PAN-EDU-201
Table of Contents
How to use this Lab Guide
Lab Equipment Setup
Module 0 Introduction Lab Access and Review
Task 1 RDP to StudentPC, HTTPS and SSH to Student firewall
Task 2 Review PAN-OS software, Content, and Licenses
Task 3 Disable Panorama sharing
Module 4 App-ID
Task 1 Create a basic Security Policy for outbound traffic
Task 2 Create 2 basic policies to deny all inbound and outbound traffic
Task 3 Create an Application Block Page
Task 5 Create Application Filter
Task 6 Create Application Group
Task 7 Create three new Security Policies that match the following criteria:
Task 8 Create a custom query in the Traffic Log
Task 2 Configure a Custom URL Filtering Category
Task 3 Configure an Antivirus Profile
Task 4 Configure an Antispyware Profile
Task 5 Connect individual Profile to Policy
Task 6 Test connectivity
Task 7 Create a File Blocking Profile: Wildfire
Task 8 Configure a Security Profile Group
Task 9 Connect Profile Group to Policy
Task 10 Create a Custom Report
Module 10 Panorama
Task 1 Pre setup and test
Task 2 Create a custom report - Panorama
Task 3 Create an Application Group Object
Task 4 Create Pre/Post Policy
Task 5 Push config to student firewall
Task 6 Switch context and review Policy on firewall
Lab Manual
NOTE:
Unless specified, the Chrome web browser and the PuTTY SSH client will be used to perform any tasks outlined in the following labs. (These apps are preinstalled on the desktop of the StudentPC.)
With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help
enabled this training to be built, tested, and deployed.
[Figures: Lab Equipment Setup and Firewall Setup diagrams. Labels recoverable from the diagrams: Student Firewall (VSYS), EDU lab firewall, Panorama, Domain Controller, Router, Switch, Trunk 802.1q, Internet, HA, TAP Intf, Vwire, L3 Intf; Management 10.30.11.x /24; Trust-L3 192.168.x.1 /24 and 192.168.x.y /24; Untrust-L3 172.16.x.1 /24; interfaces E 1/1.2xx, E 1/2, E 1/3, E 1/4, E 1/5, E 1/6, E 1/7, E 1/8.]
Name ip-admin
Authentication Profile: None
Password and Confirm Password: paloalto
Role: Role Based
Profile: Policy Admins from the dropdown menu
Step 4: Click Ok then Click Commit
Step 5: Log off the GUI, then log back in as ip-admin and explore functionality
Step 9: Click Add and Set the Zone name Untrust-L3
Step 10: Set Type to Layer3
Step 11: Click Ok
Step 12: Click Add
Step 13: Set the Zone name Vwire-zone-3
Step 14: Set Type to Virtual Wire
Step 15: Click Ok
Step 16: Click Add
Step 17: Set the Zone name Vwire-zone-4
Step 18: Set Type to Virtual Wire
Step 19: Click Ok
Step 4: Select Zone Student-Tap-Zon (or whatever you named it), then click Ok
Step 10: Set the sub-interface ID to 200 + Student #. (Example: Student-05 would be 205.)
Step 11: Set the Tag to match the sub-interface ID
Step 12: Click the dropdown arrow in the Security Zone field, and click New Zone
Step 13: In the popup window set the Name to Untrust-L3
Step 14: Select the IPv4 tab, click Add and enter the following IP address and subnet mask:
172.16.___.1/24 (your student # is the 3rd octet)
Step 15: Select the Advanced tab and set the Management Profile to allow_ping then click OK
Step 12: From the Network|Zone menu, remove the zones trust and untrust, then commit
Module 4 App-ID
In this lab you will:
Create a security policy to allow basic internet connectivity and log dropped traffic
Enable Application Block pages
Create Application Filters and Application Groups
Step 1: Click Add
Step 2: Create a new rule named Deny Outbound
Step 3: Configure the following information:
Step 2: The second policy blocks all of your known bad applications
Step 4: Confirm that your security rulebase looks like this, and then commit your changes:
Step 5: You will now test your new policies. Ping from your student PC out to the Internet. That should
work. Also, web surfing should work, over port 80 and 443.
Step 6: Use a browser to try to connect to the site www.box.net. The browser should not be able to
display the site. Why is that? Take a look at the log message in the traffic log to find out. What is special
about that application?
Step 7: Now attempt to reach www.box.net using the proxy site www.avoidr.com. Go to
www.avoidr.com. You should not be allowed to browse it. Why? (HINT: look at the traffic logs.)
Step 8: Select the ACC tab to access the Application Command Center. Use the drop-down menu in the
application section of the ACC to select different ways of viewing the traffic that you have generated. What
is the total risk level for all traffic that has passed through the firewall thus far? Notice that the URL
Filtering, Threat Prevention, and Data Filtering sections within the ACC contain no matching records.
Module 5 Content ID
In this lab you will:
Step 3: Click Ok and then click Add again (under the Rules tab in the popup)
Set Rule Name to rule-2
Set Action to Alert
Set Severity: Critical and High
Step 6: Do the same thing for the Log_All rule, then Commit all changes
Those packets captured could be exported in pcap format, and examined with a protocol analyzer
offline for further investigation.
Step 6: Modify the anti-virus security profile (from MOD 5, Task 3) to BLOCK all viruses
Step 7: Click Commit
Step 8: In a new browser tab or window, attempt to download eicar (Step 3). A block page should appear:
Step 9: On the firewall, click on the Monitor tab > Threat Logs. You will see log entries there stating
that the eicar virus was detected.
Step 10: After 15 minutes, the threats you just generated will appear on the ACC tab, under the Threats
section.
Step 11: Browse to various websites. The URL filtering profile is recording each website that you go to.
Step 12: Go to a web site that is a directory of other hacking sites: http://neworder.box.sk
Step 13: On the firewall, click on the Monitor tab > URL Filtering Logs. You will see log entries that
match the web sites you went to. What category was that site?
Step 14: Edit the URL filtering profile (from MOD 5, Task 1) to block access to hacking sites
Step 15: Commit the changes
Step 16: In a new browser window, attempt to go to http://neworder.box.sk. You should not be able to.
You should see a block page similar to the following:
Step 9: Commit all changes
Step 10: Navigate to \\10.30.11.50\students\student_tools_labs_205 and copy the file named
fiddler2Setup.exe to your desktop.
Step 11: Open a new browser window to http://www.fileserve.com
Step 12: Log in with the credentials Login: panedu / Passwd: paloalto
Step 13: Click the Upload tab (in the Fileserve web site) and upload the file setup.exe
Step 14: Review the Data Filtering log; the file should be sent to the sandbox for analysis. Your teacher
will show you the verdict for the file in the sandbox system.
Sort By : Bytes
Select Top 5
Group By: None
Remove the existing column headings before adding the following columns
Selected columns (in the following order): application, application technology, application
subcategory, bytes
Add a Query where the filter condition is:
Attribute: Rule
Operation: =
Value: (use the name you gave to the rule in your security policies: it should be called
Known_Good. Make sure to use the same capitalization).
Step 2: Save the report and then run the report.
Module 6 User-ID
In this lab you will:
Note the mappings are from AD and the IP addresses associated with the student accounts.
Module 7 Decryption
In this lab you will:
In this part, you will create and test SSL certificates and decryption rules.
HINT: If the download doesn't proceed, review the firewall Traffic Log and URL Filtering log. (You may need
the IP address of the Eicar site.)
Step 8: Examine the Threat logs. The virus should have been detected, since the SSL connection was
decrypted. To the left of the log entry, click on the magnifying glass icon. Scroll to the bottom, and look for
the field Decrypted. The value should say yes.
Step 9: Examine the Traffic logs. Find the entry with the SSL application that corresponds to the eicar
download. Examine the details view. The Decrypted box should be checked.
Module 8 VPN
In this lab you will:
Local IP Address: 172.16.____(X).1
Peer IP Address: 172.16.____(Y).1
Pre-shared Key: paloalto
Step 7: Click Network tab > IPsec Tunnels
Step 8: Click Add and configure with the following:
Name: Tunnel-to-____ (Y)
Tunnel Interface: tunnel.____(X)
IKE Gateway: Student-____(Y)
Step 9: Click Network tab > Virtual Routers
Step 10: Click on Student-VR
Step 11: Click Static Route tab
Step 12: Click Add to add a route with the following information:
Name student(Y)
Destination 192.168.____(Y).0/24
Interface tunnel.____(X)
Step 13: Commit your changes
Step 14: Test VPN tunnel connectivity by opening a command prompt window and typing:
Question: do you need to modify your security policy? Why or why not?
_____________________________________________________________
(Answer: Since the tunnel interface is in the TrustL3 zone, no policy changes are required.)
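The X/Y scheme used in the steps above, worked through in Python as an added example (not part of the original lab guide): it derives the values each student enters and checks that the two peers' settings mirror each other. The function names, the `trust_subnet` key and the use of un-padded student numbers in object names are assumptions made for illustration.

```python
import ipaddress

def vpn_plan(x: int, y: int) -> dict:
    """Values student X enters for the tunnel to partner Y (lab X/Y scheme)."""
    if x == y:
        raise ValueError("X and Y must be different student numbers")
    for n in (x, y):
        if not 1 <= n <= 254:
            raise ValueError(f"student number {n} does not fit in one IPv4 octet")
    return {
        "local_ip": ipaddress.ip_address(f"172.16.{x}.1"),
        "peer_ip": ipaddress.ip_address(f"172.16.{y}.1"),
        "tunnel_name": f"Tunnel-to-{y}",
        "tunnel_interface": f"tunnel.{x}",
        "ike_gateway": f"Student-{y}",
        "route_name": f"student{y}",
        "route_destination": ipaddress.ip_network(f"192.168.{y}.0/24"),
        "route_interface": f"tunnel.{x}",
        # Assumption: own Trust-L3 subnet, from the lab's 192.168.x.1/24 scheme.
        "trust_subnet": ipaddress.ip_network(f"192.168.{x}.0/24"),
    }

def mismatches(a: dict, b: dict) -> list:
    """List the ways two peers' settings fail to mirror each other."""
    problems = []
    for me, peer, who in ((a, b, "A"), (b, a, "B")):
        if me["peer_ip"] != peer["local_ip"]:
            problems.append(f"{who}: peer IP {me['peer_ip']} != partner local IP {peer['local_ip']}")
        if me["route_destination"] != peer["trust_subnet"]:
            problems.append(f"{who}: route to {me['route_destination']} misses partner subnet {peer['trust_subnet']}")
        if me["route_interface"] != me["tunnel_interface"]:
            problems.append(f"{who}: route uses {me['route_interface']}, tunnel is {me['tunnel_interface']}")
    return problems

if __name__ == "__main__":
    # Constructed sample: students 5 and 7 are partners.
    a, b = vpn_plan(5, 7), vpn_plan(7, 5)
    print(mismatches(a, b))
    # Constructed error: student 7 typed the wrong third octet in the static route.
    b_typo = dict(b, route_destination=ipaddress.ip_network("192.168.6.0/24"))
    for line in mismatches(a, b_typo):
        print(line)
```

A mismatch in the static route is worth checking first when the tunnel comes up but the partner's Trust-L3 hosts stay unreachable.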
Reference:
admin@PA-500> show vpn tunnel
  - Shows current tunnels (has a tunnel ID as first column TnID)
admin@PA-500> show vpn flow tunnel-id <TnID>
  - Shows detailed info on specific tunnel (will show packets and bytes through the tunnel)
admin@PA-500> clear vpn ike-sa gateway all
  - Tears down all tunnels and gateway SAs
admin@PA-500> test vpn ipsec-sa tunnel <tunnel_name>
restrictive. You will also need to build a policy from Untrust to Trust to allow the inbound traffic from your
partner's network.
(3rd octet is higher student number)
Partner Data Link IP: 10.10.____.____(Y)
(3rd octet is higher student number)
Your Device Priority: ____(X)
Partner Device Priority: ____(Y)
Step 6: Click on the Device tab > High Availability and configure the following with the information
collected in Step 5
Step 7: Click Edit in the Setup box
HA Enabled: click check box
Group ID: Determined in Step 5
Peer HA IP Address: Partner Control Link IP
Step 8: Click Edit in the Control Link (HA1) box and configure with the following:
Control Link Port: ethernet1/7
Control Link IP address: Your Control Link IP
Control Link Netmask: /24
Step 9: Click Edit in the Data Link (HA2) box
Data Link Port: ethernet1/8
Data Link IP address: Your Data Link IP
Data Link Netmask: /24
Step 10: Click Edit in the Election Settings box
Device Priority: Your Student Number
Heartbeat Backup: Enabled
Step 11: Click the Link and Path Monitoring tab and enter the following in the Link Monitoring section
(ON LOWER DEVICE PRIORITY FIREWALL ONLY)
Module 10 Panorama
In this lab you will:
Identify the student firewall logs on the Panorama
Create and push policy to the student firewall
Conduct a Config Audit
Step 2: Click Add and create a rule called Pano-DoS-Student___(X) (X = student number) with the
following criteria:
Source Zone: Untrust-L3
Destination Zone: Trust-L3
Action: Protect
Step 3: Click the Policies tab > Security > Pre Rules.
Step 4: Click Add and create a rule called Pano-Sec-Student___(X) (X = student number) with the
following criteria:
Step 3: Select Lines of context All and review the Additions, Modifications, and Deletions.
HINT: If for some reason the Config Audit window doesn't appear, the browser may be blocking pop-ups.
You will need to allow pop-ups, then close and reopen the browser.
Step 4: Close the Config Audit window and click the Click to commit all to device Student(X) icon (in the
Device Group column). (This action will cause a commit on the Student firewall.)