The following example workflow describes how to connect the VM interface to a port on a Palo Alto Networks firewall. Before connecting the VM interface to the firewall, the firewall must already have an Untrust zone connected to the Internet. In this example, you configure a new zone named wf-vm-zone that will contain the interface used to connect the VM interface on the appliance to the firewall. The policy associated with the wf-vm-zone will only allow communication from the VM interface to the Untrust zone.
Configure the Firewall to Control Traffic for the WF-500 Appliance VM Interface
Configure the interface on the firewall that the VM interface will connect to and set the virtual router. The wf-vm-zone should only contain the interface (ethernet1/3 in this example) used to connect the VM interface on the appliance to the firewall. This is done to avoid having any traffic generated by the malware from reaching other networks. From the web interface on the firewall, select Network > Interfaces and then select an interface, for example Ethernet1/3. In the Interface Type drop-down, select Layer3. On the Config tab, from the Security Zone drop-down box, select New Zone. In the Zone dialog Name field, enter wf-vm-zone and click OK. In the Virtual Router drop-down box, select default. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.16.0.0/22. To save the interface configuration, click OK.
Create a security policy on the firewall to allow access from the VM interface to the Internet and block all incoming traffic. In this example, the policy name is WildFire VM Interface. Because you will not create a security policy from the Untrust zone to the wf-vm-interface zone, all inbound traffic is blocked by default. Select Policies > Security and click Add In the General tab, enter a Name. In the Source tab, set the Source Zone to wf-vm-zone. In the Destination tab, set the Destination Zone to Untrust. In the Application and Service/ URL Category tabs, leave the default as Any. In the Actions tab, set the Action Setting to Allow. Under Log Setting, select the Log at Session End check box. If there are concerns that someone might inadvertently add other interfaces to the wf-vm-zone, clone the WildFire VM Interface security policy and then in the Action tab for the cloned rule, select Deny. Make sure this new security policy is listed below the WildFire VM interface policy. This will override the implicit intra-zone allow rule that allows communications between interfaces in the same zone and will deny/block all intra-zone communication.
Connect the cables. Physically connect the VM interface on the WF-500 appliance to the port you configured on the firewall (Ethernet 1/3 in this example) using a straight through RJ-45 cable. The VM interface is labeled 1 on the back of the appliance.
Verify that the VM interface is transmitting and receiving traffic. View the VM interface settings: admin@WF-500> show interface vm-interface Verify that received/transmitted counters are incrementing. You can run the following command to generate ping traffic from the VM interface to an external device: admin@WF-500> ping source vm-interface-ip host <gateway-ip> For example: admin@WF-500> ping source 10.16.0.20 host 10.16.0.1

Related Documentation