Nominated Discussion: Setting Up a New Palo Alto Firewall


This Nominated Discussion Article is based on the post "Internet -> PA-440 -> ASUS RT-AX53U AX1800. Error = Router does not get Internet access " by @SoloSigma and answered by Cyber Elite @reaper. Read on if you are curious about setting up a new firewall yourself!

 

I have just purchased my first Palo Alto firewall. I am a sysadmin at a small office (about 20 people) and I am in the process of setting up a new WiFi for my office.

 

This is my equipment:

 

  • Firewall: PA-440
  • Router: Asus RT-AX53U AX1800

This is my current setting:

 

Fig 1_Nominated Discussion-Setting-Up-a-New-Firewall_palo-alto-networks.png

 

 

I have managed to connect to the PA-440 firewall by setting my network card's IP to 192.168.1.2.

 

What should I do in order to make my router get Internet? I have some screenshots of my setup here:

 

PA-440 Dashboard

Fig 2_Nominated Discussion-Setting-Up-a-New-Firewall_palo-alto-networks.png

 

PA-440 Interfaces

Fig 3_Nominated Discussion-Setting-Up-a-New-Firewall_palo-alto-networks.png

 

 

 

Asus RT-AX53U AX1800 dashboard

Fig 4_Nominated Discussion-Setting-Up-a-New-Firewall_palo-alto-networks.png

 

 

Asus RT-AX53U AX1800 LAN

Fig 5_Nominated Discussion-Setting-Up-a-New-Firewall_palo-alto-networks.png

 

 

Asus RT-AX53U AX1800 LAN -> DHCP

Fig 6_Nominated Discussion-Setting-Up-a-New-Firewall_palo-alto-networks.png

 

 

Asus RT-AX53U AX1800 WAN

Fig 7_Nominated Discussion-Setting-Up-a-New-Firewall_palo-alto-networks.png

 

 

 

Solution:

 

There's a good book you can read 😉

 

There's a lot of stuff you can do, but let's start with the basics.

 

Create 2 new layer3 zones

 

I'd firstly set the interface 1/1 to layer 3 mode and set it as DHCP client. That should get you a public IP automatically from your ISP.

 

Assign it the external zone

 

Fig 8_Nominated Discussion-Setting-Up-a-New-Firewall_palo-alto-networks.png

 

Next, set the ethernet1/2 as a layer3 interface, assign it an IP address (e.g. 192.168.50.1/24), and enable a DHCP server on that interface. Make sure you set the 192.168.50.1 IP as default route in the DHCP features.

 

Fig 9_Nominated Discussion-Setting-Up-a-New-Firewall_palo-alto-networks.png

Now, it would be preferable if you can set your Asus in passthrough mode so it simply acts as an access point and does not interfere with routing or additional NAT inside your network.

 

Don't forget to create a security rule that allows your new internal zone out to your new external zone (delete the rule that was already in place; fresh starts are better).

 

Make sure to add your subscription profiles!

 

Fig 10_Nominated Discussion-Setting-Up-a-New-Firewall_palo-alto-networks.png

 

And lastly, create a NAT rule for your outbound traffic:

 

Fig 11_Nominated Discussion-Setting-Up-a-New-Firewall_palo-alto-networks.png

 

To ensure your firewall is able to fetch updates, configure it with a DNS server in the management section, then consider setting up 'service routes' (Device > setup > service > service routes) attached to your ethernet1/2 (otherwise the updates will be fetched via your management interface, which is currently not connected to anything).

 

Fig 12_Nominated Discussion-Setting-Up-a-New-Firewall_palo-alto-networks.png
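
The steps in the answer above, written out as PAN-OS configure-mode commands since the screenshots are not reproduced here; this is an added example, not part of the original post or reply. The rule names, the DHCP pool range, the DNS placeholder, and the use of the built-in `default` virtual router and predefined `default` profiles are assumptions, and service routes are left to the GUI path given in the answer.

```panos
# Added example. Lines starting with '#' are annotations only; enter the
# set commands in configure mode.
# Assumes any factory-default configuration still bound to ethernet1/1 and
# ethernet1/2 (including the pre-existing rule the answer says to delete)
# has already been removed.

# WAN side: layer 3, DHCP client, default route learned from the ISP
set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/1 layer3 dhcp-client create-default-route yes

# LAN side: layer 3 with the static address from the answer
set network interface ethernet ethernet1/2 layer3 ip 192.168.50.1/24

# Both interfaces must belong to a virtual router to route between them
# (assumption: the built-in virtual router named "default" is used)
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]

# Two layer 3 zones, named as in the answer
set zone external network layer3 ethernet1/1
set zone internal network layer3 ethernet1/2

# DHCP server on the LAN interface; the pool range is a constructed value
# and <dns-server-ip> is a placeholder to replace with your resolver
set network dhcp interface ethernet1/2 server mode enabled
set network dhcp interface ethernet1/2 server ip-pool 192.168.50.100-192.168.50.200
set network dhcp interface ethernet1/2 server option gateway 192.168.50.1
set network dhcp interface ethernet1/2 server option dns primary <dns-server-ip>

# Outbound security rule (hypothetical name), internal -> external only
set rulebase security rules internal-to-external from internal to external source any destination any
set rulebase security rules internal-to-external application any service application-default action allow

# Threat profiles on the rule; the predefined "default" profiles stand in
# for whichever subscription profiles you are licensed for
set rulebase security rules internal-to-external profile-setting profiles virus default
set rulebase security rules internal-to-external profile-setting profiles spyware default
set rulebase security rules internal-to-external profile-setting profiles vulnerability default

# Source NAT (hypothetical name): hide the LAN behind the DHCP-assigned WAN address
set rulebase nat rules outbound-nat from internal to external source any destination any service any
set rulebase nat rules outbound-nat source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
```

Because nothing references the external zone as a source, inbound sessions from the Internet fall through to the default interzone deny.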

 

Last Updated: 01-19-2024 03:11 PM