Ch 5 LABS

You work as the IT security administrator for a small corporate network. You need to secure access to your pfSense appliance, which is still configured with the default user settings. In this lab, your task is to: Change the password for the default pfSense account from pfsense to P@ssw0rd (use a zero). Create a new administrative user with the following parameters: Username: zolsen Password: St@yout! Full Name: Zoey Olsen Group Membership: admins Set a session timeout of 15 minutes for pfSense. Disable the webConfigurator anti-lockout rule for HTTP.

Access the pfSense management console. From the taskbar, select Google Chrome. Maximize the window for better viewing. In the Google Chrome address bar, enter 198.28.56.18 and then press Enter. Enter the pfSense sign-in information as follows: Username: admin Password: pfsense Select SIGN IN. Change the password for the default (admin) account. From the pfSense menu bar, select System > User Manager. For the admin account, under Actions, select the Edit user icon (pencil). For the Password field, change to P@ssw0rd (use a zero). For the Confirm Password field, enter P@ssw0rd. Scroll to the bottom and select Save. Create and configure a new pfSense user. Select Add. For Username, enter zolsen. For the Password field, enter St@yout!. For the Confirm Password field, enter St@yout! For Full Name, enter Zoey Olsen. For Group Membership, select admins and then select Move to Member of list. Scroll to the bottom and select Save. Set a session timeout for pfSense. Under the System breadcrumb, select Settings. For Session timeout, enter 15. Select Save. Disable the webConfigurator anti-lockout rule for HTTP. From the pfSense menu bar, select System > Advanced. Under webConfigurator, for Protocol, select HTTP. Select Anti-lockout to disable the webConfigurator anti-lockout rule. Scroll to the bottom and select Save.

You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the Networking Closet by restricting access management and by updating the switch's firmware. In this lab, your task is to: Create an access profile named MgtAccess and configure it with the following settings: Setting Value Access Profile Name MgtAccess Rule Priority 1 Management Method All Action Deny Applies to Interface All Applies to Source IP address All Add a profile rule to the MgtAccess profile with the following settings: Setting Value Rule Priority 2 Management Method HTTP Action Permit Applies to interface All Applies to Source IP address User defined IP Version: Version 4 IP Address: 192.168.0.10 Network Mask: 255.255.255.0 Set the MgtAccess profile as the active access profile. Save the changes to the switch's startup configuration file using the default settings. Update the firmware image to the latest version by downloading the firmware files found in C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros.

Create and configure an Access Profile named MgtAccess. From the left pane, expand and select Security > Mgmt Access Method > Access Profiles. Select Add. Enter the Access Profile Name of MgtAccess. Enter the Rule Priority of 1. For Action, select Deny. Select Apply and then select Close. Add a profile rule to the MgtAccess profile. From the left pane, under Security > Mgmt Access Method, select Profile Rules. Select the MgtAccess profile and then select Add. Enter a Rule Priority of 2. For Management Method, select HTTP. For Applies to Source IP Address, select User Defined. For IP Address, enter 192.168.0.10. Enter the 255.255.255.0. Select Apply and then select Close. Set the MgtAccess profile as the active access profile. From the left pane, under Security > Mgmt Access Method, select Access Profiles. Use the Active Access Profile drop-down list to select MgtAccess. Select Apply. Select OK. Save the changes to the switch's startup configuration file. At the top, select Save. For Source File Name, make sure Running configuration is selected. For Destination File Name, make sure Startup configuration is selected. Select Apply. Select OK. Upgrade the firmware image to the latest version. From the left pane, select Getting Started. Under Quick Access, select Upgrade Device Software. For File Name, select Choose File. Browse to and select C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros. Select Open. Select Apply. Select OK. From the left pane, under File Management, select Active Image. For Active Image After Reboot, use the drop-down menu to select Image 2. Select Apply. From the left pane under Administration, select Reboot. From the right pane, select Reboot. Select OK.

You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the Networking Closet by creating an access control list. You have been asked to prevent video game consoles from connecting to the switch. In this lab, your task is to: Create a MAC-based ACL named GameConsoles. Configure the GameConsoles MAC-based access control entry (ACE) settings as follows: Priority Action Destination MAC Address Source MAC Address 1 Deny Any Value: 00041F111111 Mask: 000000111111 2 Deny Any Value: 005042111111 Mask: 000000111111 3 Deny Any Value: 000D3A111111 Mask: 000000111111 4 Deny Any Value: 001315111111 Mask: 000000111111 5 Deny Any Value: 0009BF111111 Mask: 000000111111 6 Deny Any Value: 00125A111111 Mask: 000000111111 Bind the GameConsoles ACL to all of the GE1-GE30 interfaces. Use Copy Settings to apply the binding to multiple interfaces Save the changes to the switch's startup configuration file. Use the default settings.

