
Zone Security, Security and NAT Policies

PCNSA Training By Vintcom Myanmar


Security Zones

• Palo Alto Networks firewalls use the concept of security zones to secure and manage your networks.
• Security zones group devices and users with similar security needs.
• Security zones often align to network segmentation.
• To create a security zone, navigate to Network > Zones.

Zone Types

• An interface on the firewall must be assigned to a security zone before the interface can process traffic.
• A zone can have multiple interfaces of the same type assigned to it (for example, tap, Layer 2, or Layer 3 interfaces), but an interface can belong to only one zone.
1. Tap - A Tap interface monitors traffic that is connected to a network switch's MIRROR/SPAN port. This mirrored traffic is forwarded by a switch port to a firewall's Tap interface and is analyzed for App-ID, User-ID, Content-ID, and other traffic inspection.
2. Virtual Wire - A Virtual Wire interface is used to pass traffic through a firewall by binding two Ethernet interfaces and allowing traffic to pass between them.
3. Layer 2 - Layer 2 interfaces are used to switch traffic between other Layer 2 interfaces.
4. Layer 3 - A Layer 3 zone is used when routing between two or more networks.
5. Tunnel - A Tunnel interface is a logical (virtual) interface used with VPN tunnels to deliver encrypted traffic between two endpoints.

Network Interfaces

All firewall models include in-band interfaces that are used to control network traffic flowing across an enterprise.
• Physical Interfaces - The firewall supports two types of media: copper and fiber-optic. You can configure Ethernet interfaces as various types: Tap, High Availability (HA), Virtual Wire (interface and subinterface), Layer 2 (interface and subinterface), Layer 3 (interface and subinterface), SD-WAN and Aggregate Ethernet (AE). The available interface types and transmission speeds vary according to the hardware model.
• Logical Interfaces - These include VLAN interfaces, loopback interfaces, and tunnel interfaces. You must set up the physical interface before defining a VLAN or a tunnel interface.

Deployment Options

• Tap Mode - Tap Mode requires no changes to the existing network design. In this mode, the firewall cannot block any traffic.
• Virtual Wire Mode - The firewall can be inserted into an existing topology without requiring any re-allocation of network addresses or redesign of the network topology.
• Layer 3 Mode - With Layer 3 interfaces, the firewall can replace any current enterprise firewall deployment.

Tap Interface Configuration

• The firewall can use a tap interface to connect to a switch's SPAN or mirror port.
• A tap interface passively collects and logs monitored traffic to the firewall's Traffic log.
• To configure a tap interface, browse to Network > Interfaces > Ethernet > <select_interface>.
• Select Tap as the Interface Type.
• To enable logging, you must configure a Security policy rule with the source and destination zones set to the zone that contains the tap interface.
• Select a Tap type Security Zone. The Security Zone drop-down list shows only zones of the type tap.

Virtual Wire Interface Configuration

• A virtual wire configuration is defined in two steps: creating the virtual wire object and configuring the virtual wire interfaces that the object connects.
• The virtual wire object provides the data path between the two virtual wire interfaces.
• Step 1: Create a Virtual Wire Type Security Zone (Network > Zones)
• Step 2: Configure a Virtual Wire Object (Network > Virtual Wires)
• Step 3: Configure Virtual Wire Interfaces (Network > Interfaces > Ethernet)

Layer 3 Interface Configuration

• A Layer 3 deployment enables routing traffic between multiple Layer 3 interfaces.
• Because each Layer 3 interface consumes at least one IP address, a Layer 3 deployment can require network reconfiguration in your enterprise. Routing between Layer 3 interfaces requires a virtual router.
• Step 1: Create a Layer 3 Type Security Zone (Network > Zones)
• Step 2: Configure a Virtual Router (Network > Virtual Routers)
• Step 3: Configure Layer 3 Interfaces (Network > Interfaces > Ethernet)
• Step 4: Assign an IP Address
• Step 5: Assign a Management Profile (Optional)

Interface Management Profile

• By default, the out-of-band MGT port is designed to support firewall management functions and services.
• You can apply an Interface Management Profile to a Layer 3 interface to enable it to carry management traffic.
• To configure an Interface Management Profile, browse to Network > Network Profiles > Interface Mgmt > Add.
• Apply the Interface Management Profile to the configured Layer 3 interface(s).

Loopback Interface Configuration

• A loopback interface is a logical interface that can be reached through a physical interface or subinterface.
• Each loopback interface is assigned an IP address and behaves as a host interface.
• To configure a loopback interface, browse to Network > Interfaces > Loopback and click Add.
• The IP address assigned to a loopback interface must have no netmask or a /32 netmask.

Security Policy

• All traffic traversing the data plane of the Palo Alto Networks firewall is matched against a Security policy.
• Rule Types
  • Intrazone
  • Interzone
  • Universal
• By default, the firewall implicitly allows intrazone traffic and implicitly denies interzone traffic.
• The policy rule hit count feature enables you to identify rules that are used frequently and to determine which rules are unused and could be removed.

Security Policy Configuration

• To create a new Security policy rule, browse to Policies > Security.
• Policy elements:
  • Source Zone / Address / User / Device
  • Destination Zone / Address / User / Device
  • Service
  • Application
  • Service / URL Category
• Actions
  • Allow
  • Deny
  • Drop
  • Reset client
  • Reset server
  • Reset both client and server

Rule Shadowing

• If traffic can match two rules, the first rule that matches is said to shadow the rule below it.
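As an added example (not part of the training deck), this Python model evaluates a small constructed rulebase top-down the way the slides describe: rule types (universal, intrazone, interzone), the implicit intrazone-allow and interzone-deny defaults, a per-rule hit count, and a check for rules that a rule above them fully shadows. The zone names, address ranges and App-ID names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
def covers(outer, inner):
    """Set criterion 'outer' matches everything 'inner' does ('any' matches all)."""
    return "any" in outer or ("any" not in inner and inner <= outer)
def nets_cover(outer, inner):
    """Every network in 'inner' lies inside some network in 'outer'."""
    return all(any(ip_network(i).subnet_of(ip_network(o)) for o in outer) for i in inner)

@dataclass
class Rule:
    name: str
    src_zones: set      # zone names, or {"any"}
    dst_zones: set
    src_nets: list      # CIDR strings; "0.0.0.0/0" means any address
    dst_nets: list
    apps: set           # App-ID names, or {"any"}
    action: str
    rule_type: str = "universal"   # universal | intrazone | interzone
    hits: int = 0                  # policy rule hit count, incremented on match

    def matches(self, src_zone, dst_zone, src_ip, dst_ip, app):
        same = src_zone == dst_zone
        if (self.rule_type == "intrazone" and not same) or (self.rule_type == "interzone" and same):
            return False
        return (covers(self.src_zones, {src_zone}) and covers(self.dst_zones, {dst_zone})
                and nets_cover(self.src_nets, [src_ip + "/32"]) and nets_cover(self.dst_nets, [dst_ip + "/32"])
                and covers(self.apps, {app}))
def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip, app):
    """Top-down first match; unmatched traffic falls to the implicit default rules."""
    for r in rules:
        if r.matches(src_zone, dst_zone, src_ip, dst_ip, app):
            r.hits += 1
            return r.name, r.action
    return ("intrazone-default", "allow") if src_zone == dst_zone else ("interzone-default", "deny")
def shadows(a, b):
    """True if the earlier rule a matches every packet the later rule b could match."""
    return (covers(a.src_zones, b.src_zones) and covers(a.dst_zones, b.dst_zones)
            and nets_cover(a.src_nets, b.src_nets) and nets_cover(a.dst_nets, b.dst_nets)
            and covers(a.apps, b.apps) and a.rule_type in ("universal", b.rule_type))
def find_shadowed(rules):
    """Names of rules that can never match because a rule above them shadows them."""
    return [b.name for i, b in enumerate(rules) if any(shadows(a, b) for a in rules[:i])]

# Constructed sample rulebase: the third rule is entirely covered by the first and so never fires.
RULES = [
    Rule("allow-web-out", {"trust"}, {"untrust"}, ["10.1.0.0/16"], ["0.0.0.0/0"], {"web-browsing", "ssl"}, "allow"),
    Rule("block-guest-dns", {"guest"}, {"untrust"}, ["0.0.0.0/0"], ["0.0.0.0/0"], {"dns"}, "deny"),
    Rule("allow-finance-web", {"trust"}, {"untrust"}, ["10.1.50.0/24"], ["0.0.0.0/0"], {"web-browsing"}, "allow"),
]
```

A shadowed rule shows a hit count of zero no matter how much matching traffic flows, which is why the slides pair rule cleanup with the hit count and Highlight Unused Rules features.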

Finding Unused Security Policy Rules

• Administrators should periodically remove unused rules from their Security policy rulebase.
• Removal of unused rules increases firewall operational efficiency and simplifies rule management.
• The firewall tracks rules unused since the last time the data plane restarted.
• You can perform cleanup quickly and easily by using the Highlight Unused Rules option.
• To find unused rules, navigate to Policies > Security.

Rule Usage Filter

• Firewall administrators need to periodically check for rules that are out of date or unused.
• To filter the rules displayed, navigate to Policies > Security > Policy Optimizer > Rule Usage.

Tags

• Tags enable you to group objects using keywords or phrases.
• Tags can be assigned a color, which makes a visual search for a tag easier in the web interface.
• Add Tag - Objects > Tags > Add
• Assign Tags - Assign your Security policy to a tag group
• Filter for Tag - Filter Security policy using the tag
• Require Tag on Policies - Device > Setup > Management and select the Require Tag on policies option

Test Policy Functionality

• You can test policy rules and managed device configurations to ensure that candidate configurations appropriately secure your network and maintain connectivity to important network resources.
• The Test Security Policy Match window enables you to enter a set of criteria directly from the web interface rather than from the CLI.
• Navigate to Device > Troubleshooting.

NAT Types

• Source NAT - to translate the address of outbound traffic, that is, traffic originating on a private network and being forwarded out toward the internet.
• Destination NAT - to translate the address of inbound traffic, that is, traffic coming from the internet into the local private network.

Source NAT

• Source NAT is commonly used to allow host devices configured with a private IP address to send and receive traffic on the internet.
• Source NAT Types
  • Static IP
    • 1-to-1 fixed translations
    • Changes the source IP address while leaving the source port unchanged
    • Supports the implicit bidirectional rule feature
  • Dynamic IP
    • 1-to-1 translations of a source IP address only (no port number)
    • The private source address translates to the next available address in the range
    • By default, if the source address pool is larger than the translated address pool, new IP addresses seeking translation are blocked while the translated address pool is fully used
  • Dynamic IP and Port
    • Allows multiple clients to use the same public IP address with different source port numbers
    • The assigned address can be set to the interface address or to a translated address.

Source NAT and Security Policies

• To configure source NAT, first create a NAT policy rule. Then create a Security policy rule to allow the traffic.
• Policies > NAT
  • A NAT policy rule matches the packet based on the original pre-NAT source and destination addresses and the pre-NAT destination zone.
• Policies > Security
  • The Security policy rule is enforced after the NAT policy rule is evaluated but before the NAT translation is applied.

Destination NAT

• Destination NAT is commonly used to make a server within a private network reachable from the public internet.
• Destination NAT Types
  • Static IP
    • 1-to-1 translation of inbound traffic
    • Changes the destination IP address while leaving the destination port unchanged
  • Dynamic IP (with session distribution)
    • Translates the original destination address to a destination host or server that has a dynamic IP address, meaning an address object that uses an FQDN, which can return multiple addresses from DNS
    • If the translated destination address resolves to more than one address, the firewall distributes incoming NAT sessions among the multiple addresses to provide improved session distribution.
    • Distribution is based on one of several methods: round-robin (the default method), source IP hash, IP modulo, IP hash, or least sessions.
• Destination NAT Use Cases
  • Port Forwarding
    • Can translate a public destination address and port number to a private destination address but keeps the same port number
  • Port Translation
    • Can translate a public destination address and port number to a private destination address and a different port number

Destination NAT and Security Policies

• To configure destination NAT, first create a NAT policy rule. Then create a Security policy rule to allow the traffic.
• Policies > NAT
  • A NAT policy rule matches the packet based on the original pre-NAT source and destination addresses and the pre-NAT destination zone. Use the Translated Packet tab to specify the desired translation of packets that meet the Original Packet criteria.
• Policies > Security
  • The Security policy rule is enforced after the NAT policy rule is evaluated but before the NAT translation is applied.
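As an added example (not part of the training deck), this Python model walks a packet through the order the Source NAT and Destination NAT slides describe: the NAT rule is matched on pre-NAT addresses and the pre-NAT destination zone, the Security rule is then evaluated with the pre-NAT addresses but the zone the translated destination routes to (the documented PAN-OS behaviour of pre-NAT IP, post-NAT zone), and the translation is applied only if the Security rule allows the traffic. The route table, rules, addresses and port pool are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from itertools import count

# Constructed topology: the virtual router's routes decide which zone an address belongs to.
ROUTES = [("10.1.0.0/16", "trust"), ("10.2.0.0/24", "dmz"), ("0.0.0.0/0", "untrust")]

def zone_of(ip):
    """Longest-prefix match of ip against ROUTES, returning the zone it routes to."""
    hits = [(ip_network(n), z) for n, z in ROUTES if ip_address(ip) in ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

# Constructed NAT rules: Original Packet criteria use pre-NAT addresses and the pre-NAT destination zone.
NAT_RULES = [
    {"name": "web-inbound", "from": "untrust", "to": "untrust", "dst": "203.0.113.80/32", "dport": 8443,
     "translate": ("dst", "10.2.0.5", 443)},                   # destination NAT with port translation
    {"name": "outbound-dipp", "from": "trust", "to": "untrust", "dst": "0.0.0.0/0", "dport": None,
     "translate": ("src", "203.0.113.1", None)},               # dynamic IP and port source NAT
]
# Constructed Security rules: written with pre-NAT addresses but post-NAT zones.
SEC_RULES = [
    {"name": "allow-web-in", "from": "untrust", "to": "dmz", "dst": "203.0.113.80/32", "action": "allow"},
    {"name": "allow-out", "from": "trust", "to": "untrust", "dst": "0.0.0.0/0", "action": "allow"},
]
_DIPP_PORTS = count(1025)   # toy translated-port pool for the DIPP rule

def process(src_ip, sport, dst_ip, dport):
    """Evaluate NAT policy, then Security policy, then (only if allowed) apply the translation."""
    pkt = {"src": src_ip, "sport": sport, "dst": dst_ip, "dport": dport}
    from_zone, to_zone = zone_of(src_ip), zone_of(dst_ip)          # pre-NAT zones
    nat = next((r for r in NAT_RULES if r["from"] == from_zone and r["to"] == to_zone
                and ip_address(dst_ip) in ip_network(r["dst"]) and r["dport"] in (None, dport)), None)
    if nat and nat["translate"][0] == "dst":
        to_zone = zone_of(nat["translate"][1])   # destination zone re-derived from the translated address
    sec = next((r for r in SEC_RULES if r["from"] == from_zone and r["to"] == to_zone
                and ip_address(dst_ip) in ip_network(r["dst"])), None)   # still the pre-NAT destination IP
    if sec is None:                                     # implicit defaults: intrazone allow, interzone deny
        sec = {"name": "intrazone-default" if from_zone == to_zone else "interzone-default",
               "action": "allow" if from_zone == to_zone else "deny"}
    if sec["action"] != "allow":
        return {"verdict": "deny", "rule": sec["name"], "nat": None, "packet": pkt}
    if nat:                                             # translation is applied last
        kind, addr, port = nat["translate"]
        if kind == "dst":
            pkt["dst"], pkt["dport"] = addr, port
        else:
            pkt["src"], pkt["sport"] = addr, next(_DIPP_PORTS)
    return {"verdict": "allow", "rule": sec["name"], "nat": nat["name"] if nat else None, "packet": pkt}
```

The third case in the test (a Security rule written with the server's private address) is the classic misconfiguration the slides warn against: the rule never matches because the packet is still carrying its public, pre-NAT destination address when Security policy is evaluated.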
Thank You
