
Interface Configuration

Agenda
 Integration of SAAS Application to Palo Alto Aperture

 Creation of Admin Accounts:


 Super Admin
 Admin
 Limited Admin
 Read-Only
 Custom-Role

 Define Internal Domain

 Define Trusted and Untrusted Domains/Users

2 | © 2015, Palo Alto Networks. Confidential and Proprietary.


Agenda
 Creation of Aperture Asset Policy
 Rule Name
 Severity
 Match Criteria
 Define Untrusted and Trusted Domain
 Actions
 Quarantine
 Change Sharing
 Notify File Owner
 Create Incident Alert
 Send Administration Alert
 Define Trusted and Untrusted Domains or Users

Integration of SAAS Application
1. Log in using your credentials.

2. Go to Settings and enter your Internal Domain.

3. Add a Cloud App.

Note: Log in to Office 365 using an account with privileges that will enable communication
between the Aperture service and the Microsoft Office 365 apps

Before you can establish communication between the Aperture service and the Microsoft
Office 365 SharePoint and OneDrive apps, you must:

1. Go to http://portal.microsoftonline.com and log out of Office 365.

2. Log back in to Office 365 using an account that has the Global Admin role prior to
adding the Office 365 app to the Aperture service.

Creation of Admin Accounts
1. Select Settings > Admin Accounts and Add Administrator

2. Enter the name and email address of the new administrator

3. Select the administrative role:
 Super Admin
 Admin
 Limited Admin
 Read Only
 Custom Role

Adding Internal Domain
1. Select Settings > Cloud Apps & Scan Settings

2. Enter a comma-separated list of your internal Domains

3. Save your changes

Define Trusted and Untrusted Domains/Users
1. Select Settings > External Collaborators

2. Select Untrusted and enter the email addresses under untrusted users and the
domains under untrusted domains

Creation of Aperture Asset Policy
Policies

Security Zones and Interfaces
 An interface is configured to only one zone.

 A security zone can have multiple interfaces.

Interface    Zone        Address
E 1/10       Internet    161.23.4.254
E 1/11       DMZ         172.16.1.254
E 1/12       -           -
E 1/12.10    Users       192.168.10.254
E 1/12.20    Users       192.168.20.254
E 1/12.30    VoIP        192.168.30.254
Tunnel.4     Remote-LAN  10.5.1.254

Interface Types
 Ethernet:
 TAP
 HA
 Virtual Wire
 Layer 2
 Layer 3
 Aggregate

 VLAN

 Loopback

 Tunnel

Ethernet Interface Configuration
 Network>Interface>Ethernet

Interface types:
 TAP
 HA
 Virtual Wire
 Layer 2
 Layer 3
 Decrypt Mirror
 Aggregate

Flexible Deployment Options for Ethernet Interfaces
 Visibility: application, user, and content visibility without inline deployment;
evaluation and audit of existing networks.

 Transparent In-Line: App-ID, Content-ID, User-ID, and SSL Decryption.

 Firewall Replacement: all of the virtual wire mode capabilities with the addition
of Layer 3 services: virtual routers, VPN, and routing protocols.

Ethernet TAP Mode
 TAP mode deployment allows passive monitoring of traffic flows across a
network by way of a switch SPAN or mirror port.

 The firewall cannot perform traffic shaping or blocking.

 Tap interfaces must be assigned to a security zone for ACC and reporting
capabilities.

Configuring TAP Interfaces
 Network>Interface>Ethernet

Interface Type: TAP

Security Zone

Ethernet Virtual Wire Interface
 Binds two physical interfaces together.

 Supports App-ID, decryption, Content-ID, and User-ID.

 Typically used when no switching or routing is needed.

 No configuration changes for adjacent network devices.

Configuring a Virtual Wire Object
 A virtual wire can allow or block traffic based on 802.1Q VLAN tags (802.1Q tags
allowed); 0 = untagged traffic.

 Applies security rules to multicast traffic (Enable multicast addresses), which
enables multicast firewalling.

Configuring Virtual Wire Interfaces
 Network>Interface>Ethernet
Interface Type

Virtual Wire Object

Security Zone

Virtual Wire Subinterfaces
 Provide flexibility in setting distinct policies when needed to manage traffic
from multitenancy networks.

 Allows for the assignment of incoming traffic to different ingress and egress
security zones by either:
 VLAN tags
 VLAN tags and IP classifiers (source IP)

 Traffic from different VLANs can now be assigned to different zones and then
managed by different security policies.

 Traffic from different VLANs can be assigned to different ports:
 Voice VLAN can be assigned to one port, and data VLAN to another.
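As an added example (not from the slide deck), the zone assignment a virtual wire subinterface performs, written out in Python: a frame is classified first by its 802.1Q tag and then, where a subinterface carries an IP classifier, by source IP; tag 0 means untagged traffic, which lands on the parent wire. The interface names, tags, subnets and zone names are constructed.

```python
import ipaddress

# Constructed virtual wire subinterfaces on one side of the wire (hypothetical
# names, tags, subnets and zones). A subinterface with a classifier only matches
# when both the tag and the source IP match.
VWIRE_SUBINTERFACES = [
    {"name": "ethernet1/1.10", "tag": 10, "classifier": None, "zone": "Users"},
    {"name": "ethernet1/1.11", "tag": 10, "classifier": "192.168.10.0/24", "zone": "Voice"},
    {"name": "ethernet1/1.30", "tag": 30, "classifier": None, "zone": "VoIP"},
]
# The parent interface takes untagged frames (tag 0) and tags with no subinterface.
VWIRE_PARENT = {"name": "ethernet1/1", "tag": 0, "classifier": None, "zone": "Default"}
# Tags the virtual wire object lets through; 0 = untagged. Any other tag is dropped.
ALLOWED_TAGS = {0, 10, 30}


def classify(vlan_tag, src_ip, subinterfaces=VWIRE_SUBINTERFACES,
             parent=VWIRE_PARENT, allowed_tags=ALLOWED_TAGS):
    """Return (ingress interface, ingress zone) for a frame, or None when the
    virtual wire object does not permit the tag.

    Matching order: tag + IP classifier (most specific) beats tag only, which
    beats the parent interface. Untagged frames (tag 0) always land on the parent.
    """
    if vlan_tag not in allowed_tags:
        return None
    src = ipaddress.ip_address(src_ip)
    tag_only = None
    for sub in subinterfaces:
        if sub["tag"] != vlan_tag:
            continue
        if sub["classifier"] is None:
            if tag_only is None:
                tag_only = sub
        elif src in ipaddress.ip_network(sub["classifier"]):
            return sub["name"], sub["zone"]       # classifier match wins outright
    chosen = tag_only if tag_only is not None else parent
    return chosen["name"], chosen["zone"]
```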

Configuring a Virtual Wire Subinterface

Layer 2 and Layer 3 Interfaces

 Layer 2: switching between network segments

 Layer 3: routing between networks

VLAN Configuration
 Network>VLANs>Add

VLAN Object Name

Physical Layer 2 interfaces and Layer 2 subinterfaces in the VLAN object

Layer 2 Interface Configuration
 Network>Interface

Configuring a Layer 3 Interface
Network>Interface>Ethernet

 Interface Type: Layer 3

 Security Zone

 IP Address:
 Static or DHCP client
 DHCP server or DHCP relay

 Interface management profile:
 Allows or denies management protocols such as SSH and HTTP on the MGT interfaces.

 Virtual router:
 Contains a set of static and dynamic routes used by a specified group of interfaces

Configuring a Layer 3 Interface
 Network>Interfaces>Ethernet

Interface Type: Layer 3

Virtual Router

Security Zone

IP Address

Interface MGT Profile

Interface Management Profile
 Defines which management functions are allowed on a traffic interface

 Management profiles are applied to a Layer 3 interface

Network>Network Profiles>Interface Mgmt>Add
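An added audit check (not part of the deck, and not a PAN-OS API) that applies the two slides above: a management profile decides which management services answer on a traffic interface, and the interface's zone decides whether that exposure is acceptable. The interface and profile names are constructed; the zones reuse the security-zone table, and the service names SSH and HTTP come from the page while ping and HTTPS are assumed checkbox names.

```python
# Constructed inventory of Layer 3 interfaces with their zone and the interface
# management profile attached to each (hypothetical interface and profile names;
# zones reuse the ones from the security-zone table). Service names are assumed
# to match the profile's checkboxes: SSH and HTTP are named on the page, ping
# and HTTPS are added here as assumptions.
INTERFACES = [
    {"name": "ethernet1/10",    "zone": "Internet", "profile": "allow-all-mgmt"},
    {"name": "ethernet1/11",    "zone": "DMZ",      "profile": "ping-only"},
    {"name": "ethernet1/12.10", "zone": "Users",    "profile": "internal-mgmt"},
    {"name": "ethernet1/12.30", "zone": "VoIP",     "profile": None},
]
MGMT_PROFILES = {
    "allow-all-mgmt": {"ping", "ssh", "http", "https"},
    "ping-only":      {"ping"},
    "internal-mgmt":  {"ping", "ssh", "https"},
}
UNTRUSTED_ZONES = {"Internet"}
ADMIN_SERVICES = {"ssh", "http", "https"}   # services that reach the firewall's admin plane
CLEARTEXT_SERVICES = {"http"}               # credentials would cross the wire unencrypted


def audit_management_exposure(interfaces=INTERFACES, profiles=MGMT_PROFILES,
                              untrusted_zones=UNTRUSTED_ZONES):
    """Return (interface, zone, service, reason) findings for management
    services a profile exposes where the interface's zone does not justify it.

    An interface with no profile attached answers no management service at all,
    so it never produces a finding.
    """
    findings = []
    for iface in interfaces:
        if iface["profile"] is None:
            continue
        for service in sorted(profiles[iface["profile"]]):
            if service in ADMIN_SERVICES and iface["zone"] in untrusted_zones:
                findings.append((iface["name"], iface["zone"], service,
                                 "admin service reachable from an untrusted zone"))
            if service in CLEARTEXT_SERVICES:
                findings.append((iface["name"], iface["zone"], service,
                                 "cleartext management protocol"))
    return findings


def hardened_profile(services):
    """Drop cleartext management services from a profile's service set."""
    return set(services) - CLEARTEXT_SERVICES
```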

Virtual Routers
 All interfaces assigned to a virtual router share the same routing table:
 The routing table of a virtual router can be defined by static and dynamic (RIP,
OSPF, BGP) routes.
 Allows for the configuration of different routing behavior for different interfaces.

Network>Virtual Routers

Virtual Router Static Routes
Network>Virtual Router

Virtual Router Dynamic Routes
 Standards-based support for:
 OSPFv2 and OSPFv3
 RIPv2
 BGPv4

 Routing support across IPSec tunnels


 Multicast routing support for:
 PIM-SM
 PIM-SSM
 IGMP

Troubleshooting Routing
 Confirm virtual router run-time statistics

 On the active firewall, select Network>Virtual Router and click More Runtime Stats

More Runtime Stats
 The routing table shows internal network routes and shows default routes
propagated from the upstream routers.
Network>Virtual Router>More Runtime Stats

Policy-Based Forwarding
 Supersedes the forwarding information in the virtual router.
 Source:
 Source Address
 Source Zone
 Source User
 Destination:
 Destination Address
 Destination Application
 Destination Service (Port Number)

 Reverts to the virtual router table if the PBF policy destination is unreachable.

 A single session is forwarded by the PBF policy the same way.
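An added Python model (not the deck's own material) of the three PBF behaviours listed above: a rule matched on the source and destination criteria overrides the virtual router, an unreachable PBF next hop falls back to the routing table's longest-prefix match, and the first decision for a session is reused for the rest of that session. Rule names, prefixes, next hops and the "reachable" flag standing in for path monitoring are constructed.

```python
import ipaddress

# Constructed PBF rules and virtual router table (hypothetical names, prefixes,
# next hops). "reachable" stands in for the path-monitoring result for the next hop.
PBF_RULES = [
    {"name": "voip-via-isp2", "src_zone": "VoIP", "src": "192.168.30.0/24",
     "dst": "0.0.0.0/0", "app": "sip", "service": None,
     "egress": "ethernet1/11", "next_hop": "172.16.1.1", "reachable": True},
    {"name": "users-web-via-isp1", "src_zone": "Users", "src": "192.168.0.0/16",
     "dst": "0.0.0.0/0", "app": None, "service": 443,
     "egress": "ethernet1/10", "next_hop": "161.23.4.1", "reachable": False},
]
ROUTING_TABLE = [                      # (prefix, egress interface, next hop)
    ("0.0.0.0/0", "ethernet1/10", "161.23.4.1"),
    ("10.5.0.0/16", "tunnel.4", None),
]

def route_lookup(dst_ip, table=ROUTING_TABLE):
    """Longest-prefix match over the virtual router's table (assumes a default route)."""
    dst, best = ipaddress.ip_address(dst_ip), None
    for prefix, egress, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress, next_hop)
    return None if best is None else (best[1], best[2])

def pbf_match(pkt, rules=PBF_RULES):
    """First PBF rule whose source and destination criteria all match, else None."""
    src, dst = ipaddress.ip_address(pkt["src_ip"]), ipaddress.ip_address(pkt["dst_ip"])
    for rule in rules:
        if (rule["src_zone"] == pkt["src_zone"]
                and src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])
                and rule["app"] in (None, pkt["app"])          # None = any application
                and rule["service"] in (None, pkt["dst_port"])):  # None = any service
            return rule
    return None

def forward(pkt, sessions):
    """Return (egress, next_hop, source of decision); sessions is the per-session
    cache, so a session keeps the decision made for its first packet."""
    key = (pkt["src_ip"], pkt["dst_ip"], pkt["dst_port"])
    if key not in sessions:
        rule = pbf_match(pkt)
        if rule is not None and rule["reachable"]:
            sessions[key] = (rule["egress"], rule["next_hop"], "pbf:" + rule["name"])
        else:   # no rule, or PBF destination unreachable: revert to the virtual router
            egress, next_hop = route_lookup(pkt["dst_ip"])
            sessions[key] = (egress, next_hop, "virtual-router")
    return sessions[key]
```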

DHCP Server
Network>DHCP
 When an interface is configured as a DHCP server, it assigns addresses to DHCP
clients.

VLAN Interface
 VLAN interfaces allow VLANs to connect to Layer 3 networks

Configuring a VLAN Interface
Network>Interface>VLAN>Add

This is not a sub-interface. It does not reference traffic tagged with a VLAN ID.

VLAN object associated with this VLAN interface

Configuring Loopback Interfaces
Network>Interfaces>Loopback
Loopback interface ID

Virtual Router

Security Zone

Aggregate Interfaces
 An aggregate interface group combines up to eight Ethernet interfaces using
link aggregation.

 Increased throughput and link redundancy.

 The aggregate interface is a logical interface that can be configured as if it
were a regular interface.

 LACP is supported.

Create an Aggregate Interface
Network>Interfaces>Ethernet>Add Aggregate Group

This is not a sub-interface. It does not reference traffic tagged with a VLAN ID.

For Layer 3, add an IP address.

Assign an Interface to an Aggregate Group
Network>Interfaces>Ethernet

Demo