Revision for CT
Week 1
DMZ
isolate Internet facing hosts
Ideally uses proxies to rebuild packets for forwarding
Best way to implement it is to use a proxy to screen the traffic
Different Types of DMZ
Screened Subnet
Triple Homed firewall topology
Screened host approach
Which one is needed?
Understand the Data Plane and Control Plane
Control Plane -> provides configuration, logging and reporting functions on a separate processor, RAM and hard drive
Data Plane-> contains 3 types of processors that are connected by high speed 1Gbps buses, each dedicated to specific security functions that work in parallel
Signature Matching - Match vulnerability, anti-spyware, anti-virus, data filtering
Security Processing - App-ID, URL match, SSL/IPSec , policy match
Network Processing - MAC lookup, NAT
Zero Trust Architecture - never trust, always verify
NS (north-south) traffic: traffic between the Internet and the firewall (inbound/outbound from the Internet)
EW (east-west) traffic: interzone traffic, i.e. internal traffic
Week 2
Network Segmentation and Security Zones (based on requirements of the company) - usually zone and segmentation align with each other
Based on building, departments
Increase security of network
Use firewall to control traffic
Tap, Virtual Wire and Layer 3 interface types are tested
Tap:
Application, user and content visibility without inline deployment
Auditing and monitoring/evaluation purposes, using a switch SPAN/mirror port to duplicate the traffic to the firewall
Virtual Wire:
Inline deployment that has App-ID, User-ID, Content-ID, SSL decryption and NAT capabilities
Inserted into a network topology without any change to the current topology, because its interfaces have no IP address
Layer 3:
All virtual wire mode capabilities plus routing services (L3 services): VPN, virtual routers and routing protocols
Can replace any current firewall deployment
Sub-interfaces
Multiple sub-interfaces (e.g. three) on one physical port, each carrying a different IP range and a different zone
Traffic in different zones can share a common physical firewall port.
Used to logically split network traffic and increase the granularity of security rules
Virtual Router
Static Default route (0.0.0.0/0 OR ::/0)
Network > Virtual Routers > Static Routes > Add
Static route can be used as a backup route if dynamic route is unavailable (failover)
Route with lowest metric is used
Path monitoring determines whether routes are usable. It keeps monitoring all paths, even after a failure, and switches back to the lower-metric route once that route is available again
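Added example (not course material or PAN-OS code): a toy virtual router that picks the lowest-metric usable route, fails over to the backup static route when path monitoring marks the primary next hop down, and fails back when the probes succeed again. The next-hop and destination addresses are constructed.

```python
# Added example (not course or PAN-OS code): lowest-metric route selection with
# path-monitoring driven failover and failback. Addresses are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    destination: ipaddress.IPv4Network
    next_hop: str
    metric: int
    usable: bool = True  # flipped by path monitoring


class VirtualRouter:
    def __init__(self):
        self.routes = []

    def add_static(self, destination, next_hop, metric=10):
        self.routes.append(StaticRoute(ipaddress.ip_network(destination), next_hop, metric))

    def path_monitor(self, next_hop, reachable):
        """Path monitoring keeps probing every next hop, so a failed route
        becomes usable again as soon as its probes succeed."""
        for route in self.routes:
            if route.next_hop == next_hop:
                route.usable = reachable

    def lookup(self, address):
        """Longest prefix wins first; among equal prefixes the lowest metric
        wins; routes marked unusable by path monitoring are skipped."""
        addr = ipaddress.ip_address(address)
        candidates = [r for r in self.routes if r.usable and addr in r.destination]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r.destination.prefixlen, -r.metric))
        return best.next_hop


def failover_demo():
    vr = VirtualRouter()
    vr.add_static("0.0.0.0/0", "203.0.113.1", metric=10)    # primary default route via ISP A
    vr.add_static("0.0.0.0/0", "198.51.100.1", metric=20)   # backup default route via ISP B
    vr.add_static("10.10.0.0/16", "10.0.0.254", metric=10)  # internal route, more specific than default
    steps = [vr.lookup("192.0.2.55")]          # primary (metric 10) in use
    vr.path_monitor("203.0.113.1", False)      # primary path fails its probes
    steps.append(vr.lookup("192.0.2.55"))      # backup (metric 20) takes over
    steps.append(vr.lookup("10.10.5.5"))       # longest prefix still beats the default route
    vr.path_monitor("203.0.113.1", True)       # probes succeed again
    steps.append(vr.lookup("192.0.2.55"))      # fails back to the lower-metric route
    return steps


if __name__ == "__main__":
    print(failover_demo())
```

The point to notice is that `path_monitor` is the only thing that changes the selected next hop; the metrics never change, which is why the router returns to the primary route automatically once the path is reachable again.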
Week 3
Sessions and flow
c2s (client-to-server) flow: must be permitted by a security policy rule
s2c (server-to-client) flow: the return flow
A packet is matched to a session, and a session is matched to a security policy rule
A session can have one or two flows: a single flow OR two flows (TCP traffic)
Security policy Rule is applied to bidirectional traffic in that session (c2s, s2c)
Allows returning traffic to flow automatically
Server definition for a firewall is different from server definition for hosts:
Firewall : Server is a traffic responder
Hosts : Server is a service provider (HTTPS/ Web Server..etc)
Shadowing problem: if a rule's coverage is too broad, move the rule to the bottom
Rules are evaluated top to bottom
Further rules are not evaluated after a rule match
An earlier rule casts a shadow over a later rule
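Added example (not course material or PAN-OS code) covering the session and rule-evaluation points above: a first-match evaluator that walks rules top to bottom, a session table in which the s2c return flow is found by reversing the c2s 5-tuple, and a shadow check that reports a later rule whose traffic an earlier rule already fully covers. Zone names, application names and addresses are constructed.

```python
# Added example (not course or PAN-OS code): first-match policy evaluation,
# session lookup for return traffic, and shadowed-rule detection.
from dataclasses import dataclass

ANY = frozenset({"any"})


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: frozenset
    to_zone: frozenset
    app: frozenset
    action: str  # "allow" or "deny"


def _matches(field, value):
    return field == ANY or value in field


def first_match(rules, from_zone, to_zone, app):
    """Rules are evaluated top to bottom; the first match wins and later rules are skipped."""
    for rule in rules:
        if (_matches(rule.from_zone, from_zone) and _matches(rule.to_zone, to_zone)
                and _matches(rule.app, app)):
            return rule
    return None  # no explicit match: the caller applies the default (interzone deny)


def _covers(outer, inner):
    return outer == ANY or inner <= outer


def shadowed(rules):
    """Map each later rule to the earlier rule that already covers everything it could match."""
    result = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(_covers(getattr(earlier, f), getattr(later, f))
                   for f in ("from_zone", "to_zone", "app")):
                result[later.name] = earlier.name
                break
    return result


class SessionTable:
    """Sessions are keyed on the c2s 5-tuple; an s2c packet is matched by looking
    up the tuple reversed, so return traffic never needs its own rule."""

    def __init__(self):
        self._sessions = {}

    def new_session(self, src, sport, dst, dport, proto, rule_name):
        self._sessions[(src, sport, dst, dport, proto)] = rule_name

    def lookup(self, src, sport, dst, dport, proto):
        c2s = self._sessions.get((src, sport, dst, dport, proto))
        if c2s:
            return "c2s", c2s
        s2c = self._sessions.get((dst, dport, src, sport, proto))
        if s2c:
            return "s2c", s2c
        return None


def policy_demo():
    trust, untrust = frozenset({"trust"}), frozenset({"untrust"})
    rules = [
        Rule("allow-web", trust, untrust, frozenset({"web-browsing", "ssl"}), "allow"),
        Rule("deny-outbound", trust, untrust, ANY, "deny"),   # too broad, placed too high
        Rule("allow-dns", trust, untrust, frozenset({"dns"}), "allow"),
    ]
    before = shadowed(rules)                                     # allow-dns is shadowed
    dns_hit = first_match(rules, "trust", "untrust", "dns").name  # deny-outbound wins
    fixed = [r for r in rules if r.name != "deny-outbound"] + [rules[1]]  # broad rule to the bottom
    after = shadowed(fixed)
    dns_hit_fixed = first_match(fixed, "trust", "untrust", "dns").name
    return before, dns_hit, after, dns_hit_fixed


def session_demo():
    table = SessionTable()
    table.new_session("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "allow-web")
    # the server's reply arrives with source and destination swapped
    return table.lookup("203.0.113.10", 443, "10.0.0.5", 51000, "tcp")


if __name__ == "__main__":
    print(policy_demo())
    print(session_demo())
```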
Source NAT
Firewall translates original internal IP address to an external IP address for external use/reference
Static IP - 1 to 1 fixed translations
Dynamic IP - 1 to 1 translations to the next available address in range
DIPP - Multiple clients use the same public IP addresses with different source port numbers
Difference and similarity of the NAT methods (Static IP, Dynamic IP, DIPP)
Difference
Static IP: 1 to 1 fixed translations
Dynamic IP: 1 to 1 translations to the next available address in range. If there are too many new IP addresses seeking translation while the translated address pool is fully used, the new IP addresses will be blocked.
DIPP: Multiple clients use the same public IP addresses with different source port numbers. Able to support oversubscription (assuming hosts are connecting to different destinations, a translated IP address and port pair can be used multiple times).
Similarity 1 (Static IP and Dynamic IP)
Source port does not change
Similarity 2 (Dynamic IP and DIPP)
Uses the next available IP from a pool of available IPs/subnets
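Added example (not course material or PAN-OS code): three toy source-NAT tables that make the differences above concrete. Static NAT keeps a fixed 1-to-1 map, dynamic IP NAT hands out the next free pool address and blocks new hosts once the pool is exhausted, and DIPP allocates (public IP, port) pairs and reuses a pair for a different destination when oversubscription allows it. All addresses and the tiny port range are constructed.

```python
# Added example (not course or PAN-OS code): static, dynamic IP and DIPP
# source NAT side by side. Addresses, ports and pool sizes are constructed.


class StaticNat:
    """1-to-1 fixed translation; the source port is never changed."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)  # private IP -> public IP

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        public = self.mapping.get(src_ip)
        return (public, src_port) if public else None


class DynamicIpNat:
    """1-to-1 translation to the next free pool address; port unchanged;
    a new source IP is blocked once the pool is fully used."""

    def __init__(self, pool):
        self.free = list(pool)
        self.assigned = {}

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        if src_ip not in self.assigned:
            if not self.free:
                return None  # pool exhausted: new host is blocked
            self.assigned[src_ip] = self.free.pop(0)
        return (self.assigned[src_ip], src_port)


class DippNat:
    """Many clients share the public IP with distinct ports. Once every port is
    taken, a (ip, port) pair may be reused for a different destination, up to
    the oversubscription factor."""

    def __init__(self, pool, ports, oversubscription=1):
        self.pairs = [(ip, port) for ip in pool for port in ports]
        self.in_use = {pair: set() for pair in self.pairs}  # pair -> destinations using it
        self.flows = {}
        self.factor = oversubscription

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.flows:
            return self.flows[key]
        dest = (dst_ip, dst_port)
        for pair in self.pairs:  # prefer a pair nobody is using
            if not self.in_use[pair]:
                self.in_use[pair].add(dest)
                self.flows[key] = pair
                return pair
        for pair in self.pairs:  # otherwise reuse a pair for a new destination
            used = self.in_use[pair]
            if dest not in used and len(used) < self.factor:
                used.add(dest)
                self.flows[key] = pair
                return pair
        return None  # no translation available


def nat_demo():
    static = StaticNat({"10.0.0.10": "203.0.113.10"})
    dynamic = DynamicIpNat(["203.0.113.20", "203.0.113.21"])
    dipp = DippNat(["203.0.113.30"], [1024, 1025], oversubscription=2)
    return {
        "static": static.translate("10.0.0.10", 40000, "198.51.100.1", 443),
        "dynamic_1": dynamic.translate("10.0.0.1", 40001, "198.51.100.1", 443),
        "dynamic_2": dynamic.translate("10.0.0.2", 40002, "198.51.100.1", 443),
        "dynamic_3": dynamic.translate("10.0.0.3", 40003, "198.51.100.1", 443),  # pool exhausted
        "dipp_1": dipp.translate("10.0.0.1", 40001, "198.51.100.1", 443),
        "dipp_2": dipp.translate("10.0.0.2", 40002, "198.51.100.2", 443),
        "dipp_3": dipp.translate("10.0.0.3", 40003, "198.51.100.3", 443),  # ports used up: pair reused
        "dipp_4": dipp.translate("10.0.0.4", 40004, "198.51.100.1", 443),  # port 1024 already serves .1
        "dipp_5": dipp.translate("10.0.0.5", 40005, "198.51.100.1", 443),  # every pair serves .1 or is full
    }


if __name__ == "__main__":
    for name, result in nat_demo().items():
        print(name, result)
```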
Destination NAT
Destination IP will be public IP , firewall will translate to internal IP
Create a Security Policy Rule (Policies > Security > Add)
Custom Rules are logged by default, Predefined rules are not logged by default
Week 4
Port-Based Versus Next-Generation Firewalls + Zero-Day Malware
Traditional firewalls use port blocking to control traffic
NGFW implements policies based on application rather than port
Eg. If application-default security policy rule is used on port 53, then the firewall will only allow DNS connections through the port, and deny any other non-DNS traffic on this port, including Zero-Day Malware
App-ID and TCP (Classifying TCP Traffic)
not-applicable - traffic dropped by the firewall per policy before the application was identified
incomplete - e.g. the user closes the web page
insufficient-data - App-ID cannot identify the traffic from the TCP SYN packet; there was not enough payload for identification
unknown-tcp/unknown-p2p - e.g. a new in-house application
Application Shifts
Traffic shift from one application to another during the lifetime of a session
Application Dependencies
Check the application's 'Depends on' list: allow one or more of the listed applications for it to work
Implicit Application
If you allow a certain application, the firewall also automatically allows the applications it depends on (these do not need to be explicitly permitted in the security policy for the allowed application to run)
e.g. if you allow facebook, it will also open ssl/web-browsing
Application Group vs Application Filter
Application Group: static, administrator-defined set of applications
Used when you want to treat a set of applications similarly in a security policy
Application Filter: dynamically groups applications based on application attributes that you select from the App-ID database. Can be based on Category, Subcategory, Risk, Tags and Characteristics
Any new applications delivered through the firewall's regular content update are added to matching Application Filters automatically
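Added example (not course material or PAN-OS code): a static group and an attribute-driven filter evaluated over a constructed mini App-ID database, then re-evaluated after a simulated content update adds a new application. The application names, categories and risk values are made up for the illustration.

```python
# Added example (not course or PAN-OS code): application group (static) versus
# application filter (dynamic). The application database is constructed.
APP_DB = [
    {"name": "facebook-base", "category": "collaboration", "subcategory": "social-networking", "risk": 4, "tags": set()},
    {"name": "twitter-base", "category": "collaboration", "subcategory": "social-networking", "risk": 4, "tags": set()},
    {"name": "ssh", "category": "networking", "subcategory": "encrypted-tunnel", "risk": 4, "tags": {"Sanctioned"}},
    {"name": "dns", "category": "networking", "subcategory": "infrastructure", "risk": 4, "tags": set()},
]


def application_group(names):
    """Static: exactly the applications the administrator listed, nothing else."""
    return frozenset(names)


def application_filter(db, **criteria):
    """Dynamic: every application whose attributes fall inside the chosen values.
    Scalar attributes must be in the wanted set; the tags attribute must share a tag."""
    selected = set()
    for app in db:
        ok = True
        for attr, wanted in criteria.items():
            value = app[attr]
            if isinstance(value, set):
                ok = ok and bool(value & set(wanted))
            else:
                ok = ok and value in wanted
        if ok:
            selected.add(app["name"])
    return frozenset(selected)


def content_update_demo():
    group = application_group(["facebook-base", "twitter-base"])
    before = application_filter(APP_DB, subcategory={"social-networking"}, risk={3, 4, 5})
    # a content update delivers a new social-networking application
    updated_db = APP_DB + [{"name": "newsocial-base", "category": "collaboration",
                            "subcategory": "social-networking", "risk": 3, "tags": set()}]
    after = application_filter(updated_db, subcategory={"social-networking"}, risk={3, 4, 5})
    return group, before, after


if __name__ == "__main__":
    group, before, after = content_update_demo()
    print("group stays:", sorted(group))
    print("filter picked up:", sorted(after - before))
```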
App-ID in Policy Rules Reduces the Attack Surface
If there is no decryption policy, the firewall cannot show an application block page; the browser just shows "page not available"
App-ID traffic can be found at Monitor > Logs > Traffic
Identify applications in decrypted SSL traffic
SSL encrypts application-layer data; the firewall can decrypt it and then identify the application
Identify applications in encrypted SSL traffic
Two methods:
Uses the Common Name in the server certificate (when a single website uses a unique IP address)
Uses the TLS protocol extension named Server Name Indication (SNI), which enables multiple hostnames to be served over HTTPS from the same IP (when multiple websites share the same IP address)
Week 6
Security Profiles are applied to all packets over the life of a session
7 Different security profiles:
Antivirus:
Detects infected (worms, virus) files being transferred with the application
Predefined default profile cannot be removed/deleted
Create a customized profile or clone the default profile and edit it (Objects > Security Profile > Antivirus > Add)
Actions : Alert, Allow, Drop, Reset-client (TCP/UDP), Reset-server (TCP/UDP), Reset-both (TCP/UDP)
Application exceptions - for false positives, configured to enable firewall to pass formerly blocked traffic (on Antivirus tab)
Anti-Spyware:
Detects spyware downloads and traffic from already installed spyware, can monitor different categories of viruses
Has two predefined Anti-Spyware Security Profiles- default and strict (reset-both for critical, high severity spyware events)
Create a customized profile or clone the default profile and edit it (Objects > Security Profile > Anti-Spyware > Add > Rules)
Updated anti-spyware signatures are made available every day
Actions : Alert, Allow, Drop, Reset-client (TCP/UDP), Reset-server (TCP/UDP), Reset-both (TCP/UDP), Block IP(source, source and destination for a number of seconds)
Vulnerability Protection:
Detects attempts to exploit known software vulnerabilities
Has two predefined Vulnerability Protection Security Profiles: default and strict (reset-both for critical and high severity vulnerability events)
Create a customized profile or clone the default profile and edit it (Objects > Security Profile > Vulnerability Protection > Add)
Updated Vulnerability Protection signatures are made available every day
Actions : Alert, Allow, Drop, Reset-client (TCP/UDP), Reset-server (TCP/UDP), Reset-both (TCP/UDP), Block IP(source, source and destination for a number of seconds)
URL Filtering:
Classifies and controls web browsing based on content
Disrupts Delivery or C2 stage of cyberattack lifecycle
Has a predefined URL Filtering Security Profile
Create a customized profile or clone the default profile and edit it (Objects > Security Profile > URL Filtering)
File Blocking:
Tracks and blocks file uploads and downloads based on file type and application
Actions : Alert, Continue, Block
Prevents introduction of malicious data and exfiltration of sensitive data
No predefined File Blocking Profile
Overlapping File Blocking Profiles can exist.
Create File Blocking Profiles (Objects > Security Profile > File Blocking > Add )
Continue Response Page operates only when paired with application web-browsing, if paired with something else, the file transfer is blocked.
Data Filtering:
Identifies and blocks transfer of specific data patterns found in network traffic
Used to prevent sensitive, confidential and proprietary information from leaving your network
Create Data Filtering Profile (Objects > Security Profile > Data Filtering > Add )
Three types of data patterns to use when scanning for sensitive information
Predefined Pattern: Use the predefined data patterns to scan files for Social Security and credit card numbers
Regular Expression: Create custom data patterns using regular expressions
File Properties: Scans files for specific file properties and values
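Added example (not course material or PAN-OS code) for the predefined-pattern and regular-expression pattern types: a small scanner that applies an SSN-style regular expression and a card-number regular expression to text, then runs the Luhn checksum so that digit strings which cannot be card numbers are not counted. The sample text and the patterns are constructed for the illustration; the well-known test card number 4111 1111 1111 1111 is used as a Luhn-valid sample.

```python
# Added example (not course or PAN-OS code): data-pattern scanning with a
# checksum step to cut false positives. Patterns and sample text are constructed.
import re

SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits, optional separators


def luhn_valid(digits):
    """Luhn checksum: doubling every second digit from the right must give a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text, threshold=1):
    """Count pattern hits in text and report which patterns reached the alert threshold."""
    ssn_hits = SSN_PATTERN.findall(text)
    card_hits = [m for m in CARD_PATTERN.findall(text)
                 if luhn_valid(re.sub(r"[ -]", "", m))]
    counts = {"ssn": len(ssn_hits), "credit_card": len(card_hits)}
    triggered = {name for name, n in counts.items() if n >= threshold}
    return counts, triggered


# Constructed sample document: one SSN-shaped value, one valid card number,
# one digit string that fails Luhn, and an unrelated order number.
SAMPLE = """Employee file
SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Old card (typo): 4111111111111112
Order reference: 20240131
"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```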
[Not needed] WildFire Analysis:
Forwards unknown files to the WildFire service for malware analysis
Antivirus, Anti-spyware, Vulnerability threats
Monitor > Logs > Threat
Alert action (by default applied to IMAP, POP3 and SMTP in the Antivirus Security Profile)
Drop Action
File Blocking
Monitor > Logs > Data Filtering Log
All Actions -Alert, Continue and Block
Data Filtering
Monitor > Logs > Data Filtering Log
Only if Data Capture check box is selected
URL Filtering
Monitor > Logs > URL Filtering
Attachment of URL filtering profile to a security rule
Alert
Block
Continue/Override (logs initial blocking and successful user action)
DNS sinkhole operation
Can use the sinkhole FQDN supplied by PAN or configure a real host and IP address as the sinkhole address.
If a real host is used, ensure that the sinkhole host is in a different security zone than the DNS client, as only traffic traversing security zones is logged by the firewall.
Helps to identify and analyze the behavior of infected hosts on the network and protects environment.
[Not needed] Overlapping File Blocking Profile
File Blocking Profile rules do not follow a top-down approach
As long as traffic matches a single rule, the rule's action is taken
If traffic matches multiple rules, highest precedence action is taken
Continue, Block, Alert
Blocking Multi-Level Encoded Files (firewall decodes max of four levels)
Files encoded more than four layers cannot be completely decoded but can be blocked by File Blocking Profile
Set by setting the File Type field to 'Multi-Level-Encoding'
Assigning Security profile to security rules
Can assign a Security Profile or Security Profile Group under 'Profile Type'
Policies > Security > Add
For Security Profile Groups configuration
Objects > Security Profile Groups > Add
Add Security Profiles commonly used together
Help to simplify Security policy rule administration
URL Category in a Policy versus URL Filtering Security Profile
URL category in a policy rule:
Used as a match condition
URLs matched to predefined/custom categories
Action determined in the policy rule
URL category name logged in the URL Filtering log
URL Filtering Security Profile:
Applied to traffic allowed by the security policy
URLs matched to predefined/custom URL categories
Actions configured more granularly for individual URLs/categories
URL details logged in the URL Filtering log