article PANCast™ Episode 34: Firewall Initial Setup in PANCast™ Episodes

article PANCast™ Episode 34: Firewall Initial Setup in PANCast™ Episodes https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-34-firewall-initial-setup/ta-p/573018 <P><div class="video-embed-center video-embed"><iframe class="embedly-embed" src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FrOKQB5Zeyn4%3Ffeature%3Doembed&display_name=YouTube&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DrOKQB5Zeyn4&image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FrOKQB5Zeyn4%2Fhqdefault.jpg&type=text%2Fhtml&schema=youtube" width="600" height="337" scrolling="no" title="PANCast™ Episode 34: Firewall Initial Setup" frameborder="0" allow="autoplay; fullscreen; encrypted-media; picture-in-picture;" allowfullscreen="true"></iframe></div></P> <P> </P> <P><EM><STRONG>Episode Transcript:</STRONG></EM></P> <P> </P> <P><STRONG><I>John:</I> </STRONG></P> <DIV> <DIV><SPAN>Hello and welcome back PANCasters, Olivier is back with us today to discuss the initial steps when you get a new firewall. Hi Olivier and welcome back.</SPAN></DIV> </DIV> <P> </P> <P><STRONG><EM><FONT color="#FF6600"><I>Olivier:</I></FONT></EM></STRONG></P> <P>Hello John, thanks for having me back.<span class="lia-inline-image-display-wrapper lia-image-align-right" image-alt="Olivier Zheng, PCNSE, is a Staff Support Engineer at Palo Alto Networks. As SME Management/Logging Reporting in Technical Assistance Centre Singapore, he is supporting customers and participating in multiple knowledge sharing initiatives by writing content in the Knowledge Base, by delivering training to internal engineers. He is responsible for 1 issued patent. Olivier holds a Master of Science Mobile and High Speed telecom networks from Oxford Brookes University, UK and a Master of Science in Computer Science and Information Technology from ESI SUPINFO Paris, France." style="width: 275px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56593i10A8EA9B653AB587/image-dimensions/275x272?v=v2" width="275" height="272" role="button" title="PANCast_Olivier-Zheng_palo-alto-networks.png" alt="Olivier Zheng, PCNSE, is a Staff Support Engineer at Palo Alto Networks. As SME Management/Logging Reporting in Technical Assistance Centre Singapore, he is supporting customers and participating in multiple knowledge sharing initiatives by writing content in the Knowledge Base, by delivering training to internal engineers. He is responsible for 1 issued patent. Olivier holds a Master of Science Mobile and High Speed telecom networks from Oxford Brookes University, UK and a Master of Science in Computer Science and Information Technology from ESI SUPINFO Paris, France." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Olivier Zheng, PCNSE, is a Staff Support Engineer at Palo Alto Networks. As SME Management/Logging Reporting in Technical Assistance Centre Singapore, he is supporting customers and participating in multiple knowledge sharing initiatives by writing content in the Knowledge Base, by delivering training to internal engineers. He is responsible for 1 issued patent. Olivier holds a Master of Science Mobile and High Speed telecom networks from Oxford Brookes University, UK and a Master of Science in Computer Science and Information Technology from ESI SUPINFO Paris, France.</span></span><BR />So I received a new firewall and I wanted to share with the audience the 3 must-do things with setting up the new firewall.</P> <P> </P> <P><STRONG><I>John:</I> </STRONG></P> <DIV> <DIV><SPAN>Great Olivier, let’s get started.</SPAN></DIV> <DIV> </DIV> <DIV> <H2 id="toc-hId-1734228258"><STRONG><FONT color="#FF6600">Perform the Initial Configuration</FONT></STRONG></H2> </DIV> <DIV> </DIV> </DIV> <P><STRONG><EM><FONT color="#FF6600"><I>Olivier:</I></FONT></EM></STRONG></P> <DIV> <DIV><SPAN>So the first step is to perform the initial configuration : the purpose of that initial configuration is to set the most basic configuration of the firewall, something you can backup and use as a recovery point.</SPAN></DIV> <DIV><SPAN>At the first startup of the firewall, you will be requested to change the password of the default user account. What I like to do as well is to create a new default superuser account and delete the default “admin” account. Anyway, make sure you have at least one local superuser account.</SPAN></DIV> <BR /> <DIV><SPAN>Another thing to set up on the firewall is the basic network configuration : the IP configuration, the DNS servers and the time related settings - the device date and time and the NTP servers.</SPAN></DIV> <DIV><SPAN>Once the initial configuration is done, perform the first commit on the firewall.</SPAN></DIV> <DIV><SPAN>If you need to enable the multi vsys feature or jumbo frame support, enable those then commit and reboot the firewall.</SPAN></DIV> <DIV><SPAN>Also since PAN-OS 10.2, I think it can be interesting to move to the Advanced Routing Engine while the firewall is not fully configured yet, it will be simpler than to do it later. This activation also requires a commit and a reboot.</SPAN></DIV> <BR /> <DIV><SPAN>Finally, if you plan on managing the configuration using Strata Cloud Manager or the Panorama, enable the setting then commit.</SPAN></DIV> <DIV><SPAN>And for Panorama management, you will have to set the authkey for the initial authentication with Panorama, but no commit is required to set this key.</SPAN></DIV> <DIV> </DIV> </DIV> <P><STRONG><I>John:</I> </STRONG></P> <DIV> <DIV><SPAN>OK, so what’s next?</SPAN></DIV> <DIV> </DIV> <DIV> <H2 id="toc-hId-1734228258"><STRONG><FONT color="#FF6600">Register the Device and Get the Licenses</FONT></STRONG></H2> </DIV> <DIV> </DIV> </DIV> <P><STRONG><EM><FONT color="#FF6600"><I>Olivier:</I></FONT></EM></STRONG></P> <DIV> <DIV><SPAN>Now that the initial configuration is done, your firewall should be able to contact the Palo Alto Networks server. </SPAN></DIV> <DIV><SPAN>So the next step is to activate the firewall on the Customer Support Portal. You will have to register the firewall, make sure the information is accurate as it will be used the day you need to replace a hardware component.</SPAN></DIV> <DIV> </DIV> <DIV><SPAN>You will also have to register the license authkeys so the firewall is correctly associated with the right subscriptions. One thing to note is that as long as you did activate the licenses, you won’t be able to get the associated services : no support license, no TAC support, no Threat license, no threat update on your firewall, which I remind you is to keep you secure.</SPAN></DIV> <DIV><SPAN>Another thing you should do at that stage is to get the device certificate. This certificate automatically renewed every 3 months is required to have access to the cloud delivered security services : advanced threat prevention, IoT Security and so on...</SPAN></DIV> <DIV> </DIV> <DIV><SPAN>Finally, if you are using some cloud delivered security services like IoT Security, Cortex Data Lake, or AIOps free, you need to associate your devices on the TSG in the Hub Portal. </SPAN></DIV> <DIV><SPAN>Keep in mind that the CSP and the Hub Portal are separate applications. There is no synchronization between the CSP and the Hub Portal.</SPAN></DIV> <DIV> </DIV> </DIV> <P><STRONG><I>John:</I> </STRONG></P> <DIV> <DIV><SPAN>More good info. Thanks Olivier. What’s the third step.</SPAN></DIV> <DIV> </DIV> <DIV> <H2 id="toc-hId-1734228258"><STRONG><FONT color="#FF6600">Prepare the Software Stack</FONT></STRONG></H2> </DIV> <DIV> </DIV> </DIV> <P><STRONG><EM><FONT color="#FF6600"><I>Olivier:</I></FONT></EM></STRONG></P> <DIV> <DIV><SPAN>Last point I wanted to discuss is the software stack of the firewall. By software stack, I mean the PAN-OS version, the different content updates, the plugins running on the firewall. Nobody can foresee the software version shipped with the firewall, so you will eventually have to upgrade it.</SPAN></DIV> <DIV><SPAN>So now that the firewall has its initial configuration and that the licenses are activated, you can pull the licenses to the firewall.</SPAN></DIV> <DIV> </DIV> <DIV><SPAN>Take the opportunity the firewall is not in production to perform all the required upgrades, as you may have to reboot multiple times the firewall.</SPAN></DIV> <DIV><SPAN>One thing I noticed on recent versions of the PAN-OS is the DLP plugin automatically installed. If you are not using the Enterprise DLP, which requires a specific license, remove the plugin. I saw some cases opened simply because the DLP plugin version was not matching between HA pairs, and this plugin was not even used.</SPAN></DIV> <BR /> <DIV><SPAN>That’s all, once those 3 steps are done, you simply have to load the final configuration and connect the network cables when you are ready to put the firewall into production.</SPAN></DIV> <DIV> </DIV> </DIV> <P><STRONG><I>John:</I> </STRONG></P> <DIV> <DIV><SPAN>Thanks Olivier, what are the key takeaways from this episode?</SPAN></DIV> <DIV> </DIV> <DIV> <H2 id="toc-hId-1734228258"><STRONG><FONT color="#FF6600">Episode Key Takeaways</FONT></STRONG></H2> </DIV> <DIV> </DIV> </DIV> <P><STRONG><EM><FONT color="#FF6600"><I>Olivier:</I></FONT></EM></STRONG></P> <DIV><SPAN>I think we can summarize the episode in 3 points:</SPAN></DIV> <OL> <LI><SPAN>Set the initial configuration to perform the basic tasks</SPAN></LI> <LI><SPAN>Register the firewall on the Palo Alto Networks CSP and Hub Portal</SPAN></LI> <LI><SPAN>Install the required software for the firewall to be ready.</SPAN></LI> </OL> <P> </P> <P><STRONG><I>John:</I> </STRONG></P> <DIV> <DIV><SPAN>Thanks again Olivier.</SPAN></DIV> <DIV> </DIV> </DIV> <P><STRONG><EM><FONT color="#FF6600"><I>Olivier:</I></FONT></EM></STRONG></P> <P> </P> <P><STRONG><I>John:</I> </STRONG></P> <DIV> <DIV> <DIV><SPAN>That’s it for today PANCasters. Head to live.paloaltonetworks.com for the transcript and additional info. Until next time.</SPAN></DIV> <DIV> </DIV> <DIV> <P><STRONG>Related Content:</STRONG></P> <UL> <LI><A title="How to Activate Authorization Codes (Auth Codes)" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClNACA0" target="_blank" rel="noopener nofollow noreferrer">How to Activate Authorization Codes (Auth Codes)</A></LI> <LI><A title="Enable Advanced Routing" href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/advanced-routing/enable-advanced-routing" target="_blank" rel="noopener nofollow noreferrer">Enable Advanced Routing</A></LI> <LI><A title="Install a Device Certificate" href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/obtain-certificates/device-certificate" target="_blank" rel="noopener nofollow noreferrer">Install a Device Certificate</A></LI> <LI><A title="Enable Advanced Routing" href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/advanced-routing/enable-advanced-routing" target="_blank" rel="noopener nofollow noreferrer">Enable Advanced Routing</A></LI> <LI><A title="PANCast™ Episode 1: Four Things You Must Do When Upgrading Your Firewall" href="https://live.paloaltonetworks.com/t5/pancast/pancast-episode-1-four-things-you-must-do-when-upgrading-your/ta-p/515952" target="_blank" rel="noopener nofollow noreferrer">PANCast™ Episode 1: Four Things You Must Do When Upgrading Your Firewall</A></LI> </UL> <P><LI-PRODUCT title="NGFW" id="NGFW"></LI-PRODUCT> <LI-PRODUCT title="VM-Series" id="VM-Series"></LI-PRODUCT> </P> </DIV> </DIV> </DIV> Wed, 17 Jan 2024 19:31:21 GMT ozheng 2024-01-17T19:31:21Z PANCast™ Episode 34: Firewall Initial Setup https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-34-firewall-initial-setup/ta-p/573018 <P><SPAN>Received a new firewall to deploy? In this episode, we are discussing about 3 must-do things on the new firewall before putting it into production.</SPAN></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PANCast_Episode 34_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56594i0C5CDC0E5D568A7E/image-size/large?v=v2&px=999" role="button" title="PANCast_Episode 34_palo-alto-networks.jpg" alt="PANCast_Episode 34_palo-alto-networks.jpg" /></span></P> <P> </P> Wed, 17 Jan 2024 19:31:21 GMT https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-34-firewall-initial-setup/ta-p/573018 ozheng 2024-01-17T19:31:21Z Re: PANCast™ Episode 34: Firewall Initial Setup https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-34-firewall-initial-setup/tac-p/573414#M81 <P>Great guidance on starting our journey with a new firewall. </P> Wed, 17 Jan 2024 23:42:37 GMT https://live.paloaltonetworks.com/t5/pancast-episodes/pancast-episode-34-firewall-initial-setup/tac-p/573414#M81 jnathan 2024-01-17T23:42:37Z