Chapter 2. Security Tuneup

2.3 Block Files and Viruses

Learning Objectives

  • Block specific file types
  • Explore and apply the firewall's security profiles (Antivirus, Anti-Spyware, WildFire Analysis)

Prerequisites:

  • SNAT for the Internet
  • Security policy for Inside to Outside
  • Interface configuration
  • Enable block pages
  • Knowledge of previous labs

Scenario: In this lab we configure and test the file blocking, antivirus, anti-spyware and WildFire features of the Palo Alto firewall. It is often necessary to stop clients from downloading certain file types, and on top of that to add antivirus and anti-spyware inspection to the traffic that is allowed. We will also set up WildFire Analysis, the cloud-based service that forwards unknown files for sandbox analysis so that new malware can be caught before a signature exists for it.

Main scenario
Figure 2.41: Main scenario

Table 2.6: Addressing Table

Device                 Configuration
PaloAlto-1             management: 192.168.0.1/24
                       Ethernet1/1: 10.0.0.1/24
                       Ethernet1/2: DHCP
Client (webterm)       eth0: 10.0.0.2/24, GW: 10.0.0.1, DNS: 8.8.8.8
Management (webterm)   eth0: 192.168.0.2/24

Table 2.7: Zone Configuration

Zone       Interface
Inside     Ethernet1/1
Outside    Ethernet1/2

Create an Antivirus Profile

Under Objects > Security Profiles > Antivirus. Click on default, then Clone.

Creating an Antivirus Profile
Figure 2.42: Creating an Antivirus Profile

Click on OK for the next window.

Cloning the Antivirus profile
Figure 2.43: Cloning the Antivirus profile

Select the cloned profile (it will be named something like default-1).

Verify the Antivirus profile
Figure 2.44: Verify the Antivirus profile

Rename the profile, and tick the option for packet capture.

Enable Packet Captures under Antivirus Profile
Figure 2.45: Enable Packet Captures under Antivirus Profile

Then press OK.

Create an Anti-Spyware Profile

Under Objects > Security Profiles > Anti-Spyware. Click Add.

Add an Anti-Spyware Profile
Figure 2.46: Add an Anti-Spyware Profile

Under the signature policies tab, click Add, name it, then configure these:

Table 2.8: Anti-Spyware Configuration

Rule        Configuration
Medium      Action: Alert
            Severity: Medium, Low, Informational
HighAlert   Action: Drop
            Severity: Critical, High
Verify an Anti-Spyware Profile
Figure 2.47: Verify an Anti-Spyware Profile

Then press OK.

Create a File Blocking Profile

Under Objects > Security Profiles > File Blocking. Click Add.

Add File blocking Profile
Figure 2.48: Add File blocking Profile

Configure the following rules using the Add button in the new profile window:

Table 2.9: File Blocking Configuration

Name   Properties
PDF    Applications: any
       File Types: pdf, encrypted-pdf
       Action: Block
EXE    Applications: any
       File Types: exe, com
       Action: Block
Configure the File blocking profile
Figure 2.49: Configure the File blocking profile

Then click OK.

Create a WildFire Profile

Under Objects > Security Profiles > WildFire Analysis. Click Add.

Add a WildFire Profile
Figure 2.50: Add a WildFire Profile

Configure the following rule using the Add button in the new profile window:

Table 2.10: WildFire Configuration

Name     Properties
Detect   Applications: any
         File Types: archive, jar, ms-office
Add a WildFire Profile
Figure 2.51: Add a WildFire Profile

Then press OK.

Apply Security Profiles to a Security Policy

Under Policies > Security. Click the Inside-to-Outside policy you created in the earlier lab.

Add a Security Policy
Figure 2.52: Add a Security Policy

Under the Actions tab, in the Profile Setting subsection, configure these:

Table 2.11: Security Policy Actions Configuration

Parameter           Value
Profile Type        Profiles
Antivirus           the profile you created
Anti-Spyware        the profile you created
File Blocking       the profile you created
WildFire Analysis   the profile you created
Assigning security profiles
Figure 2.53: Assigning security profiles

Then click OK. Remember to commit your changes!
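The same objects can be created without the web UI through the PAN-OS XML API, which is how you would script this for many firewalls. The block below is an added example, not part of the lab text or of Palo Alto's own tooling: it builds the file-blocking profile from Table 2.9 and the profile assignment from Table 2.11 as XML elements and sends them with type=config&action=set. The vsys1 xpath prefix, the element layout, the profile names (Lab-AV, Lab-AS, Lab-FileBlock, Lab-WF) and the rule name Inside-to-Outside are assumptions; check the element layout against the schema of your PAN-OS version and obtain an API key separately (type=keygen or Device > Setup). A commit is still needed afterwards.

```python
"""Create lab security profiles via the PAN-OS XML API (added example)."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumption: a standalone single-vsys firewall, so objects live under vsys1.
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']")


def profile_xpath(profile_type: str, name: str) -> str:
    """xpath of a security profile object; profile_type is one of
    'virus', 'spyware', 'file-blocking' or 'wildfire-analysis'."""
    return f"{VSYS_XPATH}/profiles/{profile_type}/entry[@name='{name}']"


def rule_xpath(rule_name: str) -> str:
    """xpath of a security policy rule in the vsys rulebase."""
    return f"{VSYS_XPATH}/rulebase/security/rules/entry[@name='{rule_name}']"


def _members(parent, tag, values):
    """Append <tag><member>v</member>...</tag> under parent (PAN-OS list form)."""
    node = ET.SubElement(parent, tag)
    for value in values:
        ET.SubElement(node, "member").text = value
    return node


def file_blocking_rules_xml(rules) -> str:
    """Element body for a file-blocking profile (Table 2.9).
    rules: iterable of (rule_name, applications, file_types, action)."""
    root = ET.Element("rules")
    for rule_name, apps, file_types, action in rules:
        entry = ET.SubElement(root, "entry", name=rule_name)
        _members(entry, "application", apps)
        _members(entry, "file-type", file_types)
        ET.SubElement(entry, "direction").text = "both"   # upload and download
        ET.SubElement(entry, "action").text = action      # alert | block | continue
    return ET.tostring(root, encoding="unicode")


def policy_profiles_xml(virus, spyware, file_blocking, wildfire) -> str:
    """Element body attaching the four profiles to a rule's Actions tab (Table 2.11)."""
    root = ET.Element("profile-setting")
    profiles = ET.SubElement(root, "profiles")
    for tag, name in (("virus", virus), ("spyware", spyware),
                      ("file-blocking", file_blocking),
                      ("wildfire-analysis", wildfire)):
        _members(profiles, tag, [name])
    return ET.tostring(root, encoding="unicode")


def api_set(host: str, api_key: str, xpath: str, element: str,
            verify_tls: bool = True) -> str:
    """type=config&action=set on the XML API; returns the raw response body.
    A fresh firewall's management certificate is self-signed, so pass
    verify_tls=False in the lab (never in production)."""
    query = urllib.parse.urlencode({"type": "config", "action": "set",
                                    "xpath": xpath, "element": element,
                                    "key": api_key})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{host}/api/?{query}",
                                context=ctx, timeout=15) as resp:
        return resp.read().decode()


# Table 2.9 as data: (rule name, applications, file types, action).
LAB_FILE_BLOCKING = [
    ("PDF", ["any"], ["pdf", "encrypted-pdf"], "block"),
    ("EXE", ["any"], ["exe", "com"], "block"),
]

if __name__ == "__main__":
    import sys
    host, key = sys.argv[1], sys.argv[2]          # e.g. 192.168.0.1 <api-key>
    print(api_set(host, key, profile_xpath("file-blocking", "Lab-FileBlock"),
                  file_blocking_rules_xml(LAB_FILE_BLOCKING), verify_tls=False))
    print(api_set(host, key, rule_xpath("Inside-to-Outside"),
                  policy_profiles_xml("Lab-AV", "Lab-AS", "Lab-FileBlock", "Lab-WF"),
                  verify_tls=False))
    # Still required afterwards: type=commit&cmd=<commit></commit>
```

Building the elements with ElementTree rather than string formatting keeps rule and profile names correctly escaped, which matters when you later loop over names that come from a spreadsheet or ticket.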

Test the Security Profiles

The lab firewall has no Threat Prevention or WildFire licence, so the antivirus, anti-spyware and WildFire profiles cannot be fully demonstrated; the commit reports warnings to that effect.

Commit the configuration
Figure 2.54: Commit the configuration

This is fine: file blocking does not depend on a licence, so we can still test it.

On the client, browse to a website that hosts PDF files over plain HTTP (I used panedufiles.com). The firewall can only identify the file type if it can see the payload, so an HTTPS site will not trigger the block unless SSL decryption has been configured.

Verify the configuration
Figure 2.55: Verify the configuration

Try to open one of the PDFs. If the browser shows the firewall's File Transfer Blocked page instead of the document, file blocking is working. You can confirm it from the firewall side under Monitor > Logs > Data Filtering, where file-blocking events are recorded.

File Transfer Blocked
Figure 2.56: File Transfer Blocked
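Clicking through a browser is fine once, but a small script makes the check repeatable after every policy change. The block below is an added example, not part of the lab text: it fetches URLs from the client, tells a real PDF or EXE (by magic bytes) apart from the firewall's substituted response page, and reports pass/fail against what you expect for each URL. The phrase it looks for on the block page is taken from the caption of Figure 2.56 and is an assumption; adjust it if your block page is customised. The sample bodies at the bottom are constructed so the classifier can be run without a firewall.

```python
"""Verify file blocking from the client side (added example)."""
import urllib.error
import urllib.request

# Magic bytes of the two file types Table 2.9 blocks.
FILE_MAGIC = {"pdf": b"%PDF-", "exe": b"MZ"}
# Assumption: the firewall's file-blocking response page contains this phrase
# (caption of Figure 2.56); change it if the block page has been customised.
BLOCK_MARKERS = (b"File Transfer Blocked",)


def classify_download(body: bytes, content_type: str = "") -> str:
    """Return 'pdf'/'exe' if the real file arrived, 'blocked' if the firewall
    substituted its response page, 'other' for anything else. Magic bytes are
    checked first so a block page is never mistaken for a file, and the
    Content-Type header is deliberately ignored because the firewall may
    leave it untouched while replacing the body."""
    head = body[:4096]
    for kind, magic in FILE_MAGIC.items():
        if head.lstrip().startswith(magic):
            return kind
    lowered = head.lower()
    if any(marker.lower() in lowered for marker in BLOCK_MARKERS):
        return "blocked"
    return "other"


def fetch(url: str, timeout: float = 15) -> tuple[bytes, str]:
    """GET url and return (body, content-type). The body is kept even on a
    4xx/5xx status because a block page may be served with one. Only plain
    HTTP is inspected by the firewall unless SSL decryption is enabled."""
    req = urllib.request.Request(url, headers={"User-Agent": "lab-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read(), resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.read(), err.headers.get("Content-Type", "")


def check_urls(expectations: dict[str, str]) -> dict[str, bool]:
    """expectations maps url -> expected classification; returns url -> passed."""
    return {url: classify_download(*fetch(url)) == want
            for url, want in expectations.items()}


# Constructed samples (not captured from a firewall) for offline testing.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_BLOCK_PAGE = (b"<html><head><title>File Transfer Blocked</title></head>"
                     b"<body>The file you requested was blocked.</body></html>")
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    import sys
    # Usage: python check_block.py http://host/doc.pdf=blocked http://host/index.html=other
    results = check_urls(dict(arg.rsplit("=", 1) for arg in sys.argv[1:]))
    for url, ok in results.items():
        print("PASS" if ok else "FAIL", url)
    sys.exit(0 if all(results.values()) else 1)
```

Run it from the Client (webterm) host, since that is the traffic the Inside-to-Outside policy inspects; running it from the Management host would bypass the rule entirely.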

License

Icon for the Creative Commons Attribution 4.0 International License

Palo Alto Firewall Copyright © 2023 by Hamid Talebi, Xavier Cawley is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.