Firewall Installation, Configuration, and

Management:
Essentials I
Lab Manual
PAN-OS 7.0
PAN-EDU-101CS rev 3
For CloudShare

Palo Alto Networks, Inc.

www.paloaltonetworks.com
2007-2015 Palo Alto Networks. All rights reserved.
Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are
the property of their respective owners.

Lab Manual

PANOS 7.0 Rev A.CS

Page 2

Table of Contents
How to Use This Lab Guide .................................................................................................. 6
Lab Guide Objectives ........................................................................................................... 6
Obtain Lab Access ............................................................................................................. 10
Access the Lab................................................................................................................... 11
Scenario Initial Configuration ......................................................................................... 12
Scenario .........................................................................................................................................................................12
RequiredInformation......................................................................................................................................................12

Solution Initial Configuration.......................................................................................... 13

Access the Windows Desktop.........................................................................................................................................13
Log In to the Firewall ......................................................................................................................................................13
Add an Administrator Role .............................................................................................................................................13
Manage Administrator Accounts ....................................................................................................................................13

Scenario Interface Configuration .................................................................................... 15

Scenario .........................................................................................................................................................................15
Required Information ....................................................................................................................................................16

Solution Interface Configuration..................................................................................... 17

Create New Security Zones .............................................................................................................................................17
Create Interface Management Profiles ...........................................................................................................................17
Configure Ethernet Interfaces with Layer 3 Information ................................................................................................17
Configure DHCP ..............................................................................................................................................................18
Create a Virtual Router ...................................................................................................................................................18

Lab Manual

PANOS 7.0 Rev A.CS

Page 3

Test the Network Configuration......................................................................................................................................19

Scenario Security and NAT Policies ................................................................................. 20

Solution Security and NAT Policies ................................................................................. 21
Create a Source NAT Policy .............................................................................................................................................21

Scenario AppID ................................................................................................................ 23

Required Information ....................................................................................................................................................24
Lab Notes .......................................................................................................................................................................24

Solution AppID............................................................................................................... 25
Verify Internet Connectivity and Application Blocking ................................................................................................... 26

Scenario ContentID ......................................................................................................... 27

Scenario .........................................................................................................................................................................27
Required Information ....................................................................................................................................................28
Lab Notes .......................................................................................................................................................................28

Solution ContentID......................................................................................................... 29
Configure a Custom URL Filtering Category ....................................................................................................................29
Configure a URL Filtering Profile .....................................................................................................................................29
Configure an Antivirus Profile .........................................................................................................................................29
Configure an AntiSpyware Profile ..................................................................................................................................30
Assign Profiles to a Policy ...............................................................................................................................................30
Test the Antivirus Profile ................................................................................................................................................30
Modify the Antivirus Profile ...........................................................................................................................................31
Test the New Antivirus Profile.........................................................................................................................................31
Test the URL Filtering Profile ..........................................................................................................................................32
Configure a Security Profile Group .................................................................................................................................32
Assign the Security Profile Group to a Policy .................................................................................................................32
Lab Scenario: File Blocking ............................................................................................................................................33

Solution File Blocking ...................................................................................................... 34

Create a File Blocking Profile ..........................................................................................................................................34

Lab Manual

PANOS 7.0 Rev A.CS

Page 4

Add a File Blocking Profile to the Security Profile Group................................................................................................ 34

Test the File Blocking Profile ..........................................................................................................................................34

Scenario Decryption ......................................................................................................... 35

Scenario .........................................................................................................................................................................35
Required Information .....................................................................................................................................................36
Lab Notes .......................................................................................................................................................................36

Solution Decryption ........................................................................................................ 37

Verify Firewall Behavior Without Decryption .................................................................................................................37
Create an SSL SelfSigned Certificate...............................................................................................................................37
Create SSL Decryption Policies ........................................................................................................................................37
Modify the Allow All Out Security Policy ........................................................................................................................38
Test the SSL Decryption Policies......................................................................................................................................38
Test the SSL NoDecryption Policy ..................................................................................................................................39
Import the CA Certificate into Windows Trusted Certificates .........................................................................................40
Exclude a Site from Decryption ......................................................................................................................................41

Scenario Management and Reporting ............................................................................ 43

Solution Management and Reporting ............................................................................. 44
Explore the Dashboard, ACC, and Session Browser .......................................................................................................44
Explore the Logs .............................................................................................................................................................44
Create a Custom Report .................................................................................................................................................44

Lab Manual

PANOS 7.0 Rev A.CS

Page 5

How to Use This Lab Guide

The Lab Guide contains lab exercises that correspond to modules in the lecture. Each lab exercise consists of
two parts: a scenario and a solution.
The scenario describes the lab exercise in terms of objectives and customer requirements. We want you to
solve the problem on your own. Therefore weve provided you with minimal instructions. If appropriate,
the scenario includes a diagram and a table of required information needed to complete the exercise.
The solution is designed to help you if you prefer stepbystep, taskbased labs. Alternatively, you can start
with the scenario and use the solution to check your work or to provide help if you have a problem.
Note: Unless specified, the Google Chrome web browser and the PuTTY SSH client will be used to perform
any tasks outlined in the following labs.

Lab Guide Objectives

This lab guide is designed specifically for a single student attending the selfpaced version of the Essentials
I course. The instructorled version of the course includes additional exercises that can be completed only
in a classroom environment with other students and additional equipment.
Once these labs are completed, you should be able to:
1. Configure the basic components of the firewall, including interfaces, security zones, and security
policies
2. Configure basic Layer 3 settings, such as IP addressing and NAT policies
3. Configure basic ContentID functionality, including antivirus protection and URL filtering
4. Configure SSL decryption

Lab Manual

PANOS 7.0 Rev A.CS

Page 6

Obtain Lab Access

1. Open a web browser and log in to paloaltonetworks.com/learningcenter
2. Enter essentials 1 labs in the search field in the top right corner of the web page. The
Essentials 1 Labs class appears as a popup underneath the search box.

3. Select the Essentials 1 Labs popup. The Essentials 1 Labs Training Details page appears, with a list of
available sessions with dates.

4. Find the session you would like to register for.

5. Select Request to the right of the desired session. A popup saying Request appears. Click on that too.
Your Transcript appears, and the Essentials 1 Labs class is listed.
6. The session should now be attached to the trainees transcript with a status of Registered.

Lab Manual

PANOS 7.0 Rev A.CS

Page 10

7. You should receive an email confirming the lab registration.

Access the Lab

1. You should receive an email 30 minutes prior to the start of the session.

2. Then you should receive an email from CloudShare inviting you to start the lab session. This invitation
is good for 3 days.

3. Click on the link to CloudShare in the email to access the lab environment. The environment will be
available for 24 hours after your initial access. A CloudShare admin can extend the access time up to 3
days.

Lab Manual

PANOS 7.0 Rev A.CS

Page 11

Scenario Initial Configuration

In this lab you will:
Connect to the firewall through the MGT interface
Create new administrator roles and accounts on the firewall

Scenario
You have been tasked with integrating a new firewall into your environment. The firewall has the default
192.168.1.1 MGT IP address and admin administrator account.
In preparation for the new deployment, create a role for an assistant administrator that allows access to
all firewall functionality through the WebUI except Monitor, Network, Privacy, and Device. The account
should have no access to the XML API or the CLI. Create an account using this role. Also change the
password of the admin account to disable the warnings about using default credentials.

Required Information
New Administrator Role name
New Administrator Account name
New Administrator Account password
New password for the admin account

Lab Manual

Policy Admins
ip-admin
paloalto
paloalto

PANOS 7.0 Rev A.CS

Page 12

Solution Initial Configuration

Access the Windows Desktop
1.
2.
3.
4.
5.
6.
7.

Select the View VM button for the Windows Desktop VM. A Windows Desktop screen appears.
If necessary, press the Ctrl+Alt+Del button.
Select the Student1 account.
Enter the password 9Lp2AjsE.
Open a command prompt on the Windows Desktop.
Enter ipconfig. Notice that the address of the Windows Desktop VM is 192.168.1.100/24.
Verify that you can ping the Firewall MGT port IP address 192.168.1.1 from the Windows Desktop.

Log In to the Firewall

8. Open a browser.
9. Connect to the firewall at https://192.168.1.1. A warning message will appear because the
firewall is using an untrusted selfsigned certificate.
10. Dismiss the warning and continue to the login web page.
11. Log in with the PAN firewall username admin and the password admin. A warning about the
default admin credentials appears.
12. Click OK to dismiss the warning. The PAN firewall GUI loads.

Add an Administrator Role

13. Click Device > Admin Roles.
14. Click Add in the lower left of the panel and create a new admin role:
Name
Web UI tab

Enter Policy Admins.

Click the following major categories to disable them:
Monitor
Network
Device
Privacy
The remaining major categories should remain enabled.

15. Click OK to continue.

Manage Administrator Accounts

16. Click Device > Administrators.
17. Click admin in the list of users. Change the password from admin to paloalto. Click OK
to close the configuration window.
18. Click Add in the lower left corner of the panel. Configure a new administrator account:
Name
Password/Confirm Password
Role
Profile
Lab Manual

Enter ip-admin
Enter paloalto
Select Role Based
Select Policy Admins
PANOS 7.0 Rev A.CS

Page 13

19. Click OK.

20. Click the Commit link at the topright of the WebUI. Click OK and wait until the commit process
completes, then click Close.
21. Open a different browser and log in to the WebUI as ipadmin. For example, if you originally
connected to the WebUI using Chrome, open this connection in Internet Explorer.
22. Explore the available functionality. Compare the displays for the admin and ipadmin accounts
to see the limitations of the newly created account.
23. When you are done exploring, log out of the ipadmin account connection.

Lab Manual

PANOS 7.0 Rev A.CS

Page 14

Scenario Interface Configuration

In this lab you will:

Create Interface Management profiles

Configure Ethernet interfaces with Layer 3 information
Configure DHCP
Create a virtual router

Scenario

The POC went well and the decision was made to use the Palo Alto Networks firewall in the network.
You are to create two zones, UntrustL3 and TrustL3. The externalfacing interface in UntrustL3 will be
assigned an IP address of 172.16.1.1/24. The internalfacing interface inTrustL3 will be given the IP
address 192.168.2.1/24. Internal clients will connect to the firewall on the interface in TrustL3, so DHCP
addresses will be provided on this interface. The DHCP server you configure in the TrustL3 zone will use
DNS settings of 10.30.11.60. Both the internal and external interfaces on the firewall must route traffic
through the externalfacing interface by default. The interface in UntrustL3 must be configured to
respond to pings and the interface in TrustL3 must be able to provide management services.

