
PALO ALTO NETWORKS EDU 210

Lab 11: Blocking Threats with User-ID

Document Version: 2022-07-18

Copyright © 2022 Network Development Group, Inc.


www.netdevgroup.com

NETLAB+ is a registered trademark of Network Development Group, Inc.

Palo Alto Networks and the Palo Alto Networks logo are trademarks or registered trademarks of Palo Alto Networks, Inc.
Lab 11: Blocking Threats with User-ID

Contents
Introduction ..... 3
Objective ..... 3
Lab Topology ..... 4
Theoretical Lab Topology ..... 4
Lab Settings ..... 5
1 Blocking Threats with User-ID ..... 6
1.1 Apply a Baseline Configuration to the Firewall ..... 6
1.2 Examine Firewall Configuration ..... 10
1.3 Generate Traffic from the Acquisition Zone ..... 13
1.4 Enable User-ID on the Acquisition Zone ..... 16
1.5 Modify the Allow-All-Acquisition Rule ..... 17
1.6 Create Marketing Apps Rule ..... 18
1.7 Create Deny Rule ..... 21
1.8 Generate Traffic from the Acquisition Zone ..... 24
1.9 Examine User-ID Logs ..... 26
1.10 Examine Firewall Traffic Log ..... 28

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 2



Introduction

Your organization recently acquired another company, and you have been tasked to create appropriate
security policy rules for traffic generated by these new users.

Your firewall has been configured with a vWire that allows traffic to the internet from the users in the
newly acquired company. The firewall also has a new security zone in place called Acquisition that
contains all new users.

The firewall has an existing security policy rule that allows all users in the Acquisition zone to access
any application on the internet. Your task is to restrict users in this new organization to approved
corporate applications only.

The approved corporate applications include DNS, web-browsing, and SSL.

You also need to ensure that only users in the marketing group are allowed to use social media
applications such as Facebook, Instagram, and others.

Another firewall administrator has created the appropriate Application Groups for you.

The firewall receives User-ID and Group membership information about users in this new company
from an XML upload sent by network authentication devices. (Note that this is simulated in this lab and
outside the scope of this course.)

In this lab, you will create a security policy rule that explicitly denies any other traffic generated by
users in the Acquisition zone. Although the interzone-default rule will deny any traffic not expressly
allowed, the creation of an explicit deny rule will allow you to examine the kinds of applications users
in the Acquisition zone are attempting to access.

Objective

In this lab, you will perform the following tasks:

• Examine current configuration
• Enable User-ID technology on the Acquisition zone
• Generate traffic
• Modify security policy to meet requirements


Lab Topology

Theoretical Lab Topology


Lab Settings

The information in the table below will be needed to complete the lab. The task sections below
provide details on the use of this information.

Virtual Machine   IP Address      Account (if needed)   Password (if needed)
Client            192.168.1.20    lab-user              Pal0Alt0!
DMZ               192.168.50.10   root                  Pal0Alt0!
Firewall          192.168.1.254   admin                 Pal0Alt0!
VRouter           192.168.1.10    root                  Pal0Alt0!


1 Blocking Threats with User-ID

1.1 Apply a Baseline Configuration to the Firewall

In this section, you will load the Firewall configuration file.

1. Click on the Client tab to access the Client PC.

2. Double-click the Chromium Web Browser icon located on the desktop.

3. In the Chromium web browser, click on the EDU-210 bookmark folder in the bookmarks bar and
then click on Firewall-A.

4. You will see a "Your connection is not private" message. Next, click on the ADVANCED link.

If you experience the “Unable to connect” or “502 Bad Gateway” message while attempting to connect to the specified IP above, please wait an additional 1-3 minutes for the Firewall to fully initialize. Refresh the page to continue.


5. Click on Proceed to 192.168.1.254 (unsafe).

6. Log in to the firewall web interface as username admin, password Pal0Alt0!.


7. In the web interface, navigate to Device > Setup > Operations and click on Load named
configuration snapshot underneath the Configuration Management section.

8. In the Load Named Configuration window, select edu-210-lab-11.xml from the Name dropdown
box and click OK.

9. In the Loading Configuration window, a message will show Configuration is being loaded. Please
check the Task Manager for its status. You should reload the page when the task is completed. Click
Close to continue.

10. Click the Tasks icon located at the bottom-right of the web interface.


11. In the Task Manager – All Tasks window, verify the Load type has successfully completed. Click
Close.

12. Click the Commit link located at the top-right of the web interface.

13. In the Commit window, click Commit to proceed with committing the changes.


14. When the Commit operation successfully completes, click Close to continue.

The commit process takes changes made to the Firewall and copies
them to the running configuration, which will activate all configuration
changes since the last commit.

15. Leave the Palo Alto Networks Firewall open and continue to the next task.

1.2 Examine Firewall Configuration

In this section, you will review the settings that another administrator has configured for Application
Groups and Security policy rules.

1. Select Policies > Security. Click the Allow-All-Acquisition policy.


2. In the Security Policy Rule, select the Source tab. Note that the Source Zone is set to Acquisition.

3. Select the Destination tab. Note that the Destination Zone is set to any.

4. Select the Application tab. Note that the Application is set to Any.

5. Select the Actions tab. Note that the Action is set to Allow. Click OK.

This Security policy rule allows any host in the Acquisition security zone
to access any application anywhere.


6. Clear the counters for all Security policy rules by clicking Reset Rule Hit Counter > All rules at the
bottom of the window.

7. In the Reset window, click Yes.

8. Select Objects > Application Groups and note the two new Application Groups.

You will configure the firewall to allow all users in the Acquisition zone
to use the Allowed-Corp-Apps. However, only users in the Marketing
group will be able to use applications in the Allowed-Mktg-Apps group.


9. Minimize the Palo Alto Networks Firewall and continue to the next task.

1.3 Generate Traffic from the Acquisition Zone

In this section, you will generate traffic from the Acquisition zone using a script on the Extranet server and then examine which Security policy rule that traffic matches in the firewall’s traffic log.

1. On the client desktop, open the Remmina application.

2. Double-click the entry for Server-Extranet.

3. In the CLI connection, enter the following command.

paloalto42@extranet1:~$ cd /home/paloalto42/pcaps92019/app.pcaps <Enter>


4. In the CLI connection, enter the following command.

paloalto42@extranet1:~/pcaps92019/app.pcaps$ ./Appgenerator-2.sh <Enter>

5. Verify the Appgenerator-2 script is running.

Allow the Appgenerator-2 script to complete before continuing to the next step.

6. Reopen the PA-VM firewall web interface by clicking on the Chromium icon in the taskbar.


7. Select Monitor > Logs > Traffic. Clear any filters in place. Note that almost all traffic is hitting the
Allow-All-Acquisition Rule. Please allow the firewall 3 to 6 minutes for the traffic logs to update.

Some columns have been hidden to show what is presented in the above screenshot. You may hide and show columns as needed for the duration of this lab.

8. Add the Source User column, if necessary, to the table by clicking the small triangle in any header
and choosing Columns > Source User.


9. Drag and drop the Source User column between the Receive Time and Source columns.

This action will make it easier for you to locate Source User information
later in this lab.

10. Leave the Palo Alto Networks Firewall open and continue to the next task.

1.4 Enable User-ID on the Acquisition Zone

In this section, you will enable User-ID on the Acquisition security zone as part of the process of
enabling User-ID on a firewall.

1. Select Network > Zones. Click Acquisition to open the zone.


2. In the Zone window, select the Enable User Identification check box. Click OK.

3. Leave the Palo Alto Networks Firewall open and continue to the next task.

1.5 Modify the Allow-All-Acquisition Rule

In this section, you will now change the set of applications that Acquisition users are allowed to access
by modifying the existing Allow-All-Acquisition rule.

1. Select Policies > Security. Click Allow-All-Acquisition.


2. In the Security Policy Rule window, under the General tab, change the name of this rule to Allow-Corp-Apps. For Description, type Allows only approved apps for Acquisition users.

3. Select the Application tab, uncheck the option for Any. Click Add and enter the first few letters of
the Allowed-Corp-Apps to display the Application Groups available. Click OK.

4. Leave the Palo Alto Networks Firewall open and continue to the next task.

1.6 Create Marketing Apps Rule

In this section, you will create a new security policy rule to allow only Marketing users to access the
Allowed-Mktg-Applications.


1. Select Policies > Security. Click Add.

2. In the Security Policy Rule window, under the General tab, enter Allow-Mktg-Apps for the Name.
For Description, enter Allows only users of marketing group to access Mktg apps.

3. Select the Source tab, under Source Zone, click Add. Select Acquisition. Under the Source User
column, click Add and enter marketing.


4. Select the Destination tab. Use the dropdown list at the top to select any in the Destination Zone.

5. Select the Application tab and uncheck the option for Any. Click Add and enter the first few letters
of the Allowed-Mktg-Apps to display the Application Groups available. Select Allowed-Mktg-Apps.
On the right side of the Application window, place a check in the checkbox beside DEPENDS ON.
Click Add to Current Rule.

This action will select all the individual applications under the DEPENDS
ON column.

6. Notice the Applications have now been added to the Applications window.


7. Select the Actions tab and verify the Action is set to Allow. Click OK.

When you create a new Security policy rule, the default setting for
Action is Allow. However, it is always a good practice to verify this
setting before closing the window.

8. Leave the Palo Alto Networks Firewall open and continue to the next task.

1.7 Create Deny Rule

In this section, you will create a security policy rule that explicitly denies any application not already allowed for users in the Acquisition zone, so that attempts to reach non-approved applications are visible in the traffic log instead of being silently dropped by the interzone-default rule.

1. Select Policies > Security. Click Add.


2. In the Security Policy Rule window, under the General tab, enter Deny-All-Others for the Name. For Description, enter Denies non-approved applications for users in Acquisition zone.

3. Select the tab for Source, click Add, and select Acquisition.

Note that you do not need to specify any users or user groups under
the Source User column. Because the dropdown list is set to any, this
rule will deny traffic to any user, regardless of group membership.

4. Select the tab for Destination, use the dropdown list at the top to select any.


5. Select the tab for Application and verify that Any is checked.

6. Select the Actions tab and change the Action Setting to Deny. Click OK.

7. Verify that the Deny-All-Others rule appears at the bottom of the security policy.

If the “Deny-All-Others” rule does not appear at the bottom of the ruleset, use the Move Down button to place the rule just above the “intrazone-default” rule.

8. Click the Commit link located at the top-right of the web interface.


9. In the Commit window, click Commit to proceed with committing the changes.

10. When the Commit operation successfully completes, click Close to continue.

11. Minimize the Palo Alto Networks Firewall and continue to the next task.
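The three rules built in tasks 1.5 to 1.7 only work as intended when they are evaluated in the order shown and the source IP has a User-ID mapping. The following added example (not part of the NDG/Palo Alto lab) models that first-match evaluation over constructed sessions; the Application Group contents, user names, IP addresses and group membership are assumptions, since the lab names only the groups and rules.

```python
"""Added example (not from the NDG/Palo Alto lab): a first-match model of the
Acquisition-zone policy built in tasks 1.5 to 1.7, evaluated over constructed
sessions. Group contents, user names and IPs are assumptions; the lab names only
the groups and the rules."""
from dataclasses import dataclass

# Assumed Application Group contents (the lab states the approved corporate apps;
# the marketing apps are the two the traffic-log filters in task 1.10 look for).
APP_GROUPS = {
    "Allowed-Corp-Apps": {"dns", "web-browsing", "ssl"},
    "Allowed-Mktg-Apps": {"facebook-base", "instagram-base"},
}
# Constructed User-ID group membership and ip-user mapping
# (the kind of entries `show user ip-user-mapping all` lists).
USER_GROUPS = {"marketing": {"chicago\\bbart"}}
IP_USER_MAP = {"10.10.1.20": "chicago\\bbart", "10.10.1.21": "chicago\\jdoe"}


@dataclass
class Rule:
    name: str
    src_zone: str
    action: str
    src_user: str = "any"   # "any" or a User-ID group name
    apps: str = "any"       # "any" or an Application Group name

    def matches(self, zone, user, app):
        if self.src_zone != "any" and zone != self.src_zone:
            return False
        if self.src_user != "any":
            # A source with no User-ID mapping (user is None) never matches
            # a user-based rule, so it falls through to Deny-All-Others.
            if user is None or user not in USER_GROUPS.get(self.src_user, set()):
                return False
        if self.apps != "any" and app not in APP_GROUPS[self.apps]:
            return False
        return True


# Rule order as it should appear under Policies > Security after task 1.7.
# interzone-default is simplified here to a plain catch-all deny.
POLICY = [
    Rule("Allow-Corp-Apps", "Acquisition", "allow", apps="Allowed-Corp-Apps"),
    Rule("Allow-Mktg-Apps", "Acquisition", "allow",
         src_user="marketing", apps="Allowed-Mktg-Apps"),
    Rule("Deny-All-Others", "Acquisition", "deny"),
    Rule("interzone-default", "any", "deny"),
]
# Deny-All-Others placed above the marketing rule shadows it: marketing users
# lose their social-media apps, which is why task 1.7 checks the rule position.
MISORDERED = [POLICY[0], POLICY[2], POLICY[1], POLICY[3]]


def evaluate(policy, src_ip, zone, app):
    """Return (rule name, action) of the first rule matching the session."""
    user = IP_USER_MAP.get(src_ip)  # None when User-ID has no mapping
    for rule in policy:
        if rule.matches(zone, user, app):
            return rule.name, rule.action
    raise AssertionError("policy must end with a catch-all rule")
```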

1.8 Generate Traffic from the Acquisition Zone

In this section, you will generate traffic from the Acquisition zone using the Extranet-Server.

1. Open the Remmina application by clicking on the Server-Extranet tab in the taskbar if necessary.


2. Ensure you are still in the app.pcaps directory. In the CLI connection, enter the following command.

paloalto42@extranet1:~/pcaps92019/app.pcaps$ ./Appgenerator-2.sh

3. Verify the Appgenerator-2 script is running.

Allow the Appgenerator-2 script to complete before continuing to the next task.

4. Close the Server-Extranet connection by clicking the X icon.

5. Reopen the PA-VM firewall web interface by clicking on the Chromium icon in the taskbar.

6. Leave the Palo Alto Networks Firewall open and continue to the next task.


1.9 Examine User-ID Logs

You can see information about User-ID through the firewall CLI or in the web interface. In this section,
you will use both tools to examine User-ID entries.

1. Select Monitor > Logs > User-ID. The firewall should have numerous entries with username-to-IP-address mappings. If the User mappings are not showing, repeat Task 1.8.

2. Minimize the PA-VM firewall by clicking minimize in the upper-right of the web interface and
continue to the next task.

3. On the client desktop, in the taskbar, reopen the Remmina application.

4. Double-click the entry for Firewall-A.


5. If you get Connecting to ‘Firewall-A’… window, click OK.

The Firewall-A connection in Remmina has been pre-configured to provide login credentials to the firewall so that you do not have to log in each time. This is for convenience in the lab only.

6. In the firewall CLI, enter the following command to display entries for User-ID. Examine the User-ID
information.

admin@firewall-a> show user ip-user-mapping all <Enter>

7. Close the Firewall-A window by clicking the close icon.

8. Reopen the PA-VM firewall web interface by clicking on the Chromium icon in the taskbar and
continue to the next task.


1.10 Examine Firewall Traffic Log

Create and apply filters to view rules and users.

1. Select Monitor > Logs > Traffic. In the filter builder, type ( app eq youtube-base ). Click
Apply Filter.

2. Clear the filter, and in the filter builder, type ( app eq dns ). Click Apply Filter.

3. Clear the filter, and in the filter builder, type ( app eq facebook-base ). Click Apply Filter.


4. In the filter builder, type ( app eq facebook-base ) and ( action eq allow ). Click Apply Filter.

5. Clear the filter and in the filter builder, type ( app eq instagram-base ) and ( user.src eq 'chicago\bbart' ). Click Apply Filter.

6. The lab is now complete; you may end your reservation.
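The filters typed in this task combine ( field eq value ) clauses with and/or. The following added example (not part of the NDG/Palo Alto lab) parses that filter syntax and applies it to a handful of constructed traffic-log rows shaped like the Source User, Application, Action and Rule columns; the rows and their values are made up, not captured from the lab firewall.

```python
"""Added example (not from the NDG/Palo Alto lab): a small evaluator for the
traffic-log filter syntax used in task 1.10, run over constructed log rows.
Field names follow the filter builder (app, action, user.src, rule)."""
import re
import shlex

# Constructed rows resembling Monitor > Logs > Traffic after tasks 1.7 and 1.8.
LOG = [
    {"user.src": "chicago\\bbart", "src": "10.10.1.20", "app": "facebook-base",
     "action": "allow", "rule": "Allow-Mktg-Apps"},
    {"user.src": "chicago\\jdoe", "src": "10.10.1.21", "app": "facebook-base",
     "action": "deny", "rule": "Deny-All-Others"},
    {"user.src": "chicago\\bbart", "src": "10.10.1.20", "app": "instagram-base",
     "action": "allow", "rule": "Allow-Mktg-Apps"},
    {"user.src": None, "src": "10.10.1.99", "app": "dns",   # no User-ID mapping
     "action": "allow", "rule": "Allow-Corp-Apps"},
    {"user.src": "chicago\\jdoe", "src": "10.10.1.21", "app": "youtube-base",
     "action": "deny", "rule": "Deny-All-Others"},
]


def parse_filter(text):
    """Turn "( app eq x ) and ( user.src eq 'y' )" into [[(field, op, value), ...], ...]:
    the outer list is OR-ed, each inner list is AND-ed. Quoted values such as
    'chicago\\bbart' keep their backslash because shlex leaves single quotes literal."""
    tokens = shlex.split(re.sub(r"([()])", r" \1 ", text))
    or_groups = [[]]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "(":
            if len(tokens) < i + 5 or tokens[i + 4] != ")" or tokens[i + 2] not in ("eq", "neq"):
                raise ValueError(f"bad clause near token {i}: {tokens[i:i + 5]}")
            or_groups[-1].append((tokens[i + 1], tokens[i + 2], tokens[i + 3]))
            i += 5
        elif tok.lower() == "and":
            i += 1
        elif tok.lower() == "or":
            or_groups.append([])
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return or_groups


def apply_filter(text, rows):
    """Return the rows that satisfy the filter expression."""
    groups = parse_filter(text)

    def clause_ok(row, field, op, value):
        actual = row.get(field)
        return (actual == value) if op == "eq" else (actual != value)

    return [r for r in rows if any(all(clause_ok(r, *c) for c in g) for g in groups)]
```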
