Setting Up the PA-200 for Home and Small Office

by mivaldi on 10-13-2014 05:30 PM - edited on 08-27-2015 02:25 PM (65,283 Views)

Overview

This document provides a quick-start guide for a home or small office deployment.


Equipment

  • Palo Alto Networks PA-200 device.
    Note: Other devices, such as the PA-500, can be configured the same way.
  • Modem that assigns a public IP by DHCP.
  • Wireless router, which typically has 4 or more LAN ports and 1 WAN port.
  • Three straight-through RJ-45 UTP cables.
    Note: CAT5e or CAT6 is recommended for Gigabit Ethernet (GigE) speeds.


Proposed Topology

[Topology diagram: ISP modem to ethernet1/1, wireless router LAN port to ethernet1/2, computer to the MGMT port]

Access the WebGUI

  1. Connect a UTP cable from your computer to the Palo Alto Networks firewall's MGMT port.
  2. Configure your computer's Ethernet port to have IP 192.168.1.2 and netmask 255.255.255.0. A default gateway is not required.
  3. Open a web browser and go to https://192.168.1.1. The default credentials are username admin and password admin.


Create Security Zones

  1. Go to: Network > Zones and click Add.
  2. Create 3 zones:
    • Untrust-L3, Type Layer3
    • Trust-L3, Type Layer3
    • Trust-L2, Type Layer2

[Screenshot: the three resulting zones]

Connect the ISP Modem to the Firewall

Connect a UTP cable from the ISP modem to the Palo Alto Networks firewall, port ethernet1/1.

  1. Go to Network > Interfaces on the WebGUI and configure ethernet1/1.
  2. On the Config tab:
    • Configure the ethernet1/1 Interface Type as Layer3.
    • Set Virtual Router to default.
    • Set Security Zone to Untrust-L3.
  3. On the IPv4 tab:
    • If the ISP provides a modem from which the configuration can be obtained automatically, set the Type as DHCP Client.
      Note: When "Automatically create default route pointing to default gateway provided by server" is enabled, a default route is installed in the virtual router 'default'.
    • If the ISP provides a modem that requires manual configuration of static entries, set the Type as Static and add the static IP address/netmask.
      Next, go to Network > Virtual Routers > 'default' > Static Routes > IPv4 and add a static route pointing to the ISP's next hop.

Note: The IP addresses shown in the screenshots are examples only. Use IP addresses assigned by the ISP.


Connect the Wireless Router

General recommendations:

  • To avoid double SNAT, do not use the wireless router's WAN or Internet port; connect it through a LAN port instead, so that it operates in Wireless Access Point mode.
  • The DHCP Server option on the wireless router must be disabled. The DHCP server for the LAN will instead be configured on the firewall's 'vlan' interface.
  • Configure 192.168.1.253 as the wireless router management IP.
  • Connect Port 1 of the wireless router to the Palo Alto Networks firewall's ethernet1/2 port.


Create a VLAN Object

  1. Go to Network > VLANs and click Add.
  2. Enter a name and select 'v' for the VLAN Interface.


Configure the Layer2 Ports and VLAN Object

  1. Go to Network > Interfaces > Ethernet.
  2. Edit the following settings for the ethernet1/2, ethernet1/3 and ethernet1/4 interfaces:
    • Interface Type: Layer2
    • Netflow Profile: None
    • VLAN: the VLAN object created above
    • Security Zone: Trust-L2


Configure the VLAN Interface

Go to Network > Interfaces > VLAN and edit the following settings:

Config tab

  • VLAN: the VLAN object created above
  • Virtual Router: default
  • Security Zone: Trust-L3

IPv4 tab

Click Add and enter the IP address 192.168.1.254/24.


Configure the DHCP Server

  1. Go to Network > DHCP > DHCP Server.
  2. Click Add.
  3. Edit the DHCP Server settings:
    • If the ISP provides a modem from which the configuration can be obtained automatically, the DHCP Server can inherit the settings that the DHCP Client on ethernet1/1 received from the ISP. Configure an Inheritance Source and select the ISP-provided settings to pass along to the local network.
    • If the ISP provides a modem that requires manually configuring static entries, specify the settings for the local network manually.
      Note: Public Google DNS servers 8.8.8.8 and 8.8.4.4 are used here as an example. However, we recommend using the DNS servers provided by the ISP.


Define a Security Profile Group

  1. Go to Objects > Security Profile Groups and click Add.
  2. Select the security profiles to include in the group as desired.
    Note: The profiles shown are those that ship by default with the Palo Alto Networks firewall and were selected for demonstration purposes. We recommend reviewing whether the settings of each selected profile are appropriate for your setup.


Configure Outbound Internet Security Policy

  1. Go to Policies > Security and click Add.
  2. Enter a Name and Description.
  3. Add the source zone (Trust-L3).
  4. Add the destination zone (Untrust-L3).
  5. Specify the action as Allow and, under Profile Setting, select the Security Profile Group created above.


Configure Outbound Internet NAT Policy

  1. Go to Policies > NAT and click Add.
  2. Enter a Name and check IPv4 for NAT Type.
  3. On Original Packet, specify the Source Zone (Trust-L3), Destination Zone (Untrust-L3), and Destination Interface (ethernet1/1).
  4. On Translated Packet, set:
    • Translation Type: Dynamic IP And Port
    • Address Type: Interface Address
    • Interface: ethernet1/1


Configure the MGMT IP

Go to Device > Setup > Management and specify the following Management Interface Settings:

  • IP Address
  • Netmask
  • Default Gateway


Set DNS for MGMT

  1. Go to Device > Setup > Services.
  2. Enter the DNS server IPs, for example Google DNS 8.8.8.8 and 8.8.4.4.
    Note: The firewall needs these settings to reach the license server, so they should already be in place if licenses have been installed on the device.

Commit the Changes

Perform a commit to make the changes active as the running configuration on the firewall. The internet modem may need to be restarted in order for it to assign a DHCP address to the firewall.
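As an added example (not part of the original guide and not PAN-OS code), the Python below models the configuration this guide builds as plain data and checks the consistency points that the comments on this page turn on: a Layer3 interface missing from the virtual router (the commit fails), a duplicate default route (the DHCP client's automatic route plus a manually added static route), a missing outbound security or source NAT rule, and a second DHCP server on the LAN. The FirewallConfig model, its field names and check_config are assumptions made for this example.

```python
# Added example, not PAN-OS code: a model of the configuration this guide
# builds, with checks for the problems raised in the comments on the page.
from dataclasses import dataclass

@dataclass
class FirewallConfig:
    zones: dict              # zone name -> (zone type, [interfaces])
    vr_interfaces: list      # interfaces attached to virtual router 'default'
    default_routes: list     # origins of 0.0.0.0/0 routes: 'dhcp-client', 'static'
    security_rules: list     # (from zone, to zone, action)
    nat_rules: list          # (from zone, to zone, translated interface)
    lan_dhcp_servers: list   # devices handing out leases on the Trust side

def check_config(cfg):
    """Return a list of problems; an empty list means the design is consistent."""
    problems = []
    # A Layer3 interface that is not in a virtual router makes the commit fail.
    for zone, (ztype, ifaces) in cfg.zones.items():
        for iface in ifaces:
            if ztype == "layer3" and iface not in cfg.vr_interfaces:
                problems.append(f"{iface} ({zone}) is not in virtual router 'default'; commit will fail")
    # The DHCP client's auto-created route plus a manual static route gives two default gateways.
    if not cfg.default_routes:
        problems.append("no default route: Internet-bound traffic has no next hop")
    elif len(cfg.default_routes) > 1:
        problems.append("duplicate default route from " + " and ".join(cfg.default_routes))
    # Outbound traffic needs both an allow rule and source NAT to the ethernet1/1 address.
    if ("Trust-L3", "Untrust-L3", "allow") not in cfg.security_rules:
        problems.append("no security rule allowing Trust-L3 -> Untrust-L3")
    if not any(r[:2] == ("Trust-L3", "Untrust-L3") for r in cfg.nat_rules):
        problems.append("no source NAT Trust-L3 -> Untrust-L3: replies cannot reach private addresses")
    # Only the firewall's VLAN interface should serve DHCP; the wireless router's DHCP stays off.
    if cfg.lan_dhcp_servers != ["vlan"]:
        problems.append(f"unexpected DHCP servers on the LAN: {cfg.lan_dhcp_servers}")
    return problems

def guide_config():
    """The configuration as the guide builds it, DHCP-client WAN variant (constructed sample)."""
    return FirewallConfig(
        zones={"Untrust-L3": ("layer3", ["ethernet1/1"]),
               "Trust-L3": ("layer3", ["vlan"]),
               "Trust-L2": ("layer2", ["ethernet1/2", "ethernet1/3", "ethernet1/4"])},
        vr_interfaces=["ethernet1/1", "vlan"],
        default_routes=["dhcp-client"],
        security_rules=[("Trust-L3", "Untrust-L3", "allow")],
        nat_rules=[("Trust-L3", "Untrust-L3", "ethernet1/1")],
        lan_dhcp_servers=["vlan"],
    )
```

Running check_config(guide_config()) returns an empty list; dropping ethernet1/1 from vr_interfaces or adding a second entry to default_routes reproduces the two failure reports from the comments.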


owner: mivald

Comments
by eDub
on 06-25-2015 01:56 PM

Very helpful- thanks.

One note: ethernet1/1 has to be added to the virtual router interface or Commit will fail.

by mivaldi
on 07-23-2015 11:56 AM

Thanks for the input. Adding ethernet1/1 to the VR is covered under:

Connect the ISP Modem to the Firewall

Connect a UTP cable from the ISP modem to the Palo Alto Networks firewall, port ethernet1/1.

  1. Go to Network > Interfaces on the web UI and configure ethernet 1/1
  2. On the Config tab
    • Configure the ethernet1/1 Interface Type as Layer3
    • Set Virtual Router to 'default'

by Ram-Bista
on 07-24-2015 12:00 PM

Good day to you,

It is failing on commit even though I have the virtual router configured for ethernet 1/1.

Would you mind assisting me further?

Thanks.

by wfleitz
09-05-2015 06:52 PM - edited 09-05-2015 06:55 PM

This works perfectly for me. Quick question. I have a server at home which I would like to open up to https and ms-rdp. Can you show me how to configure the NAT for a single server? My old Linksys called this "port translation" and I had to specify the internal IP of the server and the ports. I only have one external IP with my ISP. Thanks for any help you can provide.

by mivaldi
on 09-23-2015 09:18 AM

@Ram_Bista, please call in to Support and we'll be able to assist you. Our number in the US is 866-898-9087.

by mivaldi
09-23-2015 09:21 AM - edited 09-23-2015 09:32 AM

@wfleitz, You need a Destination NAT policy. We have a video tutorial available for this at How to Configure Destination NAT on the PAN-OS UI

If you're using a DHCP client IP that may change from time to time on the WAN interface, then you'll need a host to keep a Dynamic DNS entry updated. You will then define an FQDN Address Object to represent your Public IP. For a Dynamic DNS provider, there are multiple paid services like DynDNS.com. For a free option, check out Afraid DNS at http://freedns.afraid.org/

by highspeed1972bmh
on 12-23-2015 05:34 PM

So is this DDNS step posted by mivaldi needed? I followed the exact steps above several times; I can get an IP address, but for some reason I keep getting two default gateways. Does anyone have any ideas?

I have time warner -> eth 1/1 on PA, eth 1/2 PA into the eth 1/1 of my ASUS wireless router running in AP mode (DHCP disabled)

Any help would be greatly appreciated. I did upgrade the code to 7.0.4 from 5; had to go 6.0 -> 6.0.1 -> 7.0.4

by mivaldi
on 01-14-2016 11:37 AM

@highspeed1972bmh

The DDNS step I posted was in reply to wfleitz's question, where he wondered about Port Address Translation (making a server sitting on a private IP visible on the public IP, while the public IP is acquired dynamically from the ISP through DHCP).

In your case, it's possible that you have the checkbox for "Automatically create default route pointing to default gateway provided by server" checked, and that you *also* manually added a default route in the virtual router. This can result in the same default route being added twice. If you are already receiving the default gateway IP from your ISP through DHCP and you have the aforementioned checkbox checked, then you don't need to manually define the default route in the virtual router.

Naturally, an alternative is to leave the default route you added in the virtual router alone, and uncheck the checkbox for "Automatically create default route pointing to default gateway provided by server".


by TonyKiser
on 04-06-2016 06:56 AM

I have gone through this setup and untrust side is getting an IP, all good, my endpoints are getting DHCP IP addresses from FW, but not getting to internet. I'm seeing most traffic saying "aged-out".  Any thought on part I may be missing?

by AlexanderSuppanz
on 04-08-2016 12:27 AM

Hi Tony,

did you create the Virtual Router with the right default route and make a NAT rule?


br Alex

by wildcat
01-07-2017 07:54 AM - edited 01-07-2017 07:55 AM

Nice write up, thanks.

What about the Inbound Security Policy? src:Internet dst: Trust-L3 action:deny?

by
on 01-09-2017 03:22 AM

Hi @wildcat

The implied policy (interzone-default) takes care of that connection.


If this policy is not visible, you'll want to upgrade to a newer PAN-OS
