The Palo Alto Firewall GUI is really slick, but sometimes it's handy to build configuration from the CLI instead, for example when you have a large number of changes to make at once.
In this example we'll create a zone, then a sub-interface on an Aggregate Interface, give it an IP address, apply a management profile, and enable a DHCP Helper (Relay); once that is done we'll create some access rules (not for use in production) which allow all traffic in and out of the zone.
When using the Palo Alto CLI you can view configuration output in different formats. Personally I like the “set” format, which you can enable for your session with:
set cli config-output-format set
To create the Zone, Interface, Management Profile and DHCP Helper, you can use the following:
set zone SuperSecure
set network interface aggregate-ethernet ae2 layer3 units ae2.500 tag 500
set zone SuperSecure network layer3 ae2.500
set network virtual-router Trust-VR interface ae2.500
set network interface aggregate-ethernet ae2 layer3 units ae2.500 ip 192.168.10.1/24
set tag SuperSecure color color3
set network interface aggregate-ethernet ae2 layer3 units ae2.500 interface-management-profile Ping
set network interface aggregate-ethernet ae2 layer3 units ae2.500 comment "Super Secure VLAN"
set network dhcp interface ae2.500 relay ip server [ 192.168.1.10 ] enabled yes
Once the zone and interface exist you can create the rule-set, first the inbound rules and then the outbound:
set rulebase security rules Internal_to_SuperSecure_Allow_In_All from Trust-Internal to SuperSecure source any destination any application any service any action allow
set rulebase security rules Internal_to_SuperSecure_Deny_In_All from Trust-Internal to SuperSecure source any destination any application any service any action deny log-setting "Log to splunk" tag DENY
set rulebase security rules SuperSecure_to_Internal_Allow_In_All from SuperSecure to Trust-Internal source any destination any application any service any action allow
set rulebase security rules SuperSecure_to_Internal_Deny_In_All from SuperSecure to Trust-Internal source any destination any application any service any action deny log-setting "Log to splunk" tag DENY
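As an added example (not from the original post), a short Python helper that renders the same set commands from a data structure, which is what makes the CLI worth using for bulk changes, and lints the rulebase for two mistakes that are easy to make when copy-pasting: a from/to that contradicts the rule name, and a rule shadowed by an earlier rule for the same zone pair (as each deny rule above is by the allow rule before it). It assumes every rule is any/any, as in the post; the zone names, aggregate interface and addresses are constructed to mirror it.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Rule:
    """One any/any security rule, the shape used in the post (values are constructed)."""
    name: str
    src_zone: str
    dst_zone: str
    action: str       # "allow" or "deny"
    extras: str = ""  # trailing options, e.g. 'log-setting "Log to splunk" tag DENY'

def set_cmd(rule: Rule) -> str:
    """Render one rule in PAN-OS 'set' output format."""
    cmd = (f"set rulebase security rules {rule.name} from {rule.src_zone} "
           f"to {rule.dst_zone} source any destination any application any "
           f"service any action {rule.action}")
    return f"{cmd} {rule.extras}" if rule.extras else cmd

def subinterface_cmds(agg: str, vlan: int, zone: str, vr: str, ip: str) -> List[str]:
    """Zone plus a layer3 sub-interface on an aggregate, bound to the zone and a VR."""
    unit = f"{agg}.{vlan}"
    base = f"set network interface aggregate-ethernet {agg} layer3 units {unit}"
    return [f"set zone {zone}", f"{base} tag {vlan}",
            f"set zone {zone} network layer3 {unit}",
            f"set network virtual-router {vr} interface {unit}", f"{base} ip {ip}"]

def lint(rules: List[Rule]) -> List[str]:
    """Findings for a top-down rulebase; an empty list means it is clean."""
    findings = []
    for i, r in enumerate(rules):
        # Names follow <Src>_to_<Dst>_...; flag a from/to that contradicts the name.
        tok = r.name.split("_")
        if len(tok) > 2 and tok[1] == "to" and not (
                r.src_zone.endswith(tok[0]) and r.dst_zone.endswith(tok[2])):
            findings.append(f"{r.name}: from {r.src_zone} to {r.dst_zone} contradicts its name")
        # Every rule here is any/any, so an earlier rule on the same zone pair matches
        # first and this one is unreachable (the allow-then-deny pairs in the post).
        for earlier in rules[:i]:
            if (earlier.src_zone, earlier.dst_zone) == (r.src_zone, r.dst_zone):
                findings.append(f"{r.name}: shadowed by {earlier.name}")
                break
    return findings
```

Feed the rendered lines into the CLI in configure mode, and treat any non-empty lint result as a reason not to commit.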
Hopefully that overview is helpful; the command line can be a little odd at times, and if you are using Virtual Systems it can make things more complicated.