Summary:

1. Mgmt Interface Setup, Mgmt Default Gateway / DNS / NTP

2. Configure zones / virtual router / other interfaces / DG

Details:

1. Mgmt Interface Setup, Mgmt Default Gateway / DNS / NTP (default username / password: admin/admin)

Note: the very first command I normally run is "set cli config-output-format set", which will give you a nicer / cleaner look once you are in configuration mode

Commands:

# set deviceconfig system ip-address 10.1.1.30 netmask 255.255.255.0

# set deviceconfig system default-gateway 10.1.1.1

# set deviceconfig system dns-setting servers primary 8.8.8.8

# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address time.google.com

# commit

Now you can access the virtual firewall via a browser at https://10.1.1.30.

Knowledge:


  • management plane - all dynamic updates to the firewall itself

  • data plane - traffic for end users

  • Layer3: allow routing and NAT

  • VWire: transparent mode

  • L2: vlans / switching capabilities

  • HA: (see my HA notes for details)

-Control link: hello messages, heartbeats, HA state info, User-ID info, config sync

-Data link: session info; forwarding tables; IPSec SAs; ARP

-A third link type for Active / Active setup

  • Tap: port mirroring, taking forwarded traffic from other devices


  • Why zones?

    • You can write security policies between zones (groups of interfaces) rather than per individual interface.

Note: If you do not have a router on the dataplane side, proxy ARP can be a workaround.

To test your configurations so far:

===========================

admin@PA-VM> traceroute host www.google.com
traceroute to www.google.com (172.217.13.228), 30 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  2.043 ms  1.913 ms  1.824 ms
 2  lo0-100.CLPPVA-VFTTP-301.verizon-gni.net (108.44.145.1)  6.657 ms  6.578 ms  6.058 ms
 3  B3301.CLPPVA-LCR-21.verizon-gni.net (100.41.132.86)  19.011 ms  20.311 ms  19.178 ms
 4  * * *
 5  0.et-8-0-2.GW13.IAD8.ALTER.NET (140.222.0.185)  21.812 ms  21.714 ms  21.629 ms
 6  204.148.79.46 (204.148.79.46)  21.517 ms  32.684 ms  33.097 ms
 7  * * *
 8   (108.170.232.213)  11.736 ms  12.606 ms  12.507 ms
 9  iad23s61-in-f4.1e100.net (172.217.13.228)  10.846 ms  11.605 ms  11.490 ms
admin@PA-VM>

================================

Note: you do not have to use the mgmt interface as the source for DNS / NTP; you can choose a different (dataplane) interface instead.

2. Configure zones / virtual router / other interfaces / DG

  • 2.1 Configure zones: (you do not have to specify the layer 3 type; by default a zone is a layer 3 zone)

# set zone inside
# set zone dmz
# set zone prod
# set zone outside

# show zone

  • 2.2 Configure virtual router:

# set network virtual-router VR-1

# show network virtual-router

  • 2.3 Configure interfaces:

----------------------

eth1/1 <-> outside

----------------------

IP and comments:

# set network interface ethernet ethernet1/1 layer3 ip 10.1.1.100/24
# set network interface ethernet ethernet1/1 comment "Internet Facing"

Attach the interface to a zone:

# set zone outside network layer3 ethernet1/1

Attach the interface to a virtual router:

# set network virtual-router VR-1 interface ethernet1/1

Very important step:

# commit

eth1/2 <-> dmz

===============

set network interface ethernet ethernet1/2 layer3 ip 172.16.1.1/24
set network interface ethernet ethernet1/2 comment "Web Servers"
set zone dmz network layer3 ethernet1/2
set network virtual-router VR-1 interface ethernet1/2

commit

eth1/3 <-> inside

==============

set network interface ethernet ethernet1/3 layer3 ip 172.16.2.1/24
set network interface ethernet ethernet1/3 comment "Internal Users"
set zone inside network layer3 ethernet1/3
set network virtual-router VR-1 interface ethernet1/3
commit

eth1/4 <-> prod

==============

set network interface ethernet ethernet1/4 layer3 ip 172.16.3.1/24
set network interface ethernet ethernet1/4 comment "Prod Env"
set zone prod network layer3 ethernet1/4
set network virtual-router VR-1 interface ethernet1/4
commit

  • 2.4 Configure default route:

set network virtual-router VR-1 routing-table ip static-route DefaultRoute nexthop ip-address 10.1.1.1
set network virtual-router VR-1 routing-table ip static-route DefaultRoute interface ethernet1/1
set network virtual-router VR-1 routing-table ip static-route DefaultRoute destination 0.0.0.0/0


commit
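Steps 1 and 2 above are easy to get subtly wrong by hand (an interface left out of a zone or the virtual router, a default-route next hop that is not on the egress subnet, a mgmt gateway outside the mgmt subnet). The script below is an added example, not part of the original notes and not a Palo Alto tool: it renders the same set commands from a small interface table (the addressing is the constructed sample from the notes) and runs a consistency check before anything is pasted into the firewall. Names such as L3Interface, render_set_commands and validate are this example's own.

```python
"""Render and sanity-check the PAN-OS L3 build from steps 1 and 2 of the notes.

Added example (not from the original notes). A declarative interface table is
turned into the same "set ..." lines the notes use, and validate() catches the
mistakes that most often leave a fresh PA-VM unreachable.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class L3Interface:
    name: str          # e.g. "ethernet1/1"
    cidr: str          # interface IP in CIDR form, e.g. "10.1.1.100/24"
    zone: str          # zone the interface is attached to
    comment: str = ""


# Constructed sample input: the same addressing the notes use.
MGMT = {"ip": "10.1.1.30", "netmask": "255.255.255.0", "gateway": "10.1.1.1"}
VROUTER = "VR-1"
DEFAULT_NEXT_HOP = "10.1.1.1"
EGRESS = "ethernet1/1"
INTERFACES = [
    L3Interface("ethernet1/1", "10.1.1.100/24", "outside", "Internet Facing"),
    L3Interface("ethernet1/2", "172.16.1.1/24", "dmz", "Web Servers"),
    L3Interface("ethernet1/3", "172.16.2.1/24", "inside", "Internal Users"),
    L3Interface("ethernet1/4", "172.16.3.1/24", "prod", "Prod Env"),
]


def render_set_commands(interfaces, vrouter, next_hop, egress):
    """Return the set-format lines for zones, virtual router, interfaces and default route."""
    lines = [f"set zone {z}" for z in sorted({i.zone for i in interfaces})]
    lines.append(f"set network virtual-router {vrouter}")
    for i in interfaces:
        lines.append(f"set network interface ethernet {i.name} layer3 ip {i.cidr}")
        if i.comment:
            lines.append(f'set network interface ethernet {i.name} comment "{i.comment}"')
        lines.append(f"set zone {i.zone} network layer3 {i.name}")      # attach to zone
        lines.append(f"set network virtual-router {vrouter} interface {i.name}")  # attach to VR
    rt = f"set network virtual-router {vrouter} routing-table ip static-route DefaultRoute"
    lines += [f"{rt} nexthop ip-address {next_hop}",
              f"{rt} interface {egress}",
              f"{rt} destination 0.0.0.0/0"]
    return lines


def validate(interfaces, next_hop, egress, mgmt):
    """Return a list of human-readable problems; an empty list means the build is consistent."""
    problems = []
    # Every dataplane interface needs a zone, otherwise no security policy can reference it.
    for i in interfaces:
        if not i.zone:
            problems.append(f"{i.name}: no zone assigned")
    # Overlapping connected subnets on one virtual router give ambiguous routing.
    nets = [(i.name, ipaddress.ip_interface(i.cidr).network) for i in interfaces]
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            if nets[a][1].overlaps(nets[b][1]):
                problems.append(f"{nets[a][0]} and {nets[b][0]}: overlapping subnets")
    # The default-route next hop must sit on the egress interface's own subnet.
    by_name = {i.name: i for i in interfaces}
    if egress not in by_name:
        problems.append(f"default route egress {egress} is not a configured interface")
    else:
        net = ipaddress.ip_interface(by_name[egress].cidr).network
        if ipaddress.ip_address(next_hop) not in net:
            problems.append(f"next hop {next_hop} is not on {egress}'s subnet {net}")
    # The mgmt default gateway must be on the mgmt subnet (ip/netmask form is accepted).
    mgmt_net = ipaddress.ip_interface(f"{mgmt['ip']}/{mgmt['netmask']}").network
    if ipaddress.ip_address(mgmt["gateway"]) not in mgmt_net:
        problems.append(f"mgmt gateway {mgmt['gateway']} is not on {mgmt_net}")
    return problems


if __name__ == "__main__":
    issues = validate(INTERFACES, DEFAULT_NEXT_HOP, EGRESS, MGMT)
    if issues:
        print("NOT rendering; fix these first:")
        for p in issues:
            print("  -", p)
    else:
        print("\n".join(render_set_commands(INTERFACES, VROUTER, DEFAULT_NEXT_HOP, EGRESS)))
        print("commit")
```

Run it with no arguments to print the command block for the sample table; change an address in INTERFACES (for example give ethernet1/4 an address inside 172.16.1.0/24, or point the default route at a next hop outside 10.1.1.0/24) and validate() reports the problem instead of emitting commands.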