Initial Access to the System
Initial configuration must be performed over either:
Dedicated out-of-band management Ethernet interface (MGT)
Serial console connection
Default MGT IP addressing:
Hardware: 192.168.1.1/24
VM: DHCP Client
User name: admin
Password: admin
Serial port has default values of 9600-8-N-1.
By default, the firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other firewall configuration tasks. You must perform these initial configuration tasks either from the MGT interface, even if you do not plan to use this interface for your firewall management, or using a direct serial connection to the console port on the firewall.
|Gather the required information from your network administrator.||IP address for MGT port; Netmask; Default gateway; DNS server address|
|Connect your computer to the firewall.||You can connect to the firewall in one of the following ways: Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1). Wait a few minutes for the boot-up sequence to complete; when the firewall is ready, the prompt changes to the name of the firewall, for example PA-500 login. Connect an RJ-45 Ethernet cable from your computer to the MGT port on the firewall. From a browser, go to https://192.168.1.1.
Note that you may need to change the IP address on your computer to an address in the 192.168.1.0/24 network, such as 192.168.1.2, in order to access this URL.
|When prompted, log in to the firewall.||You must log in using the default username and password (admin/admin). The firewall will begin to initialize.|
|Configure the MGT interface.||
3. Set the Speed to auto-negotiate.
4. Select which management services to allow on the interface.
5. Click OK.
|Configure DNS, update server, and proxy server settings.
You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.
|Configure date and time (NTP) settings.||
|(Optional) Configure general firewall settings as needed.||
As a best practice, avoid using welcoming verbiage. Additionally, you should ask your legal department to review the banner message to ensure it adequately warns that unauthorized access is prohibited.
4. Enter the Latitude and Longitude to enable accurate placement of the firewall on the world map.
5. Click OK.
|Set a secure password for the admin account.||
|Commit your changes. When the configuration changes are saved, you lose connectivity to the web interface because the IP address has changed.||Click Commit at the top right of the web interface. The firewall can take up to 90 seconds to save your changes.|
|Connect the firewall to your network.||Disconnect the firewall from your computer. Connect the MGT port to a switch port on your management network using an RJ-45 Ethernet cable. Make sure that the switch port you cable the firewall to is configured for auto-negotiation.|
|Open an SSH management session to the firewall.||Using terminal emulation software, such as PuTTY, launch an SSH session to the firewall using the new IP address you assigned to it.|
|Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server. You can do this in one of the following ways: If you do not want to allow external network access to the MGT interface, you will need to set up a data port to retrieve required service updates. Continue to Set Up Network Access for External Services. If you do plan to allow external network access to the MGT interface, verify that you have connectivity and then proceed to Register the Firewall and Activate Licenses and Subscriptions.||Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.|
Config Types:
Proposed configuration changes are not in effect until successfully committed.
Configuration changes appear in the user interface
Configuration active on the firewall from the previous commit
Changes to the configuration of the firewall are logged in the Configuration log, which is accessed through
Monitor > Logs > Configuration.
The configuration log contains details that include the date and time of the configuration change, the administrator who made the change, the host IP address of the administrator's system, and the command and its result.
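
The fields listed above are enough for a basic review of who changed the firewall and from where. The following is an added example, not part of the original page or of the vendor's tooling: it audits configuration-log records for changes made from outside the management network, with the built-in admin account, or with a failed result. The CSV column layout, the sample records, the result strings and the 10.20.0.0/24 management subnet are assumptions constructed for illustration.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed sample records. The column layout is an assumption made for
# this example, not the firewall's own export format.
SAMPLE_LOG = """\
time,admin,host,command,result
2024-05-01 09:12:03,admin,192.168.1.2,set,Succeeded
2024-05-01 09:15:40,jdoe,10.20.0.15,commit,Succeeded
2024-05-02 02:47:11,jdoe,203.0.113.9,set,Succeeded
2024-05-02 02:48:30,jdoe,203.0.113.9,commit,Failed
"""

MGMT_NETS = [ip_network("10.20.0.0/24")]  # constructed management subnet


def audit(log_text, mgmt_nets=MGMT_NETS, builtin_account="admin"):
    """Return (time, admin, host, reasons) for each entry worth reviewing."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        try:
            host = ip_address(row["host"].strip())
            if not any(host in net for net in mgmt_nets):
                reasons.append("host outside management network")
        except ValueError:
            # A malformed source address is itself worth a look.
            reasons.append("unparseable host address")
        if row["admin"].strip() == builtin_account:
            reasons.append("built-in admin account used")
        if row["result"].strip().lower() != "succeeded":
            reasons.append("command did not succeed")
        if reasons:
            findings.append((row["time"], row["admin"], row["host"], reasons))
    return findings


if __name__ == "__main__":
    for time, admin, host, reasons in audit(SAMPLE_LOG):
        print(f"{time} {admin}@{host}: {'; '.join(reasons)}")
```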