L3 - IP addresses
L4 - TCP/UDP
Stateful firewall: if traffic is allowed out, the reply traffic is allowed back in.
Next gen features
User based rules
URL filtering (previously done by proxy server)
Firewall learns about new viruses / malware and blocks them
Deep packet inspection, looking at the application layer
e.g. Facebook is OK but block Facebook Messenger
SSL decryption
Getting management access
Seems they take a while to fully boot up after showing you the login: prompt, so wait a while before trying the default username/password.
Two options CLI and Web access
Physical boxes will have a console port and a MGMT port
Default IP is 192.168.1.1
Default username/password: admin/admin
Change your IP, gateway, DNS
Console overwriting itself
Had an issue where I couldn't read output from the CLI; these commands fixed it:
set cli terminal height 500
set cli terminal width 500
CLI initial config of management port
- Set the default gateway to the core switch
- Plug the mgmt port into a switch port on the same VLAN as inside
- Must have an SVI set up on the switch
- For example give the inside interface 10.0.1.1 and mgmt 10.0.1.2

Enter configuration mode first (configure), then set the management IP:

configure
set deviceconfig system type static
set deviceconfig system ip-address 10.0.1.254 netmask 255.255.255.0
set deviceconfig system default-gateway 10.0.1.2
set deviceconfig system dns-setting servers primary 8.8.8.8
commit
exit
Committing config
You must type the commit command to apply the config.
Current (running) config is what is actually in effect.
Candidate config is what has been changed but has not been committed yet.
ping host www.google.ie
Web interface
https://10.0.1.254
Device -> Setup -> Interfaces
Might need to enable ping
Change DNS (DNS is important for the Palo to function correctly)
Device -> Setup -> Services
Service route configuration
NTP settings
Device > setup
Not synced between the two firewalls either, so configure it on both palo1 and palo2.
Set the timezone as well.
Upgrading the software
Device -> Software
Check now
You need to upgrade through each major version 7.0 -> 7.1.x -> 8.1.0
Once in 8.1.0 you can go straight to 8.1.5 for example
Tap interfaces (monitor mode)
Setup span ports on the switch and connect to the firewall tap interface
Network -> Interfaces -> Ethernet
ethernet1/1 select interface type as "tap"
Virtual wire interfaces
Bump in the wire
Checks the traffic against security policies
Passes the traffic through without needing to create an IP on each interface
Select the interface type "Virtual Wire"
Network -> Virtual wires
Add
vWire1
Select the interfaces you want to be part of it
commit
Layer 2 interfaces
You can configure interfaces as L2 interfaces and configure security zones. This is to avoid re-addressing the network. Again set the interface type to Layer2.
Layer3 interfaces
Each interface has an IP address
Network -> Ethernet -> Ethernet1/1
Interface type = Layer3
Assign IP
Assign to security zone
Commit
Zone concepts and policies
Create sec zones like outside, dmz, wifi, inside
Assign interfaces to zones
Lets say we setup eth1/3 as inside zone
We setup several policies
Now we can assign eth1/4 as inside zone and our policies still apply
We don't have to write the same rules for each zone.
Virtual router concepts
There is a default virtual router. This is what we will use in most cases. It's possible to create multiple virtual routers.
Config zones, VR and L3 interfaces
Network -> Zones
Add
Inside
Network -> Virtual router
Add
VR1
Network -> Interfaces
ethernet1/1
Interface type = Layer3
Virtual router = VR1
Security zone = Inside
Configure a default route
Data plane (to ISP gateway)
Control plane (MGMT, for NTP, updates, SSH etc)
CLI to see the route table
show routing route
Web interface to see routing table
Network -> Virtual Routers
On your VR click "More Runtime Stats"
CLI to ping from another source
ping source x.x.x.x host 8.8.8.8
Network -> Virtual routers
edit
static routes
add
Configure NAT/PAT
Policies -> NAT
add (in bottom left)
Name it Inside_to_Outside
source zone = inside
destination zone = outside
You can select IPs etc.
Translated packets
Dynamic IP and Port (PAT / global NAT)
Interface Address = the public IP
Interface ethernet1/1
Select IP
Leave destination as none
Commit
We still need a security policy to allow the traffic
Security policy (ACLs)
There are two default rules
Logging is not turned on by default
Add sec rule
type = intrazone rule
Troubleshooting / verification
On Policies -> Security
Look at your ACL, can see the hit count, last hit, first hit.
You can clear counters in the bottom right
"Reset Rules Hit Counter"
We can see hit counts for the nat policies
Monitor -> Traffic
Most recent is at the top
You can click on the magnifying glass on each entry for more info
Tags
You can setup tags to add a color
eg
outside = red
inside = green
dmz's = yellow
Objects -> Tags
Click add in bottom left
Drop down and select your zone
Select the color
commit
Zone protection
Create zone protection profile
Then apply it to a zone
Network -> Network profiles -> Zone protection
Give a name
Enable flood protection etc
Network -> Zone
Edit the zone, select the zone protection profile
Enable packet buffer protection
Check the documentation; some of the features have a performance impact.
Interface management
By default ping is not allowed
Network -> Interface Mgmt
Add
HTTP_and_ping
tick: HTTPS and ping
Click add to add source IP addresses
Network -> Interfaces ->
Edit ethernet1/1
Advanced tab -> Select management profile from dropdown box
Yes
commit
DHCP
Network -> DHCP
Add
select the interface
enabled = on
disabled = off
auto = check if there is already a DHCP server
Tick "Ping IP when allocating" (helps avoid conflicts)
Fill in details gw, dns etc
Can configure DHCP options there
DHCP relay (helper)
Click on the DHCP relay tab
select the interface
tick the box
fill in the IP address of the real DHCP server.
Config management
Create a new tag as a test
3 ways to revert this change
reboot firewall (config not saved)
config -> revert changes
Device -> Operations -> revert to running config
Making changes that aren't finished, but you want to come back to them later
Don't want to commit yet, but want to return, finish these changes and commit later.
Config -> Save Changes
Device -> Operations -> save named config snapshot
Each time we commit the palo saves a version of the config
Device -> Setup -> Load a config version
Drop down, now we can see previous versions of the config