Palo Alto Firewall: Home Network

If you're looking for professional services on this topic or interested in other cybersecurity consulting services, please reach out to me via my Contact page to discuss further.

This is part of the Palo Posts how-to guides for getting the most from your Palo Alto firewall on a home or small business network.

My very own Palo Alto!

I’m a big fan of Palo Alto Networks firewalls due to their focus on security and the incredible insight into network traffic they give both network and security professionals.  To improve my understanding of these firewalls, I recently purchased my very own PA-220 for my home network.  I set it up successfully, but not without running into a few issues.  Since it took a fair amount of Google-searching to troubleshoot and resolve them, I’m sharing my experiences below in the hope that they will help others.

Initial Setup

Problem: Configure Outbound Internet Security Policy

For initial setup, I highly recommend using the “Setting Up the PA-200 for Home and Small Office” guide, found on Palo Alto’s “Live Community” site.  For the most part, I followed it exactly except the section regarding the outbound internet security policy.  When creating this policy, the guide does not mention editing the “Service/URL Category” tab.  Notably, if you do not edit this, Palo Alto defaults to the “application-default” option as shown below.

What does this mean?  The firewall’s help page states: The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocol which, if not intentional, can be a sign of undesired application behavior and usage.

This sounds reasonable, except that it broke my ability to use Speedtest.net and, more importantly, broke my Apple/iOS Mail clients’ connections to Gmail via IMAP.  It turns out that those apparently don’t use what Palo Alto considers the “application-default” ports.  Unless you’re cool with that behavior, you’ll actually want to select “any” instead.  Keep in mind that “any” loosens the rule for every application it allows; a tighter alternative is a separate rule for the affected application with a custom service object listing the ports it actually uses.

Netflix

Problem: DNS Proxy

Like most people, I was using my wireless router as my DNS server for resolving hosts on my local network.  It’s not critical as there are only a few devices on my home network, but it is convenient to have a few “A records” configured.  Wanting to maintain this same functionality, I configured my Palo Alto firewall using the “DNS Proxy” option.

After a hard day’s work, we decided to watch some Netflix and I noticed the Netflix app on my TV and Apple TV no longer worked.  Interestingly, there was no issue streaming Netflix on my laptop, iPhone, or iPad.  After much searching, I found a helpful “Live Community” post regarding DNS Proxy as the possible issue.

It turns out that DNS Proxy, at least on PAN-OS 8.x (which is what the PA-220 ships with as of today), does not play well with Netflix.  As soon as I disabled DNS Proxy, Netflix streamed without issue.

Online Console Gaming

Problem: NAT Dynamic IP & Port Policy

Anyone who knows me knows I’m a giant Nintendo fanboy.  Shortly after setting up the Palo Alto firewall, I decided to play some online Mario Kart, only to find that my new Nintendo Switch would no longer connect.  Sadface.

It turns out that Palo Alto firewalls do not support “Universal Plug and Play” (UPnP) which had allowed me to connect easily on my consumer-grade wireless router.  This makes sense from an enterprise-grade firewall perspective as you would want to explicitly control what’s allowed inside and outside of your network.

Back to searching, and I found this knowledge base article discussing how Palo Alto handles game console traffic.  It turns out you need to create a specific NAT policy ahead of your default internet outbound NAT rule; the NAT rulebase is evaluated top-down and the first match wins, so a console rule placed below the catch-all rule would never be hit. This NAT policy should specify the IP of your video game console as the source address and use only “dynamic-ip” source translation instead of “dynamic-ip-and-port” source translation.

So that I don’t have to periodically update the Nintendo Switch’s source address in the NAT rule due to DHCP, I configured the firewall’s DHCP relay to always assign my Switch the same IP and created an Address Object on the firewall using this same IP.  See the screenshot below for how the NAT policies ultimately looked in the end.
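To make the rule-ordering point concrete, here is a small added model of how the NAT rulebase evaluates a console’s outbound session; it is my own illustration, not Palo Alto code, and the addresses and rule names are constructed. It shows why the “dynamic-ip” rule must sit above the catch-all “dynamic-ip-and-port” rule (the source port survives translation only when the console rule matches first) and also reproduces the single-console limitation raised in the comments: with one public IP, a second console finds no free translated address.

```python
from dataclasses import dataclass, field

# Constructed model of PAN-OS source NAT evaluation (not Palo Alto code): rules
# are matched top-down and the first match is final. "dynamic-ip" binds each
# inside host to its own public IP and preserves the source port; "dynamic-ip-
# and-port" (DIPP) shares one public IP and rewrites the source port per session.

@dataclass
class NatRule:
    name: str
    source: set          # inside IPs the rule matches, or {"any"}
    translation: str     # "dynamic-ip" or "dynamic-ip-and-port"
    translated: list     # public IP(s) the rule may hand out

@dataclass
class NatState:
    dip_bindings: dict = field(default_factory=dict)  # inside IP -> public IP
    next_port: int = 1024                             # next DIPP source port

def apply_snat(rules, src_ip, src_port, state):
    """Return (rule_name, public_ip, public_port); (name, None, None) if the
    matched rule has no free translated address; (None, None, None) if no match."""
    for rule in rules:
        if "any" not in rule.source and src_ip not in rule.source:
            continue
        if rule.translation == "dynamic-ip":
            if src_ip not in state.dip_bindings:
                free = [ip for ip in rule.translated
                        if ip not in state.dip_bindings.values()]
                if not free:
                    return rule.name, None, None   # pool exhausted: session fails
                state.dip_bindings[src_ip] = free[0]
            return rule.name, state.dip_bindings[src_ip], src_port  # port kept
        port, state.next_port = state.next_port, state.next_port + 1
        return rule.name, rule.translated[0], port  # DIPP: source port rewritten
    return None, None, None

# Constructed addresses: two private console IPs and a single public IP.
PUBLIC_IP = "203.0.113.10"
SWITCH, SWITCH2 = "192.168.1.50", "192.168.1.51"
CONSOLE_RULE = NatRule("Console-DIP", {SWITCH, SWITCH2}, "dynamic-ip", [PUBLIC_IP])
DEFAULT_RULE = NatRule("Outbound-DIPP", {"any"}, "dynamic-ip-and-port", [PUBLIC_IP])

def console_results(rules, consoles, state=None):
    """Translate one session per console through the given rule order."""
    if state is None:
        state = NatState()
    return [apply_snat(rules, ip, 40000 + i, state) for i, ip in enumerate(consoles)]
```

Running `console_results([DEFAULT_RULE, CONSOLE_RULE], [SWITCH])` shows the console rule never matching when it sits below the catch-all, while the reversed order keeps the Switch’s source port and gives the second console nothing.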

Ring Video Doorbell Pro

Problem: Session Initiation Protocol (SIP) Application Layer Gateway (ALG)

At home, I use a Ring Video Doorbell Pro and it has worked great for seeing who’s at our front door whether we’re at home or not.  Ring will send push notification alerts whenever it detects motion or if someone presses the doorbell.  From the alert you can then view a live stream of who is at your door.  You can also trigger the live stream on-demand.

I noticed that once the Palo Alto was in place, the live streams, whether based on alerts or on-demand, would always hang and never load.  After a few minutes I’d be able to watch the recorded video after the fact.  Not ideal.

This particular problem took the most time to figure out.  I found a few articles that spoke of similar issues but nothing quite matching what I was seeing.  I started playing around with the on-demand live stream functionality and observing the traffic in the firewall’s Monitor tab to see what type of traffic was being generated and whether anything was being blocked.  At first I thought it might’ve been a NAT issue, similar to what I saw with my Nintendo Switch.

Eventually, I noticed that Ring used the session initiation protocol (SIP) when creating these live stream communications.  Looking through the “Live Community” again, I found an article regarding how to disable SIP Application Layer Gateway (ALG) in Palo Alto.  It mentioned that SIP ALG can cause issues with certain SIP implementations.  Figuring I had nothing to lose I followed the steps and lo and behold, live streaming worked again.  Yay.

Conclusion

I hope these tips help anyone else that was crazy enough to purchase a Palo Alto firewall for their home network.  I’ll continue to post more about my experience if I run into more issues or test out additional functionality and integrations.


If you like my content and want to support me, I'd greatly appreciate you buying me a coffee. Thanks! 🙏




42 thoughts on “Palo Alto Firewall: Home Network”

  • Eric,

    I found this after trying to troubleshoot my kid wanting to play Animal Crossing with her friends and fruitless searches and Nintendo’s horrible NAT advice. Yea, just DMZ the Switch and feed every port into it. I was so frustrated with their advice, I wrote their support department that the article was terrible. So, found a link to your site from a Reddit post and added the dynamic-IP NAT rule for the Switch’s IP and bam, she was immediately playing with friends. Thank you so much!

  • Eric — great guide! Do you have any advice for setting up an AnyConnect VPN for the home? I know I should be using DynDNS but I’ve been playing around with certs and the DynDNS feature with limited success. I also want to be able to have my son’s Chromebook beholden to home URL filtering when he’s at his mother’s. Do I have to have a dedicated public IP for the VPN besides a dedicated FQDN, with some sort of call-home from the Chromebook, like an always-on client workstation? Thanks for this!

    • Hi Christopher,

      Thanks for the kind words!

      I do have GlobalProtect VPN set up through my Palo Alto and have a guide in draft. Sounds like I should’ve finalized it before all this chaos, haha.

      You *don’t have to* use DynDNS or have a dedicated public IP, though it makes it much more convenient. I personally use a dynamic DNS service + dynamic public IP and it works well. If you go that route, you just need to ensure your VPN certificates use the FQDN that you set up for the dynamic DNS service. But you can certainly use a dynamic public IP on its own, it’s just not ideal.

      Hope that helps!
      Eric

  • Eric,
    Can you share the steps to buy and license a PA lab at home? How much $$ are we talking about with most of the PA features enable and PA support?
    Thanks in advance

    • In my situation, I was able to purchase one through the reseller that my employer was using. You can also find them through sites like eBay, though I’m not sure how the licensing would work in those situations. For me, the firewall itself was $460 and the annual license was $175. With tax, it ended up being just under $700 total. This was three years ago, so it may be cheaper now (at least the hardware). What’s great about the lab license is that it includes everything, as in all available features plus support. Really great deal given how much you can do with it. I’m working on adding more articles about what I’ve done with my Palo Alto if you want to get one and follow along. 😛

  • Very strange, my Ring doorbell had been working for at least one year and suddenly stopped when I changed ISP’s from FIOS to Spectrum. I disabled SIP ALG and boom, it’s working again. Thank you.

  • Like others here, found your post after several hours of troubleshooting multiple Rings. I was getting notifications, and the devices were definitely connected just fine, and it was happening to all so I knew it wasn’t the device – but no stream! Then I noticed my GMail hadn’t connected in several hours; but here’s the answer already staring at me! (Granted, I fine-tuned that one a bit.) You’re a life saver. Another home-use PA-220 here… Best way to learn without the risk of an R.G.E.!

    • Glad I could help! I’m always surprised at how popular this post is. Who knew there were so many of us home-use PA-220 nerds?? And agreed, absolutely the best way to learn, though if you’re like me, it’s not completely risk-free — the wife and kids aren’t very happy when I break Netflix. 😛

  • Not sure if this thread is still up. I am having issues with Smash Brothers. I tried to do the separate NAT rule but it doesn’t seem to be working. I am running PAN-OS 8.0.7 at the moment.

    Thank you,

    • Hi Michael — Can you elaborate on what you specifically configured? If it helps, the screenshot I provided above is specifying “Source Address” as the private IP of my Nintendo Switch and the “External Interface” under “Source Translation” is referring to my public IP address.

  • Wow… so glad I found this post! Thanks for the help… application-override and ALG did the trick for Ring and Wyze!

  • Hey Eric,

    I have a PA-500 that I’m using at home and your post was super helpful when little things stopped working. For iCloud Mail I created a policy allowing applications icloud-mail, smtp, & ssl with custom TCP ports of 997 & 587. When testing with “Connection Doctor” on Apple Mail all the tests pass and I’m able to send & receive emails with no problem. This solution locks the policy down a bit more and since we’re all nerding out at home, why not?

    Thanks for the post. I’m digging the site and content.

  • The comment about any service (vs. application-default) saved me from losing my mind. I use Wyze cameras and the app wouldn’t connect, reporting the Internet being unreachable. I couldn’t find any logs in the Palo where it was being blocked. The change also fixed my Ring and EcoBee devices. I could not find any fixes or any other reports of what the fix might be but that one little change fixed it! Thank you for this!

    • That took me a few hours to figure out myself! I’ve been looking into setting up some Zeek/Bro sensors which would’ve helped me solve this much quicker.

  • Thanks! I spent all morning looking for this. I have been struggling all morning with getting my Nintendo online to work again after installing my lab 220 on my home network. I had it on a “DMZ” connection directly from my modem, but now the Dynamic IP SNAT works great! 10/10 would read again.

    Nintendo support and the error codes were absolutely no help. There was actually a KB article that explained a bit what Nintendo was trying to do and why it would not work on the Palo, but your article was perfect and finally gave me the solution.

    Thanks again!

    • No problem, it took me a quite bit of searching to figure it out as well! And yes, I imagine Nintendo support isn’t targeted at us Palo Alto enthusiasts. 😛

  • This solution for gaming consoles works quite well, if you have 1 console. If you have more than 1, it seems that whichever device attempts to connect to the internet first will work, and all others will fail until you reboot the firewall. The more I think about it, the more I think that it’s likely there won’t be a solution for this. Do you have any ideas?

    • You’re exactly right, this will only work for one console. Only way I can think of is having multiple public IP addresses or accepting that you can only have one console online at a time.

  • Regarding Ring, in order to get video to my ios device, I had to change my URL filtering from “block” to “alert” for category “unknown”.
    The connection is a random AWS ip addr on port 15064
    The situation was beyond ring support.
    Would like to close that hole back. Anyone have any suggestions?

  • Under Online Gaming Console, how did you add “External Interface” under Source Translation? I seem to only be able to add addresses, but not interfaces.

    • The “External Interface” is actually an Address Object I created that just points to my public IP. Assuming you have a dynamic IP, you will need to update this whenever your public IP changes. If you don’t want to purchase a static IP, an alternative is to set up some kind of dynamic DNS service to automatically update your IP address and then create the “External Interface” object using this FQDN instead.

      Hope this helps!

  • So I’m not even getting past initial setup. Was there a trick for anyone to get the doorbell pro setup via the PA-220 initially? I allocated an IP for its MAC address and have a policy allowing outbound any/any but still no joy. What’s the magic??

  • If this works I’ll hug you. I’ve seen ALG cause some of my other issues in business, but didn’t think about this. Even with all app default allowed and everything else.

    • *HUG* That weird? That was it!!! My GAWD, I was on this for every bit of 2 days. You know I actually turned an autonomous AP into single channel broadcast before I found this. When I read it, it hit me. First try, boom, it loaded. I never leave replies, but had to for this one. Nicely done!

  • Any ideas why Nest cameras and thermostat wouldn’t work? The cams are frozen and the thermo shows disconnected.

    • I’d try looking at the Monitor tab to see if anything is being blocked or aged-out unexpectedly. It’s hard to say without my own set of Nest devices. You’re welcome to send some my way to recreate the issue and help further troubleshoot. 🙂

    • The Nest thermostat is trying to get out on a non-standard dst port 9543. You will need to change your outbound security policy for the Nest device to use “any” for the service instead of “application-default”.

  • I just installed my PA-220 this past weekend and had the same Ring doorbell issue!

    Luckily I decided to take a break for the night out of frustration and just started doing some reading/Googling. Thanks for posting this!

  • You would not believe what I just went through with the PA-220 to get the Ring doorbell working! Packet captures, application overrides, vuln protection overrides for SIP, combing the monitor unified tab … Disable ALG for SIP!! I’ve been burned by that in the past but thought the app override would take care of it. Thanks so much for your post, you made a difference in my sanity for at least one more day. Over two hours on the phone with Ring, an hour on the phone with Comcast. One crazy checkbox in the sip application. Thank you, thank you, thank you.

    • So glad to hear that this post helped you! Your experience sounds just like mine and I too thought the application override would be sufficient. Another thing to watch out for — be careful with applying a zone protection profile. I noticed that the UDP protections would cause my Ring’s video captures to freeze and stutter. Once I disabled those, it was much smoother.
