Management:
Essentials I
Lab Manual
PAN-OS 5.0
PAN-EDU-101 Rev A.200
Typographical Conventions
This guide uses the following typographical conventions for special terms and instructions.
Boldface: Names of commands, keywords, and selectable items in the web interface. Example: Click Security to open the Security Rule Page.
Italics: Names of parameters, files, directories, or Uniform Resource Locators (URLs). Example: The address of the Palo Alto Networks home page is http://www.paloaltonetworks.com
courier font: Coding examples and text that you enter at a command prompt. Example: Enter the following command: a:\setup
Click: Click the left mouse button. Example: Click Administrators under the Device tab.
Right-click: Click the right mouse button. Example: Right-click on the number of a rule you want to copy, and select Clone Rule.
Table of Contents
How to use this Lab Guide
Lab Guide Objectives
Lab Equipment Setup
Lab Assumptions
Student Firewall Interface Settings
Module 4 – App-ID
    Scenario 1
    Required Information
    Scenario 2
    Required Information
    Lab Notes
Solutions
    Module 1 – Introduction (Lab Access)
    Module 2 – Interface Configuration
    Module 3 – Layer 3 Configuration
    Module 4 – App-ID
    Module 5 – Content-ID
    Module 6 – Decryption
How to use this Lab Guide
The scenario describes the lab exercise in terms of objectives and customer requirements. Minimal
instructions are provided to encourage students to solve the problem on their own. If appropriate, the
scenario includes a diagram and a table of the required information needed to complete the exercise.
The solution is designed to help students who prefer step-by-step, task-based labs. Alternatively, students
who start with the scenario can use the solution to check their work or to get help if they get stuck on
a problem.
The CLI reference is intended as a starting point for students interested in the CLI commands. A partial set
of CLI commands is provided for students to research further in the Palo Alto Networks Command Line
Reference Guide.
NOTE: Unless specified, the Google Chrome web browser and the PuTTY SSH client will be used to perform
any tasks outlined in the following labs.
Lab Guide Objectives
1. Configure the basic components of the firewall, including interfaces, security zones, and security
policies.
2. Configure basic Layer 3 settings, such as IP addressing and NAT policies.
3. Configure basic Content-ID functionality, including antivirus protection and URL filtering.
4. Configure SSL decryption.
With special thanks to all of those Palo Alto Networks employees and ATC partners whose invaluable help
enabled this training to be built, tested, and deployed.
Lab Equipment Setup
[Lab equipment diagram; only the labels survived extraction: DHCP-enabled Network, Internet]
Lab Assumptions
These lab instructions assume the following conditions:
1. The student is using a PA-200 firewall which has been registered with Palo Alto Networks Support.
2. The PA-200 firewall is using the default IP address on the MGT interface (192.168.1.1) and the default
password (admin) for the admin account.
3. The firewall is licensed for Support, Threat Prevention, and URL Filtering.
4. All network connectivity for the student laptop used for the lab has been disabled except for the Ethernet
adapter which will be connected to the firewall.
5. The firewall should have no policies defined on it.
6. The network that the student will connect to has a DHCP server from which the firewall can obtain an IP
address and DNS information.
7. There are no other Palo Alto Networks firewalls between the student’s PA-200 and the internet. The labs
will still work if upstream firewalls exist, but the results will vary based on the firewall settings.
Module 1 – Introduction (Lab Access)
Scenario
You have been tasked with integrating a new firewall into your environment. The firewall is configured
with the factory default IP address and administrator account. You will need to change the IP address of
your laptop to communicate with the default IP address of the MGT port.
If your firewall has settings you would like to restore after the completion of this lab, save the current
configuration so that it can be reloaded on the firewall. Apply a saved configuration to the firewall so that
it is in a known state.
In preparation for the new deployment, create a role for an assistant administrator which allows access to
all firewall functionality through the WebUI except Monitor, Network, Privacy, and Device. The account
should have no access to the XML API or the CLI. Create an account using this role. Additionally, change the
password of the admin account to disable the warnings about using default credentials.
Required Information
Named Configuration Snapshot: PAN-EDU-101-Default
New Administrator Role name: Policy Admins
New Administrator Account name: ip-admin
New Administrator Account password: paloalto
New password for the admin account: paloalto
Module 2 – Interface Configuration
Scenario:
You are preparing the firewall for a simple proof of concept (POC). In order to demonstrate firewall
features with a minimum of changes to the existing network, you have decided to use virtual wire to pass
traffic through the firewall for one network segment and a tap interface to monitor a different network
segment.
Configure the virtual wire and create zones so that policy rules can be defined. Create a tap interface and
the associated zone.
Note: Due to the limited number of interfaces available on a PA-200, the configurations set in this lab will be
immediately removed so that the interfaces may be reused for later labs.
Required Information
Interface to use for tap interface: Ethernet1/3
Interfaces to use for virtual wire: Ethernet1/3, Ethernet1/4
Name for the tap zone: tap-zone
Names for the virtual wire zones: vwire-zone-3, vwire-zone-4
Name for the virtual wire object: student-vwire
Module 3 – Layer 3 Configuration
Scenario:
The POC went well and the decision was made to use the Palo Alto Networks firewall in the network. You
are to create two zones, Untrust-L3 and Trust-L3. The external-facing interface in Untrust-L3 will get an IP
address from a DHCP server on the external network. Trust-L3 will be where the internal clients connect to
the firewall and so the interface in Trust-L3 will provide DHCP addresses to these internal clients. The
DHCP server you configure in the Trust-L3 zone will inherit DNS settings from the external facing interface.
Both the internal and external interfaces on the firewall must route traffic through the external-facing
interface by default. The interface in Untrust-L3 must be configured to respond to pings and the interface
in Trust-L3 must be able to provide all management services. NOTE: You will not be able to test whether
the Untrust-L3 interface responds to pings until the next lab.
Once you have completed the Layer 3 configurations, you will need to move the physical Ethernet cable
from the MGT port to the ethernet1/4 port of the PA-200. You must also change the settings of the LAN
interface on your laptop to use DHCP-supplied network information (IP address and DNS servers) instead
of static settings.
When the firewall is fully configured, a NAT policy must exist so that all traffic originating in the Trust-L3
zone appears to come from the external-facing address of the firewall.
Required Information
Interface Management Profile Names: allow_all, allow_ping
Internal-facing IP Address: 192.168.2.1/24
External-facing interface: Ethernet1/3
Internal-facing interface: Ethernet1/4
DHCP Server: Gateway: 192.168.2.1
DHCP Server: Inheritance Source: Ethernet1/3
DHCP Server: Primary DNS: inherited
DHCP Server: IP address range: 192.168.2.50-192.168.2.60
Virtual Router Name: Student-VR
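The NAT requirement above (everything from Trust-L3 appears to come from the external-facing address) is the dynamic IP and port source NAT that the solution later names "Student Source NAT". The following Python model is an added example, not code from the lab guide or from PAN-OS; it shows the session table such a rule maintains, why two internal hosts can share one external address, and why an unsolicited inbound packet has no session to map back to. The external address 203.0.113.7, the internal hosts and the destination are constructed sample values standing in for whatever DHCP assigns to ethernet1/3.

```python
"""Dynamic IP and port (DIPP) source NAT, as used by the lab's
"Student Source NAT" policy. Added example, not part of the lab guide
or PAN-OS; addresses below are constructed sample values."""
from dataclasses import dataclass

EXTERNAL_ADDRESS = "203.0.113.7"   # constructed stand-in for the DHCP lease on ethernet1/3
PORT_POOL = range(1025, 65536)     # translated source ports the firewall may hand out


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Translates Trust-L3 -> Untrust-L3 sessions to the interface address."""

    def __init__(self, src_zone="Trust-L3", dst_zone="Untrust-L3",
                 xlate_ip=EXTERNAL_ADDRESS):
        self.src_zone, self.dst_zone, self.xlate_ip = src_zone, dst_zone, xlate_ip
        self.sessions = {}   # original (src_ip, src_port, dst_ip, dst_port) -> translated port
        self.reverse = {}    # (translated port, dst_ip, dst_port) -> (src_ip, src_port)
        self._free_ports = iter(PORT_POOL)

    def outbound(self, p: Packet) -> Packet:
        """Apply the NAT rule to a packet leaving the firewall."""
        if (p.src_zone, p.dst_zone) != (self.src_zone, self.dst_zone):
            return p   # the rule's Original Packet criteria do not match: no translation
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self.sessions:
            port = self._allocate(p.dst_ip, p.dst_port)
            self.sessions[key] = port
            self.reverse[(port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return Packet(p.src_zone, p.dst_zone, self.xlate_ip, self.sessions[key],
                      p.dst_ip, p.dst_port)

    def _allocate(self, dst_ip, dst_port):
        # A translated port only has to be unique per destination; this simple
        # allocator just takes the next unused port from the pool.
        for port in self._free_ports:
            if (port, dst_ip, dst_port) not in self.reverse:
                return port
        raise RuntimeError("translated port pool exhausted")

    def inbound_reply(self, xlate_port, peer_ip, peer_port):
        """Map a reply sent to EXTERNAL_ADDRESS:xlate_port back to the internal
        host, or None when no session exists (the packet is dropped)."""
        return self.reverse.get((xlate_port, peer_ip, peer_port))


if __name__ == "__main__":
    nat = SourceNat()
    for host in ("192.168.2.50", "192.168.2.51"):   # two DHCP clients in Trust-L3
        out = nat.outbound(Packet("Trust-L3", "Untrust-L3", host, 40000,
                                  "198.51.100.10", 443))
        print(host, "->", out.src_ip, out.src_port)
    print("reply to 1025 maps to", nat.inbound_reply(1025, "198.51.100.10", 443))
    print("unsolicited reply maps to", nat.inbound_reply(5000, "198.51.100.10", 443))
```

Because the translation keys on the full original 4-tuple, a second packet of the same session reuses its translated port, while a different internal host talking to the same server gets a new one; that is what lets a single DHCP-assigned external address serve the whole Trust-L3 range.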
Module 4 – App-ID
In this lab you will:
• Enable the firewall to communicate with the Palo Alto Networks update server
• Update the threat definitions and OS of the firewall
• Create a security policy to allow basic internet connectivity and log dropped traffic
• Enable Application Block pages
• Create Application Filters and Application Groups
Scenario 1:
In order to update the software on the firewall, you must enable the DNS, paloalto-updates, and SSL
applications to pass between the zones. The applications should only be permitted on application default
ports. Configure the firewall to communicate with DNS and Palo Alto Networks update servers through the
Trust-L3 interface.
Once these configurations are complete, license your firewall. Update the Threats and Applications datafile
to the most recent version. If necessary, upgrade your firewall to PAN-OS 5.0.1. (Note: More recent
versions of PAN-OS may be available but the labs have been tested on 5.0.1.)
Required Information
DNS Server for the MGT functions: 4.2.2.2
Address to use for Service Routes: 192.168.2.1/24
Name to use for Security Policy: General Internet
Scenario 2:
At this point, the firewall is configured but not passing traffic. Security policies must be defined before
traffic will flow between zones. To facilitate testing and present the minimal amount of risk to the network
traffic, the policies will be established in a three-phase deployment:
Phase 1: Modify the General Internet policy to allow users in the Trust-L3 zone to use a set of
commonly used applications to access the internet. The applications should only be permitted on
application default ports. All other traffic (inbound and outbound) should be blocked and logged so
that you can identify what other applications are being used. This will help generate lists of good
and bad applications to be managed in the later phases.
Phase 2: Configure the firewall to notify users when blocked applications are used so that the
helpdesk does not get called for “connection issues” that are actually blocked applications.
Phase 3: The results from the first two phases of testing result in the following discoveries:
• The logs from phase 1 show heavy use of a variety of internet proxies and client-server
gaming applications by users in the Trust-L3 zone. Management mandates that you
explicitly prevent use of these applications.
• For ease of configuration, your team decides to create groups for the allowed and denied
applications to reduce the number of policies required on the firewall.
• The rules blocking all unmatched traffic were too restrictive for your environment. The
testing denied access to numerous vital applications, causing a surge in support calls. Any
traffic which does not match the allowed or denied lists should be allowed but logged for
future policy decisions.
Modify General Internet and create new policies (Block-Known-Bad and Log-All) to meet these new
requirements. Remove the other policies created in Phase 1.
Required Information
Phase 1 Allowed Applications: dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
Phase 1 Security Policy names: General Internet, Deny Inbound, Deny Outbound
Phase 3 Application Filter names: Proxies, Web-Based-File-Sharing
Phase 3 Security Policy names: General Internet, Deny Inbound, Block-Known-Bad, Log-All
Setting for Proxies application filter: Subcategory: Proxies
Settings for Web-Based-File-Sharing application filter: Subcategory: file-sharing; Technology: browser-based
Phase 3 Application Group names: Known-Good, Known-Bad
Members of the Known-Good application group: dns, fileserve, flash, ftp, paloalto-updates, ping, web-browsing, ssl
Members of the Known-Bad application group: Proxies, Web-Based-File-Sharing
Lab Notes
• During Phase 1, test your connectivity by connecting to http://www.box.net (login: student@pan-edu.com,
password: paloalto1). Use the traffic logs to determine how the firewall handles that connection.
• During Phase 2, check to see what happens when you browse to www.facebook.com before and
after you make your changes.
• The lab solutions use the buttons at the bottom of the policy screens to change the order of the
rules. Rules can also be reordered by clicking and dragging the rules to the desired location.
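The Phase 3 rulebase only behaves as intended if the rules are evaluated top-down with the first match winning, and if General Internet is restricted to application-default ports. The following Python model is an added example, not code from the lab guide or PAN-OS; it reproduces just enough of security policy matching (zones, application groups, the application-default service, rule order) to show why Block-Known-Bad must sit above Log-All and what happens to an allowed application seen on a non-standard port. The port table and the Known-Bad member names (example-proxy, example-web-file-share) are constructed for illustration; real App-ID definitions are richer.

```python
"""First-match evaluation of the lab's Phase 3 security rulebase.
Added example, not part of the lab guide or PAN-OS. The port table and
the Known-Bad application names below are constructed stand-ins."""
from dataclasses import dataclass
from typing import Optional

# Constructed application-default port table: app -> {(protocol, port)}.
APP_DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)},
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ftp": {("tcp", 21)},
    "paloalto-updates": {("tcp", 443)},
    "ping": {("icmp", 0)},
    "flash": {("tcp", 80)},
    "fileserve": {("tcp", 80)},
}

# Application groups named in the lab. Known-Bad would really be the
# Proxies and Web-Based-File-Sharing filters; these names stand in for them.
KNOWN_GOOD = frozenset({"dns", "fileserve", "flash", "ftp", "paloalto-updates",
                        "ping", "web-browsing", "ssl"})
KNOWN_BAD = frozenset({"example-proxy", "example-web-file-share"})  # constructed


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str              # zone name or "any"
    dst_zone: str
    apps: Optional[frozenset]  # None means the "Any" box is checked
    service: str               # "any" or "application-default"
    action: str                # "allow" or "deny"


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str
    proto: str
    port: int


def rule_matches(rule: Rule, s: Session) -> bool:
    """True when the session satisfies every criterion of the rule."""
    if rule.src_zone not in ("any", s.src_zone):
        return False
    if rule.dst_zone not in ("any", s.dst_zone):
        return False
    if rule.apps is not None and s.app not in rule.apps:
        return False
    if rule.service == "application-default":
        # The application must also be seen on one of its standard ports.
        return (s.proto, s.port) in APP_DEFAULT_PORTS.get(s.app, set())
    return True


def evaluate(rulebase, s: Session):
    """Return (rule name, action) of the first matching rule. With no
    match, PAN-OS applies the implicit interzone deny."""
    for rule in rulebase:
        if rule_matches(rule, s):
            return rule.name, rule.action
    return "interzone-default", "deny"


# Phase 3 order: specific allow, explicit block, then the logging catch-all.
PHASE3 = [
    Rule("General Internet", "Trust-L3", "Untrust-L3", KNOWN_GOOD,
         "application-default", "allow"),
    Rule("Block-Known-Bad", "Trust-L3", "Untrust-L3", KNOWN_BAD, "any", "deny"),
    Rule("Log-All", "Trust-L3", "Untrust-L3", None, "any", "allow"),
    Rule("Deny Inbound", "Untrust-L3", "Trust-L3", None, "any", "deny"),
]

# The same rules with Log-All moved above Block-Known-Bad: the block is shadowed.
SHADOWED = [PHASE3[0], PHASE3[2], PHASE3[1], PHASE3[3]]


if __name__ == "__main__":
    samples = [
        Session("Trust-L3", "Untrust-L3", "ssl", "tcp", 443),
        Session("Trust-L3", "Untrust-L3", "ssl", "tcp", 8080),   # ssl on a non-default port
        Session("Trust-L3", "Untrust-L3", "example-proxy", "tcp", 80),
        Session("Untrust-L3", "Trust-L3", "web-browsing", "tcp", 80),
    ]
    for s in samples:
        print(f"{s.src_zone}->{s.dst_zone} {s.app}/{s.port}: {evaluate(PHASE3, s)}")
    proxy = samples[2]
    print("proxy with Log-All above Block-Known-Bad:", evaluate(SHADOWED, proxy))
```

The second sample is the case the lab's application-default requirement is meant to catch: ssl on port 8080 does not match General Internet, so it falls through to Log-All and is allowed but logged, exactly the kind of entry Phase 3 asks you to review for future policy decisions.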
Module 5 – Content-ID
In this lab you will:
Scenario
Now that traffic is passing through the firewall, you decide to further protect the environment with
Security Profiles. The specific security requirements for general internet traffic are:
• Log all URLs accessed by users in the Trust-L3 zone. In particular, you need to track access to a set
of specified technology websites.
• Access to all hacking and government sites should be set to Continue.
• Block the following URL categories:
o Adult and pornography
o questionable
o Unknown
• Log, but do not block, all viruses detected and maintain packet captures of these events for
analysis.
• Log spyware of severity levels critical and high detected in the traffic. Ignore all other spyware.
• Configure files to be automatically forwarded to WildFire with no user interaction.
After all of these profiles are configured, send test traffic to verify that the protection behaves as
expected. Testing parameters will be included in the Required Information section of this lab.
After the initial testing is complete, you are asked to change the Antivirus protection to block viruses.
Make the changes and verify the difference in behavior.
Once the individual profiles are created and tested, combine the profiles into a single group for ease of
management. Attach the group to the appropriate security policies.
Your manager wants to see daily reports which detail the threats encountered by the firewall. Configure a
custom report to show a threat summary for all traffic allowed in the past 24 hours. It should include the
threat name, the application (including technology and sub-category for reference), and the number of
times that threat was encountered. Export the file as a PDF.
Required Information
Custom Technology sites to track: www.slashdot.org, www.cnet.com, www.phys.org, www.zdnet.com
Location of files for testing antivirus:
1. Browse to http://www.eicar.org
2. Click Anti-Malware Testfile.
3. Click Download
4. Download any of the files using http only. Do not use the SSL links.
Hacking sites for testing URL Filtering: www.2600.org, www.neworder.box.sk
Procedure for testing file blocking:
1. Navigate to the web site http://www.opera.com
2. Download the installer to your local system
Lab Notes
• You do not need to assign profiles to all of the security policies you have created in the lab. The
“Known-Bad” policy has an action of deny so profiles will do nothing for that rule.
• Only test the antivirus profile using http, not https. HTTPS connections will prevent the firewall
from seeing the packet contents so the viruses contained will not be detected by the profile.
Decryption will be covered in a later module.
Module 6 – Decryption
In this lab you will:
Scenario
Your security team is concerned about the results of the testing performed as part of the security profile
configurations. The team observed that the antivirus profile only identified viruses that were not SSL
encrypted. The concern is that files transferred from encrypted sources (e.g., https://www.facebook.com)
could escape detection and cause issues. For testing purposes, you will need to change the antivirus profile
to alert instead of blocking the file. Verify that https downloads of virus files from www.eicar.org are
detected by the antivirus profile.
You want to evaluate using a forward-proxy configuration on the Palo Alto Networks firewall. Only traffic
from Trust-L3 to Untrust-L3 needs to be decrypted. Since this is not production, you decide to use
self-signed SSL certificates generated on the firewall for this implementation. The legal department has
advised you that certain traffic should not be decrypted for liability reasons. Specifically, you may not
decrypt traffic from health-related, shopping, or financial web sites.
• Attempt to download test files from www.eicar.org using https and verify that they are detected by
the firewall
• Connect to various websites using https and use the logs to verify that the correct URL categories
are being decrypted
After your initial testing of the forward-proxy, the penetration testing team calls you to request an
exception to the decryption rules. The team asks that www.eicar.org be excluded from decryption so that
they will still be able to download the files they need to perform their evaluations. Change the
implementation to allow this exception.
Required Information
Self-signed Certificate name: student-ssl-cert
Common Name of the SSL Certificate: 192.168.2.1
Decryption Policies: no-decrypt-traffic, decrypt-all-traffic
Lab Notes
• You will get certificate errors when browsing after decryption is enabled. This is expected because
the self-signed certificates have not been added to the trusted certificates of the client browser. In
a production environment you would resolve this by adding the firewall certificate to the clients as
trusted or by using a commercial certificate from a known CA such as VeriSign.
• Order matters with policies – make sure that the “decrypt” and “no-decrypt” policies are evaluated
in the correct order.
• To find URLs to test the “no-decrypt” rule, go to http://www.brightcloud.com/ and enter various
URLs that you believe fall into the categories you are testing.
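The decryption rulebase is evaluated top-down like the security rulebase, so the "Order matters" note above is the whole exercise: the category-based no-decrypt rule has to be matched before decrypt-all-traffic sees the session, and the pen-test exception for www.eicar.org needs its own earlier rule. The following Python model is an added example, not code from the lab guide or PAN-OS; it evaluates a decryption rulebase by source and destination zone and URL category, and reports the value you would expect in the Decrypted check box of the traffic log. The category lookups, the custom category name pentest-exception and the rule name no-decrypt-pentest are constructed for illustration; in the lab you find real category members through BrightCloud.

```python
"""Decryption policy evaluation for the Module 6 lab. Added example, not
part of the lab guide or PAN-OS; the URL category table and the
pentest-exception custom category are constructed stand-ins."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the URL categorization database.
URL_DB = {
    "www.bankofamerica.com": "financial-services",
    "www.deltadental.com": "health-and-medicine",
    "www.macys.com": "shopping",
    "www.facebook.com": "social-networking",
    "www.google.com": "search-engines",
    "www.eicar.org": "computer-and-internet-info",
}

# Custom URL category carrying the pen-test team's exception (constructed name).
CUSTOM_CATEGORIES = {"pentest-exception": {"www.eicar.org"}}

# Categories the legal department says must not be decrypted.
EXCLUDED = frozenset({"health-and-medicine", "shopping", "financial-services"})


@dataclass(frozen=True)
class DecryptionRule:
    name: str
    src_zone: str
    dst_zone: str
    categories: Optional[frozenset]  # None means the Any box is checked
    action: str                      # "decrypt" or "no-decrypt"


def categories_for(host: str) -> set:
    """All categories a host belongs to: its database category plus any
    custom categories that list it."""
    cats = {URL_DB.get(host, "unknown")}
    for name, members in CUSTOM_CATEGORIES.items():
        if host in members:
            cats.add(name)
    return cats


def evaluate(rulebase, src_zone: str, dst_zone: str, host: str):
    """Return (rule name, action) of the first matching rule. Without a
    match the session is simply not decrypted."""
    for r in rulebase:
        if r.src_zone not in ("any", src_zone) or r.dst_zone not in ("any", dst_zone):
            continue
        if r.categories is not None and not (r.categories & categories_for(host)):
            continue
        return r.name, r.action
    return None, "no-decrypt"


def decrypted(rulebase, host: str) -> bool:
    """Expected state of the Decrypted check box for a Trust-L3 -> Untrust-L3 session."""
    return evaluate(rulebase, "Trust-L3", "Untrust-L3", host)[1] == "decrypt"


NO_DECRYPT = DecryptionRule("no-decrypt-traffic", "Trust-L3", "Untrust-L3",
                            EXCLUDED, "no-decrypt")
DECRYPT_ALL = DecryptionRule("decrypt-all-traffic", "Trust-L3", "Untrust-L3",
                             None, "decrypt")
PENTEST_EXCEPTION = DecryptionRule("no-decrypt-pentest", "Trust-L3", "Untrust-L3",
                                   frozenset({"pentest-exception"}), "no-decrypt")

CORRECT_ORDER = [NO_DECRYPT, DECRYPT_ALL]                       # initial lab policy
WRONG_ORDER = [DECRYPT_ALL, NO_DECRYPT]                         # no-decrypt is shadowed
WITH_EXCEPTION = [NO_DECRYPT, PENTEST_EXCEPTION, DECRYPT_ALL]   # after the pen-test request


if __name__ == "__main__":
    for host in ("www.macys.com", "www.facebook.com", "www.eicar.org"):
        print(f"{host}: correct={decrypted(CORRECT_ORDER, host)} "
              f"wrong={decrypted(WRONG_ORDER, host)} "
              f"with_exception={decrypted(WITH_EXCEPTION, host)}")
```

Running it shows the three states the lab asks you to verify in the traffic log: excluded categories stay undecrypted only when no-decrypt-traffic comes first, everything else is decrypted, and www.eicar.org flips from decrypted to not decrypted once the exception rule is in place above decrypt-all-traffic.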
Solutions
Module 1 – Introduction (Lab Access)
Prepare your laptop for the lab
1. While connected to the internet, download the file PAN-EDU-101-Default to your laptop you
will be using for the lab exercises.
2. Configure the physical LAN interface on your laptop with an IP address to communicate with
the firewall.
IP address: 192.168.1.100
Subnet Mask: 255.255.255.0
3. Connect an Ethernet cable between the interface you just configured and the MGT port of your
firewall.
4. Open a command prompt and verify you can ping the IP address 192.168.1.1.
19. Click the Commit link at the top-right of the WebUI. Click OK and wait until the commit process
completes, then click Close.
20. Use an SSH client (e.g., PuTTY) to attempt to log into the CLI as ip-admin. Because the role
assigned to this account was not assigned CLI access, the connection should reset.
21. Open a different browser and log onto the WebUI as ip-admin and explore the available
functionality. For example, if you originally connected to the WebUI using Chrome, open this
connection in Internet Explorer. Compare the displays for the admin and ip-admin accounts to
see the limitations of the newly created account.
22. Log out of the ip-admin account connection when you are done exploring.
Module 2 – Interface Configuration
Normally, you would commit your changes at this point. However, for the self-paced labs you will
be reusing these interfaces so you must undo some of the changes you just implemented.
(Note: you will set the interfaces to a different type in the next module.)
7. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
Module 3 – Layer 3 Configuration
IPv4 tab
Type: Select DHCP Client
Advanced > Other Info tab
Management Profile: Select allow_ping
Click OK to close the interface configuration window.
Configure DHCP
11. Click Network > DHCP > DHCP Server.
12. Click Add to define a new DHCP Server:
General tab
Name: Enter Student-VR
Interfaces: Click Add then select ethernet1/3
15. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
General tab
Name: Enter Student Source NAT
Original Packet tab
Source Zone: Click Add and select Trust-L3
Destination Zone: Select Untrust-L3
Destination Interface: Select ethernet1/3
Translated Packet > Source Address Translation tab
Translation Type: Select Dynamic IP and Port
Address Type: Select Interface Address
Interface: Select ethernet1/3
Click OK to close the NAT policy configuration window.
24. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
Note: At this point, you still will not have access to the internet. A security policy is required,
which will be configured in the next lab.
Module 4 – App-ID
Scenario 1
General tab
Name: Enter General Internet
Source tab
Source Zone: Click Add and select Trust-L3
Source Address: Select Any
Destination tab
Destination Zone: Click Add and select Untrust-L3
Destination Address: Select Any
Application tab
Applications: Click Add and select each of the following:
• dns
• paloalto-updates
• ssl
Service/URL Category tab
Service: Select application-default from the pull-down
Actions tab
Action Setting: Select Allow
Log Setting: Select Log at Session End
Click OK to close the security policy configuration window.
5. In the Services Features panel, click the Service Route Configuration link to configure how the
firewall accesses network services. Click the radio button for Select. For the DNS, Palo Alto
Updates, and URL Updates services, go to the Source Address column and select 192.168.2.1/24.
Click OK to close the configuration window.
6. Click the Commit link at the top-right of the WebUI. Click OK and wait until the commit process
completes before continuing.
12. Verify that your firewall is running the most recent Applications and Threats.
13. If the definition file is out of date, install the latest version.
a. Click Download on the line for the update file you plan to install. Click Close when the file
download completes.
b. The Download link will have been replaced with the Install link. Click Install to activate the
definition file. The installation will automatically trigger a commit. Wait for both operations
to complete before continuing. Click Close to exit the installation window.
16. If the firewall is not running version 5.0.1, update the firewall to that version. (Note: The labs have
been tested on PAN-OS 5.0.1.)
c. Click Download on the line for version 5.0.1. Click Close when the file download completes.
d. If your firewall is currently running a version of PAN-OS older than 5.0.0 (e.g., 4.1.x), you
must also download (but not install) version 5.0.0. Click Download on the line for version
5.0.0. Click Close when the file download completes.
e. On the line for 5.0.1, the Download link will have been replaced with the Install link. Click
Install to update PAN-OS on your firewall.
f. Reboot the firewall when prompted. Wait until your browser reconnects with the firewall
and log in again using your admin account.
Scenario 2 (Phase 1)
Application tab
Applications: Click Add and select each of the following:
• fileserve
• flash
• ftp
• ping
• web-browsing
Click OK to close the security policy configuration window.
Create Policies Block and Log All Inbound and Outbound Traffic
19. Click Policies > Security.
20. Click Add to define the Deny Outbound security policy:
General tab
Name: Enter Deny Outbound
Source tab
Source Zone: Click Add and select Trust-L3
Source Address: Select Any
Destination tab
Destination Zone: Click Add and select Untrust-L3
Destination Address: Select Any
Application tab
Applications: Check the Any box
Service/URL Category tab
Service: Select any from the pull-down
Actions tab
Action Setting: Select Deny
Log Setting: Select Log at Session End
Click OK to close the security policy configuration window.
General tab
Name: Enter Deny Inbound
Source tab
Source Zone: Click Add and select Untrust-L3
Source Address: Select Any
Destination tab
Destination Zone: Click Add and select Trust-L3
Destination Address: Select Any
Application tab
Applications: Check the Any box
Service/URL Category tab
Service: Select any from the pull-down
Actions tab
Action Setting: Select Deny
Log Setting: Select Log at Session End
Click OK to close the security policy configuration window.
Note: The default rule1 affects virtual wire connections and will not affect the lab exercises.
23. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
Scenario 2 (Phase 2)
Note: An Interface Management Profile DOES NOT need to be set for application block pages. From the
admin guide (p. 176): “The Response Pages check box controls whether the ports used to serve captive
portal and URL filtering response pages are open on Layer 3 interfaces. Ports 6080 and 6081 are left open if
this setting is enabled.”
Scenario 2 (Phase 3)
General tab
Name: Change to Log-All
Actions tab
Action Setting: Select Allow
Click OK to close the security policy configuration window.
General tab
Name: Enter Block-Known-Bad
Source tab
Source Zone: Click Add and select Trust-L3
Source Address: Select Any
Destination tab
Destination Zone: Click Add and select Untrust-L3
Destination Address: Select Any
Application tab
Applications: Click Add and select Known-Bad
Service/URL Category tab
Service: Select any from the pull-down
Actions tab
Action Setting: Select Deny
Log Setting: Select Log at Session End
Click OK to close the security policy configuration window.
27. Use the move buttons at the bottom of the page to arrange the policies in a logical order. Confirm
that your security rule list looks like this:
You can also rearrange the rules by clicking and dragging them into the correct order.
28. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
Module 5 – Content-ID
Note: The presence of firewalls between your PA-200 and the internet will cause the lab results to vary.
Search the Category field for hacking and government. Set the Action to
Continue for both categories.
Search the Category field for the following categories and set the Action
to block for each of them:
• adult-and-pornography
• questionable
• unknown
Actions tab
Profile Type: Select Profiles
Antivirus: Select student-antivirus
Anti-Spyware: Select student-antispyware
URL Filtering: Select student-url-filtering
File Blocking: Select student-file-block
Click OK to close the policy window.
13. Repeat the previous step and add the profiles to the Log-All policy.
14. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
Captured packets can be exported in PCAP format and examined with a protocol analyzer offline
for further investigation.
20. Modify the antivirus profile to block viruses using ftp, http, and smb. Click Objects > Security
Profiles > Antivirus. Change the Action column for the ftp, http, and smb decoders to Block.
21. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
22. Open a new browser window to www.eicar.org and attempt to download a virus file again. Since
the antivirus profile is set to block, a response page should appear:
23. Return to the WebUI and verify that log entries stating that the Eicar virus was detected appear in
the threat log.
24. After 15 minutes, the threats you just generated will appear on the ACC tab under the Threats
section.
Actions tab
Profile Type: Select Group
Group Profile: Select student-profile-group
Click OK to close the policy window.
34. Repeat the previous step and add the profile group to the Log-All policy.
35. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
• Connector: Select or
• Attribute: Select Rule
• Operator: Select =
• Value: Enter Log-All
• Click Add
Click OK to save the custom report definition.
38. Click the name of your custom report to reopen the custom report window. Click Run Now to
generate the report.
39. The report will appear in a new tab in the window. Click Export to PDF to save it to your RDP
desktop.
Module 6 - Decryption
Verify firewall behavior without decryption
1. From your laptop, browse to www.eicar.com and attempt to download one of the test files
using http.
2. Repeat the previous step but attempt to download one of the files using https.
3. Go to the GUI and click Monitor > Logs > Threat to view the log. Only the non-encrypted download
should appear in the log. SSL encryption hid the contents from the firewall, so the test file was not
detected as a threat.
6. Click student-ssl-cert in the list of certificates to edit the certificate properties. Check the boxes for
Forward Trust Certificate and Forward Untrust Certificate. Click OK to confirm the changes.
9. Click Add to create the SSL decryption rule for general decryption:
General tab
Name: Enter decrypt-all-traffic
Source tab
Source Zone: Click Add then select Trust-L3
Destination tab
Destination Zone: Click Add then select Untrust-L3
URL Category tab
URL Category: Verify that the Any box is checked
Options tab
Action: Select decrypt
Type: Select SSL Forward Proxy
Click OK to close the configuration window.
10. Confirm that your decryption policy list looks like this:
11. Click the Commit link at the top-right of the WebUI. Click OK again and wait until the commit
process completes before continuing.
12. Open a browser to the www.eicar.org downloads page. Download a test file using SSL. Ignore the
certificate error. This is expected behavior because the firewall is intercepting the SSL connection
and performing man-in-the-middle decryption. Close the browser window.
13. In the WebUI, examine the threat logs. The virus should have been detected, since the SSL
connection was decrypted. Click the magnifying glass icon at the beginning of the line to show the
Log Details window. Verify that the Decrypted box has a check mark.
14. Open a browser to http://www.brightcloud.com/ and enter various URLs that you believe fall into
the categories excluded by the “no-decrypt” rule. Make a list of URLs that fall into these categories
to test against. For example:
• financial-services: www.bankofamerica.com
• health-and-medicine: www.deltadental.com
• shopping: www.macys.com
15. In the WebUI, click Monitor > Logs > Traffic. Set the traffic log to display only port 443 traffic on a
10 second refresh. Enter ( port.dst eq 443 ) in the filter field. Select 10 Seconds from the
pull-down menu so that the display will refresh automatically. Leave this window open so you can
monitor the traffic.
16. In a separate browser window, use SSL (https://) to navigate to the websites you found in the
excluded URL categories. Navigate to other websites as well (e.g., www.facebook.com,
www.google.com) for comparison purposes.
17. Return to the traffic log. Find an entry for one of the excluded categories by looking at the value in
the URL Category column. Click the magnifying glass icon at the beginning of the line to show the
Log Details window. Verify that the Decrypted box in the Misc panel is unchecked.
18. Repeat the previous step for a URL in a non-excluded category. Verify that the Decrypted box has a
check mark.
CLI Reference
This section provides a subset of the commands needed to complete the tasks in the associated lab
modules. The commands are intended to provide command sets for you to research further in the PAN-OS
Command Line Interface Reference Guide.
Module 1 – Introduction (Lab Access)
# set shared admin-role "Policy Admins" role device webui acc enable
Module 4 – App-ID
# set rulebase security rules "General Internet" action allow
Module 5 – Content-ID
# set profiles url-filtering Student-url-filtering alert bot-nets
Module 6 - Decryption
> request certificate generate ca yes name 192.168.15.1 certificate-name student15-cert