
Mastering Palo Alto Networks (eBook)

The complete journey to firewall mastery from setup to advanced security
eBook Download: EPUB
2025
646 pages
Packt Publishing (publisher)
978-1-83664-480-4 (ISBN)

Reading and media samples

Mastering Palo Alto Networks - Tom Piens aka 'reaper'
System requirements
29,99 incl. VAT
(CHF 29,30)
eBook sales are handled by Lehmanns Media GmbH (Berlin) at the price in euros incl. VAT.
  • Download available immediately

Mastering Palo Alto Networks is the ultimate guide for anyone looking to become proficient in configuring and managing Palo Alto firewalls. Written by a seasoned security consultant and author with 25 years of expertise in network security, this book provides a comprehensive approach to mastering Palo Alto Networks' firewalls. If you've struggled with managing firewall policies, setting up VPNs, or integrating cloud security, this book will provide clear solutions.
You'll get to grips with the fundamentals and go through the entire process step by step, from initial setup to advanced configurations, gaining a solid understanding of both on-premise and cloud-based security solutions.
Packed with practical examples and expert tips, chapters show you how to deploy and optimize firewall policies, secure your network, and troubleshoot issues effectively. With a focus on real-world applications, this guide covers essential topics like traffic management, threat prevention, VPN setup, and integration with Prisma Access for cloud security.
By the end of this book, you'll have the confidence and expertise to manage even the most complex network security environments, making this a must-have resource for anyone working with Palo Alto Networks.
*Email sign-up and proof of purchase required.


Unlock the full potential of Palo Alto Networks firewalls with expert insights and hands-on strategies for mastering next-gen security.

Key Features

  • Master Palo Alto Networks firewalls with hands-on labs and expert guidance
  • Stay up to date with the latest features, including cloud and security enhancements
  • Learn how to set up and leverage Strata Cloud Manager
  • Purchase of the print or Kindle book includes a free PDF eBook

What you will learn

  • Set up and configure Palo Alto firewalls from scratch
  • Manage firewall policies for secure network traffic
  • Implement VPNs and remote access solutions
  • Optimize firewall performance and security settings
  • Use threat prevention and traffic filtering features
  • Troubleshoot common firewall issues effectively
  • Integrate Palo Alto firewalls with cloud services
  • Configure Strata Cloud Manager for network security management

Who this book is for

This book is perfect for network security professionals, IT administrators, and engineers looking to master Palo Alto firewalls. Whether you're new to network security or aiming to deepen your expertise, this guide will help you overcome configuration challenges and optimize security. Basic networking knowledge is required, but no prior experience with Palo Alto is necessary.

Chapter 1: Understanding the Core Technologies


Welcome to the first chapter! In this book, we’re going to explore the ins and outs of the Palo Alto Networks Strata suite. We’ll start off by learning about all the different features of the firewall and how to configure them before we move on to more complex features and additional services that will help you complete your deployment. On the way, you’ll pick up important knowledge nuggets that will help you both understand the technology and pass the PCNSE exam.

In this chapter, we’re going to examine the core technologies that make up the Palo Alto Networks firewall. We are going to take a closer look at the way in which security zones control how security, Network Address Translation (NAT), and routing verdicts are made. We will review the mechanics behind App-ID and Content-ID so you get a deeper understanding of how packets are processed and security decisions are made by the firewall, and we will review how User-ID contributes to a more robust security stance by applying group-based or user-based access control.

This chapter will cover the following topics:

  • Understanding the zone-based firewall
  • Understanding App-ID and Content-ID
  • The management and data planes
  • Authenticating users with User-ID

By the end of this chapter, you will have a better understanding of how the core technology is built up and will be able to apply these skills when we start building configuration. If you’re preparing for the PCNSE exam, this chapter will also help you understand the fundamentals required to tackle some of the scenario-based questions.

Free Benefits with Your Book


Your purchase includes a free PDF copy of this book along with other exclusive benefits. Check the Free Benefits with Your Book section in the Preface to unlock them instantly and maximize your learning experience.

Technical requirements


For this chapter, no physical installation is required. A good understanding of basic networking protocols like UDP and TCP is necessary to fully benefit from the explanations in this chapter. It is helpful if you’ve already worked with Palo Alto Networks firewalls, but it is not required. Some experience with firewalls or web proxies in general is recommended, as this will make the subject matter more tangible.

Understanding the zone-based firewall


Traditionally, when considering a firewall as an element of your network, most likely you will imagine a network design like the one in Figure 1.1, with two to four areas surrounding a box, which represents the firewall. Most of the time, whatever is placed in the north is considered dangerous as it represents the internet; the east and west are somewhat gray areas as they are the demilitarized zones (DMZs) that are partly exposed to the internet, and the south is the happy place where users do their daily tasks. All these areas will be defined as zones in the firewall:

Figure 1.1: Basic network topology

In reality, a network design may look a lot more complex due to network segmentation, remote offices being connected to headquarters via all sorts of different technologies, and the adoption of cloud vendors.

In a route-based firewall, zones are simply an architectural or topological concept that helps identify which areas comprise the global network that is used by the company; they are usually represented by tags that can be attached to a subnet object. They have no bearing on any of the security decisions made by the system when processing security policies.

The zone-based firewall, on the other hand, will use zones as a means to internally classify the source and destination in its state table.

The following diagram illustrates the phases of packet processing from the first step when the first packet of a new session enters the firewall to the last step where the packet egresses the firewall:

Figure 1.2: Phases of packet processing

Let’s look at the process workflow for initial packet processing:

  1. When a packet is first received, a source zone lookup is performed. If the source zone has a protection profile associated with it, the packet is evaluated against the profile configuration. If the first packet is a TCP packet, it will also be evaluated against the TCP state where the first packet needs to be a SYN packet, and a SYN cookie is triggered if the protection profile threshold is reached.
  2. Then, a destination zone is determined by checking the policy-based forwarding (PBF) rules and, if no results are found, the routing table is consulted.
  3. Lastly, the NAT policy is evaluated as the destination IP may be changed by a NAT rule action, thereby changing the destination interface and zone in the routing table. This would require a secondary forwarding lookup to determine the post-NAT egress interface and zone.

After these zone lookups have been performed in the initial packet processing, the firewall will continue to the security pre-policy evaluation.

In the pre-policy evaluation, the “six-tuple” (6-tuple) is used to match an incoming session against the rule base before establishing or dropping/denying a session. At this stage, the firewall does not consider the application just yet, as this can usually not be determined by the first packet in a session. The six-tuple consists of the following elements and is used in both uni-directional flows of a session:

  • Source-address
  • Destination-address
  • Source-port
  • Destination-port
  • Protocol
  • Security-zone

Zones are attached to a physical, virtual, or sub-interface. Each interface can only be part of one single zone. Zones can be created to suit any naming convention and can be very descriptive in their purpose (untrust, DMZ, LAN, and so on), which ensures that, from an administrative standpoint, each area is easily identifiable.

It is best practice to use zones in all security rules, and leveraging a clear naming convention prevents misconfiguration and makes security rules very readable. Networks that are physically separated for whatever reason but are supposed to be connected topologically (for example, users spread over two buildings that come into the firewall on two separate interfaces) can be combined into the same zone, which simplifies policies.

It is important to note that there are implied rules that influence intrazone or interzone sessions. These rules can be found at the bottom of the security policy:

  • Default intrazone connections: Packets flowing from and to the same zone will be implicitly allowed
  • Default interzone connections: Packets flowing from one zone to a different zone are implicitly blocked

Security rules can be set to only accept traffic within the same zone, between different zones only, or both. This setting can be changed in the rule Type and is set to Universal by default. As illustrated in Figure 1.3, the Universal rule allows sessions to flow from all zones in the Source field to all zones in the Destination field, from LAN to LAN and DMZ, and from DMZ to LAN and DMZ.

Rules set to the intrazone type only allow sessions to flow inside the same zone regardless of whether multiple zones are added to the security rule: from DMZ to DMZ and from LAN to LAN, but not from LAN to DMZ or from DMZ to LAN.

Rules set to the interzone type only allow sessions to flow between different zones: from DMZ to LAN and from LAN to DMZ, but not from DMZ to DMZ or from LAN to LAN, even though both are listed in the source and destination.

This means that you can precisely control between which interfaces traffic is allowed to flow, even if you are unable to define subnets in the source or destination; on a traditional firewall, that situation would mean sessions are allowed to flow everywhere.

Figure 1.3: Different security rule types and default rules
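The steps above (source zone from the ingress interface, destination zone from a forwarding lookup that must be repeated on the post-NAT destination, then rule evaluation with the Universal/intrazone/interzone rule types and the two implied default rules) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the book or from Palo Alto Networks. The interface names, zone names, routes, NAT entry and rule names are all constructed, and the model deliberately reduces the six-tuple match to its zone component.

```python
# Added example (not from the book): a toy model of how a zone-based firewall
# derives zones and evaluates security rules. Interface names, zones, routes,
# NAT entries and rules below are all constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Each interface belongs to exactly one zone (constructed assignment).
INTERFACE_ZONE: Dict[str, str] = {
    "ethernet1/1": "untrust",
    "ethernet1/2": "LAN",
    "ethernet1/3": "DMZ",
}

# Constructed routing table: (prefix, egress interface). Longest prefix wins.
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "ethernet1/1"),
    ("10.0.0.0/8", "ethernet1/2"),
    ("192.168.50.0/24", "ethernet1/3"),
]

# Constructed destination NAT entry: public address -> DMZ server.
DNAT: Dict[str, str] = {"203.0.113.10": "192.168.50.10"}


def egress_zone(dst_ip: str) -> str:
    """Forwarding lookup: the most specific route picks the egress interface,
    and that interface's zone is the destination zone."""
    ip = ip_address(dst_ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in ROUTES:
        net = ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    if best is None:
        raise LookupError(f"no route for {dst_ip}")
    return INTERFACE_ZONE[best[1]]


@dataclass
class Rule:
    name: str
    src_zones: Set[str]
    dst_zones: Set[str]
    action: str                    # "allow" or "deny"
    rule_type: str = "universal"   # "universal" | "intrazone" | "interzone"


def rule_matches(rule: Rule, src_zone: str, dst_zone: str) -> bool:
    """Zone part of the match. The rule type further restricts which of the
    listed zone pairs are actually eligible."""
    if src_zone not in rule.src_zones or dst_zone not in rule.dst_zones:
        return False
    if rule.rule_type == "intrazone":
        return src_zone == dst_zone
    if rule.rule_type == "interzone":
        return src_zone != dst_zone
    return True  # universal: any listed source zone to any listed destination zone


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str) -> Tuple[str, str]:
    """First matching rule wins; otherwise the implied rules at the bottom of
    the policy decide: same zone is allowed, different zones are denied."""
    for rule in rules:
        if rule_matches(rule, src_zone, dst_zone):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def verdict(rules: List[Rule], ingress_iface: str, dst_ip: str) -> Tuple[str, str]:
    """Initial packet processing in miniature: source zone from the ingress
    interface, then a forwarding lookup on the post-NAT destination to obtain
    the destination zone (the secondary lookup described in the text)."""
    src_zone = INTERFACE_ZONE[ingress_iface]
    post_nat_dst = DNAT.get(dst_ip, dst_ip)
    dst_zone = egress_zone(post_nat_dst)
    return evaluate(rules, src_zone, dst_zone)


def rule_base(rule_type: str) -> List[Rule]:
    """Constructed rule base: one rule listing LAN and DMZ on both sides, whose
    behaviour changes with its type, plus an inbound rule for the NAT case."""
    return [
        Rule("lan-dmz", {"LAN", "DMZ"}, {"LAN", "DMZ"}, "allow", rule_type),
        Rule("inbound-web", {"untrust"}, {"DMZ"}, "allow"),
    ]


if __name__ == "__main__":
    for rtype in ("universal", "intrazone", "interzone"):
        for pair in (("LAN", "LAN"), ("LAN", "DMZ")):
            print(rtype, pair, evaluate(rule_base(rtype), *pair))
    print(verdict(rule_base("universal"), "ethernet1/1", "203.0.113.10"))
```

Running the script prints how the same `lan-dmz` rule allows LAN-to-DMZ only as Universal or interzone, and LAN-to-LAN only as Universal or intrazone, with the unmatched cases falling through to the implied defaults; the last line shows the inbound NAT case landing in the DMZ zone because the second forwarding lookup uses the translated address.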

Now that we’ve seen the important role zones play while making security decisions, let’s look at the expected behavior when determining zones.

Expected behavior when determining zones


When a packet arrives on an interface, the PBF policy or routing table will be consulted to determine the destination zone based on the original IP address in the packet header.

Let’s consider the following routing table:

...

Publication date (per publisher) 30.5.2025
Language English
Subject area Computer science, Networks, Security / Firewall
ISBN-10 1-83664-480-9 / 1836644809
ISBN-13 978-1-83664-480-4 / 9781836644804
EPUB (without DRM)

Digital Rights Management: no DRM
This eBook contains no DRM or copy protection. Passing it on to third parties is nevertheless not legally permitted, because when purchasing you acquire only the rights for personal use.

File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to presenting fiction and non-fiction. The running text adapts dynamically to the display and font size, which also makes EPUB well suited to mobile reading devices.

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need the free software Adobe Digital Editions for this.
eReader: This eBook can be read with (almost) all eBook readers, but it is not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a free app for this.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
