Mukesh Chanderia

Palo Alto Basic Concepts

Updated: Feb 20, 2022

Ethernet interfaces can be configured for Virtual Wire, Layer 2, Layer 3, or Tap mode deployment.




The firewall supports two classes of interface: physical interfaces and logical interfaces.

Physical interfaces come in two media types, copper and fiber optic.


Logical interfaces include VLAN interfaces, loopback interfaces, and tunnel interfaces. Physical interface names (for example ethernet1/1) are predefined and cannot be changed. Each physical interface is configured with exactly one interface type: Tap, HA, Decrypt Mirror, Virtual Wire, Layer 2, Layer 3, or Aggregate Ethernet.




Subinterfaces can also be created, but only on a physical port that has already been configured with an interface type (for example Layer 2, Layer 3, or Virtual Wire).




SVI on the firewall


In the screenshot, VLAN interface 1 has been given the IP address 3.3.3.3/24.






Terminology


Interface Type: Tap, HA, Decrypt Mirror, Virtual Wire, Layer 2, Layer 3, or Aggregate Ethernet.


Link State: Green (configured and up), Red (configured but down, or disabled), Gray (not configured).


NetFlow Profile: If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click NetFlow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.


Method for Assigning an IPv4 Address


Static: you specify the IP address manually.

PPPoE: the interface obtains its address using Point-to-Point Protocol over Ethernet.

DHCP Client: the interface acts as a DHCP client and obtains its address from a DHCP server.


A zone can contain only one type of interface (for example, a Layer 3 zone holds only Layer 3 interfaces).




User Identification (User-ID) is enabled per zone, in the zone's settings: the firewall maps IP addresses to users only for traffic arriving on zones where it is enabled. Enable it on internal (trusted) zones, not on untrusted ones such as the Internet-facing zone.




Security Zones


Security zones are a logical way to group physical and virtual interfaces on the firewall.

Zones are used to control and log the traffic that traverses (passes through) specific interfaces.


An interface must be assigned to a security zone before it can process traffic.

A zone can contain multiple interfaces of the same type, but an interface belongs to only one zone.


Palo Alto Networks firewalls rely on the concept of security zones to apply security policy: security policy rules (firewall rules) are written in terms of zones, not interfaces.


Policy rules use zones to identify where traffic comes from and where it is going.

By default, traffic flows freely within a zone (intrazone), but traffic between different zones (interzone) is denied unless a security policy rule explicitly allows it. These defaults are the predefined intrazone-default (allow) and interzone-default (deny) rules at the bottom of the rulebase.


Creating a security zone on a Palo Alto Networks NG firewall involves three steps:

specify the zone name, select the zone type, and assign the interfaces to the zone.
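As an added example (not code from the original post or from PAN-OS), the following Python script models the zone rules just described: interfaces are assigned to zones, a zone accepts only one interface type, an interface belongs to one zone, and policy is evaluated on source and destination zones with the implicit intrazone-default allow and interzone-default deny applied when no explicit rule matches. The zone names, interface names and the Allow-Outbound rule are constructed for the example. On a real firewall the egress interface (and so the destination zone) comes from the virtual router's route lookup; here it is passed in directly.

```python
"""Zone-based policy evaluation modelled on the PAN-OS concepts above.

Added illustration, not code from the original post or from Palo Alto Networks.
Zone names, interface names and rules are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    zone_type: str                      # "layer3", "layer2", "virtual-wire", "tap"
    interfaces: set = field(default_factory=set)


class ZoneTable:
    """Interface -> zone assignments, enforcing the two constraints from the text:
    a zone holds interfaces of one type only, and an interface belongs to one zone."""

    def __init__(self):
        self.zones = {}            # zone name -> Zone
        self.interface_zone = {}   # interface -> zone name

    def add_zone(self, name, zone_type):
        self.zones[name] = Zone(name, zone_type)

    def assign(self, interface, iface_type, zone_name):
        zone = self.zones[zone_name]
        if iface_type != zone.zone_type:
            raise ValueError(f"{interface} is {iface_type}; zone {zone_name} "
                             f"accepts only {zone.zone_type} interfaces")
        owner = self.interface_zone.get(interface)
        if owner is not None and owner != zone_name:
            raise ValueError(f"{interface} already belongs to zone {owner}")
        zone.interfaces.add(interface)
        self.interface_zone[interface] = zone_name

    def zone_of(self, interface):
        # An interface without a zone cannot process traffic at all.
        if interface not in self.interface_zone:
            raise ValueError(f"{interface} is not assigned to any zone")
        return self.interface_zone[interface]


@dataclass
class Rule:
    name: str
    from_zones: set          # {"any"} matches every source zone
    to_zones: set            # {"any"} matches every destination zone
    action: str              # "allow" or "deny"

    def matches(self, src_zone, dst_zone):
        return (("any" in self.from_zones or src_zone in self.from_zones)
                and ("any" in self.to_zones or dst_zone in self.to_zones))


def evaluate(table, rules, ingress_if, egress_if):
    """Return (rule name, action) for a flow entering on ingress_if and leaving on egress_if.

    Rules are matched top-down on zones, never on interfaces. When nothing explicit
    matches, the implicit intrazone-default (allow) or interzone-default (deny) applies.
    """
    src = table.zone_of(ingress_if)
    dst = table.zone_of(egress_if)
    for rule in rules:
        if rule.matches(src, dst):
            return rule.name, rule.action
    if src == dst:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def build_example():
    """Constructed topology: Trust on ethernet1/2 and ethernet1/3, Untrust on ethernet1/1."""
    table = ZoneTable()
    table.add_zone("Trust", "layer3")
    table.add_zone("Untrust", "layer3")
    table.assign("ethernet1/1", "layer3", "Untrust")
    table.assign("ethernet1/2", "layer3", "Trust")
    table.assign("ethernet1/3", "layer3", "Trust")   # second interface of the same type in one zone
    rules = [Rule("Allow-Outbound", {"Trust"}, {"Untrust"}, "allow")]
    return table, rules


if __name__ == "__main__":
    table, rules = build_example()
    for ingress, egress in [("ethernet1/2", "ethernet1/1"),   # Trust -> Untrust: explicit rule
                            ("ethernet1/1", "ethernet1/2"),   # Untrust -> Trust: no rule, denied
                            ("ethernet1/2", "ethernet1/3")]:  # Trust -> Trust: intrazone, allowed
        print(ingress, "->", egress, evaluate(table, rules, ingress, egress))
```

Note that adding a fourth interface to Trust requires no policy change at all: the Allow-Outbound rule keeps matching because it names the zone, which is the practical consequence of rules being written against zones rather than interfaces.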




Routed & Routing Protocols


Routed Protocols:


A routed protocol carries user data from one network to another: e-mail, file transfers, web traffic, and so on. Routed protocols are also called network protocols.

Example: Internet Protocol (IP), both IPv4 and IPv6.


Routing Protocols:


Routing protocols are used by routers to exchange information about known networks. A router initially knows only its directly connected networks.


Using routing protocols, routers communicate with each other and share information about the networks they own and the networks they have learned from their neighbours.




Routing Information Base


admin@PA-VM> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: default (id 1)
==========
destination        nexthop          metric  flags  age  interface    next-AS
192.168.1.0/24     192.168.1.1      0       A C         ethernet1/2
192.168.1.1/32     0.0.0.0          0       A H
192.168.112.0/24   192.168.112.2    0       A C         ethernet1/1
192.168.112.2/32   0.0.0.0          0       A H

The two /24 entries are connected routes (flag C) for the networks on ethernet1/2 and ethernet1/1; the two /32 entries are host routes (flag H) for the firewall's own interface addresses, which is why they carry no egress interface. All four are active (flag A). With no default route present, a destination outside these networks is unreachable from this virtual router.



Virtual Router (Similar to VRF)


Routing traffic between different networks requires a router. Palo Alto Networks firewalls use the concept of virtual routers to route traffic, whether by static or dynamic routing.


The firewall supports dynamic routing protocols such as RIPv2, OSPF, and BGPv4, and ships with one virtual router named default.


Each Layer 3 interface, loopback interface, and VLAN interface must be associated with a virtual router, and an interface can belong to only one virtual router.


An IP address must be assigned to each interface, and a virtual router must be defined, before the firewall can route traffic. The firewall can host multiple virtual routers, each maintaining its own separate set of routes, much like VRFs. In addition to static routes, a virtual router can be configured to participate in dynamic routing. Virtual routers are used for Layer 3 IP routing and support one or more static routes.
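The routing table printed by show routing route above, and the point that each virtual router keeps its own separate set of routes, can be tied together by parsing that output. The Python script below is an added example (not code from the original post or from PAN-OS): it splits the command output into one table per virtual router, decodes the flags using the legend the command prints, and performs a longest-prefix-match lookup over the active routes, lowest metric breaking ties. The sample text is constructed from the table shown on the page plus a hypothetical second virtual router named dmz-vr holding a static default route; the interface name ethernet1/3 and the 10.10.10.0/24 network are likewise assumptions for the example.

```python
"""Parse `show routing route` output into per-virtual-router tables and look up routes.

Added example, not code from the original post or from PAN-OS. SAMPLE_OUTPUT is
constructed: the default virtual router is the table shown on the page, dmz-vr is
a hypothetical second virtual router added to show that tables are kept separately.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_OUTPUT = """\
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
192.168.1.0/24 192.168.1.1 0 A C ethernet1/2
192.168.1.1/32 0.0.0.0 0 A H
192.168.112.0/24 192.168.112.2 0 A C ethernet1/1
192.168.112.2/32 0.0.0.0 0 A H

VIRTUAL ROUTER: dmz-vr (id 2)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.10.10.1 10 A S ethernet1/3
10.10.10.0/24 10.10.10.2 0 A C ethernet1/3
10.10.10.2/32 0.0.0.0 0 A H
"""

# Flag meanings, taken from the legend the command prints.
FLAGS = {
    "A": "active", "?": "loose", "C": "connect", "H": "host", "S": "static",
    "~": "internal", "R": "rip", "O": "ospf", "B": "bgp", "Oi": "ospf intra-area",
    "Oo": "ospf inter-area", "O1": "ospf ext-type-1", "O2": "ospf ext-type-2",
    "E": "ecmp", "M": "multicast",
}


@dataclass
class Route:
    destination: ipaddress.IPv4Network
    nexthop: str
    metric: int
    flags: tuple
    age: Optional[int]
    interface: Optional[str]     # absent on host (H) routes for the firewall's own addresses
    next_as: Optional[str]

    @property
    def active(self):
        return "A" in self.flags


def parse_route_line(line):
    """Columns: destination nexthop metric flags age interface next-AS.
    Flags are space-separated and variable in number; age, interface and next-AS may be absent."""
    tokens = line.split()
    destination = ipaddress.ip_network(tokens[0])
    nexthop, metric, rest = tokens[1], int(tokens[2]), tokens[3:]
    flags = []
    while rest and rest[0] in FLAGS:
        flags.append(rest.pop(0))
    age = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    interface = rest.pop(0) if rest and not rest[0].isdigit() else None
    next_as = rest.pop(0) if rest else None
    return Route(destination, nexthop, metric, tuple(flags), age, interface, next_as)


def parse_routing_table(text):
    """Return {virtual router name: [Route, ...]}; legend, headers and separators are skipped."""
    tables, current = {}, None
    vr_header = re.compile(r"^VIRTUAL ROUTER:\s+(\S+)")
    for raw in text.splitlines():
        line = raw.strip()
        m = vr_header.match(line)
        if m:
            current = m.group(1)
            tables[current] = []
            continue
        # Route rows start with an address/prefix; everything else is decoration.
        if current is None or not re.match(r"^[0-9a-fA-F:.]+/\d+\s", line):
            continue
        tables[current].append(parse_route_line(line))
    return tables


def lookup(routes, address):
    """Longest-prefix match over active routes of one virtual router; lowest metric breaks ties."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if r.active and addr in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.destination.prefixlen, -r.metric))


def describe_flags(route):
    return [FLAGS[f] for f in route.flags]


if __name__ == "__main__":
    tables = parse_routing_table(SAMPLE_OUTPUT)
    for vr, target in [("default", "192.168.1.50"), ("default", "8.8.8.8"), ("dmz-vr", "8.8.8.8")]:
        r = lookup(tables[vr], target)
        print(vr, target, "->", "no route" if r is None else
              (str(r.destination), r.nexthop, r.interface, describe_flags(r)))
```

The lookup for 8.8.8.8 returns no route in the default virtual router but hits the static default route in dmz-vr: the same destination resolves differently depending on which virtual router the ingress interface belongs to, which is exactly the per-virtual-router separation the text describes.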
