Chapter 5 - Content-ID

1. 5.1 Content-ID overview

In this video, we are covering PC NSA 210,and this is our chapter five Content ID. Now this is the first video of chapter five,which is the five-one Content ID overview There are a lot of topics in Chapter Five, but they are very interesting and important for us to understand. Content ID is a technology that combines real-time threat prevention with administrator-defined policies to inspect and control content traversing the firewall.

Content ID will deliver a method of detection based on the analysis of all allowed traffic. So we don't apply Content ID to traffic that has been denied. Content ID will scan the network traffic for software vulnerability exploits, viruses, spyware, maliciousURLs, and dangerous or restricted files. Security policies with security profiles, like wesaid, security profiles or Content ID, will represent additional security checks to be performed on allowed network traffic. Security profiles are not necessary for the securitypolicy rules that will configure the denied action. For example, as we are getting some network traffic into our firewall, the firewall will check the security policy rules. Is that traffic allowed or denied? For example, from this source zone to thisdestination zone or from this IP address to this IP address, is it allowed or denied? If it's denied, we don't apply any security profiles. We just dropped the traffic.

If it's allowed, then we can apply more. We're going to do more checks on that traffic. Maybe there's some kind of virus in there and each one will have an action. For example, what do we do with that content over that traffic? Do we leave it to default? Like, whatever the applications are, whatever their signatures, do we allow that traffic? Maybe we will allow it, but we want to generate a log. Or maybe we want to log and drop as well. Maybe we want to reset the client, which is the initiator of that traffic, or the server, which responds to the traffic. Or we can reset both the initiator and the responder. Or maybe we can even block the IP address of the initiator. For example, vulnerability protection and other security profiles are all available to us and can be applied to our firewall. URL filtering, file blocking, wildfire analysis,datacentre and Dos protection. Now in this chapter we're going to be talking about the Antivirus.Antispyware vulnerability protection, URL filtering. This is chapter six, file blocking. In this chapter, wildfire This is chapter eight. This chapter is data filtering. And in this chapter, dust protection.

There's a lot of stuff that we're going to implement in the security profile in this chapter. Now, security profile types So we have a different type of security profile as well as having a look at the icon. So, for example, antivirus, there's an icon that will detect infected files being transferred with the application. Anti-spyware software detects spyware downloads and traffic from previously installed spyware. Spyware vulnerability defence This detects attempts to exploit known software vulnerabilities, URL filtering, and controls web browsing based on the content file blocking. This will track and block file uploads and downloads based on the file type and application. This will forward unknown files to the Wildfire service for malware analysis. Data filtering will identify and block the transfer of specific data patterns found in the network traffic. The firewall provides denial of service protection that mitigates layer three and four protocol based attacks. So we apply all of these to our security policy rules. So, for example, if I go to my firewall, I'll show you and I go to policies, and I have a policy herefrom inside to outside, and you can see the profiles.

So, when traffic or content comes in, it will be checked to see what zone it is. source zone, destination source, and destination information. If that traffic is allowed and application services and actions are allowed, then we check the security profile and we can see these are security profiles. Now this is your antivirus, antispyware, vulnerability protection, URL filtering, fileblocking, and data filtering. Right now, threat logs will contain records from antivirus, anti-spyware, and vulnerability threats discovered by security profiles. So I generated some threat logs yesterday. So if you want to see that, you need to go to monitor and logs and then thread. So the first thing to see is the type who's generated this. This is a vulnerability threat. When did we receive this? Then you can see the time and date. We have to look at this ID because sometimes we want to have an exemption for some IP address. Maybe we do an in-house penetration test or something that we want to exempt some IP addresses from this threat being logged and maybe even dropped. So we have to look at the threat ID.

I'm going to show you soon where we're going to put that. This green arrow is a green arrow pointing downwards. That means there is a package capture for this thread. So we can have a look at, for example, a bit more detail as well as this magnifying glass. We can look at this information in more detail. The name of the thread For example, we have some kind of anonymous access from zone to zone source address and destination address. Then we see the port number we're using and further information we're going to see is, for example, the application that's creating this vulnerability threat. The action was alert and the severity, for example, medium. I put it on alert. So I'll just show you, but it would have been dropped as medium with a high severity. We have some critical security and the file name,we have some passwords, D and so on. Other information here, like URL or content session ID, that we can see here at the end as well. So for example, I'll show you this ID, the thread log from the thread log. Here we look at the ID and say that we have this thread that we want to have. It doesn't really matter which threads really, just look at the threat ID. Is it correct that I want to exempt some IP addresses from this?

