Lecture handout: pan-edu20561b mod1adv interface config (page 1)

Slide 1: Advanced Interface Configuration
PAN-EDU-205, PAN-OS 6.1, Rev B

Slide 2: Agenda
- NAT: Port Forwarding, Bi-Directional NAT, U-turn NAT, Overlapping Subnets
- Policy Based Forwarding (PBF): Configuration, Symmetric Return
- Routing Protocols: OSPF

Slide 3: Flow Logic of the Next-Generation Firewall
- Initial Packet Processing: Source Zone / Address / User-ID; PBF / Forwarding Lookup; Destination Zone; NAT Policy Evaluated
- Security Pre-Policy: Check Allowed Ports; Session Created
- Application: Check for Encrypted Traffic; Decryption Policy; Application Override Policy; App-ID
- Security Policy: Check Security Policy; Check Security Profiles
- Post Policy Processing: Re-Encrypt Traffic; NAT Policy Applied; Packet Forwarded

Slide 4: NAT | Network Address Translation

Slide 5: Source NAT Types
- Dynamic IP/Port (Port Address Translation): multiple clients use the same public IP address with different source port numbers. The assigned address can be set to the interface address or to a translated address.
- Dynamic IP: 1-to-1 translations; private source addresses translate to the next available address in the range.
- Static IP: 1-to-1 translations; use static IP to change the source IP address while leaving the source port unchanged.

Slide 6: Destination NAT Types and Uses
- Static IP translates an inbound destination address using 1:1 translation.
- One common use of destination NAT is to configure several NAT rules that map a single public destination address to several private destination addresses assigned to servers or services. For example:
  - Port Forwarding maps a public destination address and port to a private destination address, but on the same port.
  - Port Translation maps a public destination address and port to a private destination address on a different port.

Slide 7: NAT64 Support
NAT64 provides Network Address and Protocol Translation to allow IPv6-only clients to contact IPv4 servers using unicast UDP, TCP, or ICMP.

Slide 8: Bi-Directional NAT
- Available on Static Source NAT rules.
- Creates the appropriate rule for traffic initiated in the other direction.
- The corresponding rule is not visible in the GUI and can only be viewed from the CLI: show running nat-policy

Slide 9: Destination NAT and Port Forwarding
Diagram: SMTP Relay, Web Server 192.168.10.20 Port 8080, and POP3 / IMAP on private IPs in the Trust-L3 zone, reached through a Public IP in the Untrust-L3 zone (other addresses not legible).

Slide 10: Configuring Port Forwarding in NAT Policy
Policies > NAT; Objects > Services

Slide 11: Configuring Port Forwarding in Security Policy
Policies > Security

Slide 12: Three-Zone U-Turn NAT
When internal traffic needs to access DMZ resources using public IP addresses.
Diagram: Web Server on a private IP in the DMZ zone; Public IP in the Untrust-L3 zone; client on a private IP in the Trust-L3 zone; DNS: Internet.

Slide 13: Configuring Three-Zone U-Turn NAT
- The U-Turn NAT rule must go before general Internet access.
- The Security rule is between the Trust-L3 zone and the DMZ; the destination zone should be DMZ.
- Policies > NAT; Policies > Security

Slide 14: Two-Zone U-Turn NAT
When internal traffic needs to access local resources using public IP addresses.
Diagram: Web Server on a private IP in the Trust-L3 zone; Public IP in the Untrust-L3 zone; External DNS returns the Public IP; User DHCP Scope: 00-200; DNS: Internet.

Slide 15: Configuring Two-Zone U-Turn NAT
- The U-Turn NAT rule must go before general Internet access.
- A Security rule is not needed for intrazone traffic.
- Policies > NAT

Slide 16: DNS Proxy
Diagram: Internal DNS Server and Public DNS Server; a DNS query for an EXTERNAL IP versus a DNS query for an INTERNAL IP.

Slide 17: Configuring DNS Proxy
Network > DNS Proxy

Slide 18: Overlapping Subnets Scenario
Used when multiple remote sites have the same IP subnet.
Diagram: Trust-L3 /16 at HQ; Remote1 /24 and Remote2 /24, each connected over VPN (prefixes not legible).

Slide 19: Overlapping Subnets Solution
Use NAT to make each site appear to have a unique IP range.
Diagram: NAT Rule Overlap-Remote-1 /24; NAT Rule Overlap-Remote-2 /24.

Slide 20: Configuring Overlapping Subnet Solution
This configuration allows bi-directional communication between the remote sites and all HQ resources.
Policies > NAT
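The rule-ordering point of slides 13 and 15 (the U-turn rule must sit above general Internet access), the port-forwarding and port-translation rules of slide 6, and the implied reverse rule of bi-directional NAT (slide 8) all follow from one fact in slide 3: NAT rules are evaluated top-down, first match wins, against the pre-NAT packet, and the destination zone is resolved by a route lookup on the original destination address. The model below is an added example, not Palo Alto Networks code or part of the slides; the zones, the 192.168.10.0/24, 172.16.1.0/24 and 203.0.113.0/24 ranges, the rule names, and the way the implied reverse rule is built (from any zone to the original destination zone) are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed routing table: the destination zone is found by a route lookup on
# the ORIGINAL (pre-NAT) destination address, so a public IP always lands in Untrust-L3.
ROUTES = {
    ip_network("192.168.10.0/24"): "Trust-L3",
    ip_network("172.16.1.0/24"): "DMZ",
    ip_network("0.0.0.0/0"): "Untrust-L3",   # default route towards the ISP
}

def zone_for(addr: str) -> str:
    """Longest-prefix match of addr against ROUTES -> zone of the egress interface."""
    a = ip_address(addr)
    best = max((n for n in ROUTES if a in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

@dataclass
class NatRule:
    name: str
    from_zone: str                      # "any" or a zone name
    to_zone: str
    src: str = "any"                    # original source network or "any"
    dst: str = "any"                    # original destination network or "any"
    dport: Optional[int] = None         # original destination port, None = any
    src_xlate: Optional[str] = None     # translated source address
    dst_xlate: Optional[str] = None     # translated destination address
    dport_xlate: Optional[int] = None   # translated destination port (port translation)

    def matches(self, pkt: dict) -> bool:
        if self.from_zone not in ("any", pkt["from_zone"]) or self.to_zone != pkt["to_zone"]:
            return False
        if self.src != "any" and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt["dport"]

def evaluate(rules, src: str, dst: str, dport: int):
    """Top-down, first-match NAT lookup. Returns (rule name or None, post-NAT packet)."""
    pkt = {"from_zone": zone_for(src), "to_zone": zone_for(dst),
           "src": src, "dst": dst, "dport": dport}
    for rule in rules:
        if rule.matches(pkt):
            out = dict(pkt)
            if rule.src_xlate:
                out["src"] = rule.src_xlate
            if rule.dst_xlate:
                out["dst"] = rule.dst_xlate
            if rule.dport_xlate:
                out["dport"] = rule.dport_xlate
            return rule.name, out
    return None, pkt    # no rule matched: the packet is forwarded untranslated

def reverse_of(rule: NatRule) -> NatRule:
    """Implied inbound rule of a bi-directional static source NAT rule, as modelled
    here (assumption): any zone -> original to-zone, public address mapped back."""
    return NatRule(rule.name + " (implied)", "any", rule.to_zone,
                   dst=rule.src_xlate + "/32", dst_xlate=rule.src.split("/")[0])

# Constructed rules; 203.0.113.0/24 plays the ISP-assigned public range.
INTERNET = NatRule("Internet-Access", "Trust-L3", "Untrust-L3",
                   src_xlate="203.0.113.1")           # dynamic IP/port to the untrust interface address
UTURN = NatRule("U-Turn-Web", "Trust-L3", "Untrust-L3", dst="203.0.113.10/32",
                dst_xlate="172.16.1.20")              # three-zone U-turn: destination NAT to the DMZ host
PORTFWD = NatRule("Inbound-Web-8080", "Untrust-L3", "Untrust-L3", dst="203.0.113.10/32",
                  dport=80, dst_xlate="172.16.1.20", dport_xlate=8080)   # port translation
MAIL_STATIC = NatRule("SMTP-Static", "DMZ", "Untrust-L3", src="172.16.1.25/32",
                      src_xlate="203.0.113.25")       # static source NAT, bi-directional enabled

def uturn_ordering_demo():
    """Rule hit for an internal client browsing to the public IP, with the U-turn
    rule placed below, then above, the general Internet-access rule."""
    below = evaluate([INTERNET, UTURN], "192.168.10.50", "203.0.113.10", 80)[0]
    above = evaluate([UTURN, INTERNET], "192.168.10.50", "203.0.113.10", 80)[0]
    return below, above          # ("Internet-Access", "U-Turn-Web")

def port_forward_demo():
    """Inbound request to the public IP on port 80 is rewritten to the DMZ host on 8080."""
    return evaluate([PORTFWD, UTURN, INTERNET], "198.51.100.7", "203.0.113.10", 80)

def bidirectional_demo():
    """Inbound mail to the static-NAT public address is handled by the implied rule."""
    rules = [PORTFWD, UTURN, INTERNET, reverse_of(MAIL_STATIC)]
    return evaluate(rules, "198.51.100.7", "203.0.113.25", 25)
```

With the U-turn rule below the general rule, the internal client's request to the public IP matches "Internet-Access" (both rules are Trust-L3 to Untrust-L3), so the destination is never rewritten to the DMZ host; moving the more specific rule up fixes that. The inbound rules also show why destination NAT rules use Untrust-L3 as their destination zone: the public address is routed to the untrust interface before any translation happens.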

Slide 21: Policy Based Forwarding (PBF)

Slide 22: Policy Based Forwarding (PBF)
- Forwarding lookups are based on the virtual router by default.
- If a session matches a configured PBF rule, the firewall forwards the session based on the PBF rule Action.
- PBF is configured as a policy.
- A single session will always be forwarded the same way.
- PBF supports multiple upstream links.
Diagram: ISP-A and ISP-B, each leading to the Internet.

Slide 23: PBF Flow Logic
Flow chart: Forwarding Lookup / PBF. Do any PBF rule(s) match? No: use the Virtual Router. Yes: PBF Monitor disables the rule if the next hop / monitor IP is unreachable, according to the monitor profile (Fail-over or Wait-recover). Action: Forward (to Interface), Discard, No PBF (use VR), Forward to VSYS.

Slide 24: PBF Configuration
Policies > Policy Based Forwarding. Type: Zone or Interface. User: any, pre-logon, known-user, unknown, Select.

Slide 25: PBF Configuration
Service: any, Application-Default, Select.

Slide 26: PBF Actions
Forward; Discard; No PBF; Forward to VSYS

Slide 27: PBF Monitor Profiles and Failure Conditions
Network > Network Profiles > Monitor
Setting / Action:
- Monitor = Fail-Over: traffic is routed based on VR routing; no further PBF rules are checked.
- Monitor = Wait-Recover: traffic continues to use the egress interface specified by the PBF rule.

Slide 28: Routing Issues
- Inbound session through ISP2.
- Return path through ISP1 (default route).
- Session failure due to NAT/routing issues.
Diagram: Internet, ISP A and ISP B, Default Route (addresses not legible).

Slide 29: Symmetric Return
To address the routing issue:
- Create a PBF policy to match the inbound session through ISP2.
- Configure the PBF policy for symmetric return.
- Symmetric Return sends return traffic through ISP2.

Slide 30: Configuring Symmetric Return
- Implemented through PBF.
- Match the C2S flow (the PBF action doesn't matter).
- Enable symmetric return.
- Specify the next hop list.

Slide 31: Route Protocols: OSPF

Slide 32: Supported Routing Protocols
- Support for OSPF, RIP, BGP
- Routing support across IPsec tunnels
- Multicast Routing

Slide 33: OSPF Configuration
Network > Virtual Routers

Slide 34: OSPF Area 0
Network > Virtual Routers > OSPF; Type

Slide 35: OSPF Interfaces
Each Layer 3 interface that will advertise its state must be added to the OSPF process.
Network > Virtual Routers > OSPF > Interface

Slide 36: OSPF Redistribution Profile
Network > Virtual Routers > Redistribution Profiles

Slide 37: OSPF Export Connected Routes
Redistribution Profile

Slide 38: OSPF Verification
show routing route
    flags: A:active, C:connect, H:host, S:static, R:rip, O:ospf, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2
    VIRTUAL ROUTER: VR1 (id 1)
    ==========
    destination nexthop metric flags age interface
    /0 54 10 AS ethernet1/1
    /24 10 Oi 141 ethernet1/1
    /24 1 0 AC ethernet1/1
    1/32 0 AH
    /24 10 Oi 141 ethernet1/2
    /24 54 0 AC ethernet1/2
    54/32 0 AH
    /24 6 20 AOi 136 ethernet1/1
    total routes shown: 8
(Destination and next-hop addresses are only partly legible in the captured output.) The AOi flags indicate an active route learned through OSPF intra-area discovery.

Slide 39: Routing Protocol over IPsec Tunnels
- PAN-OS treats IPsec tunnels as physical interfaces.
- OSPF can be enabled over these interfaces in the same way it can be enabled on physical interfaces.
- Routes are propagated via OSPF.

Slide 40: OSPFv3
- Support for multiple instances per link: may run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number.
- Protocol Processing Per-link: Operates p
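Returning to the PBF slides: the decision flow of slide 23, the Fail-Over and Wait-Recover behaviour of slide 27, the "a single session is always forwarded the same way" rule of slide 22 and the symmetric-return fix of slides 28 to 30 can be put together in one small model. This is an added example, not Palo Alto Networks code or part of the course material; the virtual-router table, the interface names (ethernet1/1 towards ISP-A, ethernet1/2 towards ISP-B, ethernet1/3 for the LAN), the zone and rule names, the addresses, and the per-ingress-interface next-hop list are all constructed assumptions. The symmetric-return rule uses the No PBF action deliberately, since slide 30 says the action does not matter for that purpose.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed virtual-router table: prefix -> (egress interface, next hop).
VR_ROUTES = {
    ip_network("0.0.0.0/0"): ("ethernet1/1", "203.0.113.1"),   # default route via ISP-A
    ip_network("192.168.10.0/24"): ("ethernet1/3", None),      # directly connected LAN
}

def vr_lookup(dst: str) -> Tuple[str, Optional[str]]:
    """Longest-prefix match in the virtual router."""
    a = ip_address(dst)
    best = max((n for n in VR_ROUTES if a in n), key=lambda n: n.prefixlen)
    return VR_ROUTES[best]

def vr_decision(dst: str) -> dict:
    egress, nexthop = vr_lookup(dst)
    return {"via": "VR", "egress": egress, "nexthop": nexthop, "symmetric_return": False}

@dataclass
class PbfRule:
    name: str
    from_zone: str
    dst: str = "any"                    # destination network or "any"
    action: str = "forward"             # forward | discard | no-pbf | forward-to-vsys
    egress: Optional[str] = None        # egress interface (or target vsys for forward-to-vsys)
    nexthop: Optional[str] = None
    monitor_ip: Optional[str] = None    # None = no monitor profile attached
    on_failure: str = "fail-over"       # monitor profile action: fail-over | wait-recover
    symmetric_return: bool = False

    def matches(self, from_zone: str, dst: str) -> bool:
        if self.from_zone != from_zone:
            return False
        return self.dst == "any" or ip_address(dst) in ip_network(self.dst)

def pbf_decide(rules, from_zone: str, dst: str, reachable) -> dict:
    """Forwarding decision for a NEW session: PBF rules top-down, VR as fallback."""
    for rule in rules:
        if not rule.matches(from_zone, dst):
            continue
        if rule.monitor_ip is not None and rule.monitor_ip not in reachable:
            if rule.on_failure == "fail-over":
                return vr_decision(dst)   # rule disabled: VR routing, no further PBF rules checked
            # wait-recover: keep using the egress interface the rule specifies
        if rule.action == "discard":
            return {"via": rule.name, "egress": None, "nexthop": None,
                    "symmetric_return": rule.symmetric_return}
        if rule.action == "no-pbf":
            d = vr_decision(dst)          # the VR decides, but the rule still sets symmetric return
            d.update(via=rule.name, symmetric_return=rule.symmetric_return)
            return d
        return {"via": rule.name, "egress": rule.egress, "nexthop": rule.nexthop,
                "symmetric_return": rule.symmetric_return}
    return vr_decision(dst)               # no PBF rule matched

class Firewall:
    """Caches the decision per session so every packet of a session is forwarded the same way."""
    # Symmetric-return next hop list: next hop to use per ingress interface (constructed).
    RETURN_NEXTHOP = {"ethernet1/1": "203.0.113.1", "ethernet1/2": "198.51.100.1"}

    def __init__(self, rules, reachable):
        self.rules, self.reachable = rules, set(reachable)
        self.sessions: Dict[tuple, dict] = {}

    def forward_c2s(self, key: tuple, from_zone: str, dst: str, ingress: str) -> dict:
        if key not in self.sessions:
            d = pbf_decide(self.rules, from_zone, dst, self.reachable)
            d["ingress"] = ingress
            self.sessions[key] = d
        return self.sessions[key]

    def forward_s2c(self, key: tuple, dst: str) -> Tuple[str, Optional[str]]:
        """Return direction: symmetric return sends the reply out the ingress interface
        of the c2s flow to its listed next hop; otherwise the VR (default route) decides."""
        sess = self.sessions[key]
        if sess["symmetric_return"]:
            return sess["ingress"], self.RETURN_NEXTHOP[sess["ingress"]]
        return vr_lookup(dst)

WEB_VIA_ISP_B = PbfRule("Web-via-ISP-B", "Trust-L3", egress="ethernet1/2",
                        nexthop="198.51.100.1", monitor_ip="198.51.100.1")
INBOUND_ISP2 = PbfRule("Inbound-ISP2", "Untrust-ISP2", action="no-pbf", symmetric_return=True)

def monitor_demo():
    """Egress for a Trust-L3 session with ISP-B's next hop up, down with fail-over,
    and down with wait-recover."""
    up = pbf_decide([WEB_VIA_ISP_B], "Trust-L3", "198.51.100.200", {"198.51.100.1"})
    failover = pbf_decide([WEB_VIA_ISP_B], "Trust-L3", "198.51.100.200", set())
    waiting = pbf_decide([replace(WEB_VIA_ISP_B, on_failure="wait-recover")],
                         "Trust-L3", "198.51.100.200", set())
    return up["egress"], failover["egress"], waiting["egress"]

def session_cache_demo():
    """The first decision sticks even after the monitored next hop goes down."""
    fw = Firewall([WEB_VIA_ISP_B], {"198.51.100.1"})
    key = ("192.168.10.50", "198.51.100.200", 443)
    first = fw.forward_c2s(key, "Trust-L3", "198.51.100.200", "ethernet1/3")["egress"]
    fw.reachable.clear()                           # monitor IP becomes unreachable
    second = fw.forward_c2s(key, "Trust-L3", "198.51.100.200", "ethernet1/3")["egress"]
    return first, second

def symmetric_return_demo():
    """Reply path for a session that arrived through ISP-B (ethernet1/2),
    first with the symmetric-return rule and then without it."""
    key = ("198.51.100.77", "192.168.10.20", 80)
    out = []
    for rules in ([INBOUND_ISP2], []):
        fw = Firewall(rules, set())
        fw.forward_c2s(key, "Untrust-ISP2", "192.168.10.20", "ethernet1/2")
        out.append(fw.forward_s2c(key, "198.51.100.77"))
    return out
```

Without the symmetric-return rule the reply to the ISP-B client follows the VR default route out through ISP-A, which is exactly the asymmetric path of slide 28; with it, the reply leaves through ethernet1/2 to the next hop listed for that interface.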
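For the OSPF verification step of slide 38, the useful check after enabling OSPF on an interface (slide 35) or over an IPsec tunnel (slide 39) is whether an active OSPF-learned route for the expected prefix is installed via the expected interface. The parser below is an added example, not Palo Alto Networks code or part of the slides; it uses only the flag legend printed in the slide's output. The route table embedded in it is constructed (the slide's own rows lost their addresses), and it assumes the column order destination, nexthop, metric, flags, age, interface shown in the slide, with the age and interface columns allowed to be absent and the flags either spaced ("A Oi") or fused ("AOi") as they appear on the slide.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Flag legend as printed in the header of "show routing route" on the slide.
FLAGS = {"A": "active", "C": "connect", "H": "host", "S": "static", "R": "rip",
         "O": "ospf", "Oi": "ospf intra-area", "Oo": "ospf inter-area",
         "O1": "ospf ext-type-1", "O2": "ospf ext-type-2"}
FLAG_RE = re.compile(r"O[io12]?|[ACHSR]")       # splits "AOi" into ["A", "Oi"]
FLAGS_OR_AGE = re.compile(r"[ACHSRO12io]+|\d+")  # a trailing token that is not an interface

@dataclass
class Route:
    destination: str
    nexthop: str
    metric: int
    flags: List[str]
    age: Optional[int]
    interface: Optional[str]

    def is_active(self) -> bool:
        return "A" in self.flags

    def ospf_kind(self) -> Optional[str]:
        """Human-readable OSPF route type, or None for non-OSPF routes."""
        return next((FLAGS[f] for f in self.flags if f.startswith("O")), None)

def parse_route_table(text: str) -> List[Route]:
    """Parse 'show routing route' output. Header, separator, 'VIRTUAL ROUTER' and
    'total routes shown' lines are skipped because they carry no prefix."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or "/" not in tok[0]:
            continue
        dest, nexthop, metric, rest = tok[0], tok[1], int(tok[2]), tok[3:]
        interface = None
        if not FLAGS_OR_AGE.fullmatch(rest[-1]):   # interface column present
            interface, rest = rest[-1], rest[:-1]
        age = None
        if rest and rest[-1].isdigit():            # age column present
            age, rest = int(rest[-1]), rest[:-1]
        flags = FLAG_RE.findall("".join(rest))
        routes.append(Route(dest, nexthop, metric, flags, age, interface))
    return routes

def active_ospf_routes(routes: List[Route]) -> List[Route]:
    return [r for r in routes if r.is_active() and r.ospf_kind()]

def has_active_ospf_route(routes: List[Route], prefix: str, interface: str) -> bool:
    """Verification check: an active OSPF-learned route for prefix via interface?"""
    return any(r.destination == prefix and r.interface == interface
               for r in active_ospf_routes(routes))

# Constructed sample in the slide's layout (addresses are documentation ranges).
SAMPLE = """\
VIRTUAL ROUTER: VR1 (id 1)
==========
destination       nexthop         metric  flags  age  interface
0.0.0.0/0         203.0.113.54    10      A S         ethernet1/1
10.1.20.0/24      10.1.10.2       10      A Oi   141  ethernet1/1
10.1.10.0/24      10.1.10.1       0       A C         ethernet1/1
10.1.10.1/32      0.0.0.0         0       A H
10.2.20.0/24      10.2.10.2       10      A Oi   141  ethernet1/2
10.2.10.0/24      10.2.10.54      0       A C         ethernet1/2
10.2.10.54/32     0.0.0.0         0       AH
10.3.0.0/24       10.1.10.6       20      AOi    136  ethernet1/1
total routes shown: 8
"""

if __name__ == "__main__":
    for r in active_ospf_routes(parse_route_table(SAMPLE)):
        print(f"{r.destination:16} {r.ospf_kind():18} via {r.interface} metric {r.metric}")
```

Run against the output of show routing route on the virtual router, the check fails (returns False) when the neighbour has not advertised the prefix, when the route exists but is not active, or when it was learned over a different interface than the one OSPF was meant to use, which are the three outcomes worth separating after an OSPF change.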
