05-09-2019 08:34 AM
We had ordered the firewall and it has been delivered to the client. Now we want to configure and upgrade it without disturbing the current network. What is the best way to do this, or do we have to bring it to our side to configure and send it back?
Is there any document, or does the client have to plug it into a separate network with internet access?
05-10-2019 07:37 AM
Hello,
I built it on a lab PA-200 I have on code 8.0.17, so it'll need at least 8.0.x before you can really apply it. Here are the rough steps, and my email is oklier @ andraste . net . It's a work in progress, so I appreciate any feedback. I left it as generic as possible, so there is still specific config that needs to happen.
For manual config of MGMT interface via cli:
configure
set deviceconfig system ip-address <IP address> netmask <subnet mask> default-gateway <gateway>
set deviceconfig system dns-setting servers primary <IP of internal DNS server; if no internal DNS server, use 208.67.220.220>
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <IP of NTP server or use us.pool.ntp.org>
commit
Time and DNS are required for the PAN to obtain its licensing and updates!
MGMT interface is configured for DHCP in the template
Assign IP to eth 1/1 and NAT
Assign IP to internal eth 1/2
Verify default outbound route
Update dynamic updates
Code must be 8.0.0 or higher to take advantage of the template.
Disable the following if not used:
SIEM=1.0.0.0
email server profile 1.0.0.1
Netflow 10.0.0.2
Put the MGMT interface into the Management zone and make sure it has the proper IP/SM/GW along with DNS and NTP.
Other:
configure
delete deviceconfig system ssh
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm
set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 3072
set deviceconfig system ssh session-rekey mgmt interval 3600
set deviceconfig system ssh mac mgmt hmac-sha2-256
commit
exit
set ssh service-restart mgmt
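The steps above (static MGMT addressing with DNS/NTP, outside and inside interfaces, default route, outbound NAT, dynamic updates, SSH hardening) as one complete set-command script. This is an added example, not the poster's template or any Palo Alto Networks document; it uses PAN-OS 8.x syntax and the RFC 5737 documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 as placeholders, with 10.0.0.0/24 as the client LAN and 10.255.0.0/24 as an assumed support-VPN subnet. The workflow it assumes is the one discussed in the thread: a laptop on the MGMT port (factory default 192.168.1.1/24, admin/admin) with nothing plugged into the data-plane ports, so nothing is committed into the client's network. Lines beginning with "#" are annotations for the reader and must be stripped before pasting into the CLI.

```text
# Added example: pre-staging a PA-220 off-network from the CLI.
# All addresses are placeholders; substitute the client's real values.
configure

# --- Management plane: static address (the template uses DHCP) plus the
# DNS and NTP the box needs to reach licensing and update servers.
set deviceconfig system hostname PA-220-client
set deviceconfig system type static
set deviceconfig system ip-address 192.0.2.10 netmask 255.255.255.0 default-gateway 192.0.2.1
set deviceconfig system dns-setting servers primary 192.0.2.53 secondary 208.67.220.220
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address us.pool.ntp.org
set deviceconfig system timezone US/Eastern

# --- Limit who can reach the MGMT interface and disable cleartext services.
# 10.255.0.0/24 is the assumed support-VPN subnet from the thread.
set deviceconfig system permitted-ip 192.0.2.0/24
set deviceconfig system permitted-ip 10.255.0.0/24
set deviceconfig system service disable-telnet yes disable-http yes

# --- Data plane: eth1/1 outside, eth1/2 inside, both in the default VR,
# with a default route pointing at the ISP next hop.
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/30
set network interface ethernet ethernet1/2 layer3 ip 10.0.0.1/24
set zone untrust network layer3 ethernet1/1
set zone trust network layer3 ethernet1/2
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]
set network virtual-router default routing-table ip static-route default-route destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/1

# --- Outbound PAT on the outside interface and the matching security rule.
set rulebase nat rules outbound-pat from trust to untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase security rules allow-outbound from trust to untrust source any destination any application any service application-default action allow

# --- Dynamic updates; these only succeed once the licences are fetched.
set deviceconfig system update-schedule threats recurring daily at 01:30 action download-and-install
set deviceconfig system update-schedule anti-virus recurring hourly at 15 action download-and-install

# --- SSH hardening on MGMT, the same settings the post above uses.
delete deviceconfig system ssh
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm
set deviceconfig system ssh mac mgmt hmac-sha2-256
set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 3072
set deviceconfig system ssh session-rekey mgmt interval 3600

commit
exit

# Operational mode: restart SSH so the new host key and cipher set take effect
# (your current session will drop; reconnect and re-verify the host key).
set ssh service-restart mgmt
```

Once the MGMT interface has a path to the internet (on your bench, not the client's LAN), the remaining staging is all operational-mode commands: `request license fetch`, then `request content upgrade download latest` and `request content upgrade install version latest`, and only then `request system software check` and the PAN-OS download/install, because each PAN-OS release requires a minimum content version to be installed first. Leave eth1/1 and eth1/2 unplugged until the upgrade is finished; the commit above configures them but nothing is affected on the client side until the cables go in.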
05-10-2019 01:18 PM
Hello,
I forgot that you can create your own with IronSkillet:
I would just say that the Team Cymru bogons don't work quite right. I think it's a paid subscription?
Anyway good luck!
05-09-2019 09:18 AM
You have a couple of options if you want to do this.
You should be able to hook a laptop up to the Management port, and gain access to the device and configure it without it "being on the network".
Also, you can perform some updates to it while "offline"; please refer to this article:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFhCAK
Or there are some other discussions around here talking about the same thing. Here is one I found:
Hope this helps.
05-09-2019 09:41 AM
05-09-2019 12:07 PM
1. Do you have Panorama?
2. Is this running in an HA pair?
3. Is there any kind of VPN tunnel giving you access to their network?
05-09-2019 12:35 PM
Hello,
If you are interested, I have a template I created of a base config. Does stuff like set management to dhcp, setup dynamic updates and a few security policies.
Let me know if you are interested.
05-10-2019 01:16 AM
1. Do you have Panorama?
No Panorama
2. Is this running in an HA pair?
PA-220, so no HA pair.
3. Is there any kind of VPN tunnel giving you access to their network?
Yes, a VPN tunnel will be created to give support to the client.
05-10-2019 01:16 AM
Sure. That would be a great help. Can you email me the template?