PAN-EDU-101 - Lab Manual PAN-OS 6.0 - Rev A.PDF
January 13, 2017 | Author: Ruben De Sis Temas | Category: N/A
Short Description
Download PAN-EDU-101 - Lab Manual PAN-OS 6.0 - Rev A.PDF...
Description
Firewall Installation, Configuration, and Management: Essentials I
Lab Manual PAN-OS 6.0 PAN-EDU-101 Rev A.200
PAN‐EDU‐101
Palo Alto Networks, Inc. www.paloaltonetworks.com © 2007-2014 Palo Alto Networks. All rights reserved. Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners. Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 2
PAN‐EDU‐101
Typographical Conventions This guide uses the following typographical conventions for special terms and instructions. Convention
Meaning
Example
Boldface
Names of commands, keywords, and selectable items in the web interface
Click Security to open the Security Rule Page
Italics
Name of parameters, files, directories, or Uniform Resource Locators (URLs)
The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com
courier font
Coding examples and text that you enter at a command prompt
Enter the following command: a:\setup
Click
Click the left mouse button
Click Administrators under the Device tab.
Right-click
Click the right mouse button
Right-click on the number of a rule you want to copy, and select Clone Rule.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 3
PAN‐EDU‐101
Table of Contents
How to use this Lab Guide ................................................................................................... 6 Lab Guide Objectives ........................................................................................................... 6 Lab Equipment Setup .......................................................................................................... 7 Lab Assumptions ................................................................................................................. 7 Student Firewall Interface Settings ...................................................................................... 7 Module 1 – Administration and Management ..................................................................... 8 Scenario ............................................................................................................................................................................ 8 Required Information ....................................................................................................................................................... 8
Module 2 – Interface Configuration (optional) .................................................................... 9 Scenario ............................................................................................................................................................................ 9 Required Information ....................................................................................................................................................... 9
Module 3 – Layer 3 Configuration ...................................................................................... 10 Scenario .......................................................................................................................................................................... 10 Required Information ..................................................................................................................................................... 11
Module 4 – App‐ID ............................................................................................................ 12 Scenario 1 ................................................................................................................................................................... 12 Required Information ..................................................................................................................................................... 12 Scenario 2 ................................................................................................................................................................... 13 Required Information ..................................................................................................................................................... 14 Lab Notes ........................................................................................................................................................................ 14
Module 5 – Content‐ID ...................................................................................................... 15 Scenario .......................................................................................................................................................................... 15 Required Information ..................................................................................................................................................... 16 Lab Notes ........................................................................................................................................................................ 16
Module 6 – Decryption ...................................................................................................... 17 Scenario .......................................................................................................................................................................... 17 Required Information ..................................................................................................................................................... 18 Lab Notes ........................................................................................................................................................................ 18
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 4
PAN‐EDU‐101
Solutions ........................................................................................................................... 19 Module 1 – Introduction (Lab Access) ............................................................................................................................ 19 Module 2 – Interface Configuration ............................................................................................................................... 21 Module 3 – Layer 3 Configuration .................................................................................................................................. 23 Module 4 – App‐ID .......................................................................................................................................................... 26 Module 5 – Content‐ID ...................................................................................................................................................... 36 Module 6 ‐ Decryption .................................................................................................................................................... 43
CLI Reference .................................................................................................................... 47 Module 1 – Administration and Management ............................................................................................................... 47 Module 2 – Interface Configuration ............................................................................................................................... 47 Module 3 – Layer 3 Configuration .................................................................................................................................. 48 Module 4 – App‐ID .......................................................................................................................................................... 48 Module 5 – Content‐ID ...................................................................................................................................................... 48 Module 6 ‐ Decryption .................................................................................................................................................... 48
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 5
PAN‐EDU‐101
How to use this Lab Guide The Lab Guide contains lab exercises which correspond to modules in the student guide. Each lab exercise consists of three parts: a scenario, a solution, and a CLI reference. The scenario describes the lab exercise in terms of objectives and customer requirements. Minimal instructions are provided to encourage students to solve the problem on their own. If appropriate, the scenario includes a diagram and a table of required information needed to complete the exercise. The solution is designed to help students who prefer step‐by‐step, task‐based labs. Alternatively, students who start with the scenario can use the solution to check their work or to provide help if they get stuck on a problem. The CLI reference is intended as a starting point for students interested in the CLI commands. A partial set of CLI commands are provided for students to research further in the Palo Alto Networks Command Line Reference Guide.
NOTE: Unless specified, the Google Chrome web browser and the PuTTY SSH client will be used to perform any tasks outlined in the following labs.
Lab Guide Objectives This lab guide is designed specifically for a single student attending the self‐paced version of the Essentials I course. The instructor‐led version of the course includes additional exercises which can only be completed in a classroom environment with other students and additional equipment. Once these labs are completed, you should be able to:
1. Configure the basic components of the firewall, including interfaces, security zones, and security policies 2. Configure basic Layer 3 settings, such as IP addressing and NAT policies. 3. Configure basic Content‐ID functionality, including antivirus protection and URL filtering. 4. Configure SSL decryption.
With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help enabled this training to be built, tested, and deployed. Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 6
PAN‐EDU‐101
Lab Equipment Setup
DHCPenabled Network
Internet
Lab Assumptions These lab instructions assume the following conditions: 1. The student is using a PA‐200 firewall which has been registered with Palo Alto Networks Support. 2. The PA‐200 firewall is using the default IP address on the MGT interface (192.168.1.1) and the default password (admin) for the admin account. 3. The firewall is licensed for Support, Threat Prevention, and URL Filtering. 4. All network connectivity for the student laptop used for the lab has been disabled except for the Ethernet adapter which will be connected to the firewall. 5. The firewall should have no policies defined on it. 6. The network that the student will connect to has a DHCP server from which the firewall can obtain an IP address and DNS information. 7. There are no other Palo Alto Networks firewalls between the student’s PA‐200 and the internet. The labs will still work if upstream firewalls exist, but the results will vary based on the firewall settings.
