Configuring Firewall Zones And Interfaces On A Palo Alto Networks Firewall | PART 3

  • Published on 19 Jan 2025

Comments • 49

  • @fabrice9848 11 months ago +1

    Keith, you're simply the best. I wish I had a teacher like you during my studies.

    • @KeithBarker 11 months ago

      Thank you @fabrice9848!

  • @thereckha 1 year ago +2

    Thank you for the many hours of content Keith, love you from the bottom of my heart x

  • @Karou05 2 months ago

    Thank you, Keith

    • @KeithBarker 2 months ago

      Thank you, that's great to hear!

  • @moonaj89 18 days ago

    I'm curious about what your connection to the ISP looks like. Are you using a modem provided by the ISP to connect to the network?

  • @aumatto 1 year ago +1

    Love your work Keith!! :)

    • @KeithBarker 1 year ago

      Thank you matt murphy!

  • @26gutshot 1 year ago

    Forgive my ignorance, but you mentioned registering a license with the device. Is there a yearly license fee or anything of that nature?

  • @BernieRebolledo 1 year ago

    Why is the firewall not taking the directly connected subnet as the route for the ping, instead of the default GW?

  • @magpieenterprise6781 1 year ago

    Hi Keith, I have subscribed to your Palo Alto training on CBT Nuggets, coming here to get some additional content. Thank you so much for your work. Your videos have helped me a lot in my training. Planning to take the PCCET exam soon. Any tips, please feel free to share. Thanks once again!!🙂

    • @KeithBarker 10 months ago

      Way to commit to your goal @magpieenterprise6781❗ You can do this.

  • @cluelesschemist6060 6 months ago

    Can you make a series for IT newbies?? There are so many “why” moments when watching this series!!

    • @KeithBarker 5 months ago

      Thank you @cluelesschemist6060! www.youtube.com/@professormesser
      He has tons of entry level, and good videos.

  • @drumworksinc 2 months ago

    Keith, just to verify, are you using a loopback as a pseudo public IP for testing the outside zone interfaces?

    • @KeithBarker 2 months ago +1

      Yes, in my lab environment.

    • @drumworksinc 2 months ago

      Wow, this is crazy, I didn't think you would respond to my message. Man, you are my hero, you have no idea how much you have helped me in my IT journey.

    • @drumworksinc 2 months ago

      @KeithBarker if you're ever in Orlando, Florida, let me know, as we could catch an Orlando Magic game. It's the least I can do for you helping me pass my Security+ a while back.

    • @KeithBarker 2 months ago +1

      @drumworksinc Very kind, thank you!!!

  • @majiddehbi9186 1 year ago

    Wow Mr Barker, it's Eid today and you are offering so much, thanks for all.

    • @KeithBarker 1 year ago

      Happy to do it, thanks for the feedback majid dehbi.

  • @alejandrorodriguezgarcia4190 1 year ago

    Excuse me, I have my firewall in L2 and I want to go to L3. How would the configuration be if I have a single ISP but it provides me two network segments (one of 30 hosts and another of 254)? Therefore, each of them handles its own gateway and I need to carry traffic for both segments, since I have part of my services in one segment and another part in the other (I cannot unify them in a single segment since I need them that way). Do you have any idea how the configuration would be? I consider that I must create two DMZs (one for each network segment of my ISP) and two vrouters in the FW, but I do not know if it is the best practice.

    • @KeithBarker 11 months ago

      Thank you for the question @alejandrorodriguezgarcia4190. Unfortunately that is a bit beyond the scope of a simple answer.

  • @dashingckay 1 year ago

    Thanks, Keith! As usual, very informative! But where's the rest of the videos?😢

    • @KeithBarker 1 year ago +2

      Thank you Chris, they are being edited now and added one by one. Check the playlist for any updates, and thanks for the interest.

  • @fahadbawazir1771 1 year ago

    After a long time

    • @KeithBarker 1 year ago

      Thank you Fahad Bawazir!

  • @ashalan767 1 year ago

    Question: what would best practice be when configuring sub-interfaces to allow different subnets such as servers, hosts, NTP, cyber and so on? Would you put all those into the same "trust" zone, or would you segregate these into different zones for more granular policy implementation? I know this can be done; I am curious what best practice would be.

    • @KeithBarker 1 year ago +1

      Thank you for the question Alan Huntley.
      Any time you place hosts in a different security zone, there are pros and cons.
      Cons, more work regarding policies, including NAT and Security.
      Pros, more control regarding which apps, protocols, and services are allowed through the zone.
      Generally speaking, you would NOT want to place servers and clients in the same zone, as the default intra-zone policy would allow ALL of the traffic.
      I also prefer to NOT use the names of trust or untrust as my zone names. Instead, I may integrate the types of devices in the security zone name, such as: HR_services, User_networks, Core_services, Internet_Zone, etc.

    • @ashalan767 1 year ago +1

      @KeithBarker thank you for the response. I was struggling with this because of the default intrazone policy mentioned. Thank you for the knowledge given.

  • @muneebraza2145 1 year ago

    Confusion: how are two PCs able to ping each other when they are in different networks but in the same zone, without any routing protocol? Does the zone have more priority over routing protocols? Kindly respond, thank you!

    • @drumworksinc 2 months ago

      I ran into that issue a while ago on my network. So the firewall is layer 3 and is handling the routing for your layer 2. So what that means is it doesn't matter if you have VLAN segmentation on layer 2. Layer 3 controls that flow of traffic. Think of it like this. Let's say in your house you have 3 rooms, VLAN 1, 2, 3. If three friends all go inside the rooms we can communicate, but if we all go into the living room, which is, let's say, zone 1, and you point all VLANs to that zone, we can now talk, which negates the layer 2 segmentation. I hope this helps.

  • @sourityadas 1 year ago

    Why are we creating the interface as /24 and not /32? That particular interface will have only 1 IP, right?

    • @KeithBarker 1 year ago

      Thank you for the question Souritya Das.
      If a /32 is used, that IP is logically on the network, by itself, with no additional addresses available for other devices.
      By using a /24, the subnet can support 254 host addresses on that subnet.
      For more insight on IP addresses, masks, and subnetting, check out this playlist:
      ogit.online/subnet
      Thanks again for the question, and all the best!

    • @sourityadas 1 year ago

      @KeithBarker So if I get this correctly, a firewall will act in the same way as a router, whereby each interface will produce a subnet and therefore each interface of a firewall is a broadcast domain in itself?

    • @KeithBarker 1 year ago

      @sourityadas Yes, with the Layer 3 interfaces, the firewall is acting very much like a typical IP router would, regarding its routing table and making forwarding decisions. Each layer 3 interface connects to a separate broadcast domain, and each broadcast domain is using its own IP subnet.
      Hope that helps, and happy studies.
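As an added example (not from the video or from any of the commenters), here is a small Python model of the behaviour discussed in the two threads above: each Layer 3 interface contributes a connected route for its own subnet, the ingress and egress interfaces determine the zones, and the default intrazone-default rule allows while the default interzone-default rule denies unless an explicit rule matches. The interfaces, addresses and the users-to-core rule are constructed for the demo; the zone names follow Keith's naming suggestion.

```python
import ipaddress

# Constructed lab (assumption, not the video's config): three Layer 3 interfaces,
# each on its own subnet and broadcast domain, mapped to descriptively named zones.
INTERFACES = {
    "ethernet1/1": ("10.1.1.1/24", "User_networks"),
    "ethernet1/2": ("10.1.2.1/24", "User_networks"),
    "ethernet1/3": ("10.1.3.1/24", "Core_services"),
}


def usable_hosts(cidr):
    """Host addresses left for other devices on an interface's subnet (/32 leaves none)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return max(net.num_addresses - 2, 0)


def egress_interface(dst_ip):
    """Longest-prefix match over the connected routes that every L3 interface contributes.
    No routing protocol is involved; None means there is no connected route."""
    host = ipaddress.ip_address(dst_ip)
    candidates = [
        (ipaddress.ip_network(addr, strict=False), name)
        for name, (addr, _zone) in INTERFACES.items()
    ]
    matches = [c for c in candidates if host in c[0]]
    if not matches:
        return None
    return max(matches, key=lambda c: c[0].prefixlen)[1]


def is_allowed(src_if, dst_ip, rules=()):
    """Zone lookup plus policy: explicit rules first, then the PAN-OS defaults
    (intrazone-default allows, interzone-default denies)."""
    dst_if = egress_interface(dst_ip)
    if dst_if is None:
        return False, "no route"
    src_zone, dst_zone = INTERFACES[src_if][1], INTERFACES[dst_if][1]
    for rule in rules:
        if rule["from"] == src_zone and rule["to"] == dst_zone:
            return rule["action"] == "allow", rule["name"]
    if src_zone == dst_zone:
        return True, "intrazone-default"
    return False, "interzone-default"
```

Two hosts on 10.1.1.0/24 and 10.1.2.0/24 reach each other because both subnets are connected routes and both interfaces sit in User_networks, which is exactly why servers and clients should not share a zone.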

  • @hebsonsaji5360 5 months ago

    Thank you, these videos really helped me. I am stuck on something: I was trying to ping from my PC to the VM interface and I am not able to do that. Can you help me with this part?

    • @MrDome110 5 months ago

      Are your PC and VM in the same network? If not, are the routes/FW rules OK?

    • @KeithBarker 4 months ago

      Thank you for the question @hebsonsaji5360. To ping the interface, you will need to configure an interface management profile that allows for the pings. Once you create the management profile, you then associate it with the interface you wish to ping.

  • @NAWAFAL-GHAEB 1 year ago

    You are the best

  • @FTLN 1 year ago

    Can we get a free home lab version of the Palo Alto Firewall?

    • @KeithBarker 1 year ago +1

      Thank you for the question FTLN. Unless you are a corporate potential customer, evals are hard to come by. A PA-440 Lab kit, which includes a 1 year license of the core features is available for under 1K, US. I bought mine from Corporate Armour.

    • @FTLN 1 year ago +4

      @KeithBarker What a shame that they don't allow people to learn from home with a VM.

  • @avisbell605 1 year ago

    Thanks

    • @KeithBarker 1 year ago

      Happy to do it, thanks for the feedback Avis Bell.

  • @sealewy7905 1 year ago

    Weird, it is directly connected and should have ARP entries for the ISPs' .1 IP addresses. 😊

    • @KeithBarker 1 year ago

      Thank you Sea Lewy!
      Based on the video, I don't recall displaying or checking on the ARP cache, and you are right. After pinging each of the ISPs over the data plane, there should be an ARP entry for both 23.1.2.1 and 24.1.2.1.
      So, may I ask, what is the "weird" part? I don't see it.

  • @raghavendrabhat4644 1 year ago

    Thanks