Or maybe I want to exempt this IP address. So what you need to do is go to your security profiles, which are located in objects,and then we have security profiles and security profiles. I'm going to be explaining in this section all of these apart from URL filtering. The next chapter in chapter eight, the wildfire analysis, But the one that created that log was vulnerability protection. So if I go there and let me look at the number again, the ID 351-7351, seven I want to exempt. So go to vulnerability protection. And the one I created is down here. And in exemption, say in the ID, I can see all the signatures, and I can look at all the signatures and find out, but it's going to take a long time. But if you look at the threat ID, which is 3517, and apply that filter, we have that vulnerability threat and I can say, okay, on this one I want to have IP address exemptions, and then on the address I want to add my penetration team IP address, for example, two, one. And this threat is not going to be for that IP address is not going to be displayed anymore. You do that after you make sure that it's not an attack.

Okay, I'm going to show a bit more in the vulnerability protection video about this stuff. Okay, I'm going to click okay there and go back to the slides. We looked at this. Exemption application control center The firewall will use threat log information as a source of information for the web interface reports and information displayed in the Application Control Center. When you go to the firewall, the Application Control Center is here and this is going to show you information,but usually shows us the last hour. And if I do your threat activity,it's not going to show anything because I did all my threat activity yesterday. So I need to change this to, for example,last 24 hours and that should come up with something. If not, I'll change it to the last seven days. Okay, here is where I had some Linux fund and I created over 20 vulnerability issues here, but we have 109 spyware and five viruses here as well. And we can see the application threat activity that we have here. For example, we're going to be talking a lot more about Application Control Center in the monitoring chapter, which is one of the last chapters. So don't worry about this.

2. 5.2 Vulnerability Protection Security Profiles

In this video we are covering PC NSA210, and this is chapter five, content ID. This is the second video of chapter five,which is five two, vulnerability protection security profile. So the first topic that we're going to dive into is vulnerability protection. It's very interesting stuff.So vulnerable probability protection security profiles contain rules that configure the action taken by the firewall when it detects malware known to exploit system vulnerabilities of different security levels and types. These exploits, among others, can include buffer overflow, illegal code execution, maybe SQL injection, and so on. So every Palo Alto network defined vulnerability protection signature includes a default action, maybe drop, maybe reset both client and server, and so on. We're going to see it updated. Vulnerability protection signatures are made available every week by Palo Alto Networks as part of the content updates. And we can attach the vulnerability protection profile to the security policy rule, which I'm going to show you. Now this is going to be the lab that I'm going to be using.

I already have a Kali Linux sitting in the outside zone with that IP address and I will have a bunch of servers with that IP address sitting in the my demilitarized zone Kali Linux is going to access the Ubuntu server or we're going to do vulnerability testing from KaliLinux and it's going to access it through a public IP address of 203 0113. That's a public IP address. The firewall will translate it to an internal IP address or a destination net to that address. I'm going to configure three things. I'm going to configure one. I'm going to do net network address translation and that's going to be a destination net. Two, I'm going to create a security policy rule, a security policy rule which will allow the outside zone Kali Linux to access that Windows server. And number three, I'm going to create a vulnerability protection plan. Okay, so that's the thing. So I'm going to access the firewall. So the first thing was to create a net policy, and to do that you need to go to policies and then net. See, I already have two NAT, but this is the Nat from outside to inside, or outside to the demilitarized zone I don't have. So I'm going to create that I go addend this is going to be outside the DMZ. And when you configure that and want more information on how to do the tags and so on, you need to look at chapter three.

We go over the nets in greater detail. The original package is going to be everything that is going to be the pre net when we are configuring the Nat or pre address translation. So the source zone is going to become from the outside and pre-addressed translation. The destination zone is going to be outside, and the interface is going to be ethernet one one.So if you look, it's coming from here,from outside. It's still on the outside, 230-11310, and the interface is Ethernet one. Okay, so the source could be the source address, which could be anything. The destination address is our Ubuntu server or the public address of that server. So 011310 when we get an IP address or a packet for that IP address, we're going to translate it, we're going to do destination address translation, and we're going to translate it. We're not going to do a port translation. Every port is the same and click OK. And the second thing is now I don't have any hits. I cleared everything, and to clear the hit counter, you just click that and all rows will be cleared, so everything is zero. And the security rules I'll create another security rule. So I'll create a security rule to allow players outside the zone to access the Dimitri zone. So add that this is going to be out to the DMZ.

The source is going to be an outside source address. We don't have a user ID configured for all host information profiles, so we can't leave it to any destination; however, because this is a post net, the destination will be dimitrizone. The destination address is a free net, so we need to put in the address before it's been translated. We cannot leave one 1310 application to any and all services, but we will leave it to any for demonstration purposes. Otherwise, you really wouldn't do this. For the outside of the trade zone, you'll put likeservice FTP or just make sure the exact services you have or the exact applications you have are actually in action. I'm going to set it to allow loginsession to end and the profile to be set up. We don't add vulnerability protection here, but we configure it here So, profile type, profiles, and vulnerability protection. We don't have a configuration, we can use a predefined one, but we're going to make our own one and click okay. So to configure the vulnerability protection, you need to go to objects and then security profiles. And then under security profiles, you have vulnerability protection.

We already have two predefined vulnerability protection security profiles. We can't change them, they are read only. But if we want to use them, we can clone them and then change the clone. But we are going to use it. We're going to make one, but I'm just going to show you what's inside. So if I click on the default, for example, we have a default signature for clients and a default signature for servers. So critical high and medium for the client,critical high and medium for the server. What to do? So then we can have a default action, whatever the signature says, that's what we're going to do. And we don't have a packet capture the strict one. It's similar to the default one. It just has two extra pieces of information low, critical high, and medium. It's reset both information. The lower is the default. And I'm going to explain all this when we create our own one. So we can create our own vulnerability protection and security profile. So click on the ad and first we have to give it a name, whatever we want. So I'm going to just call it Astrid Vulnerability Protection. Okay, And we're going to add the rule here. So the first rule, well, we can add many rules,but I'm going to add just one rule. So add and this is going to be a protection rule, or whatever you want to call it. The first thing is the threat name.

You can put any so it's going to match any signature from anywhere. Or if you just want to match, for example,say that you want to match only Microsoft's signature,I'll put Microsoft or, for example, a different signature, Palo Alto, or whatever you want. Only the signature match on that call that name will match if you want to match that. It's going to be matched by any, any signatures, and the action here is that we have a default. Default says whatever the signature match says, it's got to be either one of the actions going to be there by default.

Or if you want to set your own one, it could be allow, which means it allows the packets to go through. Allow the packets to go through. It could be an alert. That means logging the packets and allowing them to go through. Drop means drop the packets, obviously block the packets, create an alert, create a log, reset the client. So reset the initiator or reset the server, the responder, or reset both the initiator and responder. Or we could block the IP address source or we could block the destination. So if I check in that we're not going to use the block, but if I select that we can block the source or we can block source and destination, we can set the duration in seconds. We're going to do something here.

We're going to say alert because I want to show you thread lock on monitor so we can see it. Otherwise, you would say drop it or whatever. If you put in critical or high horse type, it can be anyor you can just look into the clients or the server. Now I'm going to leave it to both any packet capture. We can have a packet capture disabled or we can capture one packet or extend it to capture. There is only one packet here, and the category is exploits. For example, I want to use any exploit or maybe brute force only codeexecution, exploit kits, or SQL injection overflows. I'm just going to leave it to anyone's right to do this. This is going to be for all ages. I can use it, maybe only for critical, and change it to something else for others. We can also use a common vulnerability exposure number if you want to use all of them. Just a simple one they have identified or any means of anything. The same is true for vendors' IDs, and now we have that protection rule that says I'm going to alert for everything. We shouldn't read it. We should be dropping stuff,but it's for you to see it on the threat monitor or threat log I should say.

Okay, now that I've completed my vulnerability protection, I need to go back and apply this to my policy rule. So I go to Policies and go to Security out to Demilitarize Zone and then go toAction and under profile settings you go to vulnerabilityprotection and I'll put in Astrid vulnerability protection and clickOK and then I will commit this. Okay, now that has been committed successfully, I'm going to go and check it out. So we can see that nothing has been hit yet on the security policy, but we can see the vulnerability protection is there on the Nat rule, so nothing has been hit there either. Okay, so to test that I'm going to go to myKali Linux and here first I'm going to check the IP address, and that's my IP address, 203 01132, and I should be able to communicate with my gateway. So 203 01131, that's a gateway, and that's fine. Okay, I should be able to access the Ubuntu server through FTP. So FTP 2030 one, 1310, and I'm inside. So if I go to my firewall, I should see something on this hit count here because that's my Nat destination now. So if I refresh it, you can see that it's hit now. And in the security role I should see outside the DMZ, I should see some hit counts here as well, as you can see here.

Okay, on the monitor you can see in the traffic log, we should see something from outside to inside. It's not coming yet. We don't have anything in any threads yet. It should appear in the traffic log. It usually takes a bit of time for this to appear. Anyway, we're going to see it here. I'm going to create a penetration test from Kali Linux on the server. So I'm going to clear the screen and I'm going to run Nmap and I'm going to run a script for vulnerability testing. So, 203 0113, ten. Okay, so I'll let that run in and I'll go back to my firewall and yeah, here we go.

We went to FTP, which we allowed, and that's the address of the Kali Linux and that's the address of our server, and everything is working fine. Now if I go to the threads, I should see some threats coming through as well. Here we go, there we go, there we have threads from the source address of our KaliLinux to the destination address of our Bunter server from outside the Demilitarized zone. And for example, we have some security bypass vulnerabilities and we look at the ID as well. For example, this is vulnerability and time. You can see this downward arrow here, a green arrow. It does say that we have a packet capture for this threat that we have. We can go and look at it if we select the magnifying glass. We'll see even further information about this threat.

So if I click on there, it shows you a bit more information about this threat. Client to server, packet capture, all that. And also, we can see, for example, the port number,the application they generate in this threat, the action, which was alert, and the severity, which is critical. We have some high file names as well. And there's going to be more here coming up now because that's just going to go through all of them. Okay, imagine that we have a threat that we want to, for example, exempt some IP addresses. So these threats, like we know for sure, for example, this threat, let's say three, five, or seven http password access attempts is fine. We can exempt that IP address from that threat. To do that, we can go to objects, we have to go to object vulnerability protection and then find out the vulnerability and then have an exemption here. We can show all signatures. There's going to be all those signatures. But the one that we found, instead of looking one by one, there's 14,000 signatures, just the one that we looked at, 3517, I think it was, yeah, there we go. And say that with this signature, I don't want to create an alert and I want to exempt an IP address. So you just have to click on this white space here,even though it's not easy to detect, we just click on the white space and then we can add an IP address. We don't want this threat to be written. So for example, for 203, 01132, one, I don't want thisvulnerability to come up and click, okay, so we have one exemption here and then we will commit that and then we will never see that thread, on the thread log, we won't see that thread, this thread here.

Okay, so we looked at by default,vulnerability protection has two predefined read only. You can't change them, but you can clone them and use them if you want to, or you can create your own one. To add vulnerability protection, we had to go to objects and then to the security profile. So we went to objects and then security profile and vulnerability protection. We clicked, we created a new one, and then we clicked add. Once we added it,we have to tell what the action is which is used in the client or the server or both. Do we want to packet capture and what category do we want to use? And we can create an exemption as well. I showed you how to create it. Just click on thewhitespace here and put in the IP address of the exemption PC. And then, in the end, we had to add the vulnerability protection. After we created it, we had to add it to the security policy rule. So we went to find the security policy. We clicked on the app profile setting and we put in the vulnerability protection. Then we looked at the thread logs. We saw some strategies that came up through the.

