EDU 311 80a Student Lab Guide_08

Palo Alto Networks Firewall Debug and Troubleshoot Lab Guide ®

PAN-OS 8.0 EDU-311 Courseware Version A

®

Palo Alto Networks Te!nial E"uation

Palo Alto Networks, Inc. https://www.paloaltonetworks.com

©2007-2017, Palo Alto Networks, Inc. Palo Alto Networks and PAN-OS are registered trademarks of Palo Alto Networks, Inc. All oter marks mentioned erein ma! "e trademarks of teir res#ecti$e com#anies.

©2017, Palo Alto Networks, Inc.

Page 2

Table of Contents %a"le of &ontents.............................................................................................................................' %!#ogra#ical &on$entions.............................................................................................................( )ow to *se %is +a" ide............................................................................................................ +a" ide O"/ecti$es......................................................................................................................7 +a" 1 Scenario Administrati$e %ro"lesooting............................................................................ Scenario........................................................................................................................................ +a" Notes..................................................................................................................................... +a" 1 Soltion Administrati$e %ro"lesooting..........................................................................10 Im#ort te &onfigration iles...................................................................................................10 +oad te &onfigration iles.....................................................................................................12 3iew 3iew te &onfigration from te &+I and te 4e"*I................................................... 4e"*I.............................................................. ............1' .1' ater 5asic S!stem Information..............................................................................................16 ater Ad$anced Information....................................................................................................16 +a" 2 Scenario irewall %ro"lesooting....................................................................................1 Scenario etails.........................................................................................................................1 +a" 2 Soltion irewall %ro"lesooting.....................................................................................1 %ro"lesoot Administrati$e Access..................................................... Access.......................................................................................... ..................................... 1 As 8stdent9 Admin, &reate a New :; Secrit! ;one..........................................................1< %ro"lesoot *ser Atentication Isses...................................................................................20 Perform a !namic *#date........................................................................................................20 +a" ' Scenario +a!er ' %ro"lesooting.....................................................................................2' +a" etails.................................................................................................................................2' %nnel &onfigration Information.............................................................................................26 =ternet 1>' Interface S#ecification.......................................................................................26 :; Secrit! ;one S#ecification.........................................................................................26 I?= atewa! S#ecification....................................................................................................26 I?= &r!#to Profile S#ecification...........................................................................................2(


Page 3

IPsec &r!#to Profile S#ecification.........................................................................................2( IPsec %nnel &onfigration S#ecification..............................................................................2( %est %nnel &onnecti$it!...........................................................................................................2 +a" ' Soltion +a!er ' %ro"lesooting......................................................................................27 %ro"lesoot +oss of &onnecti$it! to te Internet....................................................................27 %ro"lesoot )%%P>)%%P Access to 4e"sites......................................................... ................ 27 In$estigate te Acti$it! and @ele$ance of +egac! Policies.......................................................2 %ro"lesoot &onnecti$it! to a S#ecific Address......................................................................2 %ro"lesoot 3PN %nnel &onfigration..................................................................................2 +a" 6 Scenario SS+ ecr!#tion Polic! %ro"lesooting.............................................................'0 +a" etails.................................................................................................................................'0 +a" 6 Soltion SS+ ecr!#tion Polic! %ro"lesooting.............................................................'1 SS+ 4e"sites Are Not ecr!#ted..............................................................................................'1 +a" ( Scenario Polic! and Performance %ro"lesooting...........................................................'' +a" etails.................................................................................................................................'' +a" ( Soltion Polic! and Performance %ro"lesooting............................................................'( %ro"lesoot an Ina"ilit! to Access Allowed :edia Ser$ices................................................... '( ailre to 5lock Infected iles...................................................................................................' %ro"lesoot a Pro"lem wit *ser-I.......................................................................................' 4! Some 4e" Pages Are %iming Ot.....................................................................................' &reate and @e$iew a 3ideo Stream Packet &a#tre..................................................................'7


Page 4

Typographical Conventions %is gide ses te following t!#ogra#ical con$entions for s#ecial terms and instrctions. Convention

Meaning

Example

5olding

Names of selecta"le items in te we" interface

&lick Secrit! to o#en te Secrit! @le Page

Courier font

%et tat !o enter and coding eam#les

=nter te following command a:\setup

%e show arp all command !ields tis ot#t username@hostname> show arp

&lick

&lick te left mose "tton

&lick A"ministrators nder te e$ice ta"

@igt-click

&lick te rigt mose "tton

@igt-click te nm"er of a rle !o want to co#!, and select Clone #le

B C Dtet enclosed in angle "rackets

Parameter in te +a" Settings )andot

&lick A"" again and select $Internal Inter%ace&


Page 5

ow to !se This Lab Guide %e la" gide #resents fi$e ig-le$el tro"lesooting scenarios, wit ea c followed "! a 8soltion9 section tat #ro$ides ste#-"!-ste# gidance on at least one #ossi"le wa! to sol$e te #ro"lems #resented "! te scenario. %e information #ro$ided in te 8scenario9 sections is intentionall! minimal, t!#icall! #ro$iding !o onl! an otline of wat !o need to do. Eor goal is to define, docment, diagnose and resol$e te #ro"lems tat eac scenario #resents sing te tools discssed dring te workso# lectresFand, to te "est of !or a"ilit!, to do so witot rel!ing on te 8soltion9 sections of te "ook. 





If !o do reGire #rocedral gidance "e!ond wat is #ro$ided in te scenario sections, first seek in#t from oter #artici#ants and !or instrctor. *se te information in te soltion sections onl! as a last resort. Note tat some la" scenarios ma! not corres#ond to an! s#ecific lectre modle and ma! instead "e designed to $alidate !or nderstanding of te tools and tecniGes discssed across mlti#le lectres. Attem#t te la" scenarios in te order s#ecified "! te instrctor so tat te class can discss its findings as a gro# to frter enance te learning e#erience.

Note: *nless s#ecified, se te &rome we" "rowser and te P%%E SS) client to #erform te tasks reGired. %ese a##lications are #re-installed, and sortcts to tem a$e "e en added to te 4indows deskto# of te management workstation witin te la".


Page 6

Lab Guide "b#ectives 4en !o a$e finised tese la"s, !o will "e a"le to com#lete tese tasks 

*se te &+I to load configrations and commit canges



*se te &+I to $iew s!stem stats, identif! #otential #ro"lems, and cange settings



@e$iew s!stem configration and #olic! details sing te 4e"*I and &+I



Identif! te #otential im#act of configration o#tions and settings on re#orted s!m#toms



Identif! known #ro"lems wit sam#le configrations and fi tem


Page 7

Lab $ %cenario& Ad'inistrative Troubleshooting In tis la", !o will 

Im#ort configration files from te &+I interface sing %%P



+oad configration file ed-'11-la"-01 and log in wit te admin ser credentials



@e$iew te la" arcitectre and addressing sceme

%cenario

Lab Notes *se te &+I and te *I of te firewall to #erform tese eercises. Some actions ma! "e a$aila"le onl! from te &+I. *se "ot SS) and )%%PS to access te firewall trog its management interface. %e management interface is 1<2.1.1.2(6. +og in to te firewall wit te defalt sername DadminH and #assword DadminH.


Page 8

1. Im#ort te corse configration files a. irst look in te 8la"9 folder on !or 4indows deskto# for te corses configration files. Ask !or instrctor for gidance if tis folder and>or te files do not eist. ". Im#ort all ed-'11-la"'(( configration files into te firewall. *se "ot te &+I %%P im#ort metod and te im#ort metod of te *I. 2. +oad te first configration file, ed-'11-la"-01, and commit te canges. '. 3iew te rnning configration from te &+I and te 4e"*I a. &onfigre te firewall to dis#la! te configration in 8set9 mode wen $iewed from te configration #rom#t. @e$iew te format differences "etween dis#la!ing configration information in JSON, K:+, and set Dset-commandH format. ". 3iew te configration of te newl! loaded file. 6. is#la! and re$iew "asic s!stem information a. 3iew o$erall s!stem information. ". ocment te arcitectre, noting te configred Lones, interfaces, and $irtal rotes. c. Anal!Le te Secrit! #olicies and NA% #olicies, and e#lain

-

4! can !o lanc a "rowser and freel! "rowse te internetM

-

4at ena"les te firewall to allow all a##lications to # assM

(. ater ad$anced information a. enerate a %ec S##ort D%SH ile. ". 3iew te details of te newl! generated %S ile. c. &om#are te #rocess of re$iewing log files eternall! wit te fnctionalit! a$aila"le directl! on te firewall. d. @e$iew ser$ices and #rocesses rnning on te s!stem and eamine te o$erall s!stem load.

Sto#. %is is te end of te Administrati$e %ro"lesooting la" scenario.


Page 9

Lab $ %olution& Ad'inistrative Troubleshooting ('port the Configuration Files 1. &o#! te fi$e configration files to !or stdent deskto#     

ed-'11-la"-01 ed-'11-la"-02 ed-'11-la"-0' ed-'11-la"-06 ed-'11-la"-0(

2. Im#ort all fi$e of tese config files to te firewall. '. O#en an SS) session wit te firewall sing P))*, and log in sing te administrator credentials admin and admin

6. +anc te #rogram +Caemon to configre and start a %%P ser$er ser$ice. a. In te na$igation #ane, click te )-)P Server & Con%igre )-)P Server icon. ". On te )-)P Con%igration ta", s#ecif! and>or $erif! te ploa"/ownloa" "irector! $ale. *se C:\Users\lab-user\Desktop\lab\. %en click 0 


Page 10

c. In te na$igation #ane, click )-)P Server & 1o to start te %%P ser$ice. (. rom te &+I D$ia SS)H on te firewall, se %%P to download configration files from !or workstation $ia te %%P ser$er. *se te command tftp import configuration from file 

. @e$iew te log ot#t sowing te sccessfl %%P transfer

7. Eo also can im#ort configrations sing te 4e"*I. O#en a "rowser and go to https://234.256.2.478 to load te *I of !or firewall evice & Setp & perations & Import


Page 11

Load the Configuration Files %rogot te la", !o will need to load eac of te fi$e configration files to te firewall at different times, following te directions #ro$ided in tis gide. Eo can load tese configration files from te &+I or from te 4e"*I. %e &+I metod is dis#la!ed first. 1. +oad te ed-'11-la"-01 file. 2. Switc to configration mode. =nter te command configure. '. Once in configration mode, t!#e load config from and ten #ress te )a9 ke! to dis#la! te list of configration files tat crrentl! reside on te firewall

6. &om#lete te command "! entering te name of te target configration Dedu-$&&lab-#&H and #ressing Enter to load te configration.

A commit o#eration will "e reGired. Note tat in a real en$ironment, !o sold make an! administrati$e canges to te firewall D#dating of ac conts, #asswords, IP addresses, or interfacesH before rnning te commit o#eration. +og in $ia te &+I and re$iew "asic na$igation of te &+I, looking at software $ersions and s#ecific license information. (. Eo can load te configration files sing te *I. &lick evice & Setp & perations & oa" and select te target configration


Page 12

. After loading te configration file, #erform a commit, sing te &+I or 4e"*I. %e &+I #rocess is as follows

)iew the Configuration fro' the CL( and the *eb!( 1. %wo metods for $iewing te rnning configration are a$aila"le from te &+I 

> show config running from te main #rom#t



' show from te configuration #rom#t

2. %o $iew te configration in set mode, rater tan te defalt JSON format, enter set cli config-output-format set from te main #rom#t. %is command ten

will cange te ot#t sown in configration mode. '. rom te main #rom#t Dnot in configration modeH, !o can see te difference "etween te rnning and candidate configs wit te command show config diff. 6. In configration mode, se te commit command to a##l! canges.


Page 13

Gather +asic %yste' (nfor'ation 1. @e$iew te configration settings of !or firewall. 2. *se "ot te &+I and te 4e"*I to familiariLe !orself wit te crrent configrations. *sefl commands inclde te following > show s(stem info > show interface all > show running )securit(-polic( * pbf-polic( * nat-polic(+ > show routing summar(

?e! Gestions to consider are as follows 

4ic $ersion of PAN-OS software are !o rnningM



4ic %reat 3ersion is loaded, and wat is te treat release dateM



4at is te A##-I $ersion, and wat is te Anti$irs $ersionM



4ic *@+ data"ase is te firewall configred forM



4at is te 4ildire $ersion and its release dateM



Is te firewall licensedM



4at is te ostname of !or firewallM



)ow man! secrit! Lones are tereM



4ic interface is in wic secrit! LoneM



oes eac interface a$e an IP addressM



4at is te interface t!#e D%AP, 3irtal 4ire, )A, +a!er 2, or +a!er 'H, and w!M



Is a NA% #olic! configredM



)ow man! static rotes and ow man! connected rotes are tereM

Gather Advanced (nfor'ation Eo can create a %ec S##ort ile from te &+I wit te scp e,port tech-support command or "! sing te 4e"*I. 4itin tis la" en$ironment a ser$er ma! not "e a$aila"le to #erform te secre co#!. If tis is te case, dont #erform an S&P download. Note: %e command reuest tech-support dump will generate a %S ile, "t !o

cannot download tis file from te &+I. Eo can download it $ia te 4e"*I click evice & Spport & )ech Spport -ile and find te download link in te 8%ec S##ort ile9 section of te #age


Page 14

1. %o etract te contents of te %S ile, !o will reGire a tool tat can o#en a %A@ arci$e. 7-;i# is one sc #rogram and is #ro$ided for te la". After !o etract all te files, find and note te different directories tat a$e "een created. %e generated %S ile is in te #ca#stm#cli director! a #ca#stm#clilogs director! dis#la!s $arios s!stem logs. @e$iew some logs for confirmations and oter interesting data. 2. *se te show running resource-monitor and show s(stem resources commands to dis#la! s!stem #rocesses. *se te show s(stem disk-space command to dis#la! te disk s#ace

'. 4en !o are done, log ot of te firewall and close te "rowser.

Sto#. %is is te end of te Administrati$e %ro"lesooting la" soltion.


Page 15

Lab , %cenario& Firewall Troubleshooting In tis la", !o will 

+oad configration file ed-'11-la"-02



%ro"lesoot ser atentication isses



&reate a new Lone on te firewall



Perform a d!namic #date

%cenario Details ring tis la", !o will "e instrcted to log in to te firewall sing $arios acconts. =ac accont will a$e its own set of #ro"lems to fi. 1. +oad te configration file ed-'11-la"-02 to te firewall. &ommit. D%ere is no #assword for access to te file itself.H 2. Attem#t to log in to te firewall sing "ot SS) and )%%PS. isco$er, define, and resol$e an! isses tat !o ma! enconter sing and>or logging on to te 4e"*I after loading te new configration. D)int *se te &+I to disco$er te ser$ices tat are rnning, or are not rnning, on te firewall.H '. irewall administrator 8stdent9 needs to make certain canges to te firewall. S#ecificall!, te administrator needs to create a :; secrit! Lone and assign a tnnel interface to tis newl! created Lone. )owe$er, te admin wo logs in wit te sername>#assword of student>pan&.$ is na"le to manage te firewall as e#ected. %ro"lesoot and resol$e tis #ro"lem "! attem#ting to log in $ia "ot SS) and )%%PS. %en make corrections so tat te 8stdent9 administrator accont ma! create te new Lone. Proceed once te 8stdent9 accont can sccessfll! create te new Lone. 6. %wo of !or glo"al firewall administrators no longer can log in to tis firewall. 5ot continall! recei$e an 8In$alid sername or #assword9 error message, !et "ot sers can log in sccessfll!, sing te same credentials, to te oter firewalls in !or organiLation. 





5ot acconts se te same #assword of assword&/. Without changing any passwords, se te following information and te network diagram in te 8+a" 1 Scenario9 section of tis gide to tro"lesoot and resol$e tis isse. *ser stdent07 sold atenticate sing +AP, and stdent0 sold atenticate sing @AI*S. i te atentication isse for stdent07 and stdent0.

)int %o tro"lesoot and resol$e te isses, log in as admin>admin.


Page 16

(. =nsre tat te firewall as te latest Anti$irs and A##lication and %reats content "! attem#ting a d!namic #date 

Attem#t te Anti$irs #date $ia te &+I.



Attem#t te A##lication and %reats #date $ia te 4e"*I.



@esol$e an! isses. %e #date ser$er for tis firewall is #dates.#aloaltonetworks.com.

Sto#. %is is te end of te irewall %ro"lesooting la" scenario.


Page 17

Lab , %olution& Firewall Troubleshooting Troubleshoot Ad'inistrative Access 1. After !o load te configration file ed-'11-la"-02 and commit it to te firewall, te 4e"*I "ecomes d!sfnctional. &lose te "rowser, o#en it, and attem#t to reconnect to te )%%P>)%%PS management interface at 1<2.1.1.2(6. %e attem#t will fail. a. O#en an SS) connection and attem#t to log in sing te 8stdent9 admin accont wit te #assword pan&.$. %e firewall will terminate te connection. ". O#en a new SS) connection, and log in sing te 8admin9 accont wit admin>admin credentials. %e attem#t sold scceed. 2. In tis configration, te management interface settings for )%%P and )%%PS a$e "een disa"led, wic #re$ents an!one from connecting and logging in to te 4e"*I. %o dis#la! information a"ot wic management ser$ices are ena"led or disa"led, se te command show s(stem ser0ices adminQla"-firewallC show s!stem services )%%P ;))PS

 isa"led : isa9le"

%elnet

 isa"led

SS)

 =na"led

Ping

 =na"led

SN:P

 isa"led

'. %o correct te #ro"lem tat )%%PS is disa"led, se te following &+I commands ' ' ' '

configure set de0iceconfig s(stem ser0ice disable-https no show de0iceconfig s(stem ser0ice commit

adminQla"-firewall& con%igre =ntering configration mode

adminQla"-firewall( set "evicecon%ig s!stem service "isa9le'https no


Page 18

adminQla"-firewall( show de$iceconfig s!stem ser$ice ser$ice R disa"le-tt# !es "isa9le'https no<

disa"le-telnet !es disa"le-ss no disa"le-icm# no disa"le-snm# !es 

adminQla"-firewallT commit &ommit /o" '6( is in #rogress. *se &trlU& to retrn to command #rom#t ...((V 7(V <
adminQla"-firewallT

6. 4en te commit com#letes, lanc a "rowser and reattem#t to log in to te 4e"*I sing te 8stdent9 admin accont wit te #assword pan&.$. Eo sold e#ect a sccessfl login.

As -student. Ad'in/ Create a New D01 %ecurity 1one 1. 4ile attem#ting to create te new :; secrit! Lone, !o disco$er tat tis accont is na"le to create secrit! Lones. %is is a cstom Admin @oles #ro"lem tat !o mst fi "efore !o can create te new Lone.

2. Attem#t as te 8stdent9 administrator to gi$e !orself te rigts necessar! to create a new Lone. &lick evice & A"min #oles & st"ents . '. +og ot, and log in to te 4e"*I as admin>admin.


Page 19

6. @e$iew te eisting admin roles on te s!stem. Assign te 8stdent9 admin accont to te 8Stdents9 admin role Dor anoter one tat !o create or tat is oterwise sfficient to accom#lis te taskH

(. &ommit te cange. +og ot from te defalt admin accont. +og "ack in as student>pan&.$ and create te new Lone. . &reate te new secrit! Lone from Network & =ones & A"" . Name te Lone M= and s#ecif! te t!#e as a!er+. o not assign an! interfaces to tis Lone. &lick 0 to close. 7. &ommit te canges.

Troubleshoot !ser Authentication (ssues %wo oter firewall administrators cannot log in to tis firewall 

student#1>assword&/



student#2>assword&/

5ot stdent07 and stdent0 administrators recei$e an 8In$alid sername or #assword9 error message, !et "ot can log in sccessfll!, sing tese same credentials, to te oter firewalls de#lo!ed trogot !or organiLation. Without changing any passwords, resol$e tis atentication isse. 1. &onslt te la" diagram to determine te misconfigrations on te firewall related to te atentication ser$ers. 2. i te +AP and @AI*S admin acconts 8stdent079 and 8stdent09 so tat eac is assigned to a se#arate Atentication Profile. 5ot acconts on te +AP and @AI*S atentication ser$er alread! eist and are configred wit te #assword assword&W


Page 20

5ot +AP ser$ices D$ia Acti$e irector!H and @AI*S ser$ices D$ia Network Polic! Ser$erH are rnning on te same omain &ontroller D1<2.1.1.20H.

Perfor' a Dyna'ic !pdate 1. Attem#t to #erform a d!namic #date on te firewall. Attem#t te #date from "ot te &+I and te 4e" *I. Ot#t from te &+I command reuest s(stem software check will demonstrate connecti$it! "reakage. 2. @e$iew te s!stem log. +ook for information regarding te #dates. show log s(stem * match update

evice & !namic p"ates

%e #date attem#t will fail. %is isse ma! "e resol$ed trog te &+I or te 4e"*I. '. is#la! te crrentl! configred #date-ser$er setting sing te command > show config running * match update.

6. *se p"ates.paloaltonetworks.com Dinstead of 1<2.1.(0.10H as te #date ser$er. )el#fl &+I commands for s#ecif!ing an #date ser$er and #erforming cecks for #dates, downloads, and installations of #date files inclde te following ' configure ' set de0iceconfig s(stem update-ser0er ' commit > reuest anti-0irus upgrade check > reuest anti-0irus upgrade download latest > reuest anti-0irus upgrade install commit (es 0ersion latest > reuest content upgrade check > reuest content upgrade download latest > reuest content upgrade install commit (es 0ersion latest > reuest wildfire upgrade check > reuest wildfire upgrade download latest > reuest wildfire upgrade install commit (es 0ersion latest


Page 21

(. *se te C show s(stem info command to re$iew crrent software $ersions and to $alidate te com#letion of #date tasks.

Sto#. %is is te end of te irewall %ro"lesooting la" soltion.


Page 22

Lab 2 %cenario& Layer 2 Troubleshooting In tis la", !o will 

+oad configration file ed-'11-la"-0'



%ro"lesoot loss of connecti$it! to te internet



%ro"lesoot ser com#laints a"ot incom#lete we"#age loading





3erif! tat a legac! OSP configration is not crrentl! reslting in traffic roting, and eliminate te configration %ro"lesoot a 3PN isse

Lab Details *sers re#ort tat te! cannot connect to internet we"sites. Identif! and correct te #ro"lem to restore normal internet connecti$it!. 1. +oad configration file ed-'11-la"-0' and commit. 2. *se te network diagram in te first section of tis gide and an! oter associated information to tro"lesoot an! #ossi"le roting isses. '. After !o find and fi te "asic roting isses, sers can still not access te internet a. Anal!Le all te #olic! rles to tro"lesoot tis #ro"lem. ". ind te isse and fi it. 6. %e network to#olog! as canged in recent monts. Eo notice wat looks like a legac! OSP configration for an interface tat !o "elie$e is no longer acti$e a. isco$er weter te interface and configration are still acti$e. ". isco$er weter traffic is crrentl! "eing roted to tis interface. c. If tere is no #ercei$a"le acti$e se of te crrent OSP configration, reconfigre te firewall to remo$e tis configration. (. *nfortnatel!, !o now realiLe tat !or stdent P& cannot #ing an im#ortant ser$er on te internet a. %e #"lic IP address of te ser$er !o are tr!ing to #ing is 6.2.2.2. ". Anal!Le all te #olic! rles to identif! te #ro"lem, and ten resol$e te connecti$it! isse. c. @emem"er to se "est #ractices in te creation of additional NA% #olicies and Secrit! #olic! rles, as needed. . %ro"lesoot 3PN connecti$it!


Page 23

a. %e crrent 3PN configration is "adl! formed, not working, and mst "e e$alated torogl!. ". *se te network diagram in te first section of tis la" gide and te following configration s#ecification information to $alidate crrent #arameters, identif! misconfigred #arameters, add missing configration elements, and resol$e an! oter isses related to te "roken 3PN connection.

Tunnel Configuration (nfor'ation 3thernet $42 (nterface %pecification Parameter

>ale

&omment Do#tionalH

dm4 interface

Interface %!#e

a!er+

3irtal @oter

la9'vr

Secrit! ;one

M=

IP$6 Address %!#e

Static

IP Address

&5.6&7268#6&9.

:anagement Profile

allow-ping

D01 %ecurity 1one %pecification Parameter

>ale

Name

D;

%!#e

a!er+ sold "e selected

(53 Gateway %pecification Parameter

>ale

Name

tunnel-to-peer

3ersion

I0Ev2 onl! mo"e

Interface

ethernet2/+

+ocal IP Address

234.256.7?.2/48

Peer %!#e

static

Peer IP Address

&5.6&7268#6&#


Page 24

Parameter

>ale

Pre-sared ?e!

paloalto

+ocal I

None

Peer I

None

Ad$anced C I?= &r!#to Profile

!=3.87-D.-3!.

(53 Crypto Profile %pecification Parameter

>ale

Name

!=3.87-D.-3!.

) ro#

1rop 4

Atentication

sha475

=ncr!#tion

aes'475'c9c

(Psec Crypto Profile %pecification Parameter

>ale

Name

A=S2(-S)A2(

IPSec Protocol

ESP

=ncr!#tion

Add aes'475'c9c

Atentication

Add sha475

) ro#s

Select grop4

(Psec Tunnel Configuration %pecification Parameter

>ale

Name

0pn-to-peer

%nnel Interface

tnnel.2

%!#e

Ato 0e!

I?= atewa!

tnnel'to'peer

IPSec &r!#to Profile

AES475'S;A475

Sow Ad$anced O#tions

Select te ceck "o


Page 25

Parameter

>ale

%nnel :onitor

Select te ceck "o

estination IP

&1.6&76.6&&

Pro! I Xta"Y

dm4?tunnel-network

+ocal

&1.6&76.6#9.

@emote

&1.6&76.6#9.

Test Tunnel Connectivity On Network & IPSec )nnels , !or goal is to see "ot stats indicators green

Sto#. %is is te end of te +a!er ' %ro"lesooting la" scenario.


Page 26

Lab 2 %olution& Layer 2 Troubleshooting Troubleshoot Loss of Connectivity to the (nternet Eo recei$e mlti#le re#orts tat sers can no longe r access te internet. Identif! and correct te #ro"lem to restore normal internet connecti$it!. 1. +oad te configration file ed-'11-la"-0' and commit. 2. In tis scenario, te deskto# can #ing its own defalt gatewa! D1<2.1.1.1H and te net o# at 20'.0.11'.1 Dte internet access #ointH in te network diagram. '. Eo can identif! and correct te #ro"lem onl! after looking at te addressing of te actal network to#olog! and disco$ering tat te net o# for te defalt rote of te $irtal roter is misconfigred.

Troubleshoot TTP4TTP Access to *ebsites After !o restore internet connecti$it!, !o can #ing internet addresses D...H and get NS resoltions Dsc as for google.comH, "t !o still cannot access internet we"sites. 1. Anal!Le all te Secrit! #olic! rles. 2. @e$iew all te oter t!#es of #olicies, sc as NA%, ZoS, and #olic!-"ased forwarding DP5H. '. ind te Polic! 5ased orwarding #olic! tat is configred to rote all a##lications to a net o# tat is nreaca"le a. One soltion is to #t te correct gatewa! into te P5 #olic!. )owe$er, if !o kee# te P5 #olic! and correct te net o#, !o ma! e#erience #ro"lems wit te 3PN. ". Eo cold also delete or disa"le te P5 rle, or se a :onitor Profile, so tat if te net o# is not reaca"le, te roting ta"le will "e sed. c. %e traffic logs will sow te we"-"rowsing and SS+ traffic as a##lication 8incom#lete.9 d. +ogs are sefl for tis eercise. eneral searcing of log files gro#s can "e #erformed Dgrep mp-log  pattern "word%H to find wic log files contain wic conce#ts. S!stem logs can #ro$ide im#ortant details. %is le$el of log detail wold not "e $isi"le in te *I Da #acket ca#tre wold "e reGiredH.


Page 27

(nvestigate the Activity and 6elevance of Legacy Policies ind te crrent OSP configration and itemiLe all its $arios elements, inclding Lone, interface, #rotocol configration, and so fort. 1. @e$iew te crrent roting ta"le. etermine weter an! acti$e rotes are related to te OSP network. 2. Ping an! #eers or oter roters to wic !o ma! find references. o an! of te de$ices referenced witin te configration res#ondM Is te interface #M '. If tere is no discerni"le acti$it! or oter related elements to te OSP configration, remo$e te OSP configration com#onents and commit te configration. 6. %est to $erif! tat no mistakes were made.

Troubleshoot Connectivity to a %pecific Address Eo cannot #ing a s#ecific ser$er on te internet. In tis case, te IP address of te ser$er !o are tr!ing to #ing is 6.2.2.2. 1. Anal!Le all #olic! rles to identif! te #ro"lem, and ten resol$e te connecti$it! isse. 2. &eck +a!er ' connecti$it! wit NA%. '. *se "est #ractices in editing te eisting NA% #olicies and Secrit! #olic! rles. 6. %e NA% #olic! for 6.2.2.2 is configred as estination NA% instead of Sorce NA%.

Troubleshoot )PN Tunnel Configuration %ro"lesoot and resol$e te isse and restore 3PN connecti$it!. 1. *se te s#ecification data #ro$ided to work trog te 3PN configration. 2. %rack !or canges. &ommit #dated configration #arameters at ke! #oints. '. &onsider sa$ing !or configration #eriodicall! and>or at ke! #oints of cange so tat !o will "e a"le to re$ert te firewall to one of tose #rior states witot a$ing to start from te "eginning if !o make a significant mistake. 6. @e$iew te 3PN log entries


Page 28

(. *se tese &+I commands to re$iew te 3PN configration show 0pn ike-sa show 0pn ipsec-sa tunnel dm4-tunnel-network show 0pn flow name dm4-tunnel show running tunnel flow

Sto#. %is is te end of te +a!er ' %ro"lesooting la" soltion.


Page 29

Lab 7 %cenario& %%L Decryption Policy Troubleshooting In tis la", !o will 

+oad configration file ed-'11-la"-06



%ro"lesoot "roken internet access



%ro"lesoot SS+ ecr!#tion #olic!

Lab Details 1. An administrator in !or organiLation recentl! added some new #olic! rles to te firewall. Eo a$e /st learned tat !or sers cannot load an! we"sites a. iagnose te #ro"lem and im#lement a soltion to restore a "asic le$el of internet access. ". Eo can consider tis task com#lete wen !o can sccessfll! load te we"site tt#>>www.eam#le.com in a "rowser from !or client macine. 2. SS+ we"sites are not "eing decr!#ted a. &or#orate #olic! reGires tat all traffic "e decr!#ted "! te firewall. ". Eo go to te we"site www.sslla"s.com and recei$e te error message, 8%is site cant #ro$ide a secre connection.9 etermine w! and resol$e te #ro"lem.

Sto#. %is is te end of te SS+ ecr!#tion Polic! %ro"lesooting la" scenario.


Page 30

Lab 7 %olution& %%L Decryption Policy Troubleshooting %%L *ebsites Are Not Decrypted 1. +oad configration file ed-'11-la"-06 and commit. 2. NS is missing from te #olic! tat allows s#ecified a##lications. Add NS to te list of #ermitted a##lications. '. %est loading te we"site www.sslla"s.com. Notice te error message, 8%is site cant #ro$ide a secre connection.9 etermine te case of te error and resol$e te #ro"lem. DNote tat tis message ma! a##ear onl! on !or $er! first attem#t to connect to te site, wit s"seGent attem#ts reslting in a sim#le failre to connect.H 6. &eck te ecr!#tion Profile associated wit te ecr!#tion #olic! a. %e firewall is configred to decr!#t all SS+ traffic. Eo again tr! to access te test site Dwww.sslla"s.comH. %e #age first looks "roken, "t wen !o refres te #age, e$er!ting looks correct. ". %e crrent ecr!#tion #olic! ses a ecr!#tion Profile tat decr!#ts traffic from we"sites sing SS+ '.0 #rotocol. %e we"site www.sslla"s.com does not s##ort te SS+ '.0 #rotocol. %is site ses onl! te %S+ #rotocol. %is mismatc of #rotocols is casing te #ro"lem. %o resol$e te isse, select a different #rofile or remo$e te ecr!#tion Profile from te ecr!#tion #olic!. (. o to te traffic logs and ena"le te #esolve hostname o#tion. &reate a filter for www.sslla"s.com. Notice tat te filter ses te IP address of te we"site. )int &lick to dis#la! te ecr!#ted colmn if !o  do not see it in te log file


Page 31

. %e log entries for te destination address D6.61.200.100H sow tat te SS+ traffic is not "eing decr!#ted. %ro"lesoot and resol$e te isse. )int 3iew te "rowsers )rste" #oot Store . %e certificate error reGires te stdent to e#ort te certificate from te firewall and im#ort te certificate into te stdents "rowser as a %rsted @oot Store certificate. 7. After !o a$e resol$ed te decr!#tion #ro"lem, te SS+ traffic is still not "eing decr!#ted. 4at cold case a site to not "e decr!#tedM . %e site will not decr!#t "ecase te first time te stdent accessed te we"site, te site was added to te eclde cace for SS+ sites a. Eo can se te &+I command show s(stem setting ssl-decr(pt e,clude-cache to $iew all caced sites.

". Eo will see tat te we"site is caced. <. Eo will need to clear te cace sing te &+I command debug dataplane reset ssl-decr(pt e,clude-cache.

10. Once te cace is clear, !o can see tat te site is now "eing decr!#ted. )int te show s(stem setting command as an additional o#tion tat will "e el#fl to tro"lesoot tis isse. %r! clearing te SS+ cace sing te debug dataplane reset command.


Page 32

Sto#. %is is te end of te SS+ ecr!#tion Polic! %ro"lesooting la" soltion.


Page 33

Lab 8 %cenario& Policy and Perfor'ance Troubleshooting In tis la", !o will 

+oad configration file ed-'11-la"-0(



%ro"lesoot an ina"ilit! to access allowed media ser$ices



%ro"lesoot w! malicios files were not "locked



%ro"lesoot a #ro"lem wit *ser-I tecnolog!



%ro"lesoot we"#ages tat contine to time ot



&reate and re$iew a $ideo-stream #acket ca#tre

Lab Details 1. +oad configration file ed-'11-la"-0(. 2. &ommit te configration and note te de#endenc! warnings. '. Eo notice tat !o cannot "rowse te we". Eo need to esta"lis we"-"rowsing access to sites sc as wiki#edia.org and eicar.org. %ro"lesoot te #ro"lem and ena"le access. 6. &or#orate #olic! allows access to media ser$ices eeLer and oogle :sic. :an! of !or sers re#ort tat te! cannot se tese a##lications from witin te $arios regions. etermine w! and resol$e te #ro"lem. (. %e firewall is s##osed to "e configred to "lock all anti$irs, work, and $irs downloads. )owe$er, dring tests on a sers s!stem, !o disco$er te a"ilit! to sccessfll! download a file containing a $irs from te =I&A@ test site at eicar.org. %ro"lesoot and resol$e te isse. . Eor firewall ma#s IP addresses to sernames for se in Secrit! #olic! rles and logging a. One of !or firewall administrators as ena"led and configred te integrated *serI on te firewall. ". A legac! configration Dtat is not workingH for an instance of te standalone agent as "een remo$ed from te target ser$er. c. *nfortnatel!, sers are not "eing sccessfll! ma##ed to IP addresses as e#ected. d. Identif! and fi te #ro"lem to ensre tat !or com#an!s sers are sccessfll! ma##ed to te correct IP addresses for se in Secrit! #olic! rles and logs. )int In tis la", te correct #ort nm"er for commnication wit te +AP ser$er tat te integrated agent ses to commnicate wit te Acti$e irector! ser$er is '<.


Page 34

7. *sers com#lain tat te! cannot $iew certain we"#ages "ecase of timeots. %ese sers are attem#ting to access natoriLed we"sites. Im#lement a soltion to inform all sers tat te! are not allowed to access tese natoriLed sites. . Stream a $ideo from !or stdent P&. Sow session information for te $ideo traffic sing te &+I. %en $iew and clear te s!stem conters. Perform a #acket ca#tre and eamine te #ackets to $alidate tat te firewall correctl! ca#tred all te e#ected data. =#ort te #ca# file to te stdent P& and $iew te data in 4iresark.

Sto#. %is is te end of te Polic! and Performance %ro"lesooting la" scenario.


