Getting Started: Layer 3, NAT, and DHCP
I've unpacked my firewall and did what you told me, now what?
In the previous installment, Getting Started—Preparing the Firewall, I've unpacked my firewall, now what?, we described the first steps after unpacking your firewall and getting it up and running. This week, we'll take a look at where to go from here and configure Layer 3 interfaces, set up proper routing, and enable NAT so the firewall can function as an internet gateway.
Before we get started, I'll outline a few things that may be different in your network that you'll want to note:
In the examples below, my ISP has assigned me the internet IP subnet of 198.51.100.0/28 which I want to start using on the untrust interface of the firewall instead of the router. To achieve this, NAT will need to be disabled on the router and maybe some other things need to be changed. As the steps to accomplish this will vary, depending on several factors, you may need some assistance from your ISP to reconfigure your router. As it is not absolutely necessary to use a public IP range, you can simply keep using the IP range your ISP provided.
Please note these parameters for your network:
My router's IP will be: 198.51.100.1
My firewall's IP will be: 198.51.100.2
My firewall's internal IP will be: 10.0.0.1
My client's DHCP range will be: 10.0.0.50-10.0.0.250
1. Preparing the zones
To get started, we'll first reconfigure the zones we're currently using for our Virtual Wire so we can reuse the same zones. If you prefer to change the names, you can make new zones or simply rename the existing ones.
- Navigate to the Network tab.
- Open Zones from the left pane.
- Proceed to open the trust zone objects and change the Type to Layer3, then click OK. Repeat this for the untrust zone.
Don't worry if the interfaces box is empty after this change—we'll fix that in the next step.
2. Preparing the interfaces
- Navigate to the Network tab.
- Open Interfaces from the left pane. We'll see our 2 VWire interfaces that are already connected to the internet but are currently lacking zone configuration, due to the step above.
- Start by opening ethernet1/1, which will be our external, or untrust, interface.
On the Interface Type dropdown, change Virtual Wire to Layer3.
Next, set the Virtual Router to default and the Security Zone to untrust.
Next we'll add an IP address to the interface.
- Navigate to the IPv4 tab.
- Click Add.
- Enter the external IP address your ISP provided.
Click OK and proceed to ethernet1/2. Set the Interface to Layer3, Virtual Router to default and Security Zone to trust.
In the IPv4 tab, set the IP address of the interface to 10.0.0.1/24 and open the Advanced tab.
In this tab, we're going to set a Management Profile which will allow us to ping the interface, which might come in handy if we ever need to troubleshoot internal network issues. In the Management Profile dropdown, click the Management Profile link:
For now, we will only allow the ping service on the interface.
Return to the interfaces page by clicking OK on the two configuration dialogs. The interfaces page should now look like this:
3. Configuring routing
Next, we need to make sure the firewall will be able to reach the Internet, so it will need a default gateway.
- Navigate to the Network tab.
- Open Virtual Routers from the left pane.
- Open the default VR (virtual router).
This will bring up the configuration for the Virtual Router we will be using for our new Layer 3 interfaces. It is called a virtual router because the firewall does not employ one single routing instance, but can have several, all bound to different interfaces. This allows for routing instances to be very different from each other, and makes network segregation at the routing level possible. For now, we'll stick to the one we have:
Add a static route.
- Open Static Routes from the left pane.
- Click Add to start a new route.
We'll set the destination to 0.0.0.0/0, which encompasses all IP subnets that are not connected to the firewall and the egress interface to ethernet1/1 as this is the outside interface connected to the internet router. Lastly we'll set the router's IP address as the next hop.
4. Configuring DHCP
Our next step will be to enable a DHCP server on the trust interface so any users connecting to the network without a statically configured IP address can get connected.
- Navigate to the Network tab.
- Open DHCP from the left pane.
- Click Add to start a new DHCP server configuration.
We'll set the interface to ethernet1/2 as this is the inside interface. To prevent duplicate IP addresses in the network in case someone has set a static IP address configuration on their workstation, we can enable Ping IP when allocating new IP. This option sends a ping to an IP address that is about to be assigned to a host. In case the ping receives a reply, the DHCP server chooses a different IP to assign and repeats the step. We'll set the Lease to 1 day and the IP Pools to '10.0.0.50-10.0.0.250' to provide users with 201 IP addresses.
In the Options tab, we can configure which default gateway and DNS servers the clients receive when requesting a DHCP address. We need to set the Gateway as 10.0.0.1 as this is the firewall's internal IP address. I've set the DNS servers as Google's 4.2.2.2 and 8.8.8.8 but you can set your own ISP's DNS servers:
Click OK to complete this bit and let's move to the last part where we configure NAT.
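To illustrate what the DHCP server configured above is doing, here is a small Python model of the pool, added here as an example; it is not PAN-OS code and not from the original article. It walks the 10.0.0.50-10.0.0.250 range, skips an address that already answers a probe (the "Ping IP when allocating new IP" behaviour, with the probe function passed in so the example runs offline), hands a renewing client its previous address back, expires leases after the 1-day lease time, and returns None once the pool is exhausted. The MAC addresses and the single statically configured host in the usage are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed to match the article: pool 10.0.0.50-10.0.0.250, lease 1 day,
# gateway 10.0.0.1 and the DNS servers set in the Options tab.
POOL_START, POOL_END = "10.0.0.50", "10.0.0.250"
LEASE = timedelta(days=1)
OPTIONS = {"gateway": "10.0.0.1", "mask": "255.255.255.0", "dns": ["4.2.2.2", "8.8.8.8"]}


class DhcpPool:
    def __init__(self, start=POOL_START, end=POOL_END, lease=LEASE, probe=None):
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        self.addresses = [str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1)]
        self.lease = lease
        # probe(ip) stands in for the "Ping IP when allocating new IP" check and
        # must return True when a host already answers on that address.
        self.probe = probe or (lambda ip: False)
        self.leases = {}   # ip -> (client MAC, lease expiry)

    def pool_size(self):
        return len(self.addresses)

    def _expire(self, now):
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[ip]

    def allocate(self, mac, now=None):
        """Offer an address to the client with the given MAC, or None if exhausted."""
        now = now or datetime.now(timezone.utc)
        self._expire(now)
        for ip, (holder, _) in self.leases.items():
            if holder == mac:                      # renewal: keep the same address
                self.leases[ip] = (mac, now + self.lease)
                return {"ip": ip, **OPTIONS}
        for ip in self.addresses:
            if ip in self.leases:
                continue
            if self.probe(ip):                      # someone answers: pick the next one
                continue
            self.leases[ip] = (mac, now + self.lease)
            return {"ip": ip, **OPTIONS}
        return None


if __name__ == "__main__":
    # Constructed scenario: 10.0.0.50 is already in use by a statically configured host.
    static_hosts = {"10.0.0.50"}
    pool = DhcpPool(probe=lambda ip: ip in static_hosts)
    print(pool.pool_size(), "addresses in the pool")
    print(pool.allocate("aa:bb:cc:00:00:01"))   # skips .50, offers .51
```

The probe is the part that matters for security: without it a workstation with a hand-configured address silently collides with a DHCP client, which shows up as intermittent connectivity loss that is hard to trace back to the DHCP server.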
5. Configuring NAT
The last part of this setup is to configure Network Address Translation. This will make sure all internal hosts go out to the internet using the firewall's external IP address as source. This is required as the private network IP ranges 10.0.0.0/8 , 172.16.0.0/12 and 192.168.0.0/16 are not routed on the internet and can only be used on a private network behind a NAT enabled gateway.
- Navigate to the Policies tab.
- Open NAT from the left pane.
- Click Add to create a new NAT policy.
We'll give the NAT rule an easy-to-identify name:
Next we'll go to the Original Packet tab, where we'll set the source and destination zones and the destination interface.
- Click Add to insert a new source zone.
- Select the trust zone from the dropdown.
- In the destination zone, choose untrust in the dropdown.
- For the destination interface, set ethernet1/1, as this is the outside interface.
- Leave everything else as is and move on to the Translated Packet tab.
Lastly, from the Translated Packet tab, we will configure the Source Address Translation. Set the Translation Type to Dynamic IP And Port to ensure multiple internal clients can make simultaneous outbound connections hidden behind one IP address.
About the other options—
- Dynamic IP comes in handy to hide a group of IP addresses behind another group of IP addresses of equal size. This can happen if a connection is set up with a secondary network where IP addresses may overlap, or where routing to the LAN subnet is not possible.
- Static IP is usually set if a single host will have exclusive use of a NAT IP address.
As Address Type we'll choose to use the Interface Address, select ethernet1/1, and select its configured IP address.
Click OK to complete the NAT configuration.
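To show how the static route from step 3 and the NAT rule from step 5 work together, here is a small Python model of the virtual router and a Dynamic IP And Port source-NAT rule. It is an added example, not PAN-OS code and not from the original article. It uses the article's addresses (198.51.100.2 on ethernet1/1 with 198.51.100.1 as next hop, 10.0.0.1/24 on ethernet1/2); the translated port range starting at 1024 and the internet destination 203.0.113.10 are constructed assumptions.

```python
import ipaddress
from itertools import count

# Constructed from the article's addressing: 198.51.100.2/28 on ethernet1/1
# (router 198.51.100.1 as next hop) and 10.0.0.1/24 on ethernet1/2.
ROUTES = [
    # (destination, next hop or None if directly connected, egress interface)
    (ipaddress.ip_network("10.0.0.0/24"), None, "ethernet1/2"),
    (ipaddress.ip_network("198.51.100.0/28"), None, "ethernet1/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "198.51.100.1", "ethernet1/1"),
]
ZONE_OF_INTERFACE = {"ethernet1/1": "untrust", "ethernet1/2": "trust"}


def lookup_route(dst_ip):
    """Longest-prefix match: the most specific route wins, so 0.0.0.0/0 only
    catches destinations that no connected route covers."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in ROUTES if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def zone_of(ip):
    """An address belongs to the zone of the interface a route lookup picks."""
    route = lookup_route(ip)
    return ZONE_OF_INTERFACE[route[2]] if route else None


class DynamicIpAndPort:
    """Source NAT in Dynamic IP And Port mode: every internal (ip, port) pair
    is given its own port on the one external address, which is what lets
    many clients share 198.51.100.2 and still receive the right replies."""

    def __init__(self, translated_ip, first_port=1024):   # port range is assumed
        self.translated_ip = translated_ip
        self._ports = count(first_port)
        self.forward = {}   # (src_ip, src_port) -> translated port
        self.reverse = {}   # translated port -> (src_ip, src_port)

    def translate(self, src_ip, src_port, dst_ip):
        """Apply the trust -> untrust, egress ethernet1/1 rule; None means no NAT."""
        route = lookup_route(dst_ip)
        if not (zone_of(src_ip) == "trust" and route and route[2] == "ethernet1/1"
                and ZONE_OF_INTERFACE[route[2]] == "untrust"):
            return None
        key = (src_ip, src_port)
        if key not in self.forward:           # reuse the mapping for an existing flow
            port = next(self._ports)
            self.forward[key] = port
            self.reverse[port] = key
        return (self.translated_ip, self.forward[key])

    def untranslate(self, translated_port):
        """Return traffic hitting 198.51.100.2:<port> is mapped back to the client."""
        return self.reverse.get(translated_port)


if __name__ == "__main__":
    nat = DynamicIpAndPort("198.51.100.2")
    # Two clients picking the same source port still get distinct external ports.
    print(nat.translate("10.0.0.50", 40000, "203.0.113.10"))
    print(nat.translate("10.0.0.51", 40000, "203.0.113.10"))
    print(nat.untranslate(1025))
    print(nat.translate("10.0.0.50", 40000, "10.0.0.7"))   # stays inside trust: no NAT
```

The reverse table is the reason replies find their way back: the router only ever sees 198.51.100.2, so the firewall has to keep the mapping state per flow, and a flow between two trust hosts never enters that table because the rule's zone and egress-interface conditions do not match.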
6. Cleanup and commit
One last step before we go ahead and commit this configuration is to remove the previously used Virtual Wire object.
Navigate to the Network tab and open Virtual Wires from the left pane. Once there, highlight the default-VWire and click Delete.
When the default-VWire is deleted, go ahead and commit the configuration.
7. Refresh client IP and ARP
We have now successfully switched the firewall from virtual wire to Layer 3 deployment. One caveat to consider is that the interfaces are no longer acting as a bump-in-the-wire: they now have their own MAC address, and some clients, and potentially the router, may need to have their ARP cache refreshed before they can successfully communicate with the firewall.
On a Windows host, this can be accomplished by starting a command prompt as administrator and executing 'arp -d' to clear the ARP cache and 'ipconfig /renew' to obtain a DHCP lease from the new DHCP server.

    C:\>arp -d

    C:\>ipconfig /renew

    Windows IP Configuration

    Ethernet adapter lablan:

            Connection-specific DNS Suffix . :
            IP Address. . . . . . . . . . . . : 10.0.0.50
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 10.0.0.1
I hope you enjoyed this article. Please feel free to leave any comments below!
Regards,
Tom Piens
______________________________________________________________________________________________________________________
Getting Started: Layer 3 Subinterfaces
I've unpacked my firewall and want to configure VLANs — subinterfaces
Now that your new Palo Alto Networks firewall is up and running, let's look at adding VLAN tags to the mix by creating Layer 3 subinterfaces. Our initial installments in the Get Started series described the first steps after unpacking your firewall and getting it updated and configured in VWire or Layer 3 mode. Check out I've unpacked my firewall, now what? and I've unpacked my firewall and did what you told me, now what?
There may be several network segments in your organization to segregate user workstations from public webservers. A good way to prevent these networks from communicating with each other is by implementing VLANs on the core switch, preventing hosts located in one VLAN from communicating with hosts in another, without some form of bridge or gateway to connect both virtual networks.
The first configuration we'll look at builds on where we left off in the previous getting started guide. The firewall has Layer 3 interfaces and we're now going to change the trust interface so it can communicate with a trunked switch interface.
The difference between a regular, or access, switchport configuration and a trunked switchport is that the access port will not tamper with the Ethernet header of any packets, whereas a trunk port will attach a VLAN tag in the form of an IEEE 802.1Q header to packets. This ensures that packets retain VLAN information outside the switch and are treated as different LAN networks by the next host receiving these packets.
    interface GigabitEthernet1/36
     switchport
     switchport access vlan 100
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast

    ...reconfigure...

    interface GigabitEthernet1/36
     switchport
     switchport trunk allowed vlan 100,200
     switchport mode trunk
     switchport nonegotiate
     spanning-tree portfast
We'll be switching our configuration from a regular interface to tagged subinterfaces.
1. Creating subinterfaces
The first step is to remove the IP configuration from the physical firewall.
- Navigate to the Network tab.
- Go to Interfaces on the left pane.
- Open the interface configuration.
- Navigate to the IPv4 tab.
- Select the subnet.
- Click Delete.
We can now go ahead and add a subinterface.
In the subinterface configuration, we need to assign an interface number and a tag. The tag needs to match the VLAN exactly, but the interface number may be different. For ease of management, it's best to set it to the same ID as the VLAN tag. Add the interface to the 'default' Virtual Router and assign it to the 'trust' Security Zone.
Next, navigate to the IPv4 tab and add the IP to the interface.
Then navigate to the Advanced tab and set the Management Profile to 'ping.'
Next, we've added a webserver to the network and placed it in VLAN 200 on the switch.
So we'll need to add a second subinterface and set it to VLAN tag 200. We'll also create a new Security Zone so we can apply different security policy to it.
We'll call the new zone 'dmz', assign the interface a different IP subnet, and also set the Management Profile to 'ping.'
Your interface configuration should now look similar to this:
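To make the 802.1Q mechanics concrete, here is a Python example, added here and not part of the original article or of PAN-OS, that parses an Ethernet frame, pulls the VLAN ID out of the tag control information, and maps the frame to the subinterface (and thus the zone) it belongs to. The subinterface table mirrors the configuration above (ethernet1/2.100 in trust, ethernet1/2.200 in dmz); the MAC addresses and payloads used are constructed. Frames that are untagged, or tagged with a VLAN that has no subinterface, have no owner and are returned as None, which is the "tag must match exactly" rule from the text.

```python
import struct

# Constructed mapping that mirrors the article: ethernet1/2 is trunked and
# carries VLAN 100 (clients, trust) and VLAN 200 (webserver, dmz).
SUBINTERFACES = {
    ("ethernet1/2", 100): ("ethernet1/2.100", "trust"),
    ("ethernet1/2", 200): ("ethernet1/2.200", "dmz"),
}
TPID_8021Q = 0x8100   # EtherType value that announces a VLAN tag


def parse_frame(frame):
    """Return (dst_mac, src_mac, vlan_id or None, ethertype, payload).

    On a tagged frame the 802.1Q header sits between the source MAC and the
    real EtherType: 2 bytes TPID 0x8100 followed by 2 bytes TCI, of which the
    low 12 bits are the VLAN ID (the top 3 bits are priority, then 1 DEI bit).
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return dst.hex(":"), src.hex(":"), vlan_id, ethertype, frame[offset:]


def classify(physical_interface, frame):
    """Pick the subinterface and zone a frame belongs to, or None to drop it.
    Untagged frames and unknown VLANs on a trunk have no subinterface."""
    _, _, vlan_id, _, _ = parse_frame(frame)
    return SUBINTERFACES.get((physical_interface, vlan_id))


def build_frame(dst_mac, src_mac, vlan_id, ethertype, payload, pcp=0):
    """Construct a sample frame; tagged when vlan_id is not None."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    # Constructed sample frames: an IPv4 packet on VLAN 100, one on VLAN 200,
    # one untagged, and one on a VLAN the switch is not supposed to send us.
    dst, src, payload = "00:11:22:33:44:55", "66:77:88:99:aa:bb", b"\x45" + b"\x00" * 19
    for vid in (100, 200, None, 300):
        print(vid, classify("ethernet1/2", build_frame(dst, src, vid, 0x0800, payload)))
```

The mask on the TCI is the detail people trip over: a switch that sets a priority (PCP) on trunked traffic changes the upper bits of those two bytes, so a parser that compares the whole 16-bit field to 100 will misclassify frames that are in VLAN 100.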
2. Reconfigure DHCP
We will now need to move the DHCP server we created last time to the new subinterface.
- Navigate to the Network tab.
- Open DHCP menu from the left pane.
- Open the DHCP configuration for interface ethernet1/2.
- Change the Interface to ethernet1/2.100 to match the new subinterface.
3. Create a new NAT policy
The next step is to create a NAT policy to allow hosts on the internet to reach the webserver via the external IP address of the firewall.
- Navigate to the Policies tab.
- Open NAT configuration from the left pane.
- Click Add to create a new NAT policy.
In the Original Packet tab, we set the source and destination zones to untrust, and the destination address to the external IP address of the firewall. The destination zone is untrust because the firewall will try to determine the destination zone of a received packet based on its routing table. In this case, the original destination IP address, before NAT is applied, belongs to the untrust zone.
In the Translated Packet tab, we add the physical IP address of the webserver.
4. Add security policy
The last step is to create security policies to allow the trust and untrust zone to access the webserver.
- Navigate to Policies.
- Open the Security policies from the left pane.
- Click Add to create a new rule and name it access_to_webserver.
For now, we'll set the source zone to 'untrust.'
We'll set the destination to 'dmz' and the destination address to the external IP of the firewall.
We'll enable application web-browsing.
Enable several security profiles to make sure the webserver is protected from attacks.
Repeat this step for a security policy from the trust zone, so additional applications can be added.
In the destination, we'll set Security Zone 'dmz' and the internal IP address of the webserver.
Add additional applications for management.
Your security policy should now look similar to this:
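The NAT and security rules in steps 3 and 4 depend on one ordering rule that is easy to get wrong: the zone of the destination is taken from a route lookup on the pre-NAT destination address, NAT is applied, and the security policy is then matched on the post-NAT zone but still on the pre-NAT address. That is why the NAT rule is untrust to untrust while the security rule is untrust to dmz with the external IP as destination. Here is a Python model of that lookup order, added as an example (not PAN-OS code and not from the original article). The webserver's internal address 10.0.1.10 on ethernet1/2.200, the internet client 203.0.113.5 and ssh as the "management" application on the trust rule are constructed assumptions; the article only says the dmz uses a different subnet and that additional applications are added.

```python
import ipaddress

# Constructed to match the article's addressing. The dmz subnet 10.0.1.0/24 and
# the webserver address 10.0.1.10 are assumptions.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/24"), "ethernet1/2.100"),
    (ipaddress.ip_network("10.0.1.0/24"), "ethernet1/2.200"),
    (ipaddress.ip_network("198.51.100.0/28"), "ethernet1/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),   # default route via 198.51.100.1
]
ZONES = {"ethernet1/1": "untrust", "ethernet1/2.100": "trust", "ethernet1/2.200": "dmz"}
EXTERNAL_IP = "198.51.100.2"
WEBSERVER_IP = "10.0.1.10"   # assumed


def zone_of(ip):
    """Zone of an address = zone of the egress interface from a longest-prefix lookup."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in ROUTES if addr in r[0]]
    return ZONES[max(matches, key=lambda r: r[0].prefixlen)[1]]


# Step 3: untrust -> untrust, destination = firewall's external IP, translate to the webserver.
NAT_RULES = [
    {"name": "webserver_dnat", "from": "untrust", "to": "untrust",
     "dst": EXTERNAL_IP, "translated_dst": WEBSERVER_IP},
]

# Step 4. The untrust rule names the pre-NAT (external) address but the post-NAT zone.
SECURITY_RULES = [
    {"name": "access_to_webserver", "from": "untrust", "to": "dmz",
     "dst": EXTERNAL_IP, "apps": {"web-browsing"}},
    {"name": "trust_to_webserver", "from": "trust", "to": "dmz",
     "dst": WEBSERVER_IP, "apps": {"web-browsing", "ssh"}},   # ssh assumed
]


def process(src_ip, dst_ip, app):
    """Return (matching security rule name or None, destination IP after NAT)."""
    src_zone = zone_of(src_ip)
    pre_nat_zone = zone_of(dst_ip)          # looked up before any translation
    translated = dst_ip
    for rule in NAT_RULES:
        if rule["from"] == src_zone and rule["to"] == pre_nat_zone and rule["dst"] == dst_ip:
            translated = rule["translated_dst"]
            break
    post_nat_zone = zone_of(translated)     # the zone the packet will really leave through
    for rule in SECURITY_RULES:
        if (rule["from"] == src_zone and rule["to"] == post_nat_zone
                and rule["dst"] == dst_ip and app in rule["apps"]):   # pre-NAT address
            return rule["name"], translated
    return None, translated


if __name__ == "__main__":
    print(process("203.0.113.5", "198.51.100.2", "web-browsing"))   # allowed, reaches 10.0.1.10
    print(process("203.0.113.5", "198.51.100.2", "ssh"))            # no rule: dropped
    print(process("10.0.0.50", "10.0.1.10", "ssh"))                 # internal management path
```

Run the three calls and note the second one: the same NAT rule still rewrites the destination, but no security rule permits ssh from untrust, so the firewall drops it. Keeping the application list on the internet-facing rule to web-browsing only is what limits exposure of the webserver to the service you actually intend to publish.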
After you commit this new configuration, interface ethernet1/2 will accept 'tagged' packets for VLAN 100 and 200 and the webserver will become available to the outside world.
Thank you for reading—please leave any comments in the comment section below.
Regards,
Tom
___________________________________________________________________________________________________________________
Getting Started: Layer 2 Interfaces
What more can my firewall do? Layer 2 interfaces—
In the previous installments of Getting Started, we covered how to set up the firewall from scratch. In this next series, we'll be covering more advanced configuration features that will help you fine tune your firewall to better suit your environment. This week, we'll take a look at Layer 2 interfaces and how the firewall can be set up to provide bridging between VLANs while enforcing security policies and providing threat prevention to keep your network secure.
We already covered VLAN tags as Layer 3 subinterfaces in Getting Started — Layer 3 Subinterfaces, but PAN-OS also enables you to create true Layer 2 interfaces that act the same way a switch would.
We'll start with a simple example where we have two Layer 2 interfaces in the same zone and the same VLAN. This scenario could be practical if, for example, you have both servers and clients on the same IP subnet and want to allow sessions to be formed, but need to control which applications are used, and/or need to provide threat prevention without changing the IP subnet.
On the switch, you could set each set of machines into a separate VLAN, for example, servers in VLAN 20 and clients in VLAN 30, and have the firewall serve as a bridge between these VLANS:
- First, you'll need to create a VLAN interface to be used by the physical interfaces we will set to Layer 2. Navigate to the Network tab, open Interfaces from the left pane and open the VLAN tab. There will already be one default VLAN interface present, which you can reuse if you like, but we'll create a new one by clicking the Add button.
You'll assign the interface an ID, add any relevant comment and assign the interface to the default Virtual Router and add it to the Trust zone. Note that the ID is simply an identification number for the interface and does not influence any 802.1Q tagging.
If you then try to assign a VLAN to the interface, you'll notice there aren't any available yet, so go ahead and click the new VLAN link to start creating a new VLAN object.
Simply give it a name and click OK for now. The VLAN interface should look somewhat like this. Go ahead and click OK.
- From here, we're going to set interface ethernet1/2 to Layer2 and set the proper VLAN configuration. Navigate to the Ethernet tab and open interface ethernet1/2's properties, then change the Interface Type to Layer2.
After setting the interface to Layer2, set the VLAN to the newly created VLAN object, but notice that the security zone does not show any option. This is because we have not yet created any Layer 2 Security Zones.
Any Security Zone configured on the firewall is also attached to a specific network type, like Layer 3, VWire, or Layer 2. In the VLAN configuration in Step 1, we added the VLAN.100 interface to the default router and Layer 3 Trust Security Zone. This is to allow traffic to pass from Layer 2 to Layer 3. We'll take a look at that after we've completed this phase of the Layer 2 introduction.
Click the new Zone link to create a new zone named L2-Trust:
- Repeat the above step for interface ethernet1/3.
- The last stage is to create an intrazone security policy to allow more granular control over applications connecting both segments and applying security profiles to these sessions. Open the Policies tab and navigate to Security on the left pane. Click Add to create a new security policy. From the Rule Type dropdown, select 'intrazone' as the Type.
Next, navigate to the Source tab, click Add, and set the source zone to L2-Trust.
Because this is an intrazone Security Policy, the destination zone selection has been made inaccessible and is dependent on the source configuration.
Set the applications to what is appropriate between the segments. These are solely the applications you want to allow between the internal hosts. This does not apply to any connections going to or coming from other networks.
Lastly, set security profiles so any sessions between your internal hosts are also inspected for vulnerabilities, exploits, viruses, and so on.
Your security policy should now look similar to this:
Rule1, as seen above, will be used in the next segment, Layer2 Routing.
This configuration will ensure your hosts all remain on the same IP subnet, but can be segregated depending on their role.
More interfaces can be added to provide even more segments or tagged subinterfaces can be added in a similar fashion as described in Getting Started: Layer 3 — Subinterfaces.
Layer 2 Routing
As the next step, you may want to enable internet access for the hosts in your network, so you will need to enable some Layer 3 functionality in the Layer2 config. You may have noticed some Layer 3-looking configuration in the VLAN configuration earlier, and this is where we will need to enable the functionality.
- Navigate back to the Network tab.
- Access Interfaces on the left pane.
- Open the VLAN tab.
- Edit the vlan.100 object.
- Navigate to the IPv4 tab.
- Click Add.
- Enter the IP address the hosts on your network will use as the default gateway, with its subnet mask.
The VLAN interface now functions as a Layer 3 interface towards the outside world. Any sessions originating from your internal hosts to the outside world will be handled by the firewall as coming from the Layer 3 Trust zone going to the Layer 3 Untrust zone.
Please be aware you may need some additional configuration to allow for outbound connections, including the default route in your virtual router, NAT configuration so the internal IP subnet is translated to the public IP address of the firewall and maybe a DHCP server to automatically assign IP addresses to workstations joining your network. Please take a look at Getting Started — Layer 3, NAT, and DHCP where we cover these configuration steps in more detail.
The NAT policy required to reach the internet:
The Virtual Router configuration:
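To tie the two halves of this article together, here is a Python model of the Layer 2 VLAN object with ethernet1/2 and ethernet1/3 as member ports and vlan.100 as its Layer 3 exit. It is an added example, not PAN-OS code and not from the original article. It learns MAC addresses like a switch, floods unknown or broadcast destinations to the other member ports, applies the intrazone L2-Trust rule to sessions between the segments, and hands frames addressed to the VLAN interface's MAC to Layer 3 as traffic from the trust zone. The MAC addresses, the application list on the intrazone rule and the application identified for each frame are constructed assumptions.

```python
# Constructed topology from the article: ethernet1/2 and ethernet1/3 are
# Layer 2 ports in one VLAN object and zone L2-Trust; vlan.100 is the VLAN
# interface that carries traffic on to Layer 3 (zone trust).
L2_PORTS = {"ethernet1/2": "L2-Trust", "ethernet1/3": "L2-Trust"}
VLAN_INTERFACE_MAC = "00:1b:17:00:01:00"          # assumed MAC of vlan.100
INTRAZONE_ALLOWED_APPS = {"ssl", "smb", "dns"}    # assumed intrazone rule for L2-Trust
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Layer2Vlan:
    def __init__(self):
        self.mac_table = {}   # learned MAC -> member port

    def forward(self, ingress_port, src_mac, dst_mac, app):
        """Decide what happens to one frame; app is the application identified
        for its session. Returns (action, list of egress interfaces)."""
        if ingress_port not in L2_PORTS:
            return ("drop", [])
        self.mac_table[src_mac] = ingress_port            # learn, like a switch would
        if dst_mac == VLAN_INTERFACE_MAC:
            # Addressed to the default gateway: leaves Layer 2 and is handled as a
            # Layer 3 session from zone trust (the Layer 2 Routing section).
            return ("route", ["vlan.100"])
        other_ports = [p for p in L2_PORTS if p != ingress_port]
        if dst_mac == BROADCAST:
            return ("flood", other_ports)
        # Both member ports are in L2-Trust, so the intrazone rule decides.
        if app not in INTRAZONE_ALLOWED_APPS:
            return ("deny", [])
        egress = self.mac_table.get(dst_mac)
        if egress is None:
            return ("flood", other_ports)                 # unknown unicast
        if egress == ingress_port:
            return ("drop", [])                           # already on that segment
        return ("forward", [egress])


if __name__ == "__main__":
    vlan = Layer2Vlan()
    client, server = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed MACs
    print(vlan.forward("ethernet1/2", client, BROADCAST, "arp"))           # flood to ethernet1/3
    print(vlan.forward("ethernet1/3", server, client, "smb"))              # forward to ethernet1/2
    print(vlan.forward("ethernet1/2", client, server, "telnet"))           # denied by intrazone rule
    print(vlan.forward("ethernet1/2", client, VLAN_INTERFACE_MAC, "ssl"))  # routed via vlan.100
```

The point of the model is the middle branch: two hosts on the same IP subnet never talk to each other without passing the intrazone rule, which is exactly what the Layer 2 deployment buys you over a plain switch, while traffic to the gateway MAC takes the Layer 3 path and is subject to the trust-to-untrust rules and NAT described in the Layer 3 article.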
I hope you enjoyed this article and found it useful. Feel free to post any remarks or questions in the comment section below.
Regards,