This content was developed, written, and contributed by @OtakarKlier, one of LIVEcommunity's Cyber Elite experts.
This configuration is something I came up with that is in line with best practices and day-one settings. I felt it should be part of any new implementation for proper security; it combines best practices from not only the day-one config, but also a start to Zero Trust.
For manual configuration of the management interface via the CLI:
You must change the default password: set one and remember it! (The template will change it again, so you will need to change it a second time after importing and applying the template.)
At the CLI:
configure
set deviceconfig system ip-address <IP address> netmask <subnet mask> default-gateway <gateway>
set deviceconfig system dns-setting servers primary <IP of internal DNS server; if there is no internal DNS server, use 188.8.131.52>
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <IP of NTP server, or use us.pool.ntp.org>
commit
NTP and DNS are required for the device to retrieve its licenses and updates; verify both resolve and sync before going further.
Connect to the GUI, then retrieve all licenses and download the Dynamic Updates.
Upgrade PAN-OS to version 10.0.6 (the version the template was built on).
Import the XML config (see attachment).
The template password is Paloaltorocks1! (please change it).
Load the snapshot (see attachments).
The MGMT interface is configured for DHCP in the template.
Assign an IP address to ethernet1/1 (the external interface) and configure NAT.
Assign an IP address to the internal interface, ethernet1/2.
Verify the default outbound route.
Set or disable the following if not used:
email server profile 184.108.40.206
Put the MGMT interface into the Management zone and make sure it has the proper IP address, subnet mask and gateway, along with DNS and NTP.
Additional information can be found via the Data Center Security Policy Best Practices Checklist.
The commands below mitigate vulnerability-scan findings for weak SSH ciphers and MACs on the management interface. The first lines run in configuration mode; the final service restart is an operational-mode command, issued after exit:
configure
delete deviceconfig system ssh
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm
set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 3072
set deviceconfig system ssh session-rekey mgmt interval 3600
set deviceconfig system ssh mac mgmt hmac-sha2-256
commit
exit
set ssh service-restart mgmt
Two things to expect: the restart drops any SSH session currently open to the management interface, so run it from the console or be ready to reconnect; and because the host key was regenerated, SSH clients will warn about a changed host key on the next connection. Update the entry in known_hosts rather than disabling host-key checking.
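As an added example (not part of the original post or the template), the following Python script checks what the management interface actually offers after the restart: it reads the server's SSH_MSG_KEXINIT (RFC 4253 section 7.1), which is sent in the clear before any key exchange, and flags every cipher or MAC outside the allow-list the commands above configure. It assumes PAN-OS advertises its aes256-gcm setting as aes256-gcm@openssh.com on the wire; the two sample KEXINIT payloads embedded in it are constructed for illustration, and the host name passed on the command line is yours.

```python
#!/usr/bin/env python3
"""Audit the ciphers and MACs an SSH server offers (added example, not PAN-OS code)."""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Assumed policy: exactly the algorithms the hardening commands leave enabled.
ALLOWED = {
    "cipher": {"aes256-ctr", "aes256-gcm@openssh.com"},
    "mac": {"hmac-sha2-256"},
}

# Order of the ten name-lists inside KEXINIT, after the 16-byte cookie.
FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_namelist(buf, off):
    """Decode one SSH name-list: uint32 length followed by comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n


def parse_kexinit(payload):
    """Return a dict of the ten name-lists carried in a KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id + cookie
    out = {}
    for field in FIELDS:
        out[field], off = _read_namelist(payload, off)
    return out


def build_kexinit(**lists):
    """Encode a KEXINIT payload; used here only to construct sample input."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def audit_kexinit(kexinit, allowed=ALLOWED):
    """Return {field: [disallowed algorithms]} for the offered ciphers and MACs."""
    findings = {}
    for kind in ("cipher", "mac"):
        for direction in ("c2s", "s2c"):
            field = f"{kind}_{direction}"
            bad = [a for a in kexinit[field] if a not in allowed[kind]]
            if bad:
                findings[field] = bad
    return findings


def fetch_kexinit(host, port=22, timeout=5.0):
    """Read the server's KEXINIT from a live SSH server (pre-encryption stage)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:  # skip banner lines until the protocol version string
            line = f.readline()
            if not line:
                raise ConnectionError("server closed before version exchange")
            if line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-cipher_audit\r\n")
        # Binary packet: uint32 packet_length, byte padding_length, payload, padding.
        (packet_len,) = struct.unpack(">I", f.read(4))
        pad_len = f.read(1)[0]
        payload = f.read(packet_len - pad_len - 1)
        f.read(pad_len)
        return parse_kexinit(payload)


# Constructed samples: a stock server with legacy algorithms, and the hardened one.
SAMPLE_DEFAULT = build_kexinit(
    kex=["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"], hostkey=["ssh-rsa"],
    cipher_c2s=["aes128-cbc", "3des-cbc", "aes256-ctr"],
    cipher_s2c=["aes128-cbc", "3des-cbc", "aes256-ctr"],
    mac_c2s=["hmac-md5", "hmac-sha1", "hmac-sha2-256"],
    mac_s2c=["hmac-md5", "hmac-sha1", "hmac-sha2-256"],
    comp_c2s=["none"], comp_s2c=["none"])
SAMPLE_HARDENED = build_kexinit(
    kex=["ecdh-sha2-nistp256"], hostkey=["rsa-sha2-256"],
    cipher_c2s=["aes256-ctr", "aes256-gcm@openssh.com"],
    cipher_s2c=["aes256-ctr", "aes256-gcm@openssh.com"],
    mac_c2s=["hmac-sha2-256"], mac_s2c=["hmac-sha2-256"],
    comp_c2s=["none"], comp_s2c=["none"])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        findings = audit_kexinit(fetch_kexinit(sys.argv[1]))
    else:
        findings = audit_kexinit(parse_kexinit(SAMPLE_DEFAULT))
    for field, algs in findings.items():
        print(f"{field}: {', '.join(algs)}")
    sys.exit(1 if findings else 0)
```

Run it as `python3 ssh_audit.py <management IP>` after the service restart; a non-zero exit means something outside the allow-list is still offered. Without an argument it audits the constructed stock-server sample so you can see the output shape. Only ciphers and MACs are judged, because those are what the commands above change; the parsed kex and hostkey lists are returned as well, so a scanner finding about key exchange or host-key algorithms can be checked by extending ALLOWED.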
Thanks for reading—and a big thanks to Cyber Elite expert @OtakarKlier for sharing his expertise.