Chapter 2. Security Tuneup

2.2 Deal with Bad Actors

Learning Objectives

  • Restrict certain websites
  • Deal with DoS floods

Prerequisites:

  • SNAT for the Internet
  • Security policy for Inside to Outside
  • Interface configuration
  • Knowledge of previous labs

Scenario: In this lab, we will learn how to block a specific website and how to prevent script kiddies from succeeding with the infinite ping tool they downloaded from the sketchiest site you’ve ever seen. Kali acts as the attacker machine, and we are going to attack the firewall through port Ethernet1/2. Then, we’ll enable DoS Prevention in the firewall to prevent such attacks.

Figure 2.6: Main scenario

Table 2.3: Addressing Table

Device                Configuration
PaloAlto-1            management: 192.168.0.1/24
                      Ethernet1/1: 10.0.0.1/24
                      Ethernet1/2: DHCP
Client (webterm)      eth0: 10.0.0.2/24, GW: 10.0.0.1, DNS: 8.8.8.8
Management (webterm)  eth0: 192.168.0.2/24
KaliLinux2019-3-1     eth0: DHCP

Table 2.4: Zone Configuration

Zone      Interfaces
Inside    Ethernet1/1
Outside   Ethernet1/2

Create a URL Category

Under Objects > Custom Objects > URL Category, click Add. Click Cancel on the pop-up.

Figure 2.7: Create a Custom URL Category

A category can hold any number of sites, but here we will use just one. Give it a name, then click Add.

Figure 2.8: Add a CustomURL Category

Enter the websites you would like to block. Here I have added a sample website (www.thegreattechadventure.com); you can also use wildcards if you want.

After you’re done, click OK.

Block a Website

Under Policies > Security, click Add:

Figure 2.9: Add a security policy

Under the source tab, add the Inside zone under the source zone:

Figure 2.10: Add a Source Zone

Under the destination tab, add the Outside zone under the destination zone:

Figure 2.11: Add a Destination Zone

Under the Service/URL Category tab, add the URL category you created in the previous step.

Figure 2.12: Assign URL Category

Under the Actions tab, set the action to Deny.

Figure 2.13: Set an Action to Deny

Then click OK.
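The following is an added example (illustrative Python, not PAN-OS code and not part of the original lab) showing how the custom URL category and the deny rule above combine with the Inside-to-Outside allow rule listed under Prerequisites. The matching rules for category entries are assumptions made for the example: a plain hostname matches that host exactly, and an entry beginning with "*." matches any subdomain. The rulebase is evaluated top-down with first match winning, and interzone traffic that matches no rule is denied. The wildcard entry on the reserved example-blocked.test domain and the rule names are constructed for the example.

```python
"""Added example: custom URL category plus deny rule, evaluated top-down."""
from urllib.parse import urlsplit

# Constructed custom URL category: the sample site from the lab text plus an
# assumed wildcard entry (matching rule: "*." matches any subdomain).
URL_CATEGORIES = {
    "Blocked-Sites": [
        "www.thegreattechadventure.com",
        "*.example-blocked.test",
    ],
}

# Constructed rulebase: the deny rule created in this section sits ABOVE the
# general Inside-to-Outside allow rule from the Prerequisites.
RULES = [
    {"name": "Block-Sites", "from": "Inside", "to": "Outside",
     "url_category": "Blocked-Sites", "action": "deny"},
    {"name": "Inside-to-Outside", "from": "Inside", "to": "Outside",
     "url_category": None, "action": "allow"},
]


def hostname_of(url):
    """Extract the lowercase hostname; bare 'host/path' strings get a scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def entry_matches(host, entry):
    """Apply the assumed matching rules for one category entry."""
    entry = entry.lower()
    if entry.startswith("*."):
        suffix = entry[1:]                       # "*.x.test" -> ".x.test"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def in_category(host, category_name):
    return any(entry_matches(host, e) for e in URL_CATEGORIES[category_name])


def evaluate_policy(src_zone, dst_zone, url, rules=RULES):
    """Return (rule name, action) of the first matching rule, or (None, 'deny')."""
    host = hostname_of(url)
    for rule in rules:
        if rule["from"] != src_zone or rule["to"] != dst_zone:
            continue
        if rule["url_category"] and not in_category(host, rule["url_category"]):
            continue
        return rule["name"], rule["action"]
    return None, "deny"   # implicit interzone default: deny


if __name__ == "__main__":
    for url in ("http://www.thegreattechadventure.com/",
                "https://blog.example-blocked.test/post",
                "https://www.wikipedia.org/"):
        print(url, "->", evaluate_policy("Inside", "Outside", url))
    # Rule order matters: with the allow rule above the deny rule the block never fires.
    print("reversed order:", evaluate_policy(
        "Inside", "Outside", "http://www.thegreattechadventure.com/",
        rules=list(reversed(RULES))))
```

The reversed-order call at the end is the check worth remembering: the deny rule only works if it is ordered above the broader Inside-to-Outside allow rule, so after clicking OK confirm where the new rule landed in the rulebase.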

Enable Block Pages

Under Device > Response Pages, click on Disabled beside Application Block Page.

Figure 2.14: Enabling Application Block Page

Tick the Enable checkbox, then press OK.

Figure 2.15: Enabling Application Block Page

Make sure to commit your changes!

Test the Blocked URL

Open up Firefox on the Client machine, and try to connect to the URL you blocked. If all is right, you should see a blocked page.

Figure 2.16: Application Block Page

If you see this page, that is alright too!

Figure 2.17: Application Block Page

Set Up Kali to Be a Bad Actor

After booting into the live graphical environment and confirming that you have an internet connection, open up the terminal.

Figure 2.18: Open up Terminal in Kali

We will be using Pentmenu by GinjaChris to demonstrate a flood. Run these commands to download and run the application (the leading # is the root shell prompt, not part of the command):

# git clone https://github.com/GinjaChris/pentmenu
# cd pentmenu
# chmod +x pentmenu
# ./pentmenu
Figure 2.19: PentMenu app

Select option 2 for DoS attack.

Figure 2.20: PentMenu app – Select DoS (2)

Select option 1 for ICMP Echo Flood.

Figure 2.21: PentMenu app – Select ICMP Echo Flood(1)

For the IP, use the IP of the interface in the outside zone. It should be in the 192.168.122.0/24 range.

Figure 2.22: PentMenu app – Enter Target IP address

Select r for a random IP address.

Figure 2.23: PentMenu app – Enter r for random IP address

After about 2 seconds, press Ctrl+C.

Analyze the ICMP Flood

Back on the Management machine, go to Monitor > Session Browser.

Figure 2.24: Verify session logs

As you can see, there are many entries here for ping. We want to prevent floods like these.

Create a DoS Protection Profile

Under Objects > Security Profiles > DoS Protection, click Add.

Figure 2.25: Create a DoS Protection

Set the Type to Classified. Under Flood Protection, tick the checkbox on each of the SYN Flood, UDP Flood, and ICMP Flood tabs.

Figure 2.26: SYN Flood Protection

After that, click OK.

Apply the DoS Protection Profile

Under Policies > DoS Protection, click Add.

Figure 2.27: Add a DoS Protection Rule

Under the Source tab, add the Outside zone.

Figure 2.28: Add the Source Zone

Under the Destination tab, add the Inside zone.

Figure 2.29: Add the Destination Zone

Under the Option/Protection tab, configure these settings:

Table 2.5: DoS Rule Protection Configuration

Parameter       Value
Action          Protect
Schedule        None
Log Forwarding  None
Aggregate       None
Classified      Tick this box
Profile         The name of the profile you created
Address         source-IP-only

Figure 2.30: DoS Rule – Option/Policies

Then click OK.

Create a Zone Protection Profile

Under Network > Network Profiles > Zone Protection, click Add.

Figure 2.31: Add a Zone Protection

Under the Flood Protection tab, tick SYN, ICMP, and UDP.

Figure 2.32: Add a Flood Protection

Under the Reconnaissance Protection tab, tick Enable on every row, and change the action to Block.

Figure 2.33: Set UDP Port Scan

Under the Packet Based Attack Protection tab, under the IP Drop subtab, tick Spoofed IP Address and Strict IP Address Check.

Figure 2.34: Enable Spoof IP address and Strict Address Check

Under the Packet Based Attack Protection tab, under the TCP Drop subtab, tick TCP SYN with Data and TCP SYNACK with Data.

Figure 2.35: Enable TCP SYN with Data

Under the Packet Based Attack Protection tab, under the ICMP Drop subtab, tick ICMP Ping ID 0, ICMP Fragment, and ICMP Large Packet (>1024).

Figure 2.36: Enable ICMP Ping ID 0, ICMP Fragment

Then click OK.
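The IP Drop, TCP Drop, and ICMP Drop boxes ticked in the three steps above are stateless per-packet checks. The following added example (illustrative Python, not PAN-OS code and not part of the original lab) applies approximations of those checks to constructed packet records so you can see which packets each box would discard. The route table, the reverse-path interpretation of "Spoofed IP Address", the address classes rejected by "Strict IP Address Check", the packet field names, and all sample packets are assumptions made for the example.

```python
"""Added example: per-packet checks mirroring the Packet Based Attack
Protection boxes ticked in the Zone Protection profile (approximations)."""
import ipaddress

# Hypothetical route table for this lab's interfaces (assumption). A source
# address is treated as spoofed when its route points to a different interface
# than the one the packet arrived on (reverse-path check).
ROUTES = {
    "ethernet1/1": [ipaddress.ip_network("10.0.0.0/24")],
    "ethernet1/2": [ipaddress.ip_network("192.168.122.0/24"),
                    ipaddress.ip_network("0.0.0.0/0")],
}
ICMP_LARGE_PACKET_BYTES = 1024   # "ICMP Large Packet (>1024)"


def route_interface(addr):
    """Longest-prefix match of addr against ROUTES; returns an interface name or None."""
    best = None
    for iface, nets in ROUTES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (iface, net.prefixlen)
    return best[0] if best else None


def evaluate_packet(pkt):
    """Return the list of drop reasons that apply to one packet ([] means pass)."""
    reasons = []
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])

    # IP Drop: Spoofed IP Address (reverse-path check against the ingress interface)
    if route_interface(src) != pkt["ingress"]:
        reasons.append("spoofed-ip")
    # IP Drop: Strict IP Address Check (addresses that cannot be valid endpoints; assumption)
    if (src.is_multicast or src.is_loopback or src.is_unspecified
            or dst.is_loopback or dst.is_unspecified):
        reasons.append("strict-ip-check")

    if pkt["proto"] == "tcp":
        flags = set(pkt.get("tcp_flags", ()))
        payload = pkt.get("payload_len", 0)
        if "SYN" in flags and "ACK" not in flags and payload > 0:
            reasons.append("tcp-syn-with-data")        # TCP SYN with Data
        if {"SYN", "ACK"} <= flags and payload > 0:
            reasons.append("tcp-synack-with-data")     # TCP SYNACK with Data

    if pkt["proto"] == "icmp":
        if pkt.get("icmp_id") == 0:
            reasons.append("icmp-ping-id-0")           # ICMP Ping ID 0
        if pkt.get("more_fragments") or pkt.get("frag_offset", 0) > 0:
            reasons.append("icmp-fragment")            # ICMP Fragment
        if pkt.get("length", 0) > ICMP_LARGE_PACKET_BYTES:
            reasons.append("icmp-large-packet")        # ICMP Large Packet (>1024)
    return reasons


def build_sample_packets():
    """Constructed packet records (not captured traffic); 'length' is bytes."""
    outside_src = "192.168.122.50"
    base = {"ingress": "ethernet1/2", "dst": "10.0.0.2"}
    return [
        {**base, "name": "legit-ping", "src": outside_src, "proto": "icmp",
         "icmp_id": 1234, "length": 84},
        {**base, "name": "spoofed-ping", "src": "10.0.0.5", "proto": "icmp",
         "icmp_id": 1234, "length": 84},
        {**base, "name": "id0-large-ping", "src": outside_src, "proto": "icmp",
         "icmp_id": 0, "length": 1500},
        {**base, "name": "fragmented-ping", "src": outside_src, "proto": "icmp",
         "icmp_id": 77, "length": 600, "more_fragments": True},
        {**base, "name": "syn-with-data", "src": outside_src, "proto": "tcp",
         "tcp_flags": ("SYN",), "payload_len": 100},
        {**base, "name": "legit-syn", "src": outside_src, "proto": "tcp",
         "tcp_flags": ("SYN",), "payload_len": 0},
        {**base, "name": "multicast-source", "src": "224.0.0.1", "proto": "udp",
         "length": 120},
    ]


def classify_all(packets):
    """Map each packet name to its list of drop reasons."""
    return {pkt["name"]: evaluate_packet(pkt) for pkt in packets}


if __name__ == "__main__":
    for name, reasons in classify_all(build_sample_packets()).items():
        print(f"{name:18s} {'pass' if not reasons else 'drop: ' + ', '.join(reasons)}")
```

The spoofed-ping record is the case to note: a packet arriving on the Outside interface with an Inside source address passes every TCP and ICMP check and is caught only by the Spoofed IP Address box, which is why it belongs in the Outside zone's profile.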

Apply a Zone Protection Profile

Under Network > Zones, click on the Outside zone.

Figure 2.37: Create an Outside zone

In the Zone Protection Profile field, select the profile you just created.

Figure 2.38: Enable Zone Protection under Outside Zone

Click OK.

Don’t forget to commit your changes!

Test the DoS Protection

Run Pentmenu again with the same options as before, then press Ctrl+C after 3 seconds.

Figure 2.39: Running PentMenu

Under Monitor > Logs > Threat, you should see an entry for an ICMP flood.

Figure 2.40: Verify logs
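The pile of ping entries seen in the Session Browser (Figure 2.24) and the ICMP flood entry in the Threat log above are both the result of rate counting. The following added example (illustrative Python, not PAN-OS code and not part of the original lab) runs a sliding-window flood detector over constructed session records and keeps the two counters this lab configures: an aggregate count for everything reaching the zone, as the Zone Protection profile's flood threshold sees it, and a per-source count, as the Classified DoS profile with Address set to source-IP-only sees it. The window length, thresholds, addresses, and session data are assumptions made for the example.

```python
"""Added example: sliding-window ICMP flood detection, aggregate and per-source."""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0        # sliding window length (assumption)
AGGREGATE_THRESHOLD = 20    # ICMP sessions per window toward one destination (assumption)
PER_SOURCE_THRESHOLD = 10   # ICMP sessions per window from one source (assumption)


def build_sample_sessions():
    """Constructed session records: (seconds, src_ip, dst_ip, application)."""
    sessions = []
    # Three ordinary web sessions from the inside client.
    for i in range(3):
        sessions.append((0.1 + i * 0.3, "10.0.0.2", "198.51.100.20", "web-browsing"))
    # Wave 1: 30 pings in under a second, each from a different (spoofed) source,
    # the pattern produced by pentmenu's "r" (random IP address) option.
    for i in range(30):
        sessions.append((0.5 + i * 0.03, f"203.0.113.{i + 1}", "192.168.122.10", "ping"))
    # Wave 2: 15 pings in under a second from a single real source.
    for i in range(15):
        sessions.append((3.0 + i * 0.05, "192.168.122.77", "192.168.122.10", "ping"))
    return sorted(sessions)


def detect_icmp_floods(sessions, window=WINDOW_SECONDS,
                       aggregate_threshold=AGGREGATE_THRESHOLD,
                       per_source_threshold=PER_SOURCE_THRESHOLD):
    """Return (scope, key, time) alerts, one per upward crossing of a threshold.

    scope "aggregate" is keyed by destination (all sources combined);
    scope "source" is keyed by source IP (what a Classified profile tracks).
    """
    thresholds = {"aggregate": aggregate_threshold, "source": per_source_threshold}
    recent = {"aggregate": defaultdict(deque), "source": defaultdict(deque)}
    alerting = {"aggregate": set(), "source": set()}
    alerts = []
    for t, src, dst, app in sorted(sessions):
        if app != "ping":
            continue
        for scope, key in (("aggregate", dst), ("source", src)):
            q = recent[scope][key]
            q.append(t)
            while q and t - q[0] > window:      # drop timestamps outside the window
                q.popleft()
            if len(q) >= thresholds[scope]:
                if key not in alerting[scope]:   # alert on the upward crossing only
                    alerting[scope].add(key)
                    alerts.append((scope, key, round(t, 2)))
            else:
                alerting[scope].discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_icmp_floods(build_sample_sessions()):
        print(alert)
```

Run against the sample data, the first wave (random sources) raises only the aggregate alert, because no single source ever reaches the per-source threshold, while the second wave (one source) raises only the per-source alert. That is the practical difference between the Zone Protection profile and the Classified DoS profile configured in this lab: a flood with randomized source addresses is caught by the zone-wide counter, and a flood from one host is pinned to that host by the classified counter.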

License


Palo Alto Firewall Copyright © 2023 by Hamid Talebi, Xavier Cawley is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.