topic Re: PA 500 Cisco 3560 in General Topics

PA 500 Cisco 3560

phugiay — Mon, 19 Dec 2022 18:18:26 GMT

Hi there,

I am totally new here in Paloalto firewall. I have PA 500 and want to do lab test and I want to find a basic instruction to set up PA to connect internet and also connect to Cisco switch. I am very familiar with Cisco ASA and switch since we do all CLI but I understand PA firewall is all GUI. Any help I would be appreciate.

My understand is I need a license to update OS.

Thank you

Vincent

Re: PA 500 Cisco 3560

Raido_Rattameister — Mon, 19 Dec 2022 19:00:45 GMT

As PA-500 is end of sale (https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates) you most likely won't be able to re-activate already expired support subscription to download latest supported PANOS updates (8.1.x in case of PA-500).

"A product must be covered by a support contract as of the End-of-Sale date to be eligible for support renewal. Support contracts may be renewed for the duration of the End-of-Life cycle, and cannot be allowed to lapse during this time and be reinstated later."

https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-policy

Check https://beacon.paloaltonetworks.com/student/collection/660313-next-generation-firewall for learning materials

Re: PA 500 Cisco 3560

TomYoung — Mon, 19 Dec 2022 20:30:22 GMT

Hi @phugiay ,

Beacon is a great resource as @Raido_Rattameister mentioned. I recommend searching for "Firewall Essentials" and going through that course. It is most excellent and free.

If you want something faster to get you up and running, go to the Administrator's Guide, https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin. It has great links for basic configurations to get you going.

Since you know the ASA, you are already very familiar with FW concepts. These links will help you learn the GUI and additional NGFW material.

Thanks,

Tom

Re: PA 500 Cisco 3560

phugiay — Mon, 19 Dec 2022 22:38:57 GMT

Hi Raido_Rattameister.

Thank you for the advise. I think I am OK for version 9. I want to play with PA 500 first before go to the real PA 850. I can be able to connect to internet to PA 500 .

My next step how to connect PA to one port from Cisco switch like we do in Cisco ASA.

Re: PA 500 Cisco 3560

Raido_Rattameister — Mon, 19 Dec 2022 22:48:23 GMT

Check if this helps

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/getting-started/segment-your-network-using-interfaces-and-zones/configure-interfaces-and-zones

Re: PA 500 Cisco 3560

phugiay — Tue, 20 Dec 2022 17:40:00 GMT

Hi Raido,

Thank you very much.

I have a question: I got the answer from the other forum. I can download the OS through my company account.

I read some instructions, you need to update from 8.1 ->9 -> 10, not straight to 10.1.8 right?

Re: Factory reset
@XXXX wrote:
We need license to do the update?
you actually don't need a license to do an upgrade, but a non-licensed device will not be able to download software versions from the update server, so you will need to do that part manually

PAN-OS 10.1.8-h2 is now available!
The PAN-OS 10.1.8-h2 software update is now available on the Palo Alto Networks Software Updates page. Check out the PAN-OS 10.1.8-h2 Release Notes for release details, including the new features and bug fixes that make the upgrade worthwhile.

This email was sent to you because you are a registered user of the Palo Alto Networks Support Portal. If you no longer wish to receive these updates, please unsubscribe by updating your profile on the Support Portal.

Re: PA 500 Cisco 3560

phugiay — Tue, 20 Dec 2022 17:42:03 GMT

Hi TomYoung,

Thank you so much for quick response. My first step to update OS since I can download the OS from my company.

I need to update from 8--> 9 - >10 or straight to 10.1.8

Re: PA 500 Cisco 3560

Raido_Rattameister — Tue, 20 Dec 2022 17:53:57 GMT

Yes it is possible to manually upload and upgrade PANOS.

