
SOLUTION GUIDE

Steelhead and Palo Alto Networks Firewall


Solution Guide
Version 1.0 August 2013

Steelhead and Palo Alto Networks Firewall: SOLUTION GUIDE

2013 Riverbed Technology. All rights reserved. Riverbed, Cloud Steelhead, Granite, Interceptor, RiOS, Steelhead, Think Fast, Virtual Steelhead, Whitewater, Mazu, Cascade, Shark, AirPcap, BlockStream, SkipWare, TurboCap, WinPcap, Wireshark, TrafficScript, FlyScript, WWOS, and Stingray are trademarks or registered trademarks of Riverbed Technology, Inc. in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed Technology or their respective owners. Akamai and the Akamai wave logo are registered trademarks of Akamai Technologies, Inc. SureRoute is a service mark of Akamai. Apple and Mac are registered trademarks of Apple, Incorporated in the United States and in other countries. Cisco is a registered trademark of Cisco Systems, Inc. and its affiliates in the United States and in other countries. EMC, Symmetrix, and SRDF are registered trademarks of EMC Corporation and its affiliates in the United States and in other countries. IBM, iSeries, and AS/400 are registered trademarks of IBM Corporation and its affiliates in the United States and in other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. Microsoft, Windows, Vista, Outlook, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation in the United States and in other countries. Oracle and JInitiator are trademarks or registered trademarks of Oracle Corporation in the United States and in other countries. UNIX is a registered trademark in the United States and in other countries, exclusively licensed through X/Open Company, Ltd. VMware, ESX, ESXi are trademarks or registered trademarks of VMware, Incorporated in the United States and in other countries.
This product includes software developed by the University of California, Berkeley (and its contributors), EMC, and Comtech AHA Corporation. This product is derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm. NetApp Manageability Software Development Kit (NM SDK), including any third-party software available for review with such SDK which can be found at http://communities.netapp.com/docs/DOC-1152, and are included in a NOTICES file included within the downloaded files. For a list of open source software (including libraries) used in the development of this software along with associated copyright and license agreements, see the Riverbed Support site at https://support.riverbed.com. This documentation is furnished AS IS and is subject to change without notice and should not be construed as a commitment by Riverbed Technology. This documentation may not be copied, modified or distributed without the express authorization of Riverbed Technology and may be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification, disclosure or transfer of this documentation is restricted in accordance with the Federal Acquisition Regulations as applied to civilian agencies and the Defense Federal Acquisition Regulation Supplement as applied to military agencies. This documentation qualifies as commercial computer software documentation and any use by the government shall be governed solely by these terms. All other use is prohibited. Riverbed Technology assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation.

2013 Riverbed Technology. All rights reserved.


Contents

Preface ... 3
  About This Guide ... 3
    Audience ... 3
  Contacting Riverbed ... 3
    Internet ... 3
    Technical Support ... 3
    Professional Services ... 3
Chapter 1 Solution Overview ... 4
  Why Riverbed? ... 4
  Solution Architecture ... 4
Chapter 2 Virtual Wire Deployment ... 6
  Deployment Topology ... 6
  Deployment Prerequisites ... 7
  Understanding the Deployment Process ... 7
  Configure Interfaces ... 8
  Create Two Virtual Wires ... 8
  Create Three Security Zones ... 9
Chapter 3 Routed Deployment ... 10
  Deployment Topology ... 10
  Deployment Prerequisites ... 11
  Understanding the Deployment Process ... 11
  Configure Interfaces for Routed Deployment ... 12
  Create a Virtual Wire for Routed Deployment ... 12
  Create a Virtual Router for Routed Deployment ... 13
  Create Four Security Zones ... 14
Chapter 4 Policy Based Forwarding Deployment ... 15
  Deployment Topology ... 15
  Deployment Prerequisites ... 16
  Understanding the Deployment Process ... 16
  Configure Interfaces for PBF Deployment ... 17
  Create a Virtual Router for PBF Deployment ... 17
  Create Three Security Zones for PBF Deployment ... 18
  Configure Policy Based Forwarding ... 19
Chapter 5 Troubleshooting Problems ... 20
  Allow Ping on Firewall Interfaces ... 20
  Packet Capture ... 20
  Allow Traffic to Pass ... 20
  Add a Deny All Rule ... 20
Appendix A Miscellaneous Configuration Steps ... 21
  Configure Full Transparency and OOB Transparency ... 21
  Configure Security Policies ... 22
    Outbound Traffic ... 22
    Inbound Traffic ... 22
Appendix B Additional Resources ... 24
  Steelhead Management Console Users Guide ... 24
  Palo Alto Networks Administrators Guide ... 24


PREFACE

Welcome to the Steelhead and Palo Alto Networks Firewall Solution Guide. Read this preface for an overview of the information provided in this guide and contact information. This preface includes the following sections:
- About This Guide
- Contacting Riverbed

About This Guide

The Steelhead and Palo Alto Networks Firewall Solution Guide provides an overview of how to deploy Palo Alto Networks Firewall appliances alongside Steelhead appliances. This guide provides configuration details for both the Palo Alto Networks Firewall and the Steelhead appliance.

Audience

This guide is written for security and networking administrators. It assumes you are familiar with firewall and networking fundamentals. You must also be familiar with:
- the Management Console. For details, see the Steelhead Management Console Users Guide.
- the installation and configuration process for the Steelhead appliance. For details, see the Steelhead Appliance Installation and Configuration Guide and the Steelhead Installation Guide.
- the installation and configuration process for the Palo Alto Networks Firewall. For details, see the Palo Alto Networks Administrators Guide.

For more details on the Steelhead appliance family, see http://www.riverbed.com/products-solutions/products/wan-optimization-steelhead/

For more details on the Palo Alto Networks Firewall, see http://www.paloaltonetworks.com/

Contacting Riverbed

This section describes how to contact departments within Riverbed.

Internet

You can learn about Riverbed products through the company Web site: http://www.riverbed.com.

Technical Support

If you have problems installing, using, or replacing Riverbed products, contact Riverbed Support or your channel partner who provides support. To contact Riverbed Support, open a trouble ticket by calling 1-888-RVBD-TAC (1-888-782-3822) in the United States and Canada or +1 415 247 7381 outside the United States. You can also go to https://support.riverbed.com.

Professional Services

Riverbed has a staff of professionals who can help you with installation, provisioning, network redesign, project management, custom designs, consolidation project design, and custom coded solutions. To contact Riverbed Professional Services, email proserve@riverbed.com or go to http://www.riverbed.com/us/products/professional_services/.


Chapter 1 Solution Overview


This chapter provides an overview of deploying Palo Alto Firewall appliances alongside Steelhead appliances. This chapter includes the following sections:
- Why Riverbed?
- Solution Architecture

Why Riverbed?

RiOS was created to solve application acceleration challenges in a very different way than caches. Caches were built as protocol-specific architectures, essentially dealing only with data in the application silo that they understand. RiOS, on the other hand, accelerates applications on three levels simultaneously:
1. Data Streamlining: Data Reduction for All TCP Applications
2. Transport Streamlining: TCP Optimizations for All Applications
3. Application Streamlining: Application-Specific Optimizations

Each of these approaches happens independently in RiOS, meaning that all enterprise applications can benefit from data reduction and transport layer acceleration. Application layer acceleration is treated as one piece of the puzzle in this architecture, while in the caching architecture it is a requirement that the cache understand the application protocol. The application-independent optimizations in RiOS mean that email, file sharing, document management, ERP applications, CAD applications, network-based backup, software distribution, web-based applications, and even custom-built applications see benefits. The result of this approach is massive acceleration for all applications that run over TCP: users see up to 100 times faster application speed and up to 95% less bandwidth utilization at the same time. The system is designed to intelligently accelerate applications without creating the management problems that caches have created in today's networks.

Solution Architecture

This section describes the traffic flow when deploying Steelhead appliances alongside Palo Alto Networks Firewall appliances. In the outbound direction, traffic originating from clients is first sent to the Palo Alto Networks Firewall for security policies to be applied. Traffic the firewall allows through is then sent through the Steelhead appliance to be optimized. The optimized traffic is then sent back through the same Palo Alto Networks Firewall for encryption before being sent out to the WAN. Figure 1-1 lays out the packet flow logically.

Figure 1-1 Logical layout of Steelhead appliance alongside Palo Alto Networks Firewall (figure not reproduced; elements shown: Client Devices, Palo Alto Networks Firewall, Riverbed Steelhead appliance, WAN Router, WAN)


Palo Alto firewalls have a technology called App-ID to classify traffic based on application. App-ID allows you to apply policies at an application level, rather than just to ports and IPs as in a traditional firewall. This prevents applications from, for example, sneaking around the firewall by using port 80. App-ID works by looking for signatures in traffic to identify it as belonging to a particular application. For App-ID to work properly the Palo Alto Networks Firewall must operate on unoptimized traffic by being deployed on the LAN side of the Steelhead appliance. The Steelhead appliance alters the signature of the traffic in order to optimize it, which results in Steelhead optimized traffic being classified as riverbed-rios by PAN-OS, rather than as belonging to the original application.

Positioning the Palo Alto Networks Firewall on the LAN side of the Steelhead appliance has a few limitations, however:
- The Steelhead appliance is left unprotected by the firewall.
- The firewall cannot encrypt traffic. Encrypted traffic is random and not optimizable by the Steelhead appliance.

In order for the Palo Alto Networks Firewall to perform its full functionality, it must see traffic both before and after optimization. The subsequent chapters in this solution guide describe different methods of deploying Steelhead appliances alongside Palo Alto Networks Firewall appliances.
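A practical way to confirm that the firewall is in fact seeing traffic before optimization is to look at what App-ID reports per zone pair. The Python audit below is an added example, not part of this guide: it relies only on the observation above that PAN-OS classifies Steelhead-optimized traffic as riverbed-rios. The zone names (trusted, steelhead, untrusted) and the four-column CSV layout are assumptions, and the log records are constructed; real PAN-OS traffic logs carry many more columns, so map them into this shape first.

```python
"""
Audit a traffic-log extract for signs that the firewall is not seeing traffic
before optimization. Added example (not from the guide or PAN-OS); it uses the
guide's point that Steelhead-optimized traffic is classified as riverbed-rios.
The CSV columns and the zone names are assumptions of this example.
"""
import csv
from io import StringIO
from typing import Dict, List, Set, Tuple

OPTIMIZED_APP = "riverbed-rios"
# Zone pairs of the virtual wire deployment (chapter 2); assumed zone names.
PRE_OPT = ("trusted", "steelhead")     # firewall -> Steelhead LAN port
POST_OPT = ("steelhead", "untrusted")  # Steelhead WAN port -> firewall

# Constructed sample records: from_zone,to_zone,app,bytes
SAMPLE_LOG = """\
from_zone,to_zone,app,bytes
trusted,steelhead,ms-ds-smb,48213
steelhead,untrusted,riverbed-rios,9112
trusted,steelhead,riverbed-rios,7701
steelhead,untrusted,dns,312
untrusted,steelhead,riverbed-rios,6600
"""


def apps_by_zone_pair(log_text: str) -> Dict[Tuple[str, str], Set[str]]:
    """Collect the App-ID names seen on each (from_zone, to_zone) pair."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for row in csv.DictReader(StringIO(log_text)):
        seen.setdefault((row["from_zone"], row["to_zone"]), set()).add(row["app"])
    return seen


def audit(log_text: str) -> List[Tuple[int, str]]:
    """Return (log line number, finding) for records that contradict the design.

    On the pre-optimization pair (either direction) the firewall should see the
    original application. riverbed-rios there means the traffic was already
    optimized before it reached the firewall, so App-ID policy on that pair
    cannot distinguish the real application.
    """
    findings = []
    pre_pairs = {PRE_OPT, PRE_OPT[::-1]}
    for lineno, row in enumerate(csv.DictReader(StringIO(log_text)), start=2):
        pair = (row["from_zone"], row["to_zone"])
        if row["app"] == OPTIMIZED_APP and pair in pre_pairs:
            findings.append((lineno, f"{pair[0]}->{pair[1]} carries {OPTIMIZED_APP}: "
                                     "App-ID cannot see the real application on this path"))
    return findings


def post_opt_is_optimizing(log_text: str) -> bool:
    """True when riverbed-rios appears on the post-optimization pair, i.e. the
    Steelhead is optimizing and the firewall sees both sides of it."""
    seen = apps_by_zone_pair(log_text)
    return OPTIMIZED_APP in (seen.get(POST_OPT, set()) | seen.get(POST_OPT[::-1], set()))


if __name__ == "__main__":
    for lineno, msg in audit(SAMPLE_LOG):
        print(f"line {lineno}: {msg}")
    print("post-optimization path shows optimized traffic:", post_opt_is_optimizing(SAMPLE_LOG))
```

Unoptimized pass-through sessions still show their original application on the post-optimization pair (the dns record above), so only riverbed-rios on the pre-optimization pair is reported.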


Chapter 2 Virtual Wire Deployment


This chapter describes the process and procedures for a Virtual Wire deployment. Virtual Wire is the simplest way to deploy Steelhead appliances alongside Palo Alto Firewall appliances but is unable to perform layer 3 services such as VPN. This chapter includes the following sections:
- Deployment Topology
- Deployment Prerequisites
- Understanding the Deployment Process
- Configure Interfaces
- Create Two Virtual Wires
- Create Three Security Zones

Deployment Topology
Figure 2-1 Virtual Wire Deployment Topology (figure not reproduced; label shown: WAN)

Starting with the clients in the bottom left corner, the packet flow is:
1. Clients send traffic to the LAN switch.
2. From the LAN switch, packets go into ethernet1/1 of the Palo Alto Networks Firewall.
3. Firewall policies are applied and then the traffic is sent out ethernet1/2 to the Steelhead LAN port.
4. The Steelhead appliance optimizes the traffic and sends it from the Steelhead WAN port to ethernet1/3 of the Palo Alto Networks Firewall.
5. The Palo Alto firewall sends traffic out ethernet1/4 to the WAN.


Deployment Prerequisites
The following items should be completed before beginning the deployment.
- The physical wiring should be completed as in Figure 2-1.
- The default gateway of the Steelhead appliance In-Path interface should be set to the IP address of the WAN router.

Understanding the Deployment Process


The following table displays the process for deploying and configuring the Palo Alto Networks firewall:

Component: Palo Alto Networks Firewall

Procedure: Configure interfaces ethernet1/1 through ethernet1/4 as Virtual Wire.
Description: For a virtual wire deployment, all four interfaces should be configured with an Interface Type of Virtual Wire. For details, see Configure Interfaces.

Procedure: Create two Virtual Wires.
Description: Create two virtual wires with the following parameters:
- Pre-optimization bridges ethernet1/1 and ethernet1/2
- Post-optimization bridges ethernet1/3 and ethernet1/4
For details, see Create Two Virtual Wires.

Procedure: Create three Security Zones of type virtual-wire.
Description: Create three security zones, all three with Type of virtual-wire. This deployment requires an additional Steelhead zone.
- Trusted: The trusted network the clients are on. This includes interface ethernet1/1.
- Steelhead: For traffic going to and coming from the Steelhead appliance. This includes interfaces ethernet1/2 and ethernet1/3.
- Untrusted: For the internet-facing network. This includes interface ethernet1/4.
For details, see Create Three Security Zones.

Procedure: Configure security policies.
Description: Because of the additional security zones required for traffic to flow from the firewall to the Steelhead appliance and then back to the firewall, additional policies and changes to the way policies are written will be needed as well. For details, see Configure Security Policies.


Configure Interfaces
Interfaces can be configured by navigating to Network -> Interfaces in the Palo Alto web interface. All four interfaces should be configured with an Interface Type of Virtual Wire.

Figure 2-1 Screenshot of completed Interface configuration for Virtual Wire deployment

Create Two Virtual Wires


Virtual Wires can be configured by navigating to Network -> Virtual Wires in the Palo Alto web interface. The Pre-optimization virtual wire bridges ethernet1/1 to ethernet1/2. The Post-optimization virtual wire bridges ethernet1/3 to ethernet1/4.

Figure 2-2 Screenshot of completed Virtual Wire configuration for Virtual Wire deployment


Create Three Security Zones


Security Zones can be configured by navigating to Network -> Zones in the Palo Alto web interface.

Figure 2-3 Screenshot of completed Security Zone configuration for Virtual Wire deployment


Chapter 3 Routed Deployment


This chapter describes the process and procedures for a Routed Deployment. With a routed deployment the Palo Alto Networks Firewall can perform routing and switching services, including VPN. This chapter includes the following sections:
- Deployment Topology
- Deployment Prerequisites
- Understanding the Deployment Process
- Configure Interfaces for Routed Deployment
- Create a Virtual Wire for Routed Deployment
- Create a Virtual Router for Routed Deployment
- Create Four Security Zones

Deployment Topology
Figure 3-1 Routed Deployment Topology (figure not reproduced; addresses shown: 192.168.12.1/24, 192.168.10.3/24, 192.168.10.1/24; label shown: WAN)

Starting with the clients in the bottom left corner, the packet flow is:
1. Clients send traffic to the LAN switch.
2. From the LAN switch, packets go into ethernet1/1 of the Palo Alto Networks Firewall.
3. Firewall policies are applied and then the traffic is sent out ethernet1/2 to the Steelhead LAN port.
4. The Steelhead appliance optimizes the traffic and sends it from the Steelhead WAN port to ethernet1/3 of the Palo Alto Networks Firewall.
5. The Palo Alto firewall sends traffic out ethernet1/4 to the WAN.


Deployment Prerequisites
Before deployment, the physical wiring should be completed as in Figure 3-1. In this deployment the default gateway for the clients will be ethernet1/3 of the Palo Alto Networks Firewall.

Understanding the Deployment Process


The following table displays the process for deploying and configuring the Palo Alto Networks firewall and the Steelhead appliance:

Component: Palo Alto Networks Firewall

Procedure: Configure interfaces ethernet1/1 and ethernet1/2 as Virtual Wire.
Description: For a routed deployment, the pre-optimization interfaces should be configured with an Interface Type of Virtual Wire. For details, see Configure Interfaces for Routed Deployment.

Procedure: Configure interfaces ethernet1/3 and ethernet1/4 as Layer 3.
Description: For a routed deployment, the post-optimization interfaces should be configured with an Interface Type of Layer 3. Assign IP addresses accordingly. For details, see Configure Interfaces for Routed Deployment.

Procedure: Create a Virtual Wire.
Description: Create a virtual wire that bridges ethernet1/1 and ethernet1/2. For details, see Create a Virtual Wire for Routed Deployment.

Procedure: Create a Virtual Router.
Description: Create a virtual router and a static route to the default gateway. For details, see Create a Virtual Router for Routed Deployment.

Procedure: Create four Security Zones: two of type virtual-wire and two of type Layer 3.
Description: Create four security zones, two of type virtual-wire and two of type Layer 3. This deployment requires the additional Steelhead LAN and Steelhead WAN zones.
- Trusted: The trusted network the clients are on. This includes interface ethernet1/1.
- Steelhead LAN: For traffic going to and coming from the Steelhead LAN interface. This includes interface ethernet1/2.
- Steelhead WAN: For traffic going to and coming from the Steelhead WAN interface. This includes interface ethernet1/3.
- Untrusted: For the internet-facing network. This includes interface ethernet1/4.
For details, see Create Four Security Zones.

Procedure: Configure security policies.
Description: Because of the additional security zones required for traffic to flow from the firewall to the Steelhead appliance and then back to the firewall, additional policies and changes to the way policies are written will be needed as well. For details, see Configure Security Policies.

Component: Steelhead appliance

Procedure: Set the In-Path Gateway IP of the Steelhead In-Path interface to the IP address of ethernet1/3.
Description: To set the In-Path Gateway IP, navigate to Configure -> Networking -> In-Path Interfaces.

Procedure: (Optional) If configuring NAT on the Palo Alto Networks Firewall, configure Full Transparency and OOB Transparency on the Steelhead appliance.
Description: Full Transparency and OOB Transparency on the Steelhead appliance are needed for proper operation with NAT. For details, see Configure Full Transparency and OOB Transparency.


Configure Interfaces for Routed Deployment


Interfaces can be configured by navigating to Network -> Interfaces in the Palo Alto web interface. Interfaces ethernet1/1 and ethernet1/2 should be configured as Virtual Wire. Interfaces ethernet1/3 and ethernet1/4 should be configured as Layer 3. The Layer 3 interfaces should have IP addresses assigned to them; in this example we use 192.168.12.1/24 and 192.168.10.3/24 for ethernet1/3 and ethernet1/4 respectively.

Figure 3-2 Screenshot of completed Interface configuration for Routed deployment

Create a Virtual Wire for Routed Deployment


Virtual Wires can be configured by navigating to Network -> Virtual Wires in the Palo Alto web interface. The Pre-optimization virtual wire bridges ethernet1/1 to ethernet1/2.

Figure 3-3 Screenshot of completed Virtual Wire configuration for Routed deployment


Create a Virtual Router for Routed Deployment


Virtual Routers can be configured by navigating to Network -> Virtual Routers in the Palo Alto web interface. Add ethernet1/3 and ethernet1/4 to the Virtual Router as in Figure 3-4 below.

Figure 3-4 Screenshot of Virtual Router configuration

A route to the next hop in your network should be added to the Virtual Router, as in Figure 3-5 below.

Figure 3-5 Screenshot of Virtual Router default route


Create Four Security Zones


Security Zones can be configured by navigating to Network -> Zones in the Palo Alto web interface.

Figure 3-6 Screenshot of completed Security Zone configuration for Routed deployment


Chapter 4 Policy Based Forwarding Deployment


This chapter describes the process and procedures for a Policy Based Forwarding (PBF) deployment. A PBF deployment should be used if you want the Steelhead appliance to be out of path. This chapter includes the following sections:
- Deployment Topology
- Deployment Prerequisites
- Understanding the Deployment Process
- Configure Interfaces for PBF Deployment
- Create a Virtual Router for PBF Deployment
- Create Three Security Zones for PBF Deployment
- Configure Policy Based Forwarding

Deployment Topology
Figure 4-1 Policy Based Forwarding Topology (figure not reproduced; addresses shown: 192.168.11.51/24, 192.168.11.1/24, 192.168.12.1/24, 192.168.10.3/24, 192.168.10.1/24; label shown: WAN)

Starting with the clients in the bottom left corner, the packet flow is:
1. Clients send traffic to the LAN switch.
2. From the LAN switch, packets go into ethernet1/1 of the Palo Alto Networks Firewall.
3. Firewall policies are applied and then the traffic is sent out ethernet1/2 to the Steelhead WAN port.
4. The Steelhead appliance optimizes the traffic and sends it from the Steelhead WAN port back to ethernet1/2 of the Palo Alto Networks Firewall.
5. The Palo Alto firewall sends traffic out ethernet1/3 to the WAN.


Deployment Prerequisites
The following items should be completed before beginning the deployment.
- The physical wiring should be completed as in Figure 4-1.
- The default gateway for the clients will be ethernet1/1 of the Palo Alto Networks Firewall.
- Enable PBF support on the Steelhead appliance by navigating to Configure -> Optimization -> General Service Settings and checking Enable L4/PBR/WCCP/Interceptor Support.
- Restart the optimization service by navigating to Configure -> Maintenance -> Services and clicking Restart.

Understanding the Deployment Process


The following table displays the process for deploying and configuring the Palo Alto Networks firewall and the Steelhead appliance:

Component: Palo Alto Networks Firewall

Procedure: Configure interfaces ethernet1/1 through ethernet1/3 as Layer 3.
Description: For a PBF deployment, the interfaces should be configured with an Interface Type of Layer 3. Assign IP addresses accordingly. For details, see Configure Interfaces for PBF Deployment.

Procedure: Create a Virtual Router.
Description: Create a virtual router and a static route to the default gateway. For details, see Create a Virtual Router for PBF Deployment.

Procedure: Create three Security Zones of type Layer 3.
Description: Create three security zones, all three with Type of Layer 3. This deployment requires an additional Steelhead zone.
- Trusted: The trusted network the clients are on. This includes interface ethernet1/1.
- Steelhead: For traffic going to and coming from the Steelhead appliance. This includes interface ethernet1/2.
- Untrusted: For the internet-facing network. This includes interface ethernet1/3.
For details, see Create Three Security Zones for PBF Deployment.

Procedure: Create a Policy Based Forwarding policy.
Description: Create a Policy Based Forwarding policy to forward all traffic to the Steelhead appliance. For details, see Configure Policy Based Forwarding.

Procedure: Configure security policies.
Description: Because of the additional security zones required for traffic to flow from the firewall to the Steelhead appliance and then back to the firewall, additional policies and changes to the way policies are written will be needed as well. For details, see Configure Security Policies.

Component: Steelhead appliance

Procedure: Set the In-Path Gateway IP of the Steelhead In-Path interface to the IP address of ethernet1/2.
Description: To set the In-Path Gateway IP, navigate to Configure -> Networking -> In-Path Interfaces.

Procedure: (Optional) If configuring NAT on the Palo Alto Networks Firewall, configure Full Transparency and OOB Transparency on the Steelhead appliance.
Description: Full Transparency and OOB Transparency on the Steelhead appliance are needed for proper operation with NAT. For details, see Configure Full Transparency and OOB Transparency.


Configure Interfaces for PBF Deployment


Interfaces can be configured by navigating to Network -> Interfaces in the Palo Alto web interface. Interfaces ethernet1/1 through ethernet1/3 should be configured as Layer 3. The Layer 3 interfaces should have IP addresses assigned to them; the IP addresses used in Figure 4-2 correspond to the IP addresses in Figure 4-1.

Figure 4-2 Screenshot of completed Interface configuration for PBF deployment

Create a Virtual Router for PBF Deployment


Virtual Routers can be configured by navigating to Network -> Virtual Routers in the Palo Alto web interface. Add ethernet1/1, ethernet1/2, and ethernet1/3 to the Virtual Router as in Figure 4-3 below.

Figure 4-3 Screenshot of Virtual Router configuration

A route to the next hop in your network should be added to the Virtual Router, as in Figure 4-4 below.


Figure 4-4 Screenshot of Virtual Router default route

Create Three Security Zones for PBF Deployment


Security Zones can be configured by navigating to Network -> Zones in the Palo Alto web interface.

Figure 4-5 Screenshot of completed Security Zone configuration for PBF deployment


Configure Policy Based Forwarding


Policy Based Forwarding can be configured by navigating to Policies -> Policy Based Forwarding in the Palo Alto web interface. Two policies need to be created: one to forward traffic originating from the Trusted zone and the other for traffic originating from the Untrusted zone.

Figure 4-6 Screenshot of both PBF policies

The Forwarding for the rule should be configured to forward traffic to the Steelhead In-Path IP address through ethernet1/2. A monitor should be configured to bypass the Steelhead in the event of failure. This is depicted in Figure 4-7 below.

Figure 4-7 Screenshot of Forwarding rule


Chapter 5 Troubleshooting Problems


This chapter describes common deployment problems and solutions. This chapter includes the following sections:
- Allow Ping on Firewall Interfaces
- Packet Capture
- Allow Traffic to Pass
- Add a Deny All Rule

Allow Ping on Firewall Interfaces


Palo Alto Networks Firewall interfaces do not respond to ping by default. To enable ping responses:
1. Navigate to Network -> Network Profiles -> Interface Mgmt.
2. Create an Interface Management profile that enables ping.
3. Navigate to Network -> Interfaces and edit the interface on which to enable ping.
4. In the edit interface window, navigate to Advanced -> Other Info and assign the Management Profile created in step 2.

Packet Capture
Both the Steelhead appliance and the Palo Alto Networks Firewall can capture packets and save them to a file that can be analyzed with Wireshark. To capture packets on the Steelhead appliance, navigate to Reports -> Diagnostics -> TCP Dumps and click Add a New TCP Dump. To capture packets on the Palo Alto Networks Firewall, navigate to Monitor -> Packet Capture.

Allow Traffic to Pass


By default, the Palo Alto Networks Firewall drops all traffic. For troubleshooting purposes it is easier if the firewall passes all traffic, which removes the firewall from the equation. Policies are created by navigating to Policies -> Security in the Palo Alto web interface.

Add a Deny All Rule


The Palo Alto Networks Firewall implicitly denies all traffic that is not specifically allowed by a policy. Traffic that is dropped by the implicit rule is unfortunately not logged. You can get around this by adding an explicit deny all rule to the end of the list. For more details, see this tech tip.


Appendix A Miscellaneous Configuration Steps


This appendix provides miscellaneous configuration steps referenced in the above sections. This appendix includes the following sections:
- Configure Full Transparency and OOB Transparency
- Configure Security Policies

Configure Full Transparency and OOB Transparency


If the Palo Alto Networks Firewall is configured to do NAT, then the Steelhead appliance must be configured for Full Transparency and OOB Transparency. To add an In-Path rule for Full Transparency, navigate to Configure -> Optimization -> In-Path Rules and click Add a New In-Path Rule. Set the WAN Visibility Mode to Full Transparency; all other fields can be left at their defaults. Figure 3-6 depicts a completed In-Path rule.

Figure A-1 Screenshot of Full Transparency In-Path rule

OOB Transparency must also be configured for NAT to work properly with the Steelhead appliance. To enable OOB transparency, enter the following in the Steelhead command line interface after entering conf t:

    in-path peering oobtransparency mode "destination"


Configure Security Policies


This section discusses how security policies should be applied when Steelhead appliances are deployed alongside a Palo Alto Networks Firewall. Because of the additional security zones required for traffic to flow from the firewall to the Steelhead appliance and then back to the firewall, additional policies and changes to the way policies are written are needed as well. Policies can be configured by navigating to Policies -> Security in the Palo Alto web interface. This section covers:
- Outbound Traffic
- Inbound Traffic

Outbound Traffic

For outbound traffic two changes are needed. The first is an additional policy to allow optimized traffic originating from the Steelhead appliance, illustrated in the Steelhead to WAN policy in Figure A-2 below. The policy should be created with the following parameters:
- Source Zone: Steelhead (or Steelhead WAN in the Chapter 3 Routed Deployment)
- Destination Zone: Untrusted
- Action: Allow

As traffic is now flowing from the Trusted zone to the Steelhead zone (or Steelhead LAN zone in the Chapter 3 Routed Deployment) before going to the Untrusted zone, the second change is that existing or new policies will need to be written with a Destination Zone of Steelhead (or Steelhead LAN in the Chapter 3 Routed Deployment). This is illustrated in the LAN to Steelhead policy in Figure A-2 below.

Figure A-2 Screenshot of policy to allow all outbound traffic

Inbound Traffic

For inbound traffic two changes are needed. The first is an additional policy to allow optimized traffic originating from the peer Steelhead appliance, illustrated in the WAN to Steelhead policy in Figure A-3 below. The policy should be created with the following parameters:
- Source Zone: Untrusted
- Destination Zone: Steelhead (or Steelhead WAN in the Chapter 3 Routed Deployment)
- Action: Allow

As traffic is now flowing from the Untrusted zone to the Steelhead zone (or Steelhead WAN zone in the Chapter 3 Routed Deployment) before going to the Trusted zone, the second change is that existing or new policies will need to be written with a Source Zone of Steelhead (or Steelhead WAN in the Chapter 3 Routed Deployment). This is illustrated in the Steelhead to LAN policy in Figure A-3 below.
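As an added illustration that is not part of this guide, the following Python models first-match zone-to-zone policy evaluation over the outbound and inbound hops described above, showing why a policy written as Trusted to Untrusted no longer matches once PBF inserts the Steelhead zone, and why the explicit Deny All rule from Chapter 5 makes the remaining drops visible in the logs. The rule sets and hop lists are constructed, and it assumes that a session routed directly while the PBF monitor is bypassing a failed Steelhead is evaluated as Trusted to Untrusted.

```python
# Added example, not code from the Riverbed guide: a minimal model of first-match
# zone-to-zone policy evaluation, used to check that a rule set covers every hop
# that Policy Based Forwarding adds. Zone and rule names follow the guide; the
# rule sets, hop lists and "any" handling are constructed here for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str  # zone name or "any"
    dst_zone: str  # zone name or "any"
    action: str    # "allow" or "deny"

def _matches(rule_zone, zone):
    return rule_zone == "any" or rule_zone == zone

def evaluate(rules, src_zone, dst_zone):
    """First match wins; returns (action, rule_name, logged). No match: implicit deny, unlogged."""
    for r in rules:
        if _matches(r.src_zone, src_zone) and _matches(r.dst_zone, dst_zone):
            return (r.action, r.name, True)
    return ("deny", "implicit", False)

def path_verdicts(rules, hops):
    """Evaluate each (src, dst) zone pair a session crosses through the firewall."""
    return [((s, d), evaluate(rules, s, d)) for s, d in hops]

def path_allowed(rules, hops):
    return all(verdict[0] == "allow" for _, verdict in path_verdicts(rules, hops))

# With PBF sending traffic through the Steelhead, each direction is two sessions.
OUTBOUND = [("Trusted", "Steelhead"), ("Steelhead", "Untrusted")]
INBOUND = [("Untrusted", "Steelhead"), ("Steelhead", "Trusted")]
# Assumption: when the PBF monitor bypasses a failed Steelhead, the session is
# routed directly and is evaluated as Trusted -> Untrusted.
BYPASS = [("Trusted", "Untrusted")]

# Constructed rule set from before the Steelhead was inserted.
BEFORE = [Rule("LAN to WAN", "Trusted", "Untrusted", "allow")]

# Constructed rule set after the guide's outbound and inbound changes, with the
# explicit Deny All from Chapter 5 last so that dropped traffic is logged.
AFTER = [
    Rule("LAN to Steelhead", "Trusted", "Steelhead", "allow"),
    Rule("Steelhead to WAN", "Steelhead", "Untrusted", "allow"),
    Rule("WAN to Steelhead", "Untrusted", "Steelhead", "allow"),
    Rule("Steelhead to LAN", "Steelhead", "Trusted", "allow"),
    Rule("LAN to WAN", "Trusted", "Untrusted", "allow"),  # kept for the bypass path
    Rule("Deny All", "any", "any", "deny"),
]
```

Running path_allowed(BEFORE, OUTBOUND) returns False because the first hop, Trusted to Steelhead, falls through to the unlogged implicit deny, while the AFTER rule set allows both directions and the bypass path and logs anything else under Deny All.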


Figure A-3 Screenshot of policy to allow inbound traffic


Appendix B Additional Resources


This section describes resources that supplement the information in this guide. It includes the following:
- Steelhead Management Console User's Guide
- Palo Alto Networks Administrator's Guide

Steelhead Management Console User's Guide


The Steelhead Management Console User's Guide describes how to configure and monitor the Steelhead appliance using the Management Console. It is available at: https://support.riverbed.com/software/appliance.htm

Palo Alto Networks Administrator's Guide


The Palo Alto Networks Administrator's Guide describes how to configure the Palo Alto Networks Firewall. It is available at https://live.paloaltonetworks.com/community/documentation/content?filterID=content~category[administrators-guide] (login required).

Riverbed Technology, Inc. 199 Fremont Street San Francisco, CA 94105 Tel: (415) 247-8800 www.riverbed.com

Riverbed Technology Ltd. One Thames Valley Wokingham Road, Level 2 Bracknell. RG42 1NG United Kingdom Tel: +44 1344 31 7100

Riverbed Technology Pte. Ltd. 391A Orchard Road #22-06/10 Ngee Ann City Tower A Singapore 238873 Tel: +65 6508-7400

Riverbed Technology K.K. Shiba-Koen Plaza Building 9F 3-6-9, Shiba, Minato-ku Tokyo, Japan 105-0014 Tel: +81 3 5419 1990
