PAN-EDU-101 - Lab Manual PAN-OS 6.0 - Rev A PDF

Firewall Installation, Configuration, and
Management:
Essentials I
Lab Manual
PAN-OS 6.0
PAN-EDU-101 Rev A.200
PANEDU101
Palo Alto Networks, Inc.

www.paloaltonetworks.com
2007-2014 Palo Alto Networks. All rights reserved.
Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are
the property of their respective owners.
Lab Manual
PANOS 6.0 Rev A.200
Page 2
PANEDU101
Typographical Conventions
Thisguideusesthefollowingtypographicalconventionsforspecialtermsandinstructions.
Convention
Meaning
Example
Boldface
Names of commands, keywords, and

selectable items in the web interface
Click Security to open the Security

Rule Page
Italics
Name of parameters, files, directories, or

Uniform Resource Locators (URLs)
The address of the Palo Alto Networks

home page is
http://www.paloaltonetworks.com
courier font
Coding examples and text that you enter

at a command prompt
Enter the following command:

a:\setup
Click
Click the left mouse button
Click Administrators under the

Device tab.
Right-click
Click the right mouse button
Right-click on the number of a rule

you want to copy, and select Clone
Rule.
Lab Manual
PANOS 6.0 Rev A.200
Page 3
PANEDU101
Table of Contents
HowtousethisLabGuide...................................................................................................6
LabGuideObjectives...........................................................................................................6
LabEquipmentSetup..........................................................................................................7
LabAssumptions.................................................................................................................7
StudentFirewallInterfaceSettings......................................................................................7
Module1AdministrationandManagement.....................................................................8
Scenario............................................................................................................................................................................8
RequiredInformation.......................................................................................................................................................8
Module2InterfaceConfiguration(optional)....................................................................9
Scenario............................................................................................................................................................................9
RequiredInformation.......................................................................................................................................................9
Module3Layer3Configuration......................................................................................10
Scenario..........................................................................................................................................................................10
RequiredInformation.....................................................................................................................................................11
Module4AppID............................................................................................................12
Scenario1...................................................................................................................................................................12
Scenario2...................................................................................................................................................................13
LabNotes........................................................................................................................................................................14
Module5ContentID......................................................................................................15
Scenario..........................................................................................................................................................................15
LabNotes........................................................................................................................................................................16
Module6Decryption......................................................................................................17
Scenario..........................................................................................................................................................................17
LabNotes........................................................................................................................................................................18
Lab Manual
PANOS 6.0 Rev A.200
Page 4
PANEDU101
Solutions...........................................................................................................................19
Module1Introduction(LabAccess)............................................................................................................................19
Module2InterfaceConfiguration...............................................................................................................................21
Module3Layer3Configuration..................................................................................................................................23
Module4AppID..........................................................................................................................................................26
Module5ContentID......................................................................................................................................................36
Module6Decryption....................................................................................................................................................43
CLIReference....................................................................................................................47
Module1AdministrationandManagement...............................................................................................................47
Module2InterfaceConfiguration...............................................................................................................................47
Module3Layer3Configuration..................................................................................................................................48
Module4AppID..........................................................................................................................................................48
Module5ContentID......................................................................................................................................................48
Module6Decryption....................................................................................................................................................48
Lab Manual
PANOS 6.0 Rev A.200
Page 5
PANEDU101
How to use this Lab Guide

TheLabGuidecontainslabexerciseswhichcorrespondtomodulesinthestudentguide.Eachlabexercise
consistsofthreeparts:ascenario,asolution,andaCLIreference.
Thescenariodescribesthelabexerciseintermsofobjectivesandcustomerrequirements.Minimal
instructionsareprovidedtoencouragestudentstosolvetheproblemontheirown.Ifappropriate,the
scenarioincludesadiagramandatableofrequiredinformationneededtocompletetheexercise.
Thesolutionisdesignedtohelpstudentswhopreferstepbystep,taskbasedlabs.Alternatively,students
whostartwiththescenariocanusethesolutiontochecktheirworkortoprovidehelpiftheygetstuckon
aproblem.
TheCLIreferenceisintendedasastartingpointforstudentsinterestedintheCLIcommands.Apartialset
ofCLIcommandsareprovidedforstudentstoresearchfurtherinthePaloAltoNetworksCommandLine
ReferenceGuide.
NOTE:Unlessspecified,theGoogleChromewebbrowserandthePuTTYSSHclientwillbeusedtoperform
anytasksoutlinedinthefollowinglabs.
Lab Guide Objectives

ThislabguideisdesignedspecificallyforasinglestudentattendingtheselfpacedversionoftheEssentials
Icourse.Theinstructorledversionofthecourseincludesadditionalexerciseswhichcanonlybe
completedinaclassroomenvironmentwithotherstudentsandadditionalequipment.
Oncetheselabsarecompleted,youshouldbeableto:
1. Configurethebasiccomponentsofthefirewall,includinginterfaces,securityzones,andsecurity
policies
2. ConfigurebasicLayer3settings,suchasIPaddressingandNATpolicies.
3. ConfigurebasicContentIDfunctionality,includingantivirusprotectionandURLfiltering.
4. ConfigureSSLdecryption.
WithspecialthankstoallofthosePaloAltoNetworksemployeesandATCpartnerswhoseinvaluablehelp
enabledthistrainingtobebuilt,tested,anddeployed.
Lab Manual
PANOS 6.0 Rev A.200
Page 6
PANEDU101
Lab Equipment Setup
DHCPenabled
Network
Internet
Lab Assumptions
Theselabinstructionsassumethefollowingconditions:
1. ThestudentisusingaPA200firewallwhichhasbeenregisteredwithPaloAltoNetworksSupport.
2. ThePA200firewallisusingthedefaultIPaddressontheMGTinterface(192.168.1.1)andthedefault
password(admin)fortheadminaccount.
3. ThefirewallislicensedforSupport,ThreatPrevention,andURLFiltering.
4. AllnetworkconnectivityforthestudentlaptopusedforthelabhasbeendisabledexceptfortheEthernet
adapterwhichwillbeconnectedtothefirewall.
5. Thefirewallshouldhavenopoliciesdefinedonit.
6. ThenetworkthatthestudentwillconnecttohasaDHCPserverfromwhichthefirewallcanobtainanIP
addressandDNSinformation.
7. TherearenootherPaloAltoNetworksfirewallsbetweenthestudentsPA200andtheinternet.Thelabs
willstillworkifupstreamfirewallsexist,buttheresultswillvarybasedonthefirewallsettings.
Student Firewall Interface Settings
StudentFirewall
PA200
Interface:
Type:
MGT
Ethernet1/1
Ethernet1/2
Ethernet1/3
Ethernet1/4
Management
Vwire
Vwire
Layer3
Layer3
Lab Manual
IPAddress:
Zone:
192.168.1.1
N/A
trust
untrust
UntrustL3
TrustL3
DHCP Client
192.168.2.1/24
PANOS 6.0 Rev A.200
Page 7
PANEDU101
Module 1 Administration and Management

