Day 1 Configuration Tool: What Does It Do?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Cyber Elite
Cyber Elite

day1configuration_LIVEcommunity.jpg

 

The Day 1 Configuration tool helps build a sturdy baseline configuration by providing templates that introduce best practice configuration as a foundation on which the rest of the configuration can be built.

 

When you access the Customer Support Portal (CSP) to register a new device, there is a new section at the end of the registration process that lets you run the Day 1 Configuration tool directly from there. 

 

Access to the Day 1 Configuration tool after registering a new deviceAccess to the Day 1 Configuration tool after registering a new device

 

If you already registered a device earlier and now want to run Day 1 after reading this awesome blog, you can do so from the Tools menu option in the Customer Support Portal.

 

NOTE: Make sure the device has already been registered, as the tool requests a serial number so it can determine the type of device for which you are running the tool.

 

Run Day1 ConfigurationRun Day1 Configuration

 

The tool interface itself is super easy.

 

day1 config.png

 

  • Provide the appropriate PAN-OS version that will be installed on the device
  • Provide a Hostname
  • Set the management IP to Static or DHCP and provide appropriate parameters
  • Set up email alerts and log forwarding
  • Click Generate Config File

 

Once completed, the Day 1 Config XML file is downloadedOnce completed, the Day 1 Config XML file is downloaded

 

The XML config file is automatically downloaded after it is generated. 

 

Before you move on to the next phase, make sure:

  • the firewall's licences have all been activated
  • software updates and content packages have been installed

This is important because the Day 1 Config files contain a few awesome features that will only work if the firewall has the appropriate packages loaded with active licences.

 

Lastly, access the firewall's Device > Setup > Operations tab, and "Import named configuration snapshot" to find the Day 1 Configuiration file you just downloaded and then "Load named configuration snapshot."

 

import.png

 

Review the new elements that were added, add your own configuration, and Commit.

 

Some of the elements introduced in the Day 1 Config tool you will want to review include:

 

  • Monitor > Custom Reports
  • Policies > Security
  • Policies > Decryption
  • Objects > Addresses
  • Objects > External Dynamic Lists
  • Objects > All of the Security Profiles and Security Profile Groups 
  • Objects > Log Forwarding
  • Device > Server Profiles > Syslog and SMTP

 

 

Feel free to post any questions or remarks below.

 

— Reaper out

 

Additional Resources

Knowledge Base Article: Day 1 Configuration: What Does It Do?

 

If you do like reading extensive how-to documentation, check these out:

The Best Practices Library

The IronSkillet Overview

 

20 Comments
L0 Member

I have upgraded the firewall to 10.0.1. But the tool has no option to select version 10. It doesn't go beyond 9.1. How can I run the day one configuration.

 

Thanks

L7 Applicator

@jamala 

We have the Iron Skillets that will work with PAN-OS 10 and which the Day 1 configs are based on. 

We will post more information here for the Iron Skillets, but we are also reaching out to the developers for Day 1 to see if we can get them updated for PAN-OS 10.

Community Team Member

Hi @jamala ,

 

Developers are working to get the 10.0 template into the customer support portal (and remove the 8.x options).

As @jdelio mentioned you can use the IronSkillets until then.

 

https://live.paloaltonetworks.com/t5/community-skillets/ironskillet-day-one-configuration/ta-p/30775...

https://iron-skillet.readthedocs.io/en/docs_master/viz_guide_panos.html

 

Cheers !

-Kiwi.

 

L1 Bithead

I have PA220 box, want to configure in my home lab, I don't have SMTP server IP address and logging server of my own, is there any way to configure the Day 1 with dummy info?

L2 Linker

Could you please tell us, what is Day 1 config admin password? I had to reset way to many FWs to factory default, just because of unknown admin password.

Thank you, Jan

L0 Member

When I click the final "Generate Config File" button, I get an error message that says "Request failed with status code 400". (I have experienced this with different browsers on different machines...)

 

How can I get past this?

 

Thanks for any suggestions...

L0 Member

@Jan_Linhart the minimum password complexity changes when you load the day 1 config. "As of release 9.0.4 the user is forced to change the admin password based on a minimum character length of 8 as part of a default password complexity profile. Once IronSkillet is loaded, this complexity profile is more complex overriding the default profile". If the old admin password does not meet the new minimum requirements then it will no longer work. 

