In this Part 2 of a learning series on the production of learning labs I review the construction of a security policy that allows Active Directory traffic between zones on a Palo Alto firewall, and also a NAT policy rule that allows Users to access the Outside zone. This video is a continuation of Part 1, where I introduced how the lab was produced and put together.

Active Directory Security Policy

It is necessary to create a policy from the Users zone to the DataCenter zone which allows the services Active Directory uses to enroll client computers through the firewall. The following images are captures of the screens that show the detail of the security policy I used to allow Active Directory traffic to pass between the zones created on the Palo Alto firewall.

Active Directory Policy (screenshots AD-Policy2 to AD-Policy5)

This section details the application-specific settings configured as allowed within the policy.

(screenshot AD-Policy6)

Applications allowed in the policy:

kerberos
ms-ds-smb
ms-ds-smb-base
ms-netlogon
netbios-ss
netbios-dg
netbios-ns
Active-directory
dns
ldap
ms-wmi
msrpc
ntp
net.tcp
ssl

(screenshot AD-Policy7)

NAT policy

NAT is applied to allow Users to access the internet. It is necessary because traffic leaving with a private source address would be dropped at the exit, so the private IP is substituted (translated) on the way out.

NAT Policy (screenshots AD-NAT-2 to AD-NAT-4)

NAT security policy

Even though a NAT policy is in place, it is also necessary to have a regular security policy that allows the traffic; a NAT rule only translates addresses and does not by itself permit anything.

(screenshots AD-NAT-5 to AD-NAT-8)
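The three pieces shown in the screenshots above (the Users-to-DataCenter Active Directory rule, the outbound NAT rule, and the security rule that permits the NATed traffic) written out as PAN-OS CLI set commands. This is an added example, not the lab's exported configuration; the zone names and App-ID list come from this write-up, while the rule names and the egress interface ethernet1/1 are assumptions, and the "#" lines are annotations rather than CLI input.

```panos
# PAN-OS CLI, configure mode. Constructed example; rule names and ethernet1/1 are assumed.
configure

# 1. Security policy Users -> DataCenter limited to the App-IDs Active Directory needs.
#    "service application-default" pins each App-ID to its standard ports only.
set rulebase security rules Allow-AD from Users
set rulebase security rules Allow-AD to DataCenter
set rulebase security rules Allow-AD source any
set rulebase security rules Allow-AD destination any
set rulebase security rules Allow-AD application [ kerberos ms-ds-smb ms-ds-smb-base ms-netlogon netbios-ss netbios-dg netbios-ns active-directory dns ldap ms-wmi msrpc ntp net.tcp ssl ]
set rulebase security rules Allow-AD service application-default
set rulebase security rules Allow-AD action allow
set rulebase security rules Allow-AD log-end yes

# 2. NAT policy: rewrite private source addresses to the Outside interface address.
#    The NAT rule's "to" zone is the egress zone (Outside); it allows nothing by itself.
set rulebase nat rules Users-Outbound from Users
set rulebase nat rules Users-Outbound to Outside
set rulebase nat rules Users-Outbound source any
set rulebase nat rules Users-Outbound destination any
set rulebase nat rules Users-Outbound service any
set rulebase nat rules Users-Outbound source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# 3. Security policy that actually permits the translated traffic.
#    Security rules match on pre-NAT zones, so "from Users to Outside" is correct here.
set rulebase security rules Users-to-Internet from Users
set rulebase security rules Users-to-Internet to Outside
set rulebase security rules Users-to-Internet source any
set rulebase security rules Users-to-Internet destination any
set rulebase security rules Users-to-Internet application any
set rulebase security rules Users-to-Internet service application-default
set rulebase security rules Users-to-Internet action allow
set rulebase security rules Users-to-Internet log-end yes

commit
```

After the commit, the traffic log (with log-end enabled on both rules) is the quickest way to confirm that domain joins hit Allow-AD and that browsing hits Users-to-Internet with a translated source address.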

Thanks for looking at the second part of this lab breakdown of specific configuration images.