PAN - EDU-210-11.0b-Lab Guide2023
PAN-OS® 11.0
www.paloaltonetworks.com/education
© 2023 Palo Alto Networks, Inc.
Palo Alto Networks
Firewall 11.0 Essentials:
Configuration and Management
Lab Guide
PAN-OS® 11.0
EDU-210
Courseware Version B
Palo Alto Networks, Inc.
https://www.paloaltonetworks.com
© 2023, Palo Alto Networks, Inc.
Palo Alto Networks, PAN-OS, WildFire, RedLock, and Demisto are registered trademarks of
Palo Alto Networks, Inc. All other marks mentioned herein may be trademarks of their
respective companies.
Bolding: Names of selectable items in the web interface. Example: Click Security to open the Security Rule Page.
Consolas font: Text that you enter and coding examples. Examples:
Enter the following command:
a:\setup
The show arp all command yields this output:
username@hostname> show arp
<output>
Calibri 11 pt. gray font: Lab step results and explanations. Example: A new zone should appear in the web interface.
Click: Click the left mouse button. Example: Click Administrators under the Device tab.
Right-click: Click the right mouse button. Example: Right-click the number of a rule you want to copy, and select Clone Rule.
< > (text enclosed in angle brackets): Denotes a variable parameter. The actual value to use is defined in the Lab Guide document. Example: Click Add again and select <Internal Interface>.
Lab Guidance
There are two sections for each lab in this guide:
● High-Level Lab Steps
● Detailed Lab Steps
The High-Level Lab Steps section provides only general guidance and information about how to
accomplish the lab objectives. This section is more challenging and is suited for students who
have a working knowledge of Palo Alto Networks firewalls. If you have never worked with a
Palo Alto Networks firewall, we strongly encourage you to use the Detailed Lab Steps section.
You do not need to complete both the High-Level Lab Steps and the Detailed Lab Steps for
each lab. Use either one or the other.
Lab Objectives
• Connect to the firewall web interface
• Load a starting lab configuration
• Set DNS servers for the firewall
• Set NTP servers for the firewall
• Configure a login banner for the firewall
• Set Latitude and Longitude for the firewall
• Configure permitted IP addresses for firewall management
8. Click the Commit button at the upper right corner of the web interface:
The DNS server settings that you configure do not have to be public servers, but the
firewall needs to be able to resolve hostnames such as
updates.paloaltonetworks.com and wildfire.paloaltonetworks.com to provide
various services such as WildFire® or URL filtering.
20. Leave the remaining settings unchanged and click OK to close the Services window.
22. Click the General Settings gear icon to open the General Settings window.
23. In the Domain field, enter panw.lab.
24. In the Login Banner area, enter Authorized Access Only.
25. In the Latitude field, enter 37.00.
26. In the Longitude field, enter 122.00.
These coordinates are for Santa Clara, California – headquarters of Palo Alto
Networks, Inc.
27. Leave the remaining settings unchanged and click OK to close the General Settings
window.
Verify that you have entered the correct address range in the Permitted IP
Addresses field. If you make a mistake and enter the wrong information, you can
lose network connectivity to your firewall.
38. At the bottom of the window, click the Check Now button.
39. The firewall will perform a software check with the Palo Alto Networks update servers:
40. When the process is complete, the firewall displays an updated list of available software
versions:
Lab Objectives
• Load a baseline configuration
• Save a named configuration snapshot
• Export a named configuration snapshot
• Save ongoing configuration changes before a commit
• Revert ongoing configuration changes
• Preview configuration changes
• Examine System and Configuration log files
• Create a log file filter
• Use the Filter Builder
Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
This process saves the configuration file to a location on the firewall itself.
25. Change the value for the Primary DNS Server to 88.8.8.8 (an easy mistake to make).
26. Click OK to close the Services window.
27. You can see the mistake in place under the Services section:
28. In the upper right corner of the web interface, click the Changes button and select
Revert Changes:
The Revert Changes window allows you to select specific elements of the
configuration that you can revert. In this case, because you only made a single
change, the Commit Scope shows device-and-network (which is the portion of
the configuration that contains the changes to the DNS server).
32. In the Services window, notice that the Primary DNS Server has been reset to the
original value before you mistakenly changed it.
34. In the SNMP Setup window, set the Physical Location to Santa Clara, CA, USA.
35. For Contact, enter Sherlock Holmes.
36. For SNMP Community String, enter paloalto42.
37. Leave the remaining settings unchanged:
41. In the Preview Changes window, leave the Lines of Context set to 10:
The Lines of Context setting determines how many lines are displayed before and
after a change in the configuration file.
44. Close the configuration comparison window by clicking the X in the upper right corner.
45. Click Cancel in the Commit window.
47. Hide the Object column by clicking the small drop-down arrow in the right portion of
any column header.
48. Choose Columns.
49. Uncheck Object:
Hiding and displaying log columns is optional but quite useful. Each log file contains
different columns, some of which you may not need, so you can hide them. Some log
tables also have columns that are not shown by default, and you can use this same
process to display any hidden columns that you want to view.
51. Drag and drop the Severity column to the left-most position in the table:
Reordering columns is also optional; however, you may discover that the
information in a specific log file is easier for you to analyze after you customize the
columns.
54. The web interface will automatically build a filter statement with the appropriate syntax
to search for all entries that contain informational in the Severity field:
55. Click the Apply Filter button in the upper right corner of the window:
56. The System log display will update to show only those entries that contain
informational as the Severity level.
Note that your firewall may only have informational entries in the System log at this point.
57. Under the Type column, click any entry that contains the word general:
59. Click the Apply Filter button in the upper right corner of the window:
60. The interface will update the log file to display only those entries that match both
conditions:
A good practice is to clear any filters from log file displays before you move to other
portions of the web interface. The next time you examine the same log, it will
display all results instead of only ones you have previously filtered.
67. Click the Add Filter button in the upper right corner of the window:
69. With the same window open, build the second part of the filter:
A. Under the Connector column, select and.
B. Under the Attribute column, select Time Generated.
C. Under Operator, select greater than or equal to.
D. Under the Value column, use the first drop-down list to select today.
E. Under the Value column, use the second drop-down list to select a time
approximately sixty minutes ago (round up or down if you need to).
F. Click Add.
The time and date for your filter will differ from the example shown here.
72. Click the Apply Filter button in the upper right corner of the window:
Although you used the System log as the basis for this exercise, the process of
creating filters is the same throughout all Palo Alto Networks firewall log databases.
The Filter Builder is available to use in all log tables.
74. Clear the filter by clicking the Clear Filter button in the upper right corner of the
window:
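The filter statements that the Filter Builder produces (and the hand-typed ones used later in this guide, such as ( subtype eq auth ), ( addr.dst eq 8.8.8.8 ) and ( action neq allow )) all follow the same ( attribute operator value ) grammar joined by and/or. The following evaluator is an added example, not part of the lab guide or of PAN-OS; it parses that syntax and runs it over constructed System log records, and it assumes "and" binds tighter than "or" and that the record field names below match the filter attributes.

```python
import re
from datetime import datetime

# Constructed System log entries shaped like the columns used in the lab
# (Receive Time, Type, Severity, Description). Sample records, not firewall output.
SYSTEM_LOG = [
    {"receive_time": "2023/05/01 09:15:00", "type": "general", "subtype": "general",
     "severity": "informational", "description": "Commit job succeeded"},
    {"receive_time": "2023/05/01 09:40:12", "type": "auth", "subtype": "auth",
     "severity": "informational", "description": "adminBob authenticated via Local-database"},
    {"receive_time": "2023/05/01 10:05:30", "type": "auth", "subtype": "auth",
     "severity": "informational", "description": "adminSally authenticated via LDAP-Auth-Profile"},
    {"receive_time": "2023/05/01 10:20:00", "type": "general", "subtype": "general",
     "severity": "medium", "description": "DNS server setting changed"},
]

# One filter term: ( attribute operator value ), value optionally single-quoted.
TERM = re.compile(r"\(\s*([\w.]+)\s+(eq|neq|geq|leq|contains)\s+('[^']*'|[^\s)]+)\s*\)")
CONNECTOR = re.compile(r"(and|or)\b")


def tokenize(text):
    """Split a filter string into (attribute, operator, value) terms and
    'and'/'or' connectors, checking that the two alternate."""
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = TERM.match(text, pos)
        if m:
            attr, op, value = m.groups()
            tokens.append((attr, op, value.strip("'")))
            pos = m.end()
            continue
        m = CONNECTOR.match(text, pos)
        if m:
            tokens.append(m.group(1))
            pos = m.end()
            continue
        raise ValueError(f"cannot parse filter near offset {pos}: {text[pos:]!r}")
    if not tokens or isinstance(tokens[-1], str):
        raise ValueError("filter must end with a ( attribute operator value ) term")
    for i, tok in enumerate(tokens):
        if (i % 2 == 1) != isinstance(tok, str):
            raise ValueError("terms must be joined by 'and' or 'or'")
    return tokens


def _coerce(value):
    """Compare timestamps as datetimes, counts as integers, everything else as text."""
    try:
        return datetime.strptime(value, "%Y/%m/%d %H:%M:%S")
    except ValueError:
        pass
    return int(value) if value.isdigit() else value


def term_matches(entry, term):
    attr, op, value = term
    if attr not in entry:
        return False
    actual, wanted = _coerce(str(entry[attr])), _coerce(value)
    if op == "contains":
        return str(wanted) in str(actual)
    if type(actual) is not type(wanted):        # e.g. a date compared with plain text
        return op == "neq"
    return {"eq": actual == wanted, "neq": actual != wanted,
            "geq": actual >= wanted, "leq": actual <= wanted}[op]


def apply_filter(entries, text):
    """Return the entries matching a filter. 'and' binds tighter than 'or', so
    'A and B or C' is read as '(A and B) or C' (an assumption of this example)."""
    groups = [[]]
    for tok in tokenize(text):
        if tok == "or":
            groups.append([])
        elif tok != "and":
            groups[-1].append(tok)
    return [e for e in entries
            if any(all(term_matches(e, t) for t in g) for g in groups)]
```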
Lab Objectives
• Load a baseline configuration
• Create a local firewall administrator account
• Configure an LDAP Server Profile
• Configure a RADIUS Server Profile
• Configure an LDAP Authentication Profile
• Configure a RADIUS Authentication Profile
• Configure an Authentication Sequence
• Create non-local firewall administrator accounts
Base DN dc=panw,dc=lab
Bind DN cn=admin,dc=panw,dc=lab
• Use the information in the table below to create an LDAP Authentication Profile.
Name LDAP-Auth-Profile
Type LDAP
• Use the information in the table below to create a new administrator account that will be
authenticated by LDAP.
Name adminSally
Port 1812
• Use the information in the table below to create a RADIUS Authentication Profile.
Name RADIUS-Auth-Profile
Type RADIUS
• Use the information in the table below to create a new administrator account that will be
authenticated by RADIUS.
Name adminHelga
Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
The Allow List entries allow you to select individual members of the local database
if you wish to limit access to the firewall by specific administrators. By selecting all,
you allow any administrator accounts in the local database to access the firewall.
When you select Local-database for the Authentication Profile, there is no option to
enter a Password for the administrator. The password information for this account
is maintained in the Local-database on the firewall.
37. Log back into the firewall with adminBob as the Username and Pal0Alt0! as the
Password.
38. Close any Welcome windows that appear.
39. Select Monitor > System.
40. Look for an entry with Type auth.
If you do not see an entry in the System log indicating a successful authentication
for adminBob, you can create and apply a filter with ( subtype eq auth ) as
the syntax.
41. Note that the entry in the firewall system log indicates that adminBob was successfully
authenticated against the Local-database.
42. Log out of the firewall.
43. Log back into the firewall with the admin/Pal0Alt0! credentials.
If you do not see an entry in the System log indicating a successful authentication
for adminSally, you can use a filter ( subtype eq auth ) as the syntax.
83. Note that the entry in the firewall system log indicates that adminSally was
successfully authenticated against the LDAP-Auth-Profile.
84. Log out of the firewall.
85. Log back into the firewall with the admin/Pal0Alt0! credentials.
Note: Never use CHAP in a production environment because it is not secure. We are
using it in the lab for the sake of simplicity.
If you do not see an entry in the System log indicating a successful authentication
for adminHelga, you can use a filter ( subtype eq auth ) as the syntax.
122. Note that the entry in the firewall system log indicates that adminHelga was
successfully authenticated against the RADIUS-Auth-Profile.
Type Layer 3
IP 203.0.113.20/24
Type Layer 3
IP 192.168.1.1/24
Type Layer 3
IP 192.168.50.1/24
ethernet1/2
ethernet1/3
Destination 0.0.0.0/0
Interface ethernet1/1
Type Layer 3
Interface ethernet1/1
Type Layer 3
Interface ethernet1/2
Interface ethernet1/3
Name Allow-mgt
SSH
SNMP
Response Pages
Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
Note that the Link State indicator icons will remain gray until you commit the configuration.
The order in which you add these interfaces to the list is not important. You could
start by adding ethernet1/3 and the result will be the same. You are simply adding
the appropriate interfaces to this virtual router.
55. In the Virtual Router window, click the link on the side for Static Routes.
Zone names are case-sensitive! Make sure you are consistent throughout your
configuration process.
96. In the CLI connection to the firewall, use the ping command to check network
connectivity to a host in the Users_Net Security Zone by using the following command
at the admin@firewall-a> prompt:
admin@firewall-a> ping source 192.168.1.1 host 192.168.1.20
Note the syntax for this command. 192.168.1.1 is the IP address of ethernet1/2 on
the firewall. The command instructs the firewall to use that IP address on
ethernet1/2 to ping the host 192.168.1.20. If you do not use the source option, the
firewall uses its management interface address as the source IP.
98. Use the ping command to check connectivity to a host in the Extranet zone by using the
following command at the admin@firewall-a> prompt:
admin@firewall-a> ping source 192.168.50.1 host 192.168.50.150
99. Allow the ping to continue for three or four seconds and then use Ctrl+C to interrupt the
command:
101. Allow the ping to continue for three or four seconds and then use Ctrl+C to interrupt the
command:
102. After you have successfully tested network access from the firewall to each network
segment, close the Remmina SSH connection to the firewall by typing exit <Enter>.
103. Close the Remmina desktop application window.
108. Attempt to open an SSH connection to the firewall through 192.168.1.1 by issuing the
following command:
lab-user@client-a:~/Desktop/Lab-Files$ ssh admin@192.168.1.1 <Enter>
109. After a few seconds, use Ctrl+C to stop the connection because it will not succeed.
110. Leave the Terminal window open on the client because you will perform these same
tests after applying an Interface Management Profile to ethernet1/2.
151. Attempt to open an SSH connection to the firewall through 192.168.1.1 by issuing the
following command:
lab-user@client-a:~/Desktop/Lab-Files$ ssh admin@192.168.1.1 <Enter>
If you are prompted to accept an RSA key fingerprint, type yes <Enter>.
152. For password, enter Pal0Alt0! <Enter>.
153. The firewall will present the CLI interface.
154. Close the SSH connection to the firewall by typing exit <Enter>.
155. Close the Terminal window by typing exit <Enter>.
Application Any
Service application-default
Action Allow
Extranet
Application Any
Action Deny
• Use the information below to create another Security Policy rule to block traffic from
known bad IP addresses provided by Palo Alto Networks. Place this rule at the top of the
Security Policy, just below the Block-to-Known-Bad-Addresses rule.
Rule Name Block-from-Known-Bad-Addresses
Extranet
Application Any
Service application-default
Action Deny
Application Any
Action Allow
Application Any
Service application-default
Action Allow
Can you explain why your ping session from the client to the Internet host did not get a reply
even though the firewall is allowing the traffic?
Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
Later in this course, we will cover Applications and how to use them in Security
Policy rules.
When you create a new Security Policy rule, the Action is automatically set to
Allow. If you are creating a rule to block traffic, make sure you select the Actions
tab and change the Action before you commit the rule.
36. Choose Columns and note the available columns that you can hide or display in this
table.
Note: These changes are optional. You do not have to show or hide columns or
rearrange items in any of the firewall tables. However, you may find that there are
certain columns in certain tables that you never use, and you can hide them to
provide more room in the table. You may also find that there are certain columns
that you scan frequently, and you can move those to locations that are easier to
39. At the top of the Name column, click the drop-down icon again and choose Adjust
Columns.
40. This action will resize the displayed columns to best fit in the browser window.
54. Return to the firewall web interface and update the Security Policy rules table by
clicking the Refresh button in the upper right corner of the window.
63. From the terminal window on the desktop, ping an address on the internet by issuing the
following command:
lab-user@client-a:~/Desktop/Lab-Files$ ping 8.8.8.8 <Enter>
64. You will not get a reply, so after several seconds, use Ctrl+C to stop the ping.
65. Examine the traffic log again and use a simple filter to see if there are any entries for this
session that failed.
66. Select Monitor > Logs > Traffic.
67. In the filter field, enter the following text exactly as it appears here:
( addr.dst eq 8.8.8.8 )
Filters are case-sensitive, so be precise! Also note that there is a space after the opening
parenthesis and a space before the closing parenthesis.
69. The Traffic log will update the display but there are no matching entries.
84. You will not get a reply, so after several seconds, use Ctrl+C to stop the ping.
88. Click the Apply Filter button in the upper right corner of the window (or you can press
the Enter key).
89. The Traffic log will update the display and you should see entries matching the filter.
With Log at session end enabled, the firewall records hits on the internet-default
rule so that you can see information about sessions that miss all previous rules.
91. Click the X icon to clear the filter from the log filter text box.
Note that you are adding both internal zones to the Source Zone section of the rule.
When creating deny rules, Palo Alto Networks recommends setting the Service to
any instead of using application-default.
117. Create another rule to block traffic from known bad IP addresses.
118. In the Security Policy window, click Add.
119. For Name, enter Block-from-Known-Bad-Addresses.
120. For Description, enter Blocks traffic from known bad IP addresses to
Users and Extranet.
121. Select the Source tab.
122. Under the Source Zone section, click Add.
123. Select the Internet zone.
Note that you are adding both internal zones to the Destination Zone section of the
rule.
196. You will not get a reply, so after several seconds, use Ctrl+C to stop the ping.
200. Click the Apply Filter button in the upper right corner of the window (or you can press
the Enter key).
201. The Traffic log will update the display and you should see entries matching the filter.
202. You can see that the sessions are hitting the Users_to_Internet rule.
204. Write down your answer in the field shown or on notepaper in class.
Lab Objectives
• Configure source NAT
• Configure destination NAT
Parameter Value
Source Zone Users_Net
Destination Zone Users_Net
Destination Interface ethernet1/2
Service any
Destination Address 192.168.1.80
Translated Packet tab (Destination Address Translation section)
Parameter Value
Translation Type Static IP
Translated Address 192.168.50.80
Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
Parameter Value
Name Inside_Nets_to_Internet
NAT Type Verify that ipv4 is selected
Description Translates traffic from Users_Net and
Extranet to 203.0.113.20 outbound to
Internet
Parameter Value
Source Zone Click Add and select the Users_Net zone
Click Add and select the Extranet zone
Destination Zone Select Internet from the drop-down list
Destination Interface Select ethernet1/1 from the drop-down list
Service Verify that any is selected
Source Address Verify that the Any check box is selected
Destination Address Verify that the Any check box is selected
14. Click the Translated Packet tab and configure the following under the section for
Source Address Translation:
Parameter Value
Translation Type Select Dynamic IP And Port from the drop-down list
Address Type Select Interface Address from the drop-down list
Interface Select ethernet1/1 from the drop-down list
IP Address Select 203.0.113.20/24 from the drop-down list. (Make sure
that you select the interface IP address from the drop-down
list and do not type it.)
This section defines how the firewall will translate the packet.
Note: You are configuring only the Source Address Translation part of this window.
Leave the destination address translation Translation Type set to None.
28. Verify that there is allowed traffic that matches the Security Policy rule
Users_to_Internet:
Traffic log entries should be present based on the internet test. A minute or two
may elapse for the log files to be updated. If the entries are not present, click the
refresh icon:
Parameter Value
Name Type Dest_NAT_To_Webserver
Description Translates traffic to web server at
192.168.50.80
NAT Type Verify that ipv4 is selected
Parameter Value
Source Zone Click Add and select Users_Net
Destination Zone Select Users_Net from the drop-down list
Destination Interface Select ethernet1/2 from the drop-down list
Service Select any from the drop-down list
Destination Address Click Add and manually enter 192.168.1.80
33. Click the Translated Packet tab and configure the following:
Parameter Value
Translation Type Under Destination Address Translation, select Static IP from the
drop-down list
Translated Address Type 192.168.50.80 (address of the Extranet web
server)
The Translated Packet tab defines how the firewall will translate a matching packet.
Leave the Source Address Translation section set to None because we are
performing only destination translation in this exercise.
This process opens the Traffic log and applies a filter automatically to display only
those entries that match the Security Policy rule “Users_to_Extranet.”
48. Click the X icon to clear the filter from the log filter text box.
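The reason the destination NAT rule uses Users_Net as its destination zone, while the Traffic log shows the session hitting the Users_to_Extranet Security Policy rule, is that NAT rules match on pre-NAT zones (where the untranslated address routes) whereas Security Policy is evaluated against the post-NAT destination zone. The simulation below is an added example, not code from the lab guide or from PAN-OS; it reproduces that lookup order using the interface, route and NAT values from this guide, and assumes a source's zone can be found by routing its address (true for the directly connected lab subnets).

```python
import ipaddress

# Interface addresses, zone assignments and the default static route from the
# earlier labs (ethernet1/1 = Internet, ethernet1/2 = Users_Net, ethernet1/3 = Extranet).
INTERFACES = {
    "ethernet1/1": ("203.0.113.20/24", "Internet"),
    "ethernet1/2": ("192.168.1.1/24", "Users_Net"),
    "ethernet1/3": ("192.168.50.1/24", "Extranet"),
}
STATIC_ROUTES = [("0.0.0.0/0", "ethernet1/1")]

# The two NAT rules built in this lab, in policy order. Zones in a NAT rule are
# pre-NAT zones, so a destination-NAT rule names the zone the *untranslated*
# destination address routes to.
NAT_RULES = [
    {"name": "Inside_Nets_to_Internet", "from": {"Users_Net", "Extranet"}, "to": "Internet",
     "dst": "any", "src_xlate": "203.0.113.20", "dst_xlate": None},
    {"name": "Dest_NAT_To_Webserver", "from": {"Users_Net"}, "to": "Users_Net",
     "dst": "192.168.1.80", "src_xlate": None, "dst_xlate": "192.168.50.80"},
]


def egress_interface(ip):
    """Longest-prefix match over connected networks and static routes."""
    ip = ipaddress.ip_address(ip)
    routes = [(ipaddress.ip_network(addr, strict=False), name)
              for name, (addr, _zone) in INTERFACES.items()]
    routes += [(ipaddress.ip_network(net), name) for net, name in STATIC_ROUTES]
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def zone_of(ip):
    """Zone of the interface that a packet to or from this address uses (route lookup).
    Assumption of this example: source zones are derived the same way."""
    name = egress_interface(ip)
    return INTERFACES[name][1] if name else None


def translate(src_ip, dst_ip):
    """Simulate NAT matching for one new session and report the zones the
    Security Policy is evaluated against (post-NAT destination zone)."""
    src_zone, pre_nat_dst_zone = zone_of(src_ip), zone_of(dst_ip)
    result = {"rule": None, "src": src_ip, "dst": dst_ip,
              "policy_from": src_zone, "policy_to": pre_nat_dst_zone}
    for rule in NAT_RULES:
        if src_zone not in rule["from"] or rule["to"] != pre_nat_dst_zone:
            continue
        if rule["dst"] != "any" and rule["dst"] != dst_ip:
            continue
        result["rule"] = rule["name"]
        if rule["src_xlate"]:
            # Dynamic IP and Port: the source port is rewritten too (not modelled here).
            result["src"] = rule["src_xlate"]
        if rule["dst_xlate"]:
            result["dst"] = rule["dst_xlate"]
            # Security Policy sees the zone of the translated destination.
            result["policy_to"] = zone_of(rule["dst_xlate"])
        break  # the first matching NAT rule wins
    return result
```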
Lab Objectives
• Load a baseline configuration
• Generate application traffic
• Configure an application group
• Configure a Security Policy to allow update traffic
• Test the Allow-PANW-Apps Security Policy rule
• Identify shadowed rules
• Modify the Security Policy to function properly
• Test the modified Security Policy rule
Name paloalto-apps
Applications paloalto-dns-security
Name Allow-PANW-Apps
Applications paloalto-apps
Service application-default
Action Allow
Applications dns
ping
ssl
web-browsing
Research Applications
• Use the Application database on the firewall to research one of the three applications
below:
• dailymotion
• yammer-base
• scribd-base
• Answer the following questions about the application you have chosen to research:
• What category does the application fall into?
• What risk level has Palo Alto Networks assigned to the application?
• What are some of the characteristics of this application that might make you want
to block its use on your network?
Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
4. Click OK.
5. A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
9. Click Close to continue.
Name paloalto-apps
Applications paloalto-dns-security
paloalto-updates
paloalto-userid-agent
paloalto-wildfire-cloud
pan-db-cloud
Note that we are only adding a few of the Palo Alto Networks entries to this group
as an example of how to create an Application Group. The list you are building here
is not necessarily inclusive of all Palo Alto Networks applications that you might
need to allow in a production environment.
You can also use the Browse button in the Application Group window to add these
entries.
Applications paloalto-apps
To locate your paloalto-apps Application Group, start typing in the first few
letters of the group name, and the interface will display only those entries that
match. Application Groups appear at the very end of the Application list.
Action Allow
This tab only appears when you have a rule that shadows other rules. You will fix
the rule shadow issue in a later section of the lab.
This action instructs the firewall to check for Dynamic Content updates. The
application used by the firewall is called paloalto-updates and is one that you
included in the Application Group called paloalto-apps.
36. In the Tasks Manager – All Tasks window, scroll down to locate the most recent entry
for Commit under Type.
37. Click the link for Commit.
You may drag and drop the Allow-PANW-Apps entry to the correct location, or you
can use the Move button at the bottom to place the rule in the right spot.
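Rule shadowing is a consequence of top-down, first-match evaluation: a rule placed below a broader rule that already matches everything it could match will never be hit. The code below is an added example, not from the lab guide or from PAN-OS; it models the lab's rule set, reports which rule shadows Allow-PANW-Apps, and applies the fix of moving it up. The source zone Users_Net and destination zone Internet for Allow-PANW-Apps, and applying the lab's dns/ping/ssl/web-browsing list to Users_to_Internet, are assumptions of this example; only zones and applications are compared, whereas the firewall's own shadow check also considers addresses, users and services.

```python
ANY = "any"

PANW_APPS = ["paloalto-dns-security", "paloalto-updates", "paloalto-userid-agent",
             "paloalto-wildfire-cloud", "pan-db-cloud"]

# Rules in the order that produces the shadow warning: the new Allow-PANW-Apps
# rule sits at the bottom, below a rule that already allows any application.
POLICY = [
    {"name": "Users_to_Internet", "from": ["Users_Net"], "to": ["Internet"],
     "application": ANY, "action": "allow"},
    {"name": "Users_to_Extranet", "from": ["Users_Net"], "to": ["Extranet"],
     "application": ANY, "action": "allow"},
    {"name": "Allow-PANW-Apps", "from": ["Users_Net"], "to": ["Internet"],
     "application": PANW_APPS, "action": "allow"},
]

FIELDS = ("from", "to", "application")


def covers(a_value, b_value):
    """True if rule A's value for one field matches everything rule B's value does."""
    if a_value == ANY:
        return True
    if b_value == ANY:
        return False
    return set(b_value) <= set(a_value)


def shadowed_by(rules, index):
    """Name of the first earlier rule that matches every session the rule at
    `index` could match, or None."""
    target = rules[index]
    for earlier in rules[:index]:
        if all(covers(earlier[f], target[f]) for f in FIELDS):
            return earlier["name"]
    return None


def shadowed_rules(rules):
    """Map each shadowed rule name to the name of the rule that shadows it."""
    found = {}
    for i, rule in enumerate(rules):
        by = shadowed_by(rules, i)
        if by:
            found[rule["name"]] = by
    return found


def first_match(rules, src_zone, dst_zone, app):
    """Top-down first-match lookup. Unmatched traffic between different zones
    falls to the implicit interzone-default rule, which denies it."""
    for rule in rules:
        checks = ((rule["from"], src_zone), (rule["to"], dst_zone), (rule["application"], app))
        if all(value == ANY or item in value for value, item in checks):
            return rule["name"], rule["action"]
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def fixed_policy():
    """The lab's fix: move Allow-PANW-Apps above Users_to_Internet. Narrowing
    Users_to_Internet to specific applications is this example's assumption."""
    fixed = [dict(r) for r in POLICY]
    panw = next(r for r in fixed if r["name"] == "Allow-PANW-Apps")
    fixed.remove(panw)
    fixed.insert(0, panw)
    for r in fixed:
        if r["name"] == "Users_to_Internet":
            r["application"] = ["dns", "ping", "ssl", "web-browsing"]
    return fixed
```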
Excluding the dns application from the display will make it easier for you to see
other applications in use on the network.
You should see entries for a variety of applications. Some of the entries will be
recognizable and others will be for applications you may never have heard of.
62. Use the information in the columns for Application, Action and Rule to answer the
following questions. You can also use filters to help you find the answers from the
Traffic log.
• Are there any applications that you should not allow from the Users_Net zone to the
Extranet zone?
There is no right or wrong answer to this question.
Whether the list of allowed applications is ‘correct’ or not depends on your environment
and the applications and services running on the destination servers.
FTP is an insecure application, and you might be tempted to deny it. However, your
organization may have an old process in place that relies on FTP to transfer files. Denying
FTP would break that process, so be careful.
You can use the output of the Traffic log to identify the kinds of applications in use in your
network. You can then research the applications in question to make an informed decision
about them. You can also use the source and destination information to find out more about
why an application is in use.
• Are there any applications being denied from the Users_Net zone that you should allow?
Research Applications
Now that you have access to detailed information about the applications in use in the network,
you can use tools available from Palo Alto Networks to help answer the questions at the end of
the last section. In this section, you will locate one application and find out more information
about it so you can make an informed decision about whether to allow it onto your network or
not.
63. In the Traffic log, locate the entry for one of the three applications listed below:
• dailymotion
• yammer-base
• scribd-base
Note that you can use the navigation buttons at the bottom of the window, or you
can create and apply a filter to locate the application entries.
64. Use the Applications database to find details about the application you have chosen to
research.
65. Select Objects > Applications.
66. In the Search field, enter the name of the application as it appears in the Traffic log.
67. Click the magnifying glass icon to search.
• What risk level has Palo Alto Networks assigned to the application?
The Risk level will be listed under the Classification section on a scale of 1 (Safe) to 5 (Very
Risky).
• What are some of the characteristics of this application that might make you want to
block its use on your network?
Under the Characteristics section of the window you can see a list of traits for the application. A
Yes answer for a characteristic increases the risk rating of that application.
Note – when you add the dropbox application, the web interface adds an entry to
the Depends On column for the google-base application.
• ms-office365
89. When complete, the Applications list should have seven entries and the Depends On
list should have multiple entries.
Note that the list of applications in the Depends On column may differ from the
example shown here. Palo Alto Networks updates application definitions
frequently, and in many cases an existing application will require additional
applications to work correctly.
90. Place the check box next to Depends On to select all items in that column.
91. Click Add to Current Rule.
101. When the script is complete, press ENTER to close the window.
102. Examine the Traffic log by selecting Monitor > Logs > Traffic.
103. Clear any filters you may have in place.
104. Create and apply a filter to display sessions that the firewall has blocked:
( action neq allow )
This filter will allow you to see the applications that have been blocked.
Many of the applications are now being blocked by the interzone-default rule. Remember that
any application that is not explicitly allowed in a Security Policy rule will be blocked by the
interzone-default rule.
The entries you see will differ from the example shown here.
106. Clear the filter in the Traffic log.
Note: Be sure to type in the URL as shown above – include http as the protocol for
the request.
109. The browser will not be able to connect and will eventually time out (note that you do
not have to wait until you receive the time out message before continuing to the next
step).
110. Close the Chrome browser.
111. In the firewall web interface, select Device > Response Pages.
112. Under the Action column in the row for Application Block Page, click the link for
Disabled.
113. Place a check in the box for Enable Application Block Page.
121. The firewall will present a web page indicating that the application has been blocked.
You can customize this page to include additional information if necessary. This is the default
page that the firewall presents.
Note: Response Pages must also be enabled on the Interface Management Profile
assigned to the firewall interface that must send the response. This was completed
in an earlier lab.
Note that there are limitations to the Application Block Page. The firewall cannot
present the page to a user when the browser session is encrypted using HTTPS,
because injecting a page into that session would break the encrypted connection
between the client and the destination server.
However, you can configure and enable decryption on the firewall (which we cover
in a later module). With decryption enabled, the firewall can present the
Application Block Page to a web browser when a user attempts to access a blocked
application.
The firewall has a Security Policy rule that allows users in the Acquisition zone to access any
application on the Internet.
In this lab, you will build and apply a set of Security Profiles that will watch for and block
known threats from the users in this Acquisition zone.
Lab Objectives
• Load a baseline configuration
• Generate traffic without Security Profiles and examine logs
• Create Security Profiles
• Create a Security Profile Group
• Apply the Security Profile Group to existing Security Policy rules
• From a Terminal window on the Client-A host, use the following command to generate a
DNS query using dig to resolve a hostname to an IP address:
dig @8.8.8.8 www.quora.com
The command should return a public IP address, indicating that the hostname resolves normally.
• Leave the Terminal Emulator window open because you will use it again later in this lab
• In the firewall web interface, examine the Threat Log
• You should have no significant entries in the Threat Log
Parameter Value
Name US-SSNs
Name Corp-DataFilter
Alert Threshold 1
Block Threshold 3
Name malicious-domains-edl
Source http://192.168.50.80/malicious-domains.txt
(The EDL contains the domains quora.com and producthunt.com.)
Leave the URL Filtering Profile and the WildFire Analysis Profile set to none for this
lab. We will examine both of those Security Profiles in more detail later in the
course.
Lab Clean-Up
• Close the SSH connection to the firewall
• Close the Remmina desktop application window
• Close the Terminal Emulator window on the workstation desktop
Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
4. Click OK.
5. A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
9. Click Close to continue.
Note that you may receive messages in the Commit window about App
Dependencies. In a production environment, you should examine the messages and
use the information provided to add the missing applications to the appropriate
rules. These dependencies result from changes in Application definitions that are
released each month.
11. In the Remmina Remote Desktop Client window, double-click the entry for Server-Extranet:
The download should succeed. This filetype is one that you will block when you
configure the firewall with a File Blocking Profile.
This action saves the malicious tar file to the client Downloads folder.
20. In Chrome, open a new tab.
21. Browse to the following URI:
http://192.168.50.80/companyssns.txt
22. The browser will display the file:
Note that the IP address you see may differ from this example.
27. Leave the Terminal Emulator window open because you will use it again later in this
lab.
28. In the firewall web interface, select Monitor > Threats.
29. You should have no significant entries in the Threat Log.
Name malicious-domains-edl
Source http://192.168.50.80/malicious-domains.txt
(The EDL contains the domains quora.com and producthunt.com.)
This page indicates that the firewall has blocked the file using the File Blocking
Profile you defined.
If Chrome prompts you to save the file, clear the browser cache (Settings > Privacy
and Security > Clear browsing data and click Clear Data). Close Chrome and try the
test again.
This page indicates that the firewall has blocked the transfer using the Data Filtering
Profile and Data Pattern you defined for Social Security Numbers.
This indicates that the firewall has intercepted and sinkholed the DNS query using
the DNS Sinkholing function in your Anti-Spyware Profile.
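To make the sinkhole result above concrete, here is an added Python model of the decision the Anti-Spyware Profile makes for the EDL-listed domains; it is written for this guide and is not firewall code. The EDL text is a constructed copy of the lab's two-entry list, the sinkhole address is a constructed documentation-range value (the profile's real setting may differ), and the comment handling and subdomain matching are assumptions; the subdomain matching mirrors the lab, where a query for www.quora.com is sinkholed by an entry of quora.com.

```python
from typing import Dict, List, Optional, Set

# Constructed copy of the lab's domain EDL (the real file lives on the Extranet
# server at http://192.168.50.80/malicious-domains.txt). Comment and blank-line
# handling is an assumption made for this example.
MALICIOUS_DOMAINS_TXT = """# malicious-domains.txt (constructed for this example)
quora.com

producthunt.com
"""

# Constructed sinkhole address (RFC 5737 documentation range); the Anti-Spyware
# profile's actual sinkhole setting may differ.
SINKHOLE_IPV4 = "198.51.100.1"


def parse_domain_edl(text: str) -> Set[str]:
    """One domain per line; lowercase, ignore blanks, '#' comments and a trailing dot."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            domains.add(entry)
    return domains


def listed_domain(qname: str, edl: Set[str]) -> Optional[str]:
    """Return the EDL entry that covers qname, or None.

    The lab resolves www.quora.com against an entry of quora.com, so this
    example matches a name and any of its subdomains (suffix match at a label
    boundary); whether the firewall does that depends on the EDL configuration.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in edl:
            return candidate
    return None


def answer_query(client_ip: str, qname: str, real_answer: str,
                 edl: Set[str]) -> Dict[str, str]:
    """Model the sinkhole decision for one DNS query seen by the firewall.

    A query for a listed domain gets the sinkhole address instead of the real
    record and produces a threat-log style record; anything else passes.
    """
    hit = listed_domain(qname, edl)
    if hit is None:
        return {"answer": real_answer, "action": "allow", "src": client_ip,
                "qname": qname, "threat": ""}
    return {"answer": SINKHOLE_IPV4, "action": "sinkhole", "src": client_ip,
            "qname": qname, "threat": f"spyware: malicious-domains-edl entry {hit}"}


def hosts_contacting_sinkhole(traffic_log: List[Dict[str, str]]) -> Set[str]:
    """Why sinkhole rather than just block: the client that later connects to
    the sinkhole address identifies itself in the Traffic log, even when its
    queries went through an internal resolver and only the resolver's IP
    appeared in the DNS query."""
    return {row["src"] for row in traffic_log if row["dst"] == SINKHOLE_IPV4}


if __name__ == "__main__":
    edl = parse_domain_edl(MALICIOUS_DOMAINS_TXT)
    for q in ("www.quora.com", "www.paloaltonetworks.com", "producthunt.com."):
        print(answer_query("192.168.1.20", q, "203.0.113.50", edl))
    # Constructed Traffic log rows seen after the sinkholed answer was used.
    traffic = [
        {"src": "192.168.1.20", "dst": SINKHOLE_IPV4, "app": "web-browsing"},
        {"src": "192.168.1.21", "dst": "203.0.113.50", "app": "ssl"},
    ]
    print(hosts_contacting_sinkhole(traffic))
```

The second function is the part worth remembering: after the dig test succeeds, the client's follow-up connection to the sinkhole address is what lets you find the infected host in Monitor > Logs > Traffic.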
136. In the firewall web interface, select Monitor > Logs > Threat.
137. The Threat Log should contain numerous entries for spyware and vulnerabilities:
These entries indicate that the firewall has blocked malicious traffic using the Vulnerability and
Anti-Spyware Profiles that you defined. Note that the entries you see in the Threat Log may
The table may not contain very many entries until the malwareattacks script is
finished. Use the refresh button periodically to update the table.
Lab Clean-Up
138. On the workstation desktop, locate the Remmina SSH connection to the Extranet server.
139. Type exit <Enter> to close the session.
140. Close the Remmina desktop application window.
141. Locate the open Terminal Emulator window on the workstation desktop.
142. Type exit <Enter> to close the window.
Lab Objectives
• Test access to inappropriate web content without URL blocking in place
• Create a Security Policy rule to block inappropriate web content using the URL Category
• Test the Security Policy rule and examine the results
• Disable the Security Policy rule
• Create and apply a URL Filtering Profile to block access to a malicious URL
• Test the Security Profile and examine the results
Application Any
Service application-default
Action Deny
Name Block-Per-Company-Policy
Name malicious-urls-edl
Source http://192.168.50.80/malicious-urls.txt
(The EDL contains only the URL duckduckgo.com)
Block Access to the URL List with a Security Policy Rule
• Add the malicious-urls-edl to the URL Category of the Block-Bad-URLs Security
Policy rule.
• Enable the Block-Bad-URLs Security Policy rule
Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
4. Click OK.
5. A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
9. Click Close to continue.
11. On the client desktop, open Chrome and browse to http://www.hacker9.com, which
belongs to the URL category hacking.
The browser should display a valid webpage.
12. In Chrome, browse to http://www.hidester.com/proxy, which belongs to the
URL category proxy-avoidance-and-anonymizers.
The browser should display a valid webpage.
13. Close the Chrome browser window.
21. Click the Application tab and verify that Any is selected.
22. Click the Service/URL Category tab and configure the following:
Parameter Value
Service application-default
Note: you can type in the first few letters of a category to locate each one more
quickly.
Action Deny
26. Select Move > Move Top to move the Block-Bad-URLs rule to the top of the Security
Policy:
Although this page says the Application web-browsing has been blocked, the
firewall is actually blocking the site based on its category – hacking. The firewall
uses this page to inform users that the firewall has blocked a web page deliberately.
You will see a different message when the firewall blocks a page using a URL
Filtering Profile.
Site Access Configure the block action for the following URL categories:
adult
command-and-control
copyright-infringement
extremism
hacking
high-risk
malware
nudity
parked
peer-to-peer
phishing
proxy-avoidance-and-anonymizers
questionable
unknown
Note that several columns have been hidden or rearranged in the example shown here.
Notice that the information provided in this page provides more details than what
the firewall displayed when it blocked the same website using the Block-Bad-URLs
Security Policy rule.
This block page includes the actual URL and the Category that the site belongs to.
Notice that the Security Policy rule listed is Users_to_Internet and that the Action
for each entry is allow.
The Security Policy rule is not blocking the URL category of hacking. The blocking
process happens as part of the URL Filtering Profile inspection.
Note that several columns have been hidden or rearranged in the example shown here.
76. Note that the action for these sessions is block-url, which is carried out by the URL
Filtering Profile.
77. Clear the filter in the URL Filtering log.
Name Block-Per-Company-Policy
Note that several default columns have been hidden in the example URL Filtering log file shown
here.
102. Notice that the Category listed for each of the entries is the Block-Per-Company-Policy.
Note that you are disabling this rule so that it does not interfere with the
Users_to_Internet rule which allows traffic but applies the URL Filtering Profile.
117. In the Firefox browser, open a new tab and connect to www.theguardian.com.
The browser should display the Web Page Blocked page again.
118. Close the Firefox tabs for www.nbcnews.com and www.theguardian.com.
Name malicious-urls-edl
Source http://192.168.50.80/malicious-urls.txt
(The EDL contains several URLs for testing purposes - duckduckgo.com is
one of them)
Note that several default columns have been hidden in the example URL Filtering log file shown
here.
145. In the web interface, select Policies > Security.
146. Highlight the entry for Block-Bad-URLs but do not open it.
147. Click Disable at the bottom of the window.
• Click Add in the bottom left corner and configure the following:
Profile Details Value
Name All_Files
Applications any
File Types any
Direction Both
Analysis public-cloud
Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
4. Click OK.
5. A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
9. Click Close to continue.
Parameter Value
Name Corp-WF
Description WildFire profile for Corp security rules.
13. Click Add in the bottom left corner and configure the following:
Parameter Value
Name All_Files
Applications Verify that any is selected
File Types Verify that any is selected
Direction Verify that both is selected
This site generates an attack file with a unique signature that simulates a zero-day attack.
31. Close the Chrome browser.
32. On the client desktop, open the Remmina application.
33. Open the Firewall-A connection.
34. From the CLI, enter the command debug wildfire upload-log show.
The command should display the output log: 0, filename: wildfire-test-pe-file.exe processed…. This output verifies that the file was uploaded to the WildFire public
cloud. The message might take a minute or two to display.
38. Periodically use the Refresh button in the upper right corner of the window until
you see a new entry for the wildfire-test-pe-file.exe.
Note that in this example several default columns have been hidden, and the details of the entry
you see will differ.
39. Click the magnifying glass icon next to the entry to open the Detailed Log View of the
entry.
Note that the details of the entry you see will differ from this example.
41. Click the tab labeled Wildfire Analysis Report at the top of the Detailed Log View.
42. Click the link for Download PDF.
Note that the information you see in your report may vary from the example shown here.
44. Scroll through the report to view detailed information about the Wildfire analysis of the
file.
Lab Objectives
• Examine current configuration
• Enable User-ID technology on the Acquisition zone.
• Generate traffic
• Modify Security Policy to meet requirements
Destination IP Any
Application Any
Action Allow
Allowed-Corp-Apps dns
web-browsing
ssl
Allowed-Mktg-Apps facebook-base
instagram-base
twitter-base
myspace-base
linkedin-base
Name Allow-Mktg-Apps
Application Allowed-Mktg-Apps
Action Allow
Name Deny-All-Others
Application Any
Action Deny
Which rule does the firewall use when it encounters dns traffic?
Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
4. Click OK.
5. A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
This Security Policy rule allows any host in the Acquisition security zone to access any
application anywhere.
21. Clear the counters for all Security Policy rules by clicking Reset Rule Hit Counter >
All rules at the bottom of the window.
You will configure the firewall to allow all users in the Acquisition zone to use the Allowed-Corp-Apps. However, only users in the Marketing group will be able to use applications in the
Allowed-Mktg-Apps group.
28. Run the following command to start generating traffic in the Acquisition Zone:
./Appgenerator-2.sh <Enter>
29. While the script is running, examine the firewall Traffic log under Monitor > Logs >
Traffic.
30. Clear any filters you may have in place.
31. Note that almost all traffic is hitting the Acquisition-Allow-All Rule.
32. If the Source User column is not already displayed, add it to the table by clicking the
small triangle in any header and choosing Columns > Source User.
This action will make it easier for you to locate Source User information later in this lab. Note
that the Source User column will be empty because you have not yet enabled User-ID.
This action will select all the individual applications under the DEPENDS ON column. Note that
the list of applications in the Depends On column may differ from the example here.
61. Click Add to Current Rule to add these applications to this Security Policy rule.
Note that you do not need to specify any users or user groups under the Source User column.
Because the drop-down list is set to any, this rule will deny traffic to any user, regardless of
group membership.
73. Select the tab for Application and verify that Any is checked.
Note that the entries you see will differ from this example.
90. On the client desktop, locate the main window for the Remmina application.
95. When you have finished examining the User-ID information, type exit <Enter> to
close the firewall SSH connection.
Answer: Deny-All-Others
Question: Which rule does the firewall use when it encounters dns traffic?
Hint: Use the filter ( app eq dns )
Answer: Allow-Corp-Apps (in some cases, you may also see Users_to_Extranet)
Question: Which rule does the firewall use when it encounters facebook-base?
Answer: Yes
Answer: No
Right now, you do not have budget funds available to build a corporate PKI infrastructure to
generate a decryption certificate from a CA (certificate authority). However, you can generate a
self-signed CA certificate on the Palo Alto Networks firewall and deploy that for decryption
Lab Objectives
• Load a lab configuration
• Test the firewall without decryption
• Create a self-signed certificate for trusted connections
• Create a self-signed certificate for untrusted connections
• Create and test a Decryption Policy rule for outbound traffic
• Test outbound Decryption Policy rule
• Export the firewall certificate and import to Firefox
• Test outbound Decryption Policy again
• Review firewall logs
• Exclude URL categories from decryption using a No-Decrypt rule
• Test the No-Decrypt rule
Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
4. Click OK.
5. A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
9. Click Close to continue.
12. Close the Firefox tab for the eicar file download.
13. In the firewall web interface, navigate to Monitor > Logs > Threat.
Because the connection between the client and the server is not encrypted, the firewall is able
to examine the traffic and block malicious content.
15. In Firefox, open a new tab and browse to https://192.168.50.80/eicar.com.
16. If Firefox presents a Warning window, click the Advanced button.
The web server is using a self-signed SSL certificate, which is why Firefox presents this warning.
Notice that the download is not blocked because the connection is encrypted, and the virus is
hidden. This exercise proves that without Decryption, the firewall is unable to examine the
contents of a secure connection and cannot scan for malicious content.
19. Close the Firefox tab for the eicar file download.
Parameter Value
Certificate Name trusted-cert
Common Name 192.168.1.1
Certificate Authority Select the Certificate Authority check box
This action instructs the firewall to use this certificate to decrypt traffic between clients and
sites which have a trusted HTTPS certificate.
Note that the dates for Not Valid Before and Not Valid After will be different for your certificate.
29. Click OK.
Parameter Value
Certificate Name untrusted-cert
Common Name DO NOT TRUST
33. Leave the remaining settings unchanged and click Generate to create the certificate.
A Generate Certificate status window should open that confirms that the certificate and key
pair were generated successfully.
34. Click OK to close the Generate Certificate success window.
35. You should have a new entry in the Device Certificates table.
36. Edit the entry for untrusted-cert by clicking it.
37. Place a check in the box for Forward Untrust Certificate.
This action instructs the firewall to use this certificate when it encounters a site that is not
trusted – one that has a self-signed certificate, for example.
Note that the dates for Not Valid Before and Not Valid After will be different for your certificate.
39. Click OK.
40. You should now have two entries in the Device Certificates table:
Note that the dates for Expires will be different for your certificates.
Note that the Any setting for URL category instructs the firewall to decrypt all HTTPS traffic,
regardless of the type of website users are accessing. Decrypting traffic from users to website
categories such as Health and Medicine, Shopping or Government can expose Personally
Identifiable Information (PII). In a production environment, you will need to make sure you only
decrypt traffic that is appropriate.
Later in this lab, you will exclude several categories of websites as an illustration.
47. Click the Options tab and configure the following:
Parameter Value
Action Decrypt
Type Verify that SSL Forward Proxy is selected
Decryption Profile Select default
Note that several columns have been hidden or rearranged in the example shown here.
77. In the Downloading Certificate window, place checks in both boxes for Trust this CA
to …
The Firefox browser will trust any certificate issued by the entities in this Authorities list. By
adding the firewall certificate to this list, the Firefox browser will trust any certificates issued by
the firewall. Note that the process of importing certificates to client workstations varies based
on the browser type and the operating system.
If the certificate for 192.168.1.1 does not appear at the top of the list, click OK and then click
View Certificates again.
80. Click OK to close the Certificate Manager window.
81. Close Firefox.
82. Open Firefox and browse to https://www.paloaltonetworks.com.
83. Notice that you do not get any warning messages about certificates.
You can tell that the firewall has intervened in this connection and presented the Forward
Untrust certificate you created.
89. Close the tab for Certificate for 192.168.50.80.
92. You will see the default page for the web server in the Extranet:
93. Attempt to download the virus file by appending eicar.com to the end of the link
https://192.168.50.80/eicar.com <ENTER>
94. The connection will not succeed, and you will receive a message from the browser:
100. Drag and drop the Session End Reason column from the right side of the table to the
beginning of the table:
The details you see will differ from the example shown, but you should see similar information.
105. Select Monitor > Logs > Threat.
108. Click the magnifying glass icon next to the entry for vulnerability.
109. In the top portion of the window, scroll down until you can see the Details section in the
middle column.
110. You can see information about the file that the firewall detected and blocked:
Note the ID number 39040 and the link View in Threat Vault. The ID number is a unique value
assigned to each threat by Palo Alto Networks. Threat Vault is an online database maintained by
Palo Alto Networks with extensive information about each threat. Access to Threat Vault
requires a support account.
111. In the bottom of the window, highlight an entry with Type vulnerability to see more
information about why the firewall terminated this connection.
The answer is yes. They are in the wrong order. All traffic will match the first rule
Decrypt_Users_Traffic because the URL category is set to any. The firewall will therefore never
proceed beyond the first rule to implement the second rule, which instructs the firewall to
exclude financial-services, government and shopping websites from decryption.
132. Highlight the No-Decryption rule entry (but do not open it).
133. At the bottom of the window, click Move > Move Top.
Always place no-decrypt rules at the beginning of the Decryption Policy table.
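Both the decryption rule ordering problem just described and the earlier App-ID/User-ID lab (Allow-Corp-Apps, Allow-Mktg-Apps, Deny-All-Others, with the Marketing group restriction) come down to top-down, first-match evaluation. The following Python is an added example written for this guide, not firewall code: the rule and object names are the lab's, while the user-to-group mapping, the session records and the simplified match criteria (application group, source user group, URL category only) are assumptions made for the illustration.

```python
from typing import Dict, List, Optional, Set

ANY = "any"

# Constructed rule tables. Rule and object names are the lab's; the group
# name and the session records are made up for this example.
APP_GROUPS: Dict[str, Set[str]] = {
    "Allowed-Corp-Apps": {"dns", "web-browsing", "ssl"},
    "Allowed-Mktg-Apps": {"facebook-base", "instagram-base", "twitter-base",
                          "myspace-base", "linkedin-base"},
}

SECURITY_POLICY: List[dict] = [
    {"name": "Allow-Corp-Apps", "application": "Allowed-Corp-Apps",
     "source_user": ANY, "action": "allow"},
    {"name": "Allow-Mktg-Apps", "application": "Allowed-Mktg-Apps",
     "source_user": {"chicago\\marketing"}, "action": "allow"},
    {"name": "Deny-All-Others", "application": ANY,
     "source_user": ANY, "action": "deny"},
]

# The two decryption rules from the lab, in the order the lab says is wrong.
DECRYPTION_POLICY_WRONG_ORDER: List[dict] = [
    {"name": "Decrypt_Users_Traffic", "url_category": ANY, "action": "decrypt"},
    {"name": "No-Decryption",
     "url_category": {"financial-services", "government", "shopping"},
     "action": "no-decrypt"},
]


def rule_matches(rule: dict, session: dict) -> bool:
    """Every criterion present in the rule must match; 'any' matches everything."""
    apps = rule.get("application", ANY)
    if apps != ANY and session["app"] not in APP_GROUPS.get(apps, {apps}):
        return False
    users = rule.get("source_user", ANY)
    if users != ANY and not (session.get("groups", set()) & users):
        return False
    cats = rule.get("url_category", ANY)
    if cats != ANY and session.get("url_category") not in cats:
        return False
    return True


def first_match(policy: List[dict], session: dict) -> Optional[dict]:
    """Top-down, first-match evaluation: the first matching rule decides."""
    for rule in policy:
        if rule_matches(rule, session):
            return rule
    return None


def move_top(policy: List[dict], name: str) -> List[dict]:
    """Return a copy of the policy with the named rule moved to the top
    (what Move > Move Top does in the web interface)."""
    moved = [r for r in policy if r["name"] == name]
    rest = [r for r in policy if r["name"] != name]
    return moved + rest


if __name__ == "__main__":
    corp_user = {"app": "dns", "groups": {"chicago\\domain users"}}
    mktg_user = {"app": "facebook-base", "groups": {"chicago\\marketing"}}
    other_user = {"app": "facebook-base", "groups": {"chicago\\domain users"}}
    for s in (corp_user, mktg_user, other_user):
        print(s["app"], sorted(s["groups"]), "->", first_match(SECURITY_POLICY, s)["name"])

    bank = {"app": "ssl", "url_category": "financial-services"}
    print("wrong order:", first_match(DECRYPTION_POLICY_WRONG_ORDER, bank)["name"])
    fixed = move_top(DECRYPTION_POLICY_WRONG_ORDER, "No-Decryption")
    print("fixed order:", first_match(fixed, bank)["name"])
```

With the rules in the order the lab first creates them, a financial-services session matches Decrypt_Users_Traffic and is decrypted; after move_top the same session matches No-Decryption, which is why the guide says to keep no-decrypt rules at the top of the table.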
The Certificate details you see may vary from this example because we are testing with live
websites that may change.
144. Click View Certificate:
Lab Objectives
• View threat information using the Dashboard
• View application information using the Dashboard
• View threat information using the ACC
• View application information using the ACC
• View threat information using the Threat log
• View application information using the Traffic log
• View threat information using App Scope reports
• View threat information using predefined reports
• View application information using predefined reports
• View threat and application information using custom reports
Generate Traffic
• Use the Remmina application to connect to the Server-Extranet host
• Run the traffic generating script by entering the following commands:
cd ~ <ENTER>
./UsingLogs-V1.sh <Enter>
• Allow the script to run uninterrupted
• In the Global Filters area, click Clear all to remove the global filter
• On the Threat Activity tab, determine what widgets you would use to see which hosts
have either visited or resolved a malicious DNS domain
• In the Rule Usage widget, use the Jump to Logs button to open the Traffic Log
Note the log filters that have been applied automatically to the Traffic log
Connector and
Attribute Severity
Value high
This configuration filters the log to display only critical-severity and high-severity threats
Connector and
Operator equal
Value chicago\escrooge
This configuration filters the log to display threats coming from only this user.
Connector and
Operator equal
Value Acquisition
This configuration filters the log to display only application traffic that is sourced from the
Acquisition zone.
• Use the Add Log Filter to modify the existing source zone filter to filter on the
Users_Net zone instead of the Acquisition zone.
• Use the Add Log Filter to update the filter to include the following information:
Parameter Value
Connector and
Attribute Application
Operator equal
Value web-browsing
• Expand the list of URL Filtering Reports and select the entry for Web Sites
Note that you may need to click different dates until you see a report with data
Selected Columns In top-down order, select Source Zone, Application, Bytes, and Action
The report will list each internal zone along with the applications seen coming from each zone.
Because only four zones are available in the lab environment, grouping of the data into a
maximum of five groups is enough to display all zones. Sorting the applications list in each zone
by the top 100 sessions should display all applications associated with a source zone.
• Use the Filter Builder button to create a filter with the following characteristics:
Parameter Value
Connector and
Value Internet
Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
5. Click OK.
A window should open that confirms that the configuration is being loaded.
6. Click Close.
7. Click the Commit link at the upper right of the web interface:
8. Click Commit again and wait until the commit process is complete.
9. Click Close to continue.
Generate Traffic
In this section, you will generate simulated attacks, web browsing and application traffic to
populate firewall logs.
10. On the client workstation, open the Remmina application.
11. Double-click the entry for Server-Extranet.
12. At the prompt, enter the following command:
./UsingLogs-V1.sh <Enter>
13. Press Enter again to begin the process.
14. Allow the script to run uninterrupted.
15. Minimize the Remmina application window.
Depending on activity in your lab environment in the last hour, you might not see threat entries.
This widget is useful for viewing only the most recent threats detected by the firewall. Here is an
example:
Depending on activity in your lab environment in the last hour, you might see URL entries. This
widget is useful for viewing only the most recent URLs seen by the firewall.
The entries you see will differ from the examples shown here.
22. Are any files displayed in the Data Logs widget? It can display the 10 most recent files
detected by the firewall in the last hour.
Depending on activity in your lab environment in the last hour, you might not see file entries.
This widget is useful for viewing only the most recent file transfers seen by the firewall.
The information you see will differ from the examples shown here.
26. Click Widgets and select Application > Top High Risk Applications.
A Top High Risk Applications widget should appear on the Dashboard.
Applications with a risk level of 4 are shown in orange. Applications with a risk level of 5 are
shown in red. These rankings come from Palo Alto Networks. The information you see will differ
from the examples shown here.
31. On the left side of the ACC window, click the Time drop-down menu and select Last 7
Days. This value configures all the widgets to display threat information for the last
seven days:
32. Do you see any threats listed in the Threat Activity widget?
You should see some combination of flood, scan, spyware, packet, vulnerability, and virus
threats displayed in a graph. Next to each entry should be the number of occurrences of these
threat types that the firewall has seen in the last seven days. More detail about the threats
should be displayed in a table below the graph:
The entries you see will differ from the examples shown here.
This action adds the critical severity level as a Global filter for the ACC. Global filters are applied
to every widget on the ACC. Global filters are useful for quickly pivoting your search on a specific
piece of information, thus causing all widgets to display only information that is relevant to a
specific object or threat.
34. Did the widget’s table change to display only threats that have a critical severity level?
The widget should have changed to display only critical severity level threats. The graph will also
change to display only threats that match the filter.
35. Find the global filter on the left side of the ACC window.
36. Was critical added as a global filter condition?
The entries you see will differ from the examples shown here.
38. In the Global Filters area, click Clear all to remove the global filter.
The global filter should be removed, and all widgets should be refreshed to include all threats
detected in the last seven days.
39. On the Threat Activity tab, which widgets would you use to see which hosts have either
visited or resolved a malicious DNS domain? Make a guess based on the widget names.
The answer is: Hosts Visiting Malicious URLs and Hosts Resolving Malicious Domains.
Think of this as a sort of square pie-chart. The entries you see will differ from the examples
shown here.
44. Hover your pointer over the section for web-browsing.
This action displays a summary window with information about that application. The
information you see will differ from the examples shown here.
The entries you see will differ from the examples shown here.
49. Which Security Policy rules have allowed web-browsing traffic?
The widget should display only those rules that have allowed web-browsing traffic in the last
seven days because the widget is filtered by the web-browsing application in the global filter
and the ACC time range setting.
There should be a time range filter and an application filter for web-browsing. The time range
filter is derived from the time specified in the ACC. The entry you see will differ from the
example shown here.
53. Note that the entries displayed in the Traffic log match the filter:
59. Click the + icon in the filter area to open the Add Log Filter window:
Connector and
Attribute Severity
Value high
This configuration filters the log to display only critical- and high-severity threats.
61. Click Add to add the in-progress filter to the top pane of the Add Log Filter’s window:
As you become more familiar with filter syntax, you can simply type the filter directly into the
filter field and forego using the filter builder.
63. With the filter string in the log filter text box, click the right arrow icon to apply the
filter to the Threat log:
64. Has the Threat log been filtered to display only threats of high severity or greater?
It should be filtered. You can scan the Action column to determine how the threats have been
handled by the firewall. You could, for example, use this information to help you determine the
Security Profile configuration required to control threats found in legitimate traffic.
66. Click the + icon in the filter area to re-open the Add Log Filter window.
67. In the Add Log Filter window, select the following:
Parameter Value
Connector and
Operator equal
Value chicago\escrooge
This configuration filters the log to display threats coming from only this user.
69. With the filter string in the log filter text box, click the right arrow icon to apply the
filter to the Threat log.
70. Has the Threat log been filtered to display only threats coming from the specified user?
You may need to add the Source User column to the Threat Log display if it is not already
present.
Connector and
Operator equal
Value Acquisition
This configuration filters the log to display only application traffic that is sourced from the
Acquisition zone. You could use this information, for example, to help you determine how to
configure your Security Policy rules. You could easily modify the filter to display application
traffic sourced from any zone and use that information to help you improve your Security Policy
configuration.
77. With the filter string in the log filter text box, click the right arrow icon to apply the
filter to the Traffic log
78. Has the Traffic log been filtered to display only traffic sourced from the Acquisition
zone?
It should be. You could use this information to help you determine the Security Policy rules
required to control legitimate traffic sourced from devices in the Acquisition zone.
81. In the Add Log Filter window, also add the following selections:
Parameter Value
Connector and
Attribute Application
Operator equal
Value web-browsing
82. Click Add and then click Apply to add the filter to the Traffic log filter text box.
The Add Log Filter window should close.
It should be filtered.
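The filter builder steps above (severity greater than or equal to high, source user chicago\escrooge, source zone Acquisition, application web-browsing) all produce strings in the firewall's log filter syntax, which you can also type directly into the filter field. The following Python is an added example written for this guide, not firewall code: it is a small evaluator for that syntax run over constructed Threat log records. The field names (severity, user.src, zone.src, app) and operators (eq, neq, geq, leq) follow the filter syntax the labs use; the severity ordering and the rule that and binds tighter than or are assumptions made for this example.

```python
import re
from typing import Dict, List

# Severity order used for geq/leq comparisons (assumed ordering for this example).
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# One parenthesised clause: ( field operator value ), value optionally quoted.
CLAUSE_RE = re.compile(r"\(\s*([\w.]+)\s+(eq|neq|geq|leq)\s+('[^']*'|[^\s)]+)\s*\)")
TOKEN_RE = re.compile(r"\(\s*[\w.]+\s+\w+\s+(?:'[^']*'|[^\s)]+)\s*\)|\band\b|\bor\b")


def parse_filter(expr: str) -> List[List[tuple]]:
    """Turn "( a eq x ) and ( b geq y ) or ( c eq z )" into OR-groups of AND-clauses.

    'and' binds tighter than 'or' here (an assumption; the lab only chains
    clauses with 'and'). A clause is (field, operator, value).
    """
    groups, current = [], []
    for tok in TOKEN_RE.findall(expr):
        if tok == "and":
            continue
        if tok == "or":
            groups.append(current)
            current = []
            continue
        field, op, value = CLAUSE_RE.match(tok).groups()
        current.append((field, op, value.strip("'")))
    groups.append(current)
    if not all(groups):
        raise ValueError(f"could not parse filter: {expr!r}")
    return groups


def clause_matches(record: Dict[str, str], field: str, op: str, value: str) -> bool:
    """Evaluate one clause; severity supports ordered comparison, others equality."""
    actual = record.get(field, "")
    if field == "severity" and op in ("geq", "leq"):
        a, v = SEVERITY_RANK[actual], SEVERITY_RANK[value]
        return a >= v if op == "geq" else a <= v
    if op == "eq":
        return actual == value
    if op == "neq":
        return actual != value
    raise ValueError(f"operator {op} not supported for field {field}")


def apply_filter(expr: str, records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the log records that satisfy the filter expression."""
    groups = parse_filter(expr)
    return [r for r in records
            if any(all(clause_matches(r, *c) for c in g) for g in groups)]


# Constructed Threat log records carrying the fields the lab filters on.
THREAT_LOG = [
    {"severity": "critical", "user.src": r"chicago\escrooge", "zone.src": "Users_Net",
     "app": "web-browsing", "threat": "vulnerability", "action": "reset-both"},
    {"severity": "high", "user.src": r"chicago\mmouse", "zone.src": "Acquisition",
     "app": "web-browsing", "threat": "spyware", "action": "alert"},
    {"severity": "medium", "user.src": r"chicago\escrooge", "zone.src": "Users_Net",
     "app": "dns", "threat": "spyware", "action": "sinkhole"},
    {"severity": "low", "user.src": "", "zone.src": "Acquisition",
     "app": "ssl", "threat": "scan", "action": "allow"},
]

if __name__ == "__main__":
    for f in (r"( severity geq high )",
              r"( severity geq high ) and ( user.src eq 'chicago\escrooge' )",
              r"( zone.src eq Acquisition ) and ( app eq web-browsing )",
              r"( app eq dns ) or ( threat eq scan )"):
        print(f, "->", len(apply_filter(f, THREAT_LOG)), "records")
```

Scanning the action column of the filtered result is the same triage the lab describes: it tells you whether the high and critical threats were reset, alerted on or sinkholed, and therefore which Security Profile settings still need attention.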
Note that several columns have been hidden or rearranged in the example shown here.
85. Click the X icon to clear the filter from the log filter text box.
Note that the image you see will differ from the example shown here.
89. At the top of the window, click Top 10 and select Top 25 from the menu:
This configuration enables you to see the top 25 threats within the selected time range.
90. At the top of the window, click Threat and choose Source User:
The information you see may differ from the example here.
Note that days that are grayed out do not have any data available.
101. Click URL Filtering Reports to expand the list of available URL Filtering reports:
Selected Columns In top-down order, select Source Zone, Application, Bytes, and Action
The report will list each internal zone along with the applications seen coming from each zone.
Because only four zones are available in the lab environment, grouping of the data into a
maximum of five groups is enough to display all zones. Sorting the applications list in each zone
by the top 100 sessions should display all applications associated with a source zone.
105. In the bottom right corner of the Custom Report window, click the Filter Builder link:
Connector and
Value Internet
107. In the Add Log Filter window, click Add and then Apply.
A filter should be added to the custom report. The Internet zone is outside of your network, and
this filter ensures that the custom report does not include applications that are coming from
outside your network.
109. Click Apps Used by Internal Zones to open the custom report.
110. Click Run Now to run the custom report:
The report should run, and the results should be displayed in a tab that is added and opened in
the Custom Report window.
111. View the results of the custom report.
You can scroll down through the report to see information about the Extranet and the
Acquisition zones along with details about the applications that the firewall processed in each
one. Note that the entries you see in the report may differ from the example shown here.
Configure Networking
Complete the following objectives:
• Configure three firewall interfaces using the following values:
• Ethernet 1/1: 203.0.113.20/24 - Layer 3
• Ethernet 1/2: 192.168.1.1/24 - Layer 3
• Ethernet 1/3: 192.168.50.1/24 - Layer 3
• Create a virtual router called VR-1 for all configured firewall interfaces.
• Create a default route for the firewall called Default-Route
• Create an Interface Management Profile called Allow-ping that allows ping
• Assign the Allow-ping Interface Management Profile to ethernet1/2
Verify network connectivity from the firewall to other hosts.
• Your internal host can ping 192.168.1.1 and receive a response
• From the firewall CLI, the following commands are successful:
• ping source 203.0.113.20 host 203.0.113.1
• ping source 203.0.113.20 host 8.8.8.8
• ping source 192.168.1.1 host 192.168.1.20
• ping source 192.168.50.1 host 192.168.50.150
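Before committing the networking objectives above it helps to check that the values fit together: that each ping source is an address the firewall owns, that every ping target is reachable either on a connected subnet or through Default-Route, and that the interface the internal host pings carries a Management Profile that permits ping. The following Python is an added check written for this guide, not firewall code; the interface addresses and profile name are the lab's, while the default route next hop of 203.0.113.1 is an assumption (the objectives do not state it; it is the first address the verification pings).

```python
import ipaddress
from typing import Optional

# The three Layer 3 interfaces from the objectives (lab values) plus the
# Management Profile assignment. The default route's next hop is not stated in
# the objectives; 203.0.113.1 is assumed here.
INTERFACES = {
    "ethernet1/1": {"address": "203.0.113.20/24", "mgmt_profile": None},
    "ethernet1/2": {"address": "192.168.1.1/24", "mgmt_profile": "Allow-ping"},
    "ethernet1/3": {"address": "192.168.50.1/24", "mgmt_profile": None},
}
MGMT_PROFILES = {"Allow-ping": {"ping"}}
DEFAULT_ROUTE = {"name": "Default-Route", "destination": "0.0.0.0/0",
                 "next_hop": "203.0.113.1"}


def egress_interface(dst: str) -> Optional[str]:
    """Directly connected interface for dst, or None if only the default route applies."""
    ip = ipaddress.ip_address(dst)
    for name, cfg in INTERFACES.items():
        if ip in ipaddress.ip_interface(cfg["address"]).network:
            return name
    return None


def route_lookup(dst: str) -> str:
    """Describe how VR-1 forwards to dst using connected routes and Default-Route."""
    via = egress_interface(dst)
    if via:
        return f"connected via {via}"
    hop_if = egress_interface(DEFAULT_ROUTE["next_hop"])
    if hop_if is None:
        raise ValueError("default route next hop is not on any connected subnet")
    return f"{DEFAULT_ROUTE['name']} via {DEFAULT_ROUTE['next_hop']} on {hop_if}"


def ping_source_valid(source: str) -> bool:
    """'ping source X host Y' only works if X is an address the firewall owns."""
    return any(ipaddress.ip_interface(c["address"]).ip == ipaddress.ip_address(source)
               for c in INTERFACES.values())


def firewall_answers_ping(dst: str) -> bool:
    """A host pinging a dataplane interface address gets a reply only if that
    interface has an Interface Management Profile that permits ping."""
    for cfg in INTERFACES.values():
        if ipaddress.ip_interface(cfg["address"]).ip == ipaddress.ip_address(dst):
            profile = cfg["mgmt_profile"]
            return profile is not None and "ping" in MGMT_PROFILES[profile]
    return False


if __name__ == "__main__":
    for src, host in (("203.0.113.20", "203.0.113.1"), ("203.0.113.20", "8.8.8.8"),
                      ("192.168.1.1", "192.168.1.20"), ("192.168.50.1", "192.168.50.150")):
        print(f"ping source {src} host {host}: source ok={ping_source_valid(src)}, "
              f"{route_lookup(host)}")
    print("internal host can ping 192.168.1.1:", firewall_answers_ping("192.168.1.1"))
    print("host on 192.168.50.0/24 can ping 192.168.50.1:", firewall_answers_ping("192.168.50.1"))
```

The last line is the point most often missed in this lab: the firewall forwards traffic through ethernet1/3 without a Management Profile, but it will not answer pings sent to 192.168.50.1 itself until one that allows ping is assigned.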
• A Corporate File Blocking Security Profile called Corp-FB to block dangerous file
types
You can use the existing strict Profile as the basis for your own
• A Corporate WildFire Profile called Corp-WF to send all file types to the public cloud
for inspection
You can use the existing default Profile as the basis for your own
Firewall Interfaces
Network > Interfaces > Ethernet
Virtual Router
Network > Virtual Routers