Inthislabyouwill:
ConnecttothefirewallthroughtheMGTinterface
Createnewadministratorrolesandaccountsonthefirewall
Scenario
Youhavebeentaskedwithintegratinganewfirewallintoyourenvironment.Thefirewallisconfigured
withthefactorydefaultIPaddressandadministratoraccount.YouwillneedtochangetheIPaddressof
yourlaptoptocommunicatewiththedefaultIPaddressoftheMGTport.
Ifyourfirewallhassettingsyouwouldliketorestoreafterthecompletionofthislab,savethecurrent
configurationsothatitcanbereloadedonthefirewall.Applyasavedconfigurationtothefirewallsothat
itisinaknownstate.
Inpreparationforthenewdeployment,createaroleforanassistantadministratorwhichallowsaccessto
allfirewallfunctionalitythroughtheWebUIexceptMonitor,Network,Privacy,andDevice.Theaccount
shouldhavenoaccesstotheXMLAPIortheCLI.Createanaccountusingthisrole.Additionally,changethe
passwordoftheadminaccounttodisablethewarningsaboutusingdefaultcredentials.
Required Information
NamedConfigurationSnapshot
New Administrator Role name
New Administrator Account name
New Administrator Account password
New password for the admin account
Lab Manual
PANEDU101Default
Policy Admins
ip-admin
paloalto
paloalto
PANOS 6.0 Rev A.200
Page 8
PANEDU101
Module 2 Interface Configuration (optional)

Inthislabyouwill:
CreateSecurityZones
Configurebasicinterfacetypes
Scenario:
Youarepreparingthefirewallforasimpleproofofconcept(POC).Inordertodemonstratefirewall
featureswithaminimumofchangestotheexistingnetwork,youhavedecidedtousevirtualwiretopass
trafficthroughthefirewallforonenetworksegmentandatapinterfacetomonitoradifferentnetwork
segment.
Configurethevirtualwireandcreatezonessothatpolicyrulescanbedefined.Createatapinterfaceand
theassociatedzone.
Note:DuetothelimitednumberofinterfacesavailableonaPA200,theconfigurationssetinthislabwillbe
immediatelyremovedsothattheinterfacesmaybereusedforlaterlabs.
Interface to use for tap interface

Interfaces to use for virtual wire
Name for the tap zone
Name for the virtual wire zones
Name for the virtual wire object
Lab Manual
Ethernet1/3
Ethernet1/3
Ethernet1/4
tap-zone
vwire-zone-3
vwire-zone-4
student-vwire
PANOS 6.0 Rev A.200
Page 9
PANEDU101
Module 3 Layer 3 Configuration

Inthislabyouwill:
CreateInterfaceManagementProfiles
ConfigureEthernetinterfaceswithLayer3information
ConfigureDHCP
CreateaVirtualRouter
CreateSourceNATpolicy
Scenario:
ThePOCwentwellandthedecisionwasmadetousethePaloAltoNetworksfirewallinthenetwork.You
aretocreatetwozones,UntrustL3andTrustL3.TheexternalfacinginterfaceinUntrustL3willgetanIP
addressfromaDHCPserverontheexternalnetwork.TrustL3willbewheretheinternalclientsconnectto
thefirewallandsotheinterfaceinTrustL3willprovideDHCPaddressestotheseinternalclients.The
DHCPserveryouconfigureintheTrustL3zonewillinheritDNSsettingsfromtheexternalfacinginterface.
Boththeinternalandexternalinterfacesonthefirewallmustroutetrafficthroughtheexternalfacing
interfacebydefault.TheinterfaceinUntrustL3mustbeconfiguredtorespondtopingsandtheinterface
inTrustL3mustbeabletoprovideallmanagementservices.NOTE:Youwillnotbeabletotestwhether
theUntrustL3interfacerespondstopingsuntilthenextlab.
OnceyouhavecompletedtheLayer3configurations,youwillneedtomovethephysicalEthernetcable
fromtheMGTporttotheethernet1/4portofthePA200.YoumustalsochangethesettingsoftheLAN
interfaceonyourlaptoptouseDHCPsuppliednetworkinformation(IPaddressandDNSservers)instead
ofstaticsettings.
Whenthefirewallisfullyconfigured,aNATpolicymustexistsothatalltrafficoriginatingintheTrustL3
zoneappearstocomefromtheexternalfacingaddressofthefirewall.
Lab Manual
PANOS 6.0 Rev A.200
Page 10
PANEDU101
Interface Management Profile Names

Internal-facing IP Address
External-facing interface
Internal-facing interface
DHCP Server: Gateway
DHCP Server: Inheritance Source
DHCP Server: Primary DNS
DHCP Server: IP address range
Virtual Router Name
Lab Manual
allow_all
allow_ping
192.168.2.1/24
Ethernet1/3
Ethernet1/4
192.168.2.1
Ethernet1/3
inherited
192.168.2.50-192.168.2.60
Student-VR
PANOS 6.0 Rev A.200
Page 11
PANEDU101
Module 4 AppID
Inthislabyouwill:
EnablethefirewalltocommunicationwiththePaloAltoNetworksupdateserver
UpdatethethreatdefinitionsandOSofthefirewall
Createasecuritypolicytoallowbasicinternetconnectivityandlogdroppedtraffic
EnableApplicationBlockpages
CreateApplicationFiltersandApplicationGroups
Scenario 1:
Inordertoupdatethesoftwareonthefirewall,youmustenabletheDNS,paloaltoupdates,andSSL
applicationstopassbetweenthezones.Theapplicationsshouldonlybepermittedonapplicationdefault
ports.ConfigurethefirewalltocommunicatewithDNSandPaloAltoNetworksupdateserversthroughthe
TrustL3interface.
Oncetheseconfigurationsarecomplete,licenseyourfirewall.UpdatetheThreatsandApplicationsdatafile
tothemostrecentversion.
DNS Server for the MGT functions

Address to use for Service Routes
Name to use for Security Policy
Lab Manual
4.2.2.2
192.168.2.1/24
General Internet
PANOS 6.0 Rev A.200
Page 12
PANEDU101
Scenario 2:
Atthispoint,thefirewallisconfiguredbutnotpassingtraffic.Securitypoliciesmustbedefinedbefore
trafficwillflowbetweenzones.Tofacilitatetestingandpresenttheminimalamountofrisktothenetwork
traffic,thepolicieswillbeestablishedinathreephasedeployment:
Phase1:ModifytheGeneralInternetpolicytoallowusersintheTrustL3zonetouseasetof
commonlyusedapplicationstoaccesstheinternet.Theapplicationsshouldonlybepermittedon
applicationdefaultports.Allothertraffic(inboundandoutbound)shouldbeblockedandloggedso
thatyoucanidentifywhatotherapplicationsarebeingused.Thiswillhelpgeneratelistsofgood
andbadapplicationstobemanagedinthelaterphases.
Phase2:Configurethefirewalltonotifyuserswhenblockedapplicationsareusedsothatthe
helpdeskdoesnotgetcalledforconnectionissuesthatareactuallyblockedapplications.
Phase3:Theresultsfromthefirsttwophasesoftestingresultinthefollowingdiscoveries:
Thelogsfromphase1showheavyuseofavarietyofinternetproxiesandclientserver
gamingapplicationsbyusersintheTrustL3zone.Managementmandatesthatyou
explicitlypreventuseoftheseapplications.
Foreaseofconfiguration,yourteamdecidestocreategroupsfortheallowedanddenied
applicationstoreducethenumberofpoliciesrequiredonthefirewall.
Therulesblockingallunmatchedtrafficweretoorestrictiveforyourenvironment.The
testingdeniedaccesstonumerousvitalapplications,causingasurgeinsupportcalls. Any
trafficwhichdoesnotmatchtheallowedordeniedlistsshouldbeallowedbutloggedfor
futurepolicydecisions.
ModifyGeneralInternetandcreatenewpolicies(BlockKnownBadandLogAll)tomeetthesenew
requirements.RemovetheotherpoliciescreatedinPhase1.
Lab Manual
PANOS 6.0 Rev A.200
Page 13
PANEDU101
dns
fileserve
flash
ftp
paloalto-updates
ping
web-browsing
ssl
General
Internet Deny
Inbound Deny
Proxies
Web-Based-File-Sharing
General Internet
Deny Inbound BlockKnown-Bad Log-All
Phase 1 Allowed Applications
Phase 1 Security Policy names

