Articles Tagged ‘configuration’

Cisco KnowledgeBase

The 'Cisco KnowledgeBase' section is one of the newest and most popular sections on Firewall.cx. Dedicated to Cisco's leading technological innovations, this section offers articles covering multiple categories such as Cisco Routers, Switches, Voice over IP and much more.

All articles are written by qualified engineers with years of experience and are complemented by our unique diagrams.

The quality of the provided information is so high that readers can use it as a guideline for learning Cisco technologies, as well as for self-study exams.

We should note that Firewall.cx is the only site officially recommended by Cisco's Network Academy Program (see the Site Related/Awards section), which confirms the validity of Firewall.cx and the information it provides.

Articles and examples provided in this section cover the CCENT, CCNA, CCDA, CCNP & CCVP certification levels.

Cisco Routers - Configuring Cisco Routers

The Cisco Router section contains technical articles covering the installation and configuration of Cisco routers and services such as GRE Tunnels, VPN connections, Policy Based Routing (PBR), Router-on-a-stick, Dynamic Multipoint VPN (DMVPN), Cisco Configuration Professional Setup and much more.

All our articles contain detailed step-by-step instructions and detailed diagrams to ensure the reader understands the topic covered and is able to implement it without much trouble.

We hope you enjoy the provided articles and welcome your feedback and suggestions.

Cisco Wireless

This section is dedicated to Cisco Wireless technologies. Wireless networks have without doubt become an integral part of today's networks. Cisco, a world leader in wireless technologies, offers a number of solutions and a wide range of equipment for wireless networks, each one designed to cover specific needs.

This category aims to analyse, explain and help set up Cisco wireless Aironet access points, wireless LAN Controllers (WLC), WLCs with remote access points (FlexConnect & H-REAP) and much more. Be sure to visit the Cisco Wireless Technologies category of Firewall.cx frequently, as new articles are constantly added.

We hope you enjoy the provided articles and welcome your feedback and suggestions.

Palo Alto Firewalls Security Zones – Tap Zone, Virtual Wire, Layer 2 and Layer 3 Zones

Palo Alto Networks Next-Generation Firewalls rely on the concept of security zones in order to apply security policies. This means that access lists (firewall rules) are applied to zones and not interfaces – this is similar to Cisco’s Zone-Based Firewall supported by IOS routers.

Palo Alto Networks Next-Generation Firewalls zones have no dependency on their physical location and they may reside in any location within the enterprise network. This is also illustrated in the network security diagram below:

Figure 1. Palo Alto Firewall Security Zones can contain networks in different locations

The topology illustrated above shows VLANs 10, 11, 12 and 2 managed by a Cisco Catalyst 4507R+E switch; they are all part of OSPF Area 0 and visible as routes in the Palo Alto Firewall. A Layer 3 aggregated link has been created between the Palo Alto Firewall (interface ae1 on each firewall) and the Cisco 4507R+E switch (Port-Channel 1 & 2).

When aggregation interface ae1.2 on the Palo Alto Firewall is configured to be part of the DMZ Security Zone, all networks learnt by the OSPF routing protocol on interface ae1.2 will be part of the DMZ Security Zone.

Creating a Security Zone involves tasks such as naming the zone, assigning the interfaces to the new zone created and more. Palo Alto Networks Next-Generation Firewalls won’t process traffic from any interface unless they are part of a Security Zone.

The diagram below depicts the order in which packets are processed by the Palo Alto Firewall:

Figure 2. Initial Packet Processing – Flow Logic of Palo Alto Next-Generation Firewall

It is without doubt that zone-based firewalls provide greater flexibility in security design; they are also considered easier to administer and maintain, especially in large-scale network deployments.

Palo Alto Networks Next-Generation Firewalls have four main types of zones, as shown in the screenshot below:

  • Tap Zone. Used in conjunction with SPAN/RSPAN to monitor traffic.
  • Virtual Wire. Also known as Transparent Firewall.
  • Layer 2. Used when switching between two or more networks.
  • Layer 3. Used when routing between two or more networks. Interfaces must be assigned an IP address.

Palo Alto Networks Firewall - Web & CLI Initial Configuration, Gateway IP, Management Services & Interface, DNS – NTP Setup, Accounts, Passwords, Firewall Registration & License Activation

This article is the second part of our Palo Alto Networks Firewall technical articles. Our previous article was an introduction to Palo Alto Networks Firewall appliances and their technical specifications, while this article covers basic IP management interface configuration, DNS, NTP and other services, plus account password modification and appliance registration and activation.

The introduction of Next Generation Firewalls has changed the dimension of firewall management and configuration: most of the well-known firewall vendors have done a major revamp, be it of the traditional command-line mode or of the GUI mode.

Palo Alto Networks is no different to many of those vendors, yet it is unique in terms of its WebUI. It’s a whole new experience when you access the WebUI of Palo Alto Networks Next-Generation Firewalls.

In order to start with an implementation of the Palo Alto Networks Next-Generation Firewalls one needs to configure them. Palo Alto Networks Next-Generation Firewalls can be accessed by either an out-of-band management port labelled MGT or a serial console port (similar to Cisco devices). By using the MGT port, one can separate the management functions of the firewall from the data processing functions. All initial configuration must be performed either on the out-of-band management interface or through the serial console port. The serial port has default settings of 9600-N-1, and a standard rollover cable can be used to connect to it.

Figure 1. Palo Alto Networks Firewall PA-5020 Management & Console Port

By default, Palo Alto Networks Next-Generation Firewalls use the MGT port to retrieve license information and to update the threat and application signatures; it is therefore imperative that the MGT port has proper DNS settings configured and is able to access the internet.

To access the Palo Alto Networks Firewall for the first time through the MGT port, we need to connect a laptop to the MGT port using a straight-through Ethernet cable. By default, the web GUI is accessed through the following IP address and login credentials (note they are in lower case):

  • MGT Port IP Address: 192.168.1.1 /24
  • Username: admin
  • Password: admin

For security reasons it’s always recommended to change the default admin credentials. Until this condition is satisfied, the Palo Alto Networks Firewall alerts the administrator to change the default password every time he logs in, as shown in the screenshot below:

Figure 2. Palo Alto Networks Firewall alerts the administrator to change the default password

Performing the Initial Setup in Palo Alto Networks Firewall – Checklist

Below is a list of the most important initial setup tasks that should be performed on a Palo Alto Networks Firewall regardless of the model:

  • Change the default login credentials
  • Configure the management IP Address & managed services (https, ssh, icmp etc)
  • Configure DNS & NTP Settings
  • Register and Activate the Palo Alto Networks Firewall

Let’s take a look at each step in greater detail.

Change the Default Login Credentials

Step 1: Establish connectivity with the Palo Alto Networks Firewall by connecting an Ethernet cable between the MGT port and the laptop’s Ethernet interface.

Step 2: Configure the laptop Ethernet interface with an IP address within the 192.168.1.0/24 network. Keep in mind that the Palo Alto Networks Firewall is at 192.168.1.1, so this IP must not be used.

Step 3: Open a web browser and navigate to the URL https://192.168.1.1 – take note that this is an HTTPS site. At this point the Palo Alto Networks Firewall login page appears.

Step 4: Enter admin in both the name and password fields.

Step 5: From the main menu, click Device > Administrators > admin

  • Type the old password in the Old Password field
  • Type the new password in the New Password field
  • Type the new password in the Confirm New Password field
  • Click OK

Configure The Management IP Address & Management Services (HTTPS, SSH, ICMP)

At this point we have connectivity to the Palo Alto Networks Firewall and need to change the management IP address:

Understand & Configure NAT Reflection, NAT Loopback, Hairpinning on Cisco ASA 5500-X for TelePresence ExpressWay and Other Applications

This article examines the concept of NAT Reflection, also known as NAT Loopback or Hairpinning, and shows how to configure a Cisco ASA Firewall running ASA version 8.2 and earlier, plus ASA version 8.3 and later, to support NAT Reflection. NAT Reflection is a NAT technique used when devices on the internal network (LAN) need to access a server located in a DMZ zone using its public IP address.

What’s interesting is that NAT Reflection is not supported by all firewall appliances; Cisco ASA Firewalls, however, provide 100% support, making any NAT scenario possible. NAT Reflection is also seen in implementations of Cisco’s TelePresence systems, where the ExpressWay-C server on the internal network needs to communicate with the ExpressWay-E server in the DMZ zone using its public IP address.

Note: Users seeking additional information on Network Address Translation concepts can visit our dedicated NAT Section, which covers NAT in great depth.

Single 3-Port/Leg Firewall DMZ with one LAN interface ExpressWay-E Server

In the example below, ExpressWay-C with IP address 192.168.1.50 needs to access ExpressWay-E (DMZ zone, IP address 192.168.5.5) using its public IP address of 203.40.40.5. This type of setup also happens to be one of the two most popular configurations:

Figure 1. NAT Reflection on a 3-Port ASA Firewall with Cisco Telepresence (ExpressWay-C & ExpressWay-E)

ExpressWay-C packets traversing the ASA Firewall destined to ExpressWay-E’s public IP address undergo the following transformation thanks to the NAT Reflection configuration:

  • The destination IP address 203.40.40.5 is replaced with destination IP address 192.168.5.5 – ExpressWay-E’s private IP address. This is also known as Destination NAT (DNAT).
  • The source IP address 192.168.1.50 (ExpressWay-C) is replaced with source IP address 192.168.5.1 – the ASA’s DMZ interface IP address. This is also known as Source NAT (SNAT).

When ExpressWay-C packets arrive at the ExpressWay-E server, they have the following source and destination IP addresses: Source IP 192.168.5.1, Destination IP 192.168.5.5.
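To make the two-way translation concrete, the following Python model is added here as an illustration; it is not part of the original article and not Cisco ASA code. It applies the DNAT and SNAT steps described above to a packet from ExpressWay-C, then reverses them for ExpressWay-E's reply, which the article does not show. The Packet class, the NatReflector class, the snat flag (to model the case where source translation is left out) and the port-allocation rule used when two inside hosts pick the same source port are all assumptions for illustration; the addresses are those of Figure 1.

```python
"""Hairpin (NAT reflection) model for the 3-port ASA topology above.

Illustrative code added by the editor; not the article's or Cisco's own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatReflector:
    """Translates LAN -> public-IP traffic to the DMZ server and back.

    Outbound: dst public IP -> DMZ private IP (DNAT); optionally
    src inside host -> ASA DMZ interface IP (SNAT, PAT-style).
    Inbound (reply): the stored translation is reversed.
    """

    def __init__(self, inside_net, dmz_if_ip, public_ip, dmz_private_ip, snat=True):
        self.inside_net = IPv4Network(inside_net)
        self.dmz_if_ip = dmz_if_ip
        self.public_ip = public_ip
        self.dmz_private_ip = dmz_private_ip
        self.snat = snat
        # (translated src, translated sport) -> (original src, original sport)
        self._xlate = {}

    def _alloc_port(self, new_src, pkt):
        """Keep the original source port unless another inside host already
        owns it on the translated address; then pick the next free one
        (assumed allocation rule, standing in for the ASA's dynamic PAT)."""
        port = pkt.sport
        while (new_src, port) in self._xlate and \
                self._xlate[(new_src, port)] != (pkt.src, pkt.sport):
            port += 1
        self._xlate[(new_src, port)] = (pkt.src, pkt.sport)
        return port

    def outbound(self, pkt):
        """Inside host -> server's public IP. Non-hairpin traffic is untouched."""
        if pkt.dst != self.public_ip or IPv4Address(pkt.src) not in self.inside_net:
            return pkt
        new_src = self.dmz_if_ip if self.snat else pkt.src
        new_sport = self._alloc_port(new_src, pkt)
        return Packet(new_src, self.dmz_private_ip, new_sport, pkt.dport)

    def inbound(self, pkt):
        """Server reply -> original inside host, with the public IP as source."""
        if pkt.src != self.dmz_private_ip:
            return pkt
        orig = self._xlate.get((pkt.dst, pkt.dport))
        if orig is None:
            return pkt  # no matching translation: reply is dropped/untouched
        orig_src, orig_sport = orig
        return Packet(self.public_ip, orig_src, pkt.sport, orig_sport)


def demo():
    """Walk the Figure 1 flow: ExpressWay-C 192.168.1.50 -> 203.40.40.5."""
    nat = NatReflector("192.168.1.0/24", "192.168.5.1", "203.40.40.5", "192.168.5.5")
    request = Packet("192.168.1.50", "203.40.40.5", 40000, 443)   # constructed
    on_dmz = nat.outbound(request)
    reply = Packet("192.168.5.5", on_dmz.src, 443, on_dmz.sport)   # server answers
    at_client = nat.inbound(reply)
    return on_dmz, at_client


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Running demo() shows the request arriving in the DMZ as 192.168.5.1 -> 192.168.5.5, exactly as stated above, and the reply reaching ExpressWay-C with 203.40.40.5 as its source, so the client sees a consistent conversation with the public address it dialled.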

Translation of the source IP address (SNAT) of packets (192.168.1.50 to 192.168.5.1) for this traffic flow is optional in general; however, it is specifically required for the Cisco ExpressWay setup. The configuration commands for the above setup are as follows:

For ASA Versions 8.3 and later:
