5 Interface Configuration

INTERFACE CONFIGURATION
DEPLOY TO MULTIPLE NETWORKS
EDU-210 Version A
PAN-OS® 9.0

Agenda
• Security zones and interfaces
• Tap interfaces
• Virtual wire interfaces
• Layer 2 interfaces
• Layer 3 interfaces
• Virtual routers
• VLAN interfaces
• Loopback interfaces
• Policy-based forwarding

After you complete this module,
you should be able to:

• Describe the flow logic of the next-generation firewall
• Create a security zone
• Describe the differences between Tap, Virtual Wire, Layer 2, and Layer 3 interfaces
• Create and configure a virtual router
• Define a static default route
• Configure a VLAN interface
• Configure a loopback interface

2 | © 2019 Palo Alto Networks, Inc.


Flow Logic of the Next-Generation Firewall

Session Setup:
1. Does the traffic match an existing session? If yes, skip to Inspection and Enforcement.
2. Zone and/or DoS Protection
3. Forwarding Lookup (PBF)
4. Destination Zone (plus DNAT check)
5. Security Policy Check (App-ID ignored)
6. Assign Session ID

Inspection:
1. App-ID
2. Encrypted? If yes, does a Decrypt policy match? If yes, decrypt before inspection.
3. Content-ID

Enforcement:
1. Security Policy*
2. Security Profiles
3. Forward Traffic (re-encrypt if decrypted)

* Policy check relies on pre-NAT IP addresses
Flexible Deployment Options for Ethernet Interfaces

Tap:
• Application, user, and content visibility without inline deployment
• Evaluation and audit of existing networks

Virtual Wire:
• App-ID, Content-ID, User-ID, and SSL decryption capabilities
• Includes NAT capability

Layer 3:
• All the Virtual Wire mode capabilities, with the addition of Layer 3 services: virtual routers, VPN, and routing protocols


Security Zones and Security Policy Rules
• A zone is a logical grouping of traffic on the network.
• Traffic within a zone is allowed by default.
• Traffic between zones is denied by default.

(Figure: example zones around a firewall: Internet, DMZ, Guest, Users, Data Center)


In-Band Network Interfaces
• Each interface is assigned to a single zone.
• A zone can include multiple physical or logical interfaces.

(Figure: zone membership examples. Single-slot firewall: ethernet 1/1 and ethernet 1/2. Multi-slot firewall: ethernet 1/1 and ethernet 2/1. Logical interfaces: ethernet 1/1.1 and ethernet 1/1.2.)


Interface Types and Zone Types
• Different zone types support only specific interface types:

Tap Zone: Tap interfaces
Virtual Wire Zone: Virtual Wire interfaces
Layer 2 Zone: Layer 2 interfaces
Layer 3 Zone: Layer 3 interfaces, VLAN interfaces, Loopback interfaces, Tunnel interfaces
Tunnel Zone: No interfaces assigned

• MGT and HA interfaces are not assigned to a zone.


Creating a Security Zone
Network > Zones > Add

• Specify zone name
• Specify zone type
• Assign interfaces:
  • Must be appropriate type
  • Unassigned interfaces do not process traffic.
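The zone rules stated on the preceding slides (each zone type accepts only certain interface types, an interface belongs to exactly one zone, MGT and HA interfaces are never zone members, an unassigned interface processes no traffic, and the default Security policy allows intrazone and denies interzone traffic) can be checked mechanically before a commit. The script below is an added example written for this page, not Palo Alto Networks code and not a PAN-OS API; the zone names, interface names and the type strings it uses are constructed for the example.

```python
# Added example (not Palo Alto Networks code): a model of the zone and interface
# rules in this module, usable as a consistency check on a planned zone layout.
from dataclasses import dataclass, field

# Interface types each zone type accepts ("Interface Types and Zone Types" slide).
ZONE_ACCEPTS = {
    "tap": {"tap"},
    "virtual-wire": {"virtual-wire"},
    "layer2": {"layer2"},
    "layer3": {"layer3", "vlan", "loopback", "tunnel"},
    "tunnel": set(),  # a Tunnel zone has no interfaces assigned
}

# MGT and HA interfaces are never members of a zone.
NEVER_IN_ZONE = {"mgt", "ha"}


@dataclass
class Zone:
    name: str
    ztype: str
    interfaces: list = field(default_factory=list)


def validate_zones(zones, interfaces):
    """Check a planned layout.

    zones: list of Zone; interfaces: dict interface-name -> interface type.
    Returns a list of human-readable problems (empty list = layout is consistent).
    """
    problems = []
    owner = {}  # interface name -> zone that claims it
    for z in zones:
        if z.ztype not in ZONE_ACCEPTS:
            problems.append(f"zone {z.name}: unknown zone type '{z.ztype}'")
            continue
        for ifname in z.interfaces:
            itype = interfaces.get(ifname)
            if itype is None:
                problems.append(f"zone {z.name}: interface {ifname} does not exist")
            elif itype in NEVER_IN_ZONE:
                problems.append(f"zone {z.name}: {itype.upper()} interface {ifname} cannot be in a zone")
            elif itype not in ZONE_ACCEPTS[z.ztype]:
                problems.append(f"zone {z.name} ({z.ztype}): interface {ifname} is type {itype}, "
                                f"which a {z.ztype} zone does not accept")
            # Each interface belongs to exactly one zone.
            if ifname in owner:
                problems.append(f"interface {ifname} is in both {owner[ifname]} and {z.name}")
            owner[ifname] = z.name
    # Unassigned interfaces do not process traffic; flag them so nobody expects them to.
    for ifname, itype in interfaces.items():
        if itype not in NEVER_IN_ZONE and ifname not in owner:
            problems.append(f"interface {ifname} ({itype}) is in no zone and will not process traffic")
    return problems


def default_verdict(src_zone, dst_zone):
    """Default Security policy: intrazone traffic allowed, interzone traffic denied."""
    return "allow" if src_zone == dst_zone else "deny"


# Constructed sample inventory (names follow the slides' ethernet1/x style).
SAMPLE_INTERFACES = {
    "ethernet1/1": "layer3",
    "ethernet1/2": "layer3",
    "ethernet1/3": "tap",
    "ethernet1/4": "virtual-wire",
    "loopback.1": "loopback",
    "vlan.10": "vlan",
    "mgt": "mgt",
}

# A consistent layout: every in-band interface sits in a zone of a matching type.
SAMPLE_ZONES = [
    Zone("Users", "layer3", ["ethernet1/1", "vlan.10"]),
    Zone("Internet", "layer3", ["ethernet1/2", "loopback.1"]),
    Zone("Monitor", "tap", ["ethernet1/3"]),
    Zone("Inline", "virtual-wire", ["ethernet1/4"]),
]

# A deliberately wrong layout: a tap interface in a Layer 3 zone, MGT in a zone,
# one interface claimed by two zones, and several interfaces left unassigned.
BAD_ZONES = [
    Zone("Users", "layer3", ["ethernet1/1", "ethernet1/3", "mgt"]),
    Zone("DMZ", "layer3", ["ethernet1/1"]),
]

if __name__ == "__main__":
    print("good layout:", validate_zones(SAMPLE_ZONES, SAMPLE_INTERFACES))
    for p in validate_zones(BAD_ZONES, SAMPLE_INTERFACES):
        print("bad layout:", p)
    print("Users -> Users:", default_verdict("Users", "Users"))
    print("Users -> Internet:", default_verdict("Users", "Internet"))
```

Run it as a script to see the good layout pass and the bad layout produce one line per violation; the same checks can be pointed at a layout exported from any firewall once the interface inventory is loaded into the two dictionaries.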


Tap Interfaces
• Enable passive monitoring of switch traffic from the SPAN or mirror port
• Cannot control traffic or perform traffic shaping
• Must be assigned to a Tap zone
• Use Traffic log information to configure Security policy rules

(Figure: firewall interface E1/1 connected to the SPAN or mirror port of a switch that sits between the LAN and the Internet)


Configuring a Tap Interface
Network > Interfaces > Ethernet > <select_interface>

• Select the Tap interface type.
• Select a Tap-type Security Zone.


Virtual Wire Interfaces
• Bind two firewall interfaces together through a Virtual Wire object
• Typically used when no switching or routing is needed
• No configuration changes for adjacent network devices

(Figure: Zone A (Virtual Wire) - Virtual Wire interface - Virtual Wire object - Virtual Wire interface - Zone B (Virtual Wire). Neither interface has an IP or MAC address; the firewall performs traffic inspection and control between them.)


Configuring a Virtual Wire Object
Network > Virtual Wires > Add

• A Virtual Wire object connects two Virtual Wire interfaces.
• A virtual wire can accept traffic based on 802.1Q VLAN tags:
  • 0 = untagged traffic
• Optional: forward only multicast traffic that matches a Security policy rule.
• Link state is forwarded.


Configuring a Virtual Wire Interface
Network > Interfaces > Ethernet > <select_interface>

• Select Virtual Wire.
• Add the Virtual Wire object now or later.
• Select a Virtual Wire type security zone.


Virtual Wire Subinterfaces
• Read and process traffic based on:
  • VLAN tags (1-4094)
  • VLAN tags and IP classifiers (source IP)
  • IP classifiers (untagged traffic, source IP)
• Common uses include:
  • More granular security rules
  • Logically splitting network traffic

(Figure: interfaces ethernet 1/1, ethernet 1/2 and ethernet 1/3, all type Layer 3, on virtual router VR-1. ethernet 1/1 is 172.16.1.1/24 in VLAN 110, DMZ Zone; ethernet 1/2 is 172.16.2.1/24 in VLAN 120, DC2 Zone; subinterfaces ethernet 1/3.1, 1/3.2 and 1/3.3 are 192.168.1.1/24, 192.168.2.1/24 and 192.168.3.1/24 in VLAN 1, 2 and 3, in the Eng, HR and DC1 Zones.)


Configuring a Virtual Wire Subinterface
Network > Interfaces > Ethernet

• Subinterface ID
• 802.1Q VLAN tag
• Add optional IP classifiers.
• Select Virtual Wire object.
• Select Virtual Wire zone.
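The three classification modes on the Virtual Wire Subinterfaces slide (VLAN tag only, VLAN tag plus IP classifier, untagged traffic plus IP classifier) decide which subinterface, and therefore which zone, a frame is processed in. The following Python model is an added example written for this page, not Palo Alto Networks code; the subinterface names, zones and networks are constructed, and the tie-break it applies when a tag-only subinterface and a tag-plus-classifier subinterface share a VLAN tag (the classifier entry is checked first) is this example's assumption, not something the slide states.

```python
# Added example (not Palo Alto Networks code): selecting a Virtual Wire
# subinterface from a frame's 802.1Q tag and source IP.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Subinterface:
    name: str                                  # e.g. "ethernet1/3.1"
    zone: str
    vlan_tag: Optional[int] = None             # None = this subinterface takes untagged traffic
    ip_classifiers: list = field(default_factory=list)  # source networks; empty = tag only

    def matches(self, vlan_tag, src_ip):
        """The three modes on the slide: VLAN tag only; VLAN tag plus IP
        classifier; untagged traffic plus IP classifier."""
        if self.vlan_tag != vlan_tag:
            return False
        if not self.ip_classifiers:
            # Tag-only classification; untagged traffic always needs an IP classifier.
            return self.vlan_tag is not None
        return any(src_ip in net for net in self.ip_classifiers)


def classify(subinterfaces, vlan_tag, src_ip):
    """Return the Subinterface that reads this frame, or None if nothing matches.

    vlan_tag is the 802.1Q tag (1-4094) or None for an untagged frame.
    Assumption of this example: when a tag-only subinterface and a
    tag-plus-IP-classifier subinterface share a tag, the one carrying the IP
    classifier is checked first, so the more specific definition wins."""
    if vlan_tag is not None and not 1 <= vlan_tag <= 4094:
        raise ValueError(f"VLAN tag {vlan_tag} is outside 1-4094")
    ip = ipaddress.ip_address(src_ip)
    ordered = sorted(subinterfaces, key=lambda s: 0 if s.ip_classifiers else 1)
    for sub in ordered:
        if sub.matches(vlan_tag, ip):
            return sub
    return None


# Constructed subinterfaces on parent ethernet1/3 (names follow the slides).
SUBINTERFACES = [
    Subinterface("ethernet1/3.1", "Eng", vlan_tag=1),
    Subinterface("ethernet1/3.2", "HR", vlan_tag=2),
    Subinterface("ethernet1/3.3", "HR-Servers", vlan_tag=2,
                 ip_classifiers=[ipaddress.ip_network("192.168.2.0/25")]),
    Subinterface("ethernet1/3.4", "Guest", vlan_tag=None,
                 ip_classifiers=[ipaddress.ip_network("10.0.0.0/8")]),
]


def classify_name(vlan_tag, src_ip):
    """Convenience wrapper: the matched subinterface's name, or None."""
    sub = classify(SUBINTERFACES, vlan_tag, src_ip)
    return sub.name if sub else None


if __name__ == "__main__":
    for tag, ip in [(1, "192.168.1.10"), (2, "192.168.2.10"), (2, "192.168.2.200"),
                    (None, "10.1.2.3"), (None, "172.16.0.1"), (3, "192.168.3.1")]:
        print(f"tag={tag} src={ip} -> {classify_name(tag, ip)}")
```

The last two sample frames (untagged traffic outside every classifier, and a VLAN tag with no subinterface) return None, which is the case to watch for in the Traffic log when a new VLAN appears upstream and no subinterface exists for it.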


Layer 2 Interfaces
• Provide switching between two or more interfaces through a VLAN object
• Typically used when no routing is needed

(Figure: Zone A (Layer 2) - Layer 2 interface - VLAN object - Layer 2 interface - Zone B (Layer 2). Each interface has a MAC address; the firewall performs traffic inspection and control and forwards STP between the two sides.)
Layer 2 Subinterfaces
• Assign subinterfaces to zones
• VLAN traffic isolated by subinterfaces:
  • Need a route between VLANs
  • Security policy blocks interzone traffic by default
• Useful configuration for multi-tenant networks

(Figure: ethernet 1/2.1 and ethernet 1/3.1 carry VLAN 1 in the Eng Zone; ethernet 1/2.2 and ethernet 1/3.2 carry VLAN 2 in the HR Zone.)
Layer 3 Interfaces
• Enable routing between multiple interfaces:
  • Requires a virtual router
• Can require network configuration to accommodate new IP addresses

(Figure: Zone A (Layer 3) - Layer 3 interface with IP address - Virtual Router - Layer 3 interface with IP address - Zone B (Layer 3). The firewall performs traffic inspection and control between them.)


IPv4 and IPv6
• Layer 3 interfaces support IPv4 and IPv6.
• To support IPv6 addresses, you must enable IPv6 on the firewall.

Device > Setup > Session > Session Settings



Configuring a Layer 3 Interface: Config
Network > Interfaces > Ethernet > <select_interface>

• Select Layer3.
• Select a virtual router.
• Select a Layer 3 type security zone.


Configuring a Layer 3 Interface: IPv4
Network > Interfaces > Ethernet > <select_interface>

• Select whether to specify a static or a DHCP-assigned IP address.
• Enter the static IP address(es) in CIDR notation.


Configuring a Layer 3 Interface: Advanced
Network > Interfaces > Ethernet > <select_interface>

• Specify the firewall management services accessible on this interface.
• (IPv4) Pre-load ARP cache entries.
• (IPv6) Pre-load ND cache entries.
• (IPv6) Configure NDP proxy.
• Enable and configure DDNS.
• Enable and configure LLDP.


Interface Management Profile
Network > Network Profiles > Interface Mgmt > Add

• Defines which firewall management services are accessible from a traffic interface
• Can be applied to Layer 3, loopback, and tunnel interfaces


Layer 3 Subinterfaces
• Assign subinterfaces to zones
• Traffic in each VLAN is isolated:
  • Need a virtual router to connect VLANs
  • Security policy blocks interzone traffic by default
• Useful configuration for multi-tenant networks

(Figure: ethernet 1/2.1 is 192.168.1.1 in VLAN 1, Eng Zone; ethernet 1/2.2 is 192.168.2.1 in VLAN 2, HR Zone; ethernet 1/3.2 is 192.168.2.2 in VLAN 2, HR Zone; ethernet 1/3.3 is 192.168.4.1 in VLAN 3, DC Zone.)
Configuring a Layer 3 Subinterface
Network > Interfaces > Ethernet

• Subinterface ID
• 802.1Q VLAN tag
• Configure the remaining options as for a normal Layer 3 interface.


Virtual Routers
• Support one or more static routes
• Support dynamic routing:
  • BGPv4
  • OSPFv2
  • OSPFv3
  • RIPv2
• Support multicast routing:
  • PIM-SM
  • PIM-SSM

(Figure: one firewall with three virtual routers. VR1 learns dynamic routes via BGP, VR2 learns dynamic routes via OSPF, VR3 uses static routes; inter-vr routes connect them.)


Virtual Router General Settings
Network > Virtual Routers

• Select the interfaces that the virtual router can use to forward traffic.


Adding a Static Default Route

Network > Virtual Routers > Static Routes > Add



Multiple Static Default Routes
• Can configure multiple static default routes
• Route with the lowest metric is used.
• Path monitoring determines if routes are usable.
• Firewall switches the default route during path failure.
• Supports failback

(Figure: firewall with VR1 and two default routes over two upstream paths)


Static Route Path Monitoring
Network > Virtual Routers > Static Routes > Add

• Uses ping to test reachability to stable upstream devices
• Testing continues after failure
• Will remove or re-add static routes


Troubleshooting Routing
Network > Virtual Routers

• All known routes (RIB)
• Where traffic will be forwarded (FIB)
• Status of monitored paths
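The three preceding slides describe one mechanism: several static default routes with different metrics, path monitoring that pings an upstream device and withdraws or re-adds the route, and the resulting difference between the RIB (every known route) and the FIB (the routes actually used). The Python model below is an added example written for this page, not Palo Alto Networks code; the VR name, route names, next hops, interfaces and monitored addresses are constructed.

```python
# Added example (not Palo Alto Networks code): how a virtual router picks among
# multiple static default routes under path monitoring, and how RIB and FIB differ.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class StaticRoute:
    name: str
    destination: str                      # prefix, e.g. "0.0.0.0/0"
    nexthop: str
    interface: str
    metric: int = 10
    monitor_target: Optional[str] = None  # upstream address pinged by path monitoring
    path_up: bool = True                  # most recent path-monitoring result


class VirtualRouter:
    def __init__(self, name):
        self.name = name
        self.rib = []  # every configured route, usable or not ("all known routes")

    def add_static(self, route):
        self.rib.append(route)

    def path_monitor(self, results):
        """Apply ping results: results maps monitored address -> reachable (True/False).
        Monitoring keeps running after a failure, so a path that recovers flips
        back to up and its route reappears in the FIB (failback)."""
        for r in self.rib:
            if r.monitor_target is not None and r.monitor_target in results:
                r.path_up = results[r.monitor_target]

    def fib(self):
        """Forwarding table: for each prefix, the lowest-metric route whose
        monitored path is up. Routes with a failed path are withdrawn."""
        best = {}
        for r in self.rib:
            if not r.path_up:
                continue
            cur = best.get(r.destination)
            if cur is None or r.metric < cur.metric:
                best[r.destination] = r
        return list(best.values())

    def lookup(self, dst_ip):
        """Longest-prefix match over the FIB; returns the StaticRoute or None."""
        ip = ipaddress.ip_address(dst_ip)
        hits = [r for r in self.fib() if ip in ipaddress.ip_network(r.destination)]
        if not hits:
            return None
        return max(hits, key=lambda r: ipaddress.ip_network(r.destination).prefixlen)


def build_sample_vr():
    """Constructed VR1: two monitored static default routes (ISP-A preferred by
    metric, ISP-B as backup) plus one unmonitored internal route."""
    vr = VirtualRouter("VR1")
    vr.add_static(StaticRoute("default-ispA", "0.0.0.0/0", "10.1.1.1", "ethernet1/1",
                              metric=10, monitor_target="10.1.1.1"))
    vr.add_static(StaticRoute("default-ispB", "0.0.0.0/0", "10.2.2.1", "ethernet1/2",
                              metric=20, monitor_target="10.2.2.1"))
    vr.add_static(StaticRoute("to-dc", "192.168.10.0/24", "10.3.3.1", "ethernet1/3"))
    return vr


if __name__ == "__main__":
    vr = build_sample_vr()
    print("normal:", vr.lookup("8.8.8.8").name)
    vr.path_monitor({"10.1.1.1": False})  # ISP-A stops answering pings
    print("ISP-A down:", vr.lookup("8.8.8.8").name)
    print("RIB entries:", len(vr.rib), "FIB entries:", len(vr.fib()))
    vr.path_monitor({"10.1.1.1": True})   # ISP-A recovers -> failback
    print("failback:", vr.lookup("8.8.8.8").name)
```

The RIB keeps three entries throughout; only the FIB changes as the monitored paths go down and come back, which is exactly the difference to look for on the Virtual Routers page when traffic is taking an unexpected exit.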


VLAN Interfaces
• Are assigned an IP address
• Connect Layer 2 to Layer 3

(Figure: Zone A (Layer 2) holds Layer 2 interfaces in Subnet 1, bound to a VLAN object; the VLAN interface gives that VLAN object an IP address and attaches it to the virtual router (VR), which also serves Layer 3 interfaces in Zone B (Subnet 2) and Zone C (other subnets).)


Configuring a VLAN Interface
Network > Interfaces > VLAN > Add

• Read-only name; the suffix is an interface ID (not a VLAN tag)
• Select the VLAN object that connects the interface to the Layer 2 network
• Select the virtual router that connects the interface to Layer 3 networks


Loopback Interface
• Logical interface with an IP address
• Behaves like a host interface
• Used to provide access to firewall services

(Figure: firewall with Layer 3 interfaces in Zone A and Zone B and a loopback interface with an IP address in Zone C, providing access to firewall services)


Configuring a Loopback Interface
Network > Interfaces > Loopback > Add

• Read-only name plus the loopback interface ID
• Do not assign a netmask to the IP addresses.


Policy-Based Forwarding
• Specifies a different egress interface than what is specified in the route table
• Possible use for performance or security reasons

(Figure: a branch office firewall with PBF rules. eth1/1 faces the branch office; eth1/2 is a private leased line to the HQ office; eth1/3 is the internet link. Specify eth1/2 as the egress interface for bandwidth-sensitive applications and unencrypted applications; specify eth1/3 as the egress interface for non-bandwidth-sensitive applications and encrypted applications.)


PBF Rules
• PBF rules use match criteria to match traffic.
• PBF path monitoring enables the firewall to verify network path connectivity.

Policies > Policy Based Forwarding



Configuring PBF
Policies > Policy Based Forwarding > Add

• Specify source zone, address, and user to match traffic.
• Specify destination address, application, and port to match traffic.
• Specify the egress interface and IP address used to forward traffic.
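The three PBF slides above fit together as one lookup: the rule's match criteria (source zone, address, user; destination address, application, port) select an egress interface and next hop before the route table is consulted, and PBF path monitoring decides whether a matched rule may still be used. The following Python model is an added example written for this page, not Palo Alto Networks code; the rule names, zones, interfaces, next hops and application names are constructed to mirror the branch-office figure, and its handling of a failed monitored path (the rule is skipped and evaluation continues to later rules and then the route table) is an assumption of the example.

```python
# Added example (not Palo Alto Networks code): PBF match criteria choosing an
# egress interface ahead of the route table, with path-monitoring fallback.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src_zone: str
    src_ip: str
    user: str
    dst_ip: str
    application: str
    dst_port: int


@dataclass
class PBFRule:
    """Match criteria from the rule's Source and Destination tabs plus the
    Forwarding tab's egress interface and next hop. Empty criteria match anything."""
    name: str
    egress_interface: str
    nexthop: str
    src_zones: set = field(default_factory=set)
    src_networks: list = field(default_factory=list)
    users: set = field(default_factory=set)
    dst_networks: list = field(default_factory=list)
    applications: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)
    monitor_target: Optional[str] = None  # address pinged by PBF path monitoring
    path_up: bool = True

    def matches(self, pkt):
        src = ipaddress.ip_address(pkt.src_ip)
        dst = ipaddress.ip_address(pkt.dst_ip)
        return (
            (not self.src_zones or pkt.src_zone in self.src_zones)
            and (not self.src_networks or any(src in n for n in self.src_networks))
            and (not self.users or pkt.user in self.users)
            and (not self.dst_networks or any(dst in n for n in self.dst_networks))
            and (not self.applications or pkt.application in self.applications)
            and (not self.dst_ports or pkt.dst_port in self.dst_ports)
        )


def route_lookup(route_table, dst_ip):
    """Plain longest-prefix match; route_table is a list of (prefix, interface, nexthop)."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [r for r in route_table if ip in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)


def choose_egress(pkt, pbf_rules, route_table):
    """Return (egress_interface, nexthop, reason) for a packet.

    PBF is consulted before the route table (the Forwarding Lookup step of
    session setup). Rules are evaluated top-down and the first match wins.
    Assumption of this example: a rule whose monitored path is down is skipped,
    so traffic falls through to later rules and finally to the route table."""
    for rule in pbf_rules:
        if rule.matches(pkt) and rule.path_up:
            return rule.egress_interface, rule.nexthop, f"pbf:{rule.name}"
    route = route_lookup(route_table, pkt.dst_ip)
    if route is None:
        return None, None, "no-route"
    return route[1], route[2], f"route:{route[0]}"


def set_pbf_path(rules, target, reachable):
    """Apply a PBF path-monitoring result to every rule that monitors `target`."""
    for r in rules:
        if r.monitor_target == target:
            r.path_up = reachable


# Constructed branch-office sample matching the figure: ethernet1/2 is the
# private leased line to HQ, ethernet1/3 is the internet link.
PBF_RULES = [
    PBFRule("bandwidth-sensitive-to-hq", "ethernet1/2", "10.10.10.1",
            src_zones={"Branch"}, applications={"sip", "rtp"}, monitor_target="10.10.10.1"),
    PBFRule("unencrypted-to-hq", "ethernet1/2", "10.10.10.1",
            src_zones={"Branch"}, applications={"web-browsing", "smtp"}, monitor_target="10.10.10.1"),
]
ROUTE_TABLE = [
    ("0.0.0.0/0", "ethernet1/3", "10.20.20.1"),   # default: internet link
    ("10.0.0.0/8", "ethernet1/2", "10.10.10.1"),  # HQ networks over the leased line
]

if __name__ == "__main__":
    voip = Packet("Branch", "192.168.50.10", "alice", "203.0.113.5", "sip", 5060)
    https = Packet("Branch", "192.168.50.10", "alice", "203.0.113.5", "ssl", 443)
    print(choose_egress(voip, PBF_RULES, ROUTE_TABLE))   # PBF: SIP over the leased line
    print(choose_egress(https, PBF_RULES, ROUTE_TABLE))  # encrypted: route table, internet link
    set_pbf_path(PBF_RULES, "10.10.10.1", False)         # leased line fails monitoring
    print(choose_egress(voip, PBF_RULES, ROUTE_TABLE))   # SIP falls back to the route table
```

Note that the encrypted flow never touches PBF and simply follows the default route, while the SIP flow changes exit only because a PBF rule matched it; when the leased line fails its ping, the same SIP flow lands on the internet link, which is the behaviour to account for in the Security policy for the internet-facing zone.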


Module Summary
Now that you have completed this module,
you should be able to:

• Describe the flow logic of the next-generation firewall
• Create a security zone
• Describe the differences between Tap, Virtual Wire, Layer 2, and Layer 3 interfaces
• Create and configure a virtual router
• Define a static default route
• Configure a VLAN interface
• Configure a loopback interface


Questions?

Q & A
Interface Configuration Lab (Pages 24-42 in the Lab Guide)
• Load a firewall lab configuration file
• Configure security zones
• Configure firewall Ethernet interfaces
• Configure a virtual router


