Palo Alto Firewall: Initial Configuration

Embarking on the path to becoming a Network Security Engineer or already a seasoned Network Engineer interested in mastering Palo Alto firewalls? You’ve come to the right place.

In this blog, we delve into the essential steps of configuring a Palo Alto firewall in EVE-NG, focusing on the initial setup. From creating a lab environment to ensuring seamless Internet access for local users, we guide you through each crucial detail.

Join us as we demystify the complexities of Palo Alto firewall configuration and empower you with practical knowledge that enhances your network security expertise.

Objectives

In this write-up, we will be covering the step-by-step approach to configuring a Palo Alto firewall from scratch. The list below does not have to be followed in sequence; the order is based on my personal preference.

The initial configuration of a Palo Alto firewall requires, but is not limited to, the following steps:

  • Assigning an IP address to the Management Interface
  • Creating Zones
  • Configuring Interfaces
  • Configuring a Security Profile
  • Configuring NAT
  • Testing Internet Connectivity

EVE-NG Lab Setup

In this lab, we will create a simple topology focusing mainly on configuring the basic but crucial settings on the Palo Alto firewall as part of its initial configuration.

We have a Palo Alto VM running PAN-OS 10.1.12 in this lab setup. We have chosen two Linux machines: one for management and the other for Internet access. All the IP addresses on the devices (nodes) are statically assigned.

Configuring Management Interface

When the firewall first boots up, the default IP address on the management interface is set to 192.168.1.1. When a Palo Alto firewall is first configured, the following services are typically enabled on the management interface:

  1. HTTPS (Web Management): This allows access to the web-based management interface (GUI) over HTTPS. Administrators can use a web browser to configure and manage the firewall.
  2. SSH: Secure Shell (SSH) is enabled for secure command-line interface (CLI) access. This allows administrators to manage the firewall through a terminal or SSH client.
  3. Ping: ICMP Echo Requests (ping) are usually enabled to allow the firewall to be reachable via ICMP for basic connectivity testing.

These services are essential for the initial configuration and ongoing management of the firewall. Additional services and configurations can be enabled or modified as needed through the management interface.

Based on our lab topology, we will change the management IP address to 172.16.32.1/24. To do this, we need to access the CLI of the firewall and log in using the default credentials admin / admin. Once you’re logged in, you will be prompted to change the default password. Make sure the new password includes at least one upper-case letter, one number, and one symbol.

Wait for the firewall to fully boot up; otherwise the default credentials won’t work. When you see the admin@PA-VM prompt, you should be able to log in.

Changing The IP on the Management Interface

To change the IP address on the management interface, run the following commands in the firewall CLI.

admin@PA-VM> configure
admin@PA-VM# set deviceconfig system type static
admin@PA-VM# set deviceconfig system ip-address 172.16.32.1 netmask 255.255.0.0
admin@PA-VM# commit

It is very important that we commit our changes. Otherwise, the changes made will not be saved to the running configuration.

I have manually assigned the IP address of 172.16.32.2/16 on eth0 to the Admin-PC from where I will be accessing the Firewall’s GUI in a web browser.

We should be able to access the web interface of the Firewall if all our configuration so far is correct.

Great! We have GUI access to the Firewall. Let’s move on to the next step and configure Zones.

Configuring Zones

Palo Alto is a Zone-based Firewall. A zone-based firewall is a network security model that segments network traffic into different zones, each representing a logical grouping of interfaces or subnets with similar security requirements. The primary purpose of a zone-based firewall is to control and filter traffic between these zones based on defined security policies.

On a Palo Alto Networks firewall, there are no default zones pre-configured out of the box. When you first set up the firewall, you will need to create and configure zones according to your network design and security requirements.

Common Zone Types

  1. Trust (Inside) Zone:
    • Represents the internal network or LAN where trusted users and devices reside.
    • Typically includes corporate devices, internal servers, and employee workstations.
  2. Untrust (Outside) Zone:
    • Represents the external network, such as the internet, where traffic is generally considered untrusted.
    • Used for all inbound and outbound internet traffic.
  3. DMZ (Demilitarized Zone):
    • A special zone for public-facing services like web servers, email servers, and other services that need to be accessible from the outside.
    • Provides a buffer zone between the untrusted outside network and the trusted inside network.
  4. Guest Zone:
    • Used for guest Wi-Fi networks, segregating guest traffic from internal corporate resources.
    • Ensures that guest users can access the internet without having access to the internal network.

By default, traffic inside the same zone (intrazone) is allowed and traffic between zones (interzone) is explicitly denied.

As per our lab topology, we will only be configuring Trust and Untrust zones.

Creating Zones on the Palo Alto Firewall

To create a zone:

  1. Navigate to the Network tab
  2. Click on Zones from the options on the left
  3. Click Add at the bottom of the screen
  4. Provide a name: Inside
  5. Change the type to Layer3
  6. Click OK

Similarly, create another zone and name it Outside. Once both zones are created, commit the changes.

If the commit is successful, we can move on to the next step and configure the interfaces.

Configuring Interfaces

We will configure eth1/1, our interface in the Trust/Inside zone, and eth1/2, the outgoing interface in the Untrust/Outside zone.

Trusted/Inside Zone Interface eth1/1

To configure Interfaces:

  • Click on the Interface you want to edit
  • Name the Interface (I will leave it as it is)
  • Interface Type: Layer3
  • Under Config tab:
    • Virtual Router: default (we will configure the default virtual router later)
    • Security Zone: Inside
  • Under IPv4 tab
    • Click Add and then click New Address
    • Select Static
    • Name: Trust-IP-Network
    • Type: IP Netmask and type 10.0.1.1/24
    • Click Ok
  • Under the Advanced tab:
    • Management Profile: Add New Management Profile
    • Name: Mgmt-Profile-1
    • Select HTTPS, SSH, and Ping from the list
    • Click OK twice to save

Untrusted/Outside Zone Interface eth1/2

To configure Interfaces:

  • Click on the Interface you want to edit
  • Name the Interface (I will leave it as it is)
  • Interface Type: Layer3
  • Under Config tab:
    • Virtual Router: default (we will configure the default virtual router later)
    • Security Zone: Outside
  • Under IPv4
    • Select DHCP Client
    • Click OK

Commit the changes by clicking the Commit button at the top right.

By selecting the DHCP Client option, the interface will receive a (private) IP address from our home router. In a real-world scenario, you would get a public IP address from your ISP.

Once the commit finishes, both interfaces should turn ON, and if we click on Dynamic DHCP Client, we will see the IP address received on our outgoing interface eth1/2.

Configuring a Security Policy

Since interzone traffic is blocked by default on the Palo Alto firewall, we won’t be able to access the Internet until we create a policy that allows traffic from the Inside zone to the Outside zone. Besides managing and securing network traffic, a Security Policy also performs:

  • Traffic Inspection
  • Logging and Monitoring
  • User Identification
  • Quality of Service (QoS)

In our lab, we are just focusing on allowing traffic from the Inside zone to the Outside zone. The key components of a Security Policy are:

  • Name and Description: Each policy has a unique name and an optional description to identify its purpose.
  • Source Zone: Specifies the originating zone of the traffic. Multiple zones can be included.
  • Source Address: Defines the IP addresses or address groups from which traffic originates. This can include specific IPs, subnets, or address ranges.
  • Source User: Specifies the users or user groups from which traffic originates, using user identification features.
  • Destination Zone: Specifies the destination zone for the traffic. Multiple zones can be included.
  • Destination Address: Defines the IP addresses or address groups to which traffic is destined. This can include specific IPs, subnets, or address ranges.
  • Application: Identifies the applications or application groups for which the policy applies. Palo Alto firewalls use App-ID to identify applications regardless of port, protocol, or encryption.
  • Service: Specifies the services or service groups (typically defined by port and protocol) that the policy applies to, such as HTTP, HTTPS, FTP, etc.
  • Action: Determines the action to be taken when traffic matches the policy criteria. Common actions include Allow, Deny, Drop, and Reset.
  • Profile Settings: Attach security profiles to the policy for advanced threat prevention, including antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, and data filtering.
  • Logging and Alerting: Configure logging settings to record traffic matches in the traffic log. Logs can be sent to syslog servers, Panorama (Palo Alto’s centralized management system), or other logging systems.

Default Security Policies

By default, the Palo Alto firewall comes with a set of predefined security policies that provide basic functionality and security from the start.

  1. Interzone Default: This policy blocks all traffic between different zones unless explicitly allowed by another policy. It provides a basic level of security by ensuring that no interzone traffic is permitted unless a specific rule allows it.
  2. Intrazone Default: This policy allows all traffic within the same zone. It ensures that devices within the same security zone can communicate with each other without restriction.

Inside-to-Outside Security Policy

To create a policy that will allow interzone traffic:

  1. Go to the Policies tab
  2. Click Add
  3. Under the General tab:
    • Name: Inside-to-Outside
    • Rule Type: Universal (default)
    • Description: Optional
  4. Under the Source tab:
    • Click Add and select Inside
    • Leave everything else as it is
  5. Under the Destination tab:
    • Click Add and select Outside
    • Leave everything else as it is

Leave the default settings under the Application, Service, and Actions tabs. Click OK and commit the changes.

Now that we have created a policy to allow Inside traffic to Outside, let’s see if we can access the Internet. For this test, we will be using our User-PC (see the lab topology).

As we can see, we are still not able to reach Google. The reason is that we have not configured a NAT rule yet. Let’s do that now.

Configuring NAT

The primary purposes of Network Address Translation (NAT) are to improve security and reduce the number of IP addresses an organization needs by enabling private IP networks to connect to the internet using a single or a few public IP addresses.

Private IP addresses are not routable on the Internet, which means that traffic leaving our network with a private source address must be translated to a public IP address. This is achieved by configuring NAT on the outside interface of the firewall.

Creating a NAT Rule

To create a NAT rule:

  • Navigate to the Policies tab
  • Click on NAT from the options on the left
  • Click Add
  • Under the General tab:
    • Name: Inside-to-Outside-NAT
    • Description: Optional
  • Under the Original Packet tab:
    • Under Source Zone, click Add, and select Inside
    • Under Destination Zone, select Outside, and set Destination Interface to ethernet1/2
    • Leave the rest of the settings default
  • Under the Translated Packet tab:
    • Translation Type: Dynamic IP And Port
    • Address Type: Interface Address
    • Interface: ethernet1/2
    • IP Address: None
  • Click OK and Commit the changes

Testing the connectivity

It’s time to test our initial configuration. Before configuring NAT we were unable to access Google. Let’s try again and see if we can access it now.

It is working! We started with a firewall without any configuration on it and configured various settings to achieve our goal. This write-up is to provide a basic understanding and to get you started on configuring a Palo Alto firewall.

If you have any questions, please feel free to leave them in the comment section.