Palo Alto configuration

I will walk you through the steps for configuring the firewall interfaces, defining zones, and setting up a basic security policy.

Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters and exits the firewall through interfaces. The firewall decides how to act on a packet based on whether the packet matches a “security policy”.

At the most basic level, the security policy must identify where the traffic came from and where it is going. On a Palo Alto Networks next-generation firewall, security policies are applied between zones.

A zone is a grouping of interfaces (physical or virtual) that provides an abstraction for an area of trust for simplified policy enforcement.

Create Zone

In our lab network topology, there are three zones: Trust, Untrust, and DMZ. Traffic can flow freely within a zone, but traffic will not be able to flow between zones until we define a security policy that allows it.


Let’s start first by adding 3 security zone on the Paloalto firewall

Under Network -> Zones -> Add.

Create 3 Zones: Trust / Untrust / DMZ with type Layer 3.





Create Virtual Router

In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic.

In Palo Alto firewall you can create multiple virtual routers, each maintaining a separate set of routes that are not shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.

In addition to adding static routes, you can configure the virtual router to participate with dynamic routing protocols (BGP, OSPF, or RIP)


Following simple steps to create a virtual router

Network -> Virtual Routers -> Add


I will create “IT_VR” virtual router and I will add interface after completing interface configuration in next step

In a separate post I will walk you through the steps for configuring static and OSPF rout.

Type name “IT_VR” -> click OK




Create Interface Management profile

The last steps before configuring the interface is to create Interface Mgmt profile

To make an interface PING able on a PaloAlto we need to create an Interface Mgmt profile and assign it to the Interface.

Network -> Network Profiles -> Interface Mgmt ->Add

Type “Allow PING” in the name field and check “ping” as a “permitted services” (you can permit other services like https, SSH  …Etc) then click OK.




Create Interface

I will walk you through the steps for creating Ethernet interface, assign IP address, zone, Mgmt profile, and Virtual Routers.

Let’s Start

Network -> Interface -> Ethernet


Select Ethernet 1/1 -> Add sub interface

Interface Name: ethernet1/1

Interface Type = Layer 3

Comment = LAN

Virtual Router = IT_VR

Security Zone = Trust

IP address

Management Profile: Allow PING


IP4   -> Add -> New address

PA3_11  PA3_12

Then click Advanced

Select “Allow PING” for Management Profile and then click OK


Then need to repeat the process two times for the WAN and DMZ interface

WAN Interface

Interface Name: ethernet1/2

Interface Type = Layer 3

Comment = WAN

Virtual Router = IT_VR

Security Zone = UnTrust

IP address

Management Profile: Allow PING

DMZ Interface

Interface Name: ethernet1/3

Interface Type = Layer 3

Comment =DMZ

Virtual Router = IT_VR

Security Zone = DMZ

IP address

Management Profile: Allow PING

Now you will need to click “Commit” the changes.


PA3_13c  PA3_13d



2 Responses to Palo Alto configuration

  1. Pingback: Palo Alto firewall configuration | IT Mug

  2. Hey There. I found your blog the usage of msn. That is a very neatly written article.
    I will make sure to bookmark it and come back
    to read extra of your useful info. Thanks for the post.
    I will definitely return.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s