Palo Alto 200 Setup for home use

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.

Palo Alto 200 Setup for home use

L1 Bithead

I have been given a PA200 to setup at home to get myself familiar with Palo Alto firewalls.  I have a cable modem and wireless router that will need to be connected to the PA200.  I have followed the instructions on this article to get it setup:

https://live.paloaltonetworks.com/t5/Configuration-Articles/Setting-Up-the-PA-200-for-Home-and-Small...

My problem once I comptleted the setup is that I cannot browse out to the internet.  What am I doing wrong or what am I missing?  Any help would be appreciated.

 

Thanks,

Hector

21 REPLIES 21

L6 Presenter

Hi,

 

Double check you security policy, NAT configuration. Remember that you are doing double NAT so check carefully your NAT policy. What about your security logs? Is your traffic permitted or denied ?

 

Thx,

Myky

Cyber Elite
Cyber Elite

Hi Hector

 

it may be a good idea to create a temporary 'any any' security policy with a drop action and logging enabled at the very end of the rulebase to make sure dropped sessions are logged to help visualize anything that may not be picked up by a policy

 

next, you'll want to take a look at your traffic logs

is anything being blocked by the rule you created, is there a lot/exclusively logs with 'incomplete' as the action? these would mean packets are going out but nothing is coming back

this could be due to a routing or a natting issue

 

if there are no logs, your internal hosts may be pointing to an incorrect gateway, the subnet on your interface may not correspond to you clients or may be in a different subnet altogether

 

 

please also take a look at these articles to help you get started: Getting Started: The Series

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Sorry for replying so late.  I have only on NAT setup and its the one specified on the instructions.  I also created a temporary any any rule and moved it to the top to no avail.  One other thing, the logs are not getting generated now so I cant see where the blocks are.  How did i stop the logs from showing up?

 

Thanks,

Hector

Hi Hector,

 

Please check if you have a log enabled fro the security policy:

 

traffic log.PNG

Generally, should be enabled on the "session end".

 

Thanks,  I did check both secuirty policies and they are set to "Log at Session End".  Also,  I was thinking my routing could have been setup wrong.  I have the following:

Cable modem: 192.168.100.1 - After I log in I see CM MODEM IP and its on a 10.x.x.x network

Wireless Router: 192.168.1.253

PA: 192.168.1.252

What should my routing be setup as?  

 

-Hector

 

 

Are you running this plugged into your wireless router? Where is your default routing statement currently sending your traffic, are you trying to send it directly to your modem or your wireless router? Generally speaking you would replace your wireless router with your PA-200.

It may be a little more helpful if you send a screenshot of how you actually setup the routing on this device, I suspect at this point that routing is likely your issue. 

Hi,

 

So you have to have a static default route configured on your PA pointing to your router IP address. But as BPry said it is better to see a topology so will be much easier to help you.

 

Thx,

Myky

Static Routes.PNGStatic Route1.PNGStatic Route2.PNG

The setup instructions state to set up the route "pointing to the ISP's next hop".  This is where i'm getting confused, am i supposed to send it to my wireless router, to the cable modem, or the hop after the cable modem?

 

Thanks,

Hector

Hi Hector,

 

So if you are connected to the Internet "through" your wireless router (you got a cable going to the router) then static route should be pointing to the wireless router IP address. Your cable modem as l understood there just for signal converting, so you cannot manage it. Is it similar for this set-up:

 

modem-router.jpg

Please could you confirm your wireless router IP address/network? Also email me here: mayk.08@mail.ru so I can send you few more helpful info.

Thx,

Myky

Your setup is rather odd and without looking over the total configuration I can't tell whats wrong, I can only take crack shots on the information you provide. I did notice that the current route for 192.168.1.0/24 is showing your next hop as 192.168.1.254, which I didn't see mentioned anywhere on your network setup. What does your interface configuration look like? 

This might be a little faster to just dump the configuration, take out everything you don't want people to see, and upload the file. I feel like there may be multiple small configuration errors across the configuration that you are running into, that would take a while for the forum to pinpoint each individual issue with screenshots. 

 

It might be worth throwing your wireless router out of the picture and setting up an "UnTrust" zone on your firewall along with a "Trust" zone, and setting your "UnTrust" interface as DHCP. Understanding that you will still need wireless put your Wireless Router behind the firewall and simply put it in AP mode. Running your firewall behind your wireless router isn't exactly the best setup anyways from a security perspective, as this would allow wireless users to completely bypass any security that you have setup on the firewall.

L6 Presenter

Hi,

 

If your wireless router IP is 192.168.1.253 then you got you default route correct. Use Layer 3 mode for your interfaces configuration. Your PA interface has assigned ip 192.168.1.254/24. Put this interface to the "untrust" zone. Create another "trust"zone with different IP address range, assigned other interface to this zone, set up DHCP with. For DNS you can use your wifi router IP or Google dns. For the client in the "trust" zone DG is going to be your PA interface (trust zone IP). Configure NAT (PAT) pointing to your external PA IP address (192.168.1.254). Create security policy for traffic going from the "trust"> "untrust" zone. This will be enough for you get you familiar with Palo Alto, so you can test things but it is temporary set-up 🙂

 

Hope it helps.

Thx,

Myky

Why would you point the default route to the wireless, that means your wi-fi won't go through the firewall.

In step 3 there are two if statements, you either do one or the other.

If you have a cablemodem then it is most likely serving DHCP. Just configure ethernet1/1 as DHCP client and accept whatever default route the cablemodem gives you, no need for manual input of static route.

 

And remember to restart the cablemodem so that it releases the association to the MAC address of your old device.

Hi,

 

As l understand he cannot connect/attached  Palo  directly  to the mode, that is why he has to go through the wireless route. 

Sure you are correct if you can connect Palo directly to the modem. 

p.S I could do it because my modem/router is Virgin Media and has specific interface:

 DSCF0842.jpg

 

 

  • 7930 Views
  • 21 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!