Professional Documents
Culture Documents
Pan8 Cybersecurity Essentials Lab 4: Allowing Only Trusted Applications
Pan8 Cybersecurity Essentials Lab 4: Allowing Only Trusted Applications
NETLAB Academy Edition, NETLAB Professional Edition, and NETLAB+ are registered trademarks of Network Development Group, Inc.
Palo Alto Networks and the Palo Alto Networks logo are trademarks or registered trademarks of Palo Alto Networks, Inc.
Lab 4: Allowing Only Trusted Applications
Contents
Introduction ........................................................................................................................ 3
Objective ............................................................................................................................. 3
Lab Topology ....................................................................................................................... 4
Lab Settings ......................................................................................................................... 5
4 Lab: Allowing Only Trusted Applications ................................................................... 6
4.0 Load Lab Configuration ....................................................................................... 6
4.1 Create an Application Group ............................................................................. 10
4.2 Modify Security Policy ....................................................................................... 12
4.3 Commit and Test ............................................................................................... 14
Introduction
In this lab, you will configure the Firewall to only allow trusted applications by creating
an application group and adding it to an existing security policy.
Objective
Lab Topology
Lab Settings
The information in the table below will be needed in order to complete the lab. The
task sections below provide details on the use of this information.
4. In the Google Chrome address field, type https://192.168.1.254 and press Enter.
5. You will see a “Your connection is not private” message. Click on the ADVANCED
link.
8. Navigate to Device > Setup > Operations > Load named configuration snapshot.
9. In the Load Named Configuration window, select pan8-ce-lab-04 from the Name
dropdown box and click OK.
10. A message will confirm the configuration has loaded. Click Close to continue.
11. Click the Commit link located at the top-right of the web interface.
12. In the Commit window, click Commit to proceed with committing the changes.
13. When the commit operation successfully completes, click Close to continue.
The commit process takes changes made to the Firewall and copies
them to the running configuration, which will activate all configuration
changes since the last commit.
In this section, you will create an application group. To simplify the creation of security
policies, applications requiring the same security settings can be combined by creating
an application group.
2. In the Application Group window, type Trusted-Apps in the Name field. Then,
click the Add button.
3. In the Application Group window, type facebook in the search box under the
Applications column. Then, click on facebook under Application.
4. In the Application Group window, click the Add button again. Then, type dns in
the search box under the Applications column. Next, click on dns under
Application.
In this section, you will modify the Allow-Inside-Out security policy to only allow the
applications in the application group, Trusted-Apps, you created earlier.
3. In the Security Policy Rule window, click on the Application tab. Then, click the
Add button. Next, type Trusted-Apps in the search box under the Applications
column. Finally, select Trusted-Apps under Application group.
In this section, you will commit changes to the Firewall. Then, you will test the security
policy you modified earlier. Next, you will add an additional application to the
application group, Trusted-Apps. Finally, you will verify the additional application is
allowed.
1. Click the Commit link located at the top-right of the web interface.
2. In the Commit window, click Commit to proceed with committing the changes.
9. Looking at the bottom, notice the application facebook-base has the action of
allow based on rule Allow-Inside-Out. Then, notice the application web-
browsing has the action reset-both based on the rule interzone-default, which
has a session end reason of policy-deny. Next, notice the application dns has the
action of allow based on the rule Allow-Inside-Out.
12. To add the application, google-base, to the application group you created,
navigate to Objects > Application Groups.
15. In the Application Group window, type google in the search box under the
Applications column. Then, click on google-base under Application.
17. Click the Commit link located at the top-right of the web interface.
18. In the Commit window, click Commit to proceed with committing the changes.
19. When the commit operation successfully completes, click Close to continue.