3. 5.3 Antivirus Security Profiles

In this video we are covering PC NSA 210, and this is our chapter five content ID. This is the third video of Chapterfive, which has 5.3 antivirus security profiles. Now anti-virus security will protect us against viruses, worms, and choice agents, as well as spyware downloads using a stream-based malware prevention engine, which will inspect traffic moments after the first packet is received. So from the first packet and so on and every other packet afterwards, it will be inspected to make sure that there are no viruses or worms or charging horses. Palo Alto Networks' antivirus solution can provide protection for clients without significantly impacting the performance of the firewall.

Updated virus signatures are made available for use every 24 hours by Palo Alto Networks. Now we have a default antivirus security profile. So the Palo Alto Networks firewall includes a predefined read-only default antivirus security profile. This profile cannot be deleted and it cannot be modified either. If you don't want to use it as it is, you can clone it and then edit the clone, or you can create your own brand new from scratch antivirus profile on the list.

You can see it on the presentation. You can see some applications that are able to transfer files, and because they can transfer files,they can transfer viruses as well. Now to navigate to the antivirus security profile or the default one, we need to access an object, and I'm going to show you this on the live firewall as well. And then we need to go to the security profile and then antivirus, and we have a default here. So on the applications, you can see that they are able to transfer files. So we have apart from the emails. Everything else is to reset both. So alert is sent for resetting both HTTPS, FTP, and SMB emails for sending emails and two for receiving emails. There's a reason behind it. It's because if there's an email,it's always going to try and get to our place from the email server, and if we set it to block or reset it, we're not able to receive any other emails. So, if we want to remove viruses from emails, we must first remove them from the email server. In the actions we have, we'll instruct the firewall the action to take on the antivirus signature delivered in the content update. In the Wildfire action, the Wildfire action will instruct the firewall on the action to take based on the signature delivered by Wildfire. Now this is the lab that we will be using to demonstrate the antivirus security profile. And I'm going to protect the inside zone when they go to the outside zone. If they download some virus or something, we're going to have a block page and we're going to use a test virus for that as well. So I'm going to access my firewall. So you should see a policy. I have a security policy and a net policy that allows the inside users to go to the outside zone from the inside zone to the outside zone. That's my network.

And they can go anywhere. They can go to any destination, theycan go outside any address. And we're going to create an antivirus security profile and we're going to attach it to that's going to appear here under the profiles. And, as you can see, it goes from the outside zone to the demilitarised zone. You already have vulnerability protection, which was video 5.2 that we did yesterday. Okay, so first I'm going to create a profile, antivirus objects, and security profiles. And then we have antivirus. This is our default one. If you want to create a home one, just select add and then I will call this the Astrid Antivirus profile. And then if you want to take, we can take a packet capture, for example, if we see some kind of threat. So we can investigate it further. We can take a packet capture and use it as is, or we can change it if we deviate from the default. So for example, say the SMTP. I'll change it. I'll just say the FTP. Yeah, I'll change that from default, whichis signature says to reset both. But I can allow the traffic. I can alert. That means allowing traffic but generating a log. I can drop the traffic. Drop the traffic and generate a log. Reset the client, reset the initiator,reset the server, reset the responder. Or you can reset both the initiator and the responder. So maybe, maybe I want to drop, I just don't want to reset them both. I just want to drop the traffic, just create a log and drop it. Maybe in SNTP I want to alert or allow that.

So as you can see, when you deviate from the default, you can see like a small red arrow there or a triangle there. They're showing us that that's not the default action. We can have application exceptions. So, for example, some applications that we don't want to generate a virus threat log or block the virus for can be added here. Maybe we have our own application because it's our own application, it doesn't generate viruses. So we can have an exception there. So, for example, you can create your own application and add it here. Okay, the next thing is the virus exceptions. If, for example, you see there's some virus ID is causing false positives. It's not a virus, it just goes there and looks like a virus. We can have an exception here. We can put the threat ID and we can add it. Okay? So I created my antivirus profile here, and I'm going to apply that antivirus profile to my in to our security policy. So I'll go to policies security, select insidezone to outside zone policy, and then under the actions I'll go to profile settings. And at the moment, you can see the profile type is none. We can have profiles individually or we can group them later. I will show you how to do that. So profiles individually and at this time I'll put the antivirus,my own profile I've created and click okay. Then I'll commit this and then we'll go and test it. Okay, we have committed. It has completed successfully. So close that and when we create an antivirus, when we create some kind of threat to view it, we need to go to monitor and we need to go to logs and then to threats.

We can see here there are already some threats from yesterday when we were doing some labs and so on. And if you want to delete all of these, you need to go to device and then log settings. Right here at the end of the log settings, we can clear it. So clear the thread lock. So I want to clear that up. Okay, so now we don't have anything under threadlock, nothing there. Okay, so to test it, I'm going to go to the antivirus profile. I'm going to go to my PC, which is located in the inside zone. Okay, to test it I need to go to the navigator to download it, like a test virus. It's not a virus, it's just like to see if your antivirus is actually working. You need to go to HTTP 2000 and sixteenacar.org. Now this will allow us to download an antimalware test file, so we can make sure just how well the antivirus is actually working. The problem with this is that at the moment it's not allowing HTTP and if we try and download through HTTPS it will work because we don't have the decryption policy enabled. I have found out there is another method, so I can go to this website because he has the HTTP one and I'm going to use Acar HTML and here I can download the HTTP version and we'll see if it works. So I clicked that and there we go. It says it doesn't work if you try to do it. Because we don't have the decryption policy, it will work. For that reason, we have a spyware download locked file named acar.com. You can try the other one as well.

The zip is still going to block us from seeing it. We have to go to our file,go to monitor logs, and then thread. And as you can see, I should have two files already. I'll try to download it from this machine,internal machine to the outside, and the test file. It didn't work. There's a virus and we already have a packet capture for that. If we click on that, it's going to give us the standard antivirus test file and we can go again and try again if it works. But still, it won't work. Trying this still doesn't work. So go there, refresh it. There should be another one there. There we go, there's our third one. Okay, now I'm going to go back to my slides and just finish it off. We created our new antivirus profile, and we could see the actions that we could choose from each one. Allow the traffic to go through with no logs alert. Allow the traffic to drop to scar the traffic. Reset the clients' log and reset the initiator. Reset the server log and reset the responder. Or you can reset them both as well as log out. We can add our own application that we don't want to generate any threat logs or blocking. And we can have a couple exceptions to some kind of false positive if we get in. We can allow that. We can have exceptions for that. And I showed you where to apply that antivirus profile there. And then as soon as we saw it, it didn't work. We saw the blog page.

4. 5.4 Anti-Spyware Security Profiles

In this video we are covering PC NSA210, and this is chapter five, content ID. Now this is the fourth video of Chapter Five, which is 5.4 anti-spyware security profiles. Now anti-spyware security will block spyware-infected hosts from trying to phone home orbeacon out to external command and control services, allowing you to detect malicious traffic leaving the network from infected clients. So if we already have an infected client in our network and it's trying to beacon out tocommand and control service, we will find out. with antispyware security.

Every anti-spy signature defined by PaloAlto Networks includes a default action. Updated antispyware signatures are made available for use every 24 hours by Palo Alto Networks. There are two predefined only antispyware security profiles, similar to the other security profiles mentioned in previous videos. You cannot delete them or modify them. But if you want to modify and then use them, you can clone them first and then modify the clone. Or you can click to create one from scratch. To get to the antivirus security profile, you need to navigate to objects, then security profiles, and then antivirus. And as you can see there, we have two predefined profiles: default and strict. Default has four rules, while strict has five.

Now strict has got an extra simple informational.Now, these are the severities. We have a critical high, a medium and a low,similar to the names they used here. And we have a critical high, medium-informational, new, and low for the predefined strict one. And then on the default, we have an action there. An action tells the firewall to take the action on a predefined signature action rule. So, for example, whatever the signature says, that's what the action is going to take here. On the strict one, however, we stated that we reset both the client and the server. Information and law is a default. And I'm going to show you how to get there,how to actually create your own one and apply it. But first, let's talk about syncing all operations. Now a sinkhole operation Before we start creating this security profile or antivirus, we have to talk about the sinkhole operation. We're going to use this as well.

