Palo Alto Firewall – Initial Configuration

Initial Access to the System

Initial configuration must be performed over either:

  • Dedicated out-of-band management Ethernet interface (MGT)
  • Serial console connection

Default MGT IP addressing:

  • Hardware: 192.168.1.1/24
  • VM: DHCP client

Default access:

  • User name: admin
  • Password: admin

The serial port has default values of 9600-8-N-1.


By default, the firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other firewall configuration tasks. You must perform these initial configuration tasks either from the MGT interface, even if you do not plan to use this interface for your firewall management, or using a direct serial connection to the console port on the firewall.

Gather the required information from your network administrator:
  • IP address for MGT port
  • Netmask
  • Default gateway
  • DNS server address

Connect your computer to the firewall. You can connect to the firewall in one of the following ways:
  • Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1). Wait a few minutes for the boot-up sequence to complete; when the firewall is ready, the prompt changes to the name of the firewall, for example PA-500 login.
  • Connect an RJ-45 Ethernet cable from your computer to the MGT port on the firewall. From a browser, go to https://192.168.1.1.

 

Note that you may need to change the IP address on your computer to an address in the 192.168.1.0/24 network, such as 192.168.1.2, in order to access this URL.

When prompted, log in to the firewall. You must log in using the default username and password (admin/admin). The firewall will begin to initialize.


Configure the MGT interface.
  1. Select Device > Setup > Management and edit the Management Interface Settings.
  2. Configure the address settings for the MGT interface using one of the following methods:
    • To configure static IP address settings for the MGT interface, set the IP Type to Static and enter the IP Address, Netmask, and Default Gateway.
    • To dynamically configure the MGT interface address settings, set the IP Type to DHCP. To use this method, you must Configure the Management Interface as a DHCP Client.
    • To prevent unauthorized access to the management interface, it is a best practice to Add the Permitted IP Addresses from which an administrator can access the MGT interface.
  3. Set the Speed to auto-negotiate.
  4. Select which management services to allow on the interface.
    • Make sure Telnet and HTTP are not selected, because these services use plaintext, are not as secure as the other services, and could compromise administrator credentials.
  5. Click OK.


Configure DNS, update server, and proxy server settings.

 

You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.

  1. Select Device > Setup > Services.
    • For multi-virtual system platforms, select Global and edit the Services section.
    • For single virtual system platforms, edit the Services section.
  2. On the Services tab, for DNS, click one of the following:
    • Servers —Enter the Primary DNS Server address and Secondary DNS Server address.
    • DNS Proxy Object —From the drop-down, select the DNS Proxy that you want to use to configure global DNS services, or click DNS Proxy to configure a new DNS proxy object.
  3. Click OK.


Configure date and time (NTP) settings.
  1. Select Device > Setup > Services.
    • For multi-virtual system platforms, select Global and edit the Services section.
    • For single virtual system platforms, edit the Services section.
  2. On the NTP tab, to use the virtual cluster of time servers on the Internet, enter the hostname pool.ntp.org as the Primary NTP Server or enter the IP address of your primary NTP server.
  3. ( Optional ) Enter a Secondary NTP Server address.
  4. ( Optional ) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server:
    • None —(Default) Disables NTP authentication.
    • Symmetric Key —Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
      • Key ID —Enter the Key ID (1-65534).
      • Algorithm —Select the algorithm to use in NTP authentication (MD5 or SHA1).
    • Autokey —Firewall uses autokey (public key cryptography) to authenticate time updates.
  5. Click OK.


( Optional ) Configure general firewall settings as needed.
  1. Select Device > Setup > Management and edit the General Settings.
  2. Enter a Hostname for the firewall and enter your network Domain name. The domain name is just a label; it will not be used to join the domain.
  3. Enter Login Banner text that informs users who are about to log in that they require authorization to access the firewall management functions.

As a best practice, avoid using welcoming verbiage. Additionally, you should ask your legal department to review the banner message to ensure it adequately warns that unauthorized access is prohibited.

  4. Enter the Latitude and Longitude to enable accurate placement of the firewall on the world map.
  5. Click OK.

Set a secure password for the admin account.
  1. Select Device > Administrators.
  2. Select the admin role.
  3. Enter the current default password and the new password.
  4. Click OK to save your settings.


Commit your changes. When the configuration changes are saved, you lose connectivity to the web interface because the IP address has changed. Click Commit at the top right of the web interface. The firewall can take up to 90 seconds to save your changes.

Connect the firewall to your network.
  1. Disconnect the firewall from your computer.
  2. Connect the MGT port to a switch port on your management network using an RJ-45 Ethernet cable. Make sure that the switch port you cable the firewall to is configured for auto-negotiation.

Open an SSH management session to the firewall. Using terminal emulation software, such as PuTTY, launch an SSH session to the firewall using the new IP address you assigned to it.


Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server. You can do this in one of the following ways:
  • If you do not want to allow external network access to the MGT interface, you will need to set up a data port to retrieve required service updates. Continue to Set Up Network Access for External Services.
  • If you do plan to allow external network access to the MGT interface, verify that you have connectivity and then proceed to Register the Firewall and Activate Licenses and Subscriptions.

Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.
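As an added example (not part of the original post and not Palo Alto Networks code), the following Python script checks an exported configuration against the hardening points in the steps above: factory MGT address, plaintext services, Permitted IP Addresses, DNS, and NTP authentication. The XML is a constructed sample, and the element names are assumed to mirror the `set deviceconfig system ...` CLI paths; confirm them against your own export.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the <system> subtree from an exported configuration.
# Element names are an assumption based on the deviceconfig CLI paths.
SAMPLE = """
<system>
  <ip-address>192.168.1.1</ip-address>
  <dns-setting><servers/></dns-setting>
  <ntp-servers><primary-ntp-server>
    <ntp-server-address>pool.ntp.org</ntp-server-address>
    <authentication-type><none/></authentication-type>
  </primary-ntp-server></ntp-servers>
  <service><disable-telnet>no</disable-telnet><disable-http>yes</disable-http></service>
</system>
"""

def audit_system(xml_text):
    """Return findings for the MGT hardening steps described on this page."""
    system = ET.fromstring(xml_text)
    findings = []
    if system.findtext("ip-address") == "192.168.1.1":
        findings.append("MGT interface still uses factory address 192.168.1.1")
    for svc in ("telnet", "http"):
        value = system.findtext(f"service/disable-{svc}")
        if value != "yes":  # missing or "no": not explicitly disabled
            findings.append(f"{svc} is not explicitly disabled (disable-{svc}={value})")
    permitted = [e.get("name") for e in system.findall("permitted-ip/entry")]
    if not permitted:
        findings.append("no Permitted IP Addresses configured for MGT")
    for net in permitted:
        if ipaddress.ip_network(net, strict=False).prefixlen == 0:
            findings.append(f"permitted-ip {net} allows every address")
    if not system.findtext("dns-setting/servers/primary"):
        findings.append("no primary DNS server: hostnames will not resolve")
    for ntp in system.findall("ntp-servers/*"):
        auth = ntp.find("authentication-type")
        if auth is None or auth.find("none") is not None:
            findings.append(f"{ntp.tag} does not authenticate time updates")
    return findings

if __name__ == "__main__":
    for finding in audit_system(SAMPLE):
        print("FINDING:", finding)
```
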


Config Types:

Candidate Configuration
  • Proposed configuration changes are not in effect until successfully committed.
  • Configuration changes appear in the user interface.

Running Configuration
  • Configuration active on the firewall from the previous commit.

Changes to the configuration of the firewall are logged in the Configuration log, which is accessed through Monitor > Logs > Configuration.


The configuration log contains details that include the date and time of the configuration change, the administrator who made the change, the host IP address of the administrator’s system, and the command and its result.


Sanchit Agrawal

Blog Author
