This article provides a comprehensive walkthrough for configuring Layer-3 interfaces in Palo Alto firewalls, including essential security zones, routing, policies, and verification steps.
You Should Know: Essential Palo Alto Configuration Commands and Steps
1. Management Interface Configuration
```
configure
set deviceconfig system type static
set deviceconfig system ip-address 192.168.1.1 netmask 255.255.255.0
set deviceconfig system default-gateway 192.168.1.254
set deviceconfig system dns-setting servers primary 8.8.8.8
commit
```
2. Security Zone Creation
The zone name comes directly after `set zone`; attaching a Layer-3 interface to a zone also creates the zone, so no separate creation command is needed. An interface that belongs to no zone cannot be matched by any security policy.

```
set zone TRUST network layer3 ethernet1/1
set zone UNTRUST network layer3 ethernet1/2
set zone DMZ network layer3 ethernet1/3
```
3. Interface Configuration
```
set network interface ethernet1/1 layer3 ip 192.168.10.1/24
set network interface ethernet1/2 layer3 ip 203.0.113.2/29
set network interface ethernet1/3 layer3 ip 172.16.1.1/24
```
4. Virtual Router Setup
Each Layer-3 interface is added to the virtual router, and a static route needs a `destination`: `0.0.0.0/0` makes it the default route. The next hop 203.0.113.1 lies in the ethernet1/2 subnet (203.0.113.0/29), so it is directly reachable.

```
set network virtual-router default interface ethernet1/1
set network virtual-router default interface ethernet1/2
set network virtual-router default interface ethernet1/3
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1
```
5. Security Policy Configuration
Each rule also needs a `service`; `application-default` restricts every matched application to its standard ports. Note that `application any` with `action allow` permits every application between the two zones, so narrow it to the applications you actually need in production. Flows not listed here (for example UNTRUST to TRUST) fall through to the implicit interzone-default rule, which denies them.

```
set rulebase security rules TRUST-to-UNTRUST from TRUST
set rulebase security rules TRUST-to-UNTRUST to UNTRUST
set rulebase security rules TRUST-to-UNTRUST source any
set rulebase security rules TRUST-to-UNTRUST destination any
set rulebase security rules TRUST-to-UNTRUST application any
set rulebase security rules TRUST-to-UNTRUST service application-default
set rulebase security rules TRUST-to-UNTRUST action allow
set rulebase security rules TRUST-to-DMZ from TRUST
set rulebase security rules TRUST-to-DMZ to DMZ
set rulebase security rules TRUST-to-DMZ source any
set rulebase security rules TRUST-to-DMZ destination any
set rulebase security rules TRUST-to-DMZ application any
set rulebase security rules TRUST-to-DMZ service application-default
set rulebase security rules TRUST-to-DMZ action allow
set rulebase security rules DMZ-to-UNTRUST from DMZ
set rulebase security rules DMZ-to-UNTRUST to UNTRUST
set rulebase security rules DMZ-to-UNTRUST source any
set rulebase security rules DMZ-to-UNTRUST destination any
set rulebase security rules DMZ-to-UNTRUST application any
set rulebase security rules DMZ-to-UNTRUST service application-default
set rulebase security rules DMZ-to-UNTRUST action allow
```
6. NAT Policy Configuration
Both rules translate outbound sources to the address of the UNTRUST interface (ethernet1/2). End with `commit` so that the zones, interfaces, routes and rules from steps 2 to 6 become active.

```
set rulebase nat rules TRUST-to-UNTRUST-NAT from TRUST
set rulebase nat rules TRUST-to-UNTRUST-NAT to UNTRUST
set rulebase nat rules TRUST-to-UNTRUST-NAT source any
set rulebase nat rules TRUST-to-UNTRUST-NAT destination any
set rulebase nat rules TRUST-to-UNTRUST-NAT service any
set rulebase nat rules TRUST-to-UNTRUST-NAT source-translation dynamic-ip-and-port interface-address interface ethernet1/2
set rulebase nat rules DMZ-to-UNTRUST-NAT from DMZ
set rulebase nat rules DMZ-to-UNTRUST-NAT to UNTRUST
set rulebase nat rules DMZ-to-UNTRUST-NAT source any
set rulebase nat rules DMZ-to-UNTRUST-NAT destination any
set rulebase nat rules DMZ-to-UNTRUST-NAT service any
set rulebase nat rules DMZ-to-UNTRUST-NAT source-translation dynamic-ip-and-port interface-address interface ethernet1/2
commit
```
7. Verification Commands
Run these from operational mode (type `exit` to leave configuration mode). `test security-policy-match` needs the protocol number (6 = TCP) and, to be meaningful, a destination port; the zones are resolved from the routing table but can be given explicitly.

```
show interface all
show routing route
test security-policy-match from TRUST to UNTRUST source 192.168.10.100 destination 8.8.8.8 protocol 6 destination-port 443
show session all filter source 192.168.10.100
show counter global filter delta yes
```
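As an added example that is not part of the original article or of PAN-OS, the following Python script audits the `set` commands from steps 2 to 5 offline before they are committed: it checks that every interface in the virtual router belongs to a security zone, that each static route's next hop sits on a connected Layer-3 subnet, and it flags allow rules that match any application. The sample configuration is constructed from the page's own commands; the parser only understands the command forms shown on this page.

```python
import ipaddress

# Constructed sample built from the page's commands; one attribute per line also parses.
SAMPLE_CONFIG = """
set zone TRUST network layer3 ethernet1/1
set zone UNTRUST network layer3 ethernet1/2
set zone DMZ network layer3 ethernet1/3
set network interface ethernet1/1 layer3 ip 192.168.10.1/24
set network interface ethernet1/2 layer3 ip 203.0.113.2/29
set network interface ethernet1/3 layer3 ip 172.16.1.1/24
set network virtual-router default interface ethernet1/1
set network virtual-router default interface ethernet1/2
set network virtual-router default interface ethernet1/3
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1
set rulebase security rules TRUST-to-UNTRUST from TRUST to UNTRUST source any destination any application any service application-default action allow
set rulebase security rules DMZ-to-UNTRUST from DMZ to UNTRUST source any destination any application any service application-default action allow
"""

def parse_set_config(text):
    """Reduce PAN-OS 'set' lines to the facts the audit needs."""
    cfg = {"zone_of": {}, "ifaces": {}, "vr_ifaces": set(), "routes": [], "rules": {}}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["set", "zone"]:                     # set zone Z network layer3 IF
            cfg["zone_of"][tok[5]] = tok[2]
        elif tok[:3] == ["set", "network", "interface"]:   # ... IF layer3 ip A.B.C.D/len
            cfg["ifaces"][tok[3]] = ipaddress.ip_interface(tok[6])
        elif tok[:3] == ["set", "network", "virtual-router"] and tok[4] == "interface":
            cfg["vr_ifaces"].add(tok[5])
        elif tok[:3] == ["set", "network", "virtual-router"] and tok[4] == "routing-table":
            cfg["routes"].append((tok[7], tok[tok.index("nexthop") + 2]))  # (name, next hop)
        elif tok[:4] == ["set", "rulebase", "security", "rules"]:
            cfg["rules"].setdefault(tok[4], {}).update(zip(tok[5::2], tok[6::2]))
    return cfg

def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for ifname in sorted(cfg["vr_ifaces"]):          # routed interface with no zone
        if ifname not in cfg["zone_of"]:
            findings.append(f"{ifname}: in virtual router but assigned to no security zone")
    for name, nexthop in cfg["routes"]:             # next hop must be on a connected subnet
        nh = ipaddress.ip_address(nexthop)
        if not any(nh in i.network for i in cfg["ifaces"].values()):
            findings.append(f"route {name}: next hop {nexthop} is not on any L3 interface subnet")
    for name, rule in cfg["rules"].items():         # blanket allow rules
        if rule.get("action") == "allow" and rule.get("application") == "any":
            findings.append(f"rule {name}: allows any application {rule['from']} -> {rule['to']}")
    return findings
```

Running `audit(parse_set_config(SAMPLE_CONFIG))` reports the two any-application allow rules and nothing else; appending an interface that is routed but not zoned, or a route whose next hop is off-link, adds a finding per defect.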
What Undercode Say
This Palo Alto configuration establishes a segmented network architecture with separate TRUST, DMZ, and UNTRUST zones. The implementation includes:
1. Layer-3 interface configuration with security zone assignments
2. Routing setup with a default route for internet access
3. Security policies for each permitted inter-zone flow (TRUST to UNTRUST, TRUST to DMZ, DMZ to UNTRUST)
4. NAT configuration for outbound internet access
5. Verification procedures to confirm proper operation
Additional Linux networking commands that complement this setup:
```bash
ip addr show
ip route show
ping 8.8.8.8
traceroute 8.8.8.8
nmap -sT -p 1-1000 192.168.10.1
tcpdump -i eth0 -n host 203.0.113.2
netstat -tuln
iptables -L -n -v
ss -tuln
curl -I https://www.google.com
```
Windows networking commands for verification:
The first seven run in a command prompt; the last three are PowerShell cmdlets.

```
ipconfig /all
route print
ping 8.8.8.8
tracert 8.8.8.8
telnet 192.168.10.1 443
netstat -ano
nslookup www.google.com
Test-NetConnection 8.8.8.8 -Port 80
Get-NetTCPConnection
Get-NetIPAddress
```
Expected Output:
Successful implementation will show:
- Proper interface status in `show interface all`
- Correct routing table in `show routing route`
- Active sessions in `show session all`
- Policy matches in `test security-policy-match`
- Internet connectivity from test PCs
- Proper NAT translations in the traffic logs (Monitor tab)
Reported By: Shamseer Siddiqui – Hackers Feeds