1. Home
    2. WildFire
    3. WildFire® Administrator’s Guide
    4. Set Up and Manage a WF-500 Appliance
    5. Connect the Firewall to the WF-500 Appliance VM Interface
    Previous
    Next
    The following example workflow describes how to connect the VM interface to a port on a Palo Alto Networks firewall. Before connecting the VM interface to the firewall, the firewall must already have an Untrust zone connected to the Internet. In this example, you configure a new zone named wf-vm-zone that will contain the interface used to connect the VM interface on the appliance to the firewall. The policy associated with the wf-vm-zone will only allow communication from the VM interface to the Untrust zone.
    Configure the Firewall to Control Traffic for the WF-500 Appliance VM Interface
    Configure the interface on the firewall that the VM interface will connect to and set the virtual router. The wf-vm-zone should only contain the interface (ethernet1/3 in this example) used to connect the VM interface on the appliance to the firewall. This is done to avoid having any traffic generated by the malware from reaching other networks. From the web interface on the firewall, select Network > Interfaces and then select an interface, for example Ethernet1/3. In the Interface Type drop-down, select Layer3. On the Config tab, from the Security Zone drop-down box, select New Zone. In the Zone dialog Name field, enter wf-vm-zone and click OK. In the Virtual Router drop-down box, select default. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.16.0.0/22. To save the interface configuration, click OK.
    Create a security policy on the firewall to allow access from the VM interface to the Internet and block all incoming traffic. In this example, the policy name is WildFire VM Interface. Because you will not create a security policy from the Untrust zone to the wf-vm-interface zone, all inbound traffic is blocked by default. Select Policies > Security and click Add In the General tab, enter a Name. In the Source tab, set the Source Zone to wf-vm-zone. In the Destination tab, set the Destination Zone to Untrust. In the Application and Service/ URL Category tabs, leave the default as Any. In the Actions tab, set the Action Setting to Allow. Under Log Setting, select the Log at Session End check box. If there are concerns that someone might inadvertently add other interfaces to the wf-vm-zone, clone the WildFire VM Interface security policy and then in the Action tab for the cloned rule, select Deny. Make sure this new security policy is listed below the WildFire VM interface policy. This will override the implicit intra-zone allow rule that allows communications between interfaces in the same zone and will deny/block all intra-zone communication.
    Connect the cables. Physically connect the VM interface on the WF-500 appliance to the port you configured on the firewall (Ethernet 1/3 in this example) using a straight through RJ-45 cable. The VM interface is labeled 1 on the back of the appliance.
    Verify that the VM interface is transmitting and receiving traffic. View the VM interface settings: admin@WF-500> show interface vm-interface Verify that received/transmitted counters are incrementing. You can run the following command to generate ping traffic from the VM interface to an external device: admin@WF-500> ping source vm-interface-ip host <gateway-ip> For example: admin@WF-500> ping source 10.16.0.20 host 10.16.0.1
    Previous
    Next

    Related Documentation

    Configure the VM Interface on the WF-500 Appliance

    Configure the VM Interface on the WF-500 Appliance This section describes the steps required to configure the VM interface on the WF-500 appliance using the ...

    Deploy the VM-Series Firewall Using L3 Interfaces

    Deploy the VM-Series Firewall Using L3 Interfaces To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall as a L3 deployment; ...

    Use Case: Secure the EC2 Instances in the AWS Cloud

    Use Case: Secure the EC2 Instances in the AWS Cloud In this example, the VPC is deployed in the 10.0.0.0/16 network with two /24 subnets: ...

    Set Up the WF-500 Appliance VM Interface

    Set Up the WF-500 Appliance VM Interface The virtual machine interface (vm-interface) provides external network connectivity from the sandbox virtual machines in the WF-500 appliance ...

    Set Up Network Access for External Services

    Set Up Network Access for External Services By default, the firewall uses the MGT interface to access remote services, such as DNS servers, content updates, ...

    Deploy the VM-Series Firewall in Azure (Solution Template)

    Deploy the VM-Series Firewall in Azure (Solution Template) The following instructions show you how to deploy the solution template for the VM-Series firewall that is ...

    Virtual Machine Interface Overview

    Virtual Machine Interface Overview The VM interface (labeled 1 on the back of the appliance) is used by WildFire to improve malware detection capabilities. The ...

    Configure Interfaces and Zones

    Configure Interfaces and Zones After you identify how you want to segment your network and the zones you will need to create to achieve the ...

    WF-500 Appliance Software CLI Concepts

    WF-500 Appliance Software CLI Concepts This section introduces and describes how to use the WF-500 appliance software command line interface (CLI): WF-500 Appliance Software CLI ...

    Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)

    Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template) The following instructions show you how to deploy the solution template for the VM-Series ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo