Ian Loe - Blog

Configuring a PA-220 for small network - Part 3

Part 3: Creating a DMZ for an Internet facing server

Now that your PA-220 is working as a basic firewall for your small network, you might want to host something like a mail server.

As this server is Internet facing, you should place it in a DMZ: a separate zone with its own interface and its own policy, so that a compromise of the server does not give an attacker a direct path onto your trusted LAN.

For this part of the setup, I will use the interface “ethernet1/5”.

Go to Network -> Zones -> DMZ-L3 (which was created in Part 2)


Add Interface “ethernet1/5” to the Zone. Remember to remove it from zone “Trust-L2” first if you added it there earlier; an interface can belong to only one zone.

Next, go to Network -> Interfaces -> Ethernet and click on “ethernet1/5” to edit the settings.


Make sure the Interface Type is “Layer 3”, the Virtual Router is “default” and the Security Zone is “DMZ-L3”.

In the IPv4 tab, set Type to “Static” and give the interface an address in the DMZ subnet; this address becomes the default gateway for the mail server. Configure it as such:


Click “OK” to continue.

Next, you will need to set a security policy for the DMZ. Go to Policies -> Security and click on “add”


Create a policy like this:

  • Name: mail
  • Source Zone: Untrust-L3
  • Destination Zone: DMZ-L3
  • Action: Allow


If you want to manage the server from your internal VLAN, add another security policy rule:

  • Name: internal
  • Source Zone: Trust-L3
  • Destination Zone: DMZ-L3
  • Action: Allow


Next, add a rule to allow the mail server to reach the Internet (it needs this to deliver outgoing mail):

  • Name: mail-1
  • Source Zone: DMZ-L3
  • Destination Zone: Untrust-L3
  • Action: Allow


If you want to tighten this further, limit the allowed ports: go to Objects -> Services, create a service object “service-mail-tcp” containing the mail ports, and restrict the “mail” rule to that service instead of “any”. Also set the rule's Destination to the address object for the mail server's public address (security policy is matched against the pre-NAT destination, so the public IP is the one to use) and set Application to the mail applications (smtp, imap, pop3, ssl) rather than “any”, so that a rule meant for mail does not admit every protocol from the Internet into the DMZ.
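An added example, not part of the original walkthrough: a short Python script that reads an exported PAN-OS configuration snapshot (Device -> Setup -> Operations -> Export) and flags every allow rule that still has “any” in its destination, application or service, marking the ones that are reachable from the Untrust zone. The XML below is constructed by hand to mirror the rules in this part; the element layout (devices/entry/vsys/entry/rulebase/security/rules) is the one a PAN-OS export uses, but check it against your own export before relying on the XPath.

```python
"""Flag over-permissive allow rules in an exported PAN-OS configuration.

Added example, not from the original post.  It assumes the XML layout of a
PAN-OS configuration snapshot (Device -> Setup -> Operations -> Export), where
vsys1's rules live under devices/entry/vsys/entry/rulebase/security/rules.
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring Part 3: "mail" and "internal" as written
# there (everything allowed), plus a narrowed version of the inbound rule.
SAMPLE_CONFIG = """\
<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><security><rules>
   <entry name="mail">
    <from><member>Untrust-L3</member></from>
    <to><member>DMZ-L3</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>allow</action>
   </entry>
   <entry name="internal">
    <from><member>Trust-L3</member></from>
    <to><member>DMZ-L3</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>allow</action>
   </entry>
   <entry name="mail-hardened">
    <from><member>Untrust-L3</member></from>
    <to><member>DMZ-L3</member></to>
    <source><member>any</member></source>
    <destination><member>mail-public</member></destination>
    <application><member>smtp</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
   </entry>
  </rules></security></rulebase>
 </entry></vsys></entry></devices>
</config>
"""

RULES_XPATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"
WIDE_FIELDS = ("destination", "application", "service")


def members(entry, tag):
    """Values of <tag><member>..</member></tag> under a rule entry."""
    return [m.text for m in entry.findall(f"./{tag}/member")]


def audit_security_rules(xml_text, internet_zones=("Untrust-L3",)):
    """Map rule name -> problems for every allow rule with an 'any' in a field
    that should be pinned down.  Rules entered from an Internet-facing zone are
    marked separately, because there 'any' exposes the whole zone behind them."""
    root = ET.fromstring(xml_text)
    findings = {}
    for rule in root.findall(RULES_XPATH):
        if rule.findtext("action") != "allow":
            continue
        problems = [f"{f} any" for f in WIDE_FIELDS if "any" in members(rule, f)]
        if problems and any(z in internet_zones for z in members(rule, "from")):
            problems.append("reachable from the Internet zone")
        if problems:
            findings[rule.get("name")] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_security_rules(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(problems)}")
```

Run against the sample it reports “mail” and “internal” and stays quiet about “mail-hardened”, which pins the destination to an address object, names the applications and uses “application-default” for the service. Source “any” is deliberately not flagged: for an Internet-facing mail server the source really is anyone, which is exactly why the other three fields have to be narrow.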


After you have defined the security policy, you will need to define the NAT policy rules.

You will need three rules: a destination NAT for webmail access (over HTTPS), a destination NAT for incoming mail, and a source NAT so that outgoing mail leaves with the firewall's public address. The two destination NAT rules are written from zone “Untrust-L3” to zone “Untrust-L3”, because the original (pre-NAT) destination is the public IP on ethernet1/1, which sits in the Untrust zone.


Do note that, to make things easier to read, I have created address objects to name the IPs:


Now, all you have to do is ensure your mail server’s IP is set to and its default gateway is the ethernet1/5 address, and that the host firewall (if any) has the relevant ports open.

Lastly you will need to configure a static route to your DMZ. Go to Network -> Virtual Routers, click on “default”


Now add a new static route by going to “Static Routes” and clicking “Add”


Create a new route like this:


Note: my DMZ server is directly attached to the PA-220, hence the static route uses the DMZ server's IP address as the next hop; otherwise it would normally be the DMZ default gateway's IP address.

Click “OK” to continue.

Now “Commit”, and you should be able to use the mail server in the DMZ. If something does not get through, the Traffic log (Monitor -> Logs -> Traffic) shows which security rule each session hit, including the default deny.


Configuring a PA-220 for small network - Part 2

Part 2: Configuring your Network Zones

Now that you have set up the PA-220 for use, it is time to define and create the zones and interfaces.

Remember to change your IP to the right subnet you used to configure the MGT interface.

Creating Zones

After you logged in, go to Network -> Zones

Click on the “Add” button at the bottom of the page.


Here you would need to create these zones (the last one is optional):

  • Untrust-L3, Type: Layer 3
  • Trust-L3, Type: Layer 3
  • Trust-L2, Type: Layer 2
  • DMZ-L3, Type: Layer 3
  • VPN, Type: Layer 3 (only if you intend to set up GlobalProtect VPN with its own zone later)


After adding the zones, the list should look like this:


At this point, you can connect the ethernet cable from the GPON to port 1 (ethernet1/1) on your PA-220.

Configure Interfaces

Now go to Network -> Interfaces -> Ethernet, and click on “ethernet1/1” to configure it.


You will see this screen; set the Interface Type to “Layer 3”, the Virtual Router to “default” and the Security Zone to “Untrust-L3”.


Next click on IPv4 and set the Type to “DHCP Client” (unless your ISP requires a manual configuration for a static IP). Leave “Automatically create default route pointing to default gateway provided by server” enabled, so the virtual router learns its default route from the ISP.


Click OK to continue.

Create a VLAN

Next go to Network -> VLANs and click on “Add” at bottom of screen


Create a VLAN (I called mine “VLAN Object”) and add all the interfaces you want in it. In my case I added every port except ethernet1/5, which I use for the DMZ.


Next go back to Network -> Interfaces -> Ethernet to edit the settings for ethernet1/2, and so on.


Set the following for ethernet1/2 to 1/8:

  • Interface Type: Layer 2
  • Netflow Profile: None
  • VLAN: VLAN Object
  • Security Zone: Trust-L2


Next go to Network -> Interfaces -> VLAN to edit the settings of the VLAN interface:


Under the Config tab, set the following:

  • VLAN: VLAN Object
  • Virtual Router: default
  • Security Zone: Trust-L3


Under the IPv4 tab, enter the gateway IP you defined earlier (in Part 1)


Click OK to continue.

Setting DHCP Server

Go to Network -> DHCP -> DHCP Server


Click on "add" at bottom of page.


Select the VLAN interface as the Interface, add the IP range from to under IP Pools, set the gateway and DNS servers under Options, and set the server to enabled.

Click "OK" to continue.

Define a Security Policy

Next go to Policies -> Security


Click on “add” to create a new policy:


Next go to the tab “Source” and add the zone “Trust-L3”


On the “Destination” tab add the zone “Untrust-L3”


Next go to the “Actions” tab and make sure action is set to “allow”


Click on OK to continue.

Configure NAT

Next go to Policies -> NAT and click on "Add"


Create a NAT Policy Rule called “Internet Outgoing”


On the Original Packet tab, add the source zone “Trust-L3” and set the destination zone to “Untrust-L3”


On the “Translated Packet” Tab, set the following:

• Translation Type: Dynamic IP And Port
• Address Type: Interface Address
• Interface: ethernet1/1


With this you should be able to connect a PC to any port from ethernet1/2 to ethernet1/8 on your LAN and reach the Internet via ethernet1/1. Traffic into the DMZ, or from the Internet inwards, is still dropped by the interzone default rule until you add rules for it, which is what Part 3 does.
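An added example, not from the original posts, that models the order PAN-OS applies the rules from this part and from Part 3: the NAT rule is looked up first, the destination zone is taken from the translated address, and the security rule is then matched on that post-NAT zone but on the original pre-NAT addresses. It covers the “Internet Outgoing” source NAT above as well as the inbound mail and webmail destination NATs of Part 3, and shows why an inbound rule written against the server's DMZ address never matches. All addresses are assumptions (RFC 5737 documentation ranges on the Internet side, private ranges inside), and the routing table is a hand-built stand-in for the virtual router.

```python
"""Trace how PAN-OS matches NAT and then security policy for the rules in Parts 2 and 3.

Added example, not from the original post.  All addresses are assumptions: RFC 5737
documentation ranges on the Internet side, private ranges inside.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_IP = "203.0.113.5"      # assumed: address ethernet1/1 received from the ISP
MAIL_DMZ = "10.0.2.10"      # assumed: mail server behind ethernet1/5
ROUTES = {                  # assumed routing table: prefix -> zone of the egress interface
    "10.0.1.0/24": "Trust-L3",
    "10.0.2.0/24": "DMZ-L3",
    "0.0.0.0/0": "Untrust-L3",
}


def zone_of(ip: str) -> str:
    """Zone of the interface a route lookup would pick for ip (longest prefix wins)."""
    hits = [ip_network(p) for p in ROUTES if ip_address(ip) in ip_network(p)]
    return ROUTES[str(max(hits, key=lambda n: n.prefixlen))]


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                            # zone of the PRE-NAT destination
    dst: Optional[str] = None               # pre-NAT destination address, None = any
    service: Optional[frozenset] = None     # {(proto, port)}, None = any
    translated_dst: Optional[str] = None    # destination NAT (static IP)
    translated_src: Optional[str] = None    # source NAT (dynamic IP and port)


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str                            # zone of the POST-NAT destination
    dst: Optional[str] = None               # compared with the PRE-NAT destination
    service: Optional[frozenset] = None
    action: str = "allow"


def _matches(rule, src_zone, dst_zone, dst, proto, port):
    return (rule.from_zone == src_zone and rule.to_zone == dst_zone
            and rule.dst in (None, dst)
            and (rule.service is None or (proto, port) in rule.service))


def evaluate(packet, nat_rules, sec_rules):
    """packet = (src_ip, dst_ip, proto, dst_port); returns the rules hit and the verdict."""
    src, dst, proto, port = packet
    src_zone, pre_nat_dst_zone = zone_of(src), zone_of(dst)
    post_dst, post_src, nat_hit = dst, src, None
    for r in nat_rules:  # 1. NAT lookup: first match, on pre-NAT zones and addresses
        if _matches(r, src_zone, pre_nat_dst_zone, dst, proto, port):
            nat_hit, post_dst, post_src = r.name, r.translated_dst or dst, r.translated_src or src
            break
    post_dst_zone = zone_of(post_dst)  # 2. destination zone comes from the translated address
    for s in sec_rules:  # 3. ...but the policy still compares the original (pre-NAT) addresses
        if _matches(s, src_zone, post_dst_zone, dst, proto, port):
            verdict = (s.name, s.action)
            break
    else:  # PAN-OS defaults: same zone allowed, different zones denied
        verdict = (("intrazone-default", "allow") if src_zone == post_dst_zone
                   else ("interzone-default", "deny"))
    return {"nat": nat_hit, "rule": verdict[0], "action": verdict[1],
            "from": src_zone, "to": post_dst_zone,
            "translated_src": post_src, "translated_dst": post_dst}


MAIL_PORTS = frozenset({("tcp", 25), ("tcp", 443)})
NAT_RULES = [  # destination NAT is written Untrust -> Untrust: the public IP lives in Untrust
    NatRule("Mail Inbound", "Untrust-L3", "Untrust-L3", dst=WAN_IP,
            service=frozenset({("tcp", 25)}), translated_dst=MAIL_DMZ),
    NatRule("Webmail Inbound", "Untrust-L3", "Untrust-L3", dst=WAN_IP,
            service=frozenset({("tcp", 443)}), translated_dst=MAIL_DMZ),
    NatRule("Mail Outgoing", "DMZ-L3", "Untrust-L3", translated_src=WAN_IP),
    NatRule("Internet Outgoing", "Trust-L3", "Untrust-L3", translated_src=WAN_IP),
]
SEC_RULES = [  # inbound rule: post-NAT zone DMZ-L3, but pre-NAT destination WAN_IP
    SecRule("mail", "Untrust-L3", "DMZ-L3", dst=WAN_IP, service=MAIL_PORTS),
    SecRule("internal", "Trust-L3", "DMZ-L3"),
    SecRule("mail-1", "DMZ-L3", "Untrust-L3"),
    SecRule("outbound", "Trust-L3", "Untrust-L3"),
]
# The classic mistake: matching the inbound rule on the server's DMZ address instead.
SEC_RULES_WRONG = [SecRule("mail", "Untrust-L3", "DMZ-L3", dst=MAIL_DMZ,
                           service=MAIL_PORTS)] + SEC_RULES[1:]

if __name__ == "__main__":
    inbound = ("198.51.100.7", WAN_IP, "tcp", 25)
    print(evaluate(inbound, NAT_RULES, SEC_RULES))        # hits "mail", allow
    print(evaluate(inbound, NAT_RULES, SEC_RULES_WRONG))  # interzone-default, deny
```

Two things the trace makes visible. First, the same SMTP packet is allowed by the correct rulebase and falls through to the interzone default deny with the “wrong” one, even though the NAT rule matched in both cases: the policy compared 203.0.113.5, not 10.0.2.10. Second, a packet from the Internet to a port on the WAN address with no NAT rule (say tcp/22) ends up Untrust to Untrust and hits the intrazone default allow; that is traffic to the firewall itself, and it is only answered if an Interface Management Profile on ethernet1/1 permits the service, so leave that profile off the Untrust interface.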


Configuring a PA-220 for small network - Part 1

Today I will do a simple walk-through on how to configure a PA-220 firewall running PAN-OS 10.0 for a simple home (or small business) network.

Assumptions: Home network would consist of a fibre broadband connection to the PA-220 and there will be 2 zones (a DMZ and an internal trusted zone)


Part 1: Get it Up and Running

The first thing to do is to establish some basic information such as:

  1. IP Address from your ISP (if static IP)
  2. Determine an IP range you would like to have for your internal zone and DMZ zone
  3. Determine the IP to be used for the MGT port
  4. Determine the IP for your default gateway
  5. Determine which DNS service you will be using

Once you have that information, you will want to do the initial setup (assuming the PA-220 is brand new or factory reset).

Plug in your computer directly to the MGT port via an ethernet cable. Set the ethernet port IP of your computer to an address in the range. (e.g.

Connect to the PA-220 on your browser via the URL

When prompted, use the default username/password, which is admin/admin.

(Note that you will be asked to change the password on first login if your box shipped with PAN-OS 9.0.4 or later.)

If you have an older box, go to Device-> Administrators


Click on the admin role and you should get a window to change the password like this:


Next, configure the MGT interface by going to Device -> Setup -> Interfaces and clicking on the “Management” interface.


You should see this window:


I suggest starting with a static IP (DHCP for MGT is mainly used in some cloud environments like AWS and Azure). I have chosen the MGT IP to be with a netmask of and the gateway to be

You can tighten security by limiting the IP addresses that can reach the MGT interface: add them to the Permitted IP Addresses table on the left (I suggest you do this later, once you have set up your whole environment, so you do not lock yourself out). While you are here, leave only HTTPS and SSH enabled under Administrative Management Services; HTTP and Telnet send the admin credentials in the clear.

Next you would need to setup your DNS service. Go to Device -> Setup -> Services. And click on the gear icon.


You should get to this screen.


In this example, I use Google DNS ( as the primary and Cloudflare ( as the secondary. Obviously, you can use whatever DNS server you wish here.

To set the time server, click on the NTP tab at the top:


If you wish, you could setup the hostname and domain in the Device -> Setup -> Management tab, but this is not necessary.

After you have done all that, it is time to commit the changes. Go to the top right of the window and click on the “Commit” button.

Now that you have it all setup, you would need to change the IP of your computer to re-login to the firewall.


From EDR to MDR

I was recently featured in Enterprise Security Magazine on the topic of moving from EDR to MDR. As we are hit with the ever increasing volume of incidents and the shortage of trained professionals to handle them, we need to leverage partnerships to deal with these issues. One of the ways I am addressing this is to make use of Managed Detection & Response services with a vendor to help react faster and give us time to mitigate the issues.

Here is a link to the article : https://managed-security-services-apac.enterprisesecuritymag.com/cxoinsight/from-edr-to-mdr-the-security-industry-gets-serious-about-visibility-nid-1480-cid-83.html

And here is a copy of the article in PDF -> click here to download

New YouTube Channel

Do check out my YouTube channel, where I talk about some of the latest threats in 2019, diversity in hiring and a brief history of the SOC.