Lab Manual

PANOS 7.0 Rev A.CS

Page 15

Required Information
Interface Management profile names
External-facing IP address
External-facing interface
Internal-facing interface
Internal-facing IP address
DHCP server: gateway
DHCP server: primary DNS
DHCP server: IP address range
Virtual router name

Lab Manual

allow all
allow_ping
172.16.1.1/24
Ethernet1/1
Ethernet1/2
192.168.2.1/24
192.168.2.1
10.30.11.60
192.168.2.50-192.168.2.60
Student-VR

PANOS 7.0 Rev A.CS

Page 16

Solution Interface Configuration

Create New Security Zones
1. Go to the WebUI and click Network > Zones.
2. Click Add and create the UntrustL3 zone:
Name
Enter Untrust-L3
Type
Verify that Layer 3 is selected
3. Click OK to close the Zone Creation window.
4. Click Add and create the TrustL3 zone:
Name
Enter Trust-L3
Type
Select Layer 3
5. Click OK to close the zone creation window.

Create Interface Management Profiles

6. Click Network > Network Profiles > Interface Mgmt.
7. Click Add and create an interface management profile:
Name
Enter allow_mgt
Permitted Services
Check Ping, SSH, HTTPS, SNMP, and Response Pages
Permitted IP Addresses
Do not add any addresses
8. Click OK to close the Interface Management Profile Creation window.
9. Click Add and create another interface management profile:
Name
Enter allow_ping
Permitted Services
Select only the Ping check box
Permitted IP Addresses
Do not add any addresses
10. Click OK to close the Interface Management Profile Creation window.
11. Click the Commit link at the topright of the WebUI. Click OK again and wait until the commit
process completes before continuing.

Configure Ethernet Interfaces with Layer 3 Information

12. Click Network > Interfaces > Ethernet.
13. Click the interface name ethernet1/1. Configure the interface:
Interface Type
Select Layer 3
Config tab
Keep default (none)
Virtual Router
Security Zone
Select UntrustL3
IPv4 tab
IP
Click Add and then enter 172.16.1.1/24
Lab Manual

PANOS 7.0 Rev A.CS

Page 17

Advanced > Other Info tab

Management Profile
Select allow_ping
14. Click OK to close the Interface Configuration window.
15. Click the interface name ethernet1/2. Configure the interface:
Interface Type
Select Layer 3
Config tab
Keep default (none)
Virtual Router
Security Zone
Select TrustL3
IPv4 tab
Keep default (Static)
Type
IP
Click Add and then enter 192.168.2.1/24
Advanced > Other Info tab
Management Profile
Select allow_all
16. Click OK to close the Interface Configuration window.
17. Click the interface name ethernet1/2. Configure the interface:
Interface Type
Select Layer 3
Config tab
Keep default (none)
Virtual Router
Security Zone
Select TrustL3
IPv4 tab
Keep default (Static)
Type
IP
Click Add and then enter 192.168.2.1/24
Advanced > Other Info tab
Management Profile
Select allow_mgt
18. Click OK to close the Interface cConfiguration window.

Configure DHCP
19. Click Network > DHCP > DHCP Server.
20. Click Add to define a new DHCP Server:
Interface Name
Select ethernet1/2
Lease tab
IP Pools
Click Add and then enter 192.168.2.50-192.168.2.60
Options tab
Gateway
Enter 192.168.2.1
Ippool Subnet
255.255.255.0
Primary DNS
4.2.2.2
21. Click OK to close the DHCP Server Configuration window.

Create a Virtual Router

22. Click Network > Virtual Routers.
23. Click Add to define a new virtual router:
Lab Manual

PANOS 7.0 Rev A.CS

Page 18

General tab
Name
Interfaces

Enter Student-VR
Click Add and then select ethernet1/1
Click Add again and then select ethernet1/2

Static Route tab

Click Add and then enter the following information:

Default

Name
Destination
Interface

0.0.0.0/0

Next Hop

IP Address
172.16.1.254

ethernet1/1

24. Click OK to close the Virtual Router Configuration window.

25. Click the Commit link at the topright of the WebUI. Click Commit again. Because you have
changed the IP address of the MGT port, you will lose connectivity to the WebUI.

Test the Network Configuration

26. Open a command prompt.
27. Enter ipconfig to verify that your Windows Desktop has received a DHCP address from
the firewall. The displayed IP address should be in the range 192.168.2.50192.168.2.60.
You should also be able to ping 192.168.2.1.

Lab Manual

PANOS 7.0 Rev A.CS

Page 19

Scenario Security and NAT Policies

In this lab you will:
Create a source NAT policy
Create a security policy to allow connectivity from the TrustL3 to the UntrustL3 zone

At this point, the firewall is configured but is unable to pass traffic between zones. NAT and security policies
must be defined before traffic will flow between zones. In this lab, you will create a source NAT policy using
the UntrustL3 IP address as the source address for all outgoing traffic. Then you will create a security policy
to allow traffic from the TrustL3 Zone to the UntrustL3 Zone, so that your workstation can access the
outside world.

