Chapter 2. Security Tuneup
2.3 Block Files and Viruses
Learning Objectives
- Block specific file types
- Explore and “apply” advanced firewall features
Prerequisites:
- SNAT for the Internet
- Security policy for Inside to Outside
- Interface configuration
- Enable block pages
- Knowledge of previous labs
Scenario: Here we will test out the file blocking, anti-malware, anti-spyware, and spam features of Palo Alto. Sometimes we should block clients from downloading certain file types, and on top of that, implement some sort of antivirus and anti-spyware solution. We’ll also be “testing” WildFire, a feature that thwarts new exploits.
| Device | Configuration |
|---|---|
| PaloAlto-1 | management: 192.168.0.1/24; Ethernet1/1: 10.0.0.1/24; Ethernet1/2: DHCP |
| Client (webterm) | eth0: 10.0.0.2/24; GW: 10.0.0.1; DNS: 8.8.8.8 |
| Management (webterm) | eth0: 192.168.0.2/24 |
| Zone | Interface |
|---|---|
| Inside | Ethernet1/1 |
| Outside | Ethernet1/2 |
Create an Antivirus Profile
Under Objects > Security Profiles > Antivirus, click on default, then Clone.
Click on OK for the next window.
Select the new profile it clones (should be something like default-1).
Rename the profile, and tick the option for packet capture.
Then press OK.
Create an Anti-Spyware Profile
Under Objects > Security Profiles > Anti-Spyware, click Add.
Under the Signature Policies tab, click Add, name the profile, then configure these rules:
| Rule | Configuration |
|---|---|
| Medium | Action: Alert; Severity: Medium, Low, Informational |
| HighAlert | Action: Drop; Severity: Critical, High |
Then press OK.
Create a File Blocking Profile
Under Objects > Security Profiles > File Blocking, click Add.
Configure these rules using the Add button on the new window that just spawned.
| Name | Properties |
|---|---|
| | Applications: any; File Types: pdf, encrypted-pdf; Action: Block |
| EXE | Applications: any; File Types: exe, com; Action: Block |
Then click OK.
Create a WildFire Profile
Under Objects > Security Profiles > WildFire Analysis, click Add.
Configure this rule using the Add button on the new window that just spawned.
| Name | Properties |
|---|---|
| Detect | Applications: any; File Types: archive, jar, ms-office |
Then press OK.
Apply Security Profiles to a Security Policy
Under Policies > Security, click the Inside to Outside policy you created.
Under the Actions tab, in the Profile Setting subsection, configure these:
| Parameters | Value |
|---|---|
| Profile Type | Profiles |
| Antivirus | Select the one you created |
| Anti-Spyware | Select the one you created |
| File Blocking | Select the one you created |
| WildFire Analysis | Select the one you created |
Then click OK. Remember to commit your changes!
Test the Security Profiles
Since I do not have a licence, we cannot demonstrate all of these profile features, as you can see when you commit.
This is OK; we can still test out the file blocking feature.
On the client, navigate to a website that hosts PDF files (I used panedufiles.com).
Try to open one of these. If the file blocking screen appears, file blocking worked!
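To check the result of this step from the Client without relying on what the browser renders, here is an added Python script (not part of the lab) that downloads a URL and reports whether PaloAlto-1 returned its response page or the file itself. The magic-byte table, the `lab-check` user agent and the pass/fail wording are my own assumptions; the script can only tell whether the File Blocking rules fired, not what WildFire would have decided.

```python
import sys
import urllib.error
import urllib.request

# Magic bytes that start each file family the lab's profiles act on
# (constructed mapping; .com has no header, so it falls under 'unknown').
MAGIC = {
    b"%PDF-": "pdf",                   # pdf, encrypted-pdf   (File Blocking)
    b"MZ": "exe",                      # exe PE header        (File Blocking)
    b"PK\x03\x04": "archive",          # zip/jar/docx         (WildFire Analysis)
    b"\xd0\xcf\x11\xe0": "ms-office",  # legacy OLE doc/xls   (WildFire Analysis)
}
BLOCKED_BY_PROFILE = {"pdf", "exe"}    # what the lab's File Blocking rules block

def classify_body(body: bytes) -> str:
    """Name the file family of a response body, or 'block-page' when the
    firewall answered with HTML instead of the requested file."""
    head = body.lstrip()[:8]
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return "block-page" if head.startswith(b"<") else "unknown"

def verdict(label: str) -> str:
    """Turn a classification into a pass/fail line for the lab."""
    if label == "block-page":
        return "PASS: firewall served its response page instead of the file"
    if label in BLOCKED_BY_PROFILE:
        return f"FAIL: a {label} file reached the client unblocked"
    return f"INFO: {label} content received (not covered by the block rules)"

def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Fetch from the Client; a block page may come with an HTTP error
    status, so the body of an HTTPError is read as well."""
    req = urllib.request.Request(url, headers={"User-Agent": "lab-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.read(4096)

if __name__ == "__main__":
    # usage: python check_block.py http://<pdf-hosting-site>/<file>.pdf ...
    for url in sys.argv[1:]:
        label = classify_body(fetch(url))
        print(f"{url}: {label} -> {verdict(label)}")
```

Run it on the Client against a PDF and an EXE link; a PASS on both means the File Blocking profile is attached and working, while a FAIL points at the profile not being selected in the policy or the change not being committed.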