Zone based firewall configuration concept in Palo Alto is similar to any other firewall. In this lesson, we will learn to configure Palo Alto Zone Based Firewall. We will be using PAN OS 8.1.0, and our firewall management is already configured. If you are new in Paloalto firewall, then you are recommended to check Palo Alto Networks Firewall Management Configuration.
- 3 zones for External, Internal and DMZ network and bind with appropriate interfaces
- Internal zone (LAN users) can reach Internet
- DMZ WEB server access from Internal Zone
- External people will be able to access WEB server only through NAT
After completing this LAB, we will develop some knowledge to configure Zone, Virtual Routers, Interface Configuration, Policies, NAT and Routing (Static).
In policy section, we will allow every application and services (any) to make article short and easier for new comers. Later we will discuss in detail. So, let’s get started with Palo Alto Zone Based Firewall Configuration.
Zone creating and binding to appropriate interfaces
To create the zone, we need to go to Network >> Zones and then click Add.
Now, name the Zone and select zone type. Below image shows External zone, creating with L3 type. Similarly, we also created other two zones named Internal and DMZ with L3 zone type.
Creating Virtual Routers:
To create virtual routers, we have to go Network >> Virtual Routers and then click Add.
You will find lots of options here, including all the routing configuration. Just name the Virtual Router, rest will be configured later. In our example, we are creating Virtual Routers name OUR_VR.
For interface configuration, first of all we need to go Network >> Interfaces and then click on the interfaces.
In our example, Ethernet 1/1 is our outside interface. So, after clicking Ethernet 1/1, we are giving comment (description), Interface type as Layer3. Then, we will assign the virtual router OUR_VR and zone External.
On the same page, we have to add IP address. We are using IPv4, so we are clicking on IPv4 and adding the IP address for external interface by clicking Add.
Similarly, we need to do the same steps for Internal and DMZ zone to add IP addresses for them. In our LAB 10.1.1.1/24 is Internal interface IP and 192.168.1.1/24 is DMZ interface IP.
Finally, commit all the configuration by clicking Commit from right top corner.
Reaching Internet from Internal Zone
First of all, we need to add routing configuration. To do so, we need to go to Network >> Virtual Routers and then click newly created virtual router named OUR_VR.
Below are the configuration of our LAB setup.
Now, we need to configure the policy for Inside to Outside communication. By default, interzone communication is blocked.
In policy, we need to configure minimum 4 section. We are configuring according below listed information.
General: Name: INTERNAL_TO_EXTERNAL Rule Type: interzone Source: Source Zone: Internal Source Address: 10.1.1.0/24 Destination: Destination Zone: External Source Address: any Action: Action: Allow
Now, we need to create NAT rule. To create go to Policies >> NAT and click Add to add the NAT rule.
We use below information to create the NAT rule.
General Name: INTERNAL_TO_INTERNET Original Packet Source Zone: Internal Destination Zone: External Destination Interface: ethernet 1/1 Source Address: 10.1.1.0 Destination Address: Any Translated Packet (Source Address Translation) Translation Type: Dynamic IP And Port Address Type: Interface Address Interface: ethernet 1/1 IP Address: 172.16.100.201/24
Now, we need to commit all the configuration by clicking Commit.
Let’s have a http request to www.paloaltonetworks.com from Internal network.
C:\>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::6cf7:1072:c575:5 IPv4 Address. . . . . . . . . . . : 10.1.1.10 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.1.1.1
Sure enough, our Internal LAN users BOB can access the internet.
WEB Server configuration on DMZ
DMZ server is connected to ethernet 1/3 interface which belong to DMZ zone. Our WEB server IP is 192.168.1.10. Now, let’s create policies for communication between INTERNAL and DMZ zone.
INTERNAL to DMZ:
General: Name: INTERNAL_TO_DMZ Rule Type: interzone Source: Source Zone: Internal Source Address: 10.1.1.0/24 Destination: Destination Zone: External Source Address: 192.168.1.0/24 Action: Action: Allow
DMZ to INTERNAL
General: Name: DMZ_TO_INTERNAL Rule Type: interzone Source: Source Zone: DMZ Source Address: 192.168.1.0/24 Destination: Destination Zone: Internal Destination Address: 10.1.1.0/24 Action: Action: Allow
We can verify the result by hitting WEB server IP https://192.168.1.10 from Internal LAN PC (10.1.1.10).
Now, time for External users. We will configure Destination NAT for outside users. To create destination NAT, we have to go Policies >> NAT and then click Add to add the NAT rule.
Below are our NAT configuration.
General Name: DESTINATION_NAT Original Packet Source Zone: External Destination Zone: External (it's because we will hit external IP) Destination Interface: ethernet 1/1 Source Address: any Destination Address: 172.16.100.199 (this is our Outside IP :P ) Translated Packet (Destination Address Translation) Translation Type: Static IP Translated Address: 192.168.1.10
To verify, let’s do a http request to http://172.16.100.199 which is our WEB server external IP.
Result looks perfect. Finally, we can reach WEB server from External Zone.