Lab Manual

PANOS 7.0 Rev A.CS

Page 20

Solution Security and NAT Policies

Create a Source NAT Policy
1. Click Policies > NAT.
2. Click Add to define a new source NAT policy:
General tab
Name
Original Packet tab
Source Zone
Destination Zone
Destination Interface
Translated Packet > Source
Address Translation tab
Translation Type
Address Type
Interface

Enter Student Source NAT

Click Add and select TrustL3
Select UntrustL3
Select ethernet1/1

Select Dynamic IP and Port

Select Interface Address
Select ethernet1/1

3. Click OK to close the NAT Policy Configuration window.

Create the Allow All Out Policy

1. Go to the WebUI and click Policies > Security.
2. Delete the existing rule1 security policy.
3. Click Add to define a security policy:
General tab
Name
Enter Allow All Out
Source tab
Source Zone
Click Add and select TrustL3
Source Address
Select Any
Destination tab
Click Add and select UntrustL3
Destination Zone
Destination Address
Select Any
Application tab
Select Any
Applications
Service/URL Category tab
Select applicationdefault from the dropdown list
Service
Actions tab
Select Allow
Action Setting
Log Setting
Select Log at Session End
4. Click OK to close the Security Policy Configuration window.
5. Click the Commit link at the topright of the WebUI. Click OK again and wait until the commit
process completes before continuing.
Lab Manual

PANOS 7.0 Rev A.CS

Page 21

Test the Configuration

6. Test Internet connectivity by browsing websites from your laptop. You should be able to browse
the Web on HTTP and HTTPS sites.
7. Go to Monitor > Logs > Traffic to see a record of your Internet browsing. Especially notice the
Application column.

Lab Manual

PANOS 7.0 Rev A.CS

Page 22

Scenario AppID
In this lab you will:

Create an Application Group

Create a security policy to allow basic internet connectivity and log dropped traffic
Enable Application Block pages

Now that you have confirmed that your workstation has connectivity to the Internet, you will delete the
Allow All Out Security Rule and replace it with a more restrictive Security Rule. By default, the PAN
Firewall will block any traffic between different Security Zones. You will create a Security Policy to
selectively enable specific applications to pass from the TrustL3 to the UntrustL3 Zone. All other
applications will be blocked.
Create a Rule named General Internet which allows users in the TrustL3 zone to use a set of commonly
used applications to access the internet. The applications should only be permitted on an applications
default port. All other traffic (inbound and outbound) between Zones will be blocked and logged so that
you can identify what other applications are being used.
Next, you will configure the firewall to notify users when applications are blocked by a Rule.

Lab Manual

PANOS 7.0 Rev A.CS

Page 23

Required Information
General Internet

Security policy name

Members of the Known-Good application

group

dns
flash
ftp
paloalto-updates
ping
web-browsing
ssl

Lab Notes
Test your connectivity by connecting to the site http//www.depositfiles.com (login paneduc,
password paloalto). Because you have not specified depositfiles as an allowed application, the firewall
should block the application, even if you attempt to use a proxy.

Lab Manual

PANOS 7.0 Rev A.CS

Page 24

Solution AppID
Create an Application Group
1. Click Objects > Application Groups.
2. Click Add to define the KnownGood application group:
Name
Applications

Enter Known-Good
Click Add and select each of the following:
dns
flash
ftp
paloaltoupdates
ping
ssl
webbrowsing

3. Click OK to close the Application Group Configuration window.

Create the General Internet Policy

4. Go to the WebUI and click Policies > Security.
5. Select the Allow All Out Policy and click Disable.
6. Click Add to define a security policy:
General tab
Name
Source tab
Source Zone
Source Address
Destination tab
Destination Zone
Destination Address
Application tab
Applications

Enter General Internet

Click Add and select TrustL3
Select Any
Click Add and select UntrustL3
Select Any
Click Add and select the KnownGood application group

Service/URL Category tab

Select applicationdefault from the dropdown list
Service
Actions tab
Select Allow
Action Setting
Log Setting
Select Log at Session End
7. Click OK to close the Security Policy Configuration window.

Enable Interzone Logging

8. Open the InterzoneDefault policy.
Lab Manual

PANOS 7.0 Rev A.CS

Page 25

9. Click the Actions tab. Note that both Log at Session Start and Log at Session End are unchecked.
10. Click Cancel.
11. Select the interzonedefault policy row, without opening the policy, and click Override. The Security
Policy Rule predefined window opens.
12. Click the Actions tab.
13. Check Log at Session End.
14. Click OK.

Enable the Application Block Page

15. Click Device > Response Pages.
16. Find the Application Block Page line and click Disabled.
17. Check the Enable Application Block Page box, and then click OK.
18. Click the Commit link at the topright of the WebUI. Click Commit again and wait until the commit
process completes before continuing.

Verify Internet Connectivity and Application Blocking

19. Test internet connectivity by browsing websites from your desktop. You should be able to browse
common sites on the Internet such as Google and Yahoo.
20. Use a browser to connect to the site http//www.depositfiles.com. An Application
Blocked page appears, indicating that the depositfiles application has been blocked.

