Open JiangsuDC opened 5 years ago
6. Lab: URL Filtering
Lab Objectives
§ Create a custom URL category and use it as a Security policy rule match criterion and as part of a URL Filtering Profile.
§ Configure and use an External Dynamic List as a URL block list.
§ Create a URL Filtering Profile and observe the difference between using url-categories in a Security policy versus a profile.
§ Review firewall log entries to identify all actions and changes.
6.1 Create a Security Policy Rule with a Custom URL Category
Use a custom URL Category object to create your custom list of URLs and use it in a URL Filtering Profile or as match criteria in Security policy rules. In a custom URL Category, you can add URL entries individually, or import a text file that contains a list of URLs.
Objects > Custom Objects > URL Category
In the same browser window, check whether https://www.engadget.com is also blocked. Note that this is an SSL connection. Because the firewall is not decrypting traffic, the connection is reset without a URL block page. If the firewall intercepted this connection and displayed the URL block page, the browser would assume a man-in-the-middle attack might be in progress.
Hover over the egress-outside-url Security policy rule, click the down-arrow, and select Log Viewer to open the Traffic log:
6.4 Configure an External Dynamic List
An External Dynamic List is an object that references an external list of IP addresses, URLs, or domain names that can be used in policy rules. By default, the firewall uses its management port to retrieve the list items.
Objects > External Dynamic Lists
6.7 Create a Security Policy Rule with URL Filtering Profile
Objects > Security Profiles > URL Filtering
Search for url-block-list and tech-sites. Notice that your custom URL categories are also listed and they are set to a Site Access of “allow.” Leave them set to “allow.”
Open a different browser (not a new tab) in private/incognito mode and browse to www.newegg.com. The URL www.newegg.com belongs to the shopping URL category. Based on the Security policy rule named egress-outside-url, the URL is now allowed even though you chose to block the shopping category because your custom URL category has newegg.com listed and is set to “allow,” and your custom category is evaluated before the Palo Alto Networks URL categories.
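To make the evaluation order described above concrete, here is an added Python model (not the lab's notes or PAN-OS code) of how a URL Filtering Profile decides Site Access: custom categories are checked before the PAN-DB category, and a url-category placed in a Security policy rule is only match criteria. The category data, the entry-matching rule (a bare domain entry also matching its subdomains) and the profile actions are constructed assumptions of this model, not a PAN-DB lookup or the firewall's real wildcard syntax.

```python
"""Model of how the lab's URL Filtering Profile decides Site Access.
Added example, not the lab's or PAN-OS's code: category data, matching rule
and profile actions below are constructed assumptions."""

from typing import Dict, List, Optional

# Constructed custom URL category objects (category name -> entries).
# Assumption for this model: a bare domain entry also matches its subdomains.
CUSTOM_CATEGORIES: Dict[str, List[str]] = {
    "tech-sites": ["newegg.com", "www.engadget.com"],
    "url-block-list": ["blocked-example.test"],
}

# Constructed stand-in for the PAN-DB category lookup (host -> category).
PANDB_CATEGORIES: Dict[str, str] = {
    "www.newegg.com": "shopping",
    "www.engadget.com": "computer-and-internet-info",
    "shop.example.test": "shopping",
}

# Site Access per category in the profile: custom categories stay "allow"
# as the lab instructs, the shopping PAN-DB category is set to "block".
PROFILE_SITE_ACCESS: Dict[str, str] = {
    "tech-sites": "allow",
    "url-block-list": "block",
    "shopping": "block",
}


def hostname_of(url: str) -> str:
    """Return the lowercased host part of a URL (scheme and path stripped)."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def custom_category_for(url: str) -> Optional[str]:
    """First custom category with an entry matching the URL's host, else None."""
    host = hostname_of(url)
    for name, entries in CUSTOM_CATEGORIES.items():
        for entry in entries:
            entry = entry.lower()
            if host == entry or host.endswith("." + entry):
                return name
    return None


def category_of(url: str) -> str:
    """Custom categories are evaluated before the PAN-DB category."""
    return custom_category_for(url) or PANDB_CATEGORIES.get(hostname_of(url), "unknown")


def site_access(url: str) -> str:
    """Site Access from the URL Filtering Profile; categories the profile
    does not list default to allow. This only applies after the Security
    policy rule carrying the profile has already matched the session."""
    return PROFILE_SITE_ACCESS.get(category_of(url), "allow")


def rule_matches_url_category(url: str, rule_categories: List[str]) -> bool:
    """A url-category in a Security policy rule is match criteria instead:
    if the URL's category is not listed, the rule does not match at all and
    evaluation moves on to the next rule."""
    return "any" in rule_categories or category_of(url) in rule_categories
```

With these constructed tables, www.newegg.com resolves to the custom tech-sites category and is allowed even though shopping is blocked, which is the behaviour the lab observes; the same URL would fail to match a Security policy rule whose url-category list names only shopping.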
7. Lab: Decryption
Lab Objectives
§ Observe firewall behavior without decryption.
§ Create Forward Trust and Untrust certificates.
§ Create a custom decryption category.
§ Create a Decryption policy.
§ Observe firewall behavior after decryption is enabled.
§ Review logs.
7.1 Test Firewall Behavior Without Decryption
For this lab, you will use the Internet Explorer browser: Chrome has its own virus detection system and Firefox has its own certificate repository. Browse to http://www.eicar.org (note: http can download but https cannot). The firewall will not be able to detect the viruses in an HTTPS connection until decryption is configured.
7.2 Create Two Self-Signed Certificates
Certificates need to be generated so that the firewall can decrypt traffic.
Device > Certificate Management > Certificates
7.3 Create Custom Decryption URL Category
Create a custom URL Category to ensure that only the intended traffic is decrypted.
Objects > Custom Objects > URL Category
7.4 Create Decryption Policy
Policies > Decryption
7.5 Test AV Security Profile with the Decryption Policy
7.6 Export the Firewall Certificate
Device > Certificate Management > Certificates
7.7 Import the Firewall Certificate
PC install --> Cannot understand. Need more details.
7.10 Test URL Filtering with Decryption
Objects > Security Profiles > URL Filtering --> Need more details
8. Lab: WildFire
Lab Objectives
§ Configure and test WildFire Analysis Security Profile.
8.1 Create a WildFire Analysis Profile
Objects > Security Profiles > WildFire Analysis
8.2 Modify Security Profile Group
Objects > Security Profile Groups
8.3 Test the WildFire Analysis Profile
http://wildfire.paloaltonetworks.com/publicapi/test/pe
This site generates an attack file with a unique signature, which simulates a zero-day attack.
debug wildfire upload-log show
This output verifies that the file was uploaded to the WildFire public cloud. The message might take a minute or two to appear.
Monitor > Logs > WildFire Submissions
https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin.html
admin@PA-500# set deviceconfig system ip-address 10.2.232.3 netmask 255.255.255.0 default-gateway 10.2.232.1 dns-setting servers primary 10.1.200.3 secondary 10.1.200.5
1. Lab: Initial Configuration
Lab Objectives
§ Load a configuration.
§ Create an administrator role.
§ Create a new administrator and apply an administrator role.
§ Observe the newly created role permissions via the CLI and WebUI.
§ Create and test a commit lock.
§ Configure DNS servers for the firewall.
§ Schedule dynamic updates.
Name | admin
Password | admin
1.1 Load named configuration snapshot
1.2 Add an Admin Role Profile
Select Device > Admin Roles.
1.3 Add an Administrator Account
Select Device > Administrators.
1.5 Take a Commit Lock and Test the Lock
The web interface supports multiple concurrent administrator sessions by enabling an administrator to lock the candidate or running configuration so that other administrators cannot change the configuration until the lock is removed.
1.6 Verify the Update and DNS Servers
The DNS server configuration settings are used for all DNS queries that the firewall initiates in support of FQDN address objects, logging, and firewall management.
1.7 Schedule Dynamic Updates
Device > Dynamic Updates
2. Lab: Interface Configuration
Lab Objectives
§ Create Security zones two different ways and observe the time saved.
§ Create Interface Management Profiles to allow ping and response pages.
§ Configure Ethernet interfaces to observe DHCP client options and static configuration.
§ Create a virtual router and attach configured Ethernet interfaces.
§ Test connectivity with automatic default route configuration and static configuration.
2.1 Create New Security Zones
Security zones are a logical way to group physical and virtual interfaces on the firewall in order to control and log the traffic that traverses your network through the firewall. An interface on the firewall must be assigned to a Security zone before the interface can process traffic. A zone can have multiple interfaces of the same type (for example, Tap, Layer 2, or Layer 3 interfaces) assigned to it, but an interface can belong to only one zone.
Network > Zones
2.2 Create Interface Management Profiles
An Interface Management Profile protects the firewall from unauthorized access by defining the services and IP addresses that a firewall interface permits. You can assign an Interface Management Profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (Aggregate, VLAN, Loopback, and Tunnel interfaces).
Network > Network Profiles > Interface Mgmt
2.3 Configure Ethernet Interfaces
Network > Interfaces > Ethernet
2.4 Create a Virtual Wire
A virtual wire interface binds two Ethernet ports together. A virtual wire interface allows all traffic or just selected VLAN traffic to pass between the ports. No other switching or routing services are available.
Network > Virtual Wires
2.5 Create a Virtual Router
The firewall requires a virtual router to obtain routes to other subnets, either using static routes that you manually define, or through participation in Layer 3 routing protocols that provide dynamic routes. Click the default virtual router and rename it lab-vr.
2.6 Test Connectivity
ping source 203.0.113.21 host 8.8.8.8
2.7 Modify Outside Interface Configuration
3. Lab: Security and NAT Policies
Lab Objectives
§ Create tags for later use with Security policy rules.
§ Create a basic source NAT rule to allow outbound access and an associated Security policy rule to allow the traffic.
§ Create a destination NAT rule for the FTP server and an associated Security policy rule to allow the traffic.
3.1 Create Tags
Tags allow you to group objects using keywords or phrases. Tags can be applied to Address objects, Address Groups (static and dynamic), zones, services, Service Groups, and policy rules. You can use a tag to sort or filter objects, and to visually distinguish objects because they can have color. When a color is applied to a tag, the Policies tab displays the object with a background color.
Objects > Tags
3.2 Create a Source NAT Policy
Policies > NAT
Click the Translated Packet tab and configure the following:
You will not be able to access the internet yet because you still need to configure a Security policy to allow traffic to flow between zones.
3.3 Create Security Policy Rules
Policies > Security
3.4 Verify Internet Connectivity
Monitor > Logs > Traffic
3.5 Create FTP Service
Objects > Services
3.6 Create a Destination NAT Policy
Policies > NAT
4. Lab: App-ID
Lab Objectives
§ Create an application-aware Security policy rule.
§ Enable interzone logging.
§ Enable the application block page for blocked applications.
§ Test application blocking with different applications.
§ Understand what the signature web-browsing really matches.
§ Migrate an older port-based rule to application-aware.
§ Review logs associated with the traffic and browse the Application Command Center (ACC).
4.1 Create App-ID Security Policy Rule
4.2 Enable Interzone Logging
With the interzone-default policy rule selected but not opened, click.
The Security Policy Rule – predefined window opens.
4.3 Enable the Application Block Page
Device > Response Pages
4.4 Test Application Blocking
1. Open a new browser window in private/incognito mode. You should be able to browse to www.facebook.com and www.msn.com.
2. Use private/incognito mode in a browser to connect to http://www.shutterfly.com. An Application Blocked page opens, indicating that the shutterfly application has been blocked:
Why could you browse to Facebook and MSN but not to Shutterfly? MSN currently does not have an Application signature. Therefore, it falls under the Application signature web-browsing. However, an Application signature exists for Shutterfly, and it is not currently allowed in any of the firewall Security policy rules.
4.5 Review Logs
Monitor > Logs > Traffic
Type ( app eq shutterfly ) in the filter text box.
4.6 Test Application Blocking
1. Try to work around the firewall’s denial of access to Shutterfly by using a web proxy. In private/incognito mode in a browser, browse to avoidr.com.
2. Enter www.shutterfly.com in the text box near the bottom and click Go. An application block page opens showing that the phproxy application was blocked:
4.7 Review Logs
Monitor > Logs > Traffic
Type ( app eq phproxy ) in the filter text box. The Traffic log entries indicate that the phproxy application has been blocked.
Based on the information from your log, Shutterfly and phproxy are denied by the interzone-default Security policy rule.
4.10 Migrate Port-Based Rule to Application-Aware Rule
Click to open the internal-dmz-ftp Security policy rule. Click the Application tab and add ftp. Click the Service/URL Category tab. Delete service-ftp and select application-default.
4.11 Observe the Application Command Center
The Application Command Center (ACC) is an analytical tool that provides actionable intelligence on activity within your network. The ACC uses the firewall logs as the source for graphically depicting traffic trends on your network. The graphical representation enables you to interact with the data and visualize the relationships between events on the network, including network use patterns, traffic patterns, and suspicious activity and anomalies.
Note that the upper-right corner of the ACC displays the total risk level for all traffic that has passed through the firewall thus far:
On the Network Activity tab, the Application Usage pane shows application traffic generated so far (because log aggregation is required, 15 minutes might pass before the ACC displays all applications).
You can click any application listed in the Application Usage pane; google-base is used in this example:
Notice that the WebUI generated the appropriate log filter and jumped to the applicable log information for the google-base application:
5. Lab: Content-ID
Lab Objectives
§ Configure and test an Antivirus Security Profile.
§ Configure and test an Anti-Spyware Security Profile.
§ Configure and test the DNS sinkhole feature with an External Dynamic List.
§ Configure and test a Vulnerability Security Profile.
§ Configure and test a File Blocking Security Profile.
§ Use the Virtual Wire mode and configure the danger zone.
§ Generate threats and observe the actions taken.
5.1 Create Security Policy Rule with an Antivirus Profile
Use an Antivirus Profile object to configure options to have the firewall scan for viruses on traffic matching a Security policy rule.
Objects > Security Profiles > Antivirus
http://www.eicar.org --> DOWNLOAD ANTIMALWARE TESTFILE --> Download
Within the Download area at the bottom of the page, click either the eicar.com or the eicar.com.txt file to download the file using standard HTTP and not SSL-enabled HTTPS.
The firewall will not be able to detect the viruses in an HTTPS connection until decryption is configured.
5.3 Review Logs
Monitor > Logs > Threat
Display the packet capture (pcap)
5.4 Create Security Policy Rule with an Anti-Spyware Profile
Objects > Security Profiles > Anti-Spyware
5.5 Create DMZ Security Policy
Because the management interface uses the inside interface as the gateway, you need to allow this traffic via a Security policy rule.
Applications: web-browsing, ssl, ssh, ftp
5.6 Configure DNS-Sinkhole External Dynamic List
An External Dynamic List is an object that references an external list of IP addresses, URLs, or domain names that can be used in policy rules. You must create this list as a text file and save it to a web server that the firewall can access. By default, the firewall uses its management port to retrieve the list items.
Objects > External Dynamic Lists
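Both EDL steps (6.4 and 5.6 above) depend on a plain text file that the firewall retrieves from a web server. The following added Python example, which is not part of the lab notes or PAN-OS, builds and validates such a domain list before it is published: it drops blank and comment lines, rejects entries that are not hostnames (a URL with a scheme and path does not belong in a domain list), and removes duplicates. The sample file content is constructed; reddit.com is the domain the lab later uses to test the sinkhole. The format conventions (one entry per line, `#` comment lines) are this example's own simplification of what the firewall accepts.

```python
"""Build and validate a domain External Dynamic List (EDL) text file.
Added example, not part of the lab or PAN-OS. Format conventions here
(one entry per line, blank lines and '#' comment lines ignored) are the
example's own simplification of what the firewall accepts."""

import re
from typing import List, Tuple

# Hostname check: dotted labels of letters, digits and hyphens, no label
# starting or ending with a hyphen, each label at most 63 characters.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")

# Constructed sample list, as it would be saved on the web server the
# firewall retrieves it from. reddit.com is the lab's sinkhole test domain.
SAMPLE_EDL = """\
# sinkhole-domains.txt - constructed sample
reddit.com
bad-example.test

not a domain!
http://also-wrong.test/path
reddit.com
"""


def parse_domain_edl(text: str) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Return (valid unique domains in file order, [(line_no, bad_line), ...]).

    Rejected lines are reported rather than silently dropped so that the
    list owner can fix the file before the firewall fetches it."""
    valid: List[str] = []
    seen = set()
    rejected: List[Tuple[int, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        entry = entry.lower().rstrip(".")   # normalise case and trailing dot
        if not _DOMAIN_RE.match(entry):
            rejected.append((line_no, raw))
            continue
        if entry not in seen:   # a duplicate would count twice against list capacity
            seen.add(entry)
            valid.append(entry)
    return valid, rejected


def render_domain_edl(domains: List[str]) -> str:
    """Serialize a cleaned list back to the one-entry-per-line text format."""
    return "\n".join(domains) + "\n"


if __name__ == "__main__":
    good, bad = parse_domain_edl(SAMPLE_EDL)
    for line_no, line in bad:
        print(f"line {line_no}: rejected {line!r}")
    print(render_domain_edl(good), end="")
```

Run the validator as part of whatever job publishes the file to the web server, and refuse to publish when the rejected list is non-empty; a malformed entry is easier to find here than in the firewall's EDL status page after the fetch.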
5.7 Anti-Spyware Profile with DNS Sinkhole
The DNS sinkhole action provides administrators with a method of identifying infected hosts on the network using DNS traffic, even when the firewall is north of a local DNS server (i.e., the firewall cannot see the originator of the DNS query).
Objects > Security Profiles > Anti-Spyware
Verify that the Sinkhole IPv4 is set to 71.19.152.112.
5.8 Test Security Policy Rule
Type the nslookup command and press the Enter key. Type the command server 8.8.8.8 and press the Enter key. At the nslookup command prompt, type reddit.com. and press the Enter key. Notice that the reply for reddit.com is 71.19.152.112. The request has been sinkholed.
Use DNS Queries to Identify Infected Hosts on the Network
The DNS Sinkhole action in an Anti-Spyware profile lets the firewall forge responses to DNS queries for known malicious or custom domains, so that you can identify hosts on the network that have been infected with malware. By default, DNS queries for any domain included in the Palo Alto Networks DNS signature list are sinkholed to a Palo Alto Networks server IP address.
The following topics provide details on how to enable DNS sinkholing for custom domains and how to identify infected hosts.
• DNS Sinkholing
• Configure DNS Sinkholing for a List of Custom Domains
• Configure the Sinkhole IP Address to a Local Server on Your Network
• Identify Infected Hosts
DNS Sinkholing
DNS sinkholing helps you identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the DNS query). In a typical deployment where the firewall is north of the local DNS server, the Threat log identifies the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malicious DNS queries solves this visibility problem by forging responses to client host queries directed at malicious domains, so that clients attempting to connect to a malicious domain (for command and control, for example) instead attempt to connect to the default Palo Alto Networks sinkhole IP address or to a user-defined IP address (as described in Configure DNS Sinkholing for a List of Custom Domains). Infected hosts can then be easily identified in the Traffic log, because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
To enable DNS sinkholing for Palo Alto Networks DNS signatures, attach the default Anti-Spyware profile to a Security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries for any domain included in the Palo Alto Networks DNS signature list will be resolved to the default Palo Alto Networks sinkhole IP address. The address is currently IPv4 71.19.152.112, and the IPv6 address is currently the loopback address ::1. These addresses are subject to change and can be updated with content updates.
5.9 Review Logs
Monitor > Logs > Threat
Identify the Suspicious Domain log entry. Notice that the action is sinkhole. Note that you will not see an entry for this activity in the Traffic log because the Windows system did not try to initiate a connection to 71.19.152.112:
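The visibility problem described above (the Threat log naming the DNS resolver, the Traffic log naming the real client) as an added Python example that is not part of the lab notes or of PAN-OS. The log lines are constructed in a simplified comma-separated layout rather than the firewall's export format; only the sinkhole address 71.19.152.112 comes from the lab. Unlike the lab run, where the Windows system never connected to the sinkhole, the constructed Traffic log contains hosts that did, which is the case the detection is for.

```python
"""Identify infected hosts from sinkhole traffic.
Added example, not part of the lab or PAN-OS. The log lines are
constructed in a simplified comma-separated layout, not the firewall's
actual export format."""

import csv
from collections import Counter
from io import StringIO
from typing import Dict, List

SINKHOLE_IP = "71.19.152.112"   # default sinkhole IPv4 named in the lab

# Constructed Threat log: the firewall sits north of the local resolver,
# so the source of the sinkholed query is the resolver, not the client.
THREAT_LOG = """\
receive_time,src,dst,threat,action
2020-01-01 10:00:01,192.168.1.20,8.8.8.8,Suspicious Domain reddit.com,sinkhole
"""

# Constructed Traffic log: clients that then tried to reach the sinkhole
# address reveal themselves by their own source address.
TRAFFIC_LOG = """\
receive_time,src,dst,dport,action,rule
2020-01-01 10:00:02,192.168.1.57,71.19.152.112,443,deny,interzone-default
2020-01-01 10:00:03,192.168.1.57,71.19.152.112,80,deny,interzone-default
2020-01-01 10:00:04,192.168.1.88,71.19.152.112,443,deny,interzone-default
2020-01-01 10:00:05,192.168.1.90,198.51.100.7,443,allow,egress-outside
"""


def _rows(text: str) -> List[Dict[str, str]]:
    """Parse the constructed CSV layout into one dict per log entry."""
    return list(csv.DictReader(StringIO(text)))


def sinkhole_resolver_sources(threat_log: str) -> List[str]:
    """Sources of Threat log entries whose action is sinkhole. With the
    firewall north of a local DNS server this is the resolver, which is
    why the Traffic log is needed to find the infected client."""
    return [r["src"] for r in _rows(threat_log) if r["action"] == "sinkhole"]


def infected_hosts(traffic_log: str, sinkhole_ip: str = SINKHOLE_IP) -> Dict[str, int]:
    """Connection attempts per source address toward the sinkhole IP.
    A host that appears here was following a sinkholed DNS answer, so it
    is most likely infected, whatever action the rule applied."""
    hits = Counter(r["src"] for r in _rows(traffic_log) if r["dst"] == sinkhole_ip)
    return dict(hits)


if __name__ == "__main__":
    print("resolvers seen in Threat log:", sinkhole_resolver_sources(THREAT_LOG))
    for host, count in sorted(infected_hosts(TRAFFIC_LOG).items()):
        print(f"{host}: {count} attempt(s) to reach the sinkhole")
```

The Traffic log filter the firewall would need for the same question is a match on the destination address 71.19.152.112; keeping the rule that matches sinkhole traffic set to log at session start makes those entries appear even when the connection is denied.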
5.10 Create Security Policy Rule with a Vulnerability Protection Profile
A Security policy rule can include specification of a Vulnerability Protection Profile that determines the level of protection against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities.
Objects > Security Profiles > Vulnerability Protection
5.11 Test Security Policy Rule
ftp-brute
This action launches an FTP brute force attack against the DMZ FTP server. The script is expected to take about 10 minutes to complete.
5.12 Review Logs
Monitor > Logs > Threat
Notice that you now have logs reflecting the FTP brute force attempt. However, the firewall is only set to alert. Notice the username and password that were attempted along with the 530 response from the FTP server.
5.13 Update Vulnerability Profile
Objects > Security Profiles > Vulnerability Protection
The new FTP brute force attempts are reset.
5.14 Group Security Profiles
The firewall supports the ability to create Security Profile Groups, which specify sets of Security Profiles that can be treated as a unit and then added to Security policy rules.
Objects > Security Profile Groups
5.15 Create a File Blocking Profile
A Security policy rule can include specification of a File Blocking Profile that blocks selected file types from being uploaded or downloaded, or generates an alert when the specified file types are detected.
Objects > Security Profiles > File Blocking
5.17 Test the File Blocking Profile
Monitor > Logs > Data Filtering
5.18 Multi-Level-Encoding
Multi-Level-Encoding can be used to block content that is not inspected by the firewall because the file is encoded five or more times.
Objects > Security Profiles > File Blocking
5.19 Modify Security Policy Rule
5.20 Test the File Blocking Profile with Multi-Level-Encoding
http://192.168.50.10/mle.zip
The URL links to a file that is compressed five times.
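What "compressed five times" means in practice, as an added Python example (not the lab's mle.zip and not the firewall's decoder): a payload wrapped in nested zip archives, and an inspector that unwraps layers only up to a fixed limit and reports the file as multi-level encoded when the limit is reached while the content is still an archive. The limit of four opened levels (so that five or more are not inspected) is taken from the lab text and is an assumption of this model; the payload is constructed.

```python
"""Nested-archive depth check illustrating multi-level encoding.
Added example, not the lab's mle.zip or the firewall's decoder. The
depth limit is an assumption taken from the lab text (five or more
encoding levels are not inspected)."""

import io
import zipfile
from typing import Tuple

MAX_DECODE_LEVELS = 4   # levels the inspector opens; a 5th is multi-level encoding


def nest_zip(payload: bytes, levels: int, inner_name: str = "payload.txt") -> bytes:
    """Wrap payload in `levels` nested zip archives and return the outer bytes."""
    data, name = payload, inner_name
    for level in range(1, levels + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"level{level}.zip"
    return data


def inspect(data: bytes, max_levels: int = MAX_DECODE_LEVELS) -> Tuple[str, int]:
    """Unwrap zip layers up to max_levels.

    Returns ("inspected", depth) when the innermost content was reached, or
    ("multi-level-encoding", depth) when the cap was hit while the content
    was still an archive, i.e. the real content was never seen. Stopping at
    a cap rather than decoding until the archive runs out is what keeps the
    inspector from being stalled by deeply nested files."""
    depth = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_levels:
            return "multi-level-encoding", depth
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])   # demo archives hold one member
        depth += 1
    return "inspected", depth


if __name__ == "__main__":
    sample = b"constructed harmless test content"   # constructed payload
    for levels in (1, 4, 5):
        print(levels, "level(s):", inspect(nest_zip(sample, levels)))
```

A file blocking rule that acts on the multi-level-encoding outcome is the defensive answer to the gap the lab demonstrates: content that the inspector could not reach is treated as blocked rather than as clean.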
5.23 Create Danger Security Policy Rule
Create a Security policy rule that references the danger Security zone for threat and traffic generation.
Policies > Security
5.24 Generate Threats
Monitor > Logs > Threat
Monitor > Logs > Data Filtering