Palo Alto Networks Firewall Essentials


Palo Alto Networks Firewall Essentials
Installation and Configuration Guide

The Palo Alto Networks Academy Firewall Essentials lab set is designed to have Internet access. Due to this requirement, 2 topologies are needed. The Firewall Essentials Gateway pod (GW) is designed to provide Internet access to underlying Firewall Essentials pods (FE) per host.

This guide includes installation instructions for both the GW pod and the FE pod.

Document Version: 2016-07-21
Copyright 2016 Network Development Group, Inc.
www.netdevgroup.com

NETLAB Academy Edition, NETLAB Professional Edition, and NETLAB are registered trademarks of Network Development Group, Inc. Palo Alto Networks and the Palo Alto Networks logo are trademarks or registered trademarks of Palo Alto Networks, Inc.

Palo Alto FE Pod Installation and Configuration Guide

Contents

1 Introduction ... 3
   1.1 NETLAB Pod Internet Access and Use Agreement ... 4
   1.2 Pod Setup Overview ... 4
2 Planning ... 6
   2.1 Environment ... 6
   2.2 Pod Creation Workflow ... 7
   2.3 Pod Resource Requirements ... 8
   2.4 ESXi Host Server Requirements ... 8
   2.5 NETLAB Requirements ... 8
   2.6 Software Requirements ... 9
   2.7 Networking Requirements ... 9
3 Obtaining Software and Licenses ... 10
   3.1 Downloading OVF Files ... 10
   3.2 Obtaining Software Licenses ... 10
4 Master Pod Configuration ... 11
   4.1 Host Configuration ... 11
      4.1.1 Port Group Configuration ... 11
      4.1.2 NETLAB Virtual Machine Infrastructure Setup ... 14
   4.2 Gateway Master (GW) Pod Setup ... 14
      4.2.1 Deploying GW Virtual Machine OVF/OVA Files ... 15
      4.2.2 Create Snapshots on the Master Virtual Machines ... 16
      4.2.3 NETLAB Virtual Machine Inventory Setup ... 17
      4.2.4 Install the Master GW Pod ... 18
      4.2.5 Update the Master Pod ... 19
      4.2.6 Bring the GW Master Pod Online ... 20
   4.3 Firewall Essentials Master (FE) Pod Setup ... 21
      4.3.1 Deploying FE Virtual Machine OVF/OVA Files ... 21
      4.3.4 Install the Master FE pod ... 24
5 Pod Cloning and Configuration ... 27
   5.1 Pod Cloning ... 27
      5.1.1 Linked Clones and Full Clones ... 27
      5.1.2 Creating User Pods ... 27
   5.2 GW Pod Configuration ... 29
      5.2.1 IP Address Assignment ... 29
         5.2.1.1 Static IP Address ... 30
         5.2.1.2 DHCP IP Address ... 31
      5.2.2 DNS Settings ... 31
      5.2.3 Licensing ... 33
      5.2.4 Startup and Shutdown the Firewall ... 33
   5.3 FE Pod Configuration ... 34
      5.3.1 IP Addressing ... 35
         5.3.1.1 Boot FE Firewalls - Manual Method ... 35
         5.3.1.2 Boot FE Firewalls - PowerCLI Method ... 36
      5.3.2 Licensing ... 37
         5.3.2.1 Troubleshooting ... 39

7/21/2016 Copyright 2016 Network Development Group, Inc. www.netdevgroup.com Page 1

      5.3.3 Pod Snapshots ... 40
         5.3.3.1 Snapshot the Virtual Machines - Manual Method ... 41
         5.3.3.2 Snapshot the Virtual Machines - PowerCLI Method ... 42
   5.4 Bring Pods Online ... 43
6 PAN Firewall Administration Best Practices ... 44
   6.1 Administration ... 44
   6.2 Security Policies ... 44
   6.3 Logging ... 44
   6.4 Threat Prevention ... 45
      6.4.1 URL Filtering ... 45
      6.4.2 Wildfire ... 45
      6.4.3 Monitoring ... 45

1 Introduction

The Palo Alto Networks Firewall Essentials lab set is required, and thus designed, to have Internet access. Due to this requirement, the use of the lab set requires two pods, one to provide Internet access to pods on the host and the other to clone learner pods from.

You specifically agree to log all Internet usage by users (trainees) made through the Palo Alto Networks Academy lab environment, following logging instructions and advice provided by Palo Alto Networks, subject to your compliance with all applicable laws. Note that, because of the nature of the lab setup as shown below, you will not be able to track Internet usage by MAC address, so it is vital that you set up logging appropriately.

You agree that you are fully responsible for, and that NDG will have no liability or responsibility for: (a) any Internet use by any users of the Palo Alto Networks Academy lab training environment or any additional lab environments that you set up using Palo Alto Networks firewalls, and (b) monitoring, securing and logging Internet activity occurring through the Palo Alto Networks Academy lab training environment.

IMPORTANT: If you decide to add optional functionality to allow trainees (including without limitation remote trainees) to access and use the Internet through the Palo Alto Networks Academy lab environment, you are solely responsible for configuring and managing the Palo Alto Networks firewalls and associated software that is provided by Palo Alto Networks for Internet access, including without limitation all security features and policies associated with the Palo Alto Networks firewalls.

1.1 NETLAB Pod Internet Access and Use Agreement

You are required to indicate your acceptance of the NETLAB Pod Internet Access and Use Agreement by completing the form at the link below. Your system will not be enabled to support Palo Alto Networks Firewall Essentials pods until the agreement oalto/agreement

1.2 Pod Setup Overview

The Gateway pod (GW Pod) is designed to provide Internet access to underlying Firewall Essentials pods (FE Pod) per host.

Each ESXi host will need special port groups created, named PAN MGMT and PAN UNTRUST. Then, a single instance of the GW Pod will be deployed on each host that will run the PAN7 FE pods.

The network labeled "VM Network" in the diagram needs to be set up or linked to a port group that has Internet access. A working and routable IP address, static or DHCP assigned, will need to be allocated to vmnic2 of the GW Firewall for the Firewall to communicate out to the Internet.

The PAN MGMT and PAN UNTRUST networks are required for the FE Firewall to communicate with the GW Firewall properly. The PAN UNTRUST interface on the FE Firewall, identified as interface U in the diagram, is set up to obtain an IP address via DHCP from the GW Firewall T interface.
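The port-group preparation described above can be checked and applied across every host with PowerCLI, the tool this guide itself uses in later sections. The script below is an added example, not part of the NDG guide or of any Palo Alto Networks material; it assumes a vCenter name, a standard vSwitch name (vSwitch0) and untagged port groups, none of which the text above states, so the guide's own section 4.1.1 remains the authority for the exact settings. What it adds over the prose is idempotency (existing port groups are left alone) and a final verification pass that lists hosts still missing either group, so the GW Pod is only deployed to fully prepared hosts.

```powershell
# Added example (not from the NDG guide): create the PAN MGMT and PAN UNTRUST
# port groups required on every ESXi host that will run FE pods, then verify.
# Assumptions not stated on the page: the vCenter name, the standard vSwitch
# name, and that the port groups carry no VLAN tag.
param(
    [string]$VCenter     = 'vcenter.example.local',   # assumed
    [string]$VSwitch     = 'vSwitch0',                # assumed
    [string[]]$HostNames = @()                        # empty = every host in vCenter
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$required = @('PAN MGMT', 'PAN UNTRUST')
$hosts = if ($HostNames) { Get-VMHost -Name $HostNames } else { Get-VMHost }

foreach ($esx in $hosts) {
    # Stop on a host without the expected vSwitch rather than creating port
    # groups somewhere unintended.
    $vs = Get-VirtualSwitch -VMHost $esx -Name $VSwitch -Standard -ErrorAction Stop
    foreach ($pg in $required) {
        $existing = Get-VirtualPortGroup -VirtualSwitch $vs -Name $pg -ErrorAction SilentlyContinue
        if ($existing) {
            Write-Host "$($esx.Name): '$pg' already present"
        } else {
            New-VirtualPortGroup -VirtualSwitch $vs -Name $pg | Out-Null
            Write-Host "$($esx.Name): created '$pg'"
        }
    }
}

# Verification pass: report any host that still lacks either port group.
$missing = foreach ($esx in $hosts) {
    $names = (Get-VirtualPortGroup -VMHost $esx -Standard).Name
    foreach ($pg in $required) {
        if ($names -notcontains $pg) {
            [pscustomobject]@{ Host = $esx.Name; Missing = $pg }
        }
    }
}
if ($missing) {
    $missing | Format-Table -AutoSize
} else {
    Write-Host 'All hosts have PAN MGMT and PAN UNTRUST.'
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it from a PowerCLI session with an account that has network-configuration rights on the hosts; pass -HostNames to limit it to the hosts that will actually carry FE pods.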

2 Planning

This guide provides specific information pertinent to delivering the Palo Alto Networks Firewall Essentials course via NETLAB. It is assumed that you have knowledge of the following prior to attempting deployment of this lab set on your VMware and NETLAB infrastructure:

- An understanding and working knowledge of VMware vSphere products and NETLAB.
- Deploying virtual machines on ESXi.
- Configuring virtual networking in the ESXi environment.
- Virtual machine and virtual pod management concepts using NETLAB.

Documentation of these topics and more can be found at our ntation/

2.1 Environment

The following diagram depicts four major components that make up the training environment.

1. The NETLAB server provides the user interface for student and instructor access, an interface to manage virtual machines, and software features to automate pod creation. This document assumes you have already set up your NETLAB server.
2. VMware vCenter is used to manage your physical VMware ESXi servers, to create virtual machines, and to take snapshots of virtual machines. NETLAB communicates with vCenter to perform automated tasks and

virtual machine management.
3. Physical VMware ESXi servers host the virtual machines in your pods.
4. The Palo Alto Networks Firewall Essentials pod consists of 4 virtual machines that reside on your ESXi host(s).

2.2 Pod Creation Workflow

The following list is an overview of the pod setup process.

1. Obtain the master virtual machine images required for the pod.
2. Deploy the master virtual machine images to a master pod.
   a. Deploy virtual machines using Thin Provisioning to reduce storage consumption.
   b. Make necessary adjustments to each virtual machine in the environment.
3. Import the deployed virtual machines to the NETLAB Virtual Machine Inventory.
4. Take a snapshot of each virtual machine in the master pods labeled GOLDEN MASTER.
5. Assign and configure pod settings for each virtual machine in each pod.
6. Use the NETLAB Pod Cloning feature to create student FE pods from the master FE pod.
7. Configure and license the GW Firewall.
8. License the FE Firewall in all FE student pods.
9. Shut down the FE Firewall and take a GOLDEN MASTER snapshot of all FE student pod virtual machines.
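The scriptable parts of this workflow (thin-provisioned deployment in step 2a, the GOLDEN MASTER snapshot in step 4, and the shutdown-then-snapshot of the student pods in step 9) can be driven from PowerCLI, which the guide uses for its own boot and snapshot methods in section 5.3. The following is an added example, not the NDG guide's own script. It assumes vCenter, host, datastore and OVA path values, a naming pattern for cloned pod VMs, and that the FE Firewall VM can be shut down cleanly through VMware Tools (Stop-VMGuest); none of these appear in the text above. The design choice worth noting is that a VM is only snapshotted while powered off and only if it does not already carry a GOLDEN MASTER snapshot, and that a firewall which does not shut down within the timeout is reported rather than powered off, since NETLAB reverts pods to this snapshot and an inconsistent firewall image would be replayed into every lab session.

```powershell
# Added example (not from the NDG guide): PowerCLI for the scriptable steps of
# the pod creation workflow. Assumptions not stated on the page: the vCenter,
# host and datastore names, the OVA path, the student pod VM name patterns, and
# that the FE Firewall VM responds to a VMware Tools shutdown request.
param(
    [string]$VCenter         = 'vcenter.example.local',    # assumed
    [string]$VMHost          = 'esx01.example.local',      # assumed
    [string]$Datastore       = 'datastore1',               # assumed
    [string]$OvaPath         = 'C:\ova\PLACEHOLDER_FE_Firewall.ova',  # placeholder path
    [string]$MasterName      = 'PAN_FE_Firewall_Master',   # assumed
    [string]$PodPattern      = 'FE_Pod_*',                 # assumed clone-name pattern
    [string]$FirewallPattern = 'FE_Pod_*_Firewall',        # assumed firewall-name pattern
    [string]$SnapName        = 'GOLDEN MASTER'
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

# Step 2a: deploy a master image thin-provisioned; reuse it if already present.
function Deploy-ThinMaster {
    param([string]$Path, [string]$Name, [string]$HostName, [string]$DatastoreName)
    $existing = Get-VM -Name $Name -ErrorAction SilentlyContinue
    if ($existing) { Write-Host "$Name already exists; skipping deployment"; return $existing }
    $esx = Get-VMHost -Name $HostName
    $ds  = Get-Datastore -Name $DatastoreName
    Import-VApp -Source $Path -Name $Name -VMHost $esx -Datastore $ds -DiskStorageFormat Thin
}

# Steps 4 and 9: one GOLDEN MASTER snapshot per VM, taken only when powered off.
function New-GoldenSnapshot {
    param($VM, [string]$Name)
    $VM = Get-VM -Id $VM.Id                      # refresh the power state
    if ($VM.PowerState -ne 'PoweredOff') {
        Write-Warning "$($VM.Name) is $($VM.PowerState); snapshot skipped"
        return $null
    }
    if (Get-Snapshot -VM $VM -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "$($VM.Name) already has a '$Name' snapshot"
        return $null
    }
    New-Snapshot -VM $VM -Name $Name -Description 'Clean state that NETLAB reverts pods to'
}

# Guest-initiated shutdown with a bounded wait; never a hard power-off.
function Stop-VMGracefully {
    param($VM, [int]$TimeoutSec = 300)
    if ($VM.PowerState -eq 'PoweredOff') { return $true }
    Stop-VMGuest -VM $VM -Confirm:$false -ErrorAction Stop | Out-Null
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 10
        $state = (Get-VM -Id $VM.Id).PowerState
    } until ($state -eq 'PoweredOff' -or (Get-Date) -gt $deadline)
    return ($state -eq 'PoweredOff')
}

# Master pod: deploy (step 2a) and snapshot (step 4).
$master = Deploy-ThinMaster -Path $OvaPath -Name $MasterName -HostName $VMHost -DatastoreName $Datastore
New-GoldenSnapshot -VM $master -Name $SnapName | Out-Null

# Student pods, after NETLAB cloning (step 6) and licensing (step 8):
# shut down each FE Firewall, then snapshot every VM in the pods (step 9).
foreach ($vm in Get-VM -Name $PodPattern) {
    if ($vm.Name -like $FirewallPattern -and -not (Stop-VMGracefully -VM $vm)) {
        Write-Warning "$($vm.Name) did not shut down within the timeout; shut it down from its console, then rerun"
        continue
    }
    New-GoldenSnapshot -VM $vm -Name $SnapName | Out-Null
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The master-pod section runs before the NETLAB inventory and cloning steps, and the student-pod loop after licensing; running the whole file twice is safe because both the deployment and the snapshot functions skip work that has already been done.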

2.3 Pod Resource Requirements

The Palo Alto Networks Firewall Essentials course will consume 65 GB of storage per user pod instance.

The following table provides details of the storage requirements for each of the virtual machines in the pod(s).

Pod                  | Virtual Machine | OVF/OVA
Gateway              | GW Firewall     | 3.7
Firewall Essentials  | Desktop         | 2.5
Firewall Essentials  | FE Firewall     | 6.2
Firewall Essentials  | Server          |
                     | Total           |

Remaining column values (headed "Initial ..."), as printed: 2.6, 2.1, 4.3, 21.4, 6.2, 5.6, 12, 65

2.4 ESXi Host Server Requirements

Please refer to the NDG website for specific ESXi host requirements to support virtual machine delivery: nts/

2.5 NETLAB Requirements

The number of active pods that can be used simultaneously depends on the NETLAB product edition, appliance version an
