2

Content

Security Zones overview

Network Segmentation

Divides network into multiple areas, each protected by a firewall
Firewall used to control and secure access to the data and resources in that area
Things to watch out on:
- User-to-Data access requirements must be considered when deciding how to segment the network
- Principle of least privilege when segmenting the network should be implemented
- Data security regulations/standards that apply to the organizations should be considered.

Palo Alto networks use the concept of security zones to secure and manage networks

Security zones are a logical way to group physical and virtual interfaces on the firewall - systems with similar security needs are grouped into the same zone.

More granular the zones are and the corresponding security policy rules that control traffic between the zones, the more the attack surface is reduced
- The smaller each zone is, the greater control you have over the traffic that access each zone.
- Malware have more difficulty moving laterally between zones.

Network Interfaces and security zones

Firewall models include in-band interfaces that are used to control network traffic flowing across an enterprise
Each interface is assigned to a single zone, but each firewall interface/zone can support can include multiple logical logical interfaces called subinterfaces
- Subinterfaces can be used to support VLANs

Interface Types and Zone Types

There are numerous method to integrate Palo Alto Networks firewall into the environment.

PAN-OS has different zone types and interface types, that can be used simultaneously on the same firewall if used on different firewall interfaces.

Different zone types support only specific interface types:

Tap Zone - For tap interfaces
Layer 2 Zone - For Layer 2 interfaces
Virtual Wire Zone - Virtual wire interfaces
Layer 3 Zone - Layer 3 interfaces - VLAN interfaces - Loopback interfaces - Tunnel interfaces

MGT and HA interfaces are not assigned to a zone. HA interfaces are used for synchronization of a pair of firewalls deployed in a high availability configuration. They do not control normal network traffic, as such are not placed in a security zone. MGT interfaces are used only for firewall management and is not assigned to a zone.

Zones are case-sensitive
Interfaces must be of the appropriate zone to be assigned to a zone
Interfaces not assigned to a zone do not process traffic.

Interfaces Type

Layer 3 - Firewall can replace any current firewall deployment. - All virtual wire mode capabilities with the addition of Layer 3 services - virtual routers, VPN and routing protocols.

Firewall can be mixed and matched with the interface types on a single device. Eg. Firewall can be deployed in a tap mode for one portion, and a virtual wire/Layer 3 in another

Virtual Routers and Layer 3 Interfaces

A function of the firewall that participates in Layer 3 routing.

Firewall uses virtual routers to obtain routes to other subnets by manually defining static routes or through dynamic routes
- BGP v4, OSPF v2 and v3, RIP v2
- Support multicast routing
  - PIM-SM (sparse mode)
  - PIM-SSM (source specific multicast)

Multiple Static Default Routes

Static default routes can be configured
Route with the lowest metric is used when there are two or more routes to the same destination
Path monitoring is used by a firewall to determine whether a static route is functioning
Firewall will switch the default route during path failure

💀Confused as I am? Here's more Resources that explain what's going on!

Previous1.2 Next3

Last updated 1 year ago