Palo Alto 200 Setup for home use


L1 Bithead

I have been given a PA200 to set up at home to get myself familiar with Palo Alto firewalls.  I have a cable modem and wireless router that will need to be connected to the PA200.  I have followed the instructions in this article to get it set up:

https://live.paloaltonetworks.com/t5/Configuration-Articles/Setting-Up-the-PA-200-for-Home-and-Small...

My problem once I completed the setup is that I cannot browse out to the internet.  What am I doing wrong or what am I missing?  Any help would be appreciated.

 

Thanks,

Hector

21 REPLIES 21

One of those cablemodems with integrated wifi, if you want to secure your wifi users you'll need to forget about the modem wifi capabilities and install a separate Wifi router, otherwise all wireless clients will go straight out to the internet through the modem.

 

The yellow ports will lease RFC1918 addresses on DHCP, so just use any of those ports as a regular non-wifi integrated cablemodem.

 

Since these also do NAT inside, you will need to enable any port forwarding to the outside. I'd recommend you configure a 'DMZ Host' (forward all TCP and UDP ports to a single IP) pointing to the WAN IP of the Firewall, so there's no need to worry about opening ports twice every time you want to host a service to the outside.

mivaldi is right, if this is a modem with integrated wireless then just forget that your modem even has a wireless option and shut it off. Keeping that wireless signal on would defeat any purpose of having a PA protecting your network. You can set up the DHCP to act as a relay or create your own DHCP options; personally I would recommend putting the DHCP on the PA itself since it allows you to easily switch your computers away from your ISP's DHCP servers.

I would recommend moving your equipment away from the 192.168.1.* addresses, everybody uses 192.168.1. I assumed from your first post the interface IP was 192.168.1.252; if you are using 192.168.1.254 as your interface IP then that route is correct. I would build your network around the PA-200 to simulate an environment that you would actually be working with; leaving it behind everything isn't what you are going to see out in the real world.

I'm not sure from your wording if your wireless router is built into your modem or not; as you referenced them as two different pieces of equipment I'm going to guess that they are not. Put your wireless router behind your PA and plug your PA directly into the modem. You may or may not have to actually power cycle the modem to get it to provide an IP address to your PA. The "Outside" port that you are using on your PA can be set to DHCP to automatically pull all the required information for you, then let it build the default route. Then you can start working on the "inside" and wireless zone/ports and their security policies to actually start moving traffic.
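The steps described in the reply above, written out as PAN-OS configure-mode `set` commands. This is an added example, not part of the original thread or the linked article. It assumes `ethernet1/1` faces the modem and `ethernet1/2` faces the inside, that both have already been removed from the factory virtual wire, that the zones are named `untrust` and `trust`, and that the inside subnet is the constructed `10.10.10.0/24`; the rule names are hypothetical. Lines starting with `#` are annotations, not commands, and should not be pasted.

```text
configure

# Outside port: DHCP client toward the modem; let the lease install the default route
set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/1 layer3 dhcp-client create-default-route yes

# Inside port: static gateway address for the LAN (constructed example subnet)
set network interface ethernet ethernet1/2 layer3 ip 10.10.10.1/24

# Both interfaces must belong to a virtual router and to a zone before traffic can flow
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]
set zone untrust network layer3 ethernet1/1
set zone trust network layer3 ethernet1/2

# Source NAT: translate inside hosts to whatever address ethernet1/1 leased
set rulebase nat rules outbound-snat from trust to untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Security policy: without an allow rule from trust to untrust, nothing leaves the LAN
set rulebase security rules trust-to-untrust from trust to untrust source any destination any application any service application-default action allow

commit
```

If any one of these pieces is missing (zone membership, virtual router membership, the NAT rule, or the allow rule), inside hosts cannot browse out even though the outside interface has an address.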

I am with you, but my setup was just simple and purely for "learning" or "familiarising" with PA as per the original request. Hector doesn't want to install PA at home for the protection (you don't even need it for home), he just wants to get the skills. The quicker you configure, the more time you have for practice 🙂

Of course with this setup, WiFi users will not be traversing the PA (from the Palo view they will be in the "untrust" zone), hence no security policy applies. Anyway, I respect every opinion and every comment. This is what I had configured in my home when I was doing CBT Nuggets:

 

cbt.PNG

So it is simple and it worked for me.

 

Thx,

Myky

 

 

 

 

It looks like you spent some time drawing this, awesome diagram!

This photo (message 11) shows you're connecting the modem to the WAN port of your wifi router. It should go to the designated WAN of the firewall instead. Also, you don't want to be doing source NAT twice (don't use the WAN port of the wifi router!), let the firewall do the Source NAT. It will also make your life difficult, since if you want to open any ports to the outside (DNAT rules), you would have to punch that hole twice, once in the firewall and yet again on your wifi router.


And the most crucial, the coax is not connected to the modem 🙂

Haha)) Unfortunately it is not me, this is from the training. But I agree with you

That was just an example (a bad one) but for sure no Internet with this setup))
