Layer 2 Deployment:
o Palo Alto Networks Next-Generation Firewall can also be deployed in Layer 2 mode.
o In Layer 2 mode the firewall performs switching between two or more network segments.
o In this mode the PA is configured to switch traffic between those network segments.
o In a Layer 2 deployment, traffic traversing the firewall is examined according to the security policies.
o This mode provides increased security and visibility within the internal network.
o In a Layer 2 deployment, the firewall interfaces can support access links.
o In a Layer 2 deployment, the firewall interfaces can support trunk links.
o In a Layer 2 deployment, the firewall does not participate in the Spanning Tree topology.
o Any BPDUs received on the firewall interfaces are forwarded directly to the switch.
o Routing traffic between VLAN networks or other networks can still be achieved.
o In a Layer 2 deployment, routing is achieved via a default gateway.
o The default gateway is usually a Layer 3 switch supporting inter-VLAN routing.
o The default gateway can also be a firewall security appliance or a router-on-a-stick design.
1 | Page Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , Mobile: 056 430 3717
Right-click Web-Server (Toolbox Docker), open Edit config, remove the # sign and set a static IP.
Right-click PC1 (Webterm Docker), open Edit config, remove the # sign and set a static IP.
Right-click the PA firewall, open Console, and log in with the default username and password (admin/admin).
In a web browser navigate to https://192.168.8.192 and log in using admin/admin.
Let's configure the zones. Go to Network -> Zones -> Add and enter the name of the zone you want, in our case
LAN. Type should be Layer2. Click OK.
Configure another zone: go to Network -> Zones -> Add and enter the zone name, in our case
Servers. Type should be Layer2. Click OK.
Create a VLAN object to be used by the physical interfaces we will set to Layer 2. Go to
Network -> VLANs -> Add, create a new one by clicking the Add button, name it VLAN100 and click OK.
Next we set interface ethernet1/1 to Layer2 and give it the proper VLAN configuration.
Navigate to Network -> Interfaces -> Ethernet, open the properties of interface ethernet1/1
and change Interface Type to Layer2. Set VLAN to the newly created VLAN object, VLAN100.
Select Security Zone: LAN (created earlier) and click OK.
Repeat the above step for interface ethernet1/2: set it to Layer2 and give it the proper VLAN
configuration. Navigate to Network -> Interfaces -> Ethernet, open the properties of interface
ethernet1/2 and change Interface Type to Layer2. Set VLAN to the newly created VLAN object,
VLAN100. Select Security Zone: Servers and click OK.
The last stage is to create a security policy that gives granular control over the applications
allowed between the two segments and applies security profiles to those sessions. Open the Policies
tab and navigate to Security in the left pane. Click Add to create a new security policy.
Policies -> Security -> Add. You can use any name you want; in our case LAN to Servers.
Add the Source Zone, in our case LAN, and the Destination Zone, in our case Servers.
Add the applications you want to allow between the internal hosts; in our case ping and web-browsing.
Set security profiles so that sessions between your internal hosts are also inspected.
Commit the changes by clicking Commit in the top right corner to save the configuration.
Verify from PC1 to Web-Server by typing the IP address of Web-Server in the browser: http://192.168.1.20
Under Monitor > Session Browser, monitor the traffic passing through the Layer 2 firewall; the traffic is
passing from the LAN zone to the Servers zone using the rule we created.
It can also be checked from the CLI with the show session all command.
Try FTP from PC1 to Web-Server (ftp://192.168.1.20); it is denied because ftp is not one of the allowed applications.
Let's modify the security policy rule and add the ftp application.
Commit the changes by clicking Commit in the top right corner to save the configuration.
Now try ftp://192.168.1.20 again; it is accessible.
It can also be checked from the CLI with the show session all command.
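As an added example, not part of the original lab guide, the following Python script models the objects this procedure creates in the web UI (two Layer 2 zones, one VLAN object, two Layer 2 interfaces and one security rule) and renders them as the equivalent PAN-OS configure-mode set commands. Before rendering it runs a validation pass for the mistakes that most often make a Layer 2 lab "work" without inspecting anything: the two interfaces placed in different VLAN objects, a rule referencing a zone with no interface, an allow rule with application any, or an allow rule with no security profiles attached. The set command syntax is written from memory of PAN-OS and is an assumption to check against the version in use; the profile group name lab-profiles is a constructed placeholder.

```python
"""Model, sanity-check and render the Layer 2 lab as PAN-OS set commands.

Added example, not code from the original lab guide. The ``set`` syntax is an
assumption from memory of PAN-OS configure mode; verify it on your version.
The profile group name ``lab-profiles`` is a constructed placeholder.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Set


@dataclass(frozen=True)
class L2Interface:
    name: str   # physical interface, e.g. ethernet1/1
    vlan: str   # VLAN object the interface is a member of
    zone: str   # Layer 2 security zone the interface belongs to


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    applications: tuple        # App-IDs, e.g. ("ping", "web-browsing")
    action: str = "allow"
    profile_group: str = ""    # empty: no security profile group attached


@dataclass(frozen=True)
class L2Config:
    zones: tuple
    vlans: tuple
    interfaces: tuple
    rules: tuple


def validate(cfg: L2Config) -> List[str]:
    """Return problems a commit would reject or that defeat the Layer 2 design."""
    problems: List[str] = []
    zones, vlans = set(cfg.zones), set(cfg.vlans)
    zone_vlans: Dict[str, Set[str]] = {}   # zone -> VLAN objects its interfaces use
    seen: Set[str] = set()
    for i in cfg.interfaces:
        if i.name in seen:
            problems.append(f"{i.name}: listed more than once")
        seen.add(i.name)
        if i.vlan not in vlans:
            problems.append(f"{i.name}: VLAN object {i.vlan!r} is not defined")
        if i.zone not in zones:
            problems.append(f"{i.name}: zone {i.zone!r} is not defined")
        zone_vlans.setdefault(i.zone, set()).add(i.vlan)
    for z in cfg.zones:
        if z not in zone_vlans:
            problems.append(f"zone {z!r}: no interface assigned, rules using it match nothing")
    for r in cfg.rules:
        for z in (r.from_zone, r.to_zone):
            if z not in zones:
                problems.append(f"rule {r.name!r}: zone {z!r} is not defined")
        if (r.from_zone in zone_vlans and r.to_zone in zone_vlans
                and zone_vlans[r.from_zone].isdisjoint(zone_vlans[r.to_zone])):
            problems.append(f"rule {r.name!r}: zones share no VLAN object, nothing is switched between them")
        if not r.applications:
            problems.append(f"rule {r.name!r}: empty application list")
        if r.action == "allow" and "any" in r.applications:
            problems.append(f"rule {r.name!r}: allows application 'any'; list explicit App-IDs")
        if r.action == "allow" and not r.profile_group:
            problems.append(f"rule {r.name!r}: allow rule without security profiles, sessions are not inspected")
    return problems


def render(cfg: L2Config) -> List[str]:
    """Render the model as PAN-OS configure-mode set commands (assumed syntax)."""
    cmds: List[str] = []
    for v in cfg.vlans:
        members = " ".join(i.name for i in cfg.interfaces if i.vlan == v)
        cmds.append(f"set network vlan {v} interface [ {members} ]")
    for i in cfg.interfaces:
        cmds.append(f"set network interface ethernet {i.name} layer2")
    for z in cfg.zones:
        members = " ".join(i.name for i in cfg.interfaces if i.zone == z)
        cmds.append(f"set zone {z} network layer2 [ {members} ]")
    for r in cfg.rules:
        cmds.append(
            f'set rulebase security rules "{r.name}" from {r.from_zone} to {r.to_zone} '
            f"source any destination any application [ {' '.join(r.applications)} ] "
            f"service application-default action {r.action}"
        )
        if r.profile_group:
            cmds.append(f'set rulebase security rules "{r.name}" profile-setting group {r.profile_group}')
    return cmds


def allow_application(cfg: L2Config, rule_name: str, app: str) -> L2Config:
    """Return a copy of cfg with one more App-ID on the named rule (the guide's ftp step)."""
    rules = []
    for r in cfg.rules:
        if r.name == rule_name and app not in r.applications:
            r = replace(r, applications=r.applications + (app,))
        rules.append(r)
    if all(r.name != rule_name for r in rules):
        raise KeyError(rule_name)
    return replace(cfg, rules=tuple(rules))


# The lab from the guide: zones LAN and Servers, VLAN100, ethernet1/1 and ethernet1/2,
# rule "LAN to Servers" allowing ping and web-browsing with profiles attached.
LAB = L2Config(
    zones=("LAN", "Servers"),
    vlans=("VLAN100",),
    interfaces=(L2Interface("ethernet1/1", "VLAN100", "LAN"),
                L2Interface("ethernet1/2", "VLAN100", "Servers")),
    rules=(SecurityRule("LAN to Servers", "LAN", "Servers", ("ping", "web-browsing"),
                        profile_group="lab-profiles"),),   # constructed profile group name
)

if __name__ == "__main__":
    for p in validate(LAB):
        print("PROBLEM:", p)
    print("\n".join(render(LAB) + ["commit"]))
```

Run the script, paste the printed commands into configure mode and commit. allow_application(LAB, "LAN to Servers", "ftp") reproduces the second half of the lab, where ftp is added to the rule; until then any application not in the list, ftp included, is dropped, which is exactly what the lab observes. The validator's checks for application any and for missing profiles are there because both leave a Layer 2 firewall forwarding frames without the inspection that is the whole point of the design.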