Consider the infected host in our internal zone. It's already infected and it's trying to communicate with this malicious domain. It's going to try and look at, for example, a DNS lookup for that domain name to an IP address. Our firewall will be able to resolve that. But before it does resolve that, it will check with the DNS signature database to make sure that whatever that infected host is trying to resolve, it's not a malicious domain. So we'll check it first with our database. And I already have a text file. It's just a text file. We could either use our own one. Or we could use Palo Alto networks, database signatures,DNS signatures, and that will resolve the ABC local the infected host is trying to resolve. It's actually a malicious domain. So, rather than providing the IP address of maliciousdomain, we provide the IP address of synchole. So the firewall will reply with 1234. Then the infected host will try to access it.

The file will obviously be dropped and then the threat will be locked. We're going to configure it. There are a few things that we need to do. So before we configure the antispyware, we need to configure the sinkhole operation. So if I go to the firewall and we're going to configure in our policies, we're going to configure an antispyware, we're going to apply it from the inside zone to the outside zone. To configure an anti-spy security policy, we need to go to objects, then we need to access security profiles. And in the security profile, we have antispyer. And as we said, there are two ones. There's a default and strict, but we're going to create our own one. So add and in the name I'm going to call Astridantispyler profile and then I'm going to select add and in the role name, I'm just going to call it again, astridrole, and the thread name you can choose like a specificentry. For example, used to match any signature, contain the entertainment as part of the signature name. So for example, say that I put Microsoft, it's going to try and match all the signatures containing the name Microsoft.

Or really, you can choose anything you want really.It's not just Microsoft. I'm not picking on them. And then in the category I can select,okay, I just want to have it for adware,maybe auto generation, backdoor botnet and so on. Or do I just leave it to any action I can select as the default? The default is whatever the signatures of the antispyware are. Or I can allow that traffic but not generate logs, just allow it to alert. So alert means allow but logdrop, discard the packet, and logreset client, server, and reset both. They will all generate logs and drop the packet. Or we can block or we can block the IP address, either source or source and destination, and we can say how many seconds are there for? Let's just say that we're going to drop packet capture. We're going to say that we're going to actually take a single packet packet capture. We can either take extended packet capture or not take any packet capture just yet. Take one and then severities. Let's do it for all of them. But you can create, like for example, critical, high, and medium.

Maybe it will be dropped and I can create another one. Add rule two, for example, astrid rule two and in the action I'll set an alert for and take a packet capture for low and medium, sorry, low and informational. As a result, low-end data has alerted criticalhigh, and medium data has dropped exceptions. You can have an exception for some kind of signature that you don't want this rule to be applied to and then DNS and DNS signatures. As you can see, the DNS signatures come from Palo Alto. Or we can have our own DNS signature because I already have one on my DMZ server a DNS signature.So I'm going to create my own external dynamic list. These are the lists created by Palo Alto. But I'm going to create my own one because I already have a server in my gymnastics zone that has a list. And I'm going to do that. So I'll click. Okay, Here. And to create your external dynamic list, you need to go to the same place object objects, external dynamic list. And here we already have some dynamic IP lists.

They're going to provide our DNS signatures, but I'm going to create one in one. So add and say, "astridl external dynamic list." And this is going to be the IP list. We are going to have a domain list and the sources on my server, my internalweb server, 19216 8510, and it's Dnssyncal text. And I'm going to check that list of DNS signatures every five minutes. We can check it hourly, five minutes, daily, weekly, or monthly,so five minutes and click okay. Now I've created that dynamic domain list and we need to apply it. So we need to check it. What interface are we checking this list from? Usually it's from the management interface. We need to change it. So to change it, I need to go to device and then go to under setup services, serviceroot configuration, and then you need to customise this. So not the user management interface, customise it.

Then, on the external dynamic list, I'd like to use one of the three interfaces connected to the server, to the DMZ. So it's connected to the demonstration zone server and then committed that I'm just going to show you. While this is committing, I'm going to show you that list. So if I go to my demilitarised zone server,which is here, you can see that I already have DNS six DNS sync called text. So I can show you. So, for example, in there we have ABC dot local, XYZ dot local. I added some other domains as well, just to make it seem more interesting. But what I'm going to do then is I'm going to go to that PCA and I'm going to try and access ABC dot local and XYZ dot local. And then we can see some suspicious domain access generated, right? Okay, go back to the firewall to confirm it has completed successfully and then we can go and test it now. So we can go back to objects external dynamic list and open the one that I created and test it.

