Management:
Essentials I
Lab Manual
PAN-OS 7.0
PAN-EDU-101 Rev. A.200 v2
For PA-200
PANEDU101
Table of Contents
Typographical Conventions
How to use this Lab Guide ... 6
Lab Guide Objectives ... 6
Lab Equipment Setup ... 7
Lab Assumptions ... 7
Scenario Initial Config ... 8
Scenario ... 8
Required Information ... 8
Solution AppID ... 20
Verify Internet Connectivity and Application Blocking ... 21
Scenario ContentID ... 23
Scenario ... 23
Required Information ... 24
Lab Notes ... 24
Solution ContentID ... 25
Configure a Custom URL Filtering Category ... 25
Configure a URL Filtering Profile ... 25
Configure an Antivirus Profile ... 25
Configure an Anti-Spyware Profile ... 26
Create a File Blocking Profile with Wildfire ... 30
Assign Profiles to a Policy ... 26
Test the Antivirus Profile ... 26
Modify the Antivirus Profile ... 27
Test the new Antivirus Profile ... 27
Test the URL Filtering Profile ... 27
Test the File Blocking Profile with Wildfire
Configure a Security Profile Group ... 28
Assign the Security Profile Group to a Policy ... 30
NOTE: Unless specified, the Google Chrome web browser and the PuTTY SSH client will be used to perform
any tasks outlined in the following labs.
(Figure: Lab Equipment Setup. The firewall's Mgt port and a DHCP-enabled local network connect to the Internet.)
Lab Assumptions
These lab instructions assume the following conditions:
1) The student is using a PA200 firewall which has been registered with Palo Alto Networks Support.
2) The firewall is licensed for Support, Threat Prevention, and URL Filtering.
3) The PA200 is running the latest version of 7.0 software and has all the latest updates for Antivirus, Applications and Threats, and URL Filtering.
4) There are no other Palo Alto Networks firewalls between the student's PA200 and the internet. The labs will still work if upstream firewalls exist, but the results will vary based on the settings of those firewalls.
5) The labs will require two connections to a local network.
a) The connection from the Mgt network will require a static IP address, a default gateway, and an entry for a DNS server.
b) The connection from the Eth1/3 port will require an IP address, default gateway and DNS server assigned by a DHCP server.
c) These two connections do not have to be on separate subnets.
Scenario
You have been tasked with integrating a new firewall into your environment. The firewall is configured
with a MGT IP address and administrator account. You will need to change the IP address of your laptop
to communicate with the default IP address of the MGT port.
If your firewall has settings you would like to restore after the completion of this lab, save the current
configuration so that it can be reloaded on the firewall. Apply a saved configuration to the firewall so that
it is in a known state.
In preparation for the new deployment, create a role for an assistant administrator which allows access to
all firewall functionality through the WebUI except Monitor, Network, Privacy, and Device. The account
should have no access to the XML API or the CLI. Create an account using this role. Additionally, change the
password of the admin account to disable the warnings about using default credentials.
Required Information
Named Configuration Snapshot: 70Default
New Administrator Role name: Policy Admins
New Administrator Account name: ip-admin
New Administrator Account password: paloalto
New password for the admin account: paloalto
Click OK to continue.
Name: Enter ip-admin
Password: Enter paloalto
Administrator Type: Select Role Based
Profile: Select Policy Admins
33) Click the Commit link at the top right of the WebUI. Click OK and wait until the commit process completes, then click Close.
34) Open a different browser and log onto the WebUI as ip-admin. For example, if you originally connected to the WebUI using Chrome, open this connection in Internet Explorer.
35) Explore the available functionality. Compare the displays for the admin and ip-admin accounts to see the limitations of the newly created account.
36) When you are done exploring, log out of the ip-admin account connection.
37) Log back into the PA200 WebUI as user admin, password paloalto.
Scenario:
The POC went well and the decision was made to use the Palo Alto Networks firewall in the network. You are to create two zones, UntrustL3 and TrustL3. The external-facing interface in UntrustL3 will get an IP address from a DHCP server on the external network. TrustL3 will be where the internal clients connect to the firewall, and so the interface in TrustL3 will provide DHCP addresses to these internal clients. The DHCP server you configure in the TrustL3 zone will inherit DNS settings from the external-facing interface.
Both the internal and external interfaces on the firewall must route traffic through the external-facing interface by default. The interface in UntrustL3 must be configured to respond to pings and the interface in TrustL3 must be able to provide all management services.
Once you have completed the Layer 3 configurations, you will need to move the physical Ethernet cable coming from your PC from the MGT port to the ethernet1/4 port of the PA200. You must also change the settings of the LAN interface on your laptop to use DHCP-supplied network information (IP address and DNS servers) instead of static settings. You will then cable the eth1/3 port and the Mgt port to your local network. The eth1/3 port will receive DHCP addressing from your local network. The Mgt port will require a local static address.
Required Information
Interface Management Profile Names: allow all, allow_ping
Internal-facing IP Address: 192.168.2.1/24
Internal-facing interface: Ethernet1/4
External-facing interface: Ethernet1/3
DHCP Server: Gateway: 192.168.2.1
DHCP Server: Inheritance Source: Ethernet1/3
DHCP Server: Primary DNS: inherited
DHCP Server: IP address range: 192.168.2.50-192.168.2.60
Virtual Router Name: Student-VR
Interface Type: Select Layer 3
Config tab
Virtual Router: Keep default (none)
Security Zone: Select UntrustL3
IPv4 tab
Type: Select DHCP Client
Advanced > Other Info tab
Management Profile: Select allow_ping
Click OK to close the interface configuration window.
10. Click the interface name ethernet1/4. Configure the interface:
Interface Type: Select Layer 3
Config tab
Virtual Router: Keep default (none)
Security Zone: Select TrustL3
IPv4 tab
Type: Keep default (Static)
IP: Click Add then enter 192.168.2.1/24
Advanced > Other Info tab
Management Profile: Select allow_mgt
Click OK to close the interface configuration window.
Configure DHCP
11. Click Network > DHCP > DHCP Server.
12. Click Add to define a new DHCP Server:
Interface Name: Select ethernet1/4
Lease tab
IP Pools: Click Add then enter 192.168.2.50-192.168.2.60
Options tab
Inheritance Source: Select ethernet1/3
Gateway: Enter 192.168.2.1
IP Pool Subnet: 255.255.255.0
Primary DNS: Select inherited
Secondary DNS: 4.2.2.2
Click OK to close the DHCP Server configuration window.
Configure the Virtual Router
Name: Enter Student-VR
Interfaces: Click Add then select ethernet1/3
Click Add again and select ethernet1/4
Configure the physical LAN interface on your laptop (the one connected to the ethernet1/4 interface) to use a DHCP address.
Verify that your laptop is receiving a DHCP address from the firewall. The displayed IP address should be in the range 192.168.2.50-192.168.2.60 if the DHCP Server is configured correctly.
You should also be able to ping 192.168.2.1 from your laptop.
From your laptop, open an SSH session (using PuTTY or some other SSH program) to 192.168.2.1. Log in with username admin, password paloalto.
22. Plug a cable connected to your local network into the ethernet1/3 interface on the firewall.
Click on Dynamic-DHCP Client to see the DHCP information that has been received from the local DHCP server.
At this point, the firewall is configured but is unable to pass traffic between zones. NAT and Security Policies must be
defined before traffic will flow between zones. In this lab, you will create a Source NAT Policy using the UntrustL3 IP
address as the source address for all outgoing traffic. Then you will create a Security Policy to allow traffic from the
TrustL3 Zone to the UntrustL3 Zone, so that your workstation can access the outside world.
Scenario AppID
In this lab you will:
Create a security policy to allow basic internet connectivity and log dropped traffic
Enable Application Block pages
Create Application Filters and Application Groups
Now that you have confirmed that your workstation has connectivity to the Internet, you will delete the Allow All Out Security Rule and replace it with a more restrictive Security Rule. By default, the PAN Firewall will block any traffic between different Security Zones. You will create a Security Policy to selectively enable specific applications to pass from the Trust-L3 zone to the Untrust-L3 zone. All other applications will be blocked.
Create a Rule named General Internet which allows users in the Trust-L3 zone to use a set of commonly used applications to access the internet. The applications should only be permitted on each application's default port. All other traffic (inbound and outbound) between zones will be blocked and logged so that you can identify what other applications are being used.
Next, you will configure the firewall to notify users when applications are blocked by a Rule.
Required Information
Security Rule name: General Internet
Applications: dns, flash, ftp, paloalto-updates, ping, web-browsing, ssl
Lab Notes
Test your connectivity by connecting to http://www.depositfiles.com (login paneduc, password paloalto). Because you have not specified depositfiles as an allowed application, the firewall should block the application, even if you attempt to use a proxy.
Solution AppID
Create an Application Group
1. Click Objects > Application Groups.
2. Click Add to define the Known-Good application group:
Name: Enter Known-Good
Applications: Click Add and select each of the following:
dns
flash
ftp
paloalto-updates
ping
ssl
web-browsing
8. Click Cancel.
9. Select the interzone-default policy row, without opening the policy, and click Override. The Security Policy Rule predefined window opens.
10. Click the Actions tab.
11. Check Log at Session End.
12. Click OK.
19. Go to Monitor > Logs > Traffic to review the traffic logs. Find the entries where the depositfiles application has been blocked. You may want to put ( app eq depositfiles ) in the filter text box. The site has been blocked because the depositfiles application is not listed in the allowed applications in the General Internet Policy.
20. Now try to work around the application block by using a proxy. From the RDP desktop, go to the proxy site http://www.avoidr.com.
21. Enter www.depositfiles.com in the text box and click Go. An Application Blocked page appears showing that the phproxy application was blocked.
22. Go to Monitor > Logs > Traffic to find the corresponding entry in the Traffic Logs. It indicates that
Scenario ContentID
In this lab you will:
Scenario
Now that traffic is passing through the firewall, you decide to further protect the environment with
Security Profiles. The specific security requirements for general internet traffic are:
Log all URLs accessed by users in the TrustL3 zone. In particular, you need to track access to a set
of specific technology websites.
Log, but do not block, all viruses detected and maintain packet captures of these events for
analysis.
Log spyware of severity levels medium, critical and high detected in the traffic. Ignore all other
spyware.
After all of these profiles are configured, send test traffic to verify that the protection behaves as
expected.
After the initial testing is complete, you are asked to change the Antivirus protection to reset-both for viruses. Make the changes and verify the difference in behavior.
Once the individual profiles are created and tested, combine the profiles into a single group for ease of
management. Attach the group to the appropriate security policies.
Required Information
Custom Technology sites to track: www.newegg.org, www.cnet.com, www.zdnet.com
Antivirus test procedure:
1. Browse to http://www.eicar.org
2. Click Anti-Malware Testfile.
3. Click Download
4. Download any of the files using http only. Do not use the SSL links.
Lab Notes
Only test the antivirus profile using http, not https. HTTPS connections will prevent the firewall
from seeing the packet contents so the viruses contained will not be detected by the profile.
Decryption will be covered in a later module.
Solution ContentID
Configure a Custom URL Filtering Category
1. Go to the WebUI and click Objects > Custom Objects > URL Category.
2. Click Add to create a custom URL category:
Name: Enter TechSites
Sites: Click Add and add each of the following URLs:
www.newegg.org
www.cnet.com
www.zdnet.com
Click OK to close the Custom URL Category window.
Configure a URL Filtering Profile
Name: Enter student-url-filtering
Click the right side of the Action header to access the pull-down menu.
Click Set All Actions > Alert.
Search the Category field for the following categories and set the Action to block for each of them:
adult (or adult-and-pornography)
government
hacking
questionable
TechSites
Set the unknown category to continue.
Click OK to close the URL Filtering profile window.
Configure an Antivirus Profile
Name: Enter student-antivirus
Antivirus tab
Packet Capture: Check the Packet Capture box
Decoders: Set the Action column to Alert for all decoders.
Configure an Anti-Spyware Profile
Name: Enter student-antispyware
Click Add and create a rule with the parameters:
Rule Name: Enter rule-1
Action: Select Allow
Severity: Check the boxes for Medium, Low and Informational only
Click OK to save the rule
Click Add and create another rule with the parameters:
Rule Name: Enter rule-2
Action: Select Alert
Severity: Check the boxes for Critical and High only
Click OK to save the rule
15. Click the Download link to access the virus test files.
16. Download any of the Eicar test files listed under the banner Download area using the standard protocol http. (Do not use the SSL-encrypted downloads. The firewall will not be able to detect the viruses in an HTTPS connection unless decryption is configured.)
17. Click Monitor > Logs > Threat to view the threat log. Find the log messages which detect the Eicar files. Scroll to the Action column to verify the alerts for each file download.
18. Click on the green down arrow on the left side of the line for the Eicar file detection to view the packet capture (PCAP). Here is an example of what a PCAP might look like:
Captured packets can be exported in PCAP format and examined with a protocol analyzer offline for further investigation.
Profile Type: Select Group
Group Profile: Select student-profile-group
Add the security profile to the security profile groups associated with the security policy rule.
Now that traffic is passing through the firewall, you decide to further protect the environment with some more security
profiles. The additional security requirements for general Internet traffic are:
Create a File Blocking Profile
Name: Enter student-file-block
Click Add and create a rule with the parameters:
Rule Name: Enter blockPDF
File Types: Add pdf
Action: Select block
Click OK to close the file blocking profile window.
Return to the WebUI and click Objects > Security Profile Groups.
Open student-profiles-group.
Choose student-file-blocking as the file blocking profile.
Click OK.
10. Select Monitor > Logs > Data Filtering and find the entry for the pdf file that has been blocked.
Scenario Decryption
In this lab you will:
Scenario
Your security team is concerned about the results of the testing performed as part of the security profile configurations. The team observed that the antivirus profile only identified viruses which were not SSL encrypted. The concern is that files transferred from encrypted sources (e.g., https://www.facebook.com) could escape detection and cause issues.
You want to evaluate using a forward-proxy configuration on the Palo Alto Networks firewall. Only traffic from TrustL3 to UntrustL3 needs to be decrypted. Since this is not production, you decide to use self-signed SSL certificates generated on the firewall for this implementation.
Once an application is decrypted and identified by the PAN firewall, it may be denied if you have set the Security Policy to only allow applications that arrive on their standard default ports. For example, if FTP traffic encrypted by SSL is decrypted and recognized by the firewall, the firewall will see it as FTP traffic arriving on port 443. Because this is not the standard FTP port, it may be denied. Therefore, in this exercise, when you are using decryption, you will set your Security Rules to allow any port instead of using application-default.
The legal department has advised you that certain traffic should not be decrypted for liability reasons. Specifically, you may not decrypt traffic from health-related, shopping, or financial web sites.
Test the decryption two ways:
Attempt to download test files from www.eicar.org using https and verify that they are detected by the firewall.
Connect to various websites using https and use the logs to verify that the correct URL categories are being decrypted.
You will receive certificate errors when browsing after decryption is enabled. This is expected because the self-signed certificates have not been added to the Trusted certificates of the client browser. Resolve this by adding the firewall certificate to the clients as a Trusted Root Certificate.
After your initial testing of the forward-proxy, the penetration testing team calls you to request an exception to the decryption rules. The team asks that www.eicar.org be excluded from decryption so that they will still be able to download the files that they need to perform their evaluations. Change the implementation to allow this exception.
Required Information
Self-signed Certificate name: CA-ssl-cert
Common Name of the SSL Certificate: 192.168.2.1
Decryption Policies: no-decrypt-traffic, decrypt-all-traffic
Lab Notes
Sequence order matters with policies: make sure that the decrypt and no-decrypt rules are evaluated in the correct order. Decryption rules are matched top-down, so a decrypt-all rule placed above the no-decrypt rule would match every session first and the exclusion would never take effect.
To find URLs to test the no-decrypt rule, go to https://urlfiltering.paloaltonetworks.com/testASite.aspx and enter various URLs that you think will fall into the categories that you are testing.
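To make the ordering note concrete, here is an added Python model of this lab's decryption policy as a top-down, first-match lookup, with a check that reports any rule shadowed by an earlier one. It is an example written for this page, not code from the manual or from PAN-OS; the host-to-category table and the eicar-exception custom category are constructed assumptions.

```python
"""First-match model of the lab's decryption policy (added example, not
part of the PAN-EDU-101 manual or of PAN-OS). It models only what the lab
describes: a no-decrypt rule for the financial, health and shopping
categories, a decrypt-all rule for TrustL3 -> UntrustL3, and the later
exception for www.eicar.org."""
from dataclasses import dataclass

# Constructed stand-in for the URL database, covering hosts the lab visits.
CATEGORY_OF = {
    "www.bankofamerica.com": "financial-services",
    "www.deltadental.com": "health-and-medicine",
    "www.macys.com": "shopping",
    "www.bing.com": "search-engines",
    "www.yahoo.com": "search-engines",
}
# Hypothetical custom URL category holding the pen-test team's exception.
EICAR_CATEGORY = "eicar-exception"
EICAR_HOSTS = {"www.eicar.org"}


def category_of(host):
    """Custom categories take precedence over the database lookup."""
    if host in EICAR_HOSTS:
        return EICAR_CATEGORY
    return CATEGORY_OF.get(host, "unknown")


@dataclass
class DecryptRule:
    name: str
    action: str                              # "decrypt" or "no-decrypt"
    url_categories: frozenset = frozenset()  # empty set means Any
    src_zone: str = "TrustL3"
    dst_zone: str = "UntrustL3"

    def matches(self, src_zone, dst_zone, category):
        if (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        return not self.url_categories or category in self.url_categories


def evaluate(rules, host, src_zone="TrustL3", dst_zone="UntrustL3"):
    """Top-down, first-match lookup. Returns (rule name, action); a session
    that matches no rule is left encrypted."""
    category = category_of(host)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, category):
            return rule.name, rule.action
    return None, "no-decrypt"


def shadowed(rules):
    """Names of rules that can never match because an earlier rule with the
    same zones already covers every category they list."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_zones = (earlier.src_zone, earlier.dst_zone) == (later.src_zone, later.dst_zone)
            covers = not earlier.url_categories or (
                later.url_categories and later.url_categories <= earlier.url_categories)
            if same_zones and covers:
                dead.append(later.name)
                break
    return dead


NO_DECRYPT = DecryptRule("no-decrypt-traffic", "no-decrypt",
                         frozenset({"financial-services", "health-and-medicine", "shopping"}))
DECRYPT_ALL = DecryptRule("decrypt-all-traffic", "decrypt")
EICAR_EXCEPTION = DecryptRule("eicar-no-decrypt", "no-decrypt", frozenset({EICAR_CATEGORY}))

CORRECT_ORDER = [NO_DECRYPT, DECRYPT_ALL]
WRONG_ORDER = [DECRYPT_ALL, NO_DECRYPT]   # decrypt-all hides the exclusion
WITH_EXCEPTION = [EICAR_EXCEPTION, NO_DECRYPT, DECRYPT_ALL]

if __name__ == "__main__":
    for host in ("www.bankofamerica.com", "www.bing.com", "www.eicar.org"):
        print(host, evaluate(CORRECT_ORDER, host), evaluate(WITH_EXCEPTION, host))
    print("shadowed in wrong order:", shadowed(WRONG_ORDER))
```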
Solution Decryption
Verify firewall behavior without decryption
For this lab, we will use the Internet Explorer browser. Chrome has its own virus detection system, and Firefox has its own certificate repository.
1. From the desktop, open an Internet Explorer browser and browse to www.eicar.org/85-0-Download.html.
2. Scroll to the bottom of the page and use HTTP to download one of the test files. The file will be blocked and a warning page appears.
3. Click the Back button and use HTTPS to download one of the files. The file will download (but may be deleted by the browser).
4. Go to the WebUI and click Monitor > Logs > Threat to view the log. Notice that SSL encryption hid the contents from the firewall, and so the test file was not detected as a threat.
Options tab
Action: Select No Decrypt
Click OK to close the configuration window.
12. Click Add to create the SSL decryption rule for general decryption:
General tab
Name: Enter decrypt-all-traffic
Source tab
Source Zone: Click Add then select TrustL3
Destination tab
Destination Zone: Click Add then select UntrustL3
URL Category tab
URL Category: Verify that the Any box is checked
Options tab
Action: Select Decrypt
Type: Select SSL Forward Proxy
Click OK to close the configuration window.
13. Confirm that your decryption policy list looks like this:
25. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box has a check mark.
29. In a separate browser window, browse to the following URLs using https:
financial-services: www.bankofamerica.com
health-and-medicine: www.deltadental.com
shopping: www.macys.com
30. Now use https:// to browse to sites like bing.com or yahoo.com which are not excluded.
31. Return to the traffic log at Monitor > Logs > Traffic.
32. If the URL Category column is not displayed, click the drop-down arrow next to one of the columns and select URL Category.
33. Find an entry for one of the excluded categories by looking at the value in the URL Category column.
34. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify that the Decrypted box in the Misc panel is unchecked.
35. Find an entry for one of the non-excluded categories by looking at the value in the URL Category column.
36. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify that the Decrypted box in the Misc panel is checked.
48. Choose Trusted Root Certificate Authorities and click OK. The window closes.
49. Click Next. The Completing the Certificate Import window appears.
50. Click Finish. A Security Warning appears.
51. Click Yes. A box indicates that the import was successful. Click OK.
52. Close the certificate by clicking OK.
53. Double-click the certificate to open it. A Security Warning appears.
54. Click Open. The certificate opens.
55. In the certificate, click the Certification Path tab. Notice that the Certificate Status says This certificate is OK.
56. Close the certificate by clicking OK.
57. Use a new window in Chrome or Internet Explorer (NOT Firefox, which uses its own Certificate Store) to browse https sites. Notice that you no longer receive the Certificate errors.
61. Open a new Internet Explorer window to http://www.eicar.org/85-0-Download.html.
62. Scroll to the bottom of the page and download a virus file encrypted by https. You should see that now the file downloads without being blocked (though the browser may detect the virus and delete the file). This is because files from eicar are now excluded from decryption, so the firewall cannot inspect them.
Generate Reports
Your manager wants to see daily reports which detail the threats encountered by the firewall. Configure a
custom report to show a threat summary for all traffic allowed in the past 24 hours. It should include the
threat name, the application (including technology and subcategory for reference), and the number of
times that threat was encountered. Export the file as a PDF.
(Screenshot: custom report Query Builder)