ULTIMATE TEST DRIVE Next-Generation Firewall (NGFW)
Workshop Guide PAN-OS 8.0
UTD-NGFW 3.3
2017
Palo Alto Networks, Inc. | Confidential and Proprietary
Last Update: 20170317
Table of Contents
How to use this guide ... 4
Activity 0 – Login to the UTD Workshop ... 5
    Task 1 – Log in to your Ultimate Test Drive class environment ... 5
    Task 2 – Login to the student desktop ... 6
    Task 3 – Login to the UTD virtual firewall ... 9
Activity 1 – Granular control on Social Media and Enabling Sanctioned SaaS Applications ... 11
    Task 1 – Check connectivity to Facebook ... 11
    Task 2 – Enable Facebook Application ... 12
    Task 2a (Optional) – Enable Facebook Application by Function ... 13
    Task 3 – Review traffic logs ... 14
    Task 4 – Enable Sanctioned SaaS Applications ... 15
Activity 2 – Controlling Evasive Applications ... 16
    Task 1 – Attempt to use a non-approved web application ... 16
    Task 2 – Attempt to use an anonymizer site ... 16
    Task 3 – Attempt to download and install evasive application ... 16
    Task 4 – Review URL log ... 17
Activity 3 – Applications on Non-standard Ports ... 20
    Task 1 – Create a new security policy ... 20
    Task 2 – Check application connectivity ... 21
    Task 3 – Modify Security Policy ... 22
    Task 4 – Re-check applications on non-standard ports ... 22
Activity 4 – Decryption ... 23
    Task 0 – Check connectivity to lab web server ... 23
    Task 1 – Download test ... 23
    Task 2 – Add a new decryption policy ... 24
    Task 3 – Retest secure download ... 25
    Task 4 – Review traffic logs ... 25
Activity 5 – Modern Malware Protection ... 27
    Task 1 – Review default WildFire analysis profile ... 27
    Task 2 – Enable WildFire analysis on a security policy ... 27
    Task 3 – Test WildFire modern malware protection ... 28
    Task 4 – WildFire portal review ... 28
    Task 5 – Review the WildFire analysis results ... 29
Activity 6 – URL Filtering ... 31
    Task 0 – Check connectivity ... 31
    Task 1 – Modify URL Filtering ... 31
    Task 2 – Apply URL Filtering to the security policy ... 32
    Task 3 – Review URL Filtering logs ... 33
Activity 7 – GlobalProtect: Safely Enable Mobile Devices ... 34
    Task 1 – Identify the GlobalProtect Gateway URL ... 34
    Task 2 – Complete the GlobalProtect Gateway configuration ... 35
    Task 3 – Log into GlobalProtect from the Mobile PC (GlobalProtect) ... 37
    Task 4 – Review traffic on the VM-Series firewall ... 38
Activity 8 – Control Application Usage with User-ID ... 40
    Task 1 – Validate access to SSH server ... 40
    Task 2 – Enable applications based on User-ID ... 41
    Task 3 – Confirm access with User-ID ... 41
Activity 9 – Clientless VPN ... 44
    Task 1 – Identify the Clientless VPN Gateway Hostname ... 44
    Task 2 – Configure Clientless VPN ... 45
    Task 3 – Test the Clientless VPN access from Mobile PC ... 47
    Task 4 – Verify the log file entries on the firewall ... 48
Activity 10 – ACC and Custom Reports ... 49
    Task 1 – Review Application Command Center (ACC) ... 49
    Task 2 – SaaS Application Usage Report ... 52
    Task 3 – Setting up a custom report ... 53
    Task 4 – What’s new in PAN-OS 8.0 ... 54
Activity 11 – Feedback on Ultimate Test Drive ... 55
    Task 1 – Take the online survey ... 55
Appendix 1: Alternative Login Methods to Student Desktop ... 56
    Login to the student desktop using Java Console (Java client required) ... 56
Appendix 2: Support for Non-U.S. Keyboards ... 58
    Add a new international keyboard ... 58
    Use the on-screen keyboard ... 59
How to use this guide
The activities outlined in this Ultimate Test Drive (UTD) Workshop Guide are meant to contain all the information necessary to navigate the workshop interface, complete the workshop activities, and troubleshoot any potential issues with the UTD environment. This guide is meant to be used in conjunction with the information and guidance provided by your facilitator.
Once these activities are completed, you should be able to:
1. Navigate the Palo Alto Networks GUI
2. Review portions of the firewall configuration
3. Change the configuration to affect the behavior of traffic across the firewall
This workshop covers only basic topics and is not a substitute for the training classes conducted by Palo Alto Networks Authorized Training Centers (ATC). Please contact your partner or regional sales manager for more training information.
Terminology
Tab refers to the seven tabs along the top of each screen in the GUI.
Node refers to the options associated with each Tab, found in the left-hand column of each screen.
Note: Unless specified, the Google® Chrome™ web browser will be used to perform any tasks outlined in the following activities (Chrome is pre-installed on the student desktop of the workshop PC).
Activity 0 – Login to the UTD Workshop
In this activity you will:
• Log in to the Ultimate Test Drive Workshop from your laptop
• Understand the layout of the environment and its various components
• Enable the Firewall to facilitate connectivity
Task 1 – Log in to your Ultimate Test Drive class environment
Step 1: First, make sure your laptop is installed with a modern browser that supports HTML 5.0. We recommend using the latest version of Firefox®, Chrome or Internet Explorer. We also recommend you install the latest Java® client for your browser.
Step 2: Go to the class URL. Enter your email address and the passphrase (if you have an invitation email, you can find the class URL and passphrase in the invitation email; otherwise the instructor will provide you with the class URL and passphrase).
Step 3: Complete the registration form and click “Register and Login” at the bottom.
Step 4: Depending on your browser, you will be asked to install a plugin. Please click “Yes” to allow the plugin to be installed, then continue the login process.
Step 5: Once you log in, the environment will be created automatically for you. When you see the “Environment is ready” message in the upper left-hand corner, all the virtual machines are booted up and ready for use.
The UTD NGFW lab environment consists of many VMs: a “Student Desktop,” “Mobile PC,” “VM-Series Virtual Firewall,” “Linux Server” and more. You will start the lab by accessing the “Student Desktop.”
Task 2 – Login to the student desktop
Step 1: Click on the “Student Desktop” tab to connect to the student desktop.
Step 2: You will be connected to the student desktop through your browser.
Step 3: To expand the student desktop window inside the browser, you can use the “Fullscreen RDP” option.
To exit the full-screen mode, click the black arrow at the top of the window to open the dropdown menu, then click “Exit.”
Step 5: If the student desktop resolution is too high or too low for your laptop display, you can adjust it in the upper right-hand corner of the window.
Note: The default connection to the student desktop uses an RDP over HTML5 protocol through the browser. In case your browser does not support HTML5 or you find that the student desktop is too small to use in the browser, please refer to Appendix 1: Alternative Login Methods to connect to the student desktop using the Java client.
Optional Step 6: If you encounter connection issues with the student desktop, click “Reconnect” to re-establish the connection.
Optional Step 7: If reconnection to the student desktop is unsuccessful, please verify your laptop connectivity using the following link. [Note that a Java client is required on your browser for this test site to function.] https://use.cloudshare.com/test.mvc This test site will validate the RDP-based and Java-based connections to your browser. Click “Allow” to allow the Java applet to be installed and run on your browser.
Optional Step 8: If the connectivity test passed, please close the browser and retry from Task 1, Step 1. If the connectivity test failed, please inform the instructor and ask for further assistance.
Task 3 – Login to the UTD virtual firewall
Step 1: Click the “UTD-NGFW-PAVM” bookmark in the Chrome browser, then log in to the firewall using the following name and password:
Name: student
Password: utd135
Step 2: You are now logged in to the firewall. Take a look at the welcome page to see some of the features introduced in the latest release of PAN-OS. Click “Close” to close the welcome page.
Step 3: Open a new tab in the Chrome browser window and confirm Internet connectivity by selecting CNN from the Labs – Bookmark > Activity-0 folder.
Step 4: Here is a quick look at how the student desktop and the virtual firewall are connected:
End of Activity 0
Activity 1 – Granular control on Social Media and Enabling Sanctioned SaaS Applications
Background: Every organization is trying to determine how to appropriately control social media and SaaS (Software as a Service) applications. Allowing them all is highly risky, while blocking them all can cripple the business. Policy considerations, including who can use which social media channels and SaaS applications, require a granular level of control at the firewall.
PAN-OS® features to be used:
• App-ID™ and function control.
• Logging and reporting for verification.
In this activity you will:
• Modify the existing firewall configuration to control the behavior of the Facebook application.
• Review Traffic logs to confirm activity.
Task 1 – Check connectivity to Facebook
Step 1: On your session desktop, open a browser and select www.facebook.com from the Lab – Bookmarks folder > Activity-1 folder.
• Question: What appears in the browser window?
• Answer: You should get blocked and see a screen that looks like this:
Step 2: On the firewall GUI, click on the “Monitor” tab and the “Traffic” node under “Logs” to review the traffic logs and understand why Facebook is being blocked. In the search bar, enter “(subtype eq deny)” then click “Apply filter” to filter by deny policies; you should see that the “facebook-base” application is not allowed by default. You will enable the Facebook application in the next task. Click “Clear Filter” to remove the filter and see all the logs.
Task 2 – Enable Facebook Application
Step 1: On the firewall GUI, click the “Policies” tab, then click the “Security” node.
Step 2: Highlight the rule #1, named “UTD-Policy-00” (currently greyed out).
Step 3: Click “Enable” in the bottom bar of the GUI. You can see below that the rule is enabled (change of color).
Step 4: Double click on “UTD-Policy-00” to open up the policy details window, then go to the “Application” and “Actions” tabs to confirm the policy is configured to allow the Facebook application. Click “OK” to close the policy window.
Step 5: Click “Commit” in the upper right-hand corner of the GUI.
Step 6: Click “Commit All Changes” in the pop-up window.
Step 7: Click “Close” in the pop-up window once the commit has completed.
Step 8: Open a new browser tab and select www.facebook.com from the Lab – Bookmarks > Activity-1 folder.
You may get a warning message; you can ignore this. You should now be able to access www.facebook.com.
Task 2a (Optional) – Enable Facebook Application by Function
Note: Optional Task – the task below requires the use of your Facebook account. If you do not wish to log into your account in this lab environment or you do not have a Facebook account, you can skip to the next task. The Ultimate Test Drive lab environment is deleted at the end of the lab.
Step 1: Log in to your own Facebook account.
Step 2: Open a new tab and select Candy Crush FB from the Lab – Bookmarks > Activity-1 folder and verify you can use it.
Step 3: Create a new post on your timeline. Set the visibility to “only me,” so it will not change your timeline. Send a message via chat to a friend.
Step 4: Click the rule name “UTD-Policy-00.” A “Security Policy Rule” pop-up will appear; click on the Application tab, and delete Facebook.
Step 5: Add a new application: start typing facebook-posting and select it. Click OK and close the Policy pop-up.
Step 6: Click “Commit” in the upper right-hand corner of the GUI.
Step 7: Click “Commit All Changes” in the pop-up window.
Step 8: Go to Facebook and create a new post, also try to go to Candy Crush again, and send a message via the chat window. What are the results? You should be blocked from Candy Crush and from private chat. You should be allowed to post to Facebook.
Step 9: Log out of Facebook.
Task 3 – Review traffic logs
Step 1: Click the “Monitor” tab. The “Traffic” node (under the “Logs” section) will be selected.
Step 2: Type the search string into the query box (directly above the “Receive Time” column):
(app eq facebook)
Then hit the “Enter” key or click the icon.
Questions:
• What was the action associated with the log entries?
• What was the port number associated with the log entries?
Task 4 – Enable Sanctioned SaaS Applications
The need for business efficiency and flexibility is driving the use of SaaS applications in many organizations. Palo Alto Networks Next-Generation Firewall with App-ID provides industry-leading granular control to and from SaaS applications. We will show you how to enable a selected set of sanctioned SaaS applications.
Step 1: Go to “Application Groups” in the “Objects” tab, then select “Sanctioned-SaaS-Apps” and review the SaaS applications in this application group.
Step 2: Add “ms-office365” to this application group by clicking the “Add” icon, then select “ms-office365.” Click “OK” to close the application-group window.
Step 3: Go back to the security rule “UTD-Policy-00,” and then add the “Sanctioned-SaaS-Apps” application group to the policy. On the same tab, delete facebook-posting. Click “OK” to close the policy window.
Step 4: Click “Commit” to commit the changes. In one policy, you have enabled basic Facebook applications and a group of sanctioned SaaS applications. Enabling a group of SaaS applications will allow us to see a more interesting SaaS application usage report in a later lab activity.
Step 5: In your browser, right click the SAAS bookmark folder in “Lab – Bookmarks > Activity-1,” select “open all bookmarks,” let the pages load (or fail) and close the tabs again.
End of Activity 1
Activity 2 – Controlling Evasive Applications
Background: Evasive applications are found on almost every network. Some are purposely evasive, making every effort to hide and avoid controls. Examples include anonymizers, Tor and P2P. Policy considerations for controlling evasive applications include protection from RIAA threats, data loss (inadvertent or otherwise) and malware propagation.
PAN-OS features to be used:
• App-ID and URL Filtering to prevent evasive applications.
• Logging and reporting for verification.
In this activity you will:
• Use App-ID and URL Filtering to control proxy sites.
• Review the logs.
Task 1 – Attempt to use a non-approved web application
Step 1: Open a new browser tab and select Google Drive from the Lab – Bookmarks > Activity-2 folder.
• You should not be able to go to Google Drive.
The Google Drive web application is not explicitly allowed by the firewall, so it is blocked. To bypass the firewall, some users may try to use an anonymizer site.
Task 2 – Attempt to use an anonymizer site
Step 1: Open a new browser window and select one of these anonymizer sites from the Lab – Bookmarks > Activity-2 folder: “Proxify.com,” “Anonymouse.org” or “Hide My Ass!”.
Step 2: You should see the anonymizer site being blocked by URL Filtering.
Task 3 – Attempt to download and install evasive application
Step 1: To circumvent the firewall, some users may try to download and install an evasive application, such as Tor.
Step 2: Attempt to download the Tor browser from the Tor project website from the Lab – Bookmarks > Activity-2 folder. You should see that it also has been blocked.
Task 4 – Review URL log
Visibility is the key to building and maintaining a secure policy. Explore the possibilities to work with the log files.
Questions:
• Can you determine which policy is blocking Google Drive?
• Can you determine which policy is blocking the anonymizer sites?
• Which application is used to access the anonymizer sites?
• Which application is used to access Tor download sites?
Step 1: Click the “Monitor” tab, then the “Unified” node under the “Logs” section.
Step 2: Click the green plus for “Add Filter” in the upper right corner.
Step 3: Select Category > equal > proxy-avoidance-and-anonymizers and click “Add” without closing.
Step 4: Select Connector “or” > Application > equal > google-drive-web and click “Add” without closing.
Step 5: Select Connector “or” > URL > contains > enter the value “mouse” without quotes and click “Add” and “Close.”
This is what you should see in the query bar:
(app eq google-drive-web) or (category eq proxy-avoidance-and-anonymizers) or (url contains mouse)
Hit the “Enter” key or click the icon.
Note: You can also save your filter and load it again later.
What do you see in the column Log Type?
Questions:
• Can you determine which policy is blocking Google Drive?
• Can you determine which policy is blocking the anonymizer sites?
• Which application is used to access the anonymizer sites?
• Which application is used to access Tor download sites?
Step 6: Click on the magnifier icon on the left side of a log entry and explore the details.
Step 7: Click the “Monitor” tab, then the “URL Filtering” node under the “Logs” section.
Step 8: You can click any entry under the “URL” column and it will automatically enter the filtering string in the search bar. For example: “(category eq proxy-avoidance-and-anonymizers)”
Step 9: Click the “Monitor” tab, then the “Traffic” node under the “Logs” section.
Step 10: Click on an “allow” in the Action column, go to the query bar and add “!” in front of the parentheses; it should look like this: “!(action eq allow)”
This negates the filter and displays everything that does not match the action allow.
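The filter strings used in Activities 1 and 2 ((subtype eq deny), (app eq facebook), the three-term “or” filter above and the negated !(action eq allow)) follow one small grammar; the evaluator below is an added example, not Palo Alto Networks code, that re-implements that grammar over constructed sample log records so you can check offline which entries a given filter would show. One caveat it does not model: on the firewall, (app eq facebook) also matches member apps such as facebook-base because facebook is a container app, whereas this string-only evaluator needs (app contains facebook) for that; the rule names other than UTD-Policy-00 and Allow-IT-apps in the sample data are placeholders.

```python
"""Evaluator for the PAN-OS log-viewer filter strings used in this guide.

Added example, not Palo Alto Networks code. Supported: parenthesised
"field op value" conditions with eq / neq / contains, "and" / "or"
connectors, "!" negation and nested parentheses. Records are constructed.
"""
import re


def _rec(rid, ltype, subtype, app, action, rule, port, category="", url=""):
    return {"id": rid, "type": ltype, "subtype": subtype, "app": app,
            "action": action, "rule": rule, "port.dst": port,
            "category": category, "url": url}


# Constructed sample records modelled on the Unified log columns the guide
# walks through. "interzone-default" is the PAN-OS built-in inter-zone deny
# rule; "URL-Block-Rule" is a placeholder name for the URL-filtering rule.
SAMPLE_LOGS = [
    _rec(1, "traffic", "deny", "facebook-base", "deny", "interzone-default", 443),
    _rec(2, "traffic", "end", "facebook-base", "allow", "UTD-Policy-00", 443),
    _rec(3, "traffic", "deny", "google-drive-web", "deny", "interzone-default", 443),
    _rec(4, "url", "url", "web-browsing", "block-url", "URL-Block-Rule", 80,
         "proxy-avoidance-and-anonymizers", "anonymouse.org/"),
    _rec(5, "url", "url", "ssl", "block-url", "URL-Block-Rule", 443,
         "proxy-avoidance-and-anonymizers", "proxify.com/"),
    _rec(6, "traffic", "end", "ssh", "allow", "Allow-IT-apps", 22),
    _rec(7, "traffic", "end", "ssh", "allow", "Allow-IT-apps", 443),
]


def parse_query(query):
    """Compile a filter string into a predicate: record -> bool."""
    tokens = re.findall(r"[()!]|[^\s()!]+", query)   # parens, '!' and words
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok.lower() != expected):
            raise ValueError(f"expected {expected!r} at token {pos} in {query!r}")
        pos += 1
        return tok

    def condition():
        # "( field op value )": the "(" was already consumed by factor()
        field, op, value = take(), take().lower(), take().strip("'\"")
        take(")")
        if op == "eq":
            return lambda r: str(r.get(field, "")) == value
        if op == "neq":
            return lambda r: str(r.get(field, "")) != value
        if op == "contains":
            return lambda r: value in str(r.get(field, ""))
        raise ValueError(f"unsupported operator {op!r} in {query!r}")

    def factor():
        tok = take()
        if tok == "!":                      # negation, e.g. !( action eq allow )
            inner = factor()
            return lambda r: not inner(r)
        if tok != "(":
            raise ValueError(f"unexpected token {tok!r} in {query!r}")
        if peek() in ("(", "!"):            # grouped sub-expression
            inner = expression()
            take(")")
            return inner
        return condition()

    def conjunction():                      # "and" binds tighter than "or"
        parts = [factor()]
        while peek() is not None and peek().lower() == "and":
            take()
            parts.append(factor())
        return lambda r: all(p(r) for p in parts)

    def expression():
        parts = [conjunction()]
        while peek() is not None and peek().lower() == "or":
            take()
            parts.append(conjunction())
        return lambda r: any(p(r) for p in parts)

    pred = expression()
    if peek() is not None:
        raise ValueError(f"trailing tokens after position {pos} in {query!r}")
    return pred


def filter_logs(query, logs=SAMPLE_LOGS):
    """Return the ids of the records the log viewer would show for this filter."""
    pred = parse_query(query)
    return [r["id"] for r in logs if pred(r)]
```

The last query in the examples below uses port.dst, the log field for the destination port, which answers the “what query string did you type” question of Activity 3.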
End of Activity 2
Activity 3 – Applications on Non-standard Ports
Background: Many applications can use, either by default or through user control, a non-standard port. Oftentimes, the use of non-standard ports is done as a means of evading controls. Tech-savvy users are accessing their home PCs from work by directing SSH to a non-standard port in order to bypass corporate firewalls. This activity will show you how to allow applications to run only on the standard port and prevent the same applications from running on any non-standard port.
PAN-OS features to be used:
• Logging and reporting to show SSH, RDP and Telnet on non-standard ports.
• App-ID, groups function and service (port).
• Logging and reporting for verification.
In this activity you will:
• Add a new security policy for the IT organization.
• Re-order the policies.
Task 1 – Create a new security policy
Step 1: Click the “Policies” tab, then the “Security” node.
Step 2: Click “Add” in the lower left-hand corner.
Step 3: Name the policy “Allow-IT-apps” then select “Activity3” for Tags using the drop-down list.
Step 4: Click the “Source” tab.
Step 5: Click “Add” in the “Source Zone” box, then select “Trust.”
Step 6: Click the “Destination” tab. Click “Add” in the “Destination Zone” box, then select “Untrust.”
Step 7: Click the “Application” tab, then click “Add.” Type “IT-apps,” then select it.
Step 8: Click the “Service/URL Category” tab, then click the drop-down menu above “Service;” change the default setting from “Application Default” to “Any,” then click “OK”.
Step 9: Click the “Action” tab. Check that the action is set to “Allow,” then click “OK.”
Step 10: Click and drag the policy “Allow-IT-apps” above the “UTD-Policy-04” rule.
Step 11: Click “Commit” in the upper right-hand corner of the web browser.
Step 12: Click “Commit All Changes” in the pop-up window.
Step 13: Click “Close” once the commit has completed.
Step 14: “IT-apps” is a predefined application group that includes SSH, MS-RDP and other applications. Go to the “Objects” tab and “Application Groups” node to review which applications are included in this application group.
There are some industry-specific application groups that were created to highlight some of the common applications used in those industries. Review those application groups to learn about the applications that are supported by the Palo Alto Networks Next-Generation Firewall for the specific industries.
Task 2 – Check application connectivity
Step 1: Use the PuTTY application on the desktop.
Step 2: Load the SSH server (standard port 22) profile and SSH to the “SSH-Server” (172.16.1.101) using the standard port 22. Log in with:
Login: student
Password: utd135
Question:
• Can you log in?
• Yes – you should be able to log in.
Step 3: Close the SSH session. Load the SSH server again (172.16.1.101) using the non-standard port 443.
Question:
• Can you log in using the non-standard port?
• Yes – you should be able to log in.
Step 4: Close the PuTTY application. Click the “Monitor” tab, then click the “Traffic” log on the firewall GUI.
Step 5: Search for application SSH on port 22 or 443.
Questions:
• What query string did you type into the search box?
• Was the application allowed?
Task 3 – Modify Security Policy
Step 1: Click the “Policies” tab, then click “Security.”
Step 2: Click the “Allow-IT-apps” security policy created in Task 1.
Step 3: Click the “Service/URL Category” tab, then click the drop-down menu above “Service.” Change “Any” to “Application Default,” then click “OK” (the “Application Default” option only allows applications over their default port and protocol; it prevents applications from running on a non-standard port or protocol).
Step 4: Click “Commit” in the upper right-hand corner of the web browser.
Step 5: Click “Commit All Changes” in the pop-up window.
Step 6: Click “Close” once the commit has completed.
Task 4 – Re-check applications on non-standard ports
Step 1: Use the PuTTY application on the student desktop.
Step 2: SSH to 172.16.1.101 again on port 443 using PuTTY. Did you get a login prompt?
• You should not get the login prompt this time.
Step 3: Close the PuTTY application and click the “Monitor” tab, then click the “Traffic” log on the firewall GUI.
Step 4: Search for application SSH on port 443.
Questions:
• What query string did you type into the search box?
• Was the application allowed?
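The behaviour observed across Tasks 1 to 4 (SSH on port 443 allowed while the Service is “Any,” refused once it is “Application Default,” and the need to drag “Allow-IT-apps” above “UTD-Policy-04”) comes down to top-down first-match rule evaluation plus the application-default port check. The model below is an added example, not Palo Alto Networks code: the IT-apps membership, the standard ports and the contents of UTD-Policy-04 (assumed here to be a broad deny rule) are assumptions made for the example, since the guide does not list them.

```python
"""First-match security-policy evaluation for the Activity 3 scenario.

Added example, not Palo Alto Networks code. IT-apps membership, the
application-default ports and the contents of UTD-Policy-04 are assumed.
"""
from dataclasses import dataclass

# Assumed application-default ports for the members of IT-apps.
STANDARD_PORTS = {"ssh": {("tcp", 22)}, "ms-rdp": {("tcp", 3389)},
                  "telnet": {("tcp", 23)}}
APP_GROUPS = {"IT-apps": {"ssh", "ms-rdp", "telnet"}}


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    applications: set   # application or application-group names, or {"any"}
    service: str        # "any" or "application-default"
    action: str         # "allow" or "deny"


@dataclass
class Session:
    from_zone: str
    to_zone: str
    app: str            # the App-ID identified on the session
    protocol: str
    dst_port: int


def expand_apps(names):
    """Replace application-group names with their member applications."""
    apps = set()
    for name in names:
        apps |= APP_GROUPS.get(name, {name})
    return apps


def rule_matches(rule, s):
    if rule.from_zone not in ("any", s.from_zone):
        return False
    if rule.to_zone not in ("any", s.to_zone):
        return False
    apps = expand_apps(rule.applications)
    if "any" not in apps and s.app not in apps:
        return False
    if rule.service == "application-default":
        # only the application's standard port/protocol is accepted
        return (s.protocol, s.dst_port) in STANDARD_PORTS.get(s.app, set())
    return True                         # service "any": port is not checked


def evaluate(rulebase, s):
    """Return (rule name, action) of the first rule that matches, top-down."""
    for rule in rulebase:
        if rule_matches(rule, s):
            return rule.name, rule.action
    return "interzone-default", "deny"  # PAN-OS implicit inter-zone default


def build_rulebase(it_service, it_apps_first=True):
    """Lab rulebase after Task 1 (it_service="any") or Task 3
    (it_service="application-default"); it_apps_first=False models the
    order before Step 10. UTD-Policy-04 is assumed to be a broad deny."""
    allow_it = Rule("Allow-IT-apps", "Trust", "Untrust", {"IT-apps"},
                    it_service, "allow")
    policy_04 = Rule("UTD-Policy-04", "Trust", "Untrust", {"any"},
                     "any", "deny")
    return [allow_it, policy_04] if it_apps_first else [policy_04, allow_it]


# The sessions from Task 2 / Task 4: SSH to the lab server on 22 and on 443.
SSH_22 = Session("Trust", "Untrust", "ssh", "tcp", 22)
SSH_443 = Session("Trust", "Untrust", "ssh", "tcp", 443)
```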
End of Activity 3
Activity 4 – Decryption
Background: More and more traffic is being encrypted with SSL by default. This makes it difficult to allow and scan that traffic, yet blindly allowing it is very risky. Policy-based SSL decryption allows you to decrypt applications, apply security policy, then re-encrypt and send the traffic to its final destination. Policy considerations include which applications or web traffic to decrypt and then applying the appropriate protection to prevent malware propagation and data/file transfers.
PAN-OS features to be used:
• Decryption policy.
• Logging and reporting for verification.
In this activity you will:
• Add a new decryption policy to decrypt SSL traffic.
Task 0 – Check connectivity to lab web server
Step 1: On your desktop, open a browser and select “UTD Lab Web Server” from the Lab – Bookmarks > Activity-4 folder.
Task 1 – Download test
This website looks like a legitimate lab web server. Let’s download a file from this site and see if the site is working.
Step 1: Download the Apache configuration file, under the “Configuration Overview” tab, by clicking the “here” hyperlink.
Step 2: Are you able to download the configuration file? The download should fail because the file is infected and the antivirus inspection has stopped the download.
Step 3: Try to download the full manual from the “manual” link. Are you able to download the manual file? The download should fail because the file is infected and the antivirus inspection has stopped the download.
Step 4: Mouse over the “Configuration file (secure download)” hyperlink; notice that the download is using “https://” instead of “http://”. Click the hyperlink to download the file. Are you able to download the configuration file? The download should succeed because the session is encrypted and the firewall cannot inspect its content. The browser will open the file and show you the content.
Task 2 – Add a new decryption policy
We will create a decryption policy that decrypts web traffic going to an unknown site.
Step 1: Go to the firewall management GUI, click the “Policies” tab, then click the “Decryption” node.
Step 2: Click “Add” in the lower left-hand corner.
Step 3: In the “Decryption Policy Rule” pop-up, name the policy “UTD-Decryption-02,” then select “Activity4” under “Tags.”
Step 4: Click the “Source” tab.
Step 5: Click “Add” in the box labeled “Source Zone.” Then select “Trust.”
Step 6: Click the “Destination” tab.
Step 7: Click “Add” in the box labeled “Destination Zone.” Then select “Untrust.”
Step 8: In the “Service/URL Category” tab, add “Unknown” under the URL Category.
Step 9: Click the “Options” tab, then select “decrypt” for “Action.” Leave the “Type” selection as “SSL Forward Proxy,” then select “default” for the “Decryption Profile.”
Step 10: Click “OK.”
Step 11: Click “Commit” (in the upper right-hand corner of the web browser).
Step 12: Click “Commit All Changes” in the pop-up window.
Step 13: Click “Close” once the commit has completed.
Task 3 – Retest secure download
Step 1: In the browser, go back to the UTD lab web server, then click the “Configuration file (secure download)” link again. You will need to click “Yes” on the certificate-error prompt to continue with the download. (The prompt appears because the browser does not trust the forward-proxy certificate the firewall now presents in place of the server’s own certificate.)
Step 2: Are you able to download through the secure download? The download should fail because the file is infected and the antivirus inspection can now stop the download after the session is decrypted.
Task 4 – Review traffic logs
Step 1: Click the “Monitor” tab, then go to the “Threat” node under the “Logs” section.
Step 2: Select the latest entry in the “Threat” log, then click the Details icon next to the log entry to view the log details. Notice that under the “Flags” category there is a checkmark to indicate that this particular session is decrypted.
End of Activity 4
Activity 5 – Modern Malware Protection
Background: Modern malware is at the heart of many of today's most sophisticated network attacks and is increasingly customized to avoid traditional security solutions. WildFire™ exposes targeted and unknown malware through direct observation in a virtual environment, while the Next-Generation Firewall ensures full visibility and control of all traffic, including tunneled, evasive, encrypted and even unknown traffic. Policy considerations include which applications to apply to the WildFire file blocking/upload profile.
PAN-OS features to be used:
• Profiles: virus, spyware, file blocking, and WildFire.
• WildFire portal.
• Logging and reporting for verification.
In this activity you will:
• Review the existing WildFire analysis profile.
• Add the WildFire Analysis profile to an existing security policy.
Task 1 – Review default WildFire analysis profile
Step 1: Click the “Objects” tab, then click the “WildFire Analysis” node (found under “Security Profiles”).
Step 2: Click the Profile name “Default,” then review the default WildFire analysis profile. Notice that the default profile sends any file types from any applications to the WildFire public cloud service.
Note: The WildFire analysis profile provides the option to enable a hybrid deployment (public cloud and private cloud). A WildFire hybrid deployment lets you address privacy or regulatory concerns by selecting between public-cloud or private-cloud analysis (using a WF-500) based on security rules and content sensitivity. A Palo Alto Networks firewall can forward unknown files and email links to the WildFire public global cloud or to one of two WildFire regional clouds (Europe and Japan) that Palo Alto Networks owns and maintains. In this lab, we will use the default profile and send unknown files to the WildFire public global cloud for analysis.
Step 3: Click “Cancel” to close the WildFire analysis profile.
Task 2 – Enable WildFire analysis on a security policy
Step 1: Click the “Policies” tab, then click the “Security” node.
Step 2: Click the rule name “UTD-Policy-01.” A “Security Policy Rule” pop-up will appear.
Step 3: Click the “Actions” tab within the pop-up.
Step 4: In the “Profile Setting” section, select the drop-down menu next to “WildFire Analysis.”
Step 5: Select “Default.”
Step 6: Click “OK.”
Step 7: Click “Commit” in the upper right-hand corner of the web browser.
Step 8: Click “Commit All Changes” in the pop-up window.
Step 9: Click “Close” once the commit has completed.
Task 3 – Test WildFire modern malware protection
Step 1: To download a WildFire test file, open the browser and enter the following in the address bar, or click the bookmark “WildFire Test File.” [Note: Ignore the Chrome browser warning message for downloading an .exe file by clicking the “Keep” button.]
http://wildfire.paloaltonetworks.com/publicapi/test/pe
Repeat the download a few times. Each file is different and will trigger a new upload to the WildFire Cloud.
Step 2: The browser will automatically download a “wildfire-test-pe-file.exe” sample file. Check your “Download” folder to confirm the download. [Note that this sample changes every time it is downloaded and it should bypass most antivirus scans.]
Task 4 – WildFire portal review
Step 1: Use the “WildFire Portal” bookmark to go to the login page (or enter the URL: http://wildfire.paloaltonetworks.com).
Step 2: Log in using the following credentials:
Username: [email protected]
Password: utd135
Step 3: In the portal, click the “Reports” tab. You will see a summary of all the files that have been submitted for analysis. You can review the WildFire analysis report by clicking the report icon on the left-hand side of the entry. A WildFire account can manage multiple Palo Alto Networks firewalls. (Note: In this lab environment, there is only one firewall managed by this account.)
Step 4: You can also upload suspicious files manually for analysis using “Upload Sample”; click the “Upload Sample” tab at the top of the page to review the various upload options.
Task 5 – Review the WildFire analysis results
Step 1: To view the sample file that has been sent to WildFire, go back to the firewall GUI, then click the “Monitor” tab. Click the “WildFire Submissions” node and then review the results returned from the WildFire service.
[Note: It may take about 5-10 mins for the WildFire Submissions log to appear.]
Step 2: When you see the entry, click the “Details” icon next to the top log entry. In the “Log Info” tab, you can view the basic info of the file and the application that carried that file.
Step 3: Click the “WildFire Analysis Report” tab to view the details of the analysis results. Under “WildFire Analysis Summary,” the “Verdict” indicates that the submitted file is malware, and you can download the malware file directly from the “Sample File” tab.
Step 4: Under the “WildFire Analysis Report” tab you can scroll down to see the behavior of the malware when it is run on different operating systems. “Virtual Machine 1” is configured with Microsoft® Windows XP; you can review the behavior and activity of the malware. Click “Virtual Machine 2” to review the malware behavior and activity in Windows 7.
Step 5: Click the “VirusTotal” link under “Coverage Status” on the report, and it will bring you to the VirusTotal home page. Since this malware has never been seen before (the hash changes with each download), VirusTotal will not have any information on this sample.
Step 6: Explore the other features and functions offered in the WildFire Analysis Report, such as downloading the sample file or downloading the WildFire Analysis report as a PDF.
End of Activity 5
Activity 6 – URL Filtering
Application control and URL Filtering complement each other, providing you with the ability to deliver varied levels of control that are appropriate for your security profile. Policy considerations include URL category access; which users can (or cannot) access the URL category; and the prevention of malware propagation.
PAN-OS features to be used:
• URL Filtering category match.
• Logging and reporting for verification.
In this activity you will:
• Modify the behavior of the URL Filtering functionality.
Task 0 – Check connectivity
Step 1: Open a new tab and select Gambling.com from the Lab – Bookmarks > Activity-6 folder (you should be able to open this page).
Task 1 – Modify URL Filtering
Step 1: Go back to the firewall GUI. Click the “Objects” tab, then click the “URL Filtering” node found in the “Security Profiles” section.
Step 2: Click the Profile name “UTD-URL-filter-01.”
Step 3: Search for the “Gambling” category, then change the action from “Alert” to “Continue” in the Site Access column.
Step 4: An explicit block-and-allow list is available in the URL Filtering profile. See the preconfigured example, then click “OK” to save the changes.
Task 2 – Apply URL Filtering to the security policy
Step 1: Click the “Policies” tab, then click the “Security” node.
Step 2: Click the rule “UTD-Policy-01.” A “Security Policy Rule” pop-up will appear.
Step 3: Click the “Actions” tab within the pop-up.
Step 4: In the “Profile Setting” section, select the drop-down menu next to “URL Filtering.”
Step 5: Select “UTD-URL-filter-01,” then click “OK.”
Step 6: Click “Commit” in the upper right-hand corner of the web browser.
Step 7: Click “Commit All Changes” in the pop-up window.
Step 8: Click “Close” once the commit has completed.
Step 9: Open a new browser tab (on the Student Desktop), then select Top Bet from the Lab – Bookmarks > Activity-6 folder. If the cached page appears, use the CTRL + F5 keys to reload the page.
The web page is blocked, but you will have the option to continue to open the page.
Step 10: Click “Continue” to open the web page.
Task 3 – Review URL Filtering logs
Step 1: Click the “Monitor” tab, then click the “URL Filtering” node under the “Logs” section.
Questions:
• What was the action associated with the log entries?
• What was the application associated with the log entries?
End of Activity 6
Activity 7 – GlobalProtect: Safely Enable Mobile Devices
Mobile computing is one of the most disruptive forces in information technology. It is revolutionizing how and where employees work, and the tools they use to perform their jobs. GlobalProtect™ from Palo Alto Networks safely enables mobile devices for business use by providing a unique solution to manage the device, protect the device and control the data.
PAN-OS features to be used:
• GlobalProtect Portal and Gateway.
• GlobalProtect Client Application.
In this activity you will:
• Complete the GlobalProtect Portal configuration in the lab environment to allow GlobalProtect clients to connect to the GlobalProtect Gateway.
• Use the GlobalProtect client application to connect to the GlobalProtect Gateway and verify that the traffic is being protected by the firewall.
Task 1 – Identify the GlobalProtect Gateway URL
Step 1: Locate the public URL for the GlobalProtect Gateway running on VM-Series. This is the URL we will use to configure both the GlobalProtect Gateway and the client. Go to the “Virtual Machines” tab at the top of the page. You will see a list of all the virtual machines used in this lab.
Step 2: Identify the “VM-Series Next-Generation Firewall” virtual machine, then click “More Details.” The external address for the virtual firewall will revert to the public IP address, which you will need to use. [Note that the external address is unique to each lab environment and it is different from what is shown below.]
(Optional) Step 3a: Make note of this external address. Alternatively, you can use “Cloudshare – Clipboard” to copy the text to the VM in the environment. To use “Cloudshare – Clipboard,” click the blue icon next to the URL to copy it to the clipboard. Go back to the student desktop, then click the “Edit Clipboard” button. (If you are using “Fullscreen RDP” you will need to exit to see the “Edit Clipboard” button.)
(Optional) Step 3b: In the clipboard window, right-click, then paste the URL here.
(Optional) Step 3c: Close the clipboard by clicking save in the Cloudshare clipboard. Now you should be able to paste this text in the VM when you right click in any text field. The URL should have a format of “*.vm.cld.sr”.
Note: You may want to paste the URL into a text file on your laptop – it may come in handy later in this activity.
Task 2 – Complete the GlobalProtect Gateway configuration
Step 1: Go back to the student desktop, then log in to the VM-Series firewall web GUI.
Step 2: Go to the “Network” tab at the top of the page, then click the “GlobalProtect” node. Click “Portals.”
Step 3: Click the “UTD-GP-Portal” to open the GlobalProtect Portal configuration window; then click the “Agent” tab on the left-hand side of the window.
Step 4: Click the “UTD-GP-Portal-ClientCfg” in the “Client Configuration” window.
Step 5: In the “Config” window of the “UTD-GP-Portal-ClientCfg,” go to the “External” tab to configure the gateway information that will be provided to the client.
Step 6: In our lab, we will use one external Gateway. We will enter your lab gateway URL for the client. Click the “Address” field under the “External Gateways” tab, then replace the “replace.this.url” with the “External Address URL” from Task 1 of this activity.
Note: If you have completed Optional Step 3 in Task 1, you can right click and paste the URL in the address field.
Step 7: Click “OK” twice to save and commit the configuration changes in the “UTD-GP-Portal.”
Task 3 – Log into GlobalProtect from the Mobile PC (GlobalProtect)
Step 1: Click the “Mobile PC (GlobalProtect)” tab at the top of the page to go to the mobile PC console.
Step 2: Open the Chrome browser and test the Internet connectivity using public websites from the Labs – Bookmarks > Activity-6 folder like CNN or Facebook. You should be able to connect to the internet directly from this device. Note: This device is not sitting behind the VM-Series firewall. You can test this by going to the website (www.gambling.com) that was blocked in Activity 6. You should not see the block page.
Step 3: Start GlobalProtect from the “Start” menu or Desktop.
Step 4: In the GlobalProtect window, on the “Home” tab, enter the GlobalProtect Portal URL. [You can use the “Send Text” feature to cut and paste the external gateway URL in the “Send Text” window, then send it to the GlobalProtect “Settings” window.]
Step 5: In the “Settings” window, enter the following username and password, then copy the external gateway URL from Task 1 of this activity into the “Portal” field. [You can use the “Send Text” feature to cut and paste the external gateway URL in the “Send Text” window, then send it to the GlobalProtect “Settings” window.]
Note: If you encounter connection problems, check to ensure the external gateway URL is entered correctly in the “Portal” field.
(Optional) Step 5a: You can validate the external gateway URL by testing it in a browser with the HTTPS protocol. It will open the “GlobalProtect Portal” page on your gateway. You are not required to log in to this portal.
Step 6: Click “Connect” and enter credentials when prompted.
Username: joe
Password: utd135
Step 6: Once connected, you can see the GlobalProtect welcome page. To verify that GlobalProtect is connected to the Portal, go to the “Details” window in the GlobalProtect application to confirm the “Connected” status.
Step 7: Check your Internet connectivity in the “Mobile PC (w GlobalProtect)” by selecting some web pages from the Labs – Bookmarks folder in the browser. When you try to go to www.gambling.com again, you should see the blocked page from Activity 6.
Step 8: In your browser, right click the SAAS bookmark folder from the Activity-1 folder, select “open all bookmarks”, let the pages load (or fail) and close the tabs again.
Task 4 – Review traffic on the VM-Series firewall
Step 1: To view the “Mobile PC (w GlobalProtect)” VPN connection to the VM-Series firewall, go back to the student desktop, then log in to the VM-Series firewall web GUI.
Step 2: Go to the “Monitor” tab, then to the “Traffic” logs monitor page under the “Logs” node on the left side of the page.
Step 3: Look for traffic logs from the “GP-VPN” zone, where you can see the traffic logs from the “Mobile PC (w GlobalProtect)”. This demonstrates that traffic from the “Mobile PC (w GlobalProtect)” is now protected by the firewall. [Note: the firewall policy, in this case “UTD-Policy-04,” can be modified to safely enable the necessary applications for remote users.]
Step 4: Notice that the username is also visible in the traffic log, indicating that user-based firewall policy can be created based on the user’s login info.
Step 5: Now go to the “Network” tab, then go to the “GlobalProtect” > “Gateway” node.
Step 6: Click the “Remote Users” link under the “Info” column to open the remote users information window.
Step 7: Under the “Current User” tab in the “User Information” window, notice that the GlobalProtect client on the Mobile PC can collect host information such as computer name, operating system used and more.
Note: The host-information profile (HIP) in GlobalProtect provides details about the condition of the mobile laptop, smartphone or tablet, which can be used to make policy decisions about the resources that the device can access. Please talk to your instructor for more information about mobile security management through GlobalProtect.
End of Activity 7
Activity 8 – Control Application Usage with User-ID
Understanding which users are related to which traffic on your network is more useful than just knowing ports and IP addresses. Visibility and reporting based on users is more intuitive, and policies expressed in terms of users (or groups) are a better match for expressing business-relevant security policies. You will create a security policy using User-ID™ in this activity. You must successfully complete Activity 7 before you can continue with this activity.
PAN-OS features to be used:
• Create a security policy using User-ID.
• Use GlobalProtect to validate the security policy.
In this activity you will:
• Create a security policy to enable applications based on User-ID.
• Ensure that access to the application is determined by individual user IDs, even when multiple users log in from the same device.
Task 1 – Validate access to SSH server
Step 1: On the “Mobile PC (GlobalProtect)”, connect to the SSH server used in Activity 3 using ssh. Open the PuTTY application, then load the “SSH server (standard port 22)” from the saved sessions to ssh into 172.16.1.101. Click “Open.” Can you ssh to 172.16.1.101?
You should not be able to ssh to the server.
Step 2: Go back to the firewall GUI on the student desktop. Go to the “Traffic” logs in the “Monitor” tab. You should be able to see that traffic on port 22 was being dropped.
Task 2 – Enable applications based on User-ID
Step 1: We will enable the security policy on the firewall to allow the user “joe” to use the SSH application. Click the “Security” node in the “Policies” tab, then select “UTD-Policy-05”, and click “Enable” to enable the policy. Once enabled, the policy will turn from light grey to blue.
Step 2: Click the policy name to open the policy window, then click on the “User” tab (note that the only user in this policy is “joe”). Then click the “Application” tab. (Note: “Ping” and “SSH” are enabled in this policy.)
You can check the “Application Default” setting in the “Service/URL Category” tab, so SSH can only run on its standard port.
Step 3: Click “Commit” to commit the changes.
Task 3 – Confirm access with User-ID
Step 1: Go back to the mobile PC (and remember that you are logged in as “joe” in the GlobalProtect client). Verify the SSH access to the server on 172.16.1.101 by using:
Login: student
Password: utd135
You should be able to log in to the SSH server now. End the SSH session after you are logged in.
Step 2: Go back to the GlobalProtect client window and:
1. Click on “joe” in the upper right corner of the window. That will open the dialog.
2. And allow you to remove the current credentials.
Step 3: Change the user to “peter” in the “Home” tab (we have set the password for both accounts to utd135, so you don’t need to re-enter the password). Then click “Connect” and “OK” to reconnect to the GlobalProtect Gateway.
Step 4: Now click “Connect” and enter credentials when prompted. This time use
Username: peter
Password: utd135
You will see the Welcome message and “peter” will show in the upper right corner as the logged-in user.
Step 5: Use the PuTTY application to reconnect to the SSH server. You will see that the connection is being denied. Note: This demonstrates that access to the application is controlled based on the user’s ID, rather than the IP address of the device.
Step 6: Review the traffic log on the firewall to confirm that the source user is “peter” instead of “joe,” hence access to SSH is being denied.
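Added example (not from the workshop guide): a small Python model of first-match security policy evaluation with User-ID, showing why “joe” and “peter” get different verdicts for the same SSH server from the same device, and why the “Application Default” service still stops SSH on a non-standard port even for “joe.” The rule name UTD-Policy-05, the users and the applications come from this activity; the zone, the source IP and the standard-port table are assumptions made for the example.

```python
from dataclasses import dataclass, field, replace

# Simplified App-ID standard ports, assumed for this example (the firewall keeps its own table).
APP_DEFAULT_PORTS = {"ssh": {22}, "ping": set(), "web-browsing": {80}, "ssl": {443}}


@dataclass(frozen=True)
class Session:
    src_zone: str
    src_ip: str
    user: str      # User-ID name learned from the GlobalProtect login; "" if unknown
    app: str
    dst_port: int


@dataclass
class Rule:
    name: str
    action: str                                      # "allow" or "deny"
    src_zones: set = field(default_factory=lambda: {"any"})
    users: set = field(default_factory=lambda: {"any"})
    apps: set = field(default_factory=lambda: {"any"})
    service: str = "any"                             # "any" or "application-default"
    enabled: bool = True


def _permits(value: str, allowed: set) -> bool:
    return "any" in allowed or value in allowed


def rule_matches(rule: Rule, s: Session) -> bool:
    """A rule matches only if every configured criterion matches the session."""
    if not rule.enabled:
        return False
    if not (_permits(s.src_zone, rule.src_zones)
            and _permits(s.user, rule.users)
            and _permits(s.app, rule.apps)):
        return False
    if rule.service == "application-default":
        standard = APP_DEFAULT_PORTS.get(s.app, set())
        if standard and s.dst_port not in standard:
            return False   # e.g. SSH on 443 does not match the rule
    return True


def evaluate(rulebase, s: Session):
    """First matching rule wins; with no match the interzone default denies."""
    for rule in rulebase:
        if rule_matches(rule, s):
            return rule.name, rule.action
    return "interzone-default", "deny"


# Rule modelled on UTD-Policy-05 from the lab; the source zone is assumed.
UTD_POLICY_05 = Rule("UTD-Policy-05", "allow", src_zones={"GP-VPN"}, users={"joe"},
                     apps={"ping", "ssh"}, service="application-default")
RULEBASE = [UTD_POLICY_05]

# Both users connect from the same mobile PC, so the source IP is identical (constructed value).
MOBILE_PC_IP = "192.0.2.10"
JOE_SSH = Session("GP-VPN", MOBILE_PC_IP, "joe", "ssh", 22)
PETER_SSH = Session("GP-VPN", MOBILE_PC_IP, "peter", "ssh", 22)
JOE_SSH_443 = Session("GP-VPN", MOBILE_PC_IP, "joe", "ssh", 443)


def lab_verdicts(enabled: bool = True):
    """Verdicts for the three sessions with UTD-Policy-05 enabled (Task 2) or disabled (Task 1)."""
    rulebase = [replace(UTD_POLICY_05, enabled=enabled)]
    return {name: evaluate(rulebase, s)
            for name, s in (("joe", JOE_SSH), ("peter", PETER_SSH), ("joe_443", JOE_SSH_443))}


if __name__ == "__main__":
    print("rule disabled (Task 1):", lab_verdicts(enabled=False))
    print("rule enabled  (Task 2):", lab_verdicts(enabled=True))
```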
End of Activity 8
Activity 9 – Clientless VPN
Clientless VPN provides secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies. Users have the advantage of secure access from SSL-enabled web browsers without installing GlobalProtect client software. This is useful when you need to enable partner or contractor access to applications, and to safely enable unmanaged assets, including personal devices.
In this activity you will:
• Configure Clientless VPN access for accessing web applications.
• Test the access from a mobile PC without a VPN client installed.
Task 1 – Identify the Clientless VPN Gateway Host name
Step 1: Locate the external address for the Clientless VPN Gateway running on VM-Series. This is the hostname we will use to configure the Clientless VPN Gateway and use it to connect with the web browser to the VPN. Go to the “Virtual Machines” tab at the top of the page. You will see a list of all the virtual machines used in this lab.
Step 2: Identify the “VM-Series Next-Generation Firewall” virtual machine, and then click “More Details.” The external address for the virtual firewall will revert to the public IP address, which you will need to use. [Note that the external address is unique to each lab environment and it is different from what is shown below.]
Task 2 – Configure Clientless VPN
Step 1: Go to the “Network” tab at the top of the page, then click the “GlobalProtect” node. Click on “UTD-GP-Portal”.
Step 2: Go to “Clientless VPN” and the “General” tab, activate the “Clientless VPN” checkbox and configure it with the following values:
Hostname: Use the hostname we obtained in Task 1 (will look different from the screenshot)
Security Zone: Select “Trust” from the dropdown list
DNS Proxy: Select “Google-Public-DNS” from the dropdown list
Login Lifetime: 3 Hours
Inactivity Timeout: 30 Minutes
The result should look like this:
Step 2: Continue on the “Applications” tab, click “Add” at the bottom left.
Step 3: Configure the “Application To User Mapping” with the following values:
Name: SSL-Portal-Apps
User/User Group: Any
Applications: Google Docs, Intranet, Office 365
Step 3: Commit all changes.
Task 3 – Test the Clientless VPN access from Mobile PC
Step 1: Click the “Mobile PC” tab at the top of the page to go to the mobile PC console.
Step 2: Open a web browser and use the hostname that we captured in Task 1. You can use the “Send Text” button to paste it into the browser.
Step 3: Make sure to precede the hostname with “https://”.
Step 4: Log in to the GlobalProtect Portal with the following credentials:
Name: joe
Password: utd135
Step 5: Test the applications by clicking on the icons.
Step 6: The web application should open; notice the URL showing that you are connected to the Clientless VPN hostname.
Task 4 – Verify the log file entries on the firewall
Step 1: On the “Student PC”: Go to the “Monitor” tab, then to the “Traffic” logs monitor page under the “Logs” node on the left side of the page. Filter for “(user.src eq joe)”. The log entries show the Clientless VPN traffic.
End of Activity 9
Activity 10 – ACC and Custom Reports
Background: Informative visualization tools and reports are very important to network and security administrators, enabling them to monitor and identify potential network problems and attacks. Comprehensive built-in visualization tools and reporting features in the firewall can provide visibility into the network without requiring a complex logging infrastructure.
PAN-OS features to be used:
• Application Command Center (ACC).
  o Built-in visualization tools that provide a clear view of the application, user and threat data on your network. ACC in PAN-OS has been upgraded to reduce response time based on visual and actionable data.
• Manage custom reports.
  o Create a custom report using traffic stats logs.
Task 1 – Review Application Command Center (ACC)
Step 1: Click the “ACC” tab. The ACC is configured to automatically show data collected in the last hour. Change the time range to “Last 6 Hrs” in the “Time” drop-down window to include all the data generated during your lab session.
Step 2: There are four pre-defined tabs: the “Network Activity”, “Threat Activity”, “Blocked Activity” and “Tunnel Activity” tabs. Under the “Network Activity” tab, you can see the most used applications in the “Application Usage” widget. Please take a moment to review the other widgets such as “User Activity,” “Source IP Activity,” “Destination Regions,” etc.
Step 3: In the “Application Usage” widget, you can click any tile to zoom into a group of applications or a single application, for example by clicking the “General Internet” category or the “Networking” category.
Step 4: The selection in the widget applies only to that specific widget. Mouse over the “App Category [networking]” selection, and the “Add Global Filter” option will appear. Click “Add Global Filter” to apply the selection to all the widgets.
Step 5: In the “Risk” column (shown below), mouse over risk level “4” and click the “Add Global Filter” icon to add a risk-level-4 filter to the global filters. The widget will display only information on risk-level-4 applications in the “networking” category.
Step 6: To remove the global filter, click “Clear all,” or select a filter, then click the red “-” button to remove it.
Step 7: To customize a time range, go to the “User Activity” widget. Then select a start time and drag it through the time axis to the end of the time range. Apply this to the widget. You can apply this time range to the other widgets by clicking “Add Global Filter.”
Step 8: To remove the customized time range from the global filter, select a new time from the “Time” drop-down menu in Step 1 to reset the time range.
Task 2 – SaaS Application Usage Report
To maintain network security and ensure compliance with corporate policy, you must identify and monitor the use of SaaS applications on your network. To meet this challenge, the Palo Alto Networks firewall includes a new SaaS Application Usage Report in PDF format to give you visibility into the SaaS applications. The new report helps you identify the ratio of sanctioned versus unsanctioned SaaS applications in use on the network. It also includes details on the top SaaS application subcategories by number of applications, by number of users, and more. You can use the data from this report to define or refine security policy rules on the firewall to block or monitor the use of unsanctioned SaaS applications on your network. This task will show you how to get started with the SaaS Application Usage Report on the firewall.
Step 1: Click the “Monitor” tab, then click the “SaaS Application Usage” node under the “PDF Reports.”
Step 2: Click “Add” at the bottom of the window to open a new SaaS Application Usage report configuration window.
Step 3: Name the report “SaaS App Usage Report,” then select “Last 7 Days,” and click “OK” to save it.
Step 4: You should see a new entry created. Click it again to re-open the report window; then click “Run Now” to create the report.
Step 5: It will take a bit of time to create the report. When the report is done, you should see a new browser tab open with the report. (You may need to disable the pop-up blocker in your browser to allow the report to be opened in a new browser tab.)
Step 6: Take a closer look at the SaaS Application Usage Report; it contains a lot of useful data. Close the SaaS
Usage Report window after the report is created. (You can export the report as a PDF.)
Task 3 – Setting up a custom report
Step 1: Click the “Monitor” tab, then click the “Manage Custom Reports” node (second from last).
Step 2: Click “Add” (in the lower left), then name the report “Session Stats” (in the “Custom Report” pop-up).
Step 3: Use the following information to create this report:
• Database: Application Statistics
• Scheduled: Not Checked
• Time Frame: Last 6 Hrs
• Selected Columns: Application Name, App Category, App Sub Category, Risk of App, Sessions
• Sort By: Sessions: Top 10
Step 4: Click “Run Now” (at the top of the pop-up). A tab “Session Stats” will be created; review the report and
export the results as a PDF file. Reports may also be scheduled by selecting the “Scheduled” checkbox in the “Custom Report” window. These reports will run automatically at 2:00 a.m. daily.
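As an added example that is not part of the workshop guide or of Palo Alto Networks code, the script below reproduces offline the two views these reports give you: the sanctioned versus unsanctioned SaaS ratio and per-subcategory counts from Task 2, and the “Sessions: Top N” rows from Task 3, computed over constructed PAN-OS-style traffic records. The record layout, the application names and the sanctioned list are assumptions made for illustration.

```python
# Added example, not from the workshop guide: offline aggregation over
# constructed PAN-OS-style traffic records reproducing the SaaS usage
# ratio / sub-category view (Task 2) and "Sessions: Top N" view (Task 3).
# Record layout and sanctioned list are assumptions, not the real schema.

# Constructed sample records: (user, app, category, sub-category, risk, is_saas)
SAMPLE_LOGS = [
    ("alice", "ms-office365-base", "saas", "office-programs", 3, True),
    ("bob",   "ms-office365-base", "saas", "office-programs", 3, True),
    ("alice", "box-base",          "saas", "file-sharing",    3, True),
    ("carol", "dropbox-base",      "saas", "file-sharing",    4, True),
    ("carol", "dropbox-base",      "saas", "file-sharing",    4, True),
    ("dave",  "slack-base",        "saas", "collaboration",   2, True),
    ("dave",  "facebook-base",     "social-networking", "social-networking", 4, False),
    ("bob",   "web-browsing",      "internet-utility",  "internet-utility",  4, False),
]
SANCTIONED = {"ms-office365-base", "box-base", "slack-base"}  # constructed policy

def aggregate(logs):
    """Per-application stats: session count, distinct users, metadata."""
    stats = {}
    for user, app, cat, sub, risk, is_saas in logs:
        s = stats.setdefault(app, {"sessions": 0, "users": set(), "category": cat,
                                   "subcategory": sub, "risk": risk, "saas": is_saas})
        s["sessions"] += 1
        s["users"].add(user)
    return stats

def saas_sanction_ratio(logs, sanctioned=SANCTIONED):
    """(sanctioned SaaS app count, unsanctioned count, unsanctioned app names)."""
    saas = {a: s for a, s in aggregate(logs).items() if s["saas"]}
    unsanctioned = sorted(a for a in saas if a not in sanctioned)
    return len(saas) - len(unsanctioned), len(unsanctioned), unsanctioned

def saas_subcategories(logs):
    """Sub-category -> (number of SaaS apps, number of distinct users)."""
    apps, users = {}, {}
    for app, s in aggregate(logs).items():
        if s["saas"]:
            apps.setdefault(s["subcategory"], set()).add(app)
            users.setdefault(s["subcategory"], set()).update(s["users"])
    return {sub: (len(apps[sub]), len(users[sub])) for sub in apps}

def top_sessions(logs, n=10, min_risk=1):
    """Rows like the custom report: (app, category, sub-category, risk, sessions),
    most sessions first; min_risk=4 mirrors the ACC risk-level-4 global filter."""
    rows = [(a, s["category"], s["subcategory"], s["risk"], s["sessions"])
            for a, s in aggregate(logs).items() if s["risk"] >= min_risk]
    rows.sort(key=lambda r: (-r[4], r[0]))
    return rows[:n]
```

Calling `saas_sanction_ratio(SAMPLE_LOGS)` on the constructed records reports three sanctioned and one unsanctioned SaaS application, which is the kind of finding the guide says you would turn into a block or monitor rule.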
Task 4 – What’s new in PAN-OS 8.0
To provide organizations with the best security capabilities to prevent successful cyberattacks, PAN-OS® 8.0 includes a colossal amount of enhancements and capabilities, including:
• Secure any cloud! AWS, Azure and more
• Secure SaaS (Office 365®, Box, Slack®) with visibility and enforcement
• Prevent sandbox evasion, automate C2 detection, and leverage advanced intel sharing
• Prevent credential theft usage and abuse
• Simplify security operations with enhanced management, speed and automation
• New high-performance hardware models to tackle encrypted traffic and more
To learn more about the new features in the latest PAN-OS release, visit us at:
End of Activity 10
Activity 11 - Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive event. We hope you enjoyed the presentation and the labs that we have prepared for you. Please take a few minutes to complete the online survey form to tell us what you think about this event.
Task 1 – Take the online survey
Step 1: In your lab environment, click on the “Survey” tab.
Step 2: Please complete the survey, and let us know what you think about this event.
End of Activity 11.
Appendix 1: Alternative Login Methods to Student Desktop
This appendix shows you how to log in to the student desktop using other connectivity methods. Please complete the procedures outlined in Activity 0: Task 1 to log in to the UTD Workshop before you continue. There are two other methods you can use to log in to the student desktop:
• Use the “Console” feature in the workshop (Java client required).
• Use the RDP client if it is installed on the laptop.
Both methods are described below, and you can select the one that best fits what you have installed on your laptop. Note that the RDP protocol may not be supported on all networks, so please verify that RDP is supported at your location.
Log in to the student desktop using Java Console (Java client required)
Step 1: Click “Student Desktop” after you log in to the UTD workshop.
Step 2: Click the “Console” link on the upper right-hand corner. This will switch the connection method from RDP
to Console, which uses a Java-based VNC client.
Step 3: Allow Java to run the VNC® Viewer application. You may need to click “Run” a few times.
Step 2: Click “Don’t Block” on the Java Security Warning message.
Step 3: After allowing the Java client to run, you will see the student desktop display. Click “Send Ctrl-Alt-Del” to
open the login window and use the username and password as indicated on your browser (not the one indicated below). You should be able to log in to the student desktop after entering the login name and password.
Appendix 2: Support for Non-U.S. Keyboards
If you are using a non-U.S. keyboard and have difficulties entering characters and special keys, you can add a keyboard to the student desktop to support what you have, or use the on-screen keyboard. This appendix shows you how to add and select an international keyboard, or use the on-screen keyboard. By default, the “English (United States)” and “French (France)” keyboards are added to the student desktop. Click
the bottom left-hand corner to switch between them.
Add a new international keyboard
To add other keyboards, go to Start > Control Panel. Click “Change Keyboards or other input methods.”
Click “Change keyboard.”
Click “Add” to add a new international keyboard. Then switch to the new keyboard per the instructions on the
previous page.
Use the on-screen keyboard
To use the on-screen keyboard:
Step 1: Click “Start -> All Programs.”
Step 2: Click on “Accessories.”
Step 3: Click “Ease of Access,” then click “On-Screen Keyboard.”
Step 4: You should see the Windows On-Screen Keyboard. To bypass keys inside the VM image that do not work
on your keyboard, select the key.
Lab Setup
Firewall: VM-Series

Interface       Int Type    IP Address      Connects to Zone
Ethernet 1/1    L3          172.16.1.1      "Untrust"
Ethernet 1/2    L3          192.168.11.1    "Trust"
Management      -           10.30.11.1