Basic configuration for a small office network using Palo Alto

Basic configuration of Palo Alto office network

Model:

Purpose: give the PCs in VLAN 100 and VLAN 200 access to the Internet.

Switch part:

– Access switch to PC links: access mode in the appropriate VLAN

– Access switch to core switch links: trunk mode, allowing VLAN 100 and 200

– On the core switches: configure interface VLAN 100 and 200, then configure VRRP

– Coresw1 is the VRRP master for VLAN 100

– Coresw2 is the VRRP master for VLAN 200

– Set IPs on the interface VLANs and on the uplink toward the firewall

Palo Alto Firewall Section:

– Download the PAN-OS 10.1.0 image here and import it into EVE-NG

– Set the management IP of the firewall with the following commands (entered in configure mode):

set deviceconfig system hostname HAINM

delete deviceconfig system type dhcp-client

set deviceconfig system type static

set deviceconfig system ip-address 192.168.2.1

set deviceconfig system netmask 255.255.255.0

set deviceconfig system timezone Asia/Saigon

set deviceconfig system dns-setting servers primary 8.8.8.8

set deviceconfig system dns-setting servers secondary 8.8.4.4

– From a PC, set an IP in the same range and open the firewall's web GUI:


Log in with the admin account and the password you set previously:

– Set the IPs of the firewall interfaces

Go to Network > Interfaces and set the IPs according to the plan.

To allow ping on the firewall interfaces above, go to Network > Interface Management > Add and tick the protocols that need to be allowed, such as ping and HTTPS.

Then go into each interface and select the allow-ping profile.

Create zones and assign the ports to them:

Network > Zones > Add

Trust: LAN port

Untrust: WAN port

– Create a virtual router (this enables the firewall's routing function)

Go to Network > Virtual Routers > Add, then add the firewall interfaces.

Go to the Static Routes section and create a default route to the Internet:

Here e1/2 is the WAN port and 192.168.200.50 is the gateway. If vmnet8 is used, the gateway is the IP of vmnet8 plus 1.

– Next, configure static routes pointing to the LAN ranges

Go to Network > Virtual Routers > Static Routes > Add

– Next, configure the security policy that allows traffic out to the Internet

Go to Policies > Security > Add

– Next, configure NAT overload (dynamic IP and port source NAT)

Go to Policies > NAT > Add

Commit the configuration.

Try accessing the Internet from a PC and check the logs under Monitor > Logs.
