So far we have seen two deployment modes with Palo Alto NGFW. Now we will discuss the third one – Layer3 or L3 mode. Here is our topology:
As we can see, we still have our Hyper-V/ESXi host with several VMs, which is connected to a switch. If we were not using virtualization, we could just plug our physical PCs into this switch. This switch is connected to the ethernet1/8 port on the PA box, which is a member of the PROTECTED zone. The ethernet1/7 port of the PA is connected to an aggregation switch and is a member of the UNPROTECTED zone. This aggregation switch is connected to the rest of our network or the Internet.
First, let’s enable our two interfaces and set the appropriate parameters. This is done under Network->Interfaces. We click ethernet1/8 and fill in the Config section of the dialog box as shown:
The most important setting here is the interface type: Layer3. We will use the default routing instance (virtual router) and will assign the security zone later, once we create it. Because this is an L3 interface, we also need to assign the IP parameters:
Here we can see that we set the IP address to 10.1.110.100. This is what our protected PCs or VMs will use as their default gateway.
Similar to ethernet1/8, we set up our ethernet1/7 interface:
Let’s not forget to add our default gateway, so the PA can route traffic to and from our protected zone. This gateway can be a Layer 3 switch, a router or another firewall. This is done under Network->Virtual Routers->default->Static Routes->Add:
We give this route a name and specify the destination. This can be a single network or a host, or a default route, written as 0.0.0.0/0, which means all networks and hosts. We give the interface through which these networks will be reachable and specify the next-hop router IP address. Please note that we did not specify any routes towards our protected hosts because they are directly connected. If we had another L3 device in between, we would need to route to our protected destination statically or dynamically. Of course, our unprotected network must also be able to forward traffic to our protected network.
Let’s now create our zones. They have to be of type Layer3. Under Network->Zones we click Add and create two zones, PROTECTED with ethernet1/8 belonging to it, and UNPROTECTED with ethernet1/7:
Finally, in order to pass traffic between our zones, we must have a security policy in place. We will make a policy that permits all traffic between zones. We can, should and will make this policy more restrictive at a later point. The policy is created by clicking Policies->Security->Add. The resulting policy looks like this:
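The same configuration from the PAN-OS CLI, as an added example that is not part of the original post. Only the inside address 10.1.110.100 comes from the post; the /24 masks, the outside address 192.0.2.10, the next hop 192.0.2.1, the rule names and the application list in the tighter rule are assumptions.

```text
# Added example (not from the post). Lines starting with # are explanatory
# notes, not CLI input. Enter configuration mode first.
configure

# Layer3 interfaces; the default virtual router owns both of them
set network interface ethernet ethernet1/8 layer3 ip 10.1.110.100/24
set network interface ethernet ethernet1/7 layer3 ip 192.0.2.10/24
set network virtual-router default interface [ ethernet1/7 ethernet1/8 ]

# Default route towards the aggregation switch via ethernet1/7.
# No route is needed for 10.1.110.0/24: it is directly connected.
set network virtual-router default routing-table ip static-route default-route destination 0.0.0.0/0 interface ethernet1/7 nexthop ip-address 192.0.2.1

# Layer3 zones, one interface each
set zone PROTECTED network layer3 ethernet1/8
set zone UNPROTECTED network layer3 ethernet1/7

# Step one, as in the post: permit all traffic in both directions between
# the zones so that connectivity can be verified under Monitor->Traffic.
set rulebase security rules allow-all from [ PROTECTED UNPROTECTED ] to [ PROTECTED UNPROTECTED ] source any destination any application any service any action allow log-end yes

# Step two, the tightening the post defers: allow only outbound web and DNS
# from PROTECTED (assumed application list). Anything else, including all
# UNPROTECTED -> PROTECTED sessions, falls through to the interzone default
# deny. Remove the allow-all rule once the tighter rule is in place.
set rulebase security rules outbound-web from PROTECTED to UNPROTECTED source any destination any application [ web-browsing ssl dns ] service application-default action allow log-end yes
delete rulebase security rules allow-all

commit
```

Keeping `allow-all` above the tighter rule would make the tighter rule unreachable, since rules are matched top to bottom; deleting it (or moving it to a disabled state) is what actually changes the enforced policy.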
Now we commit our changes…
After committing is done, we can verify that the traffic is actually going through our PA box. This can be done under Monitor->Traffic:
We can now tweak our security policy to allow or disallow certain types of traffic, but that is another story.
Thanks for reading!