Pan-edu-101 - Lab Manual Pan-os 6 1 - Rev A
January 13, 2017 | Author: zapete100 | Category: N/A
Short Description
Download Pan-edu-101 - Lab Manual Pan-os 6 1 - Rev A...
Description
Firewall Installation, Configuration, and Management: Essentials I Lab Manual PAN-OS 6.1 PAN-EDU-101 Rev A.200
PAN‐EDU‐101
Palo Alto Networks, Inc. www.paloaltonetworks.com © 2007-2014 Palo Alto Networks. All rights reserved. Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.
Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 2
PAN‐EDU‐101
Typographical Conventions This guide uses the following typographical conventions for special terms and instructions. Convention
Meaning
Example
Boldface
Names of commands, keywords, and selectable items in the web interface
Click Security to open the Security Rule Page
Italics
Name of parameters, files, directories, or Uniform Resource Locators (URLs)
The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com
courier font
Coding examples and text that you enter at a command prompt
Enter the following command: a:\setup
Click
Click the left mouse button
Click Administrators under the Device tab.
Right-click
Click the right mouse button
Right-click on the number of a rule you want to copy, and select Clone Rule.
Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 3
PAN‐EDU‐101
Table of Contents Contents Typographical Conventions .................................................................................................. 3 How to use this Lab Guide ................................................................................................... 7 Lab Guide Objectives ........................................................................................................... 7 Lab Equipment Setup........................................................................................................... 8 Lab Assumptions ................................................................................................................. 8 Module 2 Scenario – Initial Config ......................................................................................... 9 Scenario ...........................................................................................................................................................................9 RequiredInformation........................................................................................................................................................9
Module 2 Solution – Initial Config ..................................................................................... 10 Prepare your laptop for the lab ......................................................................................................................................10 Log on to the Firewall .....................................................................................................................................................10 Save the current configuration on your firewall (optional) ............................................................................................. 10 Upload and apply baseline configuration to your firewall ............................................................................................... 10 Add an Administrator Role .............................................................................................................................................11 Manage administrator accounts .....................................................................................................................................11
Module 3 Scenario – Interface Configuration .................................................................... 10 Scenario: ........................................................................................................................................................................10 Required Information ....................................................................................................................................................11
Module 3 Solution – Interface Configuration ..................................................................... 12
Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 4
PAN‐EDU‐101 Create new Security Zones .............................................................................................................................................12 Create Interface Management Profiles ...........................................................................................................................12 Configure Ethernet interfaces with Layer 3 info ..............................................................................................................12 Configure DHCP ..............................................................................................................................................................13 Create a Virtual Router ...................................................................................................................................................13 Recable and test the network configuration ...................................................................................................................14
Module 4 Scenario – Security and NAT Policies ................................................................. 15 Module 4 Solution – Security and NAT Policies .................................................................. 16 Create a Source NAT policy.............................................................................................................................................16
Module 5 Scenario – App‐ID ................................................................................................ 18 Required Information ....................................................................................................................................................19 Lab Notes .......................................................................................................................................................................19
Module 5 Solution – App‐ID ............................................................................................... 20 Verify Internet Connectivity and Application Blocking ................................................................................................... 21
Module 6 Scenario – Content‐ID .......................................................................................... 23 Scenario .........................................................................................................................................................................23 Required Information ....................................................................................................................................................24 Lab Notes .......................................................................................................................................................................24
Module 6 Solution – Content‐ID ......................................................................................... 25 Configure a Custom URL Filtering Category ....................................................................................................................25 Configure a URL filtering Profile ......................................................................................................................................25 Configure an Antivirus Profile .........................................................................................................................................26 Configure an Anti‐Spyware Profile ..................................................................................................................................26 Create a File Blocking Profile with Wildfire .....................................................................................................................27 Assign Profiles to a Policy ...............................................................................................................................................27 Test the Antivirus Profile ................................................................................................................................................27 Modify the Antivirus Profile ...........................................................................................................................................28
Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 5
PAN‐EDU‐101 Test the new Antivirus Profile .........................................................................................................................................28 Test the URL Filtering Profile ..........................................................................................................................................29 Test the File Blocking Profile with Wildfire .....................................................................................................................29 Configure a Security Profile Group .................................................................................................................................29 Assign the Security Profile Group to a Policy...................................................................................................................29
Module 7 Scenario – Decryption .......................................................................................... 31 Scenario .........................................................................................................................................................................31 Required Information .....................................................................................................................................................32 Lab Notes .......................................................................................................................................................................32
Module 7 Solution ‐ Decryption ......................................................................................... 33 Verify firewall behavior without decryption ...................................................................................................................33 Create an SSL self‐signed Certificate ...............................................................................................................................33 Create SSL Decryption Policies ........................................................................................................................................33 Modify the General Internet Security Policy...................................................................................................................34 Test the SSL Decryption Policies......................................................................................................................................34 Import the CA Certificate into Windows Trusted Certificates .........................................................................................36 Exclude a Site from Decryption ......................................................................................................................................37
Module 10 Scenario – Management and Reporting ........................................................... 38 Module 10 Solution – Management and Reporting ........................................................... 39 Explore the Dashboard, ACC and Session Browser ........................................................................................................39 Explore the Logs .............................................................................................................................................................39 Create a Custom Report .................................................................................................................................................39
Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 6
PAN‐EDU‐101
How to use this Lab Guide The Lab Guide contains lab exercises which correspond to modules in the lecture. Each lab exercise consists of two parts: a scenario and a solution. The scenario describes the lab exercise in terms of objectives and customer requirements. Minimal instructions are provided to encourage students to solve the problem on their own. If appropriate, the scenario includes a diagram and a table of required information needed to complete the exercise. The solution is designed to help students who prefer step‐by‐step, task‐based labs. Alternatively, students who start with the scenario can use the solution to check their work or to provide help if they get stuck on a problem.