Phase 3 Application Filter names
Phase 3 Security Policy names

Setting for Proxies application filter
Settings for Web-Based-File-Sharing application
filter
Phase 3 Application Group names
Members of the Known-Good application group
Members of the Known-Bad application group
Subcategory: Proxies
Subcategory: file-sharing
Technology: browser-based
Known-Good
Known-Bad
dns
fileserve
flash
ftp
paloalto-updates
ping
web-browsing
ssl
Proxies
Web-Based-File-Sharing
Lab Notes
DuringPhase1,testyourconnectivitybyconnectingtohttp://www.box.net(login:student@pan
edu.com,password:paloalto1).Usethetrafficlogstodeterminehowthefirewallhandlesthat
connection.
DuringPhase2,checktoseewhathappenswhenyoubrowsetowww.facebook.combeforeand
afteryoumakeyourchanges.
Thelabsolutionsusethebuttonsatthebottomofthepolicyscreenstochangetheorderofthe
rules.Rulescanalsobereorderedbyclickinganddraggingtherulestothedesiredlocation.
Lab Manual
PANOS 6.0 Rev A.200
Page 14
PANEDU101
Module 5 ContentID
Inthislabyouwill:
ConfigureSecurityProfiles
CreateaSecurityProfilegroup
AssociateSecurityProfilesandSecurityProfileGroupstoSecurityPolicy
Generateacustomreport
Scenario
Nowthattrafficispassingthroughthefirewall,youdecidetofurtherprotecttheenvironmentwith
SecurityProfiles.Thespecificsecurityrequirementsforgeneralinternettrafficare:
LogallURLsaccessedbyusersintheTrustL3zone.Inparticular,youneedtotrackaccesstoaset
ofspecifiedtechnologywebsites.
AccesstoallhackingandgovernmentsitesshouldbesettoContinue.
BlockthefollowingURLcategories:
o Adultandpornography
o questionable
o Unknown
Log,butdonotblock,allvirusesdetectedandmaintainpacketcapturesoftheseeventsfor
analysis.
Logspywareofseveritylevelscriticalandhighdetectedinthetraffic.Ignoreallotherspyware.
ConfigurefilestobeautomaticallyforwardedtoWildFirewithnouserinteraction.
Lab Manual
PANOS 6.0 Rev A.200
Page 15
PANEDU101
Afteralloftheseprofilesareconfigured,sendtesttraffictoverifythattheprotectionbehavesas
expected.TestingparameterswillbeincludedintheRequiredInformationsectionofthislab.
Aftertheinitialtestingiscomplete,youareaskedtochangetheAntivirusprotectiontoblockviruses.
Makethechangesandverifythedifferenceinbehavior.
Oncetheindividualprofilesarecreatedandtested,combinetheprofilesintoasinglegroupforeaseof
management.Attachthegrouptotheappropriatesecuritypolicies.
Yourmanagerwantstoseedailyreportswhichdetailthethreatsencounteredbythefirewall.Configurea
customreporttoshowathreatsummaryforalltrafficallowedinthepast24hours.Itshouldincludethe
threatname,theapplication(includingtechnologyandsubcategoryforreference),andthenumberof
timesthatthreatwasencountered.ExportthefileasaPDF.
Custom Technology sites to track
Location of files for testing antivirus
Hacking sites for testing URL Filtering

Procedure for testing file blocking
www.slashdot.org
www.cnet.com
www.phys.org
www.zdnet.com
1. Browse to http://www.eicar.org
2. Click Anti-Malware Testfile.
3. Click Download
4. Download any of the files using http only.
Do not use the SSL links.
www.2600.org
www.neworder.box.sk
1. Navigate to the web site http://www.opera.com
2. Download the installer to your local system
Lab Notes
Youdonotneedtoassignprofilestoallofthesecuritypoliciesyouhavecreatedinthelab.The
KnownBadpolicyhasanactionofdenysoprofileswilldonothingforthatrule.
Onlytesttheantivirusprofileusinghttp,nothttps.HTTPSconnectionswillpreventthefirewall
fromseeingthepacketcontentssothevirusescontainedwillnotbedetectedbytheprofile.
Decryptionwillbecoveredinalatermodule.
Lab Manual
PANOS 6.0 Rev A.200
Page 16
PANEDU101
Module 6 Decryption
Inthislabyouwill:
CreateaselfsignedSSLcertificate
Configurethefirewallasaforwardproxyusingdecryptionrules
Scenario
Yoursecurityteamisconcernedabouttheresultsofthetestingperformedaspartofthesecurityprofile
configurations.TheteamobservedthattheantivirusprofileonlyidentifiedviruswhichwerenotSSL
encrypted.Theconcernisthatfilestransferredfromencryptedsources(e.g.,https://www.facebook.com)
couldescapedetectionandcauseissues.Fortestingpurposes,youwillneedtochangetheantivirusprofile
toalertinsteadofblockingthefile.Verifythathttpsdownloadsofvirusfilesfromwww.eicar.orgare
detectedbytheantivirusprofile.
YouwanttoevaluateusingaforwardproxyconfigurationonthePaloAltoNetworksfirewall.Onlytraffic
fromTrustL3toUntrustL3needstobedecrypted.Sincethisisnotproduction,youdecidetouseself
signedSSLcertificatesgeneratedonthefirewallforthisimplementation.Thelegaldepartmenthasadvised
youthatcertaintrafficshouldnotbedecryptedforliabilityreasons.Specifically,youmaynotdecrypt
trafficfromhealthrelated,shopping,orfinancialwebsites.
Testthedecryptiontwoways:
Attempttodownloadtestfilesfromwww.eicar.orgusinghttpsandverifythattheyaredetectedby
thefirewall
ConnecttovariouswebsitesusinghttpsandusethelogstoverifythatthecorrectURLcategories
arebeingdecrypted
Lab Manual
PANOS 6.0 Rev A.200
Page 17
PANEDU101
Afteryourinitialtestingoftheforwardproxy,thepenetrationtestingteamcallsyoutorequestan
exceptiontothedecryptionrules.Theteamasksthatwww.eicar.orgbeexcludedfromdecryptionsothat
theywillstillbeabletodownloadthefilestheyneedtoperformtheirevaluations.Changethe
implementationtoallowthisexception.
Self-signed Certificate name

Common Name of the SSL Certificate
Decryption Policies
student-ssl-cert
192.168.2.1
no-decrypt-traffic
decrypt-all-traffic
Lab Notes
Youwillgetcertificateerrorswhenbrowsingafterdecryptionisenabled.Thisisexpectedbecause
theselfsignedcertificateshavenotbeenaddedtothetrustedcertificatesoftheclientbrowser. In
aproductionenvironmentyouwouldresolvethisbyaddingthefirewallcertificatetotheclientsas
trustedorbyusingacommercialcertificatefromaknownCAsuchasVeriSign.
Ordermatterswithpoliciesmakesurethatthedecryptandnodecryptpoliciesareevaluated
inthecorrectorder.
TofindURLstotestthenodecryptrule,gotohttp://www.brightcloud.com/andentervarious
URLsthatyoubelievefallintothecategoriesyouaretesting.
Lab Manual
PANOS 6.0 Rev A.200
Page 18
PANEDU101
Solutions
Module 1 Introduction (Lab Access)
Prepare your laptop for the lab