Create the GameConsoles ACL. From the Getting Started page, under Quick Access, select Create MAC-Based ACL. Select Add. In the ACL Name field, enter GameConsoles Click Apply and then click Close. Create MAC-based access control. Select MAC-Based ACE Table. Select Add. Enter the priority. Select the action. For Destination MAC Address, make sure Any is selected. For Source MAC Address, select User Defined. Enter the source MAC address value. Enter the source MAC address mask. Click Apply. Repeat steps 2c-2i for additional ACE entries. Click Close. Bind the GameConsoles ACL to all of the interfaces. From the left pane, under Access Control, select ACL Binding (Port). Select GE1. At the bottom of the window, select Edit. Click Select MAC-Based ACL. Select Apply and then select Close. Select Copy Settings. In the Copy configuration's to field, enter 2-30. Click Apply. Save the Configuration. From the top of the window, select Save. Under Source File Name, make sure Running configuration is selected. Under Destination File Name, make sure Startup configuration is selected. Click Apply. Click OK.

The Fiji router has been configured with Standard IP Access List 11. The access list is applied to the Fa0/0 interface. The access list must allow all traffic except traffic coming from hosts 192.168.1.10 and 192.168.1.12. However, you've noticed that it's preventing all traffic from being sent on Fa0/0. You remember that access lists contain an implied deny any statement. This means that any traffic not permitted by the list is denied. For this reason, access lists should contain at least one permit statement or all traffic is blocked. In this lab, your task is to: Add a permit any statement to Access List 11 to allow all traffic other than the restricted traffic. Save your changes in the startup-config file.

Enter the configuration mode for the Fiji router: From the exhibit, select the Fiji router. From the terminal, press Enter. Type enable and then press Enter. Type config term and then press Enter. From the terminal, add a permit any statement to Access List 11 to allow all traffic other than the restricted traffic. Type access-list 11 permit any and press Enter. Press Ctrl + Z. Save your changes in the startup-config file. Type copy run start and then press Enter. Press Enter to begin building the configuration. Press Enter.

As an IT administrator, you need to know how security breaches are caused. You know that SMAC is used for MAC spoofing, so you are going to spoof your MAC address. In this lab, your task is to complete the following: On Office2, use ipconfig /all and find the IP address and MAC address. Using SMAC, spoof the MAC address on ITAdmin to match that of Office2. Refresh the IP address on ITAdmin. Verify the MAC and IP address now match Office2.

Find the MAC address for Office2. Right-click Start and then select Windows PowerShell (Admin). From the Command Prompt, type ipconfig /all and press Enter. Find the MAC address. Spoof the MAC address. From the top navigation tabs, select Floor 1 Overview. Under IT Administration, select ITAdmin. In the Windows search bar, type SMAC. Under Best match, right-click SMAC and select Run as administrator. In the New Spoofed Mac Address field, type 00:00:55:55:44:15 (the MAC address from Office2). Select Update MAC. Select OK to confirm the adapter restart. Renew the IP information for the ITAdmin computer. Right-click Start and select Windows PowerShell (Admin). From the Command Prompt, type ipconfig /renew to renew the IP address. Type ipconfig /all to confirm the MAC address and the IP address have been updated.

You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the networking closet. The following table lists the used and unused ports: Unused Ports Used Ports GE2 GE1 GE7 GE3-GE6 GE9-GE20 GE8 GE25 GE21-GE24 GE27-GE28 GE26 In this lab, your task is to: Shut down the unused ports. Configure the following Port Security settings for the used ports: Interface Status: Lock Learning Mode: Classic Lock Action on Violation: Discard

Shut down the unused ports. Under Initial Setup, select Configure Port Settings. Select the GE2 port. Scroll down and select Edit. Under Administrative Status, select Down. Scroll down and select Apply. Select Close. With the GE2 port selected, scroll down and select Copy Settings. In the Copy configuration field, enter the remaining unused ports. Select Apply. From the Port Setting Table, in the Port Status column, you can see that all the ports are down now. Configure the Port Security settings. From the left menu, expand Security. Select Port Security. Select the GE1 port. Scroll down and select Edit. Under Interface Status, select Lock. Under Learning Mode, make sure Classic Lock is selected. Under Action on Violation, make sure Discard is selected. Select Apply. Select Close. Scroll down and select Copy Settings. Enter the remaining used ports Select Apply.