21. Go to Monitor > Logs > Traffic to review the traffic logs. Find the entries where the depositfiles
application has been blocked. You may want to put ( app eq depositfiles ) in the filter
text box. The site has been blocked because the depositfiles application is not listed in the allowed
applications in the General Internet Policy.

Return to the Allow All Out Security Policies

22. Go to the WebUI and click Policies > Security.
23. Click the General Internet rule and click Disable.
24. Select the Allow All Out Policy and click Enable.
25. Click the Commit link at the topright of the WebUI. Click Commit again and wait until the commit
process completes before continuing.

Lab Manual

PANOS 7.0 Rev A.CS

Page 26

Scenario ContentID
In this lab you will:

Configure Security Profiles

Create a Security Profile Group
Associate Security Profiles and Security Profile Groups to a security policy

Scenario

Now that traffic is passing through the firewall, you decide to further protect the environment with
Security Profiles. The specific security requirements for general internet traffic are:

Log all URLs accessed by users in the TrustL3 zone. In particular, you need to track access to a set
of specific technology websites.

Block the following URL categories:

o adult and pornography
o government
o hacking
o questionable
Set the unknown category to continue.

Log, but do not block, all viruses detected and maintain packet captures of these events for
analysis.
Log spyware of severity levels medium, critical, and high detected in the traffic. Ignore all other
spyware.

Lab Manual

PANOS 7.0 Rev A.CS

Page 27

After all of these profiles are configured, send test traffic to verify that the protection behaves as
expected.
After the initial testing is complete, you are asked to change the antivirus protection to resetboth for
viruses. Make the changes and verify the difference in behavior.
Once the individual profiles are created and tested, combine the profiles into a single group for ease of
management. Attach the group to the appropriate security policies.

Required Information
Custom Technology sites to track

Location of files for testing antivirus

www.newegg.org
www.cnet.com
www.zdnet.com
1.
2.
3.
4.

Browse to http://www.eicar.org.
Click Anti-Malware Testfile.
Click Download.
Download any of the files using HTTP only.
Do not use the SSL links.

Lab Notes
Only test the antivirus profile using HTTP, not HTTPS. HTTPS connections will prevent the firewall from
seeing the packet contents so the viruses contained will not be detected by the profile. Decryption will
be covered in a later module.

Lab Manual

PANOS 7.0 Rev A.CS

Page 28

Solution ContentID
Configure a Custom URL Filtering Category
1. Go to the WebUI and click Objects > Custom Objects > URL Category.
2. Click Add to create a custom URL category:
Name
Sites

Enter TechSites.
Click Add and add each of the following URLs:
www.newegg.org
www.cnet.com
www.zdnet.com
3. Click OK to close the Custom URL Category profile window.

Configure a URL Filtering Profile

4. Click Objects > Security Profiles > URL Filtering.
5. Click Add to define a URL filtering profile:
Name
Category/Action

Enter student-url-filtering.
Click the right side of the Action header to access the dropdown list.
Click Set All Actions > Alert.

Search the Category field for the following categories and set the Action
to block for each of them:
adult (or adult and pornography)
government
hacking
questionable
TechSites
Set the unknown category to continue.
6. Click OK to close the URL Filtering profile window.

Configure an Antivirus Profile

7. Click Objects > Security Profiles > Antivirus.
8. Click Add to create an antivirus profile:
Lab Manual

PANOS 7.0 Rev A.CS

Page 29

Name
Antivirus tab
Packet Capture
Decoders

Enter student-antivirus
Check the Packet Capture box
Set the Action column to Alert for all decoders

9. Click OK to close the Antivirus Profile window.

Configure an AntiSpyware Profile

10. Click Objects > Security Profiles > AntiSpyware.
11. Click Add to create an antispyware profile:
Name
Rules tab

Enter student-antispyware
Click Add and create a rule with the parameters:
Rule Name: Enter rule-1
Action: Select Allow
Severity: Check the boxes for Medium, Low, and
Informational only
Click OK to save the rule.
Click Add and create another rule with the parameters:
Rule Name: Enter rule-2
Action: Select Alert
Severity: Check the boxes for Critical and High only
Click OK to save the rule.

12. Click OK to close the AntiSpyware Profile window.

Assign Profiles to a Policy

13. Click Policies > Security.
14. Click Allow All Out in the list of policy names. Edit the policy to include the newly created
profiles:
Actions tab
Profile Type
Select Profiles
Antivirus
Select studentantivirus
AntiSpyware
Select studentantispyware
URL Filtering
Select studenturlfiltering
15. Click OK to close the Policy window.
16. Click the Commit link at the topright of the WebUI. Click Commit again and wait until the
commit process completes before continuing.

Test the Antivirus Profile

17. Open a browser to http://www.eicar.org.
18. Click AntiMalware Testfile.
19. Click the Download link to access the virus test files.
Lab Manual

PANOS 7.0 Rev A.CS

Page 30

20. Download any of the Eicar test files listed under the banner Download area using the standard
protocol http:
a. Do not use the SSLencrypted downloads. The firewall will not be able to detect the viruses in
an HTTPS connection unless decryption is configured.
b. The browser or the OS may detect the virus and delete the file.
21. Click Monitor > Logs > Threat to display the threat log. Find the log messages that detect the Eicar
files. Scroll to the Action column to verify the alerts for each file download.
22. Click the green down arrow at on the left side of the line for the Eicar file detection to display the
packet capture (PCAP). Here is an example of what a PCAP might look like:

Captured packets can be exported in PCAP format and examined with a protocol analyzer offline
for further investigation.

Modify the Antivirus Profile

23. In the W GUI, go to Objects > Security Profile > Antivirus.
24. Open the studentantivirus profile.
25. Under the Action column, select the resetboth action for ftp, http, and smb.
26. Click OK to close the antivirus profile.
27. Click the Commit link at the topright of the WebUI. Click Commit again and wait until the
commit process completes before continuing.

Test the New Antivirus Profile

28. Open a new browser window to www.eicar.org.
29. Click AntiMalware Testfile.
30. Click the Download link to access the virus test files.
31. Download any of the Eicar test files listed under the banner Download area using the
standard protocol http again. This time, because the antivirus profile is set to block, the
download fails and a response page appears.
32. Return to the Monitor > Logs > Threat in the WebUI and find the log entries that state that
the Eicar virus was detected and blocked.
33. After 15 minutes, the threats you just generated will appear on the ACC tab under the
Threats section.
Lab Manual

PANOS 7.0 Rev A.CS

Page 31

Test the URL Filtering Profile

34. Open a browser and browse to various websites.
35. In the WebUI, click Monitor > Logs > URL Filtering. Verify that the URL filtering profile records
each website that you visit.
36. Now test the Block Condition that you created by visiting a site that is part of the hacking,
government, or TechSites categories using HTTP. Attempt to browse to a government site such
as http://www.whitehouse.gov, hacking sites such as http://www.2600.org, or to
the sites that you listed in the TechSites Application Group. The profile will block this action and
you will see a Block page similar to the following:

Configure a Security Profile Group

37. Return to the WebUI and click Objects > Security Profile Groups.
38. Click Add to define a Security Profile Group:
Name
Enter student-profile-group
Antivirus Profile
Select studentantivirus
AntiSpyware Profile
Select studentantispyware
URL Filtering Profile
Select studenturlfiltering
39. Click OK to close the Security Profile Group window.

Assign the Security Profile Group to a Policy

40. Select Policies > Security.
41. Click General Internet in the list of policy names.
42. Edit the policy to replace the profiles with the profile group:
Actions tab
Profile Type

Select Group

Group Profile

Select studentprofilegroup

43. Click OK to close the Policy window.

44. Click the Commit link at the topright of the WebUI. Click Commit again, wait until the commit
process is complete, then continue.
Lab Manual

PANOS 7.0 Rev A.CS

Page 32

Lab Scenario: File Blocking

In this lab, you will:

Configure Security Profiles for file blocking.

Add the Security Profile to the Security Profile Groups associated with the security policy rule.

Now that traffic is passing through the firewall, you decide to further protect the environment with some
more Security Profiles. The additional security requirements for general Internet traffic are:

Configure downloaded PDF files to be automatically blocked

Test file blocking by trying to download a PDF file.

Lab Manual

PANOS 7.0 Rev A.CS

Page 33

Solution File Blocking

Create a File Blocking Profile
1. Click Objects > Security Profiles > File Blocking.
2. Click Add to create a file blocking profile:
Name
Rules list

Enter student-file-block.
Click Add and create a rule with the parameters:
Rule Name: Enter blockPDF
File Types: Add pdf
Action: Select block
3. Click OK to close the File Blocking Profile window.

Add a File Blocking Profile to the Security Profile Group

1.
2.
3.
4.

Return to the WebUI and click Objects > Security Profile Groups.
Open studentprofilesgroup.
Choose studentfileblocking as the file blocking profile.
Click OK.

Test the File Blocking Profile

5. Open a new browser window to the site http://www.panedufiles.com/. The site
opens.
6. Click the Panorama_AdminGuide70.pdf link. A File Download Blocked page appears.

7. Select Monitor > Logs > Data Filtering and find the entry for the PDF file that has been
blocked.

Lab Manual

PANOS 7.0 Rev A.CS

Page 34

Scenario Decryption
In this lab you will:

Create a selfsigned SSL certificate

Configure the firewall as a forwardproxy using decryption rules

Scenario
Your security team is concerned about the results of the testing performed as part of the Security Profile
configurations. The team observed that the antivirus profile only identified virus that were not SSL encrypted.
The concern is that files transferred from encrypted sources (e.g., https://www.facebook.com) could escape
detection and cause issues.
You want to evaluate using a forwardproxy configuration on the Palo Alto Networks firewall. Only traffic
from TrustL3 to UntrustL3 needs to be decrypted. Because you are not deploying a production network,
you decide to use selfsigned SSL certificates generated on the firewall for this implementation.
Once an application is decrypted and identified by the PAN firewall, it may be denied if you have set the
security policy to allow only applications that arrive on their standard default ports. For example, if FTP
traffic encrypted by SSL is decrypted and recognized by the firewall, the firewall will see it as FTP traffic
arriving on Port 443. Because this is not the standard FTP port, the traffic may be denied. Therefore, in
this exercise, when you are using decryption, you will set your security rules to allow any port instead of
using applicationdefault.
The legal department has advised you that certain traffic should not be decrypted for liability reasons.
Specifically, you may not decrypt traffic from healthrelated, shopping, or financial websites.
Test the decryption two ways:

