This document provides a quick-start guide for a home or small office deployment.
Palo Alto Networks PA-200 device. Note: Other devices, such as the PA-500, can be configured the same way.
Modem that assigns a public IP by DHCP.
Wireless router, which typically has 4 or more LAN ports and 1 WAN port.
Three straight-through RJ-45 UTP cables. Note: CAT5e or CAT6 is recommended for Gigabit Ethernet (GigE) speeds.
Access the WebGUI
Connect a UTP cable from your computer to the Palo Alto Networks firewall's MGMT port.
Configure your computer's Ethernet port to have IP 192.168.1.2 and netmask 255.255.255.0. A default gateway is not required.
Open a web browser and go to https://192.168.1.1, the default credentials are: username: admin, password: admin
Create Security Zones
Go to: Network > Zones and click Add.
Create 3 zones:
Untrust-L3, Type Layer3
Trust-L3, Type Layer3
Trust-L2, Type Layer2
The example shows the resulting configuration:
Connect the ISP Modem to the Firewall
Connect a UTP cable from the ISP modem to the Palo Alto Networks firewall, port ethernet1/1.
Go to Network > Interfaces on the WebGUI and configure ethernet 1/1.
Configure the ethernet1/1 Interface Type as Layer3.
Set Virtual Router to default.
Set Security Zone to Untrust-L3.
If the ISP provides a modem from which the configuration can be obtained automatically, set the Type as DHCP Client. Note: When "Automatically create default route pointing to default gateway provided by server" is enabled, a default route is installed in the virtual router, 'default'.
If the ISP provides a modem that requires manual configuration of static entries, set the Type as Static. Then, add the static IP address/netmask. For example:
Next, go to Network > Virtual Routers > 'default' > Static Routes > IPv4 and add a static route pointing to the ISP's next hop. For example:
Note: The IP addresses shown in the screenshots are examples only. Use IP addresses assigned by the ISP.
Connect the Wireless Router
To avoid a double-SNAT, do not use the wireless router's WAN'or Internet port, thereby using it in a Wireless Access Point'mode.
The DHCP Server option in the wireless router must be disabled. The new DHCP Server will be configured in the firewall's 'vlan' interface.
Configure 192.168.1.253 as the wireless router management IP.
Connect Port 1 of the wireless router to the Palo Alto Networks firewall's ethernet 1/2 port.
Create a VLAN Object
Go to Network > VLANs and click Add.
Enter a name and select 'v' for VLAN Interface
Configure the Layer2 Ports and VLAN Object
Go to Network > Interfaces > Ethernet.
Edit the following settings for the ethernet1/2, ethernet1/3 and ethernet1/4 interfaces:
Interface Type: Layer2
Netflow Profile: None
VLAN: VLAN Object
Security Zone: Trust-L2
Configure the VLAN Interface
Go to Network > Interfaces > VLAN and edit the following settings:
VLAN: VLAN Object
Virtual Router: default
Security Zone: Trust-L3
Click Add and enter IP address 192.168.1.254/24:
Configure the DHCP Server
Go to Network > DHCP > DHCP Server.
Edit the DHCP Server settings, as shown:
If the ISP provides a modem where the configuration can be obtained automatically, then the DHCP Server can inherit the configuration that was originally received by the DHCP Client from the ISP. We will then configure an Inheritance Source, with settings obtained from the ISP we want to pass along to the local network.
If the ISP provides a modem that requires manually configuring static entries, specify the settings for the local network. Note: Public Google DNS servers 18.104.22.168 and 22.214.171.124 are used here as an example. However, we recommend using the DNS servers provided by the ISP.
Define a Security Profile Group
Go to Objects > Security Profile Groups and click Add.
Edit the following Security Profile Group settings as desired:
Note: These Profiles are those that come by default with the Palo Alto Networks firewall and have been selected for demonstration purposes. We recommend you take your time to review if the settings for each of the presented selected profiles are appropriate to your setup.
Configure Outbound Internet Security Policy
Go to Policies > Security and click Add.
Enter a Name and Description:
Add the source zone:
Add the destination zone:
Specify the action as Allow and complete the Profile Setting:
Configure Outbound Internet NAT Policy
Go to Policies > NAT and click Add.
Enter a Name and check IPv4 for NAT Type:
On Original Packet, specify the Source Zone, Destination Zone, and Destination Interface:
On Translated Packet, set:
Translation Type: Dynamic IP And Port
Address Type: Interface Address
Configure the MGMT IP
Go to Device > Setup > Management and specify the following Management Interface Settings:
Set DNS for MGMT
Go to Device > Setup > Services.
Enter the DNS server IPs. For example: Google DNS IP's 126.96.36.199 and 188.8.131.52. Note: This should already have been configured to install licenses on the device. If the licenses have not been installed on the device, then the firewall will not be able to reach the license server with these settings.
Commit the Changes
Perform a commit to make the changes active as the running configuration on the firewall. The internet modem may need to be restarted in order for it to assign a DHCP address to the firewall.