Getting Started Setting Up Your Palo Alto Networks Firewall
Your new Palo Alto Networks firewall has arrived! What next? To help you enjoy the full potential of the Palo Alto Networks firewall, we've got a series of helpful articles and videos for customers and users like you. No matter what level of expertise you have, we think you'll find some tips and tricks that ensure optimal use and enjoyment of your ...
Your new Palo Alto Networks firewall has arrived! What next? To help you enjoy the full potential of the Palo Alto Networks firewall, we've got a series of helpful articles and videos for customers and users like you. No matter what level of expertise you have, we think you'll find some tips and tricks that ensure optimal use and enjoyment of your firewall. The first series covers the basics of getting your device booted up, the management interface configured, the licenses activated, content files updated, and software upgraded to the latest version. We then take a look at several interface configuration options, security and NAT policies, and look at how logging works. After unboxing your brand new firewall, or after a factory reset, the device is in a blank state with nothing but the minimum configuration and a software image that's installed in the factory. Where do you go from here? Our first installment in the new 'Get Started' series guides you through the very first stages of preparing your firewall for operation.
1. Initial setup
The two methods available to connect to the new device is either using a network cable on the management port or an ethernet-to-db-9 console cable. - When using the management port, the workstation you'll be using must be reconfigured so its network interface has an IP address in the 192.168.1.0/24 IP range, as the default IP of the management port will be 192.168.1.1.
- When using a console cable, set the terminal emulator to 9600baud, 8 data bits, 1 stop bit, parity none, VT100. If you use PuTTY, it should come with the appropriate configuration if connection type is set to Serial.
After preparing the cables and the workstation, plug the unit into an electrical outlet and watch the firewall boot up. The console outputs the boot sequence: `<span style="color:
ccffcc;">Welcome to PanOS Starting udev: [ OK ] Setting clock (utc): Wed Oct 14 11:10:53 PDT 2015 [ OK ] Setting hostname 200: [ OK ]Checking filesystems: Running filesystem check on sysroot0: [ OK ] Running filesystem check on pancfg: [ OK ] Running filesystem check on panrepo: [ OK ] [ OK ] Remounting root filesystem in read-write mode: [ OK ] Enabling /etc/fstab swaps: [ OK ] INIT: Entering runlevel: 3 Entering non-interactive startup Starting Networking: [ OK ] Starting system logger: [ OK ] Starting kernel logger: [ OK ] ....
After the device is booted, a login prompt is displayed in the console connection and SSH or SSL connections can be made to 192.168.1.1. 1.1. Console and SSH connection The default username and password are admin / admin, so we'll go ahead and log in to reveal the CLI. From here, we'll start setting up the proper IP address and subnet for the device, and the default gateway and DNS settings, so the unit can collect updates later.login as: adminUsing keyboard-interactive authentication.Password:Last login: Wed Oct 14 11:57:16 2015 from 192.168.1.168Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.admin@PA-200> configureEntering configuration modeadmin@PA-200# set deviceconfig system ip-address 10.0.0.10 netmask 255.255.255.0 default-gateway 10.0.0.1 dns-setting servers primary 22.214.171.124
Use the commit command to apply the new settings to the system.admin@PA-200# commit` ..................55%...60%75%.99%...........100% Configuration committed successfully  At this point, you'll lose SSH and SSL access to the device, as the IP address was changed and the management service restarted to adopt these changes. Now you need to reconnect to the new IP address—please skip to step 1.3. 1.2. Web interface initial setup When making your first connection to the web interface, your browser may display an error message. This is because the certificate used by the web interface is a self-signed certificate your browser does not trust. You can safely ignore the error message at this time, which then takes you to the login screen: Log in, using the default username and password admin / admin. Navigate to the Device > Setup > Management, where you can change the Management Interface Settings: - Change the interface configuration and click OK.
- Next, select the Services tab and configure a DNS server.
- Apply changes to the device, click the Commit link at the top right:
After the commit completes, the browser eventually times out as the IP address has changed, so you'll need to manually change the address in the address bar to reconnect to the new IP. 1.3 Finishing up the first step The firewall is now configured with a proper IP address to work in your LAN network, so go ahead and connect the cables: - Connect Interface 1 to the router
- Connect Interface 2 to the switch
- Connect the Managment (mgmt) interface to the switch
You should be able to connect to the management IP from the network, and you should be able to surf out to the Internet.
2. Preparing the licenses and updating the system
To be allowed to download content and application updates or software upgrades, the system needs to be licensed. Various licenses control the different functions of the system, so the— - Support license entitles the system to software and AppID updates
- ThreatPrevention license adds virus, threats and malware signatures
- URL license enables URL categories for use in security policies
If the device has not been registered on the support portal yet, please follow these steps to register the device: How to Register a Palo Alto Networks Device, Spare, Traps, or VM-Series Auth-Code Navigate to the Device tab and select Licenses from the left pane: - If the device has been registered using the above method and auth codes have already been added, go ahead and select Retrieve License keys from license server.
- If the device was registered but no licenses added yet, select Activate feature using authorization code to activate a license through its authorization code, which you will have received from your Palo Alto sales contact.
Now you're ready to start updating the content on this device, so navigate to the Device > Dynamic Updates.
The first time this page opens, there will be no visible packages for download. The system will first need to fetch a list of available updates before it can display which ones are available, so select Check Now. When the system retrieves a list of available updates, the Applications and Threats package becomes available. You may notice the AntiVirus package is missing—it appears only after downloading and installing the Applications and Threats Package. After the package is downloaded, go ahead and install it on the system. When the Applications and Threats package has been installed, run another Check Now to retrieve the Antivirus package. Now download and install the Antivirus package just like you did with the Applications and Threats package.
Setting a schedule
With these tasks completed, this is a good time to set a schedule for every package to be automatically downloaded and installed at a time that's convenient for you. Content updates can be installed during production and don't interrupt existing sessions, so it's safe to apply updates during the day. However, most organizations opt to perform updates during the night or off-hours to minimize risk. Set a schedule by clicking the timeframe next to the schedule. After setting the appropriate schedules, commit the change.
Upgrading the system
After the commit completes, go ahead and upgrade the system to a more recent PAN-OS in case the unit is installed on an older OS. Navigate to the Device > Software. The first time you access this tab, a popup displays No update information available, because the system has no previous contact with the update server and doesn't know which updates are available. Go ahead and close this popup, then select Check Now. Next, you'll download both PAN-OS 7.0.1 and 7.0.2. To allow for smaller, cumulative updates, the first image in a major code train is used as a base image. Any subsequent updates, or maintenance releases, are smaller and contain mostly updates. Install 7.0.2 in this instance, but go ahead and select a newer version if one is available. When you click Install, a warning may display. Click OK on the message and continue with the installation. After the installation completes, reboot the firewall to activate the new PAN-OS. In the event the device has an installed version older than the major version directly preceding the latest available major release, we'll need to install the next major version before upgrading. In our example, if the firewall were preinstalled with PAN-OS 6.0, we'd first need to install PAN-OS 6.1 before upgrading to PAN-OS 7.0.
3. Preparing security profiles
The system comes preloaded with a default security profile in each category. For now, you'll start the configuration with these default profiles, except for URL filtering. Navigate to the Objects Tab, select Security Profiles > URL Filtering and add a new URL filtering profile. In this first custom URL filtering profile, start by setting all actions to alert rather than allow, as the allow action doesn't create a URL filtering log entry. Set actions to alert to gain some insight into the kind of web browsing happening on the network. All other default profiles should already provide sufficient coverage for network security and for offensive sessions to become visible in the appropriate logs. Next up, you'll prepare the group of unwanted applications.
After downloading update packages, the firewall contains a lot of applications you can use to create a security policy, but these applications also come loaded with useful metadata to create groups of applications based on their behavior, called an application filter. Rather than having to manually add applications to a group and keep the list current, the application filter automatically adds new applications that match a certain behavior to the application filter, enabling the security policy to take appropriate action. Create an application filter with undesirable behavior for the first policy. Go to the Objects tab, then select Application Filters. As an example, you'll create an application filter called peer-to-peer, where you add all applications that match Subcategory file-sharingand Technology peer-to-peer. Now you're ready to set up your first security policy and look at the logs, but first, let's take a quick detour to look at the network configuration.
5. Network configuration
If you navigate to the Network tab and look at Interfaces, you see that interfaces 1 and 2 are both set up as Virtual Wire, or vwire, and are both added to the default-vwire. A vwire has some interesting advantages over other types of interface configurations: it is considered a bump-in-the-wire, which requires no IP address on the interface and no routing configuration. It can simply be plugged in between your router and switch to start passing traffic. We'll cover other interface types in upcoming articles, but for now, let's stick with the vwire configuration.
6. Security policy and logging
Now that you've prepared your device, let's look at the security policies and set up an initial configuration that allows good traffic to go out and bad traffic to be blocked. The initial security policy simply allows all outbound traffic, without inspection. There are two default rules that allow intrazone and block interzone traffic. We'll zoom in on these last two in an upcoming session as they are not currently relevant to the VWire. Start by editing rule1 and make it the 'bad applications' block rule: - Leave the source and destination as they are.
- Under Application > Application Filter, select peer-to-peer. It helps to type the name of the application or group you want to add—no need to scroll through all the applications:
- Under Actions, set the action to Deny as you don't like peer-to-peer, and click OK.
Next, you'll create a security policy to allow everything else out. We recommend you add applications to the *'allow'* *rule later,* but for now, let's block only the applications we know we don't like and allow the rest, so you can gain visibility into what kind of traffic is passing onto the Internet and decide if you want to block more applications down the line. - Under Source, select trust as the source zone associated with Interface 2, which is connected to the LAN switch.
- Under Destination, select untrust as the zone associated with Interface 1 and connected to the Internet router.
- Leave the applications as Any for now.
- Under Actions, you'll add security profiles to enable scanning of outgoing connections for malicious content or to apply URL filtering to browsing sessions.
Make sure the Internet-access policy is positioned below the bad-applications-block policy, as the security policy is processed top to bottom for every new connection, and the first positive match applies. If the bad-applications-block policy is located below the Internet-access rule, peer-to-peer applications will be allowed. Now go ahead and commit these changes and navigate to the Monitor tab. When the commit operation completes, the logs start filling up with interesting traffic, URL, and threat information, if any infections are detected.