External firewall

We use a Palo Alto Networks (PAN) firewall provided by IST. We have one network port in the server room which is activated and behind the firewall; we have another network port activated in the lab behind the television which is also behind the firewall. All the ports the desktops use are also behind the firewall since they are routed through the switch in the server room.

Administering the firewall

Accessing the interface

Administration of the firewall is done through the web interface, and must be done from an on-campus IP address (for instance through the library VPN or SOCKS proxying through an OCF host). Remember to specify https when loading the firewall admin page, as it does not have a redirect from http to https. If you are having connection issues with the firewall admin page loading indefinitely, it is likely because you are trying to use http or trying to access it from an off-campus IP. To quickly set up a SOCKS proxy, run ssh -D 8000 -N supernova from any off-campus host and then set up the SOCKS proxy (through your OS or through your browser's settings) to use the proxy on localhost and port 8000.

To sign in to administer the firewall, make sure to use the single sign-on (SSO) option, and it will ask for CalNet authentication.

Policies

All our current policies are located in the "Pre Rules" section under "Security" in the policies tab. This option should be right at the top in the box on the left side of the page. It contains all our rules since we are only blocking traffic (either outgoing or incoming) before it goes through the firewall, so all we need are pre rules.

In general the interface is pretty self-explanatory. Each rule has a custom name and a description that describes what kind of traffic it should be blocking or letting through, as well as the source and destination addresses (or groups of addresses), application (identified by the firewall), service (port), and whether it is allowed or blocked. Each rule has a dropdown next to the rule name if you hover over it that leads to the log viewer, where you can see what kind of traffic matched each rule and when the traffic was allowed/blocked.

Any changes made to the firewall policies need to be committed and pushed to the firewall using the commit button and then the push button (or the commit and push button to do it in one step) located in the top right.

Syslog

When we switched over to the new PAN firewall, syslog was set up to send messages to syslog.ocf.berkeley.edu, however it is only configured to send logs there over TLS, so currently it is failing.