Day 1 configuration for PAN OS 11.0.2

Nishtha · ‎09-08-2023

I am looking to generate Day 1 configuration file for the device running PAN OS software version 11.0.2 using the Day 1 configuration tool on the support portal. However, the tool supports versions only up to 10.2.0. Can someone please help me generate appropriate Day 1 config files for my registered devices? Also, what is the credibility of these configuration files? Can I load them on my device in order to bring it to an initial state?

Alin.Scarlat · ‎09-10-2023

Hello @Nishtha,

Indeed it appears that Palo Alto Support team did not update the Day 1 Configuration Template to include version 11.0. It may take a while until they do that.

Regarding its credibility, Day 1 configuration provides configuration that is about 50-60% on BPA when it comes to a minimum but secure configuration start. These settings are (but not limited to):

Password Complexity settings
Session settings
Syslog and Email server (added in all global Log Settings categories)
Zone protection profiles
Custom URL Categories
Security profiles (AV, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, Wildfire Analysis)
Security Profile Groups
Decryption Profile

You have to keep in mind that Day 1 Configs are based on IronSkillet full configuration files. More information about IronSkillet can be found here and also a more comprehensive documentation can be found here.

One thing that you can also do is to have a blank Palo Alto device (freshly installed) and generate the Day 1 config for it for latest version as of today (10.2.0). Import it locally then load it to snapshot. Before completely committing all the changes do a "Preview Changes" to see exactly what is changing/adding. This will give a big insight into what Day 1 Configuration Template actually does.

I hope this helps.

Don't forget to Like if you find this post helpful

View solution in original post

Alin.Scarlat · ‎09-10-2023

Hello @Nishtha,

Indeed it appears that Palo Alto Support team did not update the Day 1 Configuration Template to include version 11.0. It may take a while until they do that.

Regarding its credibility, Day 1 configuration provides configuration that is about 50-60% on BPA when it comes to a minimum but secure configuration start. These settings are (but not limited to):

Password Complexity settings
Session settings
Syslog and Email server (added in all global Log Settings categories)
Zone protection profiles
Custom URL Categories
Security profiles (AV, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, Wildfire Analysis)
Security Profile Groups
Decryption Profile

You have to keep in mind that Day 1 Configs are based on IronSkillet full configuration files. More information about IronSkillet can be found here and also a more comprehensive documentation can be found here.

One thing that you can also do is to have a blank Palo Alto device (freshly installed) and generate the Day 1 config for it for latest version as of today (10.2.0). Import it locally then load it to snapshot. Before completely committing all the changes do a "Preview Changes" to see exactly what is changing/adding. This will give a big insight into what Day 1 Configuration Template actually does.

I hope this helps.

Don't forget to Like if you find this post helpful

Day 1 configuration for PAN OS 11.0.2

Day 1 configuration for PAN OS 11.0.2

Show your appreciation!