I will walk you through the steps for configuring the firewall interfaces, defining zones, and setting up a basic security policy.
Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters and exits the firewall through interfaces. The firewall decides how to act on a packet based on whether the packet matches a “security policy”.
At the most basic level, the security policy must identify where the traffic came from and where it is going. On a Palo Alto Networks next-generation firewall, security policies are applied between zones.
A zone is a grouping of interfaces (physical or virtual) that provides an abstraction for an area of trust for simplified policy enforcement.
Create Zone
In our lab network topology, there are three zones: Trust, Untrust, and DMZ. Traffic can flow freely within a zone, but traffic will not be able to flow between zones until we define a security policy that allows it.
Let’s start by adding the three security zones on the Palo Alto firewall.
Under Network -> Zones -> Add.
Create three zones, Trust, Untrust and DMZ, each with type Layer 3.
Create Virtual Router
In a Layer 3 deployment, the firewall routes traffic between ports. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic.
In Palo Alto firewall you can create multiple virtual routers, each maintaining a separate set of routes that are not shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.
In addition to adding static routes, you can configure the virtual router to participate in dynamic routing protocols (BGP, OSPF, or RIP).
Follow these simple steps to create a virtual router:
Network -> Virtual Routers -> Add
I will create the “IT_VR” virtual router now and add the interfaces to it after completing the interface configuration in the next step.
In a separate post I will walk you through the steps for configuring static and OSPF routing.
Type the name “IT_VR” -> click OK
Create Interface Management profile
The last step before configuring the interfaces is to create an Interface Mgmt profile.
To make an interface pingable on a Palo Alto firewall, we need to create an Interface Mgmt profile and assign it to the interface.
Network -> Network Profiles -> Interface Mgmt -> Add
Type “Allow PING” in the name field and check “ping” under “Permitted Services” (you can permit other services such as HTTPS, SSH, etc.), then click OK.
Create Interface
I will walk you through the steps for creating an Ethernet interface and assigning its IP address, zone, Mgmt profile, and virtual router.
Let’s Start
Network -> Interface -> Ethernet
Select Ethernet 1/1 -> Add sub interface
Interface Name: ethernet1/1
Interface Type = Layer 3
Comment = LAN
Virtual Router = IT_VR
Security Zone = Trust
IP address 10.128.1.1/24
Management Profile: Allow PING
IPv4 -> Add -> New Address
Then click Advanced
Select “Allow PING” for Management Profile and then click OK
Then repeat the process twice, for the WAN and DMZ interfaces.
WAN Interface
Interface Name: ethernet1/2
Interface Type = Layer 3
Comment = WAN
Virtual Router = IT_VR
Security Zone = Untrust
IP address 50.0.0.1/24
Management Profile: Allow PING
DMZ Interface
Interface Name: ethernet1/3
Interface Type = Layer 3
Comment = DMZ
Virtual Router = IT_VR
Security Zone = DMZ
IP address 172.16.1.1/24
Management Profile: Allow PING
Now click “Commit” to apply the changes.
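The GUI steps above boil down to a small set of objects that must agree with each other: every interface must point at a zone, a virtual router and a management profile that actually exist, and no two Layer 3 interfaces should carry overlapping subnets. The script below is an added example, not something from the original post or from Palo Alto Networks; it models the lab topology above (the zone, virtual router, profile and interface values are copied from the post), checks the configuration for those consistency problems, and emits the equivalent PAN-OS CLI “set” commands. The command syntax is what I know the PAN-OS configure-mode CLI to accept; verify it against your own PAN-OS version before pasting. The extra check that flags a profile permitting HTTPS or SSH on an interface in the Untrust zone is my own defensive addition, not a rule stated in the post (with only “ping” permitted, as above, it passes).

```python
import ipaddress
from dataclasses import dataclass

# Constructed to match the lab in the post: three Layer 3 zones,
# one virtual router, one management profile, three interfaces.
ZONES = {"Trust", "Untrust", "DMZ"}
VIRTUAL_ROUTERS = {"IT_VR"}
MGMT_PROFILES = {"Allow PING": {"ping"}}   # profile name -> permitted services

# Added check (not from the post): services that expose the management plane
# should not be permitted on an interface that sits in an untrusted zone.
MGMT_PLANE_SERVICES = {"https", "ssh", "http", "telnet"}
UNTRUSTED_ZONES = {"Untrust"}


@dataclass
class L3Interface:
    name: str            # e.g. "ethernet1/1"
    comment: str
    virtual_router: str
    zone: str
    ip: str              # address/prefix exactly as typed in the GUI
    mgmt_profile: str


INTERFACES = [
    L3Interface("ethernet1/1", "LAN", "IT_VR", "Trust",   "10.128.1.1/24",  "Allow PING"),
    L3Interface("ethernet1/2", "WAN", "IT_VR", "Untrust", "50.0.0.1/24",    "Allow PING"),
    L3Interface("ethernet1/3", "DMZ", "IT_VR", "DMZ",     "172.16.1.1/24",  "Allow PING"),
]


def validate(interfaces, zones=ZONES, vrs=VIRTUAL_ROUTERS, profiles=MGMT_PROFILES):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    seen = set()
    networks = []                       # (interface name, ip_network) seen so far
    for itf in interfaces:
        if itf.name in seen:
            problems.append(f"{itf.name}: interface defined twice")
        seen.add(itf.name)
        if itf.zone not in zones:
            problems.append(f"{itf.name}: zone {itf.zone!r} is not defined")
        if itf.virtual_router not in vrs:
            problems.append(f"{itf.name}: virtual router {itf.virtual_router!r} is not defined")
        if itf.mgmt_profile not in profiles:
            problems.append(f"{itf.name}: management profile {itf.mgmt_profile!r} is not defined")
        elif itf.zone in UNTRUSTED_ZONES and profiles[itf.mgmt_profile] & MGMT_PLANE_SERVICES:
            problems.append(f"{itf.name}: profile {itf.mgmt_profile!r} exposes management "
                            f"services in zone {itf.zone}")
        try:
            addr = ipaddress.ip_interface(itf.ip)
        except ValueError:
            problems.append(f"{itf.name}: invalid address {itf.ip!r}")
            continue
        for other_name, other_net in networks:
            if addr.network.overlaps(other_net):
                problems.append(f"{itf.name}: {addr.network} overlaps {other_net} on {other_name}")
        networks.append((itf.name, addr.network))
    return problems


def _quote(name):
    # PAN-OS CLI needs quotes around object names that contain spaces.
    return f'"{name}"' if " " in name else name


def to_set_commands(interfaces, vrs=VIRTUAL_ROUTERS, profiles=MGMT_PROFILES):
    """Render the objects as PAN-OS configure-mode 'set' commands."""
    cmds = []
    for vr in sorted(vrs):
        members = " ".join(i.name for i in interfaces if i.virtual_router == vr)
        cmds.append(f"set network virtual-router {vr} interface [ {members} ]")
    for zone in sorted({i.zone for i in interfaces}):
        members = " ".join(i.name for i in interfaces if i.zone == zone)
        cmds.append(f"set zone {zone} network layer3 [ {members} ]")
    for profile, services in profiles.items():
        for svc in sorted(services):
            cmds.append(f"set network profiles interface-management-profile {_quote(profile)} {svc} yes")
    for itf in interfaces:
        base = f"set network interface ethernet {itf.name}"
        cmds.append(f"{base} comment {itf.comment}")
        cmds.append(f"{base} layer3 ip {itf.ip}")
        cmds.append(f"{base} layer3 interface-management-profile {_quote(itf.mgmt_profile)}")
    return cmds


if __name__ == "__main__":
    issues = validate(INTERFACES)
    if issues:
        print("\n".join(issues))
    else:
        print("\n".join(to_set_commands(INTERFACES)))
```

Run it as-is and it prints the “set” commands for the three-zone lab; change a zone name or give two interfaces overlapping subnets and it reports the inconsistency instead, which is the same mistake the GUI would only reveal at commit time.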
Hey there. I found your blog by the usage of msn. That is a very neatly written article. I will make sure to bookmark it and come back to read extra of your useful info. Thanks for the post. I will definitely return.
Good job, thanks for the valuable post.
Hi there,
Very helpful and informative for a neophyte starting to learn Palo Alto. Looking for the link to the continuation on setting up the Security and NAT policies, for my better understanding.
Regards,
Junix