A dedicated out-of-band management Ethernet interface is pre-configured with the default IP address 192.168.1.1.
Configure your workstation with an address in 192.168.1.x/24 and connect it to the management port to access the device.
VM-Series firewalls obtain their management address via DHCP.
The default username and password are both admin.
The device also has a serial port for console connection.
Licenses
A) Threat Prevention
1) Anti-Virus
2) Anti-Spyware, which covers adware, spyware and key loggers.
Adware --> programs that typically display blinking advertisements or pop-up windows when you perform a certain action.
Spyware --> invisible software that gathers information about your computer use, including browsing.
Key loggers --> a form of spyware that captures every keystroke you type; the captured keystrokes can be sent to remote servers, where log-in information, including your passwords, can be extracted and used.
3) Anti Vulnerability Protection
4) File Blocking & Data Filtering
5) Basic Wildfire
B) URL Filtering
BrightCloud DB
Palo Alto Database (PAN DB)
C) Global Protect (Remote Access VPN)
D) Advanced Wildfire --> Optional
Types of Interfaces
1) TAP
This is not an inline deployment; it is used for a Proof of Concept (POC).
Typically the legacy firewall is connected to a switch and, for the POC, we just want to mirror the traffic going to and from that firewall to the NGFW.
This is achieved by configuring a SPAN port on the switch.
The advantage is traffic visibility: with the mirrored traffic, logging and monitoring can be done (not enforcement, since the firewall is not inline).
2) HA Mode
HA interfaces are required to deploy firewalls in redundant (HA) mode.
A minimum of two HA interfaces is required.
HA1: Control Link [Hello messages, heartbeat, configuration synchronization]
HA2: Data Link [Session table, ARP table, IPsec SAs etc. synchronization]
3) Virtual Wire
Bump in the wire
Inline deployment (it can inspect and control traffic up to Layer 7)
One vwire group supports only a pair of interfaces.
No switching or routing
No IP address required
No change to the IP schema of the existing network topology
On a Cisco router, if we need to bridge traffic between two interfaces, we create a bridge group and put both interfaces in it:
# bridge 1 protocol ieee
# interface Ethernet0/1
#  bridge-group 1
# interface Ethernet0/2
#  bridge-group 1
With integrated routing and bridging (bridge irb) the bridge group also gets a virtual interface (BVI), which can be Layer 3, i.e. an IP address can be assigned to it.
On a Layer 3 switch the command "no switchport" makes a port a routed interface.
4) Layer 2 Mode
Inline deployment
IP address is not required
Supports more than two interfaces
MAC/VLAN-based forwarding
5) Layer 3 Mode
Inline deployment
IP address required
Must be associated with a virtual router
Routing table (default)
Security zone
IP address and subnet mask, e.g. 172.16.1.1/24
Interface management profile (optional)
Physical interface attributes (optional): speed, duplex etc.
Note: a duplex mismatch results in late collisions, whereas a speed mismatch brings the interface down.
Security Policy
Security rules are processed sequentially from top to bottom, and once a match is found no further matching is done. There are two types of security policies.
1) Implicit Policy: Default Policy
Cannot be deleted or customized (overriding is possible to a certain extent, e.g. logging can be enabled).
A) Intrazone Policy: Intrazone communication is allowed but not logged.
B) Interzone Policy: Interzone communication is denied and not logged.
2) Explicit Policy: User-defined policy (created by the administrator), fully customizable.
Components of Policy
1) Name
2) Source: Source zone, source address (host or network address, region/country, etc.)
3) Destination: Destination zone, destination address (host or network address, region/country, etc.)
4) Application: Specific application or any
5) Service: Application-Default, Any, Custom (destination TCP/UDP port number)
6) Actions: Drop, Deny/Reject, Allow, Reset Client, Reset Server, Reset both Client & Server; logging
7) Profile: Security Profiles [Content ID]
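To make the top-down, first-match behaviour and the implicit intrazone/interzone rules concrete, here is an added Python simulator of a security policy lookup. It is not PAN-OS code and not part of these notes; the rule fields, the application-default port table and the sample rulebase are constructed for illustration.

```python
"""Toy simulator of top-down security policy lookup (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

# Hypothetical "application-default" port table (real App-ID metadata is larger).
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "dns": {("udp", 53), ("tcp", 53)},
    "ssh": {("tcp", 22)},
}


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str        # App-ID result, e.g. "web-browsing"
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass
class Rule:
    name: str
    src_zones: list   # zone names or [ANY]
    dst_zones: list
    src_addrs: list   # CIDR strings or [ANY]
    dst_addrs: list
    apps: list        # application names or [ANY]
    service: object   # "application-default", ANY, or a set of (proto, port)
    action: str       # allow, deny, drop, reset-client, reset-server, reset-both
    log: bool = True


def _match_list(value, allowed):
    return ANY in allowed or value in allowed


def _match_addr(ip, cidrs):
    if ANY in cidrs:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def _match_service(flow, rule):
    if rule.service == ANY:
        return True
    if rule.service == "application-default":
        # Only the application's standard port(s) are accepted.
        return (flow.proto, flow.dst_port) in APP_DEFAULT_PORTS.get(flow.app, set())
    return (flow.proto, flow.dst_port) in rule.service


def matches(rule, flow):
    return (_match_list(flow.src_zone, rule.src_zones)
            and _match_list(flow.dst_zone, rule.dst_zones)
            and _match_addr(flow.src_ip, rule.src_addrs)
            and _match_addr(flow.dst_ip, rule.dst_addrs)
            and _match_list(flow.app, rule.apps)
            and _match_service(flow, rule))


def lookup(rules, flow):
    """Return (rule name, action, logged) for the first matching rule.

    With no explicit match the implicit rules apply: intrazone traffic is
    allowed, interzone traffic is denied, and neither is logged by default.
    """
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action, rule.log
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow", False
    return "interzone-default", "deny", False


# Constructed sample rulebase (not from the notes). Order matters.
RULEBASE = [
    Rule("allow-web", ["trust"], ["untrust"], ["10.0.0.0/8"], [ANY],
         ["web-browsing", "ssl"], "application-default", "allow"),
    Rule("block-ssh-out", ["trust"], ["untrust"], [ANY], [ANY],
         ["ssh"], ANY, "reset-client"),
    Rule("deny-rest-out", ["trust"], ["untrust"], [ANY], [ANY],
         [ANY], ANY, "deny"),
]

if __name__ == "__main__":
    samples = [
        Flow("trust", "untrust", "10.1.2.3", "203.0.113.10", "web-browsing", "tcp", 80),
        Flow("trust", "untrust", "10.1.2.3", "203.0.113.10", "web-browsing", "tcp", 8080),
        Flow("trust", "untrust", "10.1.2.3", "203.0.113.10", "ssh", "tcp", 22),
        Flow("trust", "trust", "10.1.2.3", "10.1.2.4", "ssh", "tcp", 22),
        Flow("dmz", "trust", "172.16.1.10", "10.1.2.3", "ssh", "tcp", 22),
    ]
    for f in samples:
        print(f"{f.src_zone}->{f.dst_zone} {f.app}/{f.proto}/{f.dst_port}: {lookup(RULEBASE, f)}")
```

Two things the run shows that the list above only states: web-browsing on tcp/8080 fails the application-default service check of allow-web and falls through to the explicit deny-rest-out rule (where it is logged), and an ssh flow hits block-ssh-out before the broader deny-rest-out because matching stops at the first hit. Traffic with no explicit match, such as dmz to trust, ends at the implicit interzone deny, which is not logged, so adding an explicit logging deny rule at the bottom is what makes those drops visible.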