1. Whileconnectedtotheinternet,downloadthefilePANEDU101Defaulttoyourlaptopyou
willbeusingforthelabexercises.
2. ConfigurethephysicalLANinterfaceonyourlaptopwithanIPaddresstocommunicatewith
thefirewall.
192.168.1.100
IPaddress
SubnetMask
255.255.255.0
3. ConnectanEthernetcablebetweentheinterfaceyoujustconfiguredandtheMGTportofyour
firewall.
4. OpenacommandpromptandverifyyoucanpingtheIPaddress192.168.1.1.
Log on to the Firewall

5. Openabrowserandconnecttothefirewallathttps://192.168.1.1.Note:Youwillgetawarning
messagesincethefirewallisusinganuntrustedselfsignedcertificate.Dismissthewarningand
continuetothewebpage.
6. Logonwiththedefaultusernameandpassword.ClickOKtodismissthewarningaboutthe
defaultadmincredentials.
Save the current configuration on your firewall (optional)

Note:Ifyourfirewallhassettingsyouwouldliketorestoreafterthecompletionofthislab,savethe
configurationsothatitcanbereloadedonthefirewall.
7. ClickDevice>Setup>Operations.
8. ClickSavenamedconfigurationsnapshot.Enterpre-101-labs intheNamefield. ClickOK
tocompletethesave.ClickOKtodismissthesuccesswindow.
Upload and apply baseline configuration to your firewall

9. ClickDevice>Setup>Operations.
10. ClickImportnamedconfigurationsnapshot.ClickBrowsetoselectthePANEDU101Default
filefromyoursystem.ClickOpenthenOKtouploadthefiletothefirewall.ClickOKtodismiss
thesuccesswindow.
11. ClickLoadNamedConfigurationSnapshot.
12. SelectPANEDU101Default.ClickOK.ClickOKtodismissthesuccesswindow.
13. ClicktheCommitlinkatthetoprightoftheWebUI.ClickOKagainandwaituntilthecommit
processcompletes,thenclickClose.
Lab Manual
PANOS 6.0 Rev A.200
Page 19
PANEDU101
Add an Administrator Role

14. ClickDevice>AdminRoles.
15. ClickAddinthelowerleftofthepanelandcreateanewadminrole:
Name
WebUI tab
Enter Policy Admins

Clickthefollowingmajorcategoriestodisablethem:
Monitor
Network
Device
Privacy
The remaining major categories shouldremainenabled.
ClickOKtocontinue.
Manage administrator accounts

16. ClickDevice>Administrators.
17. Clickadmininthelistofusers.Changethepasswordtopaloalto.ClickOKtoclosethe
configurationwindow.
18. ClickAddinthelowerleftcornerofthepanel.Configureanewadministratoraccount:
Name
Password/ConfirmPassword
Role
Profile
ClickOK.
Enter ip-admin
Enter paloalto
Select Role Based
Select Policy Admins
19. ClicktheCommitlinkatthetoprightoftheWebUI.ClickOKandwaituntilthecommitprocess
completes,thenclickClose.
20. UseanSSHclient(e.g.,PuTTY)toattempttologintotheCLIasipadmin.Becausetherole
assignedtothisaccountwasnotassignedCLIaccess,theconnectionshouldreset.
21. OpendifferentbrowserandlogontotheWebUIasipadminandexploretheavailable
functionality.Forexample,ifyouoriginallyconnectedtotheWebUIusingChrome,openthis
connectioninInternetExplorer. Comparethedisplaysfortheadminandipadminaccountsto
seethelimitationsofthenewlycreatedaccount.
22. Logoutoftheipadminaccountconnectionwhenyouaredoneexploring.
Lab Manual
PANOS 6.0 Rev A.200
Page 20
PANEDU101
Module 2 Interface Configuration
Create new Security Zones

1. Ifnecessary,logintotheWebUIusingyouradminaccount
2. ClickNetwork>Zones. ClickAddandcreatethetapzone:
Name
Enter tap-zone
Type
Select Tap
ClickOKtoclosethezonecreationwindow.
3. ClickAddandcreatethefirstvirtualwirezone:
Name
Enter vwire-zone-3
Type
Select Virtual Wire
4. ClickAddandcreatethesecondvirtualwirezone:
Name
Enter vwire-zone-4
Type
Select Virtual Wire
Configure a Tap interface

5. ClickNetwork>Interfaces>Ethernet.
6. Clicktheinterfacenameethernet1/3.Configuretheinterface:
InterfaceType
Select Tap
Configtab
SecurityZone
Select tapzone
ClickOKtoclosetheinterfaceconfigurationwindow.
Creating a Virtual Wire Setup

7. ClickNetwork>VirtualWires.
8. ClickAddandcreateanewvirtualwireobjectnamedstudent-vwire.Keepallother
settingsatthedefaultvaluesandclickOK.
Lab Manual
PANOS 6.0 Rev A.200
Page 21
PANEDU101
InterfaceType
Select Virtual Wire
Configtab
VirtualWire
Select studentvwire
SecurityZone
Select vwirezone3
InterfaceType
Select Virtual Wire
Configtab
VirtualWire
Select studentvwire
SecurityZone
Select vwirezone4
Normally,youwouldcommityourchangesatthispoint.However,fortheselfpacedlabsyouwill
bereusingtheseinterfacessoyoumustundosomeofthechangesyoujustimplemented.
12. ClickNetwork>VirtualWires.
13. SelectthestudentvwireobjectandclickDelete.
(Note:youwillsettheinterfacestoadifferenttypeinthenextmodule.)
Lab Manual
PANOS 6.0 Rev A.200
Page 22
PANEDU101
Create new Security Zones

1. GototheWebUIandclickNetwork>Zones.
2. ClickAddandcreatetheUntrustL3zone:
Name
Enter Untrust-L3
Type
Verfy thatLayer3 is selected
3. ClickAddandcreatetheTrustL3 zone:
Name
Enter Trust-L3
Type
Select Layer 3
Create Interface Management Profiles

4. ClickNetwork>NetworkProfiles>InterfaceMgmt.
5. ClickAddandcreateaninterfacemanagementprofile:
Name
Enter allow_all
PermittedServices
Select all check boxes
PermittedIPAddresses
Do not add anyaddresses
ClickOKtoclosetheinterfacemanagementprofilecreationwindow.
6. ClickAddandcreateanotherinterfacemanagementprofile:
Name
Enter allow_ping
PermittedServices
Select only the Ping check box
PermittedIPAddresses
Do not add anyaddresses
ClickOKtoclosetheinterfacemanagementprofilecreationwindow.
processcompletesbeforecontinuing.
Configure Ethernet interfaces with Layer 3 info

InterfaceType
Configtab
VirtualRouter
SecurityZone
Lab Manual
Select Layer 3
Keep default (none)

Select UntrustL3
PANOS 6.0 Rev A.200
Page 23
PANEDU101
IPv4tab
Type
Select DHCP Client
Advanced >OtherInfotab
Select allow_ping
ManagementProfile
InterfaceType
Select Layer 3
Configtab
VirtualRouter
Keep default (none)
SecurityZone
Select TrustL3
IPv4tab
Type
Keep default (Static)
IP
Click Add thenenter 192.168.2.1/24
Advanced >OtherInfotab
Select allow_all
ManagementProfile
Configure DHCP
11. ClickNetwork>DHCP>DHCPServer.
12. ClickAddtodefineanewDHCPServer:
InterfaceName
Select ethernet1/4
InheritanceSource
Select ethernet1/3
Gateway
Enter 192.168.2.1
PrimaryDNS
Select inherited
IPPools
Click Add thenenter 192.168.2.50-192.168.2.60
ClickOKtoclosetheDHCPServerconfigurationwindow.
Create a Virtual Router

13. ClickNetwork>VirtualRouters.
14. ClickAddtodefineanewvirtualrouter:
Generaltab
Name
Interfaces
Enter Student-VR
ClickAddthenselectethernet1/3
Click Add again and select ethernet1/4

