Palo Alto Firewall -1

포항돼지 2021. 5. 14. 21:54

Only AP models with a "C" in the name can use Mobility! Remember this.

  • GlobalProtect client downloaded and activated on the Palo Alto Networks firewall
  • Portal Configuration
  • Gateway Configuration
  • Routing between the trust zones and GlobalProtect clients (and in some cases, between the GlobalProtect clients and the untrusted zones)
  • Security and NAT policies permitting traffic between the GlobalProtect clients and Trust
  • For iOS or Android devices to connect, the GlobalProtect app can be used.

show system info

find command keyword show (searches the CLI for commands containing "show")

show interface management

Ctrl + L (clears the screen)

Forward Lookup Zones: resolve a DNS name to an IP address

Reverse Lookup Zones: resolve an IP address to a DNS name

A : IPv4 address record

AAAA : IPv6 address record

NTP is UDP based, port 123

Configuration

set deviceconfig system type static (changes the management address type to static; it was DHCP)

set deviceconfig system ip-address 10.120.232.2 netmask 255.255.255.0 (typing ? after this shows the help for setting the DNS servers and the default gateway)

The logo on the Palo Alto login page can be replaced with a company logo.

Device -> Operations -> Custom Logo

The layout and the applications on the dashboard can also be customized in the UI.

Smart Lock -> locks my configuration, so nobody can change the configuration while the lock is on.

show admins shows the currently logged-in admin users

show log system

show session all

Palo Alto also supports changing the display language.

License types

Threat Prevention: provides Antivirus, Anti-Spyware, and Vulnerability Protection

Decryption Mirroring: supported only on specific models

URL Filtering: two kinds, BrightCloud URL (third-party URL filtering database) and PAN-DB URL; both can be used together, or just one

Virtual System: virtual firewalls

WildFire: two types, cloud and local

GlobalProtect: a laptop doesn't require anything, you can just configure it. But to use the VPN on a mobile device you need this license.

AutoFocus: graphical view of logs

Order for configuring the firewall:

1. Create the zones first (operating at Layer 3 here).

2. Assign the interface to a zone and configure the virtual router profile.

3. Enter the IP address (192.168.8.100/24) (on the ISP side it will probably be /32 or /29; the subnet masks must match).

4. Because it is Layer 3, routing has to be configured.

5. Go to Default route and configure a static route.

6. For the Next Hop IP, enter the IP of the ISP interface at the other end of the link (the subnet must also be entered, but it has to be /32).

7. Now all packets go out through the configured interface (the default route).

8. NAT/PAT is needed (Policies -> NAT).

9. Security rule to allow inside to outside.

10. Sessions can then be checked in the Session Browser / Monitor.
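The ten steps above as PAN-OS CLI set commands, as an added example that is not from the original post. The interface names (ethernet1/1 inside, ethernet1/2 toward the ISP), the zone names trust/untrust, the ISP-side address 203.0.113.2/30 and the next hop 203.0.113.1 are assumptions; lines starting with # are annotations, not CLI input.

```text
configure
# 1-3. Layer 3 interfaces with addresses, then zones with their interfaces
set network interface ethernet ethernet1/1 layer3 ip 192.168.8.100/24
set network interface ethernet ethernet1/2 layer3 ip 203.0.113.2/30
set zone trust network layer3 ethernet1/1
set zone untrust network layer3 ethernet1/2
# 2/4. Both interfaces must belong to a virtual router before routing works
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]
# 5-7. Static default route; next hop is the ISP interface at the far end of the link
set network virtual-router default routing-table ip static-route default-route destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 203.0.113.1
# 8. Source NAT (PAT): inside hosts leave with the address of ethernet1/2
set rulebase nat rules inside-out-pat from trust to untrust source any destination any service any to-interface ethernet1/2 source-translation dynamic-ip-and-port interface-address interface ethernet1/2
# 9. Security rule inside -> outside; application-default keeps each app on its standard ports, log-end records the session
set rulebase security rules allow-inside-out from trust to untrust source any destination any application any service application-default action allow log-end yes
commit
exit
# 10. Verify from operational mode that sessions are being built
show session all
```

Interzone traffic that matches no rule is dropped by the default interzone rule, so only the trust-to-untrust direction is opened here.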