Palo Alto Series – Part I

Like any other firewall, Palo Alto is a very feature-rich firewall; we'll see those features as this series goes on.

When we boot the firewall, connect the management cable and open a session, it comes up with IP : ; so connect a laptop and access the firewall via

PA has separate mgmt and console ports. In higher versions a serial port is also available.

Topology :


Here, R6 is our DMZ router, Win is the inside user PC, and towards R5 we have the outside zone.

By default Palo Alto has as its management address; if we want to configure management, connect a PC in the same IP segment and take access from there, otherwise we can change it via the console.

Mgmt IP Configuration by CLI:

set deviceconfig system ip-address  netmask type static

By default it takes a dynamic IP address.

To edit the management interface settings on the firewall :


Check the management IP with the following command to verify :

show system info

So, like any other firewall, PA also has interfaces on the device, but they are of certain types :

  1. Layer 3
  2. Vwire : for sniffing traffic
  3. Layer 2
  4. HA : for syncing state information and replicating data
  5. TAP : to send data from a remote part of the network to the PA firewall for analysis

Next, we have the virtual router concept in Palo Alto, like VRFs on Cisco routers. In this series we'll be assigning interfaces to different virtual routers, starting from VR-1.

By default all interfaces are part of the default virtual router.

Like some other vendors' firewalls, PA also supports creating zones and assigning different interfaces to those zones.

Eg : Inside zone, Outside zone, DMZ zone

We can assign multiple interfaces and sub-interfaces to these zones, and we can set up our policies based on zones.

Now, Let’s create Zones :

Go to Network Tab, click on Zones and click on Add :


In the same way we can create the Outside and DMZ zones as well. We could add interfaces here too, but we haven't defined any interface so far, so we'll link interfaces later.

Now, create the virtual router :

By default there will be a default virtual router. Delete it if you don't wish to use it, and click on create to create your custom virtual router.


Now, let's configure the interfaces as per the topology given in the diagram; we'll reference the security zones and the virtual router there :


And we have configured all the interfaces. Click on Commit and commit all the changes.


Now, configure the default route for the data plane, i.e. for our virtual router VR-1.

Go to virtual router VR-1 and click on More Runtime Stats for routing information.


Here we can see all the networks and the IP addresses assigned to the interfaces that are part of this virtual router. But there is no default route, so let's configure it.

To configure a default route, go to Network –> Virtual Routers –> VR-1, click on it, go to Static Routes and click on Add to configure the default route.


Once committed, the routing table now has 1 static route and it looks like :


Here, I have also attached a management profile on the inside interface to allow ping and some other protocols from my inside PC.


Security Policy :

The default policy on the PA firewall denies any traffic that is routed or forwarded between two different zones. However, traffic within the same zone is permitted by default.

Like any other firewall, PA is also a stateful firewall, meaning we only need to permit traffic in one direction; the return traffic is permitted by default through the already-built session.

So, through a security policy we can allow a user based on a specific source IP, destination IP and service/port.

By default, we can see inter-zone traffic is denied and intra-zone traffic is allowed.

Go to Policies, then Security, to see the rules and make changes to the policy here :


Now, click on Add (bottom left) to add a new security policy.


To allow inside users to reach the internet, we gave the rule the name Inside_To_Internet :


As shown above, we are allowing inside users to access the internet, but only for the applications given above. Commit the changes.

The inside users will still not be able to reach the internet because of the private IPs assigned to them. I have NATed the inside users' IPs on R5 to allow them to go to the internet, and once the NAT is done, inside users can browse the internet. Output from the inside PC :

NAT Configuration on Router R5 :



Let's test browsing :


PAT : Port Address Translation

I am now going to implement PAT directly on our PA firewall instead of explaining what PAT is and what it does.

Go to Policies –> click on NAT –> and then click on Add :


And choose the parameters below :

Source zone is Inside, destination zone is Outside; choose the destination interface (as there could be many interfaces assigned to the outside zone), and then the service and the actual source and destination IP addresses.


To do the PAT, now click on Translated Packet, where we define the action to perform if a packet matches the criteria we defined under Original Packet :


In Translation Type, choose Dynamic IP and Port. There are other options too, which we'll discuss later, but for PAT choose Dynamic IP and Port.

In Address Type choose Interface Address, because we already have an IP assigned on the interface, so use that instead of a new IP. We could use another IP here by choosing Translated Address as the address type. So for now it's Interface Address.

Now, specify the interface (port) on which we want to overload the IP and port, and its IP address, as shown in the above snapshot; click on OK and commit.

Now let's see if this is working :


As you can see, from our user machine I can reach the internet, and nslookup is working fine as well.


NAT sessions on the router :

Ping session : We can see the actual source IP is  but after PAT on the firewall the request hits router R5 with source IP  and that is again statically translated to  on router R5 to reach the internet.

If PAT had not been configured on the firewall, then this translation on the router would have been from to


NSLOOKUP session : (On the user machine I have configured as the primary DNS)


DMZ Server Access :

Now, to check access to a DMZ server, what is actually required is :

  1. A server placed in the DMZ zone;
  2. NAT : generally the user hits the public IP of the server, but that public IP is actually NATed to some private IP and then the traffic is processed by the firewall;
  3. Policy : a firewall policy to allow that traffic.

Configuration to enable http/https on a Cisco router :

username cisco privilege 15 secret cisco
interface FastEthernet0/0
 ip address
ip route
ip http server
ip http authentication local
ip http secure-server
wr

Now let's configure static NAT :


Translated Packet : choose Bidirectional


and commit.

Now, let’s configure the security policy to allow this access.


We have allowed http and https services from outside to DMZ zone.

Now, commit this.

Let's test this :

Let's do http from router R5 :


And similarly for port 443 :

R5#telnet 443 /source-interface fastEthernet 0/0

Trying, 443 … Open

It is also open.

Now, let’s try to open it from a windows user machine :


And we can see here that static NAT is working and we are able to access the http/https services.

Now, let's change the administrator's password :

Go to Device –> Administrators –> and click on the admin account to change the password.

Or, here we can click on Add to create a new user and give them privileges such as superuser or read-only user.


To reboot or gracefully shut down the device, choose from here :


Backup and restore of the configuration :

  1. To save the current running-configuration snapshot :


  2. Now, click on Export named configuration snapshot to save it on your local PC :


Choose the one we created in step 1 and it will download the snapshot to the local PC.

Now if anything goes wrong with this firewall, let's say it is blown away and we need to replace it with a new one, then we only have to configure the management IP and then we can import and load this snapshot.

  3. To import the snapshot on a newly installed firewall, or if we want to load the old snapshot on the same firewall :

– Click on Import named configuration snapshot, click on Browse and import it.

In this example, I have imported the one we exported in step 2.


And then load the imported snapshot :


Click on Commit after loading to see all the configuration we had when we took the snapshot.

Licensing the firewall :

Advanced features such as SSL encryption and decryption on the firewall, used to find malware/threats in the traffic between a user and the actual web server on the internet, need licensing; for these kinds of features PA acts as a proxy, like a man in the middle.

URL filtering, data filtering, threat prevention (anti-virus, anti-malware and anti-spyware) and VPN support for remote access also need licensing.

So, to license the firewall, first create a support account on the Palo Alto support center website, then register the device by entering the CPU ID and UUID, which are shown on the firewall's dashboard, to get it licensed.

Then go to Device –> Licenses and choose from the License Management options below :


Either retrieve the license key directly or upload it manually.

Once it is licensed, we can see the firewall's serial number on the dashboard page.

Before upgrading a firewall, make sure you have downloaded and installed the dynamic updates, which are a prerequisite, and then go for the major release. In some cases you might need to download the base version first if you are going for a major version change.

So, it goes like : Dynamic update –> Download base version –> Download and install the latest version whose base version we already downloaded –> Reboot

App vs. Protocol and Port security policies :

So, till now we have configured the policies below on our firewall :


In policy no. 2, we are allowing access from the internet to our DMZ server, but in this policy we are only checking up to the port level, i.e. http/https traffic. What if malicious traffic comes in as an attack on port 80/443? In that rule we are not inspecting up to the application level. Palo Alto provides that functionality by looking up to the application level, i.e. at what is inside the packet.

For example, in policy 1 we have allowed certain applications like dns, ping, SSL and web-browsing, so if an attacker sends data on UDP port 53 as a DNS query but puts something else inside the payload instead of a genuine DNS request, the firewall will quickly realize that and drop the traffic.

So, when we define a policy, the Services tab opens access up to the transport layer and the Application tab up to layer 7.

Sometimes in Services we choose application-default; what does that mean?

Application-default for the service means the rule uses the well-known, expected ports associated with the application objects we define under the Application tab of the policy rule. This way we can control traffic up to the application level, e.g. we can allow users to go to Facebook but not allow them to play any game or chat on Facebook.

Besides the application granularity, we can also tie those conversations to the actual user, so that we can identify which user, associated with which IP address, is attempting what activity.

We can see all applications which Palo Alto recognizes by going to Applications under Objects tab.


So, it's currently showing 2458 applications it recognizes, but this number will only grow day by day.

If you want to see what it offers, click on any application and it will tell us some important characteristics :

I have clicked on web-browsing and we can see the standard port it uses, timeout info and some other info.


So we define applications in policies so that our firewall can perform deep packet inspection up to the application level, i.e. inspect the payload of the packet.

Destination NAT :

We generally require destination NAT when someone from the outside world wants to access servers placed in our internal network. So, the outside user hits the public IP (as outside users can only reach a public IP over the internet) on the outside zone of the firewall, the destination IP gets NATed to a private IP, and the packet then goes to the actual server, which really has a private IP address.


Earlier in this series we did source NAT, when the packet was initiated from the inside network and was going out to the internet, but we did that translation bidirectionally.

Now, we are going to perform destination NAT.

In destination NAT, one point needs closer attention: here the packet is coming from the internet, i.e. the outside zone, and it will hit the IP (the globally reachable address; in our lab environment I am taking ) which is also part of the outside zone. So, we'll be defining the NAT rule from the outside zone to the outside zone.


and in Translated Packet : we are not going to translate the source, but we are going to translate the destination IP to  which is the IP of our DMZ server.


Disable NAT rule no. 2, as it did the same thing for traffic going from DMZ to outside.

Commit the changes.

And now let's test this : I am going to telnet to (the outside interface IP) from R6 (the outside device) on port 80 and see the output.

R6#telnet 80 /source-interface fastEthernet 0/0

Trying, 80 … Open

And it is open, meaning our destination NAT is working fine.

Also, I have allowed telnet through the policy and now I can telnet to the DMZ device :

R6#telnet /source-interface fa0/0

Trying … Open

User Access Verification

Username: cisco



Line       User       Host(s)              Idle       Location

0 con 0                idle                 00:06:20

* 98 vty 0     cisco      idle                 00:00:00


Interface    User               Mode         Idle     Peer Address

So, here we can see the outside user's IP, in this case  from where we telnetted to this router.

So, what is preferred, or what should we define in the policy on the Palo Alto when we perform destination NAT? It's like this :

Post-NAT zones and pre-NAT addresses are used.


In the above policy we have defined the destination zone as DMZ, which is the post-NAT zone (because in the NAT rule we defined outside-to-outside zones), and as the destination address, which is the pre-NAT address.
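The three pieces of packet handling this post has walked through (the stateful, zone-based default policy, the Dynamic IP and Port source NAT using the outside interface address, and the destination NAT rule whose security policy is written with the post-NAT zone but the pre-NAT address) fit together in one order of operations. The following Python model is an added example, not Palo Alto code: NAT is matched on the original packet, the destination zone is re-derived by routing the translated destination through the virtual router, and the security rulebase is then matched with pre-NAT addresses and post-NAT zones. Intrazone traffic is allowed and interzone denied unless a rule matches, a rule's application must match the identified App-ID (and with service application-default also its standard port), and the reply half of an allowed session passes without a second policy lookup. Every IP, interface, port table and rule name is constructed for the example.

```python
"""Toy model of the PAN-OS flow order described in the post (constructed
example, not Palo Alto code). All IPs, interfaces, rules and ports are made up."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed topology: interface -> (connected network, zone, interface address)
INTERFACES = {
    "ethernet1/1": (ip_network("10.1.1.0/24"), "Inside", ip_address("10.1.1.1")),
    "ethernet1/2": (ip_network("203.0.113.0/24"), "Outside", ip_address("203.0.113.2")),
    "ethernet1/3": (ip_network("172.16.1.0/24"), "DMZ", ip_address("172.16.1.1")),
}
# VR-1 routing table: connected routes plus the static default route via ethernet1/2
ROUTES = [(net, iface) for iface, (net, _zone, _ip) in INTERFACES.items()]
ROUTES.append((ip_network("0.0.0.0/0"), "ethernet1/2"))
# Constructed stand-in for the standard ports App-ID associates with each application
STANDARD_PORTS = {"dns": {53}, "web-browsing": {80}, "ssl": {443}, "ping": set()}

def egress_interface(dst: IPv4Address) -> str:
    """Longest-prefix match over VR-1's routing table."""
    return max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)[1]

def zone_of(ip: IPv4Address) -> str:
    """A zone belongs to the interface an address is reached through; the
    ingress zone of the source is approximated the same way."""
    return INTERFACES[egress_interface(ip)][1]

@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                              # zones of the ORIGINAL packet
    dst: Optional[IPv4Address] = None         # original destination, None = any
    dipp_interface: Optional[str] = None      # dynamic IP and port, interface address
    dst_xlate: Optional[IPv4Address] = None   # static destination translation

@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str                  # POST-NAT destination zone
    dst: Optional[IPv4Address]    # PRE-NAT destination address, None = any
    apps: frozenset
    service: str                  # "application-default" or "any"
    action: str

NAT_RULES = [
    NatRule("Inside_PAT", "Inside", "Outside", dipp_interface="ethernet1/2"),
    NatRule("DMZ_Static", "Outside", "Outside", dst=ip_address("203.0.113.10"),
            dst_xlate=ip_address("172.16.1.10")),
]
SEC_RULES = [
    SecRule("Inside_To_Internet", "Inside", "Outside", None,
            frozenset({"dns", "ping", "ssl", "web-browsing"}), "application-default", "allow"),
    SecRule("Outside_To_DMZ", "Outside", "DMZ", ip_address("203.0.113.10"),
            frozenset({"web-browsing", "ssl"}), "application-default", "allow"),
]

SESSIONS: dict = {}         # original 4-tuple -> translated 4-tuple
_next_pat_port = [20000]    # constructed PAT port allocator

def _service_ok(rule: SecRule, app: str, dport: int) -> bool:
    std = STANDARD_PORTS.get(app)
    return rule.service != "application-default" or not std or dport in std

def process(src: str, sport: int, dst: str, dport: int, app: str) -> dict:
    """Run one packet through session lookup, NAT and the security policy."""
    s, d = ip_address(src), ip_address(dst)
    key = (s, sport, d, dport)
    # 1. Reply packets arrive addressed to the translated tuple of an open session.
    for orig, x in SESSIONS.items():
        if key == (x[2], x[3], x[0], x[1]):
            return {"action": "allow", "rule": "existing-session", "session": orig}
    # 2. NAT lookup uses the original zones and addresses.
    from_zone, orig_to_zone = zone_of(s), zone_of(d)
    new_s, new_sport, new_d, nat_hit = s, sport, d, None
    for nr in NAT_RULES:
        if (nr.from_zone, nr.to_zone) == (from_zone, orig_to_zone) and nr.dst in (None, d):
            nat_hit = nr.name
            if nr.dst_xlate is not None:
                new_d = nr.dst_xlate
            if nr.dipp_interface:
                new_s = INTERFACES[nr.dipp_interface][2]
                new_sport, _next_pat_port[0] = _next_pat_port[0], _next_pat_port[0] + 1
            break
    # 3. Security lookup: pre-NAT destination address, post-NAT destination zone.
    to_zone = zone_of(new_d)
    verdict, rule = (("allow", "intrazone-default") if from_zone == to_zone
                     else ("deny", "interzone-default"))
    for sr in SEC_RULES:
        if ((sr.from_zone, sr.to_zone) == (from_zone, to_zone) and sr.dst in (None, d)
                and app in sr.apps and _service_ok(sr, app, dport)):
            verdict, rule = sr.action, sr.name
            break
    if verdict == "allow":
        SESSIONS[key] = (new_s, new_sport, new_d, dport)
    return {"action": verdict, "rule": rule, "nat": nat_hit, "from": from_zone,
            "to": to_zone, "translated": (str(new_s), new_sport, str(new_d), dport)}
```

Running an outside client against 203.0.113.10:443 shows why the Outside_To_DMZ rule is written the way the post describes: the NAT rule fires on the outside-to-outside zone pair, the translated destination routes into DMZ, and the security rule is only found because its destination is the pre-NAT 203.0.113.10 paired with the post-NAT zone DMZ. Writing 172.16.1.10 in that rule would leave the packet on the interzone default deny.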


The major benefit of the Palo Alto firewall is its ability to correctly identify what is actually being carried inside the packet; this ability to correctly identify applications is the function of App-ID.

Let's say a malicious user is sending data by tunneling it over some well-known port that is allowed on the firewall, but inside the payload there is something else. That would be allowed if we only inspect up to layer 4, so one of the solutions Palo Alto came up with is called Application ID, or App-ID.

With App-ID, the firewall does not only look at the port number or transport protocol to allow/deny traffic; it is still aware of the default ports for those applications, but it also has the ability to look deeper into the packet and verify what the actual payload/traffic is.

Like many other features, App-ID is not free either; it is integrated as a part of the Palo Alto firewall but needs to be licensed.

How App-ID works :

Classification : it has an understanding of the ports and protocols of the traffic.

Signatures : signatures allow the PA firewall to identify an application correctly. Currently more than 2500 application objects are part of its database. The signatures look for specific application properties and characteristics to recognize that particular application.

Decryption : to break the SSL/TLS session between the user and the end application. The PA firewall is the man in the middle here, with two SSL sessions: one from the user to the firewall and one from the firewall to the end destination, so that the firewall can decrypt the data and see what kind of traffic is going on.

Decoders : decoders look for tunneled traffic, as some applications are tunneled inside something else. With the help of decoders the firewall can identify the payload and set up actions such as permitting the traffic, denying it, applying QoS (voice traffic) or scanning it.

One of the best things about App-ID is that we can have granular control by specifically identifying and telling the PA what is allowed and what's not.

That means you can access Facebook but can't chat over it or play games on Facebook. To do that, use the specific apps for things like Facebook and Google (subsets of Facebook and Google). For example, Facebook has a facebook-base app on the PA, which doesn't allow playing games or chatting.

One point to keep in mind here : for example, if we want to allow facebook-chat then we first need to allow facebook-base. So, application objects have some dependencies.


So, these dependencies have to be allowed either in the same rule or in a different rule in the policy.

Another point : there are some applications which use implicit apps. For example, see the snapshot below :


Here, we can see facebook-base implicitly uses ssl and web-browsing, meaning if we have allowed facebook-base then we don't need to enable ssl or web-browsing (HTTP) in the policy rules. However, if we want to go to, let's say,  then we need a different rule in the policy.

Also, we can make application groups and put different applications under a single group.


Here, I have made an application group named Internet_Access. Commit the changes; I am going to replace the applications in my 1st rule, which was for inside users to go to the internet, with this application group.


Commit the changes once again.

Now, I am going to disable rule no. 1 and add 2 more rules :

Rule no. 2 : to allow inside users to go to Facebook (basic functionality)

Rule no. 5 : cleanup rule


Click on Commit.

Now let's test this :


Yeah… we can log into Facebook and we can see the https session as well.

Why? Because it is already part of the facebook-base application, which uses it implicitly.


And we can see we can't connect to chat, as chat is not part of facebook-base.

If you go to the Monitor tab it will show the facebook-chat logs as policy denied. I can't show those at this moment because my firewall is unlicensed.

Now, let's allow the chat :


Now, let's see if there are any dependencies for facebook-chat.


From the above snapshot it is clear that we also need to allow the mqtt app.
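The two rules this post has now shown for application objects (a dependency such as facebook-chat needing facebook-base and mqtt must be explicitly allowed somewhere in the rulebase, while an implicitly used app such as ssl under facebook-base needs no separate entry) are easy to check before a commit. The following checker is an added example, not Palo Alto code; its APPS table is a hand-made subset shaped like the snapshots above, and the real dependency data for a given PAN-OS content version comes from Objects –> Applications on the firewall.

```python
"""Constructed App-ID dependency checker (added example, not Palo Alto code).
APPS is an assumed subset modelled on the post's snapshots, not real content data."""

APPS = {
    "web-browsing":  {"depends_on": set(), "implicitly_uses": set()},
    "ssl":           {"depends_on": set(), "implicitly_uses": set()},
    "dns":           {"depends_on": set(), "implicitly_uses": set()},
    "mqtt":          {"depends_on": set(), "implicitly_uses": set()},
    "facebook-base": {"depends_on": set(), "implicitly_uses": {"ssl", "web-browsing"}},
    "facebook-chat": {"depends_on": {"facebook-base", "mqtt"}, "implicitly_uses": set()},
}

def transitive_deps(app: str) -> set:
    """Everything that must be explicitly allowed somewhere in the rulebase
    before `app` can work, following dependency chains of any depth."""
    seen, stack = set(), list(APPS[app]["depends_on"])
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(APPS[dep]["depends_on"])
    return seen

def missing_dependencies(rulebase: dict) -> dict:
    """rulebase maps rule name -> set of allowed apps. A dependency may be
    satisfied by any rule in the policy, so the check runs against the union
    of all rules. Returns {app: {missing deps}} for every unmet app."""
    allowed = set().union(*rulebase.values())
    gaps = {}
    for app in sorted(allowed):
        missing = transitive_deps(app) - allowed
        if missing:
            gaps[app] = missing
    return gaps

def implicit_apps(rulebase: dict) -> set:
    """Apps that need no explicit entry because an allowed app implicitly uses them."""
    allowed = set().union(*rulebase.values())
    return set().union(*(APPS[a]["implicitly_uses"] for a in allowed)) - allowed

def apps_to_allow(wanted: set) -> set:
    """Minimal explicit application set for a rule that should permit `wanted`."""
    return set().union(wanted, *(transitive_deps(a) for a in wanted))

if __name__ == "__main__":
    # Constructed rulebase mirroring the post: rule 2 allows facebook-base,
    # and a new rule allows facebook-chat but forgets mqtt.
    policy = {"Rule2": {"facebook-base"}, "Allow_FB_Chat": {"facebook-chat"}}
    print("missing:", missing_dependencies(policy))
    print("implicit:", implicit_apps(policy))
    print("rule needs:", apps_to_allow({"facebook-chat"}))
```

The `missing_dependencies` check is the one worth wiring into a pre-commit review: it reports the mqtt gap the snapshot above reveals, while `implicit_apps` confirms that ssl and web-browsing do not have to be added for facebook-base to work.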


If you wish to read about MQTT (Message Queue Telemetry Transport), just go to Applications and search for it, then click on it to see what it is all about.

And if you want the latest info on these apps, go to :

Commit the changes and let's test whether we can access facebook-chat.


And now, as we can see, facebook-chat is accessible.

Palo Alto Series:

  1. Palo Alto Series – Part I
  2. Palo Alto Series – Part II
  3. Palo Alto Series – Part III


  1. Just read the complete article; it's awesome, with some typing mistakes.

    However I loved it. I am dying to set it up in my virtual lab environment, please help with the same. Thanks
