topic Re: How to install & upgrade Firewall new on client side in General Topics

How to install & upgrade Firewall new on client side

NavidAlam — Thu, 09 May 2019 15:34:51 GMT

We had ordered the firewall and it's been delivered to client Now we want to configure and upgrade without distrubtring the current network what is the best way to do this or we had to bring it our side to configure and send back?

Any document or client had to plug in separate network with the internet?

Re: How to install & upgrade Firewall new on client side

jdelio — Thu, 09 May 2019 16:18:17 GMT

You have a couple of options if you want to do this.

You should be able to hook a laptop up to the Management port, and gain access to the device and configure it without it "being on the network".

Also, You can perform some updates to it while "offline".. please refer to this article:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFhCAK

Or there are some other discussions around here talking about the same thing. here is one I found:

https://live.paloaltonetworks.com/t5/General-Topics/Any-step-to-install-all-kit-when-new-PA-box-is-offline/m-p/48764#M35911

Hope this helps.

Re: How to install & upgrade Firewall new on client side

reaper — Thu, 09 May 2019 16:41:53 GMT

You can start off by connecting the management interface to the customer's laptop or managemeny network and prepping it for deployment
The default config is a vwire setup between ethernet1/1 and 1/2 wit 1/1 being the external (ISP) interface
The default security policy allows all outgoing traffic and blocks all inbound connections

This config allows you to simply connect the firewall between the current firewall and the LAN, or directly behind the ISP router without much interruption

Theres a couple of articles you may want to have the customer go through to get the firewal hooked up so you can manage it remotely https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS2CAK

Re: How to install & upgrade Firewall new on client side

jeremy.larsen — Thu, 09 May 2019 19:07:14 GMT

1. Do you have Panorama?

2. Is this running in an HA pair?

3. Is there any kind of VPN tunnel giving you access to their network?

Re: How to install & upgrade Firewall new on client side

OtakarKlier — Thu, 09 May 2019 19:35:14 GMT

Hello,

If you are interested, I have a template I created of a base config. Does stuff like set management to dhcp, setup dynamic updates and a few security policies.

Let mek ow if you are interested.

Re: How to install & upgrade Firewall new on client side

NavidAlam — Fri, 10 May 2019 08:16:20 GMT

1. Do you have Panorama?

No Panorama

2. Is this running in an HA pair?

PA-220 so no HA Pair

3. Is there any kind of VPN tunnel giving you access to their network?

Yes VPN tunnel will be created to give support to the client .

Re: How to install & upgrade Firewall new on client side

NavidAlam — Fri, 10 May 2019 08:16:53 GMT

Sure. That would be great help. Can you email me the template ?

Re: How to install & upgrade Firewall new on client side

OtakarKlier — Fri, 10 May 2019 14:37:23 GMT

Hello,

I built it on a lab pa-200 I have on code 8.0.17 so it'll need at least 8.0.x before you can really apply it. Here are the rough steps and my email is oklier @ andraste . net . Its a work in progress so I appreciate any feedback. I left it as generic as possible so there is still specific config that needs to happen.

For manual config of MGMT interface via cli:

configure
set deviceconfig system ip-address <IP address> netmask <subnet mask> default-gateway <gateway>
set deviceconfig system dns-setting servers primary <IP of internal DNS server if no internal DNS server use 208.67.220.220 >
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <IP of NTP server or use us.pool.ntp.org>
commit

Time and DNS are required for the PAN to obtain its licening and updates!

MGMT interface is configured for DHCP in the template

assign IP to eth 1/1 and NAT
assing IP to internal eth 1/2
Verify default outbound route

Update dynamic updates
Code must be 8.0.0 or higher to take advantage of the template.

Disable the following if not used:

SIEM=1.0.0.0
email server profile 1.0.0.1
Netflow 10.0.0.2

Put the MGMT interface into the Management zone and make sure it has the proper IP/SM/GW along with DNS and NTP.

Other:

https://docs.paloaltonetworks.com/best-practices/8-0/data-center-best-practices/data-center-best-practices-checklist.html

configure
delete deviceconfig system ssh

set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm

set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 3072
set deviceconfig system ssh session-rekey mgmt interval 3600

set deviceconfig system ssh mac mgmt hmac-sha2-256
commit
exit
set ssh service-restart mgmt

Re: How to install & upgrade Firewall new on client side

OtakarKlier — Fri, 10 May 2019 20:18:52 GMT

Hello,

I forgot that you can create your own with IronSkillet:

https://live.paloaltonetworks.com/t5/Community-Blog/Getting-Started-with-IronSkillet-Best-Practices-Templates/ba-p/233175

I would just say that the Team Cymru bogons dont work quite right. I think its a paid subscription?

Anyway good luck!