.. Configuring a PA-220 for small network - Part 3 | Ian Loe - Blog

Configuring a PA-220 for small network - Part 3

Part 3: Creating a DMZ for an Internet facing server


Now that you have gotten your PA-220 working as a basic firewall for your small network, you might want to host something like mail server.

As this server is Internet facing, you should create a DMZ to host it.

For this part of the set up, I will use the interface “ethernet1/5”.

Go to Network -> Zones -> DMZ-L3 (which was created in part 2)

pa3-1


Add Interface “ethernet1/5” to the Zone. Remember to remove it from zone “Trust-L2” if you have added it there previously before adding it here.

Next, go to Network -> Interfaces -> Ethernet and click on “ethernetnet1/5” to edit the settings.


pa3-2

Make sure the interface Type is “Layer 3” and the Security Zone is “DMZ-L3”.

In the IPv4 tab, I chose to give my server a static IP, configure it as such



pa3-3

Click “OK” to continue.

Next, you will need to set a security policy for the DMZ. Go to Policies -> Security and click on “add”

pa3-4


Create a policy like this:

  • Name: mail
  • Source Zone: Untrust-L3
  • Destination Zone: DMZ-L3
  • Action: Allow

pa3-5


If you want to be able to manage the system from your internal VLAN, you would need to add another security policy rule:

  • Name: internal
  • Source Zone: Trust-L3
  • Destination Zone: DMZ-L3
  • Action: Allow

pa3-6

Now you would need to add a rule to allow the mail server to reach the internet.

  • Name: mail-1
  • Source Zone: DMZ-L3
  • Destination Zone: Untrust-L3
  • Action: Allow

pa3-7


If you would like to further secure the access. You can limit the ports that can be access using Object -> Service and create an object “service-mail-tcp” with all the mail ports and limit service to just these ports.


pa3-8


After you have defined the security policy, you will need to define the NAT policies rule.

You would need to create these 3 rules, 1 for webmail access (over HTTPS) and 2 of incoming and outgoing mail.


pa3-9


Do note that to make things easier to read, I have create an address object to name the IPs:

pa3-10


No, all you have to do is ensure your mail server’s IP is set to 10.0.10.5 and that the host firewall (if any) has the relevant ports open.

Lastly you will need to configure a static route to your DMZ. Go to Network -> Virtual Routers, click on “default”


pa3-11


Now add a new static route by got to “Static Routes” and click on “add”


pa3-12

Create a new route like this:


pa3-13


Note: My DMZ server is directly attached to the PA-220 hence the static route is based on the DMZ server's IP address, else it would normally be the DMZ default gateway IP address.

Click “OK” to continue.



Now “Commit” and you should be able to use the mail server in the DMZ.

blog comments powered by Disqus

Ian's Blog