Categories
Hardware Palo Alto Security

So I Wanted a New Firewall…

If you have ever spent much time working with the Ubiquity UDM Pro, you will find that it is a great device for many things (network controller, video and phone controller, etc.). However, it’s not the best firewall if you are going to do some advanced rulesets or want to have that extra peace of mind. So I started looking around again at different options and came up with one that helped minimize long-term costs as well as give me a platform that has true Enterprise experience. What I found was the Palo Alto Networks PA-440:

This is a really solid firewall from their Next Generation Firewall line. Since it’s a newer product, I don’t have to worry about it going end-of-life or not supporting their latest PAN-OS releases. They advertise the PA-400 series as the “world’s first Machine Learning-powered Next-Generation Firewall”. It has plenty of throughput supported which allows me to take advantage of up to 1 Gbps on my home ISP. The best part is that I was able to get a LAB model, which for a very low annual fee enables all of the advanced features for non-production use. PERFECT for a #HomeLab!

Now, I’ve worked with other Palo Alto firewalls before and I’m familiar with their use throughout many organizations. I like their web interface as well as the VERY granular control for security and NAT policies. It supports several types of VPNs which will be good for me when I’m on the road and want to work on some #HomeLab stuff from afar. I also know the US DoD has published a STIG, or Security Technical Information Guide, for the Palo Alto series of firewalls. If the link above doesn’t work, you can search for the updated version here: https://public.cyber.mil/stigs/downloads/

Before I could start playing with my new firewall, I had to figure out how to integrate it into the #HomeLab. You laugh, but it wasn’t going to be as easy as just replace the UDM Pro with the PA. I still need the Network Controller that the UDM provides (for now…more on that coming later). Which VLANs will be migrated to the PA and which will stay on the UDM? Eventually, this is what I came up with:

I needed to move at least the external interface and a trunk to the internal VLANs to the PA (ethernet1/2 and ethernet1/8). Additionally, I setup a dedicated interface for my VoIP VLAN gateway so I could manage the 3CX services directly. I’ll tell you know, it’s still not working correctly. That too will be a later write-up as well as a submission to 3CX on how to configure a Palo Alto firewall with their server. I wanted to try and bring the VLAN Trunk connection down to the US-16-XG using a GiTi SFP 10/100/1000Base-T SFP to RJ45 Transceiver. Unfortunately, every time I swing the trunk down there, none of the VLANs want to work. I’m not sure what the problem is. It’s recognized by the 16-XG, and the link comes up with the PA. Just no traffic passing… So for now, I’m terminating the trunk on the UDM Pro.

So, the first thing I did was to enable FIPS mode on the firewall. This establishes several requirements for strong cryptographic ciphers, password complexity, and other settings. On the PA, this has to be done via the Console interface. Ironic, because once you enable FIPS mode on a PA, you can no longer use the Console interface for configuration. Anyways, I connected to the console and booted up the firewall. After the system booted, I entered the Maintenance Recovery Tool by typing the following:

debug system maintenance-mode

After the system rebooted, I was presented with the following screen:

Pressing “ENTER” to continue brought me to the menu as shown here:

Navigate down to “Set FIPS-CC Mode” and hit ENTER to select. You’ll see the following warning:

Choose the options that are good for you. I chose not to Scrub since the device was new from the factory. Purists out there will tell me I should have waited the 24+ hrs for it to do a full scrub. In a production environment, that’s exactly what I would have done. Here in my #HomeLab, it wasn’t worth the time or effort. [Risk Management at Work!]

When you select “Enable FIPS-CC Mode” and click ENTER, go enjoy a coffee/tea/juice/other beverage because this will take a little while. I think in my case, it took around 10 minutes.

When it finishes the process, go ahead and “Reboot” the device.

After the reboot, it will go through several self-tests to verify that FIPS-CC mode was enabled properly. As long as all tests pass, you should be good to go and see something similar:

You can disconnect the Console connection and connect to your firewall at the following address: https://192.168.1.1. You should see the following screen:

Notice the “**** FIPS-CC MODE ENABLED ****” banner at the bottom of the login? That’s the normal confirmation that the FIPS-CC mode activation works. In FIPS-CC mode, you will login with the default username and password of:

User: admin
Password: paloalto

You will be prompted to change the password right away to a more secure option:

When you set the new password, you will be logged out again and prompted to log back in using the new credentials:

Login and you will finally enter the main device dashboard:

As directed by the earlier message when I changed the password, you will need to do a “Commit” first. I hit “Close” and clicked on “Commit” on the top right corner. When the dialog pops up, I chose “Commit All Changes” and added a comment for the logs as shown here:

Click “Commit” and wait for the firewall to save the new configuration. For those not familiar with these types of devices, if you do not hit commit and a power outage or other reboot happens, the device will restart with the latest “committed” configuration, which may not include the latest changes you have made. So, mental note is to save often! On the PA-400 series, it usually takes 2-3 minutes per save but you mileage may vary.

That’s it for the initial configuration for me! There was a lot more done (setting a new IP, configuring it for my ISP, setting the basic NAT and Security rules, etc.) but I will save those for a later entry. This just walks you through the very beginning setup of the firewall.

I hope you found this interesting. I have taken screenshots of many of the settings so I will add this to a new “Palo Alto” Category. It has been fun trying to integrate it into my #HomeLab. If you have the chance to get your hands on one of these, I definitely recommend it. They are fantastic!

Leave a Reply

%d bloggers like this: