
Task 1: Create a File Blocking Profile

The Palo Alto Networks firewall uses File Blocking profiles to block (or alert on) specified file types, over specified applications, in the specified session flow direction (upload, download, or both). Older PAN-OS releases also used the File Blocking profile to forward files to WildFire for analysis; in this lab, forwarding is configured separately in a WildFire Analysis profile (Task 2). You can set the profile to alert or block on upload and/or download, and you can specify which applications are subject to the profile. You can also configure a custom block page that appears when a user attempts to download a blocked file type.

In the Web UI, select Objects > Security Profiles > File Blocking.

Click Add to create a file blocking profile.

Name: Enter elabstudentfileblocking

Rules list: Click Add and create a rule with these parameters:

Rule Name: Enter BlockPDF
Applications: any
File Types: pdf
Direction: both
Action: block

Click OK to close the File Blocking Profile window.

Task 2: Create a WildFire Analysis Profile


The Palo Alto Networks WildFire service enables the firewall to forward files to a sandbox environment where they are executed to detect malicious activity. As new malware is detected by the WildFire system, malware signatures are automatically generated and made available within 24 to 48 hours in the daily antivirus downloads. Your Threat Prevention subscription entitles you to antivirus signature updates that include signatures discovered by WildFire.

In the Web UI, select Objects > Security Profiles > WildFire Analysis.

Click Add to create a WildFire analysis profile.

Name: Enter elabstudent_wildfire

Rules list: Click Add and create a rule with these parameters:

Name: EXE_Analysis
Applications: any
File Types: pe
Direction: both
Analysis: public-cloud

Click OK.

Task 3: Assign the File Blocking and WildFire Profiles to the Profile Group

In the Web UI, select Objects > Security Profile Groups.

Open elabstudentprofilesgroup.

Choose elabstudentfileblocking as the file blocking profile.

Choose elabstudent_wildfire as the WildFire analysis profile.

Click OK.

Commit the changes.

Task 4: Test the File Blocking Profile

Open a new browser window to http://www.panedufiles.com/. The site opens.

Click the Panorama_AdminGuide70.pdf link. A File Download Blocked page appears.

Select Monitor > Logs > Data Filtering and find the entry for the PDF file that has been blocked.

Task 5: Test the WildFire Analysis Profile


On the desktop, open a new browser window to http://wildfire.paloaltonetworks.com/publicapi/test/pe. This site generates a test file with a unique hash on each download, which simulates a zero-day sample: no existing antivirus signature can match it, so only WildFire analysis can produce a verdict.

Save the file, without opening it, to the Downloads directory.

To verify that the file was uploaded to the public WildFire cloud, use PuTTY to SSH into the firewall.

When logged in via SSH, enter the debug wildfire upload-log show command and look for output of the form "log: 0, filename: wildfire-test-pe-file.exe processed ....".

This verifies that the file was uploaded to the WildFire public cloud.

Select Monitor > Logs > WildFire Submissions. After some time has passed (possibly as long as 10 minutes), find the entry for wildfire-test-pe-file.exe that has been submitted to WildFire and identified as malicious.

Click the magnifying glass icon next to the entry to see the Detailed Log View of the WildFire entry.

On the Log Info tab, check the information within the General, Details, and Destination panels. Then look at the information in the WildFire Analysis Report tab.

Log out and close the PuTTY SSH session. Close the Downloads directory on the student remote desktop.

You have successfully completed Module 5: File Blocking and WildFire

Task 1: Verify Firewall Behavior Without Decryption

Palo Alto Networks firewalls can decrypt and inspect traffic for visibility, control, and granular security. Decryption on a Palo Alto Networks firewall includes the capability to enforce security policies on encrypted traffic, which otherwise might not be blocked and shaped according to your configured security settings. Use decryption on a firewall to prevent malicious content from entering your network, or sensitive content from leaving your network, concealed as encrypted traffic. Enabling decryption on a Palo Alto Networks firewall can include preparing the keys and certificates required for decryption, creating a decryption policy, and configuring decryption port mirroring.

In this task we demonstrate that, without decryption enabled, the Palo Alto Networks firewall passes encrypted traffic through without inspecting its contents. SSL decryption and SSH decryption are disabled by default.

For this lab, we will use the Internet Explorer browser. Chrome has its own malware detection, and Firefox has its own certificate store, either of which would interfere with the test.

From the desktop, open an Internet Explorer browser and browse to www.eicar.org/85-0-Download.html.

Scroll to the bottom of the page and use HTTP to download one of the test files.

The file is blocked and a warning page appears.

Click the Back button and use HTTPS to download one of the files. The file downloads (but may be deleted by the browser).

Select Monitor > Logs > Threat to view the log. Only the unencrypted download should appear in the log. SSL encryption has hidden the contents of the second test file from the firewall, so it is not detected as a threat.

Task 2: Create an SSL Self-Signed Certificate

A self-signed root certificate authority (CA) certificate is the topmost certificate in a certificate chain. A firewall can use this certificate to automatically issue certificates for other uses. For example, the firewall issues certificates for SSL/TLS decryption and for satellite devices in a GlobalProtect large-scale VPN. When a client establishes a connection that the firewall decrypts, the client must trust the root CA that issued the certificate the firewall presents. Otherwise, the client browser displays a warning that the certificate is invalid and might (depending on security settings) block the connection. To prevent this, after generating the self-signed root CA certificate, import it into the client systems' trusted root store.
.

In the Web UI, select Device > Certificate Management > Certificates.

Click Generate at the bottom of the page to create a new CA certificate.

Certificate Name: Enter CAXsslcert

Common Name: Enter the firewall's internal IP address, 10.1.1.250

Certificate Authority: Check the box

Click Generate to create the certificate.

Click OK to dismiss the Certificate Generation Success window.

Click CAXsslcert in the list of certificates to edit the Certificate Information.

Check the boxes for Forward Trust Certificate and Forward Untrust Certificate.

This lab uses one certificate for both roles for simplicity. The Forward Untrust certificate is what the firewall presents to the client when the server's real certificate is untrusted, so in production it should be a separate CA that clients do not trust; if the same trusted CA is used for both, users never see a warning for sites with invalid certificates.

Click OK to confirm the changes.

Task 3: Create SSL Decryption Policies

Decryption policies can apply to SSL and Secure Shell (SSH) traffic. With the SSH option, the firewall selectively decrypts outbound and inbound SSH traffic to ensure that secure protocols are not being used to tunnel disallowed applications and content.

In the Web UI, select Policies > Decryption.

Click Add to create an SSL decryption rule for the exception categories.

From the General tab

Name: Enter nodecrypttraffic

From the Source tab

Source Zone: Select Trusted

From the Destination tab

Destination Zone: Select Untrusted

From the Service/URL Category tab

URL Category: Click Add and add each of these URL categories:

financial-services
health-and-medicine
educational-institutions

From the Options tab

Action: Select No Decrypt

Click OK to close the configuration window.

Click Add to create the SSL decryption rule for general decryption.

From the General tab

Name: Enter decryptalltraffic

From the Source tab

Source Zone: Select Trusted

From the Destination tab

Destination Zone: Select Untrusted

From the Service/URL Category tab

Verify that the Any box is checked

From the Options tab

Action: Select Decrypt

Type: Select SSL Forward Proxy

Click OK to close the configuration window.

Confirm that your Decryption Policy list shows nodecrypttraffic above decryptalltraffic. Decryption rules are evaluated top-down and the first match wins, so if the catch-all decryptalltraffic rule were listed first, the exception rule would never be reached and the exempt categories would be decrypted.
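The objects created in Module 5 (Tasks 1 to 3) and the two decryption rules created in this task can also be built through the firewall's XML API rather than the Web UI. The following is an added example and is not part of the lab guide or of any Palo Alto Networks code. The config XPaths and element layout, a single vsys named vsys1, the helper names, and the environment variables PANOS_HOST and PANOS_API_KEY are assumptions; compare the element layout with an exported named configuration from your own firewall before pushing. It also includes a check that no no-decrypt exception is listed below a catch-all decrypt rule, since the decryption policy is first-match.

```python
"""Build, and optionally push, the Module 5/6 lab objects through the PAN-OS XML API.

Added example, not part of the lab guide. Assumptions to check against your own
firewall (Device > Setup > Operations > Export named configuration shows the
live schema): one vsys named vsys1, the XPaths and element layout below, and an
API key made with type=keygen. Nothing is sent unless push_config() is called.
"""
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

VSYS = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"

def _members(tag, values):
    """<tag><member>v</member>...</tag>, the list form used across the schema."""
    node = ET.Element(tag)
    for value in values:
        ET.SubElement(node, "member").text = value
    return node

def _xml(*nodes):
    return "".join(ET.tostring(n, encoding="unicode") for n in nodes)

def _profile_rules(rule, file_types, direction, last_tag, last_value):
    rules = ET.Element("rules")
    entry = ET.SubElement(rules, "entry", name=rule)
    entry.append(_members("application", ["any"]))
    entry.append(_members("file-type", file_types))
    ET.SubElement(entry, "direction").text = direction
    ET.SubElement(entry, last_tag).text = last_value
    return _xml(rules)

def file_blocking_profile(name, rule, file_types, action="block", direction="both"):
    """Objects > Security Profiles > File Blocking (Module 5, Task 1)."""
    return (f"{VSYS}/profiles/file-blocking/entry[@name='{name}']",
            _profile_rules(rule, file_types, direction, "action", action))

def wildfire_profile(name, rule, file_types, analysis="public-cloud", direction="both"):
    """Objects > Security Profiles > WildFire Analysis (Module 5, Task 2)."""
    return (f"{VSYS}/profiles/wildfire-analysis/entry[@name='{name}']",
            _profile_rules(rule, file_types, direction, "analysis", analysis))

def profile_group(name, file_blocking, wildfire):
    """Objects > Security Profile Groups (Module 5, Task 3). action=set merges
    into an existing group, so its antivirus and other members are kept."""
    return (f"{VSYS}/profile-group/entry[@name='{name}']",
            _xml(_members("file-blocking", [file_blocking]),
                 _members("wildfire-analysis", [wildfire])))

def decryption_rule(name, src_zone, dst_zone, categories, action, forward_proxy=False):
    """Policies > Decryption (Module 6, Task 3). A new entry lands at the bottom
    of the rulebase, so create the no-decrypt exception before the catch-all."""
    nodes = [_members("from", [src_zone]), _members("to", [dst_zone]),
             _members("source", ["any"]), _members("destination", ["any"]),
             _members("source-user", ["any"]), _members("service", ["any"]),
             _members("category", categories), ET.Element("action")]
    nodes[-1].text = action
    if forward_proxy:
        nodes.append(ET.Element("type"))
        ET.SubElement(nodes[-1], "ssl-forward-proxy")
    return f"{VSYS}/rulebase/decryption/rules/entry[@name='{name}']", _xml(*nodes)

def shadowed_exceptions(rules):
    """Decryption policy is first-match: a no-decrypt rule below a decrypt rule
    whose category is 'any' never fires. rules is the ordered list of
    (name, action, categories) as shown in Policies > Decryption."""
    catch_all_seen, shadowed = False, []
    for name, action, categories in rules:
        if catch_all_seen and action == "no-decrypt":
            shadowed.append(name)
        if action == "decrypt" and list(categories) == ["any"]:
            catch_all_seen = True
    return shadowed

def push_config(host, api_key, xpath, element, cafile=None):
    """One type=config&action=set call; returns the response status. cafile is the
    CA of the management certificate (export a lab box's self-signed cert and pass
    it here rather than turning verification off)."""
    params = {"type": "config", "action": "set", "key": api_key,
              "xpath": xpath, "element": element}
    url = f"https://{host}/api/?" + urllib.parse.urlencode(params)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return ET.fromstring(resp.read()).get("status")

if __name__ == "__main__":
    exempt = ["financial-services", "health-and-medicine", "educational-institutions"]
    lab = [file_blocking_profile("elabstudentfileblocking", "BlockPDF", ["pdf"]),
           wildfire_profile("elabstudent_wildfire", "EXE_Analysis", ["pe"]),
           profile_group("elabstudentprofilesgroup", "elabstudentfileblocking",
                         "elabstudent_wildfire"),
           decryption_rule("nodecrypttraffic", "Trusted", "Untrusted", exempt, "no-decrypt"),
           decryption_rule("decryptalltraffic", "Trusted", "Untrusted", ["any"], "decrypt",
                           forward_proxy=True)]
    host, key = os.environ.get("PANOS_HOST"), os.environ.get("PANOS_API_KEY")
    for xpath, element in lab:  # dry run (print) unless PANOS_HOST/PANOS_API_KEY are set
        print(push_config(host, key, xpath, element) if host and key else f"{xpath}\n  {element}")
```

As with the Web UI, the pushed objects sit in the candidate configuration until a commit (XML API type=commit with cmd=<commit></commit>, or the Commit link in the Web UI), which mirrors the "Commit the changes" step of Module 5, Task 3.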

Task 4: Modify the General Internet Security Policy

In the Web UI, select Policies > Security.

Open the Internet Connectivity policy.

On the Service/URL Category tab, change the Service drop-down from application-default to any. After decryption, the applications found inside the tunnel are seen on port 443 rather than on their default ports, and the rule must still match them.

Click OK to close.

Click the Commit link at the top right of the Web UI. Click OK again, wait until the commit process is complete, then continue.

Task 5: Test the SSL Decryption Policy

On the desktop, open a new Internet Explorer browser and go to www.eicar.org/85-0-Download.html.

Try to download a test file using HTTPS. A certificate error appears, because the browser does not trust the CAXsslcert root CA with which the firewall now re-signs the server certificate.

Click through the certificate error. The test file is blocked.

Close the browser window.

In the Web UI, examine the Monitor > Logs > Threat logs. The virus should have been detected because the SSL connection was decrypted.

Click the magnifying glass icon at the beginning of the line to show the Detailed Log View, maximize the view, and then check the Flags panel to verify that the Decrypted box is checked.

Task 6: Test the SSL No-Decryption Policy

Open the Mozilla Firefox browser to the Palo Alto Networks Test A Site page at https://urlfiltering.paloaltonetworks.com/testASite.aspx.

Click through the certificate error.

Enter www.bankofamerica.com in the URL Lookup field, enter the required CAPTCHA code, and click Search. The financial-services category appears.

Test other URLs that you believe are in the financial-services, health-and-medicine, and educational-institutions categories. For example:

Category: financial-services: www.citibank.com, www.goldmansachs.com
Category: health-and-medicine: www.pfizer.com
Category: educational-institutions: www.harvard.com

In the Web UI, select Monitor > Logs > Traffic.

Set the traffic log to display only port 443 traffic by entering (port.dst eq 443) in the filter field and clicking the right-facing green arrow.

If the Decrypted column is not displayed, display it by clicking the arrow next to one of the column titles, selecting Columns, and then selecting Decrypted.

Select 10 Seconds from the pull-down menu so that the display refreshes automatically. Leave this window open so that you can monitor the traffic.

In a new browser, use SSL (https://) to navigate to websites in the excluded URL categories. Use a site whose category you confirmed above (for example https://www.citibank.com); a site outside the three exempt categories, such as https://www.cisco.com, is decrypted by the general rule and serves only as a comparison.

Navigate to other websites as well (e.g., https://www.google.com, https://www.bing.com) for comparison purposes. Click through any certificate errors.

Select Monitor > Logs > Traffic.

Find an entry for one of the excluded categories by looking for an entry where Decrypted is listed as no.

Click the magnifying glass icon at the beginning of the line, and maximize the window to show the Log Details window.

Verify that the Decrypted box in the Flags panel is unchecked.
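The verification in Tasks 5 and 6 (filter the traffic log on port 443 and read the Decrypted flag) can be scripted against the XML API, which accepts the same filter syntax as the Web UI. The following is an added example, not part of the lab guide or of any Palo Alto Networks code. It assumes the two-step log query job of the XML API, that the "session was decrypted" bit in the traffic log flags field is 0x01000000 as listed in the PAN-OS syslog field descriptions (confirm for your release), and the environment variables PANOS_HOST and PANOS_API_KEY; the embedded response is constructed so that the script runs offline, and its third entry deliberately shows an exempt category that was decrypted, which is what a mis-ordered decryption policy produces.

```python
"""Pull the port-443 traffic log through the PAN-OS XML API and report which
sessions the firewall decrypted, per URL category (Module 6, Tasks 5 and 6).

Added example, not part of the lab guide. Assumptions: log retrieval is the
two-step job in the PAN-OS API docs (type=log&log-type=traffic&query=... returns
a job id, type=log&action=get&job-id=N returns the <entry> records); the
"session was decrypted" bit of the traffic-log <flags> field is 0x01000000 as
given in the PAN-OS syslog field descriptions (confirm for your release); the
response below is constructed, not captured from a firewall.
"""
import ssl
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

DECRYPTED_FLAG = 0x01000000   # assumption, see module docstring
EXEMPT = {"financial-services", "health-and-medicine", "educational-institutions"}

# Constructed sample of a finished log job. Entry 3 is deliberately wrong: an
# exempt category that was decrypted, which a mis-ordered policy produces.
SAMPLE_RESPONSE = """<response status="success"><result>
<job><status>FIN</status><id>7</id></job>
<log><logs count="4" progress="100">
<entry logid="1"><from>Trusted</from><to>Untrusted</to><src>10.1.1.10</src><dst>192.0.2.10</dst>
<dport>443</dport><app>ssl</app><category>financial-services</category><flags>0x400000</flags></entry>
<entry logid="2"><from>Trusted</from><to>Untrusted</to><src>10.1.1.10</src><dst>192.0.2.20</dst>
<dport>443</dport><app>web-browsing</app><category>search-engines</category><flags>0x1400000</flags></entry>
<entry logid="3"><from>Trusted</from><to>Untrusted</to><src>10.1.1.10</src><dst>192.0.2.30</dst>
<dport>443</dport><app>web-browsing</app><category>health-and-medicine</category><flags>0x1400000</flags></entry>
<entry logid="4"><from>Trusted</from><to>Untrusted</to><src>10.1.1.10</src><dst>192.0.2.40</dst>
<dport>443</dport><app>ssl</app><category>educational-institutions</category><flags>0x400000</flags></entry>
</logs></log></result></response>"""

def parse_entries(xml_text):
    """Flatten each <entry> into a dict and decode the decrypted bit from <flags>."""
    entries = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        rec = {child.tag: (child.text or "") for child in entry}
        rec["logid"] = entry.get("logid")
        rec["decrypted"] = bool(int(rec.get("flags", "0"), 16) & DECRYPTED_FLAG)
        entries.append(rec)
    return entries

def summarize(entries):
    """category -> (decrypted, not decrypted) counts: the Decrypted column in bulk."""
    counts = {}
    for rec in entries:
        dec, plain = counts.get(rec["category"], (0, 0))
        counts[rec["category"]] = (dec + rec["decrypted"], plain + (not rec["decrypted"]))
    return counts

def exemption_violations(entries, exempt=EXEMPT):
    """Sessions in an exempt category that were decrypted anyway. In the lab that
    means the no-decrypt rule is missing, sits below the catch-all decrypt rule,
    or the site is categorized differently from what you assumed."""
    return [rec for rec in entries if rec["category"] in exempt and rec["decrypted"]]

def fetch_traffic_log(host, api_key, query="(port.dst eq 443)", nlogs=100, cafile=None):
    """Same filter syntax as the Monitor > Logs > Traffic filter field. cafile is
    the CA of the management certificate (export a lab box's self-signed cert)."""
    ctx = ssl.create_default_context(cafile=cafile)

    def call(params):
        url = f"https://{host}/api/?" + urllib.parse.urlencode({**params, "key": api_key})
        with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
            return resp.read()

    job_id = ET.fromstring(call({"type": "log", "log-type": "traffic",
                                 "query": query, "nlogs": str(nlogs)})).findtext(".//job")
    while True:  # the query runs as a job; poll until it reports FIN
        body = call({"type": "log", "action": "get", "job-id": job_id})
        if ET.fromstring(body).findtext(".//job/status") == "FIN":
            return body.decode()
        time.sleep(2)

if __name__ == "__main__":
    import os
    host, key = os.environ.get("PANOS_HOST"), os.environ.get("PANOS_API_KEY")
    body = fetch_traffic_log(host, key) if host and key else SAMPLE_RESPONSE
    entries = parse_entries(body)
    for category, (dec, plain) in sorted(summarize(entries).items()):
        print(f"{category:28} decrypted={dec} not-decrypted={plain}")
    for rec in exemption_violations(entries):
        print(f"VIOLATION logid={rec['logid']} {rec['category']} {rec['src']}->{rec['dst']} was decrypted")
```

Note that the App column is itself a useful cross-check: a session the firewall could not decrypt stays identified as ssl, whereas a decrypted one is identified by the application inside the tunnel (web-browsing in the sample), which is also why the Internet Connectivity rule's Service had to be widened in Task 4.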

You have successfully completed Module 6: Decryption
