Main Menu
Services Why Nile Pricing Resources Partners About ? ? ? Customer Login Partner Login

Palo Alto Network’s Next-Generation Firewall

Overview

This document is designed to assist with integrating Palo Alto Network’s (PAN) Next-Generation Firewall (NGFW) in High Availability (HA) to allow traffic to be received from the Nile Service Block (NSB) or send traffic into the NSB. This purpose of this guide is to help with seamless integration between the Nile Access Service and the customer’s extended network (e.g., upstream Internet Gateway).

Prerequisites

  1. Four unique subnets on the LAN side (/30 is fine):
    • Designed as a high-definition and always-on-service, Equal Cost Multi-Path (ECMP) used to create 4 point-to-point links to act as an L3 transit between the Nile Gateway and the Palo Alto Network’s NGFW.

Example Topology Diagram

Integration

There are multiple sections that we need to create on the Palo Alto, including:

  1. Zones
  2. Profiles
    1. Management
    2. Link Layer Discover Protocol (LLDP)
  3. Interfaces
    1. Wide Area Network (WAN)
    2. Local Area Network (LAN)
  4. Routing
    1. Static (WAN)
    2. OSPF (LAN)
  5. Firewall Rules
  6. NAT
  7. HA Pair

1. Zones

To set up Zones, please navigate to Network → Zones.

Figure 1

Click “Add” to create a new zone.
Note: The page will be empty when the firewall is being set up for the first time

Figure 2

  1. Name: Internet
  2. Log Setting: This is where to set up SNMP traps or Syslog. Fill information in based on requirement(s).
  3. Type: Layer 3
  4. Add the interfaces that are connecting to the ISP into this Internet Zone
  5. Zone Protection Profile: Fill information base on requirement(s). Note: There will be multiple options to drop the packets if they match a certain criteria like Strict source path and TCP SYN packet containing Data

Repeat the process for creating a LAN Zone and add all the interfaces that are connecting to your LAN network. Below is an example of the LAN zone that was created in reference to the topology provided above:

Figure 3

The example below shows how to setup these zones in the CLI:

				
					set zone LAN network layer3 [ ethernet1/3 ethernet1/4 ethernet1/5 ethernet1/6 ethernet1/7 ]
set zone Internet network layer3 [ ethernet1/1 ethernet1/2 ]
Management profile:
Navigate to Network → Network profiles → Interface Mgmt
  • Click on “Add” and enable the required services

Figure 4

Below shows an example setup of how to populate the Management profile in the CLI: 

				
					set network profiles interface-management-profile WAN http no
set network profiles interface-management-profile WAN https yes
set network profiles interface-management-profile WAN http-ocsp no
set network profiles interface-management-profile WAN ssh yes
set network profiles interface-management-profile WAN snmp no
set network profiles interface-management-profile WAN ping yes
set network profiles interface-management-profile WAN telnet no
set network profiles interface-management-profile WAN permitted-ip 0.0.0.0/0
LLDP profile: Navigate to Network → Network profiles → LLDP Profile
  • Click on “Add”
  • Mode: transmit-receive
  • Optional TLVS: Enable all the 4 options (Port Description, System Name, System Description, System Capabilities)

Figure 5

Below shows how to populate the LLDP profile in the CLI: 

				
					set network profiles lldp-profile "LLDP Enable" option-tlvs management-address enabled no
set network profiles lldp-profile "LLDP Enable" option-tlvs port-description yes
set network profiles lldp-profile "LLDP Enable" option-tlvs system-name yes
set network profiles lldp-profile "LLDP Enable" option-tlvs system-description yes
set network profiles lldp-profile "LLDP Enable" option-tlvs system-capabilities yes

Interfaces:
To set up the Interfaces, please navigate to Network → Interfaces → Ethernet

Figure 6

Integrating with WAN Interfaces:

Figure 7

  1. Expand on Network → Interfaces → Ethernet. Click on the interface that will be connecting to ISP1
  2. Select the Interface Type to be “Layer3
  3. Config:
    1. Virtual Router: Default (This is where to populate routing related information)
    2. Security Zone: Internet
  4. IPv4:

Figure 8

  1. Select Add → Populate with the IP address that the ISP provided
    5. Advanced

Figure 9

  1. Select the Management Profile that was previously created for the WAN interfaces

Repeat the same steps for WAN2.
Below shows how to populate the WAN interfaces in the CLI:

				
					set network interface ethernet ethernet1/1 comment "Link to ISP1"
set network interface ethernet ethernet1/1 layer3 ip 172.16.14.2/29
set network interface ethernet ethernet1/1 layer3 interface-management-profile WAN
set network interface ethernet ethernet1/1 link-state up

set network interface ethernet ethernet1/2 comment "Link to ISP2"
set network interface ethernet ethernet1/2 layer3 ip 172.16.13.2/29 
set network interface ethernet ethernet1/2 layer3 interface-management-profile WAN
set network interface ethernet ethernet1/1 link-state up

Integrating with the LAN Interfaces: 

Figure 10

  1. Expand on Network → Interfaces → Ethernet. Click on the interface that will be connecting to Nile GW1/36
  2. Select the Interface Type to be “Layer3
  3. Config:
    1. Virtual Router: Default (If the customer already has a virtual router created and set up for the WAN interfaces, use that instead of Default)
    2. Security Zone: LAN
  4. IPv4:
    1. Select Add → 172.16.5.1/30 (Note: The /30 IP address may be different. The IP address used here is only for reference)
  5. Advanced
    1. Enable Management profile if needed
    2. LLDP → Enable LLDP and select the LLDP profile that will advertise the system info

Repeat the same process for all other interfaces that will be connecting to the Nile GW and to your Extended LAN
Below shows how to populate the WAN interfaces in the CLI: 

				
					set network interface ethernet ethernet1/3 comment "Link to Nile GW1/36"
set network interface ethernet ethernet1/3 layer3 ip 172.16.5.1/30 
set network interface ethernet ethernet1/3 layer3 lldp enable yes
set network interface ethernet ethernet1/3 layer3 lldp profile "LLDP Enable"
set network interface ethernet ethernet1/3 layer3 interface-management-profile LAN
set network interface ethernet ethernet1/3 link-state up

set network interface ethernet ethernet1/4 comment "Link to Nile GW1/34"
set network interface ethernet ethernet1/4 layer3 ip 172.16.6.1/30 
set network interface ethernet ethernet1/4 layer3 lldp enable yes
set network interface ethernet ethernet1/4 layer3 lldp profile "LLDP Enable"
set network interface ethernet ethernet1/4 layer3 interface-management-profile LAN
set network interface ethernet ethernet1/4 link-state up

set network interface ethernet ethernet1/5 comment "Link to Nile GW2/36"
set network interface ethernet ethernet1/5 layer3 ip 172.16.7.1/30 
set network interface ethernet ethernet1/5 layer3 lldp enable yes
set network interface ethernet ethernet1/5 layer3 lldp profile "LLDP Enable"
set network interface ethernet ethernet1/5 layer3 interface-management-profile LAN
set network interface ethernet ethernet1/5 link-state up

set network interface ethernet ethernet1/6 comment "Link to Nile GW2/34"
set network interface ethernet ethernet1/6 layer3 ip 172.16.8.1/30 
set network interface ethernet ethernet1/6 layer3 lldp enable yes
set network interface ethernet ethernet1/6 layer3 lldp profile "LLDP Enable"
set network interface ethernet ethernet1/6 layer3 interface-management-profile LAN
set network interface ethernet ethernet1/6 link-state up

set network interface ethernet ethernet1/7 comment "Link to the DHCP, DNS, Radius"
set network interface ethernet ethernet1/7 layer3 ip 172.16.9.1/30 
set network interface ethernet ethernet1/7 layer3 lldp enable yes
set network interface ethernet ethernet1/7 layer3 lldp profile "LLDP Enable"
set network interface ethernet ethernet1/7 layer3 interface-management-profile LAN
set network interface ethernet ethernet1/7 link-state up

Routing:
Customers should use Static Route to add the default route towards the WAN interfaces. On LAN interfaces, it is recommended to use OSPF on the PAN’s NGFW whenever possible. If there are certain limitations where OSPF cannot be used on the firewall, static routing should be used.

Below example shows how to add all of the interfaces to the virtual router in the CLI:

				
					set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ethernet1/4 ethernet1/5 ethernet1/6 ethernet1/7 ]

OSPF (LAN):

Figure 11

  1. Expand on Virtual Router → Default → OSPF
  2. Enable OSPF 
  3. Router ID: 0.0.0.1
  4. Areas:
    1. Add
    2. Area ID: 0.0.0.0 (Backbone Area)
    3. Type: Normal 
    4. Interface:

Figure 12

  1. Add

Figure 13

2. Select the interface from the drop down
3. Enable
4. Link Type: Broadcast
5. Timing: Leave the default values
6. Metric/Priority: Populate with the same value for all the 4 interfaces connecting to the Nile GW as we will set up ECMP)
7. Auth Profile: None (At the moment we don’t support authentication for forming OSPF neighbor relationship)

