How to install & upgrade Firewall new on client side


We had ordered the firewall and it has been delivered to the client. Now we want to configure and upgrade it without disturbing the current network. What is the best way to do this, or do we have to bring it to our side to configure it and send it back?

Is there any document, or does the client have to plug it into a separate network with internet?



You have a couple of options if you want to do this. 

You should be able to hook a laptop up to the Management port, and gain access to the device and configure it without it "being on the network". 

Also, you can perform some updates to it while "offline". Please refer to this article:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFhCAK

 

Or there are some other discussions around here talking about the same thing. here is one I found:

https://live.paloaltonetworks.com/t5/General-Topics/Any-step-to-install-all-kit-when-new-PA-box-is-o...

 

Hope this helps.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

You can start off by connecting the management interface to the customer's laptop or management network and prepping it for deployment.
The default config is a vwire setup between ethernet1/1 and 1/2, with 1/1 being the external (ISP) interface.
The default security policy allows all outgoing traffic and blocks all inbound connections.

This config allows you to simply connect the firewall between the current firewall and the LAN, or directly behind the ISP router, without much interruption.

There are a couple of articles you may want to have the customer go through to get the firewall hooked up so you can manage it remotely: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS2CAK

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

1. Do you have Panorama?

2. Is this running in an HA pair?

3. Is there any kind of VPN tunnel giving you access to their network?


Hello,

If you are interested, I have a template I created of a base config. It does things like set management to DHCP, set up dynamic updates and a few security policies.

Let me know if you are interested.

1. Do you have Panorama?

No Panorama.

2. Is this running in an HA pair?

PA-220, so no HA pair.

3. Is there any kind of VPN tunnel giving you access to their network?

Yes, a VPN tunnel will be created to give support to the client.

Sure, that would be a great help. Can you email me the template?

Hello,

I built it on a lab PA-200 I have on code 8.0.17, so it'll need at least 8.0.x before you can really apply it. Here are the rough steps, and my email is oklier @ andraste . net. It's a work in progress, so I appreciate any feedback. I left it as generic as possible, so there is still specific config that needs to happen.

For manual config of the MGMT interface via CLI:

configure
set deviceconfig system ip-address <IP address> netmask <subnet mask> default-gateway <gateway>
set deviceconfig system dns-setting servers primary <IP of internal DNS server; if no internal DNS server, use 208.67.220.220>
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <IP of NTP server, or use us.pool.ntp.org>
commit

Time and DNS are required for the PAN to obtain its licensing and updates!

The MGMT interface is configured for DHCP in the template.

Assign an IP to eth 1/1 and NAT
Assign an IP to internal eth 1/2
Verify the default outbound route

Update dynamic updates
Code must be 8.0.0 or higher to take advantage of the template.

Disable the following if not used:

SIEM 1.0.0.0
Email server profile 1.0.0.1
NetFlow 10.0.0.2

Put the MGMT interface into the Management zone and make sure it has the proper IP/SM/GW along with DNS and NTP.

Other:

https://docs.paloaltonetworks.com/best-practices/8-0/data-center-best-practices/data-center-best-pra...

configure
delete deviceconfig system ssh

set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm

set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 3072
set deviceconfig system ssh session-rekey mgmt interval 3600

set deviceconfig system ssh mac mgmt hmac-sha2-256
commit
exit
set ssh service-restart mgmt
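An added example, not the poster's template and not Palo Alto Networks code: it renders the management-bootstrap and SSH-hardening CLI block from the post above from a set of parameters, and refuses to emit anything when the gateway sits outside the management subnet, the DNS server is given as a hostname (the box has no resolver yet), or the SSH algorithms fall below the cipher/MAC/key-length choices in the post. The command syntax is copied from the post; the PAN-OS 8.x algorithm names in the allow-lists, the RSA minimum and the sample addresses are assumptions.

```python
"""Render and sanity-check the PAN-OS mgmt bootstrap CLI from the post above.

Added example, not the poster's template. Command syntax is copied from the
post; the algorithm allow-lists and the sample addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Assumed PAN-OS 8.x SSH algorithm names. Only CTR/GCM ciphers and SHA-2 MACs
# are accepted so a CBC cipher or hmac-sha1 cannot slip into the pasted script.
STRONG_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm", "aes256-gcm"}
STRONG_MACS = {"hmac-sha2-256", "hmac-sha2-512"}
MIN_RSA_BITS = 3072  # matches the post's regenerate-hostkeys key-length


@dataclass
class MgmtSettings:
    ip: str
    netmask: str
    gateway: str
    dns_primary: str          # must be an IP: nothing can resolve names yet
    ntp_primary: str          # IP or hostname; a hostname is resolved via dns_primary
    ssh_ciphers: List[str] = field(default_factory=lambda: ["aes256-ctr", "aes256-gcm"])
    ssh_mac: str = "hmac-sha2-256"
    rsa_bits: int = 3072
    rekey_seconds: int = 3600


def validate(s: MgmtSettings) -> List[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems = []
    try:
        net = ipaddress.ip_network(f"{s.ip}/{s.netmask}", strict=False)
        host = ipaddress.ip_address(s.ip)
        gw = ipaddress.ip_address(s.gateway)
        if gw not in net:
            problems.append(f"gateway {s.gateway} is not inside {net}")
        if host in (net.network_address, net.broadcast_address) or host == gw:
            problems.append(f"{s.ip} collides with the network, broadcast or gateway address")
    except ValueError as exc:
        problems.append(f"bad management address: {exc}")
    try:
        ipaddress.ip_address(s.dns_primary)
    except ValueError:
        problems.append("dns_primary must be an IP address, not a hostname")
    if not s.ntp_primary:
        problems.append("ntp_primary is required: licensing and updates fail without correct time")
    weak = [c for c in s.ssh_ciphers if c not in STRONG_CIPHERS]
    if weak or not s.ssh_ciphers:
        problems.append(f"weak or missing SSH ciphers: {weak}")
    if s.ssh_mac not in STRONG_MACS:
        problems.append(f"weak SSH MAC: {s.ssh_mac}")
    if s.rsa_bits < MIN_RSA_BITS:
        problems.append(f"RSA host key of {s.rsa_bits} bits is below {MIN_RSA_BITS}")
    return problems


def render(s: MgmtSettings) -> str:
    """Emit the configure-mode commands from the post, in the order to paste them."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "configure",
        f"set deviceconfig system ip-address {s.ip} netmask {s.netmask} default-gateway {s.gateway}",
        f"set deviceconfig system dns-setting servers primary {s.dns_primary}",
        f"set deviceconfig system ntp-servers primary-ntp-server ntp-server-address {s.ntp_primary}",
        "commit",
        # SSH hardening: clear the existing stanza, then pin the algorithms.
        "delete deviceconfig system ssh",
    ]
    lines += [f"set deviceconfig system ssh ciphers mgmt {c}" for c in s.ssh_ciphers]
    lines += [
        f"set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length {s.rsa_bits}",
        f"set deviceconfig system ssh session-rekey mgmt interval {s.rekey_seconds}",
        f"set deviceconfig system ssh mac mgmt {s.ssh_mac}",
        "commit",
        "exit",
        # Operational mode; restarting sshd drops the SSH session you typed it from.
        "set ssh service-restart mgmt",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation range), not a real site.
    sample = MgmtSettings(ip="192.0.2.10", netmask="255.255.255.0", gateway="192.0.2.1",
                          dns_primary="208.67.220.220", ntp_primary="us.pool.ntp.org")
    print(render(sample))
```

Run it and paste the output into the console session from the laptop on the management port; the second commit and the `set ssh service-restart mgmt` that follows will cut an SSH session, so do the SSH block from the serial console or expect to reconnect with the new host key.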

Hello,

I forgot that you can create your own with IronSkillet:

https://live.paloaltonetworks.com/t5/Community-Blog/Getting-Started-with-IronSkillet-Best-Practices-...

 

I would just say that the Team Cymru bogons don't work quite right. I think it's a paid subscription?

 

Anyway good luck!
