PAN Firewall Configuration
The CDR Platform Palo Alto Networks plug-in allows users to integrate Palo Alto Networks Firewall products within their Glasswall CDR Platform implementation.

The following steps cover the deployment of the VM/PA-series based Palo Alto Networks Firewall.

Note: For VM-series, users should consider implementing the BYOL (Bring Your Own License) model, rather than the PAYG (Pay As You Go) model for setup of the virtual machine in AWS. Currently, PAYG does not seem to activate the use of the Network Packet Broker on the virtual machine.




Deploy Palo Alto Networks Firewall

Create Instance

  1. Subscribe to Palo Alto Networks in AWS Marketplace or Azure Marketplace so that the machine instances published by Palo Alto Networks can be used to create EC2 instances.

  2. Select "VM-Series Next-Generation Firewall (BYOL and ELA)" in the list of products published in the above marketplaces and click Continue to Subscribe.

  3. Select the region where the firewall needs to be deployed.

  4. Create an instance using Palo Alto Networks Firewall machine instance in a public subnet.

  5. Attach the Security Group which allows SSH and HTTPS to the instance. This allows a connection to the Management plane.

  6. Create 4 Network Interfaces and attach them to the instance which lies in the data plane.

    1. Outside interface: Create an Interface in the public subnet and attach an elastic IP address. This interface will be used to connect to the internet via the firewall.
    2. Inside interface: Create an Interface in the 1st private subnet (Inside) and attach it to the instance.
    3. Security out: Create an Interface in the 2nd private subnet (Security Out) and attach it to the instance.
    4. Security in: Create an Interface in the 3rd private subnet (Security In) and attach it to the instance.

  7. All interfaces should have the same Security Group which allows traffic from internet (0.0.0.0/0).

  8. For every interface ensure that Source/destination check is unchecked.

  9. SSH to the instance with the admin username and the private key used when creating the instance. Note that the first boot can take 10-15 minutes to initialize (during this time SSH will prompt for a password instead of accepting the key).

  10. Run the commands below to set a new admin password (the PAN-OS command keyword is mgmt-config):

    configure
    set mgmt-config users admin password
    commit

  11. Retrieve the authorization code following the steps here.

  12. Navigate to Licenses under Device, click Activate feature using authorization code and enter the code.



Configure the Palo Alto Networks Firewall

Create Interfaces

Navigate to the Network section, and create the following four interfaces:

  • Ethernet 1/1 - Outside

    Virtual Router: default
    Security Zone: Outside
    Under IPv4, use DHCP client and tick the "Automatically create default route pointing to default gateway provided by server" checkbox. Since this interface is in a public subnet, it uses the AWS internet gateway to connect to the internet. Make sure an Elastic IP address (EIP) is attached to this interface in AWS.

  • Ethernet 1/2 - Inside

    Virtual Router: default
    Security Zone: Inside
    Assign the static IP address of the inside interface

  • Ethernet 1/3 - Security out

    Virtual Router: security
    Security Zone: Security
    Assign the static IP address of the security out interface

  • Ethernet 1/4 - Security in

    Assign the static IP address of the security in interface



Create Routes in Virtual Router

Under the Network section, create the following two IPv4 Static Routes in the default Virtual Router.


Outbound

This makes sure that traffic routed to the internet uses the outside interface and goes through the Gateway IP of the outside subnet.

  • Destination: 0.0.0.0/0
  • Interface: ethernet1/1 (outside interface)
  • Type: ip-address
  • Value: gateway IP of the outside subnet (the public subnet)


Inbound

This makes sure that traffic routed to an IP address inside the VPC or VNET uses the inside interface and goes through the Gateway IP of the inside subnet.

  • Destination: CIDR of the VPC or VNET
  • Interface: ethernet1/2 (inside interface)
  • Type: ip-address
  • Value: gateway IP of the inside subnet



Create Decryption Profile

  1. Navigate to the Objects section, and select Decryption Profile from the left navigation menu.

  2. From the bottom of the page, click Add.

  3. Enter a Name for the Decryption Profile.


    Note: we have named our decryption profile default-1. This profile ensures that the firewall only uses HTTP/1.1 (via Strip ALPN, below), since the Squid Proxy (v4.17) is incompatible with HTTP/2.0.

