Introduction to setup Palo Alto Networks firewall for Beginners

Endtrace
4 min readMar 23, 2022

--

For my first initial conversion, I used the community Palo Alto migration tool, which will help you convert a lot of the rules from an ASA (Nat and Security policies) into a format that is usable by PANOS. It will also do an object conversion as well, along with purging all the unused objects you don’t need. Not sure if this is compatible with Panorama, but for an ASA to PA firewall conversion (without Panorama) it was nice at first.

Now, this is a good way to get a bulk of the work done, but after the first migration with the tool, I found it much easier to do a complete security audit on your rules, because you still have to audit the tool’s output.

Image Credit — RtoDto .net

This is the procedure i use to deploy them (this is for version 7, it should apply for 6 and 8). This is a starting point, a collection of my experience and official Palo hardening guides. It is a bit messy, but it should give you some info. For the URL filtering i set everything to “alert” (otherwise you wont see in the logs) and p0rn/hacking/p2p etc on block. If someone complains they have to tell me why they need to access these sites. What is Firewall and its Types? — endtrace

  • connect to support website and register client and devices
  • register all additional licenses through auth codes in the website
  • Connect cable to MGMT port on the firewall
  • Firewall is at https://192.168.1.1
  • user: admin pass:admin
  • Apply default TLS/SSL profile in the management interface (device-setup)- The Device — SETUP of the configuration is not replicated and needs to be configured manually on each firewall if HA is in use
  • Setup time and timezone

Remove Default VirtualWire configuration:

  • go to policies-security
  • select rule 1 and delete
  • select network-virtual wires
  • select default virtual wire and delete
  • select network — zones
  • select each zone and click delete
  • select network — interfaces
  • select e1/1 and e1/2 interfaces and click delete
  • commit changes

Perform software upgrade to the latest version:

  • go to device-software
  • upload the file and perform upgrade

Configure Hostname and time:

  • device-management,
  • edit General settings

Configure HA:

  • IMPORTANT: the GROUP-ID in HA will determine the Virtual MAC address of the Firewall. If two pairs of Firewall are connected in the same L2 network (i.e. a WAN L2), ARP will be all wrong. Make sure to create a group ID different for the same customer.

Configure DNS and NTP Settings:

  • Device-setup-Services
  • Enter DNS server settings
  • check “Verify Update Server Identity”
  • configure Service route configuration

Rename Virtual Router:

  • Go to Network — Virtual Routers
  • Rename “default” to “VR1”

Set Latitude/Longitude in Device Setup

Create a new authentication profile:

  • Create a user in Device-Users and set a password
  • Go to device-Authentication profile
  • Create a new authentication profile (i.e. Admins) with 3 failed attempts and 15 minutes lockout and attach the user
  • Go to Device-administrators and create a new one and set the authentication profile to Admins

Enable user-Id on LAN zones:

  • Click on a LAN facing zone and enable User Identification
  • Enable Logging on default intra and inter zone rules (avail from PANOS 6.1 and over):
  • Click on each rule and select “override”
  • Go to Actions, Log settings enable “log at session end”

Create a Zone Protection Profile and apply to the Internet facing Zone

Security Profiles

  • Go to Objects — Security Profiles — Antivirus
  • clone the default policy, change its name and change as needed (usually all Reset-both)
  • Select Anti-spyware
  • clone the strict policy and change its name
  • in DNS-Signatures, enable “Enable Passive DNS monitoring”
  • Select Vulnerability Protection
  • Clone the strict Policy and change its name
  • Select URL Filtering
  • Clone the Default and change its name

SETTING UP A PALO ALTO NETWORKS FIREWALL BRIEFLY

Configure schedules for Dynamic Updates:

  • by defaylt Dynammic Updates will try to go through the Management Interface
  • To allow the firewall to download updates via the main internet link, change the settings on Device-setup-Services-service route Configuration
  • Also make sure DNS is specified under device-setup-services DNS
  • go to Device-Dynamic Updates
  • select check now
  • set all the schedule for all the dynamic updates (AV,Applications and Threats, GlobalProtect, Wildfire) and select download and install.

Issue the following commands:

configure set deviceconfig setting tcp urgent-data clear set deviceconfig setting tcp drop-zero-flag yes set deviceconfig setting application bypass-exceed-queue no set deviceconfig setting tcp bypass-exceed-oo-queue no set deviceconfig setting ctd tcp-bypass-exceed-queue no set deviceconfig setting ctd udp-bypass-exceed-queue no set deviceconfig setting tcp check-timestamp-option yes save config commit

Get Palo Alto Firewall Training by Industry Expert with best practice on real-time tasks

Change Master Key:

  • For HA, both of the Firewalls need to have same Master Key
  • Go to Device-Master Key
  • Set a new Master Key

Enable Log on High DP Load:

  • Device-setup-Logging-Log Export-Tick Enable log on High DP Load

Rule to block untrusted traffic:

  • Create a rule to allow SSL from internal and public trusted ip for management
  • Create a rule to allow DNS from the firewall public interface to out
  • Create a default NAT rules to allow internet traffic. should know how NAT works and Types in Palo Alto Firewall Technical topic discussion real world scenario
  • Create a rule before the inter/intra but at the end of all the rules to block all traffic from untrusted zones to all zones. THIS WILL BLOCK ALSO SSL MANAGEMENT Continue Reading

Recommended to Read:

What is Firewall and its Types? — endtrace

Best Check Point Firewall Training online from industry Expert

Best Cyber Security Analyst classes online Hyderabad by Expert

Best Palo Alto Firewall Training by Industry Expert

Best Cyber Security Course | SOC Analyst Training Online — Practical

How do I start learn Cybersecurity course — Complete Guide

--

--

Endtrace
Endtrace

Written by Endtrace

Endtrace an Online learning platform, it offers software courses like SEO, Digital Marketing, DotNet, java, Selenium Testing, DevOps, Network Security

No responses yet