Palo Alto Networks #1: Initial Configuration (for beginners)

This post aims to give an introduction to configuring a Palo Alto Networks firewall for its initial deployment. As it is written for beginners, I would like to cover the following topics:

  • Configure management interface settings (i.e. IP address, default gateway) via the console
  • Assign IP addresses to ethernet interfaces and default gateway
  • Configure NAT and Security Policies to allow Internet access to internal clients

For this purpose, we will be using the following simple topology:

[Image: topology diagram]

Management Interface Settings

You can use the following console settings to connect to the firewall.

Bits per sec    =  9600
Data bits       =     8
Parity          =  none
Stop bits       =     1
Flow control    =  none

Once you are connected to the firewall, use the default credentials to log in.

user: admin
password: admin

Now we are in, and it is time to configure the management IP, DNS server, etc. and to change the default admin password.

> set cli config-output-format set  <-- This switches to the set-based display instead of the default config output
> configure
# set mgt-config users admin password
# set deviceconfig system hostname PA1
# set deviceconfig system ip-address 10.100.100.150 netmask 255.255.255.0 default-gateway 10.100.100.1 dns-setting servers primary 8.8.8.8

Bear in mind that the management interface is isolated, i.e. it needs its own default gateway. This doesn't have to be the default gateway of your firewall through which all your clients' traffic passes.

Now let's check the configuration we have made.

# show deviceconfig
set deviceconfig system ip-address 10.100.100.150
set deviceconfig system netmask 255.255.255.0
set deviceconfig system hostname PA1
set deviceconfig system default-gateway 10.100.100.1
set deviceconfig system dns-setting servers primary 8.8.8.8

It looks good, I think. Now it is time to commit the changes and test whether the management interface can reach its gateway.

Note: The commit will take some time, depending on the platform.

# commit
# exit

admin@PA1> ping count 2 host 10.100.100.1
PING 10.100.100.1 (10.100.100.1) 56(84) bytes of data.
64 bytes from 10.100.100.1: icmp_seq=1 ttl=64 time=3.12 ms
64 bytes from 10.100.100.1: icmp_seq=2 ttl=64 time=5.38 ms

--- 10.100.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 3.120/4.252/5.385/1.134 ms

Yep, we can reach the gateway. If you don't get any response, check the management ARP table to see whether the gateway's MAC address has been resolved, via:

admin@PA1> show arp management dns no

Address                  HWtype  HWaddress           Flags Mask            Iface
10.100.100.1             ether   00:0c:29:a9:cd:5c   C                     eth0

Now you should be able to connect to the web interface. You will see something similar on 7.1.x releases.

[Image: web interface after first login]

Assign IP addresses to ethernet interfaces

Now we assign an IP address to the Internet-facing interface ethernet1/1. For this, follow Network->Interfaces->ethernet1/1 and you will get the following.

[Image: ethernet1/1 interface settings]

Each interface must belong to a virtual router and a zone. Hence, assign the interface to the default virtual router and create a zone by clicking "Zone". On the new menu, just type "Internet" as the zone name and click OK, after which you will come back to this menu.

Note: Your list of zones will be empty in an initial deployment. Because I had the zone "Internet" configured before, it was already populated here.

Repeat the same steps for the interface ethernet1/2. In my example, I assign the IP 10.2.2.1/24 to this LAN interface and assign the interface to a security zone named "LAN".

Now, once you look at the interface overview as below, you will see the IP addresses, virtual router and security zones set.

[Image: interface overview]

Interface IP addresses are set, but we haven't configured the default gateway of the default virtual router yet. For this, follow Network->Virtual Routers->Default->Static Routes and, once you are on this menu, click "Add" to add a new route, which is our default 0.0.0.0/0 route.

[Image: static route settings]

Click OK on both windows.

Now I must tell you something: none of the changes has taken effect yet. In order for the changes to take effect we must commit, as we did on the CLI at the beginning of the post, but this time on the GUI. Go to the upper right corner and click Commit, and you will get a second commit window as below. Go ahead and commit.

[Image: commit dialog]

If you are wondering what the Save button there is for, it just saves your changes to a separate config file, which doesn't need to be your running config. By saving after changes, you can always revert to a known working saved config.

Is the commit finished? Let's ping Google's DNS server to make sure we have Internet access. If you don't get a response, ping your gateway and check your connectivity towards it. You should have a ping response at this step.

admin@PA1> ping count 2 source 192.168.6.3 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.6.3 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=10.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=14.6 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 10.641/12.660/14.679/2.019 ms

Yes, it works. Now we need to configure NAT and a security policy for the clients in the LAN.

Configure NAT and Security Policies

Follow Policies->NAT and click Add at the bottom left corner of the screen. Give the rule the name "lan-clients" under the General tab, configure the rest as shown below according to your IP range, zones and external IP address, and click OK.

[Image: NAT rule, original packet]

[Image: NAT rule, translated packet]

We have configured NAT; now it is time for the security policy. Follow Policies->Security, where you will see two default policies already.

intrazone-default: This policy is for traffic coming from a zone and destined to the same zone. You SHOULD NOT change this default unless you know what you are doing, as you might break something that relies on it.

interzone-default: This is your default deny policy for traffic coming from one zone and destined to another zone. This SHOULD remain DENY.

Now let's configure our policy for our clients. Click "Add" at the bottom of the screen. Give the security rule a name and set the source/destination as below.

Source
[Image: security rule, Source tab]

Destination
[Image: security rule, Destination tab]

Actions
[Image: security rule, Actions tab]

By default, the action will be set to allow with "Log at session end", which means traffic will be allowed and, once the session is closed, it is logged. Don't choose "Log at session start" unless you are doing some testing.

After all these changes, do another commit as you did before.

Now we do a test. From a client PC, we run ping towards 8.8.8.8 and check the session table on the firewall.

admin@PA1> show session all filter destination 8.8.8.8

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
99           ping           ACTIVE  FLOW  NS   10.2.2.11[1]/LAN/1  (192.168.6.3[1])
vsys1                                          8.8.8.8[12]/Internet  (8.8.8.8[12])
96           ping           ACTIVE  FLOW  NS   10.2.2.11[1]/LAN/1  (192.168.6.3[1])
vsys1                                          8.8.8.8[9]/Internet  (8.8.8.8[9])
98           ping           ACTIVE  FLOW  NS   10.2.2.11[1]/LAN/1  (192.168.6.3[1])
vsys1                                          8.8.8.8[11]/Internet  (8.8.8.8[11])
97           ping           ACTIVE  FLOW  NS   10.2.2.11[1]/LAN/1  (192.168.6.3[1])
vsys1                                          8.8.8.8[10]/Internet  (8.8.8.8[10])

As per the session table, the pings are allowed and the application is identified as ping. By the way, the flag "NS" indicates that NAT is involved and that it is source NAT.
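As an added example (not from the original post), here is a small Python parser for the two-line-per-session table above. It checks that every LAN-to-Internet session carries the NS flag and is translated to the external address 192.168.6.3; the sample text is the post's own output embedded as a constructed string, and the zone names and external IP are those of this topology.

```python
import re

# Constructed sample: the "show session all" table from the post (two lines per session).
SESSION_OUTPUT = """\
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
99           ping           ACTIVE  FLOW  NS   10.2.2.11[1]/LAN/1  (192.168.6.3[1])
vsys1                                          8.8.8.8[12]/Internet  (8.8.8.8[12])
96           ping           ACTIVE  FLOW  NS   10.2.2.11[1]/LAN/1  (192.168.6.3[1])
vsys1                                          8.8.8.8[9]/Internet  (8.8.8.8[9])
98           ping           ACTIVE  FLOW  NS   10.2.2.11[1]/LAN/1  (192.168.6.3[1])
vsys1                                          8.8.8.8[11]/Internet  (8.8.8.8[11])
97           ping           ACTIVE  FLOW  NS   10.2.2.11[1]/LAN/1  (192.168.6.3[1])
vsys1                                          8.8.8.8[10]/Internet  (8.8.8.8[10])
"""

# First line of a session: ID, app, state, type, optional flag (blank when no NAT applies),
# original source with zone/protocol, then the translated source in parentheses.
SRC_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
    r"(?:(?P<flag>[A-Z]+)\s+)?(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<src_zone>[^/]+)/(?P<proto>\d+)"
    r"\s+\((?P<xlat_src>[\d.]+)\[(?P<xlat_sport>\d+)\]\)\s*$"
)
# Second line: vsys, destination with zone, translated destination in parentheses.
DST_RE = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dst_zone>\S+)"
    r"\s+\((?P<xlat_dst>[\d.]+)\[(?P<xlat_dport>\d+)\]\)\s*$"
)

def parse_sessions(text):
    """Return one dict per session, pairing each ID line with the vsys line below it."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("-")]
    sessions, i = [], 0
    while i + 1 < len(lines):
        m1, m2 = SRC_RE.match(lines[i]), DST_RE.match(lines[i + 1])
        if not (m1 and m2):          # header or unrecognised line: skip it
            i += 1
            continue
        rec = {**m1.groupdict(), **m2.groupdict()}
        rec["id"], rec["flag"] = int(rec["id"]), rec["flag"] or ""
        sessions.append(rec)
        i += 2
    return sessions

def unnatted_lan_sessions(sessions, lan_zone="LAN", inet_zone="Internet", external_ip="192.168.6.3"):
    """IDs of LAN->Internet sessions lacking the NS (source NAT) flag or not hidden behind external_ip."""
    return [s["id"] for s in sessions
            if s["src_zone"] == lan_zone and s["dst_zone"] == inet_zone
            and (s["flag"] != "NS" or s["xlat_src"] != external_ip)]
```

An empty list from unnatted_lan_sessions() means every LAN client session left through the NAT rule as intended; any ID it returns is a session that would reach the Internet with its private source address.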

Now we will see how the traffic is logged. Go to Monitor->Logs->Traffic and observe the following:

[Image: traffic log]

Note that you don't see a log entry for every ICMP packet you send. Once you click on a log entry you will see the repeat count, which I think shows how many ICMP packets that entry represents.

I think this post ends here. I hope it helps an end user to do this basic configuration so that you don't need to call the TAC support line :) Please drop a comment if you have any feedback.

Note 1: In a Palo Alto Networks firewall, you can create objects for IP addresses, subnets, etc. For this you need to go to Objects->Addresses, create the object and then refer to it under the interface or the security/NAT policy. In this post, however, I wrote IP addresses directly without any objects.

Note 2: For the simplicity of this post, we allow everything for these sample clients. You probably need to allow only the applications you actually need.

Genco.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


13 thoughts on “Palo Alto Networks #1: Initial Configuration (for beginners)”

  1. Hi Sir,

    Would like to ask for your comments if there's any implication when creating a PA firewall rule that allows multiple source security zones to one destination security zone? I am trying to highlight if there's a potential of an adversary performing VLAN hopping within those source security zones? Is there any pro vs con of having multiple security zones defined within a single rule?
    Thank you.

    1. Hi Dennis,
      I hadn't thought about such an implication actually before, but to the best of my knowledge it shouldn't. An interface must belong to a zone and during session creation a zone lookup is performed, according to which security rules are also scanned for the context match. Whether you have multiple or a single zone, I think it shouldn't matter. The only thing is that if another admin adds a second zone on the destination zone, that might cause some unwanted traffic to be allowed if the intention is to allow only from a few of the source zones. Otherwise it also reduces the number of rules you have. Not much of a help from my side, but if you learn anything please drop your comment here.

      1. Hi Sir,

        I did think of the interface bit, but what if multiple security zones are tied to one physical interface via sub-interfaces/VLANs? Then there might be a potential of VLAN hopping making its way to another unintended network? Am I thinking too much?

        1. In your scenario, I think I would call it a config issue/mistake. Let's say that such a thing happened and traffic pretends to be coming from a different interface; thus a different source zone will match, and if you have a security rule matching this context it will match regardless of the fact that the rule contains multiple security zones. I still don't see any cons of this as long as someone doesn't put another zone on the destination, but still I might be missing something. Don't take my words as 100% correct :)

  2. Hi, appreciate this post, great work.

    I was wondering if this article would suit our required solution, where we already have an existing interface configured which services our corporate network.
    --

    We have a requirement to access the internet from a new network, which is completely segregated. It does not plug in to our corporate switches and is not on the same domain. We would be plugging this network in to a new Ethernet port on the Palo; can this be configured?

  3. I don't see why you can't, if I understand you correctly. If all are on separate interfaces, you can even create a new virtual router into which you add all these new interfaces and isolate the traffic too.