ClickOKtoclosethevirtualrouterconfigurationwindow.
Lab Manual
PANOS 6.0 Rev A.200
Page 24
PANEDU101
Test the Network Configuration

16. LogoutoftheWebUI.
17. MovetheEthernetcablefromtheMGTinterfacetothe4interfaceonthefirewall.
18. Plugthecableconnectedtoyournetworkintothe3interfaceonthefirewall.
19. ConfigurethephysicalLANinterfaceonyourlaptop(theoneconnectedtothe4interface)to
useaDHCPaddress.
20. VerifythatyourlaptopisreceivingDHCPaddressfromthefirewall.ThedisplayedIPaddress
shouldbeintherange192.168.2.50192.168.2.60iftheDHCPServerisconfiguredcorrectly.
Youshouldalsobeabletoping192.168.2.1.
21. ConnecttotheWebUIbylaunchingabrowsertohttps://192.168.2.1andlogginginwithyour
adminaccount.
Create a Source NAT policy

22. ClickPolicies>NAT.
23. ClickAddtodefineanewsourceNATpolicy:
Generaltab
Name
Enter Student Source NAT
OriginalPacket tab
Click Add andselect TrustL3
SourceZone
DestinationZone
Select UntrustL3
DestinationInterface
Select ethernet1/3
TranslatedPacket>Source
AddressTranslation tab
Translation Type
SelectDynamic IP and Port
AddressType
Select Interface Address
Interface
Select ethernet1/3
ClickOKtoclosetheNATpolicyconfigurationwindow.
Note:Atthispoint,youstillwillnothaveaccesstotheinternet.Asecuritypolicyisrequired,
whichwillbeconfiguredinthenextlab.
Lab Manual
PANOS 6.0 Rev A.200
Page 25
PANEDU101
Module 4 AppID
Scenario 1
Create the General Internet Policy
1. GototheWebUIandclickPolicies>Security.
2. ClickAddtodefineasecuritypolicy:
Generaltab
Name
Source tab
SourceZone
SourceAddress
Destination tab
DestinationZone
DestinationAddress
Application tab
Applications
Enter General Internet

Select Any
Click Add and select UntrustL3

Select Any
ClickAddandselect eachofthefollowing:
dns
paloaltoupdates
ssl
Service/URLCategory tab
Service
Select applicationdefault from the pulldown
Actions tab
ActionSetting
Select Allow
LogSetting
Select Log atSession End
ClickOKtoclosethesecuritypolicyconfigurationwindow.
Configure the Firewall to Communicate with the Update Server

3. IntheWebUI,clickDevice>Setup>Services.
4. ClicktheiconintheupperrightcorneroftheServicespaneltoconfigureDNSlookups:
DNS
Verify thatServers is selected
PrimaryDNSServer
Enter 4.2.2.2
UpdateServer
Keep the default (updates.paloaltonetworks.com)
ClickOKtoclosetheconfigurationwindow.
5. IntheServicesFeaturespanel,clicktheServiceRouteConfiguration linktoconfigurehowthe
firewallaccessesnetworkservices.ClicktheradiobuttonforSelect.FortheDNS,PaloAlto
Updates,andURLUpdatesservices,gototheSourceAddresscolumnandselect192.168.2.1/24.
Lab Manual
PANOS 6.0 Rev A.200
Page 26
PANEDU101
6. ClicktheCommitlinkatthetoprightoftheWebUI.ClickOKandwaituntilthecommitprocess
completesbeforecontinuing.
Review PANOS Licenses

7. ClickDevice>Licenses.
8. Ifnolicensesappear,clickRetrievelicensekeysfromlicenseserver.
9. Reviewlicensesinstalledandtheirexpirationdates.
Update the Applications and Threats Definition File

Note:UpgradingPANOSrequiresthatthefirewallberunningthemostrecentApplicationsand
Threatsdefinitionfile.Allotherdynamicupdatescanbehandledlater.
10. ClickDevice>DynamicUpdates.
11. ClickCheckNowatthebottomofthepagetoretrievethelatestupdatesfromPaloAltoNetworks.
Lab Manual
PANOS 6.0 Rev A.200
Page 27
PANEDU101
12. VerifythatyourfirewallisrunningthemostrecentApplicationsandThreats.
13. Ifthedefinitionfileisoutofdate,installthelatestversion.
a. ClickDownloadonthelinefortheupdatefileyouplantoinstall.ClickClosewhenthefile
downloadcompletes.
b. TheDownloadlinkwillhavebeenreplacedwiththeInstalllink.ClickInstalltoactivatethe
definitionfile.Theinstallationwillautomaticallytriggeracommit.Waitforbothoperations
tocompletebeforecontinuing.ClickClosetoexittheinstallationwindow.
Verify the PANOS version

14. ClickDevice>Software.
15. Reviewavailable,downloaded,andinstalledPANOSsoftware.Ifnosoftwareversionsare
displayed,clickCheckNowatthebottomofthepaneltorefreshthelist.
WhatversionofPANOSisrunningonyourfirewall?
16. Ifthefirewallisnotrunningversion6.0.0,updatethefirewalltothatversion.
a. ClickDownloadonthelineforversion6.0.0.ClickClosewhenthefiledownloadcompletes.
b. IfyourfirewalliscurrentlyrunningaversionofPANOSolderthan6.0.0(e.g.,5.0.x),you must
alsodownload(butnotinstall)version5.1.0.ClickDownloadonthelineforversion
5.1.0.ClickClosewhenthefiledownloadcompletes.
Lab Manual
PANOS 6.0 Rev A.200
Page 28
PANEDU101
c. Onthelinefor6.0.0,theDownloadlinkwillhavebeenreplacedwiththeInstalllink.Click
InstalltoupdatePANOSonyourfirewall.
d. Rebootthefirewallwhenprompted.Waituntilyourbrowserreconnectswiththefirewall and
loginagainusingyouradminaccount.
Lab Manual
PANOS 6.0 Rev A.200
Page 29
PANEDU101
Scenario 2 (Phase 1)
Modify the General Internet Policy
17. GototheWebUIandclickPolicies>Security.
18. ClicktheGeneralInternetpolicyyoupreviouslycreatedandmodifytheallowedapplications:
Application tab
Applications
fileserve
flash
ftp
ping
webbrowsing
Create Policies Block and Log All Inbound and Outbound Traffic
19. ClickPolicies>Security.
20. ClickAddtodefinetheDenyOutboundsecuritypolicy:
Generaltab
Name
Enter Deny Outbound
Source tab
SourceZone
SourceAddress
Select Any
Destination tab
DestinationZone
DestinationAddress
Select Any
Application tab
Applications
Check the Any box
Service
Select any fromthe pulldown
Actions tab
ActionSetting
Select Deny
LogSetting
21. ClickAddtodefinetheDenyInboundsecuritypolicy:
Generaltab
Name
Source tab
SourceZone
SourceAddress
Lab Manual
Enter Deny Inbound

Select Any
PANOS 6.0 Rev A.200
Page 30
PANEDU101
Destination tab
DestinationZone
Click Add andselect Trust L3
DestinationAddress
Select Any
Application tab
Applications
Check the Any box
Service
Actions tab
ActionSetting
Select Deny
LogSetting
22. EnsureyourSecurityPolicylookslikethis:
Note:Thedefaultrule1affectsvirtualwireconnectionsandwillnotaffectthelabexercises.
Verify Internet Connectivity and Application Blocking

