Rowell Dionicio

Get Techie With It
Archives for July 2021

Setting up a Palo Alto Networks Firewall for the First Time

July 19, 2021 By Rowell 2 Comments

I recently added a Palo Alto Networks PA-820 next-generation firewall (NGFW) to my lab network. Over at Packet6, I’ve been getting into the PAN NGFWs for a while now and we are reselling Palo Alto Networks.

In this post, I’ll be going over a simple configuration to set up the PA-820 for the first time. The goal is to set up a LAN, WAN (using DHCP), and NAT to get internet access.

This process would be very similar for other models as well.

Keep in mind that my firewall is running PAN-OS 9.1.4; menu names and CLI syntax below are from that release.

Table Of Contents
  1. Register your firewall
  2. Access the NGFW
  3. Configure Device Settings
  4. Create a new super user
  5. Commit your changes
  6. Configuring Interfaces
  7. Configure the WAN interface
  8. Configure DHCP
  9. Default-vwire
  10. Commit
  11. Management Profile
  12. NAT
  13. Security ACLs
  14. Closing Thoughts

Register your firewall

You’ll need to create an account on the Palo Alto Networks Customer Support Portal.

To register your firewall, you’ll need the serial number.

Sign into the portal.

Click on Register a Device

Select the radio for Register a device using Serial Number then click Next

Under Device Registration, you’ll need to fill out all the required information. This includes the serial number of the firewall and the location where this firewall will be deployed. That last part is important for RMAs. Then at the bottom you’ll need to agree to the EULA.

There’s an option to create a Day 1 configuration but I’m going to skip that for now.

When finished, your NGFW will be registered.

Access the NGFW

Plug into the MGMT interface of the firewall.

Default IP

The MGMT interface is configured to 192.168.1.1.


Set your NIC to 192.168.1.2 with a mask of 255.255.255.0. You will not receive DHCP leases from the MGMT interface.

Next, you’ll open a web browser to https://192.168.1.1. You should be presented with the login screen of the NGFW.

Default username and password

The default username is: admin

The default password is: admin

After logging in, you’ll be prompted to change the password for the admin account, which is a super user. The new password must be at least 8 characters long and must contain upper case, lower case, numeric, or special characters.

After changing the password, you may be kicked out to the login screen. Log back in with the new password.

You’ll be presented with a Welcome pop up. You can close it and view it again later. You’re now in the NGFW and ready to configure the rest of it!

Configure Device Settings

Next, we’ll configure some basic device settings. Nothing crazy.

Click on the Device tab. On the left navigation, click on Setup. Then in the middle pane, you should be in the Management tab. There is a General Settings section. Click on the Gear icon.

Let’s add a hostname, login banner, and set the time zone.

Here’s the login banner I used.

Packet6 LEGAL NOTICE

This is a private system which may be accessed and used for authorized business purposes only.

THERE IS NO RIGHT OF PRIVACY FOR ANY PERSON ACCESSING OR USING THIS SYSTEM.

Access or use of this information system constitutes consent to these terms.

Create a new super user

It’s best practice to set up a separate named account so you’re not using the default admin account, and so that every change in the commit history is attributable to a person.

Let’s create a new one. We can harden accounts later. This is just basic admin account creation.

On the left navigation click on Administrators then at the bottom click Add.

In the new pop up, type in the name of the account. We won’t set the Authentication Profile just yet so leave it at none. Create a password and select Dynamic for the Administrator Type. From the dropdown, select Super User.

There are two Administrator types:

  • Dynamic
  • Role Based

Role Based is the more secure way to define administrators, since you grant only the tabs and actions each account needs. The Dynamic type uses one of the built-in roles:

  • Superuser
  • Superuser (read only)
  • Virtual System Administrator
  • Virtual System Administrator (read only)
  • Device administrator
  • Device administrator (read only)
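The same device settings and administrator account, done from the CLI instead of the GUI, as an added example that is not part of the original post (SSH to the MGMT IP and type configure). The hostname, time zone, banner text and account name are assumptions. The last block is the account hardening the post defers to later (lockout, idle timeout, password complexity), included here so you can see where it lives; the values are assumptions too.

```text
configure

# Device > Setup > Management > General Settings (values are assumptions)
set deviceconfig system hostname pa820-lab
set deviceconfig system timezone US/Pacific
set deviceconfig system login-banner "Private system. Authorized use only. No expectation of privacy."

# Device > Administrators: a named super user so the built-in admin isn't used day to day.
# "password" with no value prompts interactively; the secret never goes on the command line.
set mgt-config users labadmin permissions role-based superuser yes
set mgt-config users labadmin password

# Account hardening the post defers to later (assumed values)
set mgt-config password-complexity enabled yes
set mgt-config password-complexity minimum-length 12
set deviceconfig setting management admin-lockout failed-attempts 5
set deviceconfig setting management admin-lockout lockout-time 15
set deviceconfig setting management idle-timeout 10

# Same as Commit > Validate, then Commit with a commit comment
validate full
commit description "initial device settings and labadmin account"
```

Log out of admin and back in as the new account before going further; if the new account can't commit, you still have admin to fix it.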

Commit your changes

We’re now in a good spot to apply our changes to the running configuration by committing.

By using Commit, we take the Candidate configuration and apply it to the Running configuration.

The Commit button is at the top right.

You’ll be presented with a commit pop up where you can preview your changes and add a commit comment.

Before clicking on Commit, click on Preview Changes to see what is included in this Commit Scope.

It’s good practice to review the changes being applied so you don’t create an issue.

Click on Change Summary to get a different view of the changes. I like this view much better. There’s more detail such as the object that is being changed, the location, and the user account that created the change.

Additionally, we can Validate the changes for any errors.

Why don’t we add a commit comment for good practice and click Commit. It will take a moment ☕️

If the Result is Successful then good job! 👍

Configuring Interfaces

Before we can have full network connectivity, we need to configure our interfaces.

Let’s create our first network. We will need an interface for our WAN and LAN. I’m going to configure the WAN on interface ethernet1/1 and the LAN on interface ethernet1/2.

Click on the Network tab and on the left navigation click on Interfaces.

By default, I have the two interfaces I want to configure set to an interface type of Virtual Wire (I won’t go over the interface types in this post). We will change this.

Configure the WAN interface

Click on ethernet1/1.

Give the interface a comment.

Click on the dropdown for Interface Type and change it to Layer3.

Under the Config tab, set the virtual router to default. I’ll cover virtual routers in another post.

Click on the IPv4 tab.

My WAN is DHCP only so I’m going to change the type to DHCP Client.

Then click on OK.

Click on Zones on the left navigation

By default, there will be two zones: trust and untrust.

Zones group physical and virtual interfaces; Security and NAT policy are written between zones, not between interfaces.

Click on untrust.

Change the type to Layer 3.

Click on Add to include interface ethernet1/1.

Then click OK.

untrust zone

We are placing ethernet1/1 in the untrust zone because this is where I’m connecting my ISP. We do not trust the Internet, hence, untrust zone.

Go back to the Interfaces config section.

Click on interface ethernet1/2.

Add a comment for the interface.

Set the Interface Type to Layer3.

Change the Virtual Router to default. (We’ll get to the Security Zone soon.)

Click on the IPv4 tab.

We’re going to begin creating our LAN by configuring the gateway for the LAN to reside on interface ethernet1/2.

Leave the type to Static.

Under the IP section, click Add.

You’ll have the option to add the IP for your new network, I will type in 10.1.1.1/24.

Then click OK.

Go back to Zones.

Click on the trust zone.

Change the Type to Layer3.

Add interface ethernet1/2 to the Interfaces list and then click OK.

Configure DHCP

Our LAN needs a DHCP scope. We’re not animals, configuring only static IPs for our LAN, are we?

Under the Network tab, click on DHCP from the left navigation.

In the DHCP Server tab, click on Add and we’ll create a scope for our new network under 10.1.1.0/24. You can change that to whatever network you’ve selected as long as the static IP we created earlier is in the same subnet.

Select the LAN interface ethernet1/2 that we configured in the Interface dropdown.

Under the Lease tab, I like to select “Ping IP when allocating new IP” and set a Lease Timeout.

Under IP Pools, click Add and create a scope like I have done.

Then click on the Options tab.

We need to set the Gateway, subnet mask, and DNS servers.

Then click OK.

Default-vwire

Delete the default-vwire, as we’re not going to use it.

The default-vwire is the virtual wire that ships in the factory configuration, pairing ethernet1/1 and ethernet1/2 as a bump-in-the-wire. Now that both interfaces are Layer3 it no longer makes sense and the commit will fail while it still references them. You can read up on virtual wire on Palo Alto Networks’ website.
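The interface, zone, DHCP and default-vwire steps above as PAN-OS 9.1 CLI, as an added example that is not part of the original post. Interface names and the 10.1.1.1/24 gateway match the post; the comments, DHCP pool, lease time and DNS servers are assumptions. Note the order: the virtual-wire bindings are removed before the interface type changes, which is what the GUI sequence above works around by committing everything at once.

```text
configure

# The factory config puts ethernet1/1 and ethernet1/2 in a virtual wire; remove those
# bindings first, otherwise the Layer3 change fails validation.
delete network virtual-wire default-vwire
delete zone untrust network virtual-wire
delete zone trust network virtual-wire
delete network interface ethernet ethernet1/1 virtual-wire
delete network interface ethernet ethernet1/2 virtual-wire

# WAN: Layer3, DHCP client, and let the lease install the default route
set network interface ethernet ethernet1/1 comment "WAN - ISP"
set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/1 layer3 dhcp-client create-default-route yes

# LAN: Layer3 with the static gateway address
set network interface ethernet ethernet1/2 comment "LAN"
set network interface ethernet ethernet1/2 layer3 ip 10.1.1.1/24

# Both interfaces in the default virtual router
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]

# Zones become Layer3 zones once Layer3 interfaces are bound to them
set zone untrust network layer3 ethernet1/1
set zone trust network layer3 ethernet1/2

# DHCP server on the LAN (pool, lease and DNS servers are assumptions)
set network dhcp interface ethernet1/2 server probe-ip yes
set network dhcp interface ethernet1/2 server lease timeout 1440
set network dhcp interface ethernet1/2 server ip-pool 10.1.1.100-10.1.1.199
set network dhcp interface ethernet1/2 server option gateway 10.1.1.1
set network dhcp interface ethernet1/2 server option subnet-mask 255.255.255.0
set network dhcp interface ethernet1/2 server option dns primary 1.1.1.1 secondary 1.0.0.1

validate full
commit description "WAN dhcp-client on e1/1, LAN 10.1.1.0/24 on e1/2, DHCP server"
exit

# Operational checks after the commit
show interface ethernet1/1
show dhcp server lease interface ethernet1/2
```

The show commands are the CLI view of the same information the post reads from the System Logs later: the ISP lease on ethernet1/1 and the laptop's lease from the LAN scope.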

Commit

Let’s commit our changes from the candidate config to the running config.

Then, we test the LAN interface.

I plug in my laptop into ethernet1/2 and see if I get a DHCP lease.

Sweet, I get an IP address within the DHCP scope we configured. I see I have a gateway assigned and DNS servers. Can I ping the gateway, 10.1.1.1?

% ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- 10.1.1.1 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

Those timeouts are expected. A Layer3 interface doesn’t answer ping (or HTTPS, or SSH) until an Interface Management Profile permitting that service is attached to it. If you want ping replies, we’ll configure one next.

I’m going to plug back into the MGMT interface, where HTTPS and SSH are allowed.

Management Profile

Click on the Network Tab and on the left navigation click on Interface Mgmt under Network Profiles.
Just for simplicity and educational purposes, I’m going to create an interface management profile to allow HTTPS, SSH, and Ping on ethernet1/2.

Click on Add.

Create a name for this Interface Management Profile.

Enable HTTPS and SSH under the Administrative Management Services section.

Enable Ping under the Network Services section.

You can be more restrictive by allowing access to these services only from specific addresses under Permitted IP Addresses. Do that anywhere but a lab: a profile with HTTPS or SSH enabled exposes the firewall’s own management login to every host on that LAN, and a profile like this should never be attached to the untrust interface.

Click OK.

Click on the Interfaces sub menu item.

Click on ethernet1/2 (or your interface configured for the LAN).

Click on the Advanced tab.

Under the Other Info tab, click on the drop down for Management Profile and select the newly created Interface Management Profile.

Click OK.

You’ll be presented with a warning. Understand how this Interface Management Profile affects your network.
Continue by clicking on Yes.

Now, commit your changes.
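The Interface Management Profile steps above as PAN-OS 9.1 CLI, as an added example that is not part of the original post. The profile name and the permitted subnet are assumptions; the post leaves Permitted IP Addresses empty, which is the one difference from the GUI walkthrough.

```text
configure

# Network > Network Profiles > Interface Mgmt (profile name and subnet are assumptions)
set network profiles interface-management-profile lan-mgmt https yes
set network profiles interface-management-profile lan-mgmt ssh yes
set network profiles interface-management-profile lan-mgmt ping yes
# With no permitted-ip entries the services answer any host on the link. Restrict to the
# LAN, or better, to the admin hosts only. Never attach a profile with https/ssh to ethernet1/1.
set network profiles interface-management-profile lan-mgmt permitted-ip 10.1.1.0/24

# Network > Interfaces > ethernet1/2 > Advanced > Other Info > Management Profile
set network interface ethernet ethernet1/2 layer3 interface-management-profile lan-mgmt

validate full
commit description "lan-mgmt profile on ethernet1/2"
```

After the commit, ping and HTTPS from a LAN host should work exactly as in the test below; a host outside 10.1.1.0/24 that somehow reaches the interface still gets no answer.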

Let’s test the LAN by plugging your laptop into ethernet1/2. Don’t forget to re-enable DHCP on your laptop interface and ping the gateway.

% ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.989 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=0.915 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=64 time=1.180 ms
^C
--- 10.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.915/1.028/1.180/0.112 ms

What about HTTPS? From the screenshot below you can see that it works. It even has our login banner. That will really scare away the bad guys 😉 And I can successfully log in with my newly created super user account.

You can even see the DHCP lease in the System Logs.

NAT

Plug in your WAN connection.

If I refresh my system logs we can see that my ISP’s modem provided a DHCP lease. It’s simple to set up the Palo Alto Networks NGFW WAN interface as a DHCP client.

Can we ping the internet? Nope!

% ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

We need to configure NAT!

Click on the Policies tab and then NAT on the left navigation.

Click Add to create a new NAT policy.

In the new NAT Policy Rule window, create a Name, description, and Audit comment.

Then click on Original Packet tab.

For the source zone, add the trust zone. That is the zone ethernet1/2 is in.

Under Destination Zone, select untrust from the drop down menu. That is the configured zone for our WAN interface, ethernet1/1.

For Destination Interface, you can leave it as any but I will select ethernet1/1 here.

Click on the Translated Packet tab.

Configure the Translation Type to Dynamic IP and Port.

Address Type to Interface Address.

Interface to our WAN interface.

IP address to None (because we’re using DHCP).

Click OK.

Commit changes.

Here’s what the NAT policy looks like.

Now test ping and web browsing.

% ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=55 time=30.468 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=55 time=28.170 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=55 time=27.824 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 27.824/28.821/30.468/1.173 ms

DNS is good too.

% ping google.com
PING google.com (142.250.217.142): 56 data bytes
64 bytes from 142.250.217.142: icmp_seq=0 ttl=114 time=27.169 ms
64 bytes from 142.250.217.142: icmp_seq=1 ttl=114 time=26.697 ms
64 bytes from 142.250.217.142: icmp_seq=2 ttl=114 time=28.073 ms

Security ACLs

It’s important to note that there is a default Security policy rule included, rule1 (PAN-OS calls these Security policy rules rather than ACLs). It allows any application from the trust zone to the untrust zone.

You can see the Hit Count for the traffic.

You need to specify what’s allowed through the firewall. rule1 allows any traffic originating from the trust zone out to the Internet (untrust zone); with rule1 disabled, our traffic will not get to the Internet. Nothing allows the reverse direction: the predefined interzone-default rule at the bottom of the rulebase denies untrust to trust, so the LAN is not reachable from the ISP side even with rule1 enabled. The other thing rule1 lacks is any restriction on application, so tightening it is the first policy change to make once the lab works.

Our NAT policy has increasing hit count as well.
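The NAT rule from the NAT section and the Security policy discussed above as PAN-OS 9.1 CLI, as an added example that is not part of the original post. The rule names, the replacement egress rule (which allows only the applications the post actually tests, on their default ports) and the client/attacker addresses in the test commands are assumptions; rule1 itself is left in place but disabled so you can re-enable it if something you need is blocked.

```text
configure

# Policies > NAT: source NAT the LAN behind whatever address DHCP handed to ethernet1/1
set rulebase nat rules lan-outbound from trust to untrust source any destination any service any
set rulebase nat rules lan-outbound to-interface ethernet1/1
set rulebase nat rules lan-outbound source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Policies > Security: a tighter outbound rule than rule1. Only dns, ping, ssl and
# web-browsing, on their application-default ports, logged at session end.
# (hip-profiles is PAN-OS 9.x syntax; 10.x replaced it with source-hip/destination-hip.)
set rulebase security rules lan-outbound-web from trust to untrust source any destination any source-user any category any application [ dns ping ssl web-browsing ] service application-default hip-profiles any action allow log-end yes
move rulebase security rules lan-outbound-web top
set rulebase security rules rule1 disabled yes

validate full
commit description "outbound NAT and restricted LAN egress rule"
exit

# Operational checks after the commit (they evaluate the running config):
# which NAT and Security rules would a LAN client's HTTPS session hit?
test nat-policy-match from trust to untrust source 10.1.1.100 destination 1.1.1.1 protocol 6 destination-port 443
test security-policy-match from trust to untrust source 10.1.1.100 destination 1.1.1.1 protocol 6 destination-port 443 application ssl
# ...and confirm unsolicited inbound SSH from the ISP side lands on interzone-default (deny)
test security-policy-match from untrust to trust source 203.0.113.10 destination 10.1.1.100 protocol 6 destination-port 22 application ssh
show running security-policy
show running nat-policy
```

The two test commands are the check to run before trusting a rulebase: the first should name lan-outbound-web, the second should name interzone-default, and if either names something else you have a shadowing rule to find. The egress rule has no Security Profiles attached yet, which is the next thing to add after the basics in this post.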

Closing Thoughts

This is the basic configuration of a Palo Alto Networks firewall where we configured our super user account, basic system configuration, interfaces, and NAT.

Our configuration will work for basic lab and internet use. There are advanced configurations to secure this firewall and the network which I will address in the future.

To see more tutorials like this, sign up for my email list. I’ll be going through more configurations of my PA-820 lab unit.

My Q2 2021 Income Report

July 8, 2021 By Rowell Leave a Comment

Here is the second installment of my quarterly income report. I use the income report to summarize what has been happening in the business, where revenue came from, analyze my expenses, and reflect upon what actions have positively or negatively impacted the net income.

Table Of Contents
  1. Highlights of Q2
    • Happy Birthday
    • A Yearly Retreat
    • Security Is Everyone’s Responsibility
  2. Lessons Learned
    • Travel
    • Sales
  3. Income/Expense Analysis
  4. What’s Next

Highlights of Q2

There’s no shortage of work. Packet6 is a small business operated by my wife and me.

Happy Birthday

Q2 marked the year Packet6 turned four years old! It’s remarkable how many clients we’ve been able to help in that period. And this quarter, we thought about the processes we can improve to make the business run like a well-oiled machine.

A Yearly Retreat

One decision we made was to include a yearly retreat. For our second annual retreat, that meant spending two days without the kids, thinking about the business’s past, present, and future. We change our surroundings to keep our minds fresh.

It involves thinking about what worked well for us, what didn’t work, and what needs to change.

Security Is Everyone’s Responsibility

Adding to our list of expertise, Packet6 became a Palo Alto Networks (PAN) reseller. When working with our clients, we’ve found that they come back to us asking if we can work on other parts of the network. That includes switching, routing, and firewalls.

I consider PAN to be a strong vendor in the security landscape, so I decided to become a partner and resell their solutions. It’s primarily the NGFW products, and it could branch out from there. Baby steps.

Lessons Learned

Travel

Wearing a mask has never bothered me, and I also received my vaccination in March 2021. It made me confident to travel for clients that relied on Wi-Fi.

Using my stockpile of vacation from my full-time job, I flew to Kansas City, St. Louis, New Jersey, and Seattle. While I like traveling, trying to make some of those trips as short as possible can be draining.


Sales

In Q1, I spent time reading as much as possible about creating a sales process and sequence to generate a sales cycle. It’s not easy holding multiple roles, but it challenges your mindset.

Discipline is at the heart of sales. I wouldn’t say I like doing it, but there isn’t any revenue if there aren’t any sales. I’m not as consistent as I’d like to be. It just means I need to change my system to be more efficient. Set goals around how many calls/emails/connections to make each week.

I did not make one conversion from my sales process this quarter.

Income/Expense Analysis


                        Current Quarter   Previous Quarter   Change      % Change
Revenue                 $209,419          $32,853            $176,566    537%
Expenses                $67,156           $43,719            $23,437     54%
Net Income              $145,991          -$10,845           $156,836    1,446%

Revenue by source       Current Quarter   Previous Quarter   Change      % Change
Professional Services   $59,236           $26,805            $32,431     121%
Affiliates              $55               $25                $30         118%
Hardware                $156,889          $17,412            $139,477    801%

In previous Income Reports, I’ve talked about decreasing costs to increase the net income. It’s easy to say, but as you can see, expenses rack up! People like to focus on the revenue number. But after you subtract the expenses, then you’re left with the take-home money.

I wanted to highlight some areas of revenue. Professional Services wasn’t isolated to a specific metro region. There was an increase in professional services, primarily Wi-Fi design, configuration, troubleshooting, and validation. That’s where I begin to reach my capacity and need to look for additional resources.

The reason why I highlight Affiliates is due to its form of passive income. On this blog, you’ll see links to resources I use. Some of those resources are affiliate links, mainly from Amazon. I receive a percentage of a purchase made through one of my affiliate links. It’s not much, but I also do not focus on Affiliates.

A significant shift in Q2 came from reselling network equipment. It was a mixture of Meraki, Juniper/Mist, and Palo Alto Networks. As a network engineer, I have the insight into creating an accurate bill of materials. I’ve seen other resellers try to sell over the moon with hardware, upselling more than required products, even for growth. So you won’t see a sleazy sales guy from me.

The challenge is being consistent with those hardware sales, and the struggle is real. We don’t have a dedicated sales rep to increase these numbers. That’s me.. for now.

Where we can improve is in the expense category. There’s room to decrease expenses. We’re probably paying for too many web app subscriptions. One of our goals is to analyze what we’re paying for and whether it contributes positively to the business. If not, it goes—Marie Kondo style.

What’s Next

It’s time to implement systems and processes. I’m only one person. We’d love to bring on an additional engineer to help with Wi-Fi projects. We want to be sure it also fits within our budget. More backend business work needs to be implemented to support this plan.

Professional Training is another area we’d like to grow, but it’s percolating as an idea for now. More planning needs to happen.

Then there’s buttoning up the business. The training we need to take for specific processes, like bookkeeping, which we will eventually outsource.

Exciting things are happening!

Cheers 🍻

Better Wi-Fi with CWNA

July 7, 2021 By Rowell Leave a Comment

In the last couple of months I’ve been brought in as a consultant to resolve various Wi-Fi issues. With enterprises bringing employees back into the office, they’re beginning to see various performance issues.

Many of the people I work with are part of the IT department either as help desk or systems administrators. Their help desk tickets seem to be related to Wi-Fi in one form or another.

These are bright individuals who are good at what they do... except when it comes to Wi-Fi.

I highly encourage IT professionals to increase their Wi-Fi knowledge with fundamentals included in the CWNA Study Guide.

CWNA stands for Certified Wireless Network Administrator. It’s a certification from the CWNP organization.

You don’t have to take the certification exam but I encourage you to pick up the book and learn how Wi-Fi communication works. What you read from the book can be used with any Wi-Fi network.

You’ll look like the superhero!

Palo Alto Networks NGFW Single-Pass Parallel Architecture

July 7, 2021 By Rowell Leave a Comment

The Single-Pass Parallel Processing (SP3) architecture addresses a performance problem of traditional firewalls: as additional features are activated, throughput drops and latency rises.

SP3 addresses these performance challenges with single-pass parallel architecture. The single-pass architecture allows a packet to pass through a processing chain once for all sub-processes or features.

Single-pass architecture from PCNSA Study Guide.

Latency is reduced with Single-Pass Parallel Processing (SP3) architecture. Components include:

  • Single-pass software
  • Parallel processing hardware

In a multi-pass architecture, by contrast, a packet goes through a processing chain more than once, once per feature. Each feature is a separate engine applied in sequence, which adds latency and negatively impacts performance.

Multi-pass architecture from Single-Pass Architecture Solution Brief

SP3 is the architecture used across the Palo Alto Networks NGFW line. Stream-based components classify and control traffic in a “single pass”.

Palo Alto Networks NGFWs take the “scan it all, scan it once” approach for physical and virtual NGFWs.


Management and Data Planes

Management and data plane functions are separate on physical and virtual firewalls. They each have dedicated resources such as CPU, RAM, and storage.

If load is applied to one plane, it doesn’t adversely impact the other plane’s performance.

Management (control) plane features:

  • Firewall configuration
  • Logging
  • Reporting

Data plane features:

  • Signature matching
  • Security processing
  • Network processing


3 Components of the Palo Alto Networks Cybersecurity Portfolio

July 5, 2021 By Rowell Leave a Comment

I’m studying for the Palo Alto Networks Certified Network Security Administrator (PCNSA) certification. In the last few months I’ve been getting more familiar with the next-generation firewalls (NGFW) and I’m also a partner over at Packet6 where we resell the solution.

There are three principal groups that come together to build the Palo Alto Networks cybersecurity portfolio. They are Strata, Prisma, and Cortex.

PCNSA 1.1

Strata is the Enterprise Security portion of the portfolio. It contains the Next-Generation Firewalls which you may have heard of such as the PA-200, 800, 3200 and 5200 series appliances. There are also VM-Series for your virtual firewall needs, and the CN-Series for Container Native.

Strata Enterprise Security also includes Security Subscriptions. There are many types of subscriptions, such as Threat Prevention, URL Filtering, WildFire, DNS Security, IoT, Data Loss Prevention, GlobalProtect, SD-WAN, and Panorama.

Then there’s Prisma: Cloud Security. This includes Prisma Cloud containing Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP), Prisma Access (their SASE or Secure Access Service Edge), and Prisma SaaS.

Within Cortex are their Security Operations solutions:

  • Cortex XDR, giving you visibility of network traffic, user behavior, and endpoint activity
  • Cortex XSOAR for security orchestration, automation, and response (SOAR)
  • Cortex Data Lake for collecting large volumes of log data, Palo Alto Networks’ own log infrastructure and log automation
  • AutoFocus, a single source for threat intelligence providing event context from Unit 42 and community-based threat data

Those are the three main components of the Palo Alto Networks Cybersecurity Portfolio. Identifying the basics of which does what in the line of products is important for the PCNSA exam, objective 1.1 – Identifying the components of the Palo Alto Networks Cybersecurity Portfolio.


Copyright © 2022 · Written by Rowell Dionicio · You're awesome.