Student Firewall Interface Settings
Student Firewall
PA‐200
Interface:
Type:
MGT Ethernet 1/1 Ethernet 1/2 Ethernet 1/3 Ethernet 1/4
Management Vwire Vwire Layer 3 Layer 3
Lab Manual
IP Address:
Zone:
192.168.1.1
N/A trust untrust Untrust‐L3 Trust‐L3
DHCP Client 192.168.2.1/24
PAN‐OS 6.0 – Rev A.200
Page 7
PAN‐EDU‐101
Module 1 – Administration and Management In this lab you will:
Connect to the firewall through the MGT interface Create new administrator roles and accounts on the firewall
Scenario You have been tasked with integrating a new firewall into your environment. The firewall is configured with the factory default IP address and administrator account. You will need to change the IP address of your laptop to communicate with the default IP address of the MGT port. If your firewall has settings you would like to restore after the completion of this lab, save the current configuration so that it can be reloaded on the firewall. Apply a saved configuration to the firewall so that it is in a known state. In preparation for the new deployment, create a role for an assistant administrator which allows access to all firewall functionality through the WebUI except Monitor, Network, Privacy, and Device. The account should have no access to the XML API or the CLI. Create an account using this role. Additionally, change the password of the admin account to disable the warnings about using default credentials.
Required Information
Named Configuration Snapshot New Administrator Role name New Administrator Account name New Administrator Account password New password for the admin account Lab Manual
PAN‐EDU‐101‐Default Policy Admins ip-admin paloalto paloalto PAN‐OS 6.0 – Rev A.200
Page 8
PAN‐EDU‐101
Module 2 – Interface Configuration (optional) In this lab you will:
Create Security Zones Configure basic interface types
Scenario:
You are preparing the firewall for a simple proof of concept (POC). In order to demonstrate firewall features with a minimum of changes to the existing network, you have decided to use virtual wire to pass traffic through the firewall for one network segment and a tap interface to monitor a different network segment. Configure the virtual wire and create zones so that policy rules can be defined. Create a tap interface and the associated zone. Note: Due to the limited number of interfaces available on a PA‐200, the configurations set in this lab will be immediately removed so that the interfaces may be reused for later labs.
Required Information
Interface to use for tap interface Interfaces to use for virtual wire Name for the tap zone Name for the virtual wire zones Name for the virtual wire object
Lab Manual
Ethernet1/3 Ethernet1/3 Ethernet1/4 tap-zone vwire-zone-3 vwire-zone-4 student-vwire
PAN‐OS 6.0 – Rev A.200
Page 9
PAN‐EDU‐101
Module 3 – Layer 3 Configuration In this lab you will:
Create Interface Management Profiles Configure Ethernet interfaces with Layer 3 information Configure DHCP Create a Virtual Router Create Source NAT policy
Scenario:
The POC went well and the decision was made to use the Palo Alto Networks firewall in the network. You are to create two zones, Untrust‐L3 and Trust‐L3. The external‐facing interface in Untrust‐L3 will get an IP address from a DHCP server on the external network. Trust‐L3 will be where the internal clients connect to the firewall and so the interface in Trust‐L3 will provide DHCP addresses to these internal clients. The DHCP server you configure in the Trust‐L3 zone will inherit DNS settings from the external facing interface. Both the internal and external interfaces on the firewall must route traffic through the external‐facing interface by default. The interface in Untrust‐L3 must be configured to respond to pings and the interface in Trust‐L3 must be able to provide all management services. NOTE: You will not be able to test whether the Untrust‐L3 interface responds to pings until the next lab. Once you have completed the Layer 3 configurations, you will need to move the physical Ethernet cable from the MGT port to the ethernet1/4 port of the PA‐200. You must also change the settings of the LAN interface on your laptop to use DHCP‐supplied network information (IP address and DNS servers) instead of static settings. When the firewall is fully configured, a NAT policy must exist so that all traffic originating in the Trust‐L3 zone appears to come from the external‐facing address of the firewall.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 10
PAN‐EDU‐101
Required Information
Interface Management Profile Names Internal-facing IP Address External-facing interface Internal-facing interface DHCP Server: Gateway DHCP Server: Inheritance Source DHCP Server: Primary DNS DHCP Server: IP address range Virtual Router Name
Lab Manual
allow_all allow_ping 192.168.2.1/24 Ethernet1/3 Ethernet1/4 192.168.2.1 Ethernet1/3 inherited 192.168.2.50-192.168.2.60 Student-VR
PAN‐OS 6.0 – Rev A.200
Page 11
PAN‐EDU‐101
Module 4 – App‐ID In this lab you will:
Enable the firewall to communication with the Palo Alto Networks update server Update the threat definitions and OS of the firewall Create a security policy to allow basic internet connectivity and log dropped traffic Enable Application Block pages Create Application Filters and Application Groups
Scenario 1:
In order to update the software on the firewall, you must enable the DNS, paloalto‐updates, and SSL applications to pass between the zones. The applications should only be permitted on application default ports. Configure the firewall to communicate with DNS and Palo Alto Networks update servers through the Trust‐L3 interface. Once these configurations are complete, license your firewall. Update the Threats and Applications datafile to the most recent version.
Required Information
DNS Server for the MGT functions Address to use for Service Routes Name to use for Security Policy
Lab Manual
4.2.2.2 192.168.2.1/24 General Internet
PAN‐OS 6.0 – Rev A.200
Page 12
PAN‐EDU‐101
Scenario 2:
At this point, the firewall is configured but not passing traffic. Security policies must be defined before traffic will flow between zones. To facilitate testing and present the minimal amount of risk to the network traffic, the policies will be established in a three‐phase deployment: Phase 1: Modify the General Internet policy to allow users in the Trust‐L3 zone to use a set of commonly used applications to access the internet. The applications should only be permitted on application default ports. All other traffic (inbound and outbound) should be blocked and logged so that you can identify what other applications are being used. This will help generate lists of good and bad applications to be managed in the later phases. Phase 2: Configure the firewall to notify users when blocked applications are used so that the helpdesk does not get called for “connection issues” that are actually blocked applications. Phase 3: The results from the first two phases of testing result in the following discoveries:
The logs from phase 1 show heavy use of a variety of internet proxies and client‐server gaming applications by users in the Trust‐L3 zone. Management mandates that you explicitly prevent use of these applications. For ease of configuration, your team decides to create groups for the allowed and denied applications to reduce the number of policies required on the firewall. The rules blocking all unmatched traffic were too restrictive for your environment. The testing denied access to numerous vital applications, causing a surge in support calls. Any traffic which does not match the allowed or denied lists should be allowed but logged for future policy decisions.
Modify General Internet and create new policies (Block‐Known‐Bad and Log‐All) to meet these new requirements. Remove the other policies created in Phase 1. Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 13
PAN‐EDU‐101
Required Information
dns fileserve flash ftp paloalto-updates ping web-browsing ssl General Internet Deny Inbound Deny Proxies Web-Based-File-Sharing General Internet Deny Inbound BlockKnown-Bad Log-All
Phase 1 Allowed Applications
Phase 1 Security Policy names Phase 3 Application Filter names
Phase 3 Security Policy names Setting for Proxies application filter Settings for Web-Based-File-Sharing application filter Phase 3 Application Group names
Members of the Known-Good application group
Members of the Known-Bad application group
Subcategory: Proxies Subcategory: file-sharing Technology: browser-based Known-Good Known-Bad dns fileserve flash ftp paloalto-updates ping web-browsing ssl Proxies Web-Based-File-Sharing
Lab Notes
During Phase 1, test your connectivity by connecting to http://www.box.net (login: student@pan‐ edu.com, password: paloalto1). Use the traffic logs to determine how the firewall handles that connection. During Phase 2, check to see what happens when you browse to www.facebook.com before and after you make your changes. The lab solutions use the buttons at the bottom of the policy screens to change the order of the rules. Rules can also be reordered by clicking and dragging the rules to the desired location.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 14
PAN‐EDU‐101
Module 5 – Content‐ID In this lab you will:
Configure Security Profiles Create a Security Profile group Associate Security Profiles and Security Profile Groups to Security Policy Generate a custom report
Scenario
Now that traffic is passing through the firewall, you decide to further protect the environment with Security Profiles. The specific security requirements for general internet traffic are:
Log all URLs accessed by users in the Trust‐L3 zone. In particular, you need to track access to a set of specified technology websites. Access to all hacking and government sites should be set to Continue. Block the following URL categories: o Adult and pornography o questionable o Unknown Log, but do not block, all viruses detected and maintain packet captures of these events for analysis. Log spyware of severity levels critical and high detected in the traffic. Ignore all other spyware. Configure files to be automatically forwarded to WildFire with no user interaction.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 15
PAN‐EDU‐101
After all of these profiles are configured, send test traffic to verify that the protection behaves as expected. Testing parameters will be included in the Required Information section of this lab. After the initial testing is complete, you are asked to change the Antivirus protection to block viruses. Make the changes and verify the difference in behavior. Once the individual profiles are created and tested, combine the profiles into a single group for ease of management. Attach the group to the appropriate security policies. Your manager wants to see daily reports which detail the threats encountered by the firewall. Configure a custom report to show a threat summary for all traffic allowed in the past 24 hours. It should include the threat name, the application (including technology and sub‐category for reference), and the number of times that threat was encountered. Export the file as a PDF.
Required Information
Custom Technology sites to track
Location of files for testing antivirus
Hacking sites for testing URL Filtering Procedure for testing file blocking
www.slashdot.org www.cnet.com www.phys.org www.zdnet.com 1. Browse to http://www.eicar.org 2. Click Anti-Malware Testfile. 3. Click Download 4. Download any of the files using http only. Do not use the SSL links. www.2600.org www.neworder.box.sk 1. Navigate to the web site http://www.opera.com 2. Download the installer to your local system
Lab Notes
You do not need to assign profiles to all of the security policies you have created in the lab. The “Known‐Bad” policy has an action of deny so profiles will do nothing for that rule. Only test the antivirus profile using http, not https. HTTPS connections will prevent the firewall from seeing the packet contents so the viruses contained will not be detected by the profile. Decryption will be covered in a later module.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 16
PAN‐EDU‐101
Module 6 – Decryption In this lab you will:
Create a self‐signed SSL certificate Configure the firewall as a forward‐proxy using decryption rules
Scenario Your security team is concerned about the results of the testing performed as part of the security profile configurations. The team observed that the antivirus profile only identified virus which were not SSL encrypted. The concern is that files transferred from encrypted sources (e.g., https://www.facebook.com) could escape detection and cause issues. For testing purposes, you will need to change the antivirus profile to alert instead of blocking the file. Verify that https downloads of virus files from www.eicar.org are detected by the antivirus profile. You want to evaluate using a forward‐proxy configuration on the Palo Alto Networks firewall. Only traffic from Trust‐L3 to Untrust‐L3 needs to be decrypted. Since this is not production, you decide to use self‐ signed SSL certificates generated on the firewall for this implementation. The legal department has advised you that certain traffic should not be decrypted for liability reasons. Specifically, you may not decrypt traffic from health‐related, shopping, or financial web sites. Test the decryption two ways:
Attempt to download test files from www.eicar.org using https and verify that they are detected by the firewall Connect to various websites using https and use the logs to verify that the correct URL categories are being decrypted
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 17
PAN‐EDU‐101
After your initial testing of the forward‐proxy, the penetration testing team calls you to request an exception to the decryption rules. The team asks that www.eicar.org be excluded from decryption so that they will still be able to download the files they need to perform their evaluations. Change the implementation to allow this exception.
Required Information
Self-signed Certificate name Common Name of the SSL Certificate Decryption Policies
student-ssl-cert 192.168.2.1 no-decrypt-traffic decrypt-all-traffic
Lab Notes
You will get certificate errors when browsing after decryption is enabled. This is expected because the self‐signed certificates have not been added to the trusted certificates of the client browser. In a production environment you would resolve this by adding the firewall certificate to the clients as trusted or by using a commercial certificate from a known CA such as VeriSign. Order matters with policies – make sure that the “decrypt” and “no‐decrypt” policies are evaluated in the correct order. To find URLs to test the “no‐decrypt” rule, go to http://www.brightcloud.com/ and enter various URLs that you believe fall into the categories you are testing.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 18
PAN‐EDU‐101
Solutions Module 1 – Introduction (Lab Access)
Prepare your laptop for the lab 1. While connected to the internet, download the file PAN‐EDU‐101‐Default to your laptop you will be using for the lab exercises. 2. Configure the physical LAN interface on your laptop with an IP address to communicate with the firewall.
