PALO ALTO NETWORKS - EDU-210

Lab 4: App-ID

Document Version: 2017-09-29

Copyright © 2017 Network Development Group, Inc.


www.netdevgroup.com

NETLAB Academy Edition, NETLAB Professional Edition, and NETLAB+ are registered trademarks of Network Development Group,
Inc.

VMware is a registered trademark of VMware, Inc. Cisco, IOS, Cisco IOS, Networking Academy, CCNA, and CCNP are registered
trademarks of Cisco Systems, Inc. EMC2 is a registered trademark of EMC Corporation.

Contents
Introduction
Objectives
Lab Topology
Lab Settings
4 Lab: App-ID
4.0 Load Lab Configuration
4.1 Create App-ID Security Policy Rule
4.2 Enable Interzone Logging
4.3 Enable the Application Block Page
4.4 Test Application Blocking
4.5 Review Logs
4.6 Test Application Blocking
4.7 Review Logs
4.8 Modify the App-ID Security Policy Rule
4.9 Test App-ID Changes
4.10 Migrate Port-Based Rule to Application-Aware Rule
4.11 Observe the Application Command Center

10/3/2017 Copyright © 2017 Network Development Group, Inc. www.netdevgroup.com

Introduction

We have configured the interfaces and a basic Security policy that allows any
application. Because this is a next-generation firewall, we want to allow only the
applications that users need to do their jobs. We will begin experimenting with
the App-ID process to see how these applications can be restricted.

Objectives

• Create an application-aware Security policy rule.
• Enable interzone logging.
• Enable the application block page for blocked applications.
• Test application blocking with different applications.
• Understand what the web-browsing signature really matches.
• Migrate an older port-based rule to an application-aware rule.
• Review logs associated with the traffic and browse the Application Command
Center (ACC).


Lab Topology


Lab Settings

The information in the table below will be needed in order to complete the lab. The
task sections below provide details on the use of this information.

Virtual Machine             IP Address      Account (if needed)   Password (if needed)
Client – Windows 2012 R2    192.168.1.20    lab-user              Pal0Alt0
Firewall – PA-VM            192.168.1.254   admin                 admin


4 Lab: App-ID

4.0 Load Lab Configuration

1. In the WebUI select Device > Setup > Operations.

2. Click Load named configuration snapshot.

3. Select edu-210-lab-04 and click OK.

4. Click Close.

5. Commit all changes.


4.1 Create App-ID Security Policy Rule

1. Select Policies > Security.

2. Select the egress-outside Security policy rule without opening it.

3. Click Clone. The Clone configuration window opens.

4. On the Rule order drop-down list, select Move top.

5. Click OK to close the Clone configuration window.

6. With the original egress-outside Security policy rule still selected, click Disable.


Notice that the egress-public rule is now grayed out and shown in italics:

7. Click to open the cloned Security policy rule named egress-outside-1.

8. Configure the following:

Parameter      Value
Name           egress-outside-app-id

9. Click the Application tab and configure the following:

Parameter      Value
Applications   dns, facebook-base, ssl, web-browsing


10. Click OK to close the Security Policy Rule configuration window.

4.2 Enable Interzone Logging

The intrazone-default and interzone-default Security policy rules are read-only by
default.

1. Click to open the interzone-default Security policy rule.


2. Click the Actions tab. Note that Log at Session Start and Log at Session End are
deselected, and cannot be edited:

3. Click Cancel.
4. With the interzone-default policy rule selected but not opened, click Override.

The Security Policy Rule – predefined window opens.

5. Click the Actions tab.

6. Select Log at Session End.


7. Click OK.

4.3 Enable the Application Block Page

1. Select Device > Response Pages.

2. Click Disabled to the right of Application Block Page:


3. Select the Enable Application Block Page check box.

4. Click OK. The Application Block Page should now be enabled:

5. Commit all changes.

4.4 Test Application Blocking

1. Open a new browser window in private/incognito mode. You should be able to
browse to www.facebook.com and www.msn.com.

2. Use private/incognito mode in a browser to connect to
http://www.shutterfly.com. An Application Blocked page opens,
indicating that the shutterfly application has been blocked:


Why could you browse to Facebook and MSN but not to Shutterfly? MSN
currently does not have an Application signature, so it falls under the
web-browsing Application signature. However, an Application signature exists
for Shutterfly, and it is not currently allowed in any of the firewall Security policy
rules.

3. Browse to google.com and verify that google-base is also being blocked:

4.5 Review Logs

1. Select Monitor > Logs > Traffic.

2. Type ( app eq shutterfly ) in the filter text box.

3. Press the Enter key.


Only log entries whose Application is shutterfly are displayed.

4.6 Test Application Blocking

1. Try to work around the firewall’s denial of access to Shutterfly by using a web
proxy. In private/incognito mode in a browser, browse to avoidr.com.

2. Enter www.shutterfly.com in the text box near the bottom and click Go. An
application block page opens showing that the phproxy application was blocked:

4.7 Review Logs

1. Select Monitor > Logs > Traffic.


2. Type ( app eq phproxy ) in the filter text box. The Traffic log entries
indicate that the phproxy application has been blocked:

Based on the information from your log, Shutterfly and phproxy are denied by
the interzone-default Security policy rule.

Note: If logging were not enabled on your interzone-default rule, no
information about these sessions would appear in the Traffic log.


4.8 Modify the App-ID Security Policy Rule

1. In the WebUI select Policies > Security.

2. Add shutterfly and google-base to the egress-outside-app-id Security
policy rule.

3. Remove facebook-base from the egress-outside-app-id Security policy rule.


4. Commit all changes.

4.9 Test App-ID Changes

1. Open a browser in private/incognito mode and browse to
www.shutterfly.com and google.com. The application block page is no
longer presented.

2. Open a new browser in private/incognito mode and browse to
www.facebook.com. The application block page now appears for facebook-base.
Note: Do not reuse any previously opened browser windows, because browser
caching can cause incorrect results.

3. Close all browser windows except for the firewall WebUI.

Note: The web-browsing Application signature only covers browsing that does
not match any other Application signature.

4.10 Migrate Port-Based Rule to Application-Aware Rule

1. In the WebUI select Policies > Security.

2. Click to open the internal-dmz-ftp Security policy rule:

3. Click the Application tab and add ftp.


4. Click the Service/URL Category tab.

5. Delete service-ftp and select application-default.

Selecting application-default does not change the service behavior because, in
the application database, FTP is allowed only on ports 20 and 21 by default.

6. Click OK.

7. Commit all changes.

8. Open a new Chrome browser window in private mode and browse to
ftp://192.168.1.1.

9. At the prompt for login information, enter the following (Credentials may be
cached from previous login):


Notice that the connection succeeds and that you can log in to the FTP server
with the updated Security policy rule.
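A toy model of the App-ID policy behaviour this lab walks through, added here as an illustration and not Palo Alto Networks or NDG code: web-browsing as the fallback for hosts without a signature, the disabled and overridden rules, application-default port matching for ftp, and the ( app eq ... ) Traffic log filter. The signature table, the non-ftp default ports and the shape of the original port-based rules are assumptions.

```python
from dataclasses import dataclass
# HTTP hosts that have their own App-ID signature in this model; any other HTTP
# host falls back to web-browsing, as the lab notes happens for www.msn.com.
# Treating the avoidr.com request as phproxy is a model assumption.
SIGNATURES = {"www.facebook.com": "facebook-base", "www.shutterfly.com": "shutterfly",
              "google.com": "google-base", "avoidr.com": "phproxy"}
# Constructed application-default ports (only ftp 20/21 is in the lab); unlisted web apps use 80.
DEFAULT_PORTS = {"ftp": {20, 21}, "ssl": {443}, "dns": {53}}

@dataclass
class Rule:
    name: str
    apps: set                 # App-IDs the rule matches; {"any"} matches all
    action: str               # "allow" or "deny"
    service: str = "application-default"   # or "any" / a service object name
    log_end: bool = True      # Log at Session End
    enabled: bool = True

def identify_http(host):
    """A signature hit wins; otherwise the session is just web-browsing."""
    return SIGNATURES.get(host, "web-browsing")

def evaluate(rules, app, port):
    """Top-down, first match wins. Returns (rule name, action, logged)."""
    for r in rules:
        if not r.enabled or ("any" not in r.apps and app not in r.apps):
            continue
        if r.service == "application-default" and port not in DEFAULT_PORTS.get(app, {80}):
            continue              # known app on a non-standard port: no match
        return r.name, r.action, r.log_end
    raise RuntimeError("rulebase must end with a catch-all default rule")

def traffic_log(rules, sessions):
    """Only sessions whose matching rule logs produce entries, like the Traffic log."""
    rows = [(app,) + evaluate(rules, app, port) for app, port in sessions]
    return [{"app": a, "rule": r, "action": act} for a, r, act, logged in rows if logged]

def filter_log(log, app):
    """Equivalent of typing ( app eq <app> ) in the Traffic log filter box."""
    return [e for e in log if e["app"] == app]

# Rulebase after sections 4.1-4.3 and 4.10. The original port-based rules are
# assumptions for the model; the lab shows only their names.
RULEBASE = [
    Rule("egress-outside-app-id", {"dns", "facebook-base", "ssl", "web-browsing"}, "allow"),
    Rule("egress-outside", {"any"}, "allow", service="any", enabled=False),  # disabled in 4.1
    Rule("internal-dmz-ftp", {"ftp"}, "allow"),                   # ftp + application-default
    Rule("interzone-default", {"any"}, "deny", service="any"),    # overridden to log at end
]
```

Running evaluate on ftp to port 2121 shows why application-default matters: the ftp rule no longer matches and the session falls through to interzone-default.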

4.11 Observe the Application Command Center

The Application Command Center (ACC) is an analytical tool that provides actionable
intelligence on activity within your network. The ACC uses the firewall logs as the source
for graphically depicting traffic trends on your network. The graphical representation
enables you to interact with the data and visualize the relationships between events on
the network, including network use patterns, traffic patterns, and suspicious activity and
anomalies.

1. Click the ACC tab to access the Application Command Center:

2. Note that the upper-right corner of the ACC displays the total risk level for all
traffic that has passed through the firewall thus far:


3. On the Network Activity tab, the Application Usage pane shows application
traffic generated so far (because log aggregation is required, 15 minutes might
pass before the ACC displays all applications).

4. You can click any application listed in the Application Usage pane; google-base is
used in this example:

Notice that the Application Usage pane updates to present only google-base
information.


5. Click the Jump to logs icon and select Traffic Log:

Notice that the WebUI generated the appropriate log filter and jumped to the
applicable log information for the google-base application:

Stop. This is the end of the App-ID lab.
