Management:
Essentials I
Lab Manual
PAN-OS 6.0
PAN-EDU-101 Rev C.200
PANEDU101
Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.
Convention
Meaning
Example
Boldface
Italics
courier font
Click
Right-click
Table of Contents
How to use this Lab Guide ... 6
  Lab Guide Objectives ... 6
Lab Equipment Setup ... 7
  Lab Assumptions ... 7
  Student Firewall Interface Settings ... 7
Module 1 Administration and Management ... 8
  Scenario ... 8
  Required Information ... 8
Module 4 AppID ... 12
  Scenario 1 ... 12
  Required Information ... 12
  Scenario 2 ... 13
  Required Information ... 14
  Lab Notes ... 14
Module 6 Decryption ... 17
  Scenario ... 17
  Required Information ... 18
  Lab Notes ... 18
Solutions ... 19
  Module 1 Introduction (Lab Access) ... 19
  Module 2 Interface Configuration ... 21
  Module 3 Layer 3 Configuration ... 23
  Module 4 AppID ... 26
  Module 5 ContentID ... 36
  Module 6 Decryption ... 43
CLI Reference ... 47
  Module 1 Administration and Management ... 47
  Module 2 Interface Configuration ... 47
  Module 3 Layer 3 Configuration ... 48
  Module 4 AppID ... 48
  Module 5 ContentID ... 48
  Module 6 Decryption ... 48
NOTE: Unless specified, the Google Chrome web browser and the PuTTY SSH client will be used to perform
any tasks outlined in the following labs.
With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help
enabled this training to be built, tested, and deployed.
[Figure: Lab Equipment Setup network diagram showing the student firewall's connection to the Internet]
Lab Assumptions
These lab instructions assume the following conditions:
1. The student is using a PA200 firewall which has been registered with Palo Alto Networks Support.
2. The firewall is licensed for Support, Threat Prevention, and URL Filtering.
3. The PA200 is running the latest version of 6.0 software and has all the latest updates for Antivirus, Applications
and Threats and URL Filtering.
4. The network that the student will connect to has a DHCP server from which the firewall can obtain an IP address
and DNS information.
5. There are no other Palo Alto Networks firewalls between the student's PA200 and the internet. The labs will still
work if upstream firewalls exist, but the results will vary depending on how those firewalls are configured.
Module 1 Administration and Management
Scenario
You have been tasked with integrating a new firewall into your environment. The firewall is configured
with a MGT IP address and administrator account. You will need to change the IP address of your laptop
to communicate with the default IP address of the MGT port.
If your firewall has settings you would like to restore after the completion of this lab, save the current
configuration so that it can be reloaded on the firewall. Apply a saved configuration to the firewall so that
it is in a known state.
In preparation for the new deployment, create a role for an assistant administrator which allows access to
all firewall functionality through the WebUI except Monitor, Network, Privacy, and Device. The account
should have no access to the XML API or the CLI. Create an account using this role. Additionally, change the
password of the admin account to disable the warnings about using default credentials.
Required Information
Named Configuration Snapshot: Default
New Administrator Role name: Policy Admins
New Administrator Account name: ip-admin
New Administrator Account password: paloalto
New password for the admin account: paloalto
Click OK to continue.
Enter ip-admin
Enter paloalto
Select Role Based
Select Policy Admins
30. Click the Commit link at the top right of the WebUI. Click OK and wait until the commit process
completes, then click Close.
31. Open a different browser and log onto the WebUI as ip-admin and explore the available
functionality. For example, if you originally connected to the WebUI using Chrome, open this
connection in Internet Explorer. Compare the displays for the admin and ip-admin accounts to
see the limitations of the newly created account.
32. When you are done exploring, log out of the ip-admin account connection.
33. Log back into the PA200 WebUI as user admin with password paloalto.
Module 2 Interface Configuration
Scenario
You are preparing the firewall for a simple proof of concept (POC). In order to demonstrate firewall
features with a minimum of changes to the existing network, you have decided to use virtual wire to pass
traffic through the firewall for one network segment and a tap interface to monitor a different network
segment.
Configure the virtual wire and create zones so that policy rules can be defined. Create a tap interface and
the associated zone.
Note: Due to the limited number of interfaces available on a PA200, the configurations set in this lab will be
immediately removed so that the interfaces may be reused for later labs.
Required Information
Interface to use for tap interface: Ethernet1/3
Interfaces to use for virtual wire: Ethernet1/3, Ethernet1/4
Name for the tap zone: tap-zone
Name for the virtual wire zones: vwire-zone-3, vwire-zone-4
Name for the virtual wire object: student-vwire
Module 3 Layer 3 Configuration
Scenario
The POC went well and the decision was made to use the Palo Alto Networks firewall in the network. You
are to create two zones, UntrustL3 and TrustL3. The external-facing interface in UntrustL3 will get an IP
address from a DHCP server on the external network. TrustL3 will be where the internal clients connect to
the firewall, so the interface in TrustL3 will provide DHCP addresses to these internal clients. The
DHCP server you configure in the TrustL3 zone will inherit DNS settings from the external-facing interface.
Both the internal and external interfaces on the firewall must route traffic through the external-facing
interface by default. The interface in UntrustL3 must be configured to respond to pings and the interface
in TrustL3 must be able to provide all management services. NOTE: You will not be able to test whether
the UntrustL3 interface responds to pings until the next lab.
Once you have completed the Layer 3 configurations, you will need to move the physical Ethernet cable
coming from your PC from the MGT port to the ethernet1/4 port of the PA200. You must also change
the settings of the LAN interface on your laptop to use DHCP-supplied network information (IP address
and DNS servers) instead of static settings.
When the firewall is fully configured, a NAT policy must exist so that all traffic originating in the TrustL3
zone appears to come from the external-facing address of the firewall.
Required Information
Interface Management Profile Names: allow_all, allow_ping
Internal-facing IP Address: 192.168.2.1/24
External-facing interface: Ethernet1/3
Internal-facing interface: Ethernet1/4
DHCP Server: Gateway: 192.168.2.1
DHCP Server: Inheritance Source: Ethernet1/3
DHCP Server: Primary DNS: inherited
DHCP Server: IP address range: 192.168.2.50-192.168.2.60
Virtual Router Name: Student-VR
Configure the ethernet1/3 interface:
Interface Type: Select Layer 3
Config tab
Virtual Router: Keep default (none)
Security Zone: Select UntrustL3
IPv4 tab
Type: Select DHCP Client
Advanced > Other Info tab
Management Profile: Select allow_ping
Click OK to close the interface configuration window.
10. Click the interface name ethernet1/4. Configure the interface:
Interface Type: Select Layer 3
Config tab
Virtual Router: Keep default (none)
Security Zone: Select TrustL3
IPv4 tab
Type: Keep default (Static)
IP: Click Add then enter 192.168.2.1/24
Advanced > Other Info tab
Management Profile: Select allow_all
Click OK to close the interface configuration window.
Configure DHCP
11. Click Network > DHCP > DHCP Server.
12. Click Add to define a new DHCP Server:
Interface Name: Select ethernet1/4
Inheritance Source: Select ethernet1/3
Gateway: Enter 192.168.2.1
Primary DNS: Select inherited
IP Pools: Click Add then enter 192.168.2.50-192.168.2.60
Click OK to close the DHCP Server configuration window.
Configure the virtual router:
Name: Enter Student-VR
Interfaces: Click Add then select ethernet1/3
Module 4 AppID
Create a security policy to allow basic internet connectivity and log dropped traffic
Enable Application Block pages
Create Application Filters and Application Groups
At this point, the firewall is configured but not passing traffic. Security policies must be defined before
traffic will flow between zones. To facilitate testing and present the minimal amount of risk to the network
traffic, the policies will be established in a three-phase deployment:
Phase 1: Configure a Policy to allow all outbound traffic, and to block and log any incoming traffic. This
will allow employees to surf the Internet, and will log which applications they use.
Phase 2: Create a General Internet policy to restrict users to a set of commonly used applications. The
applications should only be permitted on application default ports. All other traffic (inbound and
outbound) should be blocked and logged.
Configure the firewall to notify users when blocked applications are used so that the help desk does
not get called for connection issues that are actually blocked applications.
Phase 3: The results from the first two phases of testing lead to the following discoveries:
o The logs from phase 1 show heavy use of a variety of internet proxies and web-based
file sharing services by users. Management mandates that you create a Deny list
explicitly preventing use of these applications.
o The rules blocking all unmatched traffic were too restrictive for your environment. The
testing denied access to numerous vital applications, causing a surge in support calls. Any
traffic which does not match the Deny list should be allowed but logged for future policy
decisions.
Required Information
Phase 1 policy names: Allow All Out; Deny and Log Inbound
Phase 2 policy names: General Internet; Deny and Log Outbound; Deny and Log Inbound
Phase 2 permitted applications: dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
Application Filter names: Proxies; Web-Based-File-Sharing
Phase 3 policy names: Block-Known-Bad; Allow and Log Outbound; Deny-and-Log-Inbound
Proxies filter: Subcategory: Proxies
Web-Based-File-Sharing filter: Subcategory: file-sharing; Technology: browser-based
Application Group members: Proxies; Web-Based-File-Sharing
Lab Notes
During Phase 1, test your connectivity by connecting to http://www.box.net and facebook. Use
the traffic logs to determine how the firewall handles that connection.
During Phase 2, check to see what happens when you browse to www.facebook.com and box.net
after you make your changes.
The lab solutions use the buttons at the bottom of the policy screens to change the order of the
rules. Rules can also be reordered by clicking and dragging the rules to the desired location.
Phase 2
Create an Application Group
1. Click Objects > Application Groups.
2. Click Add to define the Known-Good application group:
Name: Enter Known-Good
Applications: Click Add and select each of the following:
dns
fileserve
flash
ftp
paloalto-updates
ping
ssl
web-browsing
Click OK to close the application group configuration window.
Configure the General Internet security policy:
Destination Address: Select Any
Application tab
Applications: Click Add and select the Known-Good Application Group
Service/URL Category tab
Service: Select application-default from the pulldown
Actions tab
Action Setting: Select Allow
Log Setting: Select Log at Session End
Click OK to close the security policy configuration window.
Phase 3
Disable previous Security Policies
1. Click the Deny and Log Outbound rule and click the Disable button.
2. Click the General Internet rule and click the Disable button.
Create the Known-Bad application group:
Name: Enter Known-Bad
Applications: Click Add and select Proxies and Web-Based-File-Sharing
Confirm that your security policy list shows the following enabled rules:
Block-Known-Bad
Allow-and-Log-All-Out
Deny-and-Log-Inbound
Make sure any other policies are disabled.
12. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process
completes before continuing.
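The three phases above are a progression from permissive logging, to a strict allow list, to a deny list with everything else allowed and logged. The following Python model is an added example (not part of the lab manual or any Palo Alto Networks code) that evaluates each phase's rulebase top-down, first match wins, against a constructed application catalogue; the app names ending in "-app-1" and all subcategory/technology values are hypothetical, and the service/port check (application-default) is left out.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class App:
    name: str
    subcategory: str
    technology: str

# Constructed catalogue: names ending in "-app-1" are hypothetical, and all
# attribute values are illustrative rather than copied from the AppID database.
CATALOG: Dict[str, App] = {a.name: a for a in [
    App("web-browsing", "internet-utility", "browser-based"),
    App("dns", "infrastructure", "network-protocol"),
    App("ssl", "encrypted-tunnel", "browser-based"),
    App("proxy-app-1", "proxies", "client-server"),            # an internet proxy
    App("fileshare-app-1", "file-sharing", "browser-based"),   # web-based file sharing
    App("crm-app-1", "general-business", "browser-based"),     # a vital business app
]}

Matcher = Callable[[App], bool]

def app_filter(subcategory: Optional[str] = None, technology: Optional[str] = None) -> Matcher:
    """Application Filter: matches on attributes, so any app carrying those attributes,
    including ones added by later content updates, is covered without editing the policy."""
    return lambda a: ((subcategory is None or a.subcategory == subcategory)
                      and (technology is None or a.technology == technology))

def app_group(*members) -> Matcher:
    """Application Group: a static list of app names and/or filters."""
    return lambda a: any(m(a) if callable(m) else m == a.name for m in members)

ANY: Matcher = lambda a: True
PROXIES = app_filter(subcategory="proxies")
WEB_BASED_FILE_SHARING = app_filter(subcategory="file-sharing", technology="browser-based")
KNOWN_GOOD = app_group("dns", "fileserve", "flash", "ftp", "paloalto-updates",
                       "ping", "ssl", "web-browsing")
KNOWN_BAD = app_group(PROXIES, WEB_BASED_FILE_SHARING)

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: Matcher
    action: str  # "allow" or "deny"

PHASES: Dict[int, List[Rule]] = {
    1: [Rule("Allow All Out", "TrustL3", "UntrustL3", ANY, "allow"),
        Rule("Deny and Log Inbound", "UntrustL3", "TrustL3", ANY, "deny")],
    2: [Rule("General Internet", "TrustL3", "UntrustL3", KNOWN_GOOD, "allow"),
        Rule("Deny and Log Outbound", "TrustL3", "UntrustL3", ANY, "deny"),
        Rule("Deny and Log Inbound", "UntrustL3", "TrustL3", ANY, "deny")],
    3: [Rule("Block-Known-Bad", "TrustL3", "UntrustL3", KNOWN_BAD, "deny"),
        Rule("Allow and Log Outbound", "TrustL3", "UntrustL3", ANY, "allow"),
        Rule("Deny-and-Log-Inbound", "UntrustL3", "TrustL3", ANY, "deny")],
}

def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, app_name: str) -> Tuple[str, str]:
    """Top-down, first match wins; interzone traffic matching no rule is denied implicitly."""
    app = CATALOG[app_name]
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and r.apps(app):
            return r.action, r.name
    return "deny", "interzone-default"

if __name__ == "__main__":
    for phase, rules in PHASES.items():
        for name in ("web-browsing", "proxy-app-1", "fileshare-app-1", "crm-app-1"):
            print(f"phase {phase}: {name:16} -> {evaluate(rules, 'TrustL3', 'UntrustL3', name)}")
```

Running it shows why phase 3 was needed: the hypothetical business app is denied by the phase 2 allow list but permitted and logged in phase 3, while the proxy and file-sharing apps are caught by the filters in Block-Known-Bad.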
Module 5 ContentID
Scenario
Now that traffic is passing through the firewall, you decide to further protect the environment with
Security Profiles. The specific security requirements for general internet traffic are:
Log all URLs accessed by users in the TrustL3 zone. In particular, you need to track access to a set
of specified technology websites.
Access to all hacking and government sites should be set to Continue.
Block the following URL categories:
o adult and pornography
o questionable
o unknown
Log, but do not block, all viruses detected and maintain packet captures of these events for
analysis.
Log spyware of severity levels critical and high detected in the traffic. Ignore all other spyware.
Configure exe files to be blocked.
After all of these profiles are configured, send test traffic to verify that the protection behaves as
expected. Testing parameters will be included in the Required Information section of this lab.
After the initial testing is complete, you are asked to change the Antivirus protection to block viruses.
Make the changes and verify the difference in behavior.
Once the individual profiles are created and tested, combine the profiles into a single group for ease of
management. Attach the group to the appropriate security policies.
Your manager wants to see daily reports which detail the threats encountered by the firewall. Configure a
custom report to show a threat summary for all traffic allowed in the past 24 hours. It should include the
threat name, the application (including technology and subcategory for reference), and the number of
times that threat was encountered. Export the file as a PDF.
Required Information
Custom Technology sites to track: www.slashdot.org, www.cnet.com, www.phys.org, www.zdnet.com
Antivirus test:
1. Browse to http://www.eicar.org
2. Click Anti-Malware Testfile.
3. Click Download
4. Download any of the files using http only. Do not use the SSL links.
Government site for the URL Filtering test: www.cia.gov
File Blocking test:
1. Navigate to the web site http://www.opera.com
2. Download the installer to your local system
Lab Notes
You do not need to assign profiles to all of the security policies you have created in the lab. The
Known-Bad policy has an action of deny, so profiles will do nothing for that rule.
Only test the antivirus profile using http, not https. HTTPS connections will prevent the firewall
from seeing the packet contents, so the viruses they contain will not be detected by the profile.
Decryption will be covered in a later module.
Create the custom URL category:
Name: Enter TechSites
Sites: Click Add and add each of the following URLs:
www.slashdot.org
www.cnet.com
www.zdnet.com
Click OK to close the Custom URL Category profile window.
Create the URL Filtering profile:
Name: Enter student-url-filtering
Click the right side of the Action header to access the pulldown menu.
Click Set All Actions > Alert.
Search the Category field for hacking and government. Set the Action to Continue for both categories.
Search the Category field for the following categories and set the Action to block for each of them:
adult
questionable
unknown
Verify that your custom category TechSites appears in the Category column.
Click OK to close the URL Filtering profile window.
Create the Antivirus profile:
Name: Enter student-antivirus
Check the Packet Capture box
Set the Action column to Alert for all decoders
Leave the WildFire Actions at default
Create the Anti-Spyware profile:
Name: Enter student-antispyware
Click Add and create a rule with the parameters:
Rule Name: Enter rule-1
Action: Select Allow
Severity: Check the boxes for Low and Informational only
Click OK to save the rule
Click Add and create another rule with the parameters:
Rule Name: Enter rule-2
Action: Select Alert
Severity: Check the boxes for Critical and High only
Click OK to save the rule
Create the File Blocking profile:
Name: Enter student-file-block
Click Add and create a rule with the parameters:
Rule Name: Enter block-exe
File Types: Enter exe
Action: Select block
Click OK to close the file blocking profile window.
12. Click Allow and Log Outbound in the list of policy names. Edit the policy to include the newly
created profiles:
Actions tab
Profile Type: Select Profiles
Antivirus: Select student-antivirus
Anti-Spyware: Select student-antispyware
URL Filtering: Select student-url-filtering
File Blocking: Select student-file-block
Click OK to close the policy window.
13. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
Captured packets can be exported in PCAP format and examined with a protocol analyzer offline
for further investigation.
25. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
Query Builder
Module 6 Decryption
Scenario
Your security team is concerned about the results of the testing performed as part of the security profile
configurations. The team observed that the antivirus profile only identified viruses that were not SSL
encrypted. The concern is that files transferred from encrypted sources (e.g., https://www.facebook.com)
could escape detection and cause issues.
You want to evaluate using a forward-proxy configuration on the Palo Alto Networks firewall. Only traffic
from TrustL3 to UntrustL3 needs to be decrypted. Since this is not production, you decide to use self-signed
SSL certificates generated on the firewall for this implementation.
The legal department has advised you that certain traffic should not be decrypted for liability reasons.
Specifically, you may not decrypt traffic from health-related, shopping, or financial web sites.
Test the decryption two ways:
o Attempt to download test files from www.eicar.org using https and verify that they are detected by
the firewall
o Connect to various websites using https and use the logs to verify that the correct URL categories
are being decrypted
Required Information
Self-signed Certificate name: student-ssl-cert
Common Name of the SSL Certificate: 192.168.2.1
Decryption Policies: no-decrypt-traffic, decrypt-all-traffic
Lab Notes
You will get certificate errors when browsing after decryption is enabled. This is expected because
the self-signed certificates have not been added to the trusted certificates of the client browser. In
a production environment you would resolve this by adding the firewall certificate to the clients as
trusted or by using a commercial certificate from a known CA such as VeriSign.
Order matters with policies: make sure that the decrypt and no-decrypt policies are evaluated
in the correct order.
11. Click Add to create the SSL decryption rule for general decryption:
General tab
Name: Enter decrypt-all-traffic
Source tab
Source Zone: Click Add then select TrustL3
Destination tab
Destination Zone: Click Add then select UntrustL3
URL Category tab
URL Category: Verify that the Any box is checked
Options tab
Action: Select decrypt
Type: Select SSL Forward Proxy
Click OK to close the configuration window.
12. Confirm that your decryption policy list shows no-decrypt-traffic above decrypt-all-traffic. Decryption
rules are evaluated top to bottom and the first match wins, so the exclusion rule must come first.
13. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit
process completes before clicking Close to continue.
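The ordering rule from the Lab Notes, and the log check performed in the next set of steps, modelled as an added example (not code from the lab manual or from Palo Alto Networks): it evaluates the two decryption rules top-down in both orders and then audits constructed traffic-log records for contradictions. The category names health-and-medicine, shopping and financial-services are assumed for the three excluded groups, and the log records are constructed, not a real export.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed PAN-DB style names for the three groups the legal department excluded.
EXCLUDED: FrozenSet[str] = frozenset({"health-and-medicine", "shopping", "financial-services"})

@dataclass(frozen=True)
class DecryptRule:
    name: str
    src_zone: str
    dst_zone: str
    url_categories: Optional[FrozenSet[str]]  # None means the URL Category "Any" box is checked
    action: str  # "no-decrypt" or "decrypt"

NO_DECRYPT = DecryptRule("no-decrypt-traffic", "TrustL3", "UntrustL3", EXCLUDED, "no-decrypt")
DECRYPT_ALL = DecryptRule("decrypt-all-traffic", "TrustL3", "UntrustL3", None, "decrypt")

def decision(rules: List[DecryptRule], src_zone: str, dst_zone: str, category: str) -> Tuple[str, str]:
    """Top-down, first match wins. Traffic matching no decryption rule stays encrypted."""
    for r in rules:
        zones_match = r.src_zone == src_zone and r.dst_zone == dst_zone
        if zones_match and (r.url_categories is None or category in r.url_categories):
            return r.action, r.name
    return "no-decrypt", "no-rule-matched"

def leaked_exclusions(rules: List[DecryptRule]) -> List[str]:
    """Excluded categories that this rule order would nevertheless decrypt (should be empty)."""
    return sorted(c for c in EXCLUDED
                  if decision(rules, "TrustL3", "UntrustL3", c)[0] == "decrypt")

# Constructed records mirroring the two fields checked in the lab (the URL Category column
# and the Decrypted box in the Log Details Misc panel); not a real PAN-OS log export.
SAMPLE_LOG: List[Dict] = [
    {"dst_port": 443, "category": "shopping",           "decrypted": False},
    {"dst_port": 443, "category": "search-engines",     "decrypted": True},
    {"dst_port": 443, "category": "financial-services", "decrypted": True},   # contradicts policy
    {"dst_port": 80,  "category": "shopping",           "decrypted": False},  # not SSL, ignored
]

def audit(records: List[Dict], rules: List[DecryptRule]) -> List[str]:
    """Categories of port-443 records whose Decrypted flag contradicts what the rulebase says."""
    mismatches = []
    for rec in records:
        if rec["dst_port"] != 443:   # same selection as the "( port.dst eq 443 )" log filter
            continue
        expected = decision(rules, "TrustL3", "UntrustL3", rec["category"])[0] == "decrypt"
        if rec["decrypted"] != expected:
            mismatches.append(rec["category"])
    return mismatches

if __name__ == "__main__":
    correct, swapped = [NO_DECRYPT, DECRYPT_ALL], [DECRYPT_ALL, NO_DECRYPT]
    print("correct order leaks:", leaked_exclusions(correct))
    print("swapped order leaks:", leaked_exclusions(swapped))
    print("log records contradicting policy:", audit(SAMPLE_LOG, correct))
```

With the rules swapped, every excluded category is decrypted because the "Any" rule matches first; the audit then flags a financial-services record that was decrypted despite the correct order, which is the symptom the steps below are designed to catch.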
shopping: www.macys.com
10. In the WebUI, click Monitor > Logs > Traffic.
11. Set the traffic log to display only port 443 traffic by entering ( port.dst eq 443 ) in the
filter field.
12. Select 10 Seconds from the pulldown menu so that the display will refresh automatically.
13. In a separate browser window, use SSL (https://) to navigate to the websites you found in the
excluded URL categories.
14. Now use https:// to browse to sites like bing.com or yahoo.com which are not excluded.
15. Return to the traffic log at Monitor > Logs > Traffic.
16. If the URL Category column is not displayed, click the drop-down arrow next to one of the
columns and select URL Category.
17. Find an entry for one of the excluded categories by looking at the value in the URL Category
column.
18. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify
that the Decrypted box in the Misc panel is unchecked.
19. Find an entry for one of the non-excluded categories by looking at the value in the URL Category
column.
20. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify
that the Decrypted box in the Misc panel is checked.