192.168.1.100 IP address Subnet Mask 255.255.255.0 3. Connect an Ethernet cable between the interface you just configured and the MGT port of your firewall. 4. Open a command prompt and verify you can ping the IP address 192.168.1.1.
Log on to the Firewall 5. Open a browser and connect to the firewall at https://192.168.1.1. Note: You will get a warning message since the firewall is using an untrusted self‐signed certificate. Dismiss the warning and continue to the web page. 6. Log on with the default user name and password. Click OK to dismiss the warning about the default admin credentials.
Save the current configuration on your firewall (optional) Note: If your firewall has settings you would like to restore after the completion of this lab, save the configuration so that it can be reloaded on the firewall.
7. Click Device > Setup > Operations. 8. Click Save named configuration snapshot. Enter pre-101-labs in the Name field. Click OK to complete the save. Click OK to dismiss the success window.
Upload and apply baseline configuration to your firewall 9. Click Device > Setup > Operations. 10. Click Import named configuration snapshot. Click Browse to select the PAN‐EDU‐101‐Default file from your system. Click Open then OK to upload the file to the firewall. Click OK to dismiss the success window. 11. Click Load Named Configuration Snapshot. 12. Select PAN‐EDU‐101‐Default. Click OK. Click OK to dismiss the success window. 13. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes, then click Close.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 19
PAN‐EDU‐101
Add an Administrator Role 14. Click Device > Admin Roles. 15. Click Add in the lower left of the panel and create a new admin role: Name Web UI tab
Enter Policy Admins Click the following major categories to disable them: Monitor Network Device Privacy The remaining major categories should remain enabled.
Click OK to continue.
Manage administrator accounts 16. Click Device > Administrators. 17. Click admin in the list of users. Change the password to paloalto. Click OK to close the configuration window. 18. Click Add in the lower left corner of the panel. Configure a new administrator account:
Name Password/Confirm Password Role Profile Click OK.
Enter ip-admin Enter paloalto Select Role Based Select Policy Admins
19. Click the Commit link at the top‐right of the WebUI. Click OK and wait until the commit process completes, then click Close. 20. Use an SSH client (e.g., PuTTY) to attempt to log into the CLI as ip‐admin. Because the role assigned to this account was not assigned CLI access, the connection should reset. 21. Open different browser and log onto the WebUI as ip‐admin and explore the available functionality. For example, if you originally connected to the WebUI using Chrome, open this connection in Internet Explorer. Compare the displays for the admin and ip‐admin accounts to see the limitations of the newly created account. 22. Log out of the ip‐admin account connection when you are done exploring.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 20
PAN‐EDU‐101
Module 2 – Interface Configuration
Create new Security Zones 1. If necessary, log into the WebUI using your admin account 2. Click Network > Zones. Click Add and create the tap zone: Name Enter tap-zone Type Select Tap Click OK to close the zone creation window. 3. Click Add and create the first virtual wire zone: Name Enter vwire-zone-3 Type Select Virtual Wire Click OK to close the zone creation window. 4. Click Add and create the second virtual wire zone: Name Enter vwire-zone-4 Type Select Virtual Wire Click OK to close the zone creation window.
Configure a Tap interface 5. Click Network > Interfaces > Ethernet. 6. Click the interface name ethernet1/3. Configure the interface:
Interface Type Select Tap Config tab Security Zone Select tap‐zone Click OK to close the interface configuration window.
Creating a Virtual Wire Setup 7. Click Network > Virtual Wires. 8. Click Add and create a new virtual wire object named student-vwire. Keep all other settings at the default values and click OK. 9. Click Network > Interfaces > Ethernet.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 21
PAN‐EDU‐101
10. Click the interface name ethernet1/3. Configure the interface: Interface Type Select Virtual Wire Config tab Virtual Wire Select student‐vwire Security Zone Select vwire‐zone‐3 Click OK to close the interface configuration window. 11. Click the interface name ethernet1/4. Configure the interface: Interface Type Select Virtual Wire Config tab Virtual Wire Select student‐vwire Security Zone Select vwire‐zone‐4 Click OK to close the interface configuration window. Normally, you would commit your changes at this point. However, for the self‐paced labs you will be reusing these interfaces so you must undo some of the changes you just implemented. 12. Click Network >Virtual Wires. 13. Select the student‐vwire object and click Delete. (Note: you will set the interfaces to a different type in the next module.)
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 22
PAN‐EDU‐101
Module 3 – Layer 3 Configuration
Create new Security Zones 1. Go to the WebUI and click Network > Zones. 2. Click Add and create the Untrust‐L3 zone: Name Enter Untrust-L3 Type Verfy that Layer 3 is selected Click OK to close the zone creation window. 3. Click Add and create the Trust‐L3 zone: Name Enter Trust-L3 Type Select Layer 3 Click OK to close the zone creation window.
Create Interface Management Profiles 4. Click Network > Network Profiles > Interface Mgmt. 5. Click Add and create an interface management profile:
Name Enter allow_all Permitted Services Select all check boxes Permitted IP Addresses Do not add any addresses Click OK to close the interface management profile creation window. 6. Click Add and create another interface management profile: Name Enter allow_ping Permitted Services Select only the Ping check box Permitted IP Addresses Do not add any addresses Click OK to close the interface management profile creation window. 7. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Configure Ethernet interfaces with Layer 3 info 8. Click Network > Interfaces > Ethernet. 9. Click the interface name ethernet1/3. Configure the interface: Interface Type Config tab Virtual Router Security Zone Lab Manual
Select Layer 3
Keep default (none) Select Untrust‐L3 PAN‐OS 6.0 – Rev A.200
Page 23
PAN‐EDU‐101
IPv4 tab Type Select DHCP Client Advanced > Other Info tab Select allow_ping Management Profile Click OK to close the interface configuration window.
