Palo Alto Firewall: Home Network
This is part of the Palo Posts how-to guides for getting the most from your Palo Alto firewall on a home or small business network.
My very own Palo Alto!
I’m a big fan of Palo Alto Networks firewalls due to their focus on security and giving both network and security professionals incredible insight into network traffic. To improve my understanding of these firewalls, I recently purchased my very own PA-220 for my home network. I successfully set it up but not without running into a few issues. Since it took a fair amount of Google-searching to troubleshoot and resolve the issues, I’m sharing my experiences below in the hopes that it will help others.
Problem: Configure Outbound Internet Security Policy
For initial setup, I highly recommend using the “Setting Up the PA-200 for Home and Small Office” guide, found on Palo Alto’s “Live Community” site. For the most part, I followed it exactly except the section regarding the outbound internet security policy. When creating this policy, the guide does not mention editing the “Service/URL Category” tab. Notably, if you do not edit this, Palo Alto defaults to the “application-default” option as shown below.
What does this mean? The firewall’s help page explains it this way: The selected applications are allowed or denied only on their default ports defined by Palo Alto Networks. This option is recommended for allow policies because it prevents applications from running on unusual ports and protocol which, if not intentional, can be a sign of undesired application behavior and usage.
This sounds reasonable, except that it broke my ability to use Speedtest.net and, more importantly, broke my Apple/iOS Mail clients from connecting to Gmail via IMAP. It turns out that those apparently don’t use what Palo Alto thinks are the “application-default” ports. Unless you’re cool with that behavior, you’ll actually want to select “any” instead.
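As an added example (not from the original post or from Palo Alto’s guide), here is the same outbound rule expressed as PAN-OS 8.x configure-mode set commands: first in the form the guide produces when the Service/URL Category tab is left alone, then with the Service field changed to “any” as described above. The zone names (Trust, Untrust) and the rule name are assumptions.

```text
# Added illustration, PAN-OS 8.x configure-mode syntax. Zone names and the rule name are assumed.
configure

# Form 1: what you get when the Service/URL Category tab is not edited.
# "application-default" makes the rule match only on each App-ID's registered ports, so a
# session such as IMAP to Gmail on a port Palo Alto does not list for "imap" falls through to
# the interzone-default deny and shows up as a drop in the Monitor tab.
set rulebase security rules Outbound-Internet from Trust to Untrust source any destination any source-user any category any application any service application-default action allow

# Form 2: the change described above. Remove the application-default member and set "any" so the
# matched applications are allowed on whatever port they actually use.
delete rulebase security rules Outbound-Internet service application-default
set rulebase security rules Outbound-Internet service any

# Review the candidate rule before committing.
show rulebase security rules Outbound-Internet

commit
```

The trade-off is the one the help text describes: with “any”, an allowed application is no longer pinned to its expected ports, so the traffic log, not the rule, is where you will notice an application turning up somewhere unusual.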
Problem: DNS Proxy
Like most people, I was using my wireless router as my DNS server for resolving hosts on my local network. It’s not critical as there are only a few devices on my home network, but it is convenient to have a few “A records” configured. Wanting to maintain this same functionality, I configured my Palo Alto firewall using the “DNS Proxy” option.
After a hard day’s work, we decided to watch some Netflix and I noticed the Netflix app on my TV and Apple TV no longer worked. Interestingly, there was no issue streaming Netflix on my laptop, iPhone, or iPad. After much searching, I found a helpful “Live Community” post regarding DNS Proxy as the possible issue.
It turns out that DNS Proxy, at least on PAN-OS 8.x (which is what the PA-220 ships with as of today), does not play well with Netflix. As soon as I disabled DNS Proxy, Netflix streamed without issue.
Online Console Gaming
Problem: NAT Dynamic IP & Port Policy
Anyone who knows me knows I’m a giant Nintendo fanboy. Shortly after setting up the Palo Alto firewall, I decided to play some online Mario Kart, only to find that my new Nintendo Switch would no longer connect. Sadface.
It turns out that Palo Alto firewalls do not support “Universal Plug and Play” (UPnP) which had allowed me to connect easily on my consumer-grade wireless router. This makes sense from an enterprise-grade firewall perspective as you would want to explicitly control what’s allowed inside and outside of your network.
Back to searching, and I found this knowledge base article discussing how Palo Alto handles game console traffic. It turns out you need to create a specific NAT policy ahead of your default internet outbound NAT rule. This NAT policy should specify the IP of your video game console as the source address and use only “dynamic-ip” source translation instead of “dynamic-ip-and-port” source translation.
So that I don’t have to periodically update the Nintendo Switch’s source address in the NAT rule due to DHCP, I configured the firewall’s DHCP relay to always assign my Switch the same IP and created an Address Object on the firewall using this same IP. See the screenshot below for how the NAT policies ultimately looked in the end.
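As an added example (not the original post’s configuration, which is only shown in its screenshot), the following PAN-OS 8.x configure-mode commands build the pieces described above: a fixed lease for the console, an Address Object for it, a dynamic-ip NAT rule for the console placed above the normal dynamic-ip-and-port rule. Interface names, zone names, the console’s MAC and IP, and the WAN address object are assumptions. The fixed lease is a reservation on the firewall’s DHCP server (the post refers to this as the DHCP relay).

```text
# Added illustration, PAN-OS 8.x configure-mode syntax. Interface names, zone names, the
# console's MAC/IP and the WAN address object are assumed values, not ones from the post.
configure

# 1. Pin the console to one address with a DHCP server reservation (ethernet1/2 is the assumed
#    LAN interface running the firewall's DHCP server).
set network dhcp interface ethernet1/2 server reserved 192.168.1.50 mac 00:11:22:33:44:55

# 2. Address object for the console so the NAT rule never carries a raw IP.
set address Nintendo-Switch ip-netmask 192.168.1.50/32

# 3. Console rule. dynamic-ip rewrites only the source address and leaves the source port as the
#    console chose it; dynamic-ip-and-port would rewrite both. dynamic-ip requires an explicit
#    translated address, here an assumed object holding the firewall's public IP.
set address WAN-Public-IP ip-netmask 203.0.113.10/32
set rulebase nat rules Switch-Dynamic-IP from Trust to Untrust source Nintendo-Switch destination any service any to-interface ethernet1/1 source-translation dynamic-ip translated-address WAN-Public-IP

# 4. Everything else keeps ordinary PAT behind the WAN interface address.
set rulebase nat rules Outbound-PAT from Trust to Untrust source any destination any service any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# 5. NAT rules are evaluated top-down, first match wins, so the console rule must sit above the catch-all.
move rulebase nat rules Switch-Dynamic-IP before Outbound-PAT

commit
```

Keeping the source match on a single Address Object is what makes this safe to leave in place: only the console loses port translation, and every other host on the LAN stays behind the dynamic-ip-and-port rule.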
Ring Video Doorbell Pro
Problem: Session Initiation Protocol (SIP) Application Layer Gateway (ALG)
At home, I use a Ring Video Doorbell Pro and it has worked great for seeing who’s at our front door whether we’re at home or not. Ring will send push notification alerts whenever it detects motion or if someone presses the doorbell. From the alert you can then view a live stream of who is at your door. You can also trigger the live stream on-demand.
I noticed that once the Palo Alto was in place, the live streams, whether based on alerts or on-demand, would always hang and never load. After a few minutes I’d be able to watch the recorded video after the fact. Not ideal.
This particular problem took the most time to figure out. I found a few articles that spoke of similar issues but nothing quite matching what I was seeing. I started playing around with the on-demand live stream functionality and observing the traffic in the firewall’s Monitor tab to see what type of traffic was being generated and whether anything was being blocked. At first I thought it might’ve been a NAT issue, similar to what I saw with my Nintendo Switch.
Eventually, I noticed that Ring used the session initiation protocol (SIP) when creating these live stream communications. Looking through the “Live Community” again, I found an article regarding how to disable SIP Application Layer Gateway (ALG) in Palo Alto. It mentioned that SIP ALG can cause issues with certain SIP implementations. Figuring I had nothing to lose I followed the steps and lo and behold, live streaming worked again. Yay.
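As an added example (not taken from the post or from the Live Community article it cites), this is the PAN-OS 8.x CLI form of the SIP ALG change, followed by a configure-mode check that the override is present. Nothing in it is specific to Ring; the override applies to every SIP session the firewall identifies.

```text
# Added illustration, PAN-OS 8.x configure-mode syntax.
configure

# Disable the SIP Application Layer Gateway. App-ID still identifies the traffic as "sip";
# the firewall simply stops rewriting the addresses embedded in SIP messages and stops opening
# pinholes for the media streams those messages describe.
set shared alg-override application sip alg-disabled yes

# Confirm the override is in the candidate configuration before committing.
show shared alg-override

commit
```

The check to make afterwards is the same one used to diagnose the problem: watch the Monitor tab for the SIP session and the media sessions that follow it. With the ALG off, a SIP endpoint that depended on the firewall to open those media pinholes will show the media being denied instead, which tells you that endpoint, unlike Ring, wants the ALG left on.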
I hope these tips help anyone else who was crazy enough to purchase a Palo Alto firewall for their home network. I’ll continue to post more about my experience if I run into more issues or test out additional functionality and integrations.