Creating Security Policies in Palo Alto

Captions
In this video we're going to talk about creating security policies in the Palo Alto. Now, the security policies are what essentially allows the system to be able to work as a firewall. By default all traffic is blocked on the Palo Alto, and the security policies are what allows you to open up certain types of traffic based on source, destination, type of traffic, application, URLs and so many other items.

So if we look at our network diagram, what I want to do in this example is I want my Servers network to be able to contact my DMZ, and I want to be very open as far as what it can do; I don't want any restrictions at all. Basically I want Servers to contact DMZ, and then I want DMZ to be able to return the traffic. So let's see how that works.

So I'm in my Palo Alto. A quick review: I've got all my network devices all configured, I've got specifically my layer 3 interfaces all IP'd and up and running. So what I want to do is I want to come over to the Policies tab. This is where almost all of the work happens, under Policies and the Security tab. Down at the bottom, go ahead and click Add, and it gives me a nice little wizard to basically walk through. A couple of things to note: anywhere you see these squiggly lines, that means something is missing. The best way to really work this is to work from the left to the right, so we start at General, then Source, User, Destination, Application and so on.

So we'll start off with our rule name, and I'll call this, see, "permit server to dmz". Rule type: we have three options. Intrazone is basically anything inside of the zone. I think if you have multiple interfaces all with the same Server zone, then if you want to allow traffic you would call that an intrazone. This is also used... intrazone is also very useful for a layer 2 interface specifically. What we want is interzone, because we're starting in one zone, specifically Server, and we're ending in another zone called DMZ. If you're not entirely sure you can go ahead and choose Universal; basically it's both of those. See, tags, groups, sure.

Source: on the left-hand side we specify what our source zone is, so where is our traffic coming from, and if we want to we can also specify which IPs. Source zone: let's go and add in our Server zone. I'm not going to put anything in the source IPs; I want to make sure this Any checkbox is selected, that way I'm able just to say anything in the Server zone should be able to access this destination. User: I'm not going to do anything with users, so I want to make sure Any and Any are selected. Destination: my destination zone was the DMZ, so I'll go ahead and click Add and DMZ. Again, I could specify a destination address if I wanted to be absolutely more specific as far as which targets I could talk to according to this rule. I don't want to do that; I would just want to say everything in that zone should be available. Application: I can specify specific applications that can communicate through here, for instance maybe email, maybe web browsers, maybe specific web browsers can access it. I really just want to have Any, so Any is checked. Service / URL Category: I'm not really concerned about any services. Application-default basically means look at the Applications tab and go with whatever your defaults are, so I'll leave that as is, and then URLs as Any. And then lastly, Actions: action of Allow. Do I want to permit or deny this? My action options are Allow, Deny, Drop, Reset, Reset or Reset. Go ahead and leave that to Allow. Logging: do I want to log at the start or at the end, and then also do I want to forward that, and then any kind of a schedule or QoS options. I just want to leave all those as is and say OK.

Now before I click OK, I want to go ahead and make this window a little bit smaller. I have a text box or a command prompt right here. Since the machine I'm on is on the Server network, I should be able to ping the DMZ network, and if I look at my network diagram, 192.168.50.10 is my destination. So I'm going to do a ping -t, which is a continuous ping of that IP address. What that will do is, when I come over here and I click Commit and Commit, as soon as this commit goes in and is effective, that ping should begin to work immediately. And there we go, my ping is responding back, and so my security policy went ahead and worked.
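The rule built in the video is deliberately wide open (source any, destination any, application any, allow). As an added example that is not part of the video or Ed Goad's material, here is a small offline checker that flags exactly those settings when run over exported rule definitions; the rule dicts, the second "web" rule and the 192.168.40.0/24 server subnet are constructed for illustration.

```python
"""Audit PAN-OS security rules for over-permissive settings (offline).

The rule dicts mirror the wizard fields the video walks through: general
(rule type), source, user, destination, application, service/URL category,
action and logging. Nothing here talks to a firewall.
"""

# Constructed sample: the wide-open rule from the video, plus a tighter
# variant that only allows web traffic from the server subnet to one host.
RULES = [
    {"name": "permit server to dmz", "rule_type": "interzone",
     "from": ["Server"], "to": ["DMZ"],
     "source": ["any"], "destination": ["any"], "source_user": ["any"],
     "application": ["any"], "service": ["application-default"],
     "url_category": ["any"], "action": "allow",
     "log_start": False, "log_end": True},
    {"name": "permit server to dmz web", "rule_type": "interzone",
     "from": ["Server"], "to": ["DMZ"],
     "source": ["192.168.40.0/24"], "destination": ["192.168.50.10"],
     "source_user": ["any"], "application": ["web-browsing", "ssl"],
     "service": ["application-default"], "url_category": ["any"],
     "action": "allow", "log_start": False, "log_end": True},
]


def audit_rule(rule):
    """Return a list of findings (strings) for one rule; empty means clean."""
    findings = []
    if rule["action"] != "allow":
        return findings  # deny/drop/reset rules cannot be over-permissive
    if rule["application"] == ["any"]:
        findings.append("application any: every App-ID (including ping) passes")
    if rule["service"] == ["any"]:
        findings.append("service any: ports not tied to each App-ID's default")
    if rule["destination"] == ["any"]:
        findings.append("destination any: every host in the destination zone")
    if rule["source"] == ["any"] and rule["source_user"] == ["any"]:
        findings.append("source any/any: no host or user restriction")
    if not (rule["log_start"] or rule["log_end"]):
        findings.append("no logging: matches leave no traffic log")
    # Universal rules also match intra-zone flows when a zone is in both lists.
    if rule["rule_type"] == "universal" and set(rule["from"]) & set(rule["to"]):
        findings.append("universal rule type also matches intra-zone traffic")
    return findings


def audit(rules):
    """Map rule name -> findings for every rule that has at least one."""
    return {r["name"]: f for r in rules if (f := audit_rule(r))}
```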
Info
Channel: Ed Goad
Views: 2,886
Id: _4Udvp4LoiM
Length: 5min 37sec (337 seconds)
Published: Mon Jun 08 2020