Lab Manual

PAN-EDU-201
Firewall Installation, Configuration, and Management Essentials I

January, 2013
PAN-OS 5.0 - Rev A

education@paloaltonetworks.com
http://education.paloaltonetworks.com

2012 Palo Alto Networks. Proprietary and Confidential

Table of Contents
How to use this Lab Guide
Lab Equipment Setup

Module 0 Introduction: Lab Access and Review
  Task 1 RDP to StudentPC, HTTPS and SSH to Student firewall
  Task 2 Review PAN-OS software, Content, and Licenses
  Task 3 Disable Panorama sharing

Module 1 Administration and Management
  Task 1 Apply baseline configuration to your firewall
  Task 2 Clear the logs
  Task 3 Add an Administrator Role
  Task 4 Add an administrator account
  Task 5 Take a Transaction Lock and test the lock

Module 2 Interface Configuration
  Task 1 Create a new Security Zone
  Task 2 Create Interface Management Profiles
  Task 3 Configure a Tap interface
  Task 4 Configure a Vwire

Module 3 Layer 3 Configuration
  Task 1 Configure Ethernet interfaces with Layer 3 info
  Task 2 Configure DHCP
  Task 3 Create a Virtual Router
  Task 4 Create a Source NAT policy
  Task 5 Create a Destination NAT Policy

Module 4 App-ID
  Task 1 Create a basic Security Policy for outbound traffic
  Task 2 Create 2 basic policies to deny all inbound and outbound traffic
  Task 3 Create an Application Block Page
  Task 5 Create Application Filter
  Task 6 Create Application Group
  Task 7 Create three new Security Policies that match the following criteria
  Task 8 Create a custom query in the Traffic Log

Module 5 Content-ID
  Task 1 Configure a URL filtering Profile
  Task 2 Configure a Custom URL Filtering Category
  Task 3 Configure an Antivirus Profile
  Task 4 Configure an Antispyware Profile
  Task 5 Connect individual Profiles to Policy
  Task 6 Test connectivity
  Task 7 Create a File Blocking Profile: WildFire
  Task 8 Configure a Security Profile Group
  Task 9 Connect Profile Group to Policy
  Task 10 Create a Custom Report

Module 6 User-ID
  Task 1 Configure firewall to talk to User-ID Agent
  Task 2 Review user/IP information
  Task 3 User-ID Agent (optional)

Module 7 Decryption
  Task 1 Pre-setup and test
  Task 2 Create an SSL self-signed Certificate
  Task 3 Create SSL Outbound Decryption Policies
  Task 4 Set SSL exclude cache
  Task 5 Review Self-signed Certificate on StudentPC browser

Module 8 VPN
  Task 1 Configure IPsec Tunnel Trust Zone
  Task 2 Configure IPsec Tunnel Untrust Zone

Module 9 High Availability (optional)
  Task 1 Configure HA Active/Passive

Module 10 Panorama
  Task 1 Pre-setup and test
  Task 2 Create a custom report - Panorama
  Task 3 Create an Application Group Object
  Task 4 Create Pre/Post Policy
  Task 5 Push config to student firewall
  Task 6 Switch context and review Policy on firewall


How to use this Lab Guide

The Lab Guide is laid out to follow the Modules in the Student Guide. There are multiple tasks for each
Module. For each Task, where appropriate, there are three sections. The first section is a diagram of what
the firewall configuration should look like. The second section contains the steps to create the
configuration through the GUI. The third section contains the CLI commands to create the configuration.
You can complete the Tasks by referencing the diagram and the material in the Student Guide, or
you can follow the steps in the second section. If you have sufficient experience with the PAN-OS CLI, you
can type the commands in the CLI section.

NOTE:
Unless specified, the Chrome web browser and the PuTTY SSH client will be
used to perform any tasks outlined in the following labs. (These apps are preinstalled on the desktop of the StudentPC.)

Once these labs are completed you should be able to:
1. Configure the basic operations of the firewall including: Interfaces, Security Zones, and
Security Policies
2. Configure basic Layer 3 operations including: IP addressing and NAT
3. Configure basic Content-ID functionality including: AV and URL filtering
4. Understand the basic operation of Logs and Reporting
5. Configure extended operations including: IPsec, SSL decryption, and HA

With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help
enabled this training to be built, tested, and deployed.

Lab Equipment Setup

[Figure: lab topology diagram. The addressing and interface roles recoverable from it are listed below.]

Student PC Setup
RDP: ___.___.___.___ (assigned by the instructor)

Student firewall (x = your student number, y = the StudentPC host address):
- Management interface: 10.30.11.x /24; Panorama, the Domain Controller and the EDU lab firewall (the path to the Internet) are reached over this network
- Ethernet 1/1.2xx: Layer 3 subinterface, zone Untrust-L3, 172.16.x.1 /24, carried on an 802.1q trunk through a switch to the router and the Internet
- Ethernet 1/2: Layer 3 interface, zone Trust-L3, 192.168.x.1 /24; the StudentPC sits behind it at 192.168.x.y /24
- Ethernet 1/3 and 1/4: the two Virtual Wire interfaces
- Ethernet 1/5: TAP interface
- Ethernet 1/6, 1/7 and 1/8: HA links

Module 0 Introduction: Lab Access and Review

In this lab you will:

Test connectivity to your StudentPC over RDP
Test StudentPC to student firewall connectivity
Review the operating system and licensing

Task 1 RDP to StudentPC, HTTPS and SSH to Student firewall

Using the login credentials and IP information provided by the instructor:
Step 1: Open your local RDP client and open a session to your assigned RDP IP address.
Step 2: Once connected, use the StudentPC web browser (HTTPS) and PuTTY client (SSH) to test connectivity to the
student firewall.

Task 2 Review PAN-OS software, Content, and Licenses

Step 1: Click the Device tab > Software
Step 2: Review available, downloaded, and installed PAN-OS software
Question: What version of PAN-OS is running on your firewall?
__________________________________________________
Step 3: Click the Device tab > Dynamic Updates
Step 4: Review Applications, Viruses, and URL Filtering to check the date of the last update
Step 5: Click the Device tab > Licenses
Step 6: Review the licenses installed and their expiration dates
Step 7: Under Device > Setup > Management, set the current date and time zone

Task 3 Disable Panorama sharing

Step 1: Click the Device tab > Setup > Management tab
Step 2: Click the Panorama Settings edit button
Step 3: If the pop-up window shows a button that disables Panorama sharing, click it. An
additional pop-up window appears that allows you to select Import shared config from Panorama before
disabling. DO NOT SELECT THIS BOX. Simply click OK, and then OK in the Panorama Settings pop-up.
If there are no Panorama settings, close the tab and go forward.


Module 1 Administration and Management

In this lab you will:

Apply a baseline configuration to build the successive labs on
Create a new admin role on the firewall and a role-based administrator account
Take a configuration lock and test it

Task 1 Apply baseline configuration to your firewall

Step 1: Open your StudentPC web browser and log in to your student firewall.
Step 2: Click the Device tab > Setup > Operations tab
Step 3: Click Load Named Configuration Snapshot
Step 4: Select the file after_reset_X (where X is your Student Number)
Step 5: Click OK, then click Commit

Task 2 Clear the logs

Step 1: Click Device > Log Settings > Manage Logs
Step 2: Click Clear Traffic Logs and Clear Threat, URL, and Data Logs

Task 3 Add an Administrator Role

Step 1: Click the Device tab > Admin Roles
Step 2: Click Add in the lower left
Step 3: Configure a new admin role with the name Policy Admins
Step 4: In the Web UI box, click the following major categories to disable them: Monitor, Network, and
Device. The remaining major categories of Dashboard, ACC, Policy, Objects, Privacy, and Commit should
be enabled.
Step 5: Leave the CLI option set to None. Click OK to continue.

Task 4 Add an administrator account

Step 1: Click the Device tab > Administrators
Step 2: Click Add in the lower left
Step 3: Configure a new administrator with the following parameters:
Name: ip-admin
Authentication Profile: None
Password and Confirm Password: paloalto
Role: Role Based
Profile: Policy Admins from the dropdown menu
Step 4: Click OK, then click Commit
Step 5: Log off the GUI, then log back in as ip-admin and explore the functionality available to this role

Task 5 Take a Transaction Lock and test the lock

Step 1: Click the transaction lock icon (to the right of the Commit button).
Step 2: Click Take Lock, set the Type to Config and click OK. Click Close to close the transaction
lock window
Step 3: Open a different browser and log in with your admin account
Step 4: Click the transaction lock icon to view the locks taken
Step 5: Attempt to add another administrator (as in Module 1 Task 4).
Question: At what point does the firewall block your action?
________________________________________________
(Answer: It gives you an error when you click the OK button.)
Step 6: Log out of the ip-admin account

Module 2 Interface Configuration

In this lab you will:

Create Security Zones
Create Interface Management Profiles
Configure basic interface types

Task 1 Create a new Security Zone

Step 1: Click the Network tab > Zones
Step 2: Click Add
Step 3: Set Type to Tap
Step 4: Set the Zone name to Student-tap-zone
Step 5: Click OK
Question: Why is the OK button disabled?
__________________________________
(Answer: the zone name is too long. Change the zone name to be no more than 15 characters, for example Student-tap-zon, then click OK.)
Step 6: Click Add and set the Zone name to Trust-L3
Step 7: Set Type to Layer3
Step 8: Click OK
Step 9: Click Add and set the Zone name to Untrust-L3
Step 10: Set Type to Layer3
Step 11: Click OK
Step 12: Click Add
Step 13: Set the Zone name to Vwire-zone-3
Step 14: Set Type to Virtual Wire
Step 15: Click OK
Step 16: Click Add
Step 17: Set the Zone name to Vwire-zone-4
Step 18: Set Type to Virtual Wire
Step 19: Click OK

Task 2 Create Interface Management Profiles

Step 1: Click the Network tab > Network Profiles > Interface Mgmt
Step 2: Click Add
Step 3: Set Name to allow_all
Step 4: Select all check boxes
Step 5: Click OK
Step 6: Create a second profile called allow_ping
Step 7: Click the Ping check box
Step 8: Click OK, then click Commit

NOTE: allow_all exposes every management service (HTTP, HTTPS, SSH, Telnet, SNMP and so on) on any data
interface it is applied to. It is a lab convenience; on a production firewall, give data interfaces the narrowest
profile that works (allow_ping, or none at all).

Task 3 Configure a Tap interface

Step 1: Click the Network tab > Interfaces
Step 2: Click interface ethernet1/5
Step 3: Select Interface Type Tap
Step 4: Select the Zone Student-tap-zon (or whatever you named it), then click OK

Task 4 Configure a Vwire

Step 1: Click the Network tab > Interfaces
Step 2: Click interface ethernet1/3
Step 3: Select Interface Type Virtual Wire
Step 4: In the Virtual Wire field, click the dropdown arrow and click New Virtual Wire
Step 5: In the pop-up window, set the Name to student-vwire and then click OK
Step 6: Click the arrow in the Security Zone field and select Vwire-zone-3
Step 7: Click OK
Step 8: Click interface ethernet1/4
Step 9: Select Interface Type Virtual Wire
Step 10: In the Virtual Wire field, click the dropdown arrow and select student-vwire
Step 11: Click the arrow in the Security Zone field and select Vwire-zone-4
Step 12: Click OK
Step 13: Commit all changes


Module 3 Layer 3 Configuration

In this lab you will:

Configure Ethernet interfaces with Layer 3 information
Configure DHCP
Create a Virtual Router
Create a Source NAT policy
Create a Destination NAT policy

Task 1 Configure Ethernet interfaces with Layer 3 info

Step 1: Click the Network tab > Interfaces > Ethernet and select interface ethernet1/2
Step 2: In the pop-up, set Interface Type to Layer3
Step 3: Set Security Zone to Trust-L3
Step 4: Select the IPv4 tab, click Add and enter the following IP address and subnet mask:
192.168.__.1/24 (your student # is the 3rd octet)
Step 5: Select the Advanced tab, then the Other Info tab, and set the Management Profile to allow_all,
then click OK
Step 6: Click the Network tab > Interfaces and select interface ethernet1/1
Step 7: In the pop-up, set Interface Type to Layer3, then click OK
Step 8: Click Add Layer3 Subinterface at the bottom of the page
Step 9: Set Interface Name to ethernet1/1
Step 10: Set the sub-interface ID to 200 + Student #. (Example: Student-05 would be 205.)
Step 11: Set the Tag to match the sub-interface ID
Step 12: Click the dropdown arrow in the Security Zone field and select Untrust-L3 (created in Module 2 Task 1)
Step 13: Select the IPv4 tab, click Add and enter the following IP address and subnet mask:
172.16.___.1/24 (your student # is the 3rd octet)
Step 14: Select the Advanced tab and set the Management Profile to allow_ping, then click OK

Task 2 Configure DHCP

Step 1: Click the Network tab > DHCP > DHCP Server tab
Step 2: Click Add
Step 3: Select Interface ethernet1/2
Step 4: Set Gateway to 192.168.___.1 (the 3rd octet is your student #)
Step 5: Set Primary DNS to 10.30.11.50
Step 6: Click the Add button in the IP Pools window and enter an IP Pool of 192.168.___.50-192.168.___.60 (the 3rd octet is your student #)
Step 7: Review and click OK

Task 3 Create a Virtual Router

Step 1: Click the Network tab > Virtual Routers
Step 2: Click Add
Step 3: Set the Name to Student-VR
Step 4: Click Add in the Interfaces window and select interfaces ethernet1/1.2__ and ethernet1/2
Step 5: Select the Static Routes tab, click Add and add a default route with the following information:
Name: default
Destination: 0.0.0.0/0
Next Hop: IP Address, with an address of 172.16.X.254 (where X is your student #)
Step 6: Click OK to add the route, review your VR configuration, and then click OK
Step 7: Delete the default-vwire object under Network > Virtual Wires
Step 8: Click Commit to make the changes active
Step 9: Open a StudentPC command prompt and release/renew the IP configuration (C:\> ipconfig
/release, C:\> ipconfig /renew and C:\> ipconfig /all) to check that the DHCP configuration was
successful. You should be able to ping 192.168.X.1

NOTE: DO NOT MANUALLY CHANGE THE INTERFACE CONFIGURATION OF THE STUDENT
PC. If a DHCP address is not assigned, review the Student Firewall DHCP configuration first.

Task 4 Create a Source NAT policy

Step 1: Click the Policies tab > NAT
Step 2: Click Add, name it student source nat, then click the Original Packet tab
Step 3: Click Add in the Source Zone box and select Trust-L3. Set the Destination Zone to Untrust-L3.
Step 4: Confirm that the Any check boxes for the Source Address and Destination Address are checked.
Step 5: Click the Translated Packet tab
Step 6: Select a Translation Type of Dynamic IP and Port
Step 7: Set Address Type to Interface Address
Step 8: Select Interface ethernet1/1.x (where x is 200 + your student #)
Step 9: Select the 172.16.X.1/24 entry from the IP Address pull-down, then click OK.
Step 10: Under Policies > Security, select the existing rule and click Delete at the bottom of the page.
Step 11: Create a new rule that allows any traffic from the Trust-L3 zone to the Untrust-L3 zone.
The rulebase should now contain only that rule.
Step 12: Under Network > Zones, remove the zones trust and untrust, then Commit

Task 5 Create a Destination NAT Policy

Step 1: Click the Policies tab > NAT
Step 2: Click Add, name it web nat, then click the Original Packet tab
Step 3: Click Add (in the Source Zone box) and select Trust-L3
Step 4: Set the Destination Zone to Untrust-L3
Step 5: Click Any for the Source Address
Step 6: Click Add in the Destination Address box and enter the IP address of www.fortinet.com (you will
need to look up that IP address)
Step 7: Click the Translated Packet tab and check the Destination Address Translation box
Step 8: In the Destination Address Translation section, add the IP address of www.exclusivenetworks.com (you will need to look up that IP address)
Step 9: In the Source Address Translation section, set the Translation Type to Dynamic IP and Port
Step 10: Set Address Type to Interface Address
Step 11: Select Interface ethernet1/1.x (where x is 200 + your student #)
Step 12: Select the 172.16.X.1/24 entry from the IP Address pull-down
Step 13: Click OK, move the rule to the top of the list, then Commit all changes
Step 14: Open a new browser tab to www.fortinet.com. Can you connect? Why or why not?
(Hint: NAT rules are evaluated top-down against the original packet and the first match wins, so the more specific web nat rule has to sit above student source nat.)
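
The following is an added worked example, not part of the lab manual: a small model of how the two NAT rules from Tasks 4 and 5 are evaluated. Rules are matched top-down against the original (pre-NAT) packet, the first match wins, and a matching rule can rewrite both the destination (web nat) and the source (Dynamic IP and Port on the interface address). The example assumes student number 7 (192.168.7.0/24 inside, ethernet1/1.207 = 172.16.7.1); the two public addresses are TEST-NET placeholders standing in for the looked-up www.fortinet.com and www.exclusivenetworks.com addresses, not real lookups.

```python
# Added example, not from the lab manual. Assumes student 7 and placeholder
# (TEST-NET) addresses in place of real DNS lookups.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Dict, List, Optional, Tuple

ORIGINAL_WEB_IP = "203.0.113.10"     # placeholder for the looked-up www.fortinet.com address
TRANSLATED_WEB_IP = "198.51.100.20"  # placeholder for the looked-up www.exclusivenetworks.com address
UNTRUST_IF_IP = "172.16.7.1"         # ethernet1/1.207 interface address (student 7)


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    dst: str = "any"                    # Original Packet > Destination Address
    src_xlate_if: Optional[str] = None  # Dynamic IP and Port using this interface address
    dst_xlate: Optional[str] = None     # Destination Address Translation target

    def matches(self, pkt: Packet) -> bool:
        """Match on the ORIGINAL packet: zones first, then destination address."""
        if (self.from_zone, self.to_zone) != (pkt.from_zone, pkt.to_zone):
            return False
        return self.dst == "any" or ip_address(pkt.dst) in ip_network(self.dst, strict=False)


class NatEngine:
    """Applies the first matching rule; DIPP hands each session a fresh source port."""

    def __init__(self, rules: List[NatRule]) -> None:
        self.rules = list(rules)
        self._ports = count(1024)  # simplified port pool for Dynamic IP and Port
        # translated (ip, port) -> original (ip, port): what the return path needs
        self.sessions: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate(self, pkt: Packet) -> Tuple[Optional[str], Packet]:
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            out = pkt
            if rule.dst_xlate:  # destination NAT: change where the packet goes
                out = replace(out, dst=rule.dst_xlate)
            if rule.src_xlate_if:  # source NAT: hide the inside host behind the interface
                port = next(self._ports)
                self.sessions[(rule.src_xlate_if, port)] = (pkt.src, pkt.sport)
                out = replace(out, src=rule.src_xlate_if, sport=port)
            return rule.name, out
        return None, pkt  # no rule matched: forwarded untranslated


WEB_NAT = NatRule("web nat", "Trust-L3", "Untrust-L3", dst=ORIGINAL_WEB_IP,
                  src_xlate_if=UNTRUST_IF_IP, dst_xlate=TRANSLATED_WEB_IP)
SOURCE_NAT = NatRule("student source nat", "Trust-L3", "Untrust-L3",
                     src_xlate_if=UNTRUST_IF_IP)


def run(rulebase: List[NatRule]):
    """Push two constructed StudentPC sessions through the rules in the given order."""
    engine = NatEngine(rulebase)
    to_web = Packet("Trust-L3", "Untrust-L3", "192.168.7.55", ORIGINAL_WEB_IP, 51000, 80)
    to_other = Packet("Trust-L3", "Untrust-L3", "192.168.7.55", "192.0.2.40", 51001, 443)
    return engine.translate(to_web), engine.translate(to_other), engine.sessions


if __name__ == "__main__":
    for order in ([WEB_NAT, SOURCE_NAT], [SOURCE_NAT, WEB_NAT]):
        (r1, p1), (r2, p2), table = run(order)
        print([r.name for r in order], "->", r1, p1.src, p1.sport, p1.dst, "|", r2, p2.dst)
```

With web nat on top, the browser session to the fortinet address is sent to the exclusivenetworks address instead, which is why Step 14's page does not load as expected. With the rules reversed, student source nat (any destination) shadows web nat and the destination is never rewritten. On the real firewall the security rulebase is then evaluated using the post-NAT zones but the pre-NAT addresses; the allow-any Trust-L3 to Untrust-L3 rule from Task 4 hides that distinction, but it matters as soon as the rulebase is tightened.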


Module 4 App-ID

In this lab you will:

Create a security policy to allow basic Internet connectivity and log dropped traffic
Enable Application Block pages
Create Application Filters and Application Groups

Task 1 Create a basic Security Policy for outbound traffic

Step 1: Click the Policies tab > Security and delete any existing rules.
Step 2: Click Add
Step 3: Create a new rule named General Internet
Step 4: Configure the following information:

Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: flash, dns, web-browsing, ssl, ping
Service: application-default
Action: Allow

Task 2 Create 2 basic policies to deny all inbound and outbound traffic

Question: Why would you want to create two rules, inbound and outbound, rather than a single
deny-all rule?
__________________________________
Step 1: Click Add
Step 2: Create a new rule named Deny Outbound
Step 3: Configure the following information:

Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: Any
Service: Any
Action: Deny

Step 4: Create a rule named Deny Inbound
Step 5: Configure the following information:

Source Zone: Untrust-L3
Source Address: Any
Destination Zone: Trust-L3
Destination Address: Any
Application: Any
Service: Any
Action: Deny

Step 6: Ensure your Security Policy contains these three rules in the order General Internet, Deny Outbound, Deny Inbound
Step 7: Commit your changes

Question: In the General Internet rule, why do you use application-default as the service,
whereas you use Any as the service in the two deny rules?
__________________________________

Once complete, your StudentPC should have access to the Internet.

Step 8: You will now test your new policies. Test Internet connectivity by pinging 4.2.2.2 from your
workstation. Does web surfing over ports 80 and 443 work?
Step 9: Use a browser to try to connect to the site http://www.box.net. The browser should not be able
to display the site. Why is that? Take a look at the log message in the traffic logs to find out. What is
special about that application?
Step 10: Also attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com.
Why can you bring up that web site? (Hint: look at the traffic logs)

Task 3 Create an Application Block Page

Step 1: Go to www.facebook.com: what is the browser response?
Step 2: Ensure the Interface Management Profile applied to your ethernet1/2 interface (Trust-L3) has
Response Pages checked
Step 3: Click the Device tab > Response Pages > Application Block Page
Step 4: Click Enable
Step 5: Click OK, then commit your changes
Step 6: Go to www.facebook.com: what is the browser response?

Task 5 Create Application Filter

Step 1: Delete all current rules in your security policy
Step 2: Click the Objects tab > Application Filters and create a new filter named Proxies
Step 3: Set the Subcategory to proxy
Step 4: Create a second filter named Web-Based-File-Share, set the Subcategory to file-sharing
and set the Technology to browser-based

Task 6 Create Application Group

Step 1: Click the Objects tab > Application Groups
Step 2: Create a new group named Known-Good and add the applications ssl, web-browsing, ping,
dns, and flash
Step 3: Create a second group called Known-Bad and add the application filters Proxies and Web-Based-File-Share to it

Task 7 Create three new Security Policies that match the following criteria

Configure the policies with the following information:
Step 1: The first policy allows the known good applications.

Rule 1 Name: Known-Good
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: the Application Group Known-Good
Service: application-default
Action: Allow

Step 2: The second policy blocks all of your known bad applications.

Rule 2 Name: Known-Bad
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: the Application Group Known-Bad
Service: Any
Action: Deny

Step 3: The third policy allows all other traffic. Note that Log All is an Allow rule: anything not matched by the
two rules above it, including applications on non-standard ports, is permitted and logged.

Rule 3 Name: Log All
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: Any
Service: Any
Action: Allow

Step 4: Confirm that your security rulebase contains these three rules in the order Known-Good, Known-Bad, Log All, and then commit your changes.

Step 5: You will now test your new policies. Ping from your StudentPC out to the Internet. That should
work. Web surfing over ports 80 and 443 should also work.
Step 6: Use a browser to try to connect to the site www.box.net. The browser should not be able to
display the site. Why is that? Take a look at the log message in the traffic log to find out. What is special
about that application?
Step 7: Now attempt to reach www.box.net using the proxy site www.avoidr.com. Go to
www.avoidr.com. You should not be allowed to browse it. Why? (HINT: look at the traffic logs)
Step 8: Select the ACC tab to access the Application Command Center. Use the drop-down menu in the
Application section of the ACC to select different ways of viewing the traffic that you have generated. What
is the total risk level for all traffic that has passed through the firewall thus far? Notice that the URL
Filtering, Threat Prevention, and Data Filtering sections within the ACC contain no matching records.
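
The following is an added worked example, not part of the lab manual: a model of first-match security policy evaluation for the two rulebases built in this module (General Internet plus the two deny rules from Tasks 1 and 2, and Known-Good / Known-Bad / Log All from Task 7), run over constructed sessions. It shows why application-default matters (web-browsing on port 8080 is dropped by the first rulebase but let through by Log All in the second), how an application filter expands to a set of apps at evaluation time, and that traffic matching no rule falls to the implicit interzone deny. The App-ID entries are simplified stand-ins for the real content database (subcategory, technology and default-port data are approximations), and the names boxnet and avoidr stand in for however App-ID identifies the box.net and avoidr.com sites.

```python
# Added example, not from the lab manual. APPS is a constructed approximation
# of the App-ID database, not its real contents.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class App:
    name: str
    subcategory: str
    technology: str
    default_ports: FrozenSet[Tuple[str, int]]  # what 'application-default' resolves to


def _app(name: str, subcategory: str, technology: str, *ports: Tuple[str, int]) -> App:
    return App(name, subcategory, technology, frozenset(ports))


APPS: Dict[str, App] = {a.name: a for a in [
    _app("web-browsing", "internet-utility", "browser-based", ("tcp", 80)),
    _app("ssl", "encrypted-tunnel", "browser-based", ("tcp", 443)),
    _app("dns", "infrastructure", "network-protocol", ("udp", 53), ("tcp", 53)),
    _app("ping", "ip-protocol", "network-protocol", ("icmp", 0)),
    _app("flash", "internet-utility", "browser-based", ("tcp", 80)),
    _app("ssh", "encrypted-tunnel", "client-server", ("tcp", 22)),
    _app("boxnet", "file-sharing", "browser-based", ("tcp", 80), ("tcp", 443)),
    _app("avoidr", "proxy", "browser-based", ("tcp", 80)),
]}


@dataclass(frozen=True)
class AppFilter:
    """Objects > Application Filters: every app with the given attributes, resolved at match time."""
    subcategory: Optional[str] = None
    technology: Optional[str] = None

    def members(self) -> Set[str]:
        return {a.name for a in APPS.values()
                if self.subcategory in (None, a.subcategory)
                and self.technology in (None, a.technology)}


# Objects > Application Groups: members may be apps or filters (Task 6)
GROUPS: Dict[str, List[Union[str, AppFilter]]] = {
    "Known-Good": ["ssl", "web-browsing", "ping", "dns", "flash"],
    "Known-Bad": [AppFilter(subcategory="proxy"),                                      # Proxies
                  AppFilter(subcategory="file-sharing", technology="browser-based")],  # Web-Based-File-Share
}


def expand(spec: Union[str, List[str]]) -> Optional[Set[str]]:
    """Resolve a rule's Application field to app names; None means 'any'."""
    if spec == "any":
        return None
    items = GROUPS[spec] if isinstance(spec, str) else spec
    names: Set[str] = set()
    for item in items:
        names |= item.members() if isinstance(item, AppFilter) else {item}
    return names


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    applications: Union[str, List[str]]  # "any", a group name, or explicit app names
    service: str                         # "application-default" or "any"
    action: str                          # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    app: str
    proto: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    if (rule.from_zone, rule.to_zone) != (flow.from_zone, flow.to_zone):
        return False
    allowed = expand(rule.applications)
    if allowed is not None and flow.app not in allowed:
        return False
    if rule.service == "application-default":  # the app must be on one of its standard ports
        return (flow.proto, flow.dport) in APPS[flow.app].default_ports
    return True


def evaluate(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Top-down, first match wins; no match falls to the implicit interzone deny."""
    for rule in rulebase:
        if matches(rule, flow):
            return rule.name, rule.action
    return "interzone-default", "deny"


TASK2_RULEBASE = [
    Rule("General Internet", "Trust-L3", "Untrust-L3",
         ["flash", "dns", "web-browsing", "ssl", "ping"], "application-default", "allow"),
    Rule("Deny Outbound", "Trust-L3", "Untrust-L3", "any", "any", "deny"),
    Rule("Deny Inbound", "Untrust-L3", "Trust-L3", "any", "any", "deny"),
]
TASK7_RULEBASE = [
    Rule("Known-Good", "Trust-L3", "Untrust-L3", "Known-Good", "application-default", "allow"),
    Rule("Known-Bad", "Trust-L3", "Untrust-L3", "Known-Bad", "any", "deny"),
    Rule("Log All", "Trust-L3", "Untrust-L3", "any", "any", "allow"),
]
FLOWS: Dict[str, Flow] = {  # constructed sessions
    "web-80": Flow("Trust-L3", "Untrust-L3", "web-browsing", "tcp", 80),
    "web-8080": Flow("Trust-L3", "Untrust-L3", "web-browsing", "tcp", 8080),
    "box": Flow("Trust-L3", "Untrust-L3", "boxnet", "tcp", 443),
    "proxy": Flow("Trust-L3", "Untrust-L3", "avoidr", "tcp", 80),
    "ssh": Flow("Trust-L3", "Untrust-L3", "ssh", "tcp", 22),
    "inbound": Flow("Untrust-L3", "Trust-L3", "web-browsing", "tcp", 80),
}

if __name__ == "__main__":
    for title, rb in (("Tasks 1-2", TASK2_RULEBASE), ("Task 7", TASK7_RULEBASE)):
        print(title, {label: evaluate(rb, flow) for label, flow in FLOWS.items()})
```

The model evaluates one identified application per session; the real firewall re-evaluates the rulebase when App-ID changes its identification mid-session (a session that starts as web-browsing and is then recognised as the box.net application), which is what the traffic log shows in Steps 6 and 7.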

Task 8 Create a custom query in the Traffic Log

Step 1: Click the Monitor tab > Logs > Traffic
Step 2: Click one attribute in each of the following three columns: From Zone, Destination, Application (each click adds a term to the filter)
Step 3: Click the run button or press Enter
Step 4: Click the query builder button (+) and select and, Bytes, <=, 100
Step 5: Click Add, click Close, then click the run button or press Enter
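
The following is an added worked example, not part of the lab manual: a small evaluator for the kind of filter the query builder produces, run over constructed traffic-log rows. A filter such as `(zone.src eq Trust-L3) and (app eq dns) and (bytes leq 100)` is an assumed rendering of the builder's output: the field names (zone.src, addr.dst, app, bytes, action) and operators (eq, neq, leq, geq, contains, in) follow the PAN-OS filter style, the `<=` / `>=` glyphs are accepted because that is what the builder shows, and the log rows are made up.

```python
# Added example, not from the lab manual. Filter syntax is an assumed rendering
# of the PAN-OS log filter style; LOG_ROWS are constructed, not real firewall output.
import re
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List

LOG_ROWS: List[Dict[str, Any]] = [
    {"id": 1, "zone.src": "Trust-L3", "zone.dst": "Untrust-L3", "addr.dst": "10.30.11.50",
     "app": "dns", "bytes": 84, "action": "allow"},
    {"id": 2, "zone.src": "Trust-L3", "zone.dst": "Untrust-L3", "addr.dst": "93.184.216.34",
     "app": "web-browsing", "bytes": 5120, "action": "allow"},
    {"id": 3, "zone.src": "Trust-L3", "zone.dst": "Untrust-L3", "addr.dst": "93.184.216.34",
     "app": "ssl", "bytes": 96, "action": "allow"},
    {"id": 4, "zone.src": "Untrust-L3", "zone.dst": "Trust-L3", "addr.dst": "192.168.7.55",
     "app": "ssh", "bytes": 60, "action": "deny"},
    {"id": 5, "zone.src": "Trust-L3", "zone.dst": "Untrust-L3", "addr.dst": "10.30.11.50",
     "app": "dns", "bytes": 300, "action": "allow"},
]

Predicate = Callable[[Dict[str, Any]], bool]
TOKEN = re.compile(r"\(|\)|[^\s()]+")  # parentheses are their own tokens

OPS: Dict[str, Callable[[Any, str], bool]] = {
    "eq": lambda a, b: str(a) == b,
    "neq": lambda a, b: str(a) != b,
    "leq": lambda a, b: float(a) <= float(b),
    "geq": lambda a, b: float(a) >= float(b),
    "contains": lambda a, b: b in str(a),
    "in": lambda a, b: ip_address(a) in ip_network(b, strict=False),  # address in subnet
}
OPS["<="], OPS[">="] = OPS["leq"], OPS["geq"]  # glyphs shown by the query builder


def _and(left: Predicate, right: Predicate) -> Predicate:
    return lambda row: left(row) and right(row)


def _or(left: Predicate, right: Predicate) -> Predicate:
    return lambda row: left(row) or right(row)


class Parser:
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | field op value."""

    def __init__(self, text: str) -> None:
        self.toks = TOKEN.findall(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected: str = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self) -> Predicate:
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def expr(self) -> Predicate:
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = _or(left, self.term())
        return left

    def term(self) -> Predicate:
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = _and(left, self.factor())
        return left

    def factor(self) -> Predicate:
        if self.peek() == "not":
            self.take()
            inner = self.factor()
            return lambda row: not inner(row)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            self.take(")")
            return inner
        field, op, value = self.take(), self.take(), self.take()
        if op not in OPS:
            raise ValueError(f"unknown operator {op!r}")
        fn = OPS[op]
        return lambda row: field in row and fn(row[field], value)


def run_query(text: str, rows: List[Dict[str, Any]] = LOG_ROWS) -> List[int]:
    """Return the ids of the rows the filter selects, in log order."""
    pred = Parser(text).parse()
    return [row["id"] for row in rows if pred(row)]
```

The bytes term is what makes the Task 8 query useful: sessions carrying under 100 bytes are typically scans or connections the policy denied before any data moved, so combining it with a zone and an application narrows the log to exactly that noise. An unknown operator raises rather than silently matching nothing, which is the behaviour you want from anything used to triage logs.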


Module 5 Content ID
In this lab you will:

Configure Security Profiles and connect them to Security Policy

Task 1 Configure a URL filtering Profile


Step 1: Click on Objects tab Security Profiles URL Filtering
Step 2: Click Add
Step 3: Set Name Student-url-filtering and set the following:
Check the box next to Dynamic URL Filtering
Set the Action for all Categories to Alert
Place paloaltonetworks.com and *.paloaltonetworks.com into the Allow list

Task 2 Configure a Custom URL Filtering Category


Step 1: Click on Objects tab Custom URL Categories
Step 2: Click Add
Step 3: Set Name to BadFW and set the following:
Add sites: www.watchguard.com, www.juniper.net, www.fortinet.com, www.mcafee.com,
www.cisco.com, www.netgear.com, www.sonicwall.com, www.barracudanetworks.com,
www.checkpoint.com
Step 4: Click Ok

Lab Manual

PAN-OS 5.0 Rev A

Page 22

PAN-EDU-201

Task 3 Configure an Antivirus Profile


Step 1: Click on Objects tab Antivirus
Step 2: Click Add
Step 3: Set Name Student-antivirus and set the following:
Change all Actions to alert
Step 4: Click the Packet Capture check box
Step 5: Click Ok

Task 4 Configure an Antispyware Profile


Step 1: Click on Objects tab Anti-Spyware and set the profile name to Student-antispyware
Step 2: Click Add (under the Rules tab in the popup) and set the following:
Set Rule Name to rule-1
Set Action to Allow
Set Severity: Low and Informational

Step 3: Click Ok and then click Add again (under the Rules tab in the popup)
Set Rule Name to rule-2
Set Action to Alert
Set Severity: Critical and High

Task 5 Connect individual Profile to Policy


Step 1: Click on the Policies tab Security
Step 2: Click on none in the Profile column of the Known_Good rule (you may have to scroll to the
right in this screen to see this column).
Step 3: Set Profile Type to Profiles
Step 4: Set Anti-virus to Student-antivirus, set Anti-spyware to Student-antispyware and URL to
Student-url-filtering
Step 5: Click OK
Lab Manual

PAN-OS 5.0 Rev A

Page 23

PAN-EDU-201
Step 6: Do the same thing for the Log_All rule, then Commit all changes

Task 6 Test connectivity


Step 1: On your student PC, go to http://www.eicar.org , then click on download antivirus test file
hyperlink and then click download on the left of the page.
Step 2: in the middle of the page a list of links should appear
Step 3: Download the eicar test virus (eicar.com, eicar.com.txt, eicar_com.zip, eicarcom2.zip)
using http.
Step 4: Click on the Monitor tab Threat log, and look for the log message that detects the eicar file.
Scroll to the Action column to verify the alert for each file download.
Step 5: Click on the green down arrow in the left-hand column. This brings up a view of the packets that
were captured.

Those packets captured could be exported in pcap format, and examined with a protocol analyzer
offline for further investigation.
Step 6: Modify the anti-virus security profile (from MOD 5, Task 3) to BLOCK all viruses
Step 7: Click Commit
Step 8: In a new browser tab or window, attempt to download eicar (Step 3). A block page should appear:

Step 9: On the firewall, click on the Monitor tab > Threat Logs. You will see log entries there stating
that the eicar virus was detected
Step 10: After 15 minutes, the threats you just generated will appear on the ACC tab, under the Threats
section.
Step 11: Browse to various websites. The URL filtering profile is recording each website that you go to.
Step 12: Go to a web site that is a directory of other hacking sites: http://neworder.box.sk
Step 13: On the firewall, click on the Monitor tab > URL Filtering Logs. You will see log entries that
match the web sites you went to. What category was that site?
Step 14: Edit the URL filtering profile (from MOD 5, Task 1) to block access to hacking sites
Step 15: Commit the changes
Step 16: In a new browser window, attempt to go to http://neworder.box.sk. You should not be able to.
You should see a block page similar to the following:

Task 7 Create a File Blocking Profile: Wildfire


Step 1: Remove the Anti-Virus Profile from the Security Policies
Step 2: Click on Objects tab > Security Profiles > File Blocking
Step 3: Click Add and name the profile Wildfire-test-1
Step 4: Click Add and name the rule type-1
Step 5: Set Action to forward
Step 6: Click Ok
Step 7: Add the Profile to the Known_Good and Log_All Security Policies
Step 8: Add the applications ftp and fileserve to the Known_Good Policy
Step 9: Commit all changes
Step 10: Navigate to \\10.30.11.50\students\student_tools_labs_205 and copy the file named
fiddler2Setup.exe to your desktop.
Step 11: Open a new browser window to http://www.fileserve.com
Step 12: Log in with the credentials Login: panedu / Passwd: paloalto
Step 13: Click the Upload tab (in the Fileserve web site) and upload the file you copied to your desktop in Step 10
Step 14: Review the Data Filtering log; the file should be sent to the sandbox for analysis. Your instructor
will show you the verdict that the sandbox system returned for the file

Task 8 Configure a Security Profile Group


Step 1: Click on Objects tab > Security Profile Groups
Step 2: Click Add
Step 3: Set Name to Student-profile-group and set the following:
Antivirus to Student-antivirus
Anti-spyware to Student-antispyware
URL Filtering to Student-url-filtering
Step 4: Click Ok

Task 9 Connect Profile Group to Policy


Step 1: Click on the Policies tab > Security
Step 2: Click on none in the Profile column of the Known_Good rule
Step 3: In the pull-down list of the pop-up, set Profile Type to Group
Step 4: Set Group Profile to Student-profile-group
Step 5: Click OK then Commit all changes

Task 10 Create a Custom Report


Step 1: Click the Monitor tab > Manage Custom Reports and click Add with the following:
Report name: Top unclassified traffic by day
Database: Traffic Summary
Period: Last 24 hours

Sort By: Bytes
Select Top 5
Group By: None
Remove the existing column headings before adding the following columns
Selected columns (in the following order): application, application technology, application
subcategory, bytes
Add a Query where the filter condition is:
Attribute: Rule
Operation: =
Value: (use the name you gave to the rule in your security policies: it should be called
Known_Good. Make sure to use the same capitalization).
Step 2: Save the report and then run the report.


Module 6 User-ID
In this lab you will:

Connect your firewall to a User-ID Agent

Task 1 Configure firewall to talk to User-ID Agent


Step 1: Click on Device tab > User Identification > User-ID Agents tab
Step 2: Click Add and set the name to pan-training-X (where X is your student number)
Step 3: Set IP address to 10.30.11.50 (Instructor may provide different IP information)
Step 4: Set Port to 5000 (Instructor may provide different port information)
Step 5: Click OK then Commit all changes

Task 2 Review user/IP information


Step 1: Open an SSH session, log in and issue the following commands:

show user user-id-agent statistics
show user user-IDs
show user ip-user-mapping all
show user ip-user-mapping ip <ip/netmask>

Note that the mappings come from AD and show the IP addresses associated with the student accounts.

Task 3 User-ID Agent (optional)


Step 1: Navigate to \\10.30.11.50\students\software and import the file named UaInstall-4.1.1-7.msi to
your desktop. (Instructor may direct you to a different file.)
Step 2: Double-click the file on your desktop. Click Next 3 times. The installation should begin.
Step 3: Navigate to the following: C:\Program Files\Palo Alto Networks\User-ID Agent and double-click
UaController.exe
Step 4: In the window click Setup (in the left-hand column)
Step 5: In the window click Edit (directly above the box Access Control List) and review the tabs in the
pop-up window
Step 6: Click the Authentication tab and enter the Username/Password provided by the instructor
Step 7: Click the Agent Service tab. (You will need the User-ID Service TCP Port number.) Click Ok
Step 8: Click Discovery in the left-hand column, then click Auto Discover below the Server section
Step 9: Then click Commit in the first window (no further response will occur)
Step 10: Click Logs in the left-hand column to review that the service started
Step 11: Open a StudentPC command prompt and issue C:\> ipconfig /all. Look for the IP address
associated with the Ethernet adapter Management DO NOT CONFIGURE. (This IPv4 address should be
in the range 10.30.11.66-105).
Step 12: With the StudentPC IP address (10.30.11.___) and the Port number from Step 7, repeat Task 1
(Configure firewall to talk to User-ID Agent)
Step 13: Confirm connectivity with the CLI command show user user-id-agent statistics
Step 14: Review the Agent configuration with the CLI command show user user-id-agent config name <name>


Module 7 Decryption
In this lab you will:

Create and test SSL certificates and decryption rules

Task 1 Pre setup and test


Step 1: Modify your anti-virus profile (from MOD 5, Task 3) to Alert
Step 2: Apply the AV profile to the Known_Good and Log_All Security Policies
Step 3: Remove the file-blocking profiles from the Security Policies
Step 4: Commit the changes
Step 5: Go to the eicar.org site and find the Download AntiMalware testfiles.
Step 6: Test downloading (without SSL decryption) one of the eicar test files
Step 7: From the same web page, test downloading (this time using the SSL protocol) the eicar.com or
eicar.com.txt
Step 8: Look at the Monitor tab > Threat logs. Was the virus detected? It should not have been, because
the connection was encrypted. We will now enable SSL decryption so that the firewall can decrypt the SSL
connection and inspect the virus inside it

Task 2 Create an SSL self-signed Certificate


Step 1: Click the Device tab > Certificates screen
Step 2: Click Generate along the bottom of the screen.
Step 3: Set the certificate fields as follows:

Certificate Name: Student-ssl-cert


Common Name: 192.168.X.1 (where X is your student number)
Country: US (or other 2-letter country code)
State, Locality, Organization, Department, Email, Host Name, and IP with values as desired.

Step 4: Select Certificate Authority below the Signed By field.


Step 5: Click Generate
Step 6: Once the certificate has successfully been generated, click on it to bring up the certificate
properties, and select Forward Trust Certificate and Forward Untrust Certificate
Step 7: Click OK

Task 3 Create SSL Outbound Decryption Policies


Step 1: Click the Policies tab > Decryption.
Step 2: Click Add and create an SSL decryption rule with the following parameters:
General tab: Name: No-Decrypt
Source tab: Source Zone: Trust-L3
Destination tab: Destination Zone: Untrust-L3
Options tab: Action: no-decrypt; URL Categories: Health and medicine, Shopping,
Financial Services
Step 3: Click Add and create an SSL decryption rule with the following parameters:
General tab: Name: Decrypt-all-traffic
Source tab: Source Zone: Trust-L3
Destination tab: Destination Zone: Untrust-L3
Options tab: Action: decrypt; Type: SSL Forward Proxy; URL Categories: Any
Step 4: Confirm that No-Decrypt rule is before the Decrypt-all-traffic rule, then click Commit.
Step 5: To test the No-Decrypt rule, first determine what URLs fall into the financial services, shopping,
or health and medicine categories. Go to http://www.brightcloud.com/ and enter various URLs that you
believe fall into those categories.
Step 6: Once you have found a couple web sites that are classified as you expect, use a browser to go to
those sites. You should not see a certificate error when you go to those sites.
Step 7: To test the SSL decryption rule, go to the www.eicar.org downloads page and download the virus
using SSL. You will get a certificate error. This is the expected behavior, and you can proceed. (The
certificate error occurs because the firewall is intercepting the SSL connection and performing man-in-the-middle decryption.)

HINT: If the download doesn't proceed, review the firewall Traffic log and URL Filtering log. (You may need
the IP address of the Eicar site.)
Step 8: Examine the Threat logs. The virus should have been detected, since the SSL connection was
decrypted. To the left of the log entry, click on the magnifying glass icon. Scroll to the bottom, and look for
the field Decrypted. The value should say yes.
Step 9: Examine the Traffic logs. Find the entry with the SSL application that corresponds to the eicar
download. Examine the details view. The Decrypted box should be checked.

Task 4 Set SSL exclude cache


Step 1: Open an SSH connection to the student firewall
Step 2: Set the exclude cache for the eicar.org domain. From configure mode type: set shared ssl-decrypt ssl-exclude-cert eicar.org, then commit
Step 3: Repeat the Steps 7, 8, and 9 from the previous Task
Question: what entries are now in the Traffic and Threat logs?
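The first-match rule lookup that Task 3 Step 4 relies on, together with the exclude cache from Task 4, as an added Python simulation that is not part of the lab manual or of PAN-OS itself. The rule names, zones and URL categories are the ones the lab configures; the data model, function names, the sample host names and the category assigned to www.eicar.org are this example's own assumptions.

```python
# Added example (not part of the lab manual): simulates how PAN-OS picks a
# Decryption rule (top-down, first match wins) and how the Task 4 exclude
# cache short-circuits that lookup. Rule names, zones and URL categories
# are the ones configured in Task 3; everything else is this example's own.

# Task 3 rulebase, in the order Step 4 requires (No-Decrypt on top).
DECRYPTION_RULES = [
    {"name": "No-Decrypt", "from": "Trust-L3", "to": "Untrust-L3",
     "categories": {"Health and medicine", "Shopping", "Financial Services"},
     "action": "no-decrypt"},
    {"name": "Decrypt-all-traffic", "from": "Trust-L3", "to": "Untrust-L3",
     "categories": "any", "action": "decrypt"},
]

# Task 4: set shared ssl-decrypt ssl-exclude-cert eicar.org
# (matched here on the server host name, a simplification of the real check).
SSL_EXCLUDE_CERT = {"eicar.org"}


def in_exclude_cache(host, exclude):
    """True when host is an excluded name or a subdomain of one."""
    return any(host == name or host.endswith("." + name) for name in exclude)


def evaluate_decryption(flow, rules=DECRYPTION_RULES, exclude=SSL_EXCLUDE_CERT):
    """Return (matched_rule, decrypted) for one SSL session.

    flow is a dict with 'from', 'to', 'host' and 'category'. The exclude
    cache is consulted first; then the rules are walked in order and the
    first one whose zones and URL category match decides the action.
    """
    if in_exclude_cache(flow["host"], exclude):
        return ("ssl-exclude-cert", False)
    for rule in rules:
        if rule["from"] != flow["from"] or rule["to"] != flow["to"]:
            continue
        cats = rule["categories"]
        if cats != "any" and flow["category"] not in cats:
            continue
        return (rule["name"], rule["action"] == "decrypt")
    # No rule matched: the session is passed through without decryption.
    return (None, False)


def av_can_inspect(flow, **policy):
    """The Student-antivirus profile only sees payload the firewall can read:
    cleartext HTTP, or SSL that a decrypt rule actually opened (Task 1 Step 8)."""
    if not flow.get("ssl", False):
        return True
    return evaluate_decryption(flow, **policy)[1]


def lab_walkthrough():
    """Replays the checks from Task 3 Steps 6-7 and Task 4 Step 3.
    Host names and the category given to www.eicar.org are constructed values."""
    base = {"from": "Trust-L3", "to": "Untrust-L3", "ssl": True}
    shop = dict(base, host="shop.example.com", category="Shopping")
    eicar = dict(base, host="www.eicar.org", category="Computer and Internet Info")
    return {
        "shopping_site": evaluate_decryption(shop),                # Step 6: no cert error
        "eicar_task3": evaluate_decryption(eicar, exclude=set()),  # Step 7: cert error, decrypted
        "eicar_task4": evaluate_decryption(eicar),                 # Task 4: excluded again
        "rules_reversed": evaluate_decryption(                     # why Step 4 checks the order
            shop, rules=list(reversed(DECRYPTION_RULES)), exclude=set()),
        "av_sees_eicar_task3": av_can_inspect(eicar, exclude=set()),
        "av_sees_eicar_task4": av_can_inspect(eicar),
    }
```

With the rulebase reversed, the shopping site is decrypted too, which is the certificate error Step 6 says you should not see.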

Task 5 Review Self-signed Certificate on StudentPC browser


Step 1: Open the browser used to test the SSL Outbound Decryption policy created in Task 3. Find the
certificate that was generated (in Task 2) that should now be in the StudentPC browser.


Module 8 VPN
In this lab you will:

Configure an IPsec tunnel to another Student firewall Trust Zone


Configure an IPsec tunnel to another Student firewall Untrust Zone

Task 1 Configure IPsec Tunnel Trust Zone


Step 1: Pick another student firewall and fill in the following:

Your Student Number: ..............................................(X) ____


Partner's Student Number: .......................................(Y) ____
Partner's Ethernet1/1.2xx IP Address: .....................172.16.____(Y).1
Partner's Trusted Network: .....................................192.168.____(Y).0
Partner's Ethernet1/2 IP address: ............................192.168.____(Y).1

Step 2: Click Network tab > Interfaces > Tunnel tab


Step 3: Select Add
Step 4: Create a new tunnel interface. Configure the Tunnel Interface with the following:
Tunnel Interface Name: .............................................tunnel.____(X)
Virtual Routers: ..........................................................Student-VR
Zone: ..........................................................................Trust-L3
Step 5: Click Network tab > IKE Gateway
Step 6: Click Add and configure with the following:
Name: .........................................................................Student-____ (Y)
Interface: ....................................................................ethernet1/1.2xx
Local IP Address: ........................................................172.16.____(X).1
Peer IP Address: .........................................................172.16.____(Y).1
Pre-shared Key: ..........................................................paloalto
Step 7: Click Network tab > IPsec Tunnels
Step 8: Click Add and configure with the following:
Name: .........................................................................Tunnel-to-____ (Y)
Tunnel Interface: ........................................................tunnel.____(X)
IKE Gateway: ..............................................................Student-____(Y)
Step 9: Click Network tab > Virtual Routers
Step 10: Click on Student-VR
Step 11: Click Static Route tab
Step 12: Click Add to add a route with the following information:
Name student(Y)
Destination 192.168.____(Y).0/24
Interface tunnel.____(X)
Step 13: Commit your changes
Step 14: Test VPN tunnel connectivity by opening a command prompt window and typing:

C:\Documents and Settings\student> ping 192.168.____(Y).1

Question: do you need to modify your security policy? Why or why not?
_____________________________________________________________
(Answer: Since the tunnel interface is in the TrustL3 zone, no policy changes are required.)


Reference:
admin@PA-500> show vpn tunnel
o Shows current tunnels (has a tunnel ID as first column TnID)
admin@PA-500> show vpn flow tunnel-id <TnID>
o Shows detailed info on a specific tunnel (will show packets and bytes through the tunnel)
admin@PA-500> clear vpn ike-sa gateway all
o Tears down all tunnels and gateway SAs
admin@PA-500> test vpn ipsec-sa tunnel <tunnel_name>
o Initiates Phase 1 and 2 SAs for the specified tunnel

Task 2 Configure IPsec Tunnel Untrust Zone


Step 1: Edit your tunnel interface and change the Security Zone to Untrust-L3
Step 2: Commit your changes
Step 3: Attempt to ping the remote student's internal gateway interface IP address (192.168._Y_.1).
Question: Does the ping work? If not, why?
________________________________
Answer: It should not work, because there is no policy to allow the traffic.
Step 4: Create a new Security Policy Rule from your Trust zone to your Untrust zone. You should create
address objects for your network and your partner's network and use them to make your policy more
restrictive. You will also need to build a policy from Untrust to Trust to allow the inbound traffic from your
partner's network.

Module 9 High Availability (optional)


In this lab you will:

Configure an Active/Passive HA pair with another Student firewall

Task 1 Configure HA Active/Passive


Step 1: Click the Dashboard tab > High Availability Dashboard Widget
Step 2: Click on Network tab > Interfaces
Step 3: Set interfaces ethernet1/7 and ethernet1/8 to Type HA, then click Commit
Step 4: Work with another student firewall and fill in the following:
Your Student Number: ..............................................(X) ____
Partner's Student Number: .......................................(Y) ____
Step 5: Agree upon IP and device information to fill in the following:
Group ID:.............................................................._____ (Pick one of your Student numbers)
Control Link: ........................................................ethernet1/7
Your Control Link IP:............................................10.10.____.____(X)
(3rd octet is lower student number)
Partner Control Link IP: .......................................10.10.____.____(Y)
(3rd octet is lower student number)
Data Link: .............................................................ethernet1/8
Your Data Link IP: ................................................10.10.____.____(X)
(3rd octet is higher student number)
Partner Data Link IP: ...........................................10.10.____.____(Y)
(3rd octet is higher student number)
Your Device Priority: ...........................................____(X)
Partner Device Priority: .......................................____(Y)
Step 6: Click on the Device tab > High Availability and configure the following with the information
collected in Step 5
Step 7: Click Edit in the Setup box
HA Enabled: .........................................................click check box
Group ID:..............................................................Determined in Step 5
Peer HA IP Address: .............................................Partner Control Link IP
Step 8: Click Edit in the Control Link (HA1) box and configure with the following:
Control Link Port: ................................................ethernet1/7
Control Link IP address:.......................................Your Control Link IP
Control Link Netmask: ........................................./24
Step 9: Click Edit in the Data Link (HA2) box
Data Link Port: .....................................................ethernet1/8
Data Link IP address: ...........................................Your Data Link IP
Data Link Netmask: ............................................./24
Step 10: Click Edit in the Election Settings box
Device Priority: ....................................................Your Student Number
Heartbeat Backup:...............................................Enabled
Step 11: Click the Link and Path Monitoring tab and enter the following in the Link Monitoring section
(ON LOWER DEVICE PRIORITY FIREWALL ONLY)

Enabled: ...............................................................click check box


Failure Condition: ................................................Any
Link Group Name:................................................Student HA
Interfaces: ............................................................ethernet1/7, ethernet1/8

Step 12: Commit all changes


Module 10 Panorama
In this lab you will:
Identify the student firewall logs on the Panorama
Create and push policy to the student firewall
Conduct a Config Audit

Task 1 Pre setup and test


Step 1: Remove the HA configuration from the Module 9 lab
Step 2: Click the Device tab > Setup > Management > Panorama Settings and add the IP
address (provided by the instructor) of the Panorama server
Step 3: Make sure Enabled Shared Config is selected (this is indicated when the button reads Disable
Shared Config) then Commit all changes

Task 2 Create a custom report - Panorama


Step 1: Log into Panorama server.
IP Address: .....................................................https://____.____.____.____
Login:..............................................................Student____(X) (X = student number)
Password: ......................................................paneduX
Step 2: Click on Monitor tab > Manage Custom Reports
Step 3: Create the report with the following:

Name:.................................................Student.____(X) (X = student number)


Database: ...........................................Device Traffic Log
Selected Columns: .............................Action, Application, Rule, Source User, Day, Hour
Time Frame: .......................................Last 7 Days
Query Builder: ...................................(serial eq _________) You can find the serial number of your
student firewall on the Dashboard tab

Step 4: Save the template, then Run Now to confirm

Task 3 Create an Application Group Object


Step 1: Click Objects tab > Application Group
Step 2: Create a new group called Pano-app-group-1
Step 3: Add the application facebook-base

Task 4 Create Pre/Post Policy


Step 1: Click the Policies tab > DoS Protection > Post Rules.
Step 2: Click Add and create a rule called Pano-DoS-Student___(X) (X = student number) with the
following criteria:
Source Zone: ..................................................Untrust-L3
Destination Zone: ..........................................Trust-L3
Action:............................................................Protect
Step 3: Click the Policies tab > Security > Pre Rules.
Step 4: Click Add and create a rule called Pano-Sec-Student___(X) (X = student number) with the
following criteria:

Source Zone: ..................................................Trust-L3


Destination Zone: ..........................................Untrust-L3
Application: ...................................................use the Application Group built in Task 3
Action:............................................................Deny

Task 5 Push config to student firewall


Step 1: Click Panorama tab > Managed Devices.
Step 2: Scroll to your Student number and click the Click to see the config changes icon (in the Device
Group column):

Step 3: Select Lines of context All and review the Additions, Modifications, and Deletions.
HINT: If for some reason the Config Audit window doesn't appear, the browser may be blocking pop-ups.
You will need to allow pop-ups, then close and reopen the browser.
Step 4: Close the Config Audit window and click the Click to commit all to device Student(X) icon (in the
Device Group column). (This action will cause a commit on the Student firewall.)

Do NOT select the Merge with Candidate Config check box.

Task 6 Switch context and review Policy on firewall


Step 1: On the Student firewall, click Tasks in the lower right-hand corner and wait for the commit to finish
Step 2: Click the Context drop-down in the upper left corner of the Panorama and select your student firewall
Step 3: Review the configuration pushed from the Panorama
Step 4: Open a new browser window and connect to an external web site