24. Testinternetconnectivitybybrowsingwebsitesfromyourlaptop. Doeswebsurfingoverports80
and443work?
25. Useabrowsertoconnecttothesitehttp://www.box.net.Thebrowsershouldnotbeableto
displaythesite. Reviewthetrafficlogstodeterminewhythissiteisnotreachable.(Hint:Checkthe
applicationslistedinthelog.)Theboxnetbaseapplicationisnotallowedbytheconfiguredpolicies.
26. Attempttoreachthesitehttp://www.box.netusingtheproxysitehttp://www.avoidr.com. You
willnotbeabletoconnectbecausetheavoidrwebsitealsousesacustomapplicationwhichisnot
allowedbyyourpolicies.Usethetrafficlogstoverifythisstatement.
Lab Manual
PANOS 6.0 Rev A.200
Page 31
PANEDU101
Create an Application Block Page
1. FromtheRDPdesktop,openabrowserandnavigatetohttp://www.facebook.com.Leavethe
browseropentotheerrorpage.
2. ReturntotheWebUIandclickDevice>ResponsePages.
3. FindtheApplicationBlockPagelineandclickDisabled.
4. ChecktheEnableApplicationBlockPagebox,andthenclickOK.
6. Openadifferentbrowserwindowandgotohttp://www.facebook.com.Comparethepage
displayedtotheonegeneratedinStep1oftheCreateanApplicationBlockPagesectionofthelab.
Note:AnInterfaceManagementProfileDOESNOTneedtobesetforapplicationblockpages.Fromthe
adminguide(p.176):TheResponsePagescheckboxcontrolswhethertheportsusedtoservecaptive
portalandURLfilteringresponsepagesareopenonLayer3interfaces.Ports6080and6081areleftopenif
thissettingisenabled.
Lab Manual
PANOS 6.0 Rev A.200
Page 32
PANEDU101
Create Application Filters
1. GototheWebUIandclickObjects>ApplicationFilters.
2. ClickAddtodefinetheProxiesapplicationfilter:
Name
Enter Proxies
Subcategorycolumn
Select proxy
ClickOKtoclosetheapplicationfilterconfigurationwindow.
3. ClickAddtodefinetheWebBasedFileSharingapplicationfilter:
Name
Enter Web-Based-File-Sharing
Subcategorycolumn
Select filesharing
Technologycolumn
Select browserbased
ClickOKtoclosetheapplicationfilterconfigurationwindow.
Create Application Groups

4. ClickObjects>ApplicationGroups.
5. ClickAddtodefinetheKnownGoodapplicationgroup:
Name
Applications
Enter Known-Good
dns
fileserve
flash
ftp
paloaltoupdates
ping
ssl
webbrowsing
ClickOKtoclosetheapplicationgroupconfigurationwindow.
6. ClickAddtodefinetheKnownBadapplicationgroup:
Name
Applications
Enter Known-Bad
Proxies
WebBasedFileSharing
ClickOKtoclosetheapplicationgroupconfigurationwindow.
Lab Manual
PANOS 6.0 Rev A.200
Page 33
PANEDU101
Update Security Policies

8. ClickGeneralInternettoedittheexistingrule.GototheApplicationtab.Deleteallofthelisted
applicationsandaddtheKnownGoodapplicationgroup.ClickOKtoclosethewindow.
9. ClicktheDenyOutboundruleandmodifywiththefollowingvalues:
Generaltab
Name
Change to Log-All
Actions tab
Select Allow
ActionSetting
10. ClickAddtodefinetheBlockKnownBadsecuritypolicy:
Generaltab
Name
Enter Block-Known-Bad
Source tab
SourceZone
SourceAddress
Select Any
Destination tab
DestinationZone
Click Add and select Untrust L3
DestinationAddress
Select Any
Application tab
Applications
Click Add and select KnownBad
Service
Actions tab
ActionSetting
Select Deny
LogSetting
27. Usethemovebuttonsatthebottomofthepagetoarrangethepoliciesinalogicalorder.Confirm
thatyoursecurityrulelist lookslikethis:
Youcanalsorearrangetherulebyclickinganddraggingthemintothecorrectorder.
Lab Manual
PANOS 6.0 Rev A.200
Page 34
PANEDU101
Verify Internet Connectivity and Application Blocking

29. Verifythatyourpolicieshavenotbrokennetworkconnectivity.Testinternetconnectivitybybrowsing
websitesfromyourlaptop.Doeswebsurfingoverports80and443work?
30. Useabrowsertoconnecttothesitehttp://www.box.net.Thebrowsershouldnotbeabletodisplaythesite.
Reviewthetrafficlogstodeterminewhythissiteisnotreachable.(Hint:Checktheapplicationlistedinthe
log.)
31. Attempttoreachthesitehttp://www.box.netusingtheproxysitehttp://www.avoidr.com.Whycantyou
bringupthatwebsite? (Hint:thetrafficlogswillhelpyousolvethisproblem.)
32. ClicktheACCtabtoaccesstheApplicationCommandCenter.Usethedropdownmenuinthe
applicationsectionoftheACCtoselectdifferentwaysofviewingthetrafficthatyouhave
generated.Whatisthetotalrisklevelforalltrafficthathaspassedthroughthefirewallthusfar?
NoticethattheURLFiltering,ThreatPrevention,andDataFilteringsectionswithintheACCcontain
nomatchingrecords.
Lab Manual
PANOS 6.0 Rev A.200
Page 35
PANEDU101
Module 5 ContentID
Note:ThepresenceoffirewallsbetweenyourPA200andtheinternetwillcausethelabresultstovary.
Configure Dynamic Updates

1.
2.
3.
4.
ClickDevice>DynamicUpdates.
ClickCheckNowatthebottomofthepagetoretrievethelatestupdatesfromPaloAltoNetworks.
VerifythatyourfirewallisrunningthemostrecentAntivirusdefinitionfile.
Ifthedefinitionfileisoutofdate,installthelatestversion.
a. ClickDownloadonthelinefortheupdatefileyouplantoinstall.ClickClosewhenthefile
downloadcompletes.
b. TheDownloadlinkwillhavebeenreplacedwiththeInstalllink.ClickInstalltoactivatethe
definitionfile.Theinstallationwillautomaticallytriggeracommit.Waitforbothoperations
tocompletebeforecontinuing.ClickClosetoexittheinstallationwindow.
Configure a Custom URL Filtering Category

1. GototheWebUIandclickObjects>CustomURLCategory.
2. ClickAddtocreateacustomURLcategory:
Name
Sites
Enter TechSites
ClickAddandaddeachofthefollowingURLs:
www.slashdot.org
www.cnet.com
www.zdnet.com
ClickOKtoclosetheURLFilteringprofilewindow.
Lab Manual
PANOS 6.0 Rev A.200
Page 36
PANEDU101
Configure a URL filtering Profile

3. ClickObjects>SecurityProfiles>URLFiltering.
4. ClickAddtodefineaURLFilteringprofile:
Name
Category/Action
Enterstudent-url-filtering
ClicktherightsideoftheActionheadertoaccessthepulldownmenu.
ClickSetAllActions>Alert.
SearchtheCategoryfieldforhackingandgovernment. SettheActionto
Continueforbothcategories.
SearchtheCategoryfieldforthefollowingcategoriesandsettheAction
toblockforeachofthem:
adultandpornography
questionable
unknown
Verifythatyour custom category appears in the Categorycolumn.

