Saturday, April 22, 2017

Configuring 802.1Q Interface and DHCP on a Palo Alto Networks Firewall

Interface Configurations

Each interface includes configurations for binding various services to them. HTTPS includes the WebUI service and should be included on at least one interface. The Permitted IP Address entries allow an Access Control List to be included, restricting access to any interface with this profile assigned.

Palo Alto firewalls provide a number of traffic-handling objects to move traffic between interfaces and typically are required for that movement. The available types are VLAN objects (VLANs) for Layer 2 traffic, virtual routers for Layer 3 traffic, and virtual wires for virtual wire interfaces.

Several handler types can be used at once, each in any quantity. Each object carries the configuration options appropriate to its protocol-handling role; virtual routers also support dynamic routing protocols where required.

Each Layer 3 dynamic routing protocol includes appropriate specific configuration options. An example of OSPF v2 follows.

IPSec tunnels are considered Layer 3 traffic segments for implementation purposes and are handled by virtual routers like any other network segment. Forwarding decisions are made by destination address, not by VPN policy.


SW1#configure terminal
SW1(config)#interface fastethernet0/10
SW1(config-if)#description ### TRUNK TO PA-200 Eth1/3 ###
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport trunk allowed vlan 11      // ALLOW ONLY VLAN 11
SW1(config-if)#switchport mode trunk
SW1(config-if)#
*Mar  1 01:03:02.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down
*Mar  1 01:03:02.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar  1 01:03:05.124: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up
*Mar  1 01:03:35.138: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
*Mar  1 01:03:35.138: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan201, changed state to up
SW1(config)#exit
SW1(config)#vlan 11      // LAYER 2 VLAN
SW1(config-vlan)#name GUEST
SW1(config-vlan)#exit
SW1(config)#interface fastethernet0/13
SW1(config-if)#switchport host       // MACRO COMMAND THAT ENABLES ACCESS MODE AND PORTFAST ON A SWITCH PORT
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

SW1(config-if)#switchport access vlan 11
SW1(config-if)#description ### GUEST PC ###
SW1(config-if)#end
SW1#
*Mar  1 01:01:08.422: %SYS-5-CONFIG_I: Configured from console by console

SW1#show run interface fastethernet0/10
Building configuration...

Current configuration : 139 bytes
!
interface FastEthernet0/10
 description ### TRUNK TO PA-200 Eth1/3 ###
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11
 switchport mode trunk
end

SW1#show run interface fastethernet0/13
Building configuration...

Current configuration : 139 bytes
!
interface FastEthernet0/13
 description ### GUEST PC ###
 switchport access vlan 11
 switchport mode access
 spanning-tree portfast
end
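An added config check, not part of the original post: it parses the two `show run interface` blocks above and confirms the trunk to the PA-200 is pruned to VLAN 11 only and the guest port is a plain access port with PortFast. The sample text is copied from the switch output above; the audit rules are my own assumptions about what the lab intends.

```python
import re

# Constructed sample: the two "show run interface" stanzas from the switch above.
SHOW_RUN = """
interface FastEthernet0/10
 description ### TRUNK TO PA-200 Eth1/3 ###
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11
 switchport mode trunk
!
interface FastEthernet0/13
 description ### GUEST PC ###
 switchport access vlan 11
 switchport mode access
 spanning-tree portfast
"""

def parse_interfaces(text):
    """Return {interface name: [indented config lines]} for each 'interface' stanza."""
    blocks, name = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif name and line.startswith(" "):
            blocks[name].append(line.strip())
    return blocks

def vlan_set(spec):
    """Expand an IOS VLAN list such as '11,20-22' into a set of VLAN ids."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit_interface(lines, expected):
    """Return findings for one port; an empty list means it matches the intended design."""
    findings = []
    mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
    if mode == "trunk":
        spec = next((l.split()[-1] for l in lines if l.startswith("switchport trunk allowed vlan ")), None)
        if spec is None:
            findings.append("trunk allows all VLANs (no 'switchport trunk allowed vlan')")
        elif vlan_set(spec) != expected:
            findings.append(f"trunk allows {spec}, expected {sorted(expected)}")
    elif mode == "access":
        vlan = next((int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")), 1)
        if {vlan} != expected:
            findings.append(f"access port is in VLAN {vlan}, expected {sorted(expected)}")
        if "spanning-tree portfast" not in lines:
            findings.append("access port lacks spanning-tree portfast")
    else:
        findings.append("no explicit 'switchport mode' (DTP negotiation left enabled)")
    return findings
```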

C:\Users\John Lloyd>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : JohnLloyd-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lagura.com

Ethernet adapter Local Area Connection* 27:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Check Point Virtual Network Adapter For S
SL Network Extender
   Physical Address. . . . . . . . . : 54-60-B4-08-E2-25
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 78-2B-CB-D4-A0-85
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.17.11.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, March 18, 2017 12:22:45 PM
   Lease Expires . . . . . . . . . . : Saturday, March 18, 2017 8:22:45 PM
   Default Gateway . . . . . . . . . : 172.17.11.1
   DHCP Server . . . . . . . . . . . : 172.17.11.1
   DHCPv6 IAID . . . . . . . . . . . : 242756555
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-FF-27-59-78-2B-CB-D4-A0-85

   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled


C:\Users\John Lloyd>ping 172.17.11.1

Pinging 172.17.11.1 with 32 bytes of data:
Reply from 172.17.11.1: bytes=32 time=9ms TTL=64
Reply from 172.17.11.1: bytes=32 time=1ms TTL=64
Reply from 172.17.11.1: bytes=32 time=1ms TTL=64
Reply from 172.17.11.1: bytes=32 time<1ms TTL=64

Ping statistics for 172.17.11.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 9ms, Average = 2ms


C:\Users\John Lloyd>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1     1 ms     1 ms    <1 ms  172.17.11.1
  2     8 ms     9 ms     6 ms  10.47.0.1
  3     8 ms     7 ms     7 ms  172.20.43.65
  4     9 ms    11 ms    10 ms  172.20.9.226
  5    11 ms    18 ms     9 ms  203.116.188.85
  6     6 ms     7 ms     7 ms  203.117.36.21
  7     7 ms     7 ms     7 ms  203.117.35.77
  8    25 ms    11 ms     9 ms  203.117.34.34
  9     7 ms     6 ms     8 ms  72.14.196.189
 10     8 ms     6 ms     7 ms  108.170.242.65
 11     8 ms     6 ms     7 ms  108.170.237.229
 12     9 ms     6 ms     7 ms  google-public-dns-a.google.com [8.8.8.8]

Trace complete.


Thursday, April 13, 2017

Configuring Destination (Static) NAT on a Palo Alto Networks Firewall

NAT Overview

NAT policies instruct the firewall to substitute a specified address for existing addresses in a packet as it moves through the firewall. The need to change addresses can be driven by security and/or network integration reasons. NAT processing is separate from the firewall's security engine. NAT policies might change a packet's address, but the security engine of the firewall must have a Security policy allowing it through. Both IPv4 and IPv6 addresses can be changed via NAT policy.

Palo Alto Networks firewall NAT policies consist of matching conditions describing the traffic to NAT and an action describing the precise address substitution desired. The actions generally address source and destination address changes separately but can be combined in the same NAT policy.

A complete discussion of NAT functionality and its implementation on Palo Alto Networks firewalls is found on this link.

Security policies allowing traffic with NAT address changes must be created with these changes borne in mind. The processing order of the Palo Alto Networks firewall includes Security policy examination before NAT address changes are carried out. Thus Security policies for traffic with NAT changes should be written with pre-NAT addresses. Security policies also include source and destination zone matching conditions. The firewall processing of NATs will calculate destination zones based on the final destination address resulting from NAT. Therefore, its Security policy must include the calculated destination zone, which often leads to counter-intuitive Security policies in which pre-NAT destination addresses appear alongside post-NAT destination zones.

NAT examples reviewing this requirement and others can be found on this link.
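The "pre-NAT address, post-NAT zone" rule above is easy to get backwards, so here is an added Python model of the evaluation order (not PAN-OS code, and not from the original post) using the objects and rule names this post configures. It assumes the web server's subnet 172.17.201.0/24 sits behind TRUST-L3 and represents the bi-directional static NAT by its implied inbound destination translation; it shows that a Security rule written with the private (post-NAT) address never matches inbound traffic.

```python
import ipaddress

# Constructed lab data. Zone membership is derived from the route lookup of an address;
# the 172.17.201.0/24 -> TRUST-L3 entry is an assumption about this lab.
ROUTES = {"172.17.201.0/24": "TRUST-L3", "0.0.0.0/0": "UNTRUST-L3"}
OBJECTS = {"WEB-SERVER-PUB": "108.81.248.147/32", "WEB-SERVER-PRIV": "172.17.201.100/32"}
# Implied inbound half of the bi-directional static NAT rule DESTINATION-NAT-WEB.
NAT_RULES = [{"name": "DESTINATION-NAT-WEB", "dst": "WEB-SERVER-PUB", "translate_to": "WEB-SERVER-PRIV"}]
# The Security rule as configured in this post: pre-NAT destination, post-NAT zone.
GOOD_RULE = {"name": "INTERNET-TO-WEB-SERVER", "from": "UNTRUST-L3", "to": "TRUST-L3",
             "dst": "WEB-SERVER-PUB", "service": "service-http"}
# The tempting mistake: same rule, but matching on the private (post-NAT) address.
BAD_RULE = dict(GOOD_RULE, dst="WEB-SERVER-PRIV")

def zone_for(ip):
    """Longest-prefix route lookup, returning the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    best = max((ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]

def in_object(ip, name):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(OBJECTS[name])

def evaluate(src_ip, dst_ip, service, security_rules):
    """Model of the ordering: NAT lookup runs first only to learn the post-NAT destination
    zone; Security policy is then matched on pre-NAT addresses but post-NAT zones.
    Returns (matching rule name or None, post-NAT destination address)."""
    src_zone = zone_for(src_ip)
    post_nat_dst = dst_ip
    for nat in NAT_RULES:
        if in_object(dst_ip, nat["dst"]):
            post_nat_dst = OBJECTS[nat["translate_to"]].split("/")[0]
            break
    dst_zone = zone_for(post_nat_dst)            # zone comes from the translated address
    for rule in security_rules:
        if (rule["from"] == src_zone and rule["to"] == dst_zone
                and in_object(dst_ip, rule["dst"])  # address comparison uses pre-NAT value
                and rule["service"] == service):
            return rule["name"], post_nat_dst
    return None, post_nat_dst
```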

For Destination NAT, I’ve configured a static public IP address of 108.81.248.145/29 on the PA-200 UNTRUST interface ethernet1/1. To configure ethernet1/1, go to Network > Interfaces > Ethernet > click ethernet1/1.

Go to IPv4 tab and click Static under Type > click Add > type the IP address 108.81.248.145/29 > hit Enter > OK.

You also need to add a static default route by going to Network > Virtual Routers > click LAB-VR > Static Routes > Add.


Type the static route name > type 0.0.0.0/0 under Destination > choose ethernet1/1 under Interface > click IP Address for Next Hop > type the next hop IP address (108.81.248.146 in this case) > click OK.

I've used Abyss Web Server, a small download that runs on Windows, Mac or Linux. I downloaded the free Windows X1 version (X2 is the paid professional version). Double-click the exe file to run the installation wizard, click I Agree and follow the prompts.

You'll need to allow the program in Windows firewall by clicking Allow Access.

Create a user login and password > click OK.

You can modify web server settings such as the HTTP or HTTPS ports by clicking Configure > General. My PC 172.17.101.10 can ping the Web server 172.17.201.100 but can't open the page in a web browser on HTTP port 80. The Abyss Web Server Status showed a Listening Error, so I changed the HTTP port to 8080.

Choose 8080 on the HTTP Port drop-down option.

Click OK and Restart.

The Status has now changed to Listening.

You can also run the built-in Internet Information Services (IIS) (in Windows 7) by going to Control Panel > Programs > Turn Windows features on or off (takes a while to open) > click Internet Information Services (takes a while again to enable).

Now you can configure Destination NAT (Static NAT) on a PAN firewall and map a public IP address to a private IP address (usually used on servers). Create first an object for the Web server under Objects > Addresses > Add.

Type the name of the object (WEB-SERVER-PRIV) > optionally add a Description > choose IP Netmask under Type > type the private IP address 172.17.201.100 > click OK. An IP address without a netmask will automatically use a host netmask of /32 (255.255.255.255).

Add another Object for the Web server’s public IP address 108.81.248.147 (also using a host netmask /32).

To configure the Destination NAT policy, go to Policies > NAT > Add.

You configure Destination NAT from left to right just like in a Source NAT configuration. Under General > type the NAT policy name (DESTINATION-NAT-WEB) and optionally add a Description.

Under Original Packet > click Add under Source Zone and choose TRUST-L3 > under Destination Zone choose UNTRUST-L3 > under Destination Interface choose ethernet1/1 > under Source Address choose the object for the Web server's private IP address (WEB-SERVER-PRIV) > leave Any under Destination Address.

Under Translated Packet > choose Static IP under Translation Type.

Choose the object for the Web server’s public IP address (WEB-SERVER-PUB) under Translated Address.

Click Bi-directional > then click OK.

You also need a Security rule to allow web traffic from the UNTRUST zone (Internet) going to the Web server on the TRUST zone under Policies > Security > Add.

Under General tab > type the Name of the Security rule (INTERNET-TO-WEB-SERVER) and optionally add a Description.

Under Source tab > choose UNTRUST-L3 under Source Zone and Any under Source Address (any address coming from the Internet).

Under Destination tab > choose TRUST-L3 under Destination Zone > choose the object for Web server’s public IP address (WEB-SERVER-PUB).

Go to Service/URL Category > under Service click Add > choose service-http.

Leave the defaults under Actions tab which are Allow and Log at Session End.

Click OK and then Commit.


I've simulated a host on the UNTRUST zone using the public IP address 108.81.248.146/29. I also added a hosts file entry so the PC can resolve the Web server's name: open Notepad (right-click and Run as Administrator) > under File Name type C:\Windows\System32\Drivers\etc\hosts > Open.

You can view successful Inbound traffic (UNTRUST-L3 to TRUST-L3 zone) under Monitor > Logs > Traffic. Notice there was a hit on the Inbound Security rule (INTERNET-TO-WEB-SERVER).