10. Click the interface name ethernet1/4. Configure the interface: Interface Type Select Layer 3 Config tab Virtual Router Keep default (none) Security Zone Select Trust‐L3 IPv4 tab Type Keep default (Static) IP Click Add then enter 192.168.2.1/24 Advanced > Other Info tab Select allow_all Management Profile Click OK to close the interface configuration window.
Configure DHCP 11. Click Network > DHCP > DHCP Server. 12. Click Add to define a new DHCP Server:
Interface Name Select ethernet1/4 Inheritance Source Select ethernet1/3 Gateway Enter 192.168.2.1 Primary DNS Select inherited IP Pools Click Add then enter 192.168.2.50-192.168.2.60 Click OK to close the DHCP Server configuration window.
Create a Virtual Router 13. Click Network > Virtual Routers. 14. Click Add to define a new virtual router:
General tab Name Interfaces
Enter Student-VR Click Add then select ethernet1/3
Click Add again and select ethernet1/4 Click OK to close the virtual router configuration window. 15. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing. Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 24
PAN‐EDU‐101
Test the Network Configuration 16. Log out of the WebUI. 17. Move the Ethernet cable from the MGT interface to the 4 interface on the firewall. 18. Plug the cable connected to your network into the 3 interface on the firewall. 19. Configure the physical LAN interface on your laptop (the one connected to the 4 interface) to use a DHCP address. 20. Verify that your laptop is receiving DHCP address from the firewall. The displayed IP address should be in the range 192.168.2.50‐192.168.2.60 if the DHCP Server is configured correctly. You should also be able to ping 192.168.2.1. 21. Connect to the WebUI by launching a browser to https://192.168.2.1 and logging in with your admin account.
Create a Source NAT policy 22. Click Policies > NAT. 23. Click Add to define a new source NAT policy:
General tab Name Enter Student Source NAT Original Packet tab Click Add and select Trust‐L3 Source Zone Destination Zone Select Untrust‐L3 Destination Interface Select ethernet1/3 Translated Packet > Source Address Translation tab Translation Type Select Dynamic IP and Port Address Type Select Interface Address Interface Select ethernet1/3 Click OK to close the NAT policy configuration window.
24. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing. Note: At this point, you still will not have access to the internet. A security policy is required, which will be configured in the next lab.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 25
PAN‐EDU‐101
Module 4 – App‐ID
Scenario 1 Create the “General Internet” Policy 1. Go to the WebUI and click Policies > Security. 2. Click Add to define a security policy: General tab Name Source tab Source Zone Source Address Destination tab Destination Zone Destination Address Application tab Applications
Enter General Internet
Click Add and select Trust‐L3 Select Any
Click Add and select Untrust‐L3 Select Any
Click Add and select each of the following: dns paloalto‐updates ssl
Service/URL Category tab Service Select application‐default from the pull‐down Actions tab Action Setting Select Allow Log Setting Select Log at Session End Click OK to close the security policy configuration window.
Configure the Firewall to Communicate with the Update Server 3. In the WebUI, click Device > Setup > Services. 4. Click the icon in the upper‐right corner of the Services panel to configure DNS lookups:
DNS Verify that Servers is selected Primary DNS Server Enter 4.2.2.2 Update Server Keep the default (updates.paloaltonetworks.com) Click OK to close the configuration window. 5. In the Services Features panel, click the Service Route Configuration link to configure how the firewall accesses network services. Click the radio button for Select. For the DNS, Palo Alto Updates, and URL Updates services, go to the Source Address column and select 192.168.2.1/24. Click OK to close the configuration window.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 26
PAN‐EDU‐101
6. Click the Commit link at the top‐right of the WebUI. Click OK and wait until the commit process completes before continuing.
Review PAN‐OS Licenses 7. Click Device > Licenses. 8. If no licenses appear, click Retrieve license keys from license server. 9. Review licenses installed and their expiration dates.
Update the Applications and Threats Definition File Note: Upgrading PAN‐OS requires that the firewall be running the most recent Applications and Threats definition file. All other dynamic updates can be handled later. 10. Click Device > Dynamic Updates. 11. Click Check Now at the bottom of the page to retrieve the latest updates from Palo Alto Networks. Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 27
PAN‐EDU‐101
12. Verify that your firewall is running the most recent Applications and Threats. 13. If the definition file is out of date, install the latest version. a. Click Download on the line for the update file you plan to install. Click Close when the file download completes.
b. The Download link will have been replaced with the Install link. Click Install to activate the definition file. The installation will automatically trigger a commit. Wait for both operations to complete before continuing. Click Close to exit the installation window.
Verify the PAN‐OS version 14. Click Device> Software. 15. Review available, downloaded, and installed PAN‐OS software. If no software versions are displayed, click Check Now at the bottom of the panel to refresh the list. What version of PANOS is running on your firewall?
16. If the firewall is not running version 6.0.0, update the firewall to that version. a. Click Download on the line for version 6.0.0. Click Close when the file download completes. b. If your firewall is currently running a version of PAN‐OS older than 6.0.0 (e.g., 5.0.x), you must also download (but not install) version 5.1.0. Click Download on the line for version 5.1.0. Click Close when the file download completes.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 28
PAN‐EDU‐101
c. On the line for 6.0.0, the Download link will have been replaced with the Install link. Click Install to update PAN‐OS on your firewall. d. Reboot the firewall when prompted. Wait until your browser reconnects with the firewall and log in again using your admin account.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 29
PAN‐EDU‐101
Scenario 2 (Phase 1) Modify the “General Internet” Policy 17. Go to the WebUI and click Policies > Security. 18. Click the General Internet policy you previously created and modify the allowed applications: Application tab Applications
Click Add and select each of the following: fileserve flash ftp ping web‐browsing Click OK to close the security policy configuration window.
