Setting Up the PA-200 for Home and Small Office

by mivaldi on 10-13-2014 05:30 PM - edited on 08-27-2015 02:25 PM (94,967 Views)


This document provides a quick-start guide for a home or small office deployment. It assumes the following equipment:

  • Palo Alto Networks PA-200 device.
    Note: Other devices, such as the PA-500, can be configured the same way.
  • Modem that assigns a public IP by DHCP.
  • Wireless router, which typically has 4 or more LAN ports and 1 WAN port.
  • Three straight-through RJ-45 UTP cables.
    Note: CAT5e or CAT6 is recommended for Gigabit Ethernet (GigE) speeds.


Proposed Topology

[Diagram: proposed topology]


Access the WebGUI

  1. Connect a UTP cable from your computer to the Palo Alto Networks firewall's MGMT port.
  2. Configure your computer's Ethernet port with an IP address and netmask. A default gateway is not required.
  3. Open a web browser and go to the firewall's management address. The default credentials are username: admin, password: admin.


Create Security Zones

  1. Go to: Network > Zones and click Add.
  2. Create 3 zones:
    • Untrust-L3, Type Layer3
    • Trust-L3, Type Layer3
    • Trust-L2, Type Layer2

The example shows the resulting configuration:

[Screenshot: resulting zone configuration]


Connect the ISP Modem to the Firewall

Connect a UTP cable from the ISP modem to the Palo Alto Networks firewall, port ethernet1/1.

  1. Go to Network > Interfaces on the WebGUI and configure ethernet1/1.
  2. On the Config tab:
    • Configure the ethernet1/1 Interface Type as Layer3.
    • Set Virtual Router to default.
    • Set Security Zone to Untrust-L3.
  3. On the IPv4 tab:
    • If the ISP's modem hands out the configuration automatically, set the Type to DHCP Client.
      Note: When "Automatically create default route pointing to default gateway provided by server" is enabled, a default route is installed in the virtual router 'default'.
    • If the ISP's modem requires manual configuration of static entries, set the Type to Static and add the static IP address/netmask.
      [Screenshot: example static IP address/netmask]
      Next, go to Network > Virtual Routers > 'default' > Static Routes > IPv4 and add a static route pointing to the ISP's next hop.
      [Screenshot: example static default route]

Note: The IP addresses shown in the screenshots are examples only. Use IP addresses assigned by the ISP.


Connect the Wireless Router

General recommendations:

  • To avoid double SNAT, do not use the wireless router's WAN (or Internet) port; this effectively runs it in Wireless Access Point mode.
  • The DHCP Server option in the wireless router must be disabled. The new DHCP server will be configured on the firewall's 'vlan' interface.
  • Configure the wireless router's management IP address.
  • Connect Port 1 of the wireless router to the Palo Alto Networks firewall's ethernet1/2 port.


Create a VLAN Object

  1. Go to Network > VLANs and click Add.
  2. Enter a name and select 'v' for VLAN Interface.


Configure the Layer2 Ports and VLAN Object

  1. Go to Network > Interfaces > Ethernet.
  2. Edit the following settings for each of the ethernet1/2, ethernet1/3 and ethernet1/4 interfaces:
    • Interface Type: Layer2
    • Netflow Profile: None
    • VLAN: the VLAN object created above
    • Security Zone: Trust-L2


Configure the VLAN Interface

Go to Network > Interfaces > VLAN and edit the following settings:

Config tab

  • VLAN: the VLAN object created above
  • Virtual Router: default
  • Security Zone: Trust-L3

IPv4 tab

Click Add and enter the IP address for the VLAN interface.


Configure the DHCP Server

  1. Go to Network > DHCP > DHCP Server.
  2. Click Add.
  3. Edit the DHCP Server settings:
    • If the ISP's modem hands out the configuration automatically, the DHCP server can inherit the settings the DHCP client on ethernet1/1 received from the ISP. Configure an Inheritance Source and select which of the ISP-provided settings to pass along to the local network.
    • If the ISP's modem requires manually configuring static entries, specify the settings for the local network yourself.
      Note: Google's public DNS servers are used here as an example. However, we recommend using the DNS servers provided by the ISP.


Define a Security Profile Group

  1. Go to Objects > Security Profile Groups and click Add.
  2. Edit the Security Profile Group settings as desired.
    Note: The profiles used here are the ones that ship by default with the Palo Alto Networks firewall and were selected for demonstration purposes. We recommend reviewing whether the settings of each selected profile are appropriate for your setup.


Configure Outbound Internet Security Policy

  1. Go to Policies > Security and click Add.
  2. Enter a Name and Description.
  3. Add the source zone (Trust-L3).
  4. Add the destination zone (Untrust-L3).
  5. Specify the action as Allow and complete the Profile Setting with the Security Profile Group defined above.


Configure Outbound Internet NAT Policy

  1. Go to Policies > NAT and click Add.
  2. Enter a Name and check IPv4 for NAT Type.
  3. On Original Packet, specify the Source Zone, Destination Zone, and Destination Interface.
  4. On Translated Packet, set:
    • Translation Type: Dynamic IP And Port
    • Address Type: Interface Address
    • Interface: ethernet1/1


Configure the MGMT IP

Go to Device > Setup > Management and specify the following Management Interface Settings:

  • IP Address
  • Netmask
  • Default Gateway


Set DNS for MGMT

  1. Go to Device > Setup > Services.
  2. Enter the DNS server IPs, for example Google's public DNS servers.
    Note: This should already have been configured in order to install licenses on the device. If the licenses have not been installed yet, the firewall will not be able to reach the license server until these settings are in place.

Commit the Changes

Perform a commit to make the changes active as the running configuration on the firewall. The internet modem may need to be restarted in order for it to assign a DHCP address to the firewall.
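A pre-commit sanity check over the configuration described in this guide, as an added example that is not part of the original article and not a Palo Alto Networks tool. It models the relevant settings as a plain Python dict (constructed sample data, not exported from a firewall) and flags the mistakes that come up in the comments: ethernet1/1 not attached to the virtual router, two default routes, and a missing outbound NAT or security rule.

```python
# Added example, not from the original article: a pre-commit sanity check over a
# plain-dict model of the layout described above. It flags pitfalls raised in the
# comments: ethernet1/1 not attached to the virtual router (commit fails), two default
# routes (DHCP auto-route plus a manual one), and a missing outbound NAT or allow rule.
DEFAULT = "0.0.0.0/0"

def check_config(cfg, wan="ethernet1/1", trust="Trust-L3", untrust="Untrust-L3"):
    """Return a list of problem strings; an empty list means the config looks sane."""
    problems = []
    vr = cfg["virtual_router"]
    # 1. The WAN interface must belong to the virtual router.
    if wan not in vr["interfaces"]:
        problems.append(f"{wan} is not attached to the virtual router")
    # 2. Exactly one default route: manual static routes plus the route the DHCP
    #    client installs when "Automatically create default route ..." is enabled.
    defaults = [r for r in vr["static_routes"] if r["destination"] == DEFAULT]
    if cfg["interfaces"][wan].get("dhcp_create_default_route"):
        defaults.append({"destination": DEFAULT, "via": "dhcp-client"})
    if len(defaults) != 1:
        problems.append(f"{len(defaults)} default routes (expected exactly 1)")
    # 3. An allow rule out, and no allow rule back in: the implicit
    #    interzone-default rule already denies unsolicited inbound traffic.
    allows = {(r["from"], r["to"]) for r in cfg["security_rules"] if r["action"] == "allow"}
    if (trust, untrust) not in allows:
        problems.append(f"no allow rule {trust} -> {untrust}")
    if (untrust, trust) in allows:
        problems.append(f"inbound allow rule {untrust} -> {trust} exposes the LAN")
    # 4. Dynamic IP-and-port source NAT to the WAN interface address.
    if not any(r["from"] == trust and r["to"] == untrust
               and r["translate"] == ("dynamic-ip-and-port", wan) for r in cfg["nat_rules"]):
        problems.append(f"no dynamic-ip-and-port NAT rule {trust} -> {untrust} on {wan}")
    return problems

# Constructed sample: the article's setup with the "two default gateways" mistake
# from the comments (DHCP auto-route plus a manually added 0.0.0.0/0 static route).
SAMPLE = {
    "interfaces": {"ethernet1/1": {"dhcp_create_default_route": True}},
    "virtual_router": {"interfaces": ["ethernet1/1", "vlan"],
                       "static_routes": [{"destination": "0.0.0.0/0", "via": "203.0.113.1"}]},
    "security_rules": [{"from": "Trust-L3", "to": "Untrust-L3", "action": "allow"}],
    "nat_rules": [{"from": "Trust-L3", "to": "Untrust-L3",
                   "translate": ("dynamic-ip-and-port", "ethernet1/1")}],
}

if __name__ == "__main__":
    for problem in check_config(SAMPLE):
        print("WARNING:", problem)
```

Running it on the sample reports the duplicate default route; clearing the manual static route (or unchecking the auto-route option) makes it pass.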


owner: mivald

by eDub
on 06-25-2015 01:56 PM

Very helpful- thanks.

One note: ethernet1/1 has to be added to the virtual router interface or Commit will fail.

by mivaldi
on 07-23-2015 11:56 AM

Thanks for the input. Adding ethernet1/1 to the VR is covered under:

Connect the ISP Modem to the Firewall

Connect a UTP cable from the ISP modem to the Palo Alto Networks firewall, port ethernet1/1.

  1. Go to Network > Interfaces on the web UI and configure ethernet 1/1
  2. On the Config tab
    • Configure the ethernet1/1 Interface Type as Layer3
    • Set Virtual Router to 'default'
by Ram-Bista
on 07-24-2015 12:00 PM

Good day to you,

It is failing on commit even though I have the virtual router configured for ethernet 1/1.

Would you mind assisting me further?


by wfleitz
09-05-2015 06:52 PM - edited 09-05-2015 06:55 PM

This works perfectly for me. Quick question. I have a server at home which I would like to open up to https and ms-rdp. Can you show me how to configure the NAT for a single server? My old Linksys called this "port translation" and I had to specify the internal IP of the server and the ports. I only have one external IP with my ISP. Thanks for any help you can provide.

by mivaldi
on 09-23-2015 09:18 AM

@Ram-Bista, please call in to Support and we'll be able to assist you. Our number in the US is 866-898-9087.

by mivaldi
09-23-2015 09:21 AM - edited 09-23-2015 09:32 AM

@wfleitz, you need a Destination NAT policy. We have a video tutorial available for this at How to Configure Destination NAT on the PAN-OS UI.

If you're using a DHCP client IP that may change from time to time on the WAN interface, then you'll need a host to keep a Dynamic DNS entry updated. You will then define an FQDN Address Object to represent your public IP. For a Dynamic DNS provider, there are multiple paid services. For a free option, check out Afraid DNS.

by highspeed1972bmh
on 12-23-2015 05:34 PM

So is this DDNS step posted by mivaldi needed? I followed the exact steps above several times. I can get an IP address, but for some reason I keep getting two default gateways. Does anyone have any ideas?

I have Time Warner -> eth 1/1 on the PA, eth 1/2 of the PA into eth 1/1 of my ASUS wireless router running in AP mode (DHCP disabled).

Any help would be greatly appreciated. I did upgrade the code to 7.0.4 from 5; I had to go 6.0 -> 6.0.1 -> 7.0.4.

by mivaldi
on 01-14-2016 11:37 AM

The DDNS step I posted was in reply to wfleitz's question, where he wondered about Port Address Translation (making a server sitting on a private IP visible on the public IP, while the public IP is acquired dynamically from the ISP through DHCP).

In your case, it's possible that you have the checkbox for "Automatically create default route pointing to default gateway provided by server" checked, and that you *also* manually added a default route in the virtual router. This can result in the same default route being added twice. If you are already receiving the default gateway IP from your ISP through DHCP and you have the aforementioned checkbox checked, then you don't need to manually define the default route in the virtual router.


Naturally, an alternative is to leave the default route you added in the virtual router alone, and uncheck the checkbox for "Automatically create default route pointing to default gateway provided by server".


by TonyKiser
on 04-06-2016 06:56 AM

I have gone through this setup and the untrust side is getting an IP, all good, and my endpoints are getting DHCP IP addresses from the FW, but they are not getting to the internet. I'm seeing most traffic saying "aged-out". Any thoughts on what I may be missing?

by AlexanderSuppanz
on 04-08-2016 12:27 AM

Hi Tony,

did you create the Virtual Router with the right default route and make a NAT rule?


br Alex

by wildcat
01-07-2017 07:54 AM - edited 01-07-2017 07:55 AM

Nice write up, thanks.

What about the Inbound Security Policy? src: Internet, dst: Trust-L3, action: deny?

by Community Manager
on 01-09-2017 03:22 AM

Hi @wildcat

the implied policy (interzone-default) takes care of that connection:

If this policy is not visible, you'll want to upgrade to a newer PAN-OS.

by vvenkatara
on 03-30-2018 03:16 PM

This was a great article. Thank you for posting this @mivaldi

I still have one outstanding question. I'm unable to log in to the FW UI via the mgmt IP address. I don't think you specified this in your write-up. You did mention adding http, https etc., but I don't see where this profile got associated with one of the interfaces.

Additionally, if I were to do that, to which interface would I associate the management profile in order to access the UI of the FW?

Thanks in advance.

by Community Manager
on 04-03-2018 01:18 AM

hi @vvenkatara

you first need to set your computer to use an IP in the subnet (not .1), and then you will be able to connect to the mgmt interface through the web UI or through ssh (ssh -l admin).

At the end of the article it is explained how to change the management IP; this is not a profile that is associated with a different interface. I believe you are referring to an interface management profile, which is attached to a dataplane interface. This concept is not covered by this article.


please review this article:

by sfarber
on 05-31-2018 11:46 AM

Excellent article. Everything worked well for me, but I did change my 1/1 IP address to static (don't forget to add a default route in the virtual router!) as I wanted to enable a port map on my FiOS router to eventually activate GlobalProtect.
