Setting Up the PA-200 for Home and Small Office

Overview

This document provides a quick-start guide for a home or small office deployment.

 

Equipment

• Palo Alto Networks PA-200 device.
  Note: Other devices, such as the PA-500, can be configured the same way.
• Modem that assigns a public IP by DHCP.
• Wireless router, which typically has 4 or more LAN ports and 1 WAN port.
• Three straight-through RJ-45 UTP cables.
  Note: CAT5e or CAT6 is recommended for Gigabit Ethernet (GigE) speeds.

 

Proposed Topology

 

Access the WebGUI

1. Connect a UTP cable from your computer to the Palo Alto Networks firewall's MGMT port.
2. Configure your computer's Ethernet port to have IP 192.168.1.2 and netmask 255.255.255.0. A default gateway is not required.
3. Open a web browser and go to https://192.168.1.1, the default credentials are: username: admin, password: admin

 

Create Security Zones

1. Go to: Network > Zones and click Add.
2. Create 3 zones:
   • Untrust-L3, Type Layer3
   • Trust-L3, Type Layer3
   • Trust-L2, Type Layer2
     
     
     

The example shows the resulting configuration:

 

Connect the ISP Modem to the Firewall

Connect a UTP cable from the ISP modem to the Palo Alto Networks firewall, port ethernet1/1.

1. Go to Network > Interfaces on the WebGUI and configure ethernet 1/1.
2. On Config
   • Configure the ethernet1/1 Interface Type as Layer3.
   • Set Virtual Router to default.
   • Set Security Zone to Untrust-L3.
     
3. Under IPv4
   • If the ISP provides a modem from which the configuration can be obtained automatically, set the Type as DHCP Client.
     Note: When "Automatically create default route pointing to default gateway provided by server" is enabled, a default route is installed in the virtual router, 'default'.
     
   • If the ISP provides a modem that requires manual configuration of static entries, set the Type as Static. Then, add the static IP address/netmask.
     For example:
     
     Next, go to Network > Virtual Routers > 'default' > Static Routes > IPv4 and add a static route pointing to the ISP's next hop.
     For example:
     

Note: The IP addresses shown in the screenshots are examples only. Use IP addresses assigned by the ISP.

 

Connect the Wireless Router

General recommendations:

• To avoid a double-SNAT, do not use the wireless router's WAN'or Internet port, thereby using it in a Wireless Access Point'mode.
• The DHCP Server option in the wireless router must be disabled. The new DHCP Server will be configured in the firewall's 'vlan' interface.
• Configure 192.168.1.253 as the wireless router management IP.
• Connect Port 1 of the wireless router to the Palo Alto Networks firewall's ethernet 1/2 port.

 

Create a VLAN Object

1. Go to Network > VLANs and click Add.
2. Enter a name and select 'v' for VLAN Interface
   

 

Configure the Layer2 Ports and VLAN Object

1. Go to Network > Interfaces > Ethernet.
2. Edit the following settings for the ethernet1/2, ethernet1/3 and ethernet1/4 interfaces:
   • Interface Type: Layer2
   • Netflow Profile: None
   • VLAN: VLAN Object
   • Security Zone: Trust-L2
     
     
     

 

Configure the VLAN Interface

Go to Network > Interfaces > VLAN and edit the following settings:

Config tab

• VLAN: VLAN Object
• Virtual Router: default
• Security Zone: Trust-L3
  

IPv4 tab

Click Add and enter IP address 192.168.1.254/24:

 

Configure the DHCP Server

1. Go to Network > DHCP > DHCP Server.
2. Click Add.
3. Edit the DHCP Server settings, as shown:

• • If the ISP provides a modem where the configuration can be obtained automatically, then the DHCP Server can inherit the configuration that was originally received by the DHCP Client from the ISP. We will then configure an Inheritance Source, with settings obtained from the ISP we want to pass along to the local network.
    
  • If the ISP provides a modem that requires manually configuring static entries, specify the settings for the local network.
    Note: Public Google DNS servers 8.8.8.8 and 8.8.4.4 are used here as an example. However, we recommend using the DNS servers provided by the ISP.
    

 

Define a Security Profile Group

1. Go to Objects > Security Profile Groups and click Add.
2. Edit the following Security Profile Group settings as desired:
   
   Note: These Profiles are those that come by default with the Palo Alto Networks firewall and have been selected for demonstration purposes. We recommend you take your time to review if the settings for each of the presented selected profiles are appropriate to your setup.

 

Configure Outbound Internet Security Policy

1. Go to Policies > Security and click Add.
2. Enter a Name and Description:
   
3. Add the source zone:
   
4. Add the destination zone:
   
5. Specify the action as Allow and complete the Profile Setting:
   

 

Configure Outbound Internet NAT Policy

1. Go to Policies > NAT and click Add.
2. Enter a Name and check IPv4 for NAT Type:
   
3. On Original Packet, specify the Source Zone, Destination Zone, and Destination Interface:
   
4. On Translated Packet, set:
   • Translation Type: Dynamic IP And Port
   • Address Type: Interface Address
   • Interface: ethernet1/1
     

 

Configure the MGMT IP

Go to  Device > Setup > Management and specify the following Management Interface Settings:

• IP Address
• Netmask
• Default Gateway
  

 

Set DNS for MGMT

1. Go to Device > Setup > Services.
2. Enter the DNS server IPs. For example: Google DNS IP's 8.8.8.8 and 8.8.4.4.
   Note: This should already have been configured to install licenses on the device. If the licenses have not been installed on the device, then the firewall will not be able to reach the license server with these settings.
   

Commit the Changes

Perform a commit to make the changes active as the running configuration on the firewall. The internet modem may need to be restarted in order for it to assign a DHCP address to the firewall.

 

owner: mivald