Palo Alto Networks NGFW

Overview

The Nile Service Block (NSB) connects to one or two upstream Palo Alto Next-Generation Firewall (NGFW) appliances over point-to-point Layer 3 links, and pushes all client traffic (north-south or east-west) to the NGFW appliance. This design puts the customer in full control of the NSB traffic, to implement the desired security policies. The purpose of this document is to assist with the seamless integration between the Nile NSB and the Palo Alto NGFW appliance.

Requirements

- Administrator rights to the Nile portal.
- NSB IP pool: the IP pool used for the management plane of the NSB elements to communicate with the Nile cloud.
- Sensor IP pool: the IP pool used for the management plane of the Nile sensors to communicate with the Nile cloud.
- Four /30 subnets: the four (4) equal-cost multi-path (ECMP) L3 links between the Nile gateways and the Palo Alto NGFW appliance, to achieve a high-definition and always-on service.
- Client subnets: the subnets defined on the Nile portal and used by wired and wireless devices connected to the Nile service.
- Server addresses: the IP addresses of the customer DHCP, DNS, and RADIUS servers that are to be defined on the Nile portal.

Topology diagram

Note: it is important to diagram the interface IP assignments. For illustration purposes, this document uses the following interfaces and IP subnets.

Uplink subnets:
- PA-1 to GW-1 link: 172.16.7.0/30
- PA-1 to GW-2 link: 172.16.7.4/30
- PA-2 to GW-1 link: 172.16.7.8/30
- PA-2 to GW-2 link: 172.16.7.12/30

PAN interfaces:
- ethernet1/1 to 1/4: NSB uplinks (only two are needed for a single PAN)
- ethernet1/5: LAN (on-prem servers network)
- ethernet1/6: high availability (HA2)
- ethernet1/7: WAN1
- ethernet1/8: WAN2
- mgmt: HA1

Setup

Multiple sections need to be set up on the Palo Alto Next-Generation Firewall:
- Zones
- Profiles: management, LLDP
- Interfaces: NSB interfaces, WAN interfaces, LAN interface
- Routing: static (WAN), OSPF or static (NSB)
- Firewall rules
- NAT rules
- High availability (active/passive)

Before starting, log into the administrator web page of your Palo Alto NGFW appliance.

A. Single/active firewall

1. Zones

To define the Internet, LAN, and NSB zones, go to Network → Zones.
Figure 1: Network → Zones

NSB
Click on the + Add button (at the bottom of the zone screen) to create a new zone:
- Name: NSB
- Log Setting: SNMP traps or syslog could be defined as needed (drop-down menu)
- Type: Layer3 (drop-down menu)
- Interfaces: add the NSB-assigned interfaces 1/1 to 1/4 (+ Add button at the bottom of the Interfaces panel for each)
- Zone Protection Profile: define to match your environment
Figure 2: NSB

Internet
Click on the + Add button (at the bottom of the zone screen) to create another new zone:
- Name: Internet
- Log Setting: SNMP traps or syslog could be defined as needed
- Type: Layer3
- Interfaces: add the WAN interfaces 1/7 and 1/8
- Zone Protection Profile: define to match your environment
Figure 3: Internet

LAN
Repeat the add-zone step to create the LAN zone and add the assigned interface 1/5 to it.
Figure 4: LAN

Once the above setup steps are complete, the Zones page looks like this:
Figure 5

2. Profiles

Management profile
Go to Network → Network Profiles → Interface Mgmt. Click on the + Add button, and enable the desired services with security concerns in mind. The following screenshots illustrate two profiles, NSB and WAN.
Figure 6
Figure 7

LLDP profile
Go to Network → Network Profiles → LLDP Profile and click on the + Add button:
- Name: LLDP Enable
- Mode: transmit-receive
- Optional TLVs: enable all 4 options (Port Description, System Name, System Description, System Capabilities)
Figure 8

3. Interfaces

To set up interfaces, go to Network → Interfaces → Ethernet.

NSB interfaces
Two (2) interfaces are needed for a single firewall, and four (4) for an active/passive set of two firewalls. This document uses ethernet1/1 to ethernet1/4 as the four uplinks to the NSB.

ethernet1/1
Click the interface ethernet1/1, and set the following:
1. Comment: Link to Nile GW-1
2. Interface Type: Layer3
3. Config tab: Virtual Router: default; Security Zone: NSB
Figure 9
4. IPv4 tab: a. Type: Static; b. IP: 172.16.7.1/30
Figure 10
5. Advanced tab: a. Management Profile: select the NSB profile
Figure 11
   b. LLDP: enable LLDP and select the 'LLDP Enable' profile
Figure 12

Repeat the same procedure for ethernet1/2 through ethernet1/4:
- ethernet1/2: 172.16.7.5/30
- ethernet1/3: 172.16.7.9/30
- ethernet1/4: 172.16.7.13/30

This completes the setup for the four uplink interfaces to the NSB.

WAN interfaces
In this document, the firewall(s) is/are connected to two ISPs through interfaces ethernet1/7 and ethernet1/8, for redundancy purposes.

ethernet1/7
Click the interface ethernet1/7, and set the following:
Figure 13

ethernet1/8
Click the interface ethernet1/8, and set the following:
- Comment: Link to Nile ISP2
- Interface Type: Layer3
- Config tab: Virtual Router: default; Security Zone: Internet
- IPv4 tab: Type: Static; IP: 10.1.252.236/27
- Advanced tab: Other Info: Management Profile: WAN
Figure 14

LAN subnet
This setting specifies the interface to a directly attached server farm, or the core network. It is shown here for completeness.
Figure 15

4. Routing

To set up routing on the PAN firewall, go to Network → Virtual Routers.
Figure 16

The virtual router "default" is used in this document, and all interfaces have already been added in the previous section. Click on the "default" link to see the settings.
Figure 17

WAN routing (static)
Static routing is used on the WAN, with two (2) default routes added, for ISP1 and ISP2. ISP1 is the primary and receives a metric of 10; ISP2 acts as a backup with a metric of 100. Click the 'Static Routes' selector in the virtual router panel.
Figure 18

Click the '+ Add' button in the pop-up to add 2 static routes as follows.

ISP1
Figure 19

ISP2
- Name: Backup default route
- Destination: 0.0.0.0/0
- Interface: ethernet1/8
- Next Hop: IP Address: 10.1.252.225
- Metric: 100
- Route Table: Unicast
Figure 20

NSB routing
Important: for the Nile service to operate correctly, it is critical that the following subnets are routed back by the PAN firewall to the NSB gateways:
- NSB subnet
- Sensor subnet
- All client subnets
- Servers (DHCP, RADIUS, DNS) hosts/subnets

Two routing options to the Nile NSB are supported: static or dynamic (OSPF).

Option 1: Static routing with ECMP
In this document, the following subnets are used:
- NSB subnet: 172.16.8.0/24
- Sensor subnet: 172.16.9.0/24
- Client subnets: 172.16.10.0/24 to 172.16.15.0/24

Therefore, four (4) static routes are added to the aggregated subnet 172.16.8.0/21, one for each of the downlinks to the Nile gateways. Since Nile traffic to the PAN firewall uses flow-based ECMP routing through both Nile gateways, it is important to enable ECMP on the firewall.

1.1 ECMP setup
Go to Virtual Router → default → Router Settings → ECMP and select the following:
- Enable
- Max Path: 4
- Load Balance Method: Weighted Round Robin
- Add all interfaces to the NSB, namely ethernet1/1 to ethernet1/4
Figure 21

1.2 Static routes
Add four (4) equal-cost static routes for the aggregated subnet in this example.
Figure 22

1.3 Route validation
Inspect the routing table and forwarding table to validate the static routes to the aggregate subnet 172.16.8.0/21, by clicking More Runtime Stats under Network → Virtual Routers.
Figure 23
Routing table: Figure 24
Forwarding table: Figure 25

Option 2: Dynamic routing (OSPF)

2.1 ECMP setup
The setup is the same as defined in the static routing section.

2.2 OSPF setup
Go to Network → Virtual Routers → default → OSPF and set the following:
- Enable: checked
- Reject Default Route: unchecked
- Router ID: 0.0.1 in this example (a unique IP address)
Figure 26

Add the interfaces connected to the NSB (ethernet1/1 to ethernet1/4), one by one:
- Areas: click + Add; Area ID: 0.0.0.0; Type: Normal
- Interface: click + Add
Figure 27
Figure 28

Repeat the above for the other three (3) interfaces.
Figure 29

Export rules
Click the 'Export Rules' tab:
- Allow Redistribute Default Route: checked
Figure 30

Click + Add:
- Name: 0.0.0.0/0
- New Path Type: Ext 1 (radio button)
- Metric: 10
Figure 31

A summary of the virtual router 'default' setup is illustrated below.
Figure 32

Note: if no aggregation is used, then four (4) equal-cost routes are needed for each of the NSB, sensor, and client subnets.

5. Firewall rules

By default, the Palo Alto Next-Gen Firewall allows intrazone traffic (within the same zone) and denies/blocks interzone traffic (between two different zones). As three zones were created in this document, (1) Internet, (2) NSB and (3) LAN, rules are needed to allow traffic from the LAN and NSB zones to the Internet zone, and between the NSB and LAN zones.
Figure 33

5.1 LAN/NSB access to the Internet
Go to Policies → Security and click on + Add to create the policy as follows:
- Name: LAN-NSB-to-Internet
- Rule Type: universal
- Source column: Source Zone: LAN and NSB; Source Address: any; Source User: any; Source HIP Profile: any
- Destination column: Destination Zone: Internet; Destination Address: any
- Application: any
- Service/URL Category: any
- Action: Allow

5.2 NSB/LAN access
Go to Policies → Security and click on + Add to create the policy as follows:
- Name: NSB-LAN
- Rule Type: universal
- Source: Source Zone: LAN and NSB; Source Address: any; Source User: any; Source HIP Profile: any
- Destination: Destination Zone: LAN and NSB; Destination Address: any
- Application: any
- Service/URL Category: any
- Action: Allow

Note: the above rules are provided as an example; it is up to customers to change them according to the requirements of their security policies.

6. NAT rules

By default, the Palo Alto Next-Gen Firewall does not NAT traffic. Source NAT rules are needed for internal traffic using private addresses to reach the Internet. Since this document covers a dual-ISP environment, two source NAT rules are needed, one for each ISP. Go to Policies → NAT and click on + Add to create the source NAT rules.
Figure 34

Source NAT rule for ISP1 (ethernet1/7)
Figure 35
- Source Zone: NSB and LAN (check boxes)
- Destination Zone: Internet (from pull-down list)
- Destination Interface: ethernet1/7 (from pull-down list)
- Service: any (from pull-down list)
- Source Address: Any (check box)
- Destination Address: Any (check box)

Translated Packet tab
Figure 36
- Source Address Translation: Translation Type: Dynamic IP And Port (from drop-down list)
- Address Type: Interface Address (from drop-down list)
- Interface: ethernet1/7 (from drop-down list)
- IP Address: 10.1.251.236/27 (from drop-down list)

Source NAT rule for ISP2 (ethernet1/8)
Repeat the previous step using interface ethernet1/8, with the Translated Packet tab reflecting the following:
Figure 37

B. Two firewalls

1. HA (active/passive)

It is important to abide by the Palo Alto prerequisites for active/passive HA (high availability), as detailed at the following URL:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/set-up-activepassive-ha/prerequisites-for-activepassive-ha#id78977437-fe66-4204-9690-5a673fc8dd35

HA ports
The HA ports could be dedicated or assigned based on the firewall model. In this document the following HA ports are utilized:
- Control link (HA1): management
- Data link (HA2): ethernet1/6

Active firewall

General setup
Go to Device → High Availability → General, where the setup is divided into sections accessible through their own Setup button.
Figure 38

Click the config button within each section to access the settings, starting with the Setup section.

Setup (config button)
Figure 39
Figure 40
- Passive Link State: auto

Control Link (HA1) (config button)
The management port is used in this document.

Data Link (HA2) (config button)
Figure 41
Figure 42

Link and path monitoring
This setup defines the failover conditions and could use link and/or path monitoring to determine what causes a PAN firewall to fail over. This document covers link monitoring of the NSB and WAN interfaces. Two groups are defined, NSB and WAN. The NSB link monitoring comprises the active interfaces on each firewall, namely:
- ethernet1/1 and ethernet1/2 on the active firewall
- ethernet1/3 and ethernet1/4 on the passive firewall

The WAN link monitoring has both ISP1 and ISP2 interfaces (dual ISP). To set up HA link monitoring, go to Device → High Availability → Link and Path Monitoring, and define as shown.
Figure 43

Passive firewall

General setup
Repeat the setup steps taken in the active firewall section to define HA on the passive firewall, paying attention to the following:
- Same Group ID: 10
- Peer HA1 IP Address: the active firewall's management port IP
- Higher Device Priority in Election Settings (in PAN-OS the lower numerical value wins the election, so the passive firewall gets the larger number)
- Data Link (HA2) IP address: 192.168.224.2
Figure 44

Link and path monitoring
Figure 45

Click the Commit button on each firewall to save the setup and make it operational. Once synchronized, the High Availability widget on each firewall should reflect their state and that their setup is in sync.
Figure 46
Figure 47

Note: the management ports of both firewalls have IP connectivity; ping is enabled and permitted on the management interface; the HA2 ports are connected via an Ethernet cable.
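The addressing and ECMP plan from the NSB routing section (static routing with ECMP, and the note on routing without aggregation), as an added example that is not part of the Nile document. The four uplink /30s, the PAN-side addresses and the 172.16.8.0/21 aggregate are the guide's values; the gateway-side next hops are assumed to be the other usable host of each /30, since the guide does not list them. The checks go a little beyond the guide by flagging a subnet the aggregate would not cover, which is the case the note describes.

```python
import ipaddress

# Values from the guide: PAN interface -> (uplink /30, PAN-side address).
UPLINKS = {
    "ethernet1/1": ("172.16.7.0/30", "172.16.7.1"),
    "ethernet1/2": ("172.16.7.4/30", "172.16.7.5"),
    "ethernet1/3": ("172.16.7.8/30", "172.16.7.9"),
    "ethernet1/4": ("172.16.7.12/30", "172.16.7.13"),
}
AGGREGATE = "172.16.8.0/21"
# NSB subnet 172.16.8.0/24, sensor subnet 172.16.9.0/24, client subnets .10 to .15.
NILE_SUBNETS = [f"172.16.{i}.0/24" for i in range(8, 16)]


def peer_address(link, pan_ip):
    """Assumed Nile-gateway address: the other usable host of the /30 (not given in the guide)."""
    net = ipaddress.ip_network(link)
    hosts = list(net.hosts())
    pan = ipaddress.ip_address(pan_ip)
    if pan not in hosts:
        raise ValueError(f"{pan_ip} is not a usable host address in {link}")
    return str(next(h for h in hosts if h != pan))


def ecmp_static_routes(aggregate=AGGREGATE, uplinks=UPLINKS, metric=10):
    """The four equal-cost static routes the guide adds: one per uplink, same destination and metric."""
    return [
        {"destination": aggregate, "interface": ifname,
         "next_hop": peer_address(link, ip), "metric": metric}
        for ifname, (link, ip) in uplinks.items()
    ]


def routes_without_aggregation(subnets=NILE_SUBNETS, uplinks=UPLINKS):
    """Route count if no aggregate is used: one equal-cost route per uplink for every subnet."""
    return len(subnets) * len(uplinks)


def validate_plan(aggregate=AGGREGATE, subnets=NILE_SUBNETS, uplinks=UPLINKS):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    agg = ipaddress.ip_network(aggregate)
    links = [ipaddress.ip_network(link) for link, _ in uplinks.values()]
    for i, a in enumerate(links):
        if any(a.overlaps(b) for b in links[i + 1:]):
            problems.append(f"uplink {a} overlaps another uplink subnet")
        if a.overlaps(agg):
            problems.append(f"uplink {a} lies inside {agg}; keep transit links out of the summarized range")
    for s in subnets:
        if not ipaddress.ip_network(s).subnet_of(agg):
            problems.append(f"{s} is not covered by {agg}; it needs its own four ECMP routes")
    return problems
```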
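The zone policy from the firewall rules section, evaluated over sample flows, as an added example that is neither the Nile document's nor Palo Alto's code. It models the PAN-OS defaults the section states (intrazone allow, interzone deny) plus the two universal rules from the guide, and shows that the NSB-LAN rule as written also admits LAN-to-NSB traffic; the narrower NSB-to-LAN-servers rule set is an assumed illustration of tightening the example rules, and service matching is a simplification.

```python
# The two universal rules from the guide, in policy order.
GUIDE_RULES = [
    {"name": "LAN-NSB-to-Internet", "from": {"lan", "nsb"}, "to": {"internet"},
     "service": {"any"}, "action": "allow"},
    {"name": "NSB-LAN", "from": {"lan", "nsb"}, "to": {"lan", "nsb"},
     "service": {"any"}, "action": "allow"},
]

# Assumed tighter variant (not from the guide): only NSB clients to the
# customer's DHCP/DNS/RADIUS servers on the LAN, nothing from LAN to NSB.
NARROW_RULES = [
    GUIDE_RULES[0],
    {"name": "NSB-to-LAN-servers", "from": {"nsb"}, "to": {"lan"},
     "service": {"dhcp", "dns", "radius"}, "action": "allow"},
]


def evaluate(src_zone, dst_zone, service="any", rules=GUIDE_RULES):
    """Return (action, rule_name) for one flow: rules top-down, then PAN-OS zone defaults."""
    for rule in rules:
        zones_match = src_zone in rule["from"] and dst_zone in rule["to"]
        service_match = "any" in rule["service"] or service in rule["service"]
        if zones_match and service_match:
            return rule["action"], rule["name"]
    if src_zone == dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


def allowed_interzone_flows(rules=GUIDE_RULES, zones=("internet", "nsb", "lan"),
                            service="any"):
    """Sorted (src, dst) pairs between different zones that the policy lets through."""
    return sorted((s, d) for s in zones for d in zones
                  if s != d and evaluate(s, d, service, rules)[0] == "allow")
```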