topic Need help in setting up a basic lab in Panorama Discussions

Need help in setting up a basic lab

thorinthegreat — Wed, 27 Mar 2024 13:50:16 GMT

I am a complete beginner new to Palo Alto. I have a lab setup with Palo Alto management IP 192.168.1.51 and a windows server 2022 machine with IP 192.168.1.57. I want to create a rule on Palo Alto firewall to stop the internet access to the server. The default gateway for the internet is 192.168.1.1

Tell me how to do that because when I tried using the methods given online, it did not work. Ask me more questions about my setup so that you guys can understand more and help me troubleshoot this issue. I am able to ping from firewall to server and vice versa.

Thanks in advanced.

Re: Need help in setting up a basic lab

reaper — Wed, 27 Mar 2024 14:45:53 GMT

so you should have:

- an untrust interface connected to your internet link/isp router

- a trust interface that works as the default gateway for your network (this will be your 192.168.1.1)

- mgmt interface. ideally connected to it's own subnet but for a simple lab, especially when you're brand new, i'd put that in the same network as your trust interface, so you can use the trust interface as default gateway (this is needed so the firewall can fetch updates from the internet)

-lab machine, also in the subnet of your trust interface

so maybe start by setting up your trust to be 192.168.57.1/24 so it can be the default gateway for your windows machine and the mgmt interface

next, make sure your untrust interface has a connection to the internet.

- set the interface to dhcp mode if the isp uplink is a isp router

- or set the untrust interface in the subnet of the internet uplink

- in the network > virtual router section, add a 0.0.0.0/0 static route to the next hop of the internet uplink

now all you need to do is create

-a security rule that allows trust to untrust

-a NAT rule set like: from trust to untrust, source translation - dynamic ip and port - untrust interface (ip doesn't need to be provided, it will automatically pick the ip associated to the interface)

commit

now you should have internet access

Re: Need help in setting up a basic lab

thorinthegreat — Wed, 27 Mar 2024 15:55:50 GMT

Thanks for the help. Let me explain you further so that you can help me more.

1. My base machine on which virtual box is installed has the IP of 192.168.1.8 and the default gateway for internet it 192.168.1.1.

2. I have set both palo alto management IP and server IP in the same subnet as the base machine.

3. I just need to disable internet on the server as a lab exercise.

I have followed steps on a Udemy course in which the setup is more complicated with internal network and internet network that too on EVE-NG which I don't have as I couldn't install EVE-NG lab properly so I gave up. I only have 16 GB RAM on my computer which is a hinderence to creating a complex lab.

How to create a trust and untrust network if I have everything in the same subnet. how can I create a rule based on it?

I have already tried the static route and everything but the rule is not working and I am able to ping every IP from my server. Hope you'll be able to provide better solution this time.