Connecting Security Zones

>Security Zones overview

Configure and Manage Firewall Security Zones

SPAN is like TAP

Network Segmentation

Data and users are not all the same: accounting, sales, customers and HR can be separated into their own VLANs (Layer 2) or subnets (Layer 3).

Network Segmentation and Security Zones

Segmentation reduces the attack surface. Intra-zone traffic is allowed by default; inter-zone traffic is not allowed by default.

Configure Security Policy to Support Segmentation

After you have segmented your network and grouped your network nodes into security zones, configure firewall Security policy rules to control network access between zones.

Zero Trust Architecture

Never trust, always verify, for both north-south and east-west traffic.


>Network interfaces and security zones

Network Interfaces

In-band (data-plane) interfaces, for example inside/outside and a DMZ zone. A zone can contain many interfaces, but each interface belongs to only one zone.

Interface naming:

eth 1/1, 1/2 on a single-slot chassis

eth 1/1, 2/1 on a multiple-slot chassis

logical (sub)interfaces eth 1/1.1 and 1/1.2

Interface Types and Zone Types

Tap is like SPAN; a tap interface stays in its own single tap zone.

WAN ---> virtual wire zone ---> LAN

layer 3 Zone

5 types: Layer 3 and Layer 2 interfaces, VLAN interfaces, loopback and tunnel interfaces

Create a Security Zone

Network > Zones > Add

Add name, type and interfaces

>Interfaces Types

Interfaces need to be added to zones; for example, eth 1/1 goes into the inside zone.

Flexible Deployment Options for Ethernet Interfaces

e.g. inline like an IPS (virtual wire) or passive like an IDS (tap)

Tap Interfaces

Configure a Tap Interface

Virtual Wire Interfaces

Configure a Virtual Wire Object

LAN --> VW --> LAN

Configure a Virtual Wire Interface

Network > Interfaces > Ethernet > <select_

A virtual wire passes through link state, spanning tree and CDP.

Layer 3 Interfaces

requires a virtual router

Enable IPv4 and IPv6 Support

Device Setup > Session > Session Settings


Configure a Layer 3 Interface: Config

Configure a Layer 3 Interface: IPv4


Configure a Layer 3 Interface: Advanced

Network > Interfaces > Ethernet > <select_

Interface Management Profile

Network > Network Profiles > Interface Mgmt > Add

Layer 3 Subinterfaces

Configure a Layer 3 Subinterface

Network > Interfaces > Ethernet

>Virtual routers and Layer 3 interfaces

Virtual Routers

Supports BGPv4, OSPFv2, OSPFv3 and RIPv2.

Virtual Router General Settings

Add a Static Default Route

Network > Virtual Routers > Static Routes > Add

Multiple Static Default Routes

Static Route Path Monitoring

Network > Virtual Routers > Static Routes > Add

Troubleshoot Routing

Network > Virtual Routers

Questions

1. Which two items are supported routing protocols on a virtual router?
OSPF
IGRP
EGP
BGP

2. Which three interface types are valid on a Palo Alto Networks firewall?
FC
Layer3
FCoE
Tap
Virtual wire

3. Which two firewall interface types can be added to a Layer3 type security zone?
Tunnel
Virtual wire
Tap
Loopback

4. Which type of firewall interface enables passive monitoring of network traffic?
Tap

5. A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses.
True

1. True. A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses.

2. True. All of the interfaces on a Next Generation firewall must be the same interface type.

3. True. In a Next Generation firewall, every interface in use must be assigned to a zone in order to process traffic.

4. True. In addition to routing to other network devices, virtual routers on the Next Generation firewall can route to other virtual routers.

5. What type of interface allows the Next Generation firewall to provide switching between two or more networks?

NO Tap

NO Virtual Wire

YES Layer2

NO Layer3

6. Which feature can be configured with an IPv6 address?

No DHCP Server

No BGP

Yes Static Route

No RIPv2

7. Which of the following is a routing protocol supported in a Next Generation firewall?

No ISIS

No EIGRP

Yes RIPV2

No IGRP

8. Which routing protocol is supported on a virtual router?

No EGP

Yes OSPF

No PPP

No IGRP

9. Which type of firewall interface enables passive monitoring of network traffic?

No Tunnel

No Virtual wire

No Loopback

Yes Tap

10. Which type of interface will allow the firewall to be inserted into an existing topology without requiring any reallocation of network addresses or redesign on the network topology?

No Tap

Yes Virtual Wire

No Layer 2

No Layer 3

11. A critical consideration when defining Network Segmentation is ____________.

No third party management

No eliminating security zones

Yes understanding your business and organizational drivers

No password management

12. From the reading "Four Ps of 5G Network Security": Which of the following is NOT one of the 'Four Ps'?

No Packets

Yes Protection

Perimeter

Permissions

13. From the reading "Securing OT to enable Manufacturing Digital Transformation": The risk of operations managing security at the local level is the potential of having _______________ approaches to security.

a. third party management No

No. multiple, disjointed

c. centralized No

IT administered
