I recently added a Palo Alto Networks PA-820 Next Generation Firewall (NGFW) to my lab network. At Packet6, I've been involved with PAN NGFWs for a while, and we are a Palo Alto Networks reseller.
In this post, I will walk through a simple first-time setup of the PA-820. The goal is to set up a LAN, a WAN (using DHCP), and NAT to reach the Internet.
The process is very similar for other models.
Please note that my firewall is running PAN-OS v9.1.4.
Table of contents
- Register your firewall
- Access the NGFW
- Configure device settings
- Create a new superuser
- Commit your changes
- Interface configuration
- Configure the WAN interface
- Configure DHCP
- Default vwire
- Commit
- Management profile
- NAT
- Security ACLs
- Final thoughts
Register your firewall
You must create an account on the Palo Alto Networks Customer Support Portal.

To register your firewall, you need its serial number.
Sign in to the portal.
Click Register Device.

Select the radio button Register device using Serial Number, then click Next.

Under Device Registration, enter all the required information. This includes the serial number of the firewall and the location where the firewall is deployed. The location matters for RMAs. Then accept the EULA below.
There is an option to create a day 1 setup, but I'll skip that for now.

When you're done, your NGFW will be registered.

Access the NGFW
Connect to the firewall's MGMT interface.
Default IP
The MGMT interface is set to 192.168.1.1.
Set your network card to 192.168.1.2 with a mask of 255.255.255.0. You will not get a DHCP lease from the MGMT interface.

Then open a web browser to https://192.168.1.1. The NGFW login screen should appear.
Default username and password
The default username is: admin
The default password is: admin
After logging in, you will be prompted to change the password for the admin account, which is a superuser. The new password must be 8 characters long and contain uppercase letters, lowercase letters, numbers or special characters.

After changing your password you may be sent back to the login screen. Sign in again with the new password.
A welcome popup will appear. You can close it and view it again later. You are now in the NGFW and ready to set up the rest!

Configure device settings
Next we will configure some basic device settings. Nothing crazy.
Click the Device tab. In the left navigation bar, click Setup. The Management tab should be selected in the middle pane. There is a General Settings section; click its gear icon.

Let's add a hostname and login banner and set the timezone.
Here is the login banner I used.
Packet6 DISCLAIMER This is a private system to be accessed and used for authorized business purposes only. THERE IS NO RIGHT TO PRIVACY FOR ANYONE WHO ACCESSES OR USES THIS SYSTEM. Access to or use of this information system constitutes acceptance of these terms.

Create a new superuser
It is best to set up a new user account so that you are not using the default administrator account.
Let's create a new one. We can harden the accounts later. This is just the basic creation of an administrator account.
Click Administrators in the left navigation, then click Add at the bottom.

In the pop-up window, enter the account name. We won't set an authentication profile yet, so leave it at None. Create a password and select Dynamic as the administrator type. Select Superuser from the drop-down menu.
There are two types of administrators:
- Dynamic
- Role Based
The latter is the safer way to define administrators. The dynamic type uses the built-in roles:
- Superuser
- Superuser (read-only)
- Virtual system administrator
- Virtual system administrator (read-only)
- Device administrator
- Device administrator (read-only)

Commit your changes
We are now in a good place to commit our changes to the running configuration.
A commit takes the candidate configuration and applies it to the running configuration.
The Commit button is at the top right.

You'll see a commit popup where you can preview your changes and add a commit comment.

Before clicking Commit, click Preview Changes to see what is included in this commit scope.
It's a good idea to review the changes being applied so you don't cause a problem.

Click Change Summary for a different view of the changes. I like this view much better. It shows other details, such as the changed object, its location, and the user account that made the change.

We can also validate the changes for errors.
As a best practice, add a commit comment, then click Commit. It takes a moment ☕️
If the result is successful, good work! 👍
Interface configuration
Before we can have full network connectivity, we need to configure our interfaces.
Let's create our first network. We need an interface for our WAN and LAN. I will configure the WAN on the Ethernet1/1 interface and the LAN on the Ethernet1/2 interface.
Click the Network tab, then click Interfaces in the left navigation bar.

By default, both interfaces I want to configure are set to the Virtual Wire interface type (I won't go into interface types in this post). We will change this.
Configure the WAN interface
Click Ethernet1/1.
Give the interface a comment.
Click the Interface Type drop-down menu and change it to Layer3.

Under the Config tab, set the Virtual Router to default. I'll cover virtual routers in another post.

Click the IPv4 tab.
My WAN is DHCP only, so I'll change the Type to DHCP Client.
Then click OK.

Click Zones in the left navigation.
By default, there are two zones: trust and untrust.
Zones are used to group physical and virtual interfaces.
Click untrust.
Change the Type to Layer3.
Click Add and include interface Ethernet1/1.
Then click OK.
Untrust zone
We put Ethernet1/1 in the untrust zone because this is where I connect to my ISP. We don't trust the Internet, hence the untrust zone.
Go back to the Interfaces configuration section.
Click interface Ethernet1/2.
Add a comment for the interface.
Set the interface type to Layer3.
Change the virtual router to default. (We will get to the trust zone shortly.)

Click the IPv4 tab.
Let's start creating our LAN by configuring the gateway address, so that the LAN sits on the Ethernet1/2 interface.
Leave the Type as Static.
In the IP section, click Add.
Enter the IP for your new network; I'm using 10.1.1.1/24.
Then click OK.

Back to Zones.
Click the trust zone.
Change the type to Layer3.
Add interface Ethernet1/2 to the Interfaces list, then click OK.
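Before committing, it helps to sanity-check the layout built in the steps above. The Python script below is an added example written for this post; it is not Palo Alto Networks code and does not talk to the firewall or its API. It models the interfaces, zones and virtual router from these steps as plain data (the lab values are constructed to match the post) and flags the mistakes that usually surface as commit errors or as traffic that never flows: an interface left as virtual wire, a Layer 3 interface with no zone, a zone whose type does not match its members, or an interface missing from the virtual router.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    itype: str                       # "layer3" or "virtual-wire"
    comment: str = ""
    ip: Optional[str] = None         # static address such as "10.1.1.1/24"
    dhcp_client: bool = False
    virtual_router: Optional[str] = None


@dataclass
class Zone:
    name: str
    ztype: str                       # "layer3" or "virtual-wire"
    interfaces: List[str] = field(default_factory=list)


def check_layout(interfaces: List[Interface], zones: List[Zone]) -> List[str]:
    """Return human-readable problems; an empty list means the layout is consistent."""
    problems: List[str] = []
    by_name: Dict[str, Interface] = {i.name: i for i in interfaces}
    zone_of: Dict[str, str] = {}

    for z in zones:
        for ifname in z.interfaces:
            if ifname in zone_of:
                problems.append(f"{ifname} is in two zones: {zone_of[ifname]} and {z.name}")
            zone_of[ifname] = z.name
            member = by_name.get(ifname)
            if member is None:
                problems.append(f"zone {z.name} references unknown interface {ifname}")
            elif member.itype != z.ztype:
                # A zone only accepts interfaces of its own type; mixing them is a commit error.
                problems.append(f"zone {z.name} is {z.ztype} but {ifname} is {member.itype}")

    for i in interfaces:
        if i.itype != "layer3":
            continue                 # only Layer 3 interfaces need a zone, a router and an address
        if i.name not in zone_of:
            problems.append(f"{i.name} has no zone, so no security rule can match its traffic")
        if i.virtual_router is None:
            problems.append(f"{i.name} is not in a virtual router, so nothing can be routed through it")
        if i.ip is None and not i.dhcp_client:
            problems.append(f"{i.name} has neither a static address nor DHCP client enabled")
    return problems


# Constructed sample matching the post: WAN on ethernet1/1 as a DHCP client,
# LAN on ethernet1/2 with 10.1.1.1/24, both Layer 3 in the "default" router.
LAB_INTERFACES = [
    Interface("ethernet1/1", "layer3", "WAN", dhcp_client=True, virtual_router="default"),
    Interface("ethernet1/2", "layer3", "LAN", ip="10.1.1.1/24", virtual_router="default"),
]
LAB_ZONES = [
    Zone("untrust", "layer3", ["ethernet1/1"]),
    Zone("trust", "layer3", ["ethernet1/2"]),
]

# The same layout with two of the post's steps skipped: the untrust zone left as
# virtual wire and the LAN interface never added to the virtual router.
BROKEN_INTERFACES = [
    Interface("ethernet1/1", "layer3", "WAN", dhcp_client=True, virtual_router="default"),
    Interface("ethernet1/2", "layer3", "LAN", ip="10.1.1.1/24"),
]
BROKEN_ZONES = [
    Zone("untrust", "virtual-wire", ["ethernet1/1"]),
    Zone("trust", "layer3", ["ethernet1/2"]),
]

if __name__ == "__main__":
    print("lab layout:", check_layout(LAB_INTERFACES, LAB_ZONES))
    for p in check_layout(BROKEN_INTERFACES, BROKEN_ZONES):
        print("broken layout:", p)
```

The check is deliberately zone-centric: on this platform a packet can only be matched by a security rule once its ingress and egress interfaces belong to zones, so an interface that is Layer 3 but zoneless is the first thing to look for when a freshly committed LAN carries no traffic.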

Configure DHCP
Our LAN requires a DHCP scope. We're not animals just setting static IP addresses for our LAN, right?
Under the Network tab, click DHCP in the left navigation.
In the DHCP Server tab, click Add and we will create a scope for our new network, 10.1.1.0/24. You can change this to any network you choose, as long as the static IP created earlier is on the same subnet.

Select the LAN interface we set up earlier, Ethernet1/2, from the Interface drop-down menu.
Under the Lease section, I like to select "Ping IP when allocating new IP" and set a lease timeout.
Under IP Pools, click Add and create a pool like I did.

Then click the Options tab.
We need to set the Gateway, Subnet Mask, and DNS servers.
Then click OK.
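The remark above that the scope has to share a subnet with the static interface address is worth checking mechanically, because a mistyped pool still commits cleanly and only shows up as clients that cannot reach the gateway. The Python function below is an added example for this post, not PAN-OS code; it validates a constructed scope like the one configured here using only the standard library. The 10.1.1.1/24 interface and gateway come from the post; the 10.1.1.100 to 10.1.1.200 pool and the 1.1.1.1 resolver are assumed sample values.

```python
import ipaddress
from typing import Dict, List


def validate_dhcp_scope(scope: Dict) -> List[str]:
    """Return a list of problems with a DHCP server scope; empty means consistent.

    scope keys: interface_ip (CIDR), pool_start, pool_end, gateway, subnet_mask, dns.
    """
    problems: List[str] = []
    iface = ipaddress.ip_interface(scope["interface_ip"])   # e.g. 10.1.1.1/24
    net = iface.network
    start = ipaddress.ip_address(scope["pool_start"])
    end = ipaddress.ip_address(scope["pool_end"])
    gw = ipaddress.ip_address(scope["gateway"])

    if start > end:
        problems.append(f"pool start {start} comes after pool end {end}")
    # Everything handed to clients has to live in the interface's subnet,
    # otherwise clients receive leases they cannot use to reach the firewall.
    for label, addr in (("pool start", start), ("pool end", end), ("gateway", gw)):
        if addr not in net:
            problems.append(f"{label} {addr} is not inside {net}")
    if gw != iface.ip:
        problems.append(f"gateway option {gw} is not the interface address {iface.ip}")
    if start <= gw <= end:
        problems.append(f"pool {start}-{end} would lease the gateway address {gw} to a client")
    if scope["subnet_mask"] != str(net.netmask):
        problems.append(f"subnet mask option {scope['subnet_mask']} does not match {net.netmask}")
    if net.network_address in (start, end) or net.broadcast_address in (start, end):
        problems.append("pool includes the network or broadcast address")
    for resolver in scope["dns"]:
        try:
            ipaddress.ip_address(resolver)
        except ValueError:
            problems.append(f"DNS option {resolver!r} is not an IP address")
    return problems


def usable_leases(scope: Dict) -> int:
    """How many addresses the pool can hand out (inclusive range)."""
    start = int(ipaddress.ip_address(scope["pool_start"]))
    end = int(ipaddress.ip_address(scope["pool_end"]))
    return max(0, end - start + 1)


# Constructed scope matching the post's LAN on ethernet1/2.
LAB_SCOPE = {
    "interface_ip": "10.1.1.1/24",
    "pool_start": "10.1.1.100",
    "pool_end": "10.1.1.200",
    "gateway": "10.1.1.1",
    "subnet_mask": "255.255.255.0",
    "dns": ["1.1.1.1"],
}

# A mistyped pool in 10.1.2.0/24: clients would get leases on a subnet the
# firewall's interface is not on, which is exactly the mismatch the post warns about.
WRONG_SUBNET_SCOPE = dict(LAB_SCOPE, pool_start="10.1.2.100", pool_end="10.1.2.200")

if __name__ == "__main__":
    print(validate_dhcp_scope(LAB_SCOPE), usable_leases(LAB_SCOPE))
    for problem in validate_dhcp_scope(WRONG_SUBNET_SCOPE):
        print("problem:", problem)
```

Keeping the firewall's own address out of the pool is the one check that the GUI will not do for you; a duplicate-address conflict with the gateway is painful to diagnose from the client side, which is also why the "Ping IP when allocating new IP" option mentioned above is worth enabling.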

Default vwire
Delete the default vwire, since we won't be using it.
The default-vwire is used with virtual wire interfaces. You can read more about it on the Palo Alto Networks website.
Commit
Let's commit our changes from the candidate configuration to the running configuration.
Next we test the LAN interface.
I connect my laptop to Ethernet1/2 and see if I can get a DHCP lease.

Sweet, I'm getting an IP address within the DHCP range we configured. I see that I have an assigned gateway and DNS server. Can I ping the gateway 10.1.1.1?
% ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- 10.1.1.1 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
If we want the interface to answer pings, we need to configure an interface management profile for it.
I will reconnect to the MGMT interface where HTTPS and SSH are allowed.
Management profile
Click the Network tab, then click Interface Mgmt under Network Profiles in the left navigation bar.
Just for convenience and for training purposes, I will create an interface management profile that allows HTTPS, SSH and Ping on Ethernet1/2.
Click Add.

Create a name for this interface management profile.
Allow HTTPS and SSH in the Administrative Management Services section.
Allow Ping in the Network Services section.
You can be more restrictive by permitting access to these services only from specific IP addresses.
Click OK.

Click the Interfaces submenu item.
Click Ethernet1/2 (or whichever interface you configured for the LAN).
Click the Advanced tab.
Under Other Info, click the Management Profile drop-down menu and select the newly created interface management profile.
Click OK.

You will get a warning. Understand how this interface management profile affects your network.
Proceed by clicking Yes.
Now commit your changes.
Let's test the LAN by connecting your laptop to Ethernet1/2. Don't forget to re-enable DHCP on your laptop interface, then ping the gateway.
% ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.989 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=0.915 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=64 time=1.180 ms
^C
--- 10.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.915/1.028/1.180/0.112 ms
What about HTTPS? In the screenshot below you can see that it works. It even has our login banner. This will really scare off the bad guys 😉 And I can successfully log in with my newly created superuser account.
You can even see the DHCP lease in the system logs.


NAT
Connect your WAN connection.
If I update my system logs, we can see that my ISP's modem provided a DHCP lease. It's easy to configure the Palo Alto Networks NGFW WAN interface as a DHCP client.

Can we ping the Internet? No!
% ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
We need to configure NAT!
Click the Policies tab, then NAT in the left navigation.
Click Add to create a new NAT policy.

In the NAT Policy Rule window, enter a Name, a Description, and a Tag.

Then click the Original Packet tab.
For Source Zone, add the trust zone. This is the zone Ethernet1/2 is in.
Under Destination Zone, choose untrust from the drop-down menu. This is the zone configured for our WAN interface, Ethernet1/1.
For Destination Interface, you can leave it as is, but I am selecting ethernet1/1 here.

Click the Translated Packet tab.
Set Translation Type to Dynamic IP And Port.
Set Address Type to Interface Address.
Set Interface to our WAN interface.
Set IP Address to None (because we use DHCP).
Click OK.
Commit the changes.

This is what the NAT policy looks like.

Now test the ping and web browsing.
% ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=55 time=30.468 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=55 time=28.170 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=55 time=27.824 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 27.824/28.821/30.468/1.173 ms
The DNS is good too.
% ping google.com
PING google.com (142.250.217.142): 56 data bytes
64 bytes from 142.250.217.142: icmp_seq=0 ttl=114 time=27.169 ms
64 bytes from 142.250.217.142: icmp_seq=1 ttl=114 time=... ms
64 bytes from 142.250.217.142: icmp_seq=2 ttl=114 time=28.073 ms
Security ACLs
It's important to note that a default security rule, Rule1, is included. It allows traffic from the trust zone to the untrust zone.
You can see the hit count for the traffic.

You must specify what is allowed through the firewall, and Rule1 allows any traffic originating from the trust zone to the Internet (untrust zone). When Rule1 is disabled, our traffic doesn't reach the Internet.
Our NAT policy also has a growing hit count.
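The NAT section and the Security ACLs section above describe two separate lookups that both have to succeed before a LAN host reaches the Internet. The Python model below is an added example written for this post, not PAN-OS code, and it covers both passages: the source NAT rule (trust to untrust, Dynamic IP And Port, translated to the address of ethernet1/1) and the first-match security rulebase with its implicit interzone deny. The WAN address is whatever DHCP handed ethernet1/1; 203.0.113.10 is a documentation address standing in for it, and the 10.1.1.50 client and port numbers are constructed. Security policy is evaluated on the original addresses and the post-NAT zones, which is why the verdict is taken before the translation is applied here, and why disabling Rule1 stops all traffic even though the NAT rule still matches.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed lab values; 203.0.113.10 is a placeholder for the DHCP-assigned WAN address.
ZONE_OF_INTERFACE = {"ethernet1/1": "untrust", "ethernet1/2": "trust"}
INTERFACE_ADDRESS = {"ethernet1/1": "203.0.113.10", "ethernet1/2": "10.1.1.1"}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    to_interface: str          # egress interface whose address becomes the new source
    enabled: bool = True


@dataclass
class SecurityRule:
    name: str
    from_zone: str             # "any" or a zone name
    to_zone: str
    action: str                # "allow" or "deny"
    enabled: bool = True


class DynamicIpAndPort:
    """Source NAT to the egress interface address, one new source port per flow."""

    def __init__(self, rules: List[NatRule]):
        self.rules = rules
        self._next_port = 20000
        self.table: Dict[Tuple, Tuple[str, int]] = {}   # original flow -> (ip, port)

    def translate(self, pkt: Packet) -> Optional[Packet]:
        for r in self.rules:
            if r.enabled and r.from_zone == pkt.src_zone and r.to_zone == pkt.dst_zone:
                key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
                if key not in self.table:             # an existing flow keeps its mapping
                    self.table[key] = (INTERFACE_ADDRESS[r.to_interface], self._next_port)
                    self._next_port += 1
                ip, port = self.table[key]
                return Packet(pkt.src_zone, pkt.dst_zone, ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        return None   # no NAT rule matched: the packet would leave untranslated


def security_verdict(rules: List[SecurityRule], pkt: Packet) -> Tuple[str, str]:
    """First enabled rule whose zones match wins; otherwise the implicit rules apply."""
    for r in rules:
        if not r.enabled:
            continue
        if r.from_zone in ("any", pkt.src_zone) and r.to_zone in ("any", pkt.dst_zone):
            return r.name, r.action
    # Built-in defaults: traffic within a zone is allowed, traffic between zones is denied.
    if pkt.src_zone == pkt.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def forward(nat: DynamicIpAndPort, rules: List[SecurityRule], pkt: Packet):
    """Return (matched rule, action, packet as it would leave) for one flow."""
    name, action = security_verdict(rules, pkt)
    if action != "allow":
        return name, action, None
    translated = nat.translate(pkt)
    return name, action, translated if translated is not None else pkt


# Constructed flow: a LAN client resolving a name via 1.1.1.1, as in the post's tests.
LAN_TO_INTERNET = Packet("trust", "untrust", "10.1.1.50", 51000, "1.1.1.1", 53)


def run_lab(rule1_enabled: bool = True):
    """Build the post's NAT rule and Rule1, then push one LAN-to-Internet flow through."""
    nat = DynamicIpAndPort([NatRule("outbound-nat", "trust", "untrust", "ethernet1/1")])
    rulebase = [SecurityRule("Rule1", "trust", "untrust", "allow", enabled=rule1_enabled)]
    return forward(nat, rulebase, LAN_TO_INTERNET)


if __name__ == "__main__":
    print("Rule1 enabled: ", run_lab(True))
    print("Rule1 disabled:", run_lab(False))
```

Run it and the second line shows the situation described above: with Rule1 disabled the flow falls through to the interzone default and is dropped before NAT is ever consulted, so the NAT hit count stops growing along with the security hit count. The model also makes the direction of the rule visible: a packet arriving from untrust matches neither the NAT rule nor Rule1, which is the behaviour you want from the WAN side.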

Final thoughts
This is the basic configuration of a Palo Alto Networks firewall: we set up an admin account, basic system settings, interfaces, and NAT.
Our setup works for basic lab and Internet use. There are advanced settings to secure this firewall and network, which I will cover in the future.
To see more tutorials like this one, sign up for my email list. I will be exploring further settings of my lab PA-820.