NOTE: Unless specified, the Google Chrome web browser and the PuTTY SSH client will be used to perform any tasks outlined in the following labs.
Lab Guide Objectives This lab guide is designed specifically for a single student attending the self‐paced version of the Essentials I course. The instructor‐led version of the course includes additional exercises which can only be completed in a classroom environment with other students and additional equipment. Once these labs are completed, you should be able to: 1. Configure the basic components of the firewall, including interfaces, security zones, and security policies 2. Configure basic Layer 3 settings, such as IP addressing and NAT policies. 3. Configure basic Content‐ID functionality, including antivirus protection and URL filtering. 4. Configure SSL decryption.
With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help enabled this training to be built, tested, and deployed.
Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 7
PAN‐EDU‐101
Lab Equipment Setup DHCPenabled Network
Internet
Lab Assumptions These lab instructions assume the following conditions: 1. The student is using a PA‐200 firewall which has been registered with Palo Alto Networks Support. 2. The firewall is licensed for Support, Threat Prevention, and URL Filtering. 3. The PA‐200 is running the latest version of 6.1 software and has all the latest updates for Antivirus, Applications and Threats and URL Filtering. 4. The network that the student will connect to has a DHCP server from which the firewall can obtain an IP address and DNS information. 5. There are no other Palo Alto Networks firewalls between the student’s PA‐200 and the internet. The labs will still work if upstream firewalls exist, but the results will vary based on the firewall settings.
Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 8
PAN‐EDU‐101
Module 2 Scenario – Initial Config In this lab you will: • •
Connect to the firewall through the MGT interface Create new administrator roles and accounts on the firewall
Scenario You have been tasked with integrating a new firewall into your environment. The firewall is configured with a MGT IP address and administrator account. You will need to change the IP address of your laptop to communicate with the default IP address of the MGT port. If your firewall has settings you would like to restore after the completion of this lab, save the current configuration so that it can be reloaded on the firewall. Apply a saved configuration to the firewall so that it is in a known state. In preparation for the new deployment, create a role for an assistant administrator which allows access to all firewall functionality through the WebUI except Monitor, Network, Privacy, and Device. The account should have no access to the XML API or the CLI. Create an account using this role. Additionally, change the password of the admin account to disable the warnings about using default credentials.
Required Information Named Configuration Snapshot New Administrator Role name New Administrator Account name New Administrator Account password New password for the admin account
Lab Manual
PAN‐EDU‐101‐Default Policy Admins ip-admin paloalto paloalto
PAN‐OS 6.1 – Rev A.200
Page 9
PAN‐EDU‐101
Module 2 Solution – Initial Config Prepare your laptop for the lab 1. While connected to the internet, download the file PAN‐EDU‐60‐101‐Default to your laptop you will be using for the lab exercises. 2. Configure the physical Ethernet interface of your laptop with an IP address on the same subnet as the MGT port of your firewall. If your firewall is at default config, the IP address of the MGT port is 192.168.1.1/24. Give your laptop Ethernet port an address of 192.168.1.100/24. If your firewall is not at default config, give your laptop an IP address on the same subnet as the MGT port IP address. 3. Connect an Ethernet cable between your laptop Ethernet port and the MGT port of your firewall. 4. Open a command prompt on your laptop and verify you can ping the MGT port IP address. 5. Disable any other active interfaces on your laptop, including the wireless interface, so the Ethernet port connected to the firewall is your only active port.
Log on to the Firewall 6. Open a browser and connect to the firewall at https://. If your firewall is at default config, the IP address of the MGT port is 192.168.1.1/24. A warning message since the firewall is using an untrusted self‐signed certificate. 7. Dismiss the warning and continue to the web page. 8. Log on with the PAN firewall user name and password. If the firewall is at default config, the username is admin and the password is admin. A warning about the default admin credentials appears. 9. Click OK to dismiss the warning. The PAN firewall GUI appears.
Save the current configuration on your firewall (optional) 10. Click Device > Setup > Operations. 11. Click Save named configuration snapshot. 12. Enter pre-101-labs in the Name field. 13. Click OK to complete the save. 14. Click OK to dismiss the success window.
