
Security Zones overview

Network Segmentation

  • Divides network into multiple areas, each protected by a firewall

  • Firewall used to control and secure access to the data and resources in that area

  • Things to watch out for:

    • User-to-data access requirements must be considered when deciding how to segment the network

    • The principle of least privilege should be applied when segmenting the network

    • Data security regulations/standards that apply to the organization should be considered.

Palo Alto Networks firewalls use the concept of security zones to secure and manage networks.

Security zones are a logical way to group physical and virtual interfaces on the firewall - systems with similar security needs are grouped into the same zone.

  • The more granular the zones are (and the security policy rules that control traffic between them), the more the attack surface is reduced

    • The smaller each zone is, the greater control you have over the traffic that accesses each zone.

    • Malware has more difficulty moving laterally between zones.

Network Interfaces and security zones

  • Firewall models include in-band interfaces that are used to control network traffic flowing across an enterprise

  • Each interface is assigned to a single zone, but each firewall interface can include multiple logical interfaces called subinterfaces

    • Subinterfaces can be used to support VLANs

Interface Types and Zone Types

There are numerous methods to integrate a Palo Alto Networks firewall into an environment.

PAN-OS has different zone types and interface types, which can be used simultaneously on the same firewall as long as they are used on different firewall interfaces.

Different zone types support only specific interface types:

  1. Tap Zone - For tap interfaces

  2. Layer 2 Zone - For Layer 2 interfaces

  3. Tunnel Zone - No interfaces assigned; used for tunnel content inspection, specifically for scenarios involving tunnel-in-tunnel encapsulation.

  4. Virtual Wire Zone - For virtual wire interfaces

  5. Layer 3 Zone - For Layer 3 interfaces, VLAN interfaces, loopback interfaces and tunnel interfaces

MGT and HA interfaces are not assigned to a zone. HA interfaces are used for synchronization of a pair of firewalls deployed in a high availability configuration. They do not control normal network traffic, and as such are not placed in a security zone. MGT interfaces are used only for firewall management and are not assigned to a zone.

  • Zone names are case-sensitive

  • Interfaces must be of the appropriate type to be assigned to a zone

  • Interfaces not assigned to a zone do not process traffic.

Sixth zone type - External is a zone that allows traffic to pass between virtual systems when multiple virtual systems are configured on the same firewall. 🙏 Only some firewall models support virtual systems though...
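To make the zone rules above concrete, here is an added consistency checker (not PAN-OS code; the zone/interface config shape and the sample configuration are constructed for this example) that flags interfaces of the wrong type for their zone, interfaces left without a zone, zone references that differ only in case, and MGT/HA interfaces placed in a zone:

```python
"""Added example: validate zone-to-interface assignments against the zone-type rules above.
Not PAN-OS code; the config dictionaries and sample values are constructed."""

# Zone type -> interface types it may contain (from the five zone types listed above).
ZONE_TYPE_ALLOWED = {
    "tap": {"tap"},
    "layer2": {"layer2"},
    "tunnel": set(),                      # holds no interfaces; tunnel content inspection only
    "virtual-wire": {"virtual-wire"},
    "layer3": {"layer3", "vlan", "loopback", "tunnel"},
}
# Interface types that are never placed in a zone.
UNZONED_INTERFACES = {"management", "ha"}

def check_zone_config(zones, interfaces):
    """zones: {zone_name: zone_type}; interfaces: list of {name, type, zone} (zone None if unset).
    Returns a list of findings; an empty list means the assignments are consistent."""
    findings = []
    by_lower = {n.lower(): n for n in zones}        # for case-mismatch hints only
    for iface in interfaces:
        name, itype, zone = iface["name"], iface["type"], iface.get("zone")
        if itype in UNZONED_INTERFACES:
            if zone is not None:
                findings.append(f"{name}: {itype} interfaces cannot be placed in a zone")
            continue
        if zone is None:
            findings.append(f"{name}: no zone assigned, interface will not process traffic")
            continue
        if zone not in zones:                        # zone names are case-sensitive
            hint = by_lower.get(zone.lower())
            findings.append(f"{name}: zone '{zone}' not found"
                            + (f" (case-sensitive; did you mean '{hint}'?)" if hint else ""))
            continue
        ztype = zones[zone]
        if itype not in ZONE_TYPE_ALLOWED[ztype]:
            findings.append(f"{name}: {itype} interface cannot join {ztype} zone '{zone}'")
    return findings

# Constructed sample configuration (not taken from a real firewall).
SAMPLE_ZONES = {"Trust": "layer3", "Untrust": "layer3", "Monitor": "tap", "TunnelInspect": "tunnel"}
SAMPLE_INTERFACES = [
    {"name": "ethernet1/1", "type": "layer3", "zone": "Untrust"},    # correct
    {"name": "ethernet1/2", "type": "layer3", "zone": "trust"},      # case mismatch
    {"name": "ethernet1/3", "type": "tap", "zone": "Trust"},         # wrong zone type
    {"name": "ethernet1/4", "type": "virtual-wire", "zone": None},   # never assigned
    {"name": "tunnel.1", "type": "tunnel", "zone": "TunnelInspect"}, # tunnel zone holds no interfaces
    {"name": "management", "type": "management", "zone": None},      # MGT, correctly unzoned
]

if __name__ == "__main__":
    for finding in check_zone_config(SAMPLE_ZONES, SAMPLE_INTERFACES):
        print(finding)
```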

Interface Types

  1. Tap

    • The firewall can use a tap interface to connect to a switch's SPAN or mirror port.

    • Once connected to the switch, a tap interface passively collects and logs monitored traffic.

    • Tap mode deployment is often used to initially discover the types of applications and user traffic flowing across a network.

    • Usually used for evaluation and audit of existing networks; no changes to the existing network design.

    • The firewall cannot block any traffic.

  2. Virtual Wire

    • Typically used when no switching or routing is required.

    • Using virtual wire, the firewall can be inserted into an existing topology without requiring any reallocation of network addresses or redesign of the network topology.

    • All firewalls shipped from the factory have Ethernet ports 1 and 2 preconfigured as virtual wire interfaces.

    • The virtual wire object provides the data path between the two virtual wire interfaces.

    • The protection and decryption features of the device can all be used (App-ID, Content-ID, User-ID and SSL decryption).

    • NAT functionality is provided in this mode.

  3. Layer 3

    • The firewall can replace any current firewall deployment.

    • All virtual wire mode capabilities, with the addition of Layer 3 services: virtual routers, VPN and routing protocols.

Interface types can be mixed and matched on a single device. E.g. the firewall can be deployed in tap mode for one portion of the network, and in virtual wire/Layer 3 mode for another.

Virtual Routers and Layer 3 Interfaces

A virtual router is a function of the firewall that participates in Layer 3 routing.

  • The firewall uses virtual routers to obtain routes to other subnets, either by manually defined static routes or through dynamic routing protocols

    • BGP v4, OSPF v2 and v3, RIP v2

    • Multicast routing is supported

      • PIM-SM (sparse mode)

      • PIM-SSM (source specific multicast)

Multiple Static Default Routes

  • Multiple static default routes can be configured

  • The route with the lowest metric is used when there are two or more routes to the same destination

  • Path monitoring is used by the firewall to determine whether a static route is functioning

  • The firewall switches the default route when path monitoring detects a failure
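The selection and failover behaviour described above, as an added model (not PAN-OS code): routes are matched by longest prefix, ties to the same destination are broken by lowest metric, and a route whose path monitor reports failure is skipped so the next default route takes over. The route table and next-hop addresses are constructed for the example.

```python
"""Added example: models static default route selection with path monitoring.
Not PAN-OS code; StaticRoute, the sample routes and the monitor status are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass
class StaticRoute:
    destination: str          # e.g. "0.0.0.0/0" for a default route
    next_hop: str
    metric: int               # lower metric wins among routes to the same destination
    monitor_up: bool = True   # current path-monitoring result for this route's next hop

def select_route(routes, dst_ip):
    """Return the route the firewall would use for dst_ip, or None if nothing usable.
    Longest prefix match first, then lowest metric; routes whose path monitor
    has declared a failure are excluded so traffic fails over to the next candidate."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes
                  if r.monitor_up and ip in ipaddress.ip_network(r.destination)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.destination).prefixlen, r.metric))

def fail_path(routes, next_hop):
    """Simulate path monitoring declaring next_hop unreachable."""
    for r in routes:
        if r.next_hop == next_hop:
            r.monitor_up = False

# Constructed routing table: two default routes via different upstreams plus one internal route.
ROUTES = [
    StaticRoute("0.0.0.0/0", "203.0.113.1", metric=10),   # primary default route
    StaticRoute("0.0.0.0/0", "198.51.100.1", metric=20),  # backup default route
    StaticRoute("10.0.0.0/8", "10.1.1.254", metric=10),   # internal networks
]

if __name__ == "__main__":
    print(select_route(ROUTES, "8.8.8.8").next_hop)    # 203.0.113.1 (lowest metric)
    fail_path(ROUTES, "203.0.113.1")                   # path monitor fails the primary
    print(select_route(ROUTES, "8.8.8.8").next_hop)    # 198.51.100.1 after failover
    print(select_route(ROUTES, "10.2.3.4").next_hop)   # 10.1.1.254 (longest prefix wins)
```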

💀 Confused as I am? Here are more resources that explain what's going on!

On Tap Interface