Lab Manual
PAN-EDU-201
Firewall Installation, Configuration, and Management – Essentials I
January 2013
PAN-OS 5.0 – Rev A
[email protected] http://education.paloaltonetworks.com
© 2012 Palo Alto Networks. Proprietary and Confidential
Table of Contents
How to use this Lab Guide (page 4)
Lab Equipment Setup (page 5)
Module 0 – Introduction – Lab Access and Review (page 6)
  Task 1 – RDP to StudentPC, HTTPS and SSH to Student firewall (page 6)
  Task 2 – Review PAN-OS software, Content, and Licenses (page 6)
  Task 3 – Disable Panorama sharing (page 6)
Module 1 – Administration and Management (page 7)
  Task 1 – Apply baseline configuration to your firewall (page 7)
  Task 2 – Clear the logs (page 7)
  Task 3 – Add an Administrator Role (page 7)
  Task 4 – Add an administrator account (page 7)
  Task 5 – Take a Transaction Lock and test the lock (page 8)
Module 2 – Interface Configuration (page 9)
  Task 1 – Create a new Security Zone (page 9)
  Task 2 – Create Interface Management Profiles (page 10)
  Task 3 – Configure a Tap interface (page 10)
  Task 4 – Configure a Vwire (page 11)
Module 3 – Layer 3 Configuration (page 12)
  Task 1 – Configure Ethernet interfaces with Layer 3 info (page 12)
  Task 2 – Configure DHCP (page 13)
  Task 3 – Create a Virtual Router (page 14)
  Task 4 – Create a Source NAT policy (page 14)
  Task 5 – Create a Destination NAT Policy (page 16)
Module 4 – App-ID (page 17)
  Task 1 – Create a basic Security Policy for outbound traffic (page 17)
  Task 2 – Create 2 basic policies to deny all inbound and outbound traffic (page 17)
  Task 3 – Create an Application Block Page (page 19)
  Task 5 – Create Application Filter (page 19)
  Task 6 – Create Application Group (page 19)
  Task 7 – Create three new Security Policies that match the following criteria (page 20)
  Task 8 – Create a custom query in the Traffic Log (page 21)
Module 5 – Content ID (page 22)
  Task 1 – Configure a URL filtering Profile (page 22)
  Task 2 – Configure a Custom URL Filtering Category (page 22)
  Task 3 – Configure an Antivirus Profile (page 23)
  Task 4 – Configure an Antispyware Profile (page 23)
  Task 5 – Connect individual Profile to Policy (page 23)
  Task 6 – Test connectivity (page 24)
  Task 7 – Create a File Blocking Profile: Wildfire (page 25)
  Task 8 – Configure a Security Profile Group (page 26)
  Task 9 – Connect Profile Group to Policy (page 26)
  Task 10 – Create a Custom Report (page 26)
Module 6 – User-ID (page 28)
  Task 1 – Configure firewall to talk to User-ID Agent (page 28)
  Task 2 – Review user/IP information (page 28)
  Task 3 – User-ID Agent (optional) (page 29)
Module 7 – Decryption (page 30)
  Task 1 – Pre setup and test (page 30)
  Task 2 – Create an SSL self-signed Certificate (page 30)
  Task 3 – Create SSL Outbound Decryption Policies (page 31)
  Task 4 – Set SSL exclude cache (page 32)
  Task 5 – Review Self-signed Certificate on StudentPC browser (page 32)
Module 8 – VPN (page 33)
  Task 1 – Configure IPsec Tunnel – Trust Zone (page 33)
  Task 2 – Configure IPsec Tunnel – Untrust Zone (page 35)
Module 9 – High Availability (optional) (page 36)
  Task 1 – Configure HA – Active/Passive (page 36)
Module 10 – Panorama (page 38)
  Task 1 – Pre setup and test (page 38)
  Task 2 – Create a custom report – Panorama (page 38)
  Task 3 – Create an Application Group Object (page 38)
  Task 4 – Create Pre/Post Policy (page 38)
  Task 5 – Push config to student firewall (page 39)
  Task 6 – Switch context and review Policy on firewall (page 39)
How to use this Lab Guide
The Lab Guide is laid out to follow the Modules in the Student Guide. There are multiple tasks for each Module. For each Task, where appropriate, there are three sections. The first section is a diagram of what the firewall configuration should look like. The second section contains the steps to create the configuration through the GUI. The third section contains the CLI commands to create the configuration. You can complete the Tasks by referencing the diagram and the material in the Student Guide, or you can follow the steps in the second section. If you have sufficient experience with the PAN-OS CLI, you can type the commands in the CLI section instead.
NOTE: Unless specified, the “Chrome” web browser and the “Putty” SSH client will be used to perform any tasks outlined in the following labs. (These apps are preinstalled on the desktop of the StudentPC.)
Once these labs are completed you should be able to:
1. Configure the basic operations of the firewall including: Interfaces, Security Zones, and Security Policies
2. Configure basic Layer 3 operations including: IP addressing and NAT
3. Configure basic Content-ID functionality including: AV and URL filtering
4. Understand the basic operation of Logs and Reporting
5. Configure extended operations including: IPsec, SSL decryption, and HA
With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help enabled this training to be built, tested, and deployed.
Lab Equipment Setup
(The original page is a network diagram; only its labels are reproduced here.)
Student PC Setup – RDP: ___.___.___.___
Student Firewall (a VSYS on the EDU lab firewall):
Management interface – “Management” 10.30.11.x/24 (same network as Panorama and the Domain Controller)
Ethernet 1/2 – L3 interface “Trust-L3” 192.168.x.1/24; StudentPC at 192.168.x.y/24
Ethernet 1/1.2xx – L3 subinterface “Untrust-L3” 172.16.x.1/24, carried on an 802.1q trunk toward the router and the Internet
Ethernet 1/3 and 1/4 – Vwire (2 interfaces) through a switch
Ethernet 1/5 – TAP interface
Ethernet 1/6, 1/7, 1/8 – HA
Module 0 – Introduction – Lab Access and Review
In this lab you will:
Connect to your StudentPC over RDP
Test StudentPC to student firewall connectivity
Review the operating system and licensing

Task 1 – RDP to StudentPC, HTTPS and SSH to Student firewall
Using the login credentials and IP information provided by the instructor:
Step 1: Open your local RDP client and open a session to your assigned RDP IP address.
Step 2: Once connected, use the StudentPC web browser (HTTPS) and the Putty client (SSH) to test connectivity to the student firewall.

Task 2 – Review PAN-OS software, Content, and Licenses
Step 1: Click on the “Device” tab > “Software”
Step 2: Review available, downloaded, and installed PAN-OS software
Question: What version of PAN-OS is running on your firewall? __________________________________________________
Step 3: Click on the “Device” tab > “Dynamic Updates”
Step 4: Review Applications, Viruses, and URL Filtering to check the date of the last update
Step 5: Click on the “Device” tab > “Licenses”
Step 6: Review the licenses installed and their expiration dates
Step 7: In “Device” > “Setup” > “Management”, set the current date and time zone

Task 3 – Disable Panorama sharing
Step 1: Click on the “Device” tab > “Setup” > “Management” tab
Step 2: Click on the “Panorama Settings” edit button
Step 3: If the pop-up window shows a button to disable the Panorama-shared configuration, click it. An additional pop-up window allows you to select “Import shared config from Panorama before disabling”. DO NOT SELECT THIS BOX. Simply click “Ok” and then “Ok” in the “Panorama Settings” pop-up. If there are no Panorama settings, close the tab and go forward.
Module 1 – Administration and Management
In this lab you will:
Apply a baseline configuration on which the successive labs build
Create a new admin role on the firewall
Create an administrator account and test the transaction lock

Task 1 – Apply baseline configuration to your firewall
Step 1: Open your StudentPC web browser and log in to your student firewall.
Step 2: Click on the “Device” tab > “Setup” > “Operations” tab
Step 3: Click “Load Named Configuration Snapshot”
Step 4: Select the file “after_reset_X” (where “X” is your Student Number)
Step 5: Click “Ok” then click “Commit”

Task 2 – Clear the logs
Step 1: Click “Device” > “Log Settings” > “Manage Logs”
Step 2: Click “Clear Traffic Logs” and “Clear Threat, URL, and Data Logs”

Task 3 – Add an Administrator Role
Step 1: Click on the “Device” tab > “Admin Roles”
Step 2: Click “Add” in the lower left
Step 3: Configure a new admin role with the name “Policy Admins”
Step 4: In the Web UI box, click on the following major categories to disable them: Monitor, Network, and Device. The remaining major categories (Dashboard, ACC, Policy, Objects, Privacy, and Commit) should stay enabled.
Step 5: Leave the CLI option set to “None”. Click “OK” to continue.
Task 4 – Add an administrator account
Step 1: Click on the “Device” tab > “Administrators”
Step 2: Click “Add” in the lower left
Step 3: Configure a new administrator with the following parameters:
Name: “ip-admin”
Authentication Profile: “None”
Password and Confirm Password: “paloalto”
Role: “Role Based”
Profile: “Policy Admins” from the dropdown menu
Step 4: Click “Ok” then click “Commit”
Step 5: Log off the GUI, then log back in as “ip-admin” and explore the functionality (the Monitor, Network, and Device tabs should be gone)
Task 5 – Take a Transaction Lock and test the lock
Step 1: Click on the transaction lock icon (to the right of the Commit button).
Step 2: Click “Take Lock”, set the Type to “Config” and click “OK”. Click “Close” to close the transaction lock window.
Step 3: Open a different browser and log in as “ip-admin”
Step 4: Click on the transaction lock icon to view the locks taken
Step 5: Attempt to add another administrator (as in Module 1 Task 4).
Question: At what point does the firewall block your action? ________________________________________________
(Answer: It will give you an error when you click the “OK” button; the lock is enforced on the candidate configuration change, not on opening the dialog.)
Step 6: Log out of the ip-admin account
Module 2 – Interface Configuration In this lab you will:
Create Security Zones
Create Interface Management Profiles
Configure basic interface types
Task 1 – Create a new Security Zone
Step 1: Click on the “Network” tab > “Zones”
Step 2: Click “Add”
Step 3: Set “Type” to “Tap”
Step 4: Set the Zone name to “Student-tap-zone”
Step 5: Click “Ok”
Question: Why is the OK button disabled? __________________________________
(Answer: the zone name is too long. Change the zone name to be no more than 15 characters, for example “Student-Tap-Zon”.)
Step 6: Click “Add” and set the Zone name to “Trust-L3”
Step 7: Set “Type” to “Layer3”
Step 8: Click “Ok”
Step 9: Click “Add” and set the Zone name to “Untrust-L3”
Step 10: Set “Type” to “Layer3”
Step 11: Click “Ok”
Step 12: Click “Add”
Step 13: Set the Zone name to “Vwire-zone-3”
Step 14: Set “Type” to “Virtual Wire”
Step 15: Click “Ok”
Step 16: Click “Add”
Step 17: Set the Zone name to “Vwire-zone-4”
Step 18: Set “Type” to “Virtual Wire”
Step 19: Click “Ok”
Task 2 – Create Interface Management Profiles
Step 1: Click on the “Network” tab > “Network Profiles” > “Interface Mgmt”
Step 2: Click “Add”
Step 3: Set “Name” to “allow_all”
Step 4: Select all check boxes
Step 5: Click “OK”
Step 6: Create a second profile called “allow_ping”
Step 7: Click the “Ping” check box
Step 8: Click “OK” then click “Commit”
NOTE: “allow_all” enables every management service in the profile (including HTTP, HTTPS, SSH, Telnet, and SNMP) on whichever data interface it is attached to. It is acceptable only because the lab network is isolated; on a production firewall, attach a profile this permissive to nothing but the trusted side, and never to an untrusted interface.
Task 3 – Configure a Tap interface
Step 1: Click on the “Network” tab > “Interfaces”
Step 2: Click on interface “ethernet1/5”
Step 3: Select Type “Tap”
Step 4: Select Zone “Student-Tap-Zon” (or whatever you named the tap zone), then click “Ok”
Task 4 – Configure a Vwire
Step 1: Click on the “Network” tab > “Interfaces”
Step 2: Click on interface “ethernet1/3”
Step 3: Select Interface Type “Virtual Wire”
Step 4: In the Virtual Wire field, click the dropdown arrow and click New “Virtual Wire”
Step 5: In the pop-up window, set the “Name” to “student-vwire” and then click “OK”
Step 6: Click the arrow in the Security Zone field, and select “Vwire-zone-3”
Step 7: Click “OK”
Step 8: Click on interface “ethernet1/4”
Step 9: Select Interface Type “Virtual Wire”
Step 10: In the Virtual Wire field, click the dropdown arrow and select “student-vwire”
Step 11: Click the arrow in the Security Zone field, and select “Vwire-zone-4”
Step 12: Click “OK”
Step 13: Back in the interface pop-up window, click “OK” and Commit all changes
Module 3 – Layer 3 Configuration In this lab you will:
Configure Ethernet interfaces with Layer 3 information
Configure DHCP
Create a Virtual Router
Create a Source NAT policy
Create a Destination NAT policy
Task 1 – Configure Ethernet interfaces with Layer 3 info
Step 1: Click on the “Network” tab > “Interfaces” > “Ethernet” and select interface “ethernet1/2”
Step 2: In the pop-up, set “Type” to “Layer3”
Step 3: Set “Security Zone” to “Trust-L3”
Step 4: Select the “IPv4” tab, click “Add” and enter the following IP address and subnet mask: “192.168.X.1/24” (where X is your student #)
Step 5: Select the “Advanced” tab, then the “Other info” tab, and set the “Management Profile” to “allow_all”, then click “OK”
Step 6: Click on the “Network” tab > “Interfaces” and select interface “ethernet1/1”
Step 7: In the pop-up, set “Type” to “Layer3” then click “Ok”
Step 8: Click “Add Layer3 Subinterface” at the bottom of the page
Step 9: Set “Interface Name” to “ethernet1/1”
Step 10: Set the sub-interface ID to 200 + your student #. (Example: Student-05 would be “205”.)
Step 11: Set the “Tag” to match the sub-interface ID
Step 12: Click the dropdown arrow in the “Security Zone” field and select “Untrust-L3” (created in Module 2 Task 1; if it is missing, click New “Zone” and create it with that name)
Step 13: Select the “IPv4” tab, click “Add” and enter the following IP address and subnet mask: “172.16.X.1/24” (where X is your student #)
Step 14: Select the “Advanced” tab and set the “Management Profile” to “allow_ping”, then click “OK”
Task 2 – Configure DHCP
Step 1: Click on the “Network” tab > “DHCP” > “DHCP Server” tab
Step 2: Click “Add”
Step 3: Select Interface “ethernet1/2”
Step 4: Set Gateway to “192.168.X.1” (where X is your student #)
Step 5: Set Primary DNS to “10.30.11.50”
Step 6: Click the “Add” button in the IP Pools window, and enter an IP Pool of “192.168.X.50-192.168.X.60” (where X is your student #)
Step 7: Review and click “OK”
Task 3 – Create a Virtual Router
Step 1: Click on the “Network” tab > “Virtual Routers”
Step 2: Click “Add”
Step 3: Set the Name to “Student-VR”
Step 4: Click “Add” in the Interfaces window and select interfaces “ethernet1/1.2XX” and “ethernet1/2”
Step 5: Select the “Static Routes” tab, click “Add” and add a default route with the following information:
Name: “default”
Destination: “0.0.0.0/0”
Next Hop: “IP Address”, with the address “172.16.X.254” (where X is your student #)
Step 6: Click “OK” to add the route, review your VR configuration, and then click “OK”
Step 7: Delete the “default-vwire” object under Network > Virtual Wires
Step 8: Click “Commit” to make the changes active
Step 9: Open a StudentPC command prompt and release/renew the IP configuration (“C:\> ipconfig /release”, “C:\> ipconfig /renew” and “C:\> ipconfig /all”) to check that the DHCP configuration was successful. You should be able to ping 192.168.X.1.
NOTE: DO NOT MANUALLY CHANGE THE INTERFACE CONFIGURATION OF THE STUDENT PC. If a DHCP address is not assigned, review the Student Firewall DHCP configuration first.
Task 4 – Create a Source NAT policy
Step 1: Click on the “Policies” tab > “NAT”
Step 2: Click “Add”, name it “student source nat”, then click on the “Original Packet” tab
Step 3: Click “Add” in the Source Zone box and select “Trust-L3”. Set the Destination Zone to “Untrust-L3”.
Step 4: Confirm that the “Any” checkboxes for Source Address and Destination Address are checked.
Step 5: Click on the “Translated Packet” tab
Step 6: Select a Translation Type of “Dynamic IP and Port”
Step 7: Set “Address Type” to “Interface Address”
Step 8: Select Interface “ethernet1/1.x” (where “x” is 200 + your student #)
Step 9: Select the “172.16.X.1” address (where X is your student #) from the pull-down immediately below “IP Type”, then click “OK”.
Step 10: From the Policies > Security menu, select the existing policy and click the “Delete” button at the bottom of the page.
Step 11: Create a new security policy that allows any traffic from the “Trust-L3” zone to the “Untrust-L3” zone (Source Zone “Trust-L3”, Destination Zone “Untrust-L3”, Application “Any”, Service “Any”, Action “Allow”).
Step 12: From the Network > Zones menu, remove the leftover zones “trust” and “untrust”, then commit.
Task 5 – Create a Destination NAT Policy
Step 1: Click on the “Policies” tab > “NAT”
Step 2: Click “Add”, name it “web nat”, then click on the “Original Packet” tab
Step 3: Click “Add” (in the “Source Zone” box) and select “Trust-L3”
Step 4: Set the Destination Zone to “Untrust-L3”
Step 5: Click “Any” for the Source Address
Step 6: Click “Add” in the “Destination Address” box and enter the IP address of www.fortinet.com (you will need to look up that IP address)
Step 7: Click on the “Translated Packet” tab and check the “Destination Address Translation” box
Step 8: In the “Destination Address Translation” section, add the IP address of www.exclusivenetworks.com (you will need to look up that IP address)
Step 9: In the “Source Address Translation” section, set the “Translation Type” to “Dynamic IP and Port”
Step 10: Set “Address Type” to “Interface Address”
Step 11: Select Interface “ethernet1/1.x” (where “x” is 200 + your student #)
Step 12: Select the “172.16.X.1” address (where X is your student #) from the “IP Address” pull-down
Step 13: Move the rule to the top of the list, click “OK” then Commit all changes
Step 14: Open a new browser tab to www.fortinet.com. Can you connect? Why or why not? (Remember that NAT rules are evaluated top-down and the first match wins, so the more specific “web nat” rule must sit above the general source NAT rule.)
Module 4 – App-ID In this lab you will:
Create a security policy to allow basic internet connectivity and log dropped traffic
Enable Application Block pages
Create Application Filters and Application Groups
Task 1 – Create a basic Security Policy for outbound traffic
Step 1: Click on the “Policies” tab > “Security” and delete any existing policy.
Step 2: Click “Add”
Step 3: Create a new rule named “General Internet”
Step 4: Configure the following information:
Source Zone: “Trust-L3”
Source Address: “Any”
Destination Zone: “Untrust-L3”
Destination Address: “Any”
Application: “flash, dns, web-browsing, ssl, ping”
Service: “application-default”
Action: “Allow”
Task 2 – Create 2 basic policies to deny all inbound and outbound traffic
Question: Why would you want to create 2 rules (inbound and outbound) rather than a single deny-all rule? __________________________________
Step 1: Click “Add”
Step 2: Create a new rule named “Deny Outbound”
Step 3: Configure the following information:
Source Zone: “Trust-L3”
Source Address: “Any”
Destination Zone: “Untrust-L3”
Destination Address: “Any”
Application: “Any”
Service: “Any”
Action: “Deny”
Step 4: Create a rule named “Deny Inbound”
Step 5: Configure the following information:
Source Zone: “Untrust-L3”
Source Address: “Any”
Destination Zone: “Trust-L3”
Destination Address: “Any”
Application: “Any”
Service: “Any”
Action: “Deny”
Step 6: Ensure your Security Policy contains exactly these three rules, in this order: “General Internet”, “Deny Outbound”, “Deny Inbound”.
Step 7: Commit your changes
Question: In the “General Internet” rule, why do you use “application-default” as the service, whereas you use “Any” as the service in the two “deny” rules? __________________________________
Once complete, your StudentPC should have access to the Internet.
Step 8: You will now test your new policies. Test Internet connectivity by pinging 4.2.2.2 from your workstation. Does web surfing over ports 80 and 443 work?
Step 9: Use a browser to try to connect to the site http://www.box.net. The browser should not be able to display the site. Why is that? Take a look at the log message in the Traffic logs to find out. What is special about that application?
Step 10: Also attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com. Why can you bring up that web site? (Hint: look at the Traffic logs.)
Task 3 – Create an Application Block Page
Step 1: Go to www.facebook.com: what is the browser response?
Step 2: Ensure the Interface Management Profile applied to your ethernet1/2 interface (Trust-L3) has “Response Pages” checked
Step 3: Click on the “Device” tab > “Response Pages” > “Application Block Page”
Step 4: Enable it by clicking “Enable”
Step 5: Click “OK” then commit your changes
Step 6: Go to www.facebook.com: what is the browser response now?
Task 5 – Create Application Filter
Step 1: Delete all current rules in your security policy
Step 2: Click on the “Objects” tab > “Application Filters” and create a new filter named “Proxies”
Step 3: Set the “Subcategory” to “proxy”
Step 4: Create a second filter named “Web-Based-File-Share”; set the “Subcategory” to “file-sharing” and the “Technology” to “browser-based”

Task 6 – Create Application Group
Step 1: Click on the “Objects” tab > “Application Groups”
Step 2: Create a new group named “Known-Good” and add the applications “ssl”, “web-browsing”, “ping”, “dns”, and “flash”
Step 3: Create a second group called “Known-Bad” and add the application filters “Proxies” and “Web-Based-File-Share” to it
Task 7 – Create three new Security Policies that match the following criteria
Configure the policies with the following information:
Step 1: The first policy allows the known good applications.
Rule 1
Name: “Known-Good”
Source Zone: “Trust-L3”
Source Address: “Any”
Destination Zone: “Untrust-L3”
Destination Address: “Any”
Application: the Application Group “Known-Good”
Service: “application-default”
Action: “Allow”
Step 2: The second policy blocks all of your known bad applications.
Rule 2
Name: “Known-Bad”
Source Zone: “Trust-L3”
Source Address: “Any”
Destination Zone: “Untrust-L3”
Destination Address: “Any”
Application: the Application Group “Known-Bad”
Service: “Any”
Action: “Deny”
Step 3: The third policy allows all other traffic (and, because it is the last rule, logs everything that reaches it).
Rule 3
Name: “Log All”
Source Zone: “Trust-L3”
Source Address: “Any”
Destination Zone: “Untrust-L3”
Destination Address: “Any”
Application: “Any”
Service: “Any”
Action: “Allow”
Step 4: Confirm that your security rulebase contains these three rules in the order “Known-Good”, “Known-Bad”, “Log All”, and then commit your changes.
Step 5: You will now test your new policies. Ping from your StudentPC out to the Internet. That should work. Web surfing over ports 80 and 443 should also work.
Step 6: Use a browser to try to connect to the site www.box.net. The browser should not be able to display the site. Why is that? Take a look at the log message in the Traffic log to find out. What is special about that application?
Step 7: Now attempt to reach www.box.net using the proxy site www.avoidr.com. Go to www.avoidr.com. You should not be allowed to browse it. Why? (HINT: look at the Traffic logs.)
Step 8: Select the ACC tab to access the Application Command Center. Use the drop-down menu in the application section of the ACC to select different ways of viewing the traffic that you have generated. What is the total risk level for all traffic that has passed through the firewall thus far? Notice that the URL Filtering, Threat Prevention, and Data Filtering sections within the ACC contain no matching records.
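To make the rulebase behaviour from Task 2 and Task 7 concrete, the following added example (not part of this lab manual, and not the firewall's own code) simulates how the two rulebases decide a session: rules are evaluated top-down, the first match wins, unmatched interzone traffic hits the implicit deny, an Application Group can be built from Application Filters, and “application-default” only matches an application on its standard ports. The application attribute table and the session examples are constructed for illustration (the App-ID names “boxnet” and “avoidr” and their attributes are assumptions, not an export of the firewall's application database).

```python
"""Security rulebase evaluation for Module 4 (Tasks 2 and 7) - added example.

First-match semantics, Application Groups built from Application Filters,
and the difference between service "application-default" and "any".
The App-ID attribute table is constructed for this example; it is not an
export of the firewall's application database.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed App-ID metadata: name -> (subcategory, technology, standard ports)
APPS = {
    "web-browsing": ("internet-utility", "browser-based",    {"tcp/80"}),
    "ssl":          ("encrypted-tunnel", "browser-based",    {"tcp/443"}),
    "dns":          ("infrastructure",   "network-protocol", {"udp/53", "tcp/53"}),
    "ping":         ("ip-protocol",      "network-protocol", {"icmp"}),
    "flash":        ("audio-streaming",  "browser-based",    {"tcp/80"}),
    "boxnet":       ("file-sharing",     "browser-based",    {"tcp/80", "tcp/443"}),
    "avoidr":       ("proxy",            "browser-based",    {"tcp/80"}),
    "ssh":          ("encrypted-tunnel", "client-server",    {"tcp/22"}),
}


def app_filter(subcategory: Optional[str] = None,
               technology: Optional[str] = None) -> Set[str]:
    """Objects > Application Filters: every app whose attributes match."""
    return {
        name for name, (sub, tech, _ports) in APPS.items()
        if (subcategory is None or sub == subcategory)
        and (technology is None or tech == technology)
    }


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    apps: Optional[Set[str]]   # None means "any"
    service: str               # "application-default" or "any"
    action: str                # "allow" or "deny"


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    app: str        # the App-ID the firewall identified
    port: str       # transport/port actually used, e.g. "tcp/80"


def matches(rule: Rule, s: Session) -> bool:
    if (rule.from_zone, rule.to_zone) != (s.from_zone, s.to_zone):
        return False
    if rule.apps is not None and s.app not in rule.apps:
        return False
    # application-default only matches the app on its standard ports
    if rule.service == "application-default" and s.port not in APPS[s.app][2]:
        return False
    return True


def evaluate(rulebase: List[Rule], s: Session) -> Tuple[str, str]:
    """Top-down, first match wins; unmatched interzone traffic hits the implicit deny."""
    for rule in rulebase:
        if matches(rule, s):
            return rule.name, rule.action
    return "interzone-default", "deny"


# Task 2 rulebase
TASK2 = [
    Rule("General Internet", "Trust-L3", "Untrust-L3",
         {"flash", "dns", "web-browsing", "ssl", "ping"}, "application-default", "allow"),
    Rule("Deny Outbound", "Trust-L3", "Untrust-L3", None, "any", "deny"),
    Rule("Deny Inbound", "Untrust-L3", "Trust-L3", None, "any", "deny"),
]

# Task 7 rulebase: the "Known-Bad" group is assembled from the Task 5 filters
KNOWN_GOOD = {"ssl", "web-browsing", "ping", "dns", "flash"}
KNOWN_BAD = app_filter(subcategory="proxy") | app_filter("file-sharing", "browser-based")
TASK7 = [
    Rule("Known-Good", "Trust-L3", "Untrust-L3", KNOWN_GOOD, "application-default", "allow"),
    Rule("Known-Bad", "Trust-L3", "Untrust-L3", KNOWN_BAD, "any", "deny"),
    Rule("Log All", "Trust-L3", "Untrust-L3", None, "any", "allow"),
]

if __name__ == "__main__":
    for s in (Session("Trust-L3", "Untrust-L3", "boxnet", "tcp/443"),
              Session("Trust-L3", "Untrust-L3", "web-browsing", "tcp/8080"),
              Session("Trust-L3", "Untrust-L3", "ssh", "tcp/22")):
        print(s.app, s.port, "-> Task 2:", evaluate(TASK2, s), "Task 7:", evaluate(TASK7, s))
```

The case worth noticing is web-browsing on a non-standard port (tcp/8080): under the Task 7 rulebase it fails “Known-Good” because of “application-default”, is not in “Known-Bad”, and is therefore allowed by “Log All”, whereas the Task 2 rulebase denies it. That is why a permissive “allow any” catch-all should only ever be a logging aid in a lab, not a production rule.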
Task 8 – Create a custom query in the Traffic Log
Step 1: Click the “Monitor” tab > “Traffic” logs
Step 2: Click on one attribute in each of the following three columns: “From Zone”, “Destination”, “Application”
Step 3: Click the run button or press “Enter”
Step 4: Click the query writer button (“+”) and select “and”, “Bytes”, “

Module 6 – User-ID, Task 3 – User-ID Agent (optional), continued
ipconfig /all”. Look for the IP address associated with the Ethernet adapter “Management – DO NOT CONFIGURE”. (This IPv4 address should be in the range 10.30.11.66-105.)
Step 12: With the StudentPC IP address (10.30.11.___) and the Port number from Step 7, repeat Task 1 “Configure firewall to talk to User-ID Agent”
Step 13: Confirm connectivity with the CLI command “show user user-id-agent statistics”
Step 14: Review the Agent configuration with the CLI command “show user user-id-agent config name <agent name>”
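The query writer in Task 8 builds a filter out of “(field op value)” terms joined by “and”/“or”. The added example below (not part of this lab manual, and not PAN-OS code) parses that filter syntax and runs it over a handful of traffic-log rows so you can see which sessions a given query returns before typing it into the Monitor tab. The log rows are constructed for this example, with documentation addresses; the field names are the column names the task uses (from, to, src, dst, app, rule, action, bytes) and the operators eq, neq, geq and leq.

```python
"""Traffic-log filter queries for Module 4, Task 8 (added example).

Implements the subset of the PAN-OS log filter syntax the query writer
builds: "(field op value)" terms combined with and/or and parentheses.
The log rows below are constructed for this example; they are not an
export from a firewall.
"""
import re

# Constructed rows mirroring the columns used in Monitor > Traffic
TRAFFIC_LOG = [
    {"session_id": 1001, "from": "Trust-L3", "to": "Untrust-L3", "src": "192.168.5.50",
     "dst": "203.0.113.10", "app": "web-browsing", "rule": "Known-Good",
     "action": "allow", "bytes": 18344},
    {"session_id": 1002, "from": "Trust-L3", "to": "Untrust-L3", "src": "192.168.5.50",
     "dst": "203.0.113.20", "app": "ssl", "rule": "Known-Good",
     "action": "allow", "bytes": 92211},
    {"session_id": 1003, "from": "Trust-L3", "to": "Untrust-L3", "src": "192.168.5.50",
     "dst": "203.0.113.30", "app": "boxnet", "rule": "Known-Bad",
     "action": "deny", "bytes": 1423},
    {"session_id": 1004, "from": "Untrust-L3", "to": "Trust-L3", "src": "198.51.100.7",
     "dst": "172.16.5.1", "app": "web-browsing", "rule": "interzone-default",
     "action": "deny", "bytes": 0},
    {"session_id": 1005, "from": "Trust-L3", "to": "Untrust-L3", "src": "192.168.5.50",
     "dst": "10.30.11.50", "app": "dns", "rule": "Known-Good",
     "action": "allow", "bytes": 210},
]

FIELDS = {"from", "to", "src", "dst", "app", "rule", "action", "bytes"}
OPS = {
    "eq":  lambda a, b: str(a) == b,
    "neq": lambda a, b: str(a) != b,
    "geq": lambda a, b: int(a) >= int(b),
    "leq": lambda a, b: int(a) <= int(b),
}
TOKEN = re.compile(r"\(|\)|[^\s()]+")   # parentheses are their own tokens


class FilterParser:
    """Recursive descent over the query-writer grammar:
         or_expr  := and_expr ('or' and_expr)*
         and_expr := term ('and' term)*
         term     := '(' field op value ')' | '(' or_expr ')'
    'and' binds tighter than 'or'; use parentheses to make intent explicit."""

    def __init__(self, text):
        self.toks = TOKEN.findall(text)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'!r}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected trailing token {self.peek()!r}")
        return pred

    def or_expr(self):
        pred = self.and_expr()
        while self.peek() == "or":
            self.take()
            pred = (lambda l, r: lambda row: l(row) or r(row))(pred, self.and_expr())
        return pred

    def and_expr(self):
        pred = self.term()
        while self.peek() == "and":
            self.take()
            pred = (lambda l, r: lambda row: l(row) and r(row))(pred, self.term())
        return pred

    def term(self):
        self.take("(")
        if self.peek() == "(":           # nested, parenthesised expression
            pred = self.or_expr()
        else:                            # a single (field op value) term
            field, op, value = self.take(), self.take(), self.take()
            if field not in FIELDS or op not in OPS or value in ("(", ")"):
                raise ValueError(f"bad term ({field} {op} {value})")
            pred = lambda row, f=field, v=value, fn=OPS[op]: fn(row[f], v)
        self.take(")")
        return pred


def run_query(text, rows=TRAFFIC_LOG):
    """Return the log rows matching a filter string, in log order."""
    pred = FilterParser(text).parse()
    return [row for row in rows if pred(row)]


def query_ids(text, rows=TRAFFIC_LOG):
    return [row["session_id"] for row in run_query(text, rows)]


def is_valid_filter(text):
    try:
        FilterParser(text).parse()
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(query_ids("(from eq Trust-L3) and (app eq web-browsing) and (bytes geq 10000)"))
```

A malformed filter such as “(from eq)” or an unknown field name is rejected outright instead of silently matching nothing, which is the behaviour you want from any tool that feeds saved searches into reports.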
Module 7 – Decryption In this lab you will:
Create and test an SSL forward-trust certificate and SSL decryption rules

Task 1 – Pre setup and test
Step 1: Modify your Antivirus profile (from Module 5, Task 3) to “Alert”
Step 2: Apply the AV profile to the “Known-Good” and “Log All” Security Policies
Step 3: Remove the File Blocking profiles from the Security Policies
Step 4: Commit the changes
Step 5: Go to the eicar.org site and find the “Download Anti-Malware test files” page.
Step 6: Test downloading one of the EICAR test files over plain HTTP (without SSL decryption)
Step 7: From the same web page, test downloading eicar.com or eicar.com.txt over SSL (the https link)
Step 8: Look at the “Monitor” tab > “Threat” logs. Was the virus detected? For the HTTP download it should have been; for the SSL download it should not have been, because the connection was encrypted and the firewall could only see the TLS stream. We will now enable SSL decryption so that the test file inside the SSL connection is visible to the Antivirus profile.
Task 2 – Create an SSL self-signed Certificate
Step 1: Click the “Device” tab > “Certificates” screen
Step 2: Click “Generate” along the bottom of the screen.
Step 3: Set the certificate fields as follows:
Certificate Name: “Student-ssl-cert”
Common Name: “192.168.X.1” (where X is your student number)
Country: “US” (or another 2-letter country code)
State, Locality, Organization, Department, Email, Host Name, and IP: values as desired
Step 4: Select “Certificate Authority” below the “Signed By” field (the firewall will use this CA to re-sign the server certificates it intercepts).
Step 5: Click “Generate”
Step 6: Once the certificate has successfully been generated, click on it to bring up the certificate properties, and select “Forward Trust Certificate” and “Forward Untrust Certificate”
Step 7: Click “OK”
NOTE: Using the same CA for both roles is a lab shortcut. In production the Forward Untrust certificate should be one the clients do NOT trust, so that a server whose certificate fails validation upstream still produces a browser warning instead of being silently re-signed by the trusted CA.
Task 3 – Create SSL Outbound Decryption Policies
Step 1: Click the “Policies” tab > “Decryption”.
Step 2: Click “Add” and create an SSL decryption rule with the following parameters:
General tab: Name “No-Decrypt”
Source tab: Source Zone “Trust-L3”
Destination tab: Destination Zone “Untrust-L3”
Options tab: Action “no-decrypt”, URL Categories “Health and medicine”, “Shopping”, “Financial Services”
Step 3: Click “Add” and create an SSL decryption rule with the following parameters:
General tab: Name “Decrypt-all-traffic”
Source tab: Source Zone “Trust-L3”
Destination tab: Destination Zone “Untrust-L3”
Options tab: Action “decrypt”, Type “SSL Forward Proxy”, URL Categories: Any
Step 4: Confirm that the “No-Decrypt” rule is above the “Decrypt-all-traffic” rule (decryption rules, like security rules, are matched top-down), then click “Commit”.
Step 5: To test the “No-Decrypt” rule, first determine which URLs fall into the financial services, shopping, or health and medicine categories. Go to http://www.brightcloud.com/ and enter various URLs that you believe fall into those categories.
Step 6: Once you have found a couple of web sites that are classified as you expect, use a browser to go to those sites. You should not see a certificate error when you go to those sites, because their sessions are not decrypted and the server's own certificate reaches the browser unchanged.
Step 7: To test the SSL decryption rule, go to the www.eicar.org downloads page and download the test file over SSL. You will get a certificate error. This is expected behaviour, and you can proceed. (The certificate error appears because the firewall is intercepting the SSL connection, performing man-in-the-middle decryption, and presenting a certificate issued by the “Student-ssl-cert” CA, which the StudentPC browser does not yet trust.)
HINT: If the download doesn’t proceed, review the firewall Traffic log and URL Filtering log. (You may need the IP address of the Eicar site.)
Step 8: Examine the Threat logs. The virus should have been detected, since the SSL connection was decrypted. To the left of the log entry, click on the magnifying glass icon. Scroll to the bottom and look for the field “Decrypted”. The value should say “yes”.
Step 9: Examine the Traffic logs. Find the entry with the SSL application that corresponds to the eicar download. Examine the details view. The “Decrypted” box should be checked.
Task 4 – Set SSL exclude cache
Step 1: Open an SSH connection to the student firewall.
Step 2: Set the exclude cache for the eicar.org domain. From configure mode, type:
set shared ssl-decrypt ssl-exclude-cert eicar.org
then commit.
Step 3: Repeat Steps 7, 8, and 9 from the previous Task.
Question: what entries are now in the Traffic and Threat logs?
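To see why Step 4 of Task 3 insists on rule order, and what the exclude entry from Task 4 changes, here is an added first-match model of the two decryption rules and the exclude list (example code, not from the lab manual or PAN-OS). Rule names, zones, actions and categories are the lab’s; the URL-category table is constructed sample data, and treating an exclude entry as covering its subdomains is an assumption.

```python
# Added example (not from the lab manual): a first-match model of the Task 3
# decryption rulebase plus the Task 4 exclude list. Rule names, zones, actions
# and categories come from the lab; the category table is constructed data.
from dataclasses import dataclass, field

@dataclass
class DecryptRule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                   # "decrypt" or "no-decrypt"
    categories: set = field(default_factory=set)  # empty set means "Any"

# Rulebase in evaluation order: Step 4 requires No-Decrypt above Decrypt-all-traffic.
RULEBASE = [
    DecryptRule("No-Decrypt", "Trust-L3", "Untrust-L3", "no-decrypt",
                {"health-and-medicine", "shopping", "financial-services"}),
    DecryptRule("Decrypt-all-traffic", "Trust-L3", "Untrust-L3", "decrypt"),
]

# Constructed sample data standing in for the URL category lookup of Step 5.
CATEGORIES = {
    "www.eicar.org": "computer-and-internet-info",
    "bank.example": "financial-services",
    "shop.example": "shopping",
}

# Domains entered with "set shared ssl-decrypt ssl-exclude-cert <domain>" (Task 4).
SSL_EXCLUDE = {"eicar.org"}

def excluded(host, exclude=SSL_EXCLUDE):
    """True if host, or any parent domain of it, is on the exclude list
    (assumption: an entry covers its subdomains)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in exclude for i in range(len(labels)))

def evaluate(rules, host, exclude=SSL_EXCLUDE,
             src_zone="Trust-L3", dst_zone="Untrust-L3"):
    """Return (matching rule name, effective action) for a session to host."""
    category = CATEGORIES.get(host, "unknown")
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.categories and category not in rule.categories:
            continue
        # First match wins. The exclude list overrides a decrypt verdict, so the
        # session is passed through and its payload is never inspected.
        if rule.action == "decrypt" and excluded(host, exclude):
            return rule.name, "no-decrypt (ssl-exclude-cert)"
        return rule.name, rule.action
    return None, "no-decrypt (no rule matched)"
```

Reversing the rulebase order sends a financial-services site to the decrypt rule, which is the mistake Step 4 guards against.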
Task 5 – Review Self-signed Certificate on StudentPC browser
Step 1: Open the browser used to test the SSL Outbound Decryption policy created in Task 3. Find the certificate that was generated in Task 2, which should now be in the StudentPC browser.
Module 8 – VPN
In this lab you will:
Configure an IPsec tunnel to another Student firewall – Trust Zone
Configure an IPsec tunnel to another Student firewall – Untrust Zone
Task 1 – Configure IPsec Tunnel – Trust Zone
Step 1: Pick another student firewall and fill in the following:
Your Student Number: ..............................................(X) ____
Partner’s Student Number: .......................................(Y) ____
Partner’s Ethernet1/1.2xx IP Address: .....................172.16.____(Y).1
Partner’s Trusted Network: .....................................192.168.____(Y).0
Partner’s Ethernet1/2 IP address: ............................192.168.____(Y).1
Step 2: Click “Network” tab > “Interface” > “Tunnel” tab.
Step 3: Select “Add”.
Step 4: Create a new tunnel interface. Configure the Tunnel Interface with the following:
Tunnel Interface Name: .............................................tunnel.____(X)
Virtual Routers: ..........................................................“Student-VR”
Zone: ..........................................................................“Trust-L3”
Step 5: Click “Network” tab > “IKE Gateway”.
Step 6: Click “Add” and configure with the following:
Name: .........................................................................Student-____(Y)
Interface: ....................................................................“ethernet1/1.2xx”
Local IP Address: ........................................................172.16.____(X).1
Peer IP Address: .........................................................172.16.____(Y).1
Pre-shared Key: ..........................................................paloalto
Step 7: Click “Network” tab > “IPsec Tunnels”.
Step 8: Click “Add” and configure with the following:
Name: .........................................................................Tunnel-to-____(Y)
Tunnel Interface: ........................................................tunnel.____(X)
IKE Gateway: ..............................................................Student-____(Y)
Step 9: Click “Network” tab > “Virtual Routers”.
Step 10: Click on “Student-VR”.
Step 11: Click the “Static Route” tab.
Step 12: Click “Add” to add a route with the following information:
Name: “student(Y)”
Destination: “192.168.____(Y).0/24”
Interface: “tunnel.____(X)”
Step 13: Commit your changes.
Step 14: Test VPN tunnel connectivity by opening a command prompt window and typing:
C:\Documents and Settings\student> ping 192.168.____(Y).1
Question: do you need to modify your security policy? Why or why not?
_____________________________________________________________
(Answer: Since the tunnel interface is in the Trust-L3 zone, no policy changes are required.)
Reference:
admin@PA-500> show vpn tunnel
    Shows current tunnels (has a tunnel ID as first column, “TnID”)
admin@PA-500> show vpn flow tunnel-id
    Shows detailed info on a specific tunnel (will show packets and bytes through the tunnel)
admin@PA-500> clear vpn ike-sa gateway all
    Tears down all tunnels and gateway SAs
admin@PA-500> test vpn ipsec-sa tunnel
    Initiates Phase 1 and 2 SAs for the specified tunnel
Task 2 – Configure IPsec Tunnel – Untrust Zone
Step 1: Edit your tunnel interface and change the Security Zone to “Untrust-L3”.
Step 2: Commit your changes.
Step 3: Attempt to ping the remote student’s internal gateway interface IP address (192.168._Y_.1).
Question: Does the ping work? If not, why?
________________________________
Answer: It should not work, because there is no policy to allow the traffic.
Step 4: Create a new Security Policy Rule from your Trust zone to your Untrust zone. You should create address objects for your network and your partner’s network and use them to make your policy more restrictive. You will also need to build a policy from Untrust to Trust to allow the inbound traffic from your partner’s network.
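Most tunnels that fail to come up in Task 1 do so because the two worksheets do not mirror each other, and the Task 1 and Task 2 questions both turn on which zone the tunnel interface sits in. The added example below (not from the lab manual or PAN-OS) fills in both partners’ worksheets from X and Y, checks that they agree, and models the zone rule; the function names and the (source zone, destination zone) rule format are hypothetical.

```python
# Added example (not from the lab manual): fill in the Module 8 worksheet for
# both partners from student numbers X and Y, check that the two sides mirror
# each other, and model the zone question from Task 1 and Task 2. Names and
# addresses follow the lab; the functions and the rule format are hypothetical.

def tunnel_worksheet(me: int, partner: int) -> dict:
    """Values one student enters for the tunnel to a partner (Steps 4 to 12)."""
    return {
        "tunnel_if": f"tunnel.{me}",
        "ike_gateway": f"Student-{partner}",
        "local_ip": f"172.16.{me}.1",        # this firewall's ethernet1/1.2xx
        "peer_ip": f"172.16.{partner}.1",    # partner's ethernet1/1.2xx
        "psk": "paloalto",
        "ipsec_tunnel": f"Tunnel-to-{partner}",
        "route": {"dest": f"192.168.{partner}.0/24", "interface": f"tunnel.{me}"},
    }

def peer_mismatches(a: dict, b: dict) -> list:
    """Inconsistencies that keep IKE or IPsec from coming up, or routing from working."""
    problems = []
    if a["local_ip"] != b["peer_ip"] or b["local_ip"] != a["peer_ip"]:
        problems.append("local and peer IP addresses do not mirror each other")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    for side in (a, b):
        if side["route"]["interface"] != side["tunnel_if"]:
            problems.append("static route does not point at the tunnel interface")
    return problems

def traffic_allowed(src_zone: str, dst_zone: str, rules: list) -> bool:
    """Security policy check behind the Task 1 and Task 2 questions: traffic
    between interfaces in the same zone is allowed by the default intrazone
    rule, while traffic between different zones needs an explicit rule.
    rules is a list of (source zone, destination zone) allow rules."""
    if src_zone == dst_zone:
        return True
    return any(rule == (src_zone, dst_zone) for rule in rules)
```

With the tunnel in Trust-L3 the ping needs no rule; once it moves to Untrust-L3, outbound pings need a Trust-L3 to Untrust-L3 rule and the partner’s pings need the reverse one, as Task 2 Step 4 describes.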
Module 9 – High Availability (optional)
In this lab you will:
Configure an Active/Passive pair with another Student firewall
Task 1 – Configure HA – Active/Passive
Step 1: Click the “Dashboard” tab > “High Availability” Dashboard Widget.
Step 2: Click on “Network” tab > “Interfaces”.
Step 3: Set interfaces “ethernet1/7” and “ethernet1/8” to Type “HA”, then click “Commit”.
Step 4: Work with another student firewall and fill in the following:
Your Student Number: ..............................................(X) ____
Partner’s Student Number: .......................................(Y) ____
Step 5: Agree upon IP and device information to fill in the following:
Group ID: .............................................................._____ (Pick one of your Student numbers)
Control Link: ........................................................ethernet1/7
Your Control Link IP: ............................................10.10.____.____(X) (3rd octet is lower student number)
Partner Control Link IP: .......................................10.10.____.____(Y) (3rd octet is lower student number)
Data Link: .............................................................ethernet1/8
Your Data Link IP: ................................................10.10.____.____(X) (3rd octet is higher student number)
Partner Data Link IP: ...........................................10.10.____.____(Y) (3rd octet is higher student number)
Your Device Priority: ...........................................____(X)
Partner Device Priority: .......................................____(Y)
Step 6: Click on the “Device” tab > “High Availability” and configure the following with the information collected in Step 5.
Step 7: Click “Edit” in the “Setup” box:
HA Enabled: .........................................................click check box
Group ID: ..............................................................Determined in Step 5
Peer HA IP Address: .............................................Partner Control Link IP
Step 8: Click “Edit” in the “Control Link (HA1)” box and configure with the following:
Control Link Port: ................................................ethernet1/7
Control Link IP address: .......................................Your Control Link IP
Control Link Netmask: ........................................./24
Step 9: Click “Edit” in the “Data Link (HA2)” box:
Data Link Port: .....................................................ethernet1/8
Data Link IP address: ...........................................Your Data Link IP
Data Link Netmask: ............................................./24
Step 10: Click “Edit” in the “Election Settings” box:
Device Priority: ....................................................Your Student Number
Heartbeat Backup: ...............................................Enabled
Step 11: Click the “Link and Path Monitoring” tab and enter the following in the “Link Monitoring” section (ON LOWER DEVICE PRIORITY FIREWALL ONLY):
Enabled: ...............................................................click check box
Failure Condition: ................................................Any
Link Group Name: ................................................“Student HA”
Interfaces: ............................................................“ethernet1/7”, “ethernet1/8”
Step 12: Commit all changes
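The HA worksheet in Step 5 has two addressing rules (lower student number in the HA1 third octet, higher in the HA2 third octet) and a placement rule in Step 11 (link monitoring on the lower device priority firewall only) that are easy to get out of step between partners. The added example below (not from the lab manual or PAN-OS) derives both firewalls’ values from X, Y and the agreed group ID and checks the pair for the mismatches that stop it forming; the function names are hypothetical, the octet scheme is the lab’s.

```python
# Added example (not from the lab manual): fill in the Module 9 HA worksheet
# for both partners from student numbers X and Y and check the rules the lab
# states (HA1 third octet = lower student number, HA2 = higher, Peer HA IP =
# partner's HA1 IP, link monitoring on the lower device priority firewall
# only). The octet scheme is the lab's; the functions are hypothetical.

def ha_worksheet(me: int, partner: int, group_id: int) -> dict:
    """Step 5 to Step 11 values for one firewall of the pair."""
    lo, hi = sorted((me, partner))
    return {
        "group_id": group_id,
        "priority": me,                            # Step 10: your student number
        "ha1_port": "ethernet1/7",
        "ha1_ip": f"10.10.{lo}.{me}",
        "peer_ha1_ip": f"10.10.{lo}.{partner}",   # Step 7: Peer HA IP Address
        "ha2_port": "ethernet1/8",
        "ha2_ip": f"10.10.{hi}.{me}",
        "netmask": "/24",
        "heartbeat_backup": True,
        "link_monitoring": me < partner,           # Step 11: lower priority only
    }

def same_slash24(ip_a: str, ip_b: str) -> bool:
    """True when both addresses share the first three octets (the /24 netmask)."""
    return ip_a.rsplit(".", 1)[0] == ip_b.rsplit(".", 1)[0]

def pair_mismatches(a: dict, b: dict) -> list:
    """Inconsistencies that keep the pair from forming or make failover unsafe."""
    problems = []
    if a["group_id"] != b["group_id"]:
        problems.append("group IDs differ")
    if a["peer_ha1_ip"] != b["ha1_ip"] or b["peer_ha1_ip"] != a["ha1_ip"]:
        problems.append("Peer HA IP does not match the partner's control link IP")
    if not (same_slash24(a["ha1_ip"], b["ha1_ip"])
            and same_slash24(a["ha2_ip"], b["ha2_ip"])):
        problems.append("HA1 or HA2 addresses are not in a shared /24")
    if a["priority"] == b["priority"]:
        problems.append("equal device priorities make the election ambiguous")
    if a["link_monitoring"] == b["link_monitoring"]:
        problems.append("link monitoring must be enabled on exactly one firewall")
    return problems

def preferred_active(a: dict, b: dict) -> int:
    """PAN-OS treats the lower device priority value as the preferred active
    member; return that member's priority (its student number in this lab)."""
    return min(a["priority"], b["priority"])
```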
Module 10 – Panorama
In this lab you will:
Identify the student firewall logs on the Panorama
Create and push policy to the student firewall
Conduct a Config Audit
Task 1 – Pre-setup and test
Step 1: Remove the HA configuration from the Module 9 lab.
Step 2: Click the “Device” tab > “Setup” > “Management” > “Panorama Settings” and add the IP address (provided by the instructor) of the Panorama server.
Step 3: Make sure “Enabled Shared Config” is selected (this is indicated when the button reads “Disable Shared Config”), then Commit all changes.
Task 2 – Create a custom report - Panorama
Step 1: Log into the Panorama server.
IP Address: .....................................................https://____.____.____.____
Login: ..............................................................“Student____(X)” (X = student number)
Password: ......................................................paneduX
Step 2: Click on “Monitor” tab > “Manage Custom Reports”.
Step 3: Create the report with the following:
Name: .................................................“Student.____(X)” (X = student number)
Database: ...........................................“Device Traffic Log”
Selected Columns: .............................“Action”, “Application”, “Rule”, “Source User”, “Day”, “Hour”
Time Frame: .......................................“Last 7 Days”
Query Builder: ...................................(serial eq _________)
You can find the serial number of your student firewall on the “Dashboard” tab.
Step 4: Save the template, then “Run Now” to confirm.
Task 3 – Create an Application Group Object
Step 1: Click “Objects” tab > “Application Group”.
Step 2: Create a new group called “Pano-app-group-1”.
Step 3: Add the application “facebook-base”.
Task 4 – Create Pre/Post Policy
Step 1: Click the “Policies” tab > “DoS Protection” > “Post Rules”.
Step 2: Click “Add” and create a rule called “Pano-DoS-Student___(X)” (X = student number) with the following criteria:
Source Zone: ..................................................“Untrust-L3”
Destination Zone: ..........................................“Trust-L3”
Action: ............................................................“Protect”
Step 3: Click the “Policies” tab > “Security” > “Pre Rules”.
Step 4: Click “Add” and create a rule called “Pano-Sec-Student___(X)” (X = student number) with the following criteria:
Source Zone: ..................................................“Trust-L3”
Destination Zone: ..........................................“Untrust-L3”
Application: ...................................................use the Application Group built in Task 3
Action: ............................................................Deny
Task 5 – Push config to student firewall
Step 1: Click “Panorama” tab > “Managed Devices”.
Step 2: Scroll to your Student number and click the “Click to see the config changes…” icon (in the “Device Group” column).
Step 3: Select “Lines of context ‘All’” and review the Additions, Modifications, and Deletions.
HINT: If for some reason the Config Audit window doesn’t appear, the browser may be blocking pop-ups. You will need to allow pop-ups, then close and reopen the browser.
Step 4: Close the Config Audit window and click the “Click to commit all to device Student(X)” icon (in the “Device Group” column). This action will cause a commit on the Student firewall.
Do NOT select the “Merge with Candidate Config” check box.
Task 6 – Switch context and review Policy on firewall
Step 1: On the Student firewall, click “Tasks” in the lower right-hand corner and wait for the commit.
Step 2: Click the “Context” drop-down in the upper left corner of the Panorama and select the student firewall.
Step 3: Review the configuration pushed from the Panorama.
Step 4: Open a new browser window and connect to an external web site.