This repository documents my personal HomeLab, designed to simulate a real-world enterprise security architecture. The lab integrates identity services, network security, endpoint protection, VPN access, and centralized logging/SIEM - all implemented, configured, and documented hands-on.
[PL] Polish version: click here
The environment integrates:
- Elasticsearch & Kibana (with SIEM)
- Microsoft Active Directory (including Enterprise Root CA)
- Elastic Agent Fleet with EDR
- Palo Alto Networks NGFW PA-220
- GlobalProtect Remote Access VPN
- Juniper Networks NetScreen 5GT
- Apache HTTPS Web Server (DMZ)
Read more about individual components and deployments:
- Elasticsearch & Kibana - Deployment & Configuration with AD TLS
- Elastic Fleet - Deployment & Configuration with AD TLS
- Juniper NetScreen - Deployment & Configuration
- Palo Alto NGFW & GlobalProtect - Deployment & Configuration
This homelab represents a segmented, enterprise-style network built to simulate realistic security, identity, and monitoring scenarios.
The environment is divided into the following zones:
- Internal
- DMZ
- VPN
- External
Traffic flows are strictly controlled and inspected using a Next-Generation Firewall and IPSec tunnels, closely mirroring real corporate network designs.
- Security Rules
- Internal Network (192.168.0.0/24)
- Internal Edge Routing - Juniper NetScreen 5GT
- NG Firewall (PA-220) - Security Enforcement Point
- DMZ Network (10.10.37.0/24)
- External Network & Internet Access
- Actual Real-Life Photo
| Source → Destination | Policy |
|---|---|
| Internal → External | ✅ Allowed, ⚠️ Inspected |
| Internal → DMZ | 🔐↔️🔐 IPSec-tunneled |
| Internal → GP VPN | ✅ Allowed |
| GP VPN → DMZ | ✅ Allowed |
| GP VPN → Internal | ✅ Allowed |
| GP VPN → External | ⚠️ Not applicable (split tunneling enabled) |
| DMZ → Internal | 🔐↔️🔐 IPSec-tunneled |
| DMZ → GP VPN | ✅ Allowed |
| DMZ → External | 🚫 Blocked |
| External → DMZ | ✅ Allowed (⚠️ only specific services, ⚠️ inspected, ⚠️ DNAT) |
| External → Internal | 🚫 Blocked |
| External → GP VPN | 🚫 Blocked |

The GP VPN rows refer to the tunneled address pool (10.10.52.0/24), not to the GlobalProtect portal and gateway themselves, which remote users reach on the NGFW's External interface before the tunnel exists.
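The matrix above expressed as a PAN-OS rulebase, including the DNAT and source NAT rules described in the NGFW section further down. This is an added example, not the configuration from this repository (the real configs are on the linked Palo Alto deployment page). Zone names (Internal, DMZ, External, VPN), the External interface name ethernet1/1, the profile group Lab-Profiles, the log-forwarding profile Elastic-SIEM and the external dynamic list Abuse-IP-EDL are assumed to already exist; the addresses are the ones listed in the per-zone sections of this README. Lines starting with # are annotations, not CLI.

```text
# --- Palo Alto PA-220, PAN-OS CLI (configure mode); names are assumed ---

# NAT: outbound PAT for the Internal network behind the External interface address.
set rulebase nat rules Outbound-SNAT from Internal to External source 192.168.0.0/24 destination any service any
set rulebase nat rules Outbound-SNAT source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# NAT: publish the DMZ web server on the External interface address, HTTPS only.
# NAT rules match on pre-NAT zones: 172.16.0.49 lives in External, so the rule is External -> External.
set rulebase nat rules Inbound-HTTPS-DNAT from External to External source any destination 172.16.0.49 service service-https
set rulebase nat rules Inbound-HTTPS-DNAT destination-translation translated-address 10.10.37.45

# Security: drop sources on the abuse list before any allow rule is evaluated.
set rulebase security rules Block-Abuse-IPs from External to any source Abuse-IP-EDL destination any application any service any action deny
set rulebase security rules Block-Abuse-IPs log-end yes

# Security: External -> DMZ, HTTPS only. Security policy matches on the pre-NAT address
# (172.16.0.49) but on the post-NAT zone (DMZ); a rule written "to External" would never hit.
set rulebase security rules External-to-DMZ-HTTPS from External to DMZ source any destination 172.16.0.49 application [ ssl web-browsing ] service service-https action allow
set rulebase security rules External-to-DMZ-HTTPS profile-setting group Lab-Profiles
set rulebase security rules External-to-DMZ-HTTPS log-setting Elastic-SIEM
set rulebase security rules External-to-DMZ-HTTPS log-end yes

# Security: Internal -> External, inspected by the profile group (SSL Forward Proxy is a separate decryption rulebase).
set rulebase security rules Internal-to-External from Internal to External source 192.168.0.0/24 destination any application any service application-default action allow
set rulebase security rules Internal-to-External profile-setting group Lab-Profiles
set rulebase security rules Internal-to-External log-setting Elastic-SIEM
set rulebase security rules Internal-to-External log-end yes

# Security: Internal <-> DMZ. Both directions arrive decrypted on the IPSec tunnel interface,
# which is assumed to sit in zone Internal, so the zone pair is Internal/DMZ.
set rulebase security rules Internal-to-DMZ from Internal to DMZ source 192.168.0.0/24 destination 10.10.37.0/24 application any service application-default action allow
set rulebase security rules Internal-to-DMZ profile-setting group Lab-Profiles
set rulebase security rules Internal-to-DMZ log-end yes
set rulebase security rules DMZ-to-Internal from DMZ to Internal source 10.10.37.0/24 destination 192.168.0.0/24 application any service application-default action allow
set rulebase security rules DMZ-to-Internal profile-setting group Lab-Profiles
set rulebase security rules DMZ-to-Internal log-end yes

# Security: GlobalProtect pool <-> Internal and DMZ. There is deliberately no VPN -> External rule:
# with split tunneling the clients' Internet traffic never enters the firewall.
set rulebase security rules VPN-to-Internal-DMZ from VPN to [ Internal DMZ ] source 10.10.52.0/24 destination any application any service application-default action allow
set rulebase security rules VPN-to-Internal-DMZ profile-setting group Lab-Profiles
set rulebase security rules VPN-to-Internal-DMZ log-end yes
set rulebase security rules Internal-DMZ-to-VPN from [ Internal DMZ ] to VPN source any destination 10.10.52.0/24 application any service application-default action allow
set rulebase security rules Internal-DMZ-to-VPN log-end yes

# Security: the blocked rows. The implicit interzone-default already drops them, but it does not log
# unless told to, so log it and add an explicit, logged deny for the DMZ egress case the lab cares about.
set rulebase security rules Deny-DMZ-to-External from DMZ to External source any destination any application any service any action deny
set rulebase security rules Deny-DMZ-to-External log-end yes
set rulebase default-security-rules rules interzone-default action deny
set rulebase default-security-rules rules interzone-default log-end yes
```

Two checks worth running after commit, using 203.0.113.10 as a constructed external client: `test nat-policy-match from External to External source 203.0.113.10 destination 172.16.0.49 protocol 6 destination-port 443` should return Inbound-HTTPS-DNAT, and `test security-policy-match from External to DMZ source 203.0.113.10 destination 172.16.0.49 protocol 6 destination-port 443` should return External-to-DMZ-HTTPS. Both take the pre-NAT destination address; only the security match uses the post-NAT zone, which is the detail that most often leaves a published service unreachable.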
The Internal zone hosts core identity, endpoint, and monitoring services.
- AD DC-01 (192.168.0.69)
Provides:
- Authentication & authorization
- Enterprise Root Certification Authority
- DNS
- IIS (Web Certificate Enrollment)
- Workstation01 (192.168.0.99) - domain-joined client
- AdamPC (192.168.0.19) - Elastic Stack node (non-domain)
  - Centralized logging, monitoring, and security analytics
  - Data sources:
    - Internal systems via Elastic Agent Fleet
    - AD DC
    - Domain workstations (Elastic EDR)
    - Fleet Server running on the Elasticsearch node
    - Palo Alto NGFW logs via the Elastic Agent integration
- SIEM detection rules trigger alerts on suspicious or malicious activity
- Free communication inside the Internal zone
- Controlled access to DMZ via IPSec tunnel
- Internet access is inspected and filtered
- All systems trust the Enterprise Root CA
- All services use certificates issued by AD CS
The Juniper NetScreen 5GT functions as an internal edge router, separating the Internal network from the NGFW.
- Internal: 192.168.0.1
- Transit toward NGFW: 10.0.0.2/24
- Routes internal traffic
- Participates in a site-to-site IPSec VPN with the NGFW
- IPSec tunnel is strictly limited to Internal ↔ DMZ traffic
- Uses a policy-based IPSec configuration
Read more: Juniper NetScreen configuration details
The Palo Alto Networks PA-220 NGFW is the primary security control point of the entire lab.
- Transit (towards Internal): 10.0.0.1/24
- DMZ: 10.10.37.1/24
- External: 172.16.0.49/24
- VPN (GlobalProtect): 10.10.52.0/24
- Source NAT for internal users
- Malicious IP blocking (External Abuse lists)
- Palo Alto security profiles (AV, Anti-Spyware, Vulnerability Protection), user-group-based via AD
- SSL Forward Proxy Decryption, user-based via AD
- All security events forwarded to Elastic SIEM
- DNAT for external access
- Only HTTPS (TCP/443) allowed
- Anti-Virus, Vulnerability Protection, and File Blocking (file upload protection)
- SSL Inbound Inspection Decryption for full traffic visibility
- Tunnel: Juniper NetScreen ↔ Palo Alto NGFW
- Limited strictly to Internal ↔ DMZ traffic
- Simulates untrusted intermediate network segments
- Ensures confidentiality, integrity, and authentication
- Policy-based IPSec using Proxy IDs
Note: This IPSec tunnel intentionally simulates a real-world scenario where multiple intermediate network devices and segments between the Juniper NetScreen and Palo Alto NGFW are not fully trusted, and full authentication, encryption and integrity are required.
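Both ends of the tunnel described in the NetScreen section and in the IPSec bullets above, as an added example; this is not the repository's own configuration, which lives on the linked Juniper and Palo Alto deployment pages. Assumptions: the PA-220 transit interface is ethernet1/2, the tunnel interface tunnel.1 is placed in the Internal zone and the default virtual router, `<PSK>` is a placeholder, and AES-256/SHA-1/DH group 5 is chosen as a suite a ScreenOS 5.x NetScreen 5GT can still negotiate (on current peers you would use SHA-256 and DH group 14 or higher). Lines starting with # are annotations, not CLI.

```text
# --- Juniper NetScreen 5GT, ScreenOS CLI (policy-based VPN) ---
set interface trust ip 192.168.0.1/24
set interface untrust ip 10.0.0.2/24
set address "Trust" "Internal-LAN" 192.168.0.0 255.255.255.0
set address "Untrust" "DMZ-LAN" 10.10.37.0 255.255.255.0
# Explicit Phase 1 / Phase 2 proposals; the PAN-OS profiles below mirror them exactly.
set ike p1-proposal "P1-AES256-SHA1-G5" preshare group5 esp aes256 sha-1 second 28800
set ike p2-proposal "P2-AES256-SHA1-G5" group5 esp aes256 sha-1 second 3600
set ike gateway "GW-PAN" address 10.0.0.1 Main outgoing-interface "untrust" preshare "<PSK>" proposal "P1-AES256-SHA1-G5"
set vpn "VPN-PAN" gateway "GW-PAN" no-replay tunnel idletime 0 proposal "P2-AES256-SHA1-G5"
# Proxy ID: local Internal, remote DMZ. The PAN-OS proxy ID must be the exact mirror image.
set vpn "VPN-PAN" proxy-id local-ip 192.168.0.0/24 remote-ip 10.10.37.0/24 "ANY"
# Policy-based: only Internal <-> DMZ traffic is steered into the tunnel; everything else
# toward the NGFW (Internet-bound traffic) is routed in the clear and inspected there.
set policy id 10 from "Trust" to "Untrust" "Internal-LAN" "DMZ-LAN" "ANY" tunnel vpn "VPN-PAN" log
set policy id 11 from "Untrust" to "Trust" "DMZ-LAN" "Internal-LAN" "ANY" tunnel vpn "VPN-PAN" log
set route 10.10.37.0/24 interface untrust gateway 10.0.0.1

# --- Palo Alto PA-220, PAN-OS CLI (configure mode); route-based with proxy IDs ---
set network ike crypto-profiles ike-crypto-profiles IKE-NetScreen encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-NetScreen hash sha1
set network ike crypto-profiles ike-crypto-profiles IKE-NetScreen dh-group group5
set network ike crypto-profiles ike-crypto-profiles IKE-NetScreen lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-NetScreen esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-NetScreen esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-NetScreen dh-group group5
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-NetScreen lifetime hours 1
# ScreenOS 5.x speaks IKEv1 only, so pin the version and use main mode to match the peer.
set network ike gateway GW-NetScreen protocol version ikev1
set network ike gateway GW-NetScreen protocol ikev1 exchange-mode main
set network ike gateway GW-NetScreen protocol ikev1 ike-crypto-profile IKE-NetScreen
set network ike gateway GW-NetScreen local-address interface ethernet1/2
set network ike gateway GW-NetScreen peer-address ip 10.0.0.2
set network ike gateway GW-NetScreen authentication pre-shared-key key <PSK>
set network interface tunnel units tunnel.1
set zone Internal network layer3 tunnel.1
set network virtual-router default interface tunnel.1
set network tunnel ipsec TUN-NetScreen tunnel-interface tunnel.1
set network tunnel ipsec TUN-NetScreen auto-key ike-gateway GW-NetScreen
set network tunnel ipsec TUN-NetScreen auto-key ipsec-crypto-profile IPSEC-NetScreen
# Mirror of the ScreenOS proxy ID: local DMZ, remote Internal. A mismatch fails Phase 2, not Phase 1.
set network tunnel ipsec TUN-NetScreen auto-key proxy-id PID-DMZ-Internal local 10.10.37.0/24 remote 192.168.0.0/24 protocol any
set network virtual-router default routing-table ip static-route To-Internal destination 192.168.0.0/24 interface tunnel.1
```

When the tunnel does not come up, check the two phases separately: `show vpn ike-sa` on the PA-220 (and `get ike cookie` on the NetScreen) tells you whether Phase 1 negotiated, while `show vpn ipsec-sa` (and `get sa`) shows Phase 2. A Phase 1 up, Phase 2 down pattern almost always means the proxy IDs or Phase 2 proposals do not mirror each other, which is the failure mode that the route-based PAN-OS side hides unless proxy IDs are set explicitly, as above.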
- Portal & Gateway hosted on the NGFW
- Remote users connect from the External network
- VPN address pool: 10.10.52.0/24
- Split tunneling enabled (Internet traffic not tunneled)
- VPN users have access to:
- Internal network
- DMZ services
- GlobalProtect authentication via LDAPS
- User-to-IP and user-to-group mappings retrieved from AD
Read more: Palo Alto NGFW & GlobalProtect configuration
The DMZ zone hosts externally exposed services.
- HTTPS Web Server - 10.10.37.45
  - Certificate issued by the Enterprise Root CA
  - Accessible:
    - From the Internal network only via IPSec
    - From the Internet with full inspection
    - Freely by GlobalProtect VPN users
- ISP Router: 172.16.0.1
- Source of:
  - External users
  - VPN client connections
- External users:
- Can access DMZ only
- Never reach Internal network directly
- All inbound traffic is inspected by the NGFW
