Lab Manual PAN-EDU-201
Firewall Installation, Configuration, and Management Essentials I
January, 2013
PAN-EDU-201
PAN-OS - 5.0 - Rev A
Lab Manual
http://education.paloaltonetworks.com
2012 Palo Alto Networks. Proprietary and Confidential
Table of Contents
How to use this Lab Guide
Lab Equipment Setup
Module 0 Introduction Lab Access and Review
  Task 1 RDP to StudentPC, HTTPS and SSH to Student firewall
  Task 2 Review PAN-OS software, Content, and Licenses
  Task 3 Disable Panorama sharing
Module 1 Administration and Management
  Task 1 Apply baseline configuration to your firewall
  Task 2 Clear the logs
  Task 3 Add an Administrator Role
  Task 4 Add an administrator account
  Task 5 Take a Transaction Lock and test the lock
Module 2 Interface Configuration
  Task 1 Create a new Security Zone
  Task 2 Create Interface Management Profiles
  Task 3 Configure a Tap interface
  Task 4 Configure a Vwire
Module 3 Layer 3 Configuration
  Task 1 Configure Ethernet interfaces with Layer 3 info
  Task 2 Configure DHCP
  Task 3 Create a Virtual Router
  Task 4 Create a Source NAT policy
  Task 5 Create a Destination NAT Policy
Module 4 App-ID
  Task 1 Create a basic Security Policy for outbound traffic
  Task 2 Create 2 basic policies to deny all inbound and outbound traffic
  Task 3 Create an Application Block Page
  Task 5 Create Application Filter
  Task 6 Create Application Group
  Task 7 Create three new Security Policies that match the following criteria:
  Task 8 Create a custom query in the Traffic Log
Module 5 Content ID
  Task 1 Configure a URL filtering Profile
  Task 2 Configure a Custom URL Filtering Category
  Task 3 Configure an Antivirus Profile
  Task 4 Configure an Antispyware Profile
  Task 5 Connect individual Profile to Policy
  Task 6 Test connectivity
  Task 7 Create a File Blocking Profile: Wildfire
  Task 8 Configure a Security Profile Group
  Task 9 Connect Profile Group to Policy
  Task 10 Create a Custom Report
Module 6 User-ID
  Task 1 Configure firewall to talk to User-ID Agent
  Task 2 Review user/IP information
  Task 3 User-ID Agent (optional)
Module 7 Decryption
  Task 1 Pre setup and test
  Task 2 Create an SSL self-signed Certificate
  Task 3 Create SSL Outbound Decryption Policies
  Task 4 Set SSL exclude cache
  Task 5 Review Self-signed Certificate on StudentPC browser
Module 8 VPN
  Task 1 Configure IPsec Tunnel Trust Zone
  Task 2 Configure IPsec Tunnel Untrust Zone
Module 9 High Availability (optional)
  Task 1 Configure HA Active/Passive
Module 10 Panorama
  Task 1 Pre setup and test
  Task 2 Create a custom report - Panorama
  Task 3 Create an Application Group Object
  Task 4 Create Pre/Post Policy
  Task 5 Push config to student firewall
  Task 6 Switch context and review Policy on firewall
How to use this Lab Guide
The Lab Guide is laid out to follow the Modules in the Student Guide. There are multiple tasks for each
Module. For each Task, where appropriate, there are 3 sections. The first section is a diagram of what
the firewall configuration should look like. The second section contains the steps to create the
configuration through the GUI. The third section contains the CLI commands to create the configuration.
You can either complete the Tasks by referencing the diagram and the material in the Student Guide, or
you can follow the steps in the second section. If you have sufficient experience with the PAN-OS CLI, you
can type the commands in the CLI section.
NOTE:
Unless specified, the Chrome web browser and the Putty SSH client will be
used to perform any tasks outlined in the following labs. (These apps are pre-
installed on the desktop of the StudentPC.)
Once these labs are completed you should be able to:
1. Configure the basic operations of the firewall including: Interfaces, Security Zones, and
Security Policies
2. Configure basic Layer 3 operations including: IP addressing and NAT
3. Configure basic Content-ID functionality including: AV and URL filtering
4. Understand the basic operation of Logs and Reporting
5. Configure extended operations including: IPsec, SSL decryption, and HA
With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help
enabled this training to be built, tested, and deployed.
Lab Equipment Setup
[Diagram: Student PC Setup. Labels: RDP: ___.___.___.___; Student Firewall; Firewall Interface: Management (Management 10.30.11.x/24); Firewall Interface: Ethernet 1/2 (Trust-L3 192.168.x.1/24); EDU lab firewall; Internet.]
[Diagram: Firewall Setup. Labels: Panorama; Domain Controller; VSYS; HA; TAP Intf; Trunk 802.1q; Vwire 2 x Intf; L3 Intf (Trust-L3 192.168.x.y/24); E 1/1.2xx and E 1/2 through E 1/8; Switch; Router; EDU lab firewall; Internet; Untrust-L3 172.16.x.1/24.]
Module 0 Introduction Lab Access and Review
In this lab you will:
Test connectivity to your Student firewall over RDP
Test StudentPC to student firewall connectivity
Review the operating system and licensing
Task 1 RDP to StudentPC, HTTPS and SSH to Student firewall
Using the login credentials and IP information provided by the instructor:
Step 1: Open your local RDP client and open a session to your assigned RDP IP address.
Step 2: Once connected, use the Student PC web browser and putty client to test connectivity to the
student firewall.
Task 2 Review PAN-OS software, Content, and Licenses
Step 1: Click on the Device tab > Software
Step 2: Review available, downloaded, and installed PAN-OS software
Question: What version of PAN-OS is running on your firewall?
__________________________________________________
Step 3: Click on the Device tab > Dynamic Updates
Step 4: Review Applications, Viruses, and URL Filtering to check for date of last update
Step 5: Click on the Device tab > Licenses
Step 6: Review licenses installed and their expiration dates
Step 7: In Device > Setup > Management, set the current date and time zone
Task 3 Disable Panorama sharing
Step 1: Click on the Device tab > Setup > Management tab
Step 2: Click on the Panorama Settings edit button:
Step 3: If the button in the pop-up window says: Click on it. There will be an
additional pop-up window that allows you to select Import shared config from Panorama before
disabling. DO NOT SELECT THIS BOX. Simply click Ok and then Ok in the Panorama Settings pop-up.
If there are no settings about Panorama, close the tab and move on.
Module 1 Administration and Management
In this lab you will:
Apply a baseline configuration to build successive labs
Create a new admin role on the firewall
Create interface management profiles
Task 1 Apply baseline configuration to your firewall
Step 1: Open your Student PC web browser and login to your student firewall.
Step 2: Click on the Device tab > Setup > Operations tab
Step 3: Click Load Named Configuration Snapshot
Step 4: Select the file after_reset_X (where X is your Student Number)
Step 5: Click Ok then click Commit
Task 2 Clear the logs
Step 1: Click Device > Log Settings > Manage Logs
Step 2: Click Clear Traffic Logs and Clear Threat, URL, and Data Logs
Task 3 Add an Administrator Role
Step 1: Click on the Device tab > Admin Roles
Step 2: Click Add in the lower left
Step 3: Configure a new admin role with the name Policy Admins
Step 4: In the Webui box, click on the following major categories to disable them: Monitor, Network, and
Device. The remaining major categories of Dashboard, ACC, Policy, Objects, Privacy, and Commit should
be enabled.
Step 5: Leave the CLI option set to None. Click OK to continue.
Task 4 Add an administrator account
Step 1: Click on the Device tab > Administrators
Step 2: Click Add in the lower left
Step 3: Configure a new administrator with the following parameters:
Name ip-admin
Authentication Profile: None
Password and Confirm Password: paloalto
Role: Role Based
Profile: Policy Admins from the dropdown menu
Step 4: Click Ok then Click Commit
Step 5: Log off the GUI, then log back in as ip-admin and explore functionality
Task 5 Take a Transaction Lock and test the lock
Step 1: Click on the transaction lock icon (to the right of the Commit button).
Step 2: Click Take Lock, set the Type to Config and click OK. Click Close to close the transaction
lock window
Step 3: Open a different browser and login with your admin account
Step 4: Click on the transaction lock icon to view the locks taken
Step 5: Attempt to add another user (Module 1 Task 3).
Question: At what point does the firewall block your action?
________________________________________________
(Answer: It will give you an error when you click the OK button.)
Step 6: Log out of the ip-admin account
Module 2 Interface Configuration
In this lab you will:
Create Security Zones
Create Interface Management Profiles
Configure basic interface types
Task 1 Create a new Security Zone
Step 1: Click on the Network tab > Zones
Step 2: Click Add
Step 3: Set Type to Tap
Step 4: Set the Zone name Student-tap-zone
Step 5: Click Ok
Question: Why is the OK button disabled?
__________________________________
(Answer: the zone name is too long. Change the zone name to be no more than 15 characters.)
Step 6: Set the Zone name Trust-L3
Step 7: Set Type to Layer3
Step 8: Click Ok
Step 9: Click Add and Set the Zone name Untrust-L3
Step 10: Set Type to Layer3
Step 11: Click Ok
Step 12: Click Add
Step 13: Set the Zone name Vwire-zone-3
Step 14: Set Type to Virtual Wire
Step 15: Click Ok
Step 16: Click Add
Step 17: Set the Zone name Vwire-zone-4
Step 18: Set Type to Virtual Wire
Step 19: Click Ok
Task 2 Create Interface Management Profiles
Step 1: Click on the Network tab > Network Profiles > Interface Mgmt
Step 2: Click Add
Step 3: Set Name to allow_all
Step 4: Select all check boxes
Step 5: Click OK
Step 6: Create a second profile called allow_ping
Step 7: Click Ping check box
Step 8: Click OK then click Commit
Task 3 Configure a Tap interface
Step 1: Click on the Network tab > Interfaces
Step 2: Click on interface ethernet1/5
Step 3: Select Type Tap
Step 4: Select Zone Student-Tap-Zon (or whatever you named it), then click Ok
Task 4 Configure a Vwire
Step 1: Click on the Network tab > Interfaces
Step 2: Click on interface ethernet1/3
Step 3: Select Interface Type Virtual Wire
Step 4: In the Virtual Wire field, click the dropdown arrow and click New Virtual Wire
Step 5: In the pop-up window, set the Name to student-vwire and then click OK
Step 6: Click the arrow in the Security Zone field, and select Vwire-zone-3.
Step 7: Click OK
Step 8: Click on interface ethernet1/4
Step 9: Select Interface Type Virtual Wire
Step 10: In the Virtual Wire field, click the dropdown arrow and select student-vwire.
Step 11: Click the arrow in the Security Zone field, and select Vwire-zone-4.
Step 12: Click OK
Step 13: Back in the interface popup window, click OK and Commit all changes
Module 3 Layer 3 Configuration
In this lab you will:
Configure ethernet interfaces with Layer 3 information
Configure DHCP
Create a Virtual Router
Create a Source NAT policy
Create a Destination NAT policy
Task 1 Configure Ethernet interfaces with Layer 3 info
Step 1: Click on Network tab > Interfaces > Ethernet and select interface ethernet1/2
Step 2: In the pop-up, set Type to Layer3
Step 3: Set Security Zone to Trust-L3
Step 4: Select the IPv4 tab, click Add and enter the following IP address and subnet mask:
192.168.__.1/24 (your student # is the 3rd octet)
Step 5: Select the Advanced tab, then the Other info tab, and set the Management Profile to allow_all
then click OK
Step 6: Click on the Network tab > Interfaces and select interface ethernet1/1
Step 7: In the pop-up, set Type to Layer3 then click Ok
Step 8: Click Add Layer3 Subinterface at the bottom of the page
Step 9: Set Interface Name to ethernet1/1
Step 10: Set the sub-interface ID to 200 + Student #. (Example: Student-05 would be 205.)
Step 11: Set the Tag to match the sub-interface ID
Step 12: Click the dropdown arrow in the Security Zone field, and click New Zone
Step 13: In the popup window set the Name to Untrust-L3
Step 14: Select the IPv4 tab, click Add and enter the following IP address and subnet mask:
172.16.___.1/24 (your student # is the 3rd octet)
Step 15: Select the Advanced tab and set the Management Profile to allow_ping then click OK
Task 2 Configure DHCP
Step 1: Click on the Network tab > DHCP > DHCP Server tab
Step 2: Click Add
Step 3: Select Interface ethernet1/2
Step 4: Set Gateway 192.168.___.1 (the 3rd octet is your student #)
Step 5: Set Primary DNS to 10.30.11.50
Step 6: Click the Add button in the IP Pools window, and enter an IP Pool of 192.168.___.50-
192.168.___.60 (the 3rd octet is your student #)
Step 7: Review and click OK
Task 3 Create a Virtual Router
Step 1: Click on the Network tab > Virtual Routers
Step 2: Click Add
Step 3: Set the Name to Student-VR
Step 4: Click Add in the Interfaces window and select interface ethernet1/1.2__ and ethernet1/2
Step 5: Select the Static Route tab, click Add and add a default route with the following information:
Name default
Destination 0.0.0.0/0
Next Hop to IP Address and enter an IP address of 172.16.___(X)_.254 (where X is your
student #)
Step 6: Click OK to add the route, review your VR configuration, and then click OK
Step 7: Delete the default-vwire object under Network|Virtual Wires
Step 8: Click Commit to make the changes active
Step 9: Open a StudentPC command prompt and release/renew the IP configuration (C:\> ipconfig
/release and C:\> ipconfig /renew and C:\> ipconfig /all) to check that DHCP configuration was
successful. You should be able to ping 192.168.___(X)_.1
NOTE: DO NOT MANUALLY CHANGE THE INTERFACE CONFIGURATIONS OF THE STUDENT
PC. If a DHCP address is not installed - review Student Firewall DHCP configuration first.
Task 4 Create a Source NAT policy
Step 1: Click on the Policies tab > NAT
Step 2: Click Add, name it student source nat, then click on the Original Packet tab
Step 3: Click Add in the Source Zone box and select Trust-L3. Set the Destination Zone to Untrust-L3.
Step 4: Confirm that the Any checkbox for the Source Address and Destination Address are checked.
Step 5: Click on Translated Packet tab
Step 6: Select Translation Type of Dynamic IP and Port
Step 7: Set Address Type to Interface Address
Step 8: Select Interface ethernet1/1.x (where x is 200 + your student #)
Step 9: Select the 172.16.___(X)_.1 subnet from the pull-down immediately below IP Type, then press
OK.
Step 10: From the Policy|Security menu, select the policy and click the Delete button below.
Step 11: Create a new policy that allows any traffic from the Trust-L3 zone to the Untrust-L3 zone.
The policy must now look like the following:
Step 12: From the Network|Zone menu, remove the zones trust and untrust, then commit
Task 5 Create a Destination NAT Policy
Step 1: Click on the Policies tab > NAT
Step 2: Click Add, name it web nat, then click on the Original Packet tab
Step 3: Click Add (in the Source Zone box) and select Trust-L3
Step 4: Set the Destination Zone to Untrust-L3
Step 5: Click Any for the Source Address
Step 6: Click Add in the Destination Address box and enter the IP address of www.fortinet.com (you'll
need to look up that IP address)
Step 7: Click on Translated Packet tab and check the Destination Address Translation box
Step 8: In the Destination Address Translation section add the IP address of
www.exclusive-networks.com (you'll need to look up that IP address)
Step 9: In the Source Address Translation, set the Translation Type to Dynamic IP and Port
Step 10: Set Address Type to Interface Address
Step 11: Select Interface ethernet1/1.x (where x is 200 + your student #)
Step 12: Select the 172.16.___(X)_.1 subnet from the IP Address pull-down
Step 13: Move the rule to the top of the list, click OK then Commit all changes
Step 14: Open a new browser tab to www.fortinet.com. Can you connect? Why or why not?
Module 4 App-ID
In this lab you will:
Create a security policy to allow basic internet connectivity and log dropped traffic
Enable Application Block pages
Create Application Filters and Application Groups
Task 1 Create a basic Security Policy for outbound traffic
Step 1: Click on the Policies tab > Security and delete any other policy.
Step 2: Click Add
Step 3: Create a new rule named General Internet
Step 4: Configure the following information:
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: flash, dns, web-browsing, ssl, ping
Service: application-default
Action: Allow
Task 2 Create 2 basic policies to deny all inbound and outbound traffic
Question: Why would you want to create 2 rules inbound and outbound rather than a single
deny all rule?
__________________________________
Step 1: Click Add
Step 2: Create a new rule named Deny Outbound
Step 3: Configure the following information:
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: Any
Service: Any
Action: Deny
Step 4: Create a rule named Deny Inbound
Step 5: Configure the following information:
Source Zone: Untrust-L3
Source Address: Any
Destination Zone: Trust-L3
Destination Address: Any
Application: Any
Service: Any
Action: Deny
Step 6: Ensure your Security Policy looks like this:
Step 7: Commit your changes
Question: In the General Internet rule, why do you use application-default as the service,
whereas you use Any as the service in the two deny rules?
__________________________________
Once complete, your Student PC should have access to the Internet.
Step 8: You will now test your new policies. Test internet connectivity by pinging 4.2.2.2 from your
workstation. Does web surfing over ports 80 and 443 work?
Step 9: Use a browser to try to connect to the site http://www.box.net. The browser should not be able
to display the site. Why is that? Take a look at the log message in the traffic logs to find out. What is
special about that application?
Step 10: Also attempt to reach the site http://www.box.net using the proxy site http://www.avoidr.com.
Why can you bring up that web site? (Hint: look at the traffic logs)
Task 3 Create an Application Block Page
Step 1: Go to www.facebook.com: what is the browser response?
Step 2: Ensure the Interface Management Profile, applied to your ethernet1/2 interface (Trust-L3), has
Response Pages checked
Step 3: Click on the Device tab > Response Pages > Application Block Page
Step 4: Enable by clicking Enable
Step 5: Click OK then commit your changes
Step 6: Go to www.facebook.com: what is the browser response?
Task 5 Create Application Filter
Step 1: Delete all current rules in your security policy
Step 2: Click on the Objects tab > Application Filters and create a new filter named Proxies
Step 3: Set the Subcategory to proxy
Step 4: Create a second filter named Web-Based-File-Share and set the Subcategory to file-sharing and set the Technology to browser-based
Task 6 Create Application Group
Step 1: Click on the Objects tab > Application Groups
Step 2: Create a new group named Known-Good and add the applications ssl, web-browsing, ping, dns, and flash
Step 3: Create a second group called Known-Bad and add the application filters Proxies and Web-based-file-share to it
Task 7 Create three new Security Policies that match the following criteria:
Configure the policies with the following information:
Step 1: The first policy allows the known good applications.
Rule 1 Name: Known-Good
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: The Application Group Known-Good
Service: application-default
Action: Allow
Step 2: The second policy blocks all of your known bad applications
Rule 2 Name: Known-Bad
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: Application Group Known-Bad
Service: Any
Action: Deny
Step 3: The third policy allows all other traffic
Rule 3 Name: Log All
Source Zone: Trust-L3
Source Address: Any
Destination Zone: Untrust-L3
Destination Address: Any
Application: Any
Service: Any
Action: Allow
Step 4: Confirm that your security rulebase looks like this, and then commit your changes:
Step 5: You will now test your new policies. Ping from your student PC out to the Internet. That should work. Also, web surfing should work, over port 80 and 443.
Step 6: Use a browser to try to connect to the site www.box.net. The browser should not be able to display the site. Why is that? Take a look at the log message in the traffic log to find out. What is special about that application?
Step 7: Now attempt to reach www.box.net using the proxy site www.avoidr.com. Go to www.avoidr.com. You should not be allowed to browse it, why? (HINT: look at the traffic logs).
Step 8: Select the ACC tab to access the Application Command Center. Use the drop-down menu in the application section of the ACC to select different ways of viewing the traffic that you have generated. What is the total risk level for all traffic that has passed through the firewall thus far? Notice that the URL Filtering, Threat Prevention, and Data Filtering sections within the ACC contain no matching records.
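The top-down, first-match behaviour that the Task 7 rulebase relies on, and the difference between the application-default and Any services raised in Task 2, can be modelled offline. This is an added example, not part of the original lab manual and not PAN-OS code; the application metadata, the application names example-file-share and example-proxy, and the deny result when no rule matches are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed App-ID metadata (assumed values, not read from a firewall):
# application -> (subcategory, technology, default ports)
APPS = {
    "web-browsing":       ("internet-utility", "browser-based",    {("tcp", 80)}),
    "ssl":                ("encrypted-tunnel", "browser-based",    {("tcp", 443)}),
    "dns":                ("infrastructure",   "network-protocol", {("udp", 53), ("tcp", 53)}),
    "ssh":                ("encrypted-tunnel", "client-server",    {("tcp", 22)}),
    # Hypothetical applications standing in for a web file-sharing site and a proxy site.
    "example-file-share": ("file-sharing",     "browser-based",    {("tcp", 80), ("tcp", 443)}),
    "example-proxy":      ("proxy",            "browser-based",    {("tcp", 80), ("tcp", 443)}),
}

# Application Filters from Task 5: membership is decided by metadata, not by name.
def proxies(app: str) -> bool:
    return APPS[app][0] == "proxy"

def web_based_file_share(app: str) -> bool:
    subcategory, technology, _ = APPS[app]
    return subcategory == "file-sharing" and technology == "browser-based"

# Application Groups from Task 6.
KNOWN_GOOD = {"ssl", "web-browsing", "ping", "dns", "flash"}

def known_good(app: str) -> bool:
    return app in KNOWN_GOOD

def known_bad(app: str) -> bool:
    return proxies(app) or web_based_file_share(app)

def any_app(app: str) -> bool:
    return True

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    app_match: Callable[[str], bool]
    service: str  # "application-default" or "any"
    action: str   # "allow" or "deny"

@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str
    proto: str
    port: int

# The three rules from Task 7, in the order the lab creates them.
RULEBASE = [
    Rule("Known-Good", "Trust-L3", "Untrust-L3", known_good, "application-default", "allow"),
    Rule("Known-Bad",  "Trust-L3", "Untrust-L3", known_bad,  "any",                 "deny"),
    Rule("Log All",    "Trust-L3", "Untrust-L3", any_app,    "any",                 "allow"),
]

def evaluate(s: Session, rules: List[Rule] = RULEBASE) -> Tuple[Optional[str], str]:
    """Return (rule name, action) of the first rule that matches the session."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (s.src_zone, s.dst_zone):
            continue
        if not r.app_match(s.app):
            continue
        # application-default only matches on the application's own default ports.
        if r.service == "application-default" and (s.proto, s.port) not in APPS[s.app][2]:
            continue
        return r.name, r.action
    return None, "deny"  # assumption of this sketch: unmatched traffic is dropped

if __name__ == "__main__":
    samples = [  # constructed sessions
        Session("Trust-L3", "Untrust-L3", "web-browsing", "tcp", 80),
        Session("Trust-L3", "Untrust-L3", "web-browsing", "tcp", 8080),
        Session("Trust-L3", "Untrust-L3", "example-file-share", "tcp", 80),
        Session("Trust-L3", "Untrust-L3", "example-proxy", "tcp", 443),
        Session("Trust-L3", "Untrust-L3", "ssh", "tcp", 22),
    ]
    for s in samples:
        print(f"{s.app:<20}{s.proto}/{s.port:<6}-> {evaluate(s)}")
```

Web browsing on a non-default port falls through Known-Good and is still allowed by Log All, and moving Log All above Known-Bad would leave the deny rule without any traffic to match.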
Task 8 Create a custom query in the Traffic Log
Step 1: Click the Monitor tab > Traffic Logs
Step 2: Click on 1 attribute in the following 3 columns: From Zone, Destination, Application
Step 3: Click the run button () or push Enter
Step 4: Click the query writer button (+) and select and, Bytes,
Module 5 Content ID
In this lab you will:
Configure Security Profiles and connect them to Security Policy
Task 1 Configure a URL filtering Profile
Step 1: Click on Objects tab > Security Profiles > URL Filtering
Step 2: Click Add
Step 3: Set Name Student-url-filtering and set the following:
Check the box next to Dynamic URL Filtering
Set the Action for all Categories to Alert
Place paloaltonetworks.com and *.paloaltonetworks.com into the Allow list
Task 2 Configure a Custom URL Filtering Category
Step 1: Click on Objects tab > Custom URL Categories
Step 2: Click Add
Step 3: Set Name to BadFW and set the following:
Add sites: www.watchguard.com, www.juniper.net, www.fortinet.com, www.mcafee.com,
www.cisco.com, www.netgear.com, www.sonicwall.com, www.barracudanetworks.com,
www.checkpoint.com
Step 4: Click Ok
Task 3 Configure an Antivirus Profile
Step 1: Click on Objects tab > Antivirus
Step 2: Click Add
Step 3: Set Name Student-antivirus and set the following:
Change all Actions to alert
Step 4: Click the Packet Capture check box
Step 5: Click Ok
Task 4 Configure an Antispyware Profile
Step 1: Click on Objects tab > Anti-Spyware and set the profile name to Student-antispyware
Step 2: Click Add (under the Rules tab in the popup) and set the following:
Set Rule Name to rule-1
Set Action to Allow
Set Severity: Low and Informational
Step 3: Click Ok and then click Add again (under the Rules tab in the popup)
Set Rule Name to rule-2
Set Action to Alert
Set Severity: Critical and High
Task 5 Connect individual Profile to Policy
Step 1: Click on the Policies tab > Security
Step 2: Click on none in the Profile column of the Known_Good rule (you may have to scroll to the
right in this screen to see this column).
Step 3: Set Profile Type to Profiles
Step 4: Set Anti-virus to Student-antivirus, set Anti-spyware to Student-antispyware and URL to
Student-url-filtering
Step 5: Click OK
Step 6: Do the same thing for the Log_All rule, then Commit all changes
Task 6 Test connectivity
Step 1: On your student PC, go to http://www.eicar.org, then click on the download antivirus test file
hyperlink and then click download on the left of the page.
Step 2: In the middle of the page a list of links should appear
Step 3: Download the eicar test virus (eicar.com, eicar.com.txt, eicar_com.zip, eicarcom2.zip)
using http.
Step 4: Click on the Monitor tab > Threat log, and look for the log message that detects the eicar file.
Scroll to the Action column to verify the alert for each file download.
Step 5: Click on the green down arrow in the left-hand column. This brings up a view of the packets that
were captured.
Those packets captured could be exported in pcap format, and examined with a protocol analyzer
offline for further investigation.
Step 6: Modify the anti-virus security profile (from MOD 5, Task 3) to BLOCK all viruses
Step 7: Click Commit
Step 8: In a new browser tab or window, attempt to download eicar (Step 3). A block page should appear:
Step 9: On the firewall, click on the Monitor tab > Threat Logs. You will see log entries there stating
that the eicar virus was detected
Step 10: After 15 minutes, the threats you just generated will appear on the ACC tab, under the Threats
section.
Step 11: Browse to various websites. The URL filtering profile is recording each website that you go to.
Step 12: Go to a web site that is a directory of other hacking sites: http://neworder.box.sk
Step 13: On the firewall, click on the Monitor tab > URL Filtering Logs. You will see log entries that
match the web sites you went to. What category was that site?
Step 14: Edit the URL filtering profile (from MOD 5, Task 1) to block access to hacking sites
Step 15: Commit the changes
Step 16: In a new browser window, attempt to go to http://neworder.box.sk. You should not be able to.
You should see a block page similar to the following:
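Returning to Step 3 of this task: the four EICAR downloads differ in how deep an inspection engine must decode before it sees the test string (raw file, zip, zip inside a zip). The sketch below is an added example, not part of the lab manual or the firewall's engine; the in-memory sample files and the functions `scan()` and `coverage()` are constructed for illustration.

```python
import io
import zipfile

# EICAR standard test string (68 bytes). It is assembled from two halves so
# that this listing does not itself trip an antivirus scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")
MAX_MEMBER_BYTES = 1_000_000  # skip oversized archive members (zip-bomb guard)


def zip_bytes(member_name, payload):
    """Return a deflate-compressed zip archive holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def build_samples():
    """Constructed stand-ins for the four files named in Step 3."""
    inner = zip_bytes("eicar.com", EICAR)
    return {
        "eicar.com": EICAR,
        "eicar.com.txt": EICAR,
        "eicar_com.zip": inner,                               # one archive level
        "eicarcom2.zip": zip_bytes("eicar_com.zip", inner),   # two archive levels
    }


def scan(data, max_depth):
    """Return the archive depth at which EICAR was found, or None."""
    def walk(blob, depth):
        if EICAR in blob:
            return depth
        if depth < max_depth and zipfile.is_zipfile(io.BytesIO(blob)):
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        continue
                    try:
                        found = walk(zf.read(info), depth + 1)
                    except (RuntimeError, zipfile.BadZipFile):
                        continue  # encrypted or corrupt member: cannot inspect
                    if found is not None:
                        return found
        return None
    return walk(data, 0)


def coverage(max_depth):
    """Which of the four samples a scanner limited to max_depth would flag."""
    return {name: scan(blob, max_depth) is not None
            for name, blob in build_samples().items()}


if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(depth, coverage(depth))
```

An alert for all four downloads in the Threat log therefore confirms that the profile decodes both archive levels, not just that the signature exists.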
Task 7 Create a File Blocking Profile: Wildfire
Step 1: Remove the Anti-Virus Profile from the Security Policies
Step 2: Click on Objects tab > Security Profiles > File Blocking
Step 3: Click Add and name the profile Wildfire-test-1
Step 4: Click Add and name the rule type-1
Step 5: Set Action to forward
Step 6: Click Ok
Step 7: Add the Profile to the Known_Good and Log_All Security Policies
Step 8: Add the applications ftp and fileserve to the Known_Good Policy
Step 9: Commit all changes
Step 10: Navigate to \\10.30.11.50\students\student_tools_labs_205 and copy the file named
fiddler2Setup.exe to your desktop.
Step 11: Open a new browser window to http://www.fileserve.com
Step 12: Log in with the credentials Login: panedu / Passwd: paloalto
Step 13: Click the Upload tab (in the Fileserve web site) and upload the setup.exe file
Step 14: Review the Data Filtering log; the file should be sent to the sandbox for analysis. Your teacher
will show you the verdict for the file in the sandbox system
Task 8 Configure a Security Profile Group
Step 1: Click on Objects tab > Security Profile Groups
Step 2: Click Add
Step 3: Set Name to Student-profile-group and set the following:
Antivirus to Student-antivirus
Anti-spyware to student-antispyware
URL Filtering to student-url-filtering
Step 4: Click Ok
Task 9 Connect Profile Group to Policy
Step 1: Click on the Policies tab > Security
Step 2: Click on none in the Profile column of the Known-Good rule
Step 3: In the pull-down list of the pop-up, set Profile Type to Group
Step 4: Set Group Profile to student-profile-group
Step 5: Click OK then Commit all changes
Task 10 Create a Custom Report
Step 1: Click the Monitor tab > Manage Custom Reports and click Add with the following:
Report name: Top unclassified traffic by day
Database: Traffic Summary
Period: Last 24 hours
Sort By: Bytes
Select Top 5
Group By: None
Remove the existing column headings before adding the following columns
Selected columns (in the following order): application, application technology, application
subcategory, bytes
Add a Query where the filter condition is:
Attribute: Rule
Operation: =
Value: (use the name you gave to the rule in your security policies: it should be called
Known_Good. Make sure to use the same capitalization).
Step 2: Save the report and then run the report.
Module 6 User-ID
In this lab you will:
Connect your firewall to a User-ID Agent
Task 1 Configure firewall to talk to User-ID Agent
Step 1: Click on Device tab > User Identification > User-ID Agents tab
Step 2: Click Add and set the name to pan-training-X (where X is your student number)
Step 3: Set IP address to 10.30.11.50 (Instructor may provide different IP information)
Step 4: Set Port to 5000 (Instructor may provide different port information)
Step 5: Click OK then Commit all changes
Task 2 Review user/IP information
Step 1: Open an SSH session, log in and issue the following commands:
show user user-id-agent statistics
show user user-IDs
show user ip-user-mapping all
show user ip-user-mapping ip
Note the mappings are from AD and the IP addresses associated with the student accounts.
Task 3 User-ID Agent (optional)
Step 1: Navigate to \\10.30.11.50\students\software and import the file named UaInstall-4.1.1-7.msi to
your desktop. (Instructor may direct you to a different file.)
Step 2: Double-click the file on your desktop. Click Next 3 times. The installation should begin.
Step 3: Navigate to the following: C:\Program Files\Palo Alto Networks\User-ID Agent and double-click
UaController.exe
Step 4: In the window click Setup (in the left-hand column)
Step 5: In the window click Edit (directly above the box Access Control List) and review the tabs in the
pop-up window
Step 6: Click the Authentication tab and enter the Username/Password provided by the instructor
Step 7: Click the Agent Service tab. (You will need the User-ID Service TCP Port number.) Click Ok
Step 8: Click Discovery in the left-hand column, then click Auto Discover below the Server section
Step 9: Then click Commit in the first window (no further response will occur)
Step 10: Click Logs in the left-hand column to review that the service started
Step 11: Open a StudentPC command prompt and issue C:\> ipconfig /all. Look for the IP address
associated with the Ethernet adapter Management DO NOT CONFIGURE. (This IPv4 address should be
in the range 10.30.11.66-105).
Step 12: With the StudentPC IP address (10.30.11.___) and the Port number from Step 7 repeat Task 1
Configure firewall to talk to User-ID Agent
Step 13: Confirm connectivity with the CLI command show user user-id-agent statistics
Step 14: Review Agent configuration with the CLI command show user user-id-agent config name
Module 7 Decryption
In this lab you will create and test SSL certificates and decryption rules.
Task 1 Pre setup and test
Step 1: Modify your anti-virus profile (from MOD 5, Task 3) to Alert
Step 2: Apply the AV profile to the Known-good and Log All Security Policies
Step 3: Remove the file-blocking profiles from the Security Policies
Step 4: Commit the changes
Step 5: Go to the eicar.org site and find the Download AntiMalware testfiles.
Step 6: Test downloading (without SSL decryption) one of the eicar test files
Step 7: From the same web page, test downloading (this time using the SSL protocol) the eicar.com or
eicar.com.txt
Step 8: Look at the Monitor tab > Threat logs. Was the virus detected? It should not have been, because
the connection was encrypted. We will now enable SSL decryption so that the virus inside the SSL
connection will be decrypted.
Task 2 Create an SSL self-signed Certificate
Step 1: Click the Device tab > Certificates screen
Step 2: Click Generate along the bottom of the screen.
Step 3: Set the certificate fields as follows:
Certificate Name: Student-ssl-cert
Common Name: 192.168.X.1 (where X is your student number)
Country: US (or other 2-letter country code)
State, Locality, Organization, Department, Email, Host Name, and IP with values as desired.
Step 4: Select Certificate Authority below the Signed By field.
Step 5: Click Generate
Step 6: Once the certificate has successfully been generated, click on it to bring up the certificate
properties, and select Forward Trust Certificate and Forward Untrust Certificate
Step 7: Click OK
Task 3 Create SSL Outbound Decryption Policies
Step 1: Click the Policies tab > Decryption.
Step 2: Click Add and create an SSL decryption rule with the following parameters:
General tab: Name No-Decrypt
Source tab: Source Zone Trust-L3
Destination tab: Destination Zone Untrust-L3
Options tab: Action no-decrypt and URL Categories: Health and medicine, Shopping, Financial Services
Step 3: Click Add and create an SSL decryption rule with the following parameters:
General tab: Name Decrypt-all-traffic
Source tab: Source Zone Trust-L3
Destination tab: Destination Zone Untrust-L3
Options tab: Action decrypt, Type SSL Forward Proxy and URL Categories: Any
Step 4: Confirm that the No-Decrypt rule is listed before the Decrypt-all-traffic rule, then click Commit.
Step 5: To test the No-Decrypt rule, first determine what URLs fall into the financial services, shopping, or health and medicine categories. Go to http://www.brightcloud.com/ and enter various URLs that you believe fall into those categories.
Step 6: Once you have found a couple of web sites that are classified as you expect, use a browser to go to those sites. You should not see a certificate error when you go to those sites.
Step 7: To test the SSL decryption rule, go to the www.eicar.org downloads page and download the virus using SSL. You will get a certificate error. This is expected behavior, and you can proceed. (The certificate error appears because the firewall is intercepting the SSL connection and performing man-in-the-middle decryption.)
HINT: If the download doesn't proceed, review the firewall Traffic Log and URL Filtering log. (You may need the IP address of the Eicar site.)
Step 8: Examine the Threat logs. The virus should have been detected, since the SSL connection was decrypted. To the left of the log entry, click on the magnifying glass icon. Scroll to the bottom, and look for the field Decrypted. The value should say yes.
Step 9: Examine the Traffic logs. Find the entry with the SSL application that corresponds to the eicar download. Examine the details view. The Decrypted box should be checked.
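Step 4's ordering check matters because decryption rules are evaluated top-down and the first match wins. The following is an added example (a simplified model, not PAN-OS code and not part of the lab manual) that uses the lab's rule names, zones and URL categories; the `Rule` class, `evaluate()`, `shadowed_rules()` and the category "other" are hypothetical.

```python
from dataclasses import dataclass

ANY = frozenset({"Any"})


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    url_categories: frozenset
    action: str  # "decrypt" or "no-decrypt"

    def matches(self, src_zone, dst_zone, category):
        return (self.src_zone == src_zone
                and self.dst_zone == dst_zone
                and (self.url_categories == ANY
                     or category in self.url_categories))


# The two rules from Steps 2 and 3.
NO_DECRYPT = Rule(
    "No-Decrypt", "Trust-L3", "Untrust-L3",
    frozenset({"Health and medicine", "Shopping", "Financial Services"}),
    "no-decrypt")
DECRYPT_ALL = Rule("Decrypt-all-traffic", "Trust-L3", "Untrust-L3",
                   ANY, "decrypt")


def evaluate(rulebase, src_zone, dst_zone, category):
    """Return (rule name, action) of the first matching rule, top to bottom."""
    for rule in rulebase:
        if rule.matches(src_zone, dst_zone, category):
            return rule.name, rule.action
    return None, "no-decrypt"  # no rule matched: the session stays encrypted


def shadowed_rules(rulebase):
    """Names of rules that can never match because an earlier rule covers them."""
    shadowed = []
    for i, rule in enumerate(rulebase):
        for earlier in rulebase[:i]:
            same_zones = ((earlier.src_zone, earlier.dst_zone)
                          == (rule.src_zone, rule.dst_zone))
            covers = earlier.url_categories == ANY or (
                rule.url_categories != ANY
                and rule.url_categories <= earlier.url_categories)
            if same_zones and covers:
                shadowed.append(rule.name)
                break
    return shadowed


if __name__ == "__main__":
    for order in ([NO_DECRYPT, DECRYPT_ALL], [DECRYPT_ALL, NO_DECRYPT]):
        names = [r.name for r in order]
        print(names, "->",
              evaluate(order, "Trust-L3", "Untrust-L3", "Financial Services"),
              "shadowed:", shadowed_rules(order))
```

With the rules reversed, the Financial Services session is decrypted and No-Decrypt is reported as shadowed, which is the misconfiguration Step 4 guards against.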
Task 4 Set SSL exclude cache
Step 1: Open an SSH connection to the student firewall
Step 2: Set the exclude cache for the eicar.org domain. From configure mode, type:
set shared ssl-decrypt ssl-exclude-cert eicar.org
then enter commit
Step 3: Repeat Steps 7, 8, and 9 from the previous Task
Question: What entries are now in the Traffic and Threat logs?
Task 5 Review Self-signed Certificate on StudentPC browser
Step 1: Open the browser used to test the SSL Outbound Decryption policy created in Task 3. Find the
certificate that was generated (in Task 2) that should now be in the StudentPC browser.
Module 8 VPN
In this lab you will:
Configure an IPsec tunnel to another Student firewall - Trust Zone
Configure an IPsec tunnel to another Student firewall - Untrust Zone
Task 1 Configure IPsec Tunnel - Trust Zone
Step 1: Pick another student firewall and fill in the following:
Your Student Number: (X) ____
Partner's Student Number: (Y) ____
Partner's Ethernet1/1.2xx IP Address: 172.16.____(Y).1
Partner's Trusted Network: 192.168.____(Y).0
Partner's Ethernet1/2 IP address: 192.168.____(Y).1
Step 2: Click Network tab > Interface > Tunnel tab
Step 3: Select Add
Step 4: Create a new tunnel interface. Configure the Tunnel Interface with the following:
Tunnel Interface Name: tunnel.____(X)
Virtual Routers: Student-VR
Zone: Trust-L3
Step 5: Click Network tab > IKE Gateway
Step 6: Click Add and configure with the following:
Name: Student-____ (Y)
Interface: ethernet1/1.2xx
Local IP Address: 172.16.____(X).1
Peer IP Address: 172.16.____(Y).1
Pre-shared Key: paloalto
Step 7: Click Network tab > IPsec Tunnels
Step 8: Click Add and configure with the following:
Name: Tunnel-to-____ (Y)
Tunnel Interface: tunnel.____(X)
IKE Gateway: Student-____(Y)
Step 9: Click Network tab > Virtual Routers
Step 10: Click on Student-VR
Step 11: Click Static Route tab
Step 12: Click Add to add a route with the following information:
Name: student(Y)
Destination: 192.168.____(Y).0/24
Interface: tunnel.____(X)
Step 13: Commit your changes
Step 14: Test VPN tunnel connectivity by opening a command prompt window and typing:
C:\Documents and Settings\student> ping 192.168.____(Y).1
Question: Do you need to modify your security policy? Why or why not?
_____________________________________________________________
(Answer: Since the tunnel interface is in the Trust-L3 zone, no policy changes are required.)
Reference:
admin@PA-500> show vpn tunnel
o Shows current tunnels (has a tunnel ID as first column TnID)
admin@PA-500> show vpn flow tunnel-id
o Shows detailed info on specific tunnel (will show packets and bytes through the tunnel)
admin@PA-500> clear vpn ike-sa gateway all
o Tears down all tunnels and gateway SAs
admin@PA-500> test vpn ipsec-sa tunnel
o Initiates Phase 1 and 2 SAs for specified tunnel
Task 2 Configure IPsec Tunnel - Untrust Zone
Step 1: Edit your tunnel interface and change the Security Zone to Untrust-L3
Step 2: Commit your changes
Step 3: Attempt to ping the remote student's internal gateway interface IP address (192.168._Y_.1).
Question: Does the ping work? If not, why?
________________________________
Answer: It should not work, because there is no policy to allow the traffic.
Step 4: Create a new Security Policy Rule from your Trust zone to your Untrust zone. You should create
address objects for your network and your partner's network and use them to make your policy more
restrictive. You will also need to build a policy from Untrust to Trust to allow the inbound traffic from your
partner's network.
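The two answers in this module follow from one fact: the partner's network takes the zone of the tunnel interface it is routed through. The model below is an added example, not PAN-OS code and not part of the lab manual. It assumes the defaults the lab answers rely on (traffic within one zone is allowed, traffic between zones is denied unless a rule allows it); X=3, Y=7 and the rule names `vpn-out` and `vpn-in` are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityRule:
    name: str
    src_zone: str
    dst_zone: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    action: str = "allow"


def lab_networks(x, y):
    """Address objects for your trusted network (X) and your partner's (Y)."""
    return (ipaddress.ip_network(f"192.168.{x}.0/24"),
            ipaddress.ip_network(f"192.168.{y}.0/24"))


def zone_of(ip, local_net, remote_net, tunnel_zone):
    """Zone as seen from firewall X. The partner's network is reached through
    the static route on the tunnel interface, so it takes the tunnel's zone."""
    addr = ipaddress.ip_address(ip)
    if addr in local_net:
        return "Trust-L3"
    if addr in remote_net:
        return tunnel_zone
    return "Untrust-L3"  # everything else leaves via the default route


def decide(src, dst, x, y, tunnel_zone, rules=()):
    """Return (action, rule name) for one flow through firewall X."""
    local_net, remote_net = lab_networks(x, y)
    sz = zone_of(src, local_net, remote_net, tunnel_zone)
    dz = zone_of(dst, local_net, remote_net, tunnel_zone)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:  # top-down, first match wins
        if ((r.src_zone, r.dst_zone) == (sz, dz)
                and s in r.src_net and d in r.dst_net):
            return r.action, r.name
    if sz == dz:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


def task2_rules(x, y):
    """The two restrictive rules Task 2, Step 4 asks for."""
    mine, partner = lab_networks(x, y)
    return [
        SecurityRule("vpn-out", "Trust-L3", "Untrust-L3", mine, partner),
        SecurityRule("vpn-in", "Untrust-L3", "Trust-L3", partner, mine),
    ]


if __name__ == "__main__":
    ping = ("192.168.3.10", "192.168.7.1", 3, 7)
    print("Task 1:", decide(*ping, "Trust-L3"))
    print("Task 2, Step 3:", decide(*ping, "Untrust-L3"))
    print("Task 2, Step 4:", decide(*ping, "Untrust-L3", task2_rules(3, 7)))
```

Because both rules are scoped to the two /24 address objects, other Trust-to-Untrust destinations still fall through to whatever the rest of the rulebase decides.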
Module 9 High Availability (optional)
In this lab you will:
Configure an Active/Passive HA pair with another Student firewall
Task 1 Configure HA Active/Passive
Step 1: Click the Dashboard tab > High Availability Dashboard Widget
Step 2: Click on Network tab > Interfaces
Step 3: Set interfaces ethernet1/7 and ethernet1/8 to Type HA, then click Commit
Step 4: Work with another student firewall and fill in the following:
Your Student Number: (X) ____
Partner's Student Number: (Y) ____
Step 5: Agree upon IP and device information to fill in the following:
Group ID: _____ (Pick one of your Student numbers)
Control Link: ethernet1/7
Your Control Link IP: 10.10.____.____(X) (3rd octet is lower student number)
Partner Control Link IP: 10.10.____.____(Y) (3rd octet is lower student number)
Data Link: ethernet1/8
Your Data Link IP: 10.10.____.____(X) (3rd octet is higher student number)
Partner Data Link IP: 10.10.____.____(Y) (3rd octet is higher student number)
Your Device Priority: ____(X)
Partner Device Priority: ____(Y)
Step 6: Click on the Device tab > High Availability and configure the following with the information
collected in Step 5
Step 7: Click Edit in the Setup box
HA Enabled: click check box
Group ID: Determined in Step 5
Peer HA IP Address: Partner Control Link IP
Step 8: Click Edit in the Control Link (HA1) box and configure with the following:
Control Link Port: ethernet1/7
Control Link IP address: Your Control Link IP
Control Link Netmask: /24
Step 9: Click Edit in the Data Link (HA2) box
Data Link Port: ethernet1/8
Data Link IP address: Your Data Link IP
Data Link Netmask: /24
Step 10: Click Edit in the Election Settings box
Device Priority: Your Student Number
Heartbeat Backup: Enabled
Step 11: Click the Link and Path Monitoring tab and enter the following in the Link Monitoring section
(ON LOWER DEVICE PRIORITY FIREWALL ONLY)
Enabled: click check box
Failure Condition: Any
Link Group Name: Student HA
Interfaces: ethernet1/7, ethernet1/8
Step 12: Commit all changes
Module 10 Panorama
In this lab you will:
Identify the student firewall logs on the Panorama
Create and push policy to the student firewall
Conduct a Config Audit
Task 1 Pre setup and test
Step 1: Remove the HA configuration from the Module 9 lab
Step 2: Click the Device tab > Setup > Management > Panorama Settings and add the IP
address (provided by the instructor) of the Panorama server
Step 3: Make sure Enabled Shared Config is selected (this is indicated when the button reads Disable
Shared Config) then Commit all changes
Task 2 Create a custom report - Panorama
Step 1: Log into Panorama server.
IP Address: https://____.____.____.____
Login: Student____(X) (X = student number)
Password: paneduX
Step 2: Click on Monitor tab > Manage Custom Reports
Step 3: Create the report with the following:
Name: Student.____(X) (X = student number)
Database: Device Traffic Log
Selected Columns: Action, Application, Rule, Source User, Day, Hour
Time Frame: Last 7 Days
Query Builder: (serial eq _________) You can find the serial number of your
student firewall on the Dashboard tab
Step 4: Save the template, then Run Now to confirm
Task 3 Create an Application Group Object
Step 1: Click Objects tab > Application Group
Step 2: Create a new group called Pano-app-group-1
Step 3: Add the application facebook-base
Task 4 Create Pre/Post Policy
Step 1: Click the Policies tab > DoS Protection > Post Rules.
Step 2: Click Add and create a rule called Pano-DoS-Student___(X) (X = student number) with the
following criteria:
Source Zone: Untrust-L3
Destination Zone: Trust-L3
Action: Protect
Step 3: Click the Policies tab > Security > Pre Rules.
Step 4: Click Add and create a rule called Pano-Sec-Student___(X) (X = student number) with the
following criteria:
Source Zone: Trust-L3
Destination Zone: Untrust-L3
Application: use the Application Group built in Task 3
Action: Deny
Task 5 Push config to student firewall
Step 1: Click Panorama tab > Managed Devices.
Step 2: Scroll to your Student number and click the Click to see the config changes icon (in the Device
Group column):
Step 3: Select Lines of context All and review the Additions, Modifications, and Deletions.
HINT: If for some reason the Config Audit window doesn't appear, the browser may be blocking pop-ups.
You will need to allow pop-ups then close and reopen the browser.
Step 4: Close the Config Audit window and click the Click to commit all to device Student(X) icon (in the
Device Group column). (This action will cause a commit on the Student firewall.)
Do NOT select the Merge with Candidate Config check box.
Task 6 Switch context and review Policy on firewall
Step 1: On the Student firewall, click Tasks in the lower right-hand corner and wait for the commit
Step 2: Click the Context drop-down in the upper left corner of Panorama and select the student firewall
Step 3: Review the configuration pushed from the Panorama
Step 4: Open a new browser window and connect to an external web site