Palo Alto (1-6) Flashcards | Quizlet
2/2/23, 12:38 AM
Palo Alto (1-6)
5.0 (13 reviews)
Terms in this set (52)
Which built-in administrator role allows all rights except for the creation of administrative accounts and virtual systems?
a. superuser
b. custom role
c. deviceadmin
d. vsysadmin
Answer: deviceadmin
Which Next Generation VM Series Model requires a minimum of 16 GB of memory and 60 GB of dedicated disk drive capacity?
Select one:
a. VM-700
b. VM-500
c. VM-100
d. VM-50
Answer: VM-500
On the Next Generation firewall, a commit lock blocks other administrators from committing changes until all of the locks have been released.
Select one:
True
False
Answer: True
True or False. Traffic protection from external locations where the egress point is the perimeter is commonly referred to as "North-South" traffic.
Select one:
True
False
Answer: True
Which three engines are built into the Single Pass Parallel Processing Architecture of the Next Generation firewall?
Select one or more:
a. User Identification (User-ID)
b. Content Identification (Content-ID)
c. Threat Identification (Threat-ID)
d. Application Identification (App-ID)
e. Group Identification (Group-ID)
Answer: User Identification (User-ID), Content Identification (Content-ID), Application Identification (App-ID)
Which built-in role on the next generation firewall is the same as superuser except for creation of administrative accounts?
a. deviceadmin
b. vsysadmin
c. sysadmin
d. devicereader
Answer: deviceadmin
In which stage of the Cyber Attack Lifecycle model do attackers gain access "inside" an organization and activate attack code on the victim's host and ultimately take control of the target machine?
Select one:
a. Weaponization and Delivery
b. Reconnaissance
c. Exploitation
d. Command and Control
Answer: Exploitation
Which Next Generation Firewall feature protects cloud-based applications such as Box, Salesforce, and Dropbox by managing permissions and scanning files for external exposure and sensitive information?
a. Aperture
b. GlobalProtect
c. Panorama
d. AutoFocus
Answer: Aperture
Which command will reset a next generation firewall to its factory default settings if you know the admin account password?
Select one:
a. reset system settings
b. reload
c. request system private-data-reset
d. reset startup-config
Answer: request system private-data-reset
Which feature can be configured with an IPv6 address?
Select one:
a. BGP
b. Static Route
c. DHCP Server
d. RIPv2
Answer: Static Route
What type of interface allows the Next Generation firewall to provide switching between two or more networks?
Select one:
a. Tap
b. Layer3
c. Virtual Wire
d. Layer2
Answer: Layer2
Which of the following services are enabled on the Next Generation firewall MGT interface by default?
Select one or more:
a. HTTPS
b. HTTP
c. SSH
d. Telnet
Answer: HTTPS, SSH, Telnet
Which Next Generation FW configuration type has settings active on the firewall?
Select one:
a. Running
b. Candidate
c. Legacy
d. Startup
Answer: Running
Which of the following is a routing protocol supported in a Next Generation firewall?
Select one:
a. RIPv2
b. EIGRP
c. ISIS
d. IGRP
Answer: RIPv2
Which type of interface will allow the firewall to be inserted into an existing topology without requiring any reallocation of network addresses or redesign of the network topology?
Select one:
a. Layer 3
b. Tap
c. Layer 2
d. Virtual Wire
Answer: Virtual Wire
All of the interfaces on a Next Generation firewall must be of the same interface type.
Select one:
True
False
Answer: False
In a Next Generation firewall, every interface in use must be assigned to a zone in order to process traffic.
Select one:
True
False
Answer: True
In addition to routing to other network devices, virtual routers on the Next Generation firewall can route to other virtual routers.
Select one:
True
False
Answer: True
When using config audit to compare configuration files on a Next Generation firewall, what does the yellow indication reveal?
Select one:
a. None
b. Deletion
c. Addition
d. Change
Answer: Change
Which NGFW security policy rule applies to all matching traffic within the specified source zones?
Select one:
a. Intrazone
b. Universal
c. Default
d. Interzone
Answer: Intrazone
What two interface types on the Next Generation firewall provide support for Network Address Translation?
Select one or more:
a. Virtual Wire
b. Layer2
c. Tap
d. Layer 3
e. HA
Answer: Virtual Wire, Layer 3
What should be configured as the destination zone on the original packet tab of the NAT Policy rule in the Next Generation firewall?
Select one:
a. Untrust-L3
b. Any
c. Trust-L3
d. DMZ-L3
Answer: Untrust-L3
Traffic going to a public IP address is being translated by a Next Generation firewall to an internal server private IP address. Which IP address should the security policy use as the destination IP in order to allow traffic to the server?
Select one:
a. The server public IP
b. The firewall Management port IP
c. The firewall gateway IP
d. The server private IP
Answer: The firewall gateway IP
Which source address translation type will allow multiple devices to share a single translated source address while using a single NAT Policy rule on the Next Generation firewall?
Select one:
a. Bi-Directional
b. Dynamic IP and Port
c. Static IP
d. Dynamic IP
Answer: Dynamic IP and Port
On the Next Generation firewall, if there is a NAT policy, there must also be a security policy.
Select one:
True
False
Answer: True
Security policy rules on the Next Generation firewall specify a source and a destination interface.
Select one:
True
False
Answer: False
What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth?
Select one:
a. Application Command Center (ACC)
b. Quality of Service Statistics
c. Applications Report
d. Quality of Service Log
Answer: Application Command Center (ACC)
What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)?
Select one or more:
a. Network Traffic
b. Threat Activity
c. Blocked Activity
d. Application Traffic
Answer: Network Traffic, Threat Activity, Blocked Activity
When creating an application filter, which of the following is true?
Select one:
a. They are called dynamic because they will automatically include new applications from an application signature update if the new application's type is included in the filter
b. They are used by malware
c. Excessive bandwidth may be used as a filter match criteria
d. They are called dynamic because they automatically adapt to new IP addresses
Answer: They are called dynamic because they will automatically include new applications from an application signature update if the new application's type is included in the filter
In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?
Select one:
a. Four or five
b. Three
c. Two
d. One
Answer: Four or five
What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application?
Select one:
a. Application-dependent
b. Application-implicit
c. Application-custom
d. Application-default
Answer: Application-default
On the Next Generation firewall, application groups are always automatically updated when new applications are added to the App-ID database.
Select one:
True
False
Answer: False
On the Next Generation firewall, what type of security profile detects infected files being transferred with the application?
a. Vulnerability Protection
b. WildFire Analysis
c. Anti-Virus
d. URL Filtering
e. File Blocking
Answer: Anti-Virus
What is the benefit of enabling the "passive DNS monitoring" checkbox on the Next Generation firewall?
Select one or more:
a. Improved malware detection in WildFire
b. Improved PAN-DB malware detection
c. Improved anti-virus detection
d. Improved DNS based command and control signatures
Answer: Improved malware detection in WildFire, Improved PAN-DB malware detection, Improved DNS based command and control signatures
To properly configure DoS protection to limit the number of sessions individually from specific source IPs, you would configure a DoS Protection rule with the following characteristics:
Select one:
a. Action: Deny, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured
b. Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured
c. Action: Deny, Aggregate Profile with "Resources Protection" configured
d. Action: Protect, Aggregate Profile with "Resources Protection" configured
Answer: Action: Protect, Classified Profile with "Resources Protection" configured, and Classified Address with "source-ip-only" configured
What component of the Next Generation Firewall will protect from port scans?
Select one:
a. Zone protection
b. DoS Protection
c. Anti-Virus Protection
d. Vulnerability protection
Answer: Zone protection
What action will show whether a downloaded PDF file from a user has been blocked by a security profile on the Next Generation firewall?
Select one:
a. Filter the traffic logs for all traffic from the user that resulted in a deny action
b. Filter the data filtering logs for the user's traffic and the name of the PDF file
c. Filter the session browser for all sessions from a user with the application adobe
d. Filter the system log for failed download messages
Answer: Filter the data filtering logs for the user's traffic and the name of the PDF file
What is the maximum size of .EXE files uploaded from the Next Generation firewall to WildFire?
Select one:
a. Configurable up to 10 megabytes
b. Always 2 megabytes
c. Configurable up to 2 megabytes
d. Always 10 megabytes
Answer: Configurable up to 10 megabytes
Without a WildFire subscription, which of the following files can be submitted by the Next Generation Firewall to the hosted WildFire virtualized sandbox?
Select one:
a. PDF files only
b. PE and Java Applet only
c. MS Office doc/docx, xls/xlsx, and ppt/pptx files only
d. PE files only
Answer: MS Office doc/docx, xls/xlsx, and ppt/pptx files only
In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for WildFire updates?
Select one:
a. 30 Minutes
b. 15 Minutes
c. 1 Hour
d. 5 Minutes
Answer: 5 Minutes
On the Next Generation firewall, DNS sinkhole allows administrators to quickly identify infected hosts on the network using DNS traffic.
True
False
Answer: True
Which role in the Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations ensures that an effective program is established and implemented for the organization by establishing expectations and requirements for the organization's ISCM program; working closely with authorizing officials to provide funding, personnel, and other resources to support ISCM; and maintaining high-level communications and working group relationships among organizational entities?
Select one:
a. Chief Information Officer (CIO)
b. Senior Information Security Officer (SISO)
c. Authorizing Official (AO)
d. Head of Agency (HOA)
Answer: Chief Information Officer (CIO)
In the Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, which Tier ensures that all system-level security controls (technical, operational, and management) are implemented correctly, operate as intended, produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time?
Select one:
a. Tier 3 - Information Systems
b. Tier 4 - System Authorization
c. Tier 2 - Mission/Business Process
d. Tier 1 - Organization
Answer: Tier 3 - Information Systems
Which is the correct order for the Risk Management Framework (RMF) structured process in the Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations System?
Select one:
a. Categorize, Select, Implement, Authorize, Assess, Monitor
b. Select, Categorize, Implement, Assess, Authorize, Monitor
c. Categorize, Select, Implement, Assess, Authorize, Monitor
d. Monitor, Select, Implement, Assess, Authorize, Categorize
Answer: Categorize, Select, Implement, Assess, Authorize, Monitor
Which type of social engineering attack involves hackers who impersonate IT service people and who spam call as many direct numbers that belong to a company as they can find? These attackers offer IT assistance to each and every one of their victims.
Select one:
a. Phishing
b. Baiting
c. Pretexting
d. Quid Pro Quo
Answer: Quid Pro Quo
Which Palo Alto Networks Next Generation Firewall URL Category Action sends a response page to the user's browser that prompts the user for the administrator-defined override password, and logs the action to the URL Filtering log?
Select one:
a. alert
b. block
c. continue
d. override
Answer: override
Which Next Generation Firewall URL filter setting is used to prevent users who use the Google, Yahoo, Bing, Yandex, or YouTube search engines from viewing search results unless their browser is configured with the strict safe search option?
Select one:
a. Safe Search Enforcement
b. User Credential Detection
c. HTTP Header Logging
d. Log Container Page Only
Answer: Safe Search Enforcement
A "continue" action can be configured on the following security profiles in the Next Generation firewall:
Select one:
a. URL Filtering and Antivirus
b. URL Filtering, File Blocking, and Data Filtering
c. URL Filtering
d. URL Filtering and File Blocking
Answer: URL Filtering and File Blocking
Which URL filtering security profile action logs the category to the URL filtering log?
Select one:
a. Alert
b. Allow
c. Log
d. Default
Answer: Alert
Which is the correct URL matching order on a Palo Alto Networks Next Generation Firewall?
Select one:
a. Block, Allow, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud
b. Block, Allow, External Dynamic, Custom URL, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud
c. Allow, Block, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud
d. Block, Allow, Custom URL, External Dynamic, PAN-DB Download, PAN-DB Cloud, PAN-DB Cache
Answer: Block, Allow, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud
Which web development program is an object-oriented, class-based and concurrent language that was developed by Sun Microsystems in the 1990s?
Select one:
a. Java
b. Python
c. Ruby
d. PHP
Answer: Java
Which color of the Traffic Light Protocol (TLP) indicates that information requires support to be acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved?
Select one:
a. Amber
b. White
c. Green
d. Red
Answer: Amber
SRTY-6003
Securing the Edge 1
WEEK 5
Review of Palo Alto
Agenda
•Housekeeping Items
• Identified an issue with the Firewall OVA file provided by Palo Alto. New OVA requested and should be here by end of week
• As a result, all Palo Alto Lab due dates have been extended to November
• If you have already submitted a lab, you are welcome to re-submit. Only the last submission will be graded.
•In the news
•Review of the testable areas of Palo Alto covered in lecture
The Modules
•Week 1 was Device Configuration
•Week 2 was Palo Alto Architecture and Security Policies
•Week 3 was PA App-ID
•Week 4 was Content-ID and URL Filtering
Group 1 - Device Configuration
•Which of the following services are enabled on the Next Generation firewall MGT interface by default? (choose TWO)
• Https, SSH, Telnet, or Http
•Which of the following is a routing protocol supported in a Next Generation firewall?
• RIPv2, IPS, IGRP, or EIGRP
•Which type of interface will allow the firewall to be inserted into an existing topology without requiring any reallocation of network addresses or redesign of the network topology?
• Tap, Layer 3, Layer 2, Virtual Wire
Group 2 – PA Architecture
•What is the difference between vsysadmin, deviceadmin, devicereader, and sysadmin?
•What is the difference between an XSS attack and an XSRF (also called CSRF)? Which forges a request from a trusted user?
•Which type of attack can be mitigated by deploying strong encryption services on your network?
• Spoofing, sniffer, DoS, or Eavesdropping
•Which Next Generation Firewall feature protects cloud-based applications such as Box, Salesforce, and Dropbox by managing permissions and scanning files for external exposure and sensitive information?
Group 3 - Palo Alto Security Policies
•Which NGFW security policy rule applies to all matching traffic within the specified source zones?
• Interzone or Intrazone?
•Which is the correct order for the NIST Cybersecurity Framework process?
• Identify, Protect, Detect, Respond, Recover
• Identify, Protect, Detect, Recover, Respond
• Identify, Detect, Protect, Respond, Recover
• Detect, Identify, Protect, Respond, Recover
•What should be configured as the destination zone on the original packet tab of the NAT Policy rule in the Next Generation firewall? Untrust L3, Trust L3, or DMZ L3?
Group 4 – Application ID (App-ID)
• What is the function of the Application Command Center?
• In a Next Generation firewall, how many packets does it take to identify the application in a TCP exchange?
• Which color of the Traffic Light Protocol (TLP) indicates that information requires support to be acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved?
• Green, red, amber, or white?
• What feature on the Next Generation firewall will set the security policy to allow the application on the standard ports associated with the application?
• Application-implicit, application-custom, or application-default?
Group 5 – Content ID
• What type of security profile detects infected files being transferred with the application?
• WildFire, URL Filtering, AntiVirus, or Vulnerability Protection
• What is the benefit of enabling the "passive DNS monitoring" checkbox on the Next Generation firewall?
• In the latest Next Generation firewall version, what is the shortest time that can be configured on the firewall to check for WildFire updates?
• 5, 10 or 15 minutes?
• What is the maximum size of .EXE files uploaded from the Next Generation firewall to WildFire?
• Always 2MB, up to 2MB, always 10MB, or up to 10MB?
Group 6 – URL Filtering
• What is ISCM? What is the CIO’s role? Which tier ensures that all system-level security controls (technical, operational, and management) are implemented correctly (tier 1, 2, 3, or 4)?
• What is a quid pro quo attack?
• Which URL filter setting is used to prevent users who use the Google, Yahoo, Bing, Yandex, or YouTube search engines from viewing search results unless their browser is configured with the strict safe search option?
• Is this the correct URL matching order on a Palo Alto Networks Next Generation Firewall?
• Block, Allow, Custom URL, External Dynamic, PAN-DB Cache, PAN-DB Download, PAN-DB Cloud
SRTY-6003
Securing the Edge 1
Week 3
Application ID, Security Policies, and NAT
Agenda
•Define application identification (App-ID)
•Configure application filters and application groups
•Detect unidentified applications traversing the firewall
•Migrate a port-based rule to an App-ID based rule
•Display and manage Security Policy Rules
•Create a Security policy
•SNAT and DNAT
Flow Logic of the NGFW
What Is an “Application”?
What Is App-ID?
•Accurate traffic classification is the primary function of any firewall, with the result becoming the basis of the Security Policy
•Multiple techniques to label traffic by application rather than just port and protocol
Port-based security rule
Application-based security rule
Port-Based Versus Next-Generation Firewalls
Zero-Day Malware: IPS Versus App-ID
App-ID and UDP
App data is required to identify traffic to be processed by Security Policy.
App-ID and TCP
• A database of application signatures updated as part of the firewall content updates.
• An App-ID heuristics engine used to look at patterns of communication. It attempts to identify an application based on its network behaviour.
• A set of application decoders that understand the syntax and commands of common applications.
• SSL and SSH decryption capabilities.
App-ID Operation
Scan for
Threats
Using App-ID in a Security Policy
What if an Application Shifts/Changes During a Session
Dependent Applications
***Important to know and identify dependencies
Determining Application Dependencies
Check out: http://applipedia.paloaltonetworks.com
Implicit Applications
•Many common applications implicitly allow parent applications.
•No explicit Security policy rule is required for a parent application.
Implicit permissions for a parent application are processed only if you have not added an explicit security policy rule for the parent application.
Determining Implicitly Used Applications
Application Filters
An application filter is an object that dynamically groups applications based on application attributes that you select from the App-ID database.
The selectable attributes are category, subcategory, technology, risk, and characteristic.
App filters are an alternative to specifically identifying each application. Rather, you allow/deny based on attributes common to those applications.
Ex. Category could be “Business Systems” and subcategory “Office Programs”. Allow any traffic that falls within this filter as it is related to office software. Ex. Evernote, Google Docs, Office 365, etc.
Application Filter
Objects > Application Filter > Add
•Dynamic grouping of applications
•Created by selecting filters in the App-ID database
•Used to simplify Security, QoS, and PBF policy rulebases
Application Groups
Objects > Application Groups > Add
• What is an application group?
• Facilitates and expedites creation and management of the policy rules
Ex. You could group all applications that are not using default ports.
© 2019 Palo Alto Networks, Inc.
Nesting Application Groups and Filters
Applications and Security Policy Rules
Application filters and groups are added to the Security policy rules just as single applications are. They can be used to either allow or deny applications.
Application Block Page
•For blocked web-based applications, a response page can be displayed in the user’s browser.
Identifying Unknown Application Traffic
Unknown Network Traffic
Firewalls identify traffic by port or application. Let’s look at application.
Identify Unknown Application Traffic
Iterative process:
• Create rules to allow or block applications known to be traversing the firewall
• Create a temporary rule to detect unidentified applications traversing the firewall
• As applications are identified, create specific rules to allow or block them
Policies > Security
What to do with “Unknown” Traffic?
Ex. Wireshark
Overrides App-ID and
Security policies
Policy Optimizer
• Migrate port-based rules to App-ID-based rules
• Help reduce attack surface and provide information about application usage
• Prevent evasive applications from running on non-standard ports
• Identify over-provisioned application-based rules
Migrating from port-based to Application-Based Policies
Then “clone” the existing port-based rule.
***Each Phase is discussed in the following slides.
Ensure that traffic matches the application-based rule before it can match the legacy port-based rule.
Review the Traffic logs and Security policies to determine if traffic is continuing to match any legacy port-based rule. If no legitimate traffic has matched a legacy rule, then that legacy rule can be removed.
Phase 1: Viewing Data of Port-Based Rules.
What is happening with existing rules?
Discovering Applications Matching a Port-Based Rule
Policies > Security > Policy Optimizer > No App Specified
Active Learning Exercise
•In order to understand Phase 2 “Adding Application-Based Rules”, review the next 6 slides. These slides show THREE options for Phase 2 of the migration process.
•Answer the following questions:
• Which option do you prefer?
• Identify a scenario when you would use each of the three options.
•Share your opinion/findings in the Week 3 Discussion Forum on FOL
Prioritizing Port-Based Rules to Convert
A gradual conversion is safer than migration of a large rule-base at one time
Phase 3: Reviewing Port-Based Rules
•After 60 days, review the Policy Optimizer columns in the Security policy.
•Look for port-based rules with zero hits.
Disabling Port-Based Rules
•Disable port-based rules that have not matched to any new traffic.
•Disabled rules are rendered in gray italic font.
•Tag rules that must be removed later (optional).
Removing Port-Based Rules
•After 90 days, delete port-based rules that have not matched to any new traffic.
•The goals:
• At least 80% application-based rules
• No inbound or outbound unknown applications (internal is acceptable)
Policies > Security
Ways to update App-ID
Dynamic Content Updates: App-ID
Scheduled App-ID Updates
Content Update Absorption
• Review Apps for list of modified applications and details for each application
• Review Policies to see policy rules that may enforce traffic differently
Security and NAT policies
Security Policy Fundamentals: Controlling Network Traffic
HIP = Host Information Profile
Sessions and Flows
Traffic passing through the firewall is matched against a session and each session is then matched against a Security policy rule.
When you define Security policy rules, consider only the C2S flow direction.
Displaying and Managing Security Policy Rules
Security Policy – Three Types of Rules
A universal rule applies to all matching interzone and intrazone traffic in the specified source and destination zones.
Implicit and Explicit Rules
Security Policy Rule Match
Policy Rule Hit Count
Scheduling Security Policy Rules
Managing the Policy Ruleset
Universally Unique Identifiers (UUIDs)
Finding Unused Security Policy Rules
Rule Usage Filter
Address Objects
Tags
You can make tags mandatory.
Tag-Based Rule Groups
You can assign rules to tag groups. Before you can assign a group tag to a rule, you must first create the tag and assign it to the Security policy rule.
Creating a New Service Definition
You can confine an application type to a specific port, BUT the default port is “any”.
Active Learning Exercise: Ports!!
•Create a table of the most common ports used for different services and applications.
•Identify the port (default), the service, and the protocol (TCP/UDP) in your table
•Identify any popular alternative ports as well (if known)
•Save that table as an excel file and upload that file into the Week 3 Discussion Forum.
•Remember to comment on the posts of others. Push their thinking. Ask the “what if”, “why” and “how” questions.
Using Global Find
Can search for
• an IP address
• an object name
• a policy rule name
• a threat ID
• an application name
Global Find will not search dynamic content such as logs, address ranges, or allocated DHCP addresses.
• Does not search for individual username or group names
In general, you can search only content that the firewall writes to the candidate configuration.
Example use cases for the Global Find feature are:
• Find all objects with a given tag
• See where a given IP address is used in the configuration, including Address objects, Dynamic objects, literals in policies, and network configuration
• Find a policy that includes a username or user group
• See any place a given username appears in the config, including user activity reports and policies
• Find out if an application is used in a policy, application group, application filter, or a report query
• Find a ticket number that was added to a comment in a policy or on another object
Enabling Intrazone and Interzone Logging
To configure logging on the implicit rules, select a rule and click Override.
Rule Changes Archive
Why archive all rule changes?
• Often done to meet regulatory compliance requirements
Test Policy Functionality: “Test Security Policy Match”
Enables you to enter a set of test criteria directly from the web interface rather than from the CLI.
Viewing the Traffic Log
Network Address Translation (NAT) Policies on
a Palo Alto Firewall
Flow Logic of the Next-Generation Firewall
What are:
• PBF
• SNAT
• DNAT
Which layer is this inspection happening on?
NAT configuration can take two forms: SNAT and DNAT
The firewall is a NATing device.
What is a DMZ? Is it inside or outside?
Source NAT
Source NAT translates the private address and makes the traffic routable across the internet.
Source NAT Types
•Static IP:
• 1-to-1 fixed translations
• Changes the source IP address while leaving the source port unchanged
• Supports the implicit bidirectional rule feature
•Dynamic IP:
• 1-to-1 translations of a source IP address only (no port number)
• Private source address translates to the next available address in the range
•Dynamic IP and port (DIPP):
• Allows multiple clients to use the same public IP addresses with different source port numbers.
• The assigned address can be set to the interface address or to a translated address.
Source NAT Policies and Security Policies
Configuring Source NAT
Source NAT Examples
Source NAT Examples (Cont.)
(DIPP)
With this type of NAT, an available address in the specified range can be used multiple times
because each time the address is paired with a different port number.
Why might we need to do this? Think about IPv4 and public IPs…
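The three source NAT types above, worked through as an added simulation (this is not Palo Alto Networks code and does not model PAN-OS internals). It shows why a two-address Dynamic IP pool runs out at the third host while DIPP serves many hosts from one public address, and how oversubscription lets a translated IP/port pair be reused for sessions to different destinations. Addresses, ports and the oversubscription factor are constructed values.

```python
"""Simulate the three PAN-OS source NAT types listed above.

Added example for this course page; not Palo Alto Networks code.  The
addresses (TEST-NET ranges) and the tiny port range are constructed so the
exhaustion cases are visible in a few lines.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)
Xlat = Tuple[str, int]             # (translated_ip, translated_port)


class PoolExhausted(Exception):
    """No translated address (or address/port pair) is available."""


@dataclass
class SourceNat:
    mode: str                                   # "static", "dynamic-ip" or "dipp"
    pool: List[str]                             # public addresses usable by this rule
    static_map: Dict[str, str] = field(default_factory=dict)  # private -> public (static only)
    port_range: range = range(1024, 65536)      # translated ports (DIPP only)
    oversub: int = 1                            # DIPP oversubscription factor (constructed)
    _ip_bindings: Dict[str, str] = field(default_factory=dict)
    _dipp_table: Dict[Xlat, List[Tuple[str, int]]] = field(default_factory=dict)

    def capacity(self) -> int:
        """Concurrent source hosts (or, for DIPP, sessions) the rule can serve."""
        if self.mode == "static":
            return len(self.static_map)
        if self.mode == "dynamic-ip":
            return len(self.pool)
        return len(self.pool) * len(self.port_range) * self.oversub

    def translate(self, flow: Flow) -> Xlat:
        src_ip, src_port, dst_ip, dst_port = flow
        if self.mode == "static":
            # 1-to-1 fixed translation: the address changes, the source port is kept
            if src_ip not in self.static_map:
                raise PoolExhausted(f"no static translation configured for {src_ip}")
            return self.static_map[src_ip], src_port
        if self.mode == "dynamic-ip":
            # 1-to-1 address-only translation: bind the next free pool address and
            # keep the source port; once every pool address is bound, new hosts fail
            if src_ip not in self._ip_bindings:
                in_use = set(self._ip_bindings.values())
                free = [ip for ip in self.pool if ip not in in_use]
                if not free:
                    raise PoolExhausted("dynamic IP pool exhausted")
                self._ip_bindings[src_ip] = free[0]
            return self._ip_bindings[src_ip], src_port
        if self.mode == "dipp":
            return self._translate_dipp((dst_ip, dst_port))
        raise ValueError(f"unknown NAT mode {self.mode!r}")

    def _translate_dipp(self, dest: Tuple[str, int]) -> Xlat:
        # Many clients share one public address; each session gets its own
        # translated port.  With oversubscription a translated IP/port pair may
        # be reused up to `oversub` times as long as the destinations differ,
        # because the reply's destination still tells the sessions apart.
        for pub_ip in self.pool:
            for pub_port in self.port_range:
                key = (pub_ip, pub_port)
                users = self._dipp_table.setdefault(key, [])
                if len(users) < self.oversub and dest not in users:
                    users.append(dest)
                    return key
        raise PoolExhausted("DIPP address/port pool exhausted")


def try_translate(nat: SourceNat, flow: Flow) -> Optional[Xlat]:
    """Return None instead of raising when the pool is full (for demonstrations)."""
    try:
        return nat.translate(flow)
    except PoolExhausted:
        return None


if __name__ == "__main__":
    # constructed scenario: three private hosts, a two-address public pool
    hosts = [("10.1.1.5", 50000), ("10.1.1.6", 51000), ("10.1.1.7", 52000)]
    web = ("198.51.100.7", 443)
    dyn = SourceNat("dynamic-ip", pool=["203.0.113.10", "203.0.113.11"])
    dipp = SourceNat("dipp", pool=["203.0.113.10"], port_range=range(40000, 40002))
    for ip, port in hosts:
        print(ip, "dynamic-ip ->", try_translate(dyn, (ip, port) + web),
              "| dipp ->", try_translate(dipp, (ip, port) + web))
```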
Configuring Bidirectional Source NAT
DIPP NAT Oversubscription
Destination NAT
Destination NAT Attributes
Dynamic IP Address Support for Destination NAT
Destination NAT and Security Policies
Configuring Destination NAT
Destination NAT Port Translation Configuration
Summary
•Today we discussed App-ID, Security Policies, and NAT in Palo Alto Firewalls.
Reminders
•Lab #1 has been posted and is due. Lab 2 will be posted this week.
•Next week is Week 4 - Anti-Virus/Anti-Spyware/File Blocking in Palo Alto
• We will also be discussing Palo Alto’s WildFire cloud service
• To prepare: Please watch this video that discusses Wildfire (approx. 13 minutes)
•Test in Week 5 (we will discuss the test next week)
SRTY6003
Week 1: Introduction to the course and to Palo Alto
A “wake-up” riddle…
It has keys but no locks. It has space, but no room. You can enter, but can’t go inside. What is it?
Stephen Freymond
•Professor, School of IT
•sfreymond@fanshaweonline.ca
PHIL1019 Ethics
Agenda
•Part 1: Course Overview
• housekeeping/routine
• course outline and expectations for the course
•Part 2: Lesson for Week 1
• What is Security
• Types of Attacks
• History of Firewalls
• Zero Trust
• Your task this week is to complete the Workstation Setup on your laptop/PC
Let’s talk about the SRTY 6003 course
The Routine
• At the start and end of each class I’ll take some time to remind you of upcoming tests/assignments (aka my “Housekeeping” slide)
• Synchronous classes will start with a virtual “check in” to see if there are any questions stemming from last week, and generally see how you are doing/feeling with your course load.
• We will also explore current events, news items, and other resources relating to Security Planning and ISM in general.
• ISM is a student-centered program. Your learning is paramount. Own your learning!
• Then we will proceed with an interactive lesson
• Come prepared for class
• Be prepared to work in breakout groups during tutorial
• Will conclude each lesson with an invitation for questions and reminders for the coming weeks
Current Events: What is happening in (your) world?
•https://searchsecurity.techtarget.com/feature/A-cybersecurity-skills-gapdemands-thinking-outside-the-box
•https://www.cbsnews.com/news/ransomware-attack-shuts-down-richmondmichigan-school-district/
•https://www.technologyreview.com/f/615002/ransomware-may-have-cost-the-usmore-than-75-billion-in-2019/
How to Succeed in This Course…
• This is a “Lecture and Lab style” class, so I suggest you take notes and research.
• Lots of interactive exercises and (hopefully) discussions during class time
• I suggest you take notes during the lecture, as not all test questions come from the PowerPoint
slides and labs!
• Slides are a HANDOUT that highlights key points, but they do not cover all you need to know.
• Not all concepts are fully explained on the slides. You need to do the exercises and listen
to/participate in tutorials.
• Everything in the lessons / resources / discussion is testable material.
• Ask questions if you don’t understand something – you likely won’t be the only person.
• Don’t try to memorize! Memory alone will not suffice. Understanding and application are key!!
• Do not underestimate the work required for this course/program
Student Success
•Show respect for your professor and your peers
•Be active and participate in online class discussions
•HELP EACH OTHER. Create your own study groups (or use the discussion forum).
Some of you may solve problems faster than your peers – share your success by
showing them how!
•Prepare properly for lectures and tests
•Do all the required and recommended work
•Do not miss tests
Course Design
➢4 hours/week of scheduled time (2+2)
➢you should reserve another 4 hours/week for studying, labs, discussions, and other
course tasks
➢Tutorials are asynchronous (you watch tutorial recordings at your own pace)
➢You can also complete the labs on your own if you wish.
➢Instructor office hours double as student drop-in time for course questions (including labs). Attendance at the drop-in sessions is optional.
➢Scheduled time consists of:
1. Discussions, tutorials/lectures, exercises (ALEs) and case reviews
2. Lab time and drop-in discussion. This will be the time you spend working on the labs,
taking screenshots of your work, and creating your submission file (.ppt or .pptx)
The Course Outline
Course Outline
•Learning Outcomes
• What you will be able to demonstrate once the course is completed.
• Questions on tests will reflect your attainment of these objectives
•Course Plan
• Detailed list of what you should expect to be taught each week
• How to prepare for class
• Test and assignment due dates
INFO 6003 – Learning Outcomes
This course is designed to help you meet specific learning outcomes.
•There are 10 course learning outcomes.
•EVERYTHING we do in this course is designed to help you meet those
outcomes
• If you are not clear as to how a task/content relates to these outcomes, please ask!
• #ownyourlearning
•Note the active nature of the outcomes – they are also future-focused. What
you will learn, know, understand, apply, develop, identify, create, describe,
explain, etc.
SRTY6003 – 10 Learning Outcomes
1. Manage, maintain and monitor firewall operations
2. Discuss the necessity and operations of Authentication, Authorization and
Accounting (AAA) Services
3. Describe ACL and NAT operations
4. Discuss the need for Application ID and Content ID
5. Discuss the pros and cons of File Blocking.
6. Discuss the security benefits and concerns with using the firewall to decrypt
sessions
7. Describe and implement appropriate VPN technologies given requirements
8. Configure and implement AAA services, ACLs, and NAT
9. Implement Management Reporting and fully describe its functionality
10. Discuss High Availability design and implementation.
Assessments Methods in this Course
•Quizzes/Testing
• Written quizzes and exams use the Respondus Lockdown Browser (RLDB) application.
• Any method may be used to test the class (not always easy!)
• Hard-wired ethernet cable is preferable to wireless (RLDB hates signal drops)
• Working, tested, laptop – USE THE MOCK TEST in FOL to test your machine
•Labs/Assignments
• Both practical/technical and research-based requirements
• Proper formatting and referencing is a MUST
•Discussion Forums
• Due weekly for a total of 5%
• (More on this late in the tutorial)
How will you be evaluated in this course?
There are THREE tests in this course
•All quizzes and exams use the Respondus Lockdown Browser
•Tests are NOT open book
•Expect an average time of 30-60 seconds per question
•Short answer, long answer, M/C, T/F, FIB, Matching
•All tests are manually graded by me.
•Testable material includes anything discussed “in class” (both verbally and on the
slides), in any resources shared on FOL, and in the practical labs.
Test time lost due to PC or Respondus problems is not recoverable.
SRTY6003 – Securing the Edge 1
Some of the topics we will cover:
-Introduction to concepts, theories, terms, and definitions (the “language” of
network security)
-Methods of securing networks, data, infrastructure, and traffic
-Basic configurations and policies
-NAT and appliance blocking
-File blocking and user access
Introduction to Vendor Specific software:
-Palo Alto (security platform)
-Cisco ASA/firewalls
-PFSense (open source firewall)
Labs and Assignments
•Assessments
• READ THE LAB RUBRIC!
• Six practical labs (5% each)
• 2 unit tests (15% each)
• Final exam (35%)
• 5% Discussion Forum contributions
•There is no textbook for this class, but you still have a lot of resources:
• Read vendor documentation
• Watch relevant instructional videos
• Find (or create) scenarios and case studies where you would need to apply the skills and
knowledge you are learning.
Assignments (Labs)
•Hand in ALL assignments/Labs on time.
•Put the assignment name and your last name in the file name (ex. Robertson_DFLab1.pptx)
•All assignments submitted via FOL in the correct submission box
•Assignments submitted in any other method (including email) will not be
accepted
•Assignments submitted using the wrong submission box will not get graded.
•Submission box is open until the noted time, example 11:59pm. You must
complete the submission process before this time.
•Assignments must be submitted uncompressed, and using PowerPoint
or Word files (not .pdf).
•Use this command in every screenshot: whoami & date /t & time /t
•Assignments must have references - Failure to do this may result in an
academic offense
Grading
•Rubrics are used for all labs.
• What is a rubric?
• Writing skills are graded, references are
required, formatting is graded
• Content, flow, grammar/spelling
• Submit via Evaluation > Submission in FOL
by the deadline
• You WILL receive detailed, specific, and
constructive feedback from me
Learn to love APA ☺
•APA is one method of formatting your paper and your references
•ALL of your written work should comply with APA standards
• This is in the rubric!
• Discussion forum exempt from APA, but you must still reference work you use
• Always have a title page and a References page
• APA format includes margins, section headings, font, and more
•See the Fanshawe College Library website for help with APA
•The reason you are required to use APA on your written work is because
professional writing is a critical skill for employment.
•It also helps you avoid an academic offence
•Great resource for you: https://owl.purdue.edu/owl/purdue_owl.html
Course Expectations
•Missed Assignments and Tests
• Students are not entitled to complete missed tests
• In case of a significant event supported by documentation AND professor’s approval AND
prior notification, a missed test may be completed
•Re-writes & extra grade items
• Students will not be permitted to rewrite tests
• Students will not be entitled to extra work or assignments in order to raise a grade
•Assignments are written. Writing skills are critical in information security and in
business. You will be evaluated on your RESEARCH and WRITING skills
• Use an editor (if you are not comfortable with writing in English, for example)
• Collaboration is encouraged, but DO NOT COPY. Plagiarism is severely penalized.
Course Plan and Dates to Remember
•Weeks 1-4 – Palo Alto
• Basic Configuration and Policies
• Policy, NAT, Appliance Blocking
• File Blocking and User Access
•Weeks 6-9 – Cisco
• Basic Configuration and Policies
• Policy, NAT, Appliance Blocking
• File Blocking and User Access
•Weeks 11-13 – PFSense
• Basic Configuration and Policies
• Policy, NAT, Appliance Blocking
• File Blocking and User Access
•Week 14 – Final Exam
HIGHLIGHTS:
•Lab 1: Due Week 2 (5%)
•Lab 2: Due Week 4 (5%)
•Palo Alto Unit Test: Due Week 5 (15%)
•Cisco Lab 1: Due Week 7 (5%)
•Cisco Lab 2: Due Week 9 (5%)
•Cisco Unit Test – 15%: Due Week 10 (15%)
•pfSense Lab 1: Due Week 12 (5%)
•pfSense Lab 2: Due Week 13 (5%)
•Final Exam: Due Week 14 (35%)
Discussion Forum: Weekly (5% total)
Why Discussion Forums?
•In the absence of F2F interactions, I have elected to use the FOL discussion forums as a way to promote social
interactions and knowledge-building among students.
•Discussion forums allow us to build a Community of Practice (Lave & Wenger, 2007). Communities share ideas
and experiences. They allow us to critically examine and challenge concepts, ideas, facts, methods, and
opinions.
•Criticizing the poster is not permitted, nor is inappropriate language or content
•We can all learn from each other’s experiences and ideas, but not if you don’t share them! So everyone benefits
– including you – if everyone contributes.
•Marks are given for created threads AND for replies, but not for “reads”.
•A little cheerleading is ok, but try to make sure your posts and replies further the conversation. Ask the “why”
questions! Play devil’s advocate. Build on ideas.
•Your opinion has value, but always try to SUPPORT your statements with EVIDENCE.
Part 2: Introducing Edge Security
Week 1 – Agenda
•Overview of Edge Security
•Key Terms and Concepts
•Anatomy of a Cyber-Attack, Attack Types
•Organizational Approaches to Edge Security
INFO 6027
Edge Security Overview
•What is “edge” security? What does it mean to secure the edge?
•Why do you have TWO courses dedicated to this subject?
•What do firewalls do? Why do we need them (or do we need them)?
•How many of you have configured a firewall?
Source: https://www.networkworld.com/article/3224893/what-is-edge-computing-and-how-it-schanging-the-network.html
Cyber-attack Lifecycle
Stop the attack at any point!
What Does This Mean for Security?
•There are three points of attack:
• The data
• The network
• The people
• Which is the most easily (and often) exploited?
Assessing Network Threats
•Extreme, ill-informed attitudes about security threats can lead to poor decisions
•These are the two ends of the spectrum
1. There is no real threat, nothing to worry about
2. Extreme alarm: all hackers are experts and out to break into my network
Type #1: “There’s no real threat” or “No one would target us”
• Fosters a laissez-faire attitude toward security
• Promotes a reactive approach to security
• Security measures are not put in place until after a breach has occurred
• This approach must be avoided at all costs
Assessing Network Threats
Type #2: The world full of hackers out to get us!
• Yes, malicious actors exist, but not to the extent publicized in media
• Lesser-skilled hackers are more pervasive
• They target smaller companies and easier victims
• Usually, more skilled actors seek high profile networks
• bigger payday, challenge, bragging rights and peer recognition
• Financial and ideological gain are the objectives
•The only practical approach is the realistic one - a moderate solution to the two
extremes
•Assessment of risk level is a complex task
•Many factors need to be addressed
Classifying Threats
•Intrusion
• Cracking
• Social engineering
• War-dialing
• Wardriving
•Blocking
• Denial of Service (DoS)
• Distributed Denial of Service (DDoS)
•Malware
• Viruses
• Worms
• Trojan horses
• Spyware
• Cookies
• Key loggers
Prioritizing Your Approach to Edge Security
•Administrators should ask:
• What are the realistic dangers? Ex. Ransomware is a very common danger.
• What are the most likely attack types for our type of business or network topology?
• What are some common vulnerabilities?
• What is the likelihood of an attack?
Threat Assessment Factors
•What is the value of the target (Attractiveness)
•What information is on the system (Information content)
•How easy is it to get to the system (Security devices)
© 2019 by Pearson Education, Inc. Chapter 1 Introduction to Network Security
Threat Assessment (Vulnerability Score)
•A numerical scale can be assigned to each factor
• Attractiveness (A): 1–10
• Information content (I): 1–10
• Security devices (S): 1–10
•The equation is: (A + I) – S = V (vulnerability score)
• Lower score indicates lower risk
Do you speak the “language” of edge security?
•White, Grey, and Black hats
•Script kiddies
•Crackers
•Cloud Computing
•Ethical hacker or sneaker
•Phreaking
•Gateway devices
•Firewall
•Access Control
•Proxy server
•Intrusion-detection system
•Fog Computing
•Non-repudiation (can’t deny)
•Auditing
•3, 4, and 5G cellular
• www.yourwindow.to/information%2Dsecurity/
• www.ietf.org/rfc/rfc2828.txt
Approaching Network Security
•Proactive versus reactive
•Three possible approaches:
1. Perimeter: Focus is on perimeter devices; internal devices are still vulnerable
2. Layered: Focus includes both perimeter and individual computers within the network
3. Hybrid: Combination of multiple security paradigms
Firewalls
What Is a Firewall?
•A barrier between the world and your network
•Provided via:
• Packet filtering
• Stateful packet filtering
• User authentication
• Client application authentication
Firewall Generations
•First generation: Packet Filters
•Second Generation: Stateful Filters
•Third Generation: Application Layer
•Fourth Generation: Next Generation Firewall (NGFW)
First Generation
• First generation: Packet Filters
• Packet filters inspect packets transferred between computers.
• When a packet does not match the filtering rules
• The packet filter either accepts or rejects the packet
• Packets may be filtered by source and destination network address, protocol, source and
destination ports.
• Disadvantages
• Does not compare packets
• No authentication
• Susceptible to SYN and Ping flood attacks
• Does not track packets
• Does not look at the packet data, just the header
• Not necessarily the most secure firewall
Second Generation
•Second Generation: Stateful Packet Inspection
• These firewalls perform the functions of the first generation
• Maintains a database of conversations between the endpoints – specifically the port numbers and the two IP addresses
• Being aware of the context of packets makes them less susceptible to flood attacks
• Knows if packet is part of a larger stream
• Recognizes whether source IP is within the firewall
• Can look at the contents of the packet
• When possible, the recommended firewall solution
• Uses the transport layer (layer 4)
• Vulnerable to DoS attacks
State Machine Model
•Looks at the state of a machine from one time period to the next
• Determines security violation based on the comparison
•Several ways are used to evaluate the state of the system:
• Users
• States
• Commands
• Output
Third Generation
•Third Generation: Application Layer
• Also known as application proxy or application-level proxy
• Examines the connection between the client and the server applications
• Enables administrators to specify what applications are allowed
• Allows for user authentication
• Application layer filtering that understands common applications and protocols (such as
File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol
(HTTP))
• Detects unwanted applications and services that are attempting to bypass the firewall
•Disadvantages
• Requires more system resources
• Susceptible to flooding attacks (SYN and Ping)
• Due to time it takes to authenticate user
• When connection is made, packets are not checked
Fourth Generation
•Fourth Generation: Next Generation Firewall (NGFW)
• Provide wider and deeper inspection at the application layer.
• Intrusion Prevention Systems (IPS)
• Identity management
• Web application firewall (WAF)
Other Edge Protection Devices (IDS vs IPS)
Intrusion Detection System
•Passive
•Logs the activity
•Alerts an administrator (perhaps)
Intrusion Prevention System
•Active
•Takes steps to prevent an attack in progress
•Problem of false positives
Implementing Firewalls
•Need to understand the firewall’s relationship to the network it is protecting
•Most common solutions
• Network host-based
• Dual-homed host
• Router-based firewall
• Screened host
Network Host-Based
•Software-based solution runs on top of operating system
•Must harden the operating system in the following ways:
• Ensure all patches are updated
• Uninstall unneeded applications or utilities
• Close unused ports
• Turn off all unused services
•Cheap solution
Dual-Homed Hosts
•Expanded version of the Network host firewall
•Also runs on top of an existing OS
•The biggest disadvantage – as with Network host firewalls – is its reliance
on the security of the OS
Router-Based Firewall
•Router-based firewalls are most often the first line of defense
•They use simple packet filtering
•Ideal for novice administrators
•Can be preconfigured by vendor for specific needs of user
•Can be placed between segments of a network
Screened Host
• A combination of firewalls
• Bastion host and screening router is used
• Similar in concept to the dual-homed host
In Practice: Utmost Security
•Multiple firewalls
• Stateful packet inspecting firewall
• Application gateway
•Screened firewall routers separating each network segment
•Dual-perimeter firewall, packet screening on all routers, individual packet filtering firewalls on every server
What is a DMZ?
•Demilitarized Zone
•Can be implemented using one or two separate firewalls
• One faces the outside world
• One faces the inside
• Web, email, and FTP servers are located in the area in-between them
Network Address Translation (NAT)
•Translates internal IP addresses to public addresses
•Can explicitly map ports to internal addresses for web servers
•Supersedes proxy servers
Zero Trust
What is Zero Trust
•Zero Trust is a security model originally proposed by John Kindervag in 2010
•Suggested a new security paradigm of “designing from the inside out.”
•Provides optimization of network security and future flexibility
•Traditional security model uses outside, DMZ, and inside or red, yellow, green
http://www.cs.tufts.edu/comp/116/archive/fall2018/jflanigan.pdf
Zero Trust
•According to Gilman and Barth (2017) in their book “Zero Trust Networks”, a zero
trust network is built upon five fundamental assertions:
1. The network is always assumed to be hostile
2. External and internal threats exist on the network at all times
3. Network locality is not sufficient for deciding trust in a network
4. Every device, user, and network flow is authenticated and authorized
5. Policies must be dynamic and calculated from as many sources of data as possible.
http://www.cs.tufts.edu/comp/116/archive/fall2018/jflanigan.pdf
Summary and Homework
Summary
• What is edge security
• Types of attacks
• Introduction to Firewalls
• Key terms and Concepts
Homework
• Contribute your bio to the discussion form and reply to the posts of others
• Share your findings from Exercise 1a in the Week 1 discussion forum
• Complete the setup of vsRail as per posted instructions
• Prepare for next week:
• Read slides 69-89 in this presentation
• We will be discussing Palo Alto firewall products and services.
© 2019 Palo Alto Networks, Inc.
Week 1 Homework:
Types of Attacks (slides 69-89)
Denial of Service Attacks
•Denial of Service (DoS)
•Distributed Denial of Service (DDoS)
•SYN Flood
•Smurf Attack
•The Ping of Death
•UDP Flood
•ICMP Flood
•DHCP Starvation
•HTTP Post DoS
•PDoS
•Distributed Reflection Denial of Service
Denial of Service Attack
•Based on the premise that all computers have operational limitations
•Utilizes the ping utility to execute the attack
•You can use the /h or /? switch with ping to find out what options are available
Distributed Denial of Service (DDoS) Attack
•Variation of a Denial of Service
•Launched from multiple clients
• Example: DynDNS attack was done by controlling thousands of IoT devices
•More difficult to track due to the use of zombie machines
• What is a zombie machine?
© 2019 by Pearson Education, Inc. Chapter 2 Types of Attacks
SYN Flood
•Takes advantage of the TCP handshake process
•Can be addressed in the following manners:
• Micro Blocks
• Bandwidth Throttling
• SYN Cookies
• RST Cookies
• Stack Tweaking
Smurf Attack
•Very popular attack
•Utilizes the ICMP packet to execute the attack
Ping of Death (PoD)
•Attacks machines that cannot handle oversized packets
•Ensure that systems are patched and up to date
•Most current operating systems automatically drop oversized packets
UDP Flood and ICMP Flood
•UDP Flood
• Variation to the PoD that targets open ports
• Faster due to no acknowledgments required
• Sends packets to random ports
• If enough are sent, the target computer shuts down
•ICMP Flood
• Another name for the ping flood
Other Denial-of-Service Attacks
•HTTP Post DoS
• Hangs server with slowly delivered HTTP post message
•Permanent DoS (PDoS) (a.k.a. phlashing)
• Damages the system badly
• Often attacks device firmware
Distributed Reflection DoS (DRDoS)
•Uses routers to execute the DoS attack
•Routers do not have to be compromised in order to execute the attack
•Configure routers to not forward broadcast packets
Distributed Reflection DoS (DRDoS)
DoS Tools
•Tools are downloadable from the Internet
•Ease of access facilitates widespread use
•Examples
• Low Orbit Ion Cannon
• High Orbit Ion Cannon
• DoSHTTP
Real World Examples
•FakeAV
•Flame
•MyDoom
•Gameover ZeuS
•CryptoLocker and CryptoWall
Defending Against DoS Attacks
•Understand how attack is perpetrated
•Configure firewall to disallow incoming protocols or all traffic
• This may not be a practical solution
•Disable forwarding of directed IP broadcast packets on routers
•Maintain virus protection on all clients on your network
•Maintain operating system patches
•Establish policies for downloading software
Defending Against Buffer Overflow Attacks
•More common than DoS a few years ago
•Still a very real threat
•Designed to put more information in the buffer than it is meant to hold
•Application design can reduce this threat
•More difficult to execute
Defending Against Buffer Overflow Attacks
•How do buffer overflow attacks occur?
•What do script viruses have to do with buffer overflows?
Defending Against IP Spoofing
•Used to gain unauthorized access to computers
•Source address of packet is changed
•Becoming less frequent due to security
•Potential vulnerabilities with routers:
• External routers connected to multiple internal networks
• Proxy firewalls that use the source IP address for authentication
• Routers that subnet internal networks
• Unfiltered packets with a source IP on the local network/domain
Defending Against Session Hijacking
•The hacker takes over a TCP session
•Most common is the “man-in-the-middle”
•Can also be done if the hacker gains access to the target machine
•Encryption is the only way to combat this type of attack
Virus Attacks
•Most common threat to networks
•Propagate in two ways
• Scanning computer for network connections
• Reading e-mail address book and sending to all
•Examples:
• Sobig Virus
• Mimail and Bagle
• Sasser
Protecting Against Viruses
•Always use virus scanner software
•Do not open unknown attachments
•Establish a code word with friends and colleagues
•Do not believe security alerts sent to you
Trojan Horse Attacks
•Program that looks benign but has malicious intent
•They might:
• Download harmful software
• Install a key logger or other spyware
• Delete files
• Open a backdoor for hacker to use
Thank you!
Please share any questions in the “Course Questions” discussion forum
SRTY-6003
Securing the Edge 1
Week 4
Palo Alto: Content ID, File Blocking and URL Filtering
Housekeeping
• Lab 2 has been posted. Due February 7th at 2359hrs EST
• Some issues with the DMZ VM. Shared new download link (check FOL announcement)
• No updates from drop-in session last Thursday.
• Lab 1 has been graded and grades have been published. Lots of feedback.
• Digitally signing your screenshots, changing hostname on VM-50 (not on the client), inclusion of
system clock when possible, etc.
• This is our last week of Palo Alto (Test next week Thursday at 10am EST)
• Discussion Forums update: Week 2 has 12 threads but no replies.
• I will close Weeks 1 and 2 before the test.
• Peer tutors (next slide!)
Peer Tutors
•The Peer Tutoring site is now up and running, you will find scheduled sessions
that you can attend but you can post a question at any time and the peer tutor
will answer next time they are available. Please do not expect an instant
response as everyone has many other commitments, which is why time
management is so important - do not leave things to the last minute!
•I suggest you log into the site and take a look: ISM/NSA Peer Mentor Site (21W)
https://www.fanshaweonline.ca/d2l/home/1141389
•This resource is for you so please make use of it.
• Dedicated times for live chat, direct and private email correspondence, and it’s FREE!
• Week 6 progress reports. If unsatisfactory you might consider PM’s as a resource for you.
In the News…
News from YOU…
•https://cio.economictimes.indiatimes.com/news/digital-security/it-securityrecommendations-for-businesses-in-2021/80480923
In Other News…
•Is the end of the firewall in sight?
•SonicWall firewall maker hacked using zero-day in its VPN device
•Data Breach in Washington State Auditors Office
•3/4 of Americans have had to change password due to security breach
•Number of identity theft reports doubled last year
Agenda
•Describe Content-ID and the seven different Security Profile types
•Define the two predefined Vulnerability Protection Profiles (i.e. “strict” and “default”)
•Configure Security Profiles to prevent virus and spyware infiltration
•Configure File Blocking Profiles to control the flow of file types through the
firewall
•Configure a DoS Profile to help mitigate Layer 3 and 4 protocol-based attacks
•Configure a custom URL Filtering Profile to minimize the number of blocked
websites between trusted zones
•Configure safe search and logging options
•Summary and Reminders
Content-ID Overview
Content-ID
•Combines threat prevention engine and policies to inspect and control content
traversing the firewall
•Scans network traffic for:
• Software vulnerability exploits
• Viruses
• Spyware
• Malicious URLs
• Restricted files and data
•How is Content-ID different from App-ID?
Security Policy with Security Profiles
•Part of the security policies that have an action of “allow” (but not “deny”)
•Security Profiles implement additional security checks on allowed traffic.
Security Profile Types (There are SEVEN of them…)
Policies > Security
Antivirus
File Blocking
Anti-Spyware
Data Filtering
Vulnerability Protection
WildFire Analysis
URL Filtering
Security Profile Group
Threat Log
•Vulnerability Protection, Antivirus, and Anti-Spyware profiles all log events to the Threat log.
• Logs are displayed in the ACC: Application Control Center
Vulnerability Protection Security Profiles
Default Vulnerability Protection Security Profiles
Vulnerability Protection Profile Rules
Vulnerability Exceptions
A profile’s rules specify the actions to take when threats are found
Antivirus and Anti-Spyware Security Profiles
Default Antivirus Security Profile
What is a Zero Trust configuration?
Creating a New Antivirus Profile
for traffic that matches the Antivirus Profile rule
Creating a New Antivirus Profile (Cont.)
What is a false positive?
Default Anti-Spyware Security Profiles
•To create customized profile actions:
• Clone the default read-only profile and edit the clone, or
• Add a brand new profile
What is a “phone home” network connection?
Configuring Anti-Spyware Profile Rules
Anti-Spyware Exceptions
Exception vs. Exemption?
• Exemption is a type of exception
DNS Signatures
Objects > Security Profiles > Anti-Spyware > Add
Sinkhole Operation
The default action for the Palo Alto Networks DNS signatures is “sinkhole”
Sinkhole Events in the Threat Log
• Infected hosts are easily identified in the Threat log or through use of reports.
• Any host that attempts to connect to the sinkhole IP address is potentially infected with malware
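The detection described above, as an added example (not Palo Alto Networks code): because clients resolve names through an internal DNS server, the Threat log shows the resolver as the source of the sinkholed query, while the Traffic log shows the real client connecting to the sinkhole address. The two log excerpts use a simplified comma-separated layout rather than the real PAN-OS format, and the sinkhole address, hosts and domains are constructed.

```python
"""Identify likely-infected hosts from DNS sinkhole events.

Added example for this page, not Palo Alto Networks code.  Both log excerpts
are constructed and simplified (comma-separated with a header row), not the
real PAN-OS log export format.  The sinkhole address is a constructed value;
on a firewall it is whatever the Anti-Spyware profile's sinkhole setting is.
"""
import csv
import io
import re
from collections import Counter
from typing import Dict, List, Set

SINKHOLE_IP = "198.51.100.254"   # constructed; set by the Anti-Spyware profile in practice

# Constructed Threat log.  The internal resolver 10.1.1.53 forwards every
# client's query, so the firewall records the resolver, not the infected
# client, as the source of the suspicious DNS query.
THREAT_LOG = """\
time,type,src,dst,threat,action
2021-02-01 10:00:01,spyware,10.1.1.53,192.0.2.2,Suspicious DNS Query (bad-updates.example),sinkhole
2021-02-01 10:00:04,spyware,10.1.1.53,192.0.2.2,Suspicious DNS Query (phone-home.example),sinkhole
2021-02-01 10:00:08,vulnerability,10.1.1.21,203.0.113.5,Constructed Exploit Signature,reset-both
"""

# Constructed Traffic log.  The sinkhole answer makes the infected client
# itself connect to SINKHOLE_IP, which is what exposes it.
TRAFFIC_LOG = """\
time,src,dst,dport,action
2021-02-01 10:00:02,10.1.1.21,198.51.100.254,443,allow
2021-02-01 10:00:05,10.1.1.37,198.51.100.254,80,allow
2021-02-01 10:00:06,10.1.1.21,203.0.113.5,443,allow
2021-02-01 10:00:09,10.1.1.21,198.51.100.254,443,allow
"""

DOMAIN_RE = re.compile(r"\(([^)]+)\)")   # the queried name sits in parentheses


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse a comma-separated log with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def sinkholed_domains(threat_rows: List[Dict[str, str]]) -> Set[str]:
    """Names the firewall answered with the sinkhole address."""
    found: Set[str] = set()
    for row in threat_rows:
        if row["action"] != "sinkhole":
            continue
        match = DOMAIN_RE.search(row["threat"])
        if match:
            found.add(match.group(1))
    return found


def sinkhole_clients(traffic_rows: List[Dict[str, str]],
                     sinkhole_ip: str = SINKHOLE_IP) -> Dict[str, int]:
    """Map each source host that connected to the sinkhole to its attempt count.

    These are the hosts to investigate.  A resolver that only forwarded the
    query never appears here; only the endpoint that acted on the answer does.
    """
    return dict(Counter(r["src"] for r in traffic_rows if r["dst"] == sinkhole_ip))


def report() -> List[str]:
    """One line per suspect host, most sinkhole connections first."""
    domains = ", ".join(sorted(sinkholed_domains(parse_log(THREAT_LOG))))
    clients = sinkhole_clients(parse_log(TRAFFIC_LOG))
    return [f"{host}: {n} connection(s) to sinkhole; sinkholed names: {domains}"
            for host, n in sorted(clients.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    print("\n".join(report()))
```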
File Blocking Profiles
File Blocking Overview
•Prevent introduction of malicious data
•Prevent exfiltration of sensitive data
•Logs to Data Filtering log
File type is identified by filename extension and by examination of the file content
For example, you might block a .exe file in email, but allow it if using an FTP client
Data Filtering Log
•Data Filtering log displays the list of files blocked by your file blocking profiles.
•Source is the system that sent the file (not the one that initiated the session)
•Destination is the system that received the file.
Creating a New File Blocking Profile
Continue Response Page
•A “continue” action requires user permission to complete the file transfer.
•Operates only when paired with the application web-browsing
•Helps prevent “drive-by downloads”
Blocking Multi-level Encoded Files
Objects > Security Profiles > File Blocking > Add
Encoding has legitimate uses but can be used to insert malicious data and exfiltrate sensitive data.
Data Filtering Profiles
Creating a Data Pattern
Objects > Custom Objects > Data Patterns > Add
Three types of data patterns
Creating a Data Filtering Profile
(e.g., social security numbers, credit card numbers, the word “confidential”)
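As an added example (not Palo Alto Networks code and not the firewall's own data-pattern engine), the following Python shows the kinds of matching the data-pattern slide suggests: a regular expression for SSNs, a regular expression for credit card numbers tightened with a Luhn check so that a random run of 16 digits does not count (the false-positive problem raised earlier in the module), and a plain keyword. The sample text is constructed.

```python
"""Data-pattern style matching for SSNs, card numbers and a keyword.

Added example, not Palo Alto Networks code. Patterns and sample text are
constructed; the Luhn check is the standard mod-10 checksum used on
payment card numbers and is what keeps arbitrary digit runs from matching.
"""
import re

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
KEYWORD_RE = re.compile(r"\bconfidential\b", re.IGNORECASE)


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn (mod-10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return [(pattern_name, matched_text)] for every hit in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # Regex alone over-matches; the checksum filters most false positives.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("credit-card", m.group()))
    for m in KEYWORD_RE.finditer(text):
        findings.append(("keyword", m.group()))
    return findings


# Constructed sample: one real-looking SSN, one Luhn-valid test card number,
# one 16-digit order reference that is NOT a valid card number, one keyword.
SAMPLE_TEXT = ("Customer SSN 123-45-6789, card 4111 1111 1111 1111, "
               "order ref 1234 5678 9012 3456, marked CONFIDENTIAL.")

if __name__ == "__main__":
    for name, value in scan(SAMPLE_TEXT):
        print(f"{name:12} {value}")
```

The order reference is the interesting case: it looks exactly like a card number to the regular expression, and only the checksum keeps it out of the findings. A production profile would also weight matches and require a threshold before acting, as the firewall's data filtering profiles do.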
Attaching Security Profiles to Security Policy Rules
Assigning Security Profiles to Security Rules
• Assign individual Security Profiles to a Security policy rule, or
• Assign a Security Profile Group to a Security policy rule
Security Profile Groups
Objects > Security Profile Groups > Add
• Add Security Profiles that are commonly used together
• Security Profile Groups simplify Security policy rule administration
Telemetry and Threat Intelligence
Telemetry and Threat Intelligence
• Opt-in feature; nothing selected by default
• Globally enhances threat protection
• Can preview data sent to Palo Alto Networks
Configuring Telemetry
Denial of Service Protection
Denial-of-Service Protection
•Packet-based (not signature-based) and not linked to Security policy
•Two-pronged approach :
• Zone Protection Profile protects ingress zone
• DoS policy plus DoS Profile protects destination zone or specific hosts
1.0 Zone Protection: Flood Protection
• Protects against most common flood attacks
• Alarm Rate: threshold to trigger log events
• Activate: threshold to activate mitigation response
• Maximum: threshold after which all further packets dropped
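The three thresholds form an escalation ladder. As an added illustration (not Palo Alto Networks code), the Python below buckets constructed packet arrival times into per-second rates and reports which rung each second reaches; the threshold values are assumed placeholders, and the firewall's actual rate measurement and mitigation techniques are not reproduced.

```python
"""Model the Alarm Rate / Activate / Maximum flood thresholds.

Added example, not Palo Alto Networks code. Threshold values and the
packet timestamps are constructed; only the escalation logic from the
slide is modelled.
"""
from collections import Counter

# Assumed thresholds in packets per second (placeholders; tune per zone).
THRESHOLDS = {"alarm": 10, "activate": 20, "maximum": 40}


def classify_rate(pps, thresholds=THRESHOLDS):
    """Map a packets-per-second value to the response the slide describes."""
    if pps >= thresholds["maximum"]:
        return "drop all further packets"
    if pps >= thresholds["activate"]:
        return "activate mitigation"
    if pps >= thresholds["alarm"]:
        return "log alarm"
    return "none"


def per_second_rates(timestamps):
    """Count packets per whole-second bucket; returns {second: count}."""
    return Counter(int(t) for t in timestamps)


def flood_timeline(timestamps, thresholds=THRESHOLDS):
    """Return [(second, pps, response)] for every second seen, in order."""
    rates = per_second_rates(timestamps)
    return [(sec, rates[sec], classify_rate(rates[sec], thresholds))
            for sec in sorted(rates)]


# Constructed arrival times (seconds): quiet, then a ramp, then a burst.
SAMPLE_TIMESTAMPS = (
    [0 + i * 0.20 for i in range(5)]     # second 0:  5 pps
    + [1 + i * 0.08 for i in range(12)]  # second 1: 12 pps
    + [2 + i * 0.04 for i in range(25)]  # second 2: 25 pps
    + [3 + i * 0.02 for i in range(50)]  # second 3: 50 pps
)

if __name__ == "__main__":
    for sec, pps, response in flood_timeline(SAMPLE_TIMESTAMPS):
        print(f"t={sec}s  {pps:3d} pps  -> {response}")
```

Setting the three values so that alarm < activate < maximum is what gives an operator log evidence before mitigation starts and mitigation before outright dropping; inverted or equal values collapse the ladder into a single step.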
2.0 Zone Protection: Reconnaissance Protection
• Alerts or protects against TCP or UDP port scans and ICMP/TCP/UDP host sweeps
3.0 Zone Protection: Packet-Based Attack Protection
Network > Network Profiles > Zone Protection > Add
• Packet-based attacks use protocol options or malformed packets to adversely affect target systems.
• We can block these packets.
4.0 Zone Protection: Protocol Protection
Network > Network Profiles > Zone Protection > Add
• Applies only to Layer 2 and Virtual Wire zones:
 • Firewall normally allows non-IP traffic in these zone types.
• Enables you to control which non-IP protocols are allowed to flow between or within these security zone types
Enabling Zone Protections
• Profiles applied one per zone
DoS Protection Profiles and Policies
Configuring a DoS Protection Policy
Policies > DoS Protection > Add
Configuring a DoS Protection Profile
Objects > Security Profiles > DoS Protection > Add
URL Filtering
URL Filtering Feature
URL Filtering Profiles
•URL Filtering Profiles implement additional security checks on allowed traffic.
URL Category: Policy Versus Profile
URL Filtering Log
•Attachment of a URL Filtering Profile to a Security rule generates log entries:
• “alert,” “block,” “continue,” and “override” actions trigger log entries.
Monitor > Logs > URL Filtering
| © 2019 Palo Alto Networks, Inc.
URL Filtering Security Profile
Objects > Security Profiles > URL Filtering
•To create customized profiles:
• Clone the default read-only profile and edit the clone, or
• Add a brand new profile
Multi-Category and Risk-Based URL Filtering
Device > Setup > Content-ID > URL Filtering
• PAN-DB URL Filtering cloud assigns websites to multiple categories.
• Categories indicate how risky the site is, the website’s content, and the website’s purpose or function.
• The security-related risk categories demonstrate levels of suspicious activity.
• Websites that have been registered for fewer than 32 days are considered newly-registered domains.
Configure Per-URL Category Actions
URL matching order:
1. Block list*
2. Allow list*
3. Custom URL categories*
4. External Dynamic Lists*
5. PAN-DB firewall cache
6. Downloaded PAN-DB file
7. PAN-DB cloud
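The order matters because the first stage that matches decides the verdict. As an added example (not Palo Alto Networks code), the Python below walks a URL through the seven stages with plain data structures; the lists, custom categories, cache contents, local database and the cloud lookup function are all constructed stand-ins.

```python
"""Walk a URL through the URL matching order from the slide.

Added example, not Palo Alto Networks code: it models the seven-step
precedence with plain Python data. The block/allow lists, categories,
cache, local database and cloud lookup are constructed stand-ins.
"""
from urllib.parse import urlsplit


def split_url(url):
    """Return (host, path) for "host/path" or "scheme://host/path?query"."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower(), parts.path or "/"


def entry_matches(entry, host, path):
    """Match one list entry: exact host, "*.domain" wildcard, optional path prefix."""
    e_host, _, e_path = entry.lower().partition("/")
    if e_host.startswith("*."):
        host_ok = host == e_host[2:] or host.endswith("." + e_host[2:])
    else:
        host_ok = host == e_host
    return host_ok and (not e_path or path.startswith("/" + e_path))


def resolve_url(url, block_list, allow_list, custom_categories, edls,
                fw_cache, local_db, cloud_lookup):
    """Return (category, matched_by); the first stage that matches wins."""
    host, path = split_url(url)
    if any(entry_matches(e, host, path) for e in block_list):     # 1
        return "block-list", "block list"
    if any(entry_matches(e, host, path) for e in allow_list):     # 2
        return "allow-list", "allow list"
    for name, entries in custom_categories.items():               # 3
        if any(entry_matches(e, host, path) for e in entries):
            return name, "custom URL category"
    for name, entries in edls.items():                            # 4
        if any(entry_matches(e, host, path) for e in entries):
            return name, "external dynamic list"
    if host in fw_cache:                                          # 5
        return fw_cache[host], "PAN-DB firewall cache"
    if host in local_db:                                          # 6
        return local_db[host], "downloaded PAN-DB file"
    category = cloud_lookup(host)                                 # 7
    fw_cache[host] = category        # cache the cloud verdict for next time
    return category, "PAN-DB cloud"


# Constructed configuration and lookup data (placeholders, not real lists).
BLOCK_LIST = ["*.bad.example", "downloads.example.com/installers/"]
ALLOW_LIST = ["cdn.example.com"]
CUSTOM_CATEGORIES = {"corp-saas": ["*.corp.example", "cdn.example.com"]}
EDLS = {"threat-feed": ["evil.example.net"]}
LOCAL_DB = {"shop.example.com": "shopping"}


def cloud_lookup(host):
    """Stand-in for the PAN-DB cloud: a fixed table, "unknown" otherwise."""
    return {"new.example.io": "computer-and-internet-info"}.get(host, "unknown")


def demo():
    """Resolve constructed URLs; returns {url: (category, matched_by)}."""
    cache = {"news.example.org": "news"}      # simulated firewall cache
    urls = ["http://www.bad.example/login", "cdn.example.com",
            "mail.corp.example", "evil.example.net/update", "news.example.org",
            "shop.example.com", "new.example.io", "new.example.io/again"]
    return {u: resolve_url(u, BLOCK_LIST, ALLOW_LIST, CUSTOM_CATEGORIES, EDLS,
                           cache, LOCAL_DB, cloud_lookup) for u in urls}


if __name__ == "__main__":
    for url, (category, stage) in demo().items():
        print(f"{url:32} {category:27} via {stage}")
```

Note that cdn.example.com appears in both the allow list and a custom category, and the allow list wins purely by position; likewise the second lookup of new.example.io is answered from the cache that the first cloud lookup populated.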
Configure a Custom URL Category
Objects > Custom Objects > URL Category > Add
• Define URL category enforcement separate from category defaults
• Create URL filtering based on URL or category
• Replaces URL filtering overrides
URL Filtering Response Pages
URL Admin Settings
Device > Setup > Content-ID > URL Admin Override > Add
Configure a URL Admin Override password that a user must enter to access a URL configured with an “override” action.
Device > Setup > Content-ID > URL Filtering
Configure Safe Search and Logging Options
Objects > Security Profiles > URL Filtering > Add
Configure Credential Phishing Prevention Method
HTTP Header Insertion and Modification
• Enable access to only enterprise
versions of SaaS applications
• Inserts header if missing or
overwrites existing header
• Four predefined SaaS applications:
• Dropbox
• Google
• Office 365
• YouTube
Handling Unknown URLs
• Category column in URL Filtering log lists unknown.
Recommendation: Set unknown URL category action to support your security requirements.
Handling Not-Resolved URLs
• Category column in URL Filtering log lists not-resolved.
Recommendation: Set not-resolved URL category match action to “alert”
Downloading the URL Seed Database
•Download an initial seed database to use the URL Filtering feature
Device > Licenses
Recategorization Request: Via Log Entries
Monitor > Logs > URL Filtering
Recategorization Requests: Via Webpage
Objects > Security Profiles > URL Filtering > Add
Attaching URL Filtering Profiles
Security Profile Groups
Objects > Security Profile Groups > Add
• Add Security Profiles that commonly are used together
• Simplifies security rule administration
Assigning Security Profiles to Security Policy Rules
Policies > Security > Add
• Assign individual Security Profiles to a Security policy rule, or
• Assign a Security Profile Group to a Security policy rule
Reminders
• Test next week, so no lecture/tutorial recording (so that you can study!)
• Our tests will be during the drop-in lab time,
• Alternate test times are available to part-time students or those studying outside of the EST.
• Please email me if you need an alternate test time
• Test will cover ALL FOUR WEEKS of Palo Alto
• May use a variety of questions, e.g. short/long answer, multiple choice, true/false, fill-in-the-blanks, matching, etc.
• Time management is key!
• MUST use Respondus Lockdown Browser (not monitor)
• Test is NOT open book
• Make sure you have reliable internet and power (hard-wired is best)
• I mark each test manually, so ignore the auto-grade at the end of the test.
SRTY-6003 Securing the Edge 1
Basic Interface Configuration
Basic Interface Configuration
Next-Generation Firewall Essentials 1
PAN-OS® 7.1
Courseware Version A
Agenda
• Security zones
• Interface types:
 • TAP mode
 • Decrypt mirror
 • Virtual wire
 • Layer 2
 • Layer 3:
  ˗ Virtual router
  ˗ IP addressing
  ˗ DHCP
 • VLAN Interface
 • Loopback
 • Aggregate
Flow Logic of the Next-Generation Firewall (diagram, summarized by stage)
• Initial Packet Processing: Source Zone/Address/User-ID; PBF/Forwarding Lookup; Destination Zone; NAT Policy Evaluated
• Security Pre-Policy: Check Allowed Ports; Session Created
• Application: Check for Encrypted Traffic; Decryption Policy; Application Override Policy; App-ID/Content-ID Labeling
• Security Policy: Check Security Policy; Check Security Profiles
• Post-Policy Processing: Re-Encrypt Traffic; NAT Policy Applied; Packet Forwarded
Security Zones
Security Zones
Network > Zones > Add
• Specify zone name
• Specify zone type
• Assign interface
Security Zones and Policies
• Security policies use zones to regulate and log traffic:
• Intrazone traffic is allowed by default
• Interzone traffic is denied by default
Security Zone Interfaces
• An interface is configured to only one zone.
• A security zone can have multiple interfaces.
Interface    Zone        Address
E 1/10       Internet    161.23.4.254
E 1/11       DMZ         172.16.1.254
E 1/12       ─           ─
E 1/12.10    Users       192.168.10.254
E 1/12.20    Users       192.168.20.254
E 1/12.30    VoIP        192.168.30.254
Tunnel.4     Remote-LAN  10.5.1.254
Interface Types
Interface Types
• Ethernet:
• TAP
• HA
• Virtual wire
• Layer 2
• Layer 3
• Aggregate
• Decrypt mirror
• VLAN
• Loopback
• Tunnel
Network > Interfaces
Ethernet Interface Configuration
Network > Interfaces > Ethernet
Interface type options: TAP, HA, Virtual wire, Layer 2, Layer 3, Decrypt mirror, Aggregate
Screenshot callouts: Virtual Wire, Layer 2, Layer 3
Flexible Deployment Options for Ethernet Interfaces
TAP
▪ Application, user, and content visibility without inline deployment
▪ Evaluation and audit of existing networks
Virtual Wire
▪ App-ID, Content-ID, User-ID, and SSL decryption
▪ Includes NAT capability
Layer 3
▪ All of the Virtual Wire mode capabilities with the addition of Layer 3 services: virtual routers, VPN, and routing protocols
Ethernet TAP Mode
• TAP mode deployment allows passive monitoring of traffic flows across a
network by way of a switch SPAN or mirror port.
• The firewall cannot perform traffic shaping or blocking.
• Tap interfaces must be assigned to a security zone for ACC and reporting
capabilities.
(Diagram: Internet and LAN traffic mirrored from a switch SPAN port to firewall interface E1/1)
Configuring TAP Interfaces
Network > Interfaces > Ethernet
Screenshot callouts: Interface Type; Security Zone
Ethernet Virtual Wire Interface
• Binds two physical interfaces together
• Supports App-ID, decryption, NAT, Content-ID, and User-ID
• Typically used when no switching or routing is needed
• No configuration changes for adjacent network devices
Configuring a Virtual Wire Object
Network > Virtual Wires > Add
• A virtual wire can allow or block traffic based on 802.1Q VLAN tags:
 • 0 = untagged traffic
• Applies security rules to multicast traffic, enables multicast firewalling
Screenshot callouts: 802.1Q tags allowed; Enable multicast addresses
Configuring Virtual Wire Interfaces
Network > Interfaces > Ethernet
Screenshot callouts: Interface Type; Virtual Wire Object; Security Zone
Virtual Wire Subinterfaces
• Provide flexibility in setting distinct policies when needed to manage traffic
from multitenancy networks
• Allow for the assignment of incoming traffic to different ingress and egress
security zones by either:
• VLAN tags
• VLAN tags and IP classifiers (source IP)
• Traffic from different VLANs can now be assigned to different zones and
then managed by different security policies
• Traffic from different VLANs can be assigned to different ports:
• Voice VLAN can be assigned to one port, and data VLAN to another
Configuring a Virtual Wire Subinterface
Network > Interfaces > Ethernet > Add Subinterface
Layer 2 and Layer 3 Interfaces
Layer 2 (diagram): E1/3 LAN (10.20.1.0/24), E1/4 Mail Servers (10.20.1.0/24), E1/5 App Servers (10.20.1.0/24); switching between network segments
Layer 3 (diagram): E1/3 10.1.2.1/24 Users, E1/5 192.168.2.1/24 DMZ, E1/4 172.16.2.1/24 Internet; routing between networks
Layer 2 Interface Example
(Diagram: PA-FW with Eth1/1 (L2) to a VLAN host 192.168.20.100, Eth1/2 (L2) to 192.168.20.10, and Eth1/3 (L2) to 192.168.20.20)
VLAN Configuration
Network > VLANs > Add
Screenshot callouts: VLAN object name; physical Layer 2 interfaces and Layer 2 subinterfaces in the VLAN object
Layer 2 Interface Configuration
Network > Interface
Layer 2 Subinterfaces
Network > Interfaces > Ethernet > Add Subinterface
Screenshot callouts: Physical Interface; Subinterface ID; 802.1Q Tag; Layer 2 Zone
Configuring a Layer 3 Interface
Network > Interfaces > Ethernet
• Interface Type: Layer 3
• Security zone
• IP address:
• Static or DHCP client
• DHCP server or DHCP relay
• Interface management profile:
• Allows or denies management protocols
such as SSH and HTTP on the MGT interface
• Virtual router:
• Contains a set of static and dynamic routes
used by a specified group of interfaces
Configuring a Layer 3 Interface
Network > Interfaces > Ethernet
Screenshot callouts: Interface type: Layer 3; Virtual Router; Security Zone; IP Address; Interface Management Profile; MTU
Assigning an IP Address to an Interface
Network > Interfaces > Ethernet
Configuring a Layer 3 Subinterface
Network > Interfaces > Add Subinterface
Screenshot callouts: Physical Interface; Subinterface ID; Virtual Router; Security Zone; 802.1Q Tag; Define Management Profile
Interface Management Profile
• Defines which management functions are allowed on a traffic interface
• Management profiles are applied to Layer 3 interfaces
Network > Network Profiles > Interface Mgmt > Add
Restricts administrative access to specific IP addresses.
Virtual Routers
• All interfaces assigned to a virtual router share the same routing table:
• The routing table of a virtual router can be defined by static and dynamic (RIP,
OSPF, BGP) routes.
• Allows for the configuration of different routing behavior for different interfaces.
Network > Virtual Routers
Multiple Virtual Routers
(Diagram: VR1 routes VLAN10 and VLAN20 (L3) to the Internet; VR2 routes VLAN30 and VLAN40 to the Internet)
Virtual Router Static Routes
Network > Virtual Routers
Virtual Router Dynamic Routes
▪ Standards-based support for:
• OSPFv2 and OSPFv3
• RIPv2
• BGPv4
▪ Routing support across IPSec
tunnels
▪ Multicast routing support for:
• PIM-SM
• PIM-SSM
• IGMP
Network > Virtual Routers
Troubleshooting Routing
• Confirm virtual router run-time statistics
• On the active firewall, select Network > Virtual Router and click More Runtime Stats
More Runtime Stats
• The routing table shows internal network routes and shows default routes propagated
from the upstream routers.
Network > Virtual Router > More Runtime Stats
Policy-Based Forwarding
Match criteria: Source (source address, source zone, source user); Destination (destination address, destination application, destination service (port number))
IPv6 Capabilities
Device > Setup > Session > Session Settings
Support for:
• IPv6 Layer 3 interfaces
• IPv6 addresses in all policies
• IPv6 static routes in virtual routers
• ICMPv6
• DHCPv6
• Neighbor discovery
• Dual stack
• SLAAC
• LDAP
• RADIUS
Supported IPv6 Features
• Networking
• Static Routing
• Dynamic Routing (OSPFv3)
• PBF
• NAT (NAT64 only)
• Site-to-Site VPN
• IPv6 over IPv4 IPSec Tunnel
• DNS Proxy
• GlobalProtect VPNs are not supported
▪ Traffic Classification and Threat Prevention
• App-ID
• Content-ID
• User-ID
• DoS Rule Base
• Zone Protection
IPv6 Interface Configuration
Network > Interfaces > Ethernet
• Dual stack support: you can have IPv4 and IPv6 addresses on the same interface.
DHCP Server
Network > DHCP > DHCP Server
• When an interface is configured as a DHCP server, it assigns addresses to DHCP clients.
DHCP Server Options
Network > DHCP > DHCP Server
• If an interface on the firewall is a client of an external DHCP server, the DHCP server can inherit this information and forward it to clients.
VLAN Interfaces
(Diagram: PA-FW with Eth1/8 (L3) to the Internet; Eth1/1, Eth1/2 and Eth1/3 (L2) in one VLAN with hosts 192.168.20.100, 192.168.20.10 and 192.168.20.20; the VLAN interface 192.168.20.254 attaches the VLAN to the VR)
Configuring a VLAN Interface
Network > Interfaces > VLAN > Add
Screenshot callouts: This is not a subinterface; it does not reference traffic tagged with VLAN ID 1. VLAN object associated with this VLAN interface.
Configuring Loopback Interfaces
Network > Interfaces > Loopback
Screenshot callouts: Loopback Interface ID; Virtual Router; Security Zone; IP Address
Aggregate Interfaces
• An aggregate interface group combines up to eight Ethernet interfaces using link aggregation.
• Increased throughput and link redundancy.
• The aggregate interface is a logical interface that can be configured as if it were a regular
interface.
• LACP is supported.
(Diagram: firewall NIC-1 and NIC-2 link-aggregated to switch port 1 and switch port 2)
Create an Aggregate Interface
Network > Interfaces > Ethernet > Add Aggregate Group
Screenshot callouts: This is not a subinterface; it does not reference traffic tagged with VLAN ID 1. For Layer 3, add an IP address.
Assign an Interface to an Aggregate Group
Network > Interfaces > Ethernet
Questions?
SRTY-6003 Securing the Edge 1
2023
Week 2: Introduction to Palo Alto
Housekeeping
• Lab 1 is posted this week (license issue resolved at home).
 • Due next week
• Discussion Forum!
• Test #1 (Palo Alto Unit Test) is coming up – what’s your strategy?
 • Test is in Week 5
EdgeSec in the News…
•Apple Drops Controversial Firewall-Bypass Feature
•Backdoor account discovered in Zyxel firewalls
•Human firewalls?
•Many cyberattacks successfully bypass security firewalls
•Cybersecurity talent pool must expand to take
advantage of quantum computing opportunities
Agenda for Today
➢ Understand the characteristics of Palo Alto’s Security Operating Platform
➢ What is the single-pass architecture and why is it used?
➢ Explore the Zero Trust security model and how Palo Alto handles zero trust
➢ Introduce some administrative controls (WebUI, CLI, REST API)
➢ Initial and admin access to a Palo Alto appliance
➢ Configuration management in Palo Alto
➢ Managing licensing and software updates
➢ How to administer admin and other user accounts
➢ Viewing and filtering logs
Welcome to Palo Alto Networks!
•Palo Alto Networks Learning Center
 • Log in to the Palo Alto Networks Learning Center at https://education.paloaltonetworks.com/learningcenter
•Palo Alto Networks exam information
•Additional resources
•Course objectives
•Course modules
•Lab environment
•Miscellaneous with general Q&A
Palo Alto Networks Certifications
1. What certifications does Palo Alto offer? What details were you
able to find? (content, cost, requirements, etc.)
2. Which of these certification interests you the most? Why?
3. What are Prisma, Strata, and Cortex?
Create a discussion forum post (under week 2) and answer
these questions.
Palo Alto Learning Center Topic Areas
• Platforms and Architecture
• Initial Configuration
• Basic Interface Configuration
• Security and NAT Policies
• Basic App-ID
• Basic Content-ID
• File Blocking and WildFire
• Decryption
• Basic User-ID
• Site-to-Site VPNs
• Management and Reporting
• Active/Passive High Availability
Palo Alto Learning Center Topic Areas
• Our PA unit in this course is based on the Cybersecurity Infrastructure and Configuration (CIC) course offered by Palo Alto’s NetAcademy.
This course provides the student with a general understanding of how to
install, configure, and manage firewalls for defense of enterprise
network architecture. Students will learn the theory and configuration
steps for setting up the security, networking, threat prevention, logging,
and reporting features of next generation firewall technologies.
Other Training Resources
Cybersecurity Survival Guide
https://s3.amazonaws.com/assets.paloaltonetworksacademy.net/csg/Cybersecurity_Survival_Guide_4.pdf
Palo Alto Networks YouTube Channels:
https://www.youtube.com/user/paloaltonetworks
https://www.youtube.com/playlist?list=PLD6FJ8WNiIqVHYMMWdbrnUgrUao4_4isr
Palo Alto Networks Lightboard Series
https://www.youtube.com/watch?v=DRBmlOJafY&feature=youtu.be&list=PLqATPiC_Bcl-t8vrzZlnGi3HTurs9Yuf3
Palo Alto Networks Webinars – BrightTalk:
https://www.paloaltonetworks.com/campaigns/brighttalk.html
Palo Alto Networks Technical Documentation
https://docs.paloaltonetworks.com
Firewall Test Drive
https://www.paloaltonetworks.com/events/test-drive.html
Supplemental Online Resources
NICE – National Initiative for CyberSecurity Education
https://www.nist.gov/itl/applied-cybersecurity/nice
The Hacker News http://thehackernews.com
PBS NOVA LABS – Cybersecurity
http://www.pbs.org/wgbh/nova/labs/lab/cyber/
Palo Alto Platforms and Architecture
(Security Platform overview)
Cyber Attack and Palo Alto
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Stop the attack at any point!
Command
and Control
Act on
Objective
Next-Generation Security Platform
• NGFW: identifies the network traffic.
• Threat Intelligence Cloud: correlates threats and gathers information from multiple sources (AutoFocus/WildFire).
• Advanced Endpoint Protection: blocks malicious activity at the endpoint.
Development of Unified Threat Management
(UTM)
Internet
Serial Processing in the UTM
Palo Alto Networks Firewall Architecture
Control Plane | Management: management CPU, RAM, SSD, MGT interface, console (configuration | logging | reporting). Provides configuration, logging, and reporting functions on a separate processor, RAM, and hard drive.
Data Plane (single-pass pattern match):
• Signature Matching (signature matching components): exploits | virus | spyware | CC# | SSN. Stream-based, uniform signature match including vulnerability exploits (IPS), virus, spyware, CC#, and SSN.
• Security Processing (security processing components, enforce policy): App-ID | User-ID | URL match | policy match | SSL/IPsec | decompression. High-density parallel processing for flexible hardware acceleration for standardized complex functions.
• Network Processing (network processing components): flow control | MAC lookup | route lookup | QoS | NAT. Front-end network processing, hardware-accelerated per-packet route lookup, MAC lookup, and NAT.
Hardware component types and sizes per layer vary per firewall model.
Zero Trust Model: NEVER TRUST, ALWAYS VERIFY.
(Diagram: North-South traffic and East-West traffic)
Flow Logic of the Next-Generation Firewall (diagram, summarized by stage)
• Initial Packet Processing: Source Zone/Address/User-ID; PBF/Forwarding Lookup; Destination Zone; NAT Policy Evaluated
• Security Pre-Policy: Check Allowed Ports; Session Created
• Application: Check for Encrypted Traffic; Decryption Policy; Application Override Policy; App-ID/Content-ID Labeling
• Security Policy: Check Security Policy; Check Security Profiles
• Post-Policy Processing: Re-Encrypt Traffic; NAT Policy Applied; Packet Forwarded
Hardware Platforms
Compare capacities at: www.paloaltonetworks.com/products/productselection.html
Next-Generation Firewalls
PA-5200 Series
PA-3200 Series
PA-800 Series
PA-220R
PA-7000 Series
PA-220
Panorama
M-200
M-500/WF-500/600
VM-Series (PAN OS 9) Models and Capacities
• Ideal for protecting virtualized data centers and “east-west” traffic
• RESTful APIs:
• Integrate VMs with external orchestration and management tools
• Virtual Machine Monitoring:
• Poll virtual machine inventory and changes, collecting data into tags
• Dynamic Address Groups:
• Identify newly deployed machines with tags instead of static addresses
Performance and Capacities
                                          VM-700        VM-500     VM-300   VM-100/VM-50   VM-200/Lite
Firewall throughput (App-ID enabled)      16 Gbps       8 Gbps     4 Gbps   2 Gbps         200 Mbps
Threat prevention throughput              8 Gbps        4 Gbps     2 Gbps   1 Gbps         100 Mbps
New sessions per second                   120,000       60,000     30,000   15,000         3,000
Dedicated CPU cores                       2, 4, 8, 16   2, 4, 8    2, 4     2              2
Dedicated memory (minimum)                56 GB         16 GB      9 GB     6.5 GB         4.5 GB/4 GB
Dedicated disk drive capacity (minimum)   60 GB         60 GB      60 GB    60 GB          32 GB
VM-Series Hypervisors
•VMware:
• NSX: Install and manage firewalls on multiple ESXi servers.
• ESXi: Integrates with external management systems
 • VMware vCloud Air: Protect your VMware-based public cloud
•Citrix NetScaler SDX
•Kernel-based Virtual Machine (KVM):
• Linux-based virtualization and cloud-based initiatives
• Microsoft Hyper-V and Azure
•Amazon Web Services
Virtual Systems
• Separate, logical firewalls within a single physical firewall
• Creates an administrative boundary
• Use case: multiple customers or departments
(Diagram: one physical firewall hosting vsysA and vsysB, each with its own Trust Zone, Untrust Zone, and data interfaces)
Initial Configuration
Palo Alto Initial Configuration
Initial Access to the System
• Initial configurations must be performed over either:
• Dedicated out-of-band management Ethernet interface (MGT)
• Serial console connection
• Default MGT IP addressing:
• Hardware: 192.168.1.1/24
• VM: DHCP client
• Default access:
• User name: admin
• Password: admin
Administrative Access
Web Interface
SSH/Console CLI
Panorama
REST XML API
Web Interface
Screenshot callouts: Functional Category Tabs; Commit Configuration Changes; Logout Button
Screenshot callouts: Help Portal; Tasks Button
Web Interface Editing Guidance
Screenshot callouts: Contextual Help. Red underline shows tabs where information is required. Yellow highlights indicate required fields. OK button is unavailable if required information is missing or is invalid.
Configuring the Static MGT Interface Using
the CLI
> configure
Entering configuration mode
[edit]
# set deviceconfig system type static
# set deviceconfig system ip-address 10.30.11.1 netmask 255.255.255.0 default-gateway 10.30.11.254 dns-setting servers primary 172.16.20.230
# commit
....10%....20%....30%....40%....50%....60%....70%....80%....90%....100%
Configuration committed successfully
(Diagram: MGT interface 10.30.11.1 with default gateway 10.30.11.254 to the Internet; DNS: 172.16.20.230)
Initial System Access
Gaining Admin Access
•Four ways to access firewall management.
• Web UI
• SSH/Console CLI
• Panorama
• REST XML API
Quick Look at the Web UI
Web UI – Signs and Symbols
Resetting to Factory Default
•From CLI (with known admin user password):
> request system private-data-reset
• Erases all logs
• Resets all settings, including IP addressing, which causes loss of
connectivity
• Saves a default configuration after the MGT IP address is changed
•Without known admin user password:
• From the console port, type maint during bootup
• Choose Reset to Factory Default
MGT Interface Configuration: Web Interface
Device > Setup > Interfaces > Management
Minimum configuration requires IP address, netmask, and default gateway.
Restrict administrative access to specific IP addresses.
MGT Interface Dynamic Address
Firewall can identify itself to the DHCP server with hostname or client ID (MAC).
Configure DNS and NTP Servers
Device > Setup > Services
Configure the Hostname and Domain
Device > Setup > Management > General Settings
DHCP can provide the firewall hostname and domain.
Banners and Messages
Device > Setup > Management > Banners and Messages
Configuration Management
Config Types
Candidate Configuration
• What is shown in the UI becomes the running config upon successful commit.
# commit
Running Configuration
•Active on the firewall.
Commit Operation
Transaction Locks
• Config lock: Blocks other administrators from making changes to
the configuration
• Commit lock: Blocks other administrators from committing changes
until all of the locks have been released
Configuration Management
Device > Setup > Operations
Configuration Management: Auditing
• Any two configuration files can be compared.
Device > Config Audit
Licensing and Software Updates
Activate the Firewall
Steps (hardware firewall vs. VM-based firewall):
• Register with Palo Alto Networks Support. Hardware firewall: use the serial number from the Dashboard. VM-based firewall: use the emailed auth codes and purchase/order number.
• Activate licenses at Device > Licenses. Hardware firewall: retrieve license keys from the license server. VM-based firewall: activate the feature using the authorization code.
• Verify update and DNS servers: use the correct update and DNS server in Device > Setup > Services.
• Manage content updates: get the latest application and threat signatures and URL filtering database.
• Install software updates: verify the OS version and install the recommended version.
Activate the VM-Series Firewall
1. Register with Palo Alto Networks:
a. A set of authorization codes will be emailed.
b. Log in to https://support.paloaltonetworks.com.
(If you haven’t already registered, register for a Support account
with your capacity auth-code and purchase or sales order
number.)
c. Click the Assets > Add VM-Series Authentication Code link to
manage your VM-Series firewall licenses and download the
software.
2. Activate licenses:
• Select Device > Licenses and select the Activate feature using
the authentication code link.
3. Manage content updates.
4. Install software updates.
Dynamic Updates
Device > Dynamic Updates
Screenshot callouts: Schedule and check for new content; to install from a file, upload content first.
PAN-OS® Software Updates
Screenshot callouts: Install software that has been downloaded; Check for new software; Load software from desktop.
Rapid Mass Deployment
• When the firewall is at factory-default, it can
bootstrap from an external virtual or physical USB
device.
• Without contacting the update server, the firewall
can now perform:
• Licensing
• Content and software updates
• Addressing
• System configuration
• Connection to Panorama
• The firewall can now boot up and connect itself to
the network and to a Panorama management server.
Account Administration
Administrator Roles
Roles define the type of access an administrator has on the firewall:
▪ Dynamic Roles: Built-in roles such as superuser and device administrator
▪ Admin Role Profiles: Custom-made roles
Device > Admin Roles
Using External AAA to Authenticate Admin
Users
Device > Server Profiles
Creating Administrator Accounts
Device > Administrators
Set Admin Passwords
Device > Administrators
Minimum Password Complexity
Device > Setup > Management > Minimum Password Complexity
Discussion Forum – Week 2
In addition to the ALE’s already discussed in this lesson, here are
your discussion forum post requirements.
• Find a news article (from a source other than Palo Alto
Networks) that promotes any Palo Alto products/services. Then
find a news article that criticizes (or had a negative opinion of)
Palo Alto Networks products and services. Whoever posts first
has an advantage, as you may not post an article that a peer has
already posted.
Note: Please do not just share the link to the article. Include
your summary, challenge/clarification questions, and critique of
the article and its contents.
Summary and Reminders
Summary:
• Introduced Palo Alto products and services
• Platforms and Architectures
• Initial Configuration
• Configuration Management
Reminders
• Palo Alto Lab #1 is due next week
• Discussion Forum posts/replies for week 2 (due before week 3)
• Next week we will be discussing
• Security policies, AppID, and NAT