Upload and apply baseline configuration to your firewall 15. Click Device > Setup > Operations. 16. Click Import named configuration snapshot. 17. Click Browse to select the PAN‐EDU‐101‐61‐Default file from your laptop. 18. Click Open then OK to upload the file to the firewall. 19. Click OK to dismiss the success window. Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 10
PAN‐EDU‐101
20. Click Load Named Configuration Snapshot. 21. Select PAN‐EDU‐101‐Default. Click OK. 22. Click OK to dismiss the success window. 23. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes, then click Close. 24. The PA‐200 MGT port IP address has changed to 192.168.1.1. If your PC’s Ethernet port is on a different subnet, you will lose connectivity. To reestablish connectivity, •
Put your PC’s Ethernet port on the 192.168.1.0/24 subnet
•
Open a browser to https://192.168.1.1
•
Login to the PA‐200 firewall with username admin password admin
Add an Administrator Role 25. Click Device > Admin Roles. 26. Click Add in the lower left of the panel and create a new admin role: Name Web UI tab
Enter Policy Admins Click the following major categories to disable them: • Monitor • Network • Device • Privacy The remaining major categories should remain enabled.
Click OK to continue.
Manage administrator accounts 27. Click Device > Administrators. 28. Click admin in the list of users. Change the password from admin to paloalto. Click OK to close the configuration window. 29. Click Add in the lower left corner of the panel. Configure a new administrator account: Name Password/Confirm Password Role Profile Click OK.
Enter ip-admin Enter paloalto Select Role Based Select Policy Admins
30. Click the Commit link at the top‐right of the WebUI. Click OK and wait until the commit process completes, then click Close. 31. Open a different browser and log onto the WebUI as ip‐admin and explore the available functionality. For example, if you originally connected to the WebUI using Chrome, open this connection in Internet Explorer. Compare the displays for the admin and ip‐admin accounts to see the limitations of the newly created account. 32. When you are done exploring, log out of the ip‐admin account connection. Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 11
PAN‐EDU‐101
33. Log back into the PA‐200 WebUI as user admin password paloalto.
Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 12
PAN‐EDU‐101
Module 3 Scenario – Interface Configuration In this lab you will: • • • •
Create Interface Management Profiles Configure Ethernet interfaces with Layer 3 information Configure DHCP Create a Virtual Router
Scenario:
The POC went well and the decision was made to use the Palo Alto Networks firewall in the network. You are to create two zones, Untrust‐L3 and Trust‐L3. The external‐facing interface in Untrust‐L3 will get an IP address from a DHCP server on the external network. Trust‐L3 will be where the internal clients connect to the firewall and so the interface in Trust‐L3 will provide DHCP addresses to these internal clients. The DHCP server you configure in the Trust‐L3 zone will inherit DNS settings from the external facing interface. Both the internal and external interfaces on the firewall must route traffic through the external‐facing interface by default. The interface in Untrust‐L3 must be configured to respond to pings and the interface in Trust‐L3 must be able to provide all management services. Once you have completed the Layer 3 configurations, you will need to move the physical Ethernet cable coming from your PC from the MGT port to the ethernet1/4 port of the PA‐200. You must also change the settings of the LAN interface on your laptop to use DHCP‐supplied network information (IP address and DNS servers) instead of static settings.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 10
PAN‐EDU‐101
Required Information Interface Management Profile Names Internal-facing IP Address External-facing interface Internal-facing interface DHCP Server: Gateway DHCP Server: Inheritance Source DHCP Server: Primary DNS DHCP Server: IP address range Virtual Router Name
Lab Manual
allow all allow_ping 192.168.2.1/24 Ethernet1/3 Ethernet1/4 192.168.2.1 Ethernet1/3 inherited 192.168.2.50-192.168.2.60 Student-VR
PAN‐OS 6.0 – Rev A.200
Page 11
PAN‐EDU‐101
Module 3 Solution – Interface Configuration Create new Security Zones 1. Go to the WebUI and click Network > Zones. 2. Click Add and create the Untrust‐L3 zone: Name Enter Untrust-L3 Type Verfy that Layer 3 is selected Click OK to close the zone creation window. 3. Click Add and create the Trust‐L3 zone: Name Enter Trust-L3 Type Select Layer 3 Click OK to close the zone creation window.
Create Interface Management Profiles 4. Click Network > Network Profiles > Interface Mgmt. 5. Click Add and create an interface management profile: Name Enter allow_all Permitted Services Select all check boxes Permitted IP Addresses Do not add any addresses Click OK to close the interface management profile creation window. 6. Click Add and create another interface management profile: Name Enter allow_ping Permitted Services Select only the Ping check box Permitted IP Addresses Do not add any addresses Click OK to close the interface management profile creation window. 7. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Configure Ethernet interfaces with Layer 3 info 8. Click Network > Interfaces > Ethernet. 9. Click the interface name ethernet1/3. Configure the interface: Interface Type Config tab Virtual Router Security Zone Lab Manual
Select Layer 3 Keep default (none) Select Untrust‐L3 PAN‐OS 6.0 – Rev A.200
Page 12
PAN‐EDU‐101
IPv4 tab Select DHCP Client Type Advanced > Other Info tab Management Profile Select allow_ping Click OK to close the interface configuration window. 10. Click the interface name ethernet1/4. Configure the interface: Interface Type Select Layer 3 Config tab Keep default (none) Virtual Router Security Zone Select Trust‐L3 IPv4 tab Keep default (Static) Type IP Click Add then enter 192.168.2.1/24 Advanced > Other Info tab Management Profile Select allow_all Click OK to close the interface configuration window.
Configure DHCP 11. Click Network > DHCP > DHCP Server. 12. Click Add to define a new DHCP Server: Interface Name Select ethernet1/4 Inheritance Source Select ethernet1/3 Gateway Enter 192.168.2.1 Ippool Subnet 255.255.255.0 Primary DNS Select inherited IP Pools Click Add then enter 192.168.2.50-192.168.2.60 Click OK to close the DHCP Server configuration window.
Create a Virtual Router 13. Click Network > Virtual Routers. 14. Click Add to define a new virtual router: General tab Name Interfaces
Enter Student-VR Click Add then select ethernet1/3
Click Add again and select ethernet1/4 Click OK to close the virtual router configuration window. 15. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing. Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 13
PAN‐EDU‐101
Recable and test the network configuration 16. Close the browser. 17. Move the Ethernet cable from the MGT interface to the 4 interface on the firewall. 18. Plug the cable connected to your network into the 3 interface on the firewall. 19. Configure the physical LAN interface on your laptop (the one connected to the 4 interface) to use a DHCP address. 20. Verify that your laptop is receiving DHCP address from the firewall. The displayed IP address should be in the range 192.168.2.50‐192.168.2.60 if the DHCP Server is configured correctly. You should also be able to ping 192.168.2.1. 21. Connect to the WebUI by launching a browser to https://192.168.2.1 and logging in with the admin account password paloalto. 22. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 14
PAN‐EDU‐101
Module 4 Scenario – Security and NAT Policies In this lab you will: • Create a Source NAT policy • Create a Security Policy to allow connectivity from the Trust‐L3 to the Untrust‐L3 zone
At this point, the firewall is configured but is unable to pass traffic between zones. NAT and Security Policies must be defined before traffic will flow between zones. In this lab, you will create a Source NAT Policy using the Untrust‐L3 IP address as the source address for all outgoing traffic. Then you will create a Security Policy to allow traffic from the Trust‐L3 Zone to the Untrust‐L3 Zone, so that your workstation can access the outside world.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 15
PAN‐EDU‐101
Module 4 Solution – Security and NAT Policies Create a Source NAT policy 1. Click Policies > NAT. 2. Click Add to define a new source NAT policy: General tab Name Enter Student Source NAT Original Packet tab Source Zone Click Add and select Trust‐L3 Destination Zone Select Untrust‐L3 Destination Interface Select ethernet1/3 Translated Packet > Source Address Translation tab Translation Type Select Dynamic IP and Port Address Type Select Interface Address Interface Select ethernet1/3 Click OK to close the NAT policy configuration window.
Create the Allow All Out Policy 1. Go to the WebUI and click Policies > Security. 2. Delete the exisiting rule1 security policy. 3. Click Add to define a security policy: General tab Name Enter Allow All Out Source tab Source Zone Click Add and select Trust‐L3 Source Address Select Any Destination tab Click Add and select Untrust‐L3 Destination Zone Destination Address Select Any Application tab Select Any Applications Service/URL Category tab Select application‐default from the pull‐down Service Actions tab Select Allow Action Setting Log Setting Select Log at Session End 4. Click OK to close the security policy configuration window. 5. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 16
PAN‐EDU‐101
Test the configuration 6. Test internet connectivity by browsing websites from your laptop. You should be able to surf the Web on http and https sites. 7. Go to Monitor > Logs > Traffic to see a record of your Internet browsing. Especially notice the Application column.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 17
PAN‐EDU‐101
Module 5 Scenario – App‐ID In this lab you will: • • •
Create a security policy to allow basic internet connectivity and log dropped traffic Enable Application Block pages Create Application Filters and Application Groups
Now that you have confirmed that your workstation has connectivity to the Internet, you will delete the Allow All Out Security Rule and replace it with a more restrictive Security Rule. By default, the PAN Firewall will block any traffic between different Security Zones. You will create a Security Policy to selectively enable specific applications to pass from the Trust‐L3 to the Untrust‐L3 Zone. All other applications will be blocked. Create a Rule named “General Internet” which allows users in the Trust‐L3 zone to use a set of commonly used applications to access the internet. The applications should only be permitted on an application’s default port. All other traffic (inbound and outbound) between Zones will be blocked and logged so that you can identify what other applications are being used. Next, you will configure the firewall to notify users when applications are blocked by a Rule.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 18
PAN‐EDU‐101
Required Information General Internet
Security Policy name
Members of the Known-Good application group
dns fileserve flash ftp paloalto-updates ping web-browsing ssl
Lab Notes Test your connectivity by connecting to http//www.depositfiles.com (login paneduc, password paloalto). Because you have not specified depositfiles as an allowed application, the firewall should block the appliction, even if you attempt to use a proxy.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 19
PAN‐EDU‐101
Module 5 Solution – App‐ID Create an Application Group 1. Click Objects > Application Groups. 2. Click Add to define the Known‐Good application group: Name Applications
Enter Known-Good Click Add and select each of the following: • dns • fileserve • flash • ftp • paloalto‐updates • ping • ssl • web‐browsing Click OK to close the application group configuration window.