ClickOKtoclosetheURLFilteringprofilewindow.
Configure an Antivirus Profile

5. ClickObjects>SecurityProfiles>Antivirus.
6. ClickAddtocreateanantivirusprofile:
Name
Enter student-antivirus
Antivirustab
Check the Packet Capture box
PacketCapture
Decoders
Set the Actioncolumn to Alert for alldecoders
ClickOKtoclosetheantivirusprofilewindow.
Lab Manual
PANOS 6.0 Rev A.200
Page 37
PANEDU101
Configure an AntiSpyware Profile

7. ClickObjects>SecurityProfiles>AntiSpyware.
8. ClickAddtocreateanantispywareprofile:
Name
Rulestab
Enter student-antispyware
ClickAddandcreatearulewiththeparameters:
RuleName:Enterrule-1
Action:SelectAllow
Severity:ChecktheboxesforLowandInformational
only
ClickOKtosavetherule
ClickAddandcreateanotherrulewiththeparameters:
RuleName:Enterrule-2
Action:SelectAlert
Severity:ChecktheboxesforCriticalandHighonly
ClickOKtosavetherule
ClickOKtoclosetheantispywareprofilewindow.
Create a File Blocking Profile with Wildfire

9. ClickObjects>SecurityProfiles>FileBlocking.
10. ClickAddtocreateafileblockingprofile:
Name
Rules list
Enter student-file-block
ClickAddandcreatearulewiththeparameters:
RuleName:Entertype-1
Action: Select Forward
ClickOKtoclosethefileblockingprofilewindow.
Assign Profiles to a Policy

12. ClickGeneralInternetinthelistofpolicynames.Editthepolicytoincludethenewlycreated
profiles:
Actionstab
ProfileType
Antivirus
AntiSpyware
URLFiltering
FileBlocking
ClickOKtoclosethepolicywindow.
Lab Manual
Select Profiles
Select studentantivirus
Select studentantispyware
Select studenturlfiltering
Select studentfileblock
PANOS 6.0 Rev A.200
Page 38
PANEDU101
13. RepeatthepreviousstepandaddtheprofilestotheLogAllpolicy.
Test the Antivirus Profile

15. Onyourlocalsystem,openabrowsertohttp://www.eicar.organdclickAntiMalwareTestfile.
16. ClicktheDownloadlinktoaccessthevirustestfiles.
17. DownloadanyoftheEicartestfilesusinghttp.DonotusetheSSLencrypteddownloads.The
firewallwillnotbeabletodetectthevirusesinanHTTPSconnectionuntildecryptionisconfigured.
18. ClickMonitor>Logs>Threattoviewthethreatlog.FindthelogmessageswhichdetecttheEicar
files.ScrolltotheActioncolumntoverifythealertsforeachfiledownload.
19. ClickonthegreendownarrowatontheleftsideofthelinefortheEicarfiledetectiontoviewthe
packetcapture(PCAP).HereisanexampleofwhataPCAPmightlooklike:
CapturedpacketscanbeexportedinPCAPformatandexaminedwithaprotocolanalyzeroffline
forfurtherinvestigation.
20. Modifytheantivirusprofiletoblockvirusesusingftp,http,andsmb.ClickObjects>Security
Profiles>Antivirus.ChangetheActioncolumnfortheftp,http,andsmbdecoderstoBlock.
22. Openanewbrowserwindowtowww.eicar.organdattempttodownloadavirusfileagain.Since
theantivirusprofileissettoblock,aresponsepageshouldappear:
Lab Manual
PANOS 6.0 Rev A.200
Page 39
PANEDU101
23. ReturntotheWebUIandverifythatlogentriesstatingthattheEicarviruswasdetectedappearin
thethreatlog.
24. After15minutes,thethreatsyoujustgeneratedwillappearontheACCtabundertheThreats
section.
Test the URL Filtering Profile

25. Openabrowserandbrowsetovariouswebsites.TheURLfilteringprofilerecordseachwebsitethat
youvisit.
26. IntheWebUI,clickMonitor>Logs>URLFiltering.Verifythatthelogentriestrackthesitesthat
youvisitedduringyourtests.
27. Testthecontinueconditionyoucreatedbyvisitingasitewhichispartofthehackingcategory.Ina
newbrowserwindow,attempttobrowsetohttp://neworder.box.skandhttp://www.2600.org.The
profilewillblockthisactionandyouwillseearesponsepagesimilartothefollowing:
Test the File Blocking Profile with Wildfire

28. Openanewbrowserwindowtohttp://www.opera.com.DownloadtheOperabrowserinstallerto
yourlocalsystem.
29. ClickMonitor>Logs>DataFilteringtodeterminehowthefilewashandledbytheprofile.
Lab Manual
PANOS 5.0 Rev A.200
Page 40
PANEDU101
Configure a Security Profile Group

30. ReturntotheWebUIandclickObjects>SecurityProfileGroups.
31. ClickAddtodefineasecurityprofilegroup:
Name
Enter student-profile-group
AntivirusProfile
Select studentantivirus
AntiSpywareProfile
Select studentantispyware
URLFilteringProfile
Select studenturlfiltering
FileBlockingProfile
Select studentfileblock
ClickOKtoclosethesecurityprofilegroupwindow.
Assign the Security Profile Group to a Policy

33. ClickGeneralInternetinthelistofpolicynames.Editthepolicytoreplacetheprofileswiththe
profilegroup:
Actionstab
ProfileType
Select Group
GroupProfile
Select studentprofilegroup
ClickOKtoclosethepolicywindow.
34. RepeatthepreviousstepandaddtheprofilegrouptotheLogAllpolicy.
Lab Manual
PANOS 5.0 Rev A.200
Page 41
PANEDU101
Create a Custom Report

36. ClickMonitor>ManageCustomReports.
37. ClickAddtodefineanewcustomthreatreport:
Name
Database
TimeFrame
Sortby
Groupby
SelectedColumns
Enter Top Threats by Day

Select Threat Summary
Select Last 24 Hrs
SelectCount and Top 10
SelectNone and 10 Groups
PopulatetheSelectedColumnsfieldwiththefollowingvalues,
inthisorder:
Threat/ContentName
Application
AppTechnology
AppSubCategory
Count
Buildaqueryusingthefollowingparameters:
QueryBuilder
Connector:Selectand
Attribute:SelectRule
Operator:Select=
Value:EnterGeneral Internet
ClickAdd
Connector:Selector
Attribute:SelectRule
Operator:Select=
Value:EnterLog-All
Click Add
ClickOKtosavethecustomreportdefinition.
38. Clickthenameofyourcustomreporttoreopenthecustomreportwindow.ClickRunNowto
generatethereport.
39. Thereportwillappearinanewtabinthewindow.ClickExporttoPDFtosaveittoyourRDP
desktop.
Lab Manual
PANOS 5.0 Rev A.200
Page 42
PANEDU101
Module 6 Decryption
Verify firewall behavior without decryption

1. Fromyourlaptop,browsetothewww.eicar.comandattempttodownloadtheoneofthetestfiles
usinghttp.
2. Repeatthepreviousstepbutattempttodownloadoneofthefilesusinghttps.
3. GototheGUIandclickMonitor>Logs>Threattoviewthelog.Onlythenonencrypteddownload
shouldappearinthelog.SSLdecryptionhidthecontentsofthefirewallandsothetestfilewasnot
detectedasathreat.
Create an SSL selfsigned Certificate

4. ClickDevice>CertificateManagement>Certificates.
5. ClickGenerateatthebottomofthescreentocreateanewselfsignedcertificate:
CertificateName
Enter student-ssl-cert
CommonName
Enter 192.168.2.1
CertificateAuthority
Check the box
ClickGeneratetocreatethecertificate.ClickOKtodismissthecertificategenerationsuccess
window.
6. Clickstudentsslcertinthelistofcertificatestoeditthecertificateproperties.Checktheboxesfor
ForwardTrustCertificateandForwardUntrustCertificate.ClickOKtoconfirmthechanges.
Create SSL Decryption Policies

