{"id":103,"date":"2022-04-25T07:31:12","date_gmt":"2022-04-25T11:31:12","guid":{"rendered":"https:\/\/opentextbc.ca\/paloalto\/chapter\/work-with-applications\/"},"modified":"2023-11-28T19:03:51","modified_gmt":"2023-11-29T00:03:51","slug":"work-with-applications","status":"publish","type":"chapter","link":"https:\/\/opentextbc.ca\/paloalto\/chapter\/work-with-applications\/","title":{"raw":"2.1 Work with Applications","rendered":"2.1 Work with Applications"},"content":{"raw":"
\n

Learning Objectives<\/p>\n\n<\/header>\n

\n
    \n \t
  • Configure security policies<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
    \n\nPrerequisites<\/strong>:\n
      \n \t
    • Knowledge of previous labs<\/li>\n \t
    • SNAT for internet access<\/li>\n \t
    • Security Policy from Inside to Outside<\/li>\n<\/ul>\n<\/div>\n
      Scenario<\/strong>: Employees can doze off and do other things that they're not supposed to do during work time. If only there was an easy application-aware next-generation firewall that can block these applications! (Hint: It's this firewall!) In this lab, we are going to add applications to the security policy to only allow specific traffic to pass through the firewall.<\/div>\n\n[caption id=\"attachment_102\" align=\"aligncenter\" width=\"987\"]\"main Figure 2.1: Main scenario[\/caption]\n\n\n\n\n\n
      Table 2.1: Addressing Table<\/caption>\n
      Device<\/th>\nConfiguration<\/th>\n<\/tr>\n
      Client (webterm)<\/td>\neth0: 10.0.0.2\/24 GW: 10.0.0.1<\/td>\n<\/tr>\n
      PaloAlto<\/td>\nEthernet1\/1: 10.0.0.1\/24\nEthernet1\/2: DHCP\nManagement: 192.168.0.1\/24<\/td>\n<\/tr>\n
      Management (webterm)<\/td>\neth0: 192.168.0.2\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n
      Table 2.2: Zone Configuration<\/caption>\n
      Zone<\/th>\nInterface<\/th>\n<\/tr>\n
      Inside<\/td>\nEthernet1\/1<\/td>\n<\/tr>\n
      Outside<\/td>\nEthernet1\/2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      Modify Allowed Applications<\/h2>\nUnder polices > security<\/strong>, create a new security policy that allows inside to outside.\n\n[caption id=\"attachment_102\" align=\"aligncenter\" width=\"1026\"]\"Create Figure 2.2: Create a Security Policy[\/caption]\n\nUnder the application tab, add these under applications:\n
        \n \t
      • dns<\/li>\n \t
      • ssl<\/li>\n \t
      • web-browsing<\/li>\n \t
      • dns-over-https<\/li>\n<\/ul>\nThese will allow only basic web browsing.\n\n[caption id=\"attachment_102\" align=\"aligncenter\" width=\"1026\"]\"Set Figure 2.3: Set a custom application[\/caption]\n\nPress OK<\/strong>, and commit the changes.\n

        Test the Policy<\/h2>\nOn the client machine, navigate to any website, and you'll see it works:\n\n[caption id=\"attachment_102\" align=\"aligncenter\" width=\"400\"]\"Verify Figure 2.4: Verify your configuration[\/caption]\n\nHowever, you'll notice that ping will not function:\n\n[caption id=\"attachment_102\" align=\"aligncenter\" width=\"400\"]\"Verify Figure 2.5: Verify Ping[\/caption]\n\nYou can allow Ping application under application settings and then you can verify whether you are able to Ping or not.","rendered":"
        \n
        \n

        Learning Objectives<\/p>\n<\/header>\n

        \n
          \n
        • Configure security policies<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
          \n

          Prerequisites<\/strong>:<\/p>\n

            \n
          • Knowledge of previous labs<\/li>\n
          • SNAT for internet access<\/li>\n
          • Security Policy from Inside to Outside<\/li>\n<\/ul>\n<\/div>\n
            Scenario<\/strong>: Employees can doze off and do other things that they’re not supposed to do during work time. If only there was an easy application-aware next-generation firewall that can block these applications! (Hint: It’s this firewall!) In this lab, we are going to add applications to the security policy to only allow specific traffic to pass through the firewall.<\/div>\n
            \"main
            Figure 2.1: Main scenario<\/figcaption><\/figure>\n\n\n\n\n\n\n
            Table 2.1: Addressing Table<\/caption>\n
            Device<\/th>\nConfiguration<\/th>\n<\/tr>\n
            Client (webterm)<\/td>\neth0: 10.0.0.2\/24 GW: 10.0.0.1<\/td>\n<\/tr>\n
            PaloAlto<\/td>\nEthernet1\/1: 10.0.0.1\/24
            \nEthernet1\/2: DHCP
            \nManagement: 192.168.0.1\/24<\/td>\n<\/tr>\n
            Management (webterm)<\/td>\neth0: 192.168.0.2\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n\n
            Table 2.2: Zone Configuration<\/caption>\n
            Zone<\/th>\nInterface<\/th>\n<\/tr>\n
            Inside<\/td>\nEthernet1\/1<\/td>\n<\/tr>\n
            Outside<\/td>\nEthernet1\/2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

            Modify Allowed Applications<\/h2>\n

            Under polices > security<\/strong>, create a new security policy that allows inside to outside.<\/p>\n

            \"Create
            Figure 2.2: Create a Security Policy<\/figcaption><\/figure>\n

            Under the application tab, add these under applications:<\/p>\n

              \n
            • dns<\/li>\n
            • ssl<\/li>\n
            • web-browsing<\/li>\n
            • dns-over-https<\/li>\n<\/ul>\n

              These will allow only basic web browsing.<\/p>\n

              \"Set
              Figure 2.3: Set a custom application<\/figcaption><\/figure>\n

              Press OK<\/strong>, and commit the changes.<\/p>\n

              Test the Policy<\/h2>\n

              On the client machine, navigate to any website, and you’ll see it works:<\/p>\n

              \"Verify
              Figure 2.4: Verify your configuration<\/figcaption><\/figure>\n

              However, you’ll notice that ping will not function:<\/p>\n

              \"Verify
              Figure 2.5: Verify Ping<\/figcaption><\/figure>\n

              You can allow Ping application under application settings and then you can verify whether you are able to Ping or not.<\/p>\n","protected":false},"author":124,"menu_order":1,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-103","chapter","type-chapter","status-publish","hentry"],"part":97,"_links":{"self":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/users\/124"}],"version-history":[{"count":1,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/103\/revisions"}],"predecessor-version":[{"id":104,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/103\/revisions\/104"}],"part":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/parts\/97"}],"metadata":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/103\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/media?parent=103"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapter-type?post=103"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/contributor?post=103"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/opentextbc.ca\/paloalto\/wp-json\/wp\/v2\/license?post=103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}