Module 5 Connecting the firewall to Production Networks with Security Zones

Question 1

Why do we segment the network?

Answer 1

Several reasons, secure access to data, prevents additional access if one area is compromised.

Question 2

How do we use segmentation in Palo Alto Firewalls?

Answer 2

We used network segmentation/security zones to reduce the attack surface. Palo Alto uses logical zones to group physical/virtual interfaces on the firewall.

Question 3

What is interzone traffic?

Answer 3

Between zones

Question 4

What is Intrazone traffic?

Answer 4

Its own zone

Question 5

How do we support segmentation with the firewall?

Answer 5

We configure security policies which will allow traffic between certain zones (interzone).

Question 6

Can traffic flow between zones in a Palo Alto firewall?

Answer 6

Traffic can flow freely within a zone, but you need a security policy rule that allows traffic between zones.

Question 7

What is zero-trust architecture

Answer 7

Never trust, always verify. Inspect traffic flows to inbound traffic, outbound traffic to the internet and internal traffic between nodes and your data center.

Question 8

How do we carry VLAN traffic?

Answer 8

ROAS, firewall (sub-interfaces) which can be used on a single physical interface. Ethernet1/1, 1/1.2, 1/1.3

Question 9

What is the control plane?

Question 10

What is the data plane?

Question 11

What is your first task before creating a security policy?

Answer 11

Create a Security Zone
Specify zone type: Virtual Wire, layer 2, tap, layer 3, tunnel
Assign interfaces -

Question 12

What are the different zone types?

Answer 12

Tap, Virtual Wire, Layer 2, Layer 3, Tunnel

Question 13

What is Tap, what is its purpose?

Answer 13

Switch port analyzer, requires no changes to the existing network design. Does not block traffic, or control traffic. Passive collecting

Question 14

What is virtual wire, what is its purpose?

Answer 14

NAT functionality provided. Inserted into existing network, without any re-allocation of network addresses or redesign on the network topology. *Bind two firewall interfaces together through a virtual wire object. No network changes for adjacent network devices. *Can block traffic.

Question 15

What is a layer 3 zone type, what is its purpose?

Answer 15

Fucking route man. Firewall has a virtual router. App-ID, Content-ID, User-ID, SSL Decryption, NAT and QoS.

Question 16

Where do I configure a layer 3 interface on the firewall?

Answer 16

Network - Interfaces - Ethernet - select_interface
- go through the tabs, advanced, (MTU size),

Question 17

In-band and out-of band MGT port?

Answer 17

Out-of-band management can be a lifesaver. In-band would be like http, ssh, telnet into a device. Out-of-band uses a console port (how do we get access to the console port?) We would need access to the console server. Maybe an additional internet connection, MPLS, etc.

Question 18

Interface Management Profile

Answer 18

You can apply an interface management profile to a layer 3 interface to enable it to carry management traffic.

Question 19

What routing protocols are supported?

Answer 19

OSPF, RIPv2 and BGP