https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501 <DIV class="lia-message-template-content-zone"> <P style="font-weight: 400;"><EM><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Day-One-Configuration-blog_OtakarKlier_LIVEcommunity.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37046iC621CD2FB9D8C1BC/image-size/large?v=v2&amp;px=999" role="button" title="Day-One-Configuration-blog_OtakarKlier_LIVEcommunity.jpg" alt="Day-One-Configuration-blog_OtakarKlier_LIVEcommunity.jpg" /></span></STRONG></EM></P> <P style="font-weight: 400;">&nbsp;</P> <P style="font-weight: 400;">&nbsp;</P> <P style="font-weight: 400;"><EM><STRONG>This content was developed, written, and contributed by&nbsp;<A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580" target="_self"><FONT color="#FF6600">@OtakarKlier</FONT></A>, one of LIVEcommunity's Cyber Elite experts.&nbsp;</STRONG></EM></P> <P style="font-weight: 400;">&nbsp;</P> <P style="font-weight: 400;">This configuration is something I came up with that is in-line with best practices and day-one settings. I felt should be part of any new implementation for proper security; it combines best practices from not only the day-one config, but also a start to Zero Trust.&nbsp;</P> <P>&nbsp;</P> <P><STRONG>For manual config of management interface via CLI:</STRONG></P> <P><BR />You must change the default password, you must set one and remember it! (The template will change it, so you'll need to change it a second time after importing and applying the template.)</P> <P>&nbsp;</P> <P><STRONG>At the CLI:</STRONG></P> <LI-CODE lang="markup">configure set deviceconfig system ip-address &lt;IP address&gt; netmask &lt;subnet mask&gt; default-gateway &lt;gateway&gt; set deviceconfig system dns-setting servers primary &lt;IP of internal DNS server if no internal DNS server use 208.67.220.220 &gt; set deviceconfig system ntp-servers primary-ntp-server ntp-server-address &lt;IP of NTP server or use us.pool.ntp.org&gt; commit</LI-CODE> <P>&nbsp;</P> <P>NTP and DNS are required for the device to obtain its licensing and updates.</P> <P>Connect to the GUI and download all licenses as well as Dynamic updates.<BR />Upgrade code to version 10.0.6 (that is what the template was built on)</P> <P><BR />Import the XML config (see attachment)<BR />Template password is Paloaltorocks1! (please change it)<BR />Load the snapshot (see attachments)<BR /><STRONG>PanOS1006Base.xml</STRONG></P> <P>&nbsp;</P> <P>MGMT interface is configured for DHCP in the template</P> <P>&nbsp;</P> <P>assign IP to eth 1/1 and NAT <BR />assing IP to internal eth 1/2<BR />Verify default outbound route</P> <P>&nbsp;</P> <P>Set/Disable the following if not used:</P> <P>SIEM=1.0.0.0<BR />email server profile 1.0.0.1<BR />Netflow 10.0.0.2</P> <P>&nbsp;</P> <P>Put the MGMT interface into the Management zone and make sure it has the proper IP, subnet mask and gateway along with DNS and NTP.</P> <P>&nbsp;</P> <STRONG>Additional information can be found via the&nbsp;<A style="font-family: inherit; background-color: #ffffff;" href="https://docs.paloaltonetworks.com/best-practices/10-1/data-center-best-practices/data-center-best-practices-checklist.html" target="_blank" rel="noopener">Data Center Security Policy Best Practices Checklist</A>.</STRONG><SPAN style="font-family: inherit;">&nbsp;</SPAN> <P>&nbsp;</P> <P><SPAN style="color: #1f497d; font-family: Calibri, sans-serif; font-size: 14.6667px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">The part below is to mitigate some scan findings for weak ciphers: <BR /></SPAN></P> <P>&nbsp;</P> <LI-CODE lang="markup">configure delete deviceconfig system ssh set deviceconfig system ssh ciphers mgmt aes256-ctr set deviceconfig system ssh ciphers mgmt aes256-gcm set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 3072 set deviceconfig system ssh session-rekey mgmt interval 3600 set deviceconfig system ssh mac mgmt hmac-sha2-256 commit exit set ssh service-restart mgmt</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM><STRONG>Thanks for reading—and a big thanks to Cyber Elite expert&nbsp;<A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580" target="_self"><FONT color="#FF6600">@OtakarKlier</FONT></A>&nbsp;for sharing his expertise.</STRONG></EM></P> <P>&nbsp;</P> </DIV> Fri, 15 Oct 2021 23:04:12 GMT kiwi 2021-10-15T23:04:12Z https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501 <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">This configuration is in-line with best practices and day-one settings for proper security, and combines Palo Alto Networks best practices with a Zero Trust start.&nbsp;</DIV> Fri, 15 Oct 2021 23:04:12 GMT https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501 kiwi 2021-10-15T23:04:12Z