In your case it would not work as PA-500 does not support anything above 8.1.x

https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates

Re: PA 500 Cisco 3560

phugiay — Wed, 21 Dec 2022 17:22:22 GMT

Hi Raido_Rattameister,

I can be able update to 8.07 and it cannot update to version 8.1

I follow the instruction below from CLI but still cannot update to 8.1. They said it will take more than an hour but it did reboot but still show 8.07

admin@PA-500> show system info

hostname: PA-500
ip-address: 192.168.1.1
netmask: 255.255.255.0
default-gateway:
ip-assignment: static
ipv6-address: unknown
ipv6-link-local-address: fe80::d6f4:beff:fe26:8d00/64
ipv6-default-gateway:
mac-address: d4:f4:be:26:8d:00
time: Tue Dec 20 17:05:38 2022
uptime: 0 days, 0:57:52
family: 500
model: PA-500
serial: XXXX
sw-version: 8.0.7
global-protect-client-package-version: 0.0.0
app-version: 695-4002
app-release-date: unknown

-------------------------------------------------------------

admin@PA-500> show jobs id 2

Enqueued Dequeued ID Type
Status Result Completed
--------------------------------------------------------------------------------
----------------------------------------------
2022/12/20 17:17:58 17:17:58 2 SWInstall
ACT PEND 0%
Warnings:
Details:Loading into software manager

https://www.samkear.com/upgrading-software-palo-alto-firewalls-without-internet-connections

Re: PA 500 Cisco 3560

Raido_Rattameister — Wed, 21 Dec 2022 18:56:58 GMT

If you do update manually you need to upload and install 8.1.0 before you can jump to 8.1.x from 8.0.x

Re: PA 500 Cisco 3560

phugiay — Fri, 23 Dec 2022 16:32:17 GMT

Hi ,

I am finally be able update to version 8.1. Thank you for you help.

My next step is connected the Internet to PA 500 and connect the switch 3560.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS2CAK

1. I plug my comcast router to Ethernet1/1 (untrust) and Ethernet1/2( trust) to Cisco switch. PA picked up the DHCP Client (10.0.0.126) and it shows the IP after I hit Commits and show green light. However, I cannot ping website like yahoo or ip or I cannot ping my wifi at home like Cisco ASA except the IP that Comcast assigned for PA 500. I search from here and everyone said the issue is NAT/security policy/Virtual router. Since this is not a static IP so there is no need for virtual routing (Correct me if I am wrong)

2. My Cisco switch has 2 VLAN 10 (192.168.10.0/24)and 12 (10.33.12.0/24). I assigned IP 192.168.10.50 for PA 500 and from my laptop or server, I can ping PA 500 but not the comcast IP. (something is not right here) For Cisco ASA, you connect one port from ASA to another port from your switch and you route all your VLAN to ASA port and from ASA you route to the port on switch.

I attached the file and my routing. I changed my Management Profile all to ping. I did the screenshot before I change

---------------------------------------------------------------------------------------------------------------------------

admin@PA-500> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf
, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-t
ype-2, E:ecmp, M:multicast

VIRTUAL ROUTER: default (id 1)
==========
destination nexthop
metric flags age interface next-AS
0.0.0.0/0 10.0.0.1
10 A S ethernet1/1
10.0.0.0/24 10.0.0.126
0 A C ethernet1/1
10.0.0.126/32 0.0.0.0
0 A H
192.168.10.0/24 192.168.10.0
0 A C ethernet1/2
192.168.10.0/32 0.0.0.0
0 A H
total routes shown: 5

VIRTUAL ROUTER: VR1 (id 2)
==========
destination nexthop
metric flags age interface next-AS
total routes shown: 0

admin@PA-500>
admin@PA-500>
admin@PA-500>

admin@PA-500> ping source 74.6.143.25 host 8.8.8.8
bind: Cannot assign requested address
admin@PA-500> ping source host 8.8.8.8