Create the General Internet Policy 3. Go to the WebUI and click Policies > Security. 4. Select the Allow All Out Policy and click Disable. 5. Click Add to define a security policy: General tab Name Enter General Internet Source tab Source Zone Click Add and select Trust‐L3 Source Address Select Any Destination tab Click Add and select Untrust‐L3 Destination Zone Destination Address Select Any Application tab Applications Click Add and select the Known‐Good Application Group Service/URL Category tab Select application‐default from the pull‐down Service Actions tab Select Allow Action Setting Log Setting Select Log at Session End Click OK to close the security policy configuration window.
Enable Interzone Logging 6. Open the Interzone‐Default policy. 7. Click the Actions tab. Note that both Log at Session Start and Log at Session End are unchecked. Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 20
PAN‐EDU‐101
8. Click Cancel. 9. Select the interzone‐default policy row, without opening the policy, and click Override. The Security Policy Rule – predefined window opens. 10. Click the Actions tab. 11. Check Log at Session End. 12. Click OK.
Enable the Application Block Page 13. Return to the WebUI and click Device > Response Pages. 14. Find the Application Block Page line and click Disabled. 15. Check the Enable Application Block Page box, and then click OK. 16. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Verify Internet Connectivity and Application Blocking 17. Test internet connectivity by browsing websites from your desktop. You should be able to surf common sites on the Internet like Google and Yahoo. 18. Use a browser to connect to the site http//www.depositfiles.com. An Application Blocked page appears, indicating that the depositfiles application has been blocked.
19. Go to Monitor > Logs > Traffic to review the traffic logs. Find the entries where the depositfiles application has been blocked. You may want to put (action eq deny) in the filter text box. The site has been blocked because the depositfiles application is not listed in the allowed applications in the General Internet Policy. 20. Now try to work around the application block by using a proxy. From the RDP desktop, go to the proxy site http//www.avoidr.com. 21. Enter www.depositfiles.com in the text box and click Go. An Application Blocked page appears showing that the phproxy application was blocked.
22. Go to Monitor > Logs > Traffic to find the corresponding entry in the Traffic Logs. It indicates that Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 21
PAN‐EDU‐101
the phproxy application has been blocked.
Return to the Allow All Out Security Policies 1. 2. 3. 4.
Go to the WebUI and click Policies > Security. Click the General Internet rule and click Disable button. Select the Allow All Out Policy and click Enable. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 22
PAN‐EDU‐101
Module 6 Scenario – Content‐ID In this lab you will: • • •
Configure Security Profiles Create a Security Profile group Associate Security Profiles and Security Profile Groups to Security Policy
Scenario
Now that traffic is passing through the firewall, you decide to further protect the environment with Security Profiles. The specific security requirements for general internet traffic are: • • •
• • •
Log all URLs accessed by users in the Trust‐L3 zone. In particular, you need to track access to a set of specified technology websites. Access to all hacking and government sites should be set to Continue. Block the following URL categories: o adult and pornography o questionable o unknown Log, but do not block, all viruses detected and maintain packet captures of these events for analysis. Log spyware of severity levels critical and high detected in the traffic. Ignore all other spyware. Configure exe files to be blocked.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 23
PAN‐EDU‐101
After all of these profiles are configured, send test traffic to verify that the protection behaves as expected. After the initial testing is complete, you are asked to change the Antivirus protection to block viruses. Make the changes and verify the difference in behavior. Once the individual profiles are created and tested, combine the profiles into a single group for ease of management. Attach the group to the appropriate security policies.
Required Information Custom Technology sites to track
Location of files for testing antivirus
Procedure for testing file blocking
www.slashdot.org www.cnet.com www.zdnet.com 1. 2. 3. 4.
Browse to http://www.eicar.org Click Anti-Malware Testfile. Click Download Download any of the files using http only. Do not use the SSL links. 1. Navigate to the web site http://www.opera.com 2. Download the installer to your local system
Lab Notes •
Only test the antivirus profile using http, not https. HTTPS connections will prevent the firewall from seeing the packet contents so the viruses contained will not be detected by the profile. Decryption will be covered in a later module.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 24
PAN‐EDU‐101
Module 6 Solution – Content‐ID Note: The presence of other firewalls between your PA‐200 and the internet will cause the lab results to vary.
Configure a Custom URL Filtering Category 1. Go to the WebUI and click Objects > Custom Objects > URL Category. 2. Click Add to create a custom URL category: Name Sites
Enter TechSites Click Add and add each of the following URLs: • www.slashdot.org • www.cnet.com • www.zdnet.com Click OK to close the Custom URL Category profile window.
Configure a URL filtering Profile 3. Click Objects > Security Profiles > URL Filtering. 4. Click Add to define a URL Filtering profile: Name
Lab Manual
Enter student-url-filtering
PAN‐OS 6.1 – Rev A.200
Page 25
PAN‐EDU‐101
Category/Action
Click the right side of the Action header to access the pull‐down menu. Click Set All Actions > Alert.
