Paloalto Firewall Interzone Security Policies and DMZ

In this lab I will configure interzone security policies. It covers defining zones, adding interfaces to their respective zones, and creating security policies that allow traffic between the zones.

The topology for this lab:

[Image: Palo Alto Lab 2 topology diagram]

In this wiki I will not be taking screenshots but will dump the final configuration done on the PaloAlto Firewall.

Configuration on PaloAlto Firewall

From the firewall I can ping Google DNS:

admin@PA-VM> ping source 192.168.116.157 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.116.157 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=128 time=26.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=128 time=23.5 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=128 time=22.1 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=128 time=19.6 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=128 time=19.0 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=128 time=17.8 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=128 time=16.0 ms
^C
--- 8.8.8.8 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6009ms
rtt min/avg/max/mdev = 16.012/20.627/26.047/3.214 ms

The management interface, which is used to reach the firewall's web GUI, is reachable as well. Either interface could be used to reach the firewall, but HTTP and HTTPS management access should be permitted only on the management interface (and ideally HTTPS only). On PAN-OS, management services on a data-plane interface are enabled only by an Interface Management Profile, so leave HTTP/HTTPS out of any profile attached to the inside, outside or DMZ interfaces.

admin@PA-VM> ping source 10.10.10.1 host 10.10.10.10
PING 10.10.10.10 (10.10.10.10) from 10.10.10.1 : 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=128 time=1.61 ms
64 bytes from 10.10.10.10: icmp_seq=2 ttl=128 time=1.64 ms
64 bytes from 10.10.10.10: icmp_seq=3 ttl=128 time=1.43 ms
64 bytes from 10.10.10.10: icmp_seq=4 ttl=128 time=1.77 ms
64 bytes from 10.10.10.10: icmp_seq=5 ttl=128 time=1.41 ms
^C
--- 10.10.10.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 1.417/1.577/1.776/0.142 ms

OSPF between Switches and PaloAlto Firewall

I am running OSPF between SW1/SW2 and PA-FW. This is not strictly required; I added it at the end to test routing beyond this network.

SW1#show ip ospf neighbor  

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.10.10       1   FULL/DR         00:00:32    10.1.1.1        Vlan10
SW1#show ip route         
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.1.1
      1.0.0.0/32 is subnetted, 1 subnets
C        1.1.1.1 is directly connected, Loopback0
      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.1.0/24 is directly connected, Vlan10
L        10.1.1.2/32 is directly connected, Vlan10
O        10.10.20.0/24 [110/11] via 10.1.1.1, 00:53:43, Vlan10
      172.16.0.0/24 is subnetted, 1 subnets
O        172.16.10.0 [110/11] via 10.1.1.1, 00:53:43, Vlan10
O     192.168.116.0/24 [110/11] via 10.1.1.1, 00:53:43, Vlan10

I have two hosts, webterm-1 in the inside zone and webterm-2 in the outside zone, which are used to browse the web servers in the DMZ.

Validation from Inside Zone

webterm-1's IP is 10.1.1.3:

/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 2a:6b:8c:e1:93:9d  
          inet addr:10.1.1.3  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::286b:8cff:fee1:939d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30482 errors:0 dropped:187 overruns:0 frame:0
          TX packets:441 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2221108 (2.1 MiB)  TX bytes:43690 (42.6 KiB)
 
A ping sourced from this terminal's IP, 10.1.1.3, to the web servers in the DMZ zone:
 