Page 35

Lab 8 %olution& Policy and Perfor'ance Troubleshooting Troubleshoot an (nability to Access Allowed 0edia %ervices 1. +oad configration file ed-'11-la"-0(. 2. &ommit te configration and note te de#endenc! warnings. '. %e crrent Secrit! #olic! incldes a. =#licit allows for te a##lications #ing and ssl, and +inkedIn, ace"ook, Pandora, and mail. ". =#licit denies for mail-cat D#rior to mailH. c. =#licit den! all at te end. 6. Note tat 8we" "rowsing9 is not eGi$alent to 8#ort 0.9 (. %o see we"-"rowsing denies, re$iew te ot#t of te show log traffic action eual den( command

a. A##lication de#endenc! errors will "e $isi"le in te m#-log ms.log. ". Eo can disco$er te s#ecific log Dms.logH "! gre##ing all of te m#-log files for te ke!word 8de#endenc!.9 iscssion to#ics and ca$eats 







Eo mst nderstand te im#act of a##lication de#endencies. Pro"lems wit de#endencies can "e seen in te m#-log files. %e order of a##lications ma! not make a difference in control "t can el# wit reada"ilit!. Altog te 4e"*I commit message can el# !o to nderstand te $arios de#endencies #on wic A##-I #rocesses rel!, !o cannot se tis ot#t alone to resol$e isses wit com#le configrations. &o#! and #aste trog &+I set mode works, "t command ordering adds a callenge.

?e! #oints 

ifference "etween 8we"-"rowsing9 as an a##lication t!#e and #ort 0 as a sorce #ort



A##lications cange witin a single session



A##lication de#endenc! conce#t


Page 36

Failure to +lock (nfected Files %e firewall is s##osed to "e configred to "lock all anti$irs, work, and $irs downloads. %e =I&A@ test file from eicar.org can crrentl! "e do wnloaded, wic is against #olic!. 1. =amine te traffic logs 2. =amine te Secrit! #olicies carefll! '. =amine te Secrit! Profiles

Troubleshoot a Proble' with !ser9(D Eor legac! *ser-I agent as "een ninstalled Dand is crrentl! misconfigred an!wa!H, and !or integrated agent configration isnt working rigt now. 1. ind te +AP ser$er configration and correct #ort nm"er sed to connect to te ser$er. %e correct #ort nm"er is '<. 2. As !o re$iew ser acti$it!, !o notice tat te! are associated wit te management interface of te stdent P& rater tan te network address Dnetwork IP address wit mask in &I@ formatH a. 5ecase te stdents ser I is not ma##ed to te inside interface, te stdent tat "rowses te we" from te deskto# will not "e identified. ". A Secrit! #olic! is configred tat will onl! allow traffic from stdent01 to go to ace"ook. %e stdent will not "e a"le to access ace"ook ntil te firewall can identif! im or er. '. An Atentication #olic! will correct tis #ro"lem and #ro#erl! ma# te sers to te network address. Note: %e mlti-omed ost isse Dif it occrsH is not common. %ere are soltions to el# address tis sitation.

)el#fl &+I commands for determining weter *ser-I ma##ing and oter fnctions are working as e#ected are as follows > show user ip-user-mapping all > show user user-id-agent statistics > show user user-id-ser0ice status

*hy %o'e *eb Pages Are Ti'ing "ut *sers com#lain tat te! cannot $iew certain we"#ages "ecase of timeots. %ese sers are attem#ting to access natoriLed we"sites. Im#lement a soltion to inform all sers attem#ting to access tese natoriLed sites tat tese sites a$e "een restricted "! cor#orate #olic!


Page 37

1. %e a##lication "lock #age needs to "e ena"led for te ser to see tat te a##lication as "een "locked. 2. +ook at te ot#t of te show log traffic action eual den( command to see te a##lication denies. '. *se te ' set shared response-page application-block-page <0alue> command to add )%:+, in "ase6 format, for a cstom #age.

Create and 6eview a )ideo %trea' Packet Capture Stream a $ideo from !or stdent P&. %en $iew and clear te s!stem conters. 1. 5efore !o stream te $ideo, make sre tat te Secrit! #olic! rle will allow $ideos from te site tat !o will se. or eam#le, if !o want to se Eo%"e, add te a##lications Eo%"e and google-"ase. Also, ena"le +og at Session Start in te a##ro#riate Secrit! #olic! rle. 2. *se show session to dis#la! session information. *se show session all to sow all crrent sessions. *se show session id "id% to dis#la! detailed information a"ot an indi$idal session. *se show session info to dis#la! oter session statistics. '. Perform a #acket ca#tre and eamine te #ackets to $alidate tat te firewall correctl! ca#tred all te e#ected data. =#ort te #ca# file to te stdent P& and dis#la! te data in 4iresark. 6. is#la! conters wit te show counter command. +ook at te interface and glo"al conters. (. ilters on te glo"al conters can el# restrict data to "e $iewed. *se te show counter global filter delta (es command to #ro$ide a $iew tat sows

onl! $ale canges since te last $iewing. . :lti#le ste#s ma! "e reGired to #ro#erl! #erform te #acket ca#tre > debug dataplane packet-diag set filter match DO#tional, "t recommendedH > debug dataplane packet-diag set filter on DO#tional, "t recommendedH > debug dataplane packet-diag set capture stage "stage% file "filename% > debug dataplane packet-diag set capture on

Eo can dis#la! ca#tres sing te > 0iew-pcap filter-pcap "filename% command


Page 38

EDU 311 80a Student Lab Guide_08

Recommend Documents