Configuring Palo Alto Networks Next-Generation Firewall (NGFW) – A Detailed Guide

Contents

Introduction
Dashboard
Device
Network
Policies


1. Introduction

If we polled CIOs and CTOs about their biggest business challenges, cybersecurity would almost certainly feature in the top three of everyone's list. Cyber attacks are getting more frequent and more sophisticated; from nation states to individuals, no one is immune. The only way ahead is constant vigilance.

One way to safeguard your organization and its data and applications is to use a Next-Generation Firewall (NGFW). The NGFW combines traditional firewall inspection of incoming and outgoing network traffic with additional features like application awareness and control, intrusion prevention systems, and real-time cloud-enabled threat prevention.

The best next-generation firewalls for organizations are provided by Palo Alto Networks, an American network security company based in Santa Clara, California.

The Palo Alto Networks NGFW works by limiting the unauthorized transfer of files and sensitive data while still enabling safe non-work-related web browsing. It also identifies unknown malware, analyzes it by matching it against hundreds of malicious behaviors, and then automatically creates and delivers protections.

Palo Alto Networks offers an enterprise cyber-security platform that provides network security, cloud security, endpoint protection, and various related cloud-delivered security services.

Their core product is a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security.

NGFW – Next-Generation Firewall – Features: 

A next-generation firewall is part of the third generation of firewall technology. It combines a traditional firewall with other network device filtering functions, such as:

Application awareness

User, device and location identification

Deep inspection (IPS/IDS and decryption)

Advanced filtering and protections

Required Skills

Basic TCP/IP Knowledge

Basic network / firewalling knowledge

2. Dashboard

The Dashboard widgets show general firewall or Panorama information, such as the software version, the operational status of each interface, resource utilization, and up to 10 entries in the threat, configuration, and system logs.

Log entries from the last 60 minutes are displayed. 

The available widgets are displayed by default, but each administrator can remove and add individual widgets, as needed.

3. Device

Activate licenses on all firewall platforms. When you purchase a subscription from Palo Alto Networks, you receive an authorization code to activate one or more license keys.

On the VM-Series firewall, this page also allows you to deactivate a virtual machine.


Manually upload the license key

Use this option if the firewall does not have connectivity to the license server and you need to upload the license keys manually.

4. Network

The interface configuration of the firewall data ports enables traffic to enter and exit the firewall. A Palo Alto Networks firewall can operate in multiple deployment modes simultaneously because you can configure each interface to support a different deployment.

You can configure the Ethernet interfaces on a firewall for virtual wire, Layer 2, Layer 3, and tap mode deployments.

The interfaces that the firewall supports are

Physical Interfaces

Logical Interfaces

Physical Interfaces

The firewall supports two kinds of Ethernet—copper and fiber optic—that can send and receive traffic at different transmission rates. 

Logical Interfaces

These include virtual local area network (VLAN) interfaces, loopback interfaces, and tunnel interfaces. You must set up the physical interface before defining a VLAN or a tunnel interface.

We are using two Ethernet interfaces,

Ethernet1/1

Ethernet1/2

Ethernet1/1

The Internet traffic that arrives from the Azure load balancer is considered untrusted traffic.

The untrust interface of the Network Virtual Appliance (NVA) is linked to the backend pool of the load balancer.

The traffic therefore reaches the NVA's untrust interface first.

Configure Ethernet1/1 interface with an IPv4 address

Select Network > Interfaces and then the Ethernet, Loopback or Tunnel tab, depending on the type of interface you want.

Select the ethernet1/1 interface to configure.

Select the Interface Type Layer3

On the Config tab, for Virtual Router, select the virtual router you are configuring, such as default.

To configure the interface with a static IPv4 address, on the IPv4 tab, set Type to Static.

Ethernet1/2

Ethernet1/2 is the trust interface of the Palo Alto Networks NVA. Internet traffic received on the untrust interface is forwarded to this interface and then sent on to the application gateway.

Configure Ethernet1/2 interface with an IPv4 address

Select Network > Interfaces and then the Ethernet, Loopback or Tunnel tab, depending on the type of interface you want.

Select the ethernet1/2 interface to configure.

Select the Interface Type Layer3

On the Config tab, for Virtual Router, select the virtual router you are configuring, such as default.

To configure the interface with a static IPv4 address, on the IPv4 tab, set Type to Static.

LOOPBACK INTERFACE

A loopback interface is a logical, virtual interface on a Palo Alto Networks firewall. Unlike a Fast Ethernet or Gigabit Ethernet interface, it is not a physical interface.

Loopback interfaces are a very valuable configuration option on Palo Alto firewalls.

Loopback

The loopback interface is created to accept only HTTPS traffic on port 443; the port can be changed as required. In this case it is being redirected to port 4443 (this is discussed under the Service section).

Zone

Palo Alto Networks Next-Generation Firewalls have a special zone called External, which is used to pass traffic between Virtual Systems (vsys) configured on the same firewall appliance.

A security zone is a portion of a network that has specific security requirements. Each zone consists of a single interface or a group of interfaces, to which a security policy is applied. Zones are typically separated by a Layer 3 device such as a firewall.

Security zones are a logical way to group physical and virtual interfaces on the firewall in order to control and log the traffic that traverses these interfaces on your network. An interface on the firewall must be assigned to a security zone before the interface can process traffic. A zone can have multiple interfaces of the same type (for example, tap, Layer 2 or Layer 3 interfaces) assigned to it, but an interface can belong to only one zone.

ZONE- TRUST

ZONE-UNTRUST

Virtual Router

Palo Alto Networks firewalls use the concept of "Virtual Routers" to route traffic, whether by static or dynamic routing. A virtual router uses its own virtualized, partitioned routing table to do the routing job.

The firewall uses virtual routers to learn routes and installs the best route to each destination in the routing table.

The firewall obtains routes to other subnets either from static routes that you define manually or through participation in one or more Layer 3 routing protocols.

STATIC ROUTE-DEFAULT

Create a virtual router and apply interfaces to it.

Navigate to ‘Network > Virtual Routers’

Select the ‘default’ Virtual Router or Add a new Virtual Router if there are none in the list

If you added a new Virtual Router, you would need to give it a ‘Name.’

Navigate to ‘Static Routes > IPv4’

Add a new static route

Name: next_hop (you can name it anything you want)

Destination: 0.0.0.0/0 (send all traffic to this route)

Interface: ethernet1/1 (or whatever you set your public interface as)

Next Hop: specify the gateway IP address of the next hop in your network

The default route links the internet traffic from outside to the untrust interface of the Palo Alto NVA.

Interface Management

Palo Alto Networks firewalls come with a dedicated out-of-band Management (MGT) interface, which is used to manage the firewall. By default, SSH, HTTPS, and ping are enabled on it for management. Apart from the dedicated out-of-band management interface, any Layer 3 interface can also be used to manage the firewall.

An Interface Management profile protects the firewall from unauthorized access by defining the services and IP addresses that a firewall interface permits. You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). To assign an Interface Management profile,

INTERFACE- ALLOW PROFILE

The interface management profile "Allow-profile" permits specific management services (HTTP, HTTPS, SSH) together with the Ping network service.

INTERFACE MANAGEMENT PROFILE- ALLOW HTTPS-SSH

This profile permits only the HTTPS and SSH management services.
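The two profiles above differ in exactly the way an Interface Management profile is meant to protect the firewall: which services are exposed, and from which source addresses. The following added example (not from the guide or from Palo Alto Networks) models that as a small audit: the profile names and services come from the text, while the interface-to-profile bindings and the permitted-IP range are assumptions made for the example.

```python
"""Audit interface management profiles for risky exposure (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Management services that send credentials in the clear.
CLEARTEXT = {"http", "telnet"}


@dataclass
class MgmtProfile:
    name: str
    services: Set[str]
    permitted_ips: List[str] = field(default_factory=list)  # empty = any source


@dataclass
class InterfaceBinding:
    interface: str
    zone: str
    profile: Optional[MgmtProfile]  # None = no management services exposed


def audit(bindings):
    """Return (interface, finding) pairs.

    Checks applied (assumptions for this example, not PAN-OS defaults):
      - any profile that enables a cleartext management service is flagged;
      - a profile bound to an untrust-zone interface must restrict permitted IPs.
    """
    findings = []
    for b in bindings:
        p = b.profile
        if p is None:
            continue
        leaked = p.services & CLEARTEXT
        if leaked:
            findings.append((b.interface, f"{p.name}: cleartext service(s) {sorted(leaked)} enabled"))
        if b.zone == "untrust" and not p.permitted_ips:
            findings.append((b.interface, f"{p.name}: no permitted-ip restriction on untrust interface"))
    return findings


# Profiles as described in the guide; the permitted-ip range is constructed.
ALLOW_PROFILE = MgmtProfile("Allow-profile", {"http", "https", "ssh", "ping"})
ALLOW_HTTPS_SSH = MgmtProfile("Allow HTTPS-SSH", {"https", "ssh"}, permitted_ips=["10.0.0.0/24"])

# Assumed bindings for the example: the guide does not state which interface uses which profile.
RISKY = [InterfaceBinding("ethernet1/1", "untrust", ALLOW_PROFILE),
         InterfaceBinding("ethernet1/2", "trust", ALLOW_HTTPS_SSH),
         InterfaceBinding("loopback.1", "trust", None)]
HARDENED = [InterfaceBinding("ethernet1/1", "untrust", ALLOW_HTTPS_SSH),
            InterfaceBinding("ethernet1/2", "trust", ALLOW_HTTPS_SSH)]

if __name__ == "__main__":
    for iface, msg in audit(RISKY):
        print(iface, "-", msg)
```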

5. Policies

The Palo Alto Networks firewall is a stateful firewall, meaning all traffic passing through the firewall is matched against a session, and each session is then matched against a security policy.

Policies allow you to control firewall operations by enforcing rules and automatically taking actions.

We have created two policies

Security-Policy

NAT-Policy (Network Address Translations)

SECURITY POLICY

Security policies allow you to enforce rules and take actions and can be as general or specific as needed.

The policy rules are compared against the incoming traffic in sequence, and because the first rule that matches the traffic is applied, the more specific rules must precede the more general ones.

UNTRUST TO TRUST

The traffic-untrust-to-trust security policy allows traffic from the outside (Untrust zone) into the Trust zone, so that it can flow through the interface.

The security policy is configured by providing its general attributes: the policy name, the source and destination zones, the service ports (HTTP and HTTPS), and the session-start and session-end log settings.

Defining general settings

Defining the source zone

Defining the destination zone

Defining the allowed services, HTTP and HTTPS

Configuring the action (Allow/Deny) and session log settings

ALLOW UNTRUST ACCESS

The traffic-untrust-access security policy allows the HTTPS traffic that arrives on the loopback interface on the remapped port 4443 into the Trust zone, so that it can flow through the interface.

Defining general settings

Defining the source zone

Defining the destination zone

Defining the service

Defining the action and log settings
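Because the rulebase is evaluated top-down and the first match wins, a rule placed below a broader rule that already covers its traffic is never reached (it is "shadowed"). The following added example, which is not part of the guide or of PAN-OS, models the two rules described above plus the implicit interzone deny as a first-match evaluator with a shadow check; the zone names and ports come from the text, while the service notation and rule ordering used for the misconfigured variant are assumptions of the example.

```python
"""First-match security policy evaluation with shadowed-rule detection (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, List

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    services: FrozenSet[str]  # e.g. {"tcp/443"}; {ANY} matches every service
    action: str               # "allow" or "deny"

    def matches(self, from_zone: str, to_zone: str, service: str) -> bool:
        return (self.from_zone in (ANY, from_zone)
                and self.to_zone in (ANY, to_zone)
                and (ANY in self.services or service in self.services))


# PAN-OS denies interzone traffic that matches no explicit rule.
IMPLICIT_DENY = Rule("interzone-default", ANY, ANY, frozenset({ANY}), "deny")


def evaluate(rules: List[Rule], from_zone: str, to_zone: str, service: str) -> Rule:
    """Return the first rule matching the session, or the implicit deny."""
    for r in rules:
        if r.matches(from_zone, to_zone, service):
            return r
    return IMPLICIT_DENY


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules with concrete zones whose every listed service is already
    matched by some earlier rule, so no session can ever reach them."""
    out = []
    for i, later in enumerate(rules):
        if ANY in (later.from_zone, later.to_zone) or ANY in later.services:
            continue  # wildcard rules are not enumerable here; skip them
        if all(evaluate(rules[:i], later.from_zone, later.to_zone, s) is not IMPLICIT_DENY
               for s in later.services):
            out.append(later.name)
    return out


# Rules as described in the guide: specific port-4443 rule first, then HTTP/HTTPS.
UNTRUST_ACCESS = Rule("traffic-untrust-access", "untrust", "trust", frozenset({"tcp/4443"}), "allow")
UNTRUST_TO_TRUST = Rule("traffic-untrust-to-trust", "untrust", "trust", frozenset({"tcp/80", "tcp/443"}), "allow")
GOOD = [UNTRUST_ACCESS, UNTRUST_TO_TRUST]

# Constructed misordering: a broad allow-any placed on top hides both specific rules.
BAD = [Rule("allow-all-inbound", "untrust", "trust", frozenset({ANY}), "allow")] + GOOD
```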

NAT POLICY RULE

NAT allows you to translate private, non-routable IPv4 addresses to one or more globally-routable IPv4 addresses, thereby conserving an organization’s routable IP addresses.

NAT also lets you hide the real IP addresses of hosts that need access to public addresses, and lets you manage traffic by performing port forwarding. You can use NAT to solve network design challenges, for example by enabling networks with identical IP subnets to communicate with each other.

We have two NAT policy rules,

HTTPS ACCESS

WEB ACCESS- NAT RULE

Their configurations are as follows,

HTTPS ACCESS

WEB ACCESS- NAT RULE


CloudIQ is a leading Cloud Consulting and Solutions firm that helps businesses solve today’s problems and plan the enterprise of tomorrow by integrating intelligent cloud solutions. We help you leverage the technologies that make your people more productive, your infrastructure more intelligent, and your business more profitable. 



© 2020 CloudIQ Technologies. All rights reserved.