Pan Sasev1 Lab 01
Palo Alto Networks and the Palo Alto Networks logo are trademarks or registered trademarks of Palo Alto Networks, Inc.
Lab 01: Creating a Zero Trust Environment
Contents
Introduction
Objective
Lab Topology
Lab Settings
1 Creating a Zero Trust Environment
1.0 Load Lab Configuration
1.1 Create Zones and Associate the Zones to Interfaces
1.2 Create a Security Policy Rule
1.3 Create a NAT Policy
1.4 Commit and Test the Rules and Policies
Introduction
In this lab, you will configure the Firewall with three zones: inside, outside, and dmz.
Then, you will apply security policies to these zones to ensure all traffic between zones
is being monitored by the Firewall.
Objective
Lab Topology
Lab Settings
The information in the table below will be needed in order to complete the lab. The
task sections below provide details on the use of this information.
5. You will see a “Your connection is not private” message. Click on the ADVANCED
link.
8. In the web interface, navigate to Device > Setup > Operations and click on Load
named configuration snapshot underneath the Configuration Management
section.
10. In the Loading Configuration window, a message will show Configuration is being
loaded. Please check the Task Manager for its status. You should reload the page
when the task is completed. Click Close to continue.
11. Click the Tasks icon located at the bottom-right of the web interface.
12. In the Task Manager – All Tasks window, verify the Load type has successfully
completed. Click Close.
13. Click the Commit link located at the top-right of the web interface.
14. In the Commit window, click Commit to proceed with committing the changes.
15. When the commit operation successfully completes, click Close to continue.
Notice the warnings in the Commit section. You will resolve those
during this lab.
The commit process validates the candidate configuration and copies it
to the running configuration, which activates every configuration
change made since the last commit. Until you commit, edits made in the
web interface have no effect on traffic.
1.1 Create Zones and Associate the Zones to Interfaces
In this section, you will create three basic zones: inside, outside, and dmz. A security
zone segregates traffic on the Firewall so that you can later apply security policies
that limit the traffic allowed between zones. Next, you will associate each zone with
the appropriate interface.
3. In the Zone window, type outside in the Name field. Change Type to Layer3.
Then, click the OK button.
5. In the Zone window, type inside in the Name field. Change Type to Layer3.
Then, click the OK button.
7. In the Zone window, type dmz in the Name field. Change Type to Layer3. Then,
click the OK button.
You have now created the three zones. Once each interface is placed in
a zone, the Firewall classifies every session by its source and
destination zone, which is what lets you write policy between zones.
Next, you will associate each zone with an interface.
9. In the Ethernet Interface window, select outside from the Security Zone
dropdown. Then, click on the OK button.
11. In the Ethernet Interface window, select inside from the Security Zone
dropdown. Then, click on the OK button.
14. In the Ethernet Interface window, select dmz from the Security Zone dropdown.
Then, click on the OK button.
1.2 Create a Security Policy Rule
In this section, you will create a security policy rule that allows traffic from the inside
zone to the outside zone.
2. In the Security Policy Rule window, type Allow-Inside-Out in the Name field.
In a Security Policy Rule, there are three required sections. Note the
initial red squiggle lines under General, Source, and Destination. These
will go away as you fill out the required information.
3. In the Security Policy Rule window, click on the Source tab. Then, click the Add
button in the Source Zone section. Next, select inside from the dropdown in the
Source Zone column.
The Source tab allows you to select where traffic is coming from. In
this rule, you select traffic coming from the inside zone. Note that you
leave the default setting of any source address. This allows any
address in the inside zone to pass through.
4. In the Security Policy Rule window, click on the Destination tab. Then, click the
Add button in the Destination Zone section. Next, select outside from the
dropdown in the Destination Zone column.
The Destination tab allows you to select where traffic is going to. In
this rule, you select traffic destined to the outside zone. Note that you
leave the default setting of any destination address. This allows the
source traffic to communicate with any address in the destination
zone.
5. In the Security Policy Rule window, click on the Application tab. Then, make sure
that the Any checkbox is checked.
6. In the Security Policy Rule window, click on the Service/URL Category tab. Then,
make sure application-default is selected in the dropdown above the Service
section.
With application-default, each application is allowed only on its
standard port(s), so a rule that permits any application still does
not let an application be tunneled over an arbitrary port.
7. In the Security Policy Rule window, click on the Actions tab. Then, make sure Log
at Session End is checked under the Log Setting section. Next, select Profiles
from the dropdown under the Profile Setting section. Then, select default for the
Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering, and WildFire
Analysis fields. Finally, click the OK button.
The Actions tab allows you to decide what to do with the traffic
you have defined. In this rule, you keep the default Allow action
to permit the traffic. Selecting Log at Session End is considered
best practice because the application identified for a session can
change during its lifetime: a session to Facebook, for example, is
first identified as web-browsing and shifts to facebook-base once
the Firewall recognizes the application. Logging at session end
records the final identification.
9. In the Security Policy Rule window, an additional tab named Usage will be
displayed. Click on the Usage tab. You can now Compare Applications &
Applications Seen. Because there is nothing to see right now, click OK to exit the
Security Policy Rule window.
The Usage tab allows you to evaluate the rule’s usage, number of
applications seen on the rule, when the last application was seen on
the rule, hit count, traffic over the past 30 days, and when the rule
was created and last edited.
10. Click the rule number 3 to select, but not open, the interzone-default security
policy.
11. With the interzone-default policy selected, click on the Override button at the
bottom of the center section.
12. In the Security Policy Rule – predefined window, click on the Actions tab. Then,
select the Log at Session End checkbox under the Log Setting section. Finally,
click the OK button.
By default, interzone-default denies traffic between zones that no
explicit rule matches, but it does not log what it drops. Overriding
it to log at session end means blocked inter-zone sessions, such as
inside to dmz in this lab, appear in the Traffic log instead of
being dropped silently.
1.3 Create a NAT Policy
In this section, you will create a basic NAT policy that translates the source address
of traffic from the inside zone to the outside zone.
2. In the NAT Policy Rule window, type Inside-NAT-Outside in the Name field.
3. In the NAT Policy Rule window, click on the Original Packet tab. Then, click the
Add button at the bottom of the Source Zone section. Next, select inside in the
dropdown of the Source Zone column. Finally, select outside in the Destination
Zone dropdown.
4. In the NAT Policy Rule window, click on the Translated Packet tab. Then, select
Dynamic IP And Port on the Translation Type dropdown. Next, select Interface
Address on the Address Type dropdown. Then, select ethernet1/1 for the
Interface dropdown. Finally, select 203.0.113.20/24 on the IP Address dropdown
and click the OK button.
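The configuration built in sections 1.1 to 1.3 can also be entered from the PAN-OS configuration-mode CLI. The following is an added example, not part of the original lab. It assumes the outside interface is ethernet1/1 (the interface chosen in the NAT rule above, which carries 203.0.113.20/24) and assumes ethernet1/2 and ethernet1/3 for inside and dmz, which the lab does not name; substitute the interfaces from your Lab Settings table. The lines beginning with # are annotations and are not CLI input.

```text
# PAN-OS configuration-mode CLI equivalent of sections 1.1 to 1.3 (added example).
# ASSUMPTION: ethernet1/2 = inside, ethernet1/3 = dmz (not named in the lab);
# ethernet1/1 = outside (taken from the NAT rule's Translated Packet tab).
configure

# 1.1 Create the three Layer3 zones and bind one interface to each.
set zone outside network layer3 ethernet1/1
set zone inside network layer3 ethernet1/2
set zone dmz network layer3 ethernet1/3

# 1.2 Allow inside -> outside, any application on its standard ports only,
#     log at session end, and attach the default security profiles.
set rulebase security rules Allow-Inside-Out from inside to outside source any destination any application any service application-default action allow log-end yes
set rulebase security rules Allow-Inside-Out profile-setting profiles virus default vulnerability default spyware default url-filtering default wildfire-analysis default

# 1.2 Override interzone-default so that the inter-zone traffic it denies is logged.
set rulebase default-security-rules rules interzone-default log-end yes

# 1.3 Source NAT inside -> outside to the address of the outside interface.
set rulebase nat rules Inside-NAT-Outside from inside to outside source any destination any source-translation dynamic-ip-and-port interface-address interface ethernet1/1 ip 203.0.113.20/24

# 1.4 Check the candidate configuration for errors, then activate it.
validate full
commit
```

The zone names, rule names, service setting, and profile choices match the web-interface steps above one for one; only the inside and dmz interface names are assumed. Running validate full before commit surfaces the same warnings the Commit window shows, so it is a cheap check before touching the running configuration.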
1.4 Commit and Test the Rules and Policies
In this section, you will commit the configuration so that the zones, security policy,
and NAT policy become active, and confirm that the earlier commit warnings are resolved.
1. Click the Commit link located at the top-right of the web interface.
2. In the Commit window, click Commit to proceed with committing the changes.
3. When the commit operation successfully completes, verify there are no warnings
under the Commit section, then click Close to continue.
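After the commit, a practitioner would verify from the operational-mode CLI that the zones are bound and that the policies match the way the lab intends. The following commands are an added example, not part of the original lab. The host addresses (192.168.1.20 on the inside, 172.16.1.20 in the dmz, 203.0.113.1 on the outside) are assumed placeholders, since the lab's addressing table is not reproduced above; replace them with the values from your Lab Settings. Lines beginning with # are annotations, not CLI input.

```text
# PAN-OS operational-mode verification of sections 1.1 to 1.4 (added example).
# Type "exit" first if you are still in configure mode.
# ASSUMED addresses: 192.168.1.20 (inside host), 172.16.1.20 (dmz host),
# 203.0.113.1 (outside host).

# Every interface should now list a zone; an interface with no zone is what
# produced the commit warnings earlier in the lab.
show interface all

# Confirm the committed rulebases contain the rules created in 1.2 and 1.3.
show running security-policy
show running nat-policy

# inside -> outside: expected match is Allow-Inside-Out, action allow.
test security-policy-match from inside to outside source 192.168.1.20 destination 203.0.113.1 protocol 6 destination-port 443 application ssl

# inside -> dmz: no explicit rule exists, so the expected match is
# interzone-default with action deny. This is the segmentation the lab set out to build.
test security-policy-match from inside to dmz source 192.168.1.20 destination 172.16.1.20 protocol 6 destination-port 80

# inside -> outside source NAT: expected match is Inside-NAT-Outside.
test nat-policy-match from inside to outside source 192.168.1.20 destination 203.0.113.1 protocol 6 destination-port 443

# Denied inter-zone sessions are now visible because interzone-default was
# overridden to log at session end.
show log traffic direction equal backward rule equal interzone-default

# Active sessions carried by the new rule, showing the translated source on the outside leg.
show session all filter from inside to outside
```

The two test security-policy-match commands are the key check: the first should name Allow-Inside-Out, and the second should name interzone-default with a deny action. If the second instead reports an allow, some rule is broader than intended and the zones are not actually segregating traffic.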