Palo Alto configuration

I will walk you through the steps for configuring the firewall interfaces, defining zones, and setting up a basic security policy.

Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters and exits the firewall through interfaces. The firewall decides how to act on a packet based on whether the packet matches a “security policy”.

At the most basic level, the security policy must identify where the traffic came from and where it is going. On a Palo Alto Networks next-generation firewall, security policies are applied between zones.

A zone is a grouping of interfaces (physical or virtual) that provides an abstraction for an area of trust for simplified policy enforcement.

Create Zone

In our lab network topology, there are three zones: Trust, Untrust, and DMZ. Traffic can flow freely within a zone, but traffic will not be able to flow between zones until we define a security policy that allows it.


Let’s start by adding three security zones on the Palo Alto firewall.

Under Network -> Zones -> Add.

Create three zones, Trust, Untrust, and DMZ, each with type Layer 3.


Create Virtual Router

In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic.

On a Palo Alto firewall you can create multiple virtual routers, each maintaining its own set of routes that is not shared with the other virtual routers, so you can configure different routing behaviour for different interfaces.

In addition to adding static routes, you can configure the virtual router to participate in dynamic routing protocols (BGP, OSPF, or RIP).

Follow these simple steps to create a virtual router:

Network -> Virtual Routers -> Add


I will create the “IT_VR” virtual router now and add the interfaces to it after completing the interface configuration in the next step.

In a separate post I will walk you through the steps for configuring static and OSPF routes.

Type the name “IT_VR” -> click OK


Create Interface Management profile

The last step before configuring the interfaces is to create an Interface Mgmt profile.

To make an interface answer ping on a Palo Alto firewall, we need to create an Interface Mgmt profile and assign it to the interface.

Network -> Network Profiles -> Interface Mgmt ->Add

Type “Allow PING” in the Name field and check “ping” under Permitted Services (you can also permit other services such as HTTPS, SSH, etc.), then click OK.


Create Interface

I will walk you through the steps for creating an Ethernet interface and assigning its IP address, zone, management profile, and virtual router.

Let’s start.

Network -> Interface -> Ethernet


Select Ethernet 1/1 -> Add sub interface

Interface Name: ethernet1/1

Interface Type: Layer 3

Comment: LAN

Virtual Router: IT_VR

Security Zone: Trust

IP Address: 10.128.1.1/24

Management Profile: Allow PING


IPv4 -> Add -> New Address


Then click Advanced.

Select “Allow PING” for Management Profile and then click OK.


Then repeat the process two more times for the WAN and DMZ interfaces.

WAN Interface

Interface Name: ethernet1/2

Interface Type: Layer 3

Comment: WAN

Virtual Router: IT_VR

Security Zone: Untrust

IP Address: 50.0.0.1/24

Management Profile: Allow PING

DMZ Interface

Interface Name: ethernet1/3

Interface Type: Layer 3

Comment: DMZ

Virtual Router: IT_VR

Security Zone: DMZ

IP Address: 172.16.1.1/24

Management Profile: Allow PING

Now you need to click “Commit” to apply the changes.
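As an added example (not part of the original post), here is the same zone, virtual router, management profile and interface configuration expressed as PAN-OS CLI “set” commands, generated by a small Python script that first sanity-checks the plan: no two interfaces may share a subnet, and because the same management profile lands on the Untrust interface, it should permit nothing beyond ping. The lab values are the ones from this post; the set-command syntax is written from my reading of the PAN-OS CLI and is an assumption to verify against your release before pasting it into configure mode.

```python
import ipaddress

# Lab values from the post, written out as a plan (constructed, not exported from a firewall).
VR = "IT_VR"
MGMT_PROFILE = "Allow PING"
PERMITTED_SERVICES = ("ping",)  # keep this minimal; ssh/https here would expose management
INTERFACES = [
    {"name": "ethernet1/1", "zone": "Trust",   "ip": "10.128.1.1/24", "comment": "LAN"},
    {"name": "ethernet1/2", "zone": "Untrust", "ip": "50.0.0.1/24",   "comment": "WAN"},
    {"name": "ethernet1/3", "zone": "DMZ",     "ip": "172.16.1.1/24", "comment": "DMZ"},
]

def check_plan(interfaces, permitted):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems, nets, zones = [], [], set()
    for itf in interfaces:
        net = ipaddress.ip_interface(itf["ip"]).network
        # Two Layer 3 interfaces in the same virtual router must not share a subnet.
        for other_name, other_net in nets:
            if net.overlaps(other_net):
                problems.append(f"{itf['name']} overlaps {other_name}")
        nets.append((itf["name"], net))
        zones.add(itf["zone"])
    # The one profile is applied everywhere, so any extra service is reachable from Untrust.
    exposed = sorted(set(permitted) - {"ping"})
    if exposed and "Untrust" in zones:
        problems.append(f"Untrust interface exposes {exposed}")
    return problems

def render(interfaces, vr, profile, permitted):
    """Emit PAN-OS configuration-mode 'set' commands equivalent to the GUI steps (assumed syntax)."""
    q = lambda s: f'"{s}"' if " " in s else s  # names with spaces need quoting on the CLI
    cmds = [f"set network virtual-router {vr}"]
    cmds += [f"set network profiles interface-management-profile {q(profile)} {svc} yes"
             for svc in permitted]
    for itf in interfaces:
        n = itf["name"]
        cmds += [
            f"set network interface ethernet {n} layer3 ip {itf['ip']}",
            f"set network interface ethernet {n} layer3 interface-management-profile {q(profile)}",
            f"set network interface ethernet {n} comment {q(itf['comment'])}",
            f"set zone {itf['zone']} network layer3 {n}",
            f"set network virtual-router {vr} interface {n}",
        ]
    return cmds

if __name__ == "__main__":
    issues = check_plan(INTERFACES, PERMITTED_SERVICES)
    print("\n".join(issues or render(INTERFACES, VR, MGMT_PROFILE, PERMITTED_SERVICES)))
```

The printed commands still need a commit on the firewall, exactly as the GUI steps do.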


4 comments

Hi there,

Very helpful and informative for a neophyte starting to learn Palo Alto. Looking for the link as a continuation for setting up the policies for Security and NAT for my better understanding.

Regards,

Junix