7. ClickPolicies>Decryption.
8. ClickAddtocreateanSSLdecryptionrulefortheexceptioncategories:
Generaltab
Name
Enter no-decrypt-traffic
Sourcetab
Click Add then select TrustL3
SourceZone
Destinationtab
DestinationZone
Click Add then select UntrustL3
URLCategorytab
URLCategory
ClickAddandaddeachofthefollowingURLcategories:
healthandmedicine
shopping
financialservices
Optionstab
Action
Select nodecrypt
Type
SelectSSL Forward Proxy
Lab Manual
PANOS 5.0 Rev A.200
Page 43
PANEDU101
9. ClickAddtocreatetheSSLdecryptionruleforgeneraldecryption:
Generaltab
Name
Enter decrypt-all-traffic
Sourcetab
Click Add then select TrustL3
SourceZone
Destinationtab
DestinationZone
Click Add then select UntrustL3
URLCategorytab
URLCategory
Verify that the Any box is checked
Optionstab
Action
Select decrypt
Type
SelectSSL Forward Proxy
10. Confirmthatyourdecryptionpolicylist lookslikethis:
Test the SSL Decryption Policies
12. Openabrowsertothewww.eicar.orgdownloadspage.DownloadatestfileusingSSL.Ignorethe
certificateerror.ThisisexpectedbehaviorbecausethefirewallisinterceptingtheSSLconnection
andperformingmaninthemiddledecryption.Closethebrowserwindow.
13. IntheWebUI,examinethethreatlogs. Thevirusshouldhavebeendetected,sincetheSSL
connectionwasdecrypted.Clickthemagnifyingglassiconatthebeginningofthelinetoshowthe
LogDetailswindow.VerifythattheDecryptedboxhasacheckmark.
14. Openabrowsertohttp://www.brightcloud.com/andentervariousURLsthatyoubelievefallinto
thecategoriesexcludedbythenodecryptrule.MakealistofURLsthatfallintothesecategories
totestagainst.Forexample:
financialservices:www.bankofamerica.com
healthandmedicine:www.deltadental.com
shopping:www.macys.com
15. IntheWebUI,clickMonitor>Logs>Traffic.Setthetrafficlogtodisplayonlyport443trafficona
10secondrefresh.Enter( port.dst eq 443 ) inthefilterfield.Select10Secondsfromthe
Lab Manual
PANOS 5.0 Rev A.200
Page 44
PANEDU101
pulldownmenusothatthedisplaywillrefreshautomatically.Leavethiswindowopensoyoucan
monitorthetraffic.
16. Inaseparatebrowserwindow,useSSL(https://)tonavigatetothewebsitesyoufoundinthe
excludedURLcategories.Navigatetootherwebsitesaswell(e.g.,www.facebook.com,
www.google.com)forcomparisonpurposes.
17. Returntothetrafficlog.Findanentryforoneoftheexcludedcategoriesbylookingatthevaluein
theURLCategorycolumn.Clickthemagnifyingglassiconatthebeginningofthelinetoshowthe
LogDetailswindow.VerifythattheDecryptedboxintheMiscpanelisunchecked.
18. RepeatthepreviousstepforaURLinanonexcludedcategory.VerifythattheDecryptedboxhasa
checkmark.
Lab Manual
PANOS 5.0 Rev A.200
Page 45
Lab Manual
PANEDU101
PANOS 5.0 Rev A.200
Page 46
PANEDU101
CLI Reference
Thissectionprovidesasubsetofthecommandsneededtocompletethetasksintheassociatedlab
modules.ThecommandsareintendedtoprovidecommandsetsforyoutoresearchfurtherinthePANOS
CommandLineInterfaceReferenceGuide.
Module 1 Administration and Management

# load config from PAN-EDU-201-Default-1.xml
> request license info
> request system software info
> request anti-virus upgrade info
# set shared admin-role "Policy Admins" role device webui acc enable
# set mgt-config users ip-admin permissions role-based custom profile

"Policy Admins"
> request config-lock add
> request commit-lock add
> request config-lock remove
> request commit-lock remove
Module 2 Interface Configuration

# set zone tap-zone network tap
# set network interface ethernet ethernet1/3 virtual-wire
# set zone vwire-zone-3 network virtual-wire ethernet1/3
# set network virtual-wire student-vwire interface1 ethernet1/3
Lab Manual
PANOS 5.0 Rev A.200
Page 47
PANEDU101

# set network profiles interface-management-profile allow_all telnet yes
# set network dhcp interface ethernet1/2 server ip-pool 192.168.15.50192.168.15.60
# set network virtual-router Student-VR interface ethernet1/2
# set rulebase nat rules "student source nat" to Untrust-L3
Module 4 AppID
# set rulebase security rules "General Internet" action allow
# set application-filter Proxies subcategory proxy
# set application-group Known-Good web-browsing
Module 5 ContentID
# set profiles url-filtering Student-url-filtering alert bot-nets
# set profiles custom-url-category TrustedCompanies list

www.paloaltonetworks.com
# set profiles virus Student-antivirus decoder ftp action alert
# set profiles spyware Student-antispyware rules simple-low severity low
# set profile-group "Student Profile" virus Student-antivirus
# set rulebase security rules "General Internet" profile-setting

group "Student Profile"
Module 6 Decryption
> request certificate generate ca yes name 192.168.15.1 certificatename student15-cert
# set rulebase decryption rules No-Decrypt source any
Lab Manual
PANOS 5.0 Rev A.200
Page 48

PAN-EDU-101 - Lab Manual PAN-OS 6.0 - Rev A PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PAN-EDU-101 - Lab Manual PAN-OS 6.0 - Rev A PDF

Uploaded by

Copyright:

Available Formats

Firewall Installation, Configuration, and

Palo Alto Networks, Inc.

PANOS 6.0 Rev A.200

Names of commands, keywords, and

Click Security to open the Security

Name of parameters, files, directories, or

The address of the Palo Alto Networks

Coding examples and text that you enter

Enter the following command:

Click the left mouse button

Click Administrators under the

Click the right mouse button

Right-click on the number of a rule

PANOS 6.0 Rev A.200

PANOS 6.0 Rev A.200

PANOS 6.0 Rev A.200

How to use this Lab Guide

Lab Guide Objectives

PANOS 6.0 Rev A.200

Lab Equipment Setup

Student Firewall Interface Settings

PANOS 6.0 Rev A.200

Module 1 Administration and Management

Module 2 Interface Configuration (optional)

Interface to use for tap interface

PANOS 6.0 Rev A.200

Module 3 Layer 3 Configuration

PANOS 6.0 Rev A.200

Interface Management Profile Names

PANOS 6.0 Rev A.200

DNS Server for the MGT functions

PANOS 6.0 Rev A.200

PANOS 6.0 Rev A.200

Phase 1 Allowed Applications

Phase 1 Security Policy names

Phase 3 Security Policy names

Members of the Known-Good application group

Members of the Known-Bad application group

PANOS 6.0 Rev A.200

PANOS 6.0 Rev A.200

Custom Technology sites to track

Location of files for testing antivirus

Hacking sites for testing URL Filtering

PANOS 6.0 Rev A.200

PANOS 6.0 Rev A.200

Self-signed Certificate name

PANOS 6.0 Rev A.200

Prepare your laptop for the lab

Log on to the Firewall

Save the current configuration on your firewall (optional)

Upload and apply baseline configuration to your firewall

PANOS 6.0 Rev A.200

Add an Administrator Role

Enter Policy Admins

Manage administrator accounts

PANOS 6.0 Rev A.200

Module 2 Interface Configuration

Create new Security Zones

Configure a Tap interface

Creating a Virtual Wire Setup

PANOS 6.0 Rev A.200

PANOS 6.0 Rev A.200