Palo Alto Networks Firewall File Blocking and Data Filtering

You configure File Blocking on a Palo Alto Networks (PAN) Firewall to protect your network and endpoints from Malware infected files (exe, PDF, etc.). This is also used for Data Loss Prevention (DLP) strategy in order to protect the company's Intellectual Property (IP) and other sensitive files from leaving the network.

To create a File Blocking Security Profile, go to Objects > Security Profiles > File Blocking.

There are two File Blocking configured by default: basic file blocking and strict file blocking.

Click on basic file blocking > Clone (at the bottom).

Leave the default Name selected > click OK.

Click basic file blocking-1 to edit.

Type a Name (FILE-BLOCK-1).

Under File Types column > click on any file type > Add > type/search pdf.

Click OK.

To apply the File Blocking Security Profile, go to Policies > Security > Actions tab > Profile Setting > File Blocking > select FILE-BLOCK-1 created earlier > click OK.

Click Commit.

You'll need the SSL Decryption policy configured and CA Cert imported to client machine in order to enforce File Blocking for HTTPS traffic.

I tried to download an installer for TFTP server which is executable (.exe) file.

I got a File Transfer Blocked error. The PAN Firewall easily detected and blocked the executable file since it's an HTTP traffic.

I tried to download a PDF file via HTTPS. The PDF file was blocked since the PAN Firewall performed deep packet inspection (SSL Decryption) and enforced the File Blocking policy.

 

To view File Blocking logs, go to Monitor > Logs > Data Filtering

Click the magnifying glass icon to get a Detailed Log View. Notice the Flags for Decrypted and under Details the downloaded File Name cybersecurity-survival-guide-3rd-edition.pdf was detected

 

Notice the Source Port is 80 (HTTP) and under Details the File Name Tftpd32-4.52-setup.exe was detected.

To configure Data Filtering Security Profile, go to Objects > Security Profiles > Data Filtering > click Add (at the bottom).

Type a Name (DATA-FILTER-1) > under Data Pattern > click Add.

Click New > click on the double arrow icon > Data Pattern.

Type a Name (DATA-PATTERN-CCARD) > Pattern Type: Predefined Pattern.

Under Name > click Add > select Credit Card Numbers. Click OK.

Click OK.

Click OK.

For this lab, I modified the Alert Threshold and Block Threshold to a count of 1 > change Log Security to Critical > click OK.

To apply the Data Filtering Security Profile, go to Policies > Security > click Rule #1 (Allow-Inside-Out) > under Actions > Profile Setting > Data Filtering > select DATA-FILTER-1 created earlier > click OK.

Click Commit.

To test, I tried to download a list of credit card numbers (100 CC Records) from this site.

I got a Data Transfer Blocked error.

To monitor Data Filtering log, go to Monitor > Logs > Data Filtering.

Click the magnifying glass icon to get a Detailed Log View.

Notice under Details > Context > it matched the DATA-PATTERN-CCARD rule which is the Predefined Pattern for US Credit Card Numbers.

 

Palo Alto Networks Firewall SSL (TLS) Decryption

Transport Layer Security (TLS) is the updated and more secure version of Secure Sockets Layer (SSL). TLS is not backward compatible with SSL's cipher suite or algorithm. SSL has been around for more two decades and it's still used as a common term when deploying Certificate Authority (CA) in a Public Key Infrastructure (PKI).

From my previous post, I created URL Filtering and Antivirus Security Profiles. Users can bypass the Palo Alto Networks (PAN) Firewall Security Profiles by using VPN or a web proxy.

The URL Filtering for Social Networking and Streaming Media and Antivirus Security Profiles were configured and correctly blocked by the PAN Firewall.

Most websites are now using HTTPS (SSL/TLS) and the PAN Firewall wouldn't be able to enforce its next-generation features (URL Filtering, Antivirus and Antimalware) since traffic is encrypted.

I tried to download eicar.com and eicar.com.txt under the protocol https but the Windows personal firewall blocked it. This is a good example of a defense-in-depth security strategy wherein endpoints have a personal firewall (Antivirus and Antimalware) installed.

 

I was able to download eicar_com.zip since the PAN Firewall is unable to decrypt HTTPS traffic and enforce its Antivirus Security Profile.

To verify, go to Monitor > Logs > URL Filtering.

It's best practice to identify which traffic to exclude in a Decryption Policy as this might involve some privacy or legal implications. Some good examples of traffic to exclude are banking/finance (PCI DSS) and health (PHI) records.

For my lab, I created three SSL Decryption rules: the first rule is to exclude Financial and Health traffic or categories for SSL Decryption source from the inside Zone going to the outside Zone. The second rule is to Decrypt Any traffic source from the inside Zone going to the outside Zone. The third rule is to Decrypt SSH only traffic source from the inside Zone going to the dmz Zone.

To configure a Decryption policy for Rule #1, go to Policies > Decryption > Add (at the bottom).

Under General tab > type a Name (NO-SSL-DECYRPT).

Under Source tab > Source Zone > Add > select inside.

Under Destination tab > Destination Zone > Add > select outside.

Under Service/URL Category > URL Category > Add > type/search for financial-services. 

Also add health-and-medicine.

Under Options tab > select Action: No Decrypt (default) > click OK.

For Decryption Policy Rule #2, click Add or Clone NO-SSL-DECRYPT and then just edit.

Under Service/URL Category tab > leave Any under both Service and URL Category.

Under Options tab > Action: Decrypt > Leave the other options in default > click OK.

Configure Decryption Policy Rule #3 to decrypt SSH traffic between the inside client (192.168.1.20) and DMZ server (192.168.50.10).

Under General tab > type a Name (DECRYPT-SSH-DMZ).

Under Source tab > Source Zone > Add > inside.

Under Destination tab > Destination Zone > Add > dmz.

Under Options tab > select Action: Decrypt > select Type: SSH Proxy > click OK.

Click Commit. An error will show the Commit Result: Failed. This is due to a forward decrypt trust cert isn't configured yet.

To configure and generate an SSL Decryption (Outbound) certificate on a PAN Firewall, go to Device > Certificate Management > Certificates > Generate.

Select Certificate Type: Local (default) > type the Certificate Name (PAN-CERT-DECRYPT) > type the Common Name (192.168.1.1) > tick Certificate Authority.

You can further add Certificate Attributes on the CA Certificate.

I added Country: SG(Singapore) for the Certificate Attribute.

Click Generate.

Click on the CA Certificate (PAN-CERT-DECRYPT) > tick both the Forward Trust Certificate and Forward Untrust Certificate > click OK.

This will enable the PAN Firewall to act as a man-in-the-middle (MITM) or a proxy server between a client in the inside Zone to a host on the outside Zone.

 

You'll need to export the PAN Firewall CA Certificate to a client machine under Device > Certificate Management > Certificates > tick the PAN-CERT-DECRYPT > Export.

Select File Format: Encrypted Privacy Key and Certificate (PKCS12).

Type a passphrase (minimum length is 6 characters).

Re-type passphrase in Confirm Passphrase > click OK.

Notice the web browser downloaded the PKCS Certificate (at the bottom).

To install the CA cert, click on the Windows icon (bottom left) > type/search for Certificate Manager > click certmgr.msc

Right-click on Trusted Root Certification Authorities (folder on the right) > All Tasks > Import.

A Welcome message for the Certificate Import Wizard will open > click Next.

Click Browse.

Go to Downloads folder > select File Type: Personal Information Exchange (*.pfx; *.p12) > select the cert_PAN-CERT-DECRYPT.p12 created earlier > click Open.

Click Next.

Type the password (same password for creating the CA Certificate) > click Next.

Leave the default Certificate store: Trusted Root Certification Authorities > click Next.

Click Finish.

Click OK.

Notice a new CA cert is added (192.168.1.1).

To view the installed CA cert in Internet Explorer web browser, go to Settings (gear icon) > Internet Options.

Go to Content tab > click Certificates.

Click View.

Notice the PAN Firewall CA cert attributes which are the inside IP address of 192.168.1.1 and Country: SG.

I visited a popular US banking website via HTTPS.

You can add a new column by doing a right-click (on any column) > tick Decrypted.

Notice the traffic between the inside Source 192.168.1.20 to the Destination banking website 171.161.203.100.

The columns for Decrypted: no, To Port: 443 and Application: SSL which means SSL Decryption (Rule #1) is not applied for this traffic (bypassed).

Click the magnifying glass icon to get a Detailed Log View.

I visited again some popular Social Networking sites such as Facebook and Instagram and this time using HTTPS. I got a Web Page Blocked error.

I also got the same error when I visited a popular Streaming Media website such as Youtube.

Notice the columns for Decrypted: yes, To Port: 443 and Application: SSL which means SSL Decryption (Rule #2) is applied for this traffic.

The PAN Firewall performed a deep packet inspection and enforced the URL Filtering policy.

Click the magnifying glass icon to get a Detailed Log View. Notice under Flags: Decrypted.

I tried to download again the eicar files via protocol https. This time the connection was blocked or reset by the PAN Firewall.

The PAN Firewall Antivirus policy kicked in.

To monitor Threat logs, go to Monitor > Logs > Threat. Notice the Action: reset-both.

Click the magnifying glass icon to get a Detailed Log View. Notice under Flags: Decrypted and the File Name was identified.

You can also view the packet capture (PCAP) file by clicking on the download icon (green arrow pointing downward).

I tried to SSH and open a web (HTTP) session on the inside client 192.168.1.20 to the DMZ server 192.168.50.10

Notice Port 80 web-browsing traffic is NOT decrypted (Decrypted: no) while SSH Port 22 is decrypted (Decrypted:yes).

Click the magnifying glass icon to get a Detailed Log View. Notice the web-browsing Application Port 80 has no Flags ticked. This is due to Decryption Policy Rule #3 is only applicable for SSH traffic (TCP port 22).

Notice the SSH Application Port 22 has the Flags: Decrypted