  4. Under the SSL Forward Proxy section, ensure that only Strip ALPN is selected.

  5. Ensure that every Key Exchange Algorithm, Encryption Algorithm, and Authentication Algorithm is selected except the following:
    1. CHACHA20-POLY1305
    2. MD5
  6. Click OK.

Create Forwarding Profile

  1. Navigate to the Objects section, and select Forwarding Profile from the left navigation menu.
    Now we will set up the Squid chain links to pass the HTTPS traffic through the security chain.

  2. Enter a Name for the new Forwarding Profile.

  3. Select the Security Chains tab, and then click Add at the bottom of the section to add a new chain. In our example, we have named them "squid-1" and "squid-2".

    Note: we recommend setting up at least three security chains for a normal deployment, as this will ensure that there is sufficient capacity to deal with the CDR processing load.

  4. Click OK.

Create Certificates

We need to create two CA certificates in the Firewall, named Trusted and UnTrusted.

Trusted: The Trusted CA certificate is used to sign the certificate generated for every website accessed through the firewall that presents a valid SSL certificate trusted by the firewall. This CA certificate needs to be imported and trusted on all devices connected to the firewall network.

UnTrusted: The UnTrusted CA certificate is used to sign the certificate generated for every website accessed through the firewall that does not present a valid SSL certificate trusted by the firewall. This CA certificate should not be imported on users' devices, so that clients still see a certificate warning for such sites.

Follow the steps below to create the certificates:

Trusted

  1. Navigate to the Certificates page under the Device tab.

  2. Click Generate and fill in the details as shown below. You can enter an appropriate name for the Name field.


  3. Click OK.


UnTrusted

  1. Click Generate and fill in the details as shown below. You can enter an appropriate name for the Name field.


  2. Click OK.


Insert Certificates

  1. Select the Trusted certificate and click Export Certificate from the bottom menu options.

  2. Select Binary Encoded Certificate (DER) from the File Format drop-down.


  3. Click OK.



Create a Security Rule

The following steps show you how to create a Security Rule to allow internal traffic to the internet.

  1. Navigate to the Policies section and select Security.

  2. Click Add from the bottom of the section to add a new rule.

  3. Enter a Name for the new Security Rule.

  4. Next, select the Source tab.

  5. From the Source Zone column, select Inside.

  6. Under the Source Address column, select vpc-cidr.

  7. Next, select the Destination tab and from the Destination Zone column select Outside.

  8. Next, select the Actions tab and fill in according to the screenshot below.

  9. Click OK.



Create a NAT

A NAT policy rule specifies whether source or destination IP addresses and ports are converted between public and private addresses and ports. For example, private source addresses can be translated to public addresses on traffic sent from an internal (trusted/inside) zone to a public (untrusted/outside) zone.

  1. Navigate to the Policies section, and select NAT Policy Rule.

  2. Under the General tab, enter a name and select ipv4 from the NAT Type drop-down list.


  3. Select the Original Packet section, and set the following:
    1. Under the Source Zone column, select Inside.
    2. Under Destination Zone, select Outside.
    3. Under Destination Interface, select ethernet1/1.


  4. Select the Translated Packet section, and set the following:
    1. Under Translation Type, select Dynamic IP And Port.
    2. Under Address Type, select Interface Address.
    3. Under Interface, select ethernet1/1.


  5. Click OK.



Create a Decryption Policy Rule

  1. Navigate to the Policies section, and select Decryption Policy Rule.

  2. Under the General tab, enter a name for the new rule.

  3. Select the Source tab, and set the following:
    1. Under the Source Zone column, select Inside.
    2. Under Source Address, select vpc-cidr.

  4. Select the Destination tab, and set the following:
    1. Under Destination Zone, select Outside.

  5. Select the Options tab, and set the following:
    1. Under Action, select Decrypt And Forward.
    2. Under Type, select SSL Forward Proxy.
    3. Enter the Decryption Profile name that you created in the previous step.
    4. Enter the Forwarding Profile name that you created in the previous step.
  6. Click OK.