Attempt to download test files from www.eicar.org using HTTPS and verify that they are detected by
the firewall

Lab Manual

PANOS 7.0 Rev A.CS

Page 35

Connect to various websites using HTTPS and use the logs to verify that the correct URL categories
are being decrypted

You will receive certificate errors when browsing after decryption is enabled. This behavior is expected
because the selfsigned certificates have not been added to the Trusted certificates of the client browser.
Resolve this issue by adding the firewall certificate to the clients as a Trusted Root Certificate.
After your initial testing of the forwardproxy, the penetration testing team calls you to request an
exception to the decryption rules. The team asks that www.eicar.org be excluded from decryption so that
the team will still be able to download the files that it needs to perform its evaluations. Change the
implementation to allow this exception.

Required Information
Self-Signed Certificate name
Common Name of the SSL Certificate
Decryption Policies

CA-ssl-cert
192.168.2.1
no-decrypt-traffic
decrypt-all-traffic

Lab Notes

Sequence order matters with policies: make sure that the decrypt and nodecrypt rules are evaluated in
the correct order.
To find URLs to test the nodecrypt rule, go to https://urlfiltering.paloaltonetworks.com/testASite.aspx
and enter various URLs that you think will fall into the categories that you are testing.

Lab Manual

PANOS 7.0 Rev A.CS

Page 36

Solution Decryption
Verify Firewall Behavior Without Decryption
For this lab, we will use the Internet Explorer browser. Chrome has its own virus detection system,
and Firefox has its own certificate repository.
1. From the desktop, open an Internet Explorer browser and browse to www.eicar.org/85-0Download.html.

2. Scroll to the bottom of the page and use HTTP to download one of the test files. The file will be
blocked and a warning page appears.
3. Click the Back button and use HTTPS to download one of the files. The file will download (but may be
deleted by the browser or the OS).
4. Go to the WebUI and click Monitor > Logs > Threat to display the log. Notice that SSL decryption hid
the contents of the firewall and so the second test file was not detected as a threat.

Create an SSL SelfSigned Certificate

5. Click Device > Certificate Management > Certificates.
6. Click Generate at the bottom of the screen to create a new selfsigned certificate:
Certificate Name
Common Name
Certificate Authority

Enter CA-ssl-cert
Enter 192.168.2.1
Check the box

7. Click Generate to create the certificate. Click OK to close the certificate generation success window.
8. Click CAsslcert in the list of certificates to edit the certificate properties.
9. Check the boxes for Forward Trust Certificate and Forward Untrust Certificate.
10. Click OK to confirm the changes.

Create SSL Decryption Policies

11. Click Policies > Decryption.
12. Click Add to create an SSL decryption rule for the exception categories:
General tab
Name
Enter no-decrypt
Source tab
Source Zone
Click Add and then select TrustL3
Destination tab
Click Add and then select UntrustL3
Destination Zone
URL Category tab
URL Category
Click Add and add each of the following URL categories:
healthandmedicine
shopping
financialservices
Lab Manual

PANOS 7.0 Rev A.CS

Page 37

Options tab
Action

Select nodecrypt

13. Click OK to close the configuration window.

14. Click Add to create the SSL decryption rule for general decryption:
General tab
Name
Enter decrypt-all-traffic
Source tab
Source Zone
Click Add and then select TrustL3
Destination tab
Click Add and then select UntrustL3
Destination Zone
URL Category tab
Verify that the Any box is checked
URL Category
Options tab
Select Decrypt
Action
Type
Select SSL Forward Proxy
15. Click OK to close the configuration window.
16. Confirm that your decryption policy list looks like this:

Modify the Allow All Out Security Policy

17. In the WebUI, open Policies > Security.
18. Open the Allow All Out Policy.
19. Select the Service/URL Category tab.
20. Change the option in the dropdown list from applicationdefault to any. Click OK to close.
21. Click the Commit link at the topright of the WebUI. Click Commit again and wait until the commit
process completes before continuing.

Test the SSL Decryption Policies

22. Open a new browser window to www.eicar.org.
23. Click AntiMalware Testfile.
24. Click the Download link to access the virus test files.
25. Download any of the Eicar test zip files listed under the banner Download area using the secure,
SSL enabled protocol https. A certificate error occurs. This behavior is expected because the
firewall is intercepting the SSL connection and performing maninthemiddle decryption.
26. Click through the certificate error. The download fails and a block page appears.
Lab Manual

PANOS 7.0 Rev A.CS

Page 38

27. In the WebUI, examine the Threat logs under Monitor > Logs > Threat. The virus should have been
detected, because the SSL connection was decrypted.
28. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify
that the Decrypted box has a check mark.

Test the SSL NoDecryption Policy

29. In the WebUI, click Monitor > Logs > Traffic.
30. Set the traffic log to display only port 443 traffic by entering ( port.dst eq 443 ) in the
filter field.
31. Select 10 Seconds from the pulldown list so that the display will refresh automatically.

