Configuring a Palo Alto Networks firewall in Virtual Wire mode is quite easy. In this post, using the topology below, I am going to demonstrate how to configure a Palo Alto Networks firewall in Virtual Wire (V-Wire) mode.
As you can see from the topology above, we have a laptop with the IP address 192.168.1.156 in VLAN 20, placed in the trust zone, trying to access the internet in the untrust zone. The laptop is configured with the default gateway 192.168.1.1, which happens to be the IP address of our internet router; this router is in the untrust zone and belongs to VLAN 1.
We have a Palo Alto firewall with two interfaces connected to a Cisco switch. One interface, ethernet1/2, is connected to interface G1/0/2 on the Cisco switch, is configured as part of the V-Wire with VLAN 20, and belongs to the trust zone.
The other Palo Alto firewall interface, ethernet1/1, is connected to Cisco switch interface G1/0/1, is configured as part of the V-Wire with VLAN 1, and belongs to the untrust zone.
Now let's configure the same and see how traffic flows.
Step 1 – Configure the Cisco switch for the trust zone interfaces with VLAN 20

```
! Switch port facing Palo Alto ethernet1/2 (trust side), as stated in the topology
interface GigabitEthernet1/0/2
 description CONNECTED-TO-PALOALTO-TRUST-INTERFACE
 switchport access vlan 20
 spanning-tree portfast
 no shut
!
! Switch port facing the laptop (the port number is not given in the post)
interface <laptop-port>
 description CONNECTED-TO-LAPTOP
 switchport access vlan 20
 spanning-tree portfast
 no shut
```
Step 2 – Configure the Cisco switch for the untrust zone interfaces with VLAN 1

```
! Both ports stay in the default VLAN 1, so no switchport access command is needed
! Switch port facing the internet router (the port number is not given in the post)
interface <router-port>
 description CONNECTED-TO-INTERNET-ROUTER
 no shut
!
! Switch port facing Palo Alto ethernet1/1 (untrust side), as stated in the topology
interface GigabitEthernet1/0/1
 description CONNECTED-TO-PALOALTO-UNTRUST-INTERFACE
 no shut
```
Step 4 – Let's configure two zones named Untrust and Trust, and assign ethernet1/1 to the untrust zone and ethernet1/2 to the trust zone.
Network> Zone>Add
Give it the name Trust, select the Type Virtual Wire, and add the interface ethernet1/2 to the Trust zone as demonstrated below.
Step 4-B – Configure the Untrust zone
Network> Zone>Add
Step 5 – Create a security policy to allow access from the trust zone to the untrust zone (this can be configured as per your requirements with security profiles, URL filtering, etc.)
Policies>Security>Add
Give your security policy a name (V-Wire-Policy).
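For reference, here is the CLI equivalent of the zone and policy steps above, together with the interface and virtual-wire object the GUI steps rely on. This is an added example, not the post's own configuration; the virtual wire name V-Wire is an assumption, and the policy is the plain any/any allow the post describes, without the security profiles it mentions as optional.

```text
# Enter configuration mode on the PAN-OS CLI
configure

# Set both interfaces to Virtual Wire type (the GUI zone step assumes this already)
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire

# Pair the two interfaces in one virtual wire object (name "V-Wire" is an assumption).
# tag-allowed defaults to 0, i.e. untagged frames only, which matches the access ports
# in VLAN 1 and VLAN 20 on the switch; add tags here only if the switch ports are trunks.
set network virtual-wire V-Wire interface1 ethernet1/1 interface2 ethernet1/2

# Step 4 / 4-B: zones of type virtual-wire, one interface each
set zone Trust network virtual-wire ethernet1/2
set zone Untrust network virtual-wire ethernet1/1

# Step 5: V-Wire-Policy, Trust -> Untrust, application-default service
set rulebase security rules V-Wire-Policy from Trust to Untrust source any destination any application any service application-default action allow
set rulebase security rules V-Wire-Policy log-end yes

commit
```

With log-end enabled, each session crossing the V-Wire appears under Monitor > Traffic, which is the view used in the verification step below.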
You can also monitor the traffic passing through the V-Wire. In the snapshot below, I am accessing Skype and pinging the default gateway (VLAN 1) from my laptop (VLAN 20), and my traffic is passing from the Trust zone to the Untrust zone using the rule V-Wire-Policy that we created.
Monitor>Traffic
This is really a great feature from Palo Alto and the Virtual Wire can