Secure Day-One Configuration Not for the Faint of Heart



This content was developed, written, and contributed by @OtakarKlier, one of LIVEcommunity's Cyber Elite experts. 


This configuration is something I came up with that is in line with best practices and day-one settings. I felt it should be part of any new implementation for proper security; it combines best practices not only from the day-one configuration but also a start toward Zero Trust.


For manual configuration of the management interface via the CLI:

You must change the default password; set one and remember it. (The template will change it, so you will need to change it a second time after importing and applying the template.)


At the CLI:

configure
set deviceconfig system ip-address <IP address> netmask <subnet mask> default-gateway <gateway>
set deviceconfig system dns-setting servers primary <IP of internal DNS server; if there is no internal DNS server, use 208.67.220.220>
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <IP of NTP server or use us.pool.ntp.org>
commit


NTP and DNS are required for the device to obtain its licensing and updates.

Connect to the GUI and download all licenses as well as the dynamic updates.
Upgrade the code to version 10.0.6 (the version the template was built on).

Import the XML config (see attachment).
The template password is Paloaltorocks1! (please change it).
Load the snapshot (see attachments).
Attachment: PanOS1006Base.xml


The MGMT interface is configured for DHCP in the template.


Assign an IP address to ethernet1/1 and configure NAT.
Assign an IP address to the internal interface ethernet1/2.
Verify the default outbound route.


Set or disable the following template placeholder destinations if they are not used:

SIEM: 1.0.0.0
Email server profile: 1.0.0.1
NetFlow: 10.0.0.2


Put the MGMT interface into the Management zone and make sure it has the proper IP address, subnet mask and gateway, along with DNS and NTP.


Additional information can be found in the Data Center Security Policy Best Practices Checklist.


The commands below restrict the SSH ciphers, MAC, host key and rekey interval on the management interface, which mitigates the weak-cipher findings a vulnerability scan typically reports against the default settings:


configure
delete deviceconfig system ssh

set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm

set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 3072
set deviceconfig system ssh session-rekey mgmt interval 3600

set deviceconfig system ssh mac mgmt hmac-sha2-256
commit
exit
set ssh service-restart mgmt
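As an added check (example code written for this article, not part of the original post or of the PAN-OS product), the following Python parses the `set deviceconfig system ssh` lines above and reports the settings a cipher scan would flag, comparing the hardened block against a constructed "before" configuration. The weak-algorithm patterns and the thresholds are assumptions chosen to match the values used on this page.

```python
# Weak-algorithm markers a vulnerability scanner typically flags (assumption).
WEAK_CIPHER_PATTERNS = ("cbc", "3des", "arcfour", "blowfish")
WEAK_MAC_PATTERNS = ("md5", "sha1", "-96")

def parse_ssh_set_commands(cli_text):
    """Collect 'set deviceconfig system ssh ... mgmt ...' lines into a settings dict."""
    s = {"ciphers": set(), "macs": set(), "key_type": None,
         "key_length": 0, "rekey_interval": None}
    for line in cli_text.splitlines():
        parts = line.split()
        if parts[:4] != ["set", "deviceconfig", "system", "ssh"]:
            continue  # configure / delete / commit lines are not SSH settings
        rest = parts[4:]
        if rest[:2] == ["ciphers", "mgmt"]:
            s["ciphers"].add(rest[2])
        elif rest[:2] == ["mac", "mgmt"]:
            s["macs"].add(rest[2])
        elif rest[:2] == ["regenerate-hostkeys", "mgmt"]:
            opts = dict(zip(rest[2::2], rest[3::2]))  # key-type RSA key-length 3072
            s["key_type"] = opts.get("key-type")
            s["key_length"] = int(opts.get("key-length", 0))
        elif rest[:3] == ["session-rekey", "mgmt", "interval"]:
            s["rekey_interval"] = int(rest[3])
    return s

def audit_mgmt_ssh(settings, min_rsa_bits=3072, max_rekey_seconds=3600):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    for c in sorted(settings["ciphers"]):
        if any(p in c for p in WEAK_CIPHER_PATTERNS):
            findings.append(f"weak cipher enabled: {c}")
    for m in sorted(settings["macs"]):
        if any(p in m for p in WEAK_MAC_PATTERNS):
            findings.append(f"weak MAC enabled: {m}")
    if settings["key_type"] == "RSA" and settings["key_length"] < min_rsa_bits:
        findings.append(f"RSA host key shorter than {min_rsa_bits} bits")
    rekey = settings["rekey_interval"]
    if rekey is None or rekey > max_rekey_seconds:
        findings.append("session rekey missing or longer than one hour")
    return findings

# The hardened block from this article, as entered at the CLI.
HARDENED = """set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm
set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 3072
set deviceconfig system ssh session-rekey mgmt interval 3600
set deviceconfig system ssh mac mgmt hmac-sha2-256"""
# Constructed "before" block with settings a cipher scan would flag (no rekey set).
WEAK = """set deviceconfig system ssh ciphers mgmt aes128-cbc
set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 2048
set deviceconfig system ssh mac mgmt hmac-sha1"""
```

Running `audit_mgmt_ssh(parse_ssh_set_commands(WEAK))` lists four findings, while the hardened block returns none.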


Thanks for reading—and a big thanks to Cyber Elite expert @OtakarKlier for sharing his expertise.

