The document describes configuring App-ID, Content-ID, and URL filtering features on a Palo Alto Networks firewall. It involves applying a license, updating the firewall software, and configuring an App-ID security policy rule to allow specific applications instead of all traffic. The rule allows ntp, ssl, and web-browsing applications. Testing various URLs confirms the App-ID changes are filtering traffic as expected.

Uploaded by Charan Preet

Lab 5 – App-ID, Content-ID, and URL Filtering

Lab Topology and Learning Goals

In this lab you will configure some of the NGFW features included in PAN-OS. You will use App-ID to
identify applications based on their layer 7 data. Content-ID will be used to filter traffic that could
prove to be a threat to our network or our users. Finally, we will configure URL Filtering to control the
URLs that our users can access.
Required Resources
• VMware Workstation 15.5.6 or later
• VM Templates:
  o _Debian10(bitnami)
  o _Server2016-1607
  o _pfSense2.4.5
  o PanOS9.0.0

Active Hosts
• BS-BR-FW1
• BS-WEB1
• BS-HR1
• BS-WS-340
• BS-WS-169
• BS-HQ-FW1
• ISP

Inactive Hosts
• BS-WS-268
• BS-SALES1
• BS-SALES2

INFO-5123 – Firewalls & Network Monitoring Page: 1


Part 1 – Apply the Firewall License
At the end of the last lab, you shut down all lab VMs. Ensure all required VMs are open in VMware
Workstation and resume each one: right-click on the VM tab, click Power, then click Power On.
While basic firewall filtering will work out of the box, many of the NGFW features require the firewall to
have an active license and feature subscription. Before we can work with the features in this lab, we
will need to apply a license to the firewall. Due to our topology, we will first need to configure a
service route, so that the firewall can access the Palo Alto update server.
3-1. On BS-WS-169, open Firefox and navigate to https://10.1.130.254. Log in to the firewall
with the username admin and the password Passw0rd!.
3-2. From the top navigation menu, navigate to the Device tab, the Setup configuration page
should automatically load. Switch to the Services tab.
3-3. In the Services Features Widget, click the Service Route Configuration link to open the
Service Route Configuration window. The default is to use the management interface for
all management activities, click the Customize radio button to change the settings.

3-4. Click on the link for the following services, changing the Source Interface to ethernet1/4 and
then clicking OK to accept the changes:
a. DNS
c. Palo Alto Networks Services
d. URL Updates

3-5. Click OK to accept the changes. From the top navigation menu, click the Commit button to
merge the changes with the running configuration. Click Commit to continue. Click Close
when the changes have applied.
3-6. From the top navigation menu, you should be on the Device tab, then from the left
navigation menu, open the Licenses configuration page.

3-7. VM-Series firewalls are activated using an authorization code. Click the Activate
feature using authorization code link. In the Update License window, add the license
code from FOL and click OK. This license code has a limited number of activations, so
please only use it for official lab activities.

3-8. A Warning should appear to tell you that when the license is activated, PAN services will be
restarted. Click OK to apply the license. Wait for the license to apply (it may take some
time for the services to restart). You should be logged out of your session when the change
is successful. Log in to the firewall to continue.

3-9. When you have logged in you should see that the firewall has the VM-50 license applied.

Part 2 – Updating the System Software and Software Features
Palo Alto provides system updates to add new software features and to fix vulnerabilities and bugs in
the existing software. The firewall is currently running an early version of PAN-OS 9 (version 9.0.1).
A software update is available that can update our system software to version 9.1.5.
2-1. From the top navigation menu, navigate to the Device tab, from the left menu, click on the
Software configuration page. Use the OK button to close the popup window.
2-2. Our firewall has never checked for an update, so the list will appear as empty. Use the
Check Now button at the bottom of the page to check for software updates.

2-3. When the list reloads, you will see all the software that is available for the firewall, including
the currently installed release.

2-4. To update to version 9.1.11-h2, we will first need to download and install the major release
version 9.1.0, as well as some content updates. Locate the row for version 9.1.0 and use
the Download link to download the update. When the download completes, click the Close
button to continue.

2-6. Next, we need to install the required content updates. From the left menu, open the
Dynamic Updates configuration page and use the Check Now button to populate the list.

2-7. In the Application and Threats section, use the Download link to download the most
recent update (located at the bottom of the list). When downloaded, click the Close button
to continue.
2-8. You should now see an Install link for the updated content, click the link to install the
update. When the Install Applications and Threats window opens, click Continue
Installation. Click the Close button when the process is finished.

2-9. We can now install software version 9.1.0. Switch to the Software configuration page from
the left menu. Locate the row for version 9.1.0 and use the Install button to begin the
install. Review the message in the Warning text box and click OK when you are ready to
continue. When prompted, click Yes to reboot the device. You should be logged out of
your session when the reboot is complete. Log in to the firewall to continue.

After you have confirmed that the updated version of the software has not added instability to your
network, it would be best practice to clean up any unnecessary software images from the firewall.

2-11. From the top navigation menu, navigate to the Device tab, from the left menu, click on the
Software configuration page. In the final column for both version 9.0.0 and 9.0.1, use the X
button to remove the software image from the firewall. Click the Yes button when prompted
to confirm that you want to delete the software. Click OK when the images have been
successfully deleted.

We are now ready to configure the NGFW features.

Part 3 – Configure App-ID
App-ID allows administrators to ensure that organizational security policy is enforced by identifying
applications based on the layer 7 application data, as opposed to trusting TCP and UDP port-based
rules. Additionally, App-ID can identify when employees are using web-based proxies to circumvent
security policy rules.
In our last lab, we configured the Allow-Users-All rule to allow traffic from the Users zone to any
destination. While this rule ensures that we do not block any unintended traffic, it does not provide
much protection or control of the resources that our users can access.
3-1. On BS-WS-169, configure a temporary static DNS server that points to 198.51.100.1, as we
will need DNS to confirm the changes we make to the firewall in this lab. Confirm that you
can resolve hostnames before continuing.
3-2. From the top navigation menu, navigate to the Policies tab, the Security configuration
page should automatically load. Review the details of the Allow-Users-All rule.

3-3. Select the Allow-Users-All rule and use the Clone button to open the Clone window.
Select the rule from the list and modify the order to place the new rule before the existing
one. Click the OK button to clone the rule.

3-5. Click the link for the new rule (Allow-Users-All-1) to open the Security Policy Rule window.
Change the rule name to Allow-Users-App-ID. Modify the description to indicate that
App-ID is being used.


3-6. Switch to the Application tab and use the Add button in the Applications pane to add the
following apps:

b. ntp
c. ssl
d. web-browsing
3-7. Click OK to accept the changes. From the top navigation menu, click the Commit button to
merge the changes with the running configuration. Click Commit to continue. Click Close
when the changes have applied.
3-8. On BS-WS-169, open a new Firefox tab and try to navigate to the following URLs:
a. http://example.com/
b. https://www.google.ca
c. https://www.bing.com/
d. https://www.reddit.com/
e. https://www.facebook.com/
Do all the pages load?_____________________________________________
Which ones do not? ______________________________________________
Are these results expected? ________________________________________

Next, we will enable the application block page to inform users that the page has been blocked.


3-9. From the top navigation menu, navigate to the Device tab, from the left menu open the
Response Pages configuration page. Click the Disabled link in the Application Block
Page row to open the configuration window. Check the checkbox to Enable the
Application Block Page. Click OK to accept the changes.

3-11. In a new tab, navigate to https://www.google.ca once more. What response do you receive
this time? Can you identify the application that you would need to enable for Google to
work?
Let’s view the firewall logs to see what information they provide.
3-12. From the top navigation menu, navigate to the Monitor tab, the Traffic page from the Logs
section should automatically open.
3-13. Try to identify the log that was generated when you navigated to https://www.google.ca.
What policy was matched to generate this log?__________________________________

Let’s add Google and Facebook to our policy rule.


3-14. From the top navigation menu, navigate to the Policies tab, the Security configuration
page should automatically load.
3-15. Modify your Allow-Users-App-ID rule and add the following applications:
a. facebook-base
b. google-base
3-16. From the top navigation menu, click the Commit button to merge the changes with the running
configuration. Click Commit to continue. Click Close when the changes have applied.
3-17. Test your configuration by opening a new tab and navigating to https://www.google.ca.
Does the page now load?
3-18. Try to sign in to Google using a Google account. Can you sign in?
3-19. Next, try to access Gmail for the account that you are signed in with. Can you access the
service?
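To make the behaviour observed in steps 3-8 through 3-19 concrete, here is an added example (not part of the lab and not PAN-OS code) that models first-match security policy evaluation over the lab's two rules. The zone names, rule names and application names (ntp, ssl, web-browsing, google-base, facebook-base, gmail) are the ones used in the lab; the sample flows are constructed. It shows why a flow that App-ID identifies as google-base is not covered by a rule that allows only ssl, even though both arrive on tcp/443, and which rule name the Traffic log would report in each case.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed model of the lab's rulebase; not PAN-OS code.


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: set[str]        # {"any"} matches every application
    action: str           # "allow" or "deny"
    enabled: bool = True


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    app: str              # application as identified by App-ID (layer 7)


INTRAZONE_DEFAULT = "intrazone-default"   # implicit rule: allow
INTERZONE_DEFAULT = "interzone-default"   # implicit rule: deny


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A disabled rule never matches; zones and application must all match."""
    if not rule.enabled:
        return False
    if rule.src_zone not in ("any", flow.src_zone):
        return False
    if rule.dst_zone not in ("any", flow.dst_zone):
        return False
    return "any" in rule.apps or flow.app in rule.apps


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, str]:
    """First-match evaluation: return (rule name, action). Traffic that matches
    no explicit rule falls through to the implicit default rules, and that
    default rule is what the Traffic log shows as the matched rule."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    if flow.src_zone == flow.dst_zone:
        return INTRAZONE_DEFAULT, "allow"
    return INTERZONE_DEFAULT, "deny"


def port_based_allowed(flow: Flow, allowed_ports=(53, 80, 123, 443)) -> bool:
    """What a legacy port-based rule would decide: it cannot tell google-base
    from ssl, because both ride on port 443."""
    return flow.dst_port in allowed_ports


def lab_rulebase(app_id_enabled: bool = True, extra_apps=()) -> list[Rule]:
    """Allow-Users-App-ID sits above Allow-Users-All. While the App-ID rule is
    being tested the catch-all is disabled; steps 3-23 to 3-25 swap them back."""
    app_rule = Rule("Allow-Users-App-ID", "Users", "any",
                    {"ntp", "ssl", "web-browsing", *extra_apps}, "allow",
                    enabled=app_id_enabled)
    all_rule = Rule("Allow-Users-All", "Users", "any", {"any"}, "allow",
                    enabled=not app_id_enabled)
    return [app_rule, all_rule]


if __name__ == "__main__":
    # Constructed sample flows from BS-WS-169 (Users zone) to the internet.
    flows = [
        Flow("Users", "External", 123, "ntp"),
        Flow("Users", "External", 80, "web-browsing"),    # example.com
        Flow("Users", "External", 443, "google-base"),    # www.google.ca
        Flow("Users", "External", 443, "facebook-base"),  # www.facebook.com
        Flow("Users", "External", 443, "gmail"),          # Gmail after sign-in
    ]
    stages = [
        ("App-ID rule only", lab_rulebase()),
        ("+ google-base/facebook-base",
         lab_rulebase(extra_apps=("google-base", "facebook-base"))),
        ("Allow-Users-All restored", lab_rulebase(app_id_enabled=False)),
    ]
    for label, rules in stages:
        print(f"== {label}")
        for f in flows:
            name, action = evaluate(rules, f)
            port = "allow" if port_based_allowed(f) else "deny"
            print(f"  {f.app:<14} port {f.dst_port:<4} port-based={port:<5} "
                  f"app-id={action:<5} rule={name}")
```

Running the script prints one table per stage of the lab; the third column is the decision a port-only rule would make, the fourth the decision the App-ID rule makes for the same flow.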


Next, we will try to use a web-based proxy to circumvent the restrictions.

3-21. Navigate to https://kproxy.com/ and use the proxy address bar to try to access
http://www.4shared.com/. Does the page load?
3-22. Try to locate the traffic you generated in the firewall’s logs.

To ensure that App-ID will not interfere with future restrictions, we will re-enable our Allow-Users-All
rule.
3-23. From the top navigation menu, navigate to the Policies tab, the Security configuration
page should automatically load.
3-24. Click the number next to the Allow-Users-All rule and click the Enable Button.
3-25. Click the number next to the Allow-Users-App-ID rule and click the Disable Button.
3-26. From the top navigation menu, click the Commit button to merge the changes with the running
configuration. Click Commit to continue. Click Close when the changes have applied.
3-27. Test your configuration to ensure that you have access to all applications.

Part 4 – Configure a Content-ID Antivirus Profile
Content-ID includes a threat prevention engine that protects network traffic from multiple threat types,
including viruses, spyware, application vulnerabilities, data exfiltration, and more. Content-ID uses
security profiles to determine what traffic is inspected.
Let’s create a security profile that will scan traffic with the antivirus engine and apply it to a security
policy.
4-1. From the top navigation menu, navigate to the Objects tab, then from the left menu, open
the Antivirus configuration page from the Security Profiles section.

4-2. Use the Add button to open the Antivirus Profile configuration window. Name the profile
Users-AV. Add an appropriate description. Check the Packet Capture checkbox to save a
capture of the file when a virus is detected. Click the OK button to create the profile.

Next, we will apply the profile to a security policy.


4-3. From the top navigation menu, navigate to the Policies tab, the Security configuration
page should automatically load.


4-4. Open the Allow-Users-All rule and switch to the Actions tab. In the Profile Setting
section, use the dropdown to select the Profiles option. Use the Antivirus dropdown to
select the Users-AV profile. Click the OK button to accept the rule changes.

4-6. On BS-WS-169, open a new Firefox tab and navigate to http://www.eicar.org/download/eicar.com
to download the test virus file. The file should be blocked, and a response page will appear in its
place.

Part 5 – Configure a Content-ID File Blocking Profile
A file blocking profile can be used to control the file types that users are allowed to upload and
download over the network.
Let’s configure a file blocking profile that will alert users that PDF downloads are blocked, but still allow
them to download the files.
5-1. From the top navigation menu, navigate to the Objects tab, then from the left menu, open
the File Blocking configuration page from the Security Profiles section.

5-2. Use the Add button to open the File Blocking Profile configuration window. Name the
profile Users-FB. Add an appropriate description. Use the Add button to configure the
following:

• Applications – any
• Use the Add button to select pdf
• Direction – both
• Action – continue
5-3. Click the OK button to create the profile.

Next, we will apply the profile to a security policy.


5-4. From the top navigation menu, navigate to the Policies tab, the Security configuration
page should automatically load.

5-5. Open the Allow-Users-All rule and switch to the Actions tab. In the Profile Setting
section, use the File Blocking dropdown to select the Users-FB profile. Click the OK
button to accept the rule changes.
5-6. From the top navigation menu, click the Commit button to merge the changes with the running
configuration. Click Commit to continue. Click Close when the changes have applied.

5-7. On BS-WS-169, open a new Firefox tab and navigate to http://www.panedufiles.com. Click the
Panorama_AdminGuide.pdf link to download the PDF file. The file should be blocked, and a File
Download Blocked response page will appear in its place. Click the Continue button on the page to
download the file.
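The two Content-ID decisions exercised in Part 4 (the Users-AV antivirus profile against the EICAR test download) and Part 5 (the Users-FB file blocking profile with the continue action on PDFs) can be illustrated together. The following is an added example, not code from the lab or from PAN-OS: a toy content inspector in which the file type comes from the file's leading bytes rather than its extension, the antivirus check looks for the EICAR test signature, and a virus verdict is evaluated before file blocking. The EICAR string is the standard, harmless antivirus test pattern; the inspection order, the magic-byte table and the sample download bodies are constructed assumptions for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# The EICAR antivirus test string, assembled from two halves so that this
# source file itself is not flagged by a scanner; the joined value is the
# standard 68-byte test pattern served by eicar.org.
EICAR_SIGNATURE = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
                   b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Constructed magic-byte table: identify the file type by content, not by the
# name the server gave it (assumption: only these three types are recognised).
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"MZ": "pe"}


def identify_file_type(body: bytes) -> str:
    for magic, ftype in MAGIC.items():
        if body.startswith(magic):
            return ftype
    return "unknown"


@dataclass
class FileBlockingRule:
    applications: set[str]   # {"any"} or App-ID names
    file_types: set[str]
    direction: str           # "upload", "download" or "both"
    action: str              # "alert", "continue" or "block"


@dataclass
class Verdict:
    action: str              # "allow", "alert", "continue" or "block"
    reason: str
    capture: bytes | None = None   # saved when Packet Capture is enabled


def antivirus_scan(body: bytes, packet_capture: bool = True) -> Verdict:
    """Signature match on the download body. With Packet Capture enabled
    (as in the Users-AV profile) the offending content is kept for review."""
    if EICAR_SIGNATURE in body:
        return Verdict("block", "virus: EICAR test file",
                       body if packet_capture else None)
    return Verdict("allow", "clean")


def file_blocking(body: bytes, app: str, direction: str,
                  rules: list[FileBlockingRule]) -> Verdict:
    """First matching file blocking rule decides; no match means allow."""
    ftype = identify_file_type(body)
    for r in rules:
        if "any" not in r.applications and app not in r.applications:
            continue
        if ftype not in r.file_types:
            continue
        if r.direction != "both" and r.direction != direction:
            continue
        return Verdict(r.action, f"file type {ftype}: action {r.action}")
    return Verdict("allow", f"file type {ftype}: no rule matched")


def inspect_download(body: bytes, app: str = "web-browsing",
                     av_profile: bool = True,
                     fb_rules: list[FileBlockingRule] = ()) -> Verdict:
    """Assumed order: a virus block wins; otherwise file blocking decides."""
    if av_profile:
        av = antivirus_scan(body)
        if av.action == "block":
            return av
    return file_blocking(body, app, "download", list(fb_rules))


# The lab's Users-FB profile: any application, pdf, both directions, continue.
USERS_FB = [FileBlockingRule({"any"}, {"pdf"}, "both", "continue")]

if __name__ == "__main__":
    samples = {                                   # constructed download bodies
        "eicar.com": EICAR_SIGNATURE,
        "Panorama_AdminGuide.pdf": b"%PDF-1.7\n%constructed sample\n",
        "notes.pdf (really text)": b"plain text with a misleading name",
    }
    for name, body in samples.items():
        v = inspect_download(body, fb_rules=USERS_FB)
        cap = f", capture={len(v.capture)} bytes" if v.capture else ""
        print(f"{name:<26} -> {v.action:<8} ({v.reason}{cap})")
```

The third sample shows why type detection by content matters: a text file named `.pdf` does not hit the PDF rule, and conversely a real PDF served under another name still does.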

Part 6 – URL Filtering
URL filtering allows administrators to filter user traffic based on a website’s content, risk factor, age, or
purpose.
Let’s create a profile that blocks users’ access to websites based on the URL of the website as
defined by an administrator.
6-1. From the top navigation menu, navigate to the Objects tab, then from the left menu, open
the URL Category configuration page from the Custom Objects section.

6-2. Use the Add button to open the Custom URL Category configuration window. Name the
category news-sites. Add an appropriate description. Use the Add button to configure the
following URLs:

• bbc.com
• msnbc.com
• *.foxnews.com
• *.bbc.com
• *.msnbc.com
6-3. Click the OK button to create the custom category.
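The news-sites list mixes plain entries (bbc.com, msnbc.com) with wildcard entries (*.foxnews.com, *.bbc.com, *.msnbc.com), and the difference decides which hostnames are caught. The following is an added example, not code from the lab or from PAN-OS, that matches URLs against that list. The matching semantics are a simplified assumption: a plain entry matches only that exact hostname, a `*.` entry matches any hostname with at least one label in front of the suffix, and hostnames are compared case-insensitively. The policy action name mirrors the Reset both client and server action chosen in step 6-5.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# The custom URL category exactly as entered in step 6-2.
NEWS_SITES = ["bbc.com", "msnbc.com", "*.foxnews.com", "*.bbc.com", "*.msnbc.com"]


def hostname(url: str) -> str:
    """Extract the lower-cased host from a URL; a bare host is accepted too."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def entry_matches(entry: str, host: str) -> bool:
    """Assumed semantics: '*.x' needs at least one label before x; a plain
    entry is an exact host match, so 'bbc.com' does not catch 'www.bbc.com'."""
    entry = entry.lower()
    if entry.startswith("*."):
        suffix = entry[1:]            # "*.bbc.com" -> ".bbc.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def category_match(url: str, entries: list[str] = NEWS_SITES) -> str | None:
    """Return the first category entry that matches the URL's host, or None."""
    host = hostname(url)
    for entry in entries:
        if entry_matches(entry, host):
            return entry
    return None


def policy_action(url: str, entries: list[str] = NEWS_SITES,
                  action: str = "reset-both") -> str:
    """Block-Users-URL applies its action only when the category matches;
    otherwise evaluation would continue to the next rule."""
    return action if category_match(url, entries) else "next-rule"


if __name__ == "__main__":
    # Constructed test URLs covering each entry style and two near-misses.
    for url in ["http://www.bbc.com", "https://bbc.com/news",
                "http://www.foxnews.com/", "http://foxnews.com/",
                "http://notbbc.com/", "http://bbc.com.example.test/"]:
        print(f"{url:<34} entry={str(category_match(url)):<14} "
              f"action={policy_action(url)}")
```

Two results are worth noticing: foxnews.com without a subdomain is not blocked because only the wildcard form was entered, and notbbc.com is not blocked because the wildcard requires a dot before bbc.com.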

Next, we will apply the profile to a security policy.


6-4. From the top navigation menu, navigate to the Policies tab, the Security configuration
page should automatically load.


6-5. Use the Add button to create a new security policy rule. Name the rule Block-Users-URL.
Provide an appropriate description. Apply the Egress tag to the rule. Switch to the Source
tab and add the Users zone to the Source Zone list. Switch to the Destination tab and
add External to the Destination Zone list. Switch to the Service/URL Category tab and
use the Add button to add the news-sites category to the URL Category list. Switch to the
Actions tab and select Reset both client and server from the Action dropdown. Click OK
to add the new security policy rule.

6-7. From the top navigation menu, click the Commit button to merge the changes with the running
configuration. Click Commit to continue. Click Close when the changes have applied.

6-8. On BS-WS-169, open a new Firefox tab and navigate to http://www.bbc.com. The site
should be blocked, and an Application Blocked response page will appear in its place.

Next, we will block users’ access to sites based on predefined categories.


6-10. From the top navigation menu, navigate to the Objects tab, then from the left menu, open
the URL Filtering configuration page from the Security Profiles section.


6-11. Use the Add button to open the URL Filtering Profile configuration window. Name the
profile social-networking-sites. Add an appropriate description. Use the search bar on
the Categories tab to find the social-networking category. Check the checkbox next to
social-networking. Click the allow link in the Site Access column and change the option to
block. Click the OK button to add the profile.

6-12. From the top navigation menu, navigate to the Policies tab, the Security configuration
page should automatically load.
6-13. Open the Allow-Users-All rule and switch to the Actions tab. In the Profile Setting
section, use the URL Filtering dropdown to select the social-networking-sites profile.
Click the OK button to accept the rule changes.
6-14. From the top navigation menu, click the Commit button to merge the changes with the running
configuration. Click Commit to continue. Click Close when the changes have applied.
6-15. On BS-WS-169, open a new Firefox tab and navigate to http://www.facebook.com. The
site should be blocked, but an Application Blocked response page may not appear.
6-16. Review the firewall’s logs and look for evidence of the block.

This concludes the lab. To ensure our VMs are ready for the next lab, on the BS-HQ-FW1 VM, take a
running snapshot called Lab 5 Complete, then shut down all VMs and create snapshots on the
remaining VMs also called Lab 5 Complete.
