Category Archives: Palo Alto

Implementing a customized Palo Alto lab

This is a topology that I have used in this lab.

+ Set up IPSEC site to site between both PAs.

+ Configure Switch support multiple VLANs.

+ Configure DHCP service to multiple VLANs.

+ Configure DNAT on PA2 ( to NAT to Webserver on Kali (, then change to configure DNAT on PA2 ( to NAT to Webserver on Kali (

+ Configure DNAT on PA2 to SSH server on, and change ( to NAT to SSH server on Kali (

+ Configure DNAT to allow traffic from the Internet to the local Web server (DNAT).

+ Configure SNAT to allow Trust on PA1 to access the Internet.

+ Ban on accessing pdf files, and block on accessing to domain (URF filtering).

+ Set up Global Protect on Windows and Kali machines. Then, we are able to access the local network on the Global Protect VPN connection.

+ Enable Zone Protection on e1/3 to prevent DoS on this zone.

+ Set up Captive Portal on Trust interface on PA1.

Configure the basic switch for support of multiple VLANs.

Configure PA1.

Configure DHCP.

Check client on the local network has received IP address from DHCP Pool for VLAN30, VLAN40, and VLAN50.

Webterm2 on PA2.

Configure tunnel 1 for IPSEC site to site from PA1 to PA2.

Configure tunnel 12 for Remote VPN via GlobalProtect.

Setup IPSEC tunnel on PA1.

Configure default route to route traffic to the Internet.

Configure another route to allow traffic from the local network on PA1 to access the local network on PA2.

Configure access rules to allow traffic from the local network on PA1 to access the local network on PA2 and the Internet.

Configure SNAT to allow traffic from the Trust zone to the Internet.

Setup IKETunnel on PA2.

Set up IPSEC tunnel on PA2.

Configure default route from Local network on PA1 to the local network on PA1 via IPSEC tunnel 1.

Create access rules to allow traffic from the local network on PA2 to the local network on PA1

Test IPSEC site to site.

Access Apache website on VLAN 30 (service apache2 start).

The IPSEC tunnel is up.

Configure DNAT on PA2 to allow port 8888 to be translated to port 80 on the Apache Web server.

SSH 2222 to 22.

Create a Security Policy.

Access Apache2.

And SSH via 2222.

+ Set up GlobalProtect on PA1.

Enable User Authentication on Internet interface for GP.

Create a new user/password.

Set IP Pool for Global Protect VPN.

Create a new Security Rule to allow traffic from Global Protect to local networks.

Access Global Protec VPN on Windows machine.

Set up GlobalProtect on Kali. Search to download Global Protect VPN on Google.

Creating a VPN tunnel via GlobalProtect.

+ Block TungBlog on PA1.

+ Setup Captive Portal on PA1.

+ Ban PDF on PA1.

+ Configure DNAT on PA1.

+ Configure Zone Protection on PA1.

Scan ports by using Nmap tool.

Scanned port traffic has been blocked by PA1.

+ NAT port 9999 to port 7777 on (PA1), then NAT again from port 7777 to on Web Server.


Create an IPSEC site-to-site tunnel between Palo Alto And FortiGate.

This is the lab to use to set up the IPSEC site-to-site tunnel between both devices.

On Palo Alto.

IKE Crypto.

IPSEC Crypto.

IKE Gateway.

IPSec tunnel.

Create a virtual route from PA to Fortinet.

Create two Security Policies to allow traffic from the “Trusted Zone” of PA to the “Trusted Zone” of Fortinet.

Configure Fortinet.

config system interface
edit port1
set mode dhcp
set allowaccess ping httpd http fgfm
show system interface 
# show system interface to get IP Address from DHCP

Go to Webterm to configure Fortinet.

Configure a custom VPN Tunnel with the following information.

Configure a static route to allow traffic from Trusted Zone ( on Fortinet to the Trusted Zone ( on PA.

Create two Security policies to allow traffic from VPN to Trusted Zone and vice versa.

Ping and traceroute from a VM on Fortinet to another VM on Palo Alto.

Monitor IPSEC tunnel on Fortinet.

Monitor IPSEC tunnel on PA.

Create a VPN IPSEC site to site between Palo Alto and Cisco Router

This is a lab to set up a VPN site-to-site tunnel between both devices.

Configure interfaces and enable IPSEC VPN site to site on Cisco Router.

R1(config)#int g0/0
R1(config-if)#ip add
R1(config-if)#no shut

R1(config)#int g1/0
R1(config-if)#des "Connect to PA""
R1(config-if)#ip add
R1(config-if)#no shut

Create an ACL for VPN.
R1(config)#ip access-list extended ACL
R1(config-ext-nacl)#permit ip

Create ISAKMP phase 1 of the tunnel.

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#encr aes
R1(config-isakmp)#hash md5
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 5
R1(config-isakmp)#lifetime 86400
# Assign authentication-key for remote peer.
R1(config)#crypto isakmp key cisco123 address

# Create IPSEC transfrom set for phase 2
R1(config)#crypto ipsec transform-set TSET esp-aes esp-sha-hmac

# Create cryoto map to apply the phase 2 settings to the interface
crypto map PA1 10 ipsec-isakmp
set peer
set transform-set TSET
match address ACL

# Applly crypto map to an interface.

R1(config-crypto-map)#int g1/0
R1(config-if)#crypto map PA1

# Create a static route to route traffic between both sites.
R1(config)#ip route

Access Palo Alto Web management.

Assign an IP address for interface e1/1 and e1/2.

Create a new tunnel 1 on PA.

Configure a static route between PA and Cisco Router and set next hop is “None”.

Configure IKECrypto as on Cisco Router.

Configure IKE Gateway.

Configure IPSEC Tunnel.

Configure Proxy ID.

Create both Security policies to allow traffic from the Trusted zone to the VPN zone and vice versa.

From Webterm2 ( pings Webterm 3 (

Check PA, the IPSEC tunnel is up.

Deploy Palo Alto HA

This is a lab to deploy Palo Alto.

Set interface e1/1 is HA on both Firewalls.

Enable HA on Palo Alto.

Setup Election setting on both Firewalls.

configure the HA1 link.

On PA1:

On PA2:

Verify HA

On PA1.

On PA2.

Create a Global Protect VPN on Palo Alto

This is a lab to use for deploying Global Protect VPN on PA.

Create a username.

Create an authentication profile.

Assign user to this profile.

Configure Global Protect.

Create a new tunnel (tunnel 2) for GLobal Protect.

Configure Global Protect Portal.

Define my Gateway.

Create a new tunnel (tunnel2) for Global Protect.

Configure security policy to allow traffic from VPN to trusted zone and vice versa.

Enable “User Authentication ACL” setting on the untrusted zone.

Access global protect VPN from a Windows client.

Ping a Windows machine on a trusted (inside) network.

Access Global Protect from Kali Linux.

Download Global Protect (.tgz) file, then extract the file, and install the program.