This is part two of a a two-part series to configure a Palo Alto Networks firewall in a virtual environment. Palo Alto Firewalls are a great asset for any organization as it includes many advanced features to detect and stop bad network traffic.
Configuring the Palo Alto
At this point, the virtual environment is setup (see part 1). I am plugged into my router and can access the ESXi box and Palo Alto from the internal network. Now it’s time to configure the Palo Alto.
- For traffic to flow, you need a connection, a zone, a route, a rule, and a NAT configured on a firewall.
- Go to Network >> Interfaces. Verify the interfaces are connected. Click on “Dynamic DHCP Client” on ethernet1/1 to obtain the IP address and default gateway. You’ll need that information later.
- Go to Network >> Zones and verify the untrusted and trusted zones are configured to the appropriate interface. The untrusted zone should be configured with the interface leading out the the internet.
- Go to Network >> Virtual Routers. If there is no router configured, go ahead and create one. I already have a router, Student-VR, configured, but I need to input a static route out to the internet.
Click on Student-VR >> Static Routes and select the default option. In the field under Next Hop, type in the default gateway obtained earlier and save.
- Select Policies >> Security and click the add option.
- General tab: Give it a name
- Source tab: On the left-hand box add the trust zone
- Destination tab: On the left-hand box add the untrusted zone
- Actions tab: The action box should be set to allow, and the mark the option to log at the end of a session.
- Select Policies >> NAT. Click the add option.
- General tab: Give the NAT a name
- Original Packet: In the source zone box add the trust zone. The destination zone will be the untrust zone. The destination interface is ethernet1/1 (or the external-facing interface)
- Translated Packet:
- Translated Type can be set to Dynamic IP and Port.
- Address type: Interface Address
- Interface: ethernet1/1
- IP Address: none
- Save the rule
- Click the Commit button in the top right-corner of the page. Once it is done, check if you have internet connection now by navigating in a web browser on your inside network to an external website. If you connect, there is success!
- Now that there is internet access, there are a few other settings to configure.
- Verify the management IP address is correct. Device >> Setup. Under the section Management Interface Settings, verify the IP address settings are correct and change them if they are not. These should reflect the subnet that is configured on the internal network.
- Configure the Palo Alto to update automatically new definitions. Go to Device >> Dynamic Updates. For a manual update, click the Check Now option at the bottom of the screen and install the updates as appropriate. Go ahead and change the automatic update options as well for each section to download and install automatically (Antivirus, Applications and Threats, WildFire).
- Now it’s time to apply some protection. A policy is made up of two parts: The typical firewall policies such as source and destination, allow or block the connection, etc; The second is a security profile. The security profile in turn is made of of several parts that are configured separately, such as the Antivirus, Anti-Spyware, and more. Those in turn have various settings as well. All of these can be visualized in the simplified graphic below.
- For each option under Objects>>Security Profile, create a profile.
- In Objects >>Security Profile Groups, create a new security profile group that incorporates all your custom or default profiles and save it.
- Policies >> Security. Select the policy you created earlier and click the Actions tab. Under Profile Setting >> Profile Type select Group. Then select the group profile name you created earlier. Click OK to save the changes then commit those changes.
Now the Palo Alto is setup and providing basic up-to-date protection for my network as traffic flows to and from the internet.