Management:
Essentials I
Lab Manual
PAN-OS 6.1
PAN-EDU-101 Rev A.200
PANEDU101
Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.
Boldface: Names of commands, keywords, and selectable items in the web interface. Example: Click Security to open the Security Rule Page.
Italics: Names of parameters, files, directories, or Uniform Resource Locators (URLs). Example: The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com
courier font: Coding examples and text that you enter at a command prompt. Example: Enter the following command: a:\setup
Click: Click the left mouse button. Example: Click Administrators under the Device tab.
Right-click: Click the right mouse button. Example: Right-click on the number of a rule you want to copy, and select Clone Rule.
The scenario describes the lab exercise in terms of objectives and customer requirements. Minimal
instructions are provided to encourage students to solve the problem on their own. If appropriate, the
scenario includes a diagram and a table of required information needed to complete the exercise.
The solution is designed to help students who prefer step-by-step, task-based labs. Alternatively, students
who start with the scenario can use the solution to check their work or to get help if they get stuck on
a problem.
NOTE: Unless specified, the Google Chrome web browser and the PuTTY SSH client will be used to perform
any tasks outlined in the following labs.
1. Configure the basic components of the firewall, including interfaces, security zones, and security
policies.
2. Configure basic Layer 3 settings, such as IP addressing and NAT policies.
3. Configure basic ContentID functionality, including antivirus protection and URL filtering.
4. Configure SSL decryption.
With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help
enabled this training to be built, tested, and deployed.
[Diagram: lab topology showing the firewall between a DHCP-enabled network and the Internet]
Lab Assumptions
These lab instructions assume the following conditions:
1. The student is using a PA-200 firewall which has been registered with Palo Alto Networks Support.
2. The firewall is licensed for Support, Threat Prevention, and URL Filtering.
3. The PA-200 is running the latest version of 6.1 software and has all the latest updates for Antivirus, Applications
and Threats, and URL Filtering.
4. The network that the student will connect to has a DHCP server from which the firewall can obtain an IP address
and DNS information.
5. There are no other Palo Alto Networks firewalls between the student's PA-200 and the internet. The labs will still
work if upstream firewalls exist, but the results will vary based on those firewalls' settings.
Scenario
You have been tasked with integrating a new firewall into your environment. The firewall is configured
with a MGT IP address and administrator account. You will need to change the IP address of your laptop
to communicate with the default IP address of the MGT port.
If your firewall has settings you would like to restore after the completion of this lab, save the current
configuration so that it can be reloaded on the firewall. Apply a saved configuration to the firewall so that
it is in a known state.
In preparation for the new deployment, create a role for an assistant administrator which allows access to
all firewall functionality through the WebUI except Monitor, Network, Privacy, and Device. The account
should have no access to the XML API or the CLI. Create an account using this role. Additionally, change the
password of the admin account to disable the warnings about using default credentials.
Required Information
Named Configuration Snapshot: PANEDU101Default
New Administrator Role name: Policy Admins
New Administrator Account name: ip-admin
New Administrator Account password: paloalto
New password for the admin account: paloalto
30. Click the Commit link at the top-right of the WebUI. Click OK and wait until the commit process
completes, then click Close.
31. Open a different browser and log onto the WebUI as ip-admin and explore the available
functionality. For example, if you originally connected to the WebUI using Chrome, open this
connection in Internet Explorer. Compare the displays for the admin and ip-admin accounts to
see the limitations of the newly created account.
32. When you are done exploring, log out of the ip-admin account connection.
Scenario:
The POC went well and the decision was made to use the Palo Alto Networks firewall in the network. You
are to create two zones, Untrust-L3 and Trust-L3. The external-facing interface in Untrust-L3 will get an IP
address from a DHCP server on the external network. Trust-L3 will be where the internal clients connect to
the firewall, so the interface in Trust-L3 will provide DHCP addresses to these internal clients. The
DHCP server you configure in the Trust-L3 zone will inherit DNS settings from the external-facing interface.
Both the internal and external interfaces on the firewall must route traffic through the external-facing
interface by default. The interface in Untrust-L3 must be configured to respond to pings, and the interface
in Trust-L3 must be able to provide all management services.
Once you have completed the Layer 3 configuration, you will need to move the physical Ethernet cable
coming from your PC from the MGT port to the ethernet1/4 port of the PA-200. You must also change
the settings of the LAN interface on your laptop to use DHCP-supplied network information (IP address
and DNS servers) instead of static settings.
Required Information
Interface Management Profile Names: allow all, allow_ping
Internal-facing IP Address: 192.168.2.1/24
External-facing interface: Ethernet1/3
Internal-facing interface: Ethernet1/4
DHCP Server: Gateway: 192.168.2.1
DHCP Server: Inheritance Source: Ethernet1/3
DHCP Server: Primary DNS: inherited
DHCP Server: IP address range: 192.168.2.50-192.168.2.60
Virtual Router Name: Student-VR
7. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
Configure DHCP
11. Click Network > DHCP > DHCP Server.
12. Click Add to define a new DHCP Server:
General tab
Name: Enter Student-VR
Interfaces: Click Add, then select ethernet1/3
15. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
At this point, the firewall is configured but is unable to pass traffic between zones. NAT and Security Policies must be
defined before traffic will flow between zones. In this lab, you will create a Source NAT Policy using the Untrust-L3 IP
address as the source address for all outgoing traffic. Then you will create a Security Policy to allow traffic from the
Trust-L3 Zone to the Untrust-L3 Zone, so that your workstation can access the outside world.
General tab
Name: Enter Student Source NAT
Original Packet tab
Source Zone: Click Add and select Trust-L3
Destination Zone: Select Untrust-L3
Destination Interface: Select ethernet1/3
Translated Packet > Source Address Translation tab
Translation Type: Select Dynamic IP and Port
Address Type: Select Interface Address
Interface: Select ethernet1/3
Click OK to close the NAT policy configuration window.
General tab
Name: Enter Allow All Out
Source tab
Source Zone: Click Add and select Trust-L3
Source Address: Select Any
Destination tab
Destination Zone: Click Add and select Untrust-L3
Destination Address: Select Any
Application tab
Applications: Select Any
Service/URL Category tab
Service: Select application-default from the pulldown
Actions tab
Action Setting: Select Allow
Log Setting: Select Log at Session End
4. Click OK to close the security policy configuration window.
5. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
Create a security policy to allow basic internet connectivity and log dropped traffic
Enable Application Block pages
Create Application Filters and Application Groups
Now that you have confirmed that your workstation has connectivity to the Internet, you will delete the
Allow All Out Security Rule and replace it with a more restrictive Security Rule. By default, the PAN
Firewall will block any traffic between different Security Zones. You will create a Security Policy to
selectively enable specific applications to pass from the Trust-L3 to the Untrust-L3 Zone. All other
applications will be blocked.
Create a Rule named General Internet which allows users in the Trust-L3 zone to use a set of
commonly used applications to access the internet. The applications should only be permitted on each
application's default port. All other traffic (inbound and outbound) between Zones will be blocked and
logged so that you can identify what other applications are being used.
Next, you will configure the firewall to notify users when applications are blocked by a Rule.
Required Information
Security Policy name: General Internet
Members of the Known-Good application group: dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
Lab Notes
Test your connectivity by connecting to http://www.depositfiles.com (login paneduc, password paloalto).
Because you have not specified depositfiles as an allowed application, the firewall should block the
application, even if you attempt to use a proxy.
General tab
Name: Enter General Internet
Source tab
Source Zone: Click Add and select Trust-L3
Source Address: Select Any
Destination tab
Destination Zone: Click Add and select Untrust-L3
Destination Address: Select Any
Application tab
Applications: Click Add and select the Known-Good Application Group
Service/URL Category tab
Service: Select application-default from the pulldown
Actions tab
Action Setting: Select Allow
Log Setting: Select Log at Session End
Click OK to close the security policy configuration window.
19. Go to Monitor > Logs > Traffic to review the traffic logs. Find the entries where the depositfiles
application has been blocked. You may want to put (action eq deny) in the filter text box. The
site has been blocked because the depositfiles application is not listed in the allowed applications in
the General Internet Policy.
20. Now try to work around the application block by using a proxy. From the RDP desktop, go to the
proxy site http://www.avoidr.com.
21. Enter www.depositfiles.com in the text box and click Go. An Application Blocked page
appears showing that the phproxy application was blocked.
22. Go to Monitor > Logs > Traffic to find the corresponding entry in the Traffic Logs. It indicates that
the phproxy application has been blocked.
Scenario
Now that traffic is passing through the firewall, you decide to further protect the environment with
Security Profiles. The specific security requirements for general internet traffic are:
Log all URLs accessed by users in the Trust-L3 zone. In particular, you need to track access to a set
of specified technology websites.
Access to all hacking and government sites should be set to Continue.
Block the following URL categories:
o adult and pornography
o questionable
o unknown
Log, but do not block, all viruses detected and maintain packet captures of these events for
analysis.
Log spyware of severity levels critical and high detected in the traffic. Ignore all other spyware.
Configure exe files to be blocked.
After all of these profiles are configured, send test traffic to verify that the protection behaves as
expected.
After the initial testing is complete, you are asked to change the Antivirus protection to block viruses.
Make the changes and verify the difference in behavior.
Once the individual profiles are created and tested, combine the profiles into a single group for ease of
management. Attach the group to the appropriate security policies.
Required Information
Custom Technology sites to track: www.slashdot.org, www.cnet.com, www.zdnet.com
Location of files for testing antivirus:
1. Browse to http://www.eicar.org
2. Click Anti-Malware Testfile.
3. Click Download
4. Download any of the files using http only. Do not use the SSL links.
Procedure for testing file blocking:
1. Navigate to the web site http://www.opera.com
2. Download the installer to your local system
Lab Notes
Only test the antivirus profile using http, not https. HTTPS connections will prevent the firewall
from seeing the packet contents so the viruses contained will not be detected by the profile.
Decryption will be covered in a later module.
Search the Category field for hacking and government. Set the Action to
Continue for both categories.
Search the Category field for the following categories and set the Action
to block for each of them:
adult (or adult-and-pornography)
government
hacking
questionable
TechSites
unknown
Actions tab
Profile Type: Select Profiles
Antivirus: Select student-antivirus
Anti-Spyware: Select student-antispyware
URL Filtering: Select student-urlfiltering
File Blocking: Select student-fileblock
Click OK to close the policy window.
13. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
Captured packets can be exported in PCAP format and examined with a protocol analyzer offline
for further investigation.
Actions tab
Profile Type: Select Group
Group Profile: Select student-profilegroup
Click OK to close the policy window.
42. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
Scenario
Your security team is concerned about the results of the testing performed as part of the security profile
configurations. The team observed that the antivirus profile only identified viruses that were not SSL
encrypted. The concern is that files transferred from encrypted sources (e.g., https://www.facebook.com)
could escape detection and cause issues.
You want to evaluate using a forward-proxy configuration on the Palo Alto Networks firewall. Only traffic
from Trust-L3 to Untrust-L3 needs to be decrypted. Since this is not production, you decide to use self-signed
SSL certificates generated on the firewall for this implementation.
Once an application is decrypted and identified by the PAN firewall, it may be denied if you have set the
Security Policy to only allow applications that arrive on their standard default ports. For example, if FTP
traffic encrypted by SSL is decrypted and recognized by the firewall, the firewall will see it as FTP traffic
arriving on port 443. Because this is not the standard FTP port, it may be denied. Therefore, in this
exercise, when you are using decryption, you will set your Security Rules to allow any port instead of using
application-default.
The legal department has advised you that certain traffic should not be decrypted for liability reasons.
Specifically, you may not decrypt traffic from health-related, shopping, or financial web sites.
Attempt to download test files from www.eicar.org using https and verify that they are detected by
the firewall.
You will receive certificate errors when browsing after decryption is enabled. This is expected because the
self-signed certificates have not been added to the Trusted certificates of the client browser. Resolve this
by adding the firewall certificate to the clients as a Trusted Root Certificate.
After your initial testing of the forward-proxy, the penetration testing team calls you to request an
exception to the decryption rules. The team asks that www.eicar.org be excluded from decryption so that
they will still be able to download the files that they need to perform their evaluations. Change the
implementation to allow this exception.
Required Information
Self-signed Certificate name: student-ssl-cert
Common Name of the SSL Certificate: 192.168.2.1
Decryption Policies: no-decrypt-traffic, decrypt-all-traffic
Lab Notes
You will get certificate errors when browsing after decryption is enabled. This is expected because
the self-signed certificates have not been added to the trusted certificates of the client browser. In
a production environment you would resolve this by adding the firewall certificate to the clients as
trusted or by using a commercial certificate from a known CA such as VeriSign.
Order matters with policies: make sure that the decrypt and no-decrypt policies are evaluated
in the correct order.
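As an added example (not Palo Alto Networks code), the following Python models the top-down, first-match policy evaluation that the scenario and the lab note above both depend on: the no-decrypt rules must sit above decrypt-all-traffic, and with Service set to application-default, decrypted FTP arriving on port 443 falls through to the implicit interzone deny even though ftp is in the Known-Good group. The default-port table, the eicar exception rule name and its host-based match are assumptions made for the example.

```python
from dataclasses import dataclass, field, replace
# Assumed stand-in for the App-ID default-port table (not PAN-OS data).
DEFAULT_PORTS = {"ftp": {21}, "web-browsing": {80}, "ssl": {443}, "dns": {53}}
# Members of the lab's Known-Good application group.
KNOWN_GOOD = {"dns", "fileserve", "flash", "ftp", "paloalto-updates",
              "ping", "web-browsing", "ssl"}
NO_DECRYPT_CATEGORIES = {"financial-services", "health-and-medicine", "shopping"}  # legal exclusions

@dataclass
class Session:
    src_zone: str
    dst_zone: str
    app: str
    dst_port: int
    url_category: str = "unknown"
    host: str = ""

@dataclass
class Rule:
    name: str
    action: str                      # allow/deny or decrypt/no-decrypt
    src_zone: str = "any"
    dst_zone: str = "any"
    apps: set = field(default_factory=lambda: {"any"})
    categories: set = field(default_factory=lambda: {"any"})
    hosts: set = field(default_factory=lambda: {"any"})
    service: str = "any"             # "any" or "application-default"

    def matches(self, s: Session) -> bool:
        ok = (self.src_zone in ("any", s.src_zone)
              and self.dst_zone in ("any", s.dst_zone)
              and ("any" in self.apps or s.app in self.apps)
              and ("any" in self.categories or s.url_category in self.categories)
              and ("any" in self.hosts or s.host in self.hosts))
        if ok and self.service == "application-default":
            # application-default: the app must arrive on one of its default ports
            ok = s.dst_port in DEFAULT_PORTS.get(s.app, set())
        return ok

def evaluate(rules, session, implicit):
    """Top-down first match; the implicit rule applies when nothing matches."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.action
    return "implicit", implicit

# Decryption policies from the lab (the eicar exception rule name is assumed).
no_decrypt = Rule("no-decrypt-traffic", "no-decrypt", "Trust-L3", "Untrust-L3",
                  categories=NO_DECRYPT_CATEGORIES)
eicar_exception = Rule("no-decrypt-eicar", "no-decrypt", "Trust-L3", "Untrust-L3",
                       hosts={"www.eicar.org"})
decrypt_all = Rule("decrypt-all-traffic", "decrypt", "Trust-L3", "Untrust-L3")
RIGHT_ORDER = [no_decrypt, eicar_exception, decrypt_all]
WRONG_ORDER = [decrypt_all, no_decrypt, eicar_exception]   # decrypt-all shadows the rest

# General Internet security rule, first with application-default, then with any port.
general_internet = Rule("General Internet", "allow", "Trust-L3", "Untrust-L3",
                        apps=KNOWN_GOOD, service="application-default")
general_internet_any_port = replace(general_internet, service="any")
```

Running evaluate with WRONG_ORDER against a financial-services session shows decrypt-all-traffic winning, which is exactly the misordering the lab note warns about.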
8. Click CAXsslcert in the list of certificates to edit the certificate properties. Check the boxes for
Forward Trust Certificate and Forward Untrust Certificate. Click OK to confirm the changes.
11. Click Add to create the SSL decryption rule for general decryption:
General tab
Name: Enter decrypt-all-traffic
Source tab
Source Zone: Click Add, then select Trust-L3
Destination tab
Destination Zone: Click Add, then select Untrust-L3
URL Category tab
URL Category: Verify that the Any box is checked
Options tab
Action: Select decrypt
Type: Select SSL Forward Proxy
Click OK to close the configuration window.
12. Confirm that your decryption policy list looks like this:
28. In a separate browser window, browse to the following URLs using https:
financial-services: www.bankofamerica.com
health-and-medicine: www.deltadental.com
shopping: www.macys.com
29. Now use https:// to browse to sites like bing.com or yahoo.com which are not excluded.
30. Return to the traffic log at Monitor > Traffic > Logs.
31. If the URL Category column is not displayed, click the drop down arrow next to one of the
columns and select URL Category.
32. Find an entry for one of the excluded categories by looking at the value in the URL Category
column.
33. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify
that the Decrypted box in the Misc panel is unchecked.
34. Find an entry for one of the non-excluded categories by looking at the value in the URL Category
column.
35. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify
that the Decrypted box in the Misc panel is checked.
> configure
# commit
58. When the configuration has finished committing, log out of the PuTTY session.
Module 10 Scenario: Management and Reporting
In this lab you will:
Generate Reports
Your manager wants to see daily reports which detail the threats encountered by the firewall. Configure a
custom report to show a threat summary for all traffic allowed in the past 24 hours. It should include the
threat name, the application (including technology and subcategory for reference), and the number of
times that threat was encountered. Export the file as a PDF.
12. Click the name of your custom report to reopen the custom report window. Click Run Now to
generate the report.
13. The report will appear in a new tab in the window. Click Export to PDF to save it to your RDP
desktop.
14. Click OK to close the Custom Report window.