
Solution ‐ Decryption

Verify firewall behavior without decryption

1. Open a new browser window to www.eicar.org

2. Click Anti‐Malware Testfile.

3. Click the Download link to access the virus test files.

4. Download any of the Eicar test zip files listed under the banner “Download area using the secure, SSL enabled protocol https”. The download succeeds.

5. Go to the PA‐200 GUI and click Monitor > Logs > Threat to view the log. Notice that SSL encryption hid the contents of the download from the firewall, so the test file was not detected as a threat.

Create an SSL self‐signed Certificate

6. Click Device > Certificate Management > Certificates.

7. Click Generate at the bottom of the screen to create a new self‐signed certificate:

Certificate Name: Enter CA-X-ssl-cert

Common Name: Enter 192.168.2.1

Certificate Authority: Check the box

Click Generate to create the certificate. Click OK to dismiss the certificate generation success window.

8. Click CA‐X‐ssl‐cert in the list of certificates to edit the certificate properties. Check the boxes for Forward Trust Certificate and Forward Untrust Certificate. Click OK to confirm the changes.

Create SSL Decryption Policies

9. Click Policies > Decryption.

10. Click Add to create an SSL decryption rule for the exception categories:

General tab

Name: Enter no-decrypt-traffic

Source tab

Source Zone: Click Add, then select Trust‐L3

Destination tab

Destination Zone: Click Add, then select Untrust‐L3

URL Category tab

URL Category: Click Add and add each of the following URL categories:

health‐and‐medicine

shopping

financial‐services

Options tab

Action: Select no‐decrypt

Type: Select SSL Forward Proxy

Click OK to close the configuration window.

PAN‐EDU‐101

Lab Manual PAN‐OS 6.0 – Rev A.200 Page 34

11. Click Add to create the SSL decryption rule for general decryption:

General tab

Name: Enter decrypt-all-traffic

Source tab

Source Zone: Click Add, then select Trust‐L3

Destination tab

Destination Zone: Click Add, then select Untrust‐L3

URL Category tab

URL Category: Verify that the Any box is checked

Options tab

Action: Select decrypt

Type: Select SSL Forward Proxy

Click OK to close the configuration window.

12. Confirm that your decryption policy list looks like this:

Modify the General Internet Security Policy

13. In the WebUI, open Policies > Security.

14. Open the General Internet Policy.

15. Select the Service/URL Category tab.

16. Change the drop‐down box from application‐default to any. Click OK to close.

17. Click the Commit link at the top‐right of the WebUI. Click OK again and wait until the commit process completes before continuing.

Test the SSL Decryption Policies

18. Open a new browser window to www.eicar.org

19. Click Anti‐Malware Testfile.

20. Click the Download link to access the virus test files.

21. Download any of the Eicar test zip files listed under the banner “Download area using the secure, SSL enabled protocol https”. A certificate error occurs. This is expected behavior because the firewall is intercepting the SSL connection and performing man‐in‐the‐middle decryption.

22. Click through the certificate error. The download fails and a block page appears.

23. In the WebUI, examine the Threat logs under Monitor > Logs > Threat. The virus should have been detected, since the SSL connection was decrypted.

24. Click the magnifying glass icon at the beginning of the line to show the Log Details window. Verify that the Decrypted box has a check mark.


25. In the WebUI, click Monitor > Logs > Traffic.

26. Set the traffic log to display only port 443 traffic by entering ( port.dst eq 443 ) in the filter field.

27. Select 10 Seconds from the pull‐down menu so that the display will refresh automatically.

28. In a separate browser window, browse to the following URLs using https:

financial‐services: www.bankofamerica.com

health‐and‐medicine: www.deltadental.com

shopping: www.macys.com

29. Now use https:// to browse to sites like bing.com or yahoo.com which are not excluded.

30. Return to the traffic log at Monitor > Logs > Traffic.

31. If the URL Category column is not displayed, click the drop‐down arrow next to one of the columns and select URL Category.

32. Find an entry for one of the excluded categories by looking at the value in the URL Category column.

33. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify that the Decrypted box in the Misc panel is unchecked.

34. Find an entry for one of the non‐excluded categories by looking at the value in the URL Category column.

35. Click the magnifying glass icon at the beginning of the entry to show the Log Details window. Verify that the Decrypted box in the Misc panel is checked.


Import the CA Certificate into Windows Trusted Certificates

36. Click Device > Certificate Management > Certificates.

37. Select the line containing CA‐X‐ssl‐cert, without opening the certificate.

38. Click Export. The Export Certification window opens.

39. Leave the file format at PEM, and leave the Export private key checkbox unchecked.

40. Click OK and download the .crt file to the Desktop. (If your browser saves the file as a .txt file, change the extension to .crt.)

41. Double‐click the certificate. A Security Warning appears.

42. Click Open. The certificate opens.

43. Click Install Certificate… The Certificate Import Wizard opens.

44. Click Next.

45. Select Place all certificates in the following store and click Browse. The Select Certificate Store window opens.


46. Choose Trusted Root Certificate Authorities and click OK. The window closes.

47. Click Next. The Completing the Certificate Import window appears.

48. Click Finish. A Security Warning appears.

49. Click Yes. A box indicates that the import was successful. Click OK.

50. Close the certificate by clicking OK.

51. Double‐click the certificate to open it.

52. In the certificate, click the Certification Path tab. Notice that the Certificate Status says “This certificate is OK”.

53. Close the certificate by clicking OK.

54. Use Chrome or Internet Explorer (NOT Firefox, which uses its own Certificate Store) to browse https sites.

Notice that you no longer receive the Certificate errors.

Exclude a Site from Decryption

55. From your desktop, use PuTTY to open an SSH session to 192.168.2.1.

56. Log in with Username admin and Password paloalto.

57. Issue the following commands.

> configure

# set shared ssl-decrypt ssl-exclude-cert *.eicar.org

# show shared ssl-decrypt

# commit

58. When the configuration has finished committing, log out of the PuTTY session.
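The following is an added example, not PAN‐OS code or part of the lab manual: a small model of the decision order the lab builds, in which the ssl-exclude-cert list (matched against the server certificate's common name) is honoured first and the decryption rules are then evaluated top‐down with the first match winning. It also audits constructed traffic‐log records against that expectation, the same check steps 28 to 35 perform by hand. Rule, zone and category names come from the lab; the log record fields and the search‐engines category used in the test are assumptions for the example.

```python
"""Model of the lab's decryption decision order (added example, not PAN-OS code)."""
from fnmatch import fnmatch

# Decryption rules in the order they appear in Policies > Decryption (step 12).
# The no-decrypt rule must sit above decrypt-all-traffic or it never matches.
DECRYPTION_RULES = [
    {"name": "no-decrypt-traffic", "src": "Trust-L3", "dst": "Untrust-L3",
     "categories": {"health-and-medicine", "shopping", "financial-services"},
     "action": "no-decrypt"},
    {"name": "decrypt-all-traffic", "src": "Trust-L3", "dst": "Untrust-L3",
     "categories": None,  # None models the "Any" checkbox
     "action": "decrypt"},
]

# set shared ssl-decrypt ssl-exclude-cert *.eicar.org  (step 57)
SSL_EXCLUDE_CERT = ["*.eicar.org"]


def decryption_decision(src_zone, dst_zone, url_category, server_cn):
    """Return (action, reason) for one TLS session to the given server."""
    # Certificate exclusions apply regardless of which decryption rule matches.
    for pattern in SSL_EXCLUDE_CERT:
        if fnmatch(server_cn.lower(), pattern.lower()):
            return "no-decrypt", f"ssl-exclude-cert {pattern}"
    for rule in DECRYPTION_RULES:
        zones_ok = rule["src"] == src_zone and rule["dst"] == dst_zone
        cat_ok = rule["categories"] is None or url_category in rule["categories"]
        if zones_ok and cat_ok:
            return rule["action"], rule["name"]
    return "no-decrypt", "no matching rule"  # unmatched sessions stay encrypted


def audit_traffic_log(records):
    """Return records whose Decrypted flag disagrees with the expected decision.

    Each record is a constructed dict (dst_port, src_zone, dst_zone,
    url_category, server_cn, decrypted); the field layout is an assumption,
    not the PAN-OS export format.
    """
    mismatches = []
    for rec in records:
        if rec["dst_port"] != 443:
            continue  # same narrowing as the ( port.dst eq 443 ) filter
        action, _ = decryption_decision(rec["src_zone"], rec["dst_zone"],
                                        rec["url_category"], rec["server_cn"])
        if rec["decrypted"] != (action == "decrypt"):
            mismatches.append(rec)
    return mismatches
```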


Related documents