Palo Alto Networks Firewall 9.0 Essentials: Configuration and Management
Lab Guide
PAN-OS® 9.0
EDU-110
Courseware Version B
Palo Alto Networks Technical Education

© 2019 Palo Alto Networks, Inc. Page 2

Palo Alto Networks, Inc.
https://www.paloaltonetworks.com
© 2007-2019, Palo Alto Networks, Inc. Palo Alto Networks, PAN-OS, WildFire, RedLock, and Demisto are registered trademarks of Palo Alto Networks, Inc. All other marks mentioned herein may be trademarks of their respective companies.

Table of Contents

Table of Contents ... 3
Typographical Conventions ... 9
How to Use This Lab Guide ... 10
1. Lab: Security Operating Platform and Architecture ... 11
2. Lab: Initial Configuration ... 12
    Lab Objectives ... 12
    2.0 Connect to Your Student Firewall ... 12
    2.1 Apply a Baseline Configuration to the Firewall ... 13
    2.2 Add an Admin Role ... 14
    2.3 Add an Administrator Account ... 15
    2.4 Test the policy-admin User ... 16
    2.5 Take a Commit Lock and Test the Lock ... 18
    2.6 Verify the Update and DNS Servers ... 20
    2.7 Schedule Dynamic Updates ... 21
3. Lab: Interface Configuration ... 25
    Lab Objectives ... 25
    3.0 Load a Lab Configuration ... 25
    3.1 Create a New Security Zone ... 26
    3.2 Create Interface Management Profiles ... 27
    3.3 Configure Ethernet Interfaces ... 29
    3.4 Create a Virtual Wire ... 36
    3.5 Create a Virtual Router ... 37
    3.6 Test Connectivity ... 38
    3.7 Modify Outside Interface Configuration ... 40
4. Lab: Security and NAT Policies ... 44
    Lab Objectives ... 44
    4.0 Load a Lab Configuration ... 44
    4.1 Create Tags ... 45
    4.2 Create a Source NAT Policy ... 48
    4.3 Create Security Policy Rules ... 50
    4.4 Verify Internet Connectivity ... 54
    4.5 Create an FTP Service ... 54
    4.6 Create a Destination NAT Policy ... 55
    4.7 Create a Security Policy Rule ... 58
    4.8 Test the Connection ... 62
5. Lab: App-ID ... 66
    Lab Objectives ... 66
    5.0 Load a Lab Configuration ... 66
    5.1 Verify an FTP Service Object ... 67
    5.2 Create an FTP Port-Based Security Policy Rule ... 68
    5.3 Test the Port-Based Security Policy ... 72
    5.4 Create an App-ID Security Policy Rule ... 73
    5.5 Enable Interzone Logging ... 75
    5.6 Enable the Application Block Page ... 76
    5.7 Test Application Blocking ... 77
    5.8 Review the Logs ... 78
    5.9 Test Application Blocking ... 78
    5.10 Review the Logs ... 79
    5.11 Modify the App-ID Security Policy Rule ... 79
    5.12 Test the App-ID Changes ... 80
    5.13 Observe the Application Command Center ... 81
    5.14 Create an FTP Application-Based Security Policy Rule ... 82
    5.15 Test the Application-Based Security Policy ... 85
6. Lab: Content-ID ... 87
    Lab Objectives ... 87
    6.0 Load a Lab Configuration ... 87
    6.1 Create a Security Policy Rule with an Antivirus Profile ... 88
    6.2 Test the Security Policy Rule ... 91
    6.3 Review the Logs ... 92
    6.4 Create a Security Policy Rule with an Anti-Spyware Profile ... 93
    6.5 Create a DMZ-Access Security Policy ... 98
    6.6 Configure a DNS-Sinkhole External Dynamic List ... 100
    6.7 Create an Anti-Spyware Profile with DNS Sinkhole ... 102
    6.8 Test the Security Policy Rule ... 103
    6.9 Review the Logs ... 104
    6.10 Create a Security Policy Rule with a Vulnerability Protection Profile ... 106
    6.11 Test the Security Policy Rule ... 108
    6.12 Review the Logs ... 109
    6.13 Update the Vulnerability Profile ... 109
    6.14 Create a Security Profile Group ... 111
    6.15 Create a File Blocking Profile ... 115
    6.16 Modify a Security Profile Group ... 116
    6.17 Test the File Blocking Profile ... 117
    6.18 Create a File Blocking Profile to Block Multi-Level Encoded Files ... 117
    6.19 Modify the Security Policy Rule ... 118
    6.20 Test the File Blocking Profile with Multi-Level Encoding ... 119
    6.21 Modify the Security Policy Rule ... 119
    6.22 Test the File Blocking Profile with Multi-Level Encoding ... 119
    6.23 Create a Danger Security Policy Rule ... 120
    6.24 Generate Threats ... 123
    6.25 Modify a Security Profile Group ... 124
    6.26 Generate Threats ... 125
7. Lab: URL Filtering ... 126
    Lab Objectives ... 126
    7.0 Load a Lab Configuration ... 126
    7.1 Create a Security Policy Rule with a Custom URL Category ... 127
    7.2 Test a Security Policy Rule ... 131
    7.3 Review the Logs ... 132
    7.4 Configure an External Dynamic List ... 133
    7.5 Test a Security Policy Rule ... 136
    7.6 Review the Logs ... 136
    7.7 Create a Security Policy Rule with a URL Filtering Profile ... 137
    7.8 Test a Security Policy Rule with a URL Filtering Profile ... 138
    7.9 Review the Logs ... 139
8. Lab: Decryption ... 140
    Lab Objectives ... 140
    8.0 Load a Lab Configuration ... 140
    8.1 Test the Firewall Behavior Without Decryption ... 142
    8.2 Create Two Self-Signed Certificates ... 144
    8.3 Create a Custom Decryption URL Category ... 146
    8.4 Create a Decryption Policy ... 147
    8.5 Test an AV Security Profile with the Decryption Policy ... 150
    8.6 Export the Firewall Certificate ... 151
    8.7 Import the Firewall Certificate ... 152
    8.8 Test the Decryption Policy ... 153
    8.9 Review the Logs ... 157
    8.10 Test URL Filtering with Decryption ... 158
9. Lab: WildFire ... 160
    Lab Objectives ... 160
    9.0 Load a Lab Configuration ... 160
    9.1 Create a WildFire Analysis Profile ... 161
    9.2 Modify a Security Profile Group ... 162
    9.3 Test the WildFire Analysis Profile ... 163
10. Lab: User-ID ... 167
    Lab Objectives ... 167
    10.0 Load a Lab Configuration ... 167
    10.1 Enable User-ID on the Inside Zone ... 168
    10.2 Configure the LDAP Server Profile ... 168
    10.3 Configure User-ID Group Mapping ... 170
    10.4 Configure an Integrated Firewall Agent ... 171
    10.5 Verify the User-ID Configuration ... 173
    10.6 Review the Logs ... 174
    10.7 Create a Security Policy Rule ... 175
    10.8 Review the Logs ... 178
11. Lab: GlobalProtect ... 180
    Lab Objectives ... 180
    11.0 Load the Lab Configuration ... 180
    11.1 Configure a Subinterface ... 181
    11.2 Generate Self-Signed Certificates ... 184
    11.3 Configure the SSL-TLS Service Profile ... 186
    11.4 Configure the LDAP Server Profile ... 188
    11.5 Configure the Authentication Profile ... 189
    11.6 Configure the Tunnel Interface ... 190
    11.7 Configure the Internal Gateway ... 191
    11.8 Configure the External Gateway ... 193
    11.9 Configure the Portal ... 197
    11.10 Host the GlobalProtect Agent on the Portal ... 202
    11.11 Create a Security Policy Rule ... 203
    11.12 Create a No-NAT Rule ... 205
    11.13 Download the GlobalProtect Agent ... 207
    11.14 Connect to the External Gateway ... 208
    11.15 View the User-ID Information ... 211
    11.16 Disconnect the Connected User ... 212
    11.17 Configure a DNS Proxy ... 213
    11.18 Connect to the Internal Gateway ... 215
    11.19 Reset the DNS ... 217
12. Lab: Site-to-Site VPN ... 219
    Lab Objectives ... 219
    12.0 Load a Lab Configuration ... 219
    12.1 Configure the Tunnel Interface ... 220
    12.2 Configure the IKE Gateway ... 222
    12.3 Create an IPSec Crypto Profile ... 224
    12.4 Configure the IPsec Tunnel ... 225
    12.5 Test the Connectivity ... 227
13. Lab: Monitoring and Reporting ... 229
    Lab Objectives ... 229
    13.0 Load a Lab Configuration ... 229
    13.1 Generate Traffic ... 230
    13.2 Explore the Session Browser ... 230
    13.3 Explore the App Scope Reports ... 232
    13.4 Explore the ACC ... 236
    13.5 Investigate the Traffic ... 241
    13.6 Generate a User Activity Report ... 244
    13.7 Create a Custom Report ... 245
    13.8 Create a Report Group ... 248
    13.9 Schedule a Report Group Email ... 248
14. Lab: Active/Passive High Availability ... 250
    Lab Objectives ... 250
    14.0 Load a Lab Configuration ... 250
    14.1 Display the HA Widget ... 251
    14.2 Configure the HA Interface ... 252
    14.3 Configure Active/Passive HA ... 253
    14.4 Configure HA Monitoring ... 255
    14.5 Observe the Behavior of the HA Widget ... 258
15. Lab: Capstone ... 260
    15.0 Load a Lab Configuration ... 260
    15.1 Configure Interfaces and Zones ... 261
    15.2 Configure Security and NAT Policy Rules ... 261
    15.3 Create and Apply Security Profiles ... 262
    15.4 Configure GlobalProtect ... 263

Typographical Conventions

This guide uses the following typographical conventions for special terms and instructions.

Convention: Bolding
    Meaning: Names of selectable items in the web interface
    Example: Click Security to open the Security Rule Page

Convention: Consolas font
    Meaning: Text that you enter and coding examples
    Example: Enter the following command: a:\setup
             The show arp all command yields this output: username@hostname> show arp <output>

Convention: Click
    Meaning: Click the left mouse button
    Example: Click Administrators under the Device tab

Convention: Right-click
    Meaning: Click the right mouse button
    Example: Right-click the number of a rule you want to copy, and select Clone Rule

Convention: < > (text enclosed in angle brackets)
    Meaning: Denotes a variable parameter. The actual value to use is defined in the Lab Guide document.
    Example: Click Add again and select <Internal Interface>

How to Use This Lab Guide

The Lab Guide contains exercises that correspond to modules in the Student Guide. Each lab exercise consists of step-by-step, task-based labs.
The final lab is based on a scenario that you will interpret and use to configure a comprehensive firewall solution. The following diagram provides a basic overview of the lab environment: © 2019 Palo Alto Networks, Inc. Page 11 1. Lab: Security Operating Platform and Architecture There is no lab exercise associated with this module. © 2019 Palo Alto Networks, Inc. Page 12 2. Lab: Initial Configuration Lab Objectives Load a configuration. Create an administrator role. Create a new administrator account and apply an administrator role. Observe the newly created role permissions via the CLI and web interface. Create and test a commit lock. Configure DNS servers for the firewall. Schedule dynamic updates. 2.0 Connect to Your Student Firewall 1. Launch the Chrome browser and connect to https://192.168.1.254. Move past any security warnings until you see the web interface login window. 2. Log in to the Palo Alto Networks firewall using the following: © 2019 Palo Alto Networks, Inc. Page 13 Parameter Value Username admin Password admin 2.1 Apply a Baseline Configuration to the Firewall To start this lab exercise, you will load a preconfigured firewall configuration file. 3. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations. 4. Click Load named configuration snapshot: A Load Named Configuration dialog box appears. 5. Click the drop-down list next to the Name text box and select edu-210-lab-02. Note: Look for edu-210 in the filename because the drop-down list might contain lab configuration files for other course numbers: 6. Click OK to close the Load Named Configuration window. A window should appear that confirms that the configuration is being loaded. 7. Click Close to close the Loading Configuration window. 8. Click the Commit link at the upper right of the web interface: © 2019 Palo Alto Networks, Inc. Page 14 A Commit window should appear. 9. Click Commit and wait until the commit process is complete. 
A Commit Status window should appear that confirms the configuration was committed successfully. 10. Click Close to continue. 2.2 Add an Admin Role Admin roles determine the access privileges and responsibilities of administrative users. The firewall is preconfigured with three predefined admin roles that you can use for common purposes. You can create custom admin roles to define the privileges and responsibilities for your administrative users. In this section, you will create a new admin role called the policy-admins-role. You will configure this role so that any administrators who belong to this role will not have access to certain areas of the firewall’s web interface. 11. In the web interface, select Device > Admin Roles. 12. Click Add in the lower-left corner of the panel and create a new administrator role using the following: Parameter Value Name Type policy-admins-role Description Type Policy Administrators The web interface provides a Description or Comment field for most of the configuration options available. You should get into the habit of providing details about each object that you create as a normal part of your configuration. By adding a comment or description to your objects, you or other firewall administrators easily can determine the purpose of an entry by reading the field. 13. Click the Web UI tab. Click the icon to disable the following: Parameter Value Monitor Network Device Privacy Note: You will need to scroll down in the window to locate Network, Device, and Privacy. 14. Click the XML/REST API tab and verify that all items are disabled. © 2019 Palo Alto Networks, Inc. Page 15 The XML/REST API tab is used to assign permissions to roles to send information to or receive information from the firewall through the XML API. If you will use the XML API, you should create a specific account for that process and define permissions through a specific admin role. 15. Click the Command Line tab and verify that the selection is None. 
In this role, you are explicitly restricting the role from using the command line interface, or CLI. Any account associated with this role will not be able to access the firewall through the CLI. 16. Click OK to continue. A new admin role should appear in the web interface. 17. Verify that your configuration is like the following: 2.3 Add an Administrator Account Administrator accounts control access to the firewalls. A firewall administrator can have full access or read-only access to a single firewall or a virtual system on a single firewall. The firewall has a predefined admin account that has full access to the firewall. In this section, you will create a new admin account and assign it to the policy-admins-role you created in the previous section. 18. In the web interface, select Device > Administrators. 19. Click Add in the lower-left corner of the panel to open the Administrator configuration window and configure the following: Parameter Value Name Type policy-admin Authentication Profile Verify that None is selected Password Type paloalto Administrator Type Select the Role Based radio button Profile Select policy-admins-role from the drop-down list Password Profile Verify that None is selected © 2019 Palo Alto Networks, Inc. Page 16 20. Click OK to create the policy-admin administrator user. A new administrator account should appear in the web interface. The Profiles setting allows you to place this new administrator account into the role you defined for Policy Administrators. This account now will be limited to accessing only those tabs in the web interface that you set in the policy-admins-role. 21. Verify that your configuration is like the following: 22. Click the Commit link at the upper right of the web interface: A Commit window should appear. 23. Click Commit and wait until the commit process is complete. A Commit Status window should appear that confirms the configuration was committed successfully. 24. Click Close to continue. 
2.4 Test the policy-admin User

25. On the Windows desktop, double-click the PuTTY icon.

26. Double-click firewall-management:

27. Log in using the following information:

    Parameter  Value
    Name       admin
    Password   admin

The role assigned to this account is allowed CLI access, so the connection should succeed.

28. Close the PuTTY window.
This action will end the admin user session.

29. Again open PuTTY from the Windows desktop.

30. Double-click firewall-management.

31. Log in using the following information:

    Parameter  Value
    Name       policy-admin
    Password   paloalto

The PuTTY window immediately closes because the admin role assigned to this account denies CLI access.

32. Open the Internet Explorer browser in private/incognito mode and browse to https://192.168.1.254.
A Certificate Warning dialog might appear. Click through any certificate warnings. The Palo Alto Networks firewall login page opens.

33. Log in using the following information:
Note: This action must be done in a different browser.

    Parameter  Value
    Name       policy-admin
    Password   paloalto

34. Close the Welcome window if one is presented.
Notice that several tabs and some functions are missing from the web interface. The admin role assigned to the user account controls which tasks the user can perform in the web interface.

2.5 Take a Commit Lock and Test the Lock

The web interface supports multiple concurrent administrator sessions. An administrator can lock the candidate or running configuration so that other administrators cannot change the configuration until the lock is removed.

35. From the web interface where you are logged in as policy-admin, click the transaction lock icon to the right of the Commit link:
The Locks window should appear.

36. Click Take Lock in the lower-left corner of the panel and configure the following:

    Parameter  Value
    Type       Select Commit from the drop-down list
    Comments   Type Policy Admin Lock

37. Click OK to close the Take Lock window.
The policy-admin lock is listed in the Locks window.

38. Click Close to close the Locks window.
Notice that you do not need to commit your changes for the lock to take effect.

39. Click the Logout button in the lower-left corner of the web interface.

40. Close the policy-admin browser window.

41. Return to the web interface where you are logged in as the admin account. Refresh the web interface.
Notice the lock icon in the upper-right corner of the web interface.

42. In the web interface, select Device > Administrators.

43. Click Add to add another administrator account and configure the following:

    Parameter               Value
    Name                    Type test-lock
    Authentication Profile  Verify that None is selected
    Password                Type paloalto
    Administrator Type      Select the Role Based radio button
    Profile                 Select policy-admins-role from the drop-down list
    Password Profile        Verify that None is selected

44. Click OK to create the test-lock administrator account.
A new administrator account should appear in the web interface.

45. Commit all changes.
An Error window should appear that tells you that someone else has taken a commit lock. Although you could add a new administrator account, you are not allowed to commit the changes because of the commit lock set by the policy-admin user.

46. Click Close.

47. Click the transaction lock icon in the upper-right corner:

48. Select the policy-admin lock and click Remove Lock:
Note: The user that initially took the lock or any superuser can remove a lock.
A Remove Lock window appears.

49. Click OK to remove the lock.
The lock should be removed from the list.

50. Click Close to close the Locks window.

51. Commit all changes.
Now that the lock is removed, you can commit your changes.

52. Select the test-lock administrator account and then click Delete to delete the test-lock user.
The test-lock account was created only to show the error message generated when a commit is issued while a lock is present. The test-lock account will not be used in later sections of the lab. In general, you should remove any administrator accounts that are no longer valid.

53. Click Yes to confirm the deletion.

54. Commit all changes.

2.6 Verify the Update and DNS Servers

The DNS server settings are used for all DNS queries that the firewall initiates in support of FQDN Address objects, logging, and firewall management.

55. In the web interface, select Device > Setup > Services.

56. Open the Services window by clicking the gear icon in the upper-right corner of the Services panel:

57. Verify that the Primary DNS Server is configured as 4.2.2.2 and the Secondary DNS Server is configured as 8.8.8.8.
The DNS servers that you configure do not have to be public servers, but the firewall needs to be able to resolve hostnames such as updates.paloaltonetworks.com and wildfire.paloaltonetworks.com to provide services such as WildFire® and URL Filtering.

58. Verify that the Update Server is configured as updates.paloaltonetworks.com.

59. Click OK to close the Services window.

2.7 Schedule Dynamic Updates

Palo Alto Networks regularly posts updates for new and modified application detection, threat protection, and GlobalProtect data files through dynamic updates. Even though these definitions are published at predefined intervals (daily or weekly), Palo Alto Networks often releases emergency updates to address newly discovered threats. These definitions should be downloaded and applied to the firewall as soon as possible. If you set schedules, you can automate this process so that the firewall always has the most recent protection definitions.

60. In the web interface, select Device > Dynamic Updates.

61. Locate and click the Schedule hyperlink on the far right of Antivirus:
The Antivirus Update Schedule window should open. New antivirus signatures are released daily.

62. Configure the following:

    Parameter   Value
    Recurrence  Select Daily from the drop-down list
    Time        Select 01:00 from the drop-down list
    Action      Select download-and-install from the drop-down list

63. Click OK to close the Antivirus Update Schedule window:

64. Locate and click the Schedule hyperlink on the far right of Applications and Threats:
The Applications and Threats Update Schedule window should open. New threat signatures are published weekly, and application updates are published monthly.

65. Configure the following:

    Parameter   Value
    Recurrence  Select Daily from the drop-down list
    Time        Select 01:15 from the drop-down list
    Action      Select download-and-install from the drop-down list

66. Click OK to close the Applications and Threats Update Schedule window:

67. Locate and click the Schedule hyperlink on the far right of WildFire:
The WildFire Update Schedule window opens. WildFire signature updates are made available every five minutes.

68. Configure the following:

    Parameter  Value
    Choice     Select Every Minute from the drop-down list
    Action     Select download-and-install from the drop-down list

69. Click OK to close the WildFire Update Schedule window.

70. Commit all changes.

Stop. This is the end of the Initial Configuration lab.

3. Lab: Interface Configuration

Lab Objectives

- Create security zones two different ways and observe the time saved.
- Create Interface Management Profiles to allow ping and response pages.
- Configure Ethernet interfaces to observe DHCP client options and static configuration.
- Create a virtual router and attach configured Ethernet interfaces.
- Test connectivity with automatic default route configuration and static configuration.

3.0 Load a Lab Configuration

To start this lab exercise, you will load a preconfigured firewall configuration file.

1. In the web interface, select Device > Setup > Operations.

2. Click Load named configuration snapshot:
A Load Named Configuration dialog box appears.

3. Click the drop-down list next to the Name text box and select edu-210-lab-03.
Note: Look for edu-210 in the filename because the drop-down list might contain lab configuration files for other course numbers.

4. Click OK to close the Load Named Configuration window.
A window should appear that confirms that the configuration is being loaded.

5. Click Close to close the Loading Configuration window.

6. Click the Commit link at the upper right of the web interface:
A Commit window should appear.

7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed successfully.

8. Click Close to continue.

3.1 Create a New Security Zone

Security zones are a logical way to group physical and virtual interfaces on the firewall to control and log the traffic that traverses your network through the firewall. An interface on the firewall must be assigned to a security zone before the interface can process traffic. A zone can have multiple interfaces of the same type (for example, Tap, Layer 2, or Layer 3 interfaces) assigned to it, but an interface can belong to only one zone.

9. In the web interface, select Network > Zones.

10. Click Add to create a new zone.
The Zone configuration window should appear.

11. Configure the following:

    Parameter  Value
    Name       Type outside
    Type       Select Layer3 from the drop-down list

12. Click OK to close the Zone configuration window.
A new outside zone should appear in the web interface. The outside zone is the only zone created in this task. You will add an Ethernet interface to this zone in a later lab step.

3.2 Create Interface Management Profiles

An Interface Management Profile protects the firewall from unauthorized access by defining the services and source IP addresses that a firewall interface permits. You can assign an Interface Management Profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate, VLAN, loopback, and tunnel interfaces).

13. In the web interface, select Network > Network Profiles > Interface Mgmt.

14. Click Add to create an Interface Management Profile.
The Interface Management Profile configuration window should appear.

15. Configure the following:

    Parameter         Value
    Name              Type ping-and-response-pages
    Network Services  Select the Ping and Response Pages check boxes

16. Click OK to close the Interface Management Profile configuration window.
A new Interface Management Profile should appear in the web interface.

17. Click Add to create another Interface Management Profile.
The Interface Management Profile configuration window should appear.

18. Configure the following:

    Parameter         Value
    Name              Type ping-only
    Network Services  Select the Ping check box

19. Click OK to close the Interface Management Profile configuration window.
A new Interface Management Profile should appear in the web interface.

20. Verify that your configuration is like the following:

3.3 Configure Ethernet Interfaces

Firewall interfaces, or ports, enable a firewall to connect with other network devices and with other interfaces within the firewall. The interface configuration of the firewall ports enables traffic to enter and exit the firewall. You can configure the firewall interfaces for virtual wire, Layer 2, Layer 3, and tap mode deployments.

21. In the web interface, select Network > Interfaces > Ethernet.
In the next few steps, you will configure ethernet1/2 as a Layer 3 interface and assign it a static IP address. This interface is logically connected to the Windows workstation and will operate as the workstation's default gateway (192.168.1.1).

22. Click ethernet1/2 to configure the interface.
The Ethernet Interface window should appear.

23. Configure the following:

    Parameter       Value
    Comment         Type inside interface
    Interface Type  Select Layer3 from the drop-down list
    Virtual Router  Verify that None is selected

24. Click the Security Zone drop-down list and select New Zone:
The Zone configuration window opens. Selecting New Zone from the Security Zone drop-down list is an alternate way to create security zones. You can either create them all at once or create them as you define your network interfaces.

25. Configure the following:

    Parameter  Value
    Name       Type inside
    Type       Verify that Layer3 is selected

26. Click OK to close the Zone configuration window:

27. Click the Ethernet Interface IPv4 tab.

28. Configure the following:

    Parameter  Value
    Type       Verify that the Static radio button is selected
    IP         Click Add and type 192.168.1.1/24

Be sure to include the CIDR mask for the interface IP address.

29. Click the Advanced tab.

30. Click the Management Profile drop-down list and select ping-and-response-pages:
Remember that the Management Profile you select here determines which network services (ping, SNMP, SSH) an interface will answer. You must define a Management Profile before you can assign it to an interface.

31. Click OK to close the Ethernet Interface configuration window.

32. Click ethernet1/3 to configure the interface.
The Ethernet Interface window should appear.

33. Configure the following:

    Parameter       Value
    Comment         Type dmz interface
    Interface Type  Select Layer3 from the drop-down list
    Virtual Router  Verify that None is selected

34. Click the Security Zone drop-down list and select New Zone.
The Zone configuration window should appear.

35. Configure the following:

    Parameter  Value
    Name       Type dmz
    Type       Verify that Layer3 is selected

36. Click OK to close the Zone configuration window:

37. Click the IPv4 tab.

38. Configure the following:

    Parameter  Value
    Type       Verify that the Static radio button is selected
    IP         Click Add and type 192.168.50.1/24

39. Click the Advanced tab.

40. Click the Management Profile drop-down list and select ping-only.

41. Click OK to close the Ethernet Interface configuration window.

42. Click ethernet1/1 to configure the interface.

43. Configure the following:

    Parameter       Value
    Comment         Type outside interface
    Interface Type  Select Layer3 from the drop-down list
    Virtual Router  Verify that None is selected
    Security Zone   Select outside from the drop-down list

44. Click the IPv4 tab and configure the following:

    Parameter  Value
    Type       Select the DHCP Client radio button

Note the Automatically create default route pointing to default gateway provided by server option. This option will automatically install a default route based on DHCP option 3.

45. Click OK to close the Ethernet Interface configuration window.
We are setting the external interface (ethernet1/1) on the firewall to obtain an IP address from an external DHCP server. You might need to use this feature if you are installing a firewall at a branch location and the ISP does not offer static IP addresses. Later in this lab you will change the IP address from a dynamic, DHCP-assigned address to a static IP address.

46. Click ethernet1/4 to configure the interface.
You will configure ethernet1/4 and ethernet1/5 as vwire interfaces and then configure a virtual wire using each of these interfaces.

47. Configure the following:

    Parameter       Value
    Comment         Type vWire zone named danger
    Interface Type  Select Virtual Wire from the drop-down list
    Virtual Wire    Verify that None is selected

48. Click the Security Zone drop-down list and select New Zone.
The Zone configuration window should appear.

49. Configure the following:

    Parameter  Value
    Name       Type danger
    Type       Verify that Virtual Wire is selected

50. Click OK to close the Zone configuration window:

51. Click OK to close the Ethernet Interface configuration window.

52. Click ethernet1/5 to open the interface.

53. Configure the following:

    Parameter       Value
    Comment         Type vWire zone named danger
    Interface Type  Select Virtual Wire from the drop-down list
    Virtual Wire    Verify that None is selected
    Security Zone   Select danger from the drop-down list

54. Click OK to close the Ethernet Interface configuration window.

55. Verify that your configuration is like the following:

3.4 Create a Virtual Wire

A virtual wire interface binds two Ethernet ports. A virtual wire allows all traffic, or just selected VLAN traffic, to pass between the ports. No other switching or routing services are available.

56. In the web interface, select Network > Virtual Wires.

57. Click Add and configure the following:

    Parameter    Value
    Name         Type danger
    Interface 1  Select ethernet1/4 from the drop-down list
    Interface 2  Select ethernet1/5 from the drop-down list

Note: Even though you set ethernet1/4 and ethernet1/5 to Virtual Wire mode in the interface settings, you must still create a virtual wire and select the appropriate interfaces.

58. Click OK to create your virtual wire.
A new virtual wire should appear in the web interface.

59. Verify that your configuration is like the following:

3.5 Create a Virtual Router

The firewall requires a virtual router to obtain routes to other subnets, either through static routes that you define manually or through participation in Layer 3 routing protocols that provide dynamic routes. The firewall has a predefined virtual router named default. A virtual router is a separate routing instance that allows the firewall to route traffic from one network to another through its Layer 3 interfaces.

In our environment, we have three networks: 192.168.1.0/24, 192.168.50.0/24, and 203.0.113.0/24. You will modify the default virtual router and add the firewall's interface from each of these networks to the virtual router. Because we are using Layer 3 interfaces, the firewall must have a way to route traffic from one network to another; this is done with a virtual router. However, because each interface is in a different security zone, the Security rules will prevent traffic in one network from going to another network through the firewall until you allow it.

60. In the web interface, select Network > Virtual Routers.

61. Click default to open the default virtual router.
The Virtual Router - default configuration window should appear.

62. Rename the default virtual router to lab-vr.

63. Locate the General tab > Interfaces box and click Add.

64. Add the following interfaces: ethernet1/1, ethernet1/2, and ethernet1/3:
Note: This step can also be completed from each Ethernet Interface configuration window.

65. Click OK to close the Virtual Router - default window.
The lab-vr virtual router should appear in the web interface.

66. Commit all changes.

3.6 Test Connectivity

67. On the Windows desktop, double-click the PuTTY icon.

68. Double-click firewall-management:

69. Log in using the following:

    Parameter  Value
    Name       admin
    Password   admin

70. In the CLI, enter the command show interface ethernet1/1.
The CLI command output should be like the following:

From the command output, you should be able to see the IP address obtained by DHCP. It should be 203.0.113.21/24.

71. From the CLI, enter the command show routing route.
The CLI command output should be like the following:

The command output should show you the firewall's default route that was installed as part of the DHCP lease.

72. From the CLI, enter the command ping source 203.0.113.21 host 8.8.8.8.
Because a default route was automatically added to your route table, you should receive replies from 8.8.8.8:
Note: The host you are pinging from is the firewall itself. The ping command is used to verify the firewall's connectivity to the internet.

73. Press Ctrl+C to stop the ping. Do not exit the PuTTY window. You will use the session again in the next section of the lab.

74. On the Windows desktop, double-click CMD to open a command-prompt window.

75. Type the command ping 192.168.1.1:
In this task, you are pinging from the Windows host to its default gateway, which is ethernet1/2 on the firewall. Verify that you get a reply before proceeding.
Note: If you try to ping 8.8.8.8 from the Windows host, you will not receive a response. You currently do not have Security rules or NAT rules in place on the firewall to allow internal traffic out to the Internet.

76. Type Exit to close the command-prompt window.

3.7 Modify Outside Interface Configuration

In this section, you will reconfigure Ethernet Interface 1/1 to use a static IP address and add a static route to your virtual router. Under most conditions you will configure the firewall's Layer 3 interfaces with static IP addresses. We initially configured ethernet1/1 to use the DHCP client function only to illustrate the feature should you ever need it.

77. In the web interface, select Network > Interfaces > Ethernet.

78. Select but do not open ethernet1/1:

79. Click Delete, then click Yes.

80. Commit all changes.
This action will force the interface to release the former DHCP-assigned IP address.

81. Click ethernet1/1 to configure the interface.
The Ethernet Interface window should appear.

82. Configure the following:

    Parameter       Value
    Comment         Type outside interface
    Interface Type  Select Layer3 from the drop-down list
    Virtual Router  Select lab-vr from the drop-down list
    Security Zone   Select outside from the drop-down list

83. Click the IPv4 tab and configure the following:

    Parameter  Value
    Type       Verify that the Static radio button is selected
    IP         Click Add and type 203.0.113.20/24

84. Click OK to close the Ethernet Interface configuration window.

85. In the web interface, select Network > Virtual Routers.

86. Click the lab-vr virtual router to open it.
The Virtual Router - lab-vr configuration window should appear.

87. Click the Static Routes vertical tab:

88. Click Add and configure the following static route:

    Parameter            Value
    Name                 Type default-route
    Interface            Select ethernet1/1 from the drop-down list
    Destination          Type 0.0.0.0/0
    Next Hop             Verify that IP Address is selected
    Next Hop IP Address  Type 203.0.113.1

This step is very important! As with any other network host using IP, the firewall itself must have a default gateway. Without this entry, the firewall can send traffic only to networks to which it has interface connections (192.168.1.0/24, 192.168.50.0/24, and 203.0.113.0/24).

89. Click OK to add the static route.

90. Click OK to close the Virtual Router - lab-vr configuration window.

91. Commit all changes.

92. Make the PuTTY window that was used to ping 8.8.8.8 the active window.

93. Type the command ping source 203.0.113.20 host 8.8.8.8:
You should be able to successfully ping 8.8.8.8 from the firewall itself.

94. Close the PuTTY window.

Stop. This is the end of the Interface Configuration lab.

4. Lab: Security and NAT Policies

Lab Objectives

- Create tags for later use with Security policy rules.
- Create a basic source NAT rule to allow outbound access and an associated Security policy rule to allow the traffic.
- Create a destination NAT rule for the FTP server and an associated Security policy rule to allow the traffic.

4.0 Load a Lab Configuration

To start this lab exercise, you will load a preconfigured firewall configuration file.

1. In the Palo Alto Networks firewall web interface, select Device > Setup > Operations.

2. Click Load named configuration snapshot:
A Load Named Configuration dialog box appears.

3. Click the drop-down list next to the Name text box and select edu-210-lab-04.
Note: Look for edu-210 in the filename because the drop-down list might contain lab configuration files for other course numbers:

4. Click OK to close the Load Named Configuration window.
A window should appear that confirms that the configuration is being loaded.

5. Click Close to close the Loading Configuration window.

6. Click the Commit link at the upper right of the web interface:
A Commit window should appear.

7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed successfully.

8. Click Close to continue.

4.1 Create Tags

Tags are color-coded labels that enable you to group, sort, and filter objects using keywords or phrases. Tags can be applied to Address objects, Address Groups (static and dynamic), services, Service Groups, and policy rules. Tags can be assigned a color that makes the results of a search easier to find in the web interface. When used with Comments or Descriptions, Tags help administrators determine more easily how a firewall has been configured and the purpose of its various rules, objects, and entries.
In the following steps, you will assign a description to a tag, assign the tag a color, and apply the tag to different policies.

9. In the web interface, select Objects > Tags.
Two default tags are available, empty and Sanctioned, which cannot be deleted or modified.

10. Click Add to define a new tag.
The Tag configuration window should appear.

11. Configure the following:

    Parameter  Value
    Name       Select danger from the drop-down list
    Color      Select Purple from the drop-down list
    Comments   Type Danger Tag

The firewall allows you to create tags based on existing security zones, which is why danger, dmz, outside, and inside already appear in the drop-down list.

12. Click OK to close the Tag configuration window.
A new danger tag should appear in the web interface.

13. Click Add to define another new tag.
The Tag configuration window should appear.

14. Configure the following:

    Parameter  Value
    Name       Type egress
    Color      Select Blue from the drop-down list
    Comments   Type Egress Tag

15. Click OK to close the Tag configuration window.
A new egress tag should appear in the web interface.

16. Click Add to define another new tag.
The Tag configuration window should appear.

17. Configure the following:

    Parameter  Value
    Name       Select dmz from the drop-down list
    Color      Select Orange from the drop-down list
    Comments   Type DMZ Tag

18. Click OK to close the Tag configuration window.
A new dmz tag should appear in the web interface.

19. Click Add to define the final new tag.
The Tag configuration window should appear.

20. Configure the following:

    Parameter  Value
    Name       Type internal
    Color      Select Yellow from the drop-down list
    Comments   Type Internal Tag

21. Click OK to close the Tag configuration window.
A new internal tag should appear in the web interface.

22. Verify that your configuration is like the following:

If you create a Tag with the same name you used for a security zone, the firewall will apply that tag to that security zone in any tables where zones are displayed. Note that the tag name must match the zone name exactly, including uppercase and lowercase.

4.2 Create a Source NAT Policy

The firewall typically uses source NAT to translate traffic from internal hosts (often on private networks) to a public, routable address (often an interface on the firewall itself). NAT rules provide address translation and are different from Security policy rules, which allow and deny packets. You can configure a NAT policy rule to match a packet's source and destination zone, destination interface, source and destination address, and service.

23. In the web interface, select Policies > NAT.

24. Click Add to define a new source NAT policy.
The NAT Policy Rule configuration window should appear.

25. Configure the following:

    Parameter          Value
    Name               Type source-egress-outside
    Tags               Select egress from the drop-down list
    Group Rules By Tag Select egress from the drop-down list
    NAT Type           Verify that ipv4 is selected
    Audit Comment      Type Created egress NAT Policy on <date> by <Your-Role>

26. Click the Original Packet tab and configure the following:

    Parameter              Value
    Source Zone            Click Add and select the inside zone
    Destination Zone       Select outside from the drop-down list
    Destination Interface  Select ethernet1/1 from the drop-down list
    Service                Verify that any is selected
    Source Address         Verify that the Any check box is selected
    Destination Address    Verify that the Any check box is selected

This section defines what the packet will look like when it reaches the firewall.

27. Click the Translated Packet tab and configure the following under the Source Address Translation section:

    Parameter         Value
    Translation Type  Select Dynamic IP And Port from the drop-down list
    Address Type      Select Interface Address from the drop-down list
    Interface         Select ethernet1/1 from the drop-down list
    IP Address        Select 203.0.113.20/24 from the drop-down list. (Make sure that you select the interface IP address from the drop-down list and do not type it.)

This section defines how the firewall will translate the packet.
Note: You are configuring only the Source Address Translation part of this window. Leave the Destination Address Translation set to None.

28. Click OK to close the NAT Policy Rule configuration window.
A new NAT policy should appear in the web interface. You will not be able to access the internet yet. You will need to configure a Security policy rule to allow traffic to flow between zones.

29. Verify that your configuration is like the following:

4.3 Create Security Policy Rules

Security policy rules reference security zones and enable you to allow, restrict, and track traffic on your network based on the application, user or user group, and service (port and protocol).

30. In the web interface, select Policies > Security.

31. Click Add to define a Security policy rule.
The Security Policy Rule configuration window should appear.

32. Configure the following:
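To show why the static default route in section 3.7 matters and how the source NAT rule of section 4.2 behaves, here is an added Python model of the lab's routing and NAT logic (example code written for this guide, not PAN-OS code). The route table uses longest-prefix match and rejects a next hop that is not on the egress interface's subnet, and the NAT rule translates to whatever address ethernet1/1 currently holds, which is why you select Interface Address rather than typing the IP; the translated-port pool starting at 49152 is a constructed simplification.

```python
"""Added model of the lab topology from sections 3.3-3.7 and 4.2; not PAN-OS code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from itertools import count


@dataclass
class Interface:
    name: str
    zone: str
    address: IPv4Interface


@dataclass
class Route:
    name: str
    destination: IPv4Network
    interface: str
    next_hop: "IPv4Address | None" = None   # None for a connected route


class VirtualRouter:
    """Longest-prefix-match route table, as lab-vr behaves in sections 3.5 and 3.7."""

    def __init__(self, name, interfaces):
        self.name = name
        self.interfaces = {i.name: i for i in interfaces}
        # Attaching a Layer 3 interface gives the router a connected route for its subnet.
        self.routes = [Route(f"connected-{i.name}", i.address.network, i.name)
                       for i in interfaces]

    def add_static_route(self, name, destination, interface, next_hop):
        nh = IPv4Address(next_hop)
        egress = self.interfaces[interface]
        # The next hop must be on the egress interface's own subnet, or the firewall
        # cannot reach it (203.0.113.1 lies on ethernet1/1's 203.0.113.0/24).
        if nh not in egress.address.network:
            raise ValueError(f"next hop {nh} is not reachable via {interface}")
        self.routes.append(Route(name, IPv4Network(destination), interface, nh))

    def lookup(self, destination):
        """Most specific route for destination, or None when the packet would be dropped."""
        dst = IPv4Address(destination)
        candidates = [r for r in self.routes if dst in r.destination]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.destination.prefixlen)


@dataclass
class SourceNatRule:
    """Shape of the source-egress-outside rule from section 4.2 (Dynamic IP And Port)."""
    name: str
    source_zones: set
    destination_zone: str
    destination_interface: str
    translated_interface: str   # "Interface Address": translated IP follows this interface


class Firewall:
    def __init__(self, vr, nat_rules):
        self.vr = vr
        self.nat_rules = nat_rules
        self._ports = count(49152)   # constructed translated-port pool for DIPP

    def translate_source(self, src_ip, src_port, dst_ip):
        """Return (ip, port, rule_name) as the packet leaves; unchanged if no rule matches.

        Matching uses the pre-NAT zones, as a PAN-OS NAT rule does. A Security policy
        rule is still required before the packet is allowed through at all.
        """
        route = self.vr.lookup(dst_ip)
        if route is None:
            raise LookupError(f"no route to {dst_ip}")   # e.g. before the default route
        src_zone = self.vr.interfaces[self.vr.lookup(src_ip).interface].zone
        dst_zone = self.vr.interfaces[route.interface].zone
        for rule in self.nat_rules:
            if (src_zone in rule.source_zones and dst_zone == rule.destination_zone
                    and route.interface == rule.destination_interface):
                egress = self.vr.interfaces[rule.translated_interface]
                return str(egress.address.ip), next(self._ports), rule.name
        return src_ip, src_port, None


def build_lab(default_route=True):
    """Topology after section 3.7 (ethernet1/1 static) plus the section 4.2 NAT rule."""
    vr = VirtualRouter("lab-vr", [
        Interface("ethernet1/1", "outside", IPv4Interface("203.0.113.20/24")),
        Interface("ethernet1/2", "inside", IPv4Interface("192.168.1.1/24")),
        Interface("ethernet1/3", "dmz", IPv4Interface("192.168.50.1/24")),
    ])
    if default_route:
        vr.add_static_route("default-route", "0.0.0.0/0", "ethernet1/1", "203.0.113.1")
    egress = SourceNatRule("source-egress-outside", {"inside"}, "outside",
                           "ethernet1/1", "ethernet1/1")
    return Firewall(vr, [egress])
```

Call build_lab(default_route=False).vr.lookup("8.8.8.8") to reproduce the state before step 88 (no route, so the firewall's ping would fail) and build_lab().translate_source("192.168.1.20", 51515, "8.8.8.8") to see the inside host leave as 203.0.113.20; an inside-to-dmz packet matches no NAT rule and leaves untranslated.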