Secure Day-One Configuration Not for the Faint of Heart

This content was developed, written, and contributed by @OtakarKlier, one of LIVEcommunity's Cyber Elite experts. 


This configuration is something I came up with that is in line with best practices and day-one settings, and which I felt should be part of any new implementation for proper security. It combines best practices not only from the day-one config, but also a start toward Zero Trust.


For manual configuration of the management interface via the CLI:

You must change the default password: set one and remember it! (The template will change it again, so you will need to change it a second time after importing and applying the template.)


At the CLI (enter configuration mode with configure first, and commit when done):

set deviceconfig system ip-address <IP address> netmask <subnet mask> default-gateway <gateway>
set deviceconfig system dns-setting servers primary <IP of internal DNS server if no internal DNS server use >
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <IP of NTP server or use>


NTP and DNS are required for the device to reach the licensing and update servers; correct time also matters for certificate validation and for log timestamps, so verify both before moving on.
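The most common way a day-one management configuration goes wrong is a gateway that is not on the management subnet or a management address that is the network or broadcast address, which leaves the box unreachable after commit. The script below is an added example (not part of the original article or of PAN-OS) that validates those parameters with Python's ipaddress module and only then renders the configure-mode command sequence shown above. The address values are constructed for illustration.

```python
import ipaddress

# Constructed sample parameters for a day-one management interface (not real values).
SAMPLE_MGMT = {
    "ip": "10.0.0.10",
    "netmask": "255.255.255.0",
    "gateway": "10.0.0.1",
    "dns": "10.0.0.53",
    "ntp": "10.0.0.123",
}


def validate_mgmt(params):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    try:
        net = ipaddress.IPv4Network(f"{params['ip']}/{params['netmask']}", strict=False)
        ip = ipaddress.IPv4Address(params["ip"])
        gw = ipaddress.IPv4Address(params["gateway"])
    except (ValueError, KeyError) as exc:
        return [f"bad ip/netmask/gateway: {exc}"]

    if net.prefixlen == 32:
        problems.append("netmask /32 leaves no room for a gateway")
    if ip in (net.network_address, net.broadcast_address):
        problems.append("management IP is the network or broadcast address")
    if gw not in net:
        problems.append("default gateway is not on the management subnet")
    elif gw == ip:
        problems.append("default gateway equals the management IP")
    for key in ("dns", "ntp"):
        try:
            ipaddress.IPv4Address(params[key])
        except (ValueError, KeyError):
            problems.append(f"{key} server is missing or not a valid IPv4 address")
    return problems


def render_cli(params):
    """Render the PAN-OS configure-mode commands from the article, in commit order.

    Raises ValueError instead of producing commands that would strand the device.
    """
    problems = validate_mgmt(params)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "configure",
        f"set deviceconfig system ip-address {params['ip']} "
        f"netmask {params['netmask']} default-gateway {params['gateway']}",
        f"set deviceconfig system dns-setting servers primary {params['dns']}",
        f"set deviceconfig system ntp-servers primary-ntp-server "
        f"ntp-server-address {params['ntp']}",
        "commit",
    ]


if __name__ == "__main__":
    print("\n".join(render_cli(SAMPLE_MGMT)))
```

Paste the rendered lines into the console session; the validation is the part worth keeping, since the CLI itself will happily accept a gateway it can never reach.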

Connect to the GUI, retrieve all licenses and download the Dynamic Updates.
Upgrade PAN-OS to version 10.0.6 (the version the template was built on).

Import the XML config (see attachment).
The template password is Paloaltorocks1! Change it immediately; it is published here, so treat it as a known credential.
Load the snapshot (see attachments).


The MGMT interface is configured for DHCP in the template, so if your management network does not hand out DHCP, re-apply the static IP, netmask and gateway from the CLI steps above after the template is loaded.


Assign an IP to the external interface ethernet1/1 and configure outbound NAT.
Assign an IP to the internal interface ethernet1/2.
Verify the default outbound route.


Configure the following, or disable it if it is not used:

email server profile


Put the MGMT interface into the Management zone and make sure it has the proper IP, subnet mask and gateway along with DNS and NTP.


Additional information can be found via the Data Center Security Policy Best Practices Checklist. 


The part below mitigates common vulnerability-scan findings for weak SSH ciphers and MACs on the management interface. The delete line clears any previous SSH settings; the set lines run in configuration mode and must be committed before the final service restart, which is an operational-mode command. The restart terminates existing SSH sessions, so run it from the console or be prepared to reconnect:


delete deviceconfig system ssh

set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm

set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 3072
set deviceconfig system ssh session-rekey mgmt interval 3600

set deviceconfig system ssh mac mgmt hmac-sha2-256
set ssh service-restart mgmt
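After the restart, the way to confirm the scan finding is closed is to look at what the server actually offers in its SSH_MSG_KEXINIT, not at the running config. The script below is an added example (not part of the original article and not PAN-OS code): it builds and parses KEXINIT payloads in the RFC 4253 wire format and checks the offered cipher and MAC name-lists against the policy the commands above express. Both sample payloads are constructed here; it assumes the PAN-OS keyword aes256-gcm maps to the OpenSSH wire name aes256-gcm@openssh.com. Host-key length is not visible in KEXINIT, so the RSA 3072 setting must be verified separately (for example from the server host key fingerprint line of an ssh -v connection).

```python
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of a KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = (
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)

# Policy mirroring the hardening commands: two ciphers, one MAC.
# Assumption: PAN-OS "aes256-gcm" is the OpenSSH GCM variant on the wire.
ALLOWED_CIPHERS = {"aes256-ctr", "aes256-gcm@openssh.com"}
ALLOWED_MACS = {"hmac-sha2-256"}


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(**lists):
    """Build a KEXINIT payload from keyword name-lists; omitted lists are empty."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # zero cookie; real ones are random
    for field in FIELDS:
        payload += _name_list(lists.get(field, ()))
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-list tuples, rejecting truncation."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id + cookie
    lists = {}
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError(f"truncated before name-list {field}")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError(f"truncated name-list {field}")
        off += n
        lists[field] = tuple(raw.decode("ascii").split(",")) if raw else ()
    return lists


def check_policy(lists):
    """Return findings for any offered cipher or MAC outside the allowed sets."""
    findings = []
    for field, allowed in (("enc_c2s", ALLOWED_CIPHERS), ("enc_s2c", ALLOWED_CIPHERS),
                           ("mac_c2s", ALLOWED_MACS), ("mac_s2c", ALLOWED_MACS)):
        if not lists[field]:
            findings.append(f"{field}: server offers no algorithms")
        for name in lists[field]:
            if name not in allowed:
                findings.append(f"{field}: {name} is not allowed by policy")
    return findings


# Constructed sample offers: a default-ish server before hardening, and the hardened one.
WEAK_CIPHERS = ("aes128-cbc", "3des-cbc", "aes256-ctr")
WEAK_MACS = ("hmac-sha1", "hmac-md5", "hmac-sha2-256")
WEAK_KEXINIT = build_kexinit(
    kex=("diffie-hellman-group14-sha1", "curve25519-sha256"),
    host_key=("ssh-rsa",),
    enc_c2s=WEAK_CIPHERS, enc_s2c=WEAK_CIPHERS,
    mac_c2s=WEAK_MACS, mac_s2c=WEAK_MACS,
    comp_c2s=("none",), comp_s2c=("none",),
)
HARD_CIPHERS = ("aes256-gcm@openssh.com", "aes256-ctr")
HARD_MACS = ("hmac-sha2-256",)
HARDENED_KEXINIT = build_kexinit(
    kex=("curve25519-sha256",),
    host_key=("rsa-sha2-256",),
    enc_c2s=HARD_CIPHERS, enc_s2c=HARD_CIPHERS,
    mac_c2s=HARD_MACS, mac_s2c=HARD_MACS,
    comp_c2s=("none",), comp_s2c=("none",),
)

if __name__ == "__main__":
    for label, payload in (("before", WEAK_KEXINIT), ("after", HARDENED_KEXINIT)):
        print(label, check_policy(parse_kexinit(payload)) or "policy satisfied")
```

To run this against a real firewall, capture the server's KEXINIT with a packet capture on port 22 and hand the unencrypted payload (after the binary-packet framing is stripped) to parse_kexinit; the scanner that raised the finding is doing exactly this comparison.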



Thanks for reading—and a big thanks to Cyber Elite expert @OtakarKlier for sharing his expertise.


Last Updated: 10-15-2021 04:04 PM