PCNSE: Palo Alto Networks Certified Network Security Engineer

PCNSE: Palo Alto Networks Certified Network Security Engineer Certification Video Training Course

PCNSE: Palo Alto Networks Certified Network Security Engineer Certification Video Training Course includes 142 Lectures which provide in-depth knowledge on all key concepts of the exam. Pass your exam easily and learn everything you need with our PCNSE: Palo Alto Networks Certified Network Security Engineer Certification Training Video Course.

119 Students Enrolled
142 Lectures
00:51:06 hr


PCNSE: Palo Alto Networks Certified Network Security Engineer Certification Video Training Course Info:

The complete course from ExamCollection's industry-leading experts helps you prepare and provides a full 360 solution for self-prep, including the PCNSE: Palo Alto Networks Certified Network Security Engineer Certification Video Training Course, Practice Test Questions and Answers, Study Guide & Exam Dumps.

Security Policy Configuration

6. URL Filtering Rules and Options

In this lecture, we'll talk about how to use URL filtering in your security policy. Under Objects, you go to Security Profiles, URL Filtering, where there is a predefined default policy in place, and this default policy has some categories blocked and the rest allowed. So you see here the category and the action. We're going to go ahead and create a new policy here and specify that this is outbound URL filtering.

You see, the URLs are categorised by category, and there are quite a few categories here. Each category has an action that you can associate with it. Allow allows the traffic without even logging it. Alert would allow the traffic and log it. Block would send the block message to the user. Continue would ask the user, "Are you sure you want to continue?" and if they click the Continue button, they will proceed to the URL. Override would ask the user to provide a password, and this password is set up under Device, Setup, Content-ID. I'll delete the existing one here, and then we're going to specify a password. When the user hits an override category, they can provide the password, and that allows them to get through to that category.

It's important to understand the different actions that you can take. If you're going to use the power of the firewall as a monitoring tool for your users, you need to make sure that you choose the alert action. Of course, you're going to block categories that pose a security risk or categories that are not compliant with the acceptable use policy.

So let's go through the categories and specify the actions: abortion, alert; abused drugs, block; adult, block; alcohol and tobacco, alert; auctions, Continue ("Are you sure you want access?"). So if somebody goes to eBay, it's going to ask them, "Are you sure you want to access this website?" and they click Continue. Business and economy, alert, so we can have a log; computer and Internet info, alert; content delivery networks, alert; Continue; dynamic DNS, alert; educational institutions; entertainment and arts; financial services, alert; gambling, block; games, Continue; government, alert; hacking, block; health and medicine, alert; home and garden, alert. At the same time as I'm doing this, you're getting familiar with the categories. Hunting and fishing, alert; Internet communications; Internet portals; job search, for which we'll specify override, so we can test the override feature. Legal, alert; malware is blocked, of course, unless you're asking for malware; military, alert; motor vehicles, alert; music, alert; news, alert; not-resolved, alert; nudity, block.

Online storage and backup is up to your policy, right? You can choose Continue if your policy doesn't allow users to use online storage. Users using online storage and backup is not a good idea, because you want to control your data. Alert. Peer-to-peer, block; personal sites and blogs, alert; philosophy and politics; phishing, block; private IP addresses; proxy avoidance, block; questionable, Continue, because we're not sure you want to do this. Real estate, recreation, reference and research, religion. The key here is to set alert on all of the categories that you aren't blocking. This way, you can run reports on users. Sex education, maybe Continue; shareware and freeware, maybe override, if you don't want users to download any shareware unless they have the password. Shopping, alert; social networking, alert; society, alert; sports, alert; streaming media, alert; swimsuits, alert; training and tools, alert; translation, alert; travel, alert; unknown, alert; weapons, alert; web advertisements, we'll leave it. Web-based email: maybe you want to block web-based email because you don't want users to access an outside email, so we'll go ahead and choose Continue ("Are you sure you want to do that?"). Web hosting, alert.

Aside from that, you have a block list. You can manually add URLs to the block list, so I'm going to add www.cnn.com as a test. You can specify whether the action should be block, continue, or override. We're going to choose block. Then there is the allow list. This allows you to add URLs to a whitelist in your environment. It doesn't matter if they're blocked by any category; they're still going to be allowed.

Under settings, you can log the container page only, to prevent the system from logging any sub-URLs for that page. This can potentially save on logging data. To log all URLs that users access, you can uncheck this field. Be aware that this is going to generate lots of logs. You can enable safe search enforcement to prevent users from accessing unacceptable content using search. You can also do logging based on the user agent, referer, and X-Forwarded-For. So this is a good setting to have in place.

I'm going to go ahead and click OK on that, and then we're going to go back to our policy, where we currently have the trust rule and where we want to enforce the URL filtering policy. To enforce the URL filtering policy, you can either specify a service, which is port HTTP or HTTPS, or you can leave it open and specify the application web browsing. This way, any application that's categorised as web browsing will have the URL filtering applied to it. So we'll go ahead and create a rule above this general rule, and we're going to specify web browsing (we could also specify more, but let's do web browsing for now). Under service, we'll leave it as application default. Under Actions, we need to specify the URL policy. We're going to talk about grouping later on, but profiles allow you to pick the different security policies and content inspection that you want. So we're going to choose the URL filtering content inspection, log at session start, log at session end, and then click OK.

Reviewing this, we see this icon under Profile. It shows you the type of security profile that's applied to this traffic, and you can hover over it and see the name of the policy.

Let's go and see what the application web browsing means. We'll go to Objects, Applications, and web browsing. So this is the application web browsing, and it covers only TCP 80. We want to cover port 443 as well. So let's return to the policy and, on the URL filtering rule, add the application SSL. This way, we cover 443. Let's go back to Objects and look at SSL: SSL covers TCP 443. So we've covered those two protocols. The other way of doing it would be to specify the TCP services HTTP and HTTPS, and we'll try this as another option. When you specify the applications SSL and web browsing, with application default under service, the rule covers the default traffic that has been identified for those applications, which in our case is ports 80 and 443. We'll click OK, and then we'll go ahead and commit the changes.

We'll test it out. We'll return to Objects, look up the URL filtering, and see which categories are set to Continue. Auctions is a Continue category here, so we'll try to go to eBay. Let's open up a web browser. We tried to go to eBay, but it did not hit the rule. So let's take a look at the rules and see how URL filtering works. Looking at the policy, I set the security rule incorrectly. I moved this rule up one level because I had the trust rule that allows everything above it, so it was overriding it. This comes down to top-down processing, right? As soon as traffic hits a rule, the firewall does not continue processing, so it will not know that there is a rule below it.

So let me close the browser and try again. Okay, so this is the continue page: "Are you sure you want to do this? If you feel that this page has been incorrectly blocked, you may click Continue." And that will take you through to the website. Under Monitor, in the URL filtering log, we can see that the action here was continue and the application was web browsing, which allows you to track user activity.

Going back to here, we created an override, so I want to show you what the override looks like. Job search is an override category, so let's go to Dice.com. With override, it's going to ask you, "Are you sure you want to go there? If you are, please provide the override password." You type in the override password that you specified under Device, Setup, Content-ID settings, and you'll be able to get to that website. So this is a way of controlling your traffic based on category. You don't need WebSense or any other third-party URL filtering tool. It's all built into the Palo Alto firewall if you purchase the proper license.
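The top-down processing mistake from this lecture can be checked for mechanically. The sketch below is an added example, not code from the course or from PAN-OS: it models rules by zone and application only, and the rule, zone and profile names are assumptions chosen to mirror the lecture. It reports any rule that an earlier, broader rule makes unreachable.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: frozenset
    dst_zone: frozenset
    apps: frozenset
    action: str
    url_profile: Optional[str] = None


def _hits(field, value):
    """A rule field matches when it is 'any' or lists the value."""
    return "any" in field or value in field


def _covers(outer, inner):
    """True when everything `inner` can match is also matched by `outer`."""
    return "any" in outer or ("any" not in inner and inner <= outer)


def first_match(rules, src_zone, dst_zone, app):
    """Top-down evaluation: the first matching rule wins, processing stops."""
    for rule in rules:
        if (_hits(rule.src_zone, src_zone) and _hits(rule.dst_zone, dst_zone)
                and _hits(rule.apps, app)):
            return rule
    return None


def shadowed(rules):
    """List (rule, earlier_rule) pairs where the earlier rule matches all of
    the later rule's traffic, so the later rule can never be hit."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (_covers(earlier.src_zone, rule.src_zone)
                    and _covers(earlier.dst_zone, rule.dst_zone)
                    and _covers(earlier.apps, rule.apps)):
                findings.append((rule.name, earlier.name))
                break
    return findings


def fs(*values):
    return frozenset(values)


# Constructed rulebase; rule, zone and profile names are assumptions.
GENERAL = Rule("general-allow", fs("trust"), fs("untrust"), fs("any"), "allow")
URL_RULE = Rule("url-filtering", fs("trust"), fs("untrust"),
                fs("web-browsing", "ssl"), "allow", "outbound-url-filtering")

MISORDERED = [GENERAL, URL_RULE]   # the mistake made in the lecture
FIXED = [URL_RULE, GENERAL]        # specific rule moved above the general one

if __name__ == "__main__":
    for label, rulebase in (("misordered", MISORDERED), ("fixed", FIXED)):
        hit = first_match(rulebase, "trust", "untrust", "web-browsing")
        print(label, "-> hit:", hit.name, "| URL profile:", hit.url_profile,
              "| shadowed:", shadowed(rulebase))
```

In the misordered rulebase the browsing session is allowed by the general rule with no URL profile attached, which is why the Continue page never appeared until the rule was moved up.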

7. Custom URL Category

You can also create a custom URL category for your organisation to have better classification of the different sites that you're using. As an example, you can create a URL category for partner sites and then add URLs to it. This allows you to do things like track access to partner sites, or maybe restrict traffic based on user identification.

If we go back to URL filtering, to our outbound URL filtering policy, we see this category that we created, partner sites. You can specify alert, allow, block, continue, override, or none. We'll select alert, click OK, and apply the policy. So now if I go to www.cnn.com, well, I have this in the block list, so I'm going to do realtors.com instead. I'm able to access the site. However, this could be your overall category that you use for specifically allowing some users access and denying others, or for when you want to see it in your monitoring reports. If I go here to the URL filtering log and see Reuters.com, I can click on this to filter on the URL, and we see here the category is partner sites. This is useful if you want to report on traffic that goes to a specific category that is relevant to your organisation; it allows you to run reports or perhaps restrict access to specific users, and so on.

8. Using Address Objects

In this lecture, we'll talk about addresses and address groups. You can create address objects to use in your policy, and an address object can be based on an IP netmask, an IP range, or a fully qualified domain name. Fully qualified domain names allow you to base your policy on DNS names instead of IP addresses.

To get the fully qualified domain name to work correctly, you have to have a DNS server set up under Device, Setup, Services. You also have to configure the service route configuration: how is the firewall going to reach the DNS server, NTP server, and others? You can specify that all communications go through the management interface, or you can customise it so that DNS uses one interface, email uses another, and so on. Typically, we use the management interface. Here it's missing an NTP server, so we'll add an NTP server, click OK and commit, then go to Objects and back to Addresses. So to use a fully qualified domain name, you need to specify a DNS server in your setup under Services, and you also need to select the proper service route interface to use to reach the server.

So let's create an object here: test block, IP Netmask, 1260, well, we'll do 125-0024. Okay, so I created an address called test block.

Under Addresses, we also have address groups. You can group your addresses together by using address groups. In my case here, I'm creating a block addresses group to block specific IP addresses, and I'm going to select the addresses from my list. I selected test block, and this could be an address group that you build upon, increasing the number of addresses in it over time.

Under Policies, I will go ahead and benefit from that by adding this group to my policy. Since this is a block, I want to put it at the top. This way, I can guarantee that it will be blocked. The rule is blocked addresses: source trust, destination trust, then we'll choose the destination address, which is the address group block networks, then application any, service any, and the action is going to be drop. I'll move it up to the top, and let's see if we can ping an address there before I commit. Okay, this is pingable, so let's go and apply the policy. We'll ping again after the commit. Now I cannot ping it, so let's go to the log viewer and identify whether we have a policy hit here. I probably didn't select logging, so I need to go back to Policies and click on my rule. Under Actions, log at session start and log at session end are checked, and since this is a drop, I'm going to send ICMP Unreachable to the source. Let's return to Monitor and check for the blocked addresses in the log.

See, it's hitting the correct rule, and you're able to use addresses and address groups to build your policy.

9. Using Service Objects

In this lecture, we will talk about how to use services and service groups. Services and service groups allow you to include specific protocols and ports in your policy, kind of like a legacy firewall would. You have the services HTTP and HTTPS configured by default, and you can add services. For example, I'm going to add an RDP service and specify the destination port. If you want to make sure that the traffic comes in from a specific source port, you can specify the source port. So this is a service you created. Services are confined to TCP or UDP; if you have a UDP application you want to add as a service, you can add it here as well.

After you create the service, you can include your services in a service group. Click Add, give the group a name, such as "standard service," and then select from the service objects which services you want to include.

Now that you have created the services and service groups, you can go under Policies and use those service groups in a specific rule. For example, we used application and URL filtering. The application uses the characteristics of the application and the protocols that are specified in those characteristics, and we saw that with SSL and web browsing: web browsing uses TCP 80 and SSL uses TCP 443. Specifying application default for the service uses the default service ports and protocols, which are the protocols and ports that are specified in the application recognition. But if you want to be more specific and limit the rule to specific ports, you can choose them under Service. So instead of application default, we're going to choose Select, and then add the service group that we created, standard service. Now that rule is not depending on the application default. It's specifically restricted to the TCP protocols and ports specified in the service group. So go ahead and click Commit.

Then we'll just verify that traffic matches the rule that we have in place. Let's go to our website, then go to the log viewer, and we can see that it's still hitting the rule. Under the log viewer, there are a lot of columns that you can have. The default columns are sufficient, but if you want to add columns, you click on this arrow here, then Columns, and then specify the columns that you want to add. For example, if you add Session ID, you see the column pop up here, and I see the session ID. So this lecture showed you how to create service objects and service group objects.

10. Using Dynamic Block Lists

In this lecture, we'll talk about how to use a dynamic block list to streamline blocking IP addresses by pointing the firewall at a URL that has the IP addresses you want to block. Basically, the firewall checks this list at a set frequency, and the list is dynamically added to the rule. The firewall automatically downloads the list and blocks the IP addresses.

To do this, you click Add, specify a name, and then specify the URL that you want to point the firewall to in order to download the dynamic list. Then you can specify that the firewall checks every hour, at the beginning of the hour, or you can have it check daily, weekly, or monthly. We're going to do hourly and click OK.

Now that you've created this dynamic block list, you can go to Policies and add it to your rule. We'll add a rule at the top: dynamic block list, source trust, destination untrust, destination address the dynamic block list, and action drop. This is a pretty powerful tool: you just modify a text file on your web server, and at the beginning of the next hour the firewall checks the list and dynamically blocks those IP addresses.

One important step you have to keep in mind is that you have to point the firewall in the right direction to get to that URL. In the service route configuration, we specified to use the management interface for all. I'm going to customise this because I can't get to the server from the management interface. I would point HTTP somewhere else, but there is no HTTP here, so I'm going to specify my destination. In this case, my destination is the server, and my source interface will be a tunnel interface that I have, which has access to this server. When you specify use default, that's going to use the management interface, so that basically keeps everything else going through the management interface.

Now that we've created this, we're going to go ahead and commit, and then check. I created this on the IIS server, and I have this dynamic list. I'm going to add another IP address here and save, and then I'm going to go to the firewall, click on the dynamic block list, and import. Now we can go to the CLI and check: we can issue the command request system external-list show name followed by the list name (dynamic block), and we see here that the IP addresses were pulled from the web server. We'll go to the machine and try to ping one of those IP addresses. This IP address is in the list. We'll go to Policies, click on the rule and select Log Viewer, and we'll see that it's blocked, based on the dynamic list. So this is a powerful feature that you can use to automatically add IP addresses to a dynamic block list.
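Because the firewall drops whatever addresses appear in that text file at the next hourly check, it is worth vetting the file before it is saved on the web server. The checker below is an added example, not part of the course or of PAN-OS. It assumes the file holds one IP address or CIDR network per line with optional `#` comments; the sample list, the protected network and the /16 breadth limit are constructed for illustration.

```python
import ipaddress

MIN_PREFIX = 16  # assumption: entries broader than /16 need human review


def vet_blocklist(text, protected):
    """Split a block list file into entries safe to publish and entries to
    reject. `protected` lists networks that must never be blocked."""
    guard = [ipaddress.ip_network(p) for p in protected]
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry, "not an IP address or CIDR"))
            continue
        if net in seen:
            rejected.append((lineno, entry, "duplicate"))
        elif net.prefixlen < MIN_PREFIX:
            rejected.append((lineno, entry, "too broad"))
        elif any(g.version == net.version and net.overlaps(g) for g in guard):
            rejected.append((lineno, entry, "overlaps protected network"))
        else:
            accepted.append(str(net))
        seen.add(net)
    return accepted, rejected


# Constructed sample file contents (documentation address ranges).
SAMPLE = """\
# dynamic block list, constructed sample
198.51.100.7
203.0.113.0/24
203.0.113.300
0.0.0.0/0
10.1.1.10        # would block an internal server
198.51.100.7
"""

# Constructed example of a network the list must never cover.
PROTECTED = ["10.1.1.0/24"]

if __name__ == "__main__":
    ok, bad = vet_blocklist(SAMPLE, PROTECTED)
    print("publish:", ok)
    for lineno, entry, reason in bad:
        print(f"line {lineno}: {entry!r} rejected ({reason})")
```

Only the accepted entries should be written to the file the firewall fetches; a single over-broad or mistyped line would otherwise turn into a drop rule for legitimate traffic within the hour.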


Comments
* The most recent comments are at the top
  • Varadaraj
  • India
  • Aug 06, 2019

Good learning videos

  • vika
  • India
  • Feb 15, 2019

I am an engineer and learned too much from the provided video course as compared with the class notes. Thank you, guys!

  • Waylon
  • United States
  • Feb 15, 2019

The videos and notes contain all the topics that are included in the exam course. So don’t waste your time anymore and get the lecture with you.

  • Makenzie
  • Ireland
  • Feb 09, 2019

The lectures are explained precisely and all the info is up to the topic. If you are still in doubt about which material to get, choose this one. You’ll pass the exam if you study well.

  • Esther
  • Mexico
  • Jan 26, 2019

I have been looking for the types of material, but could not find such. You can work great as the lectures provided by you are descriptive. I am an engineer so it did not take me too much time to understand the issues.

  • Hayden
  • Canada
  • Jan 15, 2019

I am very impressed with the accuracy and the deliverability of the lecture notes. I purchased this course for more thorough preparation but I really worried about the quality of the material. Still, BRAVO! You helped me solve my issues!

