Back to chapter I: Intro and test environment
Initial setup of the PA-460
After getting the firewall unboxed, the first order of the day was of course to obtain management access to it and get it connected to the network. This could hardly have been easier, because Palo Alto ships its firewalls with a static IPv4 address preconfigured on the dedicated management interface. All I had to do was assign my PC an IPv4 address in the same subnet, cable the PC directly to the management port and log in with the default username and password. So what I feared could become a frustrating and time-consuming start to my Palo Alto firewall journey turned out to be a pleasant experience instead.
Here is a screen dump that shows the default setup of the Management Interface. As seen, the firewall is configured with IPv4 address 192.168.1.1 and permits https, ssh and ping inbound, exactly what you need to reach the firewall from your preferred web browser or from an SSH client. I used a web browser and the GUI from the start. One caveat for anyone repeating this: the factory-default credentials (admin/admin) and the open https/ssh/ping services are fine on an isolated bench cable, but the management port should not be put on a shared network until the default password has been changed and management access has been restricted to the hosts that actually need it.
After changing the default admin password, I configured the Internet-facing interface and got the firewall connected to the internet.
This was also very simple to accomplish; the following screen dump shows the final result. Before I got to this point I defined the Virtual Router and the Security Zones and assigned the zone for the Internet (“Z-Skogvn40-Internet”) to the outside interface.
All in all, this was a very easy and intuitive process for me to go through, but admittedly that is probably because I have configured lots of routers and firewalls before, and because I am familiar with networking concepts such as VLANs and IP subnets. Still, all credit to Palo Alto for designing their GUI in such a way that a novice like me, who had never set up a Palo Alto firewall from scratch before, was able to accomplish this in about half an hour, without opening a single manual. I think this is very impressive and a real testament to the quality and intuitive layout of Palo Alto’s firewall GUI.
The firewall ruleset – the overall approach I chose when building it
Before we jump into the details of the firewall ruleset and how I set it up, a few words on the overall approach I chose this time. I say “this time” because this was not the first time I have tried to set up a firewall to protect my own home. On one of my previous attempts, using another firewall brand (guess which), the implementation eventually got to a stage where it worked, but only after a very long and agonizing process, because the approach I chose was to lock everything down and then create a firewall permit rule for every type of traffic that needed to be allowed. While such an approach is clearly the safest option, it carries a heavy administrative burden, because you have to adjust the ruleset every time a new application or type of traffic is introduced into the network. With several children, all playing advanced games, new ones every week, and new IoT devices being brought into the house all the time, this was a never-ending process.
There are two fundamental approaches that you can use, when you set up a firewall ruleset:
- Permit the types of traffic that should be allowed, deny everything else (default deny, an allow-list)
- Deny the types of traffic that should never be allowed, permit everything else (default permit, a deny-list)
With a modern Next Generation Firewall such as the Palo Alto PA-460, choosing option 2 is not nearly as bad as it sounds (and used to be!), because the “permit everything else” part of the strategy can be controlled much more granularly and effectively than was possible with older generations of firewalls, which only saw IP addresses and ports. As an example, the “permit everything else” part can be narrowed to known applications (identified by App-ID rather than by port number) and to known network destinations, and only to those applications and destinations that are considered “safe”. “Safe”, in this context, is a constantly moving target. A new application that no one has seen before, because, well, it is new, will not be identified and trusted until Palo Alto has analyzed and categorized it. This is an ongoing process that Palo Alto performs as part of its firewall service, and it is one of the reasons why the firewall requires a license, and why that license costs money.
The important point here is that Palo Alto maintains a very comprehensive catalogue of network applications, safe and unsafe network locations (IP addresses and URL categories), services and so on, which the firewall periodically and automatically downloads and installs locally. If you design your ruleset to take advantage of these dynamic elements, you get a lot of help in maintaining the ruleset, and the effectiveness of the firewall keeps up with the threat landscape without you having to edit rules every week.
To conclude, I chose option 2: a ruleset that starts with a list of deny rules, followed by the permit rules required to make everything else work, all under the dynamic protection of the Palo Alto firewall. For a private household, with the level of network segmentation described earlier, I considered this a reasonable balance between a sufficiently good level of network security and the amount of continuous administration the firewall would require. For an enterprise, option 1 is usually the only acceptable solution, but then most enterprises employ one or more people whose primary responsibility is maintaining the firewall(s).
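To make the difference between the two approaches concrete, here is an added example that is not part of the original post and not PAN-OS code: a small first-match policy evaluator in Python, with one ruleset built the option 1 way (permit known traffic, implicit deny) and one built the option 2 way (deny known-bad, deny unidentified applications, then permit). The zone name “Z-Skogvn40-Internet” comes from the post; the other zone names, the application names, the URL categories and the sample flows are constructed for illustration, loosely modelled on PAN-OS concepts such as App-ID and URL categories. The implicit “intrazone allow, interzone deny” at the end of the rulebase mirrors the PAN-OS default rules.

```python
"""Toy first-match security policy evaluator (constructed example, not PAN-OS).

Compares an allow-list ruleset (option 1) with a deny-list ruleset (option 2)
on a handful of constructed flows. Zone names other than Z-Skogvn40-Internet,
app names, URL categories and flows are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str            # App-ID style name, e.g. "web-browsing" or "unknown-tcp"
    url_category: str   # URL category of the destination, e.g. "malware"


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    src_zones: frozenset = frozenset({"any"})
    dst_zones: frozenset = frozenset({"any"})
    apps: frozenset = frozenset({"any"})
    url_categories: frozenset = frozenset({"any"})

    def matches(self, flow: Flow) -> bool:
        def hit(allowed: frozenset, value: str) -> bool:
            return "any" in allowed or value in allowed
        return (hit(self.src_zones, flow.src_zone)
                and hit(self.dst_zones, flow.dst_zone)
                and hit(self.apps, flow.app)
                and hit(self.url_categories, flow.url_category))


def evaluate(rules: list, flow: Flow) -> tuple:
    """First matching rule wins; otherwise fall through to the implicit
    defaults (intrazone allow, interzone deny). Returns (action, rule name)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    if flow.src_zone == flow.dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


# Assumed zone names (only the Internet zone name is from the post).
LAN, IOT, INET = "Z-LAN", "Z-IoT", "Z-Skogvn40-Internet"
# Stand-ins for vendor-maintained "unsafe" URL categories and for traffic
# that App-ID could not identify (a brand-new or unknown application).
BAD_CATEGORIES = frozenset({"malware", "phishing", "command-and-control"})
UNKNOWN_APPS = frozenset({"unknown-tcp", "unknown-udp"})

# Option 1: permit only what is explicitly listed; everything else hits the
# implicit interzone deny. Every new app needs a new rule here.
ALLOWLIST_RULES = [
    Rule("deny-bad-urls", "deny", url_categories=BAD_CATEGORIES),
    Rule("lan-to-internet-basics", "allow", frozenset({LAN}), frozenset({INET}),
         frozenset({"web-browsing", "ssl", "dns"})),
]

# Option 2: deny the known-bad and the unidentified first, then permit the
# rest of the outbound traffic. New, identified apps work without a rule change.
DENYLIST_RULES = [
    Rule("deny-bad-urls", "deny", url_categories=BAD_CATEGORIES),
    Rule("deny-unknown-apps", "deny", apps=UNKNOWN_APPS),
    Rule("deny-iot-to-lan", "deny", frozenset({IOT}), frozenset({LAN})),
    Rule("permit-outbound", "allow", frozenset({LAN, IOT}), frozenset({INET})),
]

# Constructed sample flows.
SAMPLE_FLOWS = {
    "browsing":    Flow(LAN, INET, "web-browsing", "computer-and-internet-info"),
    "new-game":    Flow(LAN, INET, "new-game-launcher", "games"),  # identified, not listed
    "unknown-tcp": Flow(LAN, INET, "unknown-tcp", "unknown"),      # not identified
    "malware-url": Flow(LAN, INET, "web-browsing", "malware"),
    "iot-to-lan":  Flow(IOT, LAN, "ssh", "unknown"),
}


def compare(flows: dict = SAMPLE_FLOWS) -> dict:
    """Return {flow name: {"allowlist": action, "denylist": action}}."""
    return {
        name: {"allowlist": evaluate(ALLOWLIST_RULES, f)[0],
               "denylist": evaluate(DENYLIST_RULES, f)[0]}
        for name, f in flows.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:12s} option1={result['allowlist']:5s} option2={result['denylist']}")
```

The interesting row is the new game: under option 1 it is blocked by the implicit interzone deny until someone adds a rule for it, while under option 2 it is permitted as long as App-ID has identified it. Traffic that the firewall cannot identify (unknown-tcp) and destinations in a bad URL category are denied under both strategies, which is the part of option 2 that makes it acceptable in the first place.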
After a little initial tuning, and after several months of actively using the setup I am going to go through below, I can say that we (i.e. all members of my family and the guests we have had) have managed to stay out of trouble while enjoying relatively free use of the Internet. Loads of connections are blocked by the firewall every minute, but this mostly goes on without anyone noticing or being prevented from doing what they want to do. Only in very rare cases have I had to implement exceptions, for example access to specific URLs, to make a certain application work as it should.