topic Re: External Data Port Cabling in General Topics

External Data Port Cabling

Neo.The.One — Wed, 29 Oct 2014 09:18:07 GMT

Hallo

i am setting up a new PA 3050 FW. I dont want to use the management port to connect to internet and download updates. So I am following the admin guide to "Set up an External Data Port" for updates. Now as per that:

1. I set up a port, say e1/4 on PA 3050, as an internal port in "L3-Trust" Zone and give it a static IP address 192.168.35.100.

2. I set up an external facing port, say e1/5, in zone "L3-Untrust". This port is connected to my ISP Router and has a publicly routable IP.

Where should I cable the internal facing port e1/4 mentioned in point 1 above? Can I somehow NAT the private address to use the Interface e1/5 IP address?

Thanks!

Re: External Data Port Cabling

HULK — Wed, 29 Oct 2014 11:30:12 GMT

Hello Amit,

Ethernet-1/4 should be connected to your LAN segment ( there is no physical connection required between MGMT interface and L3-Trust interface) and you need a valid NAT & security policy for all outgoing traffic through L3-Untrust (towards internet).

For an Example: I am using Ethernet 1/3 -192.168.10.100( L3-Trust interface) for my service route.

Hope this helps.

Thanks

Re: External Data Port Cabling

HULK — Wed, 29 Oct 2014 11:39:20 GMT

Answer to your last query: Yes, you can create a source-NAT for all private address to use the Interface 1/5 IP address.

FYI: In this example, i am using ethernet-1/1 as my L3-Untrust interface ( towards ISP).

NAT RULE:

Thanks

Re: External Data Port Cabling

hshah — Wed, 29 Oct 2014 13:48:21 GMT

Hi Amit,

You can achieve this through service route. I would suggest to have PANW updates through untrust interface directly. That way you dont need any special NAT or Security policy. Its much simpler.

Device > Setup > Services > Service route Configuration > Customize > Palo Alto Networks Updates through Ethernet 1/5.

This should work.

Regards,

Hardik Shah

Re: External Data Port Cabling

hshah — Wed, 29 Oct 2014 13:49:28 GMT

And if you want to have updates from ethernet 1/3 than NAT and aditional security policy might require. Which is extra over had.

In that case in above step select interface Ethernet 1/3 to route the PANW update traffic. I dont see any necessity of it.

Re: External Data Port Cabling

HULK — Wed, 29 Oct 2014 14:09:54 GMT

Even if you will configure the service route ( through through Ethernet 1/5-Untrust interface), I hope you have to configure a "Untrust-to Untrust" security rule to allow traffic for management. Which will potentially allow anyone from internet to initiate an attack ( not recommended). There should be some valid logic, why ADMIN guide suggested to have a L3-Trust interface for service route.

Try to understand the fact, instead of "extra over had"

Thanks

Re: External Data Port Cabling

hshah — Wed, 29 Oct 2014 14:16:31 GMT

Hi Hulk,

There is a default policy which allows "Untrust to Untrust" Traffic. I dont see any security threat with that. Do you see ?

Regards,

Hardik Shah

Re: External Data Port Cabling

HULK — Wed, 29 Oct 2014 14:19:54 GMT

Most of the customers will not have a default allow rule in their production network, which will allow all unwanted traffic through the firewall. Hence, we should suggest some resolution which will be valid and secure for a production network.

Thanks