Creating Security Zones in PaloAlto Panorama Server

PaloAlto Networks Panorama server helps centrally manage a large number of PA firewalls and maintain a common
security policy structure across multiple firewall devices.


One of the initial challenges when setting up security policies (rules) with Panorama is that rules cannot be
built on security zone definitions, because Panorama has none of its own. This is especially a concern if you
already have PA firewalls configured individually in your environment, with rules that use source and
destination security zones.


The Panorama GUI (in the releases current when this was written) does not allow creation of security zones; there
is no provision to define them. However, there is a CLI-based workaround: copy the configuration of an existing
security rule from one of the PA firewalls, in "set" command form, and paste it into the Panorama CLI. Note that
the procedure does not create zones anywhere; it only makes Panorama aware of zone names that already exist on
the managed firewalls, so those names must be present on every firewall the rule will be pushed to. Later
Panorama releases added templates, which can define zones centrally, but lifting an existing rule verbatim from a
firewall remains the quickest way to seed a device group with the zone names it already uses.


Once a single security policy that references the required zones exists in Panorama, further rules using the same
zones can be created through the GUI.


1.   On the firewall, in configure mode, set the configuration output format to "set" (the default output is a
     Juniper-style hierarchy with curly braces, which cannot be pasted back in). The "run" prefix is needed
     because this is an operational command issued from configure mode:
                              admin@Lab-PA500# run set cli config-output-format set

2.   Show the security rule output:
                           admin@Lab-PA500# show rulebase security rules <rule_name>

Sample output
admin@Lab-PA500# show rulebase security rules Allow_HTTP
set rulebase security rules Allow_HTTP option disable-server-response-inspection no
set rulebase security rules Allow_HTTP from trust
set rulebase security rules Allow_HTTP to untrust
set rulebase security rules Allow_HTTP source any
set rulebase security rules Allow_HTTP destination any
set rulebase security rules Allow_HTTP source-user any
set rulebase security rules Allow_HTTP category any
set rulebase security rules Allow_HTTP application any
set rulebase security rules Allow_HTTP service service-http
set rulebase security rules Allow_HTTP hip-profiles any
set rulebase security rules Allow_HTTP log-start no
set rulebase security rules Allow_HTTP log-end yes
set rulebase security rules Allow_HTTP negate-source no
set rulebase security rules Allow_HTTP negate-destination no
set rulebase security rules Allow_HTTP action allow



3.   Copy the output into a text editor.
4.   Depending on whether the rule should land in the device group's pre-rulebase (evaluated before the
     firewall's local rules) or post-rulebase (evaluated after them), replace the word "rulebase" with
     "pre-rulebase" or "post-rulebase" on every line.
Modified output (pre-rulebase example)
set pre-rulebase security rules Allow_HTTP option disable-server-response-inspection no
set pre-rulebase security rules Allow_HTTP from trust
set pre-rulebase security rules Allow_HTTP to untrust
set pre-rulebase security rules Allow_HTTP source any
set pre-rulebase security rules Allow_HTTP destination any
set pre-rulebase security rules Allow_HTTP source-user any
set pre-rulebase security rules Allow_HTTP category any
set pre-rulebase security rules Allow_HTTP application any
set pre-rulebase security rules Allow_HTTP service service-http
set pre-rulebase security rules Allow_HTTP hip-profiles any
set pre-rulebase security rules Allow_HTTP log-start no
set pre-rulebase security rules Allow_HTTP log-end yes
set pre-rulebase security rules Allow_HTTP negate-source no
set pre-rulebase security rules Allow_HTTP negate-destination no
set pre-rulebase security rules Allow_HTTP action allow



5.   Connect to the Panorama CLI, enter configure mode and move to the target device group:
                       admin@Panorama# edit device-group GLOBAL

     where "GLOBAL" is the name of the example device group. In the PAN-OS CLI, set commands entered inside an
     edit context are relative to that context, so the pasted lines (which already begin with
     "set pre-rulebase security rules ...") land under device-group GLOBAL. Do not drill down further into
     "pre-rulebase security", or the pasted path would be duplicated. Alternatively, stay at the top level of
     configure mode and prefix every line with "set device-group GLOBAL" instead.
6.   Paste the modified rule from the text editor.
7.   Commit the change on Panorama, then push it to the device group. The zone names in the rule ("trust" and
     "untrust" here) are not created by this procedure; they must already exist on every firewall in the device
     group, otherwise the device-side commit fails validation on any firewall that lacks them.
You will now be able to create more rules through the Panorama GUI using the security zones referenced by this
rule.
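The clipboard editing in steps 3 and 4, and the relative-versus-absolute path question in step 5, are easy to get wrong by hand when a rule has twenty lines or when several rules are moved at once. The following POSIX shell helper is an added example, not part of the original document and not Palo Alto Networks code. It rewrites firewall "set rulebase security rules ..." output into absolute Panorama commands that can be pasted at the top level of configure mode (so no "edit" context is needed), refuses anything that is not a security-rule line, and lists the zones the rule references so you can confirm they exist on every firewall in the device group before pushing. The abbreviated sample rule, the device-group name GLOBAL and the function names to_panorama and zones_in are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks code): rewrite firewall "set rulebase
# security rules ..." output into absolute Panorama device-group commands.

# Constructed sample: abbreviated "show rulebase security rules Allow_HTTP"
# output in set format, as step 2 produces on the firewall.
SAMPLE_RULE='set rulebase security rules Allow_HTTP from trust
set rulebase security rules Allow_HTTP to untrust
set rulebase security rules Allow_HTTP service service-http
set rulebase security rules Allow_HTTP action allow'

# to_panorama <device-group> <pre|post>
# Reads firewall set commands on stdin and writes commands of the form
#   set device-group <dg> <pre|post>-rulebase security rules ...
# These are absolute paths, so they can be pasted at the top level of
# Panorama configure mode without first entering an "edit" context.
# Any line that is not a security-rule set command is reported and skipped
# and the function returns 1, so a stray address object or operational
# command never reaches the clipboard unnoticed.
to_panorama() {
    dg="$1"
    base="$2"
    case "$base" in
        pre|post) ;;
        *) echo "usage: to_panorama <device-group> pre|post" >&2; return 2 ;;
    esac
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "set rulebase security rules "*)
                printf 'set device-group %s %s-rulebase security rules %s\n' \
                    "$dg" "$base" "${line#set rulebase security rules }"
                ;;
            "") ;;                      # blank line: ignore
            *)  echo "skipped non-rule line: $line" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# zones_in: print the distinct zone names used by "from"/"to" lines of either
# the firewall form or the Panorama form of a rule. Multi-valued zones appear
# in set output as "[ zone1 zone2 ]", so the brackets are dropped. Every name
# printed must exist on each firewall in the target device group.
zones_in() {
    awk '{
        for (i = 1; i < NF; i++) if ($i == "rules") break
        k = i + 2                       # field after the rule name
        if ($k == "from" || $k == "to")
            for (j = k + 1; j <= NF; j++)
                if ($j != "[" && $j != "]") print $j
    }' | sort -u
}

# Demonstration: convert the sample for the pre-rulebase of device group
# GLOBAL (a constructed name) and list the zones it references.
printf '%s\n' "$SAMPLE_RULE" | to_panorama GLOBAL pre
printf '%s\n' "$SAMPLE_RULE" | zones_in
```

Run it as `sh helper.sh`, or source it and pipe the saved firewall output through `to_panorama GLOBAL post` for the post-rulebase. Emitting absolute paths is a deliberate choice: a relative "set pre-rulebase ..." line is correct only when the CLI is sitting at exactly the right edit context, and a mistaken context silently creates the rule somewhere else or fails on commit.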
References
https://live.paloaltonetworks.com/docs/DOC-1545

Posted: 4/29/2012