
  d. Reboot the firewall when prompted. Wait until your browser reconnects with the firewall and log in again using your admin account.
Scenario 2 (Phase 1) Modify the General Internet Policy
17. Go to the WebUI and click Policies > Security.
18. Click the General Internet policy you previously created and modify the allowed applications:
Application tab
  Applications: Click Add and select each of the following: fileserve, flash, ftp, ping, web-browsing
Click OK to close the security policy configuration window.
Create Policies to Block and Log All Inbound and Outbound Traffic
19. Click Policies > Security.
20. Click Add to define the Deny Outbound security policy:
General tab
  Name: Enter Deny Outbound
Source tab
  Source Zone: Click Add and select Trust-L3
  Source Address: Select Any
Destination tab
  Destination Zone: Click Add and select Untrust-L3
  Destination Address: Select Any
Application tab
  Applications: Check the Any box
Service/URL Category tab
  Service: Select any from the pulldown
Actions tab
  Action Setting: Select Deny
  Log Setting: Select Log at Session End
Click OK to close the security policy configuration window.
21. Click Add to define the Deny Inbound security policy:
General tab
  Name: Enter Deny Inbound
Source tab
  Source Zone: Click Add and select Untrust-L3
  Source Address: Select Any
Destination tab
  Destination Zone: Click Add and select Trust-L3
  Destination Address: Select Any
Application tab
  Applications: Check the Any box
Service/URL Category tab
  Service: Select any from the pulldown
Actions tab
  Action Setting: Select Deny
  Log Setting: Select Log at Session End
Click OK to close the security policy configuration window.
22. Ensure your Security Policy looks like this:
Note: The default rule 1 affects virtual wire connections and will not affect the lab exercises.
23. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Verify Internet Connectivity and Application Blocking
24. Test internet connectivity by browsing web sites from your laptop. Does web surfing over ports 80 and 443 work?
25. Use a browser to connect to the site http://www.box.net. The browser should not be able to display the site. Review the traffic logs to determine why this site is not reachable. (Hint: Check the applications listed in the log.) The boxnet-base application is not allowed by the configured policies.
26. Attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com. You will not be able to connect because the avoidr web site also uses a custom application which is not allowed by your policies. Use the traffic logs to verify this statement.
Scenario 2 (Phase 2) Create an Application Block Page
1. From the RDP desktop, open a browser and navigate to http://www.facebook.com. Leave the browser open to the error page.
2. Return to the WebUI and click Device > Response Pages.
3. Find the Application Block Page line and click Disabled.
4. Check the Enable Application Block Page box, and then click OK.
5. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
6. Open a different browser window and go to http://www.facebook.com. Compare the page displayed to the one generated in Step 1 of the Create an Application Block Page section of the lab.
Note: An Interface Management Profile DOES NOT need to be set for application block pages. From the admin guide (p. 176): The Response Pages check box controls whether the ports used to serve captive portal and URL filtering response pages are open on Layer 3 interfaces. Ports 6080 and 6081 are left open if this setting is enabled.
Scenario 2 (Phase 3) Create Application Filters
1. Go to the WebUI and click Objects > Application Filters.
2. Click Add to define the Proxies application filter:
  Name: Enter Proxies
  Subcategory column: Select proxy
Click OK to close the application filter configuration window.
3. Click Add to define the Web-Based-File-Sharing application filter:
  Name: Enter Web-Based-File-Sharing
  Subcategory column: Select file-sharing
  Technology column: Select browser-based
Click OK to close the application filter configuration window.
Create Application Groups
4. Click Objects > Application Groups.
5. Click Add to define the Known-Good application group:
  Name: Enter Known-Good
  Applications: Click Add and select each of the following: dns, fileserve, flash, ftp, paloalto-updates, ping, ssl, web-browsing
Click OK to close the application group configuration window.
6. Click Add to define the Known-Bad application group:
  Name: Enter Known-Bad
  Applications: Click Add and select each of the following: Proxies, Web-Based-File-Sharing
Click OK to close the application group configuration window.
Update Security Policies
7. Click Policies > Security.
8. Click General Internet to edit the existing rule. Go to the Application tab. Delete all of the listed applications and add the Known-Good application group. Click OK to close the window.
9. Click the Deny Outbound rule and modify it with the following values:
General tab
  Name: Change to Log-All
Actions tab
  Action Setting: Select Allow
Click OK to close the security policy configuration window.
10. Click Add to define the Block-Known-Bad security policy:
General tab
  Name: Enter Block-Known-Bad
Source tab
  Source Zone: Click Add and select Trust-L3
  Source Address: Select Any
Destination tab
  Destination Zone: Click Add and select Untrust-L3
  Destination Address: Select Any
Application tab
  Applications: Click Add and select Known-Bad
Service/URL Category tab
  Service: Select any from the pulldown
Actions tab
  Action Setting: Select Deny
  Log Setting: Select Log at Session End
Click OK to close the security policy configuration window.
27. Use the move buttons at the bottom of the page to arrange the policies in a logical order. Confirm that your security rule list looks like this:
You can also rearrange the rules by clicking and dragging them into the correct order.
28. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
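The order chosen in step 27 matters because the firewall evaluates security rules top-down and applies the first match. The following Python model is an added example, not code from the lab manual or from Palo Alto Networks: it resolves the Known-Good group and the Proxies and Web-Based-File-Sharing filters against constructed, simplified application metadata (the two "example-*" applications are hypothetical) and shows how a proxy session is handled under the lab's order and when Log-All is placed above Block-Known-Bad.

```python
"""First-match model of the Module 4 security rulebase (added example, not PAN-OS code)."""
from dataclasses import dataclass

# Constructed, simplified App-ID metadata for the applications named in the lab. The two
# "example-*" entries are hypothetical stand-ins for what the Known-Bad filters should catch.
APP_DB = {
    "dns":              {"subcategory": "infrastructure",   "technology": "network-protocol"},
    "ssl":              {"subcategory": "encrypted-tunnel", "technology": "browser-based"},
    "web-browsing":     {"subcategory": "internet-utility", "technology": "browser-based"},
    "flash":            {"subcategory": "internet-utility", "technology": "browser-based"},
    "ftp":              {"subcategory": "file-sharing",     "technology": "client-server"},
    "ping":             {"subcategory": "ip-protocol",      "technology": "network-protocol"},
    "paloalto-updates": {"subcategory": "software-update",  "technology": "client-server"},
    "fileserve":        {"subcategory": "file-sharing",     "technology": "browser-based"},
    "example-proxy":    {"subcategory": "proxy",            "technology": "browser-based"},
    "example-webshare": {"subcategory": "file-sharing",     "technology": "browser-based"},
}

@dataclass(frozen=True)
class AppFilter:
    """Objects > Application Filters: membership is dynamic, by subcategory (and technology)."""
    subcategory: str
    technology: str = ""   # empty string means "any technology"
    def matches(self, app: str) -> bool:
        meta = APP_DB[app]
        return meta["subcategory"] == self.subcategory and (
            not self.technology or meta["technology"] == self.technology)

# The filters and groups built in Scenario 2 (Phase 3).
FILTERS = {"Proxies": AppFilter("proxy"),
           "Web-Based-File-Sharing": AppFilter("file-sharing", "browser-based")}
GROUPS = {"Known-Good": {"dns", "fileserve", "flash", "ftp", "paloalto-updates", "ping", "ssl", "web-browsing"},
          "Known-Bad": {"Proxies", "Web-Based-File-Sharing"}}

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: frozenset    # application names, group names, filter names, or {"any"}
    action: str        # "allow" or "deny"

def app_matches(entry: str, app: str) -> bool:
    """Resolve one Application-tab entry: literal app, application group, or filter."""
    if entry in ("any", app):
        return True
    if entry in FILTERS:
        return FILTERS[entry].matches(app)
    if entry in GROUPS:
        return any(app_matches(member, app) for member in GROUPS[entry])
    return False

def evaluate(rulebase: list, src_zone: str, dst_zone: str, app: str) -> tuple:
    """Top-down, first-match evaluation, the way the firewall walks the rulebase."""
    for rule in rulebase:
        if (rule.src_zone in ("any", src_zone) and rule.dst_zone in ("any", dst_zone)
                and any(app_matches(entry, app) for entry in rule.apps)):
            return rule.name, rule.action
    # Nothing matched: PAN-OS denies interzone traffic and allows intrazone traffic by default.
    return "implicit-default", ("allow" if src_zone == dst_zone else "deny")

GENERAL_INTERNET = Rule("General Internet", "Trust-L3", "Untrust-L3", frozenset({"Known-Good"}), "allow")
BLOCK_KNOWN_BAD = Rule("Block-Known-Bad", "Trust-L3", "Untrust-L3", frozenset({"Known-Bad"}), "deny")
LOG_ALL = Rule("Log-All", "Trust-L3", "Untrust-L3", frozenset({"any"}), "allow")
DENY_INBOUND = Rule("Deny Inbound", "Untrust-L3", "Trust-L3", frozenset({"any"}), "deny")

# Order from step 27: specific allow, specific deny, then the catch-all logging rule.
LAB_ORDER = [GENERAL_INTERNET, BLOCK_KNOWN_BAD, LOG_ALL, DENY_INBOUND]
# Common mistake: the catch-all allow placed above the deny rule shadows Block-Known-Bad.
SHADOWED_ORDER = [GENERAL_INTERNET, LOG_ALL, BLOCK_KNOWN_BAD, DENY_INBOUND]

def compare_orders(app: str) -> dict:
    return {"lab": evaluate(LAB_ORDER, "Trust-L3", "Untrust-L3", app),
            "shadowed": evaluate(SHADOWED_ORDER, "Trust-L3", "Untrust-L3", app)}
```

Note that fileserve is allowed under both orders even though it matches the Web-Based-File-Sharing filter: General Internet sits first and names it explicitly through Known-Good.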
Verify Internet Connectivity and Application Blocking
29. Verify that your policies have not broken network connectivity. Test internet connectivity by browsing web sites from your laptop. Does web surfing over ports 80 and 443 work?
30. Use a browser to connect to the site http://www.box.net. The browser should not be able to display the site. Review the traffic logs to determine why this site is not reachable. (Hint: Check the application listed in the log.)
31. Attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com. Why can't you bring up that web site? (Hint: the traffic logs will help you solve this problem.)
32. Click the ACC tab to access the Application Command Center. Use the dropdown menu in the application section of the ACC to select different ways of viewing the traffic that you have generated. What is the total risk level for all traffic that has passed through the firewall thus far? Notice that the URL Filtering, Threat Prevention, and Data Filtering sections within the ACC contain no matching records.
Module 5 Content-ID
Note: The presence of firewalls between your PA-200 and the internet will cause the lab results to vary.
Configure Dynamic Updates
1. Click Device > Dynamic Updates.
2. Click Check Now at the bottom of the page to retrieve the latest updates from Palo Alto Networks.
3. Verify that your firewall is running the most recent Antivirus definition file.
4. If the definition file is out of date, install the latest version.
  a. Click Download on the line for the update file you plan to install. Click Close when the file download completes.
  b. The Download link will have been replaced with the Install link. Click Install to activate the definition file. The installation will automatically trigger a commit. Wait for both operations to complete before continuing. Click Close to exit the installation window.
Configure a Custom URL Filtering Category
1. Go to the WebUI and click Objects > Custom URL Category.
2. Click Add to create a custom URL category:
  Name: Enter TechSites
  Sites: Click Add and add each of the following URLs: www.slashdot.org, www.cnet.com, www.zdnet.com
Click OK to close the URL Filtering profile window.
Configure a URL Filtering Profile
3. Click Objects > Security Profiles > URL Filtering.
4. Click Add to define a URL Filtering profile:
  Name: Enter student-url-filtering
  Category/Action: Click the right side of the Action header to access the pulldown menu. Click Set All Actions > Alert.
    Search the Category field for hacking and government. Set the Action to Continue for both categories.
    Search the Category field for the following categories and set the Action to block for each of them: adult-and-pornography, questionable, unknown
    Verify that your custom category appears in the Category column.
Click OK to close the URL Filtering profile window.
Configure an Antivirus Profile
5. Click Objects > Security Profiles > Antivirus.
6. Click Add to create an antivirus profile:
  Name: Enter student-antivirus
Antivirus tab
  Packet Capture: Check the Packet Capture box
  Decoders: Set the Action column to Alert for all decoders
Click OK to close the antivirus profile window.
Configure an Anti-Spyware Profile
7. Click Objects > Security Profiles > Anti-Spyware.
8. Click Add to create an anti-spyware profile:
  Name: Enter student-antispyware
Rules tab
  Click Add and create a rule with the parameters:
    Rule Name: Enter rule-1
    Action: Select Allow
    Severity: Check the boxes for Low and Informational only
  Click OK to save the rule.
  Click Add and create another rule with the parameters:
    Rule Name: Enter rule-2
    Action: Select Alert
    Severity: Check the boxes for Critical and High only
  Click OK to save the rule.
Click OK to close the anti-spyware profile window.
Create a File Blocking Profile with WildFire
9. Click Objects > Security Profiles > File Blocking.
10. Click Add to create a file blocking profile:
  Name: Enter student-file-block
Rules list
  Click Add and create a rule with the parameters:
    Rule Name: Enter type-1
    Action: Select Forward
Click OK to close the file blocking profile window.
Assign Profiles to a Policy
11. Click Policies > Security.
12. Click General Internet in the list of policy names. Edit the policy to include the newly created profiles:
Actions tab
  Profile Type: Select Profiles
  Antivirus: Select student-antivirus
  Anti-Spyware: Select student-antispyware
  URL Filtering: Select student-url-filtering
  File Blocking: Select student-file-block
Click OK to close the policy window.
13. Repeat the previous step and add the profiles to the Log-All policy.
14. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Test the Antivirus Profile
15. On your local system, open a browser to http://www.eicar.org and click Anti-Malware Testfile.
16. Click the Download link to access the virus test files.
17. Download any of the Eicar test files using http. Do not use the SSL-encrypted downloads. The firewall will not be able to detect the viruses in an HTTPS connection until decryption is configured.
18. Click Monitor > Logs > Threat to view the threat log. Find the log messages which detect the Eicar files. Scroll to the Action column to verify the alerts for each file download.
19. Click the green down arrow on the left side of the line for the Eicar file detection to view the packet capture (PCAP). Here is an example of what a PCAP might look like:
Captured packets can be exported in PCAP format and examined offline with a protocol analyzer for further investigation.
20. Modify the antivirus profile to block viruses using ftp, http, and smb. Click Objects > Security Profiles > Antivirus. Change the Action column for the ftp, http, and smb decoders to Block.
21. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
22. Open a new browser window to www.eicar.org and attempt to download a virus file again. Since the antivirus profile is set to block, a response page should appear:
23. Return to the WebUI and verify that log entries stating that the Eicar virus was detected appear in the threat log.
24. After 15 minutes, the threats you just generated will appear on the ACC tab under the Threats section.
Test the URL Filtering Profile
25. Open a browser and browse to various web sites. The URL filtering profile records each web site that you visit.
26. In the WebUI, click Monitor > Logs > URL Filtering. Verify that the log entries track the sites that you visited during your tests.
27. Test the continue condition you created by visiting a site which is part of the hacking category. In a new browser window, attempt to browse to http://neworder.box.sk and http://www.2600.org. The profile will block this action and you will see a response page similar to the following:
Test the File Blocking Profile with WildFire
28. Open a new browser window to http://www.opera.com. Download the Opera browser installer to your local system.
29. Click Monitor > Logs > Data Filtering to determine how the file was handled by the profile.
Configure a Security Profile Group
30. Return to the WebUI and click Objects > Security Profile Groups.
31. Click Add to define a security profile group:
  Name: Enter student-profile-group
  Antivirus Profile: Select student-antivirus
  Anti-Spyware Profile: Select student-antispyware
  URL Filtering Profile: Select student-url-filtering
  File Blocking Profile: Select student-file-block
Click OK to close the security profile group window.
Assign the Security Profile Group to a Policy
32. Click Policies > Security.
33. Click General Internet in the list of policy names. Edit the policy to replace the profiles with the profile group:
Actions tab
  Profile Type: Select Group
  Group Profile: Select student-profile-group
Click OK to close the policy window.
34. Repeat the previous step and add the profile group to the Log-All policy.
35. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Create a Custom Report
36. Click Monitor > Manage Custom Reports.
37. Click Add to define a new custom threat report:
  Name: Enter Top Threats by Day
  Database: Select Threat Summary
  Time Frame: Select Last 24 Hrs
  Sort by: Select Count and Top 10
  Group by: Select None and 10 Groups
  Selected Columns: Populate the Selected Columns field with the following values, in this order: Threat/Content Name, Application, App Technology, App Sub Category, Count
  Query Builder: Build a query using the following parameters:
    Connector: Select and; Attribute: Select Rule; Operator: Select =; Value: Enter General Internet; click Add
    Connector: Select or; Attribute: Select Rule; Operator: Select =; Value: Enter Log-All; click Add
Click OK to save the custom report definition.
38. Click the name of your custom report to reopen the custom report window. Click Run Now to generate the report.
39. The report will appear in a new tab in the window. Click Export to PDF to save it to your RDP desktop.
Module 6 Decryption
Verify Firewall Behavior Without Decryption
1. From your laptop, browse to www.eicar.com and attempt to download one of the test files using http.
2. Repeat the previous step but attempt to download one of the files using https.
3. Go to the GUI and click Monitor > Logs > Threat to view the log. Only the non-encrypted download should appear in the log. SSL encryption hid the contents from the firewall, and so the test file was not detected as a threat.
Create an SSL Self-Signed Certificate
4. Click Device > Certificate Management > Certificates.
5. Click Generate at the bottom of the screen to create a new self-signed certificate:
  Certificate Name: Enter student-ssl-cert
  Common Name: Enter 192.168.2.1
  Certificate Authority: Check the box
Click Generate to create the certificate. Click OK to dismiss the certificate generation success window.
6. Click student-ssl-cert in the list of certificates to edit the certificate properties. Check the boxes for Forward Trust Certificate and Forward Untrust Certificate. Click OK to confirm the changes.
Create SSL Decryption Policies
7. Click Policies > Decryption.
8. Click Add to create an SSL decryption rule for the exception categories:
General tab
  Name: Enter no-decrypt-traffic
Source tab
  Source Zone: Click Add then select Trust-L3
Destination tab
  Destination Zone: Click Add then select Untrust-L3
URL Category tab
  URL Category: Click Add and add each of the following URL categories: health-and-medicine, shopping, financial-services
Options tab
  Action: Select no-decrypt
  Type: Select SSL Forward Proxy
Click OK to close the configuration window.
9. Click Add to create the SSL decryption rule for general decryption:
General tab
  Name: Enter decrypt-all-traffic
Source tab
  Source Zone: Click Add then select Trust-L3
Destination tab
  Destination Zone: Click Add then select Untrust-L3
URL Category tab
  URL Category: Verify that the Any box is checked
Options tab
  Action: Select decrypt
  Type: Select SSL Forward Proxy
Click OK to close the configuration window.
10. Confirm that your decryption policy list looks like this:
11. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Test the SSL Decryption Policies
12. Open a browser to the www.eicar.org downloads page. Download a test file using SSL. Ignore the certificate error. This is expected behavior because the firewall is intercepting the SSL connection and performing man-in-the-middle decryption. Close the browser window.
13. In the WebUI, examine the threat logs. The virus should have been detected, since the SSL connection was decrypted. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box has a check mark.
14. Open a browser to http://www.brightcloud.com/ and enter various URLs that you believe fall into the categories excluded by the no-decrypt rule. Make a list of URLs that fall into these categories to test against. For example:
  financial-services: www.bankofamerica.com
  health-and-medicine: www.deltadental.com
  shopping: www.macys.com
15. In the WebUI, click Monitor > Logs > Traffic. Set the traffic log to display only port 443 traffic on a 10-second refresh. Enter ( port.dst eq 443 ) in the filter field. Select 10 Seconds from the pulldown menu so that the display will refresh automatically. Leave this window open so you can monitor the traffic.
16. In a separate browser window, use SSL (https://) to navigate to the web sites you found in the excluded URL categories. Navigate to other web sites as well (e.g., www.facebook.com, www.google.com) for comparison purposes.
17. Return to the traffic log. Find an entry for one of the excluded categories by looking at the value in the URL Category column. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box in the Misc panel is unchecked.
18. Repeat the previous step for a URL in a non-excluded category. Verify that the Decrypted box has a check mark.
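Steps 15 through 18 check the Decrypted flag by eye, one log entry at a time. The following Python script is an added example, not part of the lab manual or of PAN-OS: it runs the same check over constructed traffic-log rows (the column names are a simplified stand-in for the real CSV export) and flags every port-443 session whose decryption state contradicts the intent of the no-decrypt-traffic and decrypt-all-traffic rule pair.

```python
"""Audit traffic-log rows against the Module 6 decryption policy (added example, not PAN-OS code)."""
import csv
import io

# URL categories excluded from decryption by the lab's no-decrypt-traffic rule.
NO_DECRYPT_CATEGORIES = {"health-and-medicine", "shopping", "financial-services"}

# Constructed log rows. The real traffic-log CSV export has many more columns; this keeps
# only the fields the test steps ask you to read, with the Decrypted flag rendered as yes/no.
SAMPLE_LOG = """\
receive_time,src,dst,dport,app,url_category,decrypted,rule
2014/03/01 10:00:01,192.168.2.50,203.0.113.10,443,ssl,financial-services,no,General Internet
2014/03/01 10:00:05,192.168.2.50,203.0.113.20,443,web-browsing,social-networking,yes,General Internet
2014/03/01 10:00:09,192.168.2.50,203.0.113.30,443,web-browsing,shopping,yes,General Internet
2014/03/01 10:00:12,192.168.2.50,203.0.113.40,80,web-browsing,search-engines,no,General Internet
2014/03/01 10:00:15,192.168.2.50,203.0.113.50,443,ssl,search-engines,no,General Internet
"""


def parse_log(csv_text: str) -> list:
    """Read the exported CSV into one dict per session."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def port_filter(rows: list, dport: int = 443) -> list:
    """Same selection as the WebUI filter ( port.dst eq 443 )."""
    return [row for row in rows if int(row["dport"]) == dport]


def should_decrypt(url_category: str) -> bool:
    """no-decrypt-traffic is matched first, so only its categories stay encrypted;
    every other category falls through to decrypt-all-traffic."""
    return url_category not in NO_DECRYPT_CATEGORIES


def audit(csv_text: str) -> list:
    """Return the port-443 sessions whose Decrypted flag disagrees with the policy intent."""
    findings = []
    for row in port_filter(parse_log(csv_text)):
        decrypted = row["decrypted"].strip().lower() == "yes"
        expected = should_decrypt(row["url_category"])
        if decrypted != expected:
            findings.append({"dst": row["dst"], "url_category": row["url_category"],
                             "decrypted": decrypted, "expected_decrypted": expected})
    return findings
```

A session in an excluded category that shows Decrypted, or a non-excluded HTTPS session that does not, points at a rule-order or URL-category mismatch worth checking in the Log Details Misc panel.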
CLI Reference
This section provides a subset of the commands needed to complete the tasks in the associated lab modules. The commands are intended to provide command sets for you to research further in the PAN-OS Command Line Interface Reference Guide.
Module 1 Administration and Management
# load config from PAN-EDU-201-Default-1.xml
> request license info
> request system software info
> request anti-virus upgrade info
# set shared admin-role "Policy Admins" role device webui acc enable
# set mgt-config users ip-admin permissions role-based custom profile "Policy Admins"
> request config-lock add
> request commit-lock add
> request config-lock remove
> request commit-lock remove
Module 2 Interface Configuration
# set zone tap-zone network tap
# set network interface ethernet ethernet1/3 virtual-wire
# set zone vwire-zone-3 network virtual-wire ethernet1/3
# set network virtual-wire student-vwire interface1 ethernet1/3
Module 3 Layer 3 Configuration
# set network profiles interface-management-profile allow_all telnet yes
# set network dhcp interface ethernet1/2 server ip-pool 192.168.15.50-192.168.15.60
# set network virtual-router Student-VR interface ethernet1/2
# set rulebase nat rules "student source nat" to Untrust-L3
Module 4 App-ID
# set rulebase security rules "General Internet" action allow
# set application-filter Proxies subcategory proxy
# set application-group Known-Good web-browsing
Module 5 Content-ID
# set profiles url-filtering Student-url-filtering alert bot-nets
# set profiles custom-url-category TrustedCompanies list www.paloaltonetworks.com
# set profiles virus Student-antivirus decoder ftp action alert
# set profiles spyware Student-antispyware rules simple-low severity low
# set profile-group "Student Profile" virus Student-antivirus
# set rulebase security rules "General Internet" profile-setting group "Student Profile"
Module 6 Decryption
> request certificate generate ca yes name 192.168.15.1 certificate-name student15-cert
# set rulebase decryption rules No-Decrypt source any