Using Netlab with Lab 8 – Blocking Threats using APP-ID
PALO ALTO NETWORKS EDU 210
Lab 8: Blocking Threats using App-ID
Document Version: 2021-09-27
Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com
NETLAB+ is a registered trademark of Network Development Group, Inc.
Palo Alto Networks and the Palo Alto Networks logo are trademarks or registered trademarks of Palo Alto Networks, Inc.

Lab 8: Block Threats Using App-ID

Contents
Introduction ........................................................... 3
Objective .............................................................. 3
Lab Topology ........................................................... 4
Theoretical Lab Topology ............................................... 4
Lab Settings ........................................................... 5
8 Blocking Threats Using App-ID ........................................ 6
8.1 Apply a Baseline Configuration to the Firewall ..................... 6
8.2 Create an FTP Service Object and Port-Based Security Policy Rule .. 11
8.3 Generate Application Traffic ...................................... 20
8.4 Configure an Application Group .................................... 22
8.5 Configure a Security Policy to Allow Update Traffic ............... 23
8.6 Test the Allow-PANW-Apps Security Policy Rule ..................... 28
8.7 Examine the Tasks List to See the Shadowed Message ................ 29
8.8 Modify the Security Policy to Function Properly ................... 31
8.9 Test the Modified Security Policy Rule ............................ 34

9/27/2021 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 2

Introduction

The old firewalls in your network only allowed you to block or allow traffic using Layer 3 and Layer 4 characteristics. With the deployment of the new Palo Alto Networks firewall, your control over traffic now includes which applications are allowed or blocked into and out of your network.

Some skeptics on your security team still do not fully believe that the Palo Alto Networks firewall can recognize applications beyond their Layer 4 characteristics. To illustrate application awareness, you will create a Layer 4 object for FTP and use that in a security policy rule. In a later lab, you will convert this security policy rule to use the FTP application instead of the Layer 4 port-based object.

The list of applications that Palo Alto Networks maintains is long, but you already know some of the applications you must allow from and to your security zones. You will create an Application Group and include individual applications that the Palo Alto Networks devices use. You will then use this Application Group as part of a security policy rule. This process will give you practice in creating security policy rules that take advantage of applications instead of simply Layer 3 and Layer 4 traffic characteristics.

Objective

In this lab, you will perform the following tasks:
- Load a baseline configuration
- Create an FTP Service object and an FTP port-based security policy rule
- Test the port-based security policy
- Generate application traffic
- Configure an application group
- Configure a security policy to allow update traffic
- Test the Allow-PANW-Apps security policy rule
- Examine the tasks list to see the shadowed message
- Modify the security policy to function properly
- Test the modified security policy rule

Lab Topology

Theoretical Lab Topology
(Topology diagram: not reproduced in this text version.)

Lab Settings

The information in the table below will be needed to complete the lab. The task sections below provide details on the use of this information.

Virtual Machine   IP Address      Account (if needed)   Password (if needed)
Client            192.168.1.20    lab-user              Pal0Alt0!
DMZ               192.168.50.10   root                  Pal0Alt0!
Firewall          192.168.1.254   admin                 Pal0Alt0!
VRouter           192.168.1.10    root                  Pal0Alt0!

8 Blocking Threats Using App-ID

8.1 Apply a Baseline Configuration to the Firewall

In this section, you will load the Firewall configuration file.

1. Click on the Client tab to access the Client PC.
2. Double-click the Chromium Web Browser icon located on the desktop.
3. In the Chromium address field, type https://192.168.1.254 and press Enter.
4. You will see a "Your connection is not private" message. Click on the ADVANCED link.
   If you experience the "Unable to connect" or "502 Bad Gateway" message while attempting to connect to the specified IP above, please wait an additional 1-3 minutes for the Firewall to fully initialize. Refresh the page to continue.
5. Click on Proceed to 192.168.1.254 (unsafe).
6. Log in to the firewall web interface as username admin, password Pal0Alt0!.
7. In the Telemetry Data Collection pop-up, click Remind Me Later.
   Before you can enable Telemetry Data Collection, you would need to install a device certificate. For this lab, you will not be using Telemetry Data Collection.
8. In the web interface, navigate to Device > Setup > Operations and click on Load named configuration snapshot underneath the Configuration Management section.
9. In the Load Named Configuration window, select edu-210-lab-08.xml from the Name dropdown box and click OK.
10. In the Loading Configuration window, a message will show "Configuration is being loaded. Please check the Task Manager for its status. You should reload the page when the task is completed." Click Close to continue.
11. Click the Tasks icon located at the bottom-right of the web interface.
12. In the Task Manager – All Tasks window, verify the Load type has successfully completed. Click Close.
13. Click the Commit link located at the top-right of the web interface.
14. In the Commit window, click Commit to proceed with committing the changes.
15. When the Commit operation successfully completes, click Close to continue.
   The commit process takes changes made to the firewall and copies them to the running configuration, which will activate all configuration changes since the last commit.
16. Leave the Palo Alto Networks Firewall open and continue to the next task.

8.2 Create an FTP Service Object and Port-Based Security Policy Rule

In this section, you will start by creating an FTP Service object that defines the FTP port. Once you create the FTP Service object, you will create and test a port-based security policy rule that will enable you to simulate part of the process of migrating from a legacy, port-based security policy to a next-generation, application-based security policy. Lastly, you will generate FTP traffic from the client host to an FTP server in the Extranet zone. Then you will examine the Traffic log to view how the firewall processed the FTP traffic.

After you complete this section, you will move on to other tasks related to App-ID. At the end of this lab, you will return to the task of migrating the FTP port-based rule to an application-based rule.

1. Navigate to Objects > Services. Click Add at the bottom of the Services window.
2. In the Service window, configure the following. Click OK.
   Parameter          Value
   Name               service-ftp
   Protocol           TCP
   Destination Port   21
3. In the web interface, select Policies > Security. Click Add at the bottom of the Security policy window.
4. On the General tab, type migrated-ftp-port-based as the Name. For Description, enter Migrated from legacy firewall.
   You are creating a rule that simulates a port-based rule that was migrated from another vendor's firewall.
5. Click the Source tab and configure the following:
   Parameter        Value
   Source Zone      Users_Net
   Source Address   Any
6. Click the Destination tab and configure the following:
   Parameter             Value
   Destination Zone      Extranet
   Destination Address   Any
7. Click the Application tab and verify the following:
   Parameter      Value
   Applications   Any
8. Click the Service/URL Category tab and configure the following:
   Parameter   Value
   Service     service-ftp
9. Click the Actions tab and verify the following. Click OK.
   Parameter     Value
   Action        Allow
   Log Setting   Log at Session End
10. Verify the migrated-ftp-port-based security policy is visible.
11. Use your mouse pointer to drag-and-drop the migrated-ftp-port-based rule to just above the Users_to_Extranet rule.
12. Click the Commit button at the upper-right of the web interface.
13. In the Commit window, click Commit.
14. Wait until the Commit process is complete. Click Close.
15. Minimize the Chromium browser by clicking the minimize icon and continue to the next task.
16. On the client desktop, open Terminal Emulator.
17. Enter the command below to connect to the FTP server at 192.168.50.21.
   C:\home\lab-user\Desktop\Lab-Files> ftp 192.168.50.21
18. Log in with the username paloalto42 and Pal0Alt0! as the password.
19. Type bye at the FTP command prompt.
   ftp> bye
   This command should end the FTP session. An FTP session will be logged on the firewall even though no file was transferred.
20. Close the terminal window by typing exit.
   C:\home\lab-user\Desktop\Lab-Files> exit
21. If you minimized the firewall, reopen the firewall interface by clicking on the Chromium tab in the taskbar. Leave the firewall interface open and continue to the next task.
22. In the web interface, select Monitor > Logs > Traffic. Create and apply the following filter in the filter builder:
   ( addr.src in 192.168.1.20 ) and ( app eq ftp )
   Some columns have been hidden to provide all the information needed for this step. If you do not hide or move columns, you can use the scroll bar to view the entire traffic log for the FTP session.
23. Minimize the Chromium browser by clicking the minimize icon and continue to the next task.

8.3 Generate Application Traffic

In this section, you will run a short script that generates application traffic from your client workstation to hosts in the Internet and Extranet security zones.

1. On the client desktop, double-click the folder for Class-Scripts.
2. Open the EDU-210 folder.
3. Double-click the icon for App Generator.
4. Press Enter to start the App Generator script. Allow the script to complete. Once the App Generator script completes, press Enter.
   Allow the script 30 seconds to 1 minute to complete before proceeding to the next step.
5. If you minimized the firewall, reopen the firewall interface by clicking on the Chromium tab in the taskbar.
6. In the web interface, select Monitor > Logs > Traffic. Create and apply the following new filter in the filter builder:
   ( addr.src in 192.168.1.20 )
   Note the entries in the Application column.
   You may need to scroll the pages in the traffic window to see all the entries. You should see entries for ftp, dns, google-base, ssl, web-browsing, facebook-base and ping. Use the refresh button to update the entries if necessary.
7. Leave the Palo Alto Networks Firewall open and continue to the next task.

8.4 Configure an Application Group

In this section, you will configure an application group called paloalto-apps that includes some Palo Alto Networks applications. These applications are used to label and control access to the content update network and other Palo Alto Networks products and features. You will add the application group to a security policy rule later in this lab exercise.

1. Navigate to Objects > Application Groups. Click Add.
2. In the Application Group window, configure the following. Click OK.
   Parameter      Value
   Name           paloalto-apps
   Applications   paloalto-dns-security, paloalto-updates, paloalto-userid-agent, paloalto-wildfire-cloud, pan-db-cloud
3. Leave the firewall open and continue to the next task.
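The Traffic log filters used in 8.2 and 8.3 (for example ( addr.src in 192.168.1.20 ) and ( app eq ftp )) can be reproduced offline against exported log records, which is useful when you want to re-run a filter over logs you have already pulled off the firewall. The Python script below is an added example, not part of this NETLAB+ lab and not PAN-OS code: it models a subset of the filter-builder syntax (parentheses, and/or/not, eq, neq, and in for address membership, where a bare host means a /32 and a CIDR means a range) and runs it over a handful of constructed log records. The field-name mapping, the grammar details, the rule names in the sample records and the sample addresses are assumptions for the example; real exported logs carry many more columns.

```python
"""Evaluate PAN-OS-style Traffic log filter strings offline (added example, not PAN-OS code)."""
import ipaddress
import re

# Lab filter field names mapped to the keys of the constructed records below
# (assumption: our own record layout, not an exported PAN-OS log format).
FIELDS = {"addr.src": "src", "addr.dst": "dst", "app": "app", "rule": "rule"}
TOKEN_RE = re.compile(r"\(|\)|\S+")


class Parser:
    """Recursive descent: or-expr > and-expr > not-expr > ( expr ) | field op value."""

    def __init__(self, expr):
        self.toks, self.i = TOKEN_RE.findall(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        if self.peek() == "(":
            self.take()
            node = self.parse_or()
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.take()
            return node
        field, op, value = self.take(), self.take(), self.take()
        if field not in FIELDS or op not in ("eq", "neq", "in"):
            raise ValueError(f"unsupported term: {field} {op} {value}")
        return ("term", FIELDS[field], op, value)


def match_term(entry, key, op, value):
    actual = str(entry.get(key, ""))
    if op == "in":  # address membership: a bare host means /32, a CIDR means a range
        return bool(actual) and ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    return actual == value if op == "eq" else actual != value


def evaluate(node, entry):
    kind = node[0]
    if kind == "term":
        return match_term(entry, *node[1:])
    if kind == "not":
        return not evaluate(node[1], entry)
    left, right = evaluate(node[1], entry), evaluate(node[2], entry)
    return (left and right) if kind == "and" else (left or right)


def filter_log(expr, entries):
    """Return the records matching the filter string, in log order."""
    tree = Parser(expr).parse()
    return [e for e in entries if evaluate(tree, e)]


# Constructed sample records (not captured from the lab firewall); Internet
# destinations use RFC 5737 documentation addresses.
SAMPLE_LOG = [
    {"src": "192.168.1.20", "dst": "192.168.50.21", "app": "ftp", "rule": "migrated-ftp-port-based"},
    {"src": "192.168.1.20", "dst": "203.0.113.53", "app": "dns", "rule": "Users_to_Internet"},
    {"src": "192.168.1.20", "dst": "203.0.113.80", "app": "ssl", "rule": "Users_to_Internet"},
    {"src": "192.168.1.254", "dst": "198.51.100.10", "app": "paloalto-updates", "rule": "Users_to_Internet"},
    {"src": "192.168.50.10", "dst": "192.168.1.20", "app": "ssh", "rule": "DMZ_to_Users"},
]

if __name__ == "__main__":
    for expr in ("( addr.src in 192.168.1.20 ) and ( app eq ftp )",
                 "( app eq paloalto-updates )",
                 "( addr.src in 192.168.1.0/24 ) and not ( rule eq Users_to_Internet )"):
        print(expr, "->", [(h["app"], h["rule"]) for h in filter_log(expr, SAMPLE_LOG)])
```

Running the script prints, for each filter, the (application, rule) pairs that matched. The third filter shows why the CIDR form of in is worth having: it isolates the one session from the client subnet that was not handled by Users_to_Internet, which is the kind of question you ask when auditing which rule is actually carrying a given class of traffic.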
8.5 Configure a Security Policy to Allow Update Traffic

In this section, you will create a specific security policy rule to enable access to Palo Alto Networks content updates. This configuration is an example of the positive enforcement model, where you configure what the firewall should allow rather than only specifying what should be blocked.

1. In the web interface, navigate to Policies > Security. Click Add to configure a new security policy.
2. On the General tab, type Allow-PANW-Apps as the Name. For Description, enter Allows PANW apps for firewall.
3. Click the Source tab and configure the following.
   Parameter        Value
   Source Zone      Users_Net
   Source Address   192.168.1.254
4. Click the Destination tab and configure the following.
   Parameter             Value
   Destination Zone      Internet
   Destination Address   Any
5. Click the Application tab and configure the following.
   Parameter      Value
   Applications   paloalto-apps
   To locate your paloalto-apps Application Group, start typing the first few letters of the group name, and the interface will display only those entries which match. Application Groups appear at the very end of the Application list.
6. Click the Service/URL Category tab and verify that application-default and Any are selected.
7. Click the Actions tab and verify the following. Click OK.
   Parameter     Value
   Action        Allow
   Log Setting   Log at Session End
8. The Allow-PANW-Apps rule should be listed just above the intrazone-default rule in the security policy rule list.
9. Click the Commit button at the upper-right of the web interface.
10. In the Commit window, click Commit.
11. When the Commit process completes, notice that there is an additional tab available for Rule Shadow. Click Close.
12. Leave the Palo Alto Networks Firewall open and continue to the next task.

8.6 Test the Allow-PANW-Apps Security Policy Rule

In this section, you will test the new security policy rule for Allow-PANW-Apps to see how it is working.

1. In the firewall interface, select Device > Dynamic Updates. Click Check Now.
   This action instructs the firewall to check for Dynamic Content updates. The application used by the firewall is called paloalto-updates and is one that you included in the Application Group called paloalto-apps.
2. Select Monitor > Logs > Traffic. Clear any filters you have in place. Create and apply the following filter in the filter builder:
   ( app eq paloalto-updates )
   Notice the Users_to_Internet rule allowed application traffic to pass through the firewall. The firewall traffic did not hit the Allow-PANW-Apps rule because the Users_to_Internet rule "shadows" the Allow-PANW-Apps rule. Traffic matched the Users_to_Internet rule and the firewall carried out the allow action. There is no reason for the firewall to continue comparing packet characteristics to any following rules after it has found a match. Remember: Rule order is important!
3. Leave the Palo Alto Networks Firewall open and continue to the next task.

8.7 Examine the Tasks List to See the Shadowed Message

The firewall provides notification when you have a rule shadowing one or more other rules. The Rule Shadow tab appears at the end of the Commit process. However, you might not always notice the Rule Shadow tab, so in this section, you will use the Task list to examine your earlier Commit messages.

1. In the bottom-right corner of the PA-VM firewall interface, click the Tasks button.
2. In the Task Manager – All Tasks window, scroll down and locate the most recent entry for Commit under Type. Click the link for Commit.
3. In the Job Status – Commit window, select the Rule Shadow tab. The interface shows you which rule is shadowing other rules. Click the number under the Count column (in this example, the value is 1). Click Close.
   The value under the Count column indicates the number of rules that are shadowed. The Shadowed Rule column shows you details about which rule is shadowed. You can use this detailed information to modify your security policy rule order to make certain traffic hits rules in the correct manner.
4. In the Task Manager – All Tasks window, click Close.
5. Leave the Palo Alto Networks Firewall open and continue to the next task.

8.8 Modify the Security Policy to Function Properly

In this section, you will modify your security policy to ensure that only the Allow-PANW-Apps rule allows Palo Alto Networks content update traffic. This configuration is another example of the positive enforcement model, where you configure what the firewall should allow rather than only specifying what should be blocked. You will also modify the security policy rule that allows traffic from the Users_Net to the Internet. Instead of allowing any application, the modified rule will allow only a few applications.

1. In the web interface, navigate to Policies > Security. Click Users_to_Internet to edit the rule.
2. In the Security Policy Rule window, click the Application tab and configure the following. Click OK.
   Parameter      Value
   Applications   dns, ping, ssl, web-browsing
3. Click the Commit button at the upper-right of the web interface.
4. In the Commit window, click Commit.
5. Wait until the Commit process is complete. Click Close.
6. Leave the Palo Alto Networks Firewall open and continue to the next task.

8.9 Test the Modified Security Policy Rule

In this section, you will test the modified security policy to verify that it is working as expected. You want to verify that Dynamic Update traffic from the firewall uses the Allow-PANW-Apps rule.

1. In the firewall interface, select Device > Dynamic Updates. Click Check Now.
2. Select Monitor > Logs > Traffic. Apply the following filter in the filter builder:
   ( app eq paloalto-updates )
   Look for the log entries for the application paloalto-updates. The rule should now be Allow-PANW-Apps.
3. Open a new tab in Chromium.
4. Type www.paloaltonetworks.com in the address bar and press Enter. Once you have verified the website will open, close the Chromium tab by clicking on the X icon.
5. Select Monitor > Logs > Traffic. Clear any filters you have in place. Create and apply the following filter in the filter builder:
   ( addr.src eq 192.168.1.20 ) and ( rule eq Users_to_Internet )
   Notice that App-ID identified the traffic as dns and ssl. The rule "Users_to_Internet" allowed the traffic for both applications.
6. The lab is now complete; you may end your reservation.
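The lesson of 8.6 through 8.9 is first-match evaluation: Users_to_Internet, sitting above Allow-PANW-Apps and allowing any application, absorbs the paloalto-updates sessions until its application list is narrowed in 8.8, and once it is narrowed the firewall's update check falls through to Allow-PANW-Apps while a client session for an application outside the new list matches neither rule. The Python model below is an added example, not part of this NETLAB+ lab and not PAN-OS code. It builds the lab's rule order as a list, looks sessions up top-down, and reports shadowed rules the way the Rule Shadow tab does, by checking whether every field of a later rule is fully covered by an earlier one. Assumptions: the Users_to_Internet definition in the baseline configuration is not shown in the lab text and is modelled as any application from Users_Net to Internet; application-default is modelled as any service; the paloalto-apps group is expanded to its five members; the default rules (intrazone-default, interzone-default) are omitted, so a lookup returning None means the session falls through to them; all sessions are constructed.

```python
"""Model first-match security policy lookup and rule shadowing (added example, not PAN-OS code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    src: str | frozenset = ANY      # host/CIDR strings, or ANY
    apps: str | frozenset = ANY     # App-ID names, or ANY
    service: str | frozenset = ANY  # "tcp/21"-style entries, or ANY (application-default modelled as ANY)
    action: str = "allow"


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    src: str
    app: str
    service: str


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def rule_matches(rule, s):
    return (rule.from_zone in (ANY, s.from_zone)
            and rule.to_zone in (ANY, s.to_zone)
            and (rule.src == ANY or any(ipaddress.ip_address(s.src) in _net(m) for m in rule.src))
            and (rule.apps == ANY or s.app in rule.apps)
            and (rule.service == ANY or s.service in rule.service))


def first_match(rules, s):
    """Top-down lookup: the first matching rule wins and later rules are never consulted.
    None means the session falls through to the default rules, which this model omits."""
    return next((r for r in rules if rule_matches(r, s)), None)


def _covers(broad, narrow, addresses=False):
    """True when everything 'narrow' accepts is also accepted by 'broad'."""
    if broad == ANY:
        return True
    if narrow == ANY:
        return False
    b = {broad} if isinstance(broad, str) else set(broad)
    n = {narrow} if isinstance(narrow, str) else set(narrow)
    if addresses:  # every narrow prefix must sit inside some broad prefix
        return all(any(_net(x).subnet_of(_net(y)) for y in b) for x in n)
    return n <= b


def shadowed_rules(rules):
    """(shadowing, shadowed) pairs: a later rule fully covered by an earlier rule can never be hit."""
    report = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.from_zone, later.from_zone) and _covers(earlier.to_zone, later.to_zone)
                    and _covers(earlier.src, later.src, addresses=True)
                    and _covers(earlier.apps, later.apps) and _covers(earlier.service, later.service)):
                report.append((earlier.name, later.name))
                break
    return report


# The paloalto-apps group from 8.4, expanded to its members.
PALOALTO_APPS = frozenset({"paloalto-dns-security", "paloalto-updates", "paloalto-userid-agent",
                           "paloalto-wildfire-cloud", "pan-db-cloud"})


def lab_rulebase(users_to_internet_apps=ANY):
    """Rule order as built in the lab. Users_to_Internet comes from the baseline config; it is
    assumed here to allow any application from Users_Net to Internet until 8.8 narrows it."""
    return [
        Rule("migrated-ftp-port-based", "Users_Net", "Extranet", service=frozenset({"tcp/21"})),
        Rule("Users_to_Extranet", "Users_Net", "Extranet"),
        Rule("Users_to_Internet", "Users_Net", "Internet", apps=users_to_internet_apps),
        Rule("Allow-PANW-Apps", "Users_Net", "Internet", src=frozenset({"192.168.1.254"}), apps=PALOALTO_APPS),
    ]


# Constructed sessions: the firewall's own update check, and two client sessions.
UPDATE_CHECK = Session("Users_Net", "Internet", "192.168.1.254", "paloalto-updates", "tcp/443")
CLIENT_SSL = Session("Users_Net", "Internet", "192.168.1.20", "ssl", "tcp/443")
CLIENT_FACEBOOK = Session("Users_Net", "Internet", "192.168.1.20", "facebook-base", "tcp/443")

if __name__ == "__main__":
    before = lab_rulebase()
    after = lab_rulebase(frozenset({"dns", "ping", "ssl", "web-browsing"}))
    for label, rules in (("before 8.8", before), ("after 8.8", after)):
        print(label, "shadowed:", shadowed_rules(rules))
        for s in (UPDATE_CHECK, CLIENT_SSL, CLIENT_FACEBOOK):
            hit = first_match(rules, s)
            print(f"  {s.app:17} from {s.src:14} -> {hit.name if hit else 'default rules'}")
```

Before the change, shadowed_rules() reports the single pair the Rule Shadow tab showed in 8.7 (Users_to_Internet shadowing Allow-PANW-Apps, Count 1) and the update check lands on Users_to_Internet; after the change the report is empty, the update check lands on Allow-PANW-Apps, and the facebook-base client session matches no listed rule, which is the positive enforcement model at work: narrowing the broad rule is what makes the specific rule reachable.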