Security Policy Fundamental Concepts
Lesson 1: Security Policy Fundamental Concepts - Security NAT Policies
>>Network Address Translation
Class A: 0.0.0.0 <-> 127.255.255.255
- Reserved: 127.0.0.0 <-> 127.255.255.255 loopback, used for testing the TCP/IP stack
  16.7 million addresses spent on a stack-testing range; IPv6 uses the single address ::1 instead
- 10.0.0.0 <-> 10.255.255.255 private address range, class A
Class B: 128.0.0.0 <-> 191.255.255.255
- 172.16.0.0 <-> 172.31.255.255 private address range, class B

Class C: 192.0.0.0 <-> 223.255.255.255
- 192.168.0.0 <-> 192.168.255.255 private address range, class C

Class D: 224.0.0.0 <-> 239.255.255.255
Class E: 240.0.0.0 <-> 255.255.255.255 (broadcast address)
Stack (OSI layers, top down)
L7
L6
L5
L4
L3
L2 LLC sublayer: this and everything above is software
L2 MAC sublayer: this and everything below is hardware
L1
RFC 1918 defines the IPv4 private address ranges; NAT translates these private addresses to public addresses.
Flow Logic of the Next Generation Firewall
NAT Types
Source and destination
Static NAT: one to one, e.g. a web or email server at 10.1.1.20 goes out as 200.1.1.1 using a NAT router at the edge.
Dynamic NAT: 10.1.1.30, 10.1.1.40 and 10.1.1.50 translate to 200.1.1.2 and 200.1.1.3, handed out first come first served.
PAT (port address translation): the NAT type most used by the edge router; it translates both the layer 3 address and the layer 4 port. IP address plus port number is called a socket, and both halves are translated, e.g. 10.1.1.30:6400. If two inside hosts both use source port 6400, the port numbers are changed so that the translations stay unique.
>>Source NAT Configuration
Inside private to outside traffic
Static IP:
• 1 to 1 fixed translations.
Dynamic IP:
• 1 to 1 translations of a source IP address only (no port number).
Dynamic IP and port (DIPP):
• Allows multiple clients to use the same public IP addresses with different source port numbers.
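As an added worked example (not part of the course notes): a small Python model of the dynamic IP and DIPP translation tables described above, using the notes' example addresses. The class names, the two-address pool, the 1024-65535 port range and the RFC 1918 helper are assumptions for illustration, not Palo Alto Networks behaviour.

```python
import ipaddress

# RFC 1918 private ranges from the notes above; only such sources are NATted outbound.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

class DynamicIpNat:
    """Dynamic IP: 1:1 translation of the source IP only, from a pool, first come first served."""
    def __init__(self, pool):
        self.free = list(pool)      # public addresses not yet handed out
        self.table = {}             # inside_ip -> public_ip

    def translate(self, inside_ip):
        if inside_ip in self.table:
            return self.table[inside_ip]
        if not self.free:           # pool exhausted: no translation available
            return None
        self.table[inside_ip] = self.free.pop(0)
        return self.table[inside_ip]

class DippNat:
    """Dynamic IP and port (PAT): many inside sockets share one public IP; the source
    port is kept when free and rewritten when another session already holds it."""
    def __init__(self, public_ip, port_range=(1024, 65535)):   # assumed range
        self.public_ip = public_ip
        self.low, self.high = port_range
        self.table = {}             # (inside_ip, inside_port) -> (public_ip, public_port)
        self.used_ports = set()

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key in self.table:       # existing session: reuse its mapping
            return self.table[key]
        port = inside_port
        if port in self.used_ports or not self.low <= port <= self.high:
            # collision (two hosts both using :6400): pick the lowest free port in range
            port = next((p for p in range(self.low, self.high + 1) if p not in self.used_ports), None)
            if port is None:
                return None         # every port on this public IP is in use
        self.used_ports.add(port)
        self.table[key] = (self.public_ip, port)
        return self.table[key]

if __name__ == "__main__":          # constructed sample using the notes' addresses
    pat = DippNat("200.1.1.4")
    print(pat.translate("10.1.1.30", 6400), pat.translate("10.1.1.40", 6400))
```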
Source NAT and Security Policies
Configure Source NAT
Static 1:1 Translation
Dynamic IP Translation (used for load balancing)
Dynamic IP and Port Translation
DIPP NAT Oversubscription
>>Destination NAT Configuration
Outside external to inside destination NAT
Destination NAT Attributes
Dynamic IP Address Support for Destination NAT
Destination NAT and Security Policies
Configure Destination NAT
Destination NAT Port Translation Configuration
Configure Bidirectional Source NAT
1. In the Palo Alto Networks Application Command Center (ACC), which filter allows you to limit the display to the details you care about right now and to exclude the unrelated information from the current display?
a. Global
b. Local
c. Universal
d. Group
2. Select the answer that best completes this sentence. Source NAT commonly is used for _________ users to access the ________ internet.
a. public, public
b. public, private
c. private, private
d. private, public
3. Select the answer that completes this sentence. DIPP source NAT will support a maximum of about ______________ concurrent sessions on each IP address configured within the NAT pool.
a. 8100
b. 64,000
c. 250
d. 16,300
4. Which one of the following statements is true about NAT rules?
a. NAT rules are applied after security policy rules.
b. NAT rules provide address translation, while security policy rules allow or deny packets.
c. The destination zone in the security rule is determined before the route lookup of the post-NAT destination IP address.
d. The addresses used in source NAT rules always refer to the original IP address in the packet (that is, the pre-translated address).
5. What feature on the Next Generation firewall can be used to identify, in real time, the applications taking up the most bandwidth?
a. Quality of Service Statistics
b. Application Command Center (ACC)
c. Applications Report
d. Quality of Service Log
6. What are the three pre-defined tabs in the Next Generation firewall Application Command Center (ACC)?
Select one or more:
a. Threat Activity
b. Application Traffic
c. Network Traffic
d. Blocked Activity
7. When using config audit to compare configuration files on a Next Generation firewall, what does the yellow indication reveal?
a. None
b. Change
c. Addition
d. Deletion
8. In the Palo Alto Networks Firewall WebUI, which type of report can be compiled into a single emailed PDF?
a. Botnet
b. PDF Summary
c. Predefined
d. Group
9. On the Palo Alto Networks Next Generation Firewall, which is the default port for transporting Syslog traffic?
a. 6514
b. 8080
c. 443
d. 514