Palo Alto Firewall

Palo Alto Firewall: 
When it comes to security, Palo Alto is more complicated to set up than FortiGate and similar to SonicWall. On the security side, Palo Alto is far more involved in technique and goes into more detail in its process. In my experience, the more complicated the firewall is, the more secure it is, because the step-by-step process of trying to cover every security issue only leads to more complexity, and in return you get a more secure device.


*After you make a change, you must hit 'COMMIT' to make that change effective!


To allow managing the device remotely:
(Devices > Setup > Management )
This is not a firewall policy. As you can see below, it allows Ping and the web browser connection that we normally use to manage the firewall remotely from another PC over the network. You will also have to add a Permitted IP.
Network > Network Profile > Interface Mgmt


Zone:
(Network > Zones > add )
Step 1 in the firewall setup is defining a Zone.
You'll need to categorize, or define, where the different connections come from and place them into a Zone category accordingly. For example, you can categorize or define a location such as LAN, WAN, DMZ, or PRIVATE, PUBLIC, Both, LOCAL, INTERNET.
On the back of the firewall you will see the network cards, also called ports or interfaces. These ports or connections are pre-labelled, such as LAN and WAN; the other ports can be used for things like a WiFi link. You should define the Zones based on the port connections on the firewall. This is why you'll see most zone names take forms like LAN, WAN, W-WiFi, DMZ.


Interfaces:
(Network > Zones > add )
Step 2 is assigning an IP address to the interface and tying it to a zone.
Interfaces are the ports on the back of the device that are available to use for connections. On the back of the firewall you will see about 8 interfaces, and each may be labelled LAN, WAN, etc.
After you have defined the Zones, you need to place each interface into its particular zone.



Policy:
(Policy > Security > add )
Step 3: Create rules to separate or integrate connections between zones.
This works the same way as on any other firewall; for example, on a Cisco router you enable the firewall feature by writing ACLs. Basically, you have networks (LANs), known in the firewall as Zones, and you have to protect these Zones. The policy defines the rules for whether or not to allow a connection between these Zones.

Example:
If you want to allow (permit) Ping from LAN to WAN:

-You must have two policies, Source and Destination:
1. LAN > WAN
2. WAN > LAN
Because Ping needs the request and the reply back.
-If you only have 1 policy, the reply will be dropped on its way back at the WAN.


Objects:
(Objects >  )
After you set up the Interfaces, define the Zones, and define the Policy, the next step is deciding what to protect: the inventory of devices and services, known as objects. Basically, this identifies which objects are to be allowed or denied connections between each other. An object can be a device, a service running on a UDP/TCP port, or an entire network or Zone type such as LAN, WAN, DMZ.
These will be used to apply to, or tie to, the policy you have created.


Devices:
(Devices >  )
At the Devices menu option, you can enable or set up many different features or programs that the firewall can do, such as:
User accounts and passwords, HA, LDAP, SNMP, Certificates etc.
Please see below:



Profiles:

(Object >  )
A profile is a collection of many features to be included for use. For example, you create one profile that contains features such as Antivirus, Antimalware, etc.


OBJECT > Virtual Router
This option allows you to set up two or more "fake" routers inside the firewall, known as Virtual Routers, for when you have two separate LANs. For example, an internal LAN and a Vendor LAN are both connected into 1 firewall device, which routes their traffic out to the WAN by setting up a fake router to handle both sets of traffic. This is similar to the HA setup process, where all data is processed by the virtual router instead.
-Create Zone
-Create VR
-Configure Interface
-Create Policy
-NAT setup
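The five steps above, carried out from the PAN-OS CLI instead of the web UI, as an added example that is not part of the original post. It assumes a hypothetical vendor LAN on ethernet1/3, an existing WAN zone whose interface ethernet1/1 sits in the default virtual router, and placeholder names and addresses (VENDOR, VR-Vendor, ADMIN-ONLY, 10.20.0.0/24, 10.10.0.0/24); the management profile at the top corresponds to the Interface Mgmt section earlier on the page.

```panos
# Added example, not from the original post. All names and addresses are
# placeholders; substitute your own zones, interfaces and subnets.
configure

# Interface Mgmt profile: allow ping and HTTPS only from the admin subnet
# (the "Permit IP" the page mentions), then bind it to the vendor interface.
set network profiles interface-management-profile ADMIN-ONLY ping yes
set network profiles interface-management-profile ADMIN-ONLY https yes
set network profiles interface-management-profile ADMIN-ONLY permitted-ip 10.10.0.0/24

# Step 1: create a Layer 3 zone for the vendor LAN and put ethernet1/3 in it.
set zone VENDOR network layer3 ethernet1/3

# Step 2: create the virtual router and hand its default route to the
# default VR (which owns the WAN interface); add the return route there too.
set network virtual-router VR-Vendor interface ethernet1/3
set network virtual-router VR-Vendor routing-table ip static-route DEFAULT destination 0.0.0.0/0 nexthop next-vr default
set network virtual-router default routing-table ip static-route TO-VENDOR destination 10.20.0.0/24 nexthop next-vr VR-Vendor

# Step 3: configure the interface (IP, management profile) and import it
# into the vsys, which the web UI does for you automatically.
set network interface ethernet ethernet1/3 layer3 ip 10.20.0.1/24
set network interface ethernet ethernet1/3 layer3 interface-management-profile ADMIN-ONLY
set vsys vsys1 import network interface ethernet1/3

# Object: the vendor network as an address object, so rules reference a name.
set address VENDOR-NET ip-netmask 10.20.0.0/24

# Step 4: security policy VENDOR -> WAN, limited to web browsing and DNS,
# with session-end logging so the traffic shows up in the Traffic log.
set rulebase security rules Vendor-to-WAN from VENDOR to WAN source VENDOR-NET destination any application [ web-browsing ssl dns ] service application-default action allow
set rulebase security rules Vendor-to-WAN log-end yes

# Step 5: source NAT the vendor LAN behind the WAN interface address.
set rulebase nat rules Vendor-SNAT from VENDOR to WAN source VENDOR-NET destination any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Nothing above is active until it is committed.
commit
```

Anything the vendor LAN does that is not web-browsing, ssl or dns is dropped by the implicit interzone-default deny rule, which is the point of scoping the application list.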



Defining interface types in Palo Alto:

Layer 2 Interface:
When you use a Layer 3 switch for a single LAN and connect it into the LAN side of the Palo Alto, that interface on the Palo Alto is set as a Layer 2 interface.
Layer3 SW > PaloAlto > ISP

VWire Interface:
When you use a Core Switch for multiple VLANs, connect it into the LAN side of the Palo Alto, and then connect the Palo Alto into a Router, that interface on the Palo Alto is set as a VWire interface.
Access-SW > CORE-SW > PaloAlto > Router > ISP

Layer 3 Interface:
When you use a Router connecting into the LAN side of the Palo Alto, that interface on the Palo Alto is set as a Layer 3 interface.
Router > PaloAlto > ISP

TAP Interface:
Used to passively monitor all the traffic passing across a network, using a SPAN or mirror port.


The End

Published by

Khmer Certified