5. Export Rules:

  1. Navigate to OSPF → Export Rules (Note: This is where routes advertised are populated)

Figure 14

  1. Add
    1. Name: 0.0.0.0/0
    2. New Path Type: Ext 1

Below shows how to populate OSPF on the LAN interfaces of the virtual router in the CLI:

				
					set network virtual-router default protocol ospf router-id 0.0.0.1
set network virtual-router default protocol ospf area 0.0.0.0 type normal 
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 passive no
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 gr-delay 10
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 metric 10
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 priority 1
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 hello-interval 10
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 dead-counts 4
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 retransmit-interval 5
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 transit-delay 1
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/3 link-type broadcast 
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/4 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/4 passive no
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/4 gr-delay 10
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/4 metric 10
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/4 priority 1
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/4 hello-interval 10
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/4 dead-counts 4
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/4 retransmit-interval 5
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/4 transit-delay 1
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/4 link-type broadcast 
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/5 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/5 passive no
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/5 gr-delay 10
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/5 metric 10
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/5 priority 1
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/5 hello-interval 10
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/5 dead-counts 4
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/5 retransmit-interval 5
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/5 transit-delay 1
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/5 link-type broadcast 
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/6 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/6 passive no
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/6 gr-delay 10
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/6 metric 10
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/6 priority 1
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/6 hello-interval 10
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/6 dead-counts 4
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/6 retransmit-interval 5
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/6 transit-delay 1
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/6 link-type broadcast 
set network virtual-router default protocol ospf allow-redist-default-route yes
set network virtual-router default protocol ospf export-rules 0.0.0.0/0 new-path-type ext-1
set network virtual-router default protocol ospf export-rules 0.0.0.0/0 metric 10
set network virtual-router default protocol ospf reject-default-route no

Static Routing (WAN):

  1. Expand on Network → Virtual Routers → default (Note: A virtual router defined can also be used)
  2. Static Routes → Add 
    1. Name: Default Route
    2. Destination: 0.0.0.0/0
    3. Interface: ethernet1/1
    4. Next Hop: IP Address – 172.16.14.1 (Gateway address for the ISP1)
    5. Metric: 10 (Default is 10, but if different weighted links across the WAN is desired, then change the metric accordingly)
    6. Route Table: Unicast

Repeat the same steps to set up a default static route for WAN2

Note: If WAN1 is the primary link to the Internet, set the Metric as 20 while setting the default route for WAN2. If both the ISP links are used to reach the Internet, set the metric to 10 as PAN’s NGFW uses ECMP over routes with the same Metric value.

Below example shows how to add static routes via WAN on the virtual router in the CLI:

 
				
					set network virtual-router default routing-table ip static-route "Default Route" interface ethernet1/1
set network virtual-router default routing-table ip static-route "Default Route" destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route "Default Route" nexthop ip-address 172.16.14.1
set network virtual-router default routing-table ip static-route "Default Route" metric 10
set network virtual-router default routing-table ip static-route "Default Route" route-table unicast 

set network virtual-router default routing-table ip static-route "Default Route" interface ethernet1/2
set network virtual-router default routing-table ip static-route "Default Route" destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route "Default Route" nexthop ip-address 172.16.13.1
set network virtual-router default routing-table ip static-route "Default Route" metric 10
set network virtual-router default routing-table ip static-route "Default Route" route-table unicast

Setting up ECMP:

  • Navigate to the Virtual Router → Default → Router Settings → ECMP

Figure 15

  • Enable ECMP
  • Max Path: 4
  • Load Balance method: Weighted Round Robin
  • Add all the interfaces that should be load balanced (i.e., BothWAN links and all the links connecting the Nile Gateways)

Below example shows how to populate ECMP on interfaces of the virtual router in the CLI:

				
					set network virtual-router default ecmp enable yes
set network virtual-router default ecmp max-path 4
set network virtual-router default ecmp algorithm weighted-round-robin interface ethernet1/1 weight 100
set network virtual-router default ecmp algorithm weighted-round-robin interface ethernet1/2 weight 100
set network virtual-router default ecmp algorithm weighted-round-robin interface ethernet1/3 weight 100
set network virtual-router default ecmp algorithm weighted-round-robin interface ethernet1/4 weight 100
set network virtual-router default ecmp algorithm weighted-round-robin interface ethernet1/5 weight 100
set network virtual-router default ecmp algorithm weighted-round-robin interface ethernet1/6 weight 100
Firewall Rules:
By default, PAN’s NGFWallows the intrazone (within the same zone) traffic to go through and it blocks the interzone (between two different zones) traffic.
Since two zones were created (i.e.,WAN and LAN), a rule to allow the traffic from LAN to be allowed through the WAN needs to be created.