Invalid syntax.
admin@PA-500> show rulebase security rule

Invalid syntax.
admin@PA-500> configuration
Unknown command: configuration
admin@PA-500> conf
Unknown command: conf
admin@PA-500> configure
Entering configuration mode
[edit]
admin@PA-500# show rulebase security rules
rules {
bad-application-block {
from trust;
to untrust;
source any;
destination any;
service any;
application peer-to-peer;
action deny;
log-end yes;
source-user any;
category any;
hip-profiles any;
}
internet-acces {
profile-setting {
profiles {
url-filtering default;
virus default;
spyware default;
vulnerability default;
wildfire-analysis default;
}
}
to untrust;
from trust;
source any;
destination any;
source-user any;
category any;
application any;
service application-default;
hip-profiles any;
action allow;
}
}
[edit]
admin@PA-500#
[edit]
admin@PA-500# show zone
zone {
trust {
network {
layer3 ethernet1/2;
}
}
untrust {
network {
layer3 ethernet1/1;
}
}
WAN {
network {
layer3;
}
}
LAN {
network {
layer3;
}
}
}
[edit]
admin@PA-500# show interface all

Invalid syntax.
[edit]
admin@PA-500# exit
Exiting configuration mode
admin@PA-500> show interface all

total configured hardware interfaces: 7

name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 1000/full/up d4:f4:be:26:8d:10
ethernet1/2 17 1000/full/up d4:f4:be:26:8d:11
ethernet1/3 18 ukn/ukn/down(autoneg) d4:f4:be:26:8d:12
ethernet1/4 19 ukn/ukn/down(autoneg) d4:f4:be:26:8d:13
vlan 1 [n/a]/[n/a]/up d4:f4:be:26:8d:01
loopback 3 [n/a]/[n/a]/up d4:f4:be:26:8d:03
tunnel 4 [n/a]/[n/a]/up d4:f4:be:26:8d:04

aggregation groups: 0

Re: PA 500 Cisco 3560

phugiay — Tue, 03 Jan 2023 23:41:43 GMT

Thank you

Re: PA 500 Cisco 3560

phugiay — Tue, 03 Jan 2023 23:43:24 GMT

Hi ,

I am finally be able update to version 8.1. Thank you for you help.

My next step is connected the Internet to PA 500 and connect the switch 3560.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS2CAK

I attached the file and my routing. I changed my Management Profile all to ping. I did the screenshot before I change

---------------------------------------------------------------------------------------------------------------------------

admin@PA-500> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf
, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-t
ype-2, E:ecmp, M:multicast

VIRTUAL ROUTER: VR1 (id 2)
==========
destination nexthop
metric flags age interface next-AS
total routes shown: 0

admin@PA-500>
admin@PA-500>
admin@PA-500>

admin@PA-500> ping source 74.6.143.25 host 8.8.8.8
bind: Cannot assign requested address
admin@PA-500> ping source host 8.8.8.8

Invalid syntax.
admin@PA-500> show rulebase security rule

Invalid syntax.
[edit]
admin@PA-500# exit
Exiting configuration mode
admin@PA-500> show interface all

total configured hardware interfaces: 7

aggregation groups: 0

Re: PA 500 Cisco 3560

phugiay — Tue, 03 Jan 2023 23:45:21 GMT

Hi ,

I am finally be able update to version 8.1. Thank you for you help.

My next step is connected the Internet to PA 500 and connect the switch 3560.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS2CAK

I attached the file and my routing. I changed my Management Profile all to ping. I did the screenshot before I change

---------------------------------------------------------------------------------------------------------------------------

admin@PA-500> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf
, B:bgp,
Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-t
ype-2, E:ecmp, M:multicast

VIRTUAL ROUTER: VR1 (id 2)
==========
destination nexthop
metric flags age interface next-AS
total routes shown: 0

admin@PA-500>
admin@PA-500>
admin@PA-500>

admin@PA-500> ping source 74.6.143.25 host 8.8.8.8
bind: Cannot assign requested address
admin@PA-500> ping source host 8.8.8.8

Invalid syntax.
admin@PA-500> show rulebase security rule

Invalid syntax.
[edit]
admin@PA-500# exit
Exiting configuration mode
admin@PA-500> show interface all

total configured hardware interfaces: 7

aggregation groups: 0