Articles Tagged ‘Palo Alto’

Palo Alto Firewall Application-based Policy Enforcement (App-ID), User Identification (User-ID) and Application Control Centre (ACC) Features for Enterprise Networks

Our previous article examined the benefits of Palo Alto Networks Firewall Single Pass Parallel Processing (SP3) architecture and how its combine with the separate Data and Control planes to boost firewall performance and handle large amounts of traffic without and performance impact. This article focuses on the traffic flow logic inside the Palo Alto Firewall and two unique features that separate it from the competition: Application-based policy enforcement (App-ID) & User Identification (User-ID).

For more Technical articles on Palo Alto Networks Firewalls, visit our Palo Alto Networks Firewall Section

Flow Logic of the Next-Generation Firewall

The diagram below is a simplified version of the flow logic of a packet travelling through a Palo Alto Networks Next-Generation Firewall and this can be always used a reference to study the packet processing sequence:

palo-alto-firewall-app-id-user-id-application-control-centre-1

Figure 1. Flow Logic of a packet inside the Palo Alto Networks Next Generation Firewall

Palo Alto Networks Next-Generation Firewalls works with the concepts of zones not interfaces, once a packet enters the firewall, the Palo Alto Networks Next-Generation Firewalls identifies from which zone the packet came and where it is destined to go. This is similar to Cisco IOS Routers Zone-based Firewalls and Cisco ASA Firewalls.

Users interested can also download for free the Palo Alto Networks document “Day in the Life of a Packet” found in our Palo Alto Networks Download section which explains in great detail the packet flow sequence inside the Palo Alto Networks Firewall.

App-ID & User-ID – Features That Set Palo Alto Apart from the Competition

App-ID and User-ID are two really interesting features not found on most competitors’ firewalls and really help set Palo Alto Networks apart from the competition. Let’s take a look at what App-ID and User-ID are and how they help protect the enterprise network.

App-ID: Application-based Policy Enforcement

App-ID is the biggest asset of Palo Alto Networks Next-Generation Firewalls. Traditional firewalls block traffic based on protocol and/or ports, which years ago seemed to be the best way of securing the network perimeter, however this approach today is inadequate as applications (including SSL VPNs) can easily bypass a port-based firewall by hopping between ports or using well-known open ports such as tcp-http (80) or tcp/udp-dns (53) normally found open.

A traditional firewall that allows the usage of TCP/UDP port 53 for DNS lookups, will allow any application using that port to pass through without asking second questions. This means that any application can use port 53 to send/receive traffic, including evasive applications like BitTorrent for P2P file sharing, which is quite dangerous:

Palo Alto Network’s App-ID effectively blocks unwanted BitTorrent traffic

Figure 2. Palo Alto Network’s App-ID effectively blocks unwanted BitTorrent traffic

With App-ID, Palo Alto Networks Next-Generation Firewalls uses multiple identification mechanisms to determine the exact identity of applications traversing the network. Following is the order in which traffic is examined and classified:

Palo Alto Firewall Configuration Options. Tap Mode, Virtual Wire, Layer 2 & Layer 3 Deployment modes

Our previous article explained how Palo Alto Firewalls make use of Security Zones to process and enforce security policies. This article will explain the different configuration options for physical Ethernet and logical interfaces available on the Palo Alto Firewall.

It’s easy to mix and match the interface types and deployment options in real world deployments and this seems to be the strongest selling point of Palo Alto Networks Next-Generation Firewalls. Network segmentation becomes easier due to the flexibility offered by a single pair of Palo Alto appliances.

Below is a list of the configuration options available for Ethernet (physical) interfaces:

  • Tap Mode
  • Virtual Wire
  • Layer 2
  • Layer 3
  • Aggregate Interfaces
  • HA

Following are the Logical interface options available:

  • VLAN
  • Loopback
  • Tunnel
  • Decrypt Mirror

The various interface types offered by Palo Alto Networks Next-Generation Firewalls provide flexible deployment options.

Tap Mode Deployment Option

TAP Mode deployment allows passive monitoring of the traffic flow across a network by using the SPAN feature (also known as mirroring).

A typical deployment would involve the configuration of SPAN on Cisco Catalyst switches where the destination SPAN port is the switch port to which our Palo Alto Firewall connects, as shown in the diagram below:

 Palo Alto Next Generation Firewall deployed in TAP mode

Figure 1. Palo Alto Next Generation Firewall deployed in TAP mode

The advantage of this deployment model is that it allows organizations to closely monitor traffic to their servers or network without requiring any changes to the network infrastructure.

During the configuration of SPAN it is important to ensure the correct SPAN source and SPAN Destination ports are configured while also enabling Tap mode at the Firewall.

Palo Alto Firewalls Security Zones – Tap Zone, Virtual Wire, Layer 2 and Layer 3 Zones

Palo Alto Networks Next-Generation Firewalls rely on the concept of security zones in order to apply security policies. This means that access lists (firewall rules) are applied to zones and not interfaces – this is similar to Cisco’s Zone-Based Firewall supported by IOS routers.

Palo Alto Networks Next-Generation Firewalls zones have no dependency on their physical location and they may reside in any location within the enterprise network. This is also illustrated in the network security diagram below:

Palo Alto Firewall Security Zones can contain networks in different locations Figure 1. Palo Alto Firewall Security Zones can contain networks in different locations

The above topology illustrated shows VLANs 10, 11 ,12 and 2 managed by a Cisco Catalyst 4507R+E Switch and are all part of OSPF Area 0 and visible as routes in the Palo Alto Firewall. A Layer 3 aggregated link has been created between the Palo Alto Firewall (Interface ae1 on each firewall) and the Cisco 4507R+E Switch (Port-Channel 1 & 2).

When aggregation interface ae1.2 on the Palo Alto Firewall is configured to be part of the DMZ Security Zone, all networks learnt by the OSPF routing protocol on interface ae1.2 will be part of the DMZ Security Zone.

Creating a Security Zone involves tasks such as naming the zone, assigning the interfaces to the new zone created and more. Palo Alto Networks Next-Generation Firewalls won’t process traffic from any interface unless they are part of a Security Zone.

The diagram below depicts the order in which packets are processed by the Palo Alto Firewall:

Initial Packet Processing – Flow Logic of Palo Alto Next-Generation Firewall Figure 2. Initial Packet Processing – Flow Logic of Palo Alto Next-Generation Firewall

It is without doubt Zone based firewalls provide greater flexibility in security design and are also considered easier to administer and maintain especially in large scale network deployments.

Palo Alto Networks Next-Generation Firewalls have four main types of Zones namely as shown in the screenshot below:

  • Tap Zone. Used in conjunction with SPAN/RSPAN to monitor traffic.
  • Virtual Wire. Also known as Transparent Firewall.
  • Layer 2. Used when switching between two or more networks.
  • Layer 3. Used when routing between two or more networks. Interfaces must be assigned an IP address.

Palo Alto Networks Firewall - Web & CLI Initial Configuration, Gateway IP, Management Services & Interface, DNS – NTP Setup, Accounts, Passwords, Firewall Registration & License Activation

This article is the second-part of our Palo Alto Networks Firewall technical articles. Our previous article was introduction to Palo Alto Networks Firewall appliances and technical specifications, while this article covers basic IP management interface configuration, DNS, NTP and other services plus account password modification and appliance registration and activation.

The introduction of Next Generation Firewalls has changed the dimension of management and configuration of firewalls, most of the well-known Firewall vendors have done a major revamp, be it the traditional command line mode or the GUI mode.

Palo Alto Networks is no different to many of those vendors, yet it is unique in terms of its WebUI. It’s a whole new experience when you access the WebUI of Palo Alto Networks Next-Generation Firewalls.

In order to start with an implementation of the Palo Alto Networks Next-Generation Firewalls one needs to configure them. Palo Alto Networks Next-Generation Firewalls can be accessed by either an out-of-band management port labelled as MGT or a Serial Console port (similar to Cisco devices). By using the MGT port, one can separate the management functions of the firewall from the data processing functions. All initial configurations must be performed either on out-of-band management interface or by using a serial console port. The serial port has default values of 9600-N-1 and a standard roll over cable can be used to connect to a serial port.

 Palo Alto Networks Firewall PA-5020 Management & Console Port 

Figure 1.   Palo Alto Networks Firewall PA-5020 Management & Console Port

By default, Palo Alto Networks Next-Generation Firewalls use MGT port to retrieve license information and update the threats and application signature, therefore it is imperative the MGT port has proper DNS settings configured and is able to access the internet.

To access the Palo Alto Networks Firewall for the first time through the MGT port, we need to connect a laptop to the MGT port using a straight-thru Ethernet cable. By default, the web gui interface is accessed through the following IP Address and login credentials (note they are in lower case):

  • MGT Port IP Address: 192.168.1.1 /24
  • Username: admin
  • Password: admin

For security reasons it’s always recommended to change the default admin credentials. Until this condition is satisfied, the Palo Alto Networks Firewall alerts the administrator to change the default password every time he logs in, as shown in the screenshot below:

 Palo Alto Networks Firewall alerts the administrator to change the default password

Figure 2. Palo Alto Networks Firewall alerts the administrator to change the default password

Performing the Initial Setup in Palo Alto Networks Firewall Check List

Below is a list of the most important initial setup tasks that should be performed on a Palo Alto Networks Firewall regardless of the model:

  • Change the default login credentials
  • Configure the management IP Address & managed services (https, ssh, icmp etc)
  • Configure DNS & NTP Settings
  • Register and Activate the Palo Alto Networks Firewall

Let’s take a look at each step in greater detail.

Change the Default Login Credentials

Step 1: Establish connectivity with the Palo Alto Networks Firewall by connecting an Ethernet cable between the Management and the laptop’s Ethernet interface.

Step 2: Configure the laptop Ethernet interface with an IP address within the 192.168.1.0/24 network. Keep in mind that we’ll find the Palo Alto Networks Firewall at 192.168.1.1 so this IP must not be used.

Step 3: Open a web browser and navigate to the URL https://192.168.1.1 – Take note that this is an HTTPS site. At this point the Palo Alto Networks Firewall login page appears.

Step 4: Enter admin for both name and password fields.

Step 5: From the main menu, click Device > Administrators > admin

  • Type the old password in the Old Password field
  • Type the new password in the New Password field
  • Type new password in the Confirm New Password field
  • Click ok

Configure The Management IP Address & Management Services (HTTPS, SSH, ICMP)

At this point we have connectivity to the Palo Alto Networks Firewall and need to change the management IP address:

Articles To Read Next:

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup