Palo Alto Networks #1: Initial Configuration (for beginners)

This post is an introduction to configuring a Palo Alto Networks firewall for initial deployment. As it is aimed at beginners, I would like to cover the following topics:

  • Configure management interface settings (i.e. IP address, default gateway) via console
  • Assign IP addresses to ethernet interfaces and default gateway
  • Configure NAT and Security Policies to allow Internet access to internal clients

For this purpose, we will be using the following simple topology:

[Diagram: simple lab topology used in this post]

Management Interface Settings

You can use the following console settings to connect to the firewall.

Once you are connected to the firewall, use the default credentials to log in.

Now we are in, and it is time to configure the management IP, DNS server, etc. and change the default admin password.

Bear in mind that the management interface is isolated, i.e. it needs its own default gateway. This doesn’t have to be the default gateway of your firewall through which all your clients’ traffic passes.

Now let’s check the configuration we have made.

It looks good, I think. Now it is time to commit the changes and test whether the management interface can reach its gateway.

Note: The commit will take some time depending on the platform.

Yep, we can reach the gateway. If you don’t get anything, check the management ARP table to see whether there is an entry for the gateway.

Now you should be able to connect to the web interface. You will see something similar on 7.1.x releases.

[Screenshot: web interface after first login]

Assign IP addresses to ethernet interfaces

Now we assign an IP to the Internet-facing interface ethernet1/1. For this, follow Network->Interfaces->ethernet1/1 and you will get the following.

[Screenshot: ethernet1/1 interface settings]

Each interface must belong to a virtual router and a zone. Hence, assign the interface to the default virtual router and create a zone by clicking “Zone”. On the new menu, just type “Internet” as the zone name and click OK, after which you will come back to this menu.

Note: Your list of zones will be empty in an initial deployment. Mine shows “Internet” only because I had that zone configured before.

Repeat the same steps for the interface ethernet1/2. In my example, I assign the IP 10.2.2.1/24 to this LAN interface and assign the interface to a security zone named “LAN”.

Now, when you look at the interface overview below, you will see the IP addresses, virtual router and security zones set.

[Screenshot: interface overview with IP addresses, virtual router and zones]

Interface IP addresses are set, but we haven’t configured the default gateway of the default virtual router. For this, follow Network->Virtual Routers->Default->Static Routes and, once you are on this menu, click “Add” to add a new route, i.e. our default 0.0.0.0/0 route.

[Screenshot: default static route settings]

Click OK on both windows.

Now I must tell you something: none of the changes have taken effect yet. For the changes to take effect we must commit, as we did on the CLI at the beginning of the post, but this time on the GUI. Go to the upper right corner and click Commit; you will get a second commit dialog as below. Go ahead and commit.

[Screenshot: commit dialog]

If you are wondering what the Save button there is for, it just saves your changes to a separate config file, which doesn’t have to be your running config. By saving after changes, you can always revert to a known working saved config.

Is the commit finished? Let’s ping Google’s DNS server to make sure we have Internet access. If you don’t get a response, ping your gateway and check your connectivity towards the gateway. You should get a ping response at this step.

Yes, it works. Now we need to configure NAT and a security policy for the clients in the LAN.

Configure NAT and Security Policies

Follow Policies->NAT, click Add at the bottom left corner of the screen, give the name “lan-clients” under the General tab, configure the rest as shown below according to your IP range, zones and external IP address, and click OK.

[Screenshot: NAT policy, General and Original Packet tabs]

[Screenshot: NAT policy, Translated Packet tab]

We have configured NAT; now it is time for the security policy. Follow Policies->Security, where you will see two default policies already.

intrazone-default: This policy is for traffic coming from a zone and destined for the same zone. You SHOULD NOT change this default unless you know what you are doing, as you might break something that relies on it.

interzone-default: This is your default deny policy for traffic coming from one zone and destined for another zone. This SHOULD be DENY.
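To make the evaluation order concrete, here is a small model of how a zone-based rulebase is walked: rules top-down, first match wins, and anything unmatched falls through to intrazone-default (allow) or interzone-default (deny). This is an added illustration written for this post, not Palo Alto Networks code; it only models zones and addresses (real PAN-OS also matches application, user, service and URL category), and the “Guest” zone, the “clients-out” rule and the client addresses are constructed. The last two rules also show why a rule that lists several source zones quietly widens if someone later adds a second destination zone to it.

```python
"""Simplified model of how a PAN-OS security rulebase is evaluated.

Added illustration, not Palo Alto Networks code: rules are checked top-down,
the first match decides, and a session that matches nothing falls through to
intrazone-default (allow) or interzone-default (deny). Real PAN-OS also
matches application, user, service and URL category; those are left out.
Zone names other than LAN/Internet, extra rules and client IPs are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset     # source zones, or {"any"}
    to_zones: frozenset       # destination zones, or {"any"}
    sources: tuple            # source CIDRs, or ("any",)
    destinations: tuple       # destination CIDRs, or ("any",)
    action: str               # "allow" or "deny"

    def matches(self, src_zone, dst_zone, src_ip, dst_ip):
        def zone_ok(zones, zone):
            return "any" in zones or zone in zones

        def addr_ok(cidrs, ip):
            return "any" in cidrs or any(
                ip_address(ip) in ip_network(c) for c in cidrs)

        return (zone_ok(self.from_zones, src_zone)
                and zone_ok(self.to_zones, dst_zone)
                and addr_ok(self.sources, src_ip)
                and addr_ok(self.destinations, dst_ip))


def evaluate(rulebase, src_zone, dst_zone, src_ip, dst_ip):
    """Return (rule name, action) for the rule that decides this session."""
    for rule in rulebase:                 # top-down, first match wins
        if rule.matches(src_zone, dst_zone, src_ip, dst_ip):
            return rule.name, rule.action
    if src_zone == dst_zone:              # the predefined defaults come last
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# The post's rule: LAN clients in 10.2.2.0/24 may reach the Internet zone.
LAN_CLIENTS = Rule("lan-clients", frozenset({"LAN"}), frozenset({"Internet"}),
                   ("10.2.2.0/24",), ("any",), "allow")
RULEBASE = [LAN_CLIENTS]

# Constructed variant: two source zones in one rule (a hypothetical "Guest" zone).
MULTI_SOURCE = Rule("clients-out", frozenset({"LAN", "Guest"}),
                    frozenset({"Internet"}), ("any",), ("any",), "allow")
# The same rule after someone later adds LAN as a second destination zone:
# Guest -> LAN now matches too, which is rarely what was intended.
WIDENED = Rule("clients-out", frozenset({"LAN", "Guest"}),
               frozenset({"Internet", "LAN"}), ("any",), ("any",), "allow")


if __name__ == "__main__":
    cases = [
        ("LAN", "Internet", "10.2.2.10", "8.8.8.8"),        # lan-clients allow
        ("Internet", "LAN", "198.51.100.7", "10.2.2.10"),   # interzone-default deny
        ("LAN", "LAN", "10.2.2.10", "10.2.2.20"),           # intrazone-default allow
    ]
    for case in cases:
        print(case, "->", evaluate(RULEBASE, *case))
    print("Guest->LAN, multi-source rule:", evaluate([MULTI_SOURCE], "Guest", "LAN", "10.3.3.5", "10.2.2.10"))
    print("Guest->LAN, widened rule:     ", evaluate([WIDENED], "Guest", "LAN", "10.3.3.5", "10.2.2.10"))
```

Running the module prints the deciding rule for each constructed session; the point of the last two lines is that the widened rule lets Guest reach LAN without any rule being added, only one zone being appended to an existing one.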

Now let’s configure our policy for our clients. Click “Add” at the bottom of the screen. Give a name to the security rule and set the source/destination as below.

Source
[Screenshot: security rule, Source tab]

Destination
[Screenshot: security rule, Destination tab]

Actions
[Screenshot: security rule, Actions tab]

By default, the action is set to allow with “Log at session end”, which means the traffic is allowed and is logged once the session is closed. Don’t choose “Log at session start” unless you are doing a test.

After all these changes, do another commit as you did before.
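For anyone who wants to script the same static route, NAT rule and security rule instead of clicking through them, the following is the equivalent set of PAN-OS XML API calls. This is an added example written for this post, not code from the post or from Palo Alto Networks: the xpaths and element layout follow the PAN-OS 7.x-9.x configuration schema as I know it, and should be checked against your release’s XML API browser (https://<firewall>/api) before use. The management address 192.0.2.10, the API key and the 203.0.113.0/24 egress subnet are constructed placeholders; the zone names, 10.2.2.0/24 and the rule name “lan-clients” match the post. Nothing is transmitted, so the module runs offline.

```python
"""Create the post's static route, NAT and security rules via the PAN-OS XML API.

Added example, not code from the post or from Palo Alto Networks. Xpaths and
element layout follow the PAN-OS 7.x-9.x configuration schema as I know it;
verify them in your release's XML API browser. 192.0.2.10, the API key and
203.0.113.0/24 are constructed placeholders. build_request() only returns the
URL a client would fetch; nothing is sent.
"""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

FIREWALL = "https://192.0.2.10"            # constructed management address
DEVICE = "/config/devices/entry[@name='localhost.localdomain']"
VSYS = DEVICE + "/vsys/entry[@name='vsys1']"
NAT_RULES_XPATH = VSYS + "/rulebase/nat/rules"
SEC_RULES_XPATH = VSYS + "/rulebase/security/rules"
STATIC_ROUTES_XPATH = (DEVICE + "/network/virtual-router/entry[@name='default']"
                       "/routing-table/ip/static-route")


def members(parent, tag, values):
    """Append <tag><member>v</member>...</tag>, the list form PAN-OS uses."""
    node = ET.SubElement(parent, tag)
    for value in values:
        ET.SubElement(node, "member").text = value
    return node


def static_route(name, destination, next_hop, interface):
    """Route entry for the virtual router (Network->Virtual Routers->Static Routes)."""
    entry = ET.Element("entry", name=name)
    ET.SubElement(entry, "destination").text = destination
    ET.SubElement(ET.SubElement(entry, "nexthop"), "ip-address").text = next_hop
    ET.SubElement(entry, "interface").text = interface
    return entry


def nat_rule(name, from_zone, to_zone, source_cidr, egress_if):
    """Source NAT (dynamic IP and port) behind the egress interface address."""
    entry = ET.Element("entry", name=name)
    members(entry, "from", [from_zone])
    members(entry, "to", [to_zone])
    members(entry, "source", [source_cidr])
    members(entry, "destination", ["any"])
    ET.SubElement(entry, "service").text = "any"
    translation = ET.SubElement(entry, "source-translation")
    dipp = ET.SubElement(translation, "dynamic-ip-and-port")
    address = ET.SubElement(dipp, "interface-address")
    ET.SubElement(address, "interface").text = egress_if
    return entry


def security_rule(name, from_zone, to_zone, source_cidr, applications):
    """Allow rule that logs at session end. applications=["any"] reproduces the
    post's permissive rule; a named list is the tightening Note 2 recommends."""
    entry = ET.Element("entry", name=name)
    members(entry, "from", [from_zone])
    members(entry, "to", [to_zone])
    members(entry, "source", [source_cidr])
    members(entry, "destination", ["any"])
    members(entry, "source-user", ["any"])
    members(entry, "category", ["any"])
    members(entry, "application", applications)
    members(entry, "service", ["application-default"])
    members(entry, "hip-profiles", ["any"])      # as GUI-created rules carry on 7.x-9.x
    ET.SubElement(entry, "action").text = "allow"
    ET.SubElement(entry, "log-end").text = "yes"  # "Log at session end"
    return entry


def to_xml(element):
    return ET.tostring(element, encoding="unicode")


def build_request(api_key, xpath, element):
    """URL for one type=config action=set call; nothing is sent from here."""
    query = urlencode({"type": "config", "action": "set", "xpath": xpath,
                       "element": to_xml(element), "key": api_key})
    return f"{FIREWALL}/api/?{query}"


if __name__ == "__main__":
    key = "API-KEY-PLACEHOLDER"   # obtain with type=keygen on a real firewall
    calls = [
        (STATIC_ROUTES_XPATH, static_route("default-route", "0.0.0.0/0", "203.0.113.1", "ethernet1/1")),
        (NAT_RULES_XPATH, nat_rule("lan-clients", "LAN", "Internet", "10.2.2.0/24", "ethernet1/1")),
        (SEC_RULES_XPATH, security_rule("lan-clients", "LAN", "Internet", "10.2.2.0/24",
                                        ["dns", "web-browsing", "ssl", "ping"])),
    ]
    for xpath, element in calls:
        print(build_request(key, xpath, element))
    # A further call with type=commit&cmd=<commit></commit> is still needed,
    # exactly like the Commit button in the GUI.
```

As with the GUI, the set calls only touch the candidate configuration; nothing is active until the commit call. Passing a named application list to security_rule() instead of ["any"] is the one-line change that turns the post’s “allow everything” rule into the narrower one its closing note suggests.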

Now we do a test. From the client PC, we ping 8.8.8.8 and check the session table.

As per the session table, the pings are allowed and the application is identified as ping. By the way, the flag “NS” indicates that NAT is involved and that it is source NAT.

Now we will see how the traffic is logged. Go to Monitor->Log and observe the following:

[Screenshot: traffic log entries for the ping session]

Note that you don’t see a log entry for every ICMP packet you send. Once you click the log entry you will see the repeat count, which I think shows how many ICMP packets that entry represents.

I think this post ends here. I hope it helps an end user do this basic configuration without calling the TAC support line :) Please drop a comment if you have any feedback.

Note 1: In a Palo Alto Networks firewall, you can create objects for IP addresses, subnets, etc. For this you need to go to Objects->Addresses, create the object and then refer to it in an interface or security/NAT policy, but in this post I wrote IP addresses directly without any objects.

Note 2: For the simplicity of this post, we allow everything for these sample clients. You should probably allow only the applications you need.

Genco.

4 thoughts on “Palo Alto Networks #1: Initial Configuration (for beginners)”

  1. Dennis

    Hi Sir,

    Would like to ask for your comments on whether there’s any implication when creating a PA firewall rule allowing multiple source security zones to one destination security zone? I am trying to highlight whether there’s a potential for an adversary performing VLAN hopping within those source security zones. Is there any pro vs con of having multiple security zones defined within a single rule?
    Thank you.

    1. rtoodtoo Post author

      Hi Dennis,
      I hadn’t actually thought about such an implication before, but to the best of my knowledge it shouldn’t. An interface must belong to a zone, and during session creation a zone lookup is performed, according to which security rules are then scanned for the context match. Whether you have multiple zones or a single zone, I think it shouldn’t matter. The only thing is that if another admin adds a second zone on the destination, that might cause some unwanted traffic to be allowed if the intention is to allow only from a few of the source zones. Otherwise it also reduces the number of rules you have. Not much help from my side, but if you learn anything please drop your comment here.

      1. Dennis

        Hi Sir,

        I did think of the interface bit, but what if multiple security zones are tied to one physical interface via sub-interfaces/VLANs? Then there might be a potential for VLAN hopping making its way to another unintended network. Am I thinking too much?

        1. rtoodtoo Post author

          In your scenario, I think I would call it a config issue/mistake. Let’s say that such a thing happened and traffic pretends to be coming from a different interface; thus a different source zone will match, and if you have a security rule matching this context it will match regardless of the fact that the rule contains multiple security zones. I still don’t see any cons of this as long as someone doesn’t put another zone on the destination, but still I might be missing something. Don’t take my words as 100% correct :)

