Lab 4 Connecting The Firewall To Production Networks

PALO ALTO NETWORKS EDU 210
Lab 4: Connecting the Firewall to Production Networks
Document Version: 2022-07-18
Copyright © 2022 Network Development Group, Inc.

www.netdevgroup.com
NETLAB+ is a registered trademark of Network Development Group, Inc.
Palo Alto Networks and the Palo Alto Networks logo are trademarks or registered trademarks of Palo Alto Networks, Inc.
Contents
Introduction ................................................................................................................................................ 3
Objective ..................................................................................................................................................... 3
Lab Topology ............................................................................................................................................... 4
Theoretical Lab Topology ............................................................................................................................ 4
Lab Settings ................................................................................................................................................. 5
1 Working with Firewall Configurations and Log Files .......................................................................... 6
1.1 Apply a Baseline Configuration to the Firewall ........................................................................... 6
1.2 Create Layer 3 Network Interfaces............................................................................................ 10
1.3 Create a Virtual Router .............................................................................................................. 16
1.4 Segment Your Production Network Using Security Zones ........................................................ 19
1.5 Test Connectivity to Each Zone ................................................................................................. 24
1.6 Test Interface Access before Management Profiles ................................................................. 28
1.7 Define Interface Management Profiles ..................................................................................... 29
1.8 Test Interface Access after Management Profiles .................................................................... 38
7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 2

Introduction
In preparation for deployment, you need to connect the firewall to the appropriate production
networks. You already have cabled the firewall interfaces to the appropriate switch ports in the data
center. You will configure the firewall with Layer 3 IP addresses and a virtual router. You also will
create security zones that divide your network into separate logical areas so that you have more
control over traffic from one segment to another.
When you have the configuration in place on the firewall, you will use ping from different devices to
verify connectivity between all the segments.
Objective
In this lab, you will perform the following tasks:
 Load a baseline configuration

 Create Layer 3 interfaces
 Create a virtual router
 Segment your production network using security zones
 Test connectivity from firewall to hosts in each security zone
 Create Interface Management Profiles

Lab Topology
Theoretical Lab Topology

Lab Settings
The information in the table below will be needed to complete the lab. The task sections below
provide details on the use of this information.
Virtual Machine IP Address Account Password

(if needed) (if needed)
Client 192.168.1.20 lab-user Pal0Alt0!
DMZ 192.168.50.10 root Pal0Alt0!
Firewall 192.168.1.254 admin Pal0Alt0!
VRouter 192.168.1.10 root Pal0Alt0!

1 Working with Firewall Configurations and Log Files
1.1 Apply a Baseline Configuration to the Firewall
In this section, you will load the firewall configuration file.
1. Click on the Client tab to access the Client PC.
2. Double-click the Chromium Web Browser icon located on the desktop.
3. In the Chromium web browser, click on the EDU-210 bookmark folder in the bookmarks bar and
then click on Firewall-A.
4. You will see a "Your connection is not private" message. Next, click on the ADVANCED link.
If you experience the “Unable to connect” or “502 Bad Gateway”

message while attempting to connect to the specified IP above, please
wait an additional 1-3 minutes for the Firewall to fully initialize.
Refresh the page to continue.

5. Click on Proceed to 192.168.1.254 (unsafe).
6. Log in to the firewall web interface as username admin, password Pal0Alt0!.

7. In the web interface, navigate to Device > Setup > Operations and click on Load named
configuration snapshot underneath the Configuration Management section.
8. In the Load Named Configuration window, select edu-210-lab-04.xml from the Name dropdown
box and click OK.
9. In the Loading Configuration window, a message will show Configuration is being loaded. Please
check the Task Manager for its status. You should reload the page when the task is completed. Click
Close to continue.
10. Click the Tasks icon located at the bottom-right of the web interface.

11. In the Task Manager – All Tasks window, verify the Load type has successfully completed. Click
Close.
12. Click the Commit link located at the top-right of the web interface.
13. In the Commit window, click Commit to proceed with committing the changes.

14. When the Commit operation successfully completes, click Close to continue.
The commit process takes changes made to the Firewall and copies
them to the running configuration, which will activate all configuration
changes since the last commit.
16. Leave the Palo Alto Networks Firewall open and continue to the next task.
1.2 Create Layer 3 Network Interfaces
In this section, you will create Layer 3 interfaces on the firewall that will provide basic network
connectivity to your production networks. You have a network with users (192.168.1.0/24), a network
with production servers (192.168.50.0/24) and a network connecting the firewall to an upstream
internet router (203.0.113.0/24).
1. In the web interface, select Network > Interfaces > Ethernet.

