- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
03-27-2024 06:50 AM
I am a complete beginner new to Palo Alto. I have a lab setup with Palo Alto management IP 192.168.1.51 and a windows server 2022 machine with IP 192.168.1.57. I want to create a rule on Palo Alto firewall to stop the internet access to the server. The default gateway for the internet is 192.168.1.1
Tell me how to do that because when I tried using the methods given online, it did not work. Ask me more questions about my setup so that you guys can understand more and help me troubleshoot this issue. I am able to ping from firewall to server and vice versa.
Thanks in advanced.
03-27-2024 07:45 AM - edited 03-27-2024 07:45 AM
so you should have:
- an untrust interface connected to your internet link/isp router
- a trust interface that works as the default gateway for your network (this will be your 192.168.1.1)
- mgmt interface. ideally connected to it's own subnet but for a simple lab, especially when you're brand new, i'd put that in the same network as your trust interface, so you can use the trust interface as default gateway (this is needed so the firewall can fetch updates from the internet)
-lab machine, also in the subnet of your trust interface
so maybe start by setting up your trust to be 192.168.57.1/24 so it can be the default gateway for your windows machine and the mgmt interface
next, make sure your untrust interface has a connection to the internet.
- set the interface to dhcp mode if the isp uplink is a isp router
- or set the untrust interface in the subnet of the internet uplink
- in the network > virtual router section, add a 0.0.0.0/0 static route to the next hop of the internet uplink
now all you need to do is create
-a security rule that allows trust to untrust
-a NAT rule set like: from trust to untrust, source translation - dynamic ip and port - untrust interface (ip doesn't need to be provided, it will automatically pick the ip associated to the interface)
commit
now you should have internet access
03-27-2024 08:55 AM
Thanks for the help. Let me explain you further so that you can help me more.
1. My base machine on which virtual box is installed has the IP of 192.168.1.8 and the default gateway for internet it 192.168.1.1.
2. I have set both palo alto management IP and server IP in the same subnet as the base machine.
3. I just need to disable internet on the server as a lab exercise.
I have followed steps on a Udemy course in which the setup is more complicated with internal network and internet network that too on EVE-NG which I don't have as I couldn't install EVE-NG lab properly so I gave up. I only have 16 GB RAM on my computer which is a hinderence to creating a complex lab.
How to create a trust and untrust network if I have everything in the same subnet. how can I create a rule based on it?
I have already tried the static route and everything but the rule is not working and I am able to ping every IP from my server. Hope you'll be able to provide better solution this time.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!