In my last post I covered Zones, Virtual Routers and Interfaces and how they all come together to form a basic configuration. As discussed, traffic from one zone going to a different zone (inter-zone) is denied by default, while traffic to and from the same zone (intra-zone) is allowed by default. In this lab I am going to allow traffic from the Windows machine out onto the internet, and to do that we have to set up a security policy that permits it.
Set up the Windows machine on the 10.1.1.0/24 network to go from its zone ‘Internal’ to the ‘Internet’ zone and allow access to the following protocols:
- DNS port 53 (UDP)
- HTTP port 80 (TCP)
- HTTPS (SSL) port 443 (TCP)
This will allow the Windows PC onto the web and let it browse. Simply allowing HTTP and HTTPS wouldn’t be enough, as DNS is needed to translate a human-readable URL such as https://www.paloaltonetworks.com into the IP address that the traffic is then sent to.
Log into the PA GUI and select the Policies Tab.
Here we have the two default policies ‘intrazone-default’ and ‘interzone-default’. The intrazone policy allows traffic between interfaces in the same zone and the interzone policy denies traffic between different zones. If you scroll over to the far right of the policies you’ll see ‘Action’ set to Allow for the first and Deny for the second.
We need to add our own policy here to allow traffic from the Internal zone to the Internet zone and to specify the protocols we want the user to be able to access. Click on ‘Add’ to get started.
The first tab is called General, and here we give the policy some meaning by naming it and giving it a description of what it is used for. You also select the Rule Type; since I am going between different zones I have selected ‘interzone’.
Next click on the Source tab.
Under Source Zone click on Add and select the zone you want to match on, i.e. the zone the traffic is sourced from, which here is Internal. Under Source Address on the right side of the window I have the option to allow Any traffic from the Internal zone, or I can match a specific subnet or IP address. I could have multiple subnets that are part of my Internal zone, so this lets me get more granular and select which subnet should have access out onto the Internet. To make things easier down the line I can set up an Object just for the 10.1.1.0/24 subnet and reuse it elsewhere in the configuration for other policies I might set up later.
I’ve selected Add and I get this list of IP address ranges. I could simply type in the network address I want to use, but I’ll set up an object instead. To do that, click on the New Address button at the bottom. A new window pops up, shown below.
Enter a name for the object; here I am using ‘Internal 10.1.1.0 subnet’, and I have selected IP Netmask as the type since I am configuring a subnet. Click on OK and the object will be added to the configuration.
I am going to skip the User tab here as I don’t have User-ID set up yet. The User tab can be used to match a specific user on the network so that the rule only applies to that particular user. So on to the Destination tab.
In the Destination tab I am selecting the zone that I want to allow the traffic to flow to; in my case it is the Internet zone. On the right of the window it is set to Any, which is fine as we are going out onto the internet and I don’t want to start restricting which parts of the internet the user can or can’t get to.
Next is the Application tab, and here I am going to specify which applications or protocols users from the Internal 10.1.1.0/24 subnet are allowed to use. As part of the lab brief we said we wanted the users to be able to browse the internet, so that means allowing DNS, HTTPS (SSL) and HTTP.
Click on Add and add the App-IDs ssl for HTTPS traffic, dns for DNS and web-browsing for HTTP.
The last step is to select Actions.
This is where you select what action to take when traffic matches the policy we just created; since I want to allow the traffic, that is what I’ve selected.
Click on OK and the policy will be created and added to the policy configuration, as shown here.
The policy is as follows:
IF source zone is Internal AND from the 10.1.1.0/24 subnet going to the destination zone Internet AND using applications SSL, HTTP, DNS ALLOW the traffic.
Now our users on the 10.1.1.0/24 network have access to the internet. You might be wondering how the return traffic gets back to the users, since we haven’t configured a policy for traffic from the Internet zone to the Internal zone. The NGFW is a stateful firewall: it records the sessions created by the ‘Internal to Internet’ policy and allows the matching return traffic back in without another policy having to be set up for it.
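To make the evaluation order and the stateful return behaviour concrete, here is a small constructed model of this lab's rulebase (an added example, not PAN-OS code): the custom rule on top, the two defaults below it, first match wins, and a session table that lets replies back in. The port-to-App-ID mapping is a deliberate simplification; real App-ID inspects the payload.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the rulebase built in this post; not PAN-OS code.
INTERNAL_SUBNET = ip_network("10.1.1.0/24")   # the 'Internal 10.1.1.0 subnet' object

# Constructed simplification: App-ID really inspects payload, here the app is inferred from port.
APP_BY_PORT = {("udp", 53): "dns", ("tcp", 80): "web-browsing", ("tcp", 443): "ssl"}

# Rulebase in evaluation order: first match wins, defaults sit at the bottom as in the GUI.
# (name, from_zone, to_zone, source_subnet_or_None, allowed_apps_or_None, action)
RULES = [
    ("Internal to Internet", "Internal", "Internet", INTERNAL_SUBNET, {"dns", "web-browsing", "ssl"}, "allow"),
    ("intrazone-default", "same", "same", None, None, "allow"),
    ("interzone-default", "any", "any", None, None, "deny"),
]

SESSIONS = set()   # (src, sport, dst, dport, proto) tuples the firewall is tracking


def zone_for(ip):
    """Lab has two zones: the 10.1.1.0/24 interface is Internal, everything else is Internet."""
    return "Internal" if ip_address(ip) in INTERNAL_SUBNET else "Internet"


def evaluate(src, dst, proto, dport):
    """Top-down, first-match lookup for a NEW session; returns (rule_name, action)."""
    sz, dz = zone_for(src), zone_for(dst)
    app = APP_BY_PORT.get((proto, dport), f"unknown-{proto}")
    for name, frm, to, src_net, apps, action in RULES:
        if frm == "same" and sz != dz:
            continue                      # intrazone-default only matches same-zone traffic
        if frm not in ("same", "any") and (frm, to) != (sz, dz):
            continue                      # explicit zone pair does not match
        if src_net is not None and ip_address(src) not in src_net:
            continue                      # source address object does not match
        if apps is not None and app not in apps:
            continue                      # application not in the rule's list
        return name, action
    raise AssertionError("unreachable: interzone-default matches everything")


def new_session(src, sport, dst, dport, proto):
    """Client's first packet: consult the rulebase and, if allowed, create a session entry."""
    name, action = evaluate(src, dst, proto, dport)
    if action == "allow":
        SESSIONS.add((src, sport, dst, dport, proto))
    return name, action


def return_packet(src, sport, dst, dport, proto):
    """Server reply: stateful inspection matches it to an existing session, so no
    Internet-to-Internal rule is needed; an unsolicited packet has no session and is dropped."""
    return (dst, dport, src, sport, proto) in SESSIONS
```

Anything not in the rule's application list (SSH on 22, for instance) falls through to interzone-default and is denied, and a new connection from the Internet zone inwards is denied the same way.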
Lastly, don’t forget to commit the configuration for it to become active on the firewall.