In this post I want to talk about zones and what they are used for in a Palo Alto NGFW. Zones are used to group interfaces together that are part of the same business function on the NGFW. For example you might have two departments, one is Finance and the other is IT. Because the information within the Finance part of the network is highly sensitive you do not want your users from the IT department having access to that part of the network. With zones you can put them into separate zones and build policies around them. By default interfaces within the same zone can communicate with each other but interfaces in different zones cannot for that to happen you will need to configure a policy to allow users or a group of users to go from one zone to another such as IT to Finance and visa-versa. This is the first line of defense in stopping attackers moving laterally across your network.
I am going to setup 3 zones and assign interfaces to those zones. The 3 zones will be:
On the PA GUI click on the Network tab and on the left hand side select Zones. Click on Add.
Give your zone a name “Internal” and the type in this case is Layer 3. The other options are Layer 2, Tap, Vwire and tunnel.
Continue adding the remaining zones Internet and Servers.
What is a virtual router? On the Palo Alto NGFW you can split the Firewall into virtual “mini” firewalls it can be used to keep different parts of the business separated or if you have different customers that you provide services to you can give them a virtual firewall with their own interfaces, zones, policies. You can add virtual routers or just use the default virtual router. To add a virtual router click on Network and on the left hand side click on Virtual Router and Add.
Here I have added a new Virtual Router and called it VR-1.
Interfaces and bringing it all together
The last thing to do is to assign the interfaces to the different zones and the virtual router.
Still under Network click on interfaces on the left hand side to get started. Select Layer 3 as the Interface type and add a comment. Under “assign interface to” select VR-1 as the Virtual Router and Internet as the Security Zone.
Click on IPv4 tab and enter the IP address here I am using 192.168.1.250/24 then click on Ok.
Once you have all the interfaces configured along with their IPv4 addresses you need to commit the configuration for it to become active. When the configuration is committed you will end up with the interfaces active as shown below.