L0 Member

I'm also having an issue where when I upload the config file and commit it overwrites my current password and I can no longer access the unit. Had to factory reset twice. 

 

what is the password for the admin in the day 1 config? 

L0 Member

I am running the register and Day 1 config on a Palo 5450 device. I have enter PAN OS version 10.1 and all other details

required. It successfully generated the XML file and downloaded. I loaded the names config file and appears to be succesfull. However when I COMMIT i encounter and error that the default profile for LOG-PROFILE is already in use. I located the issue in the default Interzone/Intrazone policy actions for Log Forwarding and changed it from default to none. This resolved the issue.

L1 Bithead

Unfortunately I couldn't apply this to Panos 10.1.4. Once it is loaded into the firewall config, upon committing, it complains about validataion error:

log-settings -> profiles -> default 'default' is already in use

log-settings -> profiles is invalid

 

However, there is no 'default' profile anywhere under Log Settings, or even security profiles.

Community Team Member

Hi @JamesRen ,

 

I believe the previous comment from @gogginl is the resolution for you.

 

Hope it helps,

-Kiwi.

L1 Bithead

Hi Kiwi,

Thanks for getting back. Unfortunately it did not help and the problem persists. Please see screenshots below.

 

JamesRen_0-1644228900255.png

 

JamesRen_1-1644228909501.png

 

JamesRen_2-1644228917603.png

 

Community Team Member

Hi @JamesRen ,

 

OK, I was able to replicate the issue in my lab and I did the following to be able to run the commit:

 

  • I opened the XML file.
  • I went to the section : 
    <log-settings>
                <profiles>​
  • I noticed that there were 2 profiles called 'default'.
    <entry name="default">​
  • I renamed the 2nd profile to 'default-1' and saved the XML file
    <entry name="default-1">​
  • I uploaded the new XML file
  • commit went without problem.

 

I hope this helps.

Cheers !

-Kiwi.

 

L0 Member

Comparing this config to the 10.0 Day 1 config, it appears there are some extra lines.  Delete the lines that require a new profile so it looks like this and all of them are part of the same "default" profile.

                <entry name="Auth_Log_Forwarding">
                  <log-type>auth</log-type>
                  <filter>All Logs</filter>
                  <send-to-panorama>no</send-to-panorama>
                  <send-syslog>
                    <member>Sample_Syslog_Profile</member>
                  </send-syslog>
                </entry>
                <entry name="Email_Malicious_Verdicts">
                  <send-email>
                    <member>Sample_Email_Profile</member>
                  </send-email>
                  <action-desc>Email Malicious Wildfire Verdicts</action-desc>
                  <log-type>wildfire</log-type>
                  <filter>(verdict neq benign)</filter>
                  <send-to-panorama>no</send-to-panorama>
L3 Networker

Hi Team,

I have generated Day 1 Configuration choosing 10.1 as the PAN OS.

And my firewall is with PANOS version 10.1.5-h2 . Will it cause any issue.

L0 Member

Hi Team,

 

can its run day 1 configuration be used on offline switch?

cause my switch will be disconnect over internet and possible to se in configuration in paloalto support

L0 Member

Is it mandatory to do this running configuration Day 1?

Cyber Elite
Cyber Elite

no it is not

it's simply a 'good start' configuration file you can create and upload to your brand new device, but you're not required to

L0 Member

am currently using the VM version of Panorama and awaiting the server team to build the hypervisor that will host the OVA. I have not yet downloaded the OVA and would like to know if, upon installing Panorama, I will have the opportunity to configure it without running the Day 1 configuration. Additionally, is it safe to proceed in this manner?

Lastly, my network is air-gapped and will not require DNS and SNMP servers. Is there a way to bypass these configurations and continue if I decide to run the Day 1 configuration?

Cyber Elite
Cyber Elite

@S.Gyamfi yes ofcourse. Day1 is simply a 'garnished' basic configuration that has several profiles prepopulated for you to get started quickly. 

By default Panorama spins up with a vanilla config so you can choose if you want to put a day1 config over it, or continue from vanilla and build everything yourself

 

you can simply delete the things you don't need, either from the XML, or from the GUI after you import and load the day1 config

  • 39012 Views
  • 20 comments
  • 3 Likes
Register or Sign-in
About the Author
I drink and I know things
Labels
Top Liked Authors