Introduction
An organisation has gone through a gap analysis performed by a consultant and has engaged your company to carry out the phase 1 implementation of the consultant's treatment plan. The site is a new office for the organisation. The implementation is broken into phases; phase 1 is implemented first.
Scope
1. Implement VLAN to segregate networks.
2. Create zones across all VLANs.
3. Apply phase 1 firewall policy on the zones.
4. Change the out-of-band management interface subnet to 192.168.1.0/29 and allow only two management PCs, 192.168.1.3 and 192.168.1.4, to access it.
5. Change admin password in the firewall, create one deviceadmin, and one devicereader.
6. Users without superuser privilege should not be able to administer the PA firewall beyond their assigned role; the shared superuser account should not be used for day-to-day web interface or SSH access.
Phase 1 Firewall policy
There are four zones altogether namely: public_service, private_service, untrust, office.
The policy is defined as follows:
1. Only the web server in the public_service zone is allowed to extract data from the SQL server in the private_service zone.
2. Users from the untrust zone cannot access the private_service and office zones.
3. Users from the untrust zone have limited access to the public_service zone: they can only reach two servers, the FTP server and the web server.
4. Users from the office zone can access the untrust zone but cannot access the private_service zone.
5. Users from the office zone are only allowed to retrieve email from the email server (172.17.3.254) located in the office zone.
6. The email server (192.168.100.34) in the private_service zone is only accessible from the email server (172.17.3.254) in the office zone.
Change PA firewall admin password
admin@PA-5050> configure
Entering configuration mode
[edit]
admin@PA-5050# set mgt-config users admin password
Enter password :
Confirm password :
[edit]
admin@PA-5050# commit
Create devicereader and deviceadmin accounts
Create user dadmin and assign a password and the deviceadmin role:
admin@PA-5050# set mgt-config users dadmin password
Enter password :
Confirm password :
[edit]
admin@PA-5050# set mgt-config users dadmin permissions role-based deviceadmin localhost.localdomain
Create user dreader and assign a password and the devicereader role:
[edit]
admin@PA-5050# set mgt-config users dreader password
Enter password :
Confirm password :
[edit]
admin@PA-5050# set mgt-config users dreader permissions role-based devicereader localhost.localdomain
[edit]
admin@PA-5050# commit
Change management interface IP and subnet
admin@PA-5050# set deviceconfig system ip-address 192.168.1.1 netmask 255.255.255.248
[edit]
admin@PA-5050# commit
Scope item 4 also requires that only 192.168.1.3 and 192.168.1.4 may reach the management interface; that restriction is configured separately under the management interface's Permitted IP Addresses (deviceconfig system permitted-ip) and is not shown here. Commit this change from a management PC that will still be on the new subnet, otherwise the session is lost on commit.
Create zones
The untrust zone has already been defined by default.
admin@PA-5050# set zone private_service
[edit]
admin@PA-5050# set zone public_service
[edit]
admin@PA-5050# set zone office
[edit]
admin@PA-5050#
Assign interface type
ethernet1/1 for the untrust zone: layer 3, IP address 1.1.1.1 255.255.255.240.
ethernet1/2 to ethernet1/9: layer 2 (these are the interfaces grouped into the VLANs below).
First remove the default virtual-wire pair, then define the interface types.
admin@PA-5050# delete network interface ethernet ethernet1/1 virtual-wire
[edit]
admin@PA-5050# delete network interface ethernet ethernet1/2 virtual-wire
[edit]
admin@PA-5050# delete zone trust network virtual-wire
[edit]
admin@PA-5050# delete zone untrust network virtual-wire
[edit]
admin@PA-5050# delete network virtual-wire default-vwire
[edit]
admin@PA-5050# set network interface ethernet ethernet1/1 layer3 ip 1.1.1.1/28
[edit]
admin@PA-5050# edit network interface
[edit network interface]
admin@PA-5050# set ethernet ethernet1/2 layer2
admin@PA-5050# set ethernet ethernet1/3 layer2
admin@PA-5050# set ethernet ethernet1/4 layer2
admin@PA-5050# set ethernet ethernet1/5 layer2
admin@PA-5050# set ethernet ethernet1/6 layer2
admin@PA-5050# set ethernet ethernet1/7 layer2
admin@PA-5050# set ethernet ethernet1/8 layer2
admin@PA-5050# set ethernet ethernet1/9 layer2
admin@PA-5050# commit
....60%99%.....100%
Configuration committed successfully
Interface ethernet1/1 has no zone configuration.
Interface ethernet1/1 has no virtual-router configuration.
[edit network interface]
admin@PA-5050#
The two warnings are expected at this point: the interface passes no traffic until it is assigned to a zone and a virtual router, which is done below.
Create vlan
Vlan 10 for public_service
Vlan 20 for private_service
Vlan 30 for office
First create the VLAN interfaces:
[edit network interface]
admin@PA-5050# set vlan units vlan.10 ip 192.168.100.1/27
admin@PA-5050# set vlan units vlan.20 ip 192.168.100.33/27
admin@PA-5050# set vlan units vlan.30 ip 172.17.0.1/22
Then group the physical interfaces into each VLAN:
[edit network interface]
admin@PA-5050# up
[edit network]
admin@PA-5050# set vlan public_vlan interface [ ethernet1/2 ethernet1/3 ] virtual-interface interface vlan.10 l3-forwarding yes
admin@PA-5050# set vlan private_vlan interface [ ethernet1/4 ethernet1/5 ] virtual-interface interface vlan.20 l3-forwarding yes
admin@PA-5050# set vlan office_vlan interface [ ethernet1/6 ethernet1/7 ethernet1/8 ethernet1/9 ] virtual-interface interface vlan.30 l3-forwarding yes
admin@PA-5050# commit
....55%99%.....100%
Configuration committed successfully
Interface ethernet1/1 has no zone configuration.
Interface ethernet1/1 has no virtual-router configuration.
Interface vlan.10 has no zone configuration.
Interface vlan.10 has no virtual-router configuration.
Interface vlan.20 has no zone configuration.
Interface vlan.20 has no virtual-router configuration.
Interface vlan.30 has no zone configuration.
Interface vlan.30 has no virtual-router configuration.
[edit network]
admin@PA-5050#
Create virtual router
Attach all VLAN interfaces and the layer 3 interface to this virtual router, and add a default route towards the upstream next hop 1.1.1.2:
[edit network]
admin@PA-5050# set virtual-router VR1 interface [ ethernet1/1 vlan.10 vlan.20 vlan.30 ]
admin@PA-5050# set virtual-router VR1 routing-table ip static-route routing-table1 destination 0.0.0.0/0 nexthop ip-address 1.1.1.2
[edit network]
admin@PA-5050#
Assign zones onto interfaces
[edit network]
admin@PA-5050# up
[edit]
admin@PA-5050# set zone public_service network layer2 [ ethernet1/2 ethernet1/3 ]
admin@PA-5050# set zone private_service network layer2 [ ethernet1/4 ethernet1/5 ]
admin@PA-5050# set zone office network layer2 [ ethernet1/6 ethernet1/7 ethernet1/8 ethernet1/9 ]
admin@PA-5050# set zone untrust network layer3 ethernet1/1
admin@PA-5050# set zone public_service network layer3 vlan.10
admin@PA-5050# set zone private_service network layer3 vlan.20
admin@PA-5050# set zone office network layer3 vlan.30
admin@PA-5050# delete rulebase security rules rule1
admin@PA-5050# commit
....55%98%.....100%
Configuration committed successfully
[edit]
admin@PA-5050#
The default rule1 is deleted here because it permits traffic that the phase 1 policy does not; the rules for the required flows are created explicitly below, so that anything not listed falls to the implicit deny between zones.
Address and address-group
Define address objects and group them into address-groups. This is the same idea as Cisco ASA object and object-group: writing policy against named objects makes changes more scalable and lets you give each host a meaningful name. One caveat matters for security: a host object must be written without a prefix (or as /32). An object such as 192.168.100.29/27 does not mean "host .29 in a /27"; it matches the entire 192.168.100.0/27 network, so any rule using it would silently admit every host in the public subnet. The office email server object is 172.17.3.254 to match the policy above, and the office_users range stops at 172.17.3.253 so that the server is not also treated as an ordinary office user.
admin@PA-5050# set address web_server_public ip-netmask 192.168.100.29
admin@PA-5050# set address ftp_server_public ip-netmask 192.168.100.30
admin@PA-5050# set address sql_server_private ip-netmask 192.168.100.61
admin@PA-5050# set address email_server_private ip-netmask 192.168.100.62
admin@PA-5050# set address email_server_office ip-netmask 172.17.3.254
admin@PA-5050# set address office_users ip-range 172.17.0.10-172.17.3.253
admin@PA-5050# set address untrust-zone-address ip-netmask 1.1.1.1
[edit]
admin@PA-5050# set address-group public_service_group [ web_server_public ftp_server_public ]
admin@PA-5050# set address-group private_service_group [ email_server_private sql_server_private ]
admin@PA-5050# set address-group office_group [ office_users email_server_office ]
[edit]
admin@PA-5050# commit
.....75%99%.....100%
Configuration committed successfully
Create service and service group
Every member of a service-group must exist before the commit, so the secure POP3 and SMTP services referenced by service-email_server are defined here as well (standard ports 995 and 465 assumed).
[edit]
admin@PA-5050# set service service-ftp protocol tcp port 21
admin@PA-5050# set service service-mysql protocol tcp port 3306
admin@PA-5050# set service service-mssql protocol tcp port 1433
admin@PA-5050# set service service-postgresql protocol tcp port 5432
admin@PA-5050# set service-group service-sql_server [ service-mssql service-mysql service-postgresql ]
admin@PA-5050# set service service-pop3 protocol tcp port 110
admin@PA-5050# set service service-pop3-secure protocol tcp port 995
admin@PA-5050# set service service-smtp protocol tcp port 25
admin@PA-5050# set service service-smtp-secure protocol tcp port 465
admin@PA-5050# set service-group service-email_server [ service-pop3 service-pop3-secure service-smtp service-smtp-secure ]
admin@PA-5050# set service service-ssh protocol tcp port 22
admin@PA-5050# commit
....55%99%.....100%
Configuration committed successfully
[edit]
admin@PA-5050#
Create layer2 security zone for intra-vlan switching
The name of a layer 2 zone should not be more than 12 characters. This step was taken on the assumption that hosts in the same VLAN cannot talk to each other without an explicit policy. That assumption is wrong (see the comments below): the implicit deny applies only to traffic between zones, while traffic between hosts in the same zone is allowed by default. In addition, an interface can belong to only one zone, so ethernet1/6 to 1/9 cannot be placed in office_l2 while they are already assigned to office. The commands are kept here as a record of what was attempted; they are not needed for intra-VLAN switching.
admin@PA-5050# set zone office_l2 network layer2 [ ethernet1/6 ethernet1/7 ethernet1/8 ethernet1/9 ]
[edit]
admin@PA-5050# set zone public_l2 network layer2 [ ethernet1/2 ethernet1/3 ]
[edit]
admin@PA-5050#
Define policy for layer2 zone
The first rule is an intrazone policy for the layer 2 zone. Security policy is easier to configure in the web UI; doing it from the CLI is tedious. The rule below restricts office users to the email services on the office email server; because traffic within a zone is allowed by default, an allow rule like this only has effect if a matching deny for other office-to-office traffic follows it.
[edit]
admin@PA-5050# set rulebase security rules office-to-email_l2_policy from office_l2 to office_l2 description "office users to access office email" service service-email_server application [ pop3 smtp ] destination email_server_office source office_users action allow
[edit]
admin@PA-5050#
Configured through the web UI, the result looks like the screenshots that followed in the original post.
In the web UI, click the Policies tab, choose Security from the menu on the left, then click Add.
Click the Objects tab and choose Service Groups from the menu on the left.
Click the Objects tab and choose Services from the menu on the left.
Create the intra-VLAN switching policy. As noted above, this rule is redundant: traffic between hosts in the same zone is already allowed by default.
admin@PA-5050# set rulebase security rules office_users-to-office_users_l2 from office_l2 to office_l2 description "Office users to office users communication" service any source office_users destination office_users application any action allow
[edit]
admin@PA-5050#
NAT for office users to untrust
Click on Policies tab, select NAT from the menu on the left.
From the command line it looks like this. Note that a NAT rule by itself passes no traffic: a security rule from office to untrust (policy item 4) is still required, otherwise the translated flow is dropped by the implicit deny.
admin@PA-5050# set rulebase nat rules office-to-untrust description "Office users to access untrust zone" from office to untrust source office_users destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1 ip 1.1.1.1/28
[edit]
admin@PA-5050#
Allow untrust user to access public_service zone
Although network address translation helps conserve IPv4 addresses, it comes with a caveat: peer-to-peer connections are harder because the source address is rewritten, and inbound connections only work if the firewall is told where to send them.
For untrust users on the public network to reach the web server and FTP server, a security policy must allow the flow from the untrust zone to the public_service zone. Because the destination is translated, that policy is matched on the destination address the untrust user actually connects to (the pre-NAT address) together with the zone of the translated destination (the post-NAT zone).
A destination NAT rule is needed as well. Here a one-to-many style is used: to the untrust user, both the web server and the FTP server are reached through the public address of the firewall's untrust interface, and the service (port) decides which internal server receives the connection.
The objects referenced by these rules are the host objects defined earlier, shown again here as they must look, without a subnet prefix:
admin@PA-5050# set address web_server_public ip-netmask 192.168.100.29
admin@PA-5050# set address ftp_server_public ip-netmask 192.168.100.30
admin@PA-5050# set address untrust-zone-address ip-netmask 1.1.1.1
An address object may carry a prefix length, but 192.168.100.29/27 then denotes the whole 192.168.100.0/27 network rather than the host, and for a static destination translation the original and translated objects must be of the same size. For host objects, leave the prefix off (equivalent to /32).

Creating address and address-group is not compulsory but it sure makes complex rule and policy easy to read and is more scalable.

To configure the security policy in the CLI. HTTPS traffic is identified by App-ID as ssl, not web-browsing, so ssl must be in the application list or the HTTPS flow matched by service-https will be dropped:
admin@PA-5050# set rulebase security rules untrust-to-public from untrust to public_service source any destination untrust-zone-address application [ ftp ssl web-browsing ] service [ service-http service-https service-ftp ] action allow

To configure these NAT policy rules in the CLI. The rules are from untrust to untrust because NAT rules are matched on the pre-NAT zones, and 1.1.1.1 is routed in the untrust zone. The FTP rule translates to the FTP server, not the web server:
admin@PA-5050# set rulebase nat rules inbound-http from untrust to untrust service service-http source any destination untrust-zone-address destination-translation translated-address web_server_public
admin@PA-5050# set rulebase nat rules inbound-https from untrust to untrust service service-https source any destination untrust-zone-address destination-translation translated-address web_server_public
admin@PA-5050# set rulebase nat rules inbound-ftp from untrust to untrust service service-ftp source any destination untrust-zone-address destination-translation translated-address ftp_server_public
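As an added check that is not part of the original post: the phase 1 policy stated at the top and the rules configured in this post can be tested against a small model before anything is committed. The script below is example code written for this article, not PAN-OS or vendor code. It models first-match evaluation with the default behaviour (allowed within a zone, denied between zones), uses host objects without a widening prefix, and adds three rules the post does not show (web-to-sql, office-mail-to-private-mail and office-to-untrust), which are assumptions needed to satisfy policy items 1, 4 and 6. The hosts 203.0.113.7, 198.51.100.9, 172.17.0.50 and 192.168.100.5 are constructed sample addresses.

```python
"""Simplified first-match model of a zone-based rulebase, used to check the
phase 1 requirements before anything is committed on the firewall.

Example code for this article, not PAN-OS code.  Rules are evaluated top to
bottom, the first match wins, and unmatched traffic falls to the defaults
(allowed within a zone, denied between zones).  The untrust-to-public rule is
written as in the post: pre-NAT destination address, post-NAT zone.
"""
import ipaddress


def expand(spec):
    """Turn 'a.b.c.d/len' or an ip-range 'a.b.c.d-e.f.g.h' into a list of networks."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]


# Address objects, constructed to match the post's phase 1 design.  Hosts are
# /32: a host written as 192.168.100.29/27 would match the whole public subnet.
ADDRESSES = {
    "web_server_public": expand("192.168.100.29/32"),
    "ftp_server_public": expand("192.168.100.30/32"),
    "sql_server_private": expand("192.168.100.61/32"),
    "email_server_private": expand("192.168.100.62/32"),
    "email_server_office": expand("172.17.3.254/32"),
    "office_users": expand("172.17.0.10-172.17.3.253"),
    "untrust-zone-address": expand("1.1.1.1/32"),
}

SQL = {("tcp", 3306), ("tcp", 1433), ("tcp", 5432)}
PUBLIC = {("tcp", 80), ("tcp", 443), ("tcp", 21)}


def rule(name, frm, to, src, dst, service, action):
    """service is a set of (protocol, port) tuples or the string 'any'."""
    return dict(name=name, frm=frm, to=to, src=src, dst=dst,
                service=service, action=action)


RULES = [
    # From the post.
    rule("untrust-to-public", "untrust", "public_service",
         ["any"], ["untrust-zone-address"], PUBLIC, "allow"),
    # Assumed, not shown in the post: needed for policy items 1, 6 and 4.
    rule("web-to-sql", "public_service", "private_service",
         ["web_server_public"], ["sql_server_private"], SQL, "allow"),
    rule("office-mail-to-private-mail", "office", "private_service",
         ["email_server_office"], ["email_server_private"], {("tcp", 25)}, "allow"),
    rule("office-to-untrust", "office", "untrust",
         ["office_users"], ["any"], "any", "allow"),
]


def addr_match(names, ip, addresses):
    """True if ip falls in any listed address object ('any' matches everything)."""
    if names == ["any"]:
        return True
    ip = ipaddress.ip_address(ip)
    return any(ip in net for name in names for net in addresses[name])


def evaluate(src_zone, src_ip, dst_zone, dst_ip, proto, port,
             rules=RULES, addresses=ADDRESSES):
    """Return (action, name of the rule that decided) for one flow."""
    for r in rules:
        if (r["frm"], r["to"]) != (src_zone, dst_zone):
            continue
        if not addr_match(r["src"], src_ip, addresses):
            continue
        if not addr_match(r["dst"], dst_ip, addresses):
            continue
        if r["service"] != "any" and (proto, port) not in r["service"]:
            continue
        return r["action"], r["name"]
    if src_zone == dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


# The phase 1 policy items as (flow, expected action), with constructed sample hosts.
REQUIREMENTS = {
    "1 web -> sql allowed": (("public_service", "192.168.100.29", "private_service", "192.168.100.61", "tcp", 3306), "allow"),
    "1 ftp -> sql denied": (("public_service", "192.168.100.30", "private_service", "192.168.100.61", "tcp", 3306), "deny"),
    "2 untrust -> private denied": (("untrust", "203.0.113.7", "private_service", "192.168.100.62", "tcp", 25), "deny"),
    "2 untrust -> office denied": (("untrust", "203.0.113.7", "office", "172.17.0.50", "tcp", 445), "deny"),
    "3 untrust -> web via public address allowed": (("untrust", "203.0.113.7", "public_service", "1.1.1.1", "tcp", 80), "allow"),
    "3 untrust -> other public host denied": (("untrust", "203.0.113.7", "public_service", "192.168.100.5", "tcp", 80), "deny"),
    "4 office -> untrust allowed": (("office", "172.17.0.50", "untrust", "198.51.100.9", "tcp", 443), "allow"),
    "4 office -> private denied": (("office", "172.17.0.50", "private_service", "192.168.100.61", "tcp", 3306), "deny"),
    "5 office user -> office mail allowed": (("office", "172.17.0.50", "office", "172.17.3.254", "tcp", 110), "allow"),
    "6 office mail -> private mail allowed": (("office", "172.17.3.254", "private_service", "192.168.100.62", "tcp", 25), "allow"),
    "6 office user -> private mail denied": (("office", "172.17.0.50", "private_service", "192.168.100.62", "tcp", 25), "deny"),
}


def check_phase1(rules=RULES, addresses=ADDRESSES):
    """Map each policy item to True (met) or False against the given rulebase."""
    return {name: evaluate(*flow, rules=rules, addresses=addresses)[0] == want
            for name, (flow, want) in REQUIREMENTS.items()}


if __name__ == "__main__":
    for name, ok in check_phase1().items():
        print("PASS" if ok else "FAIL", name)
```

Every check passes with the rulebase above. Replacing the web_server_public object with 192.168.100.29/27, as in the first version of the address section, makes the "ftp -> sql denied" check fail, because the FTP server now falls inside the source object of the web-to-sql rule; that is the widening a prefix on a host object causes.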
Cool, but your l2 policy is not required as the implicit deny only applies to traffic moving between zones, not within.
Hi Darren! Thank you for your advice! I was trying some mock-ups and noticed that there are zone type differences. I misunderstood that I would need to define a layer 2 policy in order for hosts within the same subnet, regardless of zones, to switch. Thanks again 😀
Great post. I know this is just a tutorial; I'm asking your opinion about putting the DataCenter/Internal Server Zone on the same physical firewall as the DMZ Zone?
Thx