Configuring Firewall Zones And Interfaces On A Palo Alto Networks Firewall | PART 3

Captions
You and I get to begin our configuration of the data plane on the Palo Alto firewall, including security zones and Layer 3 interfaces. Also, if you're just joining me in this set of videos and you missed one or two of them, there is a link in the description for this playlist, which is covering all of these topics. So in the previous video in the playlist we did a factory reset and we configured the management interface and its IP address, and in this video we're going to configure the security zones and Layer 3 interfaces on this newly booted up Palo Alto firewall. So again, if you need to go back to the factory reset and the basic IP management, please check out the previous video in this playlist.

So for now let's take a look at our interfaces. We're going to be using interface 1/4, which connects up to service provider A. We're going to configure 1/5 as an interface connecting up to service provider B. In my lab environment I'm just borrowing these address spaces, and beyond these subnets that I'm using here in my lab environment I also have additional NAT set up to allow traffic to go out to the real internet as well. So the interface going through ISP A is gonna be on the 23.1.2 network, and the last octet will be .19 there, and for interface 1/5 going through service provider B it'll be 24.1.2, and the last octet there for its IP address on 1/5 will be .19. And then this interface right here, the 1/1 interface, is going to be 10.10.0.19. In addition to assigning these interfaces IP addresses, we're also going to assign these interfaces to a security zone, and that's going to become important when we set up our initial security policy right here. So as part of the configuration we'll place interface 1/4 and interface 1/5 in the security zone called outside, and we'll place the interface 1/1 in a security zone called inside.

So without further ado, let's go to the interface for the Palo Alto firewall and let's configure those two zones and those three interfaces. So here's the web interface for firewall 19. Let's go to the Network tab up on top and let's start off by creating our two zones. So there's the trust and untrust zone that came by default; we're not using those, so I'll get rid of them, and let's create the two new zones, inside and outside, based on our plan. So we'll click on Add, and for the first zone we'll call it inside, and it is going to be a type of Layer 3, which means that interfaces of the type Layer 3 can be associated with this security zone, and we'll click on OK. And we'll do similar treatment by creating the zone called outside: so click on Add, we'll type in the word outside, specify the type, which is Layer 3, we'll select that from the drop-down, click OK, and now we have those two zones, both part of the candidate configuration.

Before we do the commit, let's also configure our three interfaces. So with the Network tab on the top selected and Interfaces on the left and the sub-tab of Ethernet selected, let's configure ethernet1/1. So in our topology that is this interface right there. So let's configure ethernet1/1 with the IP address of 10.10.0.19. To do that we'll click on ethernet1/1 to go into the details, and working from the top down we'll go ahead and start by specifying this is a type Layer 3, meaning it's an interface supporting an IP address, and we'll assign this to our default virtual router, and we'll also assign this to the security zone called inside. So just to confirm, this is ethernet1/1 and it's being associated with the security zone called inside. And then to assign an IPv4 address to this interface we'll click here on the IPv4 sub-tab, click on Add in the IP section, and give the IP address of 10.10.0.19 with a 24-bit mask, and click on OK.

And then we'll do similar treatment for interface 1/4 and 1/5, except we'll put them in different zones. So we'll click here on ethernet1/4 and specify the type is a Layer 3 interface, we'll assign it to the same default virtual router, and we'll assign this one to the security zone called outside. And then we'll go to the IPv4 tab and we'll click on Add, and the IP address here is going to be, let's confirm our notes, it's going to be 23.1.2.19 for this interface 1/4. So we'll plug that in, 23.1.2.19 with a 24-bit mask, and that looks good, we'll click on OK. And then we'll go to interface 1/5 by clicking on it, specifying the interface type as Layer 3, and then down below we'll assign that to our default virtual router, and just like interface 1/4 going to service provider A, the interface 1/5 going to service provider B is also associated with the security zone outside. And then we'll click on the IPv4 tab and click on Add, and looking at our plan we want this interface to be 24.1.2.19 with a 24-bit mask, so we'll put in that IP address, 24.1.2.19 with a 24-bit mask, and that looks good and we'll click on OK.

And currently I see some red here, and it just occurred to me that those interfaces are not plugged in. So let me go ahead and do a commit, and we'll confirm that commit by clicking on Commit one more time, and then let's pop over to the firewall and let's physically plug in those ports, 1/1, 1/4 and 1/5, and I'll plug them into the appropriate ports on the switch for the connectivity. And here we go. So let's start off with port 1/1. So this cable, this green cable, connects down to the VLAN associated with the 10.10 network in my lab environment, so that connection is now in place. So port number four goes up to service provider A. This is port one, and then below that two, and then this one three, and then this one right here is port four, or the full term would be ethernet1/4. So we'll take the appropriate cable and plug that in, so now this cable is leading up to that same VLAN, that same network of 23.1.2. And then the next port, which is going to connect up to service provider B, is 1/5, and that's right here. So we'll take the cable that leads off to that appropriate network and we'll plug that in right there. So as far as a quick connection review, I've got my connection on my management interface to my management network, I've got this connection that goes off to my 10.10 network, this interface here goes to the 23.1.2 network, and this connection goes off to the 24.1.2 network through service provider B.

So with those physical connections in place, let's go back to the web interface. So back on the Interfaces page I did a refresh, and now it's showing that we have green indicators for each of those ports, indicating that there's link. That's because I connected the ports on the firewall to a switch port that leads to the correct VLAN for each of those connections. I think it'd also be wise to do some basic testing at this point. Let's do a ping test from the Palo Alto firewall; we'll source it from this interface going to ISP A, and we'll also do another ping, we'll source it from this interface going to ISP B. And now the critical thing here is that if we do a ping from the Palo Alto firewall, by default it's going to try to use the management interface and the default route associated with the management interface, unless we tell it otherwise. So just be aware that by default it's going to try to go this way, out the management interface, and not use these interfaces 1/4 and 1/5. And in the world of Palo Alto, the traffic associated with the management interface is known as the management plane, and the interfaces and the traffic associated with user traffic going through the firewall is considered to be the data plane. So what we want to do is test and verify the data plane interfaces and the connectivity from each of these interfaces going to their service providers. So each of the ISPs are at .1, so 23.1.2.1 here and 24.1.2.1 here.

So let's go to the command line interface via our SSH session and let's test that. So here at the firewall we'll do a ping, and let's say we're going to source it from 23.1.2.19 going to host 23.1.2.1, and that is working great. We'll do a Ctrl-C to cancel that, and let's also do a ping, and we'll source it from 24.1.2.19 going to host 24.1.2.1, and again that's a little ISP, or pseudo ISP, here in my home lab environment, and press Enter, and that is working as well. So just as a reminder, if we did this, we did a ping to 23.1.2.1, press Enter, and let me go ahead and add the keyword host there, I get a little excited, let's do a ping to host 23.1.2.1, that's not going to fly, and that's because that device, whatever that is on the real internet, that's trying to go through my management port out the default gateway associated with my management interface. So when testing the data plane interfaces, make sure you specify the correct source so it'll know where to source those ping requests from. And that's why the ping with this source is working to my little pseudo internet service provider here, which is responding to pings, and it's not working down here because I'm trying to ping the real IP address 23.1.2.1 out on the public internet, and that's going through the management interface and the default gateway associated with the management interface, and this IP address on the public internet is not responding to pings, and that's why that ping request is not working. So if we did a ping to host, let's go to a Google DNS server, 8.8.8.8, and press Enter, no problem, that device is responding. So again, just be aware when testing the data plane interfaces, make sure you control where you're sourcing those pings from, so by default it's not using the management interface for those pings.

So I've got a question for you: what would happen if we tried to do a ping and we sourced it from 23.1.2.19 and we tried to ping 8.8.8.8? Also, just as a heads up, here in my little lab environment I have another set of NAT devices doing NAT out to the public internet. So assuming the NAT was all in place and this firewall tried to ping 8.8.8.8 from its data plane interface 1/4, would it work? And the answer is it would not, and the reason it wouldn't work yet is because on the data plane we don't have any default routes in place yet. And that's our exact next step on this Palo Alto firewall, to give it default routes going through service provider A and also a default route that it can use going through service provider B, and it is the configuration of those default routes that you and I get to do in the next video as part of this playlist. So if you have another minute or two, I'll see you there in just a moment.
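The same zone and interface build, plus the source-specified ping checks from the video, expressed as PAN-OS CLI commands. This is an added example and not part of the video or of the instructor's material; it uses the zone names (inside, outside), the default virtual router and the addresses the video uses, and assumes standard PAN-OS CLI syntax on a firewall with a single virtual router named default. Lines beginning with # are annotations for the reader, not input to the firewall.

```text
# --- configuration mode: builds the same candidate config the video builds in the GUI ---
configure

# Layer 3 zones; the video deletes the default trust/untrust zones and creates these two instead
set zone inside network layer3 ethernet1/1
set zone outside network layer3 [ ethernet1/4 ethernet1/5 ]

# Layer 3 interfaces with IPv4 address and 24-bit mask
set network interface ethernet ethernet1/1 layer3 ip 10.10.0.19/24
set network interface ethernet ethernet1/4 layer3 ip 23.1.2.19/24
set network interface ethernet ethernet1/5 layer3 ip 24.1.2.19/24

# Attach all three interfaces to the default virtual router
set network virtual-router default interface [ ethernet1/1 ethernet1/4 ethernet1/5 ]

# Review the candidate before committing
show zone
show network interface ethernet
commit
exit

# --- operational mode: link state and data-plane reachability ---
show interface all
show interface ethernet1/4

# "source" selects a data-plane interface address; these are the two pings that work in the video
ping count 4 source 23.1.2.19 host 23.1.2.1
ping count 4 source 24.1.2.19 host 24.1.2.1

# Without "source" the ping leaves the management interface via its default gateway,
# so this reaches the real 23.1.2.1 on the internet (the video's "that's not going to fly" case)
ping count 4 host 23.1.2.1

# Why a data-plane ping to 8.8.8.8 fails until default routes are added: the data-plane FIB has no route
test routing fib-lookup virtual-router default ip 8.8.8.8
show routing route
```

Two practitioner caveats that follow from the video's setup. First, placing interfaces in zones passes no user traffic by itself: PAN-OS ships with an interzone-default rule that denies traffic between zones (and an intrazone-default rule that allows traffic within a zone), so nothing crosses inside to outside until the security policy from the next part of the series exists. Second, the management-plane versus data-plane split applies to every operational test, not only ping: a traceroute or DNS lookup issued without a data-plane source address is also answered from the management network and says nothing about whether ethernet1/4 or ethernet1/5 can reach their ISPs.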
Info
Channel: Keith Barker - The OG of IT
Views: 26,731
Id: gqSkT00mJZA
Length: 10min 12sec (612 seconds)
Published: Sat Apr 22 2023