{"id":117,"date":"2022-04-25T07:31:12","date_gmt":"2022-04-25T11:31:12","guid":{"rendered":"https:\/\/pressbooks.bccampus.ca\/paloalto\/?post_type=chapter&p=117"},"modified":"2026-02-19T15:36:04","modified_gmt":"2026-02-19T20:36:04","slug":"work-with-applications","status":"publish","type":"chapter","link":"https:\/\/pressbooks.bccampus.ca\/paloalto\/chapter\/work-with-applications\/","title":{"raw":"2.1 Work with Applications","rendered":"2.1 Work with Applications"},"content":{"raw":"
\r\n

Learning Objectives<\/p>\r\n\r\n<\/header>\r\n

\r\n
    \r\n \t
  • Configure security policies<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n
    \r\n\r\nPrerequisites<\/strong>:\r\n
      \r\n \t
    • Knowledge of previous labs<\/li>\r\n \t
    • SNAT for internet access<\/li>\r\n \t
    • Security Policy from Inside to Outside<\/li>\r\n<\/ul>\r\n<\/div>\r\n
      Scenario<\/strong>: Employees can doze off and do other things that they're not supposed to do during work time. If only there was an easy application-aware next-generation firewall that can block these applications! (Hint: It's this firewall!) In this lab, we are going to add applications to the security policy to only allow specific traffic to pass through the firewall.<\/div>\r\n\r\n[caption id=\"attachment_190\" align=\"aligncenter\" width=\"987\"]\"main Figure 2.1: Main scenario[\/caption]\r\n\r\n\r\n\r\n\r\n\r\n
      Table 2.1: Addressing Table<\/caption>\r\n
      Device<\/th>\r\nConfiguration<\/th>\r\n<\/tr>\r\n
      Client (webterm)<\/td>\r\neth0: 10.0.0.2\/24 GW: 10.0.0.1<\/td>\r\n<\/tr>\r\n
      PaloAlto<\/td>\r\nEthernet1\/1: 10.0.0.1\/24\r\nEthernet1\/2: DHCP\r\nManagement: 192.168.0.1\/24<\/td>\r\n<\/tr>\r\n
      Management (webterm)<\/td>\r\neth0: 192.168.0.2\/24<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n\r\n\r\n\r\n\r\n
      Table 2.2: Zone Configuration<\/caption>\r\n
      Zone<\/th>\r\nInterface<\/th>\r\n<\/tr>\r\n
      Inside<\/td>\r\nEthernet1\/1<\/td>\r\n<\/tr>\r\n
      Outside<\/td>\r\nEthernet1\/2<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n

      Modify Allowed Applications<\/h2>\r\nUnder polices > security<\/strong>, create a new security policy that allows inside to outside.\r\n\r\n[caption id=\"attachment_384\" align=\"aligncenter\" width=\"1026\"]\"Create Figure 2.2: Create a Security Policy[\/caption]\r\n\r\nUnder the application tab, add these under applications:\r\n
        \r\n \t
      • dns<\/li>\r\n \t
      • ssl<\/li>\r\n \t
      • web-browsing<\/li>\r\n \t
      • dns-over-https<\/li>\r\n<\/ul>\r\nThese will allow only basic web browsing.\r\n\r\n[caption id=\"attachment_192\" align=\"aligncenter\" width=\"1026\"]\"Set Figure 2.3: Set a custom application[\/caption]\r\n\r\nPress OK<\/strong>, and commit the changes.\r\n

        Test the Policy<\/h2>\r\nOn the client machine, navigate to any website, and you'll see it works:\r\n\r\n[caption id=\"attachment_193\" align=\"aligncenter\" width=\"1026\"]\"Verify Figure 2.4: Verify your configuration[\/caption]\r\n\r\nHowever, you'll notice that ping will not function:\r\n\r\n[caption id=\"attachment_194\" align=\"aligncenter\" width=\"1026\"]\"Verify Figure 2.5: Verify Ping[\/caption]\r\n\r\nYou can allow Ping application under application settings and then you can verify whether you are able to Ping or not.","rendered":"
        \n
        \n

        Learning Objectives<\/p>\n<\/header>\n

        \n
          \n
        • Configure security policies<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
          \n

          Prerequisites<\/strong>:<\/p>\n

            \n
          • Knowledge of previous labs<\/li>\n
          • SNAT for internet access<\/li>\n
          • Security Policy from Inside to Outside<\/li>\n<\/ul>\n<\/div>\n
            Scenario<\/strong>: Employees can doze off and do other things that they’re not supposed to do during work time. If only there was an easy application-aware next-generation firewall that can block these applications! (Hint: It’s this firewall!) In this lab, we are going to add applications to the security policy to only allow specific traffic to pass through the firewall.<\/div>\n
            \"main
            Figure 2.1: Main scenario<\/figcaption><\/figure>\n\n\n\n\n\n\n
            Table 2.1: Addressing Table<\/caption>\n
            Device<\/th>\nConfiguration<\/th>\n<\/tr>\n
            Client (webterm)<\/td>\neth0: 10.0.0.2\/24 GW: 10.0.0.1<\/td>\n<\/tr>\n
            PaloAlto<\/td>\nEthernet1\/1: 10.0.0.1\/24
            \nEthernet1\/2: DHCP
            \nManagement: 192.168.0.1\/24<\/td>\n<\/tr>\n
            Management (webterm)<\/td>\neth0: 192.168.0.2\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n\n
            Table 2.2: Zone Configuration<\/caption>\n
            Zone<\/th>\nInterface<\/th>\n<\/tr>\n
            Inside<\/td>\nEthernet1\/1<\/td>\n<\/tr>\n
            Outside<\/td>\nEthernet1\/2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

            Modify Allowed Applications<\/h2>\n

            Under polices > security<\/strong>, create a new security policy that allows inside to outside.<\/p>\n

            \"Create
            Figure 2.2: Create a Security Policy<\/figcaption><\/figure>\n

            Under the application tab, add these under applications:<\/p>\n

              \n
            • dns<\/li>\n
            • ssl<\/li>\n
            • web-browsing<\/li>\n
            • dns-over-https<\/li>\n<\/ul>\n

              These will allow only basic web browsing.<\/p>\n

              \"Set
              Figure 2.3: Set a custom application<\/figcaption><\/figure>\n

              Press OK<\/strong>, and commit the changes.<\/p>\n

              Test the Policy<\/h2>\n

              On the client machine, navigate to any website, and you’ll see it works:<\/p>\n

              \"Verify
              Figure 2.4: Verify your configuration<\/figcaption><\/figure>\n

              However, you’ll notice that ping will not function:<\/p>\n

              \"Verify
              Figure 2.5: Verify Ping<\/figcaption><\/figure>\n

              You can allow Ping application under application settings and then you can verify whether you are able to Ping or not.<\/p>\n","protected":false},"author":1572,"menu_order":1,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-117","chapter","type-chapter","status-publish","hentry"],"part":115,"_links":{"self":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/users\/1572"}],"version-history":[{"count":25,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/117\/revisions"}],"predecessor-version":[{"id":1214,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/117\/revisions\/1214"}],"part":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/parts\/115"}],"metadata":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/117\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/media?parent=117"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapter-type?post=117"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/contributor?post=117"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/license?post=117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}