Which Feature Can Be Configured to Block Sessions That the Firewall Cannot Decrypt?
1.Mục đích bài viết
This commodity volition guide how to configure the net access and block access to websites in the social network category by URL Filtering Contour.
2.Network diagram, configuration scenario, and execution steps.
2.one.Network Diagram
ii.2.Giải thích sơ đồ mạng
- As shown in the diagram, the Palo Alto firewall device will be connected to the internet at port 1 with a static IP of 192.168.1.202/24 and signal to the gateway as the address of the network provider 192.168.1.i/24.
- The inside of Palo Alto is the intranet layer with IP 192.168.x.1/24 set to port 2. On port ii, the DHCP server is configured to allocate IP for devices accessing it.
- Finally, a Laptop device is connected to port ii via a network cablevision and received the IP 192.168.10.201 issued from the DHCP server on port 2.
2.3.Configuration Scenario
- We will configure the user to access the internet and all websites except those in the social media category.
2.4.Execution steps
- Connect to the firewall device's admin website.
- Create zone
- Create Interface Mgmt Profile
- Configure the network port
- Create Virtual Router.
- Configure DHCP Server.
- Create URL Filtering Profile
- Create NAT Policy.
- Create Security Policy Rule
- Enable Interzone Logging.
- Enable Application Block Page.
- Configure Decryption.
- Consequence.
3.Configuration
three.ane.Connect to the firewall device's admin website.
- We will connect to the firewall admin page using a network cable connecting the computer to the MGMT port of the Palo Alto firewall.
- Open up your browser and access it via the link https://192.168.ane.1. The default Palo Alto firewall account and password is admin – admin.
3.two.Create Zone
- We volition create two zones, WAN and LAN.
- To create a WAN zone, go to Network > Zones > click Add together and enter the following data:
- Name : WAN
- Type : Layer 3
- Click OK.
- Similarly, click Add together once more to create LAN zone :
- Name : LAN
- Blazon : Layer three
- Click OK.
three.3.Create Interface Mgmt File
- The purpose of creating an Interface Mgmt contour is to open some essential services for any network port such as HTTPS, Ping …
- Here nosotros will create 1 Interface Mgmt Profile that allows HTTPS, Ping, SSH, Reponse Pages services for Ethernet LAN port 1/2 so that we can ping, admission the admin website on this port without connexion between laptop and MGMT port by cable.
- To create Interface Mgmt Profile become to Network > Interface Mgmt > click Add and enter the post-obit data :
- Proper name : ping-reponse-pages
- Administrative Management Services : select HTTPS, SSH.
- Network Services : select ping and reponse pages.
- Click OK.
3.4.Configure network port
- To confiure ethernet1/1 port go to Network > Interfaces > click on interface name.
- In tab Config we are going to configure with the following information :
- Interface type : select Layer 3
- Security Zone : select WAN
- In the IPv4 tab, configure the following parameters :
- Type : select Static
- Click Add together and enter ip address 192.168.1.202/24.
- Click OK.
- Like to ethernet1/1 port, to configure ethernet1/two port click on the port proper noun.
- On the config tab, configure the following parameters :
- Interface Type : Layer three
- Security Zone : LAN
- On the IPv4 tab, configure the following parameters :
- Blazon : Static
- Click Add and enter ip address 192.168.10.i/24
- Ở the Advanced tab configure as follow :
- At Other Info> Direction Profile select the ping-reponse-pages that we just created in the previous department.
3.five.Create Virtual Router
- To create Virtual Router go to Network > Virtual Router > Click Add.
- On the Router Settings tab configure the following parameters :
- Proper name : VR1
- In General console click Add and add ii interfaces ethernet1/1 and Ethernet1/2.
- On the Static Routes tab click Add and configure the following parameters :
- Proper noun : default-road
- Destination : 0.0.0.0/0
- Interface : ethernet1/1
- Next Hop : IP Address and enter ip 192.168.1.1 in the box.
- Click OK two time.
3.6.Cấu hình DHCP Server
- To configure DHCP Server go to Network> DHCP> click Add.
- On the Lease tab configure the post-obit parameters:
- Interface : select ethernet1/2
- Mode : enable
- On the IP Pools panel click Add and fill up in the IP range that will be allocated as 192.168.10.200-192.168.10.230.
- On the Options tab configure the following parameters :
- Gateway : 192.168.10.1
- Subnet Mask : 255.255.255.0
- Primary DNS : 8.8.8.8
- Secondary DNS : 8.8.four.4
- Click OK.
three.7.Create URL Filtering Profile
- To create URL Filtering Profile go to Objects > Security Profile > URL Filtering > Click Add and configure the following parameters:
- Name : block-web
- Pre-defined Categories : select social-networking.
Click Salve.