Figure 16

Allowing access to Internet:
  1. Expand on Policy → Security → Add
  2. Name: Provide a name for the rule
  3. Rule Type: Universal
  4. Source: 
    1. Source Zone: Add → LAN 
    2. Source Address: Any

Figure 17

5. User: Any
6. Destination:

  1. Destination Zone: Add → WAN
  2. Destination Address: Any

7. Application: Any
8. Service/URL Category: Any
9. Action: Allow
Note: Please change the rules according to any requirement(s). If you don’t want to allow everything to the internet, then under the source or the destination tab use the appropriate addresses.

Below example shows how to populate firewall policies between zones or addresses in the CLI:

				
					set rulebase security rules "LAN -- WAN" description "This rule is set up to allow communication from LAN to WAN"
set rulebase security rules "LAN -- WAN" from LAN
set rulebase security rules "LAN -- WAN" to Internet
set rulebase security rules "LAN -- WAN" source any
set rulebase security rules "LAN -- WAN" destination any
set rulebase security rules "LAN -- WAN" source-user any
set rulebase security rules "LAN -- WAN" category any
set rulebase security rules "LAN -- WAN" application any
set rulebase security rules "LAN -- WAN" service any
set rulebase security rules "LAN -- WAN" hip-profiles any
set rulebase security rules "LAN -- WAN" action allow

NAT:
By default PAN’s NGFW doesn’t NAT the traffic.To route all traffic from LAN to WAN and NAT them, additional setup might be needed.

Figure 18

  1. Navigate to Policies → NAT → Add
  2. General:
    1. Name: Provide a name to the rule
    2. NAT Type: IPv4
  3. Original Packet:

Figure 19

  1. Source Zone: Add → LAN
  2. Destination Zone: Internet
  3. Destination Interface: Any
  4. Service: Any
  5. Source Address: Any
  6. Destination Address: Any

4. Translated Packet:

Figure 20

  1. Source Address Translation:
    1. Translation Type: Dynamic IP and Port
    2. Address Type: Interface Address
    3. Interface: Ethernet 1/1
    4. IP Address: 172.16.14.2/29
  2. Destination Address Translation Type: None

Note: Make sure that another rule similar to this for WAN2 is created

Below is an example of setting NAT policies between zones or addresses within the CLI:

				
					set rulebase nat rules "LAN to WAN translation" description "This rule is to NAT the traffic that is originating in the LAN and destined towards the WAN"
set rulebase nat rules "LAN to WAN translation" from LAN
set rulebase nat rules "LAN to WAN translation" to Internet
set rulebase nat rules "LAN to WAN translation" source 172.16.0.0/16
set rulebase nat rules "LAN to WAN translation" destination any
set rulebase nat rules "LAN to WAN translation" source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase nat rules "LAN to WAN translation" source-translation dynamic-ip-and-port interface-address ip 172.16.14.2/29
set rulebase nat rules "LAN to WAN translation" service any

Integrating the HA:
Integration on Primary Palo Alto:

Figure 21

  1. Expand on Device → High Availability
  2. Setup:
    1. Enable HA: Check the box
    2. Group ID: 10
    3. Mode: Active-Passive
    4. Enable Config Sync: Check the box
  3. Active/Passive Settings:
    1. Passive Link State: Auto
  4. Control Link (HA1):
    1. Use the default setup. Management port will be used for this link.
    2. Create another port if preferred over the management port for the control link.
  5. Data Link (HA2):
    1. Enable Session Synchronization: Check the box
    2. Port: Ethernet 1/8
    3. IPv4 Address: 192.168.224.1
    4. Netmask: 255.255.255.252 (Figure 21 shows  /24 subnet to showa direct link between the 2 Palo Alto Network’s NGFW. A /31 or a /30 subnet can be used instead)
    5. Transport: Ethernet

See below for the CLI version of integrating HA pair:

				
					set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 10
set deviceconfig high-availability group mode active-passive passive-link-state auto
set deviceconfig high-availability group election-option device-priority 250
set deviceconfig high-availability group election-option timers recommended 
set deviceconfig high-availability group peer-ip 192.168.224.2
set deviceconfig high-availability interface ha1 port management
set deviceconfig high-availability interface ha1-backup 
set deviceconfig high-availability interface ha2 port ethernet1/8
set deviceconfig high-availability interface ha2 ip-address 192.168.224.1
set deviceconfig high-availability interface ha2 netmask 255.255.255.0
set deviceconfig high-availability interface ha2-backup 
set deviceconfig high-availability interface ha3
Contact Sales

Register Now