The Palo Alto firewall uses file blocking profiles two ways: to forward files to WildFire for analysis, or to block specified file types over specified applications and in the specified session flow direction (inbound/outbound/both). You can set the profile to alert or block on upload and/or download, and you can specify which applications will be subject to the file blocking profile. You can also configure custom block pages that will appear when a user attempts to download the specified file type.
In the Web UI, select Objects > Security Profiles > File Blocking.
Click Add to create a file blocking profile.
Name: Enter elab-student-file-blocking
Rules list: Click Add and create a rule with these parameters:
Rule Name: Enter BlockPDF
Applications: any
File Types: pdf
Direction: both
Action: block
Click OK to close the File Blocking Profile window.
In the Web UI, select Objects > Security Profiles > WildFire Analysis.
Click Add to create a WildFire analysis profile.
Name: Enter elabstudent_wildfire
Rules list: Click Add and create a rule with these parameters:
Name: EXE_Analysis
Applications: any
File Types: pe
Direction: both
Analysis: public-cloud
Click OK.
In the Web UI, select Objects > Security Profile Groups.
Open the elab-student-profiles group.
Choose elab-student-file-blocking as the file blocking profile.
Choose elabstudent_wildfire as the WildFire analysis profile.
Click OK.
Commit the changes.
Open a new browser window to http://www.panedufiles.com/. The site opens.
Click the Panorama_AdminGuide70.pdf link. A File Download Blocked page appears.
Select Monitor > Logs > Data Filtering and find the entry for the pdf file that has been blocked.
On the Desktop, open a new browser window to: http://wildfire.paloaltonetworks.com/publicapi/test/pe. This site generates an attack file with a unique signature, which simulates a zero-day attack.
Save the file, without opening it, to the Downloads directory.
To verify the file was uploaded to the Public WildFire Cloud, use PuTTY to SSH into the firewall.
When logged in via SSH, enter the debug wildfire upload-log show command to view the output showing "log: 0, filename: wildfire-test-pe-file.exe processed....".
This verifies the file was uploaded to the WildFire Public Cloud.
Select Monitor > Logs > WildFire Submissions. After some time has passed (maybe as long as 10 minutes), find the entry for wildfire-test-pe-file.exe that has been submitted to WildFire and identified as malicious.
Click the magnifying glass icon next to the entry to see the Detailed Log View of the WildFire entry.
On the Log Info tab, check the information within the General, Details, and Destination panels.
Then look at the information in the WildFire Analysis Report tab.
Log out and close the SSH putty.exe session. Close the Downloads directory on the student remote desktop.
You have successfully completed Module 5: File Blocking and WildFire
Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Decryption on a Palo Alto Networks firewall includes the capability to enforce security policies on encrypted traffic, where otherwise the encrypted traffic might not be blocked and shaped according to your configured security settings. Use decryption on a firewall to prevent malicious content from entering your network, or sensitive content from leaving your network, concealed as encrypted traffic.
Enabling decryption on a Palo Alto Networks firewall can include preparing the keys and certificates required for decryption, creating a decryption policy, and configuring decryption port mirroring.
In this task we will demonstrate how, without decryption enabled, the Palo Alto firewall allows encrypted traffic to pass through uninspected. SSL decryption and SSH decryption are disabled by default.
For this lab, we will use the Internet Explorer browser. Chrome has its own virus detection system, and Firefox has its own certificate repository.
From the desktop, open an Internet Explorer browser and browse to www.eicar.org/85-0-Download.html.
Scroll to the bottom of the page and use HTTP to download one of the test files.
The file will be blocked and a warning page appears.
Click the Back button and use HTTPS to download one of the files. The file will download (but may be deleted by the browser).
Select Monitor > Logs > Threat to view the log. Only the non-encrypted download should appear in the log. SSL encryption has hidden the contents of the second test file from the firewall, and so it is not detected as a threat.
A self-signed root certificate authority (CA) certificate is the topmost certificate in a certificate chain. A firewall can use this certificate to automatically issue certificates for other uses. For example, the firewall issues certificates for SSL/TLS decryption and for satellite devices in a GlobalProtect large-scale VPN.
When establishing a secure connection with the firewall, the remote client must trust the root CA that issued the certificate. Otherwise, the client browser will display a warning that the certificate is invalid and might (depending on security settings) block the connection. To prevent this, after generating the self-signed root CA certificate, import it into the client systems.
In the Web UI, select Device > Certificate Management > Certificates.
Click Generate at the bottom of the page to create a new CA certificate.
Certificate Name: Enter CAXsslcert
Common Name: Enter <internal IP Address 10.1.1.250>
Certificate Authority: Check the box
Click Generate to create the certificate.
Click OK to dismiss the Certificate Generation Success window.
Click CAXsslcert in the list of certificates to edit the Certificate Information.
Check the boxes for Forward Trust Certificate and Forward Untrust Certificate.
Click OK to confirm the changes.
Decryption policies can apply to SSL and Secure Shell (SSH) traffic. With the SSH option, the firewall selectively decrypts outbound and inbound SSH traffic to assure that secure protocols are not being used to tunnel disallowed applications and content.
In the Web UI, select Policies > Decryption.
Click Add to create an SSL decryption rule for the exception categories.
From the General tab
Name: Enter no-decrypt-traffic
From the Source tab
Source Zone: Select Trusted
From the Destination tab
Destination Zone: Select Untrusted
From the Service/URL Category tab
URL Category: Click Add and add each of these URL categories:
financial-services
health-and-medicine
educational-institutions
From the Options tab
Action: Select No Decrypt
Click OK to close the configuration window.
Click Add to create the SSL Decryption Rule for general decryption.
From the General tab
Name: Enter decrypt-all-traffic
From the Source tab
Source Zone: Select Trusted
From the Destination tab
Destination Zone: Select Untrusted
From the Service/URL Category tab
Verify that the any box is checked
From the Options tab
Action: Select Decrypt
Type: Select SSL Forward Proxy
Click OK to close the configuration window.
Confirm that your Decryption Policy list looks like this:
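The reason the exception rule is created before the general rule is that a decryption policy list is evaluated top-down and the first matching rule wins. The following model, added here as an illustration and not Palo Alto Networks code, uses the lab's two rule names, zones, categories and actions and assumes first-match evaluation; its shadowed_rules check shows what goes wrong if the catch-all decrypt rule is placed above the exception rule.

```python
"""Model of first-match decryption policy evaluation.

Added illustration written for this page, not Palo Alto Networks code.
Rule names, zones, URL categories and actions are the ones the lab
configures; the matching logic is a simplified model that assumes an
ordered, first-match policy list.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# URL categories the lab's exception rule exempts from decryption.
NO_DECRYPT_CATEGORIES = {"financial-services", "health-and-medicine", "educational-institutions"}


@dataclass
class DecryptionRule:
    name: str
    source_zone: str
    destination_zone: str
    url_categories: Set[str] = field(default_factory=set)  # empty set = any category
    action: str = "no-decrypt"   # "no-decrypt" or "decrypt"
    decrypt_type: str = ""       # "ssl-forward-proxy" when action is "decrypt"

    def matches(self, src_zone: str, dst_zone: str, url_category: str) -> bool:
        if (src_zone, dst_zone) != (self.source_zone, self.destination_zone):
            return False
        return not self.url_categories or url_category in self.url_categories


# The two rules from the lab, in the order the lab creates them.
LAB_POLICY: List[DecryptionRule] = [
    DecryptionRule("no-decrypt-traffic", "Trusted", "Untrusted",
                   set(NO_DECRYPT_CATEGORIES), "no-decrypt"),
    DecryptionRule("decrypt-all-traffic", "Trusted", "Untrusted",
                   set(), "decrypt", "ssl-forward-proxy"),
]


def evaluate(policy: List[DecryptionRule], src_zone: str, dst_zone: str,
             url_category: str) -> Tuple[Optional[str], str]:
    """Return (rule name, action) of the first rule that matches the session.

    A session matching no rule is passed through without decryption, which
    is the default behaviour the lab demonstrated before any rule existed.
    """
    for rule in policy:
        if rule.matches(src_zone, dst_zone, url_category):
            return rule.name, rule.action
    return None, "no-decrypt"


def shadowed_rules(policy: List[DecryptionRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule with the
    same zones already covers every category they list (the ordering error
    of putting a catch-all decrypt rule above the exception rule)."""
    shadowed = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            same_zones = (earlier.source_zone, earlier.destination_zone) == \
                         (rule.source_zone, rule.destination_zone)
            covers = bool(not earlier.url_categories or
                          (rule.url_categories and rule.url_categories <= earlier.url_categories))
            if same_zones and covers:
                shadowed.append(rule.name)
                break
    return shadowed


if __name__ == "__main__":
    for cat in ("financial-services", "search-engines"):
        print(cat, "->", evaluate(LAB_POLICY, "Trusted", "Untrusted", cat))
    print("shadowed in lab order:", shadowed_rules(LAB_POLICY))
    print("shadowed if reversed:", shadowed_rules(list(reversed(LAB_POLICY))))
```

With the lab order, a financial-services session hits no-decrypt-traffic and everything else falls through to decrypt-all-traffic; with the order reversed, the exception rule is reported as shadowed and financial-services traffic would be decrypted, which is exactly the condition the Traffic log check later in the module is meant to catch.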
In the Web UI, select Policies > Security.
Open the Internet Connectivity policy.
Change the dropdown box from application-default to any.
Click OK to close.
Click the Commit link at the top right of the Web UI. Click OK again, wait until the commit process is complete, then continue.
On the desktop, open a new Internet Explorer browser and go to www.eicar.org/85-0-Download.html.
Try to download a test file using https. A certificate error appears.
Click through the certificate error. The test file is blocked.
Close the browser window.
In the Web UI, examine the Monitor > Logs > Threat logs. The virus should have been detected because the SSL connection was decrypted.
Click the magnifying glass icon at the beginning of the line to show the Detailed Log View, maximize the view, and then check the Flags panel to verify the Decrypted box is checked.
Open the Mozilla Firefox browser to the Palo Alto Networks Test A Site page at https://urlfiltering.paloaltonetworks.com/testASite.aspx.
Click through the certificate error.
Enter www.bankofamerica.com in the URL Lookup field, enter the required Captcha Code, and click Search. The financial-services category appears.
Test other URLs that you believe are in the categories for financial services, health and medicine, and education. For example:
Category: financial-services, www.citibank.com, www.goldmansachs.com
Category: health-and-medicine, www.pfizer.com
Category: education, www.harvard.com
In the Web UI, select Monitor > Logs > Traffic.
Set the traffic log to display only port 443 traffic by entering (port.dst eq 443) in the filter field and clicking the right-facing green arrow.
If the Decrypted column is not displayed, display it by clicking the arrow next to one of the column titles, selecting Columns, and then selecting Decrypted.
Select 10 Seconds from the pull-down menu so that the display will refresh automatically. Leave this window open so that you can monitor the traffic.
In a new browser, use SSL (https://) to navigate to the websites that you created in the excluded URL categories, e.g. https://www.cisco.com
Navigate to other websites as well (e.g., https://www.google.com, https://www.bing.com) for comparison purposes. Click through any certificate errors.
Select Monitor > Logs > Traffic.
Find an entry for one of the excluded categories by looking for an entry where Decrypted is listed as no.
Click the magnifying glass icon at the beginning of the line, and maximize the window to show the Log Details window.
Verify that the Decrypted box in the Flags panel is unchecked.
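The same check can be run over an exported Traffic log instead of eyeballing the Decrypted column. The script below is an added example written for this page, not Palo Alto Networks code: it applies the equivalent of the (port.dst eq 443) filter to a CSV and reports every port-443 session whose Decrypted flag disagrees with the module's policy. The column names and the sample rows are constructed for the illustration (addresses from the RFC 5737 documentation ranges), not taken from a real export.

```python
"""Audit a Traffic log export for decryption coverage on port 443.

Added example written for this page, not Palo Alto Networks code. The CSV
column names and the sample rows are constructed for this illustration.
"""
import csv
import io
from typing import Dict, List, Tuple

# Categories the lab's no-decrypt rule exempts from decryption.
NO_DECRYPT_CATEGORIES = {"financial-services", "health-and-medicine", "educational-institutions"}

# Constructed sample export: one exempt session correctly left encrypted, one
# decrypted session in a normal category, one port-80 session the filter must
# drop, one exempt session wrongly decrypted, and one visibility gap.
SAMPLE_TRAFFIC_LOG = """\
Receive Time,Source address,Destination address,Destination Port,Application,URL Category,Decrypted
2016/01/01 10:00:01,192.0.2.10,198.51.100.1,443,ssl,financial-services,no
2016/01/01 10:00:02,192.0.2.10,198.51.100.2,443,web-browsing,search-engines,yes
2016/01/01 10:00:03,192.0.2.11,198.51.100.3,80,web-browsing,computer-and-internet-info,no
2016/01/01 10:00:04,192.0.2.11,198.51.100.4,443,web-browsing,educational-institutions,yes
2016/01/01 10:00:05,192.0.2.12,198.51.100.5,443,ssl,business-and-economy,no
"""


def port_443_sessions(csv_text: str) -> List[Dict[str, str]]:
    """Equivalent of the lab's (port.dst eq 443) log filter."""
    return [row for row in csv.DictReader(io.StringIO(csv_text))
            if row["Destination Port"].strip() == "443"]


def audit_decryption(csv_text: str, excluded=NO_DECRYPT_CATEGORIES) -> List[Tuple[str, str, str]]:
    """Compare each port-443 session's Decrypted flag with what the policy
    should have done. Returns (destination, category, finding) tuples:
      - "decrypted-but-excluded": an exempt category was decrypted, so the
        exception rule did not take effect (ordering or categorisation issue)
      - "not-decrypted": a non-exempt category passed without inspection,
        the visibility gap the module's first test demonstrated
    """
    findings = []
    for row in port_443_sessions(csv_text):
        decrypted = row["Decrypted"].strip().lower() == "yes"
        exempt = row["URL Category"].strip() in excluded
        if exempt and decrypted:
            findings.append((row["Destination address"], row["URL Category"], "decrypted-but-excluded"))
        elif not exempt and not decrypted:
            findings.append((row["Destination address"], row["URL Category"], "not-decrypted"))
    return findings


if __name__ == "__main__":
    for finding in audit_decryption(SAMPLE_TRAFFIC_LOG):
        print(*finding)
```

On the constructed sample the audit flags the educational-institutions session that was decrypted despite the exception rule and the business-and-economy session that was never decrypted; a clean run of the lab's policy against real exports should return an empty list.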
You have successfully completed Module 6: Decryption