Search the Category field for hacking and government. Set the Action to Continue for both categories. Search the Category field for the following categories and set the Action to block for each of them: • adult (or adult‐and‐pornography) • government • hacking • questionable • TechSites • unknown Click OK to close the URL Filtering profile window.
Configure an Antivirus Profile 5. Click Objects > Security Profiles > Antivirus. 6. Click Add to create an antivirus profile: Name Antivirus tab Packet Capture Decoders
Enter student-antivirus Check the Packet Capture box Set the Action column to Alert for all decoders Leave the WildFire Actions at default
Click OK to close the antivirus profile window.
Configure an Anti‐Spyware Profile 7. Click Objects > Security Profiles > Anti‐Spyware. 8. Click Add to create an anti‐spyware profile: Name Lab Manual
Enter student-antispyware PAN‐OS 6.1 – Rev A.200
Page 26
PAN‐EDU‐101
Rules tab
Click Add and create a rule with the parameters: • Rule Name: Enter rule-1 • Action: Select Allow • Severity: Check the boxes for Low and Informational only Click OK to save the rule Click Add and create another rule with the parameters: • Rule Name: Enter rule-2 • Action: Select Alert • Severity: Check the boxes for Critical and High only Click OK to save the rule
Click OK to close the anti‐spyware profile window.
Create a File Blocking Profile with Wildfire 9. Click Objects > Security Profiles > File Blocking. 10. Click Add to create a file blocking profile: Name Rules list
Enter student-file-block Click Add and create a rule with the parameters: • Rule Name: Enter blockexe • File Types: Enter exe • Action: Select block Click OK to close the file blocking profile window.
Assign Profiles to a Policy 11. Click Policies > Security. 12. Click Allow All Out in the list of policy names. Edit the policy to include the newly created profiles: Actions tab Profile Type Select Profiles Antivirus Select student‐antivirus Anti‐Spyware Select student‐antispyware URL Filtering Select student‐url‐filtering File Blocking Select student‐file‐block Click OK to close the policy window. 13. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Test the Antivirus Profile 14. Open a browser to http://www.eicar.org. 15. Click Anti‐Malware Testfile. Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 27
PAN‐EDU‐101
16. You may want to temporarily disable any anti‐virus programs you have running on your PC. 17. Click the Download link to access the virus test files. 18. Download any of the Eicar test files listed under the banner “Download area using the standard protocol http”. (Do not use the SSL‐encrypted downloads. The firewall will not be able to detect the viruses in an HTTPS connection unless decryption is configured.) 19. Click Monitor > Logs > Threat to view the threat log. Find the log messages which detect the Eicar files. Scroll to the Action column to verify the alerts for each file download. 20. Click on the green down arrow at on the left side of the line for the Eicar file detection to view the packet capture (PCAP). Here is an example of what a PCAP might look like:
Captured packets can be exported in PCAP format and examined with a protocol analyzer offline for further investigation.
Modify the Antivirus Profile 21. In the PA‐200 GUI, go to Objects > Security Profile > Antivirus. 22. Open the student‐antivirus profile. 23. Under the Action column, select the block action for ftp, http, and smb. 24. Click OK to close the Antivirus Profile 25. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Test the new Antivirus Profile 26. Open a new browser window to www.eicar.org 27. Click Anti‐Malware Testfile. 28. Click the Download link to access the virus test files. 29. Download any of the Eicar test files listed under the banner “Download area using the standard protocol http” again. This time, since the antivirus profile is set to block, the download fails and a response page appears. 30. Return to the Monitor > Logs > Threat in the WebUI and find that log entries stating that the Eicar virus was detected and blocked. 31. After 15 minutes, the threats you just generated will appear on the ACC tab under the Threats section. Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 28
PAN‐EDU‐101
Test the URL Filtering Profile 32. Open a browser and browse to various websites. 33. In the WebUI, click Monitor > Logs > URL Filtering. Verify that the URL filtering profile records each website that you visit. 34. Now test the Block Condition that you created by visiting a site that is part of the hacking, government or TechSites categories. Attempt to browse to a government site like http://www.whitehouse.gov, hacking sites like http://www.2600.org, or to the sites that you listed in the TechSites Application Group. The profile will block this action and you will see a Block page similar to the following:
Test the File Blocking Profile with Wildfire 35. Open a new browser window to http://www.opera.com. 36. Download the Opera browser installer to your local system. The download should fail. 37. Click Monitor > Logs > Data Filtering and find the log entry where the exe file was denied.
Configure a Security Profile Group 38. Return to the WebUI and click Objects > Security Profile Groups. 39. Click Add to define a security profile group: Name Enter student-profile-group Antivirus Profile Select student‐antivirus Anti‐Spyware Profile Select student‐antispyware URL Filtering Profile Select student‐url‐filtering File Blocking Profile Select student‐file‐block Click OK to close the security profile group window.
