Day 1 Configuration Tool: What Does It Do?

Cyber Elite

The Day 1 Configuration tool helps build a sturdy baseline configuration by providing templates that introduce best practice configuration as a foundation on which the rest of the configuration can be built.


When you access the Customer Support Portal (CSP) to register a new device, there is a new section at the end of the registration process that lets you run the Day 1 Configuration tool directly from there.


Access to the Day 1 Configuration tool after registering a new device


If you already registered a device earlier and now want to run Day 1 after reading this awesome blog, you can do so from the Tools menu option in the Customer Support Portal.


NOTE: Make sure the device has already been registered, as the tool requests a serial number so it can determine the type of device for which you are running the tool.


Accessing the Day 1 Configuration tool if registration was already completed


The tool interface itself is super easy.


Day 1 Configuration tool variables.png


  • Provide the appropriate PAN-OS version that will be installed on the device
  • Provide a Hostname
  • Set the management IP to Static or DHCP and provide appropriate parameters
  • Set up email alerts and log forwarding
  • Click Generate Config File


Once completed, the Day 1 Config XML file is downloaded


The XML config file is automatically downloaded after it is generated. 

Before you move on to the next phase, make sure:

  • the firewall's licences have all been activated
  • software updates and content packages have been installed

This is important because the Day 1 Config files contain a few awesome features that will only work if the firewall has the appropriate packages loaded with active licences.


Lastly, access the firewall's Device > Setup > Operations tab, use "Import named configuration snapshot" to find the Day 1 Configuration file you just downloaded, and then use "Load named configuration snapshot."




Review the new elements that were added, add your own configuration, and Commit.


Some of the elements introduced in the Day 1 Config tool you will want to review include:

  • Monitor > Custom Reports
  • Policies > Security
  • Policies > Decryption
  • Objects > Addresses
  • Objects > External Dynamic Lists
  • Objects > All of the Security Profiles and Security Profile Groups 
  • Objects > Log Forwarding
  • Device > Server Profiles > Syslog and SMTP
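
One way to do that review on the downloaded XML file before importing it, as an added example that is not part of the original post or of any Palo Alto Networks tooling. The element paths are assumptions about the PAN-OS configuration layout, and the embedded sample is constructed; it also lists the admin accounts and password-complexity settings the file carries.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the PAN-OS config layout assumed here;
# a real Day 1 file is far larger and may differ.
SAMPLE = """<config>
  <mgt-config>
    <users><entry name="admin"><phash>CONSTRUCTED-PLACEHOLDER</phash></entry></users>
    <password-complexity><enabled>yes</enabled><minimum-length>12</minimum-length></password-complexity>
  </mgt-config>
  <shared><log-settings><syslog><entry name="syslog-1"/></syslog></log-settings></shared>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system><hostname>lab-fw</hostname></system></deviceconfig>
    <vsys><entry name="vsys1">
      <rulebase><security><rules><entry name="rule-a"/><entry name="rule-b"/></rules></security></rulebase>
      <external-list><entry name="edl-1"/></external-list>
    </entry></vsys>
  </entry></devices>
</config>"""

# Review areas named in the post, mapped to element paths (assumed layout).
SECTIONS = {
    "Policies > Security": ".//rulebase/security/rules/entry",
    "Policies > Decryption": ".//rulebase/decryption/rules/entry",
    "Objects > Addresses": ".//address/entry",
    "Objects > External Dynamic Lists": ".//external-list/entry",
    "Objects > Log Forwarding": ".//log-settings/profiles/entry",
    "Server Profiles > Syslog": ".//log-settings/syslog/entry",
    "Server Profiles > SMTP": ".//log-settings/email/entry",
}

def summarize(xml_text):
    root = ET.fromstring(xml_text)
    complexity = root.find("./mgt-config/password-complexity")
    return {
        "hostname": root.findtext(".//deviceconfig/system/hostname"),
        # Admin accounts defined in the file.
        "admins": [e.get("name") for e in root.findall("./mgt-config/users/entry")],
        # Password-complexity settings carried by the file, if any.
        "password_complexity": {c.tag: (c.text or "").strip() for c in complexity}
                               if complexity is not None else {},
        "sections": {label: [e.get("name") for e in root.findall(path)]
                     for label, path in SECTIONS.items()},
    }

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, value in summarize(text).items():
        print(key, "->", value)
```

Run it with the path to the downloaded file as the only argument; with no argument it summarizes the constructed sample.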



Feel free to post any questions or remarks below.


Reaper out


Additional Resources

Knowledge Base Article: Day 1 Configuration: What Does It Do?


If you do like reading extensive how-to documentation, check these out:

The Best Practices Library

The IronSkillet Overview

L0 Member

I have upgraded the firewall to 10.0.1. But the tool has no option to select version 10. It doesn't go beyond 9.1. How can I run the day one configuration?



Community Team Member


We have the Iron Skillets that will work with PAN-OS 10 and which the Day 1 configs are based on. 

We will post more information here for the Iron Skillets, but we are also reaching out to the developers for Day 1 to see if we can get them updated for PAN-OS 10.

Community Team Member

Hi @jamala ,


Developers are working to get the 10.0 template into the customer support portal (and remove the 8.x options).

As @jdelio mentioned you can use the IronSkillets until then.


Cheers !



L1 Bithead

I have a PA220 box that I want to configure in my home lab. I don't have an SMTP server IP address or a logging server of my own. Is there any way to configure the Day 1 with dummy info?

L2 Linker

Could you please tell us what the Day 1 config admin password is? I had to reset way too many FWs to factory default, just because of an unknown admin password.

Thank you, Jan

L0 Member

When I click the final "Generate Config File" button, I get an error message that says "Request failed with status code 400". (I have experienced this with different browsers on different machines...)


How can I get past this?


Thanks for any suggestions...

L0 Member

@Jan_Linhart the minimum password complexity changes when you load the day 1 config. "As of release 9.0.4 the user is forced to change the admin password based on a minimum character length of 8 as part of a default password complexity profile. Once IronSkillet is loaded, this complexity profile is more complex overriding the default profile". If the old admin password does not meet the new minimum requirements then it will no longer work. 

L0 Member

I'm also having an issue where when I upload the config file and commit it overwrites my current password and I can no longer access the unit. Had to factory reset twice. 


What is the password for the admin in the day 1 config?
