02 DNS NTP Zones Virtual Routers Interface Types Admin Types

The document outlines the configuration of various services and settings for a firewall, including DNS, NTP, and virtual routers. It details interface types such as Tap, Layer, and Virtual Wire, as well as high availability configurations and user administration roles. Additionally, it provides instructions for managing interfaces, security zones, and resetting the firewall to factory defaults.

_DNS_NTP_zones_virtual routers_interface types_admin types

To configure DNS and NTP services and to define a proxy server:

Device, Setup, Services, edit
- If you enable the Verify Update Server Identity option, the firewall verifies that the server from which a software or content package is downloaded presents an SSL certificate signed by a trusted certificate authority.

The firewall uses the management (MGT) interface by default to reach external services such as DNS servers, external authentication servers, and Palo Alto Networks services (software updates, URL updates and licenses).
An alternative to using the MGT interface is to configure a data port (a regular interface) to reach these services.
To configure that:
Device, Setup, Services, edit, Service Route Configuration, Customize

To shut down or reboot:
Device, Setup, Operations
By CLI: request shutdown system or request restart system

To configure security zones:

Network, Zones (by default the Trust and Untrust zones exist), Add, name it outside, type Layer , OK
Add another one for inside

Create a virtual router (used mainly to keep separate routing tables).

Virtual Routers:
- The firewall requires a virtual router to obtain routes to other subnets, either through static routes that you define manually or through participation in Layer routing protocols (dynamic routes).
- Each Layer interface, loopback interface, and VLAN interface defined on the firewall must be associated with a virtual router.
- Each interface can belong to only one virtual router.

There is a default virtual router that may hold all routed interfaces, or you can add interfaces to a virtual router one by one.
Network, Virtual Routers, Add, VR , OK
Click More Runtime Stats on any virtual router to view its routing table.

Palo Alto interface types:

Tap
Tap mode is used to monitor network traffic: it lets you passively monitor traffic flows across a network with the help of a switch SPAN or mirror port.
The switch makes a copy of the data received on a switch interface and forwards that copy out of the SPAN (mirror) port.
SPAN (Switched Port Analyzer):
Can send a copy of traffic from one port to another port on the same switch, where a network analyzer or monitoring device is connected.
Mirrors traffic received, sent, or both on the source ports to a destination port for analysis.
Commonly deployed when an IDS is added to a network.
The SPAN source port is the port connected to the host that should be monitored.
The SPAN destination port is the port connected to the monitoring host, such as the IDS.

To configure the SPAN source port:
Switch(config)# monitor session source interface gigabitethernet / rx|tx|both
To configure the SPAN destination port:
Switch(config)# monitor session destination interface gigabitethernet /
For VLANs:
Switch(config)# monitor session source vlan rx
Switch(config)# monitor session source vlan tx
Switch(config)# monitor session destination interface FastEthernet /
To verify the SPAN configuration:
Sw# show monitor session n

HA
HA-type interfaces are used to configure high availability between firewall devices.
For HA we have two kinds of links: a control link and a data link.
For the control link, we can use the management interface or an Ethernet interface.
For the data link, we use an Ethernet interface.
Virtual Wire
Used to deploy the firewall as a transparent firewall (bump in the wire).
To deploy a Palo Alto firewall in transparent mode, we configure its interfaces as the Virtual Wire type.
A Virtual Wire interface needs no IP address or MAC address.
Layer
This deployment provides switching between interfaces.
Layer
In a Layer interface deployment you must assign an IP address to each physical Layer interface, and routing is performed on it.
Without an IP address we can't use a Layer interface.
Because all network traffic passes through the Layer deployment, we must have configured a virtual router with either dynamic routing protocols or static routing.
We can also create multiple virtual routers.
Configure the needed interfaces as L interfaces:
Network, Interfaces, click an interface, change the interface type to Layer , in the comment type inside or outside
Select the virtual router and zone, then assign IP addresses / , OK, commit
To allow ping, telnet, HTTP and HTTPS on an interface, create a management profile:
Network, Network Profiles, Interface Mgmt, Add, Profile , Ping-Telnet-HTTP- .
Link that profile to an interface: Network, Interfaces, click an interface, Advanced, Management Profile
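As an added audit of the rules in the virtual router and Layer interface notes above (one virtual router per interface, no Layer 3 interface without an IP address) plus the caveat that a management profile allowing telnet or HTTP exposes cleartext administration, here is a small Python checker over constructed configuration lines. It is not from the page or from Palo Alto Networks; the PAN-OS "set" syntax it parses is an assumption, as are the interface names, profile name and addresses.

```python
from collections import defaultdict

# Constructed sample in PAN-OS "set" command style (the exact syntax is an
# assumption, not taken from the page): two Layer 3 interfaces, one with no IP,
# a management profile enabling cleartext services, one interface in two VRs.
SAMPLE_CONFIG = """
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-mgmt
set network interface ethernet ethernet1/2 layer3 comment inside
set network profiles interface-management-profile allow-mgmt ping yes
set network profiles interface-management-profile allow-mgmt telnet yes
set network profiles interface-management-profile allow-mgmt http yes
set network profiles interface-management-profile allow-mgmt https yes
set network virtual-router default interface ethernet1/1
set network virtual-router default interface ethernet1/2
set network virtual-router VR2 interface ethernet1/2
""".strip().splitlines()

CLEARTEXT = {"telnet", "http"}  # services a management profile should not expose

def audit(lines):
    l3_has_ip = {}                       # interface -> True once an ip line is seen
    profile_services = defaultdict(set)  # profile name -> enabled services
    iface_profile = {}                   # interface -> management profile name
    iface_vrs = defaultdict(set)         # interface -> virtual routers it appears in
    for line in lines:
        t = line.split()
        if t[:4] == ["set", "network", "interface", "ethernet"] and len(t) > 6 and t[5] == "layer3":
            l3_has_ip.setdefault(t[4], False)
            if t[6] == "ip":
                l3_has_ip[t[4]] = True
            elif t[6] == "interface-management-profile" and len(t) > 7:
                iface_profile[t[4]] = t[7]
        elif t[:4] == ["set", "network", "profiles", "interface-management-profile"] \
                and len(t) > 6 and t[6] == "yes":
            profile_services[t[4]].add(t[5])
        elif t[:3] == ["set", "network", "virtual-router"] and len(t) > 5 and t[4] == "interface":
            iface_vrs[t[5]].add(t[3])
    findings = []
    for name, has_ip in sorted(l3_has_ip.items()):        # page: no IP, no Layer 3 interface
        if not has_ip:
            findings.append(f"{name}: Layer 3 interface without an IP address")
    for name, vrs in sorted(iface_vrs.items()):           # page: one virtual router per interface
        if len(vrs) > 1:
            findings.append(f"{name}: belongs to more than one virtual router {sorted(vrs)}")
    for name, prof in sorted(iface_profile.items()):      # caveat: cleartext management services
        exposed = profile_services[prof] & CLEARTEXT
        if exposed:
            findings.append(f"{name}: management profile '{prof}' enables cleartext {sorted(exposed)}")
    return findings
```

Run audit(SAMPLE_CONFIG) to list the three findings for the constructed sample; feed it the output of a real "set"-format configuration export to audit a live box.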

Subinterface for a VLAN deployment:

Click the main interface and then Add Subinterface

Loopback interface:
Network, Interfaces, Loopback tab, Add (note that its mask must be / )

To reset the firewall to factory defaults (must be done through the console):

> request restart system
- Power on to start the device.
- During the boot sequence, press Enter, then type maint to enter maintenance mode: PANOS (maint)
- Factory reset
To change an admin password:
Device, Administrators, Add to add a new one or click an admin to edit, then commit
To configure admin users:
Device, Administrators, Add,

- Administrator Type (Dynamic):
  - Superuser: has full access to the firewall and can define new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
  - Superuser (read-only): has read-only access to the firewall.
  - Device administrator: has full access to all firewall settings except defining new accounts or virtual systems.
  - Device administrator (read-only): has read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
  - Virtual system administrator: has full access to specific virtual systems on the firewall (if multiple virtual systems are enabled).
  - Virtual system administrator (read-only): has read-only access to specific virtual systems on the firewall (if multiple virtual systems are enabled).
  Virtual systems are supported on PA- Series, PA- Series and PA- Series firewalls.
- Administrator Type (Role Based):
  - Auditadmin: responsible for the regular review of the firewall's audit data.
  - Cryptoadmin: the Cryptographic Administrator is responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to the firewall.

  - Securityadmin: responsible for all other administrative tasks (e.g. creating Security policy) not addressed by the other two administrative roles.
