5 Interface Configuration

INTERFACE CONFIGURATION
Deploy to Multiple Networks
EDU-210 Version A
PAN-OS® 9.0

Agenda
• Security zones and interfaces
• Tap interfaces
• Virtual wire interfaces
• Layer 2 interfaces
• Layer 3 interfaces
• Virtual routers
• VLAN interfaces
• Loopback interfaces
• Policy-based forwarding

After you complete this module,
you should be able to:

• Describe the flow logic of the next-generation firewall


• Create a security zone
• Describe the differences between Tap, Virtual Wire, Layer 2, and Layer 3
interfaces
• Create and configure a virtual router
• Define a static default route
• Configure a VLAN interface
• Configure a loopback interface

2 | © 2019 Palo Alto Networks, Inc.


Flow Logic of the Next-Generation Firewall

Session Setup (performed once, on the first packet of a flow):
• Does the traffic match an existing session? If yes, go straight to Inspection and Enforcement.
• If no: Source Zone and/or DoS Protection → Forwarding Lookup (PBF first, then the route table) → Destination Zone (plus DNAT check) → Security Policy Check (App-ID ignored, because the application is not yet known) → Assign Session ID

Inspection and Enforcement (every packet of the session):
• INSPECTION: App-ID → Encrypted? If yes, is there a matching Decrypt policy? If yes, decrypt → Content-ID
• ENFORCEMENT: Security Policy* → Security Profiles → Forward Traffic (re-encrypt if decrypted)

* Policy check relies on pre-NAT IP addresses (the zones, however, are post-NAT, since the destination zone comes from the forwarding lookup).
Flexible Deployment Options for Ethernet Interfaces

Tap
• Application, user, and content visibility without inline deployment
• Evaluation and audit of existing networks

Virtual Wire
• App-ID, Content-ID, User-ID, and SSL decryption capabilities
• Includes NAT capability

Layer 3
• All the Virtual Wire mode capabilities with the addition of Layer 3 services: virtual routers, VPN, and routing protocols


Security Zones and Security Policy Rules
• A zone is a logical grouping of traffic on the network.
• Traffic within a zone (intrazone) is allowed by default.
• Traffic between zones (interzone) is denied by default.
• Both defaults are implemented by the implicit intrazone-default and interzone-default rules at the bottom of the rulebase; they can be overridden by explicit rules, and they do not log until logging is enabled on them.

Example zones in the diagram: Internet, DMZ, Guest, Users, Data Center


In-Band Network Interfaces
• Each interface is assigned to a single zone.
• A zone can include multiple physical or logical interfaces.

Interface naming in the diagram:
• Single-slot firewall: ethernet1/1, ethernet1/2
• Multi-slot firewall: ethernet1/1, ethernet2/1
• Logical interfaces (subinterfaces): ethernet1/1.1, ethernet1/1.2


Interface Types and Zone Types
• Different zone types support only specific interface types:

Zone type: interfaces it can contain
• Tap zone: Tap interfaces
• Virtual Wire zone: Virtual Wire interfaces
• Layer 2 zone: Layer 2 interfaces
• Layer 3 zone: Layer 3 interfaces, VLAN interfaces, Loopback interfaces, Tunnel interfaces
• Tunnel zone: no interfaces assigned
• MGT and HA interfaces are not assigned to a zone.


Creating a Security Zone
Network > Zones > Add
• Specify zone name
• Specify zone type
• Assign interfaces:
  • Must be the appropriate interface type for the zone type
  • Unassigned interfaces do not process traffic.


Tap Interfaces
• Enable passive monitoring of switch traffic from the SPAN or mirror port
• Cannot control traffic or perform traffic shaping
• Must be assigned to a Tap zone
• Tap traffic is still evaluated against Security policy, with the Tap zone as both source and destination zone; a rule with logging enabled is what produces the Traffic log entries
• Use Traffic log information to configure Security policy rules

Diagram: Internet - switch - LAN; the switch SPAN or mirror port feeds firewall interface E1/1.


Configuring a Tap Interface
Network > Interfaces > Ethernet > <select_interface>
• Select the Tap interface type.
• Select a Tap type Security Zone.
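The same zone-creation and Tap-interface steps as PAN-OS configure-mode set commands, added here as an example and not taken from the EDU-210 deck. The interface (ethernet1/5 cabled to the switch SPAN port), the zone name tap-monitor and the rule name are assumptions; confirm the exact keyword tree with ? completion on the release you run.

```text
# Added example, not part of the course deck. Assumed: ethernet1/5 is cabled
# to the switch SPAN port; zone and rule names are placeholders.
configure

# Interface type Tap: no IP address, no virtual router, receive-only
set network interface ethernet ethernet1/5 tap

# A Tap interface may only be placed in a Tap-type zone. Until it is in a zone
# the firewall ignores its traffic (unassigned interfaces do not process traffic).
set zone tap-monitor network tap ethernet1/5

# Tap traffic is still matched against Security policy, with the Tap zone as
# both source and destination. Without an explicit rule that logs, nothing
# reaches the Traffic log, so there is nothing to base later rules on.
# "allow" cannot forward anything here; it only lets App-ID/Content-ID run
# and the log entry be written.
set rulebase security rules tap-visibility from tap-monitor to tap-monitor source any destination any application any service any action allow log-end yes

commit
exit

# Operational check: link up and receive counters increasing
show interface ethernet1/5
```

The rule is deliberately source zone = destination zone: in Tap mode the firewall never chooses an egress zone, so an interzone rule would never match and the traffic would fall to the unlogged intrazone-default rule.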


Virtual Wire Interfaces
• Bind two firewall interfaces together through a Virtual Wire object
• Typically used when no switching or routing is needed
• No configuration changes for adjacent network devices

Diagram: Zone A (Virtual Wire) - Virtual Wire interface (no IP or MAC) - Virtual Wire object (traffic inspection and control) - Virtual Wire interface (no IP or MAC) - Zone B (Virtual Wire)


Configuring a Virtual Wire Object
Network > Virtual Wires > Add
• A Virtual Wire object connects two Virtual Wire interfaces.
• A virtual wire can accept traffic based on 802.1Q VLAN tags: 0 = untagged traffic.
• Multicast Firewalling (optional): forward only multicast traffic matched to a Security policy rule; when this is not enabled, multicast is passed across the virtual wire without a policy match.
• Link State Pass Through: link state is forwarded, so when one interface of the pair goes down the firewall brings the other one down as well and the adjacent devices see the failure.


Configuring a Virtual Wire Interface
Network > Interfaces > Ethernet > <select_interface>
• Select Virtual Wire.
• Add the Virtual Wire object now or later.
• Select a Virtual Wire type security zone.


Virtual Wire Subinterfaces
• Read and process traffic based on:
  • VLAN tags (1-4094)
  • VLAN tags and IP classifiers (source IP)
  • IP classifiers (untagged traffic, source IP)
• Common uses include:
  • More granular security rules
  • Logically splitting network traffic

Diagram: ethernet1/1 (172.16.1.1/24, VLAN 110, DMZ Zone) and ethernet1/2 (172.16.2.1/24, VLAN 120, DC2 Zone); ethernet1/3 split into subinterfaces ethernet1/3.1 (192.168.1.1/24, VLAN 1, Eng Zone), ethernet1/3.2 (192.168.2.1/24, VLAN 2, HR Zone) and ethernet1/3.3 (192.168.3.1/24, VLAN 3, DC1 Zone); all interfaces are type Layer 3 on virtual router VR-1.


Configuring a Virtual Wire Subinterface
Network > Interfaces > Ethernet
• Subinterface ID
• 802.1Q VLAN tag
• Add optional IP classifiers.
• Select the Virtual Wire object.
• Select a Virtual Wire zone.
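The Virtual Wire object, interface and subinterface steps above as PAN-OS set commands, added as an example (not the deck's own material). Interface numbers, zone names, the VLAN tags and the classifier subnet are assumptions; verify keywords with ? completion on your release.

```text
# Added example, not part of the course deck. Assumed: ethernet1/1 faces the
# upstream switch, ethernet1/2 the downstream switch; names are placeholders.
configure

# Both interfaces become Virtual Wire type: no IP, no MAC used for forwarding
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire

# The Virtual Wire object binds the pair. Tag 0 = untagged frames; VLANs
# 100-110 are also accepted, anything else is dropped at the wire.
set network virtual-wire vw-dmz interface1 ethernet1/1 interface2 ethernet1/2
set network virtual-wire vw-dmz tag-allowed 0,100-110
# Make multicast subject to Security policy instead of being passed blindly
set network virtual-wire vw-dmz multicast-firewalling yes
# Propagate link failure to the other side so neighbours reconverge
set network virtual-wire vw-dmz link-state-pass-through enable yes

# One Virtual Wire zone per side; the interzone default deny applies between them
set zone vw-outside network virtual-wire ethernet1/1
set zone vw-inside network virtual-wire ethernet1/2

# Subinterfaces: VLAN 200 (and only sources in 10.20.0.0/16 on it) is split
# out into its own virtual wire and zone pair so it can get stricter rules
set network interface ethernet ethernet1/1 virtual-wire units ethernet1/1.200 tag 200
set network interface ethernet ethernet1/1 virtual-wire units ethernet1/1.200 ip-classifier 10.20.0.0/16
set network interface ethernet ethernet1/2 virtual-wire units ethernet1/2.200 tag 200
set network virtual-wire vw-guest interface1 ethernet1/1.200 interface2 ethernet1/2.200
set zone guest-outside network virtual-wire ethernet1/1.200
set zone guest-inside network virtual-wire ethernet1/2.200

commit
```

Note the ordering consequence: a frame tagged 200 from a source outside 10.20.0.0/16 does not match the classifier, so it falls back to the parent wire vw-dmz, which does not allow tag 200 and drops it. Check tag-allowed on the parent whenever a subinterface classifier is narrowed.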


Layer 2 Interfaces
• Provide switching between two or more interfaces through a VLAN object
• Typically used when no routing is needed

Diagram: Zone A (Layer 2) - Layer 2 interface (MAC address) - VLAN object (traffic inspection and control) - Layer 2 interface (MAC address) - Zone B (Layer 2); STP frames are forwarded between the two segments (STP forwarding).
Layer 2 Subinterfaces
• Assign subinterfaces to zones
• VLAN traffic is isolated by subinterfaces:
  • A route is needed between VLANs (for example, a VLAN interface on a virtual router)
  • Security policy blocks interzone traffic by default
• Useful configuration for multi-tenant networks

Diagram: ethernet1/2.1 and ethernet1/3.1 carry VLAN 1 (Eng Zone); ethernet1/2.2 and ethernet1/3.2 carry VLAN 2 (HR Zone).
Layer 3 Interfaces
• Enable routing between multiple interfaces:
  • Requires a virtual router
• Can require network configuration to accommodate new IP addresses

Diagram: Zone A (Layer 3) - Layer 3 interface (IP address) - Virtual Router (traffic inspection and control) - Layer 3 interface (IP address) - Zone B (Layer 3)


IPv4 and IPv6
• Layer 3 interfaces support IPv4 and IPv6.
• To support IPv6 addresses, you must enable IPv6 on the firewall.

Device > Setup > Session > Session Settings



Configuring a Layer 3 Interface: Config
Network > Interfaces > Ethernet > <select_interface>
• Select Layer3.
• Select a virtual router.
• Select a Layer 3 type security zone.


Configuring a Layer 3 Interface: IPv4
Network > Interfaces > Ethernet > <select_interface>
• Select whether the IP address is static or DHCP-assigned.
• Enter the static IP address(es) in CIDR notation.


Configuring a Layer 3 Interface: Advanced
Network > Interfaces > Ethernet > <select_interface>
• Specify the firewall management services accessible on this interface (Interface Management Profile).
• (IPv4) Pre-load ARP cache entries.
• (IPv6) Pre-load ND cache entries.
• (IPv6) Configure NDP proxy.
• Enable and configure DDNS.
• Enable and configure LLDP.


Interface Management Profile
Network > Network Profiles > Interface Mgmt > Add
• Defines which firewall management services (ping, HTTPS, SSH, SNMP, User-ID, response pages, and so on) are accessible from a traffic interface
• Can be applied to Layer 3, loopback, and tunnel interfaces
• Without a profile no management service answers on the interface; when one is applied, restrict the Permitted IP Addresses so that administrative services are not reachable from every host in the zone.


Layer 3 Subinterfaces
• Assign subinterfaces to zones
• Traffic in each VLAN is isolated:
  • A virtual router is needed to connect the VLANs
  • Security policy blocks interzone traffic by default
• Useful configuration for multi-tenant networks

Diagram: ethernet1/2.1 (192.168.1.1, VLAN 1, Eng Zone) and ethernet1/2.2 (192.168.2.1, VLAN 2, HR Zone); ethernet1/3.2 (192.168.2.2, VLAN 2, HR Zone) and ethernet1/3.3 (192.168.4.1, VLAN 3, DC Zone).
Configuring a Layer 3 Subinterface
Network > Interfaces > Ethernet
• Subinterface ID
• 802.1Q VLAN tag
• Configure the remaining options as for a normal Layer 3 interface.
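The Layer 3 interface, IPv6, Interface Management Profile and Layer 3 subinterface steps from the preceding slides, combined into one PAN-OS set-command example. This is an added example, not material from the deck; the addresses (RFC 5737/3849 documentation ranges), interface numbers, zone names and the admin subnet 10.10.0.0/24 are assumptions, and keyword spelling should be confirmed with ? completion on your release.

```text
# Added example, not part of the course deck. All addresses, interface
# numbers and names are placeholders.
configure

# IPv6 must be switched on globally (Device > Setup > Session) before any
# interface can carry an IPv6 address
set deviceconfig setting session ipv6-firewalling yes

# Interface Management Profile: only ping and HTTPS, and only from the admin
# subnet. Leaving permitted-ip empty would answer to the whole zone.
set network profiles interface-management-profile admin-only ping yes https yes
set network profiles interface-management-profile admin-only permitted-ip 10.10.0.0/24

# ISP-facing Layer 3 interface: static address, default virtual router,
# zone "untrust". No management profile, so nothing listens on it.
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.10/24
set network virtual-router default interface ethernet1/1
set zone untrust network layer3 ethernet1/1

# Inside interface: IPv4 plus IPv6, management profile applied
set network interface ethernet ethernet1/2 layer3 ip 10.10.0.1/24
set network interface ethernet ethernet1/2 layer3 ipv6 enabled yes
set network interface ethernet ethernet1/2 layer3 ipv6 address 2001:db8:10::1/64 enable-on-interface yes
set network interface ethernet ethernet1/2 layer3 interface-management-profile admin-only
set network virtual-router default interface ethernet1/2
set zone trust network layer3 ethernet1/2

# 802.1Q subinterfaces on ethernet1/3 (matching the diagram: VLAN 2 = HR,
# VLAN 3 = DC). Each gets its own zone, so HR-to-DC traffic is interzone and
# denied until a rule allows it, even though one virtual router routes both.
set network interface ethernet ethernet1/3 layer3
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.2 tag 2 ip 192.168.2.2/24
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.3 tag 3 ip 192.168.4.1/24
set network virtual-router default interface [ ethernet1/3.2 ethernet1/3.3 ]
set zone hr network layer3 ethernet1/3.2
set zone dc network layer3 ethernet1/3.3

commit
exit

# Operational checks: addresses, zone membership and the connected routes
show interface all
show routing route type connect
```

A commit fails if an interface is listed in a virtual router or zone of the wrong type, or in two zones, which is the configuration-time counterpart of the "each interface belongs to exactly one zone" rule on slide 7.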


Virtual Routers
• Support one or more static routes
• Support dynamic routing:
  • BGPv4
  • OSPFv2
  • OSPFv3
  • RIPv2
• Support multicast routing:
  • PIM-SM
  • PIM-SSM

Diagram: one firewall with VR1 (dynamic routes, BGP), VR2 (dynamic routes, OSPF) and VR3 (static routes), connected to each other by inter-VR routes.


Virtual Router General Settings
Network > Virtual Routers
• Interfaces that the virtual router can use to forward traffic


Adding a Static Default Route

Network > Virtual Routers > Static Routes > Add



Multiple Static Default Routes
• Can configure multiple static default routes
• The route with the lowest metric is used.
• Path monitoring determines whether the routes are usable.
• The firewall switches the default route during a path failure.
• Supports failback

Diagram: VR1 on the firewall with two default routes, one per upstream path.


Static Route Path Monitoring
Network > Virtual Routers > Static Routes > Add
• Uses ping to test reachability to stable upstream devices
• Testing continues after failure
• Will remove or re-add static routes


Troubleshooting Routing
Network > Virtual Routers
• Route table (RIB): all known routes
• Forwarding table (FIB): where traffic will be forwarded
• Path monitoring status: status of the monitored paths
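The virtual-router, dual static default route and path-monitoring procedure from the last five slides as one PAN-OS set-command example, followed by the operational commands that show the RIB, FIB and monitor state. Added here as an example, not from the deck; ISP addresses, interface numbers, metrics and timers are assumptions, and the path-monitor keyword tree in particular should be confirmed with ? completion on your release.

```text
# Added example, not part of the course deck. Assumed: ISP1 on ethernet1/1
# (gateway 203.0.113.1), ISP2 on ethernet1/4 (gateway 198.51.100.1).
configure

# The virtual router may only forward out of interfaces listed here
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/4 ]

# Primary default route via ISP1, metric 10. Naming the interface as well as the
# next hop avoids a recursive lookup and pins the route to that link.
set network virtual-router default routing-table ip static-route def-isp1 destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10

# Backup default route via ISP2, metric 20. Only the lowest-metric route is
# installed in the FIB; this one sits in the RIB until def-isp1 is withdrawn.
set network virtual-router default routing-table ip static-route def-isp2 destination 0.0.0.0/0 interface ethernet1/4 nexthop ip-address 198.51.100.1 metric 20

# Path monitoring on the primary. failure-condition "any": one failed
# destination is enough to pull the route; hold-time 2 min before re-adding
# (failback) once pings succeed again.
set network virtual-router default routing-table ip static-route def-isp1 path-monitor enable yes failure-condition any hold-time 2
# Ping the ISP gateway from the interface address every 3 s; 5 misses = down.
# Monitoring a stable device beyond the first hop catches upstream failures
# that a live gateway would hide.
set network virtual-router default routing-table ip static-route def-isp1 path-monitor monitor-destinations isp1-gw enable yes source 203.0.113.10/24 destination 203.0.113.1 interval 3 count 5

commit
exit

# RIB: both default routes, with flags showing which one is active
show routing route
# FIB: only the route actually used for forwarding
show routing fib
# Status of every monitored destination and whether the route is withdrawn
show routing path-monitor
# Resolve a destination the way the data plane will, instead of guessing
test routing fib-lookup virtual-router default ip 1.1.1.1
```

During a failure the FIB lookup should return ethernet1/4 while the RIB still lists def-isp1; that difference between the two tables is what the slide's RIB/FIB split is for.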


VLAN Interfaces
• Are assigned an IP address
• Connect Layer 2 to Layer 3

Diagram: Zone A (Layer 2, Subnet 1) - Layer 2 interface - VLAN object - VLAN interface (IP address) - Virtual Router - Layer 3 interfaces to Zone B (Subnet 2) and Zone C (other subnets)


Configuring a VLAN Interface
Network > Interfaces > VLAN > Add
• Read-only name (vlan)
• An interface ID (not a VLAN tag)
• VLAN object: connects the interface to the Layer 2 network
• Virtual router: connects the interface to the Layer 3 networks
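One PAN-OS set-command example that covers both the Layer 2 interface and Layer 2 subinterface slides (20 and 21) and the VLAN interface slides above, since the VLAN interface is what joins the two. It is an added example, not deck material; interface numbers, VLAN object names, zone names and addresses are assumptions, and keywords should be confirmed with ? completion on your release.

```text
# Added example, not part of the course deck. Assumed: ethernet1/2 and
# ethernet1/3 are untagged access links; ethernet1/4 and ethernet1/5 are
# 802.1Q trunks. All names and addresses are placeholders.
configure

# Two physical Layer 2 interfaces switched together through VLAN object
# "vlan-users". Both are in the same zone, so frames between them match the
# intrazone-default rule (allowed, not logged) unless a rule says otherwise.
set network interface ethernet ethernet1/2 layer2
set network interface ethernet ethernet1/3 layer2
set network vlan vlan-users interface [ ethernet1/2 ethernet1/3 ]
set zone users-l2 network layer2 [ ethernet1/2 ethernet1/3 ]

# VLAN interface: the Layer 2 segment's gateway. ID 10 is just the interface
# number (vlan.10), not an 802.1Q tag. It belongs to a Layer 3 zone, so hosts
# going from users-l2 to anything routed cross a zone boundary and hit the
# interzone default deny until a Security rule allows it.
set network interface vlan units vlan.10 ip 192.168.10.1/24
set network vlan vlan-users virtual-interface interface vlan.10
set network virtual-router default interface vlan.10
set zone users-l3 network layer3 vlan.10

# Layer 2 subinterfaces on the trunks: VLAN 1 (Eng) and VLAN 2 (HR) each get
# their own VLAN object and zone, so the VLANs are isolated at Layer 2 and
# can only reach each other via a VLAN interface plus the virtual router.
set network interface ethernet ethernet1/4 layer2
set network interface ethernet ethernet1/5 layer2
set network interface ethernet ethernet1/4 layer2 units ethernet1/4.1 tag 1
set network interface ethernet ethernet1/4 layer2 units ethernet1/4.2 tag 2
set network interface ethernet ethernet1/5 layer2 units ethernet1/5.1 tag 1
set network interface ethernet ethernet1/5 layer2 units ethernet1/5.2 tag 2
set network vlan vlan-eng interface [ ethernet1/4.1 ethernet1/5.1 ]
set network vlan vlan-hr interface [ ethernet1/4.2 ethernet1/5.2 ]
set zone eng network layer2 [ ethernet1/4.1 ethernet1/5.1 ]
set zone hr network layer2 [ ethernet1/4.2 ethernet1/5.2 ]

commit
exit

# The MAC table the firewall has learned per VLAN object is the quickest way
# to confirm which interface a host is switched on
show mac all
```

Rule of thumb from the two zone types involved: switching stays inside one Layer 2 zone and is allowed by default, while the hop onto vlan.10 is interzone and must be allowed explicitly. Plan the zone names so that the rule from users-l2 to users-l3 is the only one needed for the gateway.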


Loopback Interface
• Logical interface with an IP address
• Behaves like a host interface
• Used to provide access to firewall services

Diagram: firewall with Zone A and Zone B on Layer 3 interfaces, and Zone C holding the loopback interface (IP address) that hosts the firewall services


Configuring a Loopback Interface
Network > Interfaces > Loopback > Add
• Read-only name (loopback)
• Loopback interface ID
• Do not assign a netmask to the IP addresses: a loopback is a host address, so /32 is implied.
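The loopback procedure above as PAN-OS set commands, with the Interface Management Profile and Security rule that make the loopback usable for firewall services. Added example, not from the deck; the address 10.255.255.1, the zone names, the admin subnet and the rule name are assumptions; confirm keywords with ? completion on your release.

```text
# Added example, not part of the course deck. Assumed: admin hosts live in
# 10.10.0.0/24 in zone "trust"; all names and addresses are placeholders.
configure

# Loopback ID 1 becomes loopback.1. Host address only, no mask (/32 implied).
set network interface loopback units loopback.1 ip 10.255.255.1

# Like any Layer 3 interface it needs a virtual router and a Layer 3 zone.
# Putting it in its own zone means every access to the services is interzone
# and therefore explicitly allowed and logged.
set network virtual-router default interface loopback.1
set zone services network layer3 loopback.1

# Expose only the services needed, and only to the admin subnet. Without a
# profile nothing answers on the loopback at all.
set network profiles interface-management-profile loopback-mgmt https yes ping yes
set network profiles interface-management-profile loopback-mgmt permitted-ip 10.10.0.0/24
set network interface loopback units loopback.1 interface-management-profile loopback-mgmt

# The management profile filters at the interface; the Security rule filters
# at the zone boundary. Both must allow the flow.
set rulebase security rules trust-to-services from trust to services source 10.10.0.0/24 destination 10.255.255.1 application [ ping ssl web-browsing ] service application-default action allow log-end yes

commit
exit

# Confirm the firewall really owns the /32 and the route exists
show routing route type connect
```

The loopback is reachable from any zone the virtual router can route from, so the Security rule, not the choice of interface, is what keeps untrust hosts away from the HTTPS listener.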


Policy-Based Forwarding
• Specifies a different egress interface than the one selected by the route table
• Possible uses are for performance or security reasons

Diagram: branch office firewall with the LAN on eth1/1; PBF rules choose between two paths to the HQ office:
• eth1/2, private leased line: egress for bandwidth-sensitive applications and unencrypted applications
• eth1/3, internet: egress for non-bandwidth-sensitive applications and encrypted applications


PBF Rules
• PBF rules use match criteria (source zone, address and user; destination address, application and port) to select traffic.
• PBF path monitoring enables the firewall to verify network path connectivity and to stop applying the rule when the path is down.

Policies > Policy Based Forwarding


Configuring PBF
Policies > Policy Based Forwarding > Add
• Specify the egress interface and next-hop IP address used to forward traffic.
• Specify source zone, address and user to match traffic.
• Specify destination address, application and port to match traffic.
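The PBF rule from the branch-office scenario (encrypted traffic out the internet link on eth1/3, path-monitored) as a PAN-OS set-command example, plus the test command that shows which rule a flow would hit. Added example, not from the deck; the zone "users", the next-hop 198.51.100.1, the test addresses and the monitor profile are assumptions. The symmetric-return setting is not covered by the deck and is included as a common companion to PBF; confirm all keywords with ? completion on your release.

```text
# Added example, not part of the course deck. Assumed: LAN zone "users" on
# eth1/1, internet link on ethernet1/3 with gateway 198.51.100.1.
configure

# Match encrypted (ssl) traffic from the users zone and forward it out the
# internet interface instead of the leased line the route table would pick.
# Remember the flow logic on slide 3: PBF runs before the destination zone is
# determined, so this rule also decides which zone the Security policy sees.
set rulebase pbf rules encrypted-via-internet from zone users source any destination any application ssl service any action forward egress-interface ethernet1/3 nexthop ip-address 198.51.100.1

# Path monitoring: ping the gateway with the "default" monitor profile and
# stop applying the rule if it is unreachable, so traffic falls back to normal
# routing instead of being black-holed on a dead link.
set rulebase pbf rules encrypted-via-internet action forward monitor profile default ip-address 198.51.100.1 disable-if-unreachable yes

# Return traffic must come back the same way, or the firewall sees an
# asymmetric flow and drops it; pin the reverse path to the same next hop.
set rulebase pbf rules encrypted-via-internet enforce-symmetric-return enabled yes nexthop-address-list 198.51.100.1

commit
exit

# Ask the data plane which PBF rule (if any) a given 5-tuple would match
test pbf-policy-match from users source 10.10.0.25 destination 203.0.113.50 protocol 6 destination-port 443 application ssl
```

Because the application is not known on the first packet, a PBF rule keyed on ssl only takes effect once App-ID has identified the flow; for a deterministic first-packet decision match on destination port 443 (service) instead.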


Module Summary
Now that you have completed this module,
you should be able to:

• Describe the flow logic of the next-generation firewall


• Create a security zone
• Describe the differences between Tap, Virtual Wire, Layer 2, and Layer 3
interfaces
• Create and configure a virtual router
• Define a static default route
• Configure a VLAN interface
• Configure a loopback interface



Questions? (Q & A)
Interface Configuration Lab (Pages 24-42 in the Lab Guide)
• Load a firewall lab configuration file
• Configure security zones
• Configure firewall Ethernet interfaces
• Configure a virtual router