You are the security analyst for a small corporate network. After monitoring your network, you have discovered that several employees are wasting time visiting non-productive and potentially malicious websites. As such, you have added pfBlockerNG to your pfSense device. You now need to configure this feature and add the required firewall rules that allow/block specific URLs and prevent all DNS traffic from leaving your LAN network. In this lab, your task is to: Sign in to pfSense using: Username: admin Password: P@ssw0rd (zero) Create a firewall rule that blocks all DNS traffic leaving the LAN network. Create a firewall rule that allows all DNS traffic going to the LAN network. Use the following table for the two rules: Parameter Setting Protocol UDP (53) Descriptions For the block rule: Block DNS from LAN For the allow rule: Allow all DNS to LAN Arrange the firewall rules in the order that allows them to function properly. Enable and configure pfBlockerNG using the information in the following table: Parameter Setting DNSBL Virtual IP 192.168.0.0 Top-Level Domain (TLD) Blacklist financereports.co totalpad.com salesscript.info Top-Level Domain (TLD) Whitelist .www.google.com .play.google.com .drive.google.com

Sign into the pfSense management console. In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. Create a firewall rule that blocks all DNS traffic coming from the LAN. From the pfSense menu bar, select Firewall > Rules. Under the Firewall breadcrumb, select LAN. Select Add (either one). Under Edit Firewall Rule, use the Action drop-down to select Block. Under Edit Firewall Rule, set Protocol to UDP. Under Source, use the drop-down menu to select LAN net. Under Destination, configure the Destination Port Range to use DNS (53) (for From and To). Under Extra Options, in the Description field, enter Block DNS from LAN. Select Save. Select Apply Changes. Create a firewall rule that allows all DNS traffic going to the LAN network. Select Add (either one). Under Edit Firewall Rule, set Protocol to UDP. Under Destination, use the drop-down menu to select LAN net. Configure the Destination Port Range to use DNS (53) (for From and To). Under Extra Options, in the Description field, enter Allow all DNS to LAN. Select Save. Select Apply Changes. Arrange the firewall rules in the order that allows them to function properly. Using drag-and-drop, move the rules to the following order (top to bottom): Anti-Lockout Rule Allow all DNS to LAN Block DNS from LAN Select Save. Select Apply Changes. Enable pfBlockerNG. From the pfSense menu bar, select Firewall > pfBlockerNG. Under General Settings, select Enable pfBlockerNG. Scroll to the bottom and select Save. Enable and configure DNS block lists. Under the Firewall breadcrumb, select DNSBL. Select Enable DNSBL. For DNSBL Virtual IP, enter 192.168.0.0. Scroll to the bottom and expand TLD Blacklist. Enter the following URLs in the TLD Blacklist box: financereports.co totalpad.com salesscript.info Expand TLD Whitelist and then enter the following URLs: .www.google.com .play.google.com .drive.google.com Select Save.

You work as the IT security administrator for a small corporate network. Occasionally, you and your co-administrators need to access internal resources when you are away from the office. You would like to set up a Remote Access VPN using pfSense to allow secure access. In this lab, your task is to use the pfSense wizard to create and configure an OpenVPN Remote Access server using the following guidelines: Sign in to pfSense using: Username: admin Password: P@ssw0rd (zero) Create a new certificate authority certificate using the following settings: Name: CorpNet-CA Country Code: GB State: Cambridgeshire City: Woodwalton Organization: CorpNet Create a new server certificate using the following settings: Name: CorpNet Country Code: GB State: Cambridgeshire City: Woodwalton Configure the VPN server using the following settings: Interface: WAN Protocol: UDP on IPv4 only Description: CorpNet-VPN Tunnel network IP: 198.28.20.0/24 Local network IP: 198.28.56.18/24 Concurrent Connections: 4 DNS Server 1: 198.28.56.1 Configure the following: A firewall rule An OpenVPN rule Set the OpenVPN server just created to Remote Access (User Auth). Create and configure the following standard remote VPN users: Username Password Full Name blindley L3tM31nNow Brian Lindley jphillips L3tM31nToo Jacob Phillips

Sign into the pfSense management console. In the Username field, enter admin. In the Password field, enter P@ssw0rd (zero). Select SIGN IN or press Enter. Start the VPN wizard and select the authentication backend type. From the pfSense menu bar, select VPN > OpenVPN. From the breadcrumb, select Wizards. Under Select an Authentication Backend Type, make sure Local User Access is selected. Select Next. Create a new certificate authority certificate. For Descriptive Name, enter CorpNet-CA. For Country Code, enter GB. For State, enter Cambridgeshire. For City, enter Woodwalton. For Organization, enter CorpNet. Select Add new CA. Create a new server certificate. For Descriptive Name, enter CorpNet. Verify that all of the previous changes (Country Code, State/Providence, and City) are the same. Use all other default settings. Select Create new Certificate. Configure the VPN server. Under General OpenVPN Server Information: Use the Interface drop-down menu to select WAN. Verify that the Protocol is set to UDP on IPv4 only. For Description, enter CorpNet-VPN. Under Tunnel Settings: For Tunnel Network, enter 198.28.20.0/24. For Local Network, enter 198.28.56.18/24. For Concurrent Connections, enter 4. Under Client Settings, in DNS Server1, enter 198.28.56.1. Select Next. Configure the firewall rules. Under Traffic from clients to server, select Firewall Rule. Under Traffic from clients through VPN, select OpenVPN rule. Select Next. Select Finish. Set the OpenVPN server just created to Remote Access (User Auth). For the WAN interface, select the Edit Server icon (pencil). For Server mode, use the drop-down and select Remote Access (User Auth). Scroll to the bottom and select Save. Configure the following Standard VPN users. From the pfSense menu bar, select System > User Manager. Select Add. Configure the User Properties as follows: Username: Username Password: Password Full name: Fullname Scroll to the bottom and select Save. Repeat steps 8b-8d to created the remaining VPN users.

You work as the IT security administrator for a small corporate network. You recently set up the Remote Access VPN feature on your network security appliance to provide you and your fellow administrators with secure access to your network. You are currently at home and would like to connect your iPad to the VPN. Your iPad is connected to your home wireless network. In this lab, your task is to: Add an IPSec VPN connection using the following values: Parameter Value Description CorpNetVPN Server 198.28.56.34 Account mbrown Secret asdf1234$ Turn on the VPN. Verify that a connection is established. The password for mbrown is L3tM31nN0w (0 = zero).

Verify your connection to the Home-Wireless network. Select Settings. Select Wi-Fi. Add and configure a VPN. From the left menu, select General. From the right menu, select VPN. Select Add VPN Configuration. Select IPSec. In the Description field, enter CorpNetVPN. In the Server field, enter 198.28.56.34. In the Account field, enter mbrown. In the Secret field, enter asdf1234$. In the upper right, select Save. Connect to the VPN just created. Under VPN Configuration, slide Not Connected to ON. When prompted, enter L3tM31nN0w (0 = zero) as the password. Select OK.

Listen to simulation instructions You work as the IT security administrator for a small corporate network. You recently placed a web server in the demilitarized zone (DMZ). You need to configure the perimeter firewall on the network security appliance (pfSense) to allow access from the WAN to the Web server in the DMZ using both HTTP and HTTPs. You also want to allow all traffic from the LAN network to the DMZ network. In this lab, your task is to: Access the pfSense management console: Username: admin Password: P@ssw0rd (zero) Create and configure a firewall rule to pass HTTP traffic from the WAN to the Web server in the DMZ. Create and configure a firewall rule to pass HTTPS traffic from the WAN to the Web server in the DMZ. Use the following table when creating the HTTP and HTTPS firewall rules: Parameter Setting Source WAN network Destination port/service HTTP (80), HTTPS (443) Destination A single host IP address for host 172.16.1.5 Descriptions For HTTP: HTTP from WAN to DMZ For HTTPS: HTTPS from WAN to DMZ Create and configure a firewall rule to pass all traffic from the LAN network to the DMZ network. Use the description LAN to DMZ Any.

1. Sign in to the pfSense management console. a. In the Username field, enter admin. b. In the Password field, enter P@ssw0rd (zero). c. Select SIGN IN or press Enter. 2. Create and configure a firewall rule to pass HTTP traffic from the WAN to the Web server in the DMZ. a. From the pfSense menu bar, select Firewall > Rules. b. Under the Firewall breadcrumb, select DMZ. c. Select Add (either one). d. Make sure Action is set to Pass. e. Under Source, use the drop-down to select WAN net. f. Under Destination, use the Destination drop-down to select Single host or alias. g. In the Destination Address field, enter 172.16.1.5. h. Using the Destination Port Range drop-down, select HTTP (80). i. Under Extra Options, in the Description field, enter HTTP from WAN to DMZ. j. Select Save. k. Select Apply Changes. 3. Create and configure a firewall rule to pass HTTPS traffic from the WAN to the Web server in the DMZ. a. For the rule just created, select the Copy icon (two files). b. Under Destination, change the Destination Port Range to HTTPS (443). c. Under Extra Options, change the Description filed to HTTPS from WAN to DMZ. d. Select Save. e. Select Apply Changes. 4. Create and configure a firewall rule to pass all traffic from the LAN network to the DMZ network. a. Select Add (either one). b. Make sure Action is set to Pass. c. For Protocol, use the drop-down to select Any. d. Under Source, use the drop-down to select LAN net. e. Under Destination, use the drop-down to select DMZ net. f. Under Extra Options, change the Description filed to LAN to DMZ Any. g. Select Save. h. Select Apply Changes.

You are the IT administrator for a small corporate network. One of your assignments is to manage several computers in the demilitarized zone (DMZ). However, your computer resides on the LAN network. To be able to manage these machines remotely, you have decided to configure your pfSense device to allow several remote control protocols to pass through the pfSense device using NAT port forwarding. In this lab, your task is to create NAT forwarding rules to: Access the pfSense management console: Username: admin Password: P@ssw0rd (zero) Allow the RDP/TCP Protocols from the LAN network to the administrator's PC located in the DMZ using the following guidelines: IP address for the administrator's PC: 172.16.1.100 Description: RDP from LAN to Admin Allow the SSH Protocol through the pfSense device to the Kali Linux server using the following guidelines: IP address for the Linux Kali server: 172.16.1.6 Description: SSH from LAN to Kali Allow the RDP/TCP Protocols from the LAN network to the web server located in the DMZ using the following guidelines: Destination and redirect port: Port 5151 IP address for the web server: 172.16.1.5 Description: RDP from LAN to web server using custom port

1. Sign into the pfSense management console. a. In the Username field, enter admin. b. In the Password field, enter P@ssw0rd (zero). c. Select SIGN IN or press Enter. 2. Configure NAT port forwarding for the administrator's PC. a. From the pfSense menu bar, select Firewall > NAT. b. Select Add (either one). c. Configure or verify the following settings: Interface: LAN Protocol: TCP Destination type: LAN address Destination port range (From and To): MS RDP Redirect target IP: 172.16.1.100 Redirect target port: MS RDP Description: RDP from LAN to Admin d. Select Save. 3. Configure NAT port forwarding for the Kali Linux server. a. Select Add (either one). b. Configure or verify the following settings: Interface: LAN Protocol: TCP Destination type: LAN address Destination port range (From and To): SSH Redirect target IP: 172.16.1.6 Redirect target port: SSH Description: SSH from LAN to Kali c. Select Save. 4. Configure NAT port forwarding for the web server. a. Select Add (either one). b. Configure or verify the following settings: Interface: LAN Protocol: TCP Destination type: LAN address Destination port range (From and To): Other Custom (From and To) 5151 Redirect target IP: 172.16.1.5 Redirect target port: MS RDP Description: RDP from LAN to web server using custom port c. Select Save. d. Select Apply Changes.

You are the IT administrator for a small corporate network. You want to make a web server that runs services accessible from the internet. To help protect your company, you want to place this server and other devices in a demilitarized zone (DMZ). This DMZ and server need to be protected by the pfSense Security Gateway Appliance (pfSense). Since a few of the other devices in the DMZ require an IP address, you have also decided to enable DHCP on the DMZ network. In this lab, your task is to perform the following: Access the pfSense management console: Username: admin Password: P@ssw0rd (zero) Add a new pfSense interface that can be used for the DMZ. Name the interface DMZ. Use a static IPv4 address of 172.16.1.1/16 Add a firewall rule for the DMZ interface that allows all traffic from the DMZ. Use a description of Allow DMZ to any rule Configure and enable the DHCP server for the DMZ interface. Use a range of 172.16.1.100 to 172.16.1.200

1. Sign into the pfSense management console. a. In the Username field, enter admin. b. In the Password field, enter P@ssw0rd (zero). c. Select SIGN IN or press Enter. 2. Configure an interface for the DMZ. a. From the pfSense menu bar, select Interfaces > Assignments. b. Select Add. c. Select OPT1. d. Select Enable interface. e. Change the Description field to DMZ. f. Under General Configuration, use the IPv4 Configuration Type drop-down menu to select Static IPv4. g. Under Static IPv4 Configuration, in the IPv4 Address field, enter 172.16.1.1. h. Use the subnet mask drop-down menu to select 16. i. Select Save. j. Select Apply Changes. k. (Optional) Verify the change as follows: From the menu bar, select pfsense COMMUNITY EDITION. Under Interfaces, verify that the DMZ is shown with the correct IP address. 3. Add a firewall rule to the DMZ interface. a. From the pfSense menu bar, select Firewall > Rules. b. Under the Firewall breadcrumb, select DMZ. (Notice that no rules have been created.) c. Under the Firewall breadcrumb, select LAN. d. Under the Actions column, select the copy icon (two files) for the rule with a source of LAN net. e. For the Action field, make sure Pass is selected. f. For the Interface field, use the drop-down menu to select DMZ. g. For Protocol, make sure it's set to Any. h. Under Source, use the drop-down menu to select DMZ net. i. Under Destination, make sure it is configured for any. j. Under Extra Options, change the description to Allow DMZ to any rule. (Is case sensitive.) k. Scroll to the bottom and select Save. l. Select Apply Changes. 4. Configure pfSense's DHCP server for the DMZ interface. a. From the menu bar, select Services > DHCP Server. b. Under the Services breadcrumb, select DMZ. c. Select Enable. d. Configure the Range field as follows: From: 172.16.1.100 To: 172.16.1.200 e. Scroll to the bottom and select Save.

You are the IT administrator for a small corporate network. Several employees have complained of slow internet bandwidth. You have discovered that the user stations on the guest Wi-Fi network are consuming much of your company's bandwidth. You have decided to use pfSense's Traffic Shaper wizard to create the various rules needed to better control the bandwidth usage and to fine-tune the priority for the type of traffic used on your guest Wi-Fi network. Your network has one LAN and one WAN. In this lab, your task is to: Access the pfSense management console: Username: admin Password: P@ssw0rd (zero) Create a firewall alias using the following specifications: Name: HighBW Description: High bandwidth users Assign the IP addresses of the high-bandwidth users to the alias: Vera's IP address: 172.14.1.25 Paul's IP address: 172.14.1.100 The Shaper must be configured for the GuestWi-Fi interface using: An upload bandwidth of 5 Mbits A download bandwidth of 45 Mbits Allow your voice over IP traffic to have priority with: An upload bandwidth of 15 Mbits A download bandwidth of 20 Mbits To limit the user stations most likely to hog bandwidth, use the alias created earlier to penalize the offending stations to 2% of the bandwidth. Give a higher priority to the following services and protocols: MSRDP VNC PPTP IPSEC Change the port number used on the floating rule created for MSRDP as follows: Interface: GuestWi-Fi Destination Port Range: 3391 Answer the question.

1. Sign into the pfSense management console. a. In the Username field, enter admin. b. In the Password field, enter P@ssw0rd (zero). c. Select SIGN IN or press Enter. 2. Create a high bandwidth usage alias. a. From the pfSense menu bar, select Firewall > Aliases. b. Select Add. c. Configure the Properties as follows: Name: HighBW Description: High bandwidth users Type: Host(s) d. Add the IP addresses of the offending computers to the host(s) configuration: Under Host(s), in the IP or FQDN field, enter 172.14.1.25 Select Add Host. In the new IP or FQDN field, enter 172.14.1.100 e. Select Save. f. Select Apply Changes. 3. Start the Traffic Shaper wizard for dedicated links. a. From the pfSense menu bar, select Firewall > Traffic Shaper. b. Under the Firewall bread crumb, select Wizards. c. Select traffic_shaper_wizard_dedicated.xml. d. Under Traffic shaper Wizard, in the Enter number of WAN type connections field, enter 1 and then select Next. 4. Configure the Traffic Shaper. a. Make sure you are on Step 1 of 8. b. Using the drop-down menu for the upper Local interface, select GuestWi-Fi. c. Using the drop-down menu for lower Local interface, make sure PRIQ is selected. d. For the upper Upload field, enter 5. e. Using the drop-down menu for the lower Upload field, select Mbit/s. f. For the top Download field, enter 45. g. Using the drop-down menu for the lower Download field, select Mbit/s. h. Select Next. 5. Prioritize voice over IP traffic. a. Make sure you are on Step 2 of 8. b. Under Voice over IP, select Enable to prioritize the voice over IP traffic. c. Under Connection #1 parameters, in the Upload rate field, enter 15. d. Using the drop-down menu for the top Units, select Mbit/s. e. For the Download rate, enter 20. f. Using the drop-down menu for the bottom Units, select Mbit/s. g. Select Next. 6. Enable and configure a penalty box. a. Make sure you are on Step 3 of 8. b. Under Penalty Box, select Enable to enable the penalize IP or alias option. c. In the Address field, enter HighBW. This is the alias created earlier. d. For Bandwidth, enter 2. e. Select Next. 7. Skip steps 4 and 5. a. For Step 4 of 8, scroll to the bottom and select Next. b. For Step 5 of 8, scroll to the bottom and select Next. 8. Raise and lower the applicable application's priority. a. Make sure you are on Step 6 of 8. b. Under Raise or lower other Applications, select Enable to enable other networking protocols. c. Under Remote Service / Terminal emulation, use the: MSRDP drop-down menu to select Higher priority. VNC drop-down menu to select Higher priority. d. Under VPN: Use the PPTP drop-down menu to select Higher priority Use the IPSEC drop-down menu to select Higher priority e. Scroll to the bottom and select Next. f. For step 7 of 8, select Finish. Wait for the reload status to indicate that the rules have been created (look for Done). 9. View the floating rules created for the firewall. a. Select Firewall > Rules. b. Under the Firewall breadcrumb, select Floating. c. In the top right, select Answer Questions. d. Answer the question and then minimize the question dialog. 10. Change the port number used for the MSRDP outbound rule. a. For the m_Other MSRDP outbound rule, select the edit icon (pencil). b. Under Edit Firewall Rule, in the Interface field, select GuestWi-Fi. c. Under Destination, use the Destination Port Range drop-down menu to select Other. d. In both Custom fields, enter 3391. e. Select Save. f. Select Apply Changes. g. In the top right, select Answer Questions. h. Select Score Lab.

You are an IT security administrator for a small corporate network. To increase security for the corporate network, you have installed the pfSense network security appliance in your network. Now you need to configure the device. In this lab, your task is to configure pfSense as follows: Sign in to pfSense using the following case-sensitive information: URL: 198.28.56.18 Username: admin Password: pfsense Configure the DNS servers as follows: Primary DNS server: 163.128.78.93 - Hostname: DNS1 Secondary DNS server: 163.128.80.93 - Hostname: DNS2 Configure the WAN IPv4 information as follows: Enable the interface. Use a static IPv4 address of 65.86.24.136/8 Add a new gateway using the following information: Type: Default gateway Name: WANGateway IP address: 65.86.1.1

Access the pfSense management console. From the taskbar, select Google Chrome. Maximize the window for better viewing. In the address bar, type 198.28.56.18 and then press Enter. Sign in using the following case-sensitive information: Username: admin Password: pfsense Select SIGN IN or press Enter. Configure the DNS Servers. From the pfSense menu bar, select System > General Setup. Under DNS Server Settings, configure the primary DNS Server as follows: Address: 163.128.78.93 Hostname: DNS1 Gateway: None Select Add DNS Server to add a secondary DNS Server and then configure it as follows: Address: 163.128.80.93 Hostname: DNS2 Gateway: None Scroll to the bottom and select Save. Configure the WAN settings. From pfSense menu bar, select Interfaces > WAN. Under General Configuration, select Enable interface. Use the IPv4 Configuration Type drop-down to select Static IPv4. Under Static IPv4 Configuration, in the IPv4 Address field, enter 65.86.24.136. Use the IPv4 Address subnet drop-down to select 8. Under Static IPv4 Configuration, select Add a new gateway. Configure the gateway settings as follows: Default: Select Default gateway Gateway name: Enter WANGateway Gateway IPv4: 65.86.1.1 Select Add. Scroll to the bottom and select Save. Select Apply Changes.

You have a small business network connected to the internet through a single router as shown in the network diagram. You have noticed that three hosts on the internet have been flooding your router with unwanted traffic. As a temporary measure, you want to prevent all communication from these three hosts until the issue is resolved. In this lab, your task is to: Create a Standard Access List 25. Add statements to the access list to block traffic from the following hosts: 199.68.111.199 202.177.9.1 211.55.67.11 Add a statement to allow all other traffic from all other hosts. Apply Access List 25 to the Serial0/0/0 interface to filter incoming traffic.

Enter the configuration mode for the router: From the exhibit, select the router. From the terminal, press Enter. Type enable and then press Enter. Type config term and then press Enter. From the terminal, create a standard numbered access list using number 25. Add statements to the access list to block traffic to the required hosts. Type access-list 25 deny host 199.68.111.199 and press Enter. Type access-list 25 deny host 202.177.9.1 and press Enter. Type access-list 25 deny host 211.55.67.11 and press Enter. From the terminal, add a statement to allow all other traffic from all other hosts, by typing access-list 25 permit any and pressing Enter. From the terminal, apply Access List 25 to the Serial0/0/0 interface to filter incoming traffic. Type int s0/0/0 and press Enter. Type ip access-group 25 in and press Enter. Type Ctrl + Z.

You are in the process of configuring a new router. The router interfaces connect to the following networks: Interface Network FastEthernet0/0 192.168.1.0/24 FastEthernet0/1 192.168.2.0/24 FastEthernet0/1/0 192.168.3.0/24 Only Telnet and SSH access from these three networks should be allowed. In this lab, your task is to: Use the access-list command to create a standard numbered access list using number 5. Add a permit statement for each network to the access list. Use the access-class command to apply the access list to VTY lines 0-4. Use the in direction to filter incoming traffic. Save your changes in the startup-config file.

Enter the configuration mode for the router: From the exhibit, select the router. From the terminal, press Enter. Type enable and then press Enter. Type config term and then press Enter. From the terminal, create a standard numbered access list using number 5. Add a permit statement for each network to the access list. Type access-list 5 permit 192.168.1.0 0.0.0.255 and then press Enter. Type access-list 5 permit 192.168.2.0 0.0.0.255 and then press Enter. Type access-list 5 permit 192.168.3.0 0.0.0.255 and then press Enter. Apply the access list to VTY lines 0-4. Filter incoming traffic. Type line vty 0 4 and then press Enter. Type access-class 5 in and then press Enter. Press Ctrl + Z. Save your changes in the startup-config file. Type copy run start and then press Enter. Press Enter to begin building the configuration. Press Enter.

You are the IT security administrator for a small corporate network. You need to increase the networking closet's security by implementing a CCTV system with IP cameras. As part of this task, you need to separate the CCTV data traffic on the network using a separate VLAN on the switch. The patch panel connections for the networking closet, lobby, and IT administration office are installed and ready for use (ports 18-20). A DHCP server is already configured to provide the IP cameras and the laptop in the IT administration office with the correct TCP/IP settings (port 21). For an easier implementation, create the logical VLAN first and then establish the physical connections of the IP cameras and the laptop. In this lab, your task is to perform the following: Access the switch management console from ITAdmin using the following credentials: Address: http://192.168.0.2 Username: ITSwitchAdmin Password: Admin$only (the password is case-sensitive) Create and configure a VLAN on the switch as follows: VLAN ID: 2 VLAN Name: IPCameras Configure ports GE18, GE19, GE20, GE21 as untagged.. In the lobby and networking closet, perform the following: Connect a Cat5e cable to the RJ-45 ports on the IP camera and the IP camera wall plate. Mount the IP camera on the wall plate. In the networking closet, connect the DHCP server to the VLAN using a Cat5e cable from switch port 21 to patch panel port 21 in the rack. In the IT administration office, connect a Cat5e cable to the laptop's network port and the open port on the wall plate. On IT-Laptop2, verify the VLAN configuration and IP camera installation as follows: Select Start > IP Cameras. Verify that the program detects the IP cameras on the VLAN 2 network.

From the ITAdmin computer, log into the CISCO switch. From the taskbar, open Google Chrome. Maximize the window for easier viewing. In the URL field, enter 192.168.0.2 and press Enter. For Username, enter ITSwitchAdmin. For Password, enter Admin$only (password is case-sensitive). Select Log In. Create a VLAN. From the Getting Started pane, under Initial Setup, select Create VLAN. Select Add. For VLAN ID, enter 2. For VLAN Name, enter IPCameras. Select Apply. Select Close. Configure a VLAN. From the left pane, under VLAN Management, select Port to VLAN. From the the VLAN ID equals to drop-down menu, select 2. Select Go. For ports GE18, GE19, GE20, and GE21, select Untagged. Select Apply. Connect the IP camera in the lobby to the VLAN and mount the IP cameras. From the top navigation area, select Floor 1. Under Lobby, select Hardware. Under Shelf, expand CCTV Cameras. Drag the IP Camera (Lobby) to the workspace. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera. Under Shelf, expand Cables and then select a Cat5e Cable, RJ45. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the IP Camera wall mount plate. From the wall plate's Partial Connections list, drag the other connector to the RJ-45 port on the back of the IP camera. Drag the IP camera to the IP camera wall plate. Connect the IP camera in the networking closet to the VLAN and mount the IP cameras. From the top navigation area, select Floor 1. Under Networking Closet, select Hardware. Under Shelf, expand CCTV Cameras. Drag the IP Camera (Networking Closet) to the workspace. Under Workspace for the IP camera, select Back to switch to the back view of the IP camera. Under Shelf, expand Cables and then select Cat5e Cable, RJ45. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the IP Camera mount wall plate. Under Selected Component, drag the unconnected RJ45 cable to the RJ-45 port on the back of the IP camera. To mount the IP camera, drag the IP camera to the IP camera wall plate. Connect the DHCP server and laptop to the VLAN. In the networking closet, under Shelf, select a Cat5e Cable, RJ45. Under Selected Component, drag a RJ45 Connector to port 21 on the switch. Under Selected Component, drag the unconnected RJ45 Connector to port 21 on the patch panel. Connect the laptop to the VLAN. From the top menu, select Floor 1. Under IT Administration, select Hardware. Above the laptop, select Back to switch to the back view of the laptop. Under Shelf, select Cat5e Cable, RJ45. Under Selected Component, drag a RJ45 Connector to the RJ-45 port on the laptop. Under Selected Component, drag the unconnected RJ45 Connector to the open RJ-45 port on the wall plate. Launch the IP camera monitoring software. Under the laptop's workspace, select Front. On the IT-Laptop2, select Click to view Windows 10. From the taskbar, select Start. Select IP Cameras. Verify that both cameras are detected on the network.

You are the IT security administrator for a small corporate network. You need to secure access to your switch, which is still configured with the default settings. In this lab, your task is to: Create a new user account with the following settings: Username: ITSwitchAdmin Password: Admin$only1844 User Level: Read/Write Management Access (15) Edit the default user account as follows: Username: cisco Password: CLI$only1958 User Level: Read-Only CLI Access (1) Save the changes to the switch's startup configuration file.

Log in to the CISCO switch. From the taskbar, select Google Chrome. In the URL field, enter 192.168.0.2 and press Enter. Maximize the window for easier viewing. In the Username and Password fields, enter cisco (case sensitive). Select Log In. Create a new user account. From Getting Started under Quick Access, select Change Device Password. Select Add. For the username, enter ITSwitchAdmin (case sensitive). For the password, enter Admin$only1844 (case sensitive). For Confirm Password, enter Admin$only1844. For User Level, make sure Read/Write Management Access (15) is selected. Select Apply. Select Close. Edit the default user account. Under User Account Table, select cisco (the default user) and then select Edit. For the password, enter CLI$only1958. For Confirm Password, enter CLI$only1958. For User Level, select Read-Only CLI Access (1). Select Apply. Save the changes to the switch's startup configuration file. From the top of the switch window, select Save. Under Source File Name, make sure Running configuration is selected. Under Destination File Name, make sure Startup configuration is selected. Select Apply. Select OK. Select Done.