Initial setup of Palo Alto Networks Next Generation Firewall

Ok, we just unboxed our PA-500 NG Firewall and we want to deploy it in our network for variety of purposes. Before we deploy it, there are several steps that should be taken care of, such as assigning IP parameters, registering with Paloalto Networks and so on. We will deal with deployment scenarios later as well as some standard use cases. For now, we just want to do initial tasks.

The model we will be working with is PA-500 which has eight ethernet ports for data plane and one ethernet port for management plane. In order to configure the box, we need to connect our laptop to the management port and assign our laptop with the IP address from the 192.168.1.2-192.168.1.254 range, because the default management IP address of PA is 192.168.1.1:

31-Jul-2014 9-22-06 AM

We will receive a certificate warning, which is ok, because this certificate is self-signed and as such is not trusted by our browser:

31-Jul-2014 9-24-04 AM

Then we log in with the default credentials of admin/admin:

31-Jul-2014 9-24-37 AM

We will be notified that we should change our credentials, which we will do in a later step:

31-Jul-2014 9-25-42 AM

After we successfully log in, we will see our management interface with basic informations:

31-Jul-2014 9-26-45 AM

We click Device->Administrators->admin, type old password and two times new password, then click OK:

31-Jul-2014 9-28-23 AM

Now we navigate to Device->Setup option, and under “General Settings” we click small settings icon. We then change some basic parameters:

31-Jul-2014 9-29-51 AM

31-Jul-2014 9-32-07 AM

We do the same for “Management Interface Settings”:

31-Jul-2014 9-34-08 AM

In the dialog that opens, we type in the new IP parameters that fit our network: IP address, Netmask and Default Gateway. In here we can also specify which management protocols are allowed to the box and from which addresses. If we don’t specify anything in the “Permitted IP Addresses” then any IP address will be able to connect. If we specify 10.0.0.0/24, for example, then only PCs from that range will be able to connect. Please note that on the picture the default gateway is same as the management IP address. This is wrong, but I was unable to correct the picture for reasons not important now 🙂 This should be valid default router IP address, for example 10.0.0.1:

31-Jul-2014 9-38-17 AM

Now we can make our changes permanent as part of startup configuration by clicking “Commit”:

31-Jul-2014 9-41-06 AM

31-Jul-2014 9-43-07 AM

Now we will be disconnected from the box because our IP address is 192.168.1.2 and the IP address of PA has changed. We could now change our IP address to be from the same segment as PA, and then reconnect to the box. We want to be nice to the box and shut it down gracefully, instead of just pulling out the cable. This is done by clicking Device->Operations->Shutdown Device:

31-Jul-2014 9-51-14 AM

31-Jul-2014 9-51-58 AM

There is a catch now: we don’t know when the box is down, because it will not power off by itself. So we can connect our serial sable to the console port with our terminal software and wait for the final shutdown message:

31-Jul-2014 9-53-52 AM

No we can pull out the cable and mount our PA box into datacenter. We now need to obtain our licenses from the PAN site and upgrade the software and various signatures. Before we can do that, we need to specify the DNS servers, so the box can reach out to the PAN site. This is done via Device->Services:

31-Jul-2014 10-45-45 AM

Then we specify our private DNS servers or public ones, depending on our network and security policies:

31-Jul-2014 10-46-50 AM

We are now ready for obtaining licenses and updating the box. We log in to our support page, support.paloaltonetworks.com and click Assets and then Register New Device. The dialog pops up requiring some basic information about the box. The most important one is the serial number which we obtain from our PA partner. After submitting the form, we are presented with features we are able to use:

11-Aug-2014 10-43-36 AM

After completing this task, we are returned back to main page where we can check out our license status, such as expiration date or if this license is evaluation (marked with a red capital T).  Now we go back to our box, and under Device->Licenses->Retrieve license keys from license server:

11-Aug-2014 10-49-13 AM

Finally, we may upgrade our software to the latest version. To check our version, as well as available versions we go under Device->Software:

11-Aug-2014 10-59-14 AM

Here we can see a bunch of stuff. Marked with red color is our current version with the option of re-install in the case of some sort of problem. Green squared are version downloaded to the box, but not active. We can activate any of them by clicking Install. Finally, blue squared are the most current version. We can download this or any other available version to the box and install it. This is exactly what we are going to do:

11-Aug-2014 11-03-52 AM

A time for coffee 🙂

11-Aug-2014 11-59-34 AM

After clicking OK, we may install the downloaded version:

11-Aug-2014 12-00-51 PM

11-Aug-2014 12-04-23 PM

After the installation is completed, we need to reboot our box:

11-Aug-2014 1-28-28 PM

After a reboot, we make sure that the device signatures and databases are current and we are ready to go. We can do that by clicking: Device->Dynamic Updates. Depending on our license, we can see different categories, when was the last update when will be next one and so on. We can wait for the next update cycle (01:02 in this case) or trigger the upgrade process manually:

11-Aug-2014 2-05-38 PM

 

We may change these settings by clicking at the schedule link. Also we should note the option of downloading only or downloading and installing updates:

11-Aug-2014 2-51-18 PM

 

Of course, we should not forget submitting our configuration.

Now we are ready for our first scenario. Next time…

 

 

Advertisements
This entry was posted in Firewall, Paloalto, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s