Introduction
In this article, we will explore the fundamental aspects of configuring a Palo Alto Firewall, focusing on key building blocks necessary for effective deployment. Rather than diving into basic setups like DNS or DHCP, we aim to equip you with essential configuration techniques that all users of Palo Alto Firewalls should understand. Whether you are just getting started or looking to solidify your knowledge, this guide will provide valuable insights into firewall setup, security policies, and traffic control.
Understanding the Palo Alto Firewall
The Palo Alto Networks next-generation firewall is best described as a prevention-focused security system built around three elements: the user, the application, and the content. All three can be referenced directly in policy. Where traditional filtering systems match only on IP addresses and port numbers, the Palo Alto firewall uses User-ID and App-ID to identify who is connecting and which application is actually being carried, and lets you write rules in those terms.
Key Functionalities
1. User-ID and App-ID
- User-ID maps sessions to users and groups, so a rule can grant or deny access by who the user is rather than by which IP address the user happens to hold.
- App-ID identifies the application carried in a session regardless of the port it uses, so rules name applications (for example ping or web-browsing) instead of port numbers. A rule that merely opens TCP/80 would otherwise admit any other application tunnelled over that port.
2. Advanced Threat Prevention
The firewall adds IPS/IDS-style content inspection, URL filtering, and WildFire analysis on top of access control, so traffic that is allowed by policy is still inspected for attacks rather than only filtered by address and port.
3. Logging Capabilities
PAN-OS logs extensively on the device and can forward logs to cloud-based logging such as Cortex Data Lake, giving a comprehensive view of network activity; the platform also fits into an SD-WAN architecture.
4. Management Options
Remote management is vital for any network, and Palo Alto offers several management paths:
- Web Interface: the primary method. A browser connects directly to the firewall over HTTPS (local management).
- Command Line Interface (CLI): reachable on the serial console or remotely over SSH (Telnet is also available but should be avoided); for scripting and automation the firewall exposes REST and XML APIs.
- Panorama: a centralized manager (software or appliance) where you author configuration once and push it to many firewalls. It is licensed separately and offers almost the same functionality as the local GUI, so it pays off only once an environment grows beyond a handful of firewalls; the session uses six as the rule of thumb.
5. Interface Types
The deployment mode of a Palo Alto firewall is tied to the type of its interfaces, and types can be mixed on one device: a few ports or subinterfaces can be Layer 3 while others are Layer 2, virtual wire or tap. The key interface types:
- Layer 3: routed, inline deployment. The interface carries an IP address, belongs to a virtual router, and the firewall routes between interfaces while inspecting the traffic. This is the most common type and the one used in this guide.
- Layer 2: the firewall switches frames between Layer 2 interfaces in the same VLAN and inspects them without routing.
- Virtual Wire: two interfaces bound together as a transparent bump in the wire, with no IP address, no MAC learning and no routing; frames are inspected but passed through unchanged.
- Tap: a passive copy of traffic (from a mirror/SPAN port) is inspected for visibility only; nothing is enforced.
6. Zones and Routing
- Zones: group interfaces with similar security needs. Security rules are written between zones rather than between interfaces, so the more zones you define, the more granular your policy can be. A zone's type (Layer 3, Layer 2, virtual wire, tap) must match the interfaces placed in it, and every data interface must belong to a zone before policy can refer to it.
- Routing: a virtual router is the PAN-OS equivalent of a VRF: a routing table together with its member interfaces, static routes and dynamic protocols (OSPF, BGP, multicast are supported). Routes are learned into the RIB in the control plane; the FIB, holding only the best routes, is what the data plane forwards on.
Configuring the Palo Alto Firewall
Initial Steps in Configuration
- Connect to the Firewall: over the dedicated management interface, which by default accepts HTTPS, SSH and ping; use the web GUI or the CLI (console or SSH).
- Set Up Interfaces: under Network > Interfaces choose the type of each port (Layer 3, Layer 2, virtual wire, tap). For a Layer 3 design, add subinterfaces with their VLAN tag and an IP address with its mask (an address without a mask will cause trouble), and attach each one to a virtual router, where static routes and routing protocols are configured.
- Assign Security Zones: associate every interface with a zone of the matching type, either from the interface dialog (New Zone) or under Network > Zones.
- Open only what the box needs: data ports accept nothing addressed to the firewall itself, not even ping, until an Interface Management Profile listing the permitted services is attached under the interface's Advanced tab. Attach such a profile only to trusted interfaces and prefer SSH/HTTPS over Telnet.
- Commit: GUI and CLI changes are only candidates; nothing takes effect until you commit, the equivalent of a policy push on other vendors' firewalls.
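The interface, zone, virtual router and management-profile steps above, expressed as PAN-OS CLI set commands. This is an added example written for this page, not configuration taken from the course or from Palo Alto Networks. It assumes the topology used in the session: two subinterfaces of ethernet1/1, VLAN 21 as inside (192.168.21.10/24) and VLAN 71 as outside (192.168.71.10/24), a neighbour router at 192.168.71.7, a host at 192.168.21.200, the profile name improf, and a router ID chosen here. It deviates from the session in two places: it allows SSH rather than Telnet on the inside interface, and it makes OSPF passive on the inside so the subnet is advertised without forming adjacencies with hosts. Lines beginning with # are annotations, not CLI input.

```panos
# --- configuration mode ---
configure

# Layer 3 subinterfaces on the physical port; the unit number is kept equal to the VLAN tag
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.21 tag 21
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.21 ip 192.168.21.10/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.71 tag 71
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.71 ip 192.168.71.10/24

# zones: the zone type (layer3) must match the interface type
set zone inside network layer3 ethernet1/1.21
set zone outside network layer3 ethernet1/1.71

# virtual router (the VRF): member interfaces, then OSPF in the backbone area
# note the full dotted area ID; a bare "0" is not accepted
set network virtual-router default interface [ ethernet1/1.21 ethernet1/1.71 ]
set network virtual-router default protocol ospf enable yes
set network virtual-router default protocol ospf router-id 192.168.71.10
set network virtual-router default protocol ospf area 0.0.0.0 type normal
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/1.71 enable yes
# inside is advertised but passive: no hellos, no adjacencies with end hosts (choice made in this example)
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/1.21 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/1.21 passive yes

# data ports answer nothing to-the-box by default; open ping and SSH on the inside port only
set network profiles interface-management-profile improf ping yes
set network profiles interface-management-profile improf ssh yes
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.21 interface-management-profile improf

# nothing above is live until committed
commit
exit

# --- operational mode: verification ---
# the firewall sources its own traffic from the management interface unless told otherwise,
# so pin the source address to the data interface under test
ping source 192.168.21.10 host 192.168.21.200
ping source 192.168.71.10 host 192.168.71.7
show interface ethernet1/1.21
show routing protocol ospf neighbor
show routing route type ospf
```

The outside interface deliberately gets no management profile, so it stays unreachable to-the-box even though the firewall can still ping out through it and receive the replies. If the OSPF neighbour does not appear, check the area ID notation and that the interface is enabled under the area before looking anywhere else.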
Implementing Security Policies
Security policies are central to managing traffic through a Palo Alto Firewall. Rules are evaluated top-down and the first match wins. Two predefined rules sit at the bottom of the rulebase: intrazone-default allows traffic whose ingress and egress zone are the same, and interzone-default denies traffic between different zones. With one interface per zone this means nothing crosses the firewall until you add rules above them. Here's how to establish effective rules:
- Create Security Policy Rules: define custom rules by source and destination zone (and, where useful, address, user and application) for each traffic flow you intend to allow; new rules are inserted above the two predefined ones, in the order you create them.
- Intrazone vs Interzone: intrazone refers to communication between interfaces of the same zone (allowed by default), interzone to communication between different zones (denied by default). The predefined rules do not log, so enable logging on interzone-default if you want to see what is being dropped.
- Application-based Policies: match on App-ID (for example ping, web-browsing, ssl) with the service set to application-default, so the application is allowed only on its standard ports. A rule that opens a port instead of an application admits anything tunnelled over that port.
Basic Translation Configurations
Network Address Translation (NAT) lives in its own policy (Policies > NAT), separate from the security policy:
- Source Translation: typically dynamic IP-and-port ("hide") NAT, so sessions from the inside zone leave with the address of the firewall's outside interface. The security policy is still evaluated on the original, pre-NAT addresses (with post-NAT zones), so the allow rule names the inside hosts, not the translated address.
- Service Routes: not a translation, but the related question of where the firewall sources its own traffic. By default every packet the firewall itself generates (DNS, NTP, LDAP, log forwarding, its own pings) leaves from the management interface. Device > Setup > Services > Service Route Configuration lets you choose a data interface and source address per service or per destination prefix; for a one-off test, the CLI ping command's source option does the same thing.
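The hide NAT described above as PAN-OS CLI set commands, followed by the operational checks that show which NAT rule a flow would hit. This is an added example for this page, not configuration from the course or from Palo Alto Networks; it assumes the session's inside and outside zones, the outside subinterface ethernet1/1.71 (192.168.71.10/24), a host at 192.168.21.200 and a destination at 192.168.71.7. Lines beginning with # are annotations, not CLI input.

```panos
configure

# everything leaving inside towards outside is hidden behind the outside interface address
set rulebase nat rules inside-to-outside-snat from inside to outside
set rulebase nat rules inside-to-outside-snat source any destination any service any
set rulebase nat rules inside-to-outside-snat to-interface ethernet1/1.71
set rulebase nat rules inside-to-outside-snat source-translation dynamic-ip-and-port interface-address interface ethernet1/1.71

# NAT on its own does not permit anything; a security rule for the same flow is still required
# and it must reference the pre-NAT source (192.168.21.0/24), not the translated address
set rulebase security rules inside-web-out from inside to outside source 192.168.21.0/24 destination any
set rulebase security rules inside-web-out application [ web-browsing ssl ] service application-default action allow log-end yes

commit
exit

# which NAT rule would an HTTP flow from the host match? (protocol 6 = TCP)
test nat-policy-match from inside to outside source 192.168.21.200 destination 192.168.71.7 protocol 6 destination-port 80

# the translated sessions, once traffic is flowing
show running nat-policy
show session all filter source 192.168.21.200
```

test nat-policy-match and test security-policy-match are the quickest way to check the two policies against each other: if the NAT rule matches but the security rule does not, the cause is almost always a security rule written against the translated address instead of the original one.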
Practical Examples
- Allowing Ping Between Zones: a security rule with the desired source and destination zones (or any to any), the application ping, the service application-default, and logging at session end. Before the rule exists, interzone-default silently drops the echoes, so verify from a host on each side after the commit.
- Web Access to Specific Servers: restrict web traffic to known destinations by using address objects or an address group as the destination, and match on the web-browsing and ssl applications rather than on TCP/80 and TCP/443, so that only the approved applications reach the approved hosts.
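Both practical examples, and the rule-writing guidance under "Implementing Security Policies", as PAN-OS CLI set commands plus the policy-match checks a practitioner runs after the commit. This is an added example written for this page, not configuration from the course or from Palo Alto Networks; it assumes the session's inside and outside zones, a host at 192.168.21.200, and two web servers at 192.168.71.7 and 192.168.71.8 (addresses chosen here for illustration). Lines beginning with # are annotations, not CLI input.

```panos
configure

# 1) ping between any zones, matched by App-ID rather than by protocol number;
#    application-default keeps it on ICMP echo only, and log-end records the session
set rulebase security rules allow-ping from any to any source any destination any
set rulebase security rules allow-ping application ping service application-default action allow log-end yes

# 2) web access only to known servers: address objects grouped as the destination,
#    applications named instead of ports, so nothing else on TCP/80 or TCP/443 gets through
set address web-srv-1 ip-netmask 192.168.71.7/32
set address web-srv-2 ip-netmask 192.168.71.8/32
set address-group web-servers static [ web-srv-1 web-srv-2 ]
set rulebase security rules inside-web-to-servers from inside to outside source any destination web-servers
set rulebase security rules inside-web-to-servers application [ web-browsing ssl ] service application-default action allow log-end yes

# 3) everything else still falls through to interzone-default (deny); the predefined rules
#    do not log, so turn logging on to make the drops visible in the traffic log
set rulebase default-security-rules rules interzone-default log-end yes

commit
exit

# confirm each flow lands on the rule you expect (protocol 1 = ICMP, 6 = TCP)
test security-policy-match from inside to outside source 192.168.21.200 destination 192.168.71.7 protocol 1 application ping
test security-policy-match from inside to outside source 192.168.21.200 destination 192.168.71.7 destination-port 443 protocol 6 application ssl
# a server that is not in the group must hit interzone-default
test security-policy-match from inside to outside source 192.168.21.200 destination 192.168.71.9 destination-port 80 protocol 6 application web-browsing

show running security-policy
```

Rules created this way are appended at the bottom of the custom rules, just above the two predefined ones, in the order they are created. Keep the any-to-any ping rule narrow in production (restrict it to the zones that actually need it); it is written as any/any here only to mirror the session.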
Conclusion
Configuring a Palo Alto Firewall requires a solid grasp of its features, policies, and management options. This guide has provided you with a fundamental understanding of the basic configuration processes, advanced capabilities, and practical examples to help you secure your network.
For further training, consider pursuing our courses on Palo Alto Firewall essentials or security policies to deepen your knowledge and capability with this robust security tool.
Hey guys, hello everyone. This is INE's Palo Alto Firewall Basics, and I am one of the instructors here at INE. I'm gonna run this session for you. What I want to show you today is how to configure a Palo Alto firewall with the basics, so the focus is going to be on the more important features and configuration building blocks of a Palo Alto firewall, or next-generation system. We will not be looking at simple things like, let's say, DNS, DHCP configuration, things of that nature; you can figure those out on your own. I want to focus on the, I would say, core configuration blocks, the things that pretty much everyone will have to go for in order to make sure that the firewall is running and allows certain applications to go through.

Okay, this means that we will take a look at the Palo Alto firewall from a very high level, just to see what type of functionality this device offers. We will then see how to connect to the device, how to manage it remotely, so we can finally start doing some configurations. And next I'm gonna go for the more important policies of the system; it's going to be the security policy. We will talk about traffic control, and we will also see how to configure some of the basic interface settings, how to initialize the interfaces, and I'm also going to show you how to perform some basic translations. So this all is pretty much what everyone has to know in order to deploy a brand new Palo Alto firewall in a network and make sure the device is ready for data packets and traffic filtering in general, for traffic control. Okay, so once again, from a very high level:
A Palo Alto next-generation firewall can be defined as a prevention-focused security system that takes into account the three most important aspects of any business environment, which is going to be the user, the application and the content. So these three elements, these three components, aspects of a network, of a business, it's something that this firewall allows you to integrate into its policies. And in terms of the key capabilities of the unit, it's going to be the User-ID and App-ID. So this is what the firewall uses to identify connecting users and also identify applications that are run in a network. We can use this firewall to build policy rules that will take this information into account. We can choose from hundreds of different applications, and we can enforce our policies based on groups, maybe individual users, so not just IP addresses and port numbers like would be typically used in traditional filtering systems.

Okay, there is also that advanced threat prevention, which offers the inspection capabilities, IPS/IDS inspection capabilities. It also includes some sort of content filtering, like with URL filtering. There are also some more advanced technologies that Palo Alto Networks offers, such as WildFire. Palo Alto devices, they have pretty broad logging capabilities; you can even go for a cloud-based logging system with Cortex Data Lake, and you can also easily adapt the Palo Alto firewall into the SD-WAN architecture. Okay, now in terms of the management
options, it's going to be obviously the web interface. This is going to be the primary method of what you would use to connect to the firewall, and we can either go for the local configuration, local access I should say, which means that our PC connects to the firewall directly using just a browser. So it's going to be an encrypted connection, an HTTPS session; pretty much any browser should work with the firewall. This is option number one, and it's something that's really easy to deploy, obviously, as opposed to the other solution, the centralized approach, which is something that's actually recommended to be used with networks that consist of at least six different firewalls. This is known as Panorama, and Panorama is the actual software and possibly physical appliance that acts as this centralized management solution that is capable of configuring multiple firewalls. So with Panorama the idea is going to be slightly different, because your client station, your PC, is going to connect to the Panorama appliance or a Panorama virtual machine, and it's going to be the Panorama where you will put your configuration. So you put the config over here, and then the system is going to replicate this configuration to the actual firewalls.

Okay, so in my case it's going to be the local web interface what I will use, but technically there aren't really a lot of differences, there are actually very few differences between Panorama and the local GUI in terms of functionality. They both look almost the same, and the vast majority of the configuration and settings that you can do with Panorama you can also do using the local GUI. So again, if your environment, you know, consists let's say of less than six firewalls, it probably doesn't make any sense to go for Panorama, which is something you have to pay for.

Okay, we also have this option of connecting to the console of the firewall. We can use a serial cable with a physical connection, or in case of remote access it's going to be Telnet, SSH. We can access the CLI of the firewall pretty much in the same way as with any other types of security appliances. Okay, Palo Alto Networks, they also allow you to connect to the device using scripts, external applications; it offers two types of APIs, REST and XML. Now, most of the time today what I will be showing you is going to be obviously the GUI version of the management access, but we will also see some basic examples on the CLI.
Okay, now before we move on with this session, let me guys also quickly show you the more important documentation, and also the documentation path for the Palo Alto next-generation firewall systems. If you go to that docs.paloaltonetworks.com website, take a look at the products, go to Strata and down to PAN-OS. PAN-OS is obviously the operating system of a Palo Alto firewall. Probably the three most important types of documents you want to look at: it's going to be the Admin Guide, which is what you can use to learn about certain features of the firewall and obviously see how to deploy them. You also have that Web Interface Reference, which I believe is pretty much the same information as we can also access locally on the firewall; I'm going to show you how to do this in this session. So this document is going to explain to you all the individual options of every page of the GUI. And there is also that CLI Quick Start guide, just to know how to get up and running with the command line interface. Okay, so the Admin Guide is probably the most important of these documents, but in reality, you know, you want to be at least aware of all of that, right?

We will start the technical portion of this session with an overview of the interfaces of a Palo Alto firewall. This system offers several different types of interfaces because, well, obviously, each of those types of interfaces is meant for a specific deployment. That's what Palo Alto offers: the deployment of a firewall is essentially closely related, it's closely associated with the particular interface type, and the thing about PAN-OS is that it allows you to do multiple deployments of different types, just based on the fact that you can deploy different types of interfaces. So what I'm trying to say here is that the deployment of the firewall is related to the interface type. So for instance, if you want to deploy a certain amount of interfaces of a firewall as Layer 3 ports, you can do this, but it doesn't necessarily mean that all interfaces of the firewall must be configured as Layer 3 ports. So you can say that, let's say, these two, three subinterfaces you want to make Layer 3 ports, but in addition to that you want to use the physical interfaces that you will configure as Layer 2, or maybe as a virtual wire. You can also configure some interfaces for the tap deployment. Now the most important, or at least I would say the most common, type of interface used in a network is going to be Layer 3, which is what allows you to participate in Layer 3 routing. It's obviously an inline type of deployment; it's when your appliance, your firewall, routes traffic between the interfaces, of course inspecting packets at the same time, and this is what we'll take a look at today.
As you do a Layer 3 deployment, you'll have to think about zones. Zones is basically a method of enforcing segmentation in a network. The idea is that you will group interfaces that have similar security needs, you will group them together in the zone, and then you will operate on those zones as you build your policy rules instead of on individual interfaces, and that's how you do segmentation. The more zones you have, the more granular your security policy rules can be. We also have to do some virtual router config, at least edit the default virtual router. The virtual router, for those of you who are familiar with Cisco IOS, it's basically an equivalent of virtual routing and forwarding instances. So we can think of a virtual router like of a routing table and the prefixes along with the actual interfaces. Okay, and now the routing table, this is how the device learns about the prefixes in the control plane, so for instance using routing protocols, or maybe just by populating the RIB with static routes, versus the FIB, which is what goes to the data plane. It includes the best routes, so routes that we actually want to use for the data packets. Okay, as we will see, the Palo Alto firewall is actually capable of using many different routing protocols. I would say that most of the common ones, they are all supported, like OSPF, like BGP, plus you can also do some multicast.
Okay, maybe let's now take a look at this stuff on the GUI. The firewall initialization, like when you want to bring the firewall up: so I mean, obviously, that you have management access, which I have now. I can actually show you that if I go to the Device tab, then Setup and then Interfaces, we see that my management interface is configured with an IP address. And an important thing about Palo Alto interfaces is that by default you will have to tell what type of communication a certain port should accept or not, and the management by default allows for SSH, HTTPS, and you can also ping the port. Now, as we will see, it's not going to be the case with data interfaces, which is what I will be configuring now. So as long as you have management access to the system, you can start deploying your physical or logical ports.

So we will go to the Network tab, then down to Interfaces, and I'm going to focus on this single interface, ethernet1/1, which is what I will want to make sure is up and running, and we will then use this physical port to build subinterfaces. I just want to make sure that the interface type is selected as Layer 3, since I want to build a Layer 3 deployment. I want to deploy this firewall as a Layer 3 firewall. I will not be configuring any addresses over here. You could possibly play with some Layer 1/2 settings, like duplex, link speed, and maybe even change the MAC address of the system, but I will just choose the interface type as Layer 3. And our goal is gonna be to come up with a topology like that, so we will want to configure one subinterface in VLAN 21, which is going to make our inside, and then the other subinterface is going to go to VLAN 71,
which is what I'm going to say is going to act as outside. Okay, let's look at this, let's see how to add some interfaces on this device. So I just want to highlight the physical port I want to further subdivide, and I want to click on Add Subinterface. Okay, so you give it an identifier, which technically doesn't have to be the same as the actual VLAN tag that you will insert into the frames that leave through that port, but most people, they want to keep the identifier and the tag consistent, so they know exactly what's the tag just by looking at the interface number, and this is what I'm gonna do. Okay, we will have to select the virtual router, so think of that as a VRF. I'm gonna say that we wanna use the default routing table, and we will have to make some adjustments here to the virtual router, because as you will see, it's how you enable the routing. It's where you put the routing config; it's going to be the virtual router where you enable the different routing protocols, where you can add static routes and so on. And we will also have to configure a security zone. This is something that we will then refer to in our policy; it's not optional. You wanna choose a zone, you wanna associate an interface with a zone, and you can either configure it from here, like when I say New Zone, or you can go to Network and then down to Zones. It will be pretty much the same effect, you know, it's just two different places how you can access the zone configuration.

Okay, so this is going to be my inside zone, and the only thing that I want to configure here is the name and the type. Now the type must match the interface type, so you cannot assign, let's say, a Layer 2 zone to a Layer 3 port, or vice versa. Now since I'm configuring this zone from the interface itself, it knows that since the interface is Layer 3, the zone should be Layer 3 as well. This stuff is the User-ID configuration, this is for zone protection, attack mitigation; you can ignore this config. The interface is going to be automatically associated with the zone when I add the zone from the interface itself. Okay, so the virtual router again is set to default, this is my zone, and then I'm going to give it a static IP address, and we will use 192.168.21.10. So the firewall is going to use that .10. Okay, let's say 192.168.21.10/24. I can also configure this as an object, but I don't have to do this, and we will now perform a similar configuration for the other interface.
Okay, so make sure that ethernet1/1 is highlighted, then Add Subinterface, give it an identifier, give it a tag, select the virtual router (you want to use the same routing table for both interfaces), and I want to add a new zone. Just to make it clear: this is my inside, and this is what I want to make my outside, right? Let's click OK. Now let's give it an IP address, 192.168.71.10/24. Don't forget to add a mask, or you may run into some troubles. Okay, we can also verify the zone config under Zones; we see that two zones were created and associated with the appropriate interface.

I would also go ahead and configure the virtual router. We are still in the Network tab, just go to Virtual Routers on the left and edit the default VR. We see that it knows about the interfaces, so I will just edit it. I can change admin distances, I can enable ECMP, equal-cost multipath, but what we will have to do in reality here, in this example, is just to enable OSPF on the outside. So I'm going to say that I want to run OSPF with CSR7 on the outside interface, plus I will also want to advertise my inside port. This is so 7 knows how to get to 192.168.21.0/24. It's going to be a really simple configuration for OSPF: you just want to enable the process, give it the router ID, and then you will have to add the area. It's going to be backbone; notice that it uses the full area notation, a single zero wouldn't work.

Any time you have a problem with the syntax somewhere in the GUI, you can always go ahead and click on the question mark for the appropriate window, which is another way of accessing the Web Interface Reference. We take a look at the local reference on the firewall for the virtual router OSPF config; well, it automatically brings you to the right place in the documentation, you just have to choose the actual tab, or just the actual option of the GUI you want to check the syntax for. Like when I click on OSPF, it says you want to give it the router ID, you want to enable the process, what the Reject Default Route option does, what the BFD option does. And then, since we were actually configuring the Area tab, I want to go over here, I want to take a look at the Area ID. It says it uses the x.x.x.x format, the regular IP-address-like format. Really handy feature. Okay, this is going to be a normal area. We will just enable it on the inside and on the outside interface. I'm going to leave the regular interface OSPF settings at the defaults, just make sure that it runs on both interfaces, inside and outside. So we will accept this configuration,
and now an important thing to remember about Palo Alto is that the changes you make from the GUI, most of those changes do not take effect until you commit them. So it's an equivalent of a policy push on a Check Point or, I would say, a Firepower Threat Defense system. You just want to commit, you want to push the change, in this case from the local GUI, down to the appliance, the firewall itself. Okay, the configuration isn't really big, so it won't take long for those changes to be installed.

We can verify this from the... maybe let's start verification at the interface level. We will go to the command line and we'll just see if we can ping the inside PC, which is .200, and we'll also try to ping router 7. Okay, the syntax for the ping command: it takes at least one argument, you have to specify the host. But I can tell you that the problem is that by default the Palo Alto firewall tries to use the management interface as it originates packets of different types. So you will either have to configure what is known as service routes, where you select, or you tell the firewall... let's go to the Device tab, Setup, Services, and edit it; actually not Services itself, but Services Features, and then Service Route Configuration. So normally it uses the management interface for all packets it generates, but you can change this behavior. You can select the service, like LDAP, like NTP, and tell it what source interface and possibly address you want to use as you generate the packet. You can also add prefixes, where you tell what interface and address to use as you try to get to them. Now, a good thing about the ping command is that you can select the interface from here; you can use the source option. So we will start with the inside ping. I'm going to say that I will source those echoes from the inside, and I will try to get to my PC, which is 192.168.21.200. Okay, we see we have connectivity. We will then try to ping the outside device, so I'm going to choose the outside interface, and it's going to be 71.7. Okay, so I can get to my local destinations.

But see what's going to happen if we try to do it in the opposite direction, like for instance if I were to ping the outside interface from the local device. Because we saw that the pings from the firewall to the local devices, they work, but what we should see here is that by default the firewall interfaces, the data ports, will not be pingable. Okay, so 7, CSR7, cannot get to the firewall, and we would actually see the same exact thing if I were to ping from the PC. The problem is that, as I said previously, the firewall interfaces, they require some additional configuration to accept the packets destined to them. We will get back to this in just a moment.

Maybe let's finish verification of our config. Let's go back to the Network tab, Virtual Routers, and in order to take a look at the routing table of that system, you want to look at the Runtime Stats column and click on the More Runtime Stats option. So let's take a look at the OSPF. It gives us a summary of the configuration. We take a look at the neighbors; we see that we in fact form an adjacency with CSR7 and we are getting some prefixes from 7. Okay, so I should be also able to ping the loopbacks of 7 from the firewall itself. Let's try to get to 7.7.7.7. Okay, so this is working. This is working because the firewall accepts replies, the echo reply messages, but it doesn't accept echo requests by default on those data ports, right? So let's now see how to fix that to-the-box communication issue. It's not necessarily a problem; I mean, some people just don't want to have their firewall discovered, and in general, you know, it's a security appliance, so unless you have a specific reason for opening certain ports or services on the firewall, you really don't want to do that, and that's why the Palo Alto firewall by default drops pretty much all communication on its data ports. But let's see how to make the firewall accept the ping messages, and maybe also let's see how to open management access on the inside interface.
This is something that you can configure from the Network tab and then Interface Mgmt. Okay, so there is a feature that is called management profile. I'm gonna call it improf, just a name, and you can select the actual services, like management services or maybe network services, you want your interface to accept, you want your interface to use. I'm going to say Telnet and ping is what I want to accept on my inside; it's what I'm going to apply to the inside interface only. So we will have to go back to the Interfaces and then apply the profile from under the Advanced tab: select the port, go under Advanced and apply the management profile over here. Okay, click OK. Remember that most changes, again, don't take effect until I commit, so we will do a commit, right? I will just have to connect to my PC. The policy was pushed successfully. Let me just connect to my PC so we can actually test it.

Well, we should see that nothing changes for the outside interface. I still cannot ping it, because the profile that I just created was applied to the inside port, not outside. So no changes on the outside. Well, let's now try to ping from the inside device, so I will be trying to send those echoes to the inside interface, and we see that I can ping my inside. It is now reachable, and I should be also able to telnet to this port. Okay, so, to make it clear, this is an address of the data port. The profile was attached on one of the data interfaces of my firewall, specifically it was attached to the inside interface, and I said I want to allow ping, and I said I want to allow Telnet. So inside is now pingable from the inside, and inside is also what we can access using Telnet. We see that we have connectivity to the system.
Okay, all good, right? Obviously the most important piece of the deployment is going to be the data plane traffic filtering, and this is something that you can control using the security policy. So Palo Alto firewalls, they come with a bunch of policies you can access from the Policies tab: we've got the security policy, the NAT policy, QoS policy, down to SD-WAN, and the security policy is probably the most important of those policies, because it is actually where you put the actual rules that control the communication that you want to allow or block on the firewall. And notice that by default there are actually two rules in this policy: we've got a rule that is called intrazone-default, and there is also that interzone-default rule. There's also a different type associated with those rules, but the idea is pretty straightforward: the firewall by default permits the intrazone communication. Intrazone means that it refers to the communication that is traversing the interfaces that are part of the same zone. Like if my firewall, let's say, was built using the inside1 interface, inside2, outside and maybe DMZ, and we said that inside1 and inside2, we wanna put those interfaces, make them part of the inside zone; so now as I get a packet on in1 destined to in2, it's going to be allowed. This is intrazone communication; the ingress and egress zone is the same, as opposed to interzone communication, that applies to different zones. Okay, so an example here would be if my packet was coming in on the DMZ with a destination of, let's say, outside. The second rule, the interzone rule, is a deny, which means that we will block those packets. Okay, so this would be an example of a packet that the firewall would drop.

And also, as pretty much with any other types of security appliances that are policy based, it's going to be the same type of processing as to how those rules are evaluated on a Palo Alto system, which means that we will be going through those rules one by one, starting at the top, towards the bottom. So in this case, with just two rules (actually implicit rules, somewhat implicit; they are visible, but these are basically the default rules), we will first try to match the first rule, and only if this first rule is a miss we will proceed to the second rule. As I have a match with the rule, I will be enforcing the configured action and possibly some other settings configured within this rule. So again, you only check subsequent rules if the current rule is not a match for a packet. Okay, these default rules, what they essentially do in our case, since we have just two interfaces, two zones, inside and outside, and each of those zones is associated with just one interface, it means that all communication that is going from the outside to the inside, or from the inside to the outside, is gonna be blocked based on the second rule, the interzone rule. Because as the packet comes from the outside and is sent to the inside, it's obviously different zones; when it comes from the inside and it's destined to the outside, it's also different zones, which means that this is all interzone communication, that again is a no-go.
Okay, so now in order to change this behavior, a very secure behavior of the firewall, we will have to add some custom rules. I'm going to go back to the security policy. I just wanted to click somewhere else because with a single rule highlighted I wasn't able to add the new rule, so I just want to make sure that none of the rules is highlighted so I can click on Add over here, and this is how I can add a rule to this policy table. We will start with a really simple rule where I'm going to allow ping communication between the zones. And just to make sure that we know what happens here: I will not be able to get from the PC to 7, I forgot to show you that, but believe me, it's not gonna work. It's different zones, so the firewall is blocking those packets by default; it's the second rule that blocks them. So we will try to fix this by adding a rule for ping packets, ICMP echoes. I'm going to say that it's actually for any zone combination, so no matter what the source zone is, no matter what the destination zone is, no matter what the addresses are, source, destination, the user, the authentication factor, we are going to leave it as well. As long as this is the ping application, and the ping is using the default transport (we will get back to the application-default setting in a couple of minutes), we will allow this communication and we will also log the session at the end. Okay, since this is my custom rule, it automatically goes to the top of the table, and now as I add other rules they will be put below the previous rules, so above the default rules but below the custom rules.
Okay, one of the more critical pieces of this rule is the application. Palo Alto is an application-based firewall, not a port-based firewall, which means that as you build your rules you will generally want to refer to the application names instead of the port numbers. This is obviously a more secure approach, because we know that today opening access over a single port like port 80 doesn't actually ensure that it's only the clear-text web packets that will be allowed for this rule. It's possible for other applications to go over port 80, and this will be allowed by a traditional port-based filtering system. It's no longer the case with Palo Alto firewalls; they are able to detect applications on the fly and enforce a policy on a per-application or application-group basis. Okay, so with just ping selected here, what we should see is that we will be able to ping across the system but not, let's say, web browse, because web browsing is going to match the default rule.

Okay, so let's go to the PC and let's just send some more echoes to 7. Once this rule gets installed, once this policy gets installed on the firewall, we will see that 7 starts getting those echoes and replies back to the PC. So, as the commit was successful, now let's try to do it in the opposite direction as well, like from 7 to the PC. Okay, so I can get from 7 to the PC. Now for some reason it says I'm not able to ping 7 from the PC. Let me say show ip interface brief here on this device. This is actually something I wouldn't expect to see, given the fact that I can get from 7 to the PC. Okay, it might be... Now let's go back and take a look at the rule itself, and the rule says that the source zone is set to any and destination is set to any, the rule type is interzone, which means that it's for one zone to another, the ping is allowed. And let's maybe refresh. Let me also double check: we see that the hit count goes up. Let me also quickly check the interface configuration. Now, this stuff looks okay. How about if I were to ping the firewall? I think that we did that before. Okay, so I can get to the inside of the firewall. Let's also take a look at the routing table. I may want to try to get to the loopback of 7 as well. Okay, so we see a route for 7.7.7.7 and we have a route for 192.168.71.0/24 as well; it says go to the inside of the firewall. Okay, so I can get to the loopback of 7, but for some reason I'm not able to reach the physical port. So, show interface gig1.71, and let's also take a look at the Palo Alto, the show session output, let's see, show session all. Okay, we don't have any other rules in other policies. I didn't put any addresses into this rule. It may be something on 7 that is blocking the... Let's do this, let's take a look at 7 and let's say debug ip icmp. Now let's go ahead and ping the loopback. Okay, this is a virtual device, so I don't think it's gonna show me anything here in this output. Okay, I'm going to do this, I'm going to say route delete. Right, it looks like it might have been something on the PC itself. I would normally not even assume that it's going to be a route problem, because we see we got replies in the opposite direction, but it had to be something that probably hung around in the memory of the PC. The only thing I changed is I removed the route and added it back in, but we see that this communication... it's not a firewall problem; it was something on the PC that was breaking this communication, and now we see that the rule is working fine. It's a simple rule that allows ping communication through the firewall.

Now, one of the possible issues you can run into as you build the rules is going to be to figure out the actual application you want to include in the rule, and one of the easiest ways to check available applications, to check the application database, is going to be to go to Objects and Applications. You can then filter based on categories, subcategories, and other characteristics of all applications stored in this database. You can also specify the application name and try to filter using this method, but since it is looking for this content inside of the application name and also other fields of an application, like for example ports, the description and so on, it's still not a 100% accurate solution, so in most cases you will have to guess what's the category of the application you want to find. Like, if I'm looking for web, HTTP/HTTPS communication, I guess it's going to be the general-internet category; now it's going to be further classified as internet-utility, and it's going to be widely used. And then I will look at those applications; we have just two pages of these, and I can finally find web-browsing over here. If we take a look at the details, it's going to tell me what's the standard port of the application and possibly also what's the encrypted port. There is also what is known as Applipedia; let's take a look at this. Palo Alto... which appears to be a very similar engine to what we see on the firewall, but what I found is that here the search filter is working, it's basically slightly more accurate, so you can try to guess the application name by putting it over here or just use those different characteristics of applications and then use this information as you navigate through the application database. Okay, but let's go back to the policy.
Let's add one more rule before we add some NAT configuration. Let's now say that we want to allow the web communication to a specific server. I will say that... well, we will allow web packets to the loopback of CSR7, just to show you how to include the address information in your rules, just another example of how to build a simple rule. So this time we will be specific: it's from the inside zone to the outside. I'm selecting the zones, I'm choosing the application. I know that HTTP and HTTPS is identified as web-browsing, and there is also the Service/URL Category tab that allows you to specify the port numbers, the actual services. Like, when you say any, it means that you want to allow web-browsing over any port. You can add some custom ports if you want, like for instance if you run HTTP over, let's say, something else than 80, or you also have that application-default option, which is the recommended setting. Application-default narrows down the application to its standard port. So for instance, if the firewall sees a web packet... let's say the firewall sees two web packets; packet one is destined to TCP port 80 and the second packet is destined to something else, like TCP 1980. With the application-default setting used in the Service/URL Category tab, it's only going to allow this first packet, because it knows that the clear-text web communication runs over TCP port 80 and not something else. So it's useful because it allows you to cut down on any type of tunneling attempts, or basically on situations when someone is trying to hide an application, evade detection, by sending traffic over a non-standard port. Okay, so application-default is what I wanna, excuse me, what I wanna use here. I can allow... we will allow. We could also deny and use the block actions specified within the application database for the application, such as sending a reset; you can make a silent drop and you can also reset the sessions. These are the actual actions available in the security policy, the general actions. Okay, I want to allow, which means permit from inside to the outside web-browsing, and let's also say that this is just to the loopback; I forgot to add the destination address. I can add it from the Destination Address tab. I only want to permit those web packets to the loopback of 7, like that, from any source. Okay, so obviously the difference from the previous rule, apart from the application itself, is that the web communication is going to be allowed just to the single address on the outside. Okay, maybe this time let's wait for the firewall to propagate, install this change. Okay, let's now go to the PC, and we will say we want to browse. Let's just try to browse to the physical address of the CSR first, 192.168.71.7. Okay, so this should match... this shouldn't match my custom rule, because my custom rule is for the loopback. So the end result here is that we will not have a match in the ping rule, because web-browsing is not ICMP. Okay, the second rule is also going to be a no match because the destination address is different. The third rule is for intrazone communication, again no match. Rule number four is what the firewall enforces on this particular transaction, as opposed to 7.7.7.7, which is permitted.

Okay, just one more thing I want to show you guys, a really simple example of a NAT policy. But whenever you work with networks and Palo Alto firewall systems, just remember that there are actually two elements you want to think about as you build your rules in the NAT and also security policy tables: it's going to be the addresses and zones. The addresses, this is pretty simple stuff, because you will always want to refer to the original addresses of a packet, which means before NAT, before translations. But as you work with zones the situation may change, and this specifically applies to the destination zone, because the destination zone is going to be taken based on the translated address of a packet in case of the security policy table. Now, we will do a simple source translation, so we will always refer to the original addresses and the original zones as we build our rules, but I just wanted to highlight that there might be cases where your security policy rule will require a modified destination zone for the rule to be a match, and you can learn more about this topic in one of our courses on Palo Alto firewall policies. I just wanted to give you some highlights at this point; it's beyond the scope of this session to talk about this stuff in detail, but it's obviously helpful to be aware of that as you work with the translations and the security policies. Okay, the rule is going to be really simple in our case, we will do basic PAT, so I will want to modify the packet source as it comes from the inside and goes to the outside. We will say that all inside-to-outside communication is going to be translated using the source address of the outside interface of the firewall. Now, PAT in case of, excuse me, Palo Alto Networks is also sometimes referred to as DIPP, dynamic IP and port translation. Okay, so the end result of this config is that as PC1 sends a packet to CSR7, we should see the packet coming with 192.168.71.10, because 10 is the address of the firewall on the outside. Let's add a rule and see the actions. Okay, the NAT type is set to ipv4, the original packet is going to be coming from the inside zone and is going to be destined to the outside zone, regardless of the interface or service. Okay, we will also ignore the addresses that we see in the packet; it's only the zones that really define the translation criteria. Okay, as we have a match, we will perform a PAT translation using the IP address configured on the outside interface of the firewall, and we will test this. Okay, probably the easiest way to test it is going to be just to add a rule for telnet. I'm going to add one more policy rule, telnet inside to outside, so this is for the inside-to-outside direction. Okay, the rule type is going to be set to interzone; universal means that it applies to both interzone and intrazone traffic. Since I know that the source zone is going to be different than the destination for this rule, I'm selecting the interzone rule type, inside, outside, for any addresses. Just choose the application, it's telnet. Okay, telnet on its default port, which is 23, allow; should be good to go. I'm going to commit this change and we will test it.
Now remember that the rules are processed top-down, so the order of the rules is important, but in my case there is no overlap between them, so it doesn't really matter if telnet goes above web or vice versa; those rules will obviously match the appropriate traffic flows. Right, so let's take a look at this, let's telnet to 7. You see we got connected, so the rule is working, and we see that we are shown as we come from 192.168.71.10, which is the outside address of the firewall, so it's no longer the PC's address, it's the translated address. And there's also the show session command that is going to show you not only the entry in the connection table but also the translated address and port, so we see that the source was translated from .21.200 to .71.10.

Just in case you guys want to learn more about the Palo Alto firewall next-generation system, I would go ahead and recommend some of our courses: the Palo Alto Firewall Essentials, this is where I'm talking about the basic configuration of the system like DNS, DHCP, interfaces; I'm also talking more about the actual interface types, showing you some of the examples; and then the Palo Alto Firewall Policies is where you can learn more about security policy and NAT policy and also some other policy types as well. I hope you guys enjoyed this session, and I want to thank everyone for watching. I'll see you in another class from INE. Thank you.
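As an added illustration (not PAN-OS code and not part of the course), here is a small Python model of the top-down, first-match evaluation walked through above: the custom rules sit above the two default rules, the rule type gates interzone versus intrazone flows, and an application-default service only matches the application on its standard port, so web-browsing to 7.7.7.7 on tcp/80 is allowed while the same App-ID on tcp/1980, or to the CSR's physical address, falls through to the interzone default deny. Rule names, the App-ID port table and the packets are constructed; the PC's inside address is assumed.

```python
from collections import namedtuple
from dataclasses import dataclass

# Constructed excerpt of the App-ID database: each application's standard port,
# which is what the "application-default" service setting enforces.
APP_DEFAULT_PORTS = {"ping": {("icmp", None)}, "web-browsing": {("tcp", 80)}, "telnet": {("tcp", 23)}}

# dst is the original (pre-NAT) destination; app is what App-ID identified, not the port
Packet = namedtuple("Packet", "src_zone dst_zone dst app proto dport")

@dataclass
class Rule:
    name: str
    from_zone: str = "any"
    to_zone: str = "any"
    destination: str = "any"
    application: str = "any"
    service: str = "application-default"   # or "any"
    rule_type: str = "universal"           # universal | interzone | intrazone
    action: str = "allow"

    def matches(self, p: Packet) -> bool:
        same_zone = p.src_zone == p.dst_zone
        type_ok = {"universal": True, "interzone": not same_zone, "intrazone": same_zone}[self.rule_type]
        if not (type_ok and self.from_zone in ("any", p.src_zone) and self.to_zone in ("any", p.dst_zone)
                and self.destination in ("any", p.dst) and self.application in ("any", p.app)):
            return False
        # application-default: an App-ID match alone is not enough, the flow must also
        # use the application's standard port, so web-browsing on tcp/1980 falls through
        if self.service == "application-default":
            return (p.proto, p.dport) in APP_DEFAULT_PORTS.get(p.app, set())
        return True

# The rulebase built in the session: custom rules on top, the two default rules last.
RULEBASE = [
    Rule("allow-ping", application="ping"),
    Rule("web-to-cr7-loopback", from_zone="inside", to_zone="outside",
         destination="7.7.7.7", application="web-browsing"),
    Rule("telnet-inside-outside", from_zone="inside", to_zone="outside",
         application="telnet", rule_type="interzone"),
    Rule("intrazone-default", rule_type="intrazone", service="any", action="allow"),
    Rule("interzone-default", rule_type="interzone", service="any", action="deny"),
]

def evaluate(p: Packet, rulebase=RULEBASE):
    """Top-down, first match wins; the interzone default catches whatever is left."""
    for rule in rulebase:
        if rule.matches(p):
            return rule.name, rule.action
    raise RuntimeError("unreachable: the default rules cover every zone pair")
```

For instance, evaluate(Packet("inside", "outside", "7.7.7.7", "web-browsing", "tcp", 1980)) returns ("interzone-default", "deny"), which is the port-evasion case application-default is meant to close.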
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.