Getting Started With Palo Alto Firewalls v8
Over time, attackers and the sophistication of their attacks have become more and more advanced.
Ideally we must have equivalent countermeasures in place to help prevent being compromised.
- NAT
- Layer 3 and layer 4 based ACLs.
- Stateful filtering: outbound traffic is remembered by the firewall; when the reply comes back, the firewall refers to its state
table (matching the IP addresses and headers) and allows that reply traffic to reach the user.
NGFW
- URL Filtering.
- Threat prevention: identifying malicious content.
- Dynamic updates (learning about new threats).
- Uploads suspicious files to the cloud for analysis.
- Deep packet inspection (looking higher than layer 4, into the application layer).
- User-ID (policies based on users and groups).
- Application layer inspection (two separate TCP connections: between the user and the firewall, and between the firewall and the internet).
Operational mode: use operational mode to view information about the firewall and the traffic running through it, or to view information about Panorama or
a Log Collector. Additionally, use operational mode commands to perform operations such as restarting, loading a configuration, or shutting down.
When you log in, the CLI opens in operational mode.
If we want the firewall to use a different interface for its own service traffic, we can do that under Service Route Configuration.
An 8.0.x version may need certain minimum dynamic update versions (Antivirus, Threat Intelligence) in place.
First we update the dynamic update content, then PAN-OS.
In a network carrying all kinds of traffic it can make a lot of sense to deploy a firewall, but instead of deploying it
inline initially we can attach it to the network just to see what is happening: we can do reconnaissance and learn about
the network traffic and what kinds of attacks are present before we put policies in place to control and allow traffic.
An interface configured in TAP mode receives copies of the network traffic, so the firewall can inspect the data and we
can use reporting on the firewall to tell us what it sees, including what kind of malicious traffic is present.
We use port mirroring (SPAN) on the switch to send a copy of the traffic to the switch port where the TAP interface is
connected; the mirror can be configured for a VLAN or a router interface.
Keep in mind, however, that because the traffic is not running through the firewall when in TAP mode, it
cannot take any action on the traffic, such as blocking traffic with threats or applying QoS traffic control.
Eg: Source port: the switch port connected to the router interface. Destination port: the switch port connected to the
TAP interface.
There is quite a bit of hassle in changing network topologies and readdressing, so it would be great if there were an option for
deploying the Palo Alto firewall, with all the rules and control it brings, without re-addressing that portion of our network.
It is possible. One option is to use network interfaces on the Palo Alto firewall configured as a VIRTUAL WIRE.
The firewall passes all traffic if the security policies on the firewall allow it. It is like a bump in the wire.
The firewall does not do layer 2 switching or layer 3 forwarding; it simply passes traffic if the security policy allows it.
In a virtual wire deployment, you install a firewall transparently on a network segment by binding two firewall ports (interfaces) together.
The virtual wire logically connects the two interfaces; hence, the virtual wire is internal to the firewall.
By using virtual wire mode, do we still get most of the features of the Palo Alto firewall?
VLAN-Tagged Traffic
Preview Changes can be used to check the candidate configuration. If the Preview Changes window does not appear, the browser may be blocking pop-ups.
There is some additional configuration that needs to be done, including adding the interfaces to security zones.
Another option available to us besides virtual wire for implementing policy and control in the network with the Palo Alto firewall, without having to
readdress our network, is to use layer 2 type interfaces.
If we configure Palo Alto interfaces as layer 2 they are in the same broadcast domain, but the benefit is that if we assign them to security zones
we control the flow of traffic between those security zones.
If we want to use the Palo Alto firewall as a layer 2 switch for multiple VLANs we can do that as well, with subinterfaces and a VLAN object.
With virtual wire we are limited to just two interfaces; with layer 2 we can have multiple interfaces.
With layer 3 interfaces, each interface has an IP address and packets are actually routed through the interfaces on the Palo Alto firewall.
Not every Palo Alto firewall has the same interface options. Eg: with a cloud solution using a virtual firewall, we
should check what options are available to us.
If firewall rules are interface based, we have to add and tweak rules for each individual interface.
Suppose we add a new inside interface: we then have to add and tweak rules for that interface.
The benefit of security zones is that when we create security policies on our firewall we can write those
policies in terms of zones instead of individual interfaces.
We can say: if traffic is coming in on an interface associated with the inside zone and going to the internet from an
interface associated with the outside zone, allow it.
An interface can only be a member of one security zone, but many interfaces can be associated with one
security zone.
Suppose we have deployed our Palo Alto firewall using layer 3 interfaces; each interface then has an
IP address and the firewall is also responsible for routing based on IP.
If we want one set of interfaces to use a separate routing table from another set of interfaces on the Palo Alto
firewall, we create two virtual routers and assign the interfaces to the virtual routers accordingly.
(We may have a default route on the management interface, but that is not related to the default VR.)
Configuring Zones:
What is NAT
What is PAT
A cool thing about security zones is that we can build NAT policies based on zones.
If a packet is sourced from inside and is going to outside, then translate the source IP address.
We can translate the source IP address to a specific IP address, to the interface IP address, or to an address from a pool of IP addresses.
The firewall remembers the translation in its NAT table, and when the reply comes back the firewall untranslates it and
puts back the original IP address.
Address type: we can use the interface IP address, a specific IP address, or an IP address from a pool.
Hence we have to create a new rule and place it above the existing rules for traffic from users in the inside zone to be
allowed internet access.
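As an added illustration (not code from the course notes or from Palo Alto), a small Python model of what the notes describe about stateful filtering and zone-based NAT: rules are evaluated top-down with first match winning (so a new allow rule must sit above a broad deny), the source address is translated to the outside interface address and recorded in a NAT table, and the reply is untranslated from that table. The interface names, zones and addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumed values, not from the notes): two layer-3 interfaces, one zone each.
IFACE_ZONE = {"ethernet1/1": "inside", "ethernet1/2": "outside"}
INSIDE_NET = ip_network("10.0.0.0/8")
OUTSIDE_IP = "203.0.113.10"  # address of ethernet1/2, used for interface-address source NAT


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Firewall:
    rules: list                                    # zone-based rules, evaluated top-down, first match wins
    nat_table: dict = field(default_factory=dict)  # (translated ip, port) -> (original ip, port)
    next_port: int = 40000                         # next free port on the outside address

    def egress_zone(self, dst):
        # Minimal routing: the inside prefix goes out ethernet1/1, everything else out ethernet1/2.
        iface = "ethernet1/1" if ip_address(dst) in INSIDE_NET else "ethernet1/2"
        return IFACE_ZONE[iface]

    def policy_lookup(self, from_zone, to_zone):
        for r in self.rules:
            if r["from"] in ("any", from_zone) and r["to"] in ("any", to_zone):
                return r["name"], r["action"]
        return "interzone-default", "deny"  # traffic between zones is denied unless a rule allows it

    def forward(self, pkt):
        """Apply zone policy, then source NAT for inside->outside. Returns (rule, action, translated src)."""
        from_zone, to_zone = IFACE_ZONE[pkt.in_iface], self.egress_zone(pkt.dst)
        name, action = self.policy_lookup(from_zone, to_zone)
        if action != "allow":
            return name, action, None
        if (from_zone, to_zone) == ("inside", "outside"):
            translated = (OUTSIDE_IP, self.next_port)
            self.next_port += 1
            self.nat_table[translated] = (pkt.src, pkt.sport)  # remembered so the reply can be untranslated
            return name, action, translated
        return name, action, (pkt.src, pkt.sport)

    def untranslate(self, dst, dport):
        """Reply arriving on the outside interface: restore the original inside (ip, port), or None if no entry."""
        return self.nat_table.get((dst, dport))
```

A reply to a port with no NAT table entry returns None, which is the unsolicited inbound traffic a stateful firewall drops.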
We can add colour to zones, security policies and NAT policies for better visibility in the Palo Alto firewall by using tags.
We can create tags for lots of different elements; for example, we can create a tag for a subnet or for the whole internal network.
Tags also give us additional search functionality.
Destination NAT.
Security policy.
Configuring NAT
=============