on 09-30-2021 04:47 AM - edited on 10-15-2021 04:04 PM by jforsythe
This content was developed, written, and contributed by @OtakarKlier, one of LIVEcommunity's Cyber Elite experts.
This configuration is something I came up with that is in line with best practices and day-one settings. I felt it should be part of any new implementation for proper security; it combines best practices from not only the day-one config, but also a start to Zero Trust.
For manual configuration of the management interface via the CLI:
You must change the default password, you must set one and remember it! (The template will change it, so you'll need to change it a second time after importing and applying the template.)
At the CLI:
configure
set deviceconfig system ip-address <IP address> netmask <subnet mask> default-gateway <gateway>
set deviceconfig system dns-setting servers primary <IP of internal DNS server; if there is no internal DNS server, use 208.67.220.220>
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <IP of NTP server, or use us.pool.ntp.org>
commit
NTP and DNS are required for the device to obtain its licensing and updates.
Connect to the GUI and download all licenses as well as Dynamic updates.
Upgrade the PAN-OS code to version 10.0.6 (the version the template was built on).
Import the XML config (see attachment).
Template password is Paloaltorocks1! (please change it)
Load the snapshot (see attachments)
PanOS1006Base.xml
The MGMT interface is configured for DHCP in the template.
Assign an IP to eth 1/1 and configure NAT.
Assign an IP to the internal eth 1/2.
Verify the default outbound route.
Reconfigure or disable the following profiles if they are not used (the template ships them with placeholder addresses):
SIEM: 1.0.0.0
Email server profile: 1.0.0.1
NetFlow: 10.0.0.2
Put the MGMT interface into the Management zone and make sure it has the proper IP, subnet mask and gateway along with DNS and NTP.
Additional information can be found via the Data Center Security Policy Best Practices Checklist.
The part below mitigates some scan findings for weak SSH ciphers on the management interface (restrict ciphers and MACs, regenerate a 3072-bit RSA host key, and rekey sessions hourly):
configure
delete deviceconfig system ssh
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm
set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 3072
set deviceconfig system ssh session-rekey mgmt interval 3600
set deviceconfig system ssh mac mgmt hmac-sha2-256
commit
exit
set ssh service-restart mgmt
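Two of the steps above are easy to miss on a follow-up commit: a template placeholder address (1.0.0.0, 1.0.0.1, 10.0.0.2) left in a log-forwarding profile, or a weak cipher creeping back into the management SSH list. The script below is an added example, not part of the original post or the attached template; it audits an exported PAN-OS XML config for both conditions. The XML layout for the SSH stanza is assumed to mirror the `set deviceconfig system ssh ...` CLI paths (check it against your own export), the log-settings layout and the sample config are constructed for the example, and the host-key regeneration is an action rather than stored config, so it cannot be checked this way and must be verified on the device.

```python
"""Audit an exported PAN-OS XML config for leftover template placeholder
addresses and for the management SSH hardening applied in the post.

Added example, not the post's or Palo Alto Networks' own code. The element
paths below are assumptions modelled on the CLI 'set' paths; verify them
against a real export before relying on the result."""
import xml.etree.ElementTree as ET

# Placeholder addresses the template ships with (values from the post). Any of
# them still present means the profile was neither reconfigured nor disabled.
TEMPLATE_PLACEHOLDERS = {
    "1.0.0.0": "SIEM (syslog) server profile",
    "1.0.0.1": "email server profile",
    "10.0.0.2": "NetFlow server profile",
}

# The management SSH settings the post's hardening block leaves in place.
ALLOWED_CIPHERS = {"aes256-ctr", "aes256-gcm"}
ALLOWED_MACS = {"hmac-sha2-256"}
MAX_REKEY_SECONDS = 3600

# Constructed sample export (assumed layout): the syslog profile has been
# repointed to a real collector, but the email profile still carries the
# template placeholder, and a CBC cipher has been re-added to the mgmt SSH list.
SAMPLE_CONFIG = """<config>
  <shared><log-settings>
    <syslog><entry name="SIEM"><server><entry name="collector">
      <server>192.0.2.10</server></entry></server></entry></syslog>
    <email><entry name="alerts"><server><entry name="relay">
      <gateway>1.0.0.1</gateway></entry></server></entry></email>
  </log-settings></shared>
  <devices><entry name="localhost.localdomain"><deviceconfig><system><ssh>
    <ciphers><mgmt><aes256-ctr/><aes256-gcm/><aes128-cbc/></mgmt></ciphers>
    <mac><mgmt><hmac-sha2-256/></mgmt></mac>
    <session-rekey><mgmt><interval>3600</interval></mgmt></session-rekey>
  </ssh></system></deviceconfig></entry></devices>
</config>"""


def _walk(elem, path=""):
    """Yield (readable path, element) for every element; 'entry' nodes show their name."""
    here = f"{path}/{elem.tag}"
    if elem.get("name"):
        here += f"[{elem.get('name')}]"
    yield here, elem
    for child in elem:
        yield from _walk(child, here)


def find_placeholders(xml_text):
    """Return (path, address, description) for each template placeholder still in use."""
    root = ET.fromstring(xml_text)
    hits = []
    for path, elem in _walk(root):
        value = (elem.text or "").strip()
        if value in TEMPLATE_PLACEHOLDERS:
            hits.append((path, value, TEMPLATE_PLACEHOLDERS[value]))
    return hits


def audit_mgmt_ssh(xml_text):
    """Compare the mgmt SSH cipher, MAC and rekey settings with the hardened set.

    Returns a list of human-readable findings; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    ssh = root.find(".//deviceconfig/system/ssh")
    if ssh is None:
        return ["no deviceconfig/system/ssh stanza: default cipher set in effect"]
    findings = []
    ciphers = {c.tag for c in ssh.findall("ciphers/mgmt/*")}
    macs = {m.tag for m in ssh.findall("mac/mgmt/*")}
    for extra in sorted(ciphers - ALLOWED_CIPHERS):
        findings.append(f"unexpected cipher enabled: {extra}")
    for missing in sorted(ALLOWED_CIPHERS - ciphers):
        findings.append(f"expected cipher not enabled: {missing}")
    for extra in sorted(macs - ALLOWED_MACS):
        findings.append(f"unexpected MAC enabled: {extra}")
    for missing in sorted(ALLOWED_MACS - macs):
        findings.append(f"expected MAC not enabled: {missing}")
    interval = ssh.findtext("session-rekey/mgmt/interval")
    if interval is None:
        findings.append("no session rekey interval set")
    elif int(interval) > MAX_REKEY_SECONDS:
        findings.append(f"rekey interval {interval}s exceeds {MAX_REKEY_SECONDS}s")
    return findings


if __name__ == "__main__":
    for path, addr, what in find_placeholders(SAMPLE_CONFIG):
        print(f"placeholder {addr} ({what}) still set at {path}")
    for finding in audit_mgmt_ssh(SAMPLE_CONFIG):
        print(f"ssh: {finding}")
```

Run it against a real export by reading the file into `find_placeholders` and `audit_mgmt_ssh` instead of `SAMPLE_CONFIG`. Placeholder detection walks every element rather than assuming where the log-forwarding profiles live, so it still works if the profile layout differs from the constructed sample; only the SSH check depends on the assumed element paths.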
Thanks for reading—and a big thanks to Cyber Elite expert @OtakarKlier for sharing his expertise.