3.viii.Create NAT policy
- To create NAT Policy become to Policies > NAT > Click Add.
- On the General tab configure the post-obit parameters:
- Name : LAN_TO_WAN
- NAT Blazon : ipv4
- On the Original Packet tab configure the following parameters :
- Source Zone : LAN
- Destination Zone : WAN
- Destination Interface : ethernet ane/1
- On the Translated Packet > Source Address Translation tab configure the following parameters:
- Translation Blazon : Dynamic IP and Port
- Address Type : Interface Accost
- Interface : ethernet1/1
- IP Address : 192.168.1.202/24 (Note this ip address must exist selected from the drop-down list and not entered manually)
3.9.Create Security Policy Rule
- To create a policy that allows internet access become to Policies> Security> Click Add together.
- On the General tab configure the post-obit parameters :
- Proper name : Access_Internet
- Rule Type : universal (default)
- On the Source tab select LAN in Source Zone.
- On the Destination tab select WAN in Destinatoin Zone
- On the Application tab select Any.
- On the Service/URL Category tab select whatever.
- In the Action tab, configure the following:
- Action Setting : Permit
- Profile Type : Select Profile > select block-web at URL Filtering box.
- Log Setting : Log at Session End.
Click OK.
3.10.Enable Interzone Logging
- By default the interzone-default and intrazone-default Security policy are fix to Read-Simply.
- Policies> Security> click on the interzone-default name to open its configuration page.
- Switching to the Action tab we see that Log at Session Showtime and Log at Session End are unchecked and cannot exist edited.
- Click Cancel to exit.
- With the interzone-default policy dominion selected (grayed out), click Override. The Security Policy Dominion – predefine window appears.
- In the Activity tab check Log at Session End and click OK to save.
iii.11.Enable Application Block Page.
- The purpose of enabling Application Block Page is then that when you lot visit a blocked website, the browser volition brandish a notification page.
- To turn on Application Cake Page become to Device> Reponse Pages.
- Click the Disable button to the correct of Application Block Page.
- Cheque the box Enable Application Block Page and click OK.
three.12.Configure Decryption
- The purpose of decryption is and then that the Palo Alto firewall device tin can decrypt the traffic using the secure HTTPS protocol.
- To configure Decryption go to Device> Certificates Management> Certificates.
- Click Generate to create new certificate with the following parameters:
- Certificate Name : trusted-ca
- Mutual Name : 192.168.1.10 (IP Address of LAN port)
- Certificate Authority : bank check Certificate Authority.
- Click Generate to create.
- Click Generate to create 1 new certificate with the post-obit parameters:
- Common Proper name : untrusted-ca
- Common Name : untrusted
- Document Potency : check Certificate Authority.
- Nhấn Generate to create.
- Click on trusted-ca name to edit :
- Cheque on the Frontwards Trust Certificate box.
- Click OK.
- Similar to the above click on the untrusted-ca name to edit:
- Check on the Forward Untrust Certificate box.
- Click OK.
- Side by side bank check the trusted-ca document and click Consign Document to download the document to the reckoner.
- Next we volition create a Decryption policy, to create get to Policies > Decryption > Click Add together and configure with the post-obit parameters:
- Name : Test_Decryption
- Source : LAN
- Destination : WAN
- Service/URL Category : Any
- Options : Select Decrypt in Action and select SSL Forward Proxy in Type.
- Click OK.
- In the Windows search box, type mmc and press the Enter key to open the Microsoft Management Console.
- Choose Console Root> Click File> Click Add together / Remove Snap-in…
- The Add or Remove Snap-ins panel appears, check Certificate and click Add together.
- The Certificates snap-in console appears, select Reckoner account> Next> select Local computer> click Stop> Click OK.
- Go to Certificates (Local Estimator)> right click on Trusted Root Certification Authorities> select All Job <Import.
- The Certificate Import Sorcerer window appears, click Next> under File name, click Browse and navigate to where y'all saved the document at export.
- Click Side by side> Finish to complete the import.
3.thirteen.Consequence
- After completing the configuration using a network cable connect the computer to the ethernet1/2 port on the Palo Alto firewall.
- Launch the Command Line awarding and blazon ipconfig to check if the machine is receiving IP from the DHCP Server is configured on ethernet1/2 port or not.
- Open any spider web browser and go to a folio under the social network directory facebook to check, as a effect, we cannot admission.
- Go to other sites similar google or youtube.
- Open a new tab in your browser and enter the link https://192.168.ten.1 to access the Palo Alto firewall admin page.
Source: https://techbast.com/2020/07/palo-alto-network-guide-configured-to-block-access-to-web-sites-on-the-list-of-social-network-with-url-filtering-profile.html
0 Response to "Which Feature Can Be Configured to Block Sessions That the Firewall Cannot Decrypt?"
Post a Comment