Palo Alto Networks: Mocked up project task

Introduction
An organisation has gone through a gap analysis by a consultant and has engaged your company to carry out the phase 1 implementation based on the consultant's treatment plan. This is a new office for the organisation. The implementation is broken down into phases; you will first implement phase 1.

Scope
1. Implement VLAN to segregate networks.
2. Create zones across all VLANs.
3. Apply phase 1 firewall policy on the zones.
4. Change the out-of-band management interface subnet to 192.168.1.0/29 and permit only two management PCs, 192.168.1.3 and 192.168.1.4, to access it.
5. Change admin password in the firewall, create one deviceadmin, and one devicereader.
6. Users with superuser privilege should not be allowed to access the web interface and SSH of the PA firewall.

Network diagram
PA-LAB1

Phase 1 Firewall policy
There are four zones altogether, namely: public_service, private_service, untrust, office.
The policy is defined as follows:
1. Only the web server in the public_service zone is allowed to extract data from the SQL server in the private_service zone.

2. Users in the untrust zone cannot access the private_service and office zones.

3. Users in the untrust zone have limited access to the public_service zone: they can only access two servers, namely the FTP server and the web server in the public_service zone.

4. Users in the office zone can access the untrust zone but cannot access the private_service zone.

5. Users in the office zone are only allowed to retrieve email from the email server (172.17.3.254) located in the office zone.

6. The email server (192.168.100.34) in the private_service zone is only accessible by the email server (172.17.3.254) in the office zone.

Change PA firewall admin password

admin@PA-5050> configure
Entering configuration mode
[edit]
admin@PA-5050# set mgt-config users admin password
admin@PA-5050# commit

Create devicereader and deviceadmin accounts

Create user dadmin and assign password and deviceadmin role.

admin@PA-5050# set mgt-config users dadmin password
Enter password   :
Confirm password :

[edit]
admin@PA-5050# set mgt-config users dadmin permissions role-based deviceadmin localhost.localdomain

Create user dreader and assign password and devicereader role.

[edit]
admin@PA-5050# set mgt-config users dreader password
Enter password   :
Confirm password :

[edit]
admin@PA-5050# set mgt-config users dreader permissions role-based devicereader localhost.localdomain

[edit]
admin@PA-5050#

Change management interface IP and subnet

admin@PA-5050# set deviceconfig system ip-address 192.168.1.1 netmask 255.255.255.248

[edit]
admin@PA-5050#

Create zones
The untrust zone has already been defined by default.

admin@PA-5050# set zone private_service

[edit]
admin@PA-5050# set zone public_service

[edit]
admin@PA-5050# set zone office

[edit]
admin@PA-5050#

Assign interface type
ethernet1/1 is a layer3 interface in the untrust zone with IP address 1.1.1.1 255.255.255.240.
ethernet 1/2-8 are layer 2.

First remove the default virtual-wire pair, then define the network types.

admin@PA-5050# delete network interface ethernet ethernet1/1 virtual-wire

[edit]
admin@PA-5050# delete network interface ethernet ethernet1/2 virtual-wire

[edit]
admin@PA-5050# delete zone trust network virtual-wire

[edit]
admin@PA-5050# delete zone untrust network virtual-wire

[edit]

admin@PA-5050# delete network virtual-wire default-vwire

[edit]
admin@PA-5050# set network interface ethernet ethernet1/1 layer3 ip 1.1.1.1/28
[edit]
admin@PA-5050# edit network interface
[edit network interface]
admin@PA-5050# set ethernet ethernet1/2 layer2

[edit network interface]
admin@PA-5050# set ethernet ethernet1/3 layer2

[edit network interface]
admin@PA-5050# set ethernet ethernet1/4 layer2

[edit network interface]
admin@PA-5050# set ethernet ethernet1/5 layer2

[edit network interface]
admin@PA-5050# set ethernet ethernet1/6 layer2

[edit network interface]
admin@PA-5050# set ethernet ethernet1/7 layer2

[edit network interface]
admin@PA-5050# set ethernet ethernet1/8 layer2

[edit network interface]
admin@PA-5050# set ethernet ethernet1/9 layer2
[edit network interface]
admin@PA-5050# commit


....60%99%.....100%
Configuration committed successfully
Interface ethernet1/1 has no zone configuration.
Interface ethernet1/1 has no virtual-router configuration.

[edit network interface]
admin@PA-5050#

Create vlan
Vlan 10 for public_service
Vlan 20 for private_service
Vlan 30 for office

First create vlan interfaces

[edit network interface]
admin@PA-5050# set vlan units vlan.10 ip 192.168.100.1/27

[edit network interface]
admin@PA-5050# set vlan units vlan.20 ip 192.168.100.33/27

[edit network interface]
admin@PA-5050# set vlan units vlan.30 ip 172.17.0.1/22

Then group interfaces into vlan.

[edit network interface]
admin@PA-5050# up
[edit network]
admin@PA-5050# set vlan public_vlan interface [ ethernet1/2 ethernet1/3 ] virtual-interface interface vlan.10 l3-forwarding yes

[edit network]
admin@PA-5050# set vlan private_vlan interface [ ethernet1/4 ethernet1/5 ] virtual-interface interface vlan.20 l3-forwarding yes

[edit network]
admin@PA-5050# set vlan office_vlan interface [ ethernet1/6 ethernet1/7 ethernet1/8 ethernet1/9 ] virtual-interface interface vlan.30 l3-forwarding yes

[edit network]
admin@PA-5050# commit


....55%99%.....100%
Configuration committed successfully
Interface ethernet1/1 has no zone configuration.
Interface ethernet1/1 has no virtual-router configuration.
Interface vlan.10 has no zone configuration.
Interface vlan.10 has no virtual-router configuration.
Interface vlan.20 has no zone configuration.
Interface vlan.20 has no virtual-router configuration.
Interface vlan.30 has no zone configuration.
Interface vlan.30 has no virtual-router configuration.

[edit network]
admin@PA-5050#

Create virtual router
Include all VLAN interfaces and the layer3 interface in this virtual router.

admin@PA-5050# set virtual-router VR1 interface [ ethernet1/1 vlan.10 vlan.20 vlan.30 ] routing-table ip static-route routing-table1 destination 0.0.0.0/0 nexthop ip-address 1.1.1.2

[edit network]
admin@PA-5050#

Assign zones onto interfaces

[edit network]
admin@PA-5050# up
[edit]
admin@PA-5050# set zone public_service network layer2 [ ethernet1/2 ethernet1/3 ]

[edit]
admin@PA-5050# set zone private_service network layer2 [ ethernet1/4 ethernet1/5 ]

[edit]
admin@PA-5050# set zone office network layer2 [ ethernet1/6 ethernet1/7 ethernet1/8 ethernet1/9 ]

[edit]
admin@PA-5050# set zone untrust network layer3 ethernet1/1

[edit]
admin@PA-5050# set zone public_service network layer3 vlan.10

[edit]
admin@PA-5050# set zone private_service network layer3 vlan.20

[edit]
admin@PA-5050# set zone office network layer3 vlan.30

[edit]
admin@PA-5050# delete rulebase security rules rule1

[edit]
admin@PA-5050# commit


....55%98%.....100%
Configuration committed successfully

[edit]
admin@PA-5050#

I have to delete the default rule1; I will create my own rules for the firewall policy flow.

Address and address-group

Define addresses and group them into address-groups. This is the same approach as Cisco ASA object and object-group: configuring policy with addresses and address-groups makes policy changes more scalable, and meaningful names for each address and address-group make it easy to identify the hosts.

admin@PA-5050# set address web_server_public ip-netmask 192.168.100.29/27
admin@PA-5050# set address ftp_server_public ip-netmask 192.168.100.30/27

[edit]
admin@PA-5050# set address sql_server_private ip-netmask 192.168.100.61/27

[edit]
admin@PA-5050# set address email_server_private ip-netmask 192.168.100.62/27

[edit]
admin@PA-5050# set address email_server_office ip-netmask 172.17.0.2/22

admin@PA-5050# set address office_users ip-range 172.17.0.10-172.17.3.254

[edit]
admin@PA-5050#

[edit]
admin@PA-5050# set address-group public_service_group [ web_server_public ftp_server_public ]

[edit]
admin@PA-5050# set address-group private_service_group [ email_server_private sql_server_private ]

[edit]
admin@PA-5050# set address-group office_group [ office_users email_server_office ]

[edit]
admin@PA-5050# set address untrust-zone-address ip-netmask 1.1.1.1

[edit]
admin@PA-5050#
[edit]
admin@PA-5050# commit


.....75%99%.....100%
Configuration committed successfully

Create service and service group

[edit]
admin@PA-5050# set service service-ftp protocol tcp port 21

[edit]
admin@PA-5050# set service service-mysql protocol tcp port 3306

[edit]
admin@PA-5050# set service service-mssql protocol tcp port 1433

[edit]
admin@PA-5050# set service service-postgresql protocol tcp port 5432

[edit]
admin@PA-5050# set service-group service-sql_server [ service-mssql service-mysql service-postgresql ]

[edit]
admin@PA-5050# set service service-pop3 protocol tcp port 110

[edit]
admin@PA-5050# set service service-smtp protocol tcp port 25

[edit]
admin@PA-5050# set service-group service-email_server [ service-pop3 service-pop3-secure service-smtp service-smtp-secure ]

admin@PA-5050# set service service-ssh protocol tcp port 22
[edit]
admin@PA-5050# commit


....55%99%.....100%
Configuration committed successfully

[edit]
admin@PA-5050#

Create layer2 security zone for intra-vlan switching

The name of the layer2 zone should not be more than 12 characters. If there are no layer2 zones, hosts within the same VLAN cannot communicate with one another, since there is no policy defined; when no policy is defined for a flow, the implicit deny is applied.

admin@PA-5050# set zone office_l2 network layer2 [ ethernet1/6 ethernet1/7 ethernet1/8 ethernet1/9 ]

[edit]
admin@PA-5050# set zone public_l2 network layer2 [ ethernet1/2 ethernet1/3 ]

[edit]
admin@PA-5050#

Define policy for layer2 zone

The first step is to create a policy for the layer 2 intra-zone traffic. Policy configuration is best done from the web UI; using the CLI for this is really tedious.
[edit]
admin@PA-5050# set rulebase security rules office-to-email_l2_policy from office_l2 to office_l2 description "office users to access office email" service service-email_server application [ pop3 smtp ] destination email_server_office source office_users action allow

[edit]
admin@PA-5050#

Below is how it looks in the web UI after you have configured it.

The end result after you have configured the policy.

From the web UI click on Policies tab, then choose Security from the menu on the left. Then click Add button.

Choose an arbitrary name for your security policy and add a description if needed.

Add the specific source zone and address. I have created an address object that contains the range of office users' IP addresses.

Add the specific destination zone and address. I have created a specific address object for the office email server.
This is what makes the PA firewall very different: you can create policy based on layer 7. What I am worried about is whether smtp and pop also include the SSL variants or not...

Add a service or service group. I have created a service group for this.

Choose the action to allow.

Click the Objects tab, then choose Service Groups from the menu on the left.

I have assigned my defined services into the service-group.

Click the Objects tab, then choose Services from the menu on the left.

These are the layer4 ports I defined and assigned to services.

Create the intra-VLAN switching policy.

admin@PA-5050# set rulebase security rules office_users-to-office_users_l2 from office_l2 to office_l2 description "Office users to office users communication" service any source office_users destination office_users application any action allow

[edit]
admin@PA-5050#

NAT for office users to untrust
Click on the Policies tab, then select NAT from the menu on the left.

Give the NAT policy an arbitrary name and write a description if needed.

When traffic flows from the office zone to the untrust zone, the source office address is translated.

The untrust interface address is used for PAT for all office users.

In the command line it looks like this:

admin@PA-5050# set rulebase nat rules office-to-untrust description "Office users to access untrust zone" from office to untrust source office_users destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1 ip 1.1.1.1/28

[edit]
admin@PA-5050#

Allow untrust user to access public_service zone
Although network address translation provides a way to preserve IPv4 addresses, it comes with a caveat: peer-to-peer connections become a problem, since the source address is translated.

In order for untrust users from the public network to access the web server and FTP server, a security policy has to be created to allow the flow from the untrust zone to the public_service zone; the policy also has to include the destination address that the untrust users use to refer to the servers.

A destination NAT rule has to be created as well. Here I am using one-to-many destination translation: to the untrust user, the web server and FTP server are only reachable through the public address of the firewall's untrust interface.

admin@PA-5050# set address web_server_public ip-netmask 192.168.100.29
admin@PA-5050# set address ftp_server_public ip-netmask 192.168.100.30
admin@PA-5050# set address untrust-zone-address ip-netmask 1.1.1.1

It is possible to include the prefix length as well; however, the translated address and the destination address must then have the same prefix length. It is best not to include the prefix length but only the IP address.

A list of the addresses I have created.

Creating addresses and address-groups is not compulsory, but it makes complex rules and policies easier to read and more scalable.

This is the security policy rule. With the use of addresses or address groups the policy is easy to understand, and changing or adding policy is easier.

To configure the security policy in the CLI:

admin@PA-5050# set rulebase security rules untrust-to-public from untrust to public_service source any destination untrust-zone-address application [ ftp web-browsing ] service [ service-http service-https service-ftp ] action allow
These are the destination NAT policies.

To configure these NAT policy rules in the CLI:

admin@PA-5050# set rulebase nat rules inbound-http from untrust to untrust service service-http source any destination untrust-zone-address destination-translation translated-address web_server_public

admin@PA-5050# set rulebase nat rules inbound-https from untrust to untrust service service-https source any destination untrust-zone-address destination-translation translated-address web_server_public

admin@PA-5050# set rulebase nat rules inbound-ftp from untrust to untrust service service-ftp source any destination untrust-zone-address destination-translation translated-address ftp_server_public
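As an added verification example (not part of the original post and not PAN-OS code), the Python below models first-match security policy lookup with the PAN-OS default behaviour (traffic staying inside one zone is allowed by the predefined intrazone-default rule, everything else hits interzone-default and is denied), loads the address objects, services and rules configured above, and reports which phase 1 requirements the rulebase as shown already meets. The untrust hosts 203.0.113.7 and 198.51.100.9 and the office client 172.17.0.50 are constructed test values.

```python
import ipaddress
# Added example, not PAN-OS code: a minimal model of PAN-OS security policy lookup loaded with
# the address objects, services and rules transcribed from this post (constructed test flows).
def addr(spec):
    """'a.b.c.d', 'a.b.c.d/nn' or 'a.b.c.d-e.f.g.h' -> inclusive (low, high) integer pair."""
    if "-" in spec:
        return tuple(int(ipaddress.ip_address(p)) for p in spec.split("-"))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)

ADDRESSES = {
    "web_server_public": addr("192.168.100.29"), "ftp_server_public": addr("192.168.100.30"),
    "sql_server_private": addr("192.168.100.61"), "email_server_private": addr("192.168.100.62"),
    "email_server_office": addr("172.17.0.2"), "untrust-zone-address": addr("1.1.1.1"),
    "office_users": addr("172.17.0.10-172.17.3.254"),
}
SERVICES = {  # TCP ports; service-pop3-secure/-smtp-secure are never defined in the post, so omitted
    "service-email_server": {110, 25}, "service-sql_server": {1433, 3306, 5432},
    "service-http": {80}, "service-https": {443}, "service-ftp": {21}, "any": None,
}
# (name, from-zone, to-zone, source, destination, services, action) in configured order
RULEBASE = [
    ("office-to-email_l2_policy", "office_l2", "office_l2", "office_users", "email_server_office", ["service-email_server"], "allow"),
    ("office_users-to-office_users_l2", "office_l2", "office_l2", "office_users", "office_users", ["any"], "allow"),
    ("untrust-to-public", "untrust", "public_service", "any", "untrust-zone-address", ["service-http", "service-https", "service-ftp"], "allow"),
]

def _hit(obj, ip):
    return obj == "any" or ADDRESSES[obj][0] <= int(ipaddress.ip_address(ip)) <= ADDRESSES[obj][1]

def lookup(src_zone, src_ip, dst_zone, dst_ip, dst_port):
    """First match wins; otherwise PAN-OS defaults: intrazone-default allows, interzone-default denies."""
    for name, frm, to, src, dst, svcs, action in RULEBASE:
        if ((frm, to) == (src_zone, dst_zone) and _hit(src, src_ip) and _hit(dst, dst_ip)
                and any(SERVICES[s] is None or dst_port in SERVICES[s] for s in svcs)):
            return name, action
    return ("intrazone-default", "allow") if src_zone == dst_zone else ("interzone-default", "deny")

def check_phase1():
    """{requirement: True if the transcribed rulebase already satisfies it}; inbound flows use pre-NAT dst, post-NAT zone."""
    want = {  # requirement -> (flow, expected action); 203.0.113.7 / 198.51.100.9 are constructed untrust hosts
        "web->sql allowed": (("public_service", "192.168.100.29", "private_service", "192.168.100.61", 3306), "allow"),
        "untrust->private denied": (("untrust", "203.0.113.7", "private_service", "192.168.100.61", 3306), "deny"),
        "untrust->web allowed": (("untrust", "203.0.113.7", "public_service", "1.1.1.1", 80), "allow"),
        "untrust->ssh denied": (("untrust", "203.0.113.7", "public_service", "1.1.1.1", 22), "deny"),
        "office->untrust allowed": (("office", "172.17.0.50", "untrust", "198.51.100.9", 443), "allow"),
        "office->private denied": (("office", "172.17.0.50", "private_service", "192.168.100.61", 3306), "deny"),
        "office->email allowed": (("office_l2", "172.17.0.50", "office_l2", "172.17.0.2", 110), "allow"),
    }
    return {req: lookup(*flow)[1] == expected for req, (flow, expected) in want.items()}
```

Requirements that come back False (web to SQL, office to untrust) fall through to the interzone deny because the post shows no security rule for them yet, only the office-to-untrust NAT rule; they still need their own allow rules in phase 1.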

3 thoughts on “Palo Alto Networks: Mocked up project task”

  1. Cool, but your l2 policy is not required as the implicit deny only applies to traffic moving between zones, not within.

    1. Hi Darren! Thank you for your advice! I was trying some mocked up and noticed that there are zone types difference, I misunderstood that I would need to define layer 2 policy in order for hosts within the same subnet and irregardless of zones to switch.. Thanks again 😀

  2. Great post. I know this is just a tutorial, but I'm asking your opinion about putting the DataCenter/Internal Server Zone in the same physical firewall with the DMZ Zone?

    Thx
