
Palo Alto Lab Guide

Version 8.0
Part-3

Agenda
1. Add Static route from WAN interface to any Destination
2. DNS reachability verification
3. Create object for 10.11.11.0/24
4. Create Tags
5. Create a Source Nat Policy (Dynamic NAT & PAT)
6. Create Inter-zone Policy Between LAN & WAN zone(Allow 10.11.11.0/24 to access internet)
7. Internet connectivity verification From TEST_PC
8. Translation Verification
9. Monitoring Session Browser
10. Task Deny 10.11.11.6/32 to access internet
11. Task Deny PING at LAN interface only for 10.11.11.6/32
12. Verification for triggered Security Policy rule
13. Create FTP Service
14. Create Security Policy to access FTP server from LAN zone
15. Create a Destination NAT Policy
16. Create a Security Policy Rule
17. Test the connectivity

1. Add Static route from WAN interface to any Destination
Note: before adding the route, always check reachability to the gateway from the WAN interface address. Here 192.168.3.125 is the firewall's WAN interface and 192.168.3.254 is the next-hop gateway. Without the "source" keyword the firewall pings from its management interface, which proves nothing about the data plane.
admin@PA-VM> ping source 192.168.3.125 host 192.168.3.254

Commit the changes

admin@PA-VM> show routing route


admin@PA-VM> show routing route type static
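The lab adds the route in the GUI (Network > Virtual Routers > default > Static Routes). As an added example that is not part of the original guide, the same default route from the CLI in configure mode, followed by two checks. Assumptions not stated on the page: the WAN interface is ethernet1/1, the virtual router is named "default", and the route is named Default-Route; the gateway and interface address come from the ping above. Lines beginning with # are comments, not CLI input. Confirm the exact syntax against the CLI reference for your PAN-OS version.

```text
admin@PA-VM> configure
admin@PA-VM# set network virtual-router default routing-table ip static-route Default-Route destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 192.168.3.254 metric 10
admin@PA-VM# commit
admin@PA-VM# exit

# Check 1: the static route is present in the routing table
admin@PA-VM> show routing route type static

# Check 2: a forwarding lookup for an internet address actually selects it
# (if this returns no route, a later "no internet from LAN" symptom is a routing problem, not NAT or policy)
admin@PA-VM> test routing fib-lookup virtual-router default ip 8.8.8.8
```

The fib-lookup is worth running before any NAT or security policy work: a missing or wrong default route produces the same client-side symptom as a missing NAT rule, and it is far cheaper to rule out first.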

2. DNS reachability verification
Note: verify that the firewall itself can reach a public DNS server from the WAN interface address. If this fails, hosts in the LAN zone will not get internet connectivity either, whatever the policy says. A successful ping only proves IP reachability to the resolver; it does not prove that UDP/53 queries are answered, so still test name resolution from TEST_PC later.

admin@PA-VM> ping source 192.168.3.125 host 4.2.2.2


admin@PA-VM> ping source 192.168.3.125 host 8.8.8.8

3. Create object for 10.11.11.0/24
Objects > Addresses > Add: type IP Netmask, value 10.11.11.0/24. The object name is what the NAT and security rules in the following tasks reference, so choose it once and reuse it.

4. Create Tags
Tags are used to sort and filter objects, and to distinguish them visually by colour. When a colour is assigned to a tag, the Policies tab shows objects carrying that tag with a matching background colour.

Name   Colour
LAN    Yellow
WAN    Red
DMZ    Orange

Create the tags with the names and colours above (Objects > Tags > Add); they are applied to the objects and rules in the following tasks.

5. Create a Source NAT Policy (Dynamic NAT & PAT)
• Source NAT hides the internal (private) source address: the firewall rewrites it to the WAN interface address before the packet leaves.
• For LAN-to-WAN internet access the usual choice in practice is Dynamic IP and Port (DIPP), i.e. NAT plus PAT behind the egress interface address, because one public address then serves every internal host.
• Configure the rule for traffic from zone LAN to zone WAN (Policies > NAT > Add): Original Packet with source zone LAN, destination zone WAN and the WAN interface as destination interface; Translated Packet with source translation type Dynamic IP And Port and address type Interface Address.

Continue the remaining configuration of the NAT rule (Translated Packet tab).
Commit the changes

6. Create Inter-zone Security Policy Rule Between LAN & WAN zone
I. Allow 10.11.11.0/24 to access internet

Note:
• By default only intrazone traffic is allowed (the implicit intrazone-default rule at the bottom of the rulebase).
• By default all interzone traffic is denied (the implicit interzone-default rule).
• Rules are evaluated from top to bottom and the first match wins; nothing below the matching rule is consulted.
• Deny/block rules are therefore placed above the broader allow rules they are meant to override.
• A NAT rule only translates; without a matching security rule the session is still dropped by the interzone default.

Fields of the Security Policy Rule

Field         Value
General       Name (for example LAN_TO_WAN)
Source        Zone: LAN; Address: the 10.11.11.0/24 object
User          any
Destination   Zone: WAN; Address: any
Application   any
Service       application-default
Action        Allow

Configure the LAN-to-WAN interzone security policy rule with the fields listed above.
Finally it should be seen as below

Note: Policies will be always checked from Top to Bottom
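Tasks 3 to 6 together form one procedure: objects, tags, the source NAT rule and the security rule that lets the NAT'd traffic through. As an added example that is not part of the original guide, the whole procedure from the CLI, ending with the two "test" commands that ask the firewall which rules a LAN host's HTTPS session would match. Assumptions not on the page: the WAN interface is ethernet1/1; the object and rule names LAN_NET and LAN_TO_WAN_SNAT are mine (LAN_TO_WAN is the rule name the guide uses later); the colour codes color4, color1 and color6 are the CLI names for yellow, red and orange as I recall them, so confirm with "set tag LAN color ?" before committing. Lines beginning with # are comments, not CLI input.

```text
admin@PA-VM> configure

# Tags (task 4). Colour codes assumed: color4 = yellow, color1 = red, color6 = orange
admin@PA-VM# set tag LAN color color4
admin@PA-VM# set tag WAN color color1
admin@PA-VM# set tag DMZ color color6

# Address object for the LAN network (task 3), tagged LAN
admin@PA-VM# set address LAN_NET ip-netmask 10.11.11.0/24
admin@PA-VM# set address LAN_NET tag LAN

# Source NAT (task 5): hide LAN_NET behind the WAN interface address, Dynamic IP and Port
admin@PA-VM# set rulebase nat rules LAN_TO_WAN_SNAT from LAN to WAN source LAN_NET destination any service any to-interface ethernet1/1
admin@PA-VM# set rulebase nat rules LAN_TO_WAN_SNAT source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Security rule (task 6). NAT alone does not permit anything; the interzone default still denies.
# service application-default: App-ID decides the allowed ports per application.
admin@PA-VM# set rulebase security rules LAN_TO_WAN from LAN to WAN source LAN_NET source-user any destination any application any service application-default action allow
admin@PA-VM# set rulebase security rules LAN_TO_WAN log-end yes
admin@PA-VM# commit
admin@PA-VM# exit

# Which NAT rule and which security rule would an HTTPS session from LAN_PC (10.11.11.5) hit?
admin@PA-VM> test nat-policy-match from LAN to WAN source 10.11.11.5 destination 8.8.8.8 protocol 6 destination-port 443
admin@PA-VM> test security-policy-match from LAN to WAN source 10.11.11.5 destination 8.8.8.8 protocol 6 destination-port 443 application ssl
```

If test nat-policy-match returns the SNAT rule but test security-policy-match returns interzone-default, the traffic is translated and then dropped; that combination is the most common reason a "correct" NAT rule still gives no internet access.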

7. Internet connectivity verification From TEST_PC
Note: prerequisites before verifying from TEST_PC
• IP address, default gateway (the firewall's LAN interface) and DNS server must be configured correctly on the host.
• Test connectivity to the gateway first, then to a public IP address, then by name; this separates a local host problem from a routing or NAT problem and from a DNS problem.

Browse the following sites for testing


www.google.com
www.cisco.com

8. Translation Verification

9. Monitoring Session Browser
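The guide verifies translation in the GUI session browser (Monitor > Session Browser). As an added example that is not part of the original guide, the equivalent checks from the CLI for a session from LAN_PC (10.11.11.5). The session ID 1234 is a placeholder: take a real ID from the "show session all" output. Lines beginning with # are comments, not CLI input.

```text
# Per-rule hit counters: is the source NAT rule being matched at all?
admin@PA-VM> show running nat-policy

# Sessions from the test host. The source column shows the pre-NAT address and, in
# parentheses, the post-NAT address and port (192.168.3.125 with a translated port).
admin@PA-VM> show session all filter source 10.11.11.5

# Full detail of one session: zones, NAT rule and security rule that matched, byte counts
admin@PA-VM> show session id 1234
```

A session whose detail shows the right NAT rule but a security rule you did not expect (for instance interzone-default) tells you the problem is rule order or zone selection, not translation.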

10. Task: Deny 10.11.11.6/32 access to the internet

▪ Create an address object for 10.11.11.6/32
▪ Create a security rule from zone LAN to zone WAN with source 10.11.11.6/32, any application and any service
▪ Set the action to Deny
▪ Move the deny rule to the top (above LAN_TO_WAN, which would otherwise match first and allow the host) and commit the changes
▪ Verify connectivity from host 10.11.11.6: browsing must now fail, while other LAN hosts are unaffected

11. Task: Deny PING at LAN interface only for 10.11.11.6/32
• All internal hosts except 10.11.11.6/32 must still be able to ping the LAN interface.
• Traffic from a LAN host to the firewall's own LAN interface address is intrazone (LAN to LAN), so create an intrazone rule for LAN rather than an interzone one.
• Deny application ping from source 10.11.11.6/32 to the LAN interface address; the rule sits above the implicit intrazone-default allow, which the other hosts keep matching.
• Note: the interface also needs an Interface Management Profile that permits ping; without it no host can ping the interface regardless of security policy.

12. Verification for triggered Security Policy rule
Ping from host 10.11.11.6 to 192.168.3.254, then check Monitor > Traffic (or the Session Browser) to see which rule the session matched and whether the action was deny.
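Tasks 10 to 12 as one added example that is not part of the original guide, showing the two deny rules and, more importantly, the "move ... top" step and the test commands that confirm rule order before any client is touched. Assumptions not on the page: the firewall's LAN interface address is 10.11.11.1 (the guide never states it; substitute yours), and the object and rule names are mine. Lines beginning with # are comments, not CLI input.

```text
admin@PA-VM> configure

admin@PA-VM# set address HOST_10_11_11_6 ip-netmask 10.11.11.6/32

# Task 10: block the host's internet access. Any app, any service, action deny.
admin@PA-VM# set rulebase security rules DENY_HOST_INTERNET from LAN to WAN source HOST_10_11_11_6 source-user any destination any application any service any action deny
admin@PA-VM# set rulebase security rules DENY_HOST_INTERNET log-end yes
# Order matters: a deny placed below the LAN_TO_WAN allow would never be reached
admin@PA-VM# move rulebase security rules DENY_HOST_INTERNET top

# Task 11: intrazone rule (LAN to LAN) denying ping from that host to the LAN interface address only.
# LAN_INTF_IP is the firewall's LAN interface address (10.11.11.1 is an assumption, not from the guide).
admin@PA-VM# set address LAN_INTF_IP ip-netmask 10.11.11.1/32
admin@PA-VM# set rulebase security rules DENY_HOST_PING_LAN from LAN to LAN source HOST_10_11_11_6 source-user any destination LAN_INTF_IP application ping service application-default action deny
admin@PA-VM# set rulebase security rules DENY_HOST_PING_LAN rule-type intrazone
admin@PA-VM# set rulebase security rules DENY_HOST_PING_LAN log-end yes
admin@PA-VM# commit
admin@PA-VM# exit

# Task 12: which rule fires? Expected: DENY_HOST_INTERNET, DENY_HOST_PING_LAN, intrazone-default (allow)
admin@PA-VM> test security-policy-match from LAN to WAN source 10.11.11.6 destination 8.8.8.8 protocol 6 destination-port 443 application ssl
admin@PA-VM> test security-policy-match from LAN to LAN source 10.11.11.6 destination 10.11.11.1 protocol 1 application ping
admin@PA-VM> test security-policy-match from LAN to LAN source 10.11.11.5 destination 10.11.11.1 protocol 1 application ping
```

Running the three test commands after "move ... top" but before the client test is the habit worth keeping: it shows that a deny rule is in the right position for the specific host, and that the other hosts still fall through to the intrazone default.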

13. Create FTP Service
When you define security policy rules for specific applications, you can select one or more service objects that limit the port numbers the application may use (Objects > Services > Add: protocol TCP, destination port 21 for the FTP control channel). The alternative, service "application-default", lets App-ID enforce each application's standard ports and is preferred where the server listens on the standard port.

14. Create Security Policy to access FTP server from LAN zone

• Rule from zone LAN to zone DMZ, destination 172.16.10.50, application ftp, service = the FTP service object created above, action Allow.
• Verification: from LAN_PC (10.11.11.5) open ftp://172.16.10.50 with username sam and password Ab12345.
• You should be able to log in. Note that FTP sends these credentials in cleartext, which is acceptable only in a lab.
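Tasks 13 and 14 as one added example that is not part of the original guide: the service object, the DMZ server object and the LAN-to-DMZ rule that pins App-ID ftp to tcp/21. Object and rule names (FTP_TCP_21, DMZ_FTP_Server, LAN_NET, LAN_TO_DMZ_FTP) are mine; the colour code color6 for orange is assumed. Lines beginning with # are comments, not CLI input.

```text
admin@PA-VM> configure

# Service object: FTP control channel only
admin@PA-VM# set service FTP_TCP_21 protocol tcp port 21

# Objects (the DMZ tag colour code is an assumption; check with "set tag DMZ color ?")
admin@PA-VM# set tag DMZ color color6
admin@PA-VM# set address LAN_NET ip-netmask 10.11.11.0/24
admin@PA-VM# set address DMZ_FTP_Server ip-netmask 172.16.10.50/32
admin@PA-VM# set address DMZ_FTP_Server tag DMZ

# LAN to DMZ: only App-ID "ftp" on tcp/21 is allowed. A different application tunnelled
# over port 21 is identified by App-ID and does not match this rule.
admin@PA-VM# set rulebase security rules LAN_TO_DMZ_FTP from LAN to DMZ source LAN_NET source-user any destination DMZ_FTP_Server application ftp service FTP_TCP_21 action allow
admin@PA-VM# set rulebase security rules LAN_TO_DMZ_FTP log-end yes
admin@PA-VM# commit
admin@PA-VM# exit

admin@PA-VM> test security-policy-match from LAN to DMZ source 10.11.11.5 destination 172.16.10.50 protocol 6 destination-port 21 application ftp
```

Only the control channel is listed in the rule. When the ftp application is allowed, PAN-OS inspects the control channel and predicts the data connection (active or passive), so no separate rule for the data ports is needed; if logins succeed but directory listings hang, that prediction, not the rule, is what to look at.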

15. Create a Destination NAT Policy
• You are configuring destination NAT in the lab to get familiar with how destination NAT works.
• Destination NAT rewrites the destination address: the outside world sees only the public (pre-NAT) address, not the real server address.
• Scenario: user BOB on the Internet wants to reach the FTP server in the DMZ.
• The DMZ server has a private address, so we publish it on a public address (192.168.3.124 in this lab) and translate that address to the server's real address; BOB connects to the translated (public) address.

Steps for Destination NAT
I. Create Address object of Translated IP (192.168.3.124)
II. Create Address object for DMZ_FTP_Server 172.16.10.50/32
III. Create D-NAT rule
IV. Create Security-Policy for WAN TO DMZ
V. Test the connection from BOB x.x.x.x/32

III. Create D-NAT rule
• NAT rule zones are determined before translation: the packet arrives from the WAN zone, and a route lookup for the pre-NAT destination 192.168.3.124 (an address on the WAN segment) also resolves to the WAN interface, so the rule is from WAN to WAN.
• Original packet: source zone WAN, destination zone WAN, destination address 192.168.3.124; Translated packet: destination translation to 172.16.10.50.

Policies > NAT > Add

IV. Create Security-Policy for WAN TO DMZ
• The security rule is matched on the post-NAT destination zone but the pre-NAT destination address: from zone WAN to zone DMZ, destination address 192.168.3.124 (not 172.16.10.50), application ftp, action Allow. A rule written with the DMZ server's private address as destination never matches.

Test the connection from BOB x.x.x.x/32

Check Translation on Firewall
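Tasks 15 to 17 as one added example that is not part of the original guide. It shows the part practitioners most often get wrong: the NAT rule is WAN to WAN (pre-NAT zones) while the security rule is WAN to DMZ (post-NAT zone) with the public, pre-NAT address as destination. Assumptions not on the page: object and rule names are mine; BOB's address is written as x.x.x.x in the guide, so 198.51.100.10 (a TEST-NET-2 documentation address) stands in for it. Lines beginning with # are comments, not CLI input.

```text
admin@PA-VM> configure

admin@PA-VM# set address FTP_PUBLIC_IP ip-netmask 192.168.3.124/32
admin@PA-VM# set address DMZ_FTP_Server ip-netmask 172.16.10.50/32
admin@PA-VM# set service FTP_TCP_21 protocol tcp port 21

# D-NAT (task 15): zones are evaluated pre-NAT, hence WAN to WAN; only the destination is rewritten
admin@PA-VM# set rulebase nat rules WAN_TO_DMZ_FTP_DNAT from WAN to WAN source any destination FTP_PUBLIC_IP service FTP_TCP_21 destination-translation translated-address DMZ_FTP_Server

# Security rule (task 16): post-NAT destination zone (DMZ), pre-NAT destination address (the public IP)
admin@PA-VM# set rulebase security rules WAN_TO_DMZ_FTP from WAN to DMZ source any source-user any destination FTP_PUBLIC_IP application ftp service FTP_TCP_21 action allow
admin@PA-VM# set rulebase security rules WAN_TO_DMZ_FTP log-end yes
admin@PA-VM# commit
admin@PA-VM# exit

# Task 17 from the firewall side, before asking BOB to test (198.51.100.10 is a placeholder for BOB)
admin@PA-VM> test nat-policy-match from WAN to WAN source 198.51.100.10 destination 192.168.3.124 protocol 6 destination-port 21
admin@PA-VM> test security-policy-match from WAN to DMZ source 198.51.100.10 destination 192.168.3.124 protocol 6 destination-port 21 application ftp

# Check translation on the firewall: destination column shows 192.168.3.124 with 172.16.10.50 in parentheses
admin@PA-VM> show session all filter destination 192.168.3.124
```

Two points to keep in mind when this does not work. First, the test security-policy-match must be run with the public address as destination, because that is what the session carries when policy is evaluated; testing with 172.16.10.50 will report the wrong rule. Second, 192.168.3.124 is in the WAN interface's subnet, and the firewall answers ARP for a NAT address in that situation; if the public address were outside the interface subnet, the upstream router would need a route for it pointing at the firewall.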

FLOW LOGIC

NAT FLOW

IPV6 SUPPORT

IPV6 CONFIG

END OF MODULE THANK YOU !