XML Format Configuration
The following PAN-OS configuration is required as a starting point for the labs.
NOTE: This configuration uses the default credentials: admin / admin and adminr / admin. If you apply this configuration to your own firewall, be certain to change the passwords from the default. Do not apply this configuration to a production firewall. Use this configuration at your own risk.
If you need a firewall to run this lab on, you can easily deploy a firewall in AWS. A firewall license is not necessary for any steps in this lab.
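<!-- PAN-OS 9.1.0 starting configuration for the labs (see the notes above).
     The line numbers that the rendered page had fused onto each line have been
     removed and the document re-indented, so it is well-formed and can be
     loaded as a single file. No element or value has been changed. -->
<config urldb="paloaltonetworks" version="9.1.0">
  <!-- Local administrator accounts. phash holds the stored password hash; both
       accounts carry the default password described in the text above, and the
       hash is what a password change replaces. -->
  <mgt-config>
    <users>
      <!-- Full administrator (superuser). -->
      <entry name="admin">
        <phash>$1$fniyibcj$0tm9SixJw/wOkFkDnEqVw/</phash>
        <permissions>
          <role-based>
            <superuser>yes</superuser>
          </role-based>
        </permissions>
      </entry>
      <!-- Read-only administrator (superreader). -->
      <entry name="adminr">
        <permissions>
          <role-based>
            <superreader>yes</superreader>
          </role-based>
        </permissions>
        <phash>$1$rhprpgfp$JiYMvTDuUUWW4F7ND06JI1</phash>
      </entry>
    </users>
  </mgt-config>
  <shared>
    <application />
    <application-group />
    <service />
    <service-group />
    <!-- Botnet report: HTTP-based indicators with their alert thresholds, IRC as
         an "other application" indicator, and unknown-TCP/UDP session heuristics.
         The scheduled report lists the top 100 hosts. -->
    <botnet>
      <configuration>
        <http>
          <dynamic-dns>
            <enabled>yes</enabled>
            <threshold>5</threshold>
          </dynamic-dns>
          <malware-sites>
            <enabled>yes</enabled>
            <threshold>5</threshold>
          </malware-sites>
          <recent-domains>
            <enabled>yes</enabled>
            <threshold>5</threshold>
          </recent-domains>
          <ip-domains>
            <enabled>yes</enabled>
            <threshold>10</threshold>
          </ip-domains>
          <executables-from-unknown-sites>
            <enabled>yes</enabled>
            <threshold>5</threshold>
          </executables-from-unknown-sites>
        </http>
        <other-applications>
          <irc>yes</irc>
        </other-applications>
        <unknown-applications>
          <unknown-tcp>
            <destinations-per-hour>10</destinations-per-hour>
            <sessions-per-hour>10</sessions-per-hour>
            <session-length>
              <maximum-bytes>100</maximum-bytes>
              <minimum-bytes>50</minimum-bytes>
            </session-length>
          </unknown-tcp>
          <unknown-udp>
            <destinations-per-hour>10</destinations-per-hour>
            <sessions-per-hour>10</sessions-per-hour>
            <session-length>
              <maximum-bytes>100</maximum-bytes>
              <minimum-bytes>50</minimum-bytes>
            </session-length>
          </unknown-udp>
        </unknown-applications>
      </configuration>
      <report>
        <topn>100</topn>
        <scheduled>yes</scheduled>
      </report>
    </botnet>
    <content-preview>
      <application />
      <application-type>
        <category />
        <technology />
      </application-type>
    </content-preview>
    <local-user-database>
      <user-group />
    </local-user-database>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <!-- Both data-plane interfaces run in virtual-wire mode; they are paired
             by the "default-vwire" entry at the end of this network section. -->
        <interface>
          <ethernet>
            <entry name="ethernet1/1">
              <virtual-wire />
            </entry>
            <entry name="ethernet1/2">
              <virtual-wire />
            </entry>
          </ethernet>
        </interface>
        <profiles>
          <monitor-profile>
            <entry name="default">
              <interval>3</interval>
              <threshold>5</threshold>
              <action>wait-recover</action>
            </entry>
          </monitor-profile>
        </profiles>
        <ike>
          <crypto-profiles>
            <!-- IKE crypto profiles. The "default" profile still offers 3des and
                 sha1 alongside aes-128-cbc with DH group2; the Suite-B-GCM entries
                 use SHA-2 hashes with DH groups 19/20. This configuration defines
                 no IKE gateways or IPsec tunnels that reference these profiles. -->
            <ike-crypto-profiles>
              <entry name="default">
                <encryption>
                  <member>aes-128-cbc</member>
                  <member>3des</member>
                </encryption>
                <hash>
                  <member>sha1</member>
                </hash>
                <dh-group>
                  <member>group2</member>
                </dh-group>
                <lifetime>
                  <hours>8</hours>
                </lifetime>
              </entry>
              <entry name="Suite-B-GCM-128">
                <encryption>
                  <member>aes-128-cbc</member>
                </encryption>
                <hash>
                  <member>sha256</member>
                </hash>
                <dh-group>
                  <member>group19</member>
                </dh-group>
                <lifetime>
                  <hours>8</hours>
                </lifetime>
              </entry>
              <entry name="Suite-B-GCM-256">
                <encryption>
                  <member>aes-256-cbc</member>
                </encryption>
                <hash>
                  <member>sha384</member>
                </hash>
                <dh-group>
                  <member>group20</member>
                </dh-group>
                <lifetime>
                  <hours>8</hours>
                </lifetime>
              </entry>
            </ike-crypto-profiles>
            <!-- IPsec (ESP) profiles. The GCM entries use AEAD ciphers, which is
                 why their authentication member is "none". -->
            <ipsec-crypto-profiles>
              <entry name="default">
                <esp>
                  <encryption>
                    <member>aes-128-cbc</member>
                    <member>3des</member>
                  </encryption>
                  <authentication>
                    <member>sha1</member>
                  </authentication>
                </esp>
                <dh-group>group2</dh-group>
                <lifetime>
                  <hours>1</hours>
                </lifetime>
              </entry>
              <entry name="Suite-B-GCM-128">
                <esp>
                  <encryption>
                    <member>aes-128-gcm</member>
                  </encryption>
                  <authentication>
                    <member>none</member>
                  </authentication>
                </esp>
                <dh-group>group19</dh-group>
                <lifetime>
                  <hours>1</hours>
                </lifetime>
              </entry>
              <entry name="Suite-B-GCM-256">
                <esp>
                  <encryption>
                    <member>aes-256-gcm</member>
                  </encryption>
                  <authentication>
                    <member>none</member>
                  </authentication>
                </esp>
                <dh-group>group20</dh-group>
                <lifetime>
                  <hours>1</hours>
                </lifetime>
              </entry>
            </ipsec-crypto-profiles>
            <global-protect-app-crypto-profiles>
              <entry name="default">
                <encryption>
                  <member>aes-128-cbc</member>
                </encryption>
                <authentication>
                  <member>sha1</member>
                </authentication>
              </entry>
            </global-protect-app-crypto-profiles>
          </crypto-profiles>
        </ike>
        <!-- QoS profile: eight classes ordered from class1 (real-time) down to
             class6-class8 (low). -->
        <qos>
          <profile>
            <entry name="default">
              <class-bandwidth-type>
                <mbps>
                  <class>
                    <entry name="class1">
                      <priority>real-time</priority>
                    </entry>
                    <entry name="class2">
                      <priority>high</priority>
                    </entry>
                    <entry name="class3">
                      <priority>high</priority>
                    </entry>
                    <entry name="class4">
                      <priority>medium</priority>
                    </entry>
                    <entry name="class5">
                      <priority>medium</priority>
                    </entry>
                    <entry name="class6">
                      <priority>low</priority>
                    </entry>
                    <entry name="class7">
                      <priority>low</priority>
                    </entry>
                    <entry name="class8">
                      <priority>low</priority>
                    </entry>
                  </class>
                </mbps>
              </class-bandwidth-type>
            </entry>
          </profile>
        </qos>
        <!-- Virtual router with BGP disabled (enable = no); only the BGP
             dampening profile is retained. -->
        <virtual-router>
          <entry name="default">
            <protocol>
              <bgp>
                <enable>no</enable>
                <dampening-profile>
                  <entry name="default">
                    <cutoff>1.25</cutoff>
                    <reuse>0.5</reuse>
                    <max-hold-time>900</max-hold-time>
                    <decay-half-life-reachable>300</decay-half-life-reachable>
                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
                    <enable>yes</enable>
                  </entry>
                </dampening-profile>
              </bgp>
            </protocol>
          </entry>
        </virtual-router>
        <!-- Pairs ethernet1/1 and ethernet1/2 into one virtual wire. -->
        <virtual-wire>
          <entry name="default-vwire">
            <interface1>ethernet1/1</interface1>
            <interface2>ethernet1/2</interface2>
          </entry>
        </virtual-wire>
      </network>
      <deviceconfig>
        <!-- Management-plane settings: static address 192.168.1.103/24 with
             gateway 192.168.1.254; the cleartext Telnet and HTTP management
             services are disabled. -->
        <system>
          <type>
            <static />
          </type>
          <update-server>updates.paloaltonetworks.com</update-server>
          <update-schedule />
          <timezone>US/Pacific</timezone>
          <service>
            <disable-telnet>yes</disable-telnet>
            <disable-http>yes</disable-http>
          </service>
          <hostname>PA-VM</hostname>
          <ip-address>192.168.1.103</ip-address>
          <netmask>255.255.255.0</netmask>
          <default-gateway>192.168.1.254</default-gateway>
          <dns-setting>
            <servers>
              <primary>8.8.8.8</primary>
            </servers>
          </dns-setting>
          <!-- Public NTP pool servers; both use authentication-type "none". -->
          <ntp-servers>
            <primary-ntp-server>
              <ntp-server-address>us.pool.ntp.org</ntp-server-address>
              <authentication-type>
                <none />
              </authentication-type>
            </primary-ntp-server>
            <secondary-ntp-server>
              <ntp-server-address>north-america.pool.ntp.org</ntp-server-address>
              <authentication-type>
                <none />
              </authentication-type>
            </secondary-ntp-server>
          </ntp-servers>
        </system>
        <setting>
          <config>
            <rematch>yes</rematch>
          </config>
          <management>
            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
            <!-- Predefined reports switched off for the lab. -->
            <disable-predefined-reports>
              <member>spyware-infected-hosts</member>
              <member>top-application-categories</member>
              <member>top-technology-categories</member>
              <member>bandwidth-trend</member>
              <member>risk-trend</member>
              <member>threat-trend</member>
              <member>top-users</member>
              <member>top-attacker-sources</member>
              <member>top-attacker-destinations</member>
              <member>top-victim-sources</member>
              <member>top-victim-destinations</member>
              <member>top-attackers-by-source-countries</member>
              <member>top-attackers-by-destination-countries</member>
              <member>top-victims-by-source-countries</member>
              <member>top-victims-by-destination-countries</member>
              <member>top-sources</member>
              <member>top-destinations</member>
              <member>top-destination-countries</member>
              <member>top-source-countries</member>
              <member>top-connections</member>
              <member>top-ingress-interfaces</member>
              <member>top-egress-interfaces</member>
              <member>top-ingress-zones</member>
              <member>top-egress-zones</member>
              <member>top-applications</member>
              <member>top-http-applications</member>
              <member>top-rules</member>
              <member>top-attacks</member>
              <member>top-spyware-threats</member>
              <member>top-viruses</member>
              <member>top-vulnerabilities</member>
              <member>wildfire-file-digests</member>
              <member>top-websites</member>
              <member>top-url-categories</member>
              <member>top-url-users</member>
              <member>top-url-user-behavior</member>
              <member>top-blocked-websites</member>
              <member>top-blocked-url-categories</member>
              <member>top-blocked-url-users</member>
              <member>top-blocked-url-user-behavior</member>
              <member>blocked-credential-post</member>
              <member>unknown-tcp-connections</member>
              <member>unknown-udp-connections</member>
              <member>top-denied-sources</member>
              <member>top-denied-destinations</member>
              <member>top-denied-applications</member>
              <member>risky-users</member>
              <member>SaaS Application Usage</member>
              <member>gtp-events-summary</member>
              <member>gtp-malicious-wildfire-submissions</member>
              <member>gtp-security-events</member>
              <member>gtp-v1-causes</member>
              <member>gtp-v2-causes</member>
              <member>gtp-users-visiting-malicious-url</member>
              <member>top-gtp-attacker-destinations</member>
              <member>top-gtp-attacker-sources</member>
              <member>top-gtp-victim-destinations</member>
              <member>top-gtp-victim-sources</member>
              <member>sctp-error-causes</member>
              <member>sctp-events-summary</member>
              <member>sctp-security-events</member>
            </disable-predefined-reports>
          </management>
          <auto-mac-detect>yes</auto-mac-detect>
        </setting>
      </deviceconfig>
      <vsys>
        <entry name="vsys1">
          <application />
          <application-group />
          <!-- Zones: "trust" contains ethernet1/2, "untrust" contains ethernet1/1. -->
          <zone>
            <entry name="trust">
              <network>
                <virtual-wire>
                  <member>ethernet1/2</member>
                </virtual-wire>
              </network>
            </entry>
            <entry name="untrust">
              <network>
                <virtual-wire>
                  <member>ethernet1/1</member>
                </virtual-wire>
              </network>
            </entry>
          </zone>
          <service />
          <service-group />
          <schedule />
          <rulebase>
            <security>
              <!-- Rules are evaluated top-down. rule2 denies trust->untrust traffic
                   whose destination is in the dynamic address group "group2"
                   (application-default service); rule1 then allows all remaining
                   trust->untrust traffic (any source, destination, application
                   and service), which is intended for the lab only. -->
              <rules>
                <entry name="rule2" uuid="031613c5-a691-4887-b284-5af2915e7c36">
                  <to>
                    <member>untrust</member>
                  </to>
                  <from>
                    <member>trust</member>
                  </from>
                  <source>
                    <member>any</member>
                  </source>
                  <source-user>
                    <member>any</member>
                  </source-user>
                  <category>
                    <member>any</member>
                  </category>
                  <application>
                    <member>any</member>
                  </application>
                  <service>
                    <member>application-default</member>
                  </service>
                  <hip-profiles>
                    <member>any</member>
                  </hip-profiles>
                  <action>deny</action>
                  <destination>
                    <member>group2</member>
                  </destination>
                </entry>
                <entry name="rule1" uuid="c678a3fb-0e9b-45b7-aa4f-66a3e8864339">
                  <to>
                    <member>untrust</member>
                  </to>
                  <from>
                    <member>trust</member>
                  </from>
                  <source>
                    <member>any</member>
                  </source>
                  <destination>
                    <member>any</member>
                  </destination>
                  <source-user>
                    <member>any</member>
                  </source-user>
                  <category>
                    <member>any</member>
                  </category>
                  <application>
                    <member>any</member>
                  </application>
                  <service>
                    <member>any</member>
                  </service>
                  <hip-profiles>
                    <member>any</member>
                  </hip-profiles>
                  <action>allow</action>
                </entry>
              </rules>
            </security>
          </rulebase>
          <!-- Makes both data-plane interfaces available to vsys1. -->
          <import>
            <network>
              <interface>
                <member>ethernet1/1</member>
                <member>ethernet1/2</member>
              </interface>
            </network>
          </import>
          <!-- Five host address objects used by the lab exercises. -->
          <address>
            <entry name="addr1">
              <ip-netmask>10.0.0.1</ip-netmask>
            </entry>
            <entry name="addr2">
              <ip-netmask>10.0.0.2</ip-netmask>
            </entry>
            <entry name="addr3">
              <ip-netmask>10.0.0.3</ip-netmask>
            </entry>
            <entry name="addr4">
              <ip-netmask>10.0.0.4</ip-netmask>
            </entry>
            <entry name="addr5">
              <ip-netmask>10.0.0.5</ip-netmask>
            </entry>
          </address>
          <!-- group1 is a static group of addr1-addr3; group2 is a dynamic group
               whose membership is driven by the tags "tag01" or "tag02" and is the
               destination that rule2 denies. -->
          <address-group>
            <entry name="group1">
              <static>
                <member>addr1</member>
                <member>addr2</member>
                <member>addr3</member>
              </static>
            </entry>
            <entry name="group2">
              <dynamic>
                <filter>"tag01" or "tag02"</filter>
              </dynamic>
            </entry>
          </address-group>
          <user-id-collector>
            <setting>
              <enable-mapping-timeout>yes</enable-mapping-timeout>
              <ip-user-mapping-timeout>45</ip-user-mapping-timeout>
            </setting>
          </user-id-collector>
          <!-- Dynamic user group using the same tag filter as group2. -->
          <dynamic-user-group>
            <entry name="dug1">
              <filter>"tag01" or "tag02"</filter>
            </entry>
          </dynamic-user-group>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>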