Upgraded my NGFW

Since my last blog post I’ve upgraded my Palo Alto NGFW to the latest PAN-OS release, which is 9.0. I also got an evaluation license from them to test the advanced features of the firewall. The license also allows me to see all the log entries, which is great for troubleshooting any issues I have with the firewall when enabling the different features.

I have the firewall set up to allow traffic from the network (inside-zone) to the internet (outside-zone). The network is also NAT’d to my local LAN address of otherwise traffic wouldn’t flow, as the 10 network is a private address range. I know the network is also a private address range, but my home router is set up to NAT that range to the public IP address I get from my ISP as well.

One of the first features I am going to add to my security policy is URL filtering. Company policy is to block all web email, for example http://www.gmail.com and http://www.outlook.com.


I am going to add URL Filtering to the security policy to block web email sites. I’m also going to enable Response Pages so that when an end user tries to get to a web email site they will get a message saying that it’s against company policy.

I’m first going to go to http://www.gmail.com and show that I can successfully browse to that site, and as you can see below I can. I am doing this from the PC on the inside network with an IP address of


The first thing I am going to do is enable the response page. To do that go to Device>>Response Pages.


Once under Device and Response Pages, click on the Application Block Page, which is currently set to Disable, then tick the box to Enable Application Block Page and click on OK.

Now end users will get a page displaying the reason they were blocked from connecting to sites that I mark as blocked under URL Filtering. So let’s set up some URL Filtering now. To do that go to Objects>>URL Filtering.


There is a default policy already configured which I could edit, but I am going to create my own and name it No Web Email. I’ll first tick the box beside the default policy and clone it. This will create a new policy called default-1; click on it to edit it.


Under my new policy I have named it No Web Email and then searched for the web-based-email category. Here you need to change the Site Access from allow to block, and do the same under User Credential Submission, changing that to block as well. Click on OK.

Now it’s time to update the security policy and add the URL Filtering profile I just created. So under Policies>>Security I clicked on the security policy called ‘inside to out’.


Click on the Action tab and under ‘Profile Setting’ select Profiles as the Profile Type, then under URL Filtering select the newly created profile called No Web Email and click on OK. All I have to do now is commit the configuration changes and test to see if this works!


It is working; I’m unable to get to the different web-based email services. You can also check this under Monitor>>URL Filtering.


As you can see, mail.google.com has been blocked as well as outlook.com.

Any questions leave a comment below.

NAT – Network Address Translation

With IPv4 networks NAT is fundamental; without it not a whole lot of devices would be able to surf the internet. For example, your broadband connection uses NAT. You are assigned a public IPv4 address from your ISP on the WAN interface of your modem, which allows you to surf the internet; within your LAN (home) all the devices you have attached to your WiFi network are assigned an address, most likely from the range which is from the private class C subnet range. These private IP addresses are not allowed out on the public internet, and if you tried to use an address from a private IP address range your ISP will have an ACL blocking its use.

The job of NAT is to take the private IP address that your modem at home has assigned to your PC, for example, and change it to the modem’s public IP address before the packet leaves your modem.

If we take the following example:


Your PC has been given the IP address of and you want to surf the Internet. Before you can do that, NAT has to step in and change your private IP address to its public IP address. More specifically this is PAT, Port Address Translation, a form of NAT that allows all the private IP addresses on your LAN to be translated to the single public IP address, using port numbers to keep track of the different sessions from the devices in your LAN.

So NAT will translate the source IP address in the packet from to before sending the packet out its WAN interface towards its destination on the Internet. It will keep track of this translation in its NAT table:

  • =

This mapping allows the return traffic to go back to the PC that started the session. If a second PC on the LAN with an IP address of went out to the internet, it will also be tracked in the NAT table:

  • =
  • =

The second entry has a different port number assigned to it, and this is how NAT/PAT keeps track of which traffic belongs to which IP address on the LAN.
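To make the port bookkeeping concrete, here is an added Python model of the PAT behaviour described above (my own example, not code from this post or from Palo Alto). The LAN, server and public addresses in it are constructed placeholders, not the lab’s real addresses; it also shows the return path and what happens to an inbound packet that matches no session.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple

# Constructed lab value standing in for the modem's WAN address (not the post's real IP).
PUBLIC_IP = "203.0.113.10"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PATDevice:
    """Dynamic IP and Port translation: many private hosts behind one public IP."""
    def __init__(self, public_ip: str, first_port: int = 10000) -> None:
        self.public_ip = public_ip
        self._ports = count(first_port)  # next free public port to hand out
        # NAT table: (private ip, private port) -> (public ip, public port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._by_port: Dict[int, Flow] = {}  # public port -> original flow

    def outbound(self, pkt: Flow) -> Flow:
        """LAN -> Internet: rewrite the source to the public IP and a unique port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:  # first packet of a session: allocate a port
            pub_port = next(self._ports)
            self.table[key] = (self.public_ip, pub_port)
            self._by_port[pub_port] = pkt
        pub_ip, pub_port = self.table[key]
        return Flow(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Flow) -> Optional[Flow]:
        """Internet -> LAN: undo the translation, or drop if no session matches."""
        orig = self._by_port.get(pkt.dst_port)
        if (orig is None or pkt.dst_ip != self.public_ip
                or (pkt.src_ip, pkt.src_port) != (orig.dst_ip, orig.dst_port)):
            return None  # unsolicited inbound packet: no NAT entry, so dropped
        return Flow(pkt.src_ip, pkt.src_port, orig.src_ip, orig.src_port)

def demo() -> dict:
    # Two LAN PCs (constructed addresses) happen to use the same private source port.
    nat = PATDevice(PUBLIC_IP)
    pc1 = nat.outbound(Flow("10.0.0.11", 51000, "198.51.100.5", 443))
    pc2 = nat.outbound(Flow("10.0.0.12", 51000, "198.51.100.5", 443))
    reply = nat.inbound(Flow("198.51.100.5", 443, PUBLIC_IP, pc1.src_port))
    stray = nat.inbound(Flow("198.51.100.9", 443, PUBLIC_IP, 65000))
    return {"pc1": pc1, "pc2": pc2, "reply": reply, "stray": stray, "table": nat.table}
```

Both PCs leave with the same public IP but different public ports, which is the only thing that lets the reply find its way back to the right LAN host.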

Configuring NAT on the PA-NGFW

Here I will configure NAT/PAT on the NGFW to demonstrate how it is done.

NAT is configured under the Policies tab. On the left-hand side panel select NAT, then click the Add button at the bottom to get started.


A new window will pop up asking for General information. Give it a meaningful name and description, then click the Original Packet tab.


Under Original Packet I’ve added the following:


Under Source Zone I’ve added the Internal zone, Destination Zone will be the Internet zone, and I’ve selected the Destination Interface as the interface that I configured as the Internet interface, which has an IP address of OK, so isn’t a public IP address, but in my lab environment my modem is also doing NAT to a real public IP address before any traffic is sent. So for this lab I am pretending that is a public IP address: the firewall will translate IP addresses in the network to and my home modem will then translate the again to a real public IP address. Hope that is clear enough. OK, back to the configuration: under Source Address I selected the object I created in an earlier lab called ‘Internal subnet’. The Destination Address will be left as ‘Any’.

Next is the translation piece, so click on Translated Packet.


I have selected Dynamic IP and Port as the translation type, as I am using PAT. The Address Type is ‘Interface Address’ and I have selected the ethernet1/1 interface, which is the Internet interface; the only IP address associated with that interface is Next thing to do is click OK, and that is NAT/PAT configured. Don’t forget to commit the configuration for it to take effect.

To check that it is working I have started up the Windows 10 virtual machine I have as part of the lab. It is configured with the IP address of I went to http://www.paloaltonetworks.com and, as you can see below, it was successful.


This verifies a few things that I have done in the past blog posts. It verifies that traffic from the Internal zone is allowed out to the Internet zone. It also verifies that the DNS and SSL protocols are allowed by the security policy.

We can verify that NAT is working by looking at the NAT translation rule and seeing that its hit count has increased to 985, meaning that traffic is matching it. I can’t show you this in the logs as I don’t have the license for that, but I will add one and show how that is done.


Any questions leave a comment.