Just make sure that this firewall is actually able to communicate with the DMZ. Yeah, it says it's accessible. That's good. And close that. Now here they're going to appear in all those lists. Whatever I put on that DMZ server, they're going to appear here. Okay, So I need to go back to my security profile, antispyware security profile, the one that I created, and open my one. And then in the DNS signatures, I need to add the one that I just created. So instead of using them, I'm going to use my own one as a single packet capture. Yeah, we can take a single packet capture and click Okay, now I'm going to commit it again. Okay, Now, if the commit has been successful, we can go and test it as well. We're actually going to apply that. I haven't applied it. So I need to go to the inside zone to outside zone security policy under the actions and go to anti-spyware and then commit it. The anti-spyware, the one that creates, okay, there and commits that.

Okay, now the commitment has been completed successfully. We can go and check under themonitors, under the monitor log threads. We haven't got anything. We just see some of the viruses,the ones that we did earlier, threats. Now we'll go to the client and do some NS lookup and then see what comes up. So I'm going to open the command prompt and type Nslookup for ABC local. It says DNS (Google nonauthorite answer). No, we haven't found any IP addresses for Abclog. If I do Nslookup Maybe for Facebook.com we see the Facebook IP address. We didn't see anything for ABC. Orgo. Let's do an Nslookup for Wikipedia.org. Yes, we see the IP address as well as IPV six. But if you do NS, look up, for example, X-Y-Z local, there is no IP address. Okay, last one. The other ones I did, for example, NS lookup for shutterfly.com. For that. No IP address either for that.Okay, so that should have generated some of the threats in our log. So if I go to monitor log threads and then refresh this, as you can see now, we have some suspicious domains. So, for example, we have some spyware from inside to outside of this IP address asking the DNS server for these ones for Shutterfly,XYZ local, ABC local, and so on, right? So we have, for example, now the action is being given to sync call. So instead of actually giving the IP address of the shutterfly, it's given the IP address of the sync all.

So if I go back to object and external dynamic lists and open the one that I created, you can see that in the list, there should be whatever I have created on my server on the email tries on. So if I create, for example, a new one, say Igo to that server, and I create DNS, DNS, and sync, all let's just say here I'll create something that doesn't exist. Really? So says Astridoco, correct? Okay, And now if I just do that, So, cat, I know it's not seen on the screen, but catDNS, I can see it's the one that I just added. So let me just put it down here, the one that I added here. So I'm going to wait like five minutes here. I'm going to pause the video,come back and refresh this. That should be all I see. Let's just see without pausing the video. It's going to come up, but it's going to be updated every five minutes. So it might not be there for five minutes. Okay, well, it didn't take five minutes. It took about two minutes. And the one that I did add, it will appear here. And how did I find it was to look in the object external dynamic list? And then we created our own one. And on that list is that the reason why we do this is because we want to generate our own quick suspicious domain look up.Otherwise, we can just leave it to the PaloAlto networks and we can ask them. So the old thing that I did here was just so.

You can see it on the thread, look. Right. And what I did was create my external dynamic list. So I clicked add, and that came up, and I put the IP address of the server where this list is. And the server was on our virtual machine, the server on the DMZone. And then I set it to every five minutes clicked.Okay, I can actually autoexpand and include subdomains here. I forgot to do that. Click "okay." And then under the device, I had to make sure that we weren't using the management interface to actually get outside. We want to use the interface that actually connects to the DMZ server. So for that, I went to service device,set up services, and service route configuration. I used this external dynamic list. I use that IP address on that interface. Then I went back and I made sure that I could ping or I could actually just test it. Test the source URL, like just pinging it. It worked. Yes, it works. and then created the security or anti-spyware security profile and applied it to the security policy. So now when the client actually tries to get to that NS lookup, for example, Astrid local,that's going to generate a suspicious domain look up.So if I go to my firewall now and check it, sogo to monitor and thread, update that and it should be here.

Prepared by Top Experts, the top IT Trainers ensure that when it comes to your IT exam prep and you can count on ExamSnap Palo Alto Networks Certified Network Security Administrator certification video training course that goes in line with the corresponding Palo Alto Networks PCNSA exam dumps, study guide, and practice test questions & answers.