Read how the Day 1 Configuration tool is now available for Panorama. Reaper provides an in-depth look at how to run a Day 1 Configuration for Panorama. He also gets into why it's important to run a Day 1 Configuration.
Day 1 Configuration Tool Now for Panorama
The Day 1 Configuration tool helps you create a sturdy foundation on which you can build a more secure configuration, and it now comes for Panorama too! If you haven't seen the Day 1 Configuration tool yet, check out the following blog for firewalls: Day 1 Configuration Tool: What Does It Do?
Once you've received your Panorama serial number, register it as a new device.
View of Customer Support Portal web interface.
At the end of the registration process, you have the option to run the Day 1 Configuration.
View of Device Registration web interface before running Day 1 Configuration.
If you registered your new Panorama earlier and skipped this step, you can run a Day 1 Config from Assets > Devices or from the Tools menu.
View of Customer Support Portal in Tools menu highlighting Run Day 1 Config.
NOTE: The serial number needs to be registered before it can be used to manually start the Day 1 Configuration tool.
Like its firewall counterpart, the Day 1 Configuration tool detects the device type as Panorama and offers (at the time of writing) three OS versions: 8.0, 8.1, and 9.0. It comes in two flavors: static and cloud.
The static version allows you to preload the Panorama management interface configuration with an IP, subnet, default gateway, DNS, and logging hosts.
View of Day 1 Configuration in Device Registration Panorama Setup.
The cloud flavor (intended for AWS, Azure, GCS, Alibaba, etc.) simply sets the management interface to DHCP client and lets you preload DNS settings and logging hosts.
View of Device Registration web interface inputting Panorama management and logging settings.
Once you have chosen the appropriate OS and flavor and configured the parameters, clicking "Generate Config File" downloads a prepared configuration file that you can import and load onto Panorama.
Congratulations! Your Day 1 Configuration file has been created and downloaded.
So what does this configuration file do, you ask?
The configuration file loads your Panorama with a set of Best Practice settings such as Minimum Password Complexity for the Panorama and all managed firewalls.
Web interface for Minimum Password Complexity
Here is a view of the dynamic update schedules for both the Panorama and managed firewalls.
Web interface view of dynamic update schedule for Panorama and managed firewalls.
Here's a look at the Log forwarding profiles.
Web interface view of Panorama Log forwarding profiles.
Now you get a pre-created security policy to take care of malicious DNS queries.
View of Panorama pre-created security policy.
Let's not forget that you also get an extensive set of pre-created security profiles.
View of pre-created security profiles in Panorama.
These pre-created security profiles are sorted and made available in easy-to-use Security Profile groups.
View of Security Profile groups.
The one named "default" will even be added to any new security policy automatically!
If you want to verify all the configuration items before loading the configuration, you can import the configuration file and then run a Config Audit to visualize all the differences.
View of web interface for Panorama Config Audit.
Once you're ready to start using the Day 1 Configuration file, load it into the candidate configuration (this is the config you're currently working on and is not running on the system yet).