Palo Alto Networks

Firewall 9.0 Essentials:


Configuration and Management

Lab Guide
PAN-OS® 9.0
EDU-210
Courseware Version B

Palo Alto Networks Technical Education


Palo Alto Networks, Inc.
https://www.paloaltonetworks.com
© 2007-2019, Palo Alto Networks, Inc.
Palo Alto Networks, PAN-OS, WildFire, RedLock, and Demisto are registered trademarks of
Palo Alto Networks, Inc. All other marks mentioned herein may be trademarks of their
respective companies.

© 2019 Palo Alto Networks, Inc. Page 2


Table of Contents
Table of Contents ............................................................................................................................ 3
Typographical Conventions ............................................................................................................ 9
How to Use This Lab Guide ......................................................................................................... 10
1. Lab: Security Operating Platform and Architecture ................................................................. 11
2. Lab: Initial Configuration ......................................................................................................... 12
Lab Objectives........................................................................................................................... 12
2.0 Connect to Your Student Firewall ....................................................................................... 12
2.1 Apply a Baseline Configuration to the Firewall.................................................................. 13
2.2 Add an Admin Role............................................................................................................. 14
2.3 Add an Administrator Account ........................................................................................... 15
2.4 Test the policy-admin User ................................................................................................. 16
2.5 Take a Commit Lock and Test the Lock ............................................................................. 18
2.6 Verify the Update and DNS Servers ................................................................................... 20
2.7 Schedule Dynamic Updates ................................................................................................ 21
3. Lab: Interface Configuration..................................................................................................... 25
Lab Objectives........................................................................................................................... 25
3.0 Load a Lab Configuration ................................................................................................... 25
3.1 Create a New Security Zone................................................................................................ 26
3.2 Create Interface Management Profiles ................................................................................ 27
3.3 Configure Ethernet Interfaces ............................................................................................. 29
3.4 Create a Virtual Wire .......................................................................................................... 36
3.5 Create a Virtual Router ....................................................................................................... 37
3.6 Test Connectivity ................................................................................................................ 38
3.7 Modify Outside Interface Configuration ............................................................................. 40
4. Lab: Security and NAT Policies ............................................................................................... 44
Lab Objectives........................................................................................................................... 44
4.0 Load a Lab Configuration ................................................................................................... 44
4.1 Create Tags .......................................................................................................................... 45
4.2 Create a Source NAT Policy ............................................................................................... 48

4.3 Create Security Policy Rules ............................................................................................... 50
4.4 Verify Internet Connectivity ............................................................................................... 54
4.5 Create an FTP Service ......................................................................................................... 54
4.6 Create a Destination NAT Policy ........................................................................................ 55
4.7 Create a Security Policy Rule.............................................................................................. 58
4.8 Test the Connection ............................................................................................................. 62
5. Lab: App-ID .............................................................................................................................. 66
Lab Objectives........................................................................................................................... 66
5.0 Load a Lab Configuration ................................................................................................... 66
5.1 Verify an FTP Service Object ............................................................................................. 67
5.2 Create an FTP Port-Based Security Policy Rule ................................................................. 68
5.3 Test the Port-Based Security Policy .................................................................................... 72
5.4 Create an App-ID Security Policy Rule .............................................................................. 73
5.5 Enable Interzone Logging ................................................................................................... 75
5.6 Enable the Application Block Page ..................................................................................... 76
5.7 Test Application Blocking .................................................................................................. 77
5.8 Review the Logs .................................................................................................................. 78
5.9 Test Application Blocking .................................................................................................. 78
5.10 Review the Logs ................................................................................................................ 79
5.11 Modify the App-ID Security Policy Rule ......................................................................... 79
5.12 Test the App-ID Changes .................................................................................................. 80
5.13 Observe the Application Command Center ...................................................................... 81
5.14 Create an FTP Application-Based Security Policy Rule ................................................... 82
5.15 Test the Application-Based Security Policy...................................................................... 85
6. Lab: Content-ID ........................................................................................................................ 87
Lab Objectives........................................................................................................................... 87
6.0 Load a Lab Configuration ................................................................................................... 87
6.1 Create a Security Policy Rule with an Antivirus Profile ..................................................... 88
6.2 Test the Security Policy Rule .............................................................................................. 91
6.3 Review the Logs .................................................................................................................. 92
6.4 Create a Security Policy Rule with an Anti-Spyware Profile ............................................. 93

6.5 Create a DMZ-Access Security Policy................................................................................ 98
6.6 Configure a DNS-Sinkhole External Dynamic List .......................................................... 100
6.7 Create an Anti-Spyware Profile with DNS Sinkhole ........................................................ 102
6.8 Test the Security Policy Rule ............................................................................................ 103
6.9 Review the Logs ................................................................................................................ 104
6.10 Create a Security Policy Rule with a Vulnerability Protection Profile ........................... 106
6.11 Test the Security Policy Rule .......................................................................................... 108
6.12 Review the Logs .............................................................................................................. 109
6.13 Update the Vulnerability Profile ..................................................................................... 109
6.14 Create a Security Profile Group ...................................................................................... 111
6.15 Create a File Blocking Profile ......................................................................................... 115
6.16 Modify a Security Profile Group ..................................................................................... 116
6.17 Test the File Blocking Profile ......................................................................................... 117
6.18 Create a File Blocking Profile to Block Multi-Level Encoded Files .............................. 117
6.19 Modify the Security Policy Rule ..................................................................................... 118
6.20 Test the File Blocking Profile with Multi-Level Encoding............................................. 119
6.21 Modify the Security Policy Rule ..................................................................................... 119
6.22 Test the File Blocking Profile with Multi-Level Encoding............................................. 119
6.23 Create a Danger Security Policy Rule ............................................................................. 120
6.24 Generate Threats ............................................................................................................. 123
6.25 Modify a Security Profile Group ..................................................................................... 124
6.26 Generate Threats ............................................................................................................. 125
7. Lab: URL Filtering ................................................................................................................. 126
Lab Objectives......................................................................................................................... 126
7.0 Load a Lab Configuration ................................................................................................. 126
7.1 Create a Security Policy Rule with a Custom URL Category........................................... 127
7.2 Test a Security Policy Rule ............................................................................................... 131
7.3 Review the Logs ................................................................................................................ 132
7.4 Configure an External Dynamic List ................................................................................ 133
7.5 Test a Security Policy Rule ............................................................................................... 136
7.6 Review the Logs ................................................................................................................ 136

7.7 Create a Security Policy Rule with a URL Filtering Profile ............................................. 137
7.8 Test a Security Policy Rule with a URL Filtering Profile................................................. 138
7.9 Review the Logs ................................................................................................................ 139
8. Lab: Decryption ...................................................................................................................... 140
Lab Objectives......................................................................................................................... 140
8.0 Load a Lab Configuration ................................................................................................. 140
8.1 Test the Firewall Behavior Without Decryption ............................................................... 142
8.2 Create Two Self-Signed Certificates ................................................................................. 144
8.3 Create a Custom Decryption URL Category..................................................................... 146
8.4 Create a Decryption Policy ............................................................................................... 147
8.5 Test an AV Security Profile with the Decryption Policy .................................................. 150
8.6 Export the Firewall Certificate .......................................................................................... 151
8.7 Import the Firewall Certificate .......................................................................................... 152
8.8 Test the Decryption Policy ................................................................................................ 153
8.9 Review the Logs ................................................................................................................ 156
8.10 Test URL Filtering with Decryption ............................................................................... 157
9. Lab: WildFire .......................................................................................................................... 159
Lab Objectives......................................................................................................................... 159
9.0 Load a Lab Configuration ................................................................................................. 159
9.1 Create a WildFire Analysis Profile ................................................................................... 160
9.2 Modify a Security Profile Group ....................................................................................... 161
9.3 Test the WildFire Analysis Profile .................................................................................... 162
10. Lab: User-ID ......................................................................................................................... 166
Lab Objectives......................................................................................................................... 166
10.0 Load a Lab Configuration ............................................................................................... 166
10.1 Enable User-ID on the Inside Zone ................................................................................. 167
10.2 Configure the LDAP Server Profile ................................................................................ 167
10.3 Configure User-ID Group Mapping ................................................................................ 169
10.4 Configure an Integrated Firewall Agent.......................................................................... 170
10.5 Verify the User-ID Configuration ................................................................................... 172
10.6 Review the Logs .............................................................................................................. 173

10.7 Create a Security Policy Rule.......................................................................................... 174
10.8 Review the Logs .............................................................................................................. 177
11. Lab: GlobalProtect ................................................................................................................ 179
Lab Objectives......................................................................................................................... 179
11.0 Load the Lab Configuration ............................................................................................ 179
11.1 Configure a Subinterface ................................................................................................. 180
11.2 Generate Self-Signed Certificates ................................................................................... 183
11.3 Configure the SSL-TLS Service Profile.......................................................................... 185
11.4 Configure the LDAP Server Profile ................................................................................ 187
11.5 Configure the Authentication Profile .............................................................................. 188
11.6 Configure the Tunnel Interface ....................................................................................... 189
11.7 Configure the Internal Gateway ...................................................................................... 190
11.8 Configure the External Gateway ..................................................................................... 192
11.9 Configure the Portal ........................................................................................................ 196
11.10 Host the GlobalProtect Agent on the Portal .................................................................. 201
11.11 Create a Security Policy Rule........................................................................................ 202
11.12 Create a No-NAT Rule .................................................................................................. 204
11.13 Download the GlobalProtect Agent .............................................................................. 206
11.14 Connect to the External Gateway .................................................................................. 207
11.15 View the User-ID Information ...................................................................................... 211
11.16 Disconnect the Connected User .................................................................................... 211
11.17 Configure a DNS Proxy ................................................................................................ 212
11.18 Connect to the Internal Gateway ................................................................................... 214
11.19 Reset the DNS ............................................................................................................... 216
12. Lab: Site-to-Site VPN ........................................................................................................... 219
Lab Objectives......................................................................................................................... 219
12.0 Load a Lab Configuration ............................................................................................... 219
12.1 Configure the Tunnel Interface ....................................................................................... 220
12.2 Configure the IKE Gateway ............................................................................................ 222
12.3 Create an IPSec Crypto Profile ....................................................................................... 224
12.4 Configure the IPsec Tunnel ............................................................................................. 225

12.5 Test the Connectivity ...................................................................................................... 227
13. Lab: Monitoring and Reporting ............................................................................................ 229
Lab Objectives......................................................................................................................... 229
13.0 Load a Lab Configuration ............................................................................................... 229
13.1 Generate Traffic .............................................................................................................. 230
13.2 Explore the Session Browser........................................................................................... 230
13.3 Explore the App Scope Reports ...................................................................................... 232
13.4 Explore the ACC ............................................................................................................. 236
13.5 Investigate the Traffic ..................................................................................................... 241
13.6 Generate a User Activity Report ..................................................................................... 244
13.7 Create a Custom Report .................................................................................................. 245
13.8 Create a Report Group..................................................................................................... 248
13.9 Schedule a Report Group Email ...................................................................................... 248
14. Lab: Active/Passive High Availability ................................................................................. 250
Lab Objectives......................................................................................................................... 250
14.0 Load a Lab Configuration ............................................................................................... 250
14.1 Display the HA Widget ................................................................................................... 251
14.2 Configure the HA Interface ............................................................................................. 252
14.3 Configure Active/Passive HA ......................................................................................... 253
14.4 Configure HA Monitoring ............................................................................................... 255
14.5 Observe the Behavior of the HA Widget ........................................................................ 258
15. Lab: Capstone ....................................................................................................................... 260
15.0 Load a Lab Configuration ............................................................................................... 260
15.1 Configure Interfaces and Zones ...................................................................................... 261
15.2 Configure Security and NAT Policy Rules ..................................................................... 261
15.3 Create and Apply Security Profiles ................................................................................. 262
15.4 Configure GlobalProtect ................................................................................................. 263

Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.
Convention: Bolding
Meaning: Names of selectable items in the web interface
Example: Click Security to open the Security Rule Page

Convention: Consolas font
Meaning: Text that you enter and coding examples
Example: Enter the following command:
    a:\setup
  The show arp all command yields this output:
    username@hostname> show arp
    <output>

Convention: Click
Meaning: Click the left mouse button
Example: Click Administrators under the Device tab

Convention: Right-click
Meaning: Click the right mouse button
Example: Right-click the number of a rule you want to copy, and select Clone Rule

Convention: < > (text enclosed in angle brackets)
Meaning: Denotes a variable parameter. The actual value to use is defined in the Lab Guide document.
Example: Click Add again and select <Internal Interface>

How to Use This Lab Guide
The Lab Guide contains exercises that correspond to modules in the Student Guide. Each lab
exercise consists of step-by-step, task-based labs. The final lab is based on a scenario that you
will interpret and use to configure a comprehensive firewall solution.
The following diagram provides a basic overview of the lab environment:

1. Lab: Security Operating Platform and Architecture

There is no lab exercise associated with this module.

2. Lab: Initial Configuration

Lab Objectives
• Load a configuration.
• Create an administrator role.
• Create a new administrator account and apply an administrator role.
• Observe the newly created role permissions via the CLI and web interface.
• Create and test a commit lock.
• Configure DNS servers for the firewall.
• Schedule dynamic updates.

2.0 Connect to Your Student Firewall


1. Launch the Chrome browser and connect to https://192.168.1.254.
Move past any security warnings until you see the web interface login window.
2. Log in to the Palo Alto Networks firewall using the following:

Parameter Value
Username admin
Password admin

2.1 Apply a Baseline Configuration to the Firewall


To start this lab exercise, you will load a preconfigured firewall configuration file.
3. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
4. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.


5. Click the drop-down list next to the Name text box and select edu-210-lab-02.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers:

6. Click OK to close the Load Named Configuration window.


A window should appear that confirms that the configuration is being loaded.
7. Click Close to close the Loading Configuration window.
8. Click the Commit link at the upper right of the web interface:

A Commit window should appear.
9. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
10. Click Close to continue.

2.2 Add an Admin Role


Admin roles determine the access privileges and responsibilities of administrative users. The
firewall is preconfigured with three predefined admin roles that you can use for common
purposes. You can create custom admin roles to define the privileges and responsibilities for
your administrative users.
In this section, you will create a new admin role called the policy-admins-role. You will
configure this role so that any administrators who belong to this role will not have access to
certain areas of the firewall’s web interface.
11. In the web interface, select Device > Admin Roles.
12. Click Add in the lower-left corner of the panel and create a new administrator role using
the following:
Parameter Value
Name Type policy-admins-role
Description Type Policy Administrators
The web interface provides a Description or Comment field for most of the configuration
options available. You should get into the habit of providing details about each object that you
create as a normal part of your configuration. By adding a comment or description to your
objects, you or other firewall administrators easily can determine the purpose of an entry by
reading the field.
13. Click the Web UI tab. Click the icon next to each of the following to disable it:
Monitor
Network
Device
Privacy
Note: You will need to scroll down in the window to locate Network, Device, and Privacy.
14. Click the XML/REST API tab and verify that all items are disabled.

The XML/REST API tab is used to assign permissions to roles to send information to or receive
information from the firewall through the XML API. If you will use the XML API, you should
create a specific account for that process and define permissions through a specific admin role.
15. Click the Command Line tab and verify that the selection is None.
In this role, you are explicitly restricting the role from using the command line interface, or CLI.
Any account associated with this role will not be able to access the firewall through the CLI.
16. Click OK to continue.
A new admin role should appear in the web interface.
17. Verify that your configuration is like the following:

2.3 Add an Administrator Account


Administrator accounts control access to the firewalls. A firewall administrator can have full
access or read-only access to a single firewall or a virtual system on a single firewall. The
firewall has a predefined admin account that has full access to the firewall.
In this section, you will create a new admin account and assign it to the policy-admins-role
you created in the previous section.
18. In the web interface, select Device > Administrators.
19. Click Add in the lower-left corner of the panel to open the Administrator configuration
window and configure the following:
Parameter Value
Name Type policy-admin
Authentication Profile Verify that None is selected
Password Type paloalto
Administrator Type Select the Role Based radio button
Profile Select policy-admins-role from the drop-down list
Password Profile Verify that None is selected

20. Click OK to create the policy-admin administrator user.
A new administrator account should appear in the web interface. The Profile setting places this
new administrator account into the role you defined for Policy Administrators. This account will
now be limited to accessing only those tabs in the web interface that you enabled in the
policy-admins-role.
21. Verify that your configuration is like the following:

22. Click the Commit link at the upper right of the web interface:
A Commit window should appear.
23. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
24. Click Close to continue.

2.4 Test the policy-admin User


25. On the Windows desktop, double-click the PuTTY icon.
26. Double-click firewall-management:

27. Log in using the following information:
Parameter Value
Name admin
Password admin
The role assigned to this account is allowed CLI access, so the connection should succeed.
28. Close the PuTTY window.
This action will end the admin user session.
29. Again open PuTTY from the Windows desktop.
30. Double-click firewall-management.
31. Log in using the following information:
Parameter Value
Name policy-admin
Password paloalto
The PuTTY window immediately closes because the admin role assigned to this account denies
CLI access.
32. Open the Internet Explorer browser in private/incognito mode and browse to
https://192.168.1.254.
A Certificate Warning dialog might appear. Click through any certificate warnings.
The Palo Alto Networks firewall login page opens.
33. Log in using the following information (this must be done in a different browser from
the one where you are logged in as admin):

Parameter Value
Name policy-admin
Password paloalto
34. Close the Welcome window if one is presented.
Notice that several tabs and some functions are missing from the web interface. The admin role
assigned to the user account controls which tasks the user can perform in the web interface:

2.5 Take a Commit Lock and Test the Lock
The web interface supports multiple concurrent administrator sessions. An administrator can
lock the candidate or running configuration so that other administrators cannot change the
configuration until the lock is removed.
35. From the web interface where you are logged in as policy-admin, click the transaction
lock icon to the right of the Commit link:

The Locks window should appear.


36. Click Take Lock in the lower-left corner of the panel and configure the following:
Parameter Value
Type Select Commit from the drop-down list
Comments Type Policy Admin Lock

37. Click OK to close the Take lock window.


The policy-admin lock is listed in the Locks window.
38. Click Close to close the Locks window.
Notice that you do not need to Commit your changes for the Lock to take effect.
39. Click the Logout button in the lower-left corner of the web interface.
40. Close the policy-admin browser window.
41. Return to the web interface where you are logged in as the admin account.
Refresh the web interface. Notice the lock icon in the upper-right corner of the web interface.

42. In the web interface, select Device > Administrators.
43. Click Add to add another administrator account and configure the following:
Parameter Value
Name Type test-lock
Authentication Profile Verify that None is selected
Password Type paloalto
Administrator Type Select the Role Based radio button
Profile Select policy-admins-role from the drop-down list
Password Profile Verify that None is selected

44. Click OK to create the test-lock administrator account.


A new administrator account should appear in the web interface.
45. Commit all changes.
An Error window should appear that tells you that someone else has taken a commit lock.

Although you could add a new administrator account, you are not allowed to commit the
changes because of the Commit lock set by the policy-admin user.
46. Click Close.
47. Click the transaction lock icon in the upper-right corner:

48. Select the policy-admin lock and click Remove Lock:

Note: The user that initially took the lock or any superuser can remove a lock.
A Remove lock window appears.
49. Click OK to remove the lock.
The lock should be removed from the list.
50. Click Close to close the Locks window.
51. Commit all changes.
Now that the lock is removed, you can commit your changes.
52. Select the test-lock administrator account and then click Delete to delete the test-lock
user.
The test-lock account was created only to show the error message that is generated when a commit
is issued while a lock is present. The test-lock account will not be used in later sections of the
lab. In general, you should remove any administrator accounts that are no longer valid.
53. Click Yes to confirm the deletion.
54. Commit all changes.

2.6 Verify the Update and DNS Servers


The DNS server configuration settings are used for all DNS queries that the firewall initiates
in support of FQDN Address objects, logging, and firewall management.
55. In the web interface, select Device > Setup > Services.
56. Open the Services window by clicking the gear icon in the upper-right corner of the
Services panel:

57. Verify that the Primary DNS Server is configured as 4.2.2.2 and the Secondary DNS
Server is configured as 8.8.8.8.
The DNS server settings that you configure do not have to be public servers, but the firewall
needs to be able to resolve hostnames such as updates.paloaltonetworks.com and
wildfire.paloaltonetworks.com to provide various services such as WildFire® or URL filtering.
58. Verify that the Update Server is configured to updates.paloaltonetworks.com.
59. Click OK to close the Services window.

2.7 Schedule Dynamic Updates


Palo Alto Networks regularly posts updates for new and modified application detection, threat
protection, and GlobalProtect data files through dynamic updates. Even though these
definitions are published at predefined intervals (daily or weekly), Palo Alto Networks often
releases emergency updates to address newly discovered threats. These definitions should be
downloaded and applied to the firewall as soon as possible. If you set schedules, you can
automate this process so that the firewall has the most recent protection definitions.
60. In the web interface, select Device > Dynamic Updates.
61. Locate and click the Schedule hyperlink on the far right of Antivirus:

The Antivirus Update Schedule window should open.


New antivirus signatures are released daily.
62. Configure the following:
Parameter Value
Recurrence Select Daily from the drop-down list
Time Select 01:00 from the drop-down list
Action Select download-and-install from the drop-down list

63. Click OK to close the Antivirus Update Schedule window:

64. Locate and click the Schedule hyperlink on the far right of Application and Threats:

The Applications and Threats Update Schedule window should open.


New threat signatures are published weekly, and application updates are published monthly.
65. Configure the following:
Parameter Value
Recurrence Select Daily from the drop-down list
Time Select 01:15 from the drop-down list
Action Select download-and-install from the drop-down list

66. Click OK to close the Applications and Threats Update Schedule window:

67. Locate and click the Schedule hyperlink on the far right of WildFire:

The WildFire Update Schedule window opens.


WildFire signature updates are made available every five minutes.
68. Configure the following:
Parameter Value
Choice Select Every Minute from the drop-down list
Action Select download-and-install from the drop-down list

69. Click OK to close the WildFire Update Schedule window.

70. Commit all changes.

Stop. This is the end of the Initial Configuration lab.

3. Lab: Interface Configuration

Lab Objectives
• Create security zones two different ways and observe the time saved.
• Create Interface Management Profiles to allow ping and response pages.
• Configure Ethernet interfaces to observe DHCP client options and static configuration.
• Create a virtual router and attach configured Ethernet interfaces.
• Test connectivity with automatic default route configuration and static configuration.

3.0 Load a Lab Configuration


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.


3. Click the drop-down list next to the Name text box and select edu-210-lab-03.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

4. Click OK to close the Load Named Configuration window.
A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:

A Commit window should appear.


7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
8. Click Close to continue.

3.1 Create a New Security Zone


Security zones are a logical way to group physical and virtual interfaces on the firewall to
control and log the traffic that traverses your network through the firewall. An interface on the
firewall must be assigned to a security zone before the interface can process traffic. A zone
can have multiple interfaces of the same type (for example, Tap, Layer 2, or Layer 3
interfaces) assigned to it, but an interface can belong to only one zone.
9. In the web interface, select Network > Zones.
10. Click Add to create a new zone.
The Zone configuration window should appear.
11. Configure the following:
Parameter Value
Name Type outside
Type Select Layer3 from the drop-down list

12. Click OK to close the Zone configuration window.
A new outside zone should appear in the web interface.
The outside zone is the only zone created in this task. You will add an Ethernet interface to this
zone in a later lab step.

3.2 Create Interface Management Profiles


An Interface Management Profile protects the firewall from unauthorized access by defining
the services and IP addresses that a firewall interface permits. You can assign an Interface
Management Profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical
interfaces (aggregate, VLAN, loopback, and tunnel interfaces).
13. In the web interface, select Network > Network Profiles > Interface Mgmt.
14. Click Add to create an Interface Management Profile.
The Interface Management Profile configuration window should appear.
15. Configure the following:
Parameter Value
Name Type ping-and-response-pages
Network Services Select Ping and Response Pages check boxes

16. Click OK to close the Interface Management Profile configuration window.
A new Interface Management Profile should appear in the web interface.
17. Click Add to create another Interface Management Profile.
The Interface Management Profile configuration window should appear.
18. Configure the following:
Parameter Value
Name Type ping-only
Network Services Select the Ping check box

19. Click OK to close the Interface Management Profile configuration window.
A new Interface Management Profile should appear in the web interface.
20. Verify that your configuration is like the following:

3.3 Configure Ethernet Interfaces


Firewall interfaces, or ports, enable a firewall to connect with other network devices and other
interfaces within the firewall. The interface configuration of the firewall ports enables traffic
to enter and exit the firewall. You can configure the firewall interfaces for virtual wire, Layer
2, Layer 3, and tap mode deployments.
21. In the web interface, select Network > Interfaces > Ethernet.
In the next few steps, you will configure ethernet1/2 as a Layer 3 interface and assign it a static
IP address. This interface is logically connected to the Windows workstation and will operate as
the workstation’s default gateway (192.168.1.1).

22. Click ethernet1/2 to configure the interface.
The Ethernet Interface window should appear.
23. Configure the following:
Parameter Value
Comment Type inside interface
Interface Type Select Layer3 from the drop-down list
Virtual Router Verify that None is selected
24. Click the Security Zone drop-down list and select New Zone:

The Zone configuration window opens. Selection of New Zone from the Security Zone drop-
down list is an alternate way to create security zones. You can either create them all at once or
you can create them as you are defining your network interfaces.
25. Configure the following:
Parameter Value
Name Type inside
Type Verify that Layer3 is selected

26. Click OK to close the Zone configuration window:

27. Click the Ethernet Interface IPv4 tab.
28. Configure the following:
Parameter Value
Type Verify that the Static radio button is selected
IP Click Add and type 192.168.1.1/24
Be sure to include the CIDR mask for the interface IP address.

29. Click the Advanced tab.


30. Click the Management Profile drop-down list and select ping-and-response-pages:

Remember that the Management Profile you select here determines which network services
(ping, SNMP, SSH) an interface will answer. You must define a Management Profile before you
can assign it to an interface.
31. Click OK to close the Ethernet Interface configuration window.
32. Click ethernet1/3 to configure the interface.
The Ethernet Interface window should appear.
33. Configure the following:

Parameter Value
Comment Type dmz interface
Interface Type Select Layer3 from the drop-down list
Virtual Router Verify that None is selected
34. Click the Security Zone drop-down list and select New Zone.
The Zone configuration window should appear.
35. Configure the following:
Parameter Value
Name Type dmz
Type Verify that Layer3 is selected

36. Click OK to close the Zone configuration window:

37. Click the IPv4 tab.


38. Configure the following:
Parameter Value
Type Verify that the Static radio button is selected
IP Click Add and type 192.168.50.1/24

39. Click the Advanced tab.
40. Click the Management Profile drop-down list and select ping-only.

41. Click OK to close the Ethernet Interface configuration window.


42. Click ethernet1/1 to configure the interface.
43. Configure the following:
Parameter Value
Comment Type outside interface
Interface Type Select Layer3 from the drop-down list
Virtual Router Verify that None is selected
Security Zone Select outside from the drop-down list

44. Click the IPv4 tab and configure the following:


Parameter Value
Type Select the DHCP Client radio button

Note the Automatically create default route pointing to default gateway provided by server
option. This option automatically installs a default route based on DHCP option 3 (the router option).
45. Click OK to close the Ethernet Interface configuration window.
We are setting the external interface (ethernet1/1) on the firewall to obtain an IP address from
an external DHCP server. You might need to use this feature if you are installing a firewall at a
branch location and the ISP does not offer static IP addresses. Later in this lab you will change
the IP address from a dynamic or DHCP assigned address to a static IP address.
46. Click ethernet1/4 to configure the interface.
You will configure ethernet1/4 and ethernet1/5 as vwire interfaces and then configure a virtual
wire using each of these interfaces.
47. Configure the following:
Parameter Value
Comment Type vWire zone named danger
Interface Type Select Virtual Wire from the drop-down list
Virtual Wire Verify that None is selected
48. Click the Security Zone drop-down list and select New Zone.
The Zone configuration window should appear.
49. Configure the following:
Parameter Value
Name Type danger
Type Verify that Virtual Wire is selected

50. Click OK to close the Zone configuration window:

51. Click OK to close the Ethernet Interface configuration window.


52. Click ethernet1/5 to open the interface.
53. Configure the following:
Parameter Value
Comment Type vWire zone named danger
Interface Type Select Virtual Wire from the drop-down list
Virtual Wire Verify that None is selected
Security Zone Select danger from the drop-down list

54. Click OK to close the Ethernet Interface configuration window.

55. Verify that your configuration is like the following:

3.4 Create a Virtual Wire


A virtual wire interface binds two Ethernet ports. A virtual wire interface allows all traffic or
just selected VLAN traffic to pass between the ports. No other switching or routing services
are available.
56. In the web interface, select Network > Virtual Wires.
57. Click Add and configure the following:
Parameter Value
Name Type danger
Interface 1 Select ethernet1/4 from the drop-down list
Interface 2 Select ethernet1/5 from the drop-down list
Note: Even though you set ethernet1/4 and ethernet1/5 to Virtual Wire mode in the interface
settings, you must still create a virtual wire and select the appropriate interface.

58. Click OK to create your virtual wire.


A new virtual wire should appear in the web interface.

59. Verify that your configuration is like the following:

3.5 Create a Virtual Router


The firewall requires a virtual router to obtain routes to other subnets either using static routes
that you manually define or through participation in Layer 3 routing protocols that provide
dynamic routes. The firewall has a predefined virtual router named default.
A virtual router is a separate routing instance that allows the firewall to route traffic from one
network to another through its Layer 3 interfaces. In our environment, we have three networks
– 192.168.1.0/24, 192.168.50.0/24, and 203.0.113.0/24. You will modify the default virtual
router and add the firewall’s interfaces from each of these networks to the virtual router.
Because we are using Layer 3 interfaces, the firewall must have a way to route traffic from
one network to another; this process is done with a virtual router. However, because each
interface is in a different security zone, the Security rules will prevent traffic in one network
from going to another network through the firewall.
60. In the web interface, select Network > Virtual Routers.
61. Click default to open the default virtual router.
The Virtual Router - default configuration window should appear.
62. Rename the default router lab-vr.
63. Locate the General tab > Interfaces box and click Add.
64. Add the following interfaces: ethernet1/1, ethernet1/2, and ethernet1/3:

Note: This step also can be completed via each Ethernet Interface configuration window.
65. Click OK to close the Virtual Router - default window.

The lab-vr virtual router should appear in the web interface.
66. Commit all changes.

3.6 Test Connectivity


67. On the Windows desktop, double-click the PuTTY icon.
68. Double-click firewall-management:

69. Log in using the following:


Parameter Value
Name admin
Password admin
70. In the CLI, enter the command show interface ethernet1/1.
The CLI command output should be like the following:

From the command output, you should be able to see the IP address obtained by DHCP. It
should be 203.0.113.21/24.
71. From the CLI, enter the command show routing route.
The CLI command output should be like the following:

The command output should show you the firewall’s default route that was installed as part of
the DHCP lease.
72. From the CLI, enter the command ping source 203.0.113.21 host 8.8.8.8.
Because a default route automatically was added to your route table, you should receive replies
from 8.8.8.8:

Note: The host you are pinging from is the firewall itself. The ping command is used to verify
the firewall’s connectivity to the internet.
73. Press Ctrl+C to stop the ping.
Do not exit out of the PuTTY window. You will use the session again in the next section of the
lab.
74. On the Windows desktop, double-click CMD to open a command-prompt window.
75. Type the command ping 192.168.1.1:

In this task, you are pinging from the Windows host to its default gateway, which is ethernet1/2
on the firewall. Verify that you get a reply before proceeding.
Note: If you try to ping 8.8.8.8 from the Windows host, you will not receive a response. You
currently do not have Security rules or NAT rules in place on the firewall to allow internal traffic
out to the Internet.
76. Type Exit to close the command-prompt window.

3.7 Modify Outside Interface Configuration


In this section, you will reconfigure Ethernet Interface 1/1 to use a static IP address and add a
static route to your virtual router. Under most conditions you will configure the firewall’s
Layer 3 interfaces with static IP addresses. We initially configured ethernet1/1 to use the
DHCP client function only to illustrate the feature should you ever need it.
77. In the web interface, select Network > Interfaces > Ethernet.
78. Select but do not open ethernet1/1:

79. Click Delete, then click Yes.


80. Commit all changes.
This action will force the interface to release the former DHCP-assigned IP address.
81. Click ethernet1/1 to configure the interface.
The Ethernet Interface window should appear.
82. Configure the following:
Parameter Value
Comment Type outside interface
Interface Type Select Layer3 from the drop-down list
Virtual Router Select lab-vr from the drop-down list
Security Zone Select outside from the drop-down list

83. Click the IPv4 tab and configure the following:
Parameter Value
Type Verify that the Static radio button is selected
IP Click Add and type 203.0.113.20/24

84. Click OK to close the Ethernet Interface configuration window.


85. In the web interface, select Network > Virtual Routers.
86. Click the lab-vr virtual router to open.
The Virtual Router – lab-vr configuration window should appear.
87. Click the Static Routes vertical tab:

88. Click Add and configure the following static route:


Parameter Value
Name Type default-route
Interface Select ethernet1/1 from the drop-down list
Destination Type 0.0.0.0/0
Next Hop Verify that IP Address is selected
Next Hop IP Address Type 203.0.113.1

This step is very important! As with any other network host using IP, the firewall itself must have
a default gateway. Without this entry, the firewall can send traffic only to the networks to which it
has interface connections (192.168.1.0/24, 192.168.50.0/24, and 203.0.113.0/24).
89. Click OK to add the static route.
90. Click OK to close the Virtual Router – lab-vr configuration window.
91. Commit all changes.
92. Make the PuTTY window that was used to ping 8.8.8.8 the active window.
93. Type the command ping source 203.0.113.20 host 8.8.8.8:

You should be able to successfully ping 8.8.8.8 from the firewall itself.
94. Close the PuTTY window.
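The "connected networks only" behaviour that the default-route step fixes, as an added example that is not part of the lab guide or of PAN-OS: a Python longest-prefix-match lookup over the routing table the lab builds (the connected routes created by the Layer 3 interfaces attached to lab-vr in section 3.5, plus the default-route static route from step 88). The route entries are constructed from the lab values and the function names are this example's own; a PAN-OS virtual router additionally weighs administrative distance, which this model leaves out.

```python
"""Longest-prefix-match lookup over the Lab 3 routing table (added example).

Shows why the firewall can reach only directly connected subnets until the
default-route static route from section 3.7 exists. Routes are constructed
from the lab values; the data structure and function names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    destination: str          # prefix in CIDR notation
    interface: str            # egress interface
    nexthop: Optional[str]    # None for a directly connected route
    metric: int = 10          # PAN-OS static routes default to metric 10


# Connected routes appear once ethernet1/1-1/3 carry Layer 3 addresses and are
# attached to the lab-vr virtual router (values constructed from the lab).
CONNECTED = [
    Route("192.168.1.0/24", "ethernet1/2", None, 0),
    Route("192.168.50.0/24", "ethernet1/3", None, 0),
    Route("203.0.113.0/24", "ethernet1/1", None, 0),
]

# The static route added in section 3.7, step 88.
DEFAULT_ROUTE = Route("0.0.0.0/0", "ethernet1/1", "203.0.113.1")


def lookup(fib, dst):
    """Return the best route for dst: longest prefix wins, then lowest metric."""
    addr = ip_address(dst)
    candidates = [r for r in fib if addr in ip_network(r.destination)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ip_network(r.destination).prefixlen, -r.metric))


def reachable(fib, dst):
    """True when the table holds any route covering dst."""
    return lookup(fib, dst) is not None


def forwarding_decision(fib, dst):
    """Describe where a packet to dst goes, as the data plane would decide."""
    route = lookup(fib, dst)
    if route is None:
        return f"{dst}: no route (dropped)"
    if route.nexthop is None:
        return f"{dst}: directly connected via {route.interface}"
    return (f"{dst}: via {route.nexthop} on {route.interface} "
            f"(matched {route.destination})")


if __name__ == "__main__":
    for dst in ("192.168.1.20", "192.168.50.10", "8.8.8.8"):
        print("without default route:", forwarding_decision(CONNECTED, dst))
        print("with default route:   ",
              forwarding_decision(CONNECTED + [DEFAULT_ROUTE], dst))
```

Running the block prints the three destinations twice: the two lab subnets resolve to their connected interface in both tables, while 8.8.8.8 is dropped until the 0.0.0.0/0 entry is present, which is exactly what the two ping tests in sections 3.6 and 3.7 observe.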

Stop. This is the end of the Interface Configuration lab.

4. Lab: Security and NAT Policies

Lab Objectives
• Create tags for later use with Security policy rules.
• Create a basic source NAT rule to allow outbound access and an associated Security
policy rule to allow the traffic.
• Create a destination NAT rule for the FTP server and an associated Security policy rule
to allow the traffic.

4.0 Load a Lab Configuration


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.
3. Click the drop-down list next to the Name text box and select edu-210-lab-04.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers:

4. Click OK to close the Load Named Configuration window.


A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:

A Commit window should appear.


7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
8. Click Close to continue.

4.1 Create Tags


Tags are color-coded labels and enable you to group, sort, and filter objects using keywords or
phrases. Tags can be applied to Address objects, Address Groups (static and dynamic),
services, Service Groups, and policy rules. Tags can be assigned a color that makes the results
of a search easier to find in the web interface.
When used with Comments or Descriptions, Tags can help administrators to more easily
determine how a firewall has been configured and the purpose of its various rules, objects, and
entries. In the following steps, you will assign a description to a tag, assign the tag a color,
and apply the tag to different policies.

9. In the web interface, select Objects > Tags.
Two default tags are available, empty and Sanctioned, which cannot be deleted or modified.
10. Click Add to define a new tag.
The Tag configuration window should appear.
11. Configure the following:
Parameter Value
Name Select danger from the drop-down list
Color Select Purple from the drop-down list
Comments Type Danger Tag

The firewall allows you to create tags based on existing security zones, which is why danger,
dmz, outside, and inside already appear in the drop-down list.
12. Click OK to close the Tag configuration window.
A new danger tag should appear in the web interface.
13. Click Add to define another new tag.
The Tag configuration window should appear.
14. Configure the following:
Parameter Value
Name Type egress
Color Select Blue from the drop-down list
Comments Type Egress Tag

15. Click OK to close the Tag configuration window.
A new egress tag should appear in the web interface.
16. Click Add to define another new tag.
The Tag configuration window should appear.
17. Configure the following:
Parameter Value
Name Select dmz from the drop-down list
Color Select Orange from the drop-down list
Comments Type DMZ Tag

18. Click OK to close the Tag configuration window.


A new dmz tag should appear in the web interface.
19. Click Add to define the final new tag.
The Tag configuration window should appear.
20. Configure the following:
Parameter Value
Name Type internal
Color Select Yellow from the drop-down list
Comments Type Internal Tag

21. Click OK to close the Tag configuration window.


A new internal tag should appear in the web interface.

22. Verify that your configuration is like the following:

If you create a Tag and use the same name you used for a security zone, the firewall will apply
that tag to the appropriate security zone in any tables where zones are displayed. Note that the
label you create for a zone must match exactly, including lowercase and uppercase.

4.2 Create a Source NAT Policy


The firewall typically uses Source NAT to translate traffic from internal hosts (often on
private networks) to a public, routable address (often an interface on the firewall itself). NAT
rules provide address translation and are different from Security policy rules, which allow and
deny packets. You can configure a NAT Policy rule to match a packet’s source and
destination zone, destination interface, source and destination address, and service.
23. In the web interface, select Policies > NAT.
24. Click Add to define a new source NAT policy.
The NAT Policy Rule configuration window should appear.
25. Configure the following:
Parameter Value
Name Type source-egress-outside
Tags Select egress from the drop-down list
Group Rules By Tag Select egress from the drop-down list
NAT Type Verify that ipv4 is selected
Audit Comment Type Created egress NAT Policy on <date> by
<Your-Role>

26. Click the Original Packet tab and configure the following:
Parameter Value
Source Zone Click Add and select the inside zone
Destination Zone Select outside from the drop-down list
Destination Interface Select ethernet1/1 from the drop-down list
Service Verify that any is selected
Source Address Verify that the Any check box is selected
Destination Address Verify that the Any check box is selected

This section defines what the packet will look like when it reaches the firewall.
27. Click the Translated Packet tab and configure the following under the section for
Source Address Translation:
Parameter Value
Translation Type Select Dynamic IP And Port from the drop-down list
Address Type Select Interface Address from the drop-down list
Interface Select ethernet1/1 from the drop-down list
IP Address Select 203.0.113.20/24 from the drop-down list. (Make sure
that you select the interface IP address from the drop-down
list and do not type it.)

This section defines how the firewall will translate the packet.
Note: You are configuring only the Source Address Translation part of this window. Leave the
Destination Address Translation set to None.
28. Click OK to close the NAT Policy Rule configuration window.
A new NAT policy should appear in the web interface.
You will not be able to access the internet yet. You will need to configure a Security policy to
allow traffic to flow between zones.
29. Verify that your configuration is like the following:

4.3 Create Security Policy Rules


Security policy rules reference security zones and enable you to allow, restrict, and track traffic
on your network based on the application, user or user group, and service (port and protocol).
30. In the web interface, select Policies > Security.
31. Click Add to define a Security policy rule.
The Security Policy Rule configuration window should appear.
32. Configure the following:

Parameter Value
Name Type egress-outside
Rule Type Verify that universal (default) is selected
Tags Select egress from the drop-down list
Group Rules By Tag Select egress from the drop-down list
Audit Comment Type Created egress-outside Security Policy
on <date> by <Your-Role>

33. Click the Source tab and configure the following:


Parameter Value
Source Zone Click Add and select inside
Source Address Verify that the Any check box is selected

34. Click the Destination tab and configure the following:
Parameter Value
Destination Zone Click Add and select outside
Destination Address Verify that the Any check box is selected

35. Click the Application tab and verify that the Any check box is selected above
Applications:

We will use the Any setting for this rule now because we have not discussed applications yet.
Typically, your security rules will allow only those applications that you sanction for use in your
network. We will discuss applications later in the course.
36. Click the Service/URL Category tab and verify that application-default is selected
above Service.

The “application-default” setting and the URL Category section will be discussed later in the
course.
37. Click the Actions tab and verify the following:
Parameter Value
Action Setting Verify that Action is set to Allow
Log Setting Verify that the Log at Session End check box is selected

The setting for Log at Session End instructs the firewall to write an entry in the Traffic log after a
session has dropped from the Session table. If you enable Log at Session Start, the firewall will
create an entry when a session is established in the session table. Log at Session End is the
recommended setting, though you can enable both simultaneously to help troubleshoot a
specific rule.
38. Click OK to close the Security Policy Rule configuration window.
A new Security policy should appear in the web interface.
39. Verify that your configuration is like the following:

40. Commit all changes.
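How the two rulebases built in sections 4.2 and 4.3 fit together, as an added example that is not code from the lab guide or from PAN-OS: a Python model of one session evaluation, showing that the source-egress-outside NAT rule on its own only decides translation, and that the session is still denied by the predefined interzone-default rule until the egress-outside Security policy rule exists. Zone names, rule names and addresses come from the lab; the subnet-to-zone lookup, the dataclasses and the function names are this example's own assumptions. The Security rule's Service setting of application-default needs App-ID to evaluate, so the model treats it as any.

```python
"""NAT and Security policy evaluation for the Lab 4 rules (added example).

Not code from the lab guide or from PAN-OS. Zone, rule and address values
are the lab's; the lookup helper and function names are this example's own.
Conventions modelled: NAT rules match on pre-NAT zones; Security rules match
on pre-NAT addresses but post-NAT zones; with no explicit match, the
predefined intrazone-default rule allows and interzone-default denies.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed from the Lab 3 interface addresses: which subnet sits in which zone.
ZONE_SUBNETS = {
    "inside": "192.168.1.0/24",
    "dmz": "192.168.50.0/24",
    "outside": "203.0.113.0/24",
}


def zone_of(address):
    """A host's zone follows the route to it; the default route points to outside."""
    addr = ip_address(address)
    for zone, subnet in ZONE_SUBNETS.items():
        if addr in ip_network(subnet):
            return zone
    return "outside"


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    translated_src: str  # Dynamic IP And Port using the ethernet1/1 address


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    action: str = "allow"
    log_at_session_end: bool = True


SOURCE_NAT = [NatRule("source-egress-outside", "inside", "outside", "203.0.113.20")]
EGRESS_OUTSIDE = SecurityRule("egress-outside", "inside", "outside")


def evaluate(src, dst, nat_rules, security_rules):
    """Return the verdict dict for a new session from src to dst.

    Source NAT leaves the destination untouched, so the post-NAT zones used
    for the Security lookup equal the pre-NAT zones here.
    """
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    nat = next((r for r in nat_rules
                if r.from_zone == src_zone and r.to_zone == dst_zone), None)
    rule = next((r for r in security_rules
                 if r.from_zone == src_zone and r.to_zone == dst_zone), None)
    verdict = {
        "src_zone": src_zone,
        "dst_zone": dst_zone,
        "nat_rule": nat.name if nat else None,
        "translated_src": nat.translated_src if nat else src,
    }
    if rule is None:
        same_zone = src_zone == dst_zone
        verdict.update(rule="intrazone-default" if same_zone else "interzone-default",
                       action="allow" if same_zone else "deny",
                       logged=False)  # the predefined rules do not log by default
    else:
        verdict.update(rule=rule.name, action=rule.action,
                       logged=rule.log_at_session_end)
    return verdict


if __name__ == "__main__":
    win = "192.168.1.20"  # Windows host in the inside zone
    print(evaluate(win, "8.8.8.8", SOURCE_NAT, []))                    # NAT matched, still denied
    print(evaluate(win, "8.8.8.8", SOURCE_NAT, [EGRESS_OUTSIDE]))      # allowed, translated, logged
    print(evaluate(win, "192.168.50.10", SOURCE_NAT, [EGRESS_OUTSIDE]))  # dmz: no NAT, denied
```

The first call is the state after section 4.2: the NAT rule is found, yet the verdict is deny, which is why the guide says you cannot reach the internet until a Security policy rule exists. The third call shows that the same egress rule does nothing for inside-to-dmz sessions, which the later destination NAT section has to address with its own rule.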

4.4 Verify Internet Connectivity


In this section, you will test the configuration of your NAT and Security policies by accessing
different websites on the internet.
41. To test internet connectivity, open a different browser in private/incognito mode and
browse to msn.com and shutterfly.com.
42. Close the browser window.
43. In the web interface, select Monitor > Logs > Traffic.
44. Verify that there is allowed traffic that matches the Security policy rule egress-outside:

Traffic log entries from the internet test should be present. The log can take a minute or two
to update. If the entries are not present, click the refresh icon next to the Help (?) option.

4.5 Create an FTP Service


When you define Security policy rules for specific applications, you can select one or more
services that limit the port numbers that the applications can use.
45. In the web interface, select Objects > Services.
46. Click Add to define a service.
The Service configuration window should appear.
47. Configure the following:
Parameter Value
Name Type service-ftp
Protocol Verify that the TCP radio button is selected
Destination Port Type 20-21
Tags Select dmz from the drop-down list

A new service should appear in the web interface.


The host in the DMZ is preconfigured with an FTP server. This service matches the standard
control and data ports for FTP.
48. Click OK to close the Service configuration window.
49. Verify that your configuration is like the following:

4.6 Create a Destination NAT Policy


You are configuring destination NAT in the lab to become familiar with how destination NAT
works, not because it is necessary for the lab environment. You will connect from the Windows
host (192.168.1.20) to an interface address on the firewall (192.168.1.1). The firewall will
translate this connection to the DMZ server at 192.168.50.10.
50. In the web interface, select Policies > NAT.
51. Click Add to define a new destination NAT policy rule.
The NAT Policy Rule configuration window should appear.
52. Configure the following:
Parameter Value
Name Type destination-dmz-ftp
Tags Select internal from the drop-down list
Group Rules By Tag Select internal from the drop-down list
NAT Type Verify that ipv4 is selected
Audit Comment Type Created destination-dmz-ftp NAT Policy on <date> by <Your-Name>

Adding an Audit Comment creates an audit trail where you can track the history of changes to
the NAT policy rule.
53. Click the Original Packet tab and configure the following:
Parameter Value
Source Zone Click Add and select inside
Destination Zone Select inside from the drop-down list
Destination Interface Select ethernet1/2 from the drop-down list
Service Select service-ftp from the drop-down list
Destination Address Click Add and manually enter 192.168.1.1

The Original Packet tab defines how the packet will look when it reaches the firewall.
54. Click the Translated Packet tab and configure the following:
Parameter Value
Destination Address Translation
Translation Type Select Static IP from the drop-down list
Translated Address Type 192.168.50.10 (address of the DMZ server)

The Translated Packet tab defines how the firewall will translate a matching packet. Leave the
Source Address Translation section set to None because we are performing only destination
translation in this exercise.
55. Click OK to close the NAT Policy configuration window.
A new NAT policy should appear in the web interface.
56. Verify that your configuration is like the following:

4.7 Create a Security Policy Rule
57. In the web interface, select Dashboard.
58. Note the current time referenced by the firewall in the General Information box:

For this part of the lab, you will create a schedule and apply that schedule to a new security rule.
This section allows you to see how schedules can be used to apply security rules at different
times of the day.
59. In the web interface, select Policies > Security.
60. Click Add to define a new Security policy rule.
The Security Policy Rule configuration window should appear.
61. Configure the following:
Parameter Value
Name Type internal-dmz-ftp
Rule Type Verify that universal (default) is selected
Tags Select internal from the drop-down list
Group Rules By Tag Select internal from the drop-down list
Audit Comment Type Created internal-dmz-ftp Security Policy on <date> by <Your-Role>

Addition of an Audit Comment creates an audit trail where you can track the history of changes
to the Security policy rule.
62. Click the Source tab and configure the following:
Parameter Value
Source Zone Click Add and select inside
Source Address Verify that the Any check box is selected

63. Click the Destination tab and configure the following:
Parameter Value
Destination Zone Click Add and select dmz
Destination Address Click Add and manually enter 192.168.1.1

64. Click the Service/URL Category tab and configure the following:
Parameter Value
Service Click Add and select service-ftp from the drop-down menu
URL Category Verify that the Any check box is selected

65. Click the Actions tab and verify that Allow is selected.
66. Under the Actions tab, locate the Schedule drop-down list and select New Schedule:

The Schedule configuration window should appear.
By default, Security policy rules always are in effect (all dates and times). To limit a Security
policy to specific times, you can define schedules and then apply them to the appropriate policy
rules.
67. Configure the following:
Parameter Value
Name Type ftp-transfer-schedule
Recurrence Select Daily from the drop-down list
Start Time Enter 5 minutes from the time noted in Step 58 (firewall time)
End time Add 2 hours to the current firewall time and enter the value

Note: Input time in a 24-hour format.


68. Click OK to close the Schedule configuration window:

69. Click OK to close the Security Policy Rule configuration window.
A new Security policy should appear in the web interface.
70. Verify that your configuration is like the following:

71. Commit all changes.

4.8 Test the Connection


72. Wait for the scheduled time to start for the internal-dmz-ftp Security policy rule.
73. Open a new Chrome browser window in private mode and browse to
ftp://192.168.1.1.
Note: The connection to the FTP server can take several minutes.
74. At the prompt for login information, enter the following:
Parameter Value
User Name lab-user
Password paloalto

The 192.168.1.1 address is the inside interface address on the firewall. The firewall is not
hosting the FTP server. The fact that you were prompted for a username indicates that FTP was
allowed through the firewall to the DMZ server using destination NAT.
75. Verify that you can view the directory listing, and then close the Chrome browser
window:

76. In the web interface, select Monitor > Logs > Traffic.
77. Find the entries where the application ftp has been allowed by rule “internal-dmz-ftp.”
Notice the Destination address and rule matching.

78. As an alternate method to access the Traffic log in the web interface, select Policies >
Security.
79. From the drop-down icon next to the rule name for “internal-dmz-ftp,” select Log
Viewer:

This process will open the Traffic log and a log filter will automatically be applied to the Traffic
log to display only those entries that match the security rule “internal-dmz-ftp.”
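The NAT and Security policy interaction from tasks 4.6 and 4.7, as an added example (not Palo Alto Networks code and not part of the lab): it models the destination NAT rule and the scheduled Security rule you just entered and evaluates a packet through them, showing why the Security rule carries the pre-NAT address 192.168.1.1 together with the post-NAT zone dmz, and how the schedule gates the match. The zone map, the schedule window and the sample packets are assumptions.

```python
"""Destination NAT followed by the Security policy lookup from tasks 4.6 and 4.7.

Added example; not Palo Alto Networks code. Zones and rules carry only the fields
the lab sets, but the evaluation order is the one the lab relies on: the NAT rule
is matched on the original packet and decides the post-NAT destination zone, while
the Security rule matches the pre-NAT address (192.168.1.1) with the post-NAT zone.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed zone map from the lab addressing; anything not listed is the internet.
ZONE_BY_NETWORK = {
    ip_network("192.168.1.0/24"): "inside",
    ip_network("192.168.50.0/24"): "dmz",
}

def zone_for(addr: str) -> str:
    """Zone the firewall would forward this destination address to."""
    a = ip_address(addr)
    for net, zone in ZONE_BY_NETWORK.items():
        if a in net:
            return zone
    return "outside"

@dataclass
class Packet:
    src_zone: str
    dst_addr: str
    dst_port: int
    at: time = time(12, 0)  # firewall local time, 24-hour clock

@dataclass
class NatRule:
    name: str
    src_zone: str
    dst_zone: str         # zone of the ORIGINAL destination address
    service_ports: range  # service-ftp is TCP 20-21, i.e. range(20, 22)
    dst_addr: str
    translated_addr: str  # static IP destination translation

@dataclass
class SecurityRule:
    name: str
    src_zone: str
    dst_zone: str                  # compared with the POST-NAT zone
    dst_addr: str                  # "any" or the PRE-NAT destination address
    service_ports: range | None    # None: any service
    action: str
    schedule: tuple[time, time] | None = None  # daily (start, end) window

def apply_dnat(pkt: Packet, rules: list[NatRule]) -> str:
    """Destination address after the first matching NAT rule, if any."""
    for r in rules:
        if (pkt.src_zone == r.src_zone and zone_for(pkt.dst_addr) == r.dst_zone
                and pkt.dst_port in r.service_ports and pkt.dst_addr == r.dst_addr):
            return r.translated_addr
    return pkt.dst_addr

def in_schedule(rule: SecurityRule, now: time) -> bool:
    """True if the rule is in effect at 'now'; a window may cross midnight."""
    if rule.schedule is None:
        return True
    start, end = rule.schedule
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end

def evaluate(pkt: Packet, nat_rules: list[NatRule],
             sec_rules: list[SecurityRule]) -> tuple[str, str, str]:
    """Return (matching rule name, action, translated destination address)."""
    translated = apply_dnat(pkt, nat_rules)
    post_nat_zone = zone_for(translated)
    for r in sec_rules:
        if r.src_zone != pkt.src_zone or r.dst_zone != post_nat_zone:
            continue
        if r.dst_addr != "any" and r.dst_addr != pkt.dst_addr:  # pre-NAT address
            continue
        if r.service_ports is not None and pkt.dst_port not in r.service_ports:
            continue
        if not in_schedule(r, pkt.at):
            continue
        return r.name, r.action, translated
    return "interzone-default", "deny", translated  # predefined default rule

# Rules as configured in the lab (tags and ethernet1/2 omitted); the schedule
# window is a constructed stand-in for the one you enter in task 4.7.
NAT_RULES = [NatRule("destination-dmz-ftp", "inside", "inside", range(20, 22),
                     "192.168.1.1", "192.168.50.10")]
SECURITY_RULES = [
    SecurityRule("egress-outside", "inside", "outside", "any", None, "allow"),
    SecurityRule("internal-dmz-ftp", "inside", "dmz", "192.168.1.1", range(20, 22),
                 "allow", schedule=(time(9, 5), time(11, 5))),
]

if __name__ == "__main__":
    ftp = Packet("inside", "192.168.1.1", 21, at=time(10, 0))
    print(evaluate(ftp, NAT_RULES, SECURITY_RULES))  # ('internal-dmz-ftp', 'allow', '192.168.50.10')
```

A connection sent straight to 192.168.50.10 is denied by this policy, because the Security rule matches the pre-NAT address 192.168.1.1 only.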

Stop. This is the end of the Security and NAT Policies lab.

5. Lab: App-ID

Lab Objectives
• Create an application-aware Security policy rule.
• Enable interzone logging.
• Enable the Application Blocked page for blocked applications.
• Test application blocking with different applications.
• Find the categories that match to the signature web-browsing.
• Migrate older port-based rules to application-aware policies.
• Review logs associated with the traffic and browse the Application Command Center (ACC).

5.0 Load a Lab Configuration


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.
3. Click the drop-down list next to the Name text box and select edu-210-lab-05.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers:

4. Click OK to close the Load Named Configuration window.


A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:

A Commit window should appear.


7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
8. Click Close to continue.

5.1 Verify an FTP Service Object


At the end of this lab you will use the Policy Optimizer tool to migrate an FTP port-based rule
to an FTP application-based rule. However, to prepare for that part of the lab exercise you
now will configure and use an FTP port-based Security policy rule. You will perform this
activity now because the Policy Optimizer tool processes logged traffic only at the beginning
of each hour. If you generate port-based traffic now, the Policy Optimizer tool should be
populated with data by the time you get to that portion of the lab.
In this section, you will start by verifying an FTP Service object that defines the FTP port.
You will use this Service object in the FTP port-based Security policy rule that you will create
in the next lab task.

9. In the web interface, select Objects > Services.
10. Click the service-ftp object to configure the service.
The Service configuration window should appear.
11. Verify the following configuration:
Parameter Value
Protocol Verify TCP radio button is selected
Destination Port Verify the destination port entry is set to 20-21

12. Click OK to close the Service configuration window.

5.2 Create an FTP Port-Based Security Policy Rule


In this section, you will create a port-based Security policy rule that will enable you to
simulate part of the process of migrating from a legacy, port-based Security policy to a next-
generation, application-based Security policy.
13. In the web interface, select Policies > Security.
14. Click Add to create a new Security policy rule.
The Security Policy Rule configuration window should appear.
15. Configure the following:
Parameter Value
Name Type migrated-ftp-port-based
Rule Type Verify that universal (default) is selected
Tags Select internal from the drop-down list
Group Rules By Tag Select internal from the drop-down list
Audit Comment Type Created migrated-ftp-port-based Security Policy on <date> by <Your-Role>

You are creating a rule that will simulate a port-based rule that was migrated from another
vendor’s firewall.
16. Click the Source tab and verify the following configuration:
Parameter Value
Source Zone Click Add and select inside
Source Address Verify that the Any check box is selected

17. Click the Destination tab and configure the following:


Parameter Value
Destination Zone Click Add and select dmz
Destination Address Verify that the Any check box is selected

18. Click the Application tab and verify the following:
Parameter Value
Applications Verify that the Any check box is selected

19. Click the Service/URL Category tab and verify the following:
Parameter Value
Service Click Add and select service-ftp from the drop-down menu
URL Category Verify that the Any check box is selected

20. Click the Actions tab and verify the following:
Parameter Value
Action Verify that Allow is selected
Log Setting Verify that Log at Session End is selected

21. Click OK to close the Security Policy Rule configuration window.


A new Security policy should appear in the web interface.
22. Select the internal-dmz-ftp Security policy rule without opening it and click Disable:

Notice that the internal-dmz-ftp rule now is grayed out and in italics:

23. Verify that your configuration is like the following:

24. Commit your configuration changes.

5.3 Test the Port-Based Security Policy


In this section, you will generate FTP traffic from the Windows host to the Linux host in the
dmz zone. Then you will examine the Traffic log to view how the firewall processed the FTP
traffic. After you complete this section, you will move on to other tasks related to App-ID. At
the end of this lab you will return to the task of migrating the FTP port-based rule to an
application-based rule. If the beginning of the next hour passes by the time you reach the end
of this lab, the Policy Optimizer tool will have been populated with information about the FTP
port-based rule.
25. On the Windows desktop, open a CMD window.
26. In the CMD window, type ftp 192.168.50.10
You should be connected to the FTP server.
27. Log in using the following information:
Parameter Value
Name lab-user
Password paloalto
The login should succeed, although 30 seconds might pass until authentication completes.

28. Type bye at the FTP command prompt.


This command should end the FTP session. An FTP session will be logged on the firewall even
though no data was transferred.
29. Type exit to close the CMD window.
30. In the web interface, select Monitor > Logs > Traffic.
You may need to manually refresh the log to view the current log entries.

31. Locate the log entry for the FTP session.

Which Security policy rule matched the session and allowed the FTP traffic?
It should be “migrated-ftp-port-based.”

5.4 Create an App-ID Security Policy Rule


32. In the web interface, select Policies > Security.
33. Select the egress-outside Security policy rule without opening it.
34. Click Clone:

The Clone configuration window should appear. Note that you do not have to use Clone to
create new rules. You always can create them using the Add button.
35. On the Rule order drop-down list, select Move top:

Remember that rule order is important! The firewall compares a packet’s characteristics to each
rule in the Security Policy starting in order.
36. Click OK to close the Clone configuration window:

A new Security policy rule named egress-outside-1 should be added to the top of the Policy
order.
37. With the original egress-outside Security policy rule still selected, click Disable:

Notice that the egress-outside rule now is grayed out and in italics:

Be sure to disable this rule before proceeding.


38. Click the cloned Security policy rule egress-outside-1 to configure the policy.
The Security Policy Rule configuration window should appear.
39. Configure the following:
Parameter Value
Name Rename policy to egress-outside-app-id
Audit Comment Type Created App-id Security Policy on <date> by <Your-Role>

40. Click the Application tab and configure the following:


Parameter Value
Applications Click Add and select the following from the drop-down list:
dns
facebook-base
ssl
web-browsing

The firewall matches traffic to the list of applications in a Security policy rule. If the firewall
detects a change in an application, or an application shift, the firewall will rematch the traffic to
the list of applications in the Security policy.
41. Click OK to close the Security Policy Rule configuration window.

5.5 Enable Interzone Logging


Two default security rules are in place: “intrazone-default” and “interzone-default.” Both
default security rules are read-only, but you can override them and make minimal changes.
One change you should make is to enable Log at Session End on the “interzone-default” rule.
42. Click the Security policy rule interzone-default to configure the policy.
The Security Policy Rule-predefined configuration window should appear.
43. Click the Actions tab.
Note that the Security policy rule is in Read Only mode. In Read Only mode, Log at Session Start
and Log at Session End are deselected and cannot be edited:

44. Click Cancel.
45. With the interzone-default policy rule selected but not opened, click Override:

The Security Policy Rule – predefined window should appear.


46. Click the Actions tab.
47. Select Log at Session End:

48. Click OK to close the Security Policy Rule configuration window.

5.6 Enable the Application Block Page


In this section you will enable the Application Block Page.
49. In the web interface, select Device > Response Pages.
50. Select the Application Block Page without opening it:

51. Click the Disabled link to the right of the Application Block Page.
The Application Block Page window should appear.

52. Select the Enable Application Block Page check box:

The firewall can present the Application Block Page only if it detects and blocks a web-based
application. Blocked applications that do not use a web browser will be stopped but the user will
not necessarily know why.
53. Click OK to close the Application Block Page configuration window.

The Application Block Page now should be enabled.


54. Commit all changes.

5.7 Test Application Blocking


55. Open a new Internet Explorer browser window in private/incognito mode and browse to
www.facebook.com and www.msn.com.
You should be able to successfully connect to the Facebook and MSN websites.
56. Using the same browser, browse to www.shutterfly.com and www.metacafe.com.
An Application Blocked Page opens, which indicates that the shutterfly and metacafe
applications have been blocked.

Why could you browse to Facebook and MSN but not to Shutterfly or metacafe? MSN currently
does not have a unique and specific Application signature. Therefore, App-ID identifies it using
the Application signature web-browsing. However, Application signatures exist for Shutterfly
and metacafe, and currently they are not allowed in any of the firewall Security policy rules.
57. Browse to www.google.com using Internet Explorer and verify that google-base also is
being blocked:

5.8 Review the Logs


58. In the web interface, select Monitor > Logs > Traffic.
59. In the log filter text box, type (app eq shutterfly) and press the Enter key.
Only log entries whose Application is shutterfly should be displayed.

5.9 Test Application Blocking


In this section, you will attempt to work around the firewall’s denial of access to Shutterfly by
using a web proxy.
60. In Internet Explorer, browse to kproxy.com.
Note: If kproxy.com is not available, try using php-proxy.com.
61. Enter www.shutterfly.com in the text box and click surf!:

An Application Blocked page opens that shows that the application was blocked:

62. Close all browser windows except for the firewall web interface.

5.10 Review the Logs


63. In the web interface, select Monitor > Logs > Traffic.
64. Clear the log filter text box and type (app eq kproxy) and press the Enter key.
The Traffic log entries indicate that the kproxy application has been blocked:

Based on the information from the Traffic log, Shutterfly and kproxy are denied by the
“interzone-default” Security policy rule.
Note: If logging is not enabled on your “interzone-default” rule, these denied sessions would
not appear in the Traffic log.
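How App-ID rematching and the overridden interzone-default rule produce the log entries filtered in sections 5.8 and 5.10, as an added example (not Palo Alto Networks code and not part of the lab): the rule names, application lists and zones are those configured in the lab, while the sessions, the log record layout and the small (field eq value) filter parser are constructed for the example.

```python
"""App-ID rule matching with application shift, as in lab tasks 5.4 to 5.10.

Added example; not Palo Alto Networks code. Rule names, application lists and
zones are those configured in the lab; the sessions, log record layout and
filter parser are constructed. Each App-ID re-identification of a session (for
instance web-browsing, then shutterfly) is re-evaluated against the Security
policy, and only the rule that finally handles the session writes a Traffic
log entry, and only if logging is enabled on that rule.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Rule:
    name: str
    src_zone: str             # "*" on the two predefined default rules
    dst_zone: str
    apps: Optional[Set[str]]  # None means Any
    action: str
    log_at_session_end: bool = True

def zone_match(rule: Rule, src_zone: str, dst_zone: str) -> bool:
    """The predefined rules match on zone relationship, not on zone names."""
    if rule.name == "intrazone-default":
        return src_zone == dst_zone
    if rule.name == "interzone-default":
        return src_zone != dst_zone
    return rule.src_zone == src_zone and rule.dst_zone == dst_zone

def first_match(policy: List[Rule], src_zone: str, dst_zone: str, app: str) -> Rule:
    """Top-down, first-match lookup, as the firewall evaluates Security policy."""
    for rule in policy:
        if zone_match(rule, src_zone, dst_zone) and (rule.apps is None or app in rule.apps):
            return rule
    raise LookupError("no rule matched; the default rules should always match")

@dataclass
class Session:
    src: str
    dst: str
    src_zone: str
    dst_zone: str
    app_ids: List[str]  # App-ID identifications over the life of the session

def process(policy: List[Rule], session: Session):
    """Return ([(app, rule name, action) per identification], [Traffic log entries])."""
    decisions = []
    for app in session.app_ids:
        rule = first_match(policy, session.src_zone, session.dst_zone, app)
        decisions.append((app, rule.name, rule.action))
        if rule.action == "deny":
            break  # the session is dropped, so no later shift can occur
    app, rule_name, action = decisions[-1]
    rule = next(r for r in policy if r.name == rule_name)
    log = []
    if rule.log_at_session_end:
        log.append({"src": session.src, "dst": session.dst, "app": app,
                    "rule": rule_name, "action": action})
    return decisions, log

def filter_log(entries: list, expr: str) -> list:
    """Evaluate the '(field eq value)' / '(field neq value)' subset of the log filter syntax."""
    m = re.fullmatch(r"\(\s*(\w+)\s+(eq|neq)\s+([\w.-]+)\s*\)", expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr}")
    field, op, value = m.groups()
    return [e for e in entries if (str(e.get(field)) == value) == (op == "eq")]

# Security policy after task 5.5: egress-outside is disabled (so omitted) and
# interzone-default has been overridden to log at session end.
POLICY = [
    Rule("egress-outside-app-id", "inside", "outside",
         {"dns", "facebook-base", "ssl", "web-browsing"}, "allow"),
    Rule("intrazone-default", "*", "*", None, "allow", log_at_session_end=False),
    Rule("interzone-default", "*", "*", None, "deny", log_at_session_end=True),
]

# Constructed sessions from the Windows host; destination addresses are made up.
SESSIONS = [
    Session("192.168.1.20", "203.0.113.10", "inside", "outside", ["web-browsing"]),
    Session("192.168.1.20", "203.0.113.20", "inside", "outside", ["web-browsing", "shutterfly"]),
    Session("192.168.1.20", "203.0.113.30", "inside", "outside", ["ssl", "kproxy"]),
]

def run(policy: List[Rule], sessions: List[Session]) -> list:
    """Process every session and return the combined Traffic log."""
    log = []
    for s in sessions:
        log.extend(process(policy, s)[1])
    return log

if __name__ == "__main__":
    for entry in filter_log(run(POLICY, SESSIONS), "(app eq shutterfly)"):
        print(entry)  # denied by interzone-default
```

Running the same sessions against a policy whose interzone-default rule does not log leaves only the allowed session in the log, which is the gap the note above describes.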

5.11 Modify the App-ID Security Policy Rule


65. In the web interface, select Policies > Security.
66. Click to open the egress-outside-app-id Security policy rule.
The Security Policy Rule configuration window should appear.
67. Click the Application tab and configure the following:
Parameter Value
Applications Add google-base and shutterfly
Applications Remove facebook-base

68. Click OK to close the Security Policy Rule configuration window.
69. Commit all changes.

5.12 Test the App-ID Changes


70. Open a new Internet Explorer browser in private/incognito mode and browse to
www.shutterfly.com and www.google.com.
The Application Blocked Page no longer should be displayed.
71. Browse to www.facebook.com. (Skip this step)
The Application Blocked page is not displayed; facebook.com now uses SSL.
Note: Do not use any previously used browser windows because browser caching can cause
incorrect results.
The Application Blocked Page now appears for facebook-base.

72. Close all browser windows except for the firewall web interface.
Note: The web-browsing Application signature applies only to browsing that does not match any
other Application signature.

5.13 Observe the Application Command Center
The Application Command Center, or ACC, is an analytical tool that provides useful
intelligence on activity within your network. The ACC uses the firewall logs as the source for
graphically depicting traffic trends on your network. The graphical representation enables you
to interact with the data and visualize the relationships between events on the network,
including network use patterns, traffic patterns, and suspicious activity and anomalies.
73. Click the ACC tab to access the Application Command Center:

74. Note that the upper-right corner of the ACC displays the total risk level for all traffic that
has passed through the firewall thus far:

Your results may differ from the score shown.


75. On the Network Activity tab, the Application Usage pane shows application traffic
generated so far (because the ACC relies on log aggregation, you may need to wait 15
minutes before the ACC displays all applications):

76. You can click any application listed in the Application Usage pane; google-base is used
in this example:

Notice that the Application Usage pane updates to present only google-base information.

77. Click the icon and select Traffic Log:

After the Traffic Log is selected, a link automatically is made to the applicable log information
with the filter set for a relevant time frame and for the google-base application:

5.14 Create an FTP Application-Based Security Policy Rule


The goal of this exercise is to simulate the process of migrating from a port-based rule to an
application-based rule. At the beginning of this lab exercise you created a port-based rule that
allowed FTP traffic from the inside zone to the dmz zone and then opened an FTP session to
the dmz zone. By now the beginning of the hour has passed so the Policy Optimizer tool
should have recorded the FTP traffic through the port-based FTP rule, which will enable you
to use the Policy Optimizer tool to migrate from the port-based rule to an application-based
rule.
In this section, you will use the Policy Optimizer tool’s cloning method to create an
application-based rule to match and allow FTP traffic from the inside zone to the dmz zone.
78. In the web interface, select Policies > Security.
79. If necessary, open the Policy Optimizer panel by clicking the up-arrow beneath the list
of policies on the left side of the web interface.

80. Select Policy Optimizer > No App Specified.
The No App Specified window should open.

81. How many applications have been seen by the “migrated-ftp-port-based” rule?
The number 1 in the Apps Seen column indicates that only a single application has been seen by
this port-based rule. However, this window does not tell you which application.
82. Click Compare in the “migrated-ftp-port-based” rule’s row.
The Applications & Usage – migrated-ftp-port-based window should open.
83. Which application has been seen by the “migrated-ftp-port-based” rule?
It should have been the ftp application.

84. Click the ftp check box to select the application:

85. Click Create Cloned Rule to create an application-based FTP rule:

A Clone window should open.
86. Configure the following:
Parameter Value
Name Type ftp-application-based
Applications Verify ftp is selected

87. Click OK to close the Clone window.


88. In the No App Specified window, now how many applications are listed in the Apps
Seen column of the “migrated-ftp-port-based” rule?

The number should be 0 because the firewall has moved the ftp application from the migrated-
ftp-port-based rule to the new ftp-application-based rule.
89. Select Policies > Security to redisplay the Security policy.
The No App Specified window should close.
90. Has a new “ftp-application-based” rule been added to your Security policy?
It should have been.
91. To which location in the Security policy rule hierarchy did the Policy Optimizer tool
move the new “ftp-application-based” rule?
It should directly precede the “migrated-ftp-port-based” rule and match FTP traffic before the
“migrated-ftp-port-based” rule.

92. Which service is listed in the Service column of the “ftp-application-based” rule?
It should be the service-ftp service.
93. On the “ftp-application-based” rule, click “service-ftp” in the Service column.
A Service window should open.

94. Select the service-ftp check box and then click Delete to delete the service.
95. Which service now is listed?
It should be application-default.
96. Click OK to close the Service window.
97. Commit your configuration changes.

5.15 Test the Application-Based Security Policy


In this section, you will generate FTP traffic from the Windows host to the Linux host. Then
you will examine the Traffic log to view how the firewall processed the FTP traffic. The FTP
traffic should match the application-based rule and not the port-based rule.
98. On the Windows desktop, open a CMD window.
99. In the CMD window, type ftp 192.168.50.10.
You should be connected to the FTP server.
100. Log in using the following information:
Parameter Value
Name lab-user
Password paloalto
The login should succeed, although 30 seconds might pass until authentication completes.

101. Type bye at the FTP command prompt.


This command should end the FTP session. An FTP session should be logged on the firewall even
though no data was transferred.
102. Type exit to close the CMD window.
103. In the web interface, select Monitor > Logs > Traffic.
104. Clear any existing log filters. Locate the log entry for the FTP session.
You also can apply a new log filter (app eq ftp) to help you find it.
Which Security policy rule matched and allowed the FTP traffic?
It should be the “ftp-application-based” rule.

Note: In a real migration, you would disable the port-based rule for a short period and wait to see
if any FTP sessions are affected. After you are confident that the new application-based rule is
matching all required FTP traffic, you would delete the port-based rule.

Stop. This is the end of the App-ID lab.

6. Lab: Content-ID

Lab Objectives
• Configure and test an Antivirus Security Profile.
• Configure and test an Anti-Spyware Security Profile.
• Configure and test the DNS Sinkhole feature with an External Dynamic List.
• Configure and test a Vulnerability Security Profile.
• Configure and test a File Blocking Security Profile.
• Use the Virtual Wire mode and configure the danger zone.
• Generate threats and observe the actions taken.

6.0 Load a Lab Configuration


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.
3. Click the drop-down list next to the Name text box and select edu-210-lab-06.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers:

4. Click OK to close the Load Named Configuration window.


A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:

A Commit window should appear.


7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
8. Click Close to continue.

6.1 Create a Security Policy Rule with an Antivirus Profile


Use an Antivirus Profile object to configure options to have the firewall scan for viruses on
traffic matching a Security policy rule. Set the applications that should be inspected for
viruses and the action to take when a virus is detected.
9. In the web interface, select Objects > Security Profiles > Antivirus.
10. Click Add to create an Antivirus Profile.
An Antivirus Profile configuration window should appear.
11. Configure the following:
Parameter Value
Name Type lab-av
Description Type Antivirus profile for lab
Packet Capture Select Packet Capture check box
Decoder Set the Action column for http to reset-server

12. Click OK to close the Antivirus Profile configuration window.


A new Antivirus Profile should appear in the web interface.
13. In the web interface, select Policies > Security.
14. Select the egress-outside-app-id Security policy rule.
The Security Policy Rule configuration window should appear.
15. Configure the following:
Parameter Value
Name Rename policy to egress-outside-av
Audit Comment Type Created Antivirus Security Policy on <date> by <Your-Role>

16. Click the Application tab and configure the following:
Parameter Value
Applications Select the Applications check box and click
Applications Verify that the Any check box is selected.

17. Click the Actions tab and configure the following:


Parameter Value
Profile Type Select Profiles from the drop-down list
Antivirus Select lab-av from the drop-down list

18. Click OK to close the Security Policy Rule configuration window.
19. Verify that your configuration is like the following:

20. Commit all changes.

6.2 Test the Security Policy Rule


In this section, you will test your Antivirus Security Profile.
21. On your desktop, open a new browser window in private/incognito mode and browse to
http://2016.eicar.org.
22. Click the DOWNLOAD ANTI MALWARE TESTFILE image in the upper-right
corner:

23. Click the Download link on the left of the webpage:

24. Within the Download area using the standard protocol http at the bottom of the page,
click either the eicar.com or the eicar.com.txt file to download the file using standard
HTTP and not SSL-enabled HTTPS.

The firewall will not be able to detect the viruses in an HTTPS connection until decryption is
configured.
A Virus/Spyware Download Blocked page opens that shows that the file download was
blocked:

25. Close the browser window.

6.3 Review the Logs


26. In the web interface, select Monitor > Logs > Threat.
27. Find the log message that detected the Eicar Test File. Notice that the action for the file
is reset-server:

28. Notice the icon on the left side of the entry for the Eicar Test File. It indicates that
there is a packet capture (pcap):

29. To display the packet capture through the Detailed Log View, first click the Detailed
Log View icon to open the Detailed Log View of the threat entry:

30. From the Detailed Log View, click the icon to open the packet capture.
Here is an example of what a pcap might look like:

Captured packets can be exported in pcap format and examined with an offline analyzer for
further investigation.
31. After viewing the pcap, click Close to close the packet capture window.
32. Click Close to close the Detailed Log View window.

6.4 Create a Security Policy Rule with an Anti-Spyware Profile
Anti-Spyware profiles block spyware on compromised hosts from trying to phone home or
beacon out to external command-and-control (C2) servers, thus allowing you to detect malicious
traffic leaving the network from infected clients.
33. In the web interface, select Objects > Security Profiles > Anti-Spyware.
34. Click Add to create an Anti-Spyware Profile.

An Anti-Spyware Profile configuration window should appear.
35. Configure the following:
Parameter      Value
Name           lab-as
Description    Anti-spyware profile for lab
Rules tab      Click Add and create a rule with these parameters:
               • Rule Name: Type med-low-info
               • Action: Select Alert from the drop-down list
               • Severity: Select only the medium, low, and informational check boxes
               Click OK to save the rule.
Rules tab      Click Add and create another rule with these parameters:
               • Rule Name: Type crit-high
               • Action: Select Drop from the drop-down list
               • Severity: Select only the critical and high check boxes
               Click OK to save the rule.

36. Click OK to close the Anti-Spyware Profile configuration window.


37. Verify that your configuration is like the following:

38. In the web interface, select Policies > Security.
39. Select the egress-outside-av Security policy rule.
The Security Policy Rule configuration window should appear.
40. Configure the following:
Parameter         Value
Name              Rename policy to egress-outside-av-as
Audit Comment     Type Added anti-spyware profile to Security Policy on <date> by <Your-Role>

41. Verify that the Source tab is configured as follows:
Parameter         Value
Source Zone       Verify that inside is selected

42. Click the Actions tab and configure the following:
Parameter         Value
Profile Type      Verify that Profiles is selected
Anti-Spyware      Select lab-as from the drop-down list

43. Click OK to close the Security Policy Rule configuration window.


44. Verify that your configuration is like the following:

6.5 Create a DMZ-Access Security Policy
In the next task, you will configure the firewall to download an External Dynamic List (EDL)
of URLs from the DMZ server. You then will apply the EDL to the Anti-Spyware DNS
Sinkhole configuration. Before the EDL and DNS Sinkhole configurations can work, you
must create a Security policy that allows the management interface to connect to the DMZ
server. The management interface establishes connections from the inside zone. The DMZ
server responds to connection requests from the dmz zone.
45. In the web interface, select the internal-dmz-ftp Security policy rule.
The Security Policy Rule configuration window should appear.
46. Configure the following:
Parameter         Value
Name              Rename the policy to internal-inside-dmz
Audit Comment     Type Created internal to dmz security policy on <date> by <Your-Role>

47. Click the Destination tab and configure the following:
Parameter             Value
Destination Address   Select the Destination Address check box and click the icon
Destination Address   Verify that the Any check box is selected

48. Click the Application tab and configure the following:
Parameter         Value
Applications      Click Add and select the following from the drop-down list:
                  ftp
                  web-browsing
                  ssl
                  ssh

49. Click OK to close the Security Policy Rule configuration window.


50. Verify that your configuration is like the following:

51. In the web interface, select Policies > NAT.
52. Select the destination-dmz-ftp NAT policy rule without opening it.
53. Click Disable.
54. Verify that your configuration is like the following:

55. Commit all changes.

6.6 Configure a DNS-Sinkhole External Dynamic List


An EDL is an object that references an external list of IP addresses, URLs, or domain names
that can be used in policy rules. You must create this list as a text file and save it to a web
server that the firewall can access. By default, the firewall uses its management port to
retrieve the list items.
56. In the web interface, select Objects > External Dynamic Lists.
57. Click Add to configure a new EDL.
The External Dynamic Lists configuration window should appear.
58. Configure the following:
Parameter                   Value
Name                        Type lab-dns-sinkhole
Type                        Select Domain List from the drop-down list
Source                      Type http://192.168.50.10/dns-sinkhole.txt
                            (This sinkhole file is hosted on the DMZ server.)
Automatically expand to     Select the check box
include subdomains
Check for updates           Select Five Minute from the drop-down list

Note: This list currently contains “reddit.com” only.

59. Click OK to close the External Dynamic Lists configuration window.


60. Verify that your configuration is like the following:

61. Commit all changes.

62. Open the lab-dns-sinkhole configuration you just created and click Test Source
URL:

Confirm that the firewall reports that the “Source URL is accessible” and click Close. If the
firewall reports a “URL access error,” check the source address, correct any errors, and rerun the
test.
63. Click Close to close the Test Source URL dialog box.
64. Click Cancel to close the External Dynamic Lists configuration window.

6.7 Create an Anti-Spyware Profile with DNS Sinkhole


The DNS Sinkhole action provides administrators with a method of identifying infected hosts
on the network using DNS traffic, even when the firewall cannot see the originator of the
DNS query because the DNS server is not on the internal network.
65. In the web interface, select Objects > Security Profiles > Anti-Spyware.
66. Click lab-as to open the Anti-Spyware Profile.
The Anti-Spyware Profile configuration window should appear.
67. Click the DNS Signatures tab.
68. Locate the DNS Signature Source box and click Add.

69. Select lab-dns-sinkhole from the drop-down list.
70. Verify that the Action on DNS Queries is set to sinkhole:

71. Verify that the Sinkhole IPv4 is set to Palo Alto Networks Sinkhole IP
(sinkhole.paloaltonetworks.com) in the DNS Sinkhole Settings box.

72. Click OK to close the Anti-Spyware Profile configuration window.


73. Commit all changes.

6.8 Test the Security Policy Rule


74. From the Windows desktop, open a CMD window.
75. Type the nslookup command and press the Enter key.
76. Type the command server 8.8.8.8 and press Enter:

77. At the nslookup, type reddit.com. and press the Enter key:

Notice that the reply for reddit.com does not display an IP address. The request has been
sinkholed.
78. Type exit and press Enter to exit nslookup.
79. Type exit and press Enter again to exit the command-prompt window.
80. On your desktop, open a new Internet Explorer browser window in private/incognito
mode and browse to http://reddit.com. Wait for the connection to time out.

Note: Make sure that you do not include “www.” in the URL, because “www.reddit.com” is not
in the EDL; “reddit.com” is currently the only entry in the list.
81. Close the browser window.
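The following is an added example, not part of this lab guide and not a PAN-OS component. It parses a domain-list EDL text body in the shape section 6.6 describes (one entry per line, served from a web server) and tests query names against it, which also illustrates the note above that "www.reddit.com" is not in the list. The list body is constructed to match the lab (reddit.com only); the `expand_subdomains` flag is an assumed model of the "Automatically expand to include subdomains" check box, not documented PAN-OS matching semantics.

```python
"""Parse a domain-list EDL text body and test query names against it.

Added example; not from the lab guide or PAN-OS. SAMPLE_EDL is a constructed
stand-in for dns-sinkhole.txt. The expand_subdomains flag is an assumption
about what the "Automatically expand to include subdomains" option does.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample: the body of dns-sinkhole.txt as the lab describes it.
SAMPLE_EDL = """\
# constructed sample list: one entry per line; blank lines and comments ignored
reddit.com
"""


def parse_domain_list(text: str) -> Set[str]:
    """Return the set of domain entries in an EDL text body.

    Rules applied (assumptions modelled on the EDL format the page
    describes): one entry per line, surrounding whitespace stripped, empty
    lines and lines starting with '#' skipped, names lower-cased, and a
    trailing dot removed so 'reddit.com.' and 'reddit.com' are the same.
    Anything that looks like a URL rather than a bare name is rejected.
    """
    entries: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name = line.lower().rstrip(".")
        if "/" in name or " " in name:
            raise ValueError(f"not a bare domain name: {line!r}")
        entries.add(name)
    return entries


def matches(qname: str, entries: Iterable[str], expand_subdomains: bool) -> bool:
    """True when the queried name would be matched by the list.

    Without expansion only an exact match counts, which is the view the lab's
    note takes when it says www.reddit.com is not in the list. With expansion
    an entry also matches any name ending in '.' + entry.
    """
    name = qname.lower().rstrip(".")
    for entry in entries:
        if name == entry:
            return True
        if expand_subdomains and name.endswith("." + entry):
            return True
    return False


def classify_queries(text: str, qnames: List[str],
                     expand_subdomains: bool = False) -> Dict[str, bool]:
    """Map each queried name to whether the list would match (sinkhole) it."""
    entries = parse_domain_list(text)
    return {q: matches(q, entries, expand_subdomains) for q in qnames}


if __name__ == "__main__":
    queries = ["reddit.com", "reddit.com.", "www.reddit.com", "notreddit.com"]
    for q, hit in classify_queries(SAMPLE_EDL, queries).items():
        print(f"{q:20} exact-match list: {'sinkhole' if hit else 'pass'}")
    for q, hit in classify_queries(SAMPLE_EDL, queries, True).items():
        print(f"{q:20} expanded list:    {'sinkhole' if hit else 'pass'}")
```

Run it against your own list body to confirm that every line you intend to sinkhole is a bare name and that names such as "www.reddit.com" behave the way you expect before relying on the firewall's match.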

6.9 Review the Logs


82. In the web interface, select Monitor > Logs > Threat.
83. Identify the Suspicious Domain log entry:
Notice that the action is sinkhole and that the File Name column includes the DNS name that
was queried (reddit.com).

84. In the web interface, select Monitor > Logs > Traffic.
85. Type the following filter statement (addr.dst in 72.5.65.111) and press Enter:

Notice that the Application type is “incomplete.” This result occurs because the sinkhole
address does not reply to the connection attempt made by the browser to reach reddit.com.
The browser attempts to connect to the sinkhole address because the firewall is blocking the
original DNS request. The firewall then returns a firewall-generated DNS reply that tells the
browser that reddit.com is located at the sinkhole address.
86. To find the original DNS request in the Traffic log, use the following filter statement
(addr.dst in 8.8.8.8) and (session_end_reason eq threat):

87. Click the magnifying glass icon next to one of the entries to see the Detailed Log
View:

In the Detailed Log View, you should notice the additional information that matches what you
previously viewed in the Threat log. Next, scroll down and review the information in the Details
section in the middle column of the main display area. Notice that the traffic log records only
one packet. This packet is the original DNS query sent from the client. The DNS response packet
with the sinkhole address is sent directly from the firewall itself.
88. Click Close to close the Detailed Log View window.
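The following is an added example, not part of this lab guide, that applies the two Traffic log observations above to an exported log: sessions to the sinkhole address identify the infected client, and DNS sessions ended with a threat verdict are the original queries. The log lines are constructed in a simplified CSV layout (a real PAN-OS export has many more columns); the sinkhole address 72.5.65.111, the resolver 8.8.8.8, the application "incomplete" and the session end reason "threat" are the values the lab shows.

```python
"""Identify sinkholed clients from exported Traffic log lines.

Added example; not from the lab guide. SAMPLE_TRAFFIC_LOG is a constructed,
simplified export. The addresses and field values come from the lab text.
"""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List, Set

SINKHOLE_IP = "72.5.65.111"   # Palo Alto Networks sinkhole address shown in the lab
RESOLVER_IP = "8.8.8.8"       # external DNS server used in the lab

# Constructed sample export: receive_time,src,dst,dport,app,rule,session_end_reason
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,dport,app,rule,session_end_reason
2019/06/01 10:00:01,192.168.1.20,8.8.8.8,53,dns,egress-outside-av-as,threat
2019/06/01 10:00:02,192.168.1.20,72.5.65.111,80,incomplete,egress-outside-av-as,aged-out
2019/06/01 10:00:02,192.168.1.20,72.5.65.111,443,incomplete,egress-outside-av-as,aged-out
2019/06/01 10:00:05,192.168.1.21,93.184.216.34,443,ssl,egress-outside-av-as,tcp-fin
2019/06/01 10:00:09,192.168.1.30,72.5.65.111,80,incomplete,egress-outside-av-as,aged-out
2019/06/01 10:00:10,192.168.1.22,8.8.8.8,53,dns,egress-outside-av-as,tcp-rst
"""


def parse_traffic_log(text: str) -> List[Dict[str, str]]:
    """Parse a CSV export with a header row into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def sinkhole_connections(rows: List[Dict[str, str]]) -> Counter:
    """Count sessions per source host whose destination is the sinkhole address.

    A client that connects to the sinkhole acted on a sinkholed DNS answer,
    so it is the infected host even when its query went through an internal
    resolver and the firewall never saw the client's own DNS packet.
    """
    hits: Counter = Counter()
    for row in rows:
        if row["dst"] == SINKHOLE_IP:
            hits[row["src"]] += 1
    return hits


def sinkholed_dns_queries(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the DNS sessions the firewall ended with a threat verdict.

    These are the original queries that were answered with the sinkhole
    address; the Traffic log holds only the client's query packet because
    the forged reply comes from the firewall itself.
    """
    return [r for r in rows
            if r["dst"] == RESOLVER_IP and r["app"] == "dns"
            and r["session_end_reason"] == "threat"]


def infected_hosts(text: str) -> Set[str]:
    """Source addresses that should be triaged as compromised."""
    return set(sinkhole_connections(parse_traffic_log(text)))


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_TRAFFIC_LOG)
    for src, n in sinkhole_connections(rows).most_common():
        print(f"{src}: {n} session(s) to sinkhole {SINKHOLE_IP}")
    for r in sinkholed_dns_queries(rows):
        print(f"{r['receive_time']}: DNS query from {r['src']} was sinkholed")
```

Note that the sinkhole sessions in the sample all carry the application "incomplete", matching the explanation above: the sinkhole address never answers, so the firewall cannot identify an application.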

6.10 Create a Security Policy Rule with a Vulnerability Protection Profile
A Security policy rule can include a Vulnerability Protection Profile that determines the level
of protection against buffer overflows, illegal code execution, and other attempts to exploit
system vulnerabilities.
89. In the web interface, select Objects > Security Profiles > Vulnerability Protection.
90. Click Add to create a Vulnerability Protection Profile.
The Vulnerability Protection Profile configuration window should appear.
91. Configure the following:
Parameter         Value
Name              Type lab-vp
Description       Type Vulnerability Protection profile for lab
92. On the Rules tab, click Add to create a rule.
The Vulnerability Protection Rule configuration window should appear.
93. Configure the following:
Parameter         Value
Name              Type lab-vp-rule
Packet Capture    Select single-packet from the drop-down list
Severity          Verify that the any (All severities) check box is selected

94. Click OK to close the Vulnerability Protection Rule window:

95. Click OK to close the Vulnerability Protection Profile window.
96. In the web interface, select Policies > Security.
97. Click to open the internal-inside-dmz Security policy rule.
The Security Policy Rule configuration window should appear.
98. Click the Actions tab and configure the following:
Parameter                  Value
Profile Type               Select Profiles from the drop-down list
Vulnerability Protection   Select lab-vp from the drop-down list

99. Click OK to close the Security Policy Rule configuration window.


100. Commit all changes.

6.11 Test the Security Policy Rule


101. On the Windows desktop, double-click the lab folder.
102. Double-click the bat files folder.
103. Double-click ftp-brute.bat file to launch the file.
Note: This action launches an FTP brute force attack at the DMZ FTP server. After one minute,
you can press Ctrl+C to terminate the batch file because sufficient log data will have been
collected. The entire script should take about 10 minutes to complete.

104. After the script completes, press any key to close the command-prompt window.

6.12 Review the Logs


105. In the web interface, select Monitor > Logs > Threat.
Notice that you now have logs reflecting the FTP brute force attempt. However, the firewall is
set only to alert:

106. Open the Detailed Log View by clicking the icon.


107. From the Detailed Log View, click the icon to open the packet capture.
Notice the username and password that were attempted, along with the 530 responses from
the FTP server.

108. After viewing the pcap, click Close to close the Packet Capture window.
109. Click Close to close the Detailed Log View window.

6.13 Update the Vulnerability Profile


110. In the web interface, select Objects > Security Profiles > Vulnerability Protection.
111. Click lab-vp to open the profile.
The Vulnerability Protection Profile configuration window should appear.
112. Click lab-vp-rule to open the rule.

The Vulnerability Protection Rule configuration window should appear.
113. Configure the following:
Parameter         Value
Action            Select Reset Both from the drop-down list
Severity          Select the high check box

114. Click OK to close the Vulnerability Protection Rule window:

115. Click OK to close the Vulnerability Protection Profile window.


116. Commit all changes.
117. Rerun ftp-brute.bat and review the logs to confirm that the new FTP brute force
attempts are reset.

Note: This action launches an FTP brute force attack at the DMZ FTP server. After one minute,
you can press Ctrl+C to terminate the batch file because sufficient log data will have been
collected. The entire script should take about 10 minutes to complete.

6.14 Create a Security Profile Group


The firewall supports the ability to create Security Profile Groups, which specify sets of
Security Profiles that can be treated as a unit and then added to Security policy rules.
118. In the web interface, select Objects > Security Profile Groups.
119. Click Add to create a Security Profile Group.
The Security Profile Group configuration window should appear.
120. Configure the following:
Parameter         Value
Name              Type lab-spg
Profiles

121. Click OK to close the Security Profile Group window.


The new Security Profile Group now should be listed.
122. In the web interface, select Policies > Security.
123. Delete the following rule:
Parameter              Value
Security Policy Rules  egress-outside-av-as
124. Click Add to define a new Security policy rule.
The Security Policy Rule configuration window should appear.
125. Configure the following:
Parameter            Value
Name                 Type egress-outside-content-id
Rule Type            Verify that universal (default) is selected
Tags                 Select egress from the drop-down list
Group Rules By Tag   Select egress from the drop-down list
Audit Comment        Type Created Security policy rule for Security Profile Group on <date> by <Your-Role>


126. Click the Source tab and configure the following:
Parameter         Value
Source Zone       Click Add and select inside from the drop-down list
Source Address    Verify that the Any check box is selected

127. Click the Destination tab and configure the following:
Parameter             Value
Destination Zone      Click Add and select outside from the drop-down list
Destination Address   Verify that the Any check box is selected

128. Click the Application tab and verify that the Any check box is selected.
129. Click the Service/URL Category tab and verify that application-default is selected.
130. Click the Actions tab and configure the following:
Parameter         Value
Action Setting    Verify that Allow is selected
Log Setting       Verify that Log at Session End is selected
Profile Type      Select Group from the drop-down list
Group Profile     Select lab-spg from the drop-down list

131. Click OK to close the Security Policy Rule configuration window.


The new Security Policy Rule now should be listed.
132. Verify that your configuration is like the following:

The egress-outside-content-id rule should be listed as the first Security policy rule to ensure
that the next sections of the lab work properly. If it is not listed as the first Security policy rule,
then highlight it and move the rule to the top of the list:

6.15 Create a File Blocking Profile
A Security policy rule can include specification of a File Blocking Profile that blocks selected
file types from being uploaded or downloaded or generates an alert when the specified file
types are detected.
133. In the web interface, select Objects > Security Profiles > File Blocking.
134. Click Add to open the File Blocking Profile configuration window.
The File Blocking Profile configuration window should appear.
135. Configure the following:
Parameter         Value
Name              Type lab-file-blocking
Description       Type File Blocking profile for lab
136. Click Add and configure the following:
Parameter         Value
Name              Type block-pdf
Applications      Verify that any is selected
File Types        Click Add and select pdf from the drop-down list
Direction         Verify that both is selected
Action            Select block from the drop-down list
137. Click Add and configure the following:
Parameter         Value
Name              Type block-exe
Applications      Verify that any is selected
File Types        Click Add and select the following from the drop-down list:
                  dll
                  exe
                  PE
Direction         Verify that both is selected
Action            Select block from the drop-down list

138. Click OK to close the File Blocking Profile configuration window.
The new File Blocking Profile now should be listed.

6.16 Modify a Security Profile Group


139. In the web interface, select Objects > Security Profile Groups.
140. Click lab-spg to open the Security Profile Group.
The Security Profile Group configuration window should appear.
141. Add the newly created File Blocking Profile:

142. Click OK to close the Security Profile Group configuration window.


143. Commit all changes.

6.17 Test the File Blocking Profile
144. On your desktop, open a new browser window in private/incognito mode and browse to
http://www.panedufiles.com/.
Note: Some updates to Google Chrome may allow the files to be successfully downloaded. If the
files are not blocked, then use a different browser such as IE or Firefox, or do not open Google
Chrome in incognito mode.
145. Click the Panorama_AdminGuide.pdf link. The download fails:

Note: If you get “failed to download pdf” and not the block page, then refresh the browser
window.
146. Close the browser window.
147. In the web interface, select Monitor > Logs > Data Filtering.
148. Find the log entry for the PDF file that has been blocked:

Note: The Action column is located on the far right. You can move the column by using the
mouse cursor to drag-and-drop it.

6.18 Create a File Blocking Profile to Block Multi-Level Encoded Files
A file that is encoded five or more times cannot be inspected by the firewall. Multi-Level
Encoding can be used to block this type of content.
149. In the web interface, select Objects > Security Profiles > File Blocking.
150. Click lab-file-blocking to open the File Blocking Profile.
The File Blocking Profile configuration window should appear.
151. Click Add and configure the following:
Parameter         Value
Name              Type block-multi-level
Applications      Verify that any is selected
File Types        Click Add and select Multi-Level-Encoding from the drop-down list
Direction         Verify that both is selected
Action            Select block from the drop-down list

152. Click OK to close the File Blocking Profile configuration window.

6.19 Modify the Security Policy Rule


153. In the web interface, select Policies > Security.
154. Click to open the internal-inside-dmz Security policy rule.
The Security Policy Rule configuration window should appear.
155. Click the Actions tab and configure the following:
Parameter         Value
File Blocking     Select lab-file-blocking from the drop-down list

156. Click OK to close the Security Policy Rule configuration window.

157. Commit all changes.

6.20 Test the File Blocking Profile with Multi-Level Encoding


158. On your desktop, open a new browser window in private/incognito mode and browse to
http://192.168.50.10/mle.zip.
The URL links to a zip file that was compressed five times.

The file should be blocked in accordance with the new file blocking rule.
159. Close the browser window.

6.21 Modify the Security Policy Rule


160. In the web interface, select Objects > Security Profiles > File Blocking.
161. Click lab-file-blocking to open the File Blocking Profile.
The File Blocking Profile configuration window should appear.
162. Select the block-multi-level rule.
163. Change the Action to alert.

164. Click OK to close the File Blocking Profile configuration window.


165. Commit all changes.

6.22 Test the File Blocking Profile with Multi-Level Encoding


166. On your desktop, open a new browser window in private/incognito mode and browse to
http://192.168.50.10/mle.zip.
The URL links to a file that was compressed five times. The file no longer is blocked.

167. Save and open the file to examine the contents:

Note: The screenshot shows the recursive structure of the zip archive. You cannot produce this
view using Windows File Explorer.
168. Close the browser window.
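The following is an added example, not part of this lab guide, that produces the kind of recursive view the note above describes and counts how many compression layers wrap an archive, the property the Multi-Level-Encoding file type keys on (five or more layers, per section 6.18). It builds its own five-level archive in memory as a constructed stand-in for the lab's mle.zip, whose real contents are not reproduced here; the depth cap is an assumed safety limit so that a deliberately deep archive cannot exhaust the stack, and members are only ever opened in memory.

```python
"""Count the zip layers around a file and render the nested member tree.

Added example; not from the lab guide or PAN-OS. build_nested_zip creates a
constructed test archive; encoding_depth and member_tree inspect one.
"""
import io
import zipfile
from typing import List


def build_nested_zip(payload: bytes, levels: int) -> bytes:
    """Wrap payload in `levels` zip archives, innermost first (constructed test input)."""
    data = payload
    name = "payload.txt"
    for level in range(1, levels + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data = buf.getvalue()
        name = f"level{level}.zip"
    return data


def encoding_depth(data: bytes, max_depth: int = 16) -> int:
    """Return how many zip layers sit above the deepest non-zip member.

    0 means `data` is not a zip archive. Counting stops at max_depth (an
    assumed cap) so a hostile archive cannot force unbounded recursion.
    Members are read into memory only; nothing is written to disk.
    """
    if max_depth == 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return 0
    deepest = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            deepest = max(deepest, encoding_depth(zf.read(info), max_depth - 1))
    return 1 + deepest


def exceeds_inspection_limit(data: bytes, limit: int = 5) -> bool:
    """True when the archive is encoded `limit` or more times (the page's threshold)."""
    return encoding_depth(data, max_depth=limit) >= limit


def member_tree(data: bytes, max_depth: int = 16, _indent: int = 0) -> List[str]:
    """Render nested members one per line, indented by nesting level."""
    lines: List[str] = []
    if max_depth == 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return lines
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lines.append("  " * _indent + f"{info.filename} ({info.file_size} bytes)")
            if not info.is_dir():
                lines.extend(member_tree(zf.read(info), max_depth - 1, _indent + 1))
    return lines


if __name__ == "__main__":
    sample = build_nested_zip(b"hello from the innermost layer\n", 5)
    print("\n".join(member_tree(sample)))
    print("layers:", encoding_depth(sample),
          "blocked by a five-layer rule:", exceeds_inspection_limit(sample))
```

Pointing `encoding_depth` at a downloaded file (`open(path, "rb").read()`) tells you whether a block on Multi-Level-Encoding would have caught it, and `member_tree` shows what an archive manager's single-level listing hides.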

6.23 Create a Danger Security Policy Rule


Create a Security policy rule that references the danger security zone for threat and traffic
generation.
169. In the web interface, select Policies > Security.
170. Click Add to create a Security policy rule.
The Security Policy Rule configuration window should appear.
171. Configure the following:
Parameter            Value
Name                 Type danger-simulated-traffic
Tags                 Select danger from the drop-down list
Group Rules By Tag   Select danger from the drop-down list
Audit Comment        Type Created danger simulated traffic rule on <date> by <Your-Role>

172. Click the Source tab and configure the following:
Parameter         Value
Source Zone       Click Add and select danger from the drop-down list
Source Address    Verify that the Any check box is selected

173. Click the Destination tab and configure the following:
Parameter             Value
Destination Zone      Click Add and select danger from the drop-down list
Destination Address   Verify that the Any check box is selected

174. Click the Actions tab and configure the following:
Parameter         Value
Profile Type      Select Group from the drop-down list
Group Profile     Select lab-spg from the drop-down list

175. Click OK to close the Security Policy Rule configuration window.


The new Security Policy Rule now should be listed.
176. Hover the mouse over the Name column header and select Adjust Columns from the
drop-down list:

Notice that the width of all the columns was adjusted to fit the text in the columns.
177. Commit all changes.

6.24 Generate Threats
178. On the Windows desktop, double-click the PuTTY icon.
179. Double-click traffic-generator:

180. Enter the following information when prompted:
Parameter         Value
Password          Pal0Alt0
181. In the PuTTY window, type the sh /tg/malware.sh command:

Wait for the shell script to complete.


182. Leave the PuTTY window open.
183. In the web interface, select Monitor > Logs > Threat.
Notice the threats currently listed from the generated traffic:

Note: The Threat log entries that you see in your lab may not match exactly the image shown.
Threat signatures, names, categorizations, and verdicts may change over time to ensure that the
firewall will consistently detect the packet captures. Two custom Vulnerability signatures are
included in the lab configuration that you loaded at the start of this lab. In your lab, at a
minimum, you should see the Vulnerability detections named Trojan-Win32.swrort.dfap and
Ransom-Win32.locky.pe.
184. In the web interface, select Monitor > Logs > Data Filtering.
Notice the blocked files:

6.25 Modify a Security Profile Group


185. In the web interface, select Objects > Security Profile Groups.
186. Click to open the lab-spg Security Profile Group.
The Security Profile Group configuration window should appear.
187. Remove the File Blocking Profile:

188. Click OK to close the Security Profile Group configuration window.
189. Commit all changes.

6.26 Generate Threats


190. In the PuTTY window named root@pod-dmz, type the command sh
/tg/malware.sh.
Wait for the shell script to complete.
191. Close the PuTTY window.
192. In the web interface, select Monitor > Logs > Threat.
Notice the blocked files and whether any new threats were detected with file blocking turned
off. Some files that were being blocked based on file type alone now may be blocked based on
the detection of malicious content:

Note: Because threat signatures, names, categorizations, and verdicts may change over time,
the log entries that you see in your lab may not match exactly the image shown.

Stop. This is the end of the Content-ID lab.

7. Lab: URL Filtering

Lab Objectives
• Create a custom URL category and use it as a Security policy rule match criterion and as
part of a URL Filtering Profile.
• Configure and use an EDL as a URL block list.
• Create a URL Filtering Profile and observe the difference between using url-categories in
a Security policy versus a profile.
• Review firewall log entries to identify all actions and changes.

7.0 Load a Lab Configuration


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.
3. Click the drop-down list next to the Name text box and select edu-210-lab-07.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers:

4. Click OK to close the Load Named Configuration window.


A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:

A Commit window should appear.


7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
8. Click Close to continue.

7.1 Create a Security Policy Rule with a Custom URL


Category
Use a custom URL Category object to create your custom list of URLs and use it in a URL
Filtering Profile or as match criteria in Security policy rules. In a custom URL Category, you
can add URL entries individually, or import a text file that contains a list of URLs.
9. In the web interface, select Objects > Custom Objects > URL Category.
10. Click Add to create a Custom URL Category.
The Custom URL Category configuration window should appear.
11. Configure the following:
Parameter         Value
Name              Type news-sites
Description       Type Blocked news sites
Sites             Click Add and type the following news sites:
                  foxnews.com
                  bbc.com
                  msnbc.com
                  *.foxnews.com
                  *.bbc.com
                  *.msnbc.com

12. Click OK to close the Custom URL Category configuration window.


The new Custom URL Category should appear in the web interface.
13. In the web interface, select Policies > Security.
14. Select the egress-outside-content-id Security policy rule.
The Security Policy Rule configuration window should appear.
15. Configure the following:
Parameter         Value
Name              Rename the policy to egress-outside-url
Audit Comment     Type Created URL Security policy on <date> by <Your-Role>

16. Click the Application tab and configure the following:
Parameter         Value
Applications      Verify that the Any check box is selected

17. Click the Service/URL Category tab and configure the following:
Parameter         Value
URL Category      Click Add and select news-sites from the drop-down list

18. Click the Actions tab and configure the following:
Parameter         Value
Action Setting    Select Reset both client and server from the drop-down list
Log Setting       Verify that Log at Session end is selected
Profile Type      Select None from the drop-down list

19. Click OK to close the Security Policy Rule configuration window.


The egress-outside-url rule should be listed as the first Security policy rule to ensure that the
next sections of the lab work properly. If it is not listed as the first Security policy rule, then
highlight it and move the rule to the top of the list.

20. Hover the mouse over the Name column and click the down-arrow:

21. Expand the Columns list using the right-arrow and verify that the URL Category check
box is selected:

22. Select the egress-outside Security policy rule without opening it.
23. Click Enable.
Note: Because you created a rule that resets traffic, you need to enable the “egress-outside”
rule to allow everything else.
24. Commit all changes.

7.2 Test a Security Policy Rule


25. On your desktop, open a new browser window in private/incognito mode and browse to
bbc.com. (Steve’s Note: This will no longer work, as the websites are now 443 vs 80,
so the lab may not work correctly.)

The URL is blocked by the Security policy rule named “egress-outside-url.”

26. In the same browser window, verify that foxnews.com is blocked.
27. In the same browser window, determine if https://www.msnbc.com also is blocked.
Note that this is an SSL connection. Because the firewall is not decrypting traffic, the firewall
resets the connection but does not generate a URL block page. If the firewall intercepted this
connection and generated a URL block page, the browser (depending on the type) would
assume and possibly report a man-in-the-middle attack.
28. Close the browser window.

7.3 Review the Logs


29. In the web interface, select Policies > Security.
30. Hover the pointer over the egress-outside-url Security policy rule, click the Down arrow,
and select Log Viewer to open the Traffic log:

Notice that the firewall adds (rule eq ‘egress-outside-url’) to the Traffic log filter text
box:

31. Click the down-arrow on any column header to add the URL Category column to the
Traffic log display:

32. In the web interface, select Monitor > Logs > URL Filtering.
Notice that the URL Filtering log includes the Category and URL columns by default:

7.4 Configure an External Dynamic List


An EDL is an object that references an external list of IP addresses, URLs, or domain names
that can be used in policy rules.
33. On the Windows desktop, double-click the WinSCP icon.

34. Double-click the list menu item edl-webserver:

35. Locate the text file named block-list.txt in the right window pane.
36. Right-click the block-list.txt file and select Edit.

37. Verify that the following URLs exist, each followed by a line break:

38. Click Save to save any modifications to the file that you might have made.
39. Click to close the file.
40. Close the WinSCP window.
41. In the web interface, select Objects > External Dynamic Lists.

42. Click Add to configure a new EDL.
The External Dynamic Lists configuration window should appear.
43. Configure the following:
Parameter           Value
Name                Type url-block-list
Type                Select URL List from the drop-down list
Source              Type http://192.168.50.10/block-list.txt
Check for updates   Select Five Minute from the drop-down list

44. Click OK to close the External Dynamic Lists configuration window.


45. In the web interface, select Policies > Security.
46. Click the egress-outside-url Security policy rule to configure the policy.
The Security Policy Rule configuration window should appear.
47. Click the Service/URL Category tab and configure the following:
Parameter     Value
URL Category  Click Add and select url-block-list from the drop-down list

48. Click OK to close the Security Policy Rule configuration window.
49. Commit all changes.

7.5 Test a Security Policy Rule


50. On your desktop, open a new browser window in private/incognito mode and browse to
avsforum.com:

The URL is blocked by the Security policy rule named “egress-outside-url.”


51. In the same browser window, verify that gizmodo.com and lifehacker.com also are
blocked.
52. Close the browser window.

7.6 Review the Logs


53. In the web interface, select Monitor > Logs > URL Filtering.

Notice that the Category column displays the name of the EDL you created and that the Action
column shows that the URL is blocked:

7.7 Create a Security Policy Rule with a URL Filtering Profile


54. In the web interface, select Objects > Security Profiles > URL Filtering.
55. Click Add to define a URL Filtering Profile.
The URL Filtering Profile configuration window should appear.
56. Configure the following:
Parameter    Value
Name         Type lab-url-filtering
Description  Type Block shopping, government, and hacking websites
57. Click the Categories tab.
58. Search the Category field for the following three categories and set the Site Access to
block:

shopping
government
hacking
59. Search for url-block-list and news-sites.

Notice that your custom URL categories also are listed, and they are set to a Site Access of
“allow.” Leave them set to “allow.”
60. Click OK to close the URL Filtering Profile window.
61. In the web interface, select Policies > Security.
62. Click egress-outside-url to configure the policy.
The Security Policy Rule configuration window should appear.
63. Click the Service/URL Category tab.
64. Select the Any check box above the URL Category list.
65. Click the Actions tab and configure the following:
Parameter      Value
Action         Select Allow from the drop-down list
Profile Type   Select Profiles from the drop-down list
URL Filtering  Select lab-url-filtering from the drop-down list

66. Click OK to close the Security Policy Rule configuration window.


67. Disable the egress-outside rule.
Note: You can disable the “egress-outside” rule because the URL Filtering Profile is being used
and the “egress-outside-url” Security policy rule now allows traffic.
68. Commit all changes.

7.8 Test a Security Policy Rule with a URL Filtering Profile


69. Open a different browser (not a new tab) in private/incognito mode and browse to
www.newegg.com.

The URL www.newegg.com belongs to the shopping URL category. Based on the Security policy
rule named “egress-outside-url,” the URL now is allowed even though you chose to block the
shopping category because your custom URL category has newegg.com listed and is set to
“allow,” and your custom category is evaluated before the Palo Alto Networks URL categories.
70. In the same browser window, verify that http://www.transportation.gov
(government) and http://www.2600.org (hacking) are blocked.
71. Close all browser windows except for the firewall web interface.
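The evaluation order described above (custom and EDL-based categories before the PAN-DB category), as an added example that is not part of the lab guide and not Palo Alto Networks code. The Python model below loads a URL-list EDL in the one-entry-per-line form used for block-list.txt in section 7.4 and then resolves a URL to a category and a Site Access action the way the profile does. The PAN-DB table, the block-list.txt contents, the name custom-allow for the earlier custom category that lists newegg.com, and the block action for url-block-list are constructed assumptions; entry matching is the simplified rule that example.com matches that exact host and *.example.com matches its subdomains.

```python
"""Simplified model of how a URL Filtering Profile picks an action.

Added example (not Palo Alto Networks code). Custom URL categories and
EDL-based categories are evaluated before the PAN-DB category, so a custom
category set to allow wins even when the PAN-DB category of the same site
is set to block. Matching: "example.com" matches that exact host,
"*.example.com" matches its subdomains (simplified rule for this example).
"""
from urllib.parse import urlsplit

# Constructed stand-in for block-list.txt served from http://192.168.50.10/:
# one entry per line, blank lines ignored (sample data, not the lab file).
BLOCK_LIST_TXT = """
avsforum.com
gizmodo.com
lifehacker.com
"""


def parse_edl(text):
    """Parse a URL-list EDL body: one entry per line, trimmed, blanks dropped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def host_matches(host, entry):
    """Exact host match, or subdomain match for '*.domain' entries."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])  # "*.eicar.org" -> ".eicar.org" suffix
    return host == entry


# Constructed PAN-DB lookup table (sample data only).
PANDB = {
    "www.newegg.com": "shopping",
    "www.transportation.gov": "government",
    "www.2600.org": "hacking",
    "www.engadget.com": "tech-sites",
}

# Custom / EDL categories, checked before PAN-DB. "custom-allow" is a
# hypothetical name for the earlier custom category that lists newegg.com.
CUSTOM_CATEGORIES = {
    "url-block-list": parse_edl(BLOCK_LIST_TXT),
    "custom-allow": ["newegg.com", "*.newegg.com"],
}

# Site Access per category as in the lab-url-filtering profile; the block
# action for url-block-list is a constructed assumption for this example.
PROFILE_ACTIONS = {
    "url-block-list": "block",
    "custom-allow": "allow",
    "shopping": "block",
    "government": "block",
    "hacking": "block",
}


def categorize(url):
    """Return the first matching category: custom/EDL first, then PAN-DB."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    for name, entries in CUSTOM_CATEGORIES.items():
        if any(host_matches(host, e) for e in entries):
            return name
    return PANDB.get(host, "unknown")


def url_action(url):
    """(category, action) for a URL; categories without an explicit action allow."""
    category = categorize(url)
    return category, PROFILE_ACTIONS.get(category, "allow")


if __name__ == "__main__":
    for u in ("https://www.newegg.com/", "http://www.transportation.gov",
              "http://www.2600.org", "http://gizmodo.com",
              "https://www.engadget.com"):
        print(u, "->", url_action(u))
```

Running the block shows www.newegg.com resolved by custom-allow before PAN-DB ever sees the shopping category, while transportation.gov and 2600.org fall through to their PAN-DB categories and are blocked.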

7.9 Review the Logs


72. In the web interface, select Monitor > Logs > URL Filtering.
Review the actions taken on the following log entries:

Stop. This is the end of the URL Filtering lab.

8. Lab: Decryption

Lab Objectives
• Observe firewall behavior without decryption.
• Create Forward Trust and Untrust certificates.
• Create a custom decryption category.
• Create a decryption policy.
• Observe firewall behavior after decryption is enabled.
• Review logs.

8.0 Load a Lab Configuration


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.
3. Click the drop-down list next to the Name text box and select edu-210-lab-08.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers:

4. Click OK to close the Load Named Configuration window.


A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:

A Commit window should appear.


7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.

Verify that the Result reported is “Successful” and that the Details include “Configuration
committed successfully.” Warnings about two EDLs that are part of the new configuration may
appear; the messages report “no valid entries” for the EDLs. Having no valid entries for newly
loaded EDLs is normal, because the firewall did not use these EDLs before. The firewall can
fetch EDL entries only after the configuration is committed.

If the commit fails, load the edu-210-lab-07 config file and commit the config file again. The
commit should now be successful.
8. Click Close to continue.

8.1 Test the Firewall Behavior Without Decryption


9. In the web interface, select Policies > Security.
10. Click egress-outside-content-id to open the Security policy rule.
The Security Policy Rule configuration window should appear.
11. Click the Service/URL Category tab.
12. Configure the following:
Parameter  Value
Service    Select any from the drop-down list

13. Click OK to close the Security Policy Rule configuration window.


14. Commit all changes.
15. On the Windows desktop, open a browser in private/incognito mode and browse to
http://2016.eicar.org.
16. Click the DOWNLOAD ANTIMALWARE TESTFILE image in the upper-right
corner:

17. Click the Download link on the left of the webpage:

18. Within the Download area at the bottom of the page, under the standard protocol http, click
either the eicar.com or the eicar.com.txt file to download it over plain HTTP rather than
SSL-encrypted HTTPS.
The firewall cannot detect the virus inside an HTTPS connection until decryption is
configured.

You should get a block page:

19. Go back in the browser and download one of the test files using HTTPS:

Notice that the download is not blocked because the connection is encrypted, and the virus is
hidden.
20. Close all browser windows except for the firewall web interface.

8.2 Create Two Self-Signed Certificates
In this section, you will generate certificates so that the firewall can decrypt the traffic.
21. In the web interface, select Device > Certificate Management > Certificates:

22. Click at the bottom of the page to create a new CA certificate.


23. Configure the following:
Parameter              Value
Certificate Name       Type trusted-ca
Common Name            Type 192.168.1.1
Certificate Authority  Select the Certificate Authority check box

24. Click Generate to create the certificate.


A Generate Certificate status window should appear that confirms the certificate and key pair
were successfully generated.
25. Click OK to close the Generate Certificate success window.

26. Click at the bottom of the page to create a second CA certificate.


27. Configure the following:
Parameter              Value
Certificate Name       Type untrusted-ca
Common Name            Type untrusted
Certificate Authority  Select the Certificate Authority check box

28. Click Generate to create the certificate.
A Generate Certificate status window should appear that confirms the certificate and key pair
were successfully generated.
29. Click OK to close the Generate Certificate success window.
30. Click trusted-ca from the list of certificates to edit the certificate information.
A Certificate Information window should appear.
31. Select the Forward Trust Certificate check box.

32. Click OK to close the Certificate Information configuration window.


33. Click untrusted-ca from the list of certificates to edit the certificate information.
A Certificate Information window should appear.
34. Select the Forward Untrust Certificate check box:

35. Click OK to close the Certificate Information configuration window.
36. Verify that your configuration is like the following:

8.3 Create a Custom Decryption URL Category


In this section, you will create a custom URL Category to ensure that only intended traffic is
being decrypted.
37. In the web interface, select Objects > Custom Objects > URL Category.
38. Click Add to open the Custom URL Category configuration window.
The Custom URL Category configuration window should appear.
39. Configure the following:
Parameter    Value
Name         Type lab-decryption
Description  Type Decryption URL Category for lab
Type         Verify that URL List is selected
Sites        Click Add and type the following websites:
             eicar.org
             paloaltonetworks.com
             badssl.com
             *.eicar.org
             *.paloaltonetworks.com
             *.badssl.com

40. Click OK to close the Custom URL Category configuration window.
The new Custom URL Category now should be listed.

8.4 Create a Decryption Policy


In this section, you will create a Decryption Policy to decrypt traffic that matches the Custom
URL Category you created in the previous task.
41. In the web interface, select Policies > Decryption.
42. Click Add to create a decryption policy rule.
A Decryption Policy Rule window should appear.
43. Configure the following:
Parameter           Value
Name                Type decrypt-url-cat
Tags                Select egress from the drop-down list
Group Rules By Tag  Select egress from the drop-down list
Audit Comment       Type Created Decryption policy on <date> by <Your-Role>

44. Click the Source tab and configure the following:
Parameter       Value
Source Zone     Click Add and select inside from the drop-down list
Source Address  Verify that the Any check box is selected
Source User     Verify that any is selected

45. Click the Destination tab and configure the following:


Parameter            Value
Destination Zone     Click Add and select outside from the drop-down list
Destination Address  Verify that the Any check box is selected

46. Click the Service/URL Category tab and configure the following:
Parameter     Value
Service       Verify that any is selected
URL Category  Click Add and select lab-decryption from the drop-down list

47. Click the Options tab and configure the following:


Parameter          Value
Action             Select the Decrypt radio button
Type               Verify that SSL Forward Proxy is selected
Decryption Policy  Verify that None is selected

48. Click OK to close the Decryption Policy Rule configuration window.


A new decryption policy should appear.
49. Verify that your configuration is like the following:

50. Commit all changes.

8.5 Test an AV Security Profile with the Decryption Policy


51. On the Windows desktop, open a new browser window in private/incognito mode and
browse to http://2016.eicar.org.
52. Click the DOWNLOAD ANTIMALWARE TESTFILE image in the upper-right
corner:

53. Click the Download link on the left of the webpage:

54. Within the Download area using the secure, SSL-enabled protocol https at the bottom of
the page, click either the eicar.com or the eicar.com.txt file to download the file using
HTTPS:

A certificate issue is presented:

Note: The endpoint (Windows desktop) does not trust the certificate generated by the firewall.
If you are using Chrome as your web browser, you should see the following message:

55. Close all browser windows except for the firewall web interface.

8.6 Export the Firewall Certificate


56. In the web interface, select Device > Certificate Management > Certificates.

57. Select but do not open trusted-ca.


58. Click Export Certificate to open the Export Certificate configuration window.
59. Leave all settings at the default and click OK to export the trusted-ca certificate.
60. You may see a warning that this type of file can harm your computer. Click Keep:

8.7 Import the Firewall Certificate

61. On your desktop, double-click the certificates icon.


A User Account Control message should appear. Click the Yes button to continue.
62. Under Certificates (Local Computer), expand Trusted Root Certification Authorities
and select the Certificates folder:

63. Select Action > All Tasks > Import:

The Certificate Import Wizard should appear.


64. Click Next to continue.
65. Browse to the Downloads folder and select the exported cert_trusted-ca certificate and
click Open:

66. Click Next to continue.
67. Verify that the following is configured:

68. Click Next to continue.


69. Click Finish to import the certificate.
A Certificate Import Wizard status window should appear that states the import was successful.
70. Click OK to close the status window.
The trusted-ca certificate now should be imported and should be the first certificate listed:

71. Close the Microsoft Management Console.


72. Click No when asked to save the console settings.

8.8 Test the Decryption Policy


73. On the Windows desktop, open an Internet Explorer browser window in private/incognito
mode and browse to http://2016.eicar.org.
74. Click the DOWNLOAD ANTIMALWARE TESTFILE image in the upper-right
corner.

75. Click the Download link on the left of the webpage.

76. Within the Download area at the bottom of the page, click either the eicar.com or the
eicar.com.txt file to download the file using HTTPS:

The Eicar Test File is detected, and the connection gets reset.

77. In the same browser, browse to https://www.paloaltonetworks.com.


There is no certificate warning and the page is displayed correctly.
78. Click the lock icon next to the URL in the browser (Internet Explorer).
79. Notice that the signer is the firewall 192.168.1.1:

80. Close all browser windows except for the firewall web interface.
81. On the Windows desktop, open an Internet Explorer browser window in private/incognito
mode and browse to https://www.badssl.com.
If you receive the following certificate warning message, select Continue to this website (not
recommended) to continue to the badssl website.

82. Click untrusted-root:

Notice that a certificate warning now is displayed.

83. Choose to Continue to this website (not recommended).
84. Click the icon near the URL and then click View Certificates:

Notice that the certificate is still signed by the firewall. However, it was signed with the
untrusted certificate.
85. Close all browser windows except for the firewall web interface.
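The decisions behind sections 8.4 and 8.8, as an added example that is not part of the lab guide and not firewall code. The Python model below answers, for one HTTPS session, whether the server name falls into the lab-decryption custom URL category (only then does decrypt-url-cat apply), which CA re-signs the server certificate (trusted-ca when the origin chain validates, untrusted-ca when it does not, which is why untrusted-root.badssl.com still warns), and whether the endpoint warns, which depends on whether that CA is in its trust store (empty before section 8.7, containing trusted-ca after it). The chain-validation results, the session list and the trust stores are constructed inputs; traffic outside the category stays encrypted end to end and its content cannot be scanned, even though the firewall can still match a URL category on the TLS server name.

```python
"""Model of the SSL Forward Proxy decisions exercised in sections 8.4 and 8.8.

Added example, not PAN-OS code. Constructed inputs: the lab-decryption
category entries, whether each origin server's chain validates, and the
client's trust store before and after importing trusted-ca.
"""

# Entries of the lab-decryption custom URL category from section 8.3.
LAB_DECRYPTION = ["eicar.org", "paloaltonetworks.com", "badssl.com",
                  "*.eicar.org", "*.paloaltonetworks.com", "*.badssl.com"]


def host_matches(host, entry):
    """'example.com' matches the exact host; '*.example.com' matches subdomains."""
    host, entry = host.lower().rstrip("."), entry.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])
    return host == entry


def in_decrypt_category(server_name):
    return any(host_matches(server_name, e) for e in LAB_DECRYPTION)


def forward_proxy_decision(server_name, origin_chain_valid):
    """Return (decrypted?, re-signing CA or None) for one HTTPS session.

    Forward Trust CA (trusted-ca) re-signs when the origin chain validates;
    Forward Untrust CA (untrusted-ca) re-signs when it does not, so the
    browser keeps warning the user about the bad origin certificate.
    """
    if not in_decrypt_category(server_name):
        return False, None
    return True, ("trusted-ca" if origin_chain_valid else "untrusted-ca")


def client_view(server_name, origin_chain_valid, client_trust_store):
    """What the endpoint sees: who signed the leaf it got, and whether it warns."""
    decrypted, ca = forward_proxy_decision(server_name, origin_chain_valid)
    if decrypted:
        signer, warns = ca, ca not in client_trust_store
    else:
        signer, warns = "origin CA", not origin_chain_valid
    # Content (for example the EICAR file) is inspectable only when decrypted.
    return {"decrypted": decrypted, "signer": signer, "warning": warns,
            "inspectable": decrypted}


# Constructed session inputs: (server name, does the origin chain validate?)
SESSIONS = [
    ("2016.eicar.org", True),
    ("www.paloaltonetworks.com", True),
    ("untrusted-root.badssl.com", False),
    ("www.engadget.com", True),
]

if __name__ == "__main__":
    # Before section 8.7 the desktop trusts no firewall CA; afterwards trusted-ca.
    for store in (set(), {"trusted-ca"}):
        print("client trusts:", sorted(store) or "no firewall CA")
        for name, valid in SESSIONS:
            print(" ", name, client_view(name, valid, store))
```

With an empty trust store even www.paloaltonetworks.com warns once decrypted (the certificate issue seen in section 8.5); after importing trusted-ca only the badssl session warns, and it warns because the firewall deliberately used untrusted-ca.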

8.9 Review the Logs


86. In the web interface, select Monitor > Logs > Threat.
Notice that there is an entry for when the connection was reset in the browser:

87. Select Monitor > Logs > Traffic.
88. Clear any existing filters and type (flags has proxy) in the search field.
This filter shows only Traffic log entries for sessions that were decrypted.

If the Decrypted column is not present, hover the mouse over Receive Time, click the down-arrow,
and add the column.

8.10 Test URL Filtering with Decryption


89. In the web interface, select Objects > Security Profiles > URL Filtering.
90. Click to open the lab-url-filtering object.
A URL Filtering Profile window should appear.
91. Click the Categories tab and type tech-sites in the search criteria.
92. Move your mouse pointer to the far-right side of the Site Access column to locate the
down arrow. Change Site Access to block:

93. Click OK to close the URL Filtering Profile configuration window.


94. Commit all changes.
95. Open an Internet Explorer browser window in private mode and browse to
https://engadget.com.
Engadget is blocked because the site can be identified and blocked per the URL Filtering Profile:

96. Close all browser windows except for the firewall web interface.

Stop. This is the end of the Decryption lab.

9. Lab: WildFire

Lab Objectives
• Configure and test a WildFire Analysis Security Profile.

9.0 Load a Lab Configuration


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.

3. Click the drop-down list next to the Name text box and select edu-210-lab-09.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers:

4. Click OK to close the Load Named Configuration window.


A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:

A Commit window should appear.


7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
8. Click Close to continue.

9.1 Create a WildFire Analysis Profile


9. In the web interface, select Objects > Security Profiles > WildFire Analysis.
10. Click Add to open the WildFire Analysis Profile configuration window.
A WildFire Analysis Profile window should appear.
11. Configure the following:
Parameter    Value
Name         Type lab-wildfire
Description  Type WildFire Analysis profile for lab
12. Click Add in the bottom left corner and configure the following:
Parameter     Value
Name          Type pe
Applications  Verify that any is selected
File Types    Click Add and select pe from the drop-down list
Direction     Verify that both is selected
Analysis      Verify that public-cloud is selected

Note: The file type pe includes .cpl, .dll, .drv, .efi, .exe, .fon, .ocx, .pif, .scr, and .sys file types.
13. Click OK to close the WildFire Analysis Profile configuration window.
The new WildFire Analysis Profile now should be listed.

9.2 Modify a Security Profile Group


14. In the web interface, select Objects > Security Profile Groups.
15. Click lab-spg to open the Security Profile Group.
A Security Profile Group window should appear.
16. Add the newly created lab-wildfire WildFire Analysis Profile:

17. Click OK to close the Security Profile Group configuration window.
18. Commit all changes.

9.3 Test the WildFire Analysis Profile


19. Open a new Chrome browser in private/incognito mode and browse to
http://wildfire.paloaltonetworks.com/publicapi/test/pe.
Do not open the file.
This site generates an attack file with a unique signature that simulates a zero-day attack.
A wildfire-test-pe-file.exe file automatically is downloaded to the Downloads directory.
20. Close all browser windows except for the firewall web interface.
21. On the Windows desktop, double-click the PuTTY icon
22. Double-click firewall-management:

23. Log in using the following information:
Parameter  Value
Name       admin
Password   admin
24. From the CLI, enter the command debug wildfire upload-log show.
The command should display the output log: 0, filename: wildfire-test-pe-file.exe processed….
This output verifies that the file was uploaded to the WildFire public cloud. The message might
take a minute or two to appear:

25. Type exit to close the PuTTY session.


26. In the web interface, select Monitor > Logs > WildFire Submissions:

After five minutes have passed, find the entry for wildfire-test-pe-file.exe that has been
submitted to WildFire and identified as Malicious.
27. Click the magnifying glass icon next to the entry to see the Detailed Log View of the
WildFire entry:

28. On the Log Info tab, review the information within the General, Source, and
Destination panels.
29. Click the WildFire Analysis Report tab.
The verdict for this file is Malware.

30. Scroll down the WildFire Analysis Report tab to see Static Analysis, Dynamic
Analysis, Network Activity, Host Activity (by process), and Report Incorrect
Verdict:

31. Click Close to close the Detailed Log View window.

Stop. This is the end of the WildFire lab.

10. Lab: User-ID

Lab Objectives
• Enable User-ID technology on the inside zone.
• Configure the LDAP Server Profile to be used in group mapping.
• Configure group mapping for User-ID.
• Configure and test the PAN-OS integrated User-ID agent.
• Leverage User-ID information in a Security policy rule.

10.0 Load a Lab Configuration


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.
3. Click the drop-down list next to the Name text box and select edu-210-lab-10.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers:

4. Click OK to close the Load Named Configuration window.


A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:

A Commit window should appear.


7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
8. Click Close to continue.

10.1 Enable User-ID on the Inside Zone


9. In the web interface, select Network > Zones.
10. Click inside to open the Zone configuration window.
The Zone configuration window should appear.
11. Enable User-ID by selecting the Enable User Identification check box:

12. Click OK to close the Zone configuration window.

10.2 Configure the LDAP Server Profile


In this section, you will create a Server Profile so the firewall can pull user and group
information from Active Directory.

13. In the web interface, select Device > Server Profiles > LDAP.
14. Click Add to open the LDAP Server Profile configuration window.
An LDAP window should appear.
15. Configure the following:
Parameter     Value
Profile Name  Type lab-active-directory


16. Locate the Server List on the left side of the window and click Add.
17. Configure the following:
Parameter    Value
Name         Type lab-client
LDAP Server  Type 192.168.1.20
Port         Verify that port 389 is selected


18. Locate Server Settings on the right side of the window and configure the following:
Parameter                           Value
Require SSL/TLS secured connection  Deselect the check box (Make sure to do this task first.)
Type                                Select active-directory from the drop-down list
Base DN                             Select DC=lab,DC=local from the drop-down list
Bind DN                             Type lab-user-id@lab.local
Password                            Type Pal0Alt0

19. Click OK to close the LDAP Server Profile configuration window.
The new LDAP Server Profile now should be listed.
20. Verify that your configuration is like the following:

10.3 Configure User-ID Group Mapping


In this section, you will define which users and groups will be available when policy rules are
created.
21. In the web interface, select Device > User Identification > Group Mapping Settings.
22. Click Add to open the Group Mapping configuration window.
A Group Mapping window should appear.
23. Configure the following:
Parameter       Value
Name            Type lab-group-mapping
Server Profile  Select lab-active-directory from the drop-down list

(All other necessary fields should autopopulate.)

24. Click the Group Include List tab and configure the following:
Parameter   Value
Search box  Type lab users

25. From the Available Groups box, select lab users and click the green + button to add the
group to the Included Groups box.
26. Click OK to close the Group Mapping configuration window.
The new Group Mapping now should be listed.

10.4 Configure an Integrated Firewall Agent


27. In the web interface, select Device > User Identification > User Mapping.
28. Click the icon in the upper-right corner of the Palo Alto Networks User-ID Agent
Setup pane.
The Palo Alto Networks User-ID Agent Setup window should appear.
29. On the Server Monitor Account tab, configure the following:
Parameter  Value
User Name  Type lab.local\lab-user-id
Password   Type Pal0Alt0

30. Click the Server Monitor tab and verify the following configuration:
Parameter                  Value
Windows Server Monitoring

31. Click the Client Probing tab.


32. Verify that the Enable Probing check box is deselected:

33. Click the Cache tab and configure the following:


Parameter                           Value
Enable User Identification Timeout

Note: Ensure that the timeout option is not enabled. You do not need to time out the IP address
associated with the lab-user-id because the IP never changes. In a production environment, the
timeout is recommended to be half the DHCP lease time.
34. Click the Ignore User List tab.
35. Click Add and configure the following:
Parameter    Value
Ignore User  Type lab\Administrator

Addition of the Administrator to the Ignore User list prevents the firewall from assuming that
Administrator is associated with 192.168.1.20.
36. Click OK to close the Palo Alto Networks User-ID Agent Setup configuration window.
37. Scroll down to the Server Monitoring pane.
The User Identification Monitored Server window should appear.
38. Click Add and configure the following:

Parameter        Value
Name             Type lab-client
Enabled          Select the check box
Type             Verify that Microsoft Active Directory is selected
Network Address  Type 192.168.1.20


39. Click OK to close the User Identification Monitored Server window.
40. Commit all changes.
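The two agent settings this section calls out, the Ignore User list and the User Identification Timeout, as an added example that is not part of the lab guide and not PAN-OS code. The Python model below keeps the kind of IP-address-to-username table the integrated agent builds from logon events read off the monitored domain controller, drops logons by lab\Administrator so an admin logon on 192.168.1.20 never overwrites the mapping, and optionally expires entries after a timeout. The logon events, the second host 192.168.1.2, the 8-hour DHCP lease behind the 4-hour timeout, and the timestamps are constructed; the lab itself leaves the timeout disabled, which the default of None reproduces.

```python
"""Model of the IP-address-to-username cache kept by the integrated User-ID agent.

Added example, not PAN-OS code. Replays constructed logon events and shows
the effect of the Ignore User list and of the User Identification Timeout
(None in the lab; the guide recommends half the DHCP lease time in production).
"""
from datetime import datetime, timedelta


class IpUserMappingCache:
    def __init__(self, ignore_users=(), timeout=None):
        # Account names compare case-insensitively, as on Windows.
        self.ignore = {u.lower() for u in ignore_users}
        self.timeout = timeout          # timedelta, or None to never expire
        self.table = {}                 # ip -> (user, learned_at)

    def add_logon_event(self, ip, user, when):
        """Learn a mapping from a logon event unless the user is ignored."""
        if user.lower() in self.ignore:
            return False
        self.table[ip] = (user, when)
        return True

    def lookup(self, ip, now):
        """Username mapped to ip, or None if unknown or expired."""
        entry = self.table.get(ip)
        if entry is None:
            return None
        user, learned = entry
        if self.timeout is not None and now - learned > self.timeout:
            del self.table[ip]          # stale mapping: treat the IP as unknown
            return None
        return user


def build_lab_cache(timeout_hours=None):
    """Replay constructed logon events in the order the agent would see them."""
    t0 = datetime(2019, 6, 1, 9, 0)   # constructed start time
    timeout = timedelta(hours=timeout_hours) if timeout_hours is not None else None
    cache = IpUserMappingCache(ignore_users=["lab\\Administrator"], timeout=timeout)
    events = [
        ("192.168.1.20", "lab\\Administrator", t0),                   # admin logon on the DC
        ("192.168.1.20", "lab\\lab-user", t0 + timedelta(minutes=1)), # logon forced by user-id.bat
        ("192.168.1.2", "lab\\lab-user", t0 + timedelta(minutes=2)),  # constructed second host
    ]
    for ip, user, when in events:
        cache.add_logon_event(ip, user, when)
    return cache, t0


def who_is_at(ip, hours_after_start, timeout_hours=None):
    """Answer the 'show user ip-user-mapping' question for one IP at a given time."""
    cache, t0 = build_lab_cache(timeout_hours)
    return cache.lookup(ip, t0 + timedelta(hours=hours_after_start))


if __name__ == "__main__":
    print("lab setting, no timeout, 12h later :", who_is_at("192.168.1.20", 12))
    # 4h = half of a constructed 8h DHCP lease, the production recommendation.
    print("4h timeout, 3h later               :", who_is_at("192.168.1.20", 3, 4))
    print("4h timeout, 5h later               :", who_is_at("192.168.1.20", 5, 4))
```

The first query returns lab\lab-user no matter how much time passes, which is what the lab relies on for the 192.168.1.20 mapping; the third returns None, the behaviour a production timeout gives so that a re-leased address is not attributed to its previous user.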

10.5 Verify the User-ID Configuration


41. Under the Server Monitoring section, verify that the status column shows Connected:

42. On the Windows desktop, double-click the lab folder and then double-click the bat files
folder.

43. Double-click the user-id.bat file icon.


Note: This action will force a login event for the firewall to parse.
44. On the Windows desktop, double-click the PuTTY icon.
45. Double-click firewall-management:

46. Log in using the following information:


Parameter  Value
Name       admin
Password   admin
47. Type the CLI command show user group-mapping state all.
The output should be like the following:

48. Type the CLI command show user ip-user-mapping all.
The output should be like the following:

Note: lab\lab-user must have the IP address of 192.168.1.20. If that IP address is not listed, do
not proceed. Contact your instructor or lab partner for assistance.
49. Type exit to close the PuTTY session.
50. Open a new browser window in private mode and browse to msn.com and google.com
to generate some traffic.
51. Close all browser windows except for the firewall web interface.

10.6 Review the Logs


52. In the web interface, select Monitor > Logs > Traffic.
53. Clear any existing filters and type the filter (addr.src in 192.168.1.20) in the filter text
box.
54. Notice that the Source User column now shows the lab-user.

Note: This User-ID reference may take up to three minutes to show on the logs. Click
refresh to update the log entries:

10.7 Create a Security Policy Rule
55. In the web interface, select Policies > Security.
56. Click Add to open the Security Policy Rule configuration window.
The Security Policy Rule window should appear.
57. Configure the following:
Parameter           Value
Name                Type egress-outside-user-id
Rule Type           Verify that universal (default) is selected
Tags                Select egress from the drop-down list
Group Rules By Tag  Select egress from the drop-down list
Audit Comment       Type Created Security Policy Rule on <date> by <Your-Name>

58. Click the Source tab and configure the following:
Parameter    Value
Source Zone  Click Add and select inside from the drop-down list

59. Click the User tab and configure the following:


Parameter    Value
Source User  Click Add and select lab\lab users from the drop-down list.
             If the list of usernames does not appear in the drop-down list, start to type
             the username and the list should then populate.

60. Click the Destination tab and configure the following:
Parameter         Value
Destination Zone  Click Add and select outside from the drop-down list

61. Click the Application tab and configure the following:


Parameter     Value
Applications  Click Add and select facebook-base from the drop-down list

62. Click the Actions tab and configure the following:

Parameter  Value
Action     Select Deny from the drop-down list

63. Click OK to close the Security Policy Rule configuration window.


64. Select but do not open the egress-outside-user-id Security policy rule.

65. Click and select .


66. You might need to adjust columns:

67. Commit all changes.

10.8 Review the Logs


68. Open a new Internet Explorer browser window in private/incognito mode and browse to
www.facebook.com.
The connection is denied based on the “egress-outside-user-id” Security policy rule:

(Steve's Note:) You don't see the facebook block page. This is because facebook.com is now
using SSL.

69. Close all browser windows except for the firewall web interface.
70. In the web interface, select Monitor > Logs > Traffic.
71. Clear any existing filters and type the filter (rule eq 'egress-outside-user-id') in the
search criteria.
72. Notice that the Source User column shows the lab\lab-user and the Action is reset-both:
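The Traffic log filters typed in this guide, (rule eq 'egress-outside-url') in section 7.3, (flags has proxy) in section 8.9, (addr.src in 192.168.1.20) in section 10.6 and (rule eq 'egress-outside-user-id') here, evaluated by a small added example that is not part of the lab guide and not PAN-OS code. The Python evaluator below parses that parenthesised field/operator/value syntax, including terms joined with and/or (evaluated left to right, a simplification of the firewall's filter language), and runs it over constructed sample log rows; the curly quotes the PDF shows around rule names are normalised to the straight quotes the firewall expects.

```python
"""Tiny evaluator for the PAN-OS log-filter syntax used in this guide.

Added example, not firewall code. Supports terms of the form
    (field eq value)   (field neq value)   (field in ip-or-cidr)   (field has flag)
joined with 'and' / 'or', evaluated left to right (simplification).
"""
import ipaddress
import re

TERM_RE = re.compile(r"\(\s*([\w.]+)\s+(eq|neq|in|has)\s+'?([^'()]+?)'?\s*\)")
JOIN_RE = re.compile(r"\s*(and|or)\s*", re.IGNORECASE)


def parse_filter(text):
    """Return [(field, op, value), 'and'|'or', (field, op, value), ...]."""
    # Curly quotes from copied PDFs are not what the firewall expects.
    text = text.strip().translate(str.maketrans("‘’", "''"))
    parts, pos = [], 0
    while pos < len(text):
        m = TERM_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad filter near: {text[pos:]!r}")
        parts.append((m.group(1), m.group(2), m.group(3).strip()))
        pos = m.end()
        j = JOIN_RE.match(text, pos)
        if j and j.end() < len(text):
            parts.append(j.group(1).lower())
            pos = j.end()
        elif pos < len(text):
            raise ValueError(f"expected 'and'/'or' near: {text[pos:]!r}")
    return parts


def match_term(row, field, op, value):
    actual = row.get(field)
    if op == "eq":
        return str(actual) == value
    if op == "neq":
        return str(actual) != value
    if op == "in":      # address fields: membership in an IP or CIDR
        if actual is None:
            return False
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    if op == "has":     # flag-style fields hold a list of flags
        return value in (actual or [])
    raise ValueError(op)


def filter_logs(rows, text):
    """Rows of `rows` that satisfy the filter `text`."""
    parts = parse_filter(text)
    out = []
    for row in rows:
        result = match_term(row, *parts[0])
        for i in range(1, len(parts), 2):
            rhs = match_term(row, *parts[i + 1])
            result = (result and rhs) if parts[i] == "and" else (result or rhs)
        if result:
            out.append(row)
    return out


# Constructed sample Traffic log rows (not captured from the lab firewall).
TRAFFIC_LOG = [
    {"rule": "egress-outside-url", "addr.src": "192.168.1.20", "user.src": "",
     "url.category": "url-block-list", "action": "deny", "flags": []},
    {"rule": "egress-outside-content-id", "addr.src": "192.168.1.20", "user.src": "",
     "url.category": "lab-decryption", "action": "allow", "flags": ["proxy"]},
    {"rule": "egress-outside-user-id", "addr.src": "192.168.1.20",
     "user.src": "lab\\lab-user", "app": "facebook-base", "action": "reset-both", "flags": []},
    {"rule": "egress-outside", "addr.src": "192.168.1.2", "user.src": "",
     "action": "allow", "flags": []},
]

if __name__ == "__main__":
    for f in ("(rule eq 'egress-outside-url')", "(flags has proxy)",
              "(addr.src in 192.168.1.20)",
              "(addr.src in 192.168.1.0/24) and (flags has proxy)"):
        print(f, "->", [r["rule"] for r in filter_logs(TRAFFIC_LOG, f)])
```

The third filter returns three rows because every session from 192.168.1.20 matches regardless of rule; narrowing with an and-joined (flags has proxy) term leaves only the decrypted session, which is how the Decrypted column and the proxy flag line up in section 8.9.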

Stop. This is the end of the User-ID lab.

11. Lab: GlobalProtect

Lab Objectives
• Create and configure a subinterface.
• Create certificates for the GlobalProtect portal, internal gateway, and external gateway.
• Attach certificates to an SSL-TLS Service Profile.
• Configure the Server Profile and Authentication Profile to be used when authenticating
users.
• Create and configure the tunnel interface to be used with the external gateway.
• Configure the internal gateway, external gateway, and portal.
• Host the GlobalProtect agent on the portal for download.
• Create a No-NAT policy rule to ensure that portal traffic is not subjected to network
address translation.
• Test the external gateway and internal gateway.

11.0 Load the Lab Configuration


To start this lab exercise, you will load a preconfigured firewall configuration file.

1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.


3. Click the drop-down list next to the Name text box and select edu-210-lab-11.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers:

4. Click OK to close the Load Named Configuration window.


A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:

A Commit window should appear.


7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
8. Click Close to continue.

11.1 Configure a Subinterface


By default, a subinterface requires a VLAN tag. Selecting Untagged Subinterface on the parent
interface lets you create a subinterface without a tag, so that traffic on the same physical
interface can still be separated into different security zones.
9. In the web interface, select Network > Interfaces > Ethernet.
10. Click ethernet1/2 to open.
The Ethernet Interface configuration window should appear.
11. Click the Advanced tab.
12. Select the Untagged Subinterface check box:

13. Click OK to close the Ethernet Interface configuration window.
14. Verify that ethernet1/2 is still selected and click Add Subinterface:

The Layer3 Subinterface configuration window should appear.


15. Configure the following:
Parameter Value
Interface Name In the text box to the right of ethernet1/2, type 2 (this creates ethernet1/2.2)
Comment Type internal gateway
Virtual Router Select lab-vr from the drop-down list
Security Zone Select inside from the drop-down list

16. Click the IPv4 tab and configure the following:


Parameter Value
IP Click Add and type 192.168.2.1/24

17. Click the Advanced tab and select ping for the Management Profile:

Addition of a management profile is not a requirement for GlobalProtect but can make
troubleshooting easier if you need to verify that the IP address on the subinterface is available.
18. Click OK to close the Layer3 Subinterface configuration window.

A new subinterface should appear in the web interface.
19. Verify that your configuration looks like the following:

11.2 Generate Self-Signed Certificates


GlobalProtect needs three certificates, one each for the portal, external gateway, and internal
gateway. These certificates typically are signed by a common CA certificate. This lab creates
a CA certificate and internal gateway certificate but combines the portal and external gateway
certificates because these GlobalProtect functions are combined on the same IP address.
20. In the web interface, select Device > Certificate Management > Certificates.
21. Click Generate to create a certificate.
The Generate Certificate window should appear.
22. Configure the following:
Parameter Value
Certificate Name Type GlobalProtect
Common Name Type GlobalProtect
Signed By Leave blank
Certificate Authority Select the check box

You will use this certificate to sign the external and internal gateway certificates.
23. Click Generate.
A Generate Certificate window should appear that shows the GlobalProtect certificate and key
pair were successfully generated.
24. Click OK to close the status window.

A new certificate should appear in the web interface.
25. Click Generate and create the external-gw-portal certificate.
The Generate Certificate window should appear.
26. Configure the following:
Parameter Value
Certificate Name Type external-gw-portal
Common Name Type 203.0.113.20
Signed By Select GlobalProtect from the drop-down list

Note that we are signing this new certificate with the GlobalProtect certificate.
27. Click Generate.
A Generate Certificate window should appear that shows the external-gw-portal certificate and
key pair were successfully generated.
28. Click OK to close the status window.
A new certificate should appear in the web interface.
29. Click Generate and create the internal-gw certificate.
The Generate Certificate window should appear.
30. Configure the following:
Parameter Value
Certificate Name Type internal-gw
Common Name Type 192.168.2.1
Signed By Select GlobalProtect from the drop-down list

Again, we are signing this new certificate with the GlobalProtect certificate you created earlier.
31. Click Generate.
A Generate Certificate window should appear that shows the internal-gw certificate and key
pair were successfully generated.
32. Click OK to close the status window.
A new certificate should appear in the web interface.
33. Verify that your configuration looks like the following:

11.3 Configure the SSL-TLS Service Profile


34. In the web interface, select Device > Certificate Management > SSL/TLS Service
Profile.
35. Click Add to create an SSL/TLS Service Profile.
The SSL/TLS Service Profile configuration window should appear.
36. Configure the following:
Parameter Value
Name Type external-gw-portal
Certificate Select external-gw-portal from the drop-down list

This SSL-TLS Service Profile defines the certificate to present to the GlobalProtect client agent
when the agent initially connects to the GlobalProtect portal. The firewall will present this same
certificate when the agent software connects to an external gateway.
37. Click OK to close the SSL/TLS Service Profile configuration window.
A new SSL/TLS profile should appear in the web interface.
38. Click Add to create a second SSL/TLS Service Profile.
The SSL/TLS Service Profile configuration window should appear.
39. Configure the following:
Parameter Value
Name Type internal-gw
Certificate Select internal-gw from the drop-down list

This SSL-TLS Service Profile defines the certificate to present to the GlobalProtect client agent
when the agent connects to an internal GlobalProtect gateway.
40. Click OK to close the SSL/TLS Service Profile configuration window.
A new SSL/TLS profile should appear in the web interface.
41. Verify that your configuration looks like the following:

These entries instruct the firewall to use the appropriate certificate when communicating with
the GlobalProtect agent software. We have one certificate to use when the client connects to
the portal or to an external gateway; and a second certificate to use when the client connects to
an internal gateway.

11.4 Configure the LDAP Server Profile


In this section, you define the server that the firewall will use to authenticate users when they
invoke the GlobalProtect agent software. When the software agent connects to the portal, the
firewall must authenticate the user. Separately, when the software agent connects to a gateway to
establish a VPN, the firewall must authenticate the user.
In an earlier lab, you should have created an LDAP Server Profile for authentication that you
now will review to confirm the configuration.
42. In the web interface, select Device > Server Profiles > LDAP.
43. Click lab-active-directory to open the LDAP Server Profile.
The LDAP Server Profile configuration window should appear.
44. Verify the following:
Parameter Value
Profile Name lab-active-directory

45. Locate the Server list on the left side of the window.
46. Verify the following:
Parameter Value
Name lab-client
LDAP Server 192.168.1.20
Port 389
47. Locate Server Settings on the right side of the window and verify the following:
Parameter Value
Type active-directory
Base DN DC=lab,DC=local
Bind DN lab-user-id@lab.local
Password Pal0Alt0
Require SSL/TLS secured connection Deselected check box

48. Click OK to close the LDAP Server Profile configuration window.

11.5 Configure the Authentication Profile


In this section you will configure an Authentication Profile that contains the LDAP Server
Profile. You will reference this profile to tell the firewall how to authenticate users accessing
the GlobalProtect portal or the gateway.
49. In the web interface, select Device > Authentication Profile.
50. Click Add to create a new Authentication Profile.
An Authentication Profile configuration window should appear.
51. Configure the following:
Parameter Value
Name Type gp-authentication-profile
Type Select LDAP from the drop-down list
Server Profile Select lab-active-directory from the drop-down list
User Domain Type lab.local

52. Click the Advanced tab and configure the following:
Parameter Value
Allow List Click Add and select all

53. Click OK to close the Authentication Profile configuration window.


A new Authentication Profile should appear in the web interface.

11.6 Configure the Tunnel Interface


The GlobalProtect client agent software uses a VPN tunnel when it establishes a secure
connection to the gateway, and the firewall uses a logical tunnel interface for encrypting and
decrypting traffic with the client.

54. In the web interface, select Network > Interfaces > Tunnel.
55. Click Add to create a new tunnel interface.
A Tunnel Interface configuration window should appear.
56. Configure the following:
Parameter Value
Interface Name In the text box to the right of tunnel, type 11 (this creates tunnel.11)
Comment Type VPN Tunnel Interface
Virtual Router Select lab-vr from the drop-down list
Security Zone Select inside from the drop-down list

The logical tunnel interface is connected to a virtual router and assigned to a security zone just
as are other interfaces.
57. Click OK to close the Tunnel Interface configuration window.
A new tunnel interface should appear in the web interface.

11.7 Configure the Internal Gateway


Internal gateways can be used for User-ID deployment and host information profile (HIP)
enforcement. They also can be used to encrypt traffic from the client to sensitive internal
resources through a VPN gateway.
58. In the web interface, select Network > GlobalProtect > Gateways.
59. Click Add to create a gateway.
The GlobalProtect Gateway Configuration window should appear.
60. Configure the following:
Parameter Value
Name Type gp-int-gateway

Interface Select ethernet1/2.2 from the drop-down list
IPv4 Address Select 192.168.2.1/24 from the drop-down list

61. Select the Authentication tab and configure the following:


Parameter Value
SSL/TLS Service Select internal-gw from the drop-down list
Profile

62. Locate the Client Authentication list box.


63. Click Add to configure Client Authentication.
The Client Authentication configuration window should appear.
64. Configure the following:
Parameter Value
Name Type lab-ad
OS Verify that Any is selected
Authentication Profile Select gp-authentication-profile from the drop-down list

This area lets you configure different authentication methods for different sets of users based
on the operating system in use for the GlobalProtect client agent software.
65. Click OK to close the Client Authentication configuration window.

66. Click OK to close the GlobalProtect Gateway Configuration window.


A new GlobalProtect gateway should appear in the web interface.

11.8 Configure the External Gateway


In this section you will create the external GlobalProtect gateway.
67. Click Add to create a second gateway.
The external gateway is the VPN gateway that GlobalProtect clients connect to when they are
outside the local network.
68. The GlobalProtect Gateway Configuration window should appear.
69. Configure the following:
Parameter Value
Name Type gp-ext-gateway
Interface Select ethernet1/1 from the drop-down list
IPv4 Address Select 203.0.113.20/24 from the drop-down list

70. Select the Authentication tab and configure the following:
Parameter Value
SSL/TLS Service Profile Select external-gw-portal from the drop-down list

This setting defines the certificates to present to the client when it connects to the gateway.
Remember that we created a single SSL/TLS Service Profile for the portal and for the external
gateway.
71. Locate the Client Authentication list box.
72. Click Add to configure Client Authentication.
The Client Authentication configuration window should appear.
73. Configure the following:
Parameter Value
Name Type lab-ad
OS Verify that Any is selected
Authentication Profile Select gp-authentication-profile from the drop-down list

This section allows you to select different authentication methods (Authentication Profiles)
based on the operating system of client hosts.
74. Click OK to close the Client Authentication list box.

75. Click the Agent tab and configure the following:


Parameter Value
Tunnel Mode Select the check box
Tunnel Interface Select tunnel.11 from the drop-down list
Enable IPSec Verify that the Enable IPSec check box is selected

This section tells the firewall how to establish a tunnel with a client and which interface to use.
76. Click the Client Settings subtab.
77. Click Add to configure.
The Configs configuration window should appear.
78. Click the Config Selection Criteria tab and configure the following:
Parameter Value
Name Type gp-client-config

After a client has been authenticated to establish a VPN with the gateway, these settings define
which IP address and other network elements the GlobalProtect client adapter will use.
79. Click the IP Pools tab and configure the following:
Parameter Value
IP Pool Click Add and type 192.168.100.200-192.168.100.210

The firewall will assign an IP address to each GlobalProtect client from this range of addresses.
80. Click OK to close the Configs window.
The GlobalProtect Gateway configuration window should still be open on the Client Settings
subtab.
81. Click the Network Services subtab and configure the following:
Parameter Value
Primary DNS Type 4.2.2.2
Secondary DNS Type 8.8.8.8

The servers used in the lab are public, but in many cases the DNS servers that are assigned to
the GlobalProtect client adapter will be private, internal DNS hosts. This setting will allow the
client to resolve internal hostnames while connected to the VPN.
82. Click OK to close the GlobalProtect Gateway configuration window.
A new GlobalProtect gateway should appear in the web interface.
83. Verify that your configuration looks like the following:

11.9 Configure the Portal


The GlobalProtect portal provides the management functions for the GlobalProtect
infrastructure. Every endpoint that participates in the GlobalProtect network receives its
configuration from the portal, including information about the available GlobalProtect
gateways and any optional client certificates that might be necessary for the client to connect
to a gateway.
84. In the web interface, select Network > GlobalProtect > Portals.
85. Click Add to create a new portal.
The GlobalProtect Portal configuration window opens.
86. Configure the following:
Parameter Value
Name Type gp-portal
Interface Select ethernet1/1 from the drop-down list
IPv4 Address Select 203.0.113.20/24 from the drop-down list

87. Click the Authentication tab and configure the following:

Parameter Value
SSL/TLS Service Profile Select external-gw-portal from the drop-down list
88. Locate the Client Authentication list box.
89. Click Add to configure Client Authentication.
The Client Authentication configuration window should appear.
90. Configure the following:
Parameter Value
Name Type lab-ad
OS Verify that Any is selected
Authentication Profile Select gp-authentication-profile from the drop-down list

In this section, the portal is configured to authenticate users against the
gp-authentication-profile Authentication Profile, which references our LDAP Server Profile.
91. Click OK to close the Client Authentication list box.
92. Click the Agent tab.
93. Locate Trusted Root CA in the lower-left corner.
94. Click Add and select the GlobalProtect certificate from the drop-down list.

This is the certificate we used to sign the portal certificate and the gateway certificate. By
placing it in this section, we can push this signing certificate down to the client’s trusted
certificate store through the GlobalProtect connection. This CA is at the top of the chain of trust,
so the client host will trust any certificate signed by this one, including the portal and gateway
certificates.
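The chain of trust built in section 11.2 and distributed here can be reproduced outside the firewall. The following Go program is an added example, not part of this lab guide or of PAN-OS: it generates an in-memory CA named GlobalProtect, signs the external-gw-portal (203.0.113.20) and internal-gw (192.168.2.1) certificates with it, and then checks what a client does with a gateway certificate before and after the CA is in its trust store. The names buildGPPKI and clientTrusts, the ECDSA keys, and the one-year validity are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// gpPKI holds the three certificates section 11.2 generates: the self-signed
// "GlobalProtect" CA and the two gateway certificates it signs.
type gpPKI struct {
	CA         *x509.Certificate // Certificate Name: GlobalProtect
	ExtPortal  *x509.Certificate // external-gw-portal, CN 203.0.113.20
	InternalGW *x509.Certificate // internal-gw, CN 192.168.2.1
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer; passing tmpl as its own parent self-signs it.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildGPPKI mirrors steps 22-32: "Signed By" left blank plus the Certificate
// Authority check box for the CA, then "Signed By: GlobalProtect" for each
// gateway certificate. The gateway IP goes in an IP SAN as well as the CN,
// because clients match the address they dialed against the SAN.
func buildGPPKI() *gpPKI {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(365*24*time.Hour)
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "GlobalProtect"},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	gateway := func(serial int64, ip string) *x509.Certificate {
		key := newKey() // each gateway certificate has its own key pair
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: ip},
			IPAddresses: []net.IP{net.ParseIP(ip)},
			NotBefore:   notBefore, NotAfter: notAfter,
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return issue(tmpl, ca, &key.PublicKey, caKey)
	}
	return &gpPKI{CA: ca, ExtPortal: gateway(2, "203.0.113.20"), InternalGW: gateway(3, "192.168.2.1")}
}

// clientTrusts is the check the GlobalProtect agent performs when it connects:
// does the server certificate chain to a root in the client's trust store, and
// was it issued for the address that was dialed? A nil roots pool models a
// client that has not yet received the CA through the portal's Trusted Root CA
// setting, which is the "Server Certificate Error" seen in section 11.14.
func clientTrusts(server *x509.Certificate, roots *x509.CertPool, dialedAddr string) bool {
	if roots == nil {
		roots = x509.NewCertPool()
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dialedAddr, // an IP literal here is matched against IP SANs
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	p := buildGPPKI()
	trusted := x509.NewCertPool()
	trusted.AddCert(p.CA) // what the portal pushes as Trusted Root CA
	fmt.Println("portal cert, CA trusted:    ", clientTrusts(p.ExtPortal, trusted, "203.0.113.20"))
	fmt.Println("portal cert, CA not trusted:", clientTrusts(p.ExtPortal, nil, "203.0.113.20"))
	fmt.Println("portal cert at internal gw: ", clientTrusts(p.ExtPortal, trusted, "192.168.2.1"))
}
```

The last check shows why the lab needs a separate internal-gw certificate: a certificate issued for 203.0.113.20 is rejected for 192.168.2.1 even though the same CA signed it.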
95. Locate the Agent list box:

96. Click Add to configure Agent.


The Configs configuration window should appear.
97. Click the Authentication tab and configure the following:
Parameter Value
Name Type portal-agent-config

98. Click the Internal tab.


99. Select the Internal Host Detection IPv4 check box.
100. Configure the following:
Parameter Value
IP Address Type 192.168.2.1

Hostname Type gp-int-gw.lab.local

When the client is inside the network, a reverse DNS lookup for 192.168.2.1 will resolve to
gp-int-gw.lab.local. If that lookup is successful, the GlobalProtect client will connect to an
internal gateway. If that reverse lookup fails (or returns a name other than gp-int-gw.lab.local),
the GlobalProtect client will connect to an external gateway.
101. Locate the Internal Gateways list box and click Add to configure:

The Internal Gateway configuration window should appear.

102. Configure the following:
Parameter Value
Name Type int-gw-1
Address Select the IP radio button
IPv4 Type 192.168.2.1

103. Click OK to close the Internal Gateway configuration window.


104. Click the External tab.
105. Locate the External Gateways list box and click Add to configure.
The External Gateway configuration window should appear.
106. Configure the following:
Parameter Value
Name Type ext-gw-1
Address Select the IP radio button
IPv4 Type 203.0.113.20

107. Locate the Source Region list box and click Add to configure the following:
Parameter Value
Source Region Select Any from the drop-down list
Priority Verify that Highest is selected

The Source Region setting lets you prioritize which external gateway a client connects to,
based on the geographic region of the client’s IP address. We have only a single external
gateway, so we set Source Region to Any so that all clients connect to this gateway, regardless
of their IP address.
108. Click OK to close the External Gateway configuration window.
109. Click OK to close the Configs configuration window.
110. Click OK to close the GlobalProtect Portal configuration window.
A new GlobalProtect portal should appear in the web interface. Click the plus icon to expand
the entry and verify that your configuration looks like the following screenshot:

11.10 Host the GlobalProtect Agent on the Portal


To make the process of obtaining and installing the GlobalProtect agent software easier for users,
you will download a specific version and activate it on the portal. Activation of the GlobalProtect
Agent software allows users to connect to a webpage on the portal and download the appropriate
version of the client software for their host operating system.
111. In the web interface, select Device > GlobalProtect Client.
112. Click Check Now at the bottom of the page.
The Palo Alto Networks firewall checks for the latest version of the GlobalProtect agent.
113. Locate version 5.0.0 of GlobalProtect.
Even if a newer version of the client software is listed, be sure to use version 5.0.0.

114. Click Download in the Action column:

After a new version of the GlobalProtect client software is released, you can download it
through this interface and activate it. Any users currently running an older version of the
GlobalProtect software will be upgraded to the new version when they connect to the portal.
A Download GlobalProtect Client status window should appear. Do not continue until the
download has completed successfully.

115. Click Close to close the status window.


116. Click Activate in the Action column.
117. Click the Yes button to close the Activate GlobalProtect Client version message:

An Activate GlobalProtect Client message should appear that shows the client package was
successfully activated.
118. Click Close to close the Activate GlobalProtect Client status message.

11.11 Create a Security Policy Rule


119. In the web interface, select Policies > Security.

120. Select the egress-outside Security policy rule.
The Security Policy Rule configuration window should appear.
121. Configure the following:
Parameter Value
Name Rename the policy to inside-portal
Audit Comment Type Created GlobalProtect inside portal Security policy rule on <date> by <Your-Role>

122. Click the Destination tab and configure the following:


Parameter Value
Destination Address Click Add and type 203.0.113.20

123. Click the Service/URL Category tab and configure the following:
Parameter Value
Service Select any from the drop-down list

124. Click OK to close the Security Policy Rule configuration window.

11.12 Create a No-NAT Rule


All traffic from the inside zone to the outside zone uses source NAT. In this section, you will
create a new NAT policy rule so that internal requests for the GlobalProtect portal
(203.0.113.20) will not get their address translated by the “source-egress-outside” rule. The
new NAT policy rule must be matched before the “source-egress-outside” rule, so you will
place it at the top of the NAT policy.

125. In the web interface, select Policies > NAT.
126. Click Add to create a new source NAT policy rule.
The NAT Policy Rule configuration window should appear.
127. Configure the following:
Parameter Value
Name Type gp-portal-no-nat
Tags Select internal from the drop-down list
Group Rules By Tag Select internal from the drop-down list
NAT Type Verify that ipv4 is selected
Audit Comment Type Created GlobalProtect no NAT policy rule on <date> by <Your-Role>

128. Click the Original Packet tab and configure the following:
Parameter Value
Source Zone Click Add and select inside from the drop-down list
Destination Zone Select outside from the drop-down list
Destination Interface Select ethernet1/1 from the drop-down list
Destination Address Click Add and type 203.0.113.20

129. Select the Translated Packet tab and verify that the Translation Type for Source
Address Translation and Destination Address Translation are set to None.
This rule instructs the firewall to not perform network address translation of any kind for traffic
from the inside zone that has a destination address of 203.0.113.20 in the outside zone, which is
the IP address of the GlobalProtect portal and of the external gateway.
130. Click OK to close the NAT Policy Rule configuration window.
A new NAT policy rule should appear in the web interface.
131. Select but do not open the gp-portal-no-nat NAT policy rule.
132. Click Move and select Move Top:

Traffic that is not destined for the portal IP address (203.0.113.20) will be translated by the
“source-egress-outside” rule.
133. Commit all changes.
Note: A warning might appear about IPv6 not being enabled on the tunnel interface. You can
safely ignore it.
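Why step 132 (Move Top) matters can be seen by evaluating the NAT policy the way the firewall does, top to bottom with the first match winning. The Go program below is an added example, not part of this lab guide or of PAN-OS; it models only the Original Packet criteria the lab sets (zones, destination interface, destination address) and assumes the pre-existing source-egress-outside rule matches any inside-to-outside destination, as the section text states. The type and function names are this example's own.

```go
package main

import (
	"fmt"
	"net/netip"
)

// natRule is the part of a PAN-OS NAT policy rule that section 11.12 sets:
// the Original Packet match criteria and whether the Translated Packet
// applies source translation.
type natRule struct {
	Name         string
	SrcZone      string
	DstZone      string
	DstInterface string       // "" matches any destination interface
	DstAddr      netip.Prefix // 0.0.0.0/0 matches any destination address
	TranslateSrc bool         // false reproduces Translation Type: None
}

// packet is the original (pre-NAT) packet the firewall evaluates.
type packet struct {
	SrcZone, DstZone, DstInterface string
	Dst                            netip.Addr
}

func (r natRule) matches(p packet) bool {
	return r.SrcZone == p.SrcZone && r.DstZone == p.DstZone &&
		(r.DstInterface == "" || r.DstInterface == p.DstInterface) &&
		r.DstAddr.Contains(p.Dst)
}

// firstMatch evaluates the NAT policy top to bottom and returns the first
// matching rule, which is how PAN-OS selects a NAT rule; later rules with
// overlapping criteria are never reached (they are "shadowed").
func firstMatch(policy []natRule, p packet) (natRule, bool) {
	for _, r := range policy {
		if r.matches(p) {
			return r, true
		}
	}
	return natRule{}, false
}

// labPolicy builds the two rules from the lab. gpNoNatOnTop=true is the
// order after step 132 (Move Top); false is the order before it.
func labPolicy(gpNoNatOnTop bool) []natRule {
	noNat := natRule{
		Name: "gp-portal-no-nat", SrcZone: "inside", DstZone: "outside",
		DstInterface: "ethernet1/1", DstAddr: netip.MustParsePrefix("203.0.113.20/32"),
		TranslateSrc: false,
	}
	egress := natRule{ // pre-existing source NAT for all inside-to-outside traffic
		Name: "source-egress-outside", SrcZone: "inside", DstZone: "outside",
		DstAddr: netip.MustParsePrefix("0.0.0.0/0"), TranslateSrc: true,
	}
	if gpNoNatOnTop {
		return []natRule{noNat, egress}
	}
	return []natRule{egress, noNat}
}

// ruleFor returns the name of the rule that handles an inside-to-outside
// packet to dst via ethernet1/1, and whether its source would be translated.
func ruleFor(gpNoNatOnTop bool, dst string) (string, bool) {
	p := packet{SrcZone: "inside", DstZone: "outside", DstInterface: "ethernet1/1",
		Dst: netip.MustParseAddr(dst)}
	r, ok := firstMatch(labPolicy(gpNoNatOnTop), p)
	if !ok {
		return "", false
	}
	return r.Name, r.TranslateSrc
}

func main() {
	for _, top := range []bool{false, true} {
		for _, dst := range []string{"203.0.113.20", "8.8.8.8"} {
			name, xlate := ruleFor(top, dst)
			fmt.Printf("no-nat on top=%-5v dst=%-13s rule=%-22s translated=%v\n", top, dst, name, xlate)
		}
	}
}
```

With gp-portal-no-nat below source-egress-outside, portal traffic is still translated because the broader rule matches first; only the Move Top order gives the result step 129 describes.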

11.13 Download the GlobalProtect Agent


134. On your desktop, open a new browser window in private/incognito mode and browse to
https://203.0.113.20.
Proceed past the certificate error.

After a few minutes, the GlobalProtect Portal login page is presented:

135. Log in with the following:


Parameter Value
Username lab-user
Password Pal0Alt0
136. Download the Windows 64-bit MSI install file and use it to install the 64-bit
GlobalProtect agent:

This is the version of the client software that you downloaded and activated under Device >
GlobalProtect Client.
137. After the GlobalProtect Agent has been successfully installed, close all browser windows
except for the firewall web interface.

11.14 Connect to the External Gateway


138. Click the GlobalProtect agent in the Windows desktop system tray:

Note: The GlobalProtect agent may take a minute or two to open.
139. In the Welcome to GlobalProtect box, enter 203.0.113.20 as the portal address:

140. Click Connect to connect to GlobalProtect:


You will see a warning message about the certificate.

141. Click Continue to close the Server Certificate Error message:

The GlobalProtect login screen should appear.


142. Log in with the following:
Parameter Value
Username lab-user
Password Pal0Alt0
143. Click the Gear icon in the top right corner and select Settings from the drop-down list.

After a moment, the status should update to Connected.

144. Click the Connection tab in the GlobalProtect window.
Notice the gateway is listed as 203.0.113.20, the gateway type is External, and a tunnel is
established:

145. Click the Troubleshooting tab and select the Network Configuration radio button.
Notice that the IP assigned is the first in the IP pool specified on the external gateway:

146. Close the GlobalProtect Settings window.

11.15 View the User-ID Information


147. On the Windows desktop, double-click the PuTTY icon.
148. Double-click firewall-management.
149. Log in with the following:
Parameter Value
Username admin
Password admin
150. Type the command show user ip-user-mapping all.
The IP addresses for lab-user have been updated to include the tunnel IP address. Notice that
the From column lists GP (GlobalProtect):

GlobalProtect is one of the ways that you can provide username and IP address mappings to the
firewall for User-ID. For more information about User-ID, see the “User-ID” module in this
course.
151. Type exit to close the PuTTY session.

11.16 Disconnect the Connected User


You can manually disconnect a user from a GlobalProtect gateway. In some cases, disconnecting
a user and having the user attempt to reconnect can be useful if you are troubleshooting client
connections to a specific gateway.
152. In the web interface, select Network > GlobalProtect > Gateways.
153. Click Remote Users to the far right of the gp-ext-gateway:

The User Information–gp-ext-gateway configuration window should appear.

154. Click to disconnect the lab-user:

155. Click Close to close the User Information–gp-ext-gateway window.
156. Click the GlobalProtect agent icon in the Windows desktop system tray.
157. Click the Gear icon in the top right corner and select Disable from the drop-down list:

11.17 Configure a DNS Proxy


DNS servers resolve a hostname to an IP address and vice versa. When you configure the
firewall as a DNS proxy, the firewall acts as an intermediary between DNS clients and DNS
servers, and as a DNS server by resolving queries from its DNS cache or forwarding queries
to other DNS servers. Configuration of the firewall to be a DNS proxy is required so that
GlobalProtect internal host detection works correctly.
158. In the web interface, select Network > DNS Proxy.

159. Click Add to create a new DNS Proxy.
The DNS Proxy configuration window should appear.
160. Configure the following:
Parameter Value
Name Type gp-dns-proxy
Interface Click Add and select ethernet1/2 from the drop-down list
Primary Type 4.2.2.2
Secondary Type 8.8.8.8

161. Click the Static Entries tab.


162. Click Add to create a new Static Entry.
The Static Entries configuration window should appear.
163. Configure the following:
Parameter Value
Name Type Internal Host Detection
FQDN Type gp-int-gw.lab.local
Address Click Add and type 192.168.2.1

164. Click OK to close the Static Entries window.

165. Click OK to close the DNS Proxy window.
166. Commit all changes.
167. On the Windows desktop, double-click the lab folder and then the bat files folder.
168. Right-click the set-dns-proxy.bat batch file and select Run as administrator.
You may see a User Account Control window appear that requests permissions to make changes
to this computer. If this message appears, click Yes to continue.
Allow the batch file to run and then press any key to continue.
We are using this batch file to change the workstation’s DNS server to the DNS proxy service on
the firewall. After the workstation’s DNS server is changed, when the GlobalProtect client
software performs the reverse DNS lookup used for internal host detection, the hostname
gp-int-gw.lab.local is resolved to 192.168.2.1. This entry matches the Internal Host Detection
configuration that tells the client software to connect to an internal GlobalProtect gateway.
169. On the Windows desktop, right-click the CMD icon and select Run as administrator.
170. Type the command ipconfig /all.
171. Verify that the current DNS server is 192.168.1.1 (the DNS proxy on the firewall):

Note: Do not continue if the DNS server is not 192.168.1.1. Contact the instructor.

11.18 Connect to the Internal Gateway


172. Double-click the GlobalProtect agent in the Windows desktop system tray and click
Enable:

After a moment, the status should update to Connected - Internal:

173. Click the Gear icon in the top right corner and select Settings from the drop-down list:

174. Click the Connection tab in the GlobalProtect Settings window:

Notice that the Authenticated column now displays Yes for int-gw-1.
175. Close the GlobalProtect Settings window.
176. Click the GlobalProtect agent icon in the Windows desktop system tray.
177. Click the Gear icon in the top-right corner and select Disable from the drop-down list:

11.19 Reset the DNS
178. On the Windows desktop, double-click the lab folder and then the bat files folder.
179. Right-click the remove-dns-proxy.bat batch file and select Run as administrator.
A User Account Control window may appear that requests permissions to make changes to this
computer. If this message appears, click Yes to continue.
Allow the batch file to run and then press any key to continue.
Be sure you run this batch file and that you run it as Administrator! If you do not, your
workstation will not be able to access the internet for subsequent labs.
180. From the Windows Start menu, navigate to Control Panel > Programs and Features:

181. Highlight GlobalProtect and click Uninstall:

182. Close the Programs and Features window after GlobalProtect has been successfully
uninstalled.
183. On the Windows desktop, right-click the CMD icon, and select Run as administrator.
184. Type the command ipconfig /all.
185. Verify that the current DNS server is 127.0.0.1:

Note: Do not continue if the DNS server is anything other than 127.0.0.1. Contact the instructor.

Stop. This is the end of the GlobalProtect lab.

12. Lab: Site-to-Site VPN

Lab Objectives
• Create and configure a tunnel interface to use in the site-to-site VPN connection.
• Configure the IKE gateway and IKE Crypto Profile.
• Configure the IPsec Crypto Profile and IPsec tunnel.
• Test connectivity.

12.0 Load a Lab Configuration


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.

3. Click the drop-down list next to the Name text box and select edu-210-lab-12.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers:

4. Click OK to close the Load Named Configuration window.


A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:

A Commit window should appear.


7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
8. Click Close to continue.

12.1 Configure the Tunnel Interface


9. In the web interface, select Network > Interfaces.
10. Click the Tunnel tab.
11. Click Add to configure a tunnel interface:
Parameter Value

Interface Name In the text box to the right of tunnel, type 12

Comment Type Tunnel to DMZ

Virtual Router Select lab-vr from the drop-down list

Security Zone Create and assign a new Layer 3 zone named VPN

12. Click the IPv4 tab and configure the following:
Parameter Value

IP Click Add and type 172.16.2.10/24

13. Click the Advanced tab and configure the following:


Parameter Value

Management Profile Select ping from the drop-down list

14. Click OK to close the Tunnel Interface configuration window.

12.2 Configure the IKE Gateway


15. In the web interface, select Network > Network Profiles > IKE Gateways.
16. Click Add to create the IKE gateway.
The IKE Gateway configuration window should appear.
17. Configure the following:
Parameter Value
Name Type dmz-ike-gateway
Version Verify that IKEv1 only mode is selected
Interface Select ethernet1/3 from the drop-down list
Local IP Address Select 192.168.50.1/24 from the drop-down list
Peer IP Address Type Verify that the IP radio button is selected
Peer Address Type 192.168.50.10
Pre-shared Key Type paloalto

18. Click the Advanced Options tab.
19. On the IKEv1 subtab configure the following:
Parameter Value
IKE Crypto Profile
Select
The IKE Crypto Profile configuration window should appear.
20. Configure the following:
Parameter Value
Name Type AES256-DH2-SHA2
DH Group Click Add and select Group 2 from the drop-down list
Authentication Click Add and select sha256 from the drop-down list
Encryption Click Add and select aes-256-cbc from the drop-down list

21. Click OK to close the IKE Crypto Profile configuration window.
22. Click OK to close the IKE Gateway configuration window.
A new IKE gateway should appear in the web interface.

12.3 Create an IPSec Crypto Profile


23. In the web interface, select Network > Network Profiles > IPSec Crypto.
24. Click Add to open the IPSec Crypto Profile configuration window.
The IPSec Crypto Profile configuration window should appear.
25. Configure the following:
Parameter Value
Name Type AES256-SHA256
IPSec Protocol Verify that ESP is selected
Encryption Click Add and select aes-256-cbc from the drop-down list
Authentication Click Add and select sha256 from the drop-down list
DH Groups Verify that group2 is selected

26. Click OK to close the IPSec Crypto Profile configuration window.
A new IPsec Crypto Profile should appear in the web interface.

12.4 Configure the IPsec Tunnel


27. In the web interface, select Network > IPSec Tunnels.
28. Click Add to define the IPSec Tunnel.
The IPSec Tunnel configuration window should appear.
29. On the General tab:
Parameter Value
Name Type dmz-tunnel
Tunnel Interface Select tunnel.12 from the drop-down list
Type Verify that the Auto Key radio button is selected
Address Type Verify that the IPv4 radio button is selected
IKE Gateway Select dmz-ike-gateway from the drop-down list
IPSec Crypto Profile Select AES256-SHA256 from the drop-down list
Show Advanced Options Select the check box
Tunnel Monitor Select the check box
Destination IP Type 172.16.2.11
Profile Verify that None is selected

30. Click the Proxy IDs tab.
31. Click Add and configure the following:
Parameter Value
Proxy ID Type dmz-tunnel-network
Local Type 192.168.1.0/24
Remote Type 172.16.2.0/24
Protocol Verify that Any is selected

32. Click OK to close the Proxy ID configuration window.


33. Click OK to close the IPSec Tunnel configuration windows:

A new IPsec tunnel should appear in the web interface.
34. Commit all changes.

12.5 Test the Connectivity


35. In the web interface, select Network > IPSec Tunnels:

A red Status column indicator on the VPN tunnel means that the VPN tunnel is not connected.

36. Refresh the Network > IPSec Tunnels page.


The Status column indicator now is green, which means that the VPN tunnel is connected:

37. In the web interface, select Monitor > Logs > System.
38. Review the VPN log entries:

39. On the Windows desktop, double-click the PuTTY icon.


40. Double-click firewall-management:

41. Log in using the following information:
Parameter Value
Name admin
Password admin
42. After the VPN tunnel is connected, type the following CLI commands and observe the
output:
show vpn ike-sa
show vpn ipsec-sa tunnel dmz-tunnel:dmz-tunnel-network
show vpn flow name dmz-tunnel:dmz-tunnel-network
show running tunnel flow
43. Type exit to close the PuTTY window.
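A tunnel that stays red in the Status column usually comes down to a Phase 1 or Phase 2 proposal mismatch or proxy IDs that do not mirror each other. The following Python script is an added example, not part of the lab guide or of PAN-OS: it takes the Lab 12 crypto profile and proxy ID values, compares them with a constructed remote peer configuration (one good, one with a non-matching DH group) and reports which component blocks negotiation.

```python
"""Added example (not from the lab guide or PAN-OS): check whether two
IKE/IPsec peers can agree on crypto settings and proxy IDs for the
Lab 12 site-to-site tunnel. Local values come from the lab; the remote
peer's values are constructed to show one good and one failing case."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoProfile:
    """Algorithm sets as configured in an IKE or IPsec Crypto Profile."""
    encryption: frozenset
    authentication: frozenset
    dh_groups: frozenset


@dataclass(frozen=True)
class ProxyId:
    local: str
    remote: str
    protocol: str = "any"


def negotiate(local: CryptoProfile, peer: CryptoProfile):
    """Intersect the two proposals. Returns (ok, common) where an empty
    set in `common` names the component that blocks negotiation."""
    common = {
        "encryption": local.encryption & peer.encryption,
        "authentication": local.authentication & peer.authentication,
        "dh_groups": local.dh_groups & peer.dh_groups,
    }
    return all(common.values()), common


def proxy_ids_match(local: ProxyId, peer: ProxyId) -> bool:
    """Proxy IDs must be mirror images: our local is the peer's remote."""
    net = ipaddress.ip_network
    return (net(local.local) == net(peer.remote)
            and net(local.remote) == net(peer.local)
            and local.protocol == peer.protocol)


def is_tunneled(proxy: ProxyId, src: str, dst: str) -> bool:
    """True if a src->dst packet falls inside the proxy ID, i.e. is sent through the tunnel."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(proxy.local)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(proxy.remote))


# Lab 12 values: AES256-DH2-SHA2 (IKE) and AES256-SHA256 (IPsec, ESP with group2)
LAB_IKE = CryptoProfile(frozenset({"aes-256-cbc"}), frozenset({"sha256"}), frozenset({"group2"}))
LAB_IPSEC = CryptoProfile(frozenset({"aes-256-cbc"}), frozenset({"sha256"}), frozenset({"group2"}))
LAB_PROXY = ProxyId("192.168.1.0/24", "172.16.2.0/24")

# Constructed remote-peer configurations (assumptions, not from the lab)
PEER_OK = CryptoProfile(frozenset({"aes-256-cbc", "aes-128-cbc"}),
                        frozenset({"sha256", "sha1"}), frozenset({"group2", "group14"}))
PEER_BAD_DH = CryptoProfile(frozenset({"aes-256-cbc"}), frozenset({"sha256"}), frozenset({"group14"}))
PEER_PROXY = ProxyId("172.16.2.0/24", "192.168.1.0/24")


def check_tunnel(ike_peer, ipsec_peer, proxy_peer):
    """Summarise the checks a tunnel-down troubleshooting session walks through."""
    p1_ok, p1 = negotiate(LAB_IKE, ike_peer)
    p2_ok, p2 = negotiate(LAB_IPSEC, ipsec_peer)
    return {
        "phase1": p1_ok, "phase1_missing": [k for k, v in p1.items() if not v],
        "phase2": p2_ok, "phase2_missing": [k for k, v in p2.items() if not v],
        "proxy_ids": proxy_ids_match(LAB_PROXY, proxy_peer),
    }


if __name__ == "__main__":
    print(check_tunnel(PEER_OK, PEER_OK, PEER_PROXY))
    print(check_tunnel(PEER_BAD_DH, PEER_OK, PEER_PROXY))
```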

Stop. This is the end of the Site-to-Site VPN lab.

13. Lab: Monitoring and Reporting
Lab Objectives
• Explore the Session Browser, App-Scope, and Application Command Center (ACC).
• Investigate traffic via the ACC and logs.
• Generate a User Activity report.
• Create a Custom report.
• Create a Report group.
• Configure an email schedule.

13.0 Load a Lab Configuration


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.


3. Click the drop-down list next to the Name text box and select edu-210-lab-13.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers:

4. Click OK to close the Load Named Configuration window.


A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:

A Commit window should appear.

7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
8. Click Close to continue.

13.1 Generate Traffic


Note: The metrics displayed in the lab screenshots may differ from the metrics displayed on
your lab firewall.
In this section, you will prepopulate the firewall with log entries and usernames that you can
observe and investigate in this lab.
9. On the Windows desktop, open PuTTY and double-click traffic-generator.
10. Enter the following information when prompted:
Parameter Value
Password Pal0Alt0
11. In the PuTTY window, type the command sh /tg/traffic.sh.
Note: After you execute the command, wait until the script finishes before proceeding to the
next step.
12. Type exit to close the PuTTY window.

13.2 Explore the Session Browser


The Session Browser enables you to browse and filter current running sessions on the firewall.
13. In the web interface, select Monitor > Session Browser to see any current sessions.
You might be able to see simulated sessions from the generated traffic. Notice that there is no
Source User column.
14. Clear any existing filters.
15. Click the icon at the upper right of the window to open the Filters pane.
16. Type lab\jamie in the From User field:

17. Click .
18. Notice that, even though there is no Source User column, you still can search for the
From User.
Note: You also can search for To User.
If a search for the user lab\jamie does not produce results, the session most likely has not
completed and you will need to rerun the traffic generator from Step 11.

19. Locate a salesforce-base entry and click the Plus icon on the left to expand the display.
20. Notice the three sections labeled Detail, Flow 1, and Flow 2.
21. The Detail section shows various items of information.
Your information may look different. Important items that can help when troubleshooting are
Session ID, Application, Security Rule, QoS Rule, and QoS Class:

Notice c2s (client to server) and s2c (server to client) in Flow 1 and Flow 2:

These flows provide information about the request and response traffic.
You can end an active session by clicking the X icon at the far right of a session row:

13.3 Explore the App Scope Reports


App Scope reports help you to quickly see if any application behavior is unusual or unexpected,
which helps you to identify problematic behavior. Each report provides a dynamic, user-
customizable window into the network. Long-term trends are difficult to represent in a lab
environment. However, knowledge about where to look is important for finding potential issues.
22. In the web interface, select Monitor > App Scope > Summary.
The Summary report displays charts for the top five gainers, losers, bandwidth-consuming Apps,
bandwidth-consuming source, App categories, and threats.
23. In the web interface, select Monitor > App Scope > Change Monitor.

The Change Monitor report displays changes over a specified time period. For example, the
following figure displays the top applications that gained in use over the last hour as compared
with the last 24-hour period. The top applications are determined by session count and are
sorted by percentage.

The type of information displayed can be controlled from the menu bar at the top of the
window. The displayed graph can be exported as a PDF or PNG:

You can change the time period at the bottom of the screen:

24. In the web interface, select Monitor > App Scope > Threat Monitor.
The Threat Monitor report displays a count of the top threats over the selected time period. By
default, the figure shows the top 10 threat types for the past six hours.
You can filter the type of threat at the top of the screen:

The time period (shown at the bottom of the screen) can be changed to the Last 6 hours, Last
12 hours, Last 24 hours, Last 7 days, or Last 30 days:

25. In the web interface, select Monitor > App Scope > Threat Map.
The Threat Map report shows a geographical view of threats, including severity.
26. Click Last 30 Days at the bottom of the screen.
27. At the top of the screen, click Outgoing Threats.
You now should see the geographical locations with threats and their average risk level.

28. Click a geographical location that has a dot showing the threats from the firewall (for
example, Malaysia):

The ACC opens with a global filter referencing Malaysia (MY) or the geographical location you
clicked:

29. Click to clear the Global Filters.


30. In the web interface, select Monitor > App Scope > Network Monitor.

The Network Monitor report displays the bandwidth dedicated to different network functions
over the specified period of time. Each network function is color-coded, as indicated in the
legend below the chart. For example, the following diagram shows application bandwidth for
the past six hours based on session information.

31. Click the icon to display the information by Session Count and not Bytes:

Note: As is standard in all App Scope graph items, you can click an application color to switch
your view in the web interface to the ACC tab.
32. In the web interface, select Monitor > App Scope > Traffic Map.
33. Change the view to show the Last 7 days by clicking the option at the bottom of the
screen:

34. Click Outgoing Traffic at the top of the screen.


The Traffic Map report shows a geographical view of traffic flows according to sessions or flows:

13.4 Explore the ACC
The ACC is an analytical tool that provides useful intelligence about the activity within your
network. The ACC uses the firewall logs to graphically depict traffic trends on your network.
35. Click the ACC tab.
36. Click the Time drop-down list and select Last 7 Days:

37. Explore the information available on the Network Activity tab.


The Network Activity tab displays an overview of traffic and user activity on your network. It
focuses on the top applications being used; the top users who generate traffic with detailed
information about the bytes, content, threats, or URLs accessed by the user; and the most used
security rules against which traffic matches occur:

Notice that in every pane you can display data by bytes, sessions, threats, content, URLs, and
users:

38. Select the users option in the Application Usage widget.


Notice how the application use seems more consistent across all colors versus bytes:

This information indicates that one application does not supersede any other application in
overall use by users.
39. Select threats in the Application Usage widget:

Given the displayed information, what is the primary source of threats in this environment?
(Your results may differ from what is shown.)
40. Focus your attention on the User Activity widget.
Which user consumed the most bandwidth in the past seven days?

The graph in the example shows that Jamie has consumed the most bandwidth. Your user might
be different.
41. Focus your attention on the bottom-right Policy Optimizer widget.
42. Select the sessions radio button.
Which Security policy rule has been used the most?

The displayed information in the example shows that the most active rule based on session
count is “egress-outside.” Your results may differ.
43. Click the Threat Activity tab:

The Threat tab displays an overview of the threats on the network. It focuses on the top threats:
vulnerabilities, spyware, viruses, hosts visiting malicious domains or URLs, top WildFire
submissions by file type and application, and applications that use non-standard ports:

Notice that some informational entries might not be useful.
44. Locate Global Filters on the left side of the ACC.
45. Click the icon and go to Threat > Severity and add critical and medium to the
Global Filters:

Notice that the graph updates to display only critical and medium severities.
46. Scroll down to the bottom right and notice the Rules Allowing Apps On NonStandard Ports widget:

This pane is helpful for identifying rules that need to enforce the application-default service
setting.

13.5 Investigate the Traffic


47. In the web interface, select Monitor > Logs > Threat.
48. Clear any existing filters and type (severity neq informational) into the log
filter text box and press Enter.
Locate an entry referencing the source user sally and see which threat type and filename is
associated with user sally:

49. Click the ACC tab.


50. Select the Network Activity tab.
51. Remove any existing global filters, and ensure that the Time drop-down list is Last 7
Days:

52. Move to the User Activity pane.


53. Use the left-arrow to promote sally to a Global Filter:

If sally is not available, you can perform the same tasks with similar results using a different
user.
54. Ensure that sally was promoted to a Global Filter:

Notice that all window panes have updated to show only information based on sally:

Which traffic in the displayed information is associated with sally? In the example, sally is shown
to be associated only with SMTP traffic, which could indicate a possible infection and lateral
movement.
55. Scroll down and locate the Destination Regions pane.

Notice that this is an internal network, which could indicate that sally is using corporate e-mail
and not an external source, or that there might be a rogue SMTP relay:

56. Scroll down to the Policy Optimizer pane.


Notice that only one rule allowed this traffic. In a production environment, you should inspect
this rule to ensure that it is operating as intended. For example, should the rule allow SMTP? If
not, is this a rogue SMTP relay?

57. Scroll to the upper-left Application Usage pane.


58. Click the Jump to Logs icon and select Traffic Log:

Notice that the web interface switched views to the Traffic log with a predefined filter.
59. Select the Detailed Log view icon.
At the bottom of the Detailed Log view should be the associated threat entries:

60. Click the ACC tab.


61. On the User Activity pane, click the Jump to Logs icon and select the Unified Log:

Notice that the Traffic and Threat logs now are in one unified display, which can help correlation
activities.

13.6 Generate a User Activity Report


The firewall can generate reports that summarize the activity of individual users or user groups.
62. In the web interface, select Monitor > PDF Reports > User Activity Report.
The User Activity Report configuration window should appear.
63. Click Add to define a new user activity report:
Parameter Value
Name Type mark
Type Verify that the User radio button is selected
Username / IP Address Type lab\mark
Time Period Select Last 7 days from the drop-down list

64. Click Run Now.
65. Click the Download User Activity Report link and open the report when it finishes:

66. Browse through the report to get familiar with the presented information.
You also can include detailed browsing history that will include an approximate time a user
spends on a website (this information is not available when a group is specified instead of an
individual user).
67. If a new browser tab was opened to display the report, close the browser tab.
68. Click Cancel to close the User Activity Report window.
69. Click OK to close the User Activity Report configuration window.
The new User Activity report should appear in the web interface.

13.7 Create a Custom Report


70. In the web interface, select Monitor > Manage Custom Reports.
71. Click Add to define a new Custom Report.
The Custom Report configuration window should appear.

72. Configure the following:
Parameter Value
Name Rename to top-applications
Database Select Summary Databases > Traffic from the drop-down
list
Time Frame Select Last 7 Days from the drop-down list
Sort By Select Sessions and Top 10 from the drop-down list
Group By Select Application and 10 Groups from the drop-down list
Selected Columns

73. Click OK to save the Custom Report window.


The new Custom report should appear in the web interface.
74. Click the top-applications report to reopen the Custom Report window.
The Custom Report configuration window should appear.

75. Click Run Now to generate the report.
The report will appear in a new tab in the browser window:

76. Close the top-applications tab containing the report.


77. On the Report Setting tab, create the following query using the Query Builder: (rule
eq egress-outside) and (addr.src in 192.168.1.30)

78. Click Run Now to run the report again with the new query:

79. Click to save the report as a PDF.


You might need to disable your browser's pop-up blocker.
80. Click OK to close the Custom Report window.
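Both the Threat log filter in Step 48, (severity neq informational), and the custom report query in Step 77, (rule eq egress-outside) and (addr.src in 192.168.1.30), use the same filter syntax. The following Python script is an added example, not part of the lab guide or of PAN-OS: it parses expressions of that form (parentheses, and/or, eq/neq/in) and runs them over constructed log records, so you can see exactly which entries each query keeps. The records and the rule names other than egress-outside are assumptions; treating in as IP/subnet containment is also an assumption that covers the addr.* fields used here.

```python
"""Added example (not part of the lab guide or PAN-OS): a small evaluator
for log-filter expressions in the form used in Lab 13, such as
(severity neq informational) or
(rule eq egress-outside) and (addr.src in 192.168.1.30),
run over constructed log records rather than real firewall logs."""
import ipaddress
import re

_TOKEN = re.compile(r"\(|\)|[^\s()]+")


class LogFilter:
    """Recursive-descent parser: 'and' binds tighter than 'or'; parentheses
    group. Operators: eq, neq, in (in = IP/subnet containment, an assumption
    that is adequate for the addr.* fields used in this lab)."""

    def __init__(self, expression: str):
        self._toks = _TOKEN.findall(expression)
        self._pos = 0
        self.ast = self._or()
        if self._pos != len(self._toks):
            raise ValueError(f"unexpected token {self._toks[self._pos]!r}")

    def _peek(self):
        return self._toks[self._pos] if self._pos < len(self._toks) else None

    def _take(self):
        if self._pos >= len(self._toks):
            raise ValueError("unexpected end of filter")
        tok = self._toks[self._pos]
        self._pos += 1
        return tok

    def _or(self):
        node = self._and()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._atom()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._atom())
        return node

    def _atom(self):
        if self._peek() == "(":
            self._take()
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = self._take(), self._take(), self._take()
        if op not in ("eq", "neq", "in"):
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", field, op, value)

    def matches(self, record: dict) -> bool:
        return self._eval(self.ast, record)

    def _eval(self, node, rec):
        if node[0] == "and":
            return self._eval(node[1], rec) and self._eval(node[2], rec)
        if node[0] == "or":
            return self._eval(node[1], rec) or self._eval(node[2], rec)
        _, field, op, value = node
        actual = rec.get(field)
        if actual is None:          # a record without the field never matches
            return False
        if op == "in":
            return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
        return (str(actual) == value) if op == "eq" else (str(actual) != value)


def apply_filter(expression: str, records):
    """Return the records that match, the way the log viewer narrows its list."""
    flt = LogFilter(expression)
    return [r for r in records if flt.matches(r)]


# Constructed sample log records modelled on the Lab 13 traffic (not real logs)
SAMPLE_LOGS = [
    {"severity": "informational", "srcuser": "lab\\jamie", "addr.src": "192.168.1.20",
     "rule": "egress-outside", "app": "salesforce-base"},
    {"severity": "medium", "srcuser": "lab\\sally", "addr.src": "192.168.1.30",
     "rule": "egress-outside", "app": "smtp"},
    {"severity": "critical", "srcuser": "lab\\sally", "addr.src": "192.168.1.30",
     "rule": "internal-dmz", "app": "smtp"},
    {"severity": "low", "srcuser": "lab\\mark", "addr.src": "192.168.50.10",
     "rule": "dmz-egress", "app": "web-browsing"},
]

if __name__ == "__main__":
    for q in ("(severity neq informational)",
              "(rule eq egress-outside) and (addr.src in 192.168.1.30)",
              "(addr.src in 192.168.1.0/24) and (app eq smtp) or (srcuser eq lab\\mark)"):
        print(q, "->", len(apply_filter(q, SAMPLE_LOGS)), "entries")
```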

13.8 Create a Report Group
81. In the web interface, select Monitor > PDF Reports > Report Groups.
82. Click Add to define a new Report group:
The Report Group configuration window should appear.
83. Configure the following:
Parameter Value
Name Type lab-report-group
Reports

84. Click OK to close the Report Group configuration window.


The new Report group should appear in the web interface.

13.9 Schedule a Report Group Email


85. In the web interface, select Monitor > PDF Reports > Email Scheduler.
86. Click Add to define a new Email Schedule.
The Email Scheduler configuration window should appear.
87. Configure the following:
Parameter Value
Name Type lab-email-schedule
Report Group Select lab-report-group from the drop-down list
Email Profile Select New Email Profile from the drop-down list

Recurrence Select Daily from the drop-down list


The Email Server Profile configuration window should appear.
88. Configure lab-smtp-profile as the Email Server Profile name.

89. Click Add and configure the following:
Parameter Value
Name Type lab-smtp-profile
Email Display Name Type Palo Alto Networks EDU Admin
From Type edu-lab-admin@paloaltonetworks.com
To Type <your-email-address>
Email Gateway Type 192.168.1.20

90. Click OK to close the Email Server Profile configuration window.


91. Click the Send test email button.
A test email will be sent to the address you provided. Wait for and confirm its arrival.
Note: Check your spam folder.
92. Click OK to close the Email Scheduler window.

Stop. This is the end of the Monitoring and Reporting lab.

14. Lab: Active/Passive High Availability
This is a configuration lab only.

Lab Objectives
• Display the Dashboard HA widget.
• Configure a dedicated HA interface.
• Configure active/passive HA.
• Configure HA monitoring.
• Observe behavior in the HA widget.

14.0 Load a Lab Configuration


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

A Load Named Configuration dialog box appears.
3. Click the drop-down list next to the Name text box and select edu-210-lab-14.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers:

4. Click OK to close the Load Named Configuration window.


A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:

A Commit window should appear.


7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
8. Click Close to continue.

14.1 Display the HA Widget


If high availability (HA) is enabled, the High Availability widget on the Dashboard indicates
the HA status.
9. In the web interface, click the Dashboard tab to display current firewall information.
10. If the High Availability panel is not displayed, select Widgets > System > High
Availability to enable the display:

The High Availability widget now displays on the Dashboard:

14.2 Configure the HA Interface


Each HA interface has a specific function: One interface is for configuration synchronization and
heartbeats, and the other interface is for state synchronization (not configured in this lab).
11. In the web interface, select Network > Interfaces > Ethernet.
12. Click ethernet1/6 to open the configuration window.
The Ethernet Interface configuration window should appear.
13. Configure the following:
Parameter Value
Interface Type Select HA from the drop-down list

14. Click OK to close the Ethernet Interface configuration window.

14.3 Configure Active/Passive HA
In this deployment, the active firewall continuously synchronizes its configuration and session
information with the passive firewall over two dedicated interfaces. If a hardware or software
disruption occurs on the active firewall, the passive firewall becomes active automatically
without loss of service. Active/passive HA deployments are supported by the interface modes
Virtual Wire, Layer 2, and Layer 3.
15. In the web interface, select Device > High Availability > General.
16. Click the icon of the Setup panel.
The Setup configuration window should appear.
17. Configure the following:
Parameter Value
Enable HA

Group ID Type 60 (This field is required, and must be unique, if multiple HA pairs reside on the same broadcast domain.)
Mode Verify that the Active Passive radio button is selected
Enable Config Sync (Select this option to enable synchronization of configuration settings between the peers.)
Peer HA1 IP Address Type 172.16.3.11

18. Click OK to close the Setup configuration window.


19. Click the icon of the Active/Passive Settings panel:
The Active/Passive Settings configuration window should appear.

20. Configure the following:
Parameter Value
Passive Link State Select the Auto radio button

When Auto is selected, the links that have physical connectivity remain physically up but in a
disabled state. They do not participate in ARP or packet forwarding. This configuration helps
reduce convergence times during failover because no time is required to activate the links. To
avoid network loops, do not select this option if the firewall has any Layer 2 interfaces
configured.
21. Click OK to close the Active/Passive Settings configuration window.
22. Click the icon of the Election Settings panel to configure failover behavior:
Parameter Value
Device Priority Type 80 (Enter a priority value (range is 0–255) to identify the active firewall. The firewall with the lower value (higher priority) becomes the active firewall when the Preemptive capability is enabled on both firewalls in the pair.)
Preemptive Enables the higher priority firewall to resume active operation after recovering from a failure. This parameter must be enabled on both firewalls but is not always a recommended practice.
Heartbeat Backup Uses the management ports on the HA firewalls to provide a backup path for heartbeat and hello messages
23. Click OK to close the Election Settings configuration window.

24. Click the icon of the Control Link (HA1) configuration window to configure the
HA1 link. The firewalls in an HA pair use HA links to synchronize data and maintain
state information:
Parameter Value
Port Select ethernet1/6 from the drop-down list
IPv4/IPv6 address Type 172.16.3.10
Netmask Type 255.255.255.0

25. Click OK to close the Control Link (HA1) configuration window.


26. Click the icon of the Data Link (HA2) configuration window.
27. Deselect the Enable Session Synchronization check box:

28. Click OK to close the Data Link (HA2) configuration window.

14.4 Configure HA Monitoring


29. In the web interface, select Device > High Availability > Link and Path Monitoring.

30. Click the icon of the Link Monitoring panel to configure link failure detection.
The Link Monitoring configuration window should appear.
Link monitoring enables failover to be triggered when a physical link or group of physical links
fails.
31. Configure the following:
Parameter Value
Enabled

Failure Condition Verify that the Any radio button is selected

32. Click OK to close the Link Monitoring configuration window.


33. Click Add in the Link Group panel to configure the traffic links to monitor.
The Link Group configuration window should appear.
34. Configure the following:
Parameter Value

Name Type traffic-links


Enabled (Note: Not supported on VM-Series on ESXi.)
Failure Condition Verify that the Any radio button is selected
Interface Click Add and select the following from the drop-down list:
ethernet1/1
ethernet1/2

35. Click OK to close the Link Group configuration window.
36. Click the icon of the Path Monitoring panel to configure Path Failure detection.
The Path Monitoring configuration window should appear.
Path monitoring enables the firewall to monitor specified destination IP addresses by sending
ICMP ping messages to ensure that they are responsive.
37. Configure the following:
Parameter Value

Enabled

Failure Condition Verify that the Any radio button is selected


38. Click OK to close the Path Monitoring configuration window.
39. Find the Path Group panel and click Add Virtual Router Path to configure the path
failure condition.
The HA Path Group Virtual Router configuration window should appear.
40. Configure the following:
Parameter Value

Name Type lab-vr


Enabled
Failure Condition Verify that the Any radio button is selected
Destination IP Click Add and type 8.8.8.8
41. Click OK to close the HA Path Group Virtual Router configuration window.
42. Commit all changes.
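To make the interaction between the settings from 14.3 and 14.4 concrete, the following Python script is an added example, not part of the lab guide or of PAN-OS: it models the traffic-links link group and the lab-vr path group with their Any failure condition, the Device Priority of 80, and the Preemptive flag, then walks a constructed scenario (steady state, ethernet1/2 failure, recovery) with preemption on and off. The peer firewall, its priority of 100 and all monitor results are assumptions; the decision rules follow the parameter descriptions in this lab.

```python
"""Added example (not part of the lab guide or PAN-OS): a model of the
failover inputs configured in Lab 14 (link group, path group, device
priority, preemption). Monitor results and the peer firewall are
constructed; the decision rules follow the parameter descriptions here."""
from dataclasses import dataclass, field


@dataclass
class MonitorGroup:
    """A Link Group or Path Group: members map to True when the link is up
    or the destination answers ping; failure_condition is 'any' or 'all'."""
    name: str
    failure_condition: str
    results: dict
    enabled: bool = True

    def failed(self) -> bool:
        if not self.enabled or not self.results:
            return False
        down = sum(1 for up in self.results.values() if not up)
        if self.failure_condition == "any":
            return down > 0
        if self.failure_condition == "all":
            return down == len(self.results)
        raise ValueError(f"unknown failure condition {self.failure_condition!r}")


@dataclass
class Firewall:
    name: str
    priority: int              # Device Priority, 0-255, lower value wins
    preemptive: bool
    groups: list = field(default_factory=list)

    def healthy(self) -> bool:
        if not 0 <= self.priority <= 255:
            raise ValueError("priority out of range")
        return not any(g.failed() for g in self.groups)


def elect_active(current_active, a: Firewall, b: Firewall):
    """Which peer should be active. A failed peer cannot be active; among
    two healthy peers the lower priority wins only when Preemptive is set
    on both, otherwise the current active firewall keeps the role."""
    healthy = [fw for fw in (a, b) if fw.healthy()]
    if not healthy:
        return None                      # both failed: no active peer
    if len(healthy) == 1:
        return healthy[0].name
    preferred = min(healthy, key=lambda fw: fw.priority)
    if a.preemptive and b.preemptive:
        return preferred.name
    if current_active in (a.name, b.name):
        return current_active
    return preferred.name                # initial election, nobody active yet


def lab_groups(eth1_up, eth2_up, dns_reachable):
    """The two groups created in 14.4, with constructed monitor results."""
    return [
        MonitorGroup("traffic-links", "any", {"ethernet1/1": eth1_up, "ethernet1/2": eth2_up}),
        MonitorGroup("lab-vr", "any", {"8.8.8.8": dns_reachable}),
    ]


def failover_scenario(preemptive: bool):
    """Walk through: steady state, ethernet1/2 failure, then recovery."""
    fw_a = Firewall("fw-a", 80, preemptive, lab_groups(True, True, True))   # priority 80 as in the lab
    fw_b = Firewall("fw-b", 100, preemptive, lab_groups(True, True, True))  # constructed peer
    steady = elect_active(None, fw_a, fw_b)
    fw_a.groups = lab_groups(True, False, True)     # ethernet1/2 goes down
    after_fail = elect_active(steady, fw_a, fw_b)
    fw_a.groups = lab_groups(True, True, True)      # link recovers
    after_recovery = elect_active(after_fail, fw_a, fw_b)
    return steady, after_fail, after_recovery


if __name__ == "__main__":
    print("preemptive:", failover_scenario(True))
    print("non-preemptive:", failover_scenario(False))
```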

14.5 Observe the Behavior of the HA Widget


43. In the web interface, click the Dashboard tab and view the High Availability status
widget for the firewall.
Active-passive mode should be enabled, and the local firewall should be active (green). You may
need to refresh the High Availability pane if the local firewall still shows that it is initializing.
However, because there is no peer firewall, the status of most monitored items is unknown
(yellow). Because HA1 has no peer, its state is down (red):

44. If a peer was configured and was operating in passive mode, the High Availability
widget on the Dashboard would appear as follows.
To avoid overwriting the wrong firewall configuration, the firewalls are not automatically
synchronized. You must manually synchronize a firewall to the firewall with the “valid”
configuration by clicking Sync to peer.

Stop. This is the end of the Active/Passive High Availability lab.

15. Lab: Capstone
This comprehensive lab is meant to provide you with additional hands-on firewall experience
and to enable you to test your new knowledge and skills. You can refer to your student guide
and previous lab exercises.
In this scenario, you are a network administrator and recently received a new Palo Alto Networks
VM-Series firewall. The firewall’s management IP address is 192.168.1.254. You can log in with
the default username and password. You also have been given permission to use your own
naming conventions for firewall objects such as security zones, Security profiles, address groups,
and tags.
You are being asked to meet multiple configuration objectives. These objectives are listed in the
lab exercise sections that follow.

15.0 Load a Lab Configuration


Reset your lab environment before you begin to work through the scenario.
1. In the web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:

3. Select edu-210-lab-15 and click OK.
4. Click Close.
5. Commit all changes.

15.1 Configure Interfaces and Zones


Complete the following objectives:
• Configure three firewall interfaces using the following values:
  • Ethernet 1/1: 203.0.113.20/24 - Layer 3: Public network-facing interface
  • Ethernet 1/2: 192.168.1.1/24 - Layer 3: Internal network-facing interface
  • Ethernet 1/3: 192.168.50.1/24 - Layer 3: DMZ network-facing interface
• Create security zones for each network area of interest: DMZ, internal, and public. Name
these zones whatever you like.
• Create a virtual router for all configured firewall interfaces.
• Create and assign an Interface Management Profile that enables 192.168.1.1 to respond to
ping requests.
• Create and assign unique tags to important zones.
You can consider this objective complete when the following tests are successful:
• Your internal host can ping 192.168.1.1.
• From the firewall CLI the following commands are successful:
  • ping source 203.0.113.20 host 203.0.113.1
  • ping source 203.0.113.20 host 8.8.8.8
  • ping source 192.168.1.1 host 192.168.1.10
  • ping source 192.168.50.1 host 192.168.50.10

15.2 Configure Security and NAT Policy Rules


Create or modify the Security and NAT policy rules to address the following objectives:
Note: Optional tags can be helpful for identifying important rules.
• IP addresses 192.168.1.1 and 192.168.1.254 require access to the internet.
• A separate Security policy rule is required that allows the 192.168.1.0/24 network to
  access the internet.
• Only the DMZ host 192.168.50.10 requires access to the internet.
• Facebook, Twitter, YouTube, 2600.org, and Reddit applications must be blocked for
  users on the 192.168.1.0/24 network.



• The URL categories web-advertisements, phishing, malware, and unknown must be
  blocked by a Security policy rule match criterion.
• Internal hosts 192.168.1.30 and 192.168.1.254 need to access the DMZ host for the
  following applications: SSH, SSL, web-browsing, FTP, and ping. Access must be limited
  to the applications’ default ports.
• Traffic matching the interzone default Security policy rule must log all traffic at session
  end.
You can consider this objective complete when the following tests are successful:
• The internal host can ping 8.8.8.8 and google.com.
• The internal host cannot access twitter.com, youtube.com, reddit.com, and 2600.org.
• The internal host can access http://192.168.50.10/block-list.txt.
• The internal host can use FTP to access the DMZ host at 192.168.50.10 using the login
  name lab-user and the password paloalto.
• The internal host can use SSH to access the DMZ host at 192.168.50.10 using the login
  name lab-user and the password paloalto.
• The DMZ host can ping 8.8.8.8 and google.com.

15.3 Create and Apply Security Profiles


Create Security Profile Groups and apply them to the applicable Security policy rules to meet the
following objectives:
• A three-tiered URL filtering scheme is required:
    • Tier 1: Allow access to only URL categories government, financial-services,
      reference-and-research, and search-engines
    • Tier 2: Allow access to only the URL category online-storage-and-backup
    • Tier 3: Allow access to all URL categories
• The Tier 3 URL filtering must apply to the internal host.
• The Tier 2 URL filtering must apply to the DMZ host.
• The Tier 1 URL filtering must apply to the network 192.168.1.0/24.
  Note: The Security policy rule specifically matching 192.168.1.30 must be evaluated before
  the entire network segment.
• The Facebook, Twitter, YouTube, and Reddit applications must be blocked for everyone.
• All Security policy rules allowing internet access must leverage Antivirus, Anti-Spyware,
  and Vulnerability Protection profiles.
• The firewall must reset the client and the server when a virus is detected in HTTP traffic.
• The firewall must reset the client and the server when medium-, high-, or critical-level
  spyware is detected.



• The Anti-Spyware Security Profile must use the DNS Sinkhole feature for Palo Alto
  Networks DNS Signatures and consult a custom External Dynamic List that references
  http://192.168.50.10/dns-sinkhole.txt.
• The dns-sinkhole.txt file must contain the domain name phproxy.org.
• The firewall must reset the client and server when high- or critical-level vulnerabilities
  are detected.
• WildFire analysis must be enabled on all Security policy rules that allow internet access.
• The File Blocking feature must block PE file types and any multi-level-encoded files for
  access between the internet and the 192.168.1.0/24 network segment.
You can consider this objective complete when the following tests are successful:
• Three URL filtering configurations have been created and applied to the appropriate
  Security policy rule(s).
• The DMZ host can ping box.net.
• The internal host can access box.net.
• The internal host cannot download an Eicar test virus using HTTP.
• A WildFire test file gets reported to the WildFire cloud when it is downloaded to the
  internal host.
• A DNS request to phproxy.org initiated by an nslookup command on the internal host
  results in a sinkhole event recorded in the Threat log.
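As an added example that is not part of this lab guide or Palo Alto Networks' own code, the following Python models the top-down, first-match evaluation of a Security policy rulebase and shows why the ordering note in 15.3 matters for the rules built in 15.2 and 15.3: if the 192.168.1.0/24 rule sits above the rule for 192.168.1.30, the host rule is shadowed and the internal host receives the Tier 1 profile instead of Tier 3. The zone names (internal, dmz, public), rule names and profile-group names are assumptions, not lab values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    src_zone: str            # "any" or a zone name (zone names are assumed here)
    dst_zone: str
    sources: list            # CIDR strings, or ["any"]
    action: str              # "allow" or "deny"
    profile_group: str = ""  # Security Profile Group attached to the rule


def _zone_ok(rule, src_zone, dst_zone):
    return rule.src_zone in ("any", src_zone) and rule.dst_zone in ("any", dst_zone)


def matches(rule, src_zone, dst_zone, src_ip):
    """True if the session's zones and source address fit the rule's match criteria."""
    if not _zone_ok(rule, src_zone, dst_zone):
        return False
    ip = ip_address(src_ip)
    return any(s == "any" or ip in ip_network(s) for s in rule.sources)


def first_match(rules, src_zone, dst_zone, src_ip):
    """Top-down, first-match evaluation; unmatched interzone traffic hits the default deny."""
    for rule in rules:
        if matches(rule, src_zone, dst_zone, src_ip):
            return rule
    return Rule("interzone-default", "any", "any", ["any"], "deny")


def _covers(earlier, later):
    """True if every source of `later` lies inside some source of `earlier`."""
    return all(any(e == "any" or (l != "any" and ip_network(l).subnet_of(ip_network(e)))
                   for e in earlier.sources) for l in later.sources)


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule already covers them."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(_zone_ok(e, later.src_zone, later.dst_zone) and _covers(e, later) for e in rules[:i]):
            shadowed.append(later.name)
    return shadowed


# Constructed rulebase in the order lab 15.3 requires: host-specific rule above the segment rule.
CORRECT_ORDER = [
    Rule("internal-host-tier3", "internal", "public", ["192.168.1.30/32"], "allow", "tier3-url"),
    Rule("internal-net-tier1", "internal", "public", ["192.168.1.0/24"], "allow", "tier1-url"),
    Rule("dmz-host-tier2", "dmz", "public", ["192.168.50.10/32"], "allow", "tier2-url"),
]
# The same rules with the segment rule placed first: the host rule is shadowed and never matches.
WRONG_ORDER = [CORRECT_ORDER[1], CORRECT_ORDER[0], CORRECT_ORDER[2]]
```

Running `shadowed_rules` over a candidate rulebase before committing is a quick way to catch this class of mistake; the firewall's own rule shadowing check at commit time serves the same purpose.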

15.4 Configure GlobalProtect


Configure GlobalProtect to meet the requirements listed in the following objectives:
• User access is provided through an external gateway.
• The GlobalProtect portal and external gateway can authenticate users using either LDAP
  or a local user group configured on the firewall.
• The external gateway provides an IP address pool in the range 172.16.5.200 to
  172.16.5.250.
• The tunnel interface must be assigned to a new and separate security zone.
• A Security policy rule must allow internet access for hosts using the external gateway IP
  pool.
• The external gateway requires the use of IPsec.
• One or more certificates are required for the portal and external gateway.
• A Security policy rule must be created to allow the internal host access to the portal and
  external gateway. This access might require the use of a no-NAT rule.
You can consider this objective complete when the following tests are successful:
• The internal host can successfully connect to the portal and external gateway.
• The internal host receives an IP pool address when connected to the external gateway.



• The internal host can access paloaltonetworks.com when connected to the external
  gateway.

Stop. This is the end of the Capstone lab.



© 2019 Palo Alto Networks, Inc. PAN-EDU-210 9.0 Version B Page 265