Create Policies Block and Log All Inbound and Outbound Traffic 19. Click Policies > Security. 20. Click Add to define the Deny Outbound security policy:
General tab Name Enter Deny Outbound Source tab Click Add and select Trust‐L3 Source Zone Source Address Select Any Destination tab Click Add and select Untrust‐L3 Destination Zone Destination Address Select Any Application tab Applications Check the Any box Service/URL Category tab Service Select any from the pull‐down Actions tab Action Setting Select Deny Log Setting Select Log at Session End Click OK to close the security policy configuration window.
21. Click Add to define the Deny Inbound security policy: General tab Name Source tab Source Zone Source Address Lab Manual
Enter Deny Inbound
Click Add and select Untrust‐L3 Select Any PAN‐OS 6.0 – Rev A.200
Page 30
PAN‐EDU‐101
Destination tab Destination Zone Click Add and select Trust ‐L3 Destination Address Select Any Application tab Applications Check the Any box Service/URL Category tab Service Select any from the pull‐down Actions tab Action Setting Select Deny Log Setting Select Log at Session End Click OK to close the security policy configuration window.
22. Ensure your Security Policy looks like this:
Note: The default rule1 affects virtual wire connections and will not affect the lab exercises. 23. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Verify Internet Connectivity and Application Blocking 24. Test internet connectivity by browsing websites from your laptop. Does web surfing over ports 80 and 443 work? 25. Use a browser to connect to the site http://www.box.net. The browser should not be able to display the site. Review the traffic logs to determine why this site is not reachable. (Hint: Check the applications listed in the log.) The boxnet‐base application is not allowed by the configured policies. 26. Attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com. You will not be able to connect because the avoidr website also uses a custom application which is not allowed by your policies. Use the traffic logs to verify this statement. Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 31
PAN‐EDU‐101
Scenario 2 (Phase 2) Create an Application Block Page 1. From the RDP desktop, open a browser and navigate to http://www.facebook.com. Leave the browser open to the error page. 2. Return to the WebUI and click Device > Response Pages. 3. Find the Application Block Page line and click Disabled. 4. Check the Enable Application Block Page box, and then click OK. 5. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing. 6. Open a different browser window and go to http://www.facebook.com. Compare the page displayed to the one generated in Step 1 of the Create an Application Block Page section of the lab.
Note: An Interface Management Profile DOES NOT need to be set for application block pages. From the admin guide (p. 176): “The Response Pages check box controls whether the ports used to serve captive portal and URL filtering response pages are open on Layer 3 interfaces. Ports 6080 and 6081 are left open if this setting is enabled.”
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 32
PAN‐EDU‐101
Scenario 2 (Phase 3) Create Application Filters 1. Go to the WebUI and click Objects > Application Filters. 2. Click Add to define the Proxies application filter: Name Enter Proxies Subcategory column Select proxy Click OK to close the application filter configuration window. 3. Click Add to define the Web‐Based‐File‐Sharing application filter: Name Enter Web-Based-File-Sharing Subcategory column Select file‐sharing Technology column Select browser‐based Click OK to close the application filter configuration window.
Create Application Groups 4. Click Objects > Application Groups. 5. Click Add to define the Known‐Good application group:
Name Applications
Enter Known-Good Click Add and select each of the following: dns fileserve flash ftp paloalto‐updates ping ssl web‐browsing Click OK to close the application group configuration window. 6. Click Add to define the Known‐Bad application group: Name Applications
Enter Known-Bad Click Add and select each of the following: Proxies Web‐Based‐File‐Sharing Click OK to close the application group configuration window.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 33
PAN‐EDU‐101
Update Security Policies 7. Click Policies > Security. 8. Click General Internet to edit the existing rule. Go to the Application tab. Delete all of the listed applications and add the Known‐Good application group. Click OK to close the window. 9. Click the Deny Outbound rule and modify with the following values: General tab Name Change to Log-All Actions tab Select Allow Action Setting Click OK to close the security policy configuration window.
10. Click Add to define the Block‐Known‐Bad security policy: General tab Name Enter Block-Known-Bad Source tab Click Add and select Trust‐L3 Source Zone Source Address Select Any Destination tab Destination Zone Click Add and select Untrust ‐L3 Destination Address Select Any Application tab Applications Click Add and select Known‐Bad Service/URL Category tab Service Select any from the pull‐down Actions tab Action Setting Select Deny Log Setting Select Log at Session End Click OK to close the security policy configuration window.
27. Use the move buttons at the bottom of the page to arrange the policies in a logical order. Confirm that your security rule list looks like this:
You can also rearrange the rule by clicking and dragging them into the correct order. 28. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 34
PAN‐EDU‐101
Verify Internet Connectivity and Application Blocking 29. Verify that your policies have not broken network connectivity. Test internet connectivity by browsing websites from your laptop. Does web surfing over ports 80 and 443 work? 30. Use a browser to connect to the site http://www.box.net. The browser should not be able to display the site. Review the traffic logs to determine why this site is not reachable. (Hint: Check the application listed in the log.) 31. Attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com. Why can’t you bring up that web site? (Hint: the traffic logs will help you solve this problem.) 32. Click the ACC tab to access the Application Command Center. Use the drop‐down menu in the
application section of the ACC to select different ways of viewing the traffic that you have generated. What is the total risk level for all traffic that has passed through the firewall thus far? Notice that the URL Filtering, Threat Prevention, and Data Filtering sections within the ACC contain no matching records.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 35
PAN‐EDU‐101
Module 5 – Content‐ID Note: The presence of firewalls between your PA‐200 and the internet will cause the lab results to vary.
Configure Dynamic Updates 1. 2. 3. 4.
Click Device > Dynamic Updates. Click Check Now at the bottom of the page to retrieve the latest updates from Palo Alto Networks. Verify that your firewall is running the most recent Antivirus definition file. If the definition file is out of date, install the latest version. a. Click Download on the line for the update file you plan to install. Click Close when the file download completes. b. The Download link will have been replaced with the Install link. Click Install to activate the definition file. The installation will automatically trigger a commit. Wait for both operations to complete before continuing. Click Close to exit the installation window.