Assign the Security Profile Group to a Policy 40. Click Policies > Security. 41. Click Allow All Out in the list of policy names. Edit the policy to replace the profiles with the profile group: Actions tab Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 29
PAN‐EDU‐101
Select Group Profile Type Group Profile Select student‐profile‐group Click OK to close the policy window. 42. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 30
PAN‐EDU‐101
Module 7 Scenario – Decryption In this lab you will: • •
Create a self‐signed SSL certificate Configure the firewall as a forward‐proxy using decryption rules
Scenario Your security team is concerned about the results of the testing performed as part of the security profile configurations. The team observed that the antivirus profile only identified virus which were not SSL encrypted. The concern is that files transferred from encrypted sources (e.g., https://www.facebook.com) could escape detection and cause issues. You want to evaluate using a forward‐proxy configuration on the Palo Alto Networks firewall. Only traffic from Trust‐L3 to Untrust‐L3 needs to be decrypted. Since this is not production, you decide to use self‐ signed SSL certificates generated on the firewall for this implementation. Once an application is decrypted and identified by the PAN firewall, it may be denied if you have set the Security Policy to only allow applications that arrive on their standard default ports. For example, if FTP traffic encrypted by SSL is decrypted and recognized by the firewall, the firewall will see it as FTP traffic arriving on Port 443. Because this is not the standard FTP port, it may be denied. Therefore, in this exercise, when you are using decryption, you will set your Security Rules to allow any port instead of using application‐default. The legal department has advised you that certain traffic should not be decrypted for liability reasons. Specifically, you may not decrypt traffic from health‐related, shopping, or financial web sites. Test the decryption two ways: •
Attempt to download test files from www.eicar.org using https and verify that they are detected by the firewall
Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 31
PAN‐EDU‐101
•
Connect to various websites using https and use the logs to verify that the correct URL categories are being decrypted
You will receive certificate errors when browsing after decryption is enabled. This is expected because the self‐signed certificates have not been added to the Trusted certificates of the client browser. Resolve this by adding the firewall certificate to the clients as a Trusted Root Certificate. After your initial testing of the forward‐proxy, the penetration testing team calls you to request an exception to the decryption rules. The team asks that www.eicar.org be excluded from decryption so that they will still be able to download the files that they need to perform their evaluations. Change the implementation to allow this exception.
Required Information Self-signed Certificate name Common Name of the SSL Certificate Decryption Policies
student-ssl-cert 192.168.2.1 no-decrypt-traffic decrypt-all-traffic
Lab Notes •
•
You will get certificate errors when browsing after decryption is enabled. This is expected because the self‐signed certificates have not been added to the trusted certificates of the client browser. In a production environment you would resolve this by adding the firewall certificate to the clients as trusted or by using a commercial certificate from a known CA such as VeriSign. Order matters with policies – make sure that the “decrypt” and “no‐decrypt” policies are evaluated in the correct order.
Lab Manual
PAN‐OS 6.1 – Rev A.200
Page 32
PAN‐EDU‐101
Module 7 Solution ‐ Decryption Verify firewall behavior without decryption 1. Open a new browser window to www.eicar.org 2. Click Anti‐Malware Testfile. 3. Click the Download link to access the virus test files. 4. Download any of the Eicar test zip files listed under the banner “Download area using the secure, SSL enabled protocol https”. The download succeeds. 5. Go to the PA‐200 GUI and click Monitor > Logs > Threat to view the log. Notice that SSL decryption hid the contents of the firewall and so the test file was not detected as a threat.
Create an SSL self‐signed Certificate 6. Click Device > Certificate Management > Certificates. 7. Click Generate at the bottom of the screen to create a new self‐signed certificate: Certificate Name Enter CA-X-ssl-cert Common Name Enter 192.168.2.1 Certificate Authority Check the box Click Generate to create the certificate. Click OK to dismiss the certificate generation success window. 8. Click CA‐X‐ssl‐cert in the list of certificates to edit the certificate properties. Check the boxes for Forward Trust Certificate and Forward Untrust Certificate. Click OK to confirm the changes.
Create SSL Decryption Policies 9. Click Policies > Decryption. 10. Click Add to create an SSL decryption rule for the exception categories: General tab Name Enter no-decrypt-traffic Source tab Source Zone Click Add then select Trust‐L3 Destination tab Click Add then select Untrust‐L3 Destination Zone URL Category tab URL Category Click Add and add each of the following URL categories: • health‐and‐medicine • shopping • financial‐services Options tab Select no‐decrypt Action Type Select SSL Forward Proxy Click OK to close the configuration window. Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 33
PAN‐EDU‐101
11. Click Add to create the SSL decryption rule for general decryption: General tab Name Enter decrypt-all-traffic Source tab Source Zone Click Add then select Trust‐L3 Destination tab Click Add then select Untrust‐L3 Destination Zone URL Category tab Verify that the Any box is checked URL Category Options tab Select decrypt Action Type Select SSL Forward Proxy Click OK to close the configuration window. 12. Confirm that your decryption policy list looks like this:
Modify the General Internet Security Policy 13. In the WebUI, open Policies > Security. 14. Open the General Internet Policy. 15. Select the Service/URL Category tab. 16. Change the drop‐down box from application‐default to any. Click OK to close. 17. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.
