Episode Transcript:
John:
Hello and welcome back, PANCasters. Olivier is back with us today to discuss the initial steps when you get a new firewall. Hi Olivier, and welcome back.
Olivier:
Hello John, thanks for having me back.
Olivier Zheng, PCNSE, is a Staff Support Engineer at Palo Alto Networks. As SME for Management/Logging/Reporting in the Technical Assistance Centre Singapore, he supports customers and participates in multiple knowledge-sharing initiatives by writing content for the Knowledge Base and by delivering training to internal engineers. He holds one issued patent. Olivier holds a Master of Science in Mobile and High Speed Telecom Networks from Oxford Brookes University, UK, and a Master of Science in Computer Science and Information Technology from ESI SUPINFO Paris, France.
So I received a new firewall and I wanted to share with the audience the 3 must-do things when setting up a new firewall.
John:
Great Olivier, let’s get started.
Perform the Initial Configuration
Olivier:
So the first step is to perform the initial configuration: the purpose of that initial configuration is to set the most basic configuration of the firewall, something you can back up and use as a recovery point.
At the first startup of the firewall, you will be requested to change the password of the default user account. What I like to do as well is to create a new default superuser account and delete the default “admin” account. Anyway, make sure you have at least one local superuser account.
Another thing to set up on the firewall is the basic network configuration: the IP configuration, the DNS servers and the time-related settings - the device date and time and the NTP servers.
Once the initial configuration is done, perform the first commit on the firewall.
If you need to enable the multi vsys feature or jumbo frame support, enable those then commit and reboot the firewall.
Also, since PAN-OS 10.2, I think it can be interesting to move to the Advanced Routing Engine while the firewall is not fully configured yet; it will be simpler than doing it later. This activation also requires a commit and a reboot.
Finally, if you plan on managing the configuration using Strata Cloud Manager or Panorama, enable the setting, then commit.
And for Panorama management, you will have to set the authkey for the initial authentication with Panorama, but no commit is required to set this key.
John:
OK, so what’s next?
Register the Device and Get the Licenses
Olivier:
Now that the initial configuration is done, your firewall should be able to contact the Palo Alto Networks server.
So the next step is to activate the firewall on the Customer Support Portal. You will have to register the firewall, make sure the information is accurate as it will be used the day you need to replace a hardware component.
You will also have to register the license authkeys so the firewall is correctly associated with the right subscriptions. One thing to note is that as long as you have not activated the licenses, you won't be able to get the associated services: no support license, no TAC support, no Threat license, no threat updates on your firewall, which, I remind you, are there to keep you secure.
Another thing you should do at that stage is to get the device certificate. This certificate, which is automatically renewed every 3 months, is required to have access to the cloud-delivered security services: Advanced Threat Prevention, IoT Security and so on...
Finally, if you are using some cloud-delivered security services like IoT Security, Cortex Data Lake, or AIOps free, you need to associate your devices with the TSG in the Hub Portal.
Keep in mind that the CSP and the Hub Portal are separate applications. There is no synchronization between the CSP and the Hub Portal.
John:
More good info. Thanks Olivier. What's the third step?
Prepare the Software Stack
Olivier:
Last point I wanted to discuss is the software stack of the firewall. By software stack, I mean the PAN-OS version, the different content updates, the plugins running on the firewall. Nobody can foresee the software version shipped with the firewall, so you will eventually have to upgrade it.
So now that the firewall has its initial configuration and that the licenses are activated, you can pull the licenses to the firewall.
Take the opportunity, while the firewall is not in production, to perform all the required upgrades, as you may have to reboot the firewall multiple times.
One thing I noticed on recent versions of PAN-OS is that the DLP plugin is automatically installed. If you are not using Enterprise DLP, which requires a specific license, remove the plugin. I saw some cases opened simply because the DLP plugin version was not matching between HA pairs, and this plugin was not even used.
That's all. Once those 3 steps are done, you simply have to load the final configuration and connect the network cables when you are ready to put the firewall into production.
John:
Thanks Olivier, what are the key takeaways from this episode?
Episode Key Takeaways
Olivier:
I think we can summarize the episode in 3 points:
- Set the initial configuration to perform the basic tasks.
- Register the firewall on the Palo Alto Networks CSP and Hub Portal.
- Install the required software for the firewall to be ready.
John:
That’s it for today PANCasters. Head to live.paloaltonetworks.com for the transcript and additional info. Until next time.