Palo Alto

From cwhite's wiki


What the hell is all of this stuff??

Interfaces and Zones

Security policies are applied between zones. Traffic can only flow through zones. An interface cannot pass traffic until it has been assigned to a zone. A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to the firewall. Traffic can flow freely within a zone (intra-zone traffic), but traffic cannot flow between zones (inter-zone traffic) until you define a security policy rule that allows it.

Virtual Wire Deployment

In a virtual wire deployment, the firewall is installed transparently by binding two ports together. This is basically an inline deployment as the firewall does not perform any routing or switching. By default, there is a default-vwire which binds together ethernet ports 1 and 2 and allows all untagged traffic. You can use a virtual wire to connect any two ports and configure it to block or allow traffic based on the VLAN (VLAN 0 tag means untagged traffic).

Virtual wire subinterfaces provide flexibility in enforcing distinct policies when you need to manage traffic from multiple customer networks. They allow you to separate and classify traffic into different zones using VLAN tags, or VLAN tags in conjunction with IP classifiers.

Virtual Wire Subinterface

  1. Configure two ethernet interfaces as type virtual wire and assign these interfaces to a virtual wire.
  2. Create subinterfaces on the parent virtual wire. Make sure that the VLAN tags defined on each pair of subinterfaces that are configured as virtual wires are identical. This is essential because a virtual wire does not switch VLAN tags.
  3. Create new subinterfaces and define IP classifiers. This task is optional and only required if you wish to add additional subinterfaces with IP classifiers for further managing traffic from a customer based on the combination of VLAN tags and a specific source IP address, range or subnet.

Layer 2 Deployment

In layer 2 deployments, the firewall provides switching between 2 or more VLANs. You must assign a group of interfaces to a VLAN object in order for the firewall to switch between them. The firewall performs VLAN tag switching when Layer 2 subinterfaces are attached to a common VLAN object. In a layer 2 deployment, the firewall rewrites the inbound port VLAN ID (PVID) number in a PVST+ or Rapid PVST+ BPDU to the proper outbound VLAN ID number and forwards it out. The firewall rewrites such BPDUs on layer 2 ethernet and aggregated ethernet interfaces only.

Layer 3 Deployment

In a layer 3 deployment, the firewall routes traffic between multiple ports. This deployment requires that you assign an IP address to each interface and configure virtual routers to route the traffic.

Virtual Routers

The firewall uses virtual routers to obtain routes to other subnets, either through manually defined static routes or through participation in layer 3 routing protocols. The ethernet interfaces and VLAN interfaces defined on the firewall receive and forward the layer 3 traffic. Each layer 3 interface, loopback interface and VLAN interface defined on the firewall must be associated with a virtual router.


The following configurations are for PAN-OS 7.1 but may apply to older versions.


Basic configuration

  1. Configure a default route
    1. Select Network > Virtual Router and select default.
    2. Select Static Routes and click Add. Configure a quad zero default like any other networking equipment.
  2. Configure the external interface
    1. Network > Interfaces
    2. Select the Interface Type. Probably going to be a layer 3 interface.
    3. In the Config tab, select New Zone from the Security Zone drop-down.
    4. Select your Virtual Router (probably default).
    5. Assign an IP address to the interface by selecting the IPv4 tab.
    6. To be able to ping the interface, select Advanced > Other Info, expand the Management Profile drop-down and select New Management Profile.
  3. Configure the interfaces that connect to the internal network
    1. Same as step 2 unless you are going to be using L2 interfaces rather than L3 interfaces.
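The same basic configuration from the PAN-OS CLI (configure mode), as an added example that is not part of the original wiki page. Interface names, zone names, addresses and the profile name are constructed; the `#` lines are annotations, not CLI input.

```text
configure
# Step 2: external interface as layer 3, in a new zone, on the default virtual router
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/24
set zone untrust network layer3 ethernet1/1
set network virtual-router default interface ethernet1/1
# Step 2.6: management profile so the interface answers ping (nothing else enabled)
set network profiles interface-management-profile ping-only ping yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile ping-only
# Step 1: quad-zero default route out of the external interface
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/1
# Step 3: internal interface, same pattern, its own zone
set network interface ethernet ethernet1/2 layer3 ip 192.0.2.1/24
set zone trust network layer3 ethernet1/2
set network virtual-router default interface ethernet1/2
# Zones block inter-zone traffic until a rule allows it (see Interfaces and Zones above)
set rulebase security rules allow-outbound from trust to untrust source any destination any application any service application-default action allow
commit
```

Check the result with `show interface all` and `show routing route` from operational mode.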

Configuring an aggregate interface group

An aggregate interface group uses IEEE 802.1AX LAG to combine multiple interfaces into a single virtual interface. You can add up to eight aggregate groups per firewall and each group can have up to eight interfaces. All interfaces in an aggregate group must be the same (bandwidth and type). Interface types may be HA3, virtual wire, layer 2 or layer 3.

  1. Configure the general interface group parameters
    1. Network > Interfaces > Ethernet and Add Aggregate Group.
  2. Configure the LACP settings (does not support virtual wire interfaces)
    1. Select the LACP tab and Enable LACP.
    2. Most settings are pretty straightforward. Fast Failover is if you want to enable failover to a standby interface in less than one second. For active/passive firewalls only, select Enable in HA Passive State to enable LACP pre-negotiation for the passive firewall. LACP pre-negotiation enables quicker failover to the passive firewall. If you select Enable in HA Passive State, you cannot use the same MAC address for both the active and passive firewall.
  3. Assign interfaces to the aggregate group
    1. Network > Interfaces > Ethernet and click the interface name to edit it.
    2. Set the Interface Type to Aggregate Ethernet.
    3. Select the Aggregate Group you just defined.
  4. If the firewalls have an active/active configuration and you are aggregating HA3 interfaces, enable packet forwarding for the aggregate group.
    1. Device > High Availability > Active/Active Config and edit the Packet Forwarding section.
    2. Select the aggregate group you configured for the HA3 interface and click OK.
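Steps 1 through 3 of the aggregate group procedure from the CLI, as an added example that is not part of the original page. The group name `ae1`, member ports, address and zone are constructed, and the `lacp` line reflects the CLI as the editor knows it; verify it against your PAN-OS version. `#` lines are annotations, not CLI input.

```text
configure
# Step 1: the aggregate group itself, here as a layer 3 interface
set network interface aggregate-ethernet ae1 layer3 ip 10.10.0.1/24
# Step 2: enable LACP on the group (not supported for virtual wire groups)
set network interface aggregate-ethernet ae1 layer3 lacp enable yes
# Step 3: member ports of the same type and speed, assigned to the group
set network interface ethernet ethernet1/3 aggregate-group ae1
set network interface ethernet ethernet1/4 aggregate-group ae1
# The group, like any layer 3 interface, needs a zone and a virtual router
set zone trust network layer3 ae1
set network virtual-router default interface ae1
commit
```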

Multiple IP addresses on a single interface

  • Section is not complete.

Security Policy

Useful Commands


Restart Web GUI
debug software restart process management-server

Documents and URLs

PAN-OS 7.1 Administrator's Guide