Alto MS Series User Manual Page 38
- Page / 108
- Table of contents
- BOOKMARKS
Rated. / 5. Based on customer reviews
34 Getting Started Guide
Security Perimeter Overview Create the Security Perimeter
About Network Address Translation (NAT)
When you use private IP addresses within your internal networks, you must use network address translation
(NAT) in order to translate the private addresses to public addresses that can be routed on external networks.
In PAN-OS, you create NAT policy rules that instruct the firewall which packets need translation and how to
do the translation. The firewall supports both source address and/or port translation and destination address
and/or port translation. For more details about the different types of NAT rules, refer to the
Understanding and
Configuring NAT Tech Note
.
It is important to understand the way the firewall applies the NAT and security policies in order to determine
what policies you need based on the zones you have defined. Upon ingress, the firewall inspects a packet to see
if it matches any of the NAT rules that have been defined, based on source and/or destination zone. It then
evaluates and applies any security rules that match the packet based on the original (pre-NAT) source and
destination addresses. Finally, it translates the source and/or destination port numbers for any matching NAT
rules upon egress. This distinction is important, because it means that the firewall determines what zone a packet
is destined for based on the address on the packet, not in the placement of the device based on its internally
assigned address.
About Security Policies
Security policies protect network assets from threats and disruptions and aid in optimally allocating network
resources for enhancing productivity and efficiency in business processes. On the Palo Alto Networks firewall,
security policies determine whether to block or allow a session based on traffic attributes such as the source and
destination security zone, the source and destination IP address, the application, user, and the service. By
default, intra-zone traffic (that is traffic within the same zone, for example from trust to trust), is allowed. Traffic
between different zones (or inter-zone traffic) is blocked until you create a security policy to allow the traffic.
Security policies are evaluated left to right and from top to bottom. A packet is matched against the first rule
that meets the defined criteria; after a match is triggered the subsequent rules are not evaluated. Therefore, the
more specific rules must precede more generic ones in order to enforce the best match criteria. Traffic that
matches a rule generates a log entry at the end of the session in the traffic log, if logging is enabled for that rule.
The logging options are configurable for each rule, and can for example be configured to log at the start of a
session instead of, or in addition to, logging at the end of a session.
Components of a Security Policy
The security policy construct permits a combination of the required and optional components listed below.
- Palo Alto Networks 1
- Contact Information 2
- About this Guide 2
- Table of Contents 3
- Table of Contents 4
- Management Network 5
- Perform Initial Configuration 6
- 4 Getting Started Guide 8
- 6 Getting Started Guide 10
- 8 Getting Started Guide 12
- Activate Firewall Services 13
- Manage Content Updates 15
- 12 Getting Started Guide 16
- Install Software Updates 17
- 14 Getting Started Guide 18
- Add Firewall Administrators 19
- How to Configure 20
- 18 Getting Started Guide 22
- Monitor the Firewall 23
- View Local Log Data 24
- View Reports 25
- Set Up Email Alerts 27
- Set Up SNMP Trap Destinations 27
- 24 Getting Started Guide 28
- Define Syslog Servers 29
- 26 Getting Started Guide 30
- Forward Logs to Panorama 31
- Enable Log Forwarding 31
- 28 Getting Started Guide 32
- Create the Security Perimeter 35
- Security Perimeter Overview 36
- Virtual Wire Deployments 37
- Layer 2 Deployments 37
- Layer 3 Deployments 37
- About Security Policies 38
- Optional 40
- Policy Best Practices 41
- About Policy Objects 41
- About Security Profiles 42
- Getting Started Guide 39 43
- Set Up Interfaces and Zones 44
- 42 Getting Started Guide 46
- Configure NAT Policies 47
- 44 Getting Started Guide 48
- 46 Getting Started Guide 50
- Create Security Rules 52
- 50 Getting Started Guide 54
- Test Your Security Policies 55
- Getting Started Guide 53 57
- Monitor > Logs 57
- Enable WildFire 59
- Scan Traffic for Threats 59
- Control Access to Web Content 59
- Set Up File Blocking 64
- Continue to 66
- 64 Getting Started Guide 68
- For More Information 69
- Configure User Identification 71
- User Identification Overview 72
- About User Mapping 73
- PAN-OS XMLAPI Usage Guide 74
- Enable User Identification 75
- 72 Getting Started Guide 76
- Map IP Addresses to Users 77
- Configure User Mapping 78
- Captive Portal Modes 81
- Configure Captive Portal 82
- 80 Getting Started Guide 84
- 82 Getting Started Guide 86
- Getting Started Guide 85 89
- Monitor > Logs) 89
- Set Up High Availability 91
- HA Overview 92
- Getting Started Guide 89 93
- Failover Triggers 94
- HA Timers 94
- 92 Getting Started Guide 96
- Getting Started Guide 93 97
- Configuration Guidelines 98
- 96 Getting Started Guide 100
- 98 Getting Started Guide 102
- 100 Getting Started Guide 104
- Click Commit 106
- Verify Failover 107
- Getting Started Guide 108
© 2020, manymanuals.com. All rights reserved. | 0.406 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals