Networks Firewall Solution Guide


  • 8/13/2019 Networks Firewall Solution Guide

    1/25

    SOLUTION GUIDE

    Steelhead and Palo Alto Networks Firewall Solution Guide

    Version 1.0, August 2013


    Steelhead and Palo Alto Networks Firewall: SOLUTION GUIDE

    2013 Riverbed Technology. All rights reserved. 1

    2013 Riverbed Technology. All rights reserved.

    Riverbed, Cloud Steelhead, Granite, Interceptor, RiOS, Steelhead, Think Fast, Virtual Steelhead, Whitewater, Mazu, Cascade, Shark, AirPcap, BlockStream, SkipWare, TurboCap, WinPcap, Wireshark, TrafficScript, FlyScript, WWOS, and Stingray are trademarks or registered trademarks of Riverbed Technology, Inc. in the United States and other countries. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein cannot be used without the prior written consent of Riverbed Technology or their respective owners.

    Akamai and the Akamai wave logo are registered trademarks of Akamai Technologies, Inc. SureRoute is a service mark of Akamai. Apple and Mac are registered trademarks of Apple, Incorporated in the United States and in other countries. Cisco is a registered trademark of Cisco Systems, Inc. and its affiliates in the United States and in other countries. EMC, Symmetrix, and SRDF are registered trademarks of EMC Corporation and its affiliates in the United States and in other countries. IBM, iSeries, and AS/400 are registered trademarks of IBM Corporation and its affiliates in the United States and in other countries. Linux is a trademark of Linus Torvalds in the United States and in other countries. Microsoft, Windows, Vista, Outlook, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation in the United States and in other countries. Oracle and JInitiator are trademarks or registered trademarks of Oracle Corporation in the United States and in other countries. UNIX is a registered trademark in the United States and in other countries, exclusively licensed through X/Open Company, Ltd. VMware, ESX, ESXi are trademarks or registered trademarks of VMware, Incorporated in the United States and in other countries.

    This product includes software developed by the University of California, Berkeley (and its contributors), EMC, and Comtech AHA Corporation. This product is derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.

    NetApp Manageability Software Development Kit (NM SDK), including any third-party software available for review with such SDK which can be found at http://communities.netapp.com/docs/DOC-1152, and are included in a NOTICES file included within the downloaded files.

    For a list of open source software (including libraries) used in the development of this software along with associated copyright and license agreements, see the Riverbed Support site at https://support.riverbed.com.

    This documentation is furnished AS IS and is subject to change without notice and should not be construed as a commitment by Riverbed Technology. This documentation may not be copied, modified or distributed without the express authorization of Riverbed Technology and may be used only in connection with Riverbed products and services. Use, duplication, reproduction, release, modification, disclosure or transfer of this documentation is restricted in accordance with the Federal Acquisition Regulations as applied to civilian agencies and the Defense Federal Acquisition Regulation Supplement as applied to military agencies. This documentation qualifies as commercial computer software documentation and any use by the government shall be governed solely by these terms. All other use is prohibited. Riverbed Technology assumes no responsibility or liability for any errors or inaccuracies that may appear in this documentation.


    Contents

    PREFACE (page 3)
      About This Guide (page 3)
      Audience (page 3)
      Contacting Riverbed (page 3)
        Internet (page 3)
        Technical Support (page 3)
        Professional Services (page 3)

    Chapter 1 Solution Overview (page 4)
      Why Riverbed? (page 4)
      Solution Architecture (page 4)

    Chapter 2 Virtual Wire Deployment (page 6)
      Deployment Topology (page 6)
      Deployment Prerequisites (page 7)
      Understanding the Deployment Process (page 7)
      Configure Interfaces (page 8)
      Create Two Virtual Wires (page 8)
      Create Three Security Zones (page 9)

    Chapter 3 Routed Deployment (page 10)
      Deployment Topology (page 10)
      Deployment Prerequisites (page 11)
      Understanding the Deployment Process (page 11)
      Configure Interfaces for Routed Deployment (page 12)
      Create a Virtual Wire for Routed Deployment (page 12)
      Create a Virtual Router for Routed Deployment (page 13)
      Create Four Security Zones (page 14)

    Chapter 4 Policy Based Forwarding Deployment (page 15)
      Deployment Topology (page 15)
      Deployment Prerequisites (page 16)
      Understanding the Deployment Process (page 16)
      Configure Interfaces for PBF Deployment (page 17)
      Create a Virtual Router for PBF Deployment (page 17)
      Create Three Security Zones for PBF Deployment (page 18)
      Configure Policy Based Forwarding (page 19)

    Chapter 5 Troubleshooting Problems (page 20)
      Allow Ping on Firewall Interfaces (page 20)
      Packet Capture (page 20)
      Allow Traffic to Pass (page 20)
      Add a Deny All Rule (page 20)

    Appendix A Miscellaneous Configuration Steps (page 21)
      Configure Full Transparency and OOB Transparency (page 21)
      Configure Security Policies (page 22)
        Outbound Traffic (page 22)
        Inbound Traffic (page 22)

    Appendix B Additional Resources (page 24)
      Steelhead Management Console Users Guide (page 24)
      Palo Alto Networks Administrators Guide (page 24)


    PREFACE

    Welcome to the Steelhead and Palo Alto Networks Firewall Solution Guide. Read this preface for an overview of the information provided in this guide and contact information. This preface includes the following sections:

    - About This Guide
    - Contacting Riverbed

    About This Guide

    The Steelhead and Palo Alto Networks Firewall Solution Guide provides an overview of how to deploy Palo Alto Networks Firewall appliances alongside Steelhead appliances. This guide provides configuration details for both the Palo Alto Networks Firewall and the Steelhead appliance.

    Audience

    This guide is written for security and networking administrators. This guide assumes you are familiar with firewall and networking fundamentals.

    You must also be familiar with:

    - the Management Console. For details, see the Steelhead Management Console Users Guide.
    - the installation and configuration process for the Steelhead appliance. For details, see the Steelhead Appliance Installation and Configuration Guide and the Steelhead Installation Guide.
    - the installation and configuration process for the Palo Alto Networks Firewall. For details, see the Palo Alto Networks Administrators Guide.

    For more details on the Steelhead appliance family, see http://www.riverbed.com/products-solutions/products/wan-optimization-steelhead/

    For more details on the Palo Alto Networks Firewall, see http://www.paloaltonetworks.com/

    Contacting Riverbed

    This section describes how to contact departments within Riverbed.

    Internet

    You can learn about Riverbed products through the company Web site: http://www.riverbed.com.

    Technical Support

    If you have problems installing, using, or replacing Riverbed products, contact Riverbed Support or your channel partner who provides support. To contact Riverbed Support, open a trouble ticket by calling 1-888-RVBD-TAC (1-888-782-3822) in the United States and Canada or +1 415 247 7381 outside the United States. You can also go to https://support.riverbed.com.

    Professional Services

    Riverbed has a staff of professionals who can help you with installation, provisioning, network redesign, project management, custom designs, consolidation project design, and custom coded solutions. To contact Riverbed Professional Services, email [email protected] or go to http://www.riverbed.com/us/products/professional_services/ .

    Chapter 1 Solution Overview

    This chapter provides an overview of deploying Palo Alto Firewall appliances alongside Steelhead appliances.

    This chapter includes the following sections:

    - Why Riverbed?
    - Solution Architecture

    Why Riverbed?

    RiOS was created to solve application acceleration challenges in a very different way than caches. Caching was created as a protocol-specific architecture, essentially only dealing with data in the application silo that it understands. RiOS, on the other hand, accelerates applications on three levels simultaneously:

    1. Data Streamlining: Data Reduction for All TCP Applications
    2. Transport Streamlining: TCP Optimizations for All Applications
    3. Application Streamlining: Application-Specific Optimizations

    Each of these approaches happens independently in RiOS, meaning that all enterprise applications can benefit from data reduction and transport layer acceleration. Application layer acceleration is treated as one piece of the puzzle in this architecture, while in the caching architecture it is a requirement that the cache understand the application protocol. The application-independent optimizations in RiOS mean that email, file sharing, document management, ERP applications, CAD applications, network-based backup, software distribution, web-based applications, and even custom-built applications see benefits.

    The result of this approach is massive acceleration for all applications that run over TCP: users see up to 100 times faster application speed and up to 95% less bandwidth utilization at the same time. The system is designed to intelligently accelerate applications while not creating the management problems that caches have created in today's networks.

    Solution Architecture

    This section describes the traffic flow when deploying Steelhead appliances alongside Palo Alto Networks Firewall appliances. In the outbound direction, traffic originating from clients is first sent to the Palo Alto Networks Firewall for security policies to be applied. Traffic the firewall allows through is then sent through the Steelhead appliance to be optimized. The optimized traffic is then sent back through the same Palo Alto Networks Firewall for encryption before being sent out to the WAN. Figure 1-1 lays out the packet flow logically.

    Figure 1-1 Logical layout of Steelhead appliance alongside Palo Alto Networks Firewall (figure; labels: Client Devices, Palo Alto Networks Firewall, Riverbed Steelhead appliance, Palo Alto Networks Firewall, WAN Router, WAN)

    Palo Alto firewalls have a technology called App-ID to classify traffic based on application. App-ID allows you to apply policies at an application level, rather than just to ports and IPs as in a traditional firewall. This prevents applications from, for example, sneaking around the firewall by using port 80. App-ID works by looking for signatures in traffic to identify it as belonging to a particular application.

    For App-ID to work properly the Palo Alto Networks Firewall must operate on unoptimized traffic by being deployed on the LAN side of the Steelhead appliance. The Steelhead appliance alters the signature of the traffic in order to optimize it, which results in Steelhead-optimized traffic being classified as riverbed-rios by PAN-OS, rather than as belonging to the original application.

    Positioning the Palo Alto Networks Firewall on the LAN side of the Steelhead appliance has a few limitations, however:

    - The Steelhead appliance is left unprotected by the firewall.
    - The firewall cannot encrypt traffic. Encrypted traffic is random and not optimizable by the Steelhead appliance.

    In order for the Palo Alto Networks Firewall to perform its full functionality, it must see traffic both before and after optimization. The subsequent chapters in this solution guide describe different methods of deploying Steelhead appliances alongside Palo Alto Networks Firewall appliances.

    Chapter 2 Virtual Wire Deployment

    This chapter describes the process and procedures for a Virtual Wire deployment. Virtual Wire is the simplest way to deploy Steelhead appliances alongside Palo Alto Firewall appliances but is unable to perform layer 3 services such as VPN.

    This chapter includes the following sections:

    - Deployment Topology
    - Deployment Prerequisites
    - Understanding the Deployment Process
    - Configure Interfaces
    - Create Two Virtual Wires
    - Create Three Security Zones

    Deployment Topology

    Figure 2-1 Virtual Wire Deployment Topology (figure; label: WAN)

    Starting with the clients in the bottom left corner, the packet flow is:

    1. Clients send traffic to the LAN switch.
    2. From the LAN switch, packets go into ethernet1/1 of the Palo Alto Networks Firewall.
    3. Firewall policies are applied and then the traffic is sent out ethernet1/2 to the Steelhead LAN port.
    4. The Steelhead appliance optimizes the traffic and sends it from the Steelhead WAN port to ethernet1/3 of the Palo Alto Networks Firewall.
    5. The Palo Alto firewall sends the traffic out ethernet1/4 to the WAN.

    Deployment Prerequisites

    The following items should be completed before beginning the deployment.

    - The physical wiring should be completed as in Figure 2-1.
    - The default gateway of the Steelhead appliance In-Path interface should be set to the IP address of the WAN router.

    Understanding the Deployment Process

    The following table lists the procedures for deploying and configuring the Palo Alto Networks Firewall:

    Component: Palo Alto Networks Firewall

    Procedure: Configure interfaces ethernet1/1 through ethernet1/4 as Virtual Wire.
    Description: For a virtual wire deployment, all four interfaces should be configured with an Interface Type of Virtual Wire.
    For details, see Configure Interfaces.

    Procedure: Create two Virtual Wires.
    Description: Create two virtual wires with the following parameters:
      - Pre-optimization bridges ethernet1/1 and ethernet1/2.
      - Post-optimization bridges ethernet1/3 and ethernet1/4.
    For details, see Create Two Virtual Wires.

    Procedure: Create three Security Zones of type virtual-wire.
    Description: Create three security zones, all three with a Type of virtual-wire. This deployment requires an additional Steelhead zone.
      - Trusted: the trusted network the clients are on. This includes interface ethernet1/1.
      - Steelhead: for traffic going to and coming from the Steelhead appliance. This includes interfaces ethernet1/2 and ethernet1/3.
      - Untrusted: for the internet-facing network. This includes interface ethernet1/4.
    For details, see Create Three Security Zones.

    Procedure: Configure security policies.
    Description: Because of the additional security zones required for traffic to flow from the firewall to the Steelhead appliance and then back to the firewall, additional policies and changes to the way policies are written will be needed as well.
    For details, see Configure Security Policies.

    Configure Interfaces

    Interfaces can be configured by navigating to Network -> Interfaces in the Palo Alto web interface. All four interfaces should be configured with an Interface Type of Virtual Wire.

    Figure 2-1 Screenshot of completed Interface configuration for Virtual Wire deployment

    Create Two Virtual Wires

    Virtual Wires can be configured by navigating to Network -> Virtual Wires in the Palo Alto web interface. The Pre-optimization virtual wire bridges ethernet1/1 to ethernet1/2. The Post-optimization virtual wire bridges ethernet1/3 to ethernet1/4.

    Figure 2-2 Screenshot of completed Virtual Wire configuration for Virtual Wire deployment


    Create Three Security Zones

    Security Zones can be configured by navigating to Network -> Zones in the Palo Alto web interface.

    Figure 2-3 Screenshot of completed Security Zone configuration for Virtual Wire deployment


    Chapter 3 Routed Deployment

    This chapter describes the process and procedures for a Routed Deployment. With a routed deployment the Palo Alto Networks Firewall can perform routing and switching services, including VPN.

    This chapter includes the following sections:

    - Deployment Topology
    - Deployment Prerequisites
    - Understanding the Deployment Process
    - Configure Interfaces for Routed Deployment
    - Create a Virtual Wire for Routed Deployment
    - Create a Virtual Router for Routed Deployment
    - Create Four Security Zones

    Deployment Topology

    Figure 3-1 Routed Deployment Topology (figure; labels: WAN, 192.168.12.1/24, 192.168.10.3/24, 192.168.10.1/24)

    Starting with the clients in the bottom left corner, the packet flow is:

    1. Clients send traffic to the LAN switch.
    2. From the LAN switch, packets go into ethernet1/1 of the Palo Alto Networks Firewall.
    3. Firewall policies are applied and then the traffic is sent out ethernet1/2 to the Steelhead LAN port.
    4. The Steelhead appliance optimizes the traffic and sends it from the Steelhead WAN port to ethernet1/3 of the Palo Alto Networks Firewall.
    5. The Palo Alto firewall sends the traffic out ethernet1/4 to the WAN.

    Deployment Prerequisites

    Before deployment, the physical wiring should be completed as in Figure 3-1. In this deployment the default gateway for the clients will be ethernet1/3 of the Palo Alto Networks Firewall.

    Understanding the Deployment Process

    The following table lists the procedures for deploying and configuring the Palo Alto Networks Firewall and the Steelhead appliance:

    Component: Palo Alto Networks Firewall

    Procedure: Configure interfaces ethernet1/1 and ethernet1/2 as Virtual Wire.
    Description: For a routed deployment, the pre-optimization interfaces should be configured with an Interface Type of Virtual Wire.
    For details, see Configure Interfaces for Routed Deployment.

    Procedure: Configure interfaces ethernet1/3 and ethernet1/4 as Layer 3.
    Description: For a routed deployment, the post-optimization interfaces should be configured with an Interface Type of Layer 3. Assign IP addresses accordingly.
    For details, see Configure Interfaces for Routed Deployment.

    Procedure: Create a Virtual Wire.
    Description: Create a virtual wire that bridges ethernet1/1 and ethernet1/2.
    For details, see Create a Virtual Wire for Routed Deployment.

    Procedure: Create a Virtual Router.
    Description: Create a virtual router and a static route to the default gateway.
    For details, see Create a Virtual Router for Routed Deployment.

    Procedure: Create four Security Zones, two of type virtual-wire and two of type Layer 3.
    Description: Create four security zones, two of type virtual-wire and two of type Layer 3. This deployment requires the additional Steelhead LAN and Steelhead WAN zones.
      - Trusted: the trusted network the clients are on. This includes interface ethernet1/1.
      - Steelhead LAN: for traffic going to and coming from the Steelhead LAN interface. This includes interface ethernet1/2.
      - Steelhead WAN: for traffic going to and coming from the Steelhead WAN interface. This includes interface ethernet1/3.
      - Untrusted: for the internet-facing network. This includes interface ethernet1/4.
    For details, see Create Four Security Zones.

    Procedure: Configure security policies.
    Description: Because of the additional security zones required for traffic to flow from the firewall to the Steelhead appliance and then back to the firewall, additional policies and changes to the way policies are written will be needed as well.
    For details, see Configure Security Policies.

    Component: Steelhead appliance

    Procedure: Set the In-Path Gateway IP of the Steelhead In-Path interface to the IP address of ethernet1/3.
    Description: To set the In-Path Gateway IP, navigate to Configure -> Networking -> In-Path Interfaces.

    Procedure: (Optional) If configuring NAT on the Palo Alto Networks Firewall, configure Full Transparency and OOB Transparency on the Steelhead appliance.
    Description: Full Transparency and OOB Transparency on the Steelhead appliance are needed for proper operation with NAT.
    For details, see Configure Full Transparency and OOB Transparency.
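The deployment tables for the Virtual Wire (Chapter 2) and Routed (Chapter 3) designs both have the outbound flow cross the firewall twice: once before optimization (Trusted into the Steelhead zone) and once after (Steelhead zone out to Untrusted), and on the second pass App-ID sees riverbed-rios rather than the original application. The model below makes that concrete and checks whether a rulebase allows both passes; it is an added example, not Riverbed or Palo Alto Networks code. The zone and interface names come from the tables above, while the Rule class, the first-match evaluation and the sample rulebases are a constructed simplification of security policy, not PAN-OS itself.

```python
"""Two-pass zone model for the Virtual Wire and Routed deployments, with a
check that a security rulebase allows both passes through the firewall.
Added example, not vendor code: Rule and first_match are a simplified,
constructed model of first-match security policy."""
from dataclasses import dataclass

# Interface-to-zone mapping from the Chapter 2 table (three virtual-wire zones).
VWIRE_ZONES = {
    "ethernet1/1": "Trusted",
    "ethernet1/2": "Steelhead",
    "ethernet1/3": "Steelhead",
    "ethernet1/4": "Untrusted",
}
# Interface-to-zone mapping from the Chapter 3 table (two vwire + two Layer 3 zones).
ROUTED_ZONES = {
    "ethernet1/1": "Trusted",
    "ethernet1/2": "Steelhead LAN",
    "ethernet1/3": "Steelhead WAN",
    "ethernet1/4": "Untrusted",
}
# Outbound packet flow from the topology figures: pass 1 is pre-optimization
# (in ethernet1/1, out ethernet1/2 to the Steelhead LAN port); pass 2 is
# post-optimization (in ethernet1/3 from the Steelhead WAN port, out ethernet1/4).
OUTBOUND_PASSES = [("ethernet1/1", "ethernet1/2"), ("ethernet1/3", "ethernet1/4")]
# PAN-OS classifies Steelhead-optimized traffic under this App-ID (Chapter 1).
OPTIMIZED_APP = "riverbed-rios"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str    # zone name or "any"
    to_zone: str      # zone name or "any"
    application: str  # App-ID name or "any"
    action: str       # "allow" or "deny"


def passes_for_flow(zones, app, passes=OUTBOUND_PASSES):
    """Return (from_zone, to_zone, app_seen) for each pass through the firewall.
    Only the first pass carries the original application; later passes carry
    the optimized stream, which App-ID identifies as riverbed-rios."""
    result = []
    for i, (ingress, egress) in enumerate(passes):
        seen = app if i == 0 else OPTIMIZED_APP
        result.append((zones[ingress], zones[egress], seen))
    return result


def first_match(rules, from_zone, to_zone, app):
    """First-match evaluation, top to bottom; None means no rule matched."""
    for rule in rules:
        if (rule.from_zone in (from_zone, "any")
                and rule.to_zone in (to_zone, "any")
                and rule.application in (app, "any")):
            return rule
    return None


def check_flow(rules, zones, app):
    """Return (allowed, report). The flow is allowed only if every pass hits an
    allow rule; a pass no rule matches is reported as the implicit interzone deny."""
    report = []
    allowed = True
    for from_zone, to_zone, seen in passes_for_flow(zones, app):
        rule = first_match(rules, from_zone, to_zone, seen)
        if rule is None or rule.action != "allow":
            allowed = False
        report.append((from_zone, to_zone, seen, rule.name if rule else "implicit-deny"))
    return allowed, report


# A rulebase written for a firewall without the Steelhead zones (constructed):
# it never matches either pass, so the flow is blocked at both.
TRADITIONAL_RULES = [
    Rule("web-out", "Trusted", "Untrusted", "web-browsing", "allow"),
    Rule("deny-all", "any", "any", "any", "deny"),
]
# Rulebases that cover both passes for each design (constructed from the tables).
VWIRE_RULES = [
    Rule("clients-to-steelhead", "Trusted", "Steelhead", "web-browsing", "allow"),
    Rule("optimized-to-wan", "Steelhead", "Untrusted", OPTIMIZED_APP, "allow"),
    Rule("deny-all", "any", "any", "any", "deny"),
]
ROUTED_RULES = [
    Rule("clients-to-steelhead", "Trusted", "Steelhead LAN", "web-browsing", "allow"),
    Rule("optimized-to-wan", "Steelhead WAN", "Untrusted", OPTIMIZED_APP, "allow"),
    Rule("deny-all", "any", "any", "any", "deny"),
]


if __name__ == "__main__":
    for label, rules, zones in [("traditional rulebase, vwire", TRADITIONAL_RULES, VWIRE_ZONES),
                                ("vwire", VWIRE_RULES, VWIRE_ZONES),
                                ("routed", ROUTED_RULES, ROUTED_ZONES)]:
        allowed, report = check_flow(rules, zones, "web-browsing")
        print(label, "allowed" if allowed else "blocked")
        for from_zone, to_zone, seen, rule in report:
            print(f"  {from_zone} -> {to_zone} app={seen}: {rule}")
```

Note that application-level enforcement only happens on the first pass; the second pass can only match on riverbed-rios, which is why the firewall must sit on the LAN side of the Steelhead appliance for App-ID to be useful.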


    Configure Interfaces for Routed Deployment

    Interfaces can be configured by navigating to Network -> Interfaces in the Palo Alto web interface. Interfaces ethernet1/1 and ethernet1/2 should be configured as Virtual Wire. Interfaces ethernet1/3 and ethernet1/4 should be configured as Layer 3. The Layer 3 interfaces should have IP addresses assigned to them; in this example we will use 192.168.12.1/24 and 192.168.10.3/24 for ethernet1/3 and ethernet1/4 respectively.

    Figure 3-2 Screenshot of completed Interface configuration for Routed deployment

    Create a Virtual Wire for Routed Deployment

    Virtual Wires can be configured by navigating to Network -> Virtual Wires in the Palo Alto web interface. The Pre-optimization virtual wire bridges ethernet1/1 to ethernet1/2.

    Figure 3-3 Screenshot of completed Virtual Wire configuration for Routed deployment


    Create a Virtual Router for Routed Deployment

    Virtual Routers can be configured by navigating to Network -> Virtual Routers in the Palo Alto web interface. Add ethernet1/3 and ethernet1/4 to the Virtual Router as in Figure 3-4 below.

    Figure 3-4 Screenshot of Virtual Router configuration

    A route to the next hop in your network should be added to the Virtual Router, as in Figure 3-5 below.

    Figure 3-5 Screenshot of Virtual Router default route


    Create Four Security Zones

    Security Zones can be configured by navigating to Network -> Zones in the Palo Alto web interface.

    Figure 3-6 Screenshot of completed Security Zone configuration for Routed deployment


    Chapter 4 Policy Based Forwarding Deployment

    This chapter describes the process and procedures for a Policy Based Forwarding (PBF) deployment. A PBF deployment should be used if you want the Steelhead appliance to be out of path.

    This chapter includes the following sections:

    Deployment Topology
    Deployment Prerequisites
    Understanding the Deployment Process
    Configure Interfaces for PBF Deployment
    Create a Virtual Router for PBF Deployment
    Create Three Security Zones for PBF Deployment
    Configure Policy Based Forwarding

    Deployment Topology

    Figure 4-1 Policy Based Forwarding Topology (diagram not reproduced; addresses shown in the figure: 192.168.11.1/24, 192.168.11.51/24, 192.168.10.3/24, 192.168.12.1/24, 192.168.10.1/24, and the WAN)

    Starting with the clients in the bottom left corner, the packet flow is:

    1. Clients send traffic to the LAN switch.
    2. From the LAN switch, packets go into ethernet1/1 of the Palo Alto Networks Firewall.
    3. Firewall policies are applied and then the traffic is sent out ethernet1/2 to the Steelhead WAN port.
    4. The Steelhead appliance optimizes the traffic and sends it from the Steelhead WAN port back to ethernet1/2 of the Palo Alto Networks Firewall.
    5. The Palo Alto Networks Firewall sends the traffic out ethernet1/3 to the WAN.


    Deployment Prerequisites

    The following items should be completed before beginning the deployment.

    - The physical wiring should be completed as in Figure 4-1.
    - The default gateway for the clients will be ethernet1/1 of the Palo Alto Networks Firewall.
    - Enable PBF support on the Steelhead appliance by navigating to Configure -> Optimization -> General Service Settings and checking Enable L4/PBR/WCCP/Interceptor Support. Restart the optimization service by navigating to Configure -> Maintenance -> Services and clicking Restart.

    Understanding the Deployment Process

    The following table displays the process for deploying and configuring the Palo Alto Networks Firewall:

    Component: Palo Alto Networks Firewall

    Procedure: Configure interfaces ethernet1/1 - ethernet1/3 as Layer 3.
    Description: In this deployment the pre-optimization interfaces should be configured with an Interface Type of Layer 3. Assign IP addresses accordingly.
    For details, see Configure Interfaces for PBF Deployment

    Procedure: Create a Virtual Router.
    Description: Create a virtual router and a static route to the default gateway.
    For details, see Create a Virtual Router for PBF Deployment

    Procedure: Create three Security Zones of type Layer 3.
    Description: Create three security zones, all three with a Type of Layer 3. This deployment requires the additional Steelhead zone.
        Trusted: The trusted network the clients are on. This includes interface ethernet1/1.
        Steelhead: For traffic going to and coming from the Steelhead appliance. This includes interface ethernet1/2.
        Untrusted: For the internet-facing network. This includes interface ethernet1/3.
    For details, see Create Three Security Zones for PBF Deployment

    Procedure: Create a Policy Based Forwarding policy.
    Description: Create a Policy Based Forwarding policy to forward all traffic to the Steelhead appliance.
    For details, see Configure Policy Based Forwarding

    Procedure: Configure security policies.
    Description: Because of the additional security zones required for traffic to flow from the firewall to the Steelhead appliance and then back to the firewall, additional policies and changes to the way policies are written will be needed as well.
    For details, see Configure Security Policies

    Component: Steelhead appliance

    Procedure: Set the In-Path Gateway IP of the Steelhead In-Path interface to the IP address of ethernet1/2.
    Description: To set the In-Path Gateway IP, navigate to Configure -> Networking -> In-Path Interfaces.

    Procedure: (Optional) If configuring NAT on the Palo Alto Networks Firewall, configure Full Transparency and OOB Transparency on the Steelhead appliance.
    Description: Full Transparency and OOB Transparency on the Steelhead appliance are needed for proper operation with NAT.
    For details, see Configure Full Transparency and OOB Transparency


    Configure Interfaces for PBF Deployment

    Interfaces can be configured by navigating to Network -> Interfaces in the Palo Alto web interface. Interfaces ethernet1/1 - ethernet1/3 should be configured as Layer 3. The Layer 3 interfaces should have IP addresses assigned to them; the IP addresses used in Figure 4-2 correspond to the IP addresses in Figure 4-1.

    Figure 4-2 Screenshot of completed Interface configuration for PBF deployment

    Create a Virtual Router for PBF Deployment

    Virtual Routers can be configured by navigating to Network -> Virtual Routers in the Palo Alto web interface. Add ethernet1/1, ethernet1/2, and ethernet1/3 to the Virtual Router as in Figure 4-3 below.

    Figure 4-3 Screenshot of Virtual Router configuration

    A route to the next hop in your network should be added to the Virtual Router, as in Figure 4-4 below.


    Figure 4-4 Screenshot of Virtual Router default route

    Create Three Security Zones for PBF Deployment

    Security Zones can be configured by navigating to Network -> Zones in the Palo Alto web interface.

    Figure 4-5 Screenshot of completed Security Zone configuration for PBF deployment


    Configure Policy Based Forwarding

    Policy Based Forwarding can be configured by navigating to Policies -> Policy Based Forwarding in the Palo Alto web interface. Two policies need to be created, one to forward traffic originating from the Trusted zone and the other for traffic originating from the Untrusted zone.

    Figure 4-6 Screenshot of both PBF policies

    The Forwarding section of the rule should be configured to forward traffic to the Steelhead In-Path IP address through ethernet1/2. A monitor should be configured to bypass the Steelhead appliance in the event of failure. This is depicted in Figure 4-7 below.

    Figure 4-7 Screenshot of Forwarding rule
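    The packet flow and the PBF rules above, as an added worked example in Python (this is editorial example code, not code from the Riverbed guide or from either vendor). It models the three-zone PBF deployment and derives the ordered (source zone, destination zone) pairs that each optimized flow crosses, which is exactly the list the security rulebase of Appendix A has to allow. Interface and zone names are the guide's; the In-Path IP (taken here to be 192.168.11.51 from Figure 4-1), the route labels WAN and LAN, and the monitor state are assumed inputs. Running it with the monitor down also shows what the bypass implies: outbound traffic then crosses Trusted to Untrusted directly, a zone pair that the Steelhead-specific policies do not cover, so the bypass case needs its own policy consideration.

```python
"""Model of the Chapter 4 PBF packet flow: the firewall zone pairs a flow crosses.

Added example (not from the Riverbed guide). Interface and zone names follow the
guide; the Steelhead In-Path IP, the route labels and the monitor state are
constructed inputs.
"""
from dataclasses import dataclass

# Interface -> security zone, as in the three-zone PBF deployment.
ZONE_OF = {
    "ethernet1/1": "Trusted",    # client LAN side (the clients' default gateway)
    "ethernet1/2": "Steelhead",  # to and from the Steelhead WAN port
    "ethernet1/3": "Untrusted",  # WAN side
}

STEELHEAD_INPATH_IP = "192.168.11.51"  # assumed In-Path IP for this model


@dataclass(frozen=True)
class PbfRule:
    """One Policy Based Forwarding rule: traffic entering from_zone is sent out
    egress_interface to next_hop, unless the monitor has marked next_hop down."""
    from_zone: str
    egress_interface: str
    next_hop: str
    monitor_up: bool = True   # False models the monitor's bypass on failure


@dataclass
class Firewall:
    pbf_rules: tuple
    routes: dict   # destination label -> egress interface (stands in for the virtual router)

    def pbf_for(self, zone):
        """First PBF rule whose source zone matches, or None (first match wins)."""
        for rule in self.pbf_rules:
            if rule.from_zone == zone:
                return rule
        return None

    def zone_pairs(self, ingress_if, dest):
        """Return the ordered (source zone, destination zone) pairs that the
        security rulebase must allow for a packet entering ingress_if bound for dest.

        A PBF redirect sends the packet to the Steelhead appliance, which hands it
        back on the same interface; the hand-back is then routed normally because
        no PBF rule matches the Steelhead zone (a loop guard covers misconfiguration)."""
        pairs = []
        current_if = ingress_if
        for _ in range(len(ZONE_OF) + 1):
            src_zone = ZONE_OF[current_if]
            rule = self.pbf_for(src_zone)
            if rule is not None and rule.monitor_up:
                pairs.append((src_zone, ZONE_OF[rule.egress_interface]))
                current_if = rule.egress_interface   # the Steelhead returns the packet here
                continue
            pairs.append((src_zone, ZONE_OF[self.routes[dest]]))
            return pairs
        raise RuntimeError("PBF rules redirect each other: loop detected")


def build_firewall(monitor_up=True):
    """Firewall configured as in Chapter 4: PBF rules for the Trusted and Untrusted
    zones, both forwarding via ethernet1/2 to the Steelhead In-Path IP."""
    rules = (
        PbfRule("Trusted", "ethernet1/2", STEELHEAD_INPATH_IP, monitor_up),
        PbfRule("Untrusted", "ethernet1/2", STEELHEAD_INPATH_IP, monitor_up),
    )
    # Constructed route table: "WAN" prefixes leave ethernet1/3, "LAN" prefixes ethernet1/1.
    routes = {"WAN": "ethernet1/3", "LAN": "ethernet1/1"}
    return Firewall(rules, routes)


if __name__ == "__main__":
    for state in (True, False):
        fw = build_firewall(monitor_up=state)
        print("monitor up" if state else "monitor down (bypass)")
        print("  outbound:", fw.zone_pairs("ethernet1/1", "WAN"))
        print("  inbound: ", fw.zone_pairs("ethernet1/3", "LAN"))
```

    With the monitor up, an outbound flow yields Trusted -> Steelhead followed by Steelhead -> Untrusted, and an inbound flow yields Untrusted -> Steelhead followed by Steelhead -> Trusted; with the monitor down, the same flows collapse to Trusted -> Untrusted and Untrusted -> Trusted.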


    Chapter 5 Troubleshooting Problems

    This chapter describes common deployment problems and solutions. This chapter includes the following sections:

    Allow Ping on Firewall Interfaces
    Packet Capture
    Allow Traffic to Pass
    Add a Deny All Rule

    Allow Ping on Firewall Interfaces

    Palo Alto Networks Firewall interfaces do not respond to ping by default. To enable ping responses:

    1. Navigate to Network -> Network Profiles -> Interface Mgmt.
    2. Create an Interface Management profile that enables ping.
    3. Navigate to Network -> Interfaces and edit the interface on which to enable ping.
    4. In the edit interface window, navigate to Advanced -> Other Info and assign the Management Profile created in step 2.

    Packet Capture

    Both the Steelhead appliance and the Palo Alto Networks Firewall can capture packets and save them to a file that can be analyzed by Wireshark (http://www.wireshark.org/). To capture packets on the Steelhead appliance, navigate to Reports -> Diagnostics -> TCP Dumps and click on Add a New TCP Dump. To capture packets on the Palo Alto Networks Firewall, navigate to Monitor -> Packet Capture.

    Allow Traffic to Pass

    By default, the Palo Alto Networks Firewall drops all traffic. For troubleshooting purposes it is easier if the firewall passes traffic, to remove the firewall from the equation. Policies are created by navigating to Policies -> Security in the Palo Alto web interface.

    Add a Deny All Rule

    Palo Alto implicitly denies all traffic that is not specifically allowed by a policy. Traffic that is dropped by the implicit rule is unfortunately not logged. You can get around this by adding an explicit deny all rule to the end of the list. For more details see this tech tip: http://www.commsolutions.com/blog/2011/06/palo-alto-tech-tip-implicit-deny-and-the-traffic-log/


    Appendix A Miscellaneous Configuration Steps

    This appendix provides miscellaneous configuration steps referenced in the above sections.

    This appendix includes the following sections:

    Configure Full Transparency and OOB Transparency
    Configure Security Policies

    Configure Full Transparency and OOB Transparency

    If the Palo Alto Networks Firewall is configured to do NAT, then the Steelhead appliance must be configured for Full Transparency and OOB Transparency. To add an In-Path rule for Full Transparency, navigate to Configure -> Optimization -> In-Path Rules and click on Add a New In-Path Rule. Set the WAN Visibility Mode to Full Transparency; all other fields can be left as default. Figure A-1 below depicts a completed In-Path rule.

    Figure A-1 Screenshot of Full Transparency In-Path rule

    OOB Transparency must also be configured for NAT to work properly with the Steelhead appliance. To enable OOB transparency, enter the following in the Steelhead command-line interface after entering conf t:

    in-path peering oobtransparency mode "destination"


    Configure Security Policies

    This section discusses how security policies should be applied when Steelhead appliances are deployed alongside a Palo Alto Networks Firewall. Because of the additional security zones required for traffic to flow from the firewall to the Steelhead appliance and then back to the firewall, additional policies and changes to the way policies are written will be needed as well. Policies can be configured by navigating to Policies -> Security in the Palo Alto web interface. This section covers:

    Outbound Traffic
    Inbound Traffic

    Outbound Traffic

    For outbound traffic two changes are needed. The first is an additional policy to allow optimized traffic originating from the Steelhead appliance, illustrated by the Steelhead to WAN policy in Figure A-2 below. The policy should be created with the following parameters:

    Source Zone: Steelhead (or Steelhead WAN in the Chapter 3 Routed Deployment)
    Destination Zone: Untrusted
    Action: Allow

    As traffic is now flowing from the Trusted zone to the Steelhead zone (or Steelhead LAN zone in the Chapter 3 Routed Deployment) before going to the Untrusted zone, the second change is that existing or new policies will need to be written with a Destination zone of Steelhead (or Steelhead LAN in the Chapter 3 Routed Deployment). This is illustrated by the LAN to Steelhead policy in Figure A-2 below.

    Figure A-2 Screenshot of policy to allow all outbound traffic

    Inbound Traffic

    For inbound traffic two changes are needed. The first is an additional policy to allow optimized traffic originating from the peer Steelhead appliance, illustrated by the WAN to Steelhead policy in Figure A-3 below. The policy should be created with the following parameters:

    Source Zone: Untrusted
    Destination Zone: Steelhead (or Steelhead WAN in the Chapter 3 Routed Deployment)
    Action: Allow

    As traffic is now flowing from the Untrusted zone to the Steelhead zone (or Steelhead WAN zone in the Chapter 3 Routed Deployment) before going to the Trusted zone, the second change is that existing or new policies will need to be written with a Source zone of Steelhead (or Steelhead WAN in the Chapter 3 Routed Deployment). This is illustrated by the Steelhead to LAN policy in Figure A-3 below.


    Figure A-3 Screenshot of policy to allow inbound traffic
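    How the first-match rulebase evaluates the zone pairs described in this section, and why the explicit deny all rule from Chapter 5 matters, as an added worked example in Python (editorial example code, not from the Riverbed guide or from Palo Alto Networks). The four rules carry the rule names from Figures A-2 and A-3 and the PBF deployment's zone names; the matching is deliberately reduced to zones only (no address, application or service criteria), and the unlogged implicit deny is modelled as a final catch-all rule. The example shows that a rulebase written before the Steelhead zone existed silently drops the first hop of every optimized flow, that the same drop becomes visible in the log once an explicit deny all rule is appended, and that the Appendix A rules allow both hops of the outbound and inbound flows.

```python
"""First-match security rulebase evaluation for the Steelhead deployment.

Added example (not from the Riverbed guide). Models the zone-based behaviour the
guide relies on: rules are evaluated top to bottom, the first match wins, and a
flow that matches nothing hits the implicit deny, which writes no traffic-log
entry. Rule and zone names follow Figures A-2 and A-3; matching on zones only is
a simplification of the real rule criteria.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str    # "any" matches every zone
    to_zone: str
    action: str       # "allow" or "deny"
    log: bool = True  # whether a match writes a traffic-log entry


# The implicit rule at the bottom of every rulebase: denies and does not log.
IMPLICIT_DENY = Rule("implicit-deny", "any", "any", "deny", log=False)

# Zone pairs crossed by one optimized flow in the PBF deployment (Chapter 4):
# client -> Steelhead appliance -> WAN, and the reverse for inbound traffic.
OUTBOUND = [("Trusted", "Steelhead"), ("Steelhead", "Untrusted")]
INBOUND = [("Untrusted", "Steelhead"), ("Steelhead", "Trusted")]


def evaluate(rulebase, from_zone, to_zone):
    """Return the first rule matching the zone pair, or the implicit deny."""
    for rule in rulebase:
        if rule.from_zone in ("any", from_zone) and rule.to_zone in ("any", to_zone):
            return rule
    return IMPLICIT_DENY


def check_flow(rulebase, zone_pairs, log):
    """Evaluate every hop of a flow in order. Appends one entry to log for each
    hop whose matched rule logs, stops at the first deny, and returns True only
    if every hop is allowed."""
    for src, dst in zone_pairs:
        rule = evaluate(rulebase, src, dst)
        if rule.log:
            log.append(f"{src}->{dst} {rule.action} by {rule.name}")
        if rule.action != "allow":
            return False
    return True


def legacy_rulebase():
    """Rulebase written before the Steelhead zone existed: only Trusted -> Untrusted."""
    return [Rule("LAN to WAN", "Trusted", "Untrusted", "allow")]


def steelhead_rulebase():
    """The four policies of Appendix A (Figures A-2 and A-3). The guide's lab
    rules allow everything between the zone pairs; production rules would add
    the usual address, application and service criteria."""
    return [
        Rule("LAN to Steelhead", "Trusted", "Steelhead", "allow"),    # existing rules rewritten
        Rule("Steelhead to WAN", "Steelhead", "Untrusted", "allow"),  # new: optimized traffic out
        Rule("WAN to Steelhead", "Untrusted", "Steelhead", "allow"),  # new: from the peer Steelhead
        Rule("Steelhead to LAN", "Steelhead", "Trusted", "allow"),    # existing rules rewritten
    ]


def with_explicit_deny(rulebase):
    """Append the logged deny all rule from Chapter 5 so dropped traffic is visible."""
    return rulebase + [Rule("deny-all", "any", "any", "deny", log=True)]


if __name__ == "__main__":
    for label, rb in (("legacy", legacy_rulebase()),
                      ("legacy + deny-all", with_explicit_deny(legacy_rulebase())),
                      ("Appendix A", steelhead_rulebase())):
        log = []
        ok = check_flow(rb, OUTBOUND, log)
        print(f"{label}: outbound {'allowed' if ok else 'denied'}; log entries: {log}")
```

    The legacy rulebase denies the outbound flow at its first hop without producing a log entry, which is the blind spot the Chapter 5 deny all rule closes; with that rule appended the same drop is logged as Trusted->Steelhead deny by deny-all.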


    Appendix B Additional Resources

    This section describes resources that supplement the information in this guide. It includes the following:

    Steelhead Management Console Users Guide

    Palo Alto Networks Administrators Guide

    Steelhead Management Console Users Guide

    The Steelhead Management Console Users Guide describes how to configure and monitor the Steelhead appliance using the Management Console. It is available at: https://support.riverbed.com/software/appliance.htm

    Palo Alto Networks Administrators Guide

    The Palo Alto Networks Administrators Guide describes how to configure the Palo Alto Networks Firewall. It is available at https://live.paloaltonetworks.com/community/documentation/content?filterID=content~category[administrators-guide] (login required).

    Riverbed Technology, Inc.
    199 Fremont Street
    San Francisco, CA 94105
    Tel: (415) 247-8800
    www.riverbed.com

    Riverbed Technology Ltd.
    One Thames Valley
    Wokingham Road, Level 2
    Bracknell, RG42 1NG
    United Kingdom
    Tel: +44 1344 31 7100

    Riverbed Technology Pte. Ltd.
    391A Orchard Road #22-06/10
    Ngee Ann City Tower A
    Singapore 238873
    Tel: +65 6508-7400

    Riverbed Technology K.K.
    Shiba-Koen Plaza Building 9F
    3-6-9, Shiba, Minato-ku
    Tokyo, Japan 105-0014
    Tel: +81 3 5419 1990