
Deployment Configuring PAN Firewalls for a Layer 3 ...



Transcription of Deployment Configuring PAN Firewalls for a Layer 3 ...

Generated by Jive SBS on 2011-03-04-06:00

Configuring PAN Firewalls for a Layer 3 Deployment
Configuration Guide
January 2009

Introduction

The following document provides detailed step-by-step instructions for configuring PAN Firewalls for a typical Layer 3 deployment. For additional information on any of the features listed in this document, please refer to the online help in the WebUI or the Administrator's Guide, which can be found on the Palo Alto Networks support

Registration

By default, all PAN Firewalls retrieve licenses, content and software via the management interface. Before a device can download new content/software, the device must be registered on the support site. Follow the steps below to create a new support account and register your device.

to the Palo Alto Networks support site at If you have a support account login, otherwise click on the Register link to create a new support

On this page you will submit your contact information, create a user ID and register the firewall in the support database using the serial number located on the device.

Complete the form and click the

Management Interface Configuration

By default, all PAN Firewalls retrieve licenses and content/software updates via the management interface, so you will need to configure these settings first. All PAN firewalls ship with a serial cable and this is often the easiest way to configure these settings. By default, the management interface is configured with an IP address of , so you can connect directly using an Ethernet cable and then establish an SSH session to the device. Once connected and IP connectivity or serial connectivity is confirmed, follow the instructions below to configure the management

to using default username/password of admin/admin

    PA-2050 login: admin
    Password: admin

Enter configuration mode to configure the management interface.

At a minimum, you will need to configure the IP Address, Subnet Mask, Default Gateway and Primary DNS as shown below.

    admin@PA-2050> configure
    Entering configuration mode
    [edit]
    admin@PA-2050# set deviceconfig system ip-address default-gateway dns-primary

Commit the configuration to make it active and exit configuration mode.

    admin@PA-2050# commit
    ..98%..100%
    Configuration committed successfully
    [edit]
    admin@PA-2050# exit
    Exiting configuration mode

To test IP connectivity and DNS, ping the default gateway and if successful, ping an address on the Internet using the Fully Qualified Domain Name (FQDN).

    admin@PA-2050> ping host
    ( ) 56(84) bytes of
    bytes from : icmp_seq=1 ttl=64 time= ms
    64 bytes from : icmp_seq=2 ttl=64 time= ms
    --- ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = ms

    admin@PA-2050> ping host
    ( ) 56(84) bytes of
    bytes from ( ): icmp_seq=1 ttl=242 time= ms
    64 bytes from ( ): icmp_seq=2 ttl=242 time= ms
    --- ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1000ms
    rtt min/avg/max/mdev = ms

Download/Upgrade licenses, content and software

Once the management interface is configured, it is often easiest to configure the remaining settings via the WebUI.

By default the management interface will respond using HTTPS, so point your browser to the management interface IP address and be sure to specify https.

Configure the date and time. Once connected to the device, go to the Device tab and click on the Set Time link. Then fill in the required fields; no commit is needed to make the time change active.

Note: Changing the system time does not change the original timestamps of existing log entries.

Go to the Licenses page in the left-hand navigation pane and click the Retrieve license link. If the management interface is configured correctly and the device is registered, the firewall will pull down licenses from the Palo Alto Networks support site using SSL. If this fails, check for a device blocking TCP/443 between the firewall's MGT interface and the Internet.

If the firewall is sitting behind a proxy server, you might need to configure the proxy settings on the Device

Content

On the Device tab, click on the Dynamic Updates link in the left-hand navigation pane. Next, click the Check Now button to check for new application and/or threat content. If available, the action column will display a Download link. Click this link to begin downloading the latest

Once completed, the link changes to an Install link. Click this link to begin installing the latest content. This could take several minutes depending on the platform. Later you can configure dynamic updates on a daily or weekly schedule to automate the process of downloading and installing new content.

Once the installation is completed, you are finished with content updates and are ready to upgrade the

Software Update

Go to the Software page in the left-hand navigation pane and click the Refresh button to check for new system software.

If new software is available, it should be listed at the top and the action column will display a Download link. Click this link to begin the software download.

Once the system software is downloaded, the action column for that software version will change to display an Install link. Click the link to start the installation process. The amount of time this takes will depend on the hardware platform and the process will require a reboot of the firewall.

Once the software is installed, you will have the option to reboot to complete the upgrade. Click the Reboot button to force a reboot and to complete the upgrade process.

Note: When a device is rebooted, a job/process called an Auto Commit is performed to push the content and configuration from the management plane to the data plane.

After an upgrade this may take several minutes and during this time, the device configuration cannot be committed. You can check the status of this job from the CLI using the following command:

The following shows an autocommit in-process:

    admin@PA-2050> show jobs processed
    Enqueued ID Type Status Result Completed
    ------------------------------- ----------------------
    02:07:42 1 AutoCom ACT PEND 60%

The following shows an autocommit completed:

    admin@PA-2050> show jobs processed
    Enqueued ID Type Status Result Completed
    ------------------------------- ----------------------
    02:07:42 1 AutoCom FIN OK 02:18:12

Note: After upgrading, close and reopen your browser. Most releases include updates to files that the browser may have cached so it is also a good idea to clear your browser cache.

Skipping this step could cause the older files to be used and may lead to incorrect displays in the web interface.

Once software and content are both upgraded, you are ready to begin the configuration of the firewall.

Configure Interfaces, Zones and Virtual Routers

First it is important to understand the three key components to configuring a PAN firewall for a Layer 3 deployment. The building blocks for any Layer 3 deployment are zones, interfaces and virtual routers.

Zones: When it comes time to build your security policy, all security rules will be created based on a source zone and a destination zone. A typical perimeter firewall deployment will have three zones, a Trust, DMZ and an Untrust zone. To allow traffic to pass through the firewall from the internal network to the Internet, a policy permitting traffic between the trust and untrust zones would be required.

PAN Firewalls ship with predefined zones and firewall administrators can create their own custom zones to fit their environment. Zones are particularly useful for internal segmentation when you need to control traffic and protect resources between different groups/functions.

Interfaces: PAN Firewalls support both physical and logical interfaces and all interfaces must be configured to belong to a zone before traffic can pass between two interfaces. Multiple interfaces can belong to a single zone but any physical or logical interface can only belong to a single zone. PAN devices support VLAN tagging ( ), so a single physical interface could have several logical subinterfaces, each in their own custom zone.

Virtual Routers: Virtual routers (VRs) are required for a Layer 3 deployment. This is where static routes are added and where dynamic routing protocols are configured.

All Layer 3 interfaces must belong to a virtual router to function. For any Layer 3 deployment, a virtual router must be created and a default route added. Each virtual router maintains a separate set of routes that are not shared between VRs, giving administrators the ability to configure different routing behaviors for different interfaces.

Configuration Cleanup

By default, all PAN Firewalls ship to work in a Virtual Wire (transparent) mode right out of the box. Since this document only addresses Layer 3 deployment, we will want to delete some of the default configurations that are no longer

We will delete the default virtual wire. Navigate to the Network tab and click on the Virtual Wires link in the left navigation pane to see the configured virtual wire(s).
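
The zone, interface and virtual-router rules from the "Configure Interfaces, Zones and Virtual Routers" section can be checked against a planned design before it is entered on the firewall. The following is an added example, not part of the original guide and not Palo Alto Networks code; the dictionary layout and all interface, zone, router and rule names are constructed for illustration.

```python
# Added example: lint a planned Layer 3 design against the guide's rules.
# The dict layout and every name below are constructed, not PAN-OS syntax.
from collections import defaultdict

def lint_l3(cfg):
    findings = []
    zones_of = defaultdict(list)            # interface -> zones that list it
    for zone, members in cfg["zones"].items():
        for ifname in members:
            zones_of[ifname].append(zone)
    routed = set()                          # interfaces attached to any VR
    for vr, body in cfg["virtual_routers"].items():
        routed.update(body["interfaces"])
        # Routes are not shared between VRs, so each needs its own default.
        if "0.0.0.0/0" not in body["static_routes"]:
            findings.append(f"vr {vr}: no default route")
    for ifname in cfg["l3_interfaces"]:
        zones = sorted(zones_of.get(ifname, []))
        if not zones:
            findings.append(f"{ifname}: not in any zone")
        elif len(zones) > 1:
            findings.append(f"{ifname}: in more than one zone {zones}")
        if ifname not in routed:
            findings.append(f"{ifname}: not in a virtual router")
    # Security rules are written zone-to-zone, so both zones must exist.
    for rule in cfg["security_rules"]:
        for side in ("from", "to"):
            if rule[side] not in cfg["zones"]:
                findings.append(f"rule {rule['name']}: unknown zone {rule[side]}")
    return findings

# Constructed sample design containing deliberate mistakes.
SAMPLE = {
    "l3_interfaces": ["ethernet1/1", "ethernet1/2", "ethernet1/3.10", "ethernet1/4"],
    "zones": {
        "trust": ["ethernet1/2"],
        "untrust": ["ethernet1/1"],
        "dmz": ["ethernet1/3.10", "ethernet1/2"],   # ethernet1/2 also in trust
    },
    "virtual_routers": {
        "vr1": {"interfaces": ["ethernet1/1", "ethernet1/2", "ethernet1/3.10"],
                "static_routes": {}},               # default route missing
    },
    "security_rules": [{"name": "outbound", "from": "trust", "to": "untrust"},
                       {"name": "guest", "from": "guest", "to": "untrust"}],
}

if __name__ == "__main__":
    for finding in lint_l3(SAMPLE):
        print(finding)
```

An empty result means every Layer 3 interface sits in exactly one zone and one virtual router, each virtual router has a default route, and every rule refers to zones that exist.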

