Lab Manual PAN-EDU-201
Firewall Installation, Configuration, and Management Essentials I
January, 2013
PAN-EDU-201
PAN-OS 5.0 - Rev A
Lab Manual
[email protected]
http://education.paloaltonetworks.com
© 2012 Palo Alto Networks. Proprietary and Confidential


  • PAN-EDU-201

    Lab Manual PAN-OS 5.0 Rev A Page 2

Table of Contents

How to use this Lab Guide
Lab Equipment Setup
Module 0 Introduction: Lab Access and Review
    Task 1 RDP to StudentPC, HTTPS and SSH to Student firewall
    Task 2 Review PAN-OS software, Content, and Licenses
    Task 3 Disable Panorama sharing
Module 1 Administration and Management
    Task 1 Apply baseline configuration to your firewall
    Task 2 Clear the logs
    Task 3 Add an Administrator Role
    Task 4 Add an administrator account
    Task 5 Take a Transaction Lock and test the lock
Module 2 Interface Configuration
    Task 1 Create a new Security Zone
    Task 2 Create Interface Management Profiles
    Task 3 Configure a Tap interface
    Task 4 Configure a Vwire
Module 3 Layer 3 Configuration
    Task 1 Configure Ethernet interfaces with Layer 3 info
    Task 2 Configure DHCP
    Task 3 Create a Virtual Router
    Task 4 Create a Source NAT policy
    Task 5 Create a Destination NAT Policy
Module 4 App-ID
    Task 1 Create a basic Security Policy for outbound traffic
    Task 2 Create 2 basic policies to deny all inbound and outbound traffic
    Task 3 Create an Application Block Page
    Task 5 Create Application Filter
    Task 6 Create Application Group
    Task 7 Create three new Security Policies that match the following criteria
    Task 8 Create a custom query in the Traffic Log
Module 5 Content-ID
    Task 1 Configure a URL filtering Profile
    Task 2 Configure a Custom URL Filtering Category
    Task 3 Configure an Antivirus Profile
    Task 4 Configure an Antispyware Profile
    Task 5 Connect individual Profile to Policy
    Task 6 Test connectivity
    Task 7 Create a File Blocking Profile: WildFire
    Task 8 Configure a Security Profile Group
    Task 9 Connect Profile Group to Policy
    Task 10 Create a Custom Report
Module 6 User-ID
    Task 1 Configure firewall to talk to User-ID Agent
    Task 2 Review user/IP information
    Task 3 User-ID Agent (optional)
Module 7 Decryption
    Task 1 Pre setup and test
    Task 2 Create an SSL self-signed Certificate
    Task 3 Create SSL Outbound Decryption Policies
    Task 4 Set SSL exclude cache
    Task 5 Review Self-signed Certificate on StudentPC browser
Module 8 VPN
    Task 1 Configure IPsec Tunnel, Trust Zone
    Task 2 Configure IPsec Tunnel, Untrust Zone
Module 9 High Availability (optional)
    Task 1 Configure HA Active/Passive
Module 10 Panorama
    Task 1 Pre setup and test
    Task 2 Create a custom report - Panorama
    Task 3 Create an Application Group Object
    Task 4 Create Pre/Post Policy
    Task 5 Push config to student firewall
    Task 6 Switch context and review Policy on firewall

  • PAN-EDU-201

    Lab Manual PAN-OS 5.0 Rev A Page 4

How to use this Lab Guide

The Lab Guide is laid out to follow the Modules in the Student Guide. There are multiple tasks for each Module. For each Task, where appropriate, there are three sections. The first section is a diagram of what the firewall configuration should look like. The second section contains the steps to create the configuration through the GUI. The third section contains the CLI commands to create the configuration.

You can complete the Tasks by referencing the diagram and the material in the Student Guide, or you can follow the steps in the second section. If you have sufficient experience with the PAN-OS CLI, you can type the commands in the CLI section.

    NOTE:

Unless specified, the Chrome web browser and the PuTTY SSH client will be used to perform any tasks outlined in the following labs. (These apps are pre-installed on the desktop of the StudentPC.)

    Once these labs are completed you should be able to:

    1. Configure the basic operations of the firewall including: Interfaces, Security Zones, and

    Security Policies

    2. Configure basic Layer 3 operations including: IP addressing and NAT

    3. Configure basic Content-ID functionality including: AV and URL filtering

    4. Understand the basic operation of Logs and Reporting

    5. Configure extended operations including: IPsec, SSL decryption, and HA

With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help enabled this training to be built, tested, and deployed.


Lab Equipment Setup

[Diagram: Student PC Setup and Firewall Setup. The details recoverable from the diagram are listed here; x is your student number and the exact values are given in each module.]

Student firewall management interface: 10.30.11.x/24 (RDP address of your StudentPC: ___.___.___.___, provided by the instructor)
ethernet1/2, Layer 3, zone Trust-L3: 192.168.x.1/24; the StudentPC sits on 192.168.x.y/24 behind a switch
ethernet1/1.2xx, Layer 3 sub-interface on an 802.1q trunk, zone Untrust-L3: 172.16.x.1/24, toward the lab router and the Internet
ethernet1/3 and ethernet1/4: virtual wire pair between two switches
ethernet1/5: tap interface
ethernet1/6 to ethernet1/8: further interfaces (HA is covered in Module 9)
Shared lab infrastructure reachable from the lab: EDU lab firewall, Panorama, Domain Controller, VSYS


Module 0 Introduction Lab Access and Review In this lab you will:

Connect to your StudentPC over RDP

Test StudentPC to student firewall connectivity over HTTPS and SSH

Review the operating system, content updates and licensing

    Task 1 RDP to StudentPC, HTTPS and SSH to Student firewall Using the login credentials and IP information provided by the instructor:

    Step 1: Open your local RDP client and open a session to your assigned RDP IP address.

Step 2: Once connected, use the StudentPC web browser and PuTTY client to test connectivity to the student firewall.

    Task 2 Review PAN-OS software, Content, and Licenses Step 1: Click on the Device tab Software

    Step 2: Review available, downloaded, and installed PAN-OS software

    Question: What version of PANOS is running on your firewall?

    __________________________________________________

    Step 3: Click on the Device tab Dynamic Updates

    Step 4: Review Applications, Viruses, and URL Filtering to check for date of last update

    Step 5: Click on the Device tab Licenses

    Step 6: Review licenses installed and their expiration dates

Step 7: In Device tab Setup Management, set the current date and time zone

Task 3 Disable Panorama sharing Step 1: Click on the Device tab Setup Management tab

Step 2: Click on the Panorama Settings edit button

Step 3: If the pop-up window shows a button to disable the Panorama-shared configuration, click it. An additional pop-up window lets you select Import shared config from Panorama before disabling. DO NOT SELECT THIS BOX. Simply click OK, and then OK in the Panorama Settings pop-up.

If there are no Panorama settings, close the tab and go forward.


Module 1 Administration and Management In this lab you will:

Apply a baseline configuration to build successive labs on

Create a new admin role and a role-based administrator account on the firewall

Take a transaction lock and test it

    Task 1 Apply baseline configuration to your firewall Step 1: Open your Student PC web browser and login to your student firewall.

    Step 2: Click on the Device tab Setup Operations tab

Step 3: Click Load Named Configuration Snapshot

    Step 4: Select the file after_reset_X (where X is your Student Number)

    Step 5: Click Ok then click Commit

    Task 2 Clear the logs Step 1: Click Device Log Settings Manage Logs

    Step 2: Click Clear Traffic Logs and Clear Threat, URL, and Data Logs

    Task 3 Add an Administrator Role Step 1: Click on the Device tab Admin Roles

    Step 2: Click Add in the lower left

    Step 3: Configure a new admin role with the name Policy Admins

Step 4: In the Webui box, click on the following major categories to disable them: Monitor, Network, and Device. The remaining major categories of Dashboard, ACC, Policy, Objects, Privacy, and Commit should be enabled.

    Step 5: Leave the CLI option set to None. Click OK to continue.

    Task 4 Add an administrator account Step 1: Click on the Device tab Administrators

    Step 2: Click Add in the lower left

    Step 3: Configure a new administrator with the following parameters:


    Name ip-admin

    Authentication Profile: None

    Password and Confirm Password: paloalto

    Role: Role Based

    Profile: Policy Admins from the dropdown menu

    Step 4: Click Ok then Click Commit

    Step 5: Log off the GUI, then log back in as ip-admin and explore functionality

Task 5 Take a Transaction Lock and test the lock Step 1: Click on the transaction lock icon (to the right of the Commit button).

Step 2: Click Take Lock, set the Type to Config and click OK. Click Close to close the transaction lock window.

    Step 3: Open a different browser and login with your admin account

    Step 4: Click on the transaction lock icon to view the locks taken

Step 5: Attempt to add another administrator account (as in Module 1 Task 4).

    Question: At what point does the firewall block your action?

    ________________________________________________

    (Answer: It will give you an error when you click the OK button.)

    Step 6: Log out of the ip-admin account
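The CLI equivalent of Tasks 3 and 4 above. This is an added example, not the CLI section of the manual; it assumes the PAN-OS 5.x set-command syntax and that you start from operational mode as a superuser. Lines beginning with # are annotations, not CLI input.

```panos
configure
# Task 3: admin role "Policy Admins". Monitor, Network and Device are
# disabled in the web UI; the other tabs keep their default (enabled).
# No CLI access: a role that can edit policy but not log in over SSH
# keeps the account's blast radius to the Policies and Objects tabs.
set shared admin-role "Policy Admins" role device webui monitor disable
set shared admin-role "Policy Admins" role device webui network disable
set shared admin-role "Policy Admins" role device webui device disable
set shared admin-role "Policy Admins" role device cli none
# Task 4: local administrator bound to that role. The password command
# prompts interactively; the lab value from Task 4 is "paloalto" (a lab
# value only; it is a known default-style password).
set mgt-config users ip-admin permissions role-based custom profile "Policy Admins"
set mgt-config users ip-admin password
# Check the candidate configuration before committing
show shared admin-role "Policy Admins"
show mgt-config users ip-admin
commit
exit
# After ip-admin logs in: lists active administrators, their source
# address and session type, so the lock holder in Task 5 is visible.
show admins
```

The transaction lock of Task 5 is taken from the GUI as described; the lock is held per administrator session, which is why the second browser login in Step 3 sees it but cannot override it.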


    Module 2 Interface Configuration In this lab you will:

    Create Security Zones

    Create Interface Management Profiles

    Configure basic interface types

    Task 1 Create a new Security Zone Step 1: Click on the Network tab Zones

    Step 2: Click Add

    Step 3: Set Type to Tap

    Step 4: Set the Zone name Student-tap-zone

    Step 5: Click Ok

    Question: Why is the OK button disabled?

    __________________________________

    (Answer: the zone name is too long. Change the zone name to be no more than 15 characters.)

Step 6: Click Add and set the Zone name Trust-L3

    Step 7: Set Type to Layer3

    Step 8: Click Ok


    Step 9: Click Add and Set the Zone name Untrust-L3

    Step 10: Set Type to Layer3

    Step 11: Click Ok

    Step 12: Click Add

    Step 13: Set the Zone name Vwire-zone-3

    Step 14: Set Type to Virtual Wire

    Step 15: Click Ok

    Step 16: Click Add

    Step 17: Set the Zone name Vwire-zone-4

    Step 18: Set Type to Virtual Wire

    Step 19: Click Ok

    Task 2 Create Interface Management Profiles Step 1: Click on the Network tab Network Profiles Interface Mgmt

    Step 2: Click Add

    Step 3: Set Name to allow_all

    Step 4: Select all check boxes

    Step 5: Click OK

    Step 6: Create a second profile called allow_ping

    Step 7: Click Ping check box

    Step 8: Click OK then click Commit

    Task 3 Configure a Tap interface Step 1: Click on the Network tab Interfaces

    Step 2: Click on interface ethernet1/5

    Step 3: Select Type Tap


    Step 4: Select Zone Student-Tap-Zon (or whatever you named it), then click Ok

    Task 4 Configure a Vwire Step 1: Click on the Network tab Interfaces

    Step 2: Click on interface ethernet1/3

    Step 3: Select Interface Type Virtual Wire

    Step 4: In the Virtual Wire field, click the dropdown arrow and click New Virtual Wire

    Step 5: In the pop-up window, set the Name to student-vwire and then click OK

    Step 6: Click the arrow in the Security Zone field, and select Vwire-zone-3.

    Step 7: Click OK

    Step 8: Click on interface ethernet1/4

    Step 9: Select Interface Type Virtual Wire

    Step 10: In the Virtual Wire field, click the dropdown arrow and select student-vwire.

    Step 11: Click the arrow in the Security Zone field, and select Vwire-zone-4.

    Step 12: Click OK

Step 13: Back in the interface pop-up window, click OK and Commit all changes
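The CLI equivalent of Tasks 1 to 4 of this module. This is an added example and not the manual's own CLI section; it assumes the PAN-OS 5.x set-command syntax and the 15-character tap zone name Student-Tap-Zon used in Task 3. The permitted-ip line is a production caveat that the lab itself does not set. Lines beginning with # are annotations, not CLI input.

```panos
configure
# Task 2: interface management profiles. allow_all turns on every
# management service on the data-plane interface that carries it (the
# Trust interface in Module 3). Exposing HTTPS/SSH on a data interface
# is what permitted-ip is for: without it any host that can route to
# the interface address can reach the management login page.
set network profiles interface-management-profile allow_all ping yes telnet yes ssh yes http yes https yes snmp yes response-pages yes
set network profiles interface-management-profile allow_all permitted-ip 192.168.5.0/24
set network profiles interface-management-profile allow_ping ping yes
# Task 1/3: tap zone and tap interface. A tap interface only receives a
# copy of traffic from a switch SPAN port; nothing is ever forwarded.
set network interface ethernet ethernet1/5 tap
set zone Student-Tap-Zon network tap ethernet1/5
# Task 1/4: virtual wire ethernet1/3 <-> ethernet1/4. Each end is in its
# own zone so that security policy can be written between the two ends.
set network interface ethernet ethernet1/3 virtual-wire
set network interface ethernet ethernet1/4 virtual-wire
set network virtual-wire student-vwire interface1 ethernet1/3 interface2 ethernet1/4
set zone Vwire-zone-3 network virtual-wire ethernet1/3
set zone Vwire-zone-4 network virtual-wire ethernet1/4
commit
exit
# Checks: type, zone and link state of each interface
show interface ethernet1/5
show interface ethernet1/3
show interface all
```

The two Layer 3 zones Trust-L3 and Untrust-L3 are given their interfaces in Module 3, when ethernet1/2 and the ethernet1/1 sub-interface are converted to Layer 3. The exact list of services in an interface management profile depends on the PAN-OS version; list whatever the GUI shows for "select all".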


    Module 3 Layer 3 Configuration In this lab you will:

    Configure ethernet interfaces with Layer 3 information

    Configure DHCP

    Create a Virtual Router

    Create a Source NAT policy

    Create a Destination NAT policy

    Task 1 Configure Ethernet interfaces with Layer 3 info Step 1: Click on Network tab Interfaces Ethernet and select interface ethernet1/2

    Step 2: In the pop-up, set Type to Layer3

    Step 3: Set Security Zone to Trust-L3

    Step 4: Select the IPv4 tab, click Add and enter the following IP address and subnet mask:

    192.168.__.1/24 (your student # is the 3rd octet)

Step 5: Select the Advanced tab, then the Other Info tab, and set the Management Profile to allow_all, then click OK

    Step 6: Click on the Network tab Interfaces and select interface ethernet1/1

    Step 7: In the pop-up, set Type to Layer3 then click Ok

    Step 8: Click Add Layer3 Subinterface at the bottom of the page

    Step 9: Set Interface Name to ethernet1/1


    Step 10: Set the sub-interface ID to 200 + Student #. (Example: Student-05 would be 205.)

    Step 11: Set the Tag to match the sub-interface ID

    Step 12: Click the dropdown arrow in the Security Zone field, and click New Zone

    Step 13: In the popup window set the Name to Untrust-L3

    Step 14: Select the IPv4 tab, click Add and enter the following IP address and subnet mask:

    172.16.___.1/24 (your student # is the 3rd octet)

    Step 15: Select the Advanced tab and set the Management Profile to allow_ping then click OK

    Task 2 Configure DHCP Step 1: Click on the Network tab DHCP DHCP Server tab

    Step 2: Click Add

    Step 3: Select Interface ethernet1/2

    Step 4: Set Gateway 192.168.___.1 (the 3rd octet is your student #)

    Step 5: Set Primary DNS to 10.30.11.50

Step 6: Click the Add button in the IP Pools window, and enter an IP Pool of 192.168.___.50-192.168.___.60 (the 3rd octet is your student #)

    Step 7: Review and click OK


    Task 3 Create a Virtual Router Step 1: Click on the Network tab Virtual Routers

    Step 2: Click Add

    Step 3: Set the Name to Student-VR

    Step 4: Click Add in the Interfaces window and select interface ethernet1/1.2__ and ethernet1/2

    Step 5: Select the Static Route tab, click Add and add a default route with the following information:

    Name default

    Destination 0.0.0.0/0

Next Hop: IP Address, with the address 172.16.X.254 (where X is your student #)

    Step 6: Click OK to add the route, review your VR configuration, and then click OK

Step 7: Delete the default-vwire object under Network Virtual Wires

    Step 8: Click Commit to make the changes active

Step 9: Open a StudentPC command prompt and release/renew the IP configuration (C:\> ipconfig /release, C:\> ipconfig /renew, and C:\> ipconfig /all) to check that the DHCP configuration was successful. You should be able to ping 192.168.X.1 (where X is your student #).

NOTE: DO NOT MANUALLY CHANGE THE INTERFACE CONFIGURATION OF THE STUDENT PC. If a DHCP address is not assigned, review the Student Firewall DHCP configuration first.

    Task 4 Create a Source NAT policy Step 1: Click on the Policies tab NAT

    Step 2: Click Add, name it student source nat, then click on the Original Packet tab

    Step 3: Click Add in the Source Zone box and select Trust-L3. Set the Destination Zone to Untrust-L3.

    Step 4: Confirm that the Any checkbox for the Source Address and Destination Address are checked.

    Step 5: Click on Translated Packet tab


    Step 6: Select Translation Type of Dynamic IP and Port

    Step 7: Set Address Type to Interface Address

    Step 8: Select Interface ethernet1/1.x (where x is 200 + your student #)

Step 9: Select the 172.16.X.1/24 address (where X is your student #) from the pull-down immediately below IP Type, then click OK.

Step 10: From Policies Security, select the existing policy and click Delete at the bottom of the page.

Step 11: Create a new policy that allows any traffic from the Trust-L3 zone to the Untrust-L3 zone.

The policy should now look like the following:

Step 12: From Network Zones, remove the zones trust and untrust, then Commit


    Task 5 Create a Destination NAT Policy Step 1: Click on the Policies tab NAT

    Step 2: Click Add, name it web nat, then click on the Original Packet tab

    Step 3: Click Add (in the Source Zone box) and select Trust-L3

    Step 4: Set the Destination Zone to Untrust-L3

    Step 5: Click Any for the Source Address

Step 6: Click Add in the Destination Address box and enter the IP address of www.fortinet.com (you'll need to look up that IP address)

Step 7: Click on Translated Packet tab and check the Destination Address Translation box

Step 8: In the Destination Address Translation section add the IP address of www.exclusive-networks.com (you'll need to look up that IP address)

    Step 9: In the Source Address Translation, set the Translation Type to Dynamic IP and Port

    Step 10: Set Address Type to Interface Address

    Step 11: Select Interface ethernet1/1.x (where x is 200 + your student #)

Step 12: Select the 172.16.X.1/24 address (where X is your student #) from the IP Address pull-down

    Step 13: Move the rule to the top of the list, click OK then Commit all changes

    Step 14: Open a new browser tab to www.fortinet.com. Can you connect? Why or why not?
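The CLI equivalent of Tasks 1 to 5 of this module. This is an added example, not the manual's own CLI section. It assumes student number 5 (so 192.168.5.0/24 inside, 172.16.5.0/24 outside and sub-interface/VLAN 205), the PAN-OS 5.x set-command syntax, the documentation addresses 192.0.2.10 and 198.51.100.20 as placeholders for the two addresses you are asked to look up in Task 5, and that the security rule in the baseline configuration is named rule1 (a factory-default name, not stated in the manual). Lines beginning with # are annotations, not CLI input.

```panos
configure
# Task 1: Layer 3 interfaces and their zones
set network interface ethernet ethernet1/2 layer3 ip 192.168.5.1/24
set network interface ethernet ethernet1/2 layer3 interface-management-profile allow_all
set network interface ethernet ethernet1/1 layer3
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.205 tag 205
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.205 ip 172.16.5.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.205 interface-management-profile allow_ping
set zone Trust-L3 network layer3 ethernet1/2
set zone Untrust-L3 network layer3 ethernet1/1.205
# Task 2: DHCP server for the StudentPC
set network dhcp interface ethernet1/2 server ip-pool 192.168.5.50-192.168.5.60
set network dhcp interface ethernet1/2 server option gateway 192.168.5.1
set network dhcp interface ethernet1/2 server option dns primary 10.30.11.50
# Task 3: virtual router with a default route to the lab router,
# then remove the leftovers of the factory virtual-wire setup
set network virtual-router Student-VR interface [ ethernet1/2 ethernet1/1.205 ]
set network virtual-router Student-VR routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 172.16.5.254 interface ethernet1/1.205
delete network virtual-wire default-vwire
# Task 4: hide 192.168.5.0/24 behind the outside interface address
set rulebase nat rules "student source nat" from Trust-L3 to Untrust-L3 source any destination any service any
set rulebase nat rules "student source nat" source-translation dynamic-ip-and-port interface-address interface ethernet1/1.205 ip 172.16.5.1/24
# Steps 10-12: replace the baseline rule (name rule1 assumed) with an
# allow-any rule, and drop the factory zones
delete rulebase security rules rule1
set rulebase security rules "Trust to Untrust" from Trust-L3 to Untrust-L3 source any destination any application any service any action allow
delete zone trust
delete zone untrust
# Task 5: destination NAT; both addresses are placeholders for the ones
# you look up. The rule is moved to the top so it is evaluated before
# the generic source NAT rule (NAT rules match top-down, first hit wins).
set rulebase nat rules "web nat" from Trust-L3 to Untrust-L3 source any destination 192.0.2.10 service any
set rulebase nat rules "web nat" destination-translation translated-address 198.51.100.20
set rulebase nat rules "web nat" source-translation dynamic-ip-and-port interface-address interface ethernet1/1.205 ip 172.16.5.1/24
move rulebase nat rules "web nat" top
commit
exit
# Checks
show routing route
show dhcp server lease interface ethernet1/2
test routing fib-lookup virtual-router Student-VR ip 4.2.2.2
test nat-policy-match from Trust-L3 to Untrust-L3 source 192.168.5.50 destination 192.0.2.10 protocol 6 destination-port 80
show running nat-policy
```

NAT rules only translate, they never permit: the security rule is still required, and it is matched on the pre-NAT addresses but the post-NAT destination zone. A destination NAT rule that rewrites www.fortinet.com's address therefore still needs a security rule from Trust-L3 to Untrust-L3 whose destination matches the original (untranslated) address.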


    Module 4 App-ID In this lab you will:

    Create a security policy to allow basic internet connectivity and log dropped traffic

    Enable Application Block pages

    Create Application Filters and Application Groups

Task 1 Create a basic Security Policy for outbound traffic Step 1: Click on the Policies tab Security and delete any existing policies.

    Step 2: Click Add

    Step 3: Create a new rule named General Internet

    Step 4: Configure the following information:

    Source Zone: Trust-L3

    Source Address: Any

    Destination Zone: Untrust-L3

    Destination Address: Any

    Application: flash, dns, web-browsing, ssl, ping

    Service: application-default

    Action: Allow

Task 2 Create 2 basic policies to deny all inbound and outbound traffic Question: Why would you want to create two rules, inbound and outbound, rather than a single deny-all rule?


    __________________________________

    Step 1: Click Add

    Step 2: Create a new rule named Deny Outbound

    Step 3: Configure the following information:

    Source Zone: Trust-L3

    Source Address: Any

    Destination Zone: Untrust-L3

    Destination Address: Any

    Application: Any

    Service: Any

    Action: Deny

    Step 4: Create a rule named Deny Inbound

    Step 5: Configure the following information:

    Source Zone: Untrust-L3

    Source Address: Any

    Destination Zone: Trust-L3

    Destination Address: Any

    Application: Any

    Service: Any

    Action: Deny

    Step 6: Ensure your Security Policy looks like this:

    Step 7: Commit your changes

Question: In the General Internet rule, why do you use application-default as the service, whereas you use Any as the service in the two deny rules?

    __________________________________


    Once complete, your Student PC should have access to the Internet.

Step 8: You will now test your new policies. Test Internet connectivity by pinging 4.2.2.2 from your workstation. Does web surfing over ports 80 and 443 work?

Step 9: Use a browser to try to connect to the site http://www.box.net. The browser should not be able to display the site. Why is that? Take a look at the log message in the traffic logs to find out. What is special about that application?

Step 10: Also attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com. Why can you bring up that web site? (Hint: look at the traffic logs)

    Task 3 Create an Application Block Page Step 1: Go to www.facebook.com: what is the browser response?

Step 2: Ensure the Interface Management Profile applied to your ethernet1/2 interface (Trust-L3) has Response Pages checked

    Step 3: Click on the Device tab Response Pages Application Block Page

    Step 4: Enable by clicking Enable

    Step 5: Click OK then commit your changes

    Step 6: Go to www.facebook.com: what is the browser response?

    Task 5 Create Application Filter Step 1: Delete all current rules in your security policy

Step 2: Click on the Objects tab Application Filters and create a new filter named Proxies

    Step 3: Set the Subcategory to proxy

    Step 4: Create a second filter named Web-Based-File-Share and set the Subcategory to file-sharing and set the Technology to browser-based

    Task 6 Create Application Group Step 1: Click on the Objects tab Application Groups

    Step 2: Create a new group named Known-Good and add the applications ssl, web-browsing, ping, dns, and flash

    Step 3: Create a second group called Known-Bad and add the application filters Proxies and Web-based-file-share to it


Task 7 Create three new Security Policies that match the following criteria:

    Step 1: The first policy allows the known good applications.

    Rule 1 Name: Known-Good

    Source Zone: Trust-L3

    Source Address: Any

    Destination Zone: Untrust-L3

    Destination Address: Any

    Application: The Application Group Known-Good

    Service: application-default

    Action: Allow

    Step 2: The second policy blocks all of your known bad applications

    Rule 2 Name: Known-Bad

    Source Zone: Trust-L3

    Source Address: Any

    Destination Zone: Untrust-L3

    Destination Address: Any

    Application: Application Group Known-Bad

    Service: Any

    Action: Deny

    Step 3: The third policy allows all other traffic

    Rule 3 Name: Log All

    Source Zone: Trust-L3

    Source Address: Any

    Destination Zone: Untrust-L3

    Destination Address: Any

    Application: Any

    Service: Any

    Action: Allow

    Step 4: Confirm that your security rulebase looks like this, and then commit your changes:


    Step 5: You will now test your new policies. Ping from your student PC out to the Internet. That should work. Also, web surfing should work, over port 80 and 443.

    Step 6: Use a browser to try to connect to the site www.box.net. The browser should not be able to display the site. Why is that? Take a look at the log message in the traffic log to find out. What is special about that application?

    Step 7: Now attempt to reach www.box.net using the proxy site www.avoidr.com. Go to www.avoidr.com. You should not be allowed to browse it, why? (HINT: look at the traffic logs).

    Step 8: Select the ACC tab to access the Application Command Center. Use the drop-down menu in the application section of the ACC to select different ways of viewing the traffic that you have generated. What is the total risk level for all traffic that has passed through the firewall thus far? Notice that the URL Filtering, Threat Prevention, and Data Filtering sections within the ACC contain no matching records.
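The CLI equivalent of Tasks 1, 2 and 5 to 7 of this module, showing the first rulebase and then its replacement with the application-filter and application-group based rules. This is an added example, not the manual's own CLI section; it assumes student number 5 (StudentPC at 192.168.5.50), the PAN-OS 5.x set-command syntax, and the address 203.0.113.5 as a placeholder for any external web server in the policy-match test. Lines beginning with # are annotations, not CLI input.

```panos
configure
# Tasks 1-2: explicit allow, then explicit deny in each direction.
# application-default pins each allowed app to its standard port(s), so
# an allowed app cannot be carried on an arbitrary port; the deny rules
# use service any so they catch everything regardless of port.
set rulebase security rules "General Internet" from Trust-L3 to Untrust-L3 source any destination any application [ dns flash ping ssl web-browsing ] service application-default action allow
set rulebase security rules "Deny Outbound" from Trust-L3 to Untrust-L3 source any destination any application any service any action deny log-end yes
set rulebase security rules "Deny Inbound" from Untrust-L3 to Trust-L3 source any destination any application any service any action deny log-end yes
commit
# Task 5 step 1: start over
delete rulebase security rules "General Internet"
delete rulebase security rules "Deny Outbound"
delete rulebase security rules "Deny Inbound"
# Task 5: dynamic application filters. A filter is re-evaluated on every
# content update, so new proxy or file-sharing apps fall into it
# automatically; no rule edit is needed when App-ID adds one.
set application-filter Proxies subcategory proxy
set application-filter Web-Based-File-Share subcategory file-sharing technology browser-based
# Task 6: application groups. PAN-OS 5.x takes the member list directly;
# PAN-OS 7.0 and later use "... application-group <name> members [ ... ]".
set application-group Known-Good [ dns flash ping ssl web-browsing ]
set application-group Known-Bad [ Proxies Web-Based-File-Share ]
# Task 7: the deny rule must sit above "Log All", which allows any app
set rulebase security rules Known-Good from Trust-L3 to Untrust-L3 source any destination any application Known-Good service application-default action allow
set rulebase security rules Known-Bad from Trust-L3 to Untrust-L3 source any destination any application Known-Bad service any action deny log-end yes
set rulebase security rules "Log All" from Trust-L3 to Untrust-L3 source any destination any application any service any action allow log-end yes
commit
exit
# Checks: which rule a given flow would hit, and what was denied
show running security-policy
test security-policy-match from Trust-L3 to Untrust-L3 source 192.168.5.50 destination 4.2.2.2 protocol 1
test security-policy-match from Trust-L3 to Untrust-L3 source 192.168.5.50 destination 203.0.113.5 protocol 6 destination-port 80
show log traffic query equal "( action eq deny )" direction equal backward
```

The policy-match test reports the rule by name only; a flow whose application is identified mid-session (as with a site behind a proxy) can start under one rule and be denied later, which is why Steps 6 and 7 send you to the traffic log rather than to the test command.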

Task 8 Create a custom query in the Traffic Log Step 1: Click the Monitor tab Traffic Logs

Step 2: Click one value in each of the following three columns: From Zone, Destination, Application

Step 3: Click the run (apply filter) button or press Enter

Step 4: Click the query builder button (+) and select and, Bytes,


    Module 5 Content ID In this lab you will:

    Configure Security Profiles and connect them to Security Policy

    Task 1 Configure a URL filtering Profile Step 1: Click on Objects tab Security Profiles URL Filtering

    Step 2: Click Add

    Step 3: Set Name Student-url-filtering and set the following:

    Check the box next to Dynamic URL Filtering

    Set the Action for all Categories to Alert

    Place paloaltonetworks.com and *.paloaltonetworks.com into the Allow list

    Task 2 Configure a Custom URL Filtering Category

    Step 1: Click on Objects tab > Custom URL Categories

    Step 2: Click Add

    Step 3: Set Name to BadFW and set the following:

    Add sites: www.watchguard.com, www.juniper.net, www.fortinet.com, www.mcafee.com, www.cisco.com, www.netgear.com, www.sonicwall.com, www.barracudanetworks.com, www.checkpoint.com

    Step 4: Click Ok

    Task 3 Configure an Antivirus Profile

    Step 1: Click on Objects tab > Antivirus

    Step 2: Click Add

    Step 3: Set Name to Student-antivirus and set the following:

    Change all Actions to alert

    Step 4: Click the Packet Capture check box

    Step 5: Click Ok

    Task 4 Configure an Anti-Spyware Profile

    Step 1: Click on Objects tab > Anti-Spyware and set the profile name to Student-antispyware

    Step 2: Click Add (under the Rules tab in the popup) and set the following:

    Set Rule Name to rule-1

    Set Action to Allow

    Set Severity: Low and Informational

    Step 3: Click Ok and then click Add again (under the Rules tab in the popup)

    Set Rule Name to rule-2

    Set Action to Alert

    Set Severity: Critical and High

    Task 5 Connect individual Profiles to Policy

    Step 1: Click on the Policies tab > Security

    Step 2: Click on none in the Profile column of the Known_Good rule (you may have to scroll to the right in this screen to see this column).

    Step 3: Set Profile Type to Profiles

    Step 4: Set Anti-virus to Student-antivirus, set Anti-spyware to Student-antispyware and URL to Student-url-filtering

    Step 5: Click OK

    Step 6: Do the same thing for the Log_All rule, then Commit all changes

    Task 6 Test connectivity

    Step 1: On your student PC, go to http://www.eicar.org, then click on the download antivirus test file hyperlink and then click download on the left of the page.

    Step 2: In the middle of the page a list of links should appear

    Step 3: Download the eicar test virus (eicar.com, eicar.com.txt, eicar_com.zip, eicarcom2.zip) using http.

    Step 4: Click on the Monitor tab > Threat log, and look for the log message that detects the eicar file. Scroll to the Action column to verify the alert for each file download.

    Step 5: Click on the green down arrow in the left-hand column. This brings up a view of the packets that were captured.

    Those captured packets can be exported in pcap format and examined offline with a protocol analyzer for further investigation.

    Step 6: Modify the anti-virus security profile (from MOD 5, Task 3) to BLOCK all viruses

    Step 7: Click Commit

    Step 8: In a new browser tab or window, attempt to download eicar (Step 3). A block page should appear:

    Step 9: On the firewall, click on the Monitor tab > Threat Logs. You will see log entries there stating that the eicar virus was detected.

    Step 10: After 15 minutes, the threats you just generated will appear on the ACC tab, under the Threats section.
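    The detection exercised in Steps 1 to 10 depends on the firewall decoding each download format before it can match a signature, which is why eicar.org offers the test string plain, as .txt, zipped and double-zipped. The following Python script is an added example, not part of this lab manual and not Palo Alto Networks code: it constructs those four variants in memory and runs a small content scanner over them that descends into nested zip archives, with a depth limit so a deeply nested archive cannot exhaust it. The file names mirror the ones listed in Step 3; the MAX_ZIP_DEPTH value and the strict-EICAR matching rule (68-byte string, optional trailing whitespace, at most 128 bytes) are assumptions made for the example.

```python
import io
import zipfile

# Public EICAR test string (68 bytes); harmless by design and detected by every AV engine.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

MAX_ZIP_DEPTH = 4  # assumption: stop descending into archives nested deeper than this


def zip_bytes(member_name: str, payload: bytes) -> bytes:
    """Return an in-memory zip archive containing one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def build_samples() -> dict:
    """Construct the four download variants named in Step 3 (constructed here, not fetched)."""
    inner_zip = zip_bytes("eicar.com", EICAR)
    return {
        "eicar.com": EICAR,
        "eicar.com.txt": EICAR,
        "eicar_com.zip": inner_zip,
        "eicarcom2.zip": zip_bytes("eicar_com.zip", inner_zip),  # zip inside a zip
    }


def is_eicar(data: bytes) -> bool:
    """Match per the EICAR specification: the 68-byte string, optionally followed
    by whitespace, total length at most 128 bytes."""
    return len(data) <= 128 and data.rstrip(b" \t\r\n") == EICAR


def scan(name: str, data: bytes, depth: int = 0) -> list:
    """Return the paths (outer/inner) at which the test signature is found, descending
    into zip archives the way a content-inspection engine must; returns [] when clean."""
    hits = []
    if is_eicar(data):
        hits.append(name)
    if depth < MAX_ZIP_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                hits.extend(scan(f"{name}/{member}", zf.read(member), depth + 1))
    return hits


def scan_samples() -> dict:
    """Scan every constructed sample; maps file name to the list of detection paths."""
    return {name: scan(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        verdict = "alert" if hits else "clean"
        print(f"{name:15s} {verdict:6s} {hits}")
```

    The double-zipped variant is found only because the scanner re-enters the inner archive; an engine that stops at the first container layer would report eicarcom2.zip as clean, which is the behaviour Step 4's Action column lets you verify per file.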

    Step 11: Browse to various websites. The URL filtering profile is recording each website that you go to.

    Step 12: Go to a web site that is a directory of other hacking sites: http://neworder.box.sk

    Step 13: On the firewall, click on the Monitor tab > URL Filtering Logs. You will see log entries that match the web sites you went to. What category was that site?

    Step 14: Edit the URL filtering profile (from MOD 5, Task 1) to block access to hacking sites

    Step 15: Commit the changes

    Step 16: In a new browser window, attempt to go to http://neworder.box.sk. You should not be able to. You should see a block page similar to the following:

    Task 7 Create a File Blocking Profile: WildFire

    Step 1: Remove the Anti-Virus Profile from the Security Policies

    Step 2: Click on Objects tab > Security Profiles > File Blocking

    Step 3: Click Add and name the profile Wildfire-test-1

    Step 4: Click Add and name the rule type-1

    Step 5: Set Action to forward

    Step 6: Click Ok

    Step 7: Add the Profile to the Known_Good and Log_All Security Policies

    Step 8: Add the applications ftp and fileserve to the Known_Good Policy

    Step 9: Commit all changes

    Step 10: Navigate to \\10.30.11.50\students\student_tools_labs_205 and copy the file named fiddler2Setup.exe to your desktop.

    Step 11: Open a new browser window to http://www.fileserve.com

    Step 12: Log in with the credentials Login: panedu / Passwd: paloalto

    Step 13: Click the Upload tab (in the Fileserve web site) and upload the setup .exe file copied to your desktop in Step 10

    Step 14: Review the Data Filtering log; the file should have been forwarded to the sandbox for analysis. Your instructor will show you the sandbox's verdict for the file.

    Task 8 Configure a Security Profile Group

    Step 1: Click on Objects tab > Security Profile Groups

    Step 2: Click Add

    Step 3: Set Name to Student-profile-group and set the following:

    Antivirus to Student-antivirus

    Anti-spyware to Student-antispyware

    URL Filtering to Student-url-filtering

    Step 4: Click Ok

    Task 9 Connect Profile Group to Policy

    Step 1: Click on the Policies tab > Security

    Step 2: Click on none in the Profile column of the Known_Good rule

    Step 3: In the pull-down list of the pop-up, set Profile Type to Group

    Step 4: Set Group Profile to Student-profile-group

    Step 5: Click OK then Commit all changes

    Task 10 Create a Custom Report

    Step 1: Click the Monitor tab > Manage Custom Reports and click Add with the following:

    Report name: Top unclassified traffic by day

    Database: Traffic Summary

    Period: Last 24 hours

    Sort By: Bytes

    Select Top 5

    Group By: None

    Remove the existing column headings before adding the following columns

    Selected columns (in the following order): application, application technology, application subcategory, bytes

    Add a Query where the filter condition is:

    Attribute: Rule

    Operation: =

    Value: (use the name you gave to the rule in your security policies: it should be called Known_Good. Make sure to use the same capitalization).

    Step 2: Save the report and then run the report.
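    Both the Traffic Log custom query (Task 8 above) and this custom report operate on the same per-session log fields: a filter selects rows, and the report then groups, sums and ranks them. The following Python script is an added example, not code from this lab manual or from PAN-OS: it evaluates a simplified PAN-OS-style filter string (terms such as (from eq Trust-L3) joined by and/or, with and binding tighter than or and parentheses only around single terms) over a handful of constructed traffic-log rows, then reproduces the report logic from Task 10: rows matching (rule eq Known_Good), grouped by application, sorted by bytes, top 5, with the application, technology, subcategory and bytes columns. The log rows, their technology and subcategory values, and the short field names are constructed for the example and are not firewall output.

```python
import re
from collections import defaultdict

# Constructed traffic-log rows (not real firewall output). Field names follow the
# lab's column names: from zone, destination, application, bytes, rule.
TRAFFIC_LOG = [
    {"from": "Trust-L3", "to": "Untrust-L3", "dst": "203.0.113.10", "app": "web-browsing",
     "technology": "browser-based", "subcategory": "internet-utility", "bytes": 52000, "rule": "Known_Good"},
    {"from": "Trust-L3", "to": "Untrust-L3", "dst": "203.0.113.20", "app": "web-browsing",
     "technology": "browser-based", "subcategory": "internet-utility", "bytes": 18000, "rule": "Known_Good"},
    {"from": "Trust-L3", "to": "Untrust-L3", "dst": "203.0.113.30", "app": "ssl",
     "technology": "browser-based", "subcategory": "encrypted-tunnel", "bytes": 91000, "rule": "Known_Good"},
    {"from": "Trust-L3", "to": "Untrust-L3", "dst": "203.0.113.53", "app": "dns",
     "technology": "network-protocol", "subcategory": "infrastructure", "bytes": 1200, "rule": "Known_Good"},
    {"from": "Trust-L3", "to": "Untrust-L3", "dst": "203.0.113.1", "app": "ping",
     "technology": "network-protocol", "subcategory": "ip-protocol", "bytes": 640, "rule": "Known_Good"},
    {"from": "Trust-L3", "to": "Untrust-L3", "dst": "203.0.113.40", "app": "youtube-base",
     "technology": "browser-based", "subcategory": "photo-video", "bytes": 350000, "rule": "Known_Good"},
    {"from": "Trust-L3", "to": "Untrust-L3", "dst": "203.0.113.41", "app": "facebook-base",
     "technology": "browser-based", "subcategory": "social-networking", "bytes": 27000, "rule": "Known_Good"},
    {"from": "Trust-L3", "to": "Untrust-L3", "dst": "203.0.113.42", "app": "boxnet-base",
     "technology": "browser-based", "subcategory": "file-sharing", "bytes": 4800, "rule": "Log_All"},
    {"from": "Trust-L3", "to": "Untrust-L3", "dst": "203.0.113.25", "app": "smtp",
     "technology": "client-server", "subcategory": "email", "bytes": 8000, "rule": "Known_Good"},
]

# One filter term, "(field op value)", with the operators the PAN-OS log filter bar accepts.
TERM = re.compile(r"\(\s*(\w+)\s+(eq|neq|geq|leq|contains)\s+([^()]+?)\s*\)")


def match_term(row: dict, field: str, op: str, value: str) -> bool:
    actual = row.get(field)
    if actual is None:
        return False
    if isinstance(actual, int):          # numeric columns such as bytes compare as numbers
        value = int(value)
    if op == "eq":
        return actual == value
    if op == "neq":
        return actual != value
    if op == "geq":
        return actual >= value
    if op == "leq":
        return actual <= value
    return str(value) in str(actual)     # contains


def match_filter(row: dict, expr: str) -> bool:
    """Simplified PAN-OS-style filter evaluation: terms joined by 'and'/'or',
    'and' binds tighter than 'or', parentheses only delimit single terms."""
    for clause in re.split(r"\s+or\s+", expr.strip()):
        for term in re.split(r"\s+and\s+", clause):
            m = TERM.fullmatch(term.strip())
            if m is None:
                raise ValueError(f"malformed filter term: {term!r}")
            if not match_term(row, *m.groups()):
                break                     # this and-clause fails; try the next or-clause
        else:
            return True                   # every term of the clause matched
    return False


def run_query(log: list, expr: str) -> list:
    """Equivalent of typing a filter into the Traffic Log query bar and pressing Enter."""
    return [row for row in log if match_filter(row, expr)]


def top_apps_report(log: list, rule: str, top: int = 5) -> list:
    """Custom-report logic: filter on (rule eq <rule>), group by application,
    sum bytes, sort descending, keep the top N, selected columns only."""
    totals = defaultdict(int)
    meta = {}
    for row in run_query(log, f"(rule eq {rule})"):
        totals[row["app"]] += row["bytes"]
        meta[row["app"]] = (row["technology"], row["subcategory"])
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]
    return [{"application": app, "technology": meta[app][0],
             "subcategory": meta[app][1], "bytes": total} for app, total in ranked]


if __name__ == "__main__":
    query = "(from eq Trust-L3) and (app eq web-browsing) and (bytes geq 20000)"
    for row in run_query(TRAFFIC_LOG, query):
        print("query hit:", row["dst"], row["app"], row["bytes"])
    for line in top_apps_report(TRAFFIC_LOG, "Known_Good"):
        print(line)
```

    The rule-name filter is exact-match and case-sensitive in the evaluator, which is the reason behind the capitalization note in the Value field above: a report filtered on "known_good" would return no rows.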

    Module 6 User-ID

    In this lab you will:

    Connect your firewall to a User-ID Agent

    Task 1 Configure firewall to talk to User-ID Agent

    Step 1: Click on Device tab > User Identification > User-ID Agents tab

    Step 2: Click Add and set the Name to pan-training-X (where X is your student number)

    Step 3: Set IP address to 10.30.11.50 (Instructor may provide different IP information)

    Step 4: Set Port to 5000 (Instructor may provide different port information)

    Step 5: Click OK then Commit all changes

    Task 2 Review user/IP information

    Step 1: Open an SSH session, log in and issue the following commands:

    show user user-id-agent statistics

    show user user-IDs

    show user ip-user-mapping all

    show user ip-user-mapping ip

    Note that the mappings come from AD and show the IP addresses associated with the student accounts.

    Task 3 User-ID Agent (optional)

    Step 1: Navigate to \\10.30.11.50\students\software and copy the file named UaInstall-4.1.1-7.msi to your desktop. (Instructor may direct you to a different file.)

    Step 2: Double-click the file on your desktop. Click Next 3 times. The installation should begin.

    Step 3: Navigate to C:\Program Files\Palo Alto Networks\User-ID Agent and double-click UaController.exe

    Step 4: In the window click Setup (in the left-hand column)

    Step 5: In the window click Edit (directly above the Access Control List box) and review the tabs in the pop-up window

    Step 6: Click the Authentication tab and enter the Username/Password provided by the instructor

    Step 7: Click the Agent Service tab. (You will need the User-ID Service TCP Port number.) Click Ok

    Step 8: Click Discovery in the left-hand column, then click Auto Discover below the Server section

    Step 9: Then click Commit in the first window (no further response will occur)

    Step 10: Click Logs in the left-hand column to review that the service started

    Step 11: Open a StudentPC command prompt and issue C:\> ipconfig /all. Look for the IP address associated with the Ethernet adapter "Management DO NOT CONFIGURE". (This IPv4 address should be in the range 10.30.11.66-105).

    Step 12: With the StudentPC IP address (10.30.11.___) and the Port number from Step 7, repeat Task 1 Configure firewall to talk to User-ID Agent

    Step 13: Confirm connectivity with the CLI command show user user-id-agent statistics

    Step 14: Review Agent configuration with the CLI command show user user-id-agent config name

    Module 7 Decryption

    In this lab you will:

    Create and test SSL certificates and decryption rules

    Task 1 Pre-setup and test

    Step 1: Modify your anti-virus profile (from MOD 5, Task 3) to Alert

    Step 2: Apply the AV profile to the Known_Good and Log_All Security Policies

    Step 3: Remove the file-blocking profiles from the Security Policies

    Step 4: Commit the changes

    Step 5: Go to the eicar.org site and find the Download AntiMalware testfiles.

    Step 6: Test downloading (without SSL decryption) one of the eicar test files

    Step 7: From the same web page, test downloading (this time using the SSL protocol) the eicar.com or eicar.com.txt file

    Step 8: Look at the Monitor tab > Threat logs. Was the virus detected? It should not have been, as the connection was encrypted. We will now enable SSL decryption so that the SSL connection is decrypted and the virus inside it can be detected.

    Task 2 Create an SSL self-signed Certificate

    Step 1: Click the Device tab > Certificates screen

    Step 2: Click Generate along the bottom of the screen.

    Step 3: Set the certificate fields as follows:

    Certificate Name: Student-ssl-cert

    Common Name: 192.168.X.1 (where X is your student number)

    Country: US (or other 2-letter country code)

    State, Locality, Organization, Department, Email, Host Name, and IP with values as desired.

    Step 4: Select Certificate Authority below the Signed By field.

    Step 5: Click Generate

    Step 6: Once the certificate has successfully been generated, click on it to bring up the certificate properties, and select Forward Trust Certificate and Forward Untrust Certificate

    Step 7: Click OK

    Task 3 Create SSL Outbound Decryption Policies

    Step 1: Click the Policies tab > Decryption.

    Step 2: Click Add and create an SSL decryption rule with the following parameters:

    General tab: Name No-Decrypt

    Source tab: Source Zone Trust-L3

    Destination tab: Destination Zone Untrust-L3

    Options tab: Action no-decrypt and URL Categories: Health and medicine, Shopping, Financial Services

    Step 3: Click Add and create an SSL decryption rule with the following parameters:

    General tab: Name Decrypt-all-traffic

    Source tab: Source Zone Trust-L3

    Destination tab: Destination Zone Untrust-L3

    Options tab: Action decrypt, Type SSL Forward Proxy and URL Categories: Any

    Step 4: Confirm that the No-Decrypt rule is above the Decrypt-all-traffic rule (rules are evaluated top down and the first match wins), then click Commit.

    Step 5: To test the No-Decrypt rule, first determine which URLs fall into the financial services, shopping, or health and medicine categories. Go to http://www.brightcloud.com/ and enter various URLs that you believe fall into those categories.

    Step 6: Once you have found a couple of web sites that are classified as you expect, use a browser to go to those sites. You should not see a certificate error when you go to those sites.

    Step 7: To test the SSL decryption rule, go to the www.eicar.org downloads page and download the virus using SSL. You will get a certificate error. This is expected behavior, and you can proceed. (The certificate error appears because the firewall is intercepting the SSL connection and decrypting it as a man-in-the-middle, so the browser is presented a certificate issued by the forward trust CA from Task 2 rather than the site's own certificate.)

    HINT: If the download doesn't proceed, review the firewall Traffic Log and URL Filtering log. (You may need the IP address of the Eicar site.)

    Step 8: Examine the Threat logs. The virus should have been detected, since the SSL connection was decrypted. To the left of the log entry, click on the magnifying glass icon. Scroll to the bottom, and look for the field Decrypted. The value should say yes.

    Step 9: Examine the Traffic logs. Find the entry with the SSL application that corresponds to the eicar download. Examine the details view. The Decrypted box should be checked.

    Task 4 Set SSL exclude cache

    Step 1: Open an SSH connection to the student firewall

    Step 2: Set the exclude cache for the eicar.org domain. From configure mode type: set shared ssl-decrypt ssl-exclude-cert eicar.org, then commit

    Step 3: Repeat the Steps 7, 8, and 9 from the previous Task

    Question: what entries are now in the Traffic and Threat logs?
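    The outcomes of Task 3 (which sessions are decrypted, and why only the decrypted ones produce a certificate error) and Task 4 (what the exclude cache changes) both follow from first-match evaluation of the decryption rulebase. The following Python script is an added example written for this edit, not code from the lab manual or from PAN-OS: it models the two Task 3 rules, evaluates constructed sessions against them top down, reports which CA the browser would see on the server certificate, and applies a simplified exclude cache in front of the rulebase. The host names, the site issuer names, and the URL category assigned to eicar.org are assumptions made for the example; the forward-trust Common Name is the one from Task 2 with X left as a placeholder.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DecryptRule:
    name: str
    from_zone: str
    to_zone: str
    categories: frozenset      # empty means "Any", as in the Decrypt-all-traffic rule
    action: str                # "decrypt" or "no-decrypt"


@dataclass(frozen=True)
class Session:
    host: str                  # server name the client connects to
    from_zone: str
    to_zone: str
    category: str              # URL category the firewall assigns to the host
    site_issuer: str           # CA that really signed the site's certificate (constructed)


# The two rules from Task 3, in the order Step 4 tells you to verify.
LAB_RULES = [
    DecryptRule("No-Decrypt", "Trust-L3", "Untrust-L3",
                frozenset({"financial-services", "shopping", "health-and-medicine"}), "no-decrypt"),
    DecryptRule("Decrypt-all-traffic", "Trust-L3", "Untrust-L3", frozenset(), "decrypt"),
]

# Common Name of the Task 2 forward-trust certificate; X stands for the student number.
FORWARD_TRUST_CN = "192.168.X.1"


def in_exclude_cache(host: str, exclude_cache: frozenset) -> bool:
    """True when the host, or a parent domain of it, was excluded with ssl-exclude-cert."""
    return any(host == d or host.endswith("." + d) for d in exclude_cache)


def evaluate(rules: list, session: Session, exclude_cache: frozenset = frozenset()) -> tuple:
    """Return (matching rule name, effective action). First match wins, top to bottom;
    the exclude cache (Task 4) bypasses decryption regardless of policy. Simplified model."""
    if in_exclude_cache(session.host, exclude_cache):
        return ("ssl-exclude-cache", "no-decrypt")
    for rule in rules:
        if (rule.from_zone, rule.to_zone) != (session.from_zone, session.to_zone):
            continue
        if rule.categories and session.category not in rule.categories:
            continue
        return (rule.name, rule.action)
    return (None, "no-decrypt")            # no rule matched: traffic passes through encrypted


def presented_issuer(rules: list, session: Session, exclude_cache: frozenset = frozenset()) -> str:
    """Which CA the browser sees on the server certificate. A decrypted session receives a
    certificate re-signed by the firewall's forward-trust CA, which is why Task 3 Step 7
    produces a certificate error until the browser trusts that CA (Task 5)."""
    _, action = evaluate(rules, session, exclude_cache)
    return FORWARD_TRUST_CN if action == "decrypt" else session.site_issuer


# Constructed sessions; the category given to eicar.org here is an assumption.
BANK = Session("bank.example", "Trust-L3", "Untrust-L3", "financial-services", "Example Public CA")
EICAR = Session("www.eicar.org", "Trust-L3", "Untrust-L3", "computer-and-internet-info", "Example Public CA")
INTERNAL = Session("intranet.example", "Trust-L3", "Trust-L3", "private-ip-addresses", "Example Internal CA")

if __name__ == "__main__":
    for s in (BANK, EICAR, INTERNAL):
        print(s.host, evaluate(LAB_RULES, s), "issuer seen:", presented_issuer(LAB_RULES, s))
    print("rules reversed, bank:", evaluate(list(reversed(LAB_RULES)), BANK))
    print("eicar.org excluded:", evaluate(LAB_RULES, EICAR, frozenset({"eicar.org"})))
```

    Running it with the rules reversed shows the failure mode Step 4 guards against: with Decrypt-all-traffic on top, the bank session is decrypted too and the browser would show a certificate error on a site the policy intended to leave alone.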

    Task 5 Review Self-signed Certificate on StudentPC browser

    Step 1: Open the browser used to test the SSL Outbound Decryption policy created in Task 3. Find the certificate that was generated (in Task 2) that should now be in the StudentPC browser.

    Module 8 VPN

    In this lab you will:

    Configure an IPsec tunnel to another Student firewall - Trust Zone

    Configure an IPsec tunnel to another Student firewall - Untrust Zone

    Task 1 Configure IPsec Tunnel - Trust Zone

    Step 1: Pick another student firewall and fill in the following:

    Your Student Number: ..............................................(X) ____

    Partner's Student Number: .......................................(Y) ____

    Partner's Ethernet1/1.2xx IP Address: .....................172.16.____(Y).1

    Partner's Trusted Network: .....................................192.168.____(Y).0

    Partner's Ethernet1/2 IP address: ............................192.168.____(Y).1

    Step 2: Click Network tab > Interfaces > Tunnel tab

    Step 3: Select Add

    Step 4: Create a new tunnel interface. Configure the Tunnel Interface with the following:

    Tunnel Interface Name: .............................................tunnel.____(X)

    Virtual Routers: ..........................................................Student-VR

    Zone: ..........................................................................Trust-L3

    Step 5: Click Network tab > IKE Gateway

    Step 6: Click Add and configure with the following:

    Name: .........................................................................Student-____ (Y)

    Interface: ....................................................................ethernet1/1.2xx

    Local IP Address: ........................................................172.16.____(X).1

    Peer IP Address: .........................................................172.16.____(Y).1

    Pre-shared Key: ..........................................................paloalto

    Step 7: Click Network tab > IPsec Tunnels

    Step 8: Click Add and configure with the following:

    Name: .........................................................................Tunnel-to-____ (Y)

    Tunnel Interface: ........................................................tunnel.____(X)

    IKE Gateway: ..............................................................Student-____(Y)

    Step 9: Click Network tab > Virtual Routers

    Step 10: Click on Student-VR

    Step 11: Click Static Route tab

    Step 12: Click Add to add a route with the following information:

    Name: ...........................................................student____(Y)

    Destination: ...................................................192.168.____(Y).0/24

    Interface: ......................................................tunnel.____(X)

    Step 13: Commit your changes

    Step 14: Test VPN tunnel connectivity by opening a command prompt window and typing:

    C:\Documents and Settings\student> ping 192.168.____(Y).1

    Question: Do you need to modify your security policy? Why or why not?

    _____________________________________________________________

    (Answer: Since the tunnel interface is in the Trust-L3 zone, no policy changes are required.)

    Reference:

    admin@PA-500> show vpn tunnel
        Shows current tunnels (has a tunnel ID as first column, TnID)

    admin@PA-500> show vpn flow tunnel-id
        Shows detailed info on a specific tunnel (will show packets and bytes through the tunnel)

    admin@PA-500> clear vpn ike-sa gateway all
        Tears down all tunnels and gateway SAs

    admin@PA-500> test vpn ipsec-sa tunnel
        Initiates Phase 1 and Phase 2 SAs for the specified tunnel

    Task 2 Configure IPsec Tunnel - Untrust Zone

    Step 1: Edit your tunnel interface and change the Security Zone to Untrust-L3

    Step 2: Commit your changes

    Step 3: Attempt to ping the remote student's internal gateway interface IP address (192.168._Y_.1).

    Question: Does the ping work? If not, why?

    ________________________________

    Answer: It should not work, because there is no policy to allow the traffic.

    Step 4: Create a new Security Policy Rule from your Trust zone to your Untrust zone. You should create address objects for your network and your partner's network and use them to make your policy more restrictive. You will also need to build a policy from Untrust to Trust to allow the inbound traffic from your partner's network.
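    The two answers in this module (no policy change needed while the tunnel sits in Trust-L3; ping denied once it moves to Untrust-L3) come from the firewall's default rules: traffic within one zone is allowed and traffic between zones is denied unless a rule permits it. The following Python script is an added example, not code from the lab manual or from PAN-OS: it derives each endpoint's zone from a constructed routing table, evaluates a rulebase top down, then falls back to those two defaults, and shows Step 4's Trust-to-Untrust and Untrust-to-Trust rules scoped with address objects. Student X = 1 and partner Y = 2, the interface networks, and the rule names are all constructed for the example; deriving the source zone by route lookup stands in for the ingress-interface zone a real firewall would use.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    source: str        # address object (CIDR), or "any"
    destination: str   # address object (CIDR), or "any"
    action: str        # "allow" or "deny"


def zone_of(ip: str, routes: list) -> str:
    """Zone of the interface a packet to/from ip uses, by longest-prefix route lookup."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    if best is None:
        raise ValueError(f"no route for {ip}")
    return best[1]


def in_object(ip: str, obj: str) -> bool:
    """Address-object match; 'any' places no restriction."""
    return obj == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(obj)


def policy_decision(rules: list, routes: list, src_ip: str, dst_ip: str) -> tuple:
    """Evaluate the rulebase top down, then apply the PAN-OS default rules: same-zone
    traffic is allowed (intrazone-default), cross-zone traffic is denied
    (interzone-default). Returns (rule name, action)."""
    src_zone, dst_zone = zone_of(src_ip, routes), zone_of(dst_ip, routes)
    for r in rules:
        if ((r.from_zone, r.to_zone) == (src_zone, dst_zone)
                and in_object(src_ip, r.source) and in_object(dst_ip, r.destination)):
            return (r.name, r.action)
    if src_zone == dst_zone:
        return ("intrazone-default", "allow")
    return ("interzone-default", "deny")


def lab_routes(tunnel_zone: str) -> list:
    """Routing table of student X = 1 peering with partner Y = 2 (constructed numbers).
    The tunnel interface's zone is the only thing Task 2 Step 1 changes."""
    return [
        ("192.168.1.0/24", "Trust-L3"),     # ethernet1/2, this student's trusted network
        ("172.16.1.0/24", "Untrust-L3"),    # ethernet1/1.2xx, IKE peer side
        ("192.168.2.0/24", tunnel_zone),    # static route via tunnel.1 to the partner's network
        ("0.0.0.0/0", "Untrust-L3"),        # default route to the Internet
    ]


# Task 2 Step 4: address objects for both networks keep the rules narrow (constructed names).
PARTNER_RULES = [
    SecurityRule("To-Partner", "Trust-L3", "Untrust-L3", "192.168.1.0/24", "192.168.2.0/24", "allow"),
    SecurityRule("From-Partner", "Untrust-L3", "Trust-L3", "192.168.2.0/24", "192.168.1.0/24", "allow"),
]

if __name__ == "__main__":
    pc, partner_gw = "192.168.1.10", "192.168.2.1"
    print("tunnel in Trust-L3, no rules:   ", policy_decision([], lab_routes("Trust-L3"), pc, partner_gw))
    print("tunnel in Untrust-L3, no rules: ", policy_decision([], lab_routes("Untrust-L3"), pc, partner_gw))
    print("tunnel in Untrust-L3, with rules:", policy_decision(PARTNER_RULES, lab_routes("Untrust-L3"), pc, partner_gw))
    print("partner-initiated:              ", policy_decision(PARTNER_RULES, lab_routes("Untrust-L3"), "192.168.2.10", "192.168.1.1"))
    print("PC to Internet host:            ", policy_decision(PARTNER_RULES, lab_routes("Untrust-L3"), pc, "203.0.113.5"))
```

    The last case shows what the address objects buy you: because To-Partner's destination is the partner network rather than any, a connection from the PC to an Internet host in the same Untrust-L3 zone still falls through to interzone-default and is denied, so the tunnel rule does not silently widen Internet access.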

    Module 9 High Availability (optional)

    In this lab you will:

    Configure an Active/Passive HA pair with another Student firewall

    Task 1 Configure HA Active/Passive

    Step 1: Click the Dashboard tab > High Availability Dashboard Widget

    Step 2: Click on Network tab > Interfaces

    Step 3: Set interfaces ethernet1/7 and ethernet1/8 to Type HA, then click Commit

    Step 4: Work with another student firewall and fill in the following:

    Your Student Number: ..............................................(X) ____

    Partner's Student Number: .......................................(Y) ____

    Step 5: Agree upon IP and device information to fill in the following:

    Group ID:.............................................................._____ (Pick one of your Student numbers)

    Control Link: ........................................................ethernet1/7

    Your Control Link IP: ............................................10.10.____.____(X)

    (3rd octet is lower student number)

    Partner Control Link IP: .......................................10.10.____.____(Y)

    (3rd octet is lower student number)

    Data Link: .............................................................ethernet1/8

    Your Data Link IP: ................................................10.10.____.____(X)

    (3rd octet is higher student number)

    Partner Data Link IP: ...........................................10.10.____.____(Y)

    (3rd octet is higher student number)

    Your Device Priority: ...........................................____(X)

    Partner Device Priority: .......................................____(Y)

    Step 6: Click on the Device tab > High Availability and configure the following with the information collected in Step 5

    Step 7: Click Edit in the Setup box

    HA Enabled: .........................................................click check box

    Group ID:..............................................................Determined in Step 5

    Peer HA IP Address: .............................................Partner Control Link IP

    Step 8: Click Edit in the Control Link (HA1) box and configure with the following:

    Control Link Port: ................................................ethernet1/7

    Control Link IP address:.......................................Your Control Link IP

    Control Link Netmask: ........................................./24

    Step 9: Click Edit in the Data Link (HA2) box

    Data Link Port: .....................................................ethernet1/8

    Data Link IP address: ...........................................Your Data Link IP

    Data Link Netmask: ............................................./24

    Step 10: Click Edit in the Election Settings box

    Device Priority: ....................................................Your Student Number

    Heartbeat Backup: ...............................................Enabled

    Step 11: Click the Link and Path Monitoring tab and enter the following in the Link Monitoring section (ON LOWER DEVICE PRIORITY FIREWALL ONLY)

    Enabled: ...............................................................click check box

    Failure Condition: ................................................Any

    Link Group Name: ................................................Student HA

    Interfaces: ............................................................ethernet1/7, ethernet1/8

    Step 12: Commit all changes

    Module 10 Panorama

    In this lab you will:

    Identify the student firewall logs on the Panorama

    Create and push policy to the student firewall

    Conduct a Config Audit

    Task 1 Pre-setup and test

    Step 1: Remove the HA configuration from the Module 9 lab

    Step 2: Click the Device tab > Setup > Management > Panorama Settings and add the IP address (provided by the instructor) of the Panorama server

    Step 3: Make sure shared config is enabled (this is indicated when the button reads Disable Shared Config), then Commit all changes

    Task 2 Create a custom report - Panorama

    Step 1: Log into the Panorama server.

    IP Address: .....................................................https://____.____.____.____

    Login: ..............................................................Student____(X) (X = student number)

    Password: ......................................................paneduX

    Step 2: Click on Monitor tab > Manage Custom Reports

    Step 3: Create the report with the following:

    Name:.................................................Student.____(X) (X = student number)

    Database: ...........................................Device Traffic Log

    Selected Columns: .............................Action, Application, Rule, Source User, Day, Hour

    Time Frame: .......................................Last 7 Days

    Query Builder: ...................................(serial eq _________) You can find the serial number of your student firewall on the Dashboard tab

    Step 4: Save the template, then Run Now to confirm

    Task 3 Create an Application Group Object

    Step 1: Click Objects tab > Application Group

    Step 2: Create a new group called Pano-app-group-1

    Step 3: Add the application facebook-base

    Task 4 Create Pre/Post Policy

    Step 1: Click the Policies tab > DoS Protection > Post Rules.

    Step 2: Click Add and create a rule called Pano-DoS-Student___(X) (X = student number) with the following criteria:

    Source Zone: ..................................................Untrust-L3

    Destination Zone: ..........................................Trust-L3

    Action: ............................................................Protect

    Step 3: Click the Policies tab > Security > Pre Rules.

    Step 4: Click Add and create a rule called Pano-Sec-Student___(X) (X = student number) with the following criteria:

    Source Zone: ..................................................Trust-L3

    Destination Zone: ..........................................Untrust-L3

    Application: ...................................................use the Application Group built in Task 3

    Action: ............................................................Deny

    Task 5 Push config to student firewall

    Step 1: Click Panorama tab > Managed Devices.

    Step 2: Scroll to your Student number and click the "Click to see the config changes" icon (in the Device Group column):

    Step 3: Select Lines of context: All and review the Additions, Modifications, and Deletions.

    HINT: If for some reason the Config Audit window doesn't appear, the browser may be blocking pop-ups. You will need to allow pop-ups, then close and reopen the browser.

    Step 4: Close the Config Audit window and click the "Click to commit all to device Student(X)" icon (in the Device Group column). (This action will cause a commit on the Student firewall.) Do NOT select the Merge with Candidate Config check box.

    Task 6 Switch context and review Policy on firewall

    Step 1: On the Student firewall, click Tasks in the lower right-hand corner and wait for the commit to finish

    Step 2: Click the Context drop-down in the upper left corner of Panorama and select your student firewall

    Step 3: Review the configuration pushed from Panorama

    Step 4: Open a new browser window and connect to an external web site