
Firewall Installation, Configuration, and Management: Essentials I
Lab Manual
PAN-OS 6.0
PAN-EDU-101 Rev C.200

PANEDU101

Palo Alto Networks, Inc.


www.paloaltonetworks.com
2007-2014 Palo Alto Networks. All rights reserved.
Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are
the property of their respective owners.

Lab Manual

PANOS 6.0 Rev C.200

Page 2

PANEDU101

Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.

Convention | Meaning | Example
Boldface | Names of commands, keywords, and selectable items in the web interface | Click Security to open the Security Rule Page
Italics | Names of parameters, files, directories, or Uniform Resource Locators (URLs) | The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com
courier font | Coding examples and text that you enter at a command prompt | Enter the following command: a:\setup
Click | Click the left mouse button | Click Administrators under the Device tab.
Right-click | Click the right mouse button | Right-click on the number of a rule you want to copy, and select Clone Rule.


Table of Contents
How to use this Lab Guide ........ 6
  Lab Guide Objectives ........ 6
Lab Equipment Setup ........ 7
  Lab Assumptions ........ 7
  Student Firewall Interface Settings ........ 7
Module 1: Administration and Management ........ 8
  Scenario ........ 8
  Required Information ........ 8
Module 2: Interface Configuration (optional) ........ 9
  Scenario ........ 9
  Required Information ........ 9
Module 3: Layer 3 Configuration ........ 10
  Scenario ........ 10
  Required Information ........ 11
Module 4: App-ID ........ 12
  Scenario 1 ........ 12
  Required Information ........ 12
  Scenario 2 ........ 13
  Required Information ........ 14
  Lab Notes ........ 14
Module 5: Content-ID ........ 15
  Scenario ........ 15
  Required Information ........ 16
  Lab Notes ........ 16
Module 6: Decryption ........ 17
  Scenario ........ 17
  Required Information ........ 18
  Lab Notes ........ 18
Solutions ........ 19
  Module 1: Introduction (Lab Access) ........ 19
  Module 2: Interface Configuration ........ 21
  Module 3: Layer 3 Configuration ........ 23
  Module 4: App-ID ........ 26
  Module 5: Content-ID ........ 36
  Module 6: Decryption ........ 43
CLI Reference ........ 47
  Module 1: Administration and Management ........ 47
  Module 2: Interface Configuration ........ 47
  Module 3: Layer 3 Configuration ........ 48
  Module 4: App-ID ........ 48
  Module 5: Content-ID ........ 48
  Module 6: Decryption ........ 48


How to use this Lab Guide


The Lab Guide contains lab exercises which correspond to modules in the lecture. Each lab exercise consists of two parts: a scenario and a solution.

The scenario describes the lab exercise in terms of objectives and customer requirements. Minimal instructions are provided to encourage students to solve the problem on their own. If appropriate, the scenario includes a diagram and a table of required information needed to complete the exercise.

The solution is designed to help students who prefer step-by-step, task-based labs. Alternatively, students who start with the scenario can use the solution to check their work or to provide help if they get stuck on a problem.

NOTE: Unless specified, the Google Chrome web browser and the PuTTY SSH client will be used to perform any tasks outlined in the following labs.

Lab Guide Objectives


This lab guide is designed specifically for a single student attending the self-paced version of the Essentials I course. The instructor-led version of the course includes additional exercises which can only be completed in a classroom environment with other students and additional equipment.

Once these labs are completed, you should be able to:
1. Configure the basic components of the firewall, including interfaces, security zones, and security policies.
2. Configure basic Layer 3 settings, such as IP addressing and NAT policies.
3. Configure basic Content-ID functionality, including antivirus protection and URL filtering.
4. Configure SSL decryption.

With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help
enabled this training to be built, tested, and deployed.


Lab Equipment Setup

[Diagram: DHCP-enabled Network; Internet]

Lab Assumptions
These lab instructions assume the following conditions:
1. The student is using a PA-200 firewall which has been registered with Palo Alto Networks Support.
2. The firewall is licensed for Support, Threat Prevention, and URL Filtering.
3. The PA-200 is running the latest version of 6.0 software and has all the latest updates for Antivirus, Applications and Threats, and URL Filtering.
4. The network that the student will connect to has a DHCP server from which the firewall can obtain an IP address and DNS information.
5. There are no other Palo Alto Networks firewalls between the student's PA-200 and the internet. The labs will still work if upstream firewalls exist, but the results will vary based on the firewall settings.


Module 1 Scenario: Administration and Management

In this lab you will:
- Connect to the firewall through the MGT interface
- Create new administrator roles and accounts on the firewall

Scenario
You have been tasked with integrating a new firewall into your environment. The firewall is configured with a MGT IP address and administrator account. You will need to change the IP address of your laptop to communicate with the default IP address of the MGT port.
If your firewall has settings you would like to restore after the completion of this lab, save the current configuration so that it can be reloaded on the firewall. Apply a saved configuration to the firewall so that it is in a known state.
In preparation for the new deployment, create a role for an assistant administrator which allows access to all firewall functionality through the WebUI except Monitor, Network, Privacy, and Device. The account should have no access to the XML API or the CLI. Create an account using this role. Additionally, change the password of the admin account to disable the warnings about using default credentials.

Required Information
Named Configuration Snapshot: PANEDU101Default
New Administrator Role name: Policy Admins
New Administrator Account name: ip-admin
New Administrator Account password: paloalto
New password for the admin account: paloalto

Module 1 Solution: Introduction (Lab Access)

Prepare your laptop for the lab
1. While connected to the internet, download the file PANEDU60101Default to the laptop you will be using for the lab exercises.
2. Configure the physical Ethernet interface of your laptop with an IP address on the same subnet as the MGT port of your firewall.
   If your firewall is at default config, the IP address of the MGT port is 192.168.1.1/24. Give your laptop Ethernet port an address of 192.168.1.100/24.
   If your firewall is not at default config, give your laptop an IP address on the same subnet as the MGT port IP address.
3. Connect an Ethernet cable between your laptop Ethernet port and the MGT port of your firewall.
4. Open a command prompt on your laptop and verify you can ping the MGT port IP address.
5. Disable any other active interfaces on your laptop, including the wireless interface, so the Ethernet port connected to the firewall is your only active port.

Log on to the Firewall
6. Open a browser and connect to the firewall at https://<MGT_port_IP_address>. If your firewall is at default config, the IP address of the MGT port is 192.168.1.1/24. A warning message appears because the firewall is using an untrusted self-signed certificate.
7. Dismiss the warning and continue to the web page.
8. Log on with the PAN firewall user name and password. If the firewall is at default config, the username is admin and the password is admin. A warning about the default admin credentials appears.
9. Click OK to dismiss the warning. The PAN firewall GUI appears.

Save the current configuration on your firewall (optional)
10. Click Device > Setup > Operations.
11. Click Save named configuration snapshot.
12. Enter pre-101-labs in the Name field.
13. Click OK to complete the save.
14. Click OK to dismiss the success window.

Upload and apply baseline configuration to your firewall
15. Click Device > Setup > Operations.
16. Click Import named configuration snapshot.
17. Click Browse to select the PANEDU60101Default file from your laptop.
18. Click Open then OK to upload the file to the firewall.
19. Click OK to dismiss the success window.
20. Click Load Named Configuration Snapshot.
21. Select PANEDU101Default. Click OK.
22. Click OK to dismiss the success window.
23. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit process completes, then click Close.
24. The PA-200 MGT port IP address has changed to 192.168.1.1. If your PC's Ethernet port is on a different subnet, you will lose connectivity. To re-establish connectivity:
   - Put your PC's Ethernet port on the 192.168.1.0/24 subnet
   - Open a browser to https://192.168.1.1
   - Log in to the PA-200 firewall with username admin, password admin

Add an Administrator Role
25. Click Device > Admin Roles.
26. Click Add in the lower left of the panel and create a new admin role:
   Name: Enter Policy Admins
   Web UI tab: Click the following major categories to disable them: Monitor, Network, Device, Privacy. The remaining major categories should remain enabled.
   Click OK to continue.

Manage administrator accounts
27. Click Device > Administrators.
28. Click admin in the list of users. Change the password from admin to paloalto. Click OK to close the configuration window.
29. Click Add in the lower left corner of the panel. Configure a new administrator account:
   Name: Enter ip-admin
   Password/Confirm Password: Enter paloalto
   Role: Select Role Based
   Profile: Select Policy Admins
   Click OK.
30. Click the Commit link at the top-right of the WebUI. Click OK and wait until the commit process completes, then click Close.
31. Open a different browser and log on to the WebUI as ip-admin and explore the available functionality. For example, if you originally connected to the WebUI using Chrome, open this connection in Internet Explorer. Compare the displays for the admin and ip-admin accounts to see the limitations of the newly created account.
32. When you are done exploring, log out of the ip-admin account connection.
33. Log back into the PA-200 WebUI as user admin, password paloalto.

Module 2 Scenario: Interface Configuration (optional)

In this lab you will:
- Create Security Zones
- Configure basic interface types

Scenario:
You are preparing the firewall for a simple proof of concept (POC). In order to demonstrate firewall features with a minimum of changes to the existing network, you have decided to use virtual wire to pass traffic through the firewall for one network segment and a tap interface to monitor a different network segment.
Configure the virtual wire and create zones so that policy rules can be defined. Create a tap interface and the associated zone.
Note: Due to the limited number of interfaces available on a PA-200, the configurations set in this lab will be immediately removed so that the interfaces may be reused for later labs.

Required Information
Interface to use for tap interface: Ethernet1/3
Interfaces to use for virtual wire: Ethernet1/3, Ethernet1/4
Name for the tap zone: tap-zone
Name for the virtual wire zones: vwire-zone-3, vwire-zone-4
Name for the virtual wire object: student-vwire

Module 2 Solution: Interface Configuration

Create new Security Zones
1. If necessary, log into the WebUI using your admin account.
2. Click Add and create the first virtual wire zone:
   Name: Enter vwire-zone-3
   Type: Select Virtual Wire
   Click OK to close the zone creation window.
3. Click Add and create the second virtual wire zone:
   Name: Enter vwire-zone-4
   Type: Select Virtual Wire
   Click OK to close the zone creation window.

Creating a Virtual Wire Setup
4. Click Network > Virtual Wires.
5. Click Add and create a new virtual wire object named student-vwire. Keep all other settings at the default values and click OK.
6. Click Network > Interfaces > Ethernet.
7. Click the interface name ethernet1/3. Configure the interface:
   Interface Type: Select Virtual Wire
   Config tab
   Virtual Wire: Select student-vwire
   Security Zone: Select vwire-zone-3
   Click OK to close the interface configuration window.
8. Click the interface name ethernet1/4. Configure the interface:
   Interface Type: Select Virtual Wire
   Config tab
   Virtual Wire: Select student-vwire
   Security Zone: Select vwire-zone-4
   Click OK to close the interface configuration window.
Normally, you would commit your changes at this point. However, for the self-paced labs you will be reusing these interfaces so you must undo some of the changes you just implemented.
9. Click Network > Virtual Wires.
10. Select the student-vwire object and click Delete.
(Note: you will set the interfaces to a different type in the next module.)

Module 3 Scenario: Layer 3 Configuration

In this lab you will:
- Create Interface Management Profiles
- Configure Ethernet interfaces with Layer 3 information
- Configure DHCP
- Create a Virtual Router
- Create Source NAT policy
- Create a pair of simple Security Policies

Scenario:
The POC went well and the decision was made to use the Palo Alto Networks firewall in the network. You are to create two zones, Untrust-L3 and Trust-L3. The external-facing interface in Untrust-L3 will get an IP address from a DHCP server on the external network. Trust-L3 will be where the internal clients connect to the firewall and so the interface in Trust-L3 will provide DHCP addresses to these internal clients. The DHCP server you configure in the Trust-L3 zone will inherit DNS settings from the external-facing interface.
Both the internal and external interfaces on the firewall must route traffic through the external-facing interface by default. The interface in Untrust-L3 must be configured to respond to pings and the interface in Trust-L3 must be able to provide all management services. NOTE: You will not be able to test whether the Untrust-L3 interface responds to pings until the next lab.
Once you have completed the Layer 3 configurations, you will need to move the physical Ethernet cable coming from your PC from the MGT port to the ethernet1/4 port of the PA-200. You must also change the settings of the LAN interface on your laptop to use DHCP-supplied network information (IP address and DNS servers) instead of static settings.
When the firewall is fully configured, a NAT policy must exist so that all traffic originating in the Trust-L3 zone appears to come from the external-facing address of the firewall.

Required Information
Interface Management Profile Names: allow_all, allow_ping
Internal-facing IP Address: 192.168.2.1/24
External-facing interface: Ethernet1/3
Internal-facing interface: Ethernet1/4
DHCP Server: Gateway: 192.168.2.1
DHCP Server: Inheritance Source: Ethernet1/3
DHCP Server: Primary DNS: inherited
DHCP Server: IP address range: 192.168.2.50-192.168.2.60
Virtual Router Name: Student-VR

Module 3 Solution: Layer 3 Configuration

Create new Security Zones
1. Go to the WebUI and click Network > Zones.
2. Click Add and create the Untrust-L3 zone:
   Name: Enter Untrust-L3
   Type: Verify that Layer 3 is selected
   Click OK to close the zone creation window.
3. Click Add and create the Trust-L3 zone:
   Name: Enter Trust-L3
   Type: Select Layer 3
   Click OK to close the zone creation window.

Create Interface Management Profiles
4. Click Network > Network Profiles > Interface Mgmt.
5. Click Add and create an interface management profile:
   Name: Enter allow_all
   Permitted Services: Select all check boxes
   Permitted IP Addresses: Do not add any addresses
   Click OK to close the interface management profile creation window.
6. Click Add and create another interface management profile:
   Name: Enter allow_ping
   Permitted Services: Select only the Ping check box
   Permitted IP Addresses: Do not add any addresses
   Click OK to close the interface management profile creation window.
7. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit process completes before continuing.

Configure Ethernet interfaces with Layer 3 info
8. Click Network > Interfaces > Ethernet.
9. Click the interface name ethernet1/3. Configure the interface:
   Interface Type: Select Layer 3
   Config tab
   Virtual Router: Keep default (none)
   Security Zone: Select Untrust-L3
   IPv4 tab
   Type: Select DHCP Client
   Advanced > Other Info tab
   Management Profile: Select allow_ping
   Click OK to close the interface configuration window.
10. Click the interface name ethernet1/4. Configure the interface:
   Interface Type: Select Layer 3
   Config tab
   Virtual Router: Keep default (none)
   Security Zone: Select Trust-L3
   IPv4 tab
   Type: Keep default (Static)
   IP: Click Add then enter 192.168.2.1/24
   Advanced > Other Info tab
   Management Profile: Select allow_all
   Click OK to close the interface configuration window.

Configure DHCP
11. Click Network > DHCP > DHCP Server.
12. Click Add to define a new DHCP Server:
   Interface Name: Select ethernet1/4
   Inheritance Source: Select ethernet1/3
   Gateway: Enter 192.168.2.1
   Primary DNS: Select inherited
   IP Pools: Click Add then enter 192.168.2.50-192.168.2.60
   Click OK to close the DHCP Server configuration window.

Create a Virtual Router
13. Click Network > Virtual Routers.
14. Click Add to define a new virtual router:
   General tab
   Name: Enter Student-VR
   Interfaces: Click Add then select ethernet1/3; click Add again and select ethernet1/4
   Click OK to close the virtual router configuration window.
15. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit process completes before continuing.

Recable and then test the network configuration
16. Close the browser.
17. Move the Ethernet cable from the MGT interface to the ethernet1/4 interface on the firewall.
18. Plug the cable connected to your network into the ethernet1/3 interface on the firewall.
19. Configure the physical LAN interface on your laptop (the one connected to the ethernet1/4 interface) to use a DHCP address.
20. Verify that your laptop is receiving a DHCP address from the firewall. The displayed IP address should be in the range 192.168.2.50-192.168.2.60 if the DHCP Server is configured correctly. You should also be able to ping 192.168.2.1.
21. Connect to the WebUI by launching a browser to https://192.168.2.1 and logging in with the admin account, password paloalto.

Create a Source NAT policy
22. Click Policies > NAT.
23. Click Add to define a new source NAT policy:
   General tab
   Name: Enter Student Source NAT
   Original Packet tab
   Source Zone: Click Add and select Trust-L3
   Destination Zone: Select Untrust-L3
   Destination Interface: Select ethernet1/3
   Translated Packet > Source Address Translation tab
   Translation Type: Select Dynamic IP and Port
   Address Type: Select Interface Address
   Interface: Select ethernet1/3
   Click OK to close the NAT policy configuration window.
24. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit process completes before continuing.
You will still not be able to access the Internet from your PC. The final step will be to create the Security Policies to allow traffic to flow from the Trust-L3 to the Untrust-L3 zone.
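To see how the pieces configured in this module fit together, here is an added example (not from the lab manual and not Palo Alto Networks code) that models the packet walk for this design in Python: the interface-to-zone mapping, a longest-prefix route lookup in Student-VR, and the Student Source NAT rule. The external lease 203.0.113.10/24 with gateway 203.0.113.1 stands in for whatever ethernet1/3 receives from the lab network; it and the destination addresses are constructed values.

```python
"""
Packet walk for the Module 3 design (added example, not Palo Alto Networks code).
Models: interface-to-zone mapping, longest-prefix route lookup in Student-VR,
and the 'Student Source NAT' dynamic-IP-and-port rule.
"""
import ipaddress

# Interface -> zone and address. ethernet1/3 is a DHCP client in the lab; the
# 203.0.113.10/24 lease below is a constructed stand-in for what it receives.
INTERFACES = {
    "ethernet1/3": {"zone": "Untrust-L3", "ip": ipaddress.ip_interface("203.0.113.10/24")},
    "ethernet1/4": {"zone": "Trust-L3",   "ip": ipaddress.ip_interface("192.168.2.1/24")},
}

# DHCP server on ethernet1/4: pool 192.168.2.50-192.168.2.60, gateway 192.168.2.1.
DHCP_POOL = (ipaddress.ip_address("192.168.2.50"), ipaddress.ip_address("192.168.2.60"))

# Student-VR routing table: the connected routes for both interfaces plus the
# default route that the DHCP client on ethernet1/3 installs (constructed next hop).
ROUTES = [
    (ipaddress.ip_network("192.168.2.0/24"), "ethernet1/4", None),
    (ipaddress.ip_network("203.0.113.0/24"), "ethernet1/3", None),
    (ipaddress.ip_network("0.0.0.0/0"),      "ethernet1/3", ipaddress.ip_address("203.0.113.1")),
]

# The NAT rule as built in the solution: zone pair plus destination interface,
# dynamic IP and port, translated to the egress interface address.
NAT_RULES = [
    {"name": "Student Source NAT", "from": "Trust-L3", "to": "Untrust-L3",
     "dst_if": "ethernet1/3", "type": "dynamic-ip-and-port", "addr": "interface"},
]


def in_dhcp_pool(addr: str) -> bool:
    """The step-20 check: did the laptop get an address from the configured pool?"""
    ip = ipaddress.ip_address(addr)
    return DHCP_POOL[0] <= ip <= DHCP_POOL[1]


def route_lookup(dst: str):
    """Longest-prefix match; returns (egress interface, next hop or None)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, iface, nh in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def zone_of(iface: str) -> str:
    return INTERFACES[iface]["zone"]


def source_nat(src: str, dst: str, ingress_if: str) -> dict:
    """Derive the zone pair from ingress and egress interfaces (the egress side
    comes from the route lookup), then apply the first NAT rule whose zone pair
    and destination interface match. Returns the decision as a dict."""
    egress_if, next_hop = route_lookup(dst)
    from_zone, to_zone = zone_of(ingress_if), zone_of(egress_if)
    result = {"from": from_zone, "to": to_zone, "egress_if": egress_if,
              "next_hop": str(next_hop) if next_hop is not None else None,
              "translated_src": src, "rule": None}
    for rule in NAT_RULES:
        if rule["from"] == from_zone and rule["to"] == to_zone and rule["dst_if"] == egress_if:
            result["rule"] = rule["name"]
            if rule["addr"] == "interface":
                result["translated_src"] = str(INTERFACES[egress_if]["ip"].ip)
            break
    return result


if __name__ == "__main__":
    # A DHCP client on Trust-L3 heading to a constructed Internet address is
    # translated; the same client talking to the firewall's own interface is not.
    print(source_nat("192.168.2.55", "198.51.100.20", "ethernet1/4"))
    print(source_nat("192.168.2.55", "192.168.2.1", "ethernet1/4"))
```

The second call shows why a NAT rule keyed on the Trust-L3 to Untrust-L3 zone pair leaves traffic to 192.168.2.1 alone: the route lookup keeps it on ethernet1/4, so the destination zone is Trust-L3 and the rule never matches.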

Module 4 Scenario: App-ID

In this lab you will:
- Create a security policy to allow basic internet connectivity and log dropped traffic
- Enable Application Block pages
- Create Application Filters and Application Groups

At this point, the firewall is configured but not passing traffic. Security policies must be defined before traffic will flow between zones. To facilitate testing and present the minimal amount of risk to the network traffic, the policies will be established in a three-phase deployment:
Phase 1: Configure a Policy to allow all outbound traffic, and to block and log any incoming traffic. This will allow employees to surf the Internet, and will log which applications they use.
Phase 2: Create a General Internet policy to restrict users to a set of commonly used applications. The applications should only be permitted on application default ports. All other traffic (inbound and outbound) should be blocked and logged.
Configure the firewall to notify users when blocked applications are used so that the help desk does not get called for connection issues that are actually blocked applications.
Phase 3: The results from the first two phases of testing result in the following discoveries:
- The logs from phase 1 show heavy use of a variety of internet proxies and web-based file sharing services by users. Management mandates that you create a Deny list explicitly preventing use of these applications.
- The rules blocking all unmatched traffic were too restrictive for your environment. The testing denied access to numerous vital applications, causing a surge in support calls. Any traffic which does not match the Deny list should be allowed but logged for future policy decisions.

Required Information
Phase 1 Security Policy names: Allow All Out; Deny and Log Inbound
Phase 2 Security Policy names: General Internet; Deny and Log Outbound; Deny and Log Inbound
Members of the Known-Good application group: dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
Phase 3 Application Filter names: Proxies; Web-Based-File-Sharing
Setting for Proxies application filter: Subcategory: Proxies
Settings for Web-Based-File-Sharing application filter: Subcategory: file-sharing; Technology: browser-based
Members of the Known-Bad application group: Proxies; Web-Based-File-Sharing
Phase 3 Security Policy names: Block-Known-Bad; Allow and Log Outbound; Deny-and-Log-Inbound

Lab Notes
During Phase 1, test your connectivity by connecting to http://www.box.net and facebook. Use the traffic logs to determine how the firewall handles that connection.
During Phase 2, check to see what happens when you browse to www.facebook.com and box.net after you make your changes.
The lab solutions use the buttons at the bottom of the policy screens to change the order of the rules. Rules can also be reordered by clicking and dragging the rules to the desired location.
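The three phases above all rest on one mechanism: an ordered rulebase evaluated top-down on source zone, destination zone, application and service, where an application filter selects applications by attribute and an application group is a static member list. The following Python model is an added example, not code from the lab manual or from Palo Alto Networks; the App-ID attributes in APPS are a constructed approximation (fileserve, flash and paloalto-updates appear only by name), and the service of Block-Known-Bad and the application match of Allow and Log Outbound are assumed to be "any" since the scenario does not state them.

```python
"""
First-match security rulebase model for the Module 4 phases (added example, not
Palo Alto Networks code). Shows how the Proxies and Web-Based-File-Sharing
filters select applications, and why rule order decides what a session gets.
"""

# Constructed App-ID metadata: name -> (subcategory, technology, default ports).
APPS = {
    "web-browsing":  ("internet-utility", "browser-based", {"tcp/80"}),
    "ssl":           ("encrypted-tunnel", "browser-based", {"tcp/443"}),
    "dns":           ("infrastructure", "network-protocol", {"tcp/53", "udp/53"}),
    "ping":          ("ip-protocol", "network-protocol", {"icmp"}),
    "ftp":           ("file-sharing", "client-server", {"tcp/21"}),
    "facebook-base": ("social-networking", "browser-based", {"tcp/80", "tcp/443"}),
    "boxnet-base":   ("file-sharing", "browser-based", {"tcp/80", "tcp/443"}),
    "phproxy":       ("proxy", "browser-based", {"tcp/80", "tcp/443"}),
}

# Application filters match on attributes, so any app with those attributes is
# covered automatically; application groups are static lists (here a group may
# hold filters, as Known-Bad does in the scenario).
FILTERS = {
    "Proxies": {"subcategory": "proxy"},
    "Web-Based-File-Sharing": {"subcategory": "file-sharing", "technology": "browser-based"},
}
GROUPS = {
    "Known-Good": {"dns", "fileserve", "flash", "ftp", "paloalto-updates", "ping", "ssl", "web-browsing"},
    "Known-Bad": {"Proxies", "Web-Based-File-Sharing"},
}


def expand(member):
    """Resolve an app, filter or group name to the set of app names it covers."""
    if member == "any":
        return set(APPS)                      # every app the model knows
    if member in GROUPS:
        return set().union(*(expand(m) for m in GROUPS[member]))
    if member in FILTERS:
        want = FILTERS[member]
        return {a for a, (sub, tech, _) in APPS.items()
                if all(v == {"subcategory": sub, "technology": tech}[k] for k, v in want.items())}
    return {member}


def rule(name, src, dst, apps, service, action, disabled=False):
    return dict(name=name, src=src, dst=dst, apps=apps, service=service,
                action=action, disabled=disabled)


# The rulebase after each phase, in the order the solution has you arrange it.
PHASES = {
    1: [rule("Allow All Out", "Trust-L3", "Untrust-L3", "any", "any", "allow"),
        rule("Deny and Log Inbound", "Untrust-L3", "Trust-L3", "any", "any", "deny")],
    2: [rule("General Internet", "Trust-L3", "Untrust-L3", "Known-Good", "application-default", "allow"),
        rule("Deny and Log Outbound", "Trust-L3", "Untrust-L3", "any", "any", "deny"),
        rule("Deny and Log Inbound", "Untrust-L3", "Trust-L3", "any", "any", "deny")],
    3: [rule("Block-Known-Bad", "Trust-L3", "Untrust-L3", "Known-Bad", "any", "deny"),   # service assumed
        rule("Allow and Log Outbound", "Trust-L3", "Untrust-L3", "any", "any", "allow"),  # apps assumed
        rule("Deny-and-Log-Inbound", "Untrust-L3", "Trust-L3", "any", "any", "deny")],
}


def evaluate(rules, src_zone, dst_zone, app, port):
    """Return (rule name, action) for the first enabled rule that matches.
    A session that matches no rule falls to the implicit interzone deny."""
    for r in rules:
        if r["disabled"] or r["src"] != src_zone or r["dst"] != dst_zone:
            continue
        if app not in expand(r["apps"]):
            continue
        if r["service"] == "application-default" and port not in APPS.get(app, (None, None, set()))[2]:
            continue   # a permitted app on a non-standard port is not allowed by this rule
        return r["name"], r["action"]
    return None, "deny"


if __name__ == "__main__":
    for phase, rules in PHASES.items():
        for app, port in [("web-browsing", "tcp/80"), ("facebook-base", "tcp/443"),
                          ("boxnet-base", "tcp/443"), ("phproxy", "tcp/80"), ("ftp", "tcp/21")]:
            print(phase, app, port, evaluate(rules, "Trust-L3", "Untrust-L3", app, port))
```

Running it reproduces the lab's observations: in Phase 2 facebook-base, boxnet-base and phproxy all fall through to Deny and Log Outbound, while in Phase 3 only the filter-selected apps hit Block-Known-Bad and everything else, ftp included, is allowed and logged.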


Module 4 Solution AppID


Phase 1
Create the Allow All Out Policy
1. Go to the WebUI and click Policies > Security.
2. Delete the exisiting rule1 security policy.
3. Click Add to define a security policy:
General tab
Name
Enter Allow All Out
Source tab
Source Zone
Click Add and select TrustL3
Source Address
Select Any
Destination tab
Click Add and select UntrustL3
Destination Zone
Destination Address
Select Any
Application tab
Select Any
Applications
Service/URL Category tab
Select Any from the pulldown
Service
Actions tab
Select Allow
Action Setting
Log Setting
Select Log at Session End
4. Click OK to close the security policy configuration window.

Create a Deny and Log Inbound Policy


5. Click Add to define the Deny Inbound security policy:
General tab
Name
Source tab
Source Zone
Source Address
Destination tab
Destination Zone
Destination Address
Application tab
Applications
Service/URL Category tab
Service
Actions tab
Action Setting
Log Setting
Lab Manual

Enter Deny and Log Inbound


Click Add and select UntrustL3
Select Any
Click Add and select Trust L3
Select Any
Check the Any box
Select any from the pulldown
Select Deny
Select Log at Session End
PANOS 6.0 Rev A.200

Page 18

PANEDU101

6. Click OK to close the security policy configuration window.


7. Make sure that the Allow All Out is above the Deny and Log Inbound policy in the list of Security
Policies.

Test the configuration


8. Test internet connectivity by browsing websites from your laptop. You should be able to surf the
Web on http and https sites.
9. Connect to the site facebook.com.
10. Connect to the site box.net.
11. Go to Monitor > Logs > Traffic to see a record of your Internet browsing. Especially notice the
Application column.

Phase 2
Create an Application Group
1. Click Objects > Application Groups.
2. Click Add to define the KnownGood application group:
Name
Applications

Enter Known-Good
Click Add and select each of the following:
dns
fileserve
flash
ftp
paloaltoupdates
ping
ssl
webbrowsing
Click OK to close the application group configuration window.

Disable the Allow All Out Policy


3. Select the Allow All Out Policy and click Disable.

Create the General Internet Policy


4. Go to the WebUI and click Policies > Security.
5. Click Add to define a security policy:
General tab
Name
Source tab
Source Zone
Source Address
Destination tab
Destination Zone
Lab Manual

Enter General Internet


Click Add and select TrustL3
Select Any
Click Add and select UntrustL3
PANOS 6.0 Rev A.200

Page 19

PANEDU101

Destination Address
Select Any
Application tab
Applications
Click Add and select the KnownGood Application Group
Service/URL Category tab
Select applicationdefault from the pulldown
Service
Actions tab
Select Allow
Action Setting
Log Setting
Select Log at Session End
Click OK to close the security policy configuration window.

Create Policies to Deny and Log All Outbound Traffic


6. Click Policies > Security.
7. Click Add to define the Deny and Log Outbound security policy:
   General tab
      Name: Enter Deny and Log Outbound
   Source tab
      Source Zone: Click Add and select Trust-L3
      Source Address: Select Any
   Destination tab
      Destination Zone: Click Add and select Untrust-L3
      Destination Address: Select Any
   Application tab
      Applications: Check the Any box
   Service/URL Category tab
      Service: Select any from the pulldown
   Actions tab
      Action Setting: Select Deny
      Log Setting: Select Log at Session End
   Click OK to close the security policy configuration window.
8. Rearrange the Security Policies in the following order:
a. General Internet
b. Deny and Log Outbound
c. Deny and Log Inbound
Make sure any other Security Policies are disabled.
9. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit process
completes before continuing.

Verify Internet Connectivity and Application Blocking


10. Test internet connectivity by browsing websites from your laptop. Does web surfing over ports 80 and
443 work? You may notice some difficulty reaching sites that you were able to reach before you
implemented a stricter Security Policy.
11. Attempt to browse to Facebook. The browser should not be able to display the site.
12. Use a browser to connect to the site http://www.box.net. The browser should not be able to
display the site.
13. Go to Monitor > Logs > Traffic to review the traffic logs to determine why this site is not reachable.
You can see that the boxnet-base and facebook-base applications are not allowed by the configured
policies. These sessions appear in the log only because the Deny and Log Outbound rule logs at
session end; traffic that falls through to the implicit interzone deny is not logged by default.
14. Attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com. The site
fails to load.
15. Check the traffic logs again and you will find that the application phproxy has been blocked. This is
why the avoidr site failed.
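The triage in steps 13 and 15 (which App-ID the firewall identified, and which rule denied it) can be automated once the traffic log is exported. The Go program below is an added example, not part of this lab manual or of any Palo Alto Networks tooling: it parses a constructed, column-reduced CSV export (the column names, addresses and rows are assumptions for illustration; a real export carries many more columns) and reports each denied application with the rule responsible, plus the number of sessions each rule handled.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
)

// sampleTrafficLog is a constructed stand-in for a PAN-OS traffic log CSV
// export, cut down to the columns this example needs. Parsing by header
// name keeps the code independent of column order. Addresses are from the
// RFC 5737 documentation ranges.
const sampleTrafficLog = `receive_time,src,dst,app,rule,action,session_end_reason
2014/03/12 10:01:03,192.168.2.50,203.0.113.10,web-browsing,General Internet,allow,tcp-fin
2014/03/12 10:01:05,192.168.2.50,203.0.113.10,ssl,General Internet,allow,tcp-fin
2014/03/12 10:01:20,192.168.2.50,203.0.113.20,facebook-base,Deny and Log Outbound,deny,policy-deny
2014/03/12 10:01:41,192.168.2.50,203.0.113.30,boxnet-base,Deny and Log Outbound,deny,policy-deny
2014/03/12 10:02:02,192.168.2.50,203.0.113.40,phproxy,Deny and Log Outbound,deny,policy-deny
2014/03/12 10:02:10,192.168.2.50,198.51.100.53,dns,General Internet,allow,aged-out
`

// Session holds the fields of one traffic log row that policy triage needs.
type Session struct {
	App    string
	Rule   string
	Action string
}

// ParseTrafficLog reads a CSV export whose first row is the header and
// returns one Session per data row.
func ParseTrafficLog(data string) ([]Session, error) {
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) == 0 {
		return nil, fmt.Errorf("traffic log export is empty")
	}
	col := map[string]int{}
	for i, name := range rows[0] {
		col[name] = i
	}
	for _, want := range []string{"app", "rule", "action"} {
		if _, ok := col[want]; !ok {
			return nil, fmt.Errorf("export lacks the %q column", want)
		}
	}
	sessions := make([]Session, 0, len(rows)-1)
	for _, row := range rows[1:] {
		sessions = append(sessions, Session{
			App:    row[col["app"]],
			Rule:   row[col["rule"]],
			Action: row[col["action"]],
		})
	}
	return sessions, nil
}

// DeniedApps maps each App-ID that was denied to the rule that denied it.
// This is what step 13 reads off the Application and Rule columns: the
// apps that are not in Known-Good fall through to Deny and Log Outbound.
func DeniedApps(sessions []Session) map[string]string {
	denied := map[string]string{}
	for _, s := range sessions {
		if s.Action == "deny" {
			denied[s.App] = s.Rule
		}
	}
	return denied
}

// SessionsPerRule counts the sessions each rule handled. A catch-all deny
// rule with an unexpectedly high count is the first sign that the allow
// rule above it is too narrow.
func SessionsPerRule(sessions []Session) map[string]int {
	counts := map[string]int{}
	for _, s := range sessions {
		counts[s.Rule]++
	}
	return counts
}

func main() {
	sessions, err := ParseTrafficLog(sampleTrafficLog)
	if err != nil {
		panic(err)
	}
	denied := DeniedApps(sessions)
	apps := make([]string, 0, len(denied))
	for app := range denied {
		apps = append(apps, app)
	}
	sort.Strings(apps)
	for _, app := range apps {
		fmt.Printf("%-14s denied by %q\n", app, denied[app])
	}
	fmt.Println(SessionsPerRule(sessions))
}
```

The same approach works on a syslog feed: only the field lookup changes, the grouping by application and rule does not.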

Enable the Application Block Page


16. Return to the WebUI and click Device > Response Pages.
17. Find the Application Block Page line and click Disabled.
18. Check the Enable Application Block Page box, and then click OK.
19. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
20. Open a browser window and go to http://www.facebook.com. This time you see an Application
Block Page explaining why the site was blocked.

Phase 3
Disable previous Security Policies
1. Click the Deny and Log Outbound rule and click the Disable button.
2. Click the General Internet rule and click the Disable button.

Create Application Filters and Groups


3. Go to the WebUI and click Objects > Application Filters.
4. Click Add to define the Proxies application filter:
   Name: Enter Proxies
   Subcategory column: Select proxy
   Click OK to close the application filter configuration window.
5. Click Add to define the Web-Based-File-Sharing application filter:
   Name: Enter Web-Based-File-Sharing
   Subcategory column: Select file-sharing
   Technology column: Select browser-based
   Click OK to close the application filter configuration window.
6. Click Objects > Application Groups
7. Click Add to define the Known-Bad application group:
   Name: Enter Known-Bad
   Applications: Click Add and select each of the following:
      Proxies
      Web-Based-File-Sharing
   Click OK to close the application group configuration window.

Update Security Policies


8. Click Policies > Security.
9. Click Add to define the Block-Known-Bad security policy:
   General tab
      Name: Enter Block-Known-Bad
   Source tab
      Source Zone: Click Add and select Trust-L3
      Source Address: Select Any
   Destination tab
      Destination Zone: Click Add and select Untrust-L3
      Destination Address: Select Any
   Application tab
      Applications: Click Add and select Known-Bad
   Service/URL Category tab
      Service: Select any from the pulldown
   Actions tab
      Action Setting: Select Deny
      Log Setting: Select Log at Session End
   Click OK to close the security policy configuration window.
10. Add the Allow and Log Outbound Security Policy with the following values:
   General tab
      Name: Enter Allow and Log Outbound
   Source tab
      Source Zone: Click Add and select Trust-L3
      Source Address: Select Any
   Destination tab
      Destination Zone: Click Add and select Untrust-L3
      Destination Address: Select Any
   Application tab
      Applications: Check the Any box
   Service/URL Category tab
      Service: Select any from the pulldown
   Actions tab
      Action Setting: Select Allow
      Log Setting: Select Log at Session End
   Click OK to close the security policy configuration window.
11. Use the Move buttons at the bottom of the page to arrange the policies in a logical order. You can
also rearrange the rules by clicking and dragging them into the correct order. Confirm that your
security rule list looks like this:
   a. Block-Known-Bad
   b. Allow and Log Outbound
   c. Deny and Log Inbound
Make sure any other policies are disabled.
12. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit process
completes before continuing.

Verify Internet Connectivity and Application Blocking


13. Confirm that you can surf the Internet, except for being blocked from web-based file-sharing sites like
box.com.
14. Confirm that you cannot reach box.com or other filesharing sites using avoidr.com.
15. Click the ACC tab to access the Application Command Center. Use the dropdown menu in the
application section of the ACC to select different ways of viewing the traffic that you have generated.
16. Click on one of the Applications to get more information. A detailed view appears.
17. Click the x in the box in the upper right hand corner to close the detailed view.
18. Notice that the Threat Prevention and Data Filtering sections within the ACC contain no matching
records yet.

Module 5 Scenario: Content-ID

In this lab you will:
   Configure Security Profiles
   Create a Security Profile group
   Associate Security Profiles and Security Profile Groups to Security Policy
   Generate a custom report

Scenario

Now that traffic is passing through the firewall, you decide to further protect the environment with
Security Profiles. The specific security requirements for general internet traffic are:

   Log all URLs accessed by users in the Trust-L3 zone. In particular, you need to track access to a set
   of specified technology websites.
   Access to all hacking and government sites should be set to Continue.
   Block the following URL categories:
      o adult and pornography
      o questionable
      o unknown
   Log, but do not block, all viruses detected and maintain packet captures of these events for
   analysis.
   Log spyware of severity levels critical and high detected in the traffic. Ignore all other spyware.
   Configure exe files to be blocked.

After all of these profiles are configured, send test traffic to verify that the protection behaves as
expected. Testing parameters will be included in the Required Information section of this lab.
After the initial testing is complete, you are asked to change the Antivirus protection to block viruses.
Make the changes and verify the difference in behavior.
Once the individual profiles are created and tested, combine the profiles into a single group for ease of
management. Attach the group to the appropriate security policies.
Your manager wants to see daily reports which detail the threats encountered by the firewall. Configure a
custom report to show a threat summary for all traffic allowed in the past 24 hours. It should include the
threat name, the application (including technology and subcategory for reference), and the number of
times that threat was encountered. Export the file as a PDF.

Required Information
   Custom Technology sites to track:
      www.slashdot.org
      www.cnet.com
      www.phys.org
      www.zdnet.com
   Location of files for testing antivirus:
      1. Browse to http://www.eicar.org
      2. Click Anti-Malware Testfile.
      3. Click Download
      4. Download any of the files using http only. Do not use the SSL links.
   Government site for testing URL Filtering: www.cia.gov
   Procedure for testing file blocking:
      1. Navigate to the web site http://www.opera.com
      2. Download the installer to your local system


Lab Notes

You do not need to assign profiles to all of the security policies you have created in the lab. The
Block-Known-Bad policy has an action of deny, so profiles will do nothing for that rule: Security
Profiles only inspect traffic that a rule allows.
Only test the antivirus profile using http, not https. HTTPS connections will prevent the firewall
from seeing the packet contents, so the viruses contained will not be detected by the profile.
Decryption will be covered in a later module.

Module 5 Solution: Content-ID


Note: The presence of other firewalls between your PA-200 and the internet will cause the lab results to vary.

Configure a Custom URL Filtering Category


1. Go to the WebUI and click Objects > Custom Objects > URL Category.
2. Click Add to create a custom URL category:
   Name: Enter TechSites
   Sites: Click Add and add each of the following URLs:
      www.slashdot.org
      www.cnet.com
      www.phys.org
      www.zdnet.com
   Click OK to close the Custom URL Category profile window.

Configure a URL filtering Profile


3. Click Objects > Security Profiles > URL Filtering.
4. Click Add to define a URL Filtering profile:
   Name: Enter student-url-filtering
   Category/Action:
      Click the right side of the Action header to access the pulldown menu.
      Click Set All Actions > Alert.
      Search the Category field for hacking and government. Set the Action to
      Continue for both categories.
      Search the Category field for the following categories and set the Action
      to block for each of them:
         adult
         questionable
         unknown
      Verify that your custom category TechSites appears in the Category
      column.
   Click OK to close the URL Filtering profile window.

Configure an Antivirus Profile


5. Click Objects > Security Profiles > Antivirus.
6. Click Add to create an antivirus profile:
   Name: Enter student-antivirus
   Antivirus tab
      Packet Capture: Check the Packet Capture box
      Decoders: Set the Action column to Alert for all decoders
      Leave the WildFire Actions at default
   Click OK to close the antivirus profile window.

Configure an Anti-Spyware Profile


7. Click Objects > Security Profiles > Anti-Spyware.
8. Click Add to create an anti-spyware profile:
   Name: Enter student-antispyware
   Rules tab
      Click Add and create a rule with the parameters:
         Rule Name: Enter rule-1
         Action: Select Allow
         Severity: Check the boxes for Low and Informational only
         Click OK to save the rule
      Click Add and create another rule with the parameters:
         Rule Name: Enter rule-2
         Action: Select Alert
         Severity: Check the boxes for Critical and High only
         Click OK to save the rule
   Click OK to close the anti-spyware profile window.

Create a File Blocking Profile with WildFire


9. Click Objects > Security Profiles > File Blocking.
10. Click Add to create a file blocking profile:
   Name: Enter student-file-block
   Rules list
      Click Add and create a rule with the parameters:
         Rule Name: Enter block-exe
         File Types: Enter exe
         Action: Select block
   Click OK to close the file blocking profile window.

Assign Profiles to a Policy


11. Click Policies > Security.
12. Click Allow and Log Outbound in the list of policy names. Edit the policy to include the newly
created profiles:
   Actions tab
      Profile Type: Select Profiles
      Antivirus: Select student-antivirus
      Anti-Spyware: Select student-antispyware
      URL Filtering: Select student-url-filtering
      File Blocking: Select student-file-block
   Click OK to close the policy window.
13. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.

Test the Antivirus Profile


14. Open a browser to http://www.eicar.org.
15. Click Anti-Malware Testfile.
16. You may want to temporarily disable any antivirus programs you have running on your PC; otherwise
the local antivirus may quarantine the file before you can confirm what the firewall did.
17. Click the Download link to access the virus test files.
18. Download any of the Eicar test files listed under the banner Download area using the standard
protocol http. (Do not use the SSL-encrypted downloads. The firewall will not be able to detect the
viruses in an HTTPS connection unless decryption is configured.)
19. Click Monitor > Logs > Threat to view the threat log. Find the log messages which detect the Eicar
files. Scroll to the Action column to verify the alerts for each file download.
20. Click on the green down arrow on the left side of the line for the Eicar file detection to view the
packet capture (PCAP). Here is an example of what a PCAP might look like:

Captured packets can be exported in PCAP format and examined with a protocol analyzer offline
for further investigation.

Modify the Antivirus Profile


21. In the WebUI, go to Objects > Security Profiles > Antivirus.
22. Open the student-antivirus profile.
23. Under the Action column, select the block action for ftp, http, and smb.
24. Click OK to close the Antivirus Profile.
25. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.

Test the new Antivirus Profile


26. Open a new browser window to www.eicar.org
27. Click Anti-Malware Testfile.
28. Click the Download link to access the virus test files.
29. Download any of the Eicar test files listed under the banner Download area using the
standard protocol http again. This time, since the antivirus profile is set to block, the
download fails and a response page appears.
30. Return to Monitor > Logs > Threat in the WebUI and find the log entries stating that the
Eicar virus was detected and blocked.
31. After about 15 minutes, the threats you just generated will appear on the ACC tab under the
Threats section.

Test the URL Filtering Profile


32. Open a browser and browse to various websites.
33. In the WebUI, click Monitor > Logs > URL Filtering. Verify that the URL filtering profile records
each website that you visit.
34. Test the continue action you created by visiting a site which is part of the government
category. In a new browser window, attempt to browse to http://cia.gov. The profile interrupts
the request and shows a response page with a Continue button; click Continue to reach the site.
In Monitor > Logs > URL Filtering the request is logged with the action continue.

Test the File Blocking Profile with WildFire


35. Open a new browser window to http://www.opera.com.
36. Download the Opera browser installer to your local system. The download should fail. (If the site
serves the installer over https, the firewall cannot see the file until decryption is configured; use
an http link for this test.)
37. Click Monitor > Logs > Data Filtering and find the log entry where the exe file was denied.

Configure a Security Profile Group


38. Return to the WebUI and click Objects > Security Profile Groups.
39. Click Add to define a security profile group:
   Name: Enter student-profile-group
   Antivirus Profile: Select student-antivirus
   Anti-Spyware Profile: Select student-antispyware
   URL Filtering Profile: Select student-url-filtering
   File Blocking Profile: Select student-file-block
   Click OK to close the security profile group window.

Assign the Security Profile Group to a Policy


40. Click Policies > Security.
41. Click Allow and Log Outbound in the list of policy names. Edit the policy to replace the profiles
with the profile group:
   Actions tab
      Profile Type: Select Group
      Group Profile: Select student-profile-group
   Click OK to close the policy window.
42. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.

Create a Custom Report


43. Click Monitor > Manage Custom Reports.
43. Click Monitor > Manage Custom Reports.
44. Click Add to define a new custom threat report:
   Name: Enter Top Threats by Day
   Database: Select Summary Databases > Threat
   Time Frame: Select Last 24 Hrs
   Sort by: Select Count and Top 10
   Group by: Select None and 10 Groups
   Selected Columns: Populate the Selected Columns field with the following values, in this order:
      Threat/Content Name
      Application
      App Technology
      App Sub Category
      Count
   Query Builder: Build a query using the following parameters:
      Connector: Select and
      Attribute: Select Rule
      Operator: Select =
      Value: Enter Allow and Log Outbound
      Click Add
   Click OK to save the custom report definition.
45. Click the name of your custom report to reopen the custom report window. Click Run Now to
generate the report.
46. The report will appear in a new tab in the window. Click Export to PDF to save it to your RDP
desktop.
47. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before clicking Close to continue.

Module 6 Scenario: Decryption

In this lab you will:
   Create a self-signed SSL certificate
   Configure the firewall as a forward proxy using decryption rules

Scenario
Your security team is concerned about the results of the testing performed as part of the security profile
configuration. The team observed that the antivirus profile only identified viruses in traffic that was not
SSL-encrypted. The concern is that files transferred from encrypted sources (e.g., https://www.facebook.com)
could escape detection and cause issues.
You want to evaluate using a forward-proxy configuration on the Palo Alto Networks firewall. Only traffic
from Trust-L3 to Untrust-L3 needs to be decrypted. Since this is not production, you decide to use
self-signed SSL certificates generated on the firewall for this implementation.
The legal department has advised you that certain traffic should not be decrypted for liability reasons.
Specifically, you may not decrypt traffic from health-related, shopping, or financial web sites.
Test the decryption two ways:

   Attempt to download test files from www.eicar.org using https and verify that they are detected by
   the firewall
   Connect to various websites using https and use the logs to verify that the correct URL categories
   are being decrypted

Required Information
   Self-signed Certificate name: student-ssl-cert
   Common Name of the SSL Certificate: 192.168.2.1
   Decryption Policies:
      no-decrypt-traffic
      decrypt-all-traffic


Lab Notes

You will get certificate errors when browsing after decryption is enabled. This is expected because
the self-signed certificate has not been added to the trusted certificates of the client browser. In
a production environment you would resolve this by adding the firewall certificate to the clients as
trusted or by using a certificate issued by a CA the clients already trust, such as an enterprise CA or
a commercial CA like VeriSign.
Order matters with policies: make sure that the decrypt and no-decrypt policies are evaluated
in the correct order.

Module 6 Solution: Decryption


Verify firewall behavior without decryption
1. Open a new browser window to www.eicar.org
2. Click Anti-Malware Testfile.
3. Click the Download link to access the virus test files.
4. Download any of the Eicar test zip files listed under the banner Download area using the secure,
SSL-enabled protocol https. The download succeeds.
5. Go to the WebUI and click Monitor > Logs > Threat to view the log. Notice that SSL encryption
hid the contents from the firewall, so the test file was not detected as a threat.

Create an SSL Self-signed Certificate


6. Click Device > Certificate Management > Certificates.
7. Click Generate at the bottom of the screen to create a new self-signed certificate:
   Certificate Name: Enter student-ssl-cert
   Common Name: Enter 192.168.2.1
   Certificate Authority: Check the box
   Click Generate to create the certificate. Click OK to dismiss the certificate generation success
   window.
8. Click student-ssl-cert in the list of certificates to edit the certificate properties. Check the boxes for
Forward Trust Certificate and Forward Untrust Certificate. Click OK to confirm the changes.
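What the firewall does with the Forward Trust certificate is worth seeing in code. The Go program below is an added example, not part of this lab manual and not PAN-OS code: it builds a self-signed CA like student-ssl-cert, constructs a stand-in origin certificate for www.eicar.org (an assumption; nothing is fetched from the network), re-signs the origin's identity under the firewall CA the way SSL Forward Proxy does, and then checks whether a client that does or does not trust that CA accepts the result. Key type, serial numbers and validity periods are chosen for the example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a P-256 key; the firewall dialog defaults to RSA, ECDSA is
// used here only because it is fast to generate.
func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// sign issues tmpl under parent with signer's key and returns the parsed result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds a self-signed CA certificate: student-ssl-cert with the
// Certificate Authority box checked (IsCA plus the CertSign key usage).
func NewCA(commonName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// OriginCert constructs a stand-in for the certificate a real web server
// presents (self-signed here; only its identity and validity fields matter).
func OriginCert(host string) (*x509.Certificate, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	return sign(tmpl, tmpl, &key.PublicKey, key)
}

// ForwardProxyCert does what the firewall does with its Forward Trust
// certificate: copy the server's identity (subject, SANs, validity) into a
// new certificate and sign it with the firewall CA, so the browser sees a
// certificate for the right host name that is issued by the firewall.
func ForwardProxyCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, origin *x509.Certificate) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      origin.Subject,
		DNSNames:     origin.DNSNames,
		NotBefore:    origin.NotBefore,
		NotAfter:     origin.NotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := sign(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// ClientTrusts reports whether a browser holding roots as its trusted CAs
// would accept leaf for host. An empty pool models the lab laptops, which do
// not have student-ssl-cert installed: that is the certificate error the
// Lab Notes describe.
func ClientTrusts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, caKey, err := NewCA("192.168.2.1")
	check(err)
	origin, err := OriginCert("www.eicar.org")
	check(err)
	leaf, _, err := ForwardProxyCert(ca, caKey, origin)
	check(err)
	withCA := x509.NewCertPool()
	withCA.AddCert(ca)
	fmt.Println("issuer:", leaf.Issuer.CommonName, "trusted with CA:", ClientTrusts(leaf, withCA, "www.eicar.org"),
		"without CA:", ClientTrusts(leaf, x509.NewCertPool(), "www.eicar.org"))
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
```

The Forward Untrust certificate is used the same way for sites whose real certificate the firewall itself could not validate; it is deliberately not trusted by clients so that the browser warning is preserved.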

Create SSL Decryption Policies


9. Click Policies > Decryption.
10. Click Add to create an SSL decryption rule for the exception categories:
   General tab
      Name: Enter no-decrypt-traffic
   Source tab
      Source Zone: Click Add then select Trust-L3
   Destination tab
      Destination Zone: Click Add then select Untrust-L3
   URL Category tab
      URL Category: Click Add and add each of the following URL categories:
         health-and-medicine
         shopping
         financial-services
   Options tab
      Action: Select no-decrypt
      Type: Select SSL Forward Proxy
   Click OK to close the configuration window.
11. Click Add to create the SSL decryption rule for general decryption:
   General tab
      Name: Enter decrypt-all-traffic
   Source tab
      Source Zone: Click Add then select Trust-L3
   Destination tab
      Destination Zone: Click Add then select Untrust-L3
   URL Category tab
      URL Category: Verify that the Any box is checked
   Options tab
      Action: Select decrypt
      Type: Select SSL Forward Proxy
   Click OK to close the configuration window.
12. Confirm that your decryption policy list shows no-decrypt-traffic first and decrypt-all-traffic
second. If decrypt-all-traffic is on top it matches every session and the exceptions never take effect.
13. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before clicking Close to continue.
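Both rulebases built in this manual, the Phase 3 security rules and the decryption rules above, are evaluated top to bottom with the first match winning, which is what the Lab Notes mean by "order matters". The Go program below is an added example, not firewall code: it models that first-match evaluation for both rulebases, expands application groups the way Known-Bad contains the Proxies and Web-Based-File-Sharing filters (the filter members used here are a constructed assumption), and shows that putting decrypt-all-traffic above no-decrypt-traffic silently decrypts shopping traffic.

```go
package main

import "fmt"

// Rule is one row of a Security or Decryption rulebase as modelled here. A nil
// Apps or URLCats slice means "any"; the zone "any" matches every zone.
type Rule struct {
	Name, From, To, Action string
	Apps, URLCats          []string // App-IDs or group names; URL categories
}

// Session is the subset of session attributes these rules match on.
type Session struct{ From, To, App, URLCat string }

// Policy is an ordered rulebase. Groups maps an application group (or a filter
// resolved to its current members, an assumption here; the firewall re-resolves
// filters on every content update) to the names it holds. Groups may nest but
// must not form a cycle.
type Policy struct {
	Rules  []Rule
	Groups map[string][]string
}

// contains reports whether name is app itself or a group that holds it.
func (p Policy) contains(name, app string) bool {
	if name == app {
		return true
	}
	for _, m := range p.Groups[name] {
		if p.contains(m, app) {
			return true
		}
	}
	return false
}

func anyOf(items []string, pred func(string) bool) bool {
	for _, it := range items {
		if pred(it) {
			return true
		}
	}
	return false
}

func (p Policy) matches(r Rule, s Session) bool {
	if (r.From != "any" && r.From != s.From) || (r.To != "any" && r.To != s.To) {
		return false
	}
	if r.Apps != nil && !anyOf(r.Apps, func(a string) bool { return p.contains(a, s.App) }) {
		return false
	}
	return r.URLCats == nil || anyOf(r.URLCats, func(c string) bool { return c == s.URLCat })
}

// Evaluate walks the rulebase top to bottom and returns the first matching rule
// and its action; later rules are never consulted. defaultAction is what the
// firewall does when nothing matches: interzone traffic is denied by the
// implicit rule, and an undecided decryption rulebase leaves traffic encrypted.
func (p Policy) Evaluate(s Session, defaultAction string) (rule, action string) {
	for _, r := range p.Rules {
		if p.matches(r, s) {
			return r.Name, r.Action
		}
	}
	return "(no rule)", defaultAction
}

// Phase3Security is the security rulebase at the end of Phase 3; the group
// members are a constructed assumption of what the lab's filters resolve to.
var Phase3Security = Policy{
	Rules: []Rule{
		{Name: "Block-Known-Bad", From: "Trust-L3", To: "Untrust-L3", Apps: []string{"Known-Bad"}, Action: "deny"},
		{Name: "Allow and Log Outbound", From: "Trust-L3", To: "Untrust-L3", Action: "allow"},
		{Name: "Deny and Log Inbound", From: "Untrust-L3", To: "Trust-L3", Action: "deny"},
	},
	Groups: map[string][]string{
		"Known-Bad":              {"Proxies", "Web-Based-File-Sharing"},
		"Proxies":                {"phproxy"},
		"Web-Based-File-Sharing": {"boxnet-base"},
	},
}

// LabDecryption is the Module 6 decryption rulebase in its intended order.
var LabDecryption = Policy{Rules: []Rule{
	{Name: "no-decrypt-traffic", From: "Trust-L3", To: "Untrust-L3", Action: "no-decrypt",
		URLCats: []string{"health-and-medicine", "shopping", "financial-services"}},
	{Name: "decrypt-all-traffic", From: "Trust-L3", To: "Untrust-L3", Action: "decrypt"},
}}

func main() {
	s := Session{From: "Trust-L3", To: "Untrust-L3", App: "phproxy"}
	fmt.Println(Phase3Security.Evaluate(s, "deny"))
	shop := Session{From: "Trust-L3", To: "Untrust-L3", App: "ssl", URLCat: "shopping"}
	fmt.Println(LabDecryption.Evaluate(shop, "no-decrypt"))
	swapped := Policy{Rules: []Rule{LabDecryption.Rules[1], LabDecryption.Rules[0]}}
	fmt.Println(swapped.Evaluate(shop, "no-decrypt")) // the misordered rulebase decrypts it
}
```

The model ignores service/port, user and address objects, which the real rulebase also matches on; adding them is a matter of more fields in Rule and Session, the first-match walk does not change.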

Test the SSL Decryption Policies


1. Open a new browser window to www.eicar.org
2. Click Anti-Malware Testfile.
3. Click the Download link to access the virus test files.
4. Download any of the Eicar test zip files listed under the banner Download area using the secure,
SSL-enabled protocol https. A certificate error occurs. This is expected behavior because the
firewall is intercepting the SSL connection and performing man-in-the-middle decryption, and the
browser does not trust the firewall's self-signed CA.
5. Ignore the certificate error. The download fails and a block page appears.
6. In the WebUI, examine the Threat logs under Monitor > Logs > Threat. The virus should have
been detected, since the SSL connection was decrypted.
7. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify
that the Decrypted box has a check mark.
8. Open a browser to http://www.brightcloud.com/tools/urliplookup.php
9. Enter various URLs that you believe fall into the categories excluded by the no-decrypt rule.
Make a list of some URLs that fall into these categories to test against. For example:
financial-services: www.bankofamerica.com
health-and-medicine: www.deltadental.com
shopping: www.macys.com
10. In the WebUI, click Monitor > Logs > Traffic.
11. Set the traffic log to display only port 443 traffic by entering ( port.dst eq 443 ) in the
filter field.
12. Select 10 Seconds from the pulldown menu so that the display will refresh automatically.

13. In a separate browser window, use SSL (https://) to navigate to the websites you found in the
excluded URL categories.
14. Now use https:// to browse to sites like bing.com or yahoo.com which are not excluded.
15. Return to the traffic log at Monitor > Logs > Traffic.
16. If the URL Category column is not displayed, click the drop down arrow next to one of the
columns and select URL Category.
17. Find an entry for one of the excluded categories by looking at the value in the URL Category
column. The category is present even though the session was not decrypted: the firewall classifies
the destination before it decides whether to decrypt, without inspecting the encrypted payload.
18. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify
that the Decrypted box in the Misc panel is unchecked.
19. Find an entry for one of the non-excluded categories by looking at the value in the URL Category
column.
20. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify
that the Decrypted box in the Misc panel is checked.