32. In a separate browser window, browse to the following URLs using HTTPS:
financialservices: www.bankofamerica.com
healthandmedicine: www.deltadental.com
shopping: www.macys.com
33. Now use https:// to browse to sites such as bing.com or yahoo.com, which are not excluded. Notice
that you are prompted to correct a certificate error.
34. Return to the traffic log at Monitor > Traffic > Logs.
35. If the URL Category column is not displayed, click the dropdown arrow next to one of the
columns and select URL Category.
36. Find an entry for one of the excluded categories by looking at the value in the URL Category
column.
37. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify
that the Decrypted box in the Misc panel is unchecked.
38. Find an entry for one of the nonexcluded categories by looking at the value in the URL Category
column.
39. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify
that the Decrypted box in the Misc panel is checked.

Lab Manual

PANOS 7.0 Rev A.CS

Page 39

Import the CA Certificate into Windows Trusted Certificates

40. Click Device > Certificate Management > Certificates.
41. Select the line containing CAsslcert without opening the certificate.
42. Click Export. The Export Certification window opens.
43. Leave the file format at PEM, and leave the Export private key checkbox unchecked.
44. Click OK and download the crt file to the Desktop. (If your browser saves the file as a .txt file, change
the extension to .crt.)
45. Doubleclick the certificate. A Security Warning appears.
46. Click Open. The certificate opens.
47. Click Install Certificate The Certificate Import Wizard opens.
48. Click Next.
49. Select Place all certificates in the following store.
50. Click Browse. The Select Certificate Store window opens.
Lab Manual

PANOS 7.0 Rev A.CS

Page 40

51. Choose Trusted Root Certificate Authorities and click OK. The window closes.
52. Click Next. The Completing the Certificate Import window appears.
53. Click Finish. A Security Warning appears.
54. Click Yes. A box indicates that the import was successful. Click OK.
55. Close the certificate by clicking OK.
56. Doubleclick the certificate to open it. A Security Warning appears.
57. Click Open. The certificate opens.
58. In the certificate, click the Certification Path tab. Notice that the Certificate Status says This
certificate is OK.
59. Close the certificate by clicking OK.
60. Use a new window in Chrome or Internet Explorer (not Firefox, which uses its own Certificate Store)
to browse HTTPS sites. Notice that you no longer receive the Certificate errors.

Exclude a Site from Decryption

61. From your desktop, use PuTTY to open an SSH session to 192.168.2.1.
62. Log in with username admin and password paloalto.
63. Issue the following commands:
>
#
#
#

configure
set shared ssl-decrypt ssl-exclude-cert *.eicar.org
show shared ssl-decrypt
commit

Lab Manual

PANOS 7.0 Rev A.CS

Page 41

64. Open a new Internet Explorer window to http://www.eicar.org/85-0-Download.html.

65. Scroll to the bottom of the page and download a virus file encrypted by HTTPS. You should see that
now the file downloads without being blocked (though the browser may detect the virus and delete
the file) because files from eicar are now excluded from encryption.
66. In the PuTTy window, enter exit to exit configuration mode.
67. Enter show system setting ssl-decrypt exclude-cache. The exclude cache is displayed.
You should see an address in the 188.40.238.0/24 range, which is the IP address for eicar.org.

Lab Manual

PANOS 7.0 Rev A.CS

Page 42

Scenario Management and Reporting

In this lab you will:

Tour the PAN Firewall dashboard

Tour the logs

Generate reports

Your manager wants to see daily reports that detail the threats encountered by the firewall. Configure a
custom report to show a threat summary for all traffic allowed in the past 24 hours. It should include the
threat name, the application (including technology and subcategory for reference), and the number of
times that threat was encountered. Export the file as a PDF.

Lab Manual

PANOS 7.0 Rev A.CS

Page 43

Solution Management and Reporting

Explore the Dashboard, ACC, and Session Browser
1. In the WebUI, go to the Dashboard.
2. Review the contents of the available widgets. What information is available?
3. Go the ACC tab.
4. Change the Time period to the Last 24 hours.
5. Explore the information available on the Network Activity tab.
6. Explore the information available on the Threat Activity tab.
7. Explore the information available on the Blocked Activity tab.
8. Click App Scope > Summary.
9. Explore the other branches underneath the App Scope tree. What information is available?
10. Click the Session Browser to see any current sessions.

Explore the Logs

11. In the Monitor tab, under Logs, click each type of log and examine the log activity.
12. Experiment with the filters to limit the log entries shown in the log files.

Create a Custom Report

13. Click Monitor > Manage Custom Reports.
14. Click Add to define a new custom threat report:
Name
Database
Time Frame
Sort by
Group by
Selected Columns

Query Builder

Enter Top Threats by Day

Select Summary Databases Threat
Select Last 24 Hrs
Select Count and Top 10
Select None and 10 Groups
Populate the Selected Columns field with the following values,
in this order:
Threat/Content Name
Application
App Technology
App Sub Category
Count
Build a query using the following parameters:

Connector: Select and

Attribute: Select Rule
Operator: Select equal
Value: Enter Allow All Out
Click Add

15. Click OK to save the custom report definition.

16. Click the name of your custom report to reopen the Custom Report window. Click Run Now
Lab Manual

PANOS 7.0 Rev A.CS

Page 44

to generate the report. The report will appear in a new tab in the window.
17. Click OK to close the Custom Report window.

Lab Manual

PANOS 7.0 Rev A.CS

Page 45