set Format Configuration

The following PAN-OS configuration is required as a starting point for the labs.

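NOTE: This configuration uses the default credentials: admin / admin and adminr / admin. The passwords are set by the two `set mgt-config users ... phash` lines at the end of the listing (stored as `$1$` MD5-crypt hashes), so applying the configuration replaces the existing passwords of those accounts. If you apply this configuration to your own firewall, be certain to change the passwords from the default. Do not apply this configuration to a production firewall: besides the credentials, rule1 allows all traffic from the trust zone to the untrust zone, and the default IKE and IPsec crypto profiles use 3DES, SHA-1 and DH group 2. Use this configuration at your own risk.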

If you need a firewall to run this lab on, you can easily deploy a firewall in AWS. A firewall license is not necessary for any steps in this lab.

set deviceconfig system type static
set deviceconfig system update-server updates.paloaltonetworks.com
set deviceconfig system update-schedule
set deviceconfig system timezone US/Pacific
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes
set deviceconfig system hostname PA-VM
set deviceconfig system ip-address 192.168.1.103
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 192.168.1.254
set deviceconfig system dns-setting servers primary 8.8.8.8
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address us.pool.ntp.org
set deviceconfig system ntp-servers primary-ntp-server authentication-type none
set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address north-america.pool.ntp.org
set deviceconfig system ntp-servers secondary-ntp-server authentication-type none
set deviceconfig setting config rematch yes
set deviceconfig setting management hostname-type-in-syslog FQDN
set deviceconfig setting management disable-predefined-reports [ spyware-infected-hosts top-application-categories top-technology-categories bandwidth-trend risk-trend threat-trend top-users top-attacker-sources top-attacker-destinations top-victim-sources top-victim-destinations top-attackers-by-source-countries top-attackers-by-destination-countries top-victims-by-source-countries top-victims-by-destination-countries top-sources top-destinations top-destination-countries top-source-countries top-connections top-ingress-interfaces top-egress-interfaces top-ingress-zones top-egress-zones top-applications top-http-applications top-rules top-attacks top-spyware-threats top-viruses top-vulnerabilities wildfire-file-digests top-websites top-url-categories top-url-users top-url-user-behavior top-blocked-websites top-blocked-url-categories top-blocked-url-users top-blocked-url-user-behavior blocked-credential-post unknown-tcp-connections unknown-udp-connections top-denied-sources top-denied-destinations top-denied-applications risky-users "SaaS Application Usage" gtp-events-summary gtp-malicious-wildfire-submissions gtp-security-events gtp-v1-causes gtp-v2-causes gtp-users-visiting-malicious-url top-gtp-attacker-destinations top-gtp-attacker-sources top-gtp-victim-destinations top-gtp-victim-sources sctp-error-causes sctp-events-summary sctp-security-events ]
set deviceconfig setting auto-mac-detect yes
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network profiles monitor-profile default interval 3
set network profiles monitor-profile default threshold 5
set network profiles monitor-profile default action wait-recover
set network ike crypto-profiles ike-crypto-profiles default encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ike-crypto-profiles default hash sha1
set network ike crypto-profiles ike-crypto-profiles default dh-group group2
set network ike crypto-profiles ike-crypto-profiles default lifetime hours 8
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 hash sha256
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 dh-group group19
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 lifetime hours 8
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 hash sha384
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 dh-group group20
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ipsec-crypto-profiles default esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles default dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles default lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp encryption aes-128-gcm
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 dh-group group19
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 esp encryption aes-256-gcm
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 dh-group group20
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 lifetime hours 1
set network ike crypto-profiles global-protect-app-crypto-profiles default encryption aes-128-cbc
set network ike crypto-profiles global-protect-app-crypto-profiles default authentication sha1
set network qos profile default class-bandwidth-type mbps class class1 priority real-time
set network qos profile default class-bandwidth-type mbps class class2 priority high
set network qos profile default class-bandwidth-type mbps class class3 priority high
set network qos profile default class-bandwidth-type mbps class class4 priority medium
set network qos profile default class-bandwidth-type mbps class class5 priority medium
set network qos profile default class-bandwidth-type mbps class class6 priority low
set network qos profile default class-bandwidth-type mbps class class7 priority low
set network qos profile default class-bandwidth-type mbps class class8 priority low
set network virtual-router default protocol bgp enable no
set network virtual-router default protocol bgp dampening-profile default cutoff 1.25
set network virtual-router default protocol bgp dampening-profile default reuse 0.5
set network virtual-router default protocol bgp dampening-profile default max-hold-time 900
set network virtual-router default protocol bgp dampening-profile default decay-half-life-reachable 300
set network virtual-router default protocol bgp dampening-profile default decay-half-life-unreachable 900
set network virtual-router default protocol bgp dampening-profile default enable yes
set network virtual-wire default-vwire interface1 ethernet1/1
set network virtual-wire default-vwire interface2 ethernet1/2
set shared application
set shared application-group
set shared service
set shared service-group
set shared botnet configuration http dynamic-dns enabled yes
set shared botnet configuration http dynamic-dns threshold 5
set shared botnet configuration http malware-sites enabled yes
set shared botnet configuration http malware-sites threshold 5
set shared botnet configuration http recent-domains enabled yes
set shared botnet configuration http recent-domains threshold 5
set shared botnet configuration http ip-domains enabled yes
set shared botnet configuration http ip-domains threshold 10
set shared botnet configuration http executables-from-unknown-sites enabled yes
set shared botnet configuration http executables-from-unknown-sites threshold 5
set shared botnet configuration other-applications irc yes
set shared botnet configuration unknown-applications unknown-tcp destinations-per-hour 10
set shared botnet configuration unknown-applications unknown-tcp sessions-per-hour 10
set shared botnet configuration unknown-applications unknown-tcp session-length maximum-bytes 100
set shared botnet configuration unknown-applications unknown-tcp session-length minimum-bytes 50
set shared botnet configuration unknown-applications unknown-udp destinations-per-hour 10
set shared botnet configuration unknown-applications unknown-udp sessions-per-hour 10
set shared botnet configuration unknown-applications unknown-udp session-length maximum-bytes 100
set shared botnet configuration unknown-applications unknown-udp session-length minimum-bytes 50
set shared botnet report topn 100
set shared botnet report scheduled yes
set shared content-preview application
set shared content-preview application-type category
set shared content-preview application-type technology
set shared local-user-database user-group
set zone trust network virtual-wire ethernet1/2
set zone untrust network virtual-wire ethernet1/1
set user-id-collector setting enable-mapping-timeout yes
set user-id-collector setting ip-user-mapping-timeout 45
set service-group
set service
set schedule
set rulebase security rules rule2 to untrust
set rulebase security rules rule2 from trust
set rulebase security rules rule2 source any
set rulebase security rules rule2 source-user any
set rulebase security rules rule2 category any
set rulebase security rules rule2 application any
set rulebase security rules rule2 service application-default
set rulebase security rules rule2 hip-profiles any
set rulebase security rules rule2 action deny
set rulebase security rules rule2 destination group2
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 from trust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 source-user any
set rulebase security rules rule1 category any
set rulebase security rules rule1 application any
set rulebase security rules rule1 service any
set rulebase security rules rule1 hip-profiles any
set rulebase security rules rule1 action allow
set import network interface [ ethernet1/1 ethernet1/2 ]
set dynamic-user-group dug1 filter '"tag01" or "tag02"'
set application-group
set application
set address-group group1 static [ addr1 addr2 addr3 ]
set address-group group2 dynamic filter '"tag01" or "tag02"'
set address addr1 ip-netmask 10.0.0.1
set address addr2 ip-netmask 10.0.0.2
set address addr3 ip-netmask 10.0.0.3
set address addr4 ip-netmask 10.0.0.4
set address addr5 ip-netmask 10.0.0.5
set mgt-config users admin phash $1$fniyibcj$0tm9SixJw/wOkFkDnEqVw/
set mgt-config users admin permissions role-based superuser yes
set mgt-config users adminr permissions role-based superreader yes
set mgt-config users adminr phash $1$rhprpgfp$JiYMvTDuUUWW4F7ND06JI1