2.3 Block Files and Viruses

Hamid Talebi; Xavier Cawley

Chapter 2. Security Tuneup

2.3 Block Files and Viruses

Learning Objectives

Block specific file types
Explore and “apply” advanced firewall features

Prerequisites:

SNAT for the Internet
Security policy for Inside to Outside
Interface configuration
Enable block pages
Knowledge of previous labs

Scenario: Here we will test out the file blocking, anti-malware, spyware, and spam features of Palo Alto. Sometimes we should block clients from downloading certain file types, and on top of that, implement some sort of antivirus and antispyware solution. We’ll also be “testing” wildfire. A feature that thwarts new exploits from happening.

Table 2.6: Addressing Table
Device	Configuration
PaloAlto-1	management: 192.168.0.1/24 Ethernet1/1: 10.0.0.1/24 Ethernet1/2: DHCP
Client (webterm)	eth0: 10.0.0.2/24 GW: 10.0.0.1 DNS: 8.8.8.8
Management (webterm)	eth0: 192.168.0.2/24

Table 2.7: Zone Configuration
Zone	Interface
Inside	Ethernet1/1
Outside	Ethernet1/2

Create an Antivirus Profile

Under Objects > Security Profiles > Antivirus. Click on default, then Clone.

Figure 2.42: Creating an Antivirus Profile

Click on OK for the next window.

Figure 2.43: Cloning the Antivirus profile

Select the new profile it clones (should be something like default-1).

Figure 2.44: Verify the Antivirus profile

Rename the profile, and tick the option for packet capture.

Figure 2.45: Enable Packet Captures under Antivirus Profile

Then press OK.

Create an Anti-Spyware Profile

Under Objects > Security Profiles > Anti-Spyware. Click Add.

Figure 2.46: Add an Anti-Spyware Profile

Under the signature policies tab, click Add, name it, then configure these:

Table 2.8: Anti-Spyware Configuration
Rule	Configuration
Medium	Action: Alert Severity: Medium, Low, Informational
HighAlert	Action: Drop Severity: Critical, High

Figure 2.47: Verify an Anti-Spyware Profile

Then press OK.

Create a File Blocking Profile

Under Objects > Security Profiles > File Blocking. Click Add.

Figure 2.48: Add File blocking Profile

Configure these settings using the add button on the new window that just spawned.

Table 2.9: File Blocking Configuration
Name	Properties
PDF	Applications: any File Types: pdf, encrypted-pdf Action: Block
EXE	Applications: any File Types: exe, com Action: Block

Figure 2.49: Configure the File blocking profile

Then click OK.

Create a WildFire Profile

Under Objects, Security Profiles > WildFire Analysis, click Add.

Figure 2.50: Add a WildFire Profile

Configure these settings using the add button on the new window that just spawned.

Table 2.10: WildFire Configuration
Name	Properties
Detect	Applications: any File Types: archive, jar, ms-office

Figure 2.51: Add a WildFire Profile

Then press OK.

Apply Security Profiles to a Security Policy

Under Polices > Security. Click the policy for inside to outside you created.

Under the Actions tab, in the Profile Setting subsection. Configure these:

Table 2.11: Security Policy Actions Configuration
Parameters	Value
Profile Type	Profiles
Antivirus	Select the one you created
Anti-Spyware	Select the one you created
File Blocking	Select the one you created
WildFire Analysis	Select the one you created

Figure 2.53: Assigning security profiles

Then click OK. Remember to commit your changes!

Test the Security Profiles

Since I do not have a licence, we cannot demonstrate all of these profile features, as you can see when you commit.

This is ok, we can still test out the file blocking features.

On the client, navigate to a website that hosts PDF files (I used panedufiles.com).

Try and open one of these. If it shows the file blocking screen, it means that the file blocking worked!

License

Icon for the Creative Commons Attribution 4.0 International License