Configure a Custom URL Filtering Category 1. Go to the WebUI and click Objects > Custom URL Category. 2. Click Add to create a custom URL category: Name Sites
Enter TechSites Click Add and add each of the following URLs: www.slashdot.org www.cnet.com www.zdnet.com Click OK to close the URL Filtering profile window.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 36
PAN‐EDU‐101
Configure a URL filtering Profile 3. Click Objects > Security Profiles > URL Filtering. 4. Click Add to define a URL Filtering profile: Name Category/Action
Enter student-url-filtering Click the right side of the Action header to access the pull‐down menu. Click Set All Actions > Alert.
Search the Category field for hacking and government. Set the Action to Continue for both categories.
Search the Category field for the following categories and set the Action to block for each of them: adult‐and‐pornography questionable unknown
Verify that your custom category appears in the Category column. Click OK to close the URL Filtering profile window.
Configure an Antivirus Profile 5. Click Objects > Security Profiles > Antivirus. 6. Click Add to create an antivirus profile:
Name Enter student-antivirus Antivirus tab Check the Packet Capture box Packet Capture Decoders Set the Action column to Alert for all decoders Click OK to close the antivirus profile window.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 37
PAN‐EDU‐101
Configure an Anti‐Spyware Profile 7. Click Objects > Security Profiles > Anti‐Spyware. 8. Click Add to create an anti‐spyware profile: Name Rules tab
Enter student-antispyware Click Add and create a rule with the parameters: Rule Name: Enter rule-1 Action: Select Allow Severity: Check the boxes for Low and Informational only Click OK to save the rule
Click Add and create another rule with the parameters: Rule Name: Enter rule-2 Action: Select Alert Severity: Check the boxes for Critical and High only Click OK to save the rule Click OK to close the anti‐spyware profile window.
Create a File Blocking Profile with Wildfire 9. Click Objects > Security Profiles > File Blocking. 10. Click Add to create a file blocking profile:
Name Rules list
Enter student-file-block Click Add and create a rule with the parameters: Rule Name: Enter type-1 Action: Select Forward Click OK to close the file blocking profile window.
Assign Profiles to a Policy 11. Click Policies > Security. 12. Click General Internet in the list of policy names. Edit the policy to include the newly created profiles:
Actions tab Profile Type Antivirus Anti‐Spyware URL Filtering File Blocking Click OK to close the policy window. Lab Manual
Select Profiles Select student‐antivirus Select student‐antispyware Select student‐url‐filtering Select student‐file‐block
PAN‐OS 6.0 – Rev A.200
Page 38
PAN‐EDU‐101
13. Repeat the previous step and add the profiles to the Log‐All policy. 14. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Test the Antivirus Profile 15. On your local system, open a browser to http://www.eicar.org and click Anti‐Malware Testfile. 16. Click the Download link to access the virus test files. 17. Download any of the Eicar test files using http. Do not use the SSL‐encrypted downloads. The firewall will not be able to detect the viruses in an HTTPS connection until decryption is configured. 18. Click Monitor > Logs > Threat to view the threat log. Find the log messages which detect the Eicar files. Scroll to the Action column to verify the alerts for each file download. 19. Click on the green down arrow at on the left side of the line for the Eicar file detection to view the packet capture (PCAP). Here is an example of what a PCAP might look like:
Captured packets can be exported in PCAP format and examined with a protocol analyzer offline for further investigation. 20. Modify the antivirus profile to block viruses using ftp, http, and smb. Click Objects > Security Profiles > Antivirus. Change the Action column for the ftp, http, and smb decoders to Block. 21. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing. 22. Open a new browser window to www.eicar.org and attempt to download a virus file again. Since the antivirus profile is set to block, a response page should appear:
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 39
PAN‐EDU‐101
23. Return to the WebUI and verify that log entries stating that the Eicar virus was detected appear in the threat log. 24. After 15 minutes, the threats you just generated will appear on the ACC tab under the Threats section.
Test the URL Filtering Profile 25. Open a browser and browse to various websites. The URL filtering profile records each website that you visit. 26. In the WebUI, click Monitor > Logs > URL Filtering. Verify that the log entries track the sites that you visited during your tests. 27. Test the continue condition you created by visiting a site which is part of the hacking category. In a new browser window, attempt to browse to http://neworder.box.sk and http://www.2600.org. The profile will block this action and you will see a response page similar to the following:
Test the File Blocking Profile with Wildfire 28. Open a new browser window to http://www.opera.com. Download the Opera browser installer to your local system. 29. Click Monitor > Logs > Data Filtering to determine how the file was handled by the profile.
Lab Manual
PAN‐OS 5.0 – Rev A.200
Page 40
PAN‐EDU‐101
Configure a Security Profile Group 30. Return to the WebUI and click Objects > Security Profile Groups. 31. Click Add to define a security profile group: Name Enter student-profile-group Antivirus Profile Select student‐antivirus Anti‐Spyware Profile Select student‐antispyware URL Filtering Profile Select student‐url‐filtering File Blocking Profile Select student‐file‐block Click OK to close the security profile group window.
Assign the Security Profile Group to a Policy 32. Click Policies > Security. 33. Click General Internet in the list of policy names. Edit the policy to replace the profiles with the profile group:
Actions tab Profile Type Select Group Group Profile Select student‐profile‐group Click OK to close the policy window.
34. Repeat the previous step and add the profile group to the Log‐All policy. 35. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Lab Manual
PAN‐OS 5.0 – Rev A.200
Page 41
PAN‐EDU‐101
Create a Custom Report 36. Click Monitor > Manage Custom Reports. 37. Click Add to define a new custom threat report: Name Database Time Frame Sort by Group by Selected Columns
Enter Top Threats by Day Select Threat Summary Select Last 24 Hrs Select Count and Top 10 Select None and 10 Groups Populate the Selected Columns field with the following values, in this order: Threat/Content Name Application App Technology App Sub Category Count Build a query using the following parameters:
Query Builder
Connector: Select and Attribute: Select Rule Operator: Select = Value: Enter General Internet Click Add
Connector: Select or Attribute: Select Rule Operator: Select = Value: Enter Log-All Click Add Click OK to save the custom report definition. 38. Click the name of your custom report to reopen the custom report window. Click Run Now to generate the report. 39. The report will appear in a new tab in the window. Click Export to PDF to save it to your RDP desktop.