2. Click ethernet1/1 to configure the interface.
3. Notice the Ethernet Interface window appears. Configure the following:
Parameter Value
Comment Internet Connection
Interface Type Layer3
Virtual Router None

4. Select the tab for IPv4. Leave the Type set to Static, Under the IP heading, click Add. Enter
203.0.113.20/24. Click OK.

Parameter Value
Comment Users network connection
Virtual Router None
192.168.1.1/24. Click OK.

Parameter Value
Comment Extranet servers connection
Virtual Router None

192.168.50.1/24. Click OK.
11. When complete, your Ethernet table will have three entries. Confirm that Ethernets 1/1, 1/2, and
1/3 are showing as seen below.
12. Leave the web interface open and continue to the next task.

1.3 Create a Virtual Router
In this section, you will create a virtual router and connect your Layer 3 interfaces to it. You also will
define a default gateway for the virtual router itself.
The firewall requires a virtual router to obtain routes to other subnets, either using static routes that
you manually define or through participation in Layer 3 routing protocols that provide dynamic routes.
The firewall has a predefined virtual router named default.
A virtual router is a separate routing instance that allows the firewall to route traffic from one network
to another through its Layer 3 interfaces. In this environment, we have three networks -
192.168.1.0/24, 192.168.50.0/24, and 203.0.113.0/24. You will modify the default virtual router and
add the firewall’s interfaces from each of these networks to the virtual router.
Because we are using Layer 3 interfaces, the firewall must have a way to route traffic from one
network to another; this process is done with a virtual router. However, because each interface is in a
different security zone, the Security rules will prevent traffic in one network from going to another
network through the firewall
1. In the web interface, select Network > Virtual Routers.
2. Click default to open the default router.

3. In the Virtual Router - default window, rename the default router to lab-vr. Click Add to add the
following interfaces: ethernet1/1, ethernet1/2, and ethernet1/3.
This step can also be completed via each Ethernet Interface

configuration window.
The order in which you add these interfaces to the list is not important.
You could start by adding ethernet1/3 and the result will be the same.
You are simply adding the appropriate interfaces to this virtual router.

4. In the Virtual Router - default window, click the link on the side for Static Routes. Under the tab for
IPv4, click Add at the bottom of the window.
5. In the Virtual Router – Static Route - IPv4 window, for Name, enter Firewall Default Gateway,
for Destination, enter 0.0.0.0/0, for Interface, select ethernet1/1, for the Next Hop address, enter
203.0.113.1. Leave the remaining settings unchanged. Click OK.

This entry is the default route for the firewall. Like all other network
hosts, the firewall needs a default gateway to send traffic to unknown
networks. The firewall has local connections to 192.168.1.0,
192.168.50.0 and 203.0.113.0 networks, so it can forward packets to
hosts on those networks directly. However, for any other destination
IP addresses (such as 8.8.8.8 for DNS), this route statement instructs
the firewall to forward packets to 203.0.113.1, which is the internet.
6. In the Virtual Router – default window, click OK.
7. Leave the Palo Alto Networks Firewall open and continue to the next task.
1.4 Segment Your Production Network Using Security Zones
Security zones are a logical way to group physical and virtual interfaces on the firewall to control and
log the traffic that traverses your network through the firewall. An interface on the firewall must be
assigned to a security zone before the interface can process traffic. A zone can have multiple interfaces
of the same type (for example, Tap, Layer 2, or Layer 3 interfaces) assigned to it, but an interface can
belong to only one zone.
With your network interfaces and virtual router in place, you can now create security zones. You will
create three security zones.

1. In the web interface, select Network > Zones.
2. Click Add to create a new zone.
3. In the Zone window, enter Internet for the Name, for Type, select Layer3. Under the Interfaces
section, click Add. Select Ethernet 1/1 and leave all other settings unchanged. Click OK.

5. In the Zone window, enter Users Net for the Name, for Type, select Layer3. Under the Interfaces

7. In the Zone window, enter Extra Net for the Name, for Type, select Layer3. Under the Interfaces

8. You should now have three security zones.
9. Click the Commit button at the upper right of the PA-VM web interface.
10. In the Commit window, click Commit.

11. In the Commit Status window, click Close.
12. Minimize the PA-VM firewall by clicking the minimize icon in the upper right of the web interface
and continue to the next task.
1.5 Test Connectivity to Each Zone
In this section, you will verify network connectivity from the firewall to hosts in each zone. You will use
an SSH connection and ping hosts on each network.
1. On the client desktop, open the Remmina application.

2. Double-click the entry for Firewall-A.
3. If you are presented the Connecting to ‘Firewall-A’… window, click OK.
The Firewall-A connection in Remmina has been pre-configured to

provide login credentials to the firewall so that you do not have to log
in each time. This is for convenience in the lab only.

4. In the CLI connection to the firewall, use the ping command to check network connectivity to a
host in the User_Net Security Zone by using the following command at the admin@firewall-a>
prompt.
admin@firewall-a> ping source 192.168.1.1 host 192.168.1.20
Note the syntax for this command. 192.168.1.1 is the IP address of

ethernet1/2 on the firewall. The command instructs the firewall to use
that IP address on ethernet1/2 to ping the host 192.168.1.20. If you do
not use the source option, the firewall uses its management interface
address as the source IP.
5. Allow the ping to continue for three or four seconds and then use Ctrl+C to interrupt the
command. Notice the pings are successful.
6. Use the ping command to check connectivity to a host in the Extranet zone by using the following
command at the admin@firewall-a> prompt.

192.168.50.1 is the IP address on ethernet1/3 which is assigned to the

Extranet security zone. 192.168.50.150 is a server in the Extranet zone.
8. Use the ping command to check connectivity to a host on the Internet by using the following
command at the admin@firewall-a> prompt.
203.0.113.20 is the IP address on ethernet1/1 which is assigned to the

Internet security zone. 8.8.8.8 is a DNS server on the Internet zone.
10. Close the Firewall-A Remmina terminal console by clicking on the close icon in the upper-right.

11. Close the Remmina Remote Desktop Client by clicking on the close icon in the upper-right.
12. Stay on the client desktop and continue to the next task.
1.6 Test Interface Access before Management Profiles
Management interface profiles allow you to enable specific network services on individual firewall
interfaces.
To illustrate the default behavior of firewall interfaces, you will ping 192.168.1.1 from the client
workstation. You will also attempt to access the firewall CLI by SSH through 192.168.1.1. Without any
Interface Management Profiles in place, both ping and SSH will fail.
1. Open the Terminal Emulator on the client desktop.
2. Issue the following command below.
C:\home\lab-user\Desktop\Lab-Files> ping 192.168.1.1 <Enter>
3. Wait a few seconds and use Ctrl+C to stop the command. You will not get a response because
Management profiles have not been configured.

4. Attempt to open an SSH connection to the firewall through 192.168.1.1 by issuing the following
command.
C:\home\lab-user\Desktop\Lab-Files> ssh admin@192.168.1.1 <Enter>
5. After a few seconds, use Ctrl+C to stop the connection because it will not succeed.
6. Leave the Terminal window open on the client because you will perform these same tests after
applying an Interface Management profile to ethernet1/1 and continue to the next task.
1.7 Define Interface Management Profiles
Often, your team members need to manage the firewall but do not always have network connectivity
to the management network. In this exercise, you will define two management interface profiles. One
profile will allow ping. You will apply this allow-ping profile to the Internet interface so that your
SecOps team members can ping the external firewall interface for troubleshooting from outside your
organization’s network.
You will create a second management interface profile that allows ping and secure management
traffic, including SSH and HTTPS. You will apply this Allow-mgt profile to the User_Net interface and to
the Extranet interface. This profile will allow your SecOps team to manage the firewall from those
networks if they need to.
1. Reopen the PA-VM firewall web interface by clicking on the Chromium icon in the taskbar.

2. Select Network > Network Profiles > Interface Management. Click Add at the bottom of the
window.

3. In the Interface Management Profile window, enter Allow-ping for the Name. Under the Network
Services section, check the box for Ping. Click OK.

4. In the Interface Management section, click Add again to create another entry. In the Interface
Management Profile window, enter Allow-mgt for the Name. Under the Administrative
Management Services section, check the boxes for HTTPS and SSH. Under the section for Network
Services, check Ping, SNMP, Response Pages and User-ID. Click OK.
5. Select Network > Interfaces > Ethernet. Click Ethernet 1/1.

6. In the Ethernet 1/1 window, click Advanced. Under the Other Info section, use the dropdown list
for Management Profile and select Allow-ping. Click OK.
This action applies the Allow-ping interface management profile to

ethernet1/1. As a result, ethernet1/1 will answer ping requests.
Note that in a production environment, you may not want an internet-
facing interface to reply to any type of traffic. Applying this profile in
the lab allows you to see how different profiles can be applied to
different interfaces.

7. Click Ethernet 1/2.
8. In the Ethernet Interface window, click Advanced. Under the Other Info section, use the dropdown
list for Management Profile and select Allow-mgt. Click OK.

9. Read the Warning message and click Yes.
Because this interface is connected to one of your internal networks

(Users_Net), the risk of applying this profile is acceptable.
10. Click Ethernet 1/3.

11. In the Ethernet 1/3 window, click Advanced. Under the Other Info section, use the dropdown list
for Management Profile and select Allow-mgt. Click OK.
12. Read the Warning message and click Yes.

13. When you complete steps 5 - 12, your interface table should have an entry under the management
profile column for each interface.
14. Click the Commit button at the upper-right of the web interface.
15. In the Commit window, click Commit.

16. Wait until the Commit process is complete. Click Close.
17. Minimize the Palo Alto Networks Firewall and continue to the next task.
1.8 Test Interface Access after Management Profiles
In this section, you will use the ping command to test the management profiles that you defined. Both
ping and SSH will succeed.
1. Return to the Terminal window used previously or reopen the Terminal Emulator on the client
desktop.
2. Issue the following command below.
C:\home\lab-user\Desktop\Lab-Files> ping 192.168.1.1 <Enter>

3. Wait a few seconds and use Ctrl+C to stop the command. You will get a response because
Management profiles have been configured.
4. Elevate to super user by issuing the following command.
C:\home\lab-user\Desktop\Lab-Files> sudo su
5. Attempt to open an SSH connection to the firewall through 192.168.1.1 by issuing the following
command.
root@client-a:/home/lab-user/Desktop/Lab-Files# ssh admin@192.168.1.1 <Enter>
6. When prompted to accept the RSA key fingerprint, type yes and press Enter.
7. For password, type Pal0Alt0! and press Enter.
8. The firewall will present the CLI interface.
9. The lab is now complete; you may end your reservation.

Lab 4 Connecting The Firewall To Production Networks

Uploaded by

Document Informationclick to expand document information

Document Informationclick to expand document information

Copyright:

Available Formats

Lab 4 Connecting The Firewall To Production Networks

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lab 4 Connecting The Firewall To Production Networks

Uploaded by

Copyright:

Available Formats

PALO ALTO NETWORKS EDU 210

Lab 4: Connecting the Firewall to Production Networks

Document Version: 2022-07-18

Copyright © 2022 Network Development Group, Inc.

NETLAB+ is a registered trademark of Network Development Group, Inc.

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 2

In this lab, you will perform the following tasks:

 Load a baseline configuration

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 3

Theoretical Lab Topology

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 4

Virtual Machine IP Address Account Password

Client 192.168.1.20 lab-user Pal0Alt0!

DMZ 192.168.50.10 root Pal0Alt0!

Firewall 192.168.1.254 admin Pal0Alt0!

VRouter 192.168.1.10 root Pal0Alt0!

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 5

1 Working with Firewall Configurations and Log Files

1.1 Apply a Baseline Configuration to the Firewall

In this section, you will load the firewall configuration file.

1. Click on the Client tab to access the Client PC.

2. Double-click the Chromium Web Browser icon located on the desktop.

If you experience the “Unable to connect” or “502 Bad Gateway”

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 6

5. Click on Proceed to 192.168.1.254 (unsafe).

6. Log in to the firewall web interface as username admin, password Pal0Alt0!.

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 7

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 8

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 9

1.2 Create Layer 3 Network Interfaces

1. In the web interface, select Network > Interfaces > Ethernet.

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 10

2. Click ethernet1/1 to configure the interface.

3. Notice the Ethernet Interface window appears. Configure the following:

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 11

5. Click ethernet1/2 to configure the interface.

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 12

6. Notice the Ethernet Interface window appears. Configure the following:

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 13

8. Click ethernet1/3 to configure the interface.

9. Notice the Ethernet Interface window appears. Configure the following:

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 14

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 15

1.3 Create a Virtual Router

1. In the web interface, select Network > Virtual Routers.

2. Click default to open the default router.

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 16

This step can also be completed via each Ethernet Interface

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 17

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 18

6. In the Virtual Router – default window, click OK.

1.4 Segment Your Production Network Using Security Zones

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 19

1. In the web interface, select Network > Zones.

2. Click Add to create a new zone.

7/18/2022 Copyright © 2021 Network Development Group, Inc. www.netdevgroup.com Page 20

4. Click Add to create a new zone.