Palo Alto firewall lab using VMware Workstation

Captions
Hey guys, welcome to MB Tech Talker. My name's Matt. In this video I'm going to show you how to configure VMware Workstation to successfully deploy a Palo Alto next-generation firewall. I'll provide a step-by-step demonstration of how to configure the interfaces, static routing, security zones, security policies and NAT to allow your client PC to access the Internet, allowing you to take advantage of the Palo Alto next-generation security features. If you want to see more videos like this, be sure to hit that subscribe button and the bell to get notified every time I post a new video.

OK, so I created this diagram to show you how the Palo Alto firewall will be deployed. All components within the green hatched lines are virtual devices and only exist inside VMware Workstation. The router, switch and management PC are all physical devices and have access out to the Internet via my home router, 192.168.21.254, which is the default gateway. The Palo Alto firewall will have a total of four interfaces: outside, inside, DMZ and management. The eth1/1 outside zone interface and the management interface will be on the same subnet as my home network and will be bridged using the physical interface on the VMware Workstation host. The management interface will be used to access the firewall's web UI and CLI; this interface is not used for normal data traffic, it is solely used for management purposes. The eth1/2 inside zone interface is where a Linux client VM will reside. In this video I will show you how to create this client VM from scratch using a lightweight Linux OS called Tiny Core, and install the necessary desktop apps that can be used to generate traffic and test connectivity through the Palo Alto firewall out to the Internet. And finally, the eth1/3 DMZ zone interface is where a Kali Linux client VM will be connected, in order to test connectivity across the zones, and you will be able to use Kali Linux to invoke cyberattacks on demand, allowing you to use the Palo Alto next-generation firewall features to detect and block them.

OK, so we're going to move into the lab now. The first thing you need to do is head over to vmware.com and download the VMware Workstation software, and we also need to go to the Palo Alto customer support portal and download the OVA. I'll put the links in the description, and once you've downloaded those files we can crack on with the VMware Workstation installation.

OK, so now that VMware Workstation has successfully installed, we can move on to importing the Palo Alto OVA file. You do that by clicking File, Open, selecting the OVA file and then clicking Open. You can leave the name of the virtual machine at the default and then just click Import. We'll just wait for that to import into VMware Workstation. So that's the Palo Alto VM successfully created. We can now go in and edit the virtual machine settings by clicking here, and as you can see we've got some predefined configuration. The VM comes configured with two network adapters: the first one is the management interface and the second one is a data interface. You can add up to nine interfaces. What we're going to do is add two more so it matches our lab diagram, so let's just click Add, Network Adapter, Finish, and then do it again: Add, Network Adapter, Finish. That gives us a total of four interfaces: management, outside, inside and DMZ.

At this stage we can now configure the actual Workstation network, so we need to go into the Virtual Network Editor; you right-click it and you need to run as administrator. As you can see, we've got some default configuration here. What we're going to do is remove VMnet1 and VMnet8. That leaves VMnet0; this is the physical bridged interface on the VMware Workstation host, so my PC's physical network is connected to VMnet0. So what we can do is add another network, and I'm going to match them to our Palo Alto VM, so VMnet3, OK, and then on VMnet3 we're going to change the subnet IP to 10.3.3.0, disable DHCP and apply. And we're going to create another additional network, I'm going to call that four, OK, and do the same again but changing the subnet IP, so let's change this to 172.16.4.0, disable DHCP and apply. So that now gives us the two subnets that we're going to be using, the inside and the DMZ, and as I said, this will be using my home network for the outside and for the management. So if we click OK we can now map these accordingly. If you go into here and highlight Network Adapter 3 and click Custom, we can now select VMnet3, and we can do the same for four: Custom, VMnet4, OK.

So what we need to do now is make sure these additional interfaces that we've added are the same virtual device type as the ones that were already created by importing the OVA file. To do that we need to browse to the virtual machine folder, so mine is stored in Documents\Virtual Machines, and here is the Palo Alto virtual machine folder, and you're looking for the .vmx file. I'm going to open and edit it with Notepad++; you can use another text editor if you haven't got that, but it's free to download. What we need to do is make sure that our new interfaces match the ones which were already created. You can see here this is ethernet0, so this is effectively the first and second interface created; the virtual device is set to vmxnet3, and that's what we need to make sure the other NICs are set to. So I'm just going to copy that and we're going to look for interfaces 2 and 3, because they're sequential, and as you can see it's actually set to e1000, which is wrong, so we need to replace that one and we also need to replace that one. If we don't do this the VM won't boot. So that's now been corrected, and you just need to make sure that you save the file and close the window. Now we can start the VM. So that is now the virtual machine configured; this will boot up and we will move on to the next parts of the lab.

OK, so the Palo Alto has successfully booted up. Now we're going to log in to the firewall and verify the management IP address, so you can use the default credentials, which are admin/admin, and then we're going to issue the show system info command, and as you can see there's an IP address that's been assigned by DHCP and the default gateway has been set, which is my home router. But I want to change this address to be a static IP so it matches the lab diagram and doesn't change when I reboot the firewall. So we're going to go into configure mode and then we're going to do set deviceconfig system type static; this changes from DHCP to a static assignment. Hit return, and then we can do set deviceconfig system ip-address 192.168.21.21 netmask 255.255.255.0, and then default-gateway is my home router, 192.168.21.254. For DNS settings it's dns-setting servers primary, and then I'm just going to use Google's, and hit return. Then we're going to commit the changes to the firewall using the commit command; we wait for that to save the config, and once it's saved we're going to exit configuration mode and issue the show system info command again, and as you can see we have now got a static IP set to 192.168.21.21. So now we can verify that we've got web UI access: open up a browser and go to https://192.168.21.21, accept the certificate warning and proceed, and there you go, we've got web UI access. Enter the default credentials, log in and click OK there, and we should be seeing a baseline configuration. Just close that window, and then you can verify that the networks are all there but not configured. So we're going to move on to the next part of the lab, which is going to be to set up a VM client and to configure the interfaces on the Palo Alto so that we can start testing connectivity.

The next thing we need to do is get the Linux client virtual machine up and running. I use a lightweight operating system called Tiny Core Linux, so head over to their website at tinycorelinux.net, go to the download section, look for the CorePlus ISO file and download that to your desktop or your downloads folder. Once that's done you can go back into VMware Workstation and start configuring the virtual machine. Go to File, New Virtual Machine, click Custom, then Next, Next again, and choose "I will install the operating system later". Click Next, choose Linux and "Other Linux 5.x or later", then click Next. Give the virtual machine a name, so Tiny Core Linux, and click Next. Leave the processors at the default, allocate 1 GB of memory, and use bridged networking; this will connect the virtual machine to the home network and you should get an IP address from your router or DHCP server. Click Next, keep that at the default, select SATA for the disk type, and then create a new virtual disk. Next, I normally change this to 16 GB and I store the virtual disk as a single file. Leave that as the default and then go into Customize Hardware. Remove any unnecessary virtual hardware, so I remove the USB controller, the sound card and the printer. Then highlight the CD/DVD, select Use ISO image file, browse to the ISO file you downloaded earlier, click Open, close this window and click Finish. We should then be in a position to power on the virtual machine, so click on the screen and hit return on the first option. This doesn't take too long to boot up and should present us with a Tiny Core desktop.

OK, so we're at the desktop now. It's a little bit difficult to navigate the Tiny Core desktop without VM tools installed, so what I tend to do is put the mouse cursor in the left-hand corner of the screen, right-click, and then use the cursor keys to go to Applications and then TC Install, and press return. When you're on here, just use your Tab key to go to Whole Disk, use your spacebar to select it, then Tab twice, use your down arrow and then spacebar to select sda. Use Tab to go down to the forward arrow and press spacebar, spacebar again on ext4, and again and again, and then use Tab to go to Proceed and press spacebar. This will partition and format the virtual hard drive and finish the core installation. Once that's done, hit Escape and that will close that window. What we're going to do now is again put your cursor in the left-hand corner, right-click, go to Exit and then Reboot. We're just going to give it a quick reboot to make sure that it has installed the operating system correctly, and then we can install VMware tools. Again, I know this is a little bit difficult, but we need to get the mouse into that left-hand corner, right-click, and this time go to System Tools, Exit, and choose Exit to Prompt using the cursor and spacebar, then Tab to OK and hit Enter.

Now we can install VM tools. First of all I'm just going to check that we've got an IP address, so ifconfig; we've got an IP address. Can we ping the gateway, 192.168.21.254? Yes we can, so we can ping the router. Can we ping the Internet? ping google.co.uk, yep, so we've got Internet access. We've got connectivity to the home network and we obtained an IP address, which is a good start. So now we can get VM tools installed: we're going to use tce-load with the -wi switch and then open-vm-tools-desktop, and hit return. This takes a little while to install, so I'm just going to let it run and I'll get back to you when it's complete. OK, so that's VM tools installed, so I'm going to give that a reboot again and hopefully when the desktop comes back it's going to be a lot more usable.

OK, so that looks good. What we're going to do now is configure the wallpaper to fit properly so it looks better. But now, as you can see, the mouse is working properly and it's much easier to navigate with the mouse and select the applications and software. So what we can do again is go to System Tools, Exit, Exit to Prompt, press OK and we'll go back to the command prompt. This time we're going to install the rest of the software, so we're going to use the same command again, tce-load with the -wi switch, and install nano, bash, LXTerminal, Leafpad (which is a text editor), Firefox, VLC and LibreOffice. We'll get those downloaded and give the VM another reboot, and fingers crossed that should be all we need. I may install just one more application as a bonus at the end; let's see how we get on with this.

OK, so we're back at the desktop. Let's have a look to see if all the applications have installed: Firefox, Leafpad, LibreOffice, LXTerminal and VLC player have all been installed. As I mentioned, I'm going to install one more application, so I'm going to use the new LXTerminal and the same tce-load command as earlier, and we're going to download a file manager to make it easier to browse files on the Tiny Core virtual machine. So with the -wi switch we're going to install pcmanfm. It's going to download that; it takes hardly any time at all and within a few seconds we should have the application installed. OK, so we should now see File Manager in our application list, and this gives us a way to browse files. So that's it, that's all the applications installed, and we're now ready for this virtual machine to be connected to the Palo Alto to do some testing.

OK, so we're back over at VMware Workstation. We need to make a quick change to the Tiny Core client: highlight the Tiny Core VM, then Edit virtual machine settings, and we need to look at the network adapter. As you can see, it's still set to Bridged; this is from when we set it up to access the Internet via my home router. What we need to do is change that to the inside network of the Palo Alto, so we need to choose VMnet3; this will put it on the 10.3.3.0/24 network. I'll just click OK. We can now boot up the virtual machine, and while that boots we're going to head over to the Palo Alto. Let's log in with the default admin/admin, and then we're going to check that the IP address of the management interface is what we expect it to be: show system info, and it's 192.168.21.21 and the default gateway is 192.168.21.254. So we can now go over and open up a browser and browse to the web UI, https://192.168.21.21, click Advanced and then Proceed, log in again with the admin/admin credentials and hit return.

OK, so now we're ready to do some basic configuration. First of all we're going to set the date and time, so go to the Device tab, then the Management tab, click the gear icon, and here we're going to set it to our time zone, so mine is Europe/London. I'm just going to be very quick and leave the rest at the default, and then click OK. Then we're going to go to Services, open up the window using the gear icon, go to the NTP tab, and I'm going to set mine to a UK server from pool.ntp.org, then OK. Now we can commit the changes so that the time and date are correct, and then we can move on to the network configuration. Close that; we can verify on the dashboard that NTP has started and synchronised and we've got the current date and time, which is good.

All right, on to the Network tab. The first thing we're going to do is configure some zones, so click on Zones and we're going to add an outside zone and set that to a Layer 3 type zone, then click OK. We're going to add an inside zone, Layer 3 type, OK, and then we're going to add a DMZ zone, Layer 3, OK. Now we're going to configure a virtual router: add one, I'm going to call it vr1, then OK. Then we're going to create two management profiles so that we can manage and ping the interfaces that we choose. Click on Interface Management, then Add; this one I'm just going to call ping-management and just tick the Ping network service, then OK. Add a second one; this one is going to be web UI, SSH, ping, and I'll just put management on the end, so we can choose the HTTPS, SSH and Ping services, then click OK.

So now we need to go to the Interfaces and we can tie all this configuration together. The first one is ethernet1/1; this is going to be the outside interface, so we're going to choose the Layer 3 interface type, the virtual router is going to be vr1 and the security zone is going to be outside. IPv4 is where we assign the IP address; this is going to be my outside home network, so 192.168.21.250/24. Then click on Advanced and we can assign the management profile; we're just going to have ping on the outside, we're not going to be able to manage it from the outside. Click OK and go into ethernet1/2: interface type Layer 3, virtual router vr1, security zone inside. On the IPv4 tab click Add, and this is going to be the 10.3.3.254/24 address on the 10.3.3.0 network. Then click on the Advanced tab, go to the management profile and this time select the web UI/SSH/ping management profile, so we can manage from the inside; we're going to use the Linux client to be able to manage the firewall and test connectivity to the virtual machine. Click OK there. Then ethernet1/3: again Layer 3, virtual router vr1, security zone dmz, IPv4 is going to be 172.16.4.254/24, then on to Advanced again, and again we're just going to use the ping management profile so we can test connectivity from a virtual machine, and click OK.

So let's just recap. We've got ethernet1/1, which is in the outside security zone, connected to virtual router vr1 and using the home network address 192.168.21.250. ethernet1/2 is the inside network, so inside security zone, and is using the 10.3.3.254 address. ethernet1/3 is in the DMZ security zone and is using 172.16.4.254. And we've got two management profiles: the least trusted interfaces just have ping management, and on the most trusted we've got full web UI and SSH access. So that's good at that point, so we can commit that and then move on to the security policies.

OK, so the configuration has been pushed to the firewall and you can see that the three interfaces have come up, as the link state has turned green. The next thing we need to do is configure some security policies, so head to the Policies tab. There are two default security policies already created out of the box; we're going to add our own. The first policy is going to be inside-to-outside, so we're going to select inside as the source zone and outside as the destination zone. This will all be default, so application any, service application-default, and log at session end; this creates logs in the Monitor tab. Then we need to do another one from outside to inside: source outside zone, destination inside zone, again application any, service application-default, action allow, and log at session end. Then the next policy is going to be from inside to DMZ, so source inside, destination dmz, and again application any, service application-default, allow and log at session end. And then we're going to do one more, which is going to be from outside to DMZ: source outside, destination dmz, and just the default settings again all the way through. So this is a very permissive set of policies; these can be changed, but at the moment, just to get traffic through the firewall and demonstrate how this works, we're just going to leave them as they are.

The next thing we need to do is a NAT policy. If we go back to the Network tab, we know that ethernet1/1 is our outside interface and its IP address is on our home network, so 192.168.21.250 is something that our home network knows about, so when we do the NAT policy this is going to be the key IP address. Go to Policies, NAT, and we're going to create a new policy here; I'm just going to call this outbound NAT. What we're going to do here is source from the inside and the DMZ zones, destined to the outside zone, which is the home network, and the destination interface is ethernet1/1. Leave the service at any, and leave the addresses at any/any. Then go to the Translated Packet tab, select source address translation, and we're going to do dynamic IP and port, address type interface address, select ethernet1/1 and choose the IP address of the outside interface. So it's called outbound NAT, it's sourcing from our DMZ and inside zones, it's destined to the outside zone via the ethernet1/1 interface, from any source address to any destination address and from any service to any service, and we're going to translate it to the ethernet1/1 outside interface address. We're going to commit that, wait for it to push to the firewall, and then we're going to do some testing.

OK, so we're back at VMware Workstation, at the Tiny Core desktop. What we need to do now is configure an IP address so that the Linux machine can communicate with the Palo Alto's inside interface. At the desktop, right-click and go to System Tools, Control Panel, then Network, and we're going to set the IP address to 10.3.3.10; it will populate the rest of the fields. Make sure your name server, your DNS server, is set to Google's 8.8.8.8, then Exit, and exit the Control Panel. Open a terminal so we can get to the command line, and we're just going to verify the IP address, and that's 10.3.3.10. Then we're going to ping the Palo Alto's inside interface, so ping 10.3.3.254. OK, that looks good, so we should be able to open up a web browser now and browse to the web UI. Let's open up Firefox, and from here we're going to go to https://10.3.3.254 and log in with admin/admin. As you can see, we've got web UI access and there's the dashboard, so that looks good. The next test is to see if we can get out to the Internet. I'm just going to open another tab and go to www.google.co.uk. OK, I know this is going to fail, and the reason is that we don't have a default route set on the Palo Alto. So we just close that tab, go into the Network tab again, then Virtual Routers, go into the vr1 router that we created, then Static Routes, then Add, and we're just going to call this default-route. The destination network is 0.0.0.0/0, so that's the default, that's everything, then the interface is ethernet1/1 and the next hop IP address is my home router, 192.168.21.254. So that's the default route: to any destination, go out of the Palo Alto's outside interface and use the IP address of the home router, 192.168.21.254, as the default gateway. Click OK, and OK on that, and then we need to commit the change. Once it's committed we'll open a tab again and test the Internet connection again, so close and reopen the tab and let's go to www.google.co.uk, and there we go, we have access to the Internet. So that looks good; we've got full connectivity through the Palo Alto. We've got a Linux client connected directly to the inside interface, so we're currently connected to the inside security zone and we are going out to the Internet via the outside address. The only real next thing we need to do is test that we've got access to the DMZ, but as it stands we don't have a client configured yet, so that's the next bit I'm going to do: bring in another client and attach it to the DMZ interface.

OK, so we're back at VMware Workstation. I've just imported a Kali Linux client that I created prior to making the video, just to make things a little bit quicker. Ultimately what I've done is copied the Kali client folder back into the Virtual Machines folder, then gone to File, Open, browsed to the Kali Linux client .vmx file and opened it, and that just imported the VM into VMware Workstation. So all we need to confirm, by highlighting Kali Linux and going to the settings, is that the VM is set to VMnet4, which it is, and that is the DMZ zone on the Palo Alto, so that puts it on the 172.16.4.0/24 network. We can just test connectivity from the Kali Linux command line, so let's do ping 172.16.4.254. That's good. And if we go to the Tiny Core and open up a terminal, we can test connectivity from the inside to the DMZ zone, so let's do ping 172.16.4.10. So that's good, but if you did the ping the other way, sorry, ping 10.3.3.10 from Kali, the security policy doesn't allow it: it doesn't allow you to go from DMZ to inside, but it allows you to go from inside to the DMZ. Another thing that the Kali Linux won't be able to do is get out to the Internet, so if I ping www.google.com it will have no access: one, there's no policy rule, and two, there is no NAT policy. I'm going to leave that for you guys to do so that you can get that working. The clue is that you just use the policies in place and create the same rules, the same NAT policy, or add the zone into the same NAT policy, to allow that Kali Linux DMZ machine to get out to the Internet.

But there is one more thing that we need to do, and that is to allow the home network to be able to access both of the virtual machines, because the home network does not know how to get to the 10.3.3.0/24 network and the 172.16.4.0/24 network. You're going to need to tell your home router how to do that. Inside your router you should be looking for some configuration called routing or static routing, and you need to put in there a static route saying: to get to the 10.3.3.0 network and the 172.16.4.0 network, go to the Palo Alto outside interface. I can show you how to do that. I'm just going to browse quickly to my router, log in, go to Routing and then Static Routes, and then you would put 10.3.3.0 255.255.255.0 pointing to the IP address of the Palo Alto outside interface, so in this case it's 192.168.21.250. I'm just going to enable that, then OK, and then for the 172.16.4.0/24 network, again point it to the IP address of the outside interface of the Palo Alto, enable it, then OK. That should be all we need, and then we can verify it. I'm going to open up a command prompt and ipconfig this machine, and you can see that I'm on 192.168.21.59, so the PC with VMware Workstation configured is using that physical IP address. What I'm going to do is ping the Tiny Core Linux client and also the Kali Linux client, so first of all ping 10.3.3.10, and there you go, I've got connectivity from my home network to the Tiny Core. Now we try the DMZ client, the Kali client: ping 172.16.4.10, and we've got access to that as well.

So that gives us a Palo Alto lab using VMware Workstation. Just to make you aware, I've got no licences installed on here, so I'm not able to show you any monitoring, but this is something I can do in another video. I know that traffic has passed through the firewall because of the connectivity testing we've done, but inside your policy rules you can see hit counts and you can see what traffic is going through which policy, and you can do the same in the NAT policy; you can see that you've got a hit count here and it will be incrementing as you send traffic through the firewall.

So that's the end of this video, the end of the lab. I hope you found this interesting. If you've got any questions, please pop them in the comments below and I will get back to you. Let me know how you got on, let me know if there's anything that I could have improved on or if there's anything I missed, then just pop it all in the comments below and I will get back to you as soon as I can. OK guys, that's it for today's video, thanks for watching. Over the coming weeks I will be uploading more videos where I will be sharing more content about Palo Alto firewall features and technologies and how to configure them. If you liked this video, I'm sure you know what to do by now, but just in case you don't, please hit that like button below and share with your friends, and be sure to hit that subscribe button and the bell to get notified every single time I post a new video. If you have any ideas for video content you want me to create, please put them in the comments below, as I would love to hear your feedback on any aspect of my channel. Please keep watching and I will see you in the next video. Thanks.
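As an added example, not from the video or from Palo Alto's own software: a small Python model of the zones, the four security rules and the source NAT rule built in the lab above. It resolves each address to a zone the way the firewall does (connected interface subnet, else the 0.0.0.0/0 route out of ethernet1/1) and reports, for the test flows from the video, why each one is allowed or dropped and what source address the far end sees. The rule name outbound-nat, the built-in intrazone-default/interzone-default rule names and the addresses 8.8.8.8 and 192.168.21.59 are taken from the video; the dmz-to-outside result is simply what the four rules as configured give.

```python
import ipaddress

# Constructed model of the lab built in the video (not PAN-OS configuration syntax).
# Interfaces: the zone and address configured on ethernet1/1, 1/2 and 1/3.
INTERFACES = {
    "ethernet1/1": {"zone": "outside", "addr": ipaddress.ip_interface("192.168.21.250/24")},
    "ethernet1/2": {"zone": "inside",  "addr": ipaddress.ip_interface("10.3.3.254/24")},
    "ethernet1/3": {"zone": "dmz",     "addr": ipaddress.ip_interface("172.16.4.254/24")},
}
# Static default route 0.0.0.0/0 out of ethernet1/1 towards the home router.
DEFAULT_ROUTE_INTERFACE = "ethernet1/1"

# The four security rules from the video, evaluated top-down. The "application any /
# service application-default" criteria are omitted: only zones decide the match here.
SECURITY_RULES = [
    {"name": "inside-to-outside", "from": "inside",  "to": "outside", "action": "allow"},
    {"name": "outside-to-inside", "from": "outside", "to": "inside",  "action": "allow"},
    {"name": "inside-to-dmz",     "from": "inside",  "to": "dmz",     "action": "allow"},
    {"name": "outside-to-dmz",    "from": "outside", "to": "dmz",     "action": "allow"},
]

# The source NAT rule: inside and dmz to outside, dynamic IP and port, translated to
# the address of ethernet1/1.
NAT_RULES = [
    {"name": "outbound-nat", "from": {"inside", "dmz"}, "to": "outside",
     "translate_to": str(INTERFACES["ethernet1/1"]["addr"].ip)},
]


def zone_for(address):
    """Resolve the zone of an address the way the firewall does: by egress interface.

    A connected route (an interface's own subnet) wins; any other destination follows
    the 0.0.0.0/0 static route and therefore lands in the outside zone.
    """
    ip = ipaddress.ip_address(address)
    for iface in INTERFACES.values():
        if ip in iface["addr"].network:
            return iface["zone"]
    return INTERFACES[DEFAULT_ROUTE_INTERFACE]["zone"]


def evaluate(src, dst):
    """Return (action, rule_name, source_after_nat) for a new session src -> dst."""
    src_zone, dst_zone = zone_for(src), zone_for(dst)
    # Same-zone traffic matches the built-in intrazone-default allow rule.
    if src_zone == dst_zone:
        return "allow", "intrazone-default", src
    for rule in SECURITY_RULES:
        if rule["from"] == src_zone and rule["to"] == dst_zone:
            translated = src
            # A translation is only ever seen for sessions that are set up at all.
            for nat in NAT_RULES:
                if src_zone in nat["from"] and dst_zone == nat["to"]:
                    translated = nat["translate_to"]
            return rule["action"], rule["name"], translated
    # No explicit rule: the built-in interzone-default rule denies the session.
    return "deny", "interzone-default", src


if __name__ == "__main__":
    flows = [
        ("10.3.3.10", "8.8.8.8"),        # Tiny Core to the Internet
        ("10.3.3.10", "172.16.4.10"),    # Tiny Core to Kali
        ("172.16.4.10", "10.3.3.10"),    # Kali to Tiny Core: no dmz-to-inside rule
        ("172.16.4.10", "8.8.8.8"),      # Kali to the Internet: no dmz-to-outside rule
        ("192.168.21.59", "10.3.3.10"),  # home PC to Tiny Core via the router's static route
    ]
    for src, dst in flows:
        action, rule, nat_src = evaluate(src, dst)
        print(f"{src:>14} -> {dst:<12} {zone_for(src):>7} -> {zone_for(dst):<7} "
              f"{action:<5} ({rule}) source seen by peer: {nat_src}")
```

Running it shows at a glance what the permissive outside-to-inside and outside-to-dmz rules admit from the whole home network, which is the first thing to tighten once the lab works.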
Info
Channel: MB Tech Talker
Views: 10,077
Keywords: paloalto firewall, palo alto firewall, palo alto firewall tutorial, palo alto firewall training, palo alto firewall configuration, palo alto firewall tutorial for beginners, palo alto firewall architecture, PA-VM, PAN-NGFW, vmware workstation, kali linux in vmware workstation, tiny core linux, tiny core in vmware, palo alto home lab setup, palo alto firewall lab setup, next generation firewall, PAN-FW
Id: fEz-5vzkCNk
Length: 48min 12sec (2892 seconds)
Published: Fri Oct 18 2019