Saturday, September 27, 2025

Module 5: Connecting the Firewall to Production Networks with Security Zones
No, a Palo Alto Networks subinterface is not the same as an 802.1Q trunk, but configuring a Palo Alto Networks subinterface enables it to participate in an 802.1Q trunk by assigning a VLAN tag to a logical interface that runs on a physical interface receiving trunked traffic. The subinterface itself represents a specific VLAN on that trunk, while the 802.1Q trunk is the link-level protocol that allows multiple VLANs to share a single physical connection by tagging Ethernet frames.
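To make the distinction concrete, here is an added example (not code from the page or from Palo Alto Networks) that builds and parses 802.1Q-tagged Ethernet frames and maps each VLAN tag to a Layer 3 subinterface and its zone. The subinterface names ethernet1/1.10 and ethernet1/1.20 and their tag-to-zone mapping are assumptions for illustration; the lab itself uses untagged Layer 3 interfaces. The zone names are the lab's.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # EtherType value that announces a 802.1Q tag


@dataclass(frozen=True)
class Subinterface:
    name: str
    vlan_id: int
    zone: str


# Assumed subinterfaces on the trunk-facing physical port ethernet1/1.
# One subinterface == one VLAN on the trunk; the trunk itself is just the
# tagging convention on the wire, it is not an object on the firewall.
SUBINTERFACES = {
    10: Subinterface("ethernet1/1.10", 10, "Users_Net"),
    20: Subinterface("ethernet1/1.20", 20, "Extranet"),
}


def build_frame(dst, src, vlan_id, ethertype, payload, pcp=0):
    """Build a constructed 802.1Q-tagged frame: dst, src, TPID, TCI, type, payload."""
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def build_untagged_frame(dst, src, ethertype, payload):
    """Build a constructed plain Ethernet II frame with no VLAN tag."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, inner ethertype, payload) for one frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("tagged frame is missing its TCI/EtherType")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]


def classify(frame, physical="ethernet1/1"):
    """Return (receiving interface, zone) for a frame arriving on the trunk port.

    Untagged frames belong to the parent interface; a tag with no matching
    subinterface has nowhere to land, so the model reports it as dropped.
    """
    vlan_id, _ethertype, _payload = parse_frame(frame)
    if vlan_id is None:
        return physical, None
    sub = SUBINTERFACES.get(vlan_id)
    if sub is None:
        return None, None
    return sub.name, sub.zone


if __name__ == "__main__":
    # Constructed MAC addresses and a minimal payload.
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    tagged = build_frame(dst_mac, src_mac, 10, 0x0800, b"\x45" + b"\x00" * 19)
    print(classify(tagged))                      # ('ethernet1/1.10', 'Users_Net')
    print(classify(build_frame(dst_mac, src_mac, 30, 0x0800, b"")))  # (None, None)
```

Because the zone is a property of the subinterface, a frame's VLAN tag decides which zone its packets enter; a tag that no subinterface claims is simply not received by the firewall, which is why a trunk carrying more VLANs than you have configured is harmless but also invisible.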



LAB 5 - Build a Palo Alto Firewall


GlobalProtect is Palo Alto Networks' on-premises VPN solution, connecting users to local next-generation firewalls (NGFWs).

Prisma Access is a cloud-delivered SASE (Secure Access Service Edge) service offering the same user VPN capabilities but with cloud-based infrastructure and global scalability.

Prisma Access eliminates the need to manage on-prem firewalls and portals, providing a distributed network of cloud servers that users can connect to, offering greater flexibility and centralized management via Panorama.

Palo Alto has a Management Plane and a Data Plane.

Web UI tabs, mnemonic D A M P O N D:
Dashboard
ACC (Application Control Center)
Monitor
Policy
Objects
Network
Device

Management Plane (MGMT, out of band)

Configure the Management Interface:

<Device><Setup><Interface>
Interface Name: Management


Access: CLI or Web
UID: admin
Password: admin

CLI (operational mode, > prompt):
> show interface all
> show interface management

Web: https://192.168.1.1

1. Management Interface
Type: Static
IP Address: 192.168.1.1
Netmask:
Default Gateway:

Administrative Management Service
https
SSH

Network Services
Ping 

Hostname
DNS
NTP
TimeZone

 

Initial configs (hostname myfw-01)

set cli config-output-format set
configure

set deviceconfig system ip-address 100.105.37.87
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 100.105.37.1
set deviceconfig system hostname myfw-01
set deviceconfig system dns-setting servers primary 8.8.8.8

commit

2. Setup Accounts (Lab 4)
Authentication - User ID - Who are you?
Authorization - Privilege - What can you do?

Authentication sources:
Local Database
LDAP
RADIUS
Server Profile

3a. Setup Interfaces (Lab 5)
Interface ethernet1/1 - Layer3 - IP Address 203.0.113.20/24
Interface ethernet1/2 - Layer3 - IP Address 192.168.1.1/24
Interface ethernet1/3 - Layer3 - IP Address 192.168.50.1/24

3b. Create Zones
Internet - Set to Layer 3
Extranet - Set to Layer 3
Users_Net - Set to Layer 3

3c. Assign Zones to Interfaces
Internet - Interface ethernet1/1
Users_Net - Interface ethernet1/2
Extranet - Interface ethernet1/3

3d. Create Logical Router
Name: LR-1
Add Interfaces:
ethernet1/1
ethernet1/2
ethernet1/3

Add Static Route:
Destination 0.0.0.0/0
Interface ethernet1/1

3e. Ping Test (should be successful from the firewall console because you are sourcing the ping from the firewall interface within each zone)
ping source 192.168.1.1 host 192.168.1.20
ping source 192.168.50.1 host 192.168.50.80
ping source 203.0.113.20 host 8.8.8.8

In the CLI connection to the firewall, use the ping command to check network
connectivity to a host in the Users_Net Security Zone with the following command
at the admin@firewall-a> prompt:

admin@firewall-a> ping source 192.168.1.1 host 192.168.1.20

Note the syntax for this command. 192.168.1.1 is the IP address of ethernet1/2 on
the firewall. The command instructs the firewall to use that IP address on
ethernet1/2 to ping the host 192.168.1.20. If you do not use the source option, the
firewall uses its management interface address as the source IP.




4. Create Security Policies

Rule 1
Name: Users_Net-to-Internet
General
Source: Users_Net
Destination: Internet
Application
Content/URL Filtering
Action

Rule 2
Name: Extranet-to-Internet
General
Source: Extranet
Destination: Internet
Application
Content/URL Filtering
Action

Rule 3
Name: Users_Net-to-Extranet
General
Source: Users_Net
Destination: Extranet
Application
Content/URL Filtering
Action

5. Setup Source NAT

You must create entries in the firewall’s NAT Policy table in order to translate traffic from
internal hosts (often on private networks) to a public, routable address (often an interface on
the firewall itself). NAT rules provide address translation and are different from Security
Policy rules, which allow and deny packets. You can configure a NAT Policy rule to match a
packet’s source and destination zone, destination interface, source and destination address,
and service.
In your previous ping test to an Internet host, the ping traffic from your client is allowed by
the Security Policy rule, but the packets leave the firewall with a non-routable source IP
address from the private network of 192.168.1.0/24.
In the same way you can create a NAT Policy rule to translate traffic from the private networks in the Users_Net and Extranet security zones to a routable address. You will use the same interface IP address on the firewall (203.0.113.20) as the source IP for outbound traffic from both Users_Net and Extranet hosts.
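The following added example (my own model, not PAN-OS code or the lab's) ties steps 3 through 5 together: it takes the lab's interface addresses, zones and default route, derives ingress and egress zones for a flow, evaluates the three security rules with the PAN-OS defaults (intrazone allow, interzone deny) and then applies the outbound source NAT to 203.0.113.20. It also models the ping source rule from the earlier ping-test step: a source must be a data-plane interface address, otherwise the management address is used. The rule names, the "allow" action on each rule (the lab leaves Action blank) and the NAT rule name are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    address: ipaddress.IPv4Interface
    zone: str


# Interface, zone and route plan from the lab (steps 3a-3d).
INTERFACES = [
    Interface("ethernet1/1", ipaddress.ip_interface("203.0.113.20/24"), "Internet"),
    Interface("ethernet1/2", ipaddress.ip_interface("192.168.1.1/24"), "Users_Net"),
    Interface("ethernet1/3", ipaddress.ip_interface("192.168.50.1/24"), "Extranet"),
]
MGMT_ADDRESS = ipaddress.ip_address("100.105.37.87")  # out-of-band management plane
STATIC_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1")]  # LR-1 default route

# Step 4 zone pairs; rule names and the "allow" action are assumptions.
SECURITY_RULES = [
    ("Users_Net-to-Internet", "Users_Net", "Internet", "allow"),
    ("Extranet-to-Internet", "Extranet", "Internet", "allow"),
    ("Users_Net-to-Extranet", "Users_Net", "Extranet", "allow"),
]
# Step 5: both private zones leave toward Internet as the ethernet1/1 address.
NAT_RULES = [
    ("Outbound-SNAT", {"Users_Net", "Extranet"}, "Internet", ipaddress.ip_address("203.0.113.20")),
]


def egress_interface(dst):
    """Longest-prefix match over connected subnets and the logical router's static routes."""
    dst = ipaddress.ip_address(dst)
    candidates = [(i.address.network.prefixlen, i.name) for i in INTERFACES if dst in i.address.network]
    candidates += [(net.prefixlen, name) for net, name in STATIC_ROUTES if dst in net]
    return max(candidates)[1] if candidates else None


def zone_of(interface_name):
    return next(i.zone for i in INTERFACES if i.name == interface_name)


def ingress_zone(src):
    """A zone belongs to an interface; here the arriving interface is inferred
    from the connected subnet that contains the source address."""
    src = ipaddress.ip_address(src)
    return next((i.zone for i in INTERFACES if src in i.address.network), None)


def ping_source_address(source=None):
    """'ping source X host Y': X must be an address of a firewall interface;
    with no source option the firewall pings from its management address."""
    if source is None:
        return MGMT_ADDRESS
    source = ipaddress.ip_address(source)
    if any(i.address.ip == source for i in INTERFACES):
        return source
    raise ValueError(f"{source} is not an address of any firewall interface")


def process(src, dst):
    """Classify one src->dst flow: zones, first-matching security rule, then source NAT."""
    from_zone = ingress_zone(src)
    egress = egress_interface(dst)
    to_zone = zone_of(egress) if egress else None
    result = {"from_zone": from_zone, "to_zone": to_zone, "egress": egress,
              "rule": None, "action": "deny", "translated_src": ipaddress.ip_address(src)}
    if from_zone is None or to_zone is None:
        return result  # unroutable or from an unknown network: nothing to match
    for name, rule_from, rule_to, action in SECURITY_RULES:
        if rule_from == from_zone and rule_to == to_zone:
            result["rule"], result["action"] = name, action
            break
    else:
        same_zone = from_zone == to_zone
        result["rule"] = "intrazone-default" if same_zone else "interzone-default"
        result["action"] = "allow" if same_zone else "deny"
    if result["action"] == "allow":
        for _name, from_zones, rule_to, translated in NAT_RULES:
            if from_zone in from_zones and rule_to == to_zone:
                result["translated_src"] = translated
                break
    return result


if __name__ == "__main__":
    print(process("192.168.1.20", "8.8.8.8"))        # allowed, leaves as 203.0.113.20
    print(process("192.168.50.80", "192.168.1.20"))  # no rule: interzone-default deny
    print(process("192.168.1.20", "192.168.50.80"))  # allowed, no NAT between private zones
```

Note that the model keeps the two policy tables separate on purpose: a Security Policy decision never rewrites an address, and a NAT rule never allows a packet. Extranet-to-Users_Net traffic is denied by the interzone default because no rule names that zone pair, which is the behaviour you want to confirm in the traffic log before adding any rule.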

6. Commit the changes

To get to the Student Guide:
https://onsecure.onfulfillment.com/reader/#/login
 
To get to the Lab Guide:
https://www.ingrammicrotraining.com/
 
To get to the Lab Environment:
https://ingrammicro.learnondemand.net/