Chapter 2. Security Tuneup

2.1 Work with Applications

Learning Objectives

  • Configure security policies

Prerequisites:

  • Knowledge of previous labs
  • SNAT for internet access
  • Security Policy from Inside to Outside

Scenario: Employees can doze off and do other things that they’re not supposed to do during work time. If only there were an easy application-aware next-generation firewall that could block these applications! (Hint: It’s this firewall!) In this lab, we are going to add applications to the security policy so that only specific traffic is allowed to pass through the firewall.
Figure 2.1: Main scenario
Table 2.1: Addressing Table

Device                 Configuration
Client (webterm)       eth0: 10.0.0.2/24, GW: 10.0.0.1
PaloAlto               Ethernet1/1: 10.0.0.1/24
                       Ethernet1/2: DHCP
                       Management: 192.168.0.1/24
Management (webterm)   eth0: 192.168.0.2/24

Table 2.2: Zone Configuration

Zone      Interface
Inside    Ethernet1/1
Outside   Ethernet1/2

Modify Allowed Applications

Under Policies > Security, create a new security policy that allows traffic from the Inside zone to the Outside zone.

Figure 2.2: Create a Security Policy

Under the Application tab, add the following applications:

  • dns
  • ssl
  • web-browsing
  • dns-over-https

These allow only basic web browsing (name resolution plus HTTP and HTTPS); any application not in the list is denied.

Figure 2.3: Set a custom application

Press OK, and commit the changes.

Test the Policy

On the client machine, navigate to any website and you’ll see that it works:

Figure 2.4: Verify your configuration

However, you’ll notice that ping will not function:

Figure 2.5: Verify Ping

To permit ping, add the ping application to the same policy under the Application tab, commit, and then verify whether ping succeeds.
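The following is an added example, not part of the lab or of PAN-OS itself: a small Python model of how the firewall evaluates its security rulebase top-down with first-match semantics, ending in the implicit interzone-default deny. It uses the lab's zone and App-ID names; the rule name "Allow-Web" and the sample sessions are constructed for illustration, and it shows why ping from the client is dropped until the ping application is added.

```python
# Added example, not part of the lab: a small model of how a PAN-OS
# security rulebase is evaluated (top-down, first match wins) and why the
# lab's rule blocks ping. Zone and App-ID names are the lab's; the
# implicit interzone-default deny is modelled as a final catch-all rule.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    applications: frozenset  # App-IDs this rule matches ("any" = all)
    action: str = "allow"

    def matches(self, from_zone: str, to_zone: str, app: str) -> bool:
        return (self.from_zone in ("any", from_zone)
                and self.to_zone in ("any", to_zone)
                and ("any" in self.applications or app in self.applications))

# PAN-OS appends this predefined rule after every explicit rule: traffic
# between two different zones that nothing above allowed is denied.
INTERZONE_DEFAULT = Rule("interzone-default", "any", "any",
                         frozenset({"any"}), action="deny")

def evaluate(rulebase: list, from_zone: str, to_zone: str, app: str):
    """Return (rule name, action) of the first rule matching the session."""
    for rule in [*rulebase, INTERZONE_DEFAULT]:
        if rule.matches(from_zone, to_zone, app):
            return rule.name, rule.action
    raise RuntimeError("unreachable: interzone-default matches everything")

# The policy built in this lab (Figure 2.3): Inside -> Outside, four App-IDs.
WEB_APPS = frozenset({"dns", "ssl", "web-browsing", "dns-over-https"})
LAB_RULEBASE = [Rule("Allow-Web", "Inside", "Outside", WEB_APPS)]  # name assumed
# The same policy after the ping application is added, as the last step does.
LAB_RULEBASE_WITH_PING = [Rule("Allow-Web", "Inside", "Outside",
                               WEB_APPS | {"ping"})]

# Constructed sessions: what the client at 10.0.0.2 generates while browsing,
# then its ping, then an unsolicited inbound connection from the Outside zone.
SESSIONS = [("Inside", "Outside", "dns"), ("Inside", "Outside", "web-browsing"),
            ("Inside", "Outside", "ssl"), ("Inside", "Outside", "ping"),
            ("Outside", "Inside", "web-browsing")]

def verdicts(rulebase: list, sessions=SESSIONS) -> dict:
    """Map each (from, to, app) session to the action the firewall takes."""
    return {s: evaluate(rulebase, *s)[1] for s in sessions}

if __name__ == "__main__":
    print(verdicts(LAB_RULEBASE))
```

Running it shows every browsing session allowed by Allow-Web while ping and the inbound connection fall through to interzone-default and are denied; swapping in LAB_RULEBASE_WITH_PING flips only the ping verdict.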

License


Palo Alto Firewall Copyright © 2023 by Hamid Talebi, Xavier Cawley is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.