Palo Alto Networks
Academy Labs
Lab Interface Configuration
Document Version: 10-Dec-19
Copyright © 2018 Palo Alto Networks, Inc.
www.paloaltonetworks.com
05/10/2018 Copyright © 2018 Palo Alto Networks, Inc. www.paloaltonetworks.com Page 1
Lab Topology
    Virtual Machine          Username    Password
    Firewall                 admin       admin
    Server 2012              lab-user    Pal0Alt0
    Centos AAC DMZ           root        Pal0Alt0
    Centos Virtual Router    root        Pal0Alt0
Powering Down Your VMware Workstation VM-50 firewall appliance:
If your VM-50 firewall appliance remains powered on after you power it off via VMware Workstation, shut it down by connecting to its CLI via SSH and entering the command “request shutdown system”. You can reach the firewall CLI via SSH from the Windows 2016 client virtual machine using PuTTY with 192.168.1.254 as the destination IP address, or from your host computer using PuTTY with the IP address of the Centos VR virtual machine’s external interface (ens160) as the destination.
Lab: Interface Configuration
Lab Objectives:
▪ Create Security zones in two different ways and observe the time saved.
▪ Create Interface Management Profiles to allow ping and response pages.
▪ Configure Ethernet interfaces to observe DHCP client options and static configuration.
▪ Create a virtual router and attach configured Ethernet interfaces.
▪ Test connectivity with automatic default route configuration and static configuration.
1.0 Load a Lab Configuration
To start this lab exercise, you will load a preconfigured firewall configuration file.
1. In the web interface, select Device > Setup > Operations.
2. Click Load named configuration snapshot:
A Load Named Configuration dialog box appears.
3. Click the drop-down list next to the Name text box and select edu-210-lab-03.
Note: Look for edu-210 in the filename because the drop-down list might contain lab
configuration files for other course numbers.
4. Click OK to close the Load Named Configuration window.
A window should appear that confirms that the configuration is being loaded.
5. Click Close to close the Loading Configuration window.
6. Click the Commit link at the upper right of the web interface:
A Commit window should appear.
7. Click Commit and wait until the commit process is complete.
A Commit Status window should appear that confirms the configuration was committed
successfully.
8. Click Close to continue.
1.1 Create a New Security Zone
Security zones are a logical way to group physical and virtual interfaces on the firewall to
control and log the traffic that traverses your network through the firewall. An interface on the
firewall must be assigned to a security zone before the interface can process traffic. A zone
can have multiple interfaces of the same type (for example, Tap, Layer 2, or Layer 3
interfaces) assigned to it, but an interface can belong to only one zone.
9. In the web interface, select Network > Zones.
10. Click Add to create a new zone.
The Zone configuration window should appear.
11. Configure the following:
    Parameter    Value
    Name         Type outside
    Type         Select Layer3 from the drop-down list
12. Click OK to close the Zone configuration window.
A new outside zone should appear in the web interface.
The outside zone is the only zone created in this task. You will add an Ethernet interface to this
zone in a later lab step.
1.2 Create Interface Management Profiles
An Interface Management Profile protects the firewall from unauthorized access by defining
the services and IP addresses that a firewall interface permits. You can assign an Interface
Management Profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical
interfaces (aggregate, VLAN, loopback, and tunnel interfaces).
13. In the web interface, select Network > Network Profiles > Interface Mgmt.
14. Click Add to create an Interface Management Profile.
The Interface Management Profile configuration window should appear.
15. Configure the following:
    Parameter           Value
    Name                Type ping-and-response-pages
    Network Services    Select the Ping and Response Pages check boxes
16. Click OK to close the Interface Management Profile configuration window.
A new Interface Management Profile should appear in the web interface.
17. Click Add to create another Interface Management Profile.
The Interface Management Profile configuration window should appear.
18. Configure the following:
    Parameter           Value
    Name                Type ping-only
    Network Services    Select the Ping check box
19. Click OK to close the Interface Management Profile configuration window.
A new Interface Management Profile should appear in the web interface.
20. Verify that your configuration is like the following:
1.3 Configure Ethernet Interfaces
Firewall interfaces, or ports, enable a firewall to connect with other network devices and other
interfaces within the firewall. The interface configuration of the firewall ports enables traffic
to enter and exit the firewall. You can configure the firewall interfaces for virtual wire, Layer
2, Layer 3, and tap mode deployments.
21. In the web interface, select Network > Interfaces > Ethernet.
In the next few steps, you will configure ethernet1/2 as a Layer 3 interface and assign it a static
IP address. This interface is logically connected to the Windows workstation and will operate as
the workstation’s default gateway (192.168.1.1).
22. Click ethernet1/2 to configure the interface.
The Ethernet Interface window should appear.
23. Configure the following:
    Parameter         Value
    Comment           Type inside interface
    Interface Type    Select Layer3 from the drop-down list
    Virtual Router    Verify that None is selected
24. Click the Security Zone drop-down list and select New Zone:
The Zone configuration window opens. Selecting New Zone from the Security Zone drop-down list is an alternate way to create security zones. You can either create them all at once or create them as you define your network interfaces.
25. Configure the following:
    Parameter    Value
    Name         Type inside
    Type         Verify that Layer3 is selected
26. Click OK to close the Zone configuration window:
27. Click the Ethernet Interface IPv4 tab.
28. Configure the following:
    Parameter    Value
    Type         Verify that the Static radio button is selected
    IP           Click Add and type 192.168.1.1/24
Be sure to include the CIDR mask for the interface IP address.
29. Click the Advanced tab.
30. Click the Management Profile drop-down list and select ping-and-response-pages:
Remember that the Management Profile you select here determines which network services
(ping, SNMP, SSH) an interface will answer. You must define a Management Profile before you
can assign it to an interface.
31. Click OK to close the Ethernet Interface configuration window.
32. Click ethernet1/3 to configure the interface.
The Ethernet Interface window should appear.
33. Configure the following:
    Parameter         Value
    Comment           Type dmz interface
    Interface Type    Select Layer3 from the drop-down list
    Virtual Router    Verify that None is selected
34. Click the Security Zone drop-down list and select New Zone.
The Zone configuration window should appear.
35. Configure the following:
    Parameter    Value
    Name         Type dmz
    Type         Verify that Layer3 is selected
36. Click OK to close the Zone configuration window:
37. Click the IPv4 tab.
38. Configure the following:
    Parameter    Value
    Type         Verify that the Static radio button is selected
    IP           Click Add and type 192.168.50.1/24
39. Click the Advanced tab.
40. Click the Management Profile drop-down list and select ping-only.
41. Click OK to close the Ethernet Interface configuration window.
42. Click ethernet1/1 to configure the interface.
43. Configure the following:
    Parameter         Value
    Comment           Type outside interface
    Interface Type    Select Layer3 from the drop-down list
    Virtual Router    Verify that None is selected
    Security Zone     Select outside from the drop-down list
44. Click the IPv4 tab and configure the following:
    Parameter    Value
    Type         Select the DHCP Client radio button
Note the Automatically create default route pointing to default gateway provided by server option. When selected, this option installs a default route based on DHCP option 3 (the router option).
45. Click OK to close the Ethernet Interface configuration window.
We are setting the external interface (ethernet1/1) on the firewall to obtain an IP address from
an external DHCP server. You might need to use this feature if you are installing a firewall at a
branch location and the ISP does not offer static IP addresses. Later in this lab you will change
the IP address from a dynamic or DHCP assigned address to a static IP address.
46. Click ethernet1/4 to configure the interface.
You will configure ethernet1/4 and ethernet1/5 as Virtual Wire interfaces and then create a virtual wire that binds these two interfaces.
47. Configure the following:
    Parameter         Value
    Comment           Type vWire zone named danger
    Interface Type    Select Virtual Wire from the drop-down list
    Virtual Wire      Verify that None is selected
48. Click the Security Zone drop-down list and select New Zone.
The Zone configuration window should appear.
49. Configure the following:
    Parameter    Value
    Name         Type danger
    Type         Verify that Virtual Wire is selected
50. Click OK to close the Zone configuration window:
51. Click OK to close the Ethernet Interface configuration window.
52. Click ethernet1/5 to open the interface.
53. Configure the following:
    Parameter         Value
    Comment           Type vWire zone named danger
    Interface Type    Select Virtual Wire from the drop-down list
    Virtual Wire      Verify that None is selected
    Security Zone     Select danger from the drop-down list
54. Click OK to close the Ethernet Interface configuration window.
55. Verify that your configuration is like the following:
1.4 Create a Virtual Wire
A virtual wire interface binds two Ethernet ports. A virtual wire interface allows all traffic or
just selected VLAN traffic to pass between the ports. No other switching or routing services
are available.
56. In the web interface, select Network > Virtual Wires.
57. Click Add and configure the following:
    Parameter      Value
    Name           Type danger
    Interface 1    Select ethernet1/4 from the drop-down list
    Interface 2    Select ethernet1/5 from the drop-down list
Note: Even though you set ethernet1/4 and ethernet1/5 to Virtual Wire mode in the interface
settings, you must still create a virtual wire and select the appropriate interface.
58. Click OK to create your virtual wire.
A new virtual wire should appear in the web interface.
59. Verify that your configuration is like the following:
1.5 Create a Virtual Router
The firewall requires a virtual router to obtain routes to other subnets either using static routes
that you manually define or through participation in Layer 3 routing protocols that provide
dynamic routes. The firewall has a predefined virtual router named default.
A virtual router is a separate routing instance that allows the firewall to route traffic from one
network to another through its Layer 3 interfaces. In our environment, we have three networks
– 192.168.1.0/24, 192.168.50.0/24, and 203.0.113.0/24. You will modify the default virtual
router and add the firewall’s interfaces from each of these networks to the virtual router.
Because we are using Layer 3 interfaces, the firewall must have a way to route traffic from
one network to another; this process is done with a virtual router. However, because each
interface is in a different security zone, the Security rules will prevent traffic in one network
from going to another network through the firewall.
60. In the web interface, select Network > Virtual Routers.
61. Click default to open the default virtual router.
The Virtual Router - default configuration window should appear.
62. Rename the default virtual router to lab-vr.
63. Locate the General tab > Interfaces box and click Add.
64. Add the following interfaces: ethernet1/1, ethernet1/2, and ethernet1/3:
Note: This step also can be completed via each Ethernet Interface configuration window.
65. Click OK to close the Virtual Router - default window.
The lab-vr virtual router should appear in the web interface.
66. Commit all changes.
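Before committing, it helps to check the planned assignment against the rules this lab states: every interface belongs to exactly one zone whose type matches the interface type, Layer 3 interfaces are attached to the virtual router, and interfaces set to Virtual Wire must still be bound to a virtual wire (the note under step 57). The Python script below is an added example, not part of the lab or of PAN-OS; the Plan and Interface classes and the plan data are constructed here from the lab steps, not read from a firewall.

```python
from dataclasses import dataclass

# Planned lab configuration, constructed from the lab steps above; these
# classes are an assumption of this example, not a PAN-OS API.
@dataclass
class Interface:
    name: str
    mode: str   # "layer3" or "virtual-wire"
    zone: str
    ip: str = ""

@dataclass
class Plan:
    interfaces: list     # Interface objects
    zones: dict          # zone name -> zone type
    virtual_wires: dict  # virtual wire name -> (interface1, interface2)
    vr_interfaces: list  # interfaces attached to the virtual router

def check_plan(plan):
    """Return a list of problems; an empty list means the plan follows the
    rules the lab states: every interface sits in an existing zone of the
    same type, Layer 3 interfaces are attached to the virtual router, and
    Virtual Wire interfaces are bound to a virtual wire (step 57 note)."""
    problems = []
    modes = {i.name: i.mode for i in plan.interfaces}
    in_vwire = {i for pair in plan.virtual_wires.values() for i in pair}
    for iface in plan.interfaces:
        ztype = plan.zones.get(iface.zone)
        if ztype is None:
            problems.append(f"{iface.name}: zone {iface.zone} does not exist")
        elif ztype != iface.mode:
            problems.append(f"{iface.name}: {iface.mode} interface in {ztype} zone {iface.zone}")
        if iface.mode == "layer3" and iface.name not in plan.vr_interfaces:
            problems.append(f"{iface.name}: Layer 3 interface not attached to the virtual router")
        if iface.mode == "virtual-wire" and iface.name not in in_vwire:
            problems.append(f"{iface.name}: set to Virtual Wire but no virtual wire binds it")
    for name, pair in plan.virtual_wires.items():
        for i in pair:
            if modes.get(i) != "virtual-wire":
                problems.append(f"virtual wire {name}: {i} is not a Virtual Wire interface")
    return problems

# The assignment this lab builds (ethernet1/1 is a DHCP client at this point).
LAB_PLAN = Plan(
    interfaces=[
        Interface("ethernet1/1", "layer3", "outside"),
        Interface("ethernet1/2", "layer3", "inside", "192.168.1.1/24"),
        Interface("ethernet1/3", "layer3", "dmz", "192.168.50.1/24"),
        Interface("ethernet1/4", "virtual-wire", "danger"),
        Interface("ethernet1/5", "virtual-wire", "danger"),
    ],
    zones={"outside": "layer3", "inside": "layer3", "dmz": "layer3", "danger": "virtual-wire"},
    virtual_wires={"danger": ("ethernet1/4", "ethernet1/5")},
    vr_interfaces=["ethernet1/1", "ethernet1/2", "ethernet1/3"],
)

if __name__ == "__main__":
    print(check_plan(LAB_PLAN) or "plan is consistent")
```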
1.6 Test Connectivity
67. On the Windows desktop, double-click the PuTTY icon.
68. Double-click firewall-management:
69. Log in using the following:
    Parameter    Value
    Name         admin
    Password     admin
70. In the CLI, enter the command show interface ethernet1/1.
The CLI command output should be like the following:
From the command output, you should be able to see the IP address obtained by DHCP. It
should be 203.0.113.21/24.
71. From the CLI, enter the command show routing route.
The CLI command output should be like the following:
The command output should show you the firewall’s default route that was installed as part of
the DHCP lease.
72. From the CLI, enter the command ping source 203.0.113.21 host 8.8.8.8.
Because a default route automatically was added to your route table, you should receive replies
from 8.8.8.8:
Note: The host you are pinging from is the firewall itself. The ping command is used to verify
the firewall’s connectivity to the internet.
73. Press Ctrl+C to stop the ping.
Do not exit out of the PuTTY window. You will use the session again in the next section of the
lab.
74. On the Windows desktop, double-click CMD to open a command-prompt window.
75. Type the command ping 192.168.1.1:
In this task, you are pinging from the Windows host to its default gateway, which is ethernet1/2
on the firewall. Verify that you get a reply before proceeding.
Note: If you try to ping 8.8.8.8 from the Windows host, you will not receive a response. You
currently do not have Security rules or NAT rules in place on the firewall to allow internal traffic
out to the Internet.
76. Type Exit to close the command-prompt window.
1.7 Modify Outside Interface Configuration
In this section, you will reconfigure Ethernet Interface 1/1 to use a static IP address and add a
static route to your virtual router. Under most conditions you will configure the firewall’s
Layer 3 interfaces with static IP addresses. We initially configured ethernet1/1 to use the
DHCP client function only to illustrate the feature should you ever need it.
77. In the web interface, select Network > Interfaces > Ethernet.
78. Select but do not open ethernet1/1:
79. Click Delete, then click Yes.
80. Commit all changes.
This action will force the interface to release the former DHCP-assigned IP address.
81. Click ethernet1/1 to configure the interface.
The Ethernet Interface window should appear.
82. Configure the following:
    Parameter         Value
    Comment           Type outside interface
    Interface Type    Select Layer3 from the drop-down list
    Virtual Router    Select lab-vr from the drop-down list
    Security Zone     Select outside from the drop-down list
83. Click the IPv4 tab and configure the following:
    Parameter    Value
    Type         Verify that the Static radio button is selected
    IP           Click Add and type 203.0.113.20/24
84. Click OK to close the Ethernet Interface configuration window.
85. In the web interface, select Network > Virtual Routers.
86. Click the lab-vr virtual router to open.
The Virtual Router – lab-vr configuration window should appear.
87. Click the Static Routes vertical tab:
88. Click Add and configure the following static route:
    Parameter              Value
    Name                   Type default-route
    Interface              Select ethernet1/1 from the drop-down list
    Destination            Type 0.0.0.0/0
    Next Hop               Verify that IP Address is selected
    Next Hop IP Address    Type 203.0.113.1
This step is very important! As with any other network host using IP, the firewall itself must have
a default gateway. Without this entry, the firewall can send only traffic to networks to which it
has interface connections (192.168.1.0/24, 192.168.50.0/24, and 203.0.113.0/24).
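To see why this entry matters, the Python snippet below (an added illustration, not part of the original lab) runs a longest-prefix-match lookup over lab-vr's three connected routes, with and without the default-route entry from step 88, and reports which egress interface and next hop the firewall would use for a destination, or None when it has no route at all. The route data is constructed from the lab addressing.

```python
import ipaddress

# Constructed from the lab addressing: the three networks to which lab-vr has
# interface connections. Each route is (prefix, egress interface, next hop),
# with next hop None for a directly connected network.
CONNECTED_ROUTES = [
    ("192.168.1.0/24", "ethernet1/2", None),
    ("192.168.50.0/24", "ethernet1/3", None),
    ("203.0.113.0/24", "ethernet1/1", None),
]
# The static route added in step 88.
DEFAULT_ROUTE = ("0.0.0.0/0", "ethernet1/1", "203.0.113.1")

def lookup(routes, dst):
    """Longest-prefix match: return (interface, next_hop) for dst, or None
    when no route covers it (the firewall would have nowhere to send it)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    if best is None:
        return None
    return best[1], best[2]

def reachable_from_firewall(dst, with_default_route):
    """Route lookup as seen by the firewall itself, before or after step 88."""
    routes = CONNECTED_ROUTES + ([DEFAULT_ROUTE] if with_default_route else [])
    return lookup(routes, dst)

if __name__ == "__main__":
    for dst in ("192.168.50.5", "8.8.8.8"):
        print(dst, "without default route:", reachable_from_firewall(dst, False))
        print(dst, "with default route:   ", reachable_from_firewall(dst, True))
```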
89. Click OK to add the static route.
90. Click OK to close the Virtual Router – lab-vr configuration window.
91. Commit all changes.
92. Make the PuTTY window that was used to ping 8.8.8.8 the active window.
93. Type the command ping source 203.0.113.20 host 8.8.8.8:
You should be able to successfully ping 8.8.8.8 from the firewall itself.
94. Close the PuTTY window.
Stop. This is the end of the Interface Configuration lab.