Welcome to the world of Palo Alto Networks firewalls!
If this is your first time setting up a Palo Alto Networks firewall, or if you just need a refresher on how to set up a new firewall, you have come to the right place. We do our best to explain what needs to happen during the initial configuration of your firewall as if it is right out of the box.
So, you have a new firewall; what do you do next?
When you get a new firewall or after performing a factory reset, the firewall will be in a blank state with factory settings. We will walk you through the basics of configuring your firewall.
YouTube Video: Getting Started
Below is a video that also walks you through the steps.
NOTE: A couple of the screens are older, so it is recommended that you watch the video for an overview, but please use the directions below for all the details if you are unable to find the same windows.
Getting Started with Palo Alto Networks Firewalls Step-by-Step Instructions
In this installment we will be taking a look at:
How to connect to the firewall for the first time.
How to download licenses so you can download new software and content.
How to prepare your first security policy.
NOTE: I will be using PA-220 hardware for this example. You may have a different web interface and hardware options, depending on what Palo Alto Networks hardware you are using.
Before We Start...
Before we start, you need to change the factory set management IP address, which will make it much easier to continue configuring your new device in later steps.
Step 1 – Initial Setup
When you want to set up the device initially, you have two methods available to connect to the new device:
Use a network cable via the Management port.
Use a rollover console cable (e.g., USB to RJ45 or RJ45 to DB9 console cable) via the Console port.
Management Port
When using the management port, your workstation must be reconfigured so its network interface has an IP address in the 192.168.1.0/24 IP range, as the default IP of the management port will be 192.168.1.1.
If you are using this method, please skip to Step 1.2.
Console Port
When using the console port, as stated above, you will need a console cable. This can be either the older RJ45 to DB9 and then DB9 to USB cables, or a newer USB to RJ45 cable from Amazon, eBay, Monoprice, or anywhere else you prefer.
Connect the console cable to your computer and then to the console port on the firewall, and set the terminal emulator to the following: 9600 baud, 8 data bits, 1 stop bit, parity none, VT100.
If you use PuTTY, it should come with the appropriate configuration by default if the connection type is set to Serial. After preparing the cables and the workstation, plug the unit into an electrical outlet and watch the firewall boot up.
NOTE: The only way that you can see the boot sequence is when you use a console cable.
Here is a sample boot sequence:
Welcome to PanOS
Starting udev: [ OK ]
Setting clock (utc): Wed Oct 14 11:10:53 PDT 2019 [ OK ]
Setting hostname 200: [ OK ]
Checking filesystems:
Running filesystem check on sysroot0: [ OK ]
Running filesystem check on pancfg: [ OK ]
Running filesystem check on panrepo: [ OK ]
[ OK ]
Remounting root filesystem in read-write mode: [ OK ]
Enabling /etc/fstab swaps: [ OK ]
INIT: Entering runlevel: 3
Entering non-interactive startup
Starting Networking: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
After the device has booted up (after a couple minutes), a login prompt is displayed in the console connection indicating that SSH or SSL connections can be made to 192.168.1.1.
Next, we'll highlight the console and SSH in Step 1.1. If you would like to skip to the web interface part, please jump to Step 1.2.
Step 1.1 – Console and SSH Connection
The default username and password are 'admin / admin', so we'll go ahead and log in to reveal the CLI. From here, we'll start setting up the proper IP address and subnet for the device along with the default gateway and DNS settings, so the unit can collect updates later.
login as: admin
Using keyboard-interactive authentication.
Last login: Wed Oct 14 11:57:16 2019 from 192.168.1.168
Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.
Entering configuration mode
At this point, you can change the management IP address from 192.168.1.1 to whatever you want with the 'set deviceconfig' command.
NOTE: You can use the "?" and "tab" to autocomplete while in the CLI.
admin@PA-220# set deviceconfig system ip-address 10.0.0.10 netmask 255.255.255.0 default-gateway 10.0.0.1 dns-setting servers primary 188.8.131.52
<Use the commit command to apply the new settings to the system.>
Configuration committed successfully
After the commit completes, you'll lose SSH and SSL access to the device, as the IP address was changed and the management service restarted to adopt these changes. Now you need to reconnect to the new IP address, which is covered in Step 1.3.
Step 1.2 – Web Interface Initial Setup
When making your first connection to the web interface, your browser may display an error message. This is because the certificate used by the web interface is a self-signed certificate your browser does not trust. You can safely ignore the error message at this time, which then takes you to the login screen.
Please log in, using the default username and password 'admin / admin.'
Navigate to the Device > Setup > Interfaces tab, where you can change the Management Interface Settings:
Click on the Management interface and change the IP address, Netmask (if needed) and Default Gateway.
Next, select the Services tab, click the gear, and configure the Primary and Secondary DNS server, then hit OK.
Apply changes to the device by clicking the Commit link at the top right.
NOTE: After the commit completes, the browser will eventually time out as the IP address has changed, so you'll need to manually change the address in the address bar and reconnect to the new IP.
Step 1.3 – Finishing Up The First Step
The firewall is now configured with a proper IP address to work in your LAN network, so go ahead and connect the cables:
Connect Interface 1 to the router.
Connect Interface 2 to the switch.
Connect the Management (mgmt) interface to the switch.
You should be able to connect to the management IP from the network and connect to the internet.
Step 2 – Preparing The Licenses and Updating the System
To be allowed to download content and application updates or software upgrades, the system needs to be licensed.
Various licenses control the different functions of the system:
Support license entitles the system to PAN-OS Software and App-ID updates.
Threat Prevention license adds virus, threats, and malware signatures.
URL license enables URL categories for use in security policies.
Navigate to the Device tab and select Licenses from the left pane:
If the device has been registered using the methods in the article above and auth codes have already been added, select "Retrieve License keys" from the license server.
If the device was registered but no licenses added yet, select the Activate feature using an authorization code to activate a license. The authorization code should have been sent to you by your Palo Alto Networks sales contact.
Now you're ready to start updating the content on this device, so navigate to Device > Dynamic Updates.
Step 2.1 – Updating Content
The first time this page opens, there will be no visible packages for download. The system will first need to fetch a list of available updates before it can display any that are available. To do this, select Check Now.
When the system retrieves a list of available updates, the Applications and Threats package becomes available. You may notice the antivirus package is missing. It will only appear after downloading and installing the Applications and Threats Package.
After the package is downloaded, install it on the system by clicking Install.
When the Applications and Threats package has been installed, run another Check Now to retrieve the antivirus package list.
Next, download and install the antivirus package just like you did with the Applications and Threats package.
Step 2.2 – Setting a Schedule
With these tasks completed, this is a good time to set a schedule for every package to be automatically downloaded and installed at a time that's convenient for you. Content updates can be installed during production, and they do not interrupt existing sessions, so it's safe to apply updates during the day. However, most organizations perform updates during the night or off hours to minimize risk.
Set a schedule by clicking the timeframe next to the schedule.
After setting the appropriate schedules, please commit the change by clicking the Commit button.
Step 2.3 – Upgrading the System
After the commit completes, go ahead and upgrade the system to a more recent version of PAN-OS in case the unit has an older OS.
Navigate to Device > Software. The first time you access this tab, a popup displays no update information available because the system has no previous contact with the update server and doesn't know which updates are available. You can close that popup and then select Check Now.
The system comes preloaded with a default security profile in each category.
For now, you'll start the configuration with these default profiles, except for URL Filtering. Navigate to the Objects tab, select Security Profiles > URL Filtering, and add a new URL Filtering profile.
In this first custom URL Filtering profile, start by setting all actions to alert rather than allow, as the allow action doesn't create a URL filtering log entry. Set actions to alert so you can gain some insight into the kind of web browsing happening on the network.
All other default profiles should already provide sufficient coverage for network security and for offensive sessions to become visible in the appropriate logs. Next up, you'll prepare the group of unwanted applications.
Step 4 – Applications
After downloading update packages, the firewall contains a lot of applications you can use to create security policies. These applications also come loaded with useful metadata, which you can use to create groups of applications based on their behavior. Such a group is called an application filter.
Rather than having to manually add applications to a group and keep the list current, the application filter automatically adds new applications that match a certain behavior to the application filter, enabling the security policy to take appropriate action.
Create an application filter with undesirable behavior for the first policy. Go to the Objects tab, then select Application Filters.
As an example, you'll create an application filter called "peer-to-peer," where you add all applications that match subcategory file-sharing and technology peer-to-peer.
Now you're ready to set up your first security policy and look at the logs, but, first, let's take a quick detour to look at the network configuration.
Step 5 – Network Configuration
If you navigate to the Network tab and look at Interfaces, you see that interfaces 1 and 2 are both set up as Virtual Wires (also called vwires) and are both added to the default-vwire.
A vwire has some interesting advantages over other types of interface configurations; it is considered a bump-in-the-wire, which requires no IP address on the interface and no routing configuration. It can simply be plugged in between your router and switch to start passing traffic. We'll cover other interface types in upcoming articles, but, for now, let's stick with the vwire configuration.
Step 6 – Security Policy and Logging
Now that you've prepared your device, let's look at the security policies and set up an initial configuration that allows good traffic to go out and bad traffic to be blocked.
The initial security policy simply allows all outbound traffic without inspection. There are two default rules that allow intrazone and block interzone traffic. We'll zoom in on these last two in an upcoming session as they are not currently relevant to the vwire.
Start by editing 'rule1' and make it the "bad applications" block rule:
Leave the source and destination as they are.
Under Application > Application Filter, select peer-to-peer. It helps to type the name of the application or group you want to add. No need to scroll through all the applications.
Under Actions, set the action to Deny as you don't like peer-to-peer, and click OK.
Next, you'll create a security policy to allow everything else out. We recommend you add applications to the 'allow' rule later. For now, let's block only the applications we know we don't like and allow the rest, so you can gain visibility into what kind of traffic is passing onto the internet and decide if you want to block more applications down the line.
Under Source, select trust as the source zone associated with Interface 2, which is connected to the LAN switch.
Under Destination, select untrust as the zone associated with Interface 1 and connected to the internet router. Leave the applications as Any for now.
Under Actions, you'll add security profiles to enable scanning of outgoing connections for malicious content or to apply URL Filtering to browsing sessions.
Make sure the 'internet-access' policy is positioned below the 'bad-applications-block' policy, as the security policy is processed top to bottom for every new connection, and the first positive match applies. If the 'bad-applications-block' policy is located below the 'internet-access' rule, peer-to-peer applications will be allowed.
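The rule ordering described above, together with the application filter from Step 4, as an added example that is not from the original post or from PAN-OS itself: a small Python model of top-to-bottom, first-match evaluation. The application metadata, the trust-to-untrust zones on the block rule, and the shadowed() check are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed metadata (not the real App-ID database): name -> (subcategory, technology)
APPS = {
    "bittorrent": ("file-sharing", "peer-to-peer"),
    "emule": ("file-sharing", "peer-to-peer"),
    "dropbox": ("file-sharing", "client-server"),
    "web-browsing": ("internet-utility", "browser-based"),
}

def peer_to_peer():
    """The page's filter, resolved at evaluation time so new apps are included."""
    return {n for n, (sub, tech) in APPS.items()
            if sub == "file-sharing" and tech == "peer-to-peer"}

def all_apps():
    """Stands in for leaving the rule's applications set to Any."""
    return set(APPS)

@dataclass
class Rule:
    name: str
    src: str      # source zone
    dst: str      # destination zone
    apps: object  # callable returning the set of matching application names
    action: str

def evaluate(rulebase, src, dst, app):
    """Top to bottom, first match wins. No match -> deny, standing in for the
    default interzone block rule (simplifying assumption)."""
    for r in rulebase:
        if (r.src, r.dst) == (src, dst) and app in r.apps():
            return r.name, r.action
    return "default", "deny"

def shadowed(rulebase):
    """Rules that can never match: an earlier rule with the same zones already
    covers every application they list."""
    return [r.name for i, r in enumerate(rulebase)
            if any((e.src, e.dst) == (r.src, r.dst) and r.apps() <= e.apps()
                   for e in rulebase[:i])]

# Assumption: both rules use trust -> untrust; the page states this only for 'internet-access'.
BLOCK = Rule("bad-applications-block", "trust", "untrust", peer_to_peer, "deny")
ALLOW = Rule("internet-access", "trust", "untrust", all_apps, "allow")
CORRECT = [BLOCK, ALLOW]   # order the page recommends
REVERSED = [ALLOW, BLOCK]  # the misordering the page warns about
```

Running shadowed() over a rulebase before committing flags a block rule that has ended up below a broader allow rule, which is the condition the paragraph above describes.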
Now go ahead and commit these changes and navigate to the Monitor tab. When the commit operation completes, the logs start filling up with interesting traffic, URL, and threat information, if any infections are detected.
Special thanks to @reaper (Tom Piens) for creating the original video.