{"id":592,"date":"2014-06-02T17:55:31","date_gmt":"2014-06-02T22:55:31","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=592"},"modified":"2014-06-02T17:55:31","modified_gmt":"2014-06-02T22:55:31","slug":"my-first-experiences-with-a-palo-alto-firewall","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2014\/06\/02\/my-first-experiences-with-a-palo-alto-firewall\/","title":{"rendered":"My First Experiences with a Palo Alto Firewall"},"content":{"rendered":"<p>I&#8217;ve been following <a href=\"https:\/\/paloaltonetworks.com\/\" target=\"_blank\">Palo Alto<\/a> as a networking company for a couple of years now.\u00a0 Their claim is that the days of the port-based firewall are dead and that their application-centric approach is a far better way to enforce your access controls.\u00a0 Take the HTTP protocol for example.\u00a0 HTTP typically runs as a service on port 80, but does that mean that everything running on port 80 is HTTP?\u00a0 As an attacker looking for a way to funnel data out of your organization, why not use the standard HTTP port to send data, since I know you leave it wide open in order for your employees to surf the web?\u00a0 There&#8217;s nothing to say that I actually have to be running an HTTP server on the other end and there&#8217;s nothing on my classic firewall to tell any differently.\u00a0 At first, I was admittedly a bit skeptical.\u00a0 I didn&#8217;t think that you could really tell enough about different applications on the web to be able to separate them out like Palo Alto claims to.\u00a0 Fortunately, Palo Alto reached out to me and provided me with a brand new <a href=\"https:\/\/paloaltonetworks.com\/products\/platforms\/firewalls\/pa-200\/overview.html\" target=\"_blank\">PA-200<\/a> in an attempt to change my mind.<\/p>\n<p>When the PA-200 arrived, it came with everything that I would need to get it up and running.\u00a0 That includes the unit itself, a power supply, a DB9 to RJ45 console 
cable, an ethernet cable, and some instructions and warranty information.<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/20140521_175741.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-593\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/20140521_175741-300x225.jpg\" alt=\"20140521_175741\" width=\"300\" height=\"225\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/20140521_175741-300x225.jpg 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/20140521_175741-1024x768.jpg 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>On the front of the unit are four ethernet ports for your devices, a management port, a USB port, a console port, and several status indicator LEDs.<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/20140521_175845-2.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-594\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/20140521_175845-2-300x225.jpg\" alt=\"20140521_175845-2\" width=\"300\" height=\"225\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/20140521_175845-2-300x225.jpg 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/20140521_175845-2-1024x768.jpg 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>By default, the appliance is configured with ethernet ports 1 and 2 paired as a WAN to LAN link, as this is the configuration that the majority of the people who buy it will likely use it for.\u00a0 That said, by following the instructions to connect your computer up to the management port, you can quickly access the user interface that allows you to change this assignment.<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.34.16-PM.png\"><img loading=\"lazy\" 
decoding=\"async\" class=\"alignnone size-medium wp-image-595\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.34.16-PM-300x67.png\" alt=\"Ethernet Configuration\" width=\"300\" height=\"67\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.34.16-PM-300x67.png 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.34.16-PM-1024x228.png 1024w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.34.16-PM.png 1978w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>This shows the ethernet 1 and 2 interfaces as both being a &#8220;virtual wire&#8221; and here we can see the virtual wire that connects the two.<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.37.27-PM.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-596\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.37.27-PM-300x15.png\" alt=\"Virtual Wire\" width=\"300\" height=\"15\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.37.27-PM-300x15.png 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.37.27-PM-1024x52.png 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>From here, we can take a look at the &#8220;zones&#8221; and see that our two interfaces have been defined as an untrusted (ethernet 1) and trusted (ethernet 2) zone.<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.38.47-PM.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-597\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.38.47-PM-300x62.png\" 
alt=\"Zones\" width=\"300\" height=\"62\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.38.47-PM-300x62.png 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.38.47-PM.png 886w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>To think of this a different way, my cable modem WAN connection (i.e. the Internet) goes in my &#8220;untrust&#8221; zone and my local network (i.e. LAN) goes in my &#8220;trust&#8221; zone.\u00a0 Now all that&#8217;s left is to set our policy, and for ease of management to start with, I set it to allow everything out with a default deny all inbound.<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.43.27-PM.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-598\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.43.27-PM-300x17.png\" alt=\"Security Profile\" width=\"300\" height=\"17\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.43.27-PM-300x17.png 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.43.27-PM-1024x61.png 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>With this configuration, I had done enough to be up and running on the device, and I immediately started to see data populate the dashboard on the top applications running on my network.<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.45.35-PM.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-599\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.45.35-PM-300x184.png\" alt=\"Top Applications\" width=\"300\" height=\"184\" 
srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.45.35-PM-300x184.png 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.45.35-PM.png 908w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>It&#8217;s color coded based on risk level and the dashboard also provides me a similar view of Top High Risk Applications.\u00a0 Any of these boxes can be clicked on in order to provide additional data about the protocol, sources, destinations, countries, and more.<\/p>\n<p><a href=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.48.25-PM.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-600\" src=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.48.25-PM-300x118.png\" alt=\"Application Information\" width=\"300\" height=\"118\" srcset=\"https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.48.25-PM-300x118.png 300w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.48.25-PM-1024x405.png 1024w, https:\/\/www.webadminblog.com\/wp-content\/uploads\/2014\/06\/Screen-Shot-2014-06-02-at-5.48.25-PM.png 1364w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Now, let me say that while I&#8217;m running this on my home internet connection, this thing is a hoss and can do way more than I can throw at it.\u00a0 With their App-ID technology enabled you can throw 100 Mbps of throughput at it no problem.\u00a0 In addition to being an application firewall, it also does standard port-based firewalling, VPN, routing, switching, and so much more.\u00a0 It&#8217;s so extremely versatile that this thing could easily be placed in a smaller branch office and replace multiple other devices on their network such as a firewall, router, and VPN concentrator.\u00a0 More 
functionality for less money&#8230;who wouldn&#8217;t want that?\u00a0 In addition to these default capabilities, additional licensing can also be obtained to allow you to do URL filtering, malware detection, and more.\u00a0 Having just gotten this up and running, I&#8217;m still exploring the ins and outs of all of the functionality, but it&#8217;s pretty exciting to have all of this capability in a box that is smaller than the cable modem my ISP provides me.\u00a0 More posts to come on this as I get deeper into the guts of running my new Palo Alto PA-200!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve been following Palo Alto as a networking company for a couple of years now.\u00a0 Their claim is that the days of the port-based firewall are dead and that their application-centric approach is a far better way to enforce your access controls.\u00a0 Take the HTTP protocol for example.\u00a0 HTTP typically runs as a service on [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[71,5,70,28],"tags":[568,76,573,74,484,569,570,567,549,506,571,572,126],"class_list":["post-592","post","type-post","status-publish","format-standard","hentry","category-firewalls","category-monitoring","category-networking","category-security","tag-alto","tag-application","tag-filter","tag-firewall","tag-malware","tag-networks","tag-pa-200
","tag-palo","tag-risk","tag-router","tag-switch","tag-url","tag-vpn"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-9y","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/592","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=592"}],"version-history":[{"count":1,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/592\/revisions"}],"predecessor-version":[{"id":601,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/592\/revisions\/601"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=592"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=592"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=592"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}