Palo Alto Networks firewalls are not just for enterprise data centers. With used PA-220 and PA-820 hardware readily available on eBay for a few hundred dollars, a Palo Alto firewall in your homelab gives you real-world experience with the platform that dominates enterprise security today.

I run a Palo Alto PA-820 as my primary perimeter and inter-VLAN firewall. This writeup covers the concepts and configurations I use daily — written for someone who knows basic networking but wants to understand what makes Palo Alto fundamentally different from a traditional stateful firewall.

Why Palo Alto Is Different

Traditional firewalls filter traffic by port and protocol. Palo Alto uses App-ID — it identifies applications by behavior, signatures, and heuristics regardless of port. A rule allowing "web browsing" only permits actual browser traffic, not arbitrary tools tunneling over port 80. The three core identification engines are:

  • App-ID — identifies the application (Facebook, BitTorrent, SSH, RDP, etc.)
  • User-ID — maps IP addresses to Active Directory users for user-based policies
  • Content-ID — inspects content for threats, URL categories, files, and data patterns

Zone-Based Architecture

PAN-OS organizes interfaces into security zones. All traffic between zones is denied by default unless explicitly permitted. This is fundamentally different from ACL-based firewalls.

Zone      VLAN                        Trust Level
UNTRUST   WAN                         Zero — implicit deny all inbound
TRUST     Workstations (VLAN 20)      High — outbound allowed
SERVERS   Server (VLAN 10)            Medium — controlled access
DMZ       Public services (VLAN 40)   Low — strictly limited
IOT       IoT (VLAN 30)               Very low — internet only, no lateral movement

Writing Security Policies

Palo Alto policies are evaluated top-down, first-match. Each rule specifies source zone, destination zone, addresses, application, service, and action. The power is in the application field:

Rule: Allow-Workstations-Internet
  Source Zone:      TRUST
  Destination Zone: UNTRUST
  Application:      web-browsing, ssl, dns
  Service:          application-default
  Action:           Allow + Security Profiles

Rule: Allow-IoT-DNS-Only
  Source Zone:      IOT
  Destination Zone: UNTRUST
  Application:      dns
  Action:           Allow

Rule: Block-IoT-Lateral
  Source Zone:      IOT
  Destination Zone: TRUST, SERVERS
  Action:           Deny + Log
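
To make the evaluation order concrete, here is a small added model of the three rules above (example code written for this writeup, not PAN-OS itself). It walks the rulebase top-down, first-match, applies App-ID rather than port, honours "application-default" against a hypothetical per-application port table, falls through to the predefined intrazone-default (allow) and interzone-default (deny) rules, and flags rules that an earlier rule shadows, which is the warning PAN-OS raises at commit time.

```python
from dataclasses import dataclass

# Hypothetical App-ID table: the standard port(s) each application uses when a
# rule's Service is "application-default" (real PAN-OS keeps this per App-ID).
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "dns": {53}, "ssh": {22}}

@dataclass
class Rule:
    name: str
    src_zones: set   # {"any"} or a set of zone names
    dst_zones: set
    apps: set        # {"any"} or a set of App-ID names
    service: str     # "application-default" or "any"
    action: str      # "allow" or "deny"

# Constructed rulebase mirroring the three rules in the post, in the order shown.
RULEBASE = [
    Rule("Allow-Workstations-Internet", {"TRUST"}, {"UNTRUST"},
         {"web-browsing", "ssl", "dns"}, "application-default", "allow"),
    Rule("Allow-IoT-DNS-Only", {"IOT"}, {"UNTRUST"}, {"dns"}, "application-default", "allow"),
    Rule("Block-IoT-Lateral", {"IOT"}, {"TRUST", "SERVERS"}, {"any"}, "any", "deny"),
]

def _matches(rule, src_zone, dst_zone, app, dst_port):
    if "any" not in rule.src_zones and src_zone not in rule.src_zones:
        return False
    if "any" not in rule.dst_zones and dst_zone not in rule.dst_zones:
        return False
    if "any" not in rule.apps and app not in rule.apps:
        return False  # App-ID decides, not the destination port
    if rule.service == "application-default" and dst_port not in APP_DEFAULT_PORTS.get(app, set()):
        return False  # the right app on a non-standard port is not "application-default"
    return True

def evaluate(src_zone, dst_zone, app, dst_port, rulebase=RULEBASE):
    """Top-down, first-match. Returns (action, rule name); unmatched traffic
    falls to the predefined defaults: intrazone allow, interzone deny."""
    for rule in rulebase:
        if _matches(rule, src_zone, dst_zone, app, dst_port):
            return rule.action, rule.name
    if src_zone == dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"

def shadowed_rules(rulebase=RULEBASE):
    """Names of rules that can never match because an earlier rule is a superset
    of their zones, applications and service (PAN-OS warns about these on commit)."""
    def covers(a, b):
        return all(("any" in getattr(a, f)) or getattr(b, f) <= getattr(a, f)
                   for f in ("src_zones", "dst_zones", "apps")) and a.service in ("any", b.service)
    return [later.name for i, later in enumerate(rulebase)
            if any(covers(earlier, later) for earlier in rulebase[:i])]
```

Note that `evaluate("TRUST", "UNTRUST", "bittorrent", 80)` is denied even though port 80 is open for web-browsing, which is the App-ID point the post makes.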

GlobalProtect VPN

GlobalProtect is Palo Alto's remote access VPN solution. Even on a homelab PA-820, you can configure a fully functional SSL VPN that tunnels traffic through your firewall when on untrusted networks. Once configured, the GlobalProtect agent lets you connect from anywhere with all traffic inspected as if you were physically on your TRUST VLAN.

URL Filtering and Threat Prevention

With a Threat Prevention subscription you get:

  • URL Filtering — block categories (malware, C2, gambling, etc.) or specific domains
  • IPS Signatures — covering exploits, command-and-control traffic, and brute force
  • WildFire — cloud-based sandboxing for unknown file analysis
  • DNS Security — block queries resolving to known-bad infrastructure

Even without subscriptions, attaching the base security profile to outbound rules adds meaningful protection for a homelab.

Logging and Visibility

PAN-OS generates detailed traffic logs, threat logs, and URL logs. Forward them to a syslog server (I use Graylog on a Proxmox container) via Device > Server Profiles > Syslog. The built-in ACC (Application Command Center) dashboard shows real-time application usage, top talkers, and detected threats — this visibility alone justifies having a Palo Alto over a simpler firewall.

Tips from Real Experience

  • Create a management access rule first — before anything else, ensure your management workstation can reach the firewall. Locking yourself out is easier than you think.
  • Use address objects — never type raw IPs in policies. Named objects mean one change updates every rule using it.
  • Enable logging on deny rules — unexpected deny hits reveal misconfigured devices and scanning activity faster than any other signal.
  • Commit with descriptions — PAN-OS requires explicit commits. Treat them like Git commits with meaningful messages.

Running a Palo Alto in your homelab builds skills directly transferable to enterprise environments. The platform is ubiquitous in mid-to-large organizations, and hands-on experience with zone architecture, App-ID, and security profiles will genuinely differentiate you in a networking or security engineering interview.