
Firewall Installation, Configuration, and Management: Essentials I

Lab Manual
PAN-OS 6.0
PAN-EDU-101 Rev A.200

PANEDU101

Palo Alto Networks, Inc.


www.paloaltonetworks.com
2007-2014 Palo Alto Networks. All rights reserved.
Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are
the property of their respective owners.

Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.

Boldface
    Meaning: Names of commands, keywords, and selectable items in the web interface
    Example: Click Security to open the Security Rule Page

Italics
    Meaning: Name of parameters, files, directories, or Uniform Resource Locators (URLs)
    Example: The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com

courier font
    Meaning: Coding examples and text that you enter at a command prompt
    Example: Enter the following command: a:\setup

Click
    Meaning: Click the left mouse button
    Example: Click Administrators under the Device tab.

Right-click
    Meaning: Click the right mouse button
    Example: Right-click on the number of a rule you want to copy, and select Clone Rule.


Table of Contents

How to use this Lab Guide
Lab Guide Objectives
Lab Equipment Setup
Lab Assumptions
Student Firewall Interface Settings
Module 1 Administration and Management
    Scenario
    Required Information
Module 2 Interface Configuration (optional)
    Scenario
    Required Information
Module 3 Layer 3 Configuration
    Scenario
    Required Information
Module 4 App-ID
    Scenario 1
    Required Information
    Scenario 2
    Required Information
    Lab Notes
Module 5 Content-ID
    Scenario
    Required Information
    Lab Notes
Module 6 Decryption
    Scenario
    Required Information
    Lab Notes
Solutions
    Module 1 Introduction (Lab Access)
    Module 2 Interface Configuration
    Module 3 Layer 3 Configuration
    Module 4 App-ID
    Module 5 Content-ID
    Module 6 Decryption
CLI Reference
    Module 1 Administration and Management
    Module 2 Interface Configuration
    Module 3 Layer 3 Configuration
    Module 4 App-ID
    Module 5 Content-ID
    Module 6 Decryption


How to use this Lab Guide


The Lab Guide contains lab exercises which correspond to modules in the student guide. Each lab exercise consists of three parts: a scenario, a solution, and a CLI reference.

The scenario describes the lab exercise in terms of objectives and customer requirements. Minimal instructions are provided to encourage students to solve the problem on their own. If appropriate, the scenario includes a diagram and a table of required information needed to complete the exercise.

The solution is designed to help students who prefer step-by-step, task-based labs. Alternatively, students who start with the scenario can use the solution to check their work or to provide help if they get stuck on a problem.

The CLI reference is intended as a starting point for students interested in the CLI commands. A partial set of CLI commands are provided for students to research further in the Palo Alto Networks Command Line Reference Guide.

NOTE: Unless specified, the Google Chrome web browser and the PuTTY SSH client will be used to perform any tasks outlined in the following labs.

Lab Guide Objectives

This lab guide is designed specifically for a single student attending the self-paced version of the Essentials I course. The instructor-led version of the course includes additional exercises which can only be completed in a classroom environment with other students and additional equipment.

Once these labs are completed, you should be able to:

1. Configure the basic components of the firewall, including interfaces, security zones, and security policies.
2. Configure basic Layer 3 settings, such as IP addressing and NAT policies.
3. Configure basic Content-ID functionality, including antivirus protection and URL filtering.
4. Configure SSL decryption.

With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help enabled this training to be built, tested, and deployed.

Lab Equipment Setup

[Diagram: lab equipment setup. Labels: DHCP-enabled network, Internet]

Lab Assumptions
These lab instructions assume the following conditions:

1. The student is using a PA-200 firewall which has been registered with Palo Alto Networks Support.
2. The PA-200 firewall is using the default IP address on the MGT interface (192.168.1.1) and the default password (admin) for the admin account.
3. The firewall is licensed for Support, Threat Prevention, and URL Filtering.
4. All network connectivity for the student laptop used for the lab has been disabled except for the Ethernet adapter which will be connected to the firewall.
5. The firewall should have no policies defined on it.
6. The network that the student will connect to has a DHCP server from which the firewall can obtain an IP address and DNS information.
7. There are no other Palo Alto Networks firewalls between the student's PA-200 and the internet. The labs will still work if upstream firewalls exist, but the results will vary based on the firewall settings.

Student Firewall Interface Settings

Student Firewall: PA-200

Interface      Type          IP Address        Zone
MGT            Management    192.168.1.1       N/A
Ethernet1/1    Vwire                           trust
Ethernet1/2    Vwire                           untrust
Ethernet1/3    Layer3        DHCP Client       Untrust-L3
Ethernet1/4    Layer3        192.168.2.1/24    Trust-L3

Module 1 Administration and Management


In this lab you will:

• Connect to the firewall through the MGT interface
• Create new administrator roles and accounts on the firewall

Scenario

You have been tasked with integrating a new firewall into your environment. The firewall is configured with the factory default IP address and administrator account. You will need to change the IP address of your laptop to communicate with the default IP address of the MGT port.

If your firewall has settings you would like to restore after the completion of this lab, save the current configuration so that it can be reloaded on the firewall. Apply a saved configuration to the firewall so that it is in a known state.

In preparation for the new deployment, create a role for an assistant administrator which allows access to all firewall functionality through the WebUI except Monitor, Network, Privacy, and Device. The account should have no access to the XML API or the CLI. Create an account using this role. Additionally, change the password of the admin account to disable the warnings about using default credentials.

Required Information

Named Configuration Snapshot          PANEDU101Default
New Administrator Role name           Policy Admins
New Administrator Account name        ip-admin
New Administrator Account password    paloalto
New password for the admin account    paloalto

Module 2 Interface Configuration (optional)


In this lab you will:

• Create Security Zones
• Configure basic interface types

Scenario:

You are preparing the firewall for a simple proof of concept (POC). In order to demonstrate firewall features with a minimum of changes to the existing network, you have decided to use virtual wire to pass traffic through the firewall for one network segment and a tap interface to monitor a different network segment.

Configure the virtual wire and create zones so that policy rules can be defined. Create a tap interface and the associated zone.

Note: Due to the limited number of interfaces available on a PA-200, the configurations set in this lab will be immediately removed so that the interfaces may be reused for later labs.

Required Information

Interface to use for tap interface    Ethernet1/3
Interfaces to use for virtual wire    Ethernet1/3, Ethernet1/4
Name for the tap zone                 tap-zone
Name for the virtual wire zones       vwire-zone-3, vwire-zone-4
Name for the virtual wire object      student-vwire

Module 3 Layer 3 Configuration


In this lab you will:

• Create Interface Management Profiles
• Configure Ethernet interfaces with Layer 3 information
• Configure DHCP
• Create a Virtual Router
• Create Source NAT policy

Scenario:

The POC went well and the decision was made to use the Palo Alto Networks firewall in the network. You are to create two zones, Untrust-L3 and Trust-L3. The external-facing interface in Untrust-L3 will get an IP address from a DHCP server on the external network. Trust-L3 will be where the internal clients connect to the firewall and so the interface in Trust-L3 will provide DHCP addresses to these internal clients. The DHCP server you configure in the Trust-L3 zone will inherit DNS settings from the external-facing interface.

Both the internal and external interfaces on the firewall must route traffic through the external-facing interface by default. The interface in Untrust-L3 must be configured to respond to pings and the interface in Trust-L3 must be able to provide all management services. NOTE: You will not be able to test whether the Untrust-L3 interface responds to pings until the next lab.

Once you have completed the Layer 3 configurations, you will need to move the physical Ethernet cable from the MGT port to the ethernet1/4 port of the PA-200. You must also change the settings of the LAN interface on your laptop to use DHCP-supplied network information (IP address and DNS servers) instead of static settings.

When the firewall is fully configured, a NAT policy must exist so that all traffic originating in the Trust-L3 zone appears to come from the external-facing address of the firewall.

Required Information

Interface Management Profile Names    allow_all, allow_ping
Internal-facing IP Address            192.168.2.1/24
External-facing interface             Ethernet1/3
Internal-facing interface             Ethernet1/4
DHCP Server: Gateway                  192.168.2.1
DHCP Server: Inheritance Source       Ethernet1/3
DHCP Server: Primary DNS              inherited
DHCP Server: IP address range         192.168.2.50-192.168.2.60
Virtual Router Name                   Student-VR

Module 4 App-ID

In this lab you will:

• Enable the firewall to communicate with the Palo Alto Networks update server
• Update the threat definitions and OS of the firewall
• Create a security policy to allow basic internet connectivity and log dropped traffic
• Enable Application Block pages
• Create Application Filters and Application Groups

Scenario 1:

In order to update the software on the firewall, you must enable the DNS, paloalto-updates, and SSL applications to pass between the zones. The applications should only be permitted on application-default ports. Configure the firewall to communicate with DNS and Palo Alto Networks update servers through the Trust-L3 interface.

Once these configurations are complete, license your firewall. Update the Threats and Applications data file to the most recent version.

Required Information

DNS Server for the MGT functions     4.2.2.2
Address to use for Service Routes    192.168.2.1/24
Name to use for Security Policy      General Internet

Scenario 2:

At this point, the firewall is configured but not passing traffic. Security policies must be defined before traffic will flow between zones. To facilitate testing and present the minimal amount of risk to the network traffic, the policies will be established in a three-phased deployment:

• Phase 1: Modify the General Internet policy to allow users in the Trust-L3 zone to use a set of commonly used applications to access the internet. The applications should only be permitted on application-default ports. All other traffic (inbound and outbound) should be blocked and logged so that you can identify what other applications are being used. This will help generate lists of good and bad applications to be managed in the later phases.
• Phase 2: Configure the firewall to notify users when blocked applications are used so that the help desk does not get called for connection issues that are actually blocked applications.
• Phase 3: The results from the first two phases of testing result in the following discoveries:
    o The logs from phase 1 show heavy use of a variety of internet proxies and client-server gaming applications by users in the Trust-L3 zone. Management mandates that you explicitly prevent use of these applications.
    o For ease of configuration, your team decides to create groups for the allowed and denied applications to reduce the number of policies required on the firewall.
    o The rules blocking all unmatched traffic were too restrictive for your environment. The testing denied access to numerous vital applications, causing a surge in support calls. Any traffic which does not match the allowed or denied lists should be allowed but logged for future policy decisions.

Modify General Internet and create new policies (Block-Known-Bad and Log-All) to meet these new requirements. Remove the other policies created in Phase 1.

Required Information

Phase 1 Allowed Applications                              dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
Phase 1 Security Policy names                             General Internet Deny Inbound Deny
Phase 3 Application Filter names                          Proxies, Web-Based-File-Sharing
Phase 3 Security Policy names                             General Internet Deny Inbound Block-Known-Bad Log-All
Setting for Proxies application filter                    Subcategory: Proxies
Settings for Web-Based-File-Sharing application filter    Subcategory: file-sharing; Technology: browser-based
Phase 3 Application Group names                           Known-Good, Known-Bad
Members of the Known-Good application group               dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
Members of the Known-Bad application group                Proxies, Web-Based-File-Sharing

Lab Notes

• During Phase 1, test your connectivity by connecting to http://www.box.net (login: student@pan-edu.com, password: paloalto1). Use the traffic logs to determine how the firewall handles that connection.
• During Phase 2, check to see what happens when you browse to www.facebook.com before and after you make your changes.
• The lab solutions use the buttons at the bottom of the policy screens to change the order of the rules. Rules can also be reordered by clicking and dragging the rules to the desired location.

Module 5 Content-ID

In this lab you will:

• Configure Security Profiles
• Create a Security Profile group
• Associate Security Profiles and Security Profile Groups to Security Policy
• Generate a custom report

Scenario

Now that traffic is passing through the firewall, you decide to further protect the environment with Security Profiles. The specific security requirements for general internet traffic are:

• Log all URLs accessed by users in the Trust-L3 zone. In particular, you need to track access to a set of specified technology web sites.
• Access to all hacking and government sites should be set to Continue.
• Block the following URL categories:
    o Adult and pornography
    o questionable
    o Unknown
• Log, but do not block, all viruses detected and maintain packet captures of these events for analysis.
• Log spyware of severity levels critical and high detected in the traffic. Ignore all other spyware.
• Configure files to be automatically forwarded to WildFire with no user interaction.

After all of these profiles are configured, send test traffic to verify that the protection behaves as expected. Testing parameters will be included in the Required Information section of this lab.

After the initial testing is complete, you are asked to change the Antivirus protection to block viruses. Make the changes and verify the difference in behavior.

Once the individual profiles are created and tested, combine the profiles into a single group for ease of management. Attach the group to the appropriate security policies.

Your manager wants to see daily reports which detail the threats encountered by the firewall. Configure a custom report to show a threat summary for all traffic allowed in the past 24 hours. It should include the threat name, the application (including technology and subcategory for reference), and the number of times that threat was encountered. Export the file as a PDF.

Required Information

Custom Technology sites to track           www.slashdot.org
                                           www.cnet.com
                                           www.phys.org
                                           www.zdnet.com
Location of files for testing antivirus    1. Browse to http://www.eicar.org
                                           2. Click Anti-Malware Testfile.
                                           3. Click Download
                                           4. Download any of the files using http only.
                                              Do not use the SSL links.
Hacking sites for testing URL Filtering    www.2600.org
                                           www.neworder.box.sk
Procedure for testing file blocking        1. Navigate to the web site http://www.opera.com
                                           2. Download the installer to your local system

Lab Notes

• You do not need to assign profiles to all of the security policies you have created in the lab. The Known-Bad policy has an action of deny so profiles will do nothing for that rule.
• Only test the antivirus profile using http, not https. HTTPS connections will prevent the firewall from seeing the packet contents so the viruses contained will not be detected by the profile. Decryption will be covered in a later module.

Module 6 Decryption
In this lab you will:

• Create a self-signed SSL certificate
• Configure the firewall as a forward proxy using decryption rules

Scenario

Your security team is concerned about the results of the testing performed as part of the security profile configurations. The team observed that the antivirus profile only identified viruses which were not SSL encrypted. The concern is that files transferred from encrypted sources (e.g., https://www.facebook.com) could escape detection and cause issues. For testing purposes, you will need to change the antivirus profile to alert instead of blocking the file. Verify that https downloads of virus files from www.eicar.org are detected by the antivirus profile.

You want to evaluate using a forward proxy configuration on the Palo Alto Networks firewall. Only traffic from Trust-L3 to Untrust-L3 needs to be decrypted. Since this is not production, you decide to use self-signed SSL certificates generated on the firewall for this implementation. The legal department has advised you that certain traffic should not be decrypted for liability reasons. Specifically, you may not decrypt traffic from health-related, shopping, or financial web sites.

Test the decryption two ways:

• Attempt to download test files from www.eicar.org using https and verify that they are detected by the firewall
• Connect to various web sites using https and use the logs to verify that the correct URL categories are being decrypted

After your initial testing of the forward proxy, the penetration testing team calls you to request an exception to the decryption rules. The team asks that www.eicar.org be excluded from decryption so that they will still be able to download the files they need to perform their evaluations. Change the implementation to allow this exception.

Required Information

Self-signed Certificate name          student-ssl-cert
Common Name of the SSL Certificate    192.168.2.1
Decryption Policies                   no-decrypt-traffic, decrypt-all-traffic

Lab Notes

• You will get certificate errors when browsing after decryption is enabled. This is expected because the self-signed certificates have not been added to the trusted certificates of the client browser. In a production environment you would resolve this by adding the firewall certificate to the clients as trusted or by using a commercial certificate from a known CA such as VeriSign.
• Order matters with policies: make sure that the decrypt and no-decrypt policies are evaluated in the correct order.
• To find URLs to test the no-decrypt rule, go to http://www.brightcloud.com/ and enter various URLs that you believe fall into the categories you are testing.
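
The rule-order note above and the Phase 3 policy set in Module 4 Scenario 2 both depend on first-match evaluation. The Python model below is an added example, not part of the lab manual or of PAN-OS. The category labels, the two Known-Bad member names, the sample sessions and the default actions are constructed assumptions, and the rule order shown is one ordering that meets the stated requirements.

```python
"""First-match rule evaluation, modelled on the lab's security and decryption rulebases."""

# Known-Good members as listed in the Module 4 Required Information table.
KNOWN_GOOD = {"dns", "fileserve", "flash", "ftp", "paloalto-updates",
              "ping", "web-browsing", "ssl"}
# Known-Bad is built from the Proxies and Web-Based-File-Sharing filters.
# These two member names are constructed placeholders, not real App-ID names.
KNOWN_BAD = {"sample-proxy", "sample-web-share"}
# Constructed shorthand for the categories the legal department excluded.
NO_DECRYPT = {"health", "shopping", "financial"}


def outbound(s):
    """True for sessions going from Trust-L3 to Untrust-L3."""
    return s["from"] == "Trust-L3" and s["to"] == "Untrust-L3"


# Each rule is (name, match predicate, action); list order is evaluation order.
SECURITY = [
    ("General Internet", lambda s: outbound(s) and s["app"] in KNOWN_GOOD, "allow"),
    ("Block-Known-Bad", lambda s: outbound(s) and s["app"] in KNOWN_BAD, "deny"),
    ("Log-All", lambda s: outbound(s), "allow"),
]
DECRYPTION = [
    ("no-decrypt-traffic",
     lambda s: outbound(s) and s["category"] in NO_DECRYPT, "no-decrypt"),
    ("decrypt-all-traffic", lambda s: outbound(s), "decrypt"),
]


def first_match(rules, session, default):
    """Return (rule name, action) for the first matching rule, else (None, default)."""
    for name, matches, action in rules:
        if matches(session):
            return name, action
    return None, default


def shadowed(rules, sessions):
    """Names of rules that none of the sample sessions ever reaches."""
    hit = {first_match(rules, s, None)[0] for s in sessions}
    return [name for name, _, _ in rules if name not in hit]


def session(app, category, src="Trust-L3", dst="Untrust-L3"):
    """Build one constructed sample session."""
    return {"from": src, "to": dst, "app": app, "category": category}


# Constructed sample sessions, one per behaviour the scenarios care about.
SAMPLES = [
    session("web-browsing", "news"),
    session("ssl", "financial"),
    session("sample-proxy", "news"),
    session("sample-unlisted", "shopping"),
]

if __name__ == "__main__":
    # Model assumption: traffic matching no rule is denied / left undecrypted.
    for label, rules, default in (("security", SECURITY, "deny"),
                                  ("decryption", DECRYPTION, "no-decrypt")):
        for s in SAMPLES:
            print(label, s["app"], s["category"], first_match(rules, s, default))
        print(label, "shadowed:", shadowed(rules, SAMPLES))
    # Misordered rulebases: the broad rule placed first hides the specific ones.
    print("Log-All first:", shadowed([SECURITY[2], SECURITY[0], SECURITY[1]], SAMPLES))
    print("decrypt-all first:", shadowed(DECRYPTION[::-1], SAMPLES))
```

Running the shadowed() check against a set of sessions you expect each rule to catch is a quick way to confirm a reordering has not hidden a specific rule behind a broad one.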


Solutions
Module 1 Introduction (Lab Access)

Prepare your laptop for the lab


1. While connected to the internet, download the file PANEDU101Default to the laptop you will be using for the lab exercises.
2. Configure the physical LAN interface on your laptop with an IP address to communicate with the firewall.

    IP address     192.168.1.100
    Subnet Mask    255.255.255.0

3. Connect an Ethernet cable between the interface you just configured and the MGT port of your firewall.
4. Open a command prompt and verify you can ping the IP address 192.168.1.1.

Log on to the Firewall


5. Open a browser and connect to the firewall at https://192.168.1.1. Note: You will get a warning message since the firewall is using an untrusted self-signed certificate. Dismiss the warning and continue to the web page.
6. Log on with the default user name and password. Click OK to dismiss the warning about the default admin credentials.

Save the current configuration on your firewall (optional)


Note: If your firewall has settings you would like to restore after the completion of this lab, save the configuration so that it can be reloaded on the firewall.

7. Click Device > Setup > Operations.
8. Click Save named configuration snapshot. Enter pre-101-labs in the Name field. Click OK to complete the save. Click OK to dismiss the success window.

Upload and apply baseline configuration to your firewall


9. Click Device > Setup > Operations.
10. Click Import named configuration snapshot. Click Browse to select the PANEDU101Default file from your system. Click Open then OK to upload the file to the firewall. Click OK to dismiss the success window.
11. Click Load Named Configuration Snapshot.
12. Select PANEDU101Default. Click OK. Click OK to dismiss the success window.
13. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes, then click Close.

Add an Administrator Role


14. Click Device > Admin Roles.
15. Click Add in the lower left of the panel and create a new admin role:

    Name         Enter Policy Admins
    WebUI tab    Click the following major categories to disable them:
                 Monitor
                 Network
                 Device
                 Privacy
                 The remaining major categories should remain enabled.

    Click OK to continue.

Manage administrator accounts


16. Click Device > Administrators.
17. Click admin in the list of users. Change the password to paloalto. Click OK to close the configuration window.
18. Click Add in the lower left corner of the panel. Configure a new administrator account:

    Name                         Enter ip-admin
    Password/Confirm Password    Enter paloalto
    Role                         Select Role Based
    Profile                      Select Policy Admins

    Click OK.

19. Click the Commit link at the top right of the WebUI. Click OK and wait until the commit process completes, then click Close.
20. Use an SSH client (e.g., PuTTY) to attempt to log in to the CLI as ip-admin. Because the role assigned to this account was not assigned CLI access, the connection should reset.
21. Open a different browser and log on to the WebUI as ip-admin and explore the available functionality. For example, if you originally connected to the WebUI using Chrome, open this connection in Internet Explorer. Compare the displays for the admin and ip-admin accounts to see the limitations of the newly created account.
22. Log out of the ip-admin account connection when you are done exploring.

Module 2 Interface Configuration

Create new Security Zones


1. If necessary, log in to the WebUI using your admin account.
2. Click Network > Zones. Click Add and create the tap zone:

    Name    Enter tap-zone
    Type    Select Tap

    Click OK to close the zone creation window.

3. Click Add and create the first virtual wire zone:

    Name    Enter vwire-zone-3
    Type    Select Virtual Wire

    Click OK to close the zone creation window.

4. Click Add and create the second virtual wire zone:

    Name    Enter vwire-zone-4
    Type    Select Virtual Wire

    Click OK to close the zone creation window.

Configure a Tap interface


5. Click Network > Interfaces > Ethernet.
6. Click the interface name ethernet1/3. Configure the interface:

    Interface Type       Select Tap
    Config tab
      Security Zone      Select tap-zone

    Click OK to close the interface configuration window.

Creating a Virtual Wire Setup


7. Click Network > Virtual Wires.
8. Click Add and create a new virtual wire object named student-vwire. Keep all other settings at the default values and click OK.
9. Click Network > Interfaces > Ethernet.
10. Click the interface name ethernet1/3. Configure the interface:

    Interface Type       Select Virtual Wire
    Config tab
      Virtual Wire       Select student-vwire
      Security Zone      Select vwire-zone-3

    Click OK to close the interface configuration window.

11. Click the interface name ethernet1/4. Configure the interface:

    Interface Type       Select Virtual Wire
    Config tab
      Virtual Wire       Select student-vwire
      Security Zone      Select vwire-zone-4

    Click OK to close the interface configuration window.

Normally, you would commit your changes at this point. However, for the self-paced labs you will be reusing these interfaces so you must undo some of the changes you just implemented.

12. Click Network > Virtual Wires.
13. Select the student-vwire object and click Delete.

(Note: you will set the interfaces to a different type in the next module.)

Module 3 Layer 3 Configuration

Create new Security Zones


1. Go to the WebUI and click Network > Zones.
2. Click Add and create the Untrust-L3 zone:

    Name    Enter Untrust-L3
    Type    Verify that Layer3 is selected

    Click OK to close the zone creation window.

3. Click Add and create the Trust-L3 zone:

    Name    Enter Trust-L3
    Type    Select Layer 3

    Click OK to close the zone creation window.

Create Interface Management Profiles


4. Click Network > Network Profiles > Interface Mgmt.
5. Click Add and create an interface management profile:

    Name                      Enter allow_all
    Permitted Services        Select all check boxes
    Permitted IP Addresses    Do not add any addresses

    Click OK to close the interface management profile creation window.

6. Click Add and create another interface management profile:

    Name                      Enter allow_ping
    Permitted Services        Select only the Ping check box
    Permitted IP Addresses    Do not add any addresses

    Click OK to close the interface management profile creation window.

7. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.

Configure Ethernet interfaces with Layer 3 info


8. Click Network > Interfaces > Ethernet.
9. Click the interface name ethernet1/3. Configure the interface:

    Interface Type            Select Layer 3
    Config tab
      Virtual Router          Keep default (none)
      Security Zone           Select Untrust-L3
    IPv4 tab
      Type                    Select DHCP Client
    Advanced > Other Info tab
      Management Profile      Select allow_ping

    Click OK to close the interface configuration window.

10. Click the interface name ethernet1/4. Configure the interface:

    Interface Type            Select Layer 3
    Config tab
      Virtual Router          Keep default (none)
      Security Zone           Select Trust-L3
    IPv4 tab
      Type                    Keep default (Static)
      IP                      Click Add then enter 192.168.2.1/24
    Advanced > Other Info tab
      Management Profile      Select allow_all

    Click OK to close the interface configuration window.

Configure DHCP
11. Click Network > DHCP > DHCP Server.
12. Click Add to define a new DHCP Server:

    Interface Name        Select ethernet1/4
    Inheritance Source    Select ethernet1/3
    Gateway               Enter 192.168.2.1
    Primary DNS           Select inherited
    IP Pools              Click Add then enter 192.168.2.50-192.168.2.60

    Click OK to close the DHCP Server configuration window.

Create a Virtual Router


13. Click Network > Virtual Routers.
14. Click Add to define a new virtual router:

    General tab
      Name          Enter Student-VR
      Interfaces    Click Add then select ethernet1/3
                    Click Add again and select ethernet1/4

    Click OK to close the virtual router configuration window.

15. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.

Test the Network Configuration


16. Log out of the WebUI.
17. Move the Ethernet cable from the MGT interface to the 4 interface on the firewall.
18. Plug the cable connected to your network into the 3 interface on the firewall.
19. Configure the physical LAN interface on your laptop (the one connected to the 4 interface) to use a DHCP address.
20. Verify that your laptop is receiving a DHCP address from the firewall. The displayed IP address should be in the range 192.168.2.50-192.168.2.60 if the DHCP Server is configured correctly. You should also be able to ping 192.168.2.1.
21. Connect to the WebUI by launching a browser to https://192.168.2.1 and logging in with your admin account.

Create a Source NAT policy


22. Click Policies > NAT.
23. Click Add to define a new source NAT policy:

    General tab
        Name: Enter Student Source NAT

    Original Packet tab
        Source Zone: Click Add and select Trust-L3
        Destination Zone: Select Untrust-L3
        Destination Interface: Select ethernet1/3

    Translated Packet > Source Address Translation tab
        Translation Type: Select Dynamic IP and Port
        Address Type: Select Interface Address
        Interface: Select ethernet1/3

    Click OK to close the NAT policy configuration window.

24. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Note: At this point, you still will not have access to the internet. A security policy is required, which will be configured in the next lab.


Module 4 App-ID

Scenario 1
Create the General Internet Policy
1. Go to the WebUI and click Policies > Security.
2. Click Add to define a security policy:

    General tab
        Name: Enter General Internet

    Source tab
        Source Zone: Click Add and select Trust-L3
        Source Address: Select Any

    Destination tab
        Destination Zone: Click Add and select Untrust-L3
        Destination Address: Select Any

    Application tab
        Applications: Click Add and select each of the following:
            dns
            paloalto-updates
            ssl

    Service/URL Category tab
        Service: Select application-default from the pull-down

    Actions tab
        Action Setting: Select Allow
        Log Setting: Select Log at Session End

    Click OK to close the security policy configuration window.

Configure the Firewall to Communicate with the Update Server


3. In the WebUI, click Device > Setup > Services.
4. Click the icon in the upper-right corner of the Services panel to configure DNS lookups:

    DNS: Verify that Servers is selected
    Primary DNS Server: Enter 4.2.2.2
    Update Server: Keep the default (updates.paloaltonetworks.com)

    Click OK to close the configuration window.

5. In the Services Features panel, click the Service Route Configuration link to configure how the firewall accesses network services. Click the radio button for Select. For the DNS, Palo Alto Updates, and URL Updates services, go to the Source Address column and select 192.168.2.1/24. Click OK to close the configuration window.


6. Click the Commit link at the top right of the WebUI. Click OK and wait until the commit process completes before continuing.

Review PAN-OS Licenses


7. Click Device > Licenses.
8. If no licenses appear, click Retrieve license keys from license server.
9. Review licenses installed and their expiration dates.

Update the Applications and Threats Definition File


Note: Upgrading PAN-OS requires that the firewall be running the most recent Applications and Threats definition file. All other dynamic updates can be handled later.
10. Click Device > Dynamic Updates.
11. Click Check Now at the bottom of the page to retrieve the latest updates from Palo Alto Networks.
12. Verify that your firewall is running the most recent Applications and Threats.
13. If the definition file is out of date, install the latest version.
    a. Click Download on the line for the update file you plan to install. Click Close when the file download completes.
    b. The Download link will have been replaced with the Install link. Click Install to activate the definition file. The installation will automatically trigger a commit. Wait for both operations to complete before continuing. Click Close to exit the installation window.

Verify the PAN-OS version


14. Click Device > Software.
15. Review available, downloaded, and installed PAN-OS software. If no software versions are displayed, click Check Now at the bottom of the panel to refresh the list.
    What version of PAN-OS is running on your firewall?

16. If the firewall is not running version 6.0.0, update the firewall to that version.
    a. Click Download on the line for version 6.0.0. Click Close when the file download completes.
    b. If your firewall is currently running a version of PAN-OS older than 6.0.0 (e.g., 5.0.x), you must also download (but not install) version 5.1.0. Click Download on the line for version 5.1.0. Click Close when the file download completes.
    c. On the line for 6.0.0, the Download link will have been replaced with the Install link. Click Install to update PAN-OS on your firewall.
    d. Reboot the firewall when prompted. Wait until your browser reconnects with the firewall and log in again using your admin account.


Scenario 2 (Phase 1)
Modify the General Internet Policy
17. Go to the WebUI and click Policies > Security.
18. Click the General Internet policy you previously created and modify the allowed applications:

    Application tab
        Applications: Click Add and select each of the following:
            fileserve
            flash
            ftp
            ping
            web-browsing

    Click OK to close the security policy configuration window.

Create Policies to Block and Log All Inbound and Outbound Traffic
19. Click Policies > Security.
20. Click Add to define the Deny Outbound security policy:

    General tab
        Name: Enter Deny Outbound

    Source tab
        Source Zone: Click Add and select Trust-L3
        Source Address: Select Any

    Destination tab
        Destination Zone: Click Add and select Untrust-L3
        Destination Address: Select Any

    Application tab
        Applications: Check the Any box

    Service/URL Category tab
        Service: Select any from the pull-down

    Actions tab
        Action Setting: Select Deny
        Log Setting: Select Log at Session End

    Click OK to close the security policy configuration window.

21. Click Add to define the Deny Inbound security policy:

    General tab
        Name: Enter Deny Inbound

    Source tab
        Source Zone: Click Add and select Untrust-L3
        Source Address: Select Any

    Destination tab
        Destination Zone: Click Add and select Trust-L3
        Destination Address: Select Any

    Application tab
        Applications: Check the Any box

    Service/URL Category tab
        Service: Select any from the pull-down

    Actions tab
        Action Setting: Select Deny
        Log Setting: Select Log at Session End

    Click OK to close the security policy configuration window.

22. Ensure your Security Policy looks like this:

Note: The default rule1 affects virtual wire connections and will not affect the lab exercises.

23. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.

Verify Internet Connectivity and Application Blocking


24. Test internet connectivity by browsing websites from your laptop. Does web surfing over ports 80 and 443 work?
25. Use a browser to connect to the site http://www.box.net. The browser should not be able to display the site. Review the traffic logs to determine why this site is not reachable. (Hint: Check the applications listed in the log.) The boxnet-base application is not allowed by the configured policies.
26. Attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com. You will not be able to connect because the avoidr website also uses a custom application which is not allowed by your policies. Use the traffic logs to verify this statement.

Scenario 2 (Phase 2)
Create an Application Block Page
1. From the RDP desktop, open a browser and navigate to http://www.facebook.com. Leave the browser open to the error page.
2. Return to the WebUI and click Device > Response Pages.
3. Find the Application Block Page line and click Disabled.
4. Check the Enable Application Block Page box, and then click OK.
5. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
6. Open a different browser window and go to http://www.facebook.com. Compare the page displayed to the one generated in Step 1 of the Create an Application Block Page section of the lab.

Note: An Interface Management Profile DOES NOT need to be set for application block pages. From the admin guide (p. 176): The Response Pages checkbox controls whether the ports used to serve captive portal and URL filtering response pages are open on Layer 3 interfaces. Ports 6080 and 6081 are left open if this setting is enabled.


Scenario 2 (Phase 3)
Create Application Filters
1. Go to the WebUI and click Objects > Application Filters.
2. Click Add to define the Proxies application filter:

    Name: Enter Proxies
    Subcategory column: Select proxy

    Click OK to close the application filter configuration window.

3. Click Add to define the Web-Based-File-Sharing application filter:

    Name: Enter Web-Based-File-Sharing
    Subcategory column: Select file-sharing
    Technology column: Select browser-based

    Click OK to close the application filter configuration window.

Create Application Groups


4. Click Objects > Application Groups.
5. Click Add to define the Known-Good application group:

    Name: Enter Known-Good
    Applications: Click Add and select each of the following:
        dns
        fileserve
        flash
        ftp
        paloalto-updates
        ping
        ssl
        web-browsing

    Click OK to close the application group configuration window.

6. Click Add to define the Known-Bad application group:

    Name: Enter Known-Bad
    Applications: Click Add and select each of the following:
        Proxies
        Web-Based-File-Sharing

    Click OK to close the application group configuration window.


Update Security Policies


7. Click Policies > Security.
8. Click General Internet to edit the existing rule. Go to the Application tab. Delete all of the listed applications and add the Known-Good application group. Click OK to close the window.
9. Click the Deny Outbound rule and modify with the following values:

    General tab
        Name: Change to Log-All

    Actions tab
        Action Setting: Select Allow

    Click OK to close the security policy configuration window.

10. Click Add to define the Block-Known-Bad security policy:

    General tab
        Name: Enter Block-Known-Bad

    Source tab
        Source Zone: Click Add and select Trust-L3
        Source Address: Select Any

    Destination tab
        Destination Zone: Click Add and select Untrust-L3
        Destination Address: Select Any

    Application tab
        Applications: Click Add and select Known-Bad

    Service/URL Category tab
        Service: Select any from the pull-down

    Actions tab
        Action Setting: Select Deny
        Log Setting: Select Log at Session End

    Click OK to close the security policy configuration window.

27. Use the move buttons at the bottom of the page to arrange the policies in a logical order. Confirm that your security rule list looks like this:

You can also rearrange the rules by clicking and dragging them into the correct order.

28. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
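
Why the rule order in step 27 matters, as an added example that is not part of the lab manual: a small Python model of top-down, first-match evaluation using this scenario's rule, filter and group names. The two rule orders, the App-ID attributes in APPS and the application name example-proxy are assumptions made for the illustration, and service/port matching is not modelled.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed (subcategory, technology) attributes, for this example only.
# "example-proxy" is a hypothetical application name.
APPS = {
    "dns": ("infrastructure", "network-protocol"),
    "web-browsing": ("internet-utility", "browser-based"),
    "ftp": ("file-sharing", "client-server"),
    "smtp": ("email", "client-server"),
    "boxnet-base": ("file-sharing", "browser-based"),
    "example-proxy": ("proxy", "browser-based"),
}
KNOWN_GOOD = {"dns", "fileserve", "flash", "ftp", "paloalto-updates",
              "ping", "ssl", "web-browsing"}


def in_filter(app, subcategory, technology=None):
    """Application filter: every selected column must match (logical AND)."""
    sub, tech = APPS.get(app, (None, None))
    return sub == subcategory and technology in (None, tech)


def known_bad(app):
    """Known-Bad group: Proxies filter OR Web-Based-File-Sharing filter."""
    return (in_filter(app, "proxy")
            or in_filter(app, "file-sharing", "browser-based"))


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    app_ok: Callable[[str], bool]
    action: str

    def matches(self, src, dst, app):
        return (src, dst) == (self.src, self.dst) and self.app_ok(app)


OUT = ("Trust-L3", "Untrust-L3")
GENERAL = Rule("General Internet", *OUT, lambda a: a in KNOWN_GOOD, "allow")
LOG_ALL = Rule("Log-All", *OUT, lambda a: True, "allow")
BLOCK_BAD = Rule("Block-Known-Bad", *OUT, known_bad, "deny")
DENY_IN = Rule("Deny Inbound", "Untrust-L3", "Trust-L3", lambda a: True, "deny")

# Assumed orders: the list if the new rule lands at the bottom, and one
# possible rearrangement with the block rule above the allow-any rule.
AS_CREATED = [GENERAL, LOG_ALL, DENY_IN, BLOCK_BAD]
REARRANGED = [GENERAL, BLOCK_BAD, LOG_ALL, DENY_IN]

# Constructed test flows: every sample app outbound, plus one inbound session.
FLOWS = [(*OUT, app) for app in APPS] + [("Untrust-L3", "Trust-L3", "web-browsing")]


def evaluate(rulebase, src, dst, app):
    """Return (rule name, action) of the first matching rule, top down."""
    for rule in rulebase:
        if rule.matches(src, dst, app):
            return rule.name, rule.action
    return "(no rule)", "deny"  # unmatched traffic between zones is dropped


def shadowed(rulebase, flows):
    """Rules that match some sample flow but are never the first match."""
    result = []
    for rule in rulebase:
        hits = [f for f in flows if rule.matches(*f)]
        if hits and all(evaluate(rulebase, *f)[0] != rule.name for f in hits):
            result.append(rule.name)
    return result


if __name__ == "__main__":
    for label, rulebase in (("as created", AS_CREATED), ("rearranged", REARRANGED)):
        print(label, "-> shadowed rules:", shadowed(rulebase, FLOWS))
        for flow in FLOWS:
            print("   ", flow, "->", evaluate(rulebase, *flow))
```

With Block-Known-Bad below Log-All, the block rule never fires and boxnet-base is logged as allowed; ftp stays allowed in both orders because the Web-Based-File-Sharing filter requires the browser-based technology as well as the file-sharing subcategory.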


Verify Internet Connectivity and Application Blocking


29. Verify that your policies have not broken network connectivity. Test internet connectivity by browsing websites from your laptop. Does web surfing over ports 80 and 443 work?
30. Use a browser to connect to the site http://www.box.net. The browser should not be able to display the site. Review the traffic logs to determine why this site is not reachable. (Hint: Check the application listed in the log.)
31. Attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com. Why can't you bring up that website? (Hint: the traffic logs will help you solve this problem.)
32. Click the ACC tab to access the Application Command Center. Use the drop-down menu in the application section of the ACC to select different ways of viewing the traffic that you have generated. What is the total risk level for all traffic that has passed through the firewall thus far? Notice that the URL Filtering, Threat Prevention, and Data Filtering sections within the ACC contain no matching records.


Module 5 Content-ID
Note: The presence of firewalls between your PA-200 and the internet will cause the lab results to vary.

Configure Dynamic Updates


1. Click Device > Dynamic Updates.
2. Click Check Now at the bottom of the page to retrieve the latest updates from Palo Alto Networks.
3. Verify that your firewall is running the most recent Antivirus definition file.
4. If the definition file is out of date, install the latest version.
    a. Click Download on the line for the update file you plan to install. Click Close when the file download completes.
    b. The Download link will have been replaced with the Install link. Click Install to activate the definition file. The installation will automatically trigger a commit. Wait for both operations to complete before continuing. Click Close to exit the installation window.

Configure a Custom URL Filtering Category


1. Go to the WebUI and click Objects > Custom URL Category.
2. Click Add to create a custom URL category:

    Name: Enter TechSites
    Sites: Click Add and add each of the following URLs:
        www.slashdot.org
        www.cnet.com
        www.zdnet.com

    Click OK to close the URL Filtering profile window.


Configure a URL Filtering Profile


3. Click Objects > Security Profiles > URL Filtering.
4. Click Add to define a URL Filtering profile:

    Name: Enter student-url-filtering
    Category/Action: Click the right side of the Action header to access the pull-down menu. Click Set All Actions > Alert.

        Search the Category field for hacking and government. Set the Action to Continue for both categories.

        Search the Category field for the following categories and set the Action to block for each of them:
            adult-and-pornography
            questionable
            unknown

        Verify that your custom category appears in the Category column.

    Click OK to close the URL Filtering profile window.

Configure an Antivirus Profile


5. Click Objects > Security Profiles > Antivirus.
6. Click Add to create an antivirus profile:

    Name: Enter student-antivirus

    Antivirus tab
        Packet Capture: Check the Packet Capture box
        Decoders: Set the Action column to Alert for all decoders

    Click OK to close the antivirus profile window.


Configure an Anti-Spyware Profile


7. Click Objects > Security Profiles > Anti-Spyware.
8. Click Add to create an anti-spyware profile:

    Name: Enter student-antispyware
    Rules tab: Click Add and create a rule with the parameters:
        Rule Name: Enter rule-1
        Action: Select Allow
        Severity: Check the boxes for Low and Informational only
        Click OK to save the rule

        Click Add and create another rule with the parameters:
        Rule Name: Enter rule-2
        Action: Select Alert
        Severity: Check the boxes for Critical and High only
        Click OK to save the rule

    Click OK to close the anti-spyware profile window.

Create a File Blocking Profile with WildFire


9. Click Objects > Security Profiles > File Blocking.
10. Click Add to create a file blocking profile:

    Name: Enter student-file-block
    Rules list: Click Add and create a rule with the parameters:
        Rule Name: Enter type-1
        Action: Select Forward

    Click OK to close the file blocking profile window.

Assign Profiles to a Policy


11. Click Policies > Security.
12. Click General Internet in the list of policy names. Edit the policy to include the newly created profiles:

    Actions tab
        Profile Type: Select Profiles
        Antivirus: Select student-antivirus
        Anti-Spyware: Select student-antispyware
        URL Filtering: Select student-url-filtering
        File Blocking: Select student-file-block

    Click OK to close the policy window.

13. Repeat the previous step and add the profiles to the Log-All policy.
14. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.

Test the Antivirus Profile


15. On your local system, open a browser to http://www.eicar.org and click Anti-Malware Testfile.
16. Click the Download link to access the virus test files.
17. Download any of the Eicar test files using http. Do not use the SSL encrypted downloads. The firewall will not be able to detect the viruses in an HTTPS connection until decryption is configured.
18. Click Monitor > Logs > Threat to view the threat log. Find the log messages which detect the Eicar files. Scroll to the Action column to verify the alerts for each file download.
19. Click on the green down arrow on the left side of the line for the Eicar file detection to view the packet capture (PCAP). Here is an example of what a PCAP might look like:

Captured packets can be exported in PCAP format and examined with a protocol analyzer offline for further investigation.
20. Modify the antivirus profile to block viruses using ftp, http, and smb. Click Objects > Security Profiles > Antivirus. Change the Action column for the ftp, http, and smb decoders to Block.
21. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.
22. Open a new browser window to www.eicar.org and attempt to download a virus file again. Since the antivirus profile is set to block, a response page should appear:


23. Return to the WebUI and verify that log entries stating that the Eicar virus was detected appear in the threat log.
24. After 15 minutes, the threats you just generated will appear on the ACC tab under the Threats section.

Test the URL Filtering Profile


25. Open a browser and browse to various websites. The URL filtering profile records each website that you visit.
26. In the WebUI, click Monitor > Logs > URL Filtering. Verify that the log entries track the sites that you visited during your tests.
27. Test the continue condition you created by visiting a site which is part of the hacking category. In a new browser window, attempt to browse to http://neworder.box.sk and http://www.2600.org. The profile will block this action and you will see a response page similar to the following:

Test the File Blocking Profile with WildFire


28. Open a new browser window to http://www.opera.com. Download the Opera browser installer to your local system.
29. Click Monitor > Logs > Data Filtering to determine how the file was handled by the profile.


Configure a Security Profile Group


30. Return to the WebUI and click Objects > Security Profile Groups.
31. Click Add to define a security profile group:

    Name: Enter student-profile-group
    Antivirus Profile: Select student-antivirus
    Anti-Spyware Profile: Select student-antispyware
    URL Filtering Profile: Select student-url-filtering
    File Blocking Profile: Select student-file-block

    Click OK to close the security profile group window.

Assign the Security Profile Group to a Policy


32. Click Policies > Security.
33. Click General Internet in the list of policy names. Edit the policy to replace the profiles with the profile group:

    Actions tab
        Profile Type: Select Group
        Group Profile: Select student-profile-group

    Click OK to close the policy window.

34. Repeat the previous step and add the profile group to the Log-All policy.
35. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.


Create a Custom Report


36. Click Monitor > Manage Custom Reports.
37. Click Add to define a new custom threat report:

    Name: Enter Top Threats by Day
    Database: Select Threat Summary
    Time Frame: Select Last 24 Hrs
    Sort by: Select Count and Top 10
    Group by: Select None and 10 Groups
    Selected Columns: Populate the Selected Columns field with the following values, in this order:
        Threat/Content Name
        Application
        App Technology
        App Sub Category
        Count
    Query Builder: Build a query using the following parameters:

        Connector: Select and
        Attribute: Select Rule
        Operator: Select =
        Value: Enter General Internet
        Click Add

        Connector: Select or
        Attribute: Select Rule
        Operator: Select =
        Value: Enter Log-All
        Click Add

    Click OK to save the custom report definition.

38. Click the name of your custom report to reopen the custom report window. Click Run Now to generate the report.
39. The report will appear in a new tab in the window. Click Export to PDF to save it to your RDP desktop.


Module 6 Decryption

Verify firewall behavior without decryption


1. From your laptop, browse to www.eicar.com and attempt to download one of the test files using http.
2. Repeat the previous step but attempt to download one of the files using https.
3. Go to the GUI and click Monitor > Logs > Threat to view the log. Only the non-encrypted download should appear in the log. SSL encryption hid the contents from the firewall, so the test file was not detected as a threat.

Create an SSL self-signed Certificate


4. Click Device > Certificate Management > Certificates.
5. Click Generate at the bottom of the screen to create a new self-signed certificate:

    Certificate Name: Enter student-ssl-cert
    Common Name: Enter 192.168.2.1
    Certificate Authority: Check the box

    Click Generate to create the certificate. Click OK to dismiss the certificate generation success window.

6. Click student-ssl-cert in the list of certificates to edit the certificate properties. Check the boxes for Forward Trust Certificate and Forward Untrust Certificate. Click OK to confirm the changes.

Create SSL Decryption Policies


7. Click Policies > Decryption.
8. Click Add to create an SSL decryption rule for the exception categories:

    General tab
        Name: Enter no-decrypt-traffic

    Source tab
        Source Zone: Click Add then select Trust-L3

    Destination tab
        Destination Zone: Click Add then select Untrust-L3

    URL Category tab
        URL Category: Click Add and add each of the following URL categories:
            health-and-medicine
            shopping
            financial-services

    Options tab
        Action: Select no-decrypt
        Type: Select SSL Forward Proxy

    Click OK to close the configuration window.


9. Click Add to create the SSL decryption rule for general decryption:

    General tab
        Name: Enter decrypt-all-traffic

    Source tab
        Source Zone: Click Add then select Trust-L3

    Destination tab
        Destination Zone: Click Add then select Untrust-L3

    URL Category tab
        URL Category: Verify that the Any box is checked

    Options tab
        Action: Select decrypt
        Type: Select SSL Forward Proxy

    Click OK to close the configuration window.

10. Confirm that your decryption policy list looks like this:

11. Click the Commit link at the top right of the WebUI. Click OK again and wait until the commit process completes before continuing.

Test the SSL Decryption Policies

12. Open a browser to the www.eicar.org downloads page. Download a test file using SSL. Ignore the certificate error. This is expected behavior because the firewall is intercepting the SSL connection and performing man-in-the-middle decryption. Close the browser window.
13. In the WebUI, examine the threat logs. The virus should have been detected, since the SSL connection was decrypted. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box has a checkmark.
14. Open a browser to http://www.brightcloud.com/ and enter various URLs that you believe fall into the categories excluded by the no-decrypt rule. Make a list of URLs that fall into these categories to test against. For example:
    financial-services: www.bankofamerica.com
    health-and-medicine: www.deltadental.com
    shopping: www.macys.com
15. In the WebUI, click Monitor > Logs > Traffic. Set the traffic log to display only port 443 traffic on a 10 second refresh. Enter ( port.dst eq 443 ) in the filter field. Select 10 Seconds from the pull-down menu so that the display will refresh automatically. Leave this window open so you can monitor the traffic.

16. In a separate browser window, use SSL (https://) to navigate to the websites you found in the excluded URL categories. Navigate to other websites as well (e.g., www.facebook.com, www.google.com) for comparison purposes.
17. Return to the traffic log. Find an entry for one of the excluded categories by looking at the value in the URL Category column. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box in the Misc panel is unchecked.
18. Repeat the previous step for a URL in a non-excluded category. Verify that the Decrypted box has a checkmark.
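
The check in steps 15 to 18, run over a whole log export instead of one entry at a time (an added example, not part of the lab manual). The CSV column names, the sample rows and the two non-excluded category names are constructed for the illustration, and it assumes no-decrypt-traffic is listed above decrypt-all-traffic.

```python
import csv
import io

# Categories excluded by the no-decrypt-traffic rule in this lab.
NO_DECRYPT_CATEGORIES = {"health-and-medicine", "shopping", "financial-services"}

# Constructed sample rows. The column names are assumptions for this example,
# not the firewall's own export format.
SAMPLE_LOG = """\
dst_host,dst_port,url_category,decrypted
www.bankofamerica.com,443,financial-services,no
www.macys.com,443,shopping,no
www.deltadental.com,443,health-and-medicine,yes
www.facebook.com,443,social-networking,yes
www.google.com,443,search-engines,no
www.eicar.org,80,computer-and-internet-info,no
"""


def expected_decrypt(category):
    """First match wins: the no-decrypt rule is assumed to sit above decrypt-all."""
    return category not in NO_DECRYPT_CATEGORIES


def audit(log_text):
    """Return (host, category, problem) for every port 443 session whose
    Decrypted flag disagrees with what the decryption policy should do."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst_port"].strip() != "443":  # same scope as ( port.dst eq 443 )
            continue
        want = expected_decrypt(row["url_category"].strip())
        got = row["decrypted"].strip().lower() == "yes"
        if want == got:
            continue
        if got:
            problem = "decrypted despite exclusion"  # privacy exception not honoured
        else:
            problem = "not decrypted"  # session passed without threat inspection
        findings.append((row["dst_host"], row["url_category"], problem))
    return findings


if __name__ == "__main__":
    for host, category, problem in audit(SAMPLE_LOG):
        print(f"{host:24} {category:22} {problem}")
```

Either kind of finding points back at the decryption policy: an excluded category being decrypted usually means the rule order or category list is wrong, while an undecrypted session in any other category is traffic the security profiles could not inspect.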


CLI Reference
This section provides a subset of the commands needed to complete the tasks in the associated lab modules. The commands are intended to provide command sets for you to research further in the PAN-OS Command Line Interface Reference Guide.

Module 1 Administration and Management


# load config from PAN-EDU-201-Default-1.xml

> request license info

> request system software info

> request anti-virus upgrade info

# set shared admin-role "Policy Admins" role device webui acc enable

# set mgt-config users ip-admin permissions role-based custom profile "Policy Admins"

> request config-lock add

> request commit-lock add

> request config-lock remove

> request commit-lock remove

Module 2 Interface Configuration


# set zone tap-zone network tap

# set network interface ethernet ethernet1/3 virtual-wire

# set zone vwire-zone-3 network virtual-wire ethernet1/3

# set network virtual-wire student-vwire interface1 ethernet1/3


Module 3 Layer 3 Configuration


# set network profiles interface-management-profile allow_all telnet yes

# set network dhcp interface ethernet1/2 server ip-pool 192.168.15.50-192.168.15.60

# set network virtual-router Student-VR interface ethernet1/2

# set rulebase nat rules "student source nat" to Untrust-L3

Module 4 App-ID
# set rulebase security rules "General Internet" action allow

# set application-filter Proxies subcategory proxy

# set application-group Known-Good web-browsing

Module 5 Content-ID
# set profiles url-filtering Student-url-filtering alert bot-nets

# set profiles custom-url-category TrustedCompanies list www.paloaltonetworks.com

# set profiles virus Student-antivirus decoder ftp action alert

# set profiles spyware Student-antispyware rules simple-low severity low

# set profile-group "Student Profile" virus Student-antivirus

# set rulebase security rules "General Internet" profile-setting group "Student Profile"

Module 6 Decryption
> request certificate generate ca yes name 192.168.15.1 certificate-name student15-cert

# set rulebase decryption rules No-Decrypt source any