Test the SSL Decryption Policies 18. Open a new browser window to www.eicar.org 19. Click Anti‐Malware Testfile. 20. Click the Download link to access the virus test files. 21. Download any of the Eicar test zip files listed under the banner “Download area using the secure, SSL enabled protocol https”. A certificate error occurs. This is expected behavior because the firewall is intercepting the SSL connection and performing man‐in‐the‐middle decryption. 22. Click through the certificate error. The download fails and a block page appears. 23. In the WebUI, examine the Threat logs under Monitor > Logs > Threat. The virus should have been detected, since the SSL connection was decrypted. 24. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box has a check mark. Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 34
PAN‐EDU‐101
25. In the WebUI, click Monitor > Logs > Traffic. 26. Set the traffic log to display only port 443 traffic by entering ( port.dst eq 443 ) in the filter field. 27. Select 10 Seconds from the pull‐down menu so that the display will refresh automatically.
28. In a separate browser window, browse to the following URLs using https: • financial‐services: www.bankofamerica.com • health‐and‐medicine: www.deltadental.com • shopping: www.macys.com 29. Now use https:// to browse to sites like bing.com or yahoo.com which are not excluded. 30. Return to the traffic log at Monitor > Traffic > Logs. 31. If the URL Category column is not displayed, click the drop down arrow next to one of the columns and select URL Category. 32. Find an entry for one of the excluded categories by looking at the value in the URL Category column. 33. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify that the Decrypted box in the Misc panel is unchecked. 34. Find an entry for one of the non‐excluded categories by looking at the value in the URL Category column. 35. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify that the Decrypted box in the Misc panel is checked.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 35
PAN‐EDU‐101
Import the CA Certificate into Windows Trusted Certificates 36. Click Device > Certificate Management > Certificates. 37. Select the line containing CA‐X‐ssl‐cert, without opening the certificate. 38. Click Export. The Export Certification window opens. 39. Leave the file format at PEM, and leave the Export private key checkbox unchecked. 40. Click OK and download the crt file to the Desktop. (If your browser saves the file as a .txt file, change the extension to .crt)
41. Double‐click the certificate. A Security Warning appears. 42. Click Open. The certificate opens. 43. Click Install Certificate… The Certificate Import Wizard opens. 44. Click Next. 45. Select Place all certificates in the following store and click Browse. The Select Certificate Store window opens. Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 36
PAN‐EDU‐101 46. Choose Trusted Root Certificate Authorities and click OK. The window closes.
47. Click Next. The Completing the Certificate Import window appears. 48. Click Finish. A Security Warning appears. 49. Click Yes. A box indicates that the import was successful. Click OK. 50. Close the certificate by clicking OK. 51. Double‐click the certificate to open it. 52. In the certificate, click the Certification Path tab. Notice that the Certificate Status says “This certificate is OK”. 53. Close the certificate by clicking OK. 54. Use Chrome or Internet Explorer (NOT Firefox, which uses its own Certificate Store) to browse https sites. Notice that you no longer receive the Certificate errors.
Exclude a Site from Decryption 55. From your desktop, use PuTTY to open an SSH session to 192.168.2.1. 56. Login with Username admin Password paloalto. 57. Issue the following commands. > configure # set shared ssl-decrypt ssl-exclude-cert *.eicar.org # show shared ssl-decrypt # commit
58. When the configuration has finished committing, log out of the PuTTY session. Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 37
PAN‐EDU‐101
Module 10 Scenario – Management and Reporting In this lab you will: •
Tour the PAN Firewall Dashboard
•
Tour the Logs
•
Generate Reports
Your manager wants to see daily reports which detail the threats encountered by the firewall. Configure a custom report to show a threat summary for all traffic allowed in the past 24 hours. It should include the threat name, the application (including technology and sub‐category for reference), and the number of times that threat was encountered. Export the file as a PDF.
Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 38
PAN‐EDU‐101
Module 10 Solution – Management and Reporting Explore the Dashboard, ACC and Session Browser 1. 2. 3. 4. 5. 6. 7.
In the WebUI, go to the Dashboard. What information is available? Go the ACC tab and change the Time period to the Last 7 Days. Review the contents of the available widgets. What information is available? Click the Monitor tab. Click App Scope > Summary. Explore the other branches underneath the App Scope tree. What information is available? Click the Session Browser to see any current sessions.
Explore the Logs 8. In the Monitor tab, under Logs, click on each type of log and examine the log activity. 9. Experiment with the filters to limit the log entries show in the log files.
Create a Custom Report 10. Click Monitor > Manage Custom Reports. 11. Click Add to define a new custom threat report: Name Database Time Frame Sort by Group by Selected Columns
Query Builder
Enter Top Threats by Day Select Summary Databases ‐ Threat Select Last 24 Hrs Select Count and Top 10 Select None and 10 Groups Populate the Selected Columns field with the following values, in this order: • Threat/Content Name • Application • App Technology • App Sub Category • Count Build a query using the following parameters: • • • • •
Connector: Select and Attribute: Select Rule Operator: Select = Value: Enter Allow and Log Outbound Click Add
Click OK to save the custom report definition. 12. Click the name of your custom report to reopen the custom report window. Click Run Now to generate the report. 13. The report will appear in a new tab in the window. Click Export to PDF to save it to your RDP desktop. 14. Click OK to close the Custom Report window Lab Manual
PAN‐OS 6.0 – Rev A.200
Page 39
View more...
Comments
