PAN - EDU-210-11.0b-Lab Guide 2023

Lab Guide

PAN-OS® 11.0

Palo Alto Networks


Firewall Essentials:
Configuration and
Management
EDU-210
Courseware Version B
June 2023

www.paloaltonetworks.com/education
© 2023 Palo Alto Networks, Inc.
Palo Alto Networks
Firewall 11.0 Essentials:
Configuration and Management

Lab Guide
PAN-OS® 11.0
EDU-210
Courseware Version B
Palo Alto Networks, Inc.
https://www.paloaltonetworks.com
© 2023, Palo Alto Networks, Inc.
Palo Alto Networks, PAN-OS, WildFire, RedLock, and Demisto are registered trademarks of
Palo Alto Networks, Inc. All other marks mentioned herein may be trademarks of their
respective companies.

© 2023 Palo Alto Networks, Inc. Page 2


Table of Contents
Table of Contents ............................................................................................................................ 3
Typographical Conventions .......................................................................................................... 18
Lab Guidance ............................................................................................................................ 19
Lab 1: Palo Alto Networks Portfolio and Architecture ................................................................ 21
Lab 2: Configuring Initial Firewall Settings ................................................................................. 22
Lab Objectives ........................................................................................................................... 22
High-Level Lab Steps ................................................................................................................ 23
Connect to Your Student Firewall ..........................................................................................23
Apply a Baseline Configuration to the Firewall .....................................................................23
Configure the DNS and NTP Servers .....................................................................................23
Configure General Settings ....................................................................................................23
Modify Management Interface ...............................................................................................23
Commit the Configuration ......................................................................................................23
Check for New PAN-OS Software .........................................................................................23
Detailed Lab Steps .................................................................................................................... 24
Connect to Your Student Firewall ..........................................................................................24
Apply a Baseline Configuration to the Firewall .....................................................................24
Configure the DNS and NTP Servers .....................................................................................26
Configure General Settings ....................................................................................................28
Modify Management Interface ...............................................................................................28
Check for New PAN-OS Software .........................................................................................30
Commit the Configuration ......................................................................................................31
Lab 3: Managing Firewall Configurations .................................................................................... 32
Lab Objectives ........................................................................................................................... 32
High-Level Lab Steps ................................................................................................................ 33
Apply a Baseline Configuration to the Firewall .....................................................................33
Save a Named Configuration Snapshot ..................................................................................33
Export a Named Configuration Snapshot ...............................................................................33
Revert Ongoing Configuration Changes ................................................................................33
Preview Configuration Changes .............................................................................................33
Modify System Log File Columns .........................................................................................33
Create a System Log File Filter ..............................................................................................34
Use the Filter Builder .............................................................................................................34
Detailed Lab Steps .................................................................................................................... 35
Apply a Baseline Configuration to the Firewall .....................................................................35
Save a Named Configuration Snapshot ..................................................................................35
Export a Named Configuration Snapshot ...............................................................................36
Revert Ongoing Configuration Changes ................................................................................38
Preview Configuration Changes .............................................................................................41
Modify System Log File Columns .........................................................................................43
Create a System Log File Filter ..............................................................................................45
Use the Filter Builder .............................................................................................................47
Lab 4: Managing Firewall Administrator Accounts ..................................................................... 52
Lab Objectives ........................................................................................................................... 52
High-Level Lab Steps ................................................................................................................ 53
Apply a Baseline Configuration to the Firewall .....................................................................53
Create a Local Database Authentication Profile.....................................................................53
Create a Local User Database Account ..................................................................................53
Create an Administrator Account ...........................................................................................53
Commit the Configuration ......................................................................................................53
Log in With New Admin Account .........................................................................................53
Configure LDAP Authentication ............................................................................................53
Commit the Configuration ......................................................................................................54
Log in With New Admin Account .........................................................................................54
Configure RADIUS Authentication .......................................................................................54
Commit the Configuration ......................................................................................................55
Log in With New Admin Account .........................................................................................55
Configure an Authentication Sequence ..................................................................................55
Commit the Configuration ......................................................................................................55
Detailed Lab Steps .................................................................................................................... 56
Apply a Baseline Configuration to the Firewall .....................................................................56
Create a Local Database Authentication Profile.....................................................................56
Create a Local User Database Account ..................................................................................58
Create an Administrator Account ...........................................................................................59
Commit the Configuration ......................................................................................................60
Log in With New Admin Account .........................................................................................60
Configure LDAP Authentication ............................................................................................60
Commit the Configuration ......................................................................................................64
Log in With New Admin Account .........................................................................................64
Configure RADIUS Authentication .......................................................................................65
Configure an Authentication Sequence ..................................................................................69
Commit the Configuration ......................................................................................................70
Lab 5: Connecting the Firewall to Production Networks with Security Zones ............................ 71
Lab Objectives ........................................................................................................................... 72
High-Level Lab Steps ................................................................................................................ 72
Apply a Baseline Configuration to the Firewall .....................................................................72
Create Layer 3 Network Interfaces .........................................................................................72
Create a Layer 3 Interface on ethernet1/1 ..............................................................................72
Create a Layer 3 Interface on ethernet1/2 ..............................................................................72
Create a Layer 3 Interface on ethernet1/3 ..............................................................................73
Create a Virtual Router ...........................................................................................................73
Segment Your Production Network Using Security Zones ....................................................73
Commit the Configuration ......................................................................................................74
Test Connectivity to Each Zone .............................................................................................74
Test Interface Access before Management Profiles ...............................................................74
Define Interface Management Profiles ...................................................................................74
Apply Allow-ping to ethernet1/1 ............................................................................................75
Apply Allow-mgt to ethernet1/2.............................................................................................75
Apply Allow-mgt to ethernet1/3.............................................................................................75
Commit the Configuration ......................................................................................................75
Test Interface Access after Management Profiles ..................................................................75
Detailed Lab Steps .................................................................................................................... 76
Apply a Baseline Configuration to the Firewall .....................................................................76
Create Layer 3 Network Interfaces .........................................................................................76
Create a Layer 3 Interface on ethernet1/1 ..............................................................................77
Create a Layer 3 Interface on ethernet1/2 ..............................................................................79
Create a Layer 3 Interface on ethernet1/3 ..............................................................................81
Create a Virtual Router ...........................................................................................................84
Segment Your Production Network Using Security Zones ....................................................87
Commit the Configuration ......................................................................................................90
Test Connectivity to Each Zone .............................................................................................91
Create Interface Management Profiles ...................................................................................94
Test Interface Access before Management Profiles ...............................................................95
Define Interface Management Profiles ...................................................................................96
Apply Allow-ping to ethernet1/1 ............................................................................................97
Apply Allow-mgt to ethernet1/2.............................................................................................98
Apply Allow-mgt to ethernet1/3.............................................................................................99
Commit the Configuration ....................................................................................................100
Test Interface Access after Management Profiles ................................................................100
Lab 6: Creating and Managing Security Policy Rules ................................................................ 103
Lab Objectives ......................................................................................................................... 104
High-Level Lab Steps .............................................................................................................. 104
Apply a Baseline Configuration to the Firewall ...................................................................104
Create Security Policy Rule ..................................................................................................104
Commit the Configuration ....................................................................................................104
Modify Security Policy Table Columns ...............................................................................105
Test New Security Policy Rule .............................................................................................105
Examine Rule Hit Count.......................................................................................................105
Reset the Rule Hit Counter ...................................................................................................105
Examine the Traffic Log.......................................................................................................105
Enable Logging for Default Interzone Rule .........................................................................106
Commit the Configuration ....................................................................................................106
Ping a Host on the Internet ...................................................................................................106
Create Block Rules for Known-Bad IP Addresses ...............................................................106
Create Security Rules for Internet Access ............................................................................107
Create Users to Internet Security Policy Rule ......................................................................107
Create Extranet to Internet Security Policy Rule..................................................................108
Commit the Configuration ....................................................................................................108
Ping Internet Host from Client A .........................................................................................108
Detailed Lab Steps .................................................................................................................. 110
Apply a Baseline Configuration to the Firewall ...................................................................110
Create a Security Policy Rule ...............................................................................................110
Commit the Configuration ....................................................................................................115
Modify Security Policy Table Columns ...............................................................................115
Test New Security Policy Rule .............................................................................................117
Examine Rule Hit Count.......................................................................................................118
Reset the Rule Hit Counter ...................................................................................................120
Examine the Traffic Log.......................................................................................................120
Enable Logging for Default Interzone Rule .........................................................................123
Commit the Configuration ....................................................................................................124
Ping a Host on the Internet ...................................................................................................124
Create Block Rules for Known-Bad IP Addresses ...............................................................126
Create Security Policy Rules for Internet Access .................................................................129
Create Users to Internet Security Policy Rule ......................................................................129
Create Extranet to Internet Security Policy Rule..................................................................133
Commit the Configuration ....................................................................................................137
Ping Internet Host from Client A .........................................................................................137
Lab 7: Creating and Managing NAT Policy Rules ..................................................................... 140
Lab Objectives ......................................................................................................................... 140
High-Level Lab Steps .............................................................................................................. 140
Apply a Baseline Configuration to the Firewall ...................................................................140
Create a Source NAT Policy Rule ........................................................................................140
Commit the Configuration ....................................................................................................141
Verify Internet Connectivity .................................................................................................141
Create a Destination NAT Policy .........................................................................................141
Commit the Configuration ....................................................................................................142
Test the Destination NAT Rule ............................................................................................142
Detailed Lab Steps .................................................................................................................. 143
Apply a Baseline Configuration to the Firewall ...................................................................143
Create a Source NAT Policy Rule ........................................................................................143
Commit the Configuration ....................................................................................................147
Verify Internet Connectivity .................................................................................................147
Create a Destination NAT Policy .........................................................................................148
Commit the Configuration ....................................................................................................152
Test the Destination NAT Rule ............................................................................................152
Lab 8: Controlling Application Usage with App-ID .................................................................. 155
Lab Objectives ......................................................................................................................... 155
High-Level Lab Steps .............................................................................................................. 155
Apply a Baseline Configuration to the Firewall ...................................................................155
Configure an Application Group ..........................................................................................155
Configure a Security Policy Rule to Allow Update Traffic .................................................156
Commit the Configuration ....................................................................................................156
Test the Allow-PANW-Apps Security Policy Rule .............................................................156
Identify Shadowed Rules ......................................................................................................157
Modify the Security Policy to Function Properly .................................................................157
Commit the Configuration ....................................................................................................157
Test the Modified Security Policy Rule ...............................................................................157
Generate Application Traffic ................................................................................................157
Research Applications ..........................................................................................................158
Update Security Policy Rules ...............................................................................................158
Commit the Configuration ....................................................................................................159
Test the Updated Security Policy Rules ...............................................................................159
Enable the Application Block Page ......................................................................................159
Commit the Configuration ....................................................................................................159
Test the Application Block Page ..........................................................................................159
Detailed Lab Steps .................................................................................................................. 160
Apply a Baseline Configuration to the Firewall ...................................................................160
Configure an Application Group ..........................................................................................160
Configure a Security Policy Rule to Allow Firewall Update Traffic ...................................162
Commit the Configuration ....................................................................................................164
Test the Allow-PANW-Apps Security Policy Rule .............................................................165
Identify Shadowed Rules ......................................................................................................166
Modify the Security Policy to Function Properly .................................................................167
Commit the Configuration ....................................................................................................168
Test the Modified Security Policy ........................................................................................168
Generate Application Traffic ................................................................................................169
Research Applications ..........................................................................................................171
Update Security Policy Rules ...............................................................................................174
Commit the Configuration ....................................................................................................178
Test the Updated Security Policy Rules ...............................................................................178
Enable the Application Block Page ......................................................................................179
Commit the Configuration ....................................................................................................180
Test the Application Block Page ..........................................................................................181
Lab 9: Blocking Known Threats Using Security Profiles .......................................................... 183
Lab Objectives ......................................................................................................................... 183
High-Level Lab Steps .............................................................................................................. 184
Apply a Baseline Configuration to the Firewall ...................................................................184
Generate Traffic Without Security Profiles ..........................................................................184
Create a Corporate Antivirus Profile ....................................................................................184
Create a Corporate Vulnerability Security Profile ..............................................................185
Create a Corporate File Blocking Profile .............................................................................185
Create a Corporate Data Filtering Profile .............................................................................185
Create a Corporate Anti-Spyware Security Profile ..............................................................186
Create an External Dynamic List for Malicious Domains ...................................................186
Update the Anti-Spyware Profile with EDL.........................................................................186
Commit the Configuration ....................................................................................................186
Create a Security Profile Group............................................................................................186
Apply the Corp-Profiles-Group to Security Policy Rules ....................................................187
Commit the Configuration ....................................................................................................187
Generate Attack Traffic to Test Security Profiles ................................................................187
Lab Clean-Up .......................................................................................................................188
Detailed Lab Steps .................................................................................................................. 189
Apply a Baseline Configuration to the Firewall ...................................................................189
Generate Traffic Without Security Profiles ..........................................................................189
Create a Corporate Antivirus Profile ....................................................................................192
Create a Corporate Vulnerability Security Profile ..............................................................194
Create a Corporate File Blocking Profile .............................................................................195
Create a Corporate Data Filtering Profile .............................................................................196
Create a Corporate Anti-Spyware Profile .............................................................................198
Create an External Dynamic List for Malicious Domains ...................................................199
Update the Anti-Spyware Profile with EDL.........................................................................201
Commit the Configuration ....................................................................................................201
Create a Security Profile Group............................................................................................202
Apply the Corp-Profiles-Group to Security Policy Rules ....................................................203
Commit the Configuration ....................................................................................................204
Generate Attack Traffic to Test Security Profiles ................................................................204
Lab Clean-Up .......................................................................................................................208
Lab 10: Blocking Inappropriate Web Traffic with Advanced URL Filtering ............................ 209
Lab Objectives ......................................................................................................................... 209
High-Level Lab Steps .............................................................................................................. 209
Apply a Baseline Configuration to the Firewall ...................................................................209
Test Access to Inappropriate Web Content ..........................................................................209
Create a Security Policy Rule to Block Categories ..............................................................209
Commit the Configuration ....................................................................................................210
Test Access to URLs Blocked by the Security Policy..........................................................210
Block Access to Inappropriate Web Content Using Security Profile ...................................211
Add the URL Profile to the Corp-Profiles-Group ................................................................211
Disable Block-Bad-URLs Rule ............................................................................................211
Commit the Configuration ....................................................................................................211
Test Access to URLs Blocked by a URL Filtering Profile...................................................212
Create a Custom URL Category ...........................................................................................212
Use Custom Category to Block URL Access in Security Policy Rule .................................212
Commit the Configuration ....................................................................................................212
Test Access to Custom URLs Blocked by the Security Policy ............................................212
Add Custom URL Category to URL Filtering Profile .........................................................212
Commit the Configuration ....................................................................................................213
Test Access to Custom URLs Blocked by the URL Filtering Profile ..................................213
Create an EDL to Block Malicious URL Access .................................................................213
Block Access to the URL List with a Security Policy Rule ...............................................213

Commit the Configuration ....................................................................................................213
Test Access to URLs Blocked by the EDL in the Security Policy .......................................213
Commit the Configuration ....................................................................................................214
Detailed Lab Steps .................................................................................................................. 215
Apply a Baseline Configuration to the Firewall ...................................................................215
Test Access to Inappropriate Web Content ..........................................................................215
Create a Security Policy Rule to Block Categories ..............................................................216
Commit the Configuration ....................................................................................................218
Test Access to URLs Blocked by the Security Policy..........................................................218
Block Access to Inappropriate Web Content Using Security Profile ...................................221
Add the URL Profile to the Corp-Profiles-Group ................................................................222
Disable Block-Bad-URLs Rule ............................................................................................223
Commit the Configuration ....................................................................................................224
Test Access to URLs Blocked by a URL Filtering Profile...................................................224
Create a Custom URL Category ...........................................................................................226
Use Custom Category to Block URL Access in Security Policy Rule .................................228
Commit the Configuration ....................................................................................................229
Test Access to Custom URLs Blocked by the Security Policy ............................................229
Add Custom URL Category to URL Filtering Profile .........................................................230
Commit the Configuration ....................................................................................................231
Test Access to Custom URLs Blocked by the URL Filtering Profile ..................................231
Create an EDL to Block Malicious URL Access .................................................................232
Block Access to the URL List with a Security Policy Rule .................................................234
Commit the Configuration ....................................................................................................234
Test Access to URLs Blocked by the EDL in the Security Policy .......................................235
Commit the Configuration ....................................................................................................235
Lab 11: Blocking Unknown Threats with WildFire ................................................................... 237
Lab Objectives ......................................................................................................................... 238
High-Level Lab Steps .............................................................................................................. 238

Apply a Baseline Configuration to the Firewall ...................................................................238
Create a WildFire Analysis Profile .......................................................................................238
Modify Security Profile Group .............................................................................................238
Update WildFire Settings .....................................................................................................239
Commit the Configuration ....................................................................................................239
Test the WildFire Analysis Profile .......................................................................................239
Examine WildFire Analysis Details .....................................................................................239
Detailed Lab Steps .................................................................................................................. 240
Apply a Baseline Configuration to the Firewall ...................................................................240
Create a WildFire Analysis Profile .......................................................................................240
Modify Security Profile Group .............................................................................................241
Update WildFire Settings .....................................................................................................242
Commit the Configuration ....................................................................................................242
Test the WildFire Analysis Profile .......................................................................................243
Examine WildFire Analysis Details .....................................................................................244
Lab 12: Controlling Access to Network Resources with User-ID .............................................. 248
Lab Objectives ......................................................................................................................... 249
High-Level Lab Steps .............................................................................................................. 249
Apply a Baseline Configuration to the Firewall ...................................................................249
Examine Firewall Configuration ..........................................................................................249
Generate Traffic from the Acquisition Zone ........................................................................250
Enable User-ID on the Acquisition Zone .............................................................................250
Modify the Acquisition-Allow-All Security Policy Rule .....................................................251
Create Marketing Apps Rule ................................................................................................251
Create Deny Rule..................................................................................................................251
Commit the Configuration ....................................................................................................252
Generate Traffic from the Acquisition Zone ........................................................................252
Examine User-ID Logs .........................................................................................................252
Examine Firewall Traffic Log ..............................................................................................252

Clean Up the Desktop ...........................................................................................................253
Detailed Lab Steps .................................................................................................................. 253
Apply a Baseline Configuration to the Firewall ...................................................................253
Examine Firewall Configuration ..........................................................................................254
Generate Traffic from the Acquisition Zone ........................................................................256
Enable User-ID on the Acquisition Zone .............................................................................257
Modify the Acquisition-Allow-All Security Policy Rule .....................................................258
Create Marketing Apps Rule ................................................................................................259
Create Deny Rule..................................................................................................................263
Commit the Configuration ....................................................................................................265
Generate Traffic from the Acquisition Zone ........................................................................265
Examine User-ID Logs .........................................................................................................265
Examine Firewall Traffic Log ..............................................................................................266
Clean Up the Desktop ...........................................................................................................267
Lab 13: Using Decryption to Block Threats in Encrypted Traffic ............................................. 269
Lab Objectives ......................................................................................................................... 270
High-Level Lab Steps .............................................................................................................. 270
Apply a Baseline Configuration to the Firewall ...................................................................270
Test the Firewall Behavior Without Decryption ..................................................................270
Create A Self-Signed Certificate for Trusted Connections ..................................................271
Create a Decryption Policy Rule for Outbound Traffic .......................................................271
Commit the Configuration ....................................................................................................271
Test Outbound Decryption Policy ........................................................................................272
Export the Firewall Certificate .............................................................................................272
Import the Firewall Certificate to Firefox ............................................................................272
Test Outbound Decryption Policy Again .............................................................................272
Review Firewall Logs ...........................................................................................................272
Exclude URL Categories from Decryption ..........................................................................272

Commit the Configuration ....................................................................................................273
Test the No-Decryption Rule................................................................................................273
Detailed Lab Steps .................................................................................................................. 274
Apply a Baseline Configuration to the Firewall ...................................................................274
Test the Firewall Behavior Without Decryption ..................................................................274
Create Certificate for Trusted Connections ..........................................................................276
Create a Certificate for Untrusted Connections ....................................................................278
Create a Decryption Policy Rule for Outbound Traffic .......................................................280
Commit the Configuration ....................................................................................................283
Test Outbound Decryption Policy ........................................................................................283
Export the Firewall Certificate .............................................................................................285
Import the Firewall Certificate .............................................................................................287
Test Forward Untrust Certificate ..........................................................................................291
Test Outbound Decryption Policy Again .............................................................................293
Review Firewall Logs ...........................................................................................................294
Exclude URL Categories from Decryption ..........................................................................297
Commit the Configuration ....................................................................................................302
Test the No-Decryption Rule................................................................................................302
Lab 14: Locating Valuable Information Using Logs and Reports .............................................. 305
Lab Objectives ......................................................................................................................... 305
High-Level Lab Steps .............................................................................................................. 305
Apply a Baseline Configuration to the Firewall ...................................................................305
Generate Traffic ....................................................................................................................305
Display Recent Threat Information in the Dashboard ..........................................................306
Display Recent Application Information in the Dashboard .................................................306
View Threat Information in the ACC ...................................................................................306
View Application Information in the ACC ..........................................................................306
View Threat Information in the Threat Log .........................................................................307
View Application Information in the Traffic Log ................................................................308

View Threats Using App Scope Reports ..............................................................................309
View Threat Information Using Predefined Reports ............................................................309
View Application Information Using Predefined Reports ...................................................309
View Threat and Application Information Using Custom Reports ......................................309
Detailed Lab Steps .................................................................................................................. 311
Apply a Baseline Configuration to the Firewall ...................................................................311
Generate Traffic ....................................................................................................................311
Display Recent Threat Information in the Dashboard ..........................................................311
Display Recent Application Information in the Dashboard .................................................316
View Threat Information in the ACC ...................................................................................317
View Application Information in the ACC ..........................................................................320
View Threat Information in the Threat Log .........................................................................326
View Application Information in the Traffic Log ................................................................331
View Threats Using App Scope Reports ..............................................................................334
View Threat Information Using Predefined Reports ............................................................336
View Application Information Using Predefined Reports ...................................................338
View Threat and Application Information Using Custom Reports ......................................339
Lab 15: Capstone ........................................................................................................................ 344
Load a Lab Configuration ....................................................................................................... 345
Configure Networking ............................................................................................................. 345
Configure Security Zones........................................................................................................ 345
Configure NAT Policy Rules .................................................................................................. 345
Configure Security Policy Rules ............................................................................................. 346
Create and Apply Security Profiles ......................................................................................... 347
Solutions .................................................................................................................................. 349
Firewall Interfaces ................................................................................................................349
Virtual Router .......................................................................................................................349
Firewall Default Route .........................................................................................................350
Allow-ping Interface Management Profile ...........................................................................350

Allow-ping Interface Management Profile Assigned to ethernet1/2 ....................................350
Security Zones ......................................................................................................................351
NAT Policy Rules .................................................................................................................351
Security Policy Rules............................................................................................................352
Security Profiles ...................................................................................................................353

Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.

Convention            Meaning                                    Example
Bolding               Names of selectable items in the web       Click Security to open the Security Rule
                      interface                                  Page
Consolas font         Text that you enter and coding examples    Enter the following command:
                                                                 a:\setup
                                                                 The show arp all command yields this
                                                                 output:
                                                                 username@hostname> show arp
                                                                 <output>
Calibri 11 pt. gray   Lab step results and explanations          A new zone should appear in the web
font                                                             interface.
Click                 Click the left mouse button                Click Administrators under the Device
                                                                 tab
Right-click           Click the right mouse button               Right-click the number of a rule you
                                                                 want to copy, and select Clone Rule
< > (text enclosed    Denotes a variable parameter. Actual       Click Add again and select <Internal
in angle brackets)    value to use is defined in the Lab Guide   Interface>
                      document.

How to Use This Lab Guide
The Lab Guide contains exercises that correspond to modules in the Student Guide. Each lab
exercise consists of step-by-step, task-based labs. The final lab is based on a scenario that you
will interpret and use to configure a comprehensive firewall solution.
The following diagram provides a basic overview of the lab environment:

Lab Guidance
There are two sections for each lab in this guide:
● High-Level Lab Steps
● Detailed Lab Steps
The High-Level Lab Steps section provides only general guidance and information about how to
accomplish the lab objectives. This section is more challenging and is suited for students who
have a working knowledge of Palo Alto Networks firewalls. If you have never worked with a
Palo Alto Networks firewall, we strongly encourage you to use the Detailed Lab Steps section.

The instructions in the Detailed Lab Steps section provide guided, detailed steps and screenshots
to accomplish the lab objectives.
If you decide to use the High-Level Lab Guide and get stuck, switch to the Detailed Lab Guide
for guidance.

You do not need to complete both the High-Level Lab Guide and the Detailed Lab Guide for
each lab. Use either one or the other.

Lab 1: Palo Alto Networks Portfolio and
Architecture

No lab exercise is associated with this module.

Lab 2: Configuring Initial Firewall Settings
Your organization has just received a new Palo Alto Networks firewall, and you have been
tasked with deploying it. The first steps will be to connect to the firewall’s management interface
address and configure basic settings to provide the firewall with network access.

Lab Objectives
• Connect to the firewall web interface
• Load a starting lab configuration
• Set DNS servers for the firewall
• Set NTP servers for the firewall
• Configure a login banner for the firewall
• Set Latitude and Longitude for the firewall
• Configure permitted IP addresses for firewall management

High-Level Lab Steps
Use the information in the sections below to complete the objectives for this lab. We suggest that
you use this section only if you have extensive experience working with Palo Alto Networks
firewalls.
If you need more detailed guidance for the objectives, use the Detailed Lab Steps section.

Connect to Your Student Firewall


• Use the Firefox browser to connect to the firewall web interface

Apply a Baseline Configuration to the Firewall


• Load and commit the configuration file - edu-210-11.0b-02.xml - to the Firewall

Configure the DNS and NTP Servers


• Set the Primary DNS Server to 8.8.8.8 and the Secondary DNS Server to
192.168.50.53
• Set the Primary NTP Server to 0.pool.ntp.org and the Secondary NTP Server to
1.pool.ntp.org

Configure General Settings


• Set the Domain to panw.lab
• Create a Login Banner that says Authorized Access Only
• Set the Latitude and Longitude to reflect the firewall's geographical location in Santa
Clara, CA, USA

Modify Management Interface


• Verify that the default gateway for the firewall management interface is set to
192.168.1.1
• Allow access to the management interface only from the 192.168.0.0/16 network

Commit the Configuration


• Commit the changes to the firewall before proceeding

Check for New PAN-OS Software


• Check for new PAN-OS software (but do not upgrade the firewall)

Detailed Lab Steps
Use this section if you prefer detailed guidance to complete the objectives for this lab. We
strongly recommend that you use this section if you do not have extensive experience working
with Palo Alto Networks firewalls.

Connect to Your Student Firewall


1. Launch the Firefox browser and connect to https://192.168.1.254.
Move past any security warnings until you see the web interface login window.
2. Log in to the Palo Alto Networks firewall using the following credentials:
Parameter Value
Username admin
Password Pal0Alt0!

Apply a Baseline Configuration to the Firewall


To start this lab exercise, you will load a preconfigured firewall configuration file.
3. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
4. Click Load named configuration snapshot:

A Load Named Configuration dialog box opens.


5. Click the drop-down arrow next to the Name field and select edu-210-11.0b-02.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

6. Click OK to close the Load Named Configuration window.


A window should open that confirms that the configuration is being loaded.
7. Click Close to close the Loading Configuration window.

8. Click the Commit button at the upper right corner of the web interface:

A Commit window should open.


9. Leave the remaining settings unchanged and click Commit.

10. Wait until the Commit process is complete.
A Commit Status window should open that confirms the configuration was committed
successfully.
11. Click Close to continue.

Configure the DNS and NTP Servers


The DNS server configuration settings are used for all DNS queries that the firewall initiates
in support of FQDN Address objects, logging, and firewall management.
12. In the web interface, select Device > Setup > Services.

13. Click the Services gear icon to open the Services window.
14. Verify that the Primary DNS Server is set to 8.8.8.8.
15. Set the Secondary DNS Server to 192.168.50.53.
16. Verify that the Update Server is set to updates.paloaltonetworks.com.

The DNS server settings that you configure do not have to be public servers, but the
firewall needs to be able to resolve hostnames such as
updates.paloaltonetworks.com and wildfire.paloaltonetworks.com to provide
various services such as WildFire® or URL filtering.

17. Select the NTP tab.


18. Set the Primary NTP Server to 0.pool.ntp.org.
19. Set the Secondary NTP Server to 1.pool.ntp.org.

20. Leave the remaining settings unchanged and click OK to close the Services window.

Configure General Settings
21. Select Device > Setup > Management.

22. Click the General Settings gear icon to open the General Settings window.
23. In the Domain field, enter panw.lab.
24. In the Login Banner area, enter Authorized Access Only.
25. In the Latitude field, enter 37.00.
26. In the Longitude field, enter 122.00.

These coordinates are for Santa Clara, California – headquarters of Palo Alto
Networks, Inc.

27. Leave the remaining settings unchanged and click OK to close the General Settings
window.

Modify Management Interface


28. Select Device > Setup > Interfaces.
29. Click the link for Management.

30. Set the Default Gateway to 192.168.1.1.
31. Leave the remaining settings unchanged.

32. At the bottom of the Permitted IP Addresses area, click Add.


33. In the Permitted IP Addresses field, enter 192.168.0.0/16.
34. In the Description field, enter Mgt access from these hosts only.

Verify that you have entered the correct address range in the Permitted IP
Addresses field. If you make a mistake and enter the wrong information, you can
lose network connectivity to your firewall.

35. Leave the remaining settings unchanged.

36. Click OK.

Check for New PAN-OS Software


37. Select Device > Software.

38. At the bottom of the window, click the Check Now button.

39. The firewall will perform a software check with the Palo Alto Networks update servers:

40. When the process is complete, the firewall displays an updated list of available software
versions:

The list you see will vary from this example. Also, newer versions of PAN-OS software may not be
available at the time you carry out these steps.

Do not upgrade your firewall!

Commit the Configuration


41. Click the Commit button at the upper right of the web interface.
42. Leave the settings unchanged and click Commit.
43. Wait until the Commit process is complete.
44. Click Close to continue.

Stop. This is the end of the lab.
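A pre-commit lockout check for the Permitted IP Addresses step above, added here as an example and not part of the lab guide: it models the permitted-IP list with Python's ipaddress module and confirms that the host you administer the firewall from is still covered before the change is committed. The workstation address 192.168.1.20 is a constructed value, and the PAN-OS CLI `set deviceconfig system permitted-ip` syntax it prints is recalled from the CLI rather than taken from this guide, so verify it with the CLI's `?` help before relying on it.

```python
"""Lockout check for the Lab 2 'Permitted IP Addresses' step (added example)."""
import ipaddress

# Constructed value: the address of the lab workstation you run Firefox on.
ADMIN_HOST = "192.168.1.20"
# The entry and description the lab tells you to add.
LAB_PERMITTED = ["192.168.0.0/16"]
LAB_DESCRIPTION = "Mgt access from these hosts only"


def check_permitted_ips(permitted, admin_host):
    """Return (ok, reason) for a candidate Permitted IP Addresses list.

    Assumed PAN-OS behaviour: with no entries, management is reachable from
    any source; as soon as one entry exists, only listed sources may connect.
    The first entry you add is therefore the one that can lock you out.
    """
    admin = ipaddress.ip_address(admin_host)
    if not permitted:
        return True, "no entries: management reachable from any address"

    nets = []
    for entry in permitted:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # A typo such as 192.168.0.0/33 is caught before it reaches the firewall.
            return False, f"invalid entry {entry!r}"

    covering = [n for n in nets if admin in n]
    if not covering:
        return False, (f"{admin_host} is not inside any permitted entry; "
                       "committing this list would cut off your own session")

    # Covered, but flag entries that admit every source (they defeat the restriction).
    wide_open = [str(n) for n in nets if n.prefixlen == 0]
    if wide_open:
        return True, f"{admin_host} covered by {covering[0]}, but {wide_open} admit any source"
    return True, f"{admin_host} covered by {covering[0]}"


def permitted_ip_set_commands(permitted, description):
    """PAN-OS CLI equivalent of the GUI step (assumed syntax; verify with '?' on the firewall)."""
    return [f'set deviceconfig system permitted-ip {e} description "{description}"'
            for e in permitted]


if __name__ == "__main__":
    ok, reason = check_permitted_ips(LAB_PERMITTED, ADMIN_HOST)
    print(("OK: " if ok else "STOP: ") + reason)
    if ok:
        for cmd in permitted_ip_set_commands(LAB_PERMITTED, LAB_DESCRIPTION):
            print(cmd)
```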

Lab 3: Managing Firewall Configurations
Now that you have set up the firewall to allow management access, you need to make certain that
you can save, load, and restore configurations to the device. You also need to familiarize
yourself with the log files available, and with searching through the logs to find specific events.
Because the firewall is not scheduled to be deployed for a few days, you can spend some time on
these tasks without worrying about affecting your production networks.

Lab Objectives
• Load a baseline configuration
• Save a named configuration snapshot
• Export a named configuration snapshot
• Save ongoing configuration changes before a commit
• Revert ongoing configuration changes
• Preview configuration changes
• Examine System and Configuration log files
• Create a log file filter
• Use the Filter Builder

High-Level Lab Steps
Use the information in the sections below to complete the objectives for this lab. We suggest that
you use this section only if you have extensive experience working with Palo Alto Networks
firewalls.
If you need more detailed guidance for the objectives, use the Detailed Lab Steps section.

Apply a Baseline Configuration to the Firewall


• Load and commit the configuration file - edu-210-11.0b-03.xml - to the Firewall

Save a Named Configuration Snapshot


• Save the firewall’s current configuration file as firewall-a-<Today’s Date>.

Export a Named Configuration Snapshot


• Export the firewall-a-<Today’s Date> configuration file to the lab host’s
Downloads folder.

Revert Ongoing Configuration Changes


• Change the value for the Primary DNS Server to 88.8.8.8 (an easy mistake to make).
• Verify the mistake in the Services section
• Use the Revert Changes option to restore the Primary DNS Server to its original setting
(8.8.8.8)

Preview Configuration Changes


• Modify the SNMP configuration with the following settings:
  • Set the Physical Location to Santa Clara, CA, USA.
  • Set the Contact to Sherlock Holmes.
  • Set the SNMP Community String to paloalto42.
• Use the Preview Changes option to compare the Running configuration to the
Candidate configuration
• Do not commit changes at this stage

Modify System Log File Columns


• Hide the Object column in the System Log display
• Move the Severity column to the far left side of the System Log display

Create a System Log File Filter
• Create and apply a filter in the System Log that displays only entries with a Severity
level of informational

Use the Filter Builder


• Use the Filter Builder to create a filter that will display all entries in the System log that
have occurred in the last 60 minutes

Detailed Lab Steps
Use this section if you prefer detailed guidance to complete the objectives for this lab. We
strongly recommend that you use this section if you do not have extensive experience working
with Palo Alto Networks firewalls.

Apply a Baseline Configuration to the Firewall


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot.
3. Click the drop-down arrow next to the Name field and select edu-210-11.0b-03.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

4. Click OK to close the Load Named Configuration window.


5. Click Close to close the Loading Configuration window.
6. Click the Commit button at the upper right of the web interface.
7. Leave the remaining settings unchanged and click Commit.
8. Wait until the Commit process is complete.
9. Click Close to continue.

Save a Named Configuration Snapshot


In this section, you will save the firewall configuration with a specific filename.
10. Select Device > Setup > Operations.
11. Click Save named configuration snapshot.

12. In the Save Named Configuration window, enter firewall-a-<Today’s Date>.xml

13. Click OK.


14. Click Close in the confirmation window.

This process saves the configuration file to a location on the firewall itself.

Export a Named Configuration Snapshot


You will now export the saved configuration file firewall-a-<Today’s Date>.xml from
the firewall to your workstation.
15. Under Device > Setup > Operations > Configuration Management, click the link for
Export named configuration snapshot.

16. In the Export Named Configuration window, use the drop-down list to locate the
firewall-a-<Today’s Date>.xml configuration file.

17. Click OK.


18. The workstation will open a Save window for the Downloads folder.

19. Click Save.


20. On the workstation desktop, open the Downloads folder:

21. The saved file firewall-a-<Today’s Date>.xml appears in the folder.

22. Close the Downloads folder on the workstation.

Revert Ongoing Configuration Changes


As you work on a firewall configuration, it is theoretically possible to make a mistake. In such a
situation, you may not remember exactly which changes you have made or where the mistake
exists in the configuration, particularly if you have made multiple changes (or multiple
mistakes).
Fortunately, you can revert the firewall to the current running configuration. This process
essentially erases any of the changes you have made to the working candidate configuration and
puts the firewall back at the starting point before you made changes.
In this section, you will change the IP address for one of the firewall’s DNS servers. You will
then use Revert Changes to reset the firewall to the running configuration and remove the
mistake.
23. In the firewall web interface, select Device > Setup > Services.

24. Edit the Services section by clicking the gear icon.

25. Change the value for the Primary DNS Server to 88.8.8.8 (an easy mistake to make).
26. Click OK to close the Services window.
27. You can see the mistake in place under the Services section:

28. In the upper right corner of the web interface, click the Changes button and select
Revert Changes:

29. In the Revert Changes window, leave the settings unchanged:

The Revert Changes window allows you to select specific elements of the
configuration that you can revert. In this case, because you only made a single
change, the Commit Scope shows device-and-network (which is the portion of
the configuration that contains the changes to the DNS server).

30. Click Revert.


31. Click Close in the Message window:

32. In the Services window, notice that the Primary DNS Server has been reset to the
original value before you mistakenly changed it.

Preview Configuration Changes
Before you commit changes to the firewall, you can compare the impending changes with the
current configuration settings. This process can be useful to make certain you have the right
changes in place before they are implemented on the firewall.
In this section, you will make a minor modification to the firewall and use Preview Changes to
compare the candidate config to the running config.
33. Modify the SNMP configuration by going to Device > Setup > Operations and clicking
SNMP Setup under the Miscellaneous section:

34. In the SNMP Setup window, set the Physical Location to Santa Clara, CA, USA.
35. For Contact, enter Sherlock Holmes.
36. For SNMP Community String, enter paloalto42.
37. Leave the remaining settings unchanged:

38. Click OK.
39. Click the Commit button.
40. In the Commit window, click Preview Changes:

41. In the Preview Changes window, leave the Lines of Context set to 10:

The Lines of Context setting determines how many lines are displayed before and
after a change in the configuration file.

42. Click OK.


43. A new browser window appears that displays a side-by-side comparison of the current
running configuration (on the left) and the proposed changes in the candidate
configuration (on the right):

Changes are color coded. Green indicates new elements that have been added.
Yellow indicates existing elements that have been modified. Red indicates existing
elements that have been deleted.

44. Close the configuration comparison window by clicking the X in the upper right corner.
45. Click Cancel in the Commit window.
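Revert Changes discards the candidate configuration; Preview Changes shows how the candidate differs from the running configuration, colour coding each element as added, modified or deleted. The following added Python example (not Palo Alto Networks code) performs the same classification offline over two constructed, heavily simplified XML snapshots, so the DNS typo from the Revert section and the SNMP edits from this section appear as modified and added leaves; the element names are a constructed stand-in, not the PAN-OS configuration schema.

```python
"""Classify the differences between a running and a candidate configuration as
added, modified or deleted leaves, the categories Preview Changes colours green,
yellow and red. Added example, not Palo Alto Networks code; the XML is a constructed,
heavily simplified stand-in and its element names are not the PAN-OS schema."""
import xml.etree.ElementTree as ET

# Constructed running configuration: the settings the firewall currently enforces.
RUNNING_XML = """
<config><devices><entry name="localhost.localdomain"><deviceconfig><system>
  <dns-setting><servers>
    <primary>8.8.8.8</primary>
    <secondary>8.8.4.4</secondary>
  </servers></dns-setting>
  <timezone>US/Pacific</timezone>
  <snmp-setting><snmp-system>
    <location>unknown</location>
  </snmp-system></snmp-setting>
</system></deviceconfig></entry></devices></config>
"""

# Constructed candidate: the DNS typo from the Revert section plus the SNMP edits
# from the Preview section, with the timezone element removed to show a deletion.
CANDIDATE_XML = """
<config><devices><entry name="localhost.localdomain"><deviceconfig><system>
  <dns-setting><servers>
    <primary>88.8.8.8</primary>
    <secondary>8.8.4.4</secondary>
  </servers></dns-setting>
  <snmp-setting>
    <snmp-system>
      <location>Santa Clara, CA, USA</location>
      <contact>Sherlock Holmes</contact>
    </snmp-system>
    <community-string>paloalto42</community-string>
  </snmp-setting>
</system></deviceconfig></entry></devices></config>
"""


def flatten(xml_text):
    """Map each leaf element to its text, keyed by a path that carries <entry>
    names so that sibling entries stay distinct. (Repeated <member> tags under one
    parent would need index-aware keys; they are left out of this example.)"""
    leaves = {}

    def walk(element, parent_path):
        tag = element.tag
        if tag == "entry" and "name" in element.attrib:
            tag = f"entry[{element.attrib['name']}]"
        path = f"{parent_path}/{tag}"
        children = list(element)
        if not children:
            leaves[path] = (element.text or "").strip()
        for child in children:
            walk(child, path)

    walk(ET.fromstring(xml_text.strip()), "")
    return leaves


def diff_configs(running_xml, candidate_xml):
    """Return {'added': {path: new}, 'modified': {path: (old, new)}, 'deleted': {path: old}}."""
    running, candidate = flatten(running_xml), flatten(candidate_xml)
    added = {p: candidate[p] for p in sorted(candidate.keys() - running.keys())}
    deleted = {p: running[p] for p in sorted(running.keys() - candidate.keys())}
    modified = {p: (running[p], candidate[p])
                for p in sorted(running.keys() & candidate.keys()) if running[p] != candidate[p]}
    return {"added": added, "modified": modified, "deleted": deleted}


def report(diff):
    """Render the diff one change per line, marked + (added), ~ (modified), - (deleted)."""
    lines = [f"+ {p} = {v}" for p, v in diff["added"].items()]
    lines += [f"~ {p}: {old} -> {new}" for p, (old, new) in diff["modified"].items()]
    lines += [f"- {p} = {v}" for p, v in diff["deleted"].items()]
    return lines


if __name__ == "__main__":
    print("\n".join(report(diff_configs(RUNNING_XML, CANDIDATE_XML))))
```

Run against the exported snapshot from the previous section and a later export, the same routine gives an offline record of what changed between two commits.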

Modify System Log File Columns


Although the information in log files varies, the process of examining and searching log files on
the firewall is the same. In this section, you will examine and navigate the firewall System log.
You can later apply the same tasks and techniques while examining any other log file on the
firewall, such as the Traffic or Threat logs.
46. Select Monitor > Logs > System:

47. Hide the Object column by clicking the small drop-down arrow in the right portion of
any column header.
48. Choose Columns.
49. Uncheck Object:

50. The Object column is now hidden:

Hiding and displaying log columns is optional but quite useful. Each log file contains
different columns, some of which you may not need so you can hide them. There
may be columns in certain log tables that are not shown by default, and you can use
this process to display hidden columns that you want to view.

51. Drag and drop the Severity column to the left-most position in the table:

52. The table now displays Severity as the first column:

Reordering columns is also optional; however, you may discover that the
information in a specific log file is easier for you to analyze after you customize the
columns.

Create a System Log File Filter
Scanning through log files row-by-row is tedious. If you are looking for specific information,
you can create filters quickly to display only entries that match certain criteria. All log files
support filters.
53. In the System log file, click any entry under the Severity column that contains
informational:

54. The web interface will automatically build a filter statement with the appropriate syntax
to search for all entries that contain informational in the Severity field:

55. Click the Apply Filter button in the upper right corner of the window:

56. The System log display will update to show only those entries that contain
informational as the Severity level.
Note that your firewall may only have informational entries in the System log at this point.
57. Under the Type column, click any entry that contains the word general:

58. The interface will update the syntax to create a combined filter:

59. Click the Apply Filter button in the upper right corner of the window:

60. The interface will update the log file to display only those entries that match both
conditions:

61. Remove the filter by clicking the Clear Filter button in the upper right corner of the
window:

A good practice is to clear any filters from log file displays before you move to other
portions of the web interface. The next time you examine the same log, it will
display all results instead of only ones you have previously filtered.

Use the Filter Builder


Clicking the link for a specific entry in a log file will automatically create a simple filter. You
can create more complex filters by clicking multiple conditions; however, there are some
situations in which this process will not provide you with the kind of criteria you need to
complete a search. For long or sophisticated searches, you can use the Filter Builder.
In this section, you will use the Filter Builder to search the System log for all entries that have
occurred in the last 60 minutes.
62. Note the current time on the firewall by selecting the Dashboard tab.
63. Under the General Information section, scroll to the bottom and locate the Time:

In this example, the firewall time is 16:17:03.
64. Write the current time down so you do not forget it.
65. Select Monitor > Logs > System.
66. Clear any filters you may have in place by clicking the Clear Filter button in the upper
right corner of the window:

67. Click the Add Filter button in the upper right corner of the window:

68. In the Add Log Filter window:


A. Under the Connector column, click and.
B. Under the Attribute column, click Severity.
C. Under the Operator column, click equal.
D. Under the Value column, click informational.
E. Click Add.
F. Note that the filter field at the top of the window updates to display the correct syntax
for this filter:

Do not close this window yet!

69. With the same window open, build the second part of the filter:
A. Under the Connector column, select and.
B. Under the Attribute column, select Time Generated.
C. Under Operator, select greater than or equal to.
D. Under the Value column, use the first drop-down list to select today.
E. Under the Value column, use the second drop-down list to select a time
approximately sixty minutes ago (round up or down if you need to).
F. Click Add.

G. Note that the filter is updated to reflect the additional syntax:

70. In the Add Log Filter window, click Apply.


71. Your filter will appear in the System log syntax field:

The time and date for your filter will differ from the example shown here.
72. Click the Apply Filter button in the upper right corner of the window:

73. The System log display will update to show you only entries that have been generated
after the time you specified.

Although you used the System log as the basis for this exercise, the process of
creating filters is the same throughout all Palo Alto Networks firewall log databases.
The Filter Builder is available to use in all log tables.

74. Clear the filter by clicking the Clear Filter button in the upper right corner of the
window:
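The filters built in this lab (and the ( subtype eq auth ) filter used in Lab 4 to confirm which profile authenticated an administrator) all follow a ( attribute operator value ) grammar joined by and/or. The following added Python example, not Palo Alto Networks code, parses that grammar and applies it to a few constructed System log rows; the attribute names severity, subtype and time_generated and the YYYY/MM/DD HH:MM:SS time format are assumed to match what the Filter Builder emits.

```python
"""Evaluator for log filter expressions in the form the Filter Builder writes, e.g.
    ( severity eq informational ) and ( time_generated geq '2023/06/01 15:17:03' )
run over constructed System log rows. Added example, not Palo Alto Networks code."""
import re
from datetime import datetime

# Constructed sample System log rows (not captured from a real firewall). The web
# interface's "Type" column is the subtype attribute, as ( subtype eq auth ) shows.
SYSTEM_LOG = [
    {"time_generated": "2023/06/01 14:02:11", "subtype": "general", "severity": "informational",
     "description": "Commit job succeeded"},
    {"time_generated": "2023/06/01 15:30:45", "subtype": "auth", "severity": "informational",
     "description": "authenticated for user 'adminBob', auth profile 'Local-database'"},
    {"time_generated": "2023/06/01 15:48:09", "subtype": "auth", "severity": "high",
     "description": "failed authentication for user 'adminSally'"},
    {"time_generated": "2023/06/01 16:05:00", "subtype": "general", "severity": "informational",
     "description": "Configuration changes reverted"},
]

TIME_FIELDS = {"time_generated", "receive_time"}   # compared as timestamps, not text
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"
OPERATORS = {
    "eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
    "geq": lambda a, b: a >= b, "leq": lambda a, b: a <= b,
    "contains": lambda a, b: str(b) in str(a),
}
# Tokens: parentheses, single-quoted values (may contain spaces), bare words.
TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")


class FilterParser:
    """Recursive descent: 'and' binds tighter than 'or'; parentheses group."""

    def __init__(self, filter_text):
        self.tokens, self.pos = TOKEN.findall(filter_text), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        if token is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return token

    def parse(self):
        tree = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return tree

    def parse_or(self):
        tree = self.parse_and()
        while self.peek() == "or":
            self.take()
            tree = ("or", tree, self.parse_and())
        return tree

    def parse_and(self):
        tree = self.parse_term()
        while self.peek() == "and":
            self.take()
            tree = ("and", tree, self.parse_term())
        return tree

    def parse_term(self):
        if self.peek() == "(":
            self.take()
            tree = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return tree
        field, operator, value = self.take(), self.take(), self.take()
        if operator not in OPERATORS:
            raise ValueError(f"unknown operator {operator!r}")
        return ("cmp", field, operator, value.strip("'"))


def evaluate(tree, row):
    """Evaluate a parsed filter against one log row (a dict of attributes)."""
    if tree[0] == "cmp":
        _, field, operator, value = tree
        if field not in row:
            raise KeyError(f"unknown log attribute {field!r}")
        left, right = row[field], value
        if field in TIME_FIELDS:
            left, right = (datetime.strptime(t, TIME_FORMAT) for t in (left, right))
        else:
            left, right = left.lower(), right.lower()   # matching is case-insensitive
        return OPERATORS[operator](left, right)
    kind, left, right = tree
    if kind == "and":
        return evaluate(left, row) and evaluate(right, row)
    return evaluate(left, row) or evaluate(right, row)


def apply_filter(filter_text, rows=SYSTEM_LOG):
    """Return the rows matching filter_text, as the Apply Filter button would."""
    tree = FilterParser(filter_text).parse()
    return [row for row in rows if evaluate(tree, row)]
```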

Stop. This is the end of the lab.

Lab 4: Managing Firewall Administrator
Accounts
When you deploy the firewall into your production network, you need to make sure that other
members of your team have administrative access to the device. You want to leverage an existing
LDAP server that maintains account and password information for members of your team.
However, your organization recently merged with another company whose administrative
accounts are maintained in a RADIUS database.
No one has had time yet to migrate all the accounts from RADIUS into LDAP, so you need to
configure the firewall to check both LDAP and RADIUS to authenticate an account when an
administrator logs in.

Lab Objectives
• Load a baseline configuration
• Create a local firewall administrator account
• Configure an LDAP Server Profile
• Configure a RADIUS Server Profile
• Configure an LDAP Authentication Profile
• Configure a RADIUS Authentication Profile
• Configure an Authentication Sequence
• Create non-local firewall administrator accounts

High-Level Lab Steps
Use the information in the sections below to complete the objectives for this lab. We suggest that
you use this section only if you have extensive experience working with Palo Alto Networks
firewalls.
If you need more detailed guidance for the objectives, use the Detailed Lab Steps section.

Apply a Baseline Configuration to the Firewall


• Load and commit the configuration file edu-210-11.0b-04.xml to the firewall

Create a Local Database Authentication Profile


• Create a Local Database Authentication Profile called Local-database
• Set the Allow List for the Local-database Profile to all

Create a Local User Database Account


• Create an entry in the Local User Database called adminBob with Pal0Alt0! as the
Password

Create an Administrator Account


• Create an Administrator account using the Local Database entry for adminBob
• Set the Authentication Profile to Local-database

Commit the Configuration


• Commit the changes to the firewall before proceeding

Log in With New Admin Account


• Log out of the firewall web interface and log back into the firewall with adminBob as the
Username and Pal0Alt0! as the Password.
• Use the System log to verify that the adminBob account was authenticated by the local-
database
• Log out of the firewall and log back into the firewall with the admin/Pal0Alt0!
credentials.

Configure LDAP Authentication


• Use the information in the table below to configure an LDAP Server Profile
Profile Name                          LDAP-Server-Profile
Server Name                           ldap.panw.lab
LDAP Server IP Address                192.168.50.89
Port field                            389
Server Settings Type                  Other
Base DN                               dc=panw,dc=lab
Bind DN                               cn=admin,dc=panw,dc=lab
Password / Confirm Password           Pal0Alt0!
Require SSL/TLS secured connection    unchecked

• Use the information in the table below to create an LDAP Authentication Profile.
Name                          LDAP-Auth-Profile
Type                          LDAP
Server Profile                LDAP-Server-Profile
Allow List (Advanced Tab)     all

• Use the information in the table below to create a new administrator account that will be
authenticated by LDAP
Name                          adminSally
Authentication Profile        LDAP-Auth-Profile

Commit the Configuration


• Commit the changes to the firewall before proceeding

Log in With New Admin Account


• Test LDAP Authentication by logging in with the adminSally/Pal0Alt0! credentials
• Use the System log to verify that the adminSally account was authenticated using LDAP

Configure RADIUS Authentication


• Use the information in the table below to configure a RADIUS Server Profile
Profile Name                  RADIUS-Server-Profile
Authentication Protocol       CHAP
Server Name                   radius.panw.lab
RADIUS Server                 192.168.50.150
Secret / Confirm Secret       Pal0Alt0!
Port                          1812

• Use the information in the table below to create a RADIUS Authentication Profile
Name                          RADIUS-Auth-Profile
Type                          RADIUS
Server Profile                RADIUS-Server-Profile
Allow List (Advanced Tab)     all

• Use the information in the table below to create a new administrator account that will be
authenticated by RADIUS
Name                          adminHelga
Authentication Profile        RADIUS-Auth-Profile

Commit the Configuration


• Commit the changes to the firewall before proceeding

Log in With New Admin Account


• Test RADIUS Authentication by logging in with the adminHelga/Pal0Alt0! credentials
• Use the System log to verify that the adminHelga account was authenticated using
RADIUS

Configure an Authentication Sequence


• Create an authentication sequence called LDAP-then-RADIUS that uses the LDAP-
Auth-Profile first and the RADIUS-Auth-Profile second.

Commit the Configuration


• Commit the changes to the firewall before proceeding

Detailed Lab Steps
Use this section if you prefer detailed guidance to complete the objectives for this lab. We
strongly recommend that you use this section if you do not have extensive experience working
with Palo Alto Networks firewalls.

Apply a Baseline Configuration to the Firewall


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot.
3. Click the drop-down arrow next to the Name field and select edu-210-11.0b-04.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

4. Click OK to close the Load Named Configuration window.


5. Click Close to close the Loading Configuration window.
6. Click the Commit button at the upper right of the web interface.
7. Leave the remaining settings unchanged and click Commit.
8. Wait until the Commit process is complete.
9. Click Close to continue.

Create a Local Database Authentication Profile


10. Create a Local Database Authentication Profile by selecting Device > Authentication
Profile.
11. Click Add at the bottom of the window.
12. Under the Authentication tab, enter Local-database for the Name.
13. For Type, use the drop-down list to select Local Database.

14. Leave the remaining settings unchanged.

15. Select the tab for Advanced.


16. In the Allow List section, click Add.
17. Select all.

18. Leave the remaining settings unchanged.

The Allow List entries allow you to select individual members of the local database
if you wish to limit access to the firewall by specific administrators. By selecting all,
you allow any administrator accounts in the local database to access the firewall.

19. Click OK.

Create a Local User Database Account


In this section, you will create a new entry in the Local User Database on the firewall. This entry
will be for a new team member, adminBob.
20. Select Device > Local User Database > Users.
21. In the bottom left corner of the window, click Add.
22. For Name, enter adminBob.
23. Enter Pal0Alt0! for Password and Confirm Password.

24. Leave the remaining settings unchanged.

25. Click OK.

Create an Administrator Account


In this section, you will create an administrator account for adminBob. The adminBob
account will use the Local-database Authentication Profile.
26. Create an Administrator Account from a Local Database user by selecting Device >
Administrators.
27. Click Add at the bottom of the window.
28. For Name, enter adminBob.
29. For Authentication Profile, use the drop-down list to select Local-database.
30. Leave the remaining settings unchanged.

When you select Local-database for the Authentication Profile, there is no option to
enter a Password for the administrator. The password information for this account
is maintained in the Local-database on the firewall.

31. Click OK.

Commit the Configuration


32. Click the Commit button at the upper right of the web interface.
33. Leave the settings unchanged and click Commit.
34. Wait until the Commit process is complete.
35. Click Close to continue.

Log in With New Admin Account


36. Log out of the firewall web interface by clicking the Logout button in the bottom left
corner of the window.

37. Log back into the firewall with adminBob as the Username and Pal0Alt0! as the
Password.
38. Close any Welcome windows that appear.
39. Select Monitor > System.
40. Look for an entry with Type auth.

If you do not see an entry in the System log indicating a successful authentication
for adminBob, you can create and apply a filter with ( subtype eq auth ) as
the syntax.

41. Note that the entry in the firewall system log indicates that adminBob was successfully
authenticated against the Local-database.
42. Log out of the firewall.
43. Log back into the firewall with the admin/Pal0Alt0! credentials.

Configure LDAP Authentication


Your organization uses an LDAP server to maintain a database of users, including network
administrators. Your team of security personnel is growing each month and you want to
leverage the existing LDAP server to authenticate administrators when they attempt to log
into the firewall.
The first step in this process is to define an LDAP Server Profile that contains specific
information that the firewall can use when sending queries for authentication.
44. Select Device > Server Profiles > LDAP.
45. At the bottom of the window, click Add.
46. For Profile Name, enter LDAP-Server-Profile.
47. Under the Server List section, click Add.
48. In the Name field, enter ldap.panw.lab.
49. In the LDAP Server field, enter 192.168.50.89.
50. Leave the Port field set to 389.
51. Under the Server Settings section, verify that the Type is set to other.
52. Enter dc=panw,dc=lab for Base DN.
53. Enter cn=admin,dc=panw,dc=lab for Bind DN.
54. Enter Pal0Alt0! for Password and Confirm Password.
55. Uncheck the option for Require SSL/TLS secured connection.
56. Leave the remaining settings unchanged.

Note that there are no spaces between values in the Base DN and Bind DN fields.

57. Click OK to create the LDAP Server Profile.


With your LDAP Server Profile in place, you will now create an Authentication Profile and
reference the LDAP Server Profile you just created.
58. Select Device > Authentication Profile.
59. Click the Add button at the bottom of the window.
60. For Name, enter LDAP-Auth-Profile.
61. Under the Authentication tab, use the Type drop-down list to select LDAP.
62. Under Server Profile, use the drop-down list to select LDAP-Server-Profile.

63. Select the Advanced tab.


64. Under the Allow List section, click Add.
65. Select all.

66. Leave the remaining settings unchanged.

67. Click OK.


68. Create a new administrator by selecting Device > Administrators.
69. Click Add.
70. For Name, enter adminSally.
71. For Authentication Profile, use the drop-down list to select LDAP-Auth-Profile.
72. Leave the remaining settings unchanged.

The adminSally account is one that exists in the LDAP server.

73. Click OK.

Commit the Configuration


74. Click the Commit button at the upper right of the web interface.
75. Leave the settings unchanged and click Commit.
76. Wait until the Commit process is complete.
77. Click Close to continue.

Log in With New Admin Account


78. Log out of the firewall by clicking the Logout button in the bottom left corner of the
window.
79. Log back into the firewall with adminSally as the Username and Pal0Alt0! as the
Password.
80. Close any Welcome windows that appear.
81. Select Monitor > System.
82. Look for an entry with Type auth.

If you do not see an entry in the System log indicating a successful authentication
for adminSally, you can use a filter ( subtype eq auth ) as the syntax.

83. Note that the entry in the firewall system log indicates that adminSally was
successfully authenticated against the LDAP-Auth-Profile.
84. Log out of the firewall.
85. Log back into the firewall with the admin/Pal0Alt0! credentials.

Configure RADIUS Authentication
Your organization has recently acquired another company. The newly acquired company
maintains all network administrator accounts in a RADIUS server. You need to incorporate
RADIUS authentication for the firewall so the new network administrators who have joined
your team can access the firewall for management purposes.
86. Create a RADIUS Server Profile by selecting Device > Server Profiles > RADIUS.
87. Click Add.
88. For Name, enter RADIUS-Server-Profile.
89. For Authentication Protocol, use the drop-down list to select CHAP.

Note: Never use CHAP in a production environment because it is not secure. We are
using it in the lab for the sake of simplicity.

90. Under the Servers section, click Add.


91. For the server Name field, enter radius.panw.lab.
92. For the RADIUS Server field, enter 192.168.50.150.
93. Enter Pal0Alt0! for Secret and Confirm Secret.
94. Leave the Port set to 1812.
95. Leave the remaining settings unchanged.

96. Click OK.
97. Create a RADIUS Authentication Profile by selecting Device > Authentication
Profile.
98. Click Add.
99. For Name, enter RADIUS-Auth-Profile.
100. For Type, select RADIUS.
101. For Server Profile, select RADIUS-Server-Profile.
102. Leave the remaining settings unchanged.

103. Select the Advanced tab.


104. Under the Allow List section, click Add.
105. Select all.

106. Leave the remaining settings unchanged.

107. Click OK.


108. Create an administrator account for adminHelga (who has recently joined your team
from the acquired company) by selecting Device > Administrators.
109. Click Add.
110. For Name, enter adminHelga.
111. For Authentication Profile, select RADIUS-Auth-Profile.
112. Leave the remaining settings unchanged.

113. Click OK.
114. Click the Commit button at the upper right of the web interface:

A Commit window should open.


115. Leave the settings unchanged and click Commit.
116. Wait until the Commit process is complete.
117. Log out of the firewall by clicking the Logout button in the bottom left corner of the
window.
118. Log back into the firewall with adminHelga as the Username and Pal0Alt0! as the
Password.
119. Close any Welcome windows that appear.
120. Select Monitor > System.
121. Look for an entry with Type auth.

If you do not see an entry in the System log indicating a successful authentication
for adminHelga, you can use a filter ( subtype eq auth ) as the syntax.

122. Note that the entry in the firewall system log indicates that adminHelga was
successfully authenticated against the RADIUS-Auth-Profile.

123. Log out of the firewall.
124. Log back into the firewall with the admin/Pal0Alt0! credentials.

Configure an Authentication Sequence


Since the acquisition, some administrator accounts exist in LDAP and other accounts exist in
RADIUS. With administrator accounts in these two different systems, you need to configure
the firewall so that it can check both external databases when an administrator attempts to
log in.
You will accomplish this by creating an Authentication Sequence. The sequence will instruct
the firewall to check an account against LDAP first and then against RADIUS if the account
does not exist in LDAP (or if the LDAP server is unavailable).
125. Select Device > Authentication Sequence.
126. Click Add.
127. For Name, enter LDAP-then-RADIUS.
128. Under the Authentication Profiles section, click Add.
129. Select LDAP-Auth-Profile.
130. Click Add again.
131. Select RADIUS-Auth-Profile.
132. Leave the remaining settings unchanged.

Note the Move Up and Move Down buttons. These allow you to change the order
of the Authentication Profiles if necessary. In this example, the firewall will use the
LDAP-Auth-Profile first when an administrator logs in to attempt authentication; if
the user account does not exist in LDAP (or if the LDAP server is unavailable), the
firewall will use the RADIUS-Auth-Profile to attempt authentication.

133. Click OK.
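The fall-through behaviour described above, as an added Python model (not PAN-OS code): each profile is a constructed in-memory directory, adminSally exists only in the LDAP profile and adminHelga only in the RADIUS profile, and the sequence moves to the next profile whenever the current one does not succeed. That covers the unknown-account and unavailable-server cases the lab names; treating a wrong password the same way is an assumption of this model. The passwords are made up for the example.

```python
"""Model of the LDAP-then-RADIUS Authentication Sequence this lab builds. Added
example, not PAN-OS code: the directories are constructed dictionaries, and the
sequence moves to the next profile whenever the current one does not succeed,
which covers the unknown-account and unavailable-server cases the lab describes."""
from dataclasses import dataclass


class ServerUnavailable(Exception):
    """Raised when the backend behind a profile cannot be reached."""


@dataclass
class AuthProfile:
    name: str
    accounts: dict               # username -> password, constructed sample data
    allow_list: object = "all"   # "all" (as configured in the lab) or a set of usernames
    available: bool = True

    def authenticate(self, user, password):
        """Return 'success', 'not-in-allow-list', 'unknown-user' or 'bad-password'."""
        if not self.available:
            raise ServerUnavailable(self.name)
        if self.allow_list != "all" and user not in self.allow_list:
            return "not-in-allow-list"
        stored = self.accounts.get(user)
        if stored is None:
            return "unknown-user"
        return "success" if stored == password else "bad-password"


def run_sequence(profiles, user, password):
    """Try each profile in order. Returns (granted, profile_name, trace); the trace
    records, per attempt, what the System log would let you verify afterwards."""
    trace = []
    for profile in profiles:
        try:
            result = profile.authenticate(user, password)
        except ServerUnavailable:
            trace.append(f"{profile.name}: server unavailable, trying next profile")
            continue
        trace.append(f"{profile.name}: {result}")
        if result == "success":
            return True, profile.name, trace
    trace.append("all profiles exhausted, access denied")
    return False, None, trace


def build_sequence(ldap_available=True):
    """LDAP-then-RADIUS with constructed accounts: adminSally exists only in LDAP,
    adminHelga only in RADIUS. Passwords are made up for this example."""
    ldap = AuthProfile("LDAP-Auth-Profile", {"adminSally": "ldap-example-pw"},
                       available=ldap_available)
    radius = AuthProfile("RADIUS-Auth-Profile", {"adminHelga": "radius-example-pw"})
    return [ldap, radius]


if __name__ == "__main__":
    for user, pw, ldap_up in [("adminSally", "ldap-example-pw", True),
                              ("adminHelga", "radius-example-pw", True),
                              ("adminSally", "ldap-example-pw", False)]:
        granted, via, trace = run_sequence(build_sequence(ldap_up), user, pw)
        print(f"{user} (LDAP up={ldap_up}): granted={granted} via={via}")
        for line in trace:
            print("   ", line)
```

The third case in the run shows the limit of the fallback: when the LDAP server is down, an account that exists only in LDAP is still denied, because RADIUS has never heard of it.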

Commit the Configuration


134. Click the Commit button at the upper right of the web interface.
135. Leave the settings unchanged and click Commit.
136. Wait until the Commit process is complete.
137. Click Close to continue.

Stop. This is the end of the lab.

Lab 5: Connecting the Firewall to Production
Networks with Security Zones
In preparation for deployment, you need to connect the firewall to the appropriate production
networks. You already have cabled the firewall interfaces to the appropriate switch ports in the
data center. In this section, you will configure the firewall with Layer 3 IP addresses and a
virtual router. You also will create security zones that divide your network into separate logical
areas so that you have more control over traffic from one segment to another.
When you have the configuration in place on the firewall, you will use ping from different
devices to verify connectivity between all the segments.

Lab Objectives
• Load a baseline configuration
• Create Layer 3 interfaces
• Create a virtual router
• Segment your production network using security zones
• Test connectivity from firewall to hosts in each security zone
• Create Interface Management Profiles

High-Level Lab Steps


Use the information in the sections below to complete the objectives for this lab. We suggest that
you use this section only if you have extensive experience working with Palo Alto Networks
firewalls.
If you need more detailed guidance for the objectives, use the Detailed Lab Steps section.

Apply a Baseline Configuration to the Firewall


• Load and commit the configuration file edu-210-11.0b-05.xml to the firewall

Create Layer 3 Network Interfaces


Use the information in the tables below to create Layer 3 network interfaces.

Create a Layer 3 Interface on ethernet1/1


Ethernet Interface            ethernet1/1
Comment                       Internet connection
Type                          Layer 3
IPv4 Type                     Static
IP                            203.0.113.20/24

Create a Layer 3 Interface on ethernet1/2


Ethernet Interface            ethernet1/2
Comment                       Users network connection
Type                          Layer 3
IPv4 Type                     Static
IP                            192.168.1.1/24

Create a Layer 3 Interface on ethernet1/3
Ethernet Interface            ethernet1/3
Comment                       Extranet servers connection
Type                          Layer 3
IPv4 Type                     Static
IP                            192.168.50.1/24

Create a Virtual Router


Use the information in the table below to create a Virtual Router and a firewall default gateway.
Name                          VR-1
Interfaces (General Tab)      ethernet1/1
                              ethernet1/2
                              ethernet1/3
IPv4 Static Route Name        Firewall-Default-Gateway
Destination                   0.0.0.0/0
Interface                     ethernet1/1
Next Hop                      IP Address
Next Hop IP                   203.0.113.1

Segment Your Production Network Using Security Zones


Use the information in the tables below to create three Security Zones with the appropriate
interface in each Zone.
Zone Name                     Internet
Type                          Layer 3
Interface                     ethernet1/1

Zone Name                     Users_Net
Type                          Layer 3
Interface                     ethernet1/2

Zone Name                     Extranet
Type                          Layer 3
Interface                     ethernet1/3

Commit the Configuration


• Commit the changes to the firewall before proceeding

Test Connectivity to Each Zone


• Use the Remmina SSH application on the Client-A desktop to connect to Firewall-A
• In the firewall CLI, use the ping command to check network connectivity from the
firewall to a host in each Security Zone.
• From 192.168.1.1 (ethernet1/2) to 192.168.1.20
• From 192.168.50.1 (ethernet1/3) to 192.168.50.150
• From 203.0.113.20 (ethernet1/1) to 8.8.8.8

Test Interface Access before Management Profiles


• Ping the firewall interface on ethernet1/2 from a terminal connection on Client-A. You
will not get a response.
• Attempt to connect to the firewall for CLI management through an SSH connection from
Client-A. The firewall will not accept the connection.

Define Interface Management Profiles


Use the information below to create two Interface Management Profiles.

Name: Allow-ping
Enabled Administrative Management Services: None
Enabled Network Services: Ping

Name: Allow-mgt
Enabled Administrative Management Services: HTTPS, SSH
Enabled Network Services: Ping, SNMP, Response Pages

Apply Allow-ping to ethernet1/1

• Apply the Allow-ping Interface Management Profile to ethernet1/1

Apply Allow-mgt to ethernet1/2


• Apply the Allow-mgt Interface Management Profile to ethernet1/2

Apply Allow-mgt to ethernet1/3


• Apply the Allow-mgt Interface Management Profile to ethernet1/3

Commit the Configuration


• Commit the changes before testing Interface Management Profiles

Test Interface Access after Management Profiles


• Ping the firewall interface on ethernet1/2 from a terminal connection on Client-A. You
should now get a response.
• Attempt to connect to the firewall for CLI management through an SSH connection from
Client-A. The firewall will now accept the connection.

Detailed Lab Steps
Use this section if you prefer detailed guidance to complete the objectives for this lab. We
strongly recommend that you use this section if you do not have extensive experience working
with Palo Alto Networks firewalls.

Apply a Baseline Configuration to the Firewall


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot.
3. Click the drop-down arrow next to the Name field and select edu-210-11.0b-05.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

4. Click OK to close the Load Named Configuration window.


5. Click Close to close the Loading Configuration window.
6. Click the Commit button at the upper right of the web interface.
7. Leave the remaining settings unchanged and click Commit.
8. Wait until the Commit process is complete.
9. Click Close to continue.

Create Layer 3 Network Interfaces


In the following sections, you will create Layer 3 interfaces on the firewall that will provide
basic network connectivity to your production networks. You have a network with users
(192.168.1.0/24), a network with production servers (192.168.50.0/24) and a network connecting
the firewall to an upstream internet router (203.0.113.0/24). The following diagram provides
details.

Create a Layer 3 Interface on ethernet1/1
This interface will provide network connectivity to the Internet.
10. Select Network > Interfaces > Ethernet.
11. Click the link for ethernet1/1.

12. For Comment, enter Internet connection.


13. For Interface Type, select Layer3.

14. Leave the other settings unchanged but do not close this window.

15. Select the tab for IPv4.


16. Leave the Type set to Static.
17. Under the IP heading, click Add.
18. Enter 203.0.113.20/24

19. Leave the remaining settings unchanged.

Be sure to include /24 in the address!

20. Click OK.

Create a Layer 3 Interface on ethernet1/2


This interface will provide network connectivity to the Users network.

21. Select Network > Interfaces > Ethernet.
22. Click the link for ethernet1/2.

23. For Comment, enter Users network connection.


24. For Interface Type, select Layer3.
25. Leave the other settings unchanged but do not close this window.

26. Select the tab for IPv4.


27. Leave the Type set to Static.
28. Under the IP heading, click Add.
29. Enter 192.168.1.1/24

30. Leave the remaining settings unchanged.

Be sure to include /24 in the address!

31. Click OK.

Create a Layer 3 Interface on ethernet1/3


This interface will provide network connectivity to the Extranet network.

32. Select Network > Interfaces > Ethernet.
33. Click the link for ethernet1/3.

34. For Comment, enter Extranet servers connection.


35. For Interface Type, select Layer3.
36. Leave the other settings unchanged but do not close this window.

37. Select the tab for IPv4.


38. Leave the Type set to Static.
39. Under the IP heading, click Add.
40. Enter 192.168.50.1/24

41. Leave the remaining settings unchanged.

Be sure to include /24 in the address!

42. Click OK.


43. When complete, your Ethernet table will have three entries:

Note that the Link State indicator icons will remain gray until you commit the configuration.

Create a Virtual Router
In this section, you will create a virtual router and connect your Layer 3 interfaces to it. You also
will define a default gateway for the virtual router itself.
44. Select Network > Virtual Routers.
45. Click Add.
46. For Name, enter VR-1.
47. Under the General section, within interfaces, click the Add button at the bottom.
48. Select ethernet1/1.

49. Click Add again.


50. Select ethernet1/2.
51. Click Add again.
52. Select ethernet1/3.
53. Leave this window open.

54. When complete, all three interfaces should be listed under the General tab:

The order in which you add these interfaces to the list is not important. You could
start by adding ethernet1/3 and the result will be the same. You are simply adding
the appropriate interfaces to this virtual router.

55. In the Virtual Router window, click the link on the side for Static Routes.

56. Under the tab for IPv4, click Add at the bottom of the window.

57. For Name, enter Firewall-Default-Gateway.


58. For Destination, enter 0.0.0.0/0.
59. For Interface, select ethernet1/1.
60. Leave the Next Hop field set to IP Address.
61. Below the Next Hop field, enter 203.0.113.1.
62. Leave the remaining settings unchanged.

This entry is the default route for the firewall. Like all other network hosts, the
firewall needs a default gateway in order to send traffic to unknown networks. The
firewall has local connections to 192.168.1.0, 192.168.50.0 and 203.0.113.0
networks, so it can forward packets to hosts on those networks directly. However,
for any other destination IP addresses (such as 8.8.8.8 for DNS), this route
statement instructs the firewall to forward packets to 203.0.113.1, which is the
internet router.

63. Click OK on the Virtual Router – Static Route – IPv4 window.


64. Click OK on the Virtual Router window.

Segment Your Production Network Using Security Zones


With your network interfaces and virtual router in place, you can now create security zones. You
will create three security zones:

65. Create the Internet Zone by selecting Network > Zones.

66. At the bottom of the window, click the Add button.


67. For Name, enter Internet.
68. For Type, select Layer3.
69. Under the Interfaces section, click Add.
70. Select ethernet1/1.
71. Leave the remaining settings unchanged.

Zone names are case-sensitive! Make sure you are consistent throughout your
configuration process.

72. Click OK.
73. In the Zones window, create the Users_Net Zone by clicking Add.
74. At the bottom of the window, click the Add button.
75. For Name, enter Users_Net.
76. For Type, select Layer3.
77. Under the Interfaces section, click Add.
78. Select ethernet1/2.
Notice that ethernet1/1 is no longer listed in the available interfaces. You have
assigned ethernet1/1 to another zone so the firewall will not allow you to assign the
same interface to any other zone.

79. Leave the remaining settings unchanged.

80. Click OK.


81. In the Zones window, create the Extranet Zone by clicking Add.
82. At the bottom of the window, click the Add button.
83. For Name, enter Extranet.
84. For Type, select Layer3.
85. Under the Interfaces section, click Add.
86. Select ethernet1/3.

All other Layer 3 interfaces have been assigned to zones so you can choose only
ethernet1/3.

87. Leave the remaining settings unchanged.

88. Click OK.


89. You should now have three security zones:

Commit the Configuration


90. Click the Commit button at the upper right of the web interface.
91. Leave the settings unchanged and click Commit.
92. Wait until the Commit process is complete.

93. Click Close to continue.

Test Connectivity to Each Zone


To verify network connectivity from the firewall to hosts in each zone, you will use an SSH
connection and ping hosts on each network.
94. On the client desktop, open the Remmina application:

95. Double-click the entry for Firewall-A:

The Firewall-A connection in Remmina has been pre-configured to provide login
credentials to the firewall so that you do not have to log in each time. This is for
convenience in the lab only.

96. In the CLI connection to the firewall, use the ping command to check network
connectivity to a host in the Users_Net Security Zone by using the following command
at the admin@firewall-a> prompt:
admin@firewall-a> ping source 192.168.1.1 host 192.168.1.20

Note the syntax for this command. 192.168.1.1 is the IP address of ethernet1/2 on
the firewall. The command instructs the firewall to use that IP address on
ethernet1/2 to ping the host 192.168.1.20. If you do not use the source option, the
firewall uses its management interface address as the source IP.

97. Allow the ping to continue for three or four seconds and then use Ctrl+C to interrupt the
command:

98. Use the ping command to check connectivity to a host in the Extranet zone by using the
following command at the admin@firewall-a> prompt:
admin@firewall-a> ping source 192.168.50.1 host 192.168.50.150

192.168.50.1 is the IP address on ethernet1/3 that is assigned to the Extranet
security zone. 192.168.50.150 is a server in the Extranet zone.

99. Allow the ping to continue for three or four seconds and then use Ctrl+C to interrupt the
command:

100. Use the ping command to check connectivity to a host on the Internet by using the
following command at the admin@firewall-a> prompt:
admin@firewall-a> ping source 203.0.113.20 host 8.8.8.8

203.0.113.20 is the IP address on ethernet1/1 that is assigned to the Internet
security zone. 8.8.8.8 is a DNS server in the Internet zone.

101. Allow the ping to continue for three or four seconds and then use Ctrl+C to interrupt the
command:

102. After you have successfully tested network access from the firewall to each network
segment, close the Remmina SSH connection to the firewall by typing exit <Enter>.
103. Close the Remmina desktop application window.

Create Interface Management Profiles
Interface Management Profiles allow you to enable specific network services on individual
firewall interfaces.
Often, your team members need to manage the firewall but do not always have network
connectivity to the management network. In this exercise, you will define two Interface
Management Profiles. One Profile, named “Allow-ping,” will be applied to the Internet interface
so that your SecOps team members can ping the external firewall interface for troubleshooting
from outside your organization’s network.
You will create a second Interface Management Profile called “Allow-mgt” that allows both
ping and secure management traffic, including SSH and HTTPS. You will apply this Profile to
the Users_Net interface and to the Extranet interface. This Profile will allow your SecOps
team to manage the firewall from those networks if they need to.

Test Interface Access before Management Profiles
To illustrate the default behavior of firewall interfaces, you will ping 192.168.1.1 from the client
workstation. You will also attempt to access the firewall CLI by SSH through 192.168.1.1.
Without any Interface Management Profiles in place, both ping and SSH will fail.
104. Open the Terminal application on the client desktop.

105. Issue the following command:


lab-user@client-a:~/Desktop/Lab-Files$ ping 192.168.1.1 <Enter>

106. You will not get a response.


107. Wait a few seconds and use Ctrl+C to stop the command.

108. Attempt to open an SSH connection to the firewall through 192.168.1.1 by issuing the
following command:
lab-user@client-a:~/Desktop/Lab-Files$ ssh [email protected] <Enter>

109. After a few seconds, use Ctrl+C to stop the connection because it will not succeed.

110. Leave the Terminal window open on the client because you will perform these same
tests after applying an Interface Management Profile to ethernet1/2.

Define Interface Management Profiles
111. In the firewall web interface, select Network > Network Profiles > Interface Mgmt.
112. Click Add at the bottom of the window.
113. For Name, enter Allow-ping.
114. Under the Network Services section, check the box for Ping.
115. Leave the remaining settings unchanged.

116. Click OK.


117. In the Interface Management section, click Add again to create another entry.
118. For Name, enter Allow-mgt.
119. Under the Administrative Management Services section, check the boxes for HTTPS
and SSH.
120. Under the section for Network Services, check Ping, SNMP and Response Pages.

121. Leave the remaining settings unchanged.

122. Click OK.

Apply Allow-ping to ethernet1/1


123. Select Network > Interfaces > Ethernet.
124. Edit the entry for ethernet1/1.
125. Select the tab for Advanced.
126. Under the Other Info section, use the drop-down list for Management Profile to select
Allow-ping.

127. Leave the other settings unchanged.

This action applies the Allow-ping interface management Profile to ethernet1/1. As
a result, ethernet1/1 will answer ping requests.

Note that in a production environment, you may not want an Internet-facing
interface to reply to any type of traffic. Applying this Profile in the lab allows you to
see how different Profiles can be applied to different interfaces.

128. Click OK.

Apply Allow-mgt to ethernet1/2


129. Select Network > Interfaces > Ethernet.
130. Edit the entry for ethernet1/2.
131. Select the tab for Advanced.
132. Under the Other Info section, use the drop-down list for Management Profile to select
Allow-mgt.

133. Leave the other settings unchanged.

134. Click OK.


135. Read the Warning message and click Yes.

Managing the firewall by applying a management profile on a network interface has
risks and therefore should only be used if there is no other option due to the
network topology. In a production environment you should avoid this practice when
possible.

Apply Allow-mgt to ethernet1/3


136. Select Network > Interfaces > Ethernet.
137. Edit the entry for ethernet1/3.
138. Select the tab for Advanced.
139. Under the Other Info section, use the drop-down list for Management Profile to select
Allow-mgt.

140. Leave the other settings unchanged.
141. Click OK.
142. Click Yes on the Warning message.
143. When you complete these steps, your interface table should have an entry under the
Management Profile column for each interface.

Commit the Configuration


144. Click the Commit button at the upper right of the web interface.
145. Leave the settings unchanged and click Commit.
146. Wait until the Commit process is complete.
147. Click Close to continue.

Test Interface Access after Management Profiles


With the Allow-mgt Interface Management Profile in place on ethernet1/2, both ping and SSH
will succeed.
148. From the Terminal Emulator on the client desktop, issue the following command:
lab-user@client-a:~/Desktop/Lab-Files$ ping 192.168.1.1 <Enter>

149. The interface will now respond.

150. Wait a few seconds and use Ctrl+C to stop the command.

151. Attempt to open an SSH connection to the firewall through 192.168.1.1 by issuing the
following command:
lab-user@client-a:~/Desktop/Lab-Files$ ssh [email protected] <Enter>

If you are prompted to accept an RSA key fingerprint, type yes <Enter>.
152. For password, enter Pal0Alt0! <Enter>.
153. The firewall will present the CLI interface.

154. Close the SSH connection to the firewall by typing exit <Enter>.
155. Close the Terminal window by typing exit <Enter>.
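
As an added reference that is not part of the lab guide (the lab itself is completed in the web interface), the Lab 5 configuration described in both the High-Level Lab Steps and the Detailed Lab Steps above, expressed as PAN-OS configuration-mode set commands followed by operational-mode checks. The command syntax is written from general PAN-OS knowledge rather than taken from this guide, so confirm each line with ? completion on your firewall; lines beginning with # are annotations for the reader, not CLI input.

```text
# Added example: CLI equivalent of Lab 5 (not part of the lab guide).
# Enter configuration mode from the operational prompt.
admin@firewall-a> configure

# Layer 3 interfaces with the comments and addresses from the lab tables.
set network interface ethernet ethernet1/1 comment "Internet connection"
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.20/24
set network interface ethernet ethernet1/2 comment "Users network connection"
set network interface ethernet ethernet1/2 layer3 ip 192.168.1.1/24
set network interface ethernet ethernet1/3 comment "Extranet servers connection"
set network interface ethernet ethernet1/3 layer3 ip 192.168.50.1/24

# Virtual router VR-1 owning all three interfaces, with the default route that
# sends traffic for unknown destinations (for example 8.8.8.8) to the internet router.
set network virtual-router VR-1 interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]
set network virtual-router VR-1 routing-table ip static-route Firewall-Default-Gateway destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1

# Security zones. Names are case-sensitive, and an interface can belong to one zone only.
set zone Internet network layer3 ethernet1/1
set zone Users_Net network layer3 ethernet1/2
set zone Extranet network layer3 ethernet1/3

# Interface Management Profiles. Allow-ping exposes only ICMP echo on the
# Internet-facing interface; Allow-mgt adds HTTPS and SSH management plus SNMP
# and response pages, and is applied only to the internal interfaces.
set network profiles interface-management-profile Allow-ping ping yes
set network profiles interface-management-profile Allow-mgt https yes ssh yes ping yes snmp yes response-pages yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow-ping
set network interface ethernet ethernet1/2 layer3 interface-management-profile Allow-mgt
set network interface ethernet ethernet1/3 layer3 interface-management-profile Allow-mgt

# Nothing takes effect until the candidate configuration is committed.
commit
exit

# Operational-mode checks that mirror the lab's tests: the routing table should
# contain the three connected networks plus 0.0.0.0/0 via 203.0.113.1, the FIB
# lookup for 8.8.8.8 should resolve to ethernet1/1, and the source option makes
# the firewall ping from the interface address rather than the management interface.
admin@firewall-a> show routing route
admin@firewall-a> test routing fib-lookup virtual-router VR-1 ip 8.8.8.8
admin@firewall-a> ping source 192.168.1.1 host 192.168.1.20
```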

Stop. This is the end of the lab.

Lab 6: Creating and Managing Security Policy Rules
You have the firewall deployed and connected to all the appropriate networks. The next step is to
begin creating Security Policy rules. You will start by creating rules that allow hosts in the
Users_Net zone to communicate with hosts in the Extranet zone. You will then create Security
Policy rules to allow hosts in the Users_Net zone to connect to hosts in the Internet zone.
You also need to allow hosts in the Extranet zone to communicate with hosts in the Internet
zone.

Lab Objectives
• Configure a Security Policy rule to allow access from Users_Net to Extranet
• Test access from client to Extranet servers
• View the Traffic log
• Examine Policy Rule Hit Count
• Reset rule hit counts
• Customize Policy tables
• Enable intrazone and interzone logging
• Create Security Policy rules to Internet Zone

High-Level Lab Steps


Use the information in the sections below to complete the objectives for this lab. We suggest that
you use this section only if you have extensive experience working with Palo Alto Networks
firewalls.
If you need more detailed guidance for the objectives, use the Detailed Lab Steps section.

Apply a Baseline Configuration to the Firewall


• Load and commit the configuration file edu-210-11.0b-06.xml to the firewall.

Create Security Policy Rule


• Use the information below to create a Security Policy rule that will allow traffic from the
Users_Net zone to the Extranet zone.
Rule Name: Users_to_Extranet
Description: Allows hosts in Users_Net zone to access servers in Extranet zone
Source Zone: Users_Net
Destination Zone: Extranet
Application: Any
Service: application-default
URL Category: Any
Action: Allow

Commit the Configuration


• Commit the changes before proceeding.

Modify Security Policy Table Columns
• Hide the following columns in the Security Policy table to create more area to view
helpful information
• Type
• Source Device
• Destination Device
• Options
• Drag and drop the Action column from its current location so that it appears between the
Name column and the Tag column

Test New Security Policy Rule


• From the Client-A host, ping 192.168.50.80, which is the IP address of a web server in
the Extranet zone.
• Use the Chrome web browser on the Client-A client to connect to the Extranet web page
at 192.168.50.80.

Examine Rule Hit Count


• In the Security Policy rule table, locate the column for Hit Count, and note the number
of Hits on this Users_to_Extranet rule.
• From the Client-A host, ping the Extranet web server - 192.168.50.80.
• Refresh the Hit Count and note any increase in the value for the Users_to_Extranet
Security Policy rule.

Reset the Rule Hit Counter


• Reset the Hit Count for the Users_to_Extranet rule

Examine the Traffic Log


• Hide the following columns in the Traffic Log.
• Type
• Source Dynamic Address Group
• Destination Dynamic Address Group
• Dynamic User Group
• From the terminal window on the Client-A host, ping 8.8.8.8
You will not get a reply
• Examine the traffic log again and use a simple filter to see if there are any entries for the
ping session that failed
• Answer the following question:

Why are there no entries in the Traffic log for your ping session to 8.8.8.8?

• Write down your answer in the field shown or on notepaper in class.

Enable Logging for Default Interzone Rule


• Edit the Interzone Security Policy rule and enable Log at Session End

Commit the Configuration


• Commit the changes before proceeding

Ping a Host on the Internet


• From the terminal window on the Client-A host, ping 8.8.8.8
You will not get a reply
• Examine the Traffic Log again and use a simple filter to see if there are any entries for
this session that failed
• The entries in the Traffic Log should show you that the ping sessions are hitting the
interzone-default rule

Create Block Rules for Known-Bad IP Addresses


• Use the information below to create a rule at the top of the Security Policy to block traffic to
known bad IP addresses provided by Palo Alto Networks.

Rule Name: Block-to-Known-Bad-Addresses
Description: Blocks traffic from Users and Extranet to known bad IP addresses
Source Zone: Users_Net, Extranet
Destination Zone: Internet
Destination Address:
  ● Palo Alto Networks – Bulletproof IP addresses
  ● Palo Alto Networks – High risk IP addresses
  ● Palo Alto Networks – Known malicious IP addresses
Application: Any
Service: any
URL Category: Any
Action: Deny

• Use the information below to create another Security Policy rule to block traffic from
known bad IP addresses provided by Palo Alto Networks. Place this rule at the top of the
Security Policy, just below the Block-to-Known-Bad-Addresses rule.

Rule Name: Block-from-Known-Bad-Addresses
Description: Blocks traffic from known bad IP addresses to Users and Extranet
Source Zone: Internet
Source Address:
  ● Palo Alto Networks – Bulletproof IP addresses
  ● Palo Alto Networks – High risk IP addresses
  ● Palo Alto Networks – Known malicious IP addresses
Destination Zone: Users_Net, Extranet
Application: Any
Service: application-default
URL Category: Any
Action: Deny

Create Security Rules for Internet Access


• Use the information in the tables below to create Security Policy rules.

Create Users to Internet Security Policy Rule


• Use the information below to create a Security Policy rule that will allow traffic from the
Users_Net zone to the Internet zone.
Rule Name: Users_to_Internet
Description: Allows hosts in Users_Net zone to access Internet zone
Source Zone: Users_Net
Destination Zone: Internet
Application: Any
Service: application-default
URL Category: Any
Action: Allow

Create Extranet to Internet Security Policy Rule


Use the information below to create a Security Policy rule that will allow traffic from the
Extranet zone to the Internet zone.
Rule Name: Extranet_to_Internet
Description: Allows hosts in Extranet zone to access Internet zone
Source Zone: Extranet
Destination Zone: Internet
Application: Any
Service: application-default
URL Category: Any
Action: Allow

Commit the Configuration


• Commit the changes before proceeding

Ping Internet Host from Client A


• From the terminal window on the Client-A host, ping 8.8.8.8
You will not get a reply
• Examine the Traffic Log again and use a simple filter to see if there are any entries for
this session that failed
• The entries in the Traffic Log should show you that the ping sessions are hitting the
Users_to_Internet rule.
• Answer the following question:

Can you explain why your ping session from the client to the Internet host did not get a reply
even though the firewall is allowing the traffic?

• Write down your answer in the field shown or on notepaper in class.
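
As an added reference that is not part of the lab guide, the three allow rules and the interzone-default logging change from the Lab 6 steps above, expressed as PAN-OS configuration-mode set commands with operational-mode checks. The syntax is written from general PAN-OS knowledge rather than taken from this guide, so confirm each line with ? completion; the two block rules that reference the predefined Palo Alto Networks address lists are left out because their CLI object names are not given in this guide. Lines beginning with # are annotations, not CLI input.

```text
# Added example: CLI equivalent of the Lab 6 allow rules (not part of the lab guide).
admin@firewall-a> configure

# Users_Net -> Extranet: any application, but only on its application-default port.
set rulebase security rules Users_to_Extranet from Users_Net to Extranet source any destination any application any service application-default action allow
set rulebase security rules Users_to_Extranet description "Allows hosts in Users_Net zone to access servers in Extranet zone"

# Users_Net -> Internet and Extranet -> Internet, same shape.
set rulebase security rules Users_to_Internet from Users_Net to Internet source any destination any application any service application-default action allow
set rulebase security rules Users_to_Internet description "Allows hosts in Users_Net zone to access Internet zone"
set rulebase security rules Extranet_to_Internet from Extranet to Internet source any destination any application any service application-default action allow
set rulebase security rules Extranet_to_Internet description "Allows hosts in Extranet zone to access Internet zone"

# Log at session end on the built-in interzone-default rule, so that sessions that
# fall through every explicit rule show up in the Traffic log instead of being dropped silently.
set rulebase default-security-rules rules interzone-default log-end yes

commit
exit

# Checks: which rule a Users_Net host reaching the Extranet web server on TCP 80
# matches (expected: Users_to_Extranet), and the committed rulebase in order.
admin@firewall-a> test security-policy-match from Users_Net to Extranet source 192.168.1.20 destination 192.168.50.80 protocol 6 destination-port 80
admin@firewall-a> show running security-policy
```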

Detailed Lab Steps
Use this section if you prefer detailed guidance to complete the objectives for this lab. We
strongly recommend that you use this section if you do not have extensive experience working
with Palo Alto Networks firewalls.

Apply a Baseline Configuration to the Firewall


To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot.
3. Click the drop-down arrow next to the Name field and select edu-210-11.0b-06.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

4. Click OK to close the Load Named Configuration window.


5. Click Close to close the Loading Configuration window.
6. Click the Commit button at the upper right of the web interface.
7. Leave the remaining settings unchanged and click Commit.
8. Wait until the Commit process is complete.
9. Click Close to continue.

Create a Security Policy Rule


You need to allow network traffic from the Users_Net security zone to the Extranet security
zone so that employees can access various business applications. In this section, you will
create a Security Policy rule to allow access between these two zones.

10. Select Policies > Security.
11. Click Add at the bottom of the window.
12. Under the tab for General, in the Name field, enter Users_to_Extranet.
13. For Description, enter Allows hosts in Users_Net zone to access
servers in Extranet zone.
14. Leave the other settings unchanged:

Descriptions are optional but highly recommended. It may take you a few extra
moments to enter an accurate Description during these labs, but if you adhere to
the practice in the labs, you will be more likely to carry out this best practice when
you return to work.

15. Select the tab for Source.


16. Under the Source Zone section, click Add.
17. Select Users_Net.
18. Leave the remaining settings unchanged.

19. Select the tab for Destination.


20. Under the section for Destination Zone, click Add.
21. Select Extranet.
22. Leave the other settings unchanged.

23. Select the tab for Application.
24. Do not make any changes to these settings but note that the Any box is checked.

Later in this course, we will cover Applications and how to use them in Security
Policy rules.

25. Select the tab for Service/URL Category.


26. Do not make any changes to the settings in this tab but note that the Service is set to
application-default.

The application-default setting instructs the firewall to allow an application such as
web-browsing as long as that application is using the predefined service (or
destination port). For an application like web-browsing, the application default
service is TCP 80; for an application such as SSL, the application default service is
TCP 443. We will spend a great deal of time later in the course discussing
Applications and the application-default setting.

27. Select the tab for Actions.

28. You do not need to make any changes in this section but note that the Action is set to
Allow by default.

When you create a new Security Policy rule, the Action is automatically set to
Allow. If you are creating a rule to block traffic, make sure you select the Actions
tab and change the Action before you commit the rule.

29. Click OK on the Security Policy Rule window.


30. The new Security Policy rule appears in the table:

The rule appears above the two preconfigured entries intrazone-default and
interzone-default. These two rules always appear at the bottom of the ruleset.

Commit the Configuration


31. Click the Commit button at the upper right of the web interface.
32. Leave the settings unchanged and click Commit.
33. Wait until the Commit process is complete.
34. Click Close to continue.

Modify Security Policy Table Columns


You can customize the information presented in the Security Policy table to fit your needs. In
this section, you will hide some of the columns and display others that may be of more
interest. You will also move columns around and use the Adjust Column feature.
35. Click the small drop-down icon next to the Name column in the Security Policy table.

This icon is available next to all column headers.

36. Choose Columns and note the available columns that you can hide or display in this
table.

Note that the column list in this image has been cropped and wrapped to make it clearer in the
lab guide.
37. Uncheck the following items:
● Type
● Source Device
● Destination Device
● Options
38. Drag and drop the Action column from its current location so that it appears between the
Name column and the Tag column.

Note: These changes are optional. You do not have to show or hide columns or
rearrange items in any of the firewall tables. However, you may find that there are
certain columns in certain tables that you never use, and you can hide them to
provide more room in the table. You may also find that there are certain columns
that you scan frequently, and you can move those to locations that are easier to
see. You can use these same steps to show, hide or move columns in all firewall
tables.

39. At the top of the Name column, click the drop-down icon again and choose Adjust
Columns.

40. This action will resize the displayed columns to best fit in the browser window.

Test New Security Policy Rule


41. To make certain that your Security Policy rule functions, open a terminal window on the
client host.
42. Use the following command to ping 192.168.50.80, which is the IP address of a web
server in the Extranet zone.
lab-user@client-a:~/Desktop/Lab-Files$ ping 192.168.50.80 <Enter>

43. After several replies, use Ctrl+C to stop the ping.

If you see a reply from 192.168.50.80, then your Security Policy rule is configured
correctly! If not, review the previous steps and try this test again.

44. On the client workstation, open the Chrome browser.


45. Use the bookmark bar to choose Extranet > Extranet:

46. You should see a webpage displayed by the server.

47. Close the Chrome web browser.

Examine Rule Hit Count


With your rule successfully in place, you can now examine hit counters in the Security Policy
rule table. These counters can be useful for troubleshooting. If a rule is not being hit, you may
need to modify it.
48. In the firewall web interface, select Policies > Security.
49. Scroll to the right and locate the column for Hit Count.

Note: This image has been cropped to fit better on the page.
The Hit Count column in your firewall Security Policy rule list will be further to the
right than is displayed here and the numbers displayed will differ from those
shown.

50. Note the number of Hits on this rule.


51. Return to the terminal window on the desktop of your client.
52. Ping the server again by issuing the following command:
lab-user@client-a:~/Desktop/Lab-Files$ ping 192.168.50.80 <Enter>

53. After several replies, use Ctrl+C to stop the ping.

54. Return to the firewall web interface and update the Security Policy rules table by
clicking the Refresh button in the upper right corner of the window.

55. Note the increase in the Hit Count for your Security Policy rule.

Reset the Rule Hit Counter


Rule hit counts are very useful to track whether or not a rule is configured correctly. You can
reset the counters for all Security Policy rules or for a single rule. In this section, you will
reset the counters for the Users_to_Extranet rule.
56. Select Policies > Security.
57. Highlight the entry for Users_to_Extranet but do not open it.
58. At the bottom of the window, select Reset Rule Hit Counter > Selected rules.

This action does not require a commit.

59. The Rule Usage Hit Count is set to 0.

Examine the Traffic Log


The Traffic Log contains information about sessions that the firewall allows or blocks. In this
section, you will examine the Traffic Log to locate entries for sessions between the Users_Net
zone and the Extranet zone.
60. Select Monitor > Logs > Traffic.

61. Click the drop-down icon next to Receive time and choose Columns.
62. Uncheck the following items to hide their columns:
● Type
● Source Dynamic Address Group
● Destination Dynamic Address Group
● Dynamic User Group

This is not a requirement, but we will not be using information from these columns
in any lab for this course.

63. From the terminal window on the desktop, ping an address on the internet by issuing the
following command:
lab-user@client-a:~/Desktop/Lab-Files$ ping 8.8.8.8 <Enter>

64. You will not get a reply, so after several seconds, use Ctrl+C to stop the ping.

65. Examine the traffic log again and use a simple filter to see if there are any entries for this
session that failed.
66. Select Monitor > Logs > Traffic.
67. In the filter field, enter the following text exactly as it appears here:
( addr.dst eq 8.8.8.8 )

Filters are case sensitive, so be precise! Also, note that there is a space after the opening
parenthesis and right before the closing parenthesis.

68. Click the Apply filter button in the upper right corner of the window (or you can press
the Enter key).

69. The Traffic log will update the display but there are no matching entries.

70. Answer the following question:


• Why are there no entries in the Traffic log for your ping session to 8.8.8.8?

Write down your answer in the field shown or on notepaper in class.

Enable Logging for Default Interzone Rule


If you were unable to explain why the firewall did not log your ping session to an external
address, you are not alone. Most of the students in class probably did not figure it out either.
There are two reasons:
● First, you do not have a Security Policy rule in place to allow traffic from the Users_Net
zone to the Internet zone. As the firewall examines the ping session, the only rule that
matches is the interzone-default, which denies any traffic from one zone to another. The
ping session matches this rule; however, there are no entries in the Traffic log indicating
the match.
● Second, remember that traffic that hits the interzone-default rule is not automatically
logged. You must manually change a setting on this rule to see entries in the Traffic log.
You will enable this setting now and perform the test again.

71. Select Policies > Security.


72. Highlight the interzone-default entry in the Policy list but do not open it.
73. Click the Override button at the bottom of the window.
74. Select the Actions tab.
75. Place a check in the box for Log at session end.
76. Leave the remaining settings unchanged.

77. Click OK.

Commit the Configuration


78. Click the Commit button at the upper right of the web interface.
79. Leave the settings unchanged and click Commit.
80. Wait until the Commit process is complete.
81. Click Close to continue.

Ping a Host on the Internet


82. Now that you have enabled Log at session end for the default Security Policy rules, ping
a host on the internet and examine the Traffic log to see the results.
83. From the Terminal window on the client desktop, ping an address on the Internet by
issuing the following command:
lab-user@client-a:~/Desktop/Lab-Files$ ping 8.8.8.8 <Enter>

84. You will not get a reply, so after several seconds, use Ctrl+C to stop the ping.

85. Examine the traffic log again and use a simple filter to see if there are any entries for this
session that failed.
86. Select Monitor > Logs > Traffic.
87. In the filter field, enter the following text exactly as it appears here:
( addr.dst eq 8.8.8.8 )

Your filter may already be in place from earlier.

88. Click the Apply Filter button in the upper right corner of the window (or you can press
the Enter key).

89. The Traffic log will update the display and you should see entries matching the filter.

90. You can see that the sessions are hitting the interzone-default rule.

With Log at session end enabled, the firewall records hits on the interzone-default
rule so that you can see information about sessions that miss all previous rules.

91. Click the X icon to clear the filter from the log filter text box.

Create Block Rules for Known-Bad IP Addresses


Palo Alto Networks provides several lists of IP addresses that are known to be malicious. As a
good practice, you should create Security Policy rules to block traffic to and from these known
addresses.
92. Under Policies > Security, click Add at the bottom of the window.
93. For Name, enter Block-to-Known-Bad-Addresses.
94. For Description, enter Blocks traffic from users and Extranet to known
bad IP addresses.
95. Select the Source tab.
96. Under the Source Zone section, click Add.
97. Select the Users_Net zone.
98. Under the Source Zone section, click Add again.
99. Select the Extranet zone.

Note that you are adding both internal zones to the Source Zone section of the rule.

100. Select the Destination tab.


101. Under the Destination Zone, click Add.
102. Select the Internet zone.
103. Under the Destination Address section of the Destination tab, click Add.
104. Select Palo Alto Networks – Bulletproof IP addresses.
105. Click Add again under the Destination Address section.

106. Select Palo Alto Networks – High risk IP addresses.
107. Click Add again under the Destination Address section.
108. Select Palo Alto Networks – Known malicious IP addresses.
When complete, you should have three Palo Alto Networks IP address lists in the Destination
Address section of the rule.
109. Select the Application tab.
110. Leave the Application set to any.
111. Under the Service/URL Category tab, change the Service from application-default to
any.

When creating deny rules, Palo Alto Networks recommends setting the Service to
any instead of using application-default.

112. Select the Actions tab.


113. Change the Action to Deny.
114. Click OK.
The new rule appears in the Security Policy table.
115. Move this new rule to the top of the Security Policy by highlighting the entry for Block-
to-Known-Bad-Addresses (do not open it).
116. At the bottom of the window, choose Move and select Move Top.

117. Create another rule to block traffic from known bad IP addresses.
118. In the Security Policy window, click Add.
119. For Name, enter Block-from-Known-Bad-Addresses.
120. For Description, enter Blocks traffic from known bad IP addresses to
Users and Extranet.
121. Select the Source tab.
122. Under the Source Zone section, click Add.
123. Select the Internet zone.

124. Under the Source Address section, click Add.
125. Select Palo Alto Networks – Bulletproof IP addresses.
126. Click Add again under the Source Address section.
127. Select Palo Alto Networks – High risk IP addresses.
128. Click Add again under the Source Address section.
129. Select Palo Alto Networks – Known malicious IP addresses.
When complete, you should have three Palo Alto Networks IP address lists in the Source
Address section of the rule.
130. Select the Destination tab.
131. Under the Destination Zone, click Add.
132. Select the Users_Net zone.
133. Click Add again under Destination Zone.
134. Select Extranet.

Note that you are adding both internal zones to the Destination Zone section of the
rule.

135. Select the Application tab.


136. Leave the Application set to any.
137. Under the Service/URL Category tab, set the Service to any.
138. Select the Actions tab.
139. Change the Action to Deny.
140. Click OK.
141. The new rule appears in the Security Policy table.
142. Move the Block-from-Known-Bad-Addresses rule to the top of the Security Policy.
143. Highlight the entry for Block-from-Known-Bad-Addresses but do not open it.
144. At the bottom of the window, choose Move and select Move Top.
145. Both of the rules to block traffic to or from known bad IP addresses should be at the top
of the Security Policy.
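
The following Python script is an added example, not part of this lab guide and not PAN-OS code, that models the behavior you have just observed: first-match evaluation of an ordered rulebase, the Hit Count kept per rule, the predefined interzone-default rule that denies without logging until Log at session end is enabled through Override, and the effect of placing a deny rule above an allow rule (the reason the Block-to- and Block-from-Known-Bad-Addresses rules are moved to the top). The 198.51.100.0/24 list stands in for the Palo Alto Networks known-bad address lists; the zone names and addresses are the lab's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass
class Rule:
    name: str
    src_zones: set          # {"any"} or a set of zone names
    dst_zones: set
    dst_addrs: list         # ip_network objects; an empty list means Any
    action: str             # "allow" or "deny"
    log_at_session_end: bool = True
    hits: int = 0           # the Hit Count column of the rule table

    def matches(self, src_zone, dst_zone, dst_ip):
        if ANY not in self.src_zones and src_zone not in self.src_zones:
            return False
        if ANY not in self.dst_zones and dst_zone not in self.dst_zones:
            return False
        if self.dst_addrs and not any(ip_address(dst_ip) in n for n in self.dst_addrs):
            return False
        return True


class Policy:
    """Ordered rulebase followed by the two predefined default rules."""

    def __init__(self, rules):
        self.rules = list(rules)
        # The predefined rules do not log until Log at session end is enabled
        # through Override, which is what the lab does.
        self.interzone_default = Rule("interzone-default", {ANY}, {ANY}, [], "deny",
                                      log_at_session_end=False)
        self.intrazone_default = Rule("intrazone-default", {ANY}, {ANY}, [], "allow",
                                      log_at_session_end=False)
        self.traffic_log = []   # one (rule, action) entry per logged session

    def evaluate(self, src_zone, dst_zone, dst_ip):
        """First match wins; the order of the rulebase decides everything."""
        for rule in self.rules:
            if rule.matches(src_zone, dst_zone, dst_ip):
                return self._hit(rule)
        default = self.intrazone_default if src_zone == dst_zone else self.interzone_default
        return self._hit(default)

    def _hit(self, rule):
        rule.hits += 1
        if rule.log_at_session_end:
            self.traffic_log.append((rule.name, rule.action))
        return rule.name, rule.action

    def reset_hit_counter(self, name):
        for rule in self.rules + [self.interzone_default, self.intrazone_default]:
            if rule.name == name:
                rule.hits = 0


# Constructed stand-in for the Palo Alto Networks known-bad address lists
KNOWN_BAD = [ip_network("198.51.100.0/24")]


def lab_rulebase(block_rule_on_top=True):
    block_to_bad = Rule("Block-to-Known-Bad-Addresses", {"Users_Net", "Extranet"},
                        {"Internet"}, KNOWN_BAD, "deny")
    users_to_extranet = Rule("Users_to_Extranet", {"Users_Net"}, {"Extranet"}, [], "allow")
    users_to_internet = Rule("Users_to_Internet", {"Users_Net"}, {"Internet"}, [], "allow")
    rules = [users_to_extranet, users_to_internet]
    rules.insert(0 if block_rule_on_top else len(rules), block_to_bad)
    return Policy(rules)


def run_lab_scenario():
    results = {}
    # Before Users_to_Internet exists only Users_to_Extranet and the defaults match
    p = Policy([Rule("Users_to_Extranet", {"Users_Net"}, {"Extranet"}, [], "allow")])
    results["extranet_ping"] = p.evaluate("Users_Net", "Extranet", "192.168.50.80")
    results["internet_ping_unlogged"] = p.evaluate("Users_Net", "Internet", "8.8.8.8")
    results["log_entries_before_override"] = len(p.traffic_log)
    p.interzone_default.log_at_session_end = True   # Override > Actions > Log at session end
    p.evaluate("Users_Net", "Internet", "8.8.8.8")
    results["log_entries_after_override"] = len(p.traffic_log)
    results["interzone_hits"] = p.interzone_default.hits
    p.reset_hit_counter("Users_to_Extranet")          # Reset Rule Hit Counter > Selected rules
    results["extranet_hits_after_reset"] = p.rules[0].hits
    # A known-bad destination is denied only if the block rule sits above the allow rule
    results["bad_dst_block_on_top"] = lab_rulebase(True).evaluate("Users_Net", "Internet", "198.51.100.7")
    results["bad_dst_block_at_bottom"] = lab_rulebase(False).evaluate("Users_Net", "Internet", "198.51.100.7")
    return results


if __name__ == "__main__":
    for key, value in run_lab_scenario().items():
        print(f"{key}: {value}")
```

Running the script shows the ping to 8.8.8.8 landing on interzone-default with no Traffic log entry until the override is applied, and the same known-bad destination being allowed by Users_to_Internet as soon as the block rule is placed below it.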

Create Security Policy Rules for Internet Access
In this section, you will create Security Policy rules to allow hosts in your network to access
the Internet. You need to create a rule for hosts in the Users_Net security zone to access hosts
in the Internet security zone. You also need to create a rule to allow hosts in the Extranet
security zone to access hosts in the Internet security zone.

Create Users to Internet Security Policy Rule


146. Select Policies > Security.
147. Click Add at the bottom of the window.
148. Under the tab for General, in the Name field, enter Users_to_Internet.

149. For Description, enter Allows hosts in Users_Net zone to access
Internet zone.
150. Leave the other settings unchanged.

151. Select the tab for Source.


152. Under the Source Zone section, click Add.
153. Select Users_Net.
154. Leave the remaining settings unchanged.

155. Select the tab for Destination.


156. Under the section for Destination Zone, click Add.
157. Select Internet.

158. Leave the other settings unchanged.

159. Select the tab for Application.


160. Do not make any changes to these settings but note that the Any box is checked.

161. Select the tab for Service/URL Category.

162. Do not make any changes to the settings in this tab but note that the Service is set to
application-default.

163. Select the tab for Actions.


164. Make certain that the Action is set to Allow.

165. Click OK on the Security Policy Rule window.


166. The new Security Policy rule appears in the table.
167. Highlight the new rule and use the Move > Move Bottom option to place this rule at the
end of the Security Policy.

Create Extranet to Internet Security Policy Rule
You also need to create a Security Policy rule to allow servers in the Extranet security zone to
access hosts in the Internet security zone.
168. Select Policies > Security.
169. Click Add at the bottom of the window.
170. Under the tab for General, in the Name field, enter Extranet_to_Internet.
171. For Description, enter Allows hosts in Extranet zone to access
Internet zone.

172. Leave the other settings unchanged.

173. Select the tab for Source.


174. Under the Source Zone section, click Add.
175. Select Extranet.
176. Leave the remaining settings unchanged.

177. Select the tab for Destination.


178. Under the section for Destination Zone, click Add.
179. Select Internet.

180. Leave the other settings unchanged.

181. Select the tab for Application.


182. Do not make any changes to these settings but note that the Any box is checked.

183. Select the tab for Service/URL Category.

184. Do not make any changes to the settings in this tab but note that the Service is set to
application-default.

185. Select the tab for Actions.


186. Make certain that the Action is set to Allow.

187. Click OK on the Security Policy Rule window.


188. The new Security Policy rule appears in the table.
189. Place the rule at the bottom of the Security Policy by using Move > Move Bottom.

Commit the Configuration
190. Click the Commit button at the upper right of the web interface.
191. Leave the settings unchanged and click Commit.
192. Wait until the Commit process is complete.
193. Click Close to continue.

Ping Internet Host from Client A


194. To verify that your Security Policy rule is allowing traffic, you will ping an Internet host
from the client workstation and examine the Traffic log to see the results.
195. From the Terminal window on the client desktop, ping an address on the internet by
issuing the following command:
lab-user@client-a:~/Desktop/Lab-Files$ ping 8.8.8.8 <Enter>

196. You will not get a reply, so after several seconds, use Ctrl+C to stop the ping.

197. Examine the traffic log again and use a filter to see if there are any entries for this
session that failed.
198. Select Monitor > Logs > Traffic.
199. In the filter field, update the syntax to include the application ping:
( addr.dst in 8.8.8.8 ) and ( app eq ping )

200. Click the Apply filter button in the upper right corner of the window (or you can press
the Enter key).

201. The Traffic log will update the display and you should see entries matching the filter.
202. You can see that the sessions are hitting the Users_to_Internet rule.
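
The filters you typed in steps 67 and 199 follow the firewall's log filter syntax. The script below is an added example, not firewall code, that evaluates that subset of the syntax (parenthesized field, operator and value terms using eq, neq and in, joined by and or or) against a few constructed Traffic log records. It rejects a mistyped operator such as EQ, which is why the lab warns that filters are case sensitive. Left-to-right evaluation of and/or is an assumption of the example; parentheses force the grouping.

```python
from ipaddress import ip_address, ip_network

# Constructed Traffic log records standing in for the lab's log entries
TRAFFIC_LOG = [
    {"addr.src": "192.168.1.20", "addr.dst": "192.168.50.80", "app": "ping",
     "rule": "Users_to_Extranet", "action": "allow"},
    {"addr.src": "192.168.1.20", "addr.dst": "8.8.8.8", "app": "ping",
     "rule": "interzone-default", "action": "deny"},
    {"addr.src": "192.168.1.20", "addr.dst": "8.8.8.8", "app": "dns",
     "rule": "Users_to_Internet", "action": "allow"},
    {"addr.src": "192.168.1.20", "addr.dst": "8.8.8.8", "app": "ping",
     "rule": "Users_to_Internet", "action": "allow"},
]

ADDRESS_FIELDS = {"addr.src", "addr.dst"}


def tokenize(text):
    """Split on whitespace; parentheses become their own tokens even when typed
    without the spaces the lab asks for, so only the keywords' case matters."""
    return text.replace("(", " ( ").replace(")", " ) ").split()


def compare(record, field, op, value):
    """Evaluate one 'field op value' term against a single log record."""
    if field == "addr":                    # shorthand for either address field
        return any(compare(record, f, op, value) for f in ADDRESS_FIELDS)
    if field not in record:
        raise ValueError(f"unknown field {field!r} (field names are case sensitive)")
    actual = record[field]
    if field in ADDRESS_FIELDS:
        if op == "in":                     # subnet membership; a bare address means /32
            return ip_address(actual) in ip_network(value, strict=False)
        actual, value = ip_address(actual), ip_address(value)
    if op == "eq":
        return actual == value
    if op == "neq":
        return actual != value
    raise ValueError(f"unknown operator {op!r} for field {field!r} (operators are case sensitive)")


class FilterParser:
    """expr := term (('and'|'or') term)*    term := '(' expr ')' | field op value
    Assumption: and/or are applied left to right; use parentheses to group."""

    def __init__(self, tokens, record):
        self.toks, self.pos, self.rec = tokens, 0, record

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        result = self.term()
        while self.peek() in ("and", "or"):
            op = self.take()
            rhs = self.term()              # always parsed, so the whole text is checked
            result = (result and rhs) if op == "and" else (result or rhs)
        return result

    def term(self):
        if self.peek() == "(":
            self.take()
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        field, op, value = self.take(), self.take(), self.take()
        if None in (field, op, value):
            raise ValueError("incomplete filter term")
        return compare(self.rec, field, op, value)


def apply_filter(text, log=TRAFFIC_LOG):
    """Return the log records that the filter text matches."""
    matches = []
    for record in log:
        parser = FilterParser(tokenize(text), record)
        hit = parser.expr()
        if parser.peek() is not None:
            raise ValueError(f"unexpected token {parser.peek()!r}")
        if hit:
            matches.append(record)
    return matches


if __name__ == "__main__":
    for text in ["( addr.dst eq 8.8.8.8 )", "( addr.dst in 8.8.8.8 ) and ( app eq ping )"]:
        print(text, "->", len(apply_filter(text)), "entries")
```

Against the constructed records the first filter returns three entries and the second two, matching the way the firewall narrows the display when you add the application term.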

203. Answer the following question:
• Can you explain why your ping session from the client to the Internet host did not get a
reply even though the firewall is allowing the traffic?

For a hint, look at the title of the next module.

204. Write down your answer in the field shown or on notepaper in class.

Stop. This is the end of the lab.

Lab 7: Creating and Managing NAT Policy Rules
You need to create Network Address Translation rules to allow hosts in the private network
spaces (192.168.1.0/24 and 192.168.50.0/24) to reach hosts on the internet. You will use an
interface IP address on the firewall as the source for outbound NAT.
You will also create a static NAT address on the firewall that represents one of the application
servers in the Extranet. When traffic reaches the static NAT address, the firewall will translate
and forward packets to the web server in the Extranet zone.
After you have all these components in place, you will generate test traffic and examine firewall
logs.

Lab Objectives
• Configure source NAT
• Configure destination NAT

High-Level Lab Steps


Use the information in the sections below to complete the objectives for this lab. We suggest that
you use this section only if you have extensive experience working with Palo Alto Networks
firewalls.
If you need more detailed guidance for the objectives, use the Detailed Lab Steps section.

Apply a Baseline Configuration to the Firewall


• Load and commit the configuration file - edu-210-11.0b-07.xml to the Firewall

Create a Source NAT Policy Rule


• Use the information in the tables below to create a new Source NAT rule.

General tab

  Parameter     Value
  Name          Inside_Nets_to_Internet
  NAT Type      ipv4
  Description   Translates traffic from Users_Net and Extranet to 203.0.113.20 outbound to Internet

Original Packet tab

  Parameter              Value
  Source Zone            Users_Net
                         Extranet
  Destination Zone       Internet
  Destination Interface  ethernet1/1
  Service                any
  Source Address         Any
  Destination Address    Any

Translated Packet tab (Source Address Translation section)

  Parameter         Value
  Translation Type  Dynamic IP And Port
  Address Type      Interface Address
  Interface         ethernet1/1
  IP Address        203.0.113.20/24

Commit the Configuration


• Commit the changes before proceeding

Verify Internet Connectivity


• From the Terminal window on the client desktop, ping 8.8.8.8
You should now receive a reply
• Use the Chrome browser to connect to www.paloaltonetworks.com
• Browse to several other websites to verify that you can establish connectivity to the
Internet security zone
• Examine the firewall Traffic Log to verify that there is allowed traffic that matches the
Security Policy rule Users_to_Internet

Create a Destination NAT Policy


Use the information in the tables below to create a Destination NAT address on the firewall
using an IP address on the Users_Net network. The firewall will translate traffic that hits this
address to the destination IP address of the web server in the Extranet Zone.
General tab

  Parameter  Value
  Name       Dest_NAT_To_Webserver
  NAT Type   ipv4

Original Packet tab

  Parameter              Value
  Source Zone            Users_Net
  Destination Zone       Users_Net
  Destination Interface  ethernet1/2
  Service                any
  Destination Address    192.168.1.80

Translated Packet tab (Destination Address Translation section)

  Parameter           Value
  Translation Type    Static IP
  Translated Address  192.168.50.80

Commit the Configuration


• Commit the changes before proceeding

Test the Destination NAT Rule


• Use the Chrome browser and connect to http://192.168.1.80 to verify access to
the web page for the Extranet server
• Search the Traffic Log to locate entries with a Destination IP of 192.168.1.80
• In the Security Policy window, use the Log Viewer option for the Users_to_Extranet to
jump to entries in the Traffic Log that match the rule

Detailed Lab Steps
Apply a Baseline Configuration to the Firewall
To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot.
3. Click the drop-down arrow next to the Name field and select edu-210-11.0b-07.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

4. Click OK to close the Load Named Configuration window.


5. Click Close to close the Loading Configuration window.
6. Click the Commit button at the upper right of the web interface.
7. Leave the remaining settings unchanged and click Commit.
8. Wait until the Commit process is complete.
9. Click Close to continue.

Create a Source NAT Policy Rule


You must create entries in the firewall’s NAT Policy table in order to translate traffic from
internal hosts (often on private networks) to a public, routable address (often an interface on
the firewall itself). NAT rules provide address translation and are different from Security
Policy rules, which allow and deny packets. You can configure a NAT Policy rule to match a
packet’s source and destination zone, destination interface, source and destination address,
and service.
In your previous ping test to an Internet host, the ping traffic from your client is allowed by
the Security Policy rule, but the packets leave the firewall with a non-routable source IP
address from the private network of 192.168.1.0/24.
In this section, you will create a NAT Policy rule to translate traffic from the private networks
in the Users_Net and Extranet security zones to a routable address. You will use the same
interface IP address on the firewall (203.0.113.20) as the source IP for outbound traffic from
both Users_Net and Extranet hosts.

10. In the web interface, select Policies > NAT.
11. Click Add to define a new source NAT Policy.
The NAT Policy Rule configuration window should open.
12. Configure the following:

  Parameter    Value
  Name         Inside_Nets_to_Internet
  NAT Type     Verify that ipv4 is selected
  Description  Translates traffic from Users_Net and Extranet to 203.0.113.20 outbound to Internet

13. Click the Original Packet tab and configure the following:

  Parameter              Value
  Source Zone            Click Add and select the Users_Net zone
                         Click Add and select the Extranet zone
  Destination Zone       Select Internet from the drop-down list
  Destination Interface  Select ethernet1/1 from the drop-down list
  Service                Verify that any is selected
  Source Address         Verify that the Any check box is selected
  Destination Address    Verify that the Any check box is selected

This section defines what the packet will look like when it reaches the firewall. Note
that we are using a single NAT rule to translate both source zones to the same
interface on the firewall. You could accomplish this same task by creating two
separate rules – one for each source zone – and using the same external firewall
interface.

14. Click the Translated Packet tab and configure the following under the section for
Source Address Translation:

  Parameter         Value
  Translation Type  Select Dynamic IP And Port from the drop-down list
  Address Type      Select Interface Address from the drop-down list
  Interface         Select ethernet1/1 from the drop-down list
  IP Address        Select 203.0.113.20/24 from the drop-down list. (Make sure that you
                    select the interface IP address from the drop-down list and do not
                    type it.)

This section defines how the firewall will translate the packet.
Note: You are configuring only the Source Address Translation part of this window.
Leave the destination address translation Translation Type set to None.

15. Click OK to close the NAT Policy Rule configuration window.


16. Verify that your configuration matches the following:

Note that some columns have been hidden in the image.

Commit the Configuration


17. Click the Commit button at the upper right of the web interface.
18. Leave the settings unchanged and click Commit.
19. Wait until the Commit process is complete.
20. Click Close to continue.

Verify Internet Connectivity


In this section, you will test the configuration of your NAT and Security policies.
21. From the Terminal window on the client desktop, ping an address on the internet by
issuing the following command:
lab-user@client-a:~/Desktop/Lab-Files$ ping 8.8.8.8 <Enter>

You should now receive a reply:

22. After several seconds, use Ctrl+C to stop the ping.


23. Open the Chrome browser and connect to www.paloaltonetworks.com.
24. Browse to several other websites to verify that you can establish connectivity to the
Internet security zone.
25. Close the Chrome browser.

26. In the Firefox browser, examine the firewall Traffic log by selecting Monitor > Logs >
Traffic.
27. Clear any filters you have in place by clicking the Clear Filter button in the upper right
corner of the window.

28. Verify that there is allowed traffic that matches the Security Policy rule
Users_to_Internet:

Traffic log entries should be present based on the internet test. A minute or two
may elapse for the log files to be updated. If the entries are not present, click the
refresh icon:

Create a Destination NAT Policy


In this section, you will create a NAT address on the firewall using an IP address on the
Users_Net network. The firewall will translate traffic that hits this address to the destination IP
address of the web server in the Extranet Zone.

You will connect from the client host (192.168.1.20) to the NAT IP address on the firewall
(192.168.1.80). The firewall will translate this connection to the DMZ server at 192.168.50.10.
This exercise will help you see how to configure Destination NAT rules.

29. In the web interface, select Policies > NAT.


30. Click Add to define a new destination NAT Policy rule.
The NAT Policy Rule configuration window should open.
31. Configure the following:

  Parameter    Value
  Name         Type Dest_NAT_To_Webserver
  Description  Translates traffic to web server at 192.168.50.80
  NAT Type     Verify that ipv4 is selected

32. Click the Original Packet tab and configure the following:

  Parameter              Value
  Source Zone            Click Add and select Users_Net
  Destination Zone       Select Users_Net from the drop-down list
  Destination Interface  Select ethernet1/2 from the drop-down list
  Service                Select any from the drop-down list
  Destination Address    Click Add and manually enter 192.168.1.80

The Original Packet tab defines how the packet will look when it reaches the
firewall. When selecting the Destination Zone, remember that the IP address we are
using (192.168.1.80) is one that resides on the firewall in the Users_Net security
zone.

33. Click the Translated Packet tab and configure the following:

  Parameter                                    Value
  Translation Type (Destination Address        Select Static IP from the drop-down list
  Translation section)
  Translated Address                           Type 192.168.50.80 (address of the Extranet web
                                               server)

The Translated Packet tab defines how the firewall will translate a matching packet.
Leave the Source Address Translation section set to None because we are
performing only destination translation in this exercise.

34. Click OK to close the NAT Policy Rule configuration window.


A new NAT Policy rule should display in the web interface.
35. Verify that your configuration matches the following:

Commit the Configuration
36. Click the Commit button at the upper right of the web interface.
37. Leave the settings unchanged and click Commit.
38. Wait until the Commit process is complete.
39. Click Close to continue.

Test the Destination NAT Rule


In this section you will test the destination NAT Policy rule by opening a browser connection to
the NAT IP address 192.168.1.80.
40. Open the Chrome browser and connect to http://192.168.1.80.
41. Verify that you can view the web page for the Extranet server:

42. Close the Chrome browser window.


43. In the web interface, select Monitor > Logs > Traffic.
44. Use a filter to locate the entry for Destination IP 192.168.1.80:
( addr.dst in 192.168.1.80 )

45. Note the Security Policy rule that was matched: Users_to_Extranet.
46. As an alternate method to access the Traffic log in the web interface, select Policies >
Security.
47. Select the drop-down icon next to the rule entry for Users_to_Extranet and choose Log
Viewer:

This process opens the Traffic log and applies a filter automatically to display only
those entries that match the Security Policy rule “Users_to_Extranet.”

48. Click the X icon to clear the filter from the log filter text box.
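
As an added example (not Palo Alto Networks code), the Python script below models the two NAT rules built in this lab, covering both the Create a Source NAT Policy Rule and Create a Destination NAT Policy sections: Inside_Nets_to_Internet translates the source to the ethernet1/1 address with a fresh port and keeps a session entry so that the reply can be mapped back to the client, and Dest_NAT_To_Webserver rewrites 192.168.1.80 to 192.168.50.80. NAT rules are matched on the original packet (the pre-NAT destination zone comes from a route lookup), and the Security Policy is then evaluated against the post-NAT destination zone, which is why step 45 shows Users_to_Extranet as the matched rule. The route table, the ethernet1/3 interface for the Extranet zone and the port pool starting at 10000 are constructed assumptions of the example.

```python
import itertools
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lab topology: (prefix, zone, egress interface).
# ethernet1/3 for Extranet is an assumption; the other two are from the lab.
ROUTES = [
    (ip_network("192.168.1.0/24"), "Users_Net", "ethernet1/2"),
    (ip_network("192.168.50.0/24"), "Extranet", "ethernet1/3"),
    (ip_network("0.0.0.0/0"), "Internet", "ethernet1/1"),
]
ETHERNET1_1_IP = "203.0.113.20"   # interface address used by the source NAT rule


def route_lookup(dst_ip):
    """Longest-prefix match -> (zone, egress interface)."""
    candidates = [r for r in ROUTES if ip_address(dst_ip) in r[0]]
    _prefix, zone, iface = max(candidates, key=lambda r: r[0].prefixlen)
    return zone, iface


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRule:
    name: str
    src_zones: set
    dst_zone: str
    dst_interface: str
    dst_addr: object = None         # ip_network, or None for Any
    src_translation: str = None     # "dipp" (Dynamic IP And Port) or None
    dst_translation: str = None     # static translated address, or None

    def matches(self, pkt, src_zone):
        # NAT rules are matched on the original packet: pre-NAT zones and addresses
        pre_nat_zone, egress = route_lookup(pkt.dst_ip)
        return (src_zone in self.src_zones and pre_nat_zone == self.dst_zone
                and egress == self.dst_interface
                and (self.dst_addr is None or ip_address(pkt.dst_ip) in self.dst_addr))


class NatEngine:
    def __init__(self, rules):
        self.rules = rules
        self.ports = itertools.count(10000)   # DIPP source-port pool (constructed range)
        self.sessions = {}                    # (translated ip, port) -> (original ip, port)

    def translate(self, pkt, src_zone):
        """Return (matched rule or None, packet as it leaves, post-NAT destination zone)."""
        for rule in self.rules:               # first matching NAT rule wins
            if rule.matches(pkt, src_zone):
                out = Packet(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
                if rule.dst_translation:
                    out.dst_ip = rule.dst_translation
                if rule.src_translation == "dipp":
                    out.src_ip, out.src_port = ETHERNET1_1_IP, next(self.ports)
                    self.sessions[(out.src_ip, out.src_port)] = (pkt.src_ip, pkt.src_port)
                # The Security Policy lookup uses the zone of the translated destination
                return rule.name, out, route_lookup(out.dst_ip)[0]
        return None, pkt, route_lookup(pkt.dst_ip)[0]

    def untranslate_reply(self, reply):
        """Map a reply addressed to the DIPP address and port back to the inside host."""
        orig = self.sessions.get((reply.dst_ip, reply.dst_port))
        return None if orig is None else Packet(reply.src_ip, reply.src_port, *orig)


LAB_RULES = [
    NatRule("Inside_Nets_to_Internet", {"Users_Net", "Extranet"}, "Internet", "ethernet1/1",
            src_translation="dipp"),
    NatRule("Dest_NAT_To_Webserver", {"Users_Net"}, "Users_Net", "ethernet1/2",
            dst_addr=ip_network("192.168.1.80/32"), dst_translation="192.168.50.80"),
]


def run_lab_scenario():
    nat = NatEngine(LAB_RULES)
    results = {}
    # Client A pings 8.8.8.8: the source becomes the ethernet1/1 address plus a new port
    rule, out, zone = nat.translate(Packet("192.168.1.20", 5000, "8.8.8.8", 0), "Users_Net")
    results["outbound"] = (rule, out.src_ip, out.src_port, zone)
    reply = nat.untranslate_reply(Packet("8.8.8.8", 0, out.src_ip, out.src_port))
    results["reply_delivered_to"] = (reply.dst_ip, reply.dst_port)
    # Client A browses to the NAT address 192.168.1.80 (pre-NAT zone Users_Net)
    rule, out, zone = nat.translate(Packet("192.168.1.20", 40000, "192.168.1.80", 80), "Users_Net")
    results["web"] = (rule, out.dst_ip, zone)
    # Direct access to the web server matches no NAT rule and is simply routed
    rule, out, zone = nat.translate(Packet("192.168.1.20", 40001, "192.168.50.80", 80), "Users_Net")
    results["direct"] = (rule, out.dst_ip, zone)
    return results


if __name__ == "__main__":
    for key, value in run_lab_scenario().items():
        print(f"{key}: {value}")
```

The web scenario is the one to study: the packet arrives with destination zone Users_Net (so the NAT rule's Destination Zone must be Users_Net, as the lab notes), but it leaves for 192.168.50.80 in Extranet, and that post-NAT zone is what the Users_to_Extranet Security Policy rule matches.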

Stop. This is the end of the lab.

Lab 8: Controlling Application Usage with App-ID
The old firewalls in your network only allowed you to block or allow traffic using Layer 3 and
Layer 4 characteristics. With the deployment of the new Palo Alto Networks firewall, your
control over traffic now includes which applications are allowed or blocked into and out of your
network.
The list of applications that Palo Alto Networks maintains is long, but you already know some of
the applications that you must allow from and to your security zones. You will create an
Application Group and include individual applications that the Palo Alto Networks devices use.
You will then use this Application Group as part of a Security Policy rule. This process will give
you practice in creating Security Policy rules that take advantage of applications instead of
simply Layer 3 and Layer 4 traffic characteristics.

Lab Objectives
• Load a baseline configuration
• Generate application traffic
• Configure an application group
• Configure a Security Policy to allow update traffic
• Test the Allow-PANW-Apps Security Policy rule
• Identify shadowed rules
• Modify the Security Policy to function properly
• Test the modified Security Policy rule

High-Level Lab Steps


Use the information in the sections below to complete the objectives for this lab. We suggest that
you use this section only if you have extensive experience working with Palo Alto Networks
firewalls.

Apply a Baseline Configuration to the Firewall


• Load and commit the configuration file - edu-210-11.0b-08.xml to the Firewall.

Configure an Application Group


• Use the information below to create an Application Group

  Parameter     Value
  Name          paloalto-apps
  Applications  paloalto-dns-security
                paloalto-updates
                paloalto-userid-agent
                paloalto-wildfire-cloud
                pan-db-cloud

Configure a Security Policy Rule to Allow Update Traffic


• Use the information below to create a Security Policy rule to allow Palo Alto Networks
update traffic.

  Parameter            Value
  Name                 Allow-PANW-Apps
  Description          Allows PANW apps for firewall
  Source Zone          Users_Net
  Source Address       192.168.1.254
  Destination Zone     Internet
  Destination Address  Any
  Applications         paloalto-apps
  Service              application-default
  URL Category         Any
  Action               Allow
  Log At Session End   Enabled

Commit the Configuration


• Commit the changes before proceeding

Test the Allow-PANW-Apps Security Policy Rule


• On the firewall, use the Check Now option for Dynamic Updates to test the Security
Policy rule – Allow-PANW-Apps.
• Create and apply a filter to search for log entries that contain the application paloalto-
updates
• Note which rule allowed the application traffic to pass through the firewall
• Determine why the firewall traffic did not hit the Allow-PANW-Apps rule

Identify Shadowed Rules
• Use the Task Manager – All Tasks window to locate the most recent entry for Commit
under Type
• Use the information in the Rule Shadow tab to determine why firewall traffic did not hit
the Allow-PANW-Apps rule

Modify the Security Policy to Function Properly


• Use the information below to update the Users_to_Internet Security Policy rule to allow
only specific applications (instead of any).

  Parameter     Value
  Applications  dns
                ping
                ssl
                web-browsing

Commit the Configuration


• Commit the changes before proceeding and verify that you do not get any commit
warnings about Rule Shadowing
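
The Rule Shadow warning reports a rule that can never be hit because an earlier rule already matches everything the later rule could match. The Python script below is an added example, not firewall code, that performs that check for the rules from this lab (it serves both the Identify Shadowed Rules and Modify the Security Policy to Function Properly sections): with Users_to_Internet allowing any application above Allow-PANW-Apps, the new rule is shadowed; after restricting Users_to_Internet to dns, ping, ssl and web-browsing it is not. The check reports only complete shadowing and ignores service and URL category, which is an assumption of the example.

```python
from ipaddress import ip_network

ANY = "any"


class SecRule:
    def __init__(self, name, src_zones, src_addrs, dst_zones, dst_addrs, apps, action):
        self.name = name
        self.src_zones, self.dst_zones, self.apps = set(src_zones), set(dst_zones), set(apps)
        self.src_addrs = ANY if src_addrs == ANY else [ip_network(a) for a in src_addrs]
        self.dst_addrs = ANY if dst_addrs == ANY else [ip_network(a) for a in dst_addrs]
        self.action = action


def covers_set(outer, inner):
    """Does the earlier rule's zone or application set include the later rule's?"""
    return ANY in outer or (ANY not in inner and inner <= outer)


def covers_nets(outer, inner):
    """Does every network of the later rule fall inside some network of the earlier one?"""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return all(any(n.subnet_of(o) for o in outer) for n in inner)


def shadows(earlier, later):
    # The action is irrelevant: a shadowed rule is never reached whatever it would do
    return (covers_set(earlier.src_zones, later.src_zones)
            and covers_set(earlier.dst_zones, later.dst_zones)
            and covers_nets(earlier.src_addrs, later.src_addrs)
            and covers_nets(earlier.dst_addrs, later.dst_addrs)
            and covers_set(earlier.apps, later.apps))


def find_shadowed(rules):
    """Return (shadowing rule, shadowed rule) pairs, one per shadowed rule."""
    warnings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if shadows(earlier, later):
                warnings.append((earlier.name, later.name))
                break
    return warnings


# Members of the paloalto-apps application group from this lab
PALOALTO_APPS = {"paloalto-dns-security", "paloalto-updates", "paloalto-userid-agent",
                 "paloalto-wildfire-cloud", "pan-db-cloud"}


def lab_rulebase(after_fix):
    """Order as in the lab: Users_to_Internet sits above the newly added Allow-PANW-Apps."""
    internet_apps = {"dns", "ping", "ssl", "web-browsing"} if after_fix else {ANY}
    return [
        SecRule("Users_to_Extranet", ["Users_Net"], ANY, ["Extranet"], ANY, [ANY], "allow"),
        SecRule("Users_to_Internet", ["Users_Net"], ANY, ["Internet"], ANY, internet_apps, "allow"),
        SecRule("Allow-PANW-Apps", ["Users_Net"], ["192.168.1.254"], ["Internet"], ANY,
                PALOALTO_APPS, "allow"),
    ]


if __name__ == "__main__":
    print("before fix:", find_shadowed(lab_rulebase(after_fix=False)))
    print("after fix: ", find_shadowed(lab_rulebase(after_fix=True)))
```

Moving Allow-PANW-Apps above Users_to_Internet would also clear the warning; the lab instead narrows the broad rule, which is the better habit because an allow-any-application rule near the bottom keeps shadowing every specific rule added after it.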

Test the Modified Security Policy Rule


• On the firewall, use the Check Now option for Dynamic Updates to test the Security
Policy rule – Allow-PANW-Apps.
• Create and apply a filter to search for log entries that contain the application paloalto-
updates
• Note which rule allowed the application traffic to pass through the firewall

Generate Application Traffic


• On the Client-A desktop, open the Class-Scripts > EDU-210 folder
• Generate application traffic by double-clicking on the icon for App Generator
• Allow the script to complete
• Examine the Traffic Log and note the entries under the Application column for the
Client-A host
• Use the information in the columns for Application, Action and Rule to answer the
following questions.
    • Are there any applications that you should not allow from the Users_Net zone to
      the Extranet zone?
    • Are there any applications being denied from the Users_Net zone that you should
      allow?

Research Applications
• Use the Application database on the firewall to research one of the three applications
below:
    • dailymotion
    • yammer-base
    • scribd-base
• Answer the following questions about the application you have chosen to research:
    • What category does the application fall into?
    • What risk level has Palo Alto Networks assigned to the application?
    • What are some of the characteristics of this application that might make you want
      to block its use on your network?
    • Should you allow this application on your company’s production network?

Update Security Policy Rules


• Edit the Users_to_Extranet Security Policy rule and allow only the following
applications:
    • web-browsing
    • ssl
    • ssh
    • ping
    • dns
    • ldap
    • radius
• Edit the Users_to_Internet Security Policy rule and allow only the following
applications and their dependencies.
    • dns
    • ping
    • ssl
    • web-browsing
    • yelp
    • dropbox
    • ms-office365

Commit the Configuration


• Commit the changes before proceeding

Test the Updated Security Policy Rules


• Run the Traffic Generator script again on the Client-A desktop (Class-Scripts > EDU-
210 > App Generator)
• Create and apply a filter in the Traffic log to display sessions that the firewall has
blocked
• Note the applications that are now being blocked.

Enable the Application Block Page


• To see the kind of behavior a user will experience without the Application Block Page
enabled, open the Chrome web browser and attempt to connect to
http://www.shutterfly.com.
• Note how the browser responds.
• Enable the Application Block Page under Device > Response Pages.

Commit the Configuration


• Commit the changes before proceeding

Test the Application Block Page


• To see the kind of behavior a user will experience with the Application Block Page
enabled, open the Chrome web browser and attempt to connect to
http://www.shutterfly.com.
• Note how the browser responds.

Detailed Lab Steps
Apply a Baseline Configuration to the Firewall
To start this lab exercise, load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot.
3. Click the drop-down list next to the Name text box and select edu-210-11.0b-08.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

4. Click OK.
5. A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
9. Click Close to continue.

Configure an Application Group


In this section, you will configure an application group called paloalto-apps that includes
some Palo Alto Networks applications. The firewall uses these applications to label and
control access to the content update network and other Palo Alto Networks products and
features. You will add the application group to a Security Policy rule later in this lab exercise.

10. In the web interface, select Objects > Application Groups.
11. Click Add and configure the following:
Parameter Value

Name paloalto-apps

Applications paloalto-dns-security
paloalto-updates
paloalto-userid-agent
paloalto-wildfire-cloud
pan-db-cloud

Note that we are only adding a few of the Palo Alto Networks entries to this group
as an example of how to create an Application Group. The list you are building here
is not necessarily inclusive of all Palo Alto Networks applications that you might
need to allow in a production environment.
You can also use the Browse button in the Application Group window to add these
entries.

12. Click OK to close the Application Group window.

Configure a Security Policy Rule to Allow Firewall Update Traffic
In this section, you will create a specific Security Policy rule to allow the firewall to use Palo
Alto Networks applications, including content updates.
13. Select Policies > Security.
14. Click Add to create a new Security Policy rule.
15. On the General tab, type Allow-PANW-Apps as the Name.
16. For Description, enter Allows PANW apps for firewall.
17. Click the Source tab and configure the following:
Parameter Value

Source Zone Users_Net

Source Address 192.168.1.254

Note that 192.168.1.254 is the IP address of the management interface on the
firewall.

18. Click the Destination tab and configure the following:


Parameter Value

Destination Zone Internet

Destination Address Any

19. Click the Application tab and configure the following:


Parameter Value

Applications paloalto-apps

To locate your paloalto-apps Application Group, start typing in the first few
letters of the group name, and the interface will display only those entries that
match. Application Groups appear at the very end of the Application list.

20. Click the Service/URL Category tab and verify that application-default and Any are
selected.
21. Click the Actions tab and verify the following:
Parameter Value

Action Allow

Log Setting Log at Session End

22. Click OK to close the Security Policy Rule window.


The “Allow-PANW-Apps” rule should be listed just above the “intrazone-default” rule in the
Security Policy rule list.

Some of the columns in the Security Policy table shown here have been hidden or rearranged.

Commit the Configuration


23. Click the Commit button at the upper right of the web interface.
24. Leave the settings unchanged and click Commit.
25. Wait until the Commit process is complete.
26. When the commit process completes, notice that there is an additional tab available for
Rule Shadow.

This tab only appears when you have a rule that shadows other rules. You will fix
the rule shadow issue in a later section of the lab.

27. Close the Commit window.

Test the Allow-PANW-Apps Security Policy Rule


In this section, you will test the new Security Policy rule for Allow-PANW-Apps to see how
it is working.
28. In the web interface, select Device > Dynamic Updates.
29. Click Check Now:

This action instructs the firewall to check for Dynamic Content updates. The
application used by the firewall is called paloalto-updates and is one that you
included in the Application Group called paloalto-apps.

30. Select Monitor > Logs > Traffic.


31. Clear any filters you have in place.
32. Create and apply a filter to search for log entries that contain the application paloalto-
updates:
( app eq paloalto-updates )

Leave this filter in place for later testing in this lab.


33. Which rule allowed the application traffic to pass through the firewall?
It should be the Users_to_Internet rule.
34. Why did the firewall traffic not use the Allow-PANW-Apps rule?
Because the Users_to_Internet rule ‘shadows’ the Allow-PANW-Apps rule. Traffic matched the
Users_to_Internet rule and the firewall carried out the allow action. There is no reason for the
firewall to continue comparing packet characteristics to any following rules after it has found a
match. Remember: Rule order is important!
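The rule-order lesson above can be reproduced with a small first-match evaluator. The following is an added example written for this guide, not Palo Alto Networks code: it models a simplified Security Policy (source zone, source address, destination zone and application only; the two Block rules for known bad IP addresses are not modelled), evaluates the firewall's update session against the rule order as it stands after step 22 and after the reorder in step 44, and reports which rule can never be hit.

```python
"""First-match Security Policy evaluation and rule-shadow detection.

Added example, not Palo Alto Networks code. It models the rule-order
lesson from this lab with a simplified, constructed rule set: rules match
on source zone, source address, destination zone and application only;
"any" matches everything; the two Block rules for known bad IP addresses
and any address or service objects are not modelled.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src_addr: str          # "any", a single IP, or a CIDR prefix
    dst_zone: str
    apps: frozenset        # frozenset({"any"}) matches every application
    action: str            # "allow" or "deny"


def addr_matches(rule_addr, ip):
    if rule_addr == ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr, strict=False)


def rule_matches(rule, session):
    return (rule.src_zone in (ANY, session["src_zone"])
            and addr_matches(rule.src_addr, session["src_ip"])
            and rule.dst_zone in (ANY, session["dst_zone"])
            and (ANY in rule.apps or session["app"] in rule.apps))


def evaluate(policy, session):
    """Return the name of the first rule that matches; evaluation stops there.

    Sessions that match nothing fall through to the implicit interzone-default rule.
    """
    for rule in policy:
        if rule_matches(rule, session):
            return rule.name
    return "interzone-default"


def addr_covers(outer, inner):
    """True if every address matched by 'inner' is also matched by 'outer'."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def shadows(earlier, later):
    """True when a single earlier rule catches every session 'later' could match."""
    return (earlier.src_zone in (ANY, later.src_zone)
            and addr_covers(earlier.src_addr, later.src_addr)
            and earlier.dst_zone in (ANY, later.dst_zone)
            and (ANY in earlier.apps
                 or (ANY not in later.apps and later.apps <= earlier.apps)))


def find_shadowed(policy):
    """Map each unreachable rule to the earlier rule that shadows it.

    Simplification: checks one earlier rule at a time, not the union of
    several earlier rules, so it can miss shadows that the commit check reports.
    """
    result = {}
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if shadows(earlier, later):
                result[later.name] = earlier.name
                break
    return result


# Constructed rules mirroring the ones in this lab.
USERS_TO_INTERNET = Rule("Users_to_Internet", "Users_Net", ANY, "Internet",
                         frozenset({ANY}), "allow")
ALLOW_PANW_APPS = Rule("Allow-PANW-Apps", "Users_Net", "192.168.1.254", "Internet",
                       frozenset({"paloalto-dns-security", "paloalto-updates",
                                  "paloalto-userid-agent", "paloalto-wildfire-cloud",
                                  "pan-db-cloud"}), "allow")

ORDER_BEFORE = [USERS_TO_INTERNET, ALLOW_PANW_APPS]   # order after step 22
ORDER_AFTER = [ALLOW_PANW_APPS, USERS_TO_INTERNET]    # order after step 44

# Constructed session: the firewall's update check as seen in the Traffic log.
UPDATE_SESSION = {"src_zone": "Users_Net", "src_ip": "192.168.1.254",
                  "dst_zone": "Internet", "app": "paloalto-updates"}

if __name__ == "__main__":
    print("before reorder:", evaluate(ORDER_BEFORE, UPDATE_SESSION), find_shadowed(ORDER_BEFORE))
    print("after reorder: ", evaluate(ORDER_AFTER, UPDATE_SESSION), find_shadowed(ORDER_AFTER))
```

With the original order the update session is claimed by Users_to_Internet and Allow-PANW-Apps is reported as shadowed; with the reordered policy the same session hits Allow-PANW-Apps and nothing is shadowed, which is exactly what the Rule Shadow tab shows in the next sections.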

Identify Shadowed Rules
The firewall provides notification when you have a rule shadowing one or more other rules.
The Rule Shadow tab appears at the end of the Commit process.
However, you might not always notice the Rule Shadow tab, so in this section, you will use
the Task list to examine your earlier Commit messages.
35. In the bottom right corner of the web browser, click the Tasks button.

36. In the Tasks Manager – All Tasks window, scroll down to locate the most recent entry
for Commit under Type.
37. Click the link for Commit.

38. Select the Rule Shadow tab.


The interface shows you which rule is shadowing other rules.
39. Click the number under Count (in this example, the value is 1).

The value under the Count column indicates the number of rules that are
shadowed. The Shadowed Rule column shows you details about which rule is
shadowed.
You can use this detailed information to modify your Security Policy rule order to
make certain traffic hits rules in the correct manner.

40. Close the Job Status Commit window.


41. Close the Task Manager – All Tasks window.

Modify the Security Policy to Function Properly


In this section, you will modify your Security Policy to ensure that firewall update traffic hits
the Allow-PANW-Apps rule.
42. In the web interface, select Policies > Security.
43. Highlight the entry for Allow-PANW-Apps but do not open it.
44. Move the entry to the third row of the Policy – just below the two Block rules for known
bad IP addresses.

You may drag and drop the Allow-PANW-Apps entry to the correct location, or you
can use the Move button at the bottom to place the rule in the right spot.

Note that several columns have been hidden or rearranged in the example shown here.

Commit the Configuration


45. Click the Commit button at the upper right of the web interface.
46. Leave the settings unchanged and click Commit.
47. Wait until the Commit process is complete.
48. Did you get any commit warnings on a Rule Shadow tab about one rule shadowing
another rule?
You should not receive any commit warnings.
49. Click Close.

Test the Modified Security Policy


In this section, you will test the modified Security Policy to verify that it is working as
expected. You want to verify that Dynamic Update traffic from the firewall uses the Allow-
PANW-Apps rule and not the Users_to_Internet rule.
50. In the web interface, select Device > Dynamic Updates.
51. Click Check Now:

52. Select Monitor > Logs > Traffic.
53. If your filter is still in place, click the Apply Filter button, or create a filter to search for
update traffic:
( app eq paloalto-updates )
54. Look for the log entries for the application paloalto-updates. Which rule allowed the
application traffic to pass through the firewall?
It should be the “Allow-PANW-Apps” rule.

Generate Application Traffic


In this section, you will run a short script that generates application traffic from your client
workstation to hosts in the Internet and Extranet security zones.
55. On the client desktop, generate application traffic by double-clicking the icon for App
Generator:

56. Press ENTER in the opened window to start the script.


57. Allow the script to complete and then press ENTER to close the window.
58. Examine the Traffic log by selecting Monitor > Logs > Traffic.
59. Clear any filters you may have in place.
60. Create and apply a filter to display sessions from your client workstation (192.168.1.20)
that do not include the application dns:
( addr.src in 192.168.1.20 ) and ( app neq dns )

Excluding the dns application from the display will make it easier for you to see
other applications in use on the network.

61. Note the information under the Application, Action and Rule columns.

You should see entries for a variety of applications. Some of the entries will be
recognizable and others will be for applications you may never have heard of.

62. Use the information in the columns for Application, Action and Rule to answer the
following questions. You can also use filters to help you find the answers from the
Traffic log.

• Are there any applications that you should not allow from the Users_Net zone to the
Extranet zone?
There is no right or wrong answer to this question.
Whether the list of allowed applications is ‘correct’ or not depends on your environment
and the applications and services running on the destination servers.
FTP is an insecure application, and you might be tempted to deny it. However, your
organization may have an old process in place that relies on FTP to transfer files. Denying
FTP would break that process, so be careful.
You can use the output of the Traffic log to identify the kinds of applications in use in your
network. You can then research the applications in question to make an informed decision
about them. You can also use the source and destination information to find out more about
why an application is in use.

• Are there any applications being denied from the Users_Net zone that you should allow?

Another trick question!
The answer depends on your organization and the applications that are necessary for
employees to do their jobs. Although you may not think it appropriate to use social media
applications during work, organizations like sales and marketing often use those types of
applications to drive awareness and branding. Your company may rely on Dropbox as the
sanctioned cloud storage application, so should you be concerned that someone is using
boxnet? Or sharefile? What is dailymotion and who uses it?
You cannot answer these kinds of questions intelligently without additional information.
Fortunately, Palo Alto Networks provides that kind of information within the firewall itself.

Research Applications
Now that you have access to detailed information about the applications in use in the network,
you can use tools available from Palo Alto Networks to help answer the questions at the end of
the last section. In this section, you will locate one application and find out more information
about it so you can make an informed decision about whether to allow it onto your network or
not.
63. In the Traffic log, locate the entry for one of the three applications listed below:
• dailymotion
• yammer-base
• scribd-base

Note that you can use the navigation buttons at the bottom of the window, or you
can create and apply a filter to locate the application entries.

64. Use the Applications database to find details about the application you have chosen to
research.
65. Select Objects > Applications.
66. In the Search field, enter the name of the application as it appears in the Traffic log.
67. Click the magnifying glass icon to search.

The previous example shows searching for the dailymotion application.
68. The Applications database will display all entries that match the Search.
69. Click directly on the entry for application below the Name column.

The previous example shows selecting the dailymotion entry.


70. The Applications database entry will display detailed information about the application:

71. Answer the following questions about the application you have chosen to research.
• What category does the application fall into?
In the bottom left corner of the window under the Classification section, you can see the entry
for Category.

• What risk level has Palo Alto Networks assigned to the application?
The Risk level will be listed under the Classification section on a scale of 1 (Safe) to 5 (Very
Risky).

• What are some of the characteristics of this application that might make you want to
block its use on your network?
Under the Characteristics section of the window you can see a list of traits for the application. A
Yes answer for a characteristic increases the risk rating of that application.

• Should you allow this application on your company’s production network?


Note that this last question does not have a right or wrong answer. Whether you allow an
application on your network depends on numerous factors. Even if the application presents
some risk, your organization may need to use it (“I can’t do my job without it!”), or there may be
lots of employees that prefer the application over safer alternatives (“We’ve always used this
application!”). Part of your job as a security professional is to identify network risks and to

© 2023 Palo Alto Networks, Inc. Page 173


mitigate them when possible. You can use the detailed information about applications on your
network to advocate for safer alternatives when possible.
72. Click Close in the Application window.

Update Security Policy Rules


When you created the Users_to_Extranet and the Users_to_Internet Security Policy rules in an
earlier lab, you set the Application to Any.
After your research, you can now update both rules to allow only applications that are necessary
for your organization.
73. Navigate to Policies > Security.
74. Edit the entry for Users_to_Extranet.
75. Select the tab for Application.
76. Uncheck the option for Any.
77. Click Add under the Applications section.
78. Type in the first few letters of web-browsing and allow the list to update with the
available selection.

79. Select the entry for web-browsing to add it to the list.

80. Click Add again.
81. Enter ssl and choose it from the list.
82. Repeat this process and add the following applications to this Security Policy rule:
• ssh
• ping
• dns
• ldap
• radius
83. When complete, your list of applications should look like the following:

84. Click OK to close the Security Policy rule.
85. In the Security Policy table, click the entry for Users_to_Internet to edit it.
86. Select the tab for Application.
87. Uncheck the box for Any.
88. Add the following applications to this Security Policy rule:
• dns
• ping
• ssl
• web-browsing
• yelp
• dropbox

Note – when you add the dropbox application, the web interface adds an entry to
the Depends On column for the google-base application.

• ms-office365

Note – when you add ms-office365, the web interface adds additional applications
to the Depends On list.

89. When complete, the Applications list should have seven entries and the Depends On
list should have multiple entries.

Note that the list of applications in the Depends On column may differ from the
example shown here. Palo Alto Networks updates application definitions
frequently, and in many cases an existing application will require additional
applications to work correctly.

90. Place the check box next to Depends On to select all items in that column.
91. Click Add to Current Rule.

92. Scan through the list of Applications on the left side of the window and note that the
dependent applications have been added.
93. Click OK.

Commit the Configuration


94. Click the Commit button at the upper right of the web interface.
95. Leave the settings unchanged and click Commit.
96. Wait until the Commit process is complete.
97. Click Close to continue.

Test the Updated Security Policy Rules


Run the application script again and examine the results.
98. On the client desktop, generate application traffic by double-clicking the icon for App
Generator:

99. Press ENTER in the opened window to start the script.
100. Allow the script to complete and then press ENTER to close the window.
Ignore any errors that the script generates – these occur because the firewall is
blocking various application traffic types. The script may also pause at different
points while applications time out because they are being blocked by the firewall.

101. When the script is complete, press ENTER to close the window.
102. Examine the Traffic log by selecting Monitor > Logs > Traffic.
103. Clear any filters you may have in place.
104. Create and apply a filter to display sessions that the firewall has blocked:
( action neq allow )

This filter will allow you to see the applications that have been blocked.

105. Note the entries under the Application column:

Many of the applications are now being blocked by the interzone-default rule. Remember that
any application that is not explicitly allowed in a Security Policy rule will be blocked by the
interzone-default rule.
The entries you see will differ from the example shown here.
106. Clear the filter in the Traffic log.
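The three Traffic log filters used in this lab, ( app eq paloalto-updates ), ( addr.src in 192.168.1.20 ) and ( app neq dns ), and ( action neq allow ), all follow the same shape. The following is an added example written for this guide, not PAN-OS code: it implements just that subset of the filter syntax (parenthesised field/operator/value terms joined with and/or, operators eq, neq and in) and runs it over a handful of constructed log entries so you can see which entries each filter selects and which rule handled them. The real filter engine's operator precedence is not modelled; terms are combined left to right.

```python
"""Evaluate Traffic log filters of the form used in this lab over sample entries.

Added example, not PAN-OS code. It implements only the subset of the log
filter syntax that appears in this lab: parenthesised "field op value"
terms joined with "and"/"or", with operators eq, neq and in (where in
tests an address against an IP or CIDR). Terms are combined left to
right; operator precedence of the real filter engine is not modelled.
The log entries are constructed for the example.
"""
import ipaddress
import re

TERM = re.compile(r"\(\s*([\w.]+)\s+(eq|neq|in)\s+(\S+)\s*\)")

# Constructed Traffic log entries (keys use the filter field names).
TRAFFIC_LOG = [
    {"addr.src": "192.168.1.254", "app": "paloalto-updates", "action": "allow",
     "rule": "Users_to_Internet"},
    {"addr.src": "192.168.1.20", "app": "dns", "action": "allow",
     "rule": "Users_to_Internet"},
    {"addr.src": "192.168.1.20", "app": "ftp", "action": "allow",
     "rule": "Users_to_Extranet"},
    {"addr.src": "192.168.1.20", "app": "dailymotion", "action": "deny",
     "rule": "interzone-default"},
    {"addr.src": "192.168.50.80", "app": "web-browsing", "action": "allow",
     "rule": "Extranet_to_Internet"},
]


def parse_filter(expr):
    """Turn '( a eq b ) and ( c neq d )' into [term, "and", term, ...]."""
    tokens, pos = [], 0
    for m in TERM.finditer(expr):
        connector = expr[pos:m.start()].strip().lower()
        if connector:
            if connector not in ("and", "or"):
                raise ValueError(f"unsupported connector {connector!r}")
            tokens.append(connector)
        tokens.append(m.groups())          # (field, op, value)
        pos = m.end()
    if expr[pos:].strip():
        raise ValueError(f"unparsed text: {expr[pos:].strip()!r}")
    # Terms and connectors must alternate, starting and ending with a term.
    if (not tokens or any(isinstance(t, str) for t in tokens[::2])
            or any(not isinstance(t, str) for t in tokens[1::2])):
        raise ValueError("filter must be terms separated by and/or")
    return tokens


def term_matches(entry, field, op, value):
    actual = entry.get(field)
    if actual is None:
        return False
    if op == "eq":
        return actual == value
    if op == "neq":
        return actual != value
    # "in": address membership; a bare IP is treated as a /32.
    return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)


def apply_filter(entries, expr):
    """Return the entries that satisfy the filter expression."""
    tokens = parse_filter(expr)
    matched = []
    for entry in entries:
        result, connector = None, None
        for tok in tokens:
            if isinstance(tok, str):
                connector = tok
                continue
            value = term_matches(entry, *tok)
            if result is None:
                result = value
            elif connector == "and":
                result = result and value
            else:
                result = result or value
        if result:
            matched.append(entry)
    return matched


def rules_for(entries, expr):
    """Which rules handled the entries a filter selects (the question in steps 33 and 54)."""
    return sorted({e["rule"] for e in apply_filter(entries, expr)})


if __name__ == "__main__":
    for f in ("( app eq paloalto-updates )",
              "( addr.src in 192.168.1.20 ) and ( app neq dns )",
              "( action neq allow )"):
        print(f, "->", [e["app"] for e in apply_filter(TRAFFIC_LOG, f)])
```

Because the sample entries are constructed, the update session is shown as allowed by Users_to_Internet, the state of the policy before the reorder earlier in this lab; the dailymotion entry is the one ( action neq allow ) surfaces, handled by interzone-default as in step 105.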

Enable the Application Block Page


When the firewall denies traffic to a web-based application, many users may assume that the
Internet is down or slow or that there is something wrong with their browser settings.
To reduce the number of potential calls to the help desk, you can enable the Application
Block Page on the firewall. This setting presents a web page that informs users when the
firewall has blocked a web-based application.

By default, the Application Block Page is not enabled.
107. To see the kind of behavior a user will experience without the Application Block page
enabled, open the Chrome web browser.
108. Attempt to connect to http://www.shutterfly.com.

Note: Be sure to type in the URL as shown above – include http as the protocol for
the request.

109. The browser will not be able to connect and will eventually time out (note that you do
not have to wait until you receive the time out message before continuing to the next
step).
110. Close the Chrome browser.
111. In the firewall web interface, select Device > Response Pages.
112. Under the Action column in the row for Application Block Page, click the link for
Disabled.

113. Place a check in the box for Enable Application Block Page.

114. Click OK.

Commit the Configuration


115. Click the Commit button at the upper right of the web interface.

116. Leave the settings unchanged and click Commit.
117. Wait until the Commit process is complete.
118. Click Close to continue.

Test the Application Block Page


119. To see the kind of behavior a user will experience with the Application Block page
enabled, open a new tab in the Firefox browser.
120. Attempt to connect to http://www.shutterfly.com.
Be sure to use http in the request and be sure to use the Firefox browser for this
test.
The number of websites which still support HTTP is dwindling. And, some browsers
(such as Chrome) automatically send requests using HTTPS even if you specify HTTP.
This test is only to show you how to enable the block page. In order for the firewall
to determine an application inside encrypted web traffic (HTTPS), you need to
enable decryption which is covered in a later section of this course.

121. The firewall will present a web page indicating that the application has been blocked.

You can customize this page to include additional information if necessary. This is the default
page that the firewall presents.

Note: Response Pages must also be enabled on the Interface Management Profile
assigned to the firewall's interface that is required to respond. This was completed
in an earlier lab.

122. Close the Application Blocked tab in the Firefox browser, but leave the firewall tab
open.

Note that there are limitations to the Application Block Page. The firewall cannot
present the page to a user when the browser session is encrypted using HTTPS.
Doing so would interrupt the secure communication between the client and the
destination server and violate the rules of encryption.
However, you can configure and enable decryption on the firewall (which we cover
in a later module). With decryption enabled, the firewall can present the
Application Block Page to a web browser when a user attempts to access a blocked
application.

Stop. This is the end of the lab.

Lab 9: Blocking Known Threats Using Security Profiles
Your organization recently acquired another company. Over the weekend one of your coworkers
configured the firewall with a new security zone called Acquisition that contains all the users
from this new company.
The coworker also configured the firewall with a Virtual Wire that allows traffic to the Internet
from the users in the Acquisition security zone.
Traffic is now being forwarded from users in the acquisition company through the firewall.

The firewall has a Security Policy rule that allows users in the Acquisition zone to access any
application on the Internet.
In this lab, you will build and apply a set of Security Profiles that will watch for and block
known threats from the users in this Acquisition zone.

Lab Objectives
• Load a baseline configuration
• Generate traffic without Security Profiles and examine logs
• Create Security Profiles
• Create a Security Profile Group
• Apply the Security Profile Group to existing Security Policy rules

• Generate traffic with Security Profiles and examine logs

High-Level Lab Steps


Use the information in the sections below to complete the objectives for this lab. We suggest that
you use this section only if you have extensive experience working with Palo Alto Networks
firewalls.
If you need more detailed guidance for the objectives, use the Detailed-Lab Steps section.

Apply a Baseline Configuration to the Firewall


• Load and commit the configuration file - edu-210-11.0b-09.xml - to the Firewall

Generate Traffic Without Security Profiles


• Use Remmina to connect to the Server-Extranet host
• Change to the working directory
cd pcaps92019/attack.pcaps/ <Enter>
• Run the simulated attacks script
./malwareattacks.sh <Enter>
This script takes about 6 minutes to complete

• Allow the script to run uninterrupted


• Use Chrome on the Client-A workstation to connect to the following URI:
http://192.168.50.80/badtarfile.tar
• Save the file to the Downloads folder when prompted
• From a new tab in Chrome, browse to the following URI:
http://192.168.50.80/companyssns.txt
Note that the browser will display a file with employees and their Social Security Numbers.

• From a Terminal window on the Client-A host, use the following command to generate a
DNS query using dig to resolve a URL to an IP address:
dig @8.8.8.8 www.quora.com
The command should return a public IP address, indicating that the URL is accessible.

• Leave the Terminal Emulator window open because you will use it again later in this lab
• In the firewall web interface, examine the Threat Log
• You should have no significant entries in the Threat Log

Create a Corporate Antivirus Profile


• Clone the default Antivirus Profile

• Rename the clone to Corp-AV
• For the Corp-AV Description, enter Standard antivirus profile for all
security policy rules

Create a Corporate Vulnerability Security Profile


• Clone the strict Vulnerability Profile
• Rename the clone to Corp-Vuln
• For the Corp-Vuln Description, enter Standard vulnerability profile for
all security policy rules

Create a Corporate File Blocking Profile


• Clone the strict file blocking Profile
• Rename the clone to Corp-FileBlock.
• For the Corp-FileBlock Description, enter Standard file blocking profile
for all security policy rules.

Create a Corporate Data Filtering Profile


• Use the information below to create a Data Filtering Pattern that will identify US Social
Security numbers with and without dash separators

Parameter Value

Name US-SSNs

Description US Social Security Numbers

Pattern Type Predefined Pattern

First Pattern Social Security Numbers

Second Pattern Social Security Numbers (without dash separator)

• Use the information below to create a Data Filtering Profile


Parameter Value

Name Corp-DataFilter

Description Standard data filtering profile for all security rules

Data Pattern US-SSNs

Alert Threshold 1

Block Threshold 3

Log Severity critical
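To make the Alert Threshold and Block Threshold values in the two tables above concrete, the following is an added example written for this guide, not Palo Alto Networks code. The two regular expressions are this example's own approximation of the predefined Social Security Numbers patterns (with and without dash separators); the real predefined patterns are maintained by Palo Alto Networks and are not reproduced here. It counts matches in a constructed roster file and returns the verdict the Corp-DataFilter thresholds (alert at 1, block at 3) would give.

```python
"""Count US Social Security Number matches and apply alert/block thresholds.

Added example, not Palo Alto Networks code. The two regular expressions
are this example's own approximation of the lab's two predefined
patterns (with and without dash separators); the real predefined
patterns are maintained by Palo Alto Networks and are not reproduced
here. The thresholds default to the values in the Corp-DataFilter table
above (alert at 1 match, block at 3). The sample file is constructed.
"""
import re

# Area 000, 666 and 900-999, group 00 and serial 0000 are never issued,
# so they are rejected to cut false positives.
SSN_DASHED = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
SSN_PLAIN = re.compile(
    r"(?<![\d-])(?!000|666|9\d\d)\d{3}(?!00)\d{2}(?!0000)\d{4}(?![\d-])")

# Constructed stand-in for companyssns.txt; these are not real identifiers.
SAMPLE_FILE = """\
Employee roster (constructed sample data, not real identifiers)
Alice Example, 123-45-6789
Bob Example, 234567890
Carol Example, 321-54-9876
Helpdesk phone 555-123-4567, order #2023000123
"""


def find_ssns(text):
    """Return every dashed or undashed SSN-shaped token in the text."""
    return SSN_DASHED.findall(text) + SSN_PLAIN.findall(text)


def data_filter_verdict(text, alert_threshold=1, block_threshold=3):
    """Apply Data Filtering thresholds: block wins when both are reached."""
    count = len(find_ssns(text))
    if count >= block_threshold:
        return "block", count
    if count >= alert_threshold:
        return "alert", count
    return "allow", count


if __name__ == "__main__":
    print(find_ssns(SAMPLE_FILE), data_filter_verdict(SAMPLE_FILE))
```

The phone number and order number in the sample are deliberately there to show why the lookarounds matter: a ten-digit string or a dash-separated phone number must not count towards the threshold, otherwise ordinary business documents would trip the block.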

Create a Corporate Anti-Spyware Security Profile


• Clone the strict Anti-Spyware Profile
• Rename the clone Corp-AS
• For the Corp-AS Description, enter Standard anti-spyware profile for all
security policy rules

Create an External Dynamic List for Malicious Domains


• Use the information below to create an External Dynamic List
Parameter Value

Name malicious-domains-edl

Type Domain List

Description Custom list of bad domains maintained on Extranet server

Source http://192.168.50.80/malicious-domains.txt
(The EDL contains the domains quora.com and producthunt.com.)

Automatically expand to include subdomains Checked

Check for updates Every Five Minutes

Update the Anti-Spyware Profile with EDL


• Edit the Corp-AS Security Profile and apply the DNS sinkhole action to the entry for
malicious-domains-edl

Commit the Configuration


• Commit the changes before proceeding

Create a Security Profile Group


• Use the information below to create a Security Profile Group

Parameter Value

Name Corp-Profiles Group

Antivirus Profile Corp-AV

Anti-Spyware Profile Corp-AS

Vulnerability Protection Profile Corp-Vuln

URL Filtering Profile none

File Blocking Profile Corp-FileBlock

Data Filtering Profile Corp-DataFilter

Wildfire Analysis Profile none

Leave the URL Filtering Profile and the WildFire Analysis Profile set to none for this
lab. We will examine both of those Security Profiles in more detail later in the
course.

Apply the Corp-Profiles-Group to Security Policy Rules


• Individually edit each Security Policy rule that allows traffic and change the Profile
Setting under the Action tab to use the Corp-Profiles Group
• Allow-PANW-Apps
• Users_to_Extranet
• Users_to_Internet
• Extranet_to_Internet
• Extranet_to_Users_Net
• Acquisition-Allow-All

Commit the Configuration


• Commit the changes before proceeding

Generate Attack Traffic to Test Security Profiles


• Use Remmina to connect to the Server-Extranet host
• Change to the working directory
cd pcaps92019/attack.pcaps/ <Enter>

• Run the simulated attacks script
./malwareattacks.sh <Enter>
This script takes about 6 minutes to complete

• Allow the script to run uninterrupted


• Use Chrome on the Client-A workstation to connect to the following URI:
http://192.168.50.80/badtarfile.tar
• You should receive a File Transfer Blocked page from the firewall.
• From a new tab in Chrome, browse to the following URI:
http://192.168.50.80/companyssns.txt
• You should receive a Data Transfer Blocked page from the firewall
• From a Terminal window on the Client-A host, use the following command to generate a
DNS query using dig to resolve a URL to an IP address:
dig @8.8.8.8 www.quora.com
This time, the command returns sinkhole.paloaltonetworks.com instead of an IP address for
the domain.
• In the firewall web interface, examine the Threat Log and note the numerous entries for
spyware and vulnerabilities

Lab Clean-Up
• Close the SSH connection to the firewall
• Close the Remmina desktop application window
• Close the Terminal Emulator window on the workstation desktop

Detailed Lab Steps
Apply a Baseline Configuration to the Firewall
To start this lab exercise, load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot.
3. Click the drop-down list next to the Name text box and select edu-210-11.0b-9.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

4. Click OK.
5. A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
9. Click Close to continue.

Note that you may receive messages in the Commit window about App
Dependencies. In a production environment, you should examine the messages and
use the information provided to add the missing applications to the appropriate
rules. These dependencies result from changes in Application definitions that are
released each month.

Generate Traffic Without Security Profiles


In this section, you will generate traffic that contains threats and malicious content. You will do
so from the client workstation and from the Extranet server. Because you have not yet configured
Security Profiles for your Security Policy, the firewall will allow this harmful traffic.
After the testing, you will examine the Threat Log to verify that this traffic was passed.
10. On the client desktop, open the Remmina application by double-clicking the icon:

11. In the Remmina Remote Desktop Client window, double-click the entry for Server-
Extranet:

This action will open an SSH connection to the server and automatically log you in with
appropriate credentials.
12. Enter the following command to change the working directory:
cd pcaps92019/attack.pcaps/ <Enter>
13. Run the simulated attacks:
./malwareattacks.sh <Enter>
This script takes about 6 minutes to complete.
14. Allow the script to run uninterrupted.
15. Minimize the Remmina connection window and move to the next step.
16. On the client workstation, open the Chrome browser.
17. Connect to the following URI:
http://192.168.50.80/badtarfile.tar
18. The download should succeed. This filetype is one that you will block when you
configure the firewall with a File Blocking Profile.

19. When prompted, select Save and click OK.

This action saves the malicious tar file to the client Downloads folder.
20. In Chrome, open a new tab.
21. Browse to the following URI:
http://192.168.50.80/companyssns.txt
22. The browser will display the file:

23. Close the Chrome browser.


24. On the client workstation, open a Terminal Emulator window.
25. Enter the following command to generate a DNS query using dig to resolve a domain
name to an IP address:
dig @8.8.8.8 www.quora.com <Enter>
Quora.com is one of the entries included in an external dynamic list of malicious
domains. You will configure this type of list later in the lab.
The dig tool is similar to nslookup but provides more detailed information.

26. The command returns a public IP address, indicating that the URL is accessible.

Note that the IP address you see may differ from this example.
27. Leave the Terminal Emulator window open because you will use it again later in this
lab.
28. In the firewall web interface, select Monitor > Threats.
29. You should have no significant entries in the Threat Log.

Create a Corporate Antivirus Profile


In this section, you will create the first of several Security Profiles. The Antivirus Profile you
create will use signatures provided by Palo Alto Networks to watch for and block known
threats from viruses.
30. In the web interface, select Objects > Security Profiles > Antivirus.

31. Place a check in the box next to the default entry.

32. At the bottom of the window, click the Clone button.


33. In the Clone window that appears, leave the settings unchanged.

34. Click OK.


35. A new entry called default-1 will appear in the Antivirus list.
36. Click the entry for default-1 to edit it.
37. Change the Name to Corp-AV.
38. For Description, enter Standard corporate antivirus profile for all
security policy rules.
39. Leave the remaining settings unchanged.

40. Click OK.

Create a Corporate Vulnerability Security Profile


In this section, you will create a vulnerability Security Profile. Palo Alto Networks provides two
Vulnerability Profiles that you can use as the basis for your own – strict and default.
You will clone the strict Profile and modify it to function as your Corp-Vuln Profile.
41. Select Objects > Security Profiles > Vulnerability Protection.
42. Place a check in the box beside strict.
43. At the bottom of the window, click Clone.
44. In the Clone window that appears, leave the settings unchanged and click OK.
45. A new Vulnerability Protection Profile appears called strict-1.
46. Click the entry for strict-1 to open it.
47. Change the Name to Corp-Vuln.

48. For Description, enter Standard vulnerability profile for all security
policy rules.

49. Leave the remaining settings unchanged and click OK.

Create a Corporate File Blocking Profile


In this section, you will configure a File Blocking Security Profile that the firewall will use to
help detect, report, and block attempts to download potentially harmful filetypes. Palo Alto
Networks provides two File Blocking Profiles that you can use as the basis for your own –
basic file blocking and strict file blocking.
You will clone the strict file blocking Profile and modify it to function as your Corp-
FileBlock Profile.
50. Select Objects > Security Profiles > File Blocking.
51. Place a check beside the entry for strict file blocking.
52. At the bottom of the window, click the Clone button.
53. In the Clone window that appears, leave the settings unchanged and click OK.
54. A new File Blocking Profile appears called strict file blocking-1.
55. Click the entry for strict file blocking-1 to open it.
56. Change the Name to Corp-FileBlock.

57. For Description, enter Standard file blocking profile for all security
policy rules.

58. Leave the remaining settings unchanged and click OK.

Create a Corporate Data Filtering Profile


Create a Data Filtering Profile to detect and block the transfer of files that contain more than
three US social security numbers. Data Filtering Profiles are based on one or more Data Patterns,
so you will need to first configure a Data Pattern that matches variations of US social security
numbers.
59. Select Objects > Custom Objects > Data Patterns.
60. Click Add.
61. For Name, enter US-SSNs.
62. For Description, enter US Social Security Numbers.
63. Change the Pattern Type to Predefined Pattern.
64. Click Add.
65. Scroll down the available list and select Social Security Numbers.
66. Click Add again.

67. Scroll down the list and select Social Security Numbers (without dash separator).

68. Leave the remaining settings unchanged and click OK.


69. Select Objects > Security Profiles > Data Filtering.
70. Click Add.
71. For Name, enter Corp-DataFilter.
72. For Description, enter Standard data filtering profile for all
security policy rules.
73. Click Add and select the US-SSNs data pattern that you defined.
74. Click in the Alert Threshold field and change the value to 1.
75. Click in the Block Threshold field and change the value to 3.
76. Change the Log Severity to critical.

77. Leave the remaining settings unchanged.

78. Click OK.
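The Data Pattern and Data Filtering Profile you just built combine two predefined patterns (with and without dash separators) with an alert threshold of 1 and a block threshold of 3. The following added example is not part of the lab guide or of PAN-OS; it models that decision logic in Python so you can see how the match count maps to an alert or block verdict. The two regular expressions are simplified stand-ins for the Palo Alto Networks predefined patterns (the real ones apply additional validity checks), the sample files are constructed, and the "count at or above threshold" semantics is an assumption.

```python
import re

# Simplified stand-ins for the two predefined patterns selected in the US-SSNs object.
# Assumption: the real predefined patterns apply extra validity rules; these do not.
SSN_WITH_DASH = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SSN_WITHOUT_DASH = re.compile(r"\b\d{9}\b")

# Thresholds as configured in the Corp-DataFilter profile.
ALERT_THRESHOLD = 1
BLOCK_THRESHOLD = 3

# Constructed sample files; none of these numbers belong to a real person.
SAMPLE_FILES = {
    "companyssns.txt": "name,ssn\nJane Doe,123-45-6789\nJohn Roe,987654321\nSam Poe,111-22-3333\n",
    "memo.txt": "Please update the record for 123-45-6789 before Friday.\n",
    "readme.txt": "Nothing sensitive here; call extension 1234.\n",
}


def count_ssns(text: str) -> int:
    """Count occurrences of either SSN pattern in the transferred content."""
    return len(SSN_WITH_DASH.findall(text)) + len(SSN_WITHOUT_DASH.findall(text))


def data_filter_verdict(text: str, alert_threshold: int = ALERT_THRESHOLD,
                        block_threshold: int = BLOCK_THRESHOLD):
    """Return (action, match_count) for a file inspected by the Data Filtering Profile.

    Assumption: a count at or above the block threshold blocks the transfer; a count at or
    above the alert threshold (but below the block threshold) only logs an alert.
    """
    n = count_ssns(text)
    if n >= block_threshold:
        return "block", n
    if n >= alert_threshold:
        return "alert", n
    return "allow", n


def evaluate_samples() -> dict:
    """Run every constructed sample file through the verdict logic."""
    return {name: data_filter_verdict(content)[0] for name, content in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        action, n = data_filter_verdict(content)
        print(f"{name}: {n} match(es) -> {action}")
```

The undashed pattern is deliberately loose: any nine contiguous digits (an account or phone number, for example) will count, which is exactly why a low alert threshold is useful for tuning before you rely on the block threshold in production.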

Create a Corporate Anti-Spyware Profile


In this section, you will create a Security Profile that will watch for and block known spyware.
79. In the web interface, select Objects > Security Profiles > Anti-Spyware.
80. Select the check box next to the strict Anti-Spyware Profile.
The Profile should be highlighted after it has been selected.
81. Click Clone to clone the Profile.

82. A Clone window should open.


83. Click OK to close the Clone window.

A new strict-1 Anti-Spyware Profile should have been created.
84. Click strict-1 to edit the Profile.
The Anti-Spyware Profile window should open.
85. Rename the Profile Corp-AS.
86. For Description, enter Standard anti-spyware profile for all security
policy rules.
87. Click OK to close the Anti-Spyware Profile window.

Create an External Dynamic List for Malicious Domains


You need to configure the firewall to ingest an external dynamic list that contains entries for
several malicious domains that users should not access due to company restrictions. You have
a list available on a local server that you can import to the firewall.
In this section, you will configure the firewall to import an External Dynamic List (EDL)
from a server in the DMZ.
With the list configured on the firewall, you will update the Corp-AS Anti-Spyware
Profile to sinkhole entries in the EDL.
88. In the web interface, select Objects > External Dynamic Lists.
89. Click Add.
90. The firewall presents a notice about tokens for domain entries:

91. Read the notice and then click Cancel.


92. In the External Dynamic Lists window, configure the following:
Parameter                                    Value
Name                                         malicious-domains-edl
Type                                         Domain List
Description                                  Custom list of bad domains maintained on Extranet server
Source                                       http://192.168.50.80/malicious-domains.txt
                                             (The EDL contains the domains quora.com and producthunt.com.)
Automatically expand to include subdomains   Checked
Check for updates                            Every Five Minutes

93. Click OK to close the External Dynamic Lists window.


94. Click malicious-domains-edl.
The External Dynamic Lists window should open again.
95. Click Cancel on the Append ending token to entries window.
96. Click Test Source URL to verify that the firewall can access the EDL URL.
A message window should open and state that the source URL is accessible.
97. Click Close to close the Test Source URL window.
98. Click OK to close the External Dynamic Lists window.

Update the Anti-Spyware Profile with EDL
Now that you have configured the firewall with the External Dynamic List for custom
malicious domains, you can update the Anti-Spyware Profile to use the list for sinkholing.
99. In the web interface, select Objects > Security Profiles > Anti-Spyware.
100. Click Corp-AS to edit the Profile.
The Anti-Spyware Profile window should open.
101. Click the DNS Policies tab.
102. Under the External Dynamic Lists section, change the Policy Action drop-down list to
sinkhole for the malicious-domains-edl entry.

103. Leave the remaining settings unchanged.


104. Click OK to close the Anti-Spyware Profile window.
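The EDL you configured is a plain text file of domain entries, and the "Automatically expand to include subdomains" setting is what makes a query for www.quora.com match the entry quora.com. The following added example (not part of the lab guide or of PAN-OS) parses a constructed domain-list file in that format and reproduces the match and sinkhole decision, so you can reason about which queries the DNS Policies tab will sinkhole. The sample file content, the comment syntax, and the subdomain-matching rule are assumptions made for this example.

```python
# Constructed sample of a domain-list EDL; it is not the lab's malicious-domains.txt.
# Assumption: blank lines and lines starting with "#" are ignored.
SAMPLE_EDL = """\
# malicious-domains.txt (constructed sample)
quora.com
producthunt.com

"""

# Name the lab observes in the dig output once the query is sinkholed.
SINKHOLE_FQDN = "sinkhole.paloaltonetworks.com"


def parse_domain_edl(text: str) -> list:
    """Return the normalized domain entries from an EDL file body."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(line.lower().rstrip("."))
    return entries


def domain_matches(query: str, entry: str, expand_subdomains: bool = True) -> bool:
    """True when the queried name equals the entry or, with expansion on, is a subdomain of it.

    The leading "." in the suffix check keeps notquora.com from matching quora.com.
    """
    q = query.lower().rstrip(".")
    if q == entry:
        return True
    return expand_subdomains and q.endswith("." + entry)


def dns_policy_action(query: str, entries: list, expand_subdomains: bool = True,
                      action: str = "sinkhole"):
    """Return (action, forged_answer) for a DNS query checked against the EDL.

    For the sinkhole action the forged answer is the sinkhole FQDN; for any other
    action (for example "alert" or "block") there is no forged answer.
    """
    for entry in entries:
        if domain_matches(query, entry, expand_subdomains):
            return action, (SINKHOLE_FQDN if action == "sinkhole" else None)
    return "allow", None


if __name__ == "__main__":
    edl = parse_domain_edl(SAMPLE_EDL)
    for name in ("www.quora.com", "quora.com", "notquora.com", "www.example.com"):
        print(name, "->", dns_policy_action(name, edl))
```

When you later run dig through the firewall, a sinkholed query resolves to the sinkhole name rather than the real public address, which is the behaviour the final test in this lab checks.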

Commit the Configuration


105. Click the Commit button at the upper right of the web interface.
106. Leave the settings unchanged and click Commit.
107. Wait until the Commit process is complete.
108. Click Close.

Create a Security Profile Group
In order to simplify the process of applying Security Profiles to Security Policy rules, you can
create a Security Profile Group that contains individual Security Profiles.
You can then apply the Security Profile Group to a Security Policy rule, rather than
individually selecting each Profile for each rule.
In this section, you will create a Security Profile Group called Corp-Profiles-Group. You will
add each of your Corp-* Security Profiles to the group.

109. Select Objects > Security Profile Groups.


110. Click Add.
111. For Name, enter Corp-Profiles-Group.
112. For each of the available Profiles, use the drop-down list to select the Corp-* entry you
have created.

Leave the URL Filtering Profile and the WildFire Analysis Profile set to none for this
lab. We will examine both of those Security Profiles in more detail later in the
course.

113. Click OK.

Apply the Corp-Profiles-Group to Security Policy Rules


With the Security Profiles in place, you can modify your Security Policy rules to use these
protections.
114. Select Policies > Security.

115. Individually edit each Security Policy rule that allows traffic and change the Profile
Setting under the Action tab to use the Corp-Profiles-Group:

116. Be sure to edit and modify each of these rules:


● Allow-PANW-Apps
● Users_to_Extranet
● Users_to_Internet
● Extranet_to_Internet
● Extranet_to_Users_Net
● Acquisition-Allow-All

Commit the Configuration


117. Click the Commit button at the upper right of the web interface.
118. Leave the settings unchanged and click Commit.
119. Wait until the Commit process is complete.
120. Click Close.

Generate Attack Traffic to Test Security Profiles


121. On the client desktop, locate the Remmina SSH connection to Server-Extranet.
122. Enter the following command to change the working directory:
cd /home/paloalto42/pcaps92019/attack.pcaps/ <Enter>
123. Run the simulated attacks script again:
./malwareattacks.sh <Enter>
This script takes about 6 minutes to complete.
124. Allow the script to run uninterrupted.
125. Minimize the Remmina connection window and move to the next step.
126. On the client workstation, open the Chrome browser.

127. Connect to the following URI:
http://192.168.50.80/badtarfile.tar
128. You should receive a File Transfer Blocked page from the firewall.

This page indicates that the firewall has blocked the file using the File Blocking
Profile you defined.
If Chrome prompts you to save the file, clear the browser cache (Settings > Privacy
and Security > Clear browsing data and click Clear Data). Close Chrome and try the
test again.

129. In Chrome, open a new tab.


130. Browse to the following URI:
http://192.168.50.80/companyssns.txt

131. You should receive a Data Transfer Blocked page from the firewall.

This page indicates that the firewall has blocked the transfer using the Data Filtering
Profile and Data Pattern you defined for Social Security Numbers.

132. Close the Chrome browser.


133. On the client workstation, locate the open Terminal Emulator window you used earlier
in this lab.
134. Run the dig command again to resolve a domain name to an IP address:
dig @8.8.8.8 www.quora.com <Enter>

135. This time, the command returns sinkhole.paloaltonetworks.com instead of an IP
address for the domain.

This indicates that the firewall has intercepted and sinkholed the DNS query using
the DNS Sinkholing function in your Anti-Spyware Profile.

136. In the firewall web interface, select Monitor > Logs > Threat.
137. The Threat Log should contain numerous entries for spyware and vulnerabilities:

These entries indicate that the firewall has blocked malicious traffic using the Vulnerability and
Anti-Spyware Profiles that you defined. Note that the entries you see in the Threat Log may
differ from the example shown here. Also, several Threat Log columns have been hidden in this
example.

The table may not contain very many entries until the malwareattacks script is
finished. Use the refresh button periodically to update the table.

Lab Clean-Up
138. On the workstation desktop, locate the Remmina SSH connection to the Extranet server.
139. Type exit <Enter> to close the session.
140. Close the Remmina desktop application window.
141. Locate the open Terminal Emulator window on the workstation desktop.
142. Type exit <Enter> to close the window.

Stop. This is the end of the lab.

Lab 10: Blocking Inappropriate Web Traffic with
Advanced URL Filtering
You can block access to malicious or inappropriate websites in two ways.
• Create Security Policy rules with a Deny Action and use URL categories as part of the
rule criteria
• Create a URL Filtering Profile that includes blocked categories and apply the Profile to a
Security Policy rule that allows the web-browsing and ssl applications.
In this lab, you will use both methods so that you can see the differences in how they are
configured and in the kind of detail available through the logs when you use one method
compared to the other.

Lab Objectives
• Test access to inappropriate web content without URL blocking in place
• Create a Security Policy rule to block inappropriate web content using the URL Category
• Test the Security Policy rule and examine the results
• Disable the Security Policy rule
• Create and apply a URL Filtering Profile to block access to a malicious URL
• Test the Security Profile and examine the results

High-Level Lab Steps


Apply a Baseline Configuration to the Firewall
• Load and commit the configuration file - edu-210-11.0b-10.xml - to the Firewall

Test Access to Inappropriate Web Content


• Run the Clear Firewall Logs script from the /home/lab-user/Desktop/Class-Scripts/EDU-210
folder
• Use Chrome to browse to hacker9.com and hidester.com and verify that both sites are
available

Create a Security Policy Rule to Block Categories


• Use the information in the table below to create a Security Policy rule to block traffic to
certain URL Categories:
Parameter          Value
Rule Name          Block-Bad-URLs
Description        Blocks bad URLs based on categories
Source Zone        Users_Net
Destination Zone   Internet
Application        Any
Service            application-default
URL Category       Add the following:
                   adult
                   command-and-control
                   extremism
                   hacking
                   high-risk
                   malware
                   nudity
                   parked
                   peer-to-peer
                   phishing
                   proxy-avoidance-and-anonymizers
                   questionable
Action             Deny

• Move the Block-Bad-URLs rule to the top of the Security Policy.

Commit the Configuration


• Commit the changes before proceeding.

Test Access to URLs Blocked by the Security Policy


• Use Chrome and attempt to connect to hacker9.com and hidester.com
• Note the message displayed by the browser
• Examine the Traffic log and use a filter to locate entries that have been blocked by the
Block-Bad-URLs
• Examine the URL Filtering log and use a filter to locate entries that have been blocked
by the firewall

Block Access to Inappropriate Web Content Using Security Profile
• Create a URL Filtering Profile using the information in the table below:
Parameter                                        Value
Name                                             Corp-URL-Profile
Description                                      Standard corporate URL profile for all security policy rules
Site Access (all categories except those below)  Alert
Site Access (the following categories)           Block
                                                 adult
                                                 command-and-control
                                                 copyright-infringement
                                                 extremism
                                                 hacking
                                                 high-risk
                                                 malware
                                                 nudity
                                                 parked
                                                 peer-to-peer
                                                 phishing
                                                 proxy-avoidance-and-anonymizers
                                                 questionable
                                                 unknown

Add the URL Profile to the Corp-Profiles-Group


• Edit the Corp-Profiles-Group and add the URL Filtering Profile Corp-URL-Profile.

Disable Block-Bad-URLs Rule


• Disable the Block-Bad-URLs rule in the Security Policy so that it does not interfere with
your URL Filtering Profile testing.

Commit the Configuration


• Commit the changes before proceeding.

Test Access to URLs Blocked by a URL Filtering Profile
• Use Chrome and browse to hidester.com and hacker9.com
• Note the difference between this error page and the one you received when using a
Security Policy rule to block categories
• Examine the Traffic log and use a filter to display entries that fall in the URL Category
of hacking
• Examine the URL Filtering Log and use a filter to display entries that fall in the URL
Category of hacking

Create a Custom URL Category


• Use the information in the table below to create a Custom URL Category:
Parameter     Value
Name          Block-Per-Company-Policy
Description   URLs that are blocked by company policy.
Sites         Add the following:
              *.nbcnews.com
              *.theguardian.com

Use Custom Category to Block URL Access in Security Policy Rule


• Enable the Security Policy Rule Block-Bad-URLs
• Add the Block-Per-Company-Policy custom URL category to the rule

Commit the Configuration


• Commit the changes before proceeding.

Test Access to Custom URLs Blocked by the Security Policy


• Use the Chrome browser and connect to www.nbcnews.com and
www.theguardian.com
• Note the Application Blocked page message presented by the firewall
• Examine the URL Filtering log and use it to locate entries with an Action of block-url

Add Custom URL Category to URL Filtering Profile


• Edit the Corp-URL-Profile and set the Site Access for Block-Per-Company-Policy to
block.
• Disable the Security Policy rule Block-Bad-URLs so that it does not interfere with the
URL Filtering Profile.

Commit the Configuration
• Commit the changes before proceeding.

Test Access to Custom URLs Blocked by the URL Filtering Profile


• Use Chrome and browse to www.nbcnews.com and www.theguardian.com
• Note the Block page presented by the firewall

Create an EDL to Block Malicious URL Access


Use the information in the table below to create an External Dynamic List:
Parameter           Value
Name                malicious-urls-edl
Type                URL List
Description         List of malicious URLs maintained on Extranet server
Source              http://192.168.50.80/malicious-urls.txt
                    (The EDL contains only the URL duckduckgo.com.)
Check for updates   Every Five Minutes

Block Access to the URL List with a Security Policy Rule
• Add the malicious-urls-edl to the URL Category of the Block-Bad-URLs Security
Policy rule.
• Enable the Block-Bad-URLs Security Policy rule

Commit the Configuration


• Commit the changes before proceeding.

Test Access to URLs Blocked by the EDL in the Security Policy


• Use Chrome and browse to http://duckduckgo.com.
• Note the Application Blocked page that the firewall displays
• Examine the URL Filtering log
• Use a filter that will display entries that have an action of block-url
• Disable the Security Policy rule Block-Bad-URLs

Commit the Configuration
• Commit the changes before proceeding.

Detailed Lab Steps
Apply a Baseline Configuration to the Firewall
To start this lab exercise, load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot.
3. Click the drop-down list next to the Name text box and select edu-210-11.0b-10.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

4. Click OK.
5. A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
9. Click Close to continue.

Test Access to Inappropriate Web Content


You can block access to inappropriate or malicious URLs by creating rules in the Security
Policy. In this section, you will create a rule that blocks access to several URL categories.
Before you create the rule, you will clear the log file entries on the firewall (to make it easier
to see new entries generated during this lab). You will also test access to two websites to
verify that they are not being blocked.
10. Clear the firewall log files by double-clicking on the Desktop icon for Clear Logs
Firewall-A:

11. On the client desktop, open Chrome and browse to http://www.hacker9.com, which
belongs to the URL category hacking.
The browser should display a valid webpage.
12. In Chrome, browse to http://www.hidester.com/proxy, which belongs to the
URL category proxy-avoidance-and-anonymizers.
The browser should display a valid webpage.
13. Close the Chrome browser window.

Create a Security Policy Rule to Block Categories
14. In the web interface, select Policies > Security.
15. If the URL Category column is not displayed, click the down-arrow menu that appears
next to any column header (hover your pointer over a header to see the Down arrow)
and select Columns > URL Category.
The URL Category column should appear in the web interface.

16. Click Add to create a new Security Policy rule.


17. On the General tab, type Block-Bad-URLs as the Name.
18. For Description, enter Blocks bad URLs based on categories.
19. Click the Source tab and configure the following:
Parameter        Value
Source Zone      Users_Net
Source Address   Any

20. Click the Destination tab and configure the following:
Parameter             Value
Destination Zone      Internet
Destination Address   Any

21. Click the Application tab and verify that Any is selected.
22. Click the Service/URL Category tab and configure the following:
Parameter      Value
Service        application-default
URL Category   Add the following:
               adult
               command-and-control
               extremism
               hacking
               high-risk
               malware
               nudity
               parked
               peer-to-peer
               phishing
               proxy-avoidance-and-anonymizers
               questionable

Note: you can type in the first few letters of a category to locate each one more
quickly.

23. Click the Actions tab and configure the following:
Parameter     Value
Action        Deny
Log Setting   Log at Session End

24. Click OK to close the Security Policy Rule window.


The new Block-Bad-URLs rule should be added to the Security Policy.

25. Select, but do not open, the Block-Bad-URLs rule in the Security Policy.
The rule should be highlighted after it has been selected.

26. Select Move > Move Top to move the Block-Bad-URLs rule to the top of the Security
Policy:

Commit the Configuration


27. Click the Commit button at the upper right of the web interface.
28. Leave the settings unchanged and click Commit.
29. Wait until the Commit process is complete.
30. Click Close.

Test Access to URLs Blocked by the Security Policy


In this section, you will test access to URLs that belong to URL categories prohibited by the
Security Policy.
31. On the client desktop, open a new tab in the Firefox browser.
32. Connect to http://www.hacker9.com, which belongs to the URL category hacking.

The browser should display an error message similar to the following example because the URL
category hacking is blocked in the Security Policy.

Although this page says the Application web-browsing has been blocked, the
firewall is actually blocking the site based on its category – hacking. The firewall
uses this page to inform users that the firewall has blocked a web page deliberately.
You will see a different message when the firewall blocks a page using a URL
Filtering Profile.

33. In the Firefox browser, connect to http://www.hidester.com, which belongs to the


URL category proxy-avoidance-and-anonymizers.
The browser should display the same kind of block page.
34. Close the Firefox tab used for the hidester.com connection.
35. In the firewall web interface, navigate to Monitor > Logs > Traffic.
36. Add the URL Category column to the display by clicking the small arrow next to the
Application column heading and choosing URL Category:

37. Create and apply a filter to locate entries that have been blocked by the Block-Bad-
URLs rule:
( rule eq 'Block-Bad-URLs' )
38. Note the entries you see in the Traffic Log that have been blocked by the Block-Bad-
URLs Security Policy rule.
39. Clear the filter entry from the Traffic Log.
40. Navigate to Monitor > Logs > URL Filtering.
41. Create and apply a filter to locate entries that have been blocked by the firewall:
( action eq block-url )
42. You should see multiple entries for web-browsing sessions that have been blocked.
43. Note that the URL Filtering table contains the actual URL that was blocked as well as
the category of the site.

The Traffic log does not list the specific URL that a user attempted to visit; however,
the URL filtering log does. Note that the default columns for the URL Filtering log
table have been rearranged in this example.

44. Clear the filter from the URL Filtering Log.
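The filters you applied above, ( rule eq 'Block-Bad-URLs' ) and ( action eq block-url ), are expressions over log fields that the firewall evaluates against each log entry. The following added example is not part of the lab guide or of PAN-OS: it is a small Python evaluator for that expression shape (parenthesised field/operator/value conditions joined by and/or) run over constructed URL Filtering log entries, so you can see how the same filters you typed select entries and how a Traffic log entry differs from a URL Filtering log entry in the fields it carries. Only the eq and neq operators and the left-to-right and/or precedence are implemented, and those choices are assumptions for this example.

```python
import re

# Tokens: parentheses, single- or double-quoted values, or bare words without parentheses.
TOKEN_RE = re.compile(r"\(|\)|'[^']*'|\"[^\"]*\"|[^\s()'\"]+")

# Operators seen in the lab filters; comparisons are case-insensitive (assumption).
OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b}

# Constructed URL Filtering log entries for the tests in this lab. Unlike a Traffic log
# entry, each carries the requested URL and its category.
URL_LOG = [
    {"rule": "Block-Bad-URLs", "action": "block-url", "category": "hacking",
     "url": "www.hacker9.com/"},
    {"rule": "Block-Bad-URLs", "action": "block-url",
     "category": "proxy-avoidance-and-anonymizers", "url": "www.hidester.com/"},
    {"rule": "Users_to_Internet", "action": "alert", "category": "computer-and-internet-info",
     "url": "www.example.com/"},
]


class FilterParser:
    """Recursive-descent parser: or_expr := and_expr ('or' and_expr)*; and_expr := operand ('and' operand)*."""

    def __init__(self, text: str):
        self.toks = TOKEN_RE.findall(text)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() and self.peek().lower() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_operand()
        while self.peek() and self.peek().lower() == "and":
            self.take()
            node = ("and", node, self.parse_operand())
        return node

    def parse_operand(self):
        tok = self.take()
        if tok == "(":                      # either a nested expression or a bare condition
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = tok, self.take(), self.take()
        if field is None or op is None or op.lower() not in OPS or value is None:
            raise ValueError(f"bad condition near {field!r}")
        return ("cond", field.lower(), op.lower(), value.strip("'\""))


def evaluate(node, entry: dict) -> bool:
    """Evaluate a parsed filter tree against one log entry (missing fields compare as empty)."""
    if node[0] == "cond":
        _, field, op, value = node
        return OPS[op](str(entry.get(field, "")).lower(), value.lower())
    kind, left, right = node
    if kind == "and":
        return evaluate(left, entry) and evaluate(right, entry)
    return evaluate(left, entry) or evaluate(right, entry)


def filter_log(expression: str, entries: list) -> list:
    """Return the entries matching a filter expression such as ( action eq block-url )."""
    tree = FilterParser(expression).parse()
    return [e for e in entries if evaluate(tree, e)]


if __name__ == "__main__":
    for e in filter_log("( rule eq 'Block-Bad-URLs' )", URL_LOG):
        print(e["url"], e["category"], e["action"])
```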

Block Access to Inappropriate Web Content Using Security Profile


You can use a Security Policy rule to control access to web site categories or you can use a URL
Filtering Profile to accomplish the same task. One significant difference between the two is that
you can configure a URL Filtering Profile to log access to all websites and categories; not just to
websites that have been blocked by a Security Policy rule.
In this section, you will create a URL Filtering Profile that blocks certain categories of web
content.
45. In the firewall web interface, select Objects > Security Profiles > URL Filtering.
46. Click Add to create a new Profile.
A URL Filtering Profile window should open.
47. Type Corp-URL-Profile as the Name of the Profile.
48. For Description, enter Standard corporate URL profile for all security
policy rules.
49. In the Site Access column, click the small triangle.
50. Choose Set All Actions > alert.

This shortcut allows you to change the setting for all categories in the list rather
than changing each one entry at a time. Setting the action to alert instructs the
firewall to allow access to the category and to write an entry to the URL Filtering
log. When the action is set to allow, the firewall allows access but does not write an
entry to the URL Filtering log.

51. Under the Categories tab, configure the following:
Parameter     Value
Site Access   Configure the block action for the following URL categories:
              adult
              command-and-control
              copyright-infringement
              extremism
              hacking
              high-risk
              malware
              nudity
              parked
              peer-to-peer
              phishing
              proxy-avoidance-and-anonymizers
              questionable
              unknown

52. Click OK to close the URL Filtering Profile window.

Add the URL Profile to the Corp-Profiles-Group


In this section, you will add the URL Filtering Profile Corp-URL-Profile to the existing
Security Profile Group you created in an earlier lab.
53. In the firewall web interface, select Objects > Security Profile Groups.
54. Click the entry for Corp-Profiles-Group to edit it.
55. Use the drop-down list for URL Filtering Profile to select Corp-URL-Profile.

Because you have already applied this Security Profile group to the rules in your
Security Policy, you will not need to modify any of the rules themselves. Each rule
will now also include this Corp-URL-Profile as part of the inspection process.

56. Leave the remaining settings unchanged and click OK.

Disable Block-Bad-URLs Rule


In this section, you will disable the rule that blocks URLs based on categories so that it does not
interfere with the URL Filtering Profile.
57. In the firewall web interface, navigate to Policies > Security.
58. Highlight the entry for Block-Bad-URLs but do not open it.
59. At the bottom of the window, click the Disable button.

60. The entry will change to italics to indicate that the rule is now Disabled.

Note that several columns have been hidden or rearranged in the example shown here.

Commit the Configuration


61. Click the Commit button at the upper right of the web interface.
62. Leave the settings unchanged and click Commit.
63. Wait until the Commit process is complete.
64. Click Close.

Test Access to URLs Blocked by a URL Filtering Profile


In this section, you will perform tests to ensure that access to malicious URLs is blocked by
the firewall using the URL Filtering Profile.
65. Open a new tab in Firefox and browse to http://www.hidester.com/proxy/.

66. You should get a block page because you do not have access to this website. It belongs
to the URL category proxy-avoidance-and-anonymizers, which is blocked by the URL
Filtering Profile.

Notice that the information provided in this page provides more details than what
the firewall displayed when it blocked the same website using the Block-Bad-URLs
Security Policy rule.
This block page includes the actual URL and the Category that the site belongs to.

67. In the same Firefox tab, browse to http://www.hacker9.com.

68. Close the Firefox tab for hacker9.com.
69. Select Monitor > Logs > Traffic.
70. Clear any filters you have in place.
71. Create and apply a filter that will display entries that fall in the URL Category of
hacking:
( category eq hacking )

Notice that the Security Policy rule listed is Users_to_Internet and that the Action
for each entry is allow.
The Security Policy rule is not blocking the URL category of hacking. The blocking
process happens as part of the URL Filtering Profile inspection.

72. Clear the filter from the Traffic Log.


73. Examine the URL Filtering Log under Monitor > Logs > URL Filtering.
74. Clear any filters you have in place.
75. Create and apply a filter to show entries in which the URL Category is hacking:
( category eq hacking )

Note that several columns have been hidden or rearranged in the example shown here.
76. Note that the action for these sessions is block-url, which is carried out by the URL
Filtering Profile.
77. Clear the filter in the URL Filtering log.
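The two logs you just examined record different decisions about the same session: the Traffic log shows the Security Policy verdict (allow), and the URL Filtering log shows the profile verdict (block-url). The following Python script is an added example, not part of this lab guide or of PAN-OS; it joins constructed CSV exports of both logs on the session ID and flags sessions that the policy allowed but the profile blocked. The column names follow the field names used in the lab's filters; the session IDs, addresses and URLs are made up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real firewall output). Column names follow
# the PAN-OS log field names used in the lab's filters (rule, action, category,
# url, sessionid); the session IDs, addresses and URLs are invented.
TRAFFIC_CSV = """sessionid,src,dst,app,rule,action,category
1001,192.168.1.20,203.0.113.10,web-browsing,Users_to_Internet,allow,hacking
1002,192.168.1.20,203.0.113.11,web-browsing,Users_to_Internet,allow,proxy-avoidance-and-anonymizers
1003,192.168.1.21,203.0.113.12,web-browsing,Users_to_Internet,allow,news
1004,192.168.1.22,203.0.113.13,web-browsing,Block-Bad-URLs,deny,hacking
"""

URL_CSV = """sessionid,src,url,category,action
1001,192.168.1.20,www.hacker9.com/,hacking,block-url
1002,192.168.1.20,www.hidester.com/proxy/,proxy-avoidance-and-anonymizers,block-url
1003,192.168.1.21,www.nbcnews.com/,news,alert
"""


def parse_csv(text):
    """Parse an exported log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_rows(rows, field, value):
    """Equivalent of a web interface filter of the form ( field eq value )."""
    return [r for r in rows if r.get(field) == value]


def correlate(traffic_rows, url_rows):
    """Join the two logs on session ID and classify each session.

    Returns {sessionid: verdict} where verdict is one of:
      'denied-by-policy'   : the Security Policy rule itself denied the session
      'blocked-by-profile' : policy allowed it, the URL Filtering Profile blocked a URL
      'allowed'            : policy allowed it and no URL in it was blocked
    """
    # One session can produce several URL Filtering entries (one per request).
    url_by_session = defaultdict(list)
    for row in url_rows:
        url_by_session[row["sessionid"]].append(row)

    verdicts = {}
    for row in traffic_rows:
        sid = row["sessionid"]
        if row["action"] != "allow":
            verdicts[sid] = "denied-by-policy"
            continue
        blocked = [u for u in url_by_session.get(sid, []) if u["action"] == "block-url"]
        verdicts[sid] = "blocked-by-profile" if blocked else "allowed"
    return verdicts


def report(traffic_csv=TRAFFIC_CSV, url_csv=URL_CSV):
    """Return (verdicts, sessions that look allowed in the Traffic log but were blocked)."""
    verdicts = correlate(parse_csv(traffic_csv), parse_csv(url_csv))
    hidden_blocks = sorted(s for s, v in verdicts.items() if v == "blocked-by-profile")
    return verdicts, hidden_blocks


if __name__ == "__main__":
    verdicts, hidden = report()
    for sid, verdict in sorted(verdicts.items()):
        print(sid, verdict)
    print("allowed by policy, blocked by URL Filtering Profile:", hidden)
    hacking = filter_rows(parse_csv(TRAFFIC_CSV), "category", "hacking")
    print("Traffic log rows in category hacking:", [r["sessionid"] for r in hacking])
```

Exporting both logs with the same time window and feeding them to this script is a quick way to answer "did the user actually reach that site?", which the Traffic log alone cannot tell you.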

Create a Custom URL Category


In some situations, you may want to block only a few websites in a particular category, but
you do not want to block the entire category itself. You can accomplish this by creating a
Custom URL Category. Adding individual URLs to the Custom URL Category allows you to
then block the Custom URL Category within a Security Policy rule or within a URL Filtering
Profile.
In this section, you will test access to a URL and then create a Custom URL Category that
includes that URL along with a few others.
78. On the client desktop, open the Chrome browser and connect to www.nbcnews.com.
The browser should display a valid webpage.
79. Close the Chrome browser.
80. In the firewall web interface, select Objects > Custom Objects > URL Category.
81. Click Add.
82. Click Cancel on the message about Append ending token to entries.
83. Configure the following for the Custom URL Category:
Parameter    Value
Name         Block-Per-Company-Policy
Description  URLs that are blocked by company policy.
Type         URL List
Sites        Add the following:
             *.nbcnews.com
             *.theguardian.com


84. Click OK to close the Custom URL Category window.

Use Custom Category to Block URL Access in Security Policy Rule


In this section, you will add your Custom URL Category to a Security Policy rule that has a
“deny” action.
85. In the web interface, select Policies > Security.
86. Highlight the rule for Block-Bad-URLs but do not open it.
87. Click the Enable button at the bottom of the window.
88. Click Block-Bad-URLs to edit the rule.
89. Click the Service/URL Category tab.
90. Under the URL Category, configure the following:
Parameter     Value
URL Category  Add the following to the list:
              Block-Per-Company-Policy


91. Click OK to close the Security Policy Rule window.

Commit the Configuration


92. Click the Commit button at the upper right of the web interface.
93. Leave the settings unchanged and click Commit.
94. Wait until the Commit process is complete.
95. Click Close.

Test Access to Custom URLs Blocked by the Security Policy


Now you will test access to URLs that belong to the Custom URL Category that you added to
a Security Policy deny rule.
96. On the client desktop, open a new tab in Firefox and browse to www.nbcnews.com.
The browser should display an Application Blocked page message because the Custom URL
Category in the Security Policy blocks access to the webpage.
97. In Firefox, open a new tab and browse to www.theguardian.com.
The browser should display the Application Blocked page again.
98. Close the Firefox tabs for www.nbcnews.com and www.theguardian.com.
99. In the firewall web interface, navigate to Monitor > Logs > URL Filtering.
100. Create and apply a filter to display blocked URLs:
( action eq block-url )


101. You should see multiple entries for sessions to www.nbcnews.com and
www.theguardian.com that the firewall has blocked:

Note that several default columns have been hidden in the example URL Filtering log file shown
here.
102. Notice that the Category listed for each of the entries is Block-Per-Company-Policy.

Add Custom URL Category to URL Filtering Profile


In this section, you will set the Block-Per-Company-Policy category to block in the
Corp-URL-Profile URL Filtering Profile.
103. In the firewall web interface, navigate to Objects > Security Profiles > URL Filtering.
104. Edit the Corp-URL-Profile entry.
105. Under the Custom URL Categories section, set the Site Access for
Block-Per-Company-Policy to block.


106. Leave the remaining settings unchanged.
107. Click OK.
108. In the web interface, select Policies > Security.
109. Highlight the entry for Block-Bad-URLs but do not open it.
110. Click Disable at the bottom of the window.

Note that you are disabling this rule because Security Policy rules are evaluated top-down
and the first match wins: while Block-Bad-URLs is enabled and matches these sessions, the
firewall denies them before it reaches the Users_to_Internet rule, which allows the traffic
and applies the URL Filtering Profile. Disabling the rule lets you test the profile on its own.

Commit the Configuration


111. Click the Commit button at the upper right of the web interface.
112. Leave the settings unchanged and click Commit.
113. Wait until the Commit process is complete.
114. Click Close.

Test Access to Custom URLs Blocked by the URL Filtering Profile


Now you will test access to URLs that belong to the Custom URL Category that you added to
the URL Filtering Profile.
115. On the client desktop, open a new tab in Firefox and browse to www.nbcnews.com.
116. The browser should display a Web Page Blocked message.

117. In the Firefox browser, open a new tab and connect to www.theguardian.com.
The browser should display the Web Page Blocked page again.
118. Close the Firefox tabs for www.nbcnews.com and www.theguardian.com.


Create an EDL to Block Malicious URL Access
You can add a list of malicious URLs to a file on an external web server, and then configure
the firewall to access the list as an External Dynamic List (EDL). The advantage of this
approach is that the firewall re-fetches the list on the interval you configure and applies the
new entries without a commit; if you instead added each new URL to a Security Policy rule
or a Custom URL Category, every change would require a commit.
The list source is also a trust boundary: whoever can modify the file, or tamper with it in
transit, controls what the firewall blocks (or silently stops blocking). This lab fetches the list
over plain HTTP from an internal server; in production, serve the list over HTTPS and attach a
Certificate Profile to the EDL so that the firewall authenticates the server.
119. In the firewall web interface, select Objects > External Dynamic Lists.
120. Click Add.
121. Click Cancel on the message about Append ending token to entries.
122. Configure the following:
Parameter          Value
Name               malicious-urls-edl
Type               URL List
Description        List of malicious URLs maintained on Extranet server
Source             http://192.168.50.80/malicious-urls.txt
                   (The EDL contains several URLs for testing purposes; duckduckgo.com is
                   one of them.)
Check for updates  Every Five Minutes

The malicious-urls.txt file contains entries for duckduckgo.com.
123. Click OK to close the External Dynamic Lists window.
124. Click malicious-urls-edl.
The External Dynamic Lists window should open again.
125. Click Cancel on the message about Append ending token to entries.
126. Click Test Source URL to verify that the firewall can access the EDL URL.
127. A message window should open and state that the source URL is accessible.

128. Click Close to close the message window.


129. Click OK to close the External Dynamic Lists window.
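Because the EDL is fetched and applied without a commit, mistakes in the file take effect just as quickly as intended changes. The Python script below is an added example (not from this guide or from Palo Alto Networks) for normalizing and validating a URL list before you publish it as malicious-urls.txt: it strips schemes, de-duplicates, and rejects entries that would match every URL. The input list is constructed, and the format rules it enforces (no scheme, whole-label wildcards, a 255-character maximum) are assumptions to verify against the PAN-OS documentation for your release.

```python
import re

# Constructed list, modelled on the lab's malicious-urls.txt (which contains
# duckduckgo.com). The messy entries are deliberate so that the normalizer has
# something to fix; they are not taken from any real feed.
RAW_LIST = """# hosts pulled from the threat-intel feed (constructed)
duckduckgo.com
http://www.hacker9.com/
HTTPS://Evil.Example/path/to/payload
*.nbcnews.com
*.theguardian.com
duckduckgo.com
bad entry with spaces
*
"""

# Assumed format rules for a URL List EDL (verify against the PAN-OS
# documentation for your release): one entry per line, no scheme, wildcards
# standing for whole labels only, and nothing that would match every URL.
MAX_ENTRY_LEN = 255  # assumed limit
_ALLOWED = re.compile(r"^[A-Za-z0-9.\-_/*^~:%?=&+]+$")


def normalize_entry(line):
    """Return the cleaned entry, or None if the line should be dropped.

    Lines starting with '#' are treated as comments by this script and are
    removed before publishing, so the published file contains entries only.
    """
    entry = line.strip()
    if not entry or entry.startswith("#"):
        return None
    entry = re.sub(r"^[a-z]+://", "", entry, flags=re.IGNORECASE)  # drop http:// etc.
    # Lower-case only the host; the path may be case-sensitive on the server.
    host, sep, path = entry.partition("/")
    entry = host.lower() + sep + path
    if entry.endswith("/"):
        entry = entry[:-1]  # trailing slash adds nothing
    return entry


def validate_entry(entry):
    """Return a reason string if the entry is unsafe or malformed, else None."""
    if entry in ("*", "*.*", "*/"):
        return "would match every URL"
    if not _ALLOWED.match(entry):
        return "contains characters not allowed in a URL entry"
    host = entry.split("/", 1)[0]
    if "*" in host and not all(label == "*" or "*" not in label for label in host.split(".")):
        return "wildcard must stand for a whole label (use *.example.com)"
    if len(entry) > MAX_ENTRY_LEN:
        return "entry longer than %d characters" % MAX_ENTRY_LEN
    return None


def build_edl(raw_text):
    """Normalize, validate and de-duplicate; returns (accepted, rejected).

    rejected is a list of (line number, original line, reason) tuples so the
    person maintaining the feed can fix the source rather than the output.
    """
    accepted, rejected, seen = [], [], set()
    for lineno, line in enumerate(raw_text.splitlines(), 1):
        entry = normalize_entry(line)
        if entry is None:
            continue
        problem = validate_entry(entry)
        if problem:
            rejected.append((lineno, line.strip(), problem))
            continue
        if entry in seen:
            continue
        seen.add(entry)
        accepted.append(entry)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = build_edl(RAW_LIST)
    print("\n".join(ok))  # this is what you publish as malicious-urls.txt
    for lineno, line, why in bad:
        print("rejected line %d (%s): %r" % (lineno, line, why))
```

Publish only the accepted entries, then compare the entries the firewall shows for the list under Objects > External Dynamic Lists with the accepted output; a difference means the firewall dropped something the script let through, and the assumed format rules need adjusting.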


Block Access to the URL List with a Security Policy Rule
Now you will add the EDL containing the malicious URL list to a Security Policy rule with a
“deny” action.
130. In the web interface, select Policies > Security.
131. Click Block-Bad-URLs to edit the rule.
132. Click the Service/URL Category tab and configure the following:
Parameter Value

URL Category Add malicious-urls-edl to the list.


This EDL will block access to duckduckgo.com.

133. Click OK to close the Security Policy Rule window.


134. With the Block-Bad-URLs Security Policy rule highlighted, click Enable at the bottom
of the window.

Commit the Configuration


135. Click the Commit button at the upper right of the web interface.
136. Leave the settings unchanged and click Commit.
137. Wait until the Commit process is complete.
138. Click Close.


Test Access to URLs Blocked by the EDL in the Security Policy
In this section, you will test access to a URL that is contained in the EDL that you added to a
Security Policy rule with a “deny” action.
139. In Firefox, open a new tab and browse to http://duckduckgo.com.
The browser will display an Application Blocked page because the EDL in the Security Policy
rule blocks access to duckduckgo.com.
140. Close the tab for duckduckgo.com.
141. In the firewall web interface, navigate to Monitor > Logs > URL Filtering.
142. Clear any filters you have in place.
143. Create and apply a filter that will display entries that have an action of block-url:
( action eq block-url )
144. You should see multiple entries for sessions to duckduckgo.com that the firewall has
blocked:

Note that several default columns have been hidden in the example URL Filtering log file shown
here.
145. In the web interface, select Policies > Security.
146. Highlight the entry for Block-Bad-URLs but do not open it.
147. Click Disable at the bottom of the window.

Commit the Configuration


148. Click the Commit button at the upper right of the web interface.
149. Leave the settings unchanged and click Commit.
150. Wait until the Commit process is complete.
151. Click Close.


Stop. This is the end of the lab.


Lab 11: Blocking Unknown Threats with WildFire
Your company has recently seen an increase in malicious files that users are downloading. You
have sent out informational emails explaining how much damage these types of files can do, and
you have told people not to download files from questionable sources.
Fortunately, you have deployed the Palo Alto Networks firewall, and you can set up a Security
Profile that will send any unknown files to the WildFire cloud for analysis.
To test the Security Profile after you have configured it, you will download a test file provided
by Palo Alto Networks. This test file is not actually malicious, but WildFire will identify it as
such.
You will then examine a detailed report from WildFire with information about the file that was
analyzed.


Lab Objectives
• Create a WildFire Analysis Profile
• Apply WildFire Profile to security rules
• Test the WildFire Analysis Profile
• Examine WildFire analysis details

High-Level Lab Steps


Apply a Baseline Configuration to the Firewall
• Load and commit the configuration file - edu-210-11.0b-11.xml - to the Firewall

Create a WildFire Analysis Profile


• Use the information in the tables below to create a WildFire Analysis Security Profile
that you can attach to Security Policy rules to test files and URLs for malware.
Parameter Value
Name Corp-WF
Description WildFire profile for Corp security rules.

• Click Add in the bottom left corner and configure the following:
Profile Details Value
Name All_Files
Applications any
File Types any
Direction Both
Analysis public-cloud

Modify Security Profile Group


• Add the Corp-WF Profile to the Corp-Profiles-Group.
• Disable all but the Corp-WF Security Profile.
Doing this ensures that the firewall will only use WildFire and no other Security Profiles such as
Anti-Virus or Machine Learning for this lab.


Update WildFire Settings
• Enable the options for Report Benign Files and Report Grayware Files under the
General Settings for WildFire.

Commit the Configuration


• Commit the changes before proceeding.

Test the WildFire Analysis Profile


• Use the Chrome browser and connect to:
http://192.168.50.80/wildfire-test-pe-file.exe
• Save the file when prompted
• Use the Remmina application and connect to Firewall-A
• Use the command debug wildfire upload-log show to verify that the test file was
uploaded

Examine WildFire Analysis Details


• Examine the WildFire Submissions log file and periodically use the Refresh until you
see a new entry for the wildfire-test-pe-file.exe.
• Examine the Detailed Log View for the entry.
• Note the Verdict of the file.
• Click the link for Download PDF and examine the report to view detailed information
about the Wildfire analysis of the file.


Detailed Lab Steps
Apply a Baseline Configuration to the Firewall
To start this lab exercise, load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot.
3. Click the drop-down list next to the Name text box and select edu-210-11.0b-11.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

4. Click OK.
5. A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
9. Click Close to continue.

Create a WildFire Analysis Profile


In this section you will create a WildFire Analysis Security Profile that you can attach to
Security Policy rules to test files and URLs for malware.
10. In the web interface, select Objects > Security Profiles > WildFire Analysis.
11. Click Add to create a new Profile.
A WildFire Analysis Profile window should open.
12. Configure the following:

Parameter    Value
Name         Corp-WF
Description  WildFire profile for Corp security rules.
13. Click Add in the bottom left corner and configure the following:

Parameter     Value
Name          All_Files
Applications  Verify that any is selected
File Types    Verify that any is selected
Direction     Verify that both is selected
Analysis      Verify that public-cloud is selected

14. Click OK to close the window.


The new WildFire Analysis Profile now should be listed.

Modify Security Profile Group


15. Select Objects > Security Profile Groups.
16. Edit the entry for Corp-Profiles-Group.
17. Use the drop-down list for Wildfire Analysis Profile to select Corp-WF.
18. Set the other Profiles to None:


Doing this ensures that the firewall will only use Wildfire and no other Security
Profiles such as Anti-Virus or Inline Machine Learning.
In a production environment, you definitely want to apply all the Security Profiles
for your Group. In this lab, we only want to test WildFire to see how it operates
alone.

19. Click OK.

Update WildFire Settings


20. Select Device > Setup > WildFire.
21. Click the gear icon to edit the General Settings.
22. Check the boxes for Report Benign Files and Report Grayware Files.
23. Leave the remaining settings unchanged.

24. Click OK.

Commit the Configuration


25. Click the Commit button at the upper right of the web interface.
26. Leave the settings unchanged and click Commit.


27. Wait until the Commit process is complete.
28. Click Close.

Test the WildFire Analysis Profile


29. Open the Chrome browser and connect to:
http://192.168.50.80/wildfire-test-pe-file.exe
30. When Chrome prompts you, select Save.

The server generates a test file with a unique hash on each download, so the firewall has no
cached WildFire verdict for it and must submit the file for analysis; this simulates a
never-before-seen (zero-day) file. The file itself is not malicious.
31. Close the Chrome browser.
32. On the client desktop, open the Remmina application.
33. Open the Firewall-A connection.
34. From the CLI, enter the command debug wildfire upload-log show.
The command should display the output log: 0, filename: wildfire-test-pe-
file.exe processed…. This output verifies that the file was uploaded to the WildFire public
cloud. The message might take a minute or two to display.


Note that the details of the entry you see will differ from the example shown here.
35. Type exit <Enter> to close the SSH session to the firewall.
36. Close the Remmina application window.

Examine WildFire Analysis Details


37. In the firewall web interface, select Monitor > Logs > WildFire Submissions:
Analysis takes 5 to 15 minutes, and the table will remain empty until WildFire has reached a
verdict about the file.

38. Periodically use the Refresh button in the upper right corner of the window until
you see a new entry for the wildfire-test-pe-file.exe.

Note that in this example several default columns have been hidden, and the details of the entry
you see will differ.
39. Click the magnifying glass icon next to the entry to open the Detailed Log View of the
entry.


40. Under the General section, note the Verdict:

Note that the details of the entry you see will differ from this example.
41. Click the tab labeled Wildfire Analysis Report at the top of the Detailed Log View.
42. Click the link for Download PDF.


43. This action will open a PDF version of the Wildfire Analysis Report in another tab of
the Firefox browser.

Note that the information you see in your report may vary from the example shown here.
44. Scroll through the report to view detailed information about the Wildfire analysis of the
file.


For example, section 3.1 provides details about the kind of environment that WildFire used to
test the file along with specific actions that the malware file carried out. Note that the
information you see in your report may vary from the example shown here.
45. Close the Firefox tab that contains the PDF version of the WildFire Analysis Report.
46. Click Close to close the Detailed Log View window.

Stop. This is the end of the lab.


Lab 12: Controlling Access to Network
Resources with User-ID
Your organization recently acquired another company, and you have been tasked to create
appropriate Security Policy rules for traffic generated by these new users.
Your firewall has been configured with a virtual wire that allows traffic to the Internet from the
users in the newly acquired company. The firewall also has a new security zone in place called
Acquisition that contains all new users.
The firewall has an existing Security Policy rule that allows all users in the Acquisition zone to
access any application on the internet. Your task is to restrict users in this new organization to
approved corporate applications only.

The approved corporate applications include DNS, web-browsing, and SSL.


You also need to ensure that only users in the marketing group are allowed to use social media
applications such as Facebook, Instagram, and others.
Another firewall administrator has created the appropriate Application Groups for you.
The firewall receives User-ID and Group membership information about users in this new
company from an XML upload sent by network authentication devices. (Note that this is
simulated in this lab and outside the scope of this course).


You also need to create a Security Policy rule that explicitly denies any other traffic generated by
users in the Acquisition zone. Although the interzone-default rule will deny any traffic not
expressly allowed, creating an explicit deny rule will allow you to examine the kinds of
applications users in the Acquisition zone are attempting to access.

Lab Objectives
• Examine current configuration
• Enable User-ID technology on the Acquisition zone.
• Generate traffic
• Modify Security Policy to meet requirements

High-Level Lab Steps


Apply a Baseline Configuration to the Firewall
• Load and commit the configuration file - edu-210-11.0b-12.xml - to the Firewall

Examine Firewall Configuration


• Review the settings that another administrator has configured for Application Groups and
Security Policy rules, and verify the following settings on the Acquisition-Allow-All
Security Policy rule:

Parameter         Value
Source Zone       Acquisition
Source Address    Any
Destination Zone  any
Destination IP    Any
Application       Any
Action            Allow

• Clear the counters for all Security Policy rules


• Use the information below to verify that the configuration contains two new Application
Groups
Name               Applications
Allowed-Corp-Apps  dns, web-browsing, ssl
Allowed-Mktg-Apps  facebook-base, instagram-base, twitter-base, myspace-base, linkedin-base

Generate Traffic from the Acquisition Zone


• Use Remmina to connect to the Server-Extranet host
• Change to the appropriate directory
cd /home/paloalto42/pcaps92019/app.pcaps <Enter>
• Run the following command to start generating traffic in the Acquisition Zone:
./Appgenerator-2.sh <Enter>
• While the script is running, examine the firewall Traffic log under Monitor > Logs >
Traffic.
• Note that almost all traffic is hitting the Acquisition-Allow-All Rule.
• Add the Source User column to the Traffic Log

Enable User-ID on the Acquisition Zone


• Edit the Acquisition Security zone and check the box for Enable User Identification


Modify the Acquisition-Allow-All Security Policy Rule
• Change the name of the Security Policy rule Acquisition-Allow-All to Allow-Corp-
Apps
• Change the Description field to Allows only approved apps for Acquisition
users.
• Set the Applications to use only the Allowed-Corp-Apps Application Group

Create Marketing Apps Rule


• Use the information below to create a Security Policy rule to allow only Marketing users
to access the Allowed-Mktg-Applications
Parameter               Value
Name                    Allow-Mktg-Apps
Description             Allows only users of marketing group to access Mktg apps
Source Zone             Acquisition
Source User             marketing
Destination Zone        any
Application             Allowed-Mktg-Apps
Dependent Applications  Add to Current Rule
Action                  Allow

Create Deny Rule


• Use the information below to create a new Security Policy rule that will deny any other
application traffic for users in the Acquisition zone.
Parameter         Value
Name              Deny-All-Others
Description       Denies non-approved applications for users in Acquisition zone
Source Zone       Acquisition
Source User       Any
Destination Zone  any
Application       Any
Action            Deny

• Place the Deny-All-Others rule at the bottom of the Security Policy.

Commit the Configuration


• Commit the changes before proceeding

Generate Traffic from the Acquisition Zone


• Use the Extranet-Server connection in the Remmina application to run the
Appgenerator-2.sh script again
• While the script is running, move to the next section in which you will examine the
firewall logs

Examine User-ID Logs


• Use the firewall CLI and the web interface to examine information about User-ID
• The firewall should have numerous entries with username-to-ip-address mappings in the
User-ID log
• Use the Remmina application to connect to the CLI of Firewall-A
• Use the following command to display entries for User-ID:
show user ip-user-mapping all <Enter>
• Close the firewall SSH connection.

Examine Firewall Traffic Log


• Create and apply filters in the Traffic log to answer the questions in this section.
Which rule does the firewall use when it encounters youtube-base traffic?

Which rule does the firewall use when it encounters dns traffic?

Which rule does the firewall use when it encounters facebook-base?


Which users are allowed access to facebook-base?

Is the user sholmes allowed to access instagram-base?

Is the user bbart allowed to access instagram-base?

Clean Up the Desktop


• In the Traffic log window on the firewall, clear any filters you have in place
• In the Remmina application window, close the SSH connections to the firewall and the
Server-Extranet
• Close the main Remmina application window

Detailed Lab Steps


Apply a Baseline Configuration to the Firewall
To start this lab exercise, load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot.
3. Click the drop-down list next to the Name text box and select edu-210-11.0b-12.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

4. Click OK.
5. A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.


9. Click Close to continue.

Examine Firewall Configuration


In this section, you will review the settings that another administrator has configured for
Application Groups and Security Policy rules.
10. Select Policies > Security.
11. Edit the entry for Acquisition-Allow-All.
12. Select the Source tab.

13. Note that the Source Zone is set to Acquisition.


14. Select the Destination tab.
15. Note that the Destination Zone is set to any.


16. Select the Application tab.

17. Note that the Application is set to Any.


18. Select the Actions tab.

19. Note that the Action is set to Allow.


20. Click OK to close the Security Policy Rule window.

This Security Policy rule allows any host in the Acquisition security zone to access any
application anywhere.
21. Clear the counters for all Security Policy rules by clicking Reset Rule Hit Counter >
All rules at the bottom of the window.


This action will allow you to see how many times the rules are accessed from this point forward.
22. Click Yes in the Reset window.
23. Select Objects > Application Groups.
24. Note the two new Application Groups:

You will configure the firewall to allow all users in the Acquisition zone to use the Allowed-Corp-
Apps. However, only users in the Marketing group will be able to use applications in the
Allowed-Mktg-Apps group.

Generate Traffic from the Acquisition Zone


25. On the client workstation, open Remmina.
26. Open the connection to the Server-Extranet.
27. Enter the following command to change directories:
cd /home/paloalto42/pcaps92019/app.pcaps <Enter>

28. Run the following command to start generating traffic in the Acquisition Zone:
./Appgenerator-2.sh <Enter>

29. While the script is running, examine the firewall Traffic log under Monitor > Logs >
Traffic.
30. Clear any filters you may have in place.
31. Note that almost all traffic is hitting the Acquisition-Allow-All Rule.
32. If the Source User column is not already displayed, add it to the table by clicking the
small triangle in any header and choosing Columns > Source User.


33. Drag and drop the Source User column between the Source and Destination columns

This action will make it easier for you to locate Source User information later in this lab. Note
that the Source User column will be empty because you have not yet enabled User-ID.

Enable User-ID on the Acquisition Zone


In this section you will enable User-ID on the Acquisition Security zone as part of the process of
enabling User-ID on a firewall.
34. In the web interface, select Network > Zones.
35. Click Acquisition to open the zone.
The Zone configuration window should open.
36. Select the Enable User Identification check box:


37. Click OK to close the Zone configuration window.

Modify the Acquisition-Allow-All Security Policy Rule


You will now change the set of applications that Acquisition users are allowed to access by
modifying the existing Acquisition-Allow-All rule.
38. Select Policies > Security.
39. Edit the entry for Acquisition-Allow-All.
40. Under the General tab, change the Name of this rule to Allow-Corp-Apps.
41. For Description, change the entry to Allows only approved apps for
Acquisition users.

42. Select the Application tab.


43. Uncheck the option for Any.
44. Click Add and enter the first few letters of the Allowed-Corp-Apps to display the
Application Groups available:
45. Select Allowed-Corp-Apps.


46. Click OK to close this Security Policy Rule window.

Create Marketing Apps Rule


Create a new Security Policy rule to allow only Marketing users to access the Allowed-Mktg-
Applications.
47. In Policies > Security, click Add.
48. Under the General tab, enter Allow-Mktg-Apps for the Name.
49. For Description, enter Allows only users of marketing group to access
Mktg apps.

50. Select the Source tab.


51. Under Source Zone, click Add.
52. Select Acquisition.
53. Under the Source User column, click Add and enter marketing.


54. Select the Destination tab.
55. Use the drop-down list at the top to select any.

56. Select the Application tab.


57. Uncheck the option for Any.


58. Click Add and enter the first few letters of the Allowed-Mktg-Apps to display the
Application Groups available:

59. Select Allowed-Mktg-Apps.


60. In the right side of the Application window, place a check box beside DEPENDS ON:

This action will select all the individual applications under the DEPENDS ON column. Note that
the list of applications in the Depends On column may differ from the example here.
61. Click Add to Current Rule to add these applications to this Security Policy rule.

62. Select the Action tab.


63. Verify that the Action is set to Allow.


When you create a new Security Policy rule, the default setting for Action is Allow. However, it is
always a good practice to verify this setting before closing the window.
64. Click OK to close this Security Policy Rule window.

Create Deny Rule


Create a new Security Policy rule that will deny any other application traffic for users in the
Acquisition zone.
65. In the Security Policy table, click Add.
66. Select the tab for General.
67. For Name, enter Deny-All-Others.
68. For Description, enter Denies non-approved applications for users in
Acquisition zone.

69. Select the tab for Source.


70. Under the Source Zone column, click Add and select Acquisition.

Note that you do not need to specify any users or user groups under the Source User column.
Because the drop-down list is set to any, this rule will deny traffic to any user, regardless of
group membership.


71. Select the tab for Destination.
72. Use the drop-down list at the top to select any.

73. Select the tab for Application and verify that Any is checked.

74. Select the tab for Actions.


75. Change the Action to Deny.

76. Click OK to close this Security Policy Rule window.


77. Verify that the Deny-All-Others rule appears at the bottom of the Security Policy.


78. If the “Deny-All-Others” rule does not appear at the bottom of the ruleset, use the Move
Down button to place the rule just above the “intrazone-default” rule.

Commit the Configuration


79. Click the Commit button at the upper right of the web interface.
80. Leave the settings unchanged and click Commit.
81. Wait until the Commit process is complete.
82. Click Close.

Generate Traffic from the Acquisition Zone


83. On the client workstation, select the window for the Remmina application.
84. Select the tab for Extranet-Server connection.
85. Use the up arrow key to retrieve the previous command:
./Appgenerator-2.sh

86. Press Enter to launch the script again.


87. While the script is running, move to the next section in which you will examine the
firewall logs.

Examine User-ID Logs


You can see information about User-ID through the firewall CLI or in the web interface. In this
section, you will use both tools to examine User-ID entries.
88. In the firewall web interface, select Monitor > Logs > User-ID.
89. The firewall should have numerous entries with username-to-ip-address mappings:

Note that the entries you see will differ from this example.
90. On the client desktop, locate the main window for the Remmina application.


91. Double-click the Firewall-A connection.
92. This action will open a connection to the firewall CLI.
93. In the firewall CLI, enter the following command to display entries for User-ID:
show user ip-user-mapping all <Enter>

94. The firewall will display User-ID information:

95. When you have finished examining the User-ID information, type exit <Enter> to
close the firewall SSH connection.

Examine Firewall Traffic Log


Create and apply filters in the Traffic log to answer the questions in this section.
96. In the firewall web interface, select Monitor > Logs > Traffic.
97. Write down your answers to the following questions in the space provided or on
notepaper:
Question: Which rule does the firewall use when it encounters youtube-base traffic?
Hint: Use the filter ( app eq youtube-base )

Answer: Deny-All-Others

Question: Which rule does the firewall use when it encounters dns traffic?
Hint: Use the filter ( app eq dns )

Answer: Allow-Corp-Apps (in some cases, you may also see Users_to_Extranet)

Question: Which rule does the firewall use when it encounters facebook-base?



Hint: Use the filter ( app eq facebook-base )

Answer: Allow-Mktg-Apps and Deny-All-Others (depending on the Source User)

Question: Which users are allowed access to facebook-base?


Hint: Use the filter ( app eq facebook-base ) and ( action eq allow )

Answer: chicago\hpoirot; chicago\sholmes; chicago\vhelsing

Question: Is the user sholmes allowed to access instagram-base?


Hint: Use the filter ( app eq instagram-base ) and ( user.src eq 'chicago\sholmes' )

Answer: Yes

Question: Is the user bbart allowed to access instagram-base?


Hint: Use the filter ( app eq instagram-base ) and ( user.src eq 'chicago\bbart' )

Answer: No

Clean Up the Desktop


98. In the Traffic log window on the firewall, clear any filters you have in place.
99. In the Remmina window on the client workstation, select the tab for the Server-
Extranet.
100. Close the SSH connection by typing exit <Enter>.
101. Close the main Remmina application window.



Stop. This is the end of the lab.



Lab 13: Using Decryption to Block Threats in
Encrypted Traffic
As an astute network security professional, you have noticed the dramatic increase of HTTPS
secure traffic over the past few years. Correspondingly, you have noticed that very few websites
even use unencrypted HTTP traffic anymore. Virtually all network traffic is now encrypted.
You know that HTTPS protects privacy and sensitive data in transit between hosts, but you have
begun to realize that HTTPS also hides potentially damaging data as well. Encrypted traffic into
and out of your network might contain viruses, spyware, vulnerability exploits and other
damaging types of data.
You need to make certain that the Palo Alto Networks firewall can inspect even encrypted
traffic, so you have decided to implement decryption. This process will allow the firewall to
decrypt HTTPS traffic, inspect it and then block any sessions that contain malicious content.

Right now, you do not have budget funds available to build a corporate PKI infrastructure to
generate a decryption certificate from a CA (certificate authority). However, you can generate a
self-signed CA certificate on the Palo Alto Networks firewall and deploy that for decryption.



HR has also told you that there are certain types of traffic from employees that should not be
decrypted because those transactions might contain personally identifiable information (PII).
You need to exclude certain categories of websites (such as finance and healthcare) from
decryption. You will create a No-Decrypt rule to prevent the firewall from decrypting traffic to
and from these kinds of websites.

Lab Objectives
• Load a lab configuration
• Test the firewall without decryption
• Create a self-signed certificate for trusted connections
• Create a self-signed certificate for untrusted connections
• Create and test a Decryption Policy rule for outbound traffic
• Test outbound Decryption Policy rule
• Export the firewall certificate and import to Firefox
• Test outbound Decryption Policy again
• Review firewall logs
• Exclude URL categories from decryption using a No-Decrypt rule
• Test the No-Decrypt rule

High-Level Lab Steps


Apply a Baseline Configuration to the Firewall
• Load and commit the configuration file - edu-210-11.0b-13.xml - to the Firewall

Test the Firewall Behavior Without Decryption


• On the client-A host, use the Firefox browser and browse to the following URI:
http://192.168.50.80/eicar.com
• Note the block page that the firewall presents
Your Antivirus Security Profile is in place and has blocked this file.
• Use Firefox to browse to www.eicar.org.
• In the Eicar website, navigate to Download Anti Malware Testfile > Download
area using the secure, SSL enabled protocol HTTPS
• Download the eicar.com file
• When prompted to save the file, click Cancel.
• Close the Firefox browser.



Create A Self-Signed Certificate for Trusted Connections
Use the information in the table below to create a self-signed certificate to use as a Forward
Trust Certificate.
Parameter Value
Certificate Name Type trusted-cert
Common Name Type 192.168.1.1
Certificate Authority Select the Certificate Authority check box
Forward Trust Certificate Checked

Create a Decryption Policy Rule for Outbound Traffic


Use the information below to create a Decryption Policy rule that will decrypt HTTPS traffic
from the Users_Net security zone to the Internet security zone.
Parameter Value
Name Decrypt_User_Traffic
Description Decrypts web traffic from Users_Net.
Source Zone Users_Net
Source Address Any
Source User Any
Destination Zone Internet, Extranet
Destination Address Any
Service any
URL Category Any
Action Decrypt
Type SSL Forward Proxy
Decryption Profile None

Commit the Configuration


• Commit the changes before proceeding



Test Outbound Decryption Policy
• Use Firefox and browse to https://www.bing.com.
• Use the Advanced > View Certificate buttons to note that the Issuer Name section
contains 192.168.1.1
• Close the Firefox browser.

Export the Firewall Certificate


• From the firewall web interface, export the trusted-cert as a Base64 Encoded Certificate
(PEM)
• Save the file to the Downloads folder of the Client-A host

Import the Firewall Certificate to Firefox


• Use the Certificate Manager in Firefox to import cert_trusted-cert.crt into the
Authorities section.
• Set Firefox to Trust this CA to identify websites and Trust this CA to identify email
users.

Test Outbound Decryption Policy Again


• In Firefox, browse to https://www.eicar.org
• Navigate to Download Anti Malware Testfile > Download
• Attempt to download the eicar.com file
• You will receive a warning page from the firewall indicating that it has detected and
blocked the malicious file download
• Close the Firefox browser.

Review Firewall Logs


• Add the Decrypted column to the Traffic Log
• Drag and drop the Session End Reason column from the right side of the table to the
beginning of the table.
• Create and apply a filter to display entries that have been decrypted from the client
workstation and that have been terminated because of a detected threat in the traffic
• Examine the Detailed Log View of a matching entry to see details about the session
• Use the Threat Log to locate entries about the eicar.com test file that the firewall
detected and blocked

Exclude URL Categories from Decryption


• Use the information below to create an entry in the Decryption Policy that will exclude
certain URL categories from decryption



Parameter Value
Name No-Decryption
Description Do not decrypt URLs in gov, shopping and finance
Source Zone Users_Net
Destination Zone Internet
Service any
URL Category government, financial-services, shopping
Action No Decrypt
Type SSL Forward Proxy
Note that in a production environment, the URL Categories which you exclude from decryption
will depend on many factors. Company policy, national privacy laws, HR concerns, destination
country – all of these can dictate what types of traffic you should or should not decrypt. The
examples we use here are simple ones to illustrate how to exclude URL categories from decryption.

• Place this rule at the top of the Decryption Policy

Commit the Configuration


• Commit the changes before proceeding

Test the No-Decryption Rule


• Use Firefox to browse to a website that falls into one of the excluded categories.
• Connect to https://texas.gov
• Examine the certificate issued to the texas.gov website
• Note that the Issuer Name is not 192.168.1.1 (the firewall)



Detailed Lab Steps
Apply a Baseline Configuration to the Firewall
To start this lab exercise, load a preconfigured firewall configuration file.
1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot.
3. Click the drop-down list next to the Name text box and select edu-210-11.0b-13.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

4. Click OK.
5. A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
9. Click Close to continue.

Test the Firewall Behavior Without Decryption


10. On the client desktop, open a new tab in Firefox and browse to
http://192.168.50.80/eicar.com
11. You should get a page indicating that the connection was reset:

12. Close the Firefox tab for the eicar file download.
13. In the firewall web interface, navigate to Monitor > Logs > Threat.



14. You should see one or more entries for vulnerability indicating that the firewall blocked
the Eicar file download:

Because the connection between the client and the server is not encrypted, the firewall is able
to examine the traffic and block malicious content.
15. In Firefox, open a new tab and browse to https://192.168.50.80/eicar.com.
16. If Firefox presents a Warning window, click the Advanced button.

17. Click Accept the Risk and Continue.

The web server is using a self-signed SSL certificate, which is why Firefox presents this warning.



18. When you are prompted to save the file, click Cancel.

Notice that the download is not blocked because the connection is encrypted, and the virus is
hidden. This exercise proves that without Decryption, the firewall is unable to examine the
contents of a secure connection and cannot scan for malicious content.
19. Close the Firefox tab for the eicar file download.

Create Certificate for Trusted Connections


In this section, you will generate a certificate on the firewall that will be used when clients
connect to HTTPS websites that have certificates issued by trusted certificate authorities.
The firewall will use this certificate as part of the decryption process between clients and
trusted HTTPS websites.
20. In the web interface, select Device > Certificate Management > Certificates.
21. Click Generate at the bottom of the page to create a new CA certificate:

22. Configure the following:

Parameter Value
Certificate Name trusted-cert
Common Name 192.168.1.1
Certificate Authority Select the Certificate Authority check box



23. Leave the remaining settings unchanged and click Generate to create the certificate.
A Generate Certificate status window should open that confirms that the certificate and key
pair were generated successfully.
24. Click OK to close the Generate Certificate success window.
25. You should have a new entry in the Device Certificates table:

26. Edit the entry for trusted-cert by clicking it.


27. Place a check in the box for Forward Trust Certificate.



28. Leave the remaining settings unchanged.

This action instructs the firewall to use this certificate to decrypt traffic between clients and
sites which have a trusted HTTPS certificate.
Note that the dates for Not Valid Before and Not Valid After will be different for your certificate.
29. Click OK.

Create a Certificate for Untrusted Connections


In this section, you will generate a certificate on the firewall that will be used when clients
connect to HTTPS websites that do not have certificates issued by trusted certificate
authorities.
The firewall will use this certificate as part of the decryption process between clients and
untrusted HTTPS websites.
30. In the web interface, select Device > Certificate Management > Certificates.
31. Click Generate at the bottom of the page to create a new CA certificate:

32. Configure the following:

Parameter Value
Certificate Name untrusted-cert
Common Name DO NOT TRUST
Certificate Authority Select the Certificate Authority check box

33. Leave the remaining settings unchanged and click Generate to create the certificate.
A Generate Certificate status window should open that confirms that the certificate and key
pair were generated successfully.
34. Click OK to close the Generate Certificate success window.
35. You should have a new entry in the Device Certificates table.
36. Edit the entry for untrusted-cert by clicking it.
37. Place a check in the box for Forward Untrust Certificate.



38. Leave the remaining settings unchanged.

This action instructs the firewall to use this certificate when it encounters a site that is not
trusted – one that has a self-signed certificate, for example.
Note that the dates for Not Valid Before and Not Valid After will be different for your certificate.
39. Click OK.
40. You should now have two entries in the Device Certificates table:

Note that the dates for Expires will be different for your certificates.

Create a Decryption Policy Rule for Outbound Traffic


In this section, you will create a Decryption Policy to decrypt HTTPS traffic from the
Users_Net security zone to the Internet security zone.
41. In the firewall web interface, select Policies > Decryption.
42. Click Add to create a decryption Policy rule.
A Decryption Policy Rule window should open.
43. Configure the following:



Parameter Value
Name Decrypt_User_Traffic
Description Decrypts web traffic from Users_Net

44. Click the Source tab and configure the following:


Parameter Value
Source Zone Users_Net
Source Address Verify that the Any check box is selected
Source User Verify that any is selected

45. Click the Destination tab and configure the following:


Parameter Value
Destination Zone Internet, Extranet
Destination Address Verify that the Any check box is selected


46. Click the Service/URL Category tab and verify that the Service is set to Any and that
the box for Any above URL Category is checked:

Note that the Any setting for URL category instructs the firewall to decrypt all HTTPS traffic,
regardless of the type of website users are accessing. Decrypting traffic from users to website
categories such as Health and Medicine, Shopping or Government can expose Personally
Identifiable Information (PII). In a production environment, you will need to make sure you only
decrypt traffic that is appropriate.
Later in this lab, you will exclude several categories of websites as an illustration.
47. Click the Options tab and configure the following:

Parameter Value
Action Decrypt
Type Verify that SSL Forward Proxy is selected
Decryption Profile Select default



48. Leave the remaining settings unchanged.
49. Click OK to close the Decryption Policy Rule configuration window.
50. Verify that your configuration matches the following:

Note that several columns have been hidden or rearranged in the example shown here.

Commit the Configuration


51. Click the Commit button at the upper right of the web interface.
52. Leave the settings unchanged and click Commit.
53. Wait until the Commit process is complete.
54. Click Close.

Test Outbound Decryption Policy


55. In Firefox, open a new tab and browse to https://www.paloaltonetworks.com.
56. The browser presents a Caution message.



Note: The Firefox browser on the client workstation does not trust the certificate generated by
the firewall (192.168.1.1).
57. Click the button for Advanced.
58. Click the link for View Certificate.



59. Under the section for *paloaltonetworks.com, note the Issuer Name section contains
192.168.1.1:

This certificate has been issued on behalf of *.paloaltonetworks.com by the firewall
(192.168.1.1) using the Trusted Certificate you created earlier. The client browser does not trust
this certificate because it is “self-signed” by the firewall. In the next section, you will fix this
issue so that the Firefox browser trusts certificates issued by the firewall.
60. Close the Firefox tabs for the certificate and for the Warning, but leave open the firewall
web interface tab.

Export the Firewall Certificate


To make users’ web browsing experience seamless while implementing decryption, you will
export the trusted certificate from the firewall and import the certificate into Firefox on the
Client host.



61. In the firewall web interface, select Device > Certificate Management > Certificates.
62. Highlight but do not open trusted-cert.
63. At the bottom of the window, click Export Certificate to open the Export Certificate
configuration window.
64. Use the drop-down list for File Format to select Base64 Encoded Certificate (PEM).
65. Uncheck the box for Export Private Key.
66. Leave all other settings unchanged and click OK to export the trusted-cert CA certificate.

67. Save the file to the workstation’s Downloads folder:



Import the Firewall Certificate
68. Open the Firefox web browser.
69. In the upper right corner of the Firefox browser window, click the “hamburger” button
and choose Settings:



70. On the left side of the screen, select Privacy & Security:



71. Scroll to the bottom of the screen and locate the Certificates section.
72. Click the button for View Certificates.

73. Under the Authorities tab, click Import.



74. Select the Downloads folder.
75. Highlight the entry for cert_trusted-cert.crt.
76. Click Open.

77. In the Downloading Certificate window, place checks in both boxes for Trust this CA
to …

78. Click OK.



79. The firewall trusted-cert entry appears in the list of certificate authorities:

The Firefox browser will trust any certificate issued by the entities in this Authorities list. By
adding the firewall certificate to this list, the Firefox browser will trust any certificates issued by
the firewall. Note that the process of importing certificates to client workstations varies based
on the browser type and the operating system.
If the certificate for 192.168.1.1 does not appear at the top of the list, click OK and then click
View Certificates again.
80. Click OK to close the Certificate Manager window.
81. Close Firefox.
82. Open Firefox and browse to https://www.paloaltonetworks.com.
83. Notice that you do not get any warning messages about certificates.

Test Forward Untrust Certificate


When a web browser connects to a site that has a self-signed or untrusted certificate, the firewall
will present the Forward Untrust Certificate. The web server in the Extranet zone has a self-
signed certificate; in this section, you will see how the firewall presents the DO NOT TRUST
certificate you created.
84. In Firefox, connect to https://192.168.50.80.
85. Note the Warning message that Firefox presents:



86. Click Advanced.
87. Click View Certificate.

88. Note the information in the certificate:

You can tell that the firewall has intervened in this connection and presented the Forward
Untrust certificate you created.
89. Close the tab for Certificate for 192.168.50.80.



90. Leave Firefox running.

Test Outbound Decryption Policy Again


91. In the Firefox warning window, click Accept the Risk and Continue:

92. You will see the default page for the web server in the Extranet:

93. Attempt to download the virus file by appending eicar.com to the end of the link
https://192.168.50.80/eicar.com <ENTER>
94. The connection will not succeed, and you will receive a message from the browser:



Note that the kind of message a client receives will vary depending on the browser.
95. Close the Firefox browser.

Review Firewall Logs


In this section, you will examine information in the firewall Logs to see more details about the
decryption process.
96. Open Firefox and connect to firewall-a (https://192.168.1.254).
97. In the firewall web interface, select Monitor > Logs > Traffic.
98. Click the small triangle to the right of the Threat ID/Name column header.
99. Add the Decrypted column to the table by selecting Columns > Decrypted.

100. Drag and drop the Session End Reason column from the right side of the table to the
beginning of the table:



This is not a requirement, but placing this column at the beginning of the table will make it
easier for you to locate entries that have ended because of unusual actions taken by the firewall
(such as detecting a threat).
101. Create and apply a filter to display entries that have been decrypted from the client
workstation and that have been terminated because of a detected threat in the traffic:
( flags has proxy )
The filter syntax “flags has proxy” displays entries that have been decrypted (the value will show
as yes in the Decrypted column). Entries that match the filter indicate that the firewall carried
out a proxy connection for decryption.
102. Click the magnifying glass next to the most recent entry listed to see details about the
session.
103. Scroll down in the upper section of the window until you see the Flags section in the
right column.
104. Note the Decrypted box is checked, indicating that the firewall decrypted this session.

The details you see will differ from the example shown, but you should see similar information.
105. Select Monitor > Logs > Threat.



106. Add the Decrypted column to the table.
107. Create and apply a filter in the Threat Log to show decrypted session:
( flags has proxy )

108. Click the magnifying glass icon next to the entry for vulnerability.
109. In the top portion of the window, scroll down until you can see the Details section in the
middle column.
110. You can see information about the file that the firewall detected and blocked:

Note the ID number 39040 and the link View in Threat Vault. The ID number is a unique value
assigned to each threat by Palo Alto Networks. Threat Vault is an online database maintained by
Palo Alto Networks with extensive information about each threat. Access to Threat Vault
requires a support account.

111. In the bottom of the window, highlight an entry with Type vulnerability to see more
information about why the firewall terminated this connection.



Note that when you select the row, the information in the top half of the window changes.
112. Click Close in the Detailed Log View.
113. Clear the filter you have in place in the Threat log by clicking the X in the upper right
corner of the window.

Exclude URL Categories from Decryption


The existing Decryption Policy rule you created instructs the firewall to decrypt all traffic,
regardless of the URL category. In this section, you will configure a No-Decrypt rule that
instructs the firewall to exclude sensitive categories of web traffic from decryption in order to
avoid exposing PII (Personally Identifiable Information).



Note that in a production environment, the URL Categories which you exclude from decryption
will depend on many factors. Company policy, national privacy laws, HR concerns, destination
country – all of these can dictate what types of traffic you should or should not decrypt. The
examples we use here are simple ones to illustrate how to exclude URL categories from decryption.
114. In the firewall web browser, select Policies > Decryption.
115. Click Add.
116. Under the General tab, enter No-Decryption for Name.
117. For Description, enter Do not decrypt URLs in gov, shopping and
finance.



118. Select the tab for Source.
119. Under the Source Zone section, click Add and select Users_Net.

120. Select the Destination tab.


121. Under the Destination Zone section, click Add and select Internet.

122. Select the tab for Service/URL Category.


123. Leave the Service set to any.



124. Under the URL Category, use the Add button to add government, financial-services,
and shopping.

125. Select the tab for Options.


126. Verify that the Action is set to No Decrypt.
127. Set the Decryption Profile to default.

128. Leave the remaining settings unchanged.


129. Click OK to create this entry.
130. You should have two entries in the Decryption Policy.



131. Before you proceed, answer the following question:
Is there anything wrong with these Decryption Policy rules?

The answer is yes. They are in the wrong order. All traffic will match the first rule
Decrypt_User_Traffic because the URL category is set to any. The firewall will therefore never
proceed beyond the first rule to implement the second rule, which instructs the firewall to
exclude financial-services, government and shopping websites from decryption.
132. Highlight the No-Decryption rule entry (but do not open it).
133. At the bottom of the window, click Move > Move Top.



134. The rules now should be in the correct order:

Always place no-decrypt rules at the beginning of the Decryption Policy table.
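The ordering problem you just corrected can be checked mechanically. The script below is an added example, not part of this lab guide or of PAN-OS: it models the two Decryption Policy rules from this lab (Decrypt_User_Traffic and No-Decryption), evaluates a session against them with the same first-match semantics the firewall uses, and reports any rule that is shadowed because an earlier rule already covers every session it could match. Only source zone, destination zone and URL category are modelled; source user, address and service are assumed to be any, as they are in both rules here.

```python
"""First-match evaluation of Decryption Policy rules plus a shadowing check.

Added example for the EDU-210 lab; not firewall code. Only source zone,
destination zone and URL category are modelled (address, user and service
are treated as any), which is all this lab's two rules differ on.
"""
from dataclasses import dataclass

ANY = "any"  # stands for the Any check box in the rule editor


@dataclass(frozen=True)
class DecryptionRule:
    name: str
    source_zones: frozenset
    dest_zones: frozenset
    url_categories: frozenset   # frozenset({ANY}) when the Any box is checked
    action: str                 # "decrypt" or "no-decrypt"

    @staticmethod
    def _allows(allowed, value):
        return ANY in allowed or value in allowed

    def matches(self, src_zone, dst_zone, category):
        return (self._allows(self.source_zones, src_zone)
                and self._allows(self.dest_zones, dst_zone)
                and self._allows(self.url_categories, category))

    @staticmethod
    def _subset(inner, outer):
        # every value accepted by `inner` is also accepted by `outer`
        return ANY in outer or (ANY not in inner and inner <= outer)

    def covers(self, other):
        """True when every session that matches `other` also matches self."""
        return all(self._subset(getattr(other, f), getattr(self, f))
                   for f in ("source_zones", "dest_zones", "url_categories"))


# The two rules built in this lab
DECRYPT_USER_TRAFFIC = DecryptionRule(
    "Decrypt_User_Traffic", frozenset({"Users_Net"}),
    frozenset({"Internet", "Extranet"}), frozenset({ANY}), "decrypt")
NO_DECRYPTION = DecryptionRule(
    "No-Decryption", frozenset({"Users_Net"}), frozenset({"Internet"}),
    frozenset({"government", "financial-services", "shopping"}), "no-decrypt")


def first_match(policy, src_zone, dst_zone, category):
    """Return the first rule that matches, or None (session is left encrypted)."""
    for rule in policy:
        if rule.matches(src_zone, dst_zone, category):
            return rule
    return None


def shadowed_rules(policy):
    """Names of rules that can never be hit because an earlier rule covers them."""
    return [later.name for i, later in enumerate(policy)
            if any(earlier.covers(later) for earlier in policy[:i])]


if __name__ == "__main__":
    for label, policy in (("as created", [DECRYPT_USER_TRAFFIC, NO_DECRYPTION]),
                          ("after Move Top", [NO_DECRYPTION, DECRYPT_USER_TRAFFIC])):
        hit = first_match(policy, "Users_Net", "Internet", "government")
        print(f"{label}: government site -> {hit.name} ({hit.action}); "
              f"shadowed: {shadowed_rules(policy) or 'none'}")
```

Run as written, the script shows the No-Decryption rule as shadowed in the original order and reachable after the move. Two details of the real firewall are worth keeping in mind when reading the model: a session that matches no Decryption Policy rule is simply not decrypted, and the URL category used for a No-Decrypt decision has to be determined before the session is decrypted, so it comes from the TLS ClientHello server name and the server certificate rather than from the full URL.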

Commit the Configuration


135. Click the Commit button at the upper right of the web interface.
136. Leave the settings unchanged and click Commit.
137. Wait until the Commit process is complete.
138. Click Close.

Test the No-Decryption Rule


With your No-Decryption rule in place, browse to a website that falls into one of the excluded
categories.
139. Close the Firefox browser.
140. Open Firefox and connect to https://texas.gov.
Closing and opening the browser will ensure that Firefox does not use any cached information
for this test.
141. Click the padlock icon just in front of the URL:

142. Click the arrow next to Connection secure:



143. Click More information.

The Certificate details you see may vary from this example because we are testing with live
websites that may change.
144. Click View Certificate:

145. Note that the Issuer Name is not 192.168.1.1.



If the firewall had decrypted this website, the Issuer Name would be displayed as 192.168.1.1.
Because you excluded government websites from Decryption, the firewall has not decrypted
this site.
The issuer name you see may be different from the example shown here.
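The Issuer Name check you have now done three times in Firefox (issuer 192.168.1.1 for a decrypted trusted site, DO NOT TRUST for the self-signed Extranet server, and a public CA for the excluded government site) can be scripted from the client. The Python script below is an added example, not part of this lab guide, PAN-OS or Firefox. It uses only the standard library. The classify_issuer function works on the certificate dict that ssl.getpeercert() returns; the probe function connects to a live host and, because Python only decodes a certificate after a successful verification, tries two trust stores in turn: first only the exported firewall CA (cert_trusted-cert.crt, whose path you supply), then the system store. The sample certificate dicts at the bottom are constructed for the test, not captured from real sites.

```python
"""Tell, from the client side, who issued the certificate a TLS server presented.

Added example for the EDU-210 lab; not PAN-OS or Firefox code. A leaf
certificate issued by 192.168.1.1 means the firewall decrypted the session
with trusted-cert, an issuer of DO NOT TRUST means it used untrusted-cert,
anything else means the site's own certificate came through undecrypted.
"""
import socket
import ssl

FORWARD_TRUST_CN = "192.168.1.1"     # Common Name given to trusted-cert in this lab
FORWARD_UNTRUST_CN = "DO NOT TRUST"  # Common Name given to untrusted-cert in this lab


def rdn_value(name, key):
    """Return one attribute (e.g. commonName) from an ssl.getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def classify_issuer(cert):
    """Map a certificate dict to how the firewall handled the session."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn == FORWARD_TRUST_CN:
        return "decrypted-forward-trust"
    if issuer_cn == FORWARD_UNTRUST_CN:
        return "decrypted-forward-untrust"
    return "not-decrypted"


def _handshake(host, port, ctx):
    """Complete a TLS handshake; None if the chain is not trusted by `ctx`."""
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


def probe(host, firewall_ca_pem, port=443):
    """Return (classification, issuer common name) for a live host.

    firewall_ca_pem is the PEM file exported in this lab (cert_trusted-cert.crt).
    Python returns a decoded certificate only after a *successful* verification,
    so two trust stores are tried, mirroring Firefox before and after the import.
    """
    only_firewall = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    only_firewall.load_verify_locations(cafile=firewall_ca_pem)
    cert = _handshake(host, port, only_firewall)       # succeeds only if re-signed by trusted-cert
    if not cert:
        cert = _handshake(host, port, ssl.create_default_context())  # real chain, nothing in between
    if cert:
        return classify_issuer(cert), rdn_value(cert["issuer"], "commonName")
    return "untrusted", None   # neither store trusts it: untrusted-cert, or a genuinely bad site cert


# Constructed certificate dicts in the shape ssl.getpeercert() returns (not real captures)
SAMPLE_CERTS = {
    "firewall-trusted": {"subject": ((("commonName", "*.paloaltonetworks.com"),),),
                         "issuer": ((("commonName", FORWARD_TRUST_CN),),)},
    "firewall-untrusted": {"subject": ((("commonName", "192.168.50.80"),),),
                           "issuer": ((("commonName", FORWARD_UNTRUST_CN),),)},
    "public-ca": {"subject": ((("commonName", "texas.gov"),),),
                  "issuer": ((("countryName", "US"),), (("organizationName", "Example CA Inc"),),
                             (("commonName", "Example Public CA"),))},
}

if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        print(f"{label}: {classify_issuer(cert)}")
```

With the sample data the script prints the three classifications; on the lab network, probe("www.paloaltonetworks.com", "~/Downloads/cert_trusted-cert.crt") would report decrypted-forward-trust, the Extranet server untrusted, and texas.gov not-decrypted once the No-Decryption rule is in place.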
146. Close the Firefox browser and any Firefox windows.

Stop. This is the end of the lab.



Lab 14: Locating Valuable Information Using
Logs and Reports
Having worked with the new Palo Alto Networks firewall for almost a week, you have
discovered how much information the device provides about traffic that it processes. You have
already worked with the Traffic, Threat, URL and System log files and learned how to create
filters to locate specific information. But before you roll the firewall into production, you want to
spend some time looking at some of the other resources, graphs, reports and tools that are
available.
You will also need to show your colleagues where to find different kinds of information in the
firewall web interface so that they can assist you in keeping your network as secure as possible.

Lab Objectives
• View threat information using the Dashboard
• View application information using the Dashboard
• View threat information using the ACC
• View application information using the ACC
• View threat information using the Threat log
• View application information using the Traffic log
• View threat information using App Scope reports
• View threat information using predefined reports
• View application information using predefined reports
• View threat and application information using custom reports

High-Level Lab Steps


Apply a Baseline Configuration to the Firewall
• Load and commit the configuration file - edu-210-10.0b-lab-14.xml - to the
Firewall

Generate Traffic
• Use the Remmina application to connect to the Server-Extranet host
• Run the traffic generating script by entering the following commands:
cd ~ <ENTER>
./UsingLogs-V1.sh <Enter>
• Allow the script to run uninterrupted



Display Recent Threat Information in the Dashboard
• Add the Threat Logs widget to the Dashboard
• Use the Threat Log widget to determine what threats the firewall has detected within the
last hour
• Add the URL Filtering Logs widget to the Dashboard
• Use the URL Filtering Logs widget to examine URL Filtering entries written by the
firewall within the last hour
• Add the Data Filtering Logs widget to the Dashboard
• Use the Data Filtering Logs widget to examine Data Filtering entries written by the
firewall within the last hour

Display Recent Application Information in the Dashboard


• Add the Top Applications widget to the Dashboard
• Note which applications the firewall has detected within the last hour
• Add the Top High Risk Applications to the Dashboard
• Note which applications the firewall has detected that are considered high-risk
Applications with a risk level of 4 are shown in orange. Applications with a risk level of 5 are
shown in red. These rankings come from Palo Alto Networks.

View Threat Information in the ACC


• In the ACC, use the Threat Activity tab to view information for the Last 7 Days
• In the Threat Activity widget’s table below the graph, click the small arrow icon next to
one of the critical severity level entries to add critical severity level as a Global filter for
the ACC
Note that the widget’s table changes to display only threats that have a critical severity level

• In the Global Filters area, click Clear all to remove the global filter
• On the Threat Activity tab, determine what widgets you would use to see which hosts
have either visited or resolved a malicious DNS domain

View Application Information in the ACC


• In the Network Activity tab of the ACC, hide the sidebar to make more room for the
widgets
• In the top section of the Application Usage widget, hover your mouse pointer over the
web-browsing section in the graph
Note the summary window that appears with information about web-browsing

• In the table below the graph, hover your pointer over the web-browsing application until
the global filter Left arrow appears. Then click the Left arrow to promote the web-
browsing application to a global filter
• Unhide the sidebar
• In the Network Activity tab, locate the Rule Usage widget and change the display to
Bytes
Use the information displayed to determine which Security Policy rules have allowed web-
browsing traffic

• In the Rule Usage widget, use the Jump to Logs button to open the Traffic Log
Note the log filters that have been applied automatically to the Traffic log

• Clear the filter in the Traffic log


• In the Global Filters section of the ACC tab, clear all filters

View Threat Information in the Threat Log


• In the Threat Log, clear any filters you may have in place
• Use the Add Log Filter button to build a filter with the following characteristics:
Parameter   Value
Connector   and
Attribute   Severity
Operator    greater than or equal
Value       high

This configuration filters the log to display only critical-severity and high-severity threats

• Apply the filter to the Threat Log


• Use the information from the Action column to determine how these threats have been
handled by the firewall.
• Clear the existing filter
• Use the Add Log Filter button to build a filter with the following characteristics:
Parameter   Value
Connector   and
Attribute   Source User
Operator    equal
Value       chicago\escrooge

This configuration filters the log to display threats coming from only this user.

• Apply the filter to the Threat log
• Note what Threats this user has generated
You may need to add the Source User column to the Threat Log display if it is not already
present

• Clear the existing filter


Note: URL Filtering, WildFire Submissions, and Data Filtering logs are available to display traffic
and threats detected by the firewall but are not shown in this section. You also can use filters to
view these logs.

View Application Information in the Traffic Log


• In the Traffic Log, remove any existing log filters
• Use the Add Log Filter button to build a filter with the following characteristics:
Parameter   Value
Connector   and
Attribute   Source Zone
Operator    equal
Value       Acquisition

This configuration filters the log to display only application traffic that is sourced from the
Acquisition zone.

• Apply the filter to the Traffic Log


Note that the Traffic log has been filtered to display only traffic sourced from the Acquisition zone

• Use the Add Log Filter window to modify the existing source zone filter to filter on the
Users_Net zone instead of the Acquisition zone.
• Use the Add Log Filter window to update the filter to include the following information:
Parameter   Value
Connector   and
Attribute   Application
Operator    equal
Value       web-browsing

• Apply the filter to the Traffic Log


Note that the Traffic log has been filtered to display only web-browsing traffic sourced from the
Users_Net zone

View Threats Using App Scope Reports
• Select App Scope > Threat Monitor
• Set the time frame to Last 7 days
• Set the list of entries to Top 25
• Filter the list by Source User
• Set the display to Show all threat types
• Hover your pointer over the top section of any bar on the bar chart and note the popup
window that shows the threat name and number of detections

View Threat Information Using Predefined Reports


• Under Monitor > Reports, expand the list of Traffic Reports
• Select the entry for Sources
• Note the Sources report that is displayed in the web interface
• In the calendar below the report column, click various dates from the past week to see
information about traffic logged by the firewall on other days
Note that days that are grayed out do not have any data available

View Application Information Using Predefined Reports


• Under Monitor > Reports, expand the list of Application Reports
• Select the entry for Applications
Note the Applications report that is displayed in the web interface

• Expand the list of URL Filtering Reports and select the entry for Web Sites
Note that you may need to click different dates until you see a report with data

View Threat and Application Information Using Custom Reports


• Select Monitor > Manage Custom Reports, and use the following information to create
a Custom Report:
Parameter             Value
Name                  Apps Used by Internal Zones
Database              Traffic Summary
Scheduled check box   Select it
Time Frame            Last 7 Days
Sort By               Select Sessions and Top 100
Group By              Select Source Zone and 5 Groups
Selected Columns      In top-down order, select Source Zone, Application, Bytes, and Action

The report will list each internal zone along with the applications seen coming from each zone.
Because only four zones are available in the lab environment, grouping of the data into a
maximum of five groups is enough to display all zones. Sorting the applications list in each zone
by the top 100 sessions should display all applications associated with a source zone.

• Use the Filter Builder button to create a filter with the following characteristics:
Parameter   Value
Connector   and
Attribute   Source Zone
Operator    not equal
Value       Internet

• Apply the filter


• Click OK to close the Custom Report window and to see a new entry in the list of
custom reports
• Open the custom report and use Run Now to see report information
Note that the report provides details for applications used by the Extranet and the Acquisition
zones

Detailed Lab Steps
Apply a Baseline Configuration to the Firewall
To start this lab exercise, load a preconfigured firewall configuration file.
1. Open Firefox and connect to firewall-a.
2. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.
3. Click Load named configuration snapshot.
4. Click the drop-down list next to the Name text box and select edu-210-11.0b-14.xml.

Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.

5. Click OK.
A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
9. Click Close to continue.

Generate Traffic
In this section, you will generate simulated attacks, web browsing, and application traffic to
populate the firewall logs.
10. On the client workstation, open the Remmina application.
11. Double-click the entry for Server-Extranet.
12. At the prompt, enter the following command:
./UsingLogs-V1.sh <Enter>
13. Press Enter again to begin the process.
14. Allow the script to run uninterrupted.
15. Minimize the Remmina application window.

Display Recent Threat Information in the Dashboard


You will use the Dashboard to view threats detected by the firewall in the last hour. Because
you can configure the Dashboard to periodically refresh, the displayed threats will change,
depending on the most recent information available. The Dashboard information is sourced
from the Threat, URL Filtering, and Data Filtering logs.
16. In the web interface, click the Dashboard tab.
17. Click Widgets and select Logs > Threat Logs:

Note that if Threat Logs is grayed out, it means that the widget is already displayed on the
Dashboard.
18. Are any threats displayed in the Threat Logs widget? It can display the 10 most recent
threats detected by the firewall in the last hour.

Depending on activity in your lab environment in the last hour, you might not see threat entries.
This widget is useful for viewing only the most recent threats detected by the firewall. Here is an
example:

You can use the refresh button in the upper right corner of any widget to update the displayed
items. The entries you see will differ from the examples shown here.
19. Click Widgets and select Logs > URL Filtering Logs.
A URL Filtering Logs widget should appear on the Dashboard. Note that if URL Filtering Logs is
grayed out, it means that the widget is already displayed on the Dashboard.

You can use the refresh button in the upper right corner of any widget to update the displayed
items. The URLs you see will differ from the examples shown here.
20. Are any URLs displayed in the URL Filtering Logs widget? It can display the 10 most
recent URLs seen by the firewall in the last hour.

Depending on activity in your lab environment in the last hour, you might not see URL entries. This
widget is useful for viewing only the most recent URLs seen by the firewall.

21. Click Widgets and select Logs > Data Filtering Logs.
A Data Filtering Logs widget should appear on the Dashboard. Note that if Data Filtering Logs is
grayed out, it means that the widget is already displayed on the Dashboard.

The entries you see will differ from the examples shown here.
22. Are any files displayed in the Data Filtering Logs widget? It can display the 10 most recent
files detected by the firewall in the last hour.

Depending on activity in your lab environment in the last hour, you might not see file entries.
This widget is useful for viewing only the most recent file transfers seen by the firewall.

Display Recent Application Information in the Dashboard
In this section, you will display the Dashboard and view applications identified by the
firewall in the last hour. Because you can configure the Dashboard to periodically refresh,
the displayed applications will change depending on the most recent information available.
You also will use the Dashboard to display those applications identified by the firewall in the
last hour that have the most risk associated with them.
23. In the web interface, click the Dashboard tab.
24. Click Widgets and select Application > Top Applications.
A Top Applications widget should appear on the Dashboard.
25. Look at the applications displayed in the Top Applications widget. It displays the
applications seen by the firewall in the last hour.
Some applications should be listed because some “housekeeping” traffic nearly always traverses
the network, even in the lab environment. This widget is useful for viewing only the recent
application traffic seen in the last hour by the firewall. Here is an example:

The information you see will differ from the examples shown here.
26. Click Widgets and select Application > Top High Risk Applications.
A Top High Risk Applications widget should appear on the Dashboard.

27. Notice the applications displayed in the Top High Risk Applications widget. It displays
the high-risk applications seen by the firewall in the last hour.
Some applications should be listed because some “housekeeping” traffic nearly always traverses
the network. This widget is useful for quickly viewing only the recent application traffic seen by
the firewall in the last hour. Here is an example:

Applications with a risk level of 4 are shown in orange. Applications with a risk level of 5 are
shown in red. These rankings come from Palo Alto Networks. The information you see will differ
from the examples shown here.

View Threat Information in the ACC


In this section, you will view a few ACC widgets on the Threat Activity tab to become
familiar with widgets that display threats against your environment. Spend time examining
each widget so that you can determine which information is presented that might be most
useful to you back in your environment.
28. In the web interface, click the ACC tab.

29. On the left side of the ACC page, look at Global Filters for any configured global
filters. If there are filters, click Clear all:

30. Click the Threat Activity tab:

31. On the left side of the ACC window, click the Time drop-down menu and select Last 7
Days. This value configures all the widgets to display threat information for the last
seven days:

32. Do you see any threats listed in the Threat Activity widget?
You should see some combination of flood, scan, spyware, packet, vulnerability, and virus
threats displayed in a graph. Next to each entry should be the number of occurrences of these
threat types that the firewall has seen in the last seven days. More detail about the threats
should be displayed in a table below the graph:

The entries you see will differ from the examples shown here.

33. In the Threat Activity widget’s table below the graph, click the small arrow icon next to
one of the critical severity level entries.

This action adds the critical severity level as a Global filter for the ACC. Global filters are applied
to every widget on the ACC. Global filters are useful for quickly pivoting your search on a specific
piece of information, thus causing all widgets to display only information that is relevant to a
specific object or threat.
34. Did the widget’s table change to display only threats that have a critical severity level?

The widget should have changed to display only critical severity level threats. The graph will also
change to display only threats that match the filter.
35. Find the global filter on the left side of the ACC window.
36. Was critical added as a global filter condition?

You should see a global filter for critical.

37. Note that the Threat Activity graph and the table of Threat Names are updated to reflect
only items with a Severity level of Critical.

The entries you see will differ from the examples shown here.
38. In the Global Filters area, click Clear all to remove the global filter.
The global filter should be removed, and all widgets should be refreshed to include all threats
detected in the last seven days.
39. On the Threat Activity tab, which widgets would you use to see which hosts have either
visited or resolved a malicious DNS domain? Make a guess based on the widget names.

The answer is: Hosts Visiting Malicious URLs and Hosts Resolving Malicious Domains.

View Application Information in the ACC


In this section, you will view two widgets on the Network Activity tab. The goal is for you to
gain familiarity with some of the widgets available for viewing application and traffic
information.
40. In the web interface, click the ACC tab and then the Network Activity tab.

41. Hide the sidebar to make more room for the widgets by clicking the very small arrow
shown:

42. Resize the Application column to display the entries:

43. The top section of the Application Usage widget is a graph that illustrates how much of
the traffic a specific application represents:

Think of this as a sort of square pie-chart. The entries you see will differ from the examples
shown here.
44. Hover your pointer over the section for web-browsing.

This action displays a summary window with information about that application. The
information you see will differ from the examples shown here.

45. In the table below the graph, hover your pointer over the web-browsing application
until the global filter Left arrow appears. Then click the Left arrow to promote the
web-browsing application to a global filter:

46. Unhide the sidebar by clicking the tiny arrow again:

47. Scroll down in the Network Activity tab until you reach the Rule Usage widget.
48. Select the radio button at the top for Bytes.

The entries you see will differ from the examples shown here.
49. Which Security Policy rules have allowed web-browsing traffic?
The widget should display only those rules that have allowed web-browsing traffic in the last
seven days because the widget is filtered by the web-browsing application in the global filter
and the ACC time range setting.

50. In the upper right corner of the Rule Usage widget, click the Jump to Logs button and
select Traffic Log.

51. Which log is displayed in the web interface?

It should be the Traffic log.


52. Which log filters have been applied automatically to the Traffic log?

There should be a time range filter and an application filter for web-browsing. The time range
filter is derived from the time specified in the ACC. The entry you see will differ from the
example shown here.
53. Note that the entries displayed in the Traffic log match the filter:

Note that several columns have been hidden or rearranged in the example shown here.
54. Clear the filter in the Traffic log.
55. Click the ACC tab.
56. In the Global Filters area, click Clear all to remove the global filter:

View Threat Information in the Threat Log


In this section, you will apply different filters to the Threat log. You will use the filters to
determine whether all critical-severity and high-severity threats detected by the firewall have
been blocked. You also will use a log filter to determine which detected threats come from a
specific user.
57. In the web interface, select Monitor > Logs > Threat.
58. In the upper right corner of the window, click the X icon in the filter area to remove any
existing log filter:

59. Click the + icon in the filter area to open the Add Log Filter window:

The Add Log Filter window should open.
60. In the Add Log Filter window, select the following:
Parameter   Value
Connector   and
Attribute   Severity
Operator    greater than or equal
Value       high

This configuration filters the log to display only critical- and high-severity threats.

61. Click Add to add the in-progress filter to the top pane of the Add Log Filter’s window:

62. Click Apply to add the filter to the Threat log filter text box.
The Add Log Filter window should close.

As you become more familiar with filter syntax, you can simply type the filter directly into the
filter field and forego using the filter builder.
63. With the filter string in the log filter text box, click the right arrow icon to apply the
filter to the Threat log:

64. Has the Threat log been filtered to display only threats of high severity or greater?

It should be filtered. You can scan the Action column to determine how the threats have been
handled by the firewall. You could, for example, use this information to help you determine the
Security Profile configuration required to control threats found in legitimate traffic.

Note that several columns have been hidden or rearranged in the example shown here. The
entries you see will differ from the ones shown here.
65. Click the X icon in the filter area to remove any existing log filter:

66. Click the + icon in the filter area to re-open the Add Log Filter window.
67. In the Add Log Filter window, select the following:
Parameter   Value
Connector   and
Attribute   Source User
Operator    equal
Value       chicago\escrooge

This configuration filters the log to display threats coming from only this user.

68. Click Add and then click Apply to add the filter to the Threat log filter text box.
The Add Log Filter window should close, and the filter should have been added to the Threat
log’s filter text box.

69. With the filter string in the log filter text box, click the right arrow icon to apply the
filter to the Threat log.
70. Has the Threat log been filtered to display only threats coming from the specified user?
You may need to add the Source User column to the Threat Log display if it is not already
present.

Note that several columns have been hidden or rearranged in the example shown here. If you
do not see any entries, wait a few moments and click the refresh button to update the Threat
Log table.
71. Click the X icon to clear the filter from the log filter text box.
Note: URL Filtering, WildFire Submissions, and Data Filtering logs are available to display traffic
and threats detected by the firewall but are not shown in this section. You can also use filters to
view these logs.

View Application Information in the Traffic Log


In this section, you will apply different filters to the Traffic log. You will use a filter to
determine which applications are being seen in a specific zone.
72. In the web interface, select Monitor > Logs > Traffic.
73. Click the X icon in the filter area to remove any existing log filter
74. Click the + icon in the filter area to open the Add Log Filter window:
The Add Log Filter window should open.
75. In the Add Log Filter window, select the following:
Parameter   Value
Connector   and
Attribute   Source Zone
Operator    equal
Value       Acquisition

This configuration filters the log to display only application traffic that is sourced from the
Acquisition zone. You could use this information, for example, to help you to determine how to
configure your Security Policy rules. You easily could modify the filter to display application
traffic sourced from any zone and use that information to help you improve your Security Policy
configuration.

76. Click Add and then click Apply to add the filter to the Traffic log filter text box.
The Add Log Filter window should close.

77. With the filter string in the log filter text box, click the right arrow icon to apply the
filter to the Traffic log
78. Has the Traffic log been filtered to display only traffic sourced from the Acquisition
zone?

It should be. You could use this information to help you determine the Security Policy rules
required to control legitimate traffic sourced from devices in the Acquisition zone.

Note that several columns have been hidden or rearranged in the example shown here.
79. Click the + icon in the filter area to again open the Add Log Filter window.
The Acquisition source zone filter still should appear in the open Add Log Filter window.
80. In the Add Log Filter window in the top pane, modify the existing source zone filter to
filter on the Users_Net zone instead of the Acquisition zone. The completed filter should
read (zone.src eq Users_Net):

81. In the Add Log Filter window, also add the following selections:
Parameter   Value
Connector   and
Attribute   Application
Operator    equal
Value       web-browsing

82. Click Add and then click Apply to add the filter to the Traffic log filter text box.
The Add Log Filter window should close.

83. With the filter string in the log filter text box, click the right arrow icon to apply the
filter to the Traffic log.
84. Has the Traffic log been filtered to display only web-browsing traffic sourced from the
Users_Net zone?

It should be filtered.

Note that several columns have been hidden or rearranged in the example shown here.
85. Click the X icon to clear the filter from the log filter text box.
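The filter strings that the Add Log Filter window builds in the Threat log and Traffic log sections above can also be typed straight into the filter text box. The following Python script is an added example written for this edition of the guide; it is not part of the lab or of any Palo Alto Networks tool. It maps the builder's Attribute/Operator/Value rows to the field names the filter box uses (severity, user.src, zone.src, app), then evaluates the resulting expression against a handful of constructed log records, so you can see which entries each lab filter selects and why "severity geq high" includes critical as well as high. The single-quoting of the domain\user value, the sample records, and the inclusion of the "not equal" operator (which the custom report section later uses as zone.src neq Internet) are assumptions of the example; it handles only and-joined terms, which is all this lab uses.

```python
"""Build PAN-OS log filter strings the way the Add Log Filter window does and
evaluate them offline against constructed log records (added example)."""
import re

# Threat log severities from lowest to highest: the order that geq/leq compare on.
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]

# Filter-builder Attribute labels -> field names accepted in the log filter text box.
ATTRIBUTE_FIELDS = {
    "Severity": "severity",
    "Source User": "user.src",
    "Source Zone": "zone.src",
    "Application": "app",
}

# Filter-builder Operator labels -> filter keywords.
OPERATORS = {
    "equal": "eq",
    "not equal": "neq",
    "greater than or equal": "geq",
    "less than or equal": "leq",
}

# One "(field op value)" term; the value may be single-quoted.
TERM_RE = re.compile(r"\(\s*([\w.]+)\s+(eq|neq|geq|leq)\s+'?([^')]+?)'?\s*\)")


def quote(value):
    """Single-quote values containing a backslash or whitespace, e.g. domain\\user (assumption)."""
    return f"'{value}'" if re.search(r"[\\\s]", value) else value


def build_filter(rows, connector="and"):
    """rows: (Attribute, Operator, Value) tuples exactly as chosen in the builder."""
    terms = [f"({ATTRIBUTE_FIELDS[attr]} {OPERATORS[op]} {quote(val)})" for attr, op, val in rows]
    return f" {connector} ".join(terms)


def _rank(field, value):
    """Severity compares by position in SEVERITY_ORDER; every other field as a plain string."""
    if field != "severity":
        return value
    return SEVERITY_ORDER.index(value) if value in SEVERITY_ORDER else -1


def matches(expression, record):
    """True if every term holds for the record. Terms are and-joined, as in this lab;
    an empty expression matches everything, like a cleared filter."""
    for field, op, value in TERM_RE.findall(expression):
        actual, wanted = _rank(field, record.get(field, "")), _rank(field, value)
        holds = {"eq": actual == wanted, "neq": actual != wanted,
                 "geq": actual >= wanted, "leq": actual <= wanted}[op]
        if not holds:
            return False
    return True


def filter_log(expression, records):
    return [rec for rec in records if matches(expression, rec)]


def _rec(severity, user, zone, app, action):
    return {"severity": severity, "user.src": user, "zone.src": zone, "app": app, "action": action}


# Constructed rows shaped like Threat/Traffic log entries; not real firewall output.
SAMPLE_LOG = [
    _rec("critical", "chicago\\escrooge", "Users_Net", "web-browsing", "reset-both"),
    _rec("high", "chicago\\escrooge", "Users_Net", "web-browsing", "alert"),
    _rec("medium", "chicago\\bcratchit", "Users_Net", "ssl", "alert"),
    _rec("low", "", "Acquisition", "dns", "allow"),
    _rec("informational", "", "Extranet", "ftp", "allow"),
    _rec("medium", "", "Internet", "web-browsing", "alert"),
]

if __name__ == "__main__":
    lab_filters = [
        [("Severity", "greater than or equal", "high")],
        [("Source User", "equal", "chicago\\escrooge")],
        [("Source Zone", "equal", "Users_Net"), ("Application", "equal", "web-browsing")],
        [("Source Zone", "not equal", "Internet")],  # the custom report's Filter Builder
    ]
    for rows in lab_filters:
        expr = build_filter(rows)
        hits = filter_log(expr, SAMPLE_LOG)
        print(f"{expr:50} -> {len(hits)} of {len(SAMPLE_LOG)} records")
```

Run it with python3 to print each lab filter next to the number of constructed records it selects. The useful check is the first one: with the records above, "(severity geq high)" returns exactly the critical and high rows, which is what step 64 asks you to confirm before reading the Action column.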

View Threats Using App Scope Reports


In this section, you will view threat information using App Scope's Threat Monitor report.
86. In the web interface, select Monitor > App Scope > Threat Monitor.
87. At the bottom of the window, click Last 7 days:

88. The window should update to display the top 10 threats detected by the firewall in the
last seven days.

Note that the image you see will differ from the example shown here.
89. At the top of the window, click Top 10 and select Top 25 from the menu:

This configuration enables you to see the top 25 threats within the selected time range.
90. At the top of the window, click Threat and choose Source User:

91. At the top of the window, hover your pointer over each Filter icon to see how to display
specific types of threats:

92. Select Show all threat types.


93. Hover your pointer over the top section of any bar on the bar chart. What appears on the
page?
You should see a popup window that shows the threat name and number of detections.

The information you see may differ from the example here.

View Threat Information Using Predefined Reports


In this section, you will open and view three of the more than 40 predefined reports available
on the firewall. Your efficient use of the predefined reports depends on your spending time
with each report, discovering and determining which information might be useful to you in
your own environment. Your familiarity with the reports will help you to find the reports that
are most useful to you.

94. In the web interface, select Monitor > Reports.
95. Click Traffic Reports to expand the list of available Traffic Reports:

96. Click Sources to view a report.


A Sources report should be displayed in the web interface. The report displays which source IP
addresses were detected by your firewall on the previous day. It should have a format like the
following example, but your data may be different.

97. In the calendar below the report column, click various dates from the past week to see
information about traffic logged by the firewall on other days:

Note that days that are grayed out do not have any data available.

View Application Information Using Predefined Reports


In this section, you will view reports related to Applications.
98. In the web interface, select Monitor > Reports.
99. Click Application Reports to expand the list of available application reports:

100. Click Applications to view the Applications report.


An Applications report should be displayed in the web interface. The report displays the
applications that were detected by your firewall on the previous day. It should have a format
like the following example, but your application data will be different. You can use this
information to update your Security Policy rules, as necessary.

101. Click URL Filtering Reports to expand the list of available URL Filtering reports:

102. Click Web Sites to view the report. Click each date until you see a report with data.
A Web Sites report should be displayed in the web interface. The report displays the websites
that were seen by your firewall on a given day. It should have a format like the following
example, but your data will be different. You can use this information to update your Security
Policy rules or a URL Filtering Profile, as necessary.

View Threat and Application Information Using Custom Reports


In this section, you will create a custom report. The custom reports feature enables you to
build reports that include only the information that you consider useful in your environment.
The custom report will list the applications that the firewall has detected in each of your
internal security zones. It excludes the outside zone, which in the lab environment is
associated with the internet.

Such information can help you to improve the configuration of your Security policies and
ultimately improve your security stance.
103. In the web interface, select Monitor > Manage Custom Reports.
104. Click Add and configure the following in the Custom Report window:
Parameter          Value
Name               Apps Used by Internal Zones
Database           Traffic Summary
Scheduled box      Checked
Time Frame         Last 7 Days
Sort By            Select Sessions and Top 100
Group By           Select Source Zone and 5 Groups
Selected Columns   In top-down order, select Source Zone, Application, Bytes, and Action

The report will list each internal zone along with the applications seen coming from each zone.
Because only four zones are available in the lab environment, grouping of the data into a
maximum of five groups is enough to display all zones. Sorting the applications list in each zone
by the top 100 sessions should display all applications associated with a source zone.

105. In the bottom right corner of the Custom Report window, click the Filter Builder link:

The Add Log Filter window should open.
106. Configure the following:
Parameter   Value
Connector   and
Attribute   Source Zone
Operator    not equal
Value       Internet

107. In the Add Log Filter window, click Add and then Apply.
A filter should be added to the custom report. The Internet zone is outside of your network, and
this filter ensures that the custom report does not include applications that are coming from
outside your network.

108. Click OK to close the Custom Report window.
The new custom report should be added to the list of custom reports in the web interface.

109. Click Apps Used by Internal Zones to open the custom report.
110. Click Run Now to run the custom report:

The report should run, and the results should be displayed in a tab that is added and opened in
the Custom Report window.
111. View the results of the custom report.
You can scroll down through the report to see information about the Extranet and the
Acquisition zones along with details about the applications that the firewall processed in each
one. Note that the entries you see in the report may differ from the example shown here.

Ensure that you explore all pages of the report, as other zones may be listed on subsequent
pages.
112. When you are finished viewing the report, close it by clicking the X on the Apps Used
by Internal Zones (100%) tab:

113. Click Cancel to close the Custom Report window.

Stop. This is the end of the lab.

Lab 15: Capstone
This comprehensive lab is meant to provide you with additional hands-on firewall experience
and to enable you to test your new knowledge and skills. You can refer to your student guide and
previous lab exercises.
In this scenario, you are a network administrator and recently received a new Palo Alto Networks
VM-Series firewall. The firewall’s management IP address is 192.168.1.254. You can log in with
the username admin and Pal0Alt0! as the password. Take special care to use the exact
spelling and capitalization for the items you are asked to configure.
You are being asked to meet multiple configuration objectives. These objectives are listed in the
lab exercise sections that follow.

Load a Lab Configuration
1. In the web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:
3. Select edu-210-11.0b-Capstone-start.xml and click OK.
4. Click Close.
5. Commit all changes.

Configure Networking
Complete the following objectives:
• Configure three firewall interfaces using the following values:
• Ethernet 1/1: 203.0.113.20/24 - Layer 3
• Ethernet 1/2: 192.168.1.1/24 - Layer 3
• Ethernet 1/3: 192.168.50.1/24 - Layer 3
• Create a virtual router called VR-1 for all configured firewall interfaces.
• Create a default route for the firewall called Default-Route
• Create an Interface Management Profile called Allow-ping that allows ping
• Assign the Allow-ping Interface Management Profile to ethernet1/2
Verify network connectivity from the firewall to other hosts.
• Your internal host can ping 192.168.1.1 and receive a response
• From the firewall CLI, the following commands are successful:
• ping source 203.0.113.20 host 203.0.113.1
• ping source 203.0.113.20 host 8.8.8.8
• ping source 192.168.1.1 host 192.168.1.20
• ping source 192.168.50.1 host 192.168.50.150

Configure Security Zones


Complete the following objectives:
• Create a Security Zone called Internet and assign ethernet1/1 to the zone
• Create a Security Zone called Users and assign ethernet1/2 to the zone:
• Configure the Users zone for User-ID
• Create a Security Zone called Extranet and assign ethernet1/3 to the zone
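The networking and zone objectives above, expressed as PAN-OS configuration-mode set commands. This is an added example for readers who prefer the firewall CLI to the web interface; it is not part of the lab guide, whose solutions use the web interface. Assumptions: the default-route next hop is 203.0.113.1 (the upstream address the ping test targets; adjust it if your lab network differs), and the static-route metric of 10 is the PAN-OS default. Lines beginning with # are annotations for the reader; the PAN-OS CLI does not accept them, so paste only the commands.

```text
configure

# Three Layer 3 interfaces (Network > Interfaces > Ethernet)
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.20/24
set network interface ethernet ethernet1/2 layer3 ip 192.168.1.1/24
set network interface ethernet ethernet1/3 layer3 ip 192.168.50.1/24

# Virtual router VR-1 owning all three interfaces, plus the default route.
# Next hop 203.0.113.1 is an assumption taken from the ping test in the lab.
set network virtual-router VR-1 interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]
set network virtual-router VR-1 routing-table ip static-route Default-Route destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/1 metric 10

# Management profile that permits only ping, attached to the inside interface only.
# A profile that permits https or ssh must never be attached to the Internet-facing interface.
set network profiles interface-management-profile Allow-ping ping yes
set network interface ethernet ethernet1/2 layer3 interface-management-profile Allow-ping

# Security zones; User-ID is enabled only on the zone that holds the user LAN
set zone Internet network layer3 ethernet1/1
set zone Users network layer3 ethernet1/2
set zone Users enable-user-identification yes
set zone Extranet network layer3 ethernet1/3

commit
exit

# Operational-mode checks: route lookup, interface state, reachability
test routing fib-lookup virtual-router VR-1 ip 8.8.8.8
show interface ethernet1/1
ping count 3 source 203.0.113.20 host 203.0.113.1
ping count 3 source 192.168.1.1 host 192.168.1.20
```

An interface can belong to only one virtual router. If the loaded start configuration already places any of these interfaces in another virtual router (for example one named default), remove it there before the commit, or the commit fails with a validation error. The fib-lookup check should return Default-Route via ethernet1/1; if it returns no route, the interface-to-VR assignment or the static route is missing.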

Configure NAT Policy Rules


Create Source NAT rules to meet the following requirements:



• Rule Name = Users_to_Internet
• From Source Zone Users to Destination Zone Internet
• Use ethernet1/1 on the firewall as the source translation address
• Rule Name = Extranet_to_Internet
• From Source Zone Extranet to Destination Zone Internet
• Use ethernet1/1 on the firewall as the source translation address
• All NAT rules must include a helpful Description

Configure Security Policy Rules

Create Security Policy rules to meet the following requirements:
• For all Security Policy rules, enter a helpful Description.
• Modify the interzone-default Security Policy rule so that traffic is logged at session end.
• Create a Security Policy rule called Block_Bad_URLs with the following characteristics:
• For all outbound traffic, the URL categories hacking, phishing, malware, and
unknown must be blocked by a Security Policy rule match criterion.
• Place this rule above the allow rules that follow. The Security policy is evaluated
top down and the first matching rule wins, so a Block_Bad_URLs rule positioned below
an allow rule for web-browsing and ssl would never match.
• From the Users zone to the Extranet zone, create a Security Policy rule called
Users_to_Extranet to allow the following applications:
• ping
• ssl
• ssh
• dns
• web-browsing
• From the Users zone to the Internet zone, create a Security Policy rule called
Users_to_Internet to allow the following applications:
• ping
• dns
• web-browsing
• ssl
• From the Extranet zone to the Internet zone, create a Security Policy rule called
Extranet_to_Internet to allow the following applications:
• ping
• dns
• web-browsing
• ssl
You can consider this objective complete when the following tests are successful:



• The client host can ping 8.8.8.8 and google.com
• The client host can access www.paloaltonetworks.com
• The client host can browse to the Extranet web server at http://192.168.50.80
• The client host can use SSH to access the Extranet host at 192.168.50.150 using the login
name paloalto42 and the password Pal0Alt0!
• The Extranet host can ping 8.8.8.8 and google.com
• The internal host cannot access hacker9.com
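The NAT and Security policy objectives above as PAN-OS configuration-mode set commands, followed by the policy-match tests a practitioner runs before touching a client. This is an added example, not part of the lab guide; the rule descriptions are illustrative, and 192.168.1.20 is taken from the lab's ping test as the internal host address. Lines beginning with # are annotations and are not accepted by the PAN-OS CLI.

```text
configure

# Source NAT (Policies > NAT): hide both inside zones behind the ethernet1/1 address
set rulebase nat rules Users_to_Internet description "Hide Users zone behind the ethernet1/1 address"
set rulebase nat rules Users_to_Internet from Users to Internet to-interface ethernet1/1 source any destination any service any
set rulebase nat rules Users_to_Internet source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase nat rules Extranet_to_Internet description "Hide Extranet zone behind the ethernet1/1 address"
set rulebase nat rules Extranet_to_Internet from Extranet to Internet to-interface ethernet1/1 source any destination any service any
set rulebase nat rules Extranet_to_Internet source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Log interzone-default at session end so denied traffic appears in the Traffic log
set rulebase default-security-rules rules interzone-default log-end yes

# URL-category block toward the Internet zone, matched on category rather than on a Security Profile
set rulebase security rules Block_Bad_URLs description "Deny hacking, phishing, malware and unknown URL categories outbound"
set rulebase security rules Block_Bad_URLs from any to Internet source any destination any application any service any
set rulebase security rules Block_Bad_URLs category [ hacking phishing malware unknown ] action deny log-end yes

# Allow rules on application-default ports, logged at session end
set rulebase security rules Users_to_Extranet description "Users to Extranet hosts"
set rulebase security rules Users_to_Extranet from Users to Extranet source any destination any application [ ping ssl ssh dns web-browsing ] service application-default action allow log-end yes
set rulebase security rules Users_to_Internet description "Users to Internet"
set rulebase security rules Users_to_Internet from Users to Internet source any destination any application [ ping dns web-browsing ssl ] service application-default action allow log-end yes
set rulebase security rules Extranet_to_Internet description "Extranet hosts to Internet"
set rulebase security rules Extranet_to_Internet from Extranet to Internet source any destination any application [ ping dns web-browsing ssl ] service application-default action allow log-end yes

# First match wins: the block rule must sit above the allow rules
move rulebase security rules Block_Bad_URLs top

commit
exit

# Operational-mode policy-match checks for the internal host
test nat-policy-match from Users to Internet source 192.168.1.20 destination 8.8.8.8 protocol 6 destination-port 443
test security-policy-match from Users to Internet source 192.168.1.20 destination 8.8.8.8 protocol 6 destination-port 443 application ssl
test security-policy-match from Users to Internet source 192.168.1.20 destination 8.8.8.8 protocol 6 destination-port 80 application web-browsing category hacking
show running security-policy
```

The first two test commands should report Users_to_Internet (NAT and Security respectively); the third, which supplies a hacking category, should report Block_Bad_URLs. If it reports Users_to_Internet instead, the block rule is below the allow rule and the move command did not take effect. The NAT destination zone is chosen from the pre-NAT route lookup, which is why the default route from the previous section must be in place before these rules can match.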

Create and Apply Security Profiles

Create Security Profiles and a Security Profile Group to meet the following requirements:
• A Corporate URL Filtering Security Profile called Corp-URL to log access to all web
categories (set each category to alert; the allow action permits the request without
writing a URL log entry)
You can use the existing default Profile as the basis for your own

• A Corporate File Blocking Security Profile called Corp-FB to block dangerous file
types
You can use the existing strict Profile as the basis for your own

• A Corporate Antivirus Security Profile called Corp-AV to block viruses
You can use the existing default Profile as the basis for your own

• A Corporate Anti-Spyware Security Profile called Corp-AS to block spyware
You can use the existing strict Profile as the basis for your own

• A Corporate Vulnerability Protection Security Profile called Corp-Vuln to block
vulnerability exploits
You can use the existing strict Profile as the basis for your own

• A Corporate WildFire Profile called Corp-WF to send all file types to the public cloud
for inspection
You can use the existing default Profile as the basis for your own



• Create a Security Profile Group called Corp-Profiles and assign the appropriate
Security Profiles to it
Note: You can leave the Data Filtering Profile set to None.

• Apply the Corp-Profiles Group to all applicable Security Policy rules


You can consider this objective complete when the following tests are successful:
• The internal host cannot download a test virus file from http://192.168.50.80 using
HTTP.
• The internal host cannot download the badtarfile.tar from
http://192.168.50.80/badtarfile.tar
• A URL log file entry appears when the client host browses to
https://www.paloaltonetworks.com
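Grouping the six profiles and attaching the group to the allow rules, as PAN-OS configuration-mode set commands, with the log queries used to confirm the download tests. This is an added example, not part of the lab guide; it assumes the six profiles were already created under Objects > Security Profiles with the names the objectives specify, and that the three allow rules exist with the names from the Security policy objectives. Lines beginning with # are annotations and are not accepted by the PAN-OS CLI.

```text
configure

# Security Profile Group (Objects > Security Profile Groups); Data Filtering is left unset
set profile-group Corp-Profiles url-filtering Corp-URL
set profile-group Corp-Profiles file-blocking Corp-FB
set profile-group Corp-Profiles virus Corp-AV
set profile-group Corp-Profiles spyware Corp-AS
set profile-group Corp-Profiles vulnerability Corp-Vuln
set profile-group Corp-Profiles wildfire-analysis Corp-WF

# Profiles inspect only traffic a rule allows, so the group goes on the allow rules,
# not on Block_Bad_URLs and not on the default deny rules
set rulebase security rules Users_to_Extranet profile-setting group Corp-Profiles
set rulebase security rules Users_to_Internet profile-setting group Corp-Profiles
set rulebase security rules Extranet_to_Internet profile-setting group Corp-Profiles

commit
exit

# After the client runs the download and browsing tests, newest entries first:
# virus and vulnerability verdicts are in the Threat log, file blocking in the Data Filtering log,
# and the paloaltonetworks.com visit in the URL Filtering log
show log threat direction equal backward
show log data direction equal backward
show log url direction equal backward
```

If the test virus download still succeeds, check that the Corp-AV profile's http decoder action is a blocking action rather than alert, and that the traffic actually matched an allow rule carrying Corp-Profiles (the Traffic log shows the rule name per session). A missing URL log entry for an allowed site usually means the category action in Corp-URL is allow instead of alert.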



Solutions
The solution screenshots are not reproduced in this text version; each heading below gives the
web interface path where the corresponding setting is configured. You are encouraged to attempt
meeting the requirements BEFORE you use these paths.

Firewall Interfaces
Network > Interfaces > Ethernet

Virtual Router
Network > Virtual Routers



Firewall Default Route
Network > Virtual Routers > VR-1 > Static Routes

Allow-ping Interface Management Profile
Network > Network Profiles > Interface Mgmt

Allow-ping Interface Management Profile Assigned to ethernet1/2
Network > Interfaces > Ethernet > ethernet1/2 > Advanced



Security Zones
Network > Zones

NAT Policy Rules
Policies > NAT



Security Policy Rules
Policies > Security



Security Profiles
Objects > Security Profiles
• Corporate URL Filtering Profile

• Corporate File Blocking Profile

• Corporate Antivirus Profile



• Corporate Anti-Spyware Profile

• Corporate Vulnerability Profile

• Corporate WildFire Profile



• Security Profile Group

• Security Policy rules with Profile Group
Policies > Security > [Rule] > Actions

Stop. This is the end of the lab.
