Summary:
1. Mgmt Interface Setup, Mgmt Default Gateway / DNS / NTP
2. Configure zones / virtual router / other interfaces / DG
Details:
1. Mgmt Interface Setup, Mgmt Default Gateway / DNS / NTP (default username / password: admin/admin)
Note: the very first command I normally run is "set cli config-output-format set", which will give you a nicer / cleaner look once you are in configuration mode.
Commands:
## set deviceconfig system ip-address 10.1.1.30 netmask 255.255.255.0
## set deviceconfig system default-gateway 10.1.1.1
## set deviceconfig system dns-setting servers primary 8.8.8.8
## set deviceconfig system ntp-servers primary-ntp-server ntp-server-address time.google.com
## commit
Now you can access the virtual firewall via a browser.
Knowledge:
- management plane - all dynamic updates to the firewall itself
- data plane - traffic for end users
- Layer3: allows routing and NAT
- VWire: transparent mode
- L2: VLANs / switching capabilities
- HA: (for details, see my HA notes)
  - Control link: hello messages, heartbeats, HA state info, user ID info, config sync
  - Data link: session info; forwarding tables; IPSec SAs; ARP
  - 3rd interface type for Act / Act setup
- Tap: port mirroring, taking forwarded traffic from other devices
- Why zones?
  - You can create security policies between zones (groups of interfaces) instead of per individual interface

Note: If you do not have a router for dataplane, proxy ARP could be a workaround.
To test your configurations so far:
===========================
admin@PA-VM> traceroute host www.google.com
traceroute to www.google.com (172.217.13.228), 30 hops max, 40 byte packets
1 192.168.1.1 (192.168.1.1) 2.043 ms 1.913 ms 1.824 ms
2 lo0-100.CLPPVA-VFTTP-301.verizon-gni.net (108.44.145.1) 6.657 ms 6.578 ms 6.058 ms
3 B3301.CLPPVA-LCR-21.verizon-gni.net (100.41.132.86) 19.011 ms 20.311 ms 19.178 ms
4 * * *
5 0.et-8-0-2.GW13.IAD8.ALTER.NET (140.222.0.185) 21.812 ms 21.714 ms 21.629 ms
6 204.148.79.46 (204.148.79.46) 21.517 ms 32.684 ms 33.097 ms
7 * * *
8 (108.170.232.213) 11.736 ms 12.606 ms 12.507 ms
9 iad23s61-in-f4.1e100.net (172.217.13.228) 10.846 ms 11.605 ms 11.490 ms
admin@PA-VM>
================================

Note: if you do not want to use the mgmt interface as the default for the DNS / NTP settings, you can choose a different interface instead.
2. Configure zones / virtual router / other interfaces / DG
2.1 Configure zones (you do not have to define the layer 3 type; by default, it is a layer 3 type zone):
## set zone inside
## set zone dmz
## set zone prod
## set zone outside
## show zone
2.2 Configure virtual router:
## set network virtual-router VR-1
## show network virtual-router
2.3 Configure interfaces:
----------------------
eth1/1 <-> outside
----------------------
IP and comments:
## set network interface ethernet ethernet1/1 layer3 ip 10.1.1.100/24
## set network interface ethernet ethernet1/1 comment "Internet Facing"
Attach the interface to a zone:
## set zone outside network layer3 ethernet1/1
Attach the interface to a virtual router:
## set network virtual-router VR-1 interface ethernet1/1
Very important step:
## commit
eth1/2 <-> dmz
===============
set network interface ethernet ethernet1/2 layer3 ip 172.16.1.1/24
set network interface ethernet ethernet1/2 comment "Web Servers"
set zone dmz network layer3 ethernet1/2
set network virtual-router VR-1 interface ethernet1/2
commit
eth1/3 <-> inside
==============
set network interface ethernet ethernet1/3 layer3 ip 172.16.2.1/24
set network interface ethernet ethernet1/3 comment "Internal Users"
set zone inside network layer3 ethernet1/3
set network virtual-router VR-1 interface ethernet1/3
commit
eth1/4 <-> prod
==============
set network interface ethernet ethernet1/4 layer3 ip 172.16.3.1/24
set network interface ethernet ethernet1/4 comment "Prod Env"
set zone prod network layer3 ethernet1/4
set network virtual-router VR-1 interface ethernet1/4
commit
2.4 Configure default route:
set network virtual-router VR-1 routing-table ip static-route DefaultRoute nexthop ip-address 10.1.1.1
set network virtual-router VR-1 routing-table ip static-route DefaultRoute interface ethernet1/1
set network virtual-router VR-1 routing-table ip static-route DefaultRoute destination 0.0.0.0/0
commit
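
The check below is an added example, not part of the original notes: a small Python audit of set-format lines (the format the notes switch to with "set cli config-output-format set") that confirms every layer3 interface was attached to a zone and a virtual router, and that each static route's next hop sits on its egress interface's subnet. The name audit and the PAGE_CONFIG sample are assumptions for illustration; the sample lines are copied from sections 2.3 and 2.4.

```python
import ipaddress
import shlex

# Sample input: set-format lines copied from sections 2.3 and 2.4 of these notes.
PAGE_CONFIG = """\
set network interface ethernet ethernet1/1 layer3 ip 10.1.1.100/24
set network interface ethernet ethernet1/1 comment "Internet Facing"
set zone outside network layer3 ethernet1/1
set network virtual-router VR-1 interface ethernet1/1
set network interface ethernet ethernet1/2 layer3 ip 172.16.1.1/24
set zone dmz network layer3 ethernet1/2
set network virtual-router VR-1 interface ethernet1/2
set network virtual-router VR-1 routing-table ip static-route DefaultRoute nexthop ip-address 10.1.1.1
set network virtual-router VR-1 routing-table ip static-route DefaultRoute interface ethernet1/1
set network virtual-router VR-1 routing-table ip static-route DefaultRoute destination 0.0.0.0/0
"""

def audit(config_text):
    """Hypothetical helper: list gaps in a set-format layer3 configuration."""
    ips, zones, vrs, routes = {}, {}, {}, {}
    for line in config_text.splitlines():
        t = shlex.split(line.lstrip("# "))  # tolerate the notes' "##" prefix
        if t[:4] == ["set", "network", "interface", "ethernet"] and t[5:7] == ["layer3", "ip"] and len(t) == 8:
            ips[t[4]] = ipaddress.ip_interface(t[7])
        elif t[:2] == ["set", "zone"] and t[3:5] == ["network", "layer3"] and len(t) == 6:
            zones[t[5]] = t[2]
        elif t[:3] == ["set", "network", "virtual-router"] and t[4:5] == ["interface"] and len(t) == 6:
            vrs[t[5]] = t[3]
        elif t[:3] == ["set", "network", "virtual-router"] and t[4:7] == ["routing-table", "ip", "static-route"] and len(t) >= 10:
            if t[8] != "nexthop" or t[9] == "ip-address":  # only IP next hops are compared
                routes.setdefault((t[3], t[7]), {})[t[8]] = t[-1]
    findings = []
    for ifname in sorted(ips):
        if ifname not in zones:
            findings.append(f"{ifname}: has a layer3 IP but no zone")
        if ifname not in vrs:
            findings.append(f"{ifname}: has a layer3 IP but no virtual router")
    for (vr, name), r in sorted(routes.items()):
        egress, hop = r.get("interface"), r.get("nexthop")
        if egress is None or hop is None:
            continue  # route without both fields: nothing to compare
        if vrs.get(egress) != vr:
            findings.append(f"{name}: egress {egress} is not attached to {vr}")
        elif egress in ips and ipaddress.ip_address(hop) not in ips[egress].network:
            findings.append(f"{name}: next hop {hop} is not in {ips[egress].network} on {egress}")
    return findings

if __name__ == "__main__":
    print(audit(PAGE_CONFIG) or "no findings")
```

Paste the candidate set commands (or the output of "show" in set format) into a string and pass it to audit before committing; an empty list means every interface completed all three steps and the default route is reachable from its egress interface.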