/ # ping -I 10.1.1.3 172.16.10.2
PING 172.16.10.2 (172.16.10.2) from 10.1.1.3 : 56(84) bytes of data.
64 bytes from 172.16.10.2: icmp_seq=1 ttl=63 time=2.41 ms
64 bytes from 172.16.10.2: icmp_seq=2 ttl=63 time=2.33 ms
64 bytes from 172.16.10.2: icmp_seq=3 ttl=63 time=2.34 ms
64 bytes from 172.16.10.2: icmp_seq=4 ttl=63 time=1.95 ms
64 bytes from 172.16.10.2: icmp_seq=5 ttl=63 time=2.01 ms
^C
--- 172.16.10.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.956/2.210/2.414/0.192 ms
/ # ping -I 10.1.1.3 172.16.10.3
PING 172.16.10.3 (172.16.10.3) from 10.1.1.3 : 56(84) bytes of data.
64 bytes from 172.16.10.3: icmp_seq=1 ttl=63 time=2.23 ms
64 bytes from 172.16.10.3: icmp_seq=2 ttl=63 time=2.12 ms
64 bytes from 172.16.10.3: icmp_seq=3 ttl=63 time=2.16 ms
64 bytes from 172.16.10.3: icmp_seq=4 ttl=63 time=3.90 ms
64 bytes from 172.16.10.3: icmp_seq=5 ttl=63 time=2.46 ms
^C
--- 172.16.10.3 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 2.127/2.578/3.907/0.676 ms

When I access the web server on 172.16.10.3 over HTTP, it displays this page:

[Image: screenshot "Networkers toolkit PA FW lab 2", the page served by the DMZ web server]

Validation from Outside Zone

Now I will show the same from the outside zone. webterm-2 has an IP of 10.10.20.2. I will source pings from this IP to the DMZ zone web servers 172.16.10.2 and 172.16.10.3.

/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 82:c7:ea:bb:d7:a4  
          inet addr:10.10.20.2  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::80c7:eaff:febb:d7a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28817 errors:0 dropped:174 overruns:0 frame:0
          TX packets:1506 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2044089 (1.9 MiB)  TX bytes:123427 (120.5 KiB)

/ # ping -I 10.10.20.2 172.16.10.2
PING 172.16.10.2 (172.16.10.2) from 10.10.20.2 : 56(84) bytes of data.
64 bytes from 172.16.10.2: icmp_seq=1 ttl=63 time=2.87 ms
64 bytes from 172.16.10.2: icmp_seq=2 ttl=63 time=17.5 ms
64 bytes from 172.16.10.2: icmp_seq=3 ttl=63 time=6.34 ms
64 bytes from 172.16.10.2: icmp_seq=4 ttl=63 time=1.80 ms
64 bytes from 172.16.10.2: icmp_seq=5 ttl=63 time=1.80 ms
64 bytes from 172.16.10.2: icmp_seq=6 ttl=63 time=1.75 ms
^C
--- 172.16.10.2 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5018ms
rtt min/avg/max/mdev = 1.758/5.355/17.551/5.686 ms
/ # ping -I 10.10.20.2 172.16.10.3
PING 172.16.10.3 (172.16.10.3) from 10.10.20.2 : 56(84) bytes of data.
64 bytes from 172.16.10.3: icmp_seq=1 ttl=63 time=2.62 ms
64 bytes from 172.16.10.3: icmp_seq=2 ttl=63 time=2.46 ms
64 bytes from 172.16.10.3: icmp_seq=3 ttl=63 time=2.01 ms
64 bytes from 172.16.10.3: icmp_seq=4 ttl=63 time=2.79 ms
64 bytes from 172.16.10.3: icmp_seq=5 ttl=63 time=2.14 ms
^C
--- 172.16.10.3 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 2.019/2.408/2.796/0.290 ms
/ #

When I access the web server over HTTP, I get the same page as shown above from webterm-1.

To validate further, I can telnet to the web server IPs on port 80:

telnet> open 172.16.10.3 80
Trying 172.16.10.3...
Connected to 172.16.10.3.
Escape character is '^]'.
^ZConnection closed by foreign host.
/ # telnet

telnet> 
telnet> open 172.16.10.2 80
Trying 172.16.10.2...
Connected to 172.16.10.2.
Escape character is '^]'.
^^
HTTP/1.1 400 Bad Request
Date: Tue, 01 Jun 2021 20:26:32 GMT
Server: Apache
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
Connection closed by foreign host.

I hope this lab gives a basic overview of how interzone policies are configured and how to validate them. If required I can add screenshots of the web GUI, but that would make this page very lengthy to scroll through.

This concludes this topic for now.

For any comments please let me know.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License