Archives for August 2020 | Ian Loe - Blog

Configuring a PA-220 for small network - Part 3

Part 3: Creating a DMZ for an Internet facing server


Now that you have your PA-220 working as a basic firewall for your small network, you might want to host something like a mail server.

As this server is Internet facing, you should create a DMZ to host it.

For this part of the set up, I will use the interface “ethernet1/5”.

Go to Network -> Zones -> DMZ-L3 (which was created in part 2)

[Screenshot: pa3-1]


Add interface “ethernet1/5” to the zone. If you previously added it to zone “Trust-L2”, remember to remove it from there before adding it here.

Next, go to Network -> Interfaces -> Ethernet and click on “ethernet1/5” to edit the settings.


[Screenshot: pa3-2]

Make sure the interface Type is “Layer 3” and the Security Zone is “DMZ-L3”.

In the IPv4 tab, I chose to give my server a static IP; configure it as such.



[Screenshot: pa3-3]

Click “OK” to continue.

Next, you will need to set a security policy for the DMZ. Go to Policies -> Security and click on “Add”.

[Screenshot: pa3-4]


Create a policy like this:

  • Name: mail
  • Source Zone: Untrust-L3
  • Destination Zone: DMZ-L3
  • Action: Allow

[Screenshot: pa3-5]


If you want to be able to manage the system from your internal VLAN, you would need to add another security policy rule:

  • Name: internal
  • Source Zone: Trust-L3
  • Destination Zone: DMZ-L3
  • Action: Allow

[Screenshot: pa3-6]

Now you would need to add a rule to allow the mail server to reach the Internet.

  • Name: mail-1
  • Source Zone: DMZ-L3
  • Destination Zone: Untrust-L3
  • Action: Allow

[Screenshot: pa3-7]


If you would like to further restrict access, you can limit the ports that can be accessed: go to Object -> Service, create an object “service-mail-tcp” containing all the mail ports, and set the Service of the rule to just that object.


[Screenshot: pa3-8]


After you have defined the security policy, you will need to define the NAT policy rules.

You would need to create these 3 rules: 1 for webmail access (over HTTPS) and 2 for incoming and outgoing mail.


[Screenshot: pa3-9]


Do note that, to make things easier to read, I have created an address object to name the IPs:

[Screenshot: pa3-10]


Now, all you have to do is ensure your mail server’s IP is set to 10.0.10.5 and that the host firewall (if any) has the relevant ports open.

Lastly, you will need to configure a static route to your DMZ. Go to Network -> Virtual Routers and click on “default”.


[Screenshot: pa3-11]


Now add a new static route by going to “Static Routes” and clicking on “Add”.


[Screenshot: pa3-12]

Create a new route like this:


[Screenshot: pa3-13]


Note: my DMZ server is directly attached to the PA-220, hence the static route's next hop is the DMZ server's IP address; otherwise it would normally be the DMZ default gateway IP address.

Click “OK” to continue.



Now “Commit” and you should be able to use the mail server in the DMZ.
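The same DMZ set-up can be entered from the PAN-OS CLI in configuration mode. This is an added example, not configuration from the original post; it assumes a DMZ interface address of 10.0.10.1/24, a mail port list of 25, 465, 587 and 993, the address object names “mail-server” and “wan-public-ip” (with a placeholder public IP), and a route prefix of 10.0.10.0/24 mirroring the static-route step above. Lines starting with # are annotations, not CLI input.

```text
# Added example: PAN-OS CLI equivalent of the Part 3 GUI steps (not the post's own config).
configure

# Zone and Layer 3 interface for the DMZ (Network -> Zones / Interfaces); interface IP is assumed
set network interface ethernet ethernet1/5 layer3 ip 10.0.10.1/24
set network virtual-router default interface ethernet1/5
set zone DMZ-L3 network layer3 ethernet1/5

# Address and service objects used by the rules below (names and port list are assumed)
set address mail-server ip-netmask 10.0.10.5/32
set address wan-public-ip ip-netmask 203.0.113.10/32
set service service-mail-tcp protocol tcp port 25,465,587,993

# Security policy (Policies -> Security): inbound rule limited to the mail service object
set rulebase security rules mail from Untrust-L3 to DMZ-L3 source any destination any application any service service-mail-tcp action allow
set rulebase security rules internal from Trust-L3 to DMZ-L3 source any destination any application any service any action allow
set rulebase security rules mail-1 from DMZ-L3 to Untrust-L3 source any destination any application any service any action allow

# NAT policy (Policies -> NAT): one rule for webmail, two for incoming and outgoing mail.
# Inbound rules use "to Untrust-L3" because the public IP lives on ethernet1/1 in that zone.
set rulebase nat rules webmail from Untrust-L3 to Untrust-L3 source any destination wan-public-ip service service-https destination-translation translated-address mail-server
set rulebase nat rules mail-in from Untrust-L3 to Untrust-L3 source any destination wan-public-ip service service-mail-tcp destination-translation translated-address mail-server
set rulebase nat rules mail-out from DMZ-L3 to Untrust-L3 source mail-server destination any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Static route to the DMZ with the directly attached server as next hop (Network -> Virtual Routers -> default)
set network virtual-router default routing-table ip static-route dmz destination 10.0.10.0/24 interface ethernet1/5 nexthop ip-address 10.0.10.5

commit
```

Replace 203.0.113.10 with your ISP-assigned address; security policy is evaluated on the pre-NAT destination IP but the post-NAT zone, which is why the inbound security rule is written to DMZ-L3 while the NAT rule is written to Untrust-L3.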


Configuring a PA-220 for small network - Part 2

Part 2: Configuring your Network Zones


Now that you have set up the PA-220 for use, it is time to define and create the zones and interfaces.

Remember to change your computer's IP to the subnet you used to configure the MGT interface.

Creating Zones


After you have logged in, go to Network -> Zones.

Click on the “Add” button at the bottom of the page.


[Screenshot: pa2-1]


Here you would need to create 4 Zones (plus an optional VPN zone):

  • Untrust-L3, Type: Layer 3
  • Trust-L3, Type: Layer 3
  • Trust-L2, Type: Layer 2
  • DMZ-L3, Type: Layer 3
  • VPN, Type: Layer 3 (if you intend to set up GlobalProtect VPN with its own zone later)


[Screenshot: pa2-2]

After adding the zones, you should see them listed like this:

[Screenshot: pa2-3]

At this point, you can connect the ethernet cable from the GPON to port 1 (ethernet1/1) on your PA-220.

Configure Interfaces


Now go to Network -> Interfaces -> Ethernet, and click on “ethernet1/1” to configure it.



[Screenshot: pa2-4]

You will see this screen; set the Interface Type to “Layer 3”, Virtual Router to “default” and Security Zone to “Untrust-L3”.

[Screenshot: pa2-5]



Next, click on IPv4 and set the Type to “DHCP Client” (unless your ISP requires a manual configuration for a static IP).


[Screenshot: pa2-6]


Click OK to continue.

Create a VLAN



Next, go to Network -> VLANs and click on “Add” at the bottom of the screen.


[Screenshot: pa2-7]


Create a VLAN (you can call it “VLAN Object”) and add all the interfaces you want to this VLAN. In my case I added all except ethernet1/5, which I used for the DMZ.


[Screenshot: pa2-8]

Next, go back to Network -> Interfaces -> Ethernet to edit the settings for ethernet1/2, and so on.


[Screenshot: pa2-9]

Set the following for ethernet1/2 to ethernet1/8:

  • Interface Type: Layer2
  • Netflow Profile: None
  • VLAN: VLAN Object
  • Security Zone: Trust-L2

[Screenshot: pa2-10]

Next, go to Network -> Interfaces -> VLAN to edit the settings:


[Screenshot: pa2-11]

Under the Config tab, set the following:

  • VLAN: VLAN Object
  • Virtual Router: default
  • Security Zone: Trust-L3

[Screenshot: pa2-12]

Under the IPv4 tab, enter the gateway IP you defined earlier (in Part 1).

[Screenshot: pa2-13]

Click OK to continue.


Setting DHCP Server


Go to Network -> DHCP -> DHCP Server.

[Screenshot: pa2-14]

Click on “Add” at the bottom of the page.


[Screenshot: pa2-15]

Add the IP range from 10.0.5.1 to 10.0.5.252 and set it to enabled.

Click "OK" to continue.


Define a Security Policy



Next, go to Policies -> Security.

[Screenshot: pa2-16]

Click on “Add” to create a new policy:


[Screenshot: pa2-17]

Next, go to the “Source” tab and add the zone “Trust-L3”.

[Screenshot: pa2-18]



On the “Destination” tab, add the zone “Untrust-L3”.

[Screenshot: pa2-19]

Next, go to the “Actions” tab and make sure the action is set to “allow”.

[Screenshot: pa2-20]


Click on OK to continue.

Configure NAT


Next, go to Policies -> NAT and click on “Add”.

[Screenshot: pa2-21]

Create a NAT policy rule called “Internet Outgoing”.


[Screenshot: pa2-22]


On the “Original Packet” tab, add the source zone “Trust-L3”.

[Screenshot: pa2-23]


On the “Translated Packet” tab, set the following:

  • Translation Type: Dynamic IP And Port
  • Address Type: Interface Address
  • Interface: ethernet1/1


[Screenshot: pa2-24]



With this, you should be able to connect a PC to any port from ethernet1/2 to ethernet1/8 on your LAN and get out to the Internet on ethernet1/1.
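For readers who prefer the CLI, here is an added example (not configuration from the original post) that enters the Part 2 zone, WAN interface, security policy and outbound NAT steps from PAN-OS configuration mode; the VLAN, Layer 2 interface and DHCP server steps are left to the GUI as described above. The security rule name “lan-out” is assumed, since the post does not name it. Lines starting with # are annotations, not CLI input.

```text
# Added example: PAN-OS CLI equivalent of the Part 2 zone, WAN, policy and NAT steps (not the post's own config).
configure

# Zones (Network -> Zones); the optional VPN zone is omitted
set zone Untrust-L3 network layer3
set zone Trust-L3 network layer3
set zone Trust-L2 network layer2
set zone DMZ-L3 network layer3

# WAN interface ethernet1/1: Layer 3, DHCP client with a default route from the ISP, in virtual router "default"
set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/1 layer3 dhcp-client create-default-route yes
set network virtual-router default interface ethernet1/1
set zone Untrust-L3 network layer3 ethernet1/1

# Security policy (Policies -> Security): internal LAN out to the Internet; rule name is assumed
set rulebase security rules lan-out from Trust-L3 to Untrust-L3 source any destination any application any service any action allow

# Source NAT (Policies -> NAT): hide the LAN behind the address of ethernet1/1
set rulebase nat rules "Internet Outgoing" from Trust-L3 to Untrust-L3 source any destination any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
```

Note that this rule allows any application outbound, matching the post; tightening the application and service fields later is where you would add egress control.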






Configuring a PA-220 for small network - Part 1

Today I will do a simple walk-through on how to configure a PA-220 firewall running PAN-OS 10.0 for a simple home (or small business) network.

Assumptions: the home network consists of a fibre broadband connection to the PA-220, and there will be 2 zones (a DMZ and an internal trusted zone).

[Diagram: homenet]


Part 1: Get it Up and Running



The 1st thing to do is to establish some basic information such as:

  1. IP address from your ISP (if static IP)
  2. Determine an IP range you would like to have for your internal zone and DMZ zone
  3. Determine the IP to be used for the MGT port
  4. Determine the IP for your default gateway
  5. Determine which DNS service you will be using


Once you have that information, you will want to do an initial setup (assuming the PA-220 is brand new or factory reset).

Plug your computer directly into the MGT port via an ethernet cable. Set the ethernet port IP of your computer to an address in the 192.168.1.0/24 range (e.g. 192.168.1.2).

Connect to the PA-220 in your browser via the URL https://192.168.1.1

When prompted, use the default username/password, which is admin/admin.

(Note that you will be asked to change the password on 1st login if your box is shipped with PAN-OS 9.0.4 or later.)

If you have an older box, go to Device -> Administrators.


[Screenshot: pa1-1]

Click on the admin role and you should get a window to change the password like this:


[Screenshot: pa1-2]


Next, you would need to configure the MGT interface by going to Device -> Setup -> Interfaces and clicking on the “Management” interface.


[Screenshot: pa1-3]


You should see this window:

[Screenshot: pa1-4]


I would suggest starting with a static IP (DHCP for MGT is mainly used in some cloud environments like AWS and Azure), and I have chosen the MGT IP to be 10.0.5.1 with a netmask of 255.255.255.0 and the gateway to be 10.0.5.254.

You can enhance the security by limiting the IP addresses that can access the MGT interface by adding them to the table on the left (but I suggest you do this later, once you have set up your whole environment).

Next, you would need to set up your DNS service. Go to Device -> Setup -> Services and click on the gear icon.


[Screenshot: pa1-5]


You should get to this screen.


[Screenshot: pa1-6]

In this example, I use Google DNS (8.8.8.8) as the primary and Cloudflare (1.1.1.1) as the secondary. Obviously, you can use whatever DNS server you wish here.

To set the time server, click on the NTP tab at the top and set the NTP server:

[Screenshot: pa1-7]


If you wish, you could set up the hostname and domain in the Device -> Setup -> Management tab, but this is not necessary.

After you have done all that, it is time to commit the changes. Go to the top right of the window and click on the “Commit” button.

Now that you have it all set up, you would need to change the IP of your computer to log in to the firewall again.