Lab Manual
PAN‐OS 5.0 – Rev A.200
Page 42
PAN‐EDU‐101
Module 6 ‐ Decryption
Verify firewall behavior without decryption 1. From your laptop, browse to the www.eicar.com and attempt to download the one of the test files using http. 2. Repeat the previous step but attempt to download one of the files using https. 3. Go to the GUI and click Monitor > Logs > Threat to view the log. Only the non‐encrypted download should appear in the log. SSL decryption hid the contents of the firewall and so the test file was not detected as a threat.
Create an SSL self‐signed Certificate 4. Click Device > Certificate Management > Certificates. 5. Click Generate at the bottom of the screen to create a new self‐signed certificate: Certificate Name Enter student-ssl-cert Common Name Enter 192.168.2.1 Certificate Authority Check the box Click Generate to create the certificate. Click OK to dismiss the certificate generation success window. 6. Click student‐ssl‐cert in the list of certificates to edit the certificate properties. Check the boxes for Forward Trust Certificate and Forward Untrust Certificate. Click OK to confirm the changes.
Create SSL Decryption Policies 7. Click Policies > Decryption. 8. Click Add to create an SSL decryption rule for the exception categories: General tab Name Enter no-decrypt-traffic Source tab Click Add then select Trust‐L3 Source Zone Destination tab Destination Zone Click Add then select Untrust‐L3 URL Category tab URL Category Click Add and add each of the following URL categories: health‐and‐medicine shopping financial‐services Options tab Action Select no‐decrypt Type Select SSL Forward Proxy Click OK to close the configuration window.
Lab Manual
PAN‐OS 5.0 – Rev A.200
Page 43
PAN‐EDU‐101
9. Click Add to create the SSL decryption rule for general decryption: General tab Name Enter decrypt-all-traffic Source tab Click Add then select Trust‐L3 Source Zone Destination tab Destination Zone Click Add then select Untrust‐L3 URL Category tab URL Category Verify that the Any box is checked Options tab Action Select decrypt Type Select SSL Forward Proxy Click OK to close the configuration window. 10. Confirm that your decryption policy list looks like this:
11. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Test the SSL Decryption Policies 12. Open a browser to the www.eicar.org downloads page. Download a test file using SSL. Ignore the certificate error. This is expected behavior because the firewall is intercepting the SSL connection and performing man‐in‐the‐middle decryption. Close the browser window. 13. In the WebUI, examine the threat logs. The virus should have been detected, since the SSL connection was decrypted. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box has a check mark. 14. Open a browser to http://www.brightcloud.com/ and enter various URLs that you believe fall into the categories excluded by the “no‐decrypt” rule. Make a list of URLs that fall into these categories to test against. For example: financial‐services: www.bankofamerica.com health‐and‐medicine: www.deltadental.com shopping: www.macys.com 15. In the WebUI, click Monitor > Logs > Traffic. Set the traffic log to display only port 443 traffic on a 10 second refresh. Enter ( port.dst eq 443 ) in the filter field. Select 10 Seconds from the Lab Manual
PAN‐OS 5.0 – Rev A.200
Page 44
PAN‐EDU‐101
pull‐down menu so that the display will refresh automatically. Leave this window open so you can monitor the traffic.
16. In a separate browser window, use SSL (https://) to navigate to the websites you found in the excluded URL categories. Navigate to other websites as well (e.g., www.facebook.com, www.google.com) for comparison purposes. 17. Return to the traffic log. Find an entry for one of the excluded categories by looking at the value in the URL Category column. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box in the Misc panel is unchecked. 18. Repeat the previous step for a URL in a non‐excluded category. Verify that the Decrypted box has a check mark.
Lab Manual
PAN‐OS 5.0 – Rev A.200
Page 45
Lab Manual
PAN‐EDU‐101
PAN‐OS 5.0 – Rev A.200
Page 46
PAN‐EDU‐101
CLI Reference This section provides a subset of the commands needed to complete the tasks in the associated lab modules. The commands are intended to provide command sets for you to research further in the PAN‐OS Command Line Interface Reference Guide.
Module 1 – Administration and Management # load config from PAN-EDU-201-Default-1.xml
> request license info
> request system software info
> request anti-virus upgrade info
# set shared admin-role "Policy Admins" role device webui acc enable
# set mgt-config users ip-admin permissions role-based custom profile "Policy Admins"
> request config-lock add
> request commit-lock add
> request config-lock remove
> request commit-lock remove
Module 2 – Interface Configuration # set zone tap-zone network tap
# set network interface ethernet ethernet1/3 virtual-wire
# set zone vwire-zone-3 network virtual-wire ethernet1/3
# set network virtual-wire student-vwire interface1 ethernet1/3
Lab Manual
PAN‐OS 5.0 – Rev A.200
Page 47
PAN‐EDU‐101
Module 3 – Layer 3 Configuration # set network profiles interface-management-profile allow_all telnet yes
# set network dhcp interface ethernet1/2 server ip-pool 192.168.15.50192.168.15.60
# set network virtual-router Student-VR interface ethernet1/2
# set rulebase nat rules "student source nat" to Untrust-L3
Module 4 – App‐ID # set rulebase security rules "General Internet" action allow
# set application-filter Proxies subcategory proxy
# set application-group Known-Good web-browsing
Module 5 – Content‐ID # set profiles url-filtering Student-url-filtering alert bot-nets
# set profiles custom-url-category TrustedCompanies list www.paloaltonetworks.com
# set profiles virus Student-antivirus decoder ftp action alert
# set profiles spyware Student-antispyware rules simple-low severity low
# set profile-group "Student Profile" virus Student-antivirus
# set rulebase security rules "General Internet" profile-setting group "Student Profile"
Module 6 ‐ Decryption > request certificate generate ca yes name 192.168.15.1 certificatename student15-cert
# set rulebase decryption rules No-Decrypt source any
Lab Manual
PAN‐OS 5.0 – Rev A.200
Page 48
View more...
Comments
