Management:
Essentials I
Lab Manual
PAN-OS 6.0
PAN-EDU-101 Rev A.200
PANEDU101
Page 2
Typographical Conventions

This guide uses the following typographical conventions for special terms and instructions.

Convention      Meaning    Example
Boldface                   Click
Italics                    Right-click
courier font
Table of Contents

How to use this Lab Guide .... 6
Lab Guide Objectives .... 6
Lab Equipment Setup .... 7
Lab Assumptions .... 7
Student Firewall Interface Settings .... 7
Module 1 Administration and Management .... 8
    Scenario .... 8
    Required Information .... 8
Module 2 Interface Configuration (optional) .... 9
    Scenario .... 9
    Required Information .... 9
Module 3 Layer 3 Configuration .... 10
    Scenario .... 10
    Required Information .... 11
Module 4 AppID .... 12
    Scenario 1 .... 12
    Required Information .... 12
    Scenario 2 .... 13
    Required Information .... 14
    Lab Notes .... 14
Module 5 ContentID .... 15
    Scenario .... 15
    Required Information .... 16
    Lab Notes .... 16
Module 6 Decryption .... 17
    Scenario .... 17
    Required Information .... 18
    Lab Notes .... 18
Solutions .... 19
    Module 1 Introduction (Lab Access) .... 19
    Module 2 Interface Configuration .... 21
    Module 3 Layer 3 Configuration .... 23
    Module 4 AppID .... 26
    Module 5 ContentID .... 36
    Module 6 Decryption .... 43
CLI Reference .... 47
    Module 1 Administration and Management .... 47
    Module 2 Interface Configuration .... 47
    Module 3 Layer 3 Configuration .... 48
    Module 4 AppID .... 48
    Module 5 ContentID .... 48
    Module 6 Decryption .... 48
How to use this Lab Guide

NOTE: Unless specified, the Google Chrome web browser and the PuTTY SSH client will be used to perform any tasks outlined in the following labs.

Lab Guide Objectives

1. Configure the basic components of the firewall, including interfaces, security zones, and security policies.
2. Configure basic Layer 3 settings, such as IP addressing and NAT policies.
3. Configure basic Content-ID functionality, including antivirus protection and URL filtering.
4. Configure SSL decryption.

With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help enabled this training to be built, tested, and deployed.
Lab Equipment Setup

[Lab equipment diagram: firewall connected to a DHCP-enabled network and to the Internet]
Lab Assumptions

These lab instructions assume the following conditions:

1. The student is using a PA-200 firewall which has been registered with Palo Alto Networks Support.
2. The PA-200 firewall is using the default IP address on the MGT interface (192.168.1.1) and the default password (admin) for the admin account.
3. The firewall is licensed for Support, Threat Prevention, and URL Filtering.
4. All network connectivity for the student laptop used for the lab has been disabled except for the Ethernet adapter which will be connected to the firewall.
5. The firewall should have no policies defined on it.
6. The network that the student will connect to has a DHCP server from which the firewall can obtain an IP address and DNS information.
7. There are no other Palo Alto Networks firewalls between the student's PA-200 and the internet. The labs will still work if upstream firewalls exist, but the results will vary based on the firewall settings.
Student Firewall Interface Settings

Student Firewall: PA-200

Interface     Type         IP Address        Zone
MGT           Management   192.168.1.1       N/A
Ethernet1/1   Vwire                          trust
Ethernet1/2   Vwire                          untrust
Ethernet1/3   Layer3       DHCP Client       Untrust-L3
Ethernet1/4   Layer3       192.168.2.1/24    Trust-L3
Module 1 Administration and Management

In this lab you will:
- Connect to the firewall through the MGT interface
- Create new administrator roles and accounts on the firewall

Scenario

You have been tasked with integrating a new firewall into your environment. The firewall is configured with the factory default IP address and administrator account. You will need to change the IP address of your laptop to communicate with the default IP address of the MGT port.

If your firewall has settings you would like to restore after the completion of this lab, save the current configuration so that it can be reloaded on the firewall. Apply a saved configuration to the firewall so that it is in a known state.

In preparation for the new deployment, create a role for an assistant administrator which allows access to all firewall functionality through the WebUI except Monitor, Network, Privacy, and Device. The account should have no access to the XML API or the CLI. Create an account using this role. Additionally, change the password of the admin account to disable the warnings about using default credentials.

Required Information

Named Configuration Snapshot:          PANEDU101Default
New Administrator Role name:           Policy Admins
New Administrator Account name:        ip-admin
New Administrator Account password:    paloalto
New password for the admin account:    paloalto
Module 2 Interface Configuration (optional)

In this lab you will:
- Create Security Zones
- Configure basic interface types

Scenario:

You are preparing the firewall for a simple proof of concept (POC). In order to demonstrate firewall features with a minimum of changes to the existing network, you have decided to use virtual wire to pass traffic through the firewall for one network segment and a tap interface to monitor a different network segment.

Configure the virtual wire and create zones so that policy rules can be defined. Create a tap interface and the associated zone.

Note: Due to the limited number of interfaces available on a PA-200, the configurations set in this lab will be immediately removed so that the interfaces may be reused for later labs.

Required Information

Tap interface:               Ethernet1/3
Virtual wire interfaces:     Ethernet1/3, Ethernet1/4
Tap zone:                    tap-zone
Virtual wire zones:          vwire-zone-3, vwire-zone-4
Virtual wire name:           student-vwire
Module 3 Layer 3 Configuration

In this lab you will:
- Create Interface Management Profiles
- Configure Ethernet interfaces with Layer 3 information
- Configure DHCP
- Create a Virtual Router
- Create a Source NAT policy

Scenario:

The POC went well and the decision was made to use the Palo Alto Networks firewall in the network. You are to create two zones, Untrust-L3 and Trust-L3. The external-facing interface in Untrust-L3 will get an IP address from a DHCP server on the external network. Trust-L3 will be where the internal clients connect to the firewall, and so the interface in Trust-L3 will provide DHCP addresses to these internal clients. The DHCP server you configure in the Trust-L3 zone will inherit DNS settings from the external-facing interface. Both the internal and external interfaces on the firewall must route traffic through the external-facing interface by default. The interface in Untrust-L3 must be configured to respond to pings and the interface in Trust-L3 must be able to provide all management services. NOTE: You will not be able to test whether the Untrust-L3 interface responds to pings until the next lab.

Once you have completed the Layer 3 configurations, you will need to move the physical Ethernet cable from the MGT port to the ethernet1/4 port of the PA-200. You must also change the settings of the LAN interface on your laptop to use DHCP-supplied network information (IP address and DNS servers) instead of static settings.

When the firewall is fully configured, a NAT policy must exist so that all traffic originating in the Trust-L3 zone appears to come from the external-facing address of the firewall.

Required Information

Interface management profiles:     allow_all, allow_ping
Trust-L3 interface IP address:     192.168.2.1/24
Untrust-L3 interface:              Ethernet1/3
Trust-L3 interface:                Ethernet1/4
DHCP server gateway:               192.168.2.1
DHCP inheritance source:           Ethernet1/3
DHCP primary DNS:                  inherited
DHCP IP pool:                      192.168.2.50-192.168.2.60
Virtual router name:               Student-VR
Module 4 AppID

In this lab you will:
- Enable the firewall to communicate with the Palo Alto Networks update server
- Update the threat definitions and OS of the firewall
- Create a security policy to allow basic internet connectivity and log dropped traffic
- Enable Application Block pages
- Create Application Filters and Application Groups

Scenario 1:

In order to update the software on the firewall, you must enable the DNS, paloalto-updates, and SSL applications to pass between the zones. The applications should only be permitted on application-default ports. Configure the firewall to communicate with DNS and Palo Alto Networks update servers through the Trust-L3 interface.

Once these configurations are complete, license your firewall. Update the Threats and Applications data file to the most recent version.

Required Information

Primary DNS server:                4.2.2.2
Service route source address:      192.168.2.1/24
Security policy name:              General Internet
Scenario 2:

At this point, the firewall is configured but not passing traffic. Security policies must be defined before traffic will flow between zones. To facilitate testing and present the minimal amount of risk to the network traffic, the policies will be established in a three-phase deployment:

Phase 1: Modify the General Internet policy to allow users in the Trust-L3 zone to use a set of commonly used applications to access the internet. The applications should only be permitted on application-default ports. All other traffic (inbound and outbound) should be blocked and logged so that you can identify what other applications are being used. This will help generate lists of good and bad applications to be managed in the later phases.

Phase 2: Configure the firewall to notify users when blocked applications are used so that the help desk does not get called for connection issues that are actually blocked applications.

Phase 3: The results from the first two phases of testing result in the following discoveries:
- The logs from phase 1 show heavy use of a variety of internet proxies and client-server gaming applications by users in the Trust-L3 zone. Management mandates that you explicitly prevent use of these applications.
- For ease of configuration, your team decides to create groups for the allowed and denied applications to reduce the number of policies required on the firewall.
- The rules blocking all unmatched traffic were too restrictive for your environment. The testing denied access to numerous vital applications, causing a surge in support calls. Any traffic which does not match the allowed or denied lists should be allowed but logged for future policy decisions.

Modify General Internet and create new policies (Block-Known-Bad and Log-All) to meet these new requirements. Remove the other policies created in Phase 1.
Required Information

Phase 1
    Allowed applications (General Internet):  dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
    Security policies:                        General Internet, Deny Inbound, Deny Outbound

Phase 3
    Application filters:
        Proxies                  Subcategory: Proxies
        Web-Based-File-Sharing   Subcategory: file-sharing; Technology: browser-based
    Security policies:           General Internet, Deny Inbound, Block-Known-Bad, Log-All
    Application groups:
        Known-Good               dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
        Known-Bad                Proxies, Web-Based-File-Sharing
Lab Notes

- During Phase 1, test your connectivity by connecting to http://www.box.net (login: student@pan-edu.com, password: paloalto1). Use the traffic logs to determine how the firewall handles that connection.
- During Phase 2, check to see what happens when you browse to www.facebook.com before and after you make your changes.
- The lab solutions use the buttons at the bottom of the policy screens to change the order of the rules. Rules can also be reordered by clicking and dragging the rules to the desired location.
Module 5 ContentID

In this lab you will:
- Configure Security Profiles
- Create a Security Profile group
- Associate Security Profiles and Security Profile Groups to Security Policy
- Generate a custom report

Scenario

Now that traffic is passing through the firewall, you decide to further protect the environment with Security Profiles. The specific security requirements for general internet traffic are:

- Log all URLs accessed by users in the Trust-L3 zone. In particular, you need to track access to a set of specified technology web sites.
- Access to all hacking and government sites should be set to Continue.
- Block the following URL categories:
    o Adult and pornography
    o questionable
    o Unknown
- Log, but do not block, all viruses detected and maintain packet captures of these events for analysis.
- Log spyware of severity levels critical and high detected in the traffic. Ignore all other spyware.
- Configure files to be automatically forwarded to WildFire with no user interaction.
After all of these profiles are configured, send test traffic to verify that the protection behaves as expected. Testing parameters will be included in the Required Information section of this lab.

After the initial testing is complete, you are asked to change the Antivirus protection to block viruses. Make the changes and verify the difference in behavior.

Once the individual profiles are created and tested, combine the profiles into a single group for ease of management. Attach the group to the appropriate security policies.

Your manager wants to see daily reports which detail the threats encountered by the firewall. Configure a custom report to show a threat summary for all traffic allowed in the past 24 hours. It should include the threat name, the application (including technology and subcategory for reference), and the number of times that threat was encountered. Export the file as a PDF.
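The report the manager asks for is a grouping of the threat log by threat name and application, restricted to allowed sessions in a 24-hour window. The following Python is an added example that is not part of the lab manual and does not use any PAN-OS API: the log records are constructed to mimic the columns of a firewall threat log, and the script builds the same summary the custom report would, so you can check what the WebUI report should contain.

```python
"""Threat summary report as specified in Module 5: threat name, application
(with technology and subcategory) and hit count, for allowed traffic in the
last 24 hours. Added example with constructed records, not a PAN-OS export."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed threat log rows (receive time, threat name, application,
# technology, subcategory, action). Not captured from a real firewall.
THREAT_LOG = [
    ("2014-03-10 09:15:02", "Eicar Test File", "web-browsing", "browser-based", "internet-utility", "alert"),
    ("2014-03-10 09:15:40", "Eicar Test File", "web-browsing", "browser-based", "internet-utility", "alert"),
    ("2014-03-10 10:02:11", "Eicar Test File", "ftp", "client-server", "file-sharing", "alert"),
    ("2014-03-10 11:30:00", "Suspicious DNS Query", "dns", "network-protocol", "infrastructure", "alert"),
    ("2014-03-09 08:00:00", "Eicar Test File", "web-browsing", "browser-based", "internet-utility", "alert"),  # older than 24 h
    ("2014-03-10 12:00:00", "Eicar Test File", "web-browsing", "browser-based", "internet-utility", "drop"),   # blocked, not allowed
]

# Actions under which a threat was logged but the session was allowed to continue.
ALLOWED_ACTIONS = {"alert", "allow"}

Row = Tuple[str, str, str, str, int]


def threat_summary(log, now: datetime, window: timedelta = timedelta(hours=24)) -> List[Row]:
    """Count threats seen in allowed traffic within `window` of `now`,
    grouped by (threat, application, technology, subcategory)."""
    cutoff = now - window
    counts: Counter = Counter()
    for ts, threat, app, technology, subcategory, action in log:
        if datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") < cutoff:
            continue
        if action not in ALLOWED_ACTIONS:
            continue
        counts[(threat, app, technology, subcategory)] += 1
    rows = [(t, a, tech, sub, n) for (t, a, tech, sub), n in counts.items()]
    # Most frequent first; ties broken alphabetically so the output is stable.
    return sorted(rows, key=lambda r: (-r[4], r[0], r[1]))


def render_csv(rows: List[Row]) -> str:
    """The lab exports the report as PDF from the WebUI; CSV stands in here."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["threat", "application", "technology", "subcategory", "count"])
    writer.writerows(rows)
    return buf.getvalue()


def demo_rows() -> List[Row]:
    """Run the report against the constructed log at a fixed 'now'."""
    return threat_summary(THREAT_LOG, datetime(2014, 3, 10, 13, 0, 0))


if __name__ == "__main__":
    print(render_csv(demo_rows()))
```

Two records are deliberately excluded: the one older than 24 hours and the one with a drop action, because the report is scoped to allowed traffic. Changing ALLOWED_ACTIONS is how you would widen the report after the antivirus profile is switched to block later in the module.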
Required Information

Technology web sites to track:     www.slashdot.org, www.cnet.com, www.phys.org, www.zdnet.com

Antivirus test:
    1. Browse to http://www.eicar.org
    2. Click Anti-Malware Testfile.
    3. Click Download.
    4. Download any of the files using http only. Do not use the SSL links.

Hacking category test sites:       www.2600.org, www.neworder.box.sk

WildFire forwarding test:
    1. Navigate to the web site http://www.opera.com
    2. Download the installer to your local system
Lab Notes

- You do not need to assign profiles to all of the security policies you have created in the lab. The Known-Bad policy has an action of deny, so profiles will do nothing for that rule.
- Only test the antivirus profile using http, not https. HTTPS connections will prevent the firewall from seeing the packet contents, so the viruses contained will not be detected by the profile. Decryption will be covered in a later module.
Module 6 Decryption

In this lab you will:
- Create a self-signed SSL certificate
- Configure the firewall as a forward proxy using decryption rules

Scenario

Your security team is concerned about the results of the testing performed as part of the security profile configurations. The team observed that the antivirus profile only identified viruses which were not SSL encrypted. The concern is that files transferred from encrypted sources (e.g., https://www.facebook.com) could escape detection and cause issues. For testing purposes, you will need to change the antivirus profile to alert instead of blocking the file. Verify that https downloads of virus files from www.eicar.org are detected by the antivirus profile.

You want to evaluate using a forward proxy configuration on the Palo Alto Networks firewall. Only traffic from Trust-L3 to Untrust-L3 needs to be decrypted. Since this is not production, you decide to use self-signed SSL certificates generated on the firewall for this implementation. The legal department has advised you that certain traffic should not be decrypted for liability reasons. Specifically, you may not decrypt traffic from health-related, shopping, or financial web sites.

Test the decryption two ways:
- Attempt to download test files from www.eicar.org using https and verify that they are detected by the firewall
- Connect to various web sites using https and use the logs to verify that the correct URL categories are being decrypted
After your initial testing of the forward proxy, the penetration testing team calls you to request an exception to the decryption rules. The team asks that www.eicar.org be excluded from decryption so that they will still be able to download the files they need to perform their evaluations. Change the implementation to allow this exception.

Required Information

Self-signed certificate name:      student-ssl-cert
Firewall Trust-L3 address:         192.168.2.1
Decryption policy names:           no-decrypt-traffic, decrypt-all-traffic
Lab Notes

- You will get certificate errors when browsing after decryption is enabled. This is expected because the self-signed certificates have not been added to the trusted certificates of the client browser. In a production environment you would resolve this by adding the firewall certificate to the clients as trusted or by using a commercial certificate from a known CA such as VeriSign.
- Order matters with policies. Make sure that the decrypt and no-decrypt policies are evaluated in the correct order.
- To find URLs to test the no-decrypt rule, go to http://www.brightcloud.com/ and enter various URLs that you believe fall into the categories you are testing.
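Both rulebases built in this manual depend on top-down, first-match evaluation: in Module 4 the Block-Known-Bad rule has to sit above the catch-all Log-All rule, and here the no-decrypt-traffic rule has to sit above decrypt-all-traffic, or the more specific rule is shadowed and never fires. The following Python is an added example, not part of the lab manual and not PAN-OS code: it models first-match evaluation over rules named as in the lab and runs constructed sessions through a correctly ordered and a misordered version of each rulebase. The URL category labels and the session attributes used to stand in for the application filters are assumptions made for the illustration.

```python
"""First-match evaluation of the Module 4 security rulebase and the Module 6
decryption rulebase. Added illustration, not part of the lab manual or PAN-OS:
rule names and zones follow the lab, sessions are constructed, and matching is
a simplified model of top-down first-match evaluation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Session = Dict[str, str]


@dataclass
class Rule:
    name: str
    action: str                      # allow / deny / decrypt / no-decrypt
    src_zone: str = "any"
    dst_zone: str = "any"
    # Extra criteria (applications, URL categories); the default matches everything.
    extra: Callable[[Session], bool] = lambda s: True


def first_match(rules: List[Rule], session: Session) -> Tuple[Optional[str], str]:
    """Walk the rulebase top-down; the first rule whose zones and criteria match wins."""
    for rule in rules:
        if rule.src_zone not in ("any", session["src_zone"]):
            continue
        if rule.dst_zone not in ("any", session["dst_zone"]):
            continue
        if rule.extra(session):
            return rule.name, rule.action
    # No rule matched: interzone traffic is denied by default; for decryption,
    # an unmatched session is simply passed through undecrypted.
    return None, "default"


# --- Module 4, Phase 3 security rulebase -----------------------------------
KNOWN_GOOD = {"dns", "fileserve", "flash", "ftp", "paloalto-updates", "ping", "ssl", "web-browsing"}


def known_bad(s: Session) -> bool:
    # Approximates the Proxies and Web-Based-File-Sharing application filters
    # using constructed subcategory/technology attributes on the session.
    return s.get("subcategory") == "proxy" or (
        s.get("subcategory") == "file-sharing" and s.get("technology") == "browser-based")


general_internet = Rule("General Internet", "allow", "Trust-L3", "Untrust-L3", lambda s: s["app"] in KNOWN_GOOD)
block_known_bad = Rule("Block-Known-Bad", "deny", "Trust-L3", "Untrust-L3", known_bad)
log_all = Rule("Log-All", "allow", "Trust-L3", "Untrust-L3")
deny_inbound = Rule("Deny Inbound", "deny", "Untrust-L3", "Trust-L3")

SECURITY_CORRECT = [general_internet, block_known_bad, log_all, deny_inbound]
SECURITY_WRONG = [general_internet, log_all, block_known_bad, deny_inbound]  # Log-All shadows the block

# --- Module 6 decryption rulebase -------------------------------------------
# Assumed category labels for the health, shopping and financial exemptions.
NO_DECRYPT_CATEGORIES = {"health-and-medicine", "shopping", "financial-services"}


def legally_exempt(s: Session) -> bool:
    # The pen-test team's www.eicar.org exception is modelled as a host match.
    return s.get("url_category") in NO_DECRYPT_CATEGORIES or s.get("host") == "www.eicar.org"


no_decrypt = Rule("no-decrypt-traffic", "no-decrypt", "Trust-L3", "Untrust-L3", legally_exempt)
decrypt_all = Rule("decrypt-all-traffic", "decrypt", "Trust-L3", "Untrust-L3")

DECRYPTION_CORRECT = [no_decrypt, decrypt_all]
DECRYPTION_WRONG = [decrypt_all, no_decrypt]  # catch-all first: the exemption never fires

# Constructed sessions, not captured traffic.
SESSIONS: Dict[str, Session] = {
    "browsing": {"src_zone": "Trust-L3", "dst_zone": "Untrust-L3", "app": "web-browsing"},
    "proxy":    {"src_zone": "Trust-L3", "dst_zone": "Untrust-L3", "app": "some-proxy", "subcategory": "proxy"},
    "unknown":  {"src_zone": "Trust-L3", "dst_zone": "Untrust-L3", "app": "unlisted-app"},
    "inbound":  {"src_zone": "Untrust-L3", "dst_zone": "Trust-L3", "app": "ssh"},
    "bank":     {"src_zone": "Trust-L3", "dst_zone": "Untrust-L3", "app": "ssl", "url_category": "financial-services"},
    "social":   {"src_zone": "Trust-L3", "dst_zone": "Untrust-L3", "app": "ssl", "url_category": "social-networking"},
    "eicar":    {"src_zone": "Trust-L3", "dst_zone": "Untrust-L3", "app": "ssl", "host": "www.eicar.org"},
}


def evaluate(rules: List[Rule], names: List[str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Return {session name: (matching rule, action)} for the named constructed sessions."""
    return {n: first_match(rules, SESSIONS[n]) for n in names}


if __name__ == "__main__":
    for label, rules in (("security/correct", SECURITY_CORRECT), ("security/wrong", SECURITY_WRONG)):
        print(label, evaluate(rules, ["browsing", "proxy", "unknown", "inbound"]))
    for label, rules in (("decryption/correct", DECRYPTION_CORRECT), ("decryption/wrong", DECRYPTION_WRONG)):
        print(label, evaluate(rules, ["bank", "social", "eicar"]))
```

With the misordered security rulebase the proxy session is allowed by Log-All before Block-Known-Bad is ever consulted; with the misordered decryption rulebase the financial-services session is decrypted, which is exactly the liability the legal department asked you to avoid. Checking the matched rule name in the traffic and decryption logs, as the lab notes suggest, is the practical way to detect this kind of shadowing.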
Solutions

Module 1 Introduction (Lab Access)

    IP address:     192.168.1.100
    Subnet Mask:    255.255.255.0
3. Connect an Ethernet cable between the interface you just configured and the MGT port of your firewall.
4. Open a command prompt and verify you can ping the IP address 192.168.1.1.
7. Click Device > Setup > Operations.
8. Click Save named configuration snapshot. Enter pre-101-labs in the Name field. Click OK to complete the save. Click OK to dismiss the success window.
    Name:        Enter Policy Admins
    WebUI tab:   Disable Monitor, Network, Privacy, and Device
    Click OK to continue.
    Name:                        Enter ip-admin
    Password/Confirm Password:   Enter paloalto
    Role:                        Select Role Based
    Profile:                     Select Policy Admins
    Click OK.
19. Click the Commit link at the top right of the WebUI. Click OK and wait until the commit process completes, then click Close.
20. Use an SSH client (e.g., PuTTY) to attempt to log in to the CLI as ip-admin. Because the role assigned to this account was not assigned CLI access, the connection should reset.
21. Open a different browser and log on to the WebUI as ip-admin and explore the available functionality. For example, if you originally connected to the WebUI using Chrome, open this connection in Internet Explorer. Compare the displays for the admin and ip-admin accounts to see the limitations of the newly created account.
22. Log out of the ip-admin account connection when you are done exploring.
Module 2 Interface Configuration

    Name:   Enter tap-zone
    Type:   Select Tap
    Click OK to close the zone creation window.
3. Click Add and create the first virtual wire zone:
    Name:   Enter vwire-zone-3
    Type:   Select Virtual Wire
    Click OK to close the zone creation window.
4. Click Add and create the second virtual wire zone:
    Name:   Enter vwire-zone-4
    Type:   Select Virtual Wire
    Click OK to close the zone creation window.
    Interface Type:   Select Tap
    Config tab
        Security Zone:   Select tap-zone
    Click OK to close the interface configuration window.
10. Click the interface name ethernet1/3. Configure the interface:
    Interface Type:   Select Virtual Wire
    Config tab
        Virtual Wire:    Select student-vwire
        Security Zone:   Select vwire-zone-3
    Click OK to close the interface configuration window.
11. Click the interface name ethernet1/4. Configure the interface:
    Interface Type:   Select Virtual Wire
    Config tab
        Virtual Wire:    Select student-vwire
        Security Zone:   Select vwire-zone-4
    Click OK to close the interface configuration window.
    Normally, you would commit your changes at this point. However, for the self-paced labs you will be reusing these interfaces, so you must undo some of the changes you just implemented.
12. Click Network > Virtual Wires.
13. Select the student-vwire object and click Delete.
    (Note: you will set the interfaces to a different type in the next module.)
Module 3 Layer 3 Configuration

    Name:   Enter Untrust-L3
    Type:   Verify that Layer3 is selected
    Click OK to close the zone creation window.
3. Click Add and create the Trust-L3 zone:
    Name:   Enter Trust-L3
    Type:   Select Layer 3
    Click OK to close the zone creation window.
    Name:                     Enter allow_all
    Permitted Services:       Select all check boxes
    Permitted IP Addresses:   Do not add any addresses
    Click OK to close the interface management profile creation window.
6. Click Add and create another interface management profile:
    Name:                     Enter allow_ping
    Permitted Services:       Select only the Ping check box
    Permitted IP Addresses:   Do not add any addresses
    Click OK to close the interface management profile creation window.
7. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
    Interface Type:   Select Layer 3
    Config tab
        Virtual Router:   Keep default (none)
        Security Zone:    Select Untrust-L3
    IPv4 tab
        Type:   Select DHCP Client
    Advanced > Other Info tab
        Management Profile:   Select allow_ping
    Click OK to close the interface configuration window.
10. Click the interface name ethernet1/4. Configure the interface:
    Interface Type:   Select Layer 3
    Config tab
        Virtual Router:   Keep default (none)
        Security Zone:    Select Trust-L3
    IPv4 tab
        Type:   Keep default (Static)
        IP:     Click Add then enter 192.168.2.1/24
    Advanced > Other Info tab
        Management Profile:   Select allow_all
    Click OK to close the interface configuration window.

Configure DHCP

11. Click Network > DHCP > DHCP Server.
12. Click Add to define a new DHCP Server:
    Interface Name:       Select ethernet1/4
    Inheritance Source:   Select ethernet1/3
    Gateway:              Enter 192.168.2.1
    Primary DNS:          Select inherited
    IP Pools:             Click Add then enter 192.168.2.50-192.168.2.60
    Click OK to close the DHCP Server configuration window.
    General tab
        Name:         Enter Student-VR
        Interfaces:   Click Add then select ethernet1/3
15. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
    General tab
        Name:   Enter Student Source NAT
    Original Packet tab
        Source Zone:             Click Add and select Trust-L3
        Destination Zone:        Select Untrust-L3
        Destination Interface:   Select ethernet1/3
    Translated Packet > Source Address Translation tab
        Translation Type:   Select Dynamic IP and Port
        Address Type:       Select Interface Address
        Interface:          Select ethernet1/3
    Click OK to close the NAT policy configuration window.
24. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
    Note: At this point, you still will not have access to the internet. A security policy is required, which will be configured in the next lab.
Module 4 AppID

Scenario 1

Create the General Internet Policy

1. Go to the WebUI and click Policies > Security.
2. Click Add to define a security policy:
    General tab
        Name:   Enter General Internet
    Source tab
        Source Zone:      Click Add and select Trust-L3
        Source Address:   Select Any
    Destination tab
        Destination Zone:      Click Add and select Untrust-L3
        Destination Address:   Select Any
    Application tab
        Applications:   Click Add and select each of the following:
            dns
            paloalto-updates
            ssl
    Service/URL Category tab
        Service:   Select application-default from the pulldown
    Actions tab
        Action Setting:   Select Allow
        Log Setting:      Select Log at Session End
    Click OK to close the security policy configuration window.
    DNS:                  Verify that Servers is selected
    Primary DNS Server:   Enter 4.2.2.2
    Update Server:        Keep the default (updates.paloaltonetworks.com)
    Click OK to close the configuration window.
5. In the Services Features panel, click the Service Route Configuration link to configure how the firewall accesses network services. Click the radio button for Select. For the DNS, Palo Alto Updates, and URL Updates services, go to the Source Address column and select 192.168.2.1/24. Click OK to close the configuration window.
6. Click the Commit link at the top right of the WebUI. Click OK and wait until the commit process completes before continuing.
12. Verify that your firewall is running the most recent Applications and Threats.
13. If the definition file is out of date, install the latest version.
    a. Click Download on the line for the update file you plan to install. Click Close when the file download completes.
    b. The Download link will have been replaced with the Install link. Click Install to activate the definition file. The installation will automatically trigger a commit. Wait for both operations to complete before continuing. Click Close to exit the installation window.
16. If the firewall is not running version 6.0.0, update the firewall to that version.
    a. Click Download on the line for version 6.0.0. Click Close when the file download completes.
    b. If your firewall is currently running a version of PAN-OS older than 6.0.0 (e.g., 5.0.x), you must also download (but not install) version 5.1.0. Click Download on the line for version 5.1.0. Click Close when the file download completes.
    c. On the line for 6.0.0, the Download link will have been replaced with the Install link. Click Install to update PAN-OS on your firewall.
    d. Reboot the firewall when prompted. Wait until your browser reconnects with the firewall and log in again using your admin account.
Scenario 2 (Phase 1)

Modify the General Internet Policy

17. Go to the WebUI and click Policies > Security.
18. Click the General Internet policy you previously created and modify the allowed applications:
    Application tab
        Applications:   Click Add and select each of the following:
            fileserve
            flash
            ftp
            ping
            web-browsing
    Click OK to close the security policy configuration window.

Create Policies to Block and Log All Inbound and Outbound Traffic

19. Click Policies > Security.
20. Click Add to define the Deny Outbound security policy:
    General tab
        Name:   Enter Deny Outbound
    Source tab
        Source Zone:      Click Add and select Trust-L3
        Source Address:   Select Any
    Destination tab
        Destination Zone:      Click Add and select Untrust-L3
        Destination Address:   Select Any
    Application tab
        Applications:   Check the Any box
    Service/URL Category tab
        Service:   Select any from the pulldown
    Actions tab
        Action Setting:   Select Deny
        Log Setting:      Select Log at Session End
    Click OK to close the security policy configuration window.
21. Click Add to define the Deny Inbound security policy:
    General tab
        Name:   Enter Deny Inbound
    Source tab
        Source Zone:      Click Add and select Untrust-L3
        Source Address:   Select Any
    Destination tab
        Destination Zone:      Click Add and select Trust-L3
        Destination Address:   Select Any
    Application tab
        Applications:   Check the Any box
    Service/URL Category tab
        Service:   Select any from the pulldown
    Actions tab
        Action Setting:   Select Deny
        Log Setting:      Select Log at Session End
    Click OK to close the security policy configuration window.
22. Ensure your Security Policy looks like this:
    Note: The default rule 1 affects virtual wire connections and will not affect the lab exercises.
23. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Scenario 2 (Phase 2)

Create an Application Block Page

1. From the RDP desktop, open a browser and navigate to http://www.facebook.com. Leave the browser open to the error page.
2. Return to the WebUI and click Device > Response Pages.
3. Find the Application Block Page line and click Disabled.
4. Check the Enable Application Block Page box, and then click OK.
5. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
6. Open a different browser window and go to http://www.facebook.com. Compare the page displayed to the one generated in Step 1 of the Create an Application Block Page section of the lab.

Note: An Interface Management Profile DOES NOT need to be set for application block pages. From the admin guide (p. 176): The Response Pages check box controls whether the ports used to serve captive portal and URL filtering response pages are open on Layer 3 interfaces. Ports 6080 and 6081 are left open if this setting is enabled.
Scenario 2 (Phase 3)

Create Application Filters

1. Go to the WebUI and click Objects > Application Filters.
2. Click Add to define the Proxies application filter:
    Name:                Enter Proxies
    Subcategory column:  Select proxy
    Click OK to close the application filter configuration window.
3. Click Add to define the Web-Based-File-Sharing application filter:
    Name:                Enter Web-Based-File-Sharing
    Subcategory column:  Select file-sharing
    Technology column:   Select browser-based
    Click OK to close the application filter configuration window.
    Name:           Enter Known-Good
    Applications:   Click Add and select each of the following:
        dns
        fileserve
        flash
        ftp
        paloalto-updates
        ping
        ssl
        web-browsing
    Click OK to close the application group configuration window.
6. Click Add to define the Known-Bad application group:
    Name:           Enter Known-Bad
    Applications:   Click Add and select each of the following:
        Proxies
        Web-Based-File-Sharing
    Click OK to close the application group configuration window.
    General tab
        Name:   Change to Log-All
    Actions tab
        Action Setting:   Select Allow
    Click OK to close the security policy configuration window.
10. Click Add to define the Block-Known-Bad security policy:
    General tab
        Name:   Enter Block-Known-Bad
    Source tab
        Source Zone:      Click Add and select Trust-L3
        Source Address:   Select Any
    Destination tab
        Destination Zone:      Click Add and select Untrust-L3
        Destination Address:   Select Any
    Application tab
        Applications:   Click Add and select Known-Bad
    Service/URL Category tab
        Service:   Select any from the pulldown
    Actions tab
        Action Setting:   Select Deny
        Log Setting:      Select Log at Session End
    Click OK to close the security policy configuration window.
27. Use the move buttons at the bottom of the page to arrange the policies in a logical order. Confirm that your security rule list looks like this:
    You can also rearrange the rules by clicking and dragging them into the correct order.
28. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
    ... application section of the ACC to select different ways of viewing the traffic that you have generated. What is the total risk level for all traffic that has passed through the firewall thus far? Notice that the URL Filtering, Threat Prevention, and Data Filtering sections within the ACC contain no matching records.
Module 5 Content-ID
Note: The presence of firewalls between your PA-200 and the internet will cause the lab results to vary.
Click Device > Dynamic Updates.
Click Check Now at the bottom of the page to retrieve the latest updates from Palo Alto Networks.
Verify that your firewall is running the most recent Antivirus definition file.
If the definition file is out of date, install the latest version.
   a. Click Download on the line for the update file you plan to install. Click Close when the file download completes.
   b. The Download link will have been replaced with the Install link. Click Install to activate the definition file. The installation will automatically trigger a commit. Wait for both operations to complete before continuing. Click Close to exit the installation window.
   Name: Enter TechSites
   Sites: Click Add and add each of the following URLs:
      www.slashdot.org
      www.cnet.com
      www.zdnet.com
   Click OK to close the URL Filtering profile window.
   Name: Enter student-url-filtering
   Category/Action: Click the right side of the Action header to access the pulldown menu. Click Set All Actions > Alert.
      Search the Category field for hacking and government. Set the Action to Continue for both categories.
      Search the Category field for the following categories and set the Action to block for each of them:
         adult-and-pornography
         questionable
         unknown
   Name: Enter student-antivirus
   Antivirus tab
      Packet Capture: Check the Packet Capture box
      Decoders: Set the Action column to Alert for all decoders
   Click OK to close the antivirus profile window.
   Name: Enter student-antispyware
   Rules tab: Click Add and create a rule with the parameters:
         Rule Name: Enter rule-1
         Action: Select Allow
         Severity: Check the boxes for Low and Informational only
      Click OK to save the rule
      Click Add and create another rule with the parameters:
         Rule Name: Enter rule-2
         Action: Select Alert
         Severity: Check the boxes for Critical and High only
      Click OK to save the rule
   Click OK to close the anti-spyware profile window.
   Name: Enter student-file-block
   Rules list: Click Add and create a rule with the parameters:
         Rule Name: Enter type-1
         Action: Select Forward
   Click OK to close the file blocking profile window.
   Actions tab
      Profile Type: Select Profiles
      Antivirus: Select student-antivirus
      Anti-Spyware: Select student-antispyware
      URL Filtering: Select student-url-filtering
      File Blocking: Select student-file-block
   Click OK to close the policy window.
13. Repeat the previous step and add the profiles to the Log-All policy.
14. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.
Captured packets can be exported in PCAP format and examined with a protocol analyzer offline for further investigation.
20. Modify the antivirus profile to block viruses using ftp, http, and smb. Click Objects > Security Profiles > Antivirus. Change the Action column for the ftp, http, and smb decoders to Block.
21. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.
22. Open a new browser window to www.eicar.org and attempt to download a virus file again. Since the antivirus profile is set to block, a response page should appear:
23. Return to the Web UI and verify that log entries stating that the Eicar virus was detected appear in the threat log.
24. After 15 minutes, the threats you just generated will appear on the ACC tab under the Threats section.
   Name: Enter student-profile-group
   Antivirus Profile: Select student-antivirus
   Anti-Spyware Profile: Select student-antispyware
   URL Filtering Profile: Select student-url-filtering
   File Blocking Profile: Select student-file-block
   Click OK to close the security profile group window.
   Actions tab
      Profile Type: Select Group
      Group Profile: Select student-profile-group
   Click OK to close the policy window.
34. Repeat the previous step and add the profile group to the Log-All policy.
35. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.
   Name
   Database
   Time Frame
   Sort by
   Group by
   Selected Columns
   Query Builder:
      Connector: Select and
      Attribute: Select Rule
      Operator: Select =
      Value: Enter General Internet
      Click Add
      Connector: Select or
      Attribute: Select Rule
      Operator: Select =
      Value: Enter Log-All
      Click Add
   Click OK to save the custom report definition.
38. Click the name of your custom report to reopen the custom report window. Click Run Now to generate the report.
39. The report will appear in a new tab in the window. Click Export to PDF to save it to your RDP desktop.
Module 6 Decryption
   Certificate Name: Enter student-ssl-cert
   Common Name: Enter 192.168.2.1
   Certificate Authority: Check the box
   Click Generate to create the certificate. Click OK to dismiss the certificate generation success window.
6. Click student-ssl-cert in the list of certificates to edit the certificate properties. Check the boxes for Forward Trust Certificate and Forward Untrust Certificate. Click OK to confirm the changes.
   General tab
      Name: Enter no-decrypt-traffic
   Source tab
      Source Zone: Click Add then select Trust-L3
   Destination tab
      Destination Zone: Click Add then select Untrust-L3
   URL Category tab
      URL Category: Click Add and add each of the following URL categories:
         health-and-medicine
         shopping
         financial-services
   Options tab
      Action: Select no-decrypt
      Type: Select SSL Forward Proxy
   Click OK to close the configuration window.
9. Click Add to create the SSL decryption rule for general decryption:
   General tab
      Name: Enter decrypt-all-traffic
   Source tab
      Source Zone: Click Add then select Trust-L3
   Destination tab
      Destination Zone: Click Add then select Untrust-L3
   URL Category tab
      URL Category: Verify that the Any box is checked
   Options tab
      Action: Select decrypt
      Type: Select SSL Forward Proxy
   Click OK to close the configuration window.
11. Click the Commit link at the top right of the Web UI. Click OK again and wait until the commit process completes before continuing.
12. Open a browser to the www.eicar.org downloads page. Download a test file using SSL. Ignore the certificate error. This is expected behavior because the firewall is intercepting the SSL connection and performing man-in-the-middle decryption. Close the browser window.
13. In the Web UI, examine the threat logs. The virus should have been detected, since the SSL connection was decrypted. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box has a check mark.
14. Open a browser to http://www.brightcloud.com/ and enter various URLs that you believe fall into the categories excluded by the no-decrypt rule. Make a list of URLs that fall into these categories to test against. For example:
      financial-services: www.bankofamerica.com
      health-and-medicine: www.deltadental.com
      shopping: www.macys.com
15. In the Web UI, click Monitor > Logs > Traffic. Set the traffic log to display only port 443 traffic on a 10 second refresh. Enter ( port.dst eq 443 ) in the filter field. Select 10 Seconds from the pulldown menu so that the display will refresh automatically. Leave this window open so you can monitor the traffic.
16. In a separate browser window, use SSL (https://) to navigate to the websites you found in the excluded URL categories. Navigate to other websites as well (e.g., www.facebook.com, www.google.com) for comparison purposes.
17. Return to the traffic log. Find an entry for one of the excluded categories by looking at the value in the URL Category column. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box in the Misc panel is unchecked.
18. Repeat the previous step for a URL in a non-excluded category. Verify that the Decrypted box has a check mark.
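The traffic log filter typed in step 15, ( port.dst eq 443 ), and the query the Module 5 report builder assembles from its Connector/Attribute/Operator/Value rows share one expression syntax: a parenthesised attribute, an eq or neq operator, a value, and the and/or connectors. The parser and evaluator below is an added example, not code from the lab manual or from PAN-OS; it assumes the builder emits ( rule eq 'General Internet' ) or ( rule eq 'Log-All' ), applies connectors left to right without precedence (so keep the parentheses the Web UI adds), and runs over constructed log records.

```python
import re
# One token per parenthesis, single-quoted string, or bare word (attribute, operator, number).
TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")

def parse(tokens):
    """Build a tree from a token list. Assumption: 'and'/'or' apply left to right
    with equal precedence, so rely on the parentheses the Web UI adds."""
    def nxt():
        if not tokens:
            raise ValueError("unexpected end of filter")
        return tokens.pop(0)
    def atom():
        tok = nxt()
        if tok == "(":
            node = expr()
            if nxt() != ")":
                raise ValueError("missing )")
            return node
        op, val = nxt(), nxt()
        if op not in ("eq", "neq"):
            raise ValueError("bad operator %r" % op)
        return (op, tok, val[1:-1] if val.startswith("'") else val)
    def expr():
        node = atom()
        while tokens and tokens[0] in ("and", "or"):
            op = tokens.pop(0)
            node = (op, node, atom())
        return node
    tree = expr()
    if tokens:
        raise ValueError("unexpected token %r" % tokens[0])
    return tree

def evaluate(node, record):
    """Evaluate a tree against one log record; values are compared as strings."""
    if node[0] in ("and", "or"):
        left, right = evaluate(node[1], record), evaluate(node[2], record)
        return (left and right) if node[0] == "and" else (left or right)
    return (str(record.get(node[1], "")) == node[2]) == (node[0] == "eq")

def filter_logs(expression, records):
    """Return the records matching a filter such as ( port.dst eq 443 )."""
    tree = parse(TOKEN.findall(expression))
    return [r for r in records if evaluate(tree, r)]

# Constructed traffic-log records shaped like the lab's Monitor > Logs > Traffic view.
LOGS = [{"rule": "Log-All", "port.dst": 443, "app": "ssl"},
        {"rule": "General Internet", "port.dst": 80, "app": "web-browsing"},
        {"rule": "Block-Known-Bad", "port.dst": 443, "app": "proxies"}]
```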
CLI Reference
This section provides a subset of the commands needed to complete the tasks in the associated lab modules. The commands are intended to provide command sets for you to research further in the PAN-OS Command Line Interface Reference Guide.
# set shared admin-role "Policy Admins" role device webui acc enable
Module 4 App-ID
# set rulebase security rules "General Internet" action allow
Module 5 Content-ID
# set profiles url-filtering Student-url-filtering alert bot-nets
Module 6 Decryption
> request certificate generate ca yes name 192.168.15.1 certificate-name student15-cert