Palo Alto

Blocking Youtube Using Palo Alto URL Category

Youtube
The Bandwidth Killer
to be honest i learn a lot from youtube whether cisco configuration or paloalto or even other things
but during work hour many user using youtube to hear songs, watch a movie trailer which kill the internet bandwidth so i explain earlier how to block facebook using APP-ID
but Youtube APP-ID is little diffrent cause it depend in google-base which will forbid google website too
so URL Category may save the Day
this remind me of Microsoft TMG

So first let create a URL Category
Go to Objects – Custom objects – URL Category – add new
(Youtube)
Add URL (www.youtube.com) Also you can add more (*.youtube.com)
1
now we create a security policy
Go to Policies – Security – add new (Stop Youtube)
2
Select the Source Zone (inside) and the Source Address (My Laptop IP  Address)
3
Select the user aysar.mohamed (Me)4
Select the Destination as my Outside Interface5
Select any in Application tab6
well here we go
in Service/URL Category we select the (Youtube) Category that we create earlier7
put the Action to deny8
now when i try to open Youtube i got the deny messgae ;D9
As you can see from the log i got the (Reset-both ) Action in rule of Stop youtube 10a

;D

 

Advertisements
Standard
Palo Alto

Blocking Facebook or Facebook Chat Using Palo Alto APP-ID

Work Time is Work Time
So unless you work in Marketing then you don’t need any Social Website
so Aysar Mohamed (ME) is an IT guy and i want my self to do IT Work and stop playing around the Facebook (i am sure my manager agree in  this point)so let’s do it

First go to Monitor – Logs – traffic and as you can see it full by Facebook logs by Aysar and it depend on one Application (facebook-base)

1
So let go to Policies – Security – add new (Stop facebook)91
Select the Source Zone (Inside) and Source Address (My Laptop IP Address)3
Select my user (Aysar.Mohamed)4
Select the Destination my outside interface5
then here choose the application (facebook-base) which appear in my logs90
Now Choose action to deny
92
Make sure to move this rule to the top
7
As you can see now i cant open my facebook at all and it give me this error7a
and if you go back to the logs you will see the action (reset-both)8

Now what if i want Aysar to view his Facebook but don’t want him to Chat with Anyone
Easy go back to my (Stop facebook) Policy change the APP-ID to (facebook-chat) and save9
some application can’t just stop by choosing the APP-ID you need to select also what it depend on
so highlight the rule and go to the application tab and choose facebook-chat and right click and choose (Value) to see what its Depends on.
so for facebook-chat it depends on
facebook-base
mqtt
Now If i select facebook-base it will also block facebook page Also
so here the trick
10
Add only mqtt
11
Then in my Second Rule (Aysar Allow) i will add to Alow the facebook-base12
under Application i will only add the facebook-base13
Now i can go to my facebook but as you can see my Chat is Dark (Unable to connect) 15
and as you can see in the Logs it block the facebook-chat14

 

Standard
Palo Alto

Palo Alto HA Sync Issue & APP and Threat Mismatch

Just when i think everything okay a Nice View Such as Below Appear
1
I Checked All my HA Configuration and it’s Fine SO
i Define this as Two Issue
Synchronize
App and Threat Mismatch

First lets Solve the Synchronized and it’s a simple Step
Just Next to Running Config Press (Sync to Peer) so it Push the Configuration to the Passive HA
2
It will Ask you to Overwrite Peer Configuration Just press yes
3
Now it Start as you See (Synchronization in Progress)4
And as you can see now it finished and now its Synchronized 5
and now here in the Passive HA and Also show the Same 6
Now Lets Move to Next step which is the APP & Threat Mismatch
Lets Check the Version of the Application First
Go to Device – Dynamic updates – and Check the Applications and threats
7
so Go to 654-3805 which is my Latest Update also you can See in the lower of screen (Check Update)
Then Press Install on Right Side of the Application8
Check to Synch to HA Peer
press Continue Installation
9
Now it will Progress
10
And Automatically will Transfer a copy to HA Peer11
As you See now a Copy Transferred and Installed in HA Peer12
And Finally the all your HA Item in the Active Peer  is Green14

;D

Standard
Firewall, Palo Alto, Security

Palo Alto to Internet

TOP 10 Next Generation Firewalls
Palo Alto
After Spending Many Years in Cisco Security ASA and Worked with microsoft TMG the Company Decided to go to New technology
After Reading About it I realized that Gartner  agree that Palo Alto  Consider to be the leader when it comes to Next Generation Firewall appliances
So let me guide you with the First Step of Initial Setup and Configure it to Internet Access for users

Well first Let start Login to the ESXI host1
Then Choose to Deploy the OVA File
2
Browse to my Folder were i Save the OVA3
Press Next4
Type a Name of your Choice5
I Prefer to Select Thin Provision is i will not Reserve the Whole Size6
Select the Network7
Now Press Finish8
The Deploying Procedure Start9Now we Finished with The Installation of the OVA
10

Depend on your Scenario and how many Network Card you Need
in my Scenario i Need 4 (Management, WAN, LAN and DMZ)
in my ESXI i have this Already Configured as you see in the Picture

a.png
Now i will Edit My Virtual Machine
Configure the Network Adapter 2 to be my Outside
11
Click Add  and Select my Third Network Card for LAN12
Choose the Network Label (Inside) Which Represent the LAN Also DO the Same for Server Side whch Represent by (DMZ)13
Press Finish and Its Created14

15
Now Start the Machine16
Username: admin
Password:admin
and Set your IP Address for the Machine17
Now Set the Default Gateway and Save it (Commit)18
Now Go to the Web Page Https://192.168.208.222
Enter the Default username and Password19
normal Warning Regard the Default username and Password20
Go to the Device – Setup – Management – Management Interface Settings and you Can Edit the Service or IP Address21
Second Go to Device – Setup – Service – Services and Configure the DNS and NTP22

23
Second Go to Network – Zones and Add the Zones (Outside, Inside and DMZ) Repeat the Same Step Below to Create Each
25

26
Now Go to Network – Virtual Router and Create New One and Name it27
Second Go to Network – Interfaces – Edit Each interface (Ethernet 1/1, 1/2 and 1/3)
Outside, inside and DMZ
Type of Layer 3
Select the virtual Router and Security Zone28
then Go to IPv4 tab and Add the IP Address29
Second go to Advanced Tab – Other info – Management profile and press new 30
Select Name and Edit the Service Permitted31
And Then Select the Management profile32
Repeat the Same Step to Each Interface (LAN and DMZ)
here the Zone is Different for inside33
and Add the LAN IP Address : 192.168.250.250
34

35
Now  Go back to Virtual Router and Add a Static Routes to Default Route to your internet ISP Router in my Case : 37.76.249.9136
Now time to Configure your Security Rule
Go to Policies – Security and Add one
Name : Allow-Net
Type: Interzone37
Choose the Source to be Inside38
Choose the Destination: Outside39
Select the Service/ URL category : Any40
Select the Action : Allow
Log Setting Enable Log at Session Start and END41
42
Now Go to to Configure the PAT (Port Address Translation)
Policies – NAT add new
Choose Name 43
Choose your Security Zone:Inside
Destination Zone: outside
Destination interface: Ethernet 1/1 (My WAN Network)
44
Then Select the Translated Packet and Configure it As below
Dynamic IP and Port for PAT
45
46
Now i go to my Client and I too IP from DHCP47
Test the PING and Now the ping is working perfectly to IP Address 8.8.8.848
and i Test the Web browsing and It’s Working Perfectly49

;D

Standard