PCNSA: Palo Alto Networks Certified Network Security Administrator certification video training course by prepaway along with practice test questions and answers, study guide and exam dumps provides the ultimate training package to help you pass.

Chapter 5 - Content-ID

9. 5.9 Denial-of-service protection

In this video, we are covering PC NSA Chapter 10, and this is our Chapter 5 content ID. Now you've made it so far. This is the 9th video of this chapter, which is 5.9, "Denial of Service Protection." Excellent video; very interesting stuff here.

Now, Palo Alto Networks Firewall provides denial-of-service protection that mitigates layer three and layer four protocol-based attacks and denial-of-service attacks. It is packet-based rather than signature-based, and we don't really link the denial of service to security policy. So there are two types of denial-of-service protection. We have zone-based protection, which protects the whole zone, like a demilitarized zone or inside zone, and end-host protection, which would protect a single host, for example, under zone-based protection. This is a broad-based, all-encompassing denial of service attack at the edge designed to prevent a denial of service attack on the enterprise network. It will act as a first line of defense for network-end host protection.

This is denial-of-service rule-based, and the denial-of-service profile is a flexible rule-based policy that protects specific end hosts, such as web services and DNS service user subnets, which are critical and vulnerable to denial-of-service attacks. This is the laptop or device that I'm going to use to demonstrate denial of service. We're going to do two types of denial-of-service protection. First, we're going to use zone protection, where I'm going to protect the whole of our inside zone. So we're going to create denial-of-service protection for the whole zone and apply it to that zone. And then I'm going to do the end host protection, where I'm going to protect this Ubuntu server. Then, to put it to the test, I'm going to use Kali Linux to generate some sort of attack synchronisation attack that doesn't complete the TCP connections. So it's just going to start the synchronisation and leave it there.

And the reason for the syntax is to pretty much overwhelm the CPU, so the web server cannot process new TCP connection requests. Okay, great. So let's start that. The first thing that I'm going to do is set up zone protection. So if I get to my firewall, to create zone protection we need to go to network, and in the network we have a network profile, and then there we have zone protection. Now we'll create a new zone protection and apply it to the zones. So it's not applied to security policy; it's applied to zones. So if I open zone protection and create a new one, I'm going to call it Astrid zone protection. And here is our profile:

Astrid Zone defense. And in this zone profile, we have four tabs. The first tab is flood protection. Then we have reconnaissance protection, packet-based attack protection, and protocol protection. Denial-of-service protection is always packet-based, not session-based or anything like that. It's a packet-based system. So it's packets per second. It's going to start off with flood protection. For example, we can protect against synchronization. We can protect UDP. ICMP. Icmpv-6 and IP floods are two examples. That's another IPS. And then, if I protect for synchronization, if synchronisation floods, we have the values that we can set here, the three types of values. The alarm rate was activated, followed by the maximum.

So the alarm rate is set to 10,000 packets per second. It says connection per second, which is actually packets per second. And the activate value is 100, with a maximum value of 400. Now, when we set it to 100 packets per second, If the firewall detects 10,000 packets per second from any source, it could be from one or more hosts to one or more destinations. And then we apply this flood protection to the ingress zone of the traffic. Now, 10,000 packets per second is when it's going to start generating a log message. This random yearly drop will be activated when we have another drop of the same number, a total of 10,000 packets. What it's going to do is randomly pick packets and drop them just so we don't overwhelm our CPU at its maximum and block the packets anymore.

We have another option besides dropping at random. We can have sync cookies. In a sync cookie, the router will transform into a man in the middle and begin synchronising with whoever it is attempting to connect with. Similarly, we have alarm rate activated and maximum. So I'm going to leave it to randomly drop, and I'm going to enable all of these at the same alarm rate (activate), because activate is randomly ready to drop here at maximum ICMP. If we had IPV6, you would enable that. This is also true for other IP floods. Then we have reconnaissance protection. This is used to alert or prevent reconnaissance attempts like port scans, UDP or TCP port scans, and host suites. So we have TCP port scanning, host scanning, and UDP port scanning.

Now, the action by default is set to alert. And we can, for example, have "allow," which will allow or permit the port scan attempt alert. This generates an alert for each scan that matches the threshold within the specified time interval. We can block, which will drop all traffic from the source to the destination, or block the IP address and drop all traffic for a specific period of time in seconds. There are two options here. We can use it, for example, as a source. We can block the source and destination, and we can put the time duration in seconds. So, for example, we leave it to alert, and then we have interval and threshold.

So, for example, if we get 100 packets within 2 seconds, it will generate an alert. We generate another host suite alert if we receive 100 host suites in 10 seconds. If we get another 100 packets in 2 seconds, a UDP port scan will generate an alert. We can set it to block if you want to. Then we have packet-based attack protection. Here are a few other tabs within packet-based attack protection. But first, we'll talk about this IP drop. For example, if we have a spoofed IP address, the firewall will use the routing table to verify that the source IP address is arriving on the appropriate interface.

The same thing, look at the routing table, fragmented traffic, all of these things that we can enable for packet-based protection. strict source routing, loose source routing, and so on. Then we have a TCP drop. ICMP drop. IPV-6 as well as IP ICMPV-6 Then there's protocol protection, which is the final step. In the protocol protection profile, we can exclude some protocols from being in the zone protection profile if you want, or we can include them. We can't rule out some already, such as 800, which is IPV four, eight, and six; ARP; 8100; you have a VLAN tag; and 860D, which is IPV six. We cannot rule out these protocols.

If we exclude some protocols, that will mean that all other protocols will be included, or we can include some protocols and then everything else will be excluded. But you can't touch these ones, which are already here. Okay? We can leave that as the default. So far, we've enabled flood protection, reconnaissance protection, and some packet-based attack defense. We didn't exclude any protocols; we created this as zone protection. So to apply this, we need to go to the zones and imagine that I want to apply it on the inside zone. So I'll click on that and just have a zone protection profile.

So I'll click here and enable packet buffering protection as well, and I'll click OK, so that's an example of how to enable zone protection. I'm not going to test this, but what I'm going to test and do for you is the end-host protection, where we're going to protect our web server, and then I'm going to generate an attack from Kali Linux, and then we should see some information from other routers. So, to enable and host protection, we must navigate to objects, and within the objects, we must navigate to DoS protection.

So we configure it here, and then when we apply it, we go to policies, and since we have a dust protection policy here, we can apply it here. So objects and dust protection So we first make it like a profile, so that's located under "object security profile" and "dust protection profile." So we click "add," and I'm going to call it just Astridos' profile.

Then, after we've added the description, whatever you want to call it, We have two choices: aggregate and classified aggregate, which could mean the total traffic between all the devices matched by the rule. And classified is intended to protect individual IP connections from a single IP address. But the thing is, attackers are going to spoof the address, so it's always going to be from somewhere else. So then we have two types. We have flood protection and resource protection. The maximum number of concurrent sessions allowed is referred to as resource protection.

So here, by default, we have 32,000. But what if we want to reduce the number of concurrent sessions? We have a relatively powerful server, and we can reduce or increase the number of concurrent sessions. Flood protection again; same thing again; we have a sin flood. If you remember, the host was generating or the attacker was generating an incomplete TCP connection. It was just sent during a synchronization.

Then they will get an acknowledgement and their own synchronization, but it doesn't finish the third handshake on the TCP connection. And the reason is to overwhelm the CPU buffers. So we have the same thing as I explained earlier, a random drop, and we have sync cookies. So we leave it to drop and alarm rate at random when we start creating logs. So I'm just going to lower the activation rate to $1,000. This is the point at which we begin dropping packets at random. So set this to 2000, and then for the maximum rate, set it to 4000. So I want to give a few numbers so we can see some log messages and then the block duration. This is 300 seconds.

Remember, these are packets per second here. So, instead of 300 seconds, I'm going to cut these down to about 15 seconds for demonstration purposes. Then UDP floods the same thing again. We can enable ICMP flooding. I'm not going to demonstrate any of these. So I'm not going to really enable any of these. I'm just going to do a simple flood here. So I click OK, and then to apply that, I need to go to policies and then Dose Protection. I need to add a new dose protection. So I'm going to add the rule "Dos rule" here. And after we put the description tags and you learned this, we put the source. So, where is all of this traffic coming from?

Well, the source could be a zone, or it could be an interface. So the traffic is coming from outside the zone, so we can put it anywhere from an outside source address, but we don't really know. It could be any address, source, or user; we don't know either. And again, the same thing is here before the user ID we're going to talk about. As a result, any user's destination—well, destination will be the zone.

Again, we can put the interface, but I'll leave it in the zone, and it's going to be in the demilitarised zone, where the destination addresses my server, which is two or three dot ten, sorry, 0113 dot ten. That's the IP address, and then we have an option for protection.

And the option for protection is that we can have the services; I'll leave it to anyone, and we have a choice on the action. We can deny, which means we'll drop the packet; we can allow the packets to go through; or we can protect. If we say "protect," that means that we use the profile to deny a service protection profile. So I'm going to say "protect." I don't have any scheduled, and I don't have any logging forward or configured, because, remember, we had aggregate all classified, and I chose aggregate over classified.

Classified was accessed via a single IP address. The aggregate came from all of them together. So, in the end, I'm going to go with this as the one for which I made an Astrid profile. So click okay, and that's it; we are done. So I'm going to make a commitment. commit, OK, they've successfully committed. I'm going to close this and start generating an attack. So for that, I'm going to be using—if you look at my topology, I've created something like host protection for that host there. And I'm going to start generating attacks from Kali Linux. So I'm going to go to my Kali Linux after I log in, and the first thing I'll do is show you the IP address of this Kali Linux, or IPA.

That's my IP address, 230-1321. And my gateway, 23013, is on the same network. And I'm pinging that; I'm okay with that, so just clear the screen. To generate a TCP flood attack or TCP synchronisation flood attack, I'm going to use HP 3. That's a tool, a penetration-testing tool. So I need to go to "Privilege User." So there we go. We are the privileged users now. So I'll type HPC Three, and I'm going to send, for example, 15,000 packets. So minus C tells me how many packets I'll send for fifteen zero. And then I'm going to say, for example, the size of the package. So minus D, the size of the package is 120 bytes. And these are going to be the synchronisation packages.

And with the window size, I'm going to use 64, and the port I'm going to be using is port ad, which is going to be flood, and I'm going to use a random source and the IP addresses of the web server. Now, if you're familiar with the web server, this firewall has been configured as a destination that and destination that when this client or this Kali Linux goes to IP address two or three, dot zero, dot one, one, three, ten, that's the IP address of the cell. Now the firewall, when it receives that, is going to take that and translate it to this address down here. I'm only going to do destination at. So the IP address of the server that I'm going to send this TCP send flood to is 232-3011, 310. Great. So let me show you the Nat that I have to configure.

So, if I connect to the internet here, you'll notice that I'm outside the digital trade zone. So any user from outside going to this address will have 23013 translated to this address, and I'm going to reset all these counters before I start. Yes, and I can do the same thing for security policy: reset the counters. Okay, now you see there are so many hit counts because I already did that to test it. Okay? So I'm ready. Click Enter. Now I've launched a synchronisation floodattack from Kali Linux. So, if I go there and refresh it now that this one destination is gone, they can skyrocket, right? Because, look, it's already doing so many synchronisation sessions. Sorry, 267,000 already, right? Okay, same for security.

They're going to increase, look, because they're going to be hitting, they get hit so many times, if I go to security and outside to the demilitarised zone out to the DMZ. Okay, that's already blocked. That's probably why we're not seeing an increase in traffic on the monitor; I need to go check on everything. I'll go to monitor traffic and threats. Because it generates IP addresses at random, there are many different ones. They go into the server, and really, if we look, we're not seeing anything inefficient, insufficient, or under threat. So I'll click on the threads, but there's not much we can see. You just see that there is a TCP flood happening, but we don't see anything. I'm not able to see from zone to zone, and the source address and destination address are going to be all zeros anyway. So you've discovered that your network is experiencing a TCP flood. And you see that all of this is filled with TCP floods.

This is the vulnerability that we discussed earlier, but there was a TCP flood, and it's not going to actually show you this every time all these packets arrive, because this is going to be 200,000 messages. So this is kind of like combining every 5 seconds, and it's going to display it to match application in a flood. Then you just need to search, for example, "incomplete." Who is generating all this? There is a TCP flood happening, and what we can do is create a filter that says, "I want to see an application equal to "and I'll say "incomplete" and add this and apply it. And I'm going to use this filter. And now you will see all the IP addresses from that source to this destination. All of this is incomplete and just happened now. Okay? So I'm going to go to my calendar on Linux and stop that because it's just going to keep going. So calculus, it has actually stopped because when I refreshed the hit count for this.

10. 5.10 Lab Content-ID

On this video, we are covering PC NSA 210, and this is our chapter ID. Now, tent ID. After finishing Chapter 5, we present Video 5: Point 10e: Point Tenlab, which summarizes what we learned. I'll try to do it quickly; it'll take a long time, so I'm not sure how long it will take. how long. But it's not a particularly short video, so it's fine. It's very interesting, and we're making progress with it. We'll run labs before configuring and testing the vulnerability security profile. We'll create and put to the test an antivirus security profile.

Create and run an anti-spyware profile. We'll go there and test the file-block-profile and the profile before configuring and testing the data profile. There's a lot of interesting and important information here. Okay here. So, let's start with this lattice topology that I'll show you. So, first, we'll create a vulnerability security profile, attach it to the demilitarized zone, and then we'll generate vulnerability testing from Kali Linux to the demilitarized zone, and then we'll monitor here on the firewall for those penetration tests or vulnerability tests. Then we can't create an antiviral profile and attach it to the zone where this client is going to try to add a virus.

As a result, it would be brought up before the committee as well. The third thing we're going to do is try to access the anti-spyware profile on the computer again, which is against the rules. So, for example, suppose this computer has been infected and is attempting to access the control domain and the domain, and that a file is allowed, such as a PDF, and we are going to deny that. We'll see some PDFs on the monitor, as well as an attempt to upload some confidential data to the command and control center. We're going to learn some interesting things here. ng toxoid So, first and foremost, we firewall, and I won't go into detail. You must watch the video if you want to learn every detail; otherwise, this will take a long time. long time.

So get up and have everything. So I go to the monitor; there is nothing in the traffic log, the threat log, or the data filtering log. And I did it by going to the device and turning on the appropriate settings, then returning at the end to clear the traffic log as well. Okay, so the first step is to create a vulnerability profile, which we'll do under the objects and profiles. Vulnerability protection is also included in the security profiles. protection. We're going to do antivirus, display blocking, blocking, and data-dodging stuff, so some of you can watch the video today and the previous video for dust 5.9 and I will attach that profile. At the moment, there is nothing in there that you can see. So, in the profile settings, open that security policy under the actions I need to perform. The antivirus profile type must be the one that was created, and you click OK; we can group them if you want, but that's why you should watch the videos in detail.

Okay, that's done. And I'll commit to that. Once we commit it, then we can go and test it. Okay, now that the commit has been successfully completed, I can go and test it. So I'm going to go to my client machine, which is located on the inside zone. That's the IP address; that's the gateway. So I'm going to open the Google Chrome browser, and I'm going to try and download a virus now that we have a predefined virus. However, the current issue is that they are not providing clear text and are only providing encrypted data. We can't test it because we don't have a decryption policy. I know another location where we can check it, but let me just check this one. It's actually working; maybe they updated. So Acar is a downloaded antimalware test file, and you can still see the HTTP, which is cleartext, and that's the one we're using that isn't temporarily out of order or unavailable. It's only SSL. SSL will work if I download these because they are encrypted. We haven't got decryption. I can check another location that we have. This is on this website, and here is the website, as well as the ones in plain text.

So if I click on it, as you can see, it says virus, spyware, and download blocked. Any of these will be blocked, right? different ones and this one as well. Let's see if it's blocked. Yeah, all three of them are blocked. So that's the demonstration of how to configure the antivirus, and we can go look at it. So if I go to the monitor, and on the threats, when it updates, it should show us, "Look, we have three viruses that we try to download from our internal machine to the destination address." And again, we have a single packet capture in there. Okay, that's a demonstration of how to configure an antivirus security profile.

The next one I'm going to configure is anti-spyware. So this is the infected machine that's trying to go to some domains. There are infected domains, maybe commander-control domains, and so on. Okay, now the domains I did the preliminary work; I already had this set up. For example, on my DMZ machine, I set these domains to be bad domains. So we're going to create an identifier that will alert our users if they attempt to connect to these domains. We're not going to block it; we just should get an alert. Okay, so we'll go to DNS and call them anyway. We're not going to give them the correct IP address to create antivirus spyware; to create antispyware, go to objects and create a profile; antispyware is in the same place as security profiles. In the same location as the antivirus and anti-spyware software. We have two default ones. Click on one; we're going to create our own one. So Astrid's anti-spyware profile is in here.

I'm going to add my own, and it's going to be my role. First rule: no threat, no name, no matter what. We can change it to category, or we can just leave it at any. So adware, an auto-generation backdoor, any action What to do? The default is whatever the signature says. Allow it to send the packet alert. Allow but log, drop and log, or reset them all. client server or both, and log Or we can block the IP address, either the source or the source and destination, for however many seconds you want. As a result, we can no longer put it into alert or packet capture. We'll treat it as if we're taking a single packet for all severity levels. Okay, we're going to create a DNS signature. As an example, consider a sinkhole. So we already have the two there predefined. And I'm going to create my own one. Now that I've already created it, I'll just add it and show you where to go to create it. Or if you want to see it in more depth, then you have to watch the video about antispy where. So this is my external list, and I will click okay.

Okay, now the external dynamic list is this one here, and that shows me, tells me where the list of domains in this list is: this list of bad domains, ABC, and so on. So that's the IP address and that's the location, and I clicked it, as well as having to change the service pages for service route configuration, and then having to customise here in the external list where it is. Okay. We need to apply that policy, sorry, that profile—the anti-spyware profile—to my security policy from the inside zone to the outside zone now that we've created it. So I need to go under action and antisfire here. And I'm sorry again if it seems like I'm going fast, but I've gone through all this information on the videos slowly on each one.

So this is just a recap. If you click OK and commit this, then we can go and test it. Okay, now that the commit has been completed successfully, we can go ahead and test it. So you can see under the inside-outside zone that we have an antivirus profile attached to it and that we have an anti-spyware profile attached to it. So I can go to the client machine and open the command prompt, and I'm going to test it with Nslookup. So first, I'm going to test it on some website that does exist. Yeah, right. It's not treated as a bad website. So you see, when we do a proper website something, that's okay; we get an IP address, we get a list of who's given this IP address, and so on, as well as an IPV6 address I can see here.

And now I'm going to say, "All right, now I'm going to look for the duty website." That would be ABC dot local. No, we don't have anything. Non-authoritative answer: it's sync calling here, Mslookup. I can do it for any website. X-Y-Z XYZ.com No, X. I see. XYZ.com actually works. I did XYZ dot local, and I did NS look up Astrid Toko, so these are my three bad websites. Now if I go to my firewall and look under the "monitor logs" thread, I should see some suspicious activity. There we go: suspicious domain lookup, suspicious domain lookup. The DNS lookup is being performed from the IP address on the internal network to this address, and they are attempting to connect to ABC and XYZ.

The asterisk hasn't come yet. Oh, there it comes. There we go. Astrid's localhood. You can see that as soon as we go to some website that we sync with, we get a threat or alert. Okay, that's a demonstration about antispyware. The following step is to create a file blocking security profile. Now, file blocking in my example, in laptopology, says that this Windows 7 computer is not allowed to download or upload whatever file we selected, and we're going to select a PDF file. Okay, that's the idea. So I go about making a file-blocking security profile. I go to objects and insecurity profiles. I have a file block in here. I have two already, but I'm going to make another. As a result, Astrid has a file blocking profile.

Okay, now on your production, you will write the description and so on. So I'm going to add a file that I'm going to be blocking. I'm going to block the PDFs from any application. And the file type is going to be PDF, just PDF, not an encrypted one. It is encrypted, but we don't have a decryption policy yet. We will have it later. So, there you have it, and the direction will be either upload, download, or both. Upload, download, or both And for the action, we could say alert, block, or continue. I'm going to show you that block alert is okay; it's allowed to upload or download, but you just get a log message. Block will obviously block them and generate a log message, while continue will generate a log message but the user must press continue.

So first we're going to say "block" and click "OK," and we're going to attach this file blocking profile to our inside-outside security profile or security policy. So open that and go to action and file a block here, apply that, click okay, and commit that. Okay, now that has been successfully committed. So we can go and test it. So if I go to my client machine and I need to find a clear text PDF that is located in Palo Alto Networks education files, okay, so these are clear text. So I'm going to click on that first, and that should be blocking. And then we change it to "Continue." And I click on that, which should give me a continue option. It should be downloaded. So click on that. You can see this. This is blocked. File transfer has been blocked for this file. So I can go to my firewall and check the logs. The file blocking is actually under data filtering. It will find it here.

So you can see there that the application, the Panorama admin guide, has been blocked from inside to outside deny. Now if I spot it as "continue," I can change that to "objects." Go to file blocking and edit the one that I did. And instead of saying block, I'll say Continue, okay? And I swear by it. Okay, now that I have committed, I can go and check it again. So I go to my client machine, and I'll go back here and check this one. Now it says instead of blocking, "Please click Continue to download." So it's giving me the option to actually continue. So yeah, press Continue, and I can download it, but I will see it on my thread monitor. So if I say sorry, monitor. And then under the logs, "data filtering," I'll see it here, and you can see down here that it says "block but continue." So actually, the user had to press "continue" to work. Okay, excellent. That's your file-blocking security profile. The next thing I'll show you is how to create a datafiltering profile that this user is not permitted to create.

You're not allowing anyone inside Zone to upload documents from outside. It could be on the Internet or anything else; it doesn't matter. could be, for example, some file with an author, with a category, and so on. Let's take a look. Okay, so to configure that, we need to go to myfirewall, and you need to go to firewall and click objects. And under security profiles, we have a data filtering profile. Now the data filtering profile is going to look at the data patterns. So first, before we configure data filtering, we have to go and configure data patterns, which is a custom object here. Data pattern. There are three different types of data patterns. So we have file properties, pattern type, a regular expression, and a predefined pattern. All right, so I'm going to show you all three of them. And the first one we'll make is file properties.

So I'll put a straight file property, and here with the file properties, you can look at, for example, the author, the category, the time and date, and so on, and the file type. I can just leave it like, for example, Microsoft PowerPoint, Microsoft Word, and all that. I'm going to use Microsoft Word and the file properties you can see here, such as author, category, and classification; those are the file properties, and I'm going to use author, and anything created by me is not allowed to leave the inside zone. So I clicked that. Okay. The second one I'll make is a regular expression. So, request regular expression, and there is a lot you can do with regular expression. So I already have a video about regular expression on my channel, so you can watch it. The name is anything with the word "confidential." So anything with the word "confidential" in it, of any kind. And then here I put the regular expression pattern, which is going to be a dot-star.

And then I'll open the bracket and type "confidential," close a bracket, insert a pipe, and open the bracket again. They could be in capital letters, and then close the brackets. Right. So I'm just going to check the spelling correctly. Yes, that seems okay now, so click okay. and then I'll add that. Another one I'm going to do is, well, this is a predefined pattern, so I'll do the asterisk pattern, and this is like, for example, a credit card number, a U.S. social security number, a routing number, and so on. Okay, just enter the credit card numbers and click Okay. I'm not going to actually use this; I'm going to use this and this. Now that we have configured our data pattern, we have to enable it in the data filtering. So, if I click on data filtering, I'll click add and enter astrid data filtering. And on there, I'm going to put the file properties and regular expression. I can give the pattern as an example as well, but I'm not going to be using it.

As a result, any application, any filetype, both directions, and threshold As soon as we see one thing, we will want to block it for the properties and block it for the regular expression. Right. So this is when it generates a log and when it's going to actually block it, and let's say the severity is critical for all of them. Okay, click "Okay" there. Now we need to go and add this to our security policy profile. But the way I'm going to do it and the way I'm going to show it to you is that this inside zone user is trying to upload some files to the demilitarised zone server. So I'm going to apply it to the DMZ zone, inside the DMZ zone security policy profile. So go to policies, and I have a profile here that says demilitarised zone. So I'm going to apply there. So action. And in here, I'm going to have a data filtering profile.

So we talked about antivirus profile vulnerability protection and anti-spyware file blocking, and now we do data filtering. This is the next chapter. And this is chapter eight. So click okay. And I'll commit to that. Now that the committee has completed its work successfully, we can go ahead and test it on my client's machine. I have three files that I can show you. They are in a new folder on the computer's C drive. So I've got it here. I received a document with a confidential word. You see, this document has a confidential word on it, and that should be blocked when I'm trying to go outside. I have a plain text file that is just a regular plain text file that should be okay to be transferred. And I have a top-secret file. This is just a regular file, but it's been created by the author. It's me, Astrid. So this should not leave the network either. So this one shouldn't work. Shouldn't work. This one can work.

Okay, so if I go to open the command line, I'm going to FTP to my demilitarised zone server. So go to FTP. So first, let me access that folder where these files are located. These are the files, which are new and in a directory. So, if I FTP to my server, which is 192.168.1, my username and password are labuser. Now I'm logged in successfully, so I can see the directory of that server. You can see this in the files, right? So I shouldn't be able to upload the document or make it top secret. Let me try all of them. As a result, I can say "put document." That's my REGIC dot text. Now this one says "failure reading network stream," as I was expecting.

So that's good. Now let's try and put the plan into text. Now this is the complete transfer. So there was no problem here. Transfer complete. Let's try again with the next one, which is my file. So I'll put "top secret." Docs. That's a failure as well. So as expected, this didn't work. It worked and it didn't work. So documents and top secrets didn't work. But the plain text did work. If you do a dir, it will look like they're there, but it's just an empty document, right? So if I, for example, remove these, then remove them from here. Put them here. Okay, so now I go back to my command prompt and try to get these to this folder and see that they are just empty. So I'll type "get document," "get text," "get plain text," and "get top-secret docs" into the search box.

Okay, I transferred all three of them, but when I opened them, they would not work. Plain text is fine. There we go. Plain document. But the document is just an empty file. There's nothing in there, which means it didn't work. same top-secret empty file. Okay, so I'm going to go and delete them from here, so do M.Delete document, and then we go and look at the monitor, doing M.Delete plain text and then M.Delete top secret. Yes, so if I do that now, you can see they're gone. So now I'll go to my firewall, and under the monitor data filtering, you can see here that it's actually taken off, didn't let go of the top secret, and the document is a file property. Astrid and regular expression made the top secret, while they had the word confidential, and they are both reset. Okay, that's a demonstration of the data filtering. So we configured and tested all five: vulnerability, security profile, antivirus security profile, anti-spyware, file blocking, and data filtering profile.

Chapter 6 -URL Filtering

1. 6.1 URL Filtering concepts

Now, default URL filtering security profiles, like all the other security profiles we've discussed so far, will have a default predefined security profile. So we talked about other profiles, and the URL filtering has a default as well. We cannot delete or modify the default security profile, but if we want to use it, we must clone it and then use or edit the clone, or we can generate one from scratch. We used to create our own security profiles with URL filtering, which is the best way to start, and then edit the clone rather than starting from scratch when we did the security profiles. The default profile is configured to block websites such as non-malware sites, phishing sites, and adult content sites.

Palo Alto Networks Database now supports multi-category and risk-based URL filtering. URL filtering cloud classifies websites into several categories. Categories indicate how risky the site is, the website's content, and the website's purpose or function. Websites with a registration period of less than 32 days are considered new registered domains. Now, if, for example, a website is matched to different categories, which one will take precedence? Which one will be applied first? Well, any custom URL categories will be at the top of the list. Then we have an external dynamic list, then we have a Palo Alto network database firewall cache, then we download the Palo Alto network database file, and then we have the Palo Alto database cloud. What do we do with unknown URLs? For example, if we have an initiator in the inside zone and they request some URL requests, the firewall will check the cache and if the URL is not found in the cache, it will perform a lookup on the Palo Alto Network database cloud services. If that URL has not been categorised yet, it will send it to us as "category unknown" and then return to the firewall as "category unknown." What do you do with unknown categories?

Do you block them? unknown websites, for example, or do you allow them? A recommendation would be to not only allow but also alert the website. At least you have a log, and then you can look at the log to determine whether they are suspicious websites or not. And then the next category will be "not resolved" results. In the inside zone, the initiator is doing the same thing by sending some URL requests. If it isn't found in the firewall cache, the firewall will check the cloud services, but if it can't reach the cloud services for some reason, it will be sent as a not-resolved, which is the same thing as not-resolved as unknown.

What do we do with them? Do we block them? Do we allow it or alert and recommend it for alert download in the URL seed database? The initial seed database that you download to the firewall is a small subset of the Palo Alto Network database that is maintained on the Palo Alto Network URL cloud service. You download only a Cdatabase because the full database contains millions of URLs, many of which might never be accessed by the user. To licence our firewall for the URL filtering licence, you will need to go to "device" and then "license," and then we will have a Palo Alto database URL filtering that should stay active as well. You can use Bright Cloud URL filtering, and you might have a licence with Bright Cloud instead of the Palo Alto Network database. But either way, you need to have a licence if you want to use it, or you have to create your own one from scratch.

Prepaway's PCNSA: Palo Alto Networks Certified Network Security Administrator video training course for passing certification exams is the only solution which you need.