Introduction to Setting Up a Palo Alto Networks Firewall for Beginners

  • connect to support website and register client and devices
  • register all additional licenses through auth codes in the website
  • Connect cable to MGMT port on the firewall
  • Firewall is at
  • user: admin pass:admin
  • Apply the default TLS/SSL profile to the management interface (Device-Setup). The Device-Setup part of the configuration is not replicated and needs to be configured manually on each firewall if HA is in use
  • Setup time and timezone
  • go to policies-security
  • select rule 1 and delete
  • select network-virtual wires
  • select default virtual wire and delete
  • select network — zones
  • select each zone and click delete
  • select network — interfaces
  • select e1/1 and e1/2 interfaces and click delete
  • commit changes
  • go to device-software
  • upload the file and perform upgrade
  • device-management
  • edit General settings
  • IMPORTANT: the Group ID in HA determines the virtual MAC address of the firewall. If two firewall pairs are connected to the same L2 network (e.g. a WAN L2), ARP will be all wrong. Make sure to use a different group ID for each pair of the same customer.
  • Device-setup-Services
  • Enter DNS server settings
  • check “Verify Update Server Identity”
  • configure Service route configuration
  • Go to Network — Virtual Routers
  • Rename “default” to “VR1”
  • Create a user in Device-Users and set a password
  • Go to device-Authentication profile
  • Create a new authentication profile (e.g. Admins) with 3 failed attempts and a 15-minute lockout, and attach the user
  • Go to Device-administrators and create a new one and set the authentication profile to Admins
  • Click on a LAN facing zone and enable User Identification
  • Enable logging on the default intrazone and interzone rules (available from PAN-OS 6.1 onwards):
  • Click on each rule and select “override”
  • Go to Actions, Log settings enable “log at session end”
  • Go to Objects — Security Profiles — Antivirus
  • clone the default policy, change its name and change as needed (usually all Reset-both)
  • Select Anti-spyware
  • clone the strict policy and change its name
  • in DNS-Signatures, enable “Enable Passive DNS monitoring”
  • Select Vulnerability Protection
  • Clone the strict Policy and change its name
  • Select URL Filtering
  • Clone the Default and change its name
  • By default, Dynamic Updates will try to go through the management interface
  • To allow the firewall to download updates via the main internet link, change the settings on Device-setup-Services-service route Configuration
  • Also make sure DNS is specified under device-setup-services DNS
  • go to Device-Dynamic Updates
  • select check now
  • Set the schedule for all the dynamic updates (AV, Applications and Threats, GlobalProtect, WildFire) and select download and install.
  • For HA, both of the Firewalls need to have same Master Key
  • Go to Device-Master Key
  • Set a new Master Key
  • Device-setup-Logging-Log Export: tick “Enable log on High DP Load”
  • Create a rule to allow SSL from internal and public trusted IPs for management
  • Create a rule to allow DNS from the firewall public interface to out
  • Create default NAT rules to allow internet traffic
  • Create a rule before the inter/intra rules, but at the end of all the other rules, to block all traffic from untrusted zones to all zones. THIS WILL ALSO BLOCK SSL MANAGEMENT
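
One way to check an exported configuration against several items in the checklist above (Verify Update Server Identity, the virtual router rename, logging on the default rules, the 3-attempt/15-minute lockout). This is an added example, not part of the original post; the XML is a constructed sample and its element names are assumed to follow the PAN-OS running-config export, so confirm them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of an exported running-config. Element names are
# an assumption about the PAN-OS export layout; verify against a real export.
SAMPLE = """
<config>
  <shared><authentication-profile><entry name="Admins">
    <lockout><failed-attempts>3</failed-attempts><lockout-time>15</lockout-time></lockout>
  </entry></authentication-profile></shared>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system><server-verification>no</server-verification></system></deviceconfig>
    <network><virtual-router><entry name="default"/></virtual-router></network>
    <vsys><entry name="vsys1"><rulebase><default-security-rules><rules>
      <entry name="intrazone-default"><log-end>yes</log-end></entry>
      <entry name="interzone-default"/>
    </rules></default-security-rules></rulebase></entry></vsys>
  </entry></devices>
</config>
"""

def audit(xml_text):
    """Return a sorted list of checklist items the config does not satisfy."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext(".//deviceconfig/system/server-verification") != "yes":
        findings.append("Verify Update Server Identity is not enabled")
    if root.find(".//virtual-router/entry[@name='default']") is not None:
        findings.append("virtual router 'default' has not been renamed")
    # Both predefined rules need an override with "log at session end".
    for rule in ("intrazone-default", "interzone-default"):
        path = f".//default-security-rules/rules/entry[@name='{rule}']/log-end"
        if root.findtext(path) != "yes":
            findings.append(f"{rule}: log at session end is off")
    profiles = root.findall(".//authentication-profile/entry")
    if not profiles:
        findings.append("no authentication profile defined")
    for prof in profiles:
        attempts = prof.findtext("lockout/failed-attempts")
        minutes = prof.findtext("lockout/lockout-time")
        if (attempts, minutes) != ("3", "15"):
            findings.append(f"auth profile {prof.get('name')}: lockout is "
                            f"{attempts}/{minutes}, expected 3/15")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("FAIL:", line)
```
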






Endtrace is an online learning platform that offers software courses such as SEO, Digital Marketing, DotNet, Java, Selenium Testing, DevOps and Network Security