There are various stages or locations in your network where you may need to
implement a firewall. The first is the perimeter of your network, where your
enterprise network begins. The internal network is where your employees sit,
separated from the internal servers that are accessed from outside. The firewall rules allow
communication from inside to outside (trust to untrust) and from untrust to trust,
but not from the DMZ into trust. It is not recommended to create policies that allow
uncontrolled communication. The firewall remembers the packets that pass through it and allows the
response to a request that went from the trust zone to the untrust zone. A request coming
from the untrust zone into the trust zone is not allowed unless a policy specifies it.
In Palo Alto, the terms policy and rule are used interchangeably to refer to the same
idea. For the firewall to allow a particular packet, one of the following two
conditions must be met: an entry already exists in the connection table for that
specific packet, or a policy matches it. If there is no existing
connection, a policy must match; otherwise the traffic is not let through. When a new
connection is established, the three-way process commonly referred to as the handshake
occurs, and the firewall tracks it so that it can keep track of all the traffic. If a fresh
connection is detected that is not permitted, the firewall will drop the traffic. The firewall maintains a database
of all established connections. The default configuration of a Palo Alto firewall is
a zone-based firewall, and by default there are two zones, Trust and
Untrust, with the option to create a DMZ. By default the firewall blocks
communication from one zone to another, while intra-zone communication
is allowed by default.
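The zone model described above, written out as PAN-OS CLI configuration. This is an added example, not configuration from the lecture; the zone names, rule names, interface numbers and addresses (RFC 5737 ranges) are constructed for illustration, and lines beginning with `#` are annotations rather than CLI input.

```text
configure

# Three layer-3 zones; the interface-to-zone binding is part of the zone definition.
set zone trust network layer3 ethernet1/2
set zone untrust network layer3 ethernet1/1
set zone dmz network layer3 ethernet1/3

# Explicit rule: trust may initiate to untrust. The reply packets are matched by
# the session table, so no untrust-to-trust rule is needed for return traffic.
set rulebase security rules trust-to-untrust from trust to untrust source any destination any application any service application-default action allow
set rulebase security rules trust-to-untrust log-end yes

# Explicit rule: outside hosts may reach only the published DMZ web service
# (dmz-web is a constructed address object for the DMZ server).
set address dmz-web ip-netmask 198.51.100.10/32
set rulebase security rules untrust-to-dmz-web from untrust to dmz source any destination dmz-web application [ web-browsing ssl ] service application-default action allow
set rulebase security rules untrust-to-dmz-web log-end yes

# No rule from dmz to trust is created, so the built-in interzone-default deny
# applies. Logging it makes those drops visible in the traffic log.
set rulebase default-security-rules rules interzone-default log-end yes

commit
exit

# Operational-mode checks: confirm the rulebase, confirm that a DMZ-to-trust
# flow falls through to interzone-default, and inspect the session table.
show running security-policy
test security-policy-match from dmz to trust source 198.51.100.10 destination 10.1.1.5 protocol 6 destination-port 22
show session all
```

The `test security-policy-match` line is the quickest way to verify, before any real traffic flows, that a path you intend to keep closed really does end at the default interzone deny rather than at an overly broad explicit rule.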
On all Palo Alto Firewall models, from the VM-50 up to the top-end appliances, a
dedicated management interface is available. By default, two rules, interzone and
intrazone, apply: intrazone traffic is allowed and interzone traffic is blocked. There are
standard protocols available through which you can communicate with the management interface: ICMP (used by
ping), HTTPS and SSH are all allowed by default. Moreover, it is possible to
restrict who can access the management interface, for instance by permitting only a
specific administration host with a given IP address. When it comes to
configuring the device, Palo Alto firewalls are similar to Juniper devices. You
enter configuration mode and use the CLI, which will be familiar to anyone who has worked
on Juniper devices. You can confirm that the configuration has taken effect by
checking the IP address with the command “show interface management”.
By default, when the firewall itself initiates communication, it does so
from the management interface, not just for ping but for any
communication. The source IP in the packet will be the management interface's address, and
the destination IP will be the target. Note that the packet will try to leave via the
management interface. Therefore, when pinging through a data interface, you must specify
the correct source address. Before deploying the firewall in production, it is important to
change the default password. We are running version 8, which is good for high
availability and other features. In future classes we will cover version 10, which
is the latest version. Choosing a default gateway is like choosing between a direct
flight and a layover. If you want the firewall to forward your packets, you must
ensure that the packet from your PC actually reaches the firewall. This is done by
setting the PC's default gateway accordingly.
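The management-plane steps from this part of the lecture (addressing the management interface, restricting who may reach it, changing the default password, verifying, and pinging with an explicit source) as PAN-OS CLI. This is an added example and not the lecture's own configuration; all addresses are constructed (RFC 5737), the permitted host 192.0.2.50 stands in for an admin jump host, 203.0.113.2 is assumed to be a data-plane interface address, and `#` lines are annotations rather than CLI input.

```text
configure

# Management interface addressing (constructed values).
set deviceconfig system ip-address 192.0.2.20 netmask 255.255.255.0 default-gateway 192.0.2.1

# Only the admin host may reach the management interface; everything else is refused
# before it ever hits the management services.
set deviceconfig system permitted-ip 192.0.2.50/32

# Keep HTTPS, SSH and ICMP (the defaults); make sure the cleartext services stay off.
set deviceconfig system service disable-telnet yes disable-http yes

# Replace the factory admin password before the box goes anywhere near production.
# The command prompts interactively for the new password.
set mgt-config users admin password

commit
exit

# Verify the management addressing took effect.
show interface management

# Ping from the data plane. Without 'source', the packet would be sourced from the
# management interface and leave through it; with 'source' it uses the data interface.
ping source 203.0.113.2 host 203.0.113.1
```

The `permitted-ip` entry is the check worth adding first: it turns the management interface from "reachable by anything that can route to it" into "reachable only from the hosts you listed", independent of the data-plane security policy.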
This passage discusses configuring firewall interfaces and the limitations of
using a firewall in layer 2 mode. Interface configuration: when configuring firewall
interfaces, there are two categories: the management interface and the data
interfaces, which are located under the Network section. Each data interface must be
part of a virtual router to enable routing. For specific use cases, a tap interface
can be used to collect traffic for analysis in Wireshark. Limitations in
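The data-interface part of the passage (layer 3 interfaces, virtual router membership, a default route so the firewall can forward onward, and a tap interface for capture) as PAN-OS CLI. This is an added example, not the lecture's configuration; interface numbers, the virtual router name `default`, the zone `tap-monitor`, and all addresses (RFC 5737 and RFC 1918) are constructed, and `#` lines are annotations rather than CLI input.

```text
configure

# Layer 3 data interfaces: outside toward the upstream router, inside toward the LAN.
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/24
set network interface ethernet ethernet1/2 layer3 ip 10.1.1.1/24

# Each data interface must belong to a virtual router, otherwise nothing is routed.
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]

# Default route via the upstream router, so packets the LAN hands to the firewall
# have somewhere to go after inspection.
set network virtual-router default routing-table ip static-route default-route destination 0.0.0.0/0 nexthop ip-address 203.0.113.1

# Tap interface: receives a mirrored copy of traffic from a switch SPAN port.
# It can log and capture for Wireshark analysis but cannot forward or block anything.
set network interface ethernet ethernet1/4 tap
set zone tap-monitor network tap ethernet1/4

commit
exit

# Confirm the virtual router learned the default route and the interfaces are up.
show routing route
show interface all
```

Because a tap interface only sees a copy of the traffic, any rule that "blocks" on it affects logging only; enforcement still requires the packets to traverse the layer 3 (or virtual wire) interfaces in the virtual router above.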