Getting Started Setting Up Your Palo Alto Networks Firewall


54 minutes
Video Description

Your new Palo Alto Networks firewall has arrived! What next? To help you enjoy the full potential of the Palo Alto Networks firewall, we've got a series of helpful articles and videos for customers and users like you. No matter what level of expertise you have, we think you'll find some tips and tricks that ensure optimal use and enjoyment of your firewall. The first series covers the basics of getting your device booted up, the management interface configured, the licenses activated, content files updated, and software upgraded to the latest version. We then take a look at several interface configuration options, security and NAT policies, and look at how logging works. After unboxing your brand new firewall, or after a factory reset, the device is in a blank state with nothing but the minimum configuration and a software image that's installed in the factory. Where do you go from here? Our first installment in the new 'Get Started' series guides you through the very first stages of preparing your firewall for operation.

1. Initial setup

Two methods are available to connect to the new device: a network cable on the management port, or an ethernet-to-DB-9 console cable.

  • When using the management port, the workstation you'll be using must be reconfigured so its network interface has an IP address in the same IP range, as the default IP of the management port is 192.168.1.1.

  • When using a console cable, set the terminal emulator to 9600 baud, 8 data bits, 1 stop bit, parity none, VT100. If you use PuTTY, it should come with the appropriate configuration if the connection type is set to Serial.

After preparing the cables and the workstation, plug the unit into an electrical outlet and watch the firewall boot up. The console outputs the boot sequence:

```
Welcome to PanOS
Starting udev: [ OK ]
Setting clock (utc): Wed Oct 14 11:10:53 PDT 2015 [ OK ]
Setting hostname 200: [ OK ]
Checking filesystems:
Running filesystem check on sysroot0: [ OK ]
Running filesystem check on pancfg: [ OK ]
Running filesystem check on panrepo: [ OK ]
[ OK ]
Remounting root filesystem in read-write mode: [ OK ]
Enabling /etc/fstab swaps: [ OK ]
INIT: Entering runlevel: 3
Entering non-interactive startup
Starting Networking: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
....
```

After the device is booted, a login prompt is displayed in the console connection and SSH or SSL connections can be made to 192.168.1.1.

1.1. Console and SSH connection

The default username and password are admin / admin, so we'll go ahead and log in to reveal the CLI. From here, we'll start setting up the proper IP address and subnet for the device, and the default gateway and DNS settings, so the unit can collect updates later. The values for your own network go where the angle-bracket placeholders are shown:

```
login as: admin
Using keyboard-interactive authentication.
Password:
Last login: Wed Oct 14 11:57:16 2015 from
Your device is still configured with the default admin account credentials. Please change your password prior to deployment.
admin@PA-200> configure
Entering configuration mode
[edit]
admin@PA-200# set deviceconfig system ip-address <ip-address> netmask <netmask> default-gateway <gateway> dns-setting servers primary <dns-server>
```

Use the commit command to apply the new settings to the system:

```
admin@PA-200# commit
..................55%...60%75%.99%...........100%
Configuration committed successfully
[edit]
```

At this point, you'll lose SSH and SSL access to the device, as the IP address was changed and the management service restarted to adopt these changes. Now you need to reconnect to the new IP address; skip to step 1.3.

1.2. Web interface initial setup

When making your first connection to the web interface, your browser may display an error message. This is because the certificate used by the web interface is a self-signed certificate your browser does not trust. You can safely ignore the error message at this time, which then takes you to the login screen. Log in using the default username and password admin / admin. Navigate to Device > Setup > Management, where you can change the Management Interface Settings:

  • Change the interface configuration and click OK.

  • Next, select the Services tab and configure a DNS server.

  • Apply the changes to the device by clicking the Commit link at the top right.

After the commit completes, the browser eventually times out as the IP address has changed, so you'll need to manually change the address in the address bar to reconnect to the new IP.

1.3. Finishing up the first step

The firewall is now configured with a proper IP address to work in your LAN network, so go ahead and connect the cables:

  • Connect Interface 1 to the router

  • Connect Interface 2 to the switch

  • Connect the Management (mgmt) interface to the switch

You should be able to connect to the management IP from the network, and you should be able to surf out to the Internet.

2. Preparing the licenses and updating the system

To be allowed to download content and application updates or software upgrades, the system needs to be licensed. Various licenses control the different functions of the system:

  • The Support license entitles the system to software and App-ID updates

  • The Threat Prevention license adds virus, threat and malware signatures

  • The URL license enables URL categories for use in security policies

If the device has not been registered on the support portal yet, please follow these steps to register the device: How to Register a Palo Alto Networks Device, Spare, Traps, or VM-Series Auth-Code. Then navigate to the Device tab and select Licenses from the left pane:

  • If the device has been registered using the above method and auth codes have already been added, go ahead and select Retrieve license keys from license server.

  • If the device was registered but no licenses have been added yet, select Activate feature using authorization code to activate a license through its authorization code, which you will have received from your Palo Alto Networks sales contact.

Now you're ready to start updating the content on this device, so navigate to the Device > Dynamic Updates.

Updating content

The first time this page opens, there will be no visible packages for download. The system first needs to fetch a list of available updates before it can display which ones are available, so select Check Now. When the system retrieves a list of available updates, the Applications and Threats package becomes available. You may notice the Antivirus package is missing: it appears only after downloading and installing the Applications and Threats package. After the package is downloaded, go ahead and install it on the system. When the Applications and Threats package has been installed, run another Check Now to retrieve the Antivirus package. Now download and install the Antivirus package just like you did with the Applications and Threats package.

Setting a schedule

With these tasks completed, this is a good time to set a schedule for every package to be automatically downloaded and installed at a time that's convenient for you. Content updates can be installed during production and don't interrupt existing sessions, so it's safe to apply updates during the day. However, most organizations opt to perform updates during the night or off-hours to minimize risk. Set a schedule by clicking the timeframe next to the schedule. After setting the appropriate schedules, commit the change.

Upgrading the system

After the commit completes, go ahead and upgrade the system to a more recent PAN-OS in case the unit is installed on an older OS. Navigate to the Device > Software. The first time you access this tab, a popup displays No update information available, because the system has no previous contact with the update server and doesn't know which updates are available. Go ahead and close this popup, then select Check Now. Next, you'll download both PAN-OS 7.0.1 and 7.0.2. To allow for smaller, cumulative updates, the first image in a major code train is used as a base image. Any subsequent updates, or maintenance releases, are smaller and contain mostly updates. Install 7.0.2 in this instance, but go ahead and select a newer version if one is available. When you click Install, a warning may display. Click OK on the message and continue with the installation. After the installation completes, reboot the firewall to activate the new PAN-OS. In the event the device has an installed version older than the major version directly preceding the latest available major release, we'll need to install the next major version before upgrading. In our example, if the firewall were preinstalled with PAN-OS 6.0, we'd first need to install PAN-OS 6.1 before upgrading to PAN-OS 7.0.
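The base-image rule described above, worked through as an added example (not part of the article and not a Palo Alto Networks tool): a small planner that lists the images to install in order, given the installed version and the target. The image catalogue it works from is constructed; only 7.0.1 and 7.0.2 are named on the page.

```python
"""Upgrade path planning under the article's base-image rule.

Added example, not from the article and not a Palo Alto Networks tool. It
encodes the two constraints the section above states: (1) the first image in
a code train (7.0.1 for 7.0 in the page's example) is the base image and must
be installed before a later maintenance release in that train, and (2) a
major train cannot be skipped, so 6.0 goes to 6.1 before 7.0. The catalogue
below stands in for the list returned by Check Now and is constructed.
"""
from typing import Dict, List, Tuple

# Constructed catalogue; only 7.0.1 and 7.0.2 are named on the page.
CATALOGUE = ["6.0.0", "6.0.9", "6.1.0", "6.1.5", "7.0.1", "7.0.2"]


def parse(version: str) -> Tuple[int, ...]:
    """'7.0.2' -> (7, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def train(version: str) -> Tuple[int, int]:
    """Code train of an image, e.g. (7, 0) for any 7.0.x release."""
    return parse(version)[:2]


def base_images(catalogue: List[str]) -> Dict[Tuple[int, int], str]:
    """The lowest image in each code train is that train's base image."""
    bases: Dict[Tuple[int, int], str] = {}
    for version in sorted(catalogue, key=parse):
        bases.setdefault(train(version), version)
    return bases


def plan_upgrade(installed: str, target: str,
                 catalogue: List[str] = CATALOGUE) -> List[str]:
    """Ordered images to install to move from `installed` to `target`.

    Every train after the installed one, up to and including the target's
    train, contributes its base image; if the target is a maintenance
    release, it is installed last on top of its own train's base image.
    """
    if target not in catalogue:
        raise ValueError(f"{target} is not in the available software list")
    if parse(target) <= parse(installed):
        return []  # already at or beyond the target; nothing to install
    bases = base_images(catalogue)
    trains = sorted(t for t in bases if train(installed) < t <= train(target))
    steps = [bases[t] for t in trains]
    if target not in steps:
        steps.append(target)
    return steps


if __name__ == "__main__":
    # Mirrors the article: a unit shipped with 6.0 must pass through 6.1 and
    # the 7.0 base image before the 7.0.2 maintenance release.
    print(plan_upgrade("6.0.9", "7.0.2"))  # ['6.1.0', '7.0.1', '7.0.2']
```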

3. Preparing security profiles

The system comes preloaded with a default security profile in each category. For now, you'll start the configuration with these default profiles, except for URL filtering. Navigate to the Objects Tab, select Security Profiles > URL Filtering and add a new URL filtering profile. In this first custom URL filtering profile, start by setting all actions to alert rather than allow, as the allow action doesn't create a URL filtering log entry. Set actions to alert to gain some insight into the kind of web browsing happening on the network. All other default profiles should already provide sufficient coverage for network security and for offensive sessions to become visible in the appropriate logs. Next up, you'll prepare the group of unwanted applications.

4. Applications

After downloading update packages, the firewall contains a lot of applications you can use to create a security policy, but these applications also come loaded with useful metadata to create groups of applications based on their behavior, called an application filter. Rather than having to manually add applications to a group and keep the list current, the application filter automatically adds new applications that match a certain behavior to the filter, enabling the security policy to take appropriate action. Create an application filter with undesirable behavior for the first policy. Go to the Objects tab, then select Application Filters. As an example, you'll create an application filter called peer-to-peer, where you add all applications that match Subcategory file-sharing and Technology peer-to-peer. Now you're ready to set up your first security policy and look at the logs, but first, let's take a quick detour to look at the network configuration.

5. Network configuration

If you navigate to the Network tab and look at Interfaces, you see that interfaces 1 and 2 are both set up as Virtual Wire, or vwire, and are both added to the default-vwire. A vwire has some interesting advantages over other types of interface configurations: it is considered a bump-in-the-wire, which requires no IP address on the interface and no routing configuration. It can simply be plugged in between your router and switch to start passing traffic. We'll cover other interface types in upcoming articles, but for now, let's stick with the vwire configuration.

6. Security policy and logging

Now that you've prepared your device, let's look at the security policies and set up an initial configuration that allows good traffic to go out and bad traffic to be blocked. The initial security policy simply allows all outbound traffic, without inspection. There are two default rules that allow intrazone and block interzone traffic. We'll zoom in on these last two in an upcoming session as they are not currently relevant to the vwire. Start by editing rule1 and make it the 'bad applications' block rule:

  • Leave the source and destination as they are.

  • Under Application > Application Filter, select peer-to-peer. It helps to type the name of the application or group you want to add, so there is no need to scroll through all the applications.

  • Under Actions, set the action to Deny as you don't like peer-to-peer, and click OK.

Next, you'll create a security policy to allow everything else out. We recommend you add applications to the 'allow' rule later, but for now, let's block only the applications we know we don't like and allow the rest, so you can gain visibility into what kind of traffic is passing onto the Internet and decide if you want to block more applications down the line.

  • Under Source, select trust as the source zone associated with Interface 2, which is connected to the LAN switch.

  • Under Destination, select untrust as the zone associated with Interface 1 and connected to the Internet router.

  • Leave the applications as Any for now.

  • Under Actions, add security profiles to enable scanning of outgoing connections for malicious content and to apply URL filtering to browsing sessions.

Make sure the Internet-access policy is positioned below the bad-applications-block policy, as the security policy is processed top to bottom for every new connection, and the first positive match applies. If the bad-applications-block policy is located below the Internet-access rule, peer-to-peer applications will be allowed. Now go ahead and commit these changes and navigate to the Monitor tab. When the commit operation completes, the logs start filling up with interesting traffic, URL, and threat information, if any infections are detected.
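The ordering point above, modelled as an added example (not part of the article and not PAN-OS code): a small first-match evaluator with an application filter, showing that the peer-to-peer block rule only works when it sits above the allow-any Internet-access rule, and a check that reports rules shadowed by a broader rule above them. The application metadata, zone names and rule names are constructed for the illustration.

```python
"""First-match security policy evaluation with an application filter.

Added example, not part of the original article and not PAN-OS code. It
models the rule-ordering point made above (the policy is processed top to
bottom and the first positive match applies). The application metadata,
zone names and rule names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed application metadata, shaped like the Subcategory/Technology
# attributes the article's application filter matches on.
APP_DB = {
    "bittorrent":   {"subcategory": "file-sharing",     "technology": "peer-to-peer"},
    "dropbox":      {"subcategory": "file-sharing",     "technology": "client-server"},
    "web-browsing": {"subcategory": "internet-utility", "technology": "browser-based"},
    "ssl":          {"subcategory": "encrypted-tunnel", "technology": "browser-based"},
}


@dataclass
class AppFilter:
    """Dynamic group: an app belongs if its metadata matches every criterion,
    so newly added apps with the same behaviour join automatically."""
    name: str
    criteria: dict

    def matches(self, app: str) -> bool:
        meta = APP_DB.get(app, {})
        return all(meta.get(key) == value for key, value in self.criteria.items())


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    from_zone: str = "any"
    to_zone: str = "any"
    application: Optional[AppFilter] = None  # None means "any" application
    profiles: tuple = ()                     # security profiles on an allow rule

    def matches(self, from_zone: str, to_zone: str, app: str) -> bool:
        if self.from_zone not in ("any", from_zone):
            return False
        if self.to_zone not in ("any", to_zone):
            return False
        return self.application is None or self.application.matches(app)


def evaluate(policy: list, from_zone: str, to_zone: str, app: str) -> Optional[Rule]:
    """Top-to-bottom pass: the first rule that matches decides the session."""
    for rule in policy:
        if rule.matches(from_zone, to_zone, app):
            return rule
    return None  # no explicit match; the default interzone rule would deny


def shadowed_rules(policy: list, from_zone: str = "trust", to_zone: str = "untrust") -> list:
    """Names of rules that are never the first match for any known app on this
    zone pair, i.e. rules hidden behind a broader rule placed above them."""
    hit = set()
    for app in APP_DB:
        rule = evaluate(policy, from_zone, to_zone, app)
        if rule is not None:
            hit.add(rule.name)
    return [rule.name for rule in policy if rule.name not in hit]


PEER_TO_PEER = AppFilter("peer-to-peer",
                         {"subcategory": "file-sharing", "technology": "peer-to-peer"})
BLOCK_P2P = Rule("rule1-bad-applications", "deny", application=PEER_TO_PEER)
INTERNET_ACCESS = Rule("internet-access", "allow", "trust", "untrust",
                       profiles=("default-antivirus", "custom-url-alert"))

GOOD_ORDER = [BLOCK_P2P, INTERNET_ACCESS]  # block rule above the allow rule
BAD_ORDER = [INTERNET_ACCESS, BLOCK_P2P]   # allow-any shadows the block rule

if __name__ == "__main__":
    for order, label in ((GOOD_ORDER, "good"), (BAD_ORDER, "bad")):
        hit = evaluate(order, "trust", "untrust", "bittorrent")
        print(f"{label} order: bittorrent -> {hit.name} ({hit.action}); "
              f"shadowed: {shadowed_rules(order)}")
```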

Video Transcription
Hey, is this down to Baltimore? To his community,
This is the first episode of our getting started guide.
I haven't bet my father will know what
we're going to take a look at which options are available to connect to the firewall's management for the first time, how we can set licenses, how you can download software and content, and how we can prepare our security policy for the first time.
Before we can get started we'll first need to connect our management station to the firewall. There are two options available. The first is the management port, which is going to use a normal ethernet connection. Or we can use a DB-9 to ethernet console cable to connect to the console port.
If we move over to my workstation, we'll take a look at how we can connect. If you open up PuTTY and select Serial, we'll see we get a login prompt. We can log in using the default username and password admin. From here I'm going into configuration mode and add configuration to set the IP address of the device. But I'll show you how to do it through the web interface, which is a little easier.
We'll first need to change the settings of our workstation, because the firewall is going to have a factory IP address of 192.168.1.1. We need to set our interface to match that IP range so we can connect to the interface.
Well, they don't do.
DNS doesn't really matter. We don't need a DNS right now. That's good. Okay. And if we now open a browser and go to 192.168.1.1, we'll first get a certificate warning message, because the SSL connection to the web interface has been signed by a self-signed certificate. So your browser is going to pop up a little complaint, which you can safely ignore, because you know that the device is safe, it's just unpacked. So there's no need to worry.
Again, logging in, admin, admin. We'll see that there's a little warning telling you the device still has a default username and password, so it's advisable to change that later. And now we're in the dashboard. From here we're gonna go to the Device tab, Setup, and then in the management interface settings we're going to change 192.168 to an appropriate IP address in my network.
So in my case, that's gonna beat in that zero.
It's you
five said that mask is fine.
The default gateway for my network is going to be 10 to 001. This may be a little different in yours, so take note. I'm gonna click OK. Then we're going to go to Services, where we are going to add a DNS server, for example. And then we are going to commit this configuration and change the IP address. While this is committing, we're going to change the IP address of our workstation, because as soon as the commit is finished, the IP address of the firewall is going to be changed as well, so we will need to connect to a new IP address. Let's go back here, back to my interface. We're going to change this, for example. We can still use our console connection from earlier to take a look at the commit status. We'll see that the commit is nearly done. 90 understands. Commit is finished.
So now we're gonna go over here, open a browser, and connect to the new IP address. We get the same error message from earlier because this is now a new IP address we're connecting to. Log in again, and now we're ready for the next step. The first thing we're going to do is activate the licenses, so we navigate to the Device tab. I'm going to scroll down. Now here we have several options available: you can manually upload a license key, you can activate a feature by using an authorization code that you've received from your sales contact, or you can retrieve licenses from the licensing server. If you've activated your firewall and activated all your licenses through the support portal, the only thing you'll need to do here is retrieve licenses, and the device will go out and fetch everything it needs. So we're gonna go ahead and do this. Okay, so now my device holds licenses.
Now we can proceed to update the content and the software. The first thing we're going to do is go to Dynamic Updates. You'll see that there's not much in here. So the first thing we need to do is get a new list of available content looking used to obey the system. Once this has been fetched, we're gonna go ahead and download the content package, and once it is downloaded you can go ahead and install it. When the very first Apps and Threats package is installed, you might see an error message that the previous content package could be saved, which is because the previous version is the factory one. So this doesn't really matter that much. The next one should have no problems at all. Once this is done, you can go back to the update page and check again, and now we should get an antivirus package as well. Now we can see an antivirus package. We're gonna go ahead and download that, and after it's been downloaded we're gonna go ahead and install it.
Now this is completed, this is a good opportunity to set a schedule. Setting a schedule will ensure that your system is up to date at all times. So first we're gonna set an hourly update, download and install, for antivirus, which means that every hour it's going to check if a new package is available, download it and install it. Applications and Threats is already set to download only every Wednesday by people. We're gonna change that to be a daily regimen and set their defense to two in the morning. Bill, stop. And then we'll go ahead and commit this.
Now this is completed, the final step is to upgrade the software of the system itself. So we're gonna close this and go to Software. When you access the Software tab the very first time you'll see this message pop up. It's basically because the system has never contacted the update server, so it isn't aware which software versions are available. Go ahead and close this and do a Check Now. Now it's gonna contact the update server and get a full list of available software that it is allowed to download. And we'll see, currently we have 71 installed, and the latest version available to me is seven or tree. You'll notice that for me this version has already downloaded. You might need to download that first. We're gonna go ahead and install this version. And now that the software installation is completed, we're gonna go ahead and reboot the firewall. After the reboot completes, we end up on the login page, so I'm gonna log in again.
You have me now
and then we're going to take a look at some security profiles. Under the Objects tab we have our security profiles, where most of these have been preloaded with a default profile. We're gonna leave these for now, but we are going to create a new URL filtering profile, because the default one is not going to be logging a lot of actions. So, to show what kind of logging we can get in a later series, we're going to enable logging on all URL categories so we can get a nice clean log. There's an option to set all actions to alert. This will create a log entry each time a URL in any category is accessed.
Next we're gonna take a look at the applications. If you scroll up again we have Applications. There's a full list of all the applications we can identify. Right now there's 2275. That's a lot of stuff we can use to build policies. We're going to be using an application filter. This is a sort of dynamic group that allows you to choose, based on behavioral properties, what kind of group this is going to be. So as an example we're gonna start off with peer-to-peer file sharing, which would contain all kinds of typically unwanted file sharing protocols you can see in an organization that we want to block. We will name it peer-to-peer, and then go to our security policies and create a new rule, where the source is going to be our trust zone, the destination zone is going to be untrust, which will be the outside, and for the application we're going to take our peer-to-peer group. The easiest way to find this is by typing the name. And then in the actions we're going to set the action to deny.
We need to make sure the peer-to-peer rule is stationed above the original rule1, because else peer-to-peer applications might not get blocked. Security policy is processed top to bottom, so the first rule that matches will be used. If rule1 had remained at the top, which is an allow-any rule, there's no application, there's no filtering for anything, it just allows all traffic through. We won't be blocking anything.
To shed a little light on the trust and untrust zones, we can go to the Network tab, where we see there are currently two interfaces configured as virtual wire. Virtual wire functions as a bump in the wire, so there's no configuration needed. There's no layer 3, there's no IP address, there's no real intact, nothing. We only need to make sure that the interface is connected to your network. Interface 1 is currently configured as the untrust interface, and interface 2 is configured as the trust interface, which means that interface 1 should get connected to your router or your upstream routing device, and your interface 2 should be connected to your switch, where all your hosts are located. This will make sure that our security policy makes sense, because any connections coming from your hosts going out to the Internet would come from trust and go to untrust, and anything coming in from the Internet would come from the zone untrust going to your trust.
The last part we're going to be doing is going back to the security policies. We're going to open rule1, which is currently an open security policy that is going to allow everything. There are no applications and no services configured, so it's going to allow everything. But we are going to enable some security profiles, so all your outbound connections are secured. We're going to be taking all the default profiles we saw earlier, except for URL filtering, where we're going to take our custom profile so that we can see URL filtering logs at a later stage. Once this is done, go ahead and commit, and now you're ready to start using your firewall.
Go ahead and connect your router to the untrust interface and your switch to the trust interface, so that your network topology should look like this: interface 1 connected to the router, interface 2 connected to the switch, and your management interface also connected to your switch.
I hope you enjoy this video. Feel free to leave any comments in the comments section below. Thank you.