The purpose of this document is to guide the user through all the steps required to configure a Palo Alto Networks unit for POC testing. There are three installation scenarios to choose from: TAP, Vwire, or Layer 3.
The configuration is designed to produce maximum logging, using real traffic that is either mirrored to the unit or passes through it from your production network. The recommended TAP installation will in turn produce the most comprehensive Security Lifecycle Review (SLR) reports possible, with maximum visibility.
NOTE: If your evaluation unit came directly from a partner/reseller, distributor, or Palo Alto Networks, some of these configurations might already be pre-configured. Typically, units shipped from partners are already licensed and registered to the partner who sent them. Below are links to information that will help you decide on the best evaluation for you.
TAP - Tap Mode Deployments
Vwire - Virtual Wire Deployments
Layer 3 - Layer 3 Interfaces
The End User Agreement must be accepted to create a user account.
You will receive an email that contains a link to activate your user account. Click on the activation link and log in to the Customer Support Portal (https://support.paloaltonetworks.com). Set up the two security questions, and you will be taken to the Account Home tab.
If you are evaluating our physical appliance, use step 3.1.
The device is now registered, and you should see a confirmation on this page.
Connect a serial cable to the CONSOLE port on the firewall, using 9600-8-N-1 in a console emulator such as PuTTY (set PuTTY to Serial). This will likely require a USB-to-serial adapter to convert the 9-pin serial connector to USB, as the firewall ships with a 9-pin-to-RJ45 console cable. Determine an open IP address on the network that the firewall management interface can use, and ensure this IP has https access to the Internet and is reachable from your desktop.
On newer hardware models (PA-220, PA-820, or PA-850), you may use the built-in micro-USB port to console in. Download and install the Microchip driver for Windows (not required for Windows 10). Additional information on the micro-USB console port can be found here.
NOTE: As an alternative to using the console port, you can plug a laptop into the MGT port, put a 192.168.1.x IP on the laptop's Ethernet NIC, and browse to https://192.168.1.1 to log in and change the IP in the GUI. Once this change is committed, you will lose your connection to the firewall (assuming you assigned the new IP outside of that network). Then simply revert the laptop to your previous IP and log in to the newly set IP.
Log in using the defaults:
From the console, execute the following commands:
> configure                                                        (brings you into EDIT mode)
# set deviceconfig system ip-address x.x.x.x netmask x.x.x.x
# set deviceconfig system default-gateway x.x.x.x
# set deviceconfig system dns-setting servers primary x.x.x.x
# commit
# exit                                                             (brings you out of EDIT mode)
You should see the commit process run and return to a prompt. If you get any syntax errors that keep you from setting the DNS server, configure only the IP address, netmask, and default gateway for now. DNS can be configured later inside the web interface.
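The following is an added helper, not part of this guide or of Palo Alto Networks' own tooling, that validates the values you are about to type into the console and generates the command sequence above from them. It catches the two things that most often turn a console session into a wasted reboot: a default gateway that is not inside the management subnet, and (for the laptop-on-MGT alternative) a new address that will drop your browser session on commit. It assumes the factory management address is 192.168.1.1/24, as the alternative approach in this guide implies; the sample addresses below are constructed.

```python
import ipaddress

# Assumption: out-of-box MGT interface lives in 192.168.1.0/24 (the guide has
# you browse to https://192.168.1.1 from a 192.168.1.x laptop).
DEFAULT_MGT_NETWORK = ipaddress.ip_network("192.168.1.0/24")


def validate_mgmt_settings(ip, netmask, gateway, dns_primary):
    """Return a list of problems with the proposed MGT settings; empty means OK."""
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    except ValueError as exc:
        # Nothing else can be checked without a usable ip/netmask pair.
        return [f"invalid ip/netmask: {exc}"]

    # A host address is required; network/broadcast addresses are not assignable
    # (except on /31 and /32, where every address is a host address).
    if iface.network.prefixlen < 31 and iface.ip in (
        iface.network.network_address,
        iface.network.broadcast_address,
    ):
        problems.append("management IP must be a host address, not network/broadcast")

    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        problems.append(f"invalid default gateway: {exc}")
    else:
        if gw not in iface.network:
            problems.append(f"default gateway {gw} is not inside {iface.network}")
        elif gw == iface.ip:
            problems.append("default gateway equals the management IP")

    try:
        ipaddress.ip_address(dns_primary)
    except ValueError as exc:
        problems.append(f"invalid DNS server: {exc}")
    return problems


def build_commands(ip, netmask, gateway, dns_primary):
    """Produce the PAN-OS CLI sequence from validated inputs.

    DNS is set in its own command: combining it with default-gateway in a
    single 'set' line is a syntax error on the firewall.
    """
    problems = validate_mgmt_settings(ip, netmask, gateway, dns_primary)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "configure",
        f"set deviceconfig system ip-address {ip} netmask {netmask}",
        f"set deviceconfig system default-gateway {gateway}",
        f"set deviceconfig system dns-setting servers primary {dns_primary}",
        "commit",
        "exit",
    ]


def browser_session_survives(new_ip, new_netmask, laptop_ip):
    """True if a laptop on the MGT port can still reach the firewall after commit.

    The GUI session survives only if the laptop's address is inside the
    firewall's *new* management subnet.
    """
    new_net = ipaddress.ip_interface(f"{new_ip}/{new_netmask}").network
    return ipaddress.ip_address(laptop_ip) in new_net


if __name__ == "__main__":
    # Constructed sample values for a lab subnet.
    proposed = ("10.1.1.50", "255.255.255.0", "10.1.1.1", "10.1.1.10")
    print("\n".join(build_commands(*proposed)))
    if not browser_session_survives(proposed[0], proposed[1], "192.168.1.20"):
        print("NOTE: laptop at 192.168.1.20 will lose the GUI session on commit;"
              " move it into the new subnet and reconnect.")
```

Run it with your own values substituted for the constructed ones; when it raises, the message names exactly which value to correct before you commit on the console.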
Ensure that the evaluation unit is on the inside of the network (behind any existing firewall, IPS, web proxy, etc.) and is receiving mirrored or spanned traffic from the core switch. By default, the TAP interface on the evaluation unit is ethernet1/3. Also ensure that the management interface is connected, has external (https) access, and is reachable internally.
Use the web interface to perform the initial setup by browsing (https://x.x.x.x) to the IP you assigned.
NOTE: We will create this as an "Any to Any" rule. Whatever you configure will be reflected accurately in the logs, so if you choose to write additional rules that block traffic, those blocks will show in the logs.
NOTE: These will be users or groups pulled from your Active Directory Domain. Users and groups of users will only appear after User-ID has been configured.
Commit to push your policy to the data plane; it takes effect only after the commit completes.
After a minute or so, you should be able to see traffic logs start to appear under Monitor > Logs > Traffic.
For this install, the unit sits inside the production network, so the deployment must be planned around changes that can affect production traffic. This guide assumes the unit is within the production network but is not replacing the existing firewall. With a Layer 3 installation, you would also be able to test a GlobalProtect VPN setup.
Below is an example of this network diagram:
Palo Alto Networks Firewall configuration
From here on, we will use the web interface to perform the configuration. To reach it, browse to the IP that was set up for the management interface (https://x.x.x.x).
The resulting page should look like this:
The Device tab configuration is the same as in TAP mode.
When looking at the user interface for the firewall, we have seven tabs across the top. We will now select the Network tab.
Now that we are in the Network tab, we are going to create our security zones by selecting Zones on the left.
At the bottom left of the page, there is an Add button with a green plus symbol. Click on Add to create the Untrust zone.
Our next step is to configure the Ethernet interfaces and assign them to the new security zones. Click on Interfaces on the left, which is above Zones. The page should look like this